CVE-2020-15645 RESERVED CVE-2020-15644 RESERVED CVE-2020-15643 RESERVED CVE-2020-15642 RESERVED CVE-2020-15641 RESERVED CVE-2020-15640 RESERVED CVE-2020-15639 RESERVED CVE-2020-15638 RESERVED CVE-2020-15637 RESERVED CVE-2020-15636 RESERVED CVE-2020-15635 RESERVED CVE-2020-15634 RESERVED CVE-2020-15633 RESERVED CVE-2020-15632 RESERVED CVE-2020-15631 RESERVED CVE-2020-15630 RESERVED CVE-2020-15629 RESERVED CVE-2020-15628 RESERVED CVE-2020-15627 RESERVED CVE-2020-15626 RESERVED CVE-2020-15625 RESERVED CVE-2020-15624 RESERVED CVE-2020-15623 RESERVED CVE-2020-15622 RESERVED CVE-2020-15621 RESERVED CVE-2020-15620 RESERVED CVE-2020-15619 RESERVED CVE-2020-15618 RESERVED CVE-2020-15617 RESERVED CVE-2020-15616 RESERVED CVE-2020-15615 RESERVED CVE-2020-15614 RESERVED CVE-2020-15613 RESERVED CVE-2020-15612 RESERVED CVE-2020-15611 RESERVED CVE-2020-15610 RESERVED CVE-2020-15609 RESERVED CVE-2020-15608 RESERVED CVE-2020-15607 RESERVED CVE-2020-15606 RESERVED CVE-2020-15605 RESERVED CVE-2020-15604 RESERVED CVE-2020-15603 RESERVED CVE-2020-15602 RESERVED CVE-2020-15601 RESERVED CVE-2020-15600 (An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to ...) NOT-FOR-US: CMSUno CVE-2020-15599 (Victor CMS through 2019-02-28 allows XSS via the register.php user_fir ...) NOT-FOR-US: Victor CMS CVE-2020-15598 RESERVED CVE-2020-15597 RESERVED CVE-2020-15596 RESERVED CVE-2019-20906 RESERVED CVE-2019-20905 RESERVED CVE-2019-20904 RESERVED CVE-2019-20903 RESERVED CVE-2019-20902 RESERVED CVE-2019-20901 RESERVED CVE-2019-20900 RESERVED CVE-2019-20899 RESERVED CVE-2019-20898 RESERVED CVE-2019-20897 RESERVED CVE-2020-XXXX [veyon-configurator tmp handling] - veyon (bug #964568) [buster] - veyon (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2020/07/07/1 CVE-2020-15595 RESERVED CVE-2020-15594 RESERVED CVE-2020-15593 RESERVED CVE-2020-15592 RESERVED CVE-2020-15591 RESERVED CVE-2020-15590 RESERVED CVE-2020-15589 RESERVED CVE-2020-15588 RESERVED CVE-2020-15587 RESERVED CVE-2020-15586 RESERVED CVE-2020-15585 RESERVED CVE-2020-15584 (An issue was discovered on Samsung mobile devices with Q(10.0) softwar ...) NOT-FOR-US: Samsung mobile devices CVE-2020-15583 (An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2020-15582 (An issue was discovered on Samsung mobile devices with P(9.0) and Q(10 ...) NOT-FOR-US: Samsung mobile devices CVE-2020-15581 (An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2020-15580 (An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2020-15579 (An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2020-15578 (An issue was discovered on Samsung mobile devices with O(8.x) software ...) NOT-FOR-US: Samsung mobile devices CVE-2020-15577 (An issue was discovered on Samsung mobile devices with P(9.0) and Q(10 ...) NOT-FOR-US: Samsung mobile devices CVE-2020-15576 (SolarWinds Serv-U File Server before 15.2.1 allows information disclos ...) NOT-FOR-US: SolarWinds Serv-U File Server CVE-2020-15575 (SolarWinds Serv-U File Server before 15.2.1 allows XSS as demonstrated ...) NOT-FOR-US: SolarWinds Serv-U File Server CVE-2020-15574 (SolarWinds Serv-U File Server before 15.2.1 mishandles the Same-Site c ...) NOT-FOR-US: SolarWinds Serv-U File Server CVE-2020-15573 (SolarWinds Serv-U File Server before 15.2.1 has a "Cross-script vulner ...) NOT-FOR-US: SolarWinds Serv-U File Server CVE-2019-20896 (WebChess 1.0 allows SQL injection via the messageFrom, gameID, opponen ...) NOT-FOR-US: WebChess CVE-2020-15572 RESERVED CVE-2020-15571 RESERVED CVE-2020-15570 (The parse_report() function in whoopsie.c in Whoopsie through 0.2.69 m ...) NOT-FOR-US: Whoopsie CVE-2020-15569 (PlayerGeneric.cpp in MilkyTracker through 1.02.00 has a use-after-free ...) - milkytracker NOTE: https://github.com/milkytracker/MilkyTracker/commit/7afd55c42ad80d01a339197a2d8b5461d214edaf CVE-2020-15568 RESERVED CVE-2020-15567 (An issue was discovered in Xen through 4.13.x, allowing Intel guest OS ...) - xen 4.11.4+24-gddaaccbbab-1 [stretch] - xen (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-328.html CVE-2020-15566 (An issue was discovered in Xen through 4.13.x, allowing guest OS users ...) - xen 4.11.4+24-gddaaccbbab-1 [stretch] - xen (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-317.html CVE-2020-15565 (An issue was discovered in Xen through 4.13.x, allowing x86 Intel HVM ...) - xen 4.11.4+24-gddaaccbbab-1 [stretch] - xen (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-321.html CVE-2020-15564 (An issue was discovered in Xen through 4.13.x, allowing Arm guest OS u ...) - xen 4.11.4+24-gddaaccbbab-1 [stretch] - xen (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-327.html CVE-2020-15563 (An issue was discovered in Xen through 4.13.x, allowing x86 HVM guest ...) - xen 4.11.4+24-gddaaccbbab-1 [stretch] - xen (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-319.html CVE-2020-15561 RESERVED CVE-2020-15560 RESERVED CVE-2020-15559 RESERVED CVE-2020-15558 RESERVED CVE-2020-15557 RESERVED CVE-2020-15556 RESERVED CVE-2020-15555 RESERVED CVE-2020-15554 RESERVED CVE-2020-15553 RESERVED CVE-2020-15552 RESERVED CVE-2020-15551 RESERVED CVE-2020-15550 RESERVED CVE-2020-15549 RESERVED CVE-2020-15548 RESERVED CVE-2020-15547 RESERVED CVE-2020-15546 RESERVED CVE-2020-15545 RESERVED CVE-2020-15544 RESERVED CVE-2020-15543 (SolarWinds Serv-U FTP server before 15.2.1 does not validate an argume ...) NOT-FOR-US: SolarWinds Serv-U FTP server CVE-2020-15542 (SolarWinds Serv-U FTP server before 15.2.1 mishandles the CHMOD comman ...) NOT-FOR-US: SolarWinds Serv-U FTP server CVE-2020-15541 (SolarWinds Serv-U FTP server before 15.2.1 allows remote command execu ...) NOT-FOR-US: SolarWinds Serv-U FTP server CVE-2020-15562 (An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x befo ...) {DSA-4720-1} - roundcube 1.4.7+dfsg.1-1 (bug #964355) [stretch] - roundcube (Minor issue; will be fixed via point release) NOTE: 1.4.x https://github.com/roundcube/roundcubemail/commit/3e8832d029b035e3fcfb4c75839567a9580b4f82 NOTE: 1.3.x https://github.com/roundcube/roundcubemail/commit/19502419757a976dbd55ce5a746610c5bab7896b NOTE: 1.2.x https://github.com/roundcube/roundcubemail/commit/f3d1566cf223eb04f47b6dfffcd88753f66c36ee CVE-2020-15540 (We-com OpenData CMS 2.0 allows SQL Injection via the username field on ...) NOT-FOR-US: We-com OpenData CMS CVE-2020-15539 (SQL injection can occur in We-com Municipality portal CMS 2.1.x via th ...) NOT-FOR-US: We-com Municipality portal CMS CVE-2020-15538 (XSS can occur in We-com Municipality portal CMS 2.1.x via the cerca/ s ...) NOT-FOR-US: We-com Municipality portal CMS CVE-2020-15537 (An issue was discovered in the Vanguard plugin 2.1 for WordPress. XSS ...) NOT-FOR-US: Vanguard plugin for WordPress CVE-2020-15536 (An issue was discovered in the bestsoftinc Hotel Booking System Pro pl ...) NOT-FOR-US: bestsoftinc Hotel Booking System Pro plugin for WordPress CVE-2020-15535 (An issue was discovered in the bestsoftinc Car Rental System plugin th ...) NOT-FOR-US: bestsoftinc Car Rental System plugin for WordPress CVE-2020-15534 RESERVED CVE-2020-15533 RESERVED CVE-2019-20895 RESERVED CVE-2020-15532 RESERVED CVE-2020-15531 RESERVED CVE-2020-15530 (An issue was discovered in Valve Steam Client 2.10.91.91. The installe ...) - steam (Steam on Windows) CVE-2020-15529 (An issue was discovered in GOG Galaxy Client 2.0.17. Local escalation ...) NOT-FOR-US: GOG Galaxy client CVE-2020-15528 (An issue was discovered in GOG Galaxy Client 2.0.17. Local escalation ...) NOT-FOR-US: GOG Galaxy client CVE-2020-15527 RESERVED CVE-2020-15526 RESERVED CVE-2020-15525 (GitLab EE 11.3 through 13.1.2 has Incorrect Access Control because of ...) - gitlab (Specific to EE) CVE-2020-15524 RESERVED CVE-2020-15523 (In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, ...) - python3.8 (Python on Windows) - python2.7 (Python on Windows) CVE-2020-15522 RESERVED CVE-2020-15521 RESERVED CVE-2020-15520 RESERVED CVE-2020-15519 RESERVED CVE-2020-15518 (VeeamFSR.sys in Veeam Availability Suite before 10 and Veeam Backup &a ...) NOT-FOR-US: Veeam CVE-2020-15517 (The ke_search (aka Faceted Search) extension through 2.8.2, and 3.x th ...) NOT-FOR-US: Typo3 extension CVE-2020-15516 (The mm_forum extension through 1.9.5 for TYPO3 allows XSS that can be ...) NOT-FOR-US: Typo3 extension CVE-2020-15515 (The turn extension through 0.3.2 for TYPO3 allows Remote Code Executio ...) NOT-FOR-US: Typo3 extension CVE-2020-15514 (The jh_captcha extension through 2.1.3, and 3.x through 3.0.2, for TYP ...) NOT-FOR-US: Typo3 extension CVE-2020-15513 (The typo3_forum extension before 1.2.1 for TYPO3 has Incorrect Access ...) NOT-FOR-US: Typo3 extension CVE-2020-15512 RESERVED CVE-2020-15511 RESERVED CVE-2020-15510 RESERVED CVE-2020-15509 (Nordic Semiconductor Android BLE Library through 2.2.1 and DFU Library ...) NOT-FOR-US: Nordic Semiconductor CVE-2020-15508 RESERVED CVE-2020-15507 (MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, ...) NOT-FOR-US: MobileIron Core and Connector CVE-2020-15506 (MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, ...) NOT-FOR-US: MobileIron Core and Connector CVE-2020-15505 (MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, ...) NOT-FOR-US: MobileIron Core and Connector CVE-2020-15504 RESERVED CVE-2020-15503 (LibRaw before 0.20-RC1 lacks a thumbnail size range check. This affect ...) - libraw [buster] - libraw (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1853477 NOTE: https://github.com/LibRaw/LibRaw/commit/20ad21c0d87ca80217aee47533d91e633ce1864d CVE-2020-15502 (** DISPUTED ** The DuckDuckGo application through 5.58.0 for Android, ...) NOT-FOR-US: DuckDuckGo application for Android and iOS CVE-2019-20894 (Traefik 2.x, in certain configurations, allows HTTPS sessions to proce ...) NOT-FOR-US: Traefik CVE-2020-15501 RESERVED CVE-2020-15500 (An issue was discovered in server.js in TileServer GL through 3.0.0. T ...) NOT-FOR-US: TileServer GL CVE-2020-15499 RESERVED CVE-2020-15498 RESERVED CVE-2020-15497 RESERVED CVE-2020-15496 RESERVED CVE-2020-15495 RESERVED CVE-2020-15494 RESERVED CVE-2020-15493 RESERVED CVE-2020-15492 RESERVED CVE-2020-15491 RESERVED CVE-2020-15490 (An issue was discovered on Wavlink WL-WN530HG4 M30HG4.V5030.191116 dev ...) NOT-FOR-US: Wavlink WL-WN530HG4 CVE-2020-15489 (An issue was discovered on Wavlink WL-WN530HG4 M30HG4.V5030.191116 dev ...) NOT-FOR-US: Wavlink WL-WN530HG4 CVE-2020-15488 RESERVED CVE-2020-15487 RESERVED CVE-2020-15486 RESERVED CVE-2020-15485 RESERVED CVE-2020-15484 RESERVED CVE-2020-15483 RESERVED CVE-2020-15482 RESERVED CVE-2020-15481 RESERVED CVE-2020-15480 RESERVED CVE-2020-15479 RESERVED CVE-2020-15478 (The Journal theme before 3.1.0 for OpenCart allows exposure of sensiti ...) NOT-FOR-US: Journal theme for OpenCart CVE-2020-15477 RESERVED CVE-2020-15476 (In nDPI through 3.2, the Oracle protocol dissector has a heap-based bu ...) - ndpi NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21780 NOTE: https://github.com/ntop/nDPI/commit/b69177be2fbe01c2442239a61832c44e40136c05 CVE-2020-15475 (In nDPI through 3.2, ndpi_reset_packet_line_info in lib/ndpi_main.c om ...) - ndpi NOTE: https://github.com/ntop/nDPI/commit/6a9f5e4f7c3fd5ddab3e6727b071904d76773952 CVE-2020-15474 (In nDPI through 3.2, there is a stack overflow in extractRDNSequence i ...) - ndpi [buster] - ndpi (Vulnerable code not present) [stretch] - ndpi (Vulnerable code not present) NOTE: https://github.com/ntop/nDPI/commit/23594f036536468072198a57c59b6e9d63caf6ce CVE-2020-15473 (In nDPI through 3.2, the OpenVPN dissector is vulnerable to a heap-bas ...) - ndpi NOTE: https://github.com/ntop/nDPI/commit/8e7b1ea7a136cc4e4aa9880072ec2d69900a825e CVE-2020-15472 (In nDPI through 3.2, the H.323 dissector is vulnerable to a heap-based ...) - ndpi NOTE: https://github.com/ntop/nDPI/commit/b7e666e465f138ae48ab81976726e67deed12701 CVE-2020-15471 (In nDPI through 3.2, the packet parsing code is vulnerable to a heap-b ...) - ndpi [buster] - ndpi (Vulnerable code not present) [stretch] - ndpi (Vulnerable code not present) NOTE: https://github.com/ntop/nDPI/commit/61066fb106efa6d3d95b67e47b662de208b2b622 CVE-2020-15470 (ffjpeg through 2020-02-24 has a heap-based buffer overflow in jfif_dec ...) NOT-FOR-US: ffjpeg CVE-2020-15469 (In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback m ...) - qemu (low) [buster] - qemu (Minor issue, fix along in next DSA) [stretch] - qemu (Minor issue, fix along in next DSA) NOTE: https://www.openwall.com/lists/oss-security/2020/07/02/1 NOTE: Proposed patch(es): https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg09961.html CVE-2020-15468 (Persian VIP Download Script 1.0 allows SQL Injection via the cart_edit ...) NOT-FOR-US: Persian VIP Download Script CVE-2020-15467 RESERVED CVE-2020-15466 (In Wireshark 3.2.0 to 3.2.4, the GVCP dissector could go into an infin ...) - wireshark 3.2.5-1 (low) [buster] - wireshark (Can be fixed along in next 3.0.x DSA) [stretch] - wireshark (Can be fixed along in next DSA/update to 3.0) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16029 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=11f40896b696e4e8c7f8b2ad96028404a83a51a4 NOTE: https://www.wireshark.org/security/wnpa-sec-2020-09.html CVE-2020-15465 RESERVED CVE-2020-15464 RESERVED CVE-2020-15463 RESERVED CVE-2020-15462 RESERVED CVE-2020-15461 RESERVED CVE-2020-15460 RESERVED CVE-2020-15459 RESERVED CVE-2020-15458 RESERVED CVE-2020-15457 RESERVED CVE-2020-15456 RESERVED CVE-2020-15455 RESERVED CVE-2020-15454 RESERVED CVE-2020-15453 RESERVED CVE-2020-15452 RESERVED CVE-2020-15451 RESERVED CVE-2020-15450 RESERVED CVE-2020-15449 RESERVED CVE-2020-15448 RESERVED CVE-2020-15447 RESERVED CVE-2020-15446 RESERVED CVE-2020-15445 RESERVED CVE-2020-15444 RESERVED CVE-2020-15443 RESERVED CVE-2020-15442 RESERVED CVE-2020-15441 RESERVED CVE-2020-15440 RESERVED CVE-2020-15439 RESERVED CVE-2020-15438 RESERVED CVE-2020-15437 RESERVED CVE-2020-15436 RESERVED CVE-2020-15435 RESERVED CVE-2020-15434 RESERVED CVE-2020-15433 RESERVED CVE-2020-15432 RESERVED CVE-2020-15431 RESERVED CVE-2020-15430 RESERVED CVE-2020-15429 RESERVED CVE-2020-15428 RESERVED CVE-2020-15427 RESERVED CVE-2020-15426 RESERVED CVE-2020-15425 RESERVED CVE-2020-15424 RESERVED CVE-2020-15423 RESERVED CVE-2020-15422 RESERVED CVE-2020-15421 RESERVED CVE-2020-15420 RESERVED CVE-2020-15419 RESERVED CVE-2020-15418 RESERVED CVE-2020-15417 RESERVED CVE-2020-15416 RESERVED CVE-2020-15415 (On DrayTek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1, c ...) NOT-FOR-US: DrayTek CVE-2020-15414 RESERVED CVE-2020-15413 RESERVED CVE-2020-15412 (An issue was discovered in MISP 2.4.128. app/Controller/EventsControll ...) NOT-FOR-US: MISP CVE-2020-15411 (An issue was discovered in MISP 2.4.128. app/Controller/AttributesCont ...) NOT-FOR-US: MISP CVE-2020-15410 RESERVED CVE-2020-15409 RESERVED CVE-2020-15408 RESERVED CVE-2020-15407 RESERVED CVE-2020-15406 RESERVED CVE-2020-15405 RESERVED CVE-2020-15404 RESERVED CVE-2020-15403 RESERVED CVE-2020-15402 RESERVED CVE-2020-15401 (IOBit Malware Fighter Pro 8.0.2.547 allows local users to gain privile ...) NOT-FOR-US: IOBit Malware Fighter Pro CVE-2020-15400 (CakePHP before 4.0.6 mishandles CSRF token generation. This might be r ...) - cakephp [buster] - cakephp (Minor issue) [stretch] - cakephp (Minor issue) CVE-2020-15399 RESERVED CVE-2020-15398 RESERVED CVE-2020-15397 (HylaFAX+ through 7.0.2 and HylaFAX Enterprise have scripts that execut ...) - hylafax (bug #964198) [buster] - hylafax (Minor issue) [stretch] - hylafax (Minor issue) NOTE: https://sourceforge.net/p/hylafax/HylaFAX+/2534/ CVE-2020-15396 (In HylaFAX+ through 7.0.2 and HylaFAX Enterprise, the faxsetup utility ...) - hylafax (bug #964198) [buster] - hylafax (Minor issue) [stretch] - hylafax (Minor issue) NOTE: https://sourceforge.net/p/hylafax/HylaFAX+/2534/ CVE-2020-15395 (In MediaInfoLib in MediaArea MediaInfo 20.03, there is a stack-based b ...) - libmediainfo (low) [buster] - libmediainfo (Minor issue) [stretch] - libmediainfo (Minor issue) [jessie] - libmediainfo (Minor issue) NOTE: https://sourceforge.net/p/mediainfo/bugs/1127/ CVE-2020-15394 RESERVED CVE-2019-20893 (An issue was discovered in Activision Infinity Ward Call of Duty Moder ...) NOT-FOR-US: Activision CVE-2017-18922 (It was discovered that websockets.c in LibVNCServer prior to 0.9.12 di ...) - libvncserver 0.9.12+dfsg-3 NOTE: https://github.com/LibVNC/libvncserver/commit/aac95a9dcf4bbba87b76c72706c3221a842ca433 NOTE: https://www.openwall.com/lists/oss-security/2020/06/30/2 CVE-2020-15393 (In the Linux kernel through 5.7.6, usbtest_disconnect in drivers/usb/m ...) - linux NOTE: https://git.kernel.org/linus/28ebeb8db77035e058a510ce9bd17c2b9a009dba CVE-2020-15392 (A user enumeration vulnerability flaw was found in Venki Supravizio BP ...) NOT-FOR-US: Venki CVE-2020-15391 RESERVED CVE-2020-15390 RESERVED CVE-2020-15389 (jp2/opj_decompress.c in OpenJPEG through 2.3.1 has a use-after-free th ...) - openjpeg2 NOTE: https://github.com/uclouvain/openjpeg/issues/1261 NOTE: https://github.com/uclouvain/openjpeg/commit/e8e258ab049240c2dd1f1051b4e773b21e2d3dc0 CVE-2020-15388 RESERVED CVE-2020-15387 RESERVED CVE-2020-15386 RESERVED CVE-2020-15385 RESERVED CVE-2020-15384 RESERVED CVE-2020-15383 RESERVED CVE-2020-15382 RESERVED CVE-2020-15381 RESERVED CVE-2020-15380 RESERVED CVE-2020-15379 RESERVED CVE-2020-15378 RESERVED CVE-2020-15377 RESERVED CVE-2020-15376 RESERVED CVE-2020-15375 RESERVED CVE-2020-15374 RESERVED CVE-2020-15373 RESERVED CVE-2020-15372 RESERVED CVE-2020-15371 RESERVED CVE-2020-15370 RESERVED CVE-2020-15369 RESERVED CVE-2020-15368 (AsrDrv103.sys in the ASRock RGB Driver does not properly restrict acce ...) NOT-FOR-US: ASRock RGB Driver CVE-2020-15367 (Venki Supravizio BPM 10.1.2 does not limit the number of authenticatio ...) NOT-FOR-US: Venki CVE-2020-15366 RESERVED CVE-2020-15365 (LibRaw before 0.20-Beta3 has an out-of-bounds write in parse_exif() in ...) - libraw (Vulnerable code introduced in 0.20-Beta1) NOTE: https://github.com/LibRaw/LibRaw/issues/301 NOTE: https://github.com/LibRaw/LibRaw/commit/55f0a0c08974b8b79ebfa7762b555a1704b25fb2 CVE-2020-15364 (The Nexos theme through 1.7 for WordPress allows top-map/?search_locat ...) NOT-FOR-US: Wordpress theme CVE-2020-15363 (The Nexos theme through 1.7 for WordPress allows side-map/?search_orde ...) NOT-FOR-US: Wordpress theme CVE-2020-15362 (wifiscanner.js in thingsSDK WiFi Scanner 1.0.1 allows Code Injection b ...) NOT-FOR-US: thingsSDK WiFi Scanner CVE-2020-15361 RESERVED CVE-2020-15360 (com.docker.vmnetd in Docker Desktop 2.3.0.3 allows privilege escalatio ...) NOT-FOR-US: Docker Desktop on Windows CVE-2020-15359 RESERVED CVE-2020-15357 RESERVED CVE-2020-15358 (In SQLite before 3.32.3, select.c mishandles query-flattener optimizat ...) - sqlite3 3.32.3-1 [stretch] - sqlite3 (Vulnerable code introduced in 3.25.0) [jessie] - sqlite3 (Vulnerable code introduced in 3.25.0) NOTE: https://www.sqlite.org/src/info/10fa79d00f8091e5 NOTE: https://www.sqlite.org/src/tktview?name=8f157e8010 CVE-2020-15356 REJECTED CVE-2020-15355 REJECTED CVE-2020-15354 REJECTED CVE-2013-7489 (The Beaker library through 1.11.0 for Python is affected by deserializ ...) - beaker NOTE: https://github.com/bbangert/beaker/issues/191 NOTE: https://www.openwall.com/lists/oss-security/2020/05/14/11 CVE-2020-15353 RESERVED CVE-2020-15352 RESERVED CVE-2020-15351 (IDrive before 6.7.3.19 on Windows installs by default to %PROGRAMFILES ...) NOT-FOR-US: IDrive CVE-2020-15350 (RIOT 2020.04 has a buffer overflow in the base64 decoder. The decoding ...) NOT-FOR-US: RIOT RIOT-OS CVE-2020-15349 RESERVED CVE-2020-15348 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows use of live/CPEManag ...) NOT-FOR-US: Zyxel CVE-2020-15347 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has the q6xV4aW8bQ4cfD-b pa ...) NOT-FOR-US: Zyxel CVE-2020-15346 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a /live/GLOBALS API wit ...) NOT-FOR-US: Zyxel CVE-2020-15345 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_g ...) NOT-FOR-US: Zyxel CVE-2020-15344 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_g ...) NOT-FOR-US: Zyxel CVE-2020-15343 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_i ...) NOT-FOR-US: Zyxel CVE-2020-15342 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_i ...) NOT-FOR-US: Zyxel CVE-2020-15341 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated upda ...) NOT-FOR-US: Zyxel CVE-2020-15340 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded opt/axess/A ...) NOT-FOR-US: Zyxel CVE-2020-15339 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows live/CPEManager/AXCa ...) NOT-FOR-US: Zyxel CVE-2020-15338 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a "Use of GET Request M ...) NOT-FOR-US: Zyxel CVE-2020-15337 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a "Use of GET Request M ...) NOT-FOR-US: Zyxel CVE-2020-15336 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has no authentication for / ...) NOT-FOR-US: Zyxel CVE-2020-15335 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has no authentication for / ...) NOT-FOR-US: Zyxel CVE-2020-15334 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows escape-sequence inje ...) NOT-FOR-US: Zyxel CVE-2020-15333 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows attackers to discove ...) NOT-FOR-US: Zyxel CVE-2020-15332 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has weak /opt/axess/etc/def ...) NOT-FOR-US: Zyxel CVE-2020-15331 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded OAUTH_SECRE ...) NOT-FOR-US: Zyxel CVE-2020-15330 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded APP_KEY in ...) NOT-FOR-US: Zyxel CVE-2020-15329 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has weak Data.fs permission ...) NOT-FOR-US: Zyxel CVE-2020-15328 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has weak /opt/axess/var/blo ...) NOT-FOR-US: Zyxel CVE-2020-15327 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 uses ZODB storage without a ...) NOT-FOR-US: Zyxel CVE-2020-15326 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded certificate ...) NOT-FOR-US: Zyxel CVE-2020-15325 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded Erlang cook ...) NOT-FOR-US: Zyxel CVE-2020-15324 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a world-readable axess/ ...) NOT-FOR-US: Zyxel CVE-2020-15323 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has the cloud1234 password ...) NOT-FOR-US: Zyxel CVE-2020-15322 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has the wbboEZ4BN3ssxAfM ha ...) NOT-FOR-US: Zyxel CVE-2020-15321 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has the axzyxel password fo ...) NOT-FOR-US: Zyxel CVE-2020-15320 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has the axiros password for ...) NOT-FOR-US: Zyxel CVE-2020-15319 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded RSA SSH key ...) NOT-FOR-US: Zyxel CVE-2020-15318 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded DSA SSH key ...) NOT-FOR-US: Zyxel CVE-2020-15317 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded RSA SSH key ...) NOT-FOR-US: Zyxel CVE-2020-15316 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded ECDSA SSH k ...) NOT-FOR-US: Zyxel CVE-2020-15315 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded DSA SSH key ...) NOT-FOR-US: Zyxel CVE-2020-15314 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded RSA SSH key ...) NOT-FOR-US: Zyxel CVE-2020-15313 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded ECDSA SSH k ...) NOT-FOR-US: Zyxel CVE-2020-15312 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded DSA SSH key ...) NOT-FOR-US: Zyxel CVE-2020-15311 (Stash 1.0.3 allows SQL Injection via the downloadmp3.php download para ...) NOT-FOR-US: Stash CVE-2020-15310 RESERVED CVE-2020-15309 RESERVED CVE-2020-15308 (Support Incident Tracker (aka SiT! or SiTracker) 3.67 p2 allows post-a ...) NOT-FOR-US: Support Incident Tracker CVE-2020-15307 (Nozomi Guardian before 19.0.4 allows attackers to achieve stored XSS ( ...) NOT-FOR-US: Nozomi Guardian CVE-2020-15306 (An issue was discovered in OpenEXR before v2.5.2. Invalid chunkCount a ...) - openexr [jessie] - openexr (Minor issue) NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/738 CVE-2020-15305 (An issue was discovered in OpenEXR before 2.5.2. Invalid input could c ...) - openexr [jessie] - openexr (Minor issue) NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/730 CVE-2020-15304 (An issue was discovered in OpenEXR before 2.5.2. An invalid tiled inpu ...) - openexr [jessie] - openexr (Minor issue) NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/727 CVE-2020-15303 RESERVED CVE-2020-15302 (In Argent RecoveryManager before 0xdc350d09f71c48c5D22fBE2741e4d6A0397 ...) NOT-FOR-US: Argent RecoveryManager CVE-2020-15301 RESERVED CVE-2020-15300 RESERVED CVE-2020-15299 RESERVED CVE-2020-15298 RESERVED CVE-2020-15297 RESERVED CVE-2020-15296 RESERVED CVE-2020-15295 RESERVED CVE-2020-15294 RESERVED CVE-2020-15293 RESERVED CVE-2020-15292 RESERVED CVE-2020-15291 RESERVED CVE-2020-15290 RESERVED CVE-2020-15289 RESERVED CVE-2020-15288 RESERVED CVE-2020-15287 RESERVED CVE-2020-15286 RESERVED CVE-2020-15285 RESERVED CVE-2020-15284 RESERVED CVE-2020-15283 RESERVED CVE-2020-15282 RESERVED CVE-2020-15281 RESERVED CVE-2020-15280 RESERVED CVE-2020-15279 RESERVED CVE-2020-15278 RESERVED CVE-2020-15277 RESERVED CVE-2020-15276 RESERVED CVE-2020-15275 RESERVED CVE-2020-15274 RESERVED CVE-2020-15273 RESERVED CVE-2020-15272 RESERVED CVE-2020-15271 RESERVED CVE-2020-15270 RESERVED CVE-2020-15269 RESERVED CVE-2020-15268 RESERVED CVE-2020-15267 RESERVED CVE-2020-15266 RESERVED CVE-2020-15265 RESERVED CVE-2020-15264 RESERVED CVE-2020-15263 RESERVED CVE-2020-15262 RESERVED CVE-2020-15261 RESERVED CVE-2020-15260 RESERVED CVE-2020-15259 RESERVED CVE-2020-15258 RESERVED CVE-2020-15257 RESERVED CVE-2020-15256 RESERVED CVE-2020-15255 RESERVED CVE-2020-15254 RESERVED CVE-2020-15253 RESERVED CVE-2020-15252 RESERVED CVE-2020-15251 RESERVED CVE-2020-15250 RESERVED CVE-2020-15249 RESERVED CVE-2020-15248 RESERVED CVE-2020-15247 RESERVED CVE-2020-15246 RESERVED CVE-2020-15245 RESERVED CVE-2020-15244 RESERVED CVE-2020-15243 RESERVED CVE-2020-15242 RESERVED CVE-2020-15241 RESERVED CVE-2020-15240 RESERVED CVE-2020-15239 RESERVED CVE-2020-15238 RESERVED CVE-2020-15237 RESERVED CVE-2020-15236 RESERVED CVE-2020-15235 RESERVED CVE-2020-15234 RESERVED CVE-2020-15233 RESERVED CVE-2020-15232 RESERVED CVE-2020-15231 RESERVED CVE-2020-15230 RESERVED CVE-2020-15229 RESERVED CVE-2020-15228 RESERVED CVE-2020-15227 RESERVED CVE-2020-15226 RESERVED CVE-2020-15225 RESERVED CVE-2020-15224 RESERVED CVE-2020-15223 RESERVED CVE-2020-15222 RESERVED CVE-2020-15221 RESERVED CVE-2020-15220 RESERVED CVE-2020-15219 RESERVED CVE-2020-15218 RESERVED CVE-2020-15217 RESERVED CVE-2020-15216 RESERVED CVE-2020-15215 RESERVED CVE-2020-15214 RESERVED CVE-2020-15213 RESERVED CVE-2020-15212 RESERVED CVE-2020-15211 RESERVED CVE-2020-15210 RESERVED CVE-2020-15209 RESERVED CVE-2020-15208 RESERVED CVE-2020-15207 RESERVED CVE-2020-15206 RESERVED CVE-2020-15205 RESERVED CVE-2020-15204 RESERVED CVE-2020-15203 RESERVED CVE-2020-15202 RESERVED CVE-2020-15201 RESERVED CVE-2020-15200 RESERVED CVE-2020-15199 RESERVED CVE-2020-15198 RESERVED CVE-2020-15197 RESERVED CVE-2020-15196 RESERVED CVE-2020-15195 RESERVED CVE-2020-15194 RESERVED CVE-2020-15193 RESERVED CVE-2020-15192 RESERVED CVE-2020-15191 RESERVED CVE-2020-15190 RESERVED CVE-2020-15189 RESERVED CVE-2020-15188 RESERVED CVE-2020-15187 RESERVED CVE-2020-15186 RESERVED CVE-2020-15185 RESERVED CVE-2020-15184 RESERVED CVE-2020-15183 RESERVED CVE-2020-15182 RESERVED CVE-2020-15181 RESERVED CVE-2020-15180 RESERVED CVE-2020-15179 RESERVED CVE-2020-15178 RESERVED CVE-2020-15177 RESERVED CVE-2020-15176 RESERVED CVE-2020-15175 RESERVED CVE-2020-15174 RESERVED CVE-2020-15173 RESERVED CVE-2020-15172 RESERVED CVE-2020-15171 RESERVED CVE-2020-15170 RESERVED CVE-2020-15169 RESERVED CVE-2020-15168 RESERVED CVE-2020-15167 RESERVED CVE-2020-15166 RESERVED CVE-2020-15165 RESERVED CVE-2020-15164 RESERVED CVE-2020-15163 RESERVED CVE-2020-15162 RESERVED CVE-2020-15161 RESERVED CVE-2020-15160 RESERVED CVE-2020-15159 RESERVED CVE-2020-15158 RESERVED CVE-2020-15157 RESERVED CVE-2020-15156 RESERVED CVE-2020-15155 RESERVED CVE-2020-15154 RESERVED CVE-2020-15153 RESERVED CVE-2020-15152 RESERVED CVE-2020-15151 RESERVED CVE-2020-15150 RESERVED CVE-2020-15149 RESERVED CVE-2020-15148 RESERVED CVE-2020-15147 RESERVED CVE-2020-15146 RESERVED CVE-2020-15145 RESERVED CVE-2020-15144 RESERVED CVE-2020-15143 RESERVED CVE-2020-15142 RESERVED CVE-2020-15141 RESERVED CVE-2020-15140 RESERVED CVE-2020-15139 RESERVED CVE-2020-15138 RESERVED CVE-2020-15137 RESERVED CVE-2020-15136 RESERVED CVE-2020-15135 RESERVED CVE-2020-15134 RESERVED CVE-2020-15133 RESERVED CVE-2020-15132 RESERVED CVE-2020-15131 RESERVED CVE-2020-15130 RESERVED CVE-2020-15129 RESERVED CVE-2020-15128 RESERVED CVE-2020-15127 RESERVED CVE-2020-15126 RESERVED CVE-2020-15125 RESERVED CVE-2020-15124 RESERVED CVE-2020-15123 RESERVED CVE-2020-15122 RESERVED CVE-2020-15121 RESERVED CVE-2020-15120 RESERVED CVE-2020-15119 RESERVED CVE-2020-15118 RESERVED CVE-2020-15117 RESERVED CVE-2020-15116 RESERVED CVE-2020-15115 RESERVED CVE-2020-15114 RESERVED CVE-2020-15113 RESERVED CVE-2020-15112 RESERVED CVE-2020-15111 RESERVED CVE-2020-15110 RESERVED CVE-2020-15109 RESERVED CVE-2020-15108 RESERVED CVE-2020-15107 RESERVED CVE-2020-15106 RESERVED CVE-2020-15105 RESERVED CVE-2020-15104 RESERVED CVE-2020-15103 RESERVED CVE-2020-15102 RESERVED CVE-2020-15101 RESERVED CVE-2020-15100 RESERVED CVE-2020-15099 RESERVED CVE-2020-15098 RESERVED CVE-2020-15097 RESERVED CVE-2020-15096 (In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, the ...) - electron (bug #842420) CVE-2020-15095 (Versions of the npm CLI prior to 6.14.6 are vulnerable to an informati ...) TODO: check CVE-2020-15094 RESERVED CVE-2020-15093 RESERVED CVE-2020-15092 RESERVED CVE-2020-15091 (TenderMint from version 0.33.0 and before version 0.33.6 allows block ...) NOT-FOR-US: TenderMint CVE-2020-15090 RESERVED CVE-2020-15089 RESERVED CVE-2020-15088 RESERVED CVE-2020-15087 (In Presto before version 337, authenticated users can bypass authoriza ...) NOT-FOR-US: Presto query engine, different from src:presto CVE-2020-15086 RESERVED CVE-2020-15085 (In Saleor Storefront before version 2.10.3, request data used to authe ...) NOT-FOR-US: Saleor Storefront CVE-2020-15084 (In express-jwt (NPM package) up and including version 5.3.3, the algor ...) NOT-FOR-US: Node express-jwt CVE-2020-15083 (In PrestaShop from version 1.7.0.0 and before version 1.7.6.6, if a ta ...) NOT-FOR-US: PrestaShop CVE-2020-15082 (In PrestaShop from version 1.6.0.1 and before version 1.7.6.6, the das ...) NOT-FOR-US: PrestaShop CVE-2020-15081 (In PrestaShop from version 1.5.0.0 and before 1.7.6.6, there is inform ...) NOT-FOR-US: PrestaShop CVE-2020-15080 (In PrestaShop from version 1.7.4.0 and before version 1.7.6.6, some fi ...) NOT-FOR-US: PrestaShop CVE-2020-15079 (In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, there i ...) NOT-FOR-US: PrestaShop CVE-2020-15078 RESERVED CVE-2020-15077 RESERVED CVE-2020-15076 RESERVED CVE-2020-15075 RESERVED CVE-2020-15074 RESERVED CVE-2020-15073 RESERVED CVE-2020-15072 RESERVED CVE-2020-15071 RESERVED CVE-2020-15070 RESERVED CVE-2020-15069 (Sophos XG Firewall 17.x through v17.5 MR12 allows a Buffer Overflow an ...) NOT-FOR-US: Sophos CVE-2020-15068 RESERVED CVE-2020-15067 RESERVED CVE-2020-15066 RESERVED CVE-2020-15065 RESERVED CVE-2020-15064 RESERVED CVE-2020-15063 RESERVED CVE-2020-15062 RESERVED CVE-2020-15061 RESERVED CVE-2020-15060 RESERVED CVE-2020-15059 RESERVED CVE-2020-15058 RESERVED CVE-2020-15057 RESERVED CVE-2020-15056 RESERVED CVE-2020-15055 RESERVED CVE-2020-15054 RESERVED CVE-2020-15053 RESERVED CVE-2020-15052 RESERVED CVE-2020-15051 RESERVED CVE-2020-15050 RESERVED CVE-2020-15049 (An issue was discovered in http/ContentLengthInterpreter.cc in Squid b ...) - squid 4.12-1 - squid3 NOTE: https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5 NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch CVE-2020-15048 RESERVED CVE-2020-15047 (MSA/SMTP.cpp in Trojita before 0.8 ignores certificate-verification er ...) - trojita (bug #795701) CVE-2018-21268 (The traceroute (aka node-traceroute) package through 1.0.0 for Node.js ...) NOT-FOR-US: Node traceroute CVE-2018-21267 RESERVED CVE-2018-21266 RESERVED CVE-2020-15046 (The web interface on Supermicro X10DRH-iT motherboards with BIOS 2.0a ...) NOT-FOR-US: Supermicro CVE-2020-15045 RESERVED CVE-2020-15044 RESERVED CVE-2020-15043 (iBall WRB303N devices allow CSRF attacks, as demonstrated by enabling ...) NOT-FOR-US: iBall WRB303N devices CVE-2020-15042 RESERVED CVE-2020-15041 (PHP-Fusion 9.03.60 allows XSS via the administration/site_links.php Ad ...) NOT-FOR-US: PHP-Fusion CVE-2020-15040 RESERVED CVE-2020-15039 RESERVED CVE-2020-15038 (The SeedProd coming-soon plugin before 5.1.1 for WordPress allows XSS. ...) NOT-FOR-US: WordPress plugin CVE-2020-15037 (NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The appl ...) NOT-FOR-US: NeDi CVE-2020-15036 (NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The appl ...) NOT-FOR-US: NeDi CVE-2020-15035 (NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The appl ...) NOT-FOR-US: NeDi CVE-2020-15034 (NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The appl ...) NOT-FOR-US: NeDi CVE-2020-15033 (NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The appl ...) NOT-FOR-US: NeDi CVE-2020-15032 (NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The appl ...) NOT-FOR-US: NeDi CVE-2020-15031 (NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The appl ...) NOT-FOR-US: NeDi CVE-2020-15030 (NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The appl ...) NOT-FOR-US: NeDi CVE-2020-15029 (NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The appl ...) NOT-FOR-US: NeDi CVE-2020-15028 (NeDi 1.9C is vulnerable to a cross-site scripting (XSS) attack. The ap ...) NOT-FOR-US: NeDi CVE-2020-15027 RESERVED CVE-2020-15026 (Bludit 3.12.0 allows admins to use a /plugin-backup-download?file=../ ...) NOT-FOR-US: Bludit CVE-2020-15025 (ntpd in ntp 4.2.8 before 4.2.8p15 and 4.3.x before 4.3.101 allows remo ...) - ntp (low; bug #963807) [buster] - ntp (Minor issue) [stretch] - ntp (Vulnerable code introduced later) [jessie] - ntp (Vulnerable code introduced later) - ntpsec (Vulnerable code not present) NOTE: https://support.ntp.org/bin/view/Main/NtpBug3661 NOTE: https://support.ntp.org/bin/view/Main/SecurityNotice#June_2020_ntp_4_2_8p15_NTP_Relea NOTE: https://bugs.ntp.org/show_bug.cgi?id=3661 CVE-2020-15024 RESERVED CVE-2020-15023 RESERVED CVE-2020-15022 RESERVED CVE-2020-15021 RESERVED CVE-2020-15020 RESERVED CVE-2020-15019 RESERVED CVE-2020-15018 (playSMS through 1.4.3 is vulnerable to session fixation. ...) NOT-FOR-US: playSMS CVE-2020-15017 (NeDi 1.9C is vulnerable to reflected cross-site scripting. The Devices ...) NOT-FOR-US: NeDi CVE-2020-15016 (NeDi 1.9C is vulnerable to reflected cross-site scripting. The Other-C ...) NOT-FOR-US: NeDi CVE-2020-15015 (The FileExplorer component in GleamTech FileUltimate 6.1.5.0 allows XS ...) NOT-FOR-US: FileExplorer component in GleamTech FileUltimate CVE-2020-15014 (pramodmahato BlogCMS through 2019-12-31 has admin/changepass.php CSRF. ...) NOT-FOR-US: BlogCMS CVE-2020-15013 RESERVED CVE-2020-15012 RESERVED CVE-2020-15011 (GNU Mailman before 2.1.33 allows arbitrary content injection via the C ...) {DLA-2265-1} - mailman NOTE: https://bugs.launchpad.net/mailman/+bug/1877379 CVE-2020-15010 RESERVED CVE-2020-15009 RESERVED CVE-2020-15008 (A SQLi exists in the probe code of all Connectwise Automate versions b ...) NOT-FOR-US: Connectwise CVE-2020-15007 (A buffer overflow in the M_LoadDefaults function in m_misc.c in id Tec ...) - rbdoom3bfg (unimportant) NOTE: https://github.com/AXDOOMER/doom-vanille/commit/8a6d9a02fa991a91ff90ccdc73b5ceabaa6cb9ec NOTE: Problematic code not built CVE-2020-15006 (Bludit 3.12.0 allows stored XSS via JavaScript code in an SVG document ...) NOT-FOR-US: Bludit CVE-2020-15005 (In MediaWiki before 1.31.8, 1.32.x and 1.33.x before 1.33.4, and 1.34. ...) - mediawiki 1:1.31.8-1 [buster] - mediawiki (Minor issue) [stretch] - mediawiki (Minor issue) NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2020-June/093535.html CVE-2020-15004 RESERVED CVE-2020-15003 RESERVED CVE-2020-15002 RESERVED CVE-2020-15001 RESERVED CVE-2020-15000 RESERVED CVE-2020-14999 RESERVED CVE-2020-14998 RESERVED CVE-2020-14997 RESERVED CVE-2020-14996 RESERVED CVE-2020-14995 RESERVED CVE-2020-14994 RESERVED CVE-2020-14993 (A stack-based buffer overflow on DrayTek Vigor2960, Vigor3900, and Vig ...) NOT-FOR-US: DrayTek devices CVE-2020-14992 RESERVED CVE-2020-14991 RESERVED CVE-2020-14990 (IOBit Advanced SystemCare Free 13.5.0.263 allows local users to gain p ...) NOT-FOR-US: IOBit Advanced SystemCare Free CVE-2020-14989 RESERVED CVE-2020-14988 RESERVED CVE-2020-14987 RESERVED CVE-2020-14986 RESERVED CVE-2020-14985 RESERVED CVE-2020-14984 RESERVED CVE-2020-14983 (The server in Chocolate Doom 3.0.0 and Crispy Doom 5.8.0 doesn't valid ...) - crispy-doom (bug #964564) [buster] - crispy-doom (Minor issue) - chocolate-doom 3.0.1-1 [buster] - chocolate-doom (Minor issue) [stretch] - chocolate-doom (Minor issue) [jessie] - chocolate-doom (games are not supported) NOTE: https://github.com/chocolate-doom/chocolate-doom/issues/1293 CVE-2020-14982 RESERVED CVE-2020-14981 (The ThreatTrack VIPRE Password Vault app through 1.100.1090 for iOS ha ...) NOT-FOR-US: ThreatTrack VIPRE Password Vault app for IOS CVE-2020-14980 (The Sophos Secure Email application through 3.9.4 for Android has Miss ...) NOT-FOR-US: Sophos Secure Email application for Android CVE-2020-14979 RESERVED CVE-2020-14978 (An issue was discovered in F-Secure SAFE 17.7 on macOS. Due to incorre ...) NOT-FOR-US: F-Secure SAFE CVE-2020-14977 (An issue was discovered in F-Secure SAFE 17.7 on macOS. The XPC servic ...) NOT-FOR-US: F-Secure SAFE CVE-2020-14976 (GNS3 ubridge through 0.9.18 on macOS, as used in GNS3 server before 2. ...) - gns3-server (bug #766166) CVE-2020-14975 (The driver in IOBit Unlocker 1.1.2 allows a low-privileged user to del ...) NOT-FOR-US: IOBit Unlocker CVE-2020-14974 (The driver in IOBit Unlocker 1.1.2 allows a low-privileged user to unl ...) NOT-FOR-US: IOBit Unlocker CVE-2020-14973 (The loginForm within the general/login.php webpage in webTareas 2.0p8 ...) NOT-FOR-US: webTareas CVE-2020-14972 (Multiple SQL injection vulnerabilities in Sourcecodester Pisay Online ...) NOT-FOR-US: Sourcecodester Pisay Online E-Learning System CVE-2020-14971 (Pi-hole through 5.0 allows code injection in piholedhcp (the Static DH ...) NOT-FOR-US: Pi-hole CVE-2020-14970 RESERVED CVE-2020-14969 (app/Model/Attribute.php in MISP 2.4.127 lacks an ACL lookup on attribu ...) NOT-FOR-US: MISP CVE-2020-14968 (An issue was discovered in the jsrsasign package before 8.0.17 for Nod ...) NOT-FOR-US: jsrsasign CVE-2020-14967 (An issue was discovered in the jsrsasign package before 8.0.18 for Nod ...) NOT-FOR-US: jsrsasign CVE-2020-14966 (An issue was discovered in the jsrsasign package through 8.0.18 for No ...) NOT-FOR-US: jsrsasign CVE-2020-14965 (On TP-Link TL-WR740N v4 and TL-WR740ND v4 devices, an attacker with ac ...) NOT-FOR-US: TP-Link CVE-2020-14964 RESERVED CVE-2020-14963 RESERVED CVE-2020-14962 (Multiple XSS vulnerabilities in the Final Tiles Gallery plugin before ...) NOT-FOR-US: Final Tiles Gallery plugin for WordPress CVE-2020-14961 (Concrete5 before 8.5.3 does not constrain the sort direction to a vali ...) NOT-FOR-US: Concrete5 CVE-2020-14960 (A SQL injection vulnerability in PHP-Fusion 9.03.50 affects the endpoi ...) NOT-FOR-US: PHP-Fusion CVE-2020-14959 (Multiple XSS vulnerabilities in the Easy Testimonials plugin before 3. ...) NOT-FOR-US: Easy Testimonials plugin for WordPress CVE-2020-14958 (In Gogs 0.11.91, MakeEmailPrimary in models/user_mail.go lacks a "not ...) NOT-FOR-US: Go Git Service CVE-2020-14957 (In Windows cleaning assistant 3.2, the driver file (AtpKrnl.sys) allow ...) NOT-FOR-US: Windows cleaning assistant CVE-2020-14956 (In Windows cleaning assistant 3.2, the driver file (AtpKrnl.sys) allow ...) NOT-FOR-US: Windows cleaning assistant CVE-2020-14955 (In Jiangmin Antivirus 16.0.13.129, the driver file (KVFG.sys) allows l ...) NOT-FOR-US: Jiangmin Antivirus CVE-2020-14953 RESERVED CVE-2020-14952 RESERVED CVE-2020-14951 RESERVED CVE-2020-14950 (aaPanel through 6.6.6 allows remote authenticated users to execute arb ...) NOT-FOR-US: aaPanel CVE-2020-14949 RESERVED CVE-2020-14948 RESERVED CVE-2020-14947 (OCS Inventory NG 2.7 allows Remote Command Execution via shell metacha ...) - ocsinventory-server (unimportant) NOTE: Only supported in trusted environments, see debtags CVE-2020-14946 (downloadFile.ashx in the Administrator section of the Surveillance mod ...) NOT-FOR-US: Surveillance module in Global RADAR BSA Radar CVE-2020-14945 (A privilege escalation vulnerability exists within Global RADAR BSA Ra ...) NOT-FOR-US: Global RADAR BSA Radar CVE-2020-14944 (Global RADAR BSA Radar 1.6.7234.24750 and earlier lacks valid authoriz ...) NOT-FOR-US: Global RADAR BSA Radar CVE-2020-14943 (The Firstname and Lastname parameters in Global RADAR BSA Radar 1.6.72 ...) NOT-FOR-US: Global RADAR BSA Radar CVE-2020-14942 (Tendenci 12.0.10 allows unrestricted deserialization in apps\helpdesk\ ...) NOT-FOR-US: Tendenci CVE-2020-14941 RESERVED CVE-2020-14940 (An issue was discovered in io/gpx/GPXDocumentReader.java in TuxGuitar ...) - tuxguitar (bug #963626) [buster] - tuxguitar (Minor issue) [stretch] - tuxguitar (Minor issue) [jessie] - tuxguitar (Minor issue) NOTE: https://logicaltrust.net/blog/2020/06/tuxguitar.html NOTE: https://sourceforge.net/p/tuxguitar/bugs/126/ CVE-2020-14939 (An issue was discovered in savestruct_internal.c in FreedroidRPG 1.0rc ...) - freedroidrpg (low; bug #964197) [buster] - freedroidrpg (Minor issue) [stretch] - freedroidrpg (Minor issue) [jessie] - freedroidrpg (games are not supported) NOTE: https://bugs.freedroid.org/b/issue953 NOTE: https://logicaltrust.net/blog/2020/02/freedroid.html CVE-2020-14938 (An issue was discovered in map.c in FreedroidRPG 1.0rc2. It assumes le ...) - freedroidrpg (low; bug #964197) [buster] - freedroidrpg (Minor issue) [stretch] - freedroidrpg (Minor issue) [jessie] - freedroidrpg (games are not supported) NOTE: https://bugs.freedroid.org/b/issue952 NOTE: https://logicaltrust.net/blog/2020/02/freedroid.html CVE-2020-14937 RESERVED CVE-2020-14936 RESERVED CVE-2020-14935 RESERVED CVE-2020-14934 RESERVED CVE-2020-14933 (compose.php in SquirrelMail 1.4.22 calls unserialize for the $attachme ...) - squirrelmail NOTE: https://www.openwall.com/lists/oss-security/2020/06/20/1 CVE-2020-14932 (compose.php in SquirrelMail 1.4.22 calls unserialize for the $mailtoda ...) - squirrelmail NOTE: https://www.openwall.com/lists/oss-security/2020/06/20/1 CVE-2020-14931 (A stack-based buffer overflow in DMitry (Deepmagic Information Gatheri ...) NOT-FOR-US: DMitry CVE-2020-14930 (An issue was discovered in BT CTROMS Terminal OS Port Portal CT-464. A ...) NOT-FOR-US: BT CTROMS Terminal OS Port Portal CT-464 CVE-2019-20892 (net-snmp before 5.8.1.pre1 has a double free in usm_free_usmStateRefer ...) - net-snmp 5.8+dfsg-3 (bug #963713) [stretch] - net-snmp (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2020/06/25/4 NOTE: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1877027 NOTE: https://github.com/net-snmp/net-snmp/commit/92ccd5a82a019fbfa835cc8ab2294cf0ca48c8f2 NOTE: https://github.com/net-snmp/net-snmp/commit/adc9b71aba9168ec64149345ea37a1acc11875c6 NOTE: https://github.com/net-snmp/net-snmp/commit/7384a8b550d4ed4a00e41b72229cfcc124926b06 NOTE: https://github.com/net-snmp/net-snmp/commit/39381c4d20dd8042870c28ae3b0c16291e50b705 NOTE: https://github.com/net-snmp/net-snmp/commit/5f881d3bf24599b90d67a45cae7a3eb099cd71c9 NOTE: https://github.com/net-snmp/net-snmp/commit/87bd90d04f20dd3f73e3e7e631a442ccd419b9d3 NOTE: Extra patches to address memory leaks: NOTE: https://salsa.debian.org/debian/net-snmp/-/merge_requests/3 NOTE: Introduced in https://github.com/net-snmp/net-snmp/compare/1a0dbe19bf2787bb5bea913f210a9a5eb4c0c80c...e207b8113260fd7d84df0ebdb66925ab70da29b2 (5.8-dev) CVE-2019-20891 (WooCommerce before 3.6.5, when it handles CSV imports of products, has ...) NOT-FOR-US: WooCommerce CVE-2020-14929 (Alpine before 2.23 silently proceeds to use an insecure connection aft ...) {DLA-2254-1} - alpine 2.23+dfsg1-1 (bug #963179) [buster] - alpine (Minor issue) [stretch] - alpine (Minor issue) NOTE: http://mailman13.u.washington.edu/pipermail/alpine-info/2020-June/008989.html NOTE: https://repo.or.cz/alpine.git/commitdiff/000edd9036b6aea5e6a06900ecd6c58faec665ab CVE-2020-14928 RESERVED - evolution-data-server 3.36.4-1 NOTE: https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/226 NOTE: https://gitlab.gnome.org/GNOME//evolution-data-server/commit/ba82be72cfd427b5d72ff21f929b3a6d8529c4df CVE-2020-14927 (Navigate CMS 2.9 allows XSS via the Alias or Real URL field of the "We ...) NOT-FOR-US: Navigate CMS CVE-2020-14926 (CMS Made Simple 2.2.14 allows XSS via a Search Term to the admin/modul ...) NOT-FOR-US: CMS Made Simple CVE-2020-14925 RESERVED CVE-2020-14924 RESERVED CVE-2020-14923 RESERVED CVE-2020-14922 RESERVED CVE-2020-14921 RESERVED CVE-2020-14920 RESERVED CVE-2020-14919 RESERVED CVE-2020-14918 RESERVED CVE-2020-14917 RESERVED CVE-2020-14916 RESERVED CVE-2020-14915 RESERVED CVE-2020-14914 RESERVED CVE-2020-14913 RESERVED CVE-2020-14912 RESERVED CVE-2020-14911 RESERVED CVE-2020-14910 RESERVED CVE-2020-14909 RESERVED CVE-2020-14908 RESERVED CVE-2020-14907 RESERVED CVE-2020-14906 RESERVED CVE-2020-14905 RESERVED CVE-2020-14904 RESERVED CVE-2020-14903 RESERVED CVE-2020-14902 RESERVED CVE-2020-14901 RESERVED CVE-2020-14900 RESERVED CVE-2020-14899 RESERVED CVE-2020-14898 RESERVED CVE-2020-14897 RESERVED CVE-2020-14896 RESERVED CVE-2020-14895 RESERVED CVE-2020-14894 RESERVED CVE-2020-14893 RESERVED CVE-2020-14892 RESERVED CVE-2020-14891 RESERVED CVE-2020-14890 RESERVED CVE-2020-14889 RESERVED CVE-2020-14888 RESERVED CVE-2020-14887 RESERVED CVE-2020-14886 RESERVED CVE-2020-14885 RESERVED CVE-2020-14884 RESERVED CVE-2020-14883 RESERVED CVE-2020-14882 RESERVED CVE-2020-14881 RESERVED CVE-2020-14880 RESERVED CVE-2020-14879 RESERVED CVE-2020-14878 RESERVED CVE-2020-14877 RESERVED CVE-2020-14876 RESERVED CVE-2020-14875 RESERVED CVE-2020-14874 RESERVED CVE-2020-14873 RESERVED CVE-2020-14872 RESERVED CVE-2020-14871 RESERVED CVE-2020-14870 RESERVED CVE-2020-14869 RESERVED CVE-2020-14868 RESERVED CVE-2020-14867 RESERVED CVE-2020-14866 RESERVED CVE-2020-14865 RESERVED CVE-2020-14864 RESERVED CVE-2020-14863 RESERVED CVE-2020-14862 RESERVED CVE-2020-14861 RESERVED CVE-2020-14860 RESERVED CVE-2020-14859 RESERVED CVE-2020-14858 RESERVED CVE-2020-14857 RESERVED CVE-2020-14856 RESERVED CVE-2020-14855 RESERVED CVE-2020-14854 RESERVED CVE-2020-14853 RESERVED CVE-2020-14852 RESERVED CVE-2020-14851 RESERVED CVE-2020-14850 RESERVED CVE-2020-14849 RESERVED CVE-2020-14848 RESERVED CVE-2020-14847 RESERVED CVE-2020-14846 RESERVED CVE-2020-14845 RESERVED CVE-2020-14844 RESERVED CVE-2020-14843 RESERVED CVE-2020-14842 RESERVED CVE-2020-14841 RESERVED CVE-2020-14840 RESERVED CVE-2020-14839 RESERVED CVE-2020-14838 RESERVED CVE-2020-14837 RESERVED CVE-2020-14836 RESERVED CVE-2020-14835 RESERVED CVE-2020-14834 RESERVED CVE-2020-14833 RESERVED CVE-2020-14832 RESERVED CVE-2020-14831 RESERVED CVE-2020-14830 RESERVED CVE-2020-14829 RESERVED CVE-2020-14828 RESERVED CVE-2020-14827 RESERVED CVE-2020-14826 RESERVED CVE-2020-14825 RESERVED CVE-2020-14824 RESERVED CVE-2020-14823 RESERVED CVE-2020-14822 RESERVED CVE-2020-14821 RESERVED CVE-2020-14820 RESERVED CVE-2020-14819 RESERVED CVE-2020-14818 RESERVED CVE-2020-14817 RESERVED CVE-2020-14816 RESERVED CVE-2020-14815 RESERVED CVE-2020-14814 RESERVED CVE-2020-14813 RESERVED CVE-2020-14812 RESERVED CVE-2020-14811 RESERVED CVE-2020-14810 RESERVED CVE-2020-14809 RESERVED CVE-2020-14808 RESERVED CVE-2020-14807 RESERVED CVE-2020-14806 RESERVED CVE-2020-14805 RESERVED CVE-2020-14804 RESERVED CVE-2020-14803 RESERVED CVE-2020-14802 RESERVED CVE-2020-14801 RESERVED CVE-2020-14800 RESERVED CVE-2020-14799 RESERVED CVE-2020-14798 RESERVED CVE-2020-14797 RESERVED CVE-2020-14796 RESERVED CVE-2020-14795 RESERVED CVE-2020-14794 RESERVED CVE-2020-14793 RESERVED CVE-2020-14792 RESERVED CVE-2020-14791 RESERVED CVE-2020-14790 RESERVED CVE-2020-14789 RESERVED CVE-2020-14788 RESERVED CVE-2020-14787 RESERVED CVE-2020-14786 RESERVED CVE-2020-14785 RESERVED CVE-2020-14784 RESERVED CVE-2020-14783 RESERVED CVE-2020-14782 RESERVED CVE-2020-14781 RESERVED CVE-2020-14780 RESERVED CVE-2020-14779 RESERVED CVE-2020-14778 RESERVED CVE-2020-14777 RESERVED CVE-2020-14776 RESERVED CVE-2020-14775 RESERVED CVE-2020-14774 RESERVED CVE-2020-14773 RESERVED CVE-2020-14772 RESERVED CVE-2020-14771 RESERVED CVE-2020-14770 RESERVED CVE-2020-14769 RESERVED CVE-2020-14768 RESERVED CVE-2020-14767 RESERVED CVE-2020-14766 RESERVED CVE-2020-14765 RESERVED CVE-2020-14764 RESERVED CVE-2020-14763 RESERVED CVE-2020-14762 RESERVED CVE-2020-14761 RESERVED CVE-2020-14760 RESERVED CVE-2020-14759 RESERVED CVE-2020-14758 RESERVED CVE-2020-14757 RESERVED CVE-2020-14756 RESERVED CVE-2020-14755 RESERVED CVE-2020-14754 RESERVED CVE-2020-14753 RESERVED CVE-2020-14752 RESERVED CVE-2020-14751 RESERVED CVE-2020-14750 RESERVED CVE-2020-14749 RESERVED CVE-2020-14748 RESERVED CVE-2020-14747 RESERVED CVE-2020-14746 RESERVED CVE-2020-14745 RESERVED CVE-2020-14744 RESERVED CVE-2020-14743 RESERVED CVE-2020-14742 RESERVED CVE-2020-14741 RESERVED CVE-2020-14740 RESERVED CVE-2020-14739 RESERVED CVE-2020-14738 RESERVED CVE-2020-14737 RESERVED CVE-2020-14736 RESERVED CVE-2020-14735 RESERVED CVE-2020-14734 RESERVED CVE-2020-14733 RESERVED CVE-2020-14732 RESERVED CVE-2020-14731 RESERVED CVE-2020-14730 RESERVED CVE-2020-14729 RESERVED CVE-2020-14728 RESERVED CVE-2020-14727 RESERVED CVE-2020-14726 RESERVED CVE-2020-14725 RESERVED CVE-2020-14724 RESERVED CVE-2020-14723 RESERVED CVE-2020-14722 RESERVED CVE-2020-14721 RESERVED CVE-2020-14720 RESERVED CVE-2020-14719 RESERVED CVE-2020-14718 RESERVED CVE-2020-14717 RESERVED CVE-2020-14716 RESERVED CVE-2020-14715 RESERVED CVE-2020-14714 RESERVED CVE-2020-14713 RESERVED CVE-2020-14712 RESERVED CVE-2020-14711 RESERVED CVE-2020-14710 RESERVED CVE-2020-14709 RESERVED CVE-2020-14708 RESERVED CVE-2020-14707 RESERVED CVE-2020-14706 RESERVED CVE-2020-14705 RESERVED CVE-2020-14704 RESERVED CVE-2020-14703 RESERVED CVE-2020-14702 RESERVED CVE-2020-14701 RESERVED CVE-2020-14700 RESERVED CVE-2020-14699 RESERVED CVE-2020-14698 RESERVED CVE-2020-14697 RESERVED CVE-2020-14696 RESERVED CVE-2020-14695 RESERVED CVE-2020-14694 RESERVED CVE-2020-14693 RESERVED CVE-2020-14692 RESERVED CVE-2020-14691 RESERVED CVE-2020-14690 RESERVED CVE-2020-14689 RESERVED CVE-2020-14688 RESERVED CVE-2020-14687 RESERVED CVE-2020-14686 RESERVED CVE-2020-14685 RESERVED CVE-2020-14684 RESERVED CVE-2020-14683 RESERVED CVE-2020-14682 RESERVED CVE-2020-14681 RESERVED CVE-2020-14680 RESERVED CVE-2020-14679 RESERVED CVE-2020-14678 RESERVED CVE-2020-14677 RESERVED CVE-2020-14676 RESERVED CVE-2020-14675 RESERVED CVE-2020-14674 RESERVED CVE-2020-14673 RESERVED CVE-2020-14672 RESERVED CVE-2020-14671 RESERVED CVE-2020-14670 RESERVED CVE-2020-14669 RESERVED CVE-2020-14668 RESERVED CVE-2020-14667 RESERVED CVE-2020-14666 RESERVED CVE-2020-14665 RESERVED CVE-2020-14664 RESERVED CVE-2020-14663 RESERVED CVE-2020-14662 RESERVED CVE-2020-14661 RESERVED CVE-2020-14660 RESERVED CVE-2020-14659 RESERVED CVE-2020-14658 RESERVED CVE-2020-14657 RESERVED CVE-2020-14656 RESERVED CVE-2020-14655 RESERVED CVE-2020-14654 RESERVED CVE-2020-14653 RESERVED CVE-2020-14652 RESERVED CVE-2020-14651 RESERVED CVE-2020-14650 RESERVED CVE-2020-14649 RESERVED CVE-2020-14648 RESERVED CVE-2020-14647 RESERVED CVE-2020-14646 RESERVED CVE-2020-14645 RESERVED CVE-2020-14644 RESERVED CVE-2020-14643 RESERVED CVE-2020-14642 RESERVED CVE-2020-14641 RESERVED CVE-2020-14640 RESERVED CVE-2020-14639 RESERVED CVE-2020-14638 RESERVED CVE-2020-14637 RESERVED CVE-2020-14636 RESERVED CVE-2020-14635 RESERVED CVE-2020-14634 RESERVED CVE-2020-14633 RESERVED CVE-2020-14632 RESERVED CVE-2020-14631 RESERVED CVE-2020-14630 RESERVED CVE-2020-14629 RESERVED CVE-2020-14628 RESERVED CVE-2020-14627 RESERVED CVE-2020-14626 RESERVED CVE-2020-14625 RESERVED CVE-2020-14624 RESERVED CVE-2020-14623 RESERVED CVE-2020-14622 RESERVED CVE-2020-14621 RESERVED CVE-2020-14620 RESERVED CVE-2020-14619 RESERVED CVE-2020-14618 RESERVED CVE-2020-14617 RESERVED CVE-2020-14616 RESERVED CVE-2020-14615 RESERVED CVE-2020-14614 RESERVED CVE-2020-14613 RESERVED CVE-2020-14612 RESERVED CVE-2020-14611 RESERVED CVE-2020-14610 RESERVED CVE-2020-14609 RESERVED CVE-2020-14608 RESERVED CVE-2020-14607 RESERVED CVE-2020-14606 RESERVED CVE-2020-14605 RESERVED CVE-2020-14604 RESERVED CVE-2020-14603 RESERVED CVE-2020-14602 RESERVED CVE-2020-14601 RESERVED CVE-2020-14600 RESERVED CVE-2020-14599 RESERVED CVE-2020-14598 RESERVED CVE-2020-14597 RESERVED CVE-2020-14596 RESERVED CVE-2020-14595 RESERVED CVE-2020-14594 RESERVED CVE-2020-14593 RESERVED CVE-2020-14592 RESERVED CVE-2020-14591 RESERVED CVE-2020-14590 RESERVED CVE-2020-14589 RESERVED CVE-2020-14588 RESERVED CVE-2020-14587 RESERVED CVE-2020-14586 RESERVED CVE-2020-14585 RESERVED CVE-2020-14584 RESERVED CVE-2020-14583 RESERVED CVE-2020-14582 RESERVED CVE-2020-14581 RESERVED CVE-2020-14580 RESERVED CVE-2020-14579 RESERVED CVE-2020-14578 RESERVED CVE-2020-14577 RESERVED CVE-2020-14576 RESERVED CVE-2020-14575 RESERVED CVE-2020-14574 RESERVED CVE-2020-14573 RESERVED CVE-2020-14572 RESERVED CVE-2020-14571 RESERVED CVE-2020-14570 RESERVED CVE-2020-14569 RESERVED CVE-2020-14568 RESERVED CVE-2020-14567 RESERVED CVE-2020-14566 RESERVED CVE-2020-14565 RESERVED CVE-2020-14564 RESERVED CVE-2020-14563 RESERVED CVE-2020-14562 RESERVED CVE-2020-14561 RESERVED CVE-2020-14560 RESERVED CVE-2020-14559 RESERVED CVE-2020-14558 RESERVED CVE-2020-14557 RESERVED CVE-2020-14556 RESERVED CVE-2020-14555 RESERVED CVE-2020-14554 RESERVED CVE-2020-14553 RESERVED CVE-2020-14552 RESERVED CVE-2020-14551 RESERVED CVE-2020-14550 RESERVED CVE-2020-14549 RESERVED CVE-2020-14548 RESERVED CVE-2020-14547 RESERVED CVE-2020-14546 RESERVED CVE-2020-14545 RESERVED CVE-2020-14544 RESERVED CVE-2020-14543 RESERVED CVE-2020-14542 RESERVED CVE-2020-14541 RESERVED CVE-2020-14540 RESERVED CVE-2020-14539 RESERVED CVE-2020-14538 RESERVED CVE-2020-14537 RESERVED CVE-2020-14536 RESERVED CVE-2020-14535 RESERVED CVE-2020-14534 RESERVED CVE-2020-14533 RESERVED CVE-2020-14532 RESERVED CVE-2020-14531 RESERVED CVE-2020-14530 RESERVED CVE-2020-14529 RESERVED CVE-2020-14528 RESERVED CVE-2020-14527 RESERVED CVE-2020-14526 RESERVED CVE-2020-14525 RESERVED CVE-2020-14524 RESERVED CVE-2020-14523 RESERVED CVE-2020-14522 RESERVED CVE-2020-14521 RESERVED CVE-2020-14520 RESERVED CVE-2020-14519 RESERVED CVE-2020-14518 RESERVED CVE-2020-14517 RESERVED CVE-2020-14516 RESERVED CVE-2020-14515 RESERVED CVE-2020-14514 RESERVED CVE-2020-14513 RESERVED CVE-2020-14512 RESERVED CVE-2020-14511 RESERVED CVE-2020-14510 RESERVED CVE-2020-14509 RESERVED CVE-2020-14508 RESERVED CVE-2020-14507 RESERVED CVE-2020-14506 RESERVED CVE-2020-14505 RESERVED CVE-2020-14504 RESERVED CVE-2020-14503 RESERVED CVE-2020-14502 RESERVED CVE-2020-14501 RESERVED CVE-2020-14500 RESERVED CVE-2020-14499 RESERVED CVE-2020-14498 RESERVED CVE-2020-14497 RESERVED CVE-2020-14496 RESERVED CVE-2020-14495 RESERVED CVE-2020-14494 RESERVED CVE-2020-14493 RESERVED CVE-2020-14492 RESERVED CVE-2020-14491 RESERVED CVE-2020-14490 RESERVED CVE-2020-14489 RESERVED CVE-2020-14488 RESERVED CVE-2020-14487 RESERVED CVE-2020-14486 RESERVED CVE-2020-14485 RESERVED CVE-2020-14484 RESERVED CVE-2020-14483 RESERVED CVE-2020-14482 (Delta Industrial Automation DOPSoft, Version 4.00.08.15 and prior. Ope ...) NOT-FOR-US: Delta Industrial Automation DOPSoft CVE-2020-14481 RESERVED CVE-2020-14480 RESERVED CVE-2020-14479 RESERVED CVE-2020-14478 RESERVED CVE-2020-14477 (In Philips Ultrasound ClearVue Versions 3.2 and prior, Ultrasound CX V ...) NOT-FOR-US: Philips CVE-2020-14476 REJECTED CVE-2020-14475 (A reflected cross-site scripting (XSS) vulnerability in Dolibarr 11.0. ...) - dolibarr NOTE: https://github.com/Dolibarr/dolibarr/commit/22ca5e067189bffe8066df26df923a386f044c08 CVE-2020-14474 (The Cellebrite UFED physical device 5.0 through 7.5.0.845 relies on ke ...) NOT-FOR-US: Cellebrite CVE-2020-14473 (Stack-based buffer overflow vulnerability in Vigor3900, Vigor2960, and ...) NOT-FOR-US: DrayTek CVE-2020-14472 (DrayTek Vigor3900, Vigor2960, and Vigor300B with firmware before 1.5.1 ...) NOT-FOR-US: DrayTek CVE-2020-14471 RESERVED CVE-2020-14470 (In Octopus Deploy 2018.8.0 through 2019.x before 2019.12.2, an authent ...) NOT-FOR-US: Octopus Deploy CVE-2020-14469 RESERVED CVE-2020-14468 RESERVED CVE-2020-14467 REJECTED CVE-2020-14466 RESERVED CVE-2020-14465 RESERVED CVE-2020-14464 RESERVED CVE-2020-14463 RESERVED CVE-2020-14462 (CALDERA 2.7.0 allows XSS via the Operation Name box. ...) NOT-FOR-US: CALDERA CVE-2020-14461 (Zyxel Armor X1 WAP6806 1.00(ABAL.6)C0 devices allow Directory Traversa ...) NOT-FOR-US: Zyxel CVE-2020-14460 (An issue was discovered in Mattermost Server before 5.19.0, 5.18.1, 5. ...) NOT-FOR-US: Mattermost CVE-2020-14459 (An issue was discovered in Mattermost Server before 5.19.0. Attackers ...) NOT-FOR-US: Mattermost CVE-2020-14458 (An issue was discovered in Mattermost Server before 5.19.0. Attackers ...) NOT-FOR-US: Mattermost CVE-2020-14457 (An issue was discovered in Mattermost Server before 5.20.0. Non-member ...) NOT-FOR-US: Mattermost CVE-2020-14456 (An issue was discovered in Mattermost Desktop App before 4.4.0. The Sa ...) NOT-FOR-US: Mattermost CVE-2020-14455 (An issue was discovered in Mattermost Desktop App before 4.4.0. Prompt ...) NOT-FOR-US: Mattermost CVE-2020-14454 (An issue was discovered in Mattermost Desktop App before 4.4.0. Attack ...) NOT-FOR-US: Mattermost CVE-2020-14453 (An issue was discovered in Mattermost Server before 5.21.0. Socket rea ...) NOT-FOR-US: Mattermost CVE-2020-14452 (An issue was discovered in Mattermost Server before 5.21.0. mmctl allo ...) NOT-FOR-US: Mattermost CVE-2020-14451 (An issue was discovered in Mattermost Mobile Apps before 1.29.0. The i ...) NOT-FOR-US: Mattermost CVE-2020-14450 (An issue was discovered in Mattermost Server before 5.22.0. The markdo ...) NOT-FOR-US: Mattermost CVE-2020-14449 (An issue was discovered in Mattermost Mobile Apps before 1.30.0. Autho ...) NOT-FOR-US: Mattermost CVE-2020-14448 (An issue was discovered in Mattermost Server before 5.23.0. Automatic ...) NOT-FOR-US: Mattermost CVE-2020-14447 (An issue was discovered in Mattermost Server before 5.23.0. Large webh ...) NOT-FOR-US: Mattermost CVE-2019-20890 (An issue was discovered in Mattermost Server before 5.7. It allows a b ...) NOT-FOR-US: Mattermost CVE-2019-20889 (An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, ...) NOT-FOR-US: Mattermost CVE-2019-20888 (An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, ...) NOT-FOR-US: Mattermost CVE-2019-20887 (An issue was discovered in Mattermost Server before 5.7.1, 5.6.4, 5.5. ...) NOT-FOR-US: Mattermost CVE-2019-20886 (An issue was discovered in Mattermost Server before 5.8.0. The first u ...) NOT-FOR-US: Mattermost CVE-2019-20885 (An issue was discovered in Mattermost Server before 5.8.0. It does not ...) NOT-FOR-US: Mattermost CVE-2019-20884 (An issue was discovered in Mattermost Server before 5.8.0. It allows a ...) NOT-FOR-US: Mattermost CVE-2019-20883 (An issue was discovered in Mattermost Server before 5.8.0, when Town S ...) NOT-FOR-US: Mattermost CVE-2019-20882 (An issue was discovered in Mattermost Server before 5.8.0. It does not ...) NOT-FOR-US: Mattermost CVE-2019-20881 (An issue was discovered in Mattermost Server before 5.8.0. It mishandl ...) NOT-FOR-US: Mattermost CVE-2019-20880 (An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6. ...) NOT-FOR-US: Mattermost CVE-2019-20879 (An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6. ...) NOT-FOR-US: Mattermost CVE-2019-20878 (An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7. ...) NOT-FOR-US: Mattermost CVE-2019-20877 (An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7. ...) NOT-FOR-US: Mattermost CVE-2019-20876 (An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7. ...) NOT-FOR-US: Mattermost CVE-2019-20875 (An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7. ...) NOT-FOR-US: Mattermost CVE-2019-20874 (An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7. ...) NOT-FOR-US: Mattermost CVE-2019-20873 (An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7. ...) NOT-FOR-US: Mattermost CVE-2019-20872 (An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7. ...) NOT-FOR-US: Mattermost CVE-2019-20871 (An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7. ...) NOT-FOR-US: Mattermost CVE-2019-20870 (An issue was discovered in Mattermost Server before 5.10.0. An attacke ...) NOT-FOR-US: Mattermost CVE-2019-20869 (An issue was discovered in Mattermost Server before 5.10.0, 5.9.1, 5.8 ...) NOT-FOR-US: Mattermost CVE-2019-20868 (An issue was discovered in Mattermost Server before 5.11.0. Invite IDs ...) NOT-FOR-US: Mattermost CVE-2019-20867 (An issue was discovered in Mattermost Server before 5.11.0. An attacke ...) NOT-FOR-US: Mattermost CVE-2019-20866 (An issue was discovered in Mattermost Server before 5.12.0. Use of a P ...) NOT-FOR-US: Mattermost CVE-2019-20865 (An issue was discovered in Mattermost Server before 5.12.0, 5.11.1, 5. ...) NOT-FOR-US: Mattermost CVE-2019-20864 (An issue was discovered in Mattermost Plugins before 5.13.0. The GitHu ...) NOT-FOR-US: Mattermost CVE-2019-20863 (An issue was discovered in Mattermost Server before 5.13.0. Incoming w ...) NOT-FOR-US: Mattermost CVE-2019-20862 (An issue was discovered in Mattermost Server before 5.13.0. Non-member ...) NOT-FOR-US: Mattermost CVE-2019-20861 (An issue was discovered in Mattermost Desktop App before 4.2.2. It all ...) NOT-FOR-US: Mattermost CVE-2019-20860 (An issue was discovered in Mattermost Server before 5.14.0, 5.13.3, 5. ...) NOT-FOR-US: Mattermost CVE-2019-20859 (An issue was discovered in Mattermost Server before 5.15.0. Login acce ...) NOT-FOR-US: Mattermost CVE-2019-20858 (An issue was discovered in Mattermost Server before 5.15.0. It allows ...) NOT-FOR-US: Mattermost CVE-2019-20857 (An issue was discovered in Mattermost Server before 5.16.0. It allows ...) NOT-FOR-US: Mattermost CVE-2019-20856 (An issue was discovered in Mattermost Desktop App before 4.3.0 on macO ...) NOT-FOR-US: Mattermost CVE-2019-20855 (An issue was discovered in Mattermost Server before 5.16.1, 5.15.2, 5. ...) NOT-FOR-US: Mattermost CVE-2019-20854 (An issue was discovered in Mattermost Server before 5.17.0. It allows ...) NOT-FOR-US: Mattermost CVE-2019-20853 (An issue was discovered in Mattermost Packages before 5.16.3. A Drople ...) NOT-FOR-US: Mattermost CVE-2019-20852 (An issue was discovered in Mattermost Mobile Apps before 1.26.0. Local ...) NOT-FOR-US: Mattermost CVE-2019-20851 (An issue was discovered in Mattermost Mobile Apps before 1.26.0. An at ...) NOT-FOR-US: Mattermost CVE-2019-20850 (An issue was discovered in Mattermost Mobile Apps before 1.26.0. A vie ...) NOT-FOR-US: Mattermost CVE-2019-20849 (An issue was discovered in Mattermost Mobile Apps before 1.26.0. Cooki ...) NOT-FOR-US: Mattermost CVE-2019-20848 (An issue was discovered in Mattermost Mobile Apps before 1.26.0. The Q ...) NOT-FOR-US: Mattermost CVE-2019-20847 (An issue was discovered in Mattermost Server before 5.18.0. An attacke ...) NOT-FOR-US: Mattermost CVE-2019-20846 (An issue was discovered in Mattermost Server before 5.18.0. It has wea ...) NOT-FOR-US: Mattermost CVE-2019-20845 (An issue was discovered in Mattermost Server before 5.18.0. It allows ...) NOT-FOR-US: Mattermost CVE-2019-20844 (An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5. ...) NOT-FOR-US: Mattermost CVE-2019-20843 (An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5. ...) NOT-FOR-US: Mattermost CVE-2019-20842 (An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5. ...) NOT-FOR-US: Mattermost CVE-2019-20841 (An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5. ...) NOT-FOR-US: Mattermost CVE-2018-21265 (An issue was discovered in Mattermost Desktop App before 4.0.0. It mis ...) NOT-FOR-US: Mattermost CVE-2018-21264 (An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and ...) NOT-FOR-US: Mattermost CVE-2018-21263 (An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and ...) NOT-FOR-US: Mattermost CVE-2018-21262 (An issue was discovered in Mattermost Server before 4.7.3. It allows a ...) NOT-FOR-US: Mattermost CVE-2018-21261 (An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and ...) NOT-FOR-US: Mattermost CVE-2018-21260 (An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and ...) NOT-FOR-US: Mattermost CVE-2018-21259 (An issue was discovered in Mattermost Server before 4.10.1, 4.9.4, and ...) NOT-FOR-US: Mattermost CVE-2018-21258 (An issue was discovered in Mattermost Server before 5.1. It allows att ...) NOT-FOR-US: Mattermost CVE-2018-21257 (An issue was discovered in Mattermost Server before 5.1. It allows att ...) NOT-FOR-US: Mattermost CVE-2018-21256 (An issue was discovered in Mattermost Server before 5.1. It allows att ...) NOT-FOR-US: Mattermost CVE-2018-21255 (An issue was discovered in Mattermost Server before 5.1. Non-members o ...) NOT-FOR-US: Mattermost CVE-2018-21254 (An issue was discovered in Mattermost Server before 5.1. An attacker c ...) NOT-FOR-US: Mattermost CVE-2018-21253 (An issue was discovered in Mattermost Server before 5.1, 5.0.2, and 4. ...) NOT-FOR-US: Mattermost CVE-2018-21252 (An issue was discovered in Mattermost Server before 5.2, 5.1.1, 5.0.3, ...) NOT-FOR-US: Mattermost CVE-2018-21251 (An issue was discovered in Mattermost Server before 5.2 and 5.1.1. Aut ...) NOT-FOR-US: Mattermost CVE-2018-21250 (An issue was discovered in Mattermost Server before 5.2.2, 5.1.2, and ...) NOT-FOR-US: Mattermost CVE-2018-21249 (An issue was discovered in Mattermost Server before 5.3.0. It mishandl ...) NOT-FOR-US: Mattermost CVE-2018-21248 (An issue was discovered in Mattermost Server before 5.4.0. It mishandl ...) NOT-FOR-US: Mattermost CVE-2017-18921 (An issue was discovered in Mattermost Server before 3.6.0 and 3.5.2. X ...) NOT-FOR-US: Mattermost CVE-2017-18920 (An issue was discovered in Mattermost Server before 3.6.2. The WebSock ...) NOT-FOR-US: Mattermost CVE-2017-18919 (An issue was discovered in Mattermost Server before 3.7.0 and 3.6.3. A ...) NOT-FOR-US: Mattermost CVE-2017-18918 (An issue was discovered in Mattermost Server before 3.7.3 and 3.6.5. A ...) NOT-FOR-US: Mattermost CVE-2017-18917 (An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and ...) NOT-FOR-US: Mattermost CVE-2017-18916 (An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and ...) NOT-FOR-US: Mattermost CVE-2017-18915 (An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and ...) NOT-FOR-US: Mattermost CVE-2017-18914 (An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and ...) NOT-FOR-US: Mattermost CVE-2017-18913 (An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and ...) NOT-FOR-US: Mattermost CVE-2017-18912 (An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and ...) NOT-FOR-US: Mattermost CVE-2017-18911 (An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and ...) NOT-FOR-US: Mattermost CVE-2017-18910 (An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and ...) NOT-FOR-US: Mattermost CVE-2017-18909 (An issue was discovered in Mattermost Server before 3.9.0 when SAML is ...) NOT-FOR-US: Mattermost CVE-2017-18908 (An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and ...) NOT-FOR-US: Mattermost CVE-2017-18907 (An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and ...) NOT-FOR-US: Mattermost CVE-2017-18906 (An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and ...) NOT-FOR-US: Mattermost CVE-2017-18905 (An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and ...) NOT-FOR-US: Mattermost CVE-2017-18904 (An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and ...) NOT-FOR-US: Mattermost CVE-2017-18903 (An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and ...) NOT-FOR-US: Mattermost CVE-2017-18902 (An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and ...) NOT-FOR-US: Mattermost CVE-2017-18901 (An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and ...) NOT-FOR-US: Mattermost CVE-2017-18900 (An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and ...) NOT-FOR-US: Mattermost CVE-2017-18899 (An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and ...) NOT-FOR-US: Mattermost CVE-2017-18898 (An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and ...) NOT-FOR-US: Mattermost CVE-2017-18897 (An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and ...) NOT-FOR-US: Mattermost CVE-2017-18896 (An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and ...) NOT-FOR-US: Mattermost CVE-2017-18895 (An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and ...) NOT-FOR-US: Mattermost CVE-2017-18894 (An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and ...) NOT-FOR-US: Mattermost CVE-2017-18893 (An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and ...) NOT-FOR-US: Mattermost CVE-2017-18892 (An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and ...) NOT-FOR-US: Mattermost CVE-2017-18891 (An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and ...) NOT-FOR-US: Mattermost CVE-2017-18890 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...) NOT-FOR-US: Mattermost CVE-2017-18889 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...) NOT-FOR-US: Mattermost CVE-2017-18888 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...) NOT-FOR-US: Mattermost CVE-2017-18887 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...) NOT-FOR-US: Mattermost CVE-2017-18886 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...) NOT-FOR-US: Mattermost CVE-2017-18885 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...) NOT-FOR-US: Mattermost CVE-2017-18884 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...) NOT-FOR-US: Mattermost CVE-2017-18883 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...) NOT-FOR-US: Mattermost CVE-2017-18882 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...) NOT-FOR-US: Mattermost CVE-2017-18881 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...) NOT-FOR-US: Mattermost CVE-2017-18880 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...) NOT-FOR-US: Mattermost CVE-2017-18879 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...) NOT-FOR-US: Mattermost CVE-2017-18878 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...) NOT-FOR-US: Mattermost CVE-2017-18877 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...) NOT-FOR-US: Mattermost CVE-2017-18876 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...) NOT-FOR-US: Mattermost CVE-2017-18875 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...) NOT-FOR-US: Mattermost CVE-2017-18874 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...) NOT-FOR-US: Mattermost CVE-2017-18873 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...) NOT-FOR-US: Mattermost CVE-2017-18872 (An issue was discovered in Mattermost Server before 4.4.3 and 4.3.3. A ...) NOT-FOR-US: Mattermost CVE-2017-18871 (An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, 4.3. ...) NOT-FOR-US: Mattermost CVE-2017-18870 (An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, and ...) NOT-FOR-US: Mattermost CVE-2016-11084 (An issue was discovered in Mattermost Server before 2.1.0. It allows X ...) NOT-FOR-US: Mattermost CVE-2016-11083 (An issue was discovered in Mattermost Server before 2.2.0. It allows X ...) NOT-FOR-US: Mattermost CVE-2016-11082 (An issue was discovered in Mattermost Server before 2.2.0. It allows X ...) NOT-FOR-US: Mattermost CVE-2016-11081 (An issue was discovered in Mattermost Server before 2.2.0. It allows u ...) NOT-FOR-US: Mattermost CVE-2016-11080 (An issue was discovered in Mattermost Server before 3.0.0. It offers s ...) NOT-FOR-US: Mattermost CVE-2016-11079 (An issue was discovered in Mattermost Server before 3.0.0. It allows X ...) NOT-FOR-US: Mattermost CVE-2016-11078 (An issue was discovered in Mattermost Server before 3.0.0. It potentia ...) NOT-FOR-US: Mattermost CVE-2016-11077 (An issue was discovered in Mattermost Server before 3.0.0. It has a su ...) NOT-FOR-US: Mattermost CVE-2016-11076 (An issue was discovered in Mattermost Server before 3.0.0. It does not ...) NOT-FOR-US: Mattermost CVE-2016-11075 (An issue was discovered in Mattermost Server before 3.0.0. It allows a ...) NOT-FOR-US: Mattermost CVE-2016-11074 (An issue was discovered in Mattermost Server before 3.0.0. A password- ...) NOT-FOR-US: Mattermost CVE-2016-11073 (An issue was discovered in Mattermost Server before 3.0.0. It allows X ...) NOT-FOR-US: Mattermost CVE-2016-11072 (An issue was discovered in Mattermost Server before 3.0.2. The purpose ...) NOT-FOR-US: Mattermost CVE-2016-11071 (An issue was discovered in Mattermost Server before 3.1.0. It allows X ...) NOT-FOR-US: Mattermost CVE-2016-11070 (An issue was discovered in Mattermost Server before 3.1.0. It allows X ...) NOT-FOR-US: Mattermost CVE-2016-11069 (An issue was discovered in Mattermost Server before 3.2.0. It mishandl ...) NOT-FOR-US: Mattermost CVE-2016-11068 (An issue was discovered in Mattermost Server before 3.2.0. Attackers c ...) NOT-FOR-US: Mattermost CVE-2016-11067 (An issue was discovered in Mattermost Server before 3.2.0. It allowed ...) NOT-FOR-US: Mattermost CVE-2016-11066 (An issue was discovered in Mattermost Server before 3.2.0. The initial ...) NOT-FOR-US: Mattermost CVE-2016-11065 (An issue was discovered in Mattermost Server before 3.3.0. An attacker ...) NOT-FOR-US: Mattermost CVE-2016-11064 (An issue was discovered in Mattermost Desktop App before 3.4.0. String ...) NOT-FOR-US: Mattermost CVE-2016-11063 (An issue was discovered in Mattermost Server before 3.5.1. XSS can occ ...) NOT-FOR-US: Mattermost CVE-2016-11062 (An issue was discovered in Mattermost Server before 3.5.1. E-mail addr ...) NOT-FOR-US: Mattermost CVE-2015-9548 (An issue was discovered in Mattermost Server before 1.2.0. It allows a ...) NOT-FOR-US: Mattermost CVE-2020-14954 (Mutt before 1.14.4 and NeoMutt before 2020-06-19 have a STARTTLS buffe ...) {DSA-4708-1 DSA-4707-1 DLA-2268-2 DLA-2268-1} - mutt 1.14.4-1 - neomutt 20200619+dfsg.1-1 NOTE: https://gitlab.com/muttmua/mutt/commit/c547433cdf2e79191b15c6932c57f1472bfb5ff4 NOTE: https://gitlab.com/muttmua/mutt/-/issues/248 NOTE: https://github.com/neomutt/neomutt/commit/fb013ec666759cb8a9e294347c7b4c1f597639cc CVE-2020-14446 (An issue was discovered in WSO2 Identity Server through 5.10.0 and WSO ...) NOT-FOR-US: WSO2 Identity Server CVE-2020-14445 (An issue was discovered in WSO2 Identity Server through 5.9.0 and WSO2 ...) NOT-FOR-US: WSO2 Identity Server CVE-2020-14444 (An issue was discovered in WSO2 Identity Server through 5.9.0 and WSO2 ...) NOT-FOR-US: WSO2 Identity Server CVE-2020-14443 (A SQL injection vulnerability in accountancy/customer/card.php in Doli ...) - dolibarr CVE-2020-14442 (Certain NETGEAR devices are affected by command injection by an unauth ...) NOT-FOR-US: NETGEAR CVE-2020-14441 (Certain NETGEAR devices are affected by command injection by an unauth ...) NOT-FOR-US: NETGEAR CVE-2020-14440 (Certain NETGEAR devices are affected by command injection by an unauth ...) NOT-FOR-US: NETGEAR CVE-2020-14439 (Certain NETGEAR devices are affected by command injection by an unauth ...) NOT-FOR-US: NETGEAR CVE-2020-14438 (Certain NETGEAR devices are affected by command injection by an unauth ...) NOT-FOR-US: NETGEAR CVE-2020-14437 (Certain NETGEAR devices are affected by command injection by an unauth ...) NOT-FOR-US: NETGEAR CVE-2020-14436 (Certain NETGEAR devices are affected by command injection by an unauth ...) NOT-FOR-US: NETGEAR CVE-2020-14435 (Certain NETGEAR devices are affected by command injection by an unauth ...) NOT-FOR-US: NETGEAR CVE-2020-14434 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: NETGEAR CVE-2020-14433 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: NETGEAR CVE-2020-14432 (Certain NETGEAR devices are affected by CSRF. This affects RBK752 befo ...) NOT-FOR-US: NETGEAR CVE-2020-14431 (Certain NETGEAR devices are affected by disclosure of administrative c ...) NOT-FOR-US: NETGEAR CVE-2020-14430 (Certain NETGEAR devices are affected by disclosure of administrative c ...) NOT-FOR-US: NETGEAR CVE-2020-14429 (Certain NETGEAR devices are affected by disclosure of administrative c ...) NOT-FOR-US: NETGEAR CVE-2020-14428 (Certain NETGEAR devices are affected by disclosure of administrative c ...) NOT-FOR-US: NETGEAR CVE-2020-14427 (Certain NETGEAR devices are affected by disclosure of administrative c ...) NOT-FOR-US: NETGEAR CVE-2020-14426 (Certain NETGEAR devices are affected by disclosure of administrative c ...) NOT-FOR-US: NETGEAR CVE-2020-14425 RESERVED CVE-2020-14424 RESERVED CVE-2020-14423 (Convos before 4.20 does not properly generate a random secret in Core/ ...) NOT-FOR-US: Convos CVE-2020-14422 (Lib/ipaddress.py in Python through 3.8.3 improperly computes hash valu ...) - python3.8 3.8.4~rc1-1 - python3.7 [buster] - python3.7 (Minor issue) - python3.5 [stretch] - python3.5 (Minor issue) - python3.4 [jessie] - python3.4 (Minor issue, DoS with constraints) NOTE: https://bugs.python.org/issue41004 NOTE: https://github.com/python/cpython/pull/20956 NOTE: https://github.com/python/cpython/pull/21033 NOTE: https://github.com/python/cpython/commit/b30ee26e366bf509b7538d79bfec6c6d38d53f28 (master) NOTE: https://github.com/python/cpython/commit/9a646aa82dfa62d70ca2a99ada901ee6cf9f82bd (3.9-branch) NOTE: https://github.com/python/cpython/commit/dc8ce8ead182de46584cc1ed8a8c51d48240cbd5 (v3.8.4rc1) NOTE: https://github.com/python/cpython/commit/b98e7790c77a4378ec4b1c71b84138cb930b69b7 (3.7-branch) NOTE: https://github.com/python/cpython/commit/cfc7ff8d05f7a949a88b8a8dd506fb5c1c30d3e9 (3.6-branch) CVE-2020-14421 (aaPanel through 6.6.6 allows remote authenticated users to execute arb ...) NOT-FOR-US: aaPanel CVE-2020-14420 RESERVED CVE-2020-14419 RESERVED CVE-2020-14418 RESERVED CVE-2020-14417 RESERVED CVE-2020-14415 [division by zero in oss_write() in audio/ossaudio.c] RESERVED - qemu 1:5.0-1 [buster] - qemu (Vulnerable code introduced later) [stretch] - qemu (Vulnerable code introduced later) [jessie] - qemu (Vulnerable code introduced later) NOTE: Introduced in: https://git.qemu.org/?p=qemu.git;a=commit;h=3ba4066d085f5bdce2c7ac145692a4fd52493d67 (4.2.0-rc0) NOTE: Fixed by: https://git.qemu.org/?p=qemu.git;a=commit;h=7a4ede0047a8613b0e3b72c9d351038f013dd357 (5.0.0-rc0) CVE-2020-14416 (In the Linux kernel before 5.4.16, a race condition in tty->disc_da ...) - linux 5.4.19-1 [buster] - linux 4.19.118-1 [stretch] - linux 4.9.210-1+deb9u1 [jessie] - linux 3.16.84-1 NOTE: https://git.kernel.org/linus/0ace17d56824165c7f4c68785d6b58971db954dd CVE-2020-14414 (NeDi 1.9C is vulnerable to Remote Command Execution. pwsec.php imprope ...) NOT-FOR-US: NeDi CVE-2020-14413 (NeDi 1.9C is vulnerable to XSS because of an incorrect implementation ...) NOT-FOR-US: NeDi CVE-2020-14412 (NeDi 1.9C is vulnerable to Remote Command Execution. System-Snapshot.p ...) NOT-FOR-US: NeDi CVE-2020-14411 RESERVED CVE-2020-14410 RESERVED CVE-2020-14409 RESERVED CVE-2020-14408 (An issue was discovered in Agentejo Cockpit 0.10.2. Insufficient sanit ...) NOT-FOR-US: Agentejo Cockpit CVE-2020-14407 RESERVED CVE-2020-14406 RESERVED CVE-2020-14405 (An issue was discovered in LibVNCServer before 0.9.13. libvncclient/rf ...) {DLA-2264-1} - libvncserver 0.9.13+dfsg-1 NOTE: https://github.com/LibVNC/libvncserver/commit/8937203441ee241c4ace85da687b7d6633a12365 CVE-2020-14404 (An issue was discovered in LibVNCServer before 0.9.13. libvncserver/rr ...) {DLA-2264-1} - libvncserver 0.9.13+dfsg-1 NOTE: https://github.com/LibVNC/libvncserver/commit/74e8a70f2c9a5248d6718ce443e07c7ed314dfff CVE-2020-14403 (An issue was discovered in LibVNCServer before 0.9.13. libvncserver/he ...) {DLA-2264-1} - libvncserver 0.9.13+dfsg-1 NOTE: https://github.com/LibVNC/libvncserver/commit/74e8a70f2c9a5248d6718ce443e07c7ed314dfff CVE-2020-14402 (An issue was discovered in LibVNCServer before 0.9.13. libvncserver/co ...) {DLA-2264-1} - libvncserver 0.9.13+dfsg-1 NOTE: https://github.com/LibVNC/libvncserver/commit/74e8a70f2c9a5248d6718ce443e07c7ed314dfff CVE-2020-14401 (An issue was discovered in LibVNCServer before 0.9.13. libvncserver/sc ...) {DLA-2264-1} - libvncserver 0.9.13+dfsg-1 NOTE: https://github.com/LibVNC/libvncserver/commit/a6788d1da719ae006605b78d22f5a9f170b423af CVE-2020-14400 (An issue was discovered in LibVNCServer before 0.9.13. Byte-aligned da ...) {DLA-2264-1} - libvncserver 0.9.13+dfsg-1 NOTE: https://github.com/LibVNC/libvncserver/commit/53073c8d7e232151ea2ecd8a1243124121e10e2d CVE-2020-14399 (An issue was discovered in LibVNCServer before 0.9.13. Byte-aligned da ...) {DLA-2264-1} - libvncserver 0.9.13+dfsg-1 NOTE: https://github.com/LibVNC/libvncserver/commit/23e5cbe6b090d7f22982aee909a6a618174d3c2d CVE-2020-14398 (An issue was discovered in LibVNCServer before 0.9.13. An improperly c ...) - libvncserver 0.9.13+dfsg-1 [jessie] - libvncserver (Proposed patch might break ABI consumers) NOTE: https://github.com/LibVNC/libvncserver/commit/57433015f856cc12753378254ce4f1c78f5d9c7b CVE-2020-14397 (An issue was discovered in LibVNCServer before 0.9.13. libvncserver/rf ...) {DLA-2264-1} - libvncserver 0.9.13+dfsg-1 NOTE: https://github.com/LibVNC/libvncserver/commit/38e98ee61d74f5f5ab4aa4c77146faad1962d6d0 CVE-2020-14396 (An issue was discovered in LibVNCServer before 0.9.13. libvncclient/tl ...) - libvncserver 0.9.13+dfsg-1 [jessie] - libvncserver (Vulnerable code not present) NOTE: https://github.com/LibVNC/libvncserver/commit/33441d90a506d5f3ae9388f2752901227e430553 CVE-2020-14395 RESERVED CVE-2020-14394 RESERVED CVE-2020-14393 RESERVED CVE-2020-14392 RESERVED CVE-2020-14391 RESERVED CVE-2020-14390 RESERVED CVE-2020-14389 RESERVED CVE-2020-14388 RESERVED CVE-2020-14387 RESERVED CVE-2020-14386 RESERVED CVE-2020-14385 RESERVED CVE-2020-14384 RESERVED CVE-2020-14383 RESERVED CVE-2020-14382 RESERVED CVE-2020-14381 RESERVED CVE-2020-14380 RESERVED CVE-2020-14379 RESERVED CVE-2020-14378 RESERVED CVE-2020-14377 RESERVED CVE-2020-14376 RESERVED CVE-2020-14375 RESERVED CVE-2020-14374 RESERVED CVE-2020-14373 RESERVED CVE-2020-14372 RESERVED CVE-2020-14371 RESERVED CVE-2020-14370 RESERVED CVE-2020-14369 RESERVED CVE-2020-14368 RESERVED CVE-2020-14367 RESERVED CVE-2020-14366 RESERVED CVE-2020-14365 RESERVED CVE-2020-14364 RESERVED CVE-2020-14363 RESERVED CVE-2020-14362 RESERVED CVE-2020-14361 RESERVED CVE-2020-14360 RESERVED CVE-2020-14359 RESERVED CVE-2020-14358 RESERVED CVE-2020-14357 RESERVED CVE-2020-14356 RESERVED CVE-2020-14355 RESERVED CVE-2020-14354 RESERVED CVE-2020-14353 RESERVED CVE-2020-14352 RESERVED CVE-2020-14351 RESERVED CVE-2020-14350 RESERVED CVE-2020-14349 RESERVED CVE-2020-14348 RESERVED CVE-2020-14347 RESERVED CVE-2020-14346 RESERVED CVE-2020-14345 RESERVED CVE-2020-14344 RESERVED CVE-2020-14343 RESERVED CVE-2020-14342 RESERVED CVE-2020-14341 RESERVED CVE-2020-14340 RESERVED CVE-2020-14339 RESERVED CVE-2020-14338 RESERVED CVE-2020-14337 RESERVED CVE-2020-14336 RESERVED CVE-2020-14335 RESERVED CVE-2020-14334 RESERVED CVE-2020-14333 RESERVED CVE-2020-14332 RESERVED CVE-2020-14331 RESERVED CVE-2020-14330 RESERVED CVE-2020-14329 RESERVED CVE-2020-14328 RESERVED CVE-2020-14327 RESERVED CVE-2020-14326 RESERVED CVE-2020-14325 RESERVED CVE-2020-14324 RESERVED CVE-2020-14323 RESERVED CVE-2020-14322 RESERVED CVE-2020-14321 RESERVED CVE-2020-14320 RESERVED CVE-2020-14319 RESERVED CVE-2020-14318 RESERVED CVE-2020-14317 RESERVED - wildfly (bug #752018) CVE-2020-14316 RESERVED CVE-2020-14315 RESERVED CVE-2020-14314 [buffer uses out of index in ext3/4 filesystem] RESERVED - linux NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1853922 CVE-2020-14313 RESERVED NOT-FOR-US: Quay CVE-2020-14312 RESERVED - dnsmasq 2.69-1 (bug #732610) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1851342 CVE-2020-14311 RESERVED CVE-2020-14310 RESERVED CVE-2020-14309 RESERVED CVE-2020-14308 RESERVED CVE-2020-14307 RESERVED CVE-2020-14306 RESERVED NOT-FOR-US: OpenShift CVE-2020-14305 [memory corruption in Voice over IP nf_conntrack_h323 module] RESERVED - linux 4.12.6-1 NOTE: https://patchwork.ozlabs.org/project/netfilter-devel/patch/c2385b5c-309c-cc64-2e10-a0ef62897502@virtuozzo.com/ CVE-2020-14304 [ethtool when reading eeprom of device could lead to memory leak] RESERVED - linux (bug #960702) CVE-2020-14303 (A flaw was found in the AD DC NBT server in all Samba versions before ...) - samba 2:4.12.5+dfsg-1 NOTE: https://www.samba.org/samba/security/CVE-2020-14303.html CVE-2020-14302 RESERVED CVE-2020-14301 [leak of sensitive cookie information via dumpxml] RESERVED - libvirt (Vulnerable code introduced with 6.2.0) NOTE: Fixed by: https://github.com/libvirt/libvirt/commit/a5b064bf4b17a9884d7d361733737fb614ad8979 NOTE: Fixed by: https://github.com/libvirt/libvirt/commit/524de6cc35d3b222f0e940bb0fd027f5482572c5 CVE-2020-14300 RESERVED - docker.io (Red Hat specific regression) CVE-2020-14299 RESERVED CVE-2020-14298 RESERVED - docker.io (Red Hat specific regression) CVE-2020-14297 RESERVED CVE-2020-14296 RESERVED CVE-2020-14295 (A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to ...) - cacti (bug #963139) [buster] - cacti (Vulnerability introduced later) [stretch] - cacti (Vulnerability introduced later) [jessie] - cacti (Vulnerability introduced later) NOTE: https://github.com/Cacti/cacti/issues/3622 NOTE: Fixed by: https://github.com/Cacti/cacti/commit/cc1a656f37b08c0c45667c119a44a3751271ac6e NOTE: Introduced with the fix for https://github.com/Cacti/cacti/issues/2839 NOTE: Introduced by: https://github.com/Cacti/cacti/commit/b87747c38ba58e8cf6507d4f1f8476d1df567556 (1.2.6) CVE-2020-14294 RESERVED CVE-2020-14293 RESERVED CVE-2020-14292 RESERVED CVE-2020-14291 RESERVED CVE-2020-14290 RESERVED CVE-2020-14289 RESERVED CVE-2020-14288 RESERVED CVE-2020-14287 RESERVED CVE-2020-14286 RESERVED CVE-2020-14285 RESERVED CVE-2020-14284 RESERVED CVE-2020-14283 RESERVED CVE-2020-14282 RESERVED CVE-2020-14281 RESERVED CVE-2020-14280 RESERVED CVE-2020-14279 RESERVED CVE-2020-14278 RESERVED CVE-2020-14277 RESERVED CVE-2020-14276 RESERVED CVE-2020-14275 RESERVED CVE-2020-14274 RESERVED CVE-2020-14273 RESERVED CVE-2020-14272 RESERVED CVE-2020-14271 RESERVED CVE-2020-14270 RESERVED CVE-2020-14269 RESERVED CVE-2020-14268 RESERVED CVE-2020-14267 RESERVED CVE-2020-14266 RESERVED CVE-2020-14265 RESERVED CVE-2020-14264 RESERVED CVE-2020-14263 RESERVED CVE-2020-14262 RESERVED CVE-2020-14261 RESERVED CVE-2020-14260 RESERVED CVE-2020-14259 RESERVED CVE-2020-14258 RESERVED CVE-2020-14257 RESERVED CVE-2020-14256 RESERVED CVE-2020-14255 RESERVED CVE-2020-14254 RESERVED CVE-2020-14253 RESERVED CVE-2020-14252 RESERVED CVE-2020-14251 RESERVED CVE-2020-14250 RESERVED CVE-2020-14249 RESERVED CVE-2020-14248 RESERVED CVE-2020-14247 RESERVED CVE-2020-14246 RESERVED CVE-2020-14245 RESERVED CVE-2020-14244 RESERVED CVE-2020-14243 RESERVED CVE-2020-14242 RESERVED CVE-2020-14241 RESERVED CVE-2020-14240 RESERVED CVE-2020-14239 RESERVED CVE-2020-14238 RESERVED CVE-2020-14237 RESERVED CVE-2020-14236 RESERVED CVE-2020-14235 RESERVED CVE-2020-14234 RESERVED CVE-2020-14233 RESERVED CVE-2020-14232 RESERVED CVE-2020-14231 RESERVED CVE-2020-14230 RESERVED CVE-2020-14229 RESERVED CVE-2020-14228 RESERVED CVE-2020-14227 RESERVED CVE-2020-14226 RESERVED CVE-2020-14225 RESERVED CVE-2020-14224 RESERVED CVE-2020-14223 RESERVED CVE-2020-14222 RESERVED CVE-2020-14221 RESERVED CVE-2020-14220 RESERVED CVE-2020-14219 RESERVED CVE-2020-14218 RESERVED CVE-2020-14217 RESERVED CVE-2020-14216 RESERVED CVE-2019-20840 (An issue was discovered in LibVNCServer before 0.9.13. libvncserver/ws ...) - libvncserver 0.9.13+dfsg-1 [jessie] - libvncserver (Vulnerable code not present) NOTE: https://github.com/LibVNC/libvncserver/commit/0cf1400c61850065de590d403f6d49e32882fd76 CVE-2019-20839 (libvncclient/sockets.c in LibVNCServer before 0.9.13 has a buffer over ...) {DLA-2264-1} - libvncserver 0.9.13+dfsg-1 NOTE: https://github.com/LibVNC/libvncserver/commit/3fd03977c9b35800d73a865f167338cb4d05b0c1 CVE-2018-21247 (An issue was discovered in LibVNCServer before 0.9.13. There is an inf ...) {DSA-4383-1 DLA-1617-1} - libvncserver 0.9.11+dfsg-1.2 NOTE: https://github.com/LibVNC/libvncserver/issues/253 NOTE: https://github.com/LibVNC/libvncserver/commit/8b06f835e259652b0ff026898014fc7297ade858 CVE-2020-14215 RESERVED CVE-2020-14214 (Zammad before 3.3.1, when Domain Based Assignment is enabled, relies o ...) - zammad (bug #841355) CVE-2020-14213 (In Zammad before 3.3.1, a Customer has ticket access that should only ...) - zammad (bug #841355) CVE-2020-14212 (FFmpeg through 4.3 has a heap-based buffer overflow in avio_get_str in ...) - ffmpeg [buster] - ffmpeg (Vulnerable code not present) [stretch] - ffmpeg (Vulnerable code not present) NOTE: https://trac.ffmpeg.org/ticket/8716 NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=0b3bd001ac1745d9d008a2d195817df57d7d1d14 CVE-2020-14211 RESERVED CVE-2020-14210 (MONITORAPP AIWAF-VE and AIWAF-4000 through 2020-06-16 allow reflected ...) NOT-FOR-US: MONITORAPP CVE-2020-14209 RESERVED CVE-2020-14208 RESERVED CVE-2020-14207 RESERVED CVE-2020-14206 RESERVED CVE-2020-14205 RESERVED CVE-2020-14204 (In WebFOCUS Business Intelligence 8.0 (SP6), the administration portal ...) NOT-FOR-US: WebFOCUS Business Intelligence CVE-2020-14203 (WebFOCUS Business Intelligence 8.0 (SP6) allows a Cross-Site Request F ...) NOT-FOR-US: WebFOCUS Business Intelligence CVE-2020-14202 (WebFOCUS Business Intelligence 8.0 (SP6) was prone to XSS via arbitrar ...) NOT-FOR-US: WebFOCUS Business Intelligence CVE-2020-14201 RESERVED CVE-2020-14200 RESERVED CVE-2020-14199 (BIP-143 in the Bitcoin protocol specification mishandles the signing o ...) NOT-FOR-US: Bitcoin protocol issue CVE-2020-14198 RESERVED CVE-2020-14197 RESERVED CVE-2020-14196 (In PowerDNS Recursor versions up to and including 4.3.1, 4.2.2 and 4.1 ...) - pdns-recursor 4.3.2-1 (low; bug #964103) [buster] - pdns-recursor (Minor issue, fix along in next DSA) [stretch] - pdns-recursor (Minor issue, fix along in next DSA) NOTE: https://www.openwall.com/lists/oss-security/2020/07/01/1 CVE-2020-14195 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...) {DLA-2270-1} - jackson-databind [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2765 NOTE: https://github.com/FasterXML/jackson-databind/commit/f6d9c664f6d481703138319f6a0f1fdbddb3a259 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. CVE-2020-14194 RESERVED CVE-2020-14193 RESERVED CVE-2020-14192 RESERVED CVE-2020-14191 RESERVED CVE-2020-14190 RESERVED CVE-2020-14189 RESERVED CVE-2020-14188 RESERVED CVE-2020-14187 RESERVED CVE-2020-14186 RESERVED CVE-2020-14185 RESERVED CVE-2020-14184 RESERVED CVE-2020-14183 RESERVED CVE-2020-14182 RESERVED CVE-2020-14181 RESERVED CVE-2020-14180 RESERVED CVE-2020-14179 RESERVED CVE-2020-14178 RESERVED CVE-2020-14177 RESERVED CVE-2020-14176 RESERVED CVE-2020-14175 RESERVED CVE-2020-14174 RESERVED CVE-2020-14173 (The file upload feature in Atlassian Jira Server and Data Center in af ...) NOT-FOR-US: Atlassian CVE-2020-14172 (Affected versions of Atlassian Jira Server and Data Center allow remot ...) NOT-FOR-US: Atlassian CVE-2020-14171 RESERVED CVE-2020-14170 RESERVED CVE-2020-14169 (The quick search component in Atlassian Jira Server and Data Center be ...) NOT-FOR-US: Atlassian CVE-2020-14168 (The email client in Jira Server and Data Center before version 7.13.16 ...) NOT-FOR-US: Atlassian CVE-2020-14167 (The MessageBundleResource resource in Jira Server and Data Center befo ...) NOT-FOR-US: Atlassian CVE-2020-14166 (The /servicedesk/customer/portals resource in Jira Service Desk Server ...) NOT-FOR-US: Atlassian CVE-2020-14165 (The UniversalAvatarResource.getAvatars resource in Jira Server and Dat ...) NOT-FOR-US: Atlassian CVE-2020-14164 (The WYSIWYG editor resource in Jira Server and Data Center before vers ...) NOT-FOR-US: Atlassian CVE-2020-14163 (An issue was discovered in ecma/operations/ecma-container-object.c in ...) NOT-FOR-US: JerryScript CVE-2020-14162 RESERVED CVE-2020-14161 RESERVED CVE-2020-14160 RESERVED CVE-2020-14159 (By using an Automate API in ConnectWise Automate before 2020.5.178, a ...) NOT-FOR-US: ConnectWise CVE-2020-14158 RESERVED CVE-2020-14157 (The wireless-communication feature of the ABUS Secvest FUBE50001 devic ...) NOT-FOR-US: ABUS CVE-2020-14156 (user_channel/passwd_mgr.cpp in OpenBMC phosphor-host-ipmid before 2020 ...) NOT-FOR-US: OpenBMC CVE-2020-14155 (libpcre in PCRE before 8.44 allows an integer overflow via a large num ...) - pcre3 2:8.39-13 (bug #963086) [buster] - pcre3 (Minor issue) [stretch] - pcre3 (Minor issue) [jessie] - pcre3 (Minor issue) NOTE: https://bugs.exim.org/show_bug.cgi?id=2463 NOTE: Fixed by: https://vcs.pcre.org/pcre?view=revision&revision=1761 (8.44) CVE-2020-14154 (Mutt before 1.14.3 proceeds with a connection even if, in response to ...) - mutt 1.14.3-1 (unimportant) [buster] - mutt 1.10.1-2.1+deb10u1 - neomutt 20200619+dfsg.1-1 (unimportant) NOTE: http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20200608/000022.html NOTE: https://gitlab.com/muttmua/mutt/commit/bb0e6277a45a5d4c3a30d3b968eeb31d78124e95 NOTE: https://gitlab.com/muttmua/mutt/commit/5fccf603ebcf352ba783136d6b2d2600d811fb3b NOTE: https://gitlab.com/muttmua/mutt/commit/f64ec1deefb67d471a642004e102cd1c501a1db3 NOTE: Negligible security impact CVE-2020-14153 (In IJG JPEG (aka libjpeg) before 9d, jdhuff.c has an out-of-bounds arr ...) - libjpeg9 1:9d-1 - libjpeg-turbo NOTE: Not clear what the exact change is between 9c and 9d and whether it applies to -turbo CVE-2020-14152 (In IJG JPEG (aka libjpeg) before 9d, jpeg_mem_available() in jmemnobs. ...) - libjpeg9 1:9d-1 (low) - libjpeg-turbo 1:1.5.2-1 (low) [jessie] - libjpeg-turbo (Minor issue) NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/da2a27ef056a0179cbd80f9146e58b89403d9933 CVE-2020-14151 REJECTED CVE-2020-14150 (GNU Bison before 3.5.4 allows attackers to cause a denial of service ( ...) - bison 2:3.6.1+dfsg-1 (unimportant) NOTE: https://lists.gnu.org/archive/html/info-gnu/2020-04/msg00000.html NOTE: Crash in CLI tool, no security impact CVE-2020-14149 (In uftpd before 2.12, handle_CWD in ftpcmd.c mishandled the path provi ...) NOT-FOR-US: uftpd CVE-2020-14148 (The Server-Server protocol implementation in ngIRCd before 26~rc2 allo ...) {DLA-2252-1} - ngircd (bug #963147) [buster] - ngircd (Minor issue) [stretch] - ngircd (Minor issue) NOTE: https://github.com/ngircd/ngircd/issues/274 NOTE: https://github.com/ngircd/ngircd/issues/277 NOTE: https://github.com/ngircd/ngircd/pull/275 NOTE: https://github.com/ngircd/ngircd/pull/276 NOTE: https://github.com/ngircd/ngircd/commit/02cf31c0e267a4c9a7656d43ad3ad4eeb37fc9c5 CVE-2020-14147 (An integer overflow in the getnum function in lua_struct.c in Redis be ...) - redis 5:6.0.0-1 [stretch] - redis (Vulnerable code reintroduced later) [jessie] - redis (Vulnerable code reintroduced later) NOTE: https://github.com/antirez/redis/pull/6875 NOTE: Issue re-introduced with https://github.com/antirez/redis/commit/1eb08bcd4634ae42ec45e8284923ac048beaa4c3 (5.0-rc4) NOTE: Fixed by: https://github.com/antirez/redis/commit/ef764dde1cca2f25d00686673d1bc89448819571 NOTE: Fixed upstream in 6.0~rc2 and 5.0.8 CVE-2020-14146 (KumbiaPHP through 1.1.1, in Development mode, allows XSS via the publi ...) NOT-FOR-US: KumbiaPHP CVE-2020-14145 (The client side in OpenSSH 5.7 through 8.3 has an Observable Discrepan ...) - openssh (unimportant) NOTE: https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-2-ausnutzung-eines-informationslecks-fuer-gezielte-mitm-angriffe-auf-ssh-clients/ NOTE: https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf NOTE: The OpenSSH project is not planning to change the behaviour of OpenSSH regarding NOTE: the issue, details in "3.1 OpenSSH" in the publication. CVE-2020-14144 RESERVED CVE-2020-14143 RESERVED CVE-2020-14142 RESERVED CVE-2020-14141 RESERVED CVE-2020-14140 RESERVED CVE-2020-14139 RESERVED CVE-2020-14138 RESERVED CVE-2020-14137 RESERVED CVE-2020-14136 RESERVED CVE-2020-14135 RESERVED CVE-2020-14134 RESERVED CVE-2020-14133 RESERVED CVE-2020-14132 RESERVED CVE-2020-14131 RESERVED CVE-2020-14130 RESERVED CVE-2020-14129 RESERVED CVE-2020-14128 RESERVED CVE-2020-14127 RESERVED CVE-2020-14126 RESERVED CVE-2020-14125 RESERVED CVE-2020-14124 RESERVED CVE-2020-14123 RESERVED CVE-2020-14122 RESERVED CVE-2020-14121 RESERVED CVE-2020-14120 RESERVED CVE-2020-14119 RESERVED CVE-2020-14118 RESERVED CVE-2020-14117 RESERVED CVE-2020-14116 RESERVED CVE-2020-14115 RESERVED CVE-2020-14114 RESERVED CVE-2020-14113 RESERVED CVE-2020-14112 RESERVED CVE-2020-14111 RESERVED CVE-2020-14110 RESERVED CVE-2020-14109 RESERVED CVE-2020-14108 RESERVED CVE-2020-14107 RESERVED CVE-2020-14106 RESERVED CVE-2020-14105 RESERVED CVE-2020-14104 RESERVED CVE-2020-14103 RESERVED CVE-2020-14102 RESERVED CVE-2020-14101 RESERVED CVE-2020-14100 RESERVED CVE-2020-14099 RESERVED CVE-2020-14098 RESERVED CVE-2020-14097 RESERVED CVE-2020-14096 RESERVED CVE-2020-14095 (In Xiaomi router R3600, ROM version<1.0.20, a connect service suffe ...) NOT-FOR-US: Xiaomi CVE-2020-14094 (In Xiaomi router R3600, ROM version<1.0.20, the connection service ...) NOT-FOR-US: Xiaomi CVE-2019-20838 (libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT w ...) - pcre3 (unimportant) NOTE: Fixed by: https://vcs.pcre.org/pcre?view=revision&revision=1740 (8.43) NOTE: Only an issue when UTF support disabled CVE-2018-21246 (Caddy before 0.10.13 mishandles TLS client authentication, as demonstr ...) - caddy (bug #810890) CVE-2018-21245 (Pound before 2.8 allows HTTP request smuggling, a related issue to CVE ...) - pound 2.8-2 [stretch] - pound 2.7-1.3+deb9u1 [jessie] - pound 2.6-6+deb8u2 NOTE: https://admin.hostpoint.ch/pipermail/pound_apsis.ch/2018-May/000054.html NOTE: The exact scope of CVE-2018-21245 (a related issue to CVE-2016-10711) was NOTE: as well fixed with the same changes as done upstream for 2.8. The backport NOTE: for 2.7 was a backport of all security relevant changes between 2.7 and 2.8. NOTE: The same corrections were made in 2.6 version for jessie so fixed in that too. CVE-2017-18869 (A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 co ...) - node-chownr 1.1.1-1 (bug #909024) NOTE: https://github.com/isaacs/chownr/issues/14 NOTE: https://snyk.io/vuln/npm:chownr:20180731 CVE-2020-14093 (Mutt before 1.14.3 allows an IMAP fcc/postpone man-in-the-middle attac ...) {DSA-4708-1 DSA-4707-1 DLA-2268-2 DLA-2268-1} - mutt 1.14.3-1 (bug #962897) - neomutt 20200619+dfsg.1-1 NOTE: Fixed by: https://gitlab.com/muttmua/mutt/commit/3e88866dc60b5fa6aaba6fd7c1710c12c1c3cd01 NOTE: Fix for CVE-2020-14093 introduces a regression, cf. #963107 NOTE: Regression fixed by: https://gitlab.com/muttmua/mutt/-/commit/dc909119b3433a84290f0095c0f43a23b98b3748 CVE-2020-14092 (The CodePeople Payment Form for PayPal Pro plugin before 1.1.65 for Wo ...) NOT-FOR-US: CodePeople Payment Form for PayPal Pro plugin for WordPress CVE-2020-14091 RESERVED CVE-2020-14090 RESERVED CVE-2020-14089 RESERVED CVE-2020-14088 RESERVED CVE-2020-14087 RESERVED CVE-2020-14086 RESERVED CVE-2020-14085 RESERVED CVE-2020-14084 RESERVED CVE-2020-14083 RESERVED CVE-2020-14082 RESERVED CVE-2020-14081 (TRENDnet TEW-827DRU devices through 2.06B04 contain multiple command i ...) NOT-FOR-US: TRENDnet CVE-2020-14080 (TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buff ...) NOT-FOR-US: TRENDnet CVE-2020-14079 (TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buff ...) NOT-FOR-US: TRENDnet CVE-2020-14078 (TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buff ...) NOT-FOR-US: TRENDnet CVE-2020-14077 (TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buff ...) NOT-FOR-US: TRENDnet CVE-2020-14076 (TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buff ...) NOT-FOR-US: TRENDnet TEW-827DRU devices CVE-2020-14075 (TRENDnet TEW-827DRU devices through 2.06B04 contain multiple command i ...) NOT-FOR-US: TRENDnet CVE-2020-14074 (TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buff ...) NOT-FOR-US: TRENDnet CVE-2020-14073 (XSS exists in PRTG Network Monitor 20.1.56.1574 via crafted map proper ...) NOT-FOR-US: PRTG Network Monitor CVE-2020-14072 (An issue was discovered in MK-AUTH 19.01. It allows command execution ...) NOT-FOR-US: MK-AUTH CVE-2020-14071 (An issue was discovered in MK-AUTH 19.01. XSS vulnerabilities in admin ...) NOT-FOR-US: MK-AUTH CVE-2020-14070 (An issue was discovered in MK-AUTH 19.01. There is authentication bypa ...) NOT-FOR-US: MK-AUTH CVE-2020-14069 (An issue was discovered in MK-AUTH 19.01. There are SQL injection issu ...) NOT-FOR-US: MK-AUTH CVE-2020-14068 (An issue was discovered in MK-AUTH 19.01. The web login functionality ...) NOT-FOR-US: MK-AUTH CVE-2020-14067 (The install_from_hash functionality in Navigate CMS 2.9 does not consi ...) NOT-FOR-US: Navigate CMS CVE-2020-14066 RESERVED CVE-2020-14065 RESERVED CVE-2020-14064 RESERVED CVE-2020-14063 RESERVED CVE-2020-14062 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...) {DLA-2270-1} - jackson-databind [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2704 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. CVE-2020-14061 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...) {DLA-2270-1} - jackson-databind [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2698 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. CVE-2020-14060 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...) {DLA-2270-1} - jackson-databind [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2688 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. CVE-2020-14059 (An issue was discovered in Squid 5.x before 5.0.3. Due to an Incorrect ...) - squid (vulnerability introduced in the 5.x series) - squid3 (vulnerability introduced in the 5.x series) NOTE: https://github.com/squid-cache/squid/security/advisories/GHSA-w7pw-2m4p-58hr CVE-2020-14058 (An issue was discovered in Squid before 4.12 and 5.x before 5.0.3. Due ...) - squid 4.12-1 (unimportant) - squid3 (unimportant) NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-93f5fda134a2a010b84ffedbe833d670e63ba4be.patch NOTE: https://github.com/squid-cache/squid/security/advisories/GHSA-qvf6-485q-vm57 NOTE: Squid in Debian builds without OpenSSL support CVE-2020-14057 (Monsta FTP 2.10.1 or below allows external control of paths used in fi ...) NOT-FOR-US: Monsta FTP CVE-2020-14056 (Monsta FTP 2.10.1 or below is prone to a server-side request forgery v ...) NOT-FOR-US: Monsta FTP CVE-2020-14055 (Monsta FTP 2.10.1 or below is prone to a stored cross-site scripting v ...) NOT-FOR-US: Monsta FTP CVE-2020-14054 (SOKKIA GNR5 Vanguard WEB version 1.2 (build: 91f2b2c3a04d203d79862f87e ...) NOT-FOR-US: SOKKIA GNR5 Vanguard WEB CVE-2020-14053 RESERVED CVE-2020-14052 RESERVED CVE-2020-14051 RESERVED CVE-2020-14050 RESERVED CVE-2020-14049 (Viber for Windows up to 13.2.0.39 does not properly quote its custom U ...) NOT-FOR-US: Viber CVE-2020-14048 (Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remo ...) NOT-FOR-US: Zoho CVE-2020-14047 RESERVED CVE-2020-14046 RESERVED CVE-2020-14045 RESERVED CVE-2020-14044 RESERVED CVE-2020-14043 RESERVED CVE-2020-14042 RESERVED CVE-2020-14041 RESERVED CVE-2020-14040 (The x/text package before 0.3.3 for Go has a vulnerability in encoding ...) - golang-golang-x-text (bug #964272) - golang-x-text (bug #964271) NOTE: https://github.com/golang/go/issues/39491 NOTE: https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e NOTE: https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0 CVE-2020-14039 RESERVED CVE-2020-XXXX [Editor: Ensure latest comments can only be viewed from public posts] - wordpress 5.4.2+dfsg1-1 (bug #962685) [buster] - wordpress 5.0.10+dfsg1-0+deb10u1 NOTE: https://core.trac.wordpress.org/changeset/47984 CVE-2020-4050 (In affected versions of WordPress, misuse of the `set-screen-option` f ...) {DSA-4709-1 DLA-2269-1} - wordpress 5.4.2+dfsg1-1 (bug #962685) NOTE: https://core.trac.wordpress.org/changeset/47951 NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4vpv-fgg2-gcqc NOTE: https://github.com/WordPress/wordpress-develop/commit/b8dea76b495f0072523106c6ec46b9ea0d2a0920 CVE-2020-4049 (In affected versions of WordPress, when uploading themes, the name of ...) {DSA-4709-1 DLA-2269-1} - wordpress 5.4.2+dfsg1-1 (bug #962685) NOTE: https://core.trac.wordpress.org/changeset/47950 NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-87h4-phjv-rm6p NOTE: https://github.com/WordPress/wordpress-develop/commit/404f397b4012fd9d382e55bf7d206c1317f01148 CVE-2020-4048 (In affected versions of WordPress, due to an issue in wp_validate_redi ...) {DSA-4709-1 DLA-2269-1} - wordpress 5.4.2+dfsg1-1 (bug #962685) NOTE: https://core.trac.wordpress.org/changeset/47949 NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-q6pw-gvf4-5fj5 NOTE: https://github.com/WordPress/wordpress-develop/commit/6ef777e9a022bee2a80fa671118e7e2657e52693 CVE-2020-4046 (In affected versions of WordPress, users with low privileges (like con ...) {DSA-4709-1 DLA-2269-1} - wordpress 5.4.2+dfsg1-1 (bug #962685) NOTE: https://core.trac.wordpress.org/changeset/47947 NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-rpwf-hrh2-39jf CVE-2020-4047 (In affected versions of WordPress, authenticated users with upload per ...) {DSA-4709-1 DLA-2269-1} - wordpress 5.4.2+dfsg1-1 (bug #962685) NOTE: https://core.trac.wordpress.org/changeset/47948 NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-8q2w-5m27-wm27 NOTE: https://github.com/WordPress/wordpress-develop/commit/0977c0d6b241479ecedfe19e96be69f727c3f81f CVE-2020-14038 RESERVED CVE-2020-14037 RESERVED CVE-2020-14036 RESERVED CVE-2020-14035 RESERVED CVE-2020-14034 (An issue was discovered in janus-gateway (aka Janus WebRTC Server) thr ...) - janus 0.10.2-1 [buster] - janus (Will be removed in next point release) NOTE: https://github.com/meetecho/janus-gateway/pull/2229 NOTE: https://github.com/meetecho/janus-gateway/commit/dacb4edfad8e77f73b64d8c175cca0a7796ebf80 CVE-2020-14033 (An issue was discovered in janus-gateway (aka Janus WebRTC Server) thr ...) - janus 0.10.2-1 [buster] - janus (Will be removed in next point release) NOTE: https://github.com/meetecho/janus-gateway/pull/2229 NOTE: https://github.com/meetecho/janus-gateway/commit/dacb4edfad8e77f73b64d8c175cca0a7796ebf80 CVE-2020-14032 RESERVED CVE-2020-14031 RESERVED CVE-2020-14030 RESERVED CVE-2020-14029 RESERVED CVE-2020-14028 RESERVED CVE-2020-14027 RESERVED CVE-2020-14026 RESERVED CVE-2020-14025 RESERVED CVE-2020-14024 RESERVED CVE-2020-14023 RESERVED CVE-2020-14022 RESERVED CVE-2020-14021 RESERVED CVE-2020-14020 RESERVED CVE-2020-14019 (Open-iSCSI rtslib-fb through 2.1.72 has weak permissions for /etc/targ ...) - python-rtslib-fb [stretch] - python-rtslib-fb (vulnerable code introduced later, shutil.copyfile is not used) [jessie] - python-rtslib-fb (vulnerable code introduced later, shutil.copyfile is not used) NOTE: https://github.com/open-iscsi/rtslib-fb/pull/162 CVE-2020-14018 (An issue was discovered in Navigate CMS 2.9 r1433. There is a stored X ...) NOT-FOR-US: Navigate CMS CVE-2020-14017 (An issue was discovered in Navigate CMS 2.9 r1433. Sessions, as well a ...) NOT-FOR-US: Navigate CMS CVE-2020-14016 (An issue was discovered in Navigate CMS 2.9 r1433. The forgot-password ...) NOT-FOR-US: Navigate CMS CVE-2020-14015 (An issue was discovered in Navigate CMS 2.9 r1433. When performing a p ...) NOT-FOR-US: Navigate CMS CVE-2020-14014 (An issue was discovered in Navigate CMS 2.9 r1433. The query parameter ...) NOT-FOR-US: Navigate CMS CVE-2020-14013 RESERVED CVE-2020-14012 (scp/categories.php in osTicket 1.14.2 allows XSS via a Knowledgebase C ...) NOT-FOR-US: osTicket CVE-2020-14011 (Lansweeper 6.0.x through 7.2.x has a default installation in which the ...) NOT-FOR-US: Lansweeper CVE-2020-14010 (The Laborator Xenon theme 1.3 for WordPress allows Reflected XSS via t ...) NOT-FOR-US: Laborator Xenon theme for WordPress CVE-2020-14009 RESERVED CVE-2020-14008 RESERVED CVE-2020-14007 (Solarwinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF ...) NOT-FOR-US: Solarwinds CVE-2020-14006 (Solarwinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF ...) NOT-FOR-US: Solarwinds CVE-2020-14005 (Solarwinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF ...) NOT-FOR-US: Solarwinds CVE-2020-14004 (An issue was discovered in Icinga2 before v2.12.0-rc1. The prepare-dir ...) - icinga2 [jessie] - icinga2 (prepare-dirs script not shipped) NOTE: https://www.openwall.com/lists/oss-security/2020/06/12/1 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1172171 NOTE: https://github.com/Icinga/icinga2/commit/2f0f2e8c355b75fa4407d23f85feea037d2bc4b6 CVE-2020-14003 RESERVED CVE-2020-14002 (PuTTY 0.68 through 0.73 has an Observable Discrepancy leading to an in ...) - putty 0.74-1 [buster] - putty (Minor issue) [stretch] - putty (Minor issue) [jessie] - putty (Minor issue) NOTE: Fixed by: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=08f1e2a5066ea95559945af339a60ca14560d764 (0.74) CVE-2020-14001 RESERVED CVE-2020-14000 RESERVED CVE-2020-13999 (ScaleViewPortExtEx in libemf.cpp in libEMF (aka ECMA-234 Metafile Libr ...) - libemf 1.0.13-1 (bug #963778) [buster] - libemf (Minor issue) NOTE: Fixed upstream in 1.0.13 CVE-2020-13998 (** VERSION NOT SUPPORTED WHEN ASSIGNED ** Citrix XenApp 6.5, when 2FA ...) NOT-FOR-US: Citrix CVE-2020-13997 RESERVED CVE-2020-13996 (The J2Store plugin before 3.3.13 for Joomla! allows a SQL injection at ...) NOT-FOR-US: J2Store plugin for Joomla! CVE-2020-13995 RESERVED CVE-2020-13994 RESERVED CVE-2020-13993 RESERVED CVE-2020-13992 RESERVED CVE-2020-13991 RESERVED CVE-2020-13990 RESERVED CVE-2020-13989 RESERVED CVE-2020-13988 RESERVED CVE-2020-13987 RESERVED CVE-2020-13986 RESERVED CVE-2020-13985 RESERVED CVE-2020-13984 RESERVED CVE-2020-13983 RESERVED CVE-2020-13982 RESERVED CVE-2020-13981 RESERVED CVE-2020-13980 (** DISPUTED ** OpenCart 3.0.3.3 allows remote authenticated users to c ...) NOT-FOR-US: OpenCart CVE-2020-13979 RESERVED CVE-2020-13978 (** DISPUTED ** Monstra CMS 3.0.4 allows an attacker, who already has a ...) NOT-FOR-US: Monstra CMS CVE-2020-13977 (Nagios 4.4.5 allows an attacker, who already has administrative access ...) - nagios4 4.3.4-4 (bug #962826) [buster] - nagios4 (Minor issue) NOTE: https://github.com/NagiosEnterprises/nagioscore/commit/8deeca7cad3df1143ad9c351d107b5c0a6c61213 CVE-2020-13976 (** DISPUTED ** An issue was discovered in DD-WRT through 16214. The Di ...) NOT-FOR-US: DD-WRT CVE-2020-13975 RESERVED CVE-2020-13974 (** DISPUTED ** An issue was discovered in the Linux kernel through 5.7 ...) - linux 5.7.6-1 NOTE: https://git.kernel.org/linus/b86dab054059b970111b5516ae548efaae5b3aae CVE-2020-13973 (OWASP json-sanitizer before 1.2.1 allows XSS. An attacker who controls ...) NOT-FOR-US: OWASP json-sanitizer CVE-2020-13972 RESERVED CVE-2020-13971 RESERVED CVE-2020-13970 RESERVED CVE-2020-13969 RESERVED CVE-2020-13968 RESERVED CVE-2020-13967 RESERVED CVE-2020-13966 RESERVED CVE-2020-13963 RESERVED CVE-2020-13962 (Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 ...) - qtbase-opensource-src [buster] - qtbase-opensource-src (Only affects 5.12.2 and later) [stretch] - qtbase-opensource-src (Only affects 5.12.2 and later) [jessie] - qtbase-opensource-src (Only affects 5.12.2 and later) NOTE: https://bugreports.qt.io/browse/QTBUG-83450 NOTE: https://github.com/mumble-voip/mumble/issues/3679 NOTE: https://github.com/mumble-voip/mumble/pull/4032 CVE-2020-13961 (Strapi before 3.0.2 could allow a remote authenticated attacker to byp ...) NOT-FOR-US: Strapi CVE-2020-13960 (D-Link DSL 2730-U IN_1.10 and IN_1.11 and DIR-600M 3.04 devices have t ...) NOT-FOR-US: D-Link CVE-2020-13959 RESERVED CVE-2020-13958 RESERVED CVE-2020-13957 RESERVED CVE-2020-13956 RESERVED CVE-2020-13955 RESERVED CVE-2020-13954 RESERVED CVE-2020-13953 RESERVED CVE-2020-13952 RESERVED CVE-2020-13951 RESERVED CVE-2020-13950 RESERVED CVE-2020-13949 RESERVED CVE-2020-13948 RESERVED CVE-2020-13947 RESERVED CVE-2020-13946 RESERVED CVE-2020-13945 RESERVED CVE-2020-13944 RESERVED CVE-2020-13943 RESERVED CVE-2020-13942 RESERVED CVE-2020-13941 RESERVED CVE-2020-13940 RESERVED CVE-2020-13939 RESERVED CVE-2020-13938 RESERVED CVE-2020-13937 RESERVED CVE-2020-13936 RESERVED CVE-2020-13935 RESERVED CVE-2020-13934 RESERVED CVE-2020-13933 RESERVED CVE-2020-13932 RESERVED CVE-2020-13931 RESERVED CVE-2020-13930 RESERVED CVE-2020-13929 RESERVED CVE-2020-13928 RESERVED CVE-2020-13927 RESERVED CVE-2020-13926 RESERVED CVE-2020-13925 RESERVED CVE-2020-13924 RESERVED CVE-2020-13923 RESERVED CVE-2020-13922 RESERVED CVE-2020-13921 RESERVED CVE-2020-13920 RESERVED CVE-2020-13919 RESERVED CVE-2020-13918 RESERVED CVE-2020-13917 RESERVED CVE-2020-13916 RESERVED CVE-2020-13915 RESERVED CVE-2020-13914 RESERVED CVE-2020-13913 RESERVED CVE-2020-13912 (SolarWinds Advanced Monitoring Agent before 10.8.9 allows local users ...) NOT-FOR-US: SolarWinds Advanced Monitoring Agent CVE-2020-13911 (Your Online Shop 1.8.0 allows authenticated users to trigger XSS via a ...) NOT-FOR-US: Your Online Shop CVE-2020-13910 (Pengutronix Barebox through v2020.05.0 has an out-of-bounds read in nf ...) NOT-FOR-US: Pengutronix Barebox CVE-2020-13909 (The Ignition page before 2.0.5 for Laravel mishandles globals, _get, _ ...) NOT-FOR-US: Laravel CVE-2020-13908 RESERVED CVE-2020-13907 RESERVED CVE-2020-13906 (IrfanView 4.54 allows a user-mode write access violation starting at F ...) NOT-FOR-US: IrfanView CVE-2020-13905 (IrfanView 4.54 allows a user-mode write access violation starting at F ...) NOT-FOR-US: IrfanView CVE-2020-13904 (FFmpeg 4.2.3 has a use-after-free via a crafted EXTINF duration in an ...) - ffmpeg NOTE: https://patchwork.ffmpeg.org/project/ffmpeg/patch/20200529033905.41926-1-lq@chinaffmpeg.org/ NOTE: https://github.com/FFmpeg/FFmpeg/commit/9dfb19baeb86a8bb02c53a441682c6e9a6e104cc NOTE: https://trac.ffmpeg.org/ticket/8673 CVE-2020-13903 RESERVED CVE-2020-13902 (ImageMagick 7.0.9-27 through 7.0.10-17 has a heap-based buffer over-re ...) - imagemagick [buster] - imagemagick (Not affected, tiff uses TIFF_SETGET_C32_UINT32) [stretch] - imagemagick (Not affected, tiff uses TIFF_SETGET_C32_UINT32) [jessie] - imagemagick (Not affected, tiff uses TIFF_SETGET_C32_UINT32) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20920 NOTE: https://github.com/ImageMagick/ImageMagick/discussions/2132 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/824f344ceb823e156ad6e85314d79c087933c2a0 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/218d6abc4e36596c90a07463bfb2ab9e8312efbb CVE-2020-13901 (An issue was discovered in janus-gateway (aka Janus WebRTC Server) thr ...) - janus 0.10.1-1 (bug #962680) [buster] - janus (Will be removed in next point release) NOTE: https://github.com/meetecho/janus-gateway/pull/2214 NOTE: https://github.com/meetecho/janus-gateway/pull/2214/commits/90cc2ada775c4d4d8f6ae66f96b4ec7588e4bc86 CVE-2020-13900 (An issue was discovered in janus-gateway (aka Janus WebRTC Server) thr ...) - janus 0.10.1-1 (bug #962680) [buster] - janus (Will be removed in next point release) NOTE: https://github.com/meetecho/janus-gateway/pull/2214 NOTE: https://github.com/meetecho/janus-gateway/pull/2214/commits/5f33d5e1073207f7275a726b7bb4cd7dbb08d13a CVE-2020-13899 (An issue was discovered in janus-gateway (aka Janus WebRTC Server) thr ...) - janus 0.10.1-1 (bug #962680) [buster] - janus (Will be removed in next point release) NOTE: https://github.com/meetecho/janus-gateway/pull/2214 NOTE: https://github.com/meetecho/janus-gateway/pull/2214/commits/f46f27fb129fd1b3744830b4fc6e75ab78794636 CVE-2020-13898 (An issue was discovered in janus-gateway (aka Janus WebRTC Server) thr ...) - janus 0.10.1-1 (bug #962680) [buster] - janus (Will be removed in next point release) NOTE: https://github.com/meetecho/janus-gateway/pull/2214 NOTE: https://github.com/meetecho/janus-gateway/pull/2214/commits/2ed485d04630b9ee9de7c96517135654b7f32120 CVE-2020-13897 (HESK before 3.1.10 allows reflected XSS. ...) NOT-FOR-US: HESK CVE-2020-13896 (The web interface of Maipu MP1800X-50 7.5.3.14(R) devices allows remot ...) NOT-FOR-US: Maipu devices CVE-2020-13894 (handler/upload_handler.jsp in DEXT5 Editor through 3.5.1402961 allows ...) NOT-FOR-US: DEXT5 Editor CVE-2020-13893 RESERVED CVE-2020-13892 (The SportsPress plugin before 2.7.2 for WordPress allows XSS. ...) NOT-FOR-US: SportsPress plugin for WordPress CVE-2020-13891 (An issue was discovered in Mattermost Mobile Apps before 1.31.2 on iOS ...) NOT-FOR-US: Mattermost CVE-2020-13890 (The Neon theme 2.0 before 2020-06-03 for Bootstrap allows XSS via an A ...) NOT-FOR-US: Bootstrap theme CVE-2020-13889 (showAlert() in the administration panel in Bludit 3.12.0 allows XSS. ...) NOT-FOR-US: Bludit CVE-2020-13888 (Kordil EDMS through 2.2.60rc3 allows stored XSS in users_edit.php, use ...) NOT-FOR-US: Kordil EDMS CVE-2020-13887 (documents_add.php in Kordil EDMS through 2.2.60rc3 allows Remote Comma ...) NOT-FOR-US: Kordil EDMS CVE-2020-13895 (Crypt::Perl::ECDSA in the Crypt::Perl (aka p5-Crypt-Perl) module befor ...) - libcrypt-perl-perl (bug #907353) NOTE: https://github.com/FGasper/p5-Crypt-Perl/issues/14 NOTE: https://github.com/FGasper/p5-Crypt-Perl/commit/f960ce75502acf7404187231a706672f8369acb2 CVE-2020-13886 RESERVED CVE-2020-13885 (Citrix Workspace App before 1912 on Windows has Insecure Permissions w ...) NOT-FOR-US: Citrix CVE-2020-13884 (Citrix Workspace App before 1912 on Windows has Insecure Permissions a ...) NOT-FOR-US: Citrix CVE-2020-13883 (In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, an ...) NOT-FOR-US: WSO2 API Manager CVE-2020-13882 (CISOfy Lynis before 3.0.0 has Incorrect Access Control because of a TO ...) - lynis 3.0.0-1 (unimportant) NOTE: Neutralised by kernel hardening NOTE: https://github.com/CISOfy/lynis/pull/594 NOTE: https://github.com/CISOfy/lynis/commit/5b09da0d9878096d45f04b858c4f65e674369ab4 CVE-2020-13881 (In support.c in pam_tacplus 1.3.8 through 1.5.1, the TACACS+ shared se ...) {DLA-2239-1} - libpam-tacplus (low; bug #962830) [buster] - libpam-tacplus (Minor issue) [stretch] - libpam-tacplus (Minor issue) NOTE: https://github.com/kravietz/pam_tacplus/commit/4a9852c31c2fd0c0e72fbb689a586aabcfb11cb0 NOTE: https://github.com/kravietz/pam_tacplus/issues/149 CVE-2020-13880 RESERVED CVE-2020-13879 RESERVED CVE-2020-13878 RESERVED CVE-2020-13877 RESERVED CVE-2020-13876 RESERVED CVE-2020-13875 RESERVED CVE-2020-13874 RESERVED CVE-2020-13873 RESERVED CVE-2020-13872 (Royal TS before 5 has a 0.0.0.0 listener, which makes it easier for at ...) NOT-FOR-US: Royal TS CVE-2020-13871 (SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c bec ...) - sqlite3 3.32.2-2 [jessie] - sqlite3 (Vulnerable code not present) NOTE: New fix: https://www.sqlite.org/src/info/44a58d6cb135a104 NOTE: Fixed by: https://www.sqlite.org/src/info/79eff1d0383179c4 NOTE: https://www.sqlite.org/src/info/c8d3b9f0a750a529 NOTE: https://www.sqlite.org/src/info/cd708fa84d2aaaea CVE-2020-13870 (An issue was discovered in the Comments plugin before 1.5.5 for Craft ...) NOT-FOR-US: Comments plugin for Craft CMS CVE-2020-13869 (An issue was discovered in the Comments plugin before 1.5.6 for Craft ...) NOT-FOR-US: Comments plugin for Craft CMS CVE-2020-13868 (An issue was discovered in the Comments plugin before 1.5.5 for Craft ...) NOT-FOR-US: Comments plugin for Craft CMS CVE-2020-13867 (Open-iSCSI targetcli-fb through 2.1.52 has weak permissions for /etc/t ...) - targetcli-fb (low; bug #962331) [buster] - targetcli-fb (Minor issue) [stretch] - targetcli-fb (Minor issue) NOTE: https://github.com/open-iscsi/targetcli-fb/pull/172 CVE-2020-13866 (WinGate v9.4.1.5998 has insecure permissions for the installation dire ...) NOT-FOR-US: WinGate CVE-2020-13865 (The Elementor Page Builder plugin before 2.9.9 for WordPress suffers f ...) NOT-FOR-US: Elementor Page Builder plugin for WordPress CVE-2020-13864 (The Elementor Page Builder plugin before 2.9.9 for WordPress suffers f ...) NOT-FOR-US: Elementor Page Builder plugin for WordPress CVE-2020-13863 RESERVED CVE-2020-13862 RESERVED CVE-2020-13861 RESERVED CVE-2020-13860 RESERVED CVE-2020-13859 RESERVED CVE-2020-13858 RESERVED CVE-2020-13857 RESERVED CVE-2020-13856 RESERVED CVE-2020-13855 (Artica Pandora FMS 7.44 allows arbitrary file upload (leading to remot ...) NOT-FOR-US: Artica Pandora FMS CVE-2020-13854 (Artica Pandora FMS 7.44 allows privilege escalation. ...) NOT-FOR-US: Artica Pandora FMS CVE-2020-13853 (Artica Pandora FMS 7.44 has persistent XSS in the Messages feature. ...) NOT-FOR-US: Artica Pandora FMS CVE-2020-13852 (Artica Pandora FMS 7.44 allows arbitrary file upload (leading to remot ...) NOT-FOR-US: Artica Pandora FMS CVE-2020-13851 (Artica Pandora FMS 7.44 allows remote command execution via the events ...) NOT-FOR-US: Artica Pandora FMS CVE-2020-13850 (Artica Pandora FMS 7.44 has inadequate access controls on a web folder ...) NOT-FOR-US: Artica Pandora FMS CVE-2020-13849 (The MQTT protocol 3.1.1 requires a server to set a timeout value of 1. ...) TODO: check CVE-2020-13848 (Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attac ...) {DLA-2238-1} - pupnp-1.8 (bug #962282) [buster] - pupnp-1.8 (Minor issue) - libupnp [stretch] - libupnp (Minor issue) NOTE: https://github.com/pupnp/pupnp/issues/177 NOTE: https://github.com/pupnp/pupnp/commit/c805c1de1141cb22f74c0d94dd5664bda37398e0 CVE-2020-13847 RESERVED CVE-2020-13846 RESERVED CVE-2020-13845 RESERVED CVE-2020-13844 (Arm Armv8-A core implementations utilizing speculative execution past ...) NOTE: https://lists.llvm.org/pipermail/llvm-dev/2020-June/142109.html NOTE: https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/downloads/straight-line-speculation TODO: check further details CVE-2020-13843 (An issue was discovered on LG mobile devices with Android OS software ...) NOT-FOR-US: LG mobile devices CVE-2020-13842 (An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, ...) NOT-FOR-US: LG mobile devices CVE-2020-13841 (An issue was discovered on LG mobile devices with Android OS 9 and 10 ...) NOT-FOR-US: LG mobile devices CVE-2020-13840 (An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, ...) NOT-FOR-US: LG mobile devices CVE-2020-13839 (An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, ...) NOT-FOR-US: LG mobile devices CVE-2020-13838 (An issue was discovered on Samsung mobile devices with P(9.0) and Q(10 ...) NOT-FOR-US: Samsung mobile devices CVE-2020-13837 (An issue was discovered on Samsung mobile devices with Q(10.0) softwar ...) NOT-FOR-US: Samsung mobile devices CVE-2020-13836 (An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2020-13835 (An issue was discovered on Samsung mobile devices with O(8.x) (with TE ...) NOT-FOR-US: Samsung mobile devices CVE-2020-13834 (An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2020-13833 (An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2020-13832 (An issue was discovered on Samsung mobile devices with Q(10.0) (with T ...) NOT-FOR-US: Samsung mobile devices CVE-2020-13831 (An issue was discovered on Samsung mobile devices with O(8.x) and P(9. ...) NOT-FOR-US: Samsung mobile devices CVE-2020-13830 (An issue was discovered on Samsung mobile devices with P(9.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2020-13829 (An issue was discovered on Samsung mobile devices with P(9.0) and Q(10 ...) NOT-FOR-US: Samsung mobile devices CVE-2020-13828 RESERVED CVE-2020-13827 (phpList before 3.5.4 allows XSS via /lists/admin/user.php and /lists/a ...) - phplist (bug #612288) CVE-2020-13826 RESERVED CVE-2020-13825 RESERVED CVE-2020-13824 RESERVED CVE-2020-13823 RESERVED CVE-2020-13822 (The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleabi ...) - node-elliptic 6.5.3~dfsg-1 (bug #963149) [buster] - node-elliptic (Minor issue) NOTE: https://github.com/indutny/elliptic/issues/226 CVE-2020-13821 RESERVED CVE-2020-13820 RESERVED CVE-2020-13819 RESERVED CVE-2020-13818 (In Zoho ManageEngine OpManager before 125144, when <cachestart> ...) NOT-FOR-US: Zoho ManageEngine OpManager CVE-2020-13817 (ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote att ...) - ntp 1:4.2.8p14+dfsg-1 (low) [buster] - ntp (Minor issue) [stretch] - ntp (Minor issue) [jessie] - ntp (Too intrusive to backport, requires new configuration) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3596 NOTE: https://bugs.ntp.org/show_bug.cgi?id=3596 NOTE: http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=5e312021VVVkyioYBR_aeIP1LqMCVg (4.2.8p14) NOTE: http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=5e4a536dzxRWAzMw-KsKjm04l6joNA (4.2.8p14) TODO: check ntpsec, cf. #964395 CVE-2020-13816 REJECTED CVE-2020-13815 (An issue was discovered in Foxit Reader and PhantomPDF before 9.7.1. I ...) NOT-FOR-US: Foxit Reader CVE-2020-13814 (An issue was discovered in Foxit Reader and PhantomPDF before 9.7.1. I ...) NOT-FOR-US: Foxit Reader CVE-2020-13813 (An issue was discovered in Foxit Studio Photo before 3.6.6.922. It all ...) NOT-FOR-US: Foxit Studio Photo CVE-2020-13812 (An issue was discovered in Foxit Studio Photo before 3.6.6.922. It all ...) NOT-FOR-US: Foxit Studio Photo CVE-2020-13811 (An issue was discovered in Foxit Studio Photo before 3.6.6.922. It has ...) NOT-FOR-US: Foxit Studio Photo CVE-2020-13810 (An issue was discovered in Foxit Reader and PhantomPDF before 9.7.2. I ...) NOT-FOR-US: Foxit Reader CVE-2020-13809 (An issue was discovered in Foxit Reader and PhantomPDF before 9.7.2. I ...) NOT-FOR-US: Foxit Reader CVE-2020-13808 (An issue was discovered in Foxit Reader and PhantomPDF before 9.7.2. I ...) NOT-FOR-US: Foxit Reader CVE-2020-13807 (An issue was discovered in Foxit Reader and PhantomPDF before 9.7.2. I ...) NOT-FOR-US: Foxit Reader CVE-2020-13806 (An issue was discovered in Foxit Reader and PhantomPDF before 9.7.2. I ...) NOT-FOR-US: Foxit Reader CVE-2020-13805 (An issue was discovered in Foxit Reader and PhantomPDF before 9.7.2. I ...) NOT-FOR-US: Foxit Reader CVE-2020-13804 (An issue was discovered in Foxit Reader and PhantomPDF before 9.7.2. I ...) NOT-FOR-US: Foxit Reader CVE-2020-13803 (An issue was discovered in Foxit PhantomPDF Mac and Foxit Reader for M ...) NOT-FOR-US: Foxit Reader CVE-2020-13802 RESERVED CVE-2020-13801 RESERVED CVE-2020-13799 RESERVED CVE-2020-13798 (An issue was discovered in Navigate CMS through 2.8.7. It allows XSS b ...) NOT-FOR-US: Navigate CMS CVE-2020-13797 (An issue was discovered in Navigate CMS through 2.8.7. It allows XSS b ...) NOT-FOR-US: Navigate CMS CVE-2020-13796 (An issue was discovered in Navigate CMS through 2.8.7. It allows XSS b ...) NOT-FOR-US: Navigate CMS CVE-2020-13795 (An issue was discovered in Navigate CMS through 2.8.7. It allows Direc ...) NOT-FOR-US: Navigate CMS CVE-2020-13794 RESERVED CVE-2020-13793 RESERVED CVE-2020-13792 (PlayTube 1.8 allows disclosure of user details via ajax.php?type=../ad ...) NOT-FOR-US: PlayTube CVE-2019-20837 (An issue was discovered in Foxit Reader and PhantomPDF before 9.5. It ...) NOT-FOR-US: Foxit Reader CVE-2019-20836 (An issue was discovered in Foxit Reader and PhantomPDF before 9.5. It ...) NOT-FOR-US: Foxit Reader CVE-2019-20835 (An issue was discovered in Foxit Reader and PhantomPDF before 9.5. It ...) NOT-FOR-US: Foxit Reader CVE-2019-20834 (An issue was discovered in Foxit PhantomPDF before 8.3.10. It allows s ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-20833 (An issue was discovered in Foxit PhantomPDF before 8.3.10. It has mish ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-20832 (An issue was discovered in Foxit PhantomPDF before 8.3.10. It has homo ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-20831 (An issue was discovered in the 3D Plugin Beta for Foxit Reader and Pha ...) NOT-FOR-US: Foxit Reader CVE-2019-20830 (An issue was discovered in Foxit Reader and PhantomPDF before 9.6. It ...) NOT-FOR-US: Foxit Reader CVE-2019-20829 (An issue was discovered in Foxit Reader and PhantomPDF before 9.6. It ...) NOT-FOR-US: Foxit Reader CVE-2019-20828 (An issue was discovered in Foxit Reader and PhantomPDF before 9.6. It ...) NOT-FOR-US: Foxit Reader CVE-2019-20827 (An issue was discovered in Foxit PhantomPDF Mac 3.3 and Foxit Reader f ...) NOT-FOR-US: Foxit Reader CVE-2019-20826 (An issue was discovered in Foxit PhantomPDF Mac 3.3 and Foxit Reader f ...) NOT-FOR-US: Foxit Reader CVE-2019-20825 (An issue was discovered in Foxit PhantomPDF before 8.3.11. It has an o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-20824 (An issue was discovered in Foxit PhantomPDF before 8.3.11. It has a NU ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-20823 (An issue was discovered in Foxit PhantomPDF before 8.3.11. It has a bu ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-20822 (An issue was discovered in the 3D Plugin Beta for Foxit Reader and Pha ...) NOT-FOR-US: Foxit Reader CVE-2019-20821 (An issue was discovered in Foxit PhantomPDF Mac before 3.4. It has a N ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-20820 (An issue was discovered in Foxit Reader and PhantomPDF before 9.7. It ...) NOT-FOR-US: Foxit Reader CVE-2019-20819 (An issue was discovered in Foxit Reader and PhantomPDF before 9.7. It ...) NOT-FOR-US: Foxit Reader CVE-2019-20818 (An issue was discovered in Foxit Reader and PhantomPDF before 9.7. It ...) NOT-FOR-US: Foxit Reader CVE-2019-20817 (An issue was discovered in Foxit Reader and PhantomPDF before 9.7. It ...) NOT-FOR-US: Foxit Reader CVE-2019-20816 (An issue was discovered in Foxit PhantomPDF before 8.3.12. It has a NU ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-20815 (An issue was discovered in Foxit PhantomPDF before 8.3.12. It allows s ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-20814 (An issue was discovered in Foxit PhantomPDF before 8.3.12. It allows m ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-20813 (An issue was discovered in Foxit PhantomPDF before 8.3.12. It has a NU ...) NOT-FOR-US: Foxit PhantomPDF CVE-2018-21244 (An issue was discovered in Foxit PhantomPDF before 8.3.6. It allows ar ...) NOT-FOR-US: Foxit PhantomPDF CVE-2018-21243 (An issue was discovered in Foxit PhantomPDF before 8.3.6. It has COM o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2018-21242 (An issue was discovered in Foxit PhantomPDF before 8.3.6. It allows Re ...) NOT-FOR-US: Foxit PhantomPDF CVE-2018-21241 (An issue was discovered in Foxit PhantomPDF before 8.3.6. It has an un ...) NOT-FOR-US: Foxit PhantomPDF CVE-2018-21240 (An issue was discovered in Foxit Reader and PhantomPDF before 9.2. It ...) NOT-FOR-US: Foxit Reader CVE-2018-21239 (An issue was discovered in Foxit Reader and PhantomPDF before 9.2. It ...) NOT-FOR-US: Foxit Reader CVE-2018-21238 (An issue was discovered in Foxit PhantomPDF before 8.3.7. It allows me ...) NOT-FOR-US: Foxit PhantomPDF CVE-2018-21237 (An issue was discovered in Foxit PhantomPDF before 8.3.7. It allows NT ...) NOT-FOR-US: Foxit PhantomPDF CVE-2018-21236 (An issue was discovered in Foxit Reader before 2.4.4. It has a NULL po ...) NOT-FOR-US: Foxit Reader CVE-2018-21235 (An issue was discovered in Foxit E-mail advertising system before Sept ...) NOT-FOR-US: Foxit E-mail advertising system CVE-2020-13965 (An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x b ...) {DSA-4700-1} - roundcube 1.4.5+dfsg.1-1 (bug #962124) NOTE: 1.4.x: https://github.com/roundcube/roundcubemail/commit/ccaccae6653031b809b4347a60021951e19a0e43 NOTE: 1.3.x: https://github.com/roundcube/roundcubemail/commit/884eb611627ef2bd5a2e20e02009ebb1eceecdc3 CVE-2020-13964 (An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x b ...) {DSA-4700-1} - roundcube 1.4.5+dfsg.1-1 (bug #962123) NOTE: 1.4.x: https://github.com/roundcube/roundcubemail/commit/4beec65d40c5e5b1f2bace935c110baf05e10ae5 NOTE: 1.3.x: https://github.com/roundcube/roundcubemail/commit/37e2bc745723ef6322f0f785aefd0b9313a40f19 CVE-2020-13800 (ati-vga in hw/display/ati.c in QEMU 4.2.0 allows guest OS users to tri ...) - qemu 1:5.0-6 [buster] - qemu (Vulnerable code introduced later) [stretch] - qemu (Vulnerable code introduced later) [jessie] - qemu (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2020/06/04/2 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00833.html NOTE: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=a98610c429d52db0937c1e48659428929835c455 CVE-2020-13791 (hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an out-of- ...) - qemu 1:5.0-6 [buster] - qemu (Vulnerable code introduced later) [stretch] - qemu (Vulnerable code introduced later) [jessie] - qemu (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2020/06/04/1 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00831.html CVE-2020-13790 (libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-r ...) - libjpeg-turbo (bug #962829) [buster] - libjpeg-turbo (Minor issue) [stretch] - libjpeg-turbo (Minor issue) [jessie] - libjpeg-turbo (No package in Debian jessie uses the TurboJPEG API) NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/433 NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/1bfb0b5247f4fc8f6677639781ce468543490216 (1.5.x) NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3de15e0c344d11d4b90f4a47136467053eb2d09a (2.0.x) CVE-2020-13789 RESERVED CVE-2020-13788 RESERVED CVE-2020-13787 (D-Link DIR-865L Ax 1.20B01 Beta devices have Cleartext Transmission of ...) NOT-FOR-US: D-Link CVE-2020-13786 (D-Link DIR-865L Ax 1.20B01 Beta devices allow CSRF. ...) NOT-FOR-US: D-Link CVE-2020-13785 (D-Link DIR-865L Ax 1.20B01 Beta devices have Inadequate Encryption Str ...) NOT-FOR-US: D-Link CVE-2020-13784 (D-Link DIR-865L Ax 1.20B01 Beta devices have a predictable seed in a P ...) NOT-FOR-US: D-Link CVE-2020-13783 (D-Link DIR-865L Ax 1.20B01 Beta devices have Cleartext Storage of Sens ...) NOT-FOR-US: D-Link CVE-2020-13782 (D-Link DIR-865L Ax 1.20B01 Beta devices allow Command Injection. ...) NOT-FOR-US: D-Link CVE-2020-13781 RESERVED CVE-2020-13780 RESERVED CVE-2020-13779 RESERVED CVE-2020-13778 RESERVED CVE-2020-13777 (GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting ...) {DSA-4697-1} - gnutls28 3.6.14-1 (bug #962289) [stretch] - gnutls28 (Vulnerable code introduced in 3.6.4) [jessie] - gnutls28 (Vulnerable code introduced in 3.6.4) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1843723 NOTE: https://gnutls.org/security-new.html#GNUTLS-SA-2020-06-03 NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1011 NOTE: https://gitlab.com/gnutls/gnutls/-/commit/c2646aeee94e71cb15c90a3147cf3b5b0ca158ca NOTE: https://gitlab.com/gnutls/gnutls/-/commit/3d7fae761e65e9d0f16d7247ee8a464d4fe002da CVE-2020-13776 (systemd through v245 mishandles numerical usernames such as ones compo ...) - systemd (unimportant) NOTE: https://github.com/systemd/systemd/issues/15985 NOTE: Issue exists due to an incomplete fix for CVE-2017-1000082. CVE-2020-13775 (ZNC 1.8.0 up to 1.8.1-rc1 allows authenticated users to trigger an app ...) - znc 1.8.1-1 (bug #962105) [buster] - znc (Vulnerable code introduced later) [stretch] - znc (Vulnerable code introduced later) [jessie] - znc (Vulnerable code introduced later) NOTE: Fixed by: https://github.com/znc/znc/commit/2390ad111bde16a78c98ac44572090b33c3bd2d8 (znc-1.8.1-rc1) NOTE: Introduced with: https://github.com/znc/znc/commit/d229761821da38d984a9e4098ad96842490dc001 (znc-1.8.0) CVE-2020-13774 RESERVED CVE-2020-13773 RESERVED CVE-2020-13772 RESERVED CVE-2020-13771 RESERVED CVE-2020-13770 RESERVED CVE-2020-13769 RESERVED CVE-2020-13768 (In MiniShare before 1.4.2, there is a stack-based buffer overflow via ...) NOT-FOR-US: MiniShare CVE-2020-13767 RESERVED CVE-2020-13766 RESERVED CVE-2020-13765 (rom_copy() in hw/core/loader.c in QEMU 4.1.0 does not validate the rel ...) {DLA-2262-1} - qemu 1:4.2-1 NOTE: https://www.openwall.com/lists/oss-security/2020/06/03/6 NOTE: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=e423455c4f23a1a828901c78fe6d03b7dde79319 NOTE: https://bugs.launchpad.net/qemu/+bug/1844635 CVE-2020-13764 (common.php in the Gravity Forms plugin before 2.4.9 for WordPress can ...) NOT-FOR-US: Gravity Forms plugin for WordPress CVE-2020-13763 (In Joomla! before 3.9.19, the default settings of the global textfilte ...) NOT-FOR-US: Joomla! CVE-2020-13762 (In Joomla! before 3.9.19, incorrect input validation of the module tag ...) NOT-FOR-US: Joomla! CVE-2020-13761 (In Joomla! before 3.9.19, lack of input validation in the heading tag ...) NOT-FOR-US: Joomla! CVE-2020-13760 (In Joomla! before 3.9.19, missing token checks in com_postinstall lead ...) NOT-FOR-US: Joomla! CVE-2019-20812 (An issue was discovered in the Linux kernel before 5.4.7. The prb_calc ...) - linux 5.4.8-1 [buster] - linux 4.19.98-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/b43d1f9f7067c6759b1051e8ecb84e82cef569fe CVE-2019-20811 (An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_ ...) {DSA-4698-1 DLA-2242-1} - linux 4.19.37-1 [jessie] - linux 3.16.72-1 NOTE: https://git.kernel.org/linus/a3e23f719f5c4a38ffb3d30c8d7632a4ed8ccd9e CVE-2019-20810 (go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux ...) - linux 5.6.7-1 NOTE: https://git.kernel.org/linus/9453264ef58638ce8976121ac44c07a3ef375983 CVE-2020-13759 (rust-vmm vm-memory before 0.1.1 and 0.2.x before 0.2.1 allows attacker ...) NOT-FOR-US: rust-vmm CVE-2020-13758 (modules/security/classes/general.post_filter.php/post_filter.php in th ...) NOT-FOR-US: Bitrix24 CVE-2020-13757 (Python-RSA before 4.1 ignores leading '\0' bytes during decryption of ...) - python-rsa (bug #962142) [buster] - python-rsa (Minor issue) [stretch] - python-rsa (Minor issue) [jessie] - python-rsa (No reverse dependencies) NOTE: https://github.com/sybrenstuvel/python-rsa/issues/146 CVE-2020-13756 (Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data ...) NOT-FOR-US: Sabberworm PHP CSS Parser CVE-2020-13755 RESERVED CVE-2020-13753 RESERVED CVE-2020-13752 RESERVED CVE-2020-13751 RESERVED CVE-2020-13750 RESERVED CVE-2020-13749 RESERVED CVE-2020-13748 RESERVED CVE-2020-13747 RESERVED CVE-2020-13746 RESERVED CVE-2020-13745 RESERVED CVE-2020-13744 RESERVED CVE-2020-13743 RESERVED CVE-2020-13742 RESERVED CVE-2020-13741 RESERVED CVE-2020-13740 RESERVED CVE-2020-13739 RESERVED CVE-2020-13738 RESERVED CVE-2020-13737 RESERVED CVE-2020-13736 RESERVED CVE-2020-13735 RESERVED CVE-2020-13734 RESERVED CVE-2020-13733 RESERVED CVE-2020-13732 RESERVED CVE-2020-13731 RESERVED CVE-2020-13730 RESERVED CVE-2020-13729 RESERVED CVE-2020-13728 RESERVED CVE-2020-13727 RESERVED CVE-2020-13726 RESERVED CVE-2020-13725 RESERVED CVE-2020-13724 RESERVED CVE-2020-13723 RESERVED CVE-2020-13722 RESERVED CVE-2020-13721 RESERVED CVE-2020-13720 RESERVED CVE-2020-13719 RESERVED CVE-2020-13718 RESERVED CVE-2020-13717 RESERVED CVE-2020-13716 RESERVED CVE-2020-13715 RESERVED CVE-2020-13714 RESERVED CVE-2020-13713 RESERVED CVE-2020-13712 RESERVED CVE-2020-13711 RESERVED CVE-2020-13710 RESERVED CVE-2020-13709 RESERVED CVE-2020-13708 RESERVED CVE-2020-13707 RESERVED CVE-2020-13706 RESERVED CVE-2020-13705 RESERVED CVE-2020-13704 RESERVED CVE-2020-13703 RESERVED CVE-2019-20809 (The price oracle in PriceOracle.sol in Compound Finance Compound Price ...) NOT-FOR-US: Compound Finance Compound Price Oracle CVE-2020-13754 (hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of ...) - qemu 1:5.0-6 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg03732.html CVE-2020-13702 (** DISPUTED ** The Rolling Proximity Identifier used in the Apple/Goog ...) NOT-FOR-US: Apple/Google Exposure Notification API CVE-2020-13701 RESERVED CVE-2020-13700 (An issue was discovered in the acf-to-rest-api plugin through 3.1.0 fo ...) NOT-FOR-US: acf-to-rest-api plugin for WordPress CVE-2020-13699 RESERVED CVE-2020-13698 RESERVED CVE-2020-13697 RESERVED CVE-2020-13696 (An issue was discovered in LinuxTV xawtv before 3.107. The function de ...) {DLA-2246-1} - xawtv 3.107-1 (bug #962221) [stretch] - xawtv (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2020/06/04/6 NOTE: Fixed by: https://git.linuxtv.org/xawtv3.git/commit/?id=31f31f9cbaee7be806cba38e0ff5431bd44b20a3 NOTE: Fixed by: https://git.linuxtv.org/xawtv3.git/commit/?id=36dc44e68e5886339b4a0fbe3f404fb1a4fd2292 NOTE: But those sill allow to test for arbitrary files and would need: NOTE: https://www.openwall.com/lists/oss-security/2020/06/04/6/1 CVE-2020-13695 (In QuickBox Community Edition through 2.5.5 and Pro Edition through 2. ...) NOT-FOR-US: QuickBox CVE-2020-13694 (In QuickBox Community Edition through 2.5.5 and Pro Edition through 2. ...) NOT-FOR-US: QuickBox CVE-2020-13693 (An unauthenticated privilege-escalation issue exists in the bbPress pl ...) NOT-FOR-US: bbPress plugin for WordPress CVE-2020-13692 (PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE. ...) - libpgjava (low; bug #962828) [buster] - libpgjava (Minor issue) [stretch] - libpgjava (Minor issue) [jessie] - libpgjava (Minor issue) NOTE: https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65 CVE-2020-13691 RESERVED CVE-2020-13690 RESERVED CVE-2020-13689 RESERVED CVE-2020-13688 RESERVED CVE-2020-13687 RESERVED CVE-2020-13686 RESERVED CVE-2020-13685 RESERVED CVE-2020-13684 RESERVED CVE-2020-13683 RESERVED CVE-2020-13682 RESERVED CVE-2020-13681 RESERVED CVE-2020-13680 RESERVED CVE-2020-13679 RESERVED CVE-2020-13678 RESERVED CVE-2020-13677 RESERVED CVE-2020-13676 RESERVED CVE-2020-13675 RESERVED CVE-2020-13674 RESERVED CVE-2020-13673 RESERVED CVE-2020-13672 RESERVED CVE-2020-13671 RESERVED CVE-2020-13670 RESERVED CVE-2020-13669 RESERVED CVE-2020-13668 RESERVED CVE-2020-13667 RESERVED CVE-2020-13666 RESERVED CVE-2020-13665 RESERVED - drupal7 (Drupal 7 not affected) NOTE: https://www.drupal.org/sa-core-2020-006 CVE-2020-13664 RESERVED - drupal7 (Drupal 7 not affected) NOTE: https://www.drupal.org/sa-core-2020-005 CVE-2020-13663 [Drupal SA 2020-004] RESERVED {DSA-4706-1 DLA-2263-1} - drupal7 NOTE: https://www.drupal.org/sa-core-2020-004 NOTE: https://git.drupalcode.org/project/drupal/-/commit/3999b8f658bf2ef8e96a7ee8ccb279c5d3073006 CVE-2020-13661 RESERVED CVE-2020-13660 (CMS Made Simple through 2.2.14 allows XSS via a crafted File Picker pr ...) NOT-FOR-US: CMS Made Simple CVE-2020-13659 (address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer d ...) - qemu 1:5.0-6 [buster] - qemu (Minor issue) [stretch] - qemu (Minor issue) NOTE: https://bugs.launchpad.net/qemu/+bug/1878259 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg07313.html NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=77f55eac6c433e23e82a1b88b2d74f385c4c7d82 CVE-2020-13658 RESERVED CVE-2020-13657 (An elevation of privilege vulnerability exists in Avast Free Antivirus ...) NOT-FOR-US: Avast CVE-2020-13656 (In Morgan Stanley Hobbes through 2020-05-21, the array implementation ...) NOT-FOR-US: Hobbes CVE-2020-13655 RESERVED CVE-2020-13654 RESERVED CVE-2020-13653 (An XSS vulnerability exists in the Webmail component of Zimbra Collabo ...) NOT-FOR-US: Zimbra CVE-2020-13652 (An issue was discovered in DigDash 2018R2 before p20200528, 2019R1 bef ...) NOT-FOR-US: DigDash CVE-2020-13651 (An issue was discovered in DigDash 2018R2 before p20200528, 2019R1 bef ...) NOT-FOR-US: DigDash CVE-2020-13650 (An issue was discovered in DigDash 2018R2 before p20200210 and 2019R1 ...) NOT-FOR-US: DigDash CVE-2020-13649 (parser/js/js-scanner.c in JerryScript 2.2.0 mishandles errors during c ...) NOT-FOR-US: JerryScript CVE-2020-13648 RESERVED CVE-2020-13647 RESERVED CVE-2020-13646 (In Cheetah free WiFi 5.1, the driver file (liebaonat.sys) allows local ...) NOT-FOR-US: cheetah free wifi CVE-2020-13645 (In GNOME glib-networking through 2.64.2, the implementation of GTlsCli ...) - glib-networking 2.64.3-2 (bug #961756) [buster] - glib-networking (Minor issue; will be fixed via point release) NOTE: https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135 NOTE: Updating glib-networking to address CVE-2020-13645 will need a compatibility NOTE: update as well for balsa (cf. https://bugs.debian.org/961792) CVE-2019-20808 [out-of-bounds read in ati_cursor_define() function in hw/display/ati.c leads to DoS] RESERVED - qemu 1:4.2-1 [buster] - qemu (Vulnerable code introduced later) [stretch] - qemu (Vulnerable code introduced later) [jessie] - qemu (Vulnerable code introduced later) NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=aab0e2a661b2b6bf7915c0aefe807fb60d6d9d13 (v4.2.0-rc0) CVE-2019-20807 (In Vim before 8.1.0881, users can circumvent the rvim restricted mode ...) - vim 2:8.1.2136-1 [buster] - vim (Minor issue) [stretch] - vim (Minor issue) [jessie] - vim (Minor issue) NOTE: https://github.com/vim/vim/commit/8c62a08faf89663e5633dc5036cd8695c80f1075 CVE-2020-13644 (An issue was discovered in the Accordion plugin before 2.2.9 for WordP ...) NOT-FOR-US: Accordion plugin for WordPress CVE-2020-13643 (An issue was discovered in the SiteOrigin Page Builder plugin before 2 ...) NOT-FOR-US: SiteOrigin Page Builder plugin for WordPress CVE-2020-13642 (An issue was discovered in the SiteOrigin Page Builder plugin before 2 ...) NOT-FOR-US: SiteOrigin Page Builder plugin for WordPress CVE-2020-13641 (An issue was discovered in the Real-Time Find and Replace plugin befor ...) NOT-FOR-US: Real-Time Find and Replace plugin for WordPress CVE-2020-13640 (A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlie ...) NOT-FOR-US: gVectors wpDiscuz plugin for WordPress CVE-2020-13639 RESERVED CVE-2020-13638 RESERVED CVE-2020-13637 (An issue was discovered in the stashcat app through 3.9.2 for macOS, W ...) NOT-FOR-US: stashcat app CVE-2020-13636 RESERVED CVE-2020-13635 RESERVED CVE-2020-13634 (In Windows Master (aka Windows Optimization Master) 7.99.13.604, the d ...) NOT-FOR-US: Windows Master (aka Windows Optimization Master) CVE-2020-13633 (Fork before 5.8.3 allows XSS via navigation_title or title. ...) NOT-FOR-US: Fork CMS CVE-2020-13632 (ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer der ...) - sqlite3 3.32.0-1 [jessie] - sqlite3 (Vulnerable code not present) NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=1080459 NOTE: https://sqlite.org/src/info/a4dd148928ea65bd CVE-2020-13631 (SQLite before 3.32.0 allows a virtual table to be renamed to the name ...) - sqlite3 3.32.0-1 [jessie] - sqlite3 (Too intrusive to backport) NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=1080459 NOTE: https://sqlite.org/src/info/eca0ba2cf4c0fdf7 CVE-2020-13630 (ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3Ev ...) - sqlite3 3.32.0-1 [jessie] - sqlite3 (Vulnerable code not found) NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=1080459 NOTE: https://sqlite.org/src/info/0d69f76f0865f962 CVE-2020-13629 RESERVED CVE-2020-13628 (Cross-site scripting (XSS) vulnerability allows remote attackers to in ...) - centreon-web (bug #913903) CVE-2020-13627 (Cross-site scripting (XSS) vulnerability allows remote attackers to in ...) - centreon-web (bug #913903) CVE-2020-13626 RESERVED CVE-2020-13625 (PHPMailer before 6.1.6 contains an output escaping bug when the name o ...) {DLA-2244-1} - libphp-phpmailer 6.1.6-1 (bug #962827) NOTE: https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-f7hx-fqxw-rvvj NOTE: https://github.com/PHPMailer/PHPMailer/commit/c2796cb1cb99d7717290b48c4e6f32cb6c60b7b3 CVE-2020-13624 RESERVED CVE-2020-13623 (JerryScript 2.2.0 allows attackers to cause a denial of service (stack ...) NOT-FOR-US: JerryScript CVE-2020-13622 (JerryScript 2.2.0 allows attackers to cause a denial of service (asser ...) NOT-FOR-US: JerryScript CVE-2020-13621 RESERVED CVE-2020-13620 RESERVED CVE-2020-13619 (php/exec/escapeshellarg in Locutus PHP through 2.0.11 allows an attack ...) NOT-FOR-US: Locutus PHP CVE-2020-13618 RESERVED CVE-2020-13617 RESERVED CVE-2020-13616 (The boost ASIO wrapper in net/asio.cpp in Pichi before 1.3.0 lacks TLS ...) NOT-FOR-US: pichi CVE-2020-13615 (lib/QoreSocket.cpp in Qore before 0.9.4.2 lacks hostname verification ...) NOT-FOR-US: Qore CVE-2020-13614 (An issue was discovered in ssl.c in Axel before 2.17.8. The TLS implem ...) - axel 2.17.8-1 [buster] - axel (Minor issue) [stretch] - axel (Minor issue) [jessie] - axel (SSL/TLS implemented from v2.10. But without ssl support is a major drawback) NOTE: https://github.com/axel-download-accelerator/axel/issues/262 CVE-2020-13613 RESERVED CVE-2020-13612 RESERVED CVE-2020-13611 RESERVED CVE-2020-13610 RESERVED CVE-2020-13609 RESERVED CVE-2020-13608 RESERVED CVE-2020-13607 RESERVED CVE-2020-13606 RESERVED CVE-2020-13605 RESERVED CVE-2020-13604 RESERVED CVE-2020-13603 RESERVED CVE-2020-13602 RESERVED CVE-2020-13601 RESERVED CVE-2020-13600 RESERVED CVE-2020-13599 RESERVED CVE-2020-13598 RESERVED CVE-2020-13597 (Clusters using Calico (version 3.14.0 and below), Calico Enterprise (v ...) NOT-FOR-US: Calico CVE-2020-13596 (An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0 ...) {DSA-4705-1 DLA-2233-1} - python-django 2:2.2.13-1 (bug #962323) NOTE: https://www.openwall.com/lists/oss-security/2020/06/03/1 NOTE: https://github.com/django/django/commit/2dd4d110c159d0c81dff42eaead2c378a0998735 (master) NOTE: https://github.com/django/django/commit/49d7cc19e33a104bb23f7ae1dbb1240b4f6c40f9 (3.1 branch) NOTE: https://github.com/django/django/commit/1f2dd37f6fcefdd10ed44cb233b2e62b520afb38 (3.0 branch) NOTE: https://github.com/django/django/commit/6d61860b22875f358fac83d903dc629897934815 (2.2. branch) CVE-2020-13595 RESERVED CVE-2020-13594 RESERVED CVE-2020-13593 RESERVED CVE-2020-13662 [Drupal SA 2020-003] RESERVED {DSA-4693-1 DLA-2250-1} - drupal7 NOTE: https://www.drupal.org/sa-core-2020-003 NOTE: https://git.drupalcode.org/project/drupal/-/commit/905ff00a44160adee3f266cdcc87d3350a64a072 CVE-2020-13592 RESERVED CVE-2020-13591 RESERVED CVE-2020-13590 RESERVED CVE-2020-13589 RESERVED CVE-2020-13588 RESERVED CVE-2020-13587 RESERVED CVE-2020-13586 RESERVED CVE-2020-13585 RESERVED CVE-2020-13584 RESERVED CVE-2020-13583 RESERVED CVE-2020-13582 RESERVED CVE-2020-13581 RESERVED CVE-2020-13580 RESERVED CVE-2020-13579 RESERVED CVE-2020-13578 RESERVED CVE-2020-13577 RESERVED CVE-2020-13576 RESERVED CVE-2020-13575 RESERVED CVE-2020-13574 RESERVED CVE-2020-13573 RESERVED CVE-2020-13572 RESERVED CVE-2020-13571 RESERVED CVE-2020-13570 RESERVED CVE-2020-13569 RESERVED CVE-2020-13568 RESERVED CVE-2020-13567 RESERVED CVE-2020-13566 RESERVED CVE-2020-13565 RESERVED CVE-2020-13564 RESERVED CVE-2020-13563 RESERVED CVE-2020-13562 RESERVED CVE-2020-13561 RESERVED CVE-2020-13560 RESERVED CVE-2020-13559 RESERVED CVE-2020-13558 RESERVED CVE-2020-13557 RESERVED CVE-2020-13556 RESERVED CVE-2020-13555 RESERVED CVE-2020-13554 RESERVED CVE-2020-13553 RESERVED CVE-2020-13552 RESERVED CVE-2020-13551 RESERVED CVE-2020-13550 RESERVED CVE-2020-13549 RESERVED CVE-2020-13548 RESERVED CVE-2020-13547 RESERVED CVE-2020-13546 RESERVED CVE-2020-13545 RESERVED CVE-2020-13544 RESERVED CVE-2020-13543 RESERVED CVE-2020-13542 RESERVED CVE-2020-13541 RESERVED CVE-2020-13540 RESERVED CVE-2020-13539 RESERVED CVE-2020-13538 RESERVED CVE-2020-13537 RESERVED CVE-2020-13536 RESERVED CVE-2020-13535 RESERVED CVE-2020-13534 RESERVED CVE-2020-13533 RESERVED CVE-2020-13532 RESERVED CVE-2020-13531 RESERVED CVE-2020-13530 RESERVED CVE-2020-13529 RESERVED CVE-2020-13528 RESERVED CVE-2020-13527 RESERVED CVE-2020-13526 RESERVED CVE-2020-13525 RESERVED CVE-2020-13524 RESERVED CVE-2020-13523 RESERVED CVE-2020-13522 RESERVED CVE-2020-13521 RESERVED CVE-2020-13520 RESERVED CVE-2020-13519 RESERVED CVE-2020-13518 RESERVED CVE-2020-13517 RESERVED CVE-2020-13516 RESERVED CVE-2020-13515 RESERVED CVE-2020-13514 RESERVED CVE-2020-13513 RESERVED CVE-2020-13512 RESERVED CVE-2020-13511 RESERVED CVE-2020-13510 RESERVED CVE-2020-13509 RESERVED CVE-2020-13508 RESERVED CVE-2020-13507 RESERVED CVE-2020-13506 RESERVED CVE-2020-13505 RESERVED CVE-2020-13504 RESERVED CVE-2020-13503 RESERVED CVE-2020-13502 RESERVED CVE-2020-13501 RESERVED CVE-2020-13500 RESERVED CVE-2020-13499 RESERVED CVE-2020-13498 RESERVED CVE-2020-13497 RESERVED CVE-2020-13496 RESERVED CVE-2020-13495 RESERVED CVE-2020-13494 RESERVED CVE-2020-13493 RESERVED CVE-2020-13492 RESERVED CVE-2020-13491 RESERVED CVE-2020-13490 RESERVED CVE-2020-13489 RESERVED CVE-2020-13488 RESERVED CVE-2020-13487 (The bbPress plugin through 2.6.4 for WordPress has stored XSS in the F ...) NOT-FOR-US: Wordpress plugin CVE-2020-13486 (The Knock Knock plugin before 1.2.8 for Craft CMS allows malicious red ...) NOT-FOR-US: Craft CMS plugin CVE-2020-13485 (The Knock Knock plugin before 1.2.8 for Craft CMS allows IP Whitelist ...) NOT-FOR-US: Craft CMS plugin CVE-2020-13484 (Bitrix24 through 20.0.975 allows SSRF via an intranet IP address in th ...) NOT-FOR-US: Bitrix24 CVE-2020-13483 (The Web Application Firewall in Bitrix24 through 20.0.0 allows XSS via ...) NOT-FOR-US: Bitrix24 CVE-2020-13482 (EM-HTTP-Request 1.1.5 uses the library eventmachine in an insecure way ...) NOT-FOR-US: EM-HTTP-Request CVE-2020-13481 RESERVED CVE-2020-13480 (Verint Workforce Optimization (WFO) 15.2 allows HTML injection via the ...) NOT-FOR-US: Verint Workforce Optimization (WFO) CVE-2020-13479 RESERVED CVE-2020-13478 RESERVED CVE-2020-13477 RESERVED CVE-2020-13476 RESERVED CVE-2020-13475 RESERVED CVE-2020-13474 RESERVED CVE-2020-13473 RESERVED CVE-2020-13472 RESERVED CVE-2020-13471 RESERVED CVE-2020-13470 RESERVED CVE-2020-13469 RESERVED CVE-2020-13468 RESERVED CVE-2020-13467 RESERVED CVE-2020-13466 RESERVED CVE-2020-13465 RESERVED CVE-2020-13464 RESERVED CVE-2020-13463 RESERVED CVE-2020-13462 RESERVED CVE-2020-13461 RESERVED CVE-2020-13460 RESERVED CVE-2020-13459 (An issue was discovered in the Image Resizer plugin before 2.0.9 for C ...) NOT-FOR-US: Image Resizer plugin for Craft CMS CVE-2020-13458 (An issue was discovered in the Image Resizer plugin before 2.0.9 for C ...) NOT-FOR-US: Image Resizer plugin for Craft CMS CVE-2020-13457 RESERVED CVE-2020-13456 RESERVED CVE-2020-13455 RESERVED CVE-2020-13454 RESERVED CVE-2020-13453 RESERVED CVE-2020-13452 RESERVED CVE-2020-13451 RESERVED CVE-2020-13450 RESERVED CVE-2020-13449 RESERVED CVE-2020-13448 (QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8 ...) NOT-FOR-US: QuickBox CVE-2020-13447 RESERVED CVE-2020-13446 RESERVED CVE-2020-13445 (In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pack 92, ...) NOT-FOR-US: Liferay CVE-2020-13444 (Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 9 ...) NOT-FOR-US: Liferay CVE-2020-13443 (ExpressionEngine before 5.3.2 allows remote attackers to upload and ex ...) NOT-FOR-US: ExpressionEngine CVE-2020-13442 (A Remote code execution vulnerability exists in DEXT5Upload in DEXT5 t ...) NOT-FOR-US: DEXT5 CVE-2020-13441 RESERVED CVE-2020-13440 (ffjpeg through 2020-02-24 has an invalid write in bmp_load in bmp.c. ...) NOT-FOR-US: ffjpeg CVE-2020-13439 (ffjpeg through 2020-02-24 has a heap-based buffer over-read in jfif_de ...) NOT-FOR-US: ffjpeg CVE-2020-13438 (ffjpeg through 2020-02-24 has an invalid read in jfif_encode in jfif.c ...) NOT-FOR-US: ffjpeg CVE-2020-13437 RESERVED CVE-2020-13436 RESERVED CVE-2020-13435 (SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarge ...) - sqlite3 3.32.1-1 [buster] - sqlite3 (Minor issue) [stretch] - sqlite3 (Vulnerable code introduced later) [jessie] - sqlite3 (Vulnerable code introduced later) NOTE: https://www.sqlite.org/src/info/7a5279a25c57adf1 NOTE: https://www.sqlite.org/src/info/ad7bb70af9bb68d1 NOTE: https://www.sqlite.org/src/info/572105de1d44bca4 CVE-2020-13434 (SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf ...) {DLA-2221-1} - sqlite3 3.32.1-1 [buster] - sqlite3 (Minor issue) [stretch] - sqlite3 (Minor issue) NOTE: https://www.sqlite.org/src/info/23439ea582241138 NOTE: https://www.sqlite.org/src/info/d08d3405878d394e CVE-2020-13433 (Jason2605 AdminPanel 4.0 allows SQL Injection via the editPlayer.php h ...) NOT-FOR-US: Jason2605 AdminPanel CVE-2020-13432 (rejetto HFS (aka HTTP File Server) v2.3m Build #300, when virtual file ...) NOT-FOR-US: Rejetto HTTP File Server CVE-2020-13431 (I2P before 0.9.46 allows local users to gain privileges via a Trojan h ...) - i2p (Windows-specific) CVE-2020-13430 (Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource. ...) - grafana NOTE: https://github.com/grafana/grafana/pull/24539 CVE-2020-13429 (legend.ts in the piechart-panel (aka Pie Chart Panel) plugin before 1. ...) NOT-FOR-US: piechart-panel plugin for Grafana CVE-2020-13428 (A heap-based buffer overflow in the hxxx_AnnexB_to_xVC function in mod ...) {DSA-4704-1} - vlc 3.0.11-1 [jessie] - vlc (Not supported in jessie LTS) NOTE: https://github.com/videolan/vlc-3.0/releases/tag/3.0.11 NOTE: http://git.videolan.org/?p=vlc/vlc-3.0.git;a=commit;h=d5c43c21c747ff30ed19fcca745dea3481c733e0 CVE-2020-13427 (Victor CMS 1.0 has Persistent XSS in admin/users.php?source=add_user v ...) NOT-FOR-US: Victor CMS CVE-2020-13426 (The Multi-Scheduler plugin 1.0.0 for WordPress has a Cross-Site Reques ...) NOT-FOR-US: Multi-Scheduler plugin for WordPress CVE-2020-13425 (TrackR devices through 2020-05-06 allow attackers to trigger the Beep ...) NOT-FOR-US: TrackR CVE-2020-13424 (The XCloner component before 3.5.4 for Joomla! allows Authenticated Lo ...) NOT-FOR-US: Joomla addon CVE-2020-13423 (Form Builder 2.1.0 for Magento has multiple XSS issues that can be exp ...) NOT-FOR-US: Form Builder for Magento CVE-2020-13422 RESERVED CVE-2020-13421 RESERVED CVE-2020-13420 RESERVED CVE-2020-13419 RESERVED CVE-2020-13418 RESERVED CVE-2020-13417 (An Elevation of Privilege issue was discovered in Aviatrix VPN Client ...) NOT-FOR-US: Aviatrix CVE-2020-13416 (An issue was discovered in Aviatrix Controller before 5.4.1066. A Cont ...) NOT-FOR-US: Aviatrix CVE-2020-13415 (An issue was discovered in Aviatrix Controller through 5.1. An attacke ...) NOT-FOR-US: Aviatrix CVE-2020-13414 (An issue was discovered in Aviatrix Controller before 5.4.1204. It con ...) NOT-FOR-US: Aviatrix CVE-2020-13413 (An issue was discovered in Aviatrix Controller before 5.4.1204. There ...) NOT-FOR-US: Aviatrix CVE-2020-13412 (An issue was discovered in Aviatrix Controller before 5.4.1204. An API ...) NOT-FOR-US: Aviatrix CVE-2020-13411 RESERVED CVE-2020-13410 RESERVED CVE-2020-13409 RESERVED CVE-2020-13408 RESERVED CVE-2020-13407 RESERVED CVE-2020-13406 RESERVED CVE-2020-13405 RESERVED CVE-2020-13404 RESERVED CVE-2020-13403 RESERVED CVE-2020-13402 RESERVED CVE-2020-13401 (An issue was discovered in Docker Engine before 19.03.11. An attacker ...) {DSA-4716-1} - docker.io 19.03.11+dfsg1-1 (bug #962141) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1833233 NOTE: https://github.com/moby/libnetwork/commit/153d0769a1181bf591a9637fd487a541ec7db1e6 CVE-2020-13400 RESERVED CVE-2020-13399 RESERVED CVE-2020-13398 (An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/commit/8305349a943c68b1bc8c158f431dc607655aadea CVE-2020-13397 (An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/commit/d6cd14059b257318f176c0ba3ee0a348826a9ef8 CVE-2020-13396 (An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/commit/48361c411e50826cb602c7aab773a8a20e1da6bc CVE-2020-13395 RESERVED CVE-2020-13394 (An issue was discovered on Tenda AC6 V1.0 V15.03.05.19_multi_TD01, AC9 ...) NOT-FOR-US: Tenda devices CVE-2020-13393 (An issue was discovered on Tenda AC6 V1.0 V15.03.05.19_multi_TD01, AC9 ...) NOT-FOR-US: Tenda devices CVE-2020-13392 (An issue was discovered on Tenda AC6 V1.0 V15.03.05.19_multi_TD01, AC9 ...) NOT-FOR-US: Tenda devices CVE-2020-13391 (An issue was discovered on Tenda AC6 V1.0 V15.03.05.19_multi_TD01, AC9 ...) NOT-FOR-US: Tenda devices CVE-2020-13390 (An issue was discovered on Tenda AC6 V1.0 V15.03.05.19_multi_TD01, AC9 ...) NOT-FOR-US: Tenda devices CVE-2020-13389 (An issue was discovered on Tenda AC6 V1.0 V15.03.05.19_multi_TD01, AC9 ...) NOT-FOR-US: Tenda devices CVE-2020-13388 (An exploitable vulnerability exists in the configuration-loading funct ...) NOT-FOR-US: jw.util CVE-2020-13387 RESERVED CVE-2020-13386 (In SmartDraw 2020 27.0.0.0, the installer gives inherited write permis ...) NOT-FOR-US: SmartDraw CVE-2020-13385 RESERVED CVE-2020-13384 (Monstra CMS 3.0.4 allows remote authenticated users to upload and exec ...) NOT-FOR-US: Monstra CMS CVE-2020-13383 (openSIS through 7.4 allows Directory Traversal. ...) NOT-FOR-US: openSIS CVE-2020-13382 (openSIS through 7.4 has Incorrect Access Control. ...) NOT-FOR-US: openSIS CVE-2020-13381 (openSIS through 7.4 allows SQL Injection. ...) NOT-FOR-US: openSIS CVE-2020-13380 (openSIS before 7.4 allows SQL Injection. ...) NOT-FOR-US: openSIS CVE-2020-13379 (The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrec ...) - grafana NOTE: https://www.openwall.com/lists/oss-security/2020/06/03/4 NOTE: https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/ CVE-2020-13378 RESERVED CVE-2020-13377 RESERVED CVE-2020-13376 RESERVED CVE-2020-13375 RESERVED CVE-2020-13374 RESERVED CVE-2020-13373 RESERVED CVE-2020-13372 RESERVED CVE-2020-13371 RESERVED CVE-2020-13370 RESERVED CVE-2020-13369 RESERVED CVE-2020-13368 RESERVED CVE-2020-13367 RESERVED CVE-2020-13366 RESERVED CVE-2020-13365 RESERVED CVE-2020-13364 RESERVED CVE-2020-13363 RESERVED CVE-2020-13362 (In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c h ...) {DLA-2262-1} - qemu 1:5.0-6 (bug #961887) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg03463.html CVE-2020-13361 (In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c ...) {DLA-2262-1} - qemu 1:5.0-6 (bug #961888) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg07230.html CVE-2019-20806 (An issue was discovered in the Linux kernel before 5.2. There is a NUL ...) {DSA-4698-1 DLA-2242-1} - linux 5.2.6-1 [buster] - linux 4.19.118-1 [jessie] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/2e7682ebfc750177a4944eeb56e97a3f05734528 CVE-2019-20805 (p_lx_elf.cpp in UPX before 3.96 has an integer overflow during unpacki ...) - upx-ucl 3.96-1 (unimportant) NOTE: https://github.com/upx/upx/commit/8be9da8280dfa69d5df4417d4d81bda1cab78010 NOTE: https://github.com/upx/upx/issues/317 CVE-2019-20804 (Gila CMS before 1.11.6 allows CSRF with resultant XSS via the admin/th ...) NOT-FOR-US: Gila CMS CVE-2019-20803 (Gila CMS before 1.11.6 has reflected XSS via the admin/content/postcat ...) NOT-FOR-US: Gila CMS CVE-2018-21234 (Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when ...) - jodd (bug #961298) [buster] - jodd (Minor issue) NOTE: https://github.com/oblac/jodd/commit/9bffc3913aeb8472c11bb543243004b4b4376f16 NOTE: https://github.com/oblac/jodd/issues/628 CVE-2017-18868 (Digi XBee 2 devices do not have an effective protection mechanism agai ...) NOT-FOR-US: Digi XBee 2 devices CVE-2020-13360 RESERVED CVE-2020-13359 RESERVED CVE-2020-13358 RESERVED CVE-2020-13357 RESERVED CVE-2020-13356 RESERVED CVE-2020-13355 RESERVED CVE-2020-13354 RESERVED CVE-2020-13353 RESERVED CVE-2020-13352 RESERVED CVE-2020-13351 RESERVED CVE-2020-13350 RESERVED CVE-2020-13349 RESERVED CVE-2020-13348 RESERVED CVE-2020-13347 RESERVED CVE-2020-13346 RESERVED CVE-2020-13345 RESERVED CVE-2020-13344 RESERVED CVE-2020-13343 RESERVED CVE-2020-13342 RESERVED CVE-2020-13341 RESERVED CVE-2020-13340 RESERVED CVE-2020-13339 RESERVED CVE-2020-13338 RESERVED CVE-2020-13337 RESERVED CVE-2020-13336 RESERVED CVE-2020-13335 RESERVED CVE-2020-13334 RESERVED CVE-2020-13333 RESERVED CVE-2020-13332 RESERVED CVE-2020-13331 RESERVED CVE-2020-13330 RESERVED CVE-2020-13329 RESERVED CVE-2020-13328 RESERVED CVE-2020-13327 RESERVED CVE-2020-13326 RESERVED CVE-2020-13325 RESERVED CVE-2020-13324 RESERVED CVE-2020-13323 RESERVED CVE-2020-13322 RESERVED CVE-2020-13321 RESERVED CVE-2020-13320 RESERVED CVE-2020-13319 RESERVED CVE-2020-13318 RESERVED CVE-2020-13317 RESERVED CVE-2020-13316 RESERVED CVE-2020-13315 RESERVED CVE-2020-13314 RESERVED CVE-2020-13313 RESERVED CVE-2020-13312 RESERVED CVE-2020-13311 RESERVED CVE-2020-13310 RESERVED CVE-2020-13309 RESERVED CVE-2020-13308 RESERVED CVE-2020-13307 RESERVED CVE-2020-13306 RESERVED CVE-2020-13305 RESERVED CVE-2020-13304 RESERVED CVE-2020-13303 RESERVED CVE-2020-13302 RESERVED CVE-2020-13301 RESERVED CVE-2020-13300 RESERVED CVE-2020-13299 RESERVED CVE-2020-13298 RESERVED CVE-2020-13297 RESERVED CVE-2020-13296 RESERVED CVE-2020-13295 RESERVED CVE-2020-13294 RESERVED CVE-2020-13293 RESERVED CVE-2020-13292 RESERVED CVE-2020-13291 RESERVED CVE-2020-13290 RESERVED CVE-2020-13289 RESERVED CVE-2020-13288 RESERVED CVE-2020-13287 RESERVED CVE-2020-13286 RESERVED CVE-2020-13285 RESERVED CVE-2020-13284 RESERVED CVE-2020-13283 RESERVED CVE-2020-13282 RESERVED CVE-2020-13281 RESERVED CVE-2020-13280 RESERVED CVE-2020-13279 (Client side code execution in gitlab-vscode-extension v2.2.0 allows at ...) NOT-FOR-US: gitlab-vscode-extension CVE-2020-13278 RESERVED CVE-2020-13277 (An authorization issue in the mirroring logic allowed read access to p ...) - gitlab CVE-2020-13276 (User is allowed to set an email as a notification email even without v ...) - gitlab CVE-2020-13275 (A user with an unverified email address could request an access to dom ...) - gitlab (Specific to EE) CVE-2020-13274 (A security issue allowed achieving Denial of Service attacks through m ...) - gitlab CVE-2020-13273 (A Denial of Service vulnerability allowed exhausting the system resour ...) - gitlab CVE-2020-13272 (OAuth flow missing verification checks CE/EE 12.3 and later through 13 ...) - gitlab CVE-2020-13271 (A Stored Cross-Site Scripting vulnerability allowed the execution of a ...) - gitlab CVE-2020-13270 (Missing permission check on fork relation creation in GitLab CE/EE 11. ...) - gitlab CVE-2020-13269 (A Reflected Cross-Site Scripting vulnerability allowed the execution o ...) - gitlab CVE-2020-13268 (A specially crafted request could be used to confirm the existence of ...) - gitlab CVE-2020-13267 (A Stored Cross-Site Scripting vulnerability allowed the execution on J ...) - gitlab CVE-2020-13266 (Insecure authorization in Project Deploy Keys in GitLab CE/EE 12.8 and ...) - gitlab CVE-2020-13265 (User email verification bypass in GitLab CE/EE 12.5 and later through ...) - gitlab CVE-2020-13264 (Kubernetes cluster token disclosure in GitLab CE/EE 10.3 and later thr ...) - gitlab CVE-2020-13263 (An authorization issue relating to project maintainer impersonation wa ...) - gitlab (Specific to EE) CVE-2020-13262 (Client-Side code injection through Mermaid markup in GitLab CE/EE 12.9 ...) - gitlab CVE-2020-13261 (Amazon EKS credentials disclosure in GitLab CE/EE 12.6 and later throu ...) - gitlab CVE-2020-13260 RESERVED CVE-2020-13259 RESERVED CVE-2020-13258 (Contentful through 2020-05-21 for Python allows reflected XSS, as demo ...) NOT-FOR-US: Contentful CVE-2020-13257 RESERVED CVE-2020-13256 RESERVED CVE-2020-13255 RESERVED CVE-2020-13254 (An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0 ...) {DSA-4705-1 DLA-2233-1} - python-django 2:2.2.13-1 (bug #962323) NOTE: https://www.openwall.com/lists/oss-security/2020/06/03/1 NOTE: https://github.com/django/django/commit/2c82414914ae6476be5a166be9ff49c24d0d9069 (master) NOTE: https://github.com/django/django/commit/580bd64c0482ae9b7c05715390e25f4405a12719 (3.1 branch) NOTE: https://github.com/django/django/commit/84b2da5552e100ae3294f564f6c862fef8d0e693 (3.0 branch) NOTE: https://github.com/django/django/commit/07e59caa02831c4569bbebb9eb773bdd9cb4b206 (2.2 branch) NOTE: Regression https://code.djangoproject.com/ticket/31654 CVE-2020-13253 (sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, wh ...) - qemu 1:5.0-6 (bug #961297) [buster] - qemu (Minor issue, can be fixed along in next DSA) [stretch] - qemu (Minor issue, can be fixed along in next DSA) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg05835.html NOTE: https://www.openwall.com/lists/oss-security/2020/05/27/2 NOTE: https://bugs.launchpad.net/qemu/+bug/1880822 CVE-2020-13252 (Centreon before 19.04.15 allows remote attackers to execute arbitrary ...) - centreon-web (bug #913903) CVE-2020-13251 RESERVED CVE-2020-13250 (HashiCorp Consul and Consul Enterprise include an HTTP API (introduced ...) - consul 1.7.4+dfsg1-1 [buster] - consul (Vulnerable code not present) NOTE: https://github.com/hashicorp/consul/blob/v1.7.4/CHANGELOG.md NOTE: https://github.com/hashicorp/consul/pull/8023 CVE-2020-13249 (libmariadb/mariadb_lib.c in MariaDB Connector/C before 3.1.8 does not ...) - mariadb-10.3 1:10.3.23-1 [buster] - mariadb-10.3 (Minor issue; will be fixed via point release) - mariadb-10.1 (Vulnerable code introduced later) NOTE: Fixed by: https://github.com/mariadb-corporation/mariadb-connector-c/commit/2759b87d72926b7c9b5426437a7c8dd15ff57945 (v3.1.8) NOTE: Introduced around: https://github.com/mariadb-corporation/mariadb-connector-c/commit/b4efe73c9e725f97b3550371f8a78a10a20bf2fd (v3.0-cc-server-integ-0) CVE-2020-13248 (BooleBox Secure File Sharing Utility (potentially all versions) allows ...) NOT-FOR-US: BooleBox Secure File Sharing Utility CVE-2020-13247 (BooleBox Secure File Sharing Utility (potentially all versions) allows ...) NOT-FOR-US: BooleBox Secure File Sharing Utility CVE-2020-13246 (An issue was discovered in Gitea through 1.11.5. An attacker can trigg ...) - gitea CVE-2020-13245 (Certain NETGEAR devices are affected by Missing SSL Certificate Valida ...) NOT-FOR-US: Netgear CVE-2020-13244 RESERVED CVE-2020-13243 RESERVED CVE-2020-13242 RESERVED CVE-2020-13241 (Microweber 1.1.18 allows Unrestricted File Upload because admin/view:m ...) NOT-FOR-US: Microweber CVE-2020-13240 (The DMS/ECM module in Dolibarr 11.0.4 allows users with the 'Setup doc ...) - dolibarr CVE-2020-13239 (The DMS/ECM module in Dolibarr 11.0.4 renders user-uploaded .html file ...) - dolibarr CVE-2020-13238 (Mitsubishi MELSEC iQ-R Series PLCs with firmware 33 allow attackers to ...) NOT-FOR-US: Mitsubishi CVE-2020-13237 RESERVED CVE-2020-13236 RESERVED CVE-2020-13235 RESERVED CVE-2020-13234 RESERVED CVE-2020-13233 RESERVED CVE-2020-13232 RESERVED CVE-2020-13231 (In Cacti before 1.2.11, auth_profile.php?action=edit allows CSRF for a ...) - cacti 1.2.11+ds1-1 [buster] - cacti (Minor issue) [stretch] - cacti (Minor issue) NOTE: https://github.com/Cacti/cacti/issues/3342 CVE-2020-13230 (In Cacti before 1.2.11, disabling a user account does not immediately ...) - cacti 1.2.11+ds1-1 [buster] - cacti (Minor issue) [stretch] - cacti (Minor issue) NOTE: https://github.com/Cacti/cacti/issues/3343 CVE-2020-13229 (An issue was discovered in Sysax Multi Server 6.90. A session can be h ...) NOT-FOR-US: Sysax Multi Server CVE-2020-13228 (An issue was discovered in Sysax Multi Server 6.90. There is reflected ...) NOT-FOR-US: Sysax Multi Server CVE-2020-13227 (An issue was discovered in Sysax Multi Server 6.90. An attacker can de ...) NOT-FOR-US: Sysax Multi Server CVE-2020-13226 (WSO2 API Manager 3.0.0 does not properly restrict outbound network acc ...) NOT-FOR-US: WSO2 API Manager CVE-2020-13225 (phpIPAM 1.4 contains a stored cross site scripting (XSS) vulnerability ...) - phpipam (bug #731713) NOTE: https://github.com/phpipam/phpipam/issues/3025 CVE-2020-13224 (TP-LINK NC200 devices through 2.1.10 build 200401, NC210 devices throu ...) NOT-FOR-US: TP-LINK CVE-2020-13223 (HashiCorp Vault and Vault Enterprise before 1.3.6, and 1.4.2 before 1. ...) NOT-FOR-US: HashiCorp Vault CVE-2020-13222 RESERVED CVE-2020-13221 RESERVED CVE-2020-13220 RESERVED CVE-2020-13219 RESERVED CVE-2020-13218 RESERVED CVE-2020-13217 RESERVED CVE-2020-13216 RESERVED CVE-2020-13215 RESERVED CVE-2020-13214 RESERVED CVE-2020-13213 RESERVED CVE-2020-13212 RESERVED CVE-2020-13211 RESERVED CVE-2020-13210 RESERVED CVE-2020-13209 RESERVED CVE-2020-13208 RESERVED CVE-2020-13207 RESERVED CVE-2020-13206 RESERVED CVE-2020-13205 RESERVED CVE-2020-13204 RESERVED CVE-2020-13203 RESERVED CVE-2020-13202 RESERVED CVE-2020-13201 RESERVED CVE-2020-13200 RESERVED CVE-2020-13199 RESERVED CVE-2020-13198 RESERVED CVE-2020-13197 RESERVED CVE-2020-13196 RESERVED CVE-2020-13195 RESERVED CVE-2020-13194 RESERVED CVE-2020-13193 RESERVED CVE-2020-13192 RESERVED CVE-2020-13191 RESERVED CVE-2020-13190 RESERVED CVE-2020-13189 RESERVED CVE-2020-13188 RESERVED CVE-2020-13187 RESERVED CVE-2020-13186 RESERVED CVE-2020-13185 RESERVED CVE-2020-13184 RESERVED CVE-2020-13183 RESERVED CVE-2020-13182 RESERVED CVE-2020-13181 RESERVED CVE-2020-13180 RESERVED CVE-2020-13179 RESERVED CVE-2020-13178 RESERVED CVE-2020-13177 RESERVED CVE-2020-13176 RESERVED CVE-2020-13175 RESERVED CVE-2020-13174 RESERVED CVE-2020-13173 (Initialization of the pcoip_credential_provider in Teradici PCoIP Stan ...) NOT-FOR-US: Teradici CVE-2020-13172 RESERVED CVE-2020-13171 RESERVED CVE-2020-13170 (HashiCorp Consul and Consul Enterprise did not appropriately enforce s ...) - consul 1.7.4+dfsg1-1 [buster] - consul (Vulnerable code not present) NOTE: https://github.com/hashicorp/consul/blob/v1.7.4/CHANGELOG.md NOTE: https://github.com/hashicorp/consul/pull/8068 CVE-2020-13169 RESERVED CVE-2020-13168 RESERVED CVE-2020-13167 (Netsweeper through 6.4.3 allows unauthenticated remote code execution ...) NOT-FOR-US: Netsweeper CVE-2020-13166 (The management tool in MyLittleAdmin 3.8 allows remote attackers to ex ...) NOT-FOR-US: MyLittleAdmin CVE-2020-13165 RESERVED CVE-2020-13164 (In Wireshark 3.2.0 to 3.2.3, 3.0.0 to 3.0.10, and 2.6.0 to 2.6.16, the ...) - wireshark 3.2.4-1 (low) [buster] - wireshark (Can be fixed along in next 3.0.x DSA) [stretch] - wireshark (Can be fixed along in next DSA/update to 3.0) [jessie] - wireshark (Can be fixed along with other CVEs) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16476 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=e6e98eab8e5e0bbc982cfdc808f2469d7cab6c5a NOTE: https://www.wireshark.org/security/wnpa-sec-2020-08.html CVE-2020-13163 (em-imap 0.5 uses the library eventmachine in an insecure way that allo ...) NOT-FOR-US: em-imap CVE-2020-13162 (A time-of-check time-of-use vulnerability in PulseSecureService.exe in ...) NOT-FOR-US: Pulse Secure Client CVE-2020-13161 RESERVED CVE-2020-13160 (AnyDesk before 5.5.3 on Linux and FreeBSD has a format string vulnerab ...) NOT-FOR-US: AnyDesk CVE-2020-13159 (Artica Proxy before 4.30.000000 Community Edition allows OS command in ...) NOT-FOR-US: Artica Proxy CVE-2020-13158 (Artica Proxy before 4.30.000000 Community Edition allows Directory Tra ...) NOT-FOR-US: Artica Proxy CVE-2020-13157 (modules\users\admin\edit.php in NukeViet 4.4 allows CSRF to change a u ...) NOT-FOR-US: NukeViet CVE-2020-13156 (modules\users\admin\add_user.php in NukeViet 4.4 allows CSRF to add a ...) NOT-FOR-US: NukeViet CVE-2020-13155 (clearsystem.php in NukeViet 4.4 allows CSRF with resultant HTML inject ...) NOT-FOR-US: NukeViet CVE-2020-13154 (Zoho ManageEngine Service Plus before 11.1 build 11112 allows low-priv ...) NOT-FOR-US: Zoho CVE-2020-13153 (app/View/Events/resolved_attributes.ctp in MISP before 2.4.126 has XSS ...) NOT-FOR-US: MISP CVE-2020-13152 (A remote user can create a specially crafted M3U file, media playlist ...) - amarok (unimportant) NOTE: Elevated resource usage in client application, no security impact CVE-2020-13151 RESERVED CVE-2020-13150 (D-link DSL-2750U ISL2750UEME3.V1E devices allow approximately 90 secon ...) NOT-FOR-US: D-link CVE-2020-13149 (Weak permissions on the "%PROGRAMDATA%\MSI\Dragon Center" folder in Dr ...) NOT-FOR-US: Dragon Center CVE-2020-13148 RESERVED CVE-2020-13147 RESERVED CVE-2020-13146 (Studio in Open edX Ironwood 2.5 allows CSV injection because an added ...) NOT-FOR-US: Studio in Open edX Ironwood CVE-2020-13145 (Studio in Open edX Ironwood 2.5 allows users to upload SVG files via t ...) NOT-FOR-US: Studio in Open edX Ironwood CVE-2020-13144 (Studio in Open edX Ironwood 2.5, when CodeJail is not used, allows a u ...) NOT-FOR-US: Studio in Open edX Ironwood CVE-2020-13142 RESERVED CVE-2020-13141 RESERVED CVE-2020-13140 RESERVED CVE-2020-13139 RESERVED CVE-2020-13138 RESERVED CVE-2020-13137 RESERVED CVE-2020-13136 (D-Link DSP-W215 1.26b03 devices send an obfuscated hash that can be re ...) NOT-FOR-US: D-Link CVE-2020-13135 (D-Link DSP-W215 1.26b03 devices allow information disclosure by interc ...) NOT-FOR-US: D-Link CVE-2020-13134 RESERVED CVE-2020-13133 RESERVED CVE-2020-13132 RESERVED CVE-2020-13131 RESERVED CVE-2020-13143 (gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c in the Linu ...) {DSA-4699-1 DSA-4698-1 DLA-2242-1 DLA-2241-1} - linux 5.6.14-1 NOTE: https://git.kernel.org/linus/15753588bcd4bbffae1cca33c8ced5722477fe1f CVE-2020-13130 RESERVED CVE-2020-13129 (An issue was discovered in the stashcat app through 3.9.1 for macOS, W ...) NOT-FOR-US: stashcat app for MacOS CVE-2020-13128 (An issue was discovered in Manolo GWTUpload 1.0.3. server/UploadServle ...) NOT-FOR-US: Manolo GWTUpload CVE-2019-20802 (An issue was discovered in the Readdle Documents app before 6.9.7 for ...) NOT-FOR-US: Readdle Documents CVE-2019-20801 (An issue was discovered in the Readdle Documents app before 6.9.7 for ...) NOT-FOR-US: Readdle Documents CVE-2019-20800 (In Cherokee through 1.2.104, remote attackers can trigger an out-of-bo ...) - cherokee CVE-2019-20799 (In Cherokee through 1.2.104, multiple memory corruption errors may be ...) - cherokee CVE-2019-20798 (An XSS issue was discovered in handler_server_info.c in Cherokee throu ...) - cherokee CVE-2019-20797 (An issue was discovered in e6y prboom-plus 2.5.1.5. There is a buffer ...) - prboom-plus 2:2.5.1.7um+git82-1 (bug #961031) [buster] - prboom-plus (Minor issue) [stretch] - prboom-plus (Minor issue) [jessie] - prboom-plus (games are not supported) NOTE: https://logicaltrust.net/blog/2019/10/prboom1.html NOTE: https://sourceforge.net/p/prboom-plus/bugs/252/ NOTE: https://sourceforge.net/p/prboom-plus/bugs/253/ CVE-2020-13127 RESERVED CVE-2020-13126 (An issue was discovered in the Elementor Pro plugin before 2.9.4 for W ...) NOT-FOR-US: Elementor Pro plugin for WordPress CVE-2020-13125 (An issue was discovered in the "Ultimate Addons for Elementor" plugin ...) NOT-FOR-US: "Ultimate Addons for Elementor" plugin for WordPress CVE-2020-13124 RESERVED CVE-2020-13123 RESERVED CVE-2020-13122 RESERVED CVE-2020-13121 (Submitty through 20.04.01 has an open redirect via authentication/logi ...) NOT-FOR-US: Submitty CVE-2020-13120 RESERVED CVE-2020-13119 RESERVED CVE-2020-13118 (An issue was discovered in Mikrotik-Router-Monitoring-System through 2 ...) NOT-FOR-US: Mikrotik-Router-Monitoring-System CVE-2020-13117 RESERVED CVE-2020-13116 RESERVED CVE-2020-13115 RESERVED CVE-2020-13114 (An issue was discovered in libexif before 0.6.22. An unrestricted size ...) {DLA-2222-1} - libexif 0.6.21-9 (bug #961410) [buster] - libexif (Minor issue) [stretch] - libexif (Minor issue) NOTE: https://github.com/libexif/libexif/commit/e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab (0.6.22) CVE-2020-13113 (An issue was discovered in libexif before 0.6.22. Use of uninitialized ...) {DLA-2222-1} - libexif 0.6.21-9 (bug #961409) [buster] - libexif (Minor issue) [stretch] - libexif (Minor issue) NOTE: https://github.com/libexif/libexif/commit/ec412aa4583ad71ecabb967d3c77162760169d1f (0.6.22) CVE-2020-13112 (An issue was discovered in libexif before 0.6.22. Several buffer over- ...) {DLA-2222-1} - libexif 0.6.21-9 (bug #961407) [buster] - libexif (Minor issue) [stretch] - libexif (Minor issue) NOTE: https://github.com/libexif/libexif/commit/435e21f05001fb03f9f186fa7cbc69454afd00d1 (0.6.22) CVE-2020-13111 (NaviServer 4.99.4 to 4.99.19 allows denial of service due to the nsd/d ...) NOT-FOR-US: NaviServer CVE-2020-13110 (The kerberos package before 1.0.0 for Node.js allows arbitrary code ex ...) NOT-FOR-US: Node kerberos CVE-2020-13109 (Morita Shogi 64 through 2020-05-02 for Nintendo 64 devices allows remo ...) NOT-FOR-US: Morita Shogi CVE-2020-13108 RESERVED CVE-2020-13107 RESERVED CVE-2020-13106 RESERVED CVE-2020-13105 RESERVED CVE-2020-13104 RESERVED CVE-2020-13103 RESERVED CVE-2020-13102 RESERVED CVE-2020-13101 RESERVED CVE-2020-13100 RESERVED CVE-2020-13099 RESERVED CVE-2020-13098 RESERVED CVE-2020-13097 RESERVED CVE-2020-13096 RESERVED CVE-2020-13095 (Little Snitch version 4.5.1 and older changed ownership of a directory ...) NOT-FOR-US: Little Snitch CVE-2020-13094 (Dolibarr before 11.0.4 allows XSS. ...) - dolibarr CVE-2020-13093 (iSpyConnect.com Agent DVR before 2.7.1.0 allows directory traversal. ...) NOT-FOR-US: iSpyConnect.com Agent DVR CVE-2020-13092 (** DISPUTED ** scikit-learn (aka sklearn) through 0.23.0 can unseriali ...) - scikit-learn (unimportant) CVE-2020-13091 (** DISPUTED ** pandas through 1.0.3 can unserialize and execute comman ...) - pandas (unimportant) CVE-2020-13090 RESERVED CVE-2020-13089 RESERVED CVE-2020-13088 RESERVED CVE-2020-13087 RESERVED CVE-2020-13086 RESERVED CVE-2020-13085 RESERVED CVE-2020-13084 RESERVED CVE-2020-13083 RESERVED CVE-2020-13082 RESERVED CVE-2020-13081 RESERVED CVE-2020-13080 RESERVED CVE-2020-13079 RESERVED CVE-2020-13078 RESERVED CVE-2020-13077 RESERVED CVE-2020-13076 RESERVED CVE-2020-13075 RESERVED CVE-2020-13074 RESERVED CVE-2020-13073 RESERVED CVE-2020-13072 RESERVED CVE-2020-13071 RESERVED CVE-2020-13070 RESERVED CVE-2020-13069 RESERVED CVE-2020-13068 RESERVED CVE-2020-13067 RESERVED CVE-2020-13066 RESERVED CVE-2020-13065 RESERVED CVE-2020-13064 RESERVED CVE-2020-13063 RESERVED CVE-2020-13062 RESERVED CVE-2020-13061 RESERVED CVE-2020-13060 RESERVED CVE-2020-13059 RESERVED CVE-2020-13058 RESERVED CVE-2020-13057 RESERVED CVE-2020-13056 RESERVED CVE-2020-13055 RESERVED CVE-2020-13054 RESERVED CVE-2020-13053 RESERVED CVE-2020-13052 RESERVED CVE-2020-13051 RESERVED CVE-2020-13050 RESERVED CVE-2020-13049 RESERVED CVE-2020-13048 RESERVED CVE-2020-13047 RESERVED CVE-2020-13046 RESERVED CVE-2020-13045 RESERVED CVE-2020-13044 RESERVED CVE-2020-13043 RESERVED CVE-2020-13042 RESERVED CVE-2020-13041 RESERVED CVE-2020-13040 RESERVED CVE-2020-13039 RESERVED CVE-2020-13038 RESERVED CVE-2020-13037 RESERVED CVE-2020-13036 RESERVED CVE-2020-13035 RESERVED CVE-2020-13034 RESERVED CVE-2020-13033 RESERVED CVE-2020-13032 RESERVED CVE-2020-13031 RESERVED CVE-2020-13030 RESERVED CVE-2020-13029 RESERVED CVE-2020-13028 RESERVED CVE-2020-13027 RESERVED CVE-2020-13026 RESERVED CVE-2020-13025 RESERVED CVE-2020-13024 RESERVED CVE-2020-13023 RESERVED CVE-2020-13022 RESERVED CVE-2020-13021 RESERVED CVE-2020-13020 RESERVED CVE-2020-13019 RESERVED CVE-2020-13018 RESERVED CVE-2020-13017 RESERVED CVE-2020-13016 RESERVED CVE-2020-13015 RESERVED CVE-2020-13014 RESERVED CVE-2020-13013 RESERVED CVE-2020-13012 RESERVED CVE-2020-13011 RESERVED CVE-2020-13010 RESERVED CVE-2020-13009 RESERVED CVE-2020-13008 RESERVED CVE-2020-13007 RESERVED CVE-2020-13006 RESERVED CVE-2020-13005 RESERVED CVE-2020-13004 RESERVED CVE-2020-13003 RESERVED CVE-2020-13002 RESERVED CVE-2020-13001 RESERVED CVE-2020-13000 RESERVED CVE-2020-12999 RESERVED CVE-2020-12998 RESERVED CVE-2020-12997 RESERVED CVE-2020-12996 RESERVED CVE-2020-12995 RESERVED CVE-2020-12994 RESERVED CVE-2020-12993 RESERVED CVE-2020-12992 RESERVED CVE-2020-12991 RESERVED CVE-2020-12990 RESERVED CVE-2020-12989 RESERVED CVE-2020-12988 RESERVED CVE-2020-12987 RESERVED CVE-2020-12986 RESERVED CVE-2020-12985 RESERVED CVE-2020-12984 RESERVED CVE-2020-12983 RESERVED CVE-2020-12982 RESERVED CVE-2020-12981 RESERVED CVE-2020-12980 RESERVED CVE-2020-12979 RESERVED CVE-2020-12978 RESERVED CVE-2020-12977 RESERVED CVE-2020-12976 RESERVED CVE-2020-12975 RESERVED CVE-2020-12974 RESERVED CVE-2020-12973 RESERVED CVE-2020-12972 RESERVED CVE-2020-12971 RESERVED CVE-2020-12970 RESERVED CVE-2020-12969 RESERVED CVE-2020-12968 RESERVED CVE-2020-12967 RESERVED CVE-2020-12966 RESERVED CVE-2020-12965 RESERVED CVE-2020-12964 RESERVED CVE-2020-12963 RESERVED CVE-2020-12962 RESERVED CVE-2020-12961 RESERVED CVE-2020-12960 RESERVED CVE-2020-12959 RESERVED CVE-2020-12958 RESERVED CVE-2020-12957 RESERVED CVE-2020-12956 RESERVED CVE-2020-12955 RESERVED CVE-2020-12954 RESERVED CVE-2020-12953 RESERVED CVE-2020-12952 RESERVED CVE-2020-12951 RESERVED CVE-2020-12950 RESERVED CVE-2020-12949 RESERVED CVE-2020-12948 RESERVED CVE-2020-12947 RESERVED CVE-2020-12946 RESERVED CVE-2020-12945 RESERVED CVE-2020-12944 RESERVED CVE-2020-12943 RESERVED CVE-2020-12942 RESERVED CVE-2020-12941 RESERVED CVE-2020-12940 RESERVED CVE-2020-12939 RESERVED CVE-2020-12938 RESERVED CVE-2020-12937 RESERVED CVE-2020-12936 RESERVED CVE-2020-12935 RESERVED CVE-2020-12934 RESERVED CVE-2020-12933 RESERVED CVE-2020-12932 RESERVED CVE-2020-12931 RESERVED CVE-2020-12930 RESERVED CVE-2020-12929 RESERVED CVE-2020-12928 RESERVED CVE-2020-12927 RESERVED CVE-2020-12926 RESERVED CVE-2020-12925 RESERVED CVE-2020-12924 RESERVED CVE-2020-12923 RESERVED CVE-2020-12922 RESERVED CVE-2020-12921 RESERVED CVE-2020-12920 RESERVED CVE-2020-12919 RESERVED CVE-2020-12918 RESERVED CVE-2020-12917 RESERVED CVE-2020-12916 RESERVED CVE-2020-12915 RESERVED CVE-2020-12914 RESERVED CVE-2020-12913 RESERVED CVE-2020-12912 RESERVED CVE-2020-12911 RESERVED CVE-2020-12910 RESERVED CVE-2020-12909 RESERVED CVE-2020-12908 RESERVED CVE-2020-12907 RESERVED CVE-2020-12906 RESERVED CVE-2020-12905 RESERVED CVE-2020-12904 RESERVED CVE-2020-12903 RESERVED CVE-2020-12902 RESERVED CVE-2020-12901 RESERVED CVE-2020-12900 RESERVED CVE-2020-12899 RESERVED CVE-2020-12898 RESERVED CVE-2020-12897 RESERVED CVE-2020-12896 RESERVED CVE-2020-12895 RESERVED CVE-2020-12894 RESERVED CVE-2020-12893 RESERVED CVE-2020-12892 RESERVED CVE-2020-12891 RESERVED CVE-2020-12890 RESERVED CVE-2020-12889 (MISP MISP-maltego 1.4.4 incorrectly shares a MISP connection across us ...) NOT-FOR-US: MISP CVE-2020-12888 (The VFIO PCI driver in the Linux kernel through 5.6.13 mishandles atte ...) - linux NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1836244 CVE-2020-12887 (Memory leaks were discovered in the CoAP library in Arm Mbed OS 5.15.3 ...) NOT-FOR-US: Mbed CoAP (diffrent from src:mbedtls) CVE-2020-12886 (A buffer over-read was discovered in the CoAP library in Arm Mbed OS 5 ...) NOT-FOR-US: Mbed CoAP (diffrent from src:mbedtls) CVE-2020-12885 (An infinite loop was discovered in the CoAP library in Arm Mbed OS 5.1 ...) NOT-FOR-US: Mbed CoAP (diffrent from src:mbedtls) CVE-2020-12884 (A buffer over-read was discovered in the CoAP library in Arm Mbed OS 5 ...) NOT-FOR-US: Mbed CoAP (diffrent from src:mbedtls) CVE-2020-12883 (Buffer over-reads were discovered in the CoAP library in Arm Mbed OS 5 ...) NOT-FOR-US: Mbed CoAP (diffrent from src:mbedtls) CVE-2020-12882 (Submitty through 20.04.01 allows XSS via upload of an SVG document, as ...) NOT-FOR-US: Submitty CVE-2020-12881 RESERVED CVE-2020-12880 RESERVED CVE-2020-12879 RESERVED CVE-2020-12878 RESERVED CVE-2020-12877 (Veritas APTARE versions prior to 10.4 allowed sensitive information to ...) NOT-FOR-US: Veritas CVE-2020-12876 (Veritas APTARE versions prior to 10.4 allowed remote users to access s ...) NOT-FOR-US: Veritas CVE-2020-12875 (Veritas APTARE versions prior to 10.4 did not perform adequate authori ...) NOT-FOR-US: Veritas CVE-2020-12874 (Veritas APTARE versions prior to 10.4 included code that bypassed the ...) NOT-FOR-US: Veritas CVE-2020-12873 RESERVED CVE-2020-12872 (yaws_config.erl in Yaws through 2.0.2 and/or 2.0.7 loads obsolete TLS ...) - erlang 1:21.2.6+dfsg-1 (low) [stretch] - erlang (Minor issue) [jessie] - erlang (Minor issue) NOTE: https://medium.com/@charlielabs101/cve-2020-12872-df315411aa70 NOTE: https://github.com/erlyaws/yaws/issues/402 NOTE: In Debian yaws uses the cipher settings from erlang, mark the version which NOTE: landed in Buster as fixed (although it was possibly fixed earlier between NOTE: Stretch and Buster. The CVE was assigned specifically for yaws, cf. #961422 NOTE: for discussion. CVE-2020-12871 RESERVED CVE-2020-12870 RESERVED CVE-2020-12869 RESERVED CVE-2020-12868 RESERVED CVE-2020-12867 (A NULL pointer dereference in sanei_epson_net_read in SANE Backends be ...) {DLA-2231-1} [experimental] - sane-backends 1.0.30-1~experimental1 - sane-backends (bug #961302) NOTE: https://gitlab.com/sane-project/backends/-/issues/279 NOTE: https://gitlab.com/sane-project/backends/-/issues/279#issue-1-ghsl-2020-075-null-pointer-dereference-in-sanei_epson_net_read NOTE: https://alioth-lists.debian.net/pipermail/sane-announce/2020/000041.html CVE-2020-12866 (A NULL pointer dereference in SANE Backends before 1.0.30 allows a mal ...) [experimental] - sane-backends 1.0.30-1~experimental1 - sane-backends (bug #961302) [jessie] - sane-backends (epsonds backend was added in 1.0.25) NOTE: https://gitlab.com/sane-project/backends/-/issues/279 NOTE: https://gitlab.com/sane-project/backends/-/issues/279#issue-2-ghsl-2020-079-null-pointer-dereference-in-epsonds_net_read NOTE: https://alioth-lists.debian.net/pipermail/sane-announce/2020/000041.html CVE-2020-12865 (A heap buffer overflow in SANE Backends before 1.0.30 may allow a mali ...) [experimental] - sane-backends 1.0.30-1~experimental1 - sane-backends (bug #961302) [jessie] - sane-backends (epsonds backend was added in 1.0.25) NOTE: https://gitlab.com/sane-project/backends/-/issues/279 NOTE: https://gitlab.com/sane-project/backends/-/issues/279#issue-9-ghsl-2020-084-buffer-overflow-in-esci2_img NOTE: https://alioth-lists.debian.net/pipermail/sane-announce/2020/000041.html CVE-2020-12864 (An out-of-bounds read in SANE Backends before 1.0.30 may allow a malic ...) [experimental] - sane-backends 1.0.30-1~experimental1 - sane-backends (bug #961302) [jessie] - sane-backends (epsonds backend was added in 1.0.25) NOTE: https://gitlab.com/sane-project/backends/-/issues/279 NOTE: https://gitlab.com/sane-project/backends/-/issues/279#issue-4-ghsl-2020-081-reading-uninitialized-data-in-epsonds_net_read NOTE: https://alioth-lists.debian.net/pipermail/sane-announce/2020/000041.html CVE-2020-12863 (An out-of-bounds read in SANE Backends before 1.0.30 may allow a malic ...) [experimental] - sane-backends 1.0.30-1~experimental1 - sane-backends (bug #961302) [jessie] - sane-backends (epsonds backend was added in 1.0.25) NOTE: https://gitlab.com/sane-project/backends/-/issues/279 NOTE: https://gitlab.com/sane-project/backends/-/issues/279#issue-7-ghsl-2020-083-out-of-bounds-read-in-esci2_check_header NOTE: https://alioth-lists.debian.net/pipermail/sane-announce/2020/000041.html CVE-2020-12862 (An out-of-bounds read in SANE Backends before 1.0.30 may allow a malic ...) [experimental] - sane-backends 1.0.30-1~experimental1 - sane-backends (bug #961302) [jessie] - sane-backends (epsonds backend was added in 1.0.25) NOTE: https://gitlab.com/sane-project/backends/-/issues/279 NOTE: https://gitlab.com/sane-project/backends/-/issues/279#issue-5-ghsl-2020-082-out-of-bounds-read-in-decode_binary NOTE: https://alioth-lists.debian.net/pipermail/sane-announce/2020/000041.html CVE-2020-12861 (A heap buffer overflow in SANE Backends before 1.0.30 allows a malicio ...) [experimental] - sane-backends 1.0.30-1~experimental1 - sane-backends (bug #961302) [jessie] - sane-backends (epsonds backend was added in 1.0.25) NOTE: https://gitlab.com/sane-project/backends/-/issues/279 NOTE: https://gitlab.com/sane-project/backends/-/issues/279#issue-3-ghsl-2020-080-heap-buffer-overflow-in-epsonds_net_read NOTE: https://alioth-lists.debian.net/pipermail/sane-announce/2020/000041.html CVE-2020-12860 (COVIDSafe through v1.0.17 allows a remote attacker to access phone nam ...) NOT-FOR-US: COVIDSafe CVE-2020-12859 (Unnecessary fields in the OpenTrace/BlueTrace protocol in COVIDSafe th ...) NOT-FOR-US: COVIDSafe CVE-2020-12858 (Non-reinitialisation of random data in the advertising payload in COVI ...) NOT-FOR-US: COVIDSafe CVE-2020-12857 (Caching of GATT characteristic values (TempID) in COVIDSafe v1.0.15 an ...) NOT-FOR-US: COVIDSafe CVE-2020-12856 (OpenTrace, as used in COVIDSafe through v1.0.17, TraceTogether, ABTrac ...) NOT-FOR-US: COVIDSafe CVE-2020-12855 RESERVED CVE-2020-12854 RESERVED CVE-2020-12853 (Pydio Cells 2.0.4 allows XSS. A malicious user can either upload or cr ...) NOT-FOR-US: Pydio Cells CVE-2020-12852 (The update feature for Pydio Cells 2.0.4 allows an administrator user ...) NOT-FOR-US: Pydio Cells CVE-2020-12851 (Pydio Cells 2.0.4 allows an authenticated user to write or overwrite e ...) NOT-FOR-US: Pydio Cells CVE-2020-12850 (The following vulnerability applies only to the Pydio Cells Enterprise ...) NOT-FOR-US: Pydio Cells CVE-2020-12849 (Pydio Cells 2.0.4 allows any user to upload a profile image to the web ...) NOT-FOR-US: Pydio Cells CVE-2020-12848 (In Pydio Cells 2.0.4, once an authenticated user shares a file selecti ...) NOT-FOR-US: Pydio Cells CVE-2020-12847 (Pydio Cells 2.0.4 web application offers an administrative console nam ...) NOT-FOR-US: Pydio Cells CVE-2020-12846 (Zimbra before 8.8.15 Patch 10 and 9.x before 9.0.0 Patch 3 allows remo ...) NOT-FOR-US: Zimbra CVE-2020-12845 RESERVED CVE-2020-12844 RESERVED CVE-2020-12843 RESERVED CVE-2020-12842 RESERVED CVE-2020-12841 RESERVED CVE-2020-12840 RESERVED CVE-2020-12839 RESERVED CVE-2020-12838 RESERVED CVE-2020-12837 RESERVED CVE-2020-12836 RESERVED CVE-2020-12835 (An issue was discovered in SmartBear ReadyAPI SoapUI Pro 3.2.5. Due to ...) NOT-FOR-US: SmartBear ReadyAPI SoapUI Pro CVE-2020-12834 (eQ-3 Homematic Central Control Unit (CCU)2 through 2.51.6 and CCU3 thr ...) NOT-FOR-US: eQ-3 Homematic Central Control Unit CVE-2020-12833 RESERVED CVE-2020-12832 (WordPress Plugin Simple File List before 4.2.8 is prone to a vulnerabi ...) NOT-FOR-US: simple-file-list plugin for WordPress CVE-2020-12831 (** DISPUTED ** An issue was discovered in FRRouting FRR (aka Free Rang ...) - frr (unimportant) NOTE: https://github.com/FRRouting/frr/pull/6383 NOTE: https://github.com/FRRouting/frr/commit/7734484a378052a513c9e21165c13bf85f78ad48 CVE-2020-12830 RESERVED CVE-2020-12829 RESERVED - qemu (low; bug #961451) [buster] - qemu (Minor issue) [stretch] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1808510 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1786026 CVE-2020-12828 (An issue was discovered in AnchorFree VPN SDK before 1.3.3.218. The VP ...) NOT-FOR-US: AnchorFree VPN SDK CVE-2020-12827 (MJML prior to 4.6.3 contains a path traversal vulnerability when proce ...) NOT-FOR-US: MJML CVE-2019-20796 RESERVED CVE-2020-12826 (A signal access-control issue was discovered in the Linux kernel befor ...) {DLA-2241-1} - linux 5.6.7-1 [buster] - linux 4.19.118-1 NOTE: https://git.kernel.org/linus/d1e7fd6462ca9fc76650fbe6ca800e35b24267da CVE-2020-12825 (libcroco through 0.6.13 has excessive recursion in cr_parser_parse_any ...) - libcroco (low; bug #960527) [buster] - libcroco (Minor issue) [stretch] - libcroco (Minor issue) [jessie] - libcroco (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/libcroco/-/issues/8 CVE-2020-12824 RESERVED CVE-2020-12823 (OpenConnect 8.09 has a buffer overflow, causing a denial of service (a ...) {DLA-2212-1} - openconnect 8.10-1 (unimportant; bug #960620) NOTE: https://gitlab.com/openconnect/openconnect/-/merge_requests/108 NOTE: Only triggerable by local certs, which are under the control of the user CVE-2020-12822 RESERVED CVE-2020-12821 (Gossipsub 1.0 does not properly resist invalid message spam, such as a ...) NOT-FOR-US: Gossipsub CVE-2020-12820 RESERVED CVE-2020-12819 RESERVED CVE-2020-12818 RESERVED CVE-2020-12817 RESERVED CVE-2020-12816 RESERVED CVE-2020-12815 RESERVED CVE-2020-12814 RESERVED CVE-2020-12813 RESERVED CVE-2020-12812 RESERVED CVE-2020-12811 RESERVED CVE-2020-12810 RESERVED CVE-2020-12809 RESERVED CVE-2020-12808 RESERVED CVE-2020-12807 RESERVED CVE-2020-12806 RESERVED CVE-2020-12805 RESERVED CVE-2020-12804 RESERVED CVE-2020-12803 (ODF documents can contain forms to be filled out by the user. Similar ...) - libreoffice 1:6.4.4-1 (low) [buster] - libreoffice (Minor issue) [stretch] - libreoffice (Minor issue) [jessie] - libreoffice (Minor issue) NOTE: https://www.libreoffice.org/about-us/security/advisories/CVE-2020-12803 CVE-2020-12802 (LibreOffice has a 'stealth mode' in which only documents from location ...) - libreoffice 1:6.4.4-1 (low) [buster] - libreoffice (Minor issue) [stretch] - libreoffice (Minor issue) [jessie] - libreoffice (Minor issue) NOTE: https://www.libreoffice.org/about-us/security/advisories/CVE-2020-12802 CVE-2020-12801 (If LibreOffice has an encrypted document open and crashes, that docume ...) - libreoffice 1:6.4.3-1 (low) [buster] - libreoffice (Minor issue) [stretch] - libreoffice (Minor issue) [jessie] - libreoffice (Minor issue) NOTE: https://www.libreoffice.org/about-us/security/advisories/CVE-2020-12801 CVE-2020-12800 (The drag-and-drop-multiple-file-upload-contact-form-7 plugin before 1. ...) NOT-FOR-US: drag-and-drop-multiple-file-upload-contact-form-7 plugin for WordPress CVE-2020-12799 RESERVED CVE-2020-12798 (Cellebrite UFED 5.0 to 7.5.0.845 implements local operating system pol ...) NOT-FOR-US: Cellebrite UFED CVE-2020-12797 (HashiCorp Consul and Consul Enterprise failed to enforce changes to le ...) - consul 1.7.4+dfsg1-1 [buster] - consul (Vulnerable code not present) NOTE: https://github.com/hashicorp/consul/blob/v1.7.4/CHANGELOG.md NOTE: https://github.com/hashicorp/consul/pull/8047 CVE-2020-12796 RESERVED CVE-2020-12795 RESERVED CVE-2020-12794 RESERVED CVE-2020-12793 RESERVED CVE-2020-12792 RESERVED CVE-2020-12791 RESERVED CVE-2020-12790 (In the SEOmatic plugin before 3.2.49 for Craft CMS, helpers/DynamicMet ...) NOT-FOR-US: SEOmatic plugin for Craft CMS CVE-2020-12789 RESERVED CVE-2020-12788 RESERVED CVE-2020-12787 RESERVED CVE-2020-12786 RESERVED CVE-2020-12785 (cPanel before 86.0.14 allows attackers to obtain access to the current ...) NOT-FOR-US: cPanel CVE-2020-12784 (cPanel before 86.0.14 allows remote attackers to trigger a bandwidth s ...) NOT-FOR-US: cPanel CVE-2020-12782 (Openfind MailGates contains a Command Injection flaw, when receiving e ...) NOT-FOR-US: Openfind MailGates CVE-2020-12781 RESERVED CVE-2020-12780 RESERVED CVE-2020-12779 RESERVED CVE-2020-12778 RESERVED CVE-2020-12777 RESERVED CVE-2020-12776 RESERVED CVE-2020-12775 RESERVED CVE-2020-12774 RESERVED CVE-2020-12773 (A security misconfiguration vulnerability exists in the SDK of some Re ...) NOT-FOR-US: Realtek ADSL/PON Modem SoC firmware CVE-2020-12783 (Exim through 4.93 has an out-of-bounds read in the SPA authenticator t ...) {DSA-4687-1 DLA-2213-1} - exim4 4.93-16 NOTE: https://bugs.exim.org/show_bug.cgi?id=2571 NOTE: https://git.exim.org/exim.git/commitdiff/57aa14b216432be381b6295c312065b2fd034f86 NOTE: https://git.exim.org/exim.git/commitdiff/a04174dc2a84ae1008c23b6a7109e7fa3fb7b8b0 CVE-2020-12772 (An issue was discovered in Ignite Realtime Spark 2.8.3 (and the ROAR p ...) NOT-FOR-US: Ignite Realtime Spark CVE-2020-12767 (exif_entry_get_value in exif-entry.c in libexif 0.6.21 has a divide-by ...) {DLA-2214-1} - libexif 0.6.21-7 (bug #960199) [buster] - libexif (Minor issue) [stretch] - libexif (Minor issue) NOTE: https://github.com/libexif/libexif/issues/31 NOTE: https://github.com/libexif/libexif/commit/e22f73064f804c94e90b642cd0db4697c827da72 CVE-2019-20795 (iproute2 before 5.1.0 has a use-after-free in get_netnsid_from_name in ...) - iproute2 5.2.0-1 [buster] - iproute2 (Minor issue) [stretch] - iproute2 (Vulnerable code introduced later) [jessie] - iproute2 (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=9bf2c538a0eb10d66e2365a655bf6c52f5ba3d10 (v5.1.0) NOTE: Introduced in: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=86bf43c7c2fdc33d7c021b4a1add1c8facbca51c (v4.15.0) CVE-2020-XXXX [unspecified fexsrv security issue] - fex 20160919-2 [buster] - fex 20160919-2~deb10u1 [stretch] - fex (Non-free not supported) CVE-2020-12771 (An issue was discovered in the Linux kernel through 5.6.11. btree_gc_c ...) - linux 5.7.6-1 NOTE: https://lkml.org/lkml/2020/4/26/87 NOTE: https://git.kernel.org/linus/be23e837333a914df3f24bf0b32e87b0331ab8d1 (5.8-rc2) CVE-2020-12770 (An issue was discovered in the Linux kernel through 5.6.11. sg_write l ...) {DSA-4699-1 DSA-4698-1 DLA-2242-1 DLA-2241-1} - linux 5.6.14-1 NOTE: https://git.kernel.org/linus/83c6f2390040f188cc25b270b4befeb5628c1aee (5.7-rc3) CVE-2020-12769 (An issue was discovered in the Linux kernel before 5.4.17. drivers/spi ...) {DLA-2241-1} - linux 5.4.19-1 [buster] - linux 4.19.118-1 NOTE: https://git.kernel.org/linus/19b61392c5a852b4e8a0bf35aecb969983c5932d (5.5-rc6) CVE-2020-12768 (** DISPUTED ** An issue was discovered in the Linux kernel before 5.6. ...) {DSA-4699-1} - linux 5.6.7-1 (unimportant) [stretch] - linux (Vulnerability introduced later) [jessie] - linux (Vulnerability introduced later) NOTE: https://git.kernel.org/linus/d80b64ff297e40c2b6f7d7abc1b3eba70d22a068 (5.6-rc4) CVE-2020-12766 (Gnuteca 3.8 allows action=main:search:simpleSearch SQL Injection via t ...) NOT-FOR-US: Gnuteca CVE-2020-12765 (Solis Miolo 2.0 allows index.php?module=install&action=view&it ...) NOT-FOR-US: Solis Miolo CVE-2020-12764 (Gnuteca 3.8 allows file.php?folder=/&file= Directory Traversal. ...) NOT-FOR-US: Gnuteca CVE-2020-12763 (TRENDnet ProView Wireless camera TV-IP512WN 1.0R 1.0.4 is vulnerable t ...) NOT-FOR-US: TRENDnet ProView CVE-2020-12762 (json-c through 0.14 has an integer overflow and out-of-bounds write vi ...) {DLA-2228-2 DLA-2228-1} - json-c 0.13.1+dfsg-8 (bug #960326) NOTE: https://github.com/json-c/json-c/pull/592 NOTE: https://github.com/json-c/json-c/commit/099016b7e8d70a6d5dd814e788bba08d33d48426 NOTE: https://github.com/json-c/json-c/commit/77d935b7ae7871a1940cd827e850e6063044ec45 NOTE: https://github.com/json-c/json-c/commit/d07b91014986900a3a75f306d302e13e005e9d67 NOTE: https://github.com/json-c/json-c/commit/519dfe1591d85432986f9762d41d1a883198c157 NOTE: https://github.com/json-c/json-c/commit/a59d5acfab4485d5133114df61785b1fc633e0c6 NOTE: d07b91014986 ("Fix integer overflows.") introduces a regression tracked as: NOTE: https://github.com/json-c/json-c/issues/599 NOTE: https://github.com/json-c/json-c/pull/610 NOTE: Working backports for older branches: https://github.com/json-c/json-c/pull/608 CVE-2020-12761 (modules/loaders/loader_ico.c in imlib2 1.6.0 has an integer overflow ( ...) - imlib2 1.6.1-2 (bug #960192) [buster] - imlib2 (Vulnerable code introduced later) [stretch] - imlib2 (Vulnerable code introduced later) [jessie] - imlib2 (Vulnerable code introduced later) NOTE: https://git.enlightenment.org/legacy/imlib2.git/commit/?id=c95f938ff1effaf91729c050a0f1c8684da4dd63 CVE-2020-12760 (An issue was discovered in OpenNMS Horizon before 26.0.1, and Meridian ...) NOT-FOR-US: OpenNMS CVE-2020-12759 RESERVED CVE-2020-12758 (HashiCorp Consul and Consul Enterprise could crash when configured wit ...) - consul 1.7.4+dfsg1-1 [buster] - consul (Vulnerable code not present) NOTE: https://github.com/hashicorp/consul/blob/v1.7.4/CHANGELOG.md NOTE: https://github.com/hashicorp/consul/pull/7783 CVE-2020-12757 (HashiCorp Vault and Vault Enterprise 1.4.x before 1.4.2 has Incorrect ...) NOT-FOR-US: HashiCorp Vault CVE-2020-12756 RESERVED CVE-2020-12755 (fishProtocol::establishConnection in fish/fish.cpp in KDE kio-extras t ...) - kio-extras (low; bug #960306) [buster] - kio-extras (Minor issue) [stretch] - kio-extras (Minor issue) NOTE: https://cgit.kde.org/kio-extras.git/commit/?id=d813cef3cecdec9af1532a40d677a203ff979145 CVE-2019-20794 (An issue was discovered in the Linux kernel 4.18 through 5.6.11 when u ...) - linux NOTE: https://sourceforge.net/p/fuse/mailman/message/36598753/ CVE-2020-12754 (An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, ...) NOT-FOR-US: LG mobile devices CVE-2020-12753 (An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, ...) NOT-FOR-US: LG mobile devices CVE-2020-12752 (An issue was discovered on Samsung mobile devices with P(9.0) and Q(10 ...) NOT-FOR-US: Samsung mobile devices CVE-2020-12751 (An issue was discovered on Samsung mobile devices with O(8.X), P(9.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2020-12750 (An issue was discovered on Samsung mobile devices with Q(10.0) softwar ...) NOT-FOR-US: Samsung mobile devices CVE-2020-12749 (An issue was discovered on Samsung mobile devices with P(9.0) (Exynos ...) NOT-FOR-US: Samsung mobile devices CVE-2020-12748 (An issue was discovered on Samsung mobile devices with Q(10.0) softwar ...) NOT-FOR-US: Samsung mobile devices CVE-2020-12747 (An issue was discovered on Samsung mobile devices with Q(10.0) (Exynos ...) NOT-FOR-US: Samsung mobile devices CVE-2020-12746 (An issue was discovered on Samsung mobile devices with O(8.X), P(9.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2020-12745 (An issue was discovered on Samsung mobile devices with Q(10.0) softwar ...) NOT-FOR-US: Samsung mobile devices CVE-2020-12744 RESERVED CVE-2020-12743 (An issue was discovered in Gazie 7.32. A successful installation does ...) NOT-FOR-US: Gazie CVE-2020-12742 (The iubenda-cookie-law-solution plugin before 2.3.5 for WordPress does ...) NOT-FOR-US: iubenda-cookie-law-solution plugin for WordPress CVE-2020-12741 RESERVED CVE-2020-12740 (tcprewrite in Tcpreplay through 4.3.2 has a heap-based buffer over-rea ...) - tcpreplay (unimportant) [jessie] - tcpreplay (Vulnerable code added later) NOTE: https://github.com/appneta/tcpreplay/issues/576 NOTE: https://github.com/appneta/tcpreplay/pull/590 NOTE: Fixed with: https://github.com/appneta/tcpreplay/issues/578 NOTE: --fuzz-seed in PoC not present until version 4.2.0 NOTE: Crash in CLI tool, no security impact CVE-2020-12739 RESERVED CVE-2020-12738 RESERVED CVE-2020-12737 (An issue was discovered in Maxum Rumpus before 8.2.12 on macOS. Authen ...) NOT-FOR-US: Maxum Rumpus CVE-2020-12736 (Code42 environments with on-premises server versions 7.0.4 and earlier ...) NOT-FOR-US: Code42 CVE-2020-12735 (reset.php in DomainMOD 4.13.0 uses insufficient entropy for password r ...) NOT-FOR-US: DomainMOD CVE-2020-12734 RESERVED CVE-2020-12733 RESERVED CVE-2020-12732 RESERVED CVE-2020-12731 RESERVED CVE-2020-12730 RESERVED CVE-2020-12729 RESERVED CVE-2020-12728 RESERVED CVE-2020-12727 RESERVED CVE-2020-12726 RESERVED CVE-2020-12725 (Havoc Research discovered an authenticated Server-Side Request Forgery ...) NOT-FOR-US: Redash CVE-2020-12724 RESERVED CVE-2020-12723 (regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted ...) - perl 5.30.3-1 (bug #962005) [buster] - perl (Minor issue) [stretch] - perl (Minor issue) NOTE: https://github.com/perl/perl5/commit/66bbb51b93253a3f87d11c2695cfb7bdb782184a (v5.30.3) CVE-2020-12722 RESERVED CVE-2020-12721 RESERVED CVE-2020-12720 (vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6 ...) NOT-FOR-US: vBulletin CVE-2020-12719 (XXE during an EventPublisher update can occur in Management Console in ...) NOT-FOR-US: WSO2 CVE-2020-12718 (In administration/comments.php in PHP-Fusion 9.03.50, an authenticated ...) NOT-FOR-US: PHP-Fusion CVE-2020-12717 (The COVIDSafe (Australia) app 1.0 and 1.1 for iOS allows a remote atta ...) NOT-FOR-US: COVIDSafe (Australia) app CVE-2020-12716 RESERVED CVE-2020-12715 RESERVED CVE-2020-12714 (An issue was discovered in CipherMail Community Gateway Virtual Applia ...) NOT-FOR-US: CipherMail CVE-2020-12713 (An issue was discovered in CipherMail Community Gateway and Profession ...) NOT-FOR-US: CipherMail CVE-2020-12712 (A vulnerability based on insecure user/password encryption in the JOE ...) NOT-FOR-US: SOS JobScheduler CVE-2020-12711 RESERVED CVE-2020-12710 RESERVED CVE-2020-12709 RESERVED CVE-2020-12708 (Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 al ...) NOT-FOR-US: PHP-Fusion CVE-2020-12707 (An XSS vulnerability exists in modules/wysiwyg/save.php of LeptonCMS 4 ...) NOT-FOR-US: LeptonCMS CVE-2020-12706 (Multiple Cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 al ...) NOT-FOR-US: PHP-Fusion CVE-2020-12705 (Multiple cross-site scripting (XSS) vulnerabilities exist in LeptonCMS ...) NOT-FOR-US: LeptonCMS CVE-2020-12704 (UliCMS before 2020.2 has PageController stored XSS. ...) NOT-FOR-US: UliCMS CVE-2020-12703 (UliCMS before 2020.2 has XSS during PackageController uninstall. ...) NOT-FOR-US: UliCMS CVE-2020-12702 RESERVED CVE-2020-12701 RESERVED CVE-2020-12700 (The direct_mail extension through 5.2.3 for TYPO3 allows Information D ...) NOT-FOR-US: Typo3 extension CVE-2020-12699 (The direct_mail extension through 5.2.3 for TYPO3 has an Open Redirect ...) NOT-FOR-US: Typo3 extension CVE-2020-12698 (The direct_mail extension through 5.2.3 for TYPO3 has Broken Access Co ...) NOT-FOR-US: Typo3 extension CVE-2020-12697 (The direct_mail extension through 5.2.3 for TYPO3 allows Denial of Ser ...) NOT-FOR-US: Typo3 extension CVE-2020-12696 (The iframe plugin before 4.5 for WordPress does not sanitize a URL. ...) NOT-FOR-US: iframe plugin for WordPress CVE-2020-12695 (The Open Connectivity Foundation UPnP specification before 2020-04-17 ...) - wpa - gupnp 1.2.3-1 NOTE: https://w1.fi/security/2020-1/upnp-subscribe-misbehavior-wps-ap.txt NOTE: https://w1.fi/security/2020-1/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch NOTE: https://w1.fi/security/2020-1/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch NOTE: https://w1.fi/security/2020-1/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch TODO: for gupnp, there are partial fixes, check CVE-2020-12694 RESERVED CVE-2020-12693 (Slurm 19.05.x before 19.05.7 and 20.02.x before 20.02.3, in the rare c ...) - slurm-llnl (bug #961406) [buster] - slurm-llnl (Minor issue) [stretch] - slurm-llnl (Minor issue) [jessie] - slurm-llnl (Message Aggregation added in 14.11) NOTE: https://www.schedmd.com/news.php?id=236 NOTE: https://lists.schedmd.com/pipermail/slurm-announce/2020/000036.html NOTE: Issue affects systems with Message Aggregation enabled CVE-2020-12688 RESERVED CVE-2020-12687 (An issue was discovered in Serpico before 1.3.3. The /admin/attacments ...) NOT-FOR-US: Serpico CVE-2020-12686 RESERVED CVE-2020-12685 (XSS in the admin help system admin/help.html and admin/quicklinks.html ...) NOT-FOR-US: Interchange CVE-2020-12684 RESERVED CVE-2020-12683 (Katyshop2 before 2.12 has multiple stored XSS issues. ...) NOT-FOR-US: Katyshop2 CVE-2020-12682 RESERVED CVE-2020-12681 RESERVED CVE-2020-12680 (** DISPUTED ** Avira Free Antivirus through 15.0.2005.1866 allows loca ...) NOT-FOR-US: Avira Free Antivirus CVE-2020-12679 (A reflected cross-site scripting (XSS) vulnerability in the Mitel Shor ...) NOT-FOR-US: Mitel CVE-2020-12678 REJECTED CVE-2020-12677 (An issue was discovered in Progress MOVEit Automation Web Admin. A Web ...) NOT-FOR-US: Progress MOVEit Automation Web Admin CVE-2020-12676 RESERVED CVE-2020-12675 (The mappress-google-maps-for-wordpress plugin before 2.54.6 for WordPr ...) NOT-FOR-US: mappress-google-maps-for-wordpress plugin for WordPress CVE-2020-12692 (An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0. ...) {DSA-4679-1} - keystone 2:17.0.0~rc2-1 (bug #959900) [stretch] - keystone (Not supported in stretch LTS) [jessie] - keystone (Not supported in Jessie LTS) NOTE: https://bugs.launchpad.net/keystone/+bug/1872737 NOTE: https://www.openwall.com/lists/oss-security/2020/05/06/4 CVE-2020-12691 (An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0. ...) {DSA-4679-1} - keystone 2:17.0.0~rc2-1 (bug #959900) [stretch] - keystone (Not supported in stretch LTS) [jessie] - keystone (Not supported in Jessie LTS) NOTE: https://bugs.launchpad.net/keystone/+bug/1872733 NOTE: https://www.openwall.com/lists/oss-security/2020/05/06/5 CVE-2020-12690 (An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0. ...) {DSA-4679-1} - keystone 2:17.0.0~rc2-1 (bug #959900) [stretch] - keystone (Not supported in stretch LTS) [jessie] - keystone (Not supported in Jessie LTS) NOTE: https://bugs.launchpad.net/keystone/+bug/1873290 NOTE: https://www.openwall.com/lists/oss-security/2020/05/06/6 CVE-2020-12674 RESERVED CVE-2020-12673 RESERVED CVE-2020-12689 (An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0. ...) {DSA-4679-1} - keystone 2:17.0.0~rc2-1 (bug #959900) [stretch] - keystone (Not supported in stretch LTS) [jessie] - keystone (Not supported in Jessie) NOTE: https://bugs.launchpad.net/keystone/+bug/1872735 NOTE: https://www.openwall.com/lists/oss-security/2020/05/06/5 CVE-2020-12672 (GraphicsMagick through 1.3.35 has a heap-based buffer overflow in Read ...) {DLA-2236-1} - graphicsmagick 1.4+really1.3.35-2 (bug #960000) [buster] - graphicsmagick (Minor issue; can be fixed along in future DSA) [stretch] - graphicsmagick (Minor issue; can be fixed along in future DSA) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19025 NOTE: Fixed by: https://sourceforge.net/p/graphicsmagick/code/ci/50395430a37188d0d197e71bd85ed6dd0f649ee3/ CVE-2020-12671 RESERVED CVE-2020-12670 RESERVED CVE-2020-12669 (core/get_menudiv.php in Dolibarr before 11.0.4 allows remote authentic ...) - dolibarr CVE-2020-12668 RESERVED CVE-2020-12667 (Knot Resolver before 5.1.1 allows traffic amplification via a crafted ...) - knot-resolver 5.1.1-0.1 (bug #961076) NOTE: https://en.blog.nic.cz/2020/05/19/nxnsattack-upgrade-resolvers-to-stop-new-kind-of-random-subdomain-attack/ NOTE: commit: https://gitlab.labs.nic.cz/knot/knot-resolver/-/commit/54f05e4d7b2e47c0bdd30b84272fc503cc65304b NOTE: commit: https://gitlab.labs.nic.cz/knot/knot-resolver/-/commit/ba7b89db780fe3884b4e90090318e25ee5afb118 CVE-2020-12666 (macaron before 1.3.7 has an open redirect in the static handler, as de ...) NOT-FOR-US: macaron CVE-2020-12665 RESERVED CVE-2020-12664 RESERVED CVE-2020-12663 (Unbound before 1.10.1 has an infinite loop via malformed DNS answers r ...) {DSA-4694-1} - unbound 1.10.1-1 [stretch] - unbound (No longer supported, see DSA 4694) [jessie] - unbound (No longer supported) NOTE: https://nlnetlabs.nl/downloads/unbound/CVE-2020-12662_2020-12663.txt NOTE: Patch: https://nlnetlabs.nl/downloads/unbound/patch_cve_2020-12662_2020-12663.diff CVE-2020-12662 (Unbound before 1.10.1 has Insufficient Control of Network Message Volu ...) {DSA-4694-1} - unbound 1.10.1-1 [stretch] - unbound (No longer supported, see DSA 4694) [jessie] - unbound (No longer supported) NOTE: https://nlnetlabs.nl/downloads/unbound/CVE-2020-12662_2020-12663.txt NOTE: Patch: https://nlnetlabs.nl/downloads/unbound/patch_cve_2020-12662_2020-12663.diff CVE-2017-18867 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) NOT-FOR-US: Netgear CVE-2017-18866 (Certain NETGEAR devices are affected by stored XSS. This affects R9000 ...) NOT-FOR-US: Netgear CVE-2017-18865 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2017-18864 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...) NOT-FOR-US: Netgear CVE-2020-12661 RESERVED CVE-2020-12660 RESERVED CVE-2020-12659 (An issue was discovered in the Linux kernel before 5.6.7. xdp_umem_reg ...) - linux 5.6.7-1 [buster] - linux 4.19.118-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/99e3a236dd43d06c65af0a2ef9cb44306aef6e02 (5.7-rc2) CVE-2020-12658 RESERVED CVE-2020-12657 (An issue was discovered in the Linux kernel before 5.6.5. There is a u ...) - linux 5.6.7-1 [buster] - linux 4.19.118-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9 (5.7-rc1) CVE-2020-12656 (** DISPUTED ** gss_mech_free in net/sunrpc/auth_gss/gss_mech_switch.c ...) - linux (unimportant) NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=206651 NOTE: Issue is triggered only at module reloading / rebinding CVE-2020-12655 (An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c ...) - linux 5.6.14-1 NOTE: https://git.kernel.org/linus/d0c7feaf87678371c2c09b3709400be416b2dc62 (5.7-rc1) CVE-2020-12654 (An issue was found in Linux kernel before 5.5.4. mwifiex_ret_wmm_get_s ...) {DSA-4698-1 DLA-2242-1 DLA-2241-1} - linux 5.5.13-1 [buster] - linux 4.19.118-1 NOTE: https://git.kernel.org/linus/3a9b153c5591548612c3955c9600a98150c81875 (5.6-rc1) CVE-2020-12653 (An issue was found in Linux kernel before 5.5.4. The mwifiex_cmd_appen ...) {DSA-4698-1 DLA-2242-1 DLA-2241-1} - linux 5.5.13-1 [buster] - linux 4.19.118-1 NOTE: https://git.kernel.org/linus/b70261a288ea4d2f4ac7cd04be08a9f0f2de4f4d (5.6-rc1) CVE-2020-12652 (The __mptctl_ioctl function in drivers/message/fusion/mptctl.c in the ...) {DSA-4698-1 DLA-2242-1 DLA-2241-1} - linux 5.4.19-1 [buster] - linux 4.19.98-1 NOTE: https://git.kernel.org/linus/28d76df18f0ad5bcf5fa48510b225f0ed262a99b (5.5-rc7) CVE-2020-12651 (SecureCRT before 8.7.2 allows remote attackers to execute arbitrary co ...) NOT-FOR-US: SecureCRT CVE-2020-12650 REJECTED CVE-2020-12649 (Gurbalib through 2020-04-30 allows lib/cmds/player/help.c directory tr ...) NOT-FOR-US: Gurbalib CVE-2020-12648 RESERVED CVE-2020-12647 (Unisys ALGOL Compiler 58.1 before 58.1a.15, 59.1 before 59.1a.9, and 6 ...) NOT-FOR-US: Unisys ALGOL Compiler CVE-2020-12646 RESERVED CVE-2020-12645 RESERVED CVE-2020-12644 RESERVED CVE-2020-12643 RESERVED CVE-2020-12642 (An issue was discovered in service-api before 4.3.12 and 5.x before 5. ...) NOT-FOR-US: Report Portal CVE-2020-12641 (rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to ...) - roundcube 1.4.4+dfsg.1-1 (unimportant) [buster] - roundcube 1.3.11+dfsg.1-1~deb10u1 NOTE: https://github.com/roundcube/roundcubemail/commit/fcfb099477f353373c34c8a65c9035b06b364db3 NOTE: https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10 CVE-2020-12640 (Roundcube Webmail before 1.4.4 allows attackers to include local files ...) - roundcube 1.4.4+dfsg.1-1 (unimportant) [buster] - roundcube 1.3.11+dfsg.1-1~deb10u1 NOTE: https://github.com/roundcube/roundcubemail/commit/814eadb699e8576ce3a78f21e95bf69a7c7b3794 NOTE: https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10 CVE-2020-12639 (phpList before 3.5.3 allows XSS, with resultant privilege elevation, v ...) - phplist (bug #612288) CVE-2020-12638 RESERVED CVE-2020-12637 (Zulip Desktop before 5.2.0 has Missing SSL Certificate Validation beca ...) NOT-FOR-US: Zulip Desktop CVE-2018-21233 (TensorFlow before 1.7.0 has an integer overflow that causes an out-of- ...) - tensorflow (bug #804612) CVE-2020-12636 RESERVED CVE-2020-12635 (XSS exists in the WebForms Pro M2 extension before 2.9.17 for Magento ...) NOT-FOR-US: WebForms Pro M2 extension for Magento CVE-2020-12634 RESERVED CVE-2020-12633 RESERVED CVE-2020-12632 RESERVED CVE-2020-12631 RESERVED CVE-2020-12630 RESERVED CVE-2020-12629 (include/class.sla.php in osTicket before 1.14.2 allows XSS via the SLA ...) NOT-FOR-US: osTicket CVE-2020-12628 RESERVED CVE-2020-12627 (Calibre-Web 0.6.6 allows authentication bypass because of the 'A0Zr98j ...) NOT-FOR-US: Calibre-Web CVE-2020-12624 (The League application before 2020-05-02 on Android sends a bearer tok ...) NOT-FOR-US: League CVE-2020-12623 RESERVED CVE-2020-12622 RESERVED CVE-2020-12621 RESERVED CVE-2020-12620 RESERVED CVE-2020-12619 RESERVED CVE-2020-12618 RESERVED CVE-2020-12617 RESERVED CVE-2020-12616 RESERVED CVE-2020-12615 RESERVED CVE-2020-12614 RESERVED CVE-2020-12613 RESERVED CVE-2020-12612 RESERVED CVE-2020-12611 RESERVED CVE-2020-12610 RESERVED CVE-2020-12609 RESERVED CVE-2020-12608 (An issue was discovered in SolarWinds MSP PME (Patch Management Engine ...) NOT-FOR-US: SolarWinds CVE-2020-12607 (An issue was discovered in fastecdsa before 2.1.2. When using the NIST ...) NOT-FOR-US: fastecdsa CVE-2020-12606 RESERVED CVE-2020-12605 (Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may consume excessive ...) NOT-FOR-US: envoy proxy (not the same as itp'ed envoy, #758651) CVE-2020-12604 (Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier is susceptible to incr ...) NOT-FOR-US: envoy proxy (not the same as itp'ed envoy, #758651) CVE-2020-12603 (Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may consume excessive ...) NOT-FOR-US: envoy proxy (not the same as itp'ed envoy, #758651) CVE-2020-12602 RESERVED CVE-2020-12601 RESERVED CVE-2020-12600 RESERVED CVE-2020-12599 RESERVED CVE-2020-12598 RESERVED CVE-2020-12597 RESERVED CVE-2020-12596 RESERVED CVE-2020-12595 RESERVED CVE-2020-12594 RESERVED CVE-2020-12593 RESERVED CVE-2020-12592 RESERVED CVE-2020-12591 RESERVED CVE-2020-12590 RESERVED CVE-2020-12589 RESERVED CVE-2020-12588 RESERVED CVE-2020-12587 RESERVED CVE-2020-12586 RESERVED CVE-2020-12585 RESERVED CVE-2020-12584 RESERVED CVE-2020-12583 RESERVED CVE-2020-12582 RESERVED CVE-2020-12581 RESERVED CVE-2020-12580 RESERVED CVE-2020-12579 RESERVED CVE-2020-12578 RESERVED CVE-2020-12577 RESERVED CVE-2020-12576 RESERVED CVE-2020-12575 RESERVED CVE-2020-12574 RESERVED CVE-2020-12573 RESERVED CVE-2020-12572 RESERVED CVE-2020-12571 RESERVED CVE-2020-12570 RESERVED CVE-2020-12569 RESERVED CVE-2020-12568 RESERVED CVE-2020-12567 RESERVED CVE-2020-12566 RESERVED CVE-2020-12565 RESERVED CVE-2020-12564 RESERVED CVE-2020-12563 RESERVED CVE-2020-12562 RESERVED CVE-2020-12561 RESERVED CVE-2020-12560 RESERVED CVE-2020-12559 RESERVED CVE-2020-12558 RESERVED CVE-2020-12557 RESERVED CVE-2020-12556 RESERVED CVE-2020-12555 RESERVED CVE-2020-12554 RESERVED CVE-2020-12553 RESERVED CVE-2020-12552 RESERVED CVE-2020-12551 RESERVED CVE-2020-12550 RESERVED CVE-2020-12549 RESERVED CVE-2020-12548 RESERVED CVE-2020-12547 RESERVED CVE-2020-12546 RESERVED CVE-2020-12545 RESERVED CVE-2020-12544 RESERVED CVE-2020-12543 RESERVED CVE-2020-12542 RESERVED CVE-2020-12541 RESERVED CVE-2020-12540 RESERVED CVE-2020-12539 RESERVED CVE-2020-12538 RESERVED CVE-2020-12537 RESERVED CVE-2020-12536 RESERVED CVE-2020-12535 RESERVED CVE-2020-12534 RESERVED CVE-2020-12533 RESERVED CVE-2020-12532 RESERVED CVE-2020-12531 RESERVED CVE-2020-12530 RESERVED CVE-2020-12529 RESERVED CVE-2020-12528 RESERVED CVE-2020-12527 RESERVED CVE-2020-12526 RESERVED CVE-2020-12525 RESERVED CVE-2020-12524 RESERVED CVE-2020-12523 RESERVED CVE-2020-12522 RESERVED CVE-2020-12521 RESERVED CVE-2020-12520 RESERVED CVE-2020-12519 RESERVED CVE-2020-12518 RESERVED CVE-2020-12517 RESERVED CVE-2020-12516 RESERVED CVE-2020-12515 RESERVED CVE-2020-12514 RESERVED CVE-2020-12513 RESERVED CVE-2020-12512 RESERVED CVE-2020-12511 RESERVED CVE-2020-12510 RESERVED CVE-2020-12509 RESERVED CVE-2020-12508 RESERVED CVE-2020-12507 RESERVED CVE-2020-12506 RESERVED CVE-2020-12505 RESERVED CVE-2020-12504 RESERVED CVE-2020-12503 RESERVED CVE-2020-12502 RESERVED CVE-2020-12501 RESERVED CVE-2020-12500 RESERVED CVE-2020-12499 RESERVED CVE-2020-12498 (mwe file parsing in Phoenix Contact PC Worx and PC Worx Express versio ...) NOT-FOR-US: Phoenix CVE-2020-12497 (PLCopen XML file parsing in Phoenix Contact PC Worx and PC Worx Expres ...) NOT-FOR-US: Phoenix CVE-2020-12496 RESERVED CVE-2020-12495 RESERVED CVE-2020-12494 (Beckhoff's TwinCAT RT network driver for Intel 8254x and 8255x is prov ...) NOT-FOR-US: Beckhoff CVE-2020-12493 (An open port used for debugging in SWARCOs CPU LS4000 Series with vers ...) NOT-FOR-US: SWARCOs CPU LS4000 Series CVE-2020-12492 RESERVED CVE-2020-12491 RESERVED CVE-2020-12490 RESERVED CVE-2020-12489 RESERVED CVE-2020-12488 RESERVED CVE-2020-12487 RESERVED CVE-2020-12486 RESERVED CVE-2020-12485 RESERVED CVE-2020-12484 RESERVED CVE-2020-12483 RESERVED CVE-2020-12482 RESERVED CVE-2020-12481 RESERVED CVE-2020-12480 RESERVED CVE-2020-12479 (TeamPass 2.1.27.36 allows any authenticated TeamPass user to trigger a ...) - teampass (bug #730180) CVE-2020-12478 (TeamPass 2.1.27.36 allows an unauthenticated attacker to retrieve file ...) - teampass (bug #730180) CVE-2020-12477 (The REST API functions in TeamPass 2.1.27.36 allow any user with a val ...) - teampass (bug #730180) CVE-2020-12476 RESERVED CVE-2020-12475 (TP-Link Omada Controller Software 3.2.6 allows Directory Traversal for ...) NOT-FOR-US: TP-Link CVE-2020-12474 (Telegram Desktop through 2.0.1, Telegram through 6.0.1 for Android, an ...) - telegram-desktop 2.1.0+ds-1 [buster] - telegram-desktop (Minor issue) NOTE: https://github.com/VijayT007/Vulnerability-Database/blob/master/Telegram:CVE-2020-12474 CVE-2020-12473 (MonoX through 5.1.40.5152 allows admins to execute arbitrary programs ...) NOT-FOR-US: MonoX CVE-2020-12472 (MonoX through 5.1.40.5152 allows stored XSS via User Status, Blog Comm ...) NOT-FOR-US: MonoX CVE-2020-12471 (MonoX through 5.1.40.5152 allows remote code execution via HTML5Upload ...) NOT-FOR-US: MonoX CVE-2020-12470 (MonoX through 5.1.40.5152 allows administrators to execute arbitrary c ...) NOT-FOR-US: MonoX CVE-2020-12469 (admin/blocks.php in Subrion CMS through 4.2.1 allows PHP Object Inject ...) NOT-FOR-US: Subrion CMS CVE-2020-12468 (Subrion CMS 4.2.1 allows CSV injection via a phrase value within a lan ...) NOT-FOR-US: Subrion CMS CVE-2020-12467 (Subrion CMS 4.2.1 allows session fixation via an alphanumeric value in ...) NOT-FOR-US: Subrion CMS CVE-2019-20793 RESERVED CVE-2016-11061 (Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, 59XX, 59XXi, 6655, 6655i, 7 ...) NOT-FOR-US: Xerox CVE-2020-12626 (An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF atta ...) {DSA-4674-1} - roundcube 1.4.4+dfsg.1-1 (bug #959142) NOTE: https://github.com/roundcube/roundcubemail/pull/7302 NOTE: 1.4.x: https://github.com/roundcube/roundcubemail/commit/9bbda422ff0b782b81de59c86994f1a5fd93f8e6 NOTE: 1.3.x: https://github.com/roundcube/roundcubemail/commit/1e7bec9cb868fa32b05acf6b0a557a6311350c56 NOTE: 1.2.x: https://github.com/roundcube/roundcubemail/commit/cceeff2472c00acb2c6b96c9df7a289f1db77713 CVE-2020-12625 (An issue was discovered in Roundcube Webmail before 1.4.4. There is a ...) {DSA-4674-1} - roundcube 1.4.4+dfsg.1-1 (bug #959140) NOTE: 1.4.x: https://github.com/roundcube/roundcubemail/commit/87e4cd0cf2c550e77586860b94e5c75d2b7686d0 NOTE: 1.3.x: https://github.com/roundcube/roundcubemail/commit/23c06159ae8c6f500336e3075820e648aa6f40a4 NOTE: 1.2.x: https://github.com/roundcube/roundcubemail/commit/4312dc4efecb9553fcacfab0ab9d9ee6e88477e7 CVE-2020-12466 RESERVED CVE-2020-12465 (An array overflow was discovered in mt76_add_fragment in drivers/net/w ...) - linux 5.5.13-1 [buster] - linux 4.19.118-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/b102f0c522cf668c8382c56a4f771b37d011cda2 (5.6-rc6) CVE-2020-12464 (usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before ...) {DSA-4699-1 DSA-4698-1 DLA-2242-1 DLA-2241-1} - linux 5.6.14-1 NOTE: https://git.kernel.org/linus/056ad39ee9253873522f6469c3364964a322912b (5.7-rc3) CVE-2020-12463 (An elevation of privilege vulnerability exists in Avira Software Updat ...) NOT-FOR-US: Avira CVE-2020-12462 (The ninja-forms plugin before 3.4.24.2 for WordPress allows CSRF with ...) NOT-FOR-US: ninja-forms plugin for WordPress CVE-2020-12461 (PHP-Fusion 9.03.50 allows SQL Injection because maincore.php has an in ...) NOT-FOR-US: PHP-Fusion CVE-2020-12460 RESERVED CVE-2020-12459 (In certain Red Hat packages for Grafana 6.x through 6.3.6, the configu ...) NOT-FOR-US: Grafana as shipped in Red Hat CVE-2020-12458 (An information-disclosure flaw was found in Grafana through 6.7.3. The ...) - grafana NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1827765 NOTE: https://github.com/grafana/grafana/issues/8283 CVE-2020-12457 RESERVED CVE-2020-12456 RESERVED CVE-2020-12455 RESERVED CVE-2020-12454 RESERVED CVE-2020-12453 RESERVED CVE-2020-12452 RESERVED CVE-2020-12451 RESERVED CVE-2020-12450 RESERVED CVE-2020-12449 RESERVED CVE-2020-12448 (GitLab EE 12.8 and later allows Exposure of Sensitive Information to a ...) - gitlab (Only affects GitLab EE 12.8 and later) NOTE: https://about.gitlab.com/releases/2020/04/30/security-release-12-10-2-released/ CVE-2020-12447 (A Local File Inclusion (LFI) issue on Onkyo TX-NR585 1000-0000-000-000 ...) NOT-FOR-US: Onkyo CVE-2020-12446 (The ene.sys driver in G.SKILL Trident Z Lighting Control through 1.00. ...) NOT-FOR-US: G.SKILL Trident Z Lighting Control CVE-2020-12445 RESERVED CVE-2020-12444 RESERVED CVE-2020-12443 (BigBlueButton before 2.2.6 allows remote attackers to read arbitrary f ...) NOT-FOR-US: BigBlueButton CVE-2020-12442 (Ivanti Avalanche 6.3 allows a SQL injection that is vaguely associated ...) NOT-FOR-US: Ivanti CVE-2020-12441 RESERVED CVE-2020-12440 REJECTED CVE-2020-12439 (Grin before 3.1.0 allows attackers to adversely affect availability of ...) NOT-FOR-US: Grin CVE-2020-12438 (An XSS vulnerability exists in the banners.php page of PHP-Fusion 9.03 ...) NOT-FOR-US: PHP-Fusion CVE-2020-12437 RESERVED CVE-2020-12436 RESERVED CVE-2020-12435 RESERVED CVE-2020-12434 RESERVED CVE-2020-12433 RESERVED CVE-2020-12432 RESERVED CVE-2020-12431 (A Windows privilege change issue was discovered in Splashtop Software ...) NOT-FOR-US: Splashtop Software Updater CVE-2020-12430 (An issue was discovered in qemuDomainGetStatsIOThread in qemu/qemu_dri ...) [experimental] - libvirt 6.2.0-1 - libvirt (low; bug #959447) [buster] - libvirt (Minor issue) [stretch] - libvirt (Vulnerable code introduced later) [jessie] - libvirt (Vulnerable code introduced later) NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=9bf9e0ae6af38c806f4672ca7b12a6b38d5a9581 (v6.1.0-rc1) NOTE: Introduced in: https://libvirt.org/git/?p=libvirt.git;a=commit;h=d1eac92784573559b6fd56836e33b215c89308e3 (v4.10.0-rc1) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1804548 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1828190 CVE-2019-20792 (OpenSC before 0.20.0 has a double free in coolkey_free_private_data be ...) - opensc 0.20.0-1 (low) [buster] - opensc (Minor issue) [stretch] - opensc (Minor issue) [jessie] - opensc (Minor issue but can be worth fixing later) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19208 NOTE: https://github.com/OpenSC/OpenSC/commit/c246f6f69a749d4f68626b40795a4f69168008f4 CVE-2020-12429 (Online Course Registration 2.0 has multiple SQL injections that would ...) NOT-FOR-US: Online Course Registration CVE-2020-12428 RESERVED CVE-2020-12427 (The Western Digital WD Discovery application before 3.8.229 for MyClou ...) NOT-FOR-US: Western Digital CVE-2020-12426 RESERVED - firefox 78.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-24/#CVE-2020-12426 CVE-2020-12425 RESERVED - firefox 78.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-24/#CVE-2020-12425 CVE-2020-12424 RESERVED - firefox 78.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-24/#CVE-2020-12424 CVE-2020-12423 RESERVED - firefox (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-24/#CVE-2020-12423 CVE-2020-12422 RESERVED - firefox 78.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-24/#CVE-2020-12422 CVE-2020-12421 RESERVED {DSA-4718-1 DSA-4713-1} - firefox 78.0-1 - firefox-esr 68.10.0esr-1 - thunderbird 1:68.10.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-24/#CVE-2020-12421 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-25/#CVE-2020-12421 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-26/#CVE-2020-12421 CVE-2020-12420 RESERVED {DSA-4718-1 DSA-4713-1} - firefox 78.0-1 - firefox-esr 68.10.0esr-1 - thunderbird 1:68.10.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-24/#CVE-2020-12420 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-25/#CVE-2020-12420 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-26/#CVE-2020-12420 CVE-2020-12419 RESERVED {DSA-4718-1 DSA-4713-1} - firefox 78.0-1 - firefox-esr 68.10.0esr-1 - thunderbird 1:68.10.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-24/#CVE-2020-12419 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-25/#CVE-2020-12419 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-26/#CVE-2020-12419 CVE-2020-12418 RESERVED {DSA-4718-1 DSA-4713-1} - firefox 78.0-1 - firefox-esr 68.10.0esr-1 - thunderbird 1:68.10.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-24/#CVE-2020-12418 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-25/#CVE-2020-12418 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-26/#CVE-2020-12418 CVE-2020-12417 RESERVED {DSA-4718-1 DSA-4713-1} - firefox 78.0-1 - firefox-esr 68.10.0esr-1 - thunderbird 1:68.10.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-24/#CVE-2020-12417 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-25/#CVE-2020-12417 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-26/#CVE-2020-12417 CVE-2020-12416 RESERVED - firefox 78.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-24/#CVE-2020-12416 CVE-2020-12415 RESERVED - firefox 78.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-24/#CVE-2020-12415 CVE-2020-12414 RESERVED CVE-2020-12413 RESERVED CVE-2020-12412 RESERVED CVE-2020-12411 RESERVED - firefox 77.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-20/#CVE-2020-12411 CVE-2020-12410 RESERVED {DSA-4702-1 DSA-4695-1 DLA-2247-1 DLA-2243-1} - firefox 77.0-1 - firefox-esr 68.9.0esr-1 - thunderbird 1:68.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-20/#CVE-2020-12410 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-21/#CVE-2020-12410 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-22/#CVE-2020-12410 CVE-2020-12409 RESERVED - firefox 77.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-20/#CVE-2020-12409 CVE-2020-12408 RESERVED - firefox 77.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-20/#CVE-2020-12408 CVE-2020-12407 RESERVED - firefox 77.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-20/#CVE-2020-12407 CVE-2020-12406 RESERVED {DSA-4702-1 DSA-4695-1 DLA-2247-1 DLA-2243-1} - firefox 77.0-1 - firefox-esr 68.9.0esr-1 - thunderbird 1:68.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-20/#CVE-2020-12406 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-21/#CVE-2020-12406 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-22/#CVE-2020-12406 CVE-2020-12405 RESERVED {DSA-4702-1 DSA-4695-1 DLA-2247-1 DLA-2243-1} - firefox 77.0-1 - firefox-esr 68.9.0esr-1 - thunderbird 1:68.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-20/#CVE-2020-12405 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-21/#CVE-2020-12405 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-22/#CVE-2020-12405 CVE-2020-12404 RESERVED CVE-2020-12403 RESERVED CVE-2020-12402 [Side channel vulnerabilities during RSA key generation] RESERVED {DLA-2266-1} - nss 2:3.53.1-1 (bug #963152) NOTE: https://hg.mozilla.org/projects/nss/rev/699541a7793bbe9b20f1d73dc49e25c6054aa4c1 NOTE: Fixed upstream in 3.53.1 CVE-2020-12401 RESERVED CVE-2020-12400 RESERVED CVE-2020-12399 [Force a fixed length for DSA exponentiation] RESERVED {DSA-4702-1 DSA-4695-1 DLA-2266-1 DLA-2247-1 DLA-2243-1} - firefox 77.0-1 - firefox-esr 68.9.0esr-1 - nss 2:3.53-1 (bug #961752) - thunderbird 1:68.9.0-1 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1631576 (non-public) NOTE: Fixed by: https://hg.mozilla.org/projects/nss/rev/daa823a4a29bcef0fec33a379ec83857429aea2e NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-20/#CVE-2020-12399 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-21/#CVE-2020-12399 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-22/#CVE-2020-12399 CVE-2020-12398 RESERVED {DSA-4702-1 DLA-2247-1} - thunderbird 1:68.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-22/#CVE-2020-12398 CVE-2020-12397 (By encoding Unicode whitespace characters within the From email header ...) {DSA-4683-1 DLA-2206-1} - thunderbird 1:68.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-18/#CVE-2020-12397 CVE-2020-12396 (Mozilla developers and community members reported memory safety bugs p ...) - firefox 76.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-16/#CVE-2020-12396 CVE-2020-12395 (Mozilla developers and community members reported memory safety bugs p ...) {DSA-4683-1 DSA-4678-1 DLA-2206-1 DLA-2205-1} - firefox 76.0-1 - firefox-esr 68.8.0esr-1 - thunderbird 1:68.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-16/#CVE-2020-12395 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-17/#CVE-2020-12395 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-18/#CVE-2020-12395 CVE-2020-12394 (A logic flaw in our location bar implementation could have allowed a l ...) - firefox 76.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-16/#CVE-2020-12394 CVE-2020-12393 (The 'Copy as cURL' feature of Devtools' network tab did not properly e ...) - firefox (Only affects Windows) - firefox-esr (Only affects Windows) - thunderbird (Only affects Windows) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-16/#CVE-2020-12393 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-17/#CVE-2020-12393 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-18/#CVE-2020-12393 CVE-2020-12392 (The 'Copy as cURL' feature of Devtools' network tab did not properly e ...) {DSA-4683-1 DSA-4678-1 DLA-2206-1 DLA-2205-1} - firefox 76.0-1 - firefox-esr 68.8.0esr-1 - thunderbird 1:68.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-16/#CVE-2020-12392 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-17/#CVE-2020-12392 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-18/#CVE-2020-12392 CVE-2020-12391 (Documents formed using data: URLs in an OBJECT element failed to inher ...) - firefox 76.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-16/#CVE-2020-12391 CVE-2020-12390 (Incorrect origin serialization of URLs with IPv6 addresses could lead ...) - firefox 76.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-16/#CVE-2020-12390 CVE-2020-12389 (The Firefox content processes did not sufficiently lockdown access con ...) - firefox (Only affects Windows) - firefox-esr (Only affects Windows) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-16/#CVE-2020-12389 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-17/#CVE-2020-12389 CVE-2020-12388 (The Firefox content processes did not sufficiently lockdown access con ...) - firefox (Only affects Windows) - firefox-esr (Only affects Windows) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-16/#CVE-2020-12388 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-17/#CVE-2020-12388 CVE-2020-12387 (A race condition when running shutdown code for Web Worker led to a us ...) {DSA-4683-1 DSA-4678-1 DLA-2206-1 DLA-2205-1} - firefox 76.0-1 - firefox-esr 68.8.0esr-1 - thunderbird 1:68.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-16/#CVE-2020-12387 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-17/#CVE-2020-12387 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-18/#CVE-2020-12387 CVE-2020-12386 RESERVED CVE-2020-12385 RESERVED CVE-2020-12384 RESERVED CVE-2020-12383 RESERVED CVE-2020-12382 RESERVED CVE-2020-12381 RESERVED CVE-2020-12380 RESERVED CVE-2020-12379 RESERVED CVE-2020-12378 RESERVED CVE-2020-12377 RESERVED CVE-2020-12376 RESERVED CVE-2020-12375 RESERVED CVE-2020-12374 RESERVED CVE-2020-12373 RESERVED CVE-2020-12372 RESERVED CVE-2020-12371 RESERVED CVE-2020-12370 RESERVED CVE-2020-12369 RESERVED CVE-2020-12368 RESERVED CVE-2020-12367 RESERVED CVE-2020-12366 RESERVED CVE-2020-12365 RESERVED CVE-2020-12364 RESERVED CVE-2020-12363 RESERVED CVE-2020-12362 RESERVED CVE-2020-12361 RESERVED CVE-2020-12360 RESERVED CVE-2020-12359 RESERVED CVE-2020-12358 RESERVED CVE-2020-12357 RESERVED CVE-2020-12356 RESERVED CVE-2020-12355 RESERVED CVE-2020-12354 RESERVED CVE-2020-12353 RESERVED CVE-2020-12352 RESERVED CVE-2020-12351 RESERVED CVE-2020-12350 RESERVED CVE-2020-12349 RESERVED CVE-2020-12348 RESERVED CVE-2020-12347 RESERVED CVE-2020-12346 RESERVED CVE-2020-12345 RESERVED CVE-2020-12344 RESERVED CVE-2020-12343 RESERVED CVE-2020-12342 RESERVED CVE-2020-12341 RESERVED CVE-2020-12340 RESERVED CVE-2020-12339 RESERVED CVE-2020-12338 RESERVED CVE-2020-12337 RESERVED CVE-2020-12336 RESERVED CVE-2020-12335 RESERVED CVE-2020-12334 RESERVED CVE-2020-12333 RESERVED CVE-2020-12332 RESERVED CVE-2020-12331 RESERVED CVE-2020-12330 RESERVED CVE-2020-12329 RESERVED CVE-2020-12328 RESERVED CVE-2020-12327 RESERVED CVE-2020-12326 RESERVED CVE-2020-12325 RESERVED CVE-2020-12324 RESERVED CVE-2020-12323 RESERVED CVE-2020-12322 RESERVED CVE-2020-12321 RESERVED CVE-2020-12320 RESERVED CVE-2020-12319 RESERVED CVE-2020-12318 RESERVED CVE-2020-12317 RESERVED CVE-2020-12316 RESERVED CVE-2020-12315 RESERVED CVE-2020-12314 RESERVED CVE-2020-12313 RESERVED CVE-2020-12312 RESERVED CVE-2020-12311 RESERVED CVE-2020-12310 RESERVED CVE-2020-12309 RESERVED CVE-2020-12308 RESERVED CVE-2020-12307 RESERVED CVE-2020-12306 RESERVED CVE-2020-12305 RESERVED CVE-2020-12304 RESERVED CVE-2020-12303 RESERVED CVE-2020-12302 RESERVED CVE-2020-12301 RESERVED CVE-2020-12300 RESERVED CVE-2020-12299 RESERVED CVE-2020-12298 RESERVED CVE-2020-12297 RESERVED CVE-2020-12296 RESERVED CVE-2020-12295 RESERVED CVE-2020-12294 RESERVED CVE-2020-12293 RESERVED CVE-2020-12292 RESERVED CVE-2020-12291 RESERVED CVE-2020-12290 RESERVED CVE-2020-12289 RESERVED CVE-2020-12288 RESERVED CVE-2020-12287 RESERVED CVE-2019-20791 (OpenThread before 2019-12-13 has a stack-based buffer overflow in Mesh ...) NOT-FOR-US: OpenThread CVE-2018-21232 (re2c before 2.0 has uncontrolled recursion that causes stack consumpti ...) - re2c [buster] - re2c (Minor issue) [stretch] - re2c (Minor issue) [jessie] - re2c (Minor issue) NOTE: https://github.com/skvadrik/re2c/issues/219 NOTE: https://www.openwall.com/lists/oss-security/2020/04/27/2 CVE-2020-12286 (In Octopus Deploy before 2019.12.9 and 2020 before 2020.1.12, the Task ...) NOT-FOR-US: Octopus Deploy CVE-2020-12285 RESERVED CVE-2020-12284 (cbs_jpeg_split_fragment in libavcodec/cbs_jpeg.c in FFmpeg 4.2.2 has a ...) - ffmpeg 7:4.2.3-1 [stretch] - ffmpeg (Vulnerable code not present) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19734 NOTE: https://github.com/FFmpeg/FFmpeg/commit/1812352d767ccf5431aa440123e2e260a4db2726 CVE-2017-18863 (Certain NETGEAR devices are affected by command execution via a PHP fo ...) NOT-FOR-US: Netgear CVE-2017-18862 (Certain NETGEAR devices are affected by authentication bypass. This af ...) NOT-FOR-US: Netgear CVE-2017-18861 (Certain NETGEAR devices are affected by CSRF. This affects ReadyNAS Su ...) NOT-FOR-US: Netgear CVE-2017-18860 (Certain NETGEAR devices are affected by debugging command execution. T ...) NOT-FOR-US: Netgear CVE-2017-18859 (Certain NETGEAR devices are affected by slowdown/stoppage. This affect ...) NOT-FOR-US: Netgear CVE-2017-18858 (Certain NETGEAR devices are affected by command execution. This affect ...) NOT-FOR-US: Netgear CVE-2017-18857 (The NETGEAR Insight application before 2.42 for Android and iOS is aff ...) NOT-FOR-US: Netgear CVE-2017-18856 (NETGEAR ReadyNAS devices before 6.6.1 are affected by command injectio ...) NOT-FOR-US: Netgear CVE-2017-18855 (NETGEAR WNR854T devices before 1.5.2 are affected by command execution ...) NOT-FOR-US: Netgear CVE-2017-18854 (NETGEAR ReadyNAS 6.6.1 and earlier is affected by command injection. ...) NOT-FOR-US: Netgear CVE-2017-18853 (Certain NETGEAR devices are affected by password recovery and file acc ...) NOT-FOR-US: Netgear CVE-2016-11060 (Certain NETGEAR devices are affected by insecure renegotiation. This a ...) NOT-FOR-US: Netgear CVE-2016-11059 (Certain NETGEAR devices are affected by password exposure. This affect ...) NOT-FOR-US: Netgear CVE-2016-11058 (The NETGEAR genie application before 2.4.34 for Android is affected by ...) NOT-FOR-US: Netgear CVE-2016-11057 (Certain NETGEAR devices are affected by mishandling of repeated URL ca ...) NOT-FOR-US: Netgear CVE-2016-11056 (Certain NETGEAR devices are affected by anonymous root access. This af ...) NOT-FOR-US: Netgear CVE-2016-11055 (Certain NETGEAR devices are affected by CSRF. This affects CM400 befor ...) NOT-FOR-US: Netgear CVE-2016-11054 (NETGEAR DGN2200v4 devices before 2017-01-06 are affected by command ex ...) NOT-FOR-US: Netgear CVE-2020-12283 (Sourcegraph before 3.15.1 has a vulnerable authentication workflow bec ...) NOT-FOR-US: Sourcegraph CVE-2020-12282 RESERVED CVE-2020-12281 RESERVED CVE-2020-12280 RESERVED CVE-2020-12279 (An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99. ...) - libgit2 0.28.4+dfsg.1-2 [buster] - libgit2 (Minor issue; only problematic when used on NTFS like filesystem) [stretch] - libgit2 (Minor issue; only problematic when used on NTFS like filesystem) [jessie] - libgit2 (Minor issue; only problematic when used on NTFS like filesystem) NOTE: https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4 CVE-2020-12278 (An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99. ...) - libgit2 0.28.4+dfsg.1-2 [buster] - libgit2 (Minor issue; only problematic when used on NTFS like filesystem) [stretch] - libgit2 (Minor issue; only problematic when used on NTFS like filesystem) [jessie] - libgit2 (Minor issue; only problematic when used on NTFS like filesystem) NOTE: https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01 NOTE: https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb CVE-2020-12277 (GitLab 10.8 through 12.9 has a vulnerability that allows someone to mi ...) [experimental] - gitlab 12.8.8-1 - gitlab NOTE: https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ CVE-2020-12276 (GitLab 9.5.9 through 12.9 is vulnerable to stored XSS in an admin noti ...) [experimental] - gitlab 12.8.8-1 - gitlab NOTE: https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ CVE-2020-12275 (GitLab 12.6 through 12.9 is vulnerable to a privilege escalation that ...) [experimental] - gitlab 12.8.8-1 - gitlab NOTE: https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ CVE-2020-12274 (In TestLink 1.9.20, the lib/cfields/cfieldsExport.php goback_url param ...) NOT-FOR-US: TestLink CVE-2020-12273 (In TestLink 1.9.20, a crafted login.php viewer parameter exposes clear ...) NOT-FOR-US: TestLink CVE-2020-12272 (OpenDMARC through 1.3.2 and 1.4.x allows attacks that inject authentic ...) - opendmarc NOTE: https://sourceforge.net/p/opendmarc/tickets/237/ NOTE: https://www.usenix.org/system/files/sec20fall_chen-jianjun_prepub_0.pdf CVE-2020-12271 (A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 bef ...) NOT-FOR-US: SFOS CVE-2020-12270 (** DISPUTED ** React Native Bluetooth Scan in Bluezone 1.0.0 uses six- ...) NOT-FOR-US: Bluezone CVE-2020-12269 RESERVED CVE-2020-12268 (jbig2_image_compose in jbig2_image.c in Artifex jbig2dec before 0.18 h ...) - jbig2dec 0.18-1 [buster] - jbig2dec (Minor issue) [stretch] - jbig2dec (Minor issue) [jessie] - jbig2dec (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20332 NOTE: https://github.com/ArtifexSoftware/jbig2dec/commit/0726320a4b55078e9d8deb590e477d598b3da66e CVE-2020-12267 (setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextM ...) - qtbase-opensource-src (Vulnerable code not present) NOTE: https://github.com/qt/qtbase/commit/7447e2b337f12b4d04935d0f30fc673e4327d5a0 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20450 NOTE: The 5.14 in experimental contains the code, but is already fixed CVE-2019-20790 (OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, ...) - opendmarc NOTE: https://bugs.launchpad.net/pypolicyd-spf/+bug/1838816 NOTE: https://sourceforge.net/p/opendmarc/tickets/235/ NOTE: https://www.usenix.org/system/files/sec20fall_chen-jianjun_prepub_0.pdf CVE-2020-12266 (An issue was discovered on WAVLINK WL-WN579G3 M79X3.V5030.180719, WL-W ...) NOT-FOR-US: WAVLINK CVE-2020-12265 (The decompress package before 4.2.1 for Node.js is vulnerable to Arbit ...) NOT-FOR-US: Node decompress CVE-2020-12264 RESERVED CVE-2020-12263 RESERVED CVE-2020-12262 RESERVED CVE-2020-12261 (Open-AudIT 3.3.0 allows an XSS attack after login. ...) NOT-FOR-US: Open-AudIT CVE-2020-12260 RESERVED CVE-2020-12259 (rConfig 3.9.4 is vulnerable to reflected XSS. The configDevice.php fil ...) NOT-FOR-US: rConfig CVE-2020-12258 (rConfig 3.9.4 is vulnerable to session fixation because session expiry ...) NOT-FOR-US: rConfig CVE-2020-12257 (rConfig 3.9.4 is vulnerable to cross-site request forgery (CSRF) becau ...) NOT-FOR-US: rConfig CVE-2020-12256 (rConfig 3.9.4 is vulnerable to reflected XSS. The devicemgmnt.php file ...) NOT-FOR-US: rConfig CVE-2020-12255 (rConfig 3.9.4 is vulnerable to remote code execution due to improper v ...) NOT-FOR-US: rConfig CVE-2020-12254 (Avira Antivirus before 5.0.2003.1821 on Windows allows privilege escal ...) NOT-FOR-US: Avira Antivirus CVE-2019-20789 (Croogo before 3.0.7 allows XSS via the title to admin/menus/menus or a ...) NOT-FOR-US: Croogo CVE-2020-12253 RESERVED CVE-2020-12252 (An issue was discovered in Gigamon GigaVUE 5.5.01.11. The upload funct ...) NOT-FOR-US: Gigamon CVE-2020-12251 (An issue was discovered in Gigamon GigaVUE 5.5.01.11. The upload funct ...) NOT-FOR-US: Gigamon CVE-2020-12250 RESERVED CVE-2020-12249 RESERVED CVE-2020-12248 RESERVED CVE-2020-12247 RESERVED CVE-2020-12246 (Beeline Smart Box 2.0.38 routers allow "Advanced settings > Other & ...) NOT-FOR-US: Beeline Smart Box CVE-2020-12245 (Grafana before 6.7.3 allows table-panel XSS via column.title or cellLi ...) - grafana NOTE: https://github.com/grafana/grafana/pull/23816 CVE-2020-12244 (An issue has been found in PowerDNS Recursor 4.1.0 through 4.3.0 where ...) {DSA-4691-1} - pdns-recursor 4.3.1-1 [jessie] - pdns-recursor (Vulnerable code added later) [stretch] - pdns-recursor (No longer supported, see DSA 4691) NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html NOTE: https://www.openwall.com/lists/oss-security/2020/05/19/3 CVE-2020-12243 (In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters wi ...) {DSA-4666-1 DLA-2199-1} - openldap 2.4.50+dfsg-1 NOTE: https://bugs.openldap.org/show_bug.cgi?id=9202 NOTE: https://git.openldap.org/openldap/openldap/-/commit/d38d48fc8f572dedfb67b9da61a2ba3b125ced91 (master) NOTE: https://git.openldap.org/openldap/openldap/-/commit/98464c11df8247d6a11b52e294ba5dd4f0380440 (OPENLDAP_REL_ENG_2_4_50) CVE-2020-12242 (Valve Source allows local users to gain privileges by writing to the / ...) NOT-FOR-US: Valve CVE-2020-12241 RESERVED CVE-2020-12240 RESERVED CVE-2020-12239 RESERVED CVE-2020-12238 RESERVED CVE-2020-12237 RESERVED CVE-2020-12236 RESERVED CVE-2020-12235 RESERVED CVE-2020-12234 RESERVED CVE-2020-12233 RESERVED CVE-2020-12232 RESERVED CVE-2020-12231 RESERVED CVE-2020-12230 RESERVED CVE-2020-12229 RESERVED CVE-2020-12228 RESERVED CVE-2020-12227 RESERVED CVE-2020-12226 RESERVED CVE-2020-12225 RESERVED CVE-2020-12224 RESERVED CVE-2020-12223 RESERVED CVE-2020-12222 RESERVED CVE-2020-12221 RESERVED CVE-2020-12220 RESERVED CVE-2020-12219 RESERVED CVE-2020-12218 RESERVED CVE-2020-12217 RESERVED CVE-2020-12216 RESERVED CVE-2020-12215 RESERVED CVE-2020-12214 RESERVED CVE-2020-12213 RESERVED CVE-2020-12212 RESERVED CVE-2020-12211 RESERVED CVE-2020-12210 RESERVED CVE-2020-12209 RESERVED CVE-2020-12208 RESERVED CVE-2020-12207 RESERVED CVE-2020-12206 RESERVED CVE-2020-12205 RESERVED CVE-2020-12204 RESERVED CVE-2020-12203 RESERVED CVE-2020-12202 RESERVED CVE-2020-12201 RESERVED CVE-2020-12200 RESERVED CVE-2020-12199 RESERVED CVE-2020-12198 RESERVED CVE-2020-12197 RESERVED CVE-2020-12196 RESERVED CVE-2020-12195 RESERVED CVE-2020-12194 RESERVED CVE-2020-12193 RESERVED CVE-2020-12192 RESERVED CVE-2020-12191 RESERVED CVE-2020-12190 RESERVED CVE-2020-12189 RESERVED CVE-2020-12188 RESERVED CVE-2020-12187 RESERVED CVE-2020-12186 RESERVED CVE-2020-12185 RESERVED CVE-2020-12184 RESERVED CVE-2020-12183 RESERVED CVE-2020-12182 RESERVED CVE-2020-12181 RESERVED CVE-2020-12180 RESERVED CVE-2020-12179 RESERVED CVE-2020-12178 RESERVED CVE-2020-12177 RESERVED CVE-2020-12176 RESERVED CVE-2020-12175 RESERVED CVE-2020-12174 RESERVED CVE-2020-12173 RESERVED CVE-2020-12172 RESERVED CVE-2020-12171 RESERVED CVE-2020-12170 RESERVED CVE-2020-12169 RESERVED CVE-2020-12168 RESERVED CVE-2020-12167 RESERVED CVE-2020-12166 RESERVED CVE-2020-12165 RESERVED CVE-2020-12164 RESERVED CVE-2020-12163 RESERVED CVE-2020-12162 RESERVED CVE-2020-12161 RESERVED CVE-2020-12160 RESERVED CVE-2020-12159 RESERVED CVE-2020-12158 RESERVED CVE-2020-12157 RESERVED CVE-2020-12156 RESERVED CVE-2020-12155 RESERVED CVE-2020-12154 RESERVED CVE-2020-12153 RESERVED CVE-2020-12152 RESERVED CVE-2020-12151 RESERVED CVE-2020-12150 RESERVED CVE-2020-12149 RESERVED CVE-2020-12148 RESERVED CVE-2020-12147 RESERVED CVE-2020-12146 RESERVED CVE-2020-12145 RESERVED CVE-2020-12144 (The certificate used to identify the Silver Peak Cloud Portal to EdgeC ...) NOT-FOR-US: Silver Peak Cloud Portal CVE-2020-12143 (The certificate used to identify Orchestrator to EdgeConnect devices i ...) NOT-FOR-US: EdgeConnect CVE-2020-12142 (1. IPSec UDP key material can be retrieved from machine-to-machine int ...) NOT-FOR-US: EdgeConnect CVE-2020-12141 RESERVED CVE-2020-12140 RESERVED CVE-2020-12139 RESERVED CVE-2020-12138 (AMD ATI atillk64.sys 5.11.9.0 allows low-privileged users to interact ...) NOT-FOR-US: AMD ATI atillk64.sys specific issue CVE-2020-12136 RESERVED CVE-2020-12135 (bson before 0.8 incorrectly uses int rather than size_t for many varia ...) - duo-unix (unimportant; bug #958998) NOTE: Embedded older version, but affected function not used CVE-2020-12134 (Nanometrics Centaur through 4.3.23 and TitanSMA through 4.2.20 mishand ...) NOT-FOR-US: Nanometrics Centaur / TitanSMA CVE-2020-12133 (The Apros Evolution, ConsciusMap, and Furukawa provisioning systems th ...) NOT-FOR-US: Apros Evolution, ConsciusMap, and Furukawa CVE-2020-12132 (Fifthplay S.A.M.I before 2019.3_HP2 allows unauthenticated stored XSS ...) NOT-FOR-US: Fifthplay CVE-2020-12131 (The AirDisk Pro app 5.5.3 for iOS allows XSS via the devicename parame ...) NOT-FOR-US: AirDisk Pro app for iOS CVE-2020-12130 (The AirDisk Pro app 5.5.3 for iOS allows XSS via the deleteFile parame ...) NOT-FOR-US: AirDisk Pro app for iOS CVE-2020-12129 (The AirDisk Pro app 5.5.3 for iOS allows XSS via the createFolder para ...) NOT-FOR-US: AirDisk Pro app for iOS CVE-2020-12128 (DONG JOO CHO File Transfer iFamily 2.1 allows directory traversal rela ...) NOT-FOR-US: DONG JOO CHO File Transfer iFamily CVE-2020-12127 RESERVED CVE-2020-12126 RESERVED CVE-2020-12125 RESERVED CVE-2020-12124 RESERVED CVE-2020-12123 RESERVED CVE-2020-12122 RESERVED CVE-2020-12121 RESERVED CVE-2020-12120 (The Correos Express addon for PrestaShop 1.6 through 1.7 allows remote ...) NOT-FOR-US: PrestaShop CVE-2020-12119 (Ledger Live before 2.7.0 does not handle Bitcoin's Replace-By-Fee (RBF ...) NOT-FOR-US: Ledger Live CVE-2020-12118 (The keygen protocol implementation in Binance tss-lib before 1.2.0 all ...) NOT-FOR-US: Binance tss-lib CVE-2020-12117 (Moxa Service in Moxa NPort 5150A firmware version 1.5 and earlier allo ...) NOT-FOR-US: Moxa CVE-2020-12116 (Zoho ManageEngine OpManager Stable build before 124196 and Released bu ...) NOT-FOR-US: Zoho ManageEngine CVE-2020-12115 RESERVED CVE-2020-12114 (A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4. ...) {DSA-4699-1 DSA-4698-1 DLA-2242-1 DLA-2241-1} - linux 5.3.7-1 NOTE: https://www.openwall.com/lists/oss-security/2020/05/04/2 CVE-2020-12113 (BigBlueButton before 2.2.4 allows XSS via closed captions because dang ...) NOT-FOR-US: BigBlueButton CVE-2020-12112 (BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive ...) NOT-FOR-US: BigBlueButton CVE-2020-12111 (Certain TP-Link devices allow Command Injection. This affects NC260 1. ...) NOT-FOR-US: TP-Link CVE-2020-12110 (Certain TP-Link devices have a Hardcoded Encryption Key. This affects ...) NOT-FOR-US: TP-Link CVE-2020-12109 (Certain TP-Link devices allow Command Injection. This affects NC200 2. ...) NOT-FOR-US: TP-Link CVE-2020-12108 (/options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content ...) {DLA-2204-1} - mailman NOTE: https://bugs.launchpad.net/mailman/+bug/1873722 CVE-2020-12107 RESERVED CVE-2020-12106 RESERVED CVE-2020-12105 (OpenConnect through 8.08 mishandles negative return values from X509_c ...) - openconnect (unimportant; bug #959428) [jessie] - openconnect (Vulnerable code introduced later) NOTE: https://gitlab.com/openconnect/openconnect/-/merge_requests/96 NOTE: Only an issue if building with OpenSSL, where Debian binary packages use NOTE: GnuTLS. CVE-2020-12104 (The Import feature in the wp-advanced-search plugin 3.3.6 for WordPres ...) NOT-FOR-US: Import feature in the wp-advanced-search plugin for WordPress CVE-2020-12103 (In Tiny File Manager 2.4.1 there is a vulnerability in the ajax file b ...) NOT-FOR-US: Tiny File Manager CVE-2020-12102 (In Tiny File Manager 2.4.1, there is a Path Traversal vulnerability in ...) NOT-FOR-US: Tiny File Manager CVE-2020-12101 (The address-management feature in xt:Commerce 5.1 to 6.2.2 allows remo ...) NOT-FOR-US: xt:Commerce CVE-2020-12100 RESERVED CVE-2020-12099 RESERVED CVE-2020-12098 RESERVED CVE-2020-12097 RESERVED CVE-2020-12096 RESERVED CVE-2020-12095 RESERVED CVE-2020-12094 RESERVED CVE-2020-12093 RESERVED CVE-2020-12092 RESERVED CVE-2020-12091 RESERVED CVE-2020-12090 RESERVED CVE-2020-12089 RESERVED CVE-2020-12088 RESERVED CVE-2020-12087 RESERVED CVE-2020-12086 RESERVED CVE-2020-12085 RESERVED CVE-2020-12084 RESERVED CVE-2020-12083 RESERVED CVE-2020-12082 RESERVED CVE-2020-12081 RESERVED CVE-2020-12080 RESERVED CVE-2019-20788 (libvncclient/cursor.c in LibVNCServer through 0.9.12 has a HandleCurso ...) {DLA-2146-1} - libvncserver 0.9.12+dfsg-9 (bug #954163) [buster] - libvncserver 0.9.11+dfsg-1.3+deb10u3 [stretch] - libvncserver (Minor issue) NOTE: https://github.com/LibVNC/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed CVE-2020-12137 (GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed app ...) {DSA-4664-1 DLA-2200-1} - mailman (bug #958930) NOTE: https://www.openwall.com/lists/oss-security/2020/02/24/2 NOTE: http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1801 CVE-2020-12079 (Beaker before 0.8.9 allows a sandbox escape, enabling system access an ...) NOT-FOR-US: Beaker browser, different from src:beaker CVE-2020-12078 (An issue was discovered in Open-AudIT 3.3.1. There is shell metacharac ...) NOT-FOR-US: Open-AudIT CVE-2020-12077 (The mappress-google-maps-for-wordpress plugin before 2.53.9 for WordPr ...) NOT-FOR-US: mappress-google-maps-for-wordpress plugin for WordPress CVE-2020-12076 (The data-tables-generator-by-supsystic plugin before 1.9.92 for WordPr ...) NOT-FOR-US: data-tables-generator-by-supsystic plugin for WordPress CVE-2020-12075 (The data-tables-generator-by-supsystic plugin before 1.9.92 for WordPr ...) NOT-FOR-US: data-tables-generator-by-supsystic plugin for WordPress CVE-2020-12074 (The users-customers-import-export-for-wp-woocommerce plugin before 1.3 ...) NOT-FOR-US: users-customers-import-export-for-wp-woocommerce plugin for WordPress CVE-2020-12073 (The responsive-add-ons plugin before 2.2.7 for WordPress has incorrect ...) NOT-FOR-US: responsive-add-ons plugin for WordPress CVE-2020-12072 RESERVED CVE-2020-12071 (Anchor 0.12.7 allows admins to cause XSS via crafted post content. ...) NOT-FOR-US: Anchor CVE-2020-12070 (The Advanced Woo Search plugin version through 1.99 for Wordpress suff ...) NOT-FOR-US: Advanced Woo Search plugin for WordPress CVE-2020-12069 RESERVED CVE-2020-12068 (An issue was discovered in CODESYS Development System before 3.5.16.0. ...) NOT-FOR-US: CODESYS CVE-2020-12067 RESERVED CVE-2020-12066 (CServer::SendMsg in engine/server/server.cpp in Teeworlds 0.7.x before ...) - teeworlds [jessie] - teeworlds (Not supported in jessie LTS) NOTE: https://github.com/teeworlds/teeworlds/commit/c68402fa7e279d42886d5951d1ea8ac2facc1ea5 NOTE: https://www.teeworlds.com/forum/viewtopic.php?id=14785 CVE-2020-12065 RESERVED CVE-2020-12064 RESERVED CVE-2020-12063 (** DISPUTED ** A certain Postfix 2.10.1-7 package could allow an attac ...) NOTE: https://www.openwall.com/lists/oss-security/2020/04/23/3 NOTE: https://www.openwall.com/lists/oss-security/2020/04/23/12 NOTE: Not considered a Postfix vulnerability and scope is outside of the design goals CVE-2020-12062 (** DISPUTED ** The scp client in OpenSSH 8.2 incorrectly sends duplica ...) - openssh 1:8.3p1-1 (unimportant) NOTE: https://github.com/openssh/openssh-portable/commit/955854cafca88e0cdcd3d09ca1ad4ada465364a1 NOTE: https://github.com/openssh/openssh-portable/commit/aad87b88fc2536b1ea023213729aaf4eaabe1894 NOTE: https://www.openwall.com/lists/oss-security/2020/05/27/1 NOTE: Negligible security impact, a malicious peer can achieve no more than already NOTE: able o achieve within the scp protocol. CVE-2020-12061 RESERVED CVE-2020-12060 RESERVED CVE-2020-12059 (An issue was discovered in Ceph through 13.2.9. A POST request with an ...) - ceph 14.2.4-1 [stretch] - ceph (Vulnerable code introduced later) [jessie] - ceph (Vulnerable code introduced later) NOTE: https://tracker.ceph.com/issues/44967 NOTE: Introduced with: https://github.com/ceph/ceph/commit/5fb068114bb3da2f8fabea89160a8453f861dc96 (v12.1.1) NOTE: Fixed by: https://github.com/ceph/ceph/commit/375d926a4f2720a29b079c216bafb884eef985c3 (v13.2.10) NOTE: Consider 14.x series as fixed due to the use of the new style xml parsing. CVE-2019-20787 (Teeworlds before 0.7.4 has an integer overflow when computing a tilema ...) NOTE: Duplicate of CVE-2019-10877, requested rejection CVE-2020-12058 RESERVED CVE-2020-12057 RESERVED CVE-2020-12056 RESERVED CVE-2020-12055 RESERVED CVE-2020-12054 (The Catch Breadcrumb plugin before 1.5.4 for WordPress allows Reflecte ...) NOT-FOR-US: Catch Breadcrumb plugin for WordPress CVE-2020-12053 (In Unisys Stealth 3.4.x, 4.x and 5.x before 5.0.026, if certificate-ba ...) NOT-FOR-US: Unisys Stealth CVE-2020-12052 (Grafana version < 6.7.3 is vulnerable for annotation popup XSS. ...) - grafana CVE-2020-12051 (The CentralAuth extension through REL1_34 for MediaWiki allows remote ...) NOT-FOR-US: MediaWiki extension CVE-2020-12050 (SQLiteODBC 0.9996, as packaged for certain Linux distributions as 0.99 ...) - sqliteodbc (unimportant) NOTE: The issue is located in the *.spec files used for rpm packaging using insecurely NOTE: /tmp/sqliteodbc$$. Debian packaging maintainer scripts do not suffer from same NOTE: issue. CVE-2020-12049 (An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusSe ...) {DLA-2235-1} - dbus 1.12.18-1 [buster] - dbus (Minor issue) [stretch] - dbus (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2020/06/04/3 NOTE: https://gitlab.freedesktop.org/dbus/dbus/-/issues/294 NOTE: Fixed by: https://gitlab.freedesktop.org/dbus/dbus/-/commit/272d484283883fa9ff95b69d924fff6cd34842f5 NOTE: Test: https://gitlab.freedesktop.org/dbus/dbus/-/commit/8bc1381819e5a845331650bfa28dacf6d2ac1748 CVE-2020-12048 (Phoenix Hemodialysis Delivery System SW 3.36 and 3.40, The Phoenix Hem ...) NOT-FOR-US: Phoenix Hemodialysis Delivery System CVE-2020-12047 (The Baxter Spectrum WBM (v17, v20D29, v20D30, v20D31, and v22D24), whe ...) NOT-FOR-US: Baxter Spectrum WBM CVE-2020-12046 (Opto 22 SoftPAC Project Version 9.6 and prior. SoftPAC’s firmwar ...) NOT-FOR-US: Opto 22 SoftPAC Project CVE-2020-12045 (The Baxter Spectrum WBM (v17, v20D29, v20D30, v20D31, and v22D24) when ...) NOT-FOR-US: Baxter Spectrum WBM CVE-2020-12044 RESERVED CVE-2020-12043 (The Baxter Spectrum WBM (v17, v20D29, v20D30, v20D31, and v22D24) when ...) NOT-FOR-US: Baxter Spectrum WBM CVE-2020-12042 (Opto 22 SoftPAC Project Version 9.6 and prior. Paths specified within ...) NOT-FOR-US: Opto 22 SoftPAC Project CVE-2020-12041 (The Baxter Spectrum WBM (v17, v20D29, v20D30, v20D31, and v22D24) teln ...) NOT-FOR-US: Baxter Spectrum WBM CVE-2020-12040 (Sigma Spectrum Infusion System v's6.x (model 35700BAX) and Baxter Spec ...) NOT-FOR-US: Sigma Spectrum Infusion System CVE-2020-12039 (Baxter Sigma Spectrum Infusion Pumps Sigma Spectrum Infusion System v' ...) NOT-FOR-US: Baxter CVE-2020-12038 (Products that use EDS Subsystem: Version 28.0.1 and prior (FactoryTalk ...) NOT-FOR-US: Rockwell Automation CVE-2020-12037 (Baxter PrismaFlex all versions, PrisMax all versions prior to 3.x, The ...) NOT-FOR-US: Baxter CVE-2020-12036 (Baxter PrismaFlex all versions, PrisMax all versions prior to 3.x, The ...) NOT-FOR-US: Baxter CVE-2020-12035 (Baxter PrismaFlex all versions, PrisMax all versions prior to 3.x, The ...) NOT-FOR-US: Baxter CVE-2020-12034 (Products that use EDS Subsystem: Version 28.0.1 and prior (FactoryTalk ...) NOT-FOR-US: Rockwell Automation CVE-2020-12033 (In Rockwell Automation FactoryTalk Services Platform, all versions, th ...) NOT-FOR-US: Rockwell Automation CVE-2020-12032 (Baxter ExactaMix EM 2400 Versions 1.10, 1.11 and ExactaMix EM1200 Vers ...) NOT-FOR-US: Baxter CVE-2020-12031 RESERVED CVE-2020-12030 RESERVED CVE-2020-12029 RESERVED CVE-2020-12028 RESERVED CVE-2020-12027 RESERVED CVE-2020-12026 (Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Mult ...) NOT-FOR-US: Advantech WebAccess Node CVE-2020-12025 RESERVED CVE-2020-12024 (Baxter ExactaMix EM 2400 versions 1.10, 1.11, 1.13, 1.14 and ExactaMix ...) NOT-FOR-US: Baxter CVE-2020-12023 (Philips IntelliBridge Enterprise (IBE), Versions B.12 and prior, Intel ...) NOT-FOR-US: Philips CVE-2020-12022 (Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. An i ...) NOT-FOR-US: Advantech WebAccess Node CVE-2020-12021 (In OSIsoft PI Web API 2019 Patch 1 (1.12.0.6346) and all previous vers ...) NOT-FOR-US: OSIsoft PI Web CVE-2020-12020 (Baxter ExactaMix EM 2400 Versions 1.10, 1.11, and 1.13 and ExactaMix E ...) NOT-FOR-US: Baxter CVE-2020-12019 (WebAccess Node Version 8.4.4 and prior is vulnerable to a stack-based ...) NOT-FOR-US: WebAccess Node CVE-2020-12018 (Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. An o ...) NOT-FOR-US: Advantech WebAccess Node CVE-2020-12017 (GE Grid Solutions Reason RT Clocks, RT430, RT431, and RT434, all firmw ...) NOT-FOR-US: GE Grid Solutions Reason RT Clocks CVE-2020-12016 (Baxter ExactaMix EM 2400 & EM 1200, Versions ExactaMix EM2400 Vers ...) NOT-FOR-US: Baxter CVE-2020-12015 RESERVED CVE-2020-12014 (Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Inpu ...) NOT-FOR-US: Advantech WebAccess Node CVE-2020-12013 RESERVED CVE-2020-12012 (Baxter ExactaMix EM 2400 & EM 1200, Versions ExactaMix EM2400 Vers ...) NOT-FOR-US: Baxter CVE-2020-12011 RESERVED CVE-2020-12010 (Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Mult ...) NOT-FOR-US: Advantech WebAccess Node CVE-2020-12009 RESERVED CVE-2020-12008 (Baxter ExactaMix EM 2400 Versions 1.10, 1.11 and ExactaMix EM1200 Vers ...) NOT-FOR-US: Baxter CVE-2020-12007 RESERVED CVE-2020-12006 (Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Mult ...) NOT-FOR-US: Advantech WebAccess Node CVE-2020-12005 (FactoryTalk Linx versions 6.00, 6.10, and 6.11, RSLinx Classic v4.11.0 ...) NOT-FOR-US: FactoryTalk CVE-2020-12004 (The affected product lacks proper authentication required to query the ...) NOT-FOR-US: Inductive Automation Ignition CVE-2020-12003 (FactoryTalk Linx versions 6.00, 6.10, and 6.11, RSLinx Classic v4.11.0 ...) NOT-FOR-US: FactoryTalk CVE-2020-12002 (Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Mult ...) NOT-FOR-US: Advantech WebAccess Node CVE-2020-12001 (FactoryTalk Linx versions 6.00, 6.10, and 6.11, RSLinx Classic v4.11.0 ...) NOT-FOR-US: FactoryTalk CVE-2020-12000 (The affected product is vulnerable to the handling of serialized data. ...) NOT-FOR-US: Inductive Automation Ignition CVE-2020-11999 (FactoryTalk Linx versions 6.00, 6.10, and 6.11, RSLinx Classic v4.11.0 ...) NOT-FOR-US: FactoryTalk CVE-2020-11998 RESERVED CVE-2020-11997 RESERVED CVE-2020-11996 (A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat ...) - tomcat9 9.0.36-1 - tomcat8 NOTE: https://www.openwall.com/lists/oss-security/2020/06/25/6 NOTE: https://github.com/apache/tomcat/commit/9a0231683a77e2957cea0fdee88b193b30b0c976 (9.0.36) NOTE: https://github.com/apache/tomcat/commit/c8acd2ab7371e39aeca7c306f3b5380f00afe552 (8.5.56) CVE-2020-11995 RESERVED CVE-2020-11994 (Server-Side Template Injection and arbitrary file disclosure on Camel ...) NOT-FOR-US: Apache Camel CVE-2020-11993 RESERVED CVE-2020-11992 RESERVED CVE-2020-11991 RESERVED CVE-2020-11990 RESERVED CVE-2020-11989 (Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic ...) {DLA-2273-1} - shiro NOTE: https://www.openwall.com/lists/oss-security/2020/06/22/1 NOTE: https://github.com/apache/shiro/pull/211 NOTE: https://issues.apache.org/jira/browse/SHIRO-753 NOTE: The original CVE-2020-1957 adressed in 1.5.2 introduced an encoding issue NOTE: which can (security wise) be exploited, resulting in a 1.5.3 release. This NOTE: CVE is closely related to CVE-2020-1957. CVE-2020-11988 RESERVED CVE-2020-11987 RESERVED CVE-2020-11986 RESERVED CVE-2020-11985 RESERVED CVE-2020-11984 RESERVED CVE-2020-11983 RESERVED CVE-2020-11982 RESERVED CVE-2020-11981 RESERVED CVE-2020-11980 (In Karaf, JMX authentication takes place using JAAS and authorization ...) - apache-karaf (bug #881297) CVE-2020-11979 RESERVED CVE-2020-11978 RESERVED CVE-2020-11977 RESERVED CVE-2020-11976 RESERVED CVE-2020-11975 (Apache Unomi allows conditions to use OGNL scripting which offers the ...) NOT-FOR-US: Apache Unomi CVE-2020-11974 RESERVED CVE-2020-11973 (Apache Camel Netty enables Java deserialization by default. Apache Cam ...) NOT-FOR-US: Apache Camel CVE-2020-11972 (Apache Camel RabbitMQ enables Java deserialization by default. Apache ...) NOT-FOR-US: Apache Camel CVE-2020-11971 (Apache Camel's JMX is vulnerable to Rebind Flaw. Apache Camel 2.22.x, ...) NOT-FOR-US: Apache Camel CVE-2020-11970 REJECTED CVE-2020-11969 (If Apache TomEE is configured to use the embedded ActiveMQ broker, and ...) NOT-FOR-US: Apache TomEE CVE-2020-11968 (In the web-panel in IQrouter through 3.3.1, remote attackers can read ...) NOT-FOR-US: IQrouter CVE-2020-11967 (In IQrouter through 3.3.1, remote attackers can control the device (re ...) NOT-FOR-US: IQrouter CVE-2020-11966 (In IQrouter through 3.3.1, the Lua function reset_password in the web- ...) NOT-FOR-US: IQrouter CVE-2020-11965 (In IQrouter through 3.3.1, there is a root user without a password, wh ...) NOT-FOR-US: IQrouter CVE-2020-11964 (In IQrouter through 3.3.1, the Lua function diag_set_password in the w ...) NOT-FOR-US: IQrouter CVE-2020-11963 (IQrouter through 3.3.1, when unconfigured, has multiple remote code ex ...) NOT-FOR-US: IQrouter CVE-2020-11962 RESERVED CVE-2020-11961 (Xiaomi router R3600 ROM before 1.0.50 is affected by a sensitive infor ...) NOT-FOR-US: Xiaomi CVE-2020-11960 (Xiaomi router R3600 ROM before 1.0.50 is affected by a vulnerability w ...) NOT-FOR-US: Xiaomi CVE-2020-11959 (An unsafe configuration of nginx lead to information leak in Xiaomi ro ...) NOT-FOR-US: Xiaomi CVE-2020-11958 (re2c 1.3 has a heap-based buffer overflow in Scanner::fill in parse/sc ...) - re2c 1.3-2 (bug #963158) [buster] - re2c (Vulnerability introduced later) [stretch] - re2c (Vulnerability introduced later) [jessie] - re2c (Vulnerability introduced later) NOTE: http://blogs.gentoo.org/ago/2020/04/19/re2c-heap-overflow-in-scannerfill-scanner-cc/ NOTE: Logical error introduced in: https://github.com/skvadrik/re2c/commit/2f3e597abce36fb7f41413373308b7f13fc98181 (1.2) NOTE: Vulnerability introduced in: https://github.com/skvadrik/re2c/commit/1edd26a35457c5835afd58b8fa8330d33e7a1192 (1.2) NOTE: https://github.com/skvadrik/re2c/commit/c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a#commitcomment-38652070 NOTE: Fixed by: https://github.com/skvadrik/re2c/commit/c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a CVE-2020-11957 (The Bluetooth Low Energy implementation in Cypress PSoC Creator BLE 4. ...) NOT-FOR-US: Cypress CVE-2020-11956 RESERVED CVE-2020-11955 RESERVED CVE-2020-11954 RESERVED CVE-2020-11953 RESERVED CVE-2020-11952 RESERVED CVE-2020-11951 RESERVED CVE-2020-11950 (VIVOTEK Network Cameras before XXXXX-VVTK-2.2002.xx.01x (and before XX ...) NOT-FOR-US: VIVOTEK Network Cameras CVE-2020-11949 (testserver.cgi of the web service on VIVOTEK Network Cameras before XX ...) NOT-FOR-US: VIVOTEK Network Cameras CVE-2020-11948 RESERVED CVE-2020-11947 RESERVED CVE-2020-11946 (Zoho ManageEngine OpManager before 125120 allows an unauthenticated us ...) NOT-FOR-US: Zoho ManageEngine OpManager CVE-2020-11945 (An issue was discovered in Squid before 5.0.2. A remote attacker can r ...) {DSA-4682-1} - squid 4.11-1 - squid3 NOTE: http://www.squid-cache.org/Advisories/SQUID-2020_4.txt NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-eeebf0f37a72a2de08348e85ae34b02c34e9a811.patch CVE-2020-11944 (Abe (aka bitcoin-abe) through 0.7.2, and 0.8pre, allows XSS in __call_ ...) NOT-FOR-US: bitcoin-abe CVE-2020-11943 (An issue was discovered in Open-AudIT 3.2.2. There is Arbitrary file u ...) NOT-FOR-US: Open-AudIT CVE-2020-11942 (An issue was discovered in Open-AudIT 3.2.2. There are Multiple SQL In ...) NOT-FOR-US: Open-AudIT CVE-2020-11941 (An issue was discovered in Open-AudIT 3.2.2. There is OS Command injec ...) NOT-FOR-US: Open-AudIT CVE-2020-11940 (In nDPI through 3.2 Stable, an out-of-bounds read in concat_hash_strin ...) - ndpi [buster] - ndpi (Introduced in 3.0) [stretch] - ndpi (Introduced in 3.0) [jessie] - ndpi (Introduced in 3.0) NOTE: https://github.com/ntop/nDPI/commit/3bbb0cd3296023f6f922c71d21a1c374d2b0a435 NOTE: https://securitylab.github.com/advisories/GHSL-2020-051_052-ntop-ndpi CVE-2020-11939 (In nDPI through 3.2 Stable, the SSH protocol dissector has multiple KE ...) - ndpi [buster] - ndpi (Introduced in 3.0) [stretch] - ndpi (Introduced in 3.0) [jessie] - ndpi (Introduced in 3.0) NOTE: https://github.com/ntop/nDPI/commit/7ce478a58b4dd29a8d1e6f4e9df2f778613d9202 NOTE: https://securitylab.github.com/advisories/GHSL-2020-051_052-ntop-ndpi CVE-2020-11938 (In JetBrains TeamCity 2018.2 through 2019.2.1, a project administrator ...) NOT-FOR-US: JetBrains TeamCity CVE-2020-11937 RESERVED CVE-2020-11936 RESERVED CVE-2020-11935 RESERVED - aufs [buster] - aufs (Minor issue; CONFIG_IMA not enabled in kernel; can be fixed via point release)) [stretch] - aufs (Minor issue; too many other aufs issues open) NOTE: To exploit the issue CONFIG_IMA in Kernel needs to be enabled. NOTE: linux/4.9.y had the config enabled, but was disabled in later versions NOTE: including linux/4.19.y. NOTE: https://sourceforge.net/p/aufs/mailman/message/37048642/ NOTE: https://github.com/sfjro/aufs4-linux/commit/515a586eeef31e0717d5dea21e2c11a965340b3c NOTE: https://github.com/sfjro/aufs4-linux/commit/f10aea57d39d6cd311312e9e7746804f7059b5c8 CVE-2020-11934 RESERVED CVE-2020-11933 RESERVED CVE-2020-11932 (It was discovered that the Subiquity installer for Ubuntu Server logge ...) NOT-FOR-US: Subiquity installer for Ubuntu CVE-2020-11931 (An Ubuntu-specific modification to Pulseaudio to provide security medi ...) NOT-FOR-US: Ubuntu snap packaging of Pulseaudio CVE-2018-21231 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) NOT-FOR-US: Netgear CVE-2018-21230 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) NOT-FOR-US: Netgear CVE-2018-21229 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) NOT-FOR-US: Netgear CVE-2018-21228 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2018-21227 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2018-21226 (Certain NETGEAR devices are affected by authentication bypass. This af ...) NOT-FOR-US: Netgear CVE-2018-21225 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2018-21224 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...) NOT-FOR-US: Netgear CVE-2018-21223 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...) NOT-FOR-US: Netgear CVE-2018-21222 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...) NOT-FOR-US: Netgear CVE-2018-21221 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...) NOT-FOR-US: Netgear CVE-2018-21220 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...) NOT-FOR-US: Netgear CVE-2018-21219 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...) NOT-FOR-US: Netgear CVE-2018-21218 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...) NOT-FOR-US: Netgear CVE-2018-21217 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...) NOT-FOR-US: Netgear CVE-2018-21216 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...) NOT-FOR-US: Netgear CVE-2018-21215 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...) NOT-FOR-US: Netgear CVE-2018-21214 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...) NOT-FOR-US: Netgear CVE-2018-21213 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...) NOT-FOR-US: Netgear CVE-2018-21212 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...) NOT-FOR-US: Netgear CVE-2018-21211 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...) NOT-FOR-US: Netgear CVE-2018-21210 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...) NOT-FOR-US: Netgear CVE-2018-21209 (Certain NETGEAR devices are affected by reflected XSS. This affects JN ...) NOT-FOR-US: Netgear CVE-2018-21208 (Certain NETGEAR devices are affected by command injection by an unauth ...) NOT-FOR-US: Netgear CVE-2018-21207 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21206 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21205 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21204 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21203 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21202 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21201 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21200 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21199 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21198 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21197 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21196 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21195 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21194 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21193 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21192 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21191 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21190 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21189 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21188 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21187 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21186 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21185 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21184 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21183 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21182 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21181 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21180 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21179 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21178 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21177 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21176 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21175 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21174 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21173 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21172 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21171 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21170 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21169 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) NOT-FOR-US: Netgear CVE-2018-21168 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...) NOT-FOR-US: Netgear CVE-2018-21167 (Certain NETGEAR devices are affected by stored XSS. This affects D6100 ...) NOT-FOR-US: Netgear CVE-2018-21166 (Certain NETGEAR devices are affected by denial of service. This affect ...) NOT-FOR-US: Netgear CVE-2018-21165 (Certain NETGEAR devices are affected by denial of service. This affect ...) NOT-FOR-US: Netgear CVE-2018-21164 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2018-21163 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21162 (Certain NETGEAR devices are affected by command injection by an unauth ...) NOT-FOR-US: Netgear CVE-2018-21161 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) NOT-FOR-US: Netgear CVE-2018-21160 (NETGEAR ReadyNAS devices before 6.9.3 are affected by CSRF. ...) NOT-FOR-US: Netgear CVE-2018-21159 (NETGEAR ReadyNAS devices before 6.9.3 are affected by incorrect config ...) NOT-FOR-US: Netgear CVE-2018-21158 (NETGEAR R7800 devices before 1.0.2.46 are affected by incorrect config ...) NOT-FOR-US: Netgear CVE-2018-21157 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2018-21156 (Certain NETGEAR devices are affected by a buffer overflow by an authen ...) NOT-FOR-US: Netgear CVE-2018-21155 (Certain NETGEAR devices are affected by stored XSS. This affects D7800 ...) NOT-FOR-US: Netgear CVE-2018-21154 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2018-21153 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...) NOT-FOR-US: Netgear CVE-2018-21152 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2018-21151 (Certain NETGEAR devices are affected by a buffer overflow by an authen ...) NOT-FOR-US: Netgear CVE-2018-21150 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21149 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21148 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21147 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21146 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2018-21145 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21144 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21143 (NETGEAR GS810EMX devices before 1.0.0.5 are affected by disclosure of ...) NOT-FOR-US: Netgear CVE-2018-21142 (Certain NETGEAR devices are affected by denial of service. This affect ...) NOT-FOR-US: Netgear CVE-2018-21141 (Certain NETGEAR devices are affected by denial of service. This affect ...) NOT-FOR-US: Netgear CVE-2018-21140 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) NOT-FOR-US: Netgear CVE-2018-21139 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...) NOT-FOR-US: Netgear CVE-2018-21138 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) NOT-FOR-US: Netgear CVE-2018-21137 (Certain NETGEAR devices are affected by a hardcoded password. This aff ...) NOT-FOR-US: Netgear CVE-2018-21136 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...) NOT-FOR-US: Netgear CVE-2018-21135 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21134 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21133 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21132 (Certain NETGEAR devices are affected by authentication bypass. This af ...) NOT-FOR-US: Netgear CVE-2018-21131 (Certain NETGEAR devices are affected by unauthenticated firmware downg ...) NOT-FOR-US: Netgear CVE-2018-21130 (Certain NETGEAR devices are affected by command injection by an unauth ...) NOT-FOR-US: Netgear CVE-2018-21129 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...) NOT-FOR-US: Netgear CVE-2018-21128 (Certain NETGEAR devices are affected by authentication bypass. This af ...) NOT-FOR-US: Netgear CVE-2018-21127 (Certain NETGEAR devices are affected by command injection by an unauth ...) NOT-FOR-US: Netgear CVE-2018-21126 (Certain NETGEAR devices are affected by command injection by an unauth ...) NOT-FOR-US: Netgear CVE-2018-21125 (NETGEAR WAC510 devices before 5.0.0.17 are affected by authentication ...) NOT-FOR-US: Netgear CVE-2018-21124 (NETGEAR WAC510 devices before 5.0.0.17 are affected by privilege escal ...) NOT-FOR-US: Netgear CVE-2018-21123 (Certain NETGEAR devices are affected by command injection by an unauth ...) NOT-FOR-US: Netgear CVE-2018-21122 (Certain NETGEAR devices are affected by denial of service. This affect ...) NOT-FOR-US: Netgear CVE-2018-21121 (Certain NETGEAR devices are affected by authentication bypass. This af ...) NOT-FOR-US: Netgear CVE-2018-21120 (Certain NETGEAR devices are affected by CSRF. This affects WAC120 befo ...) NOT-FOR-US: Netgear CVE-2018-21119 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2018-21118 (NETGEAR XR500 devices before 2.3.2.32 are affected by authentication b ...) NOT-FOR-US: Netgear CVE-2018-21117 (NETGEAR XR500 devices before 2.3.2.32 are affected by remote code exec ...) NOT-FOR-US: Netgear CVE-2018-21116 (NETGEAR XR500 devices before 2.3.2.32 are affected by remote code exec ...) NOT-FOR-US: Netgear CVE-2018-21115 (NETGEAR XR500 devices before 2.3.2.32 are affected by remote code exec ...) NOT-FOR-US: Netgear CVE-2018-21114 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2018-21113 (Certain NETGEAR devices are affected by command injection by an unauth ...) NOT-FOR-US: Netgear CVE-2018-21112 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2018-21111 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21110 (NETGEAR R7800 devices before 1.0.2.60 are affected by command injectio ...) NOT-FOR-US: Netgear CVE-2018-21109 (NETGEAR R7800 devices before 1.0.2.60 are affected by command injectio ...) NOT-FOR-US: Netgear CVE-2018-21108 (NETGEAR R7800 devices before 1.0.2.60 are affected by command injectio ...) NOT-FOR-US: Netgear CVE-2018-21107 (NETGEAR R7800 devices before 1.0.2.60 are affected by command injectio ...) NOT-FOR-US: Netgear CVE-2018-21106 (NETGEAR R7800 devices before 1.0.2.60 are affected by command injectio ...) NOT-FOR-US: Netgear CVE-2018-21105 (NETGEAR R7800 devices before 1.0.2.60 are affected by command injectio ...) NOT-FOR-US: Netgear CVE-2018-21104 (NETGEAR R7800 devices before 1.0.2.60 are affected by command injectio ...) NOT-FOR-US: Netgear CVE-2018-21103 (NETGEAR R7800 devices before 1.0.2.60 are affected by command injectio ...) NOT-FOR-US: Netgear CVE-2018-21102 (NETGEAR ReadyNAS devices before 6.9.3 are affected by CSRF. ...) NOT-FOR-US: Netgear CVE-2018-21101 (NETGEAR R7800 devices before 1.0.2.60 are affected by command injectio ...) NOT-FOR-US: Netgear CVE-2018-21100 (NETGEAR R7800 devices before 1.0.2.60 are affected by command injectio ...) NOT-FOR-US: Netgear CVE-2018-21099 (NETGEAR R7800 devices before 1.0.2.60 are affected by command injectio ...) NOT-FOR-US: Netgear CVE-2018-21098 (NETGEAR R7800 devices before 1.0.2.60 are affected by command injectio ...) NOT-FOR-US: Netgear CVE-2018-21097 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2018-21096 (Certain NETGEAR devices are affected by CSRF. This affects WAC120 befo ...) NOT-FOR-US: Netgear CVE-2018-21095 (Certain NETGEAR devices are affected by stored XSS. This affects SRR60 ...) NOT-FOR-US: Netgear CVE-2018-21094 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) NOT-FOR-US: Netgear CVE-2018-21093 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2017-18852 (Certain NETGEAR devices are affected by CSRF and authentication bypass ...) NOT-FOR-US: NETGEAR CVE-2017-18851 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: NETGEAR CVE-2017-18850 (Certain NETGEAR devices are affected by authentication bypass. This af ...) NOT-FOR-US: NETGEAR CVE-2017-18849 (Certain NETGEAR devices are affected by command injection. This affect ...) NOT-FOR-US: NETGEAR CVE-2017-18848 (Certain NETGEAR devices are affected by CSRF. This affects R6300v2 bef ...) NOT-FOR-US: NETGEAR CVE-2017-18847 (Certain NETGEAR devices are affected by an attacker's ability to read ...) NOT-FOR-US: NETGEAR CVE-2017-18846 (Certain NETGEAR devices are affected by a stack-based buffer overflow. ...) NOT-FOR-US: NETGEAR CVE-2017-18845 (Certain NETGEAR devices are affected by disclosure of administrative c ...) NOT-FOR-US: NETGEAR CVE-2017-18844 (Certain NETGEAR devices are affected by disclosure of administrative c ...) NOT-FOR-US: NETGEAR CVE-2017-18843 (Certain NETGEAR devices are affected by disclosure of administrative c ...) NOT-FOR-US: NETGEAR CVE-2017-18842 (Certain NETGEAR devices are affected by CSRF. This affects R7300 befor ...) NOT-FOR-US: NETGEAR CVE-2017-18841 (Certain NETGEAR devices are affected by command injection. This affect ...) NOT-FOR-US: NETGEAR CVE-2017-18840 (Certain NETGEAR devices are affected by denial of service. This affect ...) NOT-FOR-US: NETGEAR CVE-2017-18839 (Certain NETGEAR devices are affected by stored XSS. This affects M4300 ...) NOT-FOR-US: NETGEAR CVE-2017-18838 (Certain NETGEAR devices are affected by privilege escalation. This aff ...) NOT-FOR-US: NETGEAR CVE-2017-18837 (Certain NETGEAR devices are affected by vertical privilege escalation. ...) NOT-FOR-US: NETGEAR CVE-2017-18836 (Certain NETGEAR devices are affected by denial of service. This affect ...) NOT-FOR-US: NETGEAR CVE-2017-18835 (Certain NETGEAR devices are affected by reflected XSS. This affects M4 ...) NOT-FOR-US: NETGEAR CVE-2017-18834 (Certain NETGEAR devices are affected by reflected XSS. This affects M4 ...) NOT-FOR-US: NETGEAR CVE-2017-18833 (Certain NETGEAR devices are affected by reflected XSS. This affects M4 ...) NOT-FOR-US: NETGEAR CVE-2017-18832 (Certain NETGEAR devices are affected by stored XSS. This affects M4300 ...) NOT-FOR-US: NETGEAR CVE-2017-18831 (Certain NETGEAR devices are affected by stored XSS. This affects M4300 ...) NOT-FOR-US: NETGEAR CVE-2017-18830 (Certain NETGEAR devices are affected by vertical privilege escalation. ...) NOT-FOR-US: NETGEAR CVE-2017-18829 (Certain NETGEAR devices are affected by vertical privilege escalation. ...) NOT-FOR-US: NETGEAR CVE-2017-18828 (Certain NETGEAR devices are affected by stored XSS. This affects M4300 ...) NOT-FOR-US: NETGEAR CVE-2017-18827 (Certain NETGEAR devices are affected by stored XSS. This affects M4300 ...) NOT-FOR-US: NETGEAR CVE-2017-18826 (Certain NETGEAR devices are affected by vertical privilege escalation. ...) NOT-FOR-US: NETGEAR CVE-2017-18825 (Certain NETGEAR devices are affected by stored XSS. This affects M4300 ...) NOT-FOR-US: NETGEAR CVE-2017-18824 (Certain NETGEAR devices are affected by directory traversal. This affe ...) NOT-FOR-US: NETGEAR CVE-2017-18823 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) NOT-FOR-US: NETGEAR CVE-2017-18822 (Certain NETGEAR devices are affected by vertical privilege escalation. ...) NOT-FOR-US: NETGEAR CVE-2017-18821 (Certain NETGEAR devices are affected by stored XSS. This affects M4300 ...) NOT-FOR-US: Netgear CVE-2017-18820 (NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6. ...) NOT-FOR-US: Netgear CVE-2017-18819 (NETGEAR ReadyNAS OS 6 devices, running ReadyNAS OS versions prior to 6 ...) NOT-FOR-US: Netgear CVE-2017-18818 RESERVED CVE-2017-18817 RESERVED CVE-2017-18816 (NETGEAR ReadyNAS OS 6 devices, running ReadyNAS OS versions prior to 6 ...) NOT-FOR-US: Netgear CVE-2017-18815 (NETGEAR ReadyNAS OS 6 devices, running ReadyNAS OS versions prior to 6 ...) NOT-FOR-US: Netgear CVE-2017-18814 (NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6. ...) NOT-FOR-US: Netgear CVE-2017-18813 (NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6. ...) NOT-FOR-US: Netgear CVE-2017-18812 (NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6. ...) NOT-FOR-US: Netgear CVE-2017-18811 (NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6. ...) NOT-FOR-US: Netgear CVE-2017-18810 (NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6. ...) NOT-FOR-US: Netgear CVE-2017-18809 (NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6. ...) NOT-FOR-US: Netgear CVE-2017-18808 (NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6. ...) NOT-FOR-US: Netgear CVE-2017-18807 (NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6. ...) NOT-FOR-US: Netgear CVE-2017-18806 (Certain NETGEAR devices are affected by command injection. This affect ...) NOT-FOR-US: Netgear CVE-2017-18805 (Certain NETGEAR devices are affected by command injection. This affect ...) NOT-FOR-US: Netgear CVE-2017-18804 (Certain NETGEAR devices are affected by command injection. This affect ...) NOT-FOR-US: Netgear CVE-2017-18803 (NETGEAR R7800 devices before 1.0.2.30 are affected by incorrect config ...) NOT-FOR-US: Netgear CVE-2017-18802 (Certain NETGEAR devices are affected by command injection. This affect ...) NOT-FOR-US: Netgear CVE-2017-18801 (Certain NETGEAR devices are affected by command injection. This affect ...) NOT-FOR-US: Netgear CVE-2017-18800 (Certain NETGEAR devices are affected by reflected XSS. This affects R6 ...) NOT-FOR-US: Netgear CVE-2017-18799 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) NOT-FOR-US: Netgear CVE-2017-18798 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) NOT-FOR-US: Netgear CVE-2017-18797 (Certain NETGEAR devices are affected by an attacker's ability to read ...) NOT-FOR-US: Netgear CVE-2017-18796 (Certain NETGEAR devices are affected by command injection. This affect ...) NOT-FOR-US: Netgear CVE-2017-18795 (Certain NETGEAR devices are affected by command injection. This affect ...) NOT-FOR-US: Netgear CVE-2017-18794 (Certain NETGEAR devices are affected by command injection. This affect ...) NOT-FOR-US: Netgear CVE-2017-18793 (NETGEAR R7800 devices before 1.0.2.36 are affected by command injectio ...) NOT-FOR-US: Netgear CVE-2017-18792 (NETGEAR D6100 devices before 1.0.0.50_0.0.50 are affected by command i ...) NOT-FOR-US: Netgear CVE-2017-18791 (Certain NETGEAR devices are affected by CSRF. This affects R6050/JR615 ...) NOT-FOR-US: Netgear CVE-2017-18790 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...) NOT-FOR-US: Netgear CVE-2017-18789 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...) NOT-FOR-US: Netgear CVE-2017-18788 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2017-18787 (Certain NETGEAR devices are affected by command injection. This affect ...) NOT-FOR-US: Netgear CVE-2017-18786 (Certain NETGEAR devices are affected by command injection. This affect ...) NOT-FOR-US: Netgear CVE-2017-18785 (Certain NETGEAR devices are affected by XSS. This affects D3600 before ...) NOT-FOR-US: Netgear CVE-2017-18784 (Certain NETGEAR devices are affected by XSS. This affects D6200 before ...) NOT-FOR-US: Netgear CVE-2017-18783 (Certain NETGEAR devices are affected by XSS. This affects D6200 before ...) NOT-FOR-US: Netgear CVE-2017-18782 (Certain NETGEAR devices are affected by CSRF. This affects D6200 befor ...) NOT-FOR-US: Netgear CVE-2017-18781 (Certain NETGEAR devices are affected by CSRF. This affects D6200 befor ...) NOT-FOR-US: Netgear CVE-2017-18780 (Certain NETGEAR devices are affected by denial of service. This affect ...) NOT-FOR-US: Netgear CVE-2017-18779 (Certain NETGEAR devices are affected by a buffer overflow. This affect ...) NOT-FOR-US: Netgear CVE-2017-18778 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) NOT-FOR-US: Netgear CVE-2017-18777 (Certain NETGEAR devices are affected by administrative password disclo ...) NOT-FOR-US: Netgear CVE-2017-18776 (Certain NETGEAR devices are affected by authentication bypass. This af ...) NOT-FOR-US: Netgear CVE-2017-18775 (Certain NETGEAR devices are affected by CSRF. This affects R6100 befor ...) NOT-FOR-US: Netgear CVE-2017-18774 REJECTED CVE-2017-18773 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2017-18772 (Certain NETGEAR devices are affected by authentication bypass. This af ...) NOT-FOR-US: Netgear CVE-2017-18771 REJECTED CVE-2017-18770 (Certain NETGEAR devices are affected by a buffer overflow by an authen ...) NOT-FOR-US: Netgear CVE-2017-18769 (Certain NETGEAR devices are affected by an attacker's ability to read ...) NOT-FOR-US: Netgear CVE-2017-18768 (Certain NETGEAR devices are affected by CSRF. This affects EX6100 befo ...) NOT-FOR-US: Netgear CVE-2017-18767 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2017-18766 (Certain NETGEAR devices are affected by an attacker's ability to read ...) NOT-FOR-US: Netgear CVE-2017-18765 (Certain NETGEAR devices are affected by denial of service. This affect ...) NOT-FOR-US: Netgear CVE-2017-18764 (Certain NETGEAR devices are affected by command injection by an unauth ...) NOT-FOR-US: Netgear CVE-2017-18763 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) NOT-FOR-US: Netgear CVE-2017-18762 (Certain NETGEAR devices are affected by command injection by an unauth ...) NOT-FOR-US: Netgear CVE-2017-18761 (NETGEAR R8000 devices before 1.0.4.2 are affected by a stack-based buf ...) NOT-FOR-US: Netgear CVE-2017-18760 REJECTED CVE-2017-18759 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2017-18758 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2017-18757 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) NOT-FOR-US: Netgear CVE-2017-18756 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) NOT-FOR-US: Netgear CVE-2017-18755 (Certain NETGEAR devices are affected by CSRF. This affects R6300v2 bef ...) NOT-FOR-US: Netgear CVE-2017-18754 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2017-18753 REJECTED CVE-2017-18752 (Certain NETGEAR devices are affected by an attacker's ability to read ...) NOT-FOR-US: Netgear CVE-2017-18751 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2017-18750 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2017-18749 (Certain NETGEAR devices are affected by CSRF. This affects JNR1010v2 b ...) NOT-FOR-US: Netgear CVE-2017-18748 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) NOT-FOR-US: Netgear CVE-2017-18747 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) NOT-FOR-US: Netgear CVE-2017-18746 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) NOT-FOR-US: Netgear CVE-2017-18745 (Certain NETGEAR devices are affected by stored XSS. This affects R6400 ...) NOT-FOR-US: Netgear CVE-2017-18744 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...) NOT-FOR-US: Netgear CVE-2017-18743 (Certain NETGEAR devices are affected by authentication bypass. This af ...) NOT-FOR-US: Netgear CVE-2017-18742 (Certain NETGEAR devices are affected by CSRF. This affects JR6150 befo ...) NOT-FOR-US: Netgear CVE-2017-18741 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) NOT-FOR-US: Netgear CVE-2017-18740 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) NOT-FOR-US: Netgear CVE-2017-18739 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...) NOT-FOR-US: Netgear CVE-2017-18738 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2017-18737 (Certain NETGEAR devices are affected by command injection by an unauth ...) NOT-FOR-US: Netgear CVE-2017-18736 (Certain NETGEAR devices are affected by command injection by an unauth ...) NOT-FOR-US: Netgear CVE-2017-18735 (Certain NETGEAR devices are affected by command injection by an unauth ...) NOT-FOR-US: Netgear CVE-2017-18734 (Certain NETGEAR devices are affected by command injection by an unauth ...) NOT-FOR-US: Netgear CVE-2017-18733 (Certain NETGEAR devices are affected by authentication bypass. This af ...) NOT-FOR-US: Netgear CVE-2017-18732 (Certain NETGEAR devices are affected by authentication bypass. This af ...) NOT-FOR-US: Netgear CVE-2017-18731 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) NOT-FOR-US: Netgear CVE-2017-18730 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2017-18729 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2017-18728 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2017-18727 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2017-18726 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2017-18725 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2017-18724 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2017-18723 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2017-18722 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2017-18721 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2017-18720 (Certain NETGEAR devices are affected by authentication bypass. This af ...) NOT-FOR-US: Netgear CVE-2017-18719 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2017-18718 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2017-18717 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2017-18716 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2017-18715 (Certain NETGEAR devices are affected by reflected XSS. This affects EX ...) NOT-FOR-US: Netgear CVE-2017-18714 (NETGEAR WNDR4500v3 devices before 1.0.0.48 are affected by denial of s ...) NOT-FOR-US: Netgear CVE-2017-18713 (Certain NETGEAR devices are affected by an attacker's ability to read ...) NOT-FOR-US: Netgear CVE-2017-18712 (Certain NETGEAR devices are affected by an attacker's ability to read ...) NOT-FOR-US: Netgear CVE-2017-18711 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) NOT-FOR-US: Netgear CVE-2017-18710 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...) NOT-FOR-US: Netgear CVE-2017-18709 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) NOT-FOR-US: Netgear CVE-2017-18708 (Certain NETGEAR devices are affected by CSRF. This affects R8300 befor ...) NOT-FOR-US: Netgear CVE-2017-18707 (Certain NETGEAR devices are affected by a buffer overflow by an authen ...) NOT-FOR-US: Netgear CVE-2017-18706 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) NOT-FOR-US: Netgear CVE-2017-18705 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) NOT-FOR-US: Netgear CVE-2017-18704 (Certain NETGEAR devices are affected by an attacker's ability to read ...) NOT-FOR-US: Netgear CVE-2017-18703 (Certain NETGEAR devices are affected by CSRF. This affects D1500 befor ...) NOT-FOR-US: Netgear CVE-2017-18702 (NETGEAR R6220 devices before 1.1.0.60 are affected by incorrect config ...) NOT-FOR-US: Netgear CVE-2017-18701 (Certain NETGEAR devices are affected by reflected XSS. This affects R6 ...) NOT-FOR-US: Netgear CVE-2017-18700 (Certain NETGEAR devices are affected by stored XSS. This affects D6400 ...) NOT-FOR-US: Netgear CVE-2017-18699 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2017-18698 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2017-18697 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2020-11930 (The GTranslate plugin before 2.8.52 for WordPress has Reflected XSS vi ...) NOT-FOR-US: GTranslate plugin for WordPress CVE-2020-11929 RESERVED CVE-2020-11928 (In the media-library-assistant plugin before 2.82 for WordPress, Remot ...) NOT-FOR-US: media-library-assistant plugin for WordPress CVE-2020-11927 RESERVED CVE-2020-11926 RESERVED CVE-2020-11925 RESERVED CVE-2020-11924 RESERVED CVE-2020-11923 RESERVED CVE-2020-11922 RESERVED CVE-2020-11921 RESERVED CVE-2020-11920 RESERVED CVE-2020-11919 RESERVED CVE-2020-11918 RESERVED CVE-2020-11917 RESERVED CVE-2020-11916 RESERVED CVE-2020-11915 RESERVED CVE-2019-20786 (handleIncomingPacket in conn.go in Pion DTLS before 1.5.2 lacks a chec ...) NOT-FOR-US: Pion DTLS CVE-2020-11914 (The Treck TCP/IP stack before 6.0.1.66 has an ARP Out-of-bounds Read. ...) NOT-FOR-US: Treck TCP/IP stack / Cisco CVE-2020-11913 (The Treck TCP/IP stack before 6.0.1.66 has an IPv6 Out-of-bounds Read. ...) NOT-FOR-US: Treck TCP/IP stack / Cisco CVE-2020-11912 (The Treck TCP/IP stack before 6.0.1.66 has a TCP Out-of-bounds Read. ...) NOT-FOR-US: Treck TCP/IP stack / Cisco CVE-2020-11911 (The Treck TCP/IP stack before 6.0.1.66 has Improper ICMPv4 Access Cont ...) NOT-FOR-US: Treck TCP/IP stack / Cisco CVE-2020-11910 (The Treck TCP/IP stack before 6.0.1.66 has an ICMPv4 Out-of-bounds Rea ...) NOT-FOR-US: Treck TCP/IP stack / Cisco CVE-2020-11909 (The Treck TCP/IP stack before 6.0.1.66 has an IPv4 Integer Underflow. ...) NOT-FOR-US: Treck TCP/IP stack / Cisco CVE-2020-11908 (The Treck TCP/IP stack before 4.7.1.27 mishandles '\0' termination in ...) NOT-FOR-US: Treck TCP/IP stack / Cisco CVE-2020-11907 (The Treck TCP/IP stack before 6.0.1.66 improperly handles a Length Par ...) NOT-FOR-US: Treck TCP/IP stack / Cisco CVE-2020-11906 (The Treck TCP/IP stack before 6.0.1.66 has an Ethernet Link Layer Inte ...) NOT-FOR-US: Treck TCP/IP stack / Cisco CVE-2020-11905 (The Treck TCP/IP stack before 6.0.1.66 has a DHCPv6 Out-of-bounds Read ...) NOT-FOR-US: Treck TCP/IP stack / Cisco CVE-2020-11904 (The Treck TCP/IP stack before 6.0.1.66 has an Integer Overflow during ...) NOT-FOR-US: Treck TCP/IP stack / Cisco CVE-2020-11903 (The Treck TCP/IP stack before 6.0.1.28 has a DHCP Out-of-bounds Read. ...) NOT-FOR-US: Treck TCP/IP stack / Cisco CVE-2020-11902 (The Treck TCP/IP stack before 6.0.1.66 has an IPv6OverIPv4 tunneling O ...) NOT-FOR-US: Treck TCP/IP stack / Cisco CVE-2020-11901 (The Treck TCP/IP stack before 6.0.1.66 allows Remote Code execution vi ...) NOT-FOR-US: Treck TCP/IP stack / Cisco CVE-2020-11900 (The Treck TCP/IP stack before 6.0.1.41 has an IPv4 tunneling Double Fr ...) NOT-FOR-US: Treck TCP/IP stack / Cisco CVE-2020-11899 (The Treck TCP/IP stack before 6.0.1.66 has an IPv6 Out-of-bounds Read. ...) NOT-FOR-US: Treck TCP/IP stack / Cisco CVE-2020-11898 (The Treck TCP/IP stack before 6.0.1.66 improperly handles an IPv4/ICMP ...) NOT-FOR-US: Treck TCP/IP stack / Cisco CVE-2020-11897 (The Treck TCP/IP stack before 5.0.1.35 has an Out-of-Bounds Write via ...) NOT-FOR-US: Treck TCP/IP stack / Cisco CVE-2020-11896 (The Treck TCP/IP stack before 6.0.1.66 allows Remote Code Execution, r ...) NOT-FOR-US: Treck TCP/IP stack / Cisco CVE-2020-11895 (Ming (aka libming) 0.4.8 has a heap-based buffer over-read (2 bytes) i ...) - ming NOTE: https://github.com/libming/libming/issues/197 CVE-2020-11894 (Ming (aka libming) 0.4.8 has a heap-based buffer over-read (8 bytes) i ...) - ming NOTE: https://github.com/libming/libming/issues/196 CVE-2020-11893 RESERVED CVE-2020-11892 RESERVED CVE-2020-11891 (An issue was discovered in Joomla! before 3.9.17. Incorrect ACL checks ...) NOT-FOR-US: Joomla! CVE-2020-11890 (An issue was discovered in Joomla! before 3.9.17. Improper input valid ...) NOT-FOR-US: Joomla! CVE-2020-11889 (An issue was discovered in Joomla! before 3.9.17. Incorrect ACL checks ...) NOT-FOR-US: Joomla! CVE-2020-11888 (python-markdown2 through 2.3.8 allows XSS because element names are mi ...) - python-markdown2 2.3.9-1 (bug #959445) [buster] - python-markdown2 (Minor issue) NOTE: https://github.com/trentm/python-markdown2/issues/348 CVE-2020-11887 (svg2png 4.1.1 allows XSS with resultant SSRF via JavaScript inside an ...) NOT-FOR-US: svg2png CVE-2020-11886 (OpenNMS Horizon and Meridian allows HQL Injection in element/nodeList. ...) NOT-FOR-US: OpenNMS CVE-2020-11885 (WSO2 Enterprise Integrator through 6.6.0 has an XXE vulnerability wher ...) NOT-FOR-US: WSO2 Enterprise Integrator CVE-2020-11884 (In the Linux kernel through 5.6.7 on the s390 platform, code execution ...) {DSA-4667-1} - linux 5.6.7-1 [stretch] - linux (Vulnerable code introduced later) [jessie] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/316ec154810960052d4586b634156c54d0778f74 CVE-2020-11883 (In Divante vue-storefront-api through 1.11.1 and storefront-api throug ...) NOT-FOR-US: Divante vue-storefront-api CVE-2020-11882 (The O2 Business application 1.2.0 for Android exposes the canvasm.myo2 ...) NOT-FOR-US: O2 Business CVE-2020-11881 RESERVED CVE-2020-11880 (An issue was discovered in KDE KMail before 19.12.3. By using the prop ...) - kmail (bug #958054) [buster] - kmail (Minor issue) - kdepim [stretch] - kdepim (Minor issue) [jessie] - kdepim (Minor issue) NOTE: https://cgit.kde.org/kmail.git/commit/?id=2a348eccd352260f192d9b449492071bbf2b34b1 CVE-2020-11879 (An issue was discovered in GNOME Evolution before 3.35.91. By using th ...) - evolution 3.36.0-1 [buster] - evolution (Minor issue) [stretch] - evolution (Minor issue) [jessie] - evolution (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/evolution/issues/784 NOTE: https://gitlab.gnome.org/GNOME/evolution/-/commit/6489f20d6905cc797e2b2581c415e558c457caa7 CVE-2020-11878 (The Jitsi Meet (aka docker-jitsi-meet) stack on Docker before stable-4 ...) - jitsi-meet (bug #760485) CVE-2020-11877 (** DISPUTED ** airhost.exe in Zoom Client for Meetings 4.6.11 uses 342 ...) NOT-FOR-US: Zoom Client for Meetings CVE-2020-11876 (** DISPUTED ** airhost.exe in Zoom Client for Meetings 4.6.11 uses the ...) NOT-FOR-US: Zoom Client for Meetings CVE-2020-11875 (An issue was discovered on LG mobile devices with Android OS 8.0, 8.1, ...) NOT-FOR-US: LG mobile devices CVE-2020-11874 (An issue was discovered on LG mobile devices with Android OS 8.0, 8.1, ...) NOT-FOR-US: LG mobile devices CVE-2020-11873 (An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, ...) NOT-FOR-US: LG mobile devices CVE-2020-11872 (The Cloud Functions subsystem in OpenTrace 1.0 might allow fabrication ...) NOT-FOR-US: OpenTrace CVE-2020-11871 RESERVED CVE-2020-11870 RESERVED CVE-2020-11869 (An integer overflow was found in QEMU 4.0.1 through 4.2.0 in the way i ...) - qemu 1:5.0-1 [buster] - qemu (Vulnerable code introduced later) [stretch] - qemu (Vulnerable code introduced later) [jessie] - qemu (Vulnerable code introduced later) NOTE: Fixed by: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=ac2071c3791b67fc7af78b8ceb320c01ca1b5df7 NOTE: https://www.openwall.com/lists/oss-security/2020/04/24/2 CVE-2020-11868 (ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-pat ...) {DLA-2201-1} - ntp 1:4.2.8p14+dfsg-1 [buster] - ntp (Minor issue) [stretch] - ntp (Minor issue) - ntpsec (Doesn't affect ntpsec per upstream, #958027) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3592 NOTE: http://bugs.ntp.org/3592 NOTE: http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=5df73278nIf5dNbaR_vTeCY43_h7Vg NOTE: http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=5deb5269ieF1tee6Mp3UJyZOk8DB-Q NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1716665 NOTE: https://gitlab.com/NTPsec/ntpsec/issues/651 CVE-2020-11867 RESERVED CVE-2020-11866 (libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows a use-aft ...) - libemf 1.0.12-1 [buster] - libemf (Minor issue) CVE-2020-11865 (libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows out-of-bo ...) - libemf 1.0.12-1 [buster] - libemf (Minor issue) CVE-2020-11864 (libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows denial of ...) - libemf 1.0.12-1 [buster] - libemf (Minor issue) CVE-2020-11863 (libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows denial of ...) - libemf 1.0.12-1 [buster] - libemf (Minor issue) CVE-2019-20785 (An issue was discovered on LG mobile devices with Android OS 8.0 and 8 ...) NOT-FOR-US: LG mobile devices CVE-2019-20784 (An issue was discovered on LG mobile devices with Android OS 7.0, 7.1, ...) NOT-FOR-US: LG mobile devices CVE-2019-20783 (An issue was discovered on LG mobile devices with Android OS 7.0, 7.1, ...) NOT-FOR-US: LG mobile devices CVE-2019-20782 (An issue was discovered on LG mobile devices with Android OS 7.0, 7.1, ...) NOT-FOR-US: LG mobile devices CVE-2019-20781 (An issue was discovered in LG Bridge before April 2019 on Windows. DLL ...) NOT-FOR-US: LG Bridge CVE-2019-20780 (An issue was discovered on LG mobile devices with Android OS 7.0, 7.1, ...) NOT-FOR-US: LG mobile devices CVE-2019-20779 (An issue was discovered on LG mobile devices with Android OS 7.0, 7.1, ...) NOT-FOR-US: LG mobile devices CVE-2019-20778 (An issue was discovered on LG mobile devices with Android OS 7.0, 7.1, ...) NOT-FOR-US: LG mobile devices CVE-2019-20777 (An issue was discovered on LG mobile devices with Android OS 7.0, 7.1, ...) NOT-FOR-US: LG mobile devices CVE-2019-20776 (An issue was discovered on LG mobile devices with Android OS 7.0, 7.1, ...) NOT-FOR-US: LG mobile devices CVE-2019-20775 (An issue was discovered on LG mobile devices with Android OS 9.0 (Qual ...) NOT-FOR-US: LG mobile devices CVE-2019-20774 (An issue was discovered on LG mobile devices with Android OS 7.0, 7.1, ...) NOT-FOR-US: LG mobile devices CVE-2019-20773 (An issue was discovered on LG mobile devices with Android OS 7.0, 7.1, ...) NOT-FOR-US: LG mobile devices CVE-2019-20772 (An issue was discovered on LG mobile devices with Android OS 7.0, 7.1, ...) NOT-FOR-US: LG mobile devices CVE-2019-20771 (An issue was discovered on LG mobile devices with Android OS 7.0, 7.1, ...) NOT-FOR-US: LG mobile devices CVE-2019-20770 (An issue was discovered on LG mobile devices with Android OS 9.0 softw ...) NOT-FOR-US: LG mobile devices CVE-2019-20769 (An issue was discovered in LG PC Suite for LG G3 and earlier (aka LG P ...) NOT-FOR-US: LG PC Suite CVE-2020-11862 RESERVED CVE-2020-11861 RESERVED CVE-2020-11860 RESERVED CVE-2020-11859 RESERVED CVE-2020-11858 RESERVED CVE-2020-11857 RESERVED CVE-2020-11856 RESERVED CVE-2020-11855 RESERVED CVE-2020-11854 RESERVED CVE-2020-11853 RESERVED CVE-2020-11852 RESERVED CVE-2020-11851 RESERVED CVE-2020-11850 RESERVED CVE-2020-11849 (Elevation of privilege and/or unauthorized access vulnerability in Mic ...) NOT-FOR-US: Micro Focus CVE-2020-11848 RESERVED CVE-2020-11847 RESERVED CVE-2020-11846 RESERVED CVE-2020-11845 (Cross Site Scripting vulnerability in Micro Focus Service Manager prod ...) NOT-FOR-US: Micro Focus CVE-2020-11844 (Incorrect Authorization vulnerability in Micro Focus Container Deploym ...) NOT-FOR-US: Micro Focus CVE-2020-11843 RESERVED CVE-2020-11842 (Information disclosure vulnerability in Micro Focus Verastream Host In ...) NOT-FOR-US: Micro Focus CVE-2020-11841 (Unauthorized information disclosure vulnerability in Micro Focus ArcSi ...) NOT-FOR-US: Micro Focus CVE-2020-11840 (Unauthorized information disclosure vulnerability in Micro Focus ArcSi ...) NOT-FOR-US: Micro Focus CVE-2020-11839 (Cross Site Scripting (XSS) vulnerability in Micro Focus ArcSight Logge ...) NOT-FOR-US: Micro Focus CVE-2020-11838 (Cross Site Scripting (XSS) vulnerability in Micro Focus ArcSight Manag ...) NOT-FOR-US: Micro Focus CVE-2020-11837 RESERVED CVE-2020-11836 RESERVED CVE-2020-11835 RESERVED CVE-2020-11834 RESERVED CVE-2020-11833 RESERVED CVE-2020-11832 RESERVED CVE-2020-11831 RESERVED CVE-2020-11830 RESERVED CVE-2020-11829 RESERVED CVE-2020-11828 (In ColorOS (oppo mobile phone operating system, based on AOSP framewor ...) NOT-FOR-US: ColorOS CVE-2020-11827 RESERVED CVE-2020-11826 (Users can lock their notes with a password in Memono version 3.8. Thus ...) NOT-FOR-US: Memono CVE-2020-11825 (In Dolibarr 10.0.6, forms are protected with a CSRF token against CSRF ...) - dolibarr CVE-2020-11824 RESERVED CVE-2020-11823 (In Dolibarr 10.0.6, if USER_LOGIN_FAILED is active, there is a stored ...) - dolibarr CVE-2020-11822 (In Rukovoditel 2.5.2, there is a stored XSS vulnerability on the appli ...) NOT-FOR-US: Rukovoditel CVE-2020-11821 (In Rukovoditel 2.5.2, users' passwords and usernames are stored in a c ...) NOT-FOR-US: Rukovoditel CVE-2020-11820 (Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because ...) NOT-FOR-US: Rukovoditel CVE-2020-11819 (In Rukovoditel 2.5.2, an attacker may inject an arbitrary .php file lo ...) NOT-FOR-US: Rukovoditel CVE-2020-11818 (In Rukovoditel 2.5.2 has a form_session_token value to prevent CSRF at ...) NOT-FOR-US: Rukovoditel CVE-2020-11817 (In Rukovoditel V2.5.2, attackers can upload an arbitrary file to the s ...) NOT-FOR-US: Rukovoditel CVE-2020-11816 (Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because ...) NOT-FOR-US: Rukovoditel CVE-2020-11815 (In Rukovoditel 2.5.2, attackers can upload arbitrary file to the serve ...) NOT-FOR-US: Rukovoditel CVE-2020-11814 (A Host Header Injection vulnerability in qdPM 9.1 may allow an attacke ...) NOT-FOR-US: qdPM CVE-2020-11813 (In Rukovoditel 2.5.2, there is a stored XSS vulnerability on the confi ...) NOT-FOR-US: Rukovoditel CVE-2020-11812 (Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because ...) NOT-FOR-US: Rukovoditel CVE-2020-11811 (In qdPM 9.1, an attacker can upload a malicious .php file to the serve ...) NOT-FOR-US: qdPM CVE-2020-11810 (An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can ...) - openvpn 2.4.9-1 (low) [buster] - openvpn (Minor issue) [stretch] - openvpn (Minor issue) [jessie] - openvpn (Minor issue) NOTE: https://github.com/OpenVPN/openvpn/commit/37bc691e7d26ea4eb61a8a434ebd7a9ae76225ab CVE-2020-11809 RESERVED CVE-2020-11808 RESERVED CVE-2020-11807 (Because of Unrestricted Upload of a File with a Dangerous Type, Source ...) NOT-FOR-US: Sourcefabric Newscoop CVE-2020-11806 (In MailStore Outlook Add-in (and Email Archive Outlook Add-in) through ...) NOT-FOR-US: MailStore Outlook Add-in CVE-2020-11805 RESERVED CVE-2020-11804 RESERVED CVE-2020-11803 RESERVED CVE-2020-11802 RESERVED CVE-2020-11801 RESERVED CVE-2019-20768 (ServiceNow IT Service Management Kingston through Patch 14-1, London t ...) NOT-FOR-US: ServiceNow IT Service Management Kingston CVE-2020-11800 RESERVED CVE-2020-11799 (Z-Cron 5.6 Build 04 allows an unprivileged attacker to elevate privile ...) NOT-FOR-US: Z-Cron CVE-2020-11798 (A Directory Traversal vulnerability in the web conference component of ...) NOT-FOR-US: Mitel CVE-2020-11797 RESERVED CVE-2020-11796 (In JetBrains Space through 2020-04-22, the password authentication imp ...) NOT-FOR-US: JetBrains Space CVE-2020-11795 (In JetBrains Space through 2020-04-22, the session timeout period was ...) NOT-FOR-US: JetBrains Space CVE-2020-11794 RESERVED CVE-2020-11793 (A use-after-free issue exists in WebKitGTK before 2.28.1 and WPE WebKi ...) {DSA-4658-1} - webkit2gtk 2.28.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) - wpewebkit 2.28.1-1 NOTE: https://webkitgtk.org/security/WSA-2020-0004.html CVE-2020-11792 (NETGEAR R8900, R9000, RAX120, and XR700 devices before 2020-01-20 are ...) NOT-FOR-US: Netgear CVE-2020-11791 (NETGEAR JGS516PE devices before 2.6.0.43 are affected by reflected XSS ...) NOT-FOR-US: Netgear CVE-2020-11790 (NETGEAR R7800 devices before 1.0.2.68 are affected by remote code exec ...) NOT-FOR-US: Netgear CVE-2020-11789 (Certain NETGEAR devices are affected by command injection by an unauth ...) NOT-FOR-US: Netgear CVE-2020-11788 (Certain NETGEAR devices are affected by authentication bypass. This af ...) NOT-FOR-US: Netgear CVE-2020-11787 (Certain NETGEAR devices are affected by stored XSS. This affects D7800 ...) NOT-FOR-US: Netgear CVE-2020-11786 (Certain NETGEAR devices are affected by stored XSS. This affects D7800 ...) NOT-FOR-US: Netgear CVE-2020-11785 (Certain NETGEAR devices are affected by stored XSS. This affects D7800 ...) NOT-FOR-US: Netgear CVE-2020-11784 (Certain NETGEAR devices are affected by stored XSS. This affects D7800 ...) NOT-FOR-US: Netgear CVE-2020-11783 (Certain NETGEAR devices are affected by stored XSS. This affects D7800 ...) NOT-FOR-US: Netgear CVE-2020-11782 (Certain NETGEAR devices are affected by stored XSS. This affects D7800 ...) NOT-FOR-US: Netgear CVE-2020-11781 (Certain NETGEAR devices are affected by stored XSS. This affects D7800 ...) NOT-FOR-US: Netgear CVE-2020-11780 (Certain NETGEAR devices are affected by stored XSS. This affects D7800 ...) NOT-FOR-US: Netgear CVE-2020-11779 (Certain NETGEAR devices are affected by stored XSS. This affects D7800 ...) NOT-FOR-US: Netgear CVE-2020-11778 (Certain NETGEAR devices are affected by stored XSS. This affects D7800 ...) NOT-FOR-US: Netgear CVE-2020-11777 (Certain NETGEAR devices are affected by Stored XSS. This affects D7800 ...) NOT-FOR-US: Netgear CVE-2020-11776 (Certain NETGEAR devices are affected by stored XSS. This affects D7800 ...) NOT-FOR-US: Netgear CVE-2020-11775 (Certain NETGEAR devices are affected by stored XSS. This affects D7800 ...) NOT-FOR-US: Netgear CVE-2020-11774 (Certain NETGEAR devices are affected by stored XSS. This affects D7800 ...) NOT-FOR-US: Netgear CVE-2020-11773 (Certain NETGEAR devices are affected by stored XSS. This affects D7800 ...) NOT-FOR-US: Netgear CVE-2020-11772 (Certain NETGEAR devices are affected by stored XSS. This affects D7800 ...) NOT-FOR-US: Netgear CVE-2020-11771 (Certain NETGEAR devices are affected by stored XSS. This affects D7800 ...) NOT-FOR-US: Netgear CVE-2020-11770 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2020-11769 (Certain NETGEAR devices are affected by stored XSS. This affects D7800 ...) NOT-FOR-US: Netgear CVE-2020-11768 (Certain NETGEAR devices are affected by Stored XSS. This affects D7800 ...) NOT-FOR-US: Netgear CVE-2019-20767 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2019-20766 (NETGEAR R7800 devices before 1.0.2.52 are affected by a stack-based bu ...) NOT-FOR-US: Netgear CVE-2019-20765 (NETGEAR R7800 devices before 1.0.2.52 are affected by a stack-based bu ...) NOT-FOR-US: Netgear CVE-2019-20764 (NETGEAR R7800 devices before 1.0.2.52 are affected by a stack-based bu ...) NOT-FOR-US: Netgear CVE-2019-20763 (NETGEAR R7800 devices before 1.0.2.52 are affected by a stack-based bu ...) NOT-FOR-US: Netgear CVE-2019-20762 (Certain NETGEAR devices are affected by a buffer overflow by an authen ...) NOT-FOR-US: Netgear CVE-2019-20761 (NETGEAR R7800 devices before 1.0.2.62 are affected by command injectio ...) NOT-FOR-US: Netgear CVE-2019-20760 (NETGEAR R9000 devices before 1.0.4.26 are affected by authentication b ...) NOT-FOR-US: Netgear CVE-2019-20759 (NETGEAR R9000 devices before 1.0.4.26 are affected by stored XSS. ...) NOT-FOR-US: Netgear CVE-2019-20758 (NETGEAR R7000 devices before 1.0.9.42 are affected by a buffer overflo ...) NOT-FOR-US: Netgear CVE-2019-20757 (NETGEAR R7800 devices before 1.0.2.62 are affected by command injectio ...) NOT-FOR-US: Netgear CVE-2019-20756 (Certain NETGEAR devices are affected by reflected XSS. This affects EX ...) NOT-FOR-US: Netgear CVE-2019-20755 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2019-20754 (Certain NETGEAR devices are affected by a buffer overflow by an authen ...) NOT-FOR-US: Netgear CVE-2019-20753 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2019-20752 (Certain NETGEAR devices are affected by stored XSS. This affects D3600 ...) NOT-FOR-US: Netgear CVE-2019-20751 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2019-20750 (Certain NETGEAR devices are affected by stored XSS. This affects D7800 ...) NOT-FOR-US: Netgear CVE-2019-20749 (Certain NETGEAR devices are affected by stored XSS. This affects D7800 ...) NOT-FOR-US: Netgear CVE-2019-20748 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2019-20747 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2019-20746 (Certain NETGEAR devices are affected by reflected XSS. This affects D3 ...) NOT-FOR-US: Netgear CVE-2019-20745 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2019-20744 (NETGEAR WAC510 devices before 5.0.10.2 are affected by disclosure of s ...) NOT-FOR-US: Netgear CVE-2019-20743 (NETGEAR WAC510 devices before 8.0.1.3 are affected by stored XSS. ...) NOT-FOR-US: Netgear CVE-2019-20742 (NETGEAR WAC510 devices before 8.0.1.3 are affected by stored XSS. ...) NOT-FOR-US: Netgear CVE-2019-20741 (NETGEAR WAC510 devices before 5.0.10.2 are affected by disclosure of s ...) NOT-FOR-US: Netgear CVE-2019-20740 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2019-20739 (NETGEAR R8500 devices before v1.0.2.128 are affected by a buffer overf ...) NOT-FOR-US: Netgear CVE-2019-20738 (Certain NETGEAR devices are affected by stored XSS. This affects D6100 ...) NOT-FOR-US: Netgear CVE-2019-20737 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2019-20736 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2019-20735 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2019-20734 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...) NOT-FOR-US: Netgear CVE-2019-20733 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2019-20732 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2019-20731 (Certain NETGEAR devices are affected by a buffer overflow by an authen ...) NOT-FOR-US: Netgear CVE-2019-20730 (Certain NETGEAR devices are affected by SQL injection. This affects D3 ...) NOT-FOR-US: Netgear CVE-2019-20729 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) NOT-FOR-US: Netgear CVE-2019-20728 (Certain NETGEAR devices are affected by a buffer overflow by an authen ...) NOT-FOR-US: Netgear CVE-2019-20727 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2019-20726 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2019-20725 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2019-20724 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2019-20723 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2019-20722 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2019-20721 (Certain NETGEAR devices are affected by stored XSS. This affects D7800 ...) NOT-FOR-US: Netgear CVE-2019-20720 (Certain NETGEAR devices are affected by stored XSS. This affects D3600 ...) NOT-FOR-US: Netgear CVE-2019-20719 (Certain NETGEAR devices are affected by a buffer overflow by an authen ...) NOT-FOR-US: Netgear CVE-2019-20718 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2019-20717 (Certain NETGEAR devices are affected by denial of service. This affect ...) NOT-FOR-US: Netgear CVE-2019-20716 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2019-20715 (Certain NETGEAR devices are affected by stored XSS. This affects D3600 ...) NOT-FOR-US: Netgear CVE-2019-20714 (Certain NETGEAR devices are affected by stored XSS. This affects D3600 ...) NOT-FOR-US: Netgear CVE-2019-20713 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2019-20712 (Certain NETGEAR devices are affected by a buffer overflow by an authen ...) NOT-FOR-US: Netgear CVE-2019-20711 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2019-20710 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2019-20709 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2019-20708 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2019-20707 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2019-20706 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2019-20705 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2019-20704 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2019-20703 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2019-20702 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2019-20701 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2019-20700 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2019-20699 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...) NOT-FOR-US: Netgear CVE-2019-20698 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...) NOT-FOR-US: Netgear CVE-2019-20697 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2019-20696 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...) NOT-FOR-US: Netgear CVE-2019-20695 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...) NOT-FOR-US: Netgear CVE-2019-20694 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...) NOT-FOR-US: Netgear CVE-2019-20693 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) NOT-FOR-US: Netgear CVE-2019-20692 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2019-20691 (Certain NETGEAR devices are affected by CSRF. This affects D3600 befor ...) NOT-FOR-US: Netgear CVE-2019-20690 (Certain NETGEAR devices are affected by authentication bypass. This af ...) NOT-FOR-US: Netgear CVE-2019-20689 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2019-20688 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2019-20687 (Certain NETGEAR devices are affected by denial of service. This affect ...) NOT-FOR-US: Netgear CVE-2019-20686 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...) NOT-FOR-US: Netgear CVE-2019-20685 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2019-20684 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2019-20683 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2019-20682 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2019-20681 (Certain NETGEAR devices are affected by authentication bypass. This af ...) NOT-FOR-US: Netgear CVE-2019-20680 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2019-20679 (NETGEAR MR1100 devices before 12.06.08.00 are affected by lack of acce ...) NOT-FOR-US: Netgear CVE-2019-20678 (Certain NETGEAR devices are affected by stored XSS. This affects RBR20 ...) NOT-FOR-US: Netgear CVE-2019-20677 (Certain NETGEAR devices are affected by stored XSS. This affects RBR50 ...) NOT-FOR-US: Netgear CVE-2019-20676 (Certain NETGEAR devices are affected by lack of access control at the ...) NOT-FOR-US: Netgear CVE-2019-20675 (Certain NETGEAR devices are affected by stored XSS. This affects RBR50 ...) NOT-FOR-US: Netgear CVE-2019-20674 (Certain NETGEAR devices are affected by stored XSS. This affects RBR20 ...) NOT-FOR-US: Netgear CVE-2019-20673 (Certain NETGEAR devices are affected by stored XSS. This affects RBR20 ...) NOT-FOR-US: Netgear CVE-2019-20672 (Certain NETGEAR devices are affected by stored XSS. This affects RBR50 ...) NOT-FOR-US: Netgear CVE-2019-20671 (Certain NETGEAR devices are affected by stored XSS. This affects RBR20 ...) NOT-FOR-US: Netgear CVE-2019-20670 (Certain NETGEAR devices are affected by stored XSS. This affects RBR50 ...) NOT-FOR-US: Netgear CVE-2019-20669 (Certain NETGEAR devices are affected by stored XSS. This affects RBR20 ...) NOT-FOR-US: Netgear CVE-2019-20668 (Certain NETGEAR devices are affected by stored XSS. This affects RBR20 ...) NOT-FOR-US: Netgear CVE-2019-20667 (Certain NETGEAR devices are affected by stored XSS. This affects RBR20 ...) NOT-FOR-US: Netgear CVE-2019-20666 (Certain NETGEAR devices are affected by stored XSS. This affects RBR50 ...) NOT-FOR-US: Netgear CVE-2019-20665 (Certain NETGEAR devices are affected by stored XSS. This affects RBR20 ...) NOT-FOR-US: Netgear CVE-2019-20664 (Certain NETGEAR devices are affected by stored XSS. This affects RBR20 ...) NOT-FOR-US: Netgear CVE-2019-20663 (Certain NETGEAR devices are affected by stored XSS. This affects RBR50 ...) NOT-FOR-US: Netgear CVE-2019-20662 (Certain NETGEAR devices are affected by stored XSS. This affects RBR50 ...) NOT-FOR-US: Netgear CVE-2019-20661 (Certain NETGEAR devices are affected by stored XSS. This affects RBR50 ...) NOT-FOR-US: Netgear CVE-2019-20660 (Certain NETGEAR devices are affected by stored XSS. This affects RBR20 ...) NOT-FOR-US: Netgear CVE-2019-20659 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2019-20658 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...) NOT-FOR-US: Netgear CVE-2019-20657 (Certain NETGEAR devices are affected by a buffer overflow by an authen ...) NOT-FOR-US: Netgear CVE-2019-20656 (Certain NETGEAR devices are affected by a hardcoded password. This aff ...) NOT-FOR-US: Netgear CVE-2019-20655 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2019-20654 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) NOT-FOR-US: Netgear CVE-2019-20653 (Certain NETGEAR devices are affected by denial of service. This affect ...) NOT-FOR-US: Netgear CVE-2019-20652 (NETGEAR WAC505 devices before 8.2.1.16 are affected by disclosure of s ...) NOT-FOR-US: Netgear CVE-2019-20651 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2019-20650 (Certain NETGEAR devices are affected by denial of service. This affect ...) NOT-FOR-US: Netgear CVE-2019-20649 (NETGEAR MR1100 devices before 12.06.08.00 are affected by disclosure o ...) NOT-FOR-US: Netgear CVE-2019-20648 (NETGEAR RN42400 devices before 6.10.2 are affected by incorrect config ...) NOT-FOR-US: Netgear CVE-2019-20647 (NETGEAR RAX40 devices before 1.0.3.64 are affected by denial of servic ...) NOT-FOR-US: Netgear CVE-2019-20646 (NETGEAR RAX40 devices before 1.0.3.64 are affected by disclosure of ad ...) NOT-FOR-US: Netgear CVE-2019-20645 (NETGEAR RAX40 devices before 1.0.3.62 are affected by stored XSS. ...) NOT-FOR-US: Netgear CVE-2019-20644 (NETGEAR RAX40 devices before 1.0.3.62 are affected by stored XSS. ...) NOT-FOR-US: Netgear CVE-2019-20643 (NETGEAR RAX40 devices before 1.0.3.64 are affected by disclosure of se ...) NOT-FOR-US: Netgear CVE-2019-20642 (NETGEAR RAX40 devices before 1.0.3.64 are affected by authentication b ...) NOT-FOR-US: Netgear CVE-2019-20641 (NETGEAR RAX40 devices before 1.0.3.64 are affected by lack of access c ...) NOT-FOR-US: Netgear CVE-2019-20640 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2019-20639 (Certain NETGEAR devices are affected by stored XSS. This affects RBR50 ...) NOT-FOR-US: Netgear CVE-2019-20638 (NETGEAR MR1100 devices before 12.06.08.00 are affected by disclosure o ...) NOT-FOR-US: Netgear CVE-2020-11767 (Istio through 1.5.1 and Envoy through 1.14.1 have a data-leak issue. I ...) NOT-FOR-US: itsio CVE-2020-11766 (sendfax.php in iFAX AvantFAX before 3.3.6 and HylaFAX Enterprise Web I ...) NOT-FOR-US: iFAX AvantFAX CVE-2020-11765 (An issue was discovered in OpenEXR before 2.4.1. There is an off-by-on ...) [experimental] - openexr 2.5.0-1 - openexr (bug #959444) [jessie] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/3eda5d70aba127bae9bd6bae9956fcf024b64031 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/2ae5f8376b0a6c3e2bb100042f5de79503ba837a CVE-2020-11764 (An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bo ...) [experimental] - openexr 2.5.0-1 - openexr (bug #959444) [jessie] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/e7c26f6ef5bf7ae8ea21ecf19963186cd1391720 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/a6408c90339bdf19f89476578d7f936b741be9b2 CVE-2020-11763 (An issue was discovered in OpenEXR before 2.4.1. There is an std::vect ...) [experimental] - openexr 2.5.0-1 - openexr (bug #959444) [jessie] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987 NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/643/commits/d0303d1785d2a8cb994efee9efa81f8ee4be4c17 CVE-2020-11762 (An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bo ...) [experimental] - openexr 2.5.0-1 - openexr (bug #959444) [jessie] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/3eda5d70aba127bae9bd6bae9956fcf024b64031 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/2ae5f8376b0a6c3e2bb100042f5de79503ba837a CVE-2020-11761 (An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bo ...) [experimental] - openexr 2.5.0-1 - openexr (bug #959444) [jessie] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/b1c34c496b62117115b1089b18a44e0031800a09 CVE-2020-11760 (An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bo ...) [experimental] - openexr 2.5.0-1 - openexr (bug #959444) [jessie] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/37750013830def57f19f3c3b7faaa9fc1dae81b3 CVE-2020-11759 (An issue was discovered in OpenEXR before 2.4.1. Because of integer ov ...) [experimental] - openexr 2.5.0-1 - openexr (bug #959444) [jessie] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/b9997d0c045fa01af3d2e46e1a74b07cc4519446 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/acad98d6d3e787f36012a3737c23c42c7f43a00f TODO: check completeness for upstream commits to cover CVE-2020-11759 CVE-2020-11758 (An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bo ...) [experimental] - openexr 2.5.0-1 - openexr (bug #959444) [jessie] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/7a52d40ae23c148f27116cb1f6e897b9143b372c CVE-2020-11757 RESERVED CVE-2020-11756 RESERVED CVE-2020-11755 RESERVED CVE-2020-11754 RESERVED CVE-2020-11753 (An issue was discovered in Sonatype Nexus Repository Manager in versio ...) NOT-FOR-US: Sonatype CVE-2020-11752 RESERVED CVE-2020-11751 RESERVED CVE-2020-11750 RESERVED CVE-2020-11749 RESERVED CVE-2020-11748 RESERVED CVE-2020-11747 REJECTED CVE-2020-11746 RESERVED CVE-2020-11745 RESERVED CVE-2020-11744 RESERVED CVE-2020-11743 (An issue was discovered in Xen through 4.13.x, allowing guest OS users ...) - xen 4.11.4-1 [buster] - xen (Can be fixed along in future Xen DSA) [stretch] - xen (DSA 4602-1) [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-316.html CVE-2020-11742 (An issue was discovered in Xen through 4.13.x, allowing guest OS users ...) - xen 4.11.4-1 [buster] - xen (Can be fixed along in future Xen DSA) [stretch] - xen (DSA 4602-1) [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-318.html CVE-2020-11741 (An issue was discovered in xenoprof in Xen through 4.13.x, allowing gu ...) - xen 4.11.4-1 [buster] - xen (Can be fixed along in future Xen DSA) [stretch] - xen (DSA 4602-1) [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-313.html CVE-2020-11740 (An issue was discovered in xenoprof in Xen through 4.13.x, allowing gu ...) - xen 4.11.4-1 [buster] - xen (Can be fixed along in future Xen DSA) [stretch] - xen (DSA 4602-1) [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-313.html CVE-2020-11739 (An issue was discovered in Xen through 4.13.x, allowing guest OS users ...) - xen 4.11.4-1 [buster] - xen (Can be fixed along in future Xen DSA) [stretch] - xen (DSA 4602-1) [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-314.html CVE-2020-11738 (The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Dupl ...) NOT-FOR-US: Snap Creek Duplicator plugin for WordPress CVE-2020-11737 (A cross-site scripting (XSS) vulnerability in Web Client in Zimbra 9.0 ...) NOT-FOR-US: Zimbra CVE-2020-11735 (The private-key operations in ecc.c in wolfSSL before 4.4.0 do not use ...) - wolfssl 4.4.0+dfsg-1 NOTE: https://github.com/wolfSSL/wolfssl/commit/1de07da61f0c8e9926dcbd68119f73230dae283f CVE-2020-11736 (fr-archive-libarchive.c in GNOME file-roller through 3.36.1 allows Dir ...) {DLA-2180-1} - file-roller 3.36.2-1 (bug #956638) NOTE: https://gitlab.gnome.org/GNOME/file-roller/-/commit/21dfcdbfe258984db89fb65243a1a888924e45a0 CVE-2020-11734 (cgi-bin/go in CyberSolutions CyberMail 5 or later allows XSS via the A ...) NOT-FOR-US: CyberSolutions CyberMail CVE-2020-11733 RESERVED CVE-2020-11732 (The Media Library Assistant plugin before 2.82 for Wordpress suffers f ...) NOT-FOR-US: Media Library Assistant plugin for WordPress CVE-2020-11731 (The Media Library Assistant plugin before 2.82 for Wordpress suffers f ...) NOT-FOR-US: Media Library Assistant plugin for WordPress CVE-2020-11730 RESERVED CVE-2020-11729 (An issue was discovered in DAViCal Andrew's Web Libraries (AWL) throug ...) {DSA-4660-1 DLA-2178-1} - awl 0.61-1 (bug #956650) NOTE: https://gitlab.com/davical-project/awl/-/issues/18 NOTE: https://gitlab.com/davical-project/awl/-/commit/535505c9acd0dda9cf664c38f5f8cb8dd61dc0cd CVE-2020-11728 (An issue was discovered in DAViCal Andrew's Web Libraries (AWL) throug ...) {DSA-4660-1 DLA-2178-1} - awl 0.61-1 (bug #956650) NOTE: https://gitlab.com/davical-project/awl/-/issues/19 NOTE: https://gitlab.com/davical-project/awl/-/commit/c2e808cc2420f8d870ac0a4aa9cc1f2c90562428 CVE-2020-11727 (A cross-site scripting (XSS) vulnerability in the AlgolPlus Advanced O ...) NOT-FOR-US: AlgolPlus CVE-2020-11726 RESERVED CVE-2020-11724 (An issue was discovered in OpenResty before 1.15.8.4. ngx_http_lua_sub ...) - nginx NOTE: Patch: https://github.com/openresty/openresty/blob/4e8b4c395f842a078e429c80dd063b2323999957/patches/ngx_http_lua-0.10.15-fix_location_capture_content_length_chunked.patch TODO: check details (patch applies to src:ngnix, but check if issue is specific to OpenResty before 1.15.8.4) CVE-2020-11725 (** DISPUTED ** snd_ctl_elem_add in sound/core/control.c in the Linux k ...) - linux NOTE: https://twitter.com/yabbadabbadrew/status/1248632267028582400 CVE-2020-11723 (Cellebrite UFED 5.0 through 7.29 uses four hardcoded RSA private keys ...) NOT-FOR-US: Cellebrite UFED CVE-2020-11722 (Dungeon Crawl Stone Soup (aka DCSS or crawl) before 0.25 allows remote ...) - crawl (bug #958232) [buster] - crawl (Minor issue) [stretch] - crawl (Minor issue) [jessie] - crawl (Minor issue) NOTE: https://dpmendenhall.blogspot.com/2020/03/dungeon-crawl-stone-soup.html NOTE: https://github.com/crawl/crawl/commit/768f60da87a3fa0b5561da5ade9309577c176d04 NOTE: https://github.com/crawl/crawl/commit/fc522ff6eb1bbb85e3de60c60a45762571e48c28 CVE-2020-11721 (load_png in loader.c in libsixel.a in libsixel 1.8.6 has an uninitiali ...) - libsixel (low) [buster] - libsixel (Minor issue) [stretch] - libsixel (Minor issue) [jessie] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/134 CVE-2020-11720 RESERVED CVE-2020-11719 RESERVED CVE-2020-11718 RESERVED CVE-2020-11717 RESERVED CVE-2020-11716 (Panasonic P110, Eluga Z1 Pro, Eluga X1, and Eluga X1 Pro devices throu ...) NOT-FOR-US: Panasonic CVE-2020-11715 (Panasonic P99 devices through 2020-04-10 have Incorrect Access Control ...) NOT-FOR-US: Panasonic CVE-2020-11714 (eten PSG-6528VM 1.1 devices allow XSS via System Contact or System Loc ...) NOT-FOR-US: eten PSG-6528VM 1.1 devices CVE-2020-11713 (wolfSSL 4.3.0 has mulmod code in wc_ecc_mulmod_ex in ecc.c that does n ...) - wolfssl 4.4.0+dfsg-1 (bug #960190) NOTE: https://github.com/wolfSSL/wolfssl/pull/2894/ CVE-2020-11712 (Open Upload through 0.4.3 allows XSS via index.php?action=u and the fi ...) NOT-FOR-US: Open Upload CVE-2020-11711 RESERVED CVE-2020-11710 (** DISPUTED ** An issue was discovered in docker-kong (for Kong) throu ...) NOT-FOR-US: docker-kong CVE-2020-11709 (cpp-httplib through 0.5.8 does not filter \r\n in parameters passed in ...) - chromium [stretch] - chromium (see DSA 4562) NOTE: Chromium embeds cpp-httplib NOTE: https://github.com/yhirose/cpp-httplib/issues/425 CVE-2020-11708 (An issue was discovered in ProVide (formerly zFTPServer) through 13.1. ...) NOT-FOR-US: ProVide (formerly zFTPServer) CVE-2020-11707 (An issue was discovered in ProVide (formerly zFTPServer) through 13.1. ...) NOT-FOR-US: ProVide (formerly zFTPServer) CVE-2020-11706 (An issue was discovered in ProVide (formerly zFTPServer) through 13.1. ...) NOT-FOR-US: ProVide (formerly zFTPServer) CVE-2020-11705 (An issue was discovered in ProVide (formerly zFTPServer) through 13.1. ...) NOT-FOR-US: ProVide (formerly zFTPServer) CVE-2020-11704 (An issue was discovered in ProVide (formerly zFTPServer) through 13.1. ...) NOT-FOR-US: ProVide (formerly zFTPServer) CVE-2020-11703 (An issue was discovered in ProVide (formerly zFTPServer) through 13.1. ...) NOT-FOR-US: ProVide (formerly zFTPServer) CVE-2020-11702 (An issue was discovered in ProVide (formerly zFTPServer) through 13.1. ...) NOT-FOR-US: ProVide (formerly zFTPServer) CVE-2020-11701 (An issue was discovered in ProVide (formerly zFTPServer) through 13.1. ...) NOT-FOR-US: ProVide (formerly zFTPServer) CVE-2020-11700 RESERVED CVE-2020-11699 RESERVED CVE-2020-11698 RESERVED CVE-2020-11697 (In Combodo iTop, dashboard ids can be exploited with a reflective XSS ...) NOT-FOR-US: Combodo iTop CVE-2020-11696 (In Combodo iTop a menu shortcut name can be exploited with a stored XS ...) NOT-FOR-US: Combodo iTop CVE-2020-11695 RESERVED CVE-2020-11694 (In JetBrains PyCharm 2019.2.5 and 2019.3 on Windows, Apple Notarizatio ...) - pycharm (bug #742394) CVE-2020-11693 (JetBrains YouTrack before 2020.1.659 was vulnerable to DoS that could ...) NOT-FOR-US: JetBrains YouTrack CVE-2020-11692 (In JetBrains YouTrack before 2020.1.659, DB export was accessible to r ...) NOT-FOR-US: JetBrains YouTrack CVE-2020-11691 (In JetBrains Hub before 2020.1.12099, content spoofing in the Hub OAut ...) NOT-FOR-US: JetBrains Hub CVE-2020-11690 (In JetBrains IntelliJ IDEA before 2020.1, the license server could be ...) - intellij-idea (bug #747616) CVE-2020-11689 (In JetBrains TeamCity before 2019.2.1, a user without appropriate perm ...) NOT-FOR-US: JetBrains TeamCity CVE-2020-11688 (In JetBrains TeamCity before 2019.2.1, the application state is kept a ...) NOT-FOR-US: JetBrains TeamCity CVE-2020-11687 (In JetBrains TeamCity before 2019.2.2, password values were shown in a ...) NOT-FOR-US: JetBrains TeamCity CVE-2020-11686 (In JetBrains TeamCity before 2019.1.4, a project administrator was abl ...) NOT-FOR-US: JetBrains TeamCity CVE-2020-11685 (In JetBrains GoLand before 2019.3.2, the plugin repository was accesse ...) NOT-FOR-US: JetBrains GoLand CVE-2015-9547 (An issue was discovered on Samsung mobile devices with JBP(4.3) and KK ...) NOT-FOR-US: Samsung mobile devices CVE-2015-9546 (An issue was discovered on Samsung mobile devices with KK(4.4) and lat ...) NOT-FOR-US: Samsung mobile devices CVE-2020-11684 RESERVED CVE-2020-11683 RESERVED CVE-2020-11682 (Castel NextGen DVR v1.0.0 is vulnerable to CSRF in all state-changing ...) NOT-FOR-US: Castel NextGen DVR CVE-2020-11681 (Castel NextGen DVR v1.0.0 stores and displays credentials for the asso ...) NOT-FOR-US: Castel NextGen DVR CVE-2020-11680 (Castel NextGen DVR v1.0.0 is vulnerable to authorization bypass on all ...) NOT-FOR-US: Castel NextGen DVR CVE-2020-11679 (Castel NextGen DVR v1.0.0 is vulnerable to privilege escalation throug ...) NOT-FOR-US: Castel NextGen DVR CVE-2020-11678 RESERVED CVE-2020-11677 (Cerner medico 26.00 has a Local Buffer Overflow (issue 3 of 3). ...) NOT-FOR-US: Cerner medico CVE-2020-11676 (Cerner medico 26.00 has a Local Buffer Overflow (issue 2 of 3). ...) NOT-FOR-US: Cerner medico CVE-2020-11675 (Cerner medico 26.00 has a Local Buffer Overflow (issue 1 of 3). ...) NOT-FOR-US: Cerner medico CVE-2020-11674 (Cerner medico 26.00 allows variable reuse, possibly causing data corru ...) NOT-FOR-US: Cerner medico CVE-2020-11673 (An issue was discovered in the Responsive Poll through 1.3.4 for Wordp ...) NOT-FOR-US: Responsive Poll for WordPress CVE-2020-11672 RESERVED CVE-2020-11671 (Lack of authorization controls in REST API functions in TeamPass throu ...) - teampass (bug #730180) CVE-2020-11670 RESERVED CVE-2020-11669 (An issue was discovered in the Linux kernel before 5.2 on the powerpc ...) - linux 5.2.6-1 [buster] - linux 4.19.118-1 [stretch] - linux (Vulnerability introduced later with support for KVM guests on POWER9) [jessie] - linux (Vulnerability introduced later with support for KVM guests on POWER9) NOTE: https://git.kernel.org/linus/53a712bae5dd919521a58d7bad773b949358add0 NOTE: https://www.openwall.com/lists/oss-security/2020/04/15/1 CVE-2020-11668 (In the Linux kernel before 5.6.1, drivers/media/usb/gspca/xirlink_cit. ...) {DSA-4698-1 DLA-2242-1 DLA-2241-1} - linux 5.5.17-1 [buster] - linux 4.19.118-1 NOTE: https://git.kernel.org/linus/a246b4d547708f33ff4d4b9a7a5dbac741dc89d8 CVE-2020-11667 RESERVED CVE-2020-11666 (CA API Developer Portal 4.3.1 and earlier contains an access control f ...) NOT-FOR-US: CA API Developer Portal CVE-2020-11665 (CA API Developer Portal 4.3.1 and earlier handles loginRedirect page r ...) NOT-FOR-US: CA API Developer Portal CVE-2020-11664 (CA API Developer Portal 4.3.1 and earlier handles homeRedirect page re ...) NOT-FOR-US: CA API Developer Portal CVE-2020-11663 (CA API Developer Portal 4.3.1 and earlier handles 404 requests in an i ...) NOT-FOR-US: CA API Developer Portal CVE-2020-11662 (CA API Developer Portal 4.3.1 and earlier handles requests insecurely, ...) NOT-FOR-US: CA API Developer Portal CVE-2020-11661 (CA API Developer Portal 4.3.1 and earlier contains an access control f ...) NOT-FOR-US: CA API Developer Portal CVE-2020-11660 (CA API Developer Portal 4.3.1 and earlier contains an access control f ...) NOT-FOR-US: CA API Developer Portal CVE-2020-11659 (CA API Developer Portal 4.3.1 and earlier contains an access control f ...) NOT-FOR-US: CA API Developer Portal CVE-2020-11658 (CA API Developer Portal 4.3.1 and earlier handles shared secret keys i ...) NOT-FOR-US: CA API Developer Portal CVE-2020-11657 RESERVED CVE-2020-11656 (In SQLite through 3.31.1, the ALTER TABLE implementation has a use-aft ...) - sqlite3 3.32.0-1 (unimportant) NOTE: https://www.sqlite.org/cgi/src/tktview?name=4722bdab08cb14 NOTE: https://www.sqlite.org/src/info/d09f8c3621d5f7f8 NOTE: https://www.sqlite.org/src/info/b64674919f673602 NOTE: Negliglible security impact (and uncovered in DEBUG build) CVE-2020-11655 (SQLite through 3.31.1 allows attackers to cause a denial of service (s ...) {DLA-2203-1} - sqlite3 3.31.1-5 [buster] - sqlite3 (Minor issue) [stretch] - sqlite3 (Minor issue) NOTE: https://www.sqlite.org/cgi/src/tktview?name=af4556bb5c NOTE: Issue covered before: https://www.sqlite.org/cgi/src/info/712e47714863a8ed NOTE: Fixed by: https://www.sqlite.org/cgi/src/info/4a302b42c7bf5e11 CVE-2020-11654 RESERVED CVE-2020-11653 (An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6 ...) - varnish 6.4.0-1 (bug #956307) [buster] - varnish (Can be fixed along in next DSA) [stretch] - varnish (Only affects 6.x) [jessie] - varnish (Only affects 6.x) NOTE: https://varnish-cache.org/security/VSV00005.html#vsv00005 NOTE: https://github.com/varnishcache/varnish-cache/commit/2d8fc1a784a1e26d78c30174923a2b14ee2ebf62 CVE-2020-11652 (An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 bef ...) {DSA-4676-2 DSA-4676-1 DLA-2223-1} - salt 3000.2+dfsg1-1 (bug #959684) NOTE: https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst NOTE: Fixed by: https://github.com/saltstack/salt/commit/cce7abad9c22d9d50ccee2813acabff8deca35dd CVE-2020-11651 (An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 bef ...) {DSA-4676-2 DSA-4676-1 DLA-2223-1} - salt 3000.2+dfsg1-1 (bug #959684) NOTE: https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst NOTE: Fixed by: https://github.com/saltstack/salt/commit/a67d76b15615983d467ed81371b38b4a17e4f3b7 NOTE: Followup needed: https://github.com/saltstack/salt/commit/78172bf647473d5c1c2720e72fc12d6f2314d583 NOTE: There is a typo in the whitelisted methods on AESFuncs: NOTE: https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst#known-issue NOTE: Regression bugreport: https://github.com/saltstack/salt/issues/57016 NOTE: https://github.com/saltstack/salt/issues/57027 CVE-2020-11650 (An issue was discovered in iXsystems FreeNAS (and TrueNAS) 11.2 before ...) NOT-FOR-US: FreeNAS CVE-2020-11649 (An issue was discovered in GitLab CE and EE 8.15 through 12.9.2. Membe ...) - gitlab NOTE: https://about.gitlab.com/releases/2020/04/14/critical-security-release-gitlab-12-dot-9-dot-3-released/ CVE-2020-11648 RESERVED CVE-2020-11647 (In Wireshark 3.2.0 to 3.2.2, 3.0.0 to 3.0.9, and 2.6.0 to 2.6.15, the ...) - wireshark 3.2.3-1 (low; bug #958213) [buster] - wireshark (Can be fixed along in next 3.0.x DSA) [stretch] - wireshark (Can be fixed along in next DSA/update to 3.0) [jessie] - wireshark (Minor, can be fixed along in a future update) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16474 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=6f56fc9496db158218243ea87e3660c874a0bab0 NOTE: https://www.wireshark.org/security/wnpa-sec-2020-07.html CVE-2019-20637 (An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x and 6 ...) - varnish 6.4.0-1 (bug #956305) [buster] - varnish (Minor issue) [stretch] - varnish (Minor issue) [jessie] - varnish (Vulnerability introduced later, PoC not leaking) NOTE: http://varnish-cache.org/security/VSV00004.html#vsv00004 NOTE: https://github.com/varnishcache/varnish-cache/commit/bd7b3d6d47ccbb5e1747126f8e2a297f38e56b8c (6.x fix) NOTE: https://github.com/varnishcache/varnish-cache/commit/0c9c38513bdb7730ac886eba7563f2d87894d734 (test case / reproducer) NOTE: Introduced in https://github.com/varnishcache/varnish-cache/commit/62932b422f311ed1224f14a216169bcdc1b77a2d (5.0) NOTE: Case #3 implies labels introduced in https://github.com/varnishcache/varnish-cache/commit/34350d5e183ef4e04285729d1f63b784d1bc6454 (5.0) CVE-2020-11646 RESERVED CVE-2020-11645 RESERVED CVE-2020-11644 RESERVED CVE-2020-11643 RESERVED CVE-2020-11642 RESERVED CVE-2020-11641 RESERVED CVE-2020-11640 RESERVED CVE-2020-11639 RESERVED CVE-2020-11638 RESERVED CVE-2020-11637 RESERVED CVE-2019-20636 (In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bo ...) {DLA-2241-1} - linux 5.4.13-1 [buster] - linux 4.19.98-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/cb222aed03d798fc074be55e59d9a112338ee784 CVE-2020-11636 RESERVED CVE-2020-11635 RESERVED CVE-2020-11634 RESERVED CVE-2020-11633 RESERVED CVE-2020-11632 RESERVED CVE-2020-11631 (An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1. ...) NOT-FOR-US: EJBCA / PrimeKey CVE-2020-11630 (An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1. ...) NOT-FOR-US: EJBCA / PrimeKey CVE-2020-11629 (An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1. ...) NOT-FOR-US: EJBCA / PrimeKey CVE-2020-11628 (An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1. ...) NOT-FOR-US: EJBCA / PrimeKey CVE-2020-11627 (An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1. ...) NOT-FOR-US: EJBCA / PrimeKey CVE-2020-11626 (An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1. ...) NOT-FOR-US: EJBCA / PrimeKey CVE-2020-11625 RESERVED CVE-2020-11624 RESERVED CVE-2020-11623 RESERVED CVE-2020-11622 (A vulnerability exists in Arista’s Cloud EOS VM / vEOS 4.23.2M a ...) NOT-FOR-US: Cloud EOS CVE-2020-11621 RESERVED CVE-2020-11620 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2179-1} - jackson-databind [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2682 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. CVE-2020-11619 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2179-1} - jackson-databind [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2680 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. CVE-2020-11618 RESERVED CVE-2020-11617 RESERVED CVE-2020-11616 RESERVED CVE-2020-11615 RESERVED CVE-2020-11614 (Mids' Reborn Hero Designer 2.6.0.7 downloads the update manifest, as w ...) NOT-FOR-US: Mids' Reborn Hero Designer CVE-2020-11613 (Mids' Reborn Hero Designer 2.6.0.7 has an elevation of privilege vulne ...) NOT-FOR-US: Mids' Reborn Hero Designer CVE-2020-11612 (The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memo ...) - netty 1:4.1.48-1 [jessie] - netty (OOM DoS with fix/mitigation involving new API; too intrusive to backport due to more limited 3.x buffer API) NOTE: https://github.com/netty/netty/issues/6168 NOTE: https://github.com/netty/netty/pull/9924 NOTE: https://github.com/netty/netty/commit/1543218d3e7afcb33a90b728b14370395a3deca0 CVE-2020-11611 (An issue was discovered in xdLocalStorage through 2.0.5. The buildMess ...) NOT-FOR-US: xdLocalStorage CVE-2020-11610 (An issue was discovered in xdLocalStorage through 2.0.5. The postData( ...) NOT-FOR-US: xdLocalStorage CVE-2020-11609 (An issue was discovered in the stv06xx subsystem in the Linux kernel b ...) {DSA-4698-1 DLA-2242-1 DLA-2241-1} - linux 5.5.17-1 [buster] - linux 4.19.118-1 NOTE: https://git.kernel.org/linus/485b06aadb933190f4bc44e006076bc27a23f205 CVE-2020-11608 (An issue was discovered in the Linux kernel before 5.6.1. drivers/medi ...) {DSA-4698-1 DLA-2242-1 DLA-2241-1} - linux 5.5.17-1 [buster] - linux 4.19.118-1 NOTE: https://git.kernel.org/linus/998912346c0da53a6dbb71fab3a138586b596b30 CVE-2020-11607 (An issue was discovered on Samsung mobile devices with P(9.0) and Q(10 ...) NOT-FOR-US: Samsung mobile devices CVE-2020-11606 (An issue was discovered on Samsung mobile devices with Q(10.0) softwar ...) NOT-FOR-US: Samsung mobile devices CVE-2020-11605 (An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2020-11604 (An issue was discovered on Samsung mobile devices with P(9.0) and Q(10 ...) NOT-FOR-US: Samsung mobile devices CVE-2020-11603 (An issue was discovered on Samsung mobile devices with P(9.0) and Q(10 ...) NOT-FOR-US: Samsung mobile devices CVE-2020-11602 (An issue was discovered on Samsung mobile devices with P(9.0) and Q(10 ...) NOT-FOR-US: Samsung mobile devices CVE-2020-11601 (An issue was discovered on Samsung mobile devices with P(9.0) and Q(10 ...) NOT-FOR-US: Samsung mobile devices CVE-2020-11600 (An issue was discovered on Samsung mobile devices with Q(10.0) softwar ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21092 (An issue was discovered on Samsung mobile devices with M(6.x) and N(7. ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21091 (An issue was discovered on Samsung mobile devices with M(6.x) and N(7. ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21090 (An issue was discovered on Samsung mobile devices with software throug ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21089 (An issue was discovered on Samsung mobile devices with N(7.x) (MT6755/ ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21088 (An issue was discovered on Samsung mobile devices with N(7.x) software ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21087 (An issue was discovered on Samsung mobile devices with L(5.x), M(6.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21086 (An issue was discovered on Samsung mobile devices with L(5.x), M(6.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21085 (An issue was discovered on Samsung mobile devices with L(5.x), M(6.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21084 (An issue was discovered on Samsung mobile devices with L(5.1), M(6.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21083 (An issue was discovered on Samsung mobile devices with M(6.0), N(7.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21082 (An issue was discovered on Samsung mobile devices with N(7.x) software ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21081 (An issue was discovered on Samsung mobile devices with N(7.x) software ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21080 (An issue was discovered on Samsung mobile devices with N(7.x) software ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21079 (An issue was discovered on Samsung mobile devices with L(5.x), M(6.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21078 (An issue was discovered on Samsung mobile devices with M(6.0), N(7.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21077 (An issue was discovered on Samsung mobile devices with M(6.0), N(7.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21076 (An issue was discovered on Samsung mobile devices with N(7.x) (Exynos8 ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21075 (An issue was discovered on Samsung mobile devices with N(7.x) and O(8. ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21074 (An issue was discovered on Samsung mobile devices with M(6.x) (Exynos ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21073 (An issue was discovered on Samsung mobile devices with N(7.x) and O(8. ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21072 (An issue was discovered on Samsung mobile devices with M(6.0), N(7.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21071 (An issue was discovered on Samsung mobile devices with M(6.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21070 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.0) ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21069 (An issue was discovered on Samsung mobile devices with N(7.x) (MediaTe ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21068 (An issue was discovered on Samsung mobile devices with O(8.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21067 (An issue was discovered on Samsung mobile devices with M(6.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21066 (An issue was discovered on Samsung mobile devices with M(6.0) (Exynos ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21065 (An issue was discovered on Samsung mobile devices with M(6.0), N(7.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21064 (An issue was discovered on Samsung mobile devices with N(7.x) and O(8. ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21063 (An issue was discovered on Samsung mobile devices with M(6.0), N(7.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21062 (An issue was discovered on Samsung mobile devices with N(7.x) and O(8. ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21061 (An issue was discovered on Samsung mobile devices with N(7.1) and O(8. ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21060 (An issue was discovered on Samsung mobile devices with N(7.x) and O(8. ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21059 (An issue was discovered on Samsung mobile devices with N(7.x) and O(8. ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21058 (An issue was discovered on Samsung mobile devices with N(7.0), O(8.0) ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21057 (An issue was discovered on Samsung mobile devices with N(7.x) O(8.x, a ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21056 (An issue was discovered on Samsung mobile devices with O(8.x) software ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21055 (An issue was discovered on Samsung mobile devices with N(7.0) (Qualcom ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21054 (An issue was discovered on Samsung mobile devices with M(6.0), N(7.x) ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21053 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21052 (An issue was discovered on Samsung mobile devices with N(7.x) and O(8. ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21051 (An issue was discovered on Samsung mobile devices with N(7.x) and O(8. ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21050 (An issue was discovered on Samsung mobile devices with N(7.x) and O(8. ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21049 (An issue was discovered on Samsung mobile devices with N(7.x) and O(8. ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21048 (An issue was discovered on Samsung mobile devices with O(8.x) software ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21047 (An issue was discovered on Samsung mobile devices with O(8.x) software ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21046 (An issue was discovered on Samsung mobile devices with O(8.x) software ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21045 (An issue was discovered on Samsung mobile devices with N(7.x) and O(8. ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21044 (An issue was discovered on Samsung mobile devices with N(7.x) and O(8. ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21043 (An issue was discovered on Samsung mobile devices with O(8.x) and P(9. ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21042 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21041 (An issue was discovered on Samsung mobile devices with O(8.x) software ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21040 (An issue was discovered on Samsung mobile devices with O(8.x) and P(9. ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21039 (An issue was discovered on Samsung mobile devices with N(7.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2018-21038 (An issue was discovered on Samsung mobile devices with N(7.x) software ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18696 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18695 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18694 (An issue was discovered on Samsung mobile devices with software throug ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18693 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18692 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18691 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18690 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18689 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18688 (An issue was discovered on Samsung mobile devices with L(5.1), M(6.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18687 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18686 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18685 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18684 (An issue was discovered on Samsung mobile devices with L(5.0/5.1) and ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18683 (An issue was discovered on Samsung mobile devices with L(5.0/5.1) and ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18682 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18681 (An issue was discovered on Samsung Galaxy S5 mobile devices with softw ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18680 (An issue was discovered on Samsung mobile devices with L(5.0/5.1) and ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18679 (An issue was discovered on Samsung mobile devices with M(6.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18678 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18677 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18676 (An issue was discovered on Samsung mobile devices with N(7.0) (Qualcom ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18675 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18674 (An issue was discovered on Samsung mobile devices with N(7.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18673 (An issue was discovered on Samsung mobile devices with N(7.x) software ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18672 (An issue was discovered on Samsung mobile devices with L(5.0/5.1), M(6 ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18671 (An issue was discovered on Samsung mobile devices with L(5.0/5.1), M(6 ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18670 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18669 (An issue was discovered on Samsung mobile devices with N(7.x) software ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18668 (An issue was discovered on Samsung mobile devices with M(6.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18667 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18666 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18665 (An issue was discovered on Samsung mobile devices with M(6.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18664 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18663 (An issue was discovered on Samsung mobile devices with N(7.x) software ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18662 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18661 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18660 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18659 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18658 (An issue was discovered on Samsung mobile devices with M(6.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18657 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18656 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18655 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18654 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18653 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18652 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18651 (An issue was discovered on Samsung mobile devices with M(6.x) and N(7. ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18650 (An issue was discovered on Samsung mobile devices with N(7.x) software ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18649 (An issue was discovered on Samsung mobile devices with N(7.x) software ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18648 (An issue was discovered on Samsung mobile devices with KK(4.4.x), L(5. ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18647 (An issue was discovered on Samsung mobile devices with M(6,x) and N(7. ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18646 (An issue was discovered on Samsung mobile devices with M(6.x) and N(7. ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18645 (An issue was discovered on Samsung mobile devices with M(6.x) and N(7. ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18644 (An issue was discovered on Samsung mobile devices with L(5.1), M(6.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18643 (An issue was discovered on Samsung mobile devices with M(6.x) and N(7. ...) NOT-FOR-US: Samsung mobile devices CVE-2016-11053 (An issue was discovered on Samsung mobile devices with software throug ...) NOT-FOR-US: Samsung mobile devices CVE-2016-11052 (An issue was discovered on Samsung mobile devices with L(5.0/5.1) soft ...) NOT-FOR-US: Samsung mobile devices CVE-2016-11051 REJECTED CVE-2016-11050 (An issue was discovered on Samsung mobile devices with S3(KK), Note2(K ...) NOT-FOR-US: Samsung mobile devices CVE-2016-11049 (An issue was discovered on Samsung mobile devices with software throug ...) NOT-FOR-US: Samsung mobile devices CVE-2016-11048 (An issue was discovered on Samsung mobile devices with L(5.0/5.1) (Spr ...) NOT-FOR-US: Samsung mobile devices CVE-2016-11047 (An issue was discovered on Samsung mobile devices with JBP(4.2) and KK ...) NOT-FOR-US: Samsung mobile devices CVE-2016-11046 (An issue was discovered on Samsung mobile devices with JBP(4.3), KK(4. ...) NOT-FOR-US: Samsung mobile devices CVE-2016-11045 (An issue was discovered on Samsung mobile devices with L(5.0/5.1) soft ...) NOT-FOR-US: Samsung mobile devices CVE-2016-11044 (An issue was discovered on Samsung mobile devices with L(5.0/5.1) and ...) NOT-FOR-US: Samsung mobile devices CVE-2016-11043 (An issue was discovered on Samsung mobile devices with M(6.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2016-11042 (An issue was discovered on Samsung mobile devices with L(5.0/5.1) and ...) NOT-FOR-US: Samsung mobile devices CVE-2016-11041 (An issue was discovered on Samsung mobile devices with KK(4.4) softwar ...) NOT-FOR-US: Samsung mobile devices CVE-2016-11040 (An issue was discovered on Samsung mobile devices with L(5.0/5.1) (wit ...) NOT-FOR-US: Samsung mobile devices CVE-2016-11039 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...) NOT-FOR-US: Samsung mobile devices CVE-2016-11038 (An issue was discovered on Samsung mobile devices with software throug ...) NOT-FOR-US: Samsung mobile devices CVE-2016-11037 REJECTED CVE-2016-11036 (An issue was discovered on Samsung mobile devices with M(6.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2016-11035 (An issue was discovered on Samsung mobile devices with software throug ...) NOT-FOR-US: Samsung mobile devices CVE-2016-11034 (An issue was discovered on Samsung mobile devices with L(5.0/5.1) and ...) NOT-FOR-US: Samsung mobile devices CVE-2016-11033 (An issue was discovered on Samsung mobile devices with M(6.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2016-11032 (An issue was discovered on Samsung mobile devices with M(6.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2016-11031 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...) NOT-FOR-US: Samsung mobile devices CVE-2016-11030 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...) NOT-FOR-US: Samsung mobile devices CVE-2016-11029 (An issue was discovered on Samsung mobile devices with L(5.0/5.1), M(6 ...) NOT-FOR-US: Samsung mobile devices CVE-2016-11028 (An issue was discovered on Samsung mobile devices with software throug ...) NOT-FOR-US: Samsung mobile devices CVE-2016-11027 (An issue was discovered on Samsung mobile devices with M(6.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2016-11026 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...) NOT-FOR-US: Samsung mobile devices CVE-2016-11025 (An issue was discovered on Samsung mobile devices with software throug ...) NOT-FOR-US: Samsung mobile devices CVE-2015-9545 (An issue was discovered in xdLocalStorage through 2.0.5. The receiveMe ...) NOT-FOR-US: xdLocalStorage CVE-2015-9544 (An issue was discovered in xdLocalStorage through 2.0.5. The receiveMe ...) NOT-FOR-US: xdLocalStorage CVE-2013-7488 (perl-Convert-ASN1 (aka the Convert::ASN1 module for Perl) through 0.27 ...) - libconvert-asn1-perl (bug #956186) [buster] - libconvert-asn1-perl (Minor issue) [stretch] - libconvert-asn1-perl (Minor issue) [jessie] - libconvert-asn1-perl (Minor issue) NOTE: https://github.com/gbarr/perl-Convert-ASN1/issues/14 CVE-2020-11599 (An issue was discovered in CIPPlanner CIPAce 6.80 Build 2016031401. Ge ...) NOT-FOR-US: CIPPlanner CVE-2020-11598 (An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. Upl ...) NOT-FOR-US: CIPPlanner CVE-2020-11597 (An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An ...) NOT-FOR-US: CIPPlanner CVE-2020-11596 (A Directory Traversal issue was discovered in CIPPlanner CIPAce 9.1 Bu ...) NOT-FOR-US: CIPPlanner CVE-2020-11595 (An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An ...) NOT-FOR-US: CIPPlanner CVE-2020-11594 (An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An ...) NOT-FOR-US: CIPPlanner CVE-2020-11593 (An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An ...) NOT-FOR-US: CIPPlanner CVE-2020-11592 (An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An ...) NOT-FOR-US: CIPPlanner CVE-2020-11591 (An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An ...) NOT-FOR-US: CIPPlanner CVE-2020-11590 (An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An ...) NOT-FOR-US: CIPPlanner CVE-2020-11589 (An Insecure Direct Object Reference issue was discovered in CIPPlanner ...) NOT-FOR-US: CIPPlanner CVE-2020-11588 (An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An ...) NOT-FOR-US: CIPPlanner CVE-2020-11587 (An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An ...) NOT-FOR-US: CIPPlanner CVE-2020-11586 (An XXE issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. ...) NOT-FOR-US: CIPPlanner CVE-2020-11585 (There is an information disclosure issue in DNN (formerly DotNetNuke) ...) NOT-FOR-US: DNN (formerly DotNetNuke) CVE-2020-11584 RESERVED CVE-2020-11583 RESERVED CVE-2020-11582 (An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) thr ...) NOT-FOR-US: Pulse Secure Pulse Connect Secure CVE-2020-11581 (An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) thr ...) NOT-FOR-US: Pulse Secure Pulse Connect Secure CVE-2020-11580 (An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) thr ...) NOT-FOR-US: Pulse Secure Pulse Connect Secure CVE-2020-11579 RESERVED CVE-2020-11578 RESERVED CVE-2020-11577 RESERVED CVE-2020-11576 (Fixed in v1.5.1, Argo version v1.5.0 was vulnerable to a user-enumerat ...) NOT-FOR-US: Argo CVE-2020-11575 RESERVED CVE-2020-11574 RESERVED CVE-2020-11573 RESERVED CVE-2020-11572 RESERVED CVE-2020-11571 RESERVED CVE-2020-11570 RESERVED CVE-2020-11569 RESERVED CVE-2020-11568 RESERVED CVE-2020-11567 RESERVED CVE-2020-11566 RESERVED CVE-2020-11565 (** DISPUTED ** An issue was discovered in the Linux kernel through 5.6 ...) {DSA-4698-1 DSA-4667-1 DLA-2242-1 DLA-2241-1} - linux 5.5.17-1 NOTE: https://git.kernel.org/linus/aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd CVE-2020-11564 RESERVED CVE-2020-11563 RESERVED CVE-2020-11562 RESERVED CVE-2020-11561 (In NCH Express Invoice 7.25, an authenticated low-privilege user can e ...) NOT-FOR-US: NCH Express Invoice CVE-2020-11560 (NCH Express Invoice 7.25 allows local users to discover the cleartext ...) NOT-FOR-US: NCH Express Invoice CVE-2020-11559 RESERVED CVE-2020-11558 (An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by ...) - gpac [jessie] - gpac (Vulnerable code not present and not reproducible) NOTE: https://github.com/gpac/gpac/commit/6063b1a011c3f80cee25daade18154e15e4c058c NOTE: https://github.com/gpac/gpac/issues/1440 TODO: check CVE-2020-11557 (An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 20 ...) NOT-FOR-US: Castle Rock SNMPc CVE-2020-11556 (An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 20 ...) NOT-FOR-US: Castle Rock SNMPc CVE-2020-11555 (An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 20 ...) NOT-FOR-US: Castle Rock SNMPc CVE-2020-11554 (An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 20 ...) NOT-FOR-US: Castle Rock SNMPc CVE-2020-11553 (An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 20 ...) NOT-FOR-US: Castle Rock SNMPc CVE-2020-11552 RESERVED CVE-2020-11551 (An issue was discovered on NETGEAR Orbi Tri-Band Business WiFi Add-on ...) NOT-FOR-US: Netgear CVE-2020-11550 (An issue was discovered on NETGEAR Orbi Tri-Band Business WiFi Add-on ...) NOT-FOR-US: Netgear CVE-2020-11549 (An issue was discovered on NETGEAR Orbi Tri-Band Business WiFi Add-on ...) NOT-FOR-US: Netgear CVE-2020-11548 (The Search Meter plugin through 2.13.2 for WordPress allows user input ...) NOT-FOR-US: Search Meter plugin for WordPress CVE-2020-11547 (PRTG Network Monitor before 20.1.57.1745 allows remote unauthenticated ...) NOT-FOR-US: PRTG Network Monitor CVE-2020-11546 RESERVED CVE-2020-11545 (Project Worlds Official Car Rental System 1 is vulnerable to multiple ...) NOT-FOR-US: Project Worlds Official Car Rental System 1 CVE-2020-11544 (An issue was discovered in Project Worlds Official Car Rental System 1 ...) NOT-FOR-US: Project Worlds Official Car Rental System 1 CVE-2020-11543 (OpsRamp Gateway before 5.5.0 has a backdoor account vadmin with the pa ...) NOT-FOR-US: OpsRamp Gateway CVE-2020-11542 (3xLOGIC Infinias eIDC32 2.213 devices with Web 1.107 allow Authenticat ...) NOT-FOR-US: 3xLOGIC Infinias eIDC32 2.213 devices CVE-2020-11541 (In TechSmith SnagIt 11.2.1 through 20.0.3, an XML External Entity (XXE ...) NOT-FOR-US: TechSmith SnagIt CVE-2020-11540 RESERVED CVE-2020-11539 (An issue was discovered on Tata Sonata Smart SF Rush 1.12 devices. It ...) NOT-FOR-US: Tata Sonata Smart SF Rush 1.12 devices CVE-2020-11538 (In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out- ...) - pillow [jessie] - pillow (Minor issue) NOTE: https://github.com/python-pillow/Pillow/pull/4504 NOTE: https://github.com/python-pillow/Pillow/pull/4538 NOTE: Fixed in 7.1.0 CVE-2020-11537 (A SQL Injection issue was discovered in ONLYOFFICE Document Server 5.5 ...) NOT-FOR-US: ONLYOFFICE Document Server CVE-2020-11536 (An issue was discovered in ONLYOFFICE Document Server 5.5.0. An attack ...) NOT-FOR-US: ONLYOFFICE Document Server CVE-2020-11535 (An issue was discovered in ONLYOFFICE Document Server 5.5.0. An attack ...) NOT-FOR-US: ONLYOFFICE Document Server CVE-2020-11534 (An issue was discovered in ONLYOFFICE Document Server 5.5.0. An attack ...) NOT-FOR-US: ONLYOFFICE Document Server CVE-2020-11533 (Ivanti Workspace Control before 10.4.30.0, when SCCM integration is en ...) NOT-FOR-US: Ivanti Workspace Control CVE-2020-11532 (Zoho ManageEngine DataSecurity Plus prior to 6.0.1 uses default admin ...) NOT-FOR-US: Zoho ManageEngine DataSecurity Plus CVE-2020-11531 (The DataEngine Xnode Server application in Zoho ManageEngine DataSecur ...) NOT-FOR-US: Zoho ManageEngine DataSecurity Plus CVE-2020-11530 (A blind SQL injection vulnerability is present in Chop Slider 3, a Wor ...) NOT-FOR-US: Chop Slider 3 WordPress plugin CVE-2020-11529 (Common/Grav.php in Grav before 1.6.23 has an Open Redirect. ...) NOT-FOR-US: Grav CMS CVE-2020-11528 (bit2spr 1992-06-07 has a stack-based buffer overflow (129-byte write) ...) NOT-FOR-US: bit2spr CVE-2020-11527 (In Zoho ManageEngine OpManager before 12.4.181, an unauthenticated rem ...) NOT-FOR-US: Zoho CVE-2020-11526 (libfreerdp/core/update.c in FreeRDP versions > 1.1 through 2.0.0-rc ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-97jw-m5w5-xvf9 NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/192856cb59974ee4d7d3e72cbeafa676aa7565cf NOTE: https://github.com/FreeRDP/FreeRDP/issues/6012 CVE-2020-11525 (libfreerdp/cache/bitmap.c in FreeRDP versions > 1.0 through 2.0.0-r ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9755-fphh-gmjg NOTE: https://github.com/FreeRDP/FreeRDP/commit/0b6b92a25a77d533b8a92d6acc840a81e103684e CVE-2020-11524 (libfreerdp/codec/interleaved.c in FreeRDP versions > 1.0 through 2. ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cgw8-3mp2-p5qw NOTE: https://github.com/FreeRDP/FreeRDP/commit/7b1d4b49391b4512402840431757703a96946820 CVE-2020-11523 (libfreerdp/gdi/region.c in FreeRDP versions > 1.0 through 2.0.0-rc4 ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4qrh-8cp8-4x42 NOTE: https://github.com/FreeRDP/FreeRDP/commit/ce21b9d7ecd967e0bc98ed31a6b3757848aa6c9e CVE-2020-11522 (libfreerdp/gdi/gdi.c in FreeRDP > 1.0 through 2.0.0-rc4 has an Out- ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-48wx-7vgj-fffh NOTE: https://github.com/FreeRDP/FreeRDP/commit/907640a924fa7a9a99c80a48ac225e9d8e41548b CVE-2020-11521 (libfreerdp/codec/planar.c in FreeRDP version > 1.0 through 2.0.0-rc ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5cwc-6wc9-255w NOTE: https://github.com/FreeRDP/FreeRDP/commit/17f547ae11835bb11baa3d045245dc1694866845 CVE-2020-11520 (The SDDisk2k.sys driver of WinMagic SecureDoc v8.5 and earlier allows ...) NOT-FOR-US: WinMagic SecureDoc CVE-2020-11519 (The SDDisk2k.sys driver of WinMagic SecureDoc v8.5 and earlier allows ...) NOT-FOR-US: WinMagic SecureDoc CVE-2020-11518 (Zoho ManageEngine ADSelfService Plus before 5815 allows unauthenticate ...) NOT-FOR-US: Zoho CVE-2020-11517 RESERVED CVE-2020-11516 (Stored XSS in the Contact Form 7 Datepicker plugin through 2.6.0 for W ...) NOT-FOR-US: Contact Form 7 Datepicker plugin for WordPress CVE-2020-11515 (The Rank Math plugin through 1.0.40.2 for WordPress allows unauthentic ...) NOT-FOR-US: Rank Math plugin for WordPress CVE-2020-11514 (The Rank Math plugin through 1.0.40.2 for WordPress allows unauthentic ...) NOT-FOR-US: Rank Math plugin for WordPress CVE-2020-11513 RESERVED CVE-2020-11512 (Stored XSS in the IMPress for IDX Broker WordPress plugin before 2.6.2 ...) NOT-FOR-US: IMPress for IDX Broker WordPress plugin CVE-2020-11511 RESERVED CVE-2020-11510 RESERVED CVE-2020-11509 (An XSS vulnerability in the WP Lead Plus X plugin through 0.98 for Wor ...) NOT-FOR-US: WP Lead Plus X plugin for WordPress CVE-2020-11508 (An XSS vulnerability in the WP Lead Plus X plugin through 0.98 for Wor ...) NOT-FOR-US: WP Lead Plus X plugin for WordPress CVE-2020-11507 (An Untrusted Search Path vulnerability in Malwarebytes AdwCleaner 8.0. ...) NOT-FOR-US: Malwarebytes AdwCleaner CVE-2020-11506 (An issue was discovered in GitLab 10.7.0 and later through 12.9.2. A W ...) - gitlab NOTE: https://about.gitlab.com/releases/2020/04/14/critical-security-release-gitlab-12-dot-9-dot-3-released/ CVE-2020-11505 (An issue was discovered in GitLab Community Edition (CE) and Enterpris ...) - gitlab (Only affects GitLab EE 12.8.0 and later) NOTE: https://about.gitlab.com/releases/2020/04/14/critical-security-release-gitlab-12-dot-9-dot-3-released/ CVE-2020-11504 RESERVED CVE-2020-11503 (A heap-based buffer overflow in the awarrensmtp component of Sophos XG ...) NOT-FOR-US: Sophos CVE-2020-11502 RESERVED CVE-2020-11500 (Zoom Client for Meetings through 4.6.9 uses the ECB mode of AES for vi ...) NOT-FOR-US: Zoom CVE-2020-11499 (Firmware Analysis and Comparison Tool (FACT) 3 has Stored XSS when upd ...) NOT-FOR-US: Firmware Analysis and Comparison Tool CVE-2020-11498 (Slack Nebula through 1.1.0 contains a relative path vulnerability that ...) NOT-FOR-US: Slack Nebula CVE-2020-11497 RESERVED CVE-2020-11496 RESERVED CVE-2020-11495 REJECTED CVE-2020-11494 (An issue was discovered in slc_bump in drivers/net/can/slcan.c in the ...) {DSA-4698-1 DLA-2242-1 DLA-2241-1} - linux 5.5.17-1 [buster] - linux 4.19.118-1 NOTE: https://lore.kernel.org/netdev/20200401100639.20199-1-rpalethorpe@suse.com/ CVE-2020-11493 RESERVED CVE-2020-11492 (An issue was discovered in Docker Desktop through 2.2.0.5 on Windows. ...) NOT-FOR-US: Docker Desktop on Windows CVE-2020-11491 (Monitoring::Logs in Zen Load Balancer 3.10.1 allows remote authenticat ...) NOT-FOR-US: Zen Load Balancer CVE-2020-11490 (Manage::Certificates in Zen Load Balancer 3.10.1 allows remote authent ...) NOT-FOR-US: Zen Load Balancer CVE-2020-11489 RESERVED CVE-2020-11488 RESERVED CVE-2020-11487 RESERVED CVE-2020-11486 RESERVED CVE-2020-11485 RESERVED CVE-2020-11484 RESERVED CVE-2020-11483 RESERVED CVE-2019-20635 (codeBeamer before 9.5.0-RC3 does not properly restrict the ability to ...) NOT-FOR-US: codeBeamer CVE-2020-11501 (GnuTLS 3.6.x before 3.6.13 uses incorrect cryptography for DTLS. The e ...) {DSA-4652-1} - gnutls28 3.6.13-2 (bug #955556) [stretch] - gnutls28 (Vulnerable code introduced later) [jessie] - gnutls28 (Vulnerable code introduced later) NOTE: https://gitlab.com/gnutls/gnutls/-/issues/960 NOTE: https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-03-31 NOTE: Fixed by: https://gitlab.com/gnutls/gnutls/-/commit/c01011c2d8533dbbbe754e49e256c109cb848d0d (3.6.13) NOTE: Broken-by: https://gitlab.com/gnutls/gnutls/-/commit/bcf4de0371efbdf0846388e2df0cb14b5db09954 (gnutls_3_6_3) CVE-2020-11482 RESERVED CVE-2020-11481 RESERVED CVE-2020-11480 RESERVED CVE-2020-11479 RESERVED CVE-2020-11478 RESERVED CVE-2020-11477 RESERVED CVE-2020-11476 RESERVED CVE-2020-11475 RESERVED CVE-2020-11474 RESERVED CVE-2020-11473 RESERVED CVE-2020-11472 RESERVED CVE-2020-11471 RESERVED CVE-2020-11470 (Zoom Client for Meetings through 4.6.8 on macOS has the disable-librar ...) NOT-FOR-US: Zoom CVE-2020-11469 (Zoom Client for Meetings through 4.6.8 on macOS copies runwithroot to ...) NOT-FOR-US: Zoom CVE-2020-11468 RESERVED CVE-2020-11467 (An issue was discovered in Deskpro before 2019.8.0. This product enabl ...) NOT-FOR-US: Deskpro CVE-2020-11466 (An issue was discovered in Deskpro before 2019.8.0. The /api/tickets e ...) NOT-FOR-US: Deskpro CVE-2020-11465 (An issue was discovered in Deskpro before 2019.8.0. The /api/apps/* en ...) NOT-FOR-US: Deskpro CVE-2020-11464 (An issue was discovered in Deskpro before 2019.8.0. The /api/people en ...) NOT-FOR-US: Deskpro CVE-2020-11463 (An issue was discovered in Deskpro before 2019.8.0. The /api/email_acc ...) NOT-FOR-US: Deskpro CVE-2020-11462 (An issue was discovered in OpenVPN Access Server before 2.7.0 and 2.8. ...) NOT-FOR-US: OpenVPN Access Server CVE-2020-11461 RESERVED CVE-2020-11460 RESERVED CVE-2020-11459 RESERVED CVE-2020-11458 (app/Model/feed.php in MISP before 2.4.124 allows administrators to cho ...) NOT-FOR-US: MISP CVE-2020-11457 (pfSense before 2.4.5 has stored XSS in system_usermanager_addprivs.php ...) NOT-FOR-US: pfSense CVE-2020-11456 (LimeSurvey before 4.1.12+200324 has stored XSS in application/views/ad ...) - limesurvey (bug #472802) CVE-2020-11455 (LimeSurvey before 4.1.12+200324 contains a path traversal vulnerabilit ...) - limesurvey (bug #472802) CVE-2020-11454 (Microstrategy Web 10.4 is vulnerable to Stored XSS in the HTML Contain ...) NOT-FOR-US: Microstrategy Web CVE-2020-11453 (** DISPUTED ** Microstrategy Web 10.4 is vulnerable to Server-Side Req ...) NOT-FOR-US: Microstrategy Web CVE-2020-11452 (Microstrategy Web 10.4 includes functionality to allow users to import ...) NOT-FOR-US: Microstrategy Web CVE-2020-11451 (The Upload Visualization plugin in the Microstrategy Web 10.4 admin pa ...) NOT-FOR-US: Microstrategy Web CVE-2020-11450 (Microstrategy Web 10.4 exposes the JVM configuration, CPU architecture ...) NOT-FOR-US: Microstrategy Web CVE-2020-11449 (An issue was discovered on Technicolor TC7337 8.89.17 devices. An atta ...) NOT-FOR-US: Technicolor devices CVE-2020-11448 RESERVED CVE-2020-11447 RESERVED CVE-2020-11446 (ESET Antivirus and Antispyware Module module 1553 through 1560 allows ...) NOT-FOR-US: ESET CVE-2020-11445 (TP-Link cloud cameras through 2020-02-09 allow remote attackers to byp ...) NOT-FOR-US: TP-Link CVE-2020-11444 (Sonatype Nexus Repository Manager 3.x up to and including 3.21.2 has I ...) NOT-FOR-US: Sonatype Nexus Repository Manager CVE-2020-11443 (The Zoom IT installer for Windows (ZoomInstallerFull.msi) prior to ver ...) NOT-FOR-US: Zoom CVE-2020-11442 RESERVED CVE-2020-11441 (** DISPUTED ** phpMyAdmin 5.0.2 allows CRLF injection, as demonstrated ...) - phpmyadmin [jessie] - phpmyadmin (The pma_error display code does not exist in this version) NOTE: https://github.com/phpmyadmin/phpmyadmin/issues/16056 CVE-2020-11440 RESERVED CVE-2020-11439 RESERVED CVE-2020-11438 RESERVED CVE-2020-11437 RESERVED CVE-2020-11436 RESERVED CVE-2020-11435 RESERVED CVE-2020-11434 RESERVED CVE-2020-11433 RESERVED CVE-2020-11432 RESERVED CVE-2020-11431 (The documentation component in i-net Clear Reports 16.0 to 19.2, HelpD ...) NOT-FOR-US: i-net CVE-2020-11430 RESERVED CVE-2020-11429 RESERVED CVE-2020-11428 RESERVED CVE-2020-11427 RESERVED CVE-2020-11426 RESERVED CVE-2020-11425 RESERVED CVE-2020-11424 RESERVED CVE-2020-11423 RESERVED CVE-2020-11422 RESERVED CVE-2020-11421 RESERVED CVE-2020-11420 (UPS Adapter CS141 before 1.90 allows Directory Traversal. An attacker ...) NOT-FOR-US: UPS Adapter CS141 CVE-2020-11419 RESERVED CVE-2020-11418 RESERVED CVE-2020-11417 RESERVED CVE-2020-11416 (JetBrains Space through 2020-04-22 allows stored XSS in Chats. ...) NOT-FOR-US: JetBrains Space CVE-2020-11415 (An issue was discovered in Sonatype Nexus Repository Manager 2.x befor ...) NOT-FOR-US: Sonatype Nexus Repository Manager CVE-2020-11414 (An issue was discovered in Progress Telerik UI for Silverlight before ...) NOT-FOR-US: Progress Telerik UI CVE-2020-11413 RESERVED CVE-2020-11412 RESERVED CVE-2020-11411 RESERVED CVE-2020-11410 RESERVED CVE-2020-11409 RESERVED CVE-2020-11408 RESERVED CVE-2020-11407 RESERVED CVE-2020-11406 RESERVED CVE-2020-11405 RESERVED CVE-2020-11404 RESERVED CVE-2020-11403 RESERVED CVE-2020-11402 RESERVED CVE-2020-11401 RESERVED CVE-2020-11400 RESERVED CVE-2020-11399 RESERVED CVE-2020-11398 RESERVED CVE-2020-11397 RESERVED CVE-2020-11396 RESERVED CVE-2020-11395 RESERVED CVE-2020-11394 RESERVED CVE-2020-11393 RESERVED CVE-2020-11392 RESERVED CVE-2020-11391 RESERVED CVE-2020-11390 RESERVED CVE-2020-11389 RESERVED CVE-2020-11388 RESERVED CVE-2020-11387 RESERVED CVE-2020-11386 RESERVED CVE-2020-11385 RESERVED CVE-2020-11384 RESERVED CVE-2020-11383 RESERVED CVE-2020-11382 RESERVED CVE-2020-11381 RESERVED CVE-2020-11380 RESERVED CVE-2020-11379 RESERVED CVE-2020-11378 RESERVED CVE-2020-11377 RESERVED CVE-2020-11376 RESERVED CVE-2020-11375 RESERVED CVE-2020-11374 RESERVED CVE-2020-11373 RESERVED CVE-2020-11372 RESERVED CVE-2020-11371 RESERVED CVE-2020-11370 RESERVED CVE-2020-11369 RESERVED CVE-2020-11368 RESERVED CVE-2020-11367 RESERVED CVE-2020-11366 RESERVED CVE-2020-11365 RESERVED CVE-2020-11364 RESERVED CVE-2020-11363 RESERVED CVE-2020-11362 RESERVED CVE-2020-11361 RESERVED CVE-2020-11360 RESERVED CVE-2020-11359 RESERVED CVE-2020-11358 RESERVED CVE-2020-11357 RESERVED CVE-2020-11356 RESERVED CVE-2020-11355 RESERVED CVE-2020-11354 RESERVED CVE-2020-11353 RESERVED CVE-2020-11352 RESERVED CVE-2020-11351 RESERVED CVE-2020-11350 RESERVED CVE-2020-11349 RESERVED CVE-2020-11348 RESERVED CVE-2020-11347 RESERVED CVE-2020-11346 RESERVED CVE-2020-11345 RESERVED CVE-2020-11344 RESERVED CVE-2020-11343 RESERVED CVE-2020-11342 RESERVED CVE-2020-11341 RESERVED CVE-2020-11340 RESERVED CVE-2020-11339 RESERVED CVE-2020-11338 RESERVED CVE-2020-11337 RESERVED CVE-2020-11336 RESERVED CVE-2020-11335 RESERVED CVE-2020-11334 RESERVED CVE-2020-11333 RESERVED CVE-2020-11332 RESERVED CVE-2020-11331 RESERVED CVE-2020-11330 RESERVED CVE-2020-11329 RESERVED CVE-2020-11328 RESERVED CVE-2020-11327 RESERVED CVE-2020-11326 RESERVED CVE-2020-11325 RESERVED CVE-2020-11324 RESERVED CVE-2020-11323 RESERVED CVE-2020-11322 RESERVED CVE-2020-11321 RESERVED CVE-2020-11320 RESERVED CVE-2020-11319 RESERVED CVE-2020-11318 RESERVED CVE-2020-11317 RESERVED CVE-2020-11316 RESERVED CVE-2020-11315 RESERVED CVE-2020-11314 RESERVED CVE-2020-11313 RESERVED CVE-2020-11312 RESERVED CVE-2020-11311 RESERVED CVE-2020-11310 RESERVED CVE-2020-11309 RESERVED CVE-2020-11308 RESERVED CVE-2020-11307 RESERVED CVE-2020-11306 RESERVED CVE-2020-11305 RESERVED CVE-2020-11304 RESERVED CVE-2020-11303 RESERVED CVE-2020-11302 RESERVED CVE-2020-11301 RESERVED CVE-2020-11300 RESERVED CVE-2020-11299 RESERVED CVE-2020-11298 RESERVED CVE-2020-11297 RESERVED CVE-2020-11296 RESERVED CVE-2020-11295 RESERVED CVE-2020-11294 RESERVED CVE-2020-11293 RESERVED CVE-2020-11292 RESERVED CVE-2020-11291 RESERVED CVE-2020-11290 RESERVED CVE-2020-11289 RESERVED CVE-2020-11288 RESERVED CVE-2020-11287 RESERVED CVE-2020-11286 RESERVED CVE-2020-11285 RESERVED CVE-2020-11284 RESERVED CVE-2020-11283 RESERVED CVE-2020-11282 RESERVED CVE-2020-11281 RESERVED CVE-2020-11280 RESERVED CVE-2020-11279 RESERVED CVE-2020-11278 RESERVED CVE-2020-11277 RESERVED CVE-2020-11276 RESERVED CVE-2020-11275 RESERVED CVE-2020-11274 RESERVED CVE-2020-11273 RESERVED CVE-2020-11272 RESERVED CVE-2020-11271 RESERVED CVE-2020-11270 RESERVED CVE-2020-11269 RESERVED CVE-2020-11268 RESERVED CVE-2020-11267 RESERVED CVE-2020-11266 RESERVED CVE-2020-11265 RESERVED CVE-2020-11264 RESERVED CVE-2020-11263 RESERVED CVE-2020-11262 RESERVED CVE-2020-11261 RESERVED CVE-2020-11260 RESERVED CVE-2020-11259 RESERVED CVE-2020-11258 RESERVED CVE-2020-11257 RESERVED CVE-2020-11256 RESERVED CVE-2020-11255 RESERVED CVE-2020-11254 RESERVED CVE-2020-11253 RESERVED CVE-2020-11252 RESERVED CVE-2020-11251 RESERVED CVE-2020-11250 RESERVED CVE-2020-11249 RESERVED CVE-2020-11248 RESERVED CVE-2020-11247 RESERVED CVE-2020-11246 RESERVED CVE-2020-11245 RESERVED CVE-2020-11244 RESERVED CVE-2020-11243 RESERVED CVE-2020-11242 RESERVED CVE-2020-11241 RESERVED CVE-2020-11240 RESERVED CVE-2020-11239 RESERVED CVE-2020-11238 RESERVED CVE-2020-11237 RESERVED CVE-2020-11236 RESERVED CVE-2020-11235 RESERVED CVE-2020-11234 RESERVED CVE-2020-11233 RESERVED CVE-2020-11232 RESERVED CVE-2020-11231 RESERVED CVE-2020-11230 RESERVED CVE-2020-11229 RESERVED CVE-2020-11228 RESERVED CVE-2020-11227 RESERVED CVE-2020-11226 RESERVED CVE-2020-11225 RESERVED CVE-2020-11224 RESERVED CVE-2020-11223 RESERVED CVE-2020-11222 RESERVED CVE-2020-11221 RESERVED CVE-2020-11220 RESERVED CVE-2020-11219 RESERVED CVE-2020-11218 RESERVED CVE-2020-11217 RESERVED CVE-2020-11216 RESERVED CVE-2020-11215 RESERVED CVE-2020-11214 RESERVED CVE-2020-11213 RESERVED CVE-2020-11212 RESERVED CVE-2020-11211 RESERVED CVE-2020-11210 RESERVED CVE-2020-11209 RESERVED CVE-2020-11208 RESERVED CVE-2020-11207 RESERVED CVE-2020-11206 RESERVED CVE-2020-11205 RESERVED CVE-2020-11204 RESERVED CVE-2020-11203 RESERVED CVE-2020-11202 RESERVED CVE-2020-11201 RESERVED CVE-2020-11200 RESERVED CVE-2020-11199 RESERVED CVE-2020-11198 RESERVED CVE-2020-11197 RESERVED CVE-2020-11196 RESERVED CVE-2020-11195 RESERVED CVE-2020-11194 RESERVED CVE-2020-11193 RESERVED CVE-2020-11192 RESERVED CVE-2020-11191 RESERVED CVE-2020-11190 RESERVED CVE-2020-11189 RESERVED CVE-2020-11188 RESERVED CVE-2020-11187 RESERVED CVE-2020-11186 RESERVED CVE-2020-11185 RESERVED CVE-2020-11184 RESERVED CVE-2020-11183 RESERVED CVE-2020-11182 RESERVED CVE-2020-11181 RESERVED CVE-2020-11180 RESERVED CVE-2020-11179 RESERVED CVE-2020-11178 RESERVED CVE-2020-11177 RESERVED CVE-2020-11176 RESERVED CVE-2020-11175 RESERVED CVE-2020-11174 RESERVED CVE-2020-11173 RESERVED CVE-2020-11172 RESERVED CVE-2020-11171 RESERVED CVE-2020-11170 RESERVED CVE-2020-11169 RESERVED CVE-2020-11168 RESERVED CVE-2020-11167 RESERVED CVE-2020-11166 RESERVED CVE-2020-11165 RESERVED CVE-2020-11164 RESERVED CVE-2020-11163 RESERVED CVE-2020-11162 RESERVED CVE-2020-11161 RESERVED CVE-2020-11160 RESERVED CVE-2020-11159 RESERVED CVE-2020-11158 RESERVED CVE-2020-11157 RESERVED CVE-2020-11156 RESERVED CVE-2020-11155 RESERVED CVE-2020-11154 RESERVED CVE-2020-11153 RESERVED CVE-2020-11152 RESERVED CVE-2020-11151 RESERVED CVE-2020-11150 RESERVED CVE-2020-11149 RESERVED CVE-2020-11148 RESERVED CVE-2020-11147 RESERVED CVE-2020-11146 RESERVED CVE-2020-11145 RESERVED CVE-2020-11144 RESERVED CVE-2020-11143 RESERVED CVE-2020-11142 RESERVED CVE-2020-11141 RESERVED CVE-2020-11140 RESERVED CVE-2020-11139 RESERVED CVE-2020-11138 RESERVED CVE-2020-11137 RESERVED CVE-2020-11136 RESERVED CVE-2020-11135 RESERVED CVE-2020-11134 RESERVED CVE-2020-11133 RESERVED CVE-2020-11132 RESERVED CVE-2020-11131 RESERVED CVE-2020-11130 RESERVED CVE-2020-11129 RESERVED CVE-2020-11128 RESERVED CVE-2020-11127 RESERVED CVE-2020-11126 RESERVED CVE-2020-11125 RESERVED CVE-2020-11124 RESERVED CVE-2020-11123 RESERVED CVE-2020-11122 RESERVED CVE-2020-11121 RESERVED CVE-2020-11120 RESERVED CVE-2020-11119 RESERVED CVE-2020-11118 RESERVED CVE-2020-11117 RESERVED CVE-2020-11116 RESERVED CVE-2020-11115 RESERVED CVE-2020-11114 RESERVED CVE-2020-5291 (Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode a ...) - bubblewrap 0.4.1-1 (low; bug #955441) [buster] - bubblewrap (Introduced in 0.4.0) [stretch] - bubblewrap (Introduced in 0.4.0) NOTE: https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj NOTE: https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240 CVE-2020-11113 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2179-1} - jackson-databind [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2670 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. CVE-2020-11112 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2179-1} - jackson-databind [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2666 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. CVE-2020-11111 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2179-1} - jackson-databind [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2664 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. CVE-2020-11110 RESERVED CVE-2020-11109 RESERVED CVE-2020-11108 (The Gravity updater in Pi-hole through 4.4 allows an authenticated adv ...) NOT-FOR-US: Pi-hole CVE-2020-11107 (An issue was discovered in XAMPP before 7.2.29, 7.3.x before 7.3.16 , ...) NOT-FOR-US: XAMPP CVE-2020-11106 (An issue was discovered in Responsive Filemanager through 9.14.0. In t ...) NOT-FOR-US: Responsive Filemanager CVE-2020-11105 (An issue was discovered in USC iLab cereal through 1.3.0. It employs c ...) NOT-FOR-US: USC iLab cereal CVE-2020-11104 (An issue was discovered in USC iLab cereal through 1.3.0. Serializatio ...) NOT-FOR-US: USC iLab cereal CVE-2020-11103 RESERVED CVE-2020-11102 (hw/net/tulip.c in QEMU 4.2.0 has a buffer overflow during the copying ...) - qemu 1:4.2-4 (bug #956145) [buster] - qemu (Vulnerable code/Tulip NIC emulator added later) [stretch] - qemu (Vulnerable code/Tulip NIC emulator added later) [jessie] - qemu (Vulnerable code/Tulip NIC emulator added later) - qemu-kvm (Vulnerable code/Tulip NIC emulator added later) NOTE: https://www.openwall.com/lists/oss-security/2020/04/06/1 NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=8ffb7265af64ec81748335ec8f20e7ab542c3850 (v5.0.0-rc1) CVE-2020-11101 RESERVED CVE-2020-11100 (In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 ...) {DSA-4649-1} - haproxy 2.0.13-2 [stretch] - haproxy (Vulnerable code introduced in 1.8) [jessie] - haproxy (Vulnerable code introduced in 1.8) NOTE: https://git.haproxy.org/?p=haproxy-2.1.git;a=commit;h=f17f86304f187b0f10ca6a8d46346afd9851a543 CVE-2019-20634 (An issue was discovered in Proofpoint Email Protection through 2019-09 ...) NOT-FOR-US: Proofpoint Email Protection CVE-2016-11024 (odata4j 0.7.0 allows ExecuteJPQLQueryCommand.java SQL injection. NOTE: ...) NOT-FOR-US: odata4j CVE-2016-11023 (odata4j 0.7.0 allows ExecuteCountQueryCommand.java SQL injection. NOTE ...) NOT-FOR-US: odata4j CVE-2020-11099 (In FreeRDP before version 2.1.2, there is an out of bounds read in lic ...) - freerdp2 2.1.2+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-977w-866x-4v5h CVE-2020-11098 (In FreeRDP before version 2.1.2, there is an out-of-bound read in glyp ...) - freerdp2 2.1.2+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-jr57-f58x-hjmv CVE-2020-11097 (In FreeRDP before version 2.1.2, an out of bounds read occurs resultin ...) - freerdp2 2.1.2+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c8x2-c3c9-9r3f CVE-2020-11096 (In FreeRDP before version 2.1.2, there is a global OOB read in update_ ...) - freerdp2 2.1.2+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mjw7-3mq2-996x CVE-2020-11095 (In FreeRDP before version 2.1.2, an out of bound reads occurs resultin ...) - freerdp2 2.1.2+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-563r-pvh7-4fw2 CVE-2020-11094 (The October CMS debugbar plugin before version 3.1.0 contains a featur ...) NOT-FOR-US: October CMS CVE-2020-11093 RESERVED CVE-2020-11092 RESERVED CVE-2020-11091 (In Weave Net before version 2.6.3, an attacker able to run a process a ...) NOT-FOR-US: Weave Net CVE-2020-11090 (In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vul ...) NOT-FOR-US: Indy Node CVE-2020-11089 (In FreeRDP before 2.1.0, there is an out-of-bound read in irp function ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hfc7-c5gv-8c2h CVE-2020-11088 (In FreeRDP less than or equal to 2.0.0, there is an out-of-bound read ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-xh4f-fh87-43hp CVE-2020-11087 (In FreeRDP less than or equal to 2.0.0, there is an out-of-bound read ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-84vj-g73m-chw7 CVE-2020-11086 (In FreeRDP less than or equal to 2.0.0, there is an out-of-bound read ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-fg8v-w34r-c974 CVE-2020-11085 (In FreeRDP before 2.1.0, there is an out-of-bounds read in cliprdr_rea ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-2j4w-v45m-95hf CVE-2020-11084 RESERVED CVE-2020-11083 RESERVED CVE-2020-11082 (In Kaminari before 1.2.1, there is a vulnerability that would allow an ...) - ruby-kaminari 1.0.1-6 (bug #961847) [jessie] - ruby-kaminari (No reverse dependency) NOTE: https://github.com/kaminari/kaminari/security/advisories/GHSA-r5jw-62xg-j433 NOTE: https://github.com/kaminari/kaminari/commit/8dd52a1aed3d2fa2835d836de23fc0d8c4ff5db8 CVE-2020-11081 RESERVED CVE-2020-11080 (In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS fra ...) {DSA-4696-1} - nodejs 10.21.0~dfsg-1 (bug #962145) [stretch] - nodejs (Nodejs in stretch not covered by security support) [jessie] - nodejs (Nodejs in jessie not covered by security support) NOTE: https://nodejs.org/en/blog/vulnerability/june-2020-security-releases/#http-2-large-settings-frame-dos-low-cve-2020-11080 CVE-2020-11079 (node-dns-sync (npm module dns-sync) through 0.2.0 allows execution of ...) NOT-FOR-US: dns-sync nodejs module CVE-2020-11078 (In httplib2 before version 0.18.0, an attacker controlling unescaped p ...) {DLA-2232-1} - python-httplib2 0.18.1-1 [buster] - python-httplib2 (Minor issue) [stretch] - python-httplib2 (Minor issue) NOTE: https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq NOTE: https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e CVE-2020-11077 (In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a re ...) - puma NOTE: https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm CVE-2020-11076 (In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle a ...) - puma NOTE: https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h NOTE: https://github.com/puma/puma/commit/f24d5521295a2152c286abb0a45a1e1e2bd275bd CVE-2020-11075 (In Anchore Engine version 0.7.0, a specially crafted container image m ...) NOT-FOR-US: Anchore Engine CVE-2020-11074 (In PrestaShop from version 1.5.3.0 and before version 1.7.6.6, there i ...) NOT-FOR-US: PrestaShop CVE-2020-11073 (In Autoswitch Python Virtualenv before version 0.16.0, a user who ente ...) NOT-FOR-US: zsh-autoswitch-virtualenv CVE-2020-11072 (In SLP Validate (npm package slp-validate) before version 1.2.1, users ...) NOT-FOR-US: Node slp-validate CVE-2020-11071 (SLPJS (npm package slpjs) before version 0.27.2, has a vulnerability w ...) NOT-FOR-US: Node slpjs CVE-2020-11070 (The SVG Sanitizer extension for TYPO3 has a cross-site scripting vulne ...) NOT-FOR-US: TYPO3 CVE-2020-11069 (In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has be ...) NOT-FOR-US: TYPO3 CVE-2020-11068 (In LoRaMac-node before 4.4.4, a reception buffer overflow can happen d ...) NOT-FOR-US: LoRaMac-node CVE-2020-11067 (In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has be ...) NOT-FOR-US: TYPO3 CVE-2020-11066 (In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and g ...) NOT-FOR-US: TYPO3 CVE-2020-11065 (In TYPO3 CMS greater than or equal to 9.5.12 and less than 9.5.17, and ...) NOT-FOR-US: TYPO3 CVE-2020-11064 (In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and g ...) NOT-FOR-US: TYPO3 CVE-2020-11063 (In TYPO3 CMS versions 10.4.0 and 10.4.1, it has been discovered that t ...) NOT-FOR-US: TYPO3 CVE-2020-11062 (In GLPI after 0.68.1 and before 9.4.6, multiple reflexive XSS occur in ...) - glpi (unimportant) NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-3xxh-f5p2-jg3h NOTE: https://github.com/glpi-project/glpi/commit/5e1c52c5e8a30ceb4e9572964da7ed89ddfb1aaf NOTE: Only supported behind an authenticated HTTP zone CVE-2020-11061 RESERVED CVE-2020-11060 (In GLPI before 9.4.6, an attacker can execute system commands by abusi ...) - glpi (unimportant) NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-cvvq-3fww-5v6f NOTE: https://github.com/glpi-project/glpi/commit/ad748d59c94da177a3ed25111c453902396f320c NOTE: Only supported behind an authenticated HTTP zone CVE-2020-11059 (In AEgir greater than or equal to 21.7.0 and less than 21.10.1, aegir ...) NOT-FOR-US: AEgir CVE-2020-11058 (In FreeRDP after 1.1 and before 2.0.0, a stream out-of-bounds seek in ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-wjg2-2f82-466g NOTE: https://github.com/FreeRDP/FreeRDP/commit/3627aaf7d289315b614a584afb388f04abfb5bbf NOTE: https://github.com/FreeRDP/FreeRDP/issues/6011 CVE-2020-11057 (In XWiki Platform 7.2 through 11.10.2, registered users without script ...) NOT-FOR-US: XWiki CVE-2020-11056 (In Sprout Forms before 3.9.0, there is a potential Server-Side Templat ...) NOT-FOR-US: Sprout Forms CVE-2020-11055 (In BookStack greater than or equal to 0.18.0 and less than 0.29.2, the ...) NOT-FOR-US: BookStack CVE-2020-11054 (In qutebrowser versions less than 1.11.1, reloading a page with certif ...) - qutebrowser 1.11.1.post1-1 (unimportant) NOTE: https://github.com/qutebrowser/qutebrowser/issues/5403 NOTE: https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j NOTE: Depends on qtwebkit, which is not covered by security support CVE-2020-11053 (In OAuth2 Proxy before 5.1.1, there is an open redirect vulnerability. ...) NOT-FOR-US: OAuth2 Proxy CVE-2020-11052 (In Sorcery before 0.15.0, there is a brute force vulnerability when us ...) NOT-FOR-US: Sorcery CVE-2020-11051 (In Wiki.js before 2.3.81, there is a stored XSS in the Markdown editor ...) NOT-FOR-US: Wiki.js CVE-2020-11050 (In Java-WebSocket less than or equal to 1.4.1, there is an Improper Va ...) NOT-FOR-US: Java-WebSocket, different from src:websocket-api CVE-2020-11049 (In FreeRDP after 1.1 and before 2.0.0, there is an out-of-bound read o ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-wwh7-r2r8-xjpr NOTE: Fixed with: https://github.com/FreeRDP/FreeRDP/pull/6019 NOTE: https://github.com/FreeRDP/FreeRDP/issues/6008 CVE-2020-11048 (In FreeRDP after 1.0 and before 2.0.0, there is an out-of-bounds read. ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hv8w-f2hx-5gcv NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/9301bfe730c66180263248b74353daa99f5a969b NOTE: https://github.com/FreeRDP/FreeRDP/issues/6007 CVE-2020-11047 (In FreeRDP after 1.1 and before 2.0.0, there is an out-of-bounds read ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9fw6-m2q8-h5pw NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/f5e73cc7c9cd973b516a618da877c87b80950b65 NOTE: https://github.com/FreeRDP/FreeRDP/issues/6009 CVE-2020-11046 (In FreeRDP after 1.0 and before 2.0.0, there is a stream out-of-bounds ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hx48-wmmm-mr5q NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/ed53cd148f43cbab905eaa0f5308c2bf3c48cc37 NOTE: https://github.com/FreeRDP/FreeRDP/issues/6006 CVE-2020-11045 (In FreeRDP after 1.0 and before 2.0.0, there is an out-of-bound read i ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3x39-248q-f4q6 NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/f8890a645c221823ac133dbf991f8a65ae50d637 NOTE: https://github.com/FreeRDP/FreeRDP/issues/6005 CVE-2020-11044 (In FreeRDP greater than 1.2 and before 2.0.0, a double free in update_ ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp (Vulnerable code introduced later) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cgqh-p732-6x2w NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/67c2aa52b2ae0341d469071d1bc8aab91f8d2ed8 NOTE: https://github.com/FreeRDP/FreeRDP/issues/6013 CVE-2020-11043 (In FreeRDP less than or equal to 2.0.0, there is an out-of-bounds read ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5mr4-28w3-rc84 CVE-2020-11042 (In FreeRDP greater than 1.1 and before 2.0.0, there is an out-of-bound ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9jp6-5vf2-cx2q NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/6b2bc41935e53b0034fe5948aeeab4f32e80f30f NOTE: https://github.com/FreeRDP/FreeRDP/issues/6010 CVE-2020-11041 (In FreeRDP less than or equal to 2.0.0, an outside controlled array in ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-w67c-26c4-2h9w CVE-2020-11040 (In FreeRDP less than or equal to 2.0.0, there is an out-of-bound data ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-x4wq-m7c9-rjgr CVE-2020-11039 (In FreeRDP less than or equal to 2.0.0, when using a manipulated serve ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mx9p-f6q8-mqwq CVE-2020-11038 (In FreeRDP less than or equal to 2.0.0, an Integer Overflow to Buffer ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-h25x-cqr6-fp6g CVE-2020-11037 (In Wagtail before versions 2.7.2 and 2.8.2, a potential timing attack ...) NOT-FOR-US: Wagtail CVE-2020-11036 (In GLPI before version 9.4.6 there are multiple related stored XSS vul ...) - glpi (unimportant) NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-3g3h-rwhr-7385 NOTE: Only supported behind an authenticated HTTP zone CVE-2020-11035 (In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens ...) - glpi (unimportant) NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-w7q8-58qp-vmpf NOTE: Only supported behind an authenticated HTTP zone CVE-2020-11034 (In GLPI before version 9.4.6, there is a vulnerability that allows byp ...) - glpi (unimportant) NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-gxv6-xq9q-37hg NOTE: Only supported behind an authenticated HTTP zone CVE-2020-11033 (In GLPI from version 9.1 and before version 9.4.6, any API user with R ...) - glpi (unimportant) NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-rf54-3r4w-4h55 NOTE: Only supported behind an authenticated HTTP zone CVE-2020-11032 (In GLPI before version 9.4.6, there is a SQL injection vulnerability f ...) - glpi (unimportant) NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-344w-34h9-wwhh NOTE: Only supported behind an authenticated HTTP zone CVE-2020-11031 RESERVED CVE-2020-11030 (In affected versions of WordPress, a special payload can be crafted th ...) - wordpress 5.4.1+dfsg1-1 (bug #959391) [buster] - wordpress (Vulnerable code not present) [stretch] - wordpress (Vulnerable code not present) [jessie] - wordpress (Vulnerable code not present) NOTE: https://core.trac.wordpress.org/changeset/47636 NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-vccm-6gmc-qhjh NOTE: https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates NOTE: Fixed by: https://github.com/WordPress/wordpress-develop/commit/ec05c8b897ef4ae77fc0cba576573e90a726a52f CVE-2020-11029 (In affected versions of WordPress, a vulnerability in the stats() meth ...) {DSA-4677-1 DLA-2208-1} - wordpress 5.4.1+dfsg1-1 (bug #959391) NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-568w-8m88-8g2c NOTE: https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates NOTE: https://core.trac.wordpress.org/changeset/47637 NOTE: https://github.com/WordPress/wordpress-develop/935ab39e8ee754735a553c74d41270df1164ae56 (master) CVE-2020-11028 (In affected versions of WordPress, some private posts, which were prev ...) {DSA-4677-1 DLA-2208-1} - wordpress 5.4.1+dfsg1-1 (bug #959391) NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xhx9-759f-6p2w NOTE: https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates NOTE: https://core.trac.wordpress.org/changeset/47635 NOTE: https://github.com/WordPress/wordpress-develop/commit/8e11facb671932a6eefe0e7e4f3d63d39eef55b3 CVE-2020-11027 (In affected versions of WordPress, a password reset link emailed to a ...) {DSA-4677-1 DLA-2208-1} - wordpress 5.4.1+dfsg1-1 (bug #959391) NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-ww7v-jg8c-q6jw NOTE: https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates NOTE: https://core.trac.wordpress.org/changeset/47634 NOTE: https://github.com/WordPress/wordpress-develop/commit/4354d1fc5cd55a18bc24555b11db201d5eb87e0c (master) CVE-2020-11026 (In affected versions of WordPress, files with a specially crafted name ...) {DSA-4677-1 DLA-2208-1} - wordpress 5.4.1+dfsg1-1 (bug #959391) NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-3gw2-4656-pfr2 NOTE: https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates NOTE: https://core.trac.wordpress.org/changeset/47638 NOTE: https://github.com/WordPress/wordpress-develop/commit/74d6f9613b96a2948f7675513b8b7f8224bfc386 (master) CVE-2020-11025 (In affected versions of WordPress, a cross-site scripting (XSS) vulner ...) {DSA-4677-1} - wordpress 5.4.1+dfsg1-1 (bug #959391) [jessie] - wordpress (Vulnerable code not present) NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4mhg-j6fx-5g3c NOTE: https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates NOTE: https://core.trac.wordpress.org/changeset/47633 NOTE: https://github.com/WordPress/wordpress-develop/commit/cfb690cb8efaee32d55b10a7771afb0f1f47aab3 CVE-2020-11024 (In Moonlight iOS/tvOS before 4.0.1, the pairing process is vulnerable ...) NOT-FOR-US: Moonlight iOS/tvOS CVE-2020-11023 (In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, pa ...) {DSA-4693-1} - jquery [jessie] - jquery (Vulnerable code note present) - drupal7 [jessie] - drupal7 (Vulnerable code not embedded) - node-jquery 3.5.0+dfsg-2 NOTE: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6 NOTE: https://www.drupal.org/sa-core-2020-002 CVE-2020-11022 (In jQuery versions greater than or equal to 1.2 and before 3.5.0, pass ...) {DSA-4693-1} - jquery [jessie] - jquery (Vulnerable code note present) - node-jquery 3.5.0+dfsg-2 - drupal7 [jessie] - drupal7 (Vulnerable code not embedded) NOTE: https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2 NOTE: https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77 NOTE: https://www.drupal.org/sa-core-2020-002 CVE-2020-11021 (Actions Http-Client (NPM @actions/http-client) before version 1.0.8 ca ...) NOT-FOR-US: Actions Http-Client CVE-2020-11020 (Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4, 1.1. ...) - ruby-faye (bug #959392) NOTE: https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5 NOTE: https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e CVE-2020-11019 (In FreeRDP less than or equal to 2.0.0, when running with logger set t ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-wvrr-2f4r-hjvh CVE-2020-11018 (In FreeRDP less than or equal to 2.0.0, a possible resource exhaustion ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) [jessie] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8cvc-vcw7-6mfw CVE-2020-11017 (In FreeRDP less than or equal to 2.0.0, by providing manipulated input ...) - freerdp2 2.1.1+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) [jessie] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q5c8-fm29-q57c CVE-2020-11016 (IntelMQ Manager from version 1.1.0 and before version 2.1.1 has a vuln ...) NOT-FOR-US: IntelMQ Manager CVE-2020-11015 RESERVED CVE-2020-11014 (Electron-Cash-SLP before version 3.6.2 has a vulnerability. All token ...) NOT-FOR-US: Electron-Cash-SLP CVE-2020-11013 (Their is an information disclosure vulnerability in Helm from version ...) - helm-kubernetes (bug #910799) CVE-2020-11012 (MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authenticat ...) NOT-FOR-US: MinIO CVE-2020-11011 (In Phproject before version 1.7.8, there's a vulnerability which allow ...) NOT-FOR-US: Phproject CVE-2020-11010 (In Tortoise ORM before versions 0.15.23 and 0.16.6, various forms of S ...) NOT-FOR-US: Tortoise ORM CVE-2020-11009 (In Rundeck before version 3.2.6, authenticated users can craft a reque ...) NOT-FOR-US: Rundeck CVE-2020-11008 (Affected versions of Git have a vulnerability whereby Git can be trick ...) {DSA-4659-1 DLA-2182-1} - git 1:2.26.2-1 NOTE: https://lore.kernel.org/lkml/xmqq4kterq5s.fsf@gitster.c.googlers.com/ NOTE: https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7 NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=a88dbd2f8c7fd8c1e2f63483da03bd6928e8791f NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=73aafe9bc27585554181c58871a25e6d0f58a3dc NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=24036686c4af84c9e84e486ef3debab6e6d8e6b5 NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=8ba8ed568e2a3b75ee84c49ddffb026fde1a0a91 NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=a2b26ffb1a81aa23dd14453f4db05d8fe24ee7cc NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=fe29a9b7b0236d3d45c254965580d6aff7fa8504 NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=c44088ecc4b0722636e0a305f9608d3047197282 NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=e7fab62b736cca3416660636e46f0be8386a5030 NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=1a3609e402a062ef7b11f197fe96c28cabca132c CVE-2020-11007 (In Shopizer before version 2.11.0, using API or Controller based versi ...) NOT-FOR-US: Shopizer CVE-2020-11006 (In Shopizer before version 2.11.0, a script can be injected in various ...) NOT-FOR-US: Shopizer CVE-2020-11005 (The WindowsHello open source library (NuGet HaemmerElectronics.SeppPen ...) NOT-FOR-US: WindowsHello CVE-2020-11004 (SQL Injection was discovered in Admidio before version 3.3.13. The mai ...) NOT-FOR-US: Admidio CVE-2020-11003 (Oasis before version 2.15.0 has a potential DNS rebinding or CSRF vuln ...) NOT-FOR-US: Oasis (not the same as src:oasis) CVE-2020-11002 (dropwizard-validation before versions 2.0.3 and 1.3.21 has a remote co ...) NOT-FOR-US: dropwizard-validation CVE-2020-11001 (In Wagtail before versions 2.8.1 and 2.7.2, a cross-site scripting (XS ...) NOT-FOR-US: Wagtail CVE-2020-11000 (GreenBrowser before version 1.2 has a vulnerability where apps that re ...) NOT-FOR-US: GreenBrowser CVE-2020-10999 RESERVED CVE-2020-10998 RESERVED CVE-2020-10997 (Percona XtraBackup before 2.4.20 unintentionally writes the command li ...) - percona-xtrabackup (Vulnerable code introduced later) NOTE: https://jira.percona.com/browse/PXB-2142 NOTE: Introduced in: https://github.com/percona/percona-xtrabackup/commit/0b38ffc0f30f1b6d3ff7ed0f9cb3ab31a2ccad13 (percona-xtrabackup-2.4.11) NOTE: https://www.percona.com/blog/2020/04/16/cve-2020-10997-percona-xtrabackup-information-disclosure-of-command-line-arguments/ CVE-2020-10996 (An issue was discovered in Percona XtraDB Cluster before 5.7.28-31.41. ...) NOT-FOR-US: Percona XtraDB Cluster CVE-2020-10995 (PowerDNS Recursor from 4.1.0 up to and including 4.3.0 does not suffic ...) {DSA-4691-1} - pdns-recursor 4.3.1-1 [jessie] - pdns-recursor (Vulnerable code added later) [stretch] - pdns-recursor (No longer supported, see DSA 4691) NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html NOTE: https://www.openwall.com/lists/oss-security/2020/05/19/3 CVE-2020-10994 (In libImaging/Jpeg2KDecode.c in Pillow before 7.0.0, there are multipl ...) - pillow [jessie] - pillow (Minor issue) NOTE: https://github.com/python-pillow/Pillow/pull/4505 NOTE: https://github.com/python-pillow/Pillow/pull/4538 NOTE: Fixed in 7.1.0 CVE-2020-10993 (Osmand through 2.0.0 allow XXE because of binary/BinaryMapIndexReader. ...) NOT-FOR-US: Osmand CVE-2020-10992 (Azkaban through 3.84.0 allows XXE, related to validator/XmlValidatorMa ...) NOT-FOR-US: Azkaban CVE-2020-10991 (Mulesoft APIkit through 1.3.0 allows XXE because of validation/RestXml ...) NOT-FOR-US: Mulesoft APIkit CVE-2020-10990 (An XXE issue exists in Accenture Mercury before 1.12.28 because of the ...) NOT-FOR-US: Accenture Mercury CVE-2020-10989 RESERVED CVE-2020-10988 RESERVED CVE-2020-10987 RESERVED CVE-2020-10986 RESERVED CVE-2020-10985 RESERVED CVE-2020-10984 RESERVED CVE-2020-10983 RESERVED CVE-2020-10982 RESERVED CVE-2020-10981 (GitLab EE/CE 9.0 to 12.9 allows a maintainer to modify other maintaine ...) [experimental] - gitlab 12.8.8-1 - gitlab NOTE: https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ CVE-2020-10980 (GitLab EE/CE 8.0.rc1 to 12.9 is vulnerable to a blind SSRF in the FogB ...) [experimental] - gitlab 12.8.8-1 - gitlab NOTE: https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ CVE-2020-10979 (GitLab EE/CE 11.10 to 12.9 is leaking information on restricted CI pip ...) [experimental] - gitlab 12.8.8-1 - gitlab NOTE: https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ CVE-2020-10978 (GitLab EE/CE 8.11 to 12.9 is leaking information on Issues opened in a ...) [experimental] - gitlab 12.8.8-1 - gitlab NOTE: https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ CVE-2020-10977 (GitLab EE/CE 8.5 to 12.9 is vulnerable to a an path traversal when mov ...) [experimental] - gitlab 12.8.8-1 - gitlab NOTE: https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ CVE-2020-10976 (GitLab EE/CE 8.17 to 12.9 is vulnerable to information leakage when qu ...) [experimental] - gitlab 12.8.8-1 - gitlab NOTE: https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ CVE-2020-10975 (GitLab EE/CE 10.8 to 12.9 is leaking metadata and comments on vulnerab ...) [experimental] - gitlab 12.8.8-1 - gitlab NOTE: https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ CVE-2020-10974 (An issue was discovered on Wavlink WL-WN579G3 - M79X3.V5030.180719 and ...) NOT-FOR-US: Wavlink CVE-2020-10973 (An issue was discovered on Wavlink WL-WN530HG4 M30HG4.V5030.191116 dev ...) NOT-FOR-US: Wavlink CVE-2020-10972 (An issue was discovered on Wavlink WL-WN530HG4 M30HG4.V5030.191116 dev ...) NOT-FOR-US: Wavlink CVE-2020-10971 (An issue was discovered on Wavlink WL-WN579G3 M79X3.V5030.180719, WL-W ...) NOT-FOR-US: Wavlink CVE-2020-10970 RESERVED CVE-2020-10969 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2179-1} - jackson-databind [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2642 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. CVE-2020-10968 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2179-1} - jackson-databind [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2662 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. CVE-2020-10967 (In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash ...) {DSA-4690-1} - dovecot 1:2.3.10.1+dfsg1-1 (bug #960963) [stretch] - dovecot (Vulnerable code introduced in 2.3.0) [jessie] - dovecot (Vulnerable code introduced in 2.3.0) NOTE: https://www.openwall.com/lists/oss-security/2020/05/18/1 CVE-2020-XXXX [RUSTSEC-2020-0006: bumpalo: Flaw in `realloc` allows reading unknown memory] - rust-bumpalo 3.2.1-1 (bug #955151) NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0006.html NOTE: https://github.com/fitzgen/bumpalo/issues/69 CVE-2020-10966 (In the Password Reset Module in VESTA Control Panel through 0.9.8-25 a ...) NOT-FOR-US: VESTA Control Panel CVE-2020-10965 (Teradici PCoIP Management Console 20.01.0 and 19.11.1 is vulnerable to ...) NOT-FOR-US: Teradici PCoIP Management Console CVE-2020-10964 (Serendipity before 2.3.4 on Windows allows remote attackers to execute ...) - serendipity CVE-2020-10963 (FrozenNode Laravel-Administrator through 5.0.12 allows unrestricted fi ...) NOT-FOR-US: FrozenNode Laravel-Administrator CVE-2020-10962 RESERVED CVE-2020-10961 RESERVED CVE-2020-10960 (In MediaWiki before 1.34.1, users can add various Cascading Style Shee ...) {DSA-4651-1} - mediawiki 1:1.31.7-1 [stretch] - mediawiki (Vulnerable code introduced later) NOTE: https://phabricator.wikimedia.org/T246602 NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2020-March/093243.html CVE-2020-10959 (resources/src/mediawiki.page.ready/ready.js in MediaWiki before 1.35 a ...) - mediawiki (Vulnerable code introduced later) NOTE: https://phabricator.wikimedia.org/T232932 NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2020-March/093243.html CVE-2020-10958 (In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an un ...) {DSA-4690-1} - dovecot 1:2.3.10.1+dfsg1-1 (bug #960963) [stretch] - dovecot (Vulnerable code introduced in 2.3.0) [jessie] - dovecot (Vulnerable code introduced in 2.3.0) NOTE: https://www.openwall.com/lists/oss-security/2020/05/18/1 CVE-2020-10957 (In Dovecot before 2.3.10.1, unauthenticated sending of malformed param ...) {DSA-4690-1} - dovecot 1:2.3.10.1+dfsg1-1 (bug #960963) [stretch] - dovecot (Vulnerable code introduced in 2.3.0) [jessie] - dovecot (Vulnerable code introduced in 2.3.0) NOTE: https://www.openwall.com/lists/oss-security/2020/05/18/1 CVE-2020-10956 (GitLab 8.10 and later through 12.9 is vulnerable to an SSRF in a proje ...) [experimental] - gitlab 12.8.8-1 - gitlab NOTE: https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ CVE-2020-10955 (GitLab EE/CE 11.1 through 12.9 is vulnerable to parameter tampering on ...) [experimental] - gitlab 12.8.8-1 - gitlab NOTE: https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ CVE-2020-10954 (GitLab through 12.9 is affected by a potential DoS in repository archi ...) [experimental] - gitlab 12.8.8-1 - gitlab NOTE: https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ CVE-2020-10953 (In GitLab EE 11.7 through 12.9, the NPM feature is vulnerable to a pat ...) - gitlab (Only affects GitLab EE 11.7 and later) NOTE: https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ CVE-2020-10952 (GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push doc ...) [experimental] - gitlab 12.8.8-1 - gitlab NOTE: https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/ CVE-2020-10951 (Western Digital My Cloud Home and ibi devices before 2.2.0 allow click ...) NOT-FOR-US: Western Digital My Cloud Home and ibi devices CVE-2020-10950 RESERVED CVE-2020-10949 RESERVED CVE-2020-10948 (Jon Hedley AlienForm2 (typically installed as af.cgi or alienform.cgi) ...) NOT-FOR-US: Jon Hedley AlienForm2 CVE-2020-10947 (Mac Endpoint for Sophos Central before 9.9.6 and Mac Endpoint for Soph ...) NOT-FOR-US: Sophos CVE-2020-10946 (Cross-site scripting (XSS) vulnerability allows remote attackers to in ...) - centreon-web (bug #913903) CVE-2020-10945 (Centreon before 19.10.7 exposes Session IDs in server responses. ...) - centreon-web (bug #913903) CVE-2020-10944 (HashiCorp Nomad and Nomad Enterprise up to 0.10.4 contained a cross-si ...) - nomad 0.10.5+dfsg1-1 NOTE: https://github.com/hashicorp/nomad/issues/7468 CVE-2020-10943 RESERVED CVE-2019-20633 (GNU patch through 2.7.6 contains a free(p_line[p_end]) Double Free vul ...) - patch (Incomplete fix for CVE-2018-6952 not applied) NOTE: https://savannah.gnu.org/bugs/index.php?56683 CVE-2020-10942 (In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/net. ...) {DSA-4698-1 DSA-4667-1 DLA-2242-1 DLA-2241-1} - linux 5.5.13-1 NOTE: https://git.kernel.org/linus/42d84c8490f9f0931786f1623191fcab397c3d64 (5.6-rc4) CVE-2020-10941 (Arm Mbed TLS before 2.6.15 allows attackers to obtain sensitive inform ...) - mbedtls 2.16.5-1 NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-02 CVE-2020-10940 (Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER ...) NOT-FOR-US: PHOENIX CONTACT CVE-2020-10939 (Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT thro ...) NOT-FOR-US: PHOENIX CONTACT CVE-2020-10938 (GraphicsMagick before 1.3.35 has an integer overflow and resultant hea ...) {DSA-4675-1 DLA-2173-1} - graphicsmagick 1.4+really1.3.34-1 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/95abc2b694ce CVE-2020-10937 RESERVED CVE-2020-10936 (Sympa before 6.2.56 allows privilege escalation. ...) - sympa (bug #961491) NOTE: https://sympa-community.github.io/security/2020-002.html NOTE: Patch: https://github.com/sympa-community/sympa/releases/download/6.2.56/sympa-6.2.54-sa-2020-002-r2.patch NOTE: Patch for sympa-6.1.25: https://github.com/sympa-community/sympa/releases/download/6.2.56/sympa-6.1.25-sa-2020-002-r2.patch NOTE: https://sysdream.com/news/lab/2020-05-25-cve-2020-10936-sympa-privileges-escalation-to-root/ NOTE: https://github.com/sympa-community/sympa/issues/943 CVE-2020-10935 (Zulip Server before 2.1.3 allows XSS via a Markdown link, with resulta ...) - zulip-server (bug #800052) CVE-2020-10934 (Acyba AcyMailing before 6.9.2 mishandles file uploads by admins. ...) NOT-FOR-US: Acyba AcyMailing CVE-2020-10933 (An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6 ...) {DSA-4721-1} - ruby2.7 2.7.1-1 - ruby2.5 - ruby2.3 (Vulnerable code introduced in 2.5.0) - ruby2.1 (Vulnerable code introduced in 2.5.0) NOTE: https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933/ NOTE: Fixed by: https://github.com/ruby/ruby/commit/61b7f86248bd121be2e83768be71ef289e8e5b90 NOTE: Introduced around https://github.com/ruby/ruby/commit/ba5eb6458a7e9a41ee76cfe45b84f997600681dc NOTE: and https://github.com/ruby/ruby/commit/ba5eb6458a7e9a41ee76cfe45b84f997600681dc CVE-2020-10932 (An issue was discovered in Arm Mbed TLS before 2.16.6 and 2.7.x before ...) - mbedtls (bug #963159) NOTE: https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-04 CVE-2020-10930 RESERVED CVE-2020-10929 RESERVED CVE-2020-10928 RESERVED CVE-2020-10927 RESERVED CVE-2020-10926 RESERVED CVE-2020-10925 RESERVED CVE-2020-10924 RESERVED CVE-2020-10923 RESERVED CVE-2020-10922 RESERVED CVE-2020-10921 RESERVED CVE-2020-10920 RESERVED CVE-2020-10919 RESERVED CVE-2020-10918 RESERVED CVE-2020-10917 RESERVED CVE-2020-10916 (This vulnerability allows network-adjacent attackers to escalate privi ...) NOT-FOR-US: TP-Link CVE-2020-10915 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: VEEAM One Agent CVE-2020-10914 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: VEEAM One Agent CVE-2020-10913 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2020-10912 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2020-10911 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2020-10910 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2020-10909 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2020-10908 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2020-10907 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2020-10906 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2020-10905 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit PhantomPDF CVE-2020-10904 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2020-10903 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit PhantomPDF CVE-2020-10902 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2020-10901 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit PhantomPDF CVE-2020-10900 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2020-10899 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2020-10898 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2020-10897 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2020-10896 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2020-10895 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2020-10894 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit PhantomPDF CVE-2020-10893 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2020-10892 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2020-10891 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2020-10890 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2020-10889 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2020-10888 (This vulnerability allows remote attackers to bypass authentication on ...) NOT-FOR-US: TP-Link CVE-2020-10887 (This vulnerability allows a firewall bypass on affected installations ...) NOT-FOR-US: TP-Link CVE-2020-10886 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: TP-Link CVE-2020-10885 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: TP-Link CVE-2020-10884 (This vulnerability allows network-adjacent attackers execute arbitrary ...) NOT-FOR-US: TP-Link CVE-2020-10883 (This vulnerability allows local attackers to escalate privileges on af ...) NOT-FOR-US: TP-Link CVE-2020-10882 (This vulnerability allows network-adjacent attackers to execute arbitr ...) NOT-FOR-US: TP-Link CVE-2020-10881 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: TP-Link CVE-2019-20632 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...) - gpac [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) [jessie] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/1ab4860609f2e7a35634930571e7d0531297e090 NOTE: https://github.com/gpac/gpac/issues/1271 CVE-2019-20631 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...) - gpac [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) [jessie] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/1ab4860609f2e7a35634930571e7d0531297e090 NOTE: https://github.com/gpac/gpac/issues/1270 CVE-2019-20630 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...) - gpac [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) [jessie] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/1ab4860609f2e7a35634930571e7d0531297e090 NOTE: https://github.com/gpac/gpac/issues/1268 CVE-2019-20629 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...) - gpac [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) [jessie] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/2320eb73afba753b39b7147be91f7be7afc0eeb7 NOTE: https://github.com/gpac/gpac/issues/1264 CVE-2019-20628 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...) - gpac [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) [jessie] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/1ab4860609f2e7a35634930571e7d0531297e090 NOTE: https://github.com/gpac/gpac/commit/98b727637e32d1d4824101d8947e2dbd573d4fc8 NOTE: https://github.com/gpac/gpac/issues/1269 CVE-2020-10880 RESERVED CVE-2020-10879 (rConfig before 3.9.5 allows command injection by sending a crafted GET ...) NOT-FOR-US: rConfig CVE-2020-10878 (Perl before 5.30.3 has an integer overflow related to mishandling of a ...) - perl 5.30.3-1 (bug #962005) [buster] - perl (Minor issue) [stretch] - perl (Minor issue) NOTE: https://github.com/perl/perl5/commit/0a320d753fe7fca03df259a4dfd8e641e51edaa8 (v5.30.3) NOTE: https://github.com/perl/perl5/commit/3295b48defa0f8570114877b063fe546dd348b3c (v5.30.3) CVE-2020-10877 RESERVED CVE-2020-10876 (The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlo ...) NOT-FOR-US: OKLOK CVE-2020-10875 (Motorola FX9500 devices allow remote attackers to conduct absolute pat ...) NOT-FOR-US: Motorola devices CVE-2020-10874 (Motorola FX9500 devices allow remote attackers to read database files. ...) NOT-FOR-US: Motorola devices CVE-2020-10873 RESERVED CVE-2020-10872 RESERVED CVE-2020-10871 (** DISPUTED ** In OpenWrt LuCI git-20.x, remote unauthenticated attack ...) NOT-FOR-US: OpenWrt LuCI CVE-2020-10870 (Zim through 0.72.1 creates temporary directories with predictable name ...) - zim 0.72.1-1 (unimportant; bug #954810) NOTE: https://github.com/zim-desktop-wiki/zim-desktop-wiki/issues/1028 NOTE: Negligible security impact CVE-2020-10869 RESERVED CVE-2020-10868 (An issue was discovered in Avast Antivirus before 20. The aswTask RPC ...) NOT-FOR-US: Avast Antivirus CVE-2020-10867 (An issue was discovered in Avast Antivirus before 20. The aswTask RPC ...) NOT-FOR-US: Avast Antivirus CVE-2020-10866 (An issue was discovered in Avast Antivirus before 20. The aswTask RPC ...) NOT-FOR-US: Avast Antivirus CVE-2020-10865 (An issue was discovered in Avast Antivirus before 20. The aswTask RPC ...) NOT-FOR-US: Avast Antivirus CVE-2020-10864 (An issue was discovered in Avast Antivirus before 20. The aswTask RPC ...) NOT-FOR-US: Avast Antivirus CVE-2020-10863 (An issue was discovered in Avast Antivirus before 20. The aswTask RPC ...) NOT-FOR-US: Avast Antivirus CVE-2020-10862 (An issue was discovered in Avast Antivirus before 20. The aswTask RPC ...) NOT-FOR-US: Avast Antivirus CVE-2020-10861 (An issue was discovered in Avast Antivirus before 20. The aswTask RPC ...) NOT-FOR-US: Avast Antivirus CVE-2020-10860 (An issue was discovered in Avast Antivirus before 20. An Arbitrary Mem ...) NOT-FOR-US: Avast Antivirus CVE-2020-10859 (Zoho ManageEngine Desktop Central before 10.0.484 allows authenticated ...) NOT-FOR-US: Zoho CVE-2020-10858 RESERVED CVE-2020-10857 RESERVED CVE-2020-10856 RESERVED CVE-2019-20627 (AutoUpdater.cs in AutoUpdater.NET before 1.5.8 allows XXE. ...) NOT-FOR-US: AutoUpdater.NET CVE-2019-20626 (The remote keyless system on Honda HR-V 2017 vehicles sends the same R ...) NOT-FOR-US: Honda HR-V 2017 vehicles CVE-2020-10931 (Memcached 1.6.x before 1.6.2 allows remote attackers to cause a denial ...) - memcached 1.6.2-1 (bug #954808) [buster] - memcached (Introduced in 1.6) [stretch] - memcached (Introduced in 1.6) [jessie] - memcached (Introduced in 1.6) NOTE: https://github.com/memcached/memcached/issues/629 NOTE: https://github.com/memcached/memcached/commit/02c6a2b62ddcb6fa4569a591d3461a156a636305 CVE-2020-10855 (An issue was discovered on Samsung mobile devices with P(9.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2020-10854 (An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2020-10853 (An issue was discovered on Samsung mobile devices with P(9.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2020-10852 (An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2020-10851 (An issue was discovered on Samsung mobile devices with P(9.0) and Q(10 ...) NOT-FOR-US: Samsung mobile devices CVE-2020-10850 (An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2020-10849 (An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2020-10848 (An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2020-10847 (An issue was discovered on Samsung mobile devices with P(9.0) (Galaxy ...) NOT-FOR-US: Samsung mobile devices CVE-2020-10846 (An issue was discovered on Samsung mobile devices with P(9.x) and Q(10 ...) NOT-FOR-US: Samsung mobile devices CVE-2020-10845 (An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2020-10844 (An issue was discovered on Samsung mobile devices with O(8.x), P(9.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2020-10843 (An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2020-10842 (An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2020-10841 (An issue was discovered on Samsung mobile devices with P(9.0) and Q(10 ...) NOT-FOR-US: Samsung mobile devices CVE-2020-10840 (An issue was discovered on Samsung mobile devices with P(9.0) and Q(10 ...) NOT-FOR-US: Samsung mobile devices CVE-2020-10839 (An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2020-10838 (An issue was discovered on Samsung mobile devices with P(9.0) and Q(10 ...) NOT-FOR-US: Samsung mobile devices CVE-2020-10837 (An issue was discovered on Samsung mobile devices with P(9.0) and Q(10 ...) NOT-FOR-US: Samsung mobile devices CVE-2020-10836 (An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2020-10835 (An issue was discovered on Samsung mobile devices with any (before Feb ...) NOT-FOR-US: Samsung mobile devices CVE-2020-10834 (An issue was discovered on Samsung mobile devices with P(9.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2020-10833 (An issue was discovered on Samsung mobile devices with Q(10.0) softwar ...) NOT-FOR-US: Samsung mobile devices CVE-2020-10832 (An issue was discovered on Samsung mobile devices with P(9.0) (Exynos ...) NOT-FOR-US: Samsung mobile devices CVE-2020-10831 (An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2020-10830 (An issue was discovered on Samsung mobile devices with P(9.0) and Q(10 ...) NOT-FOR-US: Samsung mobile devices CVE-2020-10829 (An issue was discovered on Samsung mobile devices with O(8.0), P(9.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2020-10828 (A stack-based buffer overflow in cvmd on Draytek Vigor3900, Vigor2960, ...) NOT-FOR-US: Draytek CVE-2020-10827 (A stack-based buffer overflow in apmd on Draytek Vigor3900, Vigor2960, ...) NOT-FOR-US: Draytek CVE-2020-10826 (/cgi-bin/activate.cgi on Draytek Vigor3900, Vigor2960, and Vigor300B d ...) NOT-FOR-US: Draytek CVE-2020-10825 (A stack-based buffer overflow in /cgi-bin/activate.cgi while base64 de ...) NOT-FOR-US: Draytek CVE-2020-10824 (A stack-based buffer overflow in /cgi-bin/activate.cgi through ticket ...) NOT-FOR-US: Draytek CVE-2020-10823 (A stack-based buffer overflow in /cgi-bin/activate.cgi through var par ...) NOT-FOR-US: Draytek CVE-2020-10822 RESERVED CVE-2020-10821 (Nagios XI 5.6.11 allows XSS via the account/main.php theme parameter. ...) NOT-FOR-US: Nagios XI CVE-2020-10820 (Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integr ...) NOT-FOR-US: Nagios XI CVE-2020-10819 (Nagios XI 5.6.11 allows XSS via the includes/components/ldap_ad_integr ...) NOT-FOR-US: Nagios XI CVE-2020-10818 (Artica Proxy 4.26 allows remote command execution for an authenticated ...) NOT-FOR-US: Artica Proxy CVE-2020-10817 (The custom-searchable-data-entry-system (aka Custom Searchable Data En ...) NOT-FOR-US: custom-searchable-data-entry-system (aka Custom Searchable Data Entry System) plugin for WordPress CVE-2019-20625 (An issue was discovered on Samsung mobile devices with N(7.1) and O(8. ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20624 (An issue was discovered on Samsung mobile devices with N(7.x) and O(8. ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20623 (An issue was discovered on Samsung mobile devices with N(7.1), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20622 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20621 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20620 (An issue was discovered on Samsung mobile devices with P(9.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20619 (An issue was discovered on Samsung mobile devices with P(9.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20618 (An issue was discovered on Samsung mobile devices with P(9.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20617 (An issue was discovered on Samsung mobile devices with P(9.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20616 (An issue was discovered on Samsung mobile devices with N(7.x) and O(8. ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20615 (An issue was discovered on Samsung mobile devices with N(7.x) and O(8. ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20614 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20613 (An issue was discovered on Samsung mobile devices with N(7.x) and O(8. ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20612 (An issue was discovered on Samsung mobile devices with N(7.x) and O(8. ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20611 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20610 (An issue was discovered on Samsung mobile devices with N(7.X) and O(8. ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20609 (An issue was discovered on Samsung mobile devices with P(9.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20608 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20607 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20606 (An issue was discovered on Samsung mobile devices with any (before May ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20605 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20604 (An issue was discovered on Samsung mobile devices with O(8.x) software ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20603 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20602 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20601 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20600 (An issue was discovered on Samsung mobile devices with O(8.0) and P(9. ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20599 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20598 (An issue was discovered on Samsung mobile devices with O(8.x) software ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20597 (An issue was discovered on Samsung mobile devices with N(7.1), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20596 (An issue was discovered on Samsung mobile devices with N(7.x) and O(8. ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20595 (An issue was discovered on Samsung mobile devices with P(9.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20594 (An issue was discovered on Samsung mobile devices with O(8.1) and P(9. ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20593 (An issue was discovered on Samsung mobile devices with N(7.x) and O(8. ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20592 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20591 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20590 (An issue was discovered on Samsung mobile devices with O(8.x) (Qualcom ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20589 (An issue was discovered on Samsung mobile devices with O(8.x) and P(9. ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20588 (An issue was discovered on Samsung mobile devices with O(8.x) and P(9. ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20587 (An issue was discovered on Samsung mobile devices with O(8.1) and P(9. ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20586 (An issue was discovered on Samsung mobile devices with O(8.1) and P(9. ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20585 (An issue was discovered on Samsung mobile devices with O(8.x) and P(9. ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20584 (An issue was discovered on Samsung mobile devices with O(8.x) and P(9. ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20583 (An issue was discovered on Samsung mobile devices with O(8.x) and P(9. ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20582 (An issue was discovered on Samsung mobile devices with O(8.x) and P(9. ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20581 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20580 (An issue was discovered on Samsung mobile devices with P(9.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20579 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20578 (An issue was discovered on Samsung mobile devices with P(9.0) (Exynos ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20577 (An issue was discovered on Samsung mobile devices with P(9.0) (Exynos ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20576 (An issue was discovered on Samsung mobile devices with P(9.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20575 (An issue was discovered on Samsung mobile devices with P(9.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20574 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20573 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20572 (An issue was discovered on Samsung mobile devices with O(8.1) and P(9. ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20571 (An issue was discovered on Samsung mobile devices with O(8.x) (with TE ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20570 (An issue was discovered on Samsung mobile devices with P(9.0), O(8.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20569 (An issue was discovered on Samsung mobile devices with P(9.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20568 (An issue was discovered on Samsung mobile devices with O(8.x) and P(9. ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20567 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20566 (An issue was discovered on Samsung mobile devices with any (before Sep ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20565 (An issue was discovered on Samsung mobile devices with O(8.x) and P(9. ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20564 (An issue was discovered on Samsung mobile devices with any (before Oct ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20563 (An issue was discovered on Samsung mobile devices with O(8.x) and P(9. ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20562 (An issue was discovered on Samsung mobile devices with P(9.0) (with TE ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20561 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20560 (An issue was discovered on Samsung mobile devices with O(8.x) and P(9. ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20559 (An issue was discovered on Samsung mobile devices with P(9.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20558 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20557 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20556 (An issue was discovered on Samsung mobile devices with P(9.0) (SM6150, ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20555 (An issue was discovered on Samsung mobile devices with N(7.x) software ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20554 (An issue was discovered on Samsung mobile devices with O(8.x) software ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20553 (An issue was discovered on Samsung mobile devices with P(9.0) (SM6150, ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20552 (An issue was discovered on Samsung mobile devices with P(9.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20551 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20550 (An issue was discovered on Samsung mobile devices with O(8.x) (release ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20549 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20548 (An issue was discovered on Samsung mobile devices with P(9.0) devices ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20547 (An issue was discovered on Samsung mobile devices with O(8.x) and P(9. ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20546 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20545 (An issue was discovered on Samsung mobile devices with O(8.x) and P(9. ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20544 (An issue was discovered on Samsung mobile devices with O(8.x) and P(9. ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20543 (An issue was discovered on Samsung mobile devices with P(9.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20542 (An issue was discovered on Samsung mobile devices with N(7.1), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20541 (An issue was discovered on Samsung mobile devices with P(9.0) (Exynos ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20540 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20539 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20538 (An issue was discovered on Samsung mobile devices with P(9.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20537 (An issue was discovered on Samsung mobile devices with P(9.0) (TEEGRIS ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20536 (An issue was discovered on Samsung mobile devices with N(7.1), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20535 (An issue was discovered on Samsung mobile devices with O(8.x) and P(9. ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20534 (An issue was discovered on Samsung mobile devices with P(9.0) software ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20533 (An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20532 (An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20531 (An issue was discovered on Samsung mobile devices with P(9.0) (Exynos ...) NOT-FOR-US: Samsung mobile devices CVE-2019-20530 (An issue was discovered on Samsung mobile devices with N(7.1), O(8.x), ...) NOT-FOR-US: Samsung mobile devices CVE-2020-10816 RESERVED CVE-2020-10815 RESERVED CVE-2020-10814 (A buffer overflow vulnerability in Code::Blocks 17.12 allows an attack ...) NOT-FOR-US: Code::Blocks CVE-2020-10813 (A buffer overflow vulnerability in FTPDMIN 0.96 allows attackers to cr ...) NOT-FOR-US: FTPDMIN CVE-2020-10812 (An issue was discovered in HDF5 through 1.12.0. A NULL pointer derefer ...) - hdf5 NOTE: https://github.com/Loginsoft-Research/hdf5-reports/tree/master/Vuln_4 NOTE: https://research.loginsoft.com/bugs/null-pointer-dereference-in-h5fquery-c-hdf5-1-13-0/ TODO: check details CVE-2020-10811 (An issue was discovered in HDF5 through 1.12.0. A heap-based buffer ov ...) - hdf5 NOTE: https://github.com/Loginsoft-Research/hdf5-reports/tree/master/Vuln_2 NOTE: https://research.loginsoft.com/bugs/heap-buffer-overflow-in-h5olayout-c-hdf5-1-13-0/ TODO: check details CVE-2020-10810 (An issue was discovered in HDF5 through 1.12.0. A NULL pointer derefer ...) - hdf5 NOTE: https://github.com/Loginsoft-Research/hdf5-reports/tree/master/Vuln_3 NOTE: https://research.loginsoft.com/bugs/null-pointer-dereference-in-h5ac-c-hdf5-1-13-0/ TODO: check details CVE-2020-10809 (An issue was discovered in HDF5 through 1.12.0. A heap-based buffer ov ...) - hdf5 NOTE: https://github.com/Loginsoft-Research/hdf5-reports/tree/master/Vuln_1 NOTE: https://research.loginsoft.com/bugs/heap-overflow-in-decompress-c-hdf5-1-13-0/ TODO: check details CVE-2020-10808 (Vesta Control Panel (VestaCP) through 0.9.8-26 allows Command Injectio ...) NOT-FOR-US: Vesta Control Panel CVE-2020-10807 (auth_svc in Caldera before 2.6.5 allows authentication bypass (for RES ...) NOT-FOR-US: Caldera CVE-2020-10806 (eZ Publish Kernel before 5.4.14.1, 6.x before 6.13.6.2, and 7.x before ...) NOT-FOR-US: eZ Publish Kernel CVE-2020-10805 RESERVED CVE-2016-11022 (NETGEAR Prosafe WC9500 5.1.0.17, WC7600 5.1.0.17, and WC7520 2.5.0.35 ...) NOT-FOR-US: Netgear CVE-2020-10804 (In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection v ...) - phpmyadmin 4:4.9.5+dfsg1-1 (bug #954667) [stretch] - phpmyadmin (Minor issue) [jessie] - phpmyadmin (Vulnerable code not present) NOTE: Introduced-by: https://github.com/phpmyadmin/phpmyadmin/commit/56b43527196b0349ec2bea8ca711667e5aa75c65 NOTE: Introduced-by: https://github.com/phpmyadmin/phpmyadmin/commit/d55abcd5ffa1ea8785f1217f5b7d78a8a54b8542 NOTE: https://www.phpmyadmin.net/security/PMASA-2020-2/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/89fbcd7c39e6b3979cdb2f64aa4cd5f4db27eaad NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/3258978c38bee8cb4b99f249dffac9c8aaea2d80 CVE-2020-10803 (In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection v ...) {DLA-2154-1} - phpmyadmin 4:4.9.5+dfsg1-1 (bug #954666) [stretch] - phpmyadmin (Minor issue) NOTE: https://www.phpmyadmin.net/security/PMASA-2020-4/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/46a7aa7cd4ff2be0eeb23721fbf71567bebe69a5 NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/6b9b2601d8af916659cde8aefd3a6eaadd10284a CVE-2020-10802 (In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection v ...) {DLA-2154-1} - phpmyadmin 4:4.9.5+dfsg1-1 (bug #954665) [stretch] - phpmyadmin (Minor issue) NOTE: https://www.phpmyadmin.net/security/PMASA-2020-3/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/a8acd7a42cf743186528b0453f90aaa32bfefabe CVE-2020-10801 RESERVED CVE-2020-10800 (lix through 15.8.7 allows man-in-the-middle attackers to execute arbit ...) NOT-FOR-US: lix node (different from src:lix) CVE-2020-10799 (The svglib package through 0.9.3 for Python allows XXE attacks via an ...) NOT-FOR-US: svglib CVE-2020-10798 RESERVED CVE-2020-10797 (An XSS vulnerability resides in the hostname field of the diag_ping.ph ...) NOT-FOR-US: pfSense CVE-2020-10796 RESERVED CVE-2020-10795 (Gira TKS-IP-Gateway 4.0.7.7 is vulnerable to authenticated remote code ...) NOT-FOR-US: Gira TKS-IP-Gateway CVE-2020-10794 (Gira TKS-IP-Gateway 4.0.7.7 is vulnerable to unauthenticated path trav ...) NOT-FOR-US: Gira TKS-IP-Gateway CVE-2020-10793 (** DISPUTED ** CodeIgniter through 4.0.0 allows remote attackers to ga ...) - codeigniter (bug #471583) CVE-2020-10792 (openITCOCKPIT through 3.7.2 allows remote attackers to configure the s ...) NOT-FOR-US: openITCOCKPIT CVE-2020-10791 (app/Plugin/GrafanaModule/Controller/GrafanaConfigurationController.php ...) NOT-FOR-US: openITCOCKPIT CVE-2020-10790 (openITCOCKPIT before 3.7.3 has unnecessary files (such as Lodash files ...) NOT-FOR-US: openITCOCKPIT CVE-2020-10789 (openITCOCKPIT before 3.7.3 has a web-based terminal that allows attack ...) NOT-FOR-US: openITCOCKPIT CVE-2020-10788 (openITCOCKPIT before 3.7.3 uses the 1fea123e07f730f76e661bced33a941523 ...) NOT-FOR-US: openITCOCKPIT CVE-2020-10787 (An elevation of privilege in Vesta Control Panel through 0.9.8-26 allo ...) NOT-FOR-US: Vesta Control Panel CVE-2020-10786 (A remote command execution in Vesta Control Panel through 0.9.8-26 all ...) NOT-FOR-US: Vesta Control Panel CVE-2020-10785 RESERVED CVE-2020-10784 RESERVED CVE-2020-10783 RESERVED CVE-2020-10782 (An exposure of sensitive information flaw was found in Ansible Tower b ...) NOT-FOR-US: Ansible Tower CVE-2020-10781 [zram sysfs resource consumption] RESERVED - linux [stretch] - linux (Vulnerable code introduced later) [jessie] - linux (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2020/06/18/1 CVE-2020-10780 RESERVED CVE-2020-10779 RESERVED CVE-2020-10778 RESERVED CVE-2020-10777 RESERVED CVE-2020-10776 RESERVED CVE-2020-10775 RESERVED CVE-2020-10774 RESERVED - linux (Red Hat-specific patch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1846964 CVE-2020-10773 [kernel stack information leak on s390/s390x] RESERVED - linux NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1846380 CVE-2020-10772 RESERVED - unbound (Red Hat specific regression in backport) CVE-2020-10771 RESERVED NOT-FOR-US: Infinispan CVE-2020-10770 RESERVED CVE-2020-10769 (A buffer over-read flaw was found in RH kernel versions before 5.0 in ...) - linux 4.19.20-1 [stretch] - linux 4.9.161-1 [jessie] - linux 3.16.68-1 NOTE: https://git.kernel.org/linus/8f9c469348487844328e162db57112f7d347c49f CVE-2020-10768 [Indirect branch speculation can be enabled after it was force-disabled by the PR_SPEC_FORCE_DISABLE prctl command] RESERVED - linux 5.7.6-1 NOTE: https://www.openwall.com/lists/oss-security/2020/06/10/1 NOTE: https://git.kernel.org/linus/4d8df8cbb9156b0a0ab3f802b80cb5db57acc0bf CVE-2020-10767 [Indirect Branch Prediction Barrier is force-disabled when STIBP is unavailable or enhanced IBRS is available] RESERVED - linux 5.7.6-1 NOTE: https://www.openwall.com/lists/oss-security/2020/06/10/1 NOTE: https://git.kernel.org/linus/21998a351512eba4ed5969006f0c55882d995ada CVE-2020-10766 [Rogue cross-process SSBD shutdown] RESERVED - linux 5.7.6-1 NOTE: https://www.openwall.com/lists/oss-security/2020/06/10/1 NOTE: https://git.kernel.org/linus/dbbe2ad02e9df26e372f38cc3e70dab9222c832e CVE-2020-10765 RESERVED CVE-2020-10764 RESERVED CVE-2020-10763 RESERVED CVE-2020-10762 RESERVED CVE-2020-10761 (An assertion failure issue was found in the Network Block Device(NBD) ...) - qemu 1:5.0-6 [buster] - qemu (Vulnerable code introduced later) [stretch] - qemu (Vulnerable code introduced later) [jessie] - qemu (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2020/06/09/1 NOTE: Proposed upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg02031.html NOTE: Fixed by: https://git.qemu.org/?p=qemu.git;a=commit;h=5c4fe018c025740fef4a0a4421e8162db0c3eefd NOTE: Introduced in: https://git.qemu.org/?p=qemu.git;a=commit;h=93676c88d7a5cd5971de94f9091eff8e9773b1af CVE-2020-10760 (A use-after-free flaw was found in all samba LDAP server versions befo ...) - samba 2:4.12.5+dfsg-1 NOTE: https://www.samba.org/samba/security/CVE-2020-10760.html CVE-2020-10759 [Possible bypass in signature verification] RESERVED - fwupd 1.3.10-1 (bug #962517) - libjcat 0.1.3-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1844316 NOTE: https://github.com/justinsteven/advisories/blob/master/2020_fwupd_dangling_s3_bucket_and_CVE-2020-10759_signature_verification_bypass.md NOTE: Fixed by: https://github.com/fwupd/fwupd/commit/21f2d12fccef63b8aaa99ec53278ce18250b0444 (1.3.10) NOTE: Introduced with: https://github.com/fwupd/fwupd/commit/36a889034c3d34ae4ac4530ea7b6b16e82476fae (0.1.2) NOTE: https://github.com/hughsie/libjcat/commit/839b89f45a38b2373bf5836337a33f450aaab72e CVE-2020-10758 RESERVED CVE-2020-10757 (A flaw was found in the Linux Kernel in versions after 4.5-rc1 in the ...) {DSA-4699-1 DSA-4698-1 DLA-2242-1} - linux 5.6.14-2 [jessie] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/5bfea2d9b17f1034a68147a8b03b9789af5700f9 CVE-2020-10756 [slirp: networking out-of-bounds read information disclosure vulnerability] RESERVED - libslirp - qemu 1:4.1-2 [buster] - qemu (Minor issue) [stretch] - qemu (Minor issue) - slirp4netns 1.0.1-1 [buster] - slirp4netns (Minor issue) NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed. NOTE: slirp4netns 1.0.1-1 switched to system libslirp, marking that version as fixed. NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1835986#c11 CVE-2020-10755 (An insecure-credentials flaw was found in all openstack-cinder version ...) - cinder 2:16.1.0-1 (low) [buster] - cinder (Minor issue) [stretch] - cinder (Minor issue) [jessie] - cinder (OpenStack component, not supported in jessie LTS) NOTE: https://bugs.launchpad.net/cinder/+bug/1823200 NOTE: https://wiki.openstack.org/wiki/OSSN/OSSN-0086 TODO: check, affects as well python-os-brick or needs a respective update? CVE-2020-10754 (It was found that nmcli, a command line interface to NetworkManager di ...) - network-manager (unimportant) NOTE: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/448 NOTE: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/8affcc19b61fc3c516474ba075e61b82030feeb4 NOTE: Only affects builds enabling ifcfg-rh settings plugin, source-wise only NOTE: affected but not the Debian binary builds (and is RedHat/Fedora specific NOTE: plugin). CVE-2020-10753 (A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gate ...) - ceph [jessie] - ceph (Minor issue) NOTE: https://github.com/ceph/ceph/pull/35773 NOTE: Fix: https://github.com/ceph/ceph/commit/1524d3c0c5cb11775313ea1e2bb36a93257947f2 CVE-2020-10752 (A flaw was found in the OpenShift API Server, where it failed to suffi ...) NOT-FOR-US: OpenShift CVE-2020-10751 (A flaw was found in the Linux kernels SELinux LSM hook implementation ...) {DSA-4699-1 DSA-4698-1 DLA-2242-1 DLA-2241-1} - linux 5.6.14-1 NOTE: https://git.kernel.org/linus/fb73974172ffaaf57a7c42f35424d9aece1a5af6 CVE-2020-10750 (Sensitive information written to a log file vulnerability was found in ...) NOT-FOR-US: Jaeger CVE-2020-10749 (A vulnerability was found in all versions of containernetworking/plugi ...) - golang-github-containernetworking-plugins 0.8.6-1 NOTE: https://github.com/containernetworking/plugins/pull/484 NOTE: https://github.com/containernetworking/plugins/commit/219eb9e0464761c47383d239aba206da695e1a43 CVE-2020-10748 RESERVED NOT-FOR-US: Keycloak CVE-2020-10747 REJECTED CVE-2020-10746 RESERVED CVE-2020-10745 (A flaw was found in all Samba versions before 4.10.17, before 4.11.11 ...) - samba 2:4.12.5+dfsg-1 NOTE: https://www.samba.org/samba/security/CVE-2020-10745.html CVE-2020-10744 (An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansi ...) - ansible [buster] - ansible (Incomplete fix not applied) [stretch] - ansible (Incomplete fix not applied) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1835566 NOTE: CVE is for an incomplete fix of CVE-2020-1733 CVE-2020-10743 RESERVED - kibana (bug #700337) CVE-2020-10742 RESERVED - linux 3.16.2-2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1835127 CVE-2020-10741 REJECTED CVE-2020-10740 (A vulnerability was found in Wildfly in versions before 20.0.0.Final, ...) - wildfly (bug #752018) CVE-2020-10739 (Istio 1.4.x before 1.4.9 and Istio 1.5.x before 1.5.4 contain the foll ...) NOT-FOR-US: envoy proxy (not the same as itp'ed envoy, #758651) CVE-2020-10738 (A flaw was found in Moodle versions 3.8 before 3.8.3, 3.7 before 3.7.6 ...) - moodle CVE-2020-10737 (A race condition was found in the mkhomedir tool shipped with the oddj ...) - oddjob 0.34.6-1 (bug #960089) [buster] - oddjob (Minor issue) [stretch] - oddjob (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1833042 NOTE: https://pagure.io/oddjob/c/10b8aaa1564b723a005b53acc069df71313f4cac CVE-2020-10736 (An authorization bypass vulnerability was found in Ceph versions 15.2. ...) - ceph (Vulnerable code introduced later) NOTE: https://ceph.io/releases/v15-2-2-octopus-released/ NOTE: https://github.com/ceph/ceph/commit/c7e7009a690621aacd4ac2c70c6469f25d692868 (master) NOTE: https://github.com/ceph/ceph/commit/f2cf2ce1bd9a86462510a7a12afa4e528b615df2 (v15.2.2) CVE-2020-10735 RESERVED CVE-2020-10734 RESERVED CVE-2020-10733 RESERVED - postgresql-12 (Windows-specific) - postgresql-11 (Windows-specific) - postgresql-9.6 (Windows-specific) NOTE: https://www.postgresql.org/about/news/2038/ CVE-2020-10732 (A flaw was found in the Linux kernel's implementation of Userspace cor ...) {DSA-4699-1 DSA-4698-1 DLA-2242-1} - linux 5.6.14-2 [jessie] - linux (Does not affect supported architectures) NOTE: https://www.openwall.com/lists/oss-security/2020/05/06/1 NOTE: https://git.kernel.org/linus/1d605416fb7175e1adf094251466caa52093b413 CVE-2020-10731 RESERVED CVE-2020-10730 (A NULL pointer dereference, or possible use-after-free flaw was found ...) - ldb 2:2.1.4-1 - samba 2:4.12.5+dfsg-1 [stretch] - ldb (Vulnerable code introduced later) NOTE: https://www.samba.org/samba/security/CVE-2020-10730.html NOTE: https://git.samba.org/?p=samba.git;a=commitdiff;h=9dd458956d7af1b4bbe505ba2ab72235e81c27d0 (for ldb) CVE-2020-10729 [two random password lookups in same task return same value] RESERVED - ansible 2.9.6+dfsg-1 [jessie] - ansible (Vulnerable code introduced later, no variables template caching) NOTE: https://github.com/ansible/ansible/issues/34144 NOTE: https://github.com/ansible/ansible/pull/67429/ NOTE: https://github.com/ansible/ansible/commit/b38603c45ed3a53574ec2080fb3a24db38ab5bc6 NOTE: Introduced in https://github.com/ansible/ansible/commit/87a9485b2f5a3188460f0a0219d2e0d990ce4e67 (2.0) CVE-2020-10728 RESERVED NOT-FOR-US: automationbroker/apb CVE-2020-10727 (A flaw was found in ActiveMQ Artemis management API from version 2.7.0 ...) NOT-FOR-US: ApacheMQ Artemis CVE-2020-10726 (A vulnerability was found in DPDK versions 19.11 and above. A maliciou ...) - dpdk 19.11.2-1 (bug #960936) [buster] - dpdk (Vulnerable code not present) [stretch] - dpdk (Vulnerable code not present) CVE-2020-10725 (A flaw was found in DPDK version 19.11 and above that allows a malicio ...) - dpdk 19.11.2-1 (bug #960936) [buster] - dpdk (Vulnerable code not present) [stretch] - dpdk (Vulnerable code not present) CVE-2020-10724 (A vulnerability was found in DPDK versions 18.11 and above. The vhost- ...) - dpdk 19.11.2-1 (bug #960936) [buster] - dpdk 18.11.6-1~deb10u2 [stretch] - dpdk (Vulnerable code not present) CVE-2020-10723 (A memory corruption issue was found in DPDK versions 17.05 and above. ...) - dpdk 19.11.2-1 (bug #960936) [buster] - dpdk 18.11.6-1~deb10u2 [stretch] - dpdk (Vulnerable code not present) CVE-2020-10722 (A vulnerability was found in DPDK versions 18.05 and above. A missing ...) {DSA-4688-1} - dpdk 19.11.2-1 (bug #960936) CVE-2020-10721 RESERVED CVE-2020-10720 RESERVED - linux 5.2.6-1 [buster] - linux 4.19.67-1 [stretch] - linux 4.9.184-1 [jessie] - linux 3.16.76-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1781204 NOTE: Fixed by: https://git.kernel.org/linus/a4270d6795b0580287453ea55974d948393e66ef CVE-2020-10719 (A flaw was found in Undertow in versions before 2.1.1.Final, regarding ...) - undertow NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1828459 TODO: check, no details on Red Hat bugreport CVE-2020-10718 RESERVED CVE-2020-10717 (A potential DoS flaw was found in the virtio-fs shared file system dae ...) - qemu 1:5.0-5 (bug #959746) [buster] - qemu (Vulnerable code introduced later) [stretch] - qemu (Vulnerable code introduced later) [jessie] - qemu (Vulnerable code introduced later) NOTE: Introduced in: https://git.qemu.org/?p=qemu.git;a=commit;h=01a6dc95ec7f71eeff9963fe3cb03d85225fba3e (v5.0.0-rc0) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg00143.html CVE-2020-10716 RESERVED NOT-FOR-US: tfm-rubygem-foreman_ansible / Red Hat Satellite's Job Invocation CVE-2020-10715 RESERVED CVE-2020-10714 RESERVED NOT-FOR-US: WildFly Elytron CVE-2020-10713 RESERVED CVE-2020-10712 (A flaw was found in OpenShift Container Platform version 4.1 and later ...) NOT-FOR-US: image registry operator in OpenShift Container Platform CVE-2020-10711 (A NULL pointer dereference flaw was found in the Linux kernel's SELinu ...) {DSA-4699-1 DSA-4698-1 DLA-2242-1} - linux 5.6.14-1 [jessie] - linux (Vulnerability introduced later) NOTE: https://www.openwall.com/lists/oss-security/2020/05/12/2 CVE-2020-10710 RESERVED CVE-2020-10709 RESERVED - ansible-awx (bug #908763) NOTE: https://github.com/ansible/awx/issues/6630 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1824033 CVE-2020-10708 REJECTED CVE-2020-10707 REJECTED CVE-2020-10706 (A flaw was found in OpenShift Container Platform where OAuth tokens ar ...) NOT-FOR-US: OpenShift CVE-2020-10705 (A flaw was discovered in Undertow in versions before Undertow 2.1.1.Fi ...) - undertow NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1803241 CVE-2020-10704 (A flaw was found when using samba as an Active Directory Domain Contro ...) - samba 2:4.12.3+dfsg-2 (bug #960188) [buster] - samba (Can be fixed along in future DSA) [stretch] - samba (Can be fixed along in future DSA) [jessie] - samba (Minor issue and the patch is very invisible, eg. http://paste.debian.net/plain/1143919 is not even complete) NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14334 NOTE: https://www.samba.org/samba/security/CVE-2020-10704.html CVE-2020-10703 (A NULL pointer dereference was found in the libvirt API responsible in ...) - libvirt 6.0.0-2 [buster] - libvirt (Minor issue) [stretch] - libvirt (Vulnerable code introduced later) [jessie] - libvirt (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1790725 NOTE: Introduced by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=5d5c732d748d644ec14626bce448e84bdc4bd93e (v3.10.0-rc1) NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=dfff16a7c261f8d28e3abe60a47165f845fa952f (v6.0.0-rc1) CVE-2020-10702 (A flaw was found in QEMU in the implementation of the Pointer Authenti ...) - qemu 1:4.2-5 [buster] - qemu (Vulnerable code introduced later) [stretch] - qemu (Vulnerable code introduced later) [jessie] - qemu (Vulnerable code introduced later) - qemu-kvm (Vulnerable code introduced later) NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=de0b1bae6461f67243282555475f88b2384a1eb9 (v5.0.0-rc0) CVE-2020-10701 [guest agent timeout can be set under read-only mode leading to DoS] RESERVED - libvirt 6.0.0-7 (bug #955841) [buster] - libvirt (Vulnerable code introduced later) [stretch] - libvirt (Vulnerable code introduced later) [jessie] - libvirt (Vulnerable code introduced later) NOTE: Introduced in: https://libvirt.org/git/?p=libvirt.git;a=commit;h=95f5ac9ae52455e9da47afc95fa31c9456ac27ae (v5.10.0-rc1) NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=4cc90c2e62df653e909ad31fd810224bf8bcf913 (v6.2.0-rc1) CVE-2020-10700 (A use-after-free flaw was found in the way samba AD DC LDAP servers, h ...) - samba 2:4.12.3+dfsg-2 (bug #960189) [buster] - samba (Vulnerable code introduced later) [stretch] - samba (Vulnerable code introduced later) [jessie] - samba (Vulnerable code introduced later) NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14331 NOTE: https://www.samba.org/samba/security/CVE-2020-10700.html CVE-2020-10699 (A flaw was found in Linux, in targetcli-fb versions 2.1.50 and 2.1.51 ...) - targetcli-fb (Vulnerable code introduced later) NOTE: https://github.com/open-iscsi/targetcli-fb/issues/162 NOTE: Introduced in: https://github.com/open-iscsi/targetcli-fb/commit/ad37f94ae72d0e3d5963ce182e2897c84af9c039 (v2.1.50) NOTE: Fixed by: https://github.com/open-iscsi/targetcli-fb/commit/6e4f39357a90a914d11bac21cc2d2b52c07c213d CVE-2020-10698 RESERVED NOT-FOR-US: Ansible Tower CVE-2020-10697 RESERVED NOT-FOR-US: Ansible Tower CVE-2020-10696 (A path traversal flaw was found in Buildah in versions before 1.14.5. ...) - golang-github-containers-buildah NOTE: https://github.com/containers/buildah/commit/c61925b8936e93a5e900f91b653a846f7ea3a9ed CVE-2020-10695 RESERVED NOTE: Red Hat specific CVE assignment for openshift/redhat-sso-7 container CVE-2020-10694 RESERVED CVE-2020-10693 (A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in ...) - libhibernate-validator-java [buster] - libhibernate-validator-java (EL support added in 5.x) [stretch] - libhibernate-validator-java (EL support added in 5.x) [jessie] - libhibernate-validator-java (EL support added in 5.x) - libhibernate-validator4-java (EL support added in 5.x) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1805501 CVE-2020-10692 RESERVED CVE-2020-10691 (An archive traversal flaw was found in all ansible-engine versions 2.9 ...) - ansible 2.9.7+dfsg-1 [buster] - ansible (Vulnerable code introduced later) [stretch] - ansible (Vulnerable code introduced later) [jessie] - ansible (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1817161 NOTE: https://github.com/ansible/ansible/pull/68596 NOTE: https://github.com/ansible/ansible/commit/b2551bb6943eec078066aa3a923e0bb3ed85abe8 (stable-2.9) CVE-2020-10690 (There is a use-after-free in kernel versions before 5.5 due to a race ...) {DLA-2241-1} - linux 5.4.8-1 [buster] - linux 4.19.98-1 NOTE: Fixed by: https://git.kernel.org/linus/a33121e5487b424339636b25c35d3a180eaa5f5e CVE-2020-10689 (A flaw was found in the Eclipse Che up to version 7.8.x, where it did ...) NOT-FOR-US: Eclipse Che CVE-2020-10688 RESERVED - resteasy - resteasy3.0 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1814974 NOTE: https://github.com/quarkusio/quarkus/issues/7248 NOTE: https://issues.redhat.com/browse/RESTEASY-2519 (restricted) TODO: check details, not much information provided by Red Hat. CVE-2020-10687 RESERVED - undertow NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1785049 CVE-2020-10686 (A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in ...) NOT-FOR-US: Keycloak CVE-2020-10685 (A flaw was found in Ansible Engine affecting Ansible Engine versions 2 ...) - ansible 2.9.7+dfsg-1 [jessie] - ansible (Vulnerable code introduced later, all decryption in-memory, no transparent file decryption) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1814627 NOTE: https://github.com/ansible/ansible/pull/68433 NOTE: https://github.com/ansible/ansible/commit/6452a82452f3a721233b50f62419598206442fd9 NOTE: Introduced in https://github.com/ansible/ansible/commit/cdf6e3e4bf44fdab62c2e4ccd3f5fd67ea554548 (2.1) CVE-2020-10684 (A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9. ...) - ansible 2.9.7+dfsg-1 [jessie] - ansible (Vulnerable code introduced later, 'ansible_facts' variable not exposed) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1815519 NOTE: https://github.com/ansible/ansible/pull/68431 NOTE: https://github.com/ansible/ansible/commit/a9d2ceafe429171c0e2ad007058b88bae57c74ce CVE-2020-10683 (dom4j before 2.1.3 allows external DTDs and External Entities by defau ...) {DLA-2191-1} - dom4j (bug #958055) NOTE: https://github.com/dom4j/dom4j/commit/1707bf3d898a8ada3b213acb0e3b38f16eaae73d (the fix?) NOTE: https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658 (post-fix refactor?) CVE-2020-10682 (The Filemanager in CMS Made Simple 2.2.13 allows remote code execution ...) NOT-FOR-US: CMS Made Simple CVE-2020-10681 (The Filemanager in CMS Made Simple 2.2.13 has stored XSS via a .pxd fi ...) NOT-FOR-US: CMS Made Simple CVE-2020-10680 RESERVED CVE-2020-10679 RESERVED CVE-2020-10678 (In Octopus Deploy before 2020.1.5, for customers running on-premises A ...) NOT-FOR-US: Octopus Deploy CVE-2020-10677 RESERVED CVE-2020-10676 RESERVED CVE-2020-10675 (The Library API in buger jsonparser through 2019-12-04 allows attacker ...) - golang-github-buger-jsonparser 0.0~git20200322.0.f7e751e-1 (bug #954373) [buster] - golang-github-buger-jsonparser (Minor issue) NOTE: https://github.com/buger/jsonparser/issues/188 NOTE: https://github.com/buger/jsonparser/commit/91ac96899e492584984ded0c8f9a08f10b473717 CVE-2020-10673 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2153-1} - jackson-databind [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2660 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. CVE-2020-10672 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2153-1} - jackson-databind [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2659 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. CVE-2020-10671 (The Canon Oce Colorwave 500 4.0.0.0 printer's web application is missi ...) NOT-FOR-US: Canon CVE-2020-10670 (The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 pri ...) NOT-FOR-US: Canon CVE-2020-10669 (The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 pri ...) NOT-FOR-US: Canon CVE-2020-10668 (The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 pri ...) NOT-FOR-US: Canon CVE-2020-10667 (The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 pri ...) NOT-FOR-US: Canon CVE-2020-10666 RESERVED CVE-2020-10674 (PerlSpeak through 2.01 allows attackers to execute arbitrary OS comman ...) - libperlspeak-perl (bug #954238) [stretch] - libperlspeak-perl (Will be removed in next point release) [jessie] - libperlspeak-perl (Not supported in jessie LTS) NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=132173 CVE-2020-10665 (Docker Desktop allows local privilege escalation to NT AUTHORITY\SYSTE ...) NOT-FOR-US: Docker Desktop on Windows CVE-2020-10664 (The IGMP component in VxWorks 6.8.3 IPNET CVE patches created in 2019 ...) NOT-FOR-US: VxWorks CVE-2020-10663 (The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9 ...) {DSA-4721-1 DLA-2192-1 DLA-2190-1} - ruby-json 2.3.0+dfsg-1 [buster] - ruby-json (Minor issue) [stretch] - ruby-json (Minor issue) - ruby2.7 (Fixed before initial upload to Debian) - ruby2.5 - ruby2.3 [stretch] - ruby2.3 (Minor issue) - ruby2.1 NOTE: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/ NOTE: https://hackerone.com/reports/706934 NOTE: https://github.com/ruby/ruby/commit/36e9ed7fef6eb2d14becf6c52452e4ab16e4bf01 (2.6.6) NOTE: https://github.com/ruby/ruby/commit/b379ecd8b6832dfcd5dad353b6bfd41701e2d678 (2.5.8) CVE-2020-10662 RESERVED CVE-2020-10661 (HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may ...) NOT-FOR-US: HashiCorp Vault CVE-2020-10660 (HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, ...) NOT-FOR-US: HashiCorp Vault CVE-2019-20529 (In core/doctype/prepared_report/prepared_report.py in Frappe 11 and 12 ...) NOT-FOR-US: Frappe Framework CVE-2019-20528 (Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasour ...) NOT-FOR-US: Ignite Realtime Openfire CVE-2019-20527 (Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasour ...) NOT-FOR-US: Ignite Realtime Openfire CVE-2019-20526 (Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasour ...) NOT-FOR-US: Ignite Realtime Openfire CVE-2019-20525 (Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasour ...) NOT-FOR-US: Ignite Realtime Openfire CVE-2019-20524 (ilchCMS 2.1.23 allows XSS via the index.php/partner/index Banner param ...) NOT-FOR-US: ilchCMS CVE-2019-20523 (ilchCMS 2.1.23 allows XSS via the index.php/partner/index Name paramet ...) NOT-FOR-US: ilchCMS CVE-2019-20522 (ilchCMS 2.1.23 allows XSS via the index.php/partner/index Link paramet ...) NOT-FOR-US: ilchCMS CVE-2019-20521 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/ URI ...) NOT-FOR-US: ERPNext CVE-2019-20520 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/meth ...) NOT-FOR-US: ERPNext CVE-2019-20519 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the user/ UR ...) NOT-FOR-US: ERPNext CVE-2019-20518 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the project/ ...) NOT-FOR-US: ERPNext CVE-2019-20517 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the contact/ ...) NOT-FOR-US: ERPNext CVE-2019-20516 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the blog/ UR ...) NOT-FOR-US: ERPNext CVE-2019-20515 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the addresse ...) NOT-FOR-US: ERPNext CVE-2019-20514 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the address/ ...) NOT-FOR-US: ERPNext CVE-2019-20513 (Open edX Ironwood.1 allows support/certificates?user= reflected XSS. ...) NOT-FOR-US: Open edX Ironwood.1 CVE-2019-20512 (Open edX Ironwood.1 allows support/certificates?course_id= reflected X ...) NOT-FOR-US: Open edX Ironwood.1 CVE-2019-20511 (ERPNext 11.1.47 allows blog?blog_category= Frame Injection. ...) NOT-FOR-US: ERPNext CVE-2020-10659 (Entrust Entelligence Security Provider (ESP) before 10.0.60 on Windows ...) NOT-FOR-US: Entrust Entelligence Security Provider (ESP) CVE-2020-10658 RESERVED CVE-2020-10657 RESERVED CVE-2020-10656 RESERVED CVE-2020-10655 RESERVED CVE-2020-10654 (Ping Identity PingID SSH before 4.0.14 contains a heap buffer overflow ...) NOT-FOR-US: Ping Identity PingID CVE-2020-10653 RESERVED CVE-2020-10652 RESERVED CVE-2020-10651 RESERVED CVE-2020-10650 RESERVED CVE-2019-20510 REJECTED CVE-2020-10649 (DevActSvc.exe in ASUS Device Activation before 1.0.7.0 for Windows 10 ...) NOT-FOR-US: ASUS Device Activation CVE-2020-10648 (Das U-Boot through 2020.01 allows attackers to bypass verified boot re ...) - u-boot 2020.04+dfsg-1 [buster] - u-boot (Minor issue) [stretch] - u-boot (Minor issue) [jessie] - u-boot (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2020/03/18/5 NOTE: https://labs.f-secure.com/advisories/das-u-boot-verified-boot-bypass/ NOTE: https://lists.denx.de/pipermail/u-boot/2020-March/403409.html CVE-2020-10647 REJECTED CVE-2020-10646 (Fuji Electric V-Server Lite all versions prior to 4.0.9.0 contains a h ...) NOT-FOR-US: Fuji Electric V-Server Lite CVE-2020-10645 RESERVED CVE-2020-10644 (The affected product lacks proper validation of user-supplied data, wh ...) NOT-FOR-US: Inductive Automation Ignition CVE-2020-10643 RESERVED CVE-2020-10642 (In Rockwell Automation RSLinx Classic versions 4.1.00 and prior, an au ...) NOT-FOR-US: Rockwell CVE-2020-10641 (An unprotected logging route may allow an attacker to write endless lo ...) NOT-FOR-US: Inductive Automation CVE-2020-10640 RESERVED CVE-2020-10639 (Eaton HMiSoft VU3 (HMIVU3 runtime not impacted), Version 3.00.23 and p ...) NOT-FOR-US: Eaton HMiSoft VU3 CVE-2020-10638 (Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Mult ...) NOT-FOR-US: Advantech WebAccess Node CVE-2020-10637 (Eaton HMiSoft VU3 (HMIVU3 runtime not impacted), Version 3.00.23 and p ...) NOT-FOR-US: Eaton HMiSoft VU3 CVE-2020-10636 RESERVED CVE-2020-10635 RESERVED CVE-2020-10634 (SAE IT-systems FW-50 Remote Telemetry Unit (RTU). A specially crafted ...) NOT-FOR-US: SAE IT-systems FW-50 Remote Telemetry Unit CVE-2020-10633 (A non-persistent XSS (cross-site scripting) vulnerability exists in eW ...) NOT-FOR-US: eWON Flexy and Cosy CVE-2020-10632 RESERVED CVE-2020-10631 (An attacker could use a specially crafted URL to delete or read files ...) NOT-FOR-US: WebAccess/NMS CVE-2020-10630 (SAE IT-systems FW-50 Remote Telemetry Unit (RTU). The software does no ...) NOT-FOR-US: SAE IT-systems FW-50 Remote Telemetry Unit CVE-2020-10629 (WebAccess/NMS (versions prior to 3.0.2) does not sanitize XML input. S ...) NOT-FOR-US: WebAccess/NMS CVE-2020-10628 (ControlEdge PLC (R130.2, R140, R150, and R151) and RTU (R101, R110, R1 ...) NOT-FOR-US: ControlEdge PLC CVE-2020-10627 RESERVED CVE-2020-10626 (In Fazecast jSerialComm, Version 2.2.2 and prior, an uncontrolled sear ...) NOT-FOR-US: Fazecast jSerialComm CVE-2020-10625 (WebAccess/NMS (versions prior to 3.0.2) allows an unauthenticated remo ...) NOT-FOR-US: WebAccess/NMS CVE-2020-10624 (ControlEdge PLC (R130.2, R140, R150, and R151) and RTU (R101, R110, R1 ...) NOT-FOR-US: ControlEdge PLC CVE-2020-10623 (Multiple vulnerabilities could allow an attacker with low privileges t ...) NOT-FOR-US: WebAccess/NMS CVE-2020-10622 (LCDS LAquis SCADA Versions 4.3.1 and prior. The affected product is vu ...) NOT-FOR-US: LCDS LAquis SCADA CVE-2020-10621 (Multiple issues exist that allow files to be uploaded and executed on ...) NOT-FOR-US: WebAccess/NMS CVE-2020-10620 (Opto 22 SoftPAC Project Version 9.6 and prior. SoftPAC communication d ...) NOT-FOR-US: Opto 22 SoftPAC Project CVE-2020-10619 (An attacker could use a specially crafted URL to delete files outside ...) NOT-FOR-US: WebAccess/NMS CVE-2020-10618 (LCDS LAquis SCADA Versions 4.3.1 and prior. The affected product is vu ...) NOT-FOR-US: LCDS LAquis SCADA CVE-2020-10617 (There are multiple ways an unauthenticated attacker could perform SQL ...) NOT-FOR-US: WebAccess/NMS CVE-2020-10616 (Opto 22 SoftPAC Project Version 9.6 and prior. SoftPAC does not specif ...) NOT-FOR-US: Opto 22 SoftPAC Project CVE-2020-10615 (Triangle MicroWorks SCADA Data Gateway 3.02.0697 through 4.0.122, 2.41 ...) NOT-FOR-US: Triangle MicroWorks SCADA Data Gateway CVE-2020-10614 RESERVED CVE-2020-10613 (Triangle MicroWorks SCADA Data Gateway 3.02.0697 through 4.0.122, 2.41 ...) NOT-FOR-US: Triangle MicroWorks SCADA Data Gateway CVE-2020-10612 (Opto 22 SoftPAC Project Version 9.6 and prior. SoftPACAgent communicat ...) NOT-FOR-US: Opto 22 SoftPAC Project CVE-2020-10611 (Triangle MicroWorks SCADA Data Gateway 3.02.0697 through 4.0.122, 2.41 ...) NOT-FOR-US: Triangle MicroWorks SCADA Data Gateway CVE-2020-10610 RESERVED CVE-2020-10609 RESERVED CVE-2020-10608 RESERVED CVE-2020-10607 (In Advantech WebAccess, Versions 8.4.2 and prior. A stack-based buffer ...) NOT-FOR-US: Advantech WebAccess CVE-2020-10606 RESERVED CVE-2020-10605 RESERVED CVE-2020-10604 RESERVED CVE-2020-10603 (WebAccess/NMS (versions prior to 3.0.2) does not properly sanitize use ...) NOT-FOR-US: WebAccess/NMS CVE-2020-10602 RESERVED CVE-2020-10601 (VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module allow ...) NOT-FOR-US: VISAM VBASE Editor CVE-2020-10600 RESERVED CVE-2020-10599 (VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module may al ...) NOT-FOR-US: VISAM VBASE Editor CVE-2020-10598 (In BD Pyxis MedStation ES System v1.6.1 and Pyxis Anesthesia (PAS) ES ...) NOT-FOR-US: Pyxis CVE-2020-10597 (Delta Industrial Automation DOPSoft, Version 4.00.08.15 and prior. Mul ...) NOT-FOR-US: Insulet CVE-2020-10596 (OpenCart 3.0.3.2 allows remote authenticated users to conduct XSS atta ...) NOT-FOR-US: OpenCart CVE-2018-21037 (Subrion CMS 4.1.5 (and possibly earlier versions) allow CSRF to change ...) NOT-FOR-US: Subrion CMS CVE-2020-10595 (pam-krb5 before 4.9 has a buffer overflow that might cause remote code ...) {DSA-4648-1 DLA-2166-1} - libpam-krb5 4.9-1 NOTE: https://www.openwall.com/lists/oss-security/2020/03/31/1 CVE-2020-10594 (An issue was discovered in drf-jwt 1.15.x before 1.15.1. It allows att ...) NOT-FOR-US: drf-jwt CVE-2020-10593 (Tor before 0.3.5.10, 0.4.x before 0.4.1.9, and 0.4.2.x before 0.4.2.7 ...) - tor 0.4.2.7-1 [buster] - tor (Only affects tor 0.4.0.1-alpha onwards) [stretch] - tor (Only affects tor 0.4.0.1-alpha onwards) [jessie] - tor (Only affects tor 0.4.0.1-alpha onwards) NOTE: https://blog.torproject.org/new-releases-03510-0419-0427 NOTE: https://bugs.torproject.org/33619 CVE-2020-10592 (Tor before 0.3.5.10, 0.4.x before 0.4.1.9, and 0.4.2.x before 0.4.2.7 ...) {DSA-4644-1} - tor 0.4.2.7-1 [stretch] - tor (See DSA 4644) [jessie] - tor (Not supported in jessie LTS) NOTE: https://blog.torproject.org/new-releases-03510-0419-0427 NOTE: https://bugs.torproject.org/33120 CVE-2020-10591 (An issue was discovered in Walmart Labs Concord before 1.44.0. CORS Ac ...) NOT-FOR-US: Walmart Labs Concord CVE-2020-10590 RESERVED CVE-2020-10589 (v2rayL 2.1.3 allows local users to achieve root access because /etc/v2 ...) NOT-FOR-US: v2rayL CVE-2020-10588 (v2rayL 2.1.3 allows local users to achieve root access because /etc/v2 ...) NOT-FOR-US: v2rayL CVE-2020-10587 (antiX and MX Linux allow local users to achieve root access via "persi ...) NOT-FOR-US: antiX and MX Linux CVE-2020-10586 RESERVED CVE-2020-10585 RESERVED CVE-2020-10584 RESERVED CVE-2020-10583 RESERVED CVE-2020-10582 RESERVED CVE-2020-10581 RESERVED CVE-2020-10580 RESERVED CVE-2020-10579 RESERVED CVE-2020-10578 (An arbitrary file read vulnerability exists in system/controller/backe ...) NOT-FOR-US: QCMS CVE-2020-10577 (An issue was discovered in Janus through 0.9.1. janus.c has multiple c ...) - janus 0.9.2-1 (bug #954668) [buster] - janus (Will be removed in next point release) NOTE: https://github.com/meetecho/janus-gateway/pull/1990 CVE-2020-10576 (An issue was discovered in Janus through 0.9.1. plugins/janus_voicemai ...) - janus 0.9.1+20200313-1 [buster] - janus (Will be removed in next point release) NOTE: https://github.com/meetecho/janus-gateway/pull/1993 CVE-2020-10575 (An issue was discovered in Janus through 0.9.1. plugins/janus_videocal ...) - janus 0.9.1+20200313-1 [buster] - janus (Will be removed in next point release) NOTE: https://github.com/meetecho/janus-gateway/pull/1994 CVE-2020-10574 (An issue was discovered in Janus through 0.9.1. janus.c tries to use a ...) - janus 0.9.1+20200313-1 [buster] - janus (Will be removed in next point release) NOTE: https://github.com/meetecho/janus-gateway/pull/1989 CVE-2020-10573 (An issue was discovered in Janus through 0.9.1. janus_audiobridge.c ha ...) - janus 0.9.1+20200313-1 [buster] - janus (Will be removed in next point release) NOTE: https://github.com/meetecho/janus-gateway/pull/1988 CVE-2020-10572 RESERVED CVE-2020-10571 (An issue was discovered in psd-tools before 1.9.4. The Cython implemen ...) NOT-FOR-US: psd-tools CVE-2020-10570 (The Telegram application through 5.12 for Android, when Show Popup is ...) NOT-FOR-US: Telegram for Android CVE-2020-10569 (SysAid On-Premise 20.1.11, by default, allows the AJP protocol port, w ...) NOT-FOR-US: SysAid On-Premise CVE-2020-10568 (The sitepress-multilingual-cms (WPML) plugin before 4.3.7-b.2 for Word ...) NOT-FOR-US: sitepress-multilingual-cms (WPML) plugin for WordPress CVE-2020-10567 (An issue was discovered in Responsive Filemanager through 9.14.0. In t ...) NOT-FOR-US: Responsive Filemanager CVE-2018-21036 RESERVED CVE-2020-10566 (grub2-bhyve, as used in FreeBSD bhyve before revision 525916 2020-02-1 ...) NOT-FOR-US: FreeBSD CVE-2020-10565 (grub2-bhyve, as used in FreeBSD bhyve before revision 525916 2020-02-1 ...) NOT-FOR-US: FreeBSD CVE-2020-10564 (An issue was discovered in the File Upload plugin before 4.13.0 for Wo ...) NOT-FOR-US: File Upload plugin for WordPress CVE-2020-10563 (An issue was discovered in DEVOME GRR before 3.4.1c. frmcontactlist.ph ...) NOT-FOR-US: DEVOME GRR CVE-2020-10562 (An issue was discovered in DEVOME GRR before 3.4.1c. admin_edit_room.p ...) NOT-FOR-US: DEVOME GRR CVE-2020-10561 (An issue was discovered on Xiaomi Mi Jia ink-jet printer < 3.4.6_01 ...) NOT-FOR-US: Xiaomi CVE-2020-10560 (An issue was discovered in Open Source Social Network (OSSN) through 5 ...) NOT-FOR-US: Open Source Social Network (OSSN) CVE-2020-10559 RESERVED CVE-2020-10558 (The driving interface of Tesla Model 3 vehicles in any release before ...) NOT-FOR-US: driving interface of Tesla Model 3 vehicles CVE-2020-10557 (An issue was discovered in AContent through 1.4. It allows the user to ...) NOT-FOR-US: AContent CVE-2020-10556 RESERVED CVE-2020-10555 RESERVED CVE-2020-10554 RESERVED CVE-2020-10553 RESERVED CVE-2020-10552 RESERVED CVE-2020-10551 (QQBrowser before 10.5.3870.400 installs a Windows service TsService.ex ...) NOT-FOR-US: QQBrowser CVE-2020-10550 RESERVED CVE-2020-10549 (rConfig 3.9.4 and previous versions has unauthenticated snippets.inc.p ...) NOT-FOR-US: rConfig CVE-2020-10548 (rConfig 3.9.4 and previous versions has unauthenticated devices.inc.ph ...) NOT-FOR-US: rConfig CVE-2020-10547 (rConfig 3.9.4 and previous versions has unauthenticated compliancepoli ...) NOT-FOR-US: rConfig CVE-2020-10546 (rConfig 3.9.4 and previous versions has unauthenticated compliancepoli ...) NOT-FOR-US: rConfig CVE-2020-10545 RESERVED CVE-2020-10544 (An XSS issue was discovered in tooltip/tooltip.js in PrimeTek PrimeFac ...) NOT-FOR-US: PrimeTek PrimeFaces CVE-2009-5159 (Invision Power Board (aka IPB or IP.Board) 2.x through 3.0.4, when Int ...) NOT-FOR-US: Invision Power Board CVE-2020-10543 (Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer over ...) - perl 5.30.3-1 (bug #962005) [buster] - perl (Minor issue) [stretch] - perl (Minor issue) NOTE: https://github.com/perl/perl5/commit/897d1f7fd515b828e4b198d8b8bef76c6faf03ed (v5.30.3) CVE-2020-10542 RESERVED CVE-2020-10541 (Zoho ManageEngine OpManager before 12.4.179 allows remote code executi ...) NOT-FOR-US: Zoho ManageEngine OpManager CVE-2020-10540 (Untis WebUntis before 2020.9.6 allows CSRF for certain combinations of ...) NOT-FOR-US: Untis WebUntis CVE-2020-10539 RESERVED CVE-2020-10538 RESERVED CVE-2020-10537 RESERVED CVE-2020-10536 RESERVED CVE-2020-10534 (In the GlobalBlocking extension before 2020-03-10 for MediaWiki throug ...) NOT-FOR-US: MediaWiki extension CVE-2020-10535 (GitLab 12.8.x before 12.8.6, when sign-up is enabled, allows remote at ...) - gitlab (Only affects Gitlab 12.8.x) NOTE: https://about.gitlab.com/releases/2020/03/11/critical-security-release-gitlab-12-dot-8-dot-6-released/ CVE-2020-10533 RESERVED CVE-2020-10532 (The AD Helper component in WatchGuard Fireware before 5.8.5.10317 allo ...) NOT-FOR-US: AD Helper component in WatchGuard Fireware CVE-2020-10531 (An issue was discovered in International Components for Unicode (ICU) ...) {DSA-4646-1 DLA-2151-1} [experimental] - icu 66.1-2 - icu 63.2-3 (bug #953747) NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=1044570 (not public) NOTE: Upstream ICU bug: https://unicode-org.atlassian.net/browse/ICU-20958 (private) NOTE: Fixed by: https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca NOTE: https://github.com/unicode-org/icu/pull/971 CVE-2020-10530 RESERVED CVE-2020-10529 RESERVED CVE-2020-10528 RESERVED CVE-2020-10527 RESERVED CVE-2020-10526 RESERVED CVE-2020-10525 RESERVED CVE-2020-10524 RESERVED CVE-2020-10523 RESERVED CVE-2020-10522 RESERVED CVE-2020-10521 RESERVED CVE-2020-10520 RESERVED CVE-2020-10519 RESERVED CVE-2020-10518 RESERVED CVE-2020-10517 RESERVED CVE-2020-10516 (An improper access control vulnerability was identified in the GitHub ...) NOT-FOR-US: GitHub Enterprise Server API CVE-2020-10515 (STARFACE UCC Client before 6.7.1.204 on WIndows allows binary planting ...) NOT-FOR-US: STARFACE UCC Client CVE-2020-10514 (iCatch DVR firmware before 20200103 do not validate function parameter ...) NOT-FOR-US: iCatch DVR CVE-2020-10513 (The file management interface of iCatch DVR firmware before 20200103 c ...) NOT-FOR-US: iCatch DVR CVE-2020-10512 (HGiga C&Cmail CCMAILQ before olln-calendar-6.0-100.i386.rpm and CC ...) NOT-FOR-US: HGiga C&Cmail CVE-2020-10511 (HGiga C&Cmail CCMAILQ before olln-base-6.0-418.i386.rpm and CCMAIL ...) NOT-FOR-US: HGiga C&Cmail CVE-2020-10510 (Sunnet eHRD, a human training and development management system, conta ...) NOT-FOR-US: Sunnet eHRD CVE-2020-10509 (Sunnet eHRD, a human training and development management system, conta ...) NOT-FOR-US: Sunnet eHRD CVE-2020-10508 (Sunnet eHRD, a human training and development management system, impro ...) NOT-FOR-US: Sunnet eHRD CVE-2020-10507 (The School Manage System before 2020, developed by ALLE INFORMATION CO ...) NOT-FOR-US: The School Manage System CVE-2020-10506 (The School Manage System before 2020, developed by ALLE INFORMATION CO ...) NOT-FOR-US: The School Manage System CVE-2020-10505 (The School Manage System before 2020, developed by ALLE INFORMATION CO ...) NOT-FOR-US: The School Manage System CVE-2020-10504 (CSRF in admin/edit-comments.php in Chadha PHPKB Standard Multi-Languag ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10503 (CSRF in admin/manage-comments.php in Chadha PHPKB Standard Multi-Langu ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10502 (CSRF in admin/manage-comments.php in Chadha PHPKB Standard Multi-Langu ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10501 (CSRF in admin/manage-departments.php in Chadha PHPKB Standard Multi-La ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10500 (CSRF in admin/reply-ticket.php in Chadha PHPKB Standard Multi-Language ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10499 (CSRF in admin/manage-tickets.php in Chadha PHPKB Standard Multi-Langua ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10498 (CSRF in admin/edit-category.php in Chadha PHPKB Standard Multi-Languag ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10497 (CSRF in admin/manage-categories.php in Chadha PHPKB Standard Multi-Lan ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10496 (CSRF in admin/edit-article.php in Chadha PHPKB Standard Multi-Language ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10495 (CSRF in admin/edit-template.php in Chadha PHPKB Standard Multi-Languag ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10494 (CSRF in admin/edit-news.php in Chadha PHPKB Standard Multi-Language 9 ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10493 (CSRF in admin/edit-glossary.php in Chadha PHPKB Standard Multi-Languag ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10492 (CSRF in admin/manage-templates.php in Chadha PHPKB Standard Multi-Lang ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10491 (CSRF in admin/manage-departments.php in Chadha PHPKB Standard Multi-La ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10490 (CSRF in admin/manage-departments.php in Chadha PHPKB Standard Multi-La ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10489 (CSRF in admin/manage-tickets.php in Chadha PHPKB Standard Multi-Langua ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10488 (CSRF in admin/manage-news.php in Chadha PHPKB Standard Multi-Language ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10487 (CSRF in admin/manage-glossary.php in Chadha PHPKB Standard Multi-Langu ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10486 (CSRF in admin/manage-comments.php in Chadha PHPKB Standard Multi-Langu ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10485 (CSRF in admin/manage-articles.php in Chadha PHPKB Standard Multi-Langu ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10484 (CSRF in admin/add-field.php in Chadha PHPKB Standard Multi-Language 9 ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10483 (CSRF in admin/ajax-hub.php in Chadha PHPKB Standard Multi-Language 9 a ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10482 (CSRF in admin/add-template.php in Chadha PHPKB Standard Multi-Language ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10481 (CSRF in admin/add-glossary.php in Chadha PHPKB Standard Multi-Language ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10480 (CSRF in admin/add-category.php in Chadha PHPKB Standard Multi-Language ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10479 (CSRF in admin/add-news.php in Chadha PHPKB Standard Multi-Language 9 a ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10478 (CSRF in admin/manage-settings.php in Chadha PHPKB Standard Multi-Langu ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10477 (Reflected XSS in admin/manage-news.php in Chadha PHPKB Standard Multi- ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10476 (Reflected XSS in admin/manage-glossary.php in Chadha PHPKB Standard Mu ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10475 (Reflected XSS in admin/manage-tickets.php in Chadha PHPKB Standard Mul ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10474 (Reflected XSS in admin/manage-comments.php in Chadha PHPKB Standard Mu ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10473 (Reflected XSS in admin/manage-categories.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10472 (Reflected XSS in admin/manage-templates.php in Chadha PHPKB Standard M ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10471 (Reflected XSS in admin/manage-articles.php in Chadha PHPKB Standard Mu ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10470 (Reflected XSS in admin/manage-fields.php in Chadha PHPKB Standard Mult ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10469 (Reflected XSS in admin/manage-departments.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10468 (Reflected XSS in admin/edit-news.php in Chadha PHPKB Standard Multi-La ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10467 (Reflected XSS in admin/edit-comment.php in Chadha PHPKB Standard Multi ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10466 (Reflected XSS in admin/edit-glossary.php in Chadha PHPKB Standard Mult ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10465 (Reflected XSS in admin/edit-category.php in Chadha PHPKB Standard Mult ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10464 (Reflected XSS in admin/edit-article.php in Chadha PHPKB Standard Multi ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10463 (Reflected XSS in admin/edit-template.php in Chadha PHPKB Standard Mult ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10462 (Reflected XSS in admin/edit-field.php in Chadha PHPKB Standard Multi-L ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10461 (The way comments in article.php (vulnerable function in include/functi ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10460 (admin/include/operations.php (via admin/email-harvester.php) in Chadha ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10459 (Path Traversal in admin/assetmanager/assetmanager.php (vulnerable func ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10458 (Path Traversal in admin/imagepaster/operations.php in Chadha PHPKB Sta ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10457 (Path Traversal in admin/imagepaster/image-renaming.php in Chadha PHPKB ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10456 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10455 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10454 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10453 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10452 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10451 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10450 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10449 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10448 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10447 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10446 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10445 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10444 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10443 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10442 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10441 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10440 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10439 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10438 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10437 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10436 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10435 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10434 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10433 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10432 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10431 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10430 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10429 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10428 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10427 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10426 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10425 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10424 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10423 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10422 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10421 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10420 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10419 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10418 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10417 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10416 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10415 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10414 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10413 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10412 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10411 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10410 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10409 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10408 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10407 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10406 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10405 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10404 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10403 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10402 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10401 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10400 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10399 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10398 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10397 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10396 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10395 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10394 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10393 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10392 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10391 (The way URIs are handled in admin/header.php in Chadha PHPKB Standard ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10390 (OS Command Injection in export.php (vulnerable function called from in ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10389 (admin/save-settings.php in Chadha PHPKB Standard Multi-Language 9 allo ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10388 (The way the Referer header in article.php is handled in Chadha PHPKB S ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10387 (Path Traversal in admin/download.php in Chadha PHPKB Standard Multi-La ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10386 (admin/imagepaster/image-upload.php in Chadha PHPKB Standard Multi-Lang ...) NOT-FOR-US: Chadha PHPKB CVE-2020-10385 (A stored cross-site scripting (XSS) vulnerability exists in the WPForm ...) NOT-FOR-US: WPForms Contact Form plugin for WordPress CVE-2020-10384 (An issue was discovered in the MB CONNECT LINE mymbCONNECT24 and mbCON ...) NOT-FOR-US: MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software CVE-2020-10383 (An issue was discovered in the MB CONNECT LINE mymbCONNECT24 and mbCON ...) NOT-FOR-US: MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software CVE-2020-10382 (An issue was discovered in the MB CONNECT LINE mymbCONNECT24 and mbCON ...) NOT-FOR-US: MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software CVE-2020-10381 (An issue was discovered in the MB CONNECT LINE mymbCONNECT24 and mbCON ...) NOT-FOR-US: MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software CVE-2020-10380 (RMySQL through 0.10.19 allows SQL Injection. ...) - rmysql 0.10.20-1 [buster] - rmysql (Minor issue) [jessie] - rmysql (Minor issue) NOTE: Fixed by: https://github.com/r-dbi/RMySQL/commit/c2467c466684b4733a7b0df4689987e1f9dcfc32 NOTE: Test: https://github.com/r-dbi/RMySQL/commit/6137ce887c1e36b278f11656a9a9fc1cae6a5f40 CVE-2020-10379 (In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/T ...) - pillow [jessie] - pillow (Minor issue) NOTE: https://github.com/python-pillow/Pillow/pull/4538 NOTE: Fixed in 6.2.3 and 7.1.0 CVE-2020-10378 (In libImaging/PcxDecode.c in Pillow before before 7.0.1, an out-of-bou ...) - pillow [jessie] - pillow (Minor issue) NOTE: https://github.com/python-pillow/Pillow/pull/4538 NOTE: Fixed in 6.2.3 and 7.1.0 CVE-2020-10377 (A weak encryption vulnerability in Mitel MiVoice Connect Client before ...) NOT-FOR-US: Mitel CVE-2020-10376 (Technicolor TC7337NET 08.89.17.23.03 devices allow remote attackers to ...) NOT-FOR-US: Technicolor CVE-2020-10375 RESERVED CVE-2020-10374 (A webserver component in Paessler PRTG Network Monitor 19.2.50 to PRTG ...) NOT-FOR-US: PRTG Network Monitor CVE-2020-10373 RESERVED CVE-2020-10372 (Ramp AltitudeCDN Altimeter before 2.4.0 allows authenticated Stored XS ...) NOT-FOR-US: Ramp AltitudeCDN Altimeter CVE-2020-10371 RESERVED CVE-2020-10370 RESERVED CVE-2020-10369 RESERVED CVE-2020-10368 RESERVED CVE-2020-10367 RESERVED CVE-2020-10366 (LogicalDoc before 8.3.3 allows /servlet.gupld Directory Traversal, a d ...) NOT-FOR-US: LogicalDoc CVE-2020-10365 (LogicalDoc before 8.3.3 allows SQL Injection. LogicalDoc populates the ...) NOT-FOR-US: LogicalDoc CVE-2020-10364 (The SSH daemon on MikroTik routers through v6.44.3 could allow remote ...) NOT-FOR-US: SSH daemon on MikroTik routers CVE-2020-10363 RESERVED CVE-2020-10362 RESERVED CVE-2020-10361 RESERVED CVE-2020-10360 RESERVED CVE-2020-10359 RESERVED CVE-2020-10358 RESERVED CVE-2020-10357 RESERVED CVE-2020-10356 RESERVED CVE-2020-10355 RESERVED CVE-2020-10354 RESERVED CVE-2020-10353 RESERVED CVE-2020-10352 RESERVED CVE-2020-10351 RESERVED CVE-2020-10350 RESERVED CVE-2020-10349 RESERVED CVE-2020-10348 RESERVED CVE-2020-10347 RESERVED CVE-2020-10346 RESERVED CVE-2020-10345 RESERVED CVE-2020-10344 RESERVED CVE-2020-10343 RESERVED CVE-2020-10342 RESERVED CVE-2020-10341 RESERVED CVE-2020-10340 RESERVED CVE-2020-10339 RESERVED CVE-2020-10338 RESERVED CVE-2020-10337 RESERVED CVE-2020-10336 RESERVED CVE-2020-10335 RESERVED CVE-2020-10334 RESERVED CVE-2020-10333 RESERVED CVE-2020-10332 RESERVED CVE-2020-10331 RESERVED CVE-2020-10330 RESERVED CVE-2020-10329 RESERVED CVE-2020-10328 RESERVED CVE-2020-10327 RESERVED CVE-2020-10326 RESERVED CVE-2020-10325 RESERVED CVE-2020-10324 RESERVED CVE-2020-10323 RESERVED CVE-2020-10322 RESERVED CVE-2020-10321 RESERVED CVE-2020-10320 RESERVED CVE-2020-10319 RESERVED CVE-2020-10318 RESERVED CVE-2020-10317 RESERVED CVE-2020-10316 RESERVED CVE-2020-10315 RESERVED CVE-2020-10314 RESERVED CVE-2020-10313 RESERVED CVE-2020-10312 RESERVED CVE-2020-10311 RESERVED CVE-2020-10310 RESERVED CVE-2020-10309 RESERVED CVE-2020-10308 RESERVED CVE-2020-10307 RESERVED CVE-2020-10306 RESERVED CVE-2020-10305 RESERVED CVE-2020-10304 RESERVED CVE-2020-10303 RESERVED CVE-2020-10302 RESERVED CVE-2020-10301 RESERVED CVE-2020-10300 RESERVED CVE-2020-10299 RESERVED CVE-2020-10298 RESERVED CVE-2020-10297 RESERVED CVE-2020-10296 RESERVED CVE-2020-10295 RESERVED CVE-2020-10294 RESERVED CVE-2020-10293 RESERVED CVE-2020-10292 RESERVED CVE-2020-10291 RESERVED CVE-2020-10290 RESERVED CVE-2020-10289 RESERVED CVE-2020-10288 RESERVED CVE-2020-10287 RESERVED CVE-2020-10286 RESERVED CVE-2020-10285 RESERVED CVE-2020-10284 RESERVED CVE-2020-10283 RESERVED CVE-2020-10282 (The Micro Air Vehicle Link (MAVLink) protocol presents no authenticati ...) NOT-FOR-US: Micro Air Vehicle Link (MAVLink) protocol CVE-2020-10281 (This vulnerability applies to the Micro Air Vehicle Link (MAVLink) pro ...) NOT-FOR-US: Micro Air Vehicle Link (MAVLink) protocol CVE-2020-10280 (The Apache server on port 80 that host the web interface is vulnerable ...) NOT-FOR-US: MiR CVE-2020-10279 (MiR robot controllers (central computation unit) makes use of Ubuntu 1 ...) NOT-FOR-US: MiR CVE-2020-10278 (The BIOS onboard MiR's Computer is not protected by password, therefor ...) NOT-FOR-US: MiR CVE-2020-10277 (There is no mechanism in place to prevent a bad operator to boot from ...) NOT-FOR-US: MiR CVE-2020-10276 (The password for the safety PLC is the default and thus easy to find ( ...) NOT-FOR-US: Safety PLC CVE-2020-10275 (The access tokens for the REST API are directly derived from the publi ...) NOT-FOR-US: MiR CVE-2020-10274 (The access tokens for the REST API are directly derived (sha256 and ba ...) NOT-FOR-US: MiR CVE-2020-10273 (MiR controllers across firmware versions 2.8.1.1 and before do not enc ...) NOT-FOR-US: MiR CVE-2020-10272 (MiR100, MiR200 and other MiR robots use the Robot Operating System (RO ...) NOT-FOR-US: MiR CVE-2020-10271 (MiR100, MiR200 and other MiR robots use the Robot Operating System (RO ...) NOT-FOR-US: MiR CVE-2020-10270 (Out of the wired and wireless interfaces within MiR100, MiR200 and oth ...) NOT-FOR-US: MiR CVE-2020-10269 (One of the wireless interfaces within MiR100, MiR200 and possibly (acc ...) NOT-FOR-US: MiR CVE-2020-10268 (Critical services for operation can be terminated from windows task ma ...) NOT-FOR-US: Kuka CVE-2020-10267 (Universal Robots control box CB 3.1 across firmware versions (tested o ...) NOT-FOR-US: Universal Robots control box CB CVE-2020-10266 (UR+ (Universal Robots+) is a platform of hardware and software compone ...) NOT-FOR-US: Universal Robots+ CVE-2020-10265 (Universal Robots Robot Controllers Version CB2 SW Version 1.4 upwards, ...) NOT-FOR-US: Universal Robots+ CVE-2020-10264 (CB3 SW Version 3.3 and upwards, e-series SW Version 5.0 and upwards al ...) NOT-FOR-US: CB3 SW CVE-2019-20509 REJECTED CVE-2020-10263 (An issue was discovered on XIAOMI XIAOAI speaker Pro LX06 1.52.4. Atta ...) NOT-FOR-US: XIAOMI CVE-2020-10262 (An issue was discovered on XIAOMI XIAOAI speaker Pro LX06 1.58.10. Att ...) NOT-FOR-US: XIAOMI CVE-2020-10261 RESERVED CVE-2020-10260 RESERVED CVE-2020-10259 RESERVED CVE-2020-10258 RESERVED CVE-2020-10257 (The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks acces ...) NOT-FOR-US: ThemeREX Addons plugin for WordPress CVE-2020-10256 RESERVED CVE-2020-10255 (Modern DRAM chips (DDR4 and LPDDR4 after 2015) are affected by a vulne ...) NOT-FOR-US: Hardware vulnerabliity in DDR4 DRAM chips CVE-2020-10254 RESERVED CVE-2020-10253 RESERVED CVE-2020-10252 RESERVED CVE-2020-10251 (In ImageMagick 7.0.9, an out-of-bounds read vulnerability exists withi ...) - imagemagick (low; bug #953741) [buster] - imagemagick (Minor issue) [stretch] - imagemagick (Vulnerable code introduced later with HEIC image format support) [jessie] - imagemagick (Vulnerable code introduced later with HEIC image format support) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1859 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/868aad754ee599eb7153b84d610f2ecdf7b339f6 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/3456724dff047db5adb32f8cf70c903c1b7d16d4 CVE-2019-20508 RESERVED CVE-2019-20507 RESERVED CVE-2019-20506 RESERVED CVE-2019-20505 RESERVED CVE-2020-10250 (BWA DiREX-Pro 1.2181 devices allow remote attackers to execute arbitra ...) NOT-FOR-US: BWA DiREX-Pro devices CVE-2020-10249 (BWA DiREX-Pro 1.2181 devices allow full path disclosure via an invalid ...) NOT-FOR-US: BWA DiREX-Pro devices CVE-2020-10248 (BWA DiREX-Pro 1.2181 devices allow remote attackers to discover passwo ...) NOT-FOR-US: BWA DiREX-Pro devices CVE-2020-10247 (MISP 2.4.122 has Persistent XSS in the sighting popover tool. This is ...) NOT-FOR-US: MISP CVE-2020-10246 (MISP 2.4.122 has reflected XSS via unsanitized URL parameters. This is ...) NOT-FOR-US: MISP CVE-2020-10245 (CODESYS V3 web server before 3.5.15.40, as used in CODESYS Control run ...) NOT-FOR-US: CODESYS CVE-2020-10244 (JPaseto before 0.3.0 generates weak hashes when using v2.local tokens. ...) NOT-FOR-US: JPaseto CVE-2020-10243 (An issue was discovered in Joomla! before 3.9.16. The lack of type cas ...) NOT-FOR-US: Joomla! CVE-2020-10242 (An issue was discovered in Joomla! before 3.9.16. Inadequate handling ...) NOT-FOR-US: Joomla! CVE-2020-10241 (An issue was discovered in Joomla! before 3.9.16. Missing token checks ...) NOT-FOR-US: Joomla! CVE-2020-10240 (An issue was discovered in Joomla! before 3.9.16. Missing length check ...) NOT-FOR-US: Joomla! CVE-2020-10239 (An issue was discovered in Joomla! before 3.9.16. Incorrect Access Con ...) NOT-FOR-US: Joomla! CVE-2020-10238 (An issue was discovered in Joomla! before 3.9.16. Various actions in c ...) NOT-FOR-US: Joomla! CVE-2020-10237 (An issue was discovered in Froxlor through 0.10.15. The installer wrot ...) NOT-FOR-US: Froxlor CVE-2020-10236 (An issue was discovered in Froxlor before 0.10.14. It created files wi ...) NOT-FOR-US: Froxlor CVE-2020-10235 (An issue was discovered in Froxlor before 0.10.14. Remote attackers wi ...) NOT-FOR-US: Froxlor CVE-2020-10234 RESERVED CVE-2020-10233 (In version 4.8.0 and earlier of The Sleuth Kit (TSK), there is a heap- ...) - sleuthkit (unimportant) NOTE: https://github.com/sleuthkit/sleuthkit/issues/1829 NOTE: Crash in CLI tool, no security impact CVE-2020-10232 (In version 4.8.0 and earlier of The Sleuth Kit (TSK), there is a stack ...) {DLA-2137-1} - sleuthkit (low; bug #953976) [buster] - sleuthkit (Minor issue) [stretch] - sleuthkit (Minor issue) NOTE: https://github.com/sleuthkit/sleuthkit/issues/1836 NOTE: https://github.com/sleuthkit/sleuthkit/commit/459ae818fc8dae717549810150de4d191ce158f1 CVE-2020-10231 (TP-Link NC200 through 2.1.8_Build_171109, NC210 through 1.0.9_Build_17 ...) NOT-FOR-US: TP-Link CVE-2020-10230 (CentOS-WebPanel.com (aka CWP) CentOS Web Panel (for CentOS 6 and 7) al ...) NOT-FOR-US: CentOS-WebPanel.com CVE-2020-10229 RESERVED CVE-2020-10228 RESERVED CVE-2020-10227 RESERVED CVE-2020-10226 RESERVED CVE-2020-10225 (An unauthenticated file upload vulnerability has been identified in ad ...) NOT-FOR-US: PHPGurukul Job Portal CVE-2020-10224 (An unauthenticated file upload vulnerability has been identified in ad ...) NOT-FOR-US: PHPGurukul Online Book Store CVE-2020-10223 (npdf.dll in Nitro Pro before 13.13.2.242 is vulnerable to JBIG2Decode ...) NOT-FOR-US: npdf.dll in Nitro Pro CVE-2020-10222 (npdf.dll in Nitro Pro before 13.13.2.242 is vulnerable to Heap Corrupt ...) NOT-FOR-US: npdf.dll in Nitro Pro CVE-2020-10221 (lib/ajaxHandlers/ajaxAddTemplate.php in rConfig through 3.94 allows re ...) NOT-FOR-US: rConfig CVE-2019-20504 (service/krashrpt.php in Quest KACE K1000 Systems Management Appliance ...) NOT-FOR-US: Quest KACE CVE-2016-11021 (setSystemCommand on D-Link DCS-930L devices before 2.12 allows a remot ...) NOT-FOR-US: D-Link CVE-2020-10220 (An issue was discovered in rConfig through 3.9.4. The web interface is ...) NOT-FOR-US: rConfig CVE-2020-10219 RESERVED CVE-2020-10218 (A Blind SQL Injection issue was discovered in Sapplica Sentrifugo 3.2 ...) NOT-FOR-US: Sapplica Sentrifugo CVE-2020-10217 RESERVED CVE-2020-10216 (An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. They all ...) NOT-FOR-US: D-Link CVE-2020-10215 (An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. They all ...) NOT-FOR-US: D-Link CVE-2020-10214 (An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. There is ...) NOT-FOR-US: D-Link CVE-2020-10213 (An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. They all ...) NOT-FOR-US: D-Link CVE-2020-10212 (upload.php in Responsive FileManager 9.13.4 and 9.14.0 allows SSRF via ...) NOT-FOR-US: Responsive FileManager CVE-2020-10211 (A remote code execution vulnerability in UCB component of Mitel MiVoic ...) NOT-FOR-US: Mitel CVE-2020-10210 RESERVED CVE-2020-10209 RESERVED CVE-2020-10208 RESERVED CVE-2020-10207 RESERVED CVE-2020-10206 RESERVED CVE-2020-10205 RESERVED CVE-2020-10204 (Sonatype Nexus Repository before 3.21.2 allows Remote Code Execution. ...) NOT-FOR-US: Sonatype Nexus Repository CVE-2020-10203 (Sonatype Nexus Repository before 3.21.2 allows XSS. ...) NOT-FOR-US: Sonatype Nexus Repository CVE-2020-10202 RESERVED CVE-2020-10201 RESERVED CVE-2020-10200 RESERVED CVE-2020-10199 (Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection (issue ...) NOT-FOR-US: Sonatype Nexus Repository CVE-2020-10198 RESERVED CVE-2020-10197 RESERVED CVE-2020-10196 (An XSS vulnerability in the popup-builder plugin before 3.64.1 for Wor ...) NOT-FOR-US: popup-builder plugin for WordPress CVE-2020-10195 (The popup-builder plugin before 3.64.1 for WordPress allows informatio ...) NOT-FOR-US: popup-builder plugin for WordPress CVE-2020-10194 (cs/service/account/AutoCompleteGal.java in Zimbra zm-mailbox before 8. ...) NOT-FOR-US: Zimbra CVE-2020-10193 (ESET Archive Support Module before 1294 allows virus-detection bypass ...) NOT-FOR-US: ESET Archive Support Module CVE-2020-10192 (An issue was discovered in Munkireport before 5.3.0.3923. An unauthent ...) NOT-FOR-US: Munkireport CVE-2020-10191 (An issue was discovered in MunkiReport before 5.3.0. An authenticated ...) NOT-FOR-US: Munkireport CVE-2020-10190 (An issue was discovered in MunkiReport before 5.3.0. An authenticated ...) NOT-FOR-US: Munkireport CVE-2020-10189 (Zoho ManageEngine Desktop Central before 10.0.474 allows remote code e ...) NOT-FOR-US: Zoho ManageEngine CVE-2020-10188 (utility.c in telnetd in netkit telnet through 0.17 allows remote attac ...) {DLA-2176-1} - inetutils 2:1.9.4-12 (bug #956084) - netkit-telnet 0.17-18woody2 (bug #953477) - netkit-telnet-ssl 0.17.17+0.1-2woody3 (bug #953478) NOTE: https://appgateresearch.blogspot.com/2020/02/bravestarr-fedora-31-netkit-telnetd_28.html NOTE: https://github.com/marado/netkit-telnet-ssl/issues/5 NOTE: https://lists.gnu.org/archive/html/bug-inetutils/2020-04/msg00010.html NOTE: Patch in Fedora: https://src.fedoraproject.org/rpms/telnet/raw/master/f/telnet-0.17-overflow-exploit.patch CVE-2019-20503 (usrsctp before 2019-12-20 has out-of-bounds reads in sctp_load_address ...) {DSA-4645-1 DSA-4642-1 DSA-4639-1 DLA-2150-1 DLA-2140-1} - libusrsctp 0.9.3.0+20200312-1 (bug #953270) [buster] - libusrsctp (Minor issue) - firefox 74.0-1 - firefox-esr 68.6.0esr-1 - thunderbird 1:68.6.0-1 - chromium 80.0.3987.149-1 [stretch] - chromium (see DSA 4562) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-10/#CVE-2019-20503 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-09/#CVE-2019-20503 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-08/#CVE-2019-20503 NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1992 NOTE: https://github.com/sctplab/usrsctp/commit/790a7a2555aefb392a5a69923f1e9d17b4968467 CVE-2020-10187 (Doorkeeper version 5.0.0 and later contains an information disclosure ...) - ruby-doorkeeper 5.0.3-1 (bug #959903) NOTE: https://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d003cf38ff491f6 NOTE: https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-j7vx-8mqj-cqp9 CVE-2020-10186 RESERVED CVE-2020-10185 (The sync endpoint in YubiKey Validation Server before 2.40 allows remo ...) {DLA-2141-1} - yubikey-val [buster] - yubikey-val (Minor issue) [stretch] - yubikey-val (Minor issue) NOTE: https://www.yubico.com/support/security-advisories/ysa-2020-01/ NOTE: https://github.com/Yubico/yubikey-val/commit/d0e4db3245deb5ce0c8d7d26069c78071a140286 CVE-2020-10184 (The verify endpoint in YubiKey Validation Server before 2.40 does not ...) {DLA-2141-1} - yubikey-val [buster] - yubikey-val (Minor issue) [stretch] - yubikey-val (Minor issue) NOTE: https://www.yubico.com/support/security-advisories/ysa-2020-01/ NOTE: https://github.com/Yubico/yubikey-val/commit/d0e4db3245deb5ce0c8d7d26069c78071a140286 CVE-2020-10183 RESERVED CVE-2020-10182 RESERVED CVE-2020-10181 (goform/formEMR30 in Sumavision Enhanced Multimedia Router (EMR) 3.0.4. ...) NOT-FOR-US: Sumavision Enhanced Multimedia Router CVE-2019-20502 (An issue was discovered in EFS Easy Chat Server 3.1. There is a buffer ...) NOT-FOR-US: EFS Easy Chat Server CVE-2020-10180 (The ESET AV parsing engine allows virus-detection bypass via a crafted ...) NOT-FOR-US: ESET AV parsing engine CVE-2020-10179 RESERVED CVE-2020-10178 REJECTED CVE-2020-10177 (Pillow before 7.0.1 has multiple out-of-bounds reads in libImaging/Fli ...) - pillow [jessie] - pillow (Minor issue) NOTE: https://github.com/python-pillow/Pillow/pull/4503 NOTE: https://github.com/python-pillow/Pillow/pull/4538 NOTE: Fixed in 6.2.3 and 7.1.0 CVE-2020-10176 (ASSA ABLOY Yale WIPC-301W 2.x.2.29 through 2.x.2.43_p1 devices allow E ...) NOT-FOR-US: ASSA ABLOY Yale WIPC-301W CVE-2020-10175 REJECTED CVE-2020-10174 (init_tmp in TeeJee.FileSystem.vala in Timeshift before 20.03 unsafely ...) - timeshift 20.03+ds-1 (bug #953385) [buster] - timeshift 19.01+ds-2+deb10u1 NOTE: https://www.openwall.com/lists/oss-security/2020/03/06/3 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1165802 NOTE: https://github.com/teejee2008/timeshift/commit/335b3d5398079278b8f7094c77bfd148b315b462 CVE-2020-10173 (Comtrend VR-3033 DE11-416SSG-C01_R02.A2pvI042j1.d26m devices have Mult ...) NOT-FOR-US: Comtrend VR-3033 DE11-416SSG-C01_R02.A2pvI042j1.d26m devices CVE-2020-10172 RESERVED CVE-2020-10171 RESERVED CVE-2020-10170 RESERVED CVE-2020-10169 RESERVED CVE-2020-10168 RESERVED CVE-2020-10167 RESERVED CVE-2020-10166 RESERVED CVE-2020-10165 RESERVED CVE-2020-10164 RESERVED CVE-2020-10163 RESERVED CVE-2020-10162 RESERVED CVE-2020-10161 RESERVED CVE-2020-10160 RESERVED CVE-2020-10159 RESERVED CVE-2020-10158 RESERVED CVE-2020-10157 RESERVED CVE-2020-10156 RESERVED CVE-2020-10155 RESERVED CVE-2020-10154 RESERVED CVE-2020-10153 RESERVED CVE-2020-10152 RESERVED CVE-2020-10151 RESERVED CVE-2020-10150 RESERVED CVE-2020-10149 RESERVED CVE-2020-10148 RESERVED CVE-2020-10147 RESERVED CVE-2020-10146 RESERVED CVE-2020-10145 RESERVED CVE-2020-10144 RESERVED CVE-2020-10143 RESERVED CVE-2020-10142 RESERVED CVE-2020-10141 RESERVED CVE-2020-10140 RESERVED CVE-2020-10139 RESERVED CVE-2020-10138 RESERVED CVE-2020-10137 RESERVED CVE-2020-10136 (Multiple products that implement the IP Encapsulation within IP standa ...) NOT-FOR-US: Cisco CVE-2020-10135 (Legacy pairing and secure-connections pairing authentication in Blueto ...) NOTE: Bluetooth protocol issue CVE-2020-10134 (Pairing in Bluetooth® Core v5.2 and earlier may permit an unauthe ...) NOTE: Bluetooth protocol issue CVE-2020-10133 RESERVED CVE-2020-10132 RESERVED CVE-2020-10131 RESERVED CVE-2020-10130 RESERVED CVE-2020-10129 RESERVED CVE-2020-10128 RESERVED CVE-2020-10127 RESERVED CVE-2020-10126 RESERVED CVE-2020-10125 RESERVED CVE-2020-10124 RESERVED CVE-2020-10123 RESERVED CVE-2019-20501 (D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS comm ...) NOT-FOR-US: D-Link CVE-2019-20500 (D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS comm ...) NOT-FOR-US: D-Link CVE-2019-20499 (D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS comm ...) NOT-FOR-US: D-Link CVE-2020-10122 (cPanel before 84.0.20 allows a webmail or demo account to delete arbit ...) NOT-FOR-US: cPanel CVE-2020-10121 (cPanel before 84.0.20 allows a demo account to achieve code execution ...) NOT-FOR-US: cPanel CVE-2020-10120 (cPanel before 84.0.20 allows resellers to achieve remote code executio ...) NOT-FOR-US: cPanel CVE-2020-10119 (cPanel before 84.0.20 allows a demo account to achieve remote code exe ...) NOT-FOR-US: cPanel CVE-2020-10118 (cPanel before 84.0.20 allows a demo account to modify files via Brandi ...) NOT-FOR-US: cPanel CVE-2020-10117 (cPanel before 84.0.20 mishandles enforcement of demo checks in the Mar ...) NOT-FOR-US: cPanel CVE-2020-10116 (cPanel before 84.0.20 allows attackers to bypass intended restrictions ...) NOT-FOR-US: cPanel CVE-2020-10115 (cPanel before 84.0.20, when PowerDNS is used, allows arbitrary code ex ...) NOT-FOR-US: cPanel CVE-2020-10114 (cPanel before 84.0.20 allows stored self-XSS via the HTML file editor ...) NOT-FOR-US: cPanel CVE-2020-10113 (cPanel before 84.0.20 allows self XSS via a temporary character-set sp ...) NOT-FOR-US: cPanel CVE-2020-10112 (** DISPUTED ** Citrix Gateway 11.1, 12.0, and 12.1 allows Cache Poison ...) NOT-FOR-US: Citrix CVE-2020-10111 (** DISPUTED ** Citrix Gateway 11.1, 12.0, and 12.1 has an Inconsistent ...) NOT-FOR-US: Citrix CVE-2020-10110 (** DISPUTED ** Citrix Gateway 11.1, 12.0, and 12.1 allows Information ...) NOT-FOR-US: Citrix CVE-2020-10109 (In Twisted Web through 19.10.0, there was an HTTP request splitting vu ...) {DLA-2145-1} - twisted 18.9.0-7 (bug #953950) [buster] - twisted (Minor issue) [stretch] - twisted (Minor issue) NOTE: https://know.bishopfox.com/advisories/twisted-version-19.10.0#INOR NOTE: https://github.com/twisted/twisted/commit/4a7d22e490bb8ff836892cc99a1f54b85ccb0281 CVE-2020-10108 (In Twisted Web through 19.10.0, there was an HTTP request splitting vu ...) {DLA-2145-1} - twisted 18.9.0-7 (bug #953950) [buster] - twisted (Minor issue) [stretch] - twisted (Minor issue) NOTE: https://know.bishopfox.com/advisories/twisted-version-19.10.0#INOR NOTE: https://github.com/twisted/twisted/commit/4a7d22e490bb8ff836892cc99a1f54b85ccb0281 CVE-2020-10107 (PHPGurukul Daily Expense Tracker System 1.0 is vulnerable to stored XS ...) NOT-FOR-US: PHPGurukul Daily Expense Tracker System CVE-2020-10106 (PHPGurukul Daily Expense Tracker System 1.0 is vulnerable to SQL injec ...) NOT-FOR-US: PHPGurukul Daily Expense Tracker System CVE-2020-10105 (An issue was discovered in Zammad 3.0 through 3.2. It returns source c ...) - zammad (bug #841355) CVE-2020-10104 (An issue was discovered in Zammad 3.0 through 3.2. After authenticatio ...) - zammad (bug #841355) CVE-2020-10103 (An XSS issue was discovered in Zammad 3.0 through 3.2. Malicious code ...) - zammad (bug #841355) CVE-2020-10102 (An issue was discovered in Zammad 3.0 through 3.2. The Forgot Password ...) - zammad (bug #841355) CVE-2020-10101 (An issue was discovered in Zammad 3.0 through 3.2. The WebSocket serve ...) - zammad (bug #841355) CVE-2020-10100 (An issue was discovered in Zammad 3.0 through 3.2. It allows for users ...) - zammad (bug #841355) CVE-2020-10099 (An XSS issue was discovered in Zammad 3.0 through 3.2. Malicious code ...) - zammad (bug #841355) CVE-2020-10098 (An XSS issue was discovered in Zammad 3.0 through 3.2. Malicious code ...) - zammad (bug #841355) CVE-2020-10097 (An issue was discovered in Zammad 3.0 through 3.2. It may respond with ...) - zammad (bug #841355) CVE-2020-10096 (An issue was discovered in Zammad 3.0 through 3.2. It does not prevent ...) - zammad (bug #841355) CVE-2020-10095 RESERVED CVE-2020-10094 (A cross-site scripting (XSS) vulnerability in Lexmark CS31x before LW7 ...) NOT-FOR-US: Lexmark CVE-2020-10093 (A cross-site scripting (XSS) vulnerability in Lexmark Pro910 series in ...) NOT-FOR-US: Lexmark CVE-2020-10092 (GitLab 12.1 through 12.8.1 allows XSS. A cross-site scripting vulnerab ...) - gitlab (Only affects Gitlab 12.1 and later) NOTE: https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/ CVE-2020-10091 (GitLab 9.3 through 12.8.1 allows XSS. A cross-site scripting vulnerabi ...) [experimental] - gitlab 12.6.8-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/ CVE-2020-10090 (GitLab 11.7 through 12.8.1 allows Information Disclosure. Under certai ...) [experimental] - gitlab 12.6.8-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/ CVE-2020-10089 (GitLab 8.11 through 12.8.1 allows a Denial of Service when using sever ...) [experimental] - gitlab 12.6.8-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/ CVE-2020-10088 (GitLab 12.5 through 12.8.1 has Insecure Permissions. Depending on part ...) - gitlab (Only affects Gitlab 12.5 and later) NOTE: https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/ CVE-2020-10087 (GitLab before 12.8.2 allows Information Disclosure. Badge images were ...) [experimental] - gitlab 12.6.8-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/ CVE-2020-10086 (GitLab 10.4 through 12.8.1 allows Directory Traversal. A particular en ...) [experimental] - gitlab 12.6.8-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/ CVE-2020-10085 (GitLab 12.3.5 through 12.8.1 allows Information Disclosure. A particul ...) - gitlab (Only affects Gitlab 12.3.5 and later) NOTE: https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/ CVE-2020-10084 (GitLab EE 11.6 through 12.8.1 allows Information Disclosure. Sending a ...) - gitlab (Only affects Gitlab EE) NOTE: https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/ CVE-2020-10083 (GitLab 12.7 through 12.8.1 has Insecure Permissions. Under certain con ...) - gitlab (Only affects Gitlab 12.7 and later) NOTE: https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/ CVE-2020-10082 (GitLab 12.2 through 12.8.1 allows Denial of Service. A denial of servi ...) - gitlab (Only affects Gitlab 12.2 and later) NOTE: https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/ CVE-2020-10081 (GitLab before 12.8.2 has Incorrect Access Control. It was internally d ...) [experimental] - gitlab 12.6.8-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/ CVE-2020-10080 (GitLab 8.3 through 12.8.1 allows Information Disclosure. It was possib ...) [experimental] - gitlab 12.6.8-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/ CVE-2020-10079 (GitLab 7.10 through 12.8.1 has Incorrect Access Control. Under certain ...) [experimental] - gitlab 12.6.8-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/ CVE-2020-10078 (GitLab 12.1 through 12.8.1 allows XSS. The merge request submission fo ...) - gitlab (Only affects Gitlab 12.1 and later) NOTE: https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/ CVE-2020-10077 (GitLab EE 3.0 through 12.8.1 allows SSRF. An internal investigation re ...) - gitlab (Only affects Gitlab EE) NOTE: https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/ CVE-2020-10076 (GitLab 12.1 through 12.8.1 allows XSS. A stored cross-site scripting v ...) - gitlab (Only affects Gitlab 12.1 and later) NOTE: https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/ CVE-2020-10075 (GitLab 12.5 through 12.8.1 allows HTML Injection. A particular error h ...) - gitlab (Only affects Gitlab 12.5 and later) NOTE: https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/ CVE-2020-10074 (GitLab 10.1 through 12.8.1 has Incorrect Access Control. A scenario wa ...) [experimental] - gitlab 12.6.8-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/ CVE-2020-10073 (GitLab EE 12.4.2 through 12.8.1 allows Denial of Service. It was inter ...) - gitlab (Only affects Gitlab EE) NOTE: https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/ CVE-2020-10072 RESERVED CVE-2020-10071 (The Zephyr MQTT parsing code performs insufficient checking of the len ...) NOT-FOR-US: Zephyr, different from src:zephyr CVE-2020-10070 (In the Zephyr Project MQTT code, improper bounds checking can result i ...) NOT-FOR-US: Zephyr, different from src:zephyr CVE-2020-10069 RESERVED CVE-2020-10068 (In the Zephyr project Bluetooth subsystem, certain duplicate and back- ...) NOT-FOR-US: Zephyr, different from src:zephyr CVE-2020-10067 (A malicious userspace application can cause a integer overflow and byp ...) NOT-FOR-US: Zephyr, different from src:zephyr CVE-2020-10066 RESERVED CVE-2020-10065 RESERVED CVE-2020-10064 RESERVED CVE-2020-10063 (A remote adversary with the ability to send arbitrary CoAP packets to ...) NOT-FOR-US: Zephyr, different from src:zephyr CVE-2020-10062 (An off-by-one error in the Zephyr project MQTT packet length decoder c ...) NOT-FOR-US: Zephyr, different from src:zephyr CVE-2020-10061 (Improper handling of the full-buffer case in the Zephyr Bluetooth impl ...) NOT-FOR-US: Zephyr, different from src:zephyr CVE-2020-10060 (In updatehub_probe, right after JSON parsing is complete, objects\[1] ...) NOT-FOR-US: Zephyr, different from src:zephyr CVE-2020-10059 (The UpdateHub module disables DTLS peer checking, which allows for a m ...) NOT-FOR-US: Zephyr, different from src:zephyr CVE-2020-10058 (Multiple syscalls in the Kscan subsystem perform insufficient argument ...) NOT-FOR-US: Zephyr, different from src:zephyr CVE-2019-20498 (cPanel before 82.0.18 allows WebDAV authentication bypass because the ...) NOT-FOR-US: cPanel CVE-2019-20497 (cPanel before 82.0.18 allows stored XSS via WHM Backup Restoration (SE ...) NOT-FOR-US: cPanel CVE-2019-20496 (cPanel before 82.0.18 allows attackers to conduct arbitrary chown oper ...) NOT-FOR-US: cPanel CVE-2019-20495 (cPanel before 82.0.18 allows attackers to read an arbitrary database v ...) NOT-FOR-US: cPanel CVE-2019-20494 (In cPanel before 82.0.18, Cpanel::Rand::Get can produce a predictable ...) NOT-FOR-US: cPanel CVE-2019-20493 (cPanel before 82.0.18 allows self-XSS because JSON string escaping is ...) NOT-FOR-US: cPanel CVE-2019-20492 (cPanel before 82.0.18 allows authentication bypass because of misparsi ...) NOT-FOR-US: cPanel CVE-2019-20491 (cPanel before 82.0.18 allows attackers to leverage virtual mail accoun ...) NOT-FOR-US: cPanel CVE-2019-20490 (cPanel before 82.0.18 allows authentication bypass because webmail use ...) NOT-FOR-US: cPanel CVE-2020-10057 (GeniXCMS 1.1.7 is vulnerable to user privilege escalation due to broke ...) NOT-FOR-US: GeniXCMS CVE-2020-10056 RESERVED CVE-2020-10055 RESERVED CVE-2020-10054 RESERVED CVE-2020-10053 RESERVED CVE-2020-10052 RESERVED CVE-2020-10051 RESERVED CVE-2020-10050 RESERVED CVE-2020-10049 RESERVED CVE-2020-10048 RESERVED CVE-2020-10047 RESERVED CVE-2020-10046 RESERVED CVE-2020-10045 RESERVED CVE-2020-10044 RESERVED CVE-2020-10043 RESERVED CVE-2020-10042 RESERVED CVE-2020-10041 RESERVED CVE-2020-10040 RESERVED CVE-2020-10039 RESERVED CVE-2020-10038 RESERVED CVE-2020-10037 RESERVED CVE-2020-10036 RESERVED CVE-2020-10035 RESERVED CVE-2020-10034 RESERVED CVE-2020-10033 RESERVED CVE-2020-10032 RESERVED CVE-2020-10031 RESERVED CVE-2020-10030 (An issue has been found in PowerDNS Recursor 4.1.0 up to and including ...) - pdns-recursor 4.3.1-1 (unimportant) NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html NOTE: https://www.openwall.com/lists/oss-security/2020/05/19/3 NOTE: Non exploitable on Linux CVE-2020-10029 (The GNU C Library (aka glibc or libc6) before 2.32 could overflow an o ...) - glibc 2.30-1 (bug #953108) [buster] - glibc (Minor issue) [stretch] - glibc (Minor issue) [jessie] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25487 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9333498794cde1d5cca518badf79533a24114b6f NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c10acd40262486dac597001aecc20ad9d3bd0e4a CVE-2020-9999 RESERVED CVE-2020-9998 RESERVED CVE-2020-9997 RESERVED CVE-2020-9996 RESERVED CVE-2020-9995 RESERVED CVE-2020-9994 RESERVED CVE-2020-9993 RESERVED CVE-2020-9992 RESERVED CVE-2020-9991 RESERVED CVE-2020-9990 RESERVED CVE-2020-9989 RESERVED CVE-2020-9988 RESERVED CVE-2020-9987 RESERVED CVE-2020-9986 RESERVED CVE-2020-9985 RESERVED CVE-2020-9984 RESERVED CVE-2020-9983 RESERVED CVE-2020-9982 RESERVED CVE-2020-9981 RESERVED CVE-2020-9980 RESERVED CVE-2020-9979 RESERVED CVE-2020-9978 RESERVED CVE-2020-9977 RESERVED CVE-2020-9976 RESERVED CVE-2020-9975 RESERVED CVE-2020-9974 RESERVED CVE-2020-9973 RESERVED CVE-2020-9972 RESERVED CVE-2020-9971 RESERVED CVE-2020-9970 RESERVED CVE-2020-9969 RESERVED CVE-2020-9968 RESERVED CVE-2020-9967 RESERVED CVE-2020-9966 RESERVED CVE-2020-9965 RESERVED CVE-2020-9964 RESERVED CVE-2020-9963 RESERVED CVE-2020-9962 RESERVED CVE-2020-9961 RESERVED CVE-2020-9960 RESERVED CVE-2020-9959 RESERVED CVE-2020-9958 RESERVED CVE-2020-9957 RESERVED CVE-2020-9956 RESERVED CVE-2020-9955 RESERVED CVE-2020-9954 RESERVED CVE-2020-9953 RESERVED CVE-2020-9952 RESERVED CVE-2020-9951 RESERVED CVE-2020-9950 RESERVED CVE-2020-9949 RESERVED CVE-2020-9948 RESERVED CVE-2020-9947 RESERVED CVE-2020-9946 RESERVED CVE-2020-9945 RESERVED CVE-2020-9944 RESERVED CVE-2020-9943 RESERVED CVE-2020-9942 RESERVED CVE-2020-9941 RESERVED CVE-2020-9940 RESERVED CVE-2020-9939 RESERVED CVE-2020-9938 RESERVED CVE-2020-9937 RESERVED CVE-2020-9936 RESERVED CVE-2020-9935 RESERVED CVE-2020-9934 RESERVED CVE-2020-9933 RESERVED CVE-2020-9932 RESERVED CVE-2020-9931 RESERVED CVE-2020-9930 RESERVED CVE-2020-9929 RESERVED CVE-2020-9928 RESERVED CVE-2020-9927 RESERVED CVE-2020-9926 RESERVED CVE-2020-9925 RESERVED CVE-2020-9924 RESERVED CVE-2020-9923 RESERVED CVE-2020-9922 RESERVED CVE-2020-9921 RESERVED CVE-2020-9920 RESERVED CVE-2020-9919 RESERVED CVE-2020-9918 RESERVED CVE-2020-9917 RESERVED CVE-2020-9916 RESERVED CVE-2020-9915 RESERVED CVE-2020-9914 RESERVED CVE-2020-9913 RESERVED CVE-2020-9912 RESERVED CVE-2020-9911 RESERVED CVE-2020-9910 RESERVED CVE-2020-9909 RESERVED CVE-2020-9908 RESERVED CVE-2020-9907 RESERVED CVE-2020-9906 RESERVED CVE-2020-9905 RESERVED CVE-2020-9904 RESERVED CVE-2020-9903 RESERVED CVE-2020-9902 RESERVED CVE-2020-9901 RESERVED CVE-2020-9900 RESERVED CVE-2020-9899 RESERVED CVE-2020-9898 RESERVED CVE-2020-9897 RESERVED CVE-2020-9896 RESERVED CVE-2020-9895 RESERVED CVE-2020-9894 RESERVED CVE-2020-9893 RESERVED CVE-2020-9892 RESERVED CVE-2020-9891 RESERVED CVE-2020-9890 RESERVED CVE-2020-9889 RESERVED CVE-2020-9888 RESERVED CVE-2020-9887 RESERVED CVE-2020-9886 RESERVED CVE-2020-9885 RESERVED CVE-2020-9884 RESERVED CVE-2020-9883 RESERVED CVE-2020-9882 RESERVED CVE-2020-9881 RESERVED CVE-2020-9880 RESERVED CVE-2020-9879 RESERVED CVE-2020-9878 RESERVED CVE-2020-9877 RESERVED CVE-2020-9876 RESERVED CVE-2020-9875 RESERVED CVE-2020-9874 RESERVED CVE-2020-9873 RESERVED CVE-2020-9872 RESERVED CVE-2020-9871 RESERVED CVE-2020-9870 RESERVED CVE-2020-9869 RESERVED CVE-2020-9868 RESERVED CVE-2020-9867 RESERVED CVE-2020-9866 RESERVED CVE-2020-9865 RESERVED CVE-2020-9864 RESERVED CVE-2020-9863 RESERVED CVE-2020-9862 RESERVED CVE-2020-9861 RESERVED CVE-2020-9860 RESERVED CVE-2020-9859 (A memory consumption issue was addressed with improved memory handling ...) NOT-FOR-US: Apple CVE-2020-9858 (A dynamic library loading issue was addressed with improved path searc ...) NOT-FOR-US: Apple CVE-2020-9857 RESERVED CVE-2020-9856 (This issue was addressed with improved checks. This issue is fixed in ...) NOT-FOR-US: Apple CVE-2020-9855 (A validation issue existed in the handling of symlinks. This issue was ...) NOT-FOR-US: Apple CVE-2020-9854 RESERVED CVE-2020-9853 RESERVED CVE-2020-9852 (An integer overflow was addressed through improved input validation. T ...) NOT-FOR-US: Apple CVE-2020-9851 (An access issue was addressed with improved access restrictions. This ...) NOT-FOR-US: Apple CVE-2020-9850 (A logic issue was addressed with improved restrictions. This issue is ...) NOT-FOR-US: Apple CVE-2020-9849 RESERVED CVE-2020-9848 (An authorization issue was addressed with improved state management. T ...) NOT-FOR-US: Apple CVE-2020-9847 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) NOT-FOR-US: Apple CVE-2020-9846 RESERVED CVE-2020-9845 RESERVED CVE-2020-9844 (A double free issue was addressed with improved memory management. Thi ...) NOT-FOR-US: Apple CVE-2020-9843 (An input validation issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2020-9842 (This issue was addressed with improved checks. This issue is fixed in ...) NOT-FOR-US: Apple CVE-2020-9841 (An integer overflow was addressed through improved input validation. T ...) NOT-FOR-US: Apple CVE-2020-9840 (In SwiftNIO Extras before 1.4.1, a logic issue was addressed with impr ...) NOT-FOR-US: SwiftNIO Extras CVE-2020-9839 (A race condition was addressed with improved state handling. This issu ...) NOT-FOR-US: Apple CVE-2020-9838 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) NOT-FOR-US: Apple CVE-2020-9837 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) NOT-FOR-US: Apple CVE-2020-9836 RESERVED CVE-2020-9835 (An issue existed in the pausing of FaceTime video. The issue was resol ...) NOT-FOR-US: Apple CVE-2020-9834 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2020-9833 (A memory initialization issue was addressed with improved memory handl ...) NOT-FOR-US: Apple CVE-2020-9832 (An out-of-bounds read was addressed with improved input validation. Th ...) NOT-FOR-US: Apple CVE-2020-9831 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) NOT-FOR-US: Apple CVE-2020-9830 (A memory corruption issue was addressed with improved state management ...) NOT-FOR-US: Apple CVE-2020-9829 (A validation issue was addressed with improved input sanitization. Thi ...) NOT-FOR-US: Apple CVE-2020-9828 RESERVED CVE-2020-9827 (A denial of service issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2020-9826 (A denial of service issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2020-9825 (An access issue was addressed with additional sandbox restrictions. Th ...) NOT-FOR-US: Apple CVE-2020-9824 (A logic issue was addressed with improved restrictions. This issue is ...) NOT-FOR-US: Apple CVE-2020-9823 (This issue was addressed with improved checks. This issue is fixed in ...) NOT-FOR-US: Apple CVE-2020-9822 (An out-of-bounds write issue was addressed with improved bounds checki ...) NOT-FOR-US: Apple CVE-2020-9821 (A memory corruption issue was addressed with improved state management ...) NOT-FOR-US: Apple CVE-2020-9820 (A logic issue was addressed with improved restrictions. This issue is ...) NOT-FOR-US: Apple CVE-2020-9819 (A memory consumption issue was addressed with improved memory handling ...) NOT-FOR-US: Apple CVE-2020-9818 (An out-of-bounds write issue was addressed with improved bounds checki ...) NOT-FOR-US: Apple CVE-2020-9817 (A permissions issue existed. This issue was addressed with improved pe ...) NOT-FOR-US: Apple CVE-2020-9816 (An out-of-bounds write issue was addressed with improved bounds checki ...) NOT-FOR-US: Apple CVE-2020-9815 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) NOT-FOR-US: Apple CVE-2020-9814 (A logic issue existed resulting in memory corruption. This was address ...) NOT-FOR-US: Apple CVE-2020-9813 (A logic issue existed resulting in memory corruption. This was address ...) NOT-FOR-US: Apple CVE-2020-9812 (An information disclosure issue was addressed with improved state mana ...) NOT-FOR-US: Apple CVE-2020-9811 (An information disclosure issue was addressed with improved state mana ...) NOT-FOR-US: Apple CVE-2020-9810 RESERVED CVE-2020-9809 (An information disclosure issue was addressed with improved state mana ...) NOT-FOR-US: Apple CVE-2020-9808 (A memory corruption issue was addressed with improved state management ...) NOT-FOR-US: Apple CVE-2020-9807 (A memory corruption issue was addressed with improved state management ...) NOT-FOR-US: Apple CVE-2020-9806 (A memory corruption issue was addressed with improved state management ...) NOT-FOR-US: Apple CVE-2020-9805 (A logic issue was addressed with improved restrictions. This issue is ...) NOT-FOR-US: Apple CVE-2020-9804 (A logic issue was addressed with improved restrictions. This issue is ...) NOT-FOR-US: Apple CVE-2020-9803 (A memory corruption issue was addressed with improved validation. This ...) NOT-FOR-US: Apple CVE-2020-9802 (A logic issue was addressed with improved restrictions. This issue is ...) NOT-FOR-US: Apple CVE-2020-9801 (A logic issue was addressed with improved restrictions. This issue is ...) NOT-FOR-US: Apple CVE-2020-9800 (A type confusion issue was addressed with improved memory handling. Th ...) NOT-FOR-US: Apple CVE-2020-9799 RESERVED CVE-2020-9798 RESERVED CVE-2020-9797 (An information disclosure issue was addressed by removing the vulnerab ...) NOT-FOR-US: Apple CVE-2020-9796 RESERVED CVE-2020-9795 (A use after free issue was addressed with improved memory management. ...) NOT-FOR-US: Apple CVE-2020-9794 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) - sqlite3 NOTE: https://vuldb.com/?id.155768 TODO: Try to get more information, as usual Apple advisories are too unspecific CVE-2020-9793 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2020-9792 (A validation issue was addressed with improved input sanitization. Thi ...) NOT-FOR-US: Apple CVE-2020-9791 (An out-of-bounds read was addressed with improved input validation. Th ...) NOT-FOR-US: Apple CVE-2020-9790 (An out-of-bounds write issue was addressed with improved bounds checki ...) NOT-FOR-US: Apple CVE-2020-9789 (An out-of-bounds write issue was addressed with improved bounds checki ...) NOT-FOR-US: Apple CVE-2020-9788 (A validation issue was addressed with improved input sanitization. Thi ...) NOT-FOR-US: Apple CVE-2020-9787 RESERVED CVE-2020-9786 RESERVED CVE-2020-9785 (Multiple memory corruption issues were addressed with improved state m ...) NOT-FOR-US: Apple CVE-2020-9784 (A logic issue was addressed with improved restrictions. This issue is ...) NOT-FOR-US: Apple Safari CVE-2020-9783 (A use after free issue was addressed with improved memory management. ...) NOT-FOR-US: Apple CVE-2020-9782 RESERVED CVE-2020-9781 (The issue was addressed by clearing website permission prompts after n ...) NOT-FOR-US: Apple CVE-2020-9780 (The issue was resolved by clearing application previews when content i ...) NOT-FOR-US: Apple CVE-2020-9779 RESERVED CVE-2020-9778 RESERVED CVE-2020-9777 (An issue existed in the selection of video file by Mail. The issue was ...) NOT-FOR-US: Apple CVE-2020-9776 (This issue was addressed with a new entitlement. This issue is fixed i ...) NOT-FOR-US: Apple CVE-2020-9775 (An issue existed in the handling of tabs displaying picture in picture ...) NOT-FOR-US: Apple CVE-2020-9774 RESERVED CVE-2020-9773 (The issue was addressed with improved handling of icon caches. This is ...) NOT-FOR-US: Apple CVE-2020-9772 RESERVED CVE-2020-9771 RESERVED CVE-2020-9770 (A logic issue was addressed with improved state management. This issue ...) NOT-FOR-US: Apple CVE-2020-9769 (Multiple issues were addressed by updating to version 8.1.1850. This i ...) NOT-FOR-US: Apple CVE-2020-9768 (A use after free issue was addressed with improved memory management. ...) NOT-FOR-US: Apple CVE-2020-9767 RESERVED CVE-2020-10028 (Multiple syscalls with insufficient argument validation See NCC-ZEP-00 ...) NOT-FOR-US: Zephyr, different from src:zephyr CVE-2020-10027 (An attacker who has obtained code execution within a user thread is ab ...) NOT-FOR-US: Zephyr, different from src:zephyr CVE-2020-10026 REJECTED CVE-2020-10025 REJECTED CVE-2020-10024 (The arm platform-specific code uses a signed integer comparison when v ...) NOT-FOR-US: Zephyr, different from src:zephyr CVE-2020-10023 (The shell subsystem contains a buffer overflow, whereby an adversary w ...) NOT-FOR-US: Zephyr, different from src:zephyr CVE-2020-10022 (A malformed JSON payload that is received from an UpdateHub server may ...) NOT-FOR-US: Zephyr, different from src:zephyr CVE-2020-10021 (Out-of-bounds Write in the USB Mass Storage memoryWrite handler with u ...) NOT-FOR-US: Zephyr, different from src:zephyr CVE-2020-10020 REJECTED CVE-2020-10019 (USB DFU has a potential buffer overflow where the requested length (wL ...) NOT-FOR-US: Zephyr, different from src:zephyr CVE-2020-10018 (WebKitGTK through 2.26.4 and WPE WebKit through 2.26.4 (which are the ...) {DSA-4641-1} - webkit2gtk 2.28.0-2 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) - wpewebkit 2.28.0-1 NOTE: https://webkitgtk.org/security/WSA-2020-0003.html CVE-2020-10017 RESERVED CVE-2020-10016 RESERVED CVE-2020-10015 RESERVED CVE-2020-10014 RESERVED CVE-2020-10013 RESERVED CVE-2020-10012 RESERVED CVE-2020-10011 RESERVED CVE-2020-10010 RESERVED CVE-2020-10009 RESERVED CVE-2020-10008 RESERVED CVE-2020-10007 RESERVED CVE-2020-10006 RESERVED CVE-2020-10005 RESERVED CVE-2020-10004 RESERVED CVE-2020-10003 RESERVED CVE-2020-10002 RESERVED CVE-2020-10001 RESERVED CVE-2020-10000 RESERVED CVE-2020-9766 RESERVED CVE-2020-9765 RESERVED CVE-2020-9764 RESERVED CVE-2020-9763 RESERVED CVE-2020-9762 RESERVED CVE-2020-9761 (An issue was discovered in UNCTAD ASYCUDA World 2001 through 2020. The ...) NOT-FOR-US: UNCTAD ASYCUDA World CVE-2020-9760 (An issue was discovered in WeeChat before 2.7.1 (0.3.4 to 2.7 are affe ...) {DLA-2157-1} - weechat 2.7.1-1 [buster] - weechat (Minor issue) [stretch] - weechat (Minor issue) NOTE: https://github.com/weechat/weechat/commit/694b5c9f874d7337cd2e03761e0de435275dd64d CVE-2020-9759 (An issue was discovered in WeeChat before 2.7.1 (0.4.0 to 2.7 are affe ...) {DLA-2157-1} - weechat 2.7.1-1 [buster] - weechat (Minor issue) [stretch] - weechat (Minor issue) NOTE: https://github.com/weechat/weechat/commit/c827d6fa864e2c0b79cea640c45272e83703081e CVE-2020-9758 (An issue was discovered in chat.php in LiveZilla Live Chat 8.0.1.3 (He ...) NOT-FOR-US: LiveZilla Live Chat CVE-2020-9757 (The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side T ...) NOT-FOR-US: Seomatic component for Craft CMS CVE-2020-9756 (Patriot Viper RGB Driver 1.1 and prior exposes IOCTL and allows insuff ...) NOT-FOR-US: Patriot Viper RGB Driver CVE-2020-9755 RESERVED CVE-2020-9754 RESERVED CVE-2020-9753 (Whale Browser Installer before 1.2.0.5 versions don't support signatur ...) NOT-FOR-US: Whale Browser CVE-2020-9752 (Naver Cloud Explorer before 2.2.2.11 allows the attacker can move a lo ...) NOT-FOR-US: Naver Cloud Explorer CVE-2020-9751 (Naver Cloud Explorer before 2.2.2.11 allows the system to download an ...) NOT-FOR-US: Naver Cloud Explorer CVE-2020-9750 RESERVED CVE-2020-9749 RESERVED CVE-2020-9748 RESERVED CVE-2020-9747 RESERVED CVE-2020-9746 RESERVED CVE-2020-9745 RESERVED CVE-2020-9744 RESERVED CVE-2020-9743 RESERVED CVE-2020-9742 RESERVED CVE-2020-9741 RESERVED CVE-2020-9740 RESERVED CVE-2020-9739 RESERVED CVE-2020-9738 RESERVED CVE-2020-9737 RESERVED CVE-2020-9736 RESERVED CVE-2020-9735 RESERVED CVE-2020-9734 RESERVED CVE-2020-9733 RESERVED CVE-2020-9732 RESERVED CVE-2020-9731 RESERVED CVE-2020-9730 RESERVED CVE-2020-9729 RESERVED CVE-2020-9728 RESERVED CVE-2020-9727 RESERVED CVE-2020-9726 RESERVED CVE-2020-9725 RESERVED CVE-2020-9724 RESERVED CVE-2020-9723 RESERVED CVE-2020-9722 RESERVED CVE-2020-9721 RESERVED CVE-2020-9720 RESERVED CVE-2020-9719 RESERVED CVE-2020-9718 RESERVED CVE-2020-9717 RESERVED CVE-2020-9716 RESERVED CVE-2020-9715 RESERVED CVE-2020-9714 RESERVED CVE-2020-9713 RESERVED CVE-2020-9712 RESERVED CVE-2020-9711 RESERVED CVE-2020-9710 RESERVED CVE-2020-9709 RESERVED CVE-2020-9708 RESERVED CVE-2020-9707 RESERVED CVE-2020-9706 RESERVED CVE-2020-9705 RESERVED CVE-2020-9704 RESERVED CVE-2020-9703 RESERVED CVE-2020-9702 RESERVED CVE-2020-9701 RESERVED CVE-2020-9700 RESERVED CVE-2020-9699 RESERVED CVE-2020-9698 RESERVED CVE-2020-9697 RESERVED CVE-2020-9696 RESERVED CVE-2020-9695 RESERVED CVE-2020-9694 RESERVED CVE-2020-9693 RESERVED CVE-2020-9692 RESERVED CVE-2020-9691 RESERVED CVE-2020-9690 RESERVED CVE-2020-9689 RESERVED CVE-2020-9688 RESERVED CVE-2020-9687 RESERVED CVE-2020-9686 RESERVED CVE-2020-9685 RESERVED CVE-2020-9684 RESERVED CVE-2020-9683 RESERVED CVE-2020-9682 RESERVED CVE-2020-9681 RESERVED CVE-2020-9680 RESERVED CVE-2020-9679 RESERVED CVE-2020-9678 RESERVED CVE-2020-9677 RESERVED CVE-2020-9676 RESERVED CVE-2020-9675 RESERVED CVE-2020-9674 RESERVED CVE-2020-9673 RESERVED CVE-2020-9672 RESERVED CVE-2020-9671 RESERVED CVE-2020-9670 RESERVED CVE-2020-9669 RESERVED CVE-2020-9668 RESERVED CVE-2020-9667 RESERVED CVE-2020-9666 (Adobe Campaign Classic before 20.2 have an out-of-bounds read vulnerab ...) NOT-FOR-US: Adobe CVE-2020-9665 RESERVED CVE-2020-9664 RESERVED CVE-2020-9663 RESERVED CVE-2020-9662 (Adobe After Effects versions 17.1 and earlier have an out-of-bounds wr ...) NOT-FOR-US: Adobe CVE-2020-9661 (Adobe After Effects versions 17.1 and earlier have an out-of-bounds re ...) NOT-FOR-US: Adobe CVE-2020-9660 (Adobe After Effects versions 17.1 and earlier have an out-of-bounds wr ...) NOT-FOR-US: Adobe CVE-2020-9659 (Adobe Audition versions 13.0.6 and earlier have an out-of-bounds write ...) NOT-FOR-US: Adobe CVE-2020-9658 (Adobe Audition versions 13.0.6 and earlier have an out-of-bounds write ...) NOT-FOR-US: Adobe CVE-2020-9657 (Adobe Premiere Rush versions 1.5.12 and earlier have an out-of-bounds ...) NOT-FOR-US: Adobe CVE-2020-9656 (Adobe Premiere Rush versions 1.5.12 and earlier have an out-of-bounds ...) NOT-FOR-US: Adobe CVE-2020-9655 (Adobe Premiere Rush versions 1.5.12 and earlier have an out-of-bounds ...) NOT-FOR-US: Adobe CVE-2020-9654 (Adobe Premiere Pro versions 14.2 and earlier have an out-of-bounds wri ...) NOT-FOR-US: Adobe CVE-2020-9653 (Adobe Premiere Pro versions 14.2 and earlier have an out-of-bounds wri ...) NOT-FOR-US: Adobe CVE-2020-9652 (Adobe Premiere Pro versions 14.2 and earlier have an out-of-bounds rea ...) NOT-FOR-US: Adobe CVE-2020-9651 (Adobe Experience Manager versions 6.5 and earlier have a cross-site sc ...) NOT-FOR-US: Adobe CVE-2020-9650 RESERVED CVE-2020-9649 RESERVED CVE-2020-9648 (Adobe Experience Manager versions 6.5 and earlier have a cross-site sc ...) NOT-FOR-US: Adobe CVE-2020-9647 (Adobe Experience Manager versions 6.5 and earlier have a cross-site sc ...) NOT-FOR-US: Adobe CVE-2020-9646 RESERVED CVE-2020-9645 (Adobe Experience Manager versions 6.5 and earlier have a blind server- ...) NOT-FOR-US: Adobe CVE-2020-9644 (Adobe Experience Manager versions 6.5 and earlier have a cross-site sc ...) NOT-FOR-US: Adobe CVE-2020-9643 (Adobe Experience Manager versions 6.5 and earlier have a server-side r ...) NOT-FOR-US: Adobe CVE-2020-9642 (Adobe Illustrator versions 24.1.2 and earlier have a buffer errors vul ...) NOT-FOR-US: Adobe CVE-2020-9641 (Adobe Illustrator versions 24.1.2 and earlier have a memory corruption ...) NOT-FOR-US: Adobe CVE-2020-9640 (Adobe Illustrator versions 24.1.2 and earlier have a memory corruption ...) NOT-FOR-US: Adobe CVE-2020-9639 (Adobe Illustrator versions 24.1.2 and earlier have a memory corruption ...) NOT-FOR-US: Adobe CVE-2020-9638 (Adobe After Effects versions 17.1 and earlier have a heap overflow vul ...) NOT-FOR-US: Adobe CVE-2020-9637 (Adobe After Effects versions 17.1 and earlier have a heap overflow vul ...) NOT-FOR-US: Adobe CVE-2020-9636 (Adobe Framemaker versions 2019.0.5 and below have a memory corruption ...) NOT-FOR-US: Adobe CVE-2020-9635 (Adobe Framemaker versions 2019.0.5 and below have an out-of-bounds wri ...) NOT-FOR-US: Adobe CVE-2020-9634 (Adobe Framemaker versions 2019.0.5 and below have an out-of-bounds wri ...) NOT-FOR-US: Adobe CVE-2020-9633 (Adobe Flash Player Desktop Runtime 32.0.0.371 and earlier, Adobe Flash ...) NOT-FOR-US: Adobe CVE-2020-9632 (Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.1 ...) NOT-FOR-US: Magento CVE-2020-9631 (Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.1 ...) NOT-FOR-US: Magento CVE-2020-9630 (Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.1 ...) NOT-FOR-US: Magento CVE-2020-9629 (Adobe DNG Software Development Kit (SDK) 1.5 and earlier versions have ...) NOT-FOR-US: Adobe CVE-2020-9628 (Adobe DNG Software Development Kit (SDK) 1.5 and earlier versions have ...) NOT-FOR-US: Adobe CVE-2020-9627 (Adobe DNG Software Development Kit (SDK) 1.5 and earlier versions have ...) NOT-FOR-US: Adobe CVE-2020-9626 (Adobe DNG Software Development Kit (SDK) 1.5 and earlier versions have ...) NOT-FOR-US: Adobe CVE-2020-9625 (Adobe DNG Software Development Kit (SDK) 1.5 and earlier versions have ...) NOT-FOR-US: Adobe CVE-2020-9624 (Adobe DNG Software Development Kit (SDK) 1.5 and earlier versions have ...) NOT-FOR-US: Adobe CVE-2020-9623 (Adobe DNG Software Development Kit (SDK) 1.5 and earlier versions have ...) NOT-FOR-US: Adobe CVE-2020-9622 (Adobe DNG Software Development Kit (SDK) 1.5 and earlier versions have ...) NOT-FOR-US: Adobe CVE-2020-9621 (Adobe DNG Software Development Kit (SDK) 1.5 and earlier versions have ...) NOT-FOR-US: Adobe CVE-2020-9620 (Adobe DNG Software Development Kit (SDK) 1.5 and earlier versions have ...) NOT-FOR-US: Adobe CVE-2020-9619 RESERVED CVE-2020-9618 (Adobe Audition versions 13.0.5 and earlier have an out-of-bounds read ...) NOT-FOR-US: Adobe CVE-2020-9617 (Adobe Premiere Rush versions 1.5.8 and earlier have an out-of-bounds r ...) NOT-FOR-US: Adobe CVE-2020-9616 (Adobe Premiere Pro versions 14.1 and earlier have an out-of-bounds rea ...) NOT-FOR-US: Adobe CVE-2020-9615 (Adobe Acrobat and Reader versions 2020.006.20042 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-9614 (Adobe Acrobat and Reader versions 2020.006.20042 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-9613 (Adobe Acrobat and Reader versions 2020.006.20042 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-9612 (Adobe Acrobat and Reader versions 2020.006.20042 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-9611 (Adobe Acrobat and Reader versions 2020.006.20042 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-9610 (Adobe Acrobat and Reader versions 2020.006.20042 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-9609 (Adobe Acrobat and Reader versions 2020.006.20042 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-9608 (Adobe Acrobat and Reader versions 2020.006.20042 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-9607 (Adobe Acrobat and Reader versions 2020.006.20042 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-9606 (Adobe Acrobat and Reader versions 2020.006.20042 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-9605 (Adobe Acrobat and Reader versions 2020.006.20042 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-9604 (Adobe Acrobat and Reader versions 2020.006.20042 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-9603 (Adobe Acrobat and Reader versions 2020.006.20042 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-9602 (Adobe Acrobat and Reader versions 2020.006.20042 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-9601 (Adobe Acrobat and Reader versions 2020.006.20042 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-9600 (Adobe Acrobat and Reader versions 2020.006.20042 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-9599 (Adobe Acrobat and Reader versions 2020.006.20042 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-9598 (Adobe Acrobat and Reader versions 2020.006.20042 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-9597 (Adobe Acrobat and Reader versions 2020.006.20042 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-9596 (Adobe Acrobat and Reader versions 2020.006.20042 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-9595 (Adobe Acrobat and Reader versions 2020.006.20042 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-9594 (Adobe Acrobat and Reader versions 2020.006.20042 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-9593 (Adobe Acrobat and Reader versions 2020.006.20042 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-9592 (Adobe Acrobat and Reader versions 2020.006.20042 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-9591 (Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.1 ...) NOT-FOR-US: Magento CVE-2020-9590 (Adobe DNG Software Development Kit (SDK) 1.5 and earlier versions have ...) NOT-FOR-US: Adobe CVE-2020-9589 (Adobe DNG Software Development Kit (SDK) 1.5 and earlier versions have ...) NOT-FOR-US: Adobe CVE-2020-9588 (Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.1 ...) NOT-FOR-US: Magento CVE-2020-9587 (Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.1 ...) NOT-FOR-US: Magento CVE-2020-9586 (Adobe Character Animator versions 3.2 and earlier have a buffer overfl ...) NOT-FOR-US: Adobe CVE-2020-9585 (Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.1 ...) NOT-FOR-US: Magento CVE-2020-9584 (Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.1 ...) NOT-FOR-US: Magento CVE-2020-9583 (Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.1 ...) NOT-FOR-US: Magento CVE-2020-9582 (Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.1 ...) NOT-FOR-US: Magento CVE-2020-9581 (Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.1 ...) NOT-FOR-US: Magento CVE-2020-9580 (Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.1 ...) NOT-FOR-US: Magento CVE-2020-9579 (Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.1 ...) NOT-FOR-US: Magento CVE-2020-9578 (Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.1 ...) NOT-FOR-US: Magento CVE-2020-9577 (Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.1 ...) NOT-FOR-US: Magento CVE-2020-9576 (Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.1 ...) NOT-FOR-US: Magento CVE-2020-9575 (Adobe Illustrator versions 24.1.2 and earlier have a memory corruption ...) NOT-FOR-US: Adobe CVE-2020-9574 (Adobe Illustrator versions 24.0.2 and earlier have a memory corruption ...) NOT-FOR-US: Adobe CVE-2020-9573 (Adobe Illustrator versions 24.0.2 and earlier have a memory corruption ...) NOT-FOR-US: Adobe CVE-2020-9572 (Adobe Illustrator versions 24.0.2 and earlier have a memory corruption ...) NOT-FOR-US: Adobe CVE-2020-9571 (Adobe Illustrator versions 24.0.2 and earlier have a memory corruption ...) NOT-FOR-US: Adobe CVE-2020-9570 (Adobe Illustrator versions 24.0.2 and earlier have a memory corruption ...) NOT-FOR-US: Adobe CVE-2020-9569 (Adobe Bridge versions 10.0.1 and earlier version have an out-of-bounds ...) NOT-FOR-US: Adobe CVE-2020-9568 (Adobe Bridge versions 10.0.1 and earlier version have a memory corrupt ...) NOT-FOR-US: Adobe CVE-2020-9567 (Adobe Bridge versions 10.0.1 and earlier version have an use after fre ...) NOT-FOR-US: Adobe CVE-2020-9566 (Adobe Bridge versions 10.0.1 and earlier version have an use after fre ...) NOT-FOR-US: Adobe CVE-2020-9565 (Adobe Bridge versions 10.0.1 and earlier version have an out-of-bounds ...) NOT-FOR-US: Adobe CVE-2020-9564 (Adobe Bridge versions 10.0.1 and earlier version have an out-of-bounds ...) NOT-FOR-US: Adobe CVE-2020-9563 (Adobe Bridge versions 10.0.1 and earlier version have a heap overflow ...) NOT-FOR-US: Adobe CVE-2020-9562 (Adobe Bridge versions 10.0.1 and earlier version have a heap overflow ...) NOT-FOR-US: Adobe CVE-2020-9561 (Adobe Bridge versions 10.0.1 and earlier version have an out-of-bounds ...) NOT-FOR-US: Adobe CVE-2020-9560 (Adobe Bridge versions 10.0.1 and earlier version have an out-of-bounds ...) NOT-FOR-US: Adobe CVE-2020-9559 (Adobe Bridge versions 10.0.1 and earlier version have an out-of-bounds ...) NOT-FOR-US: Adobe CVE-2020-9558 (Adobe Bridge versions 10.0.1 and earlier version have an out-of-bounds ...) NOT-FOR-US: Adobe CVE-2020-9557 (Adobe Bridge versions 10.0.1 and earlier version have an out-of-bounds ...) NOT-FOR-US: Adobe CVE-2020-9556 (Adobe Bridge versions 10.0.1 and earlier version have an out-of-bounds ...) NOT-FOR-US: Adobe CVE-2020-9555 (Adobe Bridge versions 10.0.1 and earlier version have a stack-based bu ...) NOT-FOR-US: Adobe CVE-2020-9554 (Adobe Bridge versions 10.0.1 and earlier version have an out-of-bounds ...) NOT-FOR-US: Adobe CVE-2020-9553 (Adobe Bridge versions 10.0.1 and earlier version have an out-of-bounds ...) NOT-FOR-US: Adobe CVE-2020-9552 (Adobe Bridge versions 10.0 have a heap-based buffer overflow vulnerabi ...) NOT-FOR-US: Adobe CVE-2020-9551 (Adobe Bridge versions 10.0 have an out-of-bounds write vulnerability. ...) NOT-FOR-US: Adobe CVE-2019-20489 (An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. The web ...) NOT-FOR-US: Netgear CVE-2019-20488 (An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. Multipl ...) NOT-FOR-US: Netgear CVE-2019-20487 (An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. Multipl ...) NOT-FOR-US: Netgear CVE-2019-20486 (An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. Multipl ...) NOT-FOR-US: Netgear CVE-2020-9550 (Rubetek SmartHome 2020 devices use unencrypted 433 MHz communication b ...) NOT-FOR-US: Rubetek SmartHome 2020 devices CVE-2020-9549 (In PDFResurrect 0.12 through 0.19, get_type in pdf.c has an out-of-bou ...) {DLA-2134-1} - pdfresurrect 0.20-1 (unimportant; bug #952948) NOTE: https://github.com/enferex/pdfresurrect/issues/8 NOTE: Crash in CLI tool, no security impact CVE-2020-9548 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2135-1} - jackson-databind [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2634 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. CVE-2020-9547 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2135-1} - jackson-databind [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2634 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. CVE-2020-9546 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2135-1} - jackson-databind [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2631 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. CVE-2020-9545 (Pale Moon 28.x before 28.8.4 has a segmentation fault related to modul ...) NOT-FOR-US: Pale Moon CVE-2020-9544 (An issue was discovered on D-Link DSL-2640B E1 EU_1.01 devices. The ad ...) NOT-FOR-US: D-Link CVE-2020-9543 (OpenStack Manila <7.4.1, >=8.0.0 <8.1.1, and >=9.0.0 <9 ...) - manila 1:9.0.0-5 (bug #953581) [buster] - manila 1:7.0.0-1+deb10u1 [stretch] - manila (Minor issue) NOTE: https://bugs.launchpad.net/manila/+bug/1861485 NOTE: https://security.openstack.org/ossa/OSSA-2020-002.html CVE-2020-9542 RESERVED CVE-2020-9541 RESERVED CVE-2020-9540 (Sophos HitmanPro.Alert before build 861 allows local elevation of priv ...) NOT-FOR-US: Sophos CVE-2020-9539 RESERVED CVE-2020-9538 RESERVED CVE-2020-9537 RESERVED CVE-2020-9536 RESERVED CVE-2020-9535 (fmwlan.c on D-Link DIR-615Jx10 devices has a stack-based buffer overfl ...) NOT-FOR-US: D-Link CVE-2020-9534 (fmwlan.c on D-Link DIR-615Jx10 devices has a stack-based buffer overfl ...) NOT-FOR-US: D-Link CVE-2020-9533 RESERVED CVE-2020-9532 RESERVED CVE-2020-9531 (An issue was discovered on Xiaomi MIUI V11.0.5.0.QFAEUXM devices. In t ...) NOT-FOR-US: Xiaomi CVE-2020-9530 (An issue was discovered on Xiaomi MIUI V11.0.5.0.QFAEUXM devices. The ...) NOT-FOR-US: Xiaomi CVE-2020-9529 RESERVED CVE-2020-9528 RESERVED CVE-2020-9527 RESERVED CVE-2020-9526 RESERVED CVE-2020-9525 RESERVED CVE-2020-9524 (Cross Site scripting vulnerability on Micro Focus Enterprise Server an ...) NOT-FOR-US: Micro Focus CVE-2020-9523 (Insufficiently protected credentials vulnerability on Micro Focus ente ...) NOT-FOR-US: Micro Focus CVE-2020-9522 (Cross Site Scripting (XSS) vulnerability in Micro Focus ArcSight Enter ...) NOT-FOR-US: Micro Focus CVE-2020-9521 (An SQL injection vulnerability was discovered in Micro Focus Service M ...) NOT-FOR-US: Micro Focus CVE-2020-9520 (A stored XSS vulnerability was discovered in Micro Focus Vibe, affecti ...) NOT-FOR-US: Micro Focus Vibe CVE-2020-9519 (HTTP methods reveled in Web services vulnerability in Micro Focus Serv ...) NOT-FOR-US: Micro Focus CVE-2020-9518 (Login filter can access configuration files vulnerability in Micro Foc ...) NOT-FOR-US: Micro Focus CVE-2020-9517 (There is an improper restriction of rendered UI layers or frames vulne ...) NOT-FOR-US: Micro Focus CVE-2020-9516 RESERVED CVE-2020-9515 RESERVED CVE-2020-9514 (An issue was discovered in the IMPress for IDX Broker plugin before 2. ...) NOT-FOR-US: IMPress for IDX Broker plugin for WordPress CVE-2020-9513 RESERVED CVE-2020-9512 RESERVED CVE-2020-9511 RESERVED CVE-2020-9510 RESERVED CVE-2020-9509 RESERVED CVE-2020-9508 RESERVED CVE-2020-9507 RESERVED CVE-2020-9506 RESERVED CVE-2020-9505 RESERVED CVE-2020-9504 RESERVED CVE-2020-9503 RESERVED CVE-2020-9502 (Some Dahua products with Build time before December 2019 have Session ...) NOT-FOR-US: Dahua CVE-2020-9501 (Attackers can obtain Cloud Key information from the Dahua Web P2P cont ...) NOT-FOR-US: Dahua CVE-2020-9500 (Some products of Dahua have Denial of Service vulnerabilities. After t ...) NOT-FOR-US: Dahua CVE-2020-9499 (Some Dahua products have buffer overflow vulnerabilities. After the su ...) NOT-FOR-US: Dahua CVE-2020-9498 (Apache Guacamole 1.1.0 and older may mishandle pointers involved inpro ...) - guacamole-client (bug #964195) NOTE: https://www.openwall.com/lists/oss-security/2020/07/02/3 CVE-2020-9497 (Apache Guacamole 1.1.0 and older do not properly validate datareceived ...) - guacamole-client (bug #964195) NOTE: https://www.openwall.com/lists/oss-security/2020/07/02/2 CVE-2020-9496 RESERVED CVE-2020-9495 (Apache Archiva login service before 2.2.5 is vulnerable to LDAP inject ...) NOT-FOR-US: Apache Archiva CVE-2020-9494 (Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8. ...) {DSA-4710-1} - trafficserver 8.0.8+ds-1 (bug #963629) NOTE: https://github.com/apache/trafficserver/pull/6922 CVE-2020-9493 RESERVED CVE-2020-9492 RESERVED CVE-2020-9491 RESERVED CVE-2020-9490 RESERVED CVE-2020-9489 (A carefully crafted or corrupt file may trigger a System.exit in Tika' ...) - tika [jessie] - tika (the fix is too invasive to backport) NOTE: https://www.openwall.com/lists/oss-security/2020/04/24/1 CVE-2020-9488 (Improper validation of certificate with host mismatch in Apache Log4j ...) - apache-log4j2 (bug #959450) [jessie] - apache-log4j2 (Minor issue; set mail.smtp.ssl.checkserveridentity to true to enable hostname verification) NOTE: https://www.openwall.com/lists/oss-security/2020/04/25/1 NOTE: https://issues.apache.org/jira/browse/LOG4J2-2819 NOTE: https://gitbox.apache.org/repos/asf?p=logging-log4j2.git;h=6851b5083ef9610bae320bf07e1f24d2aa08851b (release-2.x) NOTE: https://gitbox.apache.org/repos/asf?p=logging-log4j2.git;h=fb91a3d71e2f3dadad6fd1beb2ab857f44fe8bbb (master) CVE-2020-9487 RESERVED CVE-2020-9486 RESERVED CVE-2020-9485 RESERVED CVE-2020-9484 (When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to ...) {DLA-2217-1 DLA-2209-1} - tomcat9 9.0.35-1 (bug #961209) - tomcat8 - tomcat7 NOTE: https://github.com/apache/tomcat/commit/bb33048e3f9b4f2b70e4da2e6c4e34ca89023b1b (10.0.0-M5) NOTE: https://github.com/apache/tomcat/commit/3aa8f28db7efb311cdd1b6fe15a9cd3b167a2222 (9.0.35) NOTE: https://github.com/apache/tomcat/commit/ec08af18d0f9ddca3f2d800ef66fe7fd20afef2f (8.5.55) NOTE: https://github.com/apache/tomcat/commit/53e30390943c18fca0c9e57dbcc14f1c623cfd06 (7.0.104) CVE-2020-9483 (**Resolved** When use H2/MySQL/TiDB as Apache SkyWalking storage, the ...) NOT-FOR-US: Apache SkyWalking CVE-2020-9482 (If NiFi Registry 0.1.0 to 0.5.0 uses an authentication mechanism other ...) NOT-FOR-US: Apache NiFi CVE-2020-9481 (Apache ATS 6.0.0 to 6.2.3, 7.0.0 to 7.1.9, and 8.0.0 to 8.0.6 is vulne ...) {DSA-4672-1} - trafficserver 8.0.7+ds-1 NOTE: https://lists.apache.org/thread.html/rcb8bae0b289d71d18a3220be256c1dfcc4d9ab49d2d6e07d1eac7c9d%40%3Cannounce.trafficserver.apache.org%3E NOTE: https://github.com/apache/trafficserver/commit/50441b39e6631389ef95c4133f06bbf94544879c CVE-2020-9480 (In Apache Spark 2.4.5 and earlier, a standalone resource manager's mas ...) - apache-spark (bug #802194) CVE-2020-9479 RESERVED CVE-2019-20485 (qemu/qemu_driver.c in libvirt before 6.0.0 mishandles the holding of a ...) - libvirt 6.0.0-2 (low; bug #953078) [buster] - libvirt (Minor issue) [stretch] - libvirt (Minor issue) [jessie] - libvirt (Vulnerable code not present) NOTE: https://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=a663a860819287e041c3de672aad1d8543098ecc (v6.0.0-rc1) CVE-2013-7487 (On Swann DVR04B, DVR08B, DVR-16CIF, and DVR16B devices, raysharpdvr ap ...) NOT-FOR-US: Swann CVE-2020-9478 (An issue was discovered in Rubrik 5.0.3-2296. An OS command injection ...) NOT-FOR-US: Rubrik CVE-2020-9477 (An issue was discovered on HUMAX HGA12R-02 BRGCAA 1.1.53 devices. A vu ...) NOT-FOR-US: HUMAX HGA12R-02 BRGCAA devices CVE-2020-9476 (ARRIS TG1692A devices allow remote attackers to discover the administr ...) NOT-FOR-US: ARRIS TG1692A devices CVE-2020-9475 (The S. Siedle & Soehne SG 150-0 Smart Gateway before 1.2.4 allows ...) NOT-FOR-US: S. Siedle & Soehne SG 150-0 Smart Gateway CVE-2020-9474 (The S. Siedle & Soehne SG 150-0 Smart Gateway before 1.2.4 allows ...) NOT-FOR-US: S. Siedle & Soehne SG 150-0 Smart Gateway CVE-2020-9473 (The S. Siedle & Soehne SG 150-0 Smart Gateway before 1.2.4 has a p ...) NOT-FOR-US: S. Siedle & Soehne SG 150-0 Smart Gateway CVE-2020-9472 (Umbraco CMS 8.5.3 allows an authenticated file upload (and consequentl ...) NOT-FOR-US: Umbraco CMS CVE-2020-9471 (Umbraco Cloud 8.5.3 allows an authenticated file upload (and consequen ...) NOT-FOR-US: Umbraco CVE-2020-9470 (An issue was discovered in Wing FTP Server 6.2.5 before February 2020. ...) NOT-FOR-US: Wing FTP Server CVE-2020-9469 RESERVED CVE-2020-9468 (The Community plugin 2.9.e-beta for Piwigo allows users to set image i ...) - piwigo CVE-2020-9467 (Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php reque ...) - piwigo CVE-2020-9466 (The Export Users to CSV plugin through 1.4.2 for WordPress allows CSV ...) NOT-FOR-US: Export Users to CSV plugin for WordPress CVE-2020-9465 (An issue was discovered in EyesOfNetwork eonweb 5.1 through 5.3 before ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2020-9464 (A Denial-of-Service vulnerability exists in BECKHOFF Ethernet TCP/IP B ...) NOT-FOR-US: BECKHOFF Ethernet TCP/IP Bus Coupler BK9000 CVE-2020-9463 (Centreon 19.10 allows remote authenticated users to execute arbitrary ...) - centreon-web (bug #913903) CVE-2020-9462 (An issue was discovered in all Athom Homey and Homey Pro devices up to ...) NOT-FOR-US: Athom CVE-2020-9461 (Octech Oempro 4.7 through 4.11 allow stored XSS by an authenticated us ...) NOT-FOR-US: Octech Oempro CVE-2020-9460 (Octech Oempro 4.7 through 4.11 allow XSS by an authenticated user. The ...) NOT-FOR-US: Octech Oempro CVE-2020-9459 (Multiple Stored Cross-site scripting (XSS) vulnerabilities in the Webn ...) NOT-FOR-US: Webnus Modern Events Calendar Lite plugin for WordPress CVE-2020-9458 (In the RegistrationMagic plugin through 4.6.0.3 for WordPress, the exp ...) NOT-FOR-US: RegistrationMagic plugin for WordPress CVE-2020-9457 (The RegistrationMagic plugin through 4.6.0.3 for WordPress allows remo ...) NOT-FOR-US: RegistrationMagic plugin for WordPress CVE-2020-9456 (In the RegistrationMagic plugin through 4.6.0.3 for WordPress, the use ...) NOT-FOR-US: RegistrationMagic plugin for WordPress CVE-2020-9455 (The RegistrationMagic plugin through 4.6.0.3 for WordPress allows remo ...) NOT-FOR-US: RegistrationMagic plugin for WordPress CVE-2020-9454 (A CSRF vulnerability in the RegistrationMagic plugin through 4.6.0.3 f ...) NOT-FOR-US: RegistrationMagic plugin for WordPress CVE-2020-9453 RESERVED CVE-2020-9452 RESERVED CVE-2020-9451 RESERVED CVE-2020-9450 RESERVED CVE-2020-9449 (An insecure random number generation vulnerability in BlaB! AX, BlaB! ...) NOT-FOR-US: BlaB! CVE-2020-9448 RESERVED CVE-2020-9447 (There is an XSS (cross-site scripting) vulnerability in GwtUpload 1.0. ...) NOT-FOR-US: GwtUpload CVE-2020-9446 RESERVED CVE-2018-21035 (In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB f ...) - qtwebsockets-opensource-src (low; bug #953049) [buster] - qtwebsockets-opensource-src (Minor issue) [stretch] - qtwebsockets-opensource-src (Minor issue) [jessie] - qtwebsockets-opensource-src (Minor issue) NOTE: https://bugreports.qt.io/browse/QTBUG-70693 NOTE: https://codereview.qt-project.org/c/qt/qtwebsockets/+/284735 CVE-2020-9445 (Zulip Server before 2.1.3 allows XSS via the modal_link feature in the ...) - zulip-server (bug #800052) CVE-2020-9444 (Zulip Server before 2.1.3 allows reverse tabnabbing via the Markdown f ...) - zulip-server (bug #800052) CVE-2020-9443 (Zulip Desktop before 4.0.3 loaded untrusted content in an Electron web ...) NOT-FOR-US: Zulip Desktop (different from itp'ed zulip-server) CVE-2020-9442 (OpenVPN Connect 3.1.0.361 on Windows has Insecure Permissions for %PRO ...) NOT-FOR-US: OpenVPN Connect on Windows CVE-2020-9441 RESERVED CVE-2020-9440 (A cross-site scripting (XSS) vulnerability in the WSC plugin through 5 ...) NOT-FOR-US: CKEditor plugin CVE-2020-9439 RESERVED CVE-2020-9438 (Tinxy Door Lock with firmware before 3.2 allow attackers to unlock a d ...) NOT-FOR-US: Tinxy Door Lock CVE-2020-9437 (SecureAuth.aspx in SecureAuth IdP 9.3.0 suffers from a client-side tem ...) NOT-FOR-US: SecureAuth IdP CVE-2020-9436 (PHOENIX CONTACT TC ROUTER 3002T-4G through 2.05.3, TC ROUTER 2002T-3G ...) NOT-FOR-US: PHOENIX CVE-2020-9435 (PHOENIX CONTACT TC ROUTER 3002T-4G through 2.05.3, TC ROUTER 2002T-3G ...) NOT-FOR-US: PHOENIX CVE-2020-9434 (openssl_x509_check_ip_asc in lua-openssl 0.7.7-1 mishandles X.509 cert ...) NOT-FOR-US: lua-openssl (different from lua-luaossl) CVE-2020-9433 (openssl_x509_check_email in lua-openssl 0.7.7-1 mishandles X.509 certi ...) NOT-FOR-US: lua-openssl (different from lua-luaossl) CVE-2020-9432 (openssl_x509_check_host in lua-openssl 0.7.7-1 mishandles X.509 certif ...) NOT-FOR-US: lua-openssl (different from lua-luaossl) CVE-2020-9427 (OX Guard 2.10.3 and earlier allows SSRF. ...) NOT-FOR-US: OX Guard CVE-2020-9426 (OX Guard 2.10.3 and earlier allows XSS. ...) NOT-FOR-US: OX Guard CVE-2020-9425 (An issue was discovered in includes/head.inc.php in rConfig before 3.9 ...) NOT-FOR-US: rConfig CVE-2020-9424 RESERVED CVE-2020-9423 (LogicalDoc before 8.3.3 could allow an attacker to upload arbitrary fi ...) NOT-FOR-US: LogicalDoc CVE-2020-9422 RESERVED CVE-2020-9421 RESERVED CVE-2019-20484 RESERVED CVE-2019-20483 RESERVED CVE-2020-9420 RESERVED CVE-2020-9419 RESERVED CVE-2020-9431 (In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the ...) - wireshark 3.2.2-1 [buster] - wireshark (Can be fixed along in next 3.0.x DSA) [stretch] - wireshark (Can be fixed along in next DSA/update to 3.0) [jessie] - wireshark (composite TVB handling added later) NOTE: https://www.wireshark.org/security/wnpa-sec-2020-03.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16341 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=086003c9d616906e08bbeeab9c17b3aa4c6ff850 CVE-2020-9430 (In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the ...) - wireshark 3.2.2-1 [buster] - wireshark (Can be fixed along in next 3.0.x DSA) [stretch] - wireshark (Can be fixed along in next DSA/update to 3.0) [jessie] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2020-04.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16368 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16383 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=6b98dc63701b1da1cc7681cb383dabb0b7007d73 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=93d6b03a67953b82880cdbdcf0d30e2a3246d790 CVE-2020-9428 (In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the ...) - wireshark 3.2.2-1 (low) [buster] - wireshark (Can be fixed along in next 3.0.x DSA) [stretch] - wireshark (Can be fixed along in next DSA/update to 3.0) [jessie] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2020-05.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16397 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=9fe2de783dbcbe74144678d60a4e3923367044b2 CVE-2020-9429 (In Wireshark 3.2.0 to 3.2.1, the WireGuard dissector could crash. This ...) - wireshark 3.2.2-1 [buster] - wireshark (Vulnerable code not present) [stretch] - wireshark (Vulnerable code not present) [jessie] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2020-06.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16394 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=73c5fff899f253c44a72657048aec7db6edee571 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=a2530f740d67d41908e84434bb5ec99480c2ac2e CVE-2020-9418 (An untrusted search path vulnerability in the installer of PDFescape D ...) NOT-FOR-US: PDFescape CVE-2020-9417 RESERVED CVE-2020-9416 RESERVED CVE-2020-9415 RESERVED CVE-2020-9414 (The MFT admin service component of TIBCO Software Inc.'s TIBCO Managed ...) NOT-FOR-US: TIBCO CVE-2020-9413 (The MFT Browser file transfer client and MFT Browser admin client comp ...) NOT-FOR-US: TIBCO CVE-2020-9412 (The file transfer component of TIBCO Software Inc.'s TIBCO Managed Fil ...) NOT-FOR-US: TIBCO CVE-2020-9411 (The file transfer component of TIBCO Software Inc.'s TIBCO Managed Fil ...) NOT-FOR-US: TIBCO CVE-2020-9410 (The report generator component of TIBCO Software Inc.'s TIBCO JasperRe ...) NOT-FOR-US: TIBCO CVE-2020-9409 (The administrative UI component of TIBCO Software Inc.'s TIBCO JasperR ...) NOT-FOR-US: TIBCO CVE-2020-9408 (The Spotfire library component of TIBCO Software Inc.'s TIBCO Spotfire ...) NOT-FOR-US: TIBCO CVE-2020-9407 (IBL Online Weather before 4.3.5a allows attackers to obtain sensitive ...) NOT-FOR-US: IBL Online Weather CVE-2020-9406 (IBL Online Weather before 4.3.5a allows unauthenticated eval injection ...) NOT-FOR-US: IBL Online Weather CVE-2020-9405 (IBL Online Weather before 4.3.5a allows unauthenticated reflected XSS ...) NOT-FOR-US: IBL Online Weather CVE-2020-9404 RESERVED CVE-2020-9403 RESERVED CVE-2020-9402 (Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 al ...) - python-django 2:2.2.11-1 (low; bug #953102) [buster] - python-django 1:1.11.29-1~deb10u1 [stretch] - python-django (Can be fixed along in a future DSA) [jessie] - python-django (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2020/03/04/1 NOTE: Introduced by: https://github.com/django/django/commit/fcf494b48fea7c0c55ea29721ba0b2d250351ff8 NOTE: Fixed by: https://github.com/django/django/commit/fe886a3b58a93cfbe8864b485f93cb6d426cd1f2 (v2.2) NOTE: Fixed by: https://github.com/django/django/commit/02d97f3c9a88adc890047996e5606180bd1c6166 (v1.11) CVE-2020-9401 RESERVED CVE-2020-9400 RESERVED CVE-2020-9399 (The Avast AV parsing engine allows virus-detection bypass via a crafte ...) NOT-FOR-US: Avast AV parsing engine CVE-2020-9398 (ISPConfig before 3.1.15p3, when the undocumented reverse_proxy_panel_a ...) NOT-FOR-US: ISPConfig CVE-2020-9397 RESERVED CVE-2020-9396 RESERVED CVE-2020-9395 (An issue was discovered on Realtek RTL8195AM, RTL8711AM, RTL8711AF, an ...) TODO: check CVE-2020-9394 (An issue was discovered in the pricing-table-by-supsystic plugin befor ...) NOT-FOR-US: pricing-table-by-supsystic plugin for WordPress CVE-2020-9393 (An issue was discovered in the pricing-table-by-supsystic plugin befor ...) NOT-FOR-US: pricing-table-by-supsystic plugin for WordPress CVE-2020-9392 (An issue was discovered in the pricing-table-by-supsystic plugin befor ...) NOT-FOR-US: pricing-table-by-supsystic plugin for WordPress CVE-2020-9390 RESERVED CVE-2020-9389 RESERVED CVE-2020-9388 RESERVED CVE-2020-9387 (In Mahara 19.04 before 19.04.5 and 19.10 before 19.10.3, account detai ...) - mahara CVE-2020-9386 (In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10 before ...) - mahara CVE-2020-9391 (An issue was discovered in the Linux kernel 5.4 and 5.5 through 5.5.6 ...) - linux 5.5.13-1 [buster] - linux (Vulnerable code not present) [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/dcde237319e626d1ec3c9d8b7613032f0fd4663a CVE-2020-9385 (A NULL Pointer Dereference exists in libzint in Zint 2.7.1 because mul ...) - zint (bug #732141) CVE-2020-9384 (** DISPUTED ** An Insecure Direct Object Reference (IDOR) vulnerabilit ...) NOT-FOR-US: Subex CVE-2020-9383 (An issue was discovered in the Linux kernel through 5.5.6. set_fdc in ...) {DSA-4698-1 DLA-2242-1 DLA-2241-1} - linux 5.5.13-1 [buster] - linux 4.19.118-1 NOTE: https://git.kernel.org/linus/2e90ca68b0d2f5548804f22f0dd61145516171e3 CVE-2020-9382 (An issue was discovered in the Widgets extension through 1.4.0 for Med ...) NOT-FOR-US: Widgets extension for MediaWiki CVE-2020-9381 (controllers/admin.js in Total.js CMS 13 allows remote attackers to exe ...) NOT-FOR-US: Total.js CMS CVE-2020-9380 (IPTV Smarters WEB TV PLAYER through 2020-02-22 allows attackers to exe ...) NOT-FOR-US: IPTV Smarters WEB TV PLAYER CVE-2020-9379 (The Software Development Kit of the MiContact Center Business with Sit ...) NOT-FOR-US: Mitel CVE-2020-9378 RESERVED CVE-2020-9377 RESERVED CVE-2020-9376 RESERVED CVE-2020-9375 (TP-Link Archer C50 V3 devices before Build 200318 Rel. 62209 allows re ...) NOT-FOR-US: TP-Link CVE-2019-20482 RESERVED CVE-2020-9374 (On TP-Link TL-WR849N 0.9.1 4.16 devices, a remote command execution vu ...) NOT-FOR-US: TP-Link CVE-2020-9373 RESERVED CVE-2020-9372 (The Appointment Booking Calendar plugin before 1.3.35 for WordPress al ...) NOT-FOR-US: Appointment Booking Calendar plugin for WordPress CVE-2020-9371 (Stored XSS exists in the Appointment Booking Calendar plugin before 1. ...) NOT-FOR-US: Appointment Booking Calendar plugin for WordPress CVE-2020-9370 (HUMAX HGA12R-02 BRGCAA 1.1.53 devices allow Session Hijacking. ...) NOT-FOR-US: HUMAX HGA12R-02 BRGCAA devices CVE-2020-9369 (Sympa 6.2.38 through 6.2.52 allows remote attackers to cause a denial ...) - sympa 6.2.40~dfsg-4 (low; bug #952428) [buster] - sympa (Minor issue) [stretch] - sympa (Vulnerability introduced later in 6.2.38) [jessie] - sympa (Vulnerability introduced later in 6.2.38) NOTE: https://github.com/sympa-community/sympa/issues/886 NOTE: https://sympa-community.github.io/security/2020-001.html NOTE: Upstream patch: https://github.com/sympa-community/sympa/releases/download/6.2.54/sympa-6.2.52-sa-2020-001.patch CVE-2020-9368 RESERVED CVE-2020-9367 RESERVED CVE-2020-9365 (An issue was discovered in Pure-FTPd 1.0.49. An out-of-bounds (OOB) re ...) - pure-ftpd 1.0.49-3 (bug #952471) [buster] - pure-ftpd (Minor issue) [stretch] - pure-ftpd (Minor issue) [jessie] - pure-ftpd (Vulnerable code does not exist) NOTE: https://github.com/jedisct1/pure-ftpd/commit/36c6d268cb190282a2c17106acfd31863121b CVE-2020-9364 (An issue was discovered in helpers/mailer.php in the Creative Contact ...) NOT-FOR-US: Creative Contact Form extension for Joomla! CVE-2020-9363 (The Sophos AV parsing engine before 2020-01-14 allows virus-detection ...) NOT-FOR-US: Sophos AV CVE-2020-9362 (The Quick Heal AV parsing engine (November 2019) allows virus-detectio ...) NOT-FOR-US: Quick Heal AV parsing engine CVE-2019-20481 (In MIELE XGW 3000 ZigBee Gateway before 2.4.0, the Password Change Fun ...) NOT-FOR-US: MIELE XGW 3000 ZigBee Gateway CVE-2019-20480 (In MIELE XGW 3000 ZigBee Gateway before 2.4.0, a malicious website vis ...) NOT-FOR-US: MIELE XGW 3000 ZigBee Gateway CVE-2016-11020 (Kunena before 5.0.4 does not restrict avatar file extensions to gif, j ...) NOT-FOR-US: Kunena CVE-2020-9366 (A buffer overflow was found in the way GNU Screen before 4.8.0 treated ...) - screen 4.8.0-1 (bug #950896) [buster] - screen (Vulnerable code introduced in v4.7.0) [stretch] - screen (Vulnerable code introduced in v4.7.0) [jessie] - screen (Vulnerable code introduced in v4.7.0) NOTE: https://lists.gnu.org/archive/html/screen-devel/2020-02/msg00007.html NOTE: https://www.openwall.com/lists/oss-security/2020/02/06/3 NOTE: Fixed by: https://git.savannah.gnu.org/cgit/screen.git/commit/?id=68386dfb1fa33471372a8cd2e74686758a2f527b (v4.8.0) NOTE: Follow-up: https://git.savannah.gnu.org/cgit/screen.git/commit/?id=0dd53533e20d2948351a99ec5336fbc9b82b226a (v4.8.0) NOTE: Introduced due to: https://git.savannah.gnu.org/cgit/screen.git/commit/?id=c5db181b6e017cfccb8d7842ce140e59294d9f62 (v4.7.0) CVE-2020-9361 RESERVED CVE-2020-9360 RESERVED CVE-2020-9359 (KDE Okular before 1.10.0 allows code execution via an action link in a ...) {DLA-2159-1} - okular 4:19.12.3-2 (bug #954891) [buster] - okular (Minor issue) [stretch] - okular (Minor issue) NOTE: https://invent.kde.org/kde/okular/-/commit/6a93a033b4f9248b3cd4d04689b8391df754e244 NOTE: https://kde.org/info/security/advisory-20200312-1.txt NOTE: https://sysdream.com/news/lab/2020-03-24-cve-2020-9359-okular-command-execution/ (PoC) CVE-2020-9358 RESERVED CVE-2020-9357 RESERVED CVE-2020-9356 RESERVED CVE-2020-9354 (An issue was discovered in SmartClient 12.0. The Remote Procedure Call ...) NOT-FOR-US: SmartClient CVE-2020-9353 (An issue was discovered in SmartClient 12.0. The Remote Procedure Call ...) NOT-FOR-US: SmartClient CVE-2020-9352 (An issue was discovered in SmartClient 12.0. Unauthenticated exploitat ...) NOT-FOR-US: SmartClient CVE-2020-9351 (An issue was discovered in SmartClient 12.0. If an unauthenticated att ...) NOT-FOR-US: SmartClient CVE-2020-9350 (Graph Builder in SAS Visual Analytics 8.5 allows XSS via a graph templ ...) NOT-FOR-US: Graph Builder in SAS Visual Analytics CVE-2020-9349 (The CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP with firmwar ...) NOT-FOR-US: CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP CVE-2020-9348 RESERVED CVE-2020-9347 (** DISPUTED ** Zoho ManageEngine Password Manager Pro through 10.x has ...) NOT-FOR-US: Zoho ManageEngine CVE-2020-9346 (Zoho ManageEngine Password Manager Pro 10.4 and prior has no protectio ...) NOT-FOR-US: Zoho ManageEngine CVE-2020-9345 (An issue was discovered in signotec signoPAD-API/Web (formerly Websock ...) NOT-FOR-US: signoPAD-API/Web CVE-2020-9344 (Subversion ALM for the enterprise before 8.8.2 allows reflected XSS at ...) NOT-FOR-US: Subversion ALM CVE-2020-9343 (An issue was discovered in signotec signoPAD-API/Web (formerly Websock ...) NOT-FOR-US: signoPAD-API/Web CVE-2020-9342 (The F-Secure AV parsing engine before 2020-02-05 allows virus-detectio ...) NOT-FOR-US: F-Secure AV parsing engine CVE-2020-9341 (CandidATS 2.1.0 is vulnerable to CSRF that allows for an administrator ...) NOT-FOR-US: CandidATS CVE-2020-9340 (fauzantrif eLection 2.0 has SQL Injection via the admin/ajax/op_kandid ...) NOT-FOR-US: fauzantrif eLection CVE-2020-9339 (SOPlanning 1.45 allows XSS via the Name or Comment to status.php. ...) NOT-FOR-US: SOPlanning CVE-2020-9338 (SOPlanning 1.45 allows XSS via the "Your SoPlanning url" field. ...) NOT-FOR-US: SOPlanning CVE-2020-9337 (In GolfBuddy Course Manager 1.1, passwords are sent (with base64 encod ...) NOT-FOR-US: GolfBuddy Course Manager CVE-2020-9336 (fauzantrif eLection 2.0 has XSS via the Admin Dashboard -> Settings ...) NOT-FOR-US: fauzantrif eLection CVE-2020-6816 (In Mozilla Bleach before 3.12, a mutation XSS in bleach.clean when RCD ...) {DSA-4643-1} - python-bleach 3.1.3-1 (bug #954236) [stretch] - python-bleach (Requires invasive changes to address issue) [jessie] - python-bleach (Requires invasive change to address issue) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1621692 (not public) NOTE: https://github.com/mozilla/bleach/security/advisories/GHSA-m6xf-fq7q-8743 NOTE: https://github.com/mozilla/bleach/commit/175f67740e7951e1d80cefb7831e6c3e4efeb986 CVE-2020-6802 (In Mozilla Bleach before 3.11, a mutation XSS affects users calling bl ...) {DSA-4636-1} - python-bleach 3.1.1-1 (bug #951907) [stretch] - python-bleach (Requires invasive changes to address issue) [jessie] - python-bleach (Fix too invasive in jessie; uses external html5 parser) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1615315 (not public) NOTE: https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r NOTE: https://github.com/mozilla/bleach/commit/f77e0f6392177a06e46a49abd61a4d9f035e57fd CVE-2020-9335 (Multiple stored XSS vulnerabilities exist in the 10Web Photo Gallery p ...) NOT-FOR-US: 10Web Photo Gallery plugin for WordPress CVE-2020-9334 (A stored XSS vulnerability exists in the Envira Photo Gallery plugin t ...) NOT-FOR-US: Envira Photo Gallery plugin for WordPress CVE-2020-9333 RESERVED CVE-2020-9332 (ftusbbus2.sys in FabulaTech USB for Remote Desktop through 2020-02-19 ...) NOT-FOR-US: FabulaTech CVE-2020-9331 RESERVED CVE-2020-9330 (Certain Xerox WorkCentre printers before 073.xxx.000.02300 do not requ ...) NOT-FOR-US: Xerox CVE-2020-9329 (Gogs through 0.11.91 allows attackers to violate the admin-specified r ...) NOT-FOR-US: Go Git Service CVE-2020-9328 RESERVED CVE-2020-9327 (In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger ...) - sqlite3 3.31.1-3 (bug #951835) [buster] - sqlite3 (Minor issue) [stretch] - sqlite3 (Minor issue) [jessie] - sqlite3 (vulnerable code not present) NOTE: https://www.sqlite.org/cgi/src/info/4374860b29383380 NOTE: https://www.sqlite.org/cgi/src/info/9d0d4ab95dc0c56e NOTE: https://www.sqlite.org/cgi/src/info/abc473fb8fb99900 CVE-2020-9326 (BeyondTrust Privilege Management for Windows and Mac (aka PMWM; former ...) NOT-FOR-US: BeyondTrust Privilege Management for Windows and Mac CVE-2020-9325 (Aquaforest TIFF Server 4.0 allows Unauthenticated Arbitrary File Downl ...) NOT-FOR-US: Aquaforest TIFF Server CVE-2020-9324 (Aquaforest TIFF Server 4.0 allows Unauthenticated SMB Hash Capture via ...) NOT-FOR-US: Aquaforest TIFF Server CVE-2020-9323 (Aquaforest TIFF Server 4.0 allows Unauthenticated File and Directory E ...) NOT-FOR-US: Aquaforest TIFF Server CVE-2020-9322 RESERVED CVE-2020-9321 (configurationwatcher.go in Traefik 2.x before 2.1.4 and TraefikEE 2.0. ...) NOT-FOR-US: Traefik CVE-2020-9320 (Avira AV Engine before 8.3.54.138 allows virus-detection bypass via a ...) NOT-FOR-US: Avira CVE-2020-9319 RESERVED CVE-2020-9318 (Red Gate SQL Monitor 9.0.13 through 9.2.14 allows an administrative us ...) NOT-FOR-US: Red Gate SQL Monitor CVE-2020-9317 RESERVED CVE-2020-9316 RESERVED CVE-2020-9315 (** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** Oracle iPlanet Web Server 7. ...) NOT-FOR-US: Oracle CVE-2020-9314 (** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** Oracle iPlanet Web Server 7. ...) NOT-FOR-US: Oracle CVE-2020-9313 RESERVED CVE-2020-9312 RESERVED CVE-2020-9311 RESERVED CVE-2020-9310 REJECTED CVE-2020-9309 RESERVED CVE-2020-9308 (archive_read_support_format_rar5.c in libarchive before 3.4.2 attempts ...) - libarchive 3.4.0-2 (bug #951759) [buster] - libarchive (rar5 support added in 3.4.0) [stretch] - libarchive (rar5 support added in 3.4.0) [jessie] - libarchive (rar5 support added in 3.4.0) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20459 NOTE: https://github.com/libarchive/libarchive/pull/1326 NOTE: https://github.com/libarchive/libarchive/commit/94821008d6eea81e315c5881cdf739202961040a CVE-2020-9307 RESERVED CVE-2020-9306 RESERVED CVE-2020-9305 RESERVED CVE-2020-9304 RESERVED CVE-2020-9303 RESERVED CVE-2020-9302 RESERVED CVE-2020-9301 RESERVED CVE-2020-9300 RESERVED CVE-2020-9299 RESERVED CVE-2020-9298 RESERVED CVE-2020-9297 RESERVED CVE-2020-9296 (Netflix Titus uses Java Bean Validation (JSR 380) custom constraint va ...) NOT-FOR-US: Netflix Conductor CVE-2020-9295 RESERVED CVE-2020-9294 (An improper authentication vulnerability in FortiMail 5.4.10, 6.0.7, 6 ...) NOT-FOR-US: FortiMail Fortiguard CVE-2020-9293 RESERVED CVE-2020-9292 (An unquoted service path vulnerability in the FortiSIEM Windows Agent ...) NOT-FOR-US: Fortiguard CVE-2020-9291 (An Insecure Temporary File vulnerability in FortiClient for Windows 6. ...) NOT-FOR-US: Fortiguard / FortiClient for Windows CVE-2020-9290 (An Unsafe Search Path vulnerability in FortiClient for Windows online ...) NOT-FOR-US: Fortiguard CVE-2020-9289 (Use of a hard-coded cryptographic key to encrypt password data in CLI ...) NOT-FOR-US: Fortiguard CVE-2020-9288 (An improper neutralization of input vulnerability in FortiWLC 8.5.1 al ...) NOT-FOR-US: Fortinet CVE-2020-9287 (An Unsafe Search Path vulnerability in FortiClient EMS online installe ...) NOT-FOR-US: Fortiguard CVE-2020-9286 (An improper authorization vulnerability in FortiADC may allow a remote ...) NOT-FOR-US: Fortiguard CVE-2020-9285 RESERVED CVE-2020-9284 RESERVED CVE-2020-9283 (golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go a ...) - golang-go.crypto 1:0.0~git20200221.2aa609c-1 (bug #952462) [buster] - golang-go.crypto (Minor issue) [stretch] - golang-go.crypto (Minor issue) [jessie] - golang-go.crypto (Minor issue) NOTE: https://github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab236 CVE-2020-9282 (In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10 before ...) - mahara CVE-2020-9281 (A cross-site scripting (XSS) vulnerability in the HTML Data Processor ...) NOT-FOR-US: CKEditor plugin CVE-2020-9280 (In SilverStripe through 4.5, files uploaded via Forms to folders migra ...) NOT-FOR-US: SilverStripe CVE-2020-9279 (An issue was discovered on D-Link DSL-2640B B2 EU_4.01B devices. A har ...) NOT-FOR-US: D-Link CVE-2020-9278 (An issue was discovered on D-Link DSL-2640B B2 EU_4.01B devices. The d ...) NOT-FOR-US: D-Link CVE-2020-9277 (An issue was discovered on D-Link DSL-2640B B2 EU_4.01B devices. Authe ...) NOT-FOR-US: D-Link CVE-2020-9276 (An issue was discovered on D-Link DSL-2640B B2 EU_4.01B devices. The f ...) NOT-FOR-US: D-Link CVE-2020-9275 (An issue was discovered on D-Link DSL-2640B B2 EU_4.01B devices. A cfm ...) NOT-FOR-US: D-Link CVE-2020-9274 (An issue was discovered in Pure-FTPd 1.0.49. An uninitialized pointer ...) {DLA-2123-1} - pure-ftpd 1.0.49-4 (bug #952666) [buster] - pure-ftpd (Minor issue) [stretch] - pure-ftpd (Minor issue) NOTE: https://github.com/jedisct1/pure-ftpd/commit/8d0d42542e2cb7a56d645fbe4d0ef436e38bcefa NOTE: though the CVE description does not specifically say, the issue seems to be an NOTE: out-of-bounds memory read which may result in information disclosure; NOTE: probably not the end of the world, but it is made worse by use of the rather NOTE: unsafe strcmp() instead of strncmp() in the vulnerable functions CVE-2020-9273 (In ProFTPD 1.3.7, it is possible to corrupt the memory pool by interru ...) {DSA-4635-1 DLA-2115-2 DLA-2115-1} - proftpd-dfsg 1.3.6c-2 (bug #951800) NOTE: https://github.com/proftpd/proftpd/issues/903 NOTE: https://github.com/proftpd/proftpd/commit/d388f7904d4c9a6d0ea54237b8b54a57c19d8d49 (master) NOTE: https://github.com/proftpd/proftpd/commit/f8047a1ed0e0eb15193f555c4cbbb281e705c5c3 (master) NOTE: https://github.com/proftpd/proftpd/commit/e845abc1bd86eebec7a0342fded908a1b0f1996b (1.3.6c) NOTE: https://github.com/proftpd/proftpd/commit/cd9036f4ef7a05c107f0ffcb19a018b20267c531 (1.3.6-branch) CVE-2020-9272 (ProFTPD 1.3.7 has an out-of-bounds (OOB) read vulnerability in mod_cap ...) - proftpd-dfsg 1.3.6c-1 (unimportant) NOTE: https://github.com/proftpd/proftpd/issues/902 NOTE: Debian does not build mod_cap and does not use the embedded libcap. NOTE: Sourcewise fixed in 1.3.6c by updating to the lastest libcap. CVE-2019-20479 (A flaw was found in mod_auth_openidc before version 2.4.1. An open red ...) {DLA-2130-1} - libapache2-mod-auth-openidc 2.4.1-1 NOTE: https://github.com/zmartzone/mod_auth_openidc/commit/02431c0adfa30f478cf2eb20ed6ea51fdf446be7 NOTE: https://github.com/zmartzone/mod_auth_openidc/pull/453 CVE-2019-20478 (In ruamel.yaml through 0.16.7, the load method allows remote code exec ...) - ruamel.yaml (unimportant) NOTE: This is a well-known design deficiency in pyyaml (of which ruamel.yaml is derived), NOTE: various CVE IDs have been assigned to applications misusing the API over the years. NOTE: pyyaml 5.1 changed the default hebaviour CVE-2019-20477 (PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and ...) - pyyaml 5.2-1 (unimportant) [buster] - pyyaml (Vulnerability introduced in 5.1) [stretch] - pyyaml (Vulnerability introduced in 5.1) [jessie] - pyyaml (Vulnerability introduced in 5.1) NOTE: CVE exists due to an incomplete fix for CVE-2017-18342. CVE-2019-20476 RESERVED CVE-2019-20475 RESERVED CVE-2015-9543 (An issue was discovered in OpenStack Nova before 18.2.4, 19.x before 1 ...) - nova (bug #951635) [buster] - nova (Minor issue) [stretch] - nova (Minor issue) [jessie] - nova (Minor issue) NOTE: https://launchpad.net/bugs/1492140 NOTE: https://review.opendev.org/220622 CVE-2020-9271 (ICE Hrm 26.2.0 is vulnerable to CSRF that leads to user creation via s ...) NOT-FOR-US: ICE Hrm CVE-2020-9270 (ICE Hrm 26.2.0 is vulnerable to CSRF that leads to password reset via ...) NOT-FOR-US: ICE Hrm CVE-2020-9269 (SOPlanning 1.45 is vulnerable to authenticated SQL Injection that lead ...) NOT-FOR-US: SOPlanning CVE-2020-9268 (SoPlanning 1.45 is vulnerable to SQL Injection in the OrderBy clause, ...) NOT-FOR-US: SOPlanning CVE-2020-9267 (SOPlanning 1.45 is vulnerable to a CSRF attack that allows for arbitra ...) NOT-FOR-US: SOPlanning CVE-2020-9266 (SOPlanning 1.45 is vulnerable to a CSRF attack that allows for arbitra ...) NOT-FOR-US: SOPlanning CVE-2020-9265 (phpMyChat-Plus 1.98 is vulnerable to multiple SQL injections against t ...) NOT-FOR-US: phpMyChat-Plus CVE-2020-9264 (ESET Archive Support Module before 1296 allows virus-detection bypass ...) NOT-FOR-US: ESET CVE-2020-9263 RESERVED CVE-2020-9262 (HUAWEI Mate 30 with versions earlier than 10.1.0.150(C00E136R5P3) have ...) NOT-FOR-US: HUAWEI CVE-2020-9261 (HUAWEI Mate 30 with versions earlier than 10.1.0.150(C00E136R5P3) have ...) NOT-FOR-US: HUAWEI CVE-2020-9260 RESERVED CVE-2020-9259 RESERVED CVE-2020-9258 RESERVED CVE-2020-9257 RESERVED CVE-2020-9256 RESERVED CVE-2020-9255 RESERVED CVE-2020-9254 RESERVED CVE-2020-9253 RESERVED CVE-2020-9252 RESERVED CVE-2020-9251 RESERVED CVE-2020-9250 RESERVED CVE-2020-9249 RESERVED CVE-2020-9248 RESERVED CVE-2020-9247 RESERVED CVE-2020-9246 RESERVED CVE-2020-9245 RESERVED CVE-2020-9244 RESERVED CVE-2020-9243 RESERVED CVE-2020-9242 RESERVED CVE-2020-9241 RESERVED CVE-2020-9240 RESERVED CVE-2020-9239 RESERVED CVE-2020-9238 RESERVED CVE-2020-9237 RESERVED CVE-2020-9236 RESERVED CVE-2020-9235 RESERVED CVE-2020-9234 RESERVED CVE-2020-9233 RESERVED CVE-2020-9232 RESERVED CVE-2020-9231 RESERVED CVE-2020-9230 RESERVED CVE-2020-9229 RESERVED CVE-2020-9228 RESERVED CVE-2020-9227 RESERVED CVE-2020-9226 (HUAWEI P30 with versions earlier than 10.1.0.135(C00E135R2P11) have an ...) NOT-FOR-US: HUAWEI CVE-2020-9225 (FusionSphere OpenStack 6.5.1 have an improper permissions management v ...) TODO: check CVE-2020-9224 RESERVED CVE-2020-9223 RESERVED CVE-2020-9222 RESERVED CVE-2020-9221 RESERVED CVE-2020-9220 RESERVED CVE-2020-9219 RESERVED CVE-2020-9218 RESERVED CVE-2020-9217 RESERVED CVE-2020-9216 RESERVED CVE-2020-9215 RESERVED CVE-2020-9214 RESERVED CVE-2020-9213 RESERVED CVE-2020-9212 RESERVED CVE-2020-9211 RESERVED CVE-2020-9210 RESERVED CVE-2020-9209 RESERVED CVE-2020-9208 RESERVED CVE-2020-9207 RESERVED CVE-2020-9206 RESERVED CVE-2020-9205 RESERVED CVE-2020-9204 RESERVED CVE-2020-9203 RESERVED CVE-2020-9202 RESERVED CVE-2020-9201 RESERVED CVE-2020-9200 RESERVED CVE-2020-9199 RESERVED CVE-2020-9198 RESERVED CVE-2020-9197 RESERVED CVE-2020-9196 RESERVED CVE-2020-9195 RESERVED CVE-2020-9194 RESERVED CVE-2020-9193 RESERVED CVE-2020-9192 RESERVED CVE-2020-9191 RESERVED CVE-2020-9190 RESERVED CVE-2020-9189 RESERVED CVE-2020-9188 RESERVED CVE-2020-9187 RESERVED CVE-2020-9186 RESERVED CVE-2020-9185 RESERVED CVE-2020-9184 RESERVED CVE-2020-9183 RESERVED CVE-2020-9182 RESERVED CVE-2020-9181 RESERVED CVE-2020-9180 RESERVED CVE-2020-9179 RESERVED CVE-2020-9178 RESERVED CVE-2020-9177 RESERVED CVE-2020-9176 RESERVED CVE-2020-9175 RESERVED CVE-2020-9174 RESERVED CVE-2020-9173 RESERVED CVE-2020-9172 RESERVED CVE-2020-9171 RESERVED CVE-2020-9170 RESERVED CVE-2020-9169 RESERVED CVE-2020-9168 RESERVED CVE-2020-9167 RESERVED CVE-2020-9166 RESERVED CVE-2020-9165 RESERVED CVE-2020-9164 RESERVED CVE-2020-9163 RESERVED CVE-2020-9162 RESERVED CVE-2020-9161 RESERVED CVE-2020-9160 RESERVED CVE-2020-9159 RESERVED CVE-2020-9158 RESERVED CVE-2020-9157 RESERVED CVE-2020-9156 RESERVED CVE-2020-9155 RESERVED CVE-2020-9154 RESERVED CVE-2020-9153 RESERVED CVE-2020-9152 RESERVED CVE-2020-9151 RESERVED CVE-2020-9150 RESERVED CVE-2020-9149 RESERVED CVE-2020-9148 RESERVED CVE-2020-9147 RESERVED CVE-2020-9146 RESERVED CVE-2020-9145 RESERVED CVE-2020-9144 RESERVED CVE-2020-9143 RESERVED CVE-2020-9142 RESERVED CVE-2020-9141 RESERVED CVE-2020-9140 RESERVED CVE-2020-9139 RESERVED CVE-2020-9138 RESERVED CVE-2020-9137 RESERVED CVE-2020-9136 RESERVED CVE-2020-9135 RESERVED CVE-2020-9134 RESERVED CVE-2020-9133 RESERVED CVE-2020-9132 RESERVED CVE-2020-9131 RESERVED CVE-2020-9130 RESERVED CVE-2020-9129 RESERVED CVE-2020-9128 RESERVED CVE-2020-9127 RESERVED CVE-2020-9126 RESERVED CVE-2020-9125 RESERVED CVE-2020-9124 RESERVED CVE-2020-9123 RESERVED CVE-2020-9122 RESERVED CVE-2020-9121 RESERVED CVE-2020-9120 RESERVED CVE-2020-9119 RESERVED CVE-2020-9118 RESERVED CVE-2020-9117 RESERVED CVE-2020-9116 RESERVED CVE-2020-9115 RESERVED CVE-2020-9114 RESERVED CVE-2020-9113 RESERVED CVE-2020-9112 RESERVED CVE-2020-9111 RESERVED CVE-2020-9110 RESERVED CVE-2020-9109 RESERVED CVE-2020-9108 RESERVED CVE-2020-9107 RESERVED CVE-2020-9106 RESERVED CVE-2020-9105 RESERVED CVE-2020-9104 RESERVED CVE-2020-9103 RESERVED CVE-2020-9102 RESERVED CVE-2020-9101 RESERVED CVE-2020-9100 (Earlier than HiSuite 10.1.0.500 have a DLL hijacking vulnerability. Th ...) NOT-FOR-US: Huawei CVE-2020-9099 (Huawei products IPS Module; NGFW Module; NIP6300; NIP6600; NIP6800; Se ...) NOT-FOR-US: Huawei CVE-2020-9098 (Huawei OceanStor 5310 product with version of V500R007C60SPC100 has an ...) NOT-FOR-US: Huawei CVE-2020-9097 RESERVED CVE-2020-9096 RESERVED CVE-2020-9095 RESERVED CVE-2020-9094 RESERVED CVE-2020-9093 RESERVED CVE-2020-9092 RESERVED CVE-2020-9091 RESERVED CVE-2020-9090 RESERVED CVE-2020-9089 RESERVED CVE-2020-9088 RESERVED CVE-2020-9087 RESERVED CVE-2020-9086 RESERVED CVE-2020-9085 RESERVED CVE-2020-9084 RESERVED CVE-2020-9083 RESERVED CVE-2020-9082 RESERVED CVE-2020-9081 RESERVED CVE-2020-9080 RESERVED CVE-2020-9079 RESERVED CVE-2020-9078 RESERVED CVE-2020-9077 RESERVED CVE-2020-9076 (HUAWEI P30;HUAWEI P30 Pro;Tony-AL00B smartphones with versions earlier ...) NOT-FOR-US: Huawei CVE-2020-9075 (Huawei products Secospace USG6300;USG6300E with versions of V500R001C3 ...) NOT-FOR-US: Huawei CVE-2020-9074 (Huawei Smartphones HONOR 20 PRO;Honor View 20;HONOR 20 have an imprope ...) NOT-FOR-US: Huawei CVE-2020-9073 (Huawei P20 smartphones with versions earlier than 10.0.0.156(C00E156R1 ...) NOT-FOR-US: Huawei CVE-2020-9072 (Huawei OSD product with versions earlier than OSD_uwp_9.0.32.0 have a ...) NOT-FOR-US: Huawei CVE-2020-9071 (There is a few bytes out-of-bounds read vulnerability in some Huawei p ...) NOT-FOR-US: Huawei CVE-2020-9070 (Huawei smartphones Taurus-AL00B with versions earlier than 10.0.0.205( ...) NOT-FOR-US: Huawei CVE-2020-9069 (There is an information leakage vulnerability in some Huawei products. ...) NOT-FOR-US: Huawei CVE-2020-9068 (Huawei AR3200 products with versions of V200R007C00SPC900, V200R007C00 ...) NOT-FOR-US: Huawei CVE-2020-9067 (There is a buffer overflow vulnerability in some Huawei products. The ...) NOT-FOR-US: Huawei CVE-2020-9066 (Huawei smartphones OxfordP-AN10B with versions earlier than 10.0.1.169 ...) NOT-FOR-US: Huawei CVE-2020-9065 (Huawei smart phone Taurus-AL00B with versions earlier than 10.0.0.203( ...) NOT-FOR-US: Huawei CVE-2020-9064 (Huawei smartphone Honor V30 with versions earlier than OxfordS-AN00A 1 ...) NOT-FOR-US: Huawei CVE-2020-9063 RESERVED CVE-2020-9062 RESERVED CVE-2020-9061 RESERVED CVE-2020-9060 RESERVED CVE-2020-9059 RESERVED CVE-2020-9058 RESERVED CVE-2020-9057 RESERVED CVE-2020-9056 (Periscope BuySpeed version 14.5 is vulnerable to stored cross-site scr ...) NOT-FOR-US: Periscope BuySpeed CVE-2020-9055 (Versiant LYNX Customer Service Portal (CSP), version 3.5.2, is vulnera ...) NOT-FOR-US: Versiant LYNX Customer Service Portal CVE-2020-9054 (Multiple ZyXEL network-attached storage (NAS) devices running firmware ...) NOT-FOR-US: ZyXEL CVE-2020-9053 RESERVED CVE-2020-9052 RESERVED CVE-2020-9051 RESERVED CVE-2020-9050 RESERVED CVE-2020-9049 RESERVED CVE-2020-9048 RESERVED CVE-2020-9047 (A vulnerability exists that could allow the execution of unauthorized ...) NOT-FOR-US: exacqVision Web Service CVE-2020-9046 (A vulnerability in all versions of Kantech EntraPass Editions could po ...) NOT-FOR-US: Kantech CVE-2020-9045 (During installation or upgrade to Software House C•CURE 9000 v2. ...) NOT-FOR-US: Software House CVE-2020-9044 (XXE vulnerability exists in the Metasys family of product Web Services ...) NOT-FOR-US: Johnson Controls CVE-2020-9043 (The wpCentral plugin before 1.5.1 for WordPress allows disclosure of t ...) NOT-FOR-US: wpCentral plugin for WordPress CVE-2020-9042 (In Couchbase Server 6.0, credentials cached by a browser can be used t ...) NOT-FOR-US: Couchbase CVE-2020-9041 (In Couchbase Server 6.0.3 and Couchbase Sync Gateway through 2.7.0, th ...) NOT-FOR-US: Couchbase CVE-2020-9040 (Couchbase Server Java SDK before 2.7.1.1 allows a potential attacker t ...) NOT-FOR-US: Couchbase CVE-2020-9039 (Couchbase Server 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0 through 4.6. ...) NOT-FOR-US: Couchbase CVE-2020-9038 (Joplin through 1.0.184 allows Arbitrary File Read via XSS. ...) NOT-FOR-US: Joplin CVE-2020-9037 RESERVED CVE-2020-9036 RESERVED CVE-2020-9035 RESERVED CVE-2019-20474 (An issue was discovered in Zoho ManageEngine Remote Access Plus 10.0.4 ...) NOT-FOR-US: Zoho ManageEngine Remote Access Plus CVE-2016-11019 RESERVED CVE-2020-9355 (danfruehauf NetworkManager-ssh before 1.2.11 allows privilege escalati ...) {DSA-4637-1} - network-manager-ssh 1.2.11-1 NOTE: https://github.com/danfruehauf/NetworkManager-ssh/pull/98 NOTE: https://github.com/danfruehauf/NetworkManager-ssh/commit/5d88cd89795352b5df54cc0ebb6a0076b8c89ee4 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1803499 CVE-2020-9034 (Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65 ...) NOT-FOR-US: Symmetricom SyncServer CVE-2020-9033 (Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65 ...) NOT-FOR-US: Symmetricom SyncServer CVE-2020-9032 (Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65 ...) NOT-FOR-US: Symmetricom SyncServer CVE-2020-9031 (Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65 ...) NOT-FOR-US: Symmetricom SyncServer CVE-2020-9030 (Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65 ...) NOT-FOR-US: Symmetricom SyncServer CVE-2020-9029 (Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65 ...) NOT-FOR-US: Symmetricom SyncServer CVE-2020-9028 (Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65 ...) NOT-FOR-US: Symmetricom SyncServer CVE-2020-9027 (ELTEX NTP-RG-1402G 1v10 3.25.3.32 devices allow OS command injection v ...) NOT-FOR-US: ELTEX devices CVE-2020-9026 (ELTEX NTP-RG-1402G 1v10 3.25.3.32 devices allow OS command injection v ...) NOT-FOR-US: ELTEX devices CVE-2020-9025 (Iteris Vantage Velocity Field Unit 2.4.2 devices have multiple stored ...) NOT-FOR-US: Iteris Vantage Velocity Field Unit devices CVE-2020-9024 (Iteris Vantage Velocity Field Unit 2.3.1 and 2.4.2 devices have world- ...) NOT-FOR-US: Iteris Vantage Velocity Field Unit devices CVE-2020-9023 (Iteris Vantage Velocity Field Unit 2.3.1 and 2.4.2 devices have two us ...) NOT-FOR-US: Iteris Vantage Velocity Field Unit devices CVE-2020-9022 (An issue was discovered on Xirrus XR520, XR620, XR2436, and XH2-120 de ...) NOT-FOR-US: Xirrus devices CVE-2020-9021 (Post Oak AWAM Bluetooth Field Device 7400v2.08.21.2018, 7800SD.2015.1. ...) NOT-FOR-US: Post Oak AWAM Bluetooth Field Device CVE-2020-9020 (Iteris Vantage Velocity Field Unit 2.3.1, 2.4.2, and 3.0 devices allow ...) NOT-FOR-US: Iteris Vantage Velocity Field Unit devices CVE-2020-9019 (The WPJobBoard plugin 5.5.3 for WordPress allows Persistent XSS via th ...) NOT-FOR-US: WPJobBoard plugin for WordPress CVE-2020-9018 (LiteCart through 2.2.1 allows admin/?app=users&doc=edit_user CSRF ...) NOT-FOR-US: LiteCart CVE-2020-9017 (LiteCart through 2.2.1 allows CSV injection via a customer's profile. ...) NOT-FOR-US: LiteCart CVE-2020-9016 (Dolibarr 11.0 allows XSS via the joinfiles, topic, or code parameter, ...) - dolibarr CVE-2020-9015 (** DISPUTED ** Arista DCS-7050QX-32S-R 4.20.9M, DCS-7050CX3-32S-R 4.20 ...) NOT-FOR-US: Arista devices CVE-2020-9014 RESERVED CVE-2020-9013 (Arvato Skillpipe 3.0 allows attackers to bypass intended print restric ...) NOT-FOR-US: Arvato Skillpipe CVE-2020-9012 (A cross-site scripting (XSS) vulnerability in the Import People functi ...) NOT-FOR-US: Gluu Identity Configuration CVE-2020-9011 RESERVED CVE-2020-9010 RESERVED CVE-2020-9009 RESERVED CVE-2020-9008 (Stored Cross-site scripting (XSS) vulnerability in Blackboard Learn/Pe ...) NOT-FOR-US: Blackboard Learn/PeopleTool CVE-2019-20473 RESERVED CVE-2019-20472 RESERVED CVE-2019-20471 RESERVED CVE-2019-20470 RESERVED CVE-2019-20469 RESERVED CVE-2019-20468 RESERVED CVE-2019-20467 RESERVED CVE-2019-20466 RESERVED CVE-2019-20465 RESERVED CVE-2019-20464 RESERVED CVE-2019-20463 RESERVED CVE-2019-20462 RESERVED CVE-2019-20461 RESERVED CVE-2019-20460 RESERVED CVE-2019-20459 RESERVED CVE-2019-20458 RESERVED CVE-2019-20457 RESERVED CVE-2020-9007 (Codoforum 4.8.8 allows self-XSS via the title of a new topic. ...) NOT-FOR-US: Codoforum CVE-2020-9006 (The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulner ...) NOT-FOR-US: Popup Builder plugin for WordPress CVE-2020-9005 (meshsystem.dll in Valve Dota 2 through 2020-02-17 allows remote attack ...) NOT-FOR-US: Dota 2 CVE-2020-9004 (A remote authenticated authorization-bypass vulnerability in Wowza Str ...) NOT-FOR-US: Wowza Streaming Engine CVE-2020-9003 (A stored XSS vulnerability exists in the Modula Image Gallery plugin b ...) NOT-FOR-US: Modula Image Gallery plugin for WordPress CVE-2020-9002 RESERVED CVE-2020-9001 RESERVED CVE-2020-9000 RESERVED CVE-2020-8999 RESERVED CVE-2020-8998 REJECTED CVE-2020-8997 (Older generation Abbott FreeStyle Libre sensors allow remote attackers ...) NOT-FOR-US: Abbott FreeStyle Libre CVE-2020-8996 (AnyShare Cloud 6.0.9 allows authenticated directory traversal to read ...) NOT-FOR-US: AnyShare Cloud CVE-2019-20456 (Goverlan Reach Console before 9.50, Goverlan Reach Server before 3.50, ...) NOT-FOR-US: Goverlan CVE-2020-8995 RESERVED CVE-2019-20455 (Gateways/Gateway.php in Heartland & Global Payments PHP SDK before ...) NOT-FOR-US: Heartland & Global Payments PHP SDK CVE-2019-20454 (An out-of-bounds read was discovered in PCRE before 10.34 when the pat ...) - pcre2 10.34-1 [buster] - pcre2 (Minor issue) [stretch] - pcre2 (Minor issue) NOTE: https://bugs.exim.org/show_bug.cgi?id=2421 NOTE: https://bugs.php.net/bug.php?id=78338 NOTE: Fixed by: https://vcs.pcre.org/pcre2?view=revision&revision=1092 NOTE: Tests: https://vcs.pcre.org/pcre2?view=revision&revision=1091 CVE-2020-8994 (An issue was discovered on XIAOMI AI speaker MDZ-25-DT 1.34.36, and 1. ...) NOT-FOR-US: XIAOMI AI speaker MDZ-25-DT CVE-2020-8993 RESERVED CVE-2020-8992 (ext4_protect_reserved_inode in fs/ext4/block_validity.c in the Linux k ...) - linux 5.5.13-1 [buster] - linux 4.19.118-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://patchwork.ozlabs.org/patch/1236118/ CVE-2020-8991 (** DISPUTED ** vg_lookup in daemons/lvmetad/lvmetad-core.c in LVM2 2.0 ...) - lvm2 2.03.01-2 [stretch] - lvm2 (Minor issue) [jessie] - lvm2 (Minor issue) NOTE: https://sourceware.org/git/?p=lvm2.git;a=commit;h=bcf9556b8fcd16ad8997f80cc92785f295c66701 NOTE: 2.03.00 upstream removed lvmetad (and the still vulnerable code) CVE-2020-8990 (Western Digital My Cloud Home before 3.6.0 and ibi before 3.6.0 allow ...) NOT-FOR-US: Western Digital My Cloud Home CVE-2020-8989 (In the Voatz application 2020-01-01 for Android, the amount of data tr ...) NOT-FOR-US: Voatz application for Android CVE-2020-8988 (The Voatz application 2020-01-01 for Android allows only 100 million d ...) NOT-FOR-US: Voatz application for Android CVE-2020-8987 (Avast AntiTrack before 1.5.1.172 and AVG Antitrack before 2.0.0.178 pr ...) NOT-FOR-US: Avast AntiTrack CVE-2020-8986 (lib/NSSDropbox.php in ZendTo prior to 5.22-2 Beta failed to properly c ...) NOT-FOR-US: ZendTo CVE-2020-8985 (ZendTo prior to 5.22-2 Beta allowed reflected XSS and CSRF via the unl ...) NOT-FOR-US: ZendTo CVE-2020-8984 (lib/NSSDropbox.php in ZendTo prior to 5.22-2 Beta allowed IP address s ...) NOT-FOR-US: ZendTo CVE-2020-8983 (An arbitrary file write issue exists in all versions of Citrix ShareFi ...) NOT-FOR-US: Citrix CVE-2020-8982 (An unauthenticated arbitrary file read issue exists in all versions of ...) NOT-FOR-US: Citrix CVE-2020-8981 (A cross-site scripting (XSS) vulnerability was discovered in the Sourc ...) NOT-FOR-US: Source Integration plugin for MantisBT CVE-2020-8980 RESERVED CVE-2020-8979 RESERVED CVE-2020-8978 RESERVED CVE-2020-8977 RESERVED CVE-2020-8976 RESERVED CVE-2020-8975 RESERVED CVE-2020-8974 RESERVED CVE-2020-8973 RESERVED CVE-2020-8972 RESERVED CVE-2020-8971 RESERVED CVE-2020-8970 RESERVED CVE-2020-8969 RESERVED CVE-2020-8968 RESERVED CVE-2020-8967 (There is an improper Neutralization of Special Elements used in an SQL ...) NOT-FOR-US: GESIO CVE-2020-8966 (There is an Improper Neutralization of Script-Related HTML Tags in a W ...) NOT-FOR-US: Tiki-Wiki Groupware CVE-2020-8965 RESERVED CVE-2020-8964 (TimeTools SC7105 1.0.007, SC9205 1.0.007, SC9705 1.0.007, SR7110 1.0.0 ...) NOT-FOR-US: TimeTools devices CVE-2020-8963 (TimeTools SC7105 1.0.007, SC9205 1.0.007, SC9705 1.0.007, SR7110 1.0.0 ...) NOT-FOR-US: TimeTools devices CVE-2020-8962 (A stack-based buffer overflow was found on the D-Link DIR-842 REVC wit ...) NOT-FOR-US: D-Link CVE-2020-8961 (An issue was discovered in Avira Free-Antivirus before 15.0.2004.1825. ...) NOT-FOR-US: Avira CVE-2020-8960 (Western Digital mycloud.com before Web Version 2.2.0-134 allows XSS. ...) NOT-FOR-US: Western Digital mycloud.com CVE-2020-8959 (Western Digital WesternDigitalSSDDashboardSetup.exe before 3.0.2.0 all ...) NOT-FOR-US: Western Digital CVE-2020-8958 RESERVED CVE-2020-8957 RESERVED CVE-2020-8956 RESERVED CVE-2020-8955 (irc_mode_channel_update in plugins/irc/irc-mode.c in WeeChat through 2 ...) {DLA-2157-1} - weechat 2.7.1-1 (bug #951289) [buster] - weechat (Minor issue) [stretch] - weechat (Minor issue) NOTE: https://github.com/weechat/weechat/commit/6f4f147d8e86adf9ad34a8ffd7e7f1f23a7e74da CVE-2020-8954 (OpenSearch Web browser 1.0.4.9 allows Intent Scheme Hijacking.[a link ...) NOT-FOR-US: OpenSearch Web browser CVE-2020-8953 (OpenVPN Access Server 2.8.x before 2.8.1 allows LDAP authentication by ...) NOT-FOR-US: OpenVPN Access Server CVE-2020-8952 (Fiserv Accurate Reconciliation 2.19.0 allows XSS via the logout.jsp ti ...) NOT-FOR-US: Fiserv Accurate Reconciliation CVE-2020-8951 (Fiserv Accurate Reconciliation 2.19.0 allows XSS via the Source or Des ...) NOT-FOR-US: Fiserv Accurate Reconciliation CVE-2020-8950 (The AUEPLauncher service in Radeon AMD User Experience Program Launche ...) NOT-FOR-US: Radeon AMD User Experience Program Launcher CVE-2020-8949 (Gocloud S2A_WL 4.2.7.16471, S2A 4.2.7.17278, S2A 4.3.0.15815, S2A 4.3. ...) NOT-FOR-US: Gocloud devices CVE-2020-8948 (The Sierra Wireless Windows Mobile Broadband Driver Packages (MBDP) be ...) NOT-FOR-US: Sierra Wireless Windows Mobile Broadband Driver Packages (MBDP) CVE-2020-8947 (functions_netflow.php in Artica Pandora FMS 7.0 allows remote attacker ...) NOT-FOR-US: Pandora FMS CVE-2020-8946 (Netis WF2471 v1.2.30142 devices allow an authenticated attacker to exe ...) NOT-FOR-US: Netis devices CVE-2020-8945 (The proglottis Go wrapper before 0.1.1 for the GPGME library has a use ...) - golang-github-proglottis-gpgme 0.1.1-1 (bug #951372) [buster] - golang-github-proglottis-gpgme (Minor issue) NOTE: https://github.com/proglottis/gpgme/pull/23 CVE-2020-8944 RESERVED CVE-2020-8943 RESERVED CVE-2020-8942 RESERVED CVE-2020-8941 RESERVED CVE-2020-8940 RESERVED CVE-2020-8939 RESERVED CVE-2020-8938 RESERVED CVE-2020-8937 RESERVED CVE-2020-8936 RESERVED CVE-2020-8935 RESERVED CVE-2020-8934 RESERVED CVE-2020-8933 (A vulnerability in Google Cloud Platform's guest-oslogin versions betw ...) - google-compute-image-packages NOTE: https://cloud.google.com/compute/docs/security-bulletins#2020619 NOTE: https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29 CVE-2020-8932 RESERVED CVE-2020-8931 RESERVED CVE-2020-8930 RESERVED CVE-2020-8929 RESERVED CVE-2020-8928 RESERVED CVE-2020-8927 RESERVED CVE-2020-8926 RESERVED CVE-2020-8925 RESERVED CVE-2020-8924 RESERVED CVE-2020-8923 (An improper HTML sanitization in Dart versions up to and including 2.7 ...) NOT-FOR-US: Dart (different from src:dart) CVE-2020-8922 RESERVED CVE-2020-8921 RESERVED CVE-2020-8920 RESERVED CVE-2020-8919 RESERVED CVE-2020-8918 RESERVED CVE-2020-8917 RESERVED CVE-2020-8916 (A memory leak in Openthread's wpantund versions up to commit 0e5d1601f ...) TODO: check CVE-2020-8915 RESERVED CVE-2020-8914 RESERVED CVE-2020-8913 RESERVED CVE-2020-8912 RESERVED CVE-2020-8911 RESERVED CVE-2020-8910 (A URL parsing issue in goog.uri of the Google Closure Library versions ...) - chromium [stretch] - chromium (see DSA 4562) NOTE: https://github.com/google/closure-library/commit/294fc00b01d248419d8f8de37580adf2a0024fc9 CVE-2020-8909 RESERVED CVE-2020-8908 RESERVED CVE-2020-8907 (A vulnerability in Google Cloud Platform's guest-oslogin versions betw ...) - google-compute-image-packages NOTE: https://cloud.google.com/compute/docs/security-bulletins#2020619 NOTE: https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29 CVE-2020-8906 RESERVED CVE-2020-8905 RESERVED CVE-2020-8904 RESERVED CVE-2020-8903 (A vulnerability in Google Cloud Platform's guest-oslogin versions betw ...) - google-compute-image-packages NOTE: https://cloud.google.com/compute/docs/security-bulletins#2020619 NOTE: https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29 CVE-2020-8902 RESERVED CVE-2020-8901 RESERVED CVE-2020-8900 RESERVED CVE-2020-8899 (There is a buffer overwrite vulnerability in the Quram qmg library of ...) NOT-FOR-US: Samsung CVE-2020-8898 RESERVED CVE-2020-8897 RESERVED CVE-2020-8896 (A Buffer Overflow vulnerability in the khcrypt implementation in Googl ...) NOT-FOR-US: Google Earth Pro CVE-2020-8895 (Untrusted Search Path vulnerability in the windows installer of Google ...) NOT-FOR-US: windows installer of Google Earth Pro CVE-2020-8894 (An issue was discovered in MISP before 2.4.121. ACLs for discussion th ...) NOT-FOR-US: MISP CVE-2020-8893 (An issue was discovered in MISP before 2.4.121. The Galaxy view contai ...) NOT-FOR-US: MISP CVE-2020-8892 (An issue was discovered in MISP before 2.4.121. It did not consider th ...) NOT-FOR-US: MISP CVE-2020-8891 (An issue was discovered in MISP before 2.4.121. It did not canonicaliz ...) NOT-FOR-US: MISP CVE-2020-8890 (An issue was discovered in MISP before 2.4.121. It mishandled time ske ...) NOT-FOR-US: MISP CVE-2020-8889 RESERVED CVE-2020-8888 RESERVED CVE-2020-8887 RESERVED CVE-2020-8886 RESERVED CVE-2020-8885 RESERVED CVE-2019-20453 (A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise be ...) - ajaxplorer (bug #668381) CVE-2019-20452 (A problem was found in Pydio Core before 8.2.4 and Pydio Enterprise be ...) - ajaxplorer (bug #668381) CVE-2012-6721 (Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) ...) NOT-FOR-US: SocialEngine CVE-2012-6720 (Multiple cross-site scripting (XSS) vulnerabilities in SocialEngine be ...) NOT-FOR-US: SocialEngine CVE-2020-8884 RESERVED CVE-2020-8883 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Studio Photo CVE-2020-8882 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Studio Photo CVE-2020-8881 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Studio Photo CVE-2020-8880 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Studio Photo CVE-2020-8879 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Studio Photo CVE-2020-8878 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Studio Photo CVE-2020-8877 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Studio Photo CVE-2020-8876 (This vulnerability allows local attackers to disclose information on a ...) NOT-FOR-US: Parallels CVE-2020-8875 (This vulnerability allows local attackers to escalate privileges on af ...) NOT-FOR-US: Parallels CVE-2020-8874 (This vulnerability allows local attackers to escalate privileges on af ...) NOT-FOR-US: Parallels CVE-2020-8873 (This vulnerability allows local attackers to escalate privileges on af ...) NOT-FOR-US: Parallels CVE-2020-8872 (This vulnerability allows local attackers to disclose sensitive inform ...) NOT-FOR-US: Parallels CVE-2020-8871 (This vulnerability allows local attackers to escalate privileges on af ...) NOT-FOR-US: Parallels CVE-2020-8870 RESERVED CVE-2020-8869 RESERVED CVE-2020-8868 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest Foglight Evolve CVE-2020-8867 (This vulnerability allows remote attackers to create a denial-of-servi ...) NOT-FOR-US: OPC Foundation UA .NET Standard CVE-2020-8866 (This vulnerability allows remote attackers to create arbitrary files o ...) {DLA-2162-1} - php-horde-form 2.0.20-1 (bug #955020) [buster] - php-horde-form 2.0.18-3.1+deb10u1 [stretch] - php-horde-form (Minor issue) NOTE: https://lists.horde.org/archives/announce/2020/001288.html NOTE: https://www.zerodayinitiative.com/advisories/ZDI-20-275/ NOTE: https://github.com/horde/Form/commit/813f8e7e9479fad4546b89c569325ee9eef60b0f CVE-2020-8865 (This vulnerability allows remote attackers to execute local PHP files ...) {DLA-2175-1} - php-horde-trean 1.1.10-1 (bug #955019) [buster] - php-horde-trean 1.1.9-3+deb10u1 [stretch] - php-horde-trean (Minor issue) NOTE: https://lists.horde.org/archives/announce/2020/001286.html NOTE: https://www.zerodayinitiative.com/advisories/ZDI-20-276/ NOTE: https://github.com/horde/trean/commit/db0714a0c04d87bda9e2852f1b0d259fc281ca75 NOTE: https://github.com/horde/trean/commit/055029f551501803d7e293a48316e2cf31307908 CVE-2020-8864 (This vulnerability allows network-adjacent attackers to bypass authent ...) NOT-FOR-US: D-Link CVE-2020-8863 (This vulnerability allows network-adjacent attackers to bypass authent ...) NOT-FOR-US: D-Link CVE-2020-8862 (This vulnerability allows network-adjacent attackers to bypass authent ...) NOT-FOR-US: D-Link CVE-2020-8861 (This vulnerability allows network-adjacent attackers to bypass authent ...) NOT-FOR-US: D-Link CVE-2020-8860 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Samsung Galaxy S10 Firmware CVE-2020-8859 (This vulnerability allows remote attackers to create a denial-of-servi ...) NOT-FOR-US: elog CVE-2020-8858 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Moxa CVE-2020-8857 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2020-8856 (This vulnerability allows remote atackers to execute arbitrary code on ...) NOT-FOR-US: Foxit PhantomPDF CVE-2020-8855 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2020-8854 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2020-8853 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2020-8852 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2020-8851 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2020-8850 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2020-8849 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2020-8848 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2020-8847 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2020-8846 (This vulnerability allows remote atackers to execute arbitrary code on ...) NOT-FOR-US: Foxit PhantomPDF CVE-2020-8845 (This vulnerability allows remote atackers to execute arbitrary code on ...) NOT-FOR-US: Foxit PhantomPDF CVE-2020-8844 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2020-8843 (An issue was discovered in Istio 1.3 through 1.3.6. Under certain circ ...) NOT-FOR-US: itsio CVE-2020-8842 (Unquoted search path vulnerability in MSI True Color before 3.0.52.0 a ...) NOT-FOR-US: MSI True Color CVE-2020-8841 (An issue was discovered in TestLink 1.9.19. The relation_type paramete ...) NOT-FOR-US: TestLink CVE-2020-8840 (FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean- ...) {DLA-2111-1} - jackson-databind [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2620 NOTE: https://github.com/FasterXML/jackson-databind/commit/914e7c9f2cb8ce66724bf26a72adc7e958992497 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. CVE-2020-8839 (Stored XSS was discovered on CHIYU BF-430 232/485 TCP/IP Converter dev ...) NOT-FOR-US: CHIYU BF-430 232/485 TCP/IP Converter devices CVE-2015-9542 (add_password in pam_radius_auth.c in pam_radius 1.4.0 does not correct ...) {DLA-2116-1} - libpam-radius-auth 1.4.0-3 (bug #951396) NOTE: https://github.com/FreeRADIUS/pam_radius/commit/01173ec NOTE: https://github.com/FreeRADIUS/pam_radius/commit/6bae92d NOTE: https://github.com/FreeRADIUS/pam_radius/commit/ac2c1677 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1686980 CVE-2020-8838 (An issue was discovered in Zoho ManageEngine AssetExplorer 6.5. During ...) NOT-FOR-US: Zoho ManageEngine CVE-2020-8837 RESERVED CVE-2020-8836 RESERVED CVE-2020-8835 (In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/veri ...) - linux 5.5.13-2 [buster] - linux (Vulnerable code introduced later) [stretch] - linux (Vulnerable code introduced later) [jessie] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/f2d67fec0b43edce8c416101cdc52e71145b5fef NOTE: https://www.zerodayinitiative.com/advisories/ZDI-20-350/ CVE-2020-8834 (KVM in the Linux kernel on Power8 processors has a conflicting use of ...) - linux 4.18.6-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2020/04/06/2 CVE-2020-8833 (Time-of-check Time-of-use Race Condition vulnerability on crash report ...) NOT-FOR-US: Apport CVE-2020-8832 (The fix for the Linux kernel in Ubuntu 18.04 LTS for CVE-2019-14615 (" ...) - linux 4.16.5-1 [stretch] - linux (Vulnerable code not present, incomplete fix not applied) [jessie] - linux (No support for this hardware) NOTE: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1862840 NOTE: The CVE is for an incomplete fix for CVE-2019-14615 which technically only NOTE: affects upstream versions (and downstreams) which applied the fix fo NOTE: CVE-2019-14615 which is bc8a76a152c5 ("drm/i915/gen9: Clear residual context NOTE: state on context switch"). But there is need to apply as well the prerequistite NOTE: d2b4b97933f5 ("drm/i915: Record the default hw state after reset upon load"). CVE-2020-8831 (Apport creates a world writable lock file with root ownership in the w ...) NOT-FOR-US: Apport CVE-2019-20451 (The HTTP API in Prismview System 9 11.10.17.00 and Prismview Player 11 ...) NOT-FOR-US: Prismview CVE-2017-18642 (Syska Smart Bulb devices through 2017-08-06 receive RGB parameters ove ...) NOT-FOR-US: Syska Smart Bulb devices CVE-2020-8830 (CSRF in login.asp on Ruckus devices allows an attacker to access the p ...) NOT-FOR-US: Ruckus CVE-2020-8829 (CSRF on Intelbras CIP 92200 devices allows an attacker to access the p ...) NOT-FOR-US: Intelbras CVE-2020-8828 (As of v1.5.0, the default admin password is set to the argocd-server p ...) NOT-FOR-US: Argo CVE-2020-8827 (As of v1.5.0, the Argo API does not implement anti-automation measures ...) NOT-FOR-US: Argo CVE-2020-8826 (As of v1.5.0, the Argo web interface authentication system issued immu ...) NOT-FOR-US: Argo CVE-2020-8825 (index.php?p=/dashboard/settings/branding in Vanilla 2.6.3 allows store ...) NOT-FOR-US: Vanilla Forums CVE-2020-8824 (Hitron CODA-4582U 7.1.1.30 devices allow XSS via a Managed Device name ...) NOT-FOR-US: Hitron devices CVE-2020-8823 (htmlfile in lib/transport/htmlfile.js in SockJS before 3.0 is vulnerab ...) NOT-FOR-US: SockJS CVE-2020-8822 (Digi TransPort WR21 5.2.2.3, WR44 5.1.6.4, and WR44v2 5.1.6.9 devices ...) NOT-FOR-US: Digi TransPort CVE-2020-8821 RESERVED CVE-2020-8820 RESERVED CVE-2020-8819 (An issue was discovered in the CardGate Payments plugin through 3.1.15 ...) NOT-FOR-US: CardGate Payments plugin for WooCommerce CVE-2020-8818 (An issue was discovered in the CardGate Payments plugin through 2.0.30 ...) NOT-FOR-US: CardGate Payments plugin for Magento CVE-2020-8817 RESERVED CVE-2020-8816 (Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by priv ...) NOT-FOR-US: Pi-hole CVE-2020-8815 (Improper connection handling in the base connection handler in IKTeam ...) NOT-FOR-US: BearFTP CVE-2020-8814 RESERVED CVE-2018-21034 (In Argo versions prior to v1.5.0-rc1, it was possible for authenticate ...) NOT-FOR-US: Argo CVE-2017-18641 (In LXC 2.0, many template scripts download code over cleartext HTTP, a ...) - lxc-templates - lxc 1:3.0.3-1 (low) [stretch] - lxc (Minor issue) [jessie] - lxc (https://lists.debian.org/debian-lts/2020/02/msg00102.html) NOTE: LXC 3.0.2 split the templates out to separate lxc-templates. NOTE: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1661447 NOTE: Some of the templates were switched to fetch the pacakges over HTTPS, cf. NOTE: https://github.com/lxc/lxc/pull/1371 for the lxc-fedora template. CVE-2020-8813 (graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute a ...) - cacti 1.2.10+ds1-1 (bug #951832) [stretch] - cacti (Vulnerable code not present) [jessie] - cacti (Vulnerable code not present) NOTE: https://gist.github.com/mhaskar/ebe6b74c32fd0f7e1eedf1aabfd44129 NOTE: https://shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/ NOTE: https://github.com/Cacti/cacti/issues/3285 NOTE: https://github.com/Cacti/cacti/commit/fea919e8fe05bb730c802054661fd3a7ec029784 CVE-2020-8812 (** DISPUTED ** Bludit 3.10.0 allows Editor or Author roles to insert m ...) NOT-FOR-US: Bludit CVE-2020-8811 (ajax/profile-picture-upload.php in Bludit 3.10.0 allows authenticated ...) NOT-FOR-US: Bludit CVE-2020-8810 (An issue was discovered in Gurux GXDLMS Director through 8.5.1905.1301 ...) NOT-FOR-US: Gurux CVE-2020-8809 (Gurux GXDLMS Director prior to 8.5.1905.1301 downloads updates to add- ...) NOT-FOR-US: Gurux CVE-2020-8808 (The CorsairLLAccess64.sys and CorsairLLAccess32.sys drivers in CORSAIR ...) NOT-FOR-US: CORSAIR iCUE CVE-2020-8807 RESERVED CVE-2020-8806 RESERVED CVE-2020-8805 RESERVED CVE-2020-8804 (SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the Em ...) NOT-FOR-US: SuiteCRM CVE-2020-8803 (SuiteCRM through 7.11.11 allows Directory Traversal to include arbitra ...) NOT-FOR-US: SuiteCRM CVE-2020-8802 (SuiteCRM through 7.11.11 has Incorrect Access Control via action_saveH ...) NOT-FOR-US: SuiteCRM CVE-2020-8801 (SuiteCRM through 7.11.11 allows PHAR Deserialization. ...) NOT-FOR-US: SuiteCRM CVE-2020-8800 (SuiteCRM through 7.11.11 allows EmailsControllerActionGetFromFields PH ...) NOT-FOR-US: SuiteCRM CVE-2020-8799 (A Stored XSS vulnerability has been found in the administration page o ...) NOT-FOR-US: administration page of the WTI Like Post plugin for WordPress CVE-2020-8798 (httpd in Juplink RX4-1500 v1.0.3-v1.0.5 allows remote attackers to cha ...) NOT-FOR-US: Juplink CVE-2020-8797 (Juplink RX4-1500 v1.0.3 allows remote attackers to gain root access to ...) NOT-FOR-US: Juplink CVE-2020-8796 (Biscom Secure File Transfer (SFT) before 5.1.1071 and 6.0.1xxx before ...) NOT-FOR-US: Biscom Secure File Transfer (SFT) CVE-2020-8795 (In GitLab Enterprise Edition (EE) 12.5.0 through 12.7.5, sharing a gro ...) - gitlab (Only affects EE version) NOTE: https://about.gitlab.com/releases/2020/02/13/critical-security-release-gitlab-12-dot-7-dot-6-released/ CVE-2020-8794 (OpenSMTPD before 6.6.4 allows remote code execution because of an out- ...) {DSA-4634-1} - opensmtpd 6.6.4p1-1 (bug #952453) NOTE: https://www.openwall.com/lists/oss-security/2020/02/24/5 NOTE: https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/ NOTE: https://www.openwall.com/lists/oss-security/2020/02/26/1 CVE-2020-8793 (OpenSMTPD before 6.6.4 allows local users to read arbitrary files (e.g ...) - opensmtpd 6.6.4p1-1 (unimportant; bug #952453) [buster] - opensmtpd 6.0.3p1-5+deb10u4 [stretch] - opensmtpd 6.0.2p1-2+deb9u3 NOTE: https://www.openwall.com/lists/oss-security/2020/02/24/4 NOTE: https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/021_smtpd_envelope.patch.sig NOTE: https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/ NOTE: Neutralised by kernel hardening CVE-2020-8792 (The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlo ...) NOT-FOR-US: OKLOK CVE-2020-8791 (The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlo ...) NOT-FOR-US: OKLOK CVE-2020-8790 (The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlo ...) NOT-FOR-US: OKLOK CVE-2020-8789 (Composr 10.0.30 allows Persistent XSS via a Usergroup name under the S ...) NOT-FOR-US: Composr CVE-2020-8788 (Synaptive Medical ClearCanvas ImageServer 3.0 Alpha allows XSS (and HT ...) NOT-FOR-US: Synaptive Medical ClearCanvas ImageServer CVE-2020-8787 (SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to ...) NOT-FOR-US: SuiteCRM CVE-2020-8786 (SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to ...) NOT-FOR-US: SuiteCRM CVE-2020-8785 (SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to ...) NOT-FOR-US: SuiteCRM CVE-2020-8784 (SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to ...) NOT-FOR-US: SuiteCRM CVE-2020-8783 (SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to ...) NOT-FOR-US: SuiteCRM CVE-2019-20450 RESERVED CVE-2019-20449 RESERVED CVE-2019-20448 RESERVED CVE-2020-8782 RESERVED CVE-2020-8781 RESERVED CVE-2020-8780 RESERVED CVE-2020-8779 RESERVED CVE-2020-8778 (Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 ( ...) NOT-FOR-US: Alfresco CVE-2020-8777 (Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 ( ...) NOT-FOR-US: Alfresco CVE-2020-8776 (Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 ( ...) NOT-FOR-US: Alfresco CVE-2020-8775 (Pega Platform before version 8.2.6 is affected by a Stored Cross-Site ...) NOT-FOR-US: Pega Platform CVE-2020-8774 (Pega Platform before version 8.2.6 is affected by a Reflected Cross-Si ...) NOT-FOR-US: Pega Platform CVE-2020-8773 (The Richtext Editor in Pega Platform before 8.2.6 is affected by a Sto ...) NOT-FOR-US: Pega Platform CVE-2020-8772 (The InfiniteWP Client plugin before 1.9.4.5 for WordPress has a missin ...) NOT-FOR-US: InfiniteWP Client plugin for WordPress CVE-2020-8771 (The Time Capsule plugin before 1.21.16 for WordPress has an authentica ...) NOT-FOR-US: Time Capsule plugin for WordPress CVE-2020-8770 RESERVED CVE-2020-8769 RESERVED CVE-2020-8768 (An issue was discovered on Phoenix Contact Emalytics Controller ILC 20 ...) NOT-FOR-US: PHOENIX CONTACT Emalytics Controller ILC 2050 BI(L) CVE-2020-8767 RESERVED CVE-2020-8766 RESERVED CVE-2020-8765 RESERVED CVE-2020-8764 RESERVED CVE-2020-8763 RESERVED CVE-2020-8762 RESERVED CVE-2020-8761 RESERVED CVE-2020-8760 RESERVED CVE-2020-8759 RESERVED CVE-2020-8758 RESERVED CVE-2020-8757 RESERVED CVE-2020-8756 RESERVED CVE-2020-8755 RESERVED CVE-2020-8754 RESERVED CVE-2020-8753 RESERVED CVE-2020-8752 RESERVED CVE-2020-8751 RESERVED CVE-2020-8750 RESERVED CVE-2020-8749 RESERVED CVE-2020-8748 RESERVED CVE-2020-8747 RESERVED CVE-2020-8746 RESERVED CVE-2020-8745 RESERVED CVE-2020-8744 RESERVED CVE-2020-8743 RESERVED CVE-2020-8742 RESERVED CVE-2020-8741 RESERVED CVE-2020-8740 RESERVED CVE-2020-8739 RESERVED CVE-2020-8738 RESERVED CVE-2020-8737 RESERVED CVE-2020-8736 RESERVED CVE-2020-8735 RESERVED CVE-2020-8734 RESERVED CVE-2020-8733 RESERVED CVE-2020-8732 RESERVED CVE-2020-8731 RESERVED CVE-2020-8730 RESERVED CVE-2020-8729 RESERVED CVE-2020-8728 RESERVED CVE-2020-8727 RESERVED CVE-2020-8726 RESERVED CVE-2020-8725 RESERVED CVE-2020-8724 RESERVED CVE-2020-8723 RESERVED CVE-2020-8722 RESERVED CVE-2020-8721 RESERVED CVE-2020-8720 RESERVED CVE-2020-8719 RESERVED CVE-2020-8718 RESERVED CVE-2020-8717 RESERVED CVE-2020-8716 RESERVED CVE-2020-8715 RESERVED CVE-2020-8714 RESERVED CVE-2020-8713 RESERVED CVE-2020-8712 RESERVED CVE-2020-8711 RESERVED CVE-2020-8710 RESERVED CVE-2020-8709 RESERVED CVE-2020-8708 RESERVED CVE-2020-8707 RESERVED CVE-2020-8706 RESERVED CVE-2020-8705 RESERVED CVE-2020-8704 RESERVED CVE-2020-8703 RESERVED CVE-2020-8702 RESERVED CVE-2020-8701 RESERVED CVE-2020-8700 RESERVED CVE-2020-8699 RESERVED CVE-2020-8698 RESERVED CVE-2020-8697 RESERVED CVE-2020-8696 RESERVED CVE-2020-8695 RESERVED CVE-2020-8694 RESERVED CVE-2020-8693 RESERVED CVE-2020-8692 RESERVED CVE-2020-8691 RESERVED CVE-2020-8690 RESERVED CVE-2020-8689 RESERVED CVE-2020-8688 RESERVED CVE-2020-8687 RESERVED CVE-2020-8686 RESERVED CVE-2020-8685 RESERVED CVE-2020-8684 RESERVED CVE-2020-8683 RESERVED CVE-2020-8682 RESERVED CVE-2020-8681 RESERVED CVE-2020-8680 RESERVED CVE-2020-8679 RESERVED CVE-2020-8678 RESERVED CVE-2020-8677 RESERVED CVE-2020-8676 RESERVED CVE-2020-8675 (Insufficient control flow management in firmware build and signing too ...) NOT-FOR-US: Intel CVE-2020-8674 (Out-of-bounds read in DHCPv6 subsystem in Intel(R) AMT and Intel(R)ISM ...) NOT-FOR-US: Intel CVE-2020-8673 RESERVED CVE-2020-8672 RESERVED CVE-2020-8671 RESERVED CVE-2020-8670 RESERVED CVE-2020-8669 RESERVED CVE-2020-8668 RESERVED CVE-2014-10400 (The session.lua library in CGILua 5.0.x uses sequential session IDs, w ...) - lua-cgi (session generation changed in 5.1.x, cf. CVE-2014-10399) NOTE: https://seclists.org/fulldisclosure/2014/Apr/318 CVE-2014-10399 (The session.lua library in CGILua 5.1.x uses the same ID for each sess ...) - lua-cgi (session generation changed in 5.2.x, cf. CVE-2014-2875) NOTE: https://seclists.org/fulldisclosure/2014/Apr/318 CVE-2020-8667 RESERVED CVE-2020-8666 RESERVED CVE-2020-8665 RESERVED CVE-2020-8664 (CNCF Envoy through 1.13.0 has incorrect Access Control when using SDS ...) NOT-FOR-US: envoy proxy (not the same as itp'ed envoy, #758651) CVE-2020-8663 (Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may exhaust file descr ...) NOT-FOR-US: envoy proxy (not the same as itp'ed envoy, #758651) CVE-2020-8662 RESERVED CVE-2020-8661 (CNCF Envoy through 1.13.0 may consume excessive amounts of memory when ...) NOT-FOR-US: envoy proxy (not the same as itp'ed envoy, #758651) CVE-2020-8660 (CNCF Envoy through 1.13.0 TLS inspector bypass. TLS inspector could ha ...) NOT-FOR-US: envoy proxy (not the same as itp'ed envoy, #758651) CVE-2020-8659 (CNCF Envoy through 1.13.0 may consume excessive amounts of memory when ...) NOT-FOR-US: envoy proxy (not the same as itp'ed envoy, #758651) CVE-2020-8658 (The BestWebSoft Htaccess plugin through 1.8.1 for WordPress allows wp- ...) NOT-FOR-US: BestWebSoft Htaccess plugin for WordPress CVE-2020-8657 (An issue was discovered in EyesOfNetwork 5.3. The installation uses th ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2020-8656 (An issue was discovered in EyesOfNetwork 5.3. The EyesOfNetwork API 2. ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2020-8655 (An issue was discovered in EyesOfNetwork 5.3. The sudoers configuratio ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2020-8654 (An issue was discovered in EyesOfNetwork 5.3. An authenticated web use ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2020-8653 RESERVED CVE-2020-8652 RESERVED CVE-2020-8651 RESERVED CVE-2020-8650 RESERVED CVE-2020-8646 RESERVED CVE-2020-8645 (An issue was discovered in Simplejobscript.com SJS through 1.66. There ...) NOT-FOR-US: Simplejobscript.com SJS CVE-2020-8644 (PlaySMS before 1.4.3 does not sanitize inputs from a malicious string. ...) NOT-FOR-US: PlaySMS CVE-2020-8643 RESERVED CVE-2020-8642 RESERVED CVE-2020-8641 (Lotus Core CMS 1.0.1 allows authenticated Local File Inclusion of .php ...) NOT-FOR-US: Lotus Core CMS CVE-2019-20447 (Jobberbase 2.0 has SQL injection via the PATH_INFO to the jobs-in endp ...) NOT-FOR-US: Jobberbase CMS CVE-2020-8649 (There is a use-after-free vulnerability in the Linux kernel through 5. ...) {DSA-4698-1 DLA-2242-1 DLA-2241-1} - linux 5.5.13-1 [buster] - linux 4.19.118-1 NOTE: https://git.kernel.org/linus/513dc792d6060d5ef572e43852683097a8420f56 CVE-2020-8648 (There is a use-after-free vulnerability in the Linux kernel through 5. ...) {DSA-4698-1 DLA-2242-1 DLA-2241-1} - linux 5.5.13-1 [buster] - linux 4.19.118-1 NOTE: https://git.kernel.org/linus/07e6124a1a46b4b5a9b3cacc0c306b50da87abf5 CVE-2020-8647 (There is a use-after-free vulnerability in the Linux kernel through 5. ...) {DSA-4698-1 DLA-2242-1 DLA-2241-1} - linux 5.5.13-1 [buster] - linux 4.19.118-1 NOTE: https://git.kernel.org/linus/513dc792d6060d5ef572e43852683097a8420f56 CVE-2020-8640 RESERVED CVE-2020-8639 (An unrestricted file upload vulnerability in keywordsImport.php in Tes ...) NOT-FOR-US: TestLink CVE-2020-8638 (A SQL injection vulnerability in TestLink 1.9.20 allows attackers to e ...) NOT-FOR-US: TestLink CVE-2020-8637 (A SQL injection vulnerability in TestLink 1.9.20 allows attackers to e ...) NOT-FOR-US: TestLink CVE-2020-8636 (An issue was discovered in OpServices OpMon 9.3.2 that allows Remote C ...) NOT-FOR-US: OpServices OpMon CVE-2020-8635 (Wing FTP Server v6.2.3 for Linux, macOS, and Solaris sets insecure per ...) NOT-FOR-US: Wing FTP Server CVE-2020-8634 (Wing FTP Server v6.2.3 for Linux, macOS, and Solaris sets insecure per ...) NOT-FOR-US: Wing FTP Server CVE-2020-8633 (An issue was discovered in Zimbra Collaboration Suite (ZCS) before 8.8 ...) NOT-FOR-US: Zimbra Collaboration Suite (ZCS) CVE-2020-8632 (In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_ ...) {DLA-2113-1} - cloud-init 19.4-2 (bug #951363) [buster] - cloud-init (Minor issue) [stretch] - cloud-init (Minor issue) NOTE: https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1860795 NOTE: https://github.com/canonical/cloud-init/pull/189 NOTE: https://github.com/canonical/cloud-init/commit/42788bf24a1a0a5421a2d00a7f59b59e38ba1a14 CVE-2020-8631 (cloud-init through 19.4 relies on Mersenne Twister for a random passwo ...) {DLA-2113-1} - cloud-init 19.4-2 (bug #951362) [buster] - cloud-init (Minor issue) [stretch] - cloud-init (Minor issue) NOTE: https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1860795 NOTE: https://github.com/canonical/cloud-init/pull/204 CVE-2020-8630 RESERVED CVE-2020-8629 RESERVED CVE-2020-8628 RESERVED CVE-2020-8627 RESERVED CVE-2020-8626 RESERVED CVE-2020-8625 RESERVED CVE-2020-8624 RESERVED CVE-2020-8623 RESERVED CVE-2020-8622 RESERVED CVE-2020-8621 RESERVED CVE-2020-8620 RESERVED CVE-2020-8619 (In ISC BIND9 versions BIND 9.11.14 -> 9.11.19, BIND 9.14.9 -> 9. ...) - bind9 1:9.16.4-1 [buster] - bind9 (Vulnerable code introduced later) [stretch] - bind9 (Vulnerable code introduced later) [jessie] - bind9 (Vulnerable code introduced later) NOTE: https://kb.isc.org/docs/cve-2020-8619 NOTE: https://gitlab.isc.org/isc-projects/bind9/-/issues/1718 CVE-2020-8618 (An attacker who is permitted to send zone data to a server via zone tr ...) - bind9 1:9.16.4-1 [buster] - bind9 (Vulnerable code introduced later) [stretch] - bind9 (Vulnerable code introduced later) [jessie] - bind9 (Vulnerable code introduced later) NOTE: https://kb.isc.org/docs/cve-2020-8618 NOTE: https://gitlab.isc.org/isc-projects/bind9/-/issues/1850 CVE-2020-8617 (Using a specially-crafted message, an attacker may potentially cause a ...) {DSA-4689-1 DLA-2227-1} - bind9 1:9.16.3-1 (bug #961939) NOTE: https://kb.isc.org/docs/cve-2020-8617 NOTE: https://kb.isc.org/docs/cve-2020-8617-faq-and-supplemental-information CVE-2020-8616 (A malicious actor who intentionally exploits this lack of effective li ...) {DSA-4689-1 DLA-2227-1} - bind9 1:9.16.3-1 (bug #961939) NOTE: https://kb.isc.org/docs/cve-2020-8616 CVE-2020-8615 (A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPres ...) NOT-FOR-US: Tutor LMS plugin for WordPress CVE-2020-8614 (An issue was discovered on Askey AP4000W TDC_V1.01.003 devices. An att ...) NOT-FOR-US: Askey devices CVE-2020-8613 RESERVED CVE-2020-8612 (In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2 ...) NOT-FOR-US: Progress MOVEit Transfer CVE-2020-8611 (In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2 ...) NOT-FOR-US: Progress MOVEit Transfer CVE-2020-8610 RESERVED CVE-2020-8609 RESERVED CVE-2020-8608 (In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf ...) {DLA-2144-1 DLA-2142-1} - libslirp 4.2.0-1 - qemu 1:4.1-2 [buster] - qemu (Minor issue) [stretch] - qemu (Minor issue) - qemu-kvm - slirp - slirp4netns 1.0.1-1 [buster] - slirp4netns (Minor issue) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/commit/68ccb8021a838066f0951d4b2817eb6b6f10a843 NOTE: https://gitlab.freedesktop.org/slirp/libslirp/commit/30648c03b27fb8d9611b723184216cd3174b6775 NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed. NOTE: slirp4netns 1.0.1-1 switched to system libslirp, marking that version as fixed. CVE-2020-8607 RESERVED CVE-2020-8606 (A vulnerability in Trend Micro InterScan Web Security Virtual Applianc ...) NOT-FOR-US: Trend Micro CVE-2020-8605 (A vulnerability in Trend Micro InterScan Web Security Virtual Applianc ...) NOT-FOR-US: Trend Micro CVE-2020-8604 (A vulnerability in Trend Micro InterScan Web Security Virtual Applianc ...) NOT-FOR-US: Trend Micro CVE-2020-8603 (A cross-site scripting vulnerability (XSS) in Trend Micro InterScan We ...) NOT-FOR-US: Trend Micro CVE-2020-8602 RESERVED CVE-2020-8601 (Trend Micro Vulnerability Protection 2.0 is affected by a vulnerabilit ...) NOT-FOR-US: Trend Micro CVE-2020-8600 (Trend Micro Worry-Free Business Security (9.0, 9.5, 10.0) is affected ...) NOT-FOR-US: Trend Micro CVE-2020-8599 (Trend Micro Apex One (2019) and OfficeScan XG server contain a vulnera ...) NOT-FOR-US: Trend Micro CVE-2020-8598 (Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Sec ...) NOT-FOR-US: Trend Micro CVE-2020-8597 (eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overf ...) {DSA-4632-1 DLA-2097-1} - lwip 2.1.2+dfsg1-5 (bug #951291) [buster] - lwip 2.0.3-3+deb10u1 [experimental] - ppp 2.4.8-1+1~exp1 - ppp (bug #950618) NOTE: http://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=2ee3cbe69c6d2805e64e7cac2a1c1706e49ffd86 NOTE: https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426 CVE-2020-8596 (participants-database.php in the Participants Database plugin 1.9.5.5 ...) NOT-FOR-US: Participants Database plugin for WordPress CVE-2020-8595 (Istio versions 1.2.10 (End of Life) and prior, 1.3 through 1.3.7, and ...) NOT-FOR-US: itsio CVE-2020-8594 (The Ninja Forms plugin 3.4.22 for WordPress has Multiple Stored XSS vu ...) NOT-FOR-US: Ninja Forms plugin for WordPress CVE-2020-8593 RESERVED CVE-2020-8592 (eG Manager 7.1.2 allows SQL Injection via the user parameter to com.eg ...) NOT-FOR-US: eG Manager CVE-2020-8591 (eG Manager 7.1.2 allows authentication bypass via a com.egurkha.EgLogi ...) NOT-FOR-US: eG Manager CVE-2020-8590 RESERVED CVE-2020-8589 RESERVED CVE-2020-8588 RESERVED CVE-2020-8587 RESERVED CVE-2020-8586 RESERVED CVE-2020-8585 RESERVED CVE-2020-8584 RESERVED CVE-2020-8583 RESERVED CVE-2020-8582 RESERVED CVE-2020-8581 RESERVED CVE-2020-8580 RESERVED CVE-2020-8579 RESERVED CVE-2020-8578 RESERVED CVE-2020-8577 RESERVED CVE-2020-8576 RESERVED CVE-2020-8575 RESERVED CVE-2020-8574 RESERVED CVE-2020-8573 (The NetApp HCI H610S Baseboard Management Controller (BMC) is shipped ...) NOT-FOR-US: NetApp CVE-2020-8572 (Element OS prior to version 12.0 and Element HealthTools prior to vers ...) NOT-FOR-US: Element OS CVE-2020-8571 (StorageGRID (formerly StorageGRID Webscale) versions 10.0.0 through 11 ...) NOT-FOR-US: StorageGRID CVE-2020-8570 RESERVED CVE-2020-8569 RESERVED CVE-2020-8568 RESERVED CVE-2020-8567 RESERVED CVE-2020-8566 RESERVED CVE-2020-8565 RESERVED CVE-2020-8564 RESERVED CVE-2020-8563 RESERVED CVE-2020-8562 RESERVED CVE-2020-8561 RESERVED CVE-2020-8560 RESERVED CVE-2020-8559 RESERVED CVE-2020-8558 RESERVED CVE-2020-8557 RESERVED CVE-2020-8556 RESERVED CVE-2020-8555 (The Kubernetes kube-controller-manager in versions v1.0-1.14, versions ...) - kubernetes 1.18.2-1 NOTE: https://github.com/kubernetes/kubernetes/issues/91542 CVE-2020-8554 RESERVED CVE-2020-8553 RESERVED CVE-2020-8552 (The Kubernetes API server component in versions prior to 1.15.9, 1.16. ...) - kubernetes 1.17.4-1 NOTE: https://github.com/kubernetes/kubernetes/issues/89378 CVE-2020-8551 (The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1. ...) - kubernetes 1.17.4-1 NOTE: https://github.com/kubernetes/kubernetes/issues/89377 CVE-2020-8550 RESERVED CVE-2020-8549 (Stored XSS in the Strong Testimonials plugin before 2.40.1 for WordPre ...) NOT-FOR-US: Strong Testimonials plugin for WordPress CVE-2020-8548 (massCode 1.0.0-alpha.6 allows XSS via crafted Markdown text, with resu ...) NOT-FOR-US: massCode CVE-2020-8547 (phpList 3.5.0 allows type juggling for admin login bypass because == i ...) - phplist (bug #612288) CVE-2020-8546 RESERVED CVE-2020-8545 (Global.py in AIL framework 2.8 allows path traversal. ...) NOT-FOR-US: AIL framework CVE-2020-8544 (OX App Suite through 7.10.3 allows SSRF. ...) NOT-FOR-US: OX App Suite CVE-2020-8543 (OX App Suite through 7.10.3 has Improper Input Validation. ...) NOT-FOR-US: OX App Suite CVE-2020-8542 (OX App Suite through 7.10.3 allows XSS. ...) NOT-FOR-US: OX App Suite CVE-2020-8541 (OX App Suite through 7.10.3 allows XXE attacks. ...) NOT-FOR-US: OX App Suite CVE-2020-8540 (An XML external entity (XXE) vulnerability in Zoho ManageEngine Deskto ...) NOT-FOR-US: Zoho ManageEngine Desktop Central CVE-2020-8539 RESERVED CVE-2020-8538 RESERVED CVE-2020-8537 RESERVED CVE-2020-8536 RESERVED CVE-2020-8535 RESERVED CVE-2020-8534 RESERVED CVE-2020-8533 RESERVED CVE-2020-8532 RESERVED CVE-2020-8531 RESERVED CVE-2020-8530 RESERVED CVE-2020-8529 RESERVED CVE-2020-8528 RESERVED CVE-2020-8527 RESERVED CVE-2020-8526 RESERVED CVE-2020-8525 RESERVED CVE-2020-8524 RESERVED CVE-2020-8523 RESERVED CVE-2020-8522 RESERVED CVE-2020-8521 (SQL injection with start and length parameters in Records.php for phpz ...) NOT-FOR-US: phpzag CVE-2020-8520 (SQL injection in order and column parameters in Records.php for phpzag ...) NOT-FOR-US: phpzag CVE-2020-8519 (SQL injection with the search parameter in Records.php for phpzag live ...) NOT-FOR-US: phpzag CVE-2020-8518 (Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary P ...) {DLA-2174-1} - php-horde-data (bug #951537) [buster] - php-horde-data 2.1.4-5+deb10u1 [stretch] - php-horde-data (Minor issue) NOTE: https://lists.horde.org/archives/announce/2020/001285.html NOTE: https://github.com/horde/Data/commit/78ad0c2390176cdde7260a271bc6ddd86f4c9c0e CVE-2020-8517 (An issue was discovered in Squid before 4.10. Due to incorrect input v ...) - squid 4.10-1 (unimportant) - squid3 (unimportant) NOTE: http://www.squid-cache.org/Advisories/SQUID-2020_3.txt NOTE: Squid 3.5: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-c62d2b43ad4962ea44aa0c5edb4cc99cb83a413d.patch NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-6982f1187a26557e582172965e266f544ea562a5.patch NOTE: Debian binary packages are not build with --enable-external-acl-helpers="[...]LM_group[...". CVE-2020-8516 (** DISPUTED ** The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0 ...) - tor (unimportant) NOTE: Not considered a bug / explicit design choice by upstream NOTE: https://lists.torproject.org/pipermail/tor-dev/2020-February/014147.html NOTE: https://trac.torproject.org/projects/tor/ticket/33129 NOTE: http://www.hackerfactor.com/blog/index.php?/archives/868-Deanonymizing-Tor-Circuits.html CVE-2019-20446 (In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nest ...) - librsvg 2.46.4-1 [jessie] - librsvg (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/librsvg/issues/515 NOTE: https://gitlab.gnome.org/GNOME/librsvg/commit/572f95f739529b865e2717664d6fefcef9493135 CVE-2020-8515 (DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3. ...) NOT-FOR-US: DrayTek devices CVE-2020-8514 (An issue was discovered in Rumpus 8.2.10 on macOS. By crafting a direc ...) NOT-FOR-US: Rumpus on macOS CVE-2020-8513 RESERVED CVE-2020-8512 (In IceWarp Webmail Server through 11.4.4.1, there is XSS in the /webma ...) NOT-FOR-US: IceWarp Webmail Server CVE-2020-8511 (In Artica Pandora FMS through 7.42, Web Admin users can execute arbitr ...) NOT-FOR-US: Artica Pandora FMS CVE-2020-8510 (An issue was discovered in phpABook 0.9 Intermediate. On the login pag ...) NOT-FOR-US: phpABook CVE-2020-8509 (Zoho ManageEngine Desktop Central before 10.0.483 allows unauthenticat ...) NOT-FOR-US: Zoho ManageEngine Desktop Central CVE-2020-8508 (nsak64.sys in Norman Malware Cleaner 2.08.08 allows users to call arbi ...) NOT-FOR-US: Norman Malware Cleaner CVE-2020-8507 (The Citytv Video application 4.08.0 for Android and 3.35 for iOS sends ...) NOT-FOR-US: Citytv Video application for Android and iOS CVE-2020-8506 (The Global TV application 2.3.2 for Android and 4.7.5 for iOS sends Un ...) NOT-FOR-US: Global TV application for Android and iOS CVE-2020-8505 (School Management Software PHP/mySQL through 2019-03-14 allows office_ ...) NOT-FOR-US: School Management Software PHP/mySQL CVE-2020-8504 (School Management Software PHP/mySQL through 2019-03-14 allows office_ ...) NOT-FOR-US: School Management Software PHP/mySQL CVE-2020-8503 (Biscom Secure File Transfer (SFT) 5.0.1050 through 5.1.1067 and 6.0.10 ...) NOT-FOR-US: Biscom Secure File Transfer (SFT) CVE-2020-8502 RESERVED CVE-2020-8501 RESERVED CVE-2020-8500 (** DISPUTED ** In Artica Pandora FMS 7.42, Web Admin users can execute ...) NOT-FOR-US: Artica Pandora FMS CVE-2020-8499 RESERVED CVE-2020-8498 (XSS exists in the shortcode functionality of the GistPress plugin befo ...) NOT-FOR-US: shortcode functionality of the GistPress plugin for WordPress CVE-2020-8497 (In Artica Pandora FMS through 7.42, an unauthenticated attacker can re ...) NOT-FOR-US: Artica Pandora FMS CVE-2020-8496 (In Kronos Web Time and Attendance (webTA) 4.1.x and later 4.x versions ...) NOT-FOR-US: Kronos Web Time and Attendance (webTA) CVE-2020-8495 (In Kronos Web Time and Attendance (webTA) 3.8.x and later 3.x versions ...) NOT-FOR-US: Kronos Web Time and Attendance (webTA) CVE-2020-8494 (In Kronos Web Time and Attendance (webTA) 3.8.x and later 3.x versions ...) NOT-FOR-US: Kronos Web Time and Attendance (webTA) CVE-2020-8493 (A stored XSS vulnerability in Kronos Web Time and Attendance (webTA) a ...) NOT-FOR-US: Kronos Web Time and Attendance (webTA) CVE-2020-8492 (Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 ...) - python3.8 3.8.3~rc1-1 - python3.7 [buster] - python3.7 (Minor issue) - python3.5 [stretch] - python3.5 (Minor issue) - python3.4 [jessie] - python3.4 (Minor issue) - python2.7 [buster] - python2.7 (Minor issue) [stretch] - python2.7 (Minor issue) [jessie] - python2.7 (Minor issue) NOTE: https://bugs.python.org/issue39503 NOTE: https://github.com/python/cpython/pull/18284 NOTE: https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html NOTE: https://github.com/python/cpython/commit/0b297d4ff1c0e4480ad33acae793fbaf4bf015b4 (master) NOTE: https://github.com/python/cpython/commit/ea9e240aa02372440be8024acb110371f69c9d41 (3.8-branch) NOTE: https://github.com/python/cpython/commit/b57a73694e26e8b2391731b5ee0b1be59437388e (3.7-branch) NOTE: https://github.com/python/cpython/commit/69cdeeb93e0830004a495ed854022425b93b3f3e (3.6-branch) CVE-2020-8491 RESERVED CVE-2020-8490 RESERVED CVE-2020-8489 (Insufficient protection of the inter-process communication functions i ...) NOT-FOR-US: ABB CVE-2020-8488 (Insufficient protection of the inter-process communication functions i ...) NOT-FOR-US: ABB CVE-2020-8487 (Insufficient protection of the inter-process communication functions i ...) NOT-FOR-US: ABB CVE-2020-8486 (Insufficient protection of the inter-process communication functions i ...) NOT-FOR-US: ABB CVE-2020-8485 (Insufficient protection of the inter-process communication functions i ...) NOT-FOR-US: ABB CVE-2020-8484 (Insufficient protection of the inter-process communication functions i ...) NOT-FOR-US: ABB CVE-2020-8483 RESERVED CVE-2020-8482 (Insecure storage of sensitive information in ABB Device Library Wizard ...) NOT-FOR-US: ABB CVE-2020-8481 (For ABB products ABB Ability™ System 800xA and related system ex ...) NOT-FOR-US: ABB CVE-2020-8480 RESERVED CVE-2020-8479 (For the Central Licensing Server component used in ABB products ABB Ab ...) NOT-FOR-US: ABB CVE-2020-8478 (Insufficient protection of the inter-process communication functions i ...) NOT-FOR-US: ABB CVE-2020-8477 (The installations for ABB System 800xA Information Manager versions 5. ...) NOT-FOR-US: ABB CVE-2020-8476 (For the Central Licensing Server component used in ABB products ABB Ab ...) NOT-FOR-US: ABB CVE-2020-8475 (For the Central Licensing Server component used in ABB products ABB Ab ...) NOT-FOR-US: ABB CVE-2020-8474 (Weak Registry permissions in ABB System 800xA Base allow low privilege ...) NOT-FOR-US: ABB CVE-2020-8473 (Insufficient folder permissions used by system functions in ABB System ...) NOT-FOR-US: ABB CVE-2020-8472 (Insufficient folder permissions used by system functions in ABB System ...) NOT-FOR-US: ABB CVE-2020-8471 (For the Central Licensing Server component used in ABB products ABB Ab ...) NOT-FOR-US: ABB CVE-2020-8470 (Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Sec ...) NOT-FOR-US: Trend Micro CVE-2020-8469 (Trend Micro Password Manager for Windows version 5.0 is affected by a ...) NOT-FOR-US: Trend Micro CVE-2020-8468 (Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Sec ...) NOT-FOR-US: Trend Micro CVE-2020-8467 (A migration tool component of Trend Micro Apex One (2019) and OfficeSc ...) NOT-FOR-US: Trend Micro CVE-2020-8466 RESERVED CVE-2020-8465 RESERVED CVE-2020-8464 RESERVED CVE-2020-8463 RESERVED CVE-2020-8462 RESERVED CVE-2020-8461 RESERVED CVE-2020-8460 RESERVED CVE-2020-8459 RESERVED CVE-2020-8458 RESERVED CVE-2020-8457 RESERVED CVE-2020-8456 RESERVED CVE-2020-8455 RESERVED CVE-2020-8454 RESERVED CVE-2020-8453 RESERVED CVE-2020-8452 RESERVED CVE-2020-8451 RESERVED CVE-2020-8450 (An issue was discovered in Squid before 4.10. Due to incorrect buffer ...) {DSA-4682-1} - squid 4.10-1 (bug #950802) - squid3 NOTE: http://www.squid-cache.org/Advisories/SQUID-2020_1.txt NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2020_1.patch (Squid 3.5) NOTE: http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_1.patch (Squid 4.8 and older) NOTE: http://www.squid-cache.org/Versions/v4/changesets/squid-4-b3a0719affab099c684f1cd62b79ab02816fa962.patch (Squid 4.9) CVE-2020-8449 (An issue was discovered in Squid before 4.10. Due to incorrect input v ...) {DSA-4682-1} - squid 4.10-1 (bug #950802) - squid3 NOTE: http://www.squid-cache.org/Advisories/SQUID-2020_1.txt NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2020_1.patch (Squid 3.5) NOTE: http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_1.patch (Squid 4.8 and older) NOTE: http://www.squid-cache.org/Versions/v4/changesets/squid-4-b3a0719affab099c684f1cd62b79ab02816fa962.patch (Squid 4.9) CVE-2020-8448 (In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for ...) - ossec-hids (bug #361954) CVE-2020-8447 (In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for ...) - ossec-hids (bug #361954) CVE-2020-8446 (In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for ...) - ossec-hids (bug #361954) CVE-2020-8445 (In OSSEC-HIDS 2.7 through 3.5.0, the OS_CleanMSG function in ossec-ana ...) - ossec-hids (bug #361954) CVE-2020-8444 (In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for ...) - ossec-hids (bug #361954) CVE-2020-8443 (In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for ...) - ossec-hids (bug #361954) CVE-2020-8442 (In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for ...) - ossec-hids (bug #361954) CVE-2020-8441 (JYaml through 1.3 allows remote code execution during deserialization ...) NOT-FOR-US: JYaml CVE-2020-8440 (controllers/page_apply.php in Simplejobscript.com SJS through 1.66 is ...) NOT-FOR-US: Simplejobscript.com SJS CVE-2020-8439 (Monstra CMS through 3.0.4 allows remote authenticated users to take ov ...) NOT-FOR-US: Monstra CMS CVE-2020-8438 (Ruckus ZoneFlex R500 104.0.0.0.1347 devices allow an authenticated att ...) NOT-FOR-US: Ruckus devices CVE-2020-8437 (The bencoding parser in BitTorrent uTorrent through 3.5.5 (build 45505 ...) NOT-FOR-US: uTorrent CVE-2020-8436 (XSS was discovered in the RegistrationMagic plugin 4.6.0.0 for WordPre ...) NOT-FOR-US: RegistrationMagic plugin for WordPress CVE-2020-8435 (An issue was discovered in the RegistrationMagic plugin 4.6.0.0 for Wo ...) NOT-FOR-US: RegistrationMagic plugin for WordPress CVE-2020-8434 (Jenzabar JICS (aka Internet Campus Solution) before 9.0.1 Patch 3, 9.1 ...) NOT-FOR-US: Jenzabar JICS (aka Internet Campus Solution) CVE-2020-8433 RESERVED CVE-2019-20445 (HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length ...) {DLA-2110-1 DLA-2109-1} - netty 1:4.1.45-1 (bug #950967) - netty-3.9 NOTE: https://github.com/netty/netty/issues/9861 NOTE: https://github.com/netty/netty/commit/8494b046ec7e4f28dbd44bc699cc4c4c92251729 (4.1) NOTE: https://github.com/netty/netty/commit/629034624626b722128e0fcc6b3ec9d406cb3706 (4.1) NOTE: https://github.com/netty/netty/commit/5f68897880467c00f29495b0aa46ed19bf7a873c (tests) CVE-2019-20444 (HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header th ...) {DLA-2110-1 DLA-2109-1} - netty 1:4.1.45-1 (bug #950966) - netty-3.9 NOTE: https://github.com/netty/netty/issues/9866 NOTE: https://github.com/netty/netty/commit/a7c18d44b46e02dadfe3da225a06e5091f5f328e (4.1) CVE-2020-8432 (In Das U-Boot through 2020.01, a double free has been found in the cmd ...) - u-boot 2020.01+dfsg-2 (low) [buster] - u-boot (Minor issue) [stretch] - u-boot (Minor issue) [jessie] - u-boot (Minor issue) NOTE: https://lists.denx.de/pipermail/u-boot/2020-January/396799.html NOTE: https://lists.denx.de/pipermail/u-boot/2020-January/396853.html CVE-2020-8431 RESERVED CVE-2020-8430 (Stormshield Network Security 310 3.7.10 devices have an auth/lang.html ...) NOT-FOR-US: Stormshield Network Security 310 CVE-2020-8429 (The Admin web application in Kinetica 7.0.9.2.20191118151947 does not ...) NOT-FOR-US: Kinetica CVE-2020-8427 (In Unitrends Backup before 10.4.1, an HTTP request parameter was not p ...) NOT-FOR-US: Kaseya Traverse CVE-2020-8426 (The Elementor plugin before 2.8.5 for WordPress suffers from a reflect ...) NOT-FOR-US: Elementor plugin for WordPress CVE-2020-8425 (Cups Easy (Purchase & Inventory) 1.0 is vulnerable to CSRF that le ...) NOT-FOR-US: Cups Easy (Purchase & Inventory) CVE-2020-8424 (Cups Easy (Purchase & Inventory) 1.0 is vulnerable to CSRF that le ...) NOT-FOR-US: Cups Easy (Purchase & Inventory) CVE-2020-8423 (A buffer overflow in the httpd daemon on TP-Link TL-WR841N V10 (firmwa ...) NOT-FOR-US: TP-Link CVE-2020-8422 (An authorization issue was discovered in the Credential Manager featur ...) NOT-FOR-US: Zoho ManageEngine CVE-2020-8421 (An issue was discovered in Joomla! before 3.9.15. Inadequate escaping ...) NOT-FOR-US: Joomla! CVE-2020-8420 (An issue was discovered in Joomla! before 3.9.15. A missing CSRF token ...) NOT-FOR-US: Joomla! CVE-2020-8419 (An issue was discovered in Joomla! before 3.9.15. Missing token checks ...) NOT-FOR-US: Joomla! CVE-2020-8418 RESERVED CVE-2020-8417 (The Code Snippets plugin before 2.14.0 for WordPress allows CSRF becau ...) NOT-FOR-US: Code Snippets plugin for WordPress CVE-2020-8416 (IKTeam BearFTP before 0.2.0 allows remote attackers to achieve denial ...) NOT-FOR-US: BearFTP CVE-2020-8415 RESERVED CVE-2020-8414 RESERVED CVE-2020-8413 RESERVED CVE-2020-8412 RESERVED CVE-2020-8411 RESERVED CVE-2020-8410 RESERVED CVE-2020-8409 RESERVED CVE-2020-8408 RESERVED CVE-2020-8407 RESERVED CVE-2020-8406 RESERVED CVE-2020-8405 RESERVED CVE-2020-8404 RESERVED CVE-2020-8403 RESERVED CVE-2020-8402 RESERVED CVE-2020-8401 RESERVED CVE-2020-8400 RESERVED CVE-2020-8399 RESERVED CVE-2020-8398 RESERVED CVE-2020-8397 RESERVED CVE-2020-8396 RESERVED CVE-2020-8395 RESERVED CVE-2020-8394 RESERVED CVE-2020-8393 RESERVED CVE-2020-8392 RESERVED CVE-2020-8391 RESERVED CVE-2020-8390 RESERVED CVE-2020-8389 RESERVED CVE-2020-8388 RESERVED CVE-2020-8387 RESERVED CVE-2020-8386 RESERVED CVE-2020-8385 RESERVED CVE-2020-8384 RESERVED CVE-2020-8383 RESERVED CVE-2020-8382 RESERVED CVE-2020-8381 RESERVED CVE-2020-8380 RESERVED CVE-2020-8379 RESERVED CVE-2020-8378 RESERVED CVE-2020-8377 RESERVED CVE-2020-8376 RESERVED CVE-2020-8375 RESERVED CVE-2020-8374 RESERVED CVE-2020-8373 RESERVED CVE-2020-8372 RESERVED CVE-2020-8371 RESERVED CVE-2020-8370 RESERVED CVE-2020-8369 RESERVED CVE-2020-8368 RESERVED CVE-2020-8367 RESERVED CVE-2020-8366 RESERVED CVE-2020-8365 RESERVED CVE-2020-8364 RESERVED CVE-2020-8363 RESERVED CVE-2020-8362 RESERVED CVE-2020-8361 RESERVED CVE-2020-8360 RESERVED CVE-2020-8359 RESERVED CVE-2020-8358 RESERVED CVE-2020-8357 RESERVED CVE-2020-8356 RESERVED CVE-2020-8355 RESERVED CVE-2020-8354 RESERVED CVE-2020-8353 RESERVED CVE-2020-8352 RESERVED CVE-2020-8351 RESERVED CVE-2020-8350 RESERVED CVE-2020-8349 RESERVED CVE-2020-8348 RESERVED CVE-2020-8347 RESERVED CVE-2020-8346 RESERVED CVE-2020-8345 RESERVED CVE-2020-8344 RESERVED CVE-2020-8343 RESERVED CVE-2020-8342 RESERVED CVE-2020-8341 RESERVED CVE-2020-8340 RESERVED CVE-2020-8339 RESERVED CVE-2020-8338 RESERVED CVE-2020-8337 (An unquoted search path vulnerability was reported in versions prior t ...) NOT-FOR-US: Synaptics Smart Audio UWP app CVE-2020-8336 (Lenovo implemented Intel CSME Anti-rollback ARB protections on some Th ...) NOT-FOR-US: Lenovo CVE-2020-8335 RESERVED CVE-2020-8334 (The BIOS tamper detection mechanism was not triggered in Lenovo ThinkP ...) NOT-FOR-US: Lenovo CVE-2020-8333 RESERVED CVE-2020-8332 RESERVED CVE-2020-8331 REJECTED CVE-2020-8330 (A denial of service vulnerability was reported in the firmware prior t ...) NOT-FOR-US: Lenovo CVE-2020-8329 (A denial of service vulnerability was reported in the firmware prior t ...) NOT-FOR-US: Lenovo CVE-2020-8328 RESERVED CVE-2020-8327 (A privilege escalation vulnerability was reported in LenovoBatteryGaug ...) NOT-FOR-US: Lenovo CVE-2020-8326 RESERVED CVE-2020-8325 RESERVED CVE-2020-8324 (A vulnerability was reported in LenovoAppScenarioPluginSystem for Leno ...) NOT-FOR-US: Lenovo CVE-2020-8323 (A potential vulnerability in the SMI callback function used in the Leg ...) NOT-FOR-US: Lenovo CVE-2020-8322 (A potential vulnerability in the SMI callback function used in the Leg ...) NOT-FOR-US: Lenovo CVE-2020-8321 (A potential vulnerability in the SMI callback function used in the Sys ...) NOT-FOR-US: Lenovo CVE-2020-8320 (An internal shell was included in BIOS image in some ThinkPad models t ...) NOT-FOR-US: Lenovo CVE-2020-8319 (A privilege escalation vulnerability was reported in Lenovo System Int ...) NOT-FOR-US: Lenovo CVE-2020-8318 (A privilege escalation vulnerability was reported in the LenovoSystemU ...) NOT-FOR-US: Lenovo CVE-2020-8317 RESERVED CVE-2020-8316 (A vulnerability was reported in Lenovo Vantage prior to version 10.200 ...) NOT-FOR-US: Lenovo CVE-2020-8428 (fs/namei.c in the Linux kernel before 5.5 has a may_create_in_sticky u ...) {DSA-4698-1 DSA-4667-1 DLA-2242-1} - linux 5.4.19-1 [jessie] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/d0cb50185ae942b03c4327be322055d622dc79f6 CVE-2020-8315 (In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 thr ...) - python3.8 (Windows-specific) - python3.7 (Windows-specific) NOTE: https://bugs.python.org/issue39401 CVE-2020-8314 RESERVED CVE-2020-8313 RESERVED CVE-2020-8312 RESERVED CVE-2020-8311 RESERVED CVE-2020-8310 RESERVED CVE-2020-8309 RESERVED CVE-2020-8308 RESERVED CVE-2020-8307 RESERVED CVE-2020-8306 RESERVED CVE-2020-8305 RESERVED CVE-2020-8304 RESERVED CVE-2020-8303 RESERVED CVE-2020-8302 RESERVED CVE-2020-8301 RESERVED CVE-2020-8300 RESERVED CVE-2020-8299 RESERVED CVE-2020-8298 RESERVED CVE-2020-8297 RESERVED CVE-2020-8296 RESERVED CVE-2020-8295 RESERVED CVE-2020-8294 RESERVED CVE-2020-8293 RESERVED CVE-2020-8292 RESERVED CVE-2020-8291 RESERVED CVE-2020-8290 RESERVED CVE-2020-8289 RESERVED CVE-2020-8288 RESERVED CVE-2020-8287 RESERVED CVE-2020-8286 RESERVED CVE-2020-8285 RESERVED CVE-2020-8284 RESERVED CVE-2020-8283 RESERVED CVE-2020-8282 RESERVED CVE-2020-8281 RESERVED CVE-2020-8280 RESERVED CVE-2020-8279 RESERVED CVE-2020-8278 RESERVED CVE-2020-8277 RESERVED CVE-2020-8276 RESERVED CVE-2020-8275 RESERVED CVE-2020-8274 RESERVED CVE-2020-8273 RESERVED CVE-2020-8272 RESERVED CVE-2020-8271 RESERVED CVE-2020-8270 RESERVED CVE-2020-8269 RESERVED CVE-2020-8268 RESERVED CVE-2020-8267 RESERVED CVE-2020-8266 RESERVED CVE-2020-8265 RESERVED CVE-2020-8264 RESERVED CVE-2020-8263 RESERVED CVE-2020-8262 RESERVED CVE-2020-8261 RESERVED CVE-2020-8260 RESERVED CVE-2020-8259 RESERVED CVE-2020-8258 RESERVED CVE-2020-8257 RESERVED CVE-2020-8256 RESERVED CVE-2020-8255 RESERVED CVE-2020-8254 RESERVED CVE-2020-8253 RESERVED CVE-2020-8252 RESERVED CVE-2020-8251 RESERVED CVE-2020-8250 RESERVED CVE-2020-8249 RESERVED CVE-2020-8248 RESERVED CVE-2020-8247 RESERVED CVE-2020-8246 RESERVED CVE-2020-8245 RESERVED CVE-2020-8244 RESERVED CVE-2020-8243 RESERVED CVE-2020-8242 RESERVED CVE-2020-8241 RESERVED CVE-2020-8240 RESERVED CVE-2020-8239 RESERVED CVE-2020-8238 RESERVED CVE-2020-8237 RESERVED CVE-2020-8236 RESERVED CVE-2020-8235 RESERVED CVE-2020-8234 RESERVED CVE-2020-8233 RESERVED CVE-2020-8232 RESERVED CVE-2020-8231 RESERVED CVE-2020-8230 RESERVED CVE-2020-8229 RESERVED CVE-2020-8228 RESERVED CVE-2020-8227 RESERVED CVE-2020-8226 RESERVED CVE-2020-8225 RESERVED CVE-2020-8224 RESERVED CVE-2020-8223 RESERVED CVE-2020-8222 RESERVED CVE-2020-8221 RESERVED CVE-2020-8220 RESERVED CVE-2020-8219 RESERVED CVE-2020-8218 RESERVED CVE-2020-8217 RESERVED CVE-2020-8216 RESERVED CVE-2020-8215 RESERVED CVE-2020-8214 RESERVED CVE-2020-8213 RESERVED CVE-2020-8212 RESERVED CVE-2020-8211 RESERVED CVE-2020-8210 RESERVED CVE-2020-8209 RESERVED CVE-2020-8208 RESERVED CVE-2020-8207 RESERVED CVE-2020-8206 RESERVED CVE-2020-8205 RESERVED CVE-2020-8204 RESERVED CVE-2020-8203 RESERVED CVE-2020-8202 RESERVED CVE-2020-8201 RESERVED CVE-2020-8200 RESERVED CVE-2020-8199 RESERVED CVE-2020-8198 RESERVED CVE-2020-8197 RESERVED CVE-2020-8196 RESERVED CVE-2020-8195 RESERVED CVE-2020-8194 RESERVED CVE-2020-8193 RESERVED CVE-2020-8192 RESERVED CVE-2020-8191 RESERVED CVE-2020-8190 RESERVED CVE-2020-8189 RESERVED CVE-2020-8188 (We have recently released new version of UniFi Protect firmware v1.13. ...) NOT-FOR-US: UniFi Protect CVE-2020-8187 RESERVED CVE-2020-8186 RESERVED CVE-2020-8185 (A denial of service vulnerability exists in Rails <6.0.3.2 that all ...) [experimental] - rails 6.0.3.2+dfsg-1 (bug #964081) - rails (Introduced in rails 6.x) NOTE: https://groups.google.com/g/rubyonrails-security/c/pAe9EV8gbM0 CVE-2020-8184 (A reliance on cookies without validation/integrity check security vuln ...) - ruby-rack (bug #963477) NOTE: Fixed by: https://github.com/rack/rack/commit/1f5763de6a9fe515ff84992b343d63c88104654c CVE-2020-8183 RESERVED CVE-2020-8182 RESERVED CVE-2020-8181 RESERVED CVE-2020-8180 (A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a cod ...) NOT-FOR-US: Nextcloud Talk CVE-2020-8179 (Improper access control in Nextcloud Deck 1.0.0 allowed an attacker to ...) NOT-FOR-US: Nextcloud Deck CVE-2020-8178 RESERVED CVE-2020-8177 RESERVED - curl NOTE: https://curl.haxx.se/docs/CVE-2020-8177.html NOTE: https://github.com/curl/curl/commit/8236aba58542c5f89f1d41ca09d84579efb05e22 (7.71.0) CVE-2020-8176 (A cross-site scripting vulnerability exists in koa-shopify-auth v3.1.6 ...) NOT-FOR-US: koa-shopify-auth CVE-2020-8175 RESERVED CVE-2020-8174 [napi_get_value_string_*() allows various kinds of memory corruption] RESERVED {DSA-4696-1} - nodejs 10.21.0~dfsg-1 (bug #962145) [stretch] - nodejs (Nodejs in stretch not covered by security support) [jessie] - nodejs (Nodejs in jessie not covered by security support) NOTE: https://nodejs.org/en/blog/vulnerability/june-2020-security-releases/#napi_get_value_string_-allows-various-kinds-of-memory-corruption-high-cve-2020-8174 CVE-2020-8173 RESERVED CVE-2020-8172 (TLS session reuse can lead to host certificate verification bypass in ...) - nodejs (Only affects 12.x and later) NOTE: https://nodejs.org/en/blog/vulnerability/june-2020-security-releases/#tls-session-reuse-can-lead-to-host-certificate-verification-bypass-high-cve-2020-8172 CVE-2020-8171 (We have recently released new version of AirMax AirOS firmware v6.3.0 ...) NOT-FOR-US: AirMax AirOS CVE-2020-8170 (We have recently released new version of AirMax AirOS firmware v6.3.0 ...) NOT-FOR-US: AirMax AirOS CVE-2020-8169 RESERVED - curl [stretch] - curl (Vulnerable code introduced later) [jessie] - curl (Vulnerable code introduced later) NOTE: https://curl.haxx.se/docs/CVE-2020-8169.html NOTE: https://github.com/curl/curl/commit/600a8cded447cd7118ed50142c576567c0cf5158 (7.71.0) CVE-2020-8168 (We have recently released new version of AirMax AirOS firmware v6.3.0 ...) NOT-FOR-US: AirMax AirOS CVE-2020-8167 (A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that ...) - rails 2:5.2.4.3+dfsg-1 [stretch] - rails (Vulnerable code introduced later) [jessie] - rails (Vulnerable code introduced later) NOTE: https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released NOTE: https://github.com/rails/rails/commit/fbc7bec074b5ef9ae22f79ca5d9bafec7b276dd3 CVE-2020-8166 (A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6. ...) - rails 2:5.2.4.3+dfsg-1 [stretch] - rails (Vulnerable code introduced later) [jessie] - rails (Vulnerable code introduced later) NOTE: https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released NOTE: https://github.com/rails/rails/commit/d124f19287f4892c72ca54da728a781591c6fca1 NOTE: per-form CSRF token introduced in 5.x: https://github.com/rails/rails/commit/3e98819e20bc113343d4d4c0df614865ad5a9d3a CVE-2020-8165 (A deserialization of untrusted data vulnernerability exists in rails & ...) {DLA-2251-1} - rails 2:5.2.4.3+dfsg-1 NOTE: https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released NOTE: https://github.com/rails/rails/commit/f7e077f85e61fc0b7381963eda0ceb0e457546b5 (MemCache backend) NOTE: https://github.com/rails/rails/commit/467e3399c9007996c03ffe3212689d48dd25ae99 (Redis backend) NOTE: Redis backend introduced in 5.2: https://github.com/rails/rails/commit/9f8ec3535247ac41a9c92e84ddc7a3b771bc318b CVE-2020-8164 (A deserialization of untrusted data vulnerability exists in rails < ...) {DLA-2251-1} [experimental] - rails 2:6.0.3.1+dfsg-1 - rails 2:5.2.4.3+dfsg-1 NOTE: https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released NOTE: https://github.com/rails/rails/commit/7a3ee4fea90b7555f8d09c6c05c15fe7ab5a06ec CVE-2020-8163 (The is a code injection vulnerability in versions of Rails prior to 5. ...) - rails 2:5.2.0+dfsg-2 NOTE: https://weblog.rubyonrails.org/2020/5/15/Rails-4-2-11-2-has-been-released/ NOTE: https://weblog.rubyonrails.org/2020/5/16/rails-4-2-11-3-has-been-released/ NOTE: https://groups.google.com/forum/#!topic/rubyonrails-security/hWuKcHyoKh0 NOTE: https://github.com/rails/rails/commit/4c46a15e0a7815ca9e4cd7c7fda042eb8c1b7724 (4.2.11.2) NOTE: Followup needed due to breaking change: https://github.com/rails/rails/issues/39301 NOTE: https://github.com/rails/rails/commit/1f3db0ad793441a0c00e85d56228fc80aafbe6c1 (4.2.11.3) NOTE: The combined patch can still potentially affect reverse dependencies like redmine: NOTE: https://github.com/rails/rails/issues/39301#issuecomment-636818148 NOTE: For rails 5.0 the issue is fixed in >= 5.0.1 CVE-2020-8162 (A client side enforcement of server side security vulnerability exists ...) - rails 2:5.2.4.3+dfsg-1 [stretch] - rails (Vulnerable code introduced later) [jessie] - rails (Vulnerable code introduced later) NOTE: https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released NOTE: https://github.com/rails/rails/commit/e8df5648515a0e8324d3b3c4bdb7bde6802cd8be CVE-2020-8161 (A directory traversal vulnerability exists in rack < 2.2.0 that all ...) {DLA-2216-1} - ruby-rack 2.1.1-5 [buster] - ruby-rack (Minor issue; can be fixed via point release) [stretch] - ruby-rack (Minor issue; can be fixed via point release) NOTE: https://groups.google.com/forum/#!msg/rubyonrails-security/IOO1vNZTzPA/Ylzi1UYLAAAJ NOTE: Fixed by: https://github.com/rack/rack/commit/dddb7ad18ed79ca6ab06ccc417a169fde451246e NOTE: Required followup: https://github.com/rack/rack/commit/e7ba1b0557d3ad97af1ef113bbeb5f27417983fa NOTE: Test: https://github.com/rack/rack/commit/775c836bdd25b63340399fea739532d746860a94 CVE-2020-8160 RESERVED CVE-2020-8159 (There is a vulnerability in actionpack_page-caching gem < v1.2.1 th ...) - ruby-actionpack-page-caching 1.2.2-1 (bug #960680) NOTE: https://groups.google.com/forum/#!topic/rubyonrails-security/CFRVkEytdP8 CVE-2020-8158 RESERVED CVE-2020-8157 (UniFi Cloud Key firmware <= v1.1.10 for Cloud Key gen2 and Cloud Ke ...) NOT-FOR-US: UniFi Cloud Key CVE-2020-8156 (A missing verification of the TLS host in Nextcloud Mail 1.1.3 allowed ...) NOT-FOR-US: Nextcloud Mail CVE-2020-8155 (An outdated 3rd party library in the Files PDF viewer for Nextcloud Se ...) - nextcloud-server (bug #941708) CVE-2020-8154 (An Insecure direct object reference vulnerability in Nextcloud Server ...) - nextcloud-server (bug #941708) CVE-2020-8153 (Improper access control in Groupfolders app 4.0.3 allowed to delete hi ...) NOT-FOR-US: Nextcloud Groupfolders app CVE-2020-8152 RESERVED CVE-2020-8151 (There is a possible information disclosure issue in Active Resource &l ...) - rails (Vulnerable code splitted out upstream before initial upload to Debian) NOTE: ActiveResource was extracted to a separate gem in starting in the 4.0 rails NOTE: release as it was not widely used. CVE-2020-8150 RESERVED CVE-2020-8149 (Lack of output sanitization allowed an attack to execute arbitrary she ...) NOT-FOR-US: Node logkitty CVE-2020-8148 (UniFi Cloud Key firmware < 1.1.6 contains a vulnerability that enab ...) NOT-FOR-US: UniFi Cloud Key firmware CVE-2020-8147 (Flaw in input validation in npm package utils-extend version 1.0.8 and ...) NOT-FOR-US: Node utils-extend CVE-2020-8146 (In UniFi Video v3.10.1 (for Windows 7/8/10 x64) there is a Local Privi ...) NOT-FOR-US: UniFi CVE-2020-8145 (The UniFi Video Server (Windows) web interface configuration restore f ...) NOT-FOR-US: UniFi CVE-2020-8144 (The UniFi Video Server v3.9.3 and prior (for Windows 7/8/10 x64) web i ...) NOT-FOR-US: UniFi CVE-2020-8143 (An Open Redirect vulnerability was discovered in Revive Adserver versi ...) NOT-FOR-US: Revive Adserver CVE-2020-8142 (A security restriction bypass vulnerability has been discovered in Rev ...) NOT-FOR-US: Revive Adserver CVE-2020-8141 (The dot package v1.1.2 uses Function() to compile templates. This can ...) - node-dot 1.1.3+ds-1 [buster] - node-dot 1.1.1-1+deb10u1 NOTE: https://hackerone.com/reports/390929 CVE-2020-8140 (A code injection in Nextcloud Desktop Client 2.6.2 for macOS allowed t ...) - nextcloud-desktop (MacOS-specific) CVE-2020-8139 (A missing access control check in Nextcloud Server < 18.0.1, < 1 ...) - nextcloud-server (bug #941708) CVE-2020-8138 (A missing check for IPv4 nested inside IPv6 in Nextcloud server < 1 ...) - nextcloud-server (bug #941708) CVE-2020-8137 (Code injection vulnerability in blamer 1.0.0 and earlier may result in ...) NOT-FOR-US: Node blamer CVE-2020-8136 (Prototype pollution vulnerability in fastify-multipart < 1.0.5 allo ...) NOT-FOR-US: Node fastify-multipart CVE-2020-8135 (The uppy npm package < 1.9.3 is vulnerable to a Server-Side Request ...) NOT-FOR-US: Node uppy CVE-2020-8134 (Server-side request forgery (SSRF) vulnerability in Ghost CMS < 3.1 ...) NOT-FOR-US: Ghost CMS CVE-2020-8133 RESERVED CVE-2020-8132 (Lack of input validation in pdf-image npm package version <= 2.0.0 ...) NOT-FOR-US: Node pdf-image package CVE-2020-8131 (Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows ...) - node-yarnpkg 1.22.4-2 (bug #952912) [buster] - node-yarnpkg (Minor issue) NOTE: https://hackerone.com/reports/730239 NOTE: https://github.com/yarnpkg/yarn/pull/7831 CVE-2020-8130 (There is an OS command injection vulnerability in Ruby Rake < 12.3. ...) {DLA-2120-1} - rake 12.3.3-1 [buster] - rake 12.3.1-3+deb10u1 [stretch] - rake (Minor issue) NOTE: https://hackerone.com/reports/651518 NOTE: Fixed by: https://github.com/ruby/rake/commit/5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee (v12.3.3) CVE-2020-8129 (An unintended require vulnerability in script-manager npm package vers ...) NOT-FOR-US: script-manager nodejs module CVE-2020-8128 (An unintended require and server-side request forgery vulnerabilities ...) NOT-FOR-US: jsreport CVE-2020-8127 (Insufficient validation in cross-origin communication (postMessage) in ...) NOT-FOR-US: reveal.js CVE-2020-8126 (A privilege escalation in the EdgeSwitch prior to version 1.7.1, an CG ...) NOT-FOR-US: Ubiquiti Networks EdgeSwitch CVE-2020-8125 (Flaw in input validation in npm package klona version 1.1.0 and earlie ...) NOT-FOR-US: klona node module CVE-2020-8124 (Insufficient validation and sanitization of user input exists in url-p ...) - node-url-parse 1.4.7-1 [buster] - node-url-parse (Minor issue) [stretch] - node-url-parse (Nodejs in stretch not covered by security support) NOTE: https://github.com/unshiftio/url-parse/commit/3ecd256f127c3ada36a84d9b8dd3ebd14316274b NOTE: https://hackerone.com/reports/496293 CVE-2020-8123 (A denial of service exists in strapi v3.0.0-beta.18.3 and earlier that ...) NOT-FOR-US: strapi CVE-2020-8122 (A missing check in Nextcloud Server 14.0.3 could give recipient the po ...) - nextcloud-server (bug #941708) CVE-2020-8121 (A bug in Nextcloud Server 14.0.4 could expose more data in reshared li ...) - nextcloud-server (bug #941708) CVE-2020-8120 (A reflected Cross-Site Scripting vulnerability in Nextcloud Server 16. ...) - nextcloud-server (bug #941708) CVE-2020-8119 (Improper authorization in Nextcloud server 17.0.0 causes leaking of pr ...) - nextcloud-server (bug #941708) CVE-2020-8118 (An authenticated server-side request forgery in Nextcloud server 16.0. ...) - nextcloud-server (bug #941708) CVE-2020-8117 (Improper preservation of permissions in Nextcloud Server 14.0.3 causes ...) - nextcloud-server (bug #941708) CVE-2020-8116 (Prototype pollution vulnerability in dot-prop npm package version 5.1. ...) - node-dot-prop 5.2.0-1 [buster] - node-dot-prop 4.1.1-1+deb10u1 NOTE: https://hackerone.com/reports/719856 NOTE: https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2 CVE-2020-8115 (A reflected XSS vulnerability has been discovered in the publicly acce ...) NOT-FOR-US: Revive Adserver CVE-2020-8114 (GitLab EE 8.9 and later through 12.7.2 has Insecure Permission ...) - gitlab (Only affects Gitlab EE) NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/ CVE-2020-8113 (GitLab 10.7 and later through 12.7.2 has Incorrect Access Control. ...) [experimental] - gitlab 12.6.8-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/ CVE-2020-8112 (opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 through ...) {DLA-2089-1} - openjpeg2 (bug #950184) [buster] - openjpeg2 (Minor issue) [stretch] - openjpeg2 (Minor issue) NOTE: https://github.com/uclouvain/openjpeg/issues/1231 CVE-2020-8111 RESERVED CVE-2020-8110 RESERVED CVE-2020-8109 RESERVED CVE-2020-8108 RESERVED CVE-2020-8107 RESERVED CVE-2020-8106 RESERVED CVE-2020-8105 RESERVED CVE-2020-8104 RESERVED CVE-2020-8103 (A vulnerability in the improper handling of symbolic links in Bitdefen ...) NOT-FOR-US: Bitdefender Antivirus Free CVE-2020-8102 (Improper Input Validation vulnerability in the Safepay browser compone ...) NOT-FOR-US: Safepay CVE-2020-8101 RESERVED CVE-2020-8100 (Improper Input Validation vulnerability in the cevakrnl.rv0 module as ...) NOT-FOR-US: Bitdefender CVE-2020-8099 (A vulnerability in the improper handling of junctions in Bitdefender A ...) NOT-FOR-US: Bitdefender Antivirus Free CVE-2020-8098 RESERVED CVE-2020-8097 RESERVED CVE-2020-8096 (Untrusted Search Path vulnerability in Bitdefender High-Level Antimalw ...) NOT-FOR-US: Bitdefender CVE-2020-8095 (A vulnerability in the improper handling of junctions before deletion ...) NOT-FOR-US: Bitdefender Total Security CVE-2020-8094 RESERVED CVE-2020-8093 (A vulnerability in the AntivirusforMac binary as used in Bitdefender A ...) NOT-FOR-US: Bitdefender Antivirus for Mac CVE-2020-8092 (A privilege escalation vulnerability in BDLDaemon as used in Bitdefend ...) NOT-FOR-US: Bitdefender Antivirus for Mac CVE-2020-8091 (svg.swf in TYPO3 6.2.0 to 6.2.38 ELTS and 7.0.0 to 7.1.0 could allow a ...) NOT-FOR-US: TYPO3 CVE-2020-8090 (The Username field in the Storage Service settings of A1 WLAN Box ADB ...) NOT-FOR-US: A1 WLAN Box ADB VV2220v2 devices CVE-2020-8089 (Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to th ...) - piwigo CVE-2020-8088 (panel_login.php in UseBB 1.0.12 allows type juggling for login bypass ...) NOT-FOR-US: UseBB CVE-2020-8087 (SMC Networks D3G0804W D3GNV5M-3.5.1.6.10_GA devices allow remote comma ...) NOT-FOR-US: SMC Networks D3G0804W D3GNV5M-3.5.1.6.10_GA devices CVE-2019-20443 (An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Int ...) NOT-FOR-US: WSO2 CVE-2019-20442 (An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Int ...) NOT-FOR-US: WSO2 CVE-2019-20441 (An issue was discovered in WSO2 API Manager 2.6.0. A potential Stored ...) NOT-FOR-US: WSO2 CVE-2019-20440 (An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflect ...) NOT-FOR-US: WSO2 CVE-2019-20439 (An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflect ...) NOT-FOR-US: WSO2 CVE-2019-20438 (An issue was discovered in WSO2 API Manager 2.6.0. A potential stored ...) NOT-FOR-US: WSO2 CVE-2019-20437 (An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Mana ...) NOT-FOR-US: WSO2 CVE-2019-20436 (An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Mana ...) NOT-FOR-US: WSO2 CVE-2019-20435 (An issue was discovered in WSO2 API Manager 2.6.0. A reflected XSS att ...) NOT-FOR-US: WSO2 CVE-2019-20434 (An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflect ...) NOT-FOR-US: WSO2 CVE-2020-8086 (The mod_auth_ldap and mod_auth_ldap2 Community Modules through 2020-01 ...) {DSA-4612-1} - prosody-modules 0.0~hg20200128.09e7e880e056+dfsg-1 NOTE: https://hg.prosody.im/prosody-modules/rev/f2b29183ef08 NOTE: https://prosody.im/security/advisory_20200128/ CVE-2020-8085 RESERVED CVE-2020-8084 RESERVED CVE-2020-8083 RESERVED CVE-2020-8082 RESERVED CVE-2020-8081 RESERVED CVE-2020-8080 RESERVED CVE-2020-8079 RESERVED CVE-2020-8078 RESERVED CVE-2020-8077 RESERVED CVE-2020-8076 RESERVED CVE-2020-8075 RESERVED CVE-2020-8074 RESERVED CVE-2020-8073 RESERVED CVE-2020-8072 RESERVED CVE-2020-8071 RESERVED CVE-2020-8070 RESERVED CVE-2020-8069 RESERVED CVE-2020-8068 RESERVED CVE-2020-8067 RESERVED CVE-2020-8066 RESERVED CVE-2020-8065 RESERVED CVE-2020-8064 RESERVED CVE-2020-8063 RESERVED CVE-2020-8062 RESERVED CVE-2020-8061 RESERVED CVE-2020-8060 RESERVED CVE-2020-8059 RESERVED CVE-2020-8058 RESERVED CVE-2020-8057 RESERVED CVE-2020-8056 RESERVED CVE-2020-8055 RESERVED CVE-2020-8054 RESERVED CVE-2020-8053 RESERVED CVE-2020-8052 RESERVED CVE-2020-8051 RESERVED CVE-2020-8050 RESERVED CVE-2020-8049 RESERVED CVE-2020-8048 RESERVED CVE-2020-8047 RESERVED CVE-2020-8046 RESERVED CVE-2020-8045 RESERVED CVE-2020-8044 RESERVED CVE-2020-8043 RESERVED CVE-2020-8042 RESERVED CVE-2020-8041 RESERVED CVE-2020-8040 RESERVED CVE-2020-8039 RESERVED CVE-2020-8038 RESERVED CVE-2020-8037 RESERVED CVE-2020-8036 RESERVED CVE-2020-8035 (The image view functionality in Horde Groupware Webmail Edition before ...) {DLA-2230-1} - php-horde 5.2.23+debian0-1 (bug #963809) [buster] - php-horde (Minor issue; can be fixed via point release) [stretch] - php-horde (Minor issue; can be fixed via point release) NOTE: https://github.com/horde/base/commit/64127fe3c2b9843c9760218e59dae9731cc56bdf NOTE: https://lists.horde.org/archives/announce/2020/001290.html CVE-2020-8034 (Gollem before 3.0.13, as used in Horde Groupware Webmail Edition 5.2.2 ...) {DLA-2229-1} - php-horde-gollem 3.0.12-6 (bug #961649) [buster] - php-horde-gollem (Minor issue) [stretch] - php-horde-gollem (Minor issue) NOTE: https://lists.horde.org/archives/announce/2020/001289.html NOTE: https://github.com/horde/gollem/commit/a73bef1aef27d4cbfc7b939c2a81dea69aabb083 CVE-2020-8033 (Ruckus R500 3.4.2.0.384 devices allow XSS via the index.asp Device Nam ...) NOT-FOR-US: Ruckus CVE-2020-8032 RESERVED CVE-2020-8031 RESERVED CVE-2020-8030 RESERVED CVE-2020-8029 RESERVED CVE-2020-8028 RESERVED CVE-2020-8027 RESERVED CVE-2020-8026 RESERVED CVE-2020-8025 RESERVED CVE-2020-8024 (A Incorrect Default Permissions vulnerability in the packaging of hyla ...) - hylafax (SuSE-specific packaging issue) CVE-2020-8023 RESERVED CVE-2020-8022 (A Incorrect Default Permissions vulnerability in the packaging of tomc ...) NOT-FOR-US: SAP CVE-2020-8021 (a Improper Access Control vulnerability in of Open Build Service allow ...) TODO: check CVE-2020-8020 (A Improper Neutralization of Input During Web Page Generation vulnerab ...) TODO: check CVE-2020-8019 (A UNIX Symbolic Link (Symlink) Following vulnerability in the packagin ...) NOT-FOR-US: SAP CVE-2020-8018 (A Incorrect Default Permissions vulnerability in the SLES15-SP1-CHOST- ...) NOT-FOR-US: Some SLES images CVE-2020-8017 (A Race Condition Enabling Link Following vulnerability in the cron job ...) NOT-FOR-US: SuSE packaging of TexLive CVE-2020-8016 (A Race Condition Enabling Link Following vulnerability in the packagin ...) NOT-FOR-US: SuSE packaging of TexLive CVE-2020-8015 (A UNIX Symbolic Link (Symlink) Following vulnerability in the packagin ...) NOT-FOR-US: SuSE packaging of TexLive CVE-2020-8014 (A UNIX Symbolic Link (Symlink) Following vulnerability in the packagin ...) - kopanocore (SuSE-specific packaging issue) CVE-2020-8013 (A UNIX Symbolic Link (Symlink) Following vulnerability in chkstat of S ...) NOT-FOR-US: chkstat CVE-2020-8012 (CA Unified Infrastructure Management (Nimsoft/UIM) 9.20 and below cont ...) NOT-FOR-US: CA Unified Infrastructure Management (Nimsoft/UIM) CVE-2020-8011 (CA Unified Infrastructure Management (Nimsoft/UIM) 9.20 and below cont ...) NOT-FOR-US: CA Unified Infrastructure Management (Nimsoft/UIM) CVE-2020-8010 (CA Unified Infrastructure Management (Nimsoft/UIM) 9.20 and below cont ...) NOT-FOR-US: CA Unified Infrastructure Management (Nimsoft/UIM) CVE-2020-8009 (AVB MOTU devices through 2020-01-22 allow /.. Directory Traversal, as ...) NOT-FOR-US: AVB MOTU devices CVE-2020-8008 RESERVED CVE-2020-8007 RESERVED CVE-2020-8006 RESERVED CVE-2020-8005 RESERVED CVE-2020-8004 (STMicroelectronics STM32F1 devices have Incorrect Access Control. ...) NOT-FOR-US: STMicroelectronics STM32F1 devices CVE-2019-20433 (libaspell.a in GNU Aspell before 0.60.8 has a buffer over-read for a s ...) - aspell 0.60.7-3 (bug #935128) [buster] - aspell (Minor issue) [stretch] - aspell (Minor issue) [jessie] - aspell (Minor issue) NOTE: http://aspell.net/buffer-overread-ucs.txt NOTE: Fixed by: https://github.com/GNUAspell/aspell/commit/de29341638833ba7717bd6b5e6850998454b044b NOTE: Recommended additionally: https://github.com/GNUAspell/aspell/commit/cefd447e5528b08bb0cd6656bc52b4255692cefc CVE-2020-8003 (A double-free vulnerability in vrend_renderer.c in virglrenderer throu ...) - virglrenderer 0.8.2-1 (bug #949954) [buster] - virglrenderer (Minor issue) NOTE: https://gitlab.freedesktop.org/virgl/virglrenderer/commit/522b610a826f6de58c560cbb38fa8dfc65ae3c42 CVE-2020-8002 (A NULL pointer dereference in vrend_renderer.c in virglrenderer throug ...) - virglrenderer 0.8.2-1 (bug #949954) [buster] - virglrenderer (Minor issue) NOTE: https://gitlab.freedesktop.org/virgl/virglrenderer/commit/63bcca251f093d83da7e290ab4bbd38ae69089b5 CVE-2020-8001 (The Intellian Aptus application 1.0.2 for Android has a hardcoded pass ...) NOT-FOR-US: Intellian Aptus application for Android CVE-2020-8000 (Intellian Aptus Web 1.24 has a hardcoded password of 12345678 for the ...) NOT-FOR-US: Intellian Aptus Web CVE-2020-7999 (The Intellian Aptus application 1.0.2 for Android has hardcoded values ...) NOT-FOR-US: Intellian Aptus application for Android CVE-2020-7998 (An arbitrary file upload vulnerability has been discovered in the Supe ...) NOT-FOR-US: Super File Explorer app for iOS CVE-2020-7997 (ASUS WRT-AC66U 3 RT 3.0.0.4.372_67 devices allow XSS via the Client Na ...) NOT-FOR-US: ASUS WRT-AC66U 3 RT 3.0.0.4.372_67 devices CVE-2020-7996 (htdocs/user/passwordforgotten.php in Dolibarr 10.0.6 allows XSS via th ...) - dolibarr CVE-2020-7995 (The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6 allow ...) - dolibarr CVE-2020-7994 (Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 10.0.6 ...) - dolibarr CVE-2020-7993 (Prototype 1.6.0.1 allows remote authenticated users to forge ticket cr ...) NOT-FOR-US: Prototype node module CVE-2020-7992 RESERVED CVE-2020-7991 (Adive Framework 2.0.8 has admin/config CSRF to change the Administrato ...) NOT-FOR-US: Adive Framework CVE-2020-7990 (Adive Framework 2.0.8 has admin/user/add userName XSS. ...) NOT-FOR-US: Adive Framework CVE-2020-7989 (Adive Framework 2.0.8 has admin/user/add userUsername XSS. ...) NOT-FOR-US: Adive Framework CVE-2020-7988 (An issue was discovered in tools/pass-change/result.php in phpIPAM 1.4 ...) NOT-FOR-US: phpIPAM CVE-2020-7987 RESERVED CVE-2020-7986 RESERVED CVE-2020-7985 RESERVED CVE-2020-7984 (SolarWinds N-central before 12.1 SP1 HF5 and 12.2 before SP1 HF2 allow ...) NOT-FOR-US: SolarWinds CVE-2020-7983 (A CSRF issue in login.asp on Ruckus R500 3.4.2.0.384 devices allows re ...) NOT-FOR-US: Ruckus CVE-2019-20432 (In the Lustre file system before 2.12.3, the mdt module has an out-of- ...) - lustre CVE-2019-20431 (In the Lustre file system before 2.12.3, the ptlrpc module has an osd_ ...) - lustre CVE-2019-20430 (In the Lustre file system before 2.12.3, the mdt module has an LBUG pa ...) - lustre CVE-2019-20429 (In the Lustre file system before 2.12.3, the ptlrpc module has an out- ...) - lustre CVE-2019-20428 (In the Lustre file system before 2.12.3, the ptlrpc module has an out- ...) - lustre CVE-2019-20427 (In the Lustre file system before 2.12.3, the ptlrpc module has a buffe ...) - lustre CVE-2019-20426 (In the Lustre file system before 2.12.3, the ptlrpc module has an out- ...) - lustre CVE-2019-20425 (In the Lustre file system before 2.12.3, the ptlrpc module has an out- ...) - lustre CVE-2019-20424 (In the Lustre file system before 2.12.3, mdt_object_remote in the mdt ...) - lustre CVE-2019-20423 (In the Lustre file system before 2.12.3, the ptlrpc module has a buffe ...) - lustre CVE-2019-20422 (In the Linux kernel before 5.3.4, fib6_rule_lookup in net/ipv6/ip6_fib ...) - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/7b09c2d052db4b4ad0b27b97918b46a7746966fa CVE-2019-20421 (In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2, an input ...) - exiv2 0.27.2-8 (low; bug #950183) [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) [jessie] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/commit/a82098f4f90cd86297131b5663c3dec6a34470e8 NOTE: https://github.com/Exiv2/exiv2/issues/1011 CVE-2020-7982 (An issue was discovered in OpenWrt 18.06.0 to 18.06.6 and 19.07.0, and ...) NOT-FOR-US: OpenWrt CVE-2020-7981 (sql.rb in Geocoder before 1.6.1 allows Boolean-based SQL injection whe ...) - ruby-geocoder 1.5.1-3 (bug #949870) NOTE: https://github.com/alexreisner/geocoder/commit/dcdc3d8675411edce3965941a2ca7c441ca48613 CVE-2020-7980 (Intellian Aptus Web 1.24 allows remote attackers to execute arbitrary ...) NOT-FOR-US: Intellian Aptus Web CVE-2020-7979 (GitLab EE 8.9 and later through 12.7.2 has Insecure Permission ...) - gitlab (Only affects Gitlab EE 12.0 and later) NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/ CVE-2020-7978 (GitLab EE 12.6 and later through 12.7.2 allows Denial of Service. ...) - gitlab (Only affects Gitlab EE 12.6 and later) NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/ CVE-2020-7977 (GitLab EE 8.8 and later through 12.7.2 has Insecure Permissions. ...) - gitlab (Only affects Gitlab EE 8.8 and later) NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/ CVE-2020-7976 (GitLab EE 12.4 and later through 12.7.2 has Incorrect Access Control. ...) - gitlab (Only affects Gitlab EE 12.4 and later) NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/ CVE-2020-7975 REJECTED CVE-2020-7974 (GitLab EE 10.1 through 12.7.2 allows Information Disclosure. ...) - gitlab (Only affects Gitlab EE 10.1 and later) NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/ CVE-2020-7973 (GitLab through 12.7.2 allows XSS. ...) [experimental] - gitlab 12.6.7-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/ CVE-2020-7972 (GitLab EE 12.2 has Insecure Permissions (issue 2 of 2). ...) - gitlab (Only affects Gitlab EE 12.0 and later) NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/ CVE-2020-7971 (GitLab EE 11.0 and later through 12.7.2 allows XSS. ...) - gitlab (Only affects Gitlab EE 11.0 and later) NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/ CVE-2020-7970 RESERVED CVE-2020-7969 (GitLab EE 8.0 and later through 12.7.2 allows Information Disclosure. ...) - gitlab (Only affects Gitlab EE 8.0 and later) NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/ CVE-2020-7968 (GitLab EE 8.0 through 12.7.2 has Incorrect Access Control. ...) [experimental] - gitlab 12.6.7-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/ CVE-2020-7967 (GitLab EE 8.0 through 12.7.2 has Insecure Permissions (issue 1 of 2). ...) - gitlab (ONly affects Gitlab EE 12.0 and later) NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/ CVE-2020-7966 (GitLab EE 11.11 and later through 12.7.2 allows Directory Traversal. ...) - gitlab (Only affects Gitlab EE 11.11 and later) NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/ CVE-2020-7965 (flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Con ...) NOT-FOR-US: webargs CVE-2020-7964 (An issue was discovered in Mirumee Saleor 2.x before 2.9.1. Incorrect ...) NOT-FOR-US: Mirumee Saleor CVE-2020-7963 RESERVED CVE-2019-20420 RESERVED CVE-2015-9541 (Qt through 5.14 allows an exponential XML entity expansion attack via ...) - qtbase-opensource-src 5.12.5+dfsg-9 (low; bug #951066) [buster] - qtbase-opensource-src (Minor issue) [stretch] - qtbase-opensource-src (Minor issue) [jessie] - qtbase-opensource-src (Minor issue; upstream patches use not-yet-available QStringView API) NOTE: https://bugreports.qt.io/browse/QTBUG-47417 NOTE: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=fd4be84d23a0db4186cb42e736a9de3af722c7f7 NOTE: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=f432c08882ffebe5074ea28de871559a98a4d094 (5.12 backport) CVE-2020-7962 RESERVED CVE-2020-7961 (Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE ...) NOT-FOR-US: Liferay Portal CVE-2020-7960 RESERVED CVE-2020-7959 (LabVantage LIMS 8.3 does not properly maintain the confidentiality of ...) NOT-FOR-US: LabVantage LIMS CVE-2020-7958 (An issue was discovered on OnePlus 7 Pro devices before 10.0.3.GM21BA. ...) NOT-FOR-US: OnePlus 7 Pro devices CVE-2020-7957 (The IMAP and LMTP components in Dovecot 2.3.9 before 2.3.9.3 mishandle ...) - dovecot (Only affects 2.3.9) NOTE: https://www.openwall.com/lists/oss-security/2020/02/12/2 CVE-2020-7956 (HashiCorp Nomad and Nomad Enterprise up to 0.10.2 incorrectly validate ...) - nomad 0.10.3+dfsg1-1 NOTE: https://github.com/hashicorp/nomad/issues/7003 CVE-2020-7955 (HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uni ...) - consul 1.7.0+dfsg1-1 (bug #950736) [buster] - consul (Minor issue) NOTE: https://github.com/hashicorp/consul/issues/7160 NOTE: Fixed in 1.6.3. CVE-2020-7954 (An issue was discovered in OpServices OpMon 9.3.2. Starting from the a ...) NOT-FOR-US: OpServices OpMon CVE-2020-7953 (An issue was discovered in OpServices OpMon 9.3.2. Without authenticat ...) NOT-FOR-US: OpServices OpMon CVE-2020-7952 (rendersystemdx9.dll in Valve Dota 2 before 7.23f allows remote attacke ...) NOT-FOR-US: rendersystemdx9.dll in Valve Dota 2 CVE-2020-7951 (meshsystem.dll in Valve Dota 2 before 7.23e allows remote attackers to ...) NOT-FOR-US: Dota 2 CVE-2020-7950 (meshsystem.dll in Valve Dota 2 before 7.23f allows remote attackers to ...) NOT-FOR-US: Dota 2 CVE-2020-7949 (schemasystem.dll in Valve Dota 2 before 7.23f allows remote attackers ...) NOT-FOR-US: Dota 2 CVE-2020-7948 (An issue was discovered in the Login by Auth0 plugin before 4.0.0 for ...) NOT-FOR-US: Login by Auth0 plugin for WordPress CVE-2020-7947 (An issue was discovered in the Login by Auth0 plugin before 4.0.0 for ...) NOT-FOR-US: Login by Auth0 plugin for WordPress CVE-2020-7946 RESERVED CVE-2020-7945 RESERVED CVE-2020-7944 (In Continuous Delivery for Puppet Enterprise (CD4PE) before 3.4.0, cha ...) NOT-FOR-US: Puppet Enterprise CVE-2020-7943 (Puppet Server and PuppetDB provide useful performance and debugging in ...) - puppet (low) [stretch] - puppet (Minor issue) [buster] - puppet (Minor issue) [jessie] - puppet (vulnerable code not present) - puppetdb (low) [buster] - puppetdb (Minor issue) NOTE: https://puppet.com/security/cve/CVE-2020-7943/ NOTE: https://github.com/puppetlabs/puppet_metrics_dashboard/pull/92 CVE-2020-7942 (Previously, Puppet operated on a model that a node with a valid certif ...) - puppet (unimportant) NOTE: This CVE assignment is for switching the default setting of strict_hostname_checking, NOTE: the option is available in older Puppet releases (such as 4.8 from Stretch) NOTE: https://puppet.com/security/cve/CVE-2020-7942/ CVE-2020-7941 (A privilege escalation issue in plone.app.contenttypes in Plone 4.3 th ...) NOT-FOR-US: Plone CVE-2020-7940 (Missing password strength checks on some forms in Plone 4.3 through 5. ...) NOT-FOR-US: Plone CVE-2020-7939 (SQL Injection in DTML or in connection objects in Plone 4.0 through 5. ...) NOT-FOR-US: Plone CVE-2020-7938 (plone.restapi in Plone 5.2.0 through 5.2.1 allows users with a certain ...) NOT-FOR-US: Plone CVE-2020-7937 (An XSS issue in the title field in Plone 5.0 through 5.2.1 allows user ...) NOT-FOR-US: Plone CVE-2020-7936 (An open redirect on the login form (and possibly other places) in Plon ...) NOT-FOR-US: Plone CVE-2020-7935 (Artica Pandora FMS through 7.42 is vulnerable to remote PHP code execu ...) NOT-FOR-US: Artica Pandora FMS CVE-2020-7934 (In LifeRay Portal CE 7.1.0 through 7.2.1, the First Name, Middle Name, ...) NOT-FOR-US: LifeRay Portal CVE-2020-7933 RESERVED CVE-2020-7932 (OMERO.web before 5.6.3 optionally allows sensitive data elements (e.g. ...) NOT-FOR-US: OMERO CVE-2020-7931 (In JFrog Artifactory 5.x and 6.x, insecure FreeMarker template process ...) NOT-FOR-US: JFrog Artifactory CVE-2020-7930 RESERVED CVE-2020-7929 RESERVED CVE-2020-7928 RESERVED CVE-2020-7927 RESERVED CVE-2020-7926 RESERVED CVE-2020-7925 RESERVED CVE-2020-7924 RESERVED CVE-2020-7923 RESERVED CVE-2020-7922 (X.509 certificates generated by the MongoDB Enterprise Kubernetes Oper ...) NOT-FOR-US: MongoDB Enterprise CVE-2020-7921 (Improper serialization of internal state in the authorization subsyste ...) - mongodb [stretch] - mongodb (Minor issue) [jessie] - mongodb (Minor issue) NOTE: https://jira.mongodb.org/browse/SERVER-45472 CVE-2019-20419 (Affected versions of Atlassian Jira Server and Data Center allow remot ...) NOT-FOR-US: Atlassian CVE-2019-20418 (Affected versions of Atlassian Jira Server and Data Center allow remot ...) NOT-FOR-US: Atlassian CVE-2019-20417 (Affected versions of Atlassian Jira Server and Data Center allow remot ...) NOT-FOR-US: Atlassian CVE-2019-20416 (Affected versions of Atlassian Jira Server and Data Center allow remot ...) NOT-FOR-US: Atlassian CVE-2019-20415 (Atlassian Jira Server and Data Center in affected versions allows remo ...) NOT-FOR-US: Atlassian CVE-2019-20414 (Affected versions of Atlassian Jira Server and Data Center allow remot ...) NOT-FOR-US: Atlassian CVE-2019-20413 (Affected versions of Atlassian Jira Server and Data Center allow remot ...) NOT-FOR-US: Atlassian CVE-2019-20412 (The Convert Sub-Task to Issue page in affected versions of Atlassian J ...) NOT-FOR-US: Atlassian CVE-2019-20411 (Affected versions of Atlassian Jira Server and Data Center allow remot ...) NOT-FOR-US: Atlassian CVE-2019-20410 (Affected versions of Atlassian Jira Server and Data Center allow remot ...) NOT-FOR-US: Atlassian CVE-2019-20409 (The way in which velocity templates were used in Atlassian Jira Server ...) NOT-FOR-US: Atlassian CVE-2019-20408 (The /plugins/servlet/gadgets/makeRequest resource in Jira before versi ...) NOT-FOR-US: Atlassian CVE-2019-20407 (The ConfigureBambooRelease resource in Jira Software and Jira Software ...) NOT-FOR-US: Atlassian Jira CVE-2019-20406 (The usage of Tomcat in Confluence on the Microsoft Windows operating s ...) NOT-FOR-US: Atlassian CVE-2019-20405 (The JMX monitoring flag in Atlassian Jira Server and Data Center befor ...) NOT-FOR-US: Atlassian CVE-2019-20404 (The API in Atlassian Jira Server and Data Center before version 8.6.0 ...) NOT-FOR-US: Atlassian CVE-2019-20403 (The API in Atlassian Jira Server and Data Center before version 8.6.0 ...) NOT-FOR-US: Atlassian CVE-2019-20402 (Support zip files in Atlassian Jira Server and Data Center before vers ...) NOT-FOR-US: Atlassian CVE-2019-20401 (Various installation setup resources in Jira before version 8.5.2 allo ...) NOT-FOR-US: Atlassian CVE-2019-20400 (The usage of Tomcat in Jira before version 8.5.2 allows local attacker ...) NOT-FOR-US: Atlassian CVE-2020-7920 (pmm-server in Percona Monitoring and Management (PMM) 2.2.x before 2.2 ...) NOT-FOR-US: Percona Monitoring and Management (PMM) CVE-2020-7919 (Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte ...) - golang-1.14 1.14~rc1-1 - golang-1.13 1.13.7-1 - golang-1.11 [buster] - golang-1.11 (Minor issue, can be fixed along in next DSA) NOTE: https://github.com/golang/go/issues/36837 NOTE: https://github.com/golang/go/commit/b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574 (master) NOTE: https://github.com/golang/go/issues/36838 (Go 1.13) NOTE: https://github.com/golang/go/commit/f938e06d0623d0e1de202575d16f1e126741f6e0 (go1.13.7) TODO: check older versions than golang-1.11 CVE-2020-7918 (An insecure direct object reference in webmail in totemo totemomail 7. ...) NOT-FOR-US: totemo totemomail CVE-2020-7917 RESERVED CVE-2020-7916 (be_teacher in class-lp-admin-ajax.php in the LearnPress plugin 3.2.6.5 ...) NOT-FOR-US: LearnPress plugin for WordPress CVE-2020-7915 (An issue was discovered on Eaton 5P 850 devices. The Ubicacion SAI fie ...) NOT-FOR-US: Eaton devices CVE-2020-7914 (In JetBrains IntelliJ IDEA 2019.2, an XSLT debugger plugin misconfigur ...) - intellij-idea (bug #747616) CVE-2020-7913 (JetBrains YouTrack 2019.2 before 2019.2.59309 was vulnerable to XSS vi ...) NOT-FOR-US: JetBrains CVE-2020-7912 (In JetBrains YouTrack before 2019.2.59309, SMTP/Jabber settings could ...) NOT-FOR-US: JetBrains CVE-2020-7911 (In JetBrains TeamCity before 2019.2, several user-level pages were vul ...) NOT-FOR-US: JetBrains CVE-2020-7910 (JetBrains TeamCity before 2019.2 was vulnerable to a stored XSS attack ...) NOT-FOR-US: JetBrains CVE-2020-7909 (In JetBrains TeamCity before 2019.1.5, some server-stored passwords co ...) NOT-FOR-US: JetBrains CVE-2020-7908 (In JetBrains TeamCity before 2019.1.5, reverse tabnabbing was possible ...) NOT-FOR-US: JetBrains CVE-2020-7907 (In the JetBrains Scala plugin before 2019.2.1, some artefact dependenc ...) NOT-FOR-US: JetBrains Scala plugin CVE-2020-7906 (In JetBrains Rider versions 2019.3 EAP2 through 2019.3 EAP7, there wer ...) NOT-FOR-US: JetBrains CVE-2020-7905 (Ports listened to by JetBrains IntelliJ IDEA before 2019.3 were expose ...) - intellij-idea (bug #747616) CVE-2020-7904 (In JetBrains IntelliJ IDEA before 2019.3, some Maven repositories were ...) - intellij-idea (bug #747616) CVE-2019-20399 (A timing vulnerability in the Scalar::check_overflow function in Parit ...) NOT-FOR-US: libsecp256k1-rs (Rust Implementation of secp256k1) CVE-2019-20398 (A NULL pointer dereference is present in libyang before v1.0-r3 in the ...) [experimental] - libyang 1.0.167-1 - libyang [buster] - libyang (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1793935 NOTE: https://github.com/CESNET/libyang/commit/7852b272ef77f8098c35deea6c6f09cb78176f08 NOTE: https://github.com/CESNET/libyang/issues/773 CVE-2019-20397 (A double-free is present in libyang before v1.0-r1 in the function yyp ...) [experimental] - libyang 1.0.167-1 - libyang [buster] - libyang (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1793928 NOTE: https://github.com/CESNET/libyang/commit/88bd6c548ba79bce176cd875e9b56e7e0ef4d8d4 NOTE: https://github.com/CESNET/libyang/issues/739 CVE-2019-20396 (A segmentation fault is present in yyparse in libyang before v1.0-r1 d ...) [experimental] - libyang 1.0.167-1 - libyang [buster] - libyang (Minor issue) NOTE: https://github.com/CESNET/libyang/commit/a1f17693904ed6fecc8902c747fc50a8f20e6af8 NOTE: https://github.com/CESNET/libyang/issues/740 CVE-2019-20395 (A stack consumption issue is present in libyang before v1.0-r1 due to ...) [experimental] - libyang 1.0.167-1 - libyang [buster] - libyang (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1793924 NOTE: https://github.com/CESNET/libyang/commit/4e610ccd87a2ba9413819777d508f71163fcc237 NOTE: https://github.com/CESNET/libyang/issues/724 CVE-2019-20394 (A double-free is present in libyang before v1.0-r3 in the function yyp ...) [experimental] - libyang 1.0.167-1 - libyang [buster] - libyang (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1793932 NOTE: https://github.com/CESNET/libyang/commit/6cc51b1757dfbb7cff92de074ada65e8523289a6 NOTE: https://github.com/CESNET/libyang/issues/769 CVE-2019-20393 (A double-free is present in libyang before v1.0-r1 in the function yyp ...) [experimental] - libyang 1.0.167-1 - libyang [buster] - libyang (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1793930 NOTE: https://github.com/CESNET/libyang/commit/d9feacc4a590d35dbc1af21caf9080008b4450ed NOTE: https://github.com/CESNET/libyang/issues/742 CVE-2019-20392 (An invalid memory access flaw is present in libyang before v1.0-r1 in ...) [experimental] - libyang 1.0.167-1 - libyang [buster] - libyang (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1793922 NOTE: https://github.com/CESNET/libyang/commit/32fb4993bc8bb49e93e84016af3c10ea53964be5 NOTE: https://github.com/CESNET/libyang/issues/723 CVE-2019-20391 (An invalid memory access flaw is present in libyang before v1.0-r3 in ...) [experimental] - libyang 1.0.167-1 - libyang [buster] - libyang (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1793934 NOTE: https://github.com/CESNET/libyang/commit/bdb596ddc07596fa212f231135b87d0b9178f6f8 NOTE: https://github.com/CESNET/libyang/issues/772 CVE-2020-7903 RESERVED CVE-2020-7902 RESERVED CVE-2020-7901 RESERVED CVE-2020-7900 RESERVED CVE-2020-7899 RESERVED CVE-2020-7898 RESERVED CVE-2020-7897 RESERVED CVE-2020-7896 RESERVED CVE-2020-7895 RESERVED CVE-2020-7894 RESERVED CVE-2020-7893 RESERVED CVE-2020-7892 RESERVED CVE-2020-7891 RESERVED CVE-2020-7890 RESERVED CVE-2020-7889 RESERVED CVE-2020-7888 RESERVED CVE-2020-7887 RESERVED CVE-2020-7886 RESERVED CVE-2020-7885 RESERVED CVE-2020-7884 RESERVED CVE-2020-7883 RESERVED CVE-2020-7882 RESERVED CVE-2020-7881 RESERVED CVE-2020-7880 RESERVED CVE-2020-7879 RESERVED CVE-2020-7878 RESERVED CVE-2020-7877 RESERVED CVE-2020-7876 RESERVED CVE-2020-7875 RESERVED CVE-2020-7874 RESERVED CVE-2020-7873 RESERVED CVE-2020-7872 RESERVED CVE-2020-7871 RESERVED CVE-2020-7870 RESERVED CVE-2020-7869 RESERVED CVE-2020-7868 RESERVED CVE-2020-7867 RESERVED CVE-2020-7866 RESERVED CVE-2020-7865 RESERVED CVE-2020-7864 RESERVED CVE-2020-7863 RESERVED CVE-2020-7862 RESERVED CVE-2020-7861 RESERVED CVE-2020-7860 RESERVED CVE-2020-7859 RESERVED CVE-2020-7858 RESERVED CVE-2020-7857 RESERVED CVE-2020-7856 RESERVED CVE-2020-7855 RESERVED CVE-2020-7854 RESERVED CVE-2020-7853 RESERVED CVE-2020-7852 RESERVED CVE-2020-7851 RESERVED CVE-2020-7850 RESERVED CVE-2020-7849 RESERVED CVE-2020-7848 RESERVED CVE-2020-7847 RESERVED CVE-2020-7846 RESERVED CVE-2020-7845 RESERVED CVE-2020-7844 RESERVED CVE-2020-7843 RESERVED CVE-2020-7842 RESERVED CVE-2020-7841 RESERVED CVE-2020-7840 RESERVED CVE-2020-7839 RESERVED CVE-2020-7838 RESERVED CVE-2020-7837 RESERVED CVE-2020-7836 RESERVED CVE-2020-7835 RESERVED CVE-2020-7834 RESERVED CVE-2020-7833 RESERVED CVE-2020-7832 RESERVED CVE-2020-7831 RESERVED CVE-2020-7830 RESERVED CVE-2020-7829 RESERVED CVE-2020-7828 RESERVED CVE-2020-7827 RESERVED CVE-2020-7826 RESERVED CVE-2020-7825 RESERVED CVE-2020-7824 RESERVED CVE-2020-7823 RESERVED CVE-2020-7822 RESERVED CVE-2020-7821 (Nexacro14/17 ExtCommonApiV13 Library under 2019.9.6 version contain a ...) NOT-FOR-US: Nexacro14/17 ExtCommonApiV13 Library CVE-2020-7820 (Nexacro14/17 ExtCommonApiV13 Library under 2019.9.6 version contain a ...) NOT-FOR-US: Nexacro14/17 ExtCommonApiV13 Library CVE-2020-7819 RESERVED CVE-2020-7818 RESERVED CVE-2020-7817 RESERVED CVE-2020-7816 (A vulnerability in the JPEG image parsing module in DaView Indy, DaVa+ ...) NOT-FOR-US: DaView CVE-2020-7815 RESERVED CVE-2020-7814 RESERVED CVE-2020-7813 (Ezhttptrans.ocx ActiveX Control in Kaoni ezHTTPTrans 1.0.0.70 and prio ...) NOT-FOR-US: Kaoni CVE-2020-7812 (Ezhttptrans.ocx ActiveX Control in Kaoni ezHTTPTrans 1.0.0.70 and prio ...) NOT-FOR-US: Kaoni ezHTTPTrans CVE-2020-7811 RESERVED CVE-2020-7810 RESERVED CVE-2020-7809 (ALSong 3.46 and earlier version contain a Document Object Model (DOM) ...) NOT-FOR-US: ALSong CVE-2020-7808 (In RAONWIZ K Upload v2018.0.2.51 and prior, automatic update processin ...) NOT-FOR-US: RAONWIZ K Upload CVE-2020-7807 RESERVED CVE-2020-7806 (Tobesoft Xplatform 9.2.2.250 and earlier version have an arbitrary cod ...) NOT-FOR-US: Tobesoft Xplatform CVE-2020-7805 (An issue was discovered on KT Slim egg IML500 (R7283, R8112, R8424) an ...) NOT-FOR-US: KT Slim egg IML500 wifi devices CVE-2020-7804 (ActiveX Control(HShell.dll) in Handy Groupware 1.7.3.1 for Windows 7, ...) NOT-FOR-US: Handy Groupware CVE-2020-7803 (IMGTech Co,Ltd ZInsX.ocx ActiveX Control in Zoneplayer 2.0.1.3, versio ...) NOT-FOR-US: Zoneplayer CVE-2020-7802 (The Synergy Systems & Solutions (SSS) HUSKY RTU 6049-E70, with fir ...) NOT-FOR-US: Synergy Systems & Solutions (SSS) CVE-2020-7801 (The Synergy Systems & Solutions (SSS) HUSKY RTU 6049-E70, with fir ...) NOT-FOR-US: Synergy Systems & Solutions (SSS) CVE-2020-7800 (The Synergy Systems & Solutions (SSS) HUSKY RTU 6049-E70, with fir ...) NOT-FOR-US: Synergy Systems & Solutions (SSS) CVE-2020-7799 (An issue was discovered in FusionAuth before 1.11.0. An authenticated ...) NOT-FOR-US: FusionAuth CVE-2020-7798 RESERVED CVE-2020-7797 RESERVED CVE-2020-7796 (Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF whe ...) NOT-FOR-US: Zimbra Collaboration Suite (ZCS) CVE-2020-7795 RESERVED CVE-2020-7794 RESERVED CVE-2020-7793 RESERVED CVE-2020-7792 RESERVED CVE-2020-7791 RESERVED CVE-2020-7790 RESERVED CVE-2020-7789 RESERVED CVE-2020-7788 RESERVED CVE-2020-7787 RESERVED CVE-2020-7786 RESERVED CVE-2020-7785 RESERVED CVE-2020-7784 RESERVED CVE-2020-7783 RESERVED CVE-2020-7782 RESERVED CVE-2020-7781 RESERVED CVE-2020-7780 RESERVED CVE-2020-7779 RESERVED CVE-2020-7778 RESERVED CVE-2020-7777 RESERVED CVE-2020-7776 RESERVED CVE-2020-7775 RESERVED CVE-2020-7774 RESERVED CVE-2020-7773 RESERVED CVE-2020-7772 RESERVED CVE-2020-7771 RESERVED CVE-2020-7770 RESERVED CVE-2020-7769 RESERVED CVE-2020-7768 RESERVED CVE-2020-7767 RESERVED CVE-2020-7766 RESERVED CVE-2020-7765 RESERVED CVE-2020-7764 RESERVED CVE-2020-7763 RESERVED CVE-2020-7762 RESERVED CVE-2020-7761 RESERVED CVE-2020-7760 RESERVED CVE-2020-7759 RESERVED CVE-2020-7758 RESERVED CVE-2020-7757 RESERVED CVE-2020-7756 RESERVED CVE-2020-7755 RESERVED CVE-2020-7754 RESERVED CVE-2020-7753 RESERVED CVE-2020-7752 RESERVED CVE-2020-7751 RESERVED CVE-2020-7750 RESERVED CVE-2020-7749 RESERVED CVE-2020-7748 RESERVED CVE-2020-7747 RESERVED CVE-2020-7746 RESERVED CVE-2020-7745 RESERVED CVE-2020-7744 RESERVED CVE-2020-7743 RESERVED CVE-2020-7742 RESERVED CVE-2020-7741 RESERVED CVE-2020-7740 RESERVED CVE-2020-7739 RESERVED CVE-2020-7738 RESERVED CVE-2020-7737 RESERVED CVE-2020-7736 RESERVED CVE-2020-7735 RESERVED CVE-2020-7734 RESERVED CVE-2020-7733 RESERVED CVE-2020-7732 RESERVED CVE-2020-7731 RESERVED CVE-2020-7730 RESERVED CVE-2020-7729 RESERVED CVE-2020-7728 RESERVED CVE-2020-7727 RESERVED CVE-2020-7726 RESERVED CVE-2020-7725 RESERVED CVE-2020-7724 RESERVED CVE-2020-7723 RESERVED CVE-2020-7722 RESERVED CVE-2020-7721 RESERVED CVE-2020-7720 RESERVED CVE-2020-7719 RESERVED CVE-2020-7718 RESERVED CVE-2020-7717 RESERVED CVE-2020-7716 RESERVED CVE-2020-7715 RESERVED CVE-2020-7714 RESERVED CVE-2020-7713 RESERVED CVE-2020-7712 RESERVED CVE-2020-7711 RESERVED CVE-2020-7710 RESERVED CVE-2020-7709 RESERVED CVE-2020-7708 RESERVED CVE-2020-7707 RESERVED CVE-2020-7706 RESERVED CVE-2020-7705 RESERVED CVE-2020-7704 RESERVED CVE-2020-7703 RESERVED CVE-2020-7702 RESERVED CVE-2020-7701 RESERVED CVE-2020-7700 RESERVED CVE-2020-7699 RESERVED CVE-2020-7698 RESERVED CVE-2020-7697 RESERVED CVE-2020-7696 RESERVED CVE-2020-7695 RESERVED CVE-2020-7694 RESERVED CVE-2020-7693 RESERVED CVE-2020-7692 RESERVED CVE-2020-7691 (In all versions of the package jspdf, it is possible to use <<sc ...) TODO: check CVE-2020-7690 (In all versions of package jspdf, it is possible to inject JavaScript ...) TODO: check CVE-2020-7689 (Data is truncated wrong when its length is greater than 255 bytes. ...) NOT-FOR-US: Node bcrypt CVE-2020-7688 (The issue occurs because tagName user input is formatted inside the ex ...) NOT-FOR-US: Node mversion CVE-2020-7687 RESERVED CVE-2020-7686 RESERVED CVE-2020-7685 RESERVED CVE-2020-7684 RESERVED CVE-2020-7683 RESERVED CVE-2020-7682 RESERVED CVE-2020-7681 RESERVED CVE-2020-7680 RESERVED CVE-2020-7679 (In all versions of package casperjs, the mergeObjects utility function ...) NOT-FOR-US: Node casperjs CVE-2020-7678 RESERVED CVE-2020-7677 RESERVED CVE-2020-7676 (angular.js prior to 1.8.0 allows cross site scripting. The regex-based ...) - angular.js 1.8.0-1 [buster] - angular.js (Minor issue; can be fixed via point release) [stretch] - angular.js (Nodejs in stretch not covered by security support) [jessie] - angular.js (Minor issue, low usage of 2014-era Nodejs) NOTE: https://github.com/angular/angular.js/pull/17028 NOTE: https://snyk.io/vuln/SNYK-JS-ANGULAR-570058 CVE-2020-7675 (cd-messenger through 2.7.26 is vulnerable to Arbitrary Code Execution. ...) NOT-FOR-US: Node cd-messenger CVE-2020-7674 (access-policy through 3.1.0 is vulnerable to Arbitrary Code Execution. ...) NOT-FOR-US: Node access-policy CVE-2020-7673 (node-extend through 0.2.0 is vulnerable to Arbitrary Code Execution. U ...) TODO: check CVE-2020-7672 (mosc through 1.0.0 is vulnerable to Arbitrary Code Execution. User inp ...) TODO: check CVE-2020-7671 (goliath through 1.0.6 allows request smuggling attacks where goliath i ...) TODO: check CVE-2020-7670 (agoo through 2.12.3 allows request smuggling attacks where agoo is use ...) TODO: check CVE-2020-7669 RESERVED CVE-2020-7668 (In all versions of the package github.com/unknwon/cae/tz, the ExtractT ...) TODO: check CVE-2020-7667 (In package github.com/sassoftware/go-rpmutils/cpio before version 0.1. ...) TODO: check CVE-2020-7666 RESERVED CVE-2020-7665 RESERVED CVE-2020-7664 (In all versions of the package github.com/unknwon/cae/zip, the Extract ...) TODO: check CVE-2020-7663 (websocket-extensions ruby module prior to 0.1.5 allows Denial of Servi ...) - ruby-websocket-extensions (bug #964274) NOTE: https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2 NOTE: https://github.com/faye/websocket-extensions-ruby/commit/aa156a439da681361ed6f53f1a8131892418838b CVE-2020-7662 (websocket-extensions npm module prior to 1.0.4 allows Denial of Servic ...) NOT-FOR-US: Node websocket-extensions CVE-2020-7661 (all versions of url-regex are vulnerable to Regular Expression Denial ...) TODO: check CVE-2020-7660 (serialize-javascript prior to 3.1.0 allows remote attackers to inject ...) NOT-FOR-US: serialize-javascript Node package CVE-2020-7659 (reel through 0.6.1 allows Request Smuggling attacks due to incorrect C ...) TODO: check CVE-2020-7658 (meinheld prior to 1.0.2 is vulnerable to HTTP Request Smuggling. HTTP ...) NOT-FOR-US: meinheld CVE-2020-7657 RESERVED CVE-2020-7656 (jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load ...) - jquery 2.2.4+dfsg-1 [jessie] - jquery (Too intrusive to backport) NOTE: https://snyk.io/vuln/SNYK-JS-JQUERY-569619 NOTE: See debian-lts discussion starting at: https://lists.debian.org/debian-lts/2020/06/msg00025.html CVE-2020-7655 (netius prior to 1.17.58 is vulnerable to HTTP Request Smuggling. HTTP ...) NOT-FOR-US: netius CVE-2020-7654 (All versions of snyk-broker before 4.73.1 are vulnerable to Informatio ...) NOT-FOR-US: snyk-broker CVE-2020-7653 (All versions of snyk-broker before 4.80.0 are vulnerable to Arbitrary ...) NOT-FOR-US: snyk-broker CVE-2020-7652 (All versions of snyk-broker before 4.80.0 are vulnerable to Arbitrary ...) NOT-FOR-US: snyk-broker CVE-2020-7651 (All versions of snyk-broker before 4.79.0 are vulnerable to Arbitrary ...) NOT-FOR-US: snyk-broker CVE-2020-7650 (All versions of snyk-broker after 4.72.0 including and before 4.73.1 a ...) NOT-FOR-US: snyk-broker CVE-2020-7649 RESERVED CVE-2020-7648 (All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary ...) NOT-FOR-US: snyk-broker CVE-2020-7647 (All versions before 1.6.7 and all versions after 2.0.0 inclusive and b ...) NOT-FOR-US: jooby CVE-2020-7646 (curlrequest through 1.0.1 allows reading any file by populating the fi ...) NOT-FOR-US: Noed curlrequest CVE-2020-7645 (All versions of chrome-launcher allow execution of arbitrary commands, ...) NOT-FOR-US: Node chrome-launcher CVE-2020-7644 (fun-map through 3.3.1 is vulnerable to Prototype Pollution. The functi ...) NOT-FOR-US: Node fun-map CVE-2020-7643 (paypal-adaptive through 0.4.2 manipulation of JavaScript objects resul ...) NOT-FOR-US: Node paypal-adaptive CVE-2020-7642 (lazysizes through 5.2.0 allows execution of malicious JavaScript. The ...) NOT-FOR-US: Node lazysizes CVE-2020-7641 RESERVED CVE-2020-7640 (pixl-class prior to 1.0.3 allows execution of arbitrary commands. The ...) NOT-FOR-US: Node pixl-class CVE-2020-7639 (eivindfjeldstad-dot below 1.0.3 is vulnerable to Prototype Pollution.T ...) NOT-FOR-US: Node eivindfjeldstad-dot CVE-2020-7638 (confinit through 0.3.0 is vulnerable to Prototype Pollution.The 'setDe ...) NOT-FOR-US: Node confinit CVE-2020-7637 (class-transformer through 0.2.3 is vulnerable to Prototype Pollution. ...) NOT-FOR-US: Node class-transformer CVE-2020-7636 (adb-driver through 0.1.8 is vulnerable to Command Injection.It allows ...) NOT-FOR-US: Node adb-driver CVE-2020-7635 (compass-compile through 0.0.1 is vulnerable to Command Injection.It al ...) NOT-FOR-US: Node compass-compile CVE-2020-7634 (heroku-addonpool through 0.1.15 is vulnerable to Command Injection. ...) NOT-FOR-US: Node heroku-addonpool CVE-2020-7633 (apiconnect-cli-plugins through 6.0.1 is vulnerable to Command Injectio ...) NOT-FOR-US: Node apiconnect-cli-plugins CVE-2020-7632 (node-mpv through 1.4.3 is vulnerable to Command Injection. It allows e ...) NOT-FOR-US: Node node-mpv CVE-2020-7631 (diskusage-ng through 0.2.4 is vulnerable to Command Injection.It allow ...) NOT-FOR-US: Node diskusage-ng CVE-2020-7630 (git-add-remote through 1.0.0 is vulnerable to Command Injection. It al ...) NOT-FOR-US: git-add-remote node module CVE-2020-7629 (install-package through 0.4.0 is vulnerable to Command Injection. It a ...) NOT-FOR-US: install-package node module CVE-2020-7628 (umount through 1.1.6 is vulnerable to Command Injection. The argument ...) NOT-FOR-US: install-package node module CVE-2020-7627 (node-key-sender through 1.0.11 is vulnerable to Command Injection. It ...) NOT-FOR-US: node-key-sender node module CVE-2020-7626 (karma-mojo through 1.0.1 is vulnerable to Command Injection. It allows ...) NOT-FOR-US: karma-mojo node module CVE-2020-7625 (op-browser through 1.0.6 is vulnerable to Command Injection. It allows ...) NOT-FOR-US: op-browser node module CVE-2020-7624 (effect through 1.0.4 is vulnerable to Command Injection. It allows exe ...) NOT-FOR-US: effect node module CVE-2020-7623 (jscover through 1.0.0 is vulnerable to Command Injection. It allows ex ...) NOT-FOR-US: Node jscover CVE-2020-7622 (All versions of Jooby before 2.2.1 are vulnerable to HTTP Response Spl ...) NOT-FOR-US: Jooby CVE-2020-7621 (strong-nginx-controller through 1.0.2 is vulnerable to Command Injecti ...) NOT-FOR-US: Node strong-nginx-controller CVE-2020-7620 (pomelo-monitor through 0.3.7 is vulnerable to Command Injection.It all ...) NOT-FOR-US: Node pomelo-monitor CVE-2020-7619 (get-git-data through 1.3.1 is vulnerable to Command Injection. It is p ...) NOT-FOR-US: get-git-data node module CVE-2020-7618 (sds through 3.2.0 is vulnerable to Prototype Pollution.The library cou ...) NOT-FOR-US: Node sds CVE-2020-7617 (ini-parser through 0.0.2 is vulnerable to Prototype Pollution.The libr ...) NOT-FOR-US: Node ini-parser CVE-2020-7616 (express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollu ...) NOT-FOR-US: Node express-mock-middleware CVE-2020-7615 (fsa through 0.5.1 is vulnerable to Command Injection. The first argume ...) NOT-FOR-US: Node fsa CVE-2020-7614 (npm-programmatic through 0.0.12 is vulnerable to Command Injection.The ...) NOT-FOR-US: npm-programmatic CVE-2020-7613 (clamscan through 1.2.0 is vulnerable to Command Injection. It is possi ...) NOT-FOR-US: Node clamscan CVE-2020-7612 REJECTED CVE-2020-7611 (All versions of io.micronaut:micronaut-http-client before 1.2.11 and a ...) NOT-FOR-US: io.micronaut:micronaut-http-client CVE-2020-7610 (All versions of bson before 1.1.4 are vulnerable to Deserialization of ...) [experimental] - node-mongodb 3.5.5+~cs11.12.19-1 - node-mongodb 3.5.6+~cs11.12.19-1 [buster] - node-mongodb 3.1.13+~3.1.11-2+deb10u1 NOTE: Fixed in js-bson v1.1.4 included in 3.5.5+~cs11.12.19 NOTE: https://snyk.io/vuln/SNYK-JS-BSON-561052 NOTE: https://github.com/mongodb/js-bson/commit/3809c1313a7b2a8001065f0271199df9fa3d16a8 CVE-2020-7609 (node-rules including 3.0.0 and prior to 5.0.0 allows injection of arbi ...) NOT-FOR-US: Node node-rules CVE-2020-7608 (yargs-parser could be tricked into adding or modifying properties of O ...) - node-yargs-parser 18.1.1-1 [buster] - node-yargs-parser 11.1.1-1+deb10u1 [stretch] - node-yargs-parser (Nodejs in stretch not covered by security support) NOTE: https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381 NOTE: https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2 NOTE: https://gist.github.com/Kirill89/dcd8100d010896157a36624119439832 CVE-2020-7607 (gulp-styledocco through 0.0.3 allows execution of arbitrary commands. ...) NOT-FOR-US: Node gulp-styledocco CVE-2020-7606 (docker-compose-remote-api through 0.1.4 allows execution of arbitrary ...) NOT-FOR-US: Node docker-compose-remote-api CVE-2020-7605 (gulp-tape through 1.0.0 allows execution of arbitrary commands. It is ...) NOT-FOR-US: Node gulp-tape CVE-2020-7604 (pulverizr through 0.7.0 allows execution of arbitrary commands. Within ...) NOT-FOR-US: Node pulverizr CVE-2020-7603 (closure-compiler-stream through 0.1.15 allows execution of arbitrary c ...) NOT-FOR-US: closure-compiler-stream CVE-2020-7602 (node-prompt-here through 1.0.1 allows execution of arbitrary commands. ...) NOT-FOR-US: Node node-prompt-here CVE-2020-7601 (gulp-scss-lint through 1.0.0 allows execution of arbitrary commands. I ...) NOT-FOR-US: Node gulp-scss-lint CVE-2020-7600 (querymen prior to 2.1.4 allows modification of object properties. The ...) NOT-FOR-US: querymen nodejs module CVE-2020-7599 (All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable ...) NOT-FOR-US: com.gradle.plugin-publish CVE-2020-7598 (minimist before 1.2.2 could be tricked into adding or modifying proper ...) - node-minimist 1.2.5-1 (bug #953762) [buster] - node-minimist (Minor issue) [stretch] - node-minimist (Nodejs in stretch not covered by security support) NOTE: https://snyk.io/vuln/SNYK-JS-MINIMIST-559764 NOTE: POC: https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a NOTE: Fixed by: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94 CVE-2020-7597 (codecov-node npm module before 3.6.5 allows remote attackers to execut ...) NOT-FOR-US: codecov-node nodejs module CVE-2020-7596 (Codecov npm module before 3.6.2 allows remote attackers to execute arb ...) NOT-FOR-US: Codecov npm module CVE-2020-7595 (xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infini ...) - libxml2 2.9.10+dfsg-2.1 (bug #949582) [buster] - libxml2 (Minor issue) [stretch] - libxml2 (Minor issue) [jessie] - libxml2 (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c8907645d2e155f0d89d4d9895ac5112b5 CVE-2020-7594 (MultiTech Conduit MTCDT-LVW2-24XX 1.4.17-ocea-13592 devices allow remo ...) NOT-FOR-US: MultiTech Conduit MTCDT-LVW2-24XX devices CVE-2020-7593 RESERVED CVE-2020-7592 RESERVED CVE-2020-7591 RESERVED CVE-2020-7590 RESERVED CVE-2020-7589 (A vulnerability has been identified in LOGO!8 BM (incl. SIPLUS variant ...) NOT-FOR-US: Siemens CVE-2020-7588 RESERVED CVE-2020-7587 RESERVED CVE-2020-7586 (A vulnerability has been identified in SIMATIC PCS 7 (All versions), S ...) NOT-FOR-US: Siemens CVE-2020-7585 (A vulnerability has been identified in SIMATIC PCS 7 (All versions), S ...) NOT-FOR-US: Siemens CVE-2020-7584 RESERVED CVE-2020-7583 RESERVED CVE-2020-7582 RESERVED CVE-2020-7581 RESERVED CVE-2020-7580 (A vulnerability has been identified in SIMATIC Automation Tool (All ve ...) NOT-FOR-US: Siemens CVE-2020-7579 (A vulnerability has been identified in Spectrum Power™ 5 (All ve ...) NOT-FOR-US: Siemens CVE-2020-7578 RESERVED CVE-2020-7577 RESERVED CVE-2020-7576 RESERVED CVE-2020-7575 (A vulnerability has been identified in Climatix POL908 (BACnet/IP modu ...) NOT-FOR-US: Climatix CVE-2020-7574 (A vulnerability has been identified in Climatix POL908 (BACnet/IP modu ...) NOT-FOR-US: Climatix CVE-2020-7573 RESERVED CVE-2020-7572 RESERVED CVE-2020-7571 RESERVED CVE-2020-7570 RESERVED CVE-2020-7569 RESERVED CVE-2020-7568 RESERVED CVE-2020-7567 RESERVED CVE-2020-7566 RESERVED CVE-2020-7565 RESERVED CVE-2020-7564 RESERVED CVE-2020-7563 RESERVED CVE-2020-7562 RESERVED CVE-2020-7561 RESERVED CVE-2020-7560 RESERVED CVE-2020-7559 RESERVED CVE-2020-7558 RESERVED CVE-2020-7557 RESERVED CVE-2020-7556 RESERVED CVE-2020-7555 RESERVED CVE-2020-7554 RESERVED CVE-2020-7553 RESERVED CVE-2020-7552 RESERVED CVE-2020-7551 RESERVED CVE-2020-7550 RESERVED CVE-2020-7549 RESERVED CVE-2020-7548 RESERVED CVE-2020-7547 RESERVED CVE-2020-7546 RESERVED CVE-2020-7545 RESERVED CVE-2020-7544 RESERVED CVE-2020-7543 RESERVED CVE-2020-7542 RESERVED CVE-2020-7541 RESERVED CVE-2020-7540 RESERVED CVE-2020-7539 RESERVED CVE-2020-7538 RESERVED CVE-2020-7537 RESERVED CVE-2020-7536 RESERVED CVE-2020-7535 RESERVED CVE-2020-7534 RESERVED CVE-2020-7533 RESERVED CVE-2020-7532 RESERVED CVE-2020-7531 RESERVED CVE-2020-7530 RESERVED CVE-2020-7529 RESERVED CVE-2020-7528 RESERVED CVE-2020-7527 RESERVED CVE-2020-7526 RESERVED CVE-2020-7525 RESERVED CVE-2020-7524 RESERVED CVE-2020-7523 RESERVED CVE-2020-7522 RESERVED CVE-2020-7521 RESERVED CVE-2020-7520 RESERVED CVE-2020-7519 RESERVED CVE-2020-7518 RESERVED CVE-2020-7517 RESERVED CVE-2020-7516 RESERVED CVE-2020-7515 RESERVED CVE-2020-7514 RESERVED CVE-2020-7513 (A CWE-312: Cleartext Storage of Sensitive Information vulnerability ex ...) TODO: check CVE-2020-7512 (A CWE-1103: Use of Platform-Dependent Third Party Components with vuln ...) NOT-FOR-US: Easergy T300 CVE-2020-7511 (A CWE-327: Use of a Broken or Risky Cryptographic Algorithm vulnerabil ...) NOT-FOR-US: Easergy T300 CVE-2020-7510 (A CWE-200: Information Exposure vulnerability exists in Easergy T300 ( ...) NOT-FOR-US: Easergy T300 CVE-2020-7509 (A CWE-269: Improper privilege management (write) vulnerability exists ...) NOT-FOR-US: Easergy T300 CVE-2020-7508 (A CWE-307 Improper Restriction of Excessive Authentication Attempts vu ...) NOT-FOR-US: Easergy T300 CVE-2020-7507 (A CWE-400: Uncontrolled Resource Consumption vulnerability exists in E ...) NOT-FOR-US: Easergy T300 CVE-2020-7506 (A CWE-538: File and Directory Information Exposure vulnerability exist ...) NOT-FOR-US: Easergy T300 CVE-2020-7505 (A CWE-494 Download of Code Without Integrity Check vulnerability exist ...) NOT-FOR-US: Easergy T300 CVE-2020-7504 (A CWE-20: Improper Input Validation vulnerability exists in Easergy T3 ...) NOT-FOR-US: Easergy T300 CVE-2020-7503 (A CWE-352: Cross-Site Request Forgery (CSRF) vulnerability exists in E ...) NOT-FOR-US: Easergy T300 CVE-2020-7502 (A CWE-787: Out-of-bounds Write vulnerability exists in Modicon M218 Lo ...) NOT-FOR-US: Modicon CVE-2020-7501 (A CWE-798: Use of Hard-coded Credentials vulnerability exists in Vijeo ...) NOT-FOR-US: Schneider CVE-2020-7500 (A CWE-89:Improper Neutralization of Special Elements used in an SQL Co ...) NOT-FOR-US: Schneider CVE-2020-7499 (A CWE-284:Improper Access Control vulnerability exists in U.motion Ser ...) NOT-FOR-US: Schneider CVE-2020-7498 (A CWE-798: Use of Hard-coded Credentials vulnerability exists in the U ...) NOT-FOR-US: Schneider CVE-2020-7497 (A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ...) NOT-FOR-US: Schneider CVE-2020-7496 (A CWE-88: Argument Injection or Modification vulnerability exists in E ...) NOT-FOR-US: Schneider CVE-2020-7495 (A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ...) NOT-FOR-US: Schneider CVE-2020-7494 (A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ...) NOT-FOR-US: Schneider CVE-2020-7493 (A CWE-89: Improper Neutralization of Special Elements used in an SQL C ...) NOT-FOR-US: Schneider CVE-2020-7492 (A CWE-521: Weak Password Requirements vulnerability exists in the GP-P ...) NOT-FOR-US: Schneider CVE-2020-7491 RESERVED CVE-2020-7490 (A CWE-426: Untrusted Search Path vulnerability exists in Vijeo Designe ...) NOT-FOR-US: Schneider CVE-2020-7489 (A CWE-74: Improper Neutralization of Special Elements in Output Used b ...) NOT-FOR-US: Schneider CVE-2020-7488 (A CWE-319: Cleartext Transmission of Sensitive Information vulnerabili ...) NOT-FOR-US: Schneider CVE-2020-7487 (A CWE-345: Insufficient Verification of Data Authenticity vulnerabilit ...) NOT-FOR-US: Schneider CVE-2020-7486 (**VERSION NOT SUPPORTED WHEN ASSIGNED** A vulnerability could cause TC ...) NOT-FOR-US: Schneider Electric CVE-2020-7485 (**VERSION NOT SUPPORTED WHEN ASSIGNED** A legacy support account in th ...) NOT-FOR-US: Schneider Electric CVE-2020-7484 (**VERSION NOT SUPPORTED WHEN ASSIGNED** A vulnerability with the forme ...) NOT-FOR-US: Schneider Electric CVE-2020-7483 (**VERSION NOT SUPPORTED WHEN ASSIGNED** A vulnerability could cause ce ...) NOT-FOR-US: Schneider Electric CVE-2020-7482 (A CWE-79:Improper Neutralization of Input During Web Page Generation ( ...) NOT-FOR-US: Andover Continuum CVE-2020-7481 (A CWE-79:Improper Neutralization of Input During Web Page Generation ( ...) NOT-FOR-US: Andover Continuum CVE-2020-7480 (A CWE-94: Improper Control of Generation of Code ('Code Injection') vu ...) NOT-FOR-US: Andover Continuum CVE-2020-7479 (A CWE-306: Missing Authentication for Critical Function vulnerability ...) NOT-FOR-US: IGSS CVE-2020-7478 (A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ...) NOT-FOR-US: IGSS CVE-2020-7477 (A CWE-754: Improper Check for Unusual or Exceptional Conditions vulner ...) NOT-FOR-US: Quantum Ethernet Network module CVE-2020-7476 (A CWE-426: Untrusted Search Path vulnerability exists in ZigBee Instal ...) NOT-FOR-US: ZigBee Installation Kit CVE-2020-7475 (A CWE-74: Improper Neutralization of Special Elements in Output Used b ...) NOT-FOR-US: EcoStruxure Control Expert CVE-2020-7474 (A CWE-427: Uncontrolled Search Path Element vulnerability exists in Pr ...) NOT-FOR-US: ProSoft Configurator CVE-2020-7473 (In certain situations, all versions of Citrix ShareFile StorageZones ( ...) NOT-FOR-US: Citrix CVE-2020-7472 RESERVED CVE-2019-20390 (A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Su ...) NOT-FOR-US: Subrion CMS CVE-2019-20389 (An XSS issue was identified on the Subrion CMS 4.2.1 /panel/configurat ...) NOT-FOR-US: Subrion CMS CVE-2019-20388 (xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaV ...) - libxml2 2.9.10+dfsg-2.1 (bug #949583) [buster] - libxml2 (Minor issue) [stretch] - libxml2 (Minor issue) [jessie] - libxml2 (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/libxml2/commit/7ffcd44d7e6c46704f8af0321d9314cd26e0e18a CVE-2019-20387 (repodata_schema2id in repodata.c in libsolv before 0.7.6 has a heap-ba ...) {DLA-2088-1} - libsolv 0.6.36-2 (bug #949611) [buster] - libsolv 0.6.35-2+deb10u1 [stretch] - libsolv 0.6.24-1+deb9u2 NOTE: https://github.com/openSUSE/libsolv/commit/fdb9c9c03508990e4583046b590c30d958f272da (0.7.6) CVE-2020-7471 (Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 al ...) {DSA-4629-1} - python-django 2:2.2.10-1 (bug #950581) [jessie] - python-django (Vulnerable code introduced in Django ~1.9) NOTE: https://www.djangoproject.com/weblog/2020/feb/03/security-releases/ NOTE: https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136 (master) NOTE: https://github.com/django/django/commit/505826b469b16ab36693360da9e11fd13213421b (3.0.3) NOTE: https://github.com/django/django/commit/c67a368c16e4680b324b4f385398d638db4d8147 (2.2.10) NOTE: https://github.com/django/django/commit/001b0634cd309e372edb6d7d95d083d02b8e37bd (1.11.28) CVE-2020-7470 (Sonoff TH 10 and 16 devices with firmware 6.6.0.21 allows XSS via the ...) NOT-FOR-US: Sonoff TH 10 and 16 devices CVE-2020-7469 RESERVED CVE-2020-7468 RESERVED CVE-2020-7467 RESERVED CVE-2020-7466 RESERVED CVE-2020-7465 RESERVED CVE-2020-7464 RESERVED CVE-2020-7463 RESERVED CVE-2020-7462 RESERVED CVE-2020-7461 RESERVED CVE-2020-7460 RESERVED CVE-2020-7459 RESERVED CVE-2020-7458 RESERVED CVE-2020-7457 RESERVED CVE-2020-7456 (In FreeBSD 12.1-STABLE before r361918, 12.1-RELEASE before p6, 11.4-ST ...) - kfreebsd-10 (unimportant) NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-20:17.usb.asc CVE-2020-7455 (In FreeBSD 12.1-STABLE before r360973, 12.1-RELEASE before p5, 11.4-ST ...) NOT-FOR-US: FreeBSD CVE-2020-7454 (In FreeBSD 12.1-STABLE before r360971, 12.1-RELEASE before p5, 11.4-ST ...) NOT-FOR-US: FreeBSD CVE-2020-7453 (In FreeBSD 12.1-STABLE before r359021, 12.1-RELEASE before 12.1-RELEAS ...) - kfreebsd-10 (unimportant) NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-20:08.jail.asc CVE-2020-7452 (In FreeBSD 12.1-STABLE before r357490, 12.1-RELEASE before 12.1-RELEAS ...) - kfreebsd-10 (unimportant) NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-20:07.epair.asc CVE-2020-7451 (In FreeBSD 12.1-STABLE before r358739, 12.1-RELEASE before 12.1-RELEAS ...) NOT-FOR-US: FreeBSD CVE-2020-7450 (In FreeBSD 12.1-STABLE before r357213, 12.1-RELEASE before 12.1-RELEAS ...) NOT-FOR-US: FreeBSD CVE-2020-7449 RESERVED CVE-2020-7448 RESERVED CVE-2020-7447 RESERVED CVE-2020-7446 RESERVED CVE-2020-7445 RESERVED CVE-2020-7444 RESERVED CVE-2020-7443 RESERVED CVE-2020-7442 RESERVED CVE-2020-7441 RESERVED CVE-2020-7440 RESERVED CVE-2020-7439 RESERVED CVE-2020-7438 RESERVED CVE-2020-7437 RESERVED CVE-2020-7436 RESERVED CVE-2020-7435 RESERVED CVE-2020-7434 RESERVED CVE-2020-7433 RESERVED CVE-2020-7432 RESERVED CVE-2020-7431 RESERVED CVE-2020-7430 RESERVED CVE-2020-7429 RESERVED CVE-2020-7428 RESERVED CVE-2020-7427 RESERVED CVE-2020-7426 RESERVED CVE-2020-7425 RESERVED CVE-2020-7424 RESERVED CVE-2020-7423 RESERVED CVE-2020-7422 RESERVED CVE-2020-7421 RESERVED CVE-2020-7420 RESERVED CVE-2020-7419 RESERVED CVE-2020-7418 RESERVED CVE-2020-7417 RESERVED CVE-2020-7416 RESERVED CVE-2020-7415 RESERVED CVE-2020-7414 RESERVED CVE-2020-7413 RESERVED CVE-2020-7412 RESERVED CVE-2020-7411 RESERVED CVE-2020-7410 RESERVED CVE-2020-7409 RESERVED CVE-2020-7408 RESERVED CVE-2020-7407 RESERVED CVE-2020-7406 RESERVED CVE-2020-7405 RESERVED CVE-2020-7404 RESERVED CVE-2020-7403 RESERVED CVE-2020-7402 RESERVED CVE-2020-7401 RESERVED CVE-2020-7400 RESERVED CVE-2020-7399 RESERVED CVE-2020-7398 RESERVED CVE-2020-7397 RESERVED CVE-2020-7396 RESERVED CVE-2020-7395 RESERVED CVE-2020-7394 RESERVED CVE-2020-7393 RESERVED CVE-2020-7392 RESERVED CVE-2020-7391 RESERVED CVE-2020-7390 RESERVED CVE-2020-7389 RESERVED CVE-2020-7388 RESERVED CVE-2020-7387 RESERVED CVE-2020-7386 RESERVED CVE-2020-7385 RESERVED CVE-2020-7384 RESERVED CVE-2020-7383 RESERVED CVE-2020-7382 RESERVED CVE-2020-7381 RESERVED CVE-2020-7380 RESERVED CVE-2020-7379 RESERVED CVE-2020-7378 RESERVED CVE-2020-7377 RESERVED CVE-2020-7376 RESERVED CVE-2020-7375 RESERVED CVE-2020-7374 RESERVED CVE-2020-7373 RESERVED CVE-2020-7372 RESERVED CVE-2020-7371 RESERVED CVE-2020-7370 RESERVED CVE-2020-7369 RESERVED CVE-2020-7368 RESERVED CVE-2020-7367 RESERVED CVE-2020-7366 RESERVED CVE-2020-7365 RESERVED CVE-2020-7364 RESERVED CVE-2020-7363 RESERVED CVE-2020-7362 RESERVED CVE-2020-7361 RESERVED CVE-2020-7360 RESERVED CVE-2020-7359 RESERVED CVE-2020-7358 RESERVED CVE-2020-7357 RESERVED CVE-2020-7356 RESERVED CVE-2020-7355 (Cross-site Scripting (XSS) vulnerability in the 'notes' field of a dis ...) TODO: check CVE-2020-7354 (Cross-site Scripting (XSS) vulnerability in the 'host' field of a disc ...) TODO: check CVE-2020-7353 RESERVED CVE-2020-7352 RESERVED CVE-2020-7351 (An OS Command Injection vulnerability in the endpoint_devicemap.php co ...) NOT-FOR-US: Fonality Trixbox Community Edition CVE-2020-7350 (Rapid7 Metasploit Framework versions before 5.0.85 suffers from an ins ...) NOT-FOR-US: Rapid7 Metasploit Framework CVE-2020-7349 RESERVED CVE-2020-7348 RESERVED CVE-2020-7347 RESERVED CVE-2020-7346 RESERVED CVE-2020-7345 RESERVED CVE-2020-7344 RESERVED CVE-2020-7343 RESERVED CVE-2020-7342 RESERVED CVE-2020-7341 RESERVED CVE-2020-7340 RESERVED CVE-2020-7339 RESERVED CVE-2020-7338 RESERVED CVE-2020-7337 RESERVED CVE-2020-7336 RESERVED CVE-2020-7335 RESERVED CVE-2020-7334 RESERVED CVE-2020-7333 RESERVED CVE-2020-7332 RESERVED CVE-2020-7331 RESERVED CVE-2020-7330 RESERVED CVE-2020-7329 RESERVED CVE-2020-7328 RESERVED CVE-2020-7327 RESERVED CVE-2020-7326 RESERVED CVE-2020-7325 RESERVED CVE-2020-7324 RESERVED CVE-2020-7323 RESERVED CVE-2020-7322 RESERVED CVE-2020-7321 RESERVED CVE-2020-7320 RESERVED CVE-2020-7319 RESERVED CVE-2020-7318 RESERVED CVE-2020-7317 RESERVED CVE-2020-7316 RESERVED CVE-2020-7315 RESERVED CVE-2020-7314 RESERVED CVE-2020-7313 RESERVED CVE-2020-7312 RESERVED CVE-2020-7311 RESERVED CVE-2020-7310 RESERVED CVE-2020-7309 RESERVED CVE-2020-7308 RESERVED CVE-2020-7307 RESERVED CVE-2020-7306 RESERVED CVE-2020-7305 RESERVED CVE-2020-7304 RESERVED CVE-2020-7303 RESERVED CVE-2020-7302 RESERVED CVE-2020-7301 RESERVED CVE-2020-7300 RESERVED CVE-2020-7299 RESERVED CVE-2020-7298 RESERVED CVE-2020-7297 RESERVED CVE-2020-7296 RESERVED CVE-2020-7295 RESERVED CVE-2020-7294 RESERVED CVE-2020-7293 RESERVED CVE-2020-7292 RESERVED CVE-2020-7291 (Privilege Escalation vulnerability in McAfee Active Response (MAR) for ...) NOT-FOR-US: McAfee CVE-2020-7290 (Privilege Escalation vulnerability in McAfee Active Response (MAR) for ...) NOT-FOR-US: McAfee CVE-2020-7289 (Privilege Escalation vulnerability in McAfee Active Response (MAR) for ...) NOT-FOR-US: McAfee CVE-2020-7288 (Privilege Escalation vulnerability in McAfee Exploit Detection and Res ...) NOT-FOR-US: McAfee CVE-2020-7287 (Privilege Escalation vulnerability in McAfee Exploit Detection and Res ...) NOT-FOR-US: McAfee CVE-2020-7286 (Privilege Escalation vulnerability in McAfee Exploit Detection and Res ...) NOT-FOR-US: McAfee CVE-2020-7285 (Privilege Escalation vulnerability in McAfee MVISION Endpoint prior to ...) NOT-FOR-US: McAfee CVE-2020-7284 (Exposure of Sensitive Information in McAfee Network Security Managemen ...) NOT-FOR-US: McAfee CVE-2020-7283 (Privilege Escalation vulnerability in McAfee Total Protection (MTP) be ...) NOT-FOR-US: McAfee CVE-2020-7282 (Privilege Escalation vulnerability in McAfee Total Protection (MTP) be ...) NOT-FOR-US: McAfee CVE-2020-7281 (Privilege Escalation vulnerability in McAfee Total Protection (MTP) pr ...) NOT-FOR-US: McAfee CVE-2020-7280 (Privilege Escalation vulnerability during daily DAT updates when using ...) NOT-FOR-US: McAfee CVE-2020-7279 (DLL Search Order Hijacking Vulnerability in the installer component of ...) NOT-FOR-US: McAfee CVE-2020-7278 (Exploiting incorrectly configured access control security levels vulne ...) NOT-FOR-US: McAfee CVE-2020-7277 (Protection mechanism failure in all processes in McAfee Endpoint Secur ...) NOT-FOR-US: McAfee CVE-2020-7276 (Authentication bypass vulnerability in MfeUpgradeTool in McAfee Endpoi ...) NOT-FOR-US: McAfee CVE-2020-7275 (Accessing, modifying or executing executable files vulnerability in th ...) NOT-FOR-US: McAfee CVE-2020-7274 (Privilege escalation vulnerability in McTray.exe in McAfee Endpoint Se ...) NOT-FOR-US: McAfee CVE-2020-7273 (Accessing functionality not properly constrained by ACLs vulnerability ...) NOT-FOR-US: McAfee CVE-2020-7272 RESERVED CVE-2020-7271 RESERVED CVE-2020-7270 RESERVED CVE-2020-7269 RESERVED CVE-2020-7268 RESERVED CVE-2020-7267 (Privilege Escalation vulnerability in McAfee VirusScan Enterprise (VSE ...) NOT-FOR-US: McAfee CVE-2020-7266 (Privilege Escalation vulnerability in McAfee VirusScan Enterprise (VSE ...) NOT-FOR-US: McAfee CVE-2020-7265 (Privilege Escalation vulnerability in McAfee Endpoint Security (ENS) f ...) NOT-FOR-US: McAfee CVE-2020-7264 (Privilege Escalation vulnerability in McAfee Endpoint Security (ENS) f ...) NOT-FOR-US: McAfee CVE-2020-7263 (Improper access control vulnerability in ESConfigTool.exe in ENS for W ...) NOT-FOR-US: ENS for Windows CVE-2020-7262 (Improper Access Control vulnerability in McAfee Advanced Threat Defens ...) NOT-FOR-US: McAfee CVE-2020-7261 (Buffer Overflow via Environment Variables vulnerability in AMSI compon ...) NOT-FOR-US: McAfee CVE-2020-7260 (DLL Side Loading vulnerability in the installer for McAfee Application ...) NOT-FOR-US: McAfee CVE-2020-7259 (Exploitation of Privilege/Trust vulnerability in file in McAfee Endpoi ...) NOT-FOR-US: McAfee CVE-2020-7258 (Cross site scripting vulnerability in McAfee Network Security Manageme ...) NOT-FOR-US: McAfee CVE-2020-7257 (Privilege escalation vulnerability in McAfee Endpoint Security (ENS) f ...) NOT-FOR-US: McAfee CVE-2020-7256 (Cross site scripting vulnerability in McAfee Network Security Manageme ...) NOT-FOR-US: McAfee CVE-2020-7255 (Privilege escalation vulnerability in the administrative user interfac ...) NOT-FOR-US: McAfee CVE-2020-7254 (Privilege Escalation vulnerability in the command line interface in Mc ...) NOT-FOR-US: McAfee CVE-2020-7253 (Improper access control vulnerability in masvc.exe in McAfee Agent (MA ...) NOT-FOR-US: McAfee CVE-2020-7252 (Unquoted service executable path in DXL Broker in McAfee Data eXchange ...) NOT-FOR-US: McAfee CVE-2020-7251 (Improper access control vulnerability in Configuration Tool in McAfee ...) NOT-FOR-US: McAfee CVE-2020-7250 (Symbolic link manipulation vulnerability in McAfee Endpoint Security ( ...) NOT-FOR-US: McAfee CVE-2020-7249 (SMC D3G0804W 3.5.2.5-LAT_GA devices allow XSS via the SSID field on th ...) NOT-FOR-US: SMC D3G0804W devices CVE-2020-7248 (libubox in OpenWrt before 18.06.7 and 19.x before 19.07.1 has a tagged ...) NOT-FOR-US: libubox in OpenWrt CVE-2020-XXXX [opensmtpd DoS via opportunistic TLS downgrade] - opensmtpd 6.6.2p1-1 (bug #950121) [stretch] - opensmtpd 6.0.2p1-2+deb9u2 [buster] - opensmtpd 6.0.3p1-5+deb10u3 NOTE: https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/018_smtpd_tls.patch.sig CVE-2020-7247 (smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6 ...) {DSA-4611-1} - opensmtpd 6.6.2p1-1 (bug #950121) NOTE: https://www.openwall.com/lists/oss-security/2020/01/28/3 NOTE: Fixed by: https://github.com/OpenSMTPD/OpenSMTPD/commit/2afab2297347342f81fa31a75bbbf7dbee614fda NOTE: https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/019_smtpd_exec.patch.sig NOTE: The issue is exploitable after switching "to new grammar", which is included NOTE: in portable sync commit: NOTE: https://github.com/OpenSMTPD/OpenSMTPD/commit/be6ef06cba9484d008d9f057e6b25d863cf278ff (opensmtpd-6.4.0) CVE-2020-7246 (A remote code execution (RCE) vulnerability exists in qdPM 9.1 and ear ...) NOT-FOR-US: qdPM CVE-2020-7245 (Incorrect username validation in the registration process of CTFd v2.0 ...) NOT-FOR-US: CTFd CVE-2020-7244 (Comtech Stampede FX-1010 7.4.3 devices allow remote authenticated admi ...) NOT-FOR-US: Comtech Stampede FX-1010 devices CVE-2020-7243 (Comtech Stampede FX-1010 7.4.3 devices allow remote authenticated admi ...) NOT-FOR-US: Comtech Stampede FX-1010 devices CVE-2020-7242 (Comtech Stampede FX-1010 7.4.3 devices allow remote authenticated admi ...) NOT-FOR-US: Comtech Stampede FX-1010 devices CVE-2020-7241 (The WP Database Backup plugin through 5.5 for WordPress stores downloa ...) NOT-FOR-US: WP Database Backup plugin for WordPress CVE-2020-7240 (** DISPUTED ** Meinberg Lantime M300 and M1000 devices allow attackers ...) NOT-FOR-US: Meinberg Lantime M300 and M1000 devices CVE-2020-7239 (The conversation-watson plugin before 0.8.21 for WordPress has a DOM-b ...) NOT-FOR-US: conversation-watson plugin for WordPress CVE-2019-20386 (An issue was discovered in button_open in login/logind-button.c in sys ...) - systemd 243-5 (unimportant) NOTE: https://github.com/systemd/systemd/commit/b2774a3ae692113e1f47a336a6c09bac9cfb49ad NOTE: Negligible security impact, requires root or physical access to plug in a device, NOTE: at which point you can just as well DoS the computer with a hammer instead CVE-2019-20385 (The CSV upload feature in /supervisor/procesa_carga.php on Logaritmo A ...) NOT-FOR-US: Logaritmo Aware CallManager 2012 devices CVE-2019-20384 (Gentoo Portage through 2.3.84 allows local users to place a Trojan hor ...) NOT-FOR-US: Portage CVE-2019-20383 RESERVED CVE-2019-20382 (QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc-zrle. ...) {DSA-4665-1} - qemu 1:4.2-1 [stretch] - qemu (Minor, can be fixed along in future DSA) [jessie] - qemu (Minor, can be fixed along in future DLA) - qemu-kvm NOTE: https://www.openwall.com/lists/oss-security/2020/03/05/1 NOTE: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=6bf21f3d83e95bcc4ba35a7a07cc6655e8b010b0 CVE-2020-7238 (Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles ...) {DLA-2110-1 DLA-2109-1} - netty 1:4.1.45-1 (bug #950967) - netty-3.9 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1796225 NOTE: https://github.com/jdordonezn/CVE-2020-72381/issues/1 NOTE: Issue exists because of incomplete fix for CVE-2019-16869. NOTE: https://github.com/netty/netty/issues/9861#issuecomment-582307539 (same fix as CVE-2019-20445) CVE-2020-7237 (Cacti 1.2.8 allows Remote Code Execution (by privileged users) via she ...) - cacti 1.2.9+ds1-1 (bug #949997) [buster] - cacti (Minor issue) [stretch] - cacti (Minor issue) [jessie] - cacti (Vulnerable code introduced later) NOTE: https://github.com/Cacti/cacti/issues/3201 NOTE: https://github.com/Cacti/cacti/commit/5010719dbd160198be3e07bb994cf237e3af1308 CVE-2020-7236 (UHP UHP-100 3.4.1.15, 3.4.2.4, and 3.4.3 devices allow XSS via cw2?td= ...) NOT-FOR-US: UHP UHP-100 devices CVE-2020-7235 (UHP UHP-100 3.4.1.15, 3.4.2.4, and 3.4.3 devices allow XSS via cB3?ta= ...) NOT-FOR-US: UHP UHP-100 devices CVE-2020-7234 (Ruckus ZoneFlex R310 104.0.0.0.1347 devices allow Stored XSS via the S ...) NOT-FOR-US: Ruckus ZoneFlex R310 devices CVE-2020-7233 (KMS Controls BAC-A1616BC BACnet devices have a cleartext password of s ...) NOT-FOR-US: KMS Controls BAC-A1616BC BACnet devices CVE-2020-7232 (Evoko Home 1.31 devices allow remote attackers to obtain sensitive inf ...) NOT-FOR-US: Evoko Home devices CVE-2020-7231 (Evoko Home 1.31 devices provide different error messages for failed lo ...) NOT-FOR-US: Evoko Home devices CVE-2019-20381 (TestLink before 1.9.20 allows XSS via non-lowercase javascript: in the ...) NOT-FOR-US: TestLink CVE-2016-11018 (An issue was discovered in the Huge-IT gallery-images plugin before 1. ...) NOT-FOR-US: Huge-IT gallery-images plugin for WordPress CVE-2020-7230 RESERVED CVE-2020-7229 (An issue was discovered in Simplejobscript.com SJS before 1.65. There ...) NOT-FOR-US: Simplejobscript.com SJS CVE-2020-7228 (The Calculated Fields Form plugin through 1.0.353 for WordPress suffer ...) NOT-FOR-US: Calculated Fields Form plugin for WordPress CVE-2020-7227 (Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosur ...) NOT-FOR-US: Westermo MRD-315 devices CVE-2020-7226 (CiphertextHeader.java in Cryptacular 1.2.3, as used in Apereo CAS and ...) NOT-FOR-US: cryptacular CVE-2020-7225 RESERVED CVE-2020-7224 (The Aviatrix OpenVPN client through 2.5.7 on Linux, macOS, and Windows ...) NOT-FOR-US: Aviatrix OpenVPN client CVE-2020-7223 RESERVED CVE-2020-7222 (An issue was discovered in Amcrest Web Server 2.520.AC00.18.R 2017-06- ...) NOT-FOR-US: Amcrest Web Server CVE-2020-7221 (mysql_install_db in MariaDB 10.4.7 through 10.4.11 allows privilege es ...) - mariadb-10.3 (Only affects MariaDB 10.4.7 through 10.4.11) - mariadb-10.1 (Only affects MariaDB 10.4.7 through 10.4.11) CVE-2020-7220 (HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circ ...) NOT-FOR-US: HashiCorp Vault CVE-2020-7219 (HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services a ...) - consul 1.7.0+dfsg1-1 (bug #950736) [buster] - consul (Minor issue) NOTE: https://github.com/hashicorp/consul/issues/7159 NOTE: Fixed in 1.6.3. CVE-2020-7218 (HashiCorp Nomad and Nomad Enterprise before 0.10.3 allow unbounded res ...) - nomad 0.10.3+dfsg1-1 NOTE: https://github.com/hashicorp/nomad/issues/7002 CVE-2020-7217 (An ni_dhcp4_fsm_process_dhcp4_packet memory leak in openSUSE wicked 0. ...) NOT-FOR-US: openSUSE wicked CVE-2020-7216 (An ni_dhcp4_parse_response memory leak in openSUSE wicked 0.6.55 and e ...) NOT-FOR-US: openSUSE wicked CVE-2020-7215 (An issue was discovered in Gallagher Command Centre 7.x before 7.90.99 ...) NOT-FOR-US: Gallagher Command Centre CVE-2020-7214 RESERVED CVE-2020-7213 (Parallels 13 uses cleartext HTTP as part of the update process, allowi ...) NOT-FOR-US: Parallels CVE-2020-7212 (The _encode_invalid_chars function in util/url.py in the urllib3 libra ...) - python-urllib3 1.25.8-1 [buster] - python-urllib3 (Vulnerable code introduced later) [stretch] - python-urllib3 (Vulnerable code introduced later) [jessie] - python-urllib3 (Vulnerable code introduced later) NOTE: https://github.com/urllib3/urllib3/pull/1787 NOTE: Introduced by: https://github.com/urllib3/urllib3/commit/a74c9cfbaed9f811e7563cfc3dce894928e0221a (1.25.2) NOTE: Fixed by: https://github.com/urllib3/urllib3/commit/a2697e7c6b275f05879b60f593c5854a816489f0 (1.25.8) CVE-2020-7211 (tftp.c in libslirp 4.1.0, as used in QEMU 4.2.0, does not prevent ..\ ...) - libslirp (unimportant) NOTE: https://bugs.launchpad.net/qemu/+bug/1812451 NOTE: https://gitlab.freedesktop.org/slirp/libslirp/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 CVE-2020-7210 (Umbraco CMS 8.2.2 allows CSRF to enable/disable or delete user account ...) NOT-FOR-US: Umbraco CMS CVE-2020-7209 (LinuxKI v6.0-1 and earlier is vulnerable to an remote code execution w ...) NOT-FOR-US: LinuxKI CVE-2020-7208 (LinuxKI v6.0-1 and earlier is vulnerable to an XSS which is resolved i ...) NOT-FOR-US: LinuxKI CVE-2020-7207 RESERVED CVE-2020-7206 RESERVED CVE-2020-7205 RESERVED CVE-2020-7204 RESERVED CVE-2020-7203 RESERVED CVE-2020-7202 RESERVED CVE-2020-7201 RESERVED CVE-2020-7200 RESERVED CVE-2020-7199 RESERVED CVE-2020-7198 RESERVED CVE-2020-7197 RESERVED CVE-2020-7196 RESERVED CVE-2020-7195 RESERVED CVE-2020-7194 RESERVED CVE-2020-7193 RESERVED CVE-2020-7192 RESERVED CVE-2020-7191 RESERVED CVE-2020-7190 RESERVED CVE-2020-7189 RESERVED CVE-2020-7188 RESERVED CVE-2020-7187 RESERVED CVE-2020-7186 RESERVED CVE-2020-7185 RESERVED CVE-2020-7184 RESERVED CVE-2020-7183 RESERVED CVE-2020-7182 RESERVED CVE-2020-7181 RESERVED CVE-2020-7180 RESERVED CVE-2020-7179 RESERVED CVE-2020-7178 RESERVED CVE-2020-7177 RESERVED CVE-2020-7176 RESERVED CVE-2020-7175 RESERVED CVE-2020-7174 RESERVED CVE-2020-7173 RESERVED CVE-2020-7172 RESERVED CVE-2020-7171 RESERVED CVE-2020-7170 RESERVED CVE-2020-7169 RESERVED CVE-2020-7168 RESERVED CVE-2020-7167 RESERVED CVE-2020-7166 RESERVED CVE-2020-7165 RESERVED CVE-2020-7164 RESERVED CVE-2020-7163 RESERVED CVE-2020-7162 RESERVED CVE-2020-7161 RESERVED CVE-2020-7160 RESERVED CVE-2020-7159 RESERVED CVE-2020-7158 RESERVED CVE-2020-7157 RESERVED CVE-2020-7156 RESERVED CVE-2020-7155 RESERVED CVE-2020-7154 RESERVED CVE-2020-7153 RESERVED CVE-2020-7152 RESERVED CVE-2020-7151 RESERVED CVE-2020-7150 RESERVED CVE-2020-7149 RESERVED CVE-2020-7148 RESERVED CVE-2020-7147 RESERVED CVE-2020-7146 RESERVED CVE-2020-7145 RESERVED CVE-2020-7144 RESERVED CVE-2020-7143 RESERVED CVE-2020-7142 RESERVED CVE-2020-7141 RESERVED CVE-2020-7140 (A security vulnerability in HPE IceWall SSO Dfw and Dgfw (Domain Gatew ...) NOT-FOR-US: HPE CVE-2020-7139 (Potential remote access security vulnerabilities have been identified ...) NOT-FOR-US: HPE CVE-2020-7138 (Potential remote code execution security vulnerabilities have been ide ...) NOT-FOR-US: HPE CVE-2020-7137 (A validation issue in HPE Superdome Flex's RMC component may allow loc ...) NOT-FOR-US: HPE CVE-2020-7136 (A security vulnerability in HPE Smart Update Manager (SUM) prior to ve ...) NOT-FOR-US: HPE Smart Update Manager (SUM) CVE-2020-7135 (A potential security vulnerability has been identified in the disk dri ...) NOT-FOR-US: HPE CVE-2020-7134 (A remote access to sensitive data vulnerability was discovered in HPE ...) NOT-FOR-US: HPE CVE-2020-7133 (A unauthorized remote access vulnerability was discovered in HPE IOT + ...) NOT-FOR-US: HPE CVE-2020-7132 (A potential security vulnerability has been identified in HPE Onboard ...) NOT-FOR-US: HPE CVE-2020-7131 (This document describes a security vulnerability in Blade Maintenance ...) NOT-FOR-US: HPE CVE-2020-7130 (HPE OneView Global Dashboard (OVGD) 1.9 has a remote information discl ...) NOT-FOR-US: HPE CVE-2020-7129 RESERVED CVE-2020-7128 RESERVED CVE-2020-7127 RESERVED CVE-2020-7126 RESERVED CVE-2020-7125 RESERVED CVE-2020-7124 RESERVED CVE-2020-7123 RESERVED CVE-2020-7122 RESERVED CVE-2020-7121 RESERVED CVE-2020-7120 RESERVED CVE-2020-7119 RESERVED CVE-2020-7118 RESERVED CVE-2020-7117 (The ClearPass Policy Manager WebUI administrative interface has an aut ...) NOT-FOR-US: ClearPass Policy Manager WebUI CVE-2020-7116 (The ClearPass Policy Manager WebUI administrative interface has an aut ...) NOT-FOR-US: ClearPass Policy Manager WebUI CVE-2020-7115 (The ClearPass Policy Manager web interface is affected by a vulnerabil ...) NOT-FOR-US: ClearPass Policy Manager CVE-2020-7114 (A vulnerability exists allowing attackers, when present in the same ne ...) NOT-FOR-US: ClearPass CVE-2020-7113 (A vulnerability was found when an attacker, while communicating with t ...) NOT-FOR-US: ClearPass CVE-2020-7112 RESERVED CVE-2020-7111 (A server side injection vulnerability exists which could allow an auth ...) NOT-FOR-US: ClearPass CVE-2020-7110 (ClearPass is vulnerable to Stored Cross Site Scripting by allowing a m ...) NOT-FOR-US: ClearPass CVE-2020-7109 (The Elementor Page Builder plugin before 2.8.4 for WordPress does not ...) NOT-FOR-US: Elementor Page Builder plugin for WordPress CVE-2020-7108 (The LearnDash LMS plugin before 3.1.2 for WordPress allows XSS via the ...) NOT-FOR-US: LearnDash LMS plugin for WordPress CVE-2020-7107 (The Ultimate FAQ plugin before 1.8.30 for WordPress allows XSS via Dis ...) NOT-FOR-US: Ultimate FAQ plugin for WordPress CVE-2020-7106 (Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.p ...) {DLA-2069-1} - cacti 1.2.9+ds1-1 (bug #949996) [buster] - cacti (can be fixed along with more important issues) [stretch] - cacti (can be fixed along with more important issues) NOTE: https://github.com/Cacti/cacti/issues/3191 NOTE: https://github.com/Cacti/cacti/commit/4cbb045e03ee20a2bd09094a201a925fbb8a39d9 NOTE: https://github.com/Cacti/cacti/commit/47a000b5aba4af16967e249b25f25397506e3464 NOTE: https://github.com/Cacti/cacti/commit/b1c70e19466a6e69284e24cde437b55ccc454bee CVE-2020-7105 (async.c and dict.c in libhiredis.a in hiredis through 0.14.0 allow a N ...) {DLA-2083-1} - hiredis 0.14.0-5 (bug #949995) [buster] - hiredis (Minor issue) [stretch] - hiredis (Minor issue) NOTE: https://github.com/redis/hiredis/pull/754 NOTE: https://github.com/redis/hiredis/pull/756 CVE-2020-7104 (The chained-quiz plugin 1.1.8.1 for WordPress has reflected XSS via th ...) NOT-FOR-US: chained-quiz plugin for WordPress CVE-2019-20380 RESERVED CVE-2020-7103 RESERVED CVE-2020-7102 RESERVED CVE-2020-7101 RESERVED CVE-2020-7100 RESERVED CVE-2020-7099 RESERVED CVE-2020-7098 RESERVED CVE-2020-7097 RESERVED CVE-2020-7096 RESERVED CVE-2020-7095 RESERVED CVE-2020-7094 RESERVED CVE-2020-7093 RESERVED CVE-2020-7092 RESERVED CVE-2020-7091 RESERVED CVE-2020-7090 RESERVED CVE-2020-7089 RESERVED CVE-2020-7088 RESERVED CVE-2020-7087 RESERVED CVE-2020-7086 RESERVED CVE-2020-7085 (A heap overflow vulnerability in the Autodesk FBX-SDK versions 2019.2 ...) NOT-FOR-US: Autodesk CVE-2020-7084 (A NULL pointer dereference vulnerability in the Autodesk FBX-SDK versi ...) NOT-FOR-US: Autodesk CVE-2020-7083 (An intager overflow vulnerability in the Autodesk FBX-SDK versions 201 ...) NOT-FOR-US: Autodesk CVE-2020-7082 (A use-after-free vulnerability in the Autodesk FBX-SDK versions 2019.0 ...) NOT-FOR-US: Autodesk CVE-2020-7081 (A type confusion vulnerability in the Autodesk FBX-SDK versions 2019.0 ...) NOT-FOR-US: Autodesk CVE-2020-7080 (A buffer overflow vulnerability in the Autodesk FBX-SDK versions 2019. ...) NOT-FOR-US: Autodesk CVE-2020-7079 (An improper signature validation vulnerability in Autodesk Dynamo BIM ...) NOT-FOR-US: Autodesk CVE-2020-7078 RESERVED CVE-2020-7077 RESERVED CVE-2020-7076 RESERVED CVE-2020-7075 RESERVED CVE-2020-7074 RESERVED CVE-2020-7073 RESERVED CVE-2020-7072 RESERVED CVE-2020-7071 RESERVED CVE-2020-7070 RESERVED CVE-2020-7069 RESERVED CVE-2020-7068 RESERVED CVE-2020-7067 (In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17 and 7.4.x below ...) {DSA-4719-1 DSA-4717-1 DLA-2188-1} - php7.4 7.4.5-1 (unimportant) - php7.3 (unimportant) - php7.0 (unimportant) - php5 (unimportant) NOTE: Fixed in PHP 7.4.5, 7.3.17 NOTE: PHP Bug: https://bugs.php.net/79465 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=9d6bf8221b05f86ce5875832f0f646c4c1f218be NOTE: This only affects builds which enable EDBDIC CVE-2020-7066 (In PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16 and 7.4.x below ...) {DSA-4719-1 DSA-4717-1 DLA-2188-1} - php7.4 7.4.5-1 - php7.3 - php7.0 - php5 NOTE: Fixed in PHP 7.4.4, 7.3.16, 7.2.29 NOTE: PHP Bug: https://bugs.php.net/79329 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=0d139c5b94a5f485a66901919e51faddb0371c43 CVE-2020-7065 (In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.34, while using ...) {DSA-4719-1} - php7.4 7.4.5-1 - php7.3 - php7.0 (Vulnerable code introduced later) - php5 (Vulnerable code introduced later) NOTE: Fixed in PHP 7.4.4, 7.3.16 NOTE: PHP Bug: https://bugs.php.net/79371 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=1fdffd1c55d771ca22ae217784ab75fce592ad38 CVE-2020-7064 (In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below ...) {DSA-4719-1 DSA-4717-1 DLA-2188-1} - php7.4 7.4.5-1 - php7.3 - php7.0 - php5 NOTE: Fixed in PHP 7.4.4, 7.3.16, 7.2.29 NOTE: PHP Bug: https://bugs.php.net/79282 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=25238bdf6005b85ab844aa2b743b589dfce9f0d2 CVE-2020-7063 (In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below ...) {DSA-4719-1 DSA-4717-1 DLA-2160-1} - php7.4 7.4.3-1 - php7.3 7.3.15-1 - php7.0 - php5 NOTE: Fixed in PHP 7.4.3, 7.3.15, 7.2.28 NOTE: PHP Bug: http://bugs.php.net/79082 CVE-2020-7062 (In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below ...) {DSA-4719-1 DSA-4717-1 DLA-2160-1} - php7.4 7.4.3-1 - php7.3 7.3.15-1 - php7.0 - php5 NOTE: Fixed in PHP 7.4.3, 7.3.15, 7.2.28 NOTE: PHP Bug: http://bugs.php.net/79221 CVE-2020-7061 (In PHP versions 7.3.x below 7.3.15 and 7.4.x below 7.4.3, while extrac ...) - php7.4 (Windows specific issue) - php7.3 (Windows specific issue) - php7.0 (Windows specific issue) - php5 (Windows specific issue) NOTE: Fixed in PHP 7.4.3, 7.3.15 NOTE: PHP Bug: http://bugs.php.net/79171 CVE-2020-7060 (When using certain mbstring functions to convert multibyte encodings, ...) {DSA-4628-1 DSA-4626-1 DLA-2124-1} - php7.4 7.4.2-7 - php7.3 7.3.15-1 - php7.0 - php5 NOTE: Fixed in PHP 7.4.2, 7.3.14, 7.2.27 NOTE: PHP Bug: http://bugs.php.net/79037 CVE-2020-7059 (When using fgetss() function to read data with stripping tags, in PHP ...) {DSA-4628-1 DSA-4626-1 DLA-2124-1} - php7.4 7.4.2-7 - php7.3 7.3.15-1 - php7.0 - php5 NOTE: Fixed in PHP 7.4.2, 7.3.14, 7.2.27 NOTE: PHP Bug: https://bugs.php.net/79099 CVE-2020-7058 (** DISPUTED ** data_input.php in Cacti 1.2.8 allows remote code execut ...) - cacti (unimportant) NOTE: https://github.com/Cacti/cacti/issues/3186 NOTE: Properly configured in there is no security impact, cf. NOTE: https://github.com/Cacti/cacti/issues/3186#issuecomment-574444803 CVE-2020-7057 (Hikvision DVR DS-7204HGHI-F1 V4.0.1 build 180903 Web Version sends a d ...) NOT-FOR-US: Hikvision CVE-2020-7056 RESERVED CVE-2020-7055 (An issue was discovered in Elementor 2.7.4. Arbitrary file upload is p ...) NOT-FOR-US: Elementor CVE-2020-7054 (MmsValue_decodeMmsData in mms/iso_mms/server/mms_access_result.c in li ...) NOT-FOR-US: libIEC61850 CVE-2020-7053 (In the Linux kernel 4.14 longterm through 4.14.165 and 4.19 longterm t ...) - linux 5.2.6-1 [buster] - linux 4.19.98-1 [stretch] - linux (Vulnerable code introduced later) [jessie] - linux (Vulnerable code introduced later) NOTE: https://lore.kernel.org/stable/20200114183937.12224-1-tyhicks@canonical.com/ CVE-2020-7052 (CODESYS Control V3, Gateway V3, and HMI V3 before 3.5.15.30 allow unco ...) NOT-FOR-US: CODESYS CVE-2020-7051 (Codologic Codoforum through 4.8.4 allows stored XSS in the login area. ...) NOT-FOR-US: Codoforum CVE-2020-7050 (Codologic Codoforum through 4.8.4 allows a DOM-based XSS. While creati ...) NOT-FOR-US: Codoforum CVE-2020-7049 (Nozomi Networks OS before 19.0.4 allows /#/network?tab=network_node_li ...) NOT-FOR-US: Nozomi Networks OS CVE-2020-7048 (The WordPress plugin, WP Database Reset through 3.1, contains a flaw t ...) NOT-FOR-US: Wordpress plugin CVE-2020-7047 (The WordPress plugin, WP Database Reset through 3.1, contains a flaw t ...) NOT-FOR-US: Wordpress plugin CVE-2020-7046 (lib-smtp in submission-login and lmtp in Dovecot 2.3.9 before 2.3.9.3 ...) - dovecot (Only affects 2.3.9) NOTE: https://www.openwall.com/lists/oss-security/2020/02/12/1 CVE-2020-7045 (In Wireshark 3.0.x before 3.0.8, the BT ATT dissector could crash. Thi ...) - wireshark 3.2.0-1 [buster] - wireshark (Can be fixed along in next 3.0.x DSA) [stretch] - wireshark (Can be fixed along in next DSA/update to 3.0) [jessie] - wireshark (Doesn't support request-respone tracking in affected code passage, yet) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16258 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=01f261de41f4dd3233ef578e5c0ffb9c25c7d14d NOTE: https://www.wireshark.org/security/wnpa-sec-2020-02.html CVE-2020-7044 (In Wireshark 3.2.x before 3.2.1, the WASSP dissector could crash. This ...) - wireshark 3.2.1-1 [buster] - wireshark (Vulnerable code not present) [stretch] - wireshark (Vulnerable code not present) [jessie] - wireshark (Vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16324 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f90a3720b73ca140403315126e2a478c4f70ca03 NOTE: https://www.wireshark.org/security/wnpa-sec-2020-01.html CVE-2020-7043 (An issue was discovered in openfortivpn 1.11.0 when used with OpenSSL ...) - openfortivpn 1.12.0-1 (unimportant) NOTE: https://github.com/adrienverge/openfortivpn/issues/536 NOTE: https://github.com/adrienverge/openfortivpn/commit/6328a070ddaab16faaf008cb9a8a62439c30f2a8 NOTE: No version of openfortivpn was shipped with OpenSSL < 1.0.2, marking as unimportant CVE-2020-7042 (An issue was discovered in openfortivpn 1.11.0 when used with OpenSSL ...) - openfortivpn 1.12.0-1 [buster] - openfortivpn (Minor issue) NOTE: https://github.com/adrienverge/openfortivpn/issues/536 NOTE: https://github.com/adrienverge/openfortivpn/commit/9eee997d599a89492281fc7ffdd79d88cd61afc3 CVE-2020-7041 (An issue was discovered in openfortivpn 1.11.0 when used with OpenSSL ...) - openfortivpn 1.12.0-1 [buster] - openfortivpn (Minor issue) NOTE: https://github.com/adrienverge/openfortivpn/issues/536 NOTE: https://github.com/adrienverge/openfortivpn/commit/60660e00b80bad0fadcf39aee86f6f8756c94f91 CVE-2020-7040 (storeBackup.pl in storeBackup through 3.5 relies on the /tmp/storeBack ...) {DLA-2095-1} - storebackup 3.2.1-2 (bug #949393) [buster] - storebackup (Minor issue) [stretch] - storebackup (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1156767 NOTE: https://www.openwall.com/lists/oss-security/2020/01/20/3 NOTE: SuSE provided patch: https://www.openwall.com/lists/oss-security/2020/01/20/3/1 CVE-2020-7039 (tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, misman ...) {DSA-4616-1 DLA-2090-1 DLA-2076-1} - libslirp 4.1.0-2 (bug #949084) - qemu 1:4.1-2 - qemu-kvm - slirp 1:1.0.17-10 (bug #949085) [buster] - slirp (Minor issue; can be fixed via point release) [stretch] - slirp (Minor issue; can be fixed via point release) NOTE: https://www.openwall.com/lists/oss-security/2020/01/16/2 NOTE: https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289 NOTE: https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9 NOTE: https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80 NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed. CVE-2020-7038 RESERVED CVE-2020-7037 RESERVED CVE-2020-7036 RESERVED CVE-2020-7035 RESERVED CVE-2020-7034 RESERVED CVE-2020-7033 RESERVED CVE-2020-7032 RESERVED CVE-2020-7031 RESERVED CVE-2020-7030 (A sensitive information disclosure vulnerability was discovered in the ...) NOT-FOR-US: IP Office CVE-2020-7029 RESERVED CVE-2020-7028 RESERVED CVE-2020-7027 RESERVED CVE-2020-7026 RESERVED CVE-2020-7025 RESERVED CVE-2020-7024 RESERVED CVE-2020-7023 RESERVED CVE-2020-7022 RESERVED CVE-2020-7021 RESERVED CVE-2020-7020 RESERVED CVE-2020-7019 RESERVED CVE-2020-7018 RESERVED CVE-2020-7017 RESERVED CVE-2020-7016 RESERVED CVE-2020-7015 (Kibana versions before 6.8.9 and 7.7.0 contains a stored XSS flaw in t ...) - kibana (bug #700337) CVE-2020-7014 (The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch ve ...) - elasticsearch CVE-2020-7013 (Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution f ...) - kibana (bug #700337) CVE-2020-7012 (Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype ...) - kibana (bug #700337) CVE-2020-7011 (Elastic App Search versions before 7.7.0 contain a cross site scriptin ...) - elasticsearch CVE-2020-7010 (Elastic Cloud on Kubernetes (ECK) versions prior to 1.1.0 generate pas ...) TODO: check CVE-2020-7009 (Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 ...) - elasticsearch CVE-2020-7008 (VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module may al ...) NOT-FOR-US: VISAM VBASE Editor CVE-2020-7007 (In Moxa EDS-G516E Series firmware, Version 5.2 or lower, the attacker ...) NOT-FOR-US: Moxa CVE-2020-7006 (Systech Corporation NDS-5000 Terminal Server, NDS/5008 (8 Port, RJ45), ...) NOT-FOR-US: Systech Corporation CVE-2020-7005 (In Honeywell WIN-PAK 4.7.2, Web and prior versions, the affected produ ...) NOT-FOR-US: Honeywell CVE-2020-7004 (VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module may al ...) NOT-FOR-US: VISAM VBASE Editor CVE-2020-7003 (In Moxa ioLogik 2500 series firmware, Version 3.0 or lower, and IOxpre ...) NOT-FOR-US: Moxa CVE-2020-7002 (Delta Industrial Automation CNCSoft ScreenEditor, v1.00.96 and prior. ...) NOT-FOR-US: McAfee CVE-2020-7001 (In Moxa EDS-G516E Series firmware, Version 5.2 or lower, the affected ...) NOT-FOR-US: Moxa CVE-2020-7000 (VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module may al ...) NOT-FOR-US: VISAM VBASE Editor CVE-2020-6999 (In Moxa EDS-G516E Series firmware, Version 5.2 or lower, some of the p ...) NOT-FOR-US: Moxa CVE-2020-6998 RESERVED CVE-2020-6997 (In Moxa EDS-G516E Series firmware, Version 5.2 or lower, sensitive inf ...) NOT-FOR-US: Moxa CVE-2020-6996 (Triangle MicroWorks DNP3 Outstation LibrariesDNP3 Outstation .NET Prot ...) NOT-FOR-US: Triangle MicroWorks CVE-2020-6995 (In Moxa PT-7528 series firmware, Version 4.0 or lower, and PT-7828 ser ...) NOT-FOR-US: Moxa CVE-2020-6994 (A buffer overflow vulnerability was found in some devices of Hirschman ...) NOT-FOR-US: Hirschmann Automation and Control HiOS and HiSecOS CVE-2020-6993 (In Moxa PT-7528 series firmware, Version 4.0 or lower, and PT-7828 ser ...) NOT-FOR-US: Moxa CVE-2020-6992 (A local privilege escalation vulnerability has been identified in the ...) NOT-FOR-US: GE Digital CVE-2020-6991 (In Moxa EDS-G516E Series firmware, Version 5.2 or lower, weak password ...) NOT-FOR-US: Moxa CVE-2020-6990 (Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and p ...) NOT-FOR-US: Rockwell CVE-2020-6989 (In Moxa PT-7528 series firmware, Version 4.0 or lower, and PT-7828 ser ...) NOT-FOR-US: Moxa CVE-2020-6988 (Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and p ...) NOT-FOR-US: Rockwell CVE-2020-6987 (In Moxa PT-7528 series firmware, Version 4.0 or lower, and PT-7828 ser ...) NOT-FOR-US: Moxa CVE-2020-6986 (In all versions of Omron PLC CJ Series, an attacker can send a series ...) NOT-FOR-US: Omron CVE-2020-6985 (In Moxa PT-7528 series firmware, Version 4.0 or lower, and PT-7828 ser ...) NOT-FOR-US: Moxa CVE-2020-6984 (Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and p ...) NOT-FOR-US: Rockwell CVE-2020-6983 (In Moxa PT-7528 series firmware, Version 4.0 or lower, and PT-7828 ser ...) NOT-FOR-US: Moxa CVE-2020-6982 (In Honeywell WIN-PAK 4.7.2, Web and prior versions, the header injecti ...) NOT-FOR-US: Honeywell CVE-2020-6981 (In Moxa EDS-G516E Series firmware, Version 5.2 or lower, an attacker m ...) NOT-FOR-US: Moxa CVE-2020-6980 (Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and p ...) NOT-FOR-US: Rockwell CVE-2020-6979 (In Moxa EDS-G516E Series firmware, Version 5.2 or lower, the affected ...) NOT-FOR-US: Moxa CVE-2020-6978 (In Honeywell WIN-PAK 4.7.2, Web and prior versions, the affected produ ...) NOT-FOR-US: Honeywell CVE-2020-6977 (A restricted desktop environment escape vulnerability exists in the Ki ...) NOT-FOR-US: GE CVE-2020-6976 (Delta Industrial Automation CNCSoft ScreenEditor, v1.00.96 and prior. ...) NOT-FOR-US: Delta Industrial Automation CNCSoft ScreenEditor CVE-2020-6975 (Digi International ConnectPort LTS 32 MEI, Firmware Version 1.4.3 (820 ...) NOT-FOR-US: Digi International ConnectPort LTS 32 MEI CVE-2020-6974 (Honeywell Notifier Web Server (NWS) Version 3.50 is vulnerable to a pa ...) NOT-FOR-US: Honeywell CVE-2020-6973 (Digi International ConnectPort LTS 32 MEI, Firmware Version 1.4.3 (820 ...) NOT-FOR-US: Digi International ConnectPort LTS 32 MEI CVE-2020-6972 (In Notifier Web Server (NWS) Version 3.50 and earlier, the Honeywell F ...) NOT-FOR-US: Honeywell CVE-2020-6971 (In Emerson ValveLink v12.0.264 to v13.4.118, a vulnerability in the Va ...) NOT-FOR-US: Emerson CVE-2020-6970 (A Heap-based Buffer Overflow was found in Emerson OpenEnterprise SCADA ...) NOT-FOR-US: Emerson OpenEnterprise SCADA Server CVE-2020-6969 (It is possible to unmask credentials and other sensitive information o ...) NOT-FOR-US: AutomationDirect CVE-2020-6968 (Honeywell INNCOM INNControl 3 allows workstation users to escalate app ...) NOT-FOR-US: Honeywell CVE-2020-6967 (In Rockwell Automation all versions of FactoryTalk Diagnostics softwar ...) NOT-FOR-US: Rockwell CVE-2020-6966 (In ApexPro Telemetry Server Versions 4.2 and prior, CARESCAPE Telemetr ...) NOT-FOR-US: ApexPro Telemetry Server CVE-2020-6965 (In ApexPro Telemetry Server Versions 4.2 and prior, CARESCAPE Telemetr ...) NOT-FOR-US: ApexPro Telemetry Server CVE-2020-6964 (In ApexPro Telemetry Server Versions 4.2 and prior, CARESCAPE Telemetr ...) NOT-FOR-US: ApexPro Telemetry Server CVE-2020-6963 (In ApexPro Telemetry Server Versions 4.2 and prior, CARESCAPE Telemetr ...) NOT-FOR-US: ApexPro Telemetry Server CVE-2020-6962 (In ApexPro Telemetry Server, Versions 4.2 and prior, CARESCAPE Telemet ...) NOT-FOR-US: ApexPro Telemetry Server CVE-2020-6961 (In ApexPro Telemetry Server, Versions 4.2 and prior, CARESCAPE Telemet ...) NOT-FOR-US: ApexPro Telemetry Server CVE-2020-6960 (The following versions of MAXPRO VMS and NVR, MAXPRO VMS:HNMSWVMS prio ...) NOT-FOR-US: Honeywell CVE-2020-6959 (The following versions of MAXPRO VMS and NVR, MAXPRO VMS:HNMSWVMS prio ...) NOT-FOR-US: Honeywell CVE-2020-6958 (An XXE vulnerability in JnlpSupport in Yet Another Java Service Wrappe ...) NOT-FOR-US: Yet Another Java Service Wrapper (YAJSW) CVE-2020-6957 RESERVED CVE-2020-6956 (PCS DEXICON 3.4.1 allows XSS via the loginName parameter in login_acti ...) NOT-FOR-US: PCS DEXICON CVE-2020-6955 (An issue was discovered on Cayin SMP-PRO4 devices. They allow image_pr ...) NOT-FOR-US: Cayin SMP-PRO4 devices CVE-2020-6954 (An issue was discovered on Cayin SMP-PRO4 devices. A user can discover ...) NOT-FOR-US: Cayin SMP-PRO4 devices CVE-2020-6953 RESERVED CVE-2020-6952 RESERVED CVE-2020-6951 RESERVED CVE-2020-6950 RESERVED - mojarra (Vulnerable code introduced later) NOTE: https://github.com/eclipse-ee4j/mojarra/commit/cefbb9447e7be560e59da2da6bd7cb93776f7741 CVE-2020-6949 (A privilege escalation issue was discovered in the postUser function i ...) NOT-FOR-US: HashBrown CMS CVE-2020-6948 (A remote code execution issue was discovered in HashBrown CMS through ...) NOT-FOR-US: HashBrown CMS CVE-2020-6947 RESERVED CVE-2020-6946 RESERVED CVE-2020-6945 RESERVED CVE-2020-6944 RESERVED CVE-2020-6943 RESERVED CVE-2020-6942 RESERVED CVE-2020-6941 RESERVED CVE-2020-6940 RESERVED CVE-2020-6939 RESERVED CVE-2020-6938 (A sensitive information disclosure vulnerability in Tableau Server 10. ...) NOT-FOR-US: Tableau Server CVE-2020-6937 (A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, ...) NOT-FOR-US: MuleSoft CVE-2020-6936 RESERVED CVE-2020-6935 RESERVED CVE-2020-6934 RESERVED CVE-2020-6933 RESERVED CVE-2020-6932 RESERVED CVE-2020-6931 RESERVED CVE-2020-6930 RESERVED CVE-2020-6929 RESERVED CVE-2020-6928 RESERVED CVE-2020-6927 RESERVED CVE-2020-6926 RESERVED CVE-2020-6925 RESERVED CVE-2020-6924 RESERVED CVE-2020-6923 RESERVED CVE-2020-6922 RESERVED CVE-2020-6921 RESERVED CVE-2020-6920 RESERVED CVE-2020-6919 RESERVED CVE-2020-6918 RESERVED CVE-2020-6917 RESERVED CVE-2020-6916 RESERVED CVE-2020-6915 RESERVED CVE-2020-6914 RESERVED CVE-2020-6913 RESERVED CVE-2020-6912 RESERVED CVE-2020-6911 RESERVED CVE-2020-6910 RESERVED CVE-2020-6909 RESERVED CVE-2020-6908 RESERVED CVE-2020-6907 RESERVED CVE-2020-6906 RESERVED CVE-2020-6905 RESERVED CVE-2020-6904 RESERVED CVE-2020-6903 RESERVED CVE-2020-6902 RESERVED CVE-2020-6901 RESERVED CVE-2020-6900 RESERVED CVE-2020-6899 RESERVED CVE-2020-6898 RESERVED CVE-2020-6897 RESERVED CVE-2020-6896 RESERVED CVE-2020-6895 RESERVED CVE-2020-6894 RESERVED CVE-2020-6893 RESERVED CVE-2020-6892 RESERVED CVE-2020-6891 RESERVED CVE-2020-6890 RESERVED CVE-2020-6889 RESERVED CVE-2020-6888 RESERVED CVE-2020-6887 RESERVED CVE-2020-6886 RESERVED CVE-2020-6885 RESERVED CVE-2020-6884 RESERVED CVE-2020-6883 RESERVED CVE-2020-6882 RESERVED CVE-2020-6881 RESERVED CVE-2020-6880 RESERVED CVE-2020-6879 RESERVED CVE-2020-6878 RESERVED CVE-2020-6877 RESERVED CVE-2020-6876 RESERVED CVE-2020-6875 RESERVED CVE-2020-6874 RESERVED CVE-2020-6873 RESERVED CVE-2020-6872 RESERVED CVE-2020-6871 RESERVED CVE-2020-6870 (The version V12.17.20T115 of ZTE U31R20 product is impacted by a desig ...) NOT-FOR-US: ZTE CVE-2020-6869 (All versions up to 10.06 of ZTEMarket APK are impacted by an informati ...) NOT-FOR-US: ZTE CVE-2020-6868 (ZTE's PON terminal product is impacted by the access control vulnerabi ...) NOT-FOR-US: ZTE CVE-2020-6867 (ZTE's SDON controller is impacted by the resource management error vul ...) NOT-FOR-US: ZTE CVE-2020-6866 (A ZTE product is impacted by a resource management error vulnerability ...) NOT-FOR-US: ZTE CVE-2020-6865 (ZTE SDN controller platform is impacted by an information leakage vuln ...) NOT-FOR-US: ZTE CVE-2020-6864 (ZTE E8820V3 router product is impacted by an information leak vulnerab ...) NOT-FOR-US: ZTE CVE-2020-6863 (ZTE E8820V3 router product is impacted by a permission and access cont ...) NOT-FOR-US: ZTE CVE-2020-6862 (V6.0.10P2T2 and V6.0.10P2T5 of F6x2W product are impacted by Informati ...) NOT-FOR-US: ZTE F6x2W CVE-2020-6861 (A flawed protocol design in the Ledger Monero app before 1.5.1 for Led ...) NOT-FOR-US: Ledger Monero app CVE-2020-6860 (libmysofa 0.9.1 has a stack-based buffer overflow in readDataVar in hd ...) - libmysofa 1.0~dfsg0-1 (bug #949325) [buster] - libmysofa (Minor issue) NOTE: https://github.com/hoene/libmysofa/issues/96 NOTE: https://github.com/hoene/libmysofa/commit/c31120a4ddfe3fc705cfdd74da7e884e1866da85 CVE-2020-6859 (Multiple Insecure Direct Object Reference vulnerabilities in includes/ ...) NOT-FOR-US: Ultimate Member plugin for WordPress CVE-2020-6858 (Hotels Styx through 1.0.0.beta8 allows HTTP response splitting due to ...) NOT-FOR-US: Hotels Styx CVE-2020-6857 (CarbonFTP v1.4 uses insecure proprietary password encryption with a ha ...) NOT-FOR-US: CarbonFTP CVE-2020-6856 (An XML External Entity (XEE) vulnerability exists in the JOC Cockpit c ...) NOT-FOR-US: JOC Cockpit component of SOS JobScheduler CVE-2020-6855 (A large or infinite loop vulnerability in the JOC Cockpit component of ...) NOT-FOR-US: JOC Cockpit component of SOS JobScheduler CVE-2020-6854 (A cross-site scripting (XSS) vulnerability in the JOC Cockpit componen ...) NOT-FOR-US: JOC Cockpit, different from src:cockpit CVE-2020-6853 RESERVED CVE-2020-6852 (CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP with firmware 3. ...) NOT-FOR-US: CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP CVE-2020-6851 (OpenJPEG through 2.3.1 has a heap-based buffer overflow in opj_t1_clbl ...) {DLA-2081-1} - openjpeg2 (bug #950000) [buster] - openjpeg2 (Minor issue) [stretch] - openjpeg2 (Minor issue) NOTE: https://github.com/uclouvain/openjpeg/issues/1228 NOTE: https://github.com/uclouvain/openjpeg/commit/024b8407392cb0b82b04b58ed256094ed5799e04 CVE-2020-6850 (Utilities.php in the miniorange-saml-20-single-sign-on plugin before 4 ...) NOT-FOR-US: miniorange-saml-20-single-sign-on plugin for WordPress CVE-2020-6849 (The marketo-forms-and-tracking plugin through 1.0.2 for WordPress allo ...) NOT-FOR-US: marketo-forms-and-tracking plugin for WordPress CVE-2020-6848 (Axper Vision II 4 devices allow XSS via the DEVICE_NAME (aka Device Na ...) NOT-FOR-US: Axper Vision II 4 devices CVE-2020-6847 (OpenTrade through 0.2.0 has a DOM-based XSS vulnerability that is exec ...) NOT-FOR-US: OpenTrade CVE-2020-6846 RESERVED CVE-2020-6845 (An issue was discovered in TopManage OLK 2020. As there is no ReadOnly ...) NOT-FOR-US: TopManage CVE-2020-6844 (In TopManage OLK 2020, login CSRF can be chained with another vulnerab ...) NOT-FOR-US: TopManage CVE-2020-6843 (Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 allows XSS. This i ...) NOT-FOR-US: Zoho ManageEngine ServiceDesk Plus CVE-2020-6842 (D-Link DCH-M225 1.05b01 and earlier devices allow remote authenticated ...) NOT-FOR-US: D-Link CVE-2020-6841 (D-Link DCH-M225 1.05b01 and earlier devices allow remote attackers to ...) NOT-FOR-US: D-Link CVE-2020-6840 (In mruby 2.1.0, there is a use-after-free in hash_slice in mrbgems/mru ...) - mruby (Vulnerable code introduced later) NOTE: https://github.com/mruby/mruby/issues/4927 NOTE: Introduced by: https://github.com/mruby/mruby/commit/694089fafe4eae36c379a3d918d540eb0c4b8661 NOTE: Fixed by: https://github.com/mruby/mruby/commit/fc8fb41451b07b3fda0726ba80e88e509ad02452 CVE-2020-6839 (In mruby 2.1.0, there is a stack-based buffer overflow in mrb_str_len_ ...) - mruby (Vulnerable code not present) NOTE: https://github.com/mruby/mruby/issues/4929 NOTE: Introduced by: https://github.com/mruby/mruby/commit/2532e625edc2457447369e36e2ecf7882d872ef9 NOTE: Fixed by: https://github.com/mruby/mruby/commit/2124b9b4c95e66e63b1eb26a8dab49753b82fd6c CVE-2020-6838 (In mruby 2.1.0, there is a use-after-free in hash_values_at in mrbgems ...) - mruby (Vulnerable code not present) NOTE: Introduced by: https://github.com/mruby/mruby/commit/694089fafe4eae36c379a3d918d540eb0c4b8661 NOTE: https://github.com/mruby/mruby/issues/4926 NOTE: https://github.com/mruby/mruby/commit/fc8fb41451b07b3fda0726ba80e88e509ad02452 NOTE: https://github.com/mruby/mruby/commit/70e574689664c10ed2c47581999cc2ce3e3c5afb NOTE: https://github.com/mruby/mruby/commit/2742ded32fe18f88833d76b297f5c2170b6880c3 CVE-2020-6837 RESERVED CVE-2020-6836 (grammar-parser.jison in the hot-formula-parser package before 3.0.1 fo ...) NOT-FOR-US: hot-formula-parser Node package CVE-2020-6835 (An issue was discovered in Bftpd before 5.4. There is a heap-based off ...) - bftpd (bug #640469) CVE-2020-6834 RESERVED CVE-2020-6833 (An issue was discovered in GitLab EE 11.3 and later. A GitLab Workhors ...) - gitlab (Only affects Gitlab EE 11.3 and later) NOTE: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/ CVE-2020-6832 (An issue was discovered in GitLab Enterprise Edition (EE) 8.9.0 throug ...) - gitlab (Only affects GitLab EE 8.9.0 and later) NOTE: https://about.gitlab.com/releases/2020/01/13/critical-security-release-gitlab-12-dot-6-dot-4-released/ CVE-2019-20379 (ganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via th ...) - ganglia-web (unimportant; bug #948664) NOTE: https://github.com/ganglia/ganglia-web/issues/351 NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone, #702776 CVE-2019-20378 (ganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via th ...) - ganglia-web (unimportant; bug #948664) NOTE: https://github.com/ganglia/ganglia-web/issues/351 NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone, #702776 CVE-2019-20377 (TopList before 2019-09-03 allows XSS via a title. ...) NOT-FOR-US: TopList CVE-2020-6831 (A buffer overflow could occur when parsing and validating SCTP chunks ...) {DSA-4714-1 DSA-4683-1 DSA-4678-1 DLA-2206-1 DLA-2205-1} - firefox 76.0-1 - firefox-esr 68.8.0esr-1 - thunderbird 1:68.8.0-1 - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-16/#CVE-2020-6831 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-17/#CVE-2020-6831 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-18/#CVE-2020-6831 CVE-2020-6830 (For native-to-JS bridging, the app requires a unique token to be passe ...) - firefox (Firefox on iOS) CVE-2020-6829 RESERVED CVE-2020-6828 (A malicious Android application could craft an Intent that would have ...) - firefox-esr (Android-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-13/#CVE-2020-6828 CVE-2020-6827 (When following a link that opened an intent://-schemed URL, causing a ...) - firefox-esr (Android-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-13/#CVE-2020-6827 CVE-2020-6826 (Mozilla developers Tyson Smith, Bob Clary, and Alexandru Michis report ...) - firefox 75.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-12/#CVE-2020-6826 CVE-2020-6825 (Mozilla developers and community members Tyson Smith and Christian Hol ...) {DSA-4656-1 DSA-4655-1 DLA-2172-1 DLA-2170-1} - firefox 75.0-1 - firefox-esr 68.7.0esr-1 - thunderbird 1:68.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-14/#CVE-2020-6825 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-13/#CVE-2020-6825 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-12/#CVE-2020-6825 CVE-2020-6824 (Initially, a user opens a Private Browsing Window and generates a pass ...) - firefox 75.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-12/#CVE-2020-6824 CVE-2020-6823 (A malicious extension could have called <code>browser.identity.l ...) - firefox 75.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-12/#CVE-2020-6823 CVE-2020-6822 (On 32-bit builds, an out of bounds write could have occurred when proc ...) {DSA-4656-1 DSA-4655-1 DLA-2172-1 DLA-2170-1} - firefox 75.0-1 - firefox-esr 68.7.0esr-1 - thunderbird 1:68.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-14/#CVE-2020-6822 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-13/#CVE-2020-6822 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-12/#CVE-2020-6822 CVE-2020-6821 (When reading from areas partially or fully outside the source resource ...) {DSA-4656-1 DSA-4655-1 DLA-2172-1 DLA-2170-1} - firefox 75.0-1 - firefox-esr 68.7.0esr-1 - thunderbird 1:68.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-14/#CVE-2020-6821 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-13/#CVE-2020-6821 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-12/#CVE-2020-6821 CVE-2020-6820 (Under certain conditions, when handling a ReadableStream, a race condi ...) {DSA-4656-1 DSA-4653-1 DLA-2172-1 DLA-2170-1} - firefox 74.0.1-1 - firefox-esr 68.6.1esr-1 - thunderbird 1:68.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/#CVE-2020-6820 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-14/#CVE-2020-6820 CVE-2020-6819 (Under certain conditions, when running the nsDocShell destructor, a ra ...) {DSA-4656-1 DSA-4653-1 DLA-2172-1 DLA-2170-1} - firefox 74.0.1-1 - firefox-esr 68.6.1esr-1 - thunderbird 1:68.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/#CVE-2020-6819 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-14/#CVE-2020-6819 CVE-2020-6818 RESERVED CVE-2020-6817 [Regular expression denial of service] RESERVED {DLA-2167-1} - python-bleach 3.1.4-1 (bug #955388) [buster] - python-bleach (Minor issue; some regression potential) [stretch] - python-bleach (Minor issue; some regression potential) NOTE: https://github.com/mozilla/bleach/security/advisories/GHSA-vqhp-cxgc-6wmm NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1623633 NOTE: https://github.com/mozilla/bleach/commit/d6018f2539d271963c3e7f54f36ef11900363c69 NOTE: https://github.com/mozilla/bleach/commit/6e74a5027b57055cdaeb040343d32934121392a7 NOTE: Regression report: https://github.com/mozilla/bleach/pull/530 CVE-2020-6815 (Mozilla developers reported memory safety and script safety bugs prese ...) - firefox 74.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-08/#CVE-2020-6815 CVE-2020-6814 (Mozilla developers reported memory safety bugs present in Firefox and ...) {DSA-4642-1 DSA-4639-1 DLA-2150-1 DLA-2140-1} - firefox 74.0-1 - firefox-esr 68.6.0esr-1 - thunderbird 1:68.6.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-10/#CVE-2020-6814 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-09/#CVE-2020-6814 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-08/#CVE-2020-6814 CVE-2020-6813 (When protecting CSS blocks with the nonce feature of Content Security ...) - firefox 74.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-08/#CVE-2020-6813 CVE-2020-6812 (The first time AirPods are connected to an iPhone, they become named a ...) {DSA-4642-1 DSA-4639-1 DLA-2150-1 DLA-2140-1} - firefox 74.0-1 - firefox-esr 68.6.0esr-1 - thunderbird 1:68.6.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-10/#CVE-2020-6812 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-09/#CVE-2020-6812 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-08/#CVE-2020-6812 CVE-2020-6811 (The 'Copy as cURL' feature of Devtools' network tab did not properly e ...) {DSA-4642-1 DSA-4639-1 DLA-2150-1 DLA-2140-1} - firefox 74.0-1 - firefox-esr 68.6.0esr-1 - thunderbird 1:68.6.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-10/#CVE-2020-6811 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-09/#CVE-2020-6811 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-08/#CVE-2020-6811 CVE-2020-6810 (After a website had entered fullscreen mode, it could have used a prev ...) - firefox 74.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-08/#CVE-2020-6810 CVE-2020-6809 (When a Web Extension had the all-urls permission and made a fetch requ ...) - firefox 74.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-08/#CVE-2020-6809 CVE-2020-6808 (When a JavaScript URL (javascript:) is evaluated and the result is a s ...) - firefox 74.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-08/#CVE-2020-6808 CVE-2020-6807 (When a device was changed while a stream was about to be destroyed, th ...) {DSA-4642-1 DSA-4639-1 DLA-2150-1 DLA-2140-1} - firefox 74.0-1 - firefox-esr 68.6.0esr-1 - thunderbird 1:68.6.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-10/#CVE-2020-6807 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-09/#CVE-2020-6807 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-08/#CVE-2020-6807 CVE-2020-6806 (By carefully crafting promise resolutions, it was possible to cause an ...) {DSA-4642-1 DSA-4639-1 DLA-2150-1 DLA-2140-1} - firefox 74.0-1 - firefox-esr 68.6.0esr-1 - thunderbird 1:68.6.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-10/#CVE-2020-6806 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-09/#CVE-2020-6806 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-08/#CVE-2020-6806 CVE-2020-6805 (When removing data about an origin whose tab was recently closed, a us ...) {DSA-4642-1 DSA-4639-1 DLA-2150-1 DLA-2140-1} - firefox 74.0-1 - firefox-esr 68.6.0esr-1 - thunderbird 1:68.6.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-10/#CVE-2020-6805 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-09/#CVE-2020-6805 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-08/#CVE-2020-6805 CVE-2020-6804 (A reflected XSS vulnerability exists within the gateway, allowing an a ...) NOT-FOR-US: Mozilla IOT CVE-2020-6803 (An open redirect is present on the gateway's login page, which could c ...) NOT-FOR-US: Mozilla IOT CVE-2020-6801 (Mozilla developers reported memory safety bugs present in Firefox 72. ...) - firefox 73.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-05/#CVE-2020-6801 CVE-2020-6800 (Mozilla developers and community members reported memory safety bugs p ...) {DSA-4625-1 DSA-4620-1 DLA-2104-1 DLA-2102-1} - firefox 73.0-1 - firefox-esr 68.5.0esr-1 - thunderbird 1:68.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-05/#CVE-2020-6800 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-06/#CVE-2020-6800 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-07/#CVE-2020-6800 CVE-2020-6799 (Command line arguments could have been injected during Firefox invocat ...) - firefox (Only affects Windows) - firefox-esr (Only affects Windows) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-05/#CVE-2020-6799 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-06/#CVE-2020-6799 CVE-2020-6798 (If a template tag was used in a select tag, the parser could be confus ...) {DSA-4625-1 DSA-4620-1 DLA-2104-1 DLA-2102-1} - firefox 73.0-1 - firefox-esr 68.5.0esr-1 - thunderbird 1:68.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-05/#CVE-2020-6798 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-06/#CVE-2020-6798 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-07/#CVE-2020-6798 CVE-2020-6797 (By downloading a file with the .fileloc extension, a semi-privileged e ...) - firefox (Only affects Mac OSX) - firefox-esr (Only affects Mac OSX) - thunderbird (Only affects Mac OSX) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-05/#CVE-2020-6797 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-06/#CVE-2020-6797 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-07/#CVE-2020-6797 CVE-2020-6796 (A content process could have modified shared memory relating to crash ...) {DSA-4620-1 DLA-2102-1} - firefox 73.0-1 - firefox-esr 68.5.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-05/#CVE-2020-6796 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-06/#CVE-2020-6796 CVE-2020-6795 (When processing a message that contains multiple S/MIME signatures, a ...) {DSA-4625-1 DLA-2104-1} - thunderbird 1:68.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-07/#CVE-2020-6795 CVE-2020-6794 (If a user saved passwords before Thunderbird 60 and then later set a m ...) {DSA-4625-1 DLA-2104-1} - thunderbird 1:68.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-07/#CVE-2020-6794 CVE-2020-6793 (When processing an email message with an ill-formed envelope, Thunderb ...) {DSA-4625-1 DLA-2104-1} - thunderbird 1:68.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-07/#CVE-2020-6793 CVE-2020-6792 (When deriving an identifier for an email message, uninitialized memory ...) {DSA-4625-1 DLA-2104-1} - thunderbird 1:68.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-07/#CVE-2020-6792 CVE-2020-6791 RESERVED CVE-2020-6790 RESERVED CVE-2020-6789 RESERVED CVE-2020-6788 RESERVED CVE-2020-6787 RESERVED CVE-2020-6786 RESERVED CVE-2020-6785 RESERVED CVE-2020-6784 RESERVED CVE-2020-6783 RESERVED CVE-2020-6782 RESERVED CVE-2020-6781 RESERVED CVE-2020-6780 RESERVED CVE-2020-6779 RESERVED CVE-2020-6778 RESERVED CVE-2020-6777 RESERVED CVE-2020-6776 RESERVED CVE-2020-6775 RESERVED CVE-2020-6774 (Improper Access Control in the Kiosk Mode functionality of Bosch Recor ...) NOT-FOR-US: Bosch CVE-2020-6773 RESERVED CVE-2020-6772 RESERVED CVE-2020-6771 RESERVED CVE-2020-6770 (Deserialization of Untrusted Data in the BVMS Mobile Video Service (BV ...) NOT-FOR-US: BVMS Mobile Video Service (BVMS MVS) CVE-2020-6769 (Missing Authentication for Critical Function in the Bosch Video Stream ...) NOT-FOR-US: Bosch CVE-2020-6768 (A path traversal vulnerability in the Bosch Video Management System (B ...) NOT-FOR-US: Bosch CVE-2020-6767 (A path traversal vulnerability in the Bosch Video Management System (B ...) NOT-FOR-US: Bosch CVE-2020-6766 RESERVED CVE-2020-6765 (D-Link DSL-GS225 J1 AU_1.0.4 devices allow an admin to execute OS comm ...) NOT-FOR-US: D-Link CVE-2020-6764 REJECTED CVE-2020-6763 RESERVED CVE-2020-6762 RESERVED CVE-2020-6761 RESERVED CVE-2020-6760 (Schmid ZI 620 V400 VPN 090 routers allow an attacker to execute OS com ...) NOT-FOR-US: Schmid ZI 620 V400 VPN 090 routers CVE-2020-6759 RESERVED CVE-2020-6758 (A cross-site scripting (XSS) vulnerability in Option/optionsAll.php in ...) NOT-FOR-US: Rasilient PixelStor CVE-2020-6757 (contentHostProperties.php in Rasilient PixelStor 5000 K:4.0.1580-20150 ...) NOT-FOR-US: Rasilient PixelStor CVE-2020-6756 (languageOptions.php in Rasilient PixelStor 5000 K:4.0.1580-20150629 (K ...) NOT-FOR-US: Rasilient PixelStor CVE-2020-6755 RESERVED CVE-2020-6754 (dotCMS before 5.2.4 is vulnerable to directory traversal, leading to i ...) NOT-FOR-US: dotCMS CVE-2020-6753 (The Login by Auth0 plugin before 4.0.0 for WordPress allows stored XSS ...) NOT-FOR-US: Login by Auth0 plugin for WordPress CVE-2020-6752 (In OMERO before 5.6.1, group owners can access members' data in other ...) TODO: check CVE-2020-6751 RESERVED CVE-2019-20376 (A cross-site scripting (XSS) vulnerability in Electronic Logbook (ELOG ...) NOT-FOR-US: Electronic Logbook (ELOG) CVE-2019-20375 (A cross-site scripting (XSS) vulnerability in Electronic Logbook (ELOG ...) NOT-FOR-US: Electronic Logbook (ELOG) CVE-2019-20374 (A mutation cross-site scripting (XSS) issue in Typora through 0.9.9.31 ...) NOT-FOR-US: Typora CVE-2019-20372 (NGINX before 1.17.7, with certain error_page configurations, allows HT ...) - nginx 1.16.1-3 (low; bug #948579) [buster] - nginx (Minor issue) [stretch] - nginx (Minor issue) [jessie] - nginx (Minor issue) NOTE: https://bertjwregeer.keybase.pub/2019-12-10%20-%20error_page%20request%20smuggling.pdf NOTE: https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b94e CVE-2019-20373 (LTSP LDM through 2.18.06 allows fat-client root access because the LDM ...) {DSA-4601-1 DLA-2064-1} - ldm (bug #948538) NOTE: https://git.launchpad.net/~ltsp-upstream/ltsp/+git/ldm/commit/?id=c351ac69ef63ed6c84221cef73e409059661b8ba NOTE: https://bugs.launchpad.net/ubuntu/+source/ldm/+bug/1839431 CVE-2020-6750 (GSocketClient in GNOME GLib through 2.62.4 may occasionally connect di ...) - glib2.0 2.62.5-1 (bug #948554) [buster] - glib2.0 (Vulnerable code introduced later, regreession from 2.60.0) [stretch] - glib2.0 (Vulnerable code introduced later, regreession from 2.60.0) [jessie] - glib2.0 (Vulnerable code introduced later, regreession from 2.60.0) NOTE: https://gitlab.gnome.org/GNOME/glib/issues/1989 CVE-2020-6749 RESERVED CVE-2020-6748 RESERVED CVE-2020-6747 RESERVED CVE-2020-6746 RESERVED CVE-2020-6745 RESERVED CVE-2020-6744 RESERVED CVE-2020-6743 RESERVED CVE-2020-6742 RESERVED CVE-2020-6741 RESERVED CVE-2020-6740 RESERVED CVE-2020-6739 RESERVED CVE-2020-6738 RESERVED CVE-2020-6737 RESERVED CVE-2020-6736 RESERVED CVE-2020-6735 RESERVED CVE-2020-6734 RESERVED CVE-2020-6733 RESERVED CVE-2020-6732 RESERVED CVE-2020-6731 RESERVED CVE-2020-6730 RESERVED CVE-2020-6729 RESERVED CVE-2020-6728 RESERVED CVE-2020-6727 RESERVED CVE-2020-6726 RESERVED CVE-2020-6725 RESERVED CVE-2020-6724 RESERVED CVE-2020-6723 RESERVED CVE-2020-6722 RESERVED CVE-2020-6721 RESERVED CVE-2020-6720 RESERVED CVE-2020-6719 RESERVED CVE-2020-6718 RESERVED CVE-2020-6717 RESERVED CVE-2020-6716 RESERVED CVE-2020-6715 RESERVED CVE-2020-6714 RESERVED CVE-2020-6713 RESERVED CVE-2020-6712 RESERVED CVE-2020-6711 RESERVED CVE-2020-6710 RESERVED CVE-2020-6709 RESERVED CVE-2020-6708 RESERVED CVE-2020-6707 RESERVED CVE-2020-6706 RESERVED CVE-2020-6705 RESERVED CVE-2020-6704 RESERVED CVE-2020-6703 RESERVED CVE-2020-6702 RESERVED CVE-2020-6701 RESERVED CVE-2020-6700 RESERVED CVE-2020-6699 RESERVED CVE-2020-6698 RESERVED CVE-2020-6697 RESERVED CVE-2020-6696 RESERVED CVE-2020-6695 RESERVED CVE-2020-6694 RESERVED CVE-2020-6693 RESERVED CVE-2020-6692 RESERVED CVE-2020-6691 RESERVED CVE-2020-6690 RESERVED CVE-2020-6689 RESERVED CVE-2020-6688 RESERVED CVE-2020-6687 RESERVED CVE-2020-6686 RESERVED CVE-2020-6685 RESERVED CVE-2020-6684 RESERVED CVE-2020-6683 RESERVED CVE-2020-6682 RESERVED CVE-2020-6681 RESERVED CVE-2020-6680 RESERVED CVE-2020-6679 RESERVED CVE-2020-6678 RESERVED CVE-2020-6677 RESERVED CVE-2020-6676 RESERVED CVE-2020-6675 RESERVED CVE-2020-6674 RESERVED CVE-2020-6673 RESERVED CVE-2020-6672 RESERVED CVE-2020-6671 RESERVED CVE-2020-6670 RESERVED CVE-2020-6669 RESERVED CVE-2020-6668 RESERVED CVE-2020-6667 RESERVED CVE-2020-6666 RESERVED CVE-2020-6665 RESERVED CVE-2020-6664 RESERVED CVE-2020-6663 RESERVED CVE-2020-6662 RESERVED CVE-2020-6661 RESERVED CVE-2020-6660 RESERVED CVE-2020-6659 RESERVED CVE-2020-6658 RESERVED CVE-2020-6657 RESERVED CVE-2020-6656 RESERVED CVE-2020-6655 RESERVED CVE-2020-6654 RESERVED CVE-2020-6653 RESERVED CVE-2020-6652 (Incorrect Privilege Assignment vulnerability in Eaton's Intelligent Po ...) NOT-FOR-US: Eaton CVE-2020-6651 (Improper Input Validation in Eaton's Intelligent Power Manager (IPM) v ...) NOT-FOR-US: Eaton CVE-2020-6650 (UPS companion software v1.05 & Prior is affected by ‘Eval In ...) NOT-FOR-US: UPS companion software CVE-2020-6649 RESERVED CVE-2020-6648 RESERVED CVE-2020-6647 (An improper neutralization of input vulnerability in the dashboard of ...) NOT-FOR-US: Fortiguard CVE-2020-6646 (An improper neutralization of input vulnerability in FortiWeb allows a ...) NOT-FOR-US: Fortiguard CVE-2020-6645 RESERVED CVE-2020-6644 (An insufficient session expiration vulnerability in FortiDeceptor 3.0. ...) NOT-FOR-US: Fortiguard CVE-2020-6643 (An improper neutralization of input vulnerability in the URL Descripti ...) NOT-FOR-US: Fortinet CVE-2020-6642 RESERVED CVE-2020-6641 RESERVED CVE-2020-6640 (An improper neutralization of input vulnerability in the Admin Profile ...) NOT-FOR-US: Fortiguard CVE-2020-6639 RESERVED CVE-2020-6638 (Grin through 2.1.1 has Insufficient Validation. ...) NOT-FOR-US: Grin CVE-2020-6637 RESERVED CVE-2020-6636 RESERVED CVE-2020-6635 RESERVED CVE-2020-6634 RESERVED CVE-2020-6633 RESERVED CVE-2020-6632 (In PrestaShop 1.7.6.2, XSS can occur during addition or removal of a Q ...) NOT-FOR-US: PrestaShop CVE-2020-6631 (An issue was discovered in GPAC version 0.8.0. There is a NULL pointer ...) - gpac (low) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) [jessie] - gpac (Minor issue, clean crash, MP42TS not shipped, incomplete patch) NOTE: https://github.com/gpac/gpac/issues/1378 NOTE: https://github.com/gpac/gpac/commit/c7e46e948ebe2d4a532539c7e714cdf655b84521 NOTE: fix considered "ugly" by upstream and introduces abort(3)-based DoS CVE-2020-6630 (An issue was discovered in GPAC version 0.8.0. There is a NULL pointer ...) - gpac (low) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) [jessie] - gpac (Minor issue, clean crash, MP42TS not shipped, incomplete patch) NOTE: https://github.com/gpac/gpac/issues/1377 NOTE: https://github.com/gpac/gpac/commit/c7e46e948ebe2d4a532539c7e714cdf655b84521 NOTE: fix considered "ugly" by upstream and introduces abort(3)-based DoS CVE-2020-6629 (Ming (aka libming) 0.4.8 has z NULL pointer dereference in the functio ...) - ming NOTE: https://github.com/libming/libming/issues/190 CVE-2020-6628 (Ming (aka libming) 0.4.8 has a heap-based buffer over-read in the func ...) - ming NOTE: https://github.com/libming/libming/issues/191 CVE-2020-6627 RESERVED CVE-2020-6626 RESERVED CVE-2020-6625 (jhead through 3.04 has a heap-based buffer over-read in Get32s when ca ...) - jhead (unimportant) NOTE: https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/1858746 NOTE: Crash in CLI tool, no security impact CVE-2020-6624 (jhead through 3.04 has a heap-based buffer over-read in process_DQT in ...) - jhead (unimportant) NOTE: https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/1858744 NOTE: Crash in CLI tool, no security impact CVE-2020-6623 (stb stb_truetype.h through 1.22 has an assertion failure in stbtt__cff ...) - libstb (low; bug #949560) [buster] - libstb (Minor issue) NOTE: https://github.com/nothings/stb/issues/865 NOTE: Potentially affects mame, embree, libtcod, sumo, goxel, mesa, godot, dart CVE-2020-6622 (stb stb_truetype.h through 1.22 has a heap-based buffer over-read in s ...) - libstb (low; bug #949559) [buster] - libstb (Minor issue) NOTE: https://github.com/nothings/stb/issues/869 CVE-2020-6621 (stb stb_truetype.h through 1.22 has a heap-based buffer over-read in t ...) - libstb (low; bug #949558) [buster] - libstb (Minor issue) NOTE: https://github.com/nothings/stb/issues/867 CVE-2020-6620 (stb stb_truetype.h through 1.22 has a heap-based buffer over-read in s ...) - libstb (low; bug #949557) [buster] - libstb (Minor issue) NOTE: https://github.com/nothings/stb/issues/868 CVE-2020-6619 (stb stb_truetype.h through 1.22 has an assertion failure in stbtt__buf ...) - libstb (low; bug #949556) [buster] - libstb (Minor issue) NOTE: https://github.com/nothings/stb/issues/863 CVE-2020-6618 (stb stb_truetype.h through 1.22 has a heap-based buffer over-read in s ...) - libstb (low; bug #949555) [buster] - libstb (Minor issue) NOTE: https://github.com/nothings/stb/issues/866 CVE-2020-6617 (stb stb_truetype.h through 1.22 has an assertion failure in stbtt__cff ...) - libstb (low; bug #949554) [buster] - libstb (Minor issue) NOTE: https://github.com/nothings/stb/issues/867 CVE-2020-6616 (Some Broadcom chips mishandle Bluetooth random-number generation becau ...) NOT-FOR-US: Broadcom CVE-2020-6615 (GNU LibreDWG 0.9.3.2564 has an invalid pointer dereference in dwg_dyna ...) - libredwg (bug #595191) CVE-2020-6614 (GNU LibreDWG 0.9.3.2564 has a heap-based buffer over-read in bfr_read ...) - libredwg (bug #595191) CVE-2020-6613 (GNU LibreDWG 0.9.3.2564 has a heap-based buffer over-read in bit_searc ...) - libredwg (bug #595191) CVE-2020-6612 (GNU LibreDWG 0.9.3.2564 has a heap-based buffer over-read in copy_comp ...) - libredwg (bug #595191) CVE-2020-6611 (GNU LibreDWG 0.9.3.2564 has a NULL pointer dereference in get_next_own ...) - libredwg (bug #595191) CVE-2020-6610 (GNU LibreDWG 0.9.3.2564 has an attempted excessive memory allocation i ...) - libredwg (bug #595191) CVE-2020-6609 (GNU LibreDWG 0.9.3.2564 has a heap-based buffer over-read in read_page ...) - libredwg (bug #595191) CVE-2020-6608 RESERVED CVE-2020-6607 RESERVED CVE-2020-6606 RESERVED CVE-2020-6605 RESERVED CVE-2020-6604 RESERVED CVE-2020-6603 RESERVED CVE-2020-6602 RESERVED CVE-2020-6601 RESERVED CVE-2020-6600 RESERVED CVE-2020-6599 RESERVED CVE-2020-6598 RESERVED CVE-2020-6597 RESERVED CVE-2020-6596 RESERVED CVE-2020-6595 RESERVED CVE-2020-6594 RESERVED CVE-2020-6593 RESERVED CVE-2020-6592 RESERVED CVE-2020-6591 RESERVED CVE-2020-6590 RESERVED CVE-2020-6589 RESERVED CVE-2020-6588 RESERVED CVE-2020-6587 RESERVED CVE-2020-6586 (Nagios Log Server 2.1.3 allows XSS by visiting /profile and entering a ...) NOT-FOR-US: Nagios Log Server CVE-2020-6585 (Nagios Log Server 2.1.3 has CSRF. ...) NOT-FOR-US: Nagios Log Server CVE-2020-6584 (Nagios Log Server 2.1.3 has Incorrect Access Control. ...) NOT-FOR-US: Nagios Log Server CVE-2019-20371 RESERVED CVE-2019-20370 RESERVED CVE-2019-20369 RESERVED CVE-2019-20368 RESERVED CVE-2020-6583 (BigProf Online Invoicing System (OIS) through 2.6 has XSS that can be ...) NOT-FOR-US: BigProf Online Invoicing System (OIS) CVE-2020-6582 (Nagios NRPE 3.2.1 has a Heap-Based Buffer Overflow, as demonstrated by ...) - nagios-nrpe 4.0.0-1 [buster] - nagios-nrpe (Minor issue) [stretch] - nagios-nrpe (Minor issue) [jessie] - nagios-nrpe (Minor issue) NOTE: https://herolab.usd.de/security-advisories/usd-2020-0001/ NOTE: https://github.com/NagiosEnterprises/nrpe/commit/b84f9b8c9d290dd02e139df8dad1c3eb690c1213 NOTE: https://github.com/NagiosEnterprises/nrpe/commit/8e3bea4e1b1937e395a182729762aa8894e8649e NOTE: https://github.com/NagiosEnterprises/nrpe/commit/0db345444d0dcb3e37cca1bcbb0027dcbb764197 (part validating incoming buffer size) CVE-2020-6581 (Nagios NRPE 3.2.1 has Insufficient Filtering because, for example, nas ...) - nagios-nrpe 4.0.0-1 [buster] - nagios-nrpe (Minor issue) [stretch] - nagios-nrpe (Minor issue) [jessie] - nagios-nrpe (Vulnerable code introduced later) NOTE: https://herolab.usd.de/security-advisories/usd-2020-0002/ NOTE: https://github.com/NagiosEnterprises/nrpe/commit/0db345444d0dcb3e37cca1bcbb0027dcbb764197 (part for proper processing of nasty_metachars) CVE-2020-6580 RESERVED CVE-2020-6579 (Cross-site scripting (XSS) vulnerability in mailhive/cloudbeez/cloudlo ...) NOT-FOR-US: MailBeez plugin for ZenCart CVE-2020-6578 RESERVED CVE-2020-6577 RESERVED CVE-2020-6576 RESERVED CVE-2020-6575 RESERVED CVE-2020-6574 RESERVED CVE-2020-6573 RESERVED CVE-2020-6572 RESERVED CVE-2020-6571 RESERVED CVE-2020-6570 RESERVED CVE-2020-6569 RESERVED CVE-2020-6568 RESERVED CVE-2020-6567 RESERVED CVE-2020-6566 RESERVED CVE-2020-6565 RESERVED CVE-2020-6564 RESERVED CVE-2020-6563 RESERVED CVE-2020-6562 RESERVED CVE-2020-6561 RESERVED CVE-2020-6560 RESERVED CVE-2020-6559 RESERVED CVE-2020-6558 RESERVED CVE-2020-6557 RESERVED CVE-2020-6556 RESERVED CVE-2020-6555 RESERVED CVE-2020-6554 RESERVED CVE-2020-6553 RESERVED CVE-2020-6552 RESERVED CVE-2020-6551 RESERVED CVE-2020-6550 RESERVED CVE-2020-6549 RESERVED CVE-2020-6548 RESERVED CVE-2020-6547 RESERVED CVE-2020-6546 RESERVED CVE-2020-6545 RESERVED CVE-2020-6544 RESERVED CVE-2020-6543 RESERVED CVE-2020-6542 RESERVED CVE-2020-6541 RESERVED CVE-2020-6540 RESERVED CVE-2020-6539 RESERVED CVE-2020-6538 RESERVED CVE-2020-6537 RESERVED CVE-2020-6536 RESERVED CVE-2020-6535 RESERVED CVE-2020-6534 RESERVED CVE-2020-6533 RESERVED CVE-2020-6532 RESERVED CVE-2020-6531 RESERVED CVE-2020-6530 RESERVED CVE-2020-6529 RESERVED CVE-2020-6528 RESERVED CVE-2020-6527 RESERVED CVE-2020-6526 RESERVED CVE-2020-6525 RESERVED CVE-2020-6524 RESERVED CVE-2020-6523 RESERVED CVE-2020-6522 RESERVED CVE-2020-6521 RESERVED CVE-2020-6520 RESERVED CVE-2020-6519 RESERVED CVE-2020-6518 RESERVED CVE-2020-6517 RESERVED CVE-2020-6516 RESERVED CVE-2020-6515 RESERVED CVE-2020-6514 RESERVED CVE-2020-6513 RESERVED CVE-2020-6512 RESERVED CVE-2020-6511 RESERVED CVE-2020-6510 RESERVED CVE-2020-6509 RESERVED {DSA-4714-1} - chromium 83.0.4103.116-1 [stretch] - chromium (see DSA 4562) CVE-2020-6508 RESERVED CVE-2020-6507 RESERVED {DSA-4714-1} - chromium 83.0.4103.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6506 RESERVED {DSA-4714-1} - chromium 83.0.4103.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6505 RESERVED {DSA-4714-1} - chromium 83.0.4103.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6504 (Insufficient policy enforcement in notifications in Google Chrome prio ...) {DSA-4500-1} - chromium 74.0.3729.108-1 [stretch] - chromium (see DSA 4562) CVE-2020-6503 (Inappropriate implementation in accessibility in Google Chrome prior t ...) {DSA-4500-1} - chromium 74.0.3729.108-1 [stretch] - chromium (see DSA 4562) CVE-2020-6502 (Incorrect implementation in permissions in Google Chrome prior to 80.0 ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6501 (Insufficient policy enforcement in CSP in Google Chrome prior to 80.0. ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6500 (Inappropriate implementation in interstitials in Google Chrome prior t ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6499 (Inappropriate implementation in AppCache in Google Chrome prior to 80. ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6498 (Incorrect implementation in user interface in Google Chrome on iOS pri ...) {DSA-4714-1} - chromium 83.0.4103.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6497 (Insufficient policy enforcement in Omnibox in Google Chrome on iOS pri ...) {DSA-4714-1} - chromium 83.0.4103.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6496 (Use after free in payments in Google Chrome on MacOS prior to 83.0.410 ...) {DSA-4714-1} - chromium 83.0.4103.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6495 (Insufficient policy enforcement in developer tools in Google Chrome pr ...) {DSA-4714-1} - chromium 83.0.4103.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6494 (Incorrect security UI in payments in Google Chrome on Android prior to ...) {DSA-4714-1} - chromium 83.0.4103.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6493 (Use after free in WebAuthentication in Google Chrome prior to 83.0.410 ...) {DSA-4714-1} - chromium 83.0.4103.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6492 RESERVED CVE-2020-6491 (Insufficient data validation in site information in Google Chrome prio ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6490 (Insufficient data validation in loader in Google Chrome prior to 83.0. ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6489 (Inappropriate implementation in developer tools in Google Chrome prior ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6488 (Insufficient policy enforcement in downloads in Google Chrome prior to ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6487 (Insufficient policy enforcement in downloads in Google Chrome prior to ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6486 (Insufficient policy enforcement in navigations in Google Chrome prior ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6485 (Insufficient data validation in media router in Google Chrome prior to ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6484 (Insufficient data validation in ChromeDriver in Google Chrome prior to ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6483 (Insufficient policy enforcement in payments in Google Chrome prior to ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6482 (Insufficient policy enforcement in developer tools in Google Chrome pr ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6481 (Insufficient policy enforcement in URL formatting in Google Chrome pri ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6480 (Insufficient policy enforcement in enterprise in Google Chrome prior t ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6479 (Inappropriate implementation in sharing in Google Chrome prior to 83.0 ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6478 (Inappropriate implementation in full screen in Google Chrome prior to ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6477 (Inappropriate implementation in installer in Google Chrome on OS X pri ...) - chromium (Only affects installer) CVE-2020-6476 (Insufficient policy enforcement in tab strip in Google Chrome prior to ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6475 (Incorrect implementation in full screen in Google Chrome prior to 83.0 ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6474 (Use after free in Blink in Google Chrome prior to 83.0.4103.61 allowed ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6473 (Insufficient policy enforcement in Blink in Google Chrome prior to 83. ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6472 (Insufficient policy enforcement in developer tools in Google Chrome pr ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6471 (Insufficient policy enforcement in developer tools in Google Chrome pr ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6470 (Insufficient validation of untrusted input in clipboard in Google Chro ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6469 (Insufficient policy enforcement in developer tools in Google Chrome pr ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6468 (Type confusion in V8 in Google Chrome prior to 83.0.4103.61 allowed a ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6467 (Use after free in WebRTC in Google Chrome prior to 83.0.4103.61 allowe ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6466 (Use after free in media in Google Chrome prior to 83.0.4103.61 allowed ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6465 (Use after free in reader mode in Google Chrome on Android prior to 83. ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6464 (Type confusion in Blink in Google Chrome prior to 81.0.4044.138 allowe ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6463 (Use after free in ANGLE in Google Chrome prior to 81.0.4044.122 allowe ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6462 (Use after free in task scheduling in Google Chrome prior to 81.0.4044. ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6461 (Use after free in storage in Google Chrome prior to 81.0.4044.129 allo ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6460 (Insufficient data validation in URL formatting in Google Chrome prior ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6459 (Use after free in payments in Google Chrome prior to 81.0.4044.122 all ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6458 (Out of bounds read and write in PDFium in Google Chrome prior to 81.0. ...) {DSA-4714-1} - chromium 83.0.4103.83-1 [stretch] - chromium (see DSA 4562) CVE-2020-6457 (Use after free in speech recognizer in Google Chrome prior to 81.0.404 ...) {DSA-4714-1} - chromium 83.0.4103.83-1 (bug #958450) [stretch] - chromium (see DSA 4562) CVE-2020-6456 (Insufficient validation of untrusted input in clipboard in Google Chro ...) {DSA-4714-1} - chromium 81.0.4044.92-1 [stretch] - chromium (see DSA 4562) CVE-2020-6455 (Out of bounds read in WebSQL in Google Chrome prior to 81.0.4044.92 al ...) {DSA-4714-1} - chromium 81.0.4044.92-1 [stretch] - chromium (see DSA 4562) CVE-2020-6454 (Use after free in extensions in Google Chrome prior to 81.0.4044.92 al ...) {DSA-4714-1} - chromium 81.0.4044.92-1 [stretch] - chromium (see DSA 4562) CVE-2020-6453 (Inappropriate implementation in V8 in Google Chrome prior to 80.0.3987 ...) {DSA-4654-1} - chromium 80.0.3987.162-1 [stretch] - chromium (see DSA 4562) CVE-2020-6452 (Heap buffer overflow in media in Google Chrome prior to 80.0.3987.162 ...) {DSA-4654-1} - chromium 80.0.3987.162-1 [stretch] - chromium (see DSA 4562) CVE-2020-6451 (Use after free in WebAudio in Google Chrome prior to 80.0.3987.162 all ...) {DSA-4654-1} - chromium 80.0.3987.162-1 [stretch] - chromium (see DSA 4562) CVE-2020-6450 (Use after free in WebAudio in Google Chrome prior to 80.0.3987.162 all ...) {DSA-4654-1} - chromium 80.0.3987.162-1 [stretch] - chromium (see DSA 4562) CVE-2020-6449 (Use after free in audio in Google Chrome prior to 80.0.3987.149 allowe ...) {DSA-4645-1} - chromium 80.0.3987.149-1 [stretch] - chromium (see DSA 4562) CVE-2020-6448 (Use after free in V8 in Google Chrome prior to 81.0.4044.92 allowed a ...) {DSA-4714-1} - chromium 81.0.4044.92-1 [stretch] - chromium (see DSA 4562) CVE-2020-6447 (Inappropriate implementation in developer tools in Google Chrome prior ...) {DSA-4714-1} - chromium 81.0.4044.92-1 [stretch] - chromium (see DSA 4562) CVE-2020-6446 (Insufficient policy enforcement in trusted types in Google Chrome prio ...) {DSA-4714-1} - chromium 81.0.4044.92-1 [stretch] - chromium (see DSA 4562) CVE-2020-6445 (Insufficient policy enforcement in trusted types in Google Chrome prio ...) {DSA-4714-1} - chromium 81.0.4044.92-1 [stretch] - chromium (see DSA 4562) CVE-2020-6444 (Uninitialized use in WebRTC in Google Chrome prior to 81.0.4044.92 all ...) {DSA-4714-1} - chromium 81.0.4044.92-1 [stretch] - chromium (see DSA 4562) CVE-2020-6443 (Insufficient data validation in developer tools in Google Chrome prior ...) {DSA-4714-1} - chromium 81.0.4044.92-1 [stretch] - chromium (see DSA 4562) CVE-2020-6442 (Inappropriate implementation in cache in Google Chrome prior to 81.0.4 ...) {DSA-4714-1} - chromium 81.0.4044.92-1 [stretch] - chromium (see DSA 4562) CVE-2020-6441 (Insufficient policy enforcement in omnibox in Google Chrome prior to 8 ...) {DSA-4714-1} - chromium 81.0.4044.92-1 [stretch] - chromium (see DSA 4562) CVE-2020-6440 (Inappropriate implementation in extensions in Google Chrome prior to 8 ...) {DSA-4714-1} - chromium 81.0.4044.92-1 [stretch] - chromium (see DSA 4562) CVE-2020-6439 (Insufficient policy enforcement in navigations in Google Chrome prior ...) {DSA-4714-1} - chromium 81.0.4044.92-1 [stretch] - chromium (see DSA 4562) CVE-2020-6438 (Insufficient policy enforcement in extensions in Google Chrome prior t ...) {DSA-4714-1} - chromium 81.0.4044.92-1 [stretch] - chromium (see DSA 4562) CVE-2020-6437 (Inappropriate implementation in WebView in Google Chrome prior to 81.0 ...) {DSA-4714-1} - chromium 81.0.4044.92-1 [stretch] - chromium (see DSA 4562) CVE-2020-6436 (Use after free in window management in Google Chrome prior to 81.0.404 ...) {DSA-4714-1} - chromium 81.0.4044.92-1 [stretch] - chromium (see DSA 4562) CVE-2020-6435 (Insufficient policy enforcement in extensions in Google Chrome prior t ...) {DSA-4714-1} - chromium 81.0.4044.92-1 [stretch] - chromium (see DSA 4562) CVE-2020-6434 (Use after free in devtools in Google Chrome prior to 81.0.4044.92 allo ...) {DSA-4714-1} - chromium 81.0.4044.92-1 [stretch] - chromium (see DSA 4562) CVE-2020-6433 (Insufficient policy enforcement in extensions in Google Chrome prior t ...) {DSA-4714-1} - chromium 81.0.4044.92-1 [stretch] - chromium (see DSA 4562) CVE-2020-6432 (Insufficient policy enforcement in navigations in Google Chrome prior ...) {DSA-4714-1} - chromium 81.0.4044.92-1 [stretch] - chromium (see DSA 4562) CVE-2020-6431 (Insufficient policy enforcement in full screen in Google Chrome prior ...) {DSA-4714-1} - chromium 81.0.4044.92-1 [stretch] - chromium (see DSA 4562) CVE-2020-6430 (Type Confusion in V8 in Google Chrome prior to 81.0.4044.92 allowed a ...) {DSA-4714-1} - chromium 81.0.4044.92-1 [stretch] - chromium (see DSA 4562) CVE-2020-6429 (Use after free in audio in Google Chrome prior to 80.0.3987.149 allowe ...) {DSA-4645-1} - chromium 80.0.3987.149-1 [stretch] - chromium (see DSA 4562) CVE-2020-6428 (Use after free in audio in Google Chrome prior to 80.0.3987.149 allowe ...) {DSA-4645-1} - chromium 80.0.3987.149-1 [stretch] - chromium (see DSA 4562) CVE-2020-6427 (Use after free in audio in Google Chrome prior to 80.0.3987.149 allowe ...) {DSA-4645-1} - chromium 80.0.3987.149-1 [stretch] - chromium (see DSA 4562) CVE-2020-6426 (Inappropriate implementation in V8 in Google Chrome prior to 80.0.3987 ...) {DSA-4645-1} - chromium 80.0.3987.149-1 [stretch] - chromium (see DSA 4562) CVE-2020-6425 (Insufficient policy enforcement in extensions in Google Chrome prior t ...) {DSA-4645-1} - chromium 80.0.3987.149-1 [stretch] - chromium (see DSA 4562) CVE-2020-6424 (Use after free in media in Google Chrome prior to 80.0.3987.149 allowe ...) {DSA-4645-1} - chromium 80.0.3987.149-1 [stretch] - chromium (see DSA 4562) CVE-2020-6423 (Use after free in audio in Google Chrome prior to 81.0.4044.92 allowed ...) {DSA-4714-1} - chromium 81.0.4044.92-1 [stretch] - chromium (see DSA 4562) CVE-2020-6422 (Use after free in WebGL in Google Chrome prior to 80.0.3987.149 allowe ...) {DSA-4645-1} - chromium 80.0.3987.149-1 [stretch] - chromium (see DSA 4562) CVE-2020-6421 RESERVED CVE-2020-6420 (Insufficient policy enforcement in media in Google Chrome prior to 80. ...) {DSA-4638-1} - chromium 80.0.3987.132-1 [stretch] - chromium (see DSA 4562) CVE-2020-6419 (Out of bounds write in V8 in Google Chrome prior to 81.0.4044.92 allow ...) - chromium 81.0.4044.92-1 [stretch] - chromium (see DSA 4562) CVE-2020-6418 (Type confusion in V8 in Google Chrome prior to 80.0.3987.122 allowed a ...) {DSA-4638-1} - chromium 80.0.3987.122-1 [stretch] - chromium (see DSA 4562) CVE-2020-6417 (Inappropriate implementation in installer in Google Chrome prior to 80 ...) - chromium (debian package does not support the chromium installer) CVE-2020-6416 (Insufficient data validation in streams in Google Chrome prior to 80.0 ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6415 (Inappropriate implementation in JavaScript in Google Chrome prior to 8 ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6414 (Insufficient policy enforcement in Safe Browsing in Google Chrome prio ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6413 (Inappropriate implementation in Blink in Google Chrome prior to 80.0.3 ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6412 (Insufficient validation of untrusted input in Omnibox in Google Chrome ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6411 (Insufficient validation of untrusted input in Omnibox in Google Chrome ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6410 (Insufficient policy enforcement in navigation in Google Chrome prior t ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6409 (Inappropriate implementation in Omnibox in Google Chrome prior to 80.0 ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6408 (Insufficient policy enforcement in CORS in Google Chrome prior to 80.0 ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6407 (Out of bounds memory access in streams in Google Chrome prior to 80.0. ...) {DSA-4638-1} - chromium 80.0.3987.122-1 [stretch] - chromium (see DSA 4562) CVE-2020-6406 (Use after free in audio in Google Chrome prior to 80.0.3987.87 allowed ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6405 (Out of bounds read in SQLite in Google Chrome prior to 80.0.3987.87 al ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6404 (Inappropriate implementation in Blink in Google Chrome prior to 80.0.3 ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6403 (Incorrect implementation in Omnibox in Google Chrome on iOS prior to 8 ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6402 (Insufficient policy enforcement in downloads in Google Chrome on OS X ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6401 (Insufficient validation of untrusted input in Omnibox in Google Chrome ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6400 (Inappropriate implementation in CORS in Google Chrome prior to 80.0.39 ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6399 (Insufficient policy enforcement in AppCache in Google Chrome prior to ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6398 (Use of uninitialized data in PDFium in Google Chrome prior to 80.0.398 ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6397 (Inappropriate implementation in sharing in Google Chrome prior to 80.0 ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6396 (Inappropriate implementation in Skia in Google Chrome prior to 80.0.39 ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6395 (Out of bounds read in JavaScript in Google Chrome prior to 80.0.3987.8 ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6394 (Insufficient policy enforcement in Blink in Google Chrome prior to 80. ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6393 (Insufficient policy enforcement in Blink in Google Chrome prior to 80. ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6392 (Insufficient policy enforcement in extensions in Google Chrome prior t ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6391 (Insufficient validation of untrusted input in Blink in Google Chrome p ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6390 (Out of bounds memory access in streams in Google Chrome prior to 80.0. ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6389 (Out of bounds write in WebRTC in Google Chrome prior to 80.0.3987.87 a ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6388 (Out of bounds access in WebAudio in Google Chrome prior to 80.0.3987.8 ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6387 (Out of bounds write in WebRTC in Google Chrome prior to 80.0.3987.87 a ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6386 (Use after free in speech in Google Chrome prior to 80.0.3987.116 allow ...) {DSA-4638-1} - chromium 80.0.3987.116-1 [stretch] - chromium (see DSA 4562) CVE-2020-6385 (Insufficient policy enforcement in storage in Google Chrome prior to 8 ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6384 (Use after free in WebAudio in Google Chrome prior to 80.0.3987.116 all ...) {DSA-4638-1} - chromium 80.0.3987.116-1 [stretch] - chromium (see DSA 4562) CVE-2020-6383 (Type confusion in V8 in Google Chrome prior to 80.0.3987.116 allowed a ...) {DSA-4638-1} - chromium 80.0.3987.116-1 [stretch] - chromium (see DSA 4562) CVE-2020-6382 (Type confusion in JavaScript in Google Chrome prior to 80.0.3987.87 al ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6381 (Integer overflow in JavaScript in Google Chrome on ChromeOS and Androi ...) {DSA-4638-1} - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2020-6380 (Insufficient policy enforcement in extensions in Google Chrome prior t ...) {DSA-4606-1} - chromium 79.0.3945.130-1 [stretch] - chromium (see DSA 4562) CVE-2020-6379 (Use after free in V8 in Google Chrome prior to 79.0.3945.130 allowed a ...) {DSA-4606-1} - chromium 79.0.3945.130-1 [stretch] - chromium (see DSA 4562) CVE-2020-6378 (Use after free in speech in Google Chrome prior to 79.0.3945.130 allow ...) {DSA-4606-1} - chromium 79.0.3945.130-1 [stretch] - chromium (see DSA 4562) CVE-2020-6377 (Use after free in audio in Google Chrome prior to 79.0.3945.117 allowe ...) {DSA-4606-1} - chromium 79.0.3945.130-1 [stretch] - chromium (see DSA 4562) CVE-2020-6376 RESERVED CVE-2020-6375 RESERVED CVE-2020-6374 RESERVED CVE-2020-6373 RESERVED CVE-2020-6372 RESERVED CVE-2020-6371 RESERVED CVE-2020-6370 RESERVED CVE-2020-6369 RESERVED CVE-2020-6368 RESERVED CVE-2020-6367 RESERVED CVE-2020-6366 RESERVED CVE-2020-6365 RESERVED CVE-2020-6364 RESERVED CVE-2020-6363 RESERVED CVE-2020-6362 RESERVED CVE-2020-6361 RESERVED CVE-2020-6360 RESERVED CVE-2020-6359 RESERVED CVE-2020-6358 RESERVED CVE-2020-6357 RESERVED CVE-2020-6356 RESERVED CVE-2020-6355 RESERVED CVE-2020-6354 RESERVED CVE-2020-6353 RESERVED CVE-2020-6352 RESERVED CVE-2020-6351 RESERVED CVE-2020-6350 RESERVED CVE-2020-6349 RESERVED CVE-2020-6348 RESERVED CVE-2020-6347 RESERVED CVE-2020-6346 RESERVED CVE-2020-6345 RESERVED CVE-2020-6344 RESERVED CVE-2020-6343 RESERVED CVE-2020-6342 RESERVED CVE-2020-6341 RESERVED CVE-2020-6340 RESERVED CVE-2020-6339 RESERVED CVE-2020-6338 RESERVED CVE-2020-6337 RESERVED CVE-2020-6336 RESERVED CVE-2020-6335 RESERVED CVE-2020-6334 RESERVED CVE-2020-6333 RESERVED CVE-2020-6332 RESERVED CVE-2020-6331 RESERVED CVE-2020-6330 RESERVED CVE-2020-6329 RESERVED CVE-2020-6328 RESERVED CVE-2020-6327 RESERVED CVE-2020-6326 RESERVED CVE-2020-6325 RESERVED CVE-2020-6324 RESERVED CVE-2020-6323 RESERVED CVE-2020-6322 RESERVED CVE-2020-6321 RESERVED CVE-2020-6320 RESERVED CVE-2020-6319 RESERVED CVE-2020-6318 RESERVED CVE-2020-6317 RESERVED CVE-2020-6316 RESERVED CVE-2020-6315 RESERVED CVE-2020-6314 RESERVED CVE-2020-6313 RESERVED CVE-2020-6312 RESERVED CVE-2020-6311 RESERVED CVE-2020-6310 RESERVED CVE-2020-6309 RESERVED CVE-2020-6308 RESERVED CVE-2020-6307 (Automated Note Search Tool (update provided in SAP Basis 7.0, 7.01, 7. ...) NOT-FOR-US: SAP CVE-2020-6306 (Missing authorization check in a transaction within SAP Leasing (updat ...) NOT-FOR-US: SAP CVE-2020-6305 (PI Rest Adapter of SAP Process Integration (update provided in SAP_XIA ...) NOT-FOR-US: SAP CVE-2020-6304 (Improper input validation in SAP NetWeaver Internet Communication Mana ...) NOT-FOR-US: SAP CVE-2020-6303 (SAP Disclosure Management, before version 10.1, does not validate user ...) NOT-FOR-US: SAP CVE-2020-6302 RESERVED CVE-2020-6301 RESERVED CVE-2020-6300 RESERVED CVE-2020-6299 RESERVED CVE-2020-6298 RESERVED CVE-2020-6297 RESERVED CVE-2020-6296 RESERVED CVE-2020-6295 RESERVED CVE-2020-6294 RESERVED CVE-2020-6293 RESERVED CVE-2020-6292 RESERVED CVE-2020-6291 RESERVED CVE-2020-6290 RESERVED CVE-2020-6289 RESERVED CVE-2020-6288 RESERVED CVE-2020-6287 RESERVED CVE-2020-6286 RESERVED CVE-2020-6285 RESERVED CVE-2020-6284 RESERVED CVE-2020-6283 RESERVED CVE-2020-6282 RESERVED CVE-2020-6281 RESERVED CVE-2020-6280 RESERVED CVE-2020-6279 (OData APIs and JobApplicationInterview and JobApplication export permi ...) NOT-FOR-US: SAP CVE-2020-6278 RESERVED CVE-2020-6277 RESERVED CVE-2020-6276 RESERVED CVE-2020-6275 (SAP Netweaver AS ABAP, versions 700, 701, 702, 710, 711, 730, 731, 740 ...) NOT-FOR-US: SAP CVE-2020-6274 RESERVED CVE-2020-6273 RESERVED CVE-2020-6272 RESERVED CVE-2020-6271 (SAP Solution Manager (Problem Context Manager), version 7.2, does not ...) NOT-FOR-US: SAP CVE-2020-6270 (SAP NetWeaver AS ABAP (Banking Services), versions - 710, 711, 740, 75 ...) NOT-FOR-US: SAP CVE-2020-6269 (Under certain conditions SAP Business Objects Business Intelligence Pl ...) NOT-FOR-US: SAP CVE-2020-6268 (Statutory Reporting for Insurance Companies in SAP ERP (EA-FINSERV ver ...) NOT-FOR-US: SAP CVE-2020-6267 RESERVED CVE-2020-6266 (SAP Fiori for SAP S/4HANA, versions - 100, 200, 300, 400, allows an at ...) NOT-FOR-US: SAP CVE-2020-6265 (SAP Commerce, versions - 6.7, 1808, 1811, 1905, and SAP Commerce (Data ...) NOT-FOR-US: SAP CVE-2020-6264 (SAP Commerce, versions - 6.7, 1808, 1811, 1905, may allow an attacker ...) NOT-FOR-US: SAP CVE-2020-6263 (Standalone clients connecting to SAP NetWeaver AS Java via P4 Protocol ...) NOT-FOR-US: SAP CVE-2020-6262 (Service Data Download in SAP Application Server ABAP (ST-PI, before ve ...) NOT-FOR-US: SAP CVE-2020-6261 (SAP Solution Manager (Trace Analysis), version 7.20, allows an attacke ...) NOT-FOR-US: SAP CVE-2020-6260 (SAP Solution Manager (Trace Analysis), version 7.20, allows an attacke ...) NOT-FOR-US: SAP CVE-2020-6259 (Under certain conditions SAP Adaptive Server Enterprise, versions 15.7 ...) NOT-FOR-US: SAP CVE-2020-6258 (SAP Identity Management, version 8.0, does not perform necessary autho ...) NOT-FOR-US: SAP CVE-2020-6257 (SAP Business Objects Business Intelligence Platform (CMC and BI Launch ...) NOT-FOR-US: SAP CVE-2020-6256 (SAP Master Data Governance, versions - 748, 749, 750, 751, 752, 800, 8 ...) NOT-FOR-US: SAP CVE-2020-6255 RESERVED CVE-2020-6254 (SAP Enterprise Threat Detection, versions 1.0, 2.0, does not sufficien ...) NOT-FOR-US: SAP CVE-2020-6253 (Under certain conditions, SAP Adaptive Server Enterprise (Web Services ...) NOT-FOR-US: SAP CVE-2020-6252 (Under certain conditions SAP Adaptive Server Enterprise (Cockpit), ver ...) NOT-FOR-US: SAP CVE-2020-6251 (Under certain conditions or error scenarios SAP Business Objects Busin ...) NOT-FOR-US: SAP CVE-2020-6250 (SAP Adaptive Server Enterprise, version 16.0, allows an authenticated ...) NOT-FOR-US: SAP CVE-2020-6249 (The use of an admin backend report within SAP Master Data Governance, ...) NOT-FOR-US: SAP CVE-2020-6248 (SAP Adaptive Server Enterprise (Backup Server), version 16.0, does not ...) NOT-FOR-US: SAP CVE-2020-6247 (SAP Business Objects Business Intelligence Platform, version 4.2, allo ...) NOT-FOR-US: SAP CVE-2020-6246 (SAP NetWeaver AS ABAP Business Server Pages Test Application SBSPEXT_T ...) NOT-FOR-US: SAP CVE-2020-6245 (SAP Business Objects Business Intelligence Platform, version 4.2, allo ...) NOT-FOR-US: SAP CVE-2020-6244 (SAP Business Client, version 7.0, allows an attacker after a successfu ...) NOT-FOR-US: SAP CVE-2020-6243 (Under certain conditions, SAP Adaptive Server Enterprise (XP Server on ...) NOT-FOR-US: SAP CVE-2020-6242 (SAP Business Objects Business Intelligence Platform (Live Data Connect ...) NOT-FOR-US: SAP CVE-2020-6241 (SAP Adaptive Server Enterprise, version 16.0, allows an authenticated ...) NOT-FOR-US: SAP CVE-2020-6240 (SAP NetWeaver AS ABAP (Web Dynpro ABAP), versions (SAP_UI 750, 752, 75 ...) NOT-FOR-US: SAP CVE-2020-6239 (Under certain conditions SAP Business One (Backup service), versions 9 ...) NOT-FOR-US: SAP CVE-2020-6238 (SAP Commerce, versions - 6.6, 6.7, 1808, 1811, 1905, does not process ...) NOT-FOR-US: SAP CVE-2020-6237 (Under certain conditions, SAP Business Objects Business Intelligence P ...) NOT-FOR-US: SAP CVE-2020-6236 (SAP Landscape Management, version 3.0, and SAP Adaptive Extensions, ve ...) NOT-FOR-US: SAP CVE-2020-6235 (SAP Solution Manager (Diagnostics Agent), version 7.2, does not perfor ...) NOT-FOR-US: SAP CVE-2020-6234 (SAP Host Agent, version 7.21, allows an attacker with admin privileges ...) NOT-FOR-US: SAP CVE-2020-6233 (SAP S/4 HANA (Financial Products Subledger and Banking Services), vers ...) NOT-FOR-US: SAP CVE-2020-6232 (SAP Commerce, versions 1811, 1905, does not perform necessary authoriz ...) NOT-FOR-US: SAP CVE-2020-6231 (SAP Business Objects Business Intelligence Platform (Web Intelligence ...) NOT-FOR-US: SAP CVE-2020-6230 (SAP OrientDB, version 3.0, allows an authenticated attacker with scrip ...) NOT-FOR-US: SAP CVE-2020-6229 (SAP NetWeaver AS ABAP (Business Server Pages application CRM_BSP_FRAME ...) NOT-FOR-US: SAP CVE-2020-6228 (SAP Business Client, versions 6.5, 7.0, does not perform necessary int ...) NOT-FOR-US: SAP CVE-2020-6227 (SAP Business Objects Business Intelligence Platform (CMS / Auditing is ...) NOT-FOR-US: SAP CVE-2020-6226 (SAP Business Objects Business Intelligence Platform (Web Intelligence ...) NOT-FOR-US: SAP CVE-2020-6225 (SAP NetWeaver (Knowledge Management), versions (KMC-CM - 7.00, 7.01, 7 ...) NOT-FOR-US: SAP CVE-2020-6224 (SAP NetWeaver AS Java (HTTP Service), versions 7.10, 7.11, 7.20, 7.30, ...) NOT-FOR-US: SAP CVE-2020-6223 (The open document of SAP Business Objects Business Intelligence Platfo ...) NOT-FOR-US: SAP CVE-2020-6222 (SAP Business Objects Business Intelligence Platform (Web Intelligence ...) NOT-FOR-US: SAP CVE-2020-6221 (Web Intelligence HTML interface in SAP Business Objects Business Intel ...) NOT-FOR-US: SAP CVE-2020-6220 RESERVED CVE-2020-6219 (SAP Business Objects Business Intelligence Platform (CrystalReports We ...) NOT-FOR-US: SAP CVE-2020-6218 (Admin tools and Query Builder in SAP Business Objects Business Intelli ...) NOT-FOR-US: SAP CVE-2020-6217 (SAP NetWeaver AS ABAP Business Server Pages Test Application IT00, ver ...) NOT-FOR-US: SAP CVE-2020-6216 (SAP Business Objects Business Intelligence Platform (BI Launchpad), ve ...) NOT-FOR-US: SAP CVE-2020-6215 (SAP NetWeaver AS ABAP Business Server Pages Test Application IT00, ver ...) NOT-FOR-US: SAP CVE-2020-6214 (SAP S/4HANA (Financial Products Subledger), version 100, uses an incor ...) NOT-FOR-US: SAP CVE-2020-6213 (SAP NetWeaver AS ABAP Business Server Pages Test Application SBSPEXT_P ...) NOT-FOR-US: SAP CVE-2020-6212 (Egypt localized withholding tax reports Clearing of Liabilities and Re ...) NOT-FOR-US: SAP CVE-2020-6211 (SAP Business Objects Business Intelligence Platform (AdminTools), vers ...) NOT-FOR-US: SAP CVE-2020-6210 (SAP Fiori Launchpad, versions- 753, 754, does not sufficiently encode ...) NOT-FOR-US: SAP CVE-2020-6209 (SAP Disclosure Management, version 10.1, does not perform necessary au ...) NOT-FOR-US: SAP CVE-2020-6208 (SAP Business Objects Business Intelligence Platform (Crystal Reports), ...) NOT-FOR-US: SAP CVE-2020-6207 (SAP Solution Manager (User Experience Monitoring), version- 7.2, due t ...) NOT-FOR-US: SAP CVE-2020-6206 (SAP Cloud Platform Integration for Data Services, version 1.0, allows ...) NOT-FOR-US: SAP CVE-2020-6205 (SAP NetWeaver AS ABAP Business Server Pages (Smart Forms), SAP_BASIS v ...) NOT-FOR-US: SAP CVE-2020-6204 (The selection query in SAP Treasury and Risk Management (Transaction M ...) NOT-FOR-US: SAP CVE-2020-6203 (SAP NetWeaver UDDI Server (Services Registry), versions- 7.10, 7.11, 7 ...) NOT-FOR-US: SAP CVE-2020-6202 (SAP NetWeaver Application Server Java (User Management Engine), versio ...) NOT-FOR-US: SAP CVE-2020-6201 (The SAP Commerce (Testweb Extension), versions- 6.6, 6.7, 1808, 1811, ...) NOT-FOR-US: SAP CVE-2020-6200 (The SAP Commerce (SmartEdit Extension), versions- 6.6, 6.7, 1808, 1811 ...) NOT-FOR-US: SAP CVE-2020-6199 (The view FIMENAV_COMPCERT in SAP ERP (MENA Certificate Management), EA ...) NOT-FOR-US: SAP CVE-2020-6198 (SAP Solution Manager (Diagnostics Agent), version 720, allows unencryp ...) NOT-FOR-US: SAP CVE-2020-6197 (SAP Enable Now, before version 1908, does not invalidate session token ...) NOT-FOR-US: SAP CVE-2020-6196 (SAP BusinessObjects Mobile (MobileBIService), version 4.2, allows an a ...) NOT-FOR-US: SAP CVE-2020-6195 (SAP Business Objects Business Intelligence Platform (CMC), version 4.1 ...) NOT-FOR-US: SAP CVE-2020-6194 RESERVED CVE-2020-6193 (SAP NetWeaver (Knowledge Management ICE Service), versions 7.30, 7.31, ...) NOT-FOR-US: SAP CVE-2020-6192 (SAP Landscape Management, version 3.0, allows an attacker with admin p ...) NOT-FOR-US: SAP CVE-2020-6191 (SAP Landscape Management, version 3.0, allows an attacker with admin p ...) NOT-FOR-US: SAP CVE-2020-6190 (Certain vulnerable endpoints in SAP NetWeaver AS Java (Heap Dump Appli ...) NOT-FOR-US: SAP CVE-2020-6189 (Certain settings page(s) in SAP Business Objects Business Intelligence ...) NOT-FOR-US: SAP CVE-2020-6188 (VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, ...) NOT-FOR-US: SAP CVE-2020-6187 (SAP NetWeaver (Guided Procedures), versions 7.10, 7.11, 7.20, 7.30, 7. ...) NOT-FOR-US: SAP CVE-2020-6186 (SAP Host Agent, version 7.21, allows an attacker to cause a slowdown i ...) NOT-FOR-US: SAP CVE-2020-6185 (Under certain conditions ABAP Online Community in SAP NetWeaver (SAP_B ...) NOT-FOR-US: SAP CVE-2020-6184 (Under certain conditions, ABAP Online Community in SAP NetWeaver (SAP_ ...) NOT-FOR-US: SAP CVE-2020-6183 (SAP Host Agent, version 7.21, allows an unprivileged user to read the ...) NOT-FOR-US: SAP CVE-2020-6182 RESERVED CVE-2020-6181 (Under some circumstances the SAML SSO implementation in the SAP NetWea ...) NOT-FOR-US: SAP CVE-2020-6180 RESERVED CVE-2020-6179 RESERVED CVE-2020-6178 (SAP Enable Now, before version 1911, sends the Session ID cookie value ...) NOT-FOR-US: SAP CVE-2020-6177 (SAP Mobile Platform, version 3.0, does not sufficiently validate an XM ...) NOT-FOR-US: SAP CVE-2019-20367 (nlist.c in libbsd before 0.10.0 has an out-of-bounds read during a com ...) - libbsd 0.10.0-1 [buster] - libbsd (Minor issue) [stretch] - libbsd (Minor issue) [jessie] - libbsd (Minor issue) NOTE: https://lists.freedesktop.org/archives/libbsd/2019-August/000229.html NOTE: https://gitlab.freedesktop.org/libbsd/libbsd/commit/9d917aad37778a9f4a96ba358415f077f3f36f3b (0.10.0) CVE-2019-20366 (An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via isTr ...) NOT-FOR-US: Ignite Realtime Openfire CVE-2019-20365 (An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via sear ...) NOT-FOR-US: Ignite Realtime Openfire CVE-2019-20364 (An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via cach ...) NOT-FOR-US: Ignite Realtime Openfire CVE-2019-20363 (An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via alia ...) NOT-FOR-US: Ignite Realtime Openfire CVE-2019-20362 (In Teradici PCoIP Agent before 19.08.1 and PCoIP Client before 19.08.3 ...) NOT-FOR-US: Teradici CVE-2020-6176 RESERVED CVE-2020-6175 (Citrix SD-WAN 10.2.x before 10.2.6 and 11.0.x before 11.0.3 has Missin ...) NOT-FOR-US: Citrix CVE-2020-6174 (TUF (aka The Update Framework) through 0.12.1 has Improper Verificatio ...) - python-tuf (bug #934151) CVE-2020-6173 (TUF (aka The Update Framework) 0.7.2 through 0.12.1 allows Uncontrolle ...) - python-tuf (bug #934151) CVE-2020-6172 RESERVED CVE-2020-6171 (A cross-site scripting (XSS) vulnerability in the index page of the CL ...) NOT-FOR-US: Clink Office CVE-2020-6170 (An authentication bypass vulnerability on Genexis Platinum-4410 v2.1 P ...) NOT-FOR-US: Genexis CVE-2020-6169 RESERVED CVE-2020-6168 (A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance ...) NOT-FOR-US: WordPress plugin CVE-2020-6167 (A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance ...) NOT-FOR-US: WordPress plugin CVE-2020-6166 (A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance ...) NOT-FOR-US: WordPress plugin CVE-2020-6165 RESERVED CVE-2020-6164 RESERVED CVE-2020-6163 (The WikibaseMediaInfo extension 1.35 for MediaWiki allows XSS because ...) NOT-FOR-US: WikibaseMediaInfo MediaWiki extension CVE-2020-6162 (An issue was discovered in Bftpd 5.3. Under certain circumstances, an ...) - bftpd (bug #640469) CVE-2019-20361 (There was a flaw in the WordPress plugin, Email Subscribers & News ...) NOT-FOR-US: Wordpress plugin CVE-2019-20360 (A flaw in Give before 2.5.5, a WordPress plugin, allowed unauthenticat ...) NOT-FOR-US: Wordpress plugin CVE-2019-20359 RESERVED CVE-2020-6161 RESERVED CVE-2020-6160 RESERVED CVE-2020-6159 RESERVED CVE-2020-6158 RESERVED CVE-2020-6157 RESERVED CVE-2020-6156 RESERVED CVE-2020-6155 RESERVED CVE-2020-6154 RESERVED CVE-2020-6153 RESERVED CVE-2020-6152 RESERVED CVE-2020-6151 RESERVED CVE-2020-6150 RESERVED CVE-2020-6149 RESERVED CVE-2020-6148 RESERVED CVE-2020-6147 RESERVED CVE-2020-6146 RESERVED CVE-2020-6145 RESERVED CVE-2020-6144 RESERVED CVE-2020-6143 RESERVED CVE-2020-6142 RESERVED CVE-2020-6141 RESERVED CVE-2020-6140 RESERVED CVE-2020-6139 RESERVED CVE-2020-6138 RESERVED CVE-2020-6137 RESERVED CVE-2020-6136 RESERVED CVE-2020-6135 RESERVED CVE-2020-6134 RESERVED CVE-2020-6133 RESERVED CVE-2020-6132 RESERVED CVE-2020-6131 RESERVED CVE-2020-6130 RESERVED CVE-2020-6129 RESERVED CVE-2020-6128 RESERVED CVE-2020-6127 RESERVED CVE-2020-6126 RESERVED CVE-2020-6125 RESERVED CVE-2020-6124 RESERVED CVE-2020-6123 RESERVED CVE-2020-6122 RESERVED CVE-2020-6121 RESERVED CVE-2020-6120 RESERVED CVE-2020-6119 RESERVED CVE-2020-6118 RESERVED CVE-2020-6117 RESERVED CVE-2020-6116 RESERVED CVE-2020-6115 RESERVED CVE-2020-6114 RESERVED CVE-2020-6113 RESERVED CVE-2020-6112 RESERVED CVE-2020-6111 RESERVED CVE-2020-6110 (An exploitable partial path traversal vulnerability exists in the way ...) NOT-FOR-US: Zoom CVE-2020-6109 (An exploitable path traversal vulnerability exists in the Zoom client, ...) NOT-FOR-US: Zoom CVE-2020-6108 RESERVED CVE-2020-6107 RESERVED CVE-2020-6106 RESERVED CVE-2020-6105 RESERVED CVE-2020-6104 RESERVED CVE-2020-6103 RESERVED CVE-2020-6102 RESERVED CVE-2020-6101 RESERVED CVE-2020-6100 RESERVED CVE-2020-6099 RESERVED CVE-2020-6098 RESERVED CVE-2020-6097 RESERVED CVE-2020-6096 (An exploitable signed comparison vulnerability exists in the ARMv7 mem ...) - glibc (low; bug #961452) [buster] - glibc (Minor issue) [stretch] - glibc (Minor issue) [jessie] - glibc (Vulnerable code not present) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25620 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1019 CVE-2020-6095 (An exploitable denial of service vulnerability exists in the GstRTSPAu ...) - gst-rtsp-server1.0 1.16.2-3 (low) [buster] - gst-rtsp-server1.0 (Minor issue) [stretch] - gst-rtsp-server1.0 (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1018 NOTE: https://gitlab.freedesktop.org/gstreamer/gst-rtsp-server/-/commit/44ccca3086dd81081d72ca0b21d0ecdde962fb1a CVE-2020-6094 (An exploitable code execution vulnerability exists in the TIFF fillinr ...) NOT-FOR-US: Accusoft ImageGear CVE-2020-6093 (An exploitable information disclosure vulnerability exists in the way ...) NOT-FOR-US: Nitro Pro CVE-2020-6092 (An exploitable code execution vulnerability exists in the way Nitro Pr ...) NOT-FOR-US: Nitro Pro CVE-2020-6091 (An exploitable authentication bypass vulnerability exists in the ESPON ...) NOT-FOR-US: EPSON CVE-2020-6090 (An exploitable code execution vulnerability exists in the Web-Based Ma ...) NOT-FOR-US: WAGO CVE-2020-6089 (An exploitable code execution vulnerability exists in the ANI file for ...) NOT-FOR-US: Leadtools CVE-2020-6088 RESERVED CVE-2020-6087 RESERVED CVE-2020-6086 RESERVED CVE-2020-6085 RESERVED CVE-2020-6084 RESERVED CVE-2020-6083 RESERVED CVE-2020-6082 (An exploitable out-of-bounds write vulnerability exists in the ico_rea ...) NOT-FOR-US: Accusoft CVE-2020-6081 (An exploitable code execution vulnerability exists in the PLC_Task fun ...) NOT-FOR-US: 3S-Smart Software Solutions GmbH CODESYS Runtime CVE-2020-6080 (An exploitable denial-of-service vulnerability exists in the resource ...) {DSA-4671-1} - libmicrodns [stretch] - libmicrodns (Will be removed in next point release) - vlc 3.0.8-4 [jessie] - vlc (Not supported in jessie LTS) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1002 NOTE: These were addressed on the source level in 3.0.9, but 3.0.8-4 disables the plugin CVE-2020-6079 (An exploitable denial-of-service vulnerability exists in the resource ...) {DSA-4671-1} - libmicrodns [stretch] - libmicrodns (Will be removed in next point release) - vlc 3.0.8-4 [jessie] - vlc (Not supported in jessie LTS) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1002 NOTE: These were addressed on the source level in 3.0.9, but 3.0.8-4 disables the plugin CVE-2020-6078 (An exploitable denial-of-service vulnerability exists in the message-p ...) {DSA-4671-1} - libmicrodns [stretch] - libmicrodns (Will be removed in next point release) - vlc 3.0.8-4 [jessie] - vlc (Not supported in jessie LTS) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1001 NOTE: These were addressed on the source level in 3.0.9, but 3.0.8-4 disables the plugin CVE-2020-6077 (An exploitable denial-of-service vulnerability exists in the message-p ...) {DSA-4671-1} - libmicrodns [stretch] - libmicrodns (Will be removed in next point release) - vlc 3.0.8-4 [jessie] - vlc (Not supported in jessie LTS) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1000 NOTE: These were addressed on the source level in 3.0.9, but 3.0.8-4 disables the plugin CVE-2020-6076 (An exploitable out-of-bounds write vulnerability exists in the igcore1 ...) NOT-FOR-US: Accusoft CVE-2020-6075 (An exploitable out-of-bounds write vulnerability exists in the store_d ...) NOT-FOR-US: Accusoft CVE-2020-6074 (An exploitable code execution vulnerability exists in the PDF parser o ...) NOT-FOR-US: Nitro Pro CVE-2020-6073 (An exploitable denial-of-service vulnerability exists in the TXT recor ...) {DSA-4671-1} - libmicrodns [stretch] - libmicrodns (Will be removed in next point release) - vlc 3.0.8-4 [jessie] - vlc (Not supported in jessie LTS) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-0996 NOTE: These were addressed on the source level in 3.0.9, but 3.0.8-4 disables the plugin CVE-2020-6072 (An exploitable code execution vulnerability exists in the label-parsin ...) {DSA-4671-1} - libmicrodns [stretch] - libmicrodns (Will be removed in next point release) - vlc 3.0.8-4 [jessie] - vlc (Not supported in jessie LTS) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-0995 NOTE: These were addressed on the source level in 3.0.9, but 3.0.8-4 disables the plugin CVE-2020-6071 (An exploitable denial-of-service vulnerability exists in the resource ...) {DSA-4671-1} - libmicrodns [stretch] - libmicrodns (Will be removed in next point release) - vlc 3.0.8-4 [jessie] - vlc (Not supported in jessie LTS) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-0994 NOTE: These were addressed on the source level in 3.0.9, but 3.0.8-4 disables the plugin CVE-2020-6070 RESERVED CVE-2020-6069 (An exploitable out-of-bounds write vulnerability exists in the igcore1 ...) NOT-FOR-US: Accusoft ImageGear CVE-2020-6068 (An exploitable out-of-bounds write vulnerability exists in the igcore1 ...) NOT-FOR-US: Accusoft ImageGear CVE-2020-6067 (An exploitable out-of-bounds write vulnerability exists in the igcore1 ...) NOT-FOR-US: Accusoft ImageGear CVE-2020-6066 (An exploitable out-of-bounds write vulnerability exists in the igcore1 ...) NOT-FOR-US: Accusoft ImageGear CVE-2020-6065 (An exploitable out-of-bounds write vulnerability exists in the bmp_par ...) NOT-FOR-US: Accusoft ImageGear CVE-2020-6064 (An exploitable out-of-bounds write vulnerability exists in the uncompr ...) NOT-FOR-US: Accusoft ImageGear CVE-2020-6063 (An exploitable out-of-bounds write vulnerability exists in the uncompr ...) NOT-FOR-US: Accusoft ImageGear CVE-2020-6062 (An exploitable denial-of-service vulnerability exists in the way CoTUR ...) {DSA-4711-1} - coturn 4.5.1.1-1.2 (bug #951876) [jessie] - coturn (Vulnerable code introduced later) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-0985 NOTE: https://github.com/coturn/coturn/commit/e09bcd9f7af5b32c81b37f51835b384b5a7d03a8 CVE-2020-6061 (An exploitable heap overflow vulnerability exists in the way CoTURN 4. ...) {DSA-4711-1} - coturn 4.5.1.1-1.2 (bug #951876) [jessie] - coturn (Vulnerable code introduced later) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-0984 NOTE: https://github.com/coturn/coturn/commit/51a7c2b9bf924890c7a3ff4db9c4976c5a93340a CVE-2020-6060 (A stack buffer overflow vulnerability exists in the way MiniSNMPD vers ...) NOT-FOR-US: MiniSNMPD CVE-2020-6059 (An exploitable out of bounds read vulnerability exists in the way Mini ...) NOT-FOR-US: MiniSNMPD CVE-2020-6058 (An exploitable out-of-bounds read vulnerability exists in the way Mini ...) NOT-FOR-US: MiniSNMPD CVE-2020-6057 RESERVED CVE-2020-6056 RESERVED CVE-2020-6055 RESERVED CVE-2020-6054 RESERVED CVE-2020-6053 RESERVED CVE-2020-6052 RESERVED CVE-2020-6051 RESERVED CVE-2020-6050 RESERVED CVE-2020-6049 RESERVED CVE-2020-6048 RESERVED CVE-2020-6047 RESERVED CVE-2020-6046 RESERVED CVE-2020-6045 RESERVED CVE-2020-6044 RESERVED CVE-2020-6043 RESERVED CVE-2020-6042 RESERVED CVE-2020-6041 RESERVED CVE-2020-6040 RESERVED CVE-2020-6039 RESERVED CVE-2020-6038 RESERVED CVE-2020-6037 RESERVED CVE-2020-6036 RESERVED CVE-2020-6035 RESERVED CVE-2020-6034 RESERVED CVE-2020-6033 RESERVED CVE-2020-6032 RESERVED CVE-2020-6031 RESERVED CVE-2020-6030 RESERVED CVE-2020-6029 RESERVED CVE-2020-6028 RESERVED CVE-2020-6027 RESERVED CVE-2020-6026 RESERVED CVE-2020-6025 RESERVED CVE-2020-6024 RESERVED CVE-2020-6023 RESERVED CVE-2020-6022 RESERVED CVE-2020-6021 RESERVED CVE-2020-6020 RESERVED CVE-2020-6019 RESERVED CVE-2020-6018 RESERVED CVE-2020-6017 RESERVED CVE-2020-6016 RESERVED CVE-2020-6015 RESERVED CVE-2020-6014 RESERVED CVE-2020-6013 (ZoneAlarm Firewall and Antivirus products before version 15.8.109.1843 ...) NOT-FOR-US: ZoneAlarm CVE-2020-6012 RESERVED CVE-2020-6011 RESERVED CVE-2020-6010 (LearnPress Wordpress plugin version prior and including 3.2.6.7 is vul ...) NOT-FOR-US: LearnPress Wordpress plugin CVE-2020-6009 (LearnDash Wordpress plugin version below 3.1.6 is vulnerable to Unauth ...) NOT-FOR-US: LearnDash Wordpress plugin CVE-2020-6008 (LifterLMS Wordpress plugin version below 3.37.15 is vulnerable to arbi ...) NOT-FOR-US: LifterLMS Wordpress plugin CVE-2020-6007 (Philips Hue Bridge model 2.X prior to and including version 1935144020 ...) NOT-FOR-US: Philips Hue Bridge model CVE-2020-6006 RESERVED CVE-2020-6005 RESERVED CVE-2020-6004 RESERVED CVE-2020-6003 RESERVED CVE-2020-6002 RESERVED CVE-2020-6001 RESERVED CVE-2020-6000 RESERVED CVE-2020-5999 RESERVED CVE-2020-5998 RESERVED CVE-2020-5997 RESERVED CVE-2020-5996 RESERVED CVE-2020-5995 RESERVED CVE-2020-5994 RESERVED CVE-2020-5993 RESERVED CVE-2020-5992 RESERVED CVE-2020-5991 RESERVED CVE-2020-5990 RESERVED CVE-2020-5989 RESERVED CVE-2020-5988 RESERVED CVE-2020-5987 RESERVED CVE-2020-5986 RESERVED CVE-2020-5985 RESERVED CVE-2020-5984 RESERVED CVE-2020-5983 RESERVED CVE-2020-5982 RESERVED CVE-2020-5981 RESERVED CVE-2020-5980 RESERVED CVE-2020-5979 RESERVED CVE-2020-5978 RESERVED CVE-2020-5977 RESERVED CVE-2020-5976 RESERVED CVE-2020-5975 RESERVED CVE-2020-5974 RESERVED CVE-2020-5973 (NVIDIA Virtual GPU Manager and the guest drivers contain a vulnerabili ...) NOT-FOR-US: NVIDIA Virtual GPU Manager CVE-2020-5972 (NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin ...) NOT-FOR-US: NVIDIA Virtual GPU Manager CVE-2020-5971 (NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin ...) NOT-FOR-US: NVIDIA Virtual GPU Manager CVE-2020-5970 (NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin ...) NOT-FOR-US: NVIDIA Virtual GPU Manager CVE-2020-5969 (NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin ...) NOT-FOR-US: NVIDIA Virtual GPU Manager CVE-2020-5968 (NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin ...) NOT-FOR-US: NVIDIA Virtual GPU Manager CVE-2020-5967 (NVIDIA Linux GPU Display Driver, all versions, contains a vulnerabilit ...) - nvidia-graphics-drivers 440.100-1 (bug #963766) [buster] - nvidia-graphics-drivers (Non-free not supported) [stretch] - nvidia-graphics-drivers (Non-free not supported) [jessie] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-390xx 390.138-1 (bug #963908) [buster] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx [buster] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported) [stretch] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported) - nvidia-graphics-drivers-legacy-304xx [stretch] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) [jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) - nvidia-graphics-drivers-tesla-440 440.95.01-1 - nvidia-graphics-drivers-tesla-418 418.152.00-1 NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5031/kw/Security%20Bulletin CVE-2020-5966 (NVIDIA Windows GPU Display Driver, all versions, contains a vulnerabil ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2020-5965 (NVIDIA Windows GPU Display Driver, all versions, contains a vulnerabil ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2020-5964 (NVIDIA Windows GPU Display Driver, all versions, contains a vulnerabil ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2020-5963 (NVIDIA Windows GPU Display Driver, all versions, contains a vulnerabil ...) - nvidia-graphics-drivers 440.100-1 (bug #963766) [buster] - nvidia-graphics-drivers (Non-free not supported) [stretch] - nvidia-graphics-drivers (Non-free not supported) [jessie] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-390xx 390.138-1 (bug #963908) [buster] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx [buster] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported) [stretch] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported) - nvidia-graphics-drivers-legacy-304xx [stretch] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) [jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) - nvidia-graphics-drivers-tesla-440 440.95.01-1 - nvidia-graphics-drivers-tesla-418 418.152.00-1 NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5031/kw/Security%20Bulletin CVE-2020-5962 (NVIDIA Windows GPU Display Driver, all versions, contains a vulnerabil ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2020-5961 (NVIDIA vGPU graphics driver for guest OS contains a vulnerability in w ...) NOT-FOR-US: NVIDIA vGPU graphics driver for guest OS CVE-2020-5960 (NVIDIA Virtual GPU Manager contains a vulnerability in the kernel modu ...) NOT-FOR-US: NVIDIA Virtual GPU Manager CVE-2020-5959 (NVIDIA Virtual GPU Manager, all versions, contains a vulnerability in ...) NOT-FOR-US: NVIDIA Virtual GPU Manager CVE-2020-5958 (NVIDIA Windows GPU Display Driver, all versions, contains a vulnerabil ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2020-5957 (NVIDIA Windows GPU Display Driver, all versions, contains a vulnerabil ...) NOT-FOR-US: Nvidia driver for Windows CVE-2019-20358 (Trend Micro Anti-Threat Toolkit (ATTK) versions 1.62.0.1218 and below ...) NOT-FOR-US: Trend Micro CVE-2019-20357 (A Persistent Arbitrary Code Execution vulnerability exists in the Tren ...) NOT-FOR-US: Trend Micro CVE-2020-5956 RESERVED CVE-2020-5955 RESERVED CVE-2020-5954 RESERVED CVE-2020-5953 RESERVED CVE-2020-5952 RESERVED CVE-2020-5951 RESERVED CVE-2020-5950 RESERVED CVE-2020-5949 RESERVED CVE-2020-5948 RESERVED CVE-2020-5947 RESERVED CVE-2020-5946 RESERVED CVE-2020-5945 RESERVED CVE-2020-5944 RESERVED CVE-2020-5943 RESERVED CVE-2020-5942 RESERVED CVE-2020-5941 RESERVED CVE-2020-5940 RESERVED CVE-2020-5939 RESERVED CVE-2020-5938 RESERVED CVE-2020-5937 RESERVED CVE-2020-5936 RESERVED CVE-2020-5935 RESERVED CVE-2020-5934 RESERVED CVE-2020-5933 RESERVED CVE-2020-5932 RESERVED CVE-2020-5931 RESERVED CVE-2020-5930 RESERVED CVE-2020-5929 RESERVED CVE-2020-5928 RESERVED CVE-2020-5927 RESERVED CVE-2020-5926 RESERVED CVE-2020-5925 RESERVED CVE-2020-5924 RESERVED CVE-2020-5923 RESERVED CVE-2020-5922 RESERVED CVE-2020-5921 RESERVED CVE-2020-5920 RESERVED CVE-2020-5919 RESERVED CVE-2020-5918 RESERVED CVE-2020-5917 RESERVED CVE-2020-5916 RESERVED CVE-2020-5915 RESERVED CVE-2020-5914 RESERVED CVE-2020-5913 RESERVED CVE-2020-5912 RESERVED CVE-2020-5911 (In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller ...) TODO: check CVE-2020-5910 (In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic ...) TODO: check CVE-2020-5909 (In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the co ...) TODO: check CVE-2020-5908 (In versions bundled with BIG-IP APM 12.1.0-12.1.5 and 11.6.1-11.6.5.2, ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5907 (In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5906 (In versions 13.1.0-13.1.3.3, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, the ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5905 (In version 11.6.1-11.6.5.2 of the BIG-IP system Configuration utility ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5904 (In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5903 (In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5902 (In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5901 (In NGINX Controller 3.3.0-3.4.0, undisclosed API endpoints may allow f ...) TODO: check CVE-2020-5900 (In versions 3.0.0-3.4.0, 2.0.0-2.9.0, and 1.0.1, there is insufficient ...) TODO: check CVE-2020-5899 (In NGINX Controller 3.0.0-3.4.0, recovery code required to change a us ...) TODO: check CVE-2020-5898 (In versions 7.1.5-7.1.9, BIG-IP Edge Client Windows Stonewall driver d ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5897 (In versions 7.1.5-7.1.9, there is use-after-free memory vulnerability ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5896 (On versions 7.1.5-7.1.9, the BIG-IP Edge Client's Windows Installer Se ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5895 (On NGINX Controller versions 3.1.0-3.3.0, AVRD uses world-readable and ...) NOT-FOR-US: NGINX Controller CVE-2020-5894 (On versions 3.0.0-3.3.0, the NGINX Controller webserver does not inval ...) NOT-FOR-US: NGINX Controller CVE-2020-5893 (In versions 7.1.5-7.1.8, when a user connects to a VPN using BIG-IP Ed ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5892 (In versions 7.1.5-7.1.8, the BIG-IP Edge Client components in BIG-IP A ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5891 (On BIG-IP 15.1.0-15.1.0.1, 15.0.0-15.0.1.2, and 14.1.0-14.1.2.3, undis ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5890 (On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, and 12.1.0- ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5889 (On versions 15.1.0-15.1.0.1, 15.0.0-15.0.1.2, and 14.1.0-14.1.2.3, in ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5888 (On versions 15.1.0-15.1.0.1, 15.0.0-15.0.1.2, and 14.1.0-14.1.2.3, BIG ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5887 (On versions 15.1.0-15.1.0.1, 15.0.0-15.0.1.2, and 14.1.0-14.1.2.3, BIG ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5886 (On versions 15.0.0-15.1.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, and 12. ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5885 (On versions 15.0.0-15.1.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, and 12. ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5884 (On versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.4, 13.1.0-13.1.3.3, 12.1.0- ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5883 (On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2.3, 14.0.0-14.0.1, and 13.1.0-13 ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5882 (On BIG-IP 15.0.0-15.0.1.3, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, 12.1.0-12 ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5881 (On versions 15.0.0-15.1.0.1, 14.1.0-14.1.2.3, and 13.1.0-13.1.3.3, whe ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5880 (Om BIG-IP 15.0.0-15.0.1.3 and 14.1.0-14.1.2.3, the restjavad process m ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5879 (On BIG-IP ASM 11.6.1-11.6.5.1, under certain configurations, the BIG-I ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5878 (On versions 15.1.0-15.1.0.1, 15.0.0-15.0.1.1, and 14.1.0-14.1.2.3, Tra ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5877 (On BIG-IP 15.0.0-15.1.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, 12.1.0-12 ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5876 (On BIG-IP 15.0.0-15.0.1.3, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, 12.1.0-12 ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5875 (On BIG-IP 15.0.0-15.0.1 and 14.1.0-14.1.2.3, under certain conditions, ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5874 (On BIG-IP APM 15.0.0-15.0.1.2, 14.1.0-14.1.2.3, and 14.0.0-14.0.1, in ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5873 (On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.1, 12.1.0-12.1 ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5872 (On BIG-IP 14.1.0-14.1.2.3, 14.0.0-14.0.1, 13.1.0-13.1.3.1, and 12.1.0- ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5871 (On BIG-IP 14.1.0-14.1.2.3, undisclosed requests can lead to a denial o ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5870 (In BIG-IQ 5.2.0-7.0.0, high availability (HA) synchronization mechanis ...) NOT-FOR-US: F5 CVE-2020-5869 (In BIG-IQ 5.2.0-7.0.0, high availability (HA) synchronization is not s ...) NOT-FOR-US: F5 CVE-2020-5868 (In BIG-IQ 6.0.0-7.0.0, a remote access vulnerability has been discover ...) NOT-FOR-US: F5 CVE-2020-5867 (In versions prior to 3.3.0, the NGINX Controller Agent installer scrip ...) NOT-FOR-US: NGINX Controller CVE-2020-5866 (In versions of NGINX Controller prior to 3.3.0, the helper.sh script, ...) NOT-FOR-US: NGINX Controller CVE-2020-5865 (In versions prior to 3.3.0, the NGINX Controller is configured to comm ...) NOT-FOR-US: NGINX Controller CVE-2020-5864 (In versions of NGINX Controller prior to 3.2.0, communication between ...) NOT-FOR-US: NGINX Controller CVE-2020-5863 (In NGINX Controller versions prior to 3.2.0, an unauthenticated attack ...) NOT-FOR-US: NGINX Controller CVE-2020-5862 (On BIG-IP 15.1.0-15.1.0.1, 15.0.0-15.0.1.1, and 14.1.0-14.1.2.2, under ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5861 (On BIG-IP 12.1.0-12.1.5, the TMM process may produce a core file in so ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5860 (On BIG-IP 15.0.0-15.1.0.2, 14.1.0-14.1.2.3, 13.1.0-13.1.3.2, 12.1.0-12 ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5859 (On BIG-IP 15.1.0.1, specially formatted HTTP/3 messages may cause TMM ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5858 (On BIG-IP 15.0.0-15.0.1.2, 14.1.0-14.1.2.2, 13.1.0-13.1.3.2, 12.1.0-12 ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5857 (On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2.2, 13.1.0-13.1.3.1, 12.1.0-12.1 ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5856 (On BIG-IP 15.0.0-15.0.1.1 and 14.1.0-14.1.2.2, while processing specif ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5855 (When the Windows Logon Integration feature is configured for all versi ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5854 (On BIG-IP 15.0.0-15.0.1.1, 14.1.0-14.1.2.2, 14.0.0-14.0.1, 13.1.0-13.1 ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5853 (In BIG-IP APM portal access on versions 15.0.0-15.1.0, 14.0.0-14.1.2.3 ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5852 (Undisclosed traffic patterns received may cause a disruption of servic ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5851 (On impacted versions and platforms the Trusted Platform Module (TPM) s ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5850 RESERVED CVE-2020-5849 (Unraid 6.8.0 allows authentication bypass. ...) NOT-FOR-US: Unraid CVE-2020-5848 RESERVED CVE-2020-5847 (Unraid through 6.8.0 allows Remote Code Execution. ...) NOT-FOR-US: Unraid CVE-2020-5846 (An insecure file upload and code execution issue was discovered in Ahs ...) NOT-FOR-US: Ahsay Cloud Backup Suite CVE-2020-5845 RESERVED CVE-2020-5844 (index.php?sec=godmode/extensions&sec2=extensions/files_repo in Pan ...) NOT-FOR-US: Pandora FMS CVE-2020-5843 (Codoforum 4.8.3 allows XSS in the admin dashboard via a category to th ...) NOT-FOR-US: Codoforum CVE-2020-5842 (Codoforum 4.8.3 allows XSS in the user registration page: via the user ...) NOT-FOR-US: Codoforum CVE-2020-5841 (An issue was discovered in OpServices OpMon 9.3.1-1. Using password ch ...) NOT-FOR-US: OpServices OpMon CVE-2020-5840 (An issue was discovered in HashBrown CMS before 1.3.2. Server/Entity/R ...) NOT-FOR-US: HashBrown CMS CVE-2020-5839 (Symantec Endpoint Detection And Response, prior to 4.4, may be suscept ...) NOT-FOR-US: Symantec CVE-2020-5838 (Symantec IT Analytics, prior to 2.9.1, may be susceptible to a cross-s ...) NOT-FOR-US: Symantec CVE-2020-5837 (Symantec Endpoint Protection, prior to 14.3, may not respect file perm ...) NOT-FOR-US: Symantec CVE-2020-5836 (Symantec Endpoint Protection, prior to 14.3, can potentially reset the ...) NOT-FOR-US: Symantec CVE-2020-5835 (Symantec Endpoint Protection Manager, prior to 14.3, has a race condit ...) NOT-FOR-US: Symantec CVE-2020-5834 (Symantec Endpoint Protection Manager, prior to 14.3, may be susceptibl ...) NOT-FOR-US: Symantec CVE-2020-5833 (Symantec Endpoint Protection Manager, prior to 14.3, may be susceptibl ...) NOT-FOR-US: Symantec CVE-2020-5832 (Symantec Data Center Security Manager Component, prior to 6.8.2 (aka 6 ...) NOT-FOR-US: Symantec CVE-2020-5831 (Symantec Endpoint Protection Manager (SEPM), prior to 14.2 RU2 MP1, ma ...) NOT-FOR-US: Symantec Endpoint Protection Manager (SEPM) CVE-2020-5830 (Symantec Endpoint Protection Manager (SEPM), prior to 14.2 RU2 MP1, ma ...) NOT-FOR-US: Symantec Endpoint Protection Manager (SEPM) CVE-2020-5829 (Symantec Endpoint Protection Manager (SEPM), prior to 14.2 RU2 MP1, ma ...) NOT-FOR-US: Symantec Endpoint Protection Manager (SEPM) CVE-2020-5828 (Symantec Endpoint Protection Manager (SEPM), prior to 14.2 RU2 MP1, ma ...) NOT-FOR-US: Symantec Endpoint Protection Manager (SEPM) CVE-2020-5827 (Symantec Endpoint Protection Manager (SEPM), prior to 14.2 RU2 MP1, ma ...) NOT-FOR-US: Symantec Endpoint Protection Manager (SEPM) CVE-2020-5826 (Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Sm ...) NOT-FOR-US: Symantec CVE-2020-5825 (Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Sm ...) NOT-FOR-US: Symantec CVE-2020-5824 (Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Sm ...) NOT-FOR-US: Symantec CVE-2020-5823 (Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Sm ...) NOT-FOR-US: Symantec CVE-2020-5822 (Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Sm ...) NOT-FOR-US: Symantec CVE-2020-5821 (Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Sm ...) NOT-FOR-US: Symantec CVE-2020-5820 (Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Sm ...) NOT-FOR-US: Symantec CVE-2020-5819 RESERVED CVE-2020-5818 RESERVED CVE-2020-5817 RESERVED CVE-2020-5816 RESERVED CVE-2020-5815 RESERVED CVE-2020-5814 RESERVED CVE-2020-5813 RESERVED CVE-2020-5812 RESERVED CVE-2020-5811 RESERVED CVE-2020-5810 RESERVED CVE-2020-5809 RESERVED CVE-2020-5808 RESERVED CVE-2020-5807 RESERVED CVE-2020-5806 RESERVED CVE-2020-5805 RESERVED CVE-2020-5804 RESERVED CVE-2020-5803 RESERVED CVE-2020-5802 RESERVED CVE-2020-5801 RESERVED CVE-2020-5800 RESERVED CVE-2020-5799 RESERVED CVE-2020-5798 RESERVED CVE-2020-5797 RESERVED CVE-2020-5796 RESERVED CVE-2020-5795 RESERVED CVE-2020-5794 RESERVED CVE-2020-5793 RESERVED CVE-2020-5792 RESERVED CVE-2020-5791 RESERVED CVE-2020-5790 RESERVED CVE-2020-5789 RESERVED CVE-2020-5788 RESERVED CVE-2020-5787 RESERVED CVE-2020-5786 RESERVED CVE-2020-5785 RESERVED CVE-2020-5784 RESERVED CVE-2020-5783 RESERVED CVE-2020-5782 RESERVED CVE-2020-5781 RESERVED CVE-2020-5780 RESERVED CVE-2020-5779 RESERVED CVE-2020-5778 RESERVED CVE-2020-5777 RESERVED CVE-2020-5776 RESERVED CVE-2020-5775 RESERVED CVE-2020-5774 RESERVED CVE-2020-5773 RESERVED CVE-2020-5772 RESERVED CVE-2020-5771 RESERVED CVE-2020-5770 RESERVED CVE-2020-5769 RESERVED CVE-2020-5768 RESERVED CVE-2020-5767 RESERVED CVE-2020-5766 RESERVED CVE-2020-5765 RESERVED CVE-2020-5764 (MX Player Android App versions prior to v1.24.5, are vulnerable to a d ...) NOT-FOR-US: MX Player Android App CVE-2020-5763 RESERVED CVE-2020-5762 RESERVED CVE-2020-5761 RESERVED CVE-2020-5760 RESERVED CVE-2020-5759 RESERVED CVE-2020-5758 RESERVED CVE-2020-5757 RESERVED CVE-2020-5756 RESERVED CVE-2020-5755 (Webroot endpoint agents prior to version v9.0.28.48 did not protect th ...) NOT-FOR-US: Webroot CVE-2020-5754 (Webroot endpoint agents prior to version v9.0.28.48 allows remote atta ...) NOT-FOR-US: Webroot CVE-2020-5753 (Signal Private Messenger Android v4.59.0 and up and iOS v3.8.1.5 and u ...) NOT-FOR-US: Signal Private Messenger (Android and iOS version) CVE-2020-5752 (Relative path traversal in Druva inSync Windows Client 6.6.3 allows a ...) NOT-FOR-US: Druva inSync Windows Client CVE-2020-5751 (Insufficient output sanitization in TCExam 14.2.2 allows a remote, aut ...) NOT-FOR-US: TCExam CVE-2020-5750 (Insufficient output sanitization in TCExam 14.2.2 allows a remote, una ...) NOT-FOR-US: TCExam CVE-2020-5749 (Insufficient output sanitization in TCExam 14.2.2 allows a remote, aut ...) NOT-FOR-US: TCExam CVE-2020-5748 (Insufficient output sanitization in TCExam 14.2.2 allows a remote, una ...) NOT-FOR-US: TCExam CVE-2020-5747 (Insufficient output sanitization in TCExam 14.2.2 allows a remote, aut ...) NOT-FOR-US: TCExam CVE-2020-5746 (Insufficient output sanitization in TCExam 14.2.2 allows a remote, aut ...) NOT-FOR-US: TCExam CVE-2020-5745 (Cross-site request forgery in TCExam 14.2.2 allows a remote attacker t ...) NOT-FOR-US: TCExam CVE-2020-5744 (Relative Path Traversal in TCExam 14.2.2 allows a remote, authenticate ...) NOT-FOR-US: TCExam CVE-2020-5743 (Improper Control of Resource Identifiers in TCExam 14.2.2 allows a rem ...) NOT-FOR-US: TCExam CVE-2020-5742 (Improper Access Control in Plex Media Server prior to June 15, 2020 al ...) NOT-FOR-US: Plex Media Server CVE-2020-5741 (Deserialization of Untrusted Data in Plex Media Server on Windows allo ...) NOT-FOR-US: Plex Media Server on Windows CVE-2020-5740 (Improper Input Validation in Plex Media Server on Windows allows a loc ...) NOT-FOR-US: Plex Media Server CVE-2020-5739 (Grandstream GXP1600 series firmware 1.0.4.152 and below is vulnerable ...) NOT-FOR-US: Grandstream CVE-2020-5738 (Grandstream GXP1600 series firmware 1.0.4.152 and below is vulnerable ...) NOT-FOR-US: Grandstream CVE-2020-5737 (Stored XSS in Tenable.Sc before 5.14.0 could allow an authenticated re ...) NOT-FOR-US: Tenable.Sc CVE-2020-5736 (Amcrest cameras and NVR are vulnerable to a null pointer dereference o ...) NOT-FOR-US: Amcrest CVE-2020-5735 (Amcrest cameras and NVR are vulnerable to a stack-based buffer overflo ...) NOT-FOR-US: Amcrest CVE-2020-5734 (Classic buffer overflow in SolarWinds Dameware allows a remote, unauth ...) NOT-FOR-US: SolarWinds CVE-2020-5733 (In OpenMRS 2.9 and prior, the export functionality of the Data Exchang ...) NOT-FOR-US: OpenMRS CVE-2020-5732 (In OpenMRS 2.9 and prior, he import functionality of the Data Exchange ...) NOT-FOR-US: OpenMRS CVE-2020-5731 (In OpenMRS 2.9 and prior, the app parameter for the ActiveVisit's page ...) NOT-FOR-US: OpenMRS CVE-2020-5730 (In OpenMRS 2.9 and prior, the sessionLocation parameter for the login ...) NOT-FOR-US: OpenMRS CVE-2020-5729 (In OpenMRS 2.9 and prior, the UI Framework Error Page reflects arbitra ...) NOT-FOR-US: OpenMRS CVE-2020-5728 (OpenMRS 2.9 and prior copies "Referrer" header values into an html ele ...) NOT-FOR-US: OpenMRS CVE-2020-5727 (Authentication bypass using an alternate path or channel in SimpliSafe ...) NOT-FOR-US: SimpliSafe CVE-2020-5726 (The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQ ...) NOT-FOR-US: Grandstream CVE-2020-5725 (The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQ ...) NOT-FOR-US: Grandstream CVE-2020-5724 (The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQ ...) NOT-FOR-US: Grandstream CVE-2020-5723 (The UCM6200 series 1.0.20.22 and below stores unencrypted user passwor ...) NOT-FOR-US: UCM6200 CVE-2020-5722 (The HTTP interface of the Grandstream UCM6200 series is vulnerable to ...) NOT-FOR-US: Grandstream CVE-2020-5721 (MikroTik WinBox 3.22 and below stores the user's cleartext password in ...) NOT-FOR-US: MikroTik CVE-2020-5720 (MikroTik WinBox before 3.21 is vulnerable to a path traversal vulnerab ...) NOT-FOR-US: MikroTik WinBox CVE-2020-5719 RESERVED CVE-2020-5718 RESERVED CVE-2020-5717 RESERVED CVE-2020-5716 RESERVED CVE-2020-5715 RESERVED CVE-2020-5714 RESERVED CVE-2020-5713 RESERVED CVE-2020-5712 RESERVED CVE-2020-5711 RESERVED CVE-2020-5710 RESERVED CVE-2020-5709 RESERVED CVE-2020-5708 RESERVED CVE-2020-5707 RESERVED CVE-2020-5706 RESERVED CVE-2020-5705 RESERVED CVE-2020-5704 RESERVED CVE-2020-5703 RESERVED CVE-2020-5702 RESERVED CVE-2020-5701 RESERVED CVE-2020-5700 RESERVED CVE-2020-5699 RESERVED CVE-2020-5698 RESERVED CVE-2020-5697 RESERVED CVE-2020-5696 RESERVED CVE-2020-5695 RESERVED CVE-2020-5694 RESERVED CVE-2020-5693 RESERVED CVE-2020-5692 RESERVED CVE-2020-5691 RESERVED CVE-2020-5690 RESERVED CVE-2020-5689 RESERVED CVE-2020-5688 RESERVED CVE-2020-5687 RESERVED CVE-2020-5686 RESERVED CVE-2020-5685 RESERVED CVE-2020-5684 RESERVED CVE-2020-5683 RESERVED CVE-2020-5682 RESERVED CVE-2020-5681 RESERVED CVE-2020-5680 RESERVED CVE-2020-5679 RESERVED CVE-2020-5678 RESERVED CVE-2020-5677 RESERVED CVE-2020-5676 RESERVED CVE-2020-5675 RESERVED CVE-2020-5674 RESERVED CVE-2020-5673 RESERVED CVE-2020-5672 RESERVED CVE-2020-5671 RESERVED CVE-2020-5670 RESERVED CVE-2020-5669 RESERVED CVE-2020-5668 RESERVED CVE-2020-5667 RESERVED CVE-2020-5666 RESERVED CVE-2020-5665 RESERVED CVE-2020-5664 RESERVED CVE-2020-5663 RESERVED CVE-2020-5662 RESERVED CVE-2020-5661 RESERVED CVE-2020-5660 RESERVED CVE-2020-5659 RESERVED CVE-2020-5658 RESERVED CVE-2020-5657 RESERVED CVE-2020-5656 RESERVED CVE-2020-5655 RESERVED CVE-2020-5654 RESERVED CVE-2020-5653 RESERVED CVE-2020-5652 RESERVED CVE-2020-5651 RESERVED CVE-2020-5650 RESERVED CVE-2020-5649 RESERVED CVE-2020-5648 RESERVED CVE-2020-5647 RESERVED CVE-2020-5646 RESERVED CVE-2020-5645 RESERVED CVE-2020-5644 RESERVED CVE-2020-5643 RESERVED CVE-2020-5642 RESERVED CVE-2020-5641 RESERVED CVE-2020-5640 RESERVED CVE-2020-5639 RESERVED CVE-2020-5638 RESERVED CVE-2020-5637 RESERVED CVE-2020-5636 RESERVED CVE-2020-5635 RESERVED CVE-2020-5634 RESERVED CVE-2020-5633 RESERVED CVE-2020-5632 RESERVED CVE-2020-5631 RESERVED CVE-2020-5630 RESERVED CVE-2020-5629 RESERVED CVE-2020-5628 RESERVED CVE-2020-5627 RESERVED CVE-2020-5626 RESERVED CVE-2020-5625 RESERVED CVE-2020-5624 RESERVED CVE-2020-5623 RESERVED CVE-2020-5622 RESERVED CVE-2020-5621 RESERVED CVE-2020-5620 RESERVED CVE-2020-5619 RESERVED CVE-2020-5618 RESERVED CVE-2020-5617 RESERVED CVE-2020-5616 RESERVED CVE-2020-5615 RESERVED CVE-2020-5614 RESERVED CVE-2020-5613 RESERVED CVE-2020-5612 RESERVED CVE-2020-5611 RESERVED CVE-2020-5610 RESERVED CVE-2020-5609 RESERVED CVE-2020-5608 RESERVED CVE-2020-5607 RESERVED CVE-2020-5606 RESERVED CVE-2020-5605 RESERVED CVE-2020-5604 RESERVED CVE-2020-5603 (Uncontrolled resource consumption vulnerability in Mitsubishi Electori ...) NOT-FOR-US: Mitsubishi CVE-2020-5602 (Mitsubishi Electoric FA Engineering Software (CPU Module Logging Confi ...) NOT-FOR-US: Mitsubishi CVE-2020-5601 (Chrome Extension for e-Tax Reception System Ver1.0.0.0 allows remote a ...) NOT-FOR-US: Chrome Extension for e-Tax Reception System CVE-2020-5600 (TCP/IP function included in the firmware of Mitsubishi Electric GOT200 ...) NOT-FOR-US: Mitsubishi CVE-2020-5599 (TCP/IP function included in the firmware of Mitsubishi Electric GOT200 ...) NOT-FOR-US: Mitsubishi CVE-2020-5598 (TCP/IP function included in the firmware of Mitsubishi Electric GOT200 ...) NOT-FOR-US: Mitsubishi CVE-2020-5597 (TCP/IP function included in the firmware of Mitsubishi Electric GOT200 ...) NOT-FOR-US: Mitsubishi CVE-2020-5596 (TCP/IP function included in the firmware of Mitsubishi Electric GOT200 ...) NOT-FOR-US: Mitsubishi CVE-2020-5595 (TCP/IP function included in the firmware of Mitsubishi Electric GOT200 ...) NOT-FOR-US: Mitsubishi CVE-2020-5594 (Mitsubishi Electric MELSEC iQ-R, iQ-F, Q, L, and FX series CPU modules ...) NOT-FOR-US: Mitsubishi CVE-2020-5593 (Zenphoto versions prior to 1.5.7 allows an attacker to conduct PHP cod ...) NOT-FOR-US: Zenphoto CVE-2020-5592 (Cross-site scripting vulnerability in Zenphoto versions prior to 1.5.7 ...) NOT-FOR-US: Zenphoto CVE-2020-5591 (XACK DNS 1.11.0 to 1.11.4, 1.10.0 to 1.10.8, 1.8.0 to 1.8.23, 1.7.0 to ...) NOT-FOR-US: XACK DNS CVE-2020-5590 (Directory traversal vulnerability in EC-CUBE 3.0.0 to 3.0.18 and 4.0.0 ...) NOT-FOR-US: EC-CUBE CVE-2020-5589 (SONY Wireless Headphones WF-1000X, WF-SP700N, WH-1000XM2, WH-1000XM3, ...) NOT-FOR-US: SONY CVE-2020-5588 (Path traversal vulnerability in Cybozu Garoon 5.0.0 to 5.0.1 allows at ...) NOT-FOR-US: Cybozu Garoon CVE-2020-5587 (Cybozu Garoon 4.0.0 to 5.0.1 allow remote authenticated attackers to o ...) NOT-FOR-US: Cybozu Garoon CVE-2020-5586 (Cross-site scripting vulnerability in Cybozu Garoon 4.10.3 to 5.0.1 al ...) NOT-FOR-US: Cybozu Garoon CVE-2020-5585 (Cross-site scripting vulnerability in Cybozu Garoon 5.0.0 to 5.0.1 all ...) NOT-FOR-US: Cybozu Garoon CVE-2020-5584 (Cybozu Garoon 4.0.0 to 5.0.1 allow remote attackers to obtain unintend ...) NOT-FOR-US: Cybozu Garoon CVE-2020-5583 (Cybozu Garoon 4.0.0 to 5.0.1 allows remote authenticated attackers to ...) NOT-FOR-US: Cybozu Garoon CVE-2020-5582 (Cybozu Garoon 4.0.0 to 5.0.1 allows remote authenticated attackers to ...) NOT-FOR-US: Cybozu Garoon CVE-2020-5581 (Path traversal vulnerability in Cybozu Garoon 4.0.0 to 5.0.1 allows re ...) NOT-FOR-US: Cybozu Garoon CVE-2020-5580 (Cybozu Garoon 4.0.0 to 5.0.1 allows remote authenticated attackers to ...) NOT-FOR-US: Cybozu Garoon CVE-2020-5579 (SQL injection vulnerability in the Paid Memberships versions prior to ...) NOT-FOR-US: Paid Memberships CVE-2020-5578 RESERVED CVE-2020-5577 (Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movabl ...) - movabletype-opensource CVE-2020-5576 (Cross-site request forgery (CSRF) vulnerability in Movable Type series ...) - movabletype-opensource CVE-2020-5575 (Cross-site scripting vulnerability in Movable Type series (Movable Typ ...) - movabletype-opensource CVE-2020-5574 (HTML attribute value injection vulnerability in Movable Type series (M ...) - movabletype-opensource CVE-2020-5573 (Android App 'kintone mobile for Android' 1.0.0 to 2.5 allows an attack ...) NOT-FOR-US: Android App 'kintone mobile for Android' CVE-2020-5572 (Android App 'Mailwise for Android' 1.0.0 to 1.0.1 allows an attacker t ...) NOT-FOR-US: Android App 'Mailwise for Android' CVE-2020-5571 (SHARP AQUOS series (AQUOS SH-M02 build number 01.00.05 and earlier, AQ ...) NOT-FOR-US: SHARP AQUOS CVE-2020-5570 (Cross-site scripting vulnerability in Sales Force Assistant version 11 ...) NOT-FOR-US: Sales Force Assistant CVE-2020-5569 (An unquoted search path vulnerability exists in HDD Password tool (for ...) NOT-FOR-US: HDD Password tool (CANVIO) CVE-2020-5568 (Cross-site scripting vulnerability in Cybozu Garoon 4.6.0 to 5.0.0 all ...) NOT-FOR-US: Cybozu Garoon CVE-2020-5567 (Improper authentication vulnerability in Cybozu Garoon 4.0.0 to 4.10.3 ...) NOT-FOR-US: Cybozu Garoon CVE-2020-5566 (Improper authorization vulnerability in Cybozu Garoon 4.0.0 to 4.10.3 ...) NOT-FOR-US: Cybozu Garoon CVE-2020-5565 (Improper input validation vulnerability in Cybozu Garoon 4.0.0 to 4.10 ...) NOT-FOR-US: Cybozu Garoon CVE-2020-5564 (Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.10.3 al ...) NOT-FOR-US: Cybozu Garoon CVE-2020-5563 (Improper authentication vulnerability in Cybozu Garoon 4.0.0 to 4.10.3 ...) NOT-FOR-US: Cybozu Garoon CVE-2020-5562 (Server-side request forgery (SSRF) vulnerability in Cybozu Garoon 4.6. ...) NOT-FOR-US: Cybozu Garoon CVE-2020-5561 (Keijiban Tsumiki v1.15 allows remote attackers to execute arbitrary OS ...) NOT-FOR-US: Keijiban Tsumiki CVE-2020-5560 (WL-Enq 1.11 and 1.12 allows remote attackers to execute arbitrary OS c ...) NOT-FOR-US: WL-Enq CVE-2020-5559 (Cross-site scripting vulnerability in WL-Enq 1.11 and 1.12 allows remo ...) NOT-FOR-US: WL-Enq CVE-2020-5558 (CuteNews 2.0.1 allows remote authenticated attackers to execute arbitr ...) NOT-FOR-US: CuteNews CVE-2020-5557 (Cross-site scripting vulnerability in CuteNews 2.0.1 allows remote att ...) NOT-FOR-US: CuteNews CVE-2020-5556 (Shihonkanri Plus GOOUT Ver1.5.8 and Ver2.2.10 allows remote attackers ...) NOT-FOR-US: Shihonkanri Plus GOOUT CVE-2020-5555 (Shihonkanri Plus GOOUT Ver1.5.8 and Ver2.2.10 allows remote attackers ...) NOT-FOR-US: Shihonkanri Plus GOOUT CVE-2020-5554 (Directory traversal vulnerability in Shihonkanri Plus GOOUT Ver1.5.8 a ...) NOT-FOR-US: Shihonkanri Plus GOOUT CVE-2020-5553 (mailform version 1.04 allows remote attackers to execute arbitrary PHP ...) NOT-FOR-US: mailform CVE-2020-5552 (Cross-site scripting vulnerability in mailform version 1.04 allows rem ...) NOT-FOR-US: mailform CVE-2020-5551 (Toyota 2017 Model Year DCU (Display Control Unit) allows an unauthenti ...) NOT-FOR-US: Toyota CVE-2020-5550 (Session fixation vulnerability in EasyBlocks IPv6 Ver. 2.0.1 and earli ...) NOT-FOR-US: EasyBlocks CVE-2020-5549 (Cross-site request forgery (CSRF) vulnerability in EasyBlocks IPv6 Ver ...) NOT-FOR-US: EasyBlocks CVE-2020-5548 (Yamaha LTE VoIP Router(NVR700W firmware Rev.15.00.15 and earlier), Yam ...) NOT-FOR-US: Yamaha CVE-2020-5547 (Resource Management Errors vulnerability in TCP function included in t ...) NOT-FOR-US: Mitsubishi CVE-2020-5546 (Improper Neutralization of Argument Delimiters in a Command ('Argument ...) NOT-FOR-US: Mitsubishi CVE-2020-5545 (TCP function included in the firmware of Mitsubishi Electric MELQIC IU ...) NOT-FOR-US: Mitsubishi CVE-2020-5544 (Null Pointer Dereference vulnerability in TCP function included in the ...) NOT-FOR-US: Mitsubishi CVE-2020-5543 (TCP function included in the firmware of Mitsubishi Electric MELQIC IU ...) NOT-FOR-US: Mitsubishi CVE-2020-5542 (Buffer error vulnerability in TCP function included in the firmware of ...) NOT-FOR-US: Mitsubishi CVE-2020-5541 RESERVED CVE-2020-5540 RESERVED CVE-2020-5539 (GRANDIT Ver.1.6, Ver.2.0, Ver.2.1, Ver.2.2, Ver.2.3, and Ver.3.0 do no ...) NOT-FOR-US: GRANDIT CVE-2020-5538 (Improper Access Control in PALLET CONTROL Ver. 6.3 and earlier allows ...) NOT-FOR-US: PALLET CONTROL CVE-2020-5537 (Cybozu Desktop for Windows 2.0.23 to 2.2.40 allows remote code executi ...) NOT-FOR-US: Cybozu CVE-2020-5536 (OpenBlocks IoT VX2 prior to Ver.4.0.0 (Ver.3 Series) allows an attacke ...) NOT-FOR-US: OpenBlocks IoT VX2 CVE-2020-5535 (OpenBlocks IoT VX2 prior to Ver.4.0.0 (Ver.3 Series) allows an attacke ...) NOT-FOR-US: OpenBlocks IoT VX2 CVE-2020-5534 (Aterm WG2600HS firmware Ver1.3.2 and earlier allows an authenticated a ...) NOT-FOR-US: Aterm WG2600HS firmware CVE-2020-5533 (Cross-site scripting vulnerability in Aterm WG2600HS firmware Ver1.3.2 ...) NOT-FOR-US: Aterm WG2600HS firmware CVE-2020-5532 (ilbo App (ilbo App for Android prior to version 1.1.8 and ilbo App for ...) NOT-FOR-US: ilbo App CVE-2020-5531 (Mitsubishi Electric MELSEC C Controller Module and MELIPC Series MI500 ...) NOT-FOR-US: Mitsubishi CVE-2020-5530 (Cross-site request forgery (CSRF) vulnerability in Easy Property Listi ...) NOT-FOR-US: Easy Property Listings plugin for WordPress CVE-2020-5529 (HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. Html ...) - htmlunit NOTE: https://github.com/HtmlUnit/htmlunit/commit/934390fefcd2cd58e6d86f2bc19d811ae17bfa28 TODO: check details, might affect jenkins-htmlunit CVE-2020-5528 (Cross-site scripting vulnerability in Movable Type series (Movable Typ ...) - movabletype-opensource CVE-2020-5527 (When MELSOFT transmission port (UDP/IP) of Mitsubishi Electric MELSEC ...) NOT-FOR-US: Mitsubishi CVE-2020-5526 (The AWMS Mobile App for Android 2.0.0 to 2.0.5 and for iOS 2.0.0 to 2. ...) NOT-FOR-US: AWMS Mobile App for Android and iOS CVE-2020-5525 (Aterm series (Aterm WF1200C firmware Ver1.2.1 and earlier, Aterm WG120 ...) NOT-FOR-US: Aterm series firmware CVE-2020-5524 (Aterm series (Aterm WF1200C firmware Ver1.2.1 and earlier, Aterm WG120 ...) NOT-FOR-US: Aterm series firmware CVE-2020-5523 (Android App 'MyPallete' and some of the Android banking applications b ...) NOT-FOR-US: MyPallete CVE-2020-5522 (The kantan netprint App for Android 2.0.3 and earlier does not verify ...) NOT-FOR-US: kantan netprint App for Android CVE-2020-5521 (The kantan netprint App for iOS 2.0.2 and earlier does not verify X.50 ...) NOT-FOR-US: kantan netprint App for iOS CVE-2020-5520 (The netprint App for iOS 3.2.3 and earlier does not verify X.509 certi ...) NOT-FOR-US: netprint App for iOS CVE-2020-5519 (The WebAdmin Console in OpenLiteSpeed before v1.6.5 does not strictly ...) NOT-FOR-US: OpenLiteSpeed CVE-2019-20356 RESERVED CVE-2016-11017 (The application login page in AKIPS Network Monitor 15.37 through 16.5 ...) NOT-FOR-US: AKIPS Network Monitor CVE-2020-5518 RESERVED CVE-2020-5517 (CSRF in the /login URI in BlueOnyx 5209R allows an attacker to access ...) NOT-FOR-US: BlueOnyx CVE-2020-5516 RESERVED CVE-2020-5515 (Gila CMS 1.11.8 allows /admin/sql?query= SQL Injection. ...) NOT-FOR-US: Gila CMS CVE-2020-5514 (Gila CMS 1.11.8 allows Unrestricted Upload of a File with a Dangerous ...) NOT-FOR-US: Gila CMS CVE-2020-5513 (Gila CMS 1.11.8 allows /cm/delete?t=../ Directory Traversal. ...) NOT-FOR-US: Gila CMS CVE-2020-5512 (Gila CMS 1.11.8 allows /admin/media?path=../ Path Traversal. ...) NOT-FOR-US: Gila CMS CVE-2020-5511 (PHPGurukul Small CRM v2.0 was found vulnerable to authentication bypas ...) NOT-FOR-US: PHPGurukul Small CRM CVE-2020-5510 (PHPGurukul Hostel Management System v2.0 allows SQL injection via the ...) NOT-FOR-US: PHPGurukul Hostel Management System CVE-2020-5509 (PHPGurukul Car Rental Project v1.0 allows Remote Code Execution via an ...) NOT-FOR-US: PHPGurukul Car Rental Project CVE-2020-5508 RESERVED CVE-2019-20355 RESERVED CVE-2019-20354 (The web application component of piSignage before 2.6.4 allows a remot ...) NOT-FOR-US: piSignage CVE-2019-20353 RESERVED CVE-2019-20352 (In Netwide Assembler (NASM) 2.15rc0, a heap-based buffer over-read occ ...) - nasm (unimportant) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392636 NOTE: Crash in CLI tool, no security impact CVE-2019-20351 RESERVED CVE-2019-20350 RESERVED CVE-2019-20349 RESERVED CVE-2019-20348 (OKER G232V1 v1.03.02.20161129 devices provide a root terminal on a UAR ...) NOT-FOR-US: OKER G232V1 devices CVE-2019-20347 RESERVED CVE-2019-20346 RESERVED CVE-2019-20345 RESERVED CVE-2019-20344 RESERVED CVE-2019-20343 (The MojoHaus Exec Maven plugin 1.1.1 for Maven allows code execution v ...) NOT-FOR-US: Maven plugin CVE-2019-20342 RESERVED CVE-2019-20341 RESERVED CVE-2019-20340 RESERVED CVE-2019-20339 RESERVED CVE-2019-20338 RESERVED CVE-2019-20337 (In PHP Scripts Mall advanced-real-estate-script 4.0.9, the news_edit.p ...) NOT-FOR-US: PHP Scripts Mall advanced-real-estate-script CVE-2019-20336 (In PHP Scripts Mall advanced-real-estate-script 4.0.9, the search-resu ...) NOT-FOR-US: PHP Scripts Mall advanced-real-estate-script CVE-2019-20335 RESERVED CVE-2020-5507 RESERVED CVE-2020-5506 RESERVED CVE-2020-5505 (Freelancy v1.0.0 allows remote command execution via the "file":"data: ...) NOT-FOR-US: Freelancy CVE-2020-5504 (In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists ...) {DLA-2060-1} - phpmyadmin 4:4.9.4+dfsg1-1 (bug #948718) [stretch] - phpmyadmin (Minor issue; can be fixed via point release) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/c86acbf3ed49f69cf38b31879886dd5eb86b6983 NOTE: https://gist.github.com/ibennetch/4c1b701f4b766e4dd5556e8e26200b6b NOTE: https://www.phpmyadmin.net/security/PMASA-2020-1/ CVE-2020-5503 RESERVED CVE-2020-5502 (phpBB 3.2.8 allows a CSRF attack that can approve pending group member ...) NOT-FOR-US: phpBB CVE-2020-5501 (phpBB 3.2.8 allows a CSRF attack that can modify a group avatar. ...) NOT-FOR-US: phpBB CVE-2020-5500 RESERVED CVE-2020-5499 (Baidu Rust SGX SDK through 1.0.8 has an enclave ID race. There are non ...) NOT-FOR-US: Baidu Rust SGX SDK CVE-2020-5498 REJECTED CVE-2020-5497 (The OpenID Connect reference implementation for MITREid Connect throug ...) NOT-FOR-US: MITREid Connect CVE-2020-5496 (FontForge 20190801 has a heap-based buffer overflow in the Type2NotDef ...) - fontforge (bug #948231) [buster] - fontforge (Minor issue) [stretch] - fontforge (Minor issue) [jessie] - fontforge (Minor issue) NOTE: https://github.com/fontforge/fontforge/issues/4085 CVE-2020-5495 RESERVED CVE-2020-5494 RESERVED CVE-2020-5493 RESERVED CVE-2020-5492 RESERVED CVE-2020-5491 RESERVED CVE-2020-5490 RESERVED CVE-2020-5489 RESERVED CVE-2020-5488 RESERVED CVE-2020-5487 RESERVED CVE-2020-5486 RESERVED CVE-2020-5485 RESERVED CVE-2020-5484 RESERVED CVE-2020-5483 RESERVED CVE-2020-5482 RESERVED CVE-2020-5481 RESERVED CVE-2020-5480 RESERVED CVE-2020-5479 RESERVED CVE-2020-5478 RESERVED CVE-2020-5477 RESERVED CVE-2020-5476 RESERVED CVE-2020-5475 RESERVED CVE-2020-5474 RESERVED CVE-2020-5473 RESERVED CVE-2020-5472 RESERVED CVE-2020-5471 RESERVED CVE-2020-5470 RESERVED CVE-2020-5469 RESERVED CVE-2020-5468 RESERVED CVE-2020-5467 RESERVED CVE-2020-5466 RESERVED CVE-2020-5465 RESERVED CVE-2020-5464 RESERVED CVE-2020-5463 RESERVED CVE-2020-5462 RESERVED CVE-2020-5461 RESERVED CVE-2020-5460 RESERVED CVE-2020-5459 RESERVED CVE-2020-5458 RESERVED CVE-2020-5457 RESERVED CVE-2020-5456 RESERVED CVE-2020-5455 RESERVED CVE-2020-5454 RESERVED CVE-2020-5453 RESERVED CVE-2020-5452 RESERVED CVE-2020-5451 RESERVED CVE-2020-5450 RESERVED CVE-2020-5449 RESERVED CVE-2020-5448 RESERVED CVE-2020-5447 RESERVED CVE-2020-5446 RESERVED CVE-2020-5445 RESERVED CVE-2020-5444 RESERVED CVE-2020-5443 RESERVED CVE-2020-5442 RESERVED CVE-2020-5441 RESERVED CVE-2020-5440 RESERVED CVE-2020-5439 RESERVED CVE-2020-5438 RESERVED CVE-2020-5437 RESERVED CVE-2020-5436 RESERVED CVE-2020-5435 RESERVED CVE-2020-5434 RESERVED CVE-2020-5433 RESERVED CVE-2020-5432 RESERVED CVE-2020-5431 RESERVED CVE-2020-5430 RESERVED CVE-2020-5429 RESERVED CVE-2020-5428 RESERVED CVE-2020-5427 RESERVED CVE-2020-5426 RESERVED CVE-2020-5425 RESERVED CVE-2020-5424 RESERVED CVE-2020-5423 RESERVED CVE-2020-5422 RESERVED CVE-2020-5421 RESERVED CVE-2020-5420 RESERVED CVE-2020-5419 RESERVED CVE-2020-5418 RESERVED CVE-2020-5417 RESERVED CVE-2020-5416 RESERVED CVE-2020-5415 RESERVED CVE-2020-5414 RESERVED CVE-2020-5413 RESERVED CVE-2020-5412 RESERVED CVE-2020-5411 (When configured to enable default typing, Jackson contained a deserial ...) TODO: check CVE-2020-5410 (Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x pri ...) NOT-FOR-US: Spring Cloud Config CVE-2020-5409 (Pivotal Concourse, most versions prior to 6.0.0, allows redirects to u ...) NOT-FOR-US: Pivotal CVE-2020-5408 (Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5 ...) - libspring-security-2.0-java [jessie] - libspring-security-2.0-java (Vulnerable code introduced later) CVE-2020-5407 (Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 ...) - libspring-security-2.0-java [jessie] - libspring-security-2.0-java (Vulnerable code introduced later) CVE-2020-5406 (VMware Tanzu Application Service for VMs, 2.6.x versions prior to 2.6. ...) NOT-FOR-US: VMware CVE-2020-5405 (Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x pri ...) NOT-FOR-US: Spring Cloud Config CVE-2020-5404 (The HttpClient from Reactor Netty, versions 0.9.x prior to 0.9.5, and ...) NOT-FOR-US: Reactor Netty, different from src:netty CVE-2020-5403 (Reactor Netty HttpServer, versions 0.9.3 and 0.9.4, is exposed to a UR ...) NOT-FOR-US: Reactor Netty, different from src:netty CVE-2020-5402 (In Cloud Foundry UAA, versions prior to 74.14.0, a CSRF vulnerability ...) NOT-FOR-US: Cloud Foundry CVE-2020-5401 (Cloud Foundry Routing Release, versions prior to 0.197.0, contains GoR ...) NOT-FOR-US: Cloud Foundry CVE-2020-5400 (Cloud Foundry Cloud Controller (CAPI), versions prior to 1.91.0, logs ...) NOT-FOR-US: Cloud Foundry CVE-2020-5399 (Cloud Foundry CredHub, versions prior to 2.5.10, connects to a MySQL d ...) NOT-FOR-US: Cloud Foundry CredHub CVE-2020-5398 (In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x pri ...) - libspring-java [jessie] - libspring-java (Vulnerable code not present) NOTE: https://pivotal.io/security/cve-2020-5398 NOTE: https://github.com/spring-projects/spring-framework/issues/24220 NOTE: https://github.com/spring-projects/spring-framework/commit/41f40c6c229d3b4f768718f1ec229d8f0ad76d76 NOTE: https://github.com/spring-projects/spring-framework/commit/956ffe68587c8d5f21135b5ce4650af0c2dea933 CVE-2020-5397 (Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF ...) - libspring-java [jessie] - libspring-java (Vulnerable code not present) NOTE: https://pivotal.io/security/cve-2020-5397 NOTE: https://github.com/spring-projects/spring-framework/issues/24327 NOTE: https://github.com/spring-projects/spring-framework/commit/bc7d01048579430b4b2df668178809b63d3f1929 CVE-2020-5396 RESERVED CVE-2020-5395 (FontForge 20190801 has a use-after-free in SFD_GetFontMetaData in sfd. ...) - fontforge (bug #948231) [buster] - fontforge (Minor issue) [stretch] - fontforge (Minor issue) [jessie] - fontforge (Minor issue) NOTE: https://github.com/fontforge/fontforge/issues/4084 CVE-2019-20334 (In Netwide Assembler (NASM) 2.14.02, stack consumption occurs in expr# ...) - nasm (unimportant) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392548#c4 NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392638 NOTE: Crash in CLI tool, no security impact CVE-2015-9540 (Chamilo LMS through 1.9.10.2 allows a link_goto.php?link_url= open red ...) NOT-FOR-US: Chamilo LMS CVE-2014-10398 (Multiple cross-site scripting (XSS) vulnerabilities in bsi.dll in Bank ...) NOT-FOR-US: Bank Soft Systems (BSS) RBS BS-Client CVE-2020-5394 RESERVED CVE-2020-5393 (In Appspace On-Prem through 7.1.3, an adversary can steal a session to ...) NOT-FOR-US: Appspace On-Prem CVE-2020-5392 (A stored cross-site scripting (XSS) vulnerability exists in the Auth0 ...) NOT-FOR-US: Auth0 plugin for WordPress CVE-2020-5391 (Cross-site request forgery (CSRF) vulnerabilities exist in the Auth0 p ...) NOT-FOR-US: Auth0 plugin for WordPress CVE-2020-5390 (PySAML2 before 5.0.0 does not check that the signature in a SAML docum ...) {DSA-4630-1 DLA-2119-1} - python-pysaml2 4.5.0-7 (bug #949322) NOTE: https://github.com/IdentityPython/pysaml2/commit/5e9d5acbcd8ae45c4e736ac521fd2df5b1c62e25 (v5.0.0) CVE-2020-5389 RESERVED CVE-2020-5388 RESERVED CVE-2020-5387 RESERVED CVE-2020-5386 RESERVED CVE-2020-5385 RESERVED CVE-2020-5384 RESERVED CVE-2020-5383 RESERVED CVE-2020-5382 RESERVED CVE-2020-5381 RESERVED CVE-2020-5380 RESERVED CVE-2020-5379 RESERVED CVE-2020-5378 RESERVED CVE-2020-5377 RESERVED CVE-2020-5376 RESERVED CVE-2020-5375 RESERVED CVE-2020-5374 RESERVED CVE-2020-5373 RESERVED CVE-2020-5372 (Dell EMC PowerStore versions prior to 1.0.1.0.5.002 contain a vulnerab ...) NOT-FOR-US: EMC CVE-2020-5371 (Dell EMC Isilon OneFS versions 8.2.2 and earlier and Dell EMC PowerSca ...) NOT-FOR-US: EMC CVE-2020-5370 RESERVED CVE-2020-5369 RESERVED CVE-2020-5368 (Dell EMC VxRail versions 4.7.410 and 4.7.411 contain an improper authe ...) NOT-FOR-US: EMC CVE-2020-5367 (Dell EMC Unisphere for PowerMax versions prior to 9.1.0.17, Dell EMC U ...) NOT-FOR-US: Dell EMC CVE-2020-5366 RESERVED CVE-2020-5365 (Dell EMC Isilon versions 8.2.2 and earlier contain a remotesupport vul ...) NOT-FOR-US: EMC CVE-2020-5364 (Dell EMC Isilon OneFS versions 8.2.2 and earlier contain an SNMPv2 vul ...) NOT-FOR-US: EMC CVE-2020-5363 (Select Dell Client Consumer and Commercial platforms include an issue ...) NOT-FOR-US: Dell CVE-2020-5362 (Dell Client Consumer and Commercial platforms include an improper auth ...) NOT-FOR-US: Dell CVE-2020-5361 RESERVED CVE-2020-5360 RESERVED CVE-2020-5359 RESERVED CVE-2020-5358 (Dell Encryption versions prior to 10.7 and Dell Endpoint Security Suit ...) NOT-FOR-US: Dell Encryption CVE-2020-5357 (Dell Dock Firmware Update Utilities for Dell Client Consumer and Comme ...) NOT-FOR-US: Dell CVE-2020-5356 (Dell PowerProtect Data Manager (PPDM) versions prior to 19.4 and Dell ...) NOT-FOR-US: Dell CVE-2020-5355 RESERVED CVE-2020-5354 RESERVED CVE-2020-5353 RESERVED CVE-2020-5352 (Dell EMC Data Protection Advisor 6.4, 6.5 and 18.1 contain an OS comma ...) NOT-FOR-US: EMC CVE-2020-5351 RESERVED CVE-2020-5350 (Dell EMC Integrated Data Protection Appliance versions 2.0, 2.1, 2.2, ...) NOT-FOR-US: EMC CVE-2020-5349 RESERVED CVE-2020-5348 (Dell Latitude 7202 Rugged Tablet BIOS versions prior to A28 contain a ...) NOT-FOR-US: Dell CVE-2020-5347 (Dell EMC Isilon OneFS versions 8.2.2 and earlier contain a denial of s ...) NOT-FOR-US: Dell EMC Isilon OneFS CVE-2020-5346 (RSA Authentication Manager versions prior to 8.4 P11 contain a stored ...) NOT-FOR-US: RSA Authentication Manager CVE-2020-5345 (Dell EMC Unisphere for PowerMax versions prior to 9.1.0.17, Dell EMC U ...) NOT-FOR-US: Dell EMC CVE-2020-5344 (Dell EMC iDRAC7, iDRAC8 and iDRAC9 versions prior to 2.65.65.65, 2.70. ...) NOT-FOR-US: EMC CVE-2020-5343 (Dell Client platforms restored using a Dell OS recovery image download ...) NOT-FOR-US: Dell CVE-2020-5342 (Dell Digital Delivery versions prior to 3.5.2015 contain an incorrect ...) NOT-FOR-US: Dell CVE-2020-5341 RESERVED CVE-2020-5340 (RSA Authentication Manager versions prior to 8.4 P10 contain a stored ...) NOT-FOR-US: RSA Authentication Manager CVE-2020-5339 (RSA Authentication Manager versions prior to 8.4 P10 contain a stored ...) NOT-FOR-US: RSA Authentication Manager CVE-2020-5338 RESERVED CVE-2020-5337 (RSA Archer, versions prior to 6.7 P1 (6.7.0.1), contain a URL redirect ...) NOT-FOR-US: RSA CVE-2020-5336 (RSA Archer, versions prior to 6.7 P1 (6.7.0.1), contain a URL injectio ...) NOT-FOR-US: RSA CVE-2020-5335 (RSA Archer, versions prior to 6.7 P2 (6.7.0.2), contain a cross-site r ...) NOT-FOR-US: RSA CVE-2020-5334 (RSA Archer, versions prior to 6.7 P2 (6.7.0.2), contains a Document Ob ...) NOT-FOR-US: RSA CVE-2020-5333 (RSA Archer, versions prior to 6.7 P3 (6.7.0.3), contain an authorizati ...) NOT-FOR-US: RSA CVE-2020-5332 (RSA Archer, versions prior to 6.7 P3 (6.7.0.3), contain a command inje ...) NOT-FOR-US: RSA CVE-2020-5331 (RSA Archer, versions prior to 6.7 P3 (6.7.0.3), contain an information ...) NOT-FOR-US: RSA CVE-2020-5330 (Dell EMC Networking X-Series firmware versions 3.0.1.2 and older, Dell ...) NOT-FOR-US: EMC CVE-2020-5329 RESERVED CVE-2020-5328 (Dell EMC Isilon OneFS versions prior to 8.2.0 contain an unauthorized ...) NOT-FOR-US: EMC CVE-2020-5327 (Dell Security Management Server versions prior to 10.2.10 contain a Ja ...) NOT-FOR-US: Dell CVE-2020-5326 (Affected Dell Client platforms contain a BIOS Setup configuration auth ...) NOT-FOR-US: Dell CVE-2020-5325 RESERVED CVE-2020-5324 (Dell Client Consumer and Commercial Platforms contain an Arbitrary Fil ...) NOT-FOR-US: Dell CVE-2020-5323 RESERVED CVE-2020-5322 RESERVED CVE-2020-5321 RESERVED CVE-2020-5320 RESERVED CVE-2020-5319 (Dell EMC Unity, Dell EMC Unity XT, and Dell EMC UnityVSA versions prio ...) NOT-FOR-US: EMC CVE-2020-5318 (Dell EMC Isilon OneFS versions 8.1.2, 8.1.0.4, 8.1.0.3, and 8.0.0.7 co ...) NOT-FOR-US: EMC CVE-2020-5317 (Dell EMC ECS versions prior to 3.4.0.1 contain an XSS vulnerability. A ...) NOT-FOR-US: EMC CVE-2020-5316 RESERVED CVE-2020-5315 RESERVED CVE-2019-20333 RESERVED CVE-2019-20332 RESERVED CVE-2019-20331 RESERVED CVE-2020-5314 RESERVED CVE-2020-5313 (libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overfl ...) {DSA-4631-1 DLA-2057-1} - pillow 7.0.0-1 (bug #948224) NOTE: https://github.com/python-pillow/Pillow/commit/a09acd0decd8a87ccce939d5ff65dab59e7d365b (6.2.2) CVE-2020-5312 (libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer ...) {DSA-4631-1 DLA-2057-1} - pillow 7.0.0-1 (bug #948224) NOTE: https://github.com/python-pillow/Pillow/commit/93b22b846e0269ee9594ff71a72bec02d2bea8fd (6.2.2) CVE-2020-5311 (libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer ove ...) - pillow 7.0.0-1 (bug #948224) [buster] - pillow 5.4.1-2+deb10u1 [stretch] - pillow (Vulnerable code not present) [jessie] - pillow (The vulnerable code was introduced later) NOTE: https://github.com/python-pillow/Pillow/commit/a79b65c47c7dc6fe623aadf09aa6192fc54548f3 (6.2.2) CVE-2020-5310 (libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding int ...) - pillow 7.0.0-1 (bug #948224) [buster] - pillow (Vulnerability introduced later) [stretch] - pillow (Vulnerable code not present) [jessie] - pillow (The vulnerable code was introduced later) NOTE: Introduced by: https://github.com/python-pillow/Pillow/commit/f0436a4ddc954541fa10a531e2d9ea0c5ae2065d (5.3.0) NOTE: and https://github.com/python-pillow/Pillow/commit/e91b851fdc1c914419543f485bdbaa010790719f (6.0.0) NOTE: Fixed by: https://github.com/python-pillow/Pillow/commit/4e2def2539ec13e53a82e06c4b3daf00454100c4 (6.2.2) CVE-2020-5309 RESERVED CVE-2020-5308 (PHPGurukul Dairy Farm Shop Management System 1.0 is vulnerable to XSS, ...) NOT-FOR-US: PHPGurukul Dairy Farm Shop Management System CVE-2020-5307 (PHPGurukul Dairy Farm Shop Management System 1.0 is vulnerable to SQL ...) NOT-FOR-US: PHPGurukul Dairy Farm Shop Management System CVE-2020-5306 (Codoforum 4.8.3 allows XSS via a post using parameters display name, t ...) NOT-FOR-US: Codoforum CVE-2020-5305 (Codoforum 4.8.3 allows XSS in the admin dashboard via a name field of ...) NOT-FOR-US: Codoforum CVE-2020-5304 (The dashboard in WhiteSource Application Vulnerability Management (AVM ...) NOT-FOR-US: WhiteSource Application Vulnerability Management (AVM) CVE-2020-5303 (Tendermint before versions 0.33.3, 0.32.10, and 0.31.12 has a denial-o ...) NOT-FOR-US: Tendermint CVE-2020-5302 (MH-WikiBot (an IRC Bot for interacting with the Miraheze API), had a b ...) NOT-FOR-US: MH-WikiBot CVE-2020-5301 (SimpleSAMLphp versions before 1.18.6 contain an information disclosure ...) - simplesamlphp (Windows-only issue) CVE-2020-5300 (In Hydra (an OAuth2 Server and OpenID Certified™ OpenID Connect ...) NOT-FOR-US: ORY Hydra CVE-2020-5299 (In OctoberCMS (october/october composer package) versions from 1.0.319 ...) NOT-FOR-US: OctoberCMS CVE-2020-5298 (In OctoberCMS (october/october composer package) versions from 1.0.319 ...) NOT-FOR-US: OctoberCMS CVE-2020-5297 (In OctoberCMS (october/october composer package) versions from 1.0.319 ...) NOT-FOR-US: OctoberCMS CVE-2020-5296 (In OctoberCMS (october/october composer package) versions from 1.0.319 ...) NOT-FOR-US: OctoberCMS CVE-2020-5295 (In OctoberCMS (october/october composer package) versions from 1.0.319 ...) NOT-FOR-US: OctoberCMS CVE-2020-5294 (PrestaShop module ps_facetedsearch versions before 2.1.0 has a reflect ...) NOT-FOR-US: PrestaShop CVE-2020-5293 (In PrestaShop between versions 1.7.0.0 and 1.7.6.5, there are improper ...) NOT-FOR-US: PrestaShop CVE-2020-5292 (Leantime before versions 2.0.15 and 2.1-beta3 has a SQL Injection vuln ...) NOT-FOR-US: Leantime CVE-2020-5290 (In RedpwnCTF before version 2.3, there is a session fixation vulnerabi ...) NOT-FOR-US: RedpwnCTF CVE-2020-5289 (In Elide before 4.5.14, it is possible for an adversary to "guess and ...) NOT-FOR-US: Elide CVE-2020-5288 ("In PrestaShop between versions 1.7.0.0 and 1.7.6.5, there is improper ...) NOT-FOR-US: PrestaShop CVE-2020-5287 (In PrestaShop between versions 1.5.5.0 and 1.7.6.5, there is improper ...) NOT-FOR-US: PrestaShop CVE-2020-5286 (In PrestaShop between versions 1.7.4.0 and 1.7.6.5, there is a reflect ...) NOT-FOR-US: PrestaShop CVE-2020-5285 (In PrestaShop between versions 1.7.6.0 and 1.7.6.5, there is a reflect ...) NOT-FOR-US: PrestaShop CVE-2020-5284 (Next.js versions before 9.3.2 have a directory traversal vulnerability ...) NOT-FOR-US: next.js CVE-2020-5283 (ViewVC before versions 1.1.28 and 1.2.1 has a XSS vulnerability in CVS ...) - viewvc [buster] - viewvc (Minor issue) [stretch] - viewvc (Minor issue) [jessie] - viewvc (Minor issue) NOTE: https://github.com/viewvc/viewvc/security/advisories/GHSA-xpxf-fvqv-7mfg NOTE: https://github.com/viewvc/viewvc/commit/ad0f966e9a997b17d853a6972ea283d4dcd70fa8 NOTE: https://github.com/viewvc/viewvc/issues/211 CVE-2020-5282 (In Nick Chan Bot before version 1.0.0-beta there is a vulnerability in ...) NOT-FOR-US: Nick Chan Bot CVE-2020-5281 (In Perun before version 3.9.1, VO or group manager can modify configur ...) NOT-FOR-US: Perun CVE-2020-5280 (http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file i ...) NOT-FOR-US: http4s CVE-2020-5279 (In PrestaShop between versions 1.5.0.0 and 1.7.6.5, there are improper ...) NOT-FOR-US: PrestaShop CVE-2020-5278 (In PrestaShop between versions 1.5.4.0 and 1.7.6.5, there is a reflect ...) NOT-FOR-US: PrestaShop CVE-2020-5277 (PrestaShop module ps_facetedsearch versions before 3.5.0 has a reflect ...) NOT-FOR-US: PrestaShop CVE-2020-5276 (In PrestaShop between versions 1.7.1.0 and 1.7.6.5, there is a reflect ...) NOT-FOR-US: PrestaShop CVE-2020-5275 (In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Fire ...) - symfony 4.4.8-1 (bug #961415) [buster] - symfony (Introduced in 4.4.0) [stretch] - symfony (Introduced in 4.4.0) [jessie] - symfony (Introduced in 4.4.0) NOTE: https://symfony.com/blog/cve-2020-5275-all-access-control-rules-are-required-when-a-firewall-uses-the-unanimous-strategy NOTE: https://github.com/symfony/symfony/commit/c935e4a3fba6cc2ab463a6ca382858068d63cebf CVE-2020-5274 (In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exc ...) - symfony 4.4.8-1 (bug #961415) [buster] - symfony (Introduced in 4.4.0) [stretch] - symfony (Introduced in 4.4.0) [jessie] - symfony (Introduced in 4.4.0) NOTE: https://symfony.com/blog/cve-2020-5274-fix-exception-message-escaping-rendered-by-errorhandler NOTE: https://github.com/symfony/symfony/commit/cf80224589ac05402d4f72f5ddf80900ec94d5ad NOTE: https://github.com/symfony/symfony/commit/629d21b800a15dc649fb0ae9ed7cd9211e7e45db CVE-2020-5273 (In PrestaShop module ps_linklist versions before 3.1.0, there is a sto ...) NOT-FOR-US: PrestaShop CVE-2020-5272 (In PrestaShop between versions 1.5.5.0 and 1.7.6.5, there is a reflect ...) NOT-FOR-US: PrestaShop CVE-2020-5271 (In PrestaShop between versions 1.6.0.0 and 1.7.6.5, there is a reflect ...) NOT-FOR-US: PrestaShop CVE-2020-5270 (In PrestaShop between versions 1.7.6.0 and 1.7.6.5, there is an open r ...) NOT-FOR-US: PrestaShop CVE-2020-5269 (In PrestaShop between versions 1.7.6.1 and 1.7.6.5, there is a reflect ...) NOT-FOR-US: PrestaShop CVE-2020-5268 (In Saml2 Authentication Services for ASP.NET versions before 1.0.2, an ...) NOT-FOR-US: Saml2 Authentication Services for ASP.NET CVE-2020-5267 (In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible ...) {DLA-2149-1} - rails 2:5.2.4.1+dfsg-2 (bug #954304) [buster] - rails 2:5.2.2.1+dfsg-1+deb10u1 [stretch] - rails (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2020/03/19/1 NOTE: https://github.com/rails/rails/commit/033a738817abd6e446e1b320cb7d1a5c15224e9a (master) CVE-2020-5266 (In the ps_link module for PrestaShop before version 3.1.0, there is a ...) NOT-FOR-US: PrestaShop CVE-2020-5265 (In PrestaShop between versions 1.7.6.1 and 1.7.6.5, there is a reflect ...) NOT-FOR-US: PrestaShop CVE-2020-5264 (In PrestaShop before version 1.7.6.5, there is a reflected XSS while r ...) NOT-FOR-US: PrestaShop CVE-2020-5263 (auth0.js (NPM package auth0-js) greater than version 8.0.0 and before ...) NOT-FOR-US: Node auth0-js CVE-2020-5262 (In EasyBuild before version 4.1.2, the GitHub Personal Access Token (P ...) NOT-FOR-US: EasyBuild CVE-2020-5261 (Saml2 Authentication services for ASP.NET (NuGet package Sustainsys.Sa ...) NOT-FOR-US: ASP.NET CVE-2020-5260 (Affected versions of Git have a vulnerability whereby Git can be trick ...) {DSA-4657-1 DLA-2177-1} - git 1:2.26.1-1 NOTE: https://lore.kernel.org/lkml/xmqqy2qy7xn8.fsf@gitster.c.googlers.com/ NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b NOTE: Additional/nice-to-have: https://git.kernel.org/pub/scm/git/git.git/commit/?id=17f1c0b8c7e447aa62f85dc355bb48133d2812f2 NOTE: Additional/nice-to-have: https://git.kernel.org/pub/scm/git/git.git/commit/?id=c716fe4bd917e013bf376a678b3a924447777b2d NOTE: Additional/nice-to-have: https://git.kernel.org/pub/scm/git/git.git/commit/?id=07259e74ec1237c836874342c65650bdee8a3993 NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=2021 NOTE: https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q CVE-2020-5259 (In affected versions of dojox (NPM package), the jqMix method is vulne ...) {DLA-2139-1} - dojo 1.15.3+dfsg1-1 (bug #953587) [buster] - dojo (Minor issue) NOTE: https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw NOTE: https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da CVE-2020-5258 (In affected versions of dojo (NPM package), the deepCopy method is vul ...) {DLA-2139-1} - dojo 1.15.3+dfsg1-1 (bug #953585) [buster] - dojo (Minor issue) NOTE: https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2 NOTE: https://github.com/dojo/dojo/commit/20a00afb68f5587946dc76fbeaa68c39bda2171d CVE-2020-5257 (In Administrate (rubygem) before version 0.13.0, when sorting by attri ...) NOT-FOR-US: Administrate ruby gem CVE-2020-5256 (BookStack before version 0.25.5 has a vulnerability where a user could ...) NOT-FOR-US: BookStack CVE-2020-5255 (In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not ...) - symfony 4.4.8-1 (bug #961415) [buster] - symfony (Introduced in 4.4.0) [stretch] - symfony (Introduced in 4.4.0) [jessie] - symfony (Introduced in 4.4.0) NOTE: https://symfony.com/blog/cve-2020-5255-prevent-cache-poisoning-via-a-response-content-type-header NOTE: https://github.com/symfony/symfony/commit/dca343442e6a954f96a2609e7b4e9c21ed6d74e6 CVE-2020-5254 (In NetHack before 3.6.6, some out-of-bound values for the hilite_statu ...) - nethack 3.6.6-1 (bug #953978) [buster] - nethack (Minor issue) [stretch] - nethack (Vulnerable code introduced in 3.6.1) [jessie] - nethack (Vulnerable code introduced in 3.6.1) NOTE: https://github.com/NetHack/NetHack/security/advisories/GHSA-2ch6-6r8h-m2p9 NOTE: https://nethack.org/security/CVE-2020-5254.html NOTE: Fixed with: https://github.com/NetHack/NetHack/commit/abdd3254ae06dd1fbcff637c4c631783d5ed9741 (NetHack-3.6.6_Released) NOTE: Introduced with: https://github.com/NetHack/NetHack/commit/f8211f69f2008609b59fe4c9ba341ff1fa520825 (NetHack-3.6.1_RC01) CVE-2020-5253 (NetHack before version 3.6.0 allowed malicious use of escaping of char ...) - nethack 3.6.0-1 [jessie] - nethack (Not supported in jessie LTS) NOTE: https://github.com/NetHack/NetHack/security/advisories/GHSA-2c7p-3fj4-223m NOTE: https://github.com/NetHack/NetHack/commit/612755bfb5c412079795c68ba392df5d93874ed8 CVE-2020-5252 (The command-line "safety" package for Python has a potential security ...) NOT-FOR-US: safety Python module CVE-2020-5251 (In parser-server before version 4.1.0, you can fetch all the users obj ...) NOT-FOR-US: parser-server CVE-2020-5250 (In PrestaShop before version 1.7.6.4, when a customer edits their addr ...) NOT-FOR-US: PrestaShop CVE-2020-5249 (In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Pum ...) - puma 3.12.4-1 (bug #953122) [buster] - puma (Minor issue) [stretch] - puma (Minor issue) NOTE: https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58 NOTE: https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3 CVE-2020-5248 (GLPI before before version 9.4.6 has a vulnerability involving a defau ...) - glpi (unimportant) NOTE: Only supported behind an authenticated HTTP zone NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-j222-j9mf-h6j9 NOTE: https://github.com/glpi-project/glpi/commit/efd14468c92c4da43333aa9735e65fd20cbc7c6c CVE-2020-5247 (In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application us ...) - puma 3.12.4-1 (bug #952766) [buster] - puma (Minor issue) [stretch] - puma (Minor issue) NOTE: https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v NOTE: https://github.com/puma/puma/commit/1b17e85a06183cd169b41ca719928c26d44a6e03 (3.12.3) NOTE: https://github.com/puma/puma/commit/694feafcd4fdcea786a0730701dad933f7547bea (4.3.2) CVE-2020-5246 RESERVED CVE-2020-5245 (Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary cod ...) NOT-FOR-US: Dropwizard-Validation CVE-2020-5244 (In BuddyPress before 5.1.2, requests to a certain REST API endpoint ca ...) NOT-FOR-US: BuddyPress CVE-2020-5243 (uap-core before 0.7.3 is vulnerable to a denial of service attack when ...) - uap-core 1:0.8.0-1 (bug #952649) [buster] - uap-core (Minor issue) NOTE: https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p NOTE: https://github.com/ua-parser/uap-core/commit/a679b131697e7371f0441f4799940779efa2f27e NOTE: https://github.com/ua-parser/uap-core/commit/dd279cff09546dbd4174bd05d29c0e90c2cffa7c NOTE: https://github.com/ua-parser/uap-core/commit/7d92a383440c9742ec878273c90a4dcf8446f9af NOTE: https://github.com/ua-parser/uap-core/commit/e9a1c74dae9ecd4aa6385bd34ef6c7243f89b537 CVE-2020-5242 (openHAB before 2.5.2 allow a remote attacker to use REST calls to inst ...) NOT-FOR-US: openHAB CVE-2020-5241 (matestack-ui-core (RubyGem) before 0.7.4 is vulnerable to XSS/Script i ...) NOT-FOR-US: matestack-ui-core Ruby gem CVE-2020-5240 (In wagtail-2fa before 1.4.1, any user with access to the CMS can view ...) NOT-FOR-US: wagtail-2fa CVE-2020-5239 (In Mailu before version 1.7, an authenticated user can exploit a vulne ...) NOT-FOR-US: Mailu CVE-2020-5238 (The table extension in GitHub Flavored Markdown before version 0.29.0. ...) - cmark-gfm - python-cmarkgfm - ruby-commonmarker - haskell-cmark-gfm - r-cran-commonmark NOTE: https://github.com/github/cmark-gfm/security/advisories/GHSA-7gc6-9qr5-hc85 NOTE: https://github.com/github/cmark-gfm/commit/85d895289c5ab67f988ca659493a64abb5fec7b4 CVE-2020-5237 (Multiple relative path traversal vulnerabilities in the oneup/uploader ...) NOT-FOR-US: oneup/uploader-bundle CVE-2020-5236 (Waitress version 1.4.2 allows a DOS attack When waitress receives a he ...) - waitress (Vulnerable code introduced later) NOTE: https://github.com/Pylons/waitress/security/advisories/GHSA-73m2-3pwg-5fgc NOTE: Introduced in: https://github.com/Pylons/waitress/commit/0bf98dadd8cae23830cb365cc6cb9cedd7f98db0 (v1.4.2) NOTE: https://github.com/Pylons/waitress/commit/6e46f9e3f014d64dd7d1e258eaf626e39870ee1f (v1.4.3) CVE-2020-5235 (There is a potentially exploitable out of memory condition In Nanopb b ...) - nanopb (Fixed before initial upload to Debian) NOTE: https://github.com/nanopb/nanopb/security/advisories/GHSA-gcx3-7m76-287p NOTE: https://github.com/nanopb/nanopb/commit/45582f1f97f49e2abfdba1463d1e1027682d9856 NOTE: https://github.com/nanopb/nanopb/commit/7b396821ddd06df8e39143f16e1dc0a4645b89a3 NOTE: https://github.com/nanopb/nanopb/commit/aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2 CVE-2020-5234 (MessagePack for C# and Unity before version 1.9.11 and 2.1.90 has a vu ...) NOT-FOR-US: MessagePack for C# CVE-2020-5233 (OAuth2 Proxy before 5.0 has an open redirect vulnerability. Authentica ...) NOT-FOR-US: OAuth2 Proxy CVE-2020-5232 (A user who owns an ENS domain can set a trapdoor, allowing them to tra ...) NOT-FOR-US: Ethereum CVE-2020-5231 (In Opencast before 7.6 and 8.1, users with the role ROLE_COURSE_ADMIN ...) NOT-FOR-US: Opencast CVE-2020-5230 (Opencast before 8.1 and 7.6 allows almost arbitrary identifiers for me ...) NOT-FOR-US: Opencast CVE-2020-5229 (Opencast before 8.1 stores passwords using the rather outdated and cry ...) NOT-FOR-US: Opencast CVE-2020-5228 (Opencast before 8.1 and 7.6 allows unauthorized public access to all m ...) NOT-FOR-US: Opencast CVE-2020-5227 (Feedgen (python feedgen) before 0.9.0 is susceptible to XML Denial of ...) NOT-FOR-US: Feedgen CVE-2020-5226 (Cross-site scripting in SimpleSAMLphp before version 1.18.4. The www/e ...) - simplesamlphp 1.18.4-1 [buster] - simplesamlphp (Vulnerable code introduced later) [stretch] - simplesamlphp (Vulnerable code introduced later) [jessie] - simplesamlphp (Vulnerable code introduced later) NOTE: https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-mj9p-v2r8-wf8w NOTE: https://simplesamlphp.org/security/202001-01 CVE-2020-5225 (Log injection in SimpleSAMLphp before version 1.18.4. The www/errorepo ...) - simplesamlphp 1.18.4-1 (low) [buster] - simplesamlphp (Minor issue) [stretch] - simplesamlphp (Minor issue) [jessie] - simplesamlphp (Minor issue) NOTE: https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-6gc6-m364-85ww NOTE: https://simplesamlphp.org/security/202001-02 CVE-2020-5224 (In Django User Sessions (django-user-sessions) before 1.7.1, the views ...) NOT-FOR-US: Django User Sessions (django-user-sessions) CVE-2020-5223 (In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a p ...) NOT-FOR-US: PrivateBin CVE-2020-5222 (Opencast before 7.6 and 8.1 enables a remember-me cookie based on a ha ...) NOT-FOR-US: Opencast CVE-2020-5221 (In uftpd before 2.11, it is possible for an unauthenticated user to pe ...) NOT-FOR-US: uftpd CVE-2020-5220 (Sylius ResourceBundle accepts and uses any serialisation groups to be ...) NOT-FOR-US: Sylius CVE-2020-5219 (Angular Expressions before version 1.0.1 has a remote code execution v ...) NOT-FOR-US: Angular Expressions CVE-2020-5218 (Affected versions of Sylius give attackers the ability to switch chann ...) NOT-FOR-US: Sylius CVE-2020-5217 (In Secure Headers (RubyGem secure_headers), a directive injection vuln ...) - ruby-secure-headers (bug #949999) NOTE: https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c NOTE: https://github.com/twitter/secure_headers/commit/936a160e3e9659737a9f9eafce13eea36b5c9fa3 NOTE: https://github.com/twitter/secure_headers/issues/418 NOTE: https://github.com/twitter/secure_headers/pull/421 CVE-2020-5216 (In Secure Headers (RubyGem secure_headers), a directive injection vuln ...) - ruby-secure-headers (bug #949998) NOTE: https://github.com/twitter/secure_headers/security/advisories/GHSA-w978-rmpf-qmwg NOTE: https://github.com/twitter/secure_headers/commit/301695706f6a70517c2a90c6ef9b32178440a2d0 CVE-2020-5215 (In TensorFlow before 1.15.2 and 2.0.1, converting a string (from Pytho ...) - tensorflow (bug #804612) CVE-2020-5214 (In NetHack before 3.6.5, detecting an unknown configuration file optio ...) - nethack 3.6.6-1 (unimportant) NOTE: https://github.com/NetHack/NetHack/security/advisories/GHSA-p8fw-rq89-xqx6 NOTE: Negligible security impact CVE-2020-5213 (In NetHack before 3.6.5, too long of a value for the SYMBOL configurat ...) - nethack 3.6.6-1 (unimportant) NOTE: https://github.com/NetHack/NetHack/security/advisories/GHSA-rr25-4v34-pr7v NOTE: Negligible security impact CVE-2020-5212 (In NetHack before 3.6.5, an extremely long value for the MENUCOLOR con ...) - nethack 3.6.6-1 (unimportant) NOTE: https://github.com/NetHack/NetHack/security/advisories/GHSA-g89f-m829-4m56 NOTE: Negligible security impact CVE-2020-5211 (In NetHack before 3.6.5, an invalid extended command in value for the ...) - nethack 3.6.6-1 (unimportant) NOTE: https://github.com/NetHack/NetHack/security/advisories/GHSA-r788-4jf4-r9f7 NOTE: Negligible security impact CVE-2020-5210 (In NetHack before 3.6.5, an invalid argument to the -w command line op ...) - nethack 3.6.6-1 (unimportant) NOTE: https://github.com/NetHack/NetHack/security/advisories/GHSA-v5pg-hpjg-9rpp NOTE: https://github.com/NetHack/NetHack/commit/f3def5c0b999478da2d0a8f0b6a7c370a2065f77 NOTE: Negligible security impact CVE-2020-5209 (In NetHack before 3.6.5, unknown options starting with -de and -i can ...) - nethack 3.6.6-1 (unimportant) NOTE: https://github.com/NetHack/NetHack/security/advisories/GHSA-fw72-r8xm-45p8 NOTE: https://github.com/NetHack/NetHack/commit/f3def5c0b999478da2d0a8f0b6a7c370a2065f77 NOTE: Negligible security impact CVE-2020-5208 (It's been found that multiple functions in ipmitool before 1.8.19 negl ...) {DLA-2098-1} - ipmitool (bug #950761) [buster] - ipmitool (Minor issue) [stretch] - ipmitool (Minor issue) NOTE: https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp NOTE: https://github.com/ipmitool/ipmitool/commit/e824c23316ae50beb7f7488f2055ac65e8b341f2 NOTE: https://github.com/ipmitool/ipmitool/commit/840fb1cbb4fb365cb9797300e3374d4faefcdb10 NOTE: https://github.com/ipmitool/ipmitool/commit/41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22 NOTE: https://github.com/ipmitool/ipmitool/commit/9452be87181a6e83cfcc768b3ed8321763db50e4 NOTE: https://github.com/ipmitool/ipmitool/commit/d45572d71e70840e0d4c50bf48218492b79c1a10 NOTE: https://github.com/ipmitool/ipmitool/commit/7ccea283dd62a05a320c1921e3d8d71a87772637 CVE-2020-5207 (In Ktor before 1.3.0, request smuggling is possible when running behin ...) NOT-FOR-US: Ktor CVE-2020-5206 (In Opencast before 7.6 and 8.1, using a remember-me cookie with an arb ...) NOT-FOR-US: Opencast CVE-2020-5205 (In Pow (Hex package) before 1.0.16, the use of Plug.Session in Pow.Plu ...) NOT-FOR-US: Pow CVE-2020-5204 (In uftpd before 2.11, there is a buffer overflow vulnerability in hand ...) NOT-FOR-US: uftpd CVE-2020-5203 (In Fat-Free Framework 3.7.1, attackers can achieve arbitrary code exec ...) NOT-FOR-US: Fat-Free Framework CVE-2020-5202 (apt-cacher-ng through 3.3 allows local users to obtain sensitive infor ...) - apt-cacher-ng 3.3.1-1 [buster] - apt-cacher-ng 3.2.1-1 [stretch] - apt-cacher-ng (Minor issue) [jessie] - apt-cacher-ng (Minor issue) NOTE: https://salsa.debian.org/blade/apt-cacher-ng/commit/3b91874b0c099b0ded1a94f1784fe1265082efbc CVE-2020-5201 RESERVED CVE-2019-20330 (FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.eh ...) {DLA-2111-1} - jackson-databind 2.10.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2526 NOTE: https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e CVE-2019-20329 (OpenLambda 2019-09-10 allows DNS rebinding attacks against the OL serv ...) NOT-FOR-US: OpenLambda CVE-2019-20328 RESERVED CVE-2019-20327 (Insecure permissions in cwrapper_perl in Centreon Infrastructure Monit ...) NOT-FOR-US: Centreon Infrastructure Monitoring CVE-2019-20325 REJECTED CVE-2019-20324 REJECTED CVE-2019-20323 REJECTED CVE-2019-20322 REJECTED CVE-2019-20321 REJECTED CVE-2019-20320 REJECTED CVE-2019-20319 REJECTED CVE-2019-20318 REJECTED CVE-2019-20317 REJECTED CVE-2019-20316 REJECTED CVE-2019-20315 REJECTED CVE-2019-20314 REJECTED CVE-2019-20313 REJECTED CVE-2019-20312 REJECTED CVE-2019-20311 REJECTED CVE-2019-20310 REJECTED CVE-2019-20309 REJECTED CVE-2019-20308 REJECTED CVE-2019-20307 REJECTED CVE-2019-20306 REJECTED CVE-2019-20305 REJECTED CVE-2019-20304 REJECTED CVE-2019-20303 REJECTED CVE-2019-20302 REJECTED CVE-2019-20301 REJECTED CVE-2019-20300 REJECTED CVE-2019-20299 REJECTED CVE-2019-20298 REJECTED CVE-2019-20297 REJECTED CVE-2019-20296 REJECTED CVE-2019-20295 REJECTED CVE-2019-20294 REJECTED CVE-2019-20293 REJECTED CVE-2019-20292 REJECTED CVE-2019-20291 REJECTED CVE-2019-20290 REJECTED CVE-2019-20289 REJECTED CVE-2019-20288 REJECTED CVE-2019-20287 REJECTED CVE-2019-20286 REJECTED CVE-2019-20285 REJECTED CVE-2019-20284 REJECTED CVE-2019-20283 REJECTED CVE-2019-20282 REJECTED CVE-2019-20281 REJECTED CVE-2019-20280 REJECTED CVE-2019-20279 REJECTED CVE-2019-20278 REJECTED CVE-2019-20277 REJECTED CVE-2019-20276 REJECTED CVE-2019-20275 REJECTED CVE-2019-20274 REJECTED CVE-2019-20273 REJECTED CVE-2019-20272 REJECTED CVE-2019-20271 REJECTED CVE-2019-20270 REJECTED CVE-2019-20269 REJECTED CVE-2019-20268 REJECTED CVE-2019-20267 REJECTED CVE-2019-20266 REJECTED CVE-2019-20265 REJECTED CVE-2019-20264 REJECTED CVE-2019-20263 REJECTED CVE-2019-20262 REJECTED CVE-2019-20261 REJECTED CVE-2019-20260 REJECTED CVE-2019-20259 REJECTED CVE-2019-20258 REJECTED CVE-2019-20257 REJECTED CVE-2019-20256 REJECTED CVE-2019-20255 REJECTED CVE-2019-20254 REJECTED CVE-2019-20253 REJECTED CVE-2019-20252 REJECTED CVE-2019-20251 REJECTED CVE-2019-20250 REJECTED CVE-2019-20249 REJECTED CVE-2019-20248 REJECTED CVE-2019-20247 REJECTED CVE-2019-20246 REJECTED CVE-2019-20245 REJECTED CVE-2019-20244 REJECTED CVE-2019-20243 REJECTED CVE-2019-20242 REJECTED CVE-2019-20241 REJECTED CVE-2019-20240 REJECTED CVE-2019-20239 REJECTED CVE-2019-20238 REJECTED CVE-2019-20237 REJECTED CVE-2019-20236 REJECTED CVE-2019-20235 REJECTED CVE-2019-20234 REJECTED CVE-2019-20233 REJECTED CVE-2019-20232 REJECTED CVE-2019-20231 REJECTED CVE-2019-20230 REJECTED CVE-2019-20229 REJECTED CVE-2019-20228 REJECTED CVE-2019-20227 REJECTED CVE-2019-20226 REJECTED CVE-2019-20326 (A heap-based buffer overflow in _cairo_image_surface_create_from_jpeg( ...) {DLA-2066-1} - gthumb (bug #948197) [buster] - gthumb (Minor issue) [stretch] - gthumb (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/gthumb/commit/14860321ce3235d420498c4f81f21003d1fb78f4 (3.8.3) NOTE: https://gitlab.gnome.org/GNOME/gthumb/commit/4faa5ce2358812d23a1147953ee76f59631590ad (master) CVE-2020-5200 RESERVED CVE-2020-5199 RESERVED CVE-2020-5198 RESERVED CVE-2020-5197 (An issue was discovered in GitLab Community Edition (CE) and Enterpris ...) [experimental] - gitlab 12.6.2-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/blog/2020/01/02/security-release-gitlab-12-6-2-released/ CVE-2020-5196 (Cerberus FTP Server Enterprise Edition prior to versions 11.0.3 and 10 ...) NOT-FOR-US: Cerberus FTP Server Enterprise Edition CVE-2020-5195 (Reflected XSS through an IMG element in Cerberus FTP Server prior to v ...) NOT-FOR-US: Cerberus FTP Server CVE-2020-5194 (The zip API endpoint in Cerberus FTP Server 8 allows an authenticated ...) NOT-FOR-US: Cerberus FTP Server CVE-2019-20225 (MyBB before 1.8.22 allows an open redirect on login. ...) NOT-FOR-US: MyBB CVE-2013-7486 (Cross-site scripting (XSS) vulnerability in the backend in Open-Xchang ...) NOT-FOR-US: Open-Xchange App Suite CVE-2013-7485 (Cross-site scripting (XSS) vulnerability in the backend in Open-Xchang ...) NOT-FOR-US: Open-Xchange App Suite CVE-2020-5193 (PHPGurukul Hospital Management System in PHP v4.0 suffers from multipl ...) NOT-FOR-US: PHPGurukul Hospital Management System CVE-2020-5192 (PHPGurukul Hospital Management System in PHP v4.0 suffers from multipl ...) NOT-FOR-US: PHPGurukul Hospital Management System CVE-2020-5191 (PHPGurukul Hospital Management System in PHP v4.0 suffers from multipl ...) NOT-FOR-US: PHPGurukul Hospital Management System CVE-2020-5190 RESERVED CVE-2020-5189 RESERVED CVE-2020-5188 (DNN (formerly DotNetNuke) through 9.4.4 has Insecure Permissions. ...) NOT-FOR-US: DNN CVE-2020-5187 (DNN (formerly DotNetNuke) through 9.4.4 allows Path Traversal (issue 2 ...) NOT-FOR-US: DNN CVE-2020-5186 (DNN (formerly DotNetNuke) through 9.4.4 allows XSS (issue 1 of 2). ...) NOT-FOR-US: DNN CVE-2020-5185 RESERVED CVE-2020-5184 RESERVED CVE-2020-5183 (FTPGetter Professional 5.97.0.223 is vulnerable to a memory corruption ...) NOT-FOR-US: FTPGetter Professional CVE-2020-5182 (The J-BusinessDirectory extension before 5.2.9 for Joomla! allows Reve ...) NOT-FOR-US: J-BusinessDirectory extension for Joomla! CVE-2020-5181 RESERVED CVE-2020-5180 (Viscosity 1.8.2 on Windows and macOS allows an unprivileged user to se ...) NOT-FOR-US: Viscosity on Widnows and macOS CVE-2019-20224 (netflow_get_stats in functions_netflow.php in Pandora FMS 7.0NG allows ...) NOT-FOR-US: Pandora FMS CVE-2019-20223 (In Support Incident Tracker (SiT!) 3.67, the id parameter is affected ...) NOT-FOR-US: Support Incident Tracker CVE-2019-20222 (In Support Incident Tracker (SiT!) 3.67, the Short Application Name an ...) NOT-FOR-US: Support Incident Tracker CVE-2019-20221 (In Support Incident Tracker (SiT!) 3.67, Load Plugins input in the con ...) NOT-FOR-US: Support Incident Tracker CVE-2019-20220 (In Support Incident Tracker (SiT!) 3.67, the search_id parameter in th ...) NOT-FOR-US: Support Incident Tracker CVE-2019-20219 (ngiflib 0.4 has a heap-based buffer over-read in GifIndexToTrueColor i ...) NOT-FOR-US: ngiflib CVE-2019-20218 (selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack u ...) - sqlite3 3.30.1+fossil191229-1 [buster] - sqlite3 (Minor issue) [stretch] - sqlite3 (Minor issue) [jessie] - sqlite3 (Minor issue) NOTE: Fixed by: https://github.com/sqlite/sqlite/commit/a6c1a71cde082e09750465d5675699062922e387 CVE-2019-20217 (D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers ...) NOT-FOR-US: D-Link CVE-2019-20216 (D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers ...) NOT-FOR-US: D-Link CVE-2019-20215 (D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers ...) NOT-FOR-US: D-Link CVE-2019-20214 RESERVED CVE-2019-20213 (D-Link DIR-859 routers before v1.07b03_beta allow Unauthenticated Info ...) NOT-FOR-US: D-Link CVE-2019-20212 (The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBoo ...) NOT-FOR-US: themes for WordPress CVE-2019-20211 (The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBoo ...) NOT-FOR-US: themes for WordPress CVE-2019-20210 (The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBoo ...) NOT-FOR-US: themes for WordPress CVE-2019-20209 (The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBoo ...) NOT-FOR-US: themes for WordPress CVE-2019-20208 (dimC_Read in isomedia/box_code_3gpp.c in GPAC 0.8.0 has a stack-based ...) {DLA-2072-1} - gpac [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/1348 NOTE: https://github.com/gpac/gpac/commit/bcfcb3e90476692fe0d2bb532ea8deeb2a77580e (chunk #1) CVE-2019-20207 RESERVED CVE-2019-20206 RESERVED CVE-2019-20205 (libsixel 1.8.4 has an integer overflow in sixel_frame_resize in frame. ...) - libsixel 1.8.6-1 (low; bug #948103) [buster] - libsixel (Minor issue) [stretch] - libsixel (Minor issue) [jessie] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/127 NOTE: https://github.com/saitoha/libsixel/commit/bb65fce3bbecdd325ecb86d78132c3554907af87 CVE-2019-20204 (The Postie plugin 1.9.40 for WordPress allows XSS, as demonstrated by ...) NOT-FOR-US: Postie plugin for WordPress CVE-2019-20203 (The Authorized Addresses feature in the Postie plugin 1.9.40 for WordP ...) NOT-FOR-US: Authorized Addresses feature in the Postie plugin for WordPress CVE-2020-5179 (Comtech Stampede FX-1010 7.4.3 devices allow remote authenticated admi ...) NOT-FOR-US: Comtech Stampede FX-1010 7.4.3 devices CVE-2019-20202 (An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezx ...) NOT-FOR-US: ezXML CVE-2019-20201 (An issue was discovered in ezXML 0.8.3 through 0.8.6. The ezxml_parse_ ...) NOT-FOR-US: ezXML CVE-2019-20200 (An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezx ...) NOT-FOR-US: ezXML CVE-2019-20199 (An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezx ...) NOT-FOR-US: ezXML CVE-2019-20198 (An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezx ...) NOT-FOR-US: ezXML CVE-2020-5178 RESERVED CVE-2020-5177 RESERVED CVE-2020-5176 RESERVED CVE-2020-5175 RESERVED CVE-2020-5174 RESERVED CVE-2020-5173 RESERVED CVE-2020-5172 RESERVED CVE-2020-5171 RESERVED CVE-2020-5170 RESERVED CVE-2020-5169 RESERVED CVE-2020-5168 RESERVED CVE-2020-5167 RESERVED CVE-2020-5166 RESERVED CVE-2020-5165 RESERVED CVE-2020-5164 RESERVED CVE-2020-5163 RESERVED CVE-2020-5162 RESERVED CVE-2020-5161 RESERVED CVE-2020-5160 RESERVED CVE-2020-5159 RESERVED CVE-2020-5158 RESERVED CVE-2020-5157 RESERVED CVE-2020-5156 RESERVED CVE-2020-5155 RESERVED CVE-2020-5154 RESERVED CVE-2020-5153 RESERVED CVE-2020-5152 RESERVED CVE-2020-5151 RESERVED CVE-2020-5150 RESERVED CVE-2020-5149 RESERVED CVE-2020-5148 RESERVED CVE-2020-5147 RESERVED CVE-2020-5146 RESERVED CVE-2020-5145 RESERVED CVE-2020-5144 RESERVED CVE-2020-5143 RESERVED CVE-2020-5142 RESERVED CVE-2020-5141 RESERVED CVE-2020-5140 RESERVED CVE-2020-5139 RESERVED CVE-2020-5138 RESERVED CVE-2020-5137 RESERVED CVE-2020-5136 RESERVED CVE-2020-5135 RESERVED CVE-2020-5134 RESERVED CVE-2020-5133 RESERVED CVE-2020-5132 RESERVED CVE-2020-5131 RESERVED CVE-2020-5130 RESERVED CVE-2020-5129 (A vulnerability in the SonicWall SMA1000 HTTP Extraweb server allows a ...) NOT-FOR-US: SonicWall CVE-2019-20197 (In Nagios XI 5.6.9, an authenticated user is able to execute arbitrary ...) NOT-FOR-US: Nagios XI CVE-2019-20196 RESERVED CVE-2019-20195 RESERVED CVE-2019-20194 RESERVED CVE-2019-20193 RESERVED CVE-2019-20192 RESERVED CVE-2019-20191 (Oxygen XML Editor 21.1.1 allows XXE to read any file. ...) NOT-FOR-US: Oxygen XML Editor CVE-2019-20190 RESERVED CVE-2019-20189 RESERVED CVE-2019-20188 RESERVED CVE-2019-20187 RESERVED CVE-2019-20186 RESERVED CVE-2019-20185 RESERVED CVE-2019-20184 (KeePass 2.4.1 allows CSV injection in the title field of a CSV export. ...) - keepass2 (unimportant) NOTE: No security impact CVE-2019-20183 (uploadimage.php in Employee Records System 1.0 allows upload and execu ...) NOT-FOR-US: Employee Records System CVE-2019-20182 (The FooGallery plugin 1.8.12 for WordPress allow XSS via the post_titl ...) NOT-FOR-US: Wordpress plugin CVE-2019-20181 (The awesome-support plugin 5.8.0 for WordPress allows XSS via the post ...) NOT-FOR-US: Wordpress plugin CVE-2019-20180 (The TablePress plugin 1.9.2 for WordPress allows tablepress[data] CSV ...) NOT-FOR-US: Wordpress plugin CVE-2019-20179 (SOPlanning 1.45 has SQL injection via the user_list.php "by" parameter ...) NOT-FOR-US: SOPlanning CVE-2019-20178 (Advisto PEEL Shopping 9.2.1 has CSRF via administrer/utilisateurs.php ...) NOT-FOR-US: Advisto PEEL Shopping CVE-2019-20177 RESERVED CVE-2019-20176 (In Pure-FTPd 1.0.49, a stack exhaustion issue was discovered in the li ...) - pure-ftpd 1.0.49-2 (low; bug #947869) [buster] - pure-ftpd (Minor issue) [stretch] - pure-ftpd (Minor issue) [jessie] - pure-ftpd (Minor issue) NOTE: https://github.com/jedisct1/pure-ftpd/commit/aea56f4bcb9948d456f3fae4d044fd3fa2e19706 CVE-2019-20175 (** DISPUTED ** An issue was discovered in ide_dma_cb() in hw/ide/core. ...) - qemu (unimportant) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2019-07/msg01651.html NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2019-07/msg03869.html NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2019-11/msg00597.html NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2019-11/msg02165.html NOTE: Marked unimportant, as negligible security impact (a privileged guest NOTE: can trigger similar issues without triggering the specific assert) and NOTE: is disputed by QEMU security team. CVE-2019-20174 (Auth0 Lock before 11.21.0 allows XSS when additionalSignUpFields is us ...) NOT-FOR-US: Auth0 Lock CVE-2019-20173 (The Auth0 wp-auth0 plugin 3.11.x before 3.11.3 for WordPress allows XS ...) NOT-FOR-US: Auth0 wp-auth0 plugin for WordPress CVE-2019-20172 (Kernel/VM/MemoryManager.cpp in SerenityOS before 2019-12-30 does not r ...) NOT-FOR-US: SerenityOS CVE-2019-20171 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...) {DLA-2072-1} - gpac (low) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/1337 NOTE: https://github.com/gpac/gpac/commit/72cdc5048dead86bb1df7d21e0b9975e49cf2d97 NOTE: https://github.com/gpac/gpac/commit/2bcca3f1d4605100bb27d3ed7be25b53cddbc75c CVE-2019-20170 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...) {DLA-2072-1} - gpac (low) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/1328 NOTE: https://github.com/gpac/gpac/commit/16856430287cc10f495eb241910b4dc45b193e03 CVE-2019-20169 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...) - gpac (Vulnerability introduced later, fix relates to 'use_dump_mode' introduced in v0.7.0) NOTE: https://github.com/gpac/gpac/issues/1329 NOTE: Introduces use_dump_mode: https://github.com/gpac/gpac/commit/9ea1fb39891669014a6e7592a4422e8de630cdc0 (v0.7.0) NOTE: https://github.com/gpac/gpac/commit/a8b6246da925cf744805c9427a01fcacb53314bb CVE-2019-20168 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...) - gpac (Vulnerability introduced later, fix relates to 'use_dump_mode' introduced in v0.7.0) NOTE: https://github.com/gpac/gpac/issues/1333 NOTE: Introduces use_dump_mode: https://github.com/gpac/gpac/commit/9ea1fb39891669014a6e7592a4422e8de630cdc0 (v0.7.0) NOTE: Uncovers/makes visible the vulnerability: https://github.com/gpac/gpac/commit/697d6afb3cd012d442e12400b6841ebd1256a354 (v0.8.0) NOTE: https://github.com/gpac/gpac/commit/a8b6246da925cf744805c9427a01fcacb53314bb CVE-2019-20167 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...) - gpac (Vulnerable code introduced in development version after v0.8.0) NOTE: https://github.com/gpac/gpac/issues/1330 NOTE: https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80 (chunk #3) CVE-2019-20166 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...) - gpac (Vulnerable code introduced in 0.7.0) NOTE: https://github.com/gpac/gpac/issues/1331 NOTE: https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80 (chunk #2) CVE-2019-20165 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...) {DLA-2072-1} - gpac (low) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/1338 NOTE: https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80 (chunk #1) CVE-2019-20164 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...) - gpac (Vulnerable code introduced in 0.7.0) NOTE: https://github.com/gpac/gpac/issues/1332 NOTE: https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80 (chunk #2) CVE-2019-20163 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...) {DLA-2072-1} - gpac (low) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/1335 NOTE: https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80 (chunk #4) CVE-2019-20162 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...) {DLA-2072-1} - gpac NOTE: https://github.com/gpac/gpac/issues/1327 NOTE: https://github.com/gpac/gpac/commit/3c0ba42546c8148c51169c3908e845c308746c77 CVE-2019-20161 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...) {DLA-2072-1} - gpac NOTE: https://github.com/gpac/gpac/issues/1320 NOTE: https://github.com/gpac/gpac/commit/7a09732d4978586e6284e84caa9c301b2fa5e956 CVE-2019-20160 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...) - gpac (Vulnerable code introduced in 0.8.0) NOTE: https://github.com/gpac/gpac/issues/1334 NOTE: Introduced in: https://github.com/gpac/gpac/commit/d7c2bb5cc3c67566f506f51cbefbf66f8169ea85 NOTE: Fixed by: https://github.com/gpac/gpac/commit/bcfcb3e90476692fe0d2bb532ea8deeb2a77580e (chunk #2) CVE-2019-20159 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...) - gpac (Vulnerable code introduced in 0.7.0) NOTE: https://github.com/gpac/gpac/issues/1321 NOTE: Introduced in: https://github.com/gpac/gpac/commit/261fab7f51479ae8b1732350d9d4cc456c4919af (v0.7.0) NOTE: Fixed by: https://github.com/gpac/gpac/commit/e4c1f09ab9618b6af3bec6b94b8b349f2d01dbf8 CVE-2019-20158 RESERVED CVE-2019-20157 RESERVED CVE-2019-20156 RESERVED CVE-2019-20155 (An issue was discovered in report_edit.jsp in Determine (formerly Sele ...) NOT-FOR-US: Determine (formerly Selectica) Contract Lifecycle Management CVE-2019-20154 (An issue was discovered in Determine (formerly Selectica) Contract Lif ...) NOT-FOR-US: Determine (formerly Selectica) Contract Lifecycle Management CVE-2019-20153 (An issue was discovered in Determine (formerly Selectica) Contract Lif ...) NOT-FOR-US: Determine (formerly Selectica) Contract Lifecycle Management CVE-2019-20152 RESERVED CVE-2019-20151 RESERVED CVE-2019-20150 RESERVED CVE-2020-5128 RESERVED CVE-2020-5127 RESERVED CVE-2020-5126 RESERVED CVE-2020-5125 RESERVED CVE-2020-5124 RESERVED CVE-2020-5123 RESERVED CVE-2020-5122 RESERVED CVE-2020-5121 RESERVED CVE-2020-5120 RESERVED CVE-2020-5119 RESERVED CVE-2020-5118 RESERVED CVE-2020-5117 RESERVED CVE-2020-5116 RESERVED CVE-2020-5115 RESERVED CVE-2020-5114 RESERVED CVE-2020-5113 RESERVED CVE-2020-5112 RESERVED CVE-2020-5111 RESERVED CVE-2020-5110 RESERVED CVE-2020-5109 RESERVED CVE-2020-5108 RESERVED CVE-2020-5107 RESERVED CVE-2020-5106 RESERVED CVE-2020-5105 RESERVED CVE-2020-5104 RESERVED CVE-2020-5103 RESERVED CVE-2020-5102 RESERVED CVE-2020-5101 RESERVED CVE-2020-5100 RESERVED CVE-2020-5099 RESERVED CVE-2020-5098 RESERVED CVE-2020-5097 RESERVED CVE-2020-5096 RESERVED CVE-2020-5095 RESERVED CVE-2020-5094 RESERVED CVE-2020-5093 RESERVED CVE-2020-5092 RESERVED CVE-2020-5091 RESERVED CVE-2020-5090 RESERVED CVE-2020-5089 RESERVED CVE-2020-5088 RESERVED CVE-2020-5087 RESERVED CVE-2020-5086 RESERVED CVE-2020-5085 RESERVED CVE-2020-5084 RESERVED CVE-2020-5083 RESERVED CVE-2020-5082 RESERVED CVE-2020-5081 RESERVED CVE-2020-5080 RESERVED CVE-2020-5079 RESERVED CVE-2020-5078 RESERVED CVE-2020-5077 RESERVED CVE-2020-5076 RESERVED CVE-2020-5075 RESERVED CVE-2020-5074 RESERVED CVE-2020-5073 RESERVED CVE-2020-5072 RESERVED CVE-2020-5071 RESERVED CVE-2020-5070 RESERVED CVE-2020-5069 RESERVED CVE-2020-5068 RESERVED CVE-2020-5067 RESERVED CVE-2020-5066 RESERVED CVE-2020-5065 RESERVED CVE-2020-5064 RESERVED CVE-2020-5063 RESERVED CVE-2020-5062 RESERVED CVE-2020-5061 RESERVED CVE-2020-5060 RESERVED CVE-2020-5059 RESERVED CVE-2020-5058 RESERVED CVE-2020-5057 RESERVED CVE-2020-5056 RESERVED CVE-2020-5055 RESERVED CVE-2020-5054 RESERVED CVE-2020-5053 RESERVED CVE-2020-5052 RESERVED CVE-2020-5051 RESERVED CVE-2020-5050 RESERVED CVE-2020-5049 RESERVED CVE-2020-5048 RESERVED CVE-2020-5047 RESERVED CVE-2020-5046 RESERVED CVE-2020-5045 RESERVED CVE-2020-5044 RESERVED CVE-2020-5043 RESERVED CVE-2020-5042 RESERVED CVE-2020-5041 RESERVED CVE-2020-5040 RESERVED CVE-2020-5039 RESERVED CVE-2020-5038 RESERVED CVE-2020-5037 RESERVED CVE-2020-5036 RESERVED CVE-2020-5035 RESERVED CVE-2020-5034 RESERVED CVE-2020-5033 RESERVED CVE-2020-5032 RESERVED CVE-2020-5031 RESERVED CVE-2020-5030 RESERVED CVE-2020-5029 RESERVED CVE-2020-5028 RESERVED CVE-2020-5027 RESERVED CVE-2020-5026 RESERVED CVE-2020-5025 RESERVED CVE-2020-5024 RESERVED CVE-2020-5023 RESERVED CVE-2020-5022 RESERVED CVE-2020-5021 RESERVED CVE-2020-5020 RESERVED CVE-2020-5019 RESERVED CVE-2020-5018 RESERVED CVE-2020-5017 RESERVED CVE-2020-5016 RESERVED CVE-2020-5015 RESERVED CVE-2020-5014 RESERVED CVE-2020-5013 RESERVED CVE-2020-5012 RESERVED CVE-2020-5011 RESERVED CVE-2020-5010 RESERVED CVE-2020-5009 RESERVED CVE-2020-5008 RESERVED CVE-2020-5007 RESERVED CVE-2020-5006 RESERVED CVE-2020-5005 RESERVED CVE-2020-5004 RESERVED CVE-2020-5003 RESERVED CVE-2020-5002 RESERVED CVE-2020-5001 RESERVED CVE-2020-5000 RESERVED CVE-2020-4999 RESERVED CVE-2020-4998 RESERVED CVE-2020-4997 RESERVED CVE-2020-4996 RESERVED CVE-2020-4995 RESERVED CVE-2020-4994 RESERVED CVE-2020-4993 RESERVED CVE-2020-4992 RESERVED CVE-2020-4991 RESERVED CVE-2020-4990 RESERVED CVE-2020-4989 RESERVED CVE-2020-4988 RESERVED CVE-2020-4987 RESERVED CVE-2020-4986 RESERVED CVE-2020-4985 RESERVED CVE-2020-4984 RESERVED CVE-2020-4983 RESERVED CVE-2020-4982 RESERVED CVE-2020-4981 RESERVED CVE-2020-4980 RESERVED CVE-2020-4979 RESERVED CVE-2020-4978 RESERVED CVE-2020-4977 RESERVED CVE-2020-4976 RESERVED CVE-2020-4975 RESERVED CVE-2020-4974 RESERVED CVE-2020-4973 RESERVED CVE-2020-4972 RESERVED CVE-2020-4971 RESERVED CVE-2020-4970 RESERVED CVE-2020-4969 RESERVED CVE-2020-4968 RESERVED CVE-2020-4967 RESERVED CVE-2020-4966 RESERVED CVE-2020-4965 RESERVED CVE-2020-4964 RESERVED CVE-2020-4963 RESERVED CVE-2020-4962 RESERVED CVE-2020-4961 RESERVED CVE-2020-4960 RESERVED CVE-2020-4959 RESERVED CVE-2020-4958 RESERVED CVE-2020-4957 RESERVED CVE-2020-4956 RESERVED CVE-2020-4955 RESERVED CVE-2020-4954 RESERVED CVE-2020-4953 RESERVED CVE-2020-4952 RESERVED CVE-2020-4951 RESERVED CVE-2020-4950 RESERVED CVE-2020-4949 RESERVED CVE-2020-4948 RESERVED CVE-2020-4947 RESERVED CVE-2020-4946 RESERVED CVE-2020-4945 RESERVED CVE-2020-4944 RESERVED CVE-2020-4943 RESERVED CVE-2020-4942 RESERVED CVE-2020-4941 RESERVED CVE-2020-4940 RESERVED CVE-2020-4939 RESERVED CVE-2020-4938 RESERVED CVE-2020-4937 RESERVED CVE-2020-4936 RESERVED CVE-2020-4935 RESERVED CVE-2020-4934 RESERVED CVE-2020-4933 RESERVED CVE-2020-4932 RESERVED CVE-2020-4931 RESERVED CVE-2020-4930 RESERVED CVE-2020-4929 RESERVED CVE-2020-4928 RESERVED CVE-2020-4927 RESERVED CVE-2020-4926 RESERVED CVE-2020-4925 RESERVED CVE-2020-4924 RESERVED CVE-2020-4923 RESERVED CVE-2020-4922 RESERVED CVE-2020-4921 RESERVED CVE-2020-4920 RESERVED CVE-2020-4919 RESERVED CVE-2020-4918 RESERVED CVE-2020-4917 RESERVED CVE-2020-4916 RESERVED CVE-2020-4915 RESERVED CVE-2020-4914 RESERVED CVE-2020-4913 RESERVED CVE-2020-4912 RESERVED CVE-2020-4911 RESERVED CVE-2020-4910 RESERVED CVE-2020-4909 RESERVED CVE-2020-4908 RESERVED CVE-2020-4907 RESERVED CVE-2020-4906 RESERVED CVE-2020-4905 RESERVED CVE-2020-4904 RESERVED CVE-2020-4903 RESERVED CVE-2020-4902 RESERVED CVE-2020-4901 RESERVED CVE-2020-4900 RESERVED CVE-2020-4899 RESERVED CVE-2020-4898 RESERVED CVE-2020-4897 RESERVED CVE-2020-4896 RESERVED CVE-2020-4895 RESERVED CVE-2020-4894 RESERVED CVE-2020-4893 RESERVED CVE-2020-4892 RESERVED CVE-2020-4891 RESERVED CVE-2020-4890 RESERVED CVE-2020-4889 RESERVED CVE-2020-4888 RESERVED CVE-2020-4887 RESERVED CVE-2020-4886 RESERVED CVE-2020-4885 RESERVED CVE-2020-4884 RESERVED CVE-2020-4883 RESERVED CVE-2020-4882 RESERVED CVE-2020-4881 RESERVED CVE-2020-4880 RESERVED CVE-2020-4879 RESERVED CVE-2020-4878 RESERVED CVE-2020-4877 RESERVED CVE-2020-4876 RESERVED CVE-2020-4875 RESERVED CVE-2020-4874 RESERVED CVE-2020-4873 RESERVED CVE-2020-4872 RESERVED CVE-2020-4871 RESERVED CVE-2020-4870 RESERVED CVE-2020-4869 RESERVED CVE-2020-4868 RESERVED CVE-2020-4867 RESERVED CVE-2020-4866 RESERVED CVE-2020-4865 RESERVED CVE-2020-4864 RESERVED CVE-2020-4863 RESERVED CVE-2020-4862 RESERVED CVE-2020-4861 RESERVED CVE-2020-4860 RESERVED CVE-2020-4859 RESERVED CVE-2020-4858 RESERVED CVE-2020-4857 RESERVED CVE-2020-4856 RESERVED CVE-2020-4855 RESERVED CVE-2020-4854 RESERVED CVE-2020-4853 RESERVED CVE-2020-4852 RESERVED CVE-2020-4851 RESERVED CVE-2020-4850 RESERVED CVE-2020-4849 RESERVED CVE-2020-4848 RESERVED CVE-2020-4847 RESERVED CVE-2020-4846 RESERVED CVE-2020-4845 RESERVED CVE-2020-4844 RESERVED CVE-2020-4843 RESERVED CVE-2020-4842 RESERVED CVE-2020-4841 RESERVED CVE-2020-4840 RESERVED CVE-2020-4839 RESERVED CVE-2020-4838 RESERVED CVE-2020-4837 RESERVED CVE-2020-4836 RESERVED CVE-2020-4835 RESERVED CVE-2020-4834 RESERVED CVE-2020-4833 RESERVED CVE-2020-4832 RESERVED CVE-2020-4831 RESERVED CVE-2020-4830 RESERVED CVE-2020-4829 RESERVED CVE-2020-4828 RESERVED CVE-2020-4827 RESERVED CVE-2020-4826 RESERVED CVE-2020-4825 RESERVED CVE-2020-4824 RESERVED CVE-2020-4823 RESERVED CVE-2020-4822 RESERVED CVE-2020-4821 RESERVED CVE-2020-4820 RESERVED CVE-2020-4819 RESERVED CVE-2020-4818 RESERVED CVE-2020-4817 RESERVED CVE-2020-4816 RESERVED CVE-2020-4815 RESERVED CVE-2020-4814 RESERVED CVE-2020-4813 RESERVED CVE-2020-4812 RESERVED CVE-2020-4811 RESERVED CVE-2020-4810 RESERVED CVE-2020-4809 RESERVED CVE-2020-4808 RESERVED CVE-2020-4807 RESERVED CVE-2020-4806 RESERVED CVE-2020-4805 RESERVED CVE-2020-4804 RESERVED CVE-2020-4803 RESERVED CVE-2020-4802 RESERVED CVE-2020-4801 RESERVED CVE-2020-4800 RESERVED CVE-2020-4799 RESERVED CVE-2020-4798 RESERVED CVE-2020-4797 RESERVED CVE-2020-4796 RESERVED CVE-2020-4795 RESERVED CVE-2020-4794 RESERVED CVE-2020-4793 RESERVED CVE-2020-4792 RESERVED CVE-2020-4791 RESERVED CVE-2020-4790 RESERVED CVE-2020-4789 RESERVED CVE-2020-4788 RESERVED CVE-2020-4787 RESERVED CVE-2020-4786 RESERVED CVE-2020-4785 RESERVED CVE-2020-4784 RESERVED CVE-2020-4783 RESERVED CVE-2020-4782 RESERVED CVE-2020-4781 RESERVED CVE-2020-4780 RESERVED CVE-2020-4779 RESERVED CVE-2020-4778 RESERVED CVE-2020-4777 RESERVED CVE-2020-4776 RESERVED CVE-2020-4775 RESERVED CVE-2020-4774 RESERVED CVE-2020-4773 RESERVED CVE-2020-4772 RESERVED CVE-2020-4771 RESERVED CVE-2020-4770 RESERVED CVE-2020-4769 RESERVED CVE-2020-4768 RESERVED CVE-2020-4767 RESERVED CVE-2020-4766 RESERVED CVE-2020-4765 RESERVED CVE-2020-4764 RESERVED CVE-2020-4763 RESERVED CVE-2020-4762 RESERVED CVE-2020-4761 RESERVED CVE-2020-4760 RESERVED CVE-2020-4759 RESERVED CVE-2020-4758 RESERVED CVE-2020-4757 RESERVED CVE-2020-4756 RESERVED CVE-2020-4755 RESERVED CVE-2020-4754 RESERVED CVE-2020-4753 RESERVED CVE-2020-4752 RESERVED CVE-2020-4751 RESERVED CVE-2020-4750 RESERVED CVE-2020-4749 RESERVED CVE-2020-4748 RESERVED CVE-2020-4747 RESERVED CVE-2020-4746 RESERVED CVE-2020-4745 RESERVED CVE-2020-4744 RESERVED CVE-2020-4743 RESERVED CVE-2020-4742 RESERVED CVE-2020-4741 RESERVED CVE-2020-4740 RESERVED CVE-2020-4739 RESERVED CVE-2020-4738 RESERVED CVE-2020-4737 RESERVED CVE-2020-4736 RESERVED CVE-2020-4735 RESERVED CVE-2020-4734 RESERVED CVE-2020-4733 RESERVED CVE-2020-4732 RESERVED CVE-2020-4731 RESERVED CVE-2020-4730 RESERVED CVE-2020-4729 RESERVED CVE-2020-4728 RESERVED CVE-2020-4727 RESERVED CVE-2020-4726 RESERVED CVE-2020-4725 RESERVED CVE-2020-4724 RESERVED CVE-2020-4723 RESERVED CVE-2020-4722 RESERVED CVE-2020-4721 RESERVED CVE-2020-4720 RESERVED CVE-2020-4719 RESERVED CVE-2020-4718 RESERVED CVE-2020-4717 RESERVED CVE-2020-4716 RESERVED CVE-2020-4715 RESERVED CVE-2020-4714 RESERVED CVE-2020-4713 RESERVED CVE-2020-4712 RESERVED CVE-2020-4711 RESERVED CVE-2020-4710 RESERVED CVE-2020-4709 RESERVED CVE-2020-4708 RESERVED CVE-2020-4707 RESERVED CVE-2020-4706 RESERVED CVE-2020-4705 RESERVED CVE-2020-4704 RESERVED CVE-2020-4703 RESERVED CVE-2020-4702 RESERVED CVE-2020-4701 RESERVED CVE-2020-4700 RESERVED CVE-2020-4699 RESERVED CVE-2020-4698 RESERVED CVE-2020-4697 RESERVED CVE-2020-4696 RESERVED CVE-2020-4695 RESERVED CVE-2020-4694 RESERVED CVE-2020-4693 RESERVED CVE-2020-4692 RESERVED CVE-2020-4691 RESERVED CVE-2020-4690 RESERVED CVE-2020-4689 RESERVED CVE-2020-4688 RESERVED CVE-2020-4687 RESERVED CVE-2020-4686 RESERVED CVE-2020-4685 RESERVED CVE-2020-4684 RESERVED CVE-2020-4683 RESERVED CVE-2020-4682 RESERVED CVE-2020-4681 RESERVED CVE-2020-4680 RESERVED CVE-2020-4679 RESERVED CVE-2020-4678 RESERVED CVE-2020-4677 RESERVED CVE-2020-4676 RESERVED CVE-2020-4675 RESERVED CVE-2020-4674 RESERVED CVE-2020-4673 RESERVED CVE-2020-4672 RESERVED CVE-2020-4671 RESERVED CVE-2020-4670 RESERVED CVE-2020-4669 RESERVED CVE-2020-4668 RESERVED CVE-2020-4667 RESERVED CVE-2020-4666 RESERVED CVE-2020-4665 RESERVED CVE-2020-4664 RESERVED CVE-2020-4663 RESERVED CVE-2020-4662 RESERVED CVE-2020-4661 RESERVED CVE-2020-4660 RESERVED CVE-2020-4659 RESERVED CVE-2020-4658 RESERVED CVE-2020-4657 RESERVED CVE-2020-4656 RESERVED CVE-2020-4655 RESERVED CVE-2020-4654 RESERVED CVE-2020-4653 RESERVED CVE-2020-4652 RESERVED CVE-2020-4651 RESERVED CVE-2020-4650 RESERVED CVE-2020-4649 RESERVED CVE-2020-4648 RESERVED CVE-2020-4647 RESERVED CVE-2020-4646 RESERVED CVE-2020-4645 RESERVED CVE-2020-4644 RESERVED CVE-2020-4643 RESERVED CVE-2020-4642 RESERVED CVE-2020-4641 RESERVED CVE-2020-4640 RESERVED CVE-2020-4639 RESERVED CVE-2020-4638 RESERVED CVE-2020-4637 RESERVED CVE-2020-4636 RESERVED CVE-2020-4635 RESERVED CVE-2020-4634 RESERVED CVE-2020-4633 RESERVED CVE-2020-4632 RESERVED CVE-2020-4631 RESERVED CVE-2020-4630 RESERVED CVE-2020-4629 RESERVED CVE-2020-4628 RESERVED CVE-2020-4627 RESERVED CVE-2020-4626 RESERVED CVE-2020-4625 RESERVED CVE-2020-4624 RESERVED CVE-2020-4623 RESERVED CVE-2020-4622 RESERVED CVE-2020-4621 RESERVED CVE-2020-4620 RESERVED CVE-2020-4619 RESERVED CVE-2020-4618 RESERVED CVE-2020-4617 RESERVED CVE-2020-4616 RESERVED CVE-2020-4615 RESERVED CVE-2020-4614 RESERVED CVE-2020-4613 RESERVED CVE-2020-4612 RESERVED CVE-2020-4611 RESERVED CVE-2020-4610 RESERVED CVE-2020-4609 RESERVED CVE-2020-4608 RESERVED CVE-2020-4607 RESERVED CVE-2020-4606 RESERVED CVE-2020-4605 RESERVED CVE-2020-4604 RESERVED CVE-2020-4603 RESERVED CVE-2020-4602 RESERVED CVE-2020-4601 RESERVED CVE-2020-4600 RESERVED CVE-2020-4599 RESERVED CVE-2020-4598 RESERVED CVE-2020-4597 RESERVED CVE-2020-4596 RESERVED CVE-2020-4595 RESERVED CVE-2020-4594 RESERVED CVE-2020-4593 RESERVED CVE-2020-4592 RESERVED CVE-2020-4591 RESERVED CVE-2020-4590 RESERVED CVE-2020-4589 RESERVED CVE-2020-4588 RESERVED CVE-2020-4587 RESERVED CVE-2020-4586 RESERVED CVE-2020-4585 RESERVED CVE-2020-4584 RESERVED CVE-2020-4583 RESERVED CVE-2020-4582 RESERVED CVE-2020-4581 RESERVED CVE-2020-4580 RESERVED CVE-2020-4579 RESERVED CVE-2020-4578 RESERVED CVE-2020-4577 RESERVED CVE-2020-4576 RESERVED CVE-2020-4575 RESERVED CVE-2020-4574 RESERVED CVE-2020-4573 RESERVED CVE-2020-4572 RESERVED CVE-2020-4571 RESERVED CVE-2020-4570 RESERVED CVE-2020-4569 RESERVED CVE-2020-4568 RESERVED CVE-2020-4567 RESERVED CVE-2020-4566 RESERVED CVE-2020-4565 (IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow an attacke ...) NOT-FOR-US: IBM CVE-2020-4564 RESERVED CVE-2020-4563 RESERVED CVE-2020-4562 RESERVED CVE-2020-4561 RESERVED CVE-2020-4560 RESERVED CVE-2020-4559 RESERVED CVE-2020-4558 RESERVED CVE-2020-4557 (IBM Business Automation Workflow 18.0, 19.0, and 20.0 and IBM Business ...) NOT-FOR-US: IBM CVE-2020-4556 RESERVED CVE-2020-4555 RESERVED CVE-2020-4554 RESERVED CVE-2020-4553 RESERVED CVE-2020-4552 RESERVED CVE-2020-4551 RESERVED CVE-2020-4550 RESERVED CVE-2020-4549 RESERVED CVE-2020-4548 RESERVED CVE-2020-4547 RESERVED CVE-2020-4546 RESERVED CVE-2020-4545 RESERVED CVE-2020-4544 RESERVED CVE-2020-4543 RESERVED CVE-2020-4542 RESERVED CVE-2020-4541 RESERVED CVE-2020-4540 RESERVED CVE-2020-4539 RESERVED CVE-2020-4538 RESERVED CVE-2020-4537 RESERVED CVE-2020-4536 RESERVED CVE-2020-4535 RESERVED CVE-2020-4534 RESERVED CVE-2020-4533 RESERVED CVE-2020-4532 (IBM Business Automation Workflow and IBM Business Process Manager (IBM ...) NOT-FOR-US: IBM CVE-2020-4531 RESERVED CVE-2020-4530 RESERVED CVE-2020-4529 (IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to server si ...) NOT-FOR-US: IBM CVE-2020-4528 RESERVED CVE-2020-4527 RESERVED CVE-2020-4526 RESERVED CVE-2020-4525 RESERVED CVE-2020-4524 RESERVED CVE-2020-4523 RESERVED CVE-2020-4522 RESERVED CVE-2020-4521 RESERVED CVE-2020-4520 RESERVED CVE-2020-4519 RESERVED CVE-2020-4518 RESERVED CVE-2020-4517 RESERVED CVE-2020-4516 RESERVED CVE-2020-4515 RESERVED CVE-2020-4514 RESERVED CVE-2020-4513 RESERVED CVE-2020-4512 RESERVED CVE-2020-4511 RESERVED CVE-2020-4510 RESERVED CVE-2020-4509 (IBM QRadar SIEM 7.3 and 7.4 is vulnerable to an XML External Entity In ...) NOT-FOR-US: IBM CVE-2020-4508 RESERVED CVE-2020-4507 RESERVED CVE-2020-4506 RESERVED CVE-2020-4505 RESERVED CVE-2020-4504 RESERVED CVE-2020-4503 (IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM CVE-2020-4502 RESERVED CVE-2020-4501 RESERVED CVE-2020-4500 RESERVED CVE-2020-4499 RESERVED CVE-2020-4498 RESERVED CVE-2020-4497 RESERVED CVE-2020-4496 RESERVED CVE-2020-4495 RESERVED CVE-2020-4494 (IBM Spectrum Protect Client 8.1.7.0 through 8.1.9.1 (Linux and Windows ...) NOT-FOR-US: IBM CVE-2020-4493 RESERVED CVE-2020-4492 RESERVED CVE-2020-4491 RESERVED CVE-2020-4490 (IBM Business Automation Workflow 18 and 19, and IBM Business Process M ...) NOT-FOR-US: IBM CVE-2020-4489 RESERVED CVE-2020-4488 RESERVED CVE-2020-4487 RESERVED CVE-2020-4486 RESERVED CVE-2020-4485 RESERVED CVE-2020-4484 RESERVED CVE-2020-4483 RESERVED CVE-2020-4482 RESERVED CVE-2020-4481 RESERVED CVE-2020-4480 RESERVED CVE-2020-4479 RESERVED CVE-2020-4478 RESERVED CVE-2020-4477 (IBM Spectrum Protect Plus 10.1.0 through 10.1.5 discloses highly sensi ...) NOT-FOR-US: IBM CVE-2020-4476 RESERVED CVE-2020-4475 RESERVED CVE-2020-4474 RESERVED CVE-2020-4473 RESERVED CVE-2020-4472 RESERVED CVE-2020-4471 (IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow an unauthe ...) NOT-FOR-US: IBM CVE-2020-4470 (IBM Spectrum Protect Plus 10.1.0 through 10.1.5 Administrative Console ...) NOT-FOR-US: IBM CVE-2020-4469 (IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote a ...) NOT-FOR-US: IBM CVE-2020-4468 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a remote attacke ...) NOT-FOR-US: IBM CVE-2020-4467 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a remote attacke ...) NOT-FOR-US: IBM CVE-2020-4466 RESERVED CVE-2020-4465 RESERVED CVE-2020-4464 RESERVED CVE-2020-4463 RESERVED CVE-2020-4462 RESERVED CVE-2020-4461 (IBM Security Access Manager Appliance 9.0.7.1 could allow an authentic ...) NOT-FOR-US: IBM CVE-2020-4460 RESERVED CVE-2020-4459 RESERVED CVE-2020-4458 RESERVED CVE-2020-4457 RESERVED CVE-2020-4456 RESERVED CVE-2020-4455 RESERVED CVE-2020-4454 RESERVED CVE-2020-4453 RESERVED CVE-2020-4452 (IBM API Connect V2018.4.1.0 through 2018.4.1.11 uses weaker than expec ...) NOT-FOR-US: IBM CVE-2020-4451 RESERVED CVE-2020-4450 (IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a ...) NOT-FOR-US: IBM CVE-2020-4449 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional co ...) NOT-FOR-US: IBM CVE-2020-4448 (IBM WebSphere Application Server Network Deployment 7.0, 8.0, 8.5, and ...) NOT-FOR-US: IBM CVE-2020-4447 RESERVED CVE-2020-4446 (IBM Business Process Manager 8.0, 8.5, and 8.6 and IBM Business Automa ...) NOT-FOR-US: IBM CVE-2020-4445 RESERVED CVE-2020-4444 RESERVED CVE-2020-4443 RESERVED CVE-2020-4442 RESERVED CVE-2020-4441 RESERVED CVE-2020-4440 RESERVED CVE-2020-4439 RESERVED CVE-2020-4438 RESERVED CVE-2020-4437 RESERVED CVE-2020-4436 (Certain IBM Aspera applications are vulnerable to buffer overflow afte ...) NOT-FOR-US: IBM CVE-2020-4435 (Certain IBM Aspera applications are vulnerable to arbitrary memory cor ...) NOT-FOR-US: IBM CVE-2020-4434 (Certain IBM Aspera applications are vulnerable to buffer overflow base ...) NOT-FOR-US: IBM CVE-2020-4433 (Certain IBM Aspera applications are vulnerable to a stack-based buffer ...) NOT-FOR-US: IBM CVE-2020-4432 (Certain IBM Aspera applications are vulnerable to command injection af ...) NOT-FOR-US: IBM CVE-2020-4431 (IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM CVE-2020-4430 (IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a rem ...) NOT-FOR-US: IBM CVE-2020-4429 (IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 con ...) NOT-FOR-US: IBM CVE-2020-4428 (IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a rem ...) NOT-FOR-US: IBM CVE-2020-4427 (IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 cou ...) NOT-FOR-US: IBM CVE-2020-4426 RESERVED CVE-2020-4425 RESERVED CVE-2020-4424 RESERVED CVE-2020-4423 RESERVED CVE-2020-4422 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a remote attacke ...) NOT-FOR-US: IBM CVE-2020-4421 (IBM WebSphere Application Liberty 19.0.0.5 through 20.0.0.4 could allo ...) NOT-FOR-US: IBM CVE-2020-4420 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2020-4419 (IBM Jazz Reporting Service 6.0.6, 6.0.6.1, and 7.0 is vulnerable to cr ...) NOT-FOR-US: IBM CVE-2020-4418 RESERVED CVE-2020-4417 RESERVED CVE-2020-4416 RESERVED CVE-2020-4415 (IBM Spectrum Protect 7.1 and 8.1 server is vulnerable to a stack-based ...) NOT-FOR-US: IBM CVE-2020-4414 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2020-4413 (IBM Security Secret Server 10.7 could allow a remote attacker to obtai ...) NOT-FOR-US: IBM CVE-2020-4412 (The Spectrum Scale 4.2.0.0 through 4.2.3.21 and 5.0.0.0 through 5.0.4. ...) NOT-FOR-US: IBM CVE-2020-4411 (The Spectrum Scale 4.2.0.0 through 4.2.3.21 and 5.0.0.0 through 5.0.4. ...) NOT-FOR-US: IBM CVE-2020-4410 RESERVED CVE-2020-4409 RESERVED CVE-2020-4408 RESERVED CVE-2020-4407 RESERVED CVE-2020-4406 (IBM Spectrum Protect Client 8.1.7.0 through 8.1.9.1 (Linux and Windows ...) NOT-FOR-US: IBM CVE-2020-4405 RESERVED CVE-2020-4404 RESERVED CVE-2020-4403 RESERVED CVE-2020-4402 RESERVED CVE-2020-4401 RESERVED CVE-2020-4400 RESERVED CVE-2020-4399 RESERVED CVE-2020-4398 RESERVED CVE-2020-4397 RESERVED CVE-2020-4396 RESERVED CVE-2020-4395 RESERVED CVE-2020-4394 RESERVED CVE-2020-4393 RESERVED CVE-2020-4392 RESERVED CVE-2020-4391 RESERVED CVE-2020-4390 RESERVED CVE-2020-4389 RESERVED CVE-2020-4388 RESERVED CVE-2020-4387 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2020-4386 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2020-4385 RESERVED CVE-2020-4384 (IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable t ...) NOT-FOR-US: IBM CVE-2020-4383 RESERVED CVE-2020-4382 RESERVED CVE-2020-4381 RESERVED CVE-2020-4380 (IBM Workload Scheduler 9.3.0.4 is vulnerable to cross-site scripting. ...) NOT-FOR-US: IBM CVE-2020-4379 (IBM Spectrum Scale 5.0.0.0 through 5.0.4.4 uses weaker than expected c ...) NOT-FOR-US: IBM CVE-2020-4378 (IBM Spectrum Scale 5.0.0.0 through 5.0.4.4 could allow a privileged au ...) NOT-FOR-US: IBM CVE-2020-4377 RESERVED CVE-2020-4376 (IBM MQ, IBM MQ Appliance, IBM MQ for HPE NonStop 8.0.4 and 8.1.0 could ...) NOT-FOR-US: IBM CVE-2020-4375 RESERVED CVE-2020-4374 RESERVED CVE-2020-4373 RESERVED CVE-2020-4372 RESERVED CVE-2020-4371 RESERVED CVE-2020-4370 RESERVED CVE-2020-4369 RESERVED CVE-2020-4368 RESERVED CVE-2020-4367 (IBM Planning Analytics Local 2.0 uses weaker than expected cryptograph ...) NOT-FOR-US: IBM CVE-2020-4366 (IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM CVE-2020-4365 (IBM WebSphere Application Server 8.5 is vulnerable to server-side requ ...) NOT-FOR-US: IBM CVE-2020-4364 RESERVED CVE-2020-4363 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2020-4362 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is ...) NOT-FOR-US: IBM CVE-2020-4361 RESERVED CVE-2020-4360 (IBM Planning Analytics Local 2.0 is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM CVE-2020-4359 RESERVED CVE-2020-4358 (IBM Spectrum Scale 5.0.0.0 through 5.0.4.4 is vulnerable to cross-site ...) NOT-FOR-US: IBM CVE-2020-4357 (IBM Spectrum Scale 5.0.0.0 through 5.0.4.4 could allow a remote attack ...) NOT-FOR-US: IBM CVE-2020-4356 RESERVED CVE-2020-4355 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2020-4354 RESERVED CVE-2020-4353 (IBM MaaS360 6.82 could allow a user with pysical access to the device ...) NOT-FOR-US: IBM CVE-2020-4352 (IBM MQ on HPE NonStop 8.0.4 and 8.1.0 is vulnerable to a privilege esc ...) NOT-FOR-US: IBM CVE-2020-4351 RESERVED CVE-2020-4350 (IBM Spectrum Scale 5.0.0.0 through 5.0.4.4 uses weaker than expected c ...) NOT-FOR-US: IBM CVE-2020-4349 (IBM Spectrum Scale 5.0.0.0 through 5.0.4.4 uses weaker than expected c ...) NOT-FOR-US: IBM CVE-2020-4348 (IBM Spectrum Scale 4.2.0.0 through 4.2.3.21 and 5.0.0.0 through 5.0.4. ...) NOT-FOR-US: IBM CVE-2020-4347 (IBM InfoSphere Information Server 11.3, 11.5, and 11.7 could be subjec ...) NOT-FOR-US: IBM CVE-2020-4346 (IBM API Connect's V2018.4.1.0 through 2018.4.1.10 management server ha ...) NOT-FOR-US: IBM CVE-2020-4345 (IBM i 7.2, 7.3, and 7.4 users running complex SQL statements under a s ...) NOT-FOR-US: IBM CVE-2020-4344 RESERVED CVE-2020-4343 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a remote attacke ...) NOT-FOR-US: IBM CVE-2020-4342 (IBM Security Secret Server 10.7 could disclose sensitive information i ...) NOT-FOR-US: IBM CVE-2020-4341 (IBM Security Secret Server 10.7 could allow a remote attacker to obtai ...) NOT-FOR-US: IBM CVE-2020-4340 RESERVED CVE-2020-4339 RESERVED CVE-2020-4338 (IBM MQ 9.1.4 could allow a local attacker to obtain sensitive informat ...) NOT-FOR-US: IBM CVE-2020-4337 RESERVED CVE-2020-4336 RESERVED CVE-2020-4335 RESERVED CVE-2020-4334 RESERVED CVE-2020-4333 RESERVED CVE-2020-4332 RESERVED CVE-2020-4331 RESERVED CVE-2020-4330 RESERVED CVE-2020-4329 (IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0 ...) NOT-FOR-US: IBM CVE-2020-4328 RESERVED CVE-2020-4327 (IBM Security Secret Server 10.7 could allow a remote attacker to obtai ...) NOT-FOR-US: IBM CVE-2020-4326 RESERVED CVE-2020-4325 (The IBM Process Federation Server 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0 ...) NOT-FOR-US: IBM CVE-2020-4324 RESERVED CVE-2020-4323 (IBM Security Secret Server 10.7 is vulnerable to cross-site scripting. ...) NOT-FOR-US: IBM CVE-2020-4322 (IBM Security Secret Server 10.7 could allow a remote attacker to hijac ...) NOT-FOR-US: IBM CVE-2020-4321 RESERVED CVE-2020-4320 (IBM MQ Appliance and IBM MQ AMQP Channels 8.0, 9.0 LTS, 9.1 LTS, and 9 ...) NOT-FOR-US: IBM CVE-2020-4319 RESERVED CVE-2020-4318 RESERVED CVE-2020-4317 RESERVED CVE-2020-4316 RESERVED CVE-2020-4315 RESERVED CVE-2020-4314 RESERVED CVE-2020-4313 RESERVED CVE-2020-4312 (IBM Sterling B2B Integrator Standard Edition 5.2.0.0 trough 6.0.3.1 co ...) NOT-FOR-US: IBM CVE-2020-4311 (IBM Tivoli Monitoring 6.3.0 could allow a local attacker to execute ar ...) NOT-FOR-US: IBM CVE-2020-4310 (IBM MQ and MQ Appliance 7.1, 7.5, 8.0, 9.0 LTS, 9.1 LTS, and 9.1 C are ...) NOT-FOR-US: IBM CVE-2020-4309 (IBM Content Navigator 3.0CD could disclose sensitive information to an ...) NOT-FOR-US: IBM CVE-2020-4308 RESERVED CVE-2020-4307 (IBM Security Guardium 11.1 could allow an attacker on the same network ...) NOT-FOR-US: IBM CVE-2020-4306 (IBM Planning Analytics Local 2.0.0 through 2.0.9 is vulnerable to cros ...) NOT-FOR-US: IBM CVE-2020-4305 RESERVED CVE-2020-4304 (IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 i ...) NOT-FOR-US: IBM CVE-2020-4303 (IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 i ...) NOT-FOR-US: IBM CVE-2020-4302 RESERVED CVE-2020-4301 RESERVED CVE-2020-4300 RESERVED CVE-2020-4299 (IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.0.3.1 c ...) NOT-FOR-US: IBM CVE-2020-4298 (IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable t ...) NOT-FOR-US: IBM CVE-2020-4297 (IBM DOORS Next Generation (DNG/RRC) 6.0.2, 6.0.6, 6.0.6.1, and 7.0 is ...) NOT-FOR-US: IBM CVE-2020-4296 RESERVED CVE-2020-4295 (IBM DOORS Next Generation (DNG/RRC) 6.0.2, 6.0.6, 6.0.6.1, and 7.0 is ...) NOT-FOR-US: IBM CVE-2020-4294 (IBM QRadar 7.3.0 to 7.3.3 Patch 2 is vulnerable to Server Side Request ...) NOT-FOR-US: IBM CVE-2020-4293 RESERVED CVE-2020-4292 (IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, and ...) NOT-FOR-US: IBM CVE-2020-4291 (IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0. ...) NOT-FOR-US: IBM CVE-2020-4290 (IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0. ...) NOT-FOR-US: IBM CVE-2020-4289 (IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0. ...) NOT-FOR-US: IBM CVE-2020-4288 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a remote attacke ...) NOT-FOR-US: IBM CVE-2020-4287 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a remote attacke ...) NOT-FOR-US: IBM CVE-2020-4286 (IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable t ...) NOT-FOR-US: IBM CVE-2020-4285 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a remote attacke ...) NOT-FOR-US: IBM CVE-2020-4284 (IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0. ...) NOT-FOR-US: IBM CVE-2020-4283 (IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, and ...) NOT-FOR-US: IBM CVE-2020-4282 (IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0. ...) NOT-FOR-US: IBM CVE-2020-4281 (IBM DOORS Next Generation (DNG/RRC) 6.0.2, 6.0.6, 6.0.6.1, and 7.0 is ...) NOT-FOR-US: IBM CVE-2020-4280 RESERVED CVE-2020-4279 RESERVED CVE-2020-4278 (IBM Platform LSF 9.1 and 10.1, IBM Spectrum LSF Suite 10.2, and IBM Sp ...) NOT-FOR-US: IBM CVE-2020-4277 (IBM TRIRIGA Application Platform 3.5.3 and 3.6.1 discloses sensitive i ...) NOT-FOR-US: IBM CVE-2020-4276 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is ...) NOT-FOR-US: IBM CVE-2020-4275 RESERVED CVE-2020-4274 (IBM QRadar 7.3.0 to 7.3.3 Patch 2 could allow an authenticated user to ...) NOT-FOR-US: IBM CVE-2020-4273 (IBM Spectrum Scale 4.2 and 5.0 could allow a local unprivileged attack ...) NOT-FOR-US: IBM CVE-2020-4272 (IBM QRadar 7.3.0 to 7.3.3 Patch 2 could allow a remote attacker to inc ...) NOT-FOR-US: IBM CVE-2020-4271 (IBM QRadar 7.3.0 to 7.3.3 Patch 2 could allow an authenticated user to ...) NOT-FOR-US: IBM CVE-2020-4270 (IBM QRadar 7.3.0 to 7.3.3 Patch 2 could allow a local user to gain esc ...) NOT-FOR-US: IBM CVE-2020-4269 (IBM QRadar 7.3.0 to 7.3.3 Patch 2 contains hard-coded credentials, suc ...) NOT-FOR-US: IBM CVE-2020-4268 (IBM QRadar 7.3.0 to 7.3.3 Patch 2 is vulnerable to cross-site scriptin ...) NOT-FOR-US: IBM CVE-2020-4267 (IBM MQ and MQ Appliance 8.0, 9.1 LTS, and 9.1 CD could allow an authen ...) NOT-FOR-US: IBM CVE-2020-4266 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a local attacker ...) NOT-FOR-US: IBM CVE-2020-4265 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a local attacker ...) NOT-FOR-US: IBM CVE-2020-4264 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a local attacker ...) NOT-FOR-US: IBM CVE-2020-4263 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a local attacker ...) NOT-FOR-US: IBM CVE-2020-4262 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a local attacker ...) NOT-FOR-US: IBM CVE-2020-4261 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a local attacker ...) NOT-FOR-US: IBM CVE-2020-4260 (IBM UrbanCode Deploy (UCD) 7.0.5 could allow a user with special permi ...) NOT-FOR-US: IBM CVE-2020-4259 (IBM Sterling File Gateway 2.2.0.0 through 6.0.3.1 could allow an authe ...) NOT-FOR-US: IBM CVE-2020-4258 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a local attacker ...) NOT-FOR-US: IBM CVE-2020-4257 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a local attacker ...) NOT-FOR-US: IBM CVE-2020-4256 RESERVED CVE-2020-4255 RESERVED CVE-2020-4254 RESERVED CVE-2020-4253 (IBM Content Navigator 3.0CD does not invalidate session after logout w ...) NOT-FOR-US: IBM CVE-2020-4252 (IBM DOORS Next Generation (DNG/RRC) 6.0.2. 6.0.6, and 6.0.61 is vulner ...) NOT-FOR-US: IBM CVE-2020-4251 (IBM API Connect 5.0.0.0 through 5.0.8.8 is vulnerable to cross-site sc ...) NOT-FOR-US: IBM CVE-2020-4250 RESERVED CVE-2020-4249 (IBM Security Identity Governance and Intelligence 5.2.6 could disclose ...) NOT-FOR-US: IBM CVE-2020-4248 (IBM Security Identity Governance and Intelligence 5.2.6 could allow a ...) NOT-FOR-US: IBM CVE-2020-4247 RESERVED CVE-2020-4246 (IBM Security Identity Governance and Intelligence 5.2.6 is vulnerable ...) NOT-FOR-US: IBM CVE-2020-4245 (IBM Security Identity Governance and Intelligence 5.2.6 does not requi ...) NOT-FOR-US: IBM CVE-2020-4244 (IBM Security Identity Governance and Intelligence 5.2.6 could allow an ...) NOT-FOR-US: IBM CVE-2020-4243 RESERVED CVE-2020-4242 (IBM Spectrum Scale and IBM Spectrum Protect Plus 10.1.0 through 10.1.5 ...) NOT-FOR-US: IBM CVE-2020-4241 (IBM Spectrum Scale and IBM Spectrum Protect Plus 10.1.0 through 10.1.5 ...) NOT-FOR-US: IBM CVE-2020-4240 (IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote a ...) NOT-FOR-US: IBM CVE-2020-4239 (IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.17 could allow a remot ...) NOT-FOR-US: IBM CVE-2020-4238 (IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.17 is vulnerable to cr ...) NOT-FOR-US: IBM CVE-2020-4237 (IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.17 is vulnerable to cr ...) NOT-FOR-US: IBM CVE-2020-4236 (IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.17 could allow an auth ...) NOT-FOR-US: IBM CVE-2020-4235 (IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.17 is vulnerable to cr ...) NOT-FOR-US: IBM CVE-2020-4234 RESERVED CVE-2020-4233 (IBM Security Identity Governance and Intelligence 5.2.6 could allow a ...) NOT-FOR-US: IBM CVE-2020-4232 (IBM Security Identity Governance and Intelligence 5.2.6 could allow an ...) NOT-FOR-US: IBM CVE-2020-4231 (IBM Security Identity Governance and Intelligence 5.2.6 could allow an ...) NOT-FOR-US: IBM CVE-2020-4230 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1 ...) NOT-FOR-US: IBM CVE-2020-4229 (IBM Worklight/MobileFoundation 8.0.0.0 does not properly invalidate se ...) NOT-FOR-US: IBM CVE-2020-4228 RESERVED CVE-2020-4227 RESERVED CVE-2020-4226 (IBM MobileFirst Platform Foundation 8.0.0.0 stores highly sensitive in ...) NOT-FOR-US: IBM CVE-2020-4225 RESERVED CVE-2020-4224 (IBM StoredIQ 7.6.0.17 through 7.6.0.20 could disclose sensitive inform ...) NOT-FOR-US: IBM CVE-2020-4223 (IBM Maximo Asset Management 7.6.0.10 and 7.6.1.1 is vulnerable to cros ...) NOT-FOR-US: IBM CVE-2020-4222 (IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attac ...) NOT-FOR-US: IBM Spectrum Protect Plus CVE-2020-4221 RESERVED CVE-2020-4220 RESERVED CVE-2020-4219 RESERVED CVE-2020-4218 RESERVED CVE-2020-4217 (The IBM Spectrum Scale 4.2 and 5.0 file system component is affected b ...) NOT-FOR-US: IBM CVE-2020-4216 (IBM Spectrum Protect Plus 10.1.0 through 10.1.5 contains hard-coded cr ...) NOT-FOR-US: IBM CVE-2020-4215 RESERVED CVE-2020-4214 (IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote a ...) NOT-FOR-US: IBM CVE-2020-4213 (IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attac ...) NOT-FOR-US: IBM CVE-2020-4212 (IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attac ...) NOT-FOR-US: IBM CVE-2020-4211 (IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attac ...) NOT-FOR-US: IBM CVE-2020-4210 (IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attac ...) NOT-FOR-US: IBM CVE-2020-4209 (IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote a ...) NOT-FOR-US: IBM CVE-2020-4208 (IBM Spectrum Protect Plus 10.1.0 through 10.1.5 contains hard-coded cr ...) NOT-FOR-US: IBM CVE-2020-4207 (IBM Watson IoT Message Gateway 2.0.0.x, 5.0.0.0, 5.0.0.1, and 5.0.0.2 ...) NOT-FOR-US: IBM CVE-2020-4206 (IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote a ...) NOT-FOR-US: IBM CVE-2020-4205 (IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.8 could allow an aut ...) NOT-FOR-US: IBM CVE-2020-4204 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2020-4203 (IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.8 could potentially ...) NOT-FOR-US: IBM CVE-2020-4202 (IBM UrbanCode Deploy (UCD) 7.0.3.0 and 7.0.4.0 could allow an authenti ...) NOT-FOR-US: IBM CVE-2020-4201 RESERVED CVE-2020-4200 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 10.5 ...) NOT-FOR-US: IBM CVE-2020-4199 (IBM Tivoli Netcool/OMNIbus 8.1.0 is vulnerable to cross-site request f ...) NOT-FOR-US: IBM CVE-2020-4198 (IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to cross-site scrip ...) NOT-FOR-US: IBM CVE-2020-4197 (IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 allows web pages to be stored loc ...) NOT-FOR-US: IBM CVE-2020-4196 (IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to cross-site scrip ...) NOT-FOR-US: IBM CVE-2020-4195 (IBM API Connect V2018.4.1.0 through 2018.4.1.10 could allow a remote a ...) NOT-FOR-US: IBM CVE-2020-4194 RESERVED CVE-2020-4193 (IBM Security Guardium 11.1 uses an inadequate account lockout setting ...) NOT-FOR-US: IBM CVE-2020-4192 RESERVED CVE-2020-4191 (IBM Security Guardium 11.1 uses weaker than expected cryptographic alg ...) NOT-FOR-US: IBM CVE-2020-4190 (IBM Security Guardium 10.6, 11.0, and 11.1 contains hard-coded credent ...) NOT-FOR-US: IBM CVE-2020-4189 RESERVED CVE-2020-4188 (IBM Security Guardium 10.6 and 11.1 may use insufficiently random numb ...) NOT-FOR-US: IBM CVE-2020-4187 (IBM Security Guardium 11.1 could disclose sensitive information on the ...) NOT-FOR-US: IBM CVE-2020-4186 RESERVED CVE-2020-4185 RESERVED CVE-2020-4184 RESERVED CVE-2020-4183 (IBM Security Guardium 11.1 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2020-4182 (IBM Security Guardium 11.1 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2020-4181 RESERVED CVE-2020-4180 (IBM Security Guardium 11.1 could allow a remote authenticated attacker ...) NOT-FOR-US: IBM CVE-2020-4179 RESERVED CVE-2020-4178 RESERVED CVE-2020-4177 (IBM Security Guardium 11.1 contains hard-coded credentials, such as a ...) NOT-FOR-US: IBM CVE-2020-4176 RESERVED CVE-2020-4175 RESERVED CVE-2020-4174 RESERVED CVE-2020-4173 RESERVED CVE-2020-4172 RESERVED CVE-2020-4171 RESERVED CVE-2020-4170 RESERVED CVE-2020-4169 RESERVED CVE-2020-4168 RESERVED CVE-2020-4167 RESERVED CVE-2020-4166 RESERVED CVE-2020-4165 RESERVED CVE-2020-4164 (IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0. ...) NOT-FOR-US: IBM CVE-2020-4163 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0, under special ...) NOT-FOR-US: IBM CVE-2020-4162 (IBM InfoSphere Information Server 11.5 and 11.7 is vulnerable to cross ...) NOT-FOR-US: IBM CVE-2020-4161 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5 ...) NOT-FOR-US: IBM CVE-2020-4160 RESERVED CVE-2020-4159 RESERVED CVE-2020-4158 RESERVED CVE-2020-4157 RESERVED CVE-2020-4156 RESERVED CVE-2020-4155 RESERVED CVE-2020-4154 RESERVED CVE-2020-4153 RESERVED CVE-2020-4152 RESERVED CVE-2020-4151 (IBM QRadar SIEM 7.3.0 through 7.3.3 could allow an authenticated attac ...) NOT-FOR-US: IBM CVE-2020-4150 RESERVED CVE-2020-4149 RESERVED CVE-2020-4148 RESERVED CVE-2020-4147 RESERVED CVE-2020-4146 RESERVED CVE-2020-4145 RESERVED CVE-2020-4144 RESERVED CVE-2020-4143 RESERVED CVE-2020-4142 RESERVED CVE-2020-4141 RESERVED CVE-2020-4140 RESERVED CVE-2020-4139 RESERVED CVE-2020-4138 RESERVED CVE-2020-4137 RESERVED CVE-2020-4136 RESERVED CVE-2020-4135 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2020-4134 RESERVED CVE-2020-4133 RESERVED CVE-2020-4132 RESERVED CVE-2020-4131 RESERVED CVE-2020-4130 RESERVED CVE-2020-4129 RESERVED CVE-2020-4128 RESERVED CVE-2020-4127 RESERVED CVE-2020-4126 RESERVED CVE-2020-4125 RESERVED CVE-2020-4124 RESERVED CVE-2020-4123 RESERVED CVE-2020-4122 RESERVED CVE-2020-4121 RESERVED CVE-2020-4120 RESERVED CVE-2020-4119 RESERVED CVE-2020-4118 RESERVED CVE-2020-4117 RESERVED CVE-2020-4116 RESERVED CVE-2020-4115 RESERVED CVE-2020-4114 RESERVED CVE-2020-4113 RESERVED CVE-2020-4112 RESERVED CVE-2020-4111 RESERVED CVE-2020-4110 RESERVED CVE-2020-4109 RESERVED CVE-2020-4108 RESERVED CVE-2020-4107 RESERVED CVE-2020-4106 RESERVED CVE-2020-4105 RESERVED CVE-2020-4104 RESERVED CVE-2020-4103 RESERVED CVE-2020-4102 RESERVED CVE-2020-4101 ("HCL Digital Experience is susceptible to Server Side Request Forgery. ...) NOT-FOR-US: HCL Digital Experience CVE-2020-4100 RESERVED CVE-2020-4099 RESERVED CVE-2020-4098 RESERVED CVE-2020-4097 RESERVED CVE-2020-4096 RESERVED CVE-2020-4095 RESERVED CVE-2020-4094 RESERVED CVE-2020-4093 RESERVED CVE-2020-4092 ("If port encryption is not enabled on the Domino Server, HCL Nomad on ...) NOT-FOR-US: HCL Nomad CVE-2020-4091 RESERVED CVE-2020-4090 RESERVED CVE-2020-4089 (HCL Notes is vulnerable to an information leakage vulnerability throug ...) NOT-FOR-US: HCL Notes CVE-2020-4088 RESERVED CVE-2020-4087 RESERVED CVE-2020-4086 RESERVED CVE-2020-4085 ("HCL Connections is vulnerable to possible information leakage and cou ...) NOT-FOR-US: HCL Connections CVE-2020-4084 (HCL Connections v5.5, v6.0, and v6.5 are vulnerable to cross-site scri ...) NOT-FOR-US: HCL Connections CVE-2020-4083 (HCL Connections 6.5 is vulnerable to possible information leakage. Con ...) NOT-FOR-US: HCL Connections CVE-2020-4082 (The HCL Connections 5.5 help system is vulnerable to cross-site script ...) NOT-FOR-US: HCL Connections CVE-2020-4081 RESERVED CVE-2020-4080 RESERVED CVE-2020-4079 RESERVED CVE-2020-4078 RESERVED CVE-2020-4077 (In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a ...) - electron (bug #842420) CVE-2020-4076 (In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a ...) - electron (bug #842420) CVE-2020-4075 (In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary ...) - electron (bug #842420) CVE-2020-4074 (In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, the aut ...) NOT-FOR-US: PrestaShop CVE-2020-4073 RESERVED CVE-2020-4072 (In generator-jhipster-kotlin version 1.6.0 log entries are created for ...) TODO: check CVE-2020-4071 (In django-basic-auth-ip-whitelist before 0.3.4, a potential timing att ...) TODO: check CVE-2020-4070 (In CSS Validator less than or equal to commit 54d68a1, there is a cros ...) TODO: check CVE-2020-4069 RESERVED CVE-2020-4068 (In APNSwift 1.0.0, calling APNSwiftSigner.sign(digest:) is likely to r ...) NOT-FOR-US: APNSwift CVE-2020-4067 (In coturn before version 4.5.1.3, there is an issue whereby STUN/TURN ...) {DSA-4711-1 DLA-2271-1} - coturn 4.5.1.3-1 NOTE: https://github.com/coturn/coturn/security/advisories/GHSA-c8r8-8vp5-6gcm NOTE: https://github.com/coturn/coturn/commit/170da1140797748ae85565b5a93a2e35e7b07b6a CVE-2020-4066 (In Limdu before 0.95, the trainBatch function has a command injection ...) TODO: check CVE-2020-4065 RESERVED CVE-2020-4064 RESERVED CVE-2020-4063 RESERVED CVE-2020-4062 (In Conjur OSS Helm Chart before 2.0.0, a recently identified critical ...) TODO: check CVE-2020-4061 (In October from version 1.0.319 and before version 1.0.467, pasting co ...) NOT-FOR-US: October CMS CVE-2020-4060 (In LoRa Basics Station before 2.0.4, there is a Use After Free vulnera ...) NOT-FOR-US: LoRa Basics Station CVE-2020-4059 (In mversion before 2.0.0, there is a command injection vulnerability. ...) TODO: check CVE-2020-4058 RESERVED CVE-2020-4057 RESERVED CVE-2020-4056 RESERVED CVE-2020-4055 RESERVED CVE-2020-4054 (In Sanitize (RubyGem sanitize) greater than or equal to 3.0.0 and less ...) - ruby-sanitize (bug #963808) [stretch] - ruby-sanitize (Vulnerable code introduced later) [jessie] - ruby-sanitize (Vulnerable code introduced later) NOTE: https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m NOTE: https://github.com/rgrove/sanitize/commit/a11498de9e283cd457b35ee252983662f7452aa9 CVE-2020-4053 (In Helm greater than or equal to 3.0.0 and less than 3.2.4, a path tra ...) - helm-kubernetes (bug #910799) CVE-2020-4052 (In Wiki.js before 2.4.107, there is a stored cross-site scripting thro ...) NOT-FOR-US: Wiki.js CVE-2020-4051 (In Dijit before versions 1.11.11, and greater than or equal to 1.12.0 ...) TODO: check CVE-2020-4045 (SSB-DB version 20.0.0 has an information disclosure vulnerability. The ...) NOT-FOR-US: SSB-DB CVE-2020-4044 (The xrdp-sesman service before version 0.9.13.1 can be crashed by conn ...) TODO: check CVE-2020-4043 (phpMussel from versions 1.0.0 and less than 1.6.0 has an unserializati ...) NOT-FOR-US: phpMussel CVE-2020-4042 RESERVED CVE-2020-4041 (In Bolt CMS before version 3.7.1, the filename of uploaded files was v ...) NOT-FOR-US: Bolt CMS CVE-2020-4040 (Bolt CMS before version 3.7.1 lacked CSRF protection in the preview ge ...) NOT-FOR-US: Bolt CMS CVE-2020-4039 RESERVED CVE-2020-4038 (GraphQL Playground (graphql-playground-html NPM package) before versio ...) TODO: check CVE-2020-4037 (In OAuth2 Proxy from version 5.1.1 and less than version 6.0.0, users ...) TODO: check CVE-2020-4036 RESERVED CVE-2020-4035 (In WatermelonDB (NPM package "@nozbe/watermelondb") before versions 0. ...) TODO: check CVE-2020-4034 RESERVED CVE-2020-4033 (In FreeRDP before version 2.1.2, there is an out of bounds read in RLE ...) - freerdp2 2.1.2+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7rhj-856w-82p8 CVE-2020-4032 (In FreeRDP before version 2.1.2, there is an integer casting vulnerabi ...) - freerdp2 2.1.2+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3898-mc89-x2vc CVE-2020-4031 (In FreeRDP before version 2.1.2, there is a use-after-free in gdi_Sele ...) - freerdp2 2.1.2+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-gwcq-hpq2-m74g CVE-2020-4030 (In FreeRDP before version 2.1.2, there is an out of bounds read in Tri ...) - freerdp2 2.1.2+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-fjr5-97f5-qq98 CVE-2020-4029 (The /rest/project-templates/1.0/createshared resource in Atlassian Jir ...) NOT-FOR-US: Atlassian CVE-2020-4028 (Versions before 8.9.1, Various resources in Jira responded with a 404 ...) NOT-FOR-US: Atlassian CVE-2020-4027 (Atlassian Confluence Server and Data Center before version 7.5.1 allow ...) NOT-FOR-US: Atlassian CVE-2020-4026 (The CustomAppsRestResource list resource in Atlassian Navigator Links ...) NOT-FOR-US: Atlassian CVE-2020-4025 (The attachment download resource in Atlassian Jira Server and Data Cen ...) NOT-FOR-US: Atlassian CVE-2020-4024 (The attachment download resource in Atlassian Jira Server and Data Cen ...) NOT-FOR-US: Atlassian CVE-2020-4023 (The review coverage resource in Atlassian Fisheye and Crucible before ...) NOT-FOR-US: Atlassian Fisheye and Crucible CVE-2020-4022 (The attachment download resource in Atlassian Jira Server and Data Cen ...) NOT-FOR-US: Atlassian CVE-2020-4021 (Affected versions are: Before 8.5.5, and from 8.6.0 before 8.8.1 of At ...) NOT-FOR-US: Atlassian CVE-2020-4020 (The file downloading functionality in the Atlassian Companion App befo ...) NOT-FOR-US: Atlassian CVE-2020-4019 (The file editing functionality in the Atlassian Companion App before v ...) NOT-FOR-US: Atlassian CVE-2020-4018 (The setup resources in Atlassian Fisheye and Crucible before version 4 ...) NOT-FOR-US: Atlassian CVE-2020-4017 (The /rest/jira-ril/1.0/jira-rest/applinks resource in the crucible-jir ...) NOT-FOR-US: Atlassian CVE-2020-4016 (The /plugins/servlet/jira-blockers/ resource in the crucible-jira-ril ...) NOT-FOR-US: Atlassian CVE-2020-4015 (The /json/fe/activeUserFinder.do resource in Altassian Fisheye and Cru ...) NOT-FOR-US: Atlassian CVE-2020-4014 (The /profile/deleteWatch.do resource in Atlassian Fisheye and Crucible ...) NOT-FOR-US: Atlassian CVE-2020-4013 (The review resource in Atlassian Fisheye and Crucible before version 4 ...) NOT-FOR-US: Atlassian CVE-2020-4012 RESERVED CVE-2020-4011 RESERVED CVE-2020-4010 RESERVED CVE-2020-4009 RESERVED CVE-2020-4008 RESERVED CVE-2020-4007 RESERVED CVE-2020-4006 RESERVED CVE-2020-4005 RESERVED CVE-2020-4004 RESERVED CVE-2020-4003 RESERVED CVE-2020-4002 RESERVED CVE-2020-4001 RESERVED CVE-2020-4000 RESERVED CVE-2020-3999 RESERVED CVE-2020-3998 RESERVED CVE-2020-3997 RESERVED CVE-2020-3996 RESERVED CVE-2020-3995 RESERVED CVE-2020-3994 RESERVED CVE-2020-3993 RESERVED CVE-2020-3992 RESERVED CVE-2020-3991 RESERVED CVE-2020-3990 RESERVED CVE-2020-3989 RESERVED CVE-2020-3988 RESERVED CVE-2020-3987 RESERVED CVE-2020-3986 RESERVED CVE-2020-3985 RESERVED CVE-2020-3984 RESERVED CVE-2020-3983 RESERVED CVE-2020-3982 RESERVED CVE-2020-3981 RESERVED CVE-2020-3980 RESERVED CVE-2020-3979 RESERVED CVE-2020-3978 RESERVED CVE-2020-3977 RESERVED CVE-2020-3976 RESERVED CVE-2020-3975 RESERVED CVE-2020-3974 RESERVED CVE-2020-3973 (The VeloCloud Orchestrator does not apply correct input validation whi ...) TODO: check CVE-2020-3972 (VMware Tools for macOS (11.x.x and prior before 11.1.1) contains a den ...) NOT-FOR-US: VMware CVE-2020-3971 (VMware ESXi (6.7 before ESXi670-201904101-SG and 6.5 before ESXi650-20 ...) NOT-FOR-US: VMware CVE-2020-3970 (VMware ESXi (7.0 before ESXi_7.0.0-1.20.16321839, 6.7 before ESXi670-2 ...) NOT-FOR-US: VMware CVE-2020-3969 (VMware ESXi (7.0 before ESXi_7.0.0-1.20.16321839, 6.7 before ESXi670-2 ...) NOT-FOR-US: VMware CVE-2020-3968 (VMware ESXi (7.0 before ESXi_7.0.0-1.20.16321839, 6.7 before ESXi670-2 ...) NOT-FOR-US: VMware CVE-2020-3967 (VMware ESXi (7.0 before ESXi_7.0.0-1.20.16321839, 6.7 before ESXi670-2 ...) NOT-FOR-US: VMware CVE-2020-3966 (VMware ESXi (7.0 before ESXi_7.0.0-1.20.16321839, 6.7 before ESXi670-2 ...) NOT-FOR-US: VMware CVE-2020-3965 (VMware ESXi (7.0 before ESXi_7.0.0-1.20.16321839, 6.7 before ESXi670-2 ...) NOT-FOR-US: VMware CVE-2020-3964 (VMware ESXi (7.0 before ESXi_7.0.0-1.20.16321839, 6.7 before ESXi670-2 ...) NOT-FOR-US: VMware CVE-2020-3963 (VMware ESXi (7.0 before ESXi_7.0.0-1.20.16321839, 6.7 before ESXi670-2 ...) NOT-FOR-US: VMware CVE-2020-3962 (VMware ESXi (7.0 before ESXi_7.0.0-1.20.16321839, 6.7 before ESXi670-2 ...) NOT-FOR-US: VMware CVE-2020-3961 (VMware Horizon Client for Windows (prior to 5.4.3) contains a privileg ...) NOT-FOR-US: VMware CVE-2020-3960 RESERVED CVE-2020-3959 (VMware ESXi (6.7 before ESXi670-202004101-SG and 6.5 before ESXi650-20 ...) NOT-FOR-US: VMware CVE-2020-3958 (VMware ESXi (6.7 before ESXi670-202004101-SG and 6.5 before ESXi650-20 ...) NOT-FOR-US: VMware CVE-2020-3957 (VMware Fusion (11.x before 11.5.5), VMware Remote Console for Mac (11. ...) NOT-FOR-US: VMware CVE-2020-3956 (VMware Cloud Director 10.0.x before 10.0.0.2, 9.7.0.x before 9.7.0.5, ...) NOT-FOR-US: VMware CVE-2020-3955 (ESXi 6.5 without patch ESXi650-201912104-SG and ESXi 6.7 without patch ...) NOT-FOR-US: VMware CVE-2020-3954 (Open Redirect vulnerability exists in VMware vRealize Log Insight prio ...) NOT-FOR-US: VMware CVE-2020-3953 (Cross Site Scripting (XSS) vulnerability exists in VMware vRealize Log ...) NOT-FOR-US: VMware CVE-2020-3952 (Under certain conditions, vmdir that ships with VMware vCenter Server, ...) NOT-FOR-US: VMware CVE-2020-3951 (VMware Workstation (15.x before 15.5.2) and Horizon Client for Windows ...) NOT-FOR-US: VMware CVE-2020-3950 (VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11. ...) NOT-FOR-US: VMware CVE-2020-3949 RESERVED CVE-2020-3948 (Linux Guest VMs running on VMware Workstation (15.x before 15.5.2) and ...) NOT-FOR-US: VMware CVE-2020-3947 (VMware Workstation (15.x before 15.5.2) and Fusion (11.x before 11.5.2 ...) NOT-FOR-US: VMware CVE-2020-3946 (InstallBuilder AutoUpdate tool and regular installers enabling <che ...) NOT-FOR-US: InstallBuilder CVE-2020-3945 (vRealize Operations for Horizon Adapter (6.7.x prior to 6.7.1 and 6.6. ...) NOT-FOR-US: VMware CVE-2020-3944 (vRealize Operations for Horizon Adapter (6.7.x prior to 6.7.1 and 6.6. ...) NOT-FOR-US: VMware CVE-2020-3943 (vRealize Operations for Horizon Adapter (6.7.x prior to 6.7.1 and 6.6. ...) NOT-FOR-US: VMware CVE-2020-3942 RESERVED CVE-2020-3941 (The repair operation of VMware Tools for Windows 10.x.y has a race con ...) NOT-FOR-US: VMware Tools for Windows CVE-2020-3940 (VMware Workspace ONE SDK and dependent mobile application updates addr ...) NOT-FOR-US: VMware CVE-2019-20149 (ctorName in index.js in kind-of v6.0.2 allows external user input to o ...) - node-kind-of 6.0.3+dfsg-1 (bug #948095) [buster] - node-kind-of 6.0.2+dfsg-1+deb10u1 [stretch] - node-kind-of (Minor issue; can be fixed via point release) NOTE: https://github.com/jonschlinkert/kind-of/issues/30 NOTE: https://github.com/jonschlinkert/kind-of/pull/31 CVE-2019-20148 (An issue was discovered in GitLab Community Edition (CE) and Enterpris ...) [experimental] - gitlab 12.6.2-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/blog/2020/01/02/security-release-gitlab-12-6-2-released/ CVE-2019-20147 (An issue was discovered in GitLab Community Edition (CE) and Enterpris ...) [experimental] - gitlab 12.6.2-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/blog/2020/01/02/security-release-gitlab-12-6-2-released/ CVE-2019-20146 (An issue was discovered in GitLab Community Edition (CE) and Enterpris ...) [experimental] - gitlab 12.6.2-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/blog/2020/01/02/security-release-gitlab-12-6-2-released/ CVE-2019-20145 (An issue was discovered in GitLab Community Edition (CE) and Enterpris ...) [experimental] - gitlab 12.6.2-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/blog/2020/01/02/security-release-gitlab-12-6-2-released/ CVE-2019-20144 (An issue was discovered in GitLab Community Edition (CE) and Enterpris ...) [experimental] - gitlab 12.6.2-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/blog/2020/01/02/security-release-gitlab-12-6-2-released/ CVE-2019-20143 (An issue was discovered in GitLab Community Edition (CE) and Enterpris ...) - gitlab (Only affects Gitlab CE 12.6) NOTE: https://about.gitlab.com/blog/2020/01/02/security-release-gitlab-12-6-2-released/ CVE-2019-20142 (An issue was discovered in GitLab Community Edition (CE) and Enterpris ...) - gitlab (Only affects Gitlab CE 12.3 and later) NOTE: https://about.gitlab.com/blog/2020/01/02/security-release-gitlab-12-6-2-released/ CVE-2019-20141 (An XSS issue was discovered in the Laborator Neon theme 2.0 for WordPr ...) NOT-FOR-US: Laborator Neon theme for WordPress CVE-2019-20140 (An issue was discovered in libsixel 1.8.4. There is a heap-based buffe ...) - libsixel 1.8.6-1 (low; bug #948103) [buster] - libsixel (Minor issue) [stretch] - libsixel (Minor issue) [jessie] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/122 NOTE: https://github.com/saitoha/libsixel/commit/598c8c88c97fd2eb5f6f5d1324fc325e66317f0c CVE-2019-20139 (In Nagios XI 5.6.9, XSS exists via the nocscreenapi.php host, hostgrou ...) NOT-FOR-US: Nagios XI CVE-2019-20138 (The HTTP Authentication library before 2019-12-27 for Nim has weak pas ...) NOT-FOR-US: HTTP Authentication library for Nim CVE-2019-20137 RESERVED CVE-2019-20136 RESERVED CVE-2019-20135 RESERVED CVE-2019-20134 RESERVED CVE-2019-20133 RESERVED CVE-2019-20132 RESERVED CVE-2019-20131 RESERVED CVE-2019-20130 RESERVED CVE-2019-20129 RESERVED CVE-2019-20128 RESERVED CVE-2019-20127 RESERVED CVE-2019-20126 RESERVED CVE-2019-20125 RESERVED CVE-2019-20124 RESERVED CVE-2019-20123 RESERVED CVE-2019-20122 RESERVED CVE-2019-20121 RESERVED CVE-2019-20120 RESERVED CVE-2019-20119 RESERVED CVE-2019-20118 RESERVED CVE-2019-20117 RESERVED CVE-2019-20116 RESERVED CVE-2019-20115 RESERVED CVE-2019-20114 RESERVED CVE-2019-20113 RESERVED CVE-2019-20112 RESERVED CVE-2019-20111 RESERVED CVE-2019-20110 RESERVED CVE-2019-20109 RESERVED CVE-2019-20108 RESERVED CVE-2019-20107 (Multiple SQL injection vulnerabilities in TestLink through 1.9.19 allo ...) NOT-FOR-US: TestLink CVE-2019-20106 (Comment properties in Atlassian Jira Server and Data Center before ver ...) NOT-FOR-US: Atlassian CVE-2019-20105 (The EditApplinkServlet resource in the Atlassian Application Links plu ...) NOT-FOR-US: Atlassian CVE-2019-20104 (The OpenID client application in Atlassian Crowd before version 3.6.2, ...) NOT-FOR-US: Atlassian CVE-2019-20103 RESERVED CVE-2019-20102 (The attachment-uploading feature in Atlassian Confluence Server from v ...) NOT-FOR-US: Atlassian CVE-2019-20101 RESERVED CVE-2019-20100 (The Atlassian Application Links plugin is vulnerable to cross-site req ...) NOT-FOR-US: Atlassian Application Links plugin CVE-2019-20099 (The VerifyPopServerConnection!add.jspa component in Atlassian Jira Ser ...) NOT-FOR-US: Atlassian CVE-2019-20098 (The VerifySmtpServerConnection!add.jspa component in Atlassian Jira Se ...) NOT-FOR-US: Atlassian CVE-2019-20097 (Bitbucket Server and Bitbucket Data Center versions starting from 1.0. ...) NOT-FOR-US: Bitbucket Server and Bitbucket Data Center CVE-2019-20096 (In the Linux kernel before 5.1, there is a memory leak in __feat_regis ...) {DLA-2114-1} - linux 5.2.6-1 [buster] - linux 4.19.98-1 [stretch] - linux 4.9.210-1 [jessie] - linux 3.16.72-1 NOTE: https://git.kernel.org/linus/1d3ff0950e2b40dc861b1739029649d03f591820 CVE-2019-20095 (mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c in t ...) - linux 5.2.6-1 [buster] - linux 4.19.67-1 [stretch] - linux 4.9.184-1 [jessie] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/003b686ace820ce2d635a83f10f2d7f9c147dabc CVE-2019-20094 (An issue was discovered in libsixel 1.8.4. There is a heap-based buffe ...) - libsixel 1.8.6-1 (low; bug #948103) [buster] - libsixel (Minor issue) [stretch] - libsixel (Minor issue) [jessie] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/125 NOTE: https://github.com/saitoha/libsixel/commit/a18b3789cfd147028403c17fe79a43b169d8f034 CVE-2019-20093 (The PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo ...) - libpodofo [buster] - libpodofo (Minor issue) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) NOTE: https://sourceforge.net/p/podofo/tickets/75/ CVE-2019-20092 (An issue was discovered in Bento4 1.5.1.0. There is a NULL pointer der ...) NOT-FOR-US: Bento4 CVE-2019-20091 (An issue was discovered in Bento4 1.5.1.0. There is a NULL pointer der ...) NOT-FOR-US: Bento4 CVE-2019-20090 (An issue was discovered in Bento4 1.5.1.0. There is a use-after-free i ...) NOT-FOR-US: Bento4 CVE-2019-20089 (GoPro GPMF-parser 1.2.3 has an heap-based buffer over-read in GPMF_See ...) NOT-FOR-US: gpmf-parser CVE-2019-20088 (GoPro GPMF-parser 1.2.3 has a heap-based buffer over-read in GetPayloa ...) NOT-FOR-US: gpmf-parser CVE-2019-20087 (GoPro GPMF-parser 1.2.3 has a heap-based buffer over-read in GPMF_seek ...) NOT-FOR-US: gpmf-parser CVE-2019-20086 (GoPro GPMF-parser 1.2.3 has a heap-based buffer over-read in GPMF_Next ...) NOT-FOR-US: gpmf-parser CVE-2019-20085 (TVT NVMS-1000 devices allow GET /.. Directory Traversal ...) NOT-FOR-US: TVT NVMS-1000 devices CVE-2019-20084 RESERVED CVE-2019-20083 RESERVED CVE-2019-20082 RESERVED CVE-2019-20081 RESERVED CVE-2019-20080 RESERVED CVE-2019-20079 (The autocmd feature in window.c in Vim before 8.1.2136 accesses freed ...) - vim 2:8.1.2136-1 [buster] - vim (Minor issue) [stretch] - vim (Vulnerable code introduced later) [jessie] - vim (vulnerable code was introduced later) NOTE: https://github.com/vim/vim/issues/5041 NOTE: https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421 CVE-2019-20078 RESERVED CVE-2019-20077 (The Typesetter CMS 5.1 logout functionality is affected by a CSRF vuln ...) NOT-FOR-US: Typesetter CMS CVE-2019-20076 (On Netis DL4323 devices, XSS exists via the form2Ddns.cgi username par ...) NOT-FOR-US: Netis DL4323 devices CVE-2019-20075 (On Netis DL4323 devices, pingrtt_v6.html has XSS (Ping6 Diagnostic). ...) NOT-FOR-US: Netis DL4323 devices CVE-2019-20074 (On Netis DL4323 devices, any user role can view sensitive information, ...) NOT-FOR-US: Netis DL4323 devices CVE-2019-20073 (On Netis DL4323 devices, XSS exists via the form2userconfig.cgi userna ...) NOT-FOR-US: Netis DL4323 devices CVE-2019-20072 (On Netis DL4323 devices, XSS exists via the form2Ddns.cgi hostname par ...) NOT-FOR-US: Netis DL4323 devices CVE-2019-20071 (On Netis DL4323 devices, CSRF exists via form2logaction.cgi to delete ...) NOT-FOR-US: Netis DL4323 devices CVE-2019-20070 (On Netis DL4323 devices, XSS exists via the urlFQDN parameter to form2 ...) NOT-FOR-US: Netis DL4323 devices CVE-2019-20069 RESERVED CVE-2019-20068 RESERVED CVE-2019-20067 RESERVED CVE-2019-20066 RESERVED CVE-2019-20065 RESERVED CVE-2019-20064 RESERVED CVE-2019-20063 (hdf/dataobject.c in libmysofa before 0.8 has an uninitialized use of m ...) - libmysofa 0.8~dfsg0-1 [buster] - libmysofa 0.6~dfsg0-3+deb10u1 NOTE: https://github.com/hoene/libmysofa/issues/67 NOTE: https://github.com/hoene/libmysofa/commit/ecb7b743b6f6d47b93a7bc680a60071a0f9524c6 CVE-2019-20062 (MFScripts YetiShare v3.5.2 through v4.5.4 might allow an attacker to r ...) NOT-FOR-US: MFScripts YetiShare CVE-2019-20061 (The user-introduction email in MFScripts YetiShare v3.5.2 through v4.5 ...) NOT-FOR-US: MFScripts YetiShare CVE-2019-20060 (MFScripts YetiShare v3.5.2 through v4.5.4 places sensitive information ...) NOT-FOR-US: MFScripts YetiShare CVE-2019-20059 (payment_manage.ajax.php and various *_manage.ajax.php in MFScripts Yet ...) NOT-FOR-US: MFScripts YetiShare CVE-2019-20058 (** DISPUTED ** Bolt 3.7.0, if Symfony Web Profiler is used, allows XSS ...) NOT-FOR-US: Bolt CMS CVE-2019-20057 (com.proxyman.NSProxy.HelperTool in Privileged Helper Tool in Proxyman ...) NOT-FOR-US: Proxyman for macOS CVE-2019-20056 (stb_image.h (aka the stb image loader) 2.23, as used in libsixel and o ...) - libsixel 1.8.6-1 (low; bug #948103) [buster] - libsixel (Minor issue) [stretch] - libsixel (Minor issue) [jessie] - libsixel (Minor issue) - libstb (low) [buster] - libstb (Minor issue) NOTE: libsixel PR: https://github.com/saitoha/libsixel/issues/126 NOTE: libsixel patch: https://github.com/saitoha/libsixel/commit/814f831555ea2492d442e784ab5d594f6a8e2e8d NOTE: libstb PR: https://github.com/nothings/stb/issues/886 CVE-2019-20055 (LuquidPixels LiquiFire OS 4.8.0 allows SSRF via the call%3Durl substri ...) NOT-FOR-US: LuquidPixels LiquiFire OS CVE-2019-20053 (An invalid memory address dereference was discovered in the canUnpack ...) - upx-ucl 3.96-1 (unimportant; bug #947471) NOTE: https://github.com/upx/upx/issues/314 NOTE: https://github.com/upx/upx/commit/819c33fee2b2c33b96bef27a13cb20f2589819aa CVE-2019-20052 (A memory leak was discovered in Mat_VarCalloc in mat.c in matio 1.5.17 ...) - libmatio (Vulnerable code introduced later) NOTE: https://github.com/tbeu/matio/issues/131 CVE-2019-20051 (A floating-point exception was discovered in PackLinuxElf::elf_hash in ...) - upx-ucl 3.96-1 (unimportant) NOTE: https://github.com/upx/upx/issues/313 CVE-2019-20050 (Pandora FMS ≤ 7.42 suffers from a remote code execution vulnerab ...) NOT-FOR-US: Pandora FMS CVE-2019-20054 (In the Linux kernel before 5.0.6, there is a NULL pointer dereference ...) - linux 5.2.6-1 [buster] - linux 4.19.67-1 [stretch] - linux 4.9.184-1 [jessie] - linux 3.16.72-1 NOTE: https://git.kernel.org/linus/23da9588037ecdd4901db76a5b79a42b529c4ec3 NOTE: https://git.kernel.org/linus/89189557b47b35683a27c80ee78aef18248eefb4 CVE-2019-20049 (An issue was discovered on Alcatel-Lucent OmniVista 4760 devices. A re ...) NOT-FOR-US: Alcatel-Lucent OmniVista 4760 devices CVE-2019-20048 (An issue was discovered on Alcatel-Lucent OmniVista 8770 devices befor ...) NOT-FOR-US: Alcatel-Lucent OmniVista 8770 devices CVE-2019-20047 (An issue was discovered on Alcatel-Lucent OmniVista 4760 devices, and ...) NOT-FOR-US: Alcatel-Lucent OmniVista 4760 devices CVE-2019-20046 (The Synergy Systems & Solutions PLC & RTU system has a vulnera ...) NOT-FOR-US: Synergy Systems & Solutions PLC & RTU system CVE-2019-20045 (The Synergy Systems & Solutions PLC & RTU system has a vulnera ...) NOT-FOR-US: Synergy Systems & Solutions PLC & RTU system CVE-2019-20044 (In Zsh before 5.8, attackers able to execute commands can regain privi ...) {DLA-2117-1} - zsh 5.8-1 (bug #951458) [buster] - zsh (Minor issue) [stretch] - zsh (Minor issue) NOTE: https://www.zsh.org/mla/zsh-announce/141 NOTE: https://sourceforge.net/p/zsh/code/ci/24e993db62cf146fb76ebcf677a4a7aa3766fc74/ NOTE: https://sourceforge.net/p/zsh/code/ci/8250c5c168f07549ed646e6848e6dda118271e23/ NOTE: https://sourceforge.net/p/zsh/code/ci/26d02efa7a9b0a6b32e1a8bbc6aca6c544b94211/ NOTE: https://sourceforge.net/p/zsh/code/ci/4ce66857b71b40a0661df3780ff557f2b0f4cb13/ NOTE: https://sourceforge.net/p/zsh/code/ci/b15bd4aa590db8087d1e8f2eb1af2874f5db814d/ CVE-2019-20040 RESERVED CVE-2019-20039 RESERVED CVE-2019-20038 RESERVED CVE-2019-20037 RESERVED CVE-2019-20036 RESERVED CVE-2019-20035 RESERVED CVE-2019-20034 RESERVED CVE-2019-20033 RESERVED CVE-2019-20032 RESERVED CVE-2019-20031 RESERVED CVE-2019-20030 RESERVED CVE-2019-20029 RESERVED CVE-2019-20028 RESERVED CVE-2019-20027 RESERVED CVE-2019-20026 RESERVED CVE-2019-20025 RESERVED CVE-2019-20024 (A heap-based buffer overflow was discovered in image_buffer_resize in ...) - libsixel 1.8.6-1 (low; bug #948103) [buster] - libsixel (Minor issue) [stretch] - libsixel (Minor issue) [jessie] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/121 NOTE: https://github.com/saitoha/libsixel/commit/6367d2fc8c365c5841d05697200e90c73c4b3c4b CVE-2019-20023 (A memory leak was discovered in image_buffer_resize in fromsixel.c in ...) - libsixel 1.8.6-1 (low; bug #948103) [buster] - libsixel (Minor issue) [stretch] - libsixel (Minor issue) [jessie] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/120 NOTE: Proposed fix: https://github.com/saitoha/libsixel/commit/b9a4175c803b50a863b0fbd8b8b49058ca725ea6 CVE-2019-20022 (An invalid memory address dereference was discovered in load_pnm in fr ...) - libsixel 1.8.6-1 (low; bug #948103) [buster] - libsixel (Minor issue) [stretch] - libsixel (Minor issue) [jessie] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/108 NOTE: https://github.com/saitoha/libsixel/commit/e17c0765ed708186865f0f8badfed44181063776 CVE-2019-20021 (A heap-based buffer over-read was discovered in canUnpack in p_mach.cp ...) - upx-ucl 3.96-1 (unimportant; bug #947471) NOTE: https://github.com/upx/upx/issues/315 NOTE: https://github.com/upx/upx/commit/819c33fee2b2c33b96bef27a13cb20f2589819aa CVE-2019-20020 (A stack-based buffer over-read was discovered in ReadNextStructField i ...) - libmatio [buster] - libmatio (Minor issue) [stretch] - libmatio (Minor issue) [jessie] - libmatio (Minor issue) NOTE: https://github.com/tbeu/matio/issues/128 CVE-2019-20019 (An attempted excessive memory allocation was discovered in Mat_VarRead ...) - libmatio [buster] - libmatio (Minor issue) [stretch] - libmatio (Minor issue) [jessie] - libmatio (Minor issue) NOTE: https://github.com/tbeu/matio/issues/130 CVE-2019-20018 (A stack-based buffer over-read was discovered in ReadNextCell in mat5. ...) - libmatio [buster] - libmatio (Minor issue) [stretch] - libmatio (Minor issue) [jessie] - libmatio (Minor issue) NOTE: https://github.com/tbeu/matio/issues/129 CVE-2019-20017 (A stack-based buffer over-read was discovered in Mat_VarReadNextInfo5 ...) - libmatio [buster] - libmatio (Minor issue) [stretch] - libmatio (Minor issue) [jessie] - libmatio (Minor issue) NOTE: https://github.com/tbeu/matio/issues/127 CVE-2019-20016 (libmysofa before 2019-11-24 does not properly restrict recursive funct ...) - libmysofa 0.9~dfsg0-1 [buster] - libmysofa (Minor issue) NOTE: https://github.com/hoene/libmysofa/commit/2e6fac6ab6156dae8e8c6f417741388084b70d6f NOTE: https://github.com/hoene/libmysofa/issues/83 NOTE: https://github.com/hoene/libmysofa/issues/84 CVE-2019-20015 (An issue was discovered in GNU LibreDWG 0.92. Crafted input will lead ...) - libredwg (bug #595191) CVE-2019-20014 (An issue was discovered in GNU LibreDWG before 0.93. There is a double ...) - libredwg (bug #595191) CVE-2019-20013 (An issue was discovered in GNU LibreDWG before 0.93. Crafted input wil ...) - libredwg (bug #595191) CVE-2019-20012 (An issue was discovered in GNU LibreDWG 0.92. Crafted input will lead ...) - libredwg (bug #595191) CVE-2019-20011 (An issue was discovered in GNU LibreDWG 0.92. There is a heap-based bu ...) - libredwg (bug #595191) CVE-2019-20010 (An issue was discovered in GNU LibreDWG 0.92. There is a use-after-fre ...) - libredwg (bug #595191) CVE-2019-20009 (An issue was discovered in GNU LibreDWG before 0.93. Crafted input wil ...) - libredwg (bug #595191) CVE-2019-20008 (In Archery before 1.3, inserting an XSS payload into a project name (e ...) NOT-FOR-US: Archery CVE-2019-20007 (An issue was discovered in ezXML 0.8.2 through 0.8.6. The function ezx ...) NOT-FOR-US: ezXML CVE-2019-20006 (An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezx ...) NOT-FOR-US: ezXML CVE-2019-20005 (An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezx ...) NOT-FOR-US: ezXML CVE-2019-20004 (An issue was discovered on Intelbras IWR 3000N 1.8.7 devices. When the ...) NOT-FOR-US: Intelbras CVE-2019-20003 (Feldtech easescreen Crystal 9.0 Web-Services 9.0.1.16265 allows Stored ...) NOT-FOR-US: Feldtech easescreen Crystal 9.0 Web-Services CVE-2019-20002 (Formula Injection exists in the export feature in SolarWinds WebHelpDe ...) NOT-FOR-US: SolarWinds WebHelpDesk CVE-2019-20001 RESERVED CVE-2019-20000 (The malware scan function in BullGuard Premium Protection 20.0.371.8 h ...) NOT-FOR-US: BullGuard Premium Protection CVE-2019-19999 (Halo before 1.2.0-beta.1 allows Server Side Template Injection (SSTI) ...) NOT-FOR-US: Halo CVE-2019-19998 (Xiuno BBS 4.0 allows XXE via plugin/xn_wechat_public/route/token.php. ...) NOT-FOR-US: Xiuno BBS CVE-2019-19997 RESERVED CVE-2019-19996 (An issue was discovered on Intelbras IWR 3000N 1.8.7 devices. A malfor ...) NOT-FOR-US: Intelbras IWR 3000N devices CVE-2019-19995 (A CSRF issue was discovered on Intelbras IWR 3000N 1.8.7 devices, lead ...) NOT-FOR-US: Intelbras IWR 3000N devices CVE-2019-19994 (An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 ...) NOT-FOR-US: Selesta Visual Access Manager (VAM) CVE-2019-19993 (An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 ...) NOT-FOR-US: Selesta Visual Access Manager (VAM) CVE-2019-19992 (An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 ...) NOT-FOR-US: Selesta Visual Access Manager (VAM) CVE-2019-19991 (An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 ...) NOT-FOR-US: Selesta Visual Access Manager (VAM) CVE-2019-19990 (An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 ...) NOT-FOR-US: Selesta Visual Access Manager (VAM) CVE-2019-19989 (An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 ...) NOT-FOR-US: Selesta Visual Access Manager (VAM) CVE-2019-19988 (An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 ...) NOT-FOR-US: Selesta Visual Access Manager (VAM) CVE-2019-19987 (An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 ...) NOT-FOR-US: Selesta Visual Access Manager (VAM) CVE-2019-19986 (An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 ...) NOT-FOR-US: Selesta Visual Access Manager (VAM) CVE-2019-19985 (The WordPress plugin, Email Subscribers & Newsletters, before 4.2. ...) NOT-FOR-US: WordPress plugin CVE-2019-19984 (The WordPress plugin, Email Subscribers & Newsletters, before 4.2. ...) NOT-FOR-US: WordPress plugin CVE-2019-19983 (In the WordPress plugin, Fast Velocity Minify before 2.7.7, the full w ...) NOT-FOR-US: WordPress plugin CVE-2019-19982 (The WordPress plugin, Email Subscribers & Newsletters, before 4.2. ...) NOT-FOR-US: WordPress plugin CVE-2019-19981 (The WordPress plugin, Email Subscribers & Newsletters, before 4.2. ...) NOT-FOR-US: WordPress plugin CVE-2019-19980 (The WordPress plugin, Email Subscribers & Newsletters, before 4.2. ...) NOT-FOR-US: WordPress plugin CVE-2019-19979 (A flaw in the WordPress plugin, WP Maintenance before 5.0.6, allowed a ...) NOT-FOR-US: WordPress plugin CVE-2019-19978 RESERVED CVE-2019-19976 RESERVED CVE-2019-19975 RESERVED CVE-2019-19974 RESERVED CVE-2019-19973 RESERVED CVE-2019-19972 RESERVED CVE-2019-19971 RESERVED CVE-2019-19970 RESERVED CVE-2019-19969 RESERVED CVE-2019-19968 (PandoraFMS 742 suffers from multiple XSS vulnerabilities, affecting th ...) NOT-FOR-US: PandoraFMS CVE-2019-19967 (The Administration page on Connect Box EuroDOCSIS 3.0 Voice Gateway CH ...) NOT-FOR-US: Connect Box EuroDOCSIS 3.0 Voice Gateway devices CVE-2019-19977 (libESMTP through 1.0.6 mishandles domain copying into a fixed-size buf ...) - libesmtp (unimportant) NOTE: https://github.com/Kirin-say/Vulnerabilities/blob/master/Stack_Overflow_in_libesmtp.md NOTE: NTLM support not enabled in the Debian builds. CVE-2019-19966 (In the Linux kernel before 5.1.6, there is a use-after-free in cpia2_e ...) {DLA-2068-1} - linux 5.2.6-1 [buster] - linux 4.19.67-1 [stretch] - linux 4.9.184-1 NOTE: https://git.kernel.org/linus/dea37a97265588da604c6ba80160a287b72c7bfd CVE-2019-19965 (In the Linux kernel through 5.4.6, there is a NULL pointer dereference ...) {DLA-2114-1 DLA-2068-1} - linux 5.4.13-1 [buster] - linux 4.19.98-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/f70267f379b5e5e11bdc5d72a56bf17e5feed01f CVE-2019-19964 (On NETGEAR GS728TPS devices through 5.3.0.35, a remote attacker having ...) NOT-FOR-US: NETGEAR CVE-2019-19963 (An issue was discovered in wolfSSL before 4.3.0 in a non-default confi ...) - wolfssl 4.3.0+dfsg-1 NOTE: https://github.com/wolfSSL/wolfssl/commit/7e391f0fd57f2ef375b1174d752a56ce34b2b190 (v4.3.0-stable) CVE-2019-19962 (wolfSSL before 4.3.0 mishandles calls to wc_SignatureGenerateHash, lea ...) - wolfssl 4.3.0+dfsg-1 NOTE: https://github.com/wolfSSL/wolfssl/commit/23878512c65834d12811b1107d19a001478eca5d (4.3.0-stable) CVE-2019-19961 RESERVED CVE-2019-19960 (In wolfSSL before 4.3.0, wc_ecc_mulmod_ex does not properly resist sid ...) - wolfssl 4.3.0+dfsg-1 NOTE: https://github.com/wolfSSL/wolfssl/commit/5ee9f9c7a23f8ed093fe1e42bc540727e96cebb8 (v4.3.0-stable) CVE-2019-19959 (ext/misc/zipfile.c in SQLite 3.30.1 mishandles certain uses of INSERT ...) - sqlite3 3.30.1+fossil191229-1 [buster] - sqlite3 (Minor issue) [stretch] - sqlite3 (Vulnerable code introduced later) [jessie] - sqlite3 (Vulnerable code introduced later) NOTE: https://github.com/sqlite/sqlite/commit/1e490c4ca6b43a9cf8637d695907888349f69bec NOTE: https://github.com/sqlite/sqlite/commit/d8f2d46cbc9925e034a68aaaf60aad788d9373c1 CVE-2019-19958 (In libIEC61850 1.4.0, StringUtils_createStringFromBuffer in common/str ...) NOT-FOR-US: libIEC61850 CVE-2019-19957 (In libIEC61850 1.4.0, getNumberOfElements in mms/iso_mms/server/mms_ac ...) NOT-FOR-US: libIEC61850 CVE-2019-19956 (xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.1 ...) {DLA-2048-1} [experimental] - libxml2 2.9.10+dfsg-1 - libxml2 2.9.10+dfsg-2 [buster] - libxml2 (Minor issue) [stretch] - libxml2 (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/libxml2/issues/82 NOTE: https://gitlab.gnome.org/GNOME/libxml2/commit/5a02583c7e683896d84878bd90641d8d9b0d0549 (v2.9.10-rc1) CVE-2019-19955 RESERVED CVE-2019-19954 (Signal Desktop before 1.29.1 on Windows allows local users to gain pri ...) - signal-desktop (bug #842943) CVE-2019-19953 (In GraphicsMagick 1.4 snapshot-20191208 Q8, there is a heap-based buff ...) {DSA-4640-1 DLA-2084-1} - graphicsmagick 1.4+really1.3.34-1 (bug #947311) NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/28f8bacd4bbf NOTE: https://sourceforge.net/p/graphicsmagick/bugs/617/ CVE-2019-19952 (In ImageMagick 7.0.9-7 Q16, there is a use-after-free in the function ...) - imagemagick (Vulnerable code introduced later) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1791 NOTE: https://github.com/ImageMagick/ImageMagick/commit/916d7bbd2c66a286d379dbd94bc6035c8fab937c (7.x) NOTE: https://github.com/ImageMagick/ImageMagick6/commit/7ef923841437bb57bd9b55fc0bf40ddc99b93c2b (6.x) CVE-2019-19951 (In GraphicsMagick 1.4 snapshot-20190423 Q8, there is a heap-based buff ...) {DSA-4640-1 DLA-2084-1} - graphicsmagick 1.4~hg16039-1 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/bc99af93614d NOTE: https://sourceforge.net/p/graphicsmagick/bugs/608/ CVE-2019-19950 (In GraphicsMagick 1.4 snapshot-20190403 Q8, there is a use-after-free ...) {DSA-4640-1 DLA-2084-1} - graphicsmagick 1.4~hg16039-1 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/44ab7f6c20b4 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/603/ CVE-2019-19949 (In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in ...) {DSA-4712-1 DLA-2049-1} - imagemagick (low; bug #947309) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1561 NOTE: https://github.com/ImageMagick/ImageMagick/commit/d17c047f7bff7c0edbf304470cd2ab9d02fbf617 (7.x) NOTE: https://github.com/ImageMagick/ImageMagick6/commit/34adc98afd5c7e7fb774d2ebdaea39e831c24dce (6.x) CVE-2019-19948 (In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer overflow in ...) {DSA-4715-1 DSA-4712-1 DLA-2049-1} - imagemagick (low; bug #947308) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1562 NOTE: https://github.com/ImageMagick/ImageMagick/commit/6ae32a9038e360b3491969d5d03d490884f02b4c (7.x) NOTE: https://github.com/ImageMagick/ImageMagick6/commit/9e7db22f8c374301db3f968757f0d08070fd4e54 (6.x) CVE-2019-19947 (In the Linux kernel through 5.4.6, there are information leaks of unin ...) {DLA-2114-1 DLA-2068-1} - linux 5.4.8-1 [buster] - linux 4.19.98-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/da2311a6385c3b499da2ed5d9be59ce331fa93e9 CVE-2019-19946 (The API in Dradis Pro 3.4.1 allows any user to extract the content of ...) NOT-FOR-US: Dradis Pro CVE-2019-19945 (uhttpd in OpenWrt through 18.06.5 and 19.x through 19.07.0-rc2 has an ...) NOT-FOR-US: uhttpd in OpenWrt CVE-2019-19944 (In libIEC61850 1.4.0, BerDecoder_decodeUint32 in mms/asn1/ber_decode.c ...) NOT-FOR-US: libIEC61850 CVE-2019-19943 (The HTTP service in quickweb.exe in Pablo Quick 'n Easy Web Server 3.3 ...) NOT-FOR-US: Pablo Quick 'n Easy Web Server CVE-2019-19942 (Missing output sanitation in Swisscom Centro Grande Centro Grande befo ...) NOT-FOR-US: Swisscom CVE-2019-19941 (Missing hostname validation in Swisscom Centro Grande before 6.16.12 a ...) NOT-FOR-US: Swisscom CVE-2019-19940 (Incorrect input sanitation in text-oriented user interfaces (telnet, s ...) NOT-FOR-US: Swisscom CVE-2019-19939 RESERVED CVE-2019-19938 RESERVED CVE-2019-19937 (In JFrog Artifactory before 6.18, it is not possible to restrict eithe ...) NOT-FOR-US: JFrog Artifactory CVE-2019-19936 RESERVED CVE-2019-19935 (Froala Editor before 3.0.6 allows XSS. ...) TODO: check CVE-2019-19934 RESERVED CVE-2019-19933 RESERVED CVE-2019-19932 RESERVED CVE-2019-19931 (In libIEC61850 1.4.0, MmsValue_decodeMmsData in mms/iso_mms/server/mms ...) NOT-FOR-US: libIEC61850 CVE-2019-19930 (In libIEC61850 1.4.0, MmsValue_newOctetString in mms/iso_mms/common/mm ...) NOT-FOR-US: libIEC61850 CVE-2019-19929 (An Untrusted Search Path vulnerability in Malwarebytes AdwCleaner befo ...) NOT-FOR-US: Malwarebytes AdwCleaner CVE-2019-19928 RESERVED CVE-2019-19927 (In the Linux kernel 5.0.0-rc7 (as distributed in ubuntu/linux.git on k ...) - linux 5.2.6-1 [buster] - linux 4.19.98-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) CVE-2019-19926 (multiSelect in select.c in SQLite 3.30.1 mishandles certain errors dur ...) {DSA-4638-1} - sqlite3 (Incomplete fix for CVE-2019-19880 not applied) NOTE: https://github.com/sqlite/sqlite/commit/8428b3b437569338a9d1e10c4cd8154acbe33089 - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) CVE-2019-19925 (zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL ...) {DSA-4638-1} - sqlite3 3.30.1+fossil191229-1 [buster] - sqlite3 (Minor issue) [stretch] - sqlite3 (Vulnerable code introduced later) [jessie] - sqlite3 (Vulnerable code introduced later) - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) NOTE: https://github.com/sqlite/sqlite/commit/54d501092d88c0cf89bec4279951f548fb0b8618 CVE-2019-19924 (SQLite 3.30.1 mishandles certain parser-tree rewriting, related to exp ...) - sqlite3 3.30.1+fossil191229-1 [buster] - sqlite3 (Minor issue) [stretch] - sqlite3 (Vulnerable code introduced later) [jessie] - sqlite3 (Vulnerable code introduced later) NOTE: https://github.com/sqlite/sqlite/commit/8654186b0236d556aa85528c2573ee0b6ab71be3 CVE-2019-19923 (flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses o ...) {DSA-4638-1} - sqlite3 3.30.1+fossil191229-1 [buster] - sqlite3 (Minor issue) [stretch] - sqlite3 (Vulnerable code introduced later) [jessie] - sqlite3 (Vulnerable code introduced later) - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) NOTE: https://github.com/sqlite/sqlite/commit/396afe6f6aa90a31303c183e11b2b2d4b7956b35 CVE-2019-19922 (kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quo ...) {DLA-2068-1} - linux 5.3.9-1 [buster] - linux 4.19.87-1 [stretch] - linux (Vulnerability introduced later) NOTE: https://git.kernel.org/linus/de53fd7aedb100f03e5d2231cfce0e4993282425 CVE-2019-19921 (runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalat ...) - runc 1.0.0~rc10+dfsg1-1 [buster] - runc (Minor issue) [stretch] - runc (Minor issue) NOTE: https://github.com/opencontainers/runc/issues/2197 NOTE: https://github.com/opencontainers/runc/pull/2190 CVE-2019-19919 (Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Poll ...) - node-handlebars 3:4.5.3-1 [buster] - node-handlebars (Minor issue; will be fixed via point release) NOTE: https://www.npmjs.com/advisories/1164 CVE-2019-19918 (Lout 3.40 has a heap-based buffer overflow in the srcnext() function i ...) - lout (bug #947113) [buster] - lout (Minor issue) [stretch] - lout (Minor issue) [jessie] - lout (Minor issue) NOTE: https://lists.gnu.org/archive/html/lout-users/2019-12/msg00001.html CVE-2019-19917 (Lout 3.40 has a buffer overflow in the StringQuotedWord() function in ...) - lout (bug #947113) [buster] - lout (Minor issue) [stretch] - lout (Minor issue) [jessie] - lout (Minor issue) NOTE: https://lists.gnu.org/archive/html/lout-users/2019-12/msg00002.html CVE-2020-3939 (SysJust Syuan-Gu-Da-Shih, versions before 20191223, contain vulnerabil ...) NOT-FOR-US: SysJust Syuan-Gu-Da-Shih CVE-2020-3938 (SysJust Syuan-Gu-Da-Shih, versions before 20191223, contain vulnerabil ...) NOT-FOR-US: SysJust Syuan-Gu-Da-Shih CVE-2020-3937 (SQL Injection in SysJust Syuan-Gu-Da-Shih, versions before 20191223, a ...) NOT-FOR-US: SysJust Syuan-Gu-Da-Shih CVE-2020-3936 (UltraLog Express device management interface does not properly filter ...) NOT-FOR-US: UltraLog Express CVE-2020-3935 (Secom Co. Dr.ID, a Door Access Control and Personnel Attendance Manage ...) NOT-FOR-US: Secom Co. Dr.ID CVE-2020-3934 (Secom Co. Dr.ID, a Door Access Control and Personnel Attendance Manage ...) NOT-FOR-US: Secom Co. Dr.ID CVE-2020-3933 (Secom Co. Dr.ID, a Door Access Control and Personnel Attendance Manage ...) NOT-FOR-US: Secom Co. Dr.ID CVE-2020-3932 (A vulnerable SNMP in Draytek VigorAP910C cannot be disabled, which may ...) NOT-FOR-US: Draytek VigorAP910C CVE-2020-3931 (Buffer overflow exists in Geovision Door Access Control device family, ...) TODO: check CVE-2020-3930 (GeoVision Door Access Control device family improperly stores and cont ...) NOT-FOR-US: GeoVision Door Access Control CVE-2020-3929 (GeoVision Door Access Control device family employs shared cryptograph ...) NOT-FOR-US: GeoVision Door Access Control CVE-2020-3928 (GeoVision Door Access Control device family is hardcoded with a root p ...) NOT-FOR-US: GeoVision Door Access Control CVE-2020-3927 (An arbitrary-file-access vulnerability exists in ServiSign security pl ...) NOT-FOR-US: ServiSign security plugin CVE-2020-3926 (An arbitrary-file-access vulnerability exists in ServiSign security pl ...) NOT-FOR-US: ServiSign security plugin CVE-2020-3925 (A Remote Code Execution(RCE) vulnerability exists in some designated a ...) NOT-FOR-US: ServiSign security plugin CVE-2020-3924 (DVR firmware in TAT-76 and TAT-77 series of products, provided by TONN ...) NOT-FOR-US: DVR firmware in TAT-76 and TAT-77 series CVE-2020-3923 (DVR firmware in TAT-76 and TAT-77 series of products, provided by TONN ...) NOT-FOR-US: DVR firmware in TAT-76 and TAT-77 series CVE-2020-3922 (LisoMail, by ArmorX, allows SQL Injections, attackers can access the d ...) NOT-FOR-US: LisoMail CVE-2020-3921 (UltraLog Express device management software stores user’s inform ...) NOT-FOR-US: UltraLog Express CVE-2020-3920 (UltraLog Express device management interface does not properly perform ...) NOT-FOR-US: UltraLog Express CVE-2019-19916 (In Midori Browser 0.5.11 (on Windows 10), Content Security Policy (CSP ...) NOT-FOR-US: Midori Browser CVE-2019-19915 (The "301 Redirects - Easy Redirect Manager" plugin before 2.45 for Wor ...) NOT-FOR-US: "301 Redirects - Easy Redirect Manager" plugin for WordPress CVE-2019-19914 REJECTED CVE-2019-19913 (In Intland codeBeamer ALM 9.5 and earlier, there is stored XSS via the ...) NOT-FOR-US: Intland codeBeamer ALM CVE-2019-19912 (In Intland codeBeamer ALM 9.5 and earlier, a cross-site scripting (XSS ...) NOT-FOR-US: Intland codeBeamer ALM CVE-2019-19911 (There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImage ...) {DSA-4631-1 DLA-2057-1} - pillow 7.0.0-1 (bug #948224) NOTE: https://github.com/python-pillow/Pillow/commit/774e53bb132461d8d5ebefec1162e29ec0ebc63d (6.2.2) CVE-2019-19910 (The MinervaNeue Skin in MediaWiki from 2019-11-05 to 2019-12-13 (1.35 ...) NOT-FOR-US: Mediawiki skin CVE-2019-19909 (An issue was discovered in Public Knowledge Project (PKP) pkp-lib befo ...) NOT-FOR-US: Public Knowledge Project (PKP) pkp-lib CVE-2019-19908 (phpMyChat-Plus 1.98 is vulnerable to reflected XSS via JavaScript inje ...) NOT-FOR-US: phpMyChat CVE-2019-19907 (HrAddFBBlock in libfreebusy/freebusyutil.cpp in Kopano Groupware Core ...) - kopanocore 8.7.0-6 (bug #947312) [buster] - kopanocore (Minor issue) NOTE: https://stash.kopano.io/projects/KC/repos/kopanocore/commits/4e02b420fff CVE-2019-19904 RESERVED CVE-2019-19903 (An issue was discovered in Backdrop CMS 1.14.x before 1.14.2. It doesn ...) - backdrop (bug #914257) CVE-2019-19902 (An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14. ...) - backdrop (bug #914257) CVE-2019-19901 (An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14. ...) - backdrop (bug #914257) CVE-2019-19900 (An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14. ...) - backdrop (bug #914257) CVE-2019-19899 (Pebble Templates 3.1.2 allows attackers to bypass a protection mechani ...) NOT-FOR-US: Pebble Templates CVE-2019-19898 (In IXP EasyInstall 6.2.13723, there are cleartext credentials in netwo ...) NOT-FOR-US: IXP EasyInstall CVE-2019-19897 (In IXP EasyInstall 6.2.13723, there is Remote Code Execution via the A ...) NOT-FOR-US: IXP EasyInstall CVE-2019-19896 (In IXP EasyInstall 6.2.13723, there is Remote Code Execution via weak ...) NOT-FOR-US: IXP EasyInstall CVE-2019-19895 (In IXP EasyInstall 6.2.13723, there is Lateral Movement (using the Age ...) NOT-FOR-US: IXP EasyInstall CVE-2019-19894 (In IXP EasyInstall 6.2.13723, it is possible to temporarily disable UA ...) NOT-FOR-US: IXP EasyInstall CVE-2019-19893 (In IXP EasyInstall 6.2.13723, there is Directory Traversal on TCP port ...) NOT-FOR-US: IXP EasyInstall CVE-2019-19892 RESERVED CVE-2019-19891 (An encryption key vulnerability on Mitel SIP-DECT wireless devices 8.0 ...) NOT-FOR-US: Mitel SIP-DECT wireless devices CVE-2019-19906 (cyrus-sasl (aka Cyrus SASL) 2.1.27 has an out-of-bounds write leading ...) {DSA-4591-1 DLA-2044-1} - cyrus-sasl2 2.1.27+dfsg-2 (bug #947043) NOTE: https://github.com/cyrusimap/cyrus-sasl/issues/587 NOTE: https://github.com/cyrusimap/cyrus-sasl/commit/dcc9f51cbd4ed622cfb0f9b1c141eb2ffe3b12f1 NOTE: https://www.openldap.org/its/index.cgi/Incoming?id=9123 CVE-2019-16787 REJECTED CVE-2019-19905 (NetHack 3.6.x before 3.6.4 is prone to a buffer overflow vulnerability ...) - nethack 3.6.6-1 (unimportant; bug #947005) NOTE: https://github.com/NetHack/NetHack/commit/f4a840a48f4bcf11757b3d859e9d53cc9d5ef226 NOTE: https://github.com/NetHack/NetHack/commit/f001de79542b8c38b1f8e6d7eaefbbd28ab94b47 NOTE: Negligible security impact CVE-2020-3919 (A memory initialization issue was addressed with improved memory handl ...) NOT-FOR-US: Apple CVE-2020-3918 RESERVED CVE-2020-3917 (This issue was addressed with a new entitlement. This issue is fixed i ...) NOT-FOR-US: Apple CVE-2020-3916 (An access issue was addressed with additional sandbox restrictions. Th ...) NOT-FOR-US: Apple CVE-2020-3915 RESERVED CVE-2020-3914 (A memory initialization issue was addressed with improved memory handl ...) NOT-FOR-US: Apple CVE-2020-3913 (A permissions issue existed. This issue was addressed with improved pe ...) NOT-FOR-US: Apple CVE-2020-3912 (An out-of-bounds read was addressed with improved input validation. Th ...) NOT-FOR-US: Apple CVE-2020-3911 (A buffer overflow was addressed with improved bounds checking. This is ...) NOT-FOR-US: Apple CVE-2020-3910 (A buffer overflow was addressed with improved size validation. This is ...) - libxml2 CVE-2020-3909 (A buffer overflow was addressed with improved bounds checking. This is ...) - libxml2 CVE-2020-3908 (An out-of-bounds read was addressed with improved input validation. Th ...) NOT-FOR-US: Apple CVE-2020-3907 (An out-of-bounds read was addressed with improved input validation. Th ...) NOT-FOR-US: Apple CVE-2020-3906 (A logic issue was addressed with improved restrictions. This issue is ...) NOT-FOR-US: Apple CVE-2020-3905 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2020-3904 (Multiple memory corruption issues were addressed with improved state m ...) NOT-FOR-US: Apple CVE-2020-3903 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2020-3902 (An input validation issue was addressed with improved input validation ...) {DSA-4681-1} - webkit2gtk 2.28.0-2 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) - wpewebkit 2.28.0-1 NOTE: https://webkitgtk.org/security/WSA-2020-0005.html CVE-2020-3901 (A type confusion issue was addressed with improved memory handling. Th ...) {DSA-4681-1} - webkit2gtk 2.28.0-2 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) - wpewebkit 2.28.0-1 NOTE: https://webkitgtk.org/security/WSA-2020-0005.html CVE-2020-3900 (A memory corruption issue was addressed with improved memory handling. ...) {DSA-4681-1} - webkit2gtk 2.28.0-2 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) - wpewebkit 2.28.0-1 NOTE: https://webkitgtk.org/security/WSA-2020-0005.html CVE-2020-3899 (A memory consumption issue was addressed with improved memory handling ...) {DSA-4681-1} - webkit2gtk 2.28.2-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) - wpewebkit 2.28.2-1 NOTE: https://webkitgtk.org/security/WSA-2020-0005.html CVE-2020-3898 [heap based buffer overflow in libcups's ppdFindOption() in ppd-mark.c] RESERVED {DLA-2237-1} - cups 2.3.1-12 [buster] - cups 2.2.10-6+deb10u3 [stretch] - cups (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1823964 NOTE: https://src.fedoraproject.org/rpms/cups/blob/c1920d09b842bd2d0611559d00d595abd8aa2424/f/cups-ppdopen-heap-overflow.patch NOTE: https://github.com/apple/cups/commit/82e3ee0e3230287b76a76fb8f16b92ca6e50b444 (cups/ppd.c, ppdc/ppdc-source.cxx) CVE-2020-3897 (A type confusion issue was addressed with improved memory handling. Th ...) {DSA-4681-1} - webkit2gtk 2.28.0-2 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) - wpewebkit 2.28.0-1 NOTE: https://webkitgtk.org/security/WSA-2020-0005.html CVE-2020-3896 RESERVED CVE-2020-3895 (A memory corruption issue was addressed with improved memory handling. ...) {DSA-4681-1} - webkit2gtk 2.28.0-2 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) - wpewebkit 2.28.0-1 NOTE: https://webkitgtk.org/security/WSA-2020-0005.html CVE-2020-3894 (A race condition was addressed with additional validation. This issue ...) {DSA-4681-1} - webkit2gtk 2.28.0-2 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) - wpewebkit 2.28.0-1 NOTE: https://webkitgtk.org/security/WSA-2020-0005.html CVE-2020-3893 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2020-3892 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2020-3891 (A logic issue was addressed with improved state management. This issue ...) NOT-FOR-US: Apple CVE-2020-3890 (The issue was addressed with improved deletion. This issue is fixed in ...) NOT-FOR-US: Apple CVE-2020-3889 (A logic issue was addressed with improved state management. This issue ...) NOT-FOR-US: Apple CVE-2020-3888 (A logic issue was addressed with improved restrictions. This issue is ...) NOT-FOR-US: Apple CVE-2020-3887 (A logic issue was addressed with improved restrictions. This issue is ...) NOT-FOR-US: Apple CVE-2020-3886 RESERVED CVE-2020-3885 (A logic issue was addressed with improved restrictions. This issue is ...) {DSA-4681-1} - webkit2gtk 2.28.0-2 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) - wpewebkit 2.28.0-1 NOTE: https://webkitgtk.org/security/WSA-2020-0005.html CVE-2020-3884 (An injection issue was addressed with improved validation. This issue ...) NOT-FOR-US: Apple CVE-2020-3883 (This issue was addressed with improved checks. This issue is fixed in ...) NOT-FOR-US: Apple CVE-2020-3882 (This issue was addressed with improved checks. This issue is fixed in ...) NOT-FOR-US: Apple CVE-2020-3881 (A logic issue was addressed with improved state management. This issue ...) NOT-FOR-US: Apple CVE-2020-3880 RESERVED CVE-2020-3879 RESERVED CVE-2020-3878 (An out-of-bounds read was addressed with improved input validation. Th ...) NOT-FOR-US: Apple CVE-2020-3877 (An out-of-bounds read was addressed with improved input validation. Th ...) NOT-FOR-US: Apple CVE-2020-3876 RESERVED CVE-2020-3875 (A validation issue was addressed with improved input sanitization. Thi ...) NOT-FOR-US: Apple CVE-2020-3874 (An issued existed in the naming of screenshots. The issue was correcte ...) NOT-FOR-US: Apple CVE-2020-3873 (This issue was addressed with improved setting propagation. This issue ...) NOT-FOR-US: Apple CVE-2020-3872 (A memory initialization issue was addressed with improved memory handl ...) NOT-FOR-US: Apple CVE-2020-3871 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2020-3870 (An out-of-bounds read was addressed with improved input validation. Th ...) NOT-FOR-US: Apple CVE-2020-3869 (An issue existed in the handling of the local user's self-view. The is ...) NOT-FOR-US: Apple CVE-2020-3868 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4627-1} - webkit2gtk 2.26.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) - wpewebkit 2.26.4-1 NOTE: https://webkitgtk.org/security/WSA-2020-0002.html CVE-2020-3867 (A logic issue was addressed with improved state management. This issue ...) {DSA-4627-1} - webkit2gtk 2.26.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) - wpewebkit 2.26.4-1 NOTE: https://webkitgtk.org/security/WSA-2020-0002.html CVE-2020-3866 (This was addressed with additional checks by Gatekeeper on files mount ...) NOT-FOR-US: Apple CVE-2020-3865 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4627-1} - webkit2gtk 2.26.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) - wpewebkit 2.26.4-1 NOTE: https://webkitgtk.org/security/WSA-2020-0002.html CVE-2020-3864 RESERVED {DSA-4627-1} - webkit2gtk 2.26.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) - wpewebkit 2.26.4-1 NOTE: https://webkitgtk.org/security/WSA-2020-0002.html CVE-2020-3863 RESERVED CVE-2020-3862 (A denial of service issue was addressed with improved memory handling. ...) {DSA-4627-1} - webkit2gtk 2.26.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) - wpewebkit 2.26.4-1 NOTE: https://webkitgtk.org/security/WSA-2020-0002.html CVE-2020-3861 (The issue was addressed with improved permissions logic. This issue is ...) NOT-FOR-US: Apple CVE-2020-3860 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2020-3859 (An inconsistent user interface issue was addressed with improved state ...) NOT-FOR-US: Apple CVE-2020-3858 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2020-3857 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2020-3856 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2020-3855 RESERVED CVE-2020-3854 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2020-3853 (A type confusion issue was addressed with improved memory handling. Th ...) NOT-FOR-US: Apple CVE-2020-3852 RESERVED CVE-2020-3851 RESERVED CVE-2020-3850 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2020-3849 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2020-3848 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2020-3847 (An out-of-bounds read was addressed with improved input validation. Th ...) NOT-FOR-US: Apple CVE-2020-3846 (A buffer overflow was addressed with improved size validation. This is ...) NOT-FOR-US: Apple CVE-2020-3845 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2020-3844 (This issue was addressed with improved checks. This issue is fixed in ...) NOT-FOR-US: Apple CVE-2020-3843 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2020-3842 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2020-3841 (The issue was addressed with improved UI handling. This issue is fixed ...) NOT-FOR-US: Apple CVE-2020-3840 (An off by one issue existed in the handling of racoon configuration fi ...) NOT-FOR-US: Apple CVE-2020-3839 (A validation issue was addressed with improved input sanitization. Thi ...) NOT-FOR-US: Apple CVE-2020-3838 (The issue was addressed with improved permissions logic. This issue is ...) NOT-FOR-US: Apple CVE-2020-3837 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2020-3836 (An access issue was addressed with improved memory management. This is ...) NOT-FOR-US: Apple CVE-2020-3835 (A validation issue existed in the handling of symlinks. This issue was ...) NOT-FOR-US: Apple CVE-2020-3834 (A memory corruption issue was addressed with improved state management ...) NOT-FOR-US: Apple CVE-2020-3833 (An inconsistent user interface issue was addressed with improved state ...) NOT-FOR-US: Apple CVE-2020-3832 RESERVED CVE-2020-3831 (A race condition was addressed with improved locking. This issue is fi ...) NOT-FOR-US: Apple CVE-2020-3830 (A validation issue existed in the handling of symlinks. This issue was ...) NOT-FOR-US: Apple CVE-2020-3829 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) NOT-FOR-US: Apple CVE-2020-3828 (A lock screen issue allowed access to contacts on a locked device. Thi ...) NOT-FOR-US: Apple CVE-2020-3827 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2020-3826 (An out-of-bounds read was addressed with improved input validation. Th ...) NOT-FOR-US: Apple CVE-2020-3825 (Multiple memory corruption issues were addressed with improved memory ...) NOT-FOR-US: Apple CVE-2019-19890 (An issue was discovered on Humax Wireless Voice Gateway HGB10R-2 20160 ...) NOT-FOR-US: Humax Wireless Voice Gateway HGB10R-2 20160817_1855 devices CVE-2019-19889 (An issue was discovered on Humax Wireless Voice Gateway HGB10R-2 20160 ...) NOT-FOR-US: Humax Wireless Voice Gateway HGB10R-2 20160817_1855 devices CVE-2019-19888 (jfif_decode in jfif.c in ffjpeg through 2019-08-21 has a divide-by-zer ...) NOT-FOR-US: ffjpeg CVE-2019-19887 (bitstr_tell at bitstr.c in ffjpeg through 2019-08-21 has a NULL pointe ...) NOT-FOR-US: ffjpeg CVE-2019-19886 (Trustwave ModSecurity 3.0.0 through 3.0.3 allows an attacker to send c ...) - modsecurity 3.0.4-1 (bug #949682) [buster] - modsecurity 3.0.3-1+deb10u1 NOTE: https://github.com/SpiderLabs/ModSecurity/pull/2202 NOTE: https://github.com/SpiderLabs/ModSecurity/commit/7ba77631f9a37e0680d23ee57c455c6a35c65cb9 CVE-2019-19885 RESERVED CVE-2019-19884 RESERVED CVE-2019-19883 RESERVED CVE-2019-19882 (shadow 4.8, in certain circumstances affecting at least Gentoo, Arch L ...) - shadow (unimportant) NOTE: https://github.com/shadow-maint/shadow/pull/199 NOTE: https://bugs.archlinux.org/task/64836 NOTE: https://bugs.gentoo.org/702252 NOTE: Debian builds are compiled using -with-libpam and explicitly passing NOTE: --disable-account-tools-setuid. CVE-2019-19881 RESERVED CVE-2019-19880 (exprListAppendList in window.c in SQLite 3.30.1 allows attackers to tr ...) {DSA-4638-1} - sqlite3 3.30.1+fossil191229-1 [buster] - sqlite3 (Vulnerable code introduced later) [stretch] - sqlite3 (Vulnerable code introduced later) [jessie] - sqlite3 (Vulnerable code introduced later) - chromium 80.0.3987.106-1 [stretch] - chromium (see DSA 4562) NOTE: Introduced in: https://github.com/sqlite/sqlite/commit/08f6de7f314ad6b15d34cc5f27c3e737fcd99268 (3.29.0) NOTE: Fixed by: https://github.com/sqlite/sqlite/commit/75e95e1fcd52d3ec8282edb75ac8cd0814095d54 NOTE: When fixing this issue make sure to apply as well NOTE: https://github.com/sqlite/sqlite/commit/8428b3b437569338a9d1e10c4cd8154acbe33089 NOTE: to not open CVE-2019-19926. CVE-2019-19879 (HashiCorp Sentinel up to 0.10.1 incorrectly parsed negation in certain ...) NOT-FOR-US: HashiCorp Sentinel (different from Redis Sentinel) CVE-2019-19878 RESERVED CVE-2019-19877 RESERVED CVE-2019-19876 RESERVED CVE-2019-19875 RESERVED CVE-2019-19874 RESERVED CVE-2019-19873 RESERVED CVE-2019-19872 RESERVED CVE-2019-19871 RESERVED CVE-2019-19870 RESERVED CVE-2019-19869 RESERVED CVE-2019-19868 RESERVED CVE-2019-19867 RESERVED CVE-2019-19866 (Atos Unify OpenScape UC Web Client V9 before version V9 R4.31.0 and V1 ...) NOT-FOR-US: Atos Unify OpenScape UC Web Client CVE-2019-19865 (Atos Unify OpenScape UC Application V9 before version V9 R4.31.0 and V ...) NOT-FOR-US: Atos Unify OpenScape UC Web Client CVE-2020-3824 RESERVED CVE-2020-3823 RESERVED CVE-2020-3822 RESERVED CVE-2020-3821 RESERVED CVE-2020-3820 RESERVED CVE-2020-3819 RESERVED CVE-2020-3818 RESERVED CVE-2020-3817 RESERVED CVE-2020-3816 RESERVED CVE-2020-3815 RESERVED CVE-2020-3814 RESERVED CVE-2020-3813 RESERVED CVE-2020-3812 (qmail-verify as used in netqmail 1.06 is prone to an information discl ...) {DSA-4692-1 DLA-2234-1} - netqmail 1.06-6.2 (bug #961060) NOTE: https://www.openwall.com/lists/oss-security/2020/05/19/8 CVE-2020-3811 (qmail-verify as used in netqmail 1.06 is prone to a mail-address verif ...) {DSA-4692-1 DLA-2234-1} - netqmail 1.06-6.2 (bug #961060) NOTE: https://www.openwall.com/lists/oss-security/2020/05/19/8 CVE-2020-3810 (Missing input validation in the ar/tar implementations of APT before v ...) {DSA-4685-1 DLA-2210-1} - apt 2.1.2 NOTE: https://github.com/Debian/apt/issues/111 NOTE: https://bugs.launchpad.net/bugs/1878177 NOTE: https://salsa.debian.org/apt-team/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6 CVE-2020-3809 (Adobe After Effects versions 17.0.1 and earlier have an out-of-bounds ...) NOT-FOR-US: Adobe CVE-2020-3808 (Creative Cloud Desktop Application versions 5.0 and earlier have a tim ...) NOT-FOR-US: Adobe CVE-2020-3807 (Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3806 (Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3805 (Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3804 (Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3803 (Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3802 (Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3801 (Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3800 (Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3799 (Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3798 (Adobe Digital Editions versions 4.5.11.187212 and below have a file en ...) NOT-FOR-US: Adobe CVE-2020-3797 (Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3796 (ColdFusion versions ColdFusion 2016, and ColdFusion 2018 have an impro ...) NOT-FOR-US: ColdFusion CVE-2020-3795 (Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3794 (ColdFusion versions ColdFusion 2016, and ColdFusion 2018 have a file i ...) NOT-FOR-US: Adobe CVE-2020-3793 (Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3792 (Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3791 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) NOT-FOR-US: Adobe CVE-2020-3790 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) NOT-FOR-US: Adobe CVE-2020-3789 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) NOT-FOR-US: Adobe CVE-2020-3788 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) NOT-FOR-US: Adobe CVE-2020-3787 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) NOT-FOR-US: Adobe CVE-2020-3786 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) NOT-FOR-US: Adobe CVE-2020-3785 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) NOT-FOR-US: Adobe CVE-2020-3784 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) NOT-FOR-US: Adobe CVE-2020-3783 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) NOT-FOR-US: Adobe CVE-2020-3782 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) NOT-FOR-US: Adobe CVE-2020-3781 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) NOT-FOR-US: Adobe CVE-2020-3780 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) NOT-FOR-US: Adobe CVE-2020-3779 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) NOT-FOR-US: Adobe CVE-2020-3778 (Adobe Photoshop versions Photoshop CC 2019, and Photoshop 2020 have an ...) NOT-FOR-US: Adobe CVE-2020-3777 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) NOT-FOR-US: Adobe CVE-2020-3776 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) NOT-FOR-US: Adobe CVE-2020-3775 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) NOT-FOR-US: Adobe CVE-2020-3774 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) NOT-FOR-US: Adobe CVE-2020-3773 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) NOT-FOR-US: Adobe CVE-2020-3772 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) NOT-FOR-US: Adobe CVE-2020-3771 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) NOT-FOR-US: Adobe CVE-2020-3770 (Adobe Photoshop CC 2019 versions 20.0.8 and earlier, and Photoshop 202 ...) NOT-FOR-US: Adobe CVE-2020-3769 (Adobe Experience Manager versions 6.5 and earlier have a server-side r ...) NOT-FOR-US: Adobe CVE-2020-3768 (ColdFusion versions ColdFusion 2016, and ColdFusion 2018 have a dll se ...) NOT-FOR-US: ColdFusion CVE-2020-3767 (ColdFusion versions ColdFusion 2016, and ColdFusion 2018 have an insuf ...) NOT-FOR-US: ColdFusion CVE-2020-3766 (Adobe Genuine Integrity Service versions Version 6.4 and earlier have ...) NOT-FOR-US: Adobe CVE-2020-3765 (Adobe After Effects versions 16.1.2 and earlier have an out-of-bounds ...) NOT-FOR-US: Adobe CVE-2020-3764 (Adobe Media Encoder versions 14.0 and earlier have an out-of-bounds wr ...) NOT-FOR-US: Adobe CVE-2020-3763 (Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3762 (Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3761 (ColdFusion versions ColdFusion 2016, and ColdFusion 2018 have a remote ...) NOT-FOR-US: Adobe CVE-2020-3760 (Adobe Digital Editions versions 4.5.10 and below have a command inject ...) NOT-FOR-US: Adobe CVE-2020-3759 (Adobe Digital Editions versions 4.5.10 and below have a buffer errors ...) NOT-FOR-US: Adobe CVE-2020-3758 (Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and e ...) NOT-FOR-US: Magento CVE-2020-3757 (Adobe Flash Player versions 32.0.0.321 and earlier, 32.0.0.314 and ear ...) NOT-FOR-US: Adobe CVE-2020-3756 (Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3755 (Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3754 (Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3753 (Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3752 (Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3751 (Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3750 (Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3749 (Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3748 (Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3747 (Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3746 (Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3745 (Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3744 (Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3743 (Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2020-3742 (Adobe Acrobat and Reader versions, 2019.021.20061 and earlier, 2017.01 ...) NOT-FOR-US: Adobe CVE-2020-3741 (Adobe Experience Manager versions 6.5, and 6.4 have an uncontrolled re ...) NOT-FOR-US: Adobe CVE-2020-3740 (Adobe Framemaker versions 2019.0.4 and below have a memory corruption ...) NOT-FOR-US: Adobe CVE-2020-3739 (Adobe Framemaker versions 2019.0.4 and below have a memory corruption ...) NOT-FOR-US: Adobe CVE-2020-3738 (Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds wri ...) NOT-FOR-US: Adobe CVE-2020-3737 (Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds wri ...) NOT-FOR-US: Adobe CVE-2020-3736 (Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds wri ...) NOT-FOR-US: Adobe CVE-2020-3735 (Adobe Framemaker versions 2019.0.4 and below have a heap overflow vuln ...) NOT-FOR-US: Adobe CVE-2020-3734 (Adobe Framemaker versions 2019.0.4 and below have a buffer error vulne ...) NOT-FOR-US: Adobe CVE-2020-3733 (Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds wri ...) NOT-FOR-US: Adobe CVE-2020-3732 (Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds wri ...) NOT-FOR-US: Adobe CVE-2020-3731 (Adobe Framemaker versions 2019.0.4 and below have a heap overflow vuln ...) NOT-FOR-US: Adobe CVE-2020-3730 (Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds wri ...) NOT-FOR-US: Adobe CVE-2020-3729 (Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds wri ...) NOT-FOR-US: Adobe CVE-2020-3728 (Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds wri ...) NOT-FOR-US: Adobe CVE-2020-3727 (Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds wri ...) NOT-FOR-US: Adobe CVE-2020-3726 (Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds wri ...) NOT-FOR-US: Adobe CVE-2020-3725 (Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds wri ...) NOT-FOR-US: Adobe CVE-2020-3724 (Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds wri ...) NOT-FOR-US: Adobe CVE-2020-3723 (Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds wri ...) NOT-FOR-US: Adobe CVE-2020-3722 (Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds wri ...) NOT-FOR-US: Adobe CVE-2020-3721 (Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds wri ...) NOT-FOR-US: Adobe CVE-2020-3720 (Adobe Framemaker versions 2019.0.4 and below have an out-of-bounds wri ...) NOT-FOR-US: Adobe CVE-2020-3719 (Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and e ...) NOT-FOR-US: Magento CVE-2020-3718 (Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and e ...) NOT-FOR-US: Magento CVE-2020-3717 (Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and e ...) NOT-FOR-US: Magento CVE-2020-3716 (Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and e ...) NOT-FOR-US: Magento CVE-2020-3715 (Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and e ...) NOT-FOR-US: Magento CVE-2020-3714 (Adobe Illustrator CC versions 24.0 and earlier have a memory corruptio ...) NOT-FOR-US: Adobe CVE-2020-3713 (Adobe Illustrator CC versions 24.0 and earlier have a memory corruptio ...) NOT-FOR-US: Adobe CVE-2020-3712 (Adobe Illustrator CC versions 24.0 and earlier have a memory corruptio ...) NOT-FOR-US: Adobe CVE-2020-3711 (Adobe Illustrator CC versions 24.0 and earlier have a memory corruptio ...) NOT-FOR-US: Adobe CVE-2020-3710 (Adobe Illustrator CC versions 24.0 and earlier have a memory corruptio ...) NOT-FOR-US: Adobe CVE-2020-3709 RESERVED CVE-2020-3708 RESERVED CVE-2020-3707 RESERVED CVE-2020-3706 RESERVED CVE-2020-3705 RESERVED CVE-2020-3704 RESERVED CVE-2020-3703 RESERVED CVE-2020-3702 RESERVED CVE-2020-3701 RESERVED CVE-2020-3700 RESERVED CVE-2020-3699 RESERVED CVE-2020-3698 RESERVED CVE-2020-3697 RESERVED CVE-2020-3696 RESERVED CVE-2020-3695 RESERVED CVE-2020-3694 RESERVED CVE-2020-3693 RESERVED CVE-2020-3692 RESERVED CVE-2020-3691 RESERVED CVE-2020-3690 RESERVED CVE-2020-3689 RESERVED CVE-2020-3688 RESERVED CVE-2020-3687 RESERVED CVE-2020-3686 RESERVED CVE-2020-3685 RESERVED CVE-2020-3684 RESERVED CVE-2020-3683 RESERVED CVE-2020-3682 RESERVED CVE-2020-3681 RESERVED CVE-2020-3680 (A race condition can occur when using the fastrpc memory mapping API. ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-3679 RESERVED CVE-2020-3678 RESERVED CVE-2020-3677 RESERVED CVE-2020-3676 (Possible memory corruption in perfservice due to improper validation a ...) NOT-FOR-US: Snapdragon CVE-2020-3675 RESERVED CVE-2020-3674 RESERVED CVE-2020-3673 RESERVED CVE-2020-3672 RESERVED CVE-2020-3671 RESERVED CVE-2020-3670 RESERVED CVE-2020-3669 RESERVED CVE-2020-3668 RESERVED CVE-2020-3667 RESERVED CVE-2020-3666 RESERVED CVE-2020-3665 (A possible buffer overflow would occur while processing command from f ...) NOT-FOR-US: Snapdragon CVE-2020-3664 RESERVED CVE-2020-3663 (Buffer over-write may occur during fetching track decoder specific inf ...) NOT-FOR-US: Snapdragon CVE-2020-3662 (Buffer overflow can occur while parsing eac3 header while playing the ...) NOT-FOR-US: Snapdragon CVE-2020-3661 (Buffer overflow will happen while parsing mp4 clip with corrupted samp ...) NOT-FOR-US: Snapdragon CVE-2020-3660 (Possible null-pointer dereference can occur while parsing mp4 clip wit ...) NOT-FOR-US: Snapdragon CVE-2020-3659 RESERVED CVE-2020-3658 (Possible null-pointer dereference can occur while parsing mp4 clip wit ...) NOT-FOR-US: Snapdragon CVE-2020-3657 RESERVED CVE-2020-3656 RESERVED CVE-2020-3655 RESERVED CVE-2020-3654 RESERVED CVE-2020-3653 (Possible buffer over-read in windows wlan driver function due to lack ...) NOT-FOR-US: Snapdragon CVE-2020-3652 (Possible buffer over-read issue in windows x86 wlan driver function wh ...) NOT-FOR-US: Snapdragon CVE-2020-3651 (Active command timeout since WM status change cmd is not removed from ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-3650 RESERVED CVE-2020-3649 RESERVED CVE-2020-3648 RESERVED CVE-2020-3647 RESERVED CVE-2020-3646 RESERVED CVE-2020-3645 (Firmware will hit assert in WLAN firmware If encrypted data length in ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-3644 RESERVED CVE-2020-3643 RESERVED CVE-2020-3642 (Use after free issue in camera applications when used randomly over mu ...) NOT-FOR-US: Snapdragon CVE-2020-3641 (Integer overflow may occur if atom size is less than atom offset as th ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-3640 RESERVED CVE-2020-3639 RESERVED CVE-2020-3638 RESERVED CVE-2020-3637 RESERVED CVE-2020-3636 RESERVED CVE-2020-3635 (Stack based overflow If the maximum number of arguments allowed per re ...) NOT-FOR-US: Snapdragon CVE-2020-3634 RESERVED CVE-2020-3633 (Array out of bound may occur while playing mp3 file as no check is the ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-3632 RESERVED CVE-2020-3631 RESERVED CVE-2020-3630 (Possibility of out of bound access while processing the responses from ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-3629 RESERVED CVE-2020-3628 (Improper access due to socket opened by the logging application withou ...) NOT-FOR-US: Snapdragon CVE-2020-3627 RESERVED CVE-2020-3626 (Any application can bind to it and exercise the APIs due to no protect ...) NOT-FOR-US: Snapdragon CVE-2020-3625 (When making query to DSP capabilities, Stack out of bounds occurs due ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-3624 RESERVED CVE-2020-3623 (kernel failure due to load failures while running v1 path directly via ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-3622 RESERVED CVE-2020-3621 RESERVED CVE-2020-3620 RESERVED CVE-2020-3619 RESERVED CVE-2020-3618 (NULL exception due to accessing bad pointer while posting events on RT ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-3617 RESERVED CVE-2020-3616 (Buffer overflow in display function due to memory copy without checkin ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-3615 (Valid deauth/disassoc frames is dropped in case if RMF is enabled and ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-3614 (Possible buffer overflow while copying the frame to local buffer due t ...) NOT-FOR-US: Snapdragon CVE-2020-3613 (Double free issue in kernel memory mapping due to lack of memory prote ...) NOT-FOR-US: Snapdragon CVE-2020-3612 RESERVED CVE-2020-3611 RESERVED CVE-2020-3610 (Possibility of double free of the drawobj that is added to the drawque ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-19864 REJECTED CVE-2019-19863 REJECTED CVE-2019-19862 REJECTED CVE-2019-19861 REJECTED CVE-2019-19860 RESERVED CVE-2019-19859 (An issue was discovered in Serpico (aka SimplE RePort wrIting and Coll ...) NOT-FOR-US: Serpico CVE-2019-19858 (An issue was discovered in Serpico (aka SimplE RePort wrIting and Coll ...) NOT-FOR-US: Serpico CVE-2019-19857 (An issue was discovered in Serpico (aka SimplE RePort wrIting and Coll ...) NOT-FOR-US: Serpico CVE-2019-19856 (An issue was discovered in Serpico (aka SimplE RePort wrIting and Coll ...) NOT-FOR-US: Serpico CVE-2019-19855 (An issue was discovered in Serpico (aka SimplE RePort wrIting and Coll ...) NOT-FOR-US: Serpico CVE-2019-19854 (An issue was discovered in Serpico (aka SimplE RePort wrIting and Coll ...) NOT-FOR-US: Serpico CVE-2019-19853 RESERVED CVE-2019-19852 (An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13 ...) NOT-FOR-US: FreePBX CVE-2019-19851 (An XSS Injection vulnerability exists in Sangoma FreePBX and PBXact 13 ...) NOT-FOR-US: FreePBX CVE-2019-19850 (An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and ...) NOT-FOR-US: TYPO3 CVE-2019-19849 (An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and ...) NOT-FOR-US: TYPO3 CVE-2019-19848 (An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and ...) NOT-FOR-US: TYPO3 CVE-2019-19847 (Libspiro through 20190731 has a stack-based buffer overflow in the spi ...) - libspiro 1:20200505-1 (unimportant; bug #947276) [jessie] - libspiro (Vulnerable code not present) NOTE: https://github.com/fontforge/libspiro/issues/21 NOTE: https://github.com/fontforge/libspiro/issues/21#issuecomment-567983822 NOTE: https://github.com/fontforge/libspiro/commit/35233450c922787dad42321e359e5229ff470a1e CVE-2019-19846 (In Joomla! before 3.9.14, the lack of validation of configuration para ...) NOT-FOR-US: Joomla! CVE-2019-19845 (In Joomla! before 3.9.14, a missing access check in framework files co ...) NOT-FOR-US: Joomla! CVE-2019-19844 (Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows a ...) {DSA-4598-1 DLA-2042-1} - python-django 2:2.2.9-1 (bug #946937) NOTE: https://www.djangoproject.com/weblog/2019/dec/18/security-releases/ NOTE: https://github.com/django/django/commit/5b1fbcef7a8bec991ebe7b2a18b5d5a95d72cb70 (master) NOTE: https://github.com/django/django/commit/302a4ff1e8b1c798aab97673909c7a3dfda42c26 (3.0.x branch) NOTE: https://github.com/django/django/commit/4d334bea06cac63dc1272abcec545b85136cca0e (2.2.x branch) NOTE: https://github.com/django/django/commit/f4cff43bf921fcea6a29b726eb66767f67753fa2 (1.11.x branch) CVE-2019-19843 (Incorrect access control in the web interface in Ruckus Wireless Unlea ...) NOT-FOR-US: Ruckus devices CVE-2019-19842 (emfd in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remot ...) NOT-FOR-US: Ruckus devices CVE-2019-19841 (emfd in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remot ...) NOT-FOR-US: Ruckus devices CVE-2019-19840 (A stack-based buffer overflow in zap_parse_args in zap.c in zap in Ruc ...) NOT-FOR-US: Ruckus devices CVE-2019-19839 (emfd in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remot ...) NOT-FOR-US: Ruckus devices CVE-2019-19838 (emfd in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remot ...) NOT-FOR-US: Ruckus devices CVE-2019-19837 (Incorrect access control in the web interface in Ruckus Wireless Unlea ...) NOT-FOR-US: Ruckus devices CVE-2019-19836 (AjaxRestrictedCmdStat in zap in Ruckus Wireless Unleashed through 200. ...) NOT-FOR-US: Ruckus devices CVE-2019-19835 (SSRF in AjaxRestrictedCmdStat in zap in Ruckus Wireless Unleashed thro ...) NOT-FOR-US: Ruckus devices CVE-2019-19834 (Directory Traversal in ruckus_cli2 in Ruckus Wireless Unleashed throug ...) NOT-FOR-US: Ruckus devices CVE-2019-20043 (In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.ph ...) {DSA-4599-1} - wordpress 5.3.2+dfsg1-1 (bug #946905) [stretch] - wordpress 4.7.5+dfsg-2+deb9u6 [jessie] - wordpress (Vulnerable REST API introduced in 4.4) NOTE: https://core.trac.wordpress.org/changeset/46893/trunk NOTE: https://github.com/WordPress/wordpress-develop/commit/1d1d5be7aa94608c04516cac4238e8c22b93c1d9 NOTE: https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/ CVE-2019-20042 (In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function ...) {DSA-4599-1} - wordpress 5.3.2+dfsg1-1 (bug #946905) [stretch] - wordpress (Vulnerable function introduced in 5.1) [jessie] - wordpress (Vulnerable function introduced in 5.1) NOTE: https://core.trac.wordpress.org/changeset/46894/trunk NOTE: https://github.com/WordPress/wordpress-develop/commit/1f7f3f1f59567e2504f0fbebd51ccf004b3ccb1d NOTE: https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/ CVE-2019-20041 (wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 ...) {DSA-4599-1 DLA-2067-1} - wordpress 5.3.2+dfsg1-1 (bug #946905) [stretch] - wordpress 4.7.5+dfsg-2+deb9u6 NOTE: https://github.com/WordPress/wordpress-develop/commit/b1975463dd995da19bb40d3fa0786498717e3c53 NOTE: https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/ CVE-2019-16781 (In WordPress before 5.3.1, authenticated users with lower privileges ( ...) {DSA-4599-1} - wordpress 5.3.2+dfsg1-1 (bug #946905) [stretch] - wordpress (Vulnerable Block feature introduce in 5.0) [jessie] - wordpress (Vulnerable Block feature introduce in 5.0) NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pg4x-64rh-3c9v NOTE: https://hackerone.com/reports/731301 NOTE: https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/ CVE-2019-16780 (WordPress users with lower privileges (like contributors) can inject J ...) {DSA-4599-1} - wordpress 5.3.2+dfsg1-1 (bug #946905) [stretch] - wordpress (Vulnerable Block feature introduce in 5.0) [jessie] - wordpress (Vulnerable Block feature introduce in 5.0) NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-x3wp-h3qx-9w94 NOTE: https://github.com/WordPress/wordpress-develop/commit/505dd6a20b6fc3d06130018c1caeff764248c29e NOTE: https://hackerone.com/reports/738644 NOTE: https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/ CVE-2019-19833 (In Tautulli 2.1.9, CSRF in the /shutdown URI allows an attacker to shu ...) NOT-FOR-US: Tautulli CVE-2019-19832 (Xerox AltaLink C8035 printers allow CSRF. A request to add users is ma ...) NOT-FOR-US: Xerox CVE-2019-19831 RESERVED CVE-2019-19829 (A cross-site scripting (XSS) vulnerability exists in SolarWinds Serv-U ...) NOT-FOR-US: SolarWinds CVE-2019-19828 RESERVED CVE-2019-19827 RESERVED CVE-2019-19826 (The Views Dynamic Fields module through 7.x-1.0-alpha4 for Drupal make ...) NOT-FOR-US: Views Dynamic Fields module for Drupal CVE-2019-19825 (On certain TOTOLINK Realtek SDK based routers, the CAPTCHA text can be ...) NOT-FOR-US: TOTOLINK Realtek SDK based routers CVE-2019-19824 (On certain TOTOLINK Realtek SDK based routers, an authenticated attack ...) NOT-FOR-US: TOTOLINK Realtek SDK based routers CVE-2019-19823 (A certain router administration interface (that includes Realtek APMIB ...) NOT-FOR-US: Realtek CVE-2019-19822 (A certain router administration interface (that includes Realtek APMIB ...) NOT-FOR-US: Realtek CVE-2019-19821 (A post-authentication privilege escalation in the web application of C ...) NOT-FOR-US: Combodo iTop CVE-2019-19820 (An invalid pointer vulnerability in IOCTL Handling in the kyrld.sys dr ...) NOT-FOR-US: Kyrol Internet Security CVE-2019-19819 (The JBIG2Globals library in npdf.dll in Nitro Free PDF Reader 12.0.0.1 ...) NOT-FOR-US: JBIG2Globals library in npdf.dll in Nitro Free PDF Reader CVE-2019-19818 (The JBIG2Decode library in npdf.dll in Nitro Free PDF Reader 12.0.0.11 ...) NOT-FOR-US: JBIG2Globals library in npdf.dll in Nitro Free PDF Reader CVE-2019-19817 (The JBIG2Decode library in npdf.dll in Nitro Free PDF Reader 12.0.0.11 ...) NOT-FOR-US: JBIG2Globals library in npdf.dll in Nitro Free PDF Reader CVE-2019-19816 (In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image ...) - linux CVE-2019-19815 (In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image c ...) - linux 5.3.7-1 CVE-2019-19814 (In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image c ...) - linux CVE-2019-19813 (In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, ...) - linux CVE-2019-19812 RESERVED CVE-2019-19811 RESERVED CVE-2019-19810 RESERVED CVE-2019-19809 RESERVED CVE-2019-3467 (Debian-edu-config all versions < 2.11.10, a set of configuration fi ...) {DSA-4595-1 DSA-4589-1 DLA-2063-1 DLA-2041-1} - debian-edu-config 2.11.10 (bug #946797) - debian-lan-config 0.26 (bug #947459) NOTE: debian-lan-config is effectively the same issue as in debian-edu-config and a somewhat NOTE: derived codebase, so same CVE ID is used CVE-2019-19808 RESERVED CVE-2019-19806 (_account_forgot_password.ajax.php in MFScripts YetiShare 3.5.2 through ...) NOT-FOR-US: MFScripts YetiShare CVE-2019-19805 (_account_forgot_password.ajax.php in MFScripts YetiShare 3.5.2 through ...) NOT-FOR-US: MFScripts YetiShare CVE-2019-19804 RESERVED CVE-2019-19803 RESERVED CVE-2019-19802 (In Gallagher Command Centre Server v8.10 prior to v8.10.1134(MR4), v8. ...) NOT-FOR-US: Gallagher Command Centre Server CVE-2019-19801 (In Gallagher Command Centre Server versions of v8.10 prior to v8.10.11 ...) NOT-FOR-US: Gallagher Command Centre Server CVE-2019-19800 (Zoho ManageEngine Applications Manager 14 before 14520 allows a remote ...) NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2019-19799 (Zoho ManageEngine Applications Manager before 14600 allows a remote un ...) NOT-FOR-US: Zoho ManageEngine CVE-2019-19798 RESERVED CVE-2019-19797 (read_colordef in read.c in Xfig fig2dev 3.2.7b has an out-of-bounds wr ...) - fig2dev 1:3.2.7b-3 (bug #946866) [buster] - fig2dev 1:3.2.7a-5+deb10u3 [stretch] - fig2dev (Minor issue) - transfig [jessie] - transfig (Minor issue) NOTE: https://sourceforge.net/p/mcj/tickets/67/ NOTE: https://sourceforge.net/p/mcj/fig2dev/ci/41b9bb838a3d544539f6e68aa4f87d70ef7d45ce/ CVE-2019-19807 (In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after- ...) - linux 5.3.15-1 [buster] - linux (Vulnerable code introduced later and not present in released Debian version) [stretch] - linux (Vulnerable code introduced later and not present in released Debian version) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/e7af6307a8a54f0b873960b32b6a644f2d0fbd97 CVE-2019-19796 (Yabasic 2.86.2 has a heap-based buffer overflow in myformat in functio ...) - yabasic (unimportant) NOTE: https://github.com/marcIhm/yabasic/issues/37 NOTE: Negligible security impact CVE-2019-19795 (samurai 0.7 has a heap-based buffer overflow in canonpath in util.c vi ...) NOT-FOR-US: samurai CVE-2019-19794 (The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6. ...) - golang-github-miekg-dns 1.1.26-1 (bug #947403) [buster] - golang-github-miekg-dns (Minor issue) NOTE: https://github.com/coredns/coredns/issues/3519 NOTE: https://github.com/miekg/dns/commit/8ebf2e419df7857ac8919baa05248789a8ffbf33 NOTE: https://github.com/miekg/dns/issues/1043 NOTE: https://github.com/miekg/dns/pull/1044 CVE-2019-19793 (In Cyxtera AppGate SDP Client 4.1.x through 4.3.x before 4.3.2 on Wind ...) NOT-FOR-US: Cyxtera AppGate SDP Client CVE-2019-19792 (A permissions issue in ESET Cyber Security before 6.8.300.0 for macOS ...) NOT-FOR-US: ESET Cyber Security CVE-2019-19791 [Apache access rules and SOAP/REST endpoints issue] RESERVED - lemonldap-ng 2.0.7+ds-1 [buster] - lemonldap-ng 2.0.2+ds-7+deb10u3 [stretch] - lemonldap-ng (Minor issue) [jessie] - lemonldap-ng (Minor issue) NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1943 NOTE: https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-0-7-is-out/ CVE-2019-19790 (Path traversal in RadChart in Telerik UI for ASP.NET AJAX allows a rem ...) NOT-FOR-US: Telerik UI for ASP.NET AJAX CVE-2019-19789 (3S-Smart CODESYS SP Realtime NT before V2.3.7.28, CODESYS Runtime Tool ...) NOT-FOR-US: CODESYS CVE-2019-19788 (Opera for Android before 54.0.2669.49432 is vulnerable to a sandboxed ...) NOT-FOR-US: Opera for Android CVE-2019-19787 (ATasm 1.06 has a stack-based buffer overflow in the get_signed_express ...) NOT-FOR-US: ATasm CVE-2019-19786 (ATasm 1.06 has a stack-based buffer overflow in the parse_expr() funct ...) NOT-FOR-US: ATasm CVE-2019-19785 (ATasm 1.06 has a stack-based buffer overflow in the to_comma() functio ...) NOT-FOR-US: ATasm CVE-2019-19784 RESERVED CVE-2019-19783 (An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0. ...) {DSA-4590-1} - cyrus-imapd 3.0.13-1 NOTE: https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.13.html#security-fixes CVE-2019-19782 (The FTP client in AceaXe Plus 1.0 allows a buffer overflow via a long ...) NOT-FOR-US: AceaXe Plus CVE-2019-19781 (An issue was discovered in Citrix Application Delivery Controller (ADC ...) NOT-FOR-US: Citrix CVE-2019-19780 RESERVED CVE-2019-19779 RESERVED CVE-2019-19778 (An issue was discovered in libsixel 1.8.2. There is a heap-based buffe ...) - libsixel 1.8.6-1 (low; bug #948103) [buster] - libsixel (Minor issue) [stretch] - libsixel (Minor issue) [jessie] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/110 CVE-2019-19777 (stb_image.h (aka the stb image loader) 2.23, as used in libsixel and o ...) - libsixel 1.8.6-1 (low; bug #948103) [buster] - libsixel (Minor issue) [stretch] - libsixel (Minor issue) [jessie] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/109 CVE-2019-19776 RESERVED CVE-2019-19775 (The image thumbnailing handler in Zulip Server versions 1.9.0 to befor ...) - zulip-server (bug #800052) CVE-2019-19774 (An issue was discovered in Zoho ManageEngine EventLog Analyzer 10.0 SP ...) NOT-FOR-US: Zoho ManageEngine EventLog Analyzer CVE-2019-19773 (Various Lexmark products have stored XSS in the embedded web server us ...) NOT-FOR-US: Lexmark CVE-2019-19772 (Various Lexmark products have reflected XSS in the embedded web server ...) NOT-FOR-US: Lexmark CVE-2019-19771 (The lodahs package 0.0.1 for Node.js is a Trojan horse, and may have b ...) NOT-FOR-US: lodahs malicious package on npm CVE-2019-19830 (_core_/plugins/medias in SPIP 3.2.x before 3.2.7 allows remote authent ...) {DSA-4583-1} - spip 3.2.7-1 [stretch] - spip (Vulnerable code not present) [jessie] - spip (Vulnerable code not present) CVE-2020-3609 RESERVED CVE-2020-3608 RESERVED CVE-2020-3607 RESERVED CVE-2020-3606 RESERVED CVE-2020-3605 RESERVED CVE-2020-3604 RESERVED CVE-2020-3603 RESERVED CVE-2020-3602 RESERVED CVE-2020-3601 RESERVED CVE-2020-3600 RESERVED CVE-2020-3599 RESERVED CVE-2020-3598 RESERVED CVE-2020-3597 RESERVED CVE-2020-3596 RESERVED CVE-2020-3595 RESERVED CVE-2020-3594 RESERVED CVE-2020-3593 RESERVED CVE-2020-3592 RESERVED CVE-2020-3591 RESERVED CVE-2020-3590 RESERVED CVE-2020-3589 RESERVED CVE-2020-3588 RESERVED CVE-2020-3587 RESERVED CVE-2020-3586 RESERVED CVE-2020-3585 RESERVED CVE-2020-3584 RESERVED CVE-2020-3583 RESERVED CVE-2020-3582 RESERVED CVE-2020-3581 RESERVED CVE-2020-3580 RESERVED CVE-2020-3579 RESERVED CVE-2020-3578 RESERVED CVE-2020-3577 RESERVED CVE-2020-3576 RESERVED CVE-2020-3575 RESERVED CVE-2020-3574 RESERVED CVE-2020-3573 RESERVED CVE-2020-3572 RESERVED CVE-2020-3571 RESERVED CVE-2020-3570 RESERVED CVE-2020-3569 RESERVED CVE-2020-3568 RESERVED CVE-2020-3567 RESERVED CVE-2020-3566 RESERVED CVE-2020-3565 RESERVED CVE-2020-3564 RESERVED CVE-2020-3563 RESERVED CVE-2020-3562 RESERVED CVE-2020-3561 RESERVED CVE-2020-3560 RESERVED CVE-2020-3559 RESERVED CVE-2020-3558 RESERVED CVE-2020-3557 RESERVED CVE-2020-3556 RESERVED CVE-2020-3555 RESERVED CVE-2020-3554 RESERVED CVE-2020-3553 RESERVED CVE-2020-3552 RESERVED CVE-2020-3551 RESERVED CVE-2020-3550 RESERVED CVE-2020-3549 RESERVED CVE-2020-3548 RESERVED CVE-2020-3547 RESERVED CVE-2020-3546 RESERVED CVE-2020-3545 RESERVED CVE-2020-3544 RESERVED CVE-2020-3543 RESERVED CVE-2020-3542 RESERVED CVE-2020-3541 RESERVED CVE-2020-3540 RESERVED CVE-2020-3539 RESERVED CVE-2020-3538 RESERVED CVE-2020-3537 RESERVED CVE-2020-3536 RESERVED CVE-2020-3535 RESERVED CVE-2020-3534 RESERVED CVE-2020-3533 RESERVED CVE-2020-3532 RESERVED CVE-2020-3531 RESERVED CVE-2020-3530 RESERVED CVE-2020-3529 RESERVED CVE-2020-3528 RESERVED CVE-2020-3527 RESERVED CVE-2020-3526 RESERVED CVE-2020-3525 RESERVED CVE-2020-3524 RESERVED CVE-2020-3523 RESERVED CVE-2020-3522 RESERVED CVE-2020-3521 RESERVED CVE-2020-3520 RESERVED CVE-2020-3519 RESERVED CVE-2020-3518 RESERVED CVE-2020-3517 RESERVED CVE-2020-3516 RESERVED CVE-2020-3515 RESERVED CVE-2020-3514 RESERVED CVE-2020-3513 RESERVED CVE-2020-3512 RESERVED CVE-2020-3511 RESERVED CVE-2020-3510 RESERVED CVE-2020-3509 RESERVED CVE-2020-3508 RESERVED CVE-2020-3507 RESERVED CVE-2020-3506 RESERVED CVE-2020-3505 RESERVED CVE-2020-3504 RESERVED CVE-2020-3503 RESERVED CVE-2020-3502 RESERVED CVE-2020-3501 RESERVED CVE-2020-3500 RESERVED CVE-2020-3499 RESERVED CVE-2020-3498 RESERVED CVE-2020-3497 RESERVED CVE-2020-3496 RESERVED CVE-2020-3495 RESERVED CVE-2020-3494 RESERVED CVE-2020-3493 RESERVED CVE-2020-3492 RESERVED CVE-2020-3491 RESERVED CVE-2020-3490 RESERVED CVE-2020-3489 RESERVED CVE-2020-3488 RESERVED CVE-2020-3487 RESERVED CVE-2020-3486 RESERVED CVE-2020-3485 RESERVED CVE-2020-3484 RESERVED CVE-2020-3483 RESERVED CVE-2020-3482 RESERVED CVE-2020-3481 RESERVED CVE-2020-3480 RESERVED CVE-2020-3479 RESERVED CVE-2020-3478 RESERVED CVE-2020-3477 RESERVED CVE-2020-3476 RESERVED CVE-2020-3475 RESERVED CVE-2020-3474 RESERVED CVE-2020-3473 RESERVED CVE-2020-3472 RESERVED CVE-2020-3471 RESERVED CVE-2020-3470 RESERVED CVE-2020-3469 RESERVED CVE-2020-3468 RESERVED CVE-2020-3467 RESERVED CVE-2020-3466 RESERVED CVE-2020-3465 RESERVED CVE-2020-3464 RESERVED CVE-2020-3463 RESERVED CVE-2020-3462 RESERVED CVE-2020-3461 RESERVED CVE-2020-3460 RESERVED CVE-2020-3459 RESERVED CVE-2020-3458 RESERVED CVE-2020-3457 RESERVED CVE-2020-3456 RESERVED CVE-2020-3455 RESERVED CVE-2020-3454 RESERVED CVE-2020-3453 RESERVED CVE-2020-3452 RESERVED CVE-2020-3451 RESERVED CVE-2020-3450 RESERVED CVE-2020-3449 RESERVED CVE-2020-3448 RESERVED CVE-2020-3447 RESERVED CVE-2020-3446 RESERVED CVE-2020-3445 RESERVED CVE-2020-3444 RESERVED CVE-2020-3443 RESERVED CVE-2020-3442 RESERVED CVE-2020-3441 RESERVED CVE-2020-3440 RESERVED CVE-2020-3439 RESERVED CVE-2020-3438 RESERVED CVE-2020-3437 RESERVED CVE-2020-3436 RESERVED CVE-2020-3435 RESERVED CVE-2020-3434 RESERVED CVE-2020-3433 RESERVED CVE-2020-3432 RESERVED CVE-2020-3431 RESERVED CVE-2020-3430 RESERVED CVE-2020-3429 RESERVED CVE-2020-3428 RESERVED CVE-2020-3427 RESERVED CVE-2020-3426 RESERVED CVE-2020-3425 RESERVED CVE-2020-3424 RESERVED CVE-2020-3423 RESERVED CVE-2020-3422 RESERVED CVE-2020-3421 RESERVED CVE-2020-3420 RESERVED CVE-2020-3419 RESERVED CVE-2020-3418 RESERVED CVE-2020-3417 RESERVED CVE-2020-3416 RESERVED CVE-2020-3415 RESERVED CVE-2020-3414 RESERVED CVE-2020-3413 RESERVED CVE-2020-3412 RESERVED CVE-2020-3411 RESERVED CVE-2020-3410 RESERVED CVE-2020-3409 RESERVED CVE-2020-3408 RESERVED CVE-2020-3407 RESERVED CVE-2020-3406 RESERVED CVE-2020-3405 RESERVED CVE-2020-3404 RESERVED CVE-2020-3403 RESERVED CVE-2020-3402 (A vulnerability in the Java Remote Method Invocation (RMI) interface o ...) NOT-FOR-US: Cisco CVE-2020-3401 RESERVED CVE-2020-3400 RESERVED CVE-2020-3399 RESERVED CVE-2020-3398 RESERVED CVE-2020-3397 RESERVED CVE-2020-3396 RESERVED CVE-2020-3395 RESERVED CVE-2020-3394 RESERVED CVE-2020-3393 RESERVED CVE-2020-3392 RESERVED CVE-2020-3391 (A vulnerability in Cisco Digital Network Architecture (DNA) Center cou ...) NOT-FOR-US: Cisco CVE-2020-3390 RESERVED CVE-2020-3389 RESERVED CVE-2020-3388 RESERVED CVE-2020-3387 RESERVED CVE-2020-3386 RESERVED CVE-2020-3385 RESERVED CVE-2020-3384 RESERVED CVE-2020-3383 RESERVED CVE-2020-3382 RESERVED CVE-2020-3381 RESERVED CVE-2020-3380 RESERVED CVE-2020-3379 RESERVED CVE-2020-3378 RESERVED CVE-2020-3377 RESERVED CVE-2020-3376 RESERVED CVE-2020-3375 RESERVED CVE-2020-3374 RESERVED CVE-2020-3373 RESERVED CVE-2020-3372 RESERVED CVE-2020-3371 RESERVED CVE-2020-3370 RESERVED CVE-2020-3369 RESERVED CVE-2020-3368 (A vulnerability in the antispam protection mechanisms of Cisco AsyncOS ...) NOT-FOR-US: Cisco CVE-2020-3367 RESERVED CVE-2020-3366 RESERVED CVE-2020-3365 RESERVED CVE-2020-3364 (A vulnerability in the access control list (ACL) functionality of the ...) NOT-FOR-US: Cisco CVE-2020-3363 RESERVED CVE-2020-3362 (A vulnerability in the CLI of Cisco Network Services Orchestrator (NSO ...) NOT-FOR-US: Cisco CVE-2020-3361 (A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Serve ...) NOT-FOR-US: Cisco CVE-2020-3360 (A vulnerability in the Web Access feature of Cisco IP Phones Series 78 ...) NOT-FOR-US: Cisco CVE-2020-3359 RESERVED CVE-2020-3358 RESERVED CVE-2020-3357 RESERVED CVE-2020-3356 (A vulnerability in the web-based management interface of Cisco Data Ce ...) NOT-FOR-US: Cisco CVE-2020-3355 (A vulnerability in the web-based management interface of Cisco Data Ce ...) NOT-FOR-US: Cisco CVE-2020-3354 (A vulnerability in the web-based management interface of Cisco Data Ce ...) NOT-FOR-US: Cisco CVE-2020-3353 (A vulnerability in the syslog processing engine of Cisco Identity Serv ...) NOT-FOR-US: Cisco CVE-2020-3352 RESERVED CVE-2020-3351 RESERVED CVE-2020-3350 (A vulnerability in the endpoint software of Cisco AMP for Endpoints an ...) NOT-FOR-US: Cisco CVE-2020-3349 RESERVED CVE-2020-3348 RESERVED CVE-2020-3347 (A vulnerability in Cisco Webex Meetings Desktop App for Windows could ...) NOT-FOR-US: Cisco CVE-2020-3346 RESERVED CVE-2020-3345 RESERVED CVE-2020-3344 (A vulnerability in Cisco AMP for Endpoints Linux Connector Software an ...) NOT-FOR-US: Cisco CVE-2020-3343 (A vulnerability in Cisco AMP for Endpoints Linux Connector Software an ...) NOT-FOR-US: Cisco CVE-2020-3342 (A vulnerability in the software update feature of Cisco Webex Meetings ...) NOT-FOR-US: Cisco CVE-2020-3341 (A vulnerability in the PDF archive parsing module in Clam AntiVirus (C ...) {DLA-2215-1} - clamav 0.102.3+dfsg-1 [buster] - clamav (ClamAV is updated via -updates) [stretch] - clamav (ClamAV is updated via -updates) NOTE: https://blog.clamav.net/2020/05/clamav-01023-security-patch-released.html CVE-2020-3340 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2020-3339 (A vulnerability in the web-based management interface of Cisco Prime I ...) NOT-FOR-US: Cisco CVE-2020-3338 RESERVED CVE-2020-3337 (A vulnerability in the web server of Cisco Umbrella could allow an una ...) NOT-FOR-US: Cisco CVE-2020-3336 (A vulnerability in the software upgrade process of Cisco TelePresence ...) NOT-FOR-US: Cisco CVE-2020-3335 (A vulnerability in the key store of Cisco Application Services Engine ...) NOT-FOR-US: Cisco CVE-2020-3334 (A vulnerability in the ARP packet processing of Cisco Adaptive Securit ...) NOT-FOR-US: Cisco CVE-2020-3333 (A vulnerability in the API of Cisco Application Services Engine Softwa ...) NOT-FOR-US: Cisco CVE-2020-3332 RESERVED CVE-2020-3331 RESERVED CVE-2020-3330 RESERVED CVE-2020-3329 (A vulnerability in role-based access control of Cisco Integrated Manag ...) NOT-FOR-US: Cisco CVE-2020-3328 RESERVED CVE-2020-3327 (A vulnerability in the ARJ archive parsing module in Clam AntiVirus (C ...) {DLA-2215-1} - clamav 0.102.3+dfsg-1 [buster] - clamav (ClamAV is updated via -updates) [stretch] - clamav (ClamAV is updated via -updates) NOTE: https://blog.clamav.net/2020/05/clamav-01023-security-patch-released.html CVE-2020-3326 RESERVED CVE-2020-3325 RESERVED CVE-2020-3324 RESERVED CVE-2020-3323 RESERVED CVE-2020-3322 (A vulnerability in Cisco Webex Network Recording Player and Cisco Webe ...) NOT-FOR-US: Cisco CVE-2020-3321 (A vulnerability in Cisco Webex Network Recording Player and Cisco Webe ...) NOT-FOR-US: Cisco CVE-2020-3320 RESERVED CVE-2020-3319 (A vulnerability in Cisco Webex Network Recording Player and Cisco Webe ...) NOT-FOR-US: Cisco CVE-2020-3318 (Multiple vulnerabilities in Cisco Firepower Management Center (FMC) So ...) NOT-FOR-US: Cisco CVE-2020-3317 RESERVED CVE-2020-3316 RESERVED CVE-2020-3315 (Multiple Cisco products are affected by a vulnerability in the Snort d ...) NOT-FOR-US: Cisco CVE-2020-3314 (A vulnerability in the file scan process of Cisco AMP for Endpoints Ma ...) NOT-FOR-US: Cisco CVE-2020-3313 (A vulnerability in the web UI of Cisco Firepower Management Center (FM ...) NOT-FOR-US: Cisco CVE-2020-3312 (A vulnerability in the application policy configuration of Cisco Firep ...) NOT-FOR-US: Cisco CVE-2020-3311 (A vulnerability in the web interface of Cisco Firepower Management Cen ...) NOT-FOR-US: Cisco CVE-2020-3310 (A vulnerability in the XML parser code of Cisco Firepower Device Manag ...) NOT-FOR-US: Cisco CVE-2020-3309 (A vulnerability in Cisco Firepower Device Manager (FDM) On-Box softwar ...) NOT-FOR-US: Cisco CVE-2020-3308 (A vulnerability in the Image Signature Verification feature of Cisco F ...) NOT-FOR-US: Cisco CVE-2020-3307 (A vulnerability in the web UI of Cisco Firepower Management Center (FM ...) NOT-FOR-US: Cisco CVE-2020-3306 (A vulnerability in the DHCP module of Cisco Adaptive Security Applianc ...) NOT-FOR-US: Cisco CVE-2020-3305 (A vulnerability in the implementation of the Border Gateway Protocol ( ...) NOT-FOR-US: Cisco CVE-2020-3304 RESERVED CVE-2020-3303 (A vulnerability in the Internet Key Exchange version 1 (IKEv1) feature ...) NOT-FOR-US: Cisco CVE-2020-3302 (A vulnerability in the web UI of Cisco Firepower Management Center (FM ...) NOT-FOR-US: Cisco CVE-2020-3301 (Multiple vulnerabilities in Cisco Firepower Management Center (FMC) So ...) NOT-FOR-US: Cisco CVE-2020-3300 RESERVED CVE-2020-3299 RESERVED CVE-2020-3298 (A vulnerability in the Open Shortest Path First (OSPF) implementation ...) NOT-FOR-US: Cisco CVE-2020-3297 (A vulnerability in session management for the web-based interface of C ...) NOT-FOR-US: Cisco CVE-2020-3296 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2020-3295 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2020-3294 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2020-3293 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2020-3292 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2020-3291 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2020-3290 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2020-3289 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2020-3288 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2020-3287 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2020-3286 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2020-3285 (A vulnerability in the Transport Layer Security version 1.3 (TLS 1.3) ...) NOT-FOR-US: Cisco CVE-2020-3284 RESERVED CVE-2020-3283 (A vulnerability in the Secure Sockets Layer (SSL)/Transport Layer Secu ...) NOT-FOR-US: Cisco CVE-2020-3282 (A vulnerability in the web-based management interface of Cisco Unified ...) TODO: check CVE-2020-3281 (A vulnerability in the audit logging component of Cisco Digital Networ ...) NOT-FOR-US: Cisco CVE-2020-3280 (A vulnerability in the Java Remote Management Interface of Cisco Unifi ...) NOT-FOR-US: Cisco CVE-2020-3279 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2020-3278 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2020-3277 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2020-3276 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2020-3275 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2020-3274 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2020-3273 (A vulnerability in the 802.11 Generic Advertisement Service (GAS) fram ...) NOT-FOR-US: Cisco CVE-2020-3272 (A vulnerability in the DHCP server of Cisco Prime Network Registrar co ...) NOT-FOR-US: Cisco CVE-2020-3271 RESERVED CVE-2020-3270 RESERVED CVE-2020-3269 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2020-3268 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2020-3267 (A vulnerability in the API subsystem of Cisco Unified Contact Center E ...) NOT-FOR-US: Cisco CVE-2020-3266 (A vulnerability in the CLI of Cisco SD-WAN Solution software could all ...) NOT-FOR-US: Cisco CVE-2020-3265 (A vulnerability in Cisco SD-WAN Solution software could allow an authe ...) NOT-FOR-US: Cisco CVE-2020-3264 (A vulnerability in Cisco SD-WAN Solution software could allow an authe ...) NOT-FOR-US: Cisco CVE-2020-3263 (A vulnerability in Cisco Webex Meetings Desktop App could allow an una ...) NOT-FOR-US: Cisco CVE-2020-3262 (A vulnerability in the Control and Provisioning of Wireless Access Poi ...) NOT-FOR-US: Cisco CVE-2020-3261 (A vulnerability in the web-based management interface of Cisco Mobilit ...) NOT-FOR-US: Cisco CVE-2020-3260 (A vulnerability in Cisco Aironet Series Access Points Software could a ...) NOT-FOR-US: Cisco CVE-2020-3259 (A vulnerability in the web services interface of Cisco Adaptive Securi ...) NOT-FOR-US: Cisco CVE-2020-3258 (Multiple vulnerabilities in Cisco IOS Software for Cisco 809 and 829 I ...) NOT-FOR-US: Cisco CVE-2020-3257 (Multiple vulnerabilities in the Cisco IOx application environment of C ...) NOT-FOR-US: Cisco CVE-2020-3256 (A vulnerability in the web-based management interface of Cisco Hosted ...) NOT-FOR-US: Cisco CVE-2020-3255 (A vulnerability in the packet processing functionality of Cisco Firepo ...) NOT-FOR-US: Cisco CVE-2020-3254 (Multiple vulnerabilities in the Media Gateway Control Protocol (MGCP) ...) NOT-FOR-US: Cisco CVE-2020-3253 (A vulnerability in the support tunnel feature of Cisco Firepower Threa ...) NOT-FOR-US: Cisco CVE-2020-3252 (Multiple vulnerabilities in the REST API of Cisco UCS Director and Cis ...) NOT-FOR-US: Cisco CVE-2020-3251 (Multiple vulnerabilities in the REST API of Cisco UCS Director and Cis ...) NOT-FOR-US: Cisco CVE-2020-3250 (Multiple vulnerabilities in the REST API of Cisco UCS Director and Cis ...) NOT-FOR-US: Cisco CVE-2020-3249 (Multiple vulnerabilities in the REST API of Cisco UCS Director and Cis ...) NOT-FOR-US: Cisco CVE-2020-3248 (Multiple vulnerabilities in the REST API of Cisco UCS Director and Cis ...) NOT-FOR-US: Cisco CVE-2020-3247 (Multiple vulnerabilities in the REST API of Cisco UCS Director and Cis ...) NOT-FOR-US: Cisco CVE-2020-3246 (A vulnerability in the web server of Cisco Umbrella could allow an una ...) NOT-FOR-US: Cisco CVE-2020-3245 (A vulnerability in the web application of Cisco Smart Software Manager ...) NOT-FOR-US: Cisco CVE-2020-3244 (A vulnerability in the Enhanced Charging Service (ECS) functionality o ...) NOT-FOR-US: Cisco CVE-2020-3243 (Multiple vulnerabilities in the REST API of Cisco UCS Director and Cis ...) NOT-FOR-US: Cisco CVE-2020-3242 (A vulnerability in the REST API of Cisco UCS Director could allow an a ...) NOT-FOR-US: Cisco CVE-2020-3241 (A vulnerability in the orchestration tasks of Cisco UCS Director could ...) NOT-FOR-US: Cisco CVE-2020-3240 (Multiple vulnerabilities in the REST API of Cisco UCS Director and Cis ...) NOT-FOR-US: Cisco CVE-2020-3239 (Multiple vulnerabilities in the REST API of Cisco UCS Director and Cis ...) NOT-FOR-US: Cisco CVE-2020-3238 (A vulnerability in the Cisco Application Framework component of the Ci ...) NOT-FOR-US: Cisco CVE-2020-3237 (A vulnerability in the Cisco Application Framework component of the Ci ...) NOT-FOR-US: Cisco CVE-2020-3236 (A vulnerability in the CLI of Cisco Enterprise NFV Infrastructure Soft ...) NOT-FOR-US: Cisco CVE-2020-3235 (A vulnerability in the Simple Network Management Protocol (SNMP) subsy ...) NOT-FOR-US: Cisco CVE-2020-3234 (A vulnerability in the virtual console authentication of Cisco IOS Sof ...) NOT-FOR-US: Cisco CVE-2020-3233 (A vulnerability in the web-based Local Manager interface of the Cisco ...) NOT-FOR-US: Cisco CVE-2020-3232 (A vulnerability in the Simple Network Management Protocol (SNMP) imple ...) NOT-FOR-US: Cisco CVE-2020-3231 (A vulnerability in the 802.1X feature of Cisco Catalyst 2960-L Series ...) NOT-FOR-US: Cisco CVE-2020-3230 (A vulnerability in the Internet Key Exchange Version 2 (IKEv2) impleme ...) NOT-FOR-US: Cisco CVE-2020-3229 (A vulnerability in Role Based Access Control (RBAC) functionality of C ...) NOT-FOR-US: Cisco CVE-2020-3228 (A vulnerability in Security Group Tag Exchange Protocol (SXP) in Cisco ...) NOT-FOR-US: Cisco CVE-2020-3227 (A vulnerability in the authorization controls for the Cisco IOx applic ...) NOT-FOR-US: Cisco CVE-2020-3226 (A vulnerability in the Session Initiation Protocol (SIP) library of Ci ...) NOT-FOR-US: Cisco CVE-2020-3225 (Multiple vulnerabilities in the implementation of the Common Industria ...) NOT-FOR-US: Cisco CVE-2020-3224 (A vulnerability in the web-based user interface (web UI) of Cisco IOS ...) NOT-FOR-US: Cisco CVE-2020-3223 (A vulnerability in the web-based user interface (web UI) of Cisco IOS ...) NOT-FOR-US: Cisco CVE-2020-3222 (A vulnerability in the web-based user interface (web UI) of Cisco IOS ...) NOT-FOR-US: Cisco CVE-2020-3221 (A vulnerability in the Flexible NetFlow Version 9 packet processor of ...) NOT-FOR-US: Cisco CVE-2020-3220 (A vulnerability in the hardware crypto driver of Cisco IOS XE Software ...) NOT-FOR-US: Cisco CVE-2020-3219 (A vulnerability in the web UI of Cisco IOS XE Software could allow an ...) NOT-FOR-US: Cisco CVE-2020-3218 (A vulnerability in the web UI of Cisco IOS XE Software could allow an ...) NOT-FOR-US: Cisco CVE-2020-3217 (A vulnerability in the Topology Discovery Service of Cisco One Platfor ...) NOT-FOR-US: Cisco CVE-2020-3216 (A vulnerability in Cisco IOS XE SD-WAN Software could allow an unauthe ...) NOT-FOR-US: Cisco CVE-2020-3215 (A vulnerability in the Virtual Services Container of Cisco IOS XE Soft ...) NOT-FOR-US: Cisco CVE-2020-3214 (A vulnerability in Cisco IOS XE Software could allow an authenticated, ...) NOT-FOR-US: Cisco CVE-2020-3213 (A vulnerability in the ROMMON of Cisco IOS XE Software could allow an ...) NOT-FOR-US: Cisco CVE-2020-3212 (A vulnerability in the web UI of Cisco IOS XE Software could allow an ...) NOT-FOR-US: Cisco CVE-2020-3211 (A vulnerability in the web UI of Cisco IOS XE Software could allow an ...) NOT-FOR-US: Cisco CVE-2020-3210 (A vulnerability in the CLI parsers of Cisco IOS Software for Cisco 809 ...) NOT-FOR-US: Cisco CVE-2020-3209 (A vulnerability in software image verification in Cisco IOS XE Softwar ...) NOT-FOR-US: Cisco CVE-2020-3208 (A vulnerability in the image verification feature of Cisco IOS Softwar ...) NOT-FOR-US: Cisco CVE-2020-3207 (A vulnerability in the processing of boot options of specific Cisco IO ...) NOT-FOR-US: Cisco CVE-2020-3206 (A vulnerability in the handling of IEEE 802.11w Protected Management F ...) NOT-FOR-US: Cisco CVE-2020-3205 (A vulnerability in the implementation of the inter-VM channel of Cisco ...) NOT-FOR-US: Cisco CVE-2020-3204 (A vulnerability in the Tool Command Language (Tcl) interpreter of Cisc ...) NOT-FOR-US: Cisco CVE-2020-3203 (A vulnerability in the locally significant certificate (LSC) provision ...) NOT-FOR-US: Cisco CVE-2020-3202 RESERVED CVE-2020-3201 (A vulnerability in the Tool Command Language (Tcl) interpreter of Cisc ...) NOT-FOR-US: Cisco CVE-2020-3200 (A vulnerability in the Secure Shell (SSH) server code of Cisco IOS Sof ...) NOT-FOR-US: Cisco CVE-2020-3199 (Multiple vulnerabilities in the Cisco IOx application environment of C ...) NOT-FOR-US: Cisco CVE-2020-3198 (Multiple vulnerabilities in Cisco IOS Software for Cisco 809 and 829 I ...) NOT-FOR-US: Cisco CVE-2020-3197 RESERVED CVE-2020-3196 (A vulnerability in the Secure Sockets Layer (SSL)/Transport Layer Secu ...) NOT-FOR-US: Cisco CVE-2020-3195 (A vulnerability in the Open Shortest Path First (OSPF) implementation ...) NOT-FOR-US: Cisco CVE-2020-3194 (A vulnerability in Cisco Webex Network Recording Player for Microsoft ...) NOT-FOR-US: Cisco CVE-2020-3193 (A vulnerability in the web-based management interface of Cisco Prime C ...) NOT-FOR-US: Cisco CVE-2020-3192 (A vulnerability in the web-based management interface of Cisco Prime C ...) NOT-FOR-US: Cisco CVE-2020-3191 (A vulnerability in DNS over IPv6 packet processing for Cisco Adaptive ...) NOT-FOR-US: Cisco CVE-2020-3190 (A vulnerability in the IPsec packet processor of Cisco IOS XR Software ...) NOT-FOR-US: Cisco CVE-2020-3189 (A vulnerability in the VPN System Logging functionality for Cisco Fire ...) NOT-FOR-US: Cisco CVE-2020-3188 (A vulnerability in how Cisco Firepower Threat Defense (FTD) Software h ...) NOT-FOR-US: Cisco CVE-2020-3187 (A vulnerability in the web services interface of Cisco Adaptive Securi ...) NOT-FOR-US: Cisco CVE-2020-3186 (A vulnerability in the management access list configuration of Cisco F ...) NOT-FOR-US: Cisco CVE-2020-3185 (A vulnerability in the web-based management interface of Cisco TelePre ...) NOT-FOR-US: Cisco CVE-2020-3184 (A vulnerability in the web-based management interface of Cisco Prime C ...) NOT-FOR-US: Cisco CVE-2020-3183 RESERVED CVE-2020-3182 (A vulnerability in the multicast DNS (mDNS) protocol configuration of ...) NOT-FOR-US: Cisco CVE-2020-3181 (A vulnerability in the malware detection functionality in Cisco Advanc ...) NOT-FOR-US: Cisco CVE-2020-3180 RESERVED CVE-2020-3179 (A vulnerability in the generic routing encapsulation (GRE) tunnel deca ...) NOT-FOR-US: Cisco CVE-2020-3178 (Multiple vulnerabilities in the web-based GUI of Cisco AsyncOS Softwar ...) NOT-FOR-US: Cisco CVE-2020-3177 (A vulnerability in the Tool for Auto-Registered Phones Support (TAPS) ...) NOT-FOR-US: Cisco CVE-2020-3176 (A vulnerability in Cisco Remote PHY Device Software could allow an aut ...) NOT-FOR-US: Cisco CVE-2020-3175 (A vulnerability in the resource handling system of Cisco NX-OS Softwar ...) NOT-FOR-US: Cisco CVE-2020-3174 (A vulnerability in the anycast gateway feature of Cisco NX-OS Software ...) NOT-FOR-US: Cisco CVE-2020-3173 (A vulnerability in the local management (local-mgmt) CLI of Cisco UCS ...) NOT-FOR-US: Cisco CVE-2020-3172 (A vulnerability in the Cisco Discovery Protocol feature of Cisco FXOS ...) NOT-FOR-US: Cisco CVE-2020-3171 (A vulnerability in the local management (local-mgmt) CLI of Cisco FXOS ...) NOT-FOR-US: Cisco CVE-2020-3170 (A vulnerability in the NX-API feature of Cisco NX-OS Software could al ...) NOT-FOR-US: Cisco CVE-2020-3169 (A vulnerability in the CLI of Cisco FXOS Software could allow an authe ...) NOT-FOR-US: Cisco CVE-2020-3168 (A vulnerability in the Secure Login Enhancements capability of Cisco N ...) NOT-FOR-US: Cisco CVE-2020-3167 (A vulnerability in the CLI of Cisco FXOS Software and Cisco UCS Manage ...) NOT-FOR-US: Cisco CVE-2020-3166 (A vulnerability in the CLI of Cisco FXOS Software could allow an authe ...) NOT-FOR-US: Cisco CVE-2020-3165 (A vulnerability in the implementation of Border Gateway Protocol (BGP) ...) NOT-FOR-US: Cisco CVE-2020-3164 (A vulnerability in the web-based management interface of Cisco AsyncOS ...) NOT-FOR-US: Cisco CVE-2020-3163 (A vulnerability in the Live Data server of Cisco Unified Contact Cente ...) NOT-FOR-US: Cisco CVE-2020-3162 (A vulnerability in the Constrained Application Protocol (CoAP) impleme ...) NOT-FOR-US: Cisco CVE-2020-3161 (A vulnerability in the web server for Cisco IP Phones could allow an u ...) NOT-FOR-US: Cisco CVE-2020-3160 (A vulnerability in the Extensible Messaging and Presence Protocol (XMP ...) NOT-FOR-US: Cisco CVE-2020-3159 (A vulnerability in the web-based management interface of Cisco Finesse ...) NOT-FOR-US: Cisco CVE-2020-3158 (A vulnerability in the High Availability (HA) service of Cisco Smart S ...) NOT-FOR-US: Cisco CVE-2020-3157 (A vulnerability in the web-based management interface of Cisco Identit ...) NOT-FOR-US: Cisco CVE-2020-3156 (A vulnerability in the logging component of Cisco Identity Services En ...) NOT-FOR-US: Cisco CVE-2020-3155 (A vulnerability in the SSL implementation of the Cisco Intelligent Pro ...) NOT-FOR-US: Cisco CVE-2020-3154 (A vulnerability in the web UI of Cisco Cloud Web Security (CWS) could ...) NOT-FOR-US: Cisco CVE-2020-3153 (A vulnerability in the installer component of Cisco AnyConnect Secure ...) NOT-FOR-US: Cisco CVE-2020-3152 RESERVED CVE-2020-3151 RESERVED CVE-2020-3150 RESERVED CVE-2020-3149 (A vulnerability in the web-based management interface of Cisco Identit ...) NOT-FOR-US: Cisco CVE-2020-3148 (A vulnerability in the web-based interface of Cisco Prime Network Regi ...) NOT-FOR-US: Cisco CVE-2020-3147 (A vulnerability in the web UI of Cisco Small Business Switches could a ...) NOT-FOR-US: Cisco CVE-2020-3146 RESERVED CVE-2020-3145 RESERVED CVE-2020-3144 RESERVED CVE-2020-3143 RESERVED CVE-2020-3142 (A vulnerability in Cisco Webex Meetings Suite sites and Cisco Webex Me ...) NOT-FOR-US: Cisco CVE-2020-3141 RESERVED CVE-2020-3140 RESERVED CVE-2020-3139 (A vulnerability in the out of band (OOB) management interface IP table ...) NOT-FOR-US: Cisco CVE-2020-3138 (A vulnerability in the upgrade component of Cisco Enterprise NFV Infra ...) NOT-FOR-US: Cisco CVE-2020-3137 RESERVED CVE-2020-3136 (A vulnerability in the web-based management interface of Cisco Jabber ...) NOT-FOR-US: Cisco CVE-2020-3135 RESERVED CVE-2020-3134 (A vulnerability in the zip decompression engine of Cisco AsyncOS Softw ...) NOT-FOR-US: Cisco CVE-2020-3133 RESERVED CVE-2020-3132 (A vulnerability in the email message scanning feature of Cisco AsyncOS ...) NOT-FOR-US: Cisco CVE-2020-3131 (A vulnerability in the Cisco Webex Teams client for Windows could allo ...) NOT-FOR-US: Cisco CVE-2020-3130 RESERVED CVE-2020-3129 (A vulnerability in the web-based management interface of Cisco Unity C ...) NOT-FOR-US: Cisco CVE-2020-3128 (Multiple vulnerabilities in Cisco Webex Network Recording Player for M ...) NOT-FOR-US: Cisco CVE-2020-3127 (Multiple vulnerabilities in Cisco Webex Network Recording Player for M ...) NOT-FOR-US: Cisco CVE-2020-3126 (vulnerability within the Multimedia Viewer feature of Cisco Webex Meet ...) NOT-FOR-US: Cisco CVE-2020-3125 (A vulnerability in the Kerberos authentication feature of Cisco Adapti ...) NOT-FOR-US: Cisco CVE-2020-3124 RESERVED CVE-2020-3123 (A vulnerability in the Data-Loss-Prevention (DLP) module in Clam AntiV ...) - clamav 0.102.2+dfsg-1 (bug #950944) [buster] - clamav 0.102.2+dfsg-0+deb10u1 [stretch] - clamav (ClamAV is updated via -updates) [jessie] - clamav (Vulnerable code introduced in 0.102.x) NOTE: https://blog.clamav.net/2020/02/clamav-01022-security-patch-released.html CVE-2020-3122 RESERVED CVE-2020-3121 (A vulnerability in the web-based management interface of Cisco Small B ...) NOT-FOR-US: Cisco CVE-2020-3120 (A vulnerability in the Cisco Discovery Protocol implementation for Cis ...) NOT-FOR-US: Cisco CVE-2020-3119 (A vulnerability in the Cisco Discovery Protocol implementation for Cis ...) NOT-FOR-US: Cisco CVE-2020-3118 (A vulnerability in the Cisco Discovery Protocol implementation for Cis ...) NOT-FOR-US: Cisco CVE-2020-3117 RESERVED CVE-2020-3116 RESERVED CVE-2020-3115 (A vulnerability in the CLI of the Cisco SD-WAN Solution vManage softwa ...) NOT-FOR-US: Cisco CVE-2020-3114 (A vulnerability in the web-based management interface of Cisco Data Ce ...) NOT-FOR-US: Cisco CVE-2020-3113 (A vulnerability in the web-based management interface of Cisco Data Ce ...) NOT-FOR-US: Cisco CVE-2020-3112 (A vulnerability in the REST API endpoint of Cisco Data Center Network ...) NOT-FOR-US: Cisco CVE-2020-3111 (A vulnerability in the Cisco Discovery Protocol implementation for the ...) NOT-FOR-US: Cisco CVE-2020-3110 (A vulnerability in the Cisco Discovery Protocol implementation for the ...) NOT-FOR-US: Cisco CVE-2019-19770 (** DISPUTED ** In the Linux kernel 4.19.83, there is a use-after-free ...) - linux NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=205713 CVE-2019-19769 (In the Linux kernel 5.3.10, there is a use-after-free (read) in the pe ...) - linux 5.5.13-1 [buster] - linux (Vulnerable code not present) [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=205705 NOTE: https://git.kernel.org/linus/6d390e4b5d48ec03bb87e63cf0a2bff5f4e116da CVE-2019-19768 (In the Linux kernel 5.4.0-rc2, there is a use-after-free (read) in the ...) {DSA-4698-1 DLA-2242-1 DLA-2241-1} - linux 5.5.13-1 [buster] - linux 4.19.118-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=205711 CVE-2019-19767 (The Linux kernel before 5.4.2 mishandles ext4_expand_extra_isize, as d ...) {DLA-2114-1 DLA-2068-1} - linux 5.3.15-1 [buster] - linux 4.19.98-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/4ea99936a1630f51fc3a2d61a58ec4a1c4b7d55a CVE-2019-19766 (The Bitwarden server through 1.32.0 has a potentially unwanted KDF. ...) NOT-FOR-US: Bitwarden server CVE-2019-19765 REJECTED CVE-2019-19764 REJECTED CVE-2019-19763 REJECTED CVE-2019-19762 REJECTED CVE-2019-19761 RESERVED CVE-2019-19760 RESERVED CVE-2019-19759 RESERVED CVE-2019-19758 (A vulnerability in the web interface of Lenovo EZ Media & Backup C ...) NOT-FOR-US: Lenovo CVE-2019-19757 (An internal product security audit of Lenovo XClarity Administrator (L ...) NOT-FOR-US: Lenovo CVE-2019-19756 (An internal product security audit of Lenovo XClarity Administrator (L ...) NOT-FOR-US: Lenovo CVE-2019-19755 RESERVED CVE-2019-19754 RESERVED CVE-2019-19753 RESERVED CVE-2019-19752 RESERVED CVE-2019-19751 RESERVED CVE-2019-19750 (minerstat msOS before 2019-10-23 does not have a unique SSH key for ea ...) NOT-FOR-US: minerstat msOS CVE-2019-19749 RESERVED CVE-2019-19748 (The Work Time Calendar app before 4.7.1 for Jira allows XSS. ...) NOT-FOR-US: Work Time Calendar app for Jira CVE-2019-19747 (NeuVector 3.1 when configured to allow authentication via Active Direc ...) NOT-FOR-US: NeuVector CVE-2019-19746 (make_arrow in arrow.c in Xfig fig2dev 3.2.7b allows a segmentation fau ...) - fig2dev 1:3.2.7b-3 (unimportant; bug #946628) [buster] - fig2dev 1:3.2.7a-5+deb10u3 - transfig (unimportant) NOTE: https://sourceforge.net/p/mcj/tickets/57/ NOTE: https://sourceforge.net/p/mcj/fig2dev/ci/3065abc7b4f740ed6532322843531317de782a26/ CVE-2019-19745 (Contao 4.0 through 4.8.5 allows PHP local file inclusion. A back end u ...) NOT-FOR-US: Contao CVE-2019-19744 RESERVED CVE-2019-19743 (On D-Link DIR-615 devices, a normal user is able to create a root(admi ...) NOT-FOR-US: D-Link CVE-2019-19742 (On D-Link DIR-615 devices, the User Account Configuration page is vuln ...) NOT-FOR-US: D-Link CVE-2019-19741 (Electronic Arts Origin 10.5.55.33574 is vulnerable to local privilege ...) NOT-FOR-US: Electronic Arts Origin CVE-2019-19740 (Octeth Oempro 4.7 and 4.8 allow SQL injection. The parameter CampaignI ...) NOT-FOR-US: Octeth Oempro CVE-2019-19739 (MFScripts YetiShare 3.5.2 through 4.5.3 does not set the Secure flag o ...) NOT-FOR-US: MFScripts YetiShare CVE-2019-19738 (log_file_viewer.php in MFScripts YetiShare 3.5.2 through 4.5.3 does no ...) NOT-FOR-US: MFScripts YetiShare CVE-2019-19737 (MFScripts YetiShare 3.5.2 through 4.5.3 does not set the SameSite flag ...) NOT-FOR-US: MFScripts YetiShare CVE-2019-19736 (MFScripts YetiShare 3.5.2 through 4.5.3 does not set the HttpOnly flag ...) NOT-FOR-US: MFScripts YetiShare CVE-2019-19735 (class.userpeer.php in MFScripts YetiShare 3.5.2 through 4.5.3 uses an ...) NOT-FOR-US: MFScripts YetiShare CVE-2019-19734 (_account_move_file_in_folder.ajax.php in MFScripts YetiShare 3.5.2 dir ...) NOT-FOR-US: MFScripts YetiShare CVE-2019-19733 (_get_all_file_server_paths.ajax.php (aka get_all_file_server_paths.aja ...) NOT-FOR-US: MFScripts YetiShare CVE-2019-19732 (translation_manage_text.ajax.php and various *_manage.ajax.php in MFSc ...) NOT-FOR-US: MFScripts YetiShare CVE-2019-19731 (Roxy Fileman 1.4.5 for .NET is vulnerable to path traversal. A remote ...) NOT-FOR-US: Roxy Fileman CVE-2019-19730 RESERVED CVE-2019-19729 (An issue was discovered in the BSON ObjectID (aka bson-objectid) packa ...) NOT-FOR-US: bsjon-objectid node module CVE-2019-19728 (SchedMD Slurm before 18.08.9 and 19.x before 19.05.5 executes srun --u ...) - slurm-llnl 19.05.5-1 [buster] - slurm-llnl (Minor issue) [stretch] - slurm-llnl (Minor issue) [jessie] - slurm-llnl (Minor issue, fix introduces regression, upstream refuses access to bug tracker) NOTE: https://github.com/SchedMD/slurm/commit/5ac031b2ef5462f6e8e47dad0247bd474614c118 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1159692 NOTE: Fixed upstream in 18.08.9, 19.05.5 CVE-2019-19727 (SchedMD Slurm before 18.08.9 and 19.x before 19.05.5 has weak slurmdbd ...) - slurm-llnl 19.05.5-1 (unimportant) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1155784 NOTE: Fixed upstream in 18.08.9, 19.05.5 NOTE: The example file is installed as well in Debian as 0644 and slurmdbd.conf NOTE: not directly installed by the slurmdbd binary package. CVE-2017-18640 (The Alias feature in SnakeYAML 1.18 allows entity expansion during a l ...) - snakeyaml 1.25+ds-3 (bug #952683) [buster] - snakeyaml (Minor issue) [stretch] - snakeyaml (Minor issue) [jessie] - snakeyaml (unclear security impact) NOTE: https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion NOTE: Patch to introduce a configuration option to restrict aliases for NOTE: collections: NOTE: https://bitbucket.org/asomov/snakeyaml/commits/da11ddbd91c1f8392ea932b37fa48110fa54ed8c CVE-2019-19726 (OpenBSD through 6.6 allows local users to escalate to root because a c ...) NOT-FOR-US: OpenBSD CVE-2019-19725 (sysstat through 12.2.0 has a double free in check_file_actlst in sa_co ...) - sysstat 12.2.0-2 (unimportant; bug #946657) [stretch] - sysstat (Vulnerable code introduced in v11.7.1) [jessie] - sysstat (Vulnerable code introduced in v11.7.1) NOTE: https://github.com/sysstat/sysstat/issues/242 NOTE: https://github.com/sysstat/sysstat/commit/a5c8abd4a481ee6e27a3acf00e6d9b0f023e20ed NOTE: Crash in CLI tool, no security impact CVE-2019-19724 (Insecure permissions (777) are set on $HOME/.singularity when it is ne ...) - singularity-container 3.5.2+ds1-1 NOTE: https://github.com/sylabs/singularity/commit/2cda4981812c29f0fb11d3ea6aaf6139f665a631 CVE-2019-19723 RESERVED CVE-2019-19722 (In Dovecot before 2.3.9.2, an attacker can crash a push-notification d ...) - dovecot (Only affects 2.3.9) NOTE: https://www.openwall.com/lists/oss-security/2019/12/13/2 NOTE: https://github.com/dovecot/core/commit/1307766b6f5d97341a47376657d342bcefd10f1b NOTE: https://github.com/dovecot/core/commit/393a8cabf4dad893bf2ec60bf96cfde7a0c58432 CVE-2019-19721 (An off-by-one error in the DecodeBlock function in codec/sdl_image.c i ...) {DSA-4671-1} - vlc 3.0.9.2-1 [jessie] - vlc (https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: https://git.videolan.org/?p=vlc/vlc-3.0.git;a=commit;h=72afe7ebd8305bf4f5360293b8621cde52ec506b (3.0.9) CVE-2020-3109 RESERVED CVE-2020-3108 RESERVED CVE-2020-3107 RESERVED CVE-2020-3106 RESERVED CVE-2020-3105 RESERVED CVE-2020-3104 RESERVED CVE-2020-3103 RESERVED CVE-2020-3102 RESERVED CVE-2020-3101 RESERVED CVE-2020-3100 RESERVED CVE-2020-3099 RESERVED CVE-2020-3098 RESERVED CVE-2020-3097 RESERVED CVE-2020-3096 RESERVED CVE-2020-3095 RESERVED CVE-2020-3094 RESERVED CVE-2020-3093 RESERVED CVE-2020-3092 RESERVED CVE-2020-3091 RESERVED CVE-2020-3090 RESERVED CVE-2020-3089 RESERVED CVE-2020-3088 RESERVED CVE-2020-3087 RESERVED CVE-2020-3086 RESERVED CVE-2020-3085 RESERVED CVE-2020-3084 RESERVED CVE-2020-3083 RESERVED CVE-2020-3082 RESERVED CVE-2020-3081 RESERVED CVE-2020-3080 RESERVED CVE-2020-3079 RESERVED CVE-2020-3078 RESERVED CVE-2020-3077 RESERVED CVE-2020-3076 RESERVED CVE-2020-3075 RESERVED CVE-2020-3074 RESERVED CVE-2020-3073 RESERVED CVE-2020-3072 RESERVED CVE-2020-3071 RESERVED CVE-2020-3070 RESERVED CVE-2020-3069 RESERVED CVE-2020-3068 RESERVED CVE-2020-3067 RESERVED CVE-2020-3066 RESERVED CVE-2020-3065 RESERVED CVE-2020-3064 RESERVED CVE-2020-3063 RESERVED CVE-2020-3062 RESERVED CVE-2020-3061 RESERVED CVE-2020-3060 RESERVED CVE-2020-3059 RESERVED CVE-2020-3058 RESERVED CVE-2020-3057 RESERVED CVE-2020-3056 RESERVED CVE-2020-3055 RESERVED CVE-2020-3054 RESERVED CVE-2020-3053 RESERVED CVE-2020-3052 RESERVED CVE-2020-3051 RESERVED CVE-2020-3050 RESERVED CVE-2020-3049 RESERVED CVE-2020-3048 RESERVED CVE-2020-3047 RESERVED CVE-2020-3046 RESERVED CVE-2020-3045 RESERVED CVE-2020-3044 RESERVED CVE-2020-3043 RESERVED CVE-2020-3042 RESERVED CVE-2020-3041 RESERVED CVE-2020-3040 RESERVED CVE-2020-3039 RESERVED CVE-2020-3038 RESERVED CVE-2020-3037 RESERVED CVE-2020-3036 RESERVED CVE-2020-3035 RESERVED CVE-2020-3034 RESERVED CVE-2020-3033 RESERVED CVE-2020-3032 RESERVED CVE-2020-3031 RESERVED CVE-2020-3030 RESERVED CVE-2020-3029 RESERVED CVE-2020-3028 RESERVED CVE-2020-3027 RESERVED CVE-2020-3026 RESERVED CVE-2020-3025 RESERVED CVE-2020-3024 RESERVED CVE-2020-3023 RESERVED CVE-2020-3022 RESERVED CVE-2020-3021 RESERVED CVE-2020-3020 RESERVED CVE-2020-3019 RESERVED CVE-2020-3018 RESERVED CVE-2020-3017 RESERVED CVE-2020-3016 RESERVED CVE-2020-3015 RESERVED CVE-2020-3014 RESERVED CVE-2020-3013 RESERVED CVE-2020-3012 RESERVED CVE-2020-3011 RESERVED CVE-2020-3010 RESERVED CVE-2020-3009 RESERVED CVE-2020-3008 RESERVED CVE-2020-3007 RESERVED CVE-2020-3006 RESERVED CVE-2020-3005 RESERVED CVE-2020-3004 RESERVED CVE-2020-3003 RESERVED CVE-2020-3002 RESERVED CVE-2020-3001 RESERVED CVE-2020-3000 RESERVED CVE-2020-2999 RESERVED CVE-2020-2998 RESERVED CVE-2020-2997 RESERVED CVE-2020-2996 RESERVED CVE-2020-2995 RESERVED CVE-2020-2994 RESERVED CVE-2020-2993 RESERVED CVE-2020-2992 RESERVED CVE-2020-2991 RESERVED CVE-2020-2990 RESERVED CVE-2020-2989 RESERVED CVE-2020-2988 RESERVED CVE-2020-2987 RESERVED CVE-2020-2986 RESERVED CVE-2020-2985 RESERVED CVE-2020-2984 RESERVED CVE-2020-2983 RESERVED CVE-2020-2982 RESERVED CVE-2020-2981 RESERVED CVE-2020-2980 RESERVED CVE-2020-2979 RESERVED CVE-2020-2978 RESERVED CVE-2020-2977 RESERVED CVE-2020-2976 RESERVED CVE-2020-2975 RESERVED CVE-2020-2974 RESERVED CVE-2020-2973 RESERVED CVE-2020-2972 RESERVED CVE-2020-2971 RESERVED CVE-2020-2970 RESERVED CVE-2020-2969 RESERVED CVE-2020-2968 RESERVED CVE-2020-2967 RESERVED CVE-2020-2966 RESERVED CVE-2020-2965 RESERVED CVE-2020-2964 (Vulnerability in the Oracle Financial Services Data Foundation product ...) NOT-FOR-US: Oracle CVE-2020-2963 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2020-2962 RESERVED CVE-2020-2961 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2960 RESERVED CVE-2020-2959 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2958 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2957 RESERVED CVE-2020-2956 (Vulnerability in the Oracle Human Resources product of Oracle E-Busine ...) NOT-FOR-US: Oracle CVE-2020-2955 (Vulnerability in the Oracle FLEXCUBE Core Banking product of Oracle Fi ...) NOT-FOR-US: Oracle CVE-2020-2954 (Vulnerability in the PeopleSoft Enterprise HRMS product of Oracle Peop ...) NOT-FOR-US: Oracle CVE-2020-2953 (Vulnerability in the Oracle Retail Customer Management and Segmentatio ...) NOT-FOR-US: Oracle CVE-2020-2952 (Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middl ...) NOT-FOR-US: Oracle CVE-2020-2951 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2950 (Vulnerability in the Oracle Business Intelligence Enterprise Edition p ...) NOT-FOR-US: Oracle CVE-2020-2949 (Vulnerability in the Oracle Coherence product of Oracle Fusion Middlew ...) NOT-FOR-US: Oracle CVE-2020-2948 RESERVED CVE-2020-2947 (Vulnerability in the PeopleSoft Enterprise HCM Absence Management prod ...) NOT-FOR-US: Oracle CVE-2020-2946 (Vulnerability in the Application Performance Management product of Ora ...) NOT-FOR-US: Oracle CVE-2020-2945 (Vulnerability in the Oracle Financial Services Deposit Insurance Calcu ...) NOT-FOR-US: Oracle CVE-2020-2944 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) NOT-FOR-US: Oracle Solaris CVE-2020-2943 (Vulnerability in the Oracle Financial Services Liquidity Risk Measurem ...) NOT-FOR-US: Oracle CVE-2020-2942 (Vulnerability in the Oracle Financial Services Price Creation and Disc ...) NOT-FOR-US: Oracle CVE-2020-2941 (Vulnerability in the Oracle Financial Services Funds Transfer Pricing ...) NOT-FOR-US: Oracle CVE-2020-2940 (Vulnerability in the Oracle Financial Services Profitability Managemen ...) NOT-FOR-US: Oracle CVE-2020-2939 (Vulnerability in the Oracle Financial Services Asset Liability Managem ...) NOT-FOR-US: Oracle CVE-2020-2938 (Vulnerability in the Oracle Financial Services Loan Loss Forecasting a ...) NOT-FOR-US: Oracle CVE-2020-2937 (Vulnerability in the Oracle Insurance Accounting Analyzer product of O ...) NOT-FOR-US: Oracle CVE-2020-2936 (Vulnerability in the Oracle Financial Services Balance Sheet Planning ...) NOT-FOR-US: Oracle CVE-2020-2935 (Vulnerability in the Oracle Financial Services Hedge Management and IF ...) NOT-FOR-US: Oracle CVE-2020-2934 (Vulnerability in the MySQL Connectors product of Oracle MySQL (compone ...) {DSA-4703-1 DLA-2245-1} - mysql-connector-java NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2933 (Vulnerability in the MySQL Connectors product of Oracle MySQL (compone ...) {DSA-4703-1 DLA-2245-1} - mysql-connector-java NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2932 (Vulnerability in the Oracle Knowledge product of Oracle Knowledge (com ...) NOT-FOR-US: Oracle CVE-2020-2931 (Vulnerability in the Oracle Knowledge product of Oracle Knowledge (com ...) NOT-FOR-US: Oracle CVE-2020-2930 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2929 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2928 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2927 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) NOT-FOR-US: Oracle CVE-2020-2926 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2925 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2924 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2923 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2922 (Vulnerability in the MySQL Client product of Oracle MySQL (component: ...) - mysql-5.7 (bug #956832) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2921 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2920 (Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain ( ...) NOT-FOR-US: Oracle CVE-2020-2919 RESERVED CVE-2020-2918 RESERVED CVE-2020-2917 RESERVED CVE-2020-2916 RESERVED CVE-2020-2915 (Vulnerability in the Oracle Coherence product of Oracle Fusion Middlew ...) NOT-FOR-US: Oracle CVE-2020-2914 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2913 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2912 (Vulnerability in the PeopleSoft Enterprise CS Campus Community product ...) NOT-FOR-US: Oracle CVE-2020-2911 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2910 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2909 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2908 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2907 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2906 (Vulnerability in the PeopleSoft Enterprise SCM Purchasing product of O ...) NOT-FOR-US: Oracle CVE-2020-2905 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2904 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2903 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2902 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2901 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2900 (Vulnerability in the Oracle GraalVM Enterprise Edition product of Orac ...) NOT-FOR-US: Oracle CVE-2020-2899 (Vulnerability in the PeopleSoft Enterprise SCM Purchasing product of O ...) NOT-FOR-US: Oracle CVE-2020-2898 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2897 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2896 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2895 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2894 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2893 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2892 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2891 (Vulnerability in the Oracle Financial Services Liquidity Risk Manageme ...) NOT-FOR-US: Oracle CVE-2020-2890 (Vulnerability in the Oracle Applications Framework product of Oracle E ...) NOT-FOR-US: Oracle CVE-2020-2889 (Vulnerability in the Oracle CRM Technical Foundation product of Oracle ...) NOT-FOR-US: Oracle CVE-2020-2888 (Vulnerability in the Oracle Marketing product of Oracle E-Business Sui ...) NOT-FOR-US: Oracle CVE-2020-2887 (Vulnerability in the Oracle Customer Interaction History product of Or ...) NOT-FOR-US: Oracle CVE-2020-2886 (Vulnerability in the Oracle CRM Technical Foundation product of Oracle ...) NOT-FOR-US: Oracle CVE-2020-2885 (Vulnerability in the Oracle Document Management and Collaboration prod ...) NOT-FOR-US: Oracle CVE-2020-2884 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2020-2883 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2020-2882 (Vulnerability in the Oracle Human Resources product of Oracle E-Busine ...) NOT-FOR-US: Oracle CVE-2020-2881 (Vulnerability in the Oracle CRM Technical Foundation product of Oracle ...) NOT-FOR-US: Oracle CVE-2020-2880 (Vulnerability in the Oracle Learning Management product of Oracle E-Bu ...) NOT-FOR-US: Oracle CVE-2020-2879 (Vulnerability in the Oracle Scripting product of Oracle E-Business Sui ...) NOT-FOR-US: Oracle CVE-2020-2878 (Vulnerability in the Oracle iSupport product of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2020-2877 (Vulnerability in the Oracle Partner Management product of Oracle E-Bus ...) NOT-FOR-US: Oracle CVE-2020-2876 (Vulnerability in the Oracle Marketing product of Oracle E-Business Sui ...) NOT-FOR-US: Oracle CVE-2020-2875 (Vulnerability in the MySQL Connectors product of Oracle MySQL (compone ...) {DSA-4703-1 DLA-2245-1} - mysql-connector-java NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2874 (Vulnerability in the Oracle Email Center product of Oracle E-Business ...) NOT-FOR-US: Oracle CVE-2020-2873 (Vulnerability in the Oracle Customer Interaction History product of Or ...) NOT-FOR-US: Oracle CVE-2020-2872 (Vulnerability in the Oracle iSupport product of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2020-2871 (Vulnerability in the Oracle Advanced Outbound Telephony product of Ora ...) NOT-FOR-US: Oracle CVE-2020-2870 (Vulnerability in the Oracle One-to-One Fulfillment product of Oracle E ...) NOT-FOR-US: Oracle CVE-2020-2869 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2020-2868 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2020-2867 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2020-2866 (Vulnerability in the Oracle Applications Framework product of Oracle E ...) NOT-FOR-US: Oracle CVE-2020-2865 (Vulnerability in the Oracle Configurator product of Oracle Supply Chai ...) NOT-FOR-US: Oracle CVE-2020-2864 (Vulnerability in the Oracle iSupplier Portal product of Oracle E-Busin ...) NOT-FOR-US: Oracle CVE-2020-2863 (Vulnerability in the Oracle Advanced Outbound Telephony product of Ora ...) NOT-FOR-US: Oracle CVE-2020-2862 (Vulnerability in the Oracle One-to-One Fulfillment product of Oracle E ...) NOT-FOR-US: Oracle CVE-2020-2861 (Vulnerability in the Oracle Marketing product of Oracle E-Business Sui ...) NOT-FOR-US: Oracle CVE-2020-2860 (Vulnerability in the Oracle Marketing product of Oracle E-Business Sui ...) NOT-FOR-US: Oracle CVE-2020-2859 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2020-2858 (Vulnerability in the Oracle Marketing product of Oracle E-Business Sui ...) NOT-FOR-US: Oracle CVE-2020-2857 (Vulnerability in the Oracle Advanced Outbound Telephony product of Ora ...) NOT-FOR-US: Oracle CVE-2020-2856 (Vulnerability in the Oracle Advanced Outbound Telephony product of Ora ...) NOT-FOR-US: Oracle CVE-2020-2855 (Vulnerability in the Oracle iSupport product of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2020-2854 (Vulnerability in the Oracle Advanced Outbound Telephony product of Ora ...) NOT-FOR-US: Oracle CVE-2020-2853 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2852 (Vulnerability in the Oracle Advanced Outbound Telephony product of Ora ...) NOT-FOR-US: Oracle CVE-2020-2851 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) NOT-FOR-US: Oracle Solaris CVE-2020-2850 (Vulnerability in the Oracle Depot Repair product of Oracle E-Business ...) NOT-FOR-US: Oracle CVE-2020-2849 (Vulnerability in the Oracle Depot Repair product of Oracle E-Business ...) NOT-FOR-US: Oracle CVE-2020-2848 (Vulnerability in the Oracle Depot Repair product of Oracle E-Business ...) NOT-FOR-US: Oracle CVE-2020-2847 (Vulnerability in the Oracle Depot Repair product of Oracle E-Business ...) NOT-FOR-US: Oracle CVE-2020-2846 (Vulnerability in the Oracle Depot Repair product of Oracle E-Business ...) NOT-FOR-US: Oracle CVE-2020-2845 (Vulnerability in the Oracle Depot Repair product of Oracle E-Business ...) NOT-FOR-US: Oracle CVE-2020-2844 (Vulnerability in the Oracle Depot Repair product of Oracle E-Business ...) NOT-FOR-US: Oracle CVE-2020-2843 (Vulnerability in the Oracle iSupport product of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2020-2842 (Vulnerability in the Oracle Depot Repair product of Oracle E-Business ...) NOT-FOR-US: Oracle CVE-2020-2841 (Vulnerability in the Oracle Knowledge Management product of Oracle E-B ...) NOT-FOR-US: Oracle CVE-2020-2840 (Vulnerability in the Oracle E-Business Intelligence product of Oracle ...) NOT-FOR-US: Oracle CVE-2020-2839 (Vulnerability in the Oracle Service Intelligence product of Oracle E-B ...) NOT-FOR-US: Oracle CVE-2020-2838 (Vulnerability in the Oracle CRM Gateway for Mobile Devices product of ...) NOT-FOR-US: Oracle CVE-2020-2837 (Vulnerability in the Oracle Marketing product of Oracle E-Business Sui ...) NOT-FOR-US: Oracle CVE-2020-2836 (Vulnerability in the Oracle Marketing product of Oracle E-Business Sui ...) NOT-FOR-US: Oracle CVE-2020-2835 (Vulnerability in the Oracle Marketing product of Oracle E-Business Sui ...) NOT-FOR-US: Oracle CVE-2020-2834 (Vulnerability in the Oracle Marketing product of Oracle E-Business Sui ...) NOT-FOR-US: Oracle CVE-2020-2833 (Vulnerability in the Oracle Quoting product of Oracle E-Business Suite ...) NOT-FOR-US: Oracle CVE-2020-2832 (Vulnerability in the Oracle One-to-One Fulfillment product of Oracle E ...) NOT-FOR-US: Oracle CVE-2020-2831 (Vulnerability in the Oracle Marketing product of Oracle E-Business Sui ...) NOT-FOR-US: Oracle CVE-2020-2830 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DSA-4668-1 DSA-4662-1 DLA-2193-1} - openjdk-14 14.0.1+7-1 - openjdk-11 11.0.7+10-1 - openjdk-8 8u252-b09-1 - openjdk-7 CVE-2020-2829 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2020-2828 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2020-2827 (Vulnerability in the Oracle One-to-One Fulfillment product of Oracle E ...) NOT-FOR-US: Oracle CVE-2020-2826 (Vulnerability in the Oracle One-to-One Fulfillment product of Oracle E ...) NOT-FOR-US: Oracle CVE-2020-2825 (Vulnerability in the Oracle One-to-One Fulfillment product of Oracle E ...) NOT-FOR-US: Oracle CVE-2020-2824 (Vulnerability in the Oracle One-to-One Fulfillment product of Oracle E ...) NOT-FOR-US: Oracle CVE-2020-2823 (Vulnerability in the Oracle Common Applications Calendar product of Or ...) NOT-FOR-US: Oracle CVE-2020-2822 (Vulnerability in the Oracle Trade Management product of Oracle E-Busin ...) NOT-FOR-US: Oracle CVE-2020-2821 (Vulnerability in the Oracle Trade Management product of Oracle E-Busin ...) NOT-FOR-US: Oracle CVE-2020-2820 (Vulnerability in the Oracle Common Applications Calendar product of Or ...) NOT-FOR-US: Oracle CVE-2020-2819 (Vulnerability in the Oracle Universal Work Queue product of Oracle E-B ...) NOT-FOR-US: Oracle CVE-2020-2818 (Vulnerability in the Oracle Universal Work Queue product of Oracle E-B ...) NOT-FOR-US: Oracle CVE-2020-2817 (Vulnerability in the Oracle Scripting product of Oracle E-Business Sui ...) NOT-FOR-US: Oracle CVE-2020-2816 (Vulnerability in the Java SE product of Oracle Java SE (component: JSS ...) {DSA-4662-1} - openjdk-14 14.0.1+7-1 - openjdk-11 11.0.7+10-1 CVE-2020-2815 (Vulnerability in the Oracle iSupport product of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2020-2814 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mariadb-10.3 1:10.3.23-1 (bug #961849) [buster] - mariadb-10.3 (Minor issue; will be fixed via point release) - mariadb-10.1 [stretch] - mariadb-10.1 (Will be fixed via point release) - mysql-5.7 (bug #956832) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL NOTE: Fixed in MariaDB 10.3.23, 10.1.45 CVE-2020-2813 (Vulnerability in the Oracle Email Center product of Oracle E-Business ...) NOT-FOR-US: Oracle CVE-2020-2812 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mariadb-10.3 1:10.3.23-1 (bug #961849) [buster] - mariadb-10.3 (Minor issue; will be fixed via point release) - mariadb-10.1 [stretch] - mariadb-10.1 (Will be fixed via point release) - mysql-5.7 (bug #956832) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL NOTE: Fixed in MariaDB 10.3.23, 10.1.45 CVE-2020-2811 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2020-2810 (Vulnerability in the Oracle iStore product of Oracle E-Business Suite ...) NOT-FOR-US: Oracle CVE-2020-2809 (Vulnerability in the Oracle E-Business Intelligence product of Oracle ...) NOT-FOR-US: Oracle CVE-2020-2808 (Vulnerability in the Oracle E-Business Intelligence product of Oracle ...) NOT-FOR-US: Oracle CVE-2020-2807 (Vulnerability in the Oracle Marketing Encyclopedia System product of O ...) NOT-FOR-US: Oracle CVE-2020-2806 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (bug #956832) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2805 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DSA-4668-1 DSA-4662-1 DLA-2193-1} - openjdk-14 14.0.1+7-1 - openjdk-11 11.0.7+10-1 - openjdk-8 8u252-b09-1 - openjdk-7 CVE-2020-2804 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (bug #956832) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2803 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DSA-4668-1 DSA-4662-1 DLA-2193-1} - openjdk-14 14.0.1+7-1 - openjdk-11 11.0.7+10-1 - openjdk-8 8u252-b09-1 - openjdk-7 CVE-2020-2802 (Vulnerability in the Oracle GraalVM Enterprise Edition product of Orac ...) NOT-FOR-US: Oracle CVE-2020-2801 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2020-2800 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DSA-4668-1 DSA-4662-1 DLA-2193-1} - openjdk-14 14.0.1+7-1 - openjdk-11 11.0.7+10-1 - openjdk-8 8u252-b09-1 - openjdk-7 CVE-2020-2799 (Vulnerability in the Oracle GraalVM Enterprise Edition product of Orac ...) NOT-FOR-US: Oracle CVE-2020-2798 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2020-2797 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2020-2796 (Vulnerability in the Oracle Email Center product of Oracle E-Business ...) NOT-FOR-US: Oracle CVE-2020-2795 (Vulnerability in the Oracle Knowledge product of Oracle Knowledge (com ...) NOT-FOR-US: Oracle CVE-2020-2794 (Vulnerability in the Oracle Email Center product of Oracle E-Business ...) NOT-FOR-US: Oracle CVE-2020-2793 (Vulnerability in the Oracle Financial Services Analytical Applications ...) NOT-FOR-US: Oracle CVE-2020-2792 RESERVED CVE-2020-2791 (Vulnerability in the Oracle Knowledge product of Oracle Knowledge (com ...) NOT-FOR-US: Oracle CVE-2020-2790 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (bug #956832) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2789 (Vulnerability in the Oracle iSupport product of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2020-2788 RESERVED CVE-2020-2787 (Vulnerability in the Oracle Outside In Technology product of Oracle Fu ...) NOT-FOR-US: Oracle CVE-2020-2786 (Vulnerability in the Oracle Outside In Technology product of Oracle Fu ...) NOT-FOR-US: Oracle CVE-2020-2785 (Vulnerability in the Oracle Outside In Technology product of Oracle Fu ...) NOT-FOR-US: Oracle CVE-2020-2784 (Vulnerability in the Oracle Outside In Technology product of Oracle Fu ...) NOT-FOR-US: Oracle CVE-2020-2783 (Vulnerability in the Oracle Outside In Technology product of Oracle Fu ...) NOT-FOR-US: Oracle CVE-2020-2782 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2020-2781 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DSA-4668-1 DSA-4662-1 DLA-2193-1} - openjdk-14 14.0.1+7-1 - openjdk-11 11.0.7+10-1 - openjdk-8 8u252-b09-1 - openjdk-7 CVE-2020-2780 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (bug #956832) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2779 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (MySQL 8 only) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2778 (Vulnerability in the Java SE product of Oracle Java SE (component: JSS ...) {DSA-4662-1} - openjdk-14 14.0.1+7-1 - openjdk-11 11.0.7+10-1 CVE-2020-2777 (Vulnerability in the Hyperion Financial Management product of Oracle H ...) NOT-FOR-US: Oracle CVE-2020-2776 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2020-2775 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2020-2774 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2773 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DSA-4668-1 DSA-4662-1 DLA-2193-1} - openjdk-14 14.0.1+7-1 - openjdk-11 11.0.7+10-1 - openjdk-8 8u252-b09-1 - openjdk-7 CVE-2020-2772 (Vulnerability in the Oracle Human Resources product of Oracle E-Busine ...) NOT-FOR-US: Oracle CVE-2020-2771 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) NOT-FOR-US: Oracle Solaris CVE-2020-2770 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2769 (Vulnerability in the Hyperion Financial Reporting product of Oracle Hy ...) NOT-FOR-US: Oracle CVE-2020-2768 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) - mysql-cluster (bug #833356) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2767 (Vulnerability in the Java SE product of Oracle Java SE (component: JSS ...) {DSA-4662-1} - openjdk-14 14.0.1+7-1 - openjdk-11 11.0.7+10-1 CVE-2020-2766 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2020-2765 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (bug #956832) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2764 (Vulnerability in the Java SE product of Oracle Java SE (component: Adv ...) NOT-FOR-US: Java Advanced Management Console CVE-2020-2763 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (bug #956832) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2762 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2761 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2760 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mariadb-10.3 1:10.3.23-1 (bug #961849) [buster] - mariadb-10.3 (Minor issue; will be fixed via point release) - mysql-5.7 (bug #956832) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL NOTE: Fixed in MariaDB 10.3.23 CVE-2020-2759 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL CVE-2020-2758 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2757 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DSA-4668-1 DSA-4662-1 DLA-2193-1} - openjdk-14 14.0.1+7-1 - openjdk-11 11.0.7+10-1 - openjdk-8 8u252-b09-1 - openjdk-7 CVE-2020-2756 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DSA-4668-1 DSA-4662-1 DLA-2193-1} - openjdk-14 14.0.1+7-1 - openjdk-11 11.0.7+10-1 - openjdk-8 8u252-b09-1 - openjdk-7 CVE-2020-2755 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DSA-4668-1 DSA-4662-1} - openjdk-14 14.0.1+7-1 - openjdk-11 11.0.7+10-1 - openjdk-8 8u252-b09-1 CVE-2020-2754 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DSA-4668-1 DSA-4662-1} - openjdk-14 14.0.1+7-1 - openjdk-11 11.0.7+10-1 - openjdk-8 8u252-b09-1 CVE-2020-2753 (Vulnerability in the Oracle Workflow product of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2020-2752 (Vulnerability in the MySQL Client product of Oracle MySQL (component: ...) - mariadb-10.3 1:10.3.23-1 (bug #961849) [buster] - mariadb-10.3 (Minor issue; will be fixed via point release) - mariadb-10.1 [stretch] - mariadb-10.1 (Will be fixed via point release) - mysql-5.7 (bug #956832) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL NOTE: Fixed in MariaDB 10.3.23, 10.1.45 CVE-2020-2751 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2020-2750 (Vulnerability in the Oracle General Ledger product of Oracle E-Busines ...) NOT-FOR-US: Oracle CVE-2020-2749 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) NOT-FOR-US: Oracle CVE-2020-2748 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2747 (Vulnerability in the Oracle Access Manager product of Oracle Fusion Mi ...) NOT-FOR-US: Oracle CVE-2020-2746 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...) NOT-FOR-US: Oracle CVE-2020-2745 (Vulnerability in the Oracle Access Manager product of Oracle Fusion Mi ...) NOT-FOR-US: Oracle CVE-2020-2744 (Vulnerability in the Oracle Transportation Management product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2743 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.2-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2742 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.2-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2741 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2740 (Vulnerability in the Oracle Access Manager product of Oracle Fusion Mi ...) NOT-FOR-US: Oracle CVE-2020-2739 (Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2020-2738 (Vulnerability in the Siebel UI Framework product of Oracle Siebel CRM ...) NOT-FOR-US: Oracle CVE-2020-2737 (Vulnerability in the Core RDBMS component of Oracle Database Server. S ...) NOT-FOR-US: Oracle CVE-2020-2736 RESERVED CVE-2020-2735 (Vulnerability in the Java VM component of Oracle Database Server. Supp ...) NOT-FOR-US: Oracle CVE-2020-2734 (Vulnerability in the RDBMS/Optimizer component of Oracle Database Serv ...) NOT-FOR-US: Oracle CVE-2020-2733 (Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle ...) NOT-FOR-US: Oracle CVE-2020-2732 (A flaw was discovered in the way that the KVM hypervisor handled instr ...) {DSA-4698-1 DSA-4667-1 DLA-2242-1 DLA-2241-1} - linux 5.5.13-1 NOTE: https://git.kernel.org/linus/07721feee46b4b248402133228235318199b05ec NOTE: https://git.kernel.org/linus/35a571346a94fb93b5b3b6a599675ef3384bc75c NOTE: https://git.kernel.org/linus/e71237d3ff1abf9f3388337cfebf53b96df2020d CVE-2020-2731 (Vulnerability in the Core RDBMS component of Oracle Database Server. S ...) NOT-FOR-US: Oracle CVE-2020-2730 (Vulnerability in the Oracle Financial Services Revenue Management and ...) NOT-FOR-US: Oracle CVE-2020-2729 (Vulnerability in the Identity Manager product of Oracle Fusion Middlew ...) NOT-FOR-US: Oracle CVE-2020-2728 (Vulnerability in the Identity Manager product of Oracle Fusion Middlew ...) NOT-FOR-US: Oracle CVE-2020-2727 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.2-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2726 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.2-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2725 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.2-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2724 (Vulnerability in the Oracle FLEXCUBE Investor Servicing product of Ora ...) NOT-FOR-US: Oracle CVE-2020-2723 (Vulnerability in the Oracle FLEXCUBE Investor Servicing product of Ora ...) NOT-FOR-US: Oracle CVE-2020-2722 (Vulnerability in the Oracle FLEXCUBE Investor Servicing product of Ora ...) NOT-FOR-US: Oracle CVE-2020-2721 (Vulnerability in the Oracle FLEXCUBE Investor Servicing product of Ora ...) NOT-FOR-US: Oracle CVE-2020-2720 (Vulnerability in the Oracle FLEXCUBE Investor Servicing product of Ora ...) NOT-FOR-US: Oracle CVE-2020-2719 (Vulnerability in the Oracle Banking Corporate Lending product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2718 (Vulnerability in the Oracle Banking Corporate Lending product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2717 (Vulnerability in the Oracle Banking Corporate Lending product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2716 (Vulnerability in the Oracle Banking Corporate Lending product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2715 (Vulnerability in the Oracle Banking Corporate Lending product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2714 (Vulnerability in the Oracle Banking Payments product of Oracle Financi ...) NOT-FOR-US: Oracle CVE-2020-2713 (Vulnerability in the Oracle Banking Payments product of Oracle Financi ...) NOT-FOR-US: Oracle CVE-2020-2712 (Vulnerability in the Oracle Banking Payments product of Oracle Financi ...) NOT-FOR-US: Oracle CVE-2020-2711 (Vulnerability in the Oracle Banking Payments product of Oracle Financi ...) NOT-FOR-US: Oracle CVE-2020-2710 (Vulnerability in the Oracle Banking Payments product of Oracle Financi ...) NOT-FOR-US: Oracle CVE-2020-2709 (Vulnerability in the Oracle iLearning product of Oracle iLearning (com ...) NOT-FOR-US: Oracle CVE-2020-2708 RESERVED CVE-2020-2707 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle CVE-2020-2706 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle CVE-2020-2705 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.2-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2704 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.2-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2703 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.2-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2702 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.2-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2701 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.2-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2700 (Vulnerability in the Oracle FLEXCUBE Universal Banking product of Orac ...) NOT-FOR-US: Oracle CVE-2020-2699 (Vulnerability in the Oracle FLEXCUBE Universal Banking product of Orac ...) NOT-FOR-US: Oracle CVE-2020-2698 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.2-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2697 (Vulnerability in the Oracle Hospitality Suites Management component of ...) NOT-FOR-US: Oracle CVE-2020-2696 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) NOT-FOR-US: Oracle CVE-2020-2695 (Vulnerability in the PeopleSoft Enterprise CC Common Application Objec ...) NOT-FOR-US: Oracle CVE-2020-2694 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (MySQL 8 only) NOTE: https://www.oracle.com/security-alerts/cpujan2020.html#AppendixMSQL CVE-2020-2693 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.2-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2692 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.2-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2691 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.2-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2690 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.2-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2689 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.2-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2688 (Vulnerability in the Oracle Financial Services Analytical Applications ...) NOT-FOR-US: Oracle CVE-2020-2687 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2020-2686 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) NOTE: https://www.oracle.com/security-alerts/cpujan2020.html#AppendixMSQL CVE-2020-2685 (Vulnerability in the Oracle FLEXCUBE Universal Banking product of Orac ...) NOT-FOR-US: Oracle CVE-2020-2684 (Vulnerability in the Oracle FLEXCUBE Universal Banking product of Orac ...) NOT-FOR-US: Oracle CVE-2020-2683 (Vulnerability in the Oracle FLEXCUBE Universal Banking product of Orac ...) NOT-FOR-US: Oracle CVE-2020-2682 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.2-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2681 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.2-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2680 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) NOT-FOR-US: Oracle CVE-2020-2679 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) NOTE: https://www.oracle.com/security-alerts/cpujan2020.html#AppendixMSQL CVE-2020-2678 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.2-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2677 (Vulnerability in the Oracle Hospitality OPERA 5 product of Oracle Hosp ...) NOT-FOR-US: Oracle CVE-2020-2676 (Vulnerability in the Oracle Hospitality OPERA 5 product of Oracle Hosp ...) NOT-FOR-US: Oracle CVE-2020-2675 (Vulnerability in the Oracle Hospitality OPERA 5 product of Oracle Hosp ...) NOT-FOR-US: Oracle CVE-2020-2674 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.2-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2673 (Vulnerability in the Oracle Application Testing Suite product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2672 (Vulnerability in the Oracle Email Center product of Oracle E-Business ...) NOT-FOR-US: Oracle CVE-2020-2671 (Vulnerability in the Oracle Email Center product of Oracle E-Business ...) NOT-FOR-US: Oracle CVE-2020-2670 (Vulnerability in the Oracle Email Center product of Oracle E-Business ...) NOT-FOR-US: Oracle CVE-2020-2669 (Vulnerability in the Oracle Email Center product of Oracle E-Business ...) NOT-FOR-US: Oracle CVE-2020-2668 (Vulnerability in the Oracle iSupport product of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2020-2667 (Vulnerability in the Oracle iSupport product of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2020-2666 (Vulnerability in the Oracle Applications Framework product of Oracle E ...) NOT-FOR-US: Oracle CVE-2020-2665 (Vulnerability in the Oracle iSupport product of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2020-2664 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) NOT-FOR-US: Oracle CVE-2020-2663 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2020-2662 (Vulnerability in the Oracle iSupport product of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2020-2661 (Vulnerability in the Oracle iSupport product of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2020-2660 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (bug #949994) NOTE: https://www.oracle.com/security-alerts/cpujan2020.html#AppendixMSQL CVE-2020-2659 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DSA-4621-1 DLA-2128-1} - openjdk-8 8u242-b08-1 - openjdk-7 CVE-2020-2658 (Vulnerability in the Oracle iSupport product of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2020-2657 (Vulnerability in the Oracle CRM Technical Foundation product of Oracle ...) NOT-FOR-US: Oracle CVE-2020-2656 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) NOT-FOR-US: Oracle CVE-2020-2655 (Vulnerability in the Java SE product of Oracle Java SE (component: JSS ...) {DSA-4605-1} - openjdk-13 13.0.2+8-1 - openjdk-11 11.0.6+10-1 CVE-2020-2654 (Vulnerability in the Java SE product of Oracle Java SE (component: Lib ...) {DSA-4621-1 DSA-4605-1 DLA-2128-1} - openjdk-13 13.0.2+8-1 - openjdk-11 11.0.6+10-1 - openjdk-8 8u242-b08-1 - openjdk-7 CVE-2020-2653 (Vulnerability in the Oracle CRM Technical Foundation product of Oracle ...) NOT-FOR-US: Oracle CVE-2020-2652 (Vulnerability in the Oracle CRM Technical Foundation product of Oracle ...) NOT-FOR-US: Oracle CVE-2020-2651 (Vulnerability in the Oracle CRM Technical Foundation product of Oracle ...) NOT-FOR-US: Oracle CVE-2020-2650 (Vulnerability in the Oracle Retail Customer Management and Segmentatio ...) NOT-FOR-US: Oracle CVE-2020-2649 (Vulnerability in the Oracle Retail Customer Management and Segmentatio ...) NOT-FOR-US: Oracle CVE-2020-2648 (Vulnerability in the Oracle Retail Customer Management and Segmentatio ...) NOT-FOR-US: Oracle CVE-2020-2647 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) NOT-FOR-US: Oracle CVE-2020-2646 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2645 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2644 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2643 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2642 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2641 (Vulnerability in the Enterprise Manager for Oracle Database product of ...) NOT-FOR-US: Oracle CVE-2020-2640 (Vulnerability in the Enterprise Manager for Oracle Database product of ...) NOT-FOR-US: Oracle CVE-2020-2639 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2638 (Vulnerability in the Enterprise Manager for Oracle Database product of ...) NOT-FOR-US: Oracle CVE-2020-2637 (Vulnerability in the Enterprise Manager for Oracle Database product of ...) NOT-FOR-US: Oracle CVE-2020-2636 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2635 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2634 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2633 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2632 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2631 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2630 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2629 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2628 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2627 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) NOTE: https://www.oracle.com/security-alerts/cpujan2020.html#AppendixMSQL CVE-2020-2626 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2625 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2624 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2623 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2622 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2621 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2620 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2619 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2618 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2617 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2616 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2615 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2614 (Vulnerability in the Enterprise Manager for Fusion Middleware product ...) NOT-FOR-US: Oracle CVE-2020-2613 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2612 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2611 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2610 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2609 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2608 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle CVE-2020-2607 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2020-2606 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2020-2605 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) NOT-FOR-US: Oracle CVE-2020-2604 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DSA-4621-1 DSA-4605-1 DLA-2128-1} - openjdk-13 13.0.2+8-1 - openjdk-11 11.0.6+10-1 - openjdk-8 8u242-b08-1 - openjdk-7 CVE-2020-2603 (Vulnerability in the Oracle Field Service product of Oracle E-Business ...) NOT-FOR-US: Oracle CVE-2020-2602 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2020-2601 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DSA-4621-1 DSA-4605-1 DLA-2128-1} - openjdk-13 13.0.2+8-1 - openjdk-11 11.0.6+10-1 - openjdk-8 8u242-b08-1 - openjdk-7 CVE-2020-2600 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2020-2599 (Vulnerability in the Oracle Hospitality Cruise Materials Management pr ...) NOT-FOR-US: Oracle CVE-2020-2598 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2020-2597 (Vulnerability in the Oracle One-to-One Fulfillment product of Oracle E ...) NOT-FOR-US: Oracle CVE-2020-2596 (Vulnerability in the Oracle CRM Technical Foundation product of Oracle ...) NOT-FOR-US: Oracle CVE-2020-2595 (Vulnerability in the Oracle GraalVM Enterprise Edition product of Orac ...) NOT-FOR-US: Oracle CVE-2020-2594 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle CVE-2020-2593 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DSA-4621-1 DSA-4605-1 DLA-2128-1} - openjdk-13 13.0.2+8-1 - openjdk-11 11.0.6+10-1 - openjdk-8 8u242-b08-1 - openjdk-7 CVE-2020-2592 (Vulnerability in the Oracle AutoVue product of Oracle Supply Chain (co ...) NOT-FOR-US: Oracle CVE-2020-2591 (Vulnerability in the Oracle Web Applications Desktop Integrator produc ...) NOT-FOR-US: Oracle CVE-2020-2590 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DSA-4621-1 DSA-4605-1 DLA-2128-1} - openjdk-13 13.0.2+8-1 - openjdk-11 11.0.6+10-1 - openjdk-8 8u242-b08-1 - openjdk-7 CVE-2020-2589 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (bug #949994) NOTE: https://www.oracle.com/security-alerts/cpujan2020.html#AppendixMSQL CVE-2020-2588 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (MySQL 8 only) NOTE: https://www.oracle.com/security-alerts/cpujan2020.html#AppendixMSQL CVE-2020-2587 (Vulnerability in the Oracle Human Resources product of Oracle E-Busine ...) NOT-FOR-US: Oracle CVE-2020-2586 (Vulnerability in the Oracle Human Resources product of Oracle E-Busine ...) NOT-FOR-US: Oracle CVE-2020-2585 (Vulnerability in the Java SE product of Oracle Java SE (component: Jav ...) - openjfx 11+26-1 [stretch] - openjfx (Minor issue) NOTE: This only affects JavaFX 8, so marking the first post 8 version as fixed CVE-2020-2584 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (bug #949994) NOTE: https://www.oracle.com/security-alerts/cpujan2020.html#AppendixMSQL CVE-2020-2583 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DSA-4621-1 DSA-4605-1 DLA-2128-1} - openjdk-13 13.0.2+8-1 - openjdk-11 11.0.6+10-1 - openjdk-8 8u242-b08-1 - openjdk-7 CVE-2020-2582 (Vulnerability in the Oracle iStore product of Oracle E-Business Suite ...) NOT-FOR-US: Oracle CVE-2020-2581 (Vulnerability in the Oracle GraalVM Enterprise Edition product of Orac ...) NOT-FOR-US: Oracle CVE-2020-2580 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (MySQL 8 only) NOTE: https://www.oracle.com/security-alerts/cpujan2020.html#AppendixMSQL CVE-2020-2579 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (bug #949994) NOTE: https://www.oracle.com/security-alerts/cpujan2020.html#AppendixMSQL CVE-2020-2578 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) NOT-FOR-US: Oracle CVE-2020-2577 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (bug #949994) NOTE: https://www.oracle.com/security-alerts/cpujan2020.html#AppendixMSQL CVE-2020-2576 (Vulnerability in the Oracle Outside In Technology product of Oracle Fu ...) NOT-FOR-US: Oracle CVE-2020-2575 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2020-2574 (Vulnerability in the MySQL Client product of Oracle MySQL (component: ...) - mysql-5.7 (bug #949994) - mariadb-10.3 1:10.3.22-1 [buster] - mariadb-10.3 1:10.3.22-0+deb10u1 - mariadb-10.1 [stretch] - mariadb-10.1 10.1.44-0+deb9u1 NOTE: https://www.oracle.com/security-alerts/cpujan2020.html#AppendixMSQL NOTE: Fixed in MariaDB: 5.5.67, 10.1.44, 10.2.31, 10.3.22, 10.4.12 CVE-2020-2573 (Vulnerability in the MySQL Client product of Oracle MySQL (component: ...) - mysql-5.7 (bug #949994) NOTE: https://www.oracle.com/security-alerts/cpujan2020.html#AppendixMSQL CVE-2020-2572 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (bug #949994) NOTE: https://www.oracle.com/security-alerts/cpujan2020.html#AppendixMSQL CVE-2020-2571 (Vulnerability in the Oracle VM Server for SPARC product of Oracle Syst ...) NOT-FOR-US: Oracle CVE-2020-2570 (Vulnerability in the MySQL Client product of Oracle MySQL (component: ...) - mysql-5.7 (bug #949994) NOTE: https://www.oracle.com/security-alerts/cpujan2020.html#AppendixMSQL CVE-2020-2569 (Vulnerability in the Oracle Applications DBA component of Oracle Datab ...) NOT-FOR-US: Oracle CVE-2020-2568 (Vulnerability in the Oracle Applications DBA component of Oracle Datab ...) NOT-FOR-US: Oracle CVE-2020-2567 (Vulnerability in the Oracle Retail Customer Management and Segmentatio ...) NOT-FOR-US: Oracle CVE-2020-2566 (Vulnerability in the Oracle Applications Framework product of Oracle E ...) NOT-FOR-US: Oracle CVE-2020-2565 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) NOT-FOR-US: Oracle CVE-2020-2564 (Vulnerability in the Siebel UI Framework product of Oracle Siebel CRM ...) NOT-FOR-US: Oracle CVE-2020-2563 (Vulnerability in the Hyperion Financial Close Management product of Or ...) NOT-FOR-US: Oracle CVE-2020-2562 RESERVED CVE-2020-2561 (Vulnerability in the PeopleSoft Enterprise HCM Human Resources product ...) NOT-FOR-US: Oracle CVE-2020-2560 (Vulnerability in the Siebel UI Framework product of Oracle Siebel CRM ...) NOT-FOR-US: Oracle CVE-2020-2559 (Vulnerability in the Siebel UI Framework product of Oracle Siebel CRM ...) NOT-FOR-US: Oracle CVE-2020-2558 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) NOT-FOR-US: Oracle CVE-2020-2557 (Vulnerability in the Oracle Demantra Demand Management product of Orac ...) NOT-FOR-US: Oracle CVE-2020-2556 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle CVE-2020-2555 (Vulnerability in the Oracle Coherence product of Oracle Fusion Middlew ...) NOT-FOR-US: Oracle CVE-2020-2554 RESERVED CVE-2020-2553 (Vulnerability in the Oracle Knowledge product of Oracle Knowledge (com ...) NOT-FOR-US: Oracle CVE-2020-2552 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2020-2551 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2020-2550 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2020-2549 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2020-2548 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2020-2547 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2020-2546 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2020-2545 (Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middl ...) NOT-FOR-US: Oracle CVE-2020-2544 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2020-2543 (Vulnerability in the Oracle Outside In Technology product of Oracle Fu ...) NOT-FOR-US: Oracle CVE-2020-2542 (Vulnerability in the Oracle Outside In Technology product of Oracle Fu ...) NOT-FOR-US: Oracle CVE-2020-2541 (Vulnerability in the Oracle Outside In Technology product of Oracle Fu ...) NOT-FOR-US: Oracle CVE-2020-2540 (Vulnerability in the Oracle Outside In Technology product of Oracle Fu ...) NOT-FOR-US: Oracle CVE-2020-2539 (Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2020-2538 (Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2020-2537 (Vulnerability in the Oracle Business Intelligence Enterprise Edition p ...) NOT-FOR-US: Oracle CVE-2020-2536 (Vulnerability in the Oracle Outside In Technology product of Oracle Fu ...) NOT-FOR-US: Oracle CVE-2020-2535 (Vulnerability in the Oracle Business Intelligence Enterprise Edition p ...) NOT-FOR-US: Oracle CVE-2020-2534 (Vulnerability in the Oracle Reports Developer product of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2020-2533 (Vulnerability in the Oracle Reports Developer product of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2020-2532 RESERVED CVE-2020-2531 (Vulnerability in the Oracle Business Intelligence Enterprise Edition p ...) NOT-FOR-US: Oracle CVE-2020-2530 (Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middl ...) NOT-FOR-US: Oracle CVE-2020-2529 RESERVED CVE-2020-2528 RESERVED CVE-2020-2527 (Vulnerability in the Core RDBMS component of Oracle Database Server. S ...) NOT-FOR-US: Oracle CVE-2020-2526 RESERVED CVE-2020-2525 RESERVED CVE-2020-2524 (Vulnerability in the Oracle Knowledge product of Oracle Knowledge (com ...) NOT-FOR-US: Oracle CVE-2020-2523 RESERVED CVE-2020-2522 (Vulnerability in the Oracle Knowledge product of Oracle Knowledge (com ...) NOT-FOR-US: Oracle CVE-2020-2521 RESERVED CVE-2020-2520 RESERVED CVE-2020-2519 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2020-2518 (Vulnerability in the Java VM component of Oracle Database Server. Supp ...) NOT-FOR-US: Oracle CVE-2020-2517 (Vulnerability in the Database Gateway for ODBC component of Oracle Dat ...) NOT-FOR-US: Oracle CVE-2020-2516 (Vulnerability in the Core RDBMS component of Oracle Database Server. S ...) NOT-FOR-US: Oracle CVE-2020-2515 (Vulnerability in the Database Gateway for ODBC component of Oracle Dat ...) NOT-FOR-US: Oracle CVE-2020-2514 (Vulnerability in the Oracle Application Express component of Oracle Da ...) NOT-FOR-US: Oracle CVE-2020-2513 RESERVED CVE-2020-2512 (Vulnerability in the Database Gateway for ODBC component of Oracle Dat ...) NOT-FOR-US: Oracle CVE-2020-2511 (Vulnerability in the Core RDBMS component of Oracle Database Server. S ...) NOT-FOR-US: Oracle CVE-2020-2510 (Vulnerability in the Core RDBMS component of Oracle Database Server. S ...) NOT-FOR-US: Oracle CVE-2019-19720 (Yabasic 2.86.1 has a heap-based buffer overflow in the yylex() functio ...) - yabasic (unimportant) NOTE: https://github.com/marcIhm/yabasic/issues/36 NOTE: Negligible security impact CVE-2019-19719 (Tableau Server 10.3 through 2019.4 on Windows and Linux allows XSS via ...) NOT-FOR-US: Tableau Server CVE-2019-19718 RESERVED CVE-2019-19717 RESERVED CVE-2019-19716 RESERVED CVE-2019-19715 RESERVED CVE-2019-19714 (Contao 4.8.4 and 4.8.5 has Improper Encoding or Escaping of Output. It ...) NOT-FOR-US: Contao CVE-2019-19713 RESERVED CVE-2019-19712 (Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can ...) NOT-FOR-US: Contao CVE-2019-19711 RESERVED CVE-2019-19710 RESERVED CVE-2019-19709 (MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklis ...) {DSA-4592-1} - mediawiki 1:1.31.6-1 NOTE: https://gerrit.wikimedia.org/r/q/Ie54f366986056c876eade0fcad6c41f70b8b8de8 NOTE: https://phabricator.wikimedia.org/T239466 NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2019-December/092886.html CVE-2019-19708 (The VisualEditor extension through 1.34 for MediaWiki allows XSS via p ...) NOT-FOR-US: VisualEditor MediaWiki extension CVE-2019-19707 (On Moxa EDS-G508E, EDS-G512E, and EDS-G516E devices (with firmware thr ...) NOT-FOR-US: Moxa CVE-2019-19706 RESERVED CVE-2019-19705 RESERVED CVE-2019-19704 RESERVED CVE-2019-19703 (In Ktor through 1.2.6, the client resends data from the HTTP Authoriza ...) NOT-FOR-US: Ktor CVE-2019-19702 (The modoboa-dmarc plugin 1.1.0 for Modoboa is vulnerable to an XML Ext ...) NOT-FOR-US: Modoboa CVE-2018-21033 (A vulnerability in Hitachi Command Suite prior to 8.6.2-00, Hitachi Au ...) NOT-FOR-US: Hitachi CVE-2018-21032 (A vulnerability in Hitachi Command Suite prior to 8.7.1-00 and Hitachi ...) NOT-FOR-US: Hitachi CVE-2020-2509 RESERVED CVE-2020-2508 RESERVED CVE-2020-2507 RESERVED CVE-2020-2506 RESERVED CVE-2020-2505 RESERVED CVE-2020-2504 RESERVED CVE-2020-2503 RESERVED CVE-2020-2502 RESERVED CVE-2020-2501 RESERVED CVE-2020-2500 (This improper access control vulnerability in Helpdesk allows attacker ...) NOT-FOR-US: QNAP CVE-2020-2499 RESERVED CVE-2020-2498 RESERVED CVE-2020-2497 RESERVED CVE-2020-2496 RESERVED CVE-2020-2495 RESERVED CVE-2020-2494 RESERVED CVE-2020-2493 RESERVED CVE-2020-2492 RESERVED CVE-2020-2491 RESERVED CVE-2020-2490 RESERVED CVE-2019-19701 RESERVED CVE-2019-19700 RESERVED CVE-2019-19699 (There is Authenticated remote code execution in Centreon Infrastructur ...) - centreon-web (bug #913903) CVE-2019-19698 (marc-q libwav through 2017-04-20 has a NULL pointer dereference in wav ...) NOT-FOR-US: libwav CVE-2019-19697 (An arbitrary code execution vulnerability exists in the Trend Micro Se ...) NOT-FOR-US: Trend Micro CVE-2019-19696 (A RootCA vulnerability found in Trend Micro Password Manager for Windo ...) NOT-FOR-US: Trend Micro CVE-2019-19695 (A privilege escalation vulnerability in Trend Micro Antivirus for Mac ...) NOT-FOR-US: Trend Micro CVE-2019-19694 (The Trend Micro Security 2019 (15.0.0.1163 and below) consumer family ...) NOT-FOR-US: Trend Micro CVE-2019-19693 (The Trend Micro Security 2020 consumer family of products contains a v ...) NOT-FOR-US: Trend Micro CVE-2019-19692 (Trend Micro Apex One (2019) is affected by a cross-site scripting (XSS ...) NOT-FOR-US: Trend Micro CVE-2019-19691 (A vulnerability in Trend Micro Apex One and OfficeScan XG could allow ...) NOT-FOR-US: Trend Micro CVE-2019-19690 (Trend Micro Mobile Security for Android (Consumer) versions 10.3.1 and ...) NOT-FOR-US: Trend Micro CVE-2019-19689 (Trend Micro HouseCall for Home Networks (versions below 5.3.0.1063) co ...) NOT-FOR-US: Trend Micro CVE-2019-19688 (A privilege escalation vulnerability in Trend Micro HouseCall for Home ...) NOT-FOR-US: Trend Micro CVE-2019-19687 (OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in th ...) - keystone 2:16.0.0-5 (bug #946614) [buster] - keystone (Vulnerable code introduced later) [stretch] - keystone (Vulnerable code introduced later) [jessie] - keystone (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2019/12/11/8 NOTE: https://bugs.launchpad.net/keystone/+bug/1855080 CVE-2019-19686 RESERVED CVE-2019-19685 (RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable to CSRF ...) NOT-FOR-US: RoxyFileman in nopCommerce CVE-2019-19684 (nopCommerce v4.2.0 allows privilege escalation via file upload in Pres ...) NOT-FOR-US: nopCommerce CVE-2019-19683 (RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable to ../ ...) NOT-FOR-US: RoxyFileman in nopCommerce CVE-2019-19682 (nopCommerce through 4.20 allows XSS in the SaveStoreMappings of the co ...) NOT-FOR-US: nopCommerce CVE-2019-19681 (** DISPUTED ** Pandora FMS 7.x suffers from remote code execution vuln ...) NOT-FOR-US: Pandora FMS CVE-2019-19680 (A file-extension filtering vulnerability in Proofpoint Enterprise Prot ...) NOT-FOR-US: ProofPoint Protection Server Email Firewall CVE-2019-19679 (In "Xray Test Management for Jira" prior to version 3.5.5, remote auth ...) NOT-FOR-US: Xray Test Management for Jira CVE-2019-19678 (In "Xray Test Management for Jira" prior to version 3.5.5, remote auth ...) NOT-FOR-US: Xray Test Management for Jira CVE-2019-19677 (arxes-tolina 3.0.0 allows User Enumeration. ...) NOT-FOR-US: Arxes Tolina CVE-2019-19676 (A CSV injection in arxes-tolina 3.0.0 allows malicious users to gain r ...) NOT-FOR-US: Arxes Tolina CVE-2019-19675 (In Ivanti Workspace Control before 10.3.180.0. a locally authenticated ...) NOT-FOR-US: Ivanti Workspace Control CVE-2019-19674 RESERVED CVE-2019-19673 RESERVED CVE-2019-19672 RESERVED CVE-2019-19671 RESERVED CVE-2019-19670 (A HTTP Response Splitting vulnerability was identified in the Web Sett ...) NOT-FOR-US: Rumpus FTP Server CVE-2019-19669 (A CSRF vulnerability exists in the Upload Center Forms Component of We ...) NOT-FOR-US: Rumpus FTP CVE-2019-19668 (A CSRF vulnerability exists in the File Types component of Web File Ma ...) NOT-FOR-US: Rumpus FTP CVE-2019-19667 (A CSRF vulnerability exists in the Block Clients component of Web File ...) NOT-FOR-US: Rumpus FTP CVE-2019-19666 (A CSRF vulnerability exists in the Event Notices Settings of Web File ...) NOT-FOR-US: Rumpus FTP CVE-2019-19665 (A CSRF vulnerability exists in the FTP Settings of Web File Manager in ...) NOT-FOR-US: Rumpus FTP CVE-2019-19664 (A CSRF vulnerability exists in the Web Settings of Web File Manager in ...) NOT-FOR-US: Rumpus FTP CVE-2019-19663 (A CSRF vulnerability exists in the Folder Sets Settings of Web File Ma ...) NOT-FOR-US: Rumpus FTP CVE-2019-19662 (A CSRF vulnerability exists in the Web File Manager's Create/Delete Ac ...) NOT-FOR-US: Rumpus FTP CVE-2019-19661 (A Cookie based reflected XSS exists in the Web File Manager of Rumpus ...) NOT-FOR-US: Rumpus FTP CVE-2019-19660 (A CSRF vulnerability exists in the Web File Manager's Network Setting ...) NOT-FOR-US: Rumpus FTP CVE-2019-19659 (A CSRF vulnerability exists in the Web File Manager's Edit Accounts fu ...) NOT-FOR-US: Rumpus FTP CVE-2019-19658 RESERVED CVE-2019-19657 RESERVED CVE-2019-19656 RESERVED CVE-2019-19655 RESERVED CVE-2019-19654 RESERVED CVE-2019-19653 RESERVED CVE-2019-19652 RESERVED CVE-2019-19651 RESERVED CVE-2019-19650 (Zoho ManageEngine Applications Manager before 13640 allows a remote au ...) NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2019-19649 (Zoho ManageEngine Applications Manager before 13620 allows a remote un ...) NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2019-19648 (In the macho_parse_file functionality in macho/macho.c of YARA 3.11.0, ...) - yara [buster] - yara (Minor issue) [stretch] - yara (Minor issue) [jessie] - yara (Minor issue) NOTE: https://github.com/VirusTotal/yara/issues/1178 CVE-2019-19647 (radare2 through 4.0.0 lacks validation of the content variable in the ...) - radare2 4.2.1+dfsg-1 (bug #947402) [jessie] - radare2 (Minor issue) NOTE: https://github.com/radareorg/radare2/issues/15545 NOTE: https://github.com/radareorg/radare2/commit/07b5e062f2d4a00403ff031302cb18dfa58e3805 (4.1.0) CVE-2019-19646 (pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_ ...) - sqlite3 (Generated column support added later) NOTE: https://github.com/sqlite/sqlite/commit/926f796e8feec15f3836aa0a060ed906f8ae04d3 NOTE: https://github.com/sqlite/sqlite/commit/ebd70eedd5d6e6a890a670b5ee874a5eae86b4dd CVE-2019-19645 (alter.c in SQLite through 3.30.1 allows attackers to trigger infinite ...) - sqlite3 3.30.1+fossil191229-1 (bug #946612) [buster] - sqlite3 (Minor issue) [stretch] - sqlite3 (Minor issue) [jessie] - sqlite3 (Minor issue) NOTE: https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06 CVE-2019-19644 RESERVED CVE-2019-19643 RESERVED CVE-2019-19642 (On SuperMicro X8STi-F motherboards with IPMI firmware 2.06 and BIOS 02 ...) NOT-FOR-US: SuperMicro CVE-2019-19641 RESERVED CVE-2019-19640 RESERVED CVE-2019-19639 RESERVED CVE-2019-19638 (An issue was discovered in libsixel 1.8.2. There is a heap-based buffe ...) - libsixel 1.8.6-1 (low; bug #948103) [buster] - libsixel (Minor issue) [stretch] - libsixel (Minor issue) [jessie] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/102 CVE-2019-19637 (An issue was discovered in libsixel 1.8.2. There is an integer overflo ...) - libsixel 1.8.6-1 (low; bug #948103) [buster] - libsixel (Minor issue) [stretch] - libsixel (Minor issue) [jessie] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/105 CVE-2019-19636 (An issue was discovered in libsixel 1.8.2. There is an integer overflo ...) - libsixel 1.8.6-1 (low; bug #948103) [buster] - libsixel (Minor issue) [stretch] - libsixel (Minor issue) [jessie] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/104 CVE-2019-19635 (An issue was discovered in libsixel 1.8.2. There is a heap-based buffe ...) - libsixel 1.8.6-1 (low; bug #948103) [buster] - libsixel (Minor issue) [stretch] - libsixel (Minor issue) [jessie] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/103 CVE-2019-19634 (class.upload.php in verot.net class.upload through 1.0.3 and 2.x throu ...) NOT-FOR-US: K2 extension for Joomla! CVE-2019-19633 RESERVED CVE-2019-19632 (An issue was discovered in Big Switch Big Monitoring Fabric 6.2 throug ...) NOT-FOR-US: Big Switch Networks CVE-2019-19631 (An issue was discovered in Big Switch Big Monitoring Fabric 6.2 throug ...) NOT-FOR-US: Big Switch Networks CVE-2019-19630 (HTMLDOC 1.9.7 allows a stack-based buffer overflow in the hd_strlcpy() ...) {DLA-2026-1} - htmldoc 1.9.7-1 (low) [buster] - htmldoc (Minor issue) [stretch] - htmldoc (Minor issue) NOTE: https://github.com/michaelrsweet/htmldoc/issues/370 NOTE: https://github.com/michaelrsweet/htmldoc/commit/8a129c520e90fc967351f3e165f967128a88f09c CVE-2019-19629 (In GitLab EE 10.5 through 12.5.3, 12.4.5, and 12.3.8, when transferrin ...) - gitlab (Only affects Gitlab EE) NOTE: https://about.gitlab.com/blog/2019/12/10/critical-security-release-gitlab-12-5-4-released/ CVE-2019-19628 (In GitLab EE 11.3 through 12.5.3, 12.4.5, and 12.3.8, insufficient par ...) - gitlab (Only affects Gitlab EE) NOTE: https://about.gitlab.com/blog/2019/12/10/critical-security-release-gitlab-12-5-4-released/ CVE-2019-19627 (SROS 2 0.8.1 (after CVE-2019-19625 is mitigated) leaks ROS 2 node-rela ...) NOT-FOR-US: SROS CVE-2019-19626 RESERVED CVE-2019-19625 (SROS 2 0.8.1 (which provides the tools that generate and distribute ke ...) NOT-FOR-US: SROS CVE-2019-19624 (An out-of-bounds read was discovered in OpenCV before 4.1.1. Specifica ...) - opencv 4.1.2+dfsg-3 [buster] - opencv (Minor issue; can be fixed via point release) [stretch] - opencv (Vulnerable code introduced later) [jessie] - opencv (Vulnerable code introduced later) NOTE: https://github.com/opencv/opencv/commit/d1615ba11a93062b1429fce9f0f638d1572d3418 NOTE: https://github.com/opencv/opencv/issues/14554 CVE-2019-19623 RESERVED CVE-2019-19622 RESERVED CVE-2019-19621 RESERVED CVE-2019-19620 (In SecureWorks Red Cloak Windows Agent before 2.0.7.9, a local user ca ...) NOT-FOR-US: SecureWorks Red Cloak Windows Agent CVE-2019-19619 (domain/section/markdown/markdown.go in Documize before 3.5.1 mishandle ...) NOT-FOR-US: Documize CVE-2019-19618 RESERVED CVE-2019-19617 (phpMyAdmin before 4.9.2 does not escape certain Git information, relat ...) {DLA-2024-1} - phpmyadmin 4:4.9.2+dfsg1-1 [stretch] - phpmyadmin (Minor issue) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/1119de642b136d20e810bb20f545069a01dd7cc9 CVE-2019-19616 (An Insecure Direct Object Reference (IDOR) vulnerability in the Xtivia ...) NOT-FOR-US: Microsoft Dynamics NAV CVE-2019-19615 (Multiple XSS vulnerabilities exist in the Backup & Restore module ...) NOT-FOR-US: FreePBX CVE-2019-19614 (An issue was discovered in Halvotec RAQuest 10.23.10801.0. The login p ...) NOT-FOR-US: Halvotec RAQuest CVE-2019-19613 (An issue was discovered in Halvotec RaQuest 10.23.10801.0. The login p ...) NOT-FOR-US: Halvotec RaQuest CVE-2019-19612 (An issue was discovered in Halvotec RaQuest 10.23.10801.0. Several fea ...) NOT-FOR-US: Halvotec RaQuest CVE-2019-19611 (An issue was discovered in Halvotec RaQuest 10.23.10801.0. One of the ...) NOT-FOR-US: Halvotec RaQuest CVE-2019-19610 (An issue was discovered in Halvotec RaQuest 10.23.10801.0. It allows s ...) NOT-FOR-US: Halvotec RaQuest CVE-2019-19609 (The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Co ...) NOT-FOR-US: Strapi CVE-2019-19608 (A SQL injection vulnerability in in the web conferencing component of ...) NOT-FOR-US: Mitel CVE-2019-19607 (A SQL injection vulnerability in the web conferencing component of Mit ...) NOT-FOR-US: Mitel CVE-2019-19606 (X-Plane before 11.41 has multiple improper path validations that could ...) NOT-FOR-US: X-Plane CVE-2019-19605 (X-Plane before 11.41 allows Arbitrary Memory Write via crafted network ...) NOT-FOR-US: X-Plane CVE-2019-19604 (Arbitrary command execution is possible in Git before 2.20.2, 2.21.x b ...) - git 1:2.24.0-2 [buster] - git 1:2.20.1-2+deb10u1 [stretch] - git (Vulnerable code introduced in v2.20.0-rc0) [jessie] - git (Vulnerable code introduced in v2.20.0-rc0) NOTE: https://git.kernel.org/pub/scm/git/git.git/commit/?id=e904deb89d9a9669a76a426182506a084d3f6308 NOTE: https://git.kernel.org/pub/scm/git/git.git/commit/?id=bb92255ebe6bccd76227e023d6d0bc997e318ad0 NOTE: https://git.kernel.org/pub/scm/git/git.git/commit/?id=c1547450748fcbac21675f2681506d2d80351a19 NOTE: Upstream did backport fixes for CVE-2019-19604 to older versions as the introducing NOTE: version for sake of robustness/hardening. In particular, the server-side protection NOTE: provided by the fsck is useful for protecting unpatched clients that are affected NOTE: by the bug. NOTE: https://gitlab.com/gitlab-com/gl-security/disclosures/blob/master/003_git_submodule/advisory.md NOTE: https://www.openwall.com/lists/oss-security/2019/12/13/1 CVE-2019-19603 (SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent ...) - sqlite3 3.30.1+fossil191229-1 [buster] - sqlite3 (Minor issue) [stretch] - sqlite3 (Minor issue) [jessie] - sqlite3 (Minor issue) NOTE: https://github.com/sqlite/sqlite/commit/527cbd4a104cb93bf3994b3dd3619a6299a78b13 CVE-2019-19601 (OpenDetex 2.8.5 has a Buffer Overflow in TexOpen in detex.l because of ...) - texlive-bin (unimportant; bug #949630) NOTE: https://github.com/pkubowicz/opendetex/issues/60 NOTE: Debian builds using the kpathsea codepaths. CVE-2019-19600 RESERVED CVE-2019-19599 RESERVED CVE-2019-19602 (fpregs_state_valid in arch/x86/include/asm/fpu/internal.h in the Linux ...) - linux 5.3.15-1 [buster] - linux (Vulnerable code introduced later) [stretch] - linux (Vulnerable code introduced later) [jessie] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/59c4bd853abcea95eccc167a7d7fd5f1a5f47b98 CVE-2020-2489 RESERVED CVE-2020-2488 RESERVED CVE-2020-2487 RESERVED CVE-2020-2486 RESERVED CVE-2020-2485 RESERVED CVE-2020-2484 RESERVED CVE-2020-2483 RESERVED CVE-2020-2482 RESERVED CVE-2020-2481 RESERVED CVE-2020-2480 RESERVED CVE-2020-2479 RESERVED CVE-2020-2478 RESERVED CVE-2020-2477 RESERVED CVE-2020-2476 RESERVED CVE-2020-2475 RESERVED CVE-2020-2474 RESERVED CVE-2020-2473 RESERVED CVE-2020-2472 RESERVED CVE-2020-2471 RESERVED CVE-2020-2470 RESERVED CVE-2020-2469 RESERVED CVE-2020-2468 RESERVED CVE-2020-2467 RESERVED CVE-2020-2466 RESERVED CVE-2020-2465 RESERVED CVE-2020-2464 RESERVED CVE-2020-2463 RESERVED CVE-2020-2462 RESERVED CVE-2020-2461 RESERVED CVE-2020-2460 RESERVED CVE-2020-2459 RESERVED CVE-2020-2458 RESERVED CVE-2020-2457 RESERVED CVE-2020-2456 RESERVED CVE-2020-2455 RESERVED CVE-2020-2454 RESERVED CVE-2020-2453 RESERVED CVE-2020-2452 RESERVED CVE-2020-2451 RESERVED CVE-2020-2450 RESERVED CVE-2020-2449 RESERVED CVE-2020-2448 RESERVED CVE-2020-2447 RESERVED CVE-2020-2446 RESERVED CVE-2020-2445 RESERVED CVE-2020-2444 RESERVED CVE-2020-2443 RESERVED CVE-2020-2442 RESERVED CVE-2020-2441 RESERVED CVE-2020-2440 RESERVED CVE-2020-2439 RESERVED CVE-2020-2438 RESERVED CVE-2020-2437 RESERVED CVE-2020-2436 RESERVED CVE-2020-2435 RESERVED CVE-2020-2434 RESERVED CVE-2020-2433 RESERVED CVE-2020-2432 RESERVED CVE-2020-2431 RESERVED CVE-2020-2430 RESERVED CVE-2020-2429 RESERVED CVE-2020-2428 RESERVED CVE-2020-2427 RESERVED CVE-2020-2426 RESERVED CVE-2020-2425 RESERVED CVE-2020-2424 RESERVED CVE-2020-2423 RESERVED CVE-2020-2422 RESERVED CVE-2020-2421 RESERVED CVE-2020-2420 RESERVED CVE-2020-2419 RESERVED CVE-2020-2418 RESERVED CVE-2020-2417 RESERVED CVE-2020-2416 RESERVED CVE-2020-2415 RESERVED CVE-2020-2414 RESERVED CVE-2020-2413 RESERVED CVE-2020-2412 RESERVED CVE-2020-2411 RESERVED CVE-2020-2410 RESERVED CVE-2020-2409 RESERVED CVE-2020-2408 RESERVED CVE-2020-2407 RESERVED CVE-2020-2406 RESERVED CVE-2020-2405 RESERVED CVE-2020-2404 RESERVED CVE-2020-2403 RESERVED CVE-2020-2402 RESERVED CVE-2020-2401 RESERVED CVE-2020-2400 RESERVED CVE-2020-2399 RESERVED CVE-2020-2398 RESERVED CVE-2020-2397 RESERVED CVE-2020-2396 RESERVED CVE-2020-2395 RESERVED CVE-2020-2394 RESERVED CVE-2020-2393 RESERVED CVE-2020-2392 RESERVED CVE-2020-2391 RESERVED CVE-2020-2390 RESERVED CVE-2020-2389 RESERVED CVE-2020-2388 RESERVED CVE-2020-2387 RESERVED CVE-2020-2386 RESERVED CVE-2020-2385 RESERVED CVE-2020-2384 RESERVED CVE-2020-2383 RESERVED CVE-2020-2382 RESERVED CVE-2020-2381 RESERVED CVE-2020-2380 RESERVED CVE-2020-2379 RESERVED CVE-2020-2378 RESERVED CVE-2020-2377 RESERVED CVE-2020-2376 RESERVED CVE-2020-2375 RESERVED CVE-2020-2374 RESERVED CVE-2020-2373 RESERVED CVE-2020-2372 RESERVED CVE-2020-2371 RESERVED CVE-2020-2370 RESERVED CVE-2020-2369 RESERVED CVE-2020-2368 RESERVED CVE-2020-2367 RESERVED CVE-2020-2366 RESERVED CVE-2020-2365 RESERVED CVE-2020-2364 RESERVED CVE-2020-2363 RESERVED CVE-2020-2362 RESERVED CVE-2020-2361 RESERVED CVE-2020-2360 RESERVED CVE-2020-2359 RESERVED CVE-2020-2358 RESERVED CVE-2020-2357 RESERVED CVE-2020-2356 RESERVED CVE-2020-2355 RESERVED CVE-2020-2354 RESERVED CVE-2020-2353 RESERVED CVE-2020-2352 RESERVED CVE-2020-2351 RESERVED CVE-2020-2350 RESERVED CVE-2020-2349 RESERVED CVE-2020-2348 RESERVED CVE-2020-2347 RESERVED CVE-2020-2346 RESERVED CVE-2020-2345 RESERVED CVE-2020-2344 RESERVED CVE-2020-2343 RESERVED CVE-2020-2342 RESERVED CVE-2020-2341 RESERVED CVE-2020-2340 RESERVED CVE-2020-2339 RESERVED CVE-2020-2338 RESERVED CVE-2020-2337 RESERVED CVE-2020-2336 RESERVED CVE-2020-2335 RESERVED CVE-2020-2334 RESERVED CVE-2020-2333 RESERVED CVE-2020-2332 RESERVED CVE-2020-2331 RESERVED CVE-2020-2330 RESERVED CVE-2020-2329 RESERVED CVE-2020-2328 RESERVED CVE-2020-2327 RESERVED CVE-2020-2326 RESERVED CVE-2020-2325 RESERVED CVE-2020-2324 RESERVED CVE-2020-2323 RESERVED CVE-2020-2322 RESERVED CVE-2020-2321 RESERVED CVE-2020-2320 RESERVED CVE-2020-2319 RESERVED CVE-2020-2318 RESERVED CVE-2020-2317 RESERVED CVE-2020-2316 RESERVED CVE-2020-2315 RESERVED CVE-2020-2314 RESERVED CVE-2020-2313 RESERVED CVE-2020-2312 RESERVED CVE-2020-2311 RESERVED NOT-FOR-US: Qualcomm components for Android CVE-2020-2310 RESERVED CVE-2020-2309 RESERVED CVE-2020-2308 RESERVED CVE-2020-2307 RESERVED CVE-2020-2306 RESERVED CVE-2020-2305 RESERVED CVE-2020-2304 RESERVED CVE-2020-2303 RESERVED CVE-2020-2302 RESERVED CVE-2020-2301 RESERVED CVE-2020-2300 RESERVED NOT-FOR-US: Qualcomm components for Android CVE-2020-2299 RESERVED CVE-2020-2298 RESERVED CVE-2020-2297 RESERVED CVE-2020-2296 RESERVED CVE-2020-2295 RESERVED CVE-2020-2294 RESERVED CVE-2020-2293 RESERVED CVE-2020-2292 RESERVED CVE-2020-2291 RESERVED CVE-2020-2290 RESERVED CVE-2020-2289 RESERVED CVE-2020-2288 RESERVED CVE-2020-2287 RESERVED CVE-2020-2286 RESERVED CVE-2020-2285 RESERVED CVE-2020-2284 RESERVED CVE-2020-2283 RESERVED CVE-2020-2282 RESERVED CVE-2020-2281 RESERVED CVE-2020-2280 RESERVED CVE-2020-2279 RESERVED CVE-2020-2278 RESERVED CVE-2020-2277 RESERVED CVE-2020-2276 RESERVED CVE-2020-2275 RESERVED CVE-2020-2274 RESERVED CVE-2020-2273 RESERVED CVE-2020-2272 RESERVED CVE-2020-2271 RESERVED CVE-2020-2270 RESERVED CVE-2020-2269 RESERVED CVE-2020-2268 RESERVED CVE-2020-2267 RESERVED CVE-2020-2266 RESERVED CVE-2020-2265 RESERVED CVE-2020-2264 RESERVED NOT-FOR-US: Qualcomm components for Android CVE-2020-2263 RESERVED CVE-2020-2262 RESERVED CVE-2020-2261 RESERVED CVE-2020-2260 RESERVED CVE-2020-2259 RESERVED CVE-2020-2258 RESERVED CVE-2020-2257 RESERVED CVE-2020-2256 RESERVED CVE-2020-2255 RESERVED CVE-2020-2254 RESERVED CVE-2020-2253 RESERVED CVE-2020-2252 RESERVED CVE-2020-2251 RESERVED CVE-2020-2250 RESERVED CVE-2020-2249 RESERVED CVE-2020-2248 RESERVED CVE-2020-2247 RESERVED CVE-2020-2246 RESERVED CVE-2020-2245 RESERVED CVE-2020-2244 RESERVED CVE-2020-2243 RESERVED CVE-2020-2242 RESERVED CVE-2020-2241 RESERVED CVE-2020-2240 RESERVED CVE-2020-2239 RESERVED CVE-2020-2238 RESERVED CVE-2020-2237 RESERVED CVE-2020-2236 RESERVED CVE-2020-2235 RESERVED CVE-2020-2234 RESERVED CVE-2020-2233 RESERVED CVE-2020-2232 RESERVED CVE-2020-2231 RESERVED CVE-2020-2230 RESERVED CVE-2020-2229 RESERVED CVE-2020-2228 RESERVED CVE-2020-2227 RESERVED CVE-2020-2226 RESERVED CVE-2020-2225 RESERVED CVE-2020-2224 RESERVED CVE-2020-2223 RESERVED CVE-2020-2222 RESERVED CVE-2020-2221 RESERVED CVE-2020-2220 RESERVED CVE-2020-2219 (Jenkins Link Column Plugin 1.0 and earlier does not filter URLs of lin ...) NOT-FOR-US: Jenkins plugin CVE-2020-2218 (Jenkins HP ALM Quality Center Plugin 1.6 and earlier stores a password ...) NOT-FOR-US: Jenkins plugin CVE-2020-2217 (Jenkins Compatibility Action Storage Plugin 1.0 and earlier does not e ...) NOT-FOR-US: Jenkins plugin CVE-2020-2216 (A missing permission check in Jenkins Zephyr for JIRA Test Management ...) NOT-FOR-US: Jenkins plugin CVE-2020-2215 (A cross-site request forgery vulnerability in Jenkins Zephyr for JIRA ...) NOT-FOR-US: Jenkins plugin CVE-2020-2214 (Jenkins ZAP Pipeline Plugin 1.9 and earlier programmatically disables ...) NOT-FOR-US: Jenkins plugin CVE-2020-2213 (Jenkins White Source Plugin 19.1.1 and earlier stores credentials unen ...) NOT-FOR-US: Jenkins plugin CVE-2020-2212 (Jenkins GitHub Coverage Reporter Plugin 1.8 and earlier stores secrets ...) NOT-FOR-US: Jenkins plugin CVE-2020-2211 (Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin 1.3 and earlier doe ...) NOT-FOR-US: Jenkins plugin CVE-2020-2210 (Jenkins Stash Branch Parameter Plugin 0.3.0 and earlier transmits conf ...) NOT-FOR-US: Jenkins plugin CVE-2020-2209 (Jenkins TestComplete support Plugin 2.4.1 and earlier stores a passwor ...) NOT-FOR-US: Jenkins plugin CVE-2020-2208 (Jenkins Slack Upload Plugin 1.7 and earlier stores a secret unencrypte ...) NOT-FOR-US: Jenkins plugin CVE-2020-2207 (Jenkins VncViewer Plugin 1.7 and earlier does not escape a parameter v ...) NOT-FOR-US: Jenkins plugin CVE-2020-2206 (Jenkins VncRecorder Plugin 1.25 and earlier does not escape a paramete ...) NOT-FOR-US: Jenkins plugin CVE-2020-2205 (Jenkins VncRecorder Plugin 1.25 and earlier does not escape a tool pat ...) NOT-FOR-US: Jenkins plugin CVE-2020-2204 (A missing permission check in Jenkins Fortify on Demand Plugin 5.0.1 a ...) NOT-FOR-US: Jenkins plugin CVE-2020-2203 (A cross-site request forgery vulnerability in Jenkins Fortify on Deman ...) NOT-FOR-US: Jenkins plugin CVE-2020-2202 (A missing permission check in Jenkins Fortify on Demand Plugin 6.0.0 a ...) NOT-FOR-US: Jenkins plugin CVE-2020-2201 (Jenkins Sonargraph Integration Plugin 3.0.0 and earlier does not escap ...) NOT-FOR-US: Jenkins plugin CVE-2020-2200 (Jenkins Play Framework Plugin 1.0.2 and earlier lets users specify the ...) NOT-FOR-US: Jenkins plugin CVE-2020-2199 (Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier do ...) NOT-FOR-US: Jenkins plugin CVE-2020-2198 (Jenkins Project Inheritance Plugin 19.08.02 and earlier does not redac ...) NOT-FOR-US: Jenkins plugin CVE-2020-2197 (Jenkins Project Inheritance Plugin 19.08.02 and earlier does not requi ...) NOT-FOR-US: Jenkins plugin CVE-2020-2196 (Jenkins Selenium Plugin 3.141.59 and earlier has no CSRF protection fo ...) NOT-FOR-US: Jenkins plugin CVE-2020-2195 (Jenkins Compact Columns Plugin 1.11 and earlier displays the unprocess ...) NOT-FOR-US: Jenkins plugin CVE-2020-2194 (Jenkins ECharts API Plugin 4.7.0-3 and earlier does not escape the dis ...) NOT-FOR-US: Jenkins plugin CVE-2020-2193 (Jenkins ECharts API Plugin 4.7.0-3 and earlier does not escape the par ...) NOT-FOR-US: Jenkins plugin CVE-2020-2192 (A cross-site request forgery vulnerability in Jenkins Self-Organizing ...) NOT-FOR-US: Jenkins plugin CVE-2020-2191 (Jenkins Self-Organizing Swarm Plug-in Modules Plugin 3.20 and earlier ...) NOT-FOR-US: Jenkins plugin CVE-2020-2190 (Jenkins Script Security Plugin 1.72 and earlier does not correctly esc ...) NOT-FOR-US: Jenkins plugin CVE-2020-2189 (Jenkins SCM Filter Jervis Plugin 0.2.1 and earlier does not configure ...) NOT-FOR-US: Jenkins plugin CVE-2020-2188 (A missing permission check in Jenkins Amazon EC2 Plugin 1.50.1 and ear ...) NOT-FOR-US: Jenkins plugin CVE-2020-2187 (Jenkins Amazon EC2 Plugin 1.50.1 and earlier unconditionally accepts s ...) NOT-FOR-US: Jenkins plugin CVE-2020-2186 (A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugi ...) NOT-FOR-US: Jenkins plugin CVE-2020-2185 (Jenkins Amazon EC2 Plugin 1.50.1 and earlier does not validate SSH hos ...) NOT-FOR-US: Jenkins plugin CVE-2020-2184 (A cross-site request forgery vulnerability in Jenkins CVS Plugin 2.15 ...) NOT-FOR-US: Jenkins plugin CVE-2020-2183 (Jenkins Copy Artifact Plugin 1.43.1 and earlier performs improper perm ...) NOT-FOR-US: Jenkins plugin CVE-2020-2182 (Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e ...) NOT-FOR-US: Jenkins plugin CVE-2020-2181 (Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e ...) NOT-FOR-US: Jenkins plugin CVE-2020-2180 (Jenkins AWS SAM Plugin 1.2.2 and earlier does not configure its YAML p ...) NOT-FOR-US: Jenkins plugin CVE-2020-2179 (Jenkins Yaml Axis Plugin 0.2.0 and earlier does not configure its YAML ...) NOT-FOR-US: Jenkins plugin CVE-2020-2178 (Jenkins Parasoft Findings Plugin 10.4.3 and earlier does not configure ...) NOT-FOR-US: Jenkins plugin CVE-2020-2177 (Jenkins Copr Plugin 0.3 and earlier stores credentials unencrypted in ...) NOT-FOR-US: Jenkins plugin CVE-2020-2176 (Multiple form validation endpoints in Jenkins useMango Runner Plugin 1 ...) NOT-FOR-US: Jenkins plugin CVE-2020-2175 (Jenkins FitNesse Plugin 1.31 and earlier does not correctly escape rep ...) NOT-FOR-US: Jenkins plugin CVE-2020-2174 (Jenkins AWSEB Deployment Plugin 0.3.19 and earlier does not escape var ...) NOT-FOR-US: Jenkins plugin CVE-2020-2173 (Jenkins Gatling Plugin 1.2.7 and earlier prevents Content-Security-Pol ...) NOT-FOR-US: Jenkins plugin CVE-2020-2172 (Jenkins Code Coverage API Plugin 1.1.4 and earlier does not configure ...) NOT-FOR-US: Jenkins plugin CVE-2020-2171 (Jenkins RapidDeploy Plugin 4.2 and earlier does not configure its XML ...) NOT-FOR-US: Jenkins plugin CVE-2020-2170 (Jenkins RapidDeploy Plugin 4.2 and earlier does not escape package nam ...) NOT-FOR-US: Jenkins plugin CVE-2020-2169 (A form validation endpoint in Jenkins Queue cleanup Plugin 1.3 and ear ...) NOT-FOR-US: Jenkins plugin CVE-2020-2168 (Jenkins Azure Container Service Plugin 1.0.1 and earlier does not conf ...) NOT-FOR-US: Jenkins plugin CVE-2020-2167 (Jenkins OpenShift Pipeline Plugin 1.0.56 and earlier does not configur ...) NOT-FOR-US: Jenkins plugin CVE-2020-2166 (Jenkins Pipeline: AWS Steps Plugin 1.40 and earlier does not configure ...) NOT-FOR-US: Jenkins plugin CVE-2020-2165 (Jenkins Artifactory Plugin 3.6.0 and earlier transmits configured pass ...) NOT-FOR-US: Jenkins plugin CVE-2020-2164 (Jenkins Artifactory Plugin 3.5.0 and earlier stores its Artifactory se ...) NOT-FOR-US: Jenkins plugin CVE-2020-2163 (Jenkins 2.227 and earlier, LTS 2.204.5 and earlier improperly processe ...) NOT-FOR-US: Jenkins CVE-2020-2162 (Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not set Conten ...) NOT-FOR-US: Jenkins CVE-2020-2161 (Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly e ...) NOT-FOR-US: Jenkins CVE-2020-2160 (Jenkins 2.227 and earlier, LTS 2.204.5 and earlier uses different repr ...) NOT-FOR-US: Jenkins CVE-2020-2159 (Jenkins CryptoMove Plugin 0.1.33 and earlier allows attackers with Job ...) NOT-FOR-US: Jenkins CryptoMove Plugin CVE-2020-2158 (Jenkins Literate Plugin 1.0 and earlier does not configure its YAML pa ...) NOT-FOR-US: Jenkins Literate Plugin CVE-2020-2157 (Jenkins Skytap Cloud CI Plugin 2.07 and earlier transmits configured c ...) NOT-FOR-US: Jenkins Skytap Cloud CI Plugin CVE-2020-2156 (Jenkins DeployHub Plugin 8.0.14 and earlier transmits configured crede ...) NOT-FOR-US: Jenkins DeployHub Plugin CVE-2020-2155 (Jenkins OpenShift Deployer Plugin 1.2.0 and earlier transmits configur ...) NOT-FOR-US: Jenkins OpenShift Deployer Plugin CVE-2020-2154 (Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier stores ...) NOT-FOR-US: Jenkins Zephyr for JIRA Test Management Plugin CVE-2020-2153 (Jenkins Backlog Plugin 2.4 and earlier transmits configured credential ...) NOT-FOR-US: Jenkins Backlog Plugin CVE-2020-2152 (Jenkins Subversion Release Manager Plugin 1.2 and earlier does not esc ...) NOT-FOR-US: Jenkins Subversion Release Manager Plugin CVE-2020-2151 (Jenkins Quality Gates Plugin 2.5 and earlier transmits configured cred ...) NOT-FOR-US: Jenkins Quality Gates Plugin CVE-2020-2150 (Jenkins Sonar Quality Gates Plugin 1.3.1 and earlier transmits configu ...) NOT-FOR-US: Jenkins Sonar Quality Gates Plugin CVE-2020-2149 (Jenkins Repository Connector Plugin 1.2.6 and earlier transmits config ...) NOT-FOR-US: Jenkins Repository Connector Plugin CVE-2020-2148 (A missing permission check in Jenkins Mac Plugin 1.1.0 and earlier all ...) NOT-FOR-US: Jenkins Mac Plugin CVE-2020-2147 (A cross-site request forgery vulnerability in Jenkins Mac Plugin 1.1.0 ...) NOT-FOR-US: Jenkins Mac Plugin CVE-2020-2146 (Jenkins Mac Plugin 1.1.0 and earlier does not validate SSH host keys w ...) NOT-FOR-US: Jenkins Mac Plugin CVE-2020-2145 (Jenkins Zephyr Enterprise Test Management Plugin 1.9.1 and earlier sto ...) NOT-FOR-US: Jenkins Zephyr Enterprise Test Management Plugin CVE-2020-2144 (Jenkins Rundeck Plugin 3.6.6 and earlier does not configure its XML pa ...) NOT-FOR-US: Jenkins Rundeck Plugin CVE-2020-2143 (Jenkins Logstash Plugin 2.3.1 and earlier transmits configured credent ...) NOT-FOR-US: Jenkins Logstash Plugin CVE-2020-2142 (A missing permission check in Jenkins P4 Plugin 1.10.10 and earlier al ...) NOT-FOR-US: Jenkins P4 Plugin CVE-2020-2141 (A cross-site request forgery vulnerability in Jenkins P4 Plugin 1.10.1 ...) NOT-FOR-US: Jenkins P4 Plugin CVE-2020-2140 (Jenkins Audit Trail Plugin 3.2 and earlier does not escape the error m ...) NOT-FOR-US: Jenkins Audit Trail Plugin CVE-2020-2139 (An arbitrary file write vulnerability in Jenkins Cobertura Plugin 1.15 ...) NOT-FOR-US: Jenkins Cobertura Plugin CVE-2020-2138 (Jenkins Cobertura Plugin 1.15 and earlier does not configure its XML p ...) NOT-FOR-US: Jenkins Cobertura Plugin CVE-2020-2137 (Jenkins Timestamper Plugin 1.11.1 and earlier does not sanitize HTML f ...) NOT-FOR-US: Jenkins Timestamper Plugin CVE-2020-2136 (Jenkins Git Plugin 4.2.0 and earlier does not escape the error message ...) NOT-FOR-US: Jenkins Git Plugin CVE-2020-2135 (Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier ...) NOT-FOR-US: Jenkins Script Security Plugin CVE-2020-2134 (Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier ...) NOT-FOR-US: Jenkins Script Security Plugin CVE-2020-2133 (Jenkins Applatix Plugin 1.1 and earlier stores a password unencrypted ...) NOT-FOR-US: Jenkins plugin CVE-2020-2132 (Jenkins Parasoft Environment Manager Plugin 2.14 and earlier stores a ...) NOT-FOR-US: Jenkins plugin CVE-2020-2131 (Jenkins Harvest SCM Plugin 0.5.1 and earlier stores passwords unencryp ...) NOT-FOR-US: Jenkins plugin CVE-2020-2130 (Jenkins Harvest SCM Plugin 0.5.1 and earlier stores a password unencry ...) NOT-FOR-US: Jenkins plugin CVE-2020-2129 (Jenkins Eagle Tester Plugin 1.0.9 and earlier stores a password unencr ...) NOT-FOR-US: Jenkins plugin CVE-2020-2128 (Jenkins ECX Copy Data Management Plugin 1.9 and earlier stores a passw ...) NOT-FOR-US: Jenkins plugin CVE-2020-2127 (Jenkins BMC Release Package and Deployment Plugin 1.1 and earlier stor ...) NOT-FOR-US: Jenkins plugin CVE-2020-2126 (Jenkins DigitalOcean Plugin 1.1 and earlier stores a token unencrypted ...) NOT-FOR-US: Jenkins plugin CVE-2020-2125 (Jenkins Debian Package Builder Plugin 1.6.11 and earlier stores a GPG ...) NOT-FOR-US: Jenkins plugin CVE-2020-2124 (Jenkins Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier sto ...) NOT-FOR-US: Jenkins plugin CVE-2020-2123 (Jenkins RadarGun Plugin 1.7 and earlier does not configure its YAML pa ...) NOT-FOR-US: Jenkins plugin CVE-2020-2122 (Jenkins Brakeman Plugin 0.12 and earlier did not escape values receive ...) NOT-FOR-US: Jenkins plugin CVE-2020-2121 (Jenkins Google Kubernetes Engine Plugin 0.8.0 and earlier does not con ...) NOT-FOR-US: Jenkins plugin CVE-2020-2120 (Jenkins FitNesse Plugin 1.30 and earlier does not configure the XML pa ...) NOT-FOR-US: Jenkins plugin CVE-2020-2119 (Jenkins Azure AD Plugin 1.1.2 and earlier transmits configured credent ...) NOT-FOR-US: Jenkins plugin CVE-2020-2118 (A missing permission check in Jenkins Pipeline GitHub Notify Step Plug ...) NOT-FOR-US: Jenkins plugin CVE-2020-2117 (A missing permission check in Jenkins Pipeline GitHub Notify Step Plug ...) NOT-FOR-US: Jenkins plugin CVE-2020-2116 (A cross-site request forgery vulnerability in Jenkins Pipeline GitHub ...) NOT-FOR-US: Jenkins plugin CVE-2020-2115 (Jenkins NUnit Plugin 0.25 and earlier does not configure the XML parse ...) NOT-FOR-US: Jenkins plugin CVE-2020-2114 (Jenkins S3 publisher Plugin 0.11.4 and earlier transmits configured cr ...) NOT-FOR-US: Jenkins plugin CVE-2020-2113 (Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the de ...) NOT-FOR-US: Jenkins plugin CVE-2020-2112 (Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the pa ...) NOT-FOR-US: Jenkins plugin CVE-2020-2111 (Jenkins Subversion Plugin 2.13.0 and earlier does not escape the error ...) NOT-FOR-US: Jenkins plugin CVE-2020-2110 (Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier ...) NOT-FOR-US: Jenkins plugin CVE-2020-2109 (Sandbox protection in Jenkins Pipeline: Groovy Plugin 2.78 and earlier ...) NOT-FOR-US: Jenkins plugin CVE-2020-2108 (Jenkins WebSphere Deployer Plugin 1.6.1 and earlier does not configure ...) NOT-FOR-US: Jenkins plugin CVE-2020-2107 (Jenkins Fortify Plugin 19.1.29 and earlier stores proxy server passwor ...) NOT-FOR-US: Jenkins plugin CVE-2020-2106 (Jenkins Code Coverage API Plugin 1.1.2 and earlier does not escape the ...) NOT-FOR-US: Jenkins plugin CVE-2020-2105 (REST API endpoints in Jenkins 2.218 and earlier, LTS 2.204.1 and earli ...) NOT-FOR-US: Jenkins CVE-2020-2104 (Jenkins 2.218 and earlier, LTS 2.204.1 and earlier allowed users with ...) NOT-FOR-US: Jenkins CVE-2020-2103 (Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session ide ...) NOT-FOR-US: Jenkins CVE-2020-2102 (Jenkins 2.218 and earlier, LTS 2.204.1 and earlier used a non-constant ...) NOT-FOR-US: Jenkins CVE-2020-2101 (Jenkins 2.218 and earlier, LTS 2.204.1 and earlier did not use a const ...) NOT-FOR-US: Jenkins CVE-2020-2100 (Jenkins 2.218 and earlier, LTS 2.204.1 and earlier was vulnerable to a ...) NOT-FOR-US: Jenkins CVE-2020-2099 (Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses e ...) NOT-FOR-US: Jenkins CVE-2020-2098 (A cross-site request forgery vulnerability in Jenkins Sounds Plugin 0. ...) NOT-FOR-US: Jenkins plugin CVE-2020-2097 (Jenkins Sounds Plugin 0.5 and earlier does not perform permission chec ...) NOT-FOR-US: Jenkins plugin CVE-2020-2096 (Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project n ...) NOT-FOR-US: Jenkins plugin CVE-2020-2095 (Jenkins Redgate SQL Change Automation Plugin 2.0.4 and earlier stored ...) NOT-FOR-US: Jenkins plugin CVE-2020-2094 (A missing permission check in Jenkins Health Advisor by CloudBees Plug ...) NOT-FOR-US: Jenkins plugin CVE-2020-2093 (A cross-site request forgery vulnerability in Jenkins Health Advisor b ...) NOT-FOR-US: Jenkins plugin CVE-2020-2092 (Jenkins Robot Framework Plugin 2.0.0 and earlier does not configure it ...) NOT-FOR-US: Jenkins plugin CVE-2020-2091 (A missing permission check in Jenkins Amazon EC2 Plugin 1.47 and earli ...) NOT-FOR-US: Jenkins plugin CVE-2020-2090 (A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugi ...) NOT-FOR-US: Jenkins plugin CVE-2020-2089 RESERVED CVE-2020-2088 RESERVED CVE-2020-2087 RESERVED CVE-2020-2086 RESERVED CVE-2020-2085 RESERVED CVE-2020-2084 RESERVED CVE-2020-2083 RESERVED CVE-2020-2082 RESERVED CVE-2020-2081 RESERVED CVE-2020-2080 RESERVED CVE-2020-2079 RESERVED CVE-2020-2078 RESERVED CVE-2020-2077 RESERVED CVE-2020-2076 RESERVED CVE-2020-2075 RESERVED CVE-2020-2074 RESERVED CVE-2020-2073 RESERVED CVE-2020-2072 RESERVED CVE-2020-2071 RESERVED CVE-2020-2070 RESERVED CVE-2020-2069 RESERVED CVE-2020-2068 RESERVED CVE-2020-2067 RESERVED CVE-2020-2066 RESERVED CVE-2020-2065 RESERVED CVE-2020-2064 RESERVED CVE-2020-2063 RESERVED CVE-2020-2062 RESERVED CVE-2020-2061 RESERVED CVE-2020-2060 RESERVED CVE-2020-2059 RESERVED CVE-2020-2058 RESERVED CVE-2020-2057 RESERVED CVE-2020-2056 RESERVED CVE-2020-2055 RESERVED CVE-2020-2054 RESERVED CVE-2020-2053 RESERVED CVE-2020-2052 RESERVED CVE-2020-2051 RESERVED CVE-2020-2050 RESERVED CVE-2020-2049 RESERVED CVE-2020-2048 RESERVED CVE-2020-2047 RESERVED CVE-2020-2046 RESERVED CVE-2020-2045 RESERVED CVE-2020-2044 RESERVED CVE-2020-2043 RESERVED CVE-2020-2042 RESERVED CVE-2020-2041 RESERVED CVE-2020-2040 RESERVED CVE-2020-2039 RESERVED CVE-2020-2038 RESERVED CVE-2020-2037 RESERVED CVE-2020-2036 RESERVED CVE-2020-2035 RESERVED CVE-2020-2034 (An OS Command Injection vulnerability in the PAN-OS GlobalProtect port ...) TODO: check CVE-2020-2033 (When the pre-logon feature is enabled, a missing certification validat ...) NOT-FOR-US: Palo Alto Networks CVE-2020-2032 (A race condition vulnerability Palo Alto Networks GlobalProtect app on ...) NOT-FOR-US: Palo Alto Networks CVE-2020-2031 (An integer underflow vulnerability in the dnsproxyd component of the P ...) TODO: check CVE-2020-2030 (An OS Command Injection vulnerability in the PAN-OS management interfa ...) TODO: check CVE-2020-2029 (An OS Command Injection vulnerability in the PAN-OS web management int ...) NOT-FOR-US: Palo Alto Networks CVE-2020-2028 (An OS Command Injection vulnerability in PAN-OS management server allo ...) NOT-FOR-US: Palo Alto Networks CVE-2020-2027 (A buffer overflow vulnerability in the authd component of the PAN-OS m ...) NOT-FOR-US: Palo Alto Networks CVE-2020-2026 (A malicious guest compromised before a container creation (e.g. a mali ...) NOT-FOR-US: Kata Containers CVE-2020-2025 (Kata Containers before 1.11.0 on Cloud Hypervisor persists guest files ...) NOT-FOR-US: Kata Containers CVE-2020-2024 (An improper link resolution vulnerability affects Kata Containers vers ...) NOT-FOR-US: Kata Containers CVE-2020-2023 (Kata Containers doesn't restrict containers from accessing the guest's ...) NOT-FOR-US: Kata Containers CVE-2020-2022 RESERVED CVE-2020-2021 (When Security Assertion Markup Language (SAML) authentication is enabl ...) NOT-FOR-US: Palo Alto Networks CVE-2020-2020 RESERVED CVE-2020-2019 RESERVED CVE-2020-2018 (An authentication bypass vulnerability in the Panorama context switchi ...) NOT-FOR-US: PAN-OS CVE-2020-2017 (A DOM-Based Cross Site Scripting Vulnerability exists in PAN-OS and Pa ...) NOT-FOR-US: PAN-OS CVE-2020-2016 (A race condition due to insecure creation of a file in a temporary dir ...) NOT-FOR-US: PAN-OS CVE-2020-2015 (A buffer overflow vulnerability in the PAN-OS management server allows ...) NOT-FOR-US: PAN-OS CVE-2020-2014 (An OS Command Injection vulnerability in PAN-OS management server allo ...) NOT-FOR-US: PAN-OS CVE-2020-2013 (A cleartext transmission of sensitive information vulnerability in Pal ...) NOT-FOR-US: PAN-OS CVE-2020-2012 (Improper restriction of XML external entity reference ('XXE') vulnerab ...) NOT-FOR-US: PAN-OS CVE-2020-2011 (An improper input validation vulnerability in the configuration daemon ...) NOT-FOR-US: PAN-OS CVE-2020-2010 (An OS command injection vulnerability in PAN-OS management interface a ...) NOT-FOR-US: PAN-OS CVE-2020-2009 (An external control of filename vulnerability in the SD WAN component ...) NOT-FOR-US: PAN-OS CVE-2020-2008 (An OS command injection and external control of filename vulnerability ...) NOT-FOR-US: PAN-OS CVE-2020-2007 (An OS command injection vulnerability in the management server compone ...) NOT-FOR-US: PAN-OS CVE-2020-2006 (A stack-based buffer overflow vulnerability in the management server c ...) NOT-FOR-US: PAN-OS CVE-2020-2005 (A cross-site scripting (XSS) vulnerability exists when visiting malici ...) NOT-FOR-US: PAN-OS CVE-2020-2004 (Under certain circumstances a user's password may be logged in clearte ...) NOT-FOR-US: PAN-OS CVE-2020-2003 (An external control of filename vulnerability in the command processin ...) NOT-FOR-US: PAN-OS CVE-2020-2002 (An authentication bypass by spoofing vulnerability exists in the authe ...) NOT-FOR-US: PAN-OS CVE-2020-2001 (An external control of path and data vulnerability in the Palo Alto Ne ...) NOT-FOR-US: PAN-OS CVE-2020-2000 RESERVED CVE-2020-1999 RESERVED CVE-2020-1998 (An improper authorization vulnerability in PAN-OS that mistakenly uses ...) NOT-FOR-US: PAN-OS CVE-2020-1997 (An open redirection vulnerability in the GlobalProtect component of Pa ...) NOT-FOR-US: PAN-OS CVE-2020-1996 (A missing authorization vulnerability in the management server compone ...) NOT-FOR-US: PAN-OS CVE-2020-1995 (A NULL pointer dereference vulnerability in Palo Alto Networks PAN-OS ...) NOT-FOR-US: PAN-OS CVE-2020-1994 (A predictable temporary file vulnerability in PAN-OS allows a local au ...) NOT-FOR-US: PAN-OS CVE-2020-1993 (The GlobalProtect Portal feature in PAN-OS does not set a new session ...) NOT-FOR-US: PAN-OS CVE-2020-1992 (A format string vulnerability in the Varrcvr daemon of PAN-OS on PA-70 ...) NOT-FOR-US: Palo Alto Networks CVE-2020-1991 (An insecure temporary file vulnerability in Palo Alto Networks Traps a ...) NOT-FOR-US: Palo Alto Networks CVE-2020-1990 (A stack-based buffer overflow vulnerability in the management server c ...) NOT-FOR-US: Palo Alto Networks CVE-2020-1989 (An incorrect privilege assignment vulnerability when writing applicati ...) NOT-FOR-US: Palo Alto Networks CVE-2020-1988 (An unquoted search path vulnerability in the Windows release of Global ...) NOT-FOR-US: Palo Alto Networks CVE-2020-1987 (An information exposure vulnerability in the logging component of Palo ...) NOT-FOR-US: Palo Alto Networks CVE-2020-1986 (Improper input validation vulnerability in Secdo allows an authenticat ...) NOT-FOR-US: Palo Alto Networks CVE-2020-1985 (Incorrect Default Permissions on C:\Programdata\Secdo\Logs folder in S ...) NOT-FOR-US: Palo Alto Networks CVE-2020-1984 (Secdo tries to execute a script at a hardcoded path if present, which ...) NOT-FOR-US: Palo Alto Networks CVE-2020-1983 (A use after free vulnerability in ip_reass() in ip_input.c of libslirp ...) {DSA-4665-1 DLA-2262-1} - qemu 1:4.1-2 - qemu-kvm - libslirp 4.2.0-2 - slirp4netns 1.0.1-1 [buster] - slirp4netns (Minor issue) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/9bd6c5913271eabcb7768a58197ed3301fe19f2d NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed NOTE: slirp4netns 1.0.1-1 switched to system libslirp, marking that version as fixed. CVE-2020-1982 (Certain communication between PAN-OS and cloud-delivered services inad ...) TODO: check CVE-2020-1981 (A predictable temporary filename vulnerability in PAN-OS allows local ...) NOT-FOR-US: PAN-OS CVE-2020-1980 (A shell command injection vulnerability in the PAN-OS CLI allows a loc ...) NOT-FOR-US: PAN-OS CVE-2020-1979 (A format string vulnerability in the PAN-OS log daemon (logd) on Panor ...) NOT-FOR-US: PAN-OS CVE-2020-1978 (TechSupport files generated on Palo Alto Networks VM Series firewalls ...) NOT-FOR-US: Palo Alto Networks CVE-2020-1977 (Insufficient Cross-Site Request Forgery (XSRF) protection on Expeditio ...) NOT-FOR-US: Palo Alto CVE-2020-1976 (A denial-of-service (DoS) vulnerability in Palo Alto Networks GlobalPr ...) NOT-FOR-US: Palo Alto Networks GlobalProtect software CVE-2020-1975 (Missing XML validation vulnerability in the PAN-OS web interface on Pa ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2019-19598 (D-Link DAP-1860 devices before v1.04b03 Beta allow access to administr ...) NOT-FOR-US: D-Link CVE-2019-19597 (D-Link DAP-1860 devices before v1.04b03 Beta allow arbitrary remote co ...) NOT-FOR-US: D-Link CVE-2019-19596 (GitBook through 2.6.9 allows XSS via a local .md file. ...) NOT-FOR-US: GitBook CVE-2019-19595 (reset/modules/advanced_form_maker_edit/multiupload/upload.php in the R ...) NOT-FOR-US: RESET.PRO Adobe Stock API integration for PrestaShop CVE-2019-19594 (reset/modules/fotoliaFoto/multi_upload.php in the RESET.PRO Adobe Stoc ...) NOT-FOR-US: Adobe Stock API integration for PrestaShop CVE-2019-19593 RESERVED CVE-2019-19592 (Jama Connect 8.44.0 is vulnerable to stored Cross-Site Scripting ...) NOT-FOR-US: Jama Connect CVE-2019-19591 RESERVED CVE-2019-19590 (In radare2 through 4.0, there is an integer overflow for the variable ...) - radare2 4.2.1+dfsg-1 (bug #947791) [jessie] - radare2 (Minor issue) NOTE: https://github.com/radareorg/radare2/issues/15543 NOTE: https://github.com/radareorg/radare2/commit/9bbc63ffa0e93aa054e262cdfb973326935a2d70 CVE-2019-19589 (The Lever PDF Embedder plugin 4.4 for WordPress does not block the dis ...) NOT-FOR-US: Lever PDF Embedder plugin for WordPress CVE-2019-19588 (The validators package 0.12.2 through 0.12.5 for Python enters an infi ...) NOT-FOR-US: validators Python package CVE-2019-19587 (In WSO2 Enterprise Integrator 6.5.0, reflected XSS occurs when updatin ...) NOT-FOR-US: WSO2 Enterprise Integrator CVE-2019-19586 RESERVED CVE-2019-19585 (An issue was discovered in rConfig 3.9.3. The install script updates t ...) NOT-FOR-US: rConfig CVE-2019-19584 RESERVED CVE-2019-19583 (An issue was discovered in Xen through 4.12.x allowing x86 HVM/PVH gue ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-308.html CVE-2019-19582 (An issue was discovered in Xen through 4.12.x allowing x86 guest OS us ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-307.html CVE-2019-19581 (An issue was discovered in Xen through 4.12.x allowing 32-bit Arm gues ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-307.html CVE-2019-19580 (An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-310.html CVE-2019-19578 (An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-309.html CVE-2019-19577 (An issue was discovered in Xen through 4.12.x allowing x86 AMD HVM gue ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-311.html CVE-2019-19579 (An issue was discovered in Xen through 4.12.x allowing attackers to ga ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-306.html CVE-2019-19576 (class.upload.php in verot.net class.upload before 1.0.3 and 2.x before ...) NOT-FOR-US: K2 extension for Joomla! CVE-2019-19575 RESERVED CVE-2019-19574 RESERVED CVE-2019-19573 RESERVED CVE-2019-19572 RESERVED CVE-2019-19571 RESERVED CVE-2019-19570 RESERVED CVE-2019-19569 RESERVED CVE-2019-19568 RESERVED CVE-2019-19567 RESERVED CVE-2019-19566 RESERVED CVE-2019-19565 RESERVED CVE-2019-19564 RESERVED CVE-2019-19563 RESERVED CVE-2019-19562 RESERVED CVE-2019-19561 RESERVED CVE-2019-19560 RESERVED CVE-2019-19559 RESERVED CVE-2019-19558 RESERVED CVE-2019-19557 RESERVED CVE-2019-19556 RESERVED CVE-2019-19555 (read_textobject in read.c in Xfig fig2dev 3.2.7b has a stack-based buf ...) {DLA-2073-1} - fig2dev 1:3.2.7b-2 (unimportant; bug #946176) [buster] - fig2dev 1:3.2.7a-5+deb10u2 [stretch] - fig2dev 1:3.2.6a-2+deb9u3 - transfig (unimportant) NOTE: https://sourceforge.net/p/mcj/tickets/55/ NOTE: https://sourceforge.net/p/mcj/fig2dev/ci/19db5fe6f77ebad91af4b4ef0defd61bd0bb358f/ NOTE: Crash in CLI tool, negligible security impact CVE-2019-19554 RESERVED CVE-2019-19553 (In Wireshark 3.0.0 to 3.0.6 and 2.6.0 to 2.6.12, the CMS dissector cou ...) - wireshark 3.0.7-1 (low) [buster] - wireshark (Can be fixed along in next 3.0.x DSA) [stretch] - wireshark (Can be fixed along in next 2.6.x DSA) [jessie] - wireshark (Can be fixed along in next 1.12.x DLA) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15961 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=34d2e0d5318d0a7e9889498c721639e5cbf4ce45 NOTE: https://www.wireshark.org/security/wnpa-sec-2019-22.html CVE-2019-19552 (In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists i ...) NOT-FOR-US: FreePBX CVE-2019-19551 (In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists i ...) NOT-FOR-US: FreePBX CVE-2020-1974 RESERVED CVE-2020-1973 RESERVED CVE-2020-1972 RESERVED CVE-2020-1971 RESERVED CVE-2020-1970 RESERVED CVE-2020-1969 RESERVED CVE-2020-1968 RESERVED CVE-2020-1967 (Server or client applications that call the SSL_check_chain() function ...) {DSA-4661-1} - openssl 1.1.1g-1 [stretch] - openssl (Only affects 1.1.1d to 1.1.1f) [jessie] - openssl (Only affects 1.1.1d to 1.1.1f) - openssl1.0 (Only affects 1.1.1d to 1.1.1f) NOTE: https://www.openssl.org/news/secadv/20200421.txt CVE-2020-1966 RESERVED CVE-2020-1965 RESERVED CVE-2019-19550 (Remote Authentication Bypass in Senior Rubiweb 6.2.34.28 and 6.2.34.37 ...) NOT-FOR-US: Senior Rubiweb CVE-2019-19549 RESERVED CVE-2019-19548 (Norton Power Eraser, prior to 5.3.0.67, may be susceptible to a privil ...) NOT-FOR-US: Norton CVE-2019-19547 (Symantec Endpoint Detection and Response (SEDR), prior to 4.3.0, may b ...) NOT-FOR-US: Symantec CVE-2019-19546 (Norton Password Manager, prior to 6.6.2.5, may be susceptible to an in ...) NOT-FOR-US: Norton Password Manager CVE-2019-19545 (Norton Password Manager, prior to 6.6.2.5, may be susceptible to a cro ...) NOT-FOR-US: Norton Password Manager CVE-2019-19544 (CA Automic Dollar Universe 5.3.3 contains a vulnerability, related to ...) NOT-FOR-US: CA Automic Dollar Universe CVE-2019-19542 (The ListingPro theme before v2.0.14.2 for WordPress has Persistent XSS ...) NOT-FOR-US: ListingPro theme for WordPress CVE-2019-19541 (The ListingPro theme before v2.0.14.2 for WordPress has Persistent XSS ...) NOT-FOR-US: ListingPro theme for WordPress CVE-2019-19540 (The ListingPro theme before v2.0.14.2 for WordPress has Reflected XSS ...) NOT-FOR-US: ListingPro theme for WordPress CVE-2019-19543 (In the Linux kernel before 5.1.6, there is a use-after-free in serial_ ...) - linux 5.2.6-1 [buster] - linux 4.19.67-1 [stretch] - linux (Vulnerability introduced later) [jessie] - linux (Vulnerability introduced later) NOTE: https://git.kernel.org/linus/56cd26b618855c9af48c8301aa6754ced8dd0beb CVE-2019-19539 (An issue was discovered in Idelji Web ViewPoint H01ABO-H01BY and L01AB ...) NOT-FOR-US: Idelji Web ViewPoint CVE-2019-19538 (In Sangoma FreePBX 13 through 15 and sysadmin (aka System Admin) 13.0. ...) NOT-FOR-US: FreePBX CVE-2019-19537 (In the Linux kernel before 5.2.10, there is a race condition bug that ...) {DLA-2114-1 DLA-2068-1} - linux 5.2.17-1 [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/303911cfc5b95d33687d9046133ff184cf5043ff CVE-2019-19536 (In the Linux kernel before 5.2.9, there is an info-leak bug that can b ...) {DLA-2114-1 DLA-2068-1} - linux 5.2.9-1 [buster] - linux 4.19.67-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/ead16e53c2f0ed946d82d4037c630e2f60f4ab69 CVE-2019-19535 (In the Linux kernel before 5.2.9, there is an info-leak bug that can b ...) {DLA-2114-1} - linux 5.2.9-1 [buster] - linux 4.19.67-1 [stretch] - linux 4.9.210-1 [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/30a8beeb3042f49d0537b7050fd21b490166a3d9 CVE-2019-19534 (In the Linux kernel before 5.3.11, there is an info-leak bug that can ...) {DLA-2114-1 DLA-2068-1} - linux 5.3.15-1 [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/f7a1337f0d29b98733c8824e165fca3371d7d4fd CVE-2019-19533 (In the Linux kernel before 5.3.4, there is an info-leak bug that can b ...) {DLA-2114-1 DLA-2068-1} - linux 5.3.7-1 [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/a10feaf8c464c3f9cfdd3a8a7ce17e1c0d498da1 CVE-2019-19532 (In the Linux kernel before 5.3.9, there are multiple out-of-bounds wri ...) {DLA-2114-1 DLA-2068-1} - linux 5.3.9-1 [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/d9d4b1e46d9543a82c23f6df03f4ad697dab361b CVE-2019-19531 (In the Linux kernel before 5.2.9, there is a use-after-free bug that c ...) {DLA-2114-1 DLA-2068-1} - linux 5.2.9-1 [buster] - linux 4.19.67-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/fc05481b2fcabaaeccf63e32ac1baab54e5b6963 CVE-2019-19530 (In the Linux kernel before 5.2.10, there is a use-after-free bug that ...) {DLA-2114-1 DLA-2068-1} - linux 5.2.17-1 [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/c52873e5a1ef72f845526d9f6a50704433f9c625 CVE-2019-19529 (In the Linux kernel before 5.3.11, there is a use-after-free bug that ...) - linux 5.3.15-1 [buster] - linux 4.19.87-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/4d6636498c41891d0482a914dd570343a838ad79 CVE-2019-19528 (In the Linux kernel before 5.3.7, there is a use-after-free bug that c ...) - linux 5.3.7-1 [buster] - linux 4.19.87-1 [stretch] - linux (Vulnerable code not yet present in released version) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/edc4746f253d907d048de680a621e121517f484b CVE-2019-19527 (In the Linux kernel before 5.2.10, there is a use-after-free bug that ...) {DLA-2114-1 DLA-2068-1} - linux 5.2.17-1 [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/6d4472d7bec39917b54e4e80245784ea5d60ce49 NOTE: https://git.kernel.org/linus/9c09b214f30e3c11f9b0b03f89442df03643794d CVE-2019-19526 (In the Linux kernel before 5.3.9, there is a use-after-free bug that c ...) - linux 5.3.9-1 [buster] - linux 4.19.87-1 [stretch] - linux (Vulnerability introduced later) [jessie] - linux (Vulnerability introduced later) NOTE: https://git.kernel.org/linus/6af3aa57a0984e061f61308fe181a9a12359fecc CVE-2019-19525 (In the Linux kernel before 5.3.6, there is a use-after-free bug that c ...) {DLA-2114-1} - linux 5.3.7-1 [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/7fd25e6fc035f4b04b75bca6d7e8daa069603a76 CVE-2019-19524 (In the Linux kernel before 5.3.12, there is a use-after-free bug that ...) {DLA-2114-1 DLA-2068-1} - linux 5.3.15-1 [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/fa3a5a1880c91bb92594ad42dfe9eedad7996b86 CVE-2019-19523 (In the Linux kernel before 5.3.7, there is a use-after-free bug that c ...) {DLA-2114-1 DLA-2068-1} - linux 5.3.7-1 [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/44efc269db7929f6275a1fa927ef082e533ecde0 CVE-2019-19522 (OpenBSD 6.6, in a non-default configuration where S/Key or YubiKey aut ...) NOT-FOR-US: OpenBSD CVE-2019-19521 (libc in OpenBSD 6.6 allows authentication bypass via the -schallenge u ...) NOT-FOR-US: OpenBSD CVE-2019-19520 (xlock in OpenBSD 6.6 allows local users to gain the privileges of the ...) NOT-FOR-US: OpenBSD CVE-2019-19519 (In OpenBSD 6.6, local users can use the su -L option to achieve any lo ...) NOT-FOR-US: OpenBSD CVE-2019-19518 (CA Automic Sysload 5.6.0 through 6.1.2 contains a vulnerability, relat ...) NOT-FOR-US: CA Automic Sysload CVE-2020-1964 (It was noticed that Apache Heron 0.20.2-incubating, Release 0.20.1-inc ...) NOT-FOR-US: Apache Heron CVE-2020-1963 (Apache Ignite uses H2 database to build SQL distributed execution engi ...) NOT-FOR-US: Apache Ignite CVE-2020-1962 REJECTED CVE-2020-1961 (Vulnerability to Server-Side Template Injection on Mail templates for ...) NOT-FOR-US: Apache Syncope CVE-2020-1960 (A vulnerability in Apache Flink (1.1.0 to 1.1.5, 1.2.0 to 1.2.1, 1.3.0 ...) NOT-FOR-US: Apache Flink CVE-2020-1959 (A Server-Side Template Injection was identified in Apache Syncope prio ...) NOT-FOR-US: Apache Syncope CVE-2020-1958 (When LDAP authentication is enabled in Apache Druid 0.17.0, callers of ...) - druid (bug #825797) CVE-2020-1957 (Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic ...) {DLA-2273-1 DLA-2181-1} - shiro (bug #955018) NOTE: https://www.openwall.com/lists/oss-security/2020/03/23/2 NOTE: Fixed by: https://github.com/apache/shiro/commit/3708d7907016bf2fa12691dff6ff0def1249b8ce#diff-98f7bc5c0391389e56531f8b3754081aL139 NOTE: https://github.com/apache/shiro/pull/203#issuecomment-606270322 NOTE: Fix for CVE-2020-1957 introduces a (security sensitive) encoding issue NOTE: resulting in a followup release 1.5.3. CVE-2020-1956 (Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restfu ...) NOT-FOR-US: Apache Kylin CVE-2020-1955 (CouchDB version 3.0.0 shipped with a new configuration setting that go ...) - couchdb CVE-2020-1954 (Apache CXF has the ability to integrate with JMX by registering an Ins ...) NOT-FOR-US: Apache CXF CVE-2020-1953 (Apache Commons Configuration uses a third-party library to parse YAML ...) - commons-configuration2 2.7-1 (bug #954713) NOTE: https://www.openwall.com/lists/oss-security/2020/03/13/1 CVE-2020-1952 (An issue was found in Apache IoTDB .9.0 to 0.9.1 and 0.8.0 to 0.8.2. W ...) NOT-FOR-US: Apache IoTDB CVE-2020-1951 (A carefully crafted or corrupt PSD file can cause an infinite loop in ...) {DLA-2161-1} - tika (bug #954302) [buster] - tika (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2020/03/18/4 CVE-2020-1950 (A carefully crafted or corrupt PSD file can cause excessive memory usa ...) {DLA-2161-1} - tika (bug #954303) [buster] - tika (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2020/03/18/3 CVE-2020-1949 (Scripts in Sling CMS before 0.16.0 do not property escape the Sling Se ...) NOT-FOR-US: Apache Sling CVE-2020-1948 RESERVED CVE-2020-1947 (In Apache ShardingSphere(incubator) 4.0.0-RC3 and 4.0.0, the ShardingS ...) NOT-FOR-US: Apache ShardingSphere CVE-2020-1946 RESERVED CVE-2020-1945 (Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default tempora ...) - ant 1.10.8-1 (low; bug #960630) [buster] - ant (Minor issue) [stretch] - ant (Minor issue) [jessie] - ant (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2020/05/13/1 NOTE: https://github.com/apache/ant/commit/9c1f4d905da59bf446570ac28df5b68a37281f35 (1.9.15) NOTE: https://github.com/apache/ant/commit/926f339ea30362bec8e53bf5924ce803938163b7 (1.9.15) NOTE: https://github.com/apache/ant/commit/d591851ae3921172bb825b5a5344afa3de0e28ca (10.8) NOTE: https://github.com/apache/ant/commit/9c1f4d905da59bf446570ac28df5b68a37281f35 (10.8) NOTE: https://github.com/apache/ant/commit/041b058c7bf10a94d56db3ca9dba38cf90ab9943 (10.8) NOTE: https://github.com/apache/ant/commit/a8645a151bc706259fb1789ef587d05482d98612 (10.8) NOTE: https://github.com/apache/ant/commit/926f339ea30362bec8e53bf5924ce803938163b7 (10.8) CVE-2020-1944 (There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0. ...) {DSA-4672-1} - trafficserver 8.0.6+ds-1 NOTE: https://lists.apache.org/thread.html/r99d18d0bc4daa05e7d0e5a63e0e22701a421b2ef5a8f4f7694c43869%40%3Cannounce.trafficserver.apache.org%3E NOTE: https://github.com/apache/trafficserver/commit/5830bc72611e85e7a31098ce86710242f29076dc CVE-2020-1943 (Data sent with contentId to /control/stream is not sanitized, allowing ...) NOT-FOR-US: Apache OFBiz CVE-2020-1942 (In Apache NiFi 0.0.1 to 1.11.0, the flow fingerprint factory generated ...) NOT-FOR-US: Apache NiFi CVE-2020-1941 (In Apache ActiveMQ 5.0.0 to 5.15.11, the webconsole admin GUI is open ...) - activemq (unimportant) NOTE: Admin console not enabled in the Debian package, see #702670) NOTE: Fixed in 5.15.12 CVE-2020-1940 (The optional initial password change and password expiration features ...) NOT-FOR-US: Apache Jackrabbit Oak CVE-2020-1939 (The Apache NuttX (Incubating) project provides an optional separate "a ...) NOT-FOR-US: Apache NuttX CVE-2020-1938 (When using the Apache JServ Protocol (AJP), care must be taken when tr ...) {DSA-4680-1 DSA-4673-1 DLA-2209-1 DLA-2133-1} - tomcat9 9.0.31-1 (bug #952437) - tomcat8 (bug #952438) - tomcat7 (bug #952436) NOTE: AJP disabled in Debian in default configuration since 2008 NOTE: fixed in upstream versions 9.0.31, 8.5.51, 7.0.100 NOTE: https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487 NOTE: https://github.com/apache/tomcat/commit/0e8a50f0a5958744bea1fd6768c862e04d3b7e75 (9.0.31) NOTE: https://github.com/apache/tomcat/commit/9ac90532e9a7d239f90952edb229b07c80a9a3eb (9.0.31) NOTE: https://github.com/apache/tomcat/commit/64fa5b99442589ef0bf2a7fcd71ad2bc68b35fad (9.0.31) NOTE: https://github.com/apache/tomcat/commit/7a1406a3cd20fdd90656add6cd8f27ef8f24e957 (9.0.31) NOTE: https://github.com/apache/tomcat/commit/49ad3f954f69c6e838c8cd112ad79aa5fa8e7153 (9.0.31) NOTE: https://github.com/apache/tomcat/commit/69c56080fb3355507e1b55d014ec0ee6767a6150 (8.5.51) NOTE: https://github.com/apache/tomcat/commit/b962835f98b905286b78c414d5aaec2d0e711f75 (8.5.51) NOTE: https://github.com/apache/tomcat/commit/9be57601efb8a81e3832feb0dd60b1eb9d2b61d5 (8.5.51) NOTE: https://github.com/apache/tomcat/commit/64159aa1d7cdc2c118fcb5eac098e70129d54a19 (8.5.51) NOTE: https://github.com/apache/tomcat/commit/03c436126db6794db5277a3b3d871016fb9a3f23 (8.5.51) NOTE: https://github.com/apache/tomcat/commit/0d633e72ebc7b3c242d0081c23bba5e4dacd9b72 (7.0.100) NOTE: https://github.com/apache/tomcat/commit/40d5d93bd284033cf4a1f77f5492444f83d803e2 (7.0.100) NOTE: https://github.com/apache/tomcat/commit/b99fba5bd796d876ea536e83299603443842feba (7.0.100) NOTE: https://github.com/apache/tomcat/commit/f7180bafc74cb1250c9e9287b68a230f0e1f4645 (7.0.100) CVE-2020-1937 (Kylin has some restful apis which will concatenate SQLs with the user ...) NOT-FOR-US: Apache Kylin CVE-2020-1936 RESERVED CVE-2020-1935 (In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0. ...) {DSA-4680-1 DSA-4673-1 DLA-2209-1 DLA-2133-1} - tomcat9 9.0.31-1 - tomcat8 - tomcat7 NOTE: https://github.com/apache/tomcat/commit/8bfb0ff7f25fe7555a5eb2f7984f73546c11aa26 (9.0.31) NOTE: https://github.com/apache/tomcat/commit/8fbe2e962f0ea138d92361921643fe5abe0c4f56 (8.5.51) NOTE: https://github.com/apache/tomcat/commit/702bf15bea292915684d931526d95d4990b2e73d (7.0.100) CVE-2020-1934 (In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitial ...) - apache2 2.4.43-1 (low) [buster] - apache2 (Minor issue) [stretch] - apache2 (Minor issue) [jessie] - apache2 (Minor issue) NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1934 NOTE: Upstream patch: https://svn.apache.org/r1873745 CVE-2020-1933 (A XSS vulnerability was found in Apache NiFi 1.0.0 to 1.10.0. Maliciou ...) NOT-FOR-US: Apache NiFi CVE-2020-1932 (An information disclosure issue was found in Apache Superset 0.34.0, 0 ...) NOT-FOR-US: Apache Superset CVE-2020-1931 (A command execution issue was found in Apache SpamAssassin prior to 3. ...) {DSA-4615-1 DLA-2107-1} - spamassassin 3.4.4~rc1-1 (bug #950258) NOTE: https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.4.txt NOTE: https://www.openwall.com/lists/oss-security/2020/01/30/2 NOTE: https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7784 (restricted) CVE-2020-1930 (A command execution issue was found in Apache SpamAssassin prior to 3. ...) {DSA-4615-1 DLA-2107-1} - spamassassin 3.4.4~rc1-1 (bug #950258) NOTE: https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.4.txt NOTE: https://www.openwall.com/lists/oss-security/2020/01/30/3 NOTE: https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7648 (restricted) CVE-2020-1929 (The Apache Beam MongoDB connector in versions 2.10.0 to 2.16.0 has an ...) NOT-FOR-US: Apache Beam MongoDB connector CVE-2020-1928 (An information disclosure vulnerability was found in Apache NiFi 1.10. ...) NOT-FOR-US: Apache NiFi CVE-2020-1927 (In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_r ...) - apache2 2.4.43-1 (low) [buster] - apache2 (Minor issue) [stretch] - apache2 (Minor issue) [jessie] - apache2 (Minor issue) NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927 NOTE: https://svn.apache.org/r1873905 NOTE: https://svn.apache.org/r1874191 CVE-2020-1926 RESERVED CVE-2020-1925 (Apache Olingo versions 4.0.0 to 4.7.0 provide the AsyncRequestWrapperI ...) NOT-FOR-US: Olingo CVE-2019-19517 (Intelbras RF1200 1.1.3 devices allow CSRF to bypass the login.html for ...) NOT-FOR-US: Intelbras CVE-2019-19516 (Intelbras WRN 150 1.0.18 devices allow CSRF via GO=system_password.asp ...) NOT-FOR-US: Intelbras WRN CVE-2019-19515 (Ayision Ays-WR01 v28K.RPT.20161224 devices allow stored XSS in wireles ...) NOT-FOR-US: Ayision CVE-2019-19514 (Ayision Ays-WR01 v28K.RPT.20161224 devices allow stored XSS in basic r ...) NOT-FOR-US: Ayision CVE-2019-19513 RESERVED CVE-2020-1924 RESERVED CVE-2020-1923 RESERVED CVE-2020-1922 RESERVED CVE-2020-1921 RESERVED CVE-2020-1920 RESERVED CVE-2020-1919 RESERVED CVE-2020-1918 RESERVED CVE-2020-1917 RESERVED CVE-2020-1916 RESERVED CVE-2020-1915 RESERVED CVE-2020-1914 RESERVED CVE-2020-1913 RESERVED CVE-2020-1912 RESERVED CVE-2020-1911 RESERVED CVE-2020-1910 RESERVED CVE-2020-1909 RESERVED CVE-2020-1908 RESERVED CVE-2020-1907 RESERVED CVE-2020-1906 RESERVED CVE-2020-1905 RESERVED CVE-2020-1904 RESERVED CVE-2020-1903 RESERVED CVE-2020-1902 RESERVED CVE-2020-1901 RESERVED CVE-2020-1900 RESERVED CVE-2020-1899 RESERVED CVE-2020-1898 RESERVED CVE-2020-1897 (A use-after-free is possible due to an error in lifetime management in ...) NOT-FOR-US: Facebook Proxygen CVE-2020-1896 RESERVED CVE-2020-1895 (A large heap overflow could occur in Instagram for Android when attemp ...) NOT-FOR-US: Instagram for Android CVE-2020-1894 RESERVED CVE-2020-1893 (Insufficient boundary checks when decoding JSON in TryParse reads out ...) - hhvm CVE-2020-1892 (Insufficient boundary checks when decoding JSON in JSON_parser allows ...) - hhvm CVE-2020-1891 RESERVED CVE-2020-1890 RESERVED CVE-2020-1889 RESERVED CVE-2020-1888 (Insufficient boundary checks when decoding JSON in handleBackslash rea ...) - hhvm CVE-2020-1887 (Incorrect validation of the TLS SNI hostname in osquery versions after ...) - osquery (bug #803502) CVE-2020-1886 RESERVED CVE-2020-1885 (Writing to an unprivileged file from a privileged OVRRedir.exe process ...) NOT-FOR-US: Oculus Desktop CVE-2019-19512 RESERVED CVE-2019-19511 RESERVED CVE-2019-19510 RESERVED CVE-2019-19509 (An issue was discovered in rConfig 3.9.3. A remote authenticated user ...) NOT-FOR-US: rConfig CVE-2019-19508 RESERVED CVE-2019-19507 (In jpv (aka Json Pattern Validator) before 2.1.1, compareCommon() can ...) NOT-FOR-US: Json Pattern Validator CVE-2019-19506 (Tenda PA6 Wi-Fi Powerline extender 1.0.1.21 is vulnerable to a denial ...) NOT-FOR-US: Tenda PA6 Wi-Fi Powerline extender CVE-2019-19505 (Tenda PA6 Wi-Fi Powerline extender 1.0.1.21 is vulnerable to a stack-b ...) NOT-FOR-US: Tenda PA6 Wi-Fi Powerline extender CVE-2019-19504 RESERVED CVE-2019-19503 RESERVED CVE-2019-19502 (Code injection in pluginconfig.php in Image Uploader and Browser for C ...) NOT-FOR-US: ckeditor plugin CVE-2019-19501 (VeraCrypt 1.24 allows Local Privilege Escalation during execution of V ...) NOT-FOR-US: VeraCrypt CVE-2019-19500 (Matrix42 Workspace Management 9.1.2.2765 and below allows stored XSS v ...) NOT-FOR-US: Matrix42 Workspace Management CVE-2019-19499 RESERVED CVE-2019-19498 RESERVED CVE-2019-19497 (MDaemon Email Server 17.5.1 allows XSS via the filename of an attachme ...) NOT-FOR-US: MDaemon Email Server CVE-2019-19496 (Alfresco Enterprise before 5.2.5 allows stored XSS via an uploaded HTM ...) NOT-FOR-US: Alfresco CVE-2019-19495 (The web interface on the Technicolor TC7230 STEB 01.25 is vulnerable t ...) NOT-FOR-US: Technicolor CVE-2019-19494 (Broadcom based cable modems across multiple vendors are vulnerable to ...) NOT-FOR-US: Broadcom based cable modems CVE-2019-19493 (Kentico before 12.0.50 allows file uploads in which the Content-Type h ...) NOT-FOR-US: Kentico CVE-2019-19492 (FreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socke ...) - freeswitch (bug #389591) CVE-2019-19491 (TestLink 1.9.19 has XSS via the lib/testcases/archiveData.php edit par ...) NOT-FOR-US: TestLink CVE-2019-19490 (LiteManager 4.5.0 has weak permissions (Everyone: Full Control) in the ...) NOT-FOR-US: LiteManager CVE-2019-19489 (SMPlayer 19.5.0 has a buffer overflow via a long .m3u file. ...) NOTE: Bogus report, smplayer correctly bails out CVE-2019-19488 RESERVED CVE-2019-19487 (Command Injection in minPlayCommand.php in Centreon (19.04.4 and below ...) - centreon-web (bug #913903) CVE-2019-19486 (Local File Inclusion in minPlayCommand.php in Centreon (19.04.4 and be ...) - centreon-web (bug #913903) CVE-2019-19485 RESERVED CVE-2019-19484 (Open redirect via parameter ‘p’ in login.php in Centreon ( ...) - centreon-web (bug #913903) CVE-2019-19483 RESERVED CVE-2019-19482 RESERVED CVE-2019-19481 (An issue was discovered in OpenSC through 0.19.0 and 0.20.x through 0. ...) - opensc 0.19.0~rc1-1 [stretch] - opensc (Vulnerable code not present) [jessie] - opensc (Vulnerable code not present) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18618 NOTE: CAC support added in: https://github.com/OpenSC/OpenSC/commit/777e2a3751e3f6d53f056c98e9e20e42af674fb1 (0.17.0-rc1) NOTE: Drop support of CAC1: https://github.com/OpenSC/OpenSC/commit/2190bb927c739852266481d6517aaf3a07b52526 (0.19.0-rc1) NOTE: Restored minimal CAC1 driver support: https://github.com/OpenSC/OpenSC/commit/e2b1fb81e0e1339eebaa36fb90635e03f69d4da3 (0.20.0-rc1) NOTE: https://github.com/OpenSC/OpenSC/commit/b75c002cfb1fd61cd20ec938ff4937d7b1a94278 NOTE: Mark 0.19.0~rc1 based version as fixed which removed the affected code, which NOTE: later was re-introduced upstream in 0.20.0~rc1 again. CVE-2019-19480 (An issue was discovered in OpenSC through 0.19.0 and 0.20.x through 0. ...) - opensc (Vulnerable code not present) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18478 NOTE: Introduced in: https://github.com/OpenSC/OpenSC/commit/630d6adf32cecaab0ee184618f56497bd50400fb NOTE: Fixed by: https://github.com/OpenSC/OpenSC/commit/6ce6152284c47ba9b1d4fe8ff9d2e6a3f5ee02c7 NOTE: The introducing commit attempted to fix a memory leak issue, and later on NOTE: further memleak issues were addressed related to those changes. But those NOTE: fixes are not related "directly" to the CVE assignment for the incorrect NOTE: free operation in sc_pkcs15_decode_prkdf_entry. CVE-2019-19479 (An issue was discovered in OpenSC through 0.19.0 and 0.20.x through 0. ...) {DLA-2046-1} - opensc 0.20.0-1 (bug #947383) [buster] - opensc (Minor issue) [stretch] - opensc (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18693 NOTE: https://github.com/OpenSC/OpenSC/commit/c3f23b836e5a1766c36617fe1da30d22f7b63de2 CVE-2019-19478 RESERVED CVE-2019-19477 RESERVED CVE-2019-19476 RESERVED CVE-2019-19475 (An issue was discovered in ManageEngine Applications Manager 14 with B ...) NOT-FOR-US: ManageEngine Applications Manager CVE-2019-19474 RESERVED CVE-2019-19473 RESERVED CVE-2019-19472 RESERVED CVE-2019-19471 RESERVED CVE-2019-19470 (Unsafe usage of .NET deserialization in Named Pipe message processing ...) NOT-FOR-US: TinyWall Controller CVE-2019-19469 (In Zmanda Management Console 3.3.9, ZMC_Admin_Advanced?form=adminTasks ...) NOT-FOR-US: Zmanda Management Console CVE-2019-19468 (Free Photo Viewer 1.3 allows remote attackers to execute arbitrary cod ...) NOT-FOR-US: Free Photo Viewer CVE-2019-19467 RESERVED CVE-2020-1884 RESERVED CVE-2020-1883 (Huawei products NIP6800;Secospace USG6600;USG9500 have a memory leak v ...) NOT-FOR-US: Huawei CVE-2020-1882 (Huawei mobile phones Ever-L29B versions earlier than 10.0.0.180(C185E6 ...) NOT-FOR-US: Huawei CVE-2020-1881 (NIP6800;Secospace USG6600;USG9500 products with versions of V500R001C3 ...) NOT-FOR-US: Huawei CVE-2020-1880 (Huawei smartphone Lion-AL00C with versions earlier than 10.0.0.205(C00 ...) NOT-FOR-US: Huawei CVE-2020-1879 (There is an improper integrity checking vulnerability on some huawei p ...) NOT-FOR-US: Huawei CVE-2020-1878 (Huawei smartphone OxfordS-AN00A with versions earlier than 10.0.1.152D ...) NOT-FOR-US: Huawei CVE-2020-1877 (NIP6800;Secospace USG6600;USG9500 with versions of V500R001C30; V500R0 ...) NOT-FOR-US: Huawei CVE-2020-1876 (NIP6800;Secospace USG6600;USG9500 with versions of V500R001C30; V500R0 ...) NOT-FOR-US: Huawei CVE-2020-1875 (NIP6800;Secospace USG6600;USG9500 products versions of V500R001C30; V5 ...) NOT-FOR-US: Huawei CVE-2020-1874 (NIP6800;Secospace USG6600;USG9500 products versions of V500R001C30; V5 ...) NOT-FOR-US: Huawei CVE-2020-1873 (NIP6800;Secospace USG6600;USG9500 products with versions of V500R001C3 ...) NOT-FOR-US: Huawei CVE-2020-1872 (Huawei smart phones P10 Plus with versions earlier than 9.1.0.201(C01E ...) NOT-FOR-US: Huawei CVE-2020-1871 (USG9500 with software of V500R001C30SPC100; V500R001C30SPC200; V500R00 ...) NOT-FOR-US: Huawei CVE-2020-1870 (CloudEngine 12800 products with versions of V200R019C00, V200R019C10SP ...) NOT-FOR-US: Huawei CVE-2020-1869 RESERVED CVE-2020-1868 RESERVED CVE-2020-1867 RESERVED CVE-2020-1866 RESERVED CVE-2020-1865 RESERVED CVE-2020-1864 (Some Huawei products have a security vulnerability due to improper aut ...) NOT-FOR-US: Huawei CVE-2020-1863 (Huawei USG6000V with versions V500R001C20SPC300, V500R003C00SPC100, an ...) NOT-FOR-US: Huawei CVE-2020-1862 (There is a double free vulnerability in some Huawei products. A local ...) NOT-FOR-US: Huawei CVE-2020-1861 (CloudEngine 12800 with versions of V200R001C00SPC600,V200R001C00SPC700 ...) NOT-FOR-US: Huawei CVE-2020-1860 (NIP6800;Secospace USG6600;USG9500 products with versions of V500R001C3 ...) NOT-FOR-US: Huawei CVE-2020-1859 RESERVED CVE-2020-1858 (Huawei products NIP6800 versions V500R001C30, V500R001C60SPC500, and V ...) NOT-FOR-US: Huawei CVE-2020-1857 (Huawei NIP6800 versions V500R001C30, V500R001C60SPC500, and V500R005C0 ...) NOT-FOR-US: Huawei CVE-2020-1856 (Huawei NGFW Module, NIP6300, NIP6600, Secospace USG6500, Secospace USG ...) NOT-FOR-US: Huawei CVE-2020-1855 (Huawei HEGE-570 version 1.0.1.22(SP3); and HEGE-560, OSCA-550, OSCA-55 ...) NOT-FOR-US: Huawei CVE-2020-1854 RESERVED CVE-2020-1853 (GaussDB 200 with version of 6.5.1 have a path traversal vulnerability. ...) NOT-FOR-US: Huawei CVE-2020-1852 RESERVED CVE-2020-1851 RESERVED CVE-2020-1850 RESERVED CVE-2020-1849 RESERVED CVE-2020-1848 RESERVED CVE-2020-1847 RESERVED CVE-2020-1846 RESERVED CVE-2020-1845 (Huawei PCManager product with versions earlier than 10.0.5.53 have a l ...) NOT-FOR-US: Huawei CVE-2020-1844 (PCManager with versions earlier than 10.0.5.51 have a privilege escala ...) NOT-FOR-US: Huawei CVE-2020-1843 (Huawei HEGE-560 version 1.0.1.20(SP2), OSCA-550 version 1.0.0.71(SP1), ...) NOT-FOR-US: Huawei CVE-2020-1842 (Huawei HEGE-560 version 1.0.1.20(SP2); OSCA-550 and OSCA-550A version ...) NOT-FOR-US: Huawei CVE-2020-1841 (Huawei CloudLink Board version 20.0.0; DP300 version V500R002C00; RSE6 ...) NOT-FOR-US: Huawei CVE-2020-1840 (HUAWEI Mate 20 smart phones with versions earlier than 10.0.0.175(C00E ...) NOT-FOR-US: Huawei CVE-2020-1839 (HUAWEI Mate 30 with versions earlier than 10.1.0.150(C00E136R5P3) have ...) TODO: check CVE-2020-1838 (HUAWEI Mate 30 Pro with versions earlier than 10.1.0.150(C00E136R5P3) ...) TODO: check CVE-2020-1837 (ChangXiang 8 Plus with versions earlier than 9.1.0.136(C00E121R1P6T8) ...) TODO: check CVE-2020-1836 (HUAWEI P30 with versions earlier than 10.1.0.160(C00E160R2P11) and HUA ...) TODO: check CVE-2020-1835 (HUAWEI Mate 30 with versions earlier than 10.1.0.126(C00E125R5P3) have ...) NOT-FOR-US: Huawei CVE-2020-1834 (HUAWEI P30 and HUAWEI P30 Pro with versions earlier than 10.1.0.135(C0 ...) NOT-FOR-US: Huawei CVE-2020-1833 (Honor 9X smartphones with versions earlier than 9.1.1.172(C00E170R8P1) ...) NOT-FOR-US: Huawei CVE-2020-1832 (E6878-370 products with versions of 10.0.3.1(H557SP27C233) and 10.0.3. ...) NOT-FOR-US: Huawei CVE-2020-1831 (HUAWEI Mate 20 smartphones with versions earlier than 10.0.0.195(SP31C ...) NOT-FOR-US: Huawei CVE-2020-1830 (Huawei NIP6800 versions V500R001C30, V500R001C60SPC500, and V500R005C0 ...) NOT-FOR-US: Huawei CVE-2020-1829 (Huawei NIP6800 versions V500R001C30 and V500R001C60SPC500; and Secospa ...) NOT-FOR-US: Huawei CVE-2020-1828 (Huawei NIP6800 versions V500R001C30, V500R001C60SPC500, and V500R005C0 ...) NOT-FOR-US: Huawei CVE-2020-1827 (Huawei NIP6800 versions V500R001C30, V500R001C60SPC500, and V500R005C0 ...) NOT-FOR-US: Huawei CVE-2020-1826 (Huawei Honor Magic2 mobile phones with versions earlier than 10.0.0.17 ...) NOT-FOR-US: Huawei CVE-2020-1825 (FusionAccess with versions earlier than 6.5.1.SPC002 have a Denial of ...) NOT-FOR-US: Huawei CVE-2020-1824 RESERVED CVE-2020-1823 RESERVED CVE-2020-1822 RESERVED CVE-2020-1821 RESERVED CVE-2020-1820 RESERVED CVE-2020-1819 RESERVED CVE-2020-1818 RESERVED CVE-2020-1817 (Huawei PCManager with versions earlier than 10.0.1.36 has a privilege ...) NOT-FOR-US: Huawei CVE-2020-1816 (Huawei NIP6800 versions V500R001C30, V500R001C60SPC500, and V500R005C0 ...) NOT-FOR-US: Huawei CVE-2020-1815 (Huawei NIP6800 versions V500R001C30, V500R001C60SPC500, and V500R005C0 ...) NOT-FOR-US: Huawei CVE-2020-1814 (Huawei NIP6800 versions V500R001C30, V500R001C60SPC500, and V500R005C0 ...) NOT-FOR-US: Huawei CVE-2020-1813 (HUAWEI P30 smart phone with versions earlier than 10.1.0.135(C00E135R2 ...) NOT-FOR-US: Huawei CVE-2020-1812 (HUAWEI P30 smartphones with versions earlier than 10.0.0.173(C00E73R1P ...) NOT-FOR-US: Huawei CVE-2020-1811 (GaussDB 200 with version of 6.5.1 have a command injection vulnerabili ...) NOT-FOR-US: Huawei CVE-2020-1810 (There is a weak algorithm vulnerability in some Huawei products. The a ...) NOT-FOR-US: Huawei CVE-2020-1809 (HUAWEI Mate 10 smartphones with versions earlier than 10.0.0.143(C00E1 ...) NOT-FOR-US: Huawei CVE-2020-1808 (Huawei smartphones Honor View 20;Honor 20;Honor 20 PRO;Honor Magic2 wi ...) NOT-FOR-US: Huawei CVE-2020-1807 (HUAWEI Mate 20 smartphones with versions earlier than 10.0.0.188(C00E7 ...) NOT-FOR-US: Huawei CVE-2020-1806 (Huawei Honor V10 smartphones with versions earlier than 10.0.0.156(C00 ...) NOT-FOR-US: Huawei CVE-2020-1805 (Huawei Honor V10 smartphones with versions earlier than 10.0.0.156(C00 ...) NOT-FOR-US: Huawei CVE-2020-1804 (Huawei Honor V10 smartphones with versions earlier than 10.0.0.156(C00 ...) NOT-FOR-US: Huawei CVE-2020-1803 (Huawei smartphones Honor V20 with versions earlier than 10.0.0.179(C63 ...) NOT-FOR-US: Huawei CVE-2020-1802 (There is an insufficient integrity validation vulnerability in several ...) NOT-FOR-US: Huawei CVE-2020-1801 (There is an improper authentication vulnerability in several smartphon ...) NOT-FOR-US: Huawei CVE-2020-1800 (HUAWEI smartphones P30 with versions earlier than 10.0.0.185(C00E85R1P ...) NOT-FOR-US: Huawei CVE-2020-1799 (E6878-370 with versions of 10.0.3.1(H557SP27C233), 10.0.3.1(H563SP1C00 ...) NOT-FOR-US: Huawei CVE-2020-1798 (HUAWEI P30 smartphones with versions earlier than 10.1.0.135(C00E135R2 ...) NOT-FOR-US: Huawei CVE-2020-1797 (HUAWEI Mate 20 smartphones with versions earlier than 10.0.0.185(C00E7 ...) NOT-FOR-US: Huawei CVE-2020-1796 (There is an improper authorization vulnerability in several smartphone ...) NOT-FOR-US: Huawei CVE-2020-1795 (There is a logic error vulnerability in several smartphones. The softw ...) NOT-FOR-US: Huawei CVE-2020-1794 (There is an improper authentication vulnerability in several smartphon ...) NOT-FOR-US: Huawei CVE-2020-1793 (There is an improper authentication vulnerability in several smartphon ...) NOT-FOR-US: Huawei CVE-2020-1792 (Honor V10 smartphones with versions earlier than BKL-AL20 10.0.0.156(C ...) NOT-FOR-US: Huawei CVE-2020-1791 (HUAWEI Mate 20 smartphones with versions earlier than 10.0.0.185(C00E7 ...) NOT-FOR-US: Huawei CVE-2020-1790 (GaussDB 200 with version of 6.5.1 have a command injection vulnerabili ...) NOT-FOR-US: Huawei CVE-2020-1789 (Huawei OSCA-550, OSCA-550A, OSCA-550AX, and OSCA-550X products with ve ...) NOT-FOR-US: Huawei CVE-2020-1788 (Honor V30 smartphones with versions earlier than 10.0.1.135(C00E130R4P ...) NOT-FOR-US: Huawei CVE-2020-1787 (HUAWEI Mate 20 smartphones versions earlier than 9.1.0.139(C00E133R3P1 ...) NOT-FOR-US: Huawei CVE-2020-1786 (HUAWEI Mate 20 Pro smartphones versions earlier than 10.0.0.175(C00E69 ...) NOT-FOR-US: Huawei CVE-2020-1785 (Mate 10 Pro;Honor V10;Honor 10;Nova 4 smartphones have a denial of ser ...) NOT-FOR-US: Huawei CVE-2019-19466 (SCEditor 2.1.3 allows XSS. ...) NOT-FOR-US: SCEditor CVE-2019-19465 RESERVED CVE-2019-19464 (The CBC Gem application before 9.24.1 for Android and before 9.26.0 fo ...) NOT-FOR-US: CBC Gem application for Android CVE-2019-19463 (The Anhui Huami Mi Fit application before 4.0.11 for Android has an Un ...) NOT-FOR-US: Anhui Huami Mi Fit application for Android CVE-2019-19462 (relay_open in kernel/relay.c in the Linux kernel through 5.4.1 allows ...) {DSA-4699-1 DSA-4698-1 DLA-2242-1} - linux 5.6.14-2 [jessie] - linux (Vulnerability introduced later) CVE-2019-19461 (Post-authentication Stored XSS in Team Password Manager through 7.93.2 ...) NOT-FOR-US: Team Password Manager CVE-2019-19460 (An issue was discovered in SALTO ProAccess SPACE 5.4.3.0. The product' ...) NOT-FOR-US: SALTO ProAccess SPACE CVE-2019-19459 (An issue was discovered in SALTO ProAccess SPACE 5.4.3.0. An attacker ...) NOT-FOR-US: SALTO ProAccess SPACE CVE-2019-19458 (SALTO ProAccess SPACE 5.4.3.0 allows Directory Traversal in the Data E ...) NOT-FOR-US: SALTO ProAccess SPACE CVE-2019-19457 (SALTO ProAccess SPACE 5.4.3.0 allows XSS. ...) NOT-FOR-US: SALTO ProAccess SPACE CVE-2019-19456 (A Reflected XSS was found in the server selection box inside the login ...) NOT-FOR-US: Wowza Streaming Engine CVE-2019-19455 RESERVED CVE-2019-19454 (An arbitrary file download was found in the "Download Log" functionali ...) NOT-FOR-US: Wowza Streaming Engine CVE-2019-19453 RESERVED CVE-2019-19452 (A buffer overflow was found in Patriot Viper RGB through 1.1 when proc ...) NOT-FOR-US: Patriot Viper RGB CVE-2019-19451 (When GNOME Dia before 2019-11-27 is launched with a filename argument ...) - dia (unimportant; bug #945876) NOTE: https://gitlab.gnome.org/GNOME/dia/issues/428 NOTE: Introduced by: https://gitlab.gnome.org/GNOME/dia/commit/9a5f438d4b3e718c8ab0efe01d08ee2c3a0d9a86 NOTE: Fixed by: https://gitlab.gnome.org/GNOME/dia/commit/baa2df853f9fb770eedcf3d94c7f5becebc90bb9 NOTE: Negligible security impact, hang in end user tool CVE-2019-19450 RESERVED CVE-2019-19449 (In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image c ...) - linux NOTE: https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19449 CVE-2019-19448 (In the Linux kernel 5.0.21 and 5.3.11, mounting a crafted btrfs filesy ...) - linux NOTE: https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19448 CVE-2019-19447 (In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, ...) {DLA-2241-1 DLA-2114-1} - linux 5.4.6-1 [buster] - linux 4.19.98-1 [stretch] - linux 4.9.210-1 NOTE: https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19447 NOTE: https://git.kernel.org/linus/c7df4a1ecb8579838ec8c56b2bb6a6716e974f37 CVE-2019-19446 RESERVED CVE-2019-19445 RESERVED CVE-2019-19444 RESERVED CVE-2019-19443 RESERVED CVE-2019-19442 RESERVED CVE-2019-19441 (HUAWEI P30 smart phones with versions earlier than 10.0.0.166(C00E66R1 ...) NOT-FOR-US: Huawei CVE-2019-19440 RESERVED CVE-2019-19439 RESERVED CVE-2019-19438 RESERVED CVE-2019-19437 RESERVED CVE-2019-19436 RESERVED CVE-2019-19435 RESERVED CVE-2019-19434 RESERVED CVE-2019-19433 RESERVED CVE-2019-19432 RESERVED CVE-2019-19431 RESERVED CVE-2019-19430 RESERVED CVE-2019-19429 RESERVED CVE-2019-19428 RESERVED CVE-2019-19427 RESERVED CVE-2019-19426 RESERVED CVE-2019-19425 RESERVED CVE-2019-19424 RESERVED CVE-2019-19423 RESERVED CVE-2019-19422 RESERVED CVE-2019-19421 RESERVED CVE-2019-19420 RESERVED CVE-2019-19419 RESERVED CVE-2019-19418 RESERVED CVE-2019-19417 (The SIP module of some Huawei products have a denial of service (DoS) ...) TODO: check CVE-2019-19416 (The SIP module of some Huawei products have a denial of service (DoS) ...) TODO: check CVE-2019-19415 (The SIP module of some Huawei products have a denial of service (DoS) ...) TODO: check CVE-2019-19414 (There is an integer overflow vulnerability in LDAP server of some Huaw ...) NOT-FOR-US: Huawei CVE-2019-19413 (There is an integer overflow vulnerability in LDAP client of some Huaw ...) NOT-FOR-US: Huawei CVE-2019-19412 (Huawei smart phones have a Factory Reset Protection (FRP) bypass secur ...) NOT-FOR-US: Huawei CVE-2019-19411 (USG9500 with versions of V500R001C30SPC100, V500R001C30SPC200, V500R00 ...) NOT-FOR-US: Huawei CVE-2019-19410 RESERVED CVE-2019-19409 RESERVED CVE-2019-19408 RESERVED CVE-2019-19407 RESERVED CVE-2019-19406 RESERVED CVE-2019-19405 RESERVED CVE-2019-19404 RESERVED CVE-2019-19403 RESERVED CVE-2019-19402 RESERVED CVE-2019-19401 RESERVED CVE-2019-19400 RESERVED CVE-2019-19399 RESERVED CVE-2019-19398 (M5 lite 10 with versions of 8.0.0.182(C00) have an insufficient input ...) NOT-FOR-US: Huawei CVE-2019-19397 (There is a weak algorithm vulnerability in some Huawei products. The a ...) NOT-FOR-US: Huawei CVE-2019-19396 (illumos, as used in OmniOS Community Edition before r151030y, allows a ...) NOT-FOR-US: illumos CVE-2019-19395 RESERVED CVE-2013-7484 (Zabbix before 5.0 represents passwords in the users table with unsalte ...) - zabbix [buster] - zabbix (Minor issue) [stretch] - zabbix (Minor issue) [jessie] - zabbix (Minor issue) CVE-2020-1784 RESERVED CVE-2020-1783 RESERVED CVE-2020-1782 RESERVED CVE-2020-1781 RESERVED CVE-2020-1780 RESERVED CVE-2020-1779 RESERVED CVE-2020-1778 RESERVED CVE-2020-1777 RESERVED CVE-2020-1776 RESERVED CVE-2020-1775 (BCC recipients in mails sent from OTRS are visible in article detail o ...) TODO: check CVE-2020-1774 (When user downloads PGP or S/MIME keys/certificates, exported file has ...) {DLA-2198-1} - otrs2 6.0.28-1 (bug #959448) [buster] - otrs2 (Non-free not supported) [stretch] - otrs2 (Non-free not supported) NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-11/ NOTE: Fixed in 7.0.17, 6.0.28 NOTE: OTRS6: https://github.com/OTRS/otrs/commit/ff725cbea77f03fa296bb13f93f5b07086920342 CVE-2020-1773 (An attacker with the ability to generate session IDs or password reset ...) - otrs2 6.0.27-1 [buster] - otrs2 (Non-free not supported) [stretch] - otrs2 (Non-free not supported) [jessie] - otrs2 (Too intrusive to backport) NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-10/ NOTE: Fixed in 7.0.16, 6.0.27, 5.0.42 NOTE: OTRS6: https://github.com/OTRS/otrs/commit/ab253734bc211541309b9f8ea2b8b70389c4a64e NOTE: OTRS5: https://github.com/OTRS/otrs/commit/4955521af50238046847bce51ad9865950324f77 CVE-2020-1772 (It's possible to craft Lost Password requests with wildcards in the To ...) {DLA-2198-1} - otrs2 6.0.27-1 [buster] - otrs2 (Non-free not supported) [stretch] - otrs2 (Non-free not supported) NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-09/ NOTE: Fixed in 7.0.16, 6.0.27, 5.0.42 NOTE: OTRS6: https://github.com/OTRS/otrs/commit/c0255365d5c455272b2b9e7bb1f6c96c3fce441b NOTE: OTRS5: https://github.com/OTRS/otrs/commit/2628464f659c39fafbc32147d569553eb07d41d7 CVE-2020-1771 (Attacker is able craft an article with a link to the customer address ...) - otrs2 6.0.27-1 [buster] - otrs2 (Non-free not supported) [stretch] - otrs2 (Non-free not supported) [jessie] - otrs2 (Vulnerable code introduced in later version) NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-08/ NOTE: Fixed in 7.0.16, 6.0.27 NOTE: https://github.com/OTRS/otrs/commit/2576830053f70a3a9251558e55f34843dec61aa2 CVE-2020-1770 (Support bundle generated files could contain sensitive information tha ...) {DLA-2198-1} - otrs2 6.0.27-1 [buster] - otrs2 (Non-free not supported) [stretch] - otrs2 (Non-free not supported) NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-07/ NOTE: Fixed in 7.0.16, 6.0.27, 5.0.42 NOTE: OTRS6: https://github.com/OTRS/otrs/commit/cb6d12a74fbf721ba33f24ce93ae37ed9a945a95 NOTE: OTRS5: https://github.com/OTRS/otrs/commit/d37defe6592992e886cc5cc8fec444d34875fd4d CVE-2020-1769 (In the login screens (in agent and customer interface), Username and P ...) - otrs2 6.0.27-1 [buster] - otrs2 (Non-free not supported) [stretch] - otrs2 (Non-free not supported) [jessie] - otrs2 (https://lists.debian.org/debian-lts/2020/04/msg00040.html) NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-06/ NOTE: Fixed in 7.0.16, 6.0.27, 5.0.42 NOTE: OTRS6: https://github.com/OTRS/otrs/commit/1b74e24582c946d02209acfc248d4ba451251f93 NOTE: OTRS5: https://github.com/OTRS/otrs/commit/7974ea582211c13730d223fc4dcdffa542af423f CVE-2020-1768 (The external frontend system uses numerous background calls to the bac ...) - otrs2 (Only affects 7.0.x series) NOTE: https://community.otrs.com/security-advisory-2020-04/ CVE-2020-1767 (Agent A is able to save a draft (i.e. for customer reply). Then Agent ...) {DLA-2079-1} - otrs2 6.0.25-1 [buster] - otrs2 (Non-free not supported) [stretch] - otrs2 (Non-free not supported) NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-03/ NOTE: https://github.com/OTRS/otrs/commit/5f488fd6c809064ee49def3a432030258d211570 CVE-2020-1766 (Due to improper handling of uploaded images it is possible in very unl ...) {DLA-2079-1} - otrs2 6.0.25-1 [buster] - otrs2 (Non-free not supported) [stretch] - otrs2 (Non-free not supported) NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-02/ NOTE: https://github.com/OTRS/otrs/commit/128078b0bb30f601ed97d4a13906644264ee6013 (OTRS6) NOTE: https://github.com/OTRS/otrs/commit/b7d80f9000fc9a435743d8d1d7d44d9a17483a9a (OTRS5) CVE-2020-1765 (An improper control of parameters allows the spoofing of the from fiel ...) {DLA-2079-1} - otrs2 6.0.25-1 [buster] - otrs2 (Non-free not supported) [stretch] - otrs2 (Non-free not supported) NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-01/ NOTE: https://github.com/OTRS/otrs/commit/d146d4997cbd6e1370669784c6a2ec8d64655252 (OTRS6) NOTE: https://github.com/OTRS/otrs/commit/874889b86abea4c01ceb1368a836b66694fae1c3 (OTRS5) CVE-2019-19394 (Northern.tech CFEngine Enterprise before 3.10.7, 3.11.x and 3.12.x bef ...) NOT-FOR-US: CFEngine Enterprise CVE-2019-19393 RESERVED CVE-2019-19392 (The forDNN.UsersExportImport module before 1.2.0 for DNN (formerly Dot ...) NOT-FOR-US: forDNN.UsersExportImport module for DNN CVE-2019-19391 (** DISPUTED ** In LuaJIT through 2.0.5, as used in Moonjit before 2.1. ...) - luajit (bug #946053; unimportant) NOTE: https://github.com/LuaJIT/LuaJIT/pull/526 NOTE: Negligible security impact. The debug library is unsafe per se and one is NOTE: not supposed to release an application with the debug library. CVE-2019-19390 (The Search parameter of the Software Catalogue section of Matrix42 Wor ...) NOT-FOR-US: Matrix42 Workspace Management CVE-2019-19389 (JetBrains Ktor framework before version 1.2.6 was vulnerable to HTTP R ...) NOT-FOR-US: JetBrains Ktor framework CVE-2019-19388 (A cross-site scripting (XSS) vulnerability in app/dialplans/dialplan_d ...) NOT-FOR-US: FusionPBX CVE-2019-19387 (A cross-site scripting (XSS) vulnerability in app/fifo_list/fifo_inter ...) NOT-FOR-US: FusionPBX CVE-2019-19386 (A cross-site scripting (XSS) vulnerability in app/voicemail_greetings/ ...) NOT-FOR-US: FusionPBX CVE-2019-19385 (A cross-site scripting (XSS) vulnerability in app/dialplans/dialplans. ...) NOT-FOR-US: FusionPBX CVE-2019-19384 (A cross-site scripting (XSS) vulnerability in app/fax/fax_log_view.php ...) NOT-FOR-US: FusionPBX CVE-2019-19383 (freeFTPd 1.0.8 has a Post-Authentication Buffer Overflow via a crafted ...) NOT-FOR-US: freeFTPd CVE-2019-19382 (Max Secure Anti Virus Plus 19.0.4.020 has Insecure Permissions on the ...) NOT-FOR-US: Max Secure Anti Virus Plus CVE-2019-19381 (oauth/oauth2/v1/saml/ in Abacus OAuth Login 2019_01_r4_20191021_0000 b ...) NOT-FOR-US: Abacus OAuth Login CVE-2019-19380 RESERVED CVE-2019-19379 (In app/Controller/TagsController.php in MISP 2.4.118, users can bypass ...) NOT-FOR-US: MISP CVE-2019-19378 (In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image ...) - linux CVE-2019-19377 (In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, ...) - linux 5.6.7-1 NOTE: https://git.kernel.org/linus/b3ff8f1d380e65dddd772542aa9bff6c86bf715a CVE-2019-19376 (In Octopus Deploy before 2019.10.6, an authenticated user with TeamEdi ...) NOT-FOR-US: Octopus Deploy CVE-2019-19375 (In Octopus Deploy before 2019.10.7, in a configuration where SSL offlo ...) NOT-FOR-US: Octopus Deploy CVE-2019-19374 (An issue was discovered in core/assets/form/form_question_types/form_q ...) NOT-FOR-US: Squiz Matrix CMS CVE-2019-19373 (An issue was discovered in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5. ...) NOT-FOR-US: Squiz Matrix CMS CVE-2019-19372 (** DISPUTED ** A downloadFile.php download_file path traversal vulnera ...) NOT-FOR-US: rConfig CVE-2019-19371 (A cross-site scripting (XSS) vulnerability in the web conferencing com ...) NOT-FOR-US: Mitel CVE-2019-19370 (A cross-site scripting (XSS) vulnerability in the web conferencing com ...) NOT-FOR-US: Mitel CVE-2019-19369 RESERVED CVE-2019-19368 (A Reflected Cross Site Scripting was discovered in the Login page of R ...) NOT-FOR-US: Rumpus FTP Web File Manager CVE-2019-19367 (A cross-site scripting (XSS) vulnerability in app/fax/fax_files.php in ...) NOT-FOR-US: FusionPBX CVE-2019-19366 (A cross-site scripting (XSS) vulnerability in app/xml_cdr/xml_cdr_sear ...) NOT-FOR-US: FusionPBX CVE-2019-19365 RESERVED CVE-2020-1764 (A hard-coded cryptographic key vulnerability in the default configurat ...) NOT-FOR-US: Kiali CVE-2020-1763 (An out-of-bounds buffer read flaw was found in the pluto daemon of lib ...) {DSA-4684-1} - libreswan 3.32-1 (bug #960458) NOTE: Introduced by: https://github.com/libreswan/libreswan/commit/fa004e7d4b83fbeaa8d0f6d8430a96aed97a97b9 (v3.27) NOTE: Fixed by: https://github.com/libreswan/libreswan/commit/471a3e41a449d7c753bc4edbba4239501bb62ba8 NOTE: https://libreswan.org/security/CVE-2020-1763/CVE-2020-1763.txt CVE-2020-1762 (An insufficient JWT validation vulnerability was found in Kiali versio ...) NOT-FOR-US: Kiali CVE-2020-1761 RESERVED NOT-FOR-US: OpenShift CVE-2020-1760 (A flaw was found in the Ceph Object Gateway, where it supports request ...) {DLA-2171-1} - ceph 14.2.9-1 (bug #956142) NOTE: Introduced with: https://github.com/ceph/ceph-ci/commit/f4a0b2d9260a4523745875e3977a8a1ef9dc5e2e NOTE: Fixed by: https://github.com/ceph/ceph-ci/commit/8aa1f77363ec32bdc57744a143035033291ab5e1 NOTE: Fixed by: https://github.com/ceph/ceph-ci/commit/18eb4d918b27d362312c29a3bbd57a421897c0a5 NOTE: Fixed by: https://github.com/ceph/ceph-ci/commit/1bf14094fec34770d2cc74317f4238ccb2dfef98 NOTE: https://www.openwall.com/lists/oss-security/2020/04/07/1 CVE-2020-1759 (A vulnerability was found in Red Hat Ceph Storage 4 and Red Hat Opensh ...) - ceph 14.2.9-1 (bug #956139) [buster] - ceph (Vulnerable code not present) [stretch] - ceph (Vulnerable code not present) [jessie] - ceph (Vulnerable code not present) NOTE: Introduced with: https://github.com/ceph/ceph-ci/commit/fe387e02b11df98357d8cdbfa3b1f1d5f2bb3f74 NOTE: Fixed by: https://github.com/ceph/ceph-ci/commit/84d2e215969cde830b086d11544aeb3666614211 NOTE: Fixed by: https://github.com/ceph/ceph-ci/commit/659ec7dc6e30fe961832f813da007f49e603a33d NOTE: https://www.openwall.com/lists/oss-security/2020/04/07/2 CVE-2020-1758 (A flaw was found in Keycloak in versions before 10.0.0, where it does ...) NOT-FOR-US: Keycloak CVE-2020-1757 (A flaw was found in all undertow-2.x.x SP1 versions prior to undertow- ...) - undertow NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1752770 CVE-2020-1756 RESERVED CVE-2020-1755 RESERVED CVE-2020-1754 RESERVED CVE-2020-1753 (A security flaw was found in Ansible Engine, all Ansible 2.7.x version ...) - ansible [stretch] - ansible (Vulnerable code introduced later) [jessie] - ansible (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1811008 NOTE: https://github.com/ansible-collections/kubernetes/pull/51 NOTE: Fixing commit only introduces a warning about disclosure when using certain NOTE: options. CVE-2020-1752 (A use-after-free vulnerability introduced in glibc upstream version 2. ...) - glibc 2.30-3 (bug #953788) [buster] - glibc (Minor issue) [stretch] - glibc (Minor issue) [jessie] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25414 NOTE: Introduced in: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f2962a71959fd254a7a223437ca4b63b9e81130c (2.14) NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c CVE-2020-1751 (An out-of-bounds write vulnerability was found in glibc before 2.31 wh ...) - glibc 2.30-3 [buster] - glibc (Minor issue) [stretch] - glibc (Minor issue) [jessie] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25423 NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d93769405996dfc11d216ddbe415946617b5a494 CVE-2020-1750 RESERVED NOT-FOR-US: OpenShift machine-config-operator CVE-2020-1749 [net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup] RESERVED {DLA-2241-1} - linux 5.4.6-1 [buster] - linux 4.19.118-1 NOTE: https://git.kernel.org/linus/6c8991f41546c3c472503dff1ea9daaddf9331c2 CVE-2020-1748 RESERVED CVE-2020-1747 (A vulnerability was discovered in the PyYAML library in versions befor ...) - pyyaml 5.3-2 (bug #953013) [buster] - pyyaml (Loader/Constructor classes are unsafe in this version) [stretch] - pyyaml (Loader/Constructor classes are unsafe in this version) [jessie] - pyyaml (Loader/Constructor classes are unsafe in this version) NOTE: https://github.com/yaml/pyyaml/pull/386 CVE-2020-1746 (A flaw was found in the Ansible Engine affecting Ansible Engine versio ...) - ansible 2.9.7+dfsg-1 [stretch] - ansible (Vulnerable code introduced later) [jessie] - ansible (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1805491 NOTE: https://github.com/ansible/ansible/pull/67866 NOTE: Fixed by: https://github.com/ansible/ansible/commit/d41e38435b1a9e300d8011ac28f16a5add2db119 (v2.9.7) CVE-2020-1745 (A file inclusion vulnerability was found in the AJP connector enabled ...) - undertow 2.0.30-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1807305 NOTE: Variant of the Ghostcat Tomcat vulnerability, CVE-2020-1938. NOTE: According to https://lists.jboss.org/pipermail/undertow-dev/2020-March/002422.html NOTE: the fix is: https://github.com/undertow-io/undertow/pull/859 CVE-2020-1744 (A flaw was found in keycloak before version 9.0.1. When configuring an ...) NOT-FOR-US: Keycloak CVE-2020-1743 RESERVED CVE-2020-1742 RESERVED NOT-FOR-US: OpenShift jenkins-slave-base-rhel7-container CVE-2020-1741 (A flaw was found in openshift-ansible. OpenShift Container Platform (O ...) NOT-FOR-US: openshift-ansible CVE-2020-1740 (A flaw was found in Ansible Engine when using Ansible Vault for editin ...) {DLA-2202-1} - ansible 2.9.7+dfsg-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1802193 NOTE: https://github.com/ansible/ansible/issues/67798 NOTE: https://github.com/ansible/ansible/pull/68644 CVE-2020-1739 (A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9 ...) {DLA-2202-1} - ansible 2.9.7+dfsg-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1802178 NOTE: https://github.com/ansible/ansible/issues/67797 NOTE: https://github.com/ansible/ansible/pull/67829 NOTE: https://github.com/ansible/ansible/commit/d91658ec0c8434c82c3ef98bfe9eb4e1027a43a3 CVE-2020-1738 (A flaw was found in Ansible Engine when the module package or service ...) - ansible (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1802164 NOTE: https://github.com/ansible/ansible/issues/67796 NOTE: Marked unimportant as for exploitation it requires already a remote that is NOTE: compromised, cf. https://github.com/ansible/ansible/issues/67796#issuecomment-614656017 CVE-2020-1737 (A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9 ...) - ansible 2.9.7+dfsg-1 (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1802154 NOTE: https://github.com/ansible/ansible/issues/67795 NOTE: https://github.com/ansible/ansible/pull/67799 NOTE: Issue in the win_unzip module which is executed only on Windows plattform CVE-2020-1736 (A flaw was found in Ansible Engine when a file is moved using atomic_m ...) - ansible NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1802124 NOTE: https://github.com/ansible/ansible/issues/67794 CVE-2020-1735 (A flaw was found in the Ansible Engine when the fetch module is used. ...) - ansible 2.9.7+dfsg-1 [jessie] - ansible (No remote expansion in fetch module) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1802085 NOTE: https://github.com/ansible/ansible/issues/67793 NOTE: https://github.com/ansible/ansible/pull/68720 NOTE: Introduced in https://github.com/ansible/ansible/commit/e47f6137e5b897dec4319e7cb7791fb9b2cffb8d (1.8) NOTE: Fixed by: https://github.com/ansible/ansible/commit/290bfa820d533dc224e0c3fa7dd7c6b907ed0189 NOTE: The commit has incorrect CVE reference adressed in NOTE: https://github.com/ansible/ansible/commit/18f91bbb88a84b1d3614ef41c3550da735592ac1 CVE-2020-1734 (A flaw was found in the pipe lookup plugin of ansible. Arbitrary comma ...) - ansible (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1801804 NOTE: https://github.com/ansible/ansible/issues/6550 NOTE: https://github.com/ansible/ansible/issues/67792 NOTE: Upstream considers this intended functionality and delegates it up to the NOTE: playbook author to ensure they use the quote filter. CVE-2020-1733 (A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2. ...) {DLA-2202-1} - ansible 2.9.7+dfsg-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1801735 NOTE: https://github.com/ansible/ansible/issues/67791 NOTE: https://github.com/ansible/ansible/pull/68921 NOTE: https://github.com/ansible/ansible/commit/8077d8e40148fe77e2393caa5f2b2ea855149d63 NOTE: When applying the fix for CVE-2020-1733 make sure to apply complete fix to NOTE: not open up CVE-2020-10744. CVE-2020-1732 (A flaw was found in Soteria before 1.0.1, in a way that multiple reque ...) - wildfly (bug #752018) CVE-2020-1731 (A flaw was found in all versions of the Keycloak operator, before vers ...) NOT-FOR-US: Keycloak CVE-2020-1730 (A flaw was found in libssh versions before 0.8.9 and before 0.9.4 in t ...) - libssh 0.9.4-1 (bug #956308) [buster] - libssh 0.8.7-1+deb10u1 [stretch] - libssh (Vulnerable code introduced later) [jessie] - libssh (Vulnerable code introduced later) NOTE: https://www.libssh.org/security/advisories/CVE-2020-1730.txt NOTE: https://bugs.libssh.org/T213 NOTE: Introduced by: https://git.libssh.org/projects/libssh.git/commit/?id=84a85803b4c83b8dac03b0d0aba58b48c98253e6 (libssh-0.8.0) NOTE: Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=b36272eac1b36982598c10de7af0a501582de07a CVE-2020-1729 RESERVED NOT-FOR-US: SmallRye Config CVE-2020-1728 (A vulnerability was found in all versions of Keycloak where, the pages ...) NOT-FOR-US: Keycloak CVE-2020-1727 (A vulnerability was found in Keycloak before 9.0.2, where every Author ...) NOT-FOR-US: Keycloak CVE-2020-1726 (A flaw was discovered in Podman where it incorrectly allows containers ...) - libpod 1.6.4+dfsg1-3 (bug #961421) NOTE: Introduced in: https://github.com/containers/libpod/commit/997c4b56ed2121726e966afe9a102ed16ba78f93 (v1.6.0-rc1) NOTE: https://github.com/containers/libpod/pull/5168 NOTE: Fixed by: https://github.com/containers/libpod/commit/c140ecdc9b416ab4efd4d21d14acd63b6adbdd42 (v1.8.1-rc1) CVE-2020-1725 RESERVED CVE-2020-1724 (A flaw was found in Keycloak in versions before 9.0.2. This flaw allow ...) NOT-FOR-US: Keycloak CVE-2020-1723 RESERVED CVE-2020-1722 (A flaw was found in all ipa versions 4.x.x through 4.8.0. When sending ...) - freeipa NOTE: https://pagure.io/freeipa/issue/8268 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1793071 CVE-2020-1721 RESERVED - dogtag-pki NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1777579 CVE-2020-1720 (A flaw was found in PostgreSQL's "ALTER ... DEPENDS ON EXTENSION", whe ...) {DSA-4623-1 DSA-4622-1 DLA-2105-1} - postgresql-12 12.2-1 - postgresql-11 - postgresql-9.6 - postgresql-9.4 NOTE: https://www.postgresql.org/about/news/2011/ NOTE: Fixed in 12.2, 11.7, 10.12, 9.6.17, 9.5.21, and 9.4.26 NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=b048f558dd7c26a0c630a2cff29d3d8981eaf6b9 CVE-2020-1719 RESERVED - wildfly (bug #752018) CVE-2020-1718 (A flaw was found in the reset credential flow in all Keycloak versions ...) NOT-FOR-US: Keycloak CVE-2020-1717 RESERVED CVE-2020-1716 RESERVED NOT-FOR-US: ceph-ansible CVE-2020-1715 RESERVED CVE-2020-1714 (A flaw was found in Keycloak before version 11.0.0, where the code bas ...) NOT-FOR-US: Keycloak CVE-2020-1713 RESERVED CVE-2020-1712 (A heap use-after-free vulnerability was found in systemd before versio ...) - systemd 244.2-1 (bug #950732) [buster] - systemd 241-7~deb10u4 [stretch] - systemd (Can be fixed via point release) [jessie] - systemd (Vulnerable code introduced later) NOTE: https://github.com/systemd/systemd/commit/773b1a7916bfce3aa2a21ecf534d475032e8528e (preparation) NOTE: https://github.com/systemd/systemd/commit/95f82ae9d774f3508ce89dcbdd0714ef7385df59 (preparation) NOTE: https://github.com/systemd/systemd/commit/7f56982289275ce84e20f0554475864953e6aaab (preparation) NOTE: https://github.com/systemd/systemd/commit/f4425c72c7395ec93ae00052916a66e2f60f200b (preparation) NOTE: https://github.com/systemd/systemd/commit/1068447e6954dc6ce52f099ed174c442cb89ed54 (introduce new API) NOTE: https://github.com/systemd/systemd/commit/637486261528e8aa3da9f26a4487dc254f4b7abb (use new function to fix CVE-2020-1712) NOTE: https://github.com/systemd/systemd/commit/5c1163273569809742c164260cfd9f096520cb82 (documentation) NOTE: https://github.com/systemd/systemd/commit/bc130b6858327b382b07b3985cf48e2aa9016b2d (documentation) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1794578 NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1971 CVE-2020-1711 (An out-of-bounds heap buffer access flaw was found in the way the iSCS ...) {DLA-2144-1} - qemu 1:4.2-2 (bug #949731) [buster] - qemu 1:3.1+dfsg-8+deb10u4 [stretch] - qemu (Intrusive to backport, revisit later) - qemu-kvm NOTE: Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2020-01/msg05535.html NOTE: https://www.openwall.com/lists/oss-security/2020/01/23/3 CVE-2020-1710 RESERVED CVE-2020-1709 (A vulnerability was found in all openshift/mediawiki 4.x.x versions pr ...) NOT-FOR-US: openshift CVE-2020-1708 (It has been found in openshift-enterprise version 3.11 and all openshi ...) NOT-FOR-US: openshift CVE-2020-1707 (A vulnerability was found in all openshift/postgresql-apb 4.x.x versio ...) NOT-FOR-US: openshift CVE-2020-1706 (It has been found that in openshift-enterprise version 3.11 and opensh ...) NOT-FOR-US: openshift CVE-2020-1705 (A vulnerability was found in openshift/template-service-broker-operato ...) NOT-FOR-US: openshift CVE-2020-1704 (An insecure modification vulnerability in the /etc/passwd file was fou ...) NOT-FOR-US: openshift CVE-2020-1703 REJECTED CVE-2020-1702 RESERVED NOT-FOR-US: Red Hat container manager tooling CVE-2020-1701 RESERVED NOT-FOR-US: KubeVirt CVE-2020-1700 (A flaw was found in the way the Ceph RGW Beast front-end handles unexp ...) - ceph 14.2.7-1 [buster] - ceph (Minor issue) [stretch] - ceph (Vulnerable code introduced later) [jessie] - ceph (Vulnerable code introduced later) NOTE: https://tracker.ceph.com/issues/42531 NOTE: https://github.com/ceph/ceph/pull/33017 NOTE: https://github.com/ceph/ceph/commit/ff72c50a2c43c57aead933eb4903ad1ca6d1748a CVE-2020-1699 (A path traversal flaw was found in the Ceph dashboard implemented in u ...) - ceph 14.2.6-4 (bug #949206) [buster] - ceph (Vulnerable code introduced later) [stretch] - ceph (Vulnerable code introduced later) [jessie] - ceph (Vulnerable code introduced later) NOTE: https://tracker.ceph.com/issues/41320 NOTE: https://github.com/ceph/ceph/commit/0443e40c11280ba3b7efcba61522afa70c4f8158 CVE-2020-1698 (A flaw was found in keycloak in versions before 9.0.0. A logged except ...) NOT-FOR-US: Keycloak CVE-2020-1697 (It was found in all keycloak versions before 9.0.0 that links to exter ...) NOT-FOR-US: Keycloak CVE-2020-1696 (A flaw was found in the all pki-core 10.x.x versions, where Token Proc ...) - dogtag-pki NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1780707 CVE-2020-1695 (A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final ...) - resteasy - resteasy3.0 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1730462 CVE-2020-1694 RESERVED NOT-FOR-US: Keycloak CVE-2020-1693 (A flaw was found in Spacewalk up to version 2.9 where it was vulnerabl ...) NOT-FOR-US: NOT-FOR-US: Red Hat Satellite / Spacewalk CVE-2020-1692 (Moodle before version 3.7.2 is vulnerable to information exposure of s ...) - moodle CVE-2020-1691 RESERVED CVE-2020-1690 RESERVED NOT-FOR-US: openstack-selinux CVE-2019-19364 (A weak malicious user can escalate its privilege whenever CatalystProd ...) NOT-FOR-US: Sony Catalyst Production Suite CVE-2019-19363 (An issue was discovered in Ricoh (including Savin and Lanier) Windows ...) NOT-FOR-US: Ricoh CVE-2019-19362 (An issue was discovered in the Chat functionality of the TeamViewer de ...) NOT-FOR-US: TeamViewer CVE-2019-19361 RESERVED CVE-2019-19360 RESERVED CVE-2019-19359 RESERVED CVE-2019-19358 RESERVED CVE-2019-19357 RESERVED CVE-2019-19356 (Netis WF2419 is vulnerable to authenticated Remote Code Execution (RCE ...) NOT-FOR-US: Netis WF2419 CVE-2019-19355 (An insecure modification vulnerability in the /etc/passwd file was fou ...) NOT-FOR-US: openshift CVE-2019-19354 RESERVED NOT-FOR-US: openshift CVE-2019-19353 RESERVED NOT-FOR-US: openshift CVE-2019-19352 RESERVED NOT-FOR-US: openshift CVE-2019-19351 (An insecure modification vulnerability in the /etc/passwd file was fou ...) NOT-FOR-US: openshift CVE-2019-19350 RESERVED NOT-FOR-US: openshift CVE-2019-19349 RESERVED NOT-FOR-US: openshift CVE-2019-19348 (An insecure modification vulnerability in the /etc/passwd file was fou ...) NOT-FOR-US: openshift CVE-2019-19347 REJECTED CVE-2019-19346 (An insecure modification vulnerability in the /etc/passwd file was fou ...) NOT-FOR-US: openshift CVE-2019-19345 (A vulnerability was found in all openshift/mediawiki-apb 4.x.x version ...) NOT-FOR-US: openshift CVE-2019-19344 (There is a use-after-free issue in all samba 4.9.x versions before 4.9 ...) - samba 2:4.11.5+dfsg-1 (bug #950499) [buster] - samba (Minor issue) [stretch] - samba (Only affects Samba 4.9 onwards) [jessie] - samba (Only affects Samba 4.9 onwards) NOTE: https://www.samba.org/samba/security/CVE-2019-19344.html CVE-2019-19343 RESERVED - undertow (bug #948024; unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1780445 NOTE: Issue affects both Undertow and rmeoting, but for adressing the immediate NOTE: issue only af fix via remoting (https://issues.redhat.com/browse/REM3-347) NOTE: was added. CVE-2019-19342 (A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2 and 3.5 ...) NOT-FOR-US: Ansible Tower CVE-2019-19341 (A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2, where ...) NOT-FOR-US: Ansible Tower CVE-2019-19340 (A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2 and 3.5 ...) NOT-FOR-US: Ansible Tower CVE-2019-19339 (It was found that the Red Hat Enterprise Linux 8 kpatch update did not ...) NOT-FOR-US: Red Hat specific kpatch update which was incomplete to address CVE-2018-12207 CVE-2019-19338 [KVM: export MSR_IA32_TSX_CTRL to guest - incomplete fix for TAA (CVE-2019-11135)] RESERVED - linux (Only affects specific distro kernels which do not include commit e1d38b63acd8) NOTE: https://www.openwall.com/lists/oss-security/2019/12/10/3 NOTE: https://www.openwall.com/lists/oss-security/2019/12/11/1 CVE-2019-19337 (A flaw was found in Red Hat Ceph Storage version 3 in the way the Ceph ...) - ceph (Only affects Ceph as packaged by Red Hat) CVE-2019-19336 (A cross-site scripting vulnerability was reported in the oVirt-engine' ...) NOT-FOR-US: ovirt-engine CVE-2019-19335 (During installation of an OpenShift 4 cluster, the `openshift-install` ...) NOT-FOR-US: OpenShift CVE-2019-19334 (In all versions of libyang before 1.0-r5, a stack-based buffer overflo ...) - libyang 0.16.105-2 (bug #946217) [buster] - libyang (Minor issue) NOTE: https://github.com/CESNET/libyang/commit/6980afae2ff9fcd6d67508b0a3f694d75fd059d6 CVE-2019-19333 (In all versions of libyang before 1.0-r5, a stack-based buffer overflo ...) - libyang 0.16.105-2 (bug #946217) [buster] - libyang (Minor issue) NOTE: https://github.com/CESNET/libyang/commit/f6d684ade99dd37b21babaa8a856f64faa1e2e0d CVE-2019-19332 (An out-of-bounds memory write issue was found in the Linux Kernel, ver ...) {DLA-2114-1 DLA-2068-1} - linux 5.4.6-1 [buster] - linux 4.19.98-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/433f4ba1904100da65a311033f17a9bf586b287e CVE-2019-19331 (knot-resolver before version 4.3.0 is vulnerable to denial of service ...) - knot-resolver 5.0.1-1 (bug #946181) NOTE: https://www.openwall.com/lists/oss-security/2019/12/04/4 CVE-2019-19329 (In Wikibase Wikidata Query Service GUI before 0.3.6-SNAPSHOT 2019-11-0 ...) NOT-FOR-US: Wikibase Wikidata Query Service GUI CVE-2019-19328 (ui/editor/tooltip/Rdf.js in Wikibase Wikidata Query Service GUI before ...) NOT-FOR-US: Wikibase Wikidata Query Service GUI CVE-2019-19327 (ui/ResultView.js in Wikibase Wikidata Query Service GUI before 0.3.6-S ...) NOT-FOR-US: Wikibase Wikidata Query Service GUI CVE-2019-19326 RESERVED CVE-2019-19325 (SilverStripe through 4.4.x before 4.4.5 and 4.5.x before 4.5.2 allows ...) NOT-FOR-US: SilverStripe CVE-2019-19324 (Xmidt cjwt through 1.0.1 before 2019-11-25 maps unsupported algorithms ...) NOT-FOR-US: Xmidt cjwt CVE-2019-19323 RESERVED CVE-2019-19322 RESERVED CVE-2019-19321 RESERVED CVE-2019-19320 RESERVED CVE-2019-19319 (In the Linux kernel 5.0.21, a setxattr operation, after a mount of a c ...) {DSA-4698-1 DLA-2242-1 DLA-2241-1} - linux 5.2.6-1 [buster] - linux 4.19.87-1 CVE-2019-19318 (In the Linux kernel 5.3.11, mounting a crafted btrfs image twice can c ...) - linux 5.4.6-1 CVE-2019-19317 (lookupName in resolve.c in SQLite 3.30.1 omits bits from the colUsed b ...) - sqlite3 (Generated column support was added with SQLite version 3.31.0) NOTE: Fixed by: https://github.com/sqlite/sqlite/commit/522ebfa7cee96fb325a22ea3a2464a63485886a8 NOTE: Additional testcases: https://github.com/sqlite/sqlite/commit/73bacb7f93eab9f4bd5a65cbc4ae242acf63c9e3 CVE-2019-19316 (When using the Azure backend with a shared access signature (SAS), Ter ...) NOT-FOR-US: Terraform CVE-2019-19315 (NLSSRV32.EXE in Nalpeiron Licensing Service 7.3.4.0, as used with Nitr ...) NOT-FOR-US: Nalpeiron Licensing Service CVE-2019-19314 (GitLab EE 8.4 through 12.5, 12.4.3, and 12.3.6 stored several tokens i ...) - gitlab (Only affects Gitlab EE) NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/ CVE-2019-19313 (GitLab EE 12.3 through 12.5, 12.4.3, and 12.3.6 allows Denial of Servi ...) - gitlab (Only affects Gitlab EE) NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/ CVE-2019-19312 (GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 has Incorrect Access C ...) - gitlab (Only affects Gitlab EE) NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/ CVE-2019-19311 (GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 allows XSS in group an ...) - gitlab (Only affects Gitlab EE) NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/ CVE-2019-19310 (GitLab Enterprise Edition (EE) 9.0 and later through 12.5 allows Infor ...) - gitlab (Only affects Gitlab EE) NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/ CVE-2019-19309 (GitLab Enterprise Edition (EE) 8.90 and later through 12.5 has Incorre ...) - gitlab (Only affects Gitlab EE) NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/ CVE-2019-19330 (The HTTP/2 implementation in HAProxy before 2.0.10 mishandles headers, ...) {DSA-4577-1} - haproxy 2.0.10-1 [stretch] - haproxy (Vulnerable code introduced in 1.8) [jessie] - haproxy (Vulnerable code introduced in 1.8) NOTE: https://git.haproxy.org/?p=haproxy.git;a=commit;h=54f53ef7ce4102be596130b44c768d1818570344 NOTE: https://git.haproxy.org/?p=haproxy.git;a=commit;h=146f53ae7e97dbfe496d0445c2802dd0a30b0878 CVE-2019-19308 (In text_to_glyphs in sushi-font-widget.c in gnome-font-viewer 3.34.0, ...) - gnome-font-viewer 3.34.0-2 (unimportant) - gnome-sushi (unimportant) NOTE: https://gitlab.gnome.org/GNOME/gnome-font-viewer/issues/17 NOTE: https://gitlab.gnome.org/GNOME/gnome-font-viewer/commit/9661683379806e2bad6a52ce6dde776a33f4f981 NOTE: Crash in GUI tool, no security impact CVE-2019-19307 (An integer overflow in parse_mqtt in mongoose.c in Cesanta Mongoose 6. ...) NOT-FOR-US: Cesanta Mongoose NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1 CVE-2019-19306 (The Zoho CRM Lead Magnet plugin 1.6.9.1 for WordPress allows XSS via m ...) NOT-FOR-US: Zoho CRM Lead Magnet plugin for WordPress CVE-2019-19305 RESERVED CVE-2019-19304 RESERVED CVE-2019-19303 RESERVED CVE-2019-19302 RESERVED CVE-2019-19301 (A vulnerability has been identified in SCALANCE X-200 switch family (i ...) NOT-FOR-US: Siemens CVE-2019-19300 (A vulnerability has been identified in KTK ATE530S (All versions), SID ...) NOT-FOR-US: Siemens CVE-2019-19299 (A vulnerability has been identified in SiNVR 3 Central Control Server ...) NOT-FOR-US: SiNVR 3 Central Control Server (CCS) CVE-2019-19298 (A vulnerability has been identified in SiNVR 3 Central Control Server ...) NOT-FOR-US: SiNVR 3 Central Control Server (CCS) CVE-2019-19297 (A vulnerability has been identified in SiNVR 3 Central Control Server ...) NOT-FOR-US: SiNVR 3 Central Control Server (CCS) CVE-2019-19296 (A vulnerability has been identified in SiNVR 3 Central Control Server ...) NOT-FOR-US: SiNVR 3 Central Control Server (CCS) CVE-2019-19295 (A vulnerability has been identified in SiNVR 3 Central Control Server ...) NOT-FOR-US: SiNVR 3 Central Control Server (CCS) CVE-2019-19294 (A vulnerability has been identified in SiNVR 3 Central Control Server ...) NOT-FOR-US: SiNVR 3 Central Control Server (CCS) CVE-2019-19293 (A vulnerability has been identified in SiNVR 3 Central Control Server ...) NOT-FOR-US: SiNVR 3 Central Control Server (CCS) CVE-2019-19292 (A vulnerability has been identified in SiNVR 3 Central Control Server ...) NOT-FOR-US: SiNVR 3 Central Control Server (CCS) CVE-2019-19291 (A vulnerability has been identified in SiNVR 3 Central Control Server ...) NOT-FOR-US: SiNVR 3 Central Control Server (CCS) CVE-2019-19290 (A vulnerability has been identified in SiNVR 3 Central Control Server ...) NOT-FOR-US: SiNVR 3 Central Control Server (CCS) CVE-2019-19289 RESERVED CVE-2019-19288 RESERVED CVE-2019-19287 RESERVED CVE-2019-19286 RESERVED CVE-2019-19285 RESERVED CVE-2019-19284 RESERVED CVE-2019-19283 RESERVED CVE-2019-19282 (A vulnerability has been identified in OpenPCS 7 V8.1 (All versions), ...) NOT-FOR-US: Siemens CVE-2019-19281 (A vulnerability has been identified in SIMATIC ET 200SP Open Controlle ...) NOT-FOR-US: Siemens CVE-2019-19280 RESERVED CVE-2019-19279 (A vulnerability has been identified in SIPROTEC 4 and SIPROTEC Compact ...) NOT-FOR-US: Siemens CVE-2019-19278 (A vulnerability has been identified in SINAMICS PERFECT HARMONY GH180 ...) NOT-FOR-US: SINAMICS CVE-2019-19277 (A vulnerability has been identified in SIPORT MP (All versions < 3. ...) NOT-FOR-US: Siemens CVE-2019-19276 RESERVED CVE-2019-19275 (typed_ast 1.3.0 and 1.3.1 has an ast_for_arguments out-of-bounds read. ...) - python3-typed-ast 1.4.0-1 (low) [buster] - python3-typed-ast (Minor issue) [stretch] - python3-typed-ast (Vulnerable code introduced later) NOTE: https://bugs.python.org/issue36495 NOTE: Introduced by: https://github.com/python/typed_ast/commit/156afcb26c198e162504a57caddfe0acd9ed7dce (1.3.0) NOTE: Fixed by: https://github.com/python/typed_ast/commit/dc317ac9cff859aa84eeabe03fb5004982545b3b (1.3.2) CVE-2019-19274 (typed_ast 1.3.0 and 1.3.1 has a handle_keywordonly_args out-of-bounds ...) - python3-typed-ast 1.4.0-1 (low) [buster] - python3-typed-ast (Minor issue) [stretch] - python3-typed-ast (Vulnerable code introduced later) NOTE: https://bugs.python.org/issue36495 NOTE: Introduced by: https://github.com/python/typed_ast/commit/156afcb26c198e162504a57caddfe0acd9ed7dce (1.3.0) NOTE: Fixed by: https://github.com/python/typed_ast/commit/dc317ac9cff859aa84eeabe03fb5004982545b3b (1.3.2) CVE-2019-19273 (On Samsung mobile devices with O(8.0) and P(9.0) software and an Exyno ...) NOT-FOR-US: Samsung CVE-2015-9539 (The Fast Secure Contact Form plugin before 4.0.38 for WordPress allows ...) NOT-FOR-US: Fast Secure Contact Form plugin for WordPress CVE-2015-9538 (The NextGEN Gallery plugin before 2.1.15 for WordPress allows ../ Dire ...) NOT-FOR-US: NextGEN Gallery plugin for WordPress CVE-2015-9537 (The NextGEN Gallery plugin before 2.1.10 for WordPress has multiple XS ...) NOT-FOR-US: NextGEN Gallery plugin for WordPress CVE-2019-19272 (An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. Dir ...) - proftpd-dfsg 1.3.6-1 [stretch] - proftpd-dfsg (Bug was introduced in 1.3.5c) [jessie] - proftpd-dfsg (Bug was introduced in 1.3.5c) NOTE: https://github.com/proftpd/proftpd/issues/858 NOTE: Introduced in: https://github.com/proftpd/proftpd/commit/474075d2cb8c8ced7764b1b4b5ad63a49284d61f (v1.3.5c) CVE-2019-19271 (An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. A w ...) - proftpd-dfsg 1.3.6-1 [stretch] - proftpd-dfsg (Bug was introduced in 1.3.5c) [jessie] - proftpd-dfsg (Bug was introduced in 1.3.5c) NOTE: https://github.com/proftpd/proftpd/issues/860 NOTE: Introduced in: https://github.com/proftpd/proftpd/commit/474075d2cb8c8ced7764b1b4b5ad63a49284d61f (v1.3.5c) CVE-2019-19270 (An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. F ...) - proftpd-dfsg 1.3.6b-2 (bug #946346) [buster] - proftpd-dfsg 1.3.6-4+deb10u3 [stretch] - proftpd-dfsg (Bug was introduced in 1.3.5c) [jessie] - proftpd-dfsg (Bug was introduced in 1.3.5c) NOTE: https://github.com/proftpd/proftpd/issues/859 NOTE: https://github.com/proftpd/proftpd/commit/81cc5dce4fc0285629a1b08a07a109af10c208dd (master) NOTE: https://github.com/proftpd/proftpd/commit/be8e1687819cb665359bd62b4c896ff4b1a09c3f (1.3.6 branch) NOTE: Introduced in: https://github.com/proftpd/proftpd/commit/0e27c53177db6e1ce4196c772c119071678c77a7 (v1.3.5c) CVE-2019-19269 (An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. A ...) {DLA-2018-1} - proftpd-dfsg 1.3.6b-2 (bug #946345) [buster] - proftpd-dfsg 1.3.6-4+deb10u3 [stretch] - proftpd-dfsg 1.3.5b-4+deb9u3 NOTE: https://github.com/proftpd/proftpd/issues/861 NOTE: https://github.com/proftpd/proftpd/commit/81cc5dce4fc0285629a1b08a07a109af10c208dd (master) NOTE: https://github.com/proftpd/proftpd/commit/be8e1687819cb665359bd62b4c896ff4b1a09c3f (1.3.6 branch) CVE-2019-19268 RESERVED CVE-2019-19267 RESERVED CVE-2019-19266 (IceWarp WebMail Server 12.2.0 and 12.1.x before 12.2.1.1 (and probably ...) NOT-FOR-US: IceWarp WebMail Server CVE-2019-19265 (IceWarp WebMail Server 12.2.0 and 12.1.x before 12.2.1.1 (and probably ...) NOT-FOR-US: IceWarp WebMail Server CVE-2019-19264 (In Simplifile RecordFusion through 2019-11-25, the logs and hist param ...) NOT-FOR-US: Simplifile RecordFusion CVE-2019-19263 (GitLab Enterprise Edition (EE) 8.2 and later through 12.5 has Insecure ...) - gitlab (Only affects Gitlab EE) NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/ CVE-2019-19262 (GitLab Enterprise Edition (EE) 11.9 and later through 12.5 has Insecur ...) - gitlab (Only affects Gitlab EE) NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/ NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-2-released/ CVE-2019-19261 (GitLab Enterprise Edition (EE) 6.7 and later through 12.5 allows SSRF. ...) - gitlab (Only affects Gitlab EE) NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/ CVE-2019-19260 (GitLab Community Edition (CE) and Enterprise Edition (EE) through 12.5 ...) [experimental] - gitlab 12.2.9-5 - gitlab 12.6.8-3 - gitlab-workhorse 8.8.1+debian-3 [buster] - gitlab-workhorse (Minor issue) [stretch] - gitlab-workhorse (Minor issue) [experimental] - gitaly 1.65.2+dfsg-1 - gitaly NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/ CVE-2019-19259 (GitLab Enterprise Edition (EE) 11.3 and later through 12.5 allows an I ...) - gitlab (Only affects Gitlab EE) NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/ CVE-2019-19258 (GitLab Enterprise Edition (EE) 10.8 and later through 12.5 has Incorre ...) - gitlab (Only affects Gitlab EE) NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/ CVE-2019-19257 (GitLab Community Edition (CE) and Enterprise Edition (EE) through 12.5 ...) [experimental] - gitlab 12.2.9-5 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/ CVE-2019-19256 (GitLab Enterprise Edition (EE) 12.2 and later through 12.5 has Incorre ...) - gitlab (Only affects Gitlab EE) NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/ CVE-2019-19255 (GitLab Enterprise Edition (EE) 12.3 and later through 12.5 has Incorre ...) - gitlab (Only affects Gitlab EE) NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/ CVE-2019-19254 (GitLab Community Edition (CE) and Enterprise Edition (EE). 9.6 and lat ...) [experimental] - gitlab 12.2.9-5 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/ CVE-2019-19253 RESERVED NOT-FOR-US: Apereo CAS CVE-2019-19252 (vcs_write in drivers/tty/vt/vc_screen.c in the Linux kernel through 5. ...) - linux 5.4.6-1 [buster] - linux 4.19.98-1 [stretch] - linux (Vulnerability introduced later) [jessie] - linux (Vulnerability introduced later) NOTE: https://lore.kernel.org/lkml/c30fc539-68a8-65d7-226c-6f8e6fd8bdfb@suse.com/ CVE-2019-19251 (The Last.fm desktop app (Last.fm Scrobbler) through 2.1.39 on macOS ma ...) NOT-FOR-US: Last.fm desktop app on macOS CVE-2019-19250 (OpenTrade before 2019-11-23 allows SQL injection, related to server/mo ...) NOT-FOR-US: OpenTrade CVE-2019-19249 (Controllers/InvitationsController.cs in QueryTree before 3.0.99-beta m ...) NOT-FOR-US: QueryTree CVE-2019-19248 (Electronic Arts Origin through 10.5.x allows Elevation of Privilege (i ...) NOT-FOR-US: Electronic Arts Origin CVE-2019-19247 (Electronic Arts Origin through 10.5.x allows Elevation of Privilege (i ...) NOT-FOR-US: Electronic Arts Origin CVE-2019-19246 (Oniguruma through 6.9.3, as used in PHP 7.3.x and other products, has ...) {DLA-2020-1} - libonig 6.9.4-1 (low; bug #946344) [buster] - libonig (Minor issue) [stretch] - libonig (Minor issue) NOTE: https://bugs.php.net/bug.php?id=78559 NOTE: https://github.com/kkos/oniguruma/commit/d3e402928b6eb3327f8f7d59a9edfa622fec557b CVE-2019-19245 (NAPC Xinet Elegant 6 Asset Library 6.1.655 allows Pre-Authentication S ...) NOT-FOR-US: NAPC Xinet Elegant 6 Asset Library CVE-2019-19244 (sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-sel ...) - sqlite3 3.30.1+fossil191229-1 (bug #946656) [buster] - sqlite3 (Minor issue) [stretch] - sqlite3 (Vulnerable code introduced later) [jessie] - sqlite3 (Vulnerable code, i.e. window functions, not present) NOTE: https://github.com/sqlite/sqlite/commit/e59c562b3f6894f84c715772c4b116d7b5c01348 CVE-2019-19243 RESERVED CVE-2019-19242 (SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_C ...) - sqlite3 3.30.1+fossil191229-1 [buster] - sqlite3 (Minor issue) [stretch] - sqlite3 (Vulnerable code introduced later) [jessie] - sqlite3 (Vulnerable code not present) NOTE: https://github.com/sqlite/sqlite/commit/57f7ece78410a8aae86aa4625fb7556897db384c CVE-2019-19241 (In the Linux kernel before 5.4.2, the io_uring feature leads to reques ...) - linux 5.3.15-1 [buster] - linux (Vulnerable code introduced later) [stretch] - linux (Vulnerable code introduced later) [jessie] - linux (Vulnerable code introduced later) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1975 NOTE: https://git.kernel.org/linus/181e448d8709e517c9c7b523fcd209f24eb38ca7 NOTE: https://git.kernel.org/linus/d69e07793f891524c6bbf1e75b9ae69db4450953 CVE-2019-19240 (Embedthis GoAhead before 5.0.1 mishandles redirected HTTP requests wit ...) NOT-FOR-US: Embedthis GoAhead CVE-2019-19239 RESERVED CVE-2019-19238 RESERVED CVE-2019-19237 RESERVED CVE-2019-19236 RESERVED CVE-2019-19235 (AsLdrSrv.exe in ASUS ATK Package before V1.0.0061 (for Windows 10 note ...) NOT-FOR-US: ASUS CVE-2019-19234 (** DISPUTED ** In Sudo through 1.8.29, the fact that a user has been b ...) - sudo 1.8.31-1 (bug #947225; unimportant) NOTE: https://www.sudo.ws/devel.html#1.8.30b2 NOTE: Sudo 1.8.30 adds an optional setting to check the shell of the target user NOTE: additionally. CVE-2019-19233 RESERVED CVE-2019-19232 (** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Ru ...) - sudo 1.8.31-1 (bug #947225; unimportant) NOTE: https://www.sudo.ws/devel.html#1.8.30b2 NOTE: Sudo 1.8.30 introduces an option to enable/disable the behavior. CVE-2019-19231 (An insecure file access vulnerability exists in CA Client Automation 1 ...) NOT-FOR-US: CA Client Automation CVE-2019-19230 (An unsafe deserialization vulnerability exists in CA Release Automatio ...) NOT-FOR-US: CA Release Automation (Nolio) CVE-2019-19229 (admincgi-bin/service.fcgi on Fronius Solar Inverter devices before 3.1 ...) NOT-FOR-US: Fronius Solar Inverter devices CVE-2019-19228 (Fronius Solar Inverter devices before 3.14.1 (HM 1.12.1) allow attacke ...) NOT-FOR-US: Fronius Solar Inverter devices CVE-2019-19227 (In the AppleTalk subsystem in the Linux kernel before 5.1, there is a ...) {DLA-2114-1 DLA-2068-1} - linux 5.2.6-1 [buster] - linux 4.19.98-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/9804501fa1228048857910a6bf23e085aade37cc CVE-2019-19226 (A Broken Access Control vulnerability in the D-Link DSL-2680 web admin ...) NOT-FOR-US: D-Link CVE-2019-19225 (A Broken Access Control vulnerability in the D-Link DSL-2680 web admin ...) NOT-FOR-US: D-Link CVE-2019-19224 (A Broken Access Control vulnerability in the D-Link DSL-2680 web admin ...) NOT-FOR-US: D-Link CVE-2019-19223 (A Broken Access Control vulnerability in the D-Link DSL-2680 web admin ...) NOT-FOR-US: D-Link CVE-2019-19222 (A Stored XSS issue in the D-Link DSL-2680 web administration interface ...) NOT-FOR-US: D-Link CVE-2019-19221 (In Libarchive 3.4.0, archive_wstring_append_from_mbs in archive_string ...) - libarchive 3.4.2-1 (bug #945287) [buster] - libarchive (Minor issue) [stretch] - libarchive (Minor issue) [jessie] - libarchive (Minor issue) NOTE: https://github.com/libarchive/libarchive/commit/22b1db9d46654afc6f0c28f90af8cdc84a199f41 NOTE: https://github.com/libarchive/libarchive/issues/1276 CVE-2019-19220 (BMC Control-M/Agent 7.0.00.000 allows OS Command Injection (issue 2 of ...) NOT-FOR-US: BMC Control-M/Agent CVE-2019-19219 (BMC Control-M/Agent 7.0.00.000 allows Arbitrary File Download. ...) NOT-FOR-US: BMC Control-M/Agent CVE-2019-19218 (BMC Control-M/Agent 7.0.00.000 has Insecure Password Storage. ...) NOT-FOR-US: BMC Control-M/Agent CVE-2019-19217 (BMC Control-M/Agent 7.0.00.000 allows OS Command Injection. ...) NOT-FOR-US: BMC Control-M/Agent CVE-2019-19216 (BMC Control-M/Agent 7.0.00.000 has an Insecure File Copy. ...) NOT-FOR-US: BMC Control-M/Agent CVE-2019-19215 (A buffer overflow vulnerability in BMC Control-M/Agent 7.0.00.000 when ...) NOT-FOR-US: BMC Control-M/Agent CVE-2019-19214 REJECTED CVE-2019-19213 REJECTED CVE-2019-19212 (Dolibarr ERP/CRM 3.0 through 10.0.3 allows XSS via the qty parameter t ...) - dolibarr CVE-2019-19211 (Dolibarr ERP/CRM before 10.0.3 has an Insufficient Filtering issue tha ...) - dolibarr CVE-2019-19210 (Dolibarr ERP/CRM before 10.0.3 allows XSS because uploaded HTML docume ...) - dolibarr CVE-2019-19209 (Dolibarr ERP/CRM before 10.0.3 allows SQL Injection. ...) - dolibarr CVE-2019-19208 (Codiad Web IDE through 2.8.4 allows PHP Code injection. ...) NOT-FOR-US: Codiad Web IDE CVE-2019-19207 (rConfig 3.9.2 allows devices.php?searchColumn= SQL injection. ...) NOT-FOR-US: rConfig CVE-2019-19206 (Dolibarr CRM/ERP 10.0.3 allows viewimage.php?file= Stored XSS due to J ...) - dolibarr CVE-2019-19205 RESERVED CVE-2019-19204 (An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the func ...) {DLA-2020-1} - libonig 6.9.4-1 (low; bug #945313) [buster] - libonig (Minor issue) [stretch] - libonig (Minor issue) NOTE: https://github.com/kkos/oniguruma/issues/162 NOTE: https://github.com/kkos/oniguruma/commit/6eb4aca6a7f2f60f473580576d86686ed6a6ebec (v6.9.4_rc2) NOTE: Only exploitable with attacker-provided pattern CVE-2019-19203 (An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the func ...) - libonig 6.9.4-1 (low; bug #945312) [buster] - libonig (Minor issue) [stretch] - libonig (Minor issue) [jessie] - libonig (Minor issue, not reproducible, non-trivial backport) NOTE: https://github.com/kkos/oniguruma/issues/163 NOTE: https://github.com/kkos/oniguruma/commit/aa0188eaedc056dca8374ac03d0177429b495515 (v6.9.4_rc2) NOTE: Only exploitable with attacker-provided pattern CVE-2019-19202 (In Vtiger 7.x before 7.2.0, the My Preferences saving functionality al ...) NOT-FOR-US: Vtiger CRM CVE-2019-19201 RESERVED CVE-2019-19200 RESERVED CVE-2019-19199 RESERVED CVE-2019-19198 (The Scoutnet Kalender plugin 1.1.0 for WordPress allows XSS. ...) NOT-FOR-US: Scoutnet Kalender plugin for WordPress CVE-2019-19197 (IOCTL Handling in the kyrld.sys driver in Kyrol Internet Security 9.0. ...) NOT-FOR-US: Kyrol Internet Security CVE-2019-19196 (The Bluetooth Low Energy Secure Manager Protocol (SMP) implementation ...) NOT-FOR-US: Telink CVE-2019-19195 (The Bluetooth Low Energy implementation on Microchip Technology BluSDK ...) NOT-FOR-US: Microchip CVE-2019-19194 (The Bluetooth Low Energy Secure Manager Protocol (SMP) implementation ...) NOT-FOR-US: Telink CVE-2019-19193 (The Bluetooth Low Energy peripheral implementation on Texas Instrument ...) NOT-FOR-US: Texas Instruments CVE-2019-19192 (The Bluetooth Low Energy implementation on STMicroelectronics BLE Stac ...) NOT-FOR-US: STMicroelectronics CVE-2019-19191 (Shibboleth Service Provider (SP) 3.x before 3.1.0 shipped a spec file ...) - shibboleth-sp (unimportant) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1157471 NOTE: https://issues.shibboleth.net/jira/browse/SSPCPP-874 NOTE: This is an issue in the upstream provided spec file which is not relevant NOTE: for the binary packages build in Debian (fixed upstream in 3.1.0). The NOTE: postinst in the Debian packaging does not have similar problematic chown logic. CVE-2019-19190 RESERVED CVE-2019-19189 RESERVED CVE-2019-19188 RESERVED CVE-2019-19187 RESERVED CVE-2019-19186 RESERVED CVE-2019-19185 RESERVED CVE-2019-19184 RESERVED CVE-2019-19183 RESERVED CVE-2019-19182 RESERVED CVE-2019-19181 RESERVED CVE-2019-19180 RESERVED CVE-2019-19179 RESERVED CVE-2019-19178 RESERVED CVE-2019-19177 RESERVED CVE-2019-19176 RESERVED CVE-2019-19175 RESERVED CVE-2019-19174 RESERVED CVE-2019-19173 RESERVED CVE-2019-19172 RESERVED CVE-2019-19171 RESERVED CVE-2019-19170 RESERVED CVE-2019-19169 (Dext5.ocx ActiveX 5.0.0.116 and eariler versions contain a vulnerabili ...) NOT-FOR-US: Dext5.ocx ActiveX CVE-2019-19168 (Dext5.ocx ActiveX 5.0.0.116 and eariler versions contain a vulnerabili ...) NOT-FOR-US: Dext5.ocx ActiveX CVE-2019-19167 (Tobesoft Nexacro v2019.9.25.1 and earlier version have an arbitrary co ...) NOT-FOR-US: Tobesoft Nexacro CVE-2019-19166 (Tobesoft XPlatform v9.1, 9.2.0, 9.2.1 and 9.2.2 have a vulnerability t ...) NOT-FOR-US: Tobesoft XPlatform CVE-2019-19165 (AxECM.cab(ActiveX Control) in Inogard Ebiz4u contains a vulnerability ...) NOT-FOR-US: Inogard Ebiz4u CVE-2019-19164 (dext5.ocx ActiveX Control in Dext5 Upload 5.0.0.112 and earlier versio ...) NOT-FOR-US: Dext5.ocx ActiveX CVE-2019-19163 (A Vulnerability in the firmware of COMMAX WallPad(CDP-1020MB) allow an ...) NOT-FOR-US: COMMAX CVE-2019-19162 (A use-after-free vulnerability in the TOBESOFT XPLATFORM versions 9.1 ...) NOT-FOR-US: TOBESOFT XPLATFORM CVE-2019-19161 (CyMiInstaller322 ActiveX which runs MIPLATFORM downloads files require ...) TODO: check CVE-2019-19160 (Reportexpress ProPlus contains a vulnerability that could allow an arb ...) NOT-FOR-US: Reportexpress ProPlus CVE-2019-19159 RESERVED CVE-2019-19158 RESERVED CVE-2019-19157 RESERVED CVE-2019-19156 RESERVED CVE-2019-19155 RESERVED CVE-2019-19154 RESERVED CVE-2019-19153 RESERVED CVE-2019-19152 RESERVED CVE-2019-19151 (On BIG-IP versions 15.0.0-15.1.0, 14.0.0-14.1.2.3, 13.1.0-13.1.3.2, 12 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-19150 (On versions 15.0.0-15.0.1.1, 14.1.0-14.1.2, 14.0.0-14.0.1, 13.1.0-13.1 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-19149 RESERVED CVE-2019-19148 (Tellabs Optical Line Terminal (OLT) 1150 devices allow Remote Command ...) NOT-FOR-US: Tellabs Optical Line Terminal (OLT) devices CVE-2019-19147 RESERVED CVE-2019-19146 RESERVED CVE-2019-19145 RESERVED CVE-2019-19144 RESERVED CVE-2019-19143 (TP-LINK TL-WR849N 0.9.1 4.16 devices do not require authentication to ...) NOT-FOR-US: TP-LINK CVE-2019-19142 (Intelbras WRN240 devices do not require authentication to replace the ...) NOT-FOR-US: Intelbras CVE-2019-19141 (The Camera Upload functionality in Plex Media Server through 1.18.2.20 ...) NOT-FOR-US: Plex Media Server CVE-2019-19140 RESERVED CVE-2019-19139 RESERVED CVE-2019-19138 RESERVED CVE-2019-19137 RESERVED CVE-2019-19136 RESERVED CVE-2019-19135 (In OPC Foundation OPC UA .NET Standard codebase 1.4.357.28, servers do ...) NOT-FOR-US: OPC Foundation OPC UA .NET Standard codebase CVE-2019-19134 (The Hero Maps Premium plugin 2.2.1 and prior for WordPress is prone to ...) NOT-FOR-US: Hero Maps Premium plugin for WordPress CVE-2019-19133 (The CSS Hero plugin through 4.0.3 for WordPress is prone to reflected ...) NOT-FOR-US: CSS Hero plugin for WordPress CVE-2019-19132 RESERVED CVE-2019-19131 RESERVED CVE-2019-19130 RESERVED CVE-2019-19129 (Afterlogic WebMail Pro 8.3.11, and WebMail in Afterlogic Aurora 8.3.11 ...) NOT-FOR-US: Afterlogic CVE-2019-19128 RESERVED CVE-2019-19127 (An authentication bypass vulnerability is present in the standalone SI ...) NOT-FOR-US: Tribal SITS CVE-2019-19126 (On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 ...) - glibc 2.29-8 (bug #945250) [buster] - glibc (Minor issue) [stretch] - glibc (Minor issue) [jessie] - glibc (Vulnerable code introduced in 2.23) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25204 NOTE: Introduced by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=object;h=b9eb92ab05204df772eb4929eccd018637c9f3e9 NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d5dfad4326fc683c813df1e37bbf5cf920591c8e CVE-2019-19125 RESERVED CVE-2019-19124 RESERVED CVE-2019-19123 RESERVED CVE-2019-19122 RESERVED CVE-2019-19121 RESERVED CVE-2019-19120 RESERVED CVE-2019-19119 (An issue was discovered in PRTG 7.x through 19.4.53. Due to insufficie ...) NOT-FOR-US: PRTG Network Monitor CVE-2019-19118 (Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model ...) - python-django 2:2.2.8-1 (bug #946011) [buster] - python-django (Vulnerable code introduced later) [stretch] - python-django (Vulnerable code introduced later) [jessie] - python-django (Vulnerable code introduced later) NOTE: https://www.djangoproject.com/weblog/2019/dec/02/security-releases/ NOTE: Introduced after https://github.com/django/django/commit/825f0beda804e48e9197fcf3b0d909f9f548aa47 (2.1a1) NOTE: https://github.com/django/django/commit/11c5e0609bcc0db93809de2a08e0dc3d70b393e4 (master) NOTE: https://github.com/django/django/commit/092cd66cf3c3e175acce698d6ca2012068d878fa (3.0 branch) NOTE: https://github.com/django/django/commit/36f580a17f0b3cb087deadf3b65eea024f479c21 (2.2 branch) NOTE: https://github.com/django/django/commit/103ebe2b5ff1b2614b85a52c239f471904d26244 (2.1 branch) CVE-2019-19117 (/usr/lib/lua/luci/controller/admin/autoupgrade.lua on PHICOMM K2(PSG12 ...) NOT-FOR-US: PHICOMM K2(PSG1218) devices CVE-2019-19116 RESERVED CVE-2019-19115 RESERVED CVE-2019-19114 RESERVED CVE-2019-19113 (main/resources/mapper/NewBeeMallGoodsMapper.xml in newbee-mall (aka Ne ...) NOT-FOR-US: newbee-mall CVE-2019-19112 (The wpForo plugin 1.6.5 for WordPress allows XSS involving the wpf-dw- ...) NOT-FOR-US: wpForo plugin for WordPress CVE-2019-19111 (The wpForo plugin 1.6.5 for WordPress allows XSS via the wp-admin/admi ...) NOT-FOR-US: wpForo plugin for WordPress CVE-2019-19110 (The wpForo plugin 1.6.5 for WordPress allows XSS via the wp-admin/admi ...) NOT-FOR-US: wpForo plugin for WordPress CVE-2019-19109 (The wpForo plugin 1.6.5 for WordPress allows wp-admin/admin.php?page=w ...) NOT-FOR-US: wpForo plugin for WordPress CVE-2019-19108 (An authentication weakness in the SNMP service in B&R Automation R ...) NOT-FOR-US: B&R Automation Runtime CVE-2019-19107 (The Configuration pages in ABB Telephone Gateway TG/S 3.2 and Busch-Ja ...) NOT-FOR-US: ABB CVE-2019-19106 (Improper implementation of Access Control in ABB Telephone Gateway TG/ ...) NOT-FOR-US: ABB CVE-2019-19105 (The backup function in ABB Telephone Gateway TG/S 3.2 and Busch-Jaeger ...) NOT-FOR-US: ABB CVE-2019-19104 (The web server in ABB Telephone Gateway TG/S 3.2 and Busch-Jaeger 6186 ...) NOT-FOR-US: ABB CVE-2019-19103 RESERVED CVE-2019-19102 (A directory traversal vulnerability in SharpZipLib used in the upgrade ...) NOT-FOR-US: B&R Automation Studio CVE-2019-19101 (A missing secure communication definition and an incomplete TLS valida ...) NOT-FOR-US: B&R Automation Studio CVE-2019-19100 (A privilege escalation vulnerability in the upgrade service in B&R ...) NOT-FOR-US: B&R Automation Studio CVE-2019-19099 RESERVED CVE-2019-19098 RESERVED CVE-2019-19097 (ABB eSOMS versions 4.0 to 6.0.3 accept connections using medium streng ...) NOT-FOR-US: ABB eSOMS CVE-2019-19096 (The Redis data structure component used in ABB eSOMS versions 6.0 to 6 ...) NOT-FOR-US: ABB eSOMS CVE-2019-19095 (Lack of adequate input/output validation for ABB eSOMS versions 4.0 to ...) NOT-FOR-US: ABB eSOMS CVE-2019-19094 (Lack of input checks for SQL queries in ABB eSOMS versions 3.9 to 6.0. ...) NOT-FOR-US: ABB eSOMS CVE-2019-19093 (eSOMS versions 4.0 to 6.0.3 do not enforce password complexity setting ...) NOT-FOR-US: ABB eSOMS CVE-2019-19092 (ABB eSOMS versions 4.0 to 6.0.3 use ASP.NET Viewstate without Message ...) NOT-FOR-US: ABB eSOMS CVE-2019-19091 (For ABB eSOMS versions 4.0 to 6.0.3, HTTPS responses contain comments ...) NOT-FOR-US: ABB eSOMS CVE-2019-19090 (For ABB eSOMS versions 4.0 to 6.0.2, the Secure Flag is not set in the ...) NOT-FOR-US: ABB eSOMS CVE-2019-19089 (For ABB eSOMS versions 4.0 to 6.0.3, the X-Content-Type-Options Header ...) NOT-FOR-US: ABB eSOMS CVE-2019-19088 (Gitlab Enterprise Edition (EE) 11.3 through 12.4.2 allows Directory Tr ...) - gitlab (Only affects Gitlab EE) NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/ CVE-2019-19087 (Gitlab Enterprise Edition (EE) before 12.5.1 has Insecure Permissions ...) - gitlab (Only affects Gitlab EE) NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/ CVE-2019-19086 (Gitlab Enterprise Edition (EE) before 12.5.1 has Insecure Permissions ...) - gitlab (Only affects Gitlab EE) NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/ CVE-2019-19085 (A persistent cross-site scripting (XSS) vulnerability in Octopus Serve ...) NOT-FOR-US: Octopus Server CVE-2019-19084 (In Octopus Deploy 3.3.0 through 2019.10.4, an authenticated user with ...) NOT-FOR-US: Octopus Deploy CVE-2018-21031 (Tautulli versions 2.1.38 and below allows remote attackers to bypass i ...) NOT-FOR-US: Plex Media Server CVE-2011-5331 (Distributed Ruby (aka DRuby) 1.8 mishandles instance_eval. ...) NOT-FOR-US: Distributed Ruby CVE-2011-5330 (Distributed Ruby (aka DRuby) 1.8 mishandles the sending of syscalls. ...) NOT-FOR-US: Distributed Ruby CVE-2019-19083 (Memory leaks in *clock_source_create() functions under drivers/gpu/drm ...) - linux 5.3.9-1 (unimportant) [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/055e547478a11a6360c7ce05e2afc3e366968a12 CVE-2019-19082 (Memory leaks in *create_resource_pool() functions under drivers/gpu/dr ...) - linux 5.4.6-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/104c307147ad379617472dd91a5bcb368d72bd6d CVE-2019-19081 (A memory leak in the nfp_flower_spawn_vnic_reprs() function in drivers ...) - linux 5.3.7-1 [buster] - linux 4.19.87-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/8ce39eb5a67aee25d9f05b40b673c95b23502e3e CVE-2019-19080 (Four memory leaks in the nfp_flower_spawn_phy_reprs() function in driv ...) - linux 5.3.7-1 [buster] - linux 4.19.87-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/8572cea1461a006bce1d06c0c4b0575869125fa4 CVE-2019-19079 (A memory leak in the qrtr_tun_write_iter() function in net/qrtr/tun.c ...) - linux 5.3.7-1 [buster] - linux 4.19.98-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/a21b7f0cff1906a93a0130b74713b15a0b36481d CVE-2019-19078 (A memory leak in the ath10k_usb_hif_tx_sg() function in drivers/net/wi ...) - linux 5.4.13-1 [buster] - linux 4.19.98-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) CVE-2019-19077 (A memory leak in the bnxt_re_create_srq() function in drivers/infiniba ...) - linux 5.4.6-1 [buster] - linux 4.19.98-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/4a9d46a9fe14401f21df69cea97c62396d5fb053 CVE-2019-19076 (** DISPUTED ** A memory leak in the nfp_abm_u32_knode_replace() functi ...) - linux 5.3.7-1 [buster] - linux (Vulnerable code not present) [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/78beef629fd95be4ed853b2d37b832f766bd96ca CVE-2019-19075 (A memory leak in the ca8210_probe() function in drivers/net/ieee802154 ...) - linux 5.3.9-1 (unimportant) [buster] - linux 4.19.87-1 NOTE: https://git.kernel.org/linus/6402939ec86eaf226c8b8ae00ed983936b164908 CVE-2019-19074 (A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ ...) - linux 5.4.6-1 NOTE: https://git.kernel.org/linus/728c1e2a05e4b5fc52fab3421dce772a806612a2 CVE-2019-19073 (Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux ...) - linux 5.4.6-1 NOTE: https://git.kernel.org/linus/853acf7caf10b828102d92d05b5c101666a6142b CVE-2019-19072 (A memory leak in the predicate_parse() function in kernel/trace/trace_ ...) - linux 5.4.6-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/96c5c6e6a5b6db592acae039fed54b5c8844cd35 CVE-2019-19071 (A memory leak in the rsi_send_beacon() function in drivers/net/wireles ...) - linux 5.4.6-1 [buster] - linux 4.19.98-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) CVE-2019-19070 (** DISPUTED ** A memory leak in the spi_gpio_probe() function in drive ...) - linux (unimportant) CVE-2019-19069 (A memory leak in the fastrpc_dma_buf_attach() function in drivers/misc ...) - linux 5.3.9-1 [buster] - linux (Vulnerable code not present) [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/fc739a058d99c9297ef6bfd923b809d85855b9a9 CVE-2019-19068 (A memory leak in the rtl8xxxu_submit_int_urb() function in drivers/net ...) {DLA-2114-1} - linux 5.4.13-1 [buster] - linux 4.19.98-1 [stretch] - linux 4.9.210-1 [jessie] - linux (Vulnerable code not present) CVE-2019-19067 (** DISPUTED ** Four memory leaks in the acp_hw_init() function in driv ...) - linux 5.3.9-1 (unimportant) NOTE: https://git.kernel.org/linus/57be09c6e8747bf48704136d9e3f92bfb93f5725 CVE-2019-19066 (A memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/ ...) {DLA-2114-1 DLA-2068-1} - linux 5.4.13-1 [buster] - linux 4.19.98-1 [stretch] - linux 4.9.210-1 CVE-2019-19065 (** DISPUTED ** A memory leak in the sdma_init() function in drivers/in ...) - linux 5.3.9-1 [buster] - linux 4.19.87-1 [stretch] - linux (Vulnerability introduced later) [jessie] - linux (Vulnerability introduced later) NOTE: https://git.kernel.org/linus/34b3be18a04ecdc610aae4c48e5d1b799d8689f6 CVE-2019-19064 (** DISPUTED ** A memory leak in the fsl_lpspi_probe() function in driv ...) - linux 5.4.13-1 (unimportant) CVE-2019-19063 (Two memory leaks in the rtl_usb_probe() function in drivers/net/wirele ...) - linux 5.4.8-1 (unimportant) [buster] - linux 4.19.98-1 [stretch] - linux 4.9.210-1 CVE-2019-19062 (A memory leak in the crypto_report() function in crypto/crypto_user_ba ...) {DLA-2114-1 DLA-2068-1} - linux 5.4.6-1 [buster] - linux 4.19.98-1 [stretch] - linux 4.9.210-1 CVE-2019-19061 (A memory leak in the adis_update_scan_mode_burst() function in drivers ...) - linux 5.3.9-1 (unimportant) NOTE: https://git.kernel.org/linus/9c0530e898f384c5d279bfcebd8bb17af1105873 CVE-2019-19060 (A memory leak in the adis_update_scan_mode() function in drivers/iio/i ...) - linux 5.3.9-1 (unimportant) [buster] - linux 4.19.87-1 NOTE: https://git.kernel.org/linus/ab612b1daf415b62c58e130cb3d0f30b255a14d0 CVE-2019-19059 (Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function i ...) - linux 5.4.6-1 [buster] - linux 4.19.98-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/0f4f199443faca715523b0659aa536251d8b978f CVE-2019-19058 (A memory leak in the alloc_sgtable() function in drivers/net/wireless/ ...) - linux 5.4.6-1 [buster] - linux 4.19.98-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/b4b814fec1a5a849383f7b3886b654a13abbda7d CVE-2019-19057 (Two memory leaks in the mwifiex_pcie_init_evt_ring() function in drive ...) {DLA-2114-1 DLA-2068-1} - linux 5.4.8-1 [buster] - linux 4.19.98-1 [stretch] - linux 4.9.210-1 CVE-2019-19056 (A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf() function in drive ...) {DLA-2114-1 DLA-2068-1} - linux 5.4.13-1 [buster] - linux 4.19.98-1 [stretch] - linux 4.9.210-1 CVE-2019-19055 (** DISPUTED ** A memory leak in the nl80211_get_ftm_responder_stats() ...) - linux 5.4.6-1 (unimportant) [buster] - linux (Vulnerable code introduced later) [stretch] - linux (Vulnerable code introduced later) [jessie] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/1399c59fa92984836db90538cf92397fe7caaa57 CVE-2019-19054 (A memory leak in the cx23888_ir_probe() function in drivers/media/pci/ ...) - linux (unimportant) NOTE: Memory leak on probe only. CVE-2019-19053 (A memory leak in the rpmsg_eptdev_write_iter() function in drivers/rpm ...) - linux 5.4.13-1 [buster] - linux (Vulnerable code not present) [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) CVE-2019-19052 (A memory leak in the gs_can_open() function in drivers/net/can/usb/gs_ ...) {DLA-2114-1 DLA-2068-1} - linux 5.3.15-1 [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/fb5be6a7b4863ecc44963bb80ca614584b6c7817 CVE-2019-19051 (A memory leak in the i2400m_op_rfkill_sw_toggle() function in drivers/ ...) {DLA-2114-1 DLA-2068-1} - linux 5.3.15-1 [buster] - linux 4.19.98-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/6f3ef5c25cc762687a7341c18cbea5af54461407 CVE-2019-19050 (A memory leak in the crypto_reportstat() function in crypto/crypto_use ...) - linux 5.4.6-1 [buster] - linux (Vulnerable code not present) [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) CVE-2019-19049 (** DISPUTED ** A memory leak in the unittest_data_add() function in dr ...) - linux 5.3.15-1 (unimportant) [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/e13de8fe0d6a51341671bbe384826d527afe8d44 NOTE: unittest.c can only be reached during boot. CVE-2019-19048 (A memory leak in the crypto_reportstat() function in drivers/virt/vbox ...) - linux 5.3.9-1 [buster] - linux 4.19.87-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/e0b0cb9388642c104838fac100a4af32745621e2 CVE-2019-19047 (A memory leak in the mlx5_fw_fatal_reporter_dump() function in drivers ...) - linux 5.3.15-1 [buster] - linux (Vulnerability introduced later) [stretch] - linux (Vulnerability introduced later) [jessie] - linux (Vulnerability introduced later) NOTE: https://git.kernel.org/linus/c7ed6d0183d5ea9bc31bcaeeba4070bd62546471 CVE-2019-19046 (** DISPUTED ** A memory leak in the __ipmi_bmc_register() function in ...) - linux 5.4.19-1 (unimportant) [buster] - linux 4.19.118-1 NOTE: Only a memory leak on the probe path CVE-2019-19045 (A memory leak in the mlx5_fpga_conn_create_cq() function in drivers/ne ...) - linux 5.3.15-1 [buster] - linux 4.19.87-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/c8c2a057fdc7de1cd16f4baa51425b932a42eb39 CVE-2019-19044 (Two memory leaks in the v3d_submit_cl_ioctl() function in drivers/gpu/ ...) - linux 5.3.15-1 [buster] - linux (Vulnerability introduced later) [stretch] - linux (Vulnerability introduced later) [jessie] - linux (Vulnerability introduced later) NOTE: https://git.kernel.org/linus/29cd13cfd7624726d9e6becbae9aa419ef35af7f CVE-2019-19043 (A memory leak in the i40e_setup_macvlans() function in drivers/net/eth ...) - linux 5.4.19-1 [buster] - linux (Vulnerable code not present) [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) CVE-2019-19042 RESERVED CVE-2019-19041 (An issue was discovered in Xorux Lpar2RRD 6.11 and Stor2RRD 2.61, as d ...) NOT-FOR-US: Xorux CVE-2019-19040 (KairosDB through 1.2.2 has XSS in view.html because of showErrorMessag ...) NOT-FOR-US: KairosDB CVE-2019-19039 (** DISPUTED ** __btrfs_free_extent in fs/btrfs/extent-tree.c in the Li ...) - linux CVE-2019-19038 RESERVED CVE-2019-19037 (ext4_empty_dir in fs/ext4/namei.c in the Linux kernel through 5.3.12 a ...) {DLA-2114-1} - linux 5.4.8-1 [buster] - linux 4.19.98-1 [stretch] - linux 4.9.210-1 [jessie] - linux (Vulnerability introduced later) CVE-2019-19036 (btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel through 5.3.12 ...) - linux CVE-2019-19035 (jhead 3.03 is affected by: heap-based buffer over-read. The impact is: ...) - jhead 1:3.04-1 (unimportant; bug #944961) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1765647 NOTE: Crash in CLI tool, no security impact CVE-2019-19034 (Zoho ManageEngine Asset Explorer 6.5 does not validate the System Cent ...) NOT-FOR-US: Zoho CVE-2019-19033 (Jalios JCMS 10 allows attackers to access any part of the website and ...) NOT-FOR-US: Jalios JCMS CVE-2019-19032 (XMLBlueprint through 16.191112 is affected by XML External Entity Inje ...) NOT-FOR-US: XMLBlueprint CVE-2019-19031 (Easy XML Editor through v1.7.8 is affected by: XML External Entity Inj ...) NOT-FOR-US: Easy XML Editor CVE-2019-19030 RESERVED CVE-2019-19029 (Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allo ...) NOT-FOR-US: Harbor CVE-2019-19028 RESERVED CVE-2019-19027 RESERVED CVE-2019-19026 (Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allo ...) NOT-FOR-US: Harbor CVE-2019-19025 (Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allo ...) NOT-FOR-US: Harbor CVE-2019-19024 RESERVED CVE-2019-19023 (Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 has ...) NOT-FOR-US: Harbor CVE-2019-19022 (iTerm2 through 3.3.6 has potentially insufficient documentation about ...) NOT-FOR-US: iTerm2 CVE-2019-19021 (An issue was discovered in TitanHQ WebTitan before 5.18. It has a hidd ...) NOT-FOR-US: TitanHQ WebTitan CVE-2019-19020 (An issue was discovered in TitanHQ WebTitan before 5.18. In the admini ...) NOT-FOR-US: TitanHQ WebTitan CVE-2019-19019 (An issue was discovered in TitanHQ WebTitan before 5.18. It contains a ...) NOT-FOR-US: TitanHQ WebTitan CVE-2019-19018 (An issue was discovered in TitanHQ WebTitan before 5.18. It exposes a ...) NOT-FOR-US: TitanHQ WebTitan CVE-2019-19017 (An issue was discovered in TitanHQ WebTitan before 5.18. The appliance ...) NOT-FOR-US: TitanHQ WebTitan CVE-2019-19016 (An issue was discovered in TitanHQ WebTitan before 5.18. Some function ...) NOT-FOR-US: TitanHQ WebTitan CVE-2019-19015 (An issue was discovered in TitanHQ WebTitan before 5.18. The proxy ser ...) NOT-FOR-US: TitanHQ WebTitan CVE-2019-19014 (An issue was discovered in TitanHQ WebTitan before 5.18. It has a sudo ...) NOT-FOR-US: TitanHQ WebTitan CVE-2019-19013 (A CSRF vulnerability in Pagekit 1.0.17 allows an attacker to upload an ...) NOT-FOR-US: Pagekit CMS CVE-2019-19012 (An integer overflow in the search_in_range function in regexec.c in On ...) {DLA-2020-1} - libonig 6.9.4-1 (low; bug #944959) [buster] - libonig (Minor issue) [stretch] - libonig (Minor issue) NOTE: https://github.com/kkos/oniguruma/issues/164 NOTE: https://github.com/kkos/oniguruma/commit/0463e21432515631a9bc925ce5eb95b097c73719 NOTE: https://github.com/kkos/oniguruma/commit/778a43dd56925ed58bbe26e3a7bb8202d72c3f3f NOTE: https://github.com/kkos/oniguruma/commit/b6cb7580a7e0c56fc325fe9370b9d34044910aed NOTE: https://github.com/kkos/oniguruma/commit/bfc36d3d8139b8be4d3df630d625c58687b0c7d4 NOTE: https://github.com/kkos/oniguruma/commit/db64ef3189f54917a5008a02bdb000adc514a90a CVE-2019-19011 (MiniUPnP ngiflib 0.4 has a NULL pointer dereference in GifIndexToTrueC ...) NOT-FOR-US: ngiflib CVE-2019-19010 (Eval injection in the Math plugin of Limnoria (before 2019.11.09) and ...) - limnoria 2019.11.09-1 [buster] - limnoria 2019.02.23-1+deb10u1 [stretch] - limnoria 2017.01.10-1+deb9u1 NOTE: https://github.com/ProgVal/Limnoria/commit/3848ae78de45b35c029cc333963d436b9d2f0a35 NOTE: https://github.com/ProgVal/Limnoria/wiki/math-eval-vulnerability CVE-2019-19009 RESERVED CVE-2019-19008 REJECTED CVE-2019-19007 (Intelbras IWR 3000N 1.8.7 devices allow disclosure of the administrato ...) NOT-FOR-US: Intelbras IWR 3000N 1.8.7 devices CVE-2019-19006 (Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197. ...) NOT-FOR-US: FreePBX CVE-2019-19005 RESERVED CVE-2019-19004 RESERVED CVE-2019-19003 (For ABB eSOMS versions 4.0 to 6.0.2, the HTTPOnly flag is not set. Thi ...) NOT-FOR-US: ABB eSOMS CVE-2019-19002 (For ABB eSOMS versions 4.0 to 6.0.2, the X-XSS-Protection HTTP respons ...) NOT-FOR-US: ABB eSOMS CVE-2019-19001 (For ABB eSOMS versions 4.0 to 6.0.2, the X-Frame-Options header is not ...) NOT-FOR-US: ABB eSOMS CVE-2019-19000 (For ABB eSOMS 4.0 to 6.0.3, the Cache-Control and Pragma HTTP header(s ...) NOT-FOR-US: ABB eSOMS CVE-2019-18999 RESERVED CVE-2019-18998 (Insufficient access control in the web interface of ABB Asset Suite ve ...) NOT-FOR-US: ABB Asset Suite CVE-2019-18997 (The HMISimulator component of ABB PB610 Panel Builder 600 uses the rea ...) NOT-FOR-US: ABB PB610 Panel Builder CVE-2019-18996 (Path settings in HMIStudio component of ABB PB610 Panel Builder 600 ve ...) NOT-FOR-US: ABB PB610 Panel Builder CVE-2019-18995 (The HMISimulator component of ABB PB610 Panel Builder 600 versions 2.8 ...) NOT-FOR-US: ABB PB610 Panel Builder CVE-2019-18994 (Due to a lack of file length check, the HMIStudio component of ABB PB6 ...) NOT-FOR-US: ABB PB610 Panel Builder CVE-2019-18993 (OpenWrt 18.06.4 allows XSS via the "New port forward" Name field to th ...) NOT-FOR-US: OpenWrt CVE-2019-18992 (OpenWrt 18.06.4 allows XSS via these Name fields to the cgi-bin/luci/a ...) NOT-FOR-US: OpenWrt CVE-2019-18991 RESERVED CVE-2019-18990 RESERVED CVE-2019-18989 RESERVED CVE-2019-18988 (TeamViewer Desktop through 14.7.1965 allows a bypass of remote-login a ...) NOT-FOR-US: TeamViewer CVE-2019-18987 (An issue was discovered in the AbuseFilter extension through 1.34 for ...) NOT-FOR-US: AbuseFilter MediaWiki extension CVE-2019-18986 (Pimcore before 6.2.2 allow attackers to brute-force (guess) valid user ...) NOT-FOR-US: Pimcore CVE-2019-18985 (Pimcore before 6.2.2 lacks brute force protection for the 2FA token. ...) NOT-FOR-US: Pimcore CVE-2019-18984 RESERVED CVE-2019-18983 RESERVED CVE-2019-18982 (bundles/AdminBundle/Controller/Admin/EmailController.php in Pimcore be ...) NOT-FOR-US: Pimcore CVE-2019-18981 (Pimcore before 6.2.2 lacks an Access Denied outcome for a certain scen ...) NOT-FOR-US: Pimcore CVE-2019-18980 (On Signify Philips Taolight Smart Wi-Fi Wiz Connected LED Bulb 9290022 ...) NOT-FOR-US: Signify Philips Taolight CVE-2019-18979 (Adaware antivirus 12.6.1005.11662 and 12.7.1055.0 has a quarantine fla ...) NOT-FOR-US: Adaware CVE-2019-18978 (An issue was discovered in the rack-cors (aka Rack CORS Middleware) ge ...) {DLA-2096-1} - ruby-rack-cors 1.1.1-1 (bug #944849) NOTE: https://github.com/cyu/rack-cors/commit/e4d4fc362a4315808927011cbe5afcfe5486f17d NOTE: https://github.com/cyu/rack-cors/compare/v1.0.3...v1.0.4 CVE-2019-18977 RESERVED CVE-2019-18976 (An issue was discovered in res_pjsip_t38.c in Sangoma Asterisk through ...) - asterisk 1:16.1.1~dfsg-1 [stretch] - asterisk (Minor issue) [jessie] - asterisk (Vulnerable code not present) NOTE: https://downloads.asterisk.org/pub/security/AST-2019-008.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-28612 NOTE: Only affects 13.x, marking first unstable upload after 13.x as fixed CVE-2019-18975 RESERVED CVE-2019-18974 RESERVED CVE-2019-18973 RESERVED CVE-2019-18972 RESERVED CVE-2019-18971 RESERVED CVE-2019-18970 REJECTED CVE-2019-18969 REJECTED CVE-2019-18968 REJECTED CVE-2019-18967 REJECTED CVE-2019-18966 REJECTED CVE-2019-18965 REJECTED CVE-2019-18964 REJECTED CVE-2019-18963 REJECTED CVE-2019-18962 REJECTED CVE-2019-18961 REJECTED CVE-2019-18960 (Firecracker vsock implementation buffer overflow in versions 0.18.0 an ...) NOT-FOR-US: AWS Firecracker CVE-2019-18959 RESERVED CVE-2019-18958 (Nitro Pro before 13.2 creates a debug.log file in the directory where ...) NOT-FOR-US: Nitro Pro CVE-2019-18957 (Microstrategy Library in MicroStrategy before 2019 before 11.1.3 has r ...) NOT-FOR-US: Microstrategy Library CVE-2019-18956 (Divisa Proxia Suite 9 < 9.12.16, 9.11.19, 9.10.26, 9.9.8, 9.8.43 an ...) NOT-FOR-US: Divisa Proxia Suite CVE-2019-18955 (The web console in Lansweeper 7.2.105.2 has XSS via the URL path. Prod ...) NOT-FOR-US: Lansweeper CVE-2019-18954 (Pomelo v2.2.5 allows external control of critical state data. A malici ...) NOT-FOR-US: Pomelo CVE-2019-18953 RESERVED CVE-2019-18952 (SibSoft Xfilesharing through 2.5.1 allows cgi-bin/up.cgi arbitrary fil ...) NOT-FOR-US: SibSoft Xfilesharing CVE-2019-18951 (SibSoft Xfilesharing through 2.5.1 allows op=page&tmpl=../ directo ...) NOT-FOR-US: SibSoft Xfilesharing CVE-2019-18950 RESERVED CVE-2019-18949 (SnowHaze before 2.6.6 is sometimes too late to honor a per-site JavaSc ...) NOT-FOR-US: SnowHaze CVE-2019-18948 (An issue was found in Arista EOS. Specific malformed ARP packets can i ...) NOT-FOR-US: Arista CVE-2019-18947 RESERVED CVE-2019-18946 RESERVED CVE-2019-18945 RESERVED CVE-2019-18944 RESERVED CVE-2019-18943 RESERVED CVE-2019-18942 RESERVED CVE-2019-18941 RESERVED CVE-2019-18940 RESERVED CVE-2019-18939 (eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the HM-Print AddOn t ...) NOT-FOR-US: eQ-3 Homematic CVE-2019-18938 (eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the E-Mail AddOn thr ...) NOT-FOR-US: eQ-3 Homematic CVE-2019-18937 (eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the Script Parser Ad ...) NOT-FOR-US: eQ-3 Homematic CVE-2019-18936 (UniValue::read() in UniValue before 1.0.5 allow attackers to cause a d ...) - libunivalue 1.1.1-2 (bug #954959) [buster] - libunivalue (Minor issue) [stretch] - libunivalue (Minor issue) NOTE: https://github.com/jgarzik/univalue/commit/07aa635c034f3a2accfe4e20a8148c366bccf5bf NOTE: https://github.com/jgarzik/univalue/pull/58 CVE-2019-18935 (Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .N ...) NOT-FOR-US: Progress Telerik UI for ASP.NET AJAX CVE-2019-18934 (Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec modul ...) - unbound (unimportant) [stretch] - unbound (ipsecmod module introduced later) [jessie] - unbound (ipsecmod module introduced later) NOTE: Debian binary packages not built with --enable-ipsecmod NOTE: https://nlnetlabs.nl/downloads/unbound/CVE-2019-18934.txt CVE-2019-18933 (In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new ...) - zulip-server (bug #800052) CVE-2019-18932 (log.c in Squid Analysis Report Generator (sarg) through 2.3.11 allows ...) - sarg 2.4.0-1 (unimportant; bug #951390) NOTE: https://www.openwall.com/lists/oss-security/2020/01/20/6 NOTE: The sarg-reports as shipped in Debian has already safe use of mktemp for NOTE: use of temporary files and directories. NOTE: Fixed by: https://sourceforge.net/p/sarg/code/ci/8ec6d20be8c0da3c885aba78e63251f2e5080748 NOTE: Neutralised by kernel hardening CVE-2019-18931 (Western Digital My Cloud EX2 Ultra firmware 2.31.195 allows a Buffer O ...) NOT-FOR-US: Western Digital My Cloud EX2 Ultra firmware CVE-2019-18930 (Western Digital My Cloud EX2 Ultra firmware 2.31.183 allows web users ...) NOT-FOR-US: Western Digital My Cloud EX2 Ultra firmware CVE-2019-18929 (Western Digital My Cloud EX2 Ultra firmware 2.31.183 allows web users ...) NOT-FOR-US: Western Digital My Cloud EX2 Ultra firmware CVE-2019-18928 (Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege ...) - cyrus-imapd 3.0.12-1 [buster] - cyrus-imapd 3.0.8-6+deb10u3 [stretch] - cyrus-imapd (Minor issue; can be fixed via point release) NOTE: https://github.com/cyrusimap/cyrus-imapd/commit/e675bf7b0e9c6e160516d274bffaec6f9dccaef7 (cyrus-imapd-3.0.12) NOTE: Fixed in 3.0.12 and 2.5.14 upstream CVE-2019-18927 RESERVED CVE-2019-18926 (Systematic IRIS Standards Management (ISM) v2.1 SP1 89 is vulnerable t ...) NOT-FOR-US: Systematic IRIS Standards Management (ISM) CVE-2019-18925 (Systematic IRIS WebForms 5.4 and its functionalities can be accessed a ...) NOT-FOR-US: Systematic IRIS WebForms CVE-2019-18924 (Systematic IRIS WebForms 5.4 is vulnerable to directory traversal. By ...) NOT-FOR-US: Systematic IRIS WebForms CVE-2019-18923 (Insufficient content type validation of proxied resources in go-camo b ...) NOT-FOR-US: go-camo CVE-2019-18922 (A Directory Traversal in the Web interface of the Allied Telesis AT-GS ...) NOT-FOR-US: Allied Telesis CVE-2019-18921 RESERVED CVE-2019-18920 RESERVED CVE-2019-18919 RESERVED CVE-2019-18918 RESERVED CVE-2019-18917 (A potential security vulnerability has been identified for certain HP ...) NOT-FOR-US: HP CVE-2019-18916 RESERVED CVE-2019-18915 (A potential security vulnerability has been identified with certain ve ...) NOT-FOR-US: HP System Event Utility CVE-2019-18914 RESERVED CVE-2019-18913 (A potential security vulnerability with pre-boot DMA may allow unautho ...) NOT-FOR-US: Generic UEFI hardware/software issue CVE-2019-18912 RESERVED CVE-2019-18911 RESERVED CVE-2019-18910 (The Citrix Receiver wrapper function does not safely handle user suppl ...) NOT-FOR-US: Citrix CVE-2019-18909 (The VPN software within HP ThinPro does not safely handle user supplie ...) NOT-FOR-US: HP ThinPro CVE-2019-18908 RESERVED CVE-2019-18907 RESERVED CVE-2019-18906 RESERVED CVE-2019-18905 (A Insufficient Verification of Data Authenticity vulnerability in auto ...) NOT-FOR-US: autoyast2 CVE-2019-18904 (A Uncontrolled Resource Consumption vulnerability in rmt of SUSE Linux ...) NOT-FOR-US: SAP CVE-2019-18903 (A Use After Free vulnerability in wicked of SUSE Linux Enterprise Serv ...) NOT-FOR-US: openSUSE wicked CVE-2019-18902 (A Use After Free vulnerability in wicked of SUSE Linux Enterprise Serv ...) NOT-FOR-US: openSUSE wicked CVE-2019-18901 (A UNIX Symbolic Link (Symlink) Following vulnerability in the mysql-sy ...) NOT-FOR-US: SuSE-specific mysqld-systemd-helper CVE-2019-18900 (: Incorrect Default Permissions vulnerability in libzypp of SUSE CaaS ...) {DLA-2132-1} - libzypp (bug #953362) [buster] - libzypp (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1158763 NOTE: https://github.com/openSUSE/libzypp/pull/196 NOTE: https://github.com/openSUSE/libzypp/commit/ea50981352bb5c7ab48663edaeb2df1ddd66953e NOTE: https://github.com/openSUSE/libzypp/commit/508b1201f23b44ee90dee6dbbeb3ac5f8bd4c089 CVE-2019-18899 (The apt-cacher-ng package of openSUSE Leap 15.1 runs operations in use ...) - apt-cacher-ng (openSUSE specific systemd service unit configuration) CVE-2019-18898 (UNIX Symbolic Link (Symlink) Following vulnerability in the trousers p ...) NOT-FOR-US: SUSE specific packaging issue in %posttrans section in src:trousers CVE-2019-18897 (A UNIX Symbolic Link (Symlink) Following vulnerability in the packagin ...) - salt (SuSE-specific Salt packaging vulnerability) CVE-2019-18896 RESERVED CVE-2019-18895 (Scanguard through 2019-11-12 on Windows has Insecure Permissions for t ...) NOT-FOR-US: Scanguard CVE-2019-18894 (In Avast Premium Security 19.8.2393, attackers can send a specially cr ...) NOT-FOR-US: Avast Premium Security CVE-2019-18893 (XSS in the Video Downloader component before 1.5 of Avast Secure Brows ...) NOT-FOR-US: Avast Secure Browser CVE-2019-18892 RESERVED CVE-2019-18891 RESERVED CVE-2019-18890 (A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x befor ...) {DSA-4574-1} - redmine 3.4.2-1 NOTE: https://www.redmine.org/news/125 NOTE: https://www.redmine.org/projects/redmine/repository/revisions/16196 NOTE: https://www.redmine.org/issues/32374 NOTE: https://github.com/redmine/redmine/commit/04d4a1a191c46e4595ed455372e86c66cf3f6ed7#diff-72469d98e80a60152ebcfa998306b5ecL581-R584 CVE-2019-18889 (An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through ...) - symfony 4.3.8+dfsg-1 [buster] - symfony 3.4.22+dfsg-2+deb10u1 [stretch] - symfony (Vulnerable code not present) [jessie] - symfony (Vulnerable code not present) NOTE: https://symfony.com/blog/cve-2019-18889-forbid-serializing-abstractadapter-and-tagawareadapter-instances NOTE: https://github.com/symfony/symfony/commit/8817d28fcaacb31fe01d267f6e19b44d8179395a CVE-2019-18888 (An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through ...) {DSA-4573-1 DLA-1999-1} - symfony 4.3.8+dfsg-1 NOTE: https://symfony.com/blog/cve-2019-18888-prevent-argument-injection-in-a-mimetypeguesser NOTE: https://github.com/symfony/symfony/commit/691486e43ce0e4893cd703e221bafc10a871f365 NOTE: https://github.com/symfony/symfony/commit/77ddabf2e785ea85860d2720cc86f7c5d8967ed5 CVE-2019-18887 (An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through ...) {DSA-4573-1 DLA-1999-1} - symfony 4.3.8+dfsg-1 NOTE: https://symfony.com/blog/cve-2019-18887-use-constant-time-comparison-in-urisigner NOTE: https://github.com/symfony/symfony/commit/cccefe6a7f12e776df0665aeb77fe9294c285fbb CVE-2019-18886 (An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. ...) {DLA-1999-1} - symfony 4.3.8+dfsg-1 [buster] - symfony (Vulnerability introduced in 4.1.0) [stretch] - symfony (Vulnerability introduced in 4.1.0) NOTE: https://symfony.com/blog/cve-2019-18886-prevent-user-enumeration-using-switch-user-functionality NOTE: Introduced by: https://github.com/symfony/symfony/commit/6e6ac9eaeec9e6a6cc0ab003cac3738460542b0a (v4.1.0-BETA1) NOTE: Previous versions asserts "the current user is granted to switch" BEFORE NOTE: "loading the user" and thus are not affected. NOTE: Fixed by: https://github.com/symfony/symfony/commit/7bd4a92fc9cc15d9a9fbb9eb1041e01b977f8332 (v4.2.12) CVE-2019-18885 (fs/btrfs/volumes.c in the Linux kernel before 5.1 allows a btrfs_verif ...) - linux 5.2.6-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/09ba3bc9dd150457c506e4661380a6183af651c1 (5.1-rc1) CVE-2019-18884 (index.php/team_members/add_team_member in RISE Ultimate Project Manage ...) NOT-FOR-US: RISE CVE-2019-18883 (XSS exists in Lavalite CMS 5.7 via the admin/profile name or designati ...) NOT-FOR-US: Lavalite CMS CVE-2019-18882 (WSO2 IS as Key Manager 5.7.0 allows stored XSS in download-userinfo.ja ...) NOT-FOR-US: WSO2 IS CVE-2019-18881 (WSO2 IS as Key Manager 5.7.0 allows unauthenticated reflected XSS in t ...) NOT-FOR-US: WSO2 IS CVE-2019-18880 RESERVED CVE-2019-18879 RESERVED CVE-2019-18878 RESERVED CVE-2019-18877 RESERVED CVE-2019-18876 RESERVED CVE-2019-18875 RESERVED CVE-2019-18874 (psutil (aka python-psutil) through 5.6.5 can have a double free. This ...) {DLA-1998-1} - python-psutil 5.6.7-1 (low; bug #944605) [buster] - python-psutil (Minor issue) [stretch] - python-psutil (Minor issue) NOTE: https://github.com/giampaolo/psutil/commit/7d512c8e4442a896d56505be3e78f1156f443465 NOTE: https://github.com/giampaolo/psutil/pull/1616 CVE-2019-18873 (FUDForum 3.0.9 is vulnerable to Stored XSS via the User-Agent HTTP hea ...) NOT-FOR-US: FUDForum CVE-2019-18872 (Weak password requirements in Blaauw Remote Kiln Control through v3.00 ...) NOT-FOR-US: Blaauw Remote Kiln Control CVE-2019-18871 (A path traversal in debug.php accessed via default.php in Blaauw Remot ...) NOT-FOR-US: Blaauw Remote Kiln Control CVE-2019-18870 (A path traversal via the iniFile parameter in excel.php in Blaauw Remo ...) NOT-FOR-US: Blaauw Remote Kiln Control CVE-2019-18869 (Leftover Debug Code in Blaauw Remote Kiln Control through v3.00r4 allo ...) NOT-FOR-US: Blaauw Remote Kiln Control CVE-2019-18868 (Blaauw Remote Kiln Control through v3.00r4 allows an unauthenticated a ...) NOT-FOR-US: Blaauw Remote Kiln Control CVE-2019-18867 (Browsable directories in Blaauw Remote Kiln Control through v3.00r4 al ...) NOT-FOR-US: Blaauw Remote Kiln Control CVE-2019-18866 (Unauthenticated SQL injection via the username in the login mechanism ...) NOT-FOR-US: Blaauw Remote Kiln Control CVE-2019-18865 (Information disclosure via error message discrepancies in authenticati ...) NOT-FOR-US: Blaauw Remote Kiln Control CVE-2019-18864 (/server-info and /server-status in Blaauw Remote Kiln Control through ...) NOT-FOR-US: Blaauw Remote Kiln Control CVE-2019-18863 (A key length vulnerability in the implementation of the SRTP 128-bit k ...) NOT-FOR-US: Mitel CVE-2019-18862 (maidag in GNU Mailutils before 3.8 is installed setuid and allows loca ...) - mailutils 1:3.8-1 (unimportant; bug #944265) NOTE: /usr/sbin/maidat not installed suid root on Debian CVE-2019-18861 RESERVED CVE-2019-18860 (Squid before 4.9, when certain web browsers are used, mishandles HTML ...) - squid 4.9-1 (low) [buster] - squid (Minor issue) - squid3 NOTE: https://github.com/squid-cache/squid/pull/504 NOTE: https://github.com/squid-cache/squid/commit/5cc4b155cee1a4968109737f6eba2ef29d51034d (SQUID_5_0_1) NOTE: https://github.com/squid-cache/squid/commit/5a90b4ce64c346ba7f317a278ba601091d9de076 (SQUID_4_9) CVE-2019-18859 (Digi AnywhereUSB 14 allows XSS via a link for the Digi Page. ...) NOT-FOR-US: Digi AnywhereUSB CVE-2019-18858 (CODESYS 3 web server before 3.5.15.20, as distributed with CODESYS Con ...) NOT-FOR-US: CODESYS 3 web server CVE-2019-18857 (darylldoyle svg-sanitizer before 0.12.0 mishandles script and data val ...) NOT-FOR-US: darylldoyle svg-sanitizer CVE-2019-18856 (A Denial Of Service vulnerability exists in the SVG Sanitizer module t ...) NOT-FOR-US: SVG Sanitizer module for Drupal CVE-2019-18855 (A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG ...) NOT-FOR-US: safe-svg (aka Safe SVG) plugin for WordPress CVE-2019-18854 (A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG ...) NOT-FOR-US: safe-svg (aka Safe SVG) plugin for WordPress CVE-2019-18853 (ImageMagick before 7.0.9-0 allows remote attackers to cause a denial o ...) - imagemagick (Only affects Imagemagick 7.x) NOTE: https://github.com/ImageMagick/ImageMagick/commit/ec9c8944af2bfc65c697ca44f93a727a99b405f1 CVE-2019-18852 (Certain D-Link devices have a hardcoded Alphanetworks user account wit ...) NOT-FOR-US: D-Link CVE-2019-18851 RESERVED CVE-2019-18850 (TrevorC2 v1.1/v1.2 fails to prevent fingerprinting primarily via a dis ...) NOT-FOR-US: TrevorC2 CVE-2019-18849 (In tnef before 1.4.18, an attacker may be able to write to the victim' ...) {DLA-2005-1} - tnef 1.4.18-1 (bug #944851) [buster] - tnef (Minor issue; can be fixed via point release) [stretch] - tnef (Minor issue; can be fixed via point release) NOTE: https://github.com/verdammelt/tnef/pull/40 CVE-2019-18848 (The json-jwt gem before 1.11.0 for Ruby lacks an element count during ...) - ruby-json-jwt 1.11.0-1 (bug #944850) NOTE: https://github.com/nov/json-jwt/commit/ada16e772906efdd035e3df49cb2ae372f0f948a CVE-2019-18847 RESERVED CVE-2019-18846 (OX App Suite through 7.10.2 allows SSRF. ...) NOT-FOR-US: OX App Suite CVE-2019-18845 (The MsIo64.sys and MsIo32.sys drivers in Patriot Viper RGB before 1.1 ...) NOT-FOR-US: Patriot Viper RGB CVE-2019-18844 (The Device Model in ACRN before 2019w25.5-140000p relies on assert cal ...) NOT-FOR-US: ACRN CVE-2019-18843 RESERVED CVE-2019-18842 (A cross-site scripting (XSS) vulnerability in the configuration web in ...) NOT-FOR-US: Jinan USR IOT USR-WIFI232-S/T/G2/H Low Power WiFi Module CVE-2019-18841 (Chartkick.js 3.1.0 through 3.1.3, as used in the Chartkick gem before ...) - chartkick.js (Vulnerability introduced with 3.1.0) NOTE: https://github.com/ankane/chartkick/commit/b810936bbf687bc74c5b6dba72d2397a399885fa CVE-2019-18840 (In wolfSSL 4.1.0 through 4.2.0c, there are missing sanity checks of me ...) - wolfssl 4.2.0+dfsg-3 NOTE: https://github.com/wolfSSL/wolfssl/issues/2555 NOTE: https://github.com/wolfSSL/wolfssl/commit/52f28bd5149360f8e3bf8ca13d3fb9a77283df7c CVE-2019-18839 (FUDForum 3.0.9 is vulnerable to Stored XSS via the nlogin parameter. T ...) NOT-FOR-US: FUDForum CVE-2019-18838 (An issue was discovered in Envoy 1.12.0. Upon receipt of a malformed H ...) NOT-FOR-US: envoy proxy (not the same as itp'ed envoy, #758651) CVE-2019-18837 (An issue was discovered in crun before 0.10.5. With a crafted image, i ...) - crun (Fixed in initial upload) CVE-2019-18836 (Envoy 1.12.0 allows a remote denial of service because of resource loo ...) NOT-FOR-US: envoy proxy (not the same as itp'ed envoy, #758651) CVE-2019-18835 (Matrix Synapse before 1.5.0 mishandles signature checking on some fede ...) - matrix-synapse 1.5.0-1 (bug #944355) NOTE: https://github.com/matrix-org/synapse/pull/6262 NOTE: https://github.com/matrix-org/synapse/releases/tag/v1.5.0 CVE-2019-18834 RESERVED CVE-2019-18833 (Barco ClickShare Button R9861500D01 devices before 1.9.0 allow Informa ...) NOT-FOR-US: Barco ClickShare Button R9861500D01 devices CVE-2019-18832 (Barco ClickShare Button R9861500D01 devices before 1.9.0 have incorrec ...) NOT-FOR-US: Barco ClickShare Button R9861500D01 devices CVE-2019-18831 (Barco ClickShare Button R9861500D01 devices before 1.9.0 allow Informa ...) NOT-FOR-US: Barco ClickShare Button R9861500D01 devices CVE-2019-18830 (Barco ClickShare Button R9861500D01 devices before 1.9.0 allow OS Comm ...) NOT-FOR-US: Barco ClickShare Button R9861500D01 devices CVE-2019-18829 (Barco ClickShare Button R9861500D01 devices before 1.9.0 have Missing ...) NOT-FOR-US: Barco ClickShare Button R9861500D01 devices CVE-2019-18828 (Barco ClickShare Button R9861500D01 devices before 1.9.0 have Insuffic ...) NOT-FOR-US: Barco ClickShare Button R9861500D01 devices CVE-2019-18827 (On Barco ClickShare Button R9861500D01 devices (before firmware versio ...) NOT-FOR-US: Barco ClickShare Button R9861500D01 devices CVE-2019-18826 (Barco ClickShare Button R9861500D01 devices before 1.9.0 have Improper ...) NOT-FOR-US: Barco ClickShare Button R9861500D01 devices CVE-2019-18825 (Barco ClickShare Huddle CS-100 devices before 1.9.0 and CSE-200 device ...) NOT-FOR-US: Barco ClickShare Huddle devices CVE-2019-18824 (Barco ClickShare Button R9861500D01 devices before 1.9.0 have Missing ...) NOT-FOR-US: Barco ClickShare Button R9861500D01 devices CVE-2019-18823 (HTCondor up to and including stable series 8.8.6 and development serie ...) - condor (bug #963777) NOTE: https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0001.html NOTE: https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0002.html NOTE: https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0003.html NOTE: https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html NOTE: https://github.com/htcondor/htcondor/commit/95eaee86e7ad3852c17df46a1b8b193dabd1fd14 NOTE: https://github.com/htcondor/htcondor/commit/07e33c8b14aa00e04d045d4d79c963db082a3129 NOTE: https://github.com/htcondor/htcondor/commit/cbcb93695a932d511c1c7bd40aed1eabeff01d8d NOTE: https://github.com/htcondor/htcondor/commit/3916209123a8ef762b7a9cd84ca0cf8b2cd99716 NOTE: https://github.com/htcondor/htcondor/commit/5c84c6f0b3db4eda1eec42c2c708069bb9393f0b CVE-2019-18822 (A privilege escalation vulnerability in ZOOM Call Recording 6.3.1 allo ...) NOT-FOR-US: ZOOM Call Recording CVE-2019-18821 (Eximious Logo Designer 3.82 has a User Mode Write AV starting at ExiCu ...) NOT-FOR-US: Eximious Logo Designer CVE-2019-18820 (Eximious Logo Designer 3.82 has Heap Corruption starting at ntdll!Rtlp ...) NOT-FOR-US: Eximious Logo Designer CVE-2019-18819 (Eximious Logo Designer 3.82 has a User Mode Write AV starting at ExiVe ...) NOT-FOR-US: Eximious Logo Designer CVE-2019-18818 (strapi before 3.0.0-beta.17.5 mishandles password resets within packag ...) NOT-FOR-US: strapi CMS CVE-2019-18817 (Istio 1.3.x before 1.3.5 allows Denial of Service because continue_on_ ...) NOT-FOR-US: Istio CVE-2019-18816 (po-admin/route.php?mod=post&act=edit in PopojiCMS 2.0.1 allows pos ...) NOT-FOR-US: PopojiCMS CVE-2019-18815 (PopojiCMS 2.0.1 allows refer= Open Redirection. ...) NOT-FOR-US: PopojiCMS CVE-2019-18814 (An issue was discovered in the Linux kernel through 5.3.9. There is a ...) - linux [stretch] - linux (Vulnerability introduced later) [jessie] - linux (Vulnerability introduced later) NOTE: https://lore.kernel.org/patchwork/patch/1142523/ CVE-2019-18813 (A memory leak in the dwc3_pci_probe() function in drivers/usb/dwc3/dwc ...) - linux 5.3.15-1 (unimportant) [buster] - linux 4.19.87-1 [stretch] - linux (Bug introduced later) [jessie] - linux (Bug introduced later) NOTE: https://git.kernel.org/linus/9bbfceea12a8f145097a27d7c7267af25893c060 NOTE: No security impact since the issue is on the probe path. CVE-2019-18812 (A memory leak in the sof_dfsentry_write() function in sound/soc/sof/de ...) - linux 5.4.6-1 (unimportant) [buster] - linux (Vulnerable code not present) [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: Function only exposed through debugfs CVE-2019-18811 (A memory leak in the sof_set_get_large_ctrl_data() function in sound/s ...) - linux 5.3.15-1 [buster] - linux (Vulnerability introduced later) [stretch] - linux (Vulnerability introduced later) [jessie] - linux (Vulnerability introduced later) CVE-2019-18810 (A memory leak in the komeda_wb_connector_add() function in drivers/gpu ...) - linux 5.3.9-1 (unimportant) [buster] - linux (Bug introduced later) [stretch] - linux (Bug introduced later) [jessie] - linux (Bug introduced later) NOTE: https://git.kernel.org/linus/a0ecd6fdbf5d648123a7315c695fb6850d702835 NOTE: CONFIG_DRM_KOMEDA not enabled in Debian builds. CVE-2019-18809 (A memory leak in the af9005_identify_state() function in drivers/media ...) {DLA-2114-1} - linux 5.4.13-1 [buster] - linux 4.19.98-1 [stretch] - linux 4.9.210-1 [jessie] - linux (Bug introduced later) CVE-2019-18808 (A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ ...) - linux (unimportant) NOTE: Not a valid issue CVE-2019-18807 (Two memory leaks in the sja1105_static_config_upload() function in dri ...) - linux 5.3.7-1 [buster] - linux (Vulnerable code not present) [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/68501df92d116b760777a2cfda314789f926476f CVE-2019-18806 (A memory leak in the ql_alloc_large_buffers() function in drivers/net/ ...) - linux 5.3.7-1 (unimportant) [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 [jessie] - linux 3.16.81-1 NOTE: https://git.kernel.org/linus/1acb8f2a7a9f10543868ddd737e37424d5c36cf4 CVE-2019-18805 (An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Linux ker ...) - linux 5.2.6-1 [buster] - linux 4.19.67-1 [stretch] - linux 4.9.184-1 [jessie] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/19fad20d15a6494f47f85d869f00b11343ee5c78 CVE-2019-18804 (DjVuLibre 3.5.27 has a NULL pointer dereference in the function DJVU:: ...) {DLA-1985-1} - djvulibre 3.5.27.1-14 (bug #945114) [buster] - djvulibre (Minor issue) [stretch] - djvulibre (Minor issue) NOTE: https://sourceforge.net/p/djvu/bugs/309/ NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/c8bec6549c10ffaa2f2fbad8bbc629efdf0dd125/ CVE-2019-18803 RESERVED CVE-2019-18802 (An issue was discovered in Envoy 1.12.0. An untrusted remote client ma ...) NOT-FOR-US: envoy proxy (not the same as itp'ed envoy, #758651) CVE-2019-18801 (An issue was discovered in Envoy 1.12.0. An untrusted remote client ma ...) NOT-FOR-US: envoy proxy (not the same as itp'ed envoy, #758651) CVE-2019-18800 (Viber through 11.7.0.5 allows a remote attacker who can capture a vict ...) NOT-FOR-US: Viber CVE-2019-18799 (LibSass before 3.6.3 allows a NULL pointer dereference in Sass::Parser ...) - libsass (low) [buster] - libsass (Minor issue) [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/3001 CVE-2019-18798 (LibSass before 3.6.3 allows a heap-based buffer over-read in Sass::wea ...) - libsass (low) [buster] - libsass (Minor issue) [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/2999 CVE-2019-18797 (LibSass 3.6.1 has uncontrolled recursion in Sass::Eval::operator()(Sas ...) - libsass (low) [buster] - libsass (Minor issue) [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/3000 CVE-2019-18796 RESERVED CVE-2019-18795 RESERVED CVE-2019-18794 RESERVED CVE-2019-18793 (Parallels Plesk Panel 9.5 allows XSS in target/locales/tr-TR/help/inde ...) NOT-FOR-US: Parallels Plesk Panel CVE-2017-18639 (Progress Sitefinity CMS before 10.1 allows XSS via /Pages Parameter : ...) NOT-FOR-US: Progress Sitefinity CMS CVE-2019-18792 (An issue was discovered in Suricata 5.0.0. It is possible to bypass/ev ...) {DLA-2087-1} [experimental] - suricata 1:5.0.1-1~exp1 - suricata 1:5.0.2-1 [buster] - suricata (Minor issue) [stretch] - suricata (Minor issue) NOTE: https://github.com/OISF/suricata/commit/1c63d3905852f746ccde7e2585600b2199cefb4b (master-4.1.x) NOTE: https://github.com/OISF/suricata/commit/fa692df37a796c3330c81988d15ef1a219afc006 (suricata-5.0.1) NOTE: https://redmine.openinfosecfoundation.org/issues/3324 NOTE: https://redmine.openinfosecfoundation.org/issues/3394 CVE-2019-18791 (Lexmark printer MS812 and multiple older generation Lexmark devices ha ...) NOT-FOR-US: Lexmark CVE-2019-18790 (An issue was discovered in channels/chan_sip.c in Sangoma Asterisk 13. ...) {DLA-2017-1} - asterisk 1:16.10.0~dfsg-1 (bug #947381) [buster] - asterisk (Minor issue) [stretch] - asterisk (Minor issue) NOTE: https://downloads.asterisk.org/pub/security/AST-2019-006.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-28589 CVE-2019-18789 RESERVED CVE-2019-18788 RESERVED CVE-2019-18787 RESERVED CVE-2019-18785 (SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 mishandles ...) NOT-FOR-US: SuiteCRM CVE-2019-18784 (SuiteCRM 7.10.x versions prior to 7.10.21 and 7.11.x versions prior to ...) NOT-FOR-US: SuiteCRM CVE-2019-18783 RESERVED CVE-2019-18782 (SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 does not c ...) NOT-FOR-US: SuiteCRM CVE-2019-18781 (An open redirect vulnerability was discovered in Zoho ManageEngine ADS ...) NOT-FOR-US: Zoho ManageEngine ADSelfService Plus CVE-2019-18786 (In the Linux kernel through 5.3.8, f->fmt.sdr.reserved is uninitial ...) - linux 5.4.8-1 [buster] - linux 4.19.98-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://patchwork.linuxtv.org/patch/59542/ CVE-2019-18780 (An arbitrary command injection vulnerability in the Cluster Server com ...) NOT-FOR-US: Veritas InfoScale CVE-2020-1689 RESERVED CVE-2020-1688 RESERVED CVE-2020-1687 RESERVED CVE-2020-1686 RESERVED CVE-2020-1685 RESERVED CVE-2020-1684 RESERVED CVE-2020-1683 RESERVED CVE-2020-1682 RESERVED CVE-2020-1681 RESERVED CVE-2020-1680 RESERVED CVE-2020-1679 RESERVED CVE-2020-1678 RESERVED CVE-2020-1677 RESERVED CVE-2020-1676 RESERVED CVE-2020-1675 RESERVED CVE-2020-1674 RESERVED CVE-2020-1673 RESERVED CVE-2020-1672 RESERVED CVE-2020-1671 RESERVED CVE-2020-1670 RESERVED CVE-2020-1669 RESERVED CVE-2020-1668 RESERVED CVE-2020-1667 RESERVED CVE-2020-1666 RESERVED CVE-2020-1665 RESERVED CVE-2020-1664 RESERVED CVE-2020-1663 RESERVED CVE-2020-1662 RESERVED CVE-2020-1661 RESERVED CVE-2020-1660 RESERVED CVE-2020-1659 RESERVED CVE-2020-1658 RESERVED CVE-2020-1657 RESERVED CVE-2020-1656 RESERVED CVE-2020-1655 RESERVED CVE-2020-1654 RESERVED CVE-2020-1653 RESERVED CVE-2020-1652 RESERVED CVE-2020-1651 RESERVED CVE-2020-1650 RESERVED CVE-2020-1649 RESERVED CVE-2020-1648 RESERVED CVE-2020-1647 RESERVED CVE-2020-1646 RESERVED CVE-2020-1645 RESERVED CVE-2020-1644 RESERVED CVE-2020-1643 RESERVED CVE-2020-1642 RESERVED CVE-2020-1641 RESERVED CVE-2020-1640 RESERVED CVE-2020-1639 (When an attacker sends a specific crafted Ethernet Operation, Administ ...) NOT-FOR-US: Juniper CVE-2020-1638 (The FPC (Flexible PIC Concentrator) of Juniper Networks Junos OS and J ...) NOT-FOR-US: Juniper CVE-2020-1637 (A vulnerability in Juniper Networks SRX Series device configured as a ...) NOT-FOR-US: Juniper CVE-2020-1636 RESERVED CVE-2020-1635 RESERVED CVE-2020-1634 (On High-End SRX Series devices, in specific configurations and when sp ...) NOT-FOR-US: Juniper CVE-2020-1633 (Due to a new NDP proxy feature for EVPN leaf nodes introduced in Junos ...) NOT-FOR-US: Juniper CVE-2020-1632 (In a certain condition, receipt of a specific BGP UPDATE message might ...) NOT-FOR-US: Juniper CVE-2020-1631 (A vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentic ...) NOT-FOR-US: Juniper CVE-2020-1630 (A privilege escalation vulnerability in Juniper Networks Junos OS devi ...) NOT-FOR-US: Juniper CVE-2020-1629 (A race condition vulnerability on Juniper Network Junos OS devices may ...) NOT-FOR-US: Juniper CVE-2020-1628 (Juniper Networks Junos OS uses the 128.0.0.0/2 subnet for internal com ...) NOT-FOR-US: Juniper CVE-2020-1627 (A vulnerability in Juniper Networks Junos OS on vMX and MX150 devices ...) NOT-FOR-US: Juniper CVE-2020-1626 (A vulnerability in Juniper Networks Junos OS Evolved may allow an atta ...) NOT-FOR-US: Juniper CVE-2020-1625 (The kernel memory usage represented as "temp" via 'show system virtual ...) NOT-FOR-US: Juniper CVE-2020-1624 (A local, authenticated user with shell can obtain the hashed values of ...) NOT-FOR-US: Juniper CVE-2020-1623 (A local, authenticated user with shell can view sensitive configuratio ...) NOT-FOR-US: Juniper CVE-2020-1622 (A local, authenticated user with shell can obtain the hashed values of ...) NOT-FOR-US: Juniper CVE-2020-1621 (A local, authenticated user with shell can obtain the hashed values of ...) NOT-FOR-US: Juniper CVE-2020-1620 (A local, authenticated user with shell can obtain the hashed values of ...) NOT-FOR-US: Juniper CVE-2020-1619 (A privilege escalation vulnerability in Juniper Networks QFX10K Series ...) NOT-FOR-US: Juniper CVE-2020-1618 (On Juniper Networks EX and QFX Series, an authentication bypass vulner ...) NOT-FOR-US: Juniper CVE-2020-1617 (This issue occurs on Juniper Networks Junos OS devices which do not su ...) NOT-FOR-US: Juniper CVE-2020-1616 (Due to insufficient server-side login attempt limit enforcement, a vul ...) NOT-FOR-US: Juniper CVE-2020-1615 (The factory configuration for vMX installations, as shipped, includes ...) NOT-FOR-US: Juniper CVE-2020-1614 (A Use of Hard-coded Credentials vulnerability exists in the NFX250 Ser ...) NOT-FOR-US: Juniper CVE-2020-1613 (A vulnerability in the BGP FlowSpec implementation may cause a Juniper ...) NOT-FOR-US: Juniper CVE-2020-1612 RESERVED CVE-2020-1611 (A Local File Inclusion vulnerability in Juniper Networks Junos Space a ...) NOT-FOR-US: Juniper CVE-2020-1610 RESERVED CVE-2020-1609 (When a device using Juniper Network's Dynamic Host Configuration Proto ...) NOT-FOR-US: Juniper CVE-2020-1608 (Receipt of a specific MPLS or IPv6 packet on the core facing interface ...) NOT-FOR-US: Juniper CVE-2020-1607 (Insufficient Cross-Site Scripting (XSS) protection in J-Web may potent ...) NOT-FOR-US: Juniper CVE-2020-1606 (A path traversal vulnerability in the Juniper Networks Junos OS device ...) NOT-FOR-US: Juniper CVE-2020-1605 (When a device using Juniper Network's Dynamic Host Configuration Proto ...) NOT-FOR-US: Juniper CVE-2020-1604 (On EX4300, EX4600, QFX3500, and QFX5100 Series, a vulnerability in the ...) NOT-FOR-US: Juniper CVE-2020-1603 (Specific IPv6 packets sent by clients processed by the Routing Engine ...) NOT-FOR-US: Juniper CVE-2020-1602 (When a device using Juniper Network's Dynamic Host Configuration Proto ...) NOT-FOR-US: Juniper CVE-2020-1601 (Certain types of malformed Path Computation Element Protocol (PCEP) pa ...) NOT-FOR-US: Juniper CVE-2020-1600 (In a Point-to-Multipoint (P2MP) Label Switched Path (LSP) scenario, an ...) NOT-FOR-US: Juniper CVE-2020-1599 RESERVED CVE-2020-1598 RESERVED CVE-2020-1597 RESERVED CVE-2020-1596 RESERVED CVE-2020-1595 RESERVED CVE-2020-1594 RESERVED CVE-2020-1593 RESERVED CVE-2020-1592 RESERVED CVE-2020-1591 RESERVED CVE-2020-1590 RESERVED CVE-2020-1589 RESERVED CVE-2020-1588 RESERVED CVE-2020-1587 RESERVED CVE-2020-1586 RESERVED CVE-2020-1585 RESERVED CVE-2020-1584 RESERVED CVE-2020-1583 RESERVED CVE-2020-1582 RESERVED CVE-2020-1581 RESERVED CVE-2020-1580 RESERVED CVE-2020-1579 RESERVED CVE-2020-1578 RESERVED CVE-2020-1577 RESERVED CVE-2020-1576 RESERVED CVE-2020-1575 RESERVED CVE-2020-1574 RESERVED CVE-2020-1573 RESERVED CVE-2020-1572 RESERVED CVE-2020-1571 RESERVED CVE-2020-1570 RESERVED CVE-2020-1569 RESERVED CVE-2020-1568 RESERVED CVE-2020-1567 RESERVED CVE-2020-1566 RESERVED CVE-2020-1565 RESERVED CVE-2020-1564 RESERVED CVE-2020-1563 RESERVED CVE-2020-1562 RESERVED CVE-2020-1561 RESERVED CVE-2020-1560 RESERVED CVE-2020-1559 RESERVED CVE-2020-1558 RESERVED CVE-2020-1557 RESERVED CVE-2020-1556 RESERVED CVE-2020-1555 RESERVED CVE-2020-1554 RESERVED CVE-2020-1553 RESERVED CVE-2020-1552 RESERVED CVE-2020-1551 RESERVED CVE-2020-1550 RESERVED CVE-2020-1549 RESERVED CVE-2020-1548 RESERVED CVE-2020-1547 RESERVED CVE-2020-1546 RESERVED CVE-2020-1545 RESERVED CVE-2020-1544 RESERVED CVE-2020-1543 RESERVED CVE-2020-1542 RESERVED CVE-2020-1541 RESERVED CVE-2020-1540 RESERVED CVE-2020-1539 RESERVED CVE-2020-1538 RESERVED CVE-2020-1537 RESERVED CVE-2020-1536 RESERVED CVE-2020-1535 RESERVED CVE-2020-1534 RESERVED CVE-2020-1533 RESERVED CVE-2020-1532 RESERVED CVE-2020-1531 RESERVED CVE-2020-1530 RESERVED CVE-2020-1529 RESERVED CVE-2020-1528 RESERVED CVE-2020-1527 RESERVED CVE-2020-1526 RESERVED CVE-2020-1525 RESERVED CVE-2020-1524 RESERVED CVE-2020-1523 RESERVED CVE-2020-1522 RESERVED CVE-2020-1521 RESERVED CVE-2020-1520 RESERVED CVE-2020-1519 RESERVED CVE-2020-1518 RESERVED CVE-2020-1517 RESERVED CVE-2020-1516 RESERVED CVE-2020-1515 RESERVED CVE-2020-1514 RESERVED CVE-2020-1513 RESERVED CVE-2020-1512 RESERVED CVE-2020-1511 RESERVED CVE-2020-1510 RESERVED CVE-2020-1509 RESERVED CVE-2020-1508 RESERVED CVE-2020-1507 RESERVED CVE-2020-1506 RESERVED CVE-2020-1505 RESERVED CVE-2020-1504 RESERVED CVE-2020-1503 RESERVED CVE-2020-1502 RESERVED CVE-2020-1501 RESERVED CVE-2020-1500 RESERVED CVE-2020-1499 RESERVED CVE-2020-1498 RESERVED CVE-2020-1497 RESERVED CVE-2020-1496 RESERVED CVE-2020-1495 RESERVED CVE-2020-1494 RESERVED CVE-2020-1493 RESERVED CVE-2020-1492 RESERVED CVE-2020-1491 RESERVED CVE-2020-1490 RESERVED CVE-2020-1489 RESERVED CVE-2020-1488 RESERVED CVE-2020-1487 RESERVED CVE-2020-1486 RESERVED CVE-2020-1485 RESERVED CVE-2020-1484 RESERVED CVE-2020-1483 RESERVED CVE-2020-1482 RESERVED CVE-2020-1481 RESERVED CVE-2020-1480 RESERVED CVE-2020-1479 RESERVED CVE-2020-1478 RESERVED CVE-2020-1477 RESERVED CVE-2020-1476 RESERVED CVE-2020-1475 RESERVED CVE-2020-1474 RESERVED CVE-2020-1473 RESERVED CVE-2020-1472 RESERVED CVE-2020-1471 RESERVED CVE-2020-1470 RESERVED CVE-2020-1469 RESERVED CVE-2020-1468 RESERVED CVE-2020-1467 RESERVED CVE-2020-1466 RESERVED CVE-2020-1465 RESERVED CVE-2020-1464 RESERVED CVE-2020-1463 RESERVED CVE-2020-1462 RESERVED CVE-2020-1461 RESERVED CVE-2020-1460 RESERVED CVE-2020-1459 RESERVED CVE-2020-1458 RESERVED CVE-2020-1457 RESERVED CVE-2020-1456 RESERVED CVE-2020-1455 RESERVED CVE-2020-1454 RESERVED CVE-2020-1453 RESERVED CVE-2020-1452 RESERVED CVE-2020-1451 RESERVED CVE-2020-1450 RESERVED CVE-2020-1449 RESERVED CVE-2020-1448 RESERVED CVE-2020-1447 RESERVED CVE-2020-1446 RESERVED CVE-2020-1445 RESERVED CVE-2020-1444 RESERVED CVE-2020-1443 RESERVED CVE-2020-1442 RESERVED CVE-2020-1441 RESERVED CVE-2020-1440 RESERVED CVE-2020-1439 RESERVED CVE-2020-1438 RESERVED CVE-2020-1437 RESERVED CVE-2020-1436 RESERVED CVE-2020-1435 RESERVED CVE-2020-1434 RESERVED CVE-2020-1433 RESERVED CVE-2020-1432 RESERVED CVE-2020-1431 RESERVED CVE-2020-1430 RESERVED CVE-2020-1429 RESERVED CVE-2020-1428 RESERVED CVE-2020-1427 RESERVED CVE-2020-1426 RESERVED CVE-2020-1425 RESERVED CVE-2020-1424 RESERVED CVE-2020-1423 RESERVED CVE-2020-1422 RESERVED CVE-2020-1421 RESERVED CVE-2020-1420 RESERVED CVE-2020-1419 RESERVED CVE-2020-1418 RESERVED CVE-2020-1417 RESERVED CVE-2020-1416 RESERVED CVE-2020-1415 RESERVED CVE-2020-1414 RESERVED CVE-2020-1413 RESERVED CVE-2020-1412 RESERVED CVE-2020-1411 RESERVED CVE-2020-1410 RESERVED CVE-2020-1409 RESERVED CVE-2020-1408 RESERVED CVE-2020-1407 RESERVED CVE-2020-1406 RESERVED CVE-2020-1405 RESERVED CVE-2020-1404 RESERVED CVE-2020-1403 RESERVED CVE-2020-1402 RESERVED CVE-2020-1401 RESERVED CVE-2020-1400 RESERVED CVE-2020-1399 RESERVED CVE-2020-1398 RESERVED CVE-2020-1397 RESERVED CVE-2020-1396 RESERVED CVE-2020-1395 RESERVED CVE-2020-1394 RESERVED CVE-2020-1393 RESERVED CVE-2020-1392 RESERVED CVE-2020-1391 RESERVED CVE-2020-1390 RESERVED CVE-2020-1389 RESERVED CVE-2020-1388 RESERVED CVE-2020-1387 RESERVED CVE-2020-1386 RESERVED CVE-2020-1385 RESERVED CVE-2020-1384 RESERVED CVE-2020-1383 RESERVED CVE-2020-1382 RESERVED CVE-2020-1381 RESERVED CVE-2020-1380 RESERVED CVE-2020-1379 RESERVED CVE-2020-1378 RESERVED CVE-2020-1377 RESERVED CVE-2020-1376 RESERVED CVE-2020-1375 RESERVED CVE-2020-1374 RESERVED CVE-2020-1373 RESERVED CVE-2020-1372 RESERVED CVE-2020-1371 RESERVED CVE-2020-1370 RESERVED CVE-2020-1369 RESERVED CVE-2020-1368 RESERVED CVE-2020-1367 RESERVED CVE-2020-1366 RESERVED CVE-2020-1365 RESERVED CVE-2020-1364 RESERVED CVE-2020-1363 RESERVED CVE-2020-1362 RESERVED CVE-2020-1361 RESERVED CVE-2020-1360 RESERVED CVE-2020-1359 RESERVED CVE-2020-1358 RESERVED CVE-2020-1357 RESERVED CVE-2020-1356 RESERVED CVE-2020-1355 RESERVED CVE-2020-1354 RESERVED CVE-2020-1353 RESERVED CVE-2020-1352 RESERVED CVE-2020-1351 RESERVED CVE-2020-1350 RESERVED CVE-2020-1349 RESERVED CVE-2020-1348 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2020-1347 RESERVED CVE-2020-1346 RESERVED CVE-2020-1345 RESERVED CVE-2020-1344 RESERVED CVE-2020-1343 (An information disclosure vulnerability exists in Visual Studio Code L ...) NOT-FOR-US: Microsoft CVE-2020-1342 RESERVED CVE-2020-1341 RESERVED CVE-2020-1340 (A spoofing vulnerability exists when the NuGetGallery does not properl ...) NOT-FOR-US: Microsoft CVE-2020-1339 RESERVED CVE-2020-1338 RESERVED CVE-2020-1337 RESERVED CVE-2020-1336 RESERVED CVE-2020-1335 RESERVED CVE-2020-1334 (An elevation of privilege vulnerability exists when the Windows Runtim ...) NOT-FOR-US: Microsoft CVE-2020-1333 RESERVED CVE-2020-1332 RESERVED CVE-2020-1331 (A spoofing vulnerability exists when System Center Operations Manager ...) NOT-FOR-US: Microsoft CVE-2020-1330 RESERVED CVE-2020-1329 (A spoofing vulnerability exists when Microsoft Bing Search for Android ...) NOT-FOR-US: Microsoft CVE-2020-1328 RESERVED CVE-2020-1327 (A spoofing vulnerability exists in Microsoft Azure DevOps Server when ...) NOT-FOR-US: Microsoft CVE-2020-1326 RESERVED CVE-2020-1325 RESERVED CVE-2020-1324 (An elevation of privilege (user to user) vulnerability exists in Windo ...) NOT-FOR-US: Microsoft CVE-2020-1323 (An open redirect vulnerability exists in Microsoft SharePoint that cou ...) NOT-FOR-US: Microsoft CVE-2020-1322 (An information disclosure vulnerability exists when Microsoft Project ...) NOT-FOR-US: Microsoft CVE-2020-1321 (A remote code execution vulnerability exists in Microsoft Office softw ...) NOT-FOR-US: Microsoft CVE-2020-1320 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2020-1319 RESERVED CVE-2020-1318 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2020-1317 (An elevation of privilege vulnerability exists when Group Policy impro ...) NOT-FOR-US: Microsoft CVE-2020-1316 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2020-1315 (An information disclosure vulnerability exists when Internet Explorer ...) NOT-FOR-US: Microsoft CVE-2020-1314 (An elevation of privilege vulnerability exists in Windows Text Service ...) NOT-FOR-US: Microsoft CVE-2020-1313 (An elevation of privilege vulnerability exists when the Windows Update ...) NOT-FOR-US: Microsoft CVE-2020-1312 (An elevation of privilege vulnerability exists in Windows Installer be ...) NOT-FOR-US: Microsoft CVE-2020-1311 (An elevation of privilege vulnerability exists when Component Object M ...) NOT-FOR-US: Microsoft CVE-2020-1310 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2020-1309 (An elevation of privilege vulnerability exists when the Microsoft Stor ...) NOT-FOR-US: Microsoft CVE-2020-1308 RESERVED CVE-2020-1307 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2020-1306 (An elevation of privilege vulnerability exists when the Windows Runtim ...) NOT-FOR-US: Microsoft CVE-2020-1305 (An elevation of privilege vulnerability exists when the Windows State ...) NOT-FOR-US: Microsoft CVE-2020-1304 (An elevation of privilege vulnerability exists when the Windows Runtim ...) NOT-FOR-US: Microsoft CVE-2020-1303 RESERVED CVE-2020-1302 (An elevation of privilege vulnerability exists in Windows Installer be ...) NOT-FOR-US: Microsoft CVE-2020-1301 (A remote code execution vulnerability exists in the way that the Micro ...) NOT-FOR-US: Microsoft CVE-2020-1300 (A remote code execution vulnerability exists when Microsoft Windows fa ...) NOT-FOR-US: Microsoft CVE-2020-1299 (A remote code execution vulnerability exists in Microsoft Windows that ...) NOT-FOR-US: Microsoft CVE-2020-1298 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2020-1297 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2020-1296 (A vulnerability exists in the way the Windows Diagnostics &amp; fe ...) NOT-FOR-US: Microsoft CVE-2020-1295 (An elevation of privilege vulnerability exists in Microsoft SharePoint ...) NOT-FOR-US: Microsoft CVE-2020-1294 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-1293 (An elevation of privilege vulnerability exists when the Diagnostics Hu ...) NOT-FOR-US: Microsoft CVE-2020-1292 (An elevation of privilege vulnerability exists in OpenSSH for Windows ...) NOT-FOR-US: Microsoft CVE-2020-1291 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-1290 (An information disclosure vulnerability exists when the win32k compone ...) NOT-FOR-US: Microsoft CVE-2020-1289 (A spoofing vulnerability exists when Microsoft SharePoint Server does ...) NOT-FOR-US: Microsoft CVE-2020-1288 RESERVED CVE-2020-1287 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-1286 (A remote code execution vulnerability exists when the Windows Shell do ...) NOT-FOR-US: Microsoft CVE-2020-1285 RESERVED CVE-2020-1284 (A denial of service vulnerability exists in the way that the Microsoft ...) NOT-FOR-US: Microsoft CVE-2020-1283 (A denial of service vulnerability exists when Windows improperly handl ...) NOT-FOR-US: Microsoft CVE-2020-1282 (An elevation of privilege vulnerability exists when the Windows Runtim ...) NOT-FOR-US: Microsoft CVE-2020-1281 (A remote code execution vulnerability exists when Microsoft Windows OL ...) NOT-FOR-US: Microsoft CVE-2020-1280 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-1279 (An elevation of privilege vulnerability exists when Windows Lockscreen ...) NOT-FOR-US: Microsoft CVE-2020-1278 (An elevation of privilege vulnerability exists when the Diagnostics Hu ...) NOT-FOR-US: Microsoft CVE-2020-1277 (An elevation of privilege vulnerability exists in Windows Installer be ...) NOT-FOR-US: Microsoft CVE-2020-1276 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2020-1275 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2020-1274 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2020-1273 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2020-1272 (An elevation of privilege vulnerability exists in the Windows Installe ...) NOT-FOR-US: Microsoft CVE-2020-1271 (An elevation of privilege vulnerability exists when the Windows Backup ...) NOT-FOR-US: Microsoft CVE-2020-1270 (An elevation of privilege vulnerability exists in the way that the wla ...) NOT-FOR-US: Microsoft CVE-2020-1269 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2020-1268 (An information disclosure vulnerability exists when a Windows service ...) NOT-FOR-US: Microsoft CVE-2020-1267 RESERVED CVE-2020-1266 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2020-1265 (An elevation of privilege vulnerability exists when the Windows Runtim ...) NOT-FOR-US: Microsoft CVE-2020-1264 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2020-1263 (An information disclosure vulnerability exists in the way Windows Erro ...) NOT-FOR-US: Microsoft CVE-2020-1262 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2020-1261 (An information disclosure vulnerability exists in the way Windows Erro ...) NOT-FOR-US: Microsoft CVE-2020-1260 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2020-1259 (A security feature bypass vulnerability exists when Windows Host Guard ...) NOT-FOR-US: Microsoft CVE-2020-1258 (An elevation of privilege vulnerability exists when DirectX improperly ...) NOT-FOR-US: Microsoft CVE-2020-1257 (An elevation of privilege vulnerability exists when the Diagnostics Hu ...) NOT-FOR-US: Microsoft CVE-2020-1256 RESERVED CVE-2020-1255 (An elevation of privilege vulnerability exists when the Windows Backgr ...) NOT-FOR-US: Microsoft CVE-2020-1254 (An elevation of privilege vulnerability exists when Windows Modules In ...) NOT-FOR-US: Microsoft CVE-2020-1253 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2020-1252 RESERVED CVE-2020-1251 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2020-1250 RESERVED CVE-2020-1249 RESERVED CVE-2020-1248 (A remote code execution vulnerability exists in the way that the Windo ...) NOT-FOR-US: Microsoft CVE-2020-1247 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2020-1246 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2020-1245 RESERVED CVE-2020-1244 (A denial of service vulnerability exists when Connected User Experienc ...) NOT-FOR-US: Microsoft CVE-2020-1243 RESERVED CVE-2020-1242 (An information disclosure vulnerability exists in the way that Microso ...) NOT-FOR-US: Microsoft CVE-2020-1241 (A security feature bypass vulnerability exists when Windows Kernel fai ...) NOT-FOR-US: Microsoft CVE-2020-1240 RESERVED CVE-2020-1239 (A memory corruption vulnerability exists when Windows Media Foundation ...) NOT-FOR-US: Microsoft CVE-2020-1238 (A memory corruption vulnerability exists when Windows Media Foundation ...) NOT-FOR-US: Microsoft CVE-2020-1237 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-1236 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2020-1235 (An elevation of privilege vulnerability exists when the Windows Runtim ...) NOT-FOR-US: Microsoft CVE-2020-1234 (An elevation of privilege vulnerability exists when Windows Error Repo ...) NOT-FOR-US: Microsoft CVE-2020-1233 (An elevation of privilege vulnerability exists when the Windows Runtim ...) NOT-FOR-US: Microsoft CVE-2020-1232 (An information disclosure vulnerability exists when Media Foundation i ...) NOT-FOR-US: Microsoft CVE-2020-1231 (An elevation of privilege vulnerability exists when the Windows Runtim ...) NOT-FOR-US: Microsoft CVE-2020-1230 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2020-1229 (A security feature bypass vulnerability exists in Microsoft Outlook wh ...) NOT-FOR-US: Microsoft CVE-2020-1228 RESERVED CVE-2020-1227 RESERVED CVE-2020-1226 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2020-1225 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2020-1224 RESERVED CVE-2020-1223 (A remote code execution vulnerability exists when Microsoft Word for A ...) NOT-FOR-US: Microsoft CVE-2020-1222 (An elevation of privilege vulnerability exists when the Microsoft Stor ...) NOT-FOR-US: Microsoft CVE-2020-1221 RESERVED CVE-2020-1220 (A spoofing vulnerability exists when theMicrosoft Edge (Chromium-based ...) NOT-FOR-US: Microsoft CVE-2020-1219 (A remote code execution vulnerability exists in the way that Microsoft ...) NOT-FOR-US: Microsoft CVE-2020-1218 RESERVED CVE-2020-1217 (An information disclosure vulnerability exists when the Windows Runtim ...) NOT-FOR-US: Microsoft CVE-2020-1216 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2020-1215 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2020-1214 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2020-1213 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2020-1212 (An elevation of privilege vulnerability exists when an OLE Automation ...) NOT-FOR-US: Microsoft CVE-2020-1211 (An elevation of privilege vulnerability exists in the way that the Con ...) NOT-FOR-US: Microsoft CVE-2020-1210 RESERVED CVE-2020-1209 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-1208 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2020-1207 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2020-1206 (An information disclosure vulnerability exists in the way that the Mic ...) NOT-FOR-US: Microsoft CVE-2020-1205 RESERVED CVE-2020-1204 (An elevation of privilege vulnerability exists when Windows Mobile Dev ...) NOT-FOR-US: Microsoft CVE-2020-1203 (An elevation of privilege vulnerability exists when the Diagnostics Hu ...) NOT-FOR-US: Microsoft CVE-2020-1202 (An elevation of privilege vulnerability exists when the Diagnostics Hu ...) NOT-FOR-US: Microsoft CVE-2020-1201 (An elevation of privilege vulnerability exists in the way the Windows ...) NOT-FOR-US: Microsoft CVE-2020-1200 RESERVED CVE-2020-1199 (An elevation of privilege vulnerability exists when the Windows Feedba ...) NOT-FOR-US: Microsoft CVE-2020-1198 RESERVED CVE-2020-1197 (An elevation of privilege vulnerability exists when Windows Error Repo ...) NOT-FOR-US: Microsoft CVE-2020-1196 (An elevation of privilege vulnerability exists in the way that the pri ...) NOT-FOR-US: Microsoft CVE-2020-1195 (An elevation of privilege vulnerability exists in Microsoft Edge (Chro ...) NOT-FOR-US: Microsoft CVE-2020-1194 (A denial of service vulnerability exists when Windows Registry imprope ...) NOT-FOR-US: Microsoft CVE-2020-1193 RESERVED CVE-2020-1192 (A remote code execution vulnerability exists in Visual Studio Code whe ...) NOT-FOR-US: Microsoft CVE-2020-1191 (An elevation of privilege vulnerability exists when the Windows State ...) NOT-FOR-US: Microsoft CVE-2020-1190 (An elevation of privilege vulnerability exists when the Windows State ...) NOT-FOR-US: Microsoft CVE-2020-1189 (An elevation of privilege vulnerability exists when the Windows State ...) NOT-FOR-US: Microsoft CVE-2020-1188 (An elevation of privilege vulnerability exists when the Windows State ...) NOT-FOR-US: Microsoft CVE-2020-1187 (An elevation of privilege vulnerability exists when the Windows State ...) NOT-FOR-US: Microsoft CVE-2020-1186 (An elevation of privilege vulnerability exists when the Windows State ...) NOT-FOR-US: Microsoft CVE-2020-1185 (An elevation of privilege vulnerability exists when the Windows State ...) NOT-FOR-US: Microsoft CVE-2020-1184 (An elevation of privilege vulnerability exists when the Windows State ...) NOT-FOR-US: Microsoft CVE-2020-1183 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2020-1182 RESERVED CVE-2020-1181 (A remote code execution vulnerability exists in Microsoft SharePoint S ...) NOT-FOR-US: Microsoft CVE-2020-1180 RESERVED CVE-2020-1179 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2020-1178 (An elevation of privilege vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2020-1177 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2020-1176 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2020-1175 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2020-1174 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2020-1173 (A spoofing vulnerability exists in Microsoft Power BI Report Server in ...) NOT-FOR-US: Microsoft CVE-2020-1172 RESERVED CVE-2020-1171 (A remote code execution vulnerability exists in Visual Studio Code whe ...) NOT-FOR-US: Microsoft CVE-2020-1170 (An elevation of privilege vulnerability exists in Windows Defender tha ...) NOT-FOR-US: Microsoft CVE-2020-1169 RESERVED CVE-2020-1168 RESERVED CVE-2020-1167 RESERVED CVE-2020-1166 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2020-1165 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2020-1164 (An elevation of privilege vulnerability exists when the Windows Runtim ...) NOT-FOR-US: Microsoft CVE-2020-1163 (An elevation of privilege vulnerability exists in Windows Defender tha ...) NOT-FOR-US: Microsoft CVE-2020-1162 (An elevation of privilege (user to user) vulnerability exists in Windo ...) NOT-FOR-US: Microsoft CVE-2020-1161 (A denial of service vulnerability exists when ASP.NET Core improperly ...) NOT-FOR-US: Microsoft .NET CVE-2020-1160 (An information disclosure vulnerability exists when the Microsoft Wind ...) NOT-FOR-US: Microsoft CVE-2020-1159 RESERVED CVE-2020-1158 (An elevation of privilege vulnerability exists when the Windows Runtim ...) NOT-FOR-US: Microsoft CVE-2020-1157 (An elevation of privilege vulnerability exists when the Windows Runtim ...) NOT-FOR-US: Microsoft CVE-2020-1156 (An elevation of privilege vulnerability exists when the Windows Runtim ...) NOT-FOR-US: Microsoft CVE-2020-1155 (An elevation of privilege vulnerability exists when the Windows Runtim ...) NOT-FOR-US: Microsoft CVE-2020-1154 (An elevation of privilege vulnerability exists when the Windows Common ...) NOT-FOR-US: Microsoft CVE-2020-1153 (A remote code execution vulnerability exists in the way that Microsoft ...) NOT-FOR-US: Microsoft CVE-2020-1152 RESERVED CVE-2020-1151 (An elevation of privilege vulnerability exists when the Windows Runtim ...) NOT-FOR-US: Microsoft CVE-2020-1150 (A memory corruption vulnerability exists when Windows Media Foundation ...) NOT-FOR-US: Microsoft CVE-2020-1149 (An elevation of privilege vulnerability exists when the Windows Runtim ...) NOT-FOR-US: Microsoft CVE-2020-1148 (A spoofing vulnerability exists when Microsoft SharePoint Server does ...) NOT-FOR-US: Microsoft CVE-2020-1147 RESERVED CVE-2020-1146 RESERVED CVE-2020-1145 (An information disclosure vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-1144 (An elevation of privilege vulnerability exists when the Windows State ...) NOT-FOR-US: Microsoft CVE-2020-1143 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2020-1142 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-1141 (An information disclosure vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-1140 (An elevation of privilege vulnerability exists when DirectX improperly ...) NOT-FOR-US: Microsoft CVE-2020-1139 (An elevation of privilege vulnerability exists when the Windows Runtim ...) NOT-FOR-US: Microsoft CVE-2020-1138 (An elevation of privilege vulnerability exists when the Storage Servic ...) NOT-FOR-US: Microsoft CVE-2020-1137 (An elevation of privilege vulnerability exists in the way the Windows ...) NOT-FOR-US: Microsoft CVE-2020-1136 (A memory corruption vulnerability exists when Windows Media Foundation ...) NOT-FOR-US: Microsoft CVE-2020-1135 (An elevation of privilege vulnerability exists when the Windows Graphi ...) NOT-FOR-US: Microsoft CVE-2020-1134 (An elevation of privilege vulnerability exists when the Windows State ...) NOT-FOR-US: Microsoft CVE-2020-1133 RESERVED CVE-2020-1132 (An elevation of privilege vulnerability exists when Windows Error Repo ...) NOT-FOR-US: Microsoft CVE-2020-1131 (An elevation of privilege vulnerability exists when the Windows State ...) NOT-FOR-US: Microsoft CVE-2020-1130 RESERVED CVE-2020-1129 RESERVED CVE-2020-1128 RESERVED CVE-2020-1127 RESERVED CVE-2020-1126 (A memory corruption vulnerability exists when Windows Media Foundation ...) NOT-FOR-US: Microsoft CVE-2020-1125 (An elevation of privilege vulnerability exists when the Windows Runtim ...) NOT-FOR-US: Microsoft CVE-2020-1124 (An elevation of privilege vulnerability exists when the Windows State ...) NOT-FOR-US: Microsoft CVE-2020-1123 (A denial of service vulnerability exists when Connected User Experienc ...) NOT-FOR-US: Microsoft CVE-2020-1122 RESERVED CVE-2020-1121 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2020-1120 (A denial of service vulnerability exists when Connected User Experienc ...) NOT-FOR-US: Microsoft CVE-2020-1119 RESERVED CVE-2020-1118 (A denial of service vulnerability exists in the Windows implementation ...) NOT-FOR-US: Microsoft CVE-2020-1117 (A remote code execution vulnerability exists in the way that the Color ...) NOT-FOR-US: Microsoft CVE-2020-1116 (An information disclosure vulnerability exists when the Windows Client ...) NOT-FOR-US: Microsoft CVE-2020-1115 RESERVED CVE-2020-1114 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2020-1113 (A security feature bypass vulnerability exists in Microsoft Windows wh ...) NOT-FOR-US: Microsoft CVE-2020-1112 (An elevation of privilege vulnerability exists when the Windows Backgr ...) NOT-FOR-US: Microsoft CVE-2020-1111 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2020-1110 (An elevation of privilege vulnerability exists when the Windows Update ...) NOT-FOR-US: Microsoft CVE-2020-1109 (An elevation of privilege vulnerability exists when the Windows Update ...) NOT-FOR-US: Microsoft CVE-2020-1108 (A denial of service vulnerability exists when .NET Core or .NET Framew ...) NOT-FOR-US: Microsoft .NET CVE-2020-1107 (A spoofing vulnerability exists when Microsoft SharePoint Server does ...) NOT-FOR-US: Microsoft CVE-2020-1106 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2020-1105 (A spoofing vulnerability exists when Microsoft SharePoint Server does ...) NOT-FOR-US: Microsoft CVE-2020-1104 (A spoofing vulnerability exists when Microsoft SharePoint Server does ...) NOT-FOR-US: Microsoft CVE-2020-1103 (An information disclosure vulnerability exists where certain modes of ...) NOT-FOR-US: Microsoft CVE-2020-1102 (A remote code execution vulnerability exists in Microsoft SharePoint w ...) NOT-FOR-US: Microsoft CVE-2020-1101 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2020-1100 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2020-1099 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2020-1098 RESERVED CVE-2020-1097 RESERVED CVE-2020-1096 (A remote code execution vulnerability exists when Microsoft Edge PDF R ...) NOT-FOR-US: Microsoft CVE-2020-1095 RESERVED CVE-2020-1094 (An elevation of privilege vulnerability exists when the Windows Work F ...) NOT-FOR-US: Microsoft CVE-2020-1093 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2020-1092 (A remote code execution vulnerability exists when Internet Explorer im ...) NOT-FOR-US: Microsoft CVE-2020-1091 RESERVED CVE-2020-1090 (An elevation of privilege vulnerability exists when the Windows Runtim ...) NOT-FOR-US: Microsoft CVE-2020-1089 RESERVED CVE-2020-1088 (An elevation of privilege vulnerability exists in Windows Error Report ...) NOT-FOR-US: Microsoft CVE-2020-1087 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-1086 (An elevation of privilege vulnerability exists when the Windows Runtim ...) NOT-FOR-US: Microsoft CVE-2020-1085 RESERVED CVE-2020-1084 (A Denial Of Service vulnerability exists when Connected User Experienc ...) NOT-FOR-US: Microsoft CVE-2020-1083 RESERVED CVE-2020-1082 (An elevation of privilege vulnerability exists in Windows Error Report ...) NOT-FOR-US: Microsoft CVE-2020-1081 (An elevation of privilege vulnerability exists when the Windows Printe ...) NOT-FOR-US: Microsoft CVE-2020-1080 RESERVED CVE-2020-1079 (An elevation of privilege vulnerability exists when the Windows fails ...) NOT-FOR-US: Microsoft CVE-2020-1078 (An elevation of privilege vulnerability exists in Windows Installer be ...) NOT-FOR-US: Microsoft CVE-2020-1077 (An elevation of privilege vulnerability exists when the Windows Runtim ...) NOT-FOR-US: Microsoft CVE-2020-1076 (A denial of service vulnerability exists when Windows improperly handl ...) NOT-FOR-US: Microsoft CVE-2020-1075 (An information disclosure vulnerability exists when Windows Subsystem ...) NOT-FOR-US: Microsoft CVE-2020-1074 RESERVED CVE-2020-1073 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2020-1072 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2020-1071 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2020-1070 (An elevation of privilege vulnerability exists when the Windows Print ...) NOT-FOR-US: Microsoft CVE-2020-1069 (A remote code execution vulnerability exists in Microsoft SharePoint S ...) NOT-FOR-US: Microsoft CVE-2020-1068 (An elevation of privilege vulnerability exists in Windows Media Servic ...) NOT-FOR-US: Microsoft CVE-2020-1067 (A remote code execution vulnerability exists in the way that Windows h ...) NOT-FOR-US: Microsoft CVE-2020-1066 (An elevation of privilege vulnerability exists in .NET Framework which ...) NOT-FOR-US: Microsoft CVE-2020-1065 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2020-1064 (A remote code execution vulnerability exists in the way that the MSHTM ...) NOT-FOR-US: Microsoft CVE-2020-1063 (A cross site scripting vulnerability exists when Microsoft Dynamics 36 ...) NOT-FOR-US: Microsoft CVE-2020-1062 (A remote code execution vulnerability exists when Internet Explorer im ...) NOT-FOR-US: Microsoft CVE-2020-1061 (A remote code execution vulnerability exists in the way that the Micro ...) NOT-FOR-US: Microsoft CVE-2020-1060 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2020-1059 (A spoofing vulnerability exists when Microsoft Edge does not properly ...) NOT-FOR-US: Microsoft CVE-2020-1058 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2020-1057 RESERVED CVE-2020-1056 (An elevation of privilege vulnerability exists when Microsoft Edge doe ...) NOT-FOR-US: Microsoft CVE-2020-1055 (A cross-site-scripting (XSS) vulnerability exists when Active Director ...) NOT-FOR-US: Microsoft CVE-2020-1054 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2020-1053 RESERVED CVE-2020-1052 RESERVED CVE-2020-1051 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2020-1050 (A cross site scripting vulnerability exists when Microsoft Dynamics 36 ...) NOT-FOR-US: Microsoft CVE-2020-1049 (A cross site scripting vulnerability exists when Microsoft Dynamics 36 ...) NOT-FOR-US: Microsoft CVE-2020-1048 (An elevation of privilege vulnerability exists when the Windows Print ...) NOT-FOR-US: Microsoft CVE-2020-1047 RESERVED CVE-2020-1046 RESERVED CVE-2020-1045 RESERVED CVE-2020-1044 RESERVED CVE-2020-1043 RESERVED CVE-2020-1042 RESERVED CVE-2020-1041 RESERVED CVE-2020-1040 RESERVED CVE-2020-1039 RESERVED CVE-2020-1038 RESERVED CVE-2020-1037 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2020-1036 RESERVED CVE-2020-1035 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2020-1034 RESERVED CVE-2020-1033 RESERVED CVE-2020-1032 RESERVED CVE-2020-1031 RESERVED CVE-2020-1030 RESERVED CVE-2020-1029 (An elevation of privilege vulnerability exists when Connected User Exp ...) NOT-FOR-US: Microsoft CVE-2020-1028 (A memory corruption vulnerability exists when Windows Media Foundation ...) NOT-FOR-US: Microsoft CVE-2020-1027 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-1026 (A Security Feature Bypass vulnerability exists in the MSR JavaScript C ...) NOT-FOR-US: Microsoft CVE-2020-1025 RESERVED CVE-2020-1024 (A remote code execution vulnerability exists in Microsoft SharePoint w ...) NOT-FOR-US: Microsoft CVE-2020-1023 (A remote code execution vulnerability exists in Microsoft SharePoint w ...) NOT-FOR-US: Microsoft CVE-2020-1022 (A remote code execution vulnerability exists in Microsoft Dynamics Bus ...) NOT-FOR-US: Microsoft CVE-2020-1021 (An elevation of privilege vulnerability exists in Windows Error Report ...) NOT-FOR-US: Microsoft CVE-2020-1020 (A remote code execution vulnerability exists in Microsoft Windows when ...) NOT-FOR-US: Microsoft CVE-2020-1019 (An elevation of privilege vulnerability exists in RMS Sharing App for ...) NOT-FOR-US: Microsoft CVE-2020-1018 (An information disclosure vulnerability exists when Microsoft Dynamics ...) NOT-FOR-US: Microsoft CVE-2020-1017 (An elevation of privilege vulnerability exists in the way the Windows ...) NOT-FOR-US: Microsoft CVE-2020-1016 (An information disclosure vulnerability exists when the Windows Push N ...) NOT-FOR-US: Microsoft CVE-2020-1015 (An elevation of privilege vulnerability exists in the way that the Use ...) NOT-FOR-US: Microsoft CVE-2020-1014 (An elevation of privilege vulnerability exists in the Microsoft Window ...) NOT-FOR-US: Microsoft CVE-2020-1013 RESERVED CVE-2020-1012 RESERVED CVE-2020-1011 (An elevation of privilege vulnerability exists when the Windows System ...) NOT-FOR-US: Microsoft CVE-2020-1010 (An elevation of privilege vulnerability exists in Windows Block Level ...) NOT-FOR-US: Microsoft CVE-2020-1009 (An elevation of privilege vulnerability exists in the way that the Mic ...) NOT-FOR-US: Microsoft CVE-2020-1008 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2020-1007 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2020-1006 (An elevation of privilege vulnerability exists in the way the Windows ...) NOT-FOR-US: Microsoft CVE-2020-1005 (An information disclosure vulnerability exists when the Microsoft Wind ...) NOT-FOR-US: Microsoft CVE-2020-1004 (An elevation of privilege vulnerability exists when the Windows Graphi ...) NOT-FOR-US: Microsoft CVE-2020-1003 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2020-1002 (An elevation of privilege vulnerability exists when the MpSigStub.exe ...) NOT-FOR-US: Microsoft CVE-2020-1001 (An elevation of privilege vulnerability exists in the way the Windows ...) NOT-FOR-US: Microsoft CVE-2020-1000 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2020-0999 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2020-0998 RESERVED CVE-2020-0997 RESERVED CVE-2020-0996 (An elevation of privilege vulnerability exists when the Windows Update ...) NOT-FOR-US: Microsoft CVE-2020-0995 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2020-0994 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2020-0993 (A denial of service vulnerability exists in Windows DNS when it fails ...) NOT-FOR-US: Microsoft CVE-2020-0992 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2020-0991 (A remote code execution vulnerability exists in Microsoft Office softw ...) NOT-FOR-US: Microsoft CVE-2020-0990 RESERVED CVE-2020-0989 RESERVED CVE-2020-0988 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2020-0987 (An information disclosure vulnerability exists when the Microsoft Wind ...) NOT-FOR-US: Microsoft CVE-2020-0986 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2020-0985 (An elevation of privilege vulnerability exists when the Windows Update ...) NOT-FOR-US: Microsoft CVE-2020-0984 (An elevation of privilege vulnerability exists when the Microsoft Auto ...) NOT-FOR-US: Microsoft CVE-2020-0983 (An elevation of privilege vulnerability exists when the Windows Delive ...) NOT-FOR-US: Microsoft CVE-2020-0982 (An information disclosure vulnerability exists when the Microsoft Wind ...) NOT-FOR-US: Microsoft CVE-2020-0981 (A security feature bypass vulnerability exists when Windows fails to p ...) NOT-FOR-US: Microsoft CVE-2020-0980 (A remote code execution vulnerability exists in Microsoft Word softwar ...) NOT-FOR-US: Microsoft CVE-2020-0979 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2020-0978 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2020-0977 (A spoofing vulnerability exists when Microsoft SharePoint Server does ...) NOT-FOR-US: Microsoft CVE-2020-0976 (A spoofing vulnerability exists when Microsoft SharePoint Server does ...) NOT-FOR-US: Microsoft CVE-2020-0975 (A spoofing vulnerability exists when Microsoft SharePoint Server does ...) NOT-FOR-US: Microsoft CVE-2020-0974 (A remote code execution vulnerability exists in Microsoft SharePoint w ...) NOT-FOR-US: Microsoft CVE-2020-0973 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2020-0972 (A spoofing vulnerability exists when Microsoft SharePoint Server does ...) NOT-FOR-US: Microsoft CVE-2020-0971 (A remote code execution vulnerability exists in Microsoft SharePoint w ...) NOT-FOR-US: Microsoft CVE-2020-0970 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2020-0969 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2020-0968 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2020-0967 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2020-0966 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2020-0965 (A remoted code execution vulnerability exists in the way that Microsof ...) NOT-FOR-US: Microsoft CVE-2020-0964 (A remote code execution vulnerability exists in the way that the Windo ...) NOT-FOR-US: Microsoft CVE-2020-0963 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2020-0962 (An information disclosure vulnerability exists when the win32k compone ...) NOT-FOR-US: Microsoft CVE-2020-0961 (A remote code execution vulnerability exists when the Microsoft Office ...) NOT-FOR-US: Microsoft CVE-2020-0960 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2020-0959 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2020-0958 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2020-0957 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2020-0956 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2020-0955 (An information disclosure vulnerability exists when certain central pr ...) NOT-FOR-US: Microsoft CVE-2020-0954 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2020-0953 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2020-0952 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2020-0951 RESERVED CVE-2020-0950 (A memory corruption vulnerability exists when Windows Media Foundation ...) NOT-FOR-US: Microsoft CVE-2020-0949 (A memory corruption vulnerability exists when Windows Media Foundation ...) NOT-FOR-US: Microsoft CVE-2020-0948 (A memory corruption vulnerability exists when Windows Media Foundation ...) NOT-FOR-US: Microsoft CVE-2020-0947 (An information disclosure vulnerability exists when Media Foundation i ...) NOT-FOR-US: Microsoft CVE-2020-0946 (An information disclosure vulnerability exists when Media Foundation i ...) NOT-FOR-US: Microsoft CVE-2020-0945 (An information disclosure vulnerability exists when Media Foundation i ...) NOT-FOR-US: Microsoft CVE-2020-0944 (An elevation of privilege vulnerability exists when Connected User Exp ...) NOT-FOR-US: Microsoft CVE-2020-0943 (An authentication bypass vulnerability exists in Microsoft YourPhoneCo ...) NOT-FOR-US: Microsoft CVE-2020-0942 (An elevation of privilege vulnerability exists when Connected User Exp ...) NOT-FOR-US: Microsoft CVE-2020-0941 RESERVED CVE-2020-0940 (An elevation of privilege vulnerability exists in the way the Windows ...) NOT-FOR-US: Microsoft CVE-2020-0939 (An information disclosure vulnerability exists when Media Foundation i ...) NOT-FOR-US: Microsoft CVE-2020-0938 (A remote code execution vulnerability exists in Microsoft Windows when ...) NOT-FOR-US: Microsoft CVE-2020-0937 (An information disclosure vulnerability exists when Media Foundation i ...) NOT-FOR-US: Microsoft CVE-2020-0936 (An elevation of privilege vulnerability exists when a Windows schedule ...) NOT-FOR-US: Microsoft CVE-2020-0935 (An elevation of privilege vulnerability exists when the OneDrive for W ...) NOT-FOR-US: Microsoft CVE-2020-0934 (An elevation of privilege vulnerability exists when the Windows WpcDes ...) NOT-FOR-US: Microsoft CVE-2020-0933 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2020-0932 (A remote code execution vulnerability exists in Microsoft SharePoint w ...) NOT-FOR-US: Microsoft CVE-2020-0931 (A remote code execution vulnerability exists in Microsoft SharePoint w ...) NOT-FOR-US: Microsoft CVE-2020-0930 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2020-0929 (A remote code execution vulnerability exists in Microsoft SharePoint w ...) NOT-FOR-US: Microsoft CVE-2020-0928 RESERVED CVE-2020-0927 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2020-0926 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2020-0925 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2020-0924 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2020-0923 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2020-0922 RESERVED CVE-2020-0921 RESERVED CVE-2020-0920 (A remote code execution vulnerability exists in Microsoft SharePoint w ...) NOT-FOR-US: Microsoft CVE-2020-0919 (An elevation of privilege vulnerability exists in Remote Desktop App f ...) NOT-FOR-US: Microsoft CVE-2020-0918 (An elevation of privilege vulnerability exists when Windows Hyper-V on ...) NOT-FOR-US: Microsoft CVE-2020-0917 (An elevation of privilege vulnerability exists when Windows Hyper-V on ...) NOT-FOR-US: Microsoft CVE-2020-0916 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0915 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0914 RESERVED CVE-2020-0913 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2020-0912 RESERVED CVE-2020-0911 RESERVED CVE-2020-0910 (A remote code execution vulnerability exists when Windows Hyper-V on a ...) NOT-FOR-US: Microsoft CVE-2020-0909 (A denial of service vulnerability exists when Hyper-V on a Windows Ser ...) NOT-FOR-US: Microsoft CVE-2020-0908 RESERVED CVE-2020-0907 (A remote code execution vulnerability exists in the way that Microsoft ...) NOT-FOR-US: Microsoft CVE-2020-0906 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2020-0905 (An remote code execution vulnerability exists in Microsoft Dynamics Bu ...) NOT-FOR-US: Microsoft CVE-2020-0904 RESERVED CVE-2020-0903 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Excha ...) NOT-FOR-US: Microsoft CVE-2020-0902 (An elevation of privilege vulnerability exists in Service Fabric File ...) NOT-FOR-US: Microsoft CVE-2020-0901 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2020-0900 (An elevation of privilege vulnerability exists when the Visual Studio ...) NOT-FOR-US: Microsoft CVE-2020-0899 (An elevation of privilege vulnerability exists when Microsoft Visual S ...) NOT-FOR-US: Microsoft CVE-2020-0898 (An elevation of privilege vulnerability exists when the Windows Graphi ...) NOT-FOR-US: Microsoft CVE-2020-0897 (An elevation of privilege vulnerability exists when the Windows Work F ...) NOT-FOR-US: Microsoft CVE-2020-0896 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2020-0895 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2020-0894 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2020-0893 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2020-0892 (A remote code execution vulnerability exists in Microsoft Word softwar ...) NOT-FOR-US: Microsoft CVE-2020-0891 (This vulnerability is caused when SharePoint Server does not properly ...) NOT-FOR-US: Microsoft CVE-2020-0890 RESERVED CVE-2020-0889 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2020-0888 (An elevation of privilege vulnerability exists when DirectX improperly ...) NOT-FOR-US: Microsoft CVE-2020-0887 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2020-0886 RESERVED CVE-2020-0885 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2020-0884 (A spoofing vulnerability exists in Microsoft Visual Studio as it inclu ...) NOT-FOR-US: Microsoft CVE-2020-0883 (A remote code execution vulnerability exists in the way that the Windo ...) NOT-FOR-US: Microsoft CVE-2020-0882 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2020-0881 (A remote code execution vulnerability exists in the way that the Windo ...) NOT-FOR-US: Microsoft CVE-2020-0880 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2020-0879 (An information disclosure vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0878 RESERVED CVE-2020-0877 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2020-0876 (An information disclosure vulnerability exists when the win32k compone ...) NOT-FOR-US: Microsoft CVE-2020-0875 RESERVED CVE-2020-0874 (An information disclosure vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0873 RESERVED CVE-2020-0872 (A remote code execution vulnerability exists in Application Inspector ...) NOT-FOR-US: Microsoft CVE-2020-0871 (An information disclosure vulnerability exists when Windows Network Co ...) NOT-FOR-US: Microsoft CVE-2020-0870 RESERVED CVE-2020-0869 (A memory corruption vulnerability exists when Windows Media Foundation ...) NOT-FOR-US: Microsoft CVE-2020-0868 (An elevation of privilege vulnerability exists when the Windows Update ...) NOT-FOR-US: Microsoft CVE-2020-0867 (An elevation of privilege vulnerability exists when the Windows Update ...) NOT-FOR-US: Microsoft CVE-2020-0866 (An elevation of privilege vulnerability exists when the Windows Work F ...) NOT-FOR-US: Microsoft CVE-2020-0865 (An elevation of privilege vulnerability exists when the Windows Work F ...) NOT-FOR-US: Microsoft CVE-2020-0864 (An elevation of privilege vulnerability exists when the Windows Work F ...) NOT-FOR-US: Microsoft CVE-2020-0863 (An information vulnerability exists when Windows Connected User Experi ...) NOT-FOR-US: Microsoft CVE-2020-0862 RESERVED CVE-2020-0861 (An information disclosure vulnerability exists when the Windows Networ ...) NOT-FOR-US: Microsoft CVE-2020-0860 (An elevation of privilege vulnerability exists when the Windows Active ...) NOT-FOR-US: Microsoft CVE-2020-0859 (An information vulnerability exists when Windows Modules Installer Ser ...) NOT-FOR-US: Microsoft CVE-2020-0858 (An elevation of privilege vulnerability exists when the &quot;Publ ...) NOT-FOR-US: Microsoft CVE-2020-0857 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0856 RESERVED CVE-2020-0855 (A remote code execution vulnerability exists in Microsoft Word softwar ...) NOT-FOR-US: Microsoft CVE-2020-0854 (An elevation of privilege vulnerability exists when Windows Mobile Dev ...) NOT-FOR-US: Microsoft CVE-2020-0853 (An information disclosure vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2020-0852 (A remote code execution vulnerability exists in Microsoft Word softwar ...) NOT-FOR-US: Microsoft CVE-2020-0851 (A remote code execution vulnerability exists in Microsoft Word softwar ...) NOT-FOR-US: Microsoft CVE-2020-0850 (A remote code execution vulnerability exists in Microsoft Word softwar ...) NOT-FOR-US: Microsoft CVE-2020-0849 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2020-0848 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2020-0847 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2020-0846 RESERVED CVE-2020-0845 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0844 (An elevation of privilege vulnerability exists when Connected User Exp ...) NOT-FOR-US: Microsoft CVE-2020-0843 (An elevation of privilege vulnerability exists in Windows Installer be ...) NOT-FOR-US: Microsoft CVE-2020-0842 (An elevation of privilege vulnerability exists in Windows Installer be ...) NOT-FOR-US: Microsoft CVE-2020-0841 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2020-0840 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2020-0839 RESERVED CVE-2020-0838 RESERVED CVE-2020-0837 RESERVED CVE-2020-0836 RESERVED CVE-2020-0835 (An elevation of privilege vulnerability exists when Windows Defender a ...) NOT-FOR-US: Microsoft CVE-2020-0834 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2020-0833 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2020-0832 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2020-0831 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2020-0830 (A remote code execution vulnerability exists in the way the scripting ...) NOT-FOR-US: Microsoft CVE-2020-0829 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2020-0828 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2020-0827 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2020-0826 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2020-0825 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2020-0824 (A remote code execution vulnerability exists when Internet Explorer im ...) NOT-FOR-US: Microsoft CVE-2020-0823 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2020-0822 (An elevation of privilege vulnerability exists when the Windows Langua ...) NOT-FOR-US: Microsoft CVE-2020-0821 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2020-0820 (An information disclosure vulnerability exists when Media Foundation i ...) NOT-FOR-US: Microsoft CVE-2020-0819 (An elevation of privilege vulnerability exists when the Windows Device ...) NOT-FOR-US: Microsoft CVE-2020-0818 RESERVED CVE-2020-0817 RESERVED CVE-2020-0816 (A remote code execution vulnerability exists when Microsoft Edge impro ...) NOT-FOR-US: Microsoft CVE-2020-0815 (An elevation of privilege vulnerability exists when Azure DevOps Serve ...) NOT-FOR-US: Microsoft CVE-2020-0814 (An elevation of privilege vulnerability exists in Windows Installer be ...) NOT-FOR-US: Microsoft CVE-2020-0813 (An information disclosure vulnerability exists when Chakra improperly ...) NOT-FOR-US: Microsoft CVE-2020-0812 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2020-0811 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2020-0810 (An elevation of privilege vulnerability exists when the Diagnostics Hu ...) NOT-FOR-US: Microsoft CVE-2020-0809 (A memory corruption vulnerability exists when Windows Media Foundation ...) NOT-FOR-US: Microsoft CVE-2020-0808 (An elevation of privilege vulnerability exists in the way the Provisio ...) NOT-FOR-US: Microsoft CVE-2020-0807 (A memory corruption vulnerability exists when Windows Media Foundation ...) NOT-FOR-US: Microsoft CVE-2020-0806 (An elevation of privilege vulnerability exists in Windows Error Report ...) NOT-FOR-US: Microsoft CVE-2020-0805 RESERVED CVE-2020-0804 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0803 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0802 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0801 (A memory corruption vulnerability exists when Windows Media Foundation ...) NOT-FOR-US: Microsoft CVE-2020-0800 (An elevation of privilege vulnerability exists when the Windows Work F ...) NOT-FOR-US: Microsoft CVE-2020-0799 (An elevation of privilege vulnerability exists in Microsoft Windows wh ...) NOT-FOR-US: Microsoft CVE-2020-0798 (An elevation of privilege vulnerability exists in the Windows Installe ...) NOT-FOR-US: Microsoft CVE-2020-0797 (An elevation of privilege vulnerability exists when the Windows Work F ...) NOT-FOR-US: Microsoft CVE-2020-0796 (A remote code execution vulnerability exists in the way that the Micro ...) NOT-FOR-US: Microsoft CVE-2020-0795 (This vulnerability is caused when SharePoint Server does not properly ...) NOT-FOR-US: Microsoft CVE-2020-0794 (A denial of service vulnerability exists when Windows improperly handl ...) NOT-FOR-US: Microsoft CVE-2020-0793 (An elevation of privilege vulnerability exists when the Diagnostics Hu ...) NOT-FOR-US: Microsoft CVE-2020-0792 (An elevation of privilege vulnerability exists when the Windows Graphi ...) NOT-FOR-US: Microsoft CVE-2020-0791 (An elevation of privilege vulnerability exists when the Windows Graphi ...) NOT-FOR-US: Microsoft CVE-2020-0790 RESERVED CVE-2020-0789 (A denial of service vulnerability exists when the Visual Studio Extens ...) NOT-FOR-US: Microsoft CVE-2020-0788 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2020-0787 (An elevation of privilege vulnerability exists when the Windows Backgr ...) NOT-FOR-US: Microsoft CVE-2020-0786 (A denial of service vulnerability exists when the Windows Tile Object ...) NOT-FOR-US: Microsoft CVE-2020-0785 (An elevation of privilege vulnerability exists when the Windows User P ...) NOT-FOR-US: Microsoft CVE-2020-0784 (An elevation of privilege vulnerability exists when DirectX improperly ...) NOT-FOR-US: Microsoft CVE-2020-0783 (An elevation of privilege vulnerability exists when the Windows Univer ...) NOT-FOR-US: Microsoft CVE-2020-0782 RESERVED CVE-2020-0781 (An elevation of privilege vulnerability exists when the Windows Univer ...) NOT-FOR-US: Microsoft CVE-2020-0780 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0779 (An elevation of privilege vulnerability exists in the Windows Installe ...) NOT-FOR-US: Microsoft CVE-2020-0778 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0777 (An elevation of privilege vulnerability exists when the Windows Work F ...) NOT-FOR-US: Microsoft CVE-2020-0776 (An elevation of privilege vulnerability exists when the Windows AppX D ...) NOT-FOR-US: Microsoft CVE-2020-0775 (An information disclosure vulnerability exists when Windows Error Repo ...) NOT-FOR-US: Microsoft CVE-2020-0774 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2020-0773 (An elevation of privilege vulnerability exists when the Windows Active ...) NOT-FOR-US: Microsoft CVE-2020-0772 (An elevation of privilege vulnerability exists when Windows Error Repo ...) NOT-FOR-US: Microsoft CVE-2020-0771 (An elevation of privilege vulnerability exists when the Windows CSC Se ...) NOT-FOR-US: Microsoft CVE-2020-0770 (An elevation of privilege vulnerability exists when the Windows Active ...) NOT-FOR-US: Microsoft CVE-2020-0769 (An elevation of privilege vulnerability exists when the Windows CSC Se ...) NOT-FOR-US: Microsoft CVE-2020-0768 (A remote code execution vulnerability exists in the way the scripting ...) NOT-FOR-US: Microsoft CVE-2020-0767 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2020-0766 RESERVED CVE-2020-0765 (An information disclosure vulnerability exists in the Remote Desktop C ...) NOT-FOR-US: Microsoft CVE-2020-0764 RESERVED CVE-2020-0763 (An elevation of privilege vulnerability exists when Windows Defender S ...) NOT-FOR-US: Microsoft CVE-2020-0762 (An elevation of privilege vulnerability exists when Windows Defender S ...) NOT-FOR-US: Microsoft CVE-2020-0761 RESERVED CVE-2020-0760 (A remote code execution vulnerability exists when Microsoft Office imp ...) NOT-FOR-US: Microsoft CVE-2020-0759 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2020-0758 (An elevation of privilege vulnerability exists when Azure DevOps Serve ...) NOT-FOR-US: Microsoft CVE-2020-0757 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2020-0756 (An information disclosure vulnerability exists in the Cryptography Nex ...) NOT-FOR-US: Microsoft CVE-2020-0755 (An information disclosure vulnerability exists in the Cryptography Nex ...) NOT-FOR-US: Microsoft CVE-2020-0754 (An elevation of privilege vulnerability exists in Windows Error Report ...) NOT-FOR-US: Microsoft CVE-2020-0753 (An elevation of privilege vulnerability exists in Windows Error Report ...) NOT-FOR-US: Microsoft CVE-2020-0752 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0751 (A denial of service vulnerability exists when Microsoft Hyper-V on a h ...) NOT-FOR-US: Microsoft CVE-2020-0750 (An elevation of privilege vulnerability exists in the way that the Con ...) NOT-FOR-US: Microsoft CVE-2020-0749 (An elevation of privilege vulnerability exists in the way that the Con ...) NOT-FOR-US: Microsoft CVE-2020-0748 (An information disclosure vulnerability exists in the Cryptography Nex ...) NOT-FOR-US: Microsoft CVE-2020-0747 (An elevation of privilege vulnerability exists when the Windows Data S ...) NOT-FOR-US: Microsoft CVE-2020-0746 (An information disclosure vulnerability exists in the way that Microso ...) NOT-FOR-US: Microsoft CVE-2020-0745 (An elevation of privilege vulnerability exists when the Windows Graphi ...) NOT-FOR-US: Microsoft CVE-2020-0744 (An information disclosure vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0743 (An elevation of privilege vulnerability exists in the way that the Con ...) NOT-FOR-US: Microsoft CVE-2020-0742 (An elevation of privilege vulnerability exists in the way that the Con ...) NOT-FOR-US: Microsoft CVE-2020-0741 (An elevation of privilege vulnerability exists in the way that the Con ...) NOT-FOR-US: Microsoft CVE-2020-0740 (An elevation of privilege vulnerability exists in the way that the Con ...) NOT-FOR-US: Microsoft CVE-2020-0739 (An elevation of privilege vulnerability exists in the way that the dss ...) NOT-FOR-US: Microsoft CVE-2020-0738 (A memory corruption vulnerability exists when Windows Media Foundation ...) NOT-FOR-US: Microsoft CVE-2020-0737 (An elevation of privilege vulnerability exists in the way that the tap ...) NOT-FOR-US: Microsoft CVE-2020-0736 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2020-0735 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0734 (A remote code execution vulnerability exists in the Windows Remote Des ...) NOT-FOR-US: Microsoft CVE-2020-0733 (An elevation of privilege vulnerability exists when the Windows Malici ...) NOT-FOR-US: Microsoft CVE-2020-0732 (An elevation of privilege vulnerability exists when DirectX improperly ...) NOT-FOR-US: Microsoft CVE-2020-0731 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2020-0730 (An elevation of privilege vulnerability exists when the Windows User P ...) NOT-FOR-US: Microsoft CVE-2020-0729 (A remote code execution vulnerability exists in Microsoft Windows that ...) NOT-FOR-US: Microsoft CVE-2020-0728 (An information vulnerability exists when Windows Modules Installer Ser ...) NOT-FOR-US: Microsoft CVE-2020-0727 (An elevation of privilege vulnerability exists when the Connected User ...) NOT-FOR-US: Microsoft CVE-2020-0726 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2020-0725 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2020-0724 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2020-0723 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2020-0722 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2020-0721 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2020-0720 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2020-0719 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2020-0718 RESERVED CVE-2020-0717 (An information disclosure vulnerability exists when the win32k compone ...) NOT-FOR-US: Microsoft CVE-2020-0716 (An information disclosure vulnerability exists when the win32k compone ...) NOT-FOR-US: Microsoft CVE-2020-0715 (An elevation of privilege vulnerability exists when the Windows Graphi ...) NOT-FOR-US: Microsoft CVE-2020-0714 (An information disclosure vulnerability exists when DirectX improperly ...) NOT-FOR-US: Microsoft CVE-2020-0713 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2020-0712 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2020-0711 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2020-0710 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2020-0709 (An elevation of privilege vulnerability exists when DirectX improperly ...) NOT-FOR-US: Microsoft CVE-2020-0708 (A remote code execution vulnerability exists when the Windows Imaging ...) NOT-FOR-US: Microsoft CVE-2020-0707 (An elevation of privilege vulnerability exists when the Windows IME im ...) NOT-FOR-US: Microsoft CVE-2020-0706 (An information disclosure vulnerability exists in the way that affecte ...) NOT-FOR-US: Microsoft CVE-2020-0705 (An information disclosure vulnerability exists when the Windows Networ ...) NOT-FOR-US: Microsoft CVE-2020-0704 (An elevation of privilege vulnerability exists when the Windows Wirele ...) NOT-FOR-US: Microsoft CVE-2020-0703 (An elevation of privilege vulnerability exists when the Windows Backup ...) NOT-FOR-US: Microsoft CVE-2020-0702 (A security feature bypass vulnerability exists in Surface Hub when pro ...) NOT-FOR-US: Microsoft CVE-2020-0701 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0700 (A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Se ...) NOT-FOR-US: Microsoft CVE-2020-0699 (An information disclosure vulnerability exists when the win32k compone ...) NOT-FOR-US: Microsoft CVE-2020-0698 (An information disclosure vulnerability exists when the Telephony Serv ...) NOT-FOR-US: Microsoft CVE-2020-0697 (An elevation of privilege vulnerability exists in Microsoft Office OLi ...) NOT-FOR-US: Microsoft CVE-2020-0696 (A security feature bypass vulnerability exists in Microsoft Outlook so ...) NOT-FOR-US: Microsoft CVE-2020-0695 (A spoofing vulnerability exists when Office Online Server does not val ...) NOT-FOR-US: Microsoft CVE-2020-0694 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2020-0693 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2020-0692 (An elevation of privilege vulnerability exists in Microsoft Exchange S ...) NOT-FOR-US: Microsoft CVE-2020-0691 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2020-0690 (An elevation of privilege vulnerability exists when DirectX improperly ...) NOT-FOR-US: Microsoft CVE-2020-0689 (A security feature bypass vulnerability exists in secure boot, aka 'Mi ...) NOT-FOR-US: Microsoft CVE-2020-0688 (A remote code execution vulnerability exists in Microsoft Exchange sof ...) NOT-FOR-US: Microsoft CVE-2020-0687 (A remote code execution vulnerability exists when the Windows font lib ...) NOT-FOR-US: Microsoft CVE-2020-0686 (An elevation of privilege vulnerability exists in the Windows Installe ...) NOT-FOR-US: Microsoft CVE-2020-0685 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2020-0684 (A remote code execution vulnerability exists in Microsoft Windows that ...) NOT-FOR-US: Microsoft CVE-2020-0683 (An elevation of privilege vulnerability exists in the Windows Installe ...) NOT-FOR-US: Microsoft CVE-2020-0682 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0681 (A remote code execution vulnerability exists in the Windows Remote Des ...) NOT-FOR-US: Microsoft CVE-2020-0680 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0679 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0678 (An elevation of privilege vulnerability exists when Windows Error Repo ...) NOT-FOR-US: Microsoft CVE-2020-0677 (An information disclosure vulnerability exists in the Cryptography Nex ...) NOT-FOR-US: Microsoft CVE-2020-0676 (An information disclosure vulnerability exists in the Cryptography Nex ...) NOT-FOR-US: Microsoft CVE-2020-0675 (An information disclosure vulnerability exists in the Cryptography Nex ...) NOT-FOR-US: Microsoft CVE-2020-0674 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2020-0673 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2020-0672 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2020-0671 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2020-0670 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2020-0669 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0668 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0667 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0666 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0665 (An elevation of privilege vulnerability exists in Active Directory For ...) NOT-FOR-US: Microsoft CVE-2020-0664 RESERVED CVE-2020-0663 (An elevation of privilege vulnerability exists when Microsoft Edge doe ...) NOT-FOR-US: Microsoft CVE-2020-0662 (A remote code execution vulnerability exists in the way that Windows h ...) NOT-FOR-US: Microsoft CVE-2020-0661 (A denial of service vulnerability exists when Microsoft Hyper-V on a h ...) NOT-FOR-US: Microsoft CVE-2020-0660 (A denial of service vulnerability exists in Remote Desktop Protocol (R ...) NOT-FOR-US: Microsoft CVE-2020-0659 (An elevation of privilege vulnerability exists when the Windows Data S ...) NOT-FOR-US: Microsoft CVE-2020-0658 (An information disclosure vulnerability exists in the Windows Common L ...) NOT-FOR-US: Microsoft CVE-2020-0657 (An elevation of privilege vulnerability exists when the Windows Common ...) NOT-FOR-US: Microsoft CVE-2020-0656 (A cross site scripting vulnerability exists when Microsoft Dynamics 36 ...) NOT-FOR-US: Microsoft CVE-2020-0655 (A remote code execution vulnerability exists in Remote Desktop Service ...) NOT-FOR-US: Microsoft CVE-2020-0654 (A security feature bypass vulnerability exists in Microsoft OneDrive A ...) NOT-FOR-US: Microsoft CVE-2020-0653 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2020-0652 (A remote code execution vulnerability exists in Microsoft Office softw ...) NOT-FOR-US: Microsoft CVE-2020-0651 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2020-0650 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2020-0649 RESERVED CVE-2020-0648 RESERVED CVE-2020-0647 (A spoofing vulnerability exists when Office Online does not validate o ...) NOT-FOR-US: Microsoft CVE-2020-0646 (A remote code execution vulnerability exists when the Microsoft .NET F ...) NOT-FOR-US: Microsoft CVE-2020-0645 (A tampering vulnerability exists when Microsoft IIS Server improperly ...) NOT-FOR-US: Microsoft CVE-2020-0644 (An elevation of privilege vulnerability exists when Microsoft Windows ...) NOT-FOR-US: Microsoft CVE-2020-0643 (An information disclosure vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0642 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2020-0641 (An elevation of privilege vulnerability exists in Windows Media Servic ...) NOT-FOR-US: Microsoft CVE-2020-0640 (A remote code execution vulnerability exists when Internet Explorer im ...) NOT-FOR-US: Microsoft CVE-2020-0639 (An information disclosure vulnerability exists in the Windows Common L ...) NOT-FOR-US: Microsoft CVE-2020-0638 (An elevation of privilege vulnerability exists in the way the Update N ...) NOT-FOR-US: Microsoft CVE-2020-0637 (An information disclosure vulnerability exists when Remote Desktop Web ...) NOT-FOR-US: Microsoft CVE-2020-0636 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0635 (An elevation of privilege vulnerability exists in Microsoft Windows wh ...) NOT-FOR-US: Microsoft CVE-2020-0634 (An elevation of privilege vulnerability exists when the Windows Common ...) NOT-FOR-US: Microsoft CVE-2020-0633 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0632 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0631 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0630 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0629 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0628 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0627 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0626 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0625 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0624 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2020-0623 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0622 (An information disclosure vulnerability exists when the Microsoft Wind ...) NOT-FOR-US: Microsoft CVE-2020-0621 (A security feature bypass vulnerability exists in Windows 10 when thir ...) NOT-FOR-US: Microsoft CVE-2020-0620 (An elevation of privilege vulnerability exists when Microsoft Cryptogr ...) NOT-FOR-US: Microsoft CVE-2020-0619 RESERVED CVE-2020-0618 (A remote code execution vulnerability exists in Microsoft SQL Server R ...) NOT-FOR-US: Microsoft CVE-2020-0617 (A denial of service vulnerability exists when Microsoft Hyper-V Virtua ...) NOT-FOR-US: Microsoft CVE-2020-0616 (A denial of service vulnerability exists when Windows improperly handl ...) NOT-FOR-US: Microsoft CVE-2020-0615 (An information disclosure vulnerability exists in the Windows Common L ...) NOT-FOR-US: Microsoft CVE-2020-0614 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0613 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2020-0612 (A denial of service vulnerability exists in Windows Remote Desktop Gat ...) NOT-FOR-US: Microsoft CVE-2020-0611 (A remote code execution vulnerability exists in the Windows Remote Des ...) NOT-FOR-US: Microsoft CVE-2020-0610 (A remote code execution vulnerability exists in Windows Remote Desktop ...) NOT-FOR-US: Microsoft CVE-2020-0609 (A remote code execution vulnerability exists in Windows Remote Desktop ...) NOT-FOR-US: Microsoft CVE-2020-0608 (An information disclosure vulnerability exists when the win32k compone ...) NOT-FOR-US: Microsoft CVE-2020-0607 (An information disclosure vulnerability exists in the way that Microso ...) NOT-FOR-US: Microsoft CVE-2020-0606 (A remote code execution vulnerability exists in .NET software when the ...) NOT-FOR-US: Microsoft CVE-2020-0605 (A remote code execution vulnerability exists in .NET software when the ...) NOT-FOR-US: Microsoft CVE-2020-0604 RESERVED CVE-2020-0603 (A remote code execution vulnerability exists in ASP.NET Core software ...) NOT-FOR-US: Microsoft CVE-2020-0602 (A denial of service vulnerability exists when ASP.NET Core improperly ...) NOT-FOR-US: Microsoft CVE-2020-0601 (A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32. ...) NOT-FOR-US: Microsoft CVE-2019-18779 RESERVED CVE-2019-18778 RESERVED CVE-2019-18777 RESERVED CVE-2019-18776 RESERVED CVE-2019-18775 RESERVED CVE-2019-18774 REJECTED CVE-2019-18773 REJECTED CVE-2019-18772 REJECTED CVE-2019-18771 REJECTED CVE-2019-18770 REJECTED CVE-2019-18769 REJECTED CVE-2019-18768 REJECTED CVE-2019-18767 REJECTED CVE-2019-18766 REJECTED CVE-2019-18765 REJECTED CVE-2019-18764 REJECTED CVE-2019-18763 REJECTED CVE-2019-18762 REJECTED CVE-2019-18761 REJECTED CVE-2019-18760 REJECTED CVE-2019-18759 REJECTED CVE-2019-18758 REJECTED CVE-2019-18757 REJECTED CVE-2019-18756 REJECTED CVE-2019-18755 REJECTED CVE-2019-18754 REJECTED CVE-2019-18753 REJECTED CVE-2019-18752 REJECTED CVE-2019-18751 REJECTED CVE-2019-18750 REJECTED CVE-2019-18749 REJECTED CVE-2019-18748 REJECTED CVE-2019-18747 REJECTED CVE-2019-18746 REJECTED CVE-2019-18745 REJECTED CVE-2019-18744 REJECTED CVE-2019-18743 REJECTED CVE-2019-18742 REJECTED CVE-2019-18741 REJECTED CVE-2019-18740 REJECTED CVE-2019-18739 REJECTED CVE-2019-18738 REJECTED CVE-2019-18737 REJECTED CVE-2019-18736 REJECTED CVE-2019-18735 REJECTED CVE-2019-18734 REJECTED CVE-2019-18733 REJECTED CVE-2019-18732 REJECTED CVE-2019-18731 REJECTED CVE-2019-18730 REJECTED CVE-2019-18729 REJECTED CVE-2019-18728 REJECTED CVE-2019-18727 REJECTED CVE-2019-18726 REJECTED CVE-2019-18725 REJECTED CVE-2019-18724 REJECTED CVE-2019-18723 REJECTED CVE-2019-18722 REJECTED CVE-2019-18721 REJECTED CVE-2019-18720 REJECTED CVE-2019-18719 REJECTED CVE-2019-18718 REJECTED CVE-2019-18717 REJECTED CVE-2019-18716 REJECTED CVE-2019-18715 REJECTED CVE-2019-18714 REJECTED CVE-2019-18713 REJECTED CVE-2019-18712 REJECTED CVE-2019-18711 REJECTED CVE-2019-18710 REJECTED CVE-2019-18709 REJECTED CVE-2019-18708 REJECTED CVE-2019-18707 REJECTED CVE-2019-18706 REJECTED CVE-2019-18705 REJECTED CVE-2019-18704 REJECTED CVE-2019-18703 REJECTED CVE-2019-18702 REJECTED CVE-2019-18701 REJECTED CVE-2019-18700 REJECTED CVE-2019-18699 REJECTED CVE-2019-18698 REJECTED CVE-2019-18697 REJECTED CVE-2019-18696 REJECTED CVE-2019-18695 REJECTED CVE-2019-18694 REJECTED CVE-2019-18693 REJECTED CVE-2019-18692 REJECTED CVE-2019-18691 REJECTED CVE-2019-18690 REJECTED CVE-2019-18689 REJECTED CVE-2019-18688 REJECTED CVE-2019-18687 REJECTED CVE-2019-18686 REJECTED CVE-2019-18685 REJECTED CVE-2019-18684 (** DISPUTED ** Sudo through 1.8.29 allows local users to escalate to r ...) NOTE: https://gist.github.com/oxagast/51171aa161074188a11d96cbef884bbd NOTE: Issue is bogus and a non-security issue (confirmed by upstream and in progress NOTE: of beeing REJECTED). An attack is only viable if the attacker can write to fd/3. CVE-2019-18682 RESERVED CVE-2019-18681 RESERVED CVE-2019-18680 (An issue was discovered in the Linux kernel 4.4.x before 4.4.195. Ther ...) - linux (Vulnerable code not present) NOTE: https://lkml.org/lkml/2019/9/18/337 CVE-2019-18679 (An issue was discovered in Squid 2.x, 3.x, and 4.x through 4.8. Due to ...) {DSA-4682-1 DLA-2028-1} - squid 4.9-1 - squid3 NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-6f2841090dffbec1a2b2417e18bb3dc71d62dd2e.patch NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_11.txt CVE-2019-18678 (An issue was discovered in Squid 3.x and 4.x through 4.8. It allows at ...) {DSA-4682-1 DLA-2028-1} - squid 4.9-1 - squid3 NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_10.txt CVE-2019-18677 (An issue was discovered in Squid 3.x and 4.x through 4.8 when the appe ...) {DSA-4682-1 DLA-2028-1} - squid 4.9-1 - squid3 NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-36492033ea4097821a4f7ff3ddcb971fbd1e8ba0.patch NOTE: Squid 3.5: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-e5f1813a674848dde570f7920873e1071f96e0b4.patch NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_9.txt CVE-2019-18676 (An issue was discovered in Squid 3.x and 4.x through 4.8. Due to incor ...) {DSA-4682-1} - squid 4.9-1 - squid3 NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_8.txt NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-fbbdf75efd7a5cc244b4886a9d42ea458c5a3a73.patch CVE-2019-18683 (An issue was discovered in drivers/media/platform/vivid in the Linux k ...) {DLA-2114-1} - linux 5.3.15-1 [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 [jessie] - linux (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2019/11/02/1 CVE-2019-18675 (The Linux kernel through 5.3.13 has a start_offset+size Integer Overfl ...) - linux 4.16.16-1 [stretch] - linux 4.9.110-1 [jessie] - linux 3.16.64-1 NOTE: https://deshal3v.github.io/blog/kernel-research/mmap_exploitation CVE-2019-18674 (An issue was discovered in Joomla! before 3.9.13. A missing access che ...) NOT-FOR-US: Joomla! CVE-2019-18673 (On SHIFT BitBox02 devices, a side channel for the row-based OLED displ ...) NOT-FOR-US: SHIFT BitBox02 devices CVE-2019-18672 (Insufficient checks in the finite state machine of the ShapeShift Keep ...) NOT-FOR-US: ShapeShift CVE-2019-18671 (Insufficient checks in the USB packet handling of the ShapeShift KeepK ...) NOT-FOR-US: ShapeShift CVE-2019-18670 (In the Quick Access Service (QAAdminAgent.exe) in Acer Quick Access V2 ...) NOT-FOR-US: Acer CVE-2019-18669 RESERVED CVE-2019-18668 (An issue was discovered in the Currency Switcher addon before 2.11.2 f ...) NOT-FOR-US: Currency Switcher addon for WooCommerce CVE-2019-18667 (/usr/local/www/freeradius_view_config.php in the freeradius3 package b ...) NOT-FOR-US: FreeBSD specific freeradius_view_config.php in the freeradius3 package CVE-2019-18666 (An issue was discovered on D-Link DAP-1360 revision F devices. Remote ...) NOT-FOR-US: D-Link CVE-2019-18665 (The Log module in SECUDOS DOMOS before 5.6 allows local file inclusion ...) NOT-FOR-US: SECUDOS DOMOS CVE-2019-18664 (The Log module in SECUDOS DOMOS before 5.6 allows XSS. ...) NOT-FOR-US: SECUDOS DOMOS CVE-2019-18663 (A SQL injection vulnerability in a /login/forgot1 POST request in ARP- ...) NOT-FOR-US: ARP-GUARD CVE-2019-18662 (An issue was discovered in YouPHPTube through 7.7. User input passed t ...) NOT-FOR-US: YouPHPTube CVE-2019-18661 (Fastweb FASTGate 1.0.1b devices allow partial authentication bypass by ...) NOT-FOR-US: Fastweb FASTGate CVE-2019-18660 (The Linux kernel before 5.4.1 on powerpc allows Information Exposure b ...) - linux 5.3.15-1 [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 [jessie] - linux (powerpc not supported in LTS) NOTE: https://www.openwall.com/lists/oss-security/2019/11/27/1 CVE-2019-18659 (The Wireless Emergency Alerts (WEA) protocol allows remote attackers t ...) NOT-FOR-US: Wireless Emergency Alerts (WEA) protocol CVE-2019-18658 (In Helm 2.x before 2.15.2, commands that deal with loading a chart as ...) - helm-kubernetes (bug #910799) CVE-2019-18657 (ClickHouse before 19.13.5.44 allows HTTP header injection via the url ...) NOT-FOR-US: ClickHouse CVE-2019-18656 (Pimcore 6.2.3 has XSS in the translations grid because bundles/AdminBu ...) NOT-FOR-US: Pimcore CVE-2019-18655 (File Sharing Wizard version 1.5.0 build 2008 is affected by a Structur ...) NOT-FOR-US: File Sharing Wizard CVE-2019-18654 (A Cross Site Scripting (XSS) issue exists in AVG AntiVirus (Internet S ...) NOT-FOR-US: AVG CVE-2019-18653 (A Cross Site Scripting (XSS) issue exists in Avast AntiVirus (Free, In ...) NOT-FOR-US: Avast CVE-2019-18652 (A DOM based XSS vulnerability has been identified on the WatchGuard XM ...) NOT-FOR-US: Watchguard CVE-2019-18651 (A cross-site request forgery (CSRF) vulnerability in 3xLogic Infinias ...) NOT-FOR-US: 3xLogic CVE-2019-18650 (An issue was discovered in Joomla! before 3.9.13. A missing token chec ...) NOT-FOR-US: Joomla! CVE-2018-21030 (Jupyter Notebook before 5.5.0 does not use a CSP header to treat serve ...) - jupyter-notebook 5.7.4-1 NOTE: https://github.com/jupyter/notebook/pull/3341 CVE-2019-18649 (When logged in as an admin user, the Title input field (under Reports) ...) NOT-FOR-US: Untangle NG firewall CVE-2019-18648 (When logged in as an admin user, the Untangle NG firewall 14.2.0 is vu ...) NOT-FOR-US: Untangle NG firewall CVE-2019-18647 (The Untangle NG firewall 14.2.0 is vulnerable to an authenticated comm ...) NOT-FOR-US: Untangle NG firewall CVE-2019-18646 (The Untangle NG firewall 14.2.0 is vulnerable to authenticated inline- ...) NOT-FOR-US: Untangle NG firewall CVE-2019-18645 (The quarantine restoration function in Total Defense Anti-virus 11.5.2 ...) NOT-FOR-US: Total Defense Anti-virus CVE-2019-18644 (The malware scan function in Total Defense Anti-virus 11.5.2.28 is vul ...) NOT-FOR-US: Total Defense Anti-virus CVE-2019-18643 RESERVED CVE-2019-18642 RESERVED CVE-2019-18641 (Rock RMS before 1.8.6 mishandles vCard access control within the Peopl ...) NOT-FOR-US: Rock RMS CVE-2019-18640 RESERVED CVE-2019-18639 RESERVED CVE-2019-18638 RESERVED CVE-2019-18637 RESERVED CVE-2019-18636 (A cross-site scripting (XSS) vulnerability in Jitbit .NET Forum (aka A ...) NOT-FOR-US: Jitbit .NET Forum CVE-2019-18635 (An issue was discovered in Mooltipass Moolticute through v0.42.1 and v ...) NOT-FOR-US: Mooltipass Moolticute CVE-2019-18634 (In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users ...) {DSA-4614-1 DLA-2094-1} - sudo 1.8.31-1 (bug #950371) [buster] - sudo 1.8.27-1+deb10u2 NOTE: https://www.sudo.ws/alerts/pwfeedback.html NOTE: https://www.openwall.com/lists/oss-security/2020/01/30/6 NOTE: https://github.com/sudo-project/sudo/commit/fa8ffeb17523494f0e8bb49a25e53635f4509078 (master) NOTE: https://github.com/sudo-project/sudo/commit/b5d2010b6514ff45693509273bb07df3abb0bf0a (SUDO_1_8_31) NOTE: The issue itself is fixed only in 1.8.31 but a change in the EOF handling NOTE: introduced in 1.8.26 mitigated exploitation of the bug in some cases: NOTE: https://www.openwall.com/lists/oss-security/2020/01/31/1 NOTE: Change for "Print a warning for password read issues" in 1.8.26: NOTE: https://github.com/sudo-project/sudo/commit/ab2cba0f5d8b286e8e52c06076efd32434f538ae (SUDO_1_8_26) NOTE: The overflow is tough as well reachable when using a pty: NOTE: https://www.openwall.com/lists/oss-security/2020/02/05/2 CVE-2019-18633 (European Commission eIDAS-Node Integration Package before 2.3.1 has Mi ...) NOT-FOR-US: European Commission eIDAS-Node Integration Package CVE-2019-18632 (European Commission eIDAS-Node Integration Package before 2.3.1 allows ...) NOT-FOR-US: European Commission eIDAS-Node Integration Package CVE-2019-18631 (The Windows component of Centrify Authentication and Privilege Elevati ...) NOT-FOR-US: Centrify Authentication and Privilege Elevation Services CVE-2019-18630 RESERVED CVE-2019-18629 RESERVED CVE-2019-18628 RESERVED CVE-2019-18627 RESERVED CVE-2019-18626 (Harris Ormed Self Service before 2019.1.4 allows an authenticated user ...) NOT-FOR-US: Harris Ormed Self Service CVE-2018-21029 (** DISPUTED ** systemd 239 through 244 accepts any certificate signed ...) - systemd 244-1 (low) [buster] - systemd (Only affected v243) [stretch] - systemd (Only affected v243) [jessie] - systemd (Only affected v243) NOTE: https://github.com/systemd/systemd/issues/9397 CVE-2019-18625 (An issue was discovered in Suricata 5.0.0. It was possible to bypass/e ...) {DLA-2087-1} [experimental] - suricata 1:5.0.1-1~exp1 - suricata 1:5.0.2-1 [buster] - suricata (Minor issue) [stretch] - suricata (Minor issue) NOTE: https://github.com/OISF/suricata/commit/9f0294fadca3dcc18c919424242a41e01f3e8318 (suricata-5.0.1) NOTE: https://github.com/OISF/suricata/commit/ea0659de7640cf6a51de5bbd1dbbb0414e4623a0 (master-4.1.x) NOTE: https://redmine.openinfosecfoundation.org/issues/3286 NOTE: https://redmine.openinfosecfoundation.org/issues/3395 CVE-2019-18624 (Opera Mini for Android allows attackers to bypass intended restriction ...) NOT-FOR-US: Opera Mini for Android CVE-2019-18623 (Escalation of privileges in EnergyCAP 7 through 7.5.6 allows an attack ...) NOT-FOR-US: EnergyCAP CVE-2019-18622 (An issue was discovered in phpMyAdmin before 4.9.2. A crafted database ...) - phpmyadmin 4:4.9.2+dfsg1-1 (bug #945349) [stretch] - phpmyadmin (vulnerable code is not present) [jessie] - phpmyadmin (vulnerable code is not present) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/ff541af95d7155d8dd326f331b5e248fea8e7111 NOTE: https://gist.github.com/ibennetch/4ba7d2fac6f384a5039d697a110e0912 NOTE: https://www.phpmyadmin.net/security/PMASA-2019-5/ CVE-2019-18621 RESERVED CVE-2019-18620 RESERVED CVE-2019-18619 RESERVED CVE-2019-18618 RESERVED CVE-2019-18617 RESERVED CVE-2019-18616 RESERVED CVE-2019-18615 (In CloudVision Portal (CVP) for all releases in the 2018.2 Train, unde ...) NOT-FOR-US: CloudVision Portal CVE-2019-18614 (On the Cypress CYW20735 evaluation board, any data that exceeds 384 by ...) NOT-FOR-US: Cypress CVE-2019-18613 RESERVED CVE-2019-18612 (An issue was discovered in the AbuseFilter extension through 1.34 for ...) NOT-FOR-US: AbuseFilter MediaWiki extension CVE-2019-18611 (An issue was discovered in the CheckUser extension through 1.34 for Me ...) NOT-FOR-US: CheckUser MediaWiki extension CVE-2019-18610 (An issue was discovered in manager.c in Sangoma Asterisk through 13.x, ...) {DLA-2017-1} - asterisk 1:16.10.0~dfsg-1 (bug #947377) [buster] - asterisk (Minor issue) [stretch] - asterisk (Minor issue) NOTE: https://downloads.asterisk.org/pub/security/AST-2019-007.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-28580 CVE-2019-18609 (An issue was discovered in amqp_handle_input in amqp_connection.c in r ...) {DLA-2022-1} - librabbitmq 0.10.0-1 (low; bug #946005) [buster] - librabbitmq (Minor issue) [stretch] - librabbitmq (Minor issue) NOTE: https://github.com/alanxz/rabbitmq-c/commit/fc85be7123050b91b054e45b91c78d3241a5047a CVE-2019-18608 (Cezerin v0.33.0 allows unauthorized order-information modification bec ...) NOT-FOR-US: Cezerin CVE-2019-18607 RESERVED CVE-2019-18606 RESERVED CVE-2019-18605 RESERVED CVE-2019-18604 (In axohelp.c before 1.3 in axohelp in axodraw2 before 2.1.1b, as distr ...) - texlive-bin 2020.20200327.54578-2 [buster] - texlive-bin (Minor issue) [stretch] - texlive-bin (Vulnerable code not present) [jessie] - texlive-bin (Vulnerable code not present) NOTE: https://github.com/TeX-Live/texlive-source/commit/9216833a3888a4105a18e8c349f65b045ddb1079#diff-987e40c0e27ee43f6a2414ada73a191a CVE-2019-18600 RESERVED CVE-2019-18599 RESERVED CVE-2019-18598 RESERVED CVE-2019-18597 RESERVED CVE-2019-18596 RESERVED CVE-2019-18595 RESERVED CVE-2019-18594 RESERVED CVE-2019-18593 RESERVED CVE-2019-18592 RESERVED CVE-2019-18591 RESERVED CVE-2019-18590 RESERVED CVE-2019-18589 RESERVED CVE-2019-18588 (Dell EMC Unisphere for PowerMax versions prior to 9.1.0.9, Dell EMC Un ...) NOT-FOR-US: EMC CVE-2019-18587 RESERVED CVE-2019-18586 REJECTED CVE-2019-18585 REJECTED CVE-2019-18584 REJECTED CVE-2019-18583 REJECTED CVE-2019-18582 (Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions ...) NOT-FOR-US: EMC CVE-2019-18581 (Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions ...) NOT-FOR-US: EMC CVE-2019-18580 (Dell EMC Storage Monitoring and Reporting version 4.3.1 contains a Jav ...) NOT-FOR-US: EMC CVE-2019-18579 (Settings for the Dell XPS 13 2-in-1 (7390) BIOS versions prior to 1.1. ...) NOT-FOR-US: Dell CVE-2019-18578 (Dell EMC XtremIO XMS versions prior to 6.3.0 contain a stored cross-si ...) NOT-FOR-US: EMC XtremIO XMS CVE-2019-18577 (Dell EMC XtremIO XMS versions prior to 6.3.0 contain an incorrect perm ...) NOT-FOR-US: EMC XtremIO XMS CVE-2019-18576 (Dell EMC XtremIO XMS versions prior to 6.3.0 contain an information di ...) NOT-FOR-US: EMC XtremIO XMS CVE-2019-18575 (Dell Command Configure versions prior to 4.2.1 contain an uncontrolled ...) NOT-FOR-US: Dell Command Configure CVE-2019-18574 (RSA Authentication Manager software versions prior to 8.4 P8 contain a ...) NOT-FOR-US: RSA Authentication Manager software CVE-2019-18573 (The RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Go ...) NOT-FOR-US: RSA CVE-2019-18572 (The RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Go ...) NOT-FOR-US: RSA CVE-2019-18571 (The RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Go ...) NOT-FOR-US: RSA CVE-2020-0600 (Improper buffer restrictions in firmware for some Intel(R) NUC may all ...) NOT-FOR-US: Intel CVE-2020-0599 RESERVED CVE-2020-0598 (Uncontrolled search path in the installer for the Intel(R) Binary Conf ...) NOT-FOR-US: Intel CVE-2020-0597 (Out-of-bounds read in IPv6 subsystem in Intel(R) AMT and Intel(R) ISM ...) NOT-FOR-US: Intel CVE-2020-0596 (Improper input validation in DHCPv6 subsystem in Intel(R) AMT and Inte ...) NOT-FOR-US: Intel CVE-2020-0595 (Use after free in IPv6 subsystem in Intel(R) AMT and Intel(R) ISM vers ...) NOT-FOR-US: Intel CVE-2020-0594 (Out-of-bounds read in IPv6 subsystem in Intel(R) AMT and Intel(R) ISM ...) NOT-FOR-US: Intel CVE-2020-0593 RESERVED CVE-2020-0592 RESERVED CVE-2020-0591 RESERVED CVE-2020-0590 RESERVED CVE-2020-0589 RESERVED CVE-2020-0588 RESERVED CVE-2020-0587 RESERVED CVE-2020-0586 (Improper initialization in subsystem for Intel(R) SPS versions before ...) NOT-FOR-US: Intel CVE-2020-0585 RESERVED CVE-2020-0584 RESERVED CVE-2020-0583 (Improper access control in the subsystem for Intel(R) Smart Sound Tech ...) NOT-FOR-US: Intel CVE-2020-0582 RESERVED CVE-2020-0581 RESERVED CVE-2020-0580 RESERVED CVE-2020-0579 RESERVED CVE-2020-0578 (Improper conditions check for Intel(R) Modular Server MFS2600KISPP Com ...) NOT-FOR-US: Intel CVE-2020-0577 (Insufficient control flow for Intel(R) Modular Server MFS2600KISPP Com ...) NOT-FOR-US: Intel CVE-2020-0576 (Buffer overflow in Intel(R) Modular Server MFS2600KISPP Compute Module ...) NOT-FOR-US: Intel CVE-2020-0575 RESERVED CVE-2020-0574 (Improper configuration in block design for Intel(R) MAX(R) 10 FPGA all ...) NOT-FOR-US: Intel CVE-2020-0573 RESERVED CVE-2020-0572 RESERVED CVE-2020-0571 RESERVED CVE-2020-0570 RESERVED - qtbase-opensource-src 5.12.5+dfsg-8 [buster] - qtbase-opensource-src 5.11.3+dfsg1-1+deb10u3 [stretch] - qtbase-opensource-src (Only affects 5.12.0 through 5.14.0) [jessie] - qtbase-opensource-src (Only affects 5.12.0 through 5.14.0) NOTE: https://bugreports.qt.io/browse/QTBUG-81272 NOTE: Patch: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=e6f1fde24f77f63fb16b2df239f82a89d2bf05dd NOTE: https://lists.qt-project.org/pipermail/development/2020-January/038534.html CVE-2020-0569 RESERVED {DSA-4617-1 DLA-2092-1} - qtbase-opensource-src 5.12.5+dfsg-8 NOTE: Patch for 5.6.0 through 5.13.2: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=bf131e8d2181b3404f5293546ed390999f760404 NOTE: Patch for 5.0.0 through 5.5.1: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=5c4234ed958130d655df8197129806f687d4df0d CVE-2020-0568 (Race condition in the Intel(R) Driver and Support Assistant before ver ...) NOT-FOR-US: Intel CVE-2020-0567 (Improper input validation in Intel(R) Graphics Drivers before version ...) NOT-FOR-US: Intel graphics driver for Windows CVE-2020-0566 (Improper Access Control in subsystem for Intel(R) TXE versions before ...) NOT-FOR-US: Intel CVE-2020-0565 (Uncontrolled search path in Intel(R) Graphics Drivers before version 2 ...) NOT-FOR-US: Intel graphics driver for Windows CVE-2020-0564 (Improper permissions in the installer for Intel(R) RWC3 for Windows be ...) NOT-FOR-US: Intel CVE-2020-0563 (Improper permissions in the installer for Intel(R) MPSS before version ...) NOT-FOR-US: Intel CVE-2020-0562 (Improper permissions in the installer for Intel(R) RWC2, all versions, ...) NOT-FOR-US: Intel CVE-2020-0561 (Improper initialization in the Intel(R) SGX SDK before v2.6.100.1 may ...) NOT-FOR-US: Intel CVE-2020-0560 (Improper permissions in the installer for the Intel(R) Renesas Electro ...) NOT-FOR-US: Intel CVE-2020-0559 RESERVED CVE-2020-0558 (Improper buffer restrictions in kernel mode driver for Intel(R) PROSet ...) NOT-FOR-US: Intel CVE-2020-0557 (Insecure inherited permissions in Intel(R) PROSet/Wireless WiFi produc ...) NOT-FOR-US: Intel CVE-2020-0556 (Improper access control in subsystem for BlueZ before version 5.54 may ...) {DSA-4647-1 DLA-2240-1} - bluez 5.50-1.1 (bug #953770) NOTE: https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-alainm@chromium.org/ NOTE: Fixed by: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1 NOTE: Fixed by: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787 NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html NOTE: Second commit introduces new configuration option "ClassicBondedOnly" which defaults NOTE: to false, and allows to make sure that input connections only come from bonded NOTE: device connections. NOTE: Followup commits to avoid (functional) regression: NOTE: Followup: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=35d8d895cd0b724e58129374beb0bb4a2edf9519 NOTE: Followup: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=f2778f5877d20696d68a452b26e4accb91bfb19e CVE-2020-0555 RESERVED CVE-2020-0554 RESERVED CVE-2020-0553 RESERVED CVE-2020-0552 RESERVED CVE-2020-0551 (Load value injection in some Intel(R) Processors utilizing speculative ...) NOTE: https://software.intel.com/security-software-guidance/software-guidance/load-value-injection NOTE: https://software.intel.com/security-software-guidance/insights/deep-dive-load-value-injection NOTE: https://xenbits.xen.org/xsa/advisory-315.html NOTE: https://lviattack.eu/ NOTE: No mitigation will provided by this issue in software, primarily impacts Intel SGX NOTE: binutils/toolchain updates will include a patch that optionally emits lfence NOTE: instructions in problematic situations (but have performance impact), cf. NOTE: https://sourceware.org/pipermail/binutils/2020-March/110175.html CVE-2020-0550 (Improper data forwarding in some data cache for some Intel(R) Processo ...) NOTE: Intel is (currently) no planning to release microcode updates to mitigate issue. NOTE: https://software.intel.com/security-software-guidance/insights/deep-dive-snoop-assisted-l1-data-sampling NOTE: https://software.intel.com/security-software-guidance/insights/processors-affected-snoop-assisted-l1-data-sampling CVE-2020-0549 (Cleanup errors in some data cache evictions for some Intel(R) Processo ...) {DSA-4701-1 DLA-2248-1} - intel-microcode 3.20200609.1 NOTE: https://software.intel.com/security-software-guidance/software-guidance/l1d-eviction-sampling NOTE: https://cacheoutattack.com/ NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00329.html CVE-2020-0548 (Cleanup errors in some Intel(R) Processors may allow an authenticated ...) {DSA-4701-1 DLA-2248-1} - intel-microcode 3.20200609.1 NOTE: https://software.intel.com/security-software-guidance/software-guidance/vector-register-sampling NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00329.html CVE-2020-0547 (Incorrect default permissions in the installer for Intel(R) Data Migra ...) NOT-FOR-US: Intel CVE-2020-0546 (Unquoted service path in Intel(R) Optane(TM) DC Persistent Memory Modu ...) NOT-FOR-US: Intel CVE-2020-0545 (Integer overflow in subsystem for Intel(R) CSME versions before 11.8.7 ...) NOT-FOR-US: Intel CVE-2020-0544 RESERVED CVE-2020-0543 (Incomplete cleanup from specific special register read operations in s ...) {DSA-4701-1 DSA-4699-1 DSA-4698-1 DLA-2248-1 DLA-2242-1 DLA-2241-1} - intel-microcode 3.20200609.1 - linux 5.6.14-2 NOTE: https://www.vusec.net/projects/crosstalk/ NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00320.html NOTE: https://software.intel.com/security-software-guidance/insights/deep-dive-special-register-buffer-data-sampling CVE-2020-0542 (Improper buffer restrictions in subsystem for Intel(R) CSME versions b ...) NOT-FOR-US: Intel CVE-2020-0541 (Out-of-bounds write in subsystem for Intel(R) CSME versions before 12. ...) NOT-FOR-US: Intel CVE-2020-0540 (Insufficiently protected credentials in Intel(R) AMT versions before 1 ...) NOT-FOR-US: Intel CVE-2020-0539 (Path traversal in subsystem for Intel(R) DAL software for Intel(R) CSM ...) NOT-FOR-US: Intel CVE-2020-0538 (Improper input validation in subsystem for Intel(R) AMT versions befor ...) NOT-FOR-US: Intel CVE-2020-0537 (Improper input validation in subsystem for Intel(R) AMT versions befor ...) NOT-FOR-US: Intel CVE-2020-0536 (Improper input validation in the DAL subsystem for Intel(R) CSME versi ...) NOT-FOR-US: Intel CVE-2020-0535 (Improper input validation in Intel(R) AMT versions before 11.8.76, 11. ...) NOT-FOR-US: Intel CVE-2020-0534 (Improper input validation in the DAL subsystem for Intel(R) CSME versi ...) NOT-FOR-US: Intel CVE-2020-0533 (Reversible one-way hash in Intel(R) CSME versions before 11.8.76, 11.1 ...) NOT-FOR-US: Intel CVE-2020-0532 (Improper input validation in subsystem for Intel(R) AMT versions befor ...) NOT-FOR-US: Intel CVE-2020-0531 (Improper input validation in Intel(R) AMT versions before 11.8.77, 11. ...) NOT-FOR-US: Intel CVE-2020-0530 (Improper buffer restrictions in firmware for Intel(R) NUC may allow an ...) NOT-FOR-US: Intel CVE-2020-0529 (Improper initialization in BIOS firmware for 8th, 9th and 10th Generat ...) NOT-FOR-US: Intel CVE-2020-0528 (Improper buffer restrictions in BIOS firmware for 7th, 8th, 9th and 10 ...) NOT-FOR-US: Intel CVE-2020-0527 (Insufficient control flow management in firmware for some Intel(R) Dat ...) NOT-FOR-US: Intel CVE-2020-0526 (Improper input validation in firmware for Intel(R) NUC may allow a pri ...) NOT-FOR-US: Intel CVE-2020-0525 RESERVED CVE-2020-0524 RESERVED CVE-2020-0523 RESERVED CVE-2020-0522 RESERVED CVE-2020-0521 RESERVED CVE-2020-0520 (Path traversal in igdkmd64.sys for Intel(R) Graphics Drivers before ve ...) NOT-FOR-US: Intel CVE-2020-0519 (Improper access control for Intel(R) Graphics Drivers before versions ...) NOT-FOR-US: Intel Graphics drivers for Windows CVE-2020-0518 RESERVED CVE-2020-0517 (Out-of-bounds write in Intel(R) Graphics Drivers before version 15.36. ...) NOT-FOR-US: Intel Graphics drivers for Windows CVE-2020-0516 (Improper access control in Intel(R) Graphics Drivers before version 26 ...) NOT-FOR-US: Intel Graphics drivers for Windows CVE-2020-0515 (Uncontrolled search path element in the installer for Intel(R) Graphic ...) NOT-FOR-US: Intel CVE-2020-0514 (Improper default permissions in the installer for Intel(R) Graphics Dr ...) NOT-FOR-US: Intel CVE-2020-0513 RESERVED CVE-2020-0512 RESERVED CVE-2020-0511 (Uncaught exception in system driver for Intel(R) Graphics Drivers befo ...) NOT-FOR-US: Intel Graphics drivers for Windows CVE-2020-0510 RESERVED CVE-2020-0509 RESERVED CVE-2020-0508 (Incorrect default permissions in the installer for Intel(R) Graphics D ...) NOT-FOR-US: Intel CVE-2020-0507 (Unquoted service path in Intel(R) Graphics Drivers before versions 15. ...) NOT-FOR-US: Intel Graphics drivers for Windows CVE-2020-0506 (Improper initialization in Intel(R) Graphics Drivers before versions 1 ...) NOT-FOR-US: Intel Graphics drivers for Windows CVE-2020-0505 (Improper conditions check in Intel(R) Graphics Drivers before versions ...) NOT-FOR-US: Intel Graphics drivers for Windows CVE-2020-0504 (Buffer overflow in Intel(R) Graphics Drivers before versions 15.40.44. ...) NOT-FOR-US: Intel Graphics drivers for Windows CVE-2020-0503 (Improper access control in Intel(R) Graphics Drivers before version 26 ...) NOT-FOR-US: Intel Graphics drivers for Windows CVE-2020-0502 (Improper access control in Intel(R) Graphics Drivers before version 26 ...) NOT-FOR-US: Intel Graphics drivers for Windows CVE-2020-0501 (Buffer overflow in Intel(R) Graphics Drivers before version 26.20.100. ...) NOT-FOR-US: Intel Graphics drivers for Windows CVE-2019-18570 RESERVED CVE-2019-18569 RESERVED CVE-2019-18568 (Avira Free Antivirus 15.0.1907.1514 is prone to a local privilege esca ...) NOT-FOR-US: Avira Free Antivirus CVE-2019-18567 (Bromium client version 4.0.3.2060 and prior to 4.1.7 Update 1 has an o ...) NOT-FOR-US: Bromium CVE-2019-18566 REJECTED CVE-2019-18565 REJECTED CVE-2019-18564 REJECTED CVE-2019-18563 REJECTED CVE-2019-18562 REJECTED CVE-2019-18561 REJECTED CVE-2019-18560 REJECTED CVE-2019-18559 REJECTED CVE-2019-18558 REJECTED CVE-2019-18557 REJECTED CVE-2019-18556 REJECTED CVE-2019-18555 REJECTED CVE-2019-18554 REJECTED CVE-2019-18553 REJECTED CVE-2019-18552 REJECTED CVE-2019-18551 REJECTED CVE-2019-18550 REJECTED CVE-2019-18549 REJECTED CVE-2019-18548 REJECTED CVE-2019-18547 REJECTED CVE-2019-18546 REJECTED CVE-2019-18545 REJECTED CVE-2019-18544 REJECTED CVE-2019-18543 REJECTED CVE-2019-18542 REJECTED CVE-2019-18541 REJECTED CVE-2019-18540 REJECTED CVE-2019-18539 REJECTED CVE-2019-18538 REJECTED CVE-2019-18537 REJECTED CVE-2019-18536 REJECTED CVE-2019-18535 REJECTED CVE-2019-18534 REJECTED CVE-2019-18533 REJECTED CVE-2019-18532 REJECTED CVE-2019-18531 REJECTED CVE-2019-18530 REJECTED CVE-2019-18529 REJECTED CVE-2019-18528 REJECTED CVE-2019-18527 REJECTED CVE-2019-18526 REJECTED CVE-2019-18525 REJECTED CVE-2019-18524 REJECTED CVE-2019-18523 REJECTED CVE-2019-18522 REJECTED CVE-2019-18521 REJECTED CVE-2019-18520 REJECTED CVE-2019-18519 REJECTED CVE-2019-18518 REJECTED CVE-2019-18517 REJECTED CVE-2019-18516 REJECTED CVE-2019-18515 REJECTED CVE-2019-18514 REJECTED CVE-2019-18513 REJECTED CVE-2019-18512 REJECTED CVE-2019-18511 REJECTED CVE-2019-18510 REJECTED CVE-2019-18509 REJECTED CVE-2019-18508 REJECTED CVE-2019-18507 REJECTED CVE-2019-18506 REJECTED CVE-2019-18505 REJECTED CVE-2019-18504 REJECTED CVE-2019-18503 REJECTED CVE-2019-18502 REJECTED CVE-2019-18501 REJECTED CVE-2019-18500 REJECTED CVE-2019-18499 REJECTED CVE-2019-18498 REJECTED CVE-2019-18497 REJECTED CVE-2019-18496 REJECTED CVE-2019-18495 REJECTED CVE-2019-18494 REJECTED CVE-2019-18493 REJECTED CVE-2019-18492 REJECTED CVE-2019-18491 REJECTED CVE-2019-18490 REJECTED CVE-2019-18489 REJECTED CVE-2019-18488 REJECTED CVE-2019-18487 REJECTED CVE-2019-18486 REJECTED CVE-2019-18485 REJECTED CVE-2019-18484 REJECTED CVE-2019-18483 REJECTED CVE-2019-18482 REJECTED CVE-2019-18481 REJECTED CVE-2019-18480 REJECTED CVE-2019-18479 REJECTED CVE-2019-18478 REJECTED CVE-2019-18477 REJECTED CVE-2019-18476 REJECTED CVE-2019-18475 REJECTED CVE-2019-18474 REJECTED CVE-2019-18473 REJECTED CVE-2019-18472 REJECTED CVE-2019-18471 REJECTED CVE-2019-18470 REJECTED CVE-2019-18469 REJECTED CVE-2019-18468 REJECTED CVE-2019-18467 REJECTED CVE-2019-18466 (An issue was discovered in Podman in libpod before 1.6.0. It resolves ...) - libpod (Fixed before initial upload) CVE-2019-18601 (OpenAFS before 1.6.24 and 1.8.x before 1.8.5 is prone to denial of ser ...) {DLA-1982-1} - openafs 1.8.5-1 (low; bug #943587) [buster] - openafs (Minor issue) [stretch] - openafs (Minor issue) NOTE: http://openafs.org/pages/security/OPENAFS-SA-2019-003.txt CVE-2019-18602 (OpenAFS before 1.6.24 and 1.8.x before 1.8.5 is prone to an informatio ...) {DLA-1982-1} - openafs 1.8.5-1 (low; bug #943587) [buster] - openafs (Minor issue) [stretch] - openafs (Minor issue) NOTE: http://openafs.org/pages/security/OPENAFS-SA-2019-002.txt CVE-2019-18603 (OpenAFS before 1.6.24 and 1.8.x before 1.8.5 is prone to information l ...) {DLA-1982-1} - openafs 1.8.5-1 (low; bug #943587) [buster] - openafs (Minor issue) [stretch] - openafs (Minor issue) NOTE: http://openafs.org/pages/security/OPENAFS-SA-2019-001.txt CVE-2019-18465 (In Progress MOVEit Transfer 11.1 before 11.1.3, a vulnerability has be ...) NOT-FOR-US: Progress MOVEit Transfer CVE-2019-18464 (In Progress MOVEit Transfer 10.2 before 10.2.6 (2018.3), 11.0 before 1 ...) NOT-FOR-US: Progress MOVEit Transfer CVE-2019-18463 (An issue was discovered in GitLab Community and Enterprise Edition thr ...) [experimental] - gitlab 12.2.9-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/ CVE-2019-18462 (An issue was discovered in GitLab Community and Enterprise Edition 11. ...) [experimental] - gitlab 12.2.9-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/ CVE-2019-18461 (An issue was discovered in GitLab Community and Enterprise Edition 11. ...) [experimental] - gitlab 12.2.9-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/ CVE-2019-18460 (An issue was discovered in GitLab Community and Enterprise Edition 8.1 ...) [experimental] - gitlab 12.2.9-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/ CVE-2019-18459 (An issue was discovered in GitLab Community and Enterprise Edition 11. ...) [experimental] - gitlab 12.2.9-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/ CVE-2019-18458 (An issue was discovered in GitLab Community and Enterprise Edition thr ...) [experimental] - gitlab 12.2.9-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/ CVE-2019-18457 (An issue was discovered in GitLab Community and Enterprise Edition 11. ...) [experimental] - gitlab 12.2.9-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/ CVE-2019-18456 (An issue was discovered in GitLab Community and Enterprise Edition 8.1 ...) - gitlab (Only affects Gitlab EE) NOTE: https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/ CVE-2019-18455 (An issue was discovered in GitLab Community and Enterprise Edition 11 ...) [experimental] - gitlab 12.2.9-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/ CVE-2019-18454 (An issue was discovered in GitLab Community and Enterprise Edition 10. ...) [experimental] - gitlab 12.2.9-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/ CVE-2019-18453 (An issue was discovered in GitLab Community and Enterprise Edition 11. ...) [experimental] - gitlab 12.2.9-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/ CVE-2019-18452 (An issue was discovered in GitLab Community and Enterprise Edition 11. ...) [experimental] - gitlab 12.2.9-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/ CVE-2019-18451 (An issue was discovered in GitLab Community and Enterprise Edition 10. ...) [experimental] - gitlab 12.2.9-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/ CVE-2019-18450 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) [experimental] - gitlab 12.2.9-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/ CVE-2019-18449 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) [experimental] - gitlab 12.2.9-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/ CVE-2019-18448 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) [experimental] - gitlab 12.2.9-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/ CVE-2019-18447 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) [experimental] - gitlab 12.2.9-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/ CVE-2019-18446 (An issue was discovered in GitLab Community and Enterprise Edition 8.1 ...) [experimental] - gitlab 12.2.9-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/blog/2019/10/30/security-release-gitlab-12-dot-4-dot-1-released/ CVE-2019-18445 RESERVED CVE-2019-18444 RESERVED CVE-2019-18443 RESERVED CVE-2019-18442 RESERVED CVE-2019-18441 RESERVED CVE-2019-18440 RESERVED CVE-2019-18439 RESERVED CVE-2019-18438 RESERVED CVE-2019-18437 RESERVED CVE-2019-18436 RESERVED CVE-2019-18435 RESERVED CVE-2019-18434 RESERVED CVE-2019-18433 RESERVED CVE-2019-18432 RESERVED CVE-2019-18431 RESERVED CVE-2019-18430 RESERVED CVE-2019-18429 RESERVED CVE-2019-18428 RESERVED CVE-2019-18427 RESERVED CVE-2019-18426 (A vulnerability in WhatsApp Desktop versions prior to 0.3.9309 when pa ...) NOT-FOR-US: WhatsApp Desktop CVE-2019-18425 (An issue was discovered in Xen through 4.12.x allowing 32-bit PV guest ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-298.html CVE-2019-18424 (An issue was discovered in Xen through 4.12.x allowing attackers to ga ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-302.html CVE-2019-18423 (An issue was discovered in Xen through 4.12.x allowing ARM guest OS us ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-301.html CVE-2019-18422 (An issue was discovered in Xen through 4.12.x allowing ARM guest OS us ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-303.html CVE-2019-18421 (An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-299.html CVE-2019-18420 (An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-296.html CVE-2019-18419 (A cross-site scripting (XSS) vulnerability in index.php in ClonOS WEB ...) NOT-FOR-US: ClonOS CVE-2019-18418 (clonos.php in ClonOS WEB control panel 19.09 allows remote attackers t ...) NOT-FOR-US: ClonOS CVE-2019-18417 (Sourcecodester Restaurant Management System 1.0 allows an authenticate ...) NOT-FOR-US: Sourcecodester Restaurant Management System CVE-2019-18416 (Sourcecodester Restaurant Management System 1.0 allows XSS via the Las ...) NOT-FOR-US: Sourcecodester Restaurant Management System CVE-2019-18415 (Sourcecodester Restaurant Management System 1.0 allows XSS via the "se ...) NOT-FOR-US: Sourcecodester Restaurant Management System CVE-2019-18414 (Sourcecodester Restaurant Management System 1.0 is affected by an admi ...) NOT-FOR-US: Sourcecodester Restaurant Management System CVE-2019-18413 (In TypeStack class-validator 0.10.2, validate() input validation can b ...) NOT-FOR-US: TypeStack class-validator CVE-2019-18412 (JetBrains IDETalk plugin before version 193.4099.10 allows XXE ...) NOT-FOR-US: JetBrains IDETalk plugin CVE-2019-18411 (Zoho ManageEngine ADSelfService Plus 5.x through 5803 has CSRF on the ...) NOT-FOR-US: Zoho ManageEngine CVE-2019-18410 RESERVED CVE-2019-18409 (The ruby_parser-legacy (aka legacy) gem 1.0.0 for Ruby allows local pr ...) NOT-FOR-US: ruby_parser-legacy packaging issue CVE-2019-18408 (archive_read_format_rar_read_data in archive_read_support_format_rar.c ...) {DSA-4557-1 DLA-1971-1} - libarchive 3.4.0-1 NOTE: https://github.com/libarchive/libarchive/commit/b8592ecba2f9e451e1f5cb7ab6dcee8b8e7b3f60 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14689 CVE-2019-18407 RESERVED CVE-2019-18406 RESERVED CVE-2019-18405 RESERVED CVE-2019-18404 RESERVED CVE-2019-18403 RESERVED CVE-2019-18402 RESERVED CVE-2019-18401 RESERVED CVE-2019-18400 RESERVED CVE-2019-18399 RESERVED CVE-2019-18398 RESERVED CVE-2019-18397 (A buffer overflow in the fribidi_get_par_embedding_levels_ex() functio ...) {DSA-4561-1} - fribidi 1.0.7-1.1 (bug #944327) [stretch] - fribidi (Vulnerable code not present) [jessie] - fribidi (Vulnerable code not present) NOTE: Fixed by: https://github.com/fribidi/fribidi/commit/034c6e9a1d296286305f4cfd1e0072b879f52568 NOTE: Introduced by: https://github.com/fribidi/fribidi/commit/f20b6480b9cd46dae8d82a6f95d9c53558fcfd20 (v1.0.0) CVE-2019-18396 (An issue was discovered in certain Oi third-party firmware that may be ...) NOT-FOR-US: Technicolor CVE-2019-18395 RESERVED CVE-2019-18394 (A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.j ...) NOT-FOR-US: Ignite Realtime Openfire CVE-2019-18393 (PluginServlet.java in Ignite Realtime Openfire through 4.4.2 does not ...) NOT-FOR-US: Ignite Realtime Openfire CVE-2019-18392 RESERVED CVE-2019-18391 (A heap-based buffer overflow in the vrend_renderer_transfer_write_iov ...) - virglrenderer 0.8.1-1 (bug #946942) [buster] - virglrenderer (Minor issue) NOTE: https://gitlab.freedesktop.org/virgl/virglrenderer/merge_requests/314 NOTE: https://gitlab.freedesktop.org/virgl/virglrenderer/commit/2abeb1802e3c005b17a7123e382171b3fb665971 CVE-2019-18390 (An out-of-bounds read in the vrend_blit_need_swizzle function in vrend ...) - virglrenderer 0.8.1-1 [buster] - virglrenderer (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1765584 NOTE: https://gitlab.freedesktop.org/virgl/virglrenderer/commit/24f67de7a9088a873844a39be03cee6882260ac9 NOTE: https://gitlab.freedesktop.org/virgl/virglrenderer/merge_requests/314/diffs?commit_id=d2cdbcf6a8f2317f250fd54f08aa35dde2fa3e30#3cd772559e0d73afa136d6818023cfd0c4c8ecc0_0_151 CVE-2019-18389 (A heap-based buffer overflow in the vrend_renderer_transfer_write_iov ...) - virglrenderer 0.8.1-1 (bug #946942) [buster] - virglrenderer (Minor issue) NOTE: https://gitlab.freedesktop.org/virgl/virglrenderer/merge_requests/314 NOTE: https://gitlab.freedesktop.org/virgl/virglrenderer/commit/cbc8d8b75be360236cada63784046688aeb6d921 CVE-2019-18388 (A NULL pointer dereference in vrend_renderer.c in virglrenderer throug ...) - virglrenderer 0.8.1-1 [buster] - virglrenderer (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1765578 NOTE: https://gitlab.freedesktop.org/virgl/virglrenderer/commit/0d9a2c88dc3a70023541b3260b9f00c982abda16 NOTE: https://gitlab.freedesktop.org/virgl/virglrenderer/merge_requests/314/diffs?commit_id=d2cdbcf6a8f2317f250fd54f08aa35dde2fa3e30#diff-content-3cd772559e0d73afa136d6818023cfd0c4c8ecc0 CVE-2019-18387 (Sourcecodester Hotel and Lodge Management System 1.0 is vulnerable to ...) NOT-FOR-US: Sourcecodester Hotel and Lodge Management System CVE-2019-18386 (Systems management on Unisys ClearPath Forward Libra and ClearPath MCP ...) NOT-FOR-US: Unisys CVE-2019-18385 (An issue was discovered on TerraMaster FS-210 4.0.19 devices. An unaut ...) NOT-FOR-US: TerraMaster CVE-2019-18384 (An issue was discovered on TerraMaster FS-210 4.0.19 devices. An authe ...) NOT-FOR-US: TerraMaster CVE-2019-18383 (An issue was discovered on TerraMaster FS-210 4.0.19 devices. One can ...) NOT-FOR-US: TerraMaster CVE-2019-18382 (An issue was discovered on AVStar PE204 3.10.70 IP camera devices. A d ...) NOT-FOR-US: AVStar PE204 CVE-2019-18381 (Norton Password Manager, prior to 6.6.2.5, may be susceptible to a cro ...) NOT-FOR-US: Norton Password Manager CVE-2019-18380 (Symantec Industrial Control System Protection (ICSP), versions 6.x.x, ...) NOT-FOR-US: Symantec CVE-2019-18379 (Symantec Messaging Gateway, prior to 10.7.3, may be susceptible to a s ...) NOT-FOR-US: Symantec CVE-2019-18378 (Symantec Messaging Gateway, prior to 10.7.3, may be susceptible to a c ...) NOT-FOR-US: Symantec CVE-2019-18377 (Symantec Messaging Gateway, prior to 10.7.3, may be susceptible to a p ...) NOT-FOR-US: Symantec CVE-2019-18376 (A CSRF token disclosure vulnerability allows a remote attacker, with a ...) NOT-FOR-US: Broadcom CVE-2019-18375 (The ASG and ProxySG management consoles are susceptible to a session h ...) NOT-FOR-US: ASG and ProxySG management consoles CVE-2019-18374 (Symantec Critical System Protection (CSP), versions 8.0, 8.0 HF1 & ...) NOT-FOR-US: Symantec CVE-2019-18373 (Norton App Lock, prior to 1.4.0.503, may be susceptible to a bypass ex ...) NOT-FOR-US: Norton CVE-2019-18372 (Symantec Endpoint Protection, prior to 14.2 RU2, may be susceptible to ...) NOT-FOR-US: Symantec Endpoint Protection CVE-2019-18371 (An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-s ...) NOT-FOR-US: Xiaomi CVE-2019-18370 (An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-s ...) NOT-FOR-US: Xiaomi CVE-2019-18369 (In JetBrains YouTrack before 2019.2.55152, removing tags from the issu ...) NOT-FOR-US: JetBrains CVE-2019-18368 (In JetBrains Toolbox App before 1.15.5666 for Windows, privilege escal ...) NOT-FOR-US: JetBrains CVE-2019-18367 (In JetBrains TeamCity before 2019.1.2, a non-destructive operation cou ...) NOT-FOR-US: JetBrains CVE-2019-18366 (In JetBrains TeamCity before 2019.1.2, secure values could be exposed ...) NOT-FOR-US: JetBrains CVE-2019-18365 (In JetBrains TeamCity before 2019.1.4, reverse tabnabbing was possible ...) NOT-FOR-US: JetBrains CVE-2019-18364 (In JetBrains TeamCity before 2019.1.4, insecure Java Deserialization c ...) NOT-FOR-US: JetBrains CVE-2019-18363 (In JetBrains TeamCity before 2019.1.2, access could be gained to the h ...) NOT-FOR-US: JetBrains CVE-2019-18362 (JetBrains MPS before 2019.2.2 exposed listening ports to the network. ...) NOT-FOR-US: JetBrains CVE-2019-18361 (JetBrains IntelliJ IDEA before 2019.2 allows local user privilege esca ...) - intellij-idea (bug #747616) CVE-2019-18360 (In JetBrains Hub versions earlier than 2019.1.11738, username enumerat ...) NOT-FOR-US: JetBrains CVE-2019-18359 (A buffer over-read was discovered in ReadMP3APETag in apetag.c in MP3G ...) - mp3gain CVE-2019-18358 RESERVED CVE-2019-18357 (An XSS issue was discovered in Thycotic Secret Server before 10.7 (iss ...) NOT-FOR-US: Thycotic Secret Server CVE-2019-18356 (An XSS issue was discovered in Thycotic Secret Server before 10.7 (iss ...) NOT-FOR-US: Thycotic Secret Server CVE-2019-18355 (An SSRF issue was discovered in the legacy Web launcher in Thycotic Se ...) NOT-FOR-US: Thycotic Secret Server CVE-2019-18354 RESERVED CVE-2019-18353 RESERVED CVE-2019-18352 (Improper access control exists on PHOENIX CONTACT FL NAT 2208 devices ...) NOT-FOR-US: PHOENIX CONTACT FL NAT 2208 devices CVE-2019-18351 RESERVED CVE-2019-18350 (In Ant Design Pro 4.0.0, reflected XSS in the user/login redirect GET ...) NOT-FOR-US: Ant Design Pro CVE-2019-18349 (HotkeyP through 4.9 r96 allows privilege escalation in the privilege f ...) NOT-FOR-US: HotkeyP CVE-2019-18348 (An issue was discovered in urllib2 in Python 2.x through 2.7.17 and ur ...) - python3.8 3.8.3~rc1-1 (unimportant) - python3.7 (unimportant) - python3.5 (unimportant) - python3.4 (unimportant) - python2.7 2.7.18~rc1-1 (unimportant) NOTE: https://github.com/python/cpython/commit/9165addc22d05e776a54319a8531ebd0b2fe01ef (master) NOTE: https://github.com/python/cpython/commit/ff69c9d12c1b06af58e5eae5db4630cedd94740e (3.8 branch) NOTE: https://github.com/python/cpython/commit/34f85af3229f86c004a954c3f261ceea1f5e9f95 (3.7 branch) NOTE: https://github.com/python/cpython/commit/09d8172837b6985c4ad90ee025f6b5a554a9f0ac (3.5 branch) NOTE: https://github.com/python/cpython/commit/e176e0c105786e9f476758eb5438c57223b65e7f (v2.7.18rc1) NOTE: https://bugs.python.org/issue38576 NOTE: Issue only exploitable if CVE-2016-10739 is unfixed in src:glibc. This is NOTE: not the case in all suites, but the issue is minor in general and would NOTE: tend to a no-dsa/ignored tag in those suites. CVE-2019-18347 (A stored XSS issue was discovered in DAViCal through 1.1.8. It does no ...) {DSA-4582-1 DLA-2034-1} - davical 1.1.9.2-1 (bug #946343) NOTE: https://hackdefense.com/publications/cve-2019-18347-davical-caldav-server-vulnerability/ NOTE: https://gitlab.com/davical-project/davical/commit/86a8ec5302b705cd11f0373eefbe2168799b277b NOTE: https://gitlab.com/davical-project/davical/commit/a3acb770ac6bc807feb2015b4eb10ab641322d19 CVE-2019-18346 (A CSRF issue was discovered in DAViCal through 1.1.8. If an authentica ...) {DSA-4582-1 DLA-2034-1} - davical 1.1.9.2-1 (bug #946343) NOTE: https://hackdefense.com/publications/cve-2019-18346-davical-caldav-server-vulnerability/ NOTE: https://gitlab.com/davical-project/davical/commit/86a8ec5302b705cd11f0373eefbe2168799b277b NOTE: https://gitlab.com/davical-project/davical/commit/a3acb770ac6bc807feb2015b4eb10ab641322d19 CVE-2019-18345 (A reflected XSS issue was discovered in DAViCal through 1.1.8. It echo ...) {DSA-4582-1 DLA-2034-1} - davical 1.1.9.2-1 (bug #946343) NOTE: https://hackdefense.com/publications/cve-2019-18345-davical-caldav-server-vulnerability/ NOTE: https://gitlab.com/davical-project/davical/commit/86a8ec5302b705cd11f0373eefbe2168799b277b NOTE: https://gitlab.com/davical-project/davical/commit/a3acb770ac6bc807feb2015b4eb10ab641322d19 CVE-2019-18344 (Sourcecodester Online Grading System 1.0 is vulnerable to unauthentica ...) NOT-FOR-US: Sourcecodester Online Grading System CVE-2019-18343 RESERVED CVE-2019-18342 (A vulnerability has been identified in SiNVR 3 Central Control Server ...) NOT-FOR-US: Siemens CVE-2019-18341 (A vulnerability has been identified in SiNVR 3 Central Control Server ...) NOT-FOR-US: Siemens CVE-2019-18340 (A vulnerability has been identified in SiNVR 3 Central Control Server ...) NOT-FOR-US: Siemens CVE-2019-18339 (A vulnerability has been identified in SiNVR 3 Central Control Server ...) NOT-FOR-US: Siemens CVE-2019-18338 (A vulnerability has been identified in SiNVR 3 Central Control Server ...) NOT-FOR-US: Siemens CVE-2019-18337 (A vulnerability has been identified in SiNVR 3 Central Control Server ...) NOT-FOR-US: Siemens CVE-2019-18336 (A vulnerability has been identified in SIMATIC S7-300 CPU family (incl ...) NOT-FOR-US: Siemens CVE-2019-18335 (A vulnerability has been identified in SPPA-T3000 Application Server ( ...) NOT-FOR-US: Siemens CVE-2019-18334 (A vulnerability has been identified in SPPA-T3000 Application Server ( ...) NOT-FOR-US: Siemens CVE-2019-18333 (A vulnerability has been identified in SPPA-T3000 Application Server ( ...) NOT-FOR-US: Siemens CVE-2019-18332 (A vulnerability has been identified in SPPA-T3000 Application Server ( ...) NOT-FOR-US: Siemens CVE-2019-18331 (A vulnerability has been identified in SPPA-T3000 Application Server ( ...) NOT-FOR-US: Siemens CVE-2019-18330 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18329 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18328 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18327 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18326 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18325 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18324 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18323 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18322 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18321 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18320 (A vulnerability has been identified in SPPA-T3000 Application Server ( ...) NOT-FOR-US: Siemens CVE-2019-18319 (A vulnerability has been identified in SPPA-T3000 Application Server ( ...) NOT-FOR-US: Siemens CVE-2019-18318 (A vulnerability has been identified in SPPA-T3000 Application Server ( ...) NOT-FOR-US: Siemens CVE-2019-18317 (A vulnerability has been identified in SPPA-T3000 Application Server ( ...) NOT-FOR-US: Siemens CVE-2019-18316 (A vulnerability has been identified in SPPA-T3000 Application Server ( ...) NOT-FOR-US: Siemens CVE-2019-18315 (A vulnerability has been identified in SPPA-T3000 Application Server ( ...) NOT-FOR-US: Siemens CVE-2019-18314 (A vulnerability has been identified in SPPA-T3000 Application Server ( ...) NOT-FOR-US: Siemens CVE-2019-18313 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18312 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18311 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18310 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18309 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18308 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18307 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18306 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18305 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18304 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18303 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18302 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18301 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18300 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18299 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18298 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18297 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18296 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18295 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18294 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18293 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18292 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18291 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18290 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18289 (A vulnerability has been identified in SPPA-T3000 MS3000 Migration Ser ...) NOT-FOR-US: Siemens CVE-2019-18288 (A vulnerability has been identified in SPPA-T3000 Application Server ( ...) NOT-FOR-US: Siemens CVE-2019-18287 (A vulnerability has been identified in SPPA-T3000 Application Server ( ...) NOT-FOR-US: Siemens CVE-2019-18286 (A vulnerability has been identified in SPPA-T3000 Application Server ( ...) NOT-FOR-US: Siemens CVE-2019-18285 (A vulnerability has been identified in SPPA-T3000 Application Server ( ...) NOT-FOR-US: Siemens CVE-2019-18284 (A vulnerability has been identified in SPPA-T3000 Application Server ( ...) NOT-FOR-US: Siemens CVE-2019-18283 (A vulnerability has been identified in SPPA-T3000 Application Server ( ...) NOT-FOR-US: Siemens CVE-2019-18282 (The flow_dissector feature in the Linux kernel 4.3 through 5.x before ...) {DLA-2114-1} - linux 5.3.15-1 [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 [jessie] - linux (Vulnerability introduced later) NOTE: https://git.kernel.org/linus/55667441c84fa5e0911a0aac44fb059c15ba6da2 CVE-2019-18281 (An out-of-bounds memory access in the generateDirectionalRuns() functi ...) {DSA-4556-1} - qtbase-opensource-src-gles 5.12.5+dfsg-1 - qtbase-opensource-src 5.12.5+dfsg-2 [buster] - qtbase-opensource-src (Minor issue) [stretch] - qtbase-opensource-src (Vulnerable code not present) [jessie] - qtbase-opensource-src (Vulnerable code not present) NOTE: https://github.com/qt/qtbase/commit/af6ac444c97ed2dc234f93fe457440c9da5482ea NOTE: https://bugreports.qt.io/browse/QTBUG-77819 CVE-2019-18280 (Sourcecodester Online Grading System 1.0 is affected by a Cross Site R ...) NOT-FOR-US: Sourcecodester Online Grading System CVE-2019-18279 (In Phoenix SCT WinFlash 1.1.12.0 through 1.5.74.0, the included driver ...) NOT-FOR-US: Phoenix SCT WinFlash CVE-2019-18278 (When executing VideoLAN VLC media player 3.0.8 with libqt on Windows, ...) NOT-FOR-US: VLC on Windows CVE-2019-18277 (A flaw was found in HAProxy before 2.0.6. In legacy mode, messages fea ...) - haproxy 2.0.6-1 [buster] - haproxy (Minor issue) [stretch] - haproxy (Minor issue) [jessie] - haproxy (Minor issue) NOTE: https://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=196a7df44d8129d1adc795da020b722614d6a581 NOTE: https://nathandavison.com/blog/haproxy-http-request-smuggling CVE-2019-18276 (An issue was discovered in disable_priv_mode in shell.c in GNU Bash th ...) - bash (unimportant) NOTE: https://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel&id=951bdaad7a18cc0dc1036bba86b18b90874d39ff NOTE: https://savannah.gnu.org/patch/?9822 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1158028 NOTE: Negligible security impact CVE-2019-18275 (OSIsoft PI Vision, All versions of PI Vision prior to 2019. The affect ...) NOT-FOR-US: OSIsoft CVE-2019-18274 RESERVED CVE-2019-18273 (OSIsoft PI Vision, PI Vision 2017 R2 and PI Vision 2017 R2 SP1. The af ...) NOT-FOR-US: OSIsoft CVE-2019-18272 RESERVED CVE-2019-18271 (OSIsoft PI Vision, All versions of PI Vision prior to 2019. The affect ...) NOT-FOR-US: OSIsoft CVE-2019-18270 RESERVED CVE-2019-18269 (In Omron PLC CJ series, all versions, and Omron PLC CS series, all ver ...) NOT-FOR-US: Omron CVE-2019-18268 RESERVED CVE-2019-18267 (An issue was found in GE S2020/S2020G Fast Switch 61850, S2020/S2020G ...) NOT-FOR-US: GE CVE-2019-18266 RESERVED CVE-2019-18265 RESERVED CVE-2019-18264 RESERVED CVE-2019-18263 (An issue was found in Philips Veradius Unity, Pulsera, and Endura Dual ...) NOT-FOR-US: Philips CVE-2019-18262 RESERVED CVE-2019-18261 (In Omron PLC CS series, all versions, Omron PLC CJ series, all version ...) NOT-FOR-US: Omron CVE-2019-18260 RESERVED CVE-2019-18259 (In Omron PLC CJ series, all versions and Omron PLC CS series, all vers ...) NOT-FOR-US: Omron CVE-2019-18258 RESERVED CVE-2019-18257 (In Advantech DiagAnywhere Server, Versions 3.07.11 and prior, multiple ...) NOT-FOR-US: Advantech CVE-2019-18256 (BIOTRONIK CardioMessenger II, The affected products use individual per ...) NOT-FOR-US: BIOTRONIK CardioMessenge CVE-2019-18255 RESERVED CVE-2019-18254 (BIOTRONIK CardioMessenger II, The affected products do not encrypt sen ...) NOT-FOR-US: BIOTRONIK CardioMessenge CVE-2019-18253 (An attacker could use specially crafted paths in a specific request to ...) NOT-FOR-US: Relion CVE-2019-18252 (BIOTRONIK CardioMessenger II, The affected products allow credential r ...) NOT-FOR-US: BIOTRONIK CardioMessenge CVE-2019-18251 (In Omron CX-Supervisor, Versions 3.5 (12) and prior, Omron CX-Supervis ...) NOT-FOR-US: Omron CVE-2019-18250 (In all versions of ABB Power Generation Information Manager (PGIM) and ...) NOT-FOR-US: ABB CVE-2019-18249 (Reliable Controls MACH-ProWebCom/Sys, all versions prior to 2.15 (Firm ...) NOT-FOR-US: Reliable Controls CVE-2019-18248 (BIOTRONIK CardioMessenger II, The affected products transmit credentia ...) NOT-FOR-US: BIOTRONIK CardioMessenge CVE-2019-18247 (An attacker may use a specially crafted message to force Relion 650 se ...) NOT-FOR-US: Relion CVE-2019-18246 (BIOTRONIK CardioMessenger II, The affected products do not properly en ...) NOT-FOR-US: BIOTRONIK CardioMessenge CVE-2019-18245 (Reliable Controls LicenseManager versions 3.4 and prior may allow an a ...) NOT-FOR-US: Reliable Controls LicenseManager CVE-2019-18244 (OSIsoft PI Vision, PI Vision 2017 R2, PI Vision 2017 R2 SP1, PI Vision ...) NOT-FOR-US: OSIsoft CVE-2019-18243 RESERVED CVE-2019-18242 (In Moxa ioLogik 2500 series firmware, Version 3.0 or lower, and IOxpre ...) NOT-FOR-US: Moxa CVE-2019-18241 (In Philips IntelliBridge EC40 and EC80, IntelliBridge EC40 Hub all ver ...) NOT-FOR-US: Philips CVE-2019-18240 (In Fuji Electric V-Server 4.0.6 and prior, several heap-based buffer o ...) NOT-FOR-US: Fuji CVE-2019-18239 RESERVED CVE-2019-18238 (In Moxa ioLogik 2500 series firmware, Version 3.0 or lower, and IOxpre ...) NOT-FOR-US: Moxa CVE-2019-18237 RESERVED CVE-2019-18236 (Multiple buffer overflow vulnerabilities exist when the PLC Editor Ver ...) NOT-FOR-US: PLC Editor CVE-2019-18235 RESERVED CVE-2019-18234 (Equinox Control Expert all versions, is vulnerable to an SQL injection ...) NOT-FOR-US: Equinox Control Expert CVE-2019-18233 RESERVED CVE-2019-18232 (SafeNet Sentinel LDK License Manager, all versions prior to 7.101(only ...) NOT-FOR-US: SafeNet Sentinel LDK License Manager CVE-2019-18231 RESERVED CVE-2019-18230 (Honeywell equIP and Performance series IP cameras, multiple versions, ...) NOT-FOR-US: Honeywell CVE-2019-18229 (Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. Lack of sanitizati ...) NOT-FOR-US: Advantech CVE-2019-18228 (Honeywell equIP series IP cameras Multiple equIP Series Cameras, A vul ...) NOT-FOR-US: Honeywell CVE-2019-18227 (Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. XXE vulnerabilitie ...) NOT-FOR-US: Advantech CVE-2019-18226 (Honeywell equIP series and Performance series IP cameras and recorders ...) NOT-FOR-US: Honeywell CVE-2019-18225 (An issue was discovered in Citrix Application Delivery Controller (ADC ...) NOT-FOR-US: Citrix CVE-2019-18224 (idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a hea ...) {DSA-4613-1} - libidn2 2.2.0-1 (bug #942895) - libidn2-0 (Vulnerable code not present) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420 NOTE: https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c CVE-2019-18223 (ZOOM International Call Recording 6.3.1 suffers from multiple authenti ...) NOT-FOR-US: ZOOM International Call Recording CVE-2019-18222 (The ECDSA signature implementation in ecdsa.c in Arm Mbed Crypto 2.1 a ...) - mbedtls 2.16.4-1 NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-12 NOTE: Fixed upstream in 2.20.0, 2.16.4 and 2.7.13 CVE-2019-18221 (CoreHR Core Portal before 27.0.7 allows stored XSS. ...) NOT-FOR-US: CoreHR Core Portal CVE-2019-18220 (Sitemagic CMS 4.4.1 is affected by a Cross-Site-Request-Forgery (CSRF) ...) NOT-FOR-US: Sitemagic CMS CVE-2019-18219 (Sitemagic CMS 4.4.1 is affected by a Cross-Site-Scripting (XSS) vulner ...) NOT-FOR-US: Sitemagic CMS CVE-2019-18218 (cdf_read_property_info in cdf.c in file through 5.37 does not restrict ...) {DSA-4550-1 DLA-1969-1} - file 1:5.37-6 (bug #942830) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16780 NOTE: https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84 CVE-2019-18217 (ProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows remote unauth ...) {DSA-4559-1 DLA-1974-1} - proftpd-dfsg 1.3.6a-2 (bug #942831) NOTE: https://github.com/proftpd/proftpd/commit/13fe9462787b9a551152162f46f1641d65fe4df4 NOTE: https://github.com/proftpd/proftpd/issues/846 CVE-2019-18216 (** DISPUTED ** The BIOS configuration design on ASUS ROG Zephyrus M GM ...) NOT-FOR-US: BIOS configuration design on ASUS ROG Zephyrus M GM501GS laptops with BIOS 313 CVE-2019-18215 (An issue was discovered in signmgr.dll 6.5.0.819 in Comodo Internet Se ...) NOT-FOR-US: Comodo Internet Security CVE-2019-18214 (The Video_Converter app 0.1.0 for Nextcloud allows denial of service ( ...) NOT-FOR-US: Video_Converter app for Nextcloud CVE-2019-18213 (XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML ...) NOT-FOR-US: XML Language Server (aka lsp4xml) CVE-2019-18212 (XMLLanguageService.java in XML Language Server (aka lsp4xml) before 0. ...) NOT-FOR-US: XML Language Server (aka lsp4xml) CVE-2019-18211 (An issue was discovered in Orckestra C1 CMS through 6.6. The EntityTok ...) NOT-FOR-US: Orckestra C1 CMS CVE-2019-18210 (Persistent XSS in /course/modedit.php of Moodle through 3.7.2 allows a ...) - moodle CVE-2019-18209 (templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser doe ...) - etherpad-lite (bug #576998) CVE-2019-18208 RESERVED CVE-2019-18207 (In Zucchetti InfoBusiness before and including 4.4.1, an authenticated ...) NOT-FOR-US: Zucchetti InfoBusiness CVE-2019-18206 (A cross-site request forgery (CSRF) vulnerability in Zucchetti InfoBus ...) NOT-FOR-US: Zucchetti InfoBusiness CVE-2019-18205 (Multiple Reflected Cross-site Scripting (XSS) vulnerabilities exist in ...) NOT-FOR-US: Zucchetti InfoBusiness CVE-2019-18204 (Zucchetti InfoBusiness before and including 4.4.1 allows any authentic ...) NOT-FOR-US: Zucchetti InfoBusiness CVE-2019-18203 (On the RICOH MP 501 printer, HTML Injection and Stored XSS vulnerabili ...) NOT-FOR-US: Ricoh CVE-2019-18202 (Information Disclosure is possible on WAGO Series PFC100 and PFC200 de ...) NOT-FOR-US: WAGO Series PFC100 and PFC200 devices CVE-2019-18201 (An issue was discovered on Fujitsu Wireless Keyboard Set LX390 GK381 d ...) NOT-FOR-US: Fujitsu CVE-2019-18200 (An issue was discovered on Fujitsu Wireless Keyboard Set LX390 GK381 d ...) NOT-FOR-US: Fujitsu CVE-2019-18199 (An issue was discovered on Fujitsu Wireless Keyboard Set LX390 GK381 d ...) NOT-FOR-US: Fujitsu CVE-2019-18197 (In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable i ...) {DLA-1973-1} - libxslt 1.1.32-2.2 (bug #942646) [buster] - libxslt 1.1.32-2.2~deb10u1 [stretch] - libxslt 1.1.29-2.1+deb9u2 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15746 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15768 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15914 NOTE: https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285 CVE-2019-18196 (A DLL side loading vulnerability in the Windows Service in TeamViewer ...) NOT-FOR-US: TeamViewer CVE-2019-18198 (In the Linux kernel before 5.3.4, a reference count usage error in the ...) - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/ca7a03c4175366a92cee0ccc4fec0038c3266e26 NOTE: https://launchpad.net/bugs/1847478 CVE-2019-18195 (An issue was discovered on TerraMaster FS-210 4.0.19 devices. Normal u ...) NOT-FOR-US: TerraMaster FS-210 devices CVE-2019-18194 (TotalAV 2020 4.14.31 has a quarantine flaw that allows privilege escal ...) NOT-FOR-US: TotalAV CVE-2019-18193 (In Unisys Stealth (core) 3.4.108.0, 3.4.209.x, 4.0.027.x and 4.0.114, ...) NOT-FOR-US: Unisys Stealth CVE-2020-0500 RESERVED CVE-2020-0499 RESERVED CVE-2020-0498 RESERVED CVE-2020-0497 RESERVED CVE-2020-0496 RESERVED CVE-2020-0495 RESERVED CVE-2020-0494 RESERVED CVE-2020-0493 RESERVED CVE-2020-0492 RESERVED CVE-2020-0491 RESERVED CVE-2020-0490 RESERVED CVE-2020-0489 RESERVED CVE-2020-0488 RESERVED CVE-2020-0487 RESERVED CVE-2020-0486 RESERVED CVE-2020-0485 RESERVED CVE-2020-0484 RESERVED CVE-2020-0483 RESERVED CVE-2020-0482 RESERVED CVE-2020-0481 RESERVED CVE-2020-0480 RESERVED CVE-2020-0479 RESERVED CVE-2020-0478 RESERVED CVE-2020-0477 RESERVED CVE-2020-0476 RESERVED CVE-2020-0475 RESERVED CVE-2020-0474 RESERVED CVE-2020-0473 RESERVED CVE-2020-0472 RESERVED CVE-2020-0471 RESERVED CVE-2020-0470 RESERVED CVE-2020-0469 RESERVED CVE-2020-0468 RESERVED CVE-2020-0467 RESERVED CVE-2020-0466 RESERVED CVE-2020-0465 RESERVED CVE-2020-0464 RESERVED CVE-2020-0463 RESERVED CVE-2020-0462 RESERVED CVE-2020-0461 RESERVED CVE-2020-0460 RESERVED CVE-2020-0459 RESERVED CVE-2020-0458 RESERVED CVE-2020-0457 RESERVED CVE-2020-0456 RESERVED CVE-2020-0455 RESERVED CVE-2020-0454 RESERVED CVE-2020-0453 RESERVED CVE-2020-0452 RESERVED CVE-2020-0451 RESERVED CVE-2020-0450 RESERVED CVE-2020-0449 RESERVED CVE-2020-0448 RESERVED CVE-2020-0447 RESERVED CVE-2020-0446 RESERVED CVE-2020-0445 RESERVED CVE-2020-0444 RESERVED CVE-2020-0443 RESERVED CVE-2020-0442 RESERVED CVE-2020-0441 RESERVED CVE-2020-0440 RESERVED CVE-2020-0439 RESERVED CVE-2020-0438 RESERVED CVE-2020-0437 RESERVED CVE-2020-0436 RESERVED CVE-2020-0435 RESERVED CVE-2020-0434 RESERVED CVE-2020-0433 RESERVED CVE-2020-0432 RESERVED CVE-2020-0431 RESERVED CVE-2020-0430 RESERVED CVE-2020-0429 RESERVED CVE-2020-0428 RESERVED CVE-2020-0427 RESERVED CVE-2020-0426 RESERVED CVE-2020-0425 RESERVED CVE-2020-0424 RESERVED CVE-2020-0423 RESERVED CVE-2020-0422 RESERVED CVE-2020-0421 RESERVED CVE-2020-0420 RESERVED CVE-2020-0419 RESERVED CVE-2020-0418 RESERVED CVE-2020-0417 RESERVED CVE-2020-0416 RESERVED CVE-2020-0415 RESERVED CVE-2020-0414 RESERVED CVE-2020-0413 RESERVED CVE-2020-0412 RESERVED CVE-2020-0411 RESERVED CVE-2020-0410 RESERVED CVE-2020-0409 RESERVED CVE-2020-0408 RESERVED CVE-2020-0407 RESERVED CVE-2020-0406 RESERVED CVE-2020-0405 RESERVED CVE-2020-0404 RESERVED CVE-2020-0403 RESERVED CVE-2020-0402 RESERVED CVE-2020-0401 RESERVED CVE-2020-0400 RESERVED CVE-2020-0399 RESERVED CVE-2020-0398 RESERVED CVE-2020-0397 RESERVED CVE-2020-0396 RESERVED CVE-2020-0395 RESERVED CVE-2020-0394 RESERVED CVE-2020-0393 RESERVED CVE-2020-0392 RESERVED CVE-2020-0391 RESERVED CVE-2020-0390 RESERVED CVE-2020-0389 RESERVED CVE-2020-0388 RESERVED CVE-2020-0387 RESERVED CVE-2020-0386 RESERVED CVE-2020-0385 RESERVED CVE-2020-0384 RESERVED CVE-2020-0383 RESERVED CVE-2020-0382 RESERVED CVE-2020-0381 RESERVED CVE-2020-0380 RESERVED CVE-2020-0379 RESERVED CVE-2020-0378 RESERVED CVE-2020-0377 RESERVED CVE-2020-0376 RESERVED CVE-2020-0375 RESERVED CVE-2020-0374 RESERVED CVE-2020-0373 RESERVED CVE-2020-0372 RESERVED CVE-2020-0371 RESERVED CVE-2020-0370 RESERVED CVE-2020-0369 RESERVED CVE-2020-0368 RESERVED CVE-2020-0367 RESERVED CVE-2020-0366 RESERVED CVE-2020-0365 RESERVED CVE-2020-0364 RESERVED CVE-2020-0363 RESERVED CVE-2020-0362 RESERVED CVE-2020-0361 RESERVED CVE-2020-0360 RESERVED CVE-2020-0359 RESERVED CVE-2020-0358 RESERVED CVE-2020-0357 RESERVED CVE-2020-0356 RESERVED CVE-2020-0355 RESERVED CVE-2020-0354 RESERVED CVE-2020-0353 RESERVED CVE-2020-0352 RESERVED CVE-2020-0351 RESERVED CVE-2020-0350 RESERVED CVE-2020-0349 RESERVED CVE-2020-0348 RESERVED CVE-2020-0347 RESERVED CVE-2020-0346 RESERVED CVE-2020-0345 RESERVED CVE-2020-0344 RESERVED CVE-2020-0343 RESERVED CVE-2020-0342 RESERVED CVE-2020-0341 RESERVED CVE-2020-0340 RESERVED CVE-2020-0339 RESERVED CVE-2020-0338 RESERVED CVE-2020-0337 RESERVED CVE-2020-0336 RESERVED CVE-2020-0335 RESERVED CVE-2020-0334 RESERVED CVE-2020-0333 RESERVED CVE-2020-0332 RESERVED CVE-2020-0331 RESERVED CVE-2020-0330 RESERVED CVE-2020-0329 RESERVED CVE-2020-0328 RESERVED CVE-2020-0327 RESERVED CVE-2020-0326 RESERVED CVE-2020-0325 RESERVED CVE-2020-0324 RESERVED CVE-2020-0323 RESERVED CVE-2020-0322 RESERVED CVE-2020-0321 RESERVED CVE-2020-0320 RESERVED CVE-2020-0319 RESERVED CVE-2020-0318 RESERVED CVE-2020-0317 RESERVED CVE-2020-0316 RESERVED CVE-2020-0315 RESERVED CVE-2020-0314 RESERVED CVE-2020-0313 RESERVED CVE-2020-0312 RESERVED CVE-2020-0311 RESERVED CVE-2020-0310 RESERVED CVE-2020-0309 RESERVED CVE-2020-0308 RESERVED CVE-2020-0307 RESERVED CVE-2020-0306 RESERVED CVE-2020-0305 RESERVED CVE-2020-0304 RESERVED CVE-2020-0303 RESERVED CVE-2020-0302 RESERVED CVE-2020-0301 RESERVED CVE-2020-0300 RESERVED CVE-2020-0299 RESERVED CVE-2020-0298 RESERVED CVE-2020-0297 RESERVED CVE-2020-0296 RESERVED CVE-2020-0295 RESERVED CVE-2020-0294 RESERVED CVE-2020-0293 RESERVED CVE-2020-0292 RESERVED CVE-2020-0291 RESERVED CVE-2020-0290 RESERVED CVE-2020-0289 RESERVED CVE-2020-0288 RESERVED CVE-2020-0287 RESERVED CVE-2020-0286 RESERVED CVE-2020-0285 RESERVED CVE-2020-0284 RESERVED CVE-2020-0283 RESERVED CVE-2020-0282 RESERVED CVE-2020-0281 RESERVED CVE-2020-0280 RESERVED CVE-2020-0279 RESERVED CVE-2020-0278 RESERVED CVE-2020-0277 RESERVED CVE-2020-0276 RESERVED CVE-2020-0275 RESERVED CVE-2020-0274 RESERVED CVE-2020-0273 RESERVED CVE-2020-0272 RESERVED CVE-2020-0271 RESERVED CVE-2020-0270 RESERVED CVE-2020-0269 RESERVED CVE-2020-0268 RESERVED CVE-2020-0267 RESERVED CVE-2020-0266 RESERVED CVE-2020-0265 RESERVED CVE-2020-0264 RESERVED CVE-2020-0263 RESERVED CVE-2020-0262 RESERVED CVE-2020-0261 RESERVED CVE-2020-0260 RESERVED CVE-2020-0259 RESERVED CVE-2020-0258 RESERVED CVE-2020-0257 RESERVED CVE-2020-0256 RESERVED CVE-2020-0255 RESERVED CVE-2020-0254 RESERVED CVE-2020-0253 RESERVED CVE-2020-0252 RESERVED CVE-2020-0251 RESERVED CVE-2020-0250 RESERVED CVE-2020-0249 RESERVED CVE-2020-0248 RESERVED CVE-2020-0247 RESERVED CVE-2020-0246 RESERVED CVE-2020-0245 RESERVED CVE-2020-0244 RESERVED CVE-2020-0243 RESERVED CVE-2020-0242 RESERVED CVE-2020-0241 RESERVED CVE-2020-0240 RESERVED CVE-2020-0239 RESERVED CVE-2020-0238 RESERVED CVE-2020-0237 RESERVED CVE-2020-0236 RESERVED CVE-2020-0235 (In crus_sp_shared_ioctl we first copy 4 bytes from userdata into "size ...) NOT-FOR-US: Pixel kernel drivers CVE-2020-0234 (In crus_afe_get_param of msm-cirrus-playback.c, there is a possible ou ...) NOT-FOR-US: Pixel kernel drivers CVE-2020-0233 (In main of main.cpp, there is possible memory corruption due to a use ...) NOT-FOR-US: Android CVE-2020-0232 (Function abc_pcie_issue_dma_xfer_sync creates a transfer object, adds ...) NOT-FOR-US: Pixel kernel drivers CVE-2020-0231 RESERVED CVE-2020-0230 RESERVED CVE-2020-0229 RESERVED CVE-2020-0228 RESERVED CVE-2020-0227 RESERVED CVE-2020-0226 RESERVED CVE-2020-0225 RESERVED CVE-2020-0224 RESERVED CVE-2020-0223 (This is an unbounded write into kernel global memory, via a user-contr ...) NOT-FOR-US: Pixel kernel drivers CVE-2020-0222 RESERVED CVE-2020-0221 (Airbrush FW's scratch memory allocator is susceptible to numeric overf ...) NOT-FOR-US: Android CVE-2020-0220 (In crus_afe_callback of msm-cirrus-playback.c, there is a possible out ...) NOT-FOR-US: Android CVE-2020-0219 (In onCreate of SliceDeepLinkSpringBoard.java there is a possible insec ...) NOT-FOR-US: Android CVE-2020-0218 (In loadSoundModel and related functions of SoundTriggerHwService.cpp, ...) NOT-FOR-US: Android Media Framework CVE-2020-0217 (In RW_T4tPresenceCheck of rw_t4t.cc, there is a possible out of bounds ...) NOT-FOR-US: Android CVE-2020-0216 (In phNciNfc_RecvMfResp of phNxpExtns_MifareStd.cpp, there is a possibl ...) NOT-FOR-US: Android CVE-2020-0215 (In onCreate of ConfirmConnectActivity.java, there is a possible leak o ...) NOT-FOR-US: Android CVE-2020-0214 (In ce_t4t_process_select_file_cmd of ce_t4t.cc, there is a possible ou ...) NOT-FOR-US: Android CVE-2020-0213 (In hevcd_fmt_conv_420sp_to_420sp_av8 of ihevcd_fmt_conv_420sp_to_420sp ...) NOT-FOR-US: Android Media Framework CVE-2020-0212 (In _onBufferDestroyed of InputBufferManager.cpp, there is a possible o ...) NOT-FOR-US: Android Media Framework CVE-2020-0211 (In SumCompoundHorizontalTaps of convolve_neon.cc, there is a possible ...) NOT-FOR-US: Android Media Framework CVE-2020-0210 (In removeSharedAccountAsUser of AccountManager.java, there is a possib ...) NOT-FOR-US: Android CVE-2020-0209 (In multiple functions of AccountManager.java, there is a possible perm ...) NOT-FOR-US: Android CVE-2020-0208 (In multiple functions of AccountManager.java, there is a possible perm ...) NOT-FOR-US: Android CVE-2020-0207 (In next_marker of jdmarker.c, there is a possible out of bounds read d ...) NOT-FOR-US: Android Media Framework CVE-2020-0206 (In the settings app, there is a possible app crash due to improper inp ...) NOT-FOR-US: Android CVE-2020-0205 (In the DaalaBitReader constructor of entropy_decoder.cc, there is a po ...) NOT-FOR-US: Android Media Framework CVE-2020-0204 (In InstallPackage of package.cpp, there is a possible bypass of a sign ...) NOT-FOR-US: Android CVE-2020-0203 (In freeIsolatedUidLocked of ProcessList.java, there is a possible UID ...) NOT-FOR-US: Android CVE-2020-0202 (In onStart of MainActivity.java, there is a possible bypass of develop ...) NOT-FOR-US: Android CVE-2020-0201 (In showSecurityFields of WifiConfigController.java there is a possible ...) NOT-FOR-US: Android CVE-2020-0200 (In ReadLittleEndian of raw_bit_reader.cc, there is a possible out of b ...) NOT-FOR-US: Android Media Framework CVE-2020-0199 (In TimeCheck::TimeCheckThread::threadLoop of TimeCheck.cpp, there is a ...) NOT-FOR-US: Android Media Framework CVE-2020-0198 (In exif_data_load_data_content of exif-data.c, there is a possible UBS ...) {DLA-2249-1} - libexif 0.6.22-2 (bug #962345) [buster] - libexif (Minor issue) [stretch] - libexif (Minor issue) NOTE: https://android.googlesource.com/platform/external/libexif/+/1e187b62682ffab5003c702657d6d725b4278f16%5E%21/#F0 NOTE: https://github.com/libexif/libexif/commit/ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c CVE-2020-0197 (In InitDataParser::parsePssh of InitDataParser.cpp, there is a possibl ...) NOT-FOR-US: Android Media Framework CVE-2020-0196 (In RegisterNotificationResponse::GetEvent of register_notification_pac ...) NOT-FOR-US: Android CVE-2020-0195 (In ihevcd_iquant_itrans_recon_ctb of ihevcd_iquant_itrans_recon_ctb.c ...) NOT-FOR-US: Android Media Framework CVE-2020-0194 (In ihevcd_parse_slice_header of ihevcd_parse_slice_header.c, there is ...) NOT-FOR-US: Android Media Framework CVE-2020-0193 (In ihevc_intra_pred_chroma_mode_3_to_9_av8 of ihevc_intra_pred_chroma_ ...) NOT-FOR-US: Android Media Framework CVE-2020-0192 (In ih264d_decode_slice_thread of ih264d_thread_parse_decode.c, there i ...) NOT-FOR-US: Android Media Framework CVE-2020-0191 (In ih264d_update_default_index_list() of ih264d_dpb_mgr.c, there is a ...) NOT-FOR-US: Android Media Framework CVE-2020-0190 (In ideint_weave_blk of ideint_utils.c, there is a possible out of boun ...) NOT-FOR-US: Android Media Framework CVE-2020-0189 (In ihevcd_decode() of ihevcd_decode.c, there is possible resource exha ...) NOT-FOR-US: Android Media Framework CVE-2020-0188 (In onCreatePermissionRequest of SettingsSliceProvider.java, there is a ...) NOT-FOR-US: Android CVE-2020-0187 (In engineSetMode of BaseBlockCipher.java, there is a possible incorrec ...) NOT-FOR-US: Android CVE-2020-0186 (In hal_fd_init of hal_fd.cc, there is a possible out of bounds write d ...) NOT-FOR-US: Android CVE-2020-0185 (In avrc_pars_browsing_cmd of avrc_pars_tg.cc, there is a possible out ...) NOT-FOR-US: Android CVE-2020-0184 (In ihevcd_ref_list() of ihevcd_ref_list.c, there is a possible infinit ...) NOT-FOR-US: Android Media Framework CVE-2020-0183 (In handleMessage of BluetoothManagerService, there is an incomplete re ...) NOT-FOR-US: Android CVE-2020-0182 (In exif_entry_get_value of exif-entry.c, there is a possible out of bo ...) {DLA-2249-1} - libexif 0.6.22-1 (low) [buster] - libexif (Minor issue) [stretch] - libexif (Minor issue) NOTE: https://github.com/libexif/libexif/commit/f9bb9f263fb00f0603ecbefa8957cad24168cbff (0.6.22) NOTE: CVE originally originally reported by Android where a different patch was shipped CVE-2020-0181 (In exif_data_load_data_thumbnail of exif-data.c, there is a possible d ...) {DSA-4618-1 DLA-2100-1} - libexif 0.6.21-6 (bug #962346) NOTE: https://android.googlesource.com/platform/external/libexif/+/f6c54954cbfc25eb73d2d2902f0597c0220174a4 NOTE: Fixed by the patch for CVE-2019-9278 CVE-2020-0180 (In GetOpusHeaderBuffers() of OpusHeader.cpp, there is a possible out o ...) NOT-FOR-US: Android Media Framework CVE-2020-0179 (In doSendObjectInfo of MtpServer.cpp, there is a possible path travers ...) NOT-FOR-US: Android Media Framework CVE-2020-0178 (In getAllConfigFlags of SettingsProvider.cpp, there is a possible ille ...) NOT-FOR-US: Android CVE-2020-0177 (In connect() of PanService.java, there is a possible permissions bypas ...) NOT-FOR-US: Android CVE-2020-0176 (In avdt_msg_prs_rej of avdt_msg.cc, there is a possible out-of-bounds ...) NOT-FOR-US: Android CVE-2020-0175 (In XMF_ReadNode of eas_xmf.c, there is possible resource exhaustion du ...) NOT-FOR-US: Android Media Framework CVE-2020-0174 (In Parse_ptbl of eas_mdls.c, there is possible resource exhaustion due ...) NOT-FOR-US: Android Media Framework CVE-2020-0173 (In Parse_lins of eas_mdls.c, there is possible resource exhaustion due ...) NOT-FOR-US: Android Media Framework CVE-2020-0172 (In Parse_art of eas_mdls.c, there is possible resource exhaustion due ...) NOT-FOR-US: Android Media Framework CVE-2020-0171 (In Parse_lart of eas_mdls.c, there is possible resource exhaustion due ...) NOT-FOR-US: Android Media Framework CVE-2020-0170 (In IMY_Event of eas_imelody.c, there is possible resource exhaustion d ...) NOT-FOR-US: Android Media Framework CVE-2020-0169 (In RTTTL_Event of eas_rtttl.c, there is possible resource exhaustion d ...) NOT-FOR-US: Android Media Framework CVE-2020-0168 (In impeg2_fmt_conv_yuv420p_to_yuv420sp_uv of impeg2_format_conv.c, the ...) NOT-FOR-US: Android Media Framework CVE-2020-0167 (In load of ResourceTypes.cpp, there is a possible out of bounds read d ...) NOT-FOR-US: Android CVE-2020-0166 (In multiple functions of URI.java, there is a possible escalation of p ...) NOT-FOR-US: Android CVE-2020-0165 (In phNxpNciHal_NfcDep_cmd_ext of phNxpNciHal_NfcDepSWPrio.cc, there is ...) NOT-FOR-US: Android CVE-2020-0164 (In phNxpNciHal_NfcDep_cmd_ext of phNxpNciHal_NfcDepSWPrio.cc, there is ...) NOT-FOR-US: Android CVE-2020-0163 (In parseSampleAuxiliaryInformationSizes of MPEG4Extractor.cpp, there i ...) NOT-FOR-US: Android Media Framework CVE-2020-0162 (In parseSampleAuxiliaryInformationOffsets of MPEG4Extractor.cpp, there ...) NOT-FOR-US: Android Media Framework CVE-2020-0161 (In parseChunk of MPEG4Extractor.cpp, there is possible resource exhaus ...) NOT-FOR-US: Android Media Framework CVE-2020-0160 (In setSyncSampleParams of SampleTable.cpp, there is possible resource ...) NOT-FOR-US: Android Media Framework CVE-2020-0159 (In rw_mfc_writeBlock of rw_mfc.cc, there is a possible out of bounds r ...) NOT-FOR-US: Android CVE-2020-0158 (In nfc_ncif_proc_t3t_polling_ntf of nfc_ncif.cc, there is a possible o ...) NOT-FOR-US: Android CVE-2020-0157 (In nfa_hci_conn_cback of nfa_hci_main.cc, there is a possible out of b ...) NOT-FOR-US: Android CVE-2020-0156 (In NxpNfc::ioctl of NxpNfc.cpp, there is a possible out of bounds read ...) NOT-FOR-US: Android CVE-2020-0155 (In phNxpNciHal_send_ese_hal_cmd of phNxpNciHal_ext.cc, there is a poss ...) NOT-FOR-US: Android CVE-2020-0154 (In nci_proc_core_rsp of nci_hrcv.cc, there is a possible out of bounds ...) NOT-FOR-US: Android CVE-2020-0153 (In phNxpNciHal_write_ext of phNxpNciHal_ext.cc, there is a possible ou ...) NOT-FOR-US: Android CVE-2020-0152 (In avb_vbmeta_image_verify of avb_vbmeta_image.c, there is a possible ...) NOT-FOR-US: Android Media Framework CVE-2020-0151 (In avb_vbmeta_image_verify of avb_vbmeta_image.c there is a possible o ...) NOT-FOR-US: Android Media Framework CVE-2020-0150 (In rw_t3t_message_set_block_list of rw_t3t.cc, there is a possible out ...) NOT-FOR-US: Android CVE-2020-0149 (In btu_hcif_mode_change_evt of btu_hcif.cc, there is a possible out of ...) NOT-FOR-US: Android CVE-2020-0148 (In btu_hcif_pin_code_request_evt, btu_hcif_link_key_request_evt, and b ...) NOT-FOR-US: Android CVE-2020-0147 (In btu_hcif_esco_connection_chg_evt of btu_hcif.cc, there is a possibl ...) NOT-FOR-US: Android CVE-2020-0146 (In btu_hcif_hardware_error_evt of btu_hcif.cc, there is a possible out ...) NOT-FOR-US: Android CVE-2020-0145 (In btm_simple_pair_complete of btm_sec.cc, there is a possible out of ...) NOT-FOR-US: Android CVE-2020-0144 (In btm_proc_sp_req_evt of btm_sec.cc, there is a possible out of bound ...) NOT-FOR-US: Android CVE-2020-0143 (In nfa_dm_ndef_find_next_handler of nfa_dm_ndef.c, there is a possible ...) NOT-FOR-US: Android CVE-2020-0142 (In rw_i93_sm_format of rw_i93.c, there is a possible information discl ...) NOT-FOR-US: Android CVE-2020-0141 (In OutputBuffersArray::realloc of CCodecBuffers.cpp, there is a possib ...) NOT-FOR-US: Android Media Framework CVE-2020-0140 (In rw_i93_sm_detect_ndef of rw_i93.c, there is a possible information ...) NOT-FOR-US: Android CVE-2020-0139 (In NDEF_MsgValidate of ndef_utils.c, there is a possible out of bounds ...) NOT-FOR-US: Android CVE-2020-0138 (In get_element_attr_rsp of btif_rc.cc, there is a possible out of boun ...) NOT-FOR-US: Android CVE-2020-0137 (In setIPv6AddrGenMode of NetworkManagementService.java, there is a pos ...) NOT-FOR-US: Android CVE-2020-0136 (In multiple locations of Parcel.cpp, there is a possible out-of-bounds ...) NOT-FOR-US: Android CVE-2020-0135 (In dump of RollbackManagerServiceImpl.java, there is a possible backup ...) NOT-FOR-US: Android CVE-2020-0134 (In BnDrm::onTransact of IDrm.cpp, there is a possible information disc ...) NOT-FOR-US: Android Media Framework CVE-2020-0133 (In MockLocationAppPreferenceController.java, it is possible to mock th ...) NOT-FOR-US: Android CVE-2020-0132 (In BnAAudioService::onTransact of IAAudioService.cpp, there is a possi ...) NOT-FOR-US: Android Media Framework CVE-2020-0131 (In parseChunk of MPEG4Extractor.cpp, there is a possible out of bounds ...) NOT-FOR-US: Android Media Framework CVE-2020-0130 RESERVED CVE-2020-0129 (In SetData of btm_ble_multi_adv.cc, there is a possible out-of-bound w ...) NOT-FOR-US: Android CVE-2020-0128 (In addPacket of AMPEG4ElementaryAssembler, there is an out of bounds r ...) NOT-FOR-US: Android Media Framework CVE-2020-0127 (In AudioStream::decode of AudioGroup.cpp, there is a possible out of b ...) NOT-FOR-US: Android Media Framework CVE-2020-0126 (In multiple functions in DrmPlugin.cpp, there is a possible use after ...) NOT-FOR-US: Android Media Framework CVE-2020-0125 RESERVED CVE-2020-0124 (In markBootComplete of InstalldNativeService.cpp, there is a possible ...) NOT-FOR-US: Android CVE-2020-0123 RESERVED CVE-2020-0122 RESERVED CVE-2020-0121 (In updateUidProcState of AppOpsService.java, there is a possible permi ...) NOT-FOR-US: Android CVE-2020-0120 RESERVED NOT-FOR-US: Android Media Framework CVE-2020-0119 (In addOrUpdateNetworkInternal and related functions of WifiConfigManag ...) NOT-FOR-US: Android CVE-2020-0118 (In addListener of RegionSamplingThread.cpp, there is a possible out of ...) NOT-FOR-US: Android Media Framework CVE-2020-0117 (In aes_cmac of aes_cmac.cc, there is a possible out of bounds write du ...) NOT-FOR-US: Android CVE-2020-0116 (In checkSystemLocationAccess of LocationAccessPolicy.java, there is a ...) NOT-FOR-US: Android CVE-2020-0115 (In verifyIntentFiltersIfNeeded of PackageManagerService.java, there is ...) NOT-FOR-US: Android CVE-2020-0114 (In onCreateSliceProvider of KeyguardSliceProvider.java, there is a pos ...) NOT-FOR-US: Android CVE-2020-0113 (In sendCaptureResult of Camera3OutputUtils.cpp, there is a possible ou ...) NOT-FOR-US: Android Media Framework CVE-2020-0112 RESERVED CVE-2020-0111 RESERVED CVE-2020-0110 (In psi_write of psi.c, there is a possible out of bounds write due to ...) - linux 5.5.13-1 [buster] - linux (Vulnerable code not present) [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/6fcca0fa48118e6d63733eb4644c6cd880c15b8f (5.6-rc2) CVE-2020-0109 (In simulatePackageSuspendBroadcast of NotificationManagerService.java, ...) NOT-FOR-US: Android CVE-2020-0108 RESERVED CVE-2020-0107 RESERVED CVE-2020-0106 (In getCellLocation of PhoneInterfaceManager.java, there is a possible ...) NOT-FOR-US: Android CVE-2020-0105 (In onKeyguardVisibilityChanged of key_store_service.cpp, there is a mi ...) NOT-FOR-US: Android CVE-2020-0104 (In onShowingStateChanged of KeyguardStateMonitor.java, there is a poss ...) NOT-FOR-US: Android CVE-2020-0103 (In a2dp_aac_decoder_cleanup of a2dp_aac_decoder.cc, there is a possibl ...) NOT-FOR-US: Android CVE-2020-0102 (In GattServer::SendResponse of gatt_server.cc, there is a possible out ...) NOT-FOR-US: Android CVE-2020-0101 (In BnCrypto::onTransact of ICrypto.cpp, there is a possible informatio ...) NOT-FOR-US: Android media framework CVE-2020-0100 (In onTransact of IHDCP.cpp, there is a possible out of bounds read due ...) NOT-FOR-US: Android media framework CVE-2020-0099 RESERVED CVE-2020-0098 (In navigateUpToLocked of ActivityStack.java, there is a possible permi ...) NOT-FOR-US: Android CVE-2020-0097 (In various methods of PackageManagerService.java, there is a possible ...) NOT-FOR-US: Android CVE-2020-0096 (In startActivities of ActivityStartController.java, there is a possibl ...) NOT-FOR-US: Android CVE-2020-0095 RESERVED NOT-FOR-US: Android Media Framework CVE-2020-0094 (In setImageHeight and setImageWidth of ExifUtils.cpp, there is a possi ...) NOT-FOR-US: Android media framework CVE-2020-0093 (In exif_data_save_data_entry of exif-data.c, there is a possible out o ...) {DLA-2214-1} - libexif 0.6.21-8 [buster] - libexif (Minor issue) [stretch] - libexif (Minor issue) NOTE: https://github.com/libexif/libexif/issues/42 NOTE: https://github.com/libexif/libexif/commit/5ae5973bed1947f4d447dc80b76d5cefadd90133 CVE-2020-0092 (In setHideSensitive of NotificationStackScrollLayout.java, there is a ...) NOT-FOR-US: Android CVE-2020-0091 (In mnld, an incorrect configuration in driver_cfg of mnld for meta fac ...) NOT-FOR-US: Mediatek components for Android CVE-2020-0090 (An improper authorization in the receiver component of Email.Product: ...) NOT-FOR-US: Mediatek components for Android CVE-2020-0089 RESERVED CVE-2020-0088 (In parseTrackFragmentRun of MPEG4Extractor.cpp, there is possible reso ...) NOT-FOR-US: Android Media Framework CVE-2020-0087 (In getProcessPss of ActivityManagerService.java, there is a possible s ...) NOT-FOR-US: Android CVE-2020-0086 (In readCString of Parcel.cpp, there is a possible out of bounds write ...) NOT-FOR-US: Android Media Framework CVE-2020-0085 (In setBluetoothTethering of PanService.java, there is a possible permi ...) NOT-FOR-US: Android CVE-2020-0084 (In several functions of NotificationManagerService.java, there are mis ...) NOT-FOR-US: Android CVE-2020-0083 (In setRequirePmfInternal of sta_network.cpp, there is a possible defau ...) NOT-FOR-US: Android CVE-2020-0082 (In ExternalVibration of ExternalVibration.java, there is a possible ac ...) NOT-FOR-US: Android CVE-2020-0081 (In finalize of AssetManager.java, there is possible memory corruption ...) NOT-FOR-US: Android CVE-2020-0080 (In onOpActiveChanged and related methods of AppOpsControllerImpl.java, ...) NOT-FOR-US: Android CVE-2020-0079 (In decrypt_1_2 of CryptoPlugin.cpp, there is a possible out of bounds ...) NOT-FOR-US: Android CVE-2020-0078 (In releaseSecureStops of DrmPlugin.cpp, there is a possible out of bou ...) NOT-FOR-US: Android CVE-2020-0077 (In authorize_enroll of the FPC IRIS TrustZone app, there is a possible ...) NOT-FOR-US: Android CVE-2020-0076 (In get_auth_result of the FPC IRIS TrustZone app, there is a possible ...) NOT-FOR-US: Android CVE-2020-0075 (In set_shared_key of the FPC IRIS TrustZone app, there is a possible o ...) NOT-FOR-US: Android CVE-2020-0074 RESERVED CVE-2020-0073 (In rw_t2t_handle_tlv_detect_rsp of rw_t2t_ndef.cc, there is a possible ...) NOT-FOR-US: Android CVE-2020-0072 (In rw_t2t_handle_tlv_detect_rsp of rw_t2t_ndef.cc, there is a possible ...) NOT-FOR-US: Android CVE-2020-0071 (In rw_t2t_extract_default_locks_info of rw_t2t_ndef.cc, there is a pos ...) NOT-FOR-US: Android CVE-2020-0070 (In rw_t2t_update_lock_attributes of rw_t2t_ndef.cc, there is a possibl ...) NOT-FOR-US: Android CVE-2020-0069 (In the ioctl handlers of the Mediatek Command Queue driver, there is a ...) NOT-FOR-US: Mediatek components for Android CVE-2020-0068 (In crus_afe_get_param of msm-cirrus-playback.c, there is a possible ou ...) NOT-FOR-US: Android CVE-2020-0067 (In f2fs_xattr_generic_list of xattr.c, there is a possible out of boun ...) - linux 5.5.13-1 [buster] - linux 4.19.118-1 [jessie] - linux (f2fs is not supportable) NOTE: https://git.kernel.org/linus/688078e7f36c293dae25b338ddc9e0a2790f6e06 CVE-2020-0066 (In the netlink driver, there is a possible out of bounds write due to ...) - linux 4.2.5-1 [jessie] - linux 3.16.7-ckt20-1 NOTE: https://git.kernel.org/linus/db65a3aaf29ecce2e34271d52e8d2336b97bd9fe CVE-2020-0065 (An improper authorization in the receiver component of the Android Sui ...) NOT-FOR-US: Mediatek components for Android CVE-2020-0064 (An improper authorization while processing the provisioning data.Produ ...) NOT-FOR-US: Mediatek components for Android CVE-2020-0063 (In SurfaceFlinger, it is possible to override UI confirmation screen p ...) NOT-FOR-US: Android CVE-2020-0062 (In Euicc, there is a possible information disclosure due to an include ...) NOT-FOR-US: Android CVE-2020-0061 (In Pixel Recorder, there is a possible permissions bypass allowing arb ...) NOT-FOR-US: Android CVE-2020-0060 (In query of SmsProvider.java and MmsSmsProvider.java, there is a possi ...) NOT-FOR-US: Android CVE-2020-0059 (In btm_ble_batchscan_filter_track_adv_vse_cback of btm_ble_batchscan.c ...) NOT-FOR-US: Android CVE-2020-0058 (In l2c_rcv_acl_data of l2c_main.cc, there is a possible out of bounds ...) NOT-FOR-US: Android CVE-2020-0057 (In btm_process_inq_results of btm_inq.cc, there is a possible out of b ...) NOT-FOR-US: Android CVE-2020-0056 (In btu_hcif_connection_comp_evt of btu_hcif.cc, there is a possible ou ...) NOT-FOR-US: Android CVE-2020-0055 (In l2c_link_process_num_completed_pkts of l2c_link.cc, there is a poss ...) NOT-FOR-US: Android CVE-2020-0054 (In WifiNetworkSuggestionsManager of WifiNetworkSuggestionsManager.java ...) NOT-FOR-US: Android CVE-2020-0053 (In convertHidlNanDataPathInitiatorRequestToLegacy, and convertHidlNanD ...) NOT-FOR-US: Android CVE-2020-0052 (In smsSelected of AnswerFragment.java, there is a way to send an SMS f ...) NOT-FOR-US: Android CVE-2020-0051 (In onCreate of SettingsHomepageActivity, there is a possible tapjackin ...) NOT-FOR-US: Android CVE-2020-0050 (In nfa_hciu_send_msg of nfa_hci_utils.cc, there is a possible out of b ...) NOT-FOR-US: Android CVE-2020-0049 (In onReadBuffer() of StreamingSource.cpp, there is a possible informat ...) NOT-FOR-US: Android media framework CVE-2020-0048 (In onTransact of IAudioFlinger.cpp, there is a possible stack informat ...) NOT-FOR-US: Android media framework CVE-2020-0047 (In setMasterMute of AudioService.java, there is a missing permission c ...) NOT-FOR-US: Android media framework CVE-2020-0046 (In DrmPlugin::releaseSecureStops of DrmPlugin.cpp, there is a possible ...) NOT-FOR-US: Android media framework CVE-2020-0045 (In StatsService::command of StatsService.cpp, there is possible memory ...) NOT-FOR-US: Android CVE-2020-0044 (In set_nonce of fpc_ta_qc_auth.c, there is a possible out of bounds re ...) NOT-FOR-US: FPC components for Android CVE-2020-0043 (In authorize_enrol of fpc_ta_hw_auth.c, there is a possible out of bou ...) NOT-FOR-US: FPC components for Android CVE-2020-0042 (In fpc_ta_hw_auth_unwrap_key of fpc_ta_hw_auth_qsee.c, there is a poss ...) NOT-FOR-US: FPC components for Android CVE-2020-0041 (In binder_transaction of binder.c, there is a possible out of bounds w ...) - linux 5.4.6-1 [buster] - linux (Vulnerability introduced later) [stretch] - linux (Vulnerability introduced later) [jessie] - linux (Vulnerability introduced later) NOTE: https://git.kernel.org/linus/16981742717b04644a41052570fb502682a315d2 CVE-2020-0040 RESERVED NOTE: Duplicate of CVE-2019-15239, will be rejected CVE-2020-0039 (In rw_i93_sm_update_ndef of rw_i93.cc, there is a possible read of uni ...) NOT-FOR-US: Android CVE-2020-0038 (In rw_i93_sm_update_ndef of rw_i93.cc, there is a possible read of uni ...) NOT-FOR-US: Android CVE-2020-0037 (In rw_i93_sm_set_read_only of rw_i93.cc, there is a possible out of bo ...) NOT-FOR-US: Android CVE-2020-0036 (In hasPermissions of PermissionMonitor.java, there is a possible acces ...) NOT-FOR-US: Android CVE-2020-0035 (In query of TelephonyProvider.java, there is a possible access to SIM ...) NOT-FOR-US: Android CVE-2020-0034 (In vp8_decode_frame of decodeframe.c, there is a possible out of bound ...) {DLA-2136-1} - libvpx 1.7.0-3 [stretch] - libvpx (Minor issue) NOTE: https://github.com/webmproject/libvpx/commit/45daecb4f73a47ab3236a29a3a48c52324cbf19a CVE-2020-0033 (In CryptoPlugin::decrypt of CryptoPlugin.cpp, there is a possible out ...) NOT-FOR-US: Android media framework CVE-2020-0032 (In ih264d_release_display_bufs of ih264d_utils.c, there is a possible ...) NOT-FOR-US: Android media framework CVE-2020-0031 (In triggerAugmentedAutofillLocked and related functions of Session.jav ...) NOT-FOR-US: Android CVE-2020-0030 (In binder_thread_release of binder.c, there is a possible use after fr ...) - linux 4.15.11-1 NOTE: Fixed by: https://git.kernel.org/linus/5eeb2ca02a2f6084fc57ae5c244a38baab07033a CVE-2020-0029 (In the WifiConfigManager, there is a possible storage of location hist ...) NOT-FOR-US: Android CVE-2020-0028 (In notifyNetworkTested and related functions of NetworkMonitor.java, t ...) NOT-FOR-US: Android CVE-2020-0027 (In HidRawSensor::batch of HidRawSensor.cpp, there is a possible out of ...) NOT-FOR-US: Android CVE-2020-0026 (In Parcel::continueWrite of Parcel.cpp, there is possible memory corru ...) NOT-FOR-US: Android CVE-2020-0025 RESERVED CVE-2020-0024 (In onCreate of SettingsBaseActivity.java, there is a possible unauthor ...) NOT-FOR-US: Android CVE-2020-0023 (In setPhonebookAccessPermission of AdapterService.java, there is a pos ...) NOT-FOR-US: Android CVE-2020-0022 (In reassemble_and_dispatch of packet_fragmenter.cc, there is possible ...) NOT-FOR-US: Android CVE-2020-0021 (In removeUnusedPackagesLPw of PackageManagerService.java, there is a p ...) NOT-FOR-US: Android CVE-2020-0020 (In getAttributeRange of ExifInterface.java, there is a possible failur ...) NOT-FOR-US: Android CVE-2020-0019 RESERVED CVE-2020-0018 (In MotionEntry::appendDescription of InputDispatcher.cpp, there is a p ...) NOT-FOR-US: Android CVE-2020-0017 (In multiple places, it was possible for the primary user’s dicti ...) NOT-FOR-US: Android CVE-2020-0016 RESERVED CVE-2020-0015 (In onCreate of CertInstaller.java, there is a possible way to overlay ...) NOT-FOR-US: Android CVE-2020-0014 (It is possible for a malicious application to construct a TYPE_TOAST w ...) NOT-FOR-US: Android CVE-2020-0013 RESERVED CVE-2020-0012 (In fpc_ta_pn_get_unencrypted_image of fpc_ta_pn.c, there is a possible ...) NOT-FOR-US: FPC components for Android CVE-2020-0011 (In get_auth_result of fpc_ta_hw_auth.c, there is a possible out of bou ...) NOT-FOR-US: FPC components for Android CVE-2020-0010 (In fpc_ta_get_build_info of fpc_ta_kpi.c, there is a possible out of b ...) NOT-FOR-US: FPC components for Android CVE-2020-0009 (In calc_vm_may_flags of ashmem.c, there is a possible arbitrary write ...) {DLA-2241-1} - linux 5.5.13-1 [buster] - linux 4.19.118-1 [stretch] - linux (Driver is not enabled or supported) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1949 CVE-2020-0008 (In LowEnergyClient::MtuChangedCallback of low_energy_client.cc, there ...) NOT-FOR-US: Android CVE-2020-0007 (In flattenString8 of Sensor.cpp, there is a possible information discl ...) NOT-FOR-US: Android CVE-2020-0006 (In rw_i93_send_cmd_write_single_block of rw_i93.cc, there is a possibl ...) NOT-FOR-US: Android CVE-2020-0005 (In btm_read_remote_ext_features_complete of btm_acl.cc, there is a pos ...) NOT-FOR-US: Android CVE-2020-0004 (In generateCrop of WallpaperManagerService.java, there is a possible s ...) NOT-FOR-US: Android CVE-2020-0003 (In onCreate of InstallStart.java, there is a possible package validati ...) NOT-FOR-US: Android CVE-2020-0002 (In ih264d_init_decoder of ih264d_api.c, there is a possible out of bou ...) NOT-FOR-US: Android Media Framework CVE-2020-0001 (In getProcessRecordLocked of ActivityManagerService.java isolated apps ...) NOT-FOR-US: Android CVE-2019-18192 (GNU Guix 1.0.1 allows local users to gain access to an arbitrary user' ...) - guix (bug #850644) NOTE: https://issues.guix.gnu.org/issue/37744 CVE-2019-18191 (A privilege escalation vulnerability in the Trend Micro Deep Security ...) NOT-FOR-US: Trend Micro CVE-2019-18190 (Trend Micro Security (Consumer) 2020 (v16.x) is affected by a vulnerab ...) NOT-FOR-US: Trend Micro CVE-2019-18189 (A directory traversal vulnerability in Trend Micro Apex One, OfficeSca ...) NOT-FOR-US: Trend Micro CVE-2019-18188 (Trend Micro Apex One could be exploited by an attacker utilizing a com ...) NOT-FOR-US: Trend Micro CVE-2019-18187 (Trend Micro OfficeScan versions 11.0 and XG (12.0) could be exploited ...) NOT-FOR-US: Trend Micro CVE-2019-18186 RESERVED CVE-2019-18185 RESERVED CVE-2019-18184 (Crestron DMC-STRO 1.0 devices allow remote command execution as root v ...) NOT-FOR-US: Crestron DMC-STRO 1.0 devices CVE-2019-18183 (pacman before 5.2 is vulnerable to arbitrary command injection in lib/ ...) NOT-FOR-US: pacman package manager for arch, different from src:pacman CVE-2019-18182 (pacman before 5.2 is vulnerable to arbitrary command injection in conf ...) NOT-FOR-US: pacman package manager for arch, different from src:pacman CVE-2019-18181 (In CloudVision Portal all releases in the 2018.1 and 2018.2 Code train ...) NOT-FOR-US: CloudVision Portal CVE-2019-18180 (Improper Check for filenames with overly long extensions in PostMaster ...) - otrs2 6.0.24-1 (bug #945251) [buster] - otrs2 (Non-free not supported) [stretch] - otrs2 (Non-free not supported) [jessie] - otrs2 (vulnerable code not present) NOTE: https://community.otrs.com/security-advisory-2019-15-security-update-for-otrs-framework/ CVE-2019-18179 (An issue was discovered in Open Ticket Request System (OTRS) 7.0.x thr ...) {DLA-2053-1} - otrs2 6.0.24-1 (bug #945251) [buster] - otrs2 (Non-free not supported) [stretch] - otrs2 (Non-free not supported) NOTE: https://community.otrs.com/security-advisory-2019-14-security-update-for-otrs-framework/ CVE-2019-18178 (Real Time Engineers FreeRTOS+FAT 160919a has a use after free. The fun ...) NOT-FOR-US: FreeRTOS+FAT CVE-2019-18177 RESERVED CVE-2019-18176 RESERVED CVE-2019-18175 RESERVED CVE-2019-18174 RESERVED CVE-2019-18173 RESERVED CVE-2019-18172 RESERVED CVE-2019-18171 RESERVED CVE-2019-18170 RESERVED CVE-2019-18169 RESERVED CVE-2019-18168 RESERVED CVE-2019-18167 RESERVED CVE-2019-18166 RESERVED CVE-2019-18165 RESERVED CVE-2019-18164 RESERVED CVE-2019-18163 RESERVED CVE-2019-18162 RESERVED CVE-2019-18161 RESERVED CVE-2019-18160 RESERVED CVE-2019-18159 RESERVED CVE-2019-18158 RESERVED CVE-2019-18157 RESERVED CVE-2019-18156 RESERVED CVE-2019-18155 RESERVED CVE-2019-18154 RESERVED CVE-2019-18153 RESERVED CVE-2019-18152 RESERVED CVE-2019-18151 RESERVED CVE-2019-18150 RESERVED CVE-2019-18149 RESERVED CVE-2019-18148 RESERVED CVE-2019-18147 RESERVED CVE-2019-18146 RESERVED CVE-2019-18145 RESERVED CVE-2019-18144 RESERVED CVE-2019-18143 RESERVED CVE-2019-18142 RESERVED CVE-2019-18141 RESERVED CVE-2019-18140 RESERVED CVE-2019-18139 RESERVED CVE-2019-18138 RESERVED CVE-2019-18137 RESERVED CVE-2019-18136 RESERVED CVE-2019-18135 RESERVED CVE-2019-18134 RESERVED CVE-2019-18133 RESERVED CVE-2019-18132 RESERVED CVE-2019-18131 RESERVED CVE-2019-18130 RESERVED CVE-2019-18129 RESERVED CVE-2019-18128 RESERVED CVE-2019-18127 RESERVED CVE-2019-18126 RESERVED CVE-2019-18125 RESERVED CVE-2019-18124 RESERVED CVE-2019-18123 RESERVED CVE-2019-18122 RESERVED CVE-2019-18121 RESERVED CVE-2019-18120 RESERVED CVE-2019-18119 RESERVED CVE-2019-18118 RESERVED CVE-2019-18117 RESERVED CVE-2019-18116 RESERVED CVE-2019-18115 RESERVED CVE-2019-18114 RESERVED CVE-2019-18113 RESERVED CVE-2019-18112 RESERVED CVE-2019-18111 RESERVED CVE-2019-18110 RESERVED CVE-2019-18109 RESERVED CVE-2019-18108 RESERVED CVE-2019-18107 RESERVED CVE-2019-18106 RESERVED CVE-2019-18105 RESERVED CVE-2019-18104 RESERVED CVE-2019-18103 RESERVED CVE-2019-18102 RESERVED CVE-2019-18101 RESERVED CVE-2019-18100 RESERVED CVE-2019-18099 RESERVED CVE-2019-18098 RESERVED CVE-2019-18097 RESERVED CVE-2019-18096 RESERVED CVE-2019-18095 RESERVED CVE-2019-18094 RESERVED CVE-2019-18093 RESERVED CVE-2019-18092 RESERVED CVE-2019-18091 RESERVED CVE-2019-18090 RESERVED CVE-2019-18089 RESERVED CVE-2019-18088 RESERVED CVE-2019-18087 RESERVED CVE-2019-18086 RESERVED CVE-2019-18085 RESERVED CVE-2019-18084 RESERVED CVE-2019-18083 RESERVED CVE-2019-18082 RESERVED CVE-2019-18081 RESERVED CVE-2019-18080 RESERVED CVE-2019-18079 RESERVED CVE-2019-18078 RESERVED CVE-2019-18077 RESERVED CVE-2019-18076 RESERVED CVE-2019-18075 RESERVED CVE-2019-18074 RESERVED CVE-2019-18073 RESERVED CVE-2019-18072 RESERVED CVE-2019-18071 RESERVED CVE-2019-18070 RESERVED CVE-2019-18069 RESERVED CVE-2019-18068 RESERVED CVE-2019-18067 RESERVED CVE-2019-18066 RESERVED CVE-2019-18065 RESERVED CVE-2019-18064 RESERVED CVE-2019-18063 RESERVED CVE-2019-18062 RESERVED CVE-2019-18061 RESERVED CVE-2019-18060 RESERVED CVE-2019-18059 RESERVED CVE-2019-18058 RESERVED CVE-2019-18057 RESERVED CVE-2019-18056 RESERVED CVE-2019-18055 RESERVED CVE-2019-18054 RESERVED CVE-2019-18053 RESERVED CVE-2019-18052 RESERVED CVE-2019-18051 RESERVED CVE-2019-18050 RESERVED CVE-2019-18049 RESERVED CVE-2019-18048 RESERVED CVE-2019-18047 RESERVED CVE-2019-18046 RESERVED CVE-2019-18045 RESERVED CVE-2019-18044 RESERVED CVE-2019-18043 RESERVED CVE-2019-18042 RESERVED CVE-2019-18041 RESERVED CVE-2019-18040 RESERVED CVE-2019-18039 RESERVED CVE-2019-18038 RESERVED CVE-2019-18037 RESERVED CVE-2019-18036 RESERVED CVE-2019-18035 RESERVED CVE-2019-18034 RESERVED CVE-2019-18033 RESERVED CVE-2019-18032 RESERVED CVE-2019-18031 RESERVED CVE-2019-18030 RESERVED CVE-2019-18029 RESERVED CVE-2019-18028 RESERVED CVE-2019-18027 RESERVED CVE-2019-18026 RESERVED CVE-2019-18025 RESERVED CVE-2019-18024 RESERVED CVE-2019-18023 RESERVED CVE-2019-18022 RESERVED CVE-2019-18021 RESERVED CVE-2019-18020 RESERVED CVE-2019-18019 RESERVED CVE-2019-18018 RESERVED CVE-2019-18017 RESERVED CVE-2019-18016 RESERVED CVE-2019-18015 RESERVED CVE-2019-18014 RESERVED CVE-2019-18013 RESERVED CVE-2019-18012 RESERVED CVE-2019-18011 RESERVED CVE-2019-18010 RESERVED CVE-2019-18009 RESERVED CVE-2019-18008 RESERVED CVE-2019-18007 RESERVED CVE-2019-18006 RESERVED CVE-2019-18005 RESERVED CVE-2019-18004 RESERVED CVE-2019-18003 RESERVED CVE-2019-18002 RESERVED CVE-2019-18001 RESERVED CVE-2019-18000 RESERVED CVE-2019-17999 RESERVED CVE-2019-17998 RESERVED CVE-2019-17997 RESERVED CVE-2019-17996 RESERVED CVE-2019-17995 RESERVED CVE-2019-17994 RESERVED CVE-2019-17993 RESERVED CVE-2019-17992 RESERVED CVE-2019-17991 RESERVED CVE-2019-17990 RESERVED CVE-2019-17989 RESERVED CVE-2019-17988 RESERVED CVE-2019-17987 RESERVED CVE-2019-17986 RESERVED CVE-2019-17985 RESERVED CVE-2019-17984 RESERVED CVE-2019-17983 RESERVED CVE-2019-17982 RESERVED CVE-2019-17981 RESERVED CVE-2019-17980 RESERVED CVE-2019-17979 RESERVED CVE-2019-17978 RESERVED CVE-2019-17977 RESERVED CVE-2019-17976 RESERVED CVE-2019-17975 RESERVED CVE-2019-17974 RESERVED CVE-2019-17973 RESERVED CVE-2019-17972 RESERVED CVE-2019-17971 RESERVED CVE-2019-17970 RESERVED CVE-2019-17969 RESERVED CVE-2019-17968 RESERVED CVE-2019-17967 RESERVED CVE-2019-17966 RESERVED CVE-2019-17965 RESERVED CVE-2019-17964 RESERVED CVE-2019-17963 RESERVED CVE-2019-17962 RESERVED CVE-2019-17961 RESERVED CVE-2019-17960 RESERVED CVE-2019-17959 RESERVED CVE-2019-17958 RESERVED CVE-2019-17957 RESERVED CVE-2019-17956 RESERVED CVE-2019-17955 RESERVED CVE-2019-17954 RESERVED CVE-2019-17953 RESERVED CVE-2019-17952 RESERVED CVE-2019-17951 RESERVED CVE-2019-17950 RESERVED CVE-2019-17949 RESERVED CVE-2019-17948 RESERVED CVE-2019-17947 RESERVED CVE-2019-17946 RESERVED CVE-2019-17945 RESERVED CVE-2019-17944 RESERVED CVE-2019-17943 RESERVED CVE-2019-17942 RESERVED CVE-2019-17941 RESERVED CVE-2019-17940 RESERVED CVE-2019-17939 RESERVED CVE-2019-17938 RESERVED CVE-2019-17937 RESERVED CVE-2019-17936 RESERVED CVE-2019-17935 RESERVED CVE-2019-17934 RESERVED CVE-2019-17933 RESERVED CVE-2019-17932 RESERVED CVE-2019-17931 RESERVED CVE-2019-17930 RESERVED CVE-2019-17929 RESERVED CVE-2019-17928 RESERVED CVE-2019-17927 RESERVED CVE-2019-17926 RESERVED CVE-2019-17925 RESERVED CVE-2019-17924 RESERVED CVE-2019-17923 RESERVED CVE-2019-17922 RESERVED CVE-2019-17921 RESERVED CVE-2019-17920 RESERVED CVE-2019-17919 RESERVED CVE-2019-17918 RESERVED CVE-2019-17917 RESERVED CVE-2019-17916 RESERVED CVE-2019-17915 RESERVED CVE-2019-17914 RESERVED CVE-2019-17913 RESERVED CVE-2019-17912 RESERVED CVE-2019-17911 RESERVED CVE-2019-17910 RESERVED CVE-2019-17909 RESERVED CVE-2019-17908 RESERVED CVE-2019-17907 RESERVED CVE-2019-17906 RESERVED CVE-2019-17905 RESERVED CVE-2019-17904 RESERVED CVE-2019-17903 RESERVED CVE-2019-17902 RESERVED CVE-2019-17901 RESERVED CVE-2019-17900 RESERVED CVE-2019-17899 RESERVED CVE-2019-17898 RESERVED CVE-2019-17897 RESERVED CVE-2019-17896 RESERVED CVE-2019-17895 RESERVED CVE-2019-17894 RESERVED CVE-2019-17893 RESERVED CVE-2019-17892 RESERVED CVE-2019-17891 RESERVED CVE-2019-17890 RESERVED CVE-2019-17889 RESERVED CVE-2019-17888 RESERVED CVE-2019-17887 RESERVED CVE-2019-17886 RESERVED CVE-2019-17885 RESERVED CVE-2019-17884 RESERVED CVE-2019-17883 RESERVED CVE-2019-17882 RESERVED CVE-2019-17881 RESERVED CVE-2019-17880 RESERVED CVE-2019-17879 RESERVED CVE-2019-17878 RESERVED CVE-2019-17877 RESERVED CVE-2019-17876 RESERVED CVE-2019-17875 RESERVED CVE-2019-17874 RESERVED CVE-2019-17873 RESERVED CVE-2019-17872 RESERVED CVE-2019-17871 RESERVED CVE-2019-17870 RESERVED CVE-2019-17869 RESERVED CVE-2019-17868 RESERVED CVE-2019-17867 RESERVED CVE-2019-17866 RESERVED CVE-2019-17865 RESERVED CVE-2019-17864 RESERVED CVE-2019-17863 RESERVED CVE-2019-17862 RESERVED CVE-2019-17861 RESERVED CVE-2019-17860 RESERVED CVE-2019-17859 RESERVED CVE-2019-17858 RESERVED CVE-2019-17857 RESERVED CVE-2019-17856 RESERVED CVE-2019-17855 RESERVED CVE-2019-17854 RESERVED CVE-2019-17853 RESERVED CVE-2019-17852 RESERVED CVE-2019-17851 RESERVED CVE-2019-17850 RESERVED CVE-2019-17849 RESERVED CVE-2019-17848 RESERVED CVE-2019-17847 RESERVED CVE-2019-17846 RESERVED CVE-2019-17845 RESERVED CVE-2019-17844 RESERVED CVE-2019-17843 RESERVED CVE-2019-17842 RESERVED CVE-2019-17841 RESERVED CVE-2019-17840 RESERVED CVE-2019-17839 RESERVED CVE-2019-17838 RESERVED CVE-2019-17837 RESERVED CVE-2019-17836 RESERVED CVE-2019-17835 RESERVED CVE-2019-17834 RESERVED CVE-2019-17833 RESERVED CVE-2019-17832 RESERVED CVE-2019-17831 RESERVED CVE-2019-17830 RESERVED CVE-2019-17829 RESERVED CVE-2019-17828 RESERVED CVE-2019-17827 RESERVED CVE-2019-17826 RESERVED CVE-2019-17825 RESERVED CVE-2019-17824 RESERVED CVE-2019-17823 RESERVED CVE-2019-17822 RESERVED CVE-2019-17821 RESERVED CVE-2019-17820 RESERVED CVE-2019-17819 RESERVED CVE-2019-17818 RESERVED CVE-2019-17817 RESERVED CVE-2019-17816 RESERVED CVE-2019-17815 RESERVED CVE-2019-17814 RESERVED CVE-2019-17813 RESERVED CVE-2019-17812 RESERVED CVE-2019-17811 RESERVED CVE-2019-17810 RESERVED CVE-2019-17809 RESERVED CVE-2019-17808 RESERVED CVE-2019-17807 RESERVED CVE-2019-17806 RESERVED CVE-2019-17805 RESERVED CVE-2019-17804 RESERVED CVE-2019-17803 RESERVED CVE-2019-17802 RESERVED CVE-2019-17801 RESERVED CVE-2019-17800 RESERVED CVE-2019-17799 RESERVED CVE-2019-17798 RESERVED CVE-2019-17797 RESERVED CVE-2019-17796 RESERVED CVE-2019-17795 RESERVED CVE-2019-17794 RESERVED CVE-2019-17793 RESERVED CVE-2019-17792 RESERVED CVE-2019-17791 RESERVED CVE-2019-17790 RESERVED CVE-2019-17789 RESERVED CVE-2019-17788 RESERVED CVE-2019-17787 RESERVED CVE-2019-17786 RESERVED CVE-2019-17785 RESERVED CVE-2019-17784 RESERVED CVE-2019-17783 RESERVED CVE-2019-17782 RESERVED CVE-2019-17781 RESERVED CVE-2019-17780 RESERVED CVE-2019-17779 RESERVED CVE-2019-17778 RESERVED CVE-2019-17777 RESERVED CVE-2019-17776 RESERVED CVE-2019-17775 RESERVED CVE-2019-17774 RESERVED CVE-2019-17773 RESERVED CVE-2019-17772 RESERVED CVE-2019-17771 RESERVED CVE-2019-17770 RESERVED CVE-2019-17769 RESERVED CVE-2019-17768 RESERVED CVE-2019-17767 RESERVED CVE-2019-17766 RESERVED CVE-2019-17765 RESERVED CVE-2019-17764 RESERVED CVE-2019-17763 RESERVED CVE-2019-17762 RESERVED CVE-2019-17761 RESERVED CVE-2019-17760 RESERVED CVE-2019-17759 RESERVED CVE-2019-17758 RESERVED CVE-2019-17757 RESERVED CVE-2019-17756 RESERVED CVE-2019-17755 RESERVED CVE-2019-17754 RESERVED CVE-2019-17753 RESERVED CVE-2019-17752 RESERVED CVE-2019-17751 RESERVED CVE-2019-17750 RESERVED CVE-2019-17749 RESERVED CVE-2019-17748 RESERVED CVE-2019-17747 RESERVED CVE-2019-17746 RESERVED CVE-2019-17745 RESERVED CVE-2019-17744 RESERVED CVE-2019-17743 RESERVED CVE-2019-17742 RESERVED CVE-2019-17741 RESERVED CVE-2019-17740 RESERVED CVE-2019-17739 RESERVED CVE-2019-17738 RESERVED CVE-2019-17737 RESERVED CVE-2019-17736 RESERVED CVE-2019-17735 RESERVED CVE-2019-17734 RESERVED CVE-2019-17733 RESERVED CVE-2019-17732 RESERVED CVE-2019-17731 RESERVED CVE-2019-17730 RESERVED CVE-2019-17729 RESERVED CVE-2019-17728 RESERVED CVE-2019-17727 RESERVED CVE-2019-17726 RESERVED CVE-2019-17725 RESERVED CVE-2019-17724 RESERVED CVE-2019-17723 RESERVED CVE-2019-17722 RESERVED CVE-2019-17721 RESERVED CVE-2019-17720 RESERVED CVE-2019-17719 RESERVED CVE-2019-17718 RESERVED CVE-2019-17717 RESERVED CVE-2019-17716 RESERVED CVE-2019-17715 RESERVED CVE-2019-17714 RESERVED CVE-2019-17713 RESERVED CVE-2019-17712 RESERVED CVE-2019-17711 RESERVED CVE-2019-17710 RESERVED CVE-2019-17709 RESERVED CVE-2019-17708 RESERVED CVE-2019-17707 RESERVED CVE-2019-17706 RESERVED CVE-2019-17705 RESERVED CVE-2019-17704 RESERVED CVE-2019-17703 RESERVED CVE-2019-17702 RESERVED CVE-2019-17701 RESERVED CVE-2019-17700 RESERVED CVE-2019-17699 RESERVED CVE-2019-17698 RESERVED CVE-2019-17697 RESERVED CVE-2019-17696 RESERVED CVE-2019-17695 RESERVED CVE-2019-17694 RESERVED CVE-2019-17693 RESERVED CVE-2019-17692 RESERVED CVE-2019-17691 RESERVED CVE-2019-17690 RESERVED CVE-2019-17689 RESERVED CVE-2019-17688 RESERVED CVE-2019-17687 RESERVED CVE-2019-17686 RESERVED CVE-2019-17685 RESERVED CVE-2019-17684 RESERVED CVE-2019-17683 RESERVED CVE-2019-17682 RESERVED CVE-2019-17681 RESERVED CVE-2019-17680 RESERVED CVE-2019-17679 RESERVED CVE-2019-17678 RESERVED CVE-2019-17677 RESERVED CVE-2019-17676 (app/system/admin/admin/index.class.php in MetInfo 7.0.0beta allows a C ...) NOT-FOR-US: MetInfo CVE-2019-17668 (Samsung Galaxy S10 and Note10 devices allow unlock operations via unre ...) NOT-FOR-US: Samsung Galaxy S10 and Note10 devices CVE-2019-17667 (Comtech H8 Heights Remote Gateway 2.5.1 devices allow XSS and HTML inj ...) NOT-FOR-US: Comtech H8 Heights Remote Gateway devices CVE-2019-17666 (rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Lin ...) {DLA-2114-1 DLA-2068-1} - linux 5.3.9-1 [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 NOTE: https://lkml.org/lkml/2019/10/16/1226 CVE-2019-17665 (NSA Ghidra before 9.0.2 is vulnerable to DLL hijacking because it load ...) - ghidra (bug #923851) CVE-2019-17664 (NSA Ghidra through 9.0.4 uses a potentially untrusted search path. Whe ...) - ghidra (bug #923851) CVE-2019-17663 (D-Link DIR-866L 1.03B04 devices allow XSS via HtmlResponseMessage in t ...) NOT-FOR-US: D-Link CVE-2019-17662 (ThinVNC 1.0b1 is vulnerable to arbitrary file read, which leads to a c ...) NOT-FOR-US: ThinVNC CVE-2019-17661 (A CSV injection in the codepress-admin-columns (aka Admin Columns) plu ...) NOT-FOR-US: Wordpress plugin CVE-2019-17660 (A cross-site scripting (XSS) vulnerability in admin/translate/translat ...) - limesurvey (bug #472802) CVE-2019-17659 RESERVED CVE-2019-17658 (An unquoted service path vulnerability in the FortiClient FortiTray co ...) NOT-FOR-US: Fortiguard CVE-2019-17657 (An Uncontrolled Resource Consumption vulnerability in Fortinet FortiSw ...) NOT-FOR-US: Fortiguard CVE-2019-17656 RESERVED CVE-2019-17655 (A cleartext storage in a file or on disk (CWE-313) vulnerability in Fo ...) NOT-FOR-US: Fortiguard CVE-2019-17654 (An Insufficient Verification of Data Authenticity vulnerability in For ...) NOT-FOR-US: Fortiguard CVE-2019-17653 (A Cross-Site Request Forgery (CSRF) vulnerability in the user interfac ...) NOT-FOR-US: Fortiguard CVE-2019-17652 (A stack buffer overflow vulnerability in FortiClient for Linux 6.2.1 a ...) NOT-FOR-US: Fortiguard FortiClient CVE-2019-17651 (An Improper Neutralization of Input vulnerability in the description a ...) NOT-FOR-US: FortiSIEM CVE-2019-17650 (An Improper Neutralization of Special Elements used in a Command vulne ...) NOT-FOR-US: Fortiguard CVE-2019-17649 RESERVED CVE-2019-17648 RESERVED CVE-2019-17647 (An issue was discovered in Centreon before 2.8.30, 18.10.8, 19.04.5, a ...) - centreon-web (bug #913903) CVE-2019-17646 (An issue was discovered in Centreon before 18.10.8, 19.04.5, and 19.10 ...) - centreon-web (bug #913903) CVE-2019-17645 (An issue was discovered in Centreon before 2.8.31, 18.10.9, 19.04.6, a ...) - centreon-web (bug #913903) CVE-2019-17644 (An issue was discovered in Centreon before 2.8-30, 18.10-8, 19.04-5, a ...) - centreon-web (bug #913903) CVE-2019-17643 (An issue was discovered in Centreon before 2.8-30,18.10-8, 19.04-5, an ...) - centreon-web (bug #913903) CVE-2019-17642 (An issue was discovered in Centreon before 18.10.8, 19.10.1, and 19.04 ...) - centreon-web (bug #913903) CVE-2019-17641 RESERVED CVE-2019-17640 RESERVED CVE-2019-17639 RESERVED CVE-2019-17638 RESERVED CVE-2019-17637 RESERVED CVE-2019-17636 (In Eclipse Theia versions 0.3.9 through 0.15.0, one of the default pre ...) NOT-FOR-US: Eclipse Theia CVE-2019-17635 (Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a dese ...) NOT-FOR-US: Eclipse Memory Analyzer CVE-2019-17634 (Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a cros ...) NOT-FOR-US: Eclipse Memory Analyzer CVE-2019-17633 (For Eclipse Che versions 6.16 to 7.3.0, with both authentication and T ...) NOT-FOR-US: Eclipse Che CVE-2019-17632 (In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4. ...) - jetty9 [buster] - jetty9 (Minor issue) [stretch] - jetty9 (Minor issue) - jetty8 [jessie] - jetty8 (vulnerable code introduced later) - jetty [jessie] - jetty (vulnerable code introduced later) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=553443 CVE-2019-17631 (From Eclipse OpenJ9 0.15 to 0.16, access to diagnostic operations such ...) NOT-FOR-US: Eclipse OpenJ9 CVE-2019-17630 (CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin via a cra ...) NOT-FOR-US: CMS Made Simple CVE-2019-17629 (CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin via a cra ...) NOT-FOR-US: CMS Made Simple CVE-2019-17628 RESERVED CVE-2019-17627 (The Yale Bluetooth Key application for mobile devices allows unauthori ...) NOT-FOR-US: Yale Bluetooth Key application for mobile devices CVE-2019-17626 (ReportLab through 3.5.26 allows remote code execution because of toCol ...) {DSA-4663-1 DLA-2112-1} - python-reportlab 3.5.34-1 (bug #942763) NOTE: https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code NOTE: Minimal patch in https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code#comment-55887892 NOTE: but upstream did make the bugreport private. CVE-2019-17625 (There is a stored XSS in Rambox 0.6.9 that can lead to code execution. ...) NOT-FOR-US: Rambox CVE-2019-17624 ("" In X.Org X Server 1.20.4, there is a stack-based buffer overflow in ...) NOTE: Bogus report, will probably get rejected NOTE: https://packetstormsecurity.com/files/154868/X.Org-X-Server-1.20.4-Local-Stack-Overflow.html CVE-2019-17623 RESERVED CVE-2019-17622 RESERVED CVE-2019-17675 (WordPress before 5.2.4 does not properly consider type confusion durin ...) {DSA-4599-1 DLA-1980-1} - wordpress 5.2.4+dfsg1-1 (bug #942459) [stretch] - wordpress 4.7.5+dfsg-2+deb9u6 NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html NOTE: https://core.trac.wordpress.org/changeset/46477 NOTE: https://github.com/WordPress/WordPress/commit/b183fd1cca0b44a92f0264823dd9f22d2fd8b8d0 NOTE: https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/ CVE-2019-17674 (WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripti ...) {DSA-4599-1} - wordpress 5.2.4+dfsg1-1 (bug #942459) [stretch] - wordpress 4.7.5+dfsg-2+deb9u6 [jessie] - wordpress (officially fixed in 4.1.28 but no related fix was identified) NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html NOTE: https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/ NOTE: https://wordpress.org/support/wordpress-version/version-4.1.28/ NOTE: https://github.com/WordPress/WordPress/commit/d1e2b35359df9644f255b7b54a568b56a2c490d7 (4.1.28) CVE-2019-17673 (WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON ...) {DSA-4599-1} - wordpress 5.2.4+dfsg1-1 (bug #942459) [stretch] - wordpress 4.7.5+dfsg-2+deb9u6 [jessie] - wordpress (vulnerable code not present) NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html NOTE: https://core.trac.wordpress.org/changeset/46478 NOTE: https://github.com/WordPress/WordPress/commit/b224c251adfa16a5f84074a3c0886270c9df38de NOTE: https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/ CVE-2019-17672 (WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject ...) {DSA-4599-1} - wordpress 5.2.4+dfsg1-1 (bug #942459) [stretch] - wordpress 4.7.5+dfsg-2+deb9u6 [jessie] - wordpress (officially fixed in 4.1.28 but no related fix was identified) NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html NOTE: https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/ NOTE: https://wordpress.org/support/wordpress-version/version-4.1.28/ NOTE: https://github.com/WordPress/WordPress/commit/d1e2b35359df9644f255b7b54a568b56a2c490d7 (4.1.28) CVE-2019-17671 (In WordPress before 5.2.4, unauthenticated viewing of certain content ...) {DSA-4599-1 DLA-1980-1} - wordpress 5.2.4+dfsg1-1 (bug #942459) [stretch] - wordpress 4.7.5+dfsg-2+deb9u6 NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html NOTE: https://core.trac.wordpress.org/changeset/46474 NOTE: https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f308 CVE-2019-17670 (WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulner ...) {DLA-1980-1} - wordpress 5.2.4+dfsg1-1 (bug #942459) [buster] - wordpress (Minor issue) [stretch] - wordpress (Minor issue) NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html NOTE: https://core.trac.wordpress.org/changeset/46472 NOTE: https://github.com/WordPress/WordPress/commit/9db44754b9e4044690a6c32fd74b9d5fe26b07b2 NOTE: https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/ CVE-2019-17669 (WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulner ...) {DSA-4599-1 DLA-1980-1} - wordpress 5.2.4+dfsg1-1 (bug #942459) [stretch] - wordpress 4.7.5+dfsg-2+deb9u6 NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html NOTE: https://core.trac.wordpress.org/changeset/46475 NOTE: https://github.com/WordPress/WordPress/commit/608d39faed63ea212b6c6cdf9fe2bef92e2120ea NOTE: https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/ CVE-2019-17621 (The UPnP endpoint URL /gena.cgi in the D-Link DIR-859 Wi-Fi router 1.0 ...) NOT-FOR-US: D-Link CVE-2019-17620 RESERVED CVE-2019-17619 RESERVED CVE-2019-17618 RESERVED CVE-2019-17617 RESERVED CVE-2019-17616 RESERVED CVE-2019-17615 RESERVED CVE-2019-17614 RESERVED CVE-2019-17613 (qibosoft 7 allows remote code execution because do/jf.php makes eval c ...) NOT-FOR-US: qibosoft CVE-2019-17612 (An issue was discovered in 74CMS v5.2.8. There is a SQL Injection gene ...) NOT-FOR-US: 74CMS CVE-2019-17611 (HongCMS 3.0.0 has XSS via the install/index.php tableprefix parameter. ...) NOT-FOR-US: HongCMS CVE-2019-17610 (HongCMS 3.0.0 has XSS via the install/index.php dbpassword parameter. ...) NOT-FOR-US: HongCMS CVE-2019-17609 (HongCMS 3.0.0 has XSS via the install/index.php dbusername parameter. ...) NOT-FOR-US: HongCMS CVE-2019-17608 (HongCMS 3.0.0 has XSS via the install/index.php dbname parameter. ...) NOT-FOR-US: HongCMS CVE-2019-17607 (HongCMS 3.0.0 has XSS via the install/index.php servername parameter. ...) NOT-FOR-US: HongCMS CVE-2019-17606 (The Post editor functionality in the hexo-admin plugin versions 2.3.0 ...) NOT-FOR-US: hexo-admin Node module CVE-2019-17605 (A mass assignment vulnerability in eyecomms eyeCMS through 2019-10-15 ...) NOT-FOR-US: eyeCMS CVE-2019-17604 (An Insecure Direct Object Reference (IDOR) vulnerability in eyecomms e ...) NOT-FOR-US: eyeCMS CVE-2019-17603 (Ene.sys in Asus Aura Sync through 1.07.71 does not properly validate i ...) NOT-FOR-US: Asus CVE-2019-17602 (An issue was discovered in Zoho ManageEngine OpManager before 12.4 bui ...) NOT-FOR-US: Zoho ManageEngine OpManager CVE-2019-17601 (In MiniShare 1.4.1, there is a stack-based buffer overflow via an HTTP ...) NOT-FOR-US: MiniShare CVE-2016-11016 (NETGEAR JNR1010 devices before 1.0.0.32 allow webproc?getpage= XSS. ...) NOT-FOR-US: NETGEAR CVE-2016-11015 (NETGEAR JNR1010 devices before 1.0.0.32 allow cgi-bin/webproc CSRF via ...) NOT-FOR-US: NETGEAR CVE-2016-11014 (NETGEAR JNR1010 devices before 1.0.0.32 have Incorrect Access Control ...) NOT-FOR-US: NETGEAR CVE-2019-17600 (Intelbras IWR 1000N 1.6.4 devices allow disclosure of the administrato ...) NOT-FOR-US: Intelbras IWR 1000N devices CVE-2019-17599 (The quiz-master-next (aka Quiz And Survey Master) plugin before 6.3.5 ...) NOT-FOR-US: quiz-master-next (aka Quiz And Survey Master) plugin for WordPress CVE-2019-17598 (An issue was discovered in Lightbend Play Framework 2.5.x through 2.6. ...) NOT-FOR-US: Lightbend Play Framework CVE-2019-17597 RESERVED CVE-2017-1002201 (In haml versions prior to version 5.0.0.beta.2, when using user input ...) {DLA-1986-1} - ruby-haml 5.0.4-1 [stretch] - ruby-haml (Minor issue) NOTE: https://snyk.io/vuln/SNYK-RUBY-HAML-20362 NOTE: https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2 CVE-2019-17596 (Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to ...) {DSA-4551-1} - golang-1.13 1.13.3-1 (bug #942628) - golang-1.12 1.12.12-1 (bug #942629) - golang-1.11 - golang-1.8 [stretch] - golang-1.8 (Minor issue) - golang-1.7 [stretch] - golang-1.7 (Minor issue) - golang [jessie] - golang (Minor issue) NOTE: https://golang.org/issue/34960 NOTE: https://github.com/golang/go/issues/34962 (1.13 backport) NOTE: https://github.com/golang/go/issues/34961 (1.12 backport) NOTE: https://groups.google.com/forum/#!msg/golang-announce/lVEm7llp0w0/VbafyRkgCgAJ CVE-2019-17595 (There is a heap-based buffer over-read in the fmt_entry function in ti ...) - ncurses 6.1+20191019-1 (low; bug #942401) [buster] - ncurses 6.1+20181013-2+deb10u2 [stretch] - ncurses (Minor issue) [jessie] - ncurses (Minor issue) NOTE: https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html NOTE: https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html CVE-2019-17594 (There is a heap-based buffer over-read in the _nc_find_entry function ...) - ncurses 6.1+20191019-1 (low; bug #942401) [buster] - ncurses 6.1+20181013-2+deb10u2 [stretch] - ncurses (Minor issue) [jessie] - ncurses (Minor issue) NOTE: https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html NOTE: https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html CVE-2019-17593 (JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an adm ...) NOT-FOR-US: JIZHICMS CVE-2019-17592 (The csv-parse module before 4.4.6 for Node.js is vulnerable to Regular ...) NOT-FOR-US: csv-parse Node module CVE-2019-17591 RESERVED CVE-2019-17590 (** DISPUTED ** The csrf_callback function in the CSRF Magic library th ...) NOT-FOR-US: CSRF Magic library CVE-2019-17589 REJECTED CVE-2019-17588 REJECTED CVE-2019-17587 REJECTED CVE-2019-17586 REJECTED CVE-2019-17585 REJECTED CVE-2019-17584 (The Meinberg SyncBox/PTP/PTPv2 devices have default SSH keys which all ...) NOT-FOR-US: Meinberg SyncBox/PTP/PTPv2 devices CVE-2019-17583 (idreamsoft iCMS 7.0.15 allows remote attackers to cause a denial of se ...) NOT-FOR-US: idreamsoft iCMS CVE-2019-17582 RESERVED CVE-2019-17581 (tonyy dormsystem through 1.3 allows DOM XSS. ...) NOT-FOR-US: tonyy dormsystem CVE-2019-17580 (tonyy dormsystem through 1.3 allows SQL Injection in admin.php. ...) NOT-FOR-US: tonyy dormsystem CVE-2019-17579 (SonarSource SonarQube before 7.8 has XSS in project links on account/p ...) NOT-FOR-US: SonarSource SonarQube CVE-2019-17578 (An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoi ...) - dolibarr CVE-2019-17577 (An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoi ...) - dolibarr CVE-2019-17576 (An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoi ...) - dolibarr CVE-2019-17575 (A file-rename filter bypass exists in admin/media/rename.php in WBCE C ...) NOT-FOR-US: WBCE CMS CVE-2019-17574 (An issue was discovered in the Popup Maker plugin before 1.8.13 for Wo ...) NOT-FOR-US: Popup Maker plugin for WordPress CVE-2019-17573 (By default, Apache CXF creates a /services page containing a listing o ...) NOT-FOR-US: Apache CFX CVE-2019-17572 (In Apache RocketMQ 4.2.0 to 4.6.0, when the automatic topic creation i ...) NOT-FOR-US: Apache RocketMQ CVE-2019-17571 (Included in Log4j 1.2 is a SocketServer class that is vulnerable to de ...) {DSA-4686-1 DLA-2065-1} - apache-log4j1.2 1.2.17-9 (bug #947124) NOTE: https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E NOTE: CVE-2019-17571 correspond to CVE-2017-5645 for apache-log4j2. 1.2.x branch NOTE: is end-of-life upstream and does not recieve a fix for this issue. Users NOTE: should upgrade to Log4j 2.x. NOTE: Fixed by https://src.fedoraproject.org/rpms/log4j12/c/d4c817c458d69dcc629a7271999d178b0dcb7c74?branch=master CVE-2019-17570 (An untrusted deserialization was found in the org.apache.xmlrpc.parser ...) {DSA-4619-1 DLA-2078-1} - libxmlrpc3-java (bug #949089) NOTE: https://www.openwall.com/lists/oss-security/2020/01/16/1 NOTE: Proposed patch: https://bugzilla.redhat.com/show_bug.cgi?id=1775193 NOTE: https://github.com/orangecertcc/xmlrpc-common-deserialization CVE-2019-17569 (The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8 ...) {DSA-4680-1 DSA-4673-1 DLA-2133-1} - tomcat9 9.0.31-1 - tomcat8 [jessie] - tomcat8 (vulnerable code introduced in later version) - tomcat7 NOTE: https://github.com/apache/tomcat/commit/060ecc5eb839208687b7fcc9e35287ac8eb46998 (9.0.31) NOTE: https://github.com/apache/tomcat/commit/959f1dfd767bf3cb64776b44f7395d1d8d8f7ab3 (8.5.51) NOTE: https://github.com/apache/tomcat/commit/b191a0d9cf06f4e04257c221bfe41d2b108a9cc8 (7.0.100) CVE-2019-17568 REJECTED CVE-2019-17567 RESERVED CVE-2019-17566 [SSRF vulnerability] RESERVED - batik (bug #964510) NOTE: https://www.openwall.com/lists/oss-security/2020/06/15/2 NOTE: patch: http://svn.apache.org/viewvc?view=revision&revision=1871084 NOTE: corresponding bug: https://issues.apache.org/jira/browse/BATIK-1276 CVE-2019-17565 (There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0. ...) {DSA-4672-1} - trafficserver 8.0.6+ds-1 NOTE: https://lists.apache.org/thread.html/r99d18d0bc4daa05e7d0e5a63e0e22701a421b2ef5a8f4f7694c43869%40%3Cannounce.trafficserver.apache.org%3E NOTE: https://github.com/apache/trafficserver/commit/60e0a8ce23d390b851873e020483d6f75e857158 CVE-2019-17564 (Unsafe deserialization occurs within a Dubbo application which has HTT ...) NOT-FOR-US: Dubbo CVE-2019-17563 (When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, ...) {DSA-4680-1 DSA-4596-1 DLA-2209-1 DLA-2077-1} - tomcat9 9.0.31-1 - tomcat8 - tomcat7 NOTE: https://github.com/apache/tomcat/commit/1ecba14e690cf5f3f143eef6ae7037a6d3c16652 (9.0.30) NOTE: https://github.com/apache/tomcat/commit/e19a202ee43b6e2a538be5515ae0ab32d8ef112c (8.5.50) NOTE: https://github.com/apache/tomcat/commit/ab72a106fe5d992abddda954e30849d7cf8cc583 (7.0.99) CVE-2019-17562 (A buffer overflow vulnerability has been found in the baremetal compon ...) NOT-FOR-US: Apache CloudStack CVE-2019-17561 (The "Apache NetBeans" autoupdate system does not fully validate code s ...) - netbeans (unimportant) NOTE: Debian packages updated via apt CVE-2019-17560 (The "Apache NetBeans" autoupdate system does not validate SSL certific ...) - netbeans (unimportant) NOTE: Debian packages updated via apt CVE-2019-17559 (There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0. ...) {DSA-4672-1} - trafficserver 8.0.6+ds-1 NOTE: https://lists.apache.org/thread.html/r99d18d0bc4daa05e7d0e5a63e0e22701a421b2ef5a8f4f7694c43869%40%3Cannounce.trafficserver.apache.org%3E CVE-2019-17558 (Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code ...) - lucene-solr (unimportant) NOTE: https://www.openwall.com/lists/oss-security/2019/12/30/1 NOTE: https://issues.apache.org/jira/browse/SOLR-13971 NOTE: https://issues.apache.org/jira/browse/SOLR-14025 TODO: check, whilst the advisory claims 5.0.0 upwards only the SolrParamResourceLoader might be of issue already earlier? CVE-2019-17557 (It was found that the Apache Syncope EndUser UI login page prio to 2.0 ...) NOT-FOR-US: Apache Syncope CVE-2019-17556 (Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService clas ...) NOT-FOR-US: Olingo CVE-2019-17555 (The AsyncResponseWrapperImpl class in Apache Olingo versions 4.0.0 to ...) NOT-FOR-US: Olingo CVE-2019-17554 (The XML content type entity deserializer in Apache Olingo versions 4.0 ...) NOT-FOR-US: Olingo CVE-2019-17553 (An issue was discovered in MetInfo v7.0.0 beta. There is SQL Injection ...) NOT-FOR-US: MetInfo CVE-2019-17552 (An issue was discovered in idreamsoft iCMS v7.0.14. There is a spider_ ...) NOT-FOR-US: idreamsoft iCMS CVE-2019-17551 (In Apak Wholesale Floorplanning Finance 6.31.8.3 and 6.31.8.5, an atta ...) NOT-FOR-US: Apak Wholesale Floorplanning Finance CVE-2019-17550 (The Blog2Social plugin before 5.9.0 for WordPress is affected by: Cros ...) NOT-FOR-US: Blog2Social plugin for WordPress CVE-2019-17549 (ESET Cyber Security before 6.8.1.0 is vulnerable to a denial-of-servic ...) NOT-FOR-US: ESET Cyber Security CVE-2019-17548 RESERVED CVE-2015-9536 (The Easy Digital Downloads (EDD) Twenty-Twelve theme for WordPress, as ...) NOT-FOR-US: Wordpress theme CVE-2015-9535 (The Easy Digital Downloads (EDD) Shoppette theme for WordPress, as use ...) NOT-FOR-US: Wordpress theme CVE-2015-9534 (The Easy Digital Downloads (EDD) Quota theme for WordPress, as used wi ...) NOT-FOR-US: Wordpress theme CVE-2015-9533 (The Easy Digital Downloads (EDD) Lattice theme for WordPress, as used ...) NOT-FOR-US: Wordpress theme CVE-2015-9532 (The Easy Digital Downloads (EDD) Digital Store theme for WordPress, as ...) NOT-FOR-US: Wordpress theme CVE-2015-9531 (The Easy Digital Downloads (EDD) Wish Lists extension for WordPress, a ...) NOT-FOR-US: Wordpress plugin CVE-2015-9530 (The Easy Digital Downloads (EDD) Upload File extension for WordPress, ...) NOT-FOR-US: Wordpress plugin CVE-2015-9529 (The Easy Digital Downloads (EDD) Stripe extension for WordPress, as us ...) NOT-FOR-US: Wordpress plugin CVE-2015-9528 (The Easy Digital Downloads (EDD) Software Licensing extension for Word ...) NOT-FOR-US: Wordpress plugin CVE-2015-9527 (The Easy Digital Downloads (EDD) Simple Shipping extension for WordPre ...) NOT-FOR-US: Wordpress plugin CVE-2015-9526 (The Easy Digital Downloads (EDD) Reviews extension for WordPress, as u ...) NOT-FOR-US: Wordpress plugin CVE-2015-9525 (The Easy Digital Downloads (EDD) Recurring Payments extension for Word ...) NOT-FOR-US: Wordpress plugin CVE-2015-9524 (The Easy Digital Downloads (EDD) Recount Earnings extension for WordPr ...) NOT-FOR-US: Wordpress plugin CVE-2015-9523 (The Easy Digital Downloads (EDD) Recommended Products extension for Wo ...) NOT-FOR-US: Wordpress plugin CVE-2015-9522 (The Easy Digital Downloads (EDD) QR Code extension for WordPress, as u ...) NOT-FOR-US: Wordpress plugin CVE-2015-9521 (The Easy Digital Downloads (EDD) Pushover Notifications extension for ...) NOT-FOR-US: Wordpress plugin CVE-2015-9520 (The Easy Digital Downloads (EDD) Per Product Emails extension for Word ...) NOT-FOR-US: Wordpress plugin CVE-2015-9519 (The Easy Digital Downloads (EDD) PDF Stamper extension for WordPress, ...) NOT-FOR-US: Wordpress plugin CVE-2015-9518 (The Easy Digital Downloads (EDD) PDF Invoices extension for WordPress, ...) NOT-FOR-US: Wordpress plugin CVE-2015-9517 (The Easy Digital Downloads (EDD) Manual Purchases extension for WordPr ...) NOT-FOR-US: Wordpress plugin CVE-2015-9516 (The Easy Digital Downloads (EDD) Invoices extension for WordPress, as ...) NOT-FOR-US: Wordpress plugin CVE-2015-9515 (The Easy Digital Downloads (EDD) htaccess Editor extension for WordPre ...) NOT-FOR-US: Wordpress plugin CVE-2015-9514 (The Easy Digital Downloads (EDD) Free Downloads extension for WordPres ...) NOT-FOR-US: Wordpress plugin CVE-2015-9513 (The Easy Digital Downloads (EDD) Favorites extension for WordPress, as ...) NOT-FOR-US: Wordpress plugin CVE-2015-9512 (The Easy Digital Downloads (EDD) CSV Manager extension for WordPress, ...) NOT-FOR-US: Wordpress plugin CVE-2015-9511 (The Easy Digital Downloads (EDD) Conditional Success Redirects extensi ...) NOT-FOR-US: Wordpress plugin CVE-2015-9510 (The Easy Digital Downloads (EDD) Cross-sell Upsell extension for WordP ...) NOT-FOR-US: Wordpress plugin CVE-2015-9509 (The Easy Digital Downloads (EDD) Content Restriction extension for Wor ...) NOT-FOR-US: Wordpress plugin CVE-2015-9508 (The Easy Digital Downloads (EDD) Commissions extension for WordPress, ...) NOT-FOR-US: Wordpress plugin CVE-2015-9507 (The Easy Digital Downloads (EDD) Attach Accounts to Orders extension f ...) NOT-FOR-US: Wordpress plugin CVE-2015-9506 (The Easy Digital Downloads (EDD) Amazon S3 extension for WordPress, as ...) NOT-FOR-US: Wordpress plugin CVE-2015-9505 (The Easy Digital Downloads (EDD) core component 1.8.x before 1.8.7, 1. ...) NOT-FOR-US: Wordpress plugin CVE-2015-9504 (The weeklynews theme before 2.2.9 for WordPress has XSS via the s para ...) NOT-FOR-US: Wordpress plugin CVE-2015-9503 (The Modern theme before 1.4.2 for WordPress has XSS via the genericons ...) NOT-FOR-US: Wordpress theme CVE-2015-9502 (The Auberge theme before 1.4.5 for WordPress has XSS via the genericon ...) NOT-FOR-US: Wordpress theme CVE-2015-9501 (The Artificial Intelligence theme before 1.2.4 for WordPress has XSS b ...) NOT-FOR-US: Wordpress plugin CVE-2015-9500 (The Exquisite Ultimate Newspaper theme 1.3.3 for WordPress has XSS via ...) NOT-FOR-US: Wordpress plugin CVE-2015-9499 (The Showbiz Pro plugin through 1.7.1 for WordPress has PHP code execut ...) NOT-FOR-US: Wordpress plugin CVE-2015-9498 (The wps-hide-login plugin before 1.1 for WordPress has CSRF that affec ...) NOT-FOR-US: Wordpress plugin CVE-2015-9497 (The ad-inserter plugin before 1.5.3 for WordPress has CSRF with result ...) NOT-FOR-US: Wordpress plugin CVE-2015-9496 (The freshmail-newsletter plugin before 1.6 for WordPress has shortcode ...) NOT-FOR-US: Wordpress plugin CVE-2015-9495 (The syndication-links plugin before 1.0.3 for WordPress has XSS via th ...) NOT-FOR-US: Wordpress plugin CVE-2015-9494 (The indieweb-post-kinds plugin before 1.3.1.1 for WordPress has XSS vi ...) NOT-FOR-US: Wordpress plugin CVE-2015-9493 (The my-wish-list plugin before 1.4.2 for WordPress has multiple XSS is ...) NOT-FOR-US: Wordpress plugin CVE-2019-17547 (In ImageMagick before 7.0.8-62, TraceBezier in MagickCore/draw.c has a ...) - imagemagick (Vulnerable code not present) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16537 NOTE: https://github.com/ImageMagick/ImageMagick/commit/ecf7c6b288e11e7e7f75387c5e9e93e423b98397 CVE-2019-17546 (tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL through 3.0. ...) {DSA-4670-1 DSA-4608-1 DLA-2147-1 DLA-2009-1} - gdal (unimportant) - tiff 4.0.10+git190818-1 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443 NOTE: https://github.com/OSGeo/gdal/commit/21674033ee246f698887604c7af7ba1962a40ddf NOTE: https://gitlab.com/libtiff/libtiff/commit/4bb584a35f87af42d6cf09d15e9ce8909a839145 NOTE: gdal uses system libtiff libraries since 2.0.1+dfsg-1~exp1 (#684233) CVE-2019-17545 (GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in ...) {DLA-1984-1} - gdal 2.4.2+dfsg-2 (low) [buster] - gdal (Minor issue) [stretch] - gdal (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16178 NOTE: https://github.com/OSGeo/gdal/commit/148115fcc40f1651a5d15fa34c9a8c528e7147bb CVE-2019-17544 (libaspell.a in GNU Aspell before 0.60.8 has a stack-based buffer over- ...) {DLA-1966-1} - aspell 0.60.8-1 (low) [buster] - aspell (Minor issue) [stretch] - aspell (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16109 NOTE: https://github.com/GNUAspell/aspell/commit/80fa26c74279fced8d778351cff19d1d8f44fe4e CVE-2019-17543 (LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (rela ...) - lz4 1.9.2-1 (low; bug #943680) [buster] - lz4 (Minor issue) [stretch] - lz4 (Minor issue) [jessie] - lz4 (Very hard to exploit, low risk) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941 NOTE: https://github.com/lz4/lz4/pull/756 NOTE: https://github.com/lz4/lz4/pull/760 CVE-2019-17542 (FFmpeg before 4.2 has a heap-based buffer overflow in vqa_decode_chunk ...) {DLA-2021-1} - ffmpeg 7:4.2.1-1 [stretch] - ffmpeg (Minor issue, wait until fixed in 3.2.x branch) - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/02f909dc24b1f05cfbba75077c7707b905e63cd2 CVE-2019-17541 (ImageMagick before 7.0.8-55 has a use-after-free in DestroyStringInfo ...) - imagemagick (Vulnerable code introduced later) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15827 NOTE: https://github.com/ImageMagick/ImageMagick/commit/39f226a9c137f547e12afde972eeba7551124493 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/c1a5aa3f4214ad6e4748de84dad44398959014e1 NOTE: https://github.com/ImageMagick/ImageMagick/issues/1641 NOTE: vulnerable code introduced in NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/edb32b1780e23c76b5d6dd735f89959a0b7e3867 CVE-2019-17540 (ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPS ...) - imagemagick (bug #942578; Vulnerable code introduced later) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826 NOTE: vulnerable code introduced in NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/bfb5bdd6b41dac60d5171108fc02ecaf8735c4a8 NOTE: no upstream bug report, four commits: NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/668d6a970553a94b0a2e378afda1d37abac94b5c NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/9667a9034a5eeedb30dfb18cfd1083ff32fd679b NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/73dd03cfb57f8f8c0a732fa062b9966ec7bf2f91 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/e868e227085463932c5db32e5e0f27e306a0eb95 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/b9261b1bce3dbfeecc445e092d207434b41c0752 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/5a4c9cfb76ee82bda0cd970cc9e58499b09cc137 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/41399a3414069870071e47680b0bbbe0a283db5d NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/4ba4dc73b7e38bb66c57d457f17ab4aeb9b6bbdc CVE-2019-17539 (In FFmpeg before 4.2, avcodec_open2 in libavcodec/utils.c allows a NUL ...) - ffmpeg 7:4.2.1-1 (low) [stretch] - ffmpeg (Minor issue, wait until fixed in 3.2.x branch) - libav (low) [jessie] - libav (Vulnerable code introduced in v12.x) NOTE: https://github.com/FFmpeg/FFmpeg/commit/8df6884832ec413cf032dfaa45c23b1c7876670c CVE-2019-17538 (Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for fil ...) NOT-FOR-US: Jiangnan Online Judge CVE-2019-17537 (Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for fil ...) NOT-FOR-US: Jiangnan Online Judge CVE-2019-17536 (Gila CMS through 1.11.4 allows Unrestricted Upload of a File with a Da ...) NOT-FOR-US: Gila CMS CVE-2019-17535 (Gila CMS through 1.11.4 allows blog-list.php XSS, in both the gila-blo ...) NOT-FOR-US: Gila CMS CVE-2019-17534 (vips_foreign_load_gif_scan_image in foreign/gifload.c in libvips befor ...) - vips (Vulnerable code never in a released version) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16796 NOTE: Introduced by: https://github.com/libvips/libvips/commit/https://github.com/libvips/libvips/commit/25e457736173369dcb0f7c09d07af68aedbdc175 NOTE: Fixed by: https://github.com/libvips/libvips/commit/ce684dd008532ea0bf9d4a1d89bacb35f4a83f4d CVE-2019-17533 (Mat_VarReadNextInfo4 in mat4.c in MATIO 1.5.17 omits a certain '\0' ch ...) {DLA-2267-1} - libmatio 1.5.17-4 (bug #942255) [buster] - libmatio (Minor issue) [stretch] - libmatio (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16856 NOTE: https://github.com/tbeu/matio/commit/651a8e28099edb5fbb9e4e1d4d3238848f446c9a CVE-2019-17532 (An issue was discovered on Belkin Wemo Switch 28B WW_2.00.11057.PVT-OW ...) NOT-FOR-US: Belkin CVE-2019-17531 (A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...) {DLA-2030-1} - jackson-databind 2.10.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2498 NOTE: https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. CVE-2019-17530 (An issue was discovered in Bento4 1.5.1.0. There is a heap-based buffe ...) NOT-FOR-US: Bento4 CVE-2019-17529 (An issue was discovered in Bento4 1.5.1.0. There is a heap-based buffe ...) NOT-FOR-US: Bento4 CVE-2019-17528 (An issue was discovered in Bento4 1.5.1.0. There is a SEGV in the func ...) NOT-FOR-US: Bento4 CVE-2019-17527 (dataForDepandantField in models/custormfields.php in the JS JOBS FREE ...) NOT-FOR-US: JS JOBS FREE extension for Joomla! CVE-2019-17526 (** DISPUTED ** An issue was discovered in SageMath Sage Cell Server th ...) NOT-FOR-US: Sage Cell Server (not part of SafeMath as packaged in Debian) CVE-2019-17525 (The login page on D-Link DIR-615 T1 20.10 devices allows remote attack ...) NOT-FOR-US: D-Link CVE-2019-17524 (An XSS vulnerability on Technicolor TC7300 STFA.51.20 devices allows r ...) NOT-FOR-US: Technicolor TC7300 STFA.51.20 devices CVE-2019-17523 (An XSS vulnerability on Technicolor TC7300 STFA.51.20 devices allows r ...) NOT-FOR-US: Technicolor TC7300 STFA.51.20 devices CVE-2019-17522 (A stored XSS vulnerability was discovered in Hotaru CMS v1.7.2 via the ...) NOT-FOR-US: Hotaru CMS CVE-2019-17521 (An issue was discovered in Landing-CMS 0.0.6. There is a CSRF vulnerab ...) NOT-FOR-US: Landing-CMS CVE-2019-17520 (The Bluetooth Low Energy implementation on Texas Instruments SDK throu ...) NOT-FOR-US: Texas Instruments CVE-2019-17519 (The Bluetooth Low Energy implementation on NXP SDK through 2.2.1 for K ...) NOT-FOR-US: NXP CVE-2019-17518 (The Bluetooth Low Energy implementation on Dialog Semiconductor SDK th ...) NOT-FOR-US: Dialog Semiconductor CVE-2019-17517 (The Bluetooth Low Energy implementation on Dialog Semiconductor SDK th ...) NOT-FOR-US: Dialog Semiconductor CVE-2019-17516 RESERVED CVE-2019-17515 (The CleanTalk cleantalk-spam-protect plugin before 5.127.4 for WordPre ...) NOT-FOR-US: CleanTalk cleantalk-spam-protect plugin for WordPress CVE-2019-17514 (library/glob.html in the Python 2 and 3 documentation before 2016 has ...) NOT-FOR-US: Non-actionable CVE assignment for Python docs CVE-2019-17513 (An issue was discovered in Ratpack before 1.7.5. Due to a misuse of th ...) NOT-FOR-US: Ratpack CVE-2019-17512 (There are some web interfaces without authentication requirements on D ...) NOT-FOR-US: D-Link CVE-2019-17511 (There are some web interfaces without authentication requirements on D ...) NOT-FOR-US: D-Link CVE-2019-17510 (D-Link DIR-846 devices with firmware 100A35 allow remote attackers to ...) NOT-FOR-US: D-Link CVE-2019-17509 (D-Link DIR-846 devices with firmware 100A35 allow remote attackers to ...) NOT-FOR-US: D-Link CVE-2019-17508 (On D-Link DIR-859 A3-1.06 and DIR-850 A1.13 devices, /etc/services/DEV ...) NOT-FOR-US: D-Link CVE-2019-17507 (An issue was discovered on D-Link DIR-816 A1 1.06 devices. An attacker ...) NOT-FOR-US: D-Link CVE-2019-17506 (There are some web interfaces without authentication requirements on D ...) NOT-FOR-US: D-Link CVE-2019-17505 (D-Link DAP-1320 A2-V1.21 routers have some web interfaces without auth ...) NOT-FOR-US: D-Link CVE-2017-18638 (send_email in graphite-web/webapp/graphite/composer/views.py in Graphi ...) {DLA-1962-1} - graphite-web 1.1.4-5 [buster] - graphite-web 1.1.4-3+deb10u1 NOTE: https://github.com/graphite-project/graphite-web/issues/2008 NOTE: https://github.com/graphite-project/graphite-web/pull/2499 NOTE: https://github.com/graphite-project/graphite-web/security/advisories/GHSA-vfj6-275q-4pvm CVE-2019-17504 (An issue was discovered in Kirona Dynamic Resource Scheduling (DRS) 5. ...) NOT-FOR-US: Kirona Dynamic Resource Scheduling (DRS) CVE-2019-17503 (An issue was discovered in Kirona Dynamic Resource Scheduling (DRS) 5. ...) NOT-FOR-US: Kirona Dynamic Resource Scheduling (DRS) CVE-2019-17502 (Hydra through 0.1.8 has a NULL pointer dereference and daemon crash wh ...) NOT-FOR-US: Hydra (different from src:hydra) CVE-2019-17501 (Centreon 19.04 allows attackers to execute arbitrary OS commands via t ...) - centreon-web (bug #913903) CVE-2019-17500 RESERVED CVE-2019-17499 (The setter.xml component of the Common Gateway Interface on Compal CH7 ...) NOT-FOR-US: Compal CH7465LG devices CVE-2019-17498 (In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic i ...) {DLA-1991-1} - libssh2 (low; bug #943562) [buster] - libssh2 (Minor issue) [stretch] - libssh2 (Minor issue) NOTE: https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c NOTE: https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/ NOTE: Backported SUSE patch for versions <= 1.8.0 (including struct string_buf, NOTE: and the functions _libssh2_check_length(), _libssh2_get_u32() and NOTE: libssh2_get_string(), forming part of the fix): NOTE: https://bugzilla.suse.com/attachment.cgi?id=822416 NOTE: Only exploitable with a malicious server CVE-2018-21028 (Boa through 0.94.14rc21 allows remote attackers to trigger a memory le ...) - boa CVE-2018-21027 (Boa through 0.94.14rc21 allows remote attackers to trigger an out-of-m ...) - boa CVE-2015-9492 (The ThemeMakers SmartIT Premium Responsive theme through 2015-05-15 fo ...) NOT-FOR-US: ThemeMakers SmartIT Premium Responsive theme for WordPress CVE-2015-9491 (The ThemeMakers Blessing Premium Responsive theme through 2015-05-15 f ...) NOT-FOR-US: ThemeMakers Blessing Premium Responsive theme for WordPress CVE-2015-9490 (The ThemeMakers GamesTheme Premium theme through 2015-05-15 for WordPr ...) NOT-FOR-US: ThemeMakers GamesTheme Premium theme for WordPress CVE-2015-9489 (The ThemeMakers Goodnex Premium Responsive theme through 2015-05-15 fo ...) NOT-FOR-US: ThemeMakers Goodnex Premium Responsive theme for WordPress CVE-2015-9488 (The ThemeMakers Almera Responsive Portfolio Site Template component th ...) NOT-FOR-US: ThemeMakers Almera Responsive Portfolio Site Template component for WordPress CVE-2015-9487 (The ThemeMakers Almera Responsive Portfolio theme through 2015-05-15 f ...) NOT-FOR-US: ThemeMakers Almera Responsive Portfolio theme for WordPress CVE-2015-9486 (The ThemeMakers Axioma Premium Responsive theme through 2015-05-15 for ...) NOT-FOR-US: ThemeMakers Axioma Premium Responsive theme for WordPress CVE-2015-9485 (The ThemeMakers Accio Responsive Parallax One Page Site Template compo ...) NOT-FOR-US: ThemeMakers Accio Responsive Parallax One Page Site Template component for WordPress CVE-2015-9484 (The ThemeMakers Accio One Page Parallax Responsive theme through 2015- ...) NOT-FOR-US: ThemeMakers Accio One Page Parallax Responsive theme for WordPress CVE-2015-9483 (The ThemeMakers Invento Responsive Gallery/Architecture Template compo ...) NOT-FOR-US: ThemeMakers Invento Responsive Gallery/Architecture Template component for WordPress CVE-2015-9482 (The ThemeMakers Car Dealer / Auto Dealer Responsive theme through 2015 ...) NOT-FOR-US: ThemeMakers Car Dealer / Auto Dealer Responsive theme for WordPress CVE-2015-9481 (The ThemeMakers Diplomat | Political theme through 2015-05-15 for Word ...) NOT-FOR-US: ThemeMakers Diplomat | Political theme for WordPress CVE-2010-5340 (IceWarp Webclient before 10.2.1 has XSS via an HTTP POST request: webm ...) NOT-FOR-US: IceWarp Webclient CVE-2010-5339 (IceWarp Webclient before 10.2.1 has XSS via an HTTP POST request: webm ...) NOT-FOR-US: IceWarp Webclient CVE-2010-5338 (IceWarp Webclient before 10.2.1 has XSS via an HTTP POST request: webm ...) NOT-FOR-US: IceWarp Webclient CVE-2010-5337 (IceWarp Webclient before 10.2.1 has XSS via an HTTP POST request: webm ...) NOT-FOR-US: IceWarp Webclient CVE-2010-5336 (IceWarp Webclient before 10.2.1 has XSS via an HTTP POST request: admi ...) NOT-FOR-US: IceWarp Webclient CVE-2010-5335 (IceWarp Webclient before 10.2.1 has a directory traversal vulnerabilit ...) NOT-FOR-US: IceWarp Webclient CVE-2010-5334 (IceWarp Webclient before 10.2.1 has a directory traversal vulnerabilit ...) NOT-FOR-US: IceWarp Webclient CVE-2019-17497 (Tracker PDF-XChange Editor before 8.0.330.0 has an NTLM SSO hash theft ...) NOT-FOR-US: Tracker PDF-XChange Editor CVE-2019-17496 (Craft CMS before 3.3.8 has stored XSS via a name field. This field is ...) NOT-FOR-US: Craft CMS CVE-2019-17495 (A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI b ...) - node-swagger-ui (bug #871461) - swagger-ui (bug #895422) CVE-2019-17494 (laravel-bjyblog 6.1.1 has XSS via a crafted URL. ...) NOT-FOR-US: laravel-bjyblog CVE-2019-17493 (Jiangnan Online Judge (aka jnoj) 0.8.0 has XSS via the Problem[sample_ ...) NOT-FOR-US: Jiangnan Online Judge CVE-2019-17492 RESERVED CVE-2019-17491 (Jiangnan Online Judge (aka jnoj) 0.8.0 has XSS via the Problem[descrip ...) NOT-FOR-US: Jiangnan Online Judge CVE-2019-17490 (app\modules\polygon\controllers\ProblemController in Jiangnan Online J ...) NOT-FOR-US: Jiangnan Online Judge CVE-2019-17489 (Jiangnan Online Judge (aka jnoj) 0.8.0 has XSS via the Problem[title] ...) NOT-FOR-US: Jiangnan Online Judge CVE-2019-17488 (b3log Symphony (aka Sym) before 3.6.0 has XSS via the HTTP User-Agent ...) NOT-FOR-US: b3log Symphony CVE-2019-17487 RESERVED CVE-2019-17486 RESERVED CVE-2019-17485 RESERVED CVE-2019-17484 RESERVED CVE-2019-17483 RESERVED CVE-2019-17482 RESERVED CVE-2019-17481 RESERVED CVE-2019-17480 RESERVED CVE-2019-17479 RESERVED CVE-2019-17478 RESERVED CVE-2019-17477 RESERVED CVE-2019-17476 RESERVED CVE-2019-17475 RESERVED CVE-2019-17474 RESERVED CVE-2019-17473 RESERVED CVE-2019-17472 RESERVED CVE-2019-17471 RESERVED CVE-2019-17470 RESERVED CVE-2019-17469 RESERVED CVE-2019-17468 RESERVED CVE-2019-17467 RESERVED CVE-2019-17466 RESERVED CVE-2019-17465 RESERVED CVE-2019-17464 RESERVED CVE-2019-17463 RESERVED CVE-2019-17462 RESERVED CVE-2019-17461 RESERVED CVE-2019-17460 RESERVED CVE-2019-17459 RESERVED CVE-2019-17458 RESERVED CVE-2019-17457 RESERVED CVE-2019-17456 RESERVED CVE-2019-17455 (Libntlm through 1.5 relies on a fixed buffer size for tSmbNtlmAuthRequ ...) {DLA-2207-1} - libntlm 1.6-1 (bug #942145) [buster] - libntlm (Minor issue) [stretch] - libntlm (Minor issue) NOTE: https://gitlab.com/jas/libntlm/issues/2 NOTE: https://gitlab.com/jas/libntlm/-/commit/b967886873fcf19f816b9c0868465f2d9e5df85e CVE-2019-17454 (Bento4 1.5.1.0 has a NULL pointer dereference in AP4_Descriptor::GetTa ...) NOT-FOR-US: Bento4 CVE-2019-17453 (Bento4 1.5.1.0 has a NULL pointer dereference in AP4_DescriptorListWri ...) NOT-FOR-US: Bento4 CVE-2019-17452 (Bento4 1.5.1.0 has a NULL pointer dereference in AP4_DescriptorListIns ...) NOT-FOR-US: Bento4 CVE-2019-17451 (An issue was discovered in the Binary File Descriptor (BFD) library (a ...) - binutils (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25070 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=336bfbeb1848f4b9558456fdcf283ee8a32d7fd1 NOTE: binutils not covered by security support CVE-2019-17450 (find_abstract_instance in dwarf2.c in the Binary File Descriptor (BFD) ...) - binutils (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25078 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=063c511bd79281f33fd33f0964541a73511b9e2b NOTE: binutils not covered by security support CVE-2019-17449 (** DISPUTED ** Avira Software Updater before 2.0.6.21094 allows a DLL ...) NOT-FOR-US: Avira Software Updater CVE-2019-17448 RESERVED CVE-2019-17447 RESERVED CVE-2019-17446 (An issue was discovered in Eracent EPA Agent through 10.2.26. The agen ...) NOT-FOR-US: Eracent EPA Agent CVE-2019-17445 (An issue was discovered in Eracent EDA, EPA, EPM, EUA, FLW, and SUM Ag ...) NOT-FOR-US: Eracent EDA, EPA, EPM, EUA, FLW, and SUM Agent CVE-2019-17444 RESERVED CVE-2019-17443 RESERVED CVE-2019-17442 RESERVED CVE-2019-17441 RESERVED CVE-2019-17440 (Improper restriction of communications to Log Forwarding Card (LFC) on ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2019-17439 RESERVED CVE-2019-17438 RESERVED CVE-2019-17437 (An improper authentication check in Palo Alto Networks PAN-OS may allo ...) NOT-FOR-US: PAN-OS CVE-2019-17436 (A Local Privilege Escalation vulnerability exists in GlobalProtect Age ...) NOT-FOR-US: GlobalProtect Agent CVE-2019-17435 (A Local Privilege Escalation vulnerability exists in the GlobalProtect ...) NOT-FOR-US: GlobalProtect Agent CVE-2019-17434 (LavaLite through 5.7 has XSS via a crafted account name that is mishan ...) NOT-FOR-US: LavaLite CVE-2019-17433 (z-song laravel-admin 1.7.3 has XSS via the Slug or Name on the Roles s ...) NOT-FOR-US: z-song laravel-admin CVE-2019-17432 (An issue was discovered in fastadmin 1.0.0.20190705_beta. There is a p ...) NOT-FOR-US: fastadmin CVE-2019-17431 (An issue was discovered in fastadmin 1.0.0.20190705_beta. There is a p ...) NOT-FOR-US: fastadmin CVE-2019-17430 (EyouCms through 2019-07-11 has XSS related to the login.php web_record ...) NOT-FOR-US: EyouCms CVE-2019-17429 (Adhouma CMS through 2019-10-09 has SQL Injection via the post.php p_id ...) NOT-FOR-US: Adhouma CMS CVE-2015-9480 (The RobotCPA plugin 5 for WordPress has directory traversal via the f. ...) NOT-FOR-US: RobotCPA plugin for WordPress CVE-2015-9479 (The ACF-Frontend-Display plugin through 2015-07-03 for WordPress has a ...) NOT-FOR-US: ACF-Frontend-Display plugin for WordPress CVE-2015-9478 (prettyPhoto before 3.1.6 has js/jquery.prettyPhoto.js XSS. ...) NOT-FOR-US: prettyPhoto CVE-2015-9477 (The Vernissage theme 1.2.8 for WordPress has insufficient restrictions ...) NOT-FOR-US: Vernissage theme for WordPress CVE-2015-9476 (The Teardrop theme 1.8.1 for WordPress has insufficient restrictions o ...) NOT-FOR-US: Teardrop theme for WordPress CVE-2015-9475 (The Pont theme 1.5 for WordPress has insufficient restrictions on opti ...) NOT-FOR-US: Pont theme for WordPress CVE-2015-9474 (The Simpolio theme 1.3.2 for WordPress has insufficient restrictions o ...) NOT-FOR-US: Simpolio theme for WordPress CVE-2015-9473 (The estrutura-basica theme through 2015-09-13 for WordPress has direct ...) NOT-FOR-US: estrutura-basica theme for WordPress CVE-2015-9472 (The incoming-links plugin before 0.9.10b for WordPress has referrers.p ...) NOT-FOR-US: incoming-links plugin for WordPress CVE-2015-9471 (The dzs-zoomsounds plugin through 2.0 for WordPress has admin/upload.p ...) NOT-FOR-US: dzs-zoomsounds plugin for WordPress CVE-2015-9470 (The history-collection plugin through 1.1.1 for WordPress has director ...) NOT-FOR-US: history-collection plugin for WordPress CVE-2015-9469 (The content-grabber plugin 1.0 for WordPress has XSS via obj_field_nam ...) NOT-FOR-US: content-grabber plugin for WordPress CVE-2015-9468 (The broken-link-manager plugin 0.4.5 for WordPress has XSS via the pag ...) NOT-FOR-US: broken-link-manager plugin for WordPress CVE-2015-9467 (The broken-link-manager plugin before 0.5.0 for WordPress has wpslDelU ...) NOT-FOR-US: broken-link-manager plugin for WordPress CVE-2015-9466 (The wti-like-post plugin before 1.4.3 for WordPress has WtiLikePostPro ...) NOT-FOR-US: wti-like-post plugin for WordPress CVE-2015-9465 (The yet-another-stars-rating plugin before 0.9.1 for WordPress has yas ...) NOT-FOR-US: yet-another-stars-rating plugin for WordPress CVE-2015-9464 (The s3bubble-amazon-s3-html-5-video-with-adverts plugin 0.7 for WordPr ...) NOT-FOR-US: s3bubble-amazon-s3-html-5-video-with-adverts plugin for WordPress CVE-2015-9463 (The s3bubble-amazon-s3-audio-streaming plugin 2.0 for WordPress has di ...) NOT-FOR-US: s3bubble-amazon-s3-audio-streaming plugin for WordPress CVE-2015-9462 (The awesome-filterable-portfolio plugin before 1.9 for WordPress has a ...) NOT-FOR-US: awesome-filterable-portfolio plugin for WordPress CVE-2015-9461 (The awesome-filterable-portfolio plugin before 1.9 for WordPress has a ...) NOT-FOR-US: awesome-filterable-portfolio plugin for WordPress CVE-2015-9460 (The booking-system plugin before 2.1 for WordPress has DOPBSPBackEndTr ...) NOT-FOR-US: booking-system plugin for WordPress CVE-2015-9459 (The searchterms-tagging-2 plugin through 1.535 for WordPress has XSS v ...) NOT-FOR-US: searchterms-tagging-2 plugin for WordPress CVE-2015-9458 (The searchterms-tagging-2 plugin through 1.535 for WordPress has SQL i ...) NOT-FOR-US: searchterms-tagging-2 plugin for WordPress CVE-2015-9457 (The pretty-link plugin before 1.6.8 for WordPress has PrliLinksControl ...) NOT-FOR-US: pretty-link plugin for WordPress CVE-2019-17428 (An issue was discovered in Intesync Solismed 3.3sp1. An flaw in the en ...) NOT-FOR-US: Intesync Solismed CVE-2019-17427 (In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists ...) {DSA-4574-1} - redmine 4.0.4-1 NOTE: Fixed in 3.4.11 and 4.0.4 NOTE: https://github.com/redmine/redmine/commit/899fc2e0cd2bcb4f5f9333b612b160bb9c6e803b CVE-2019-17426 (Automattic Mongoose through 5.7.4 allows attackers to bypass access co ...) NOT-FOR-US: Automattic Mongoose (different from Cesenta Mongoose) CVE-2019-17425 RESERVED CVE-2019-17424 (A stack-based buffer overflow in the processPrivilage() function in IO ...) NOT-FOR-US: nipper-ng CVE-2019-17423 RESERVED CVE-2019-17422 RESERVED CVE-2019-17421 (Incorrect file permissions on the packaged Nipper executable file in Z ...) NOT-FOR-US: Zoho CVE-2019-17420 (In OISF LibHTP before 0.5.31, as used in Suricata 4.1.4 and other prod ...) - libhtp 1:0.5.31-1 [buster] - libhtp (Minor issue) NOTE: https://github.com/OISF/libhtp/pull/213 CVE-2019-17419 (An issue was discovered in MetInfo 7.0. There is SQL injection via the ...) NOT-FOR-US: MetInfo CVE-2019-17418 (An issue was discovered in MetInfo 7.0. There is SQL injection via the ...) NOT-FOR-US: MetInfo CVE-2019-17417 (PbootCMS 2.0.2 allows XSS via vectors involving the Pboot/admin.php?p= ...) NOT-FOR-US: PbootCMS CVE-2019-17416 RESERVED CVE-2019-17415 (A Structured Exception Handler (SEH) based buffer overflow in File Sha ...) NOT-FOR-US: File Sharing Wizard CVE-2019-17414 (tinylcy Vino through 2017-12-15 allows remote attackers to cause a den ...) NOT-FOR-US: tinylcy Vino CVE-2019-17413 RESERVED CVE-2019-17412 RESERVED CVE-2019-17411 RESERVED CVE-2019-17410 RESERVED CVE-2019-17409 (Reflected XSS exists in interface/forms/eye_mag/view.php in OpenEMR 5. ...) NOT-FOR-US: OpenEMR CVE-2019-17408 (parserIfLabel in inc/zzz_template.php in ZZZCMS zzzphp 1.7.3 allows re ...) NOT-FOR-US: ZZZCMS CVE-2019-17407 RESERVED CVE-2019-14842 (Structured reply is a feature of the newstyle NBD protocol allowing th ...) - libnbd 1.0.3-1 (bug #942215) NOTE: https://www.redhat.com/archives/libguestfs/2019-October/msg00060.html NOTE: https://github.com/libguestfs/libnbd/commit/f75f602a6361c0c5f42debfeea6980f698ce7f09 (1.1.4) NOTE: https://github.com/libguestfs/libnbd/commit/2c1987fc23d6d0f537edc6d4701e95a2387f7917 (stable-1.0) CVE-2019-17406 (Nokia IMPACT < 18A has path traversal that may lead to RCE if chain ...) NOT-FOR-US: Nokia CVE-2019-17405 (Nokia IMPACT < 18A: has Reflected self XSS ...) NOT-FOR-US: Nokia CVE-2019-17404 (Nokia IMPACT < 18A: allows full path disclosure ...) NOT-FOR-US: Nokia CVE-2019-17403 (Nokia IMPACT < 18A: An unrestricted File Upload vulnerability was f ...) NOT-FOR-US: Nokia CVE-2019-17402 (Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in ...) {DLA-2019-1} - exiv2 (bug #946341) [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/issues/1019 NOTE: https://github.com/Exiv2/exiv2/commit/88054239e3c914862d13f6ac89a19a104fa2c076 (master) NOTE: https://github.com/Exiv2/exiv2/commit/50e9dd964a439da357798344ed1dd86edcadf0ec (0.27-branch) NOTE: Follow-up: https://github.com/Exiv2/exiv2/issues/1026 CVE-2019-17401 (** DISPUTED ** libyal liblnk 20191006 has a heap-based buffer over-rea ...) - liblnk (unimportant) NOTE: https://github.com/libyal/liblnk/issues/40 NOTE: Negligible/questionable security impact CVE-2019-17400 (The unoconv package before 0.9 mishandles untrusted pathnames, leading ...) - unoconv 0.7-2 (low; bug #943561) [buster] - unoconv (Minor issue) [stretch] - unoconv (Minor issue) [jessie] - unoconv (Minor issue) NOTE: https://github.com/unoconv/unoconv/pull/510 CVE-2019-17399 (The Shack Forms Pro extension before 4.0.32 for Joomla! allows path tr ...) NOT-FOR-US: Shack Forms Pro extension for Joomla! CVE-2019-17398 (In the Dark Horse Comics application 1.3.21 for Android, token informa ...) NOT-FOR-US: Dark Horse Comics application CVE-2019-17397 (In the DoorDash application through 11.5.2 for Android, the username a ...) NOT-FOR-US: DoorDash application CVE-2019-17396 (In the PowerSchool Mobile application 1.1.8 for Android, the username ...) NOT-FOR-US: PowerSchool Mobile application CVE-2019-17395 (In the Rapid Gator application 0.7.1 for Android, the username and pas ...) NOT-FOR-US: Rapid Gator application CVE-2019-17394 (In the Seesaw Parent and Family application 6.2.5 for Android, the use ...) NOT-FOR-US: Seesaw Parent and Family application CVE-2019-17393 (The Customer's Tomedo Server in Version 1.7.3 communicates to the Vend ...) NOT-FOR-US: Tomedo Server CVE-2019-17392 (Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a ...) NOT-FOR-US: Progress Sitefinity CVE-2019-17391 (An issue was discovered in the Espressif ESP32 mask ROM code 2016-06-0 ...) NOT-FOR-US: Espressif ESP32 CVE-2019-17390 (An issue was discovered in the Outlook add-in in Pronestor Planner bef ...) NOT-FOR-US: Outlook add-in in Pronestor Planner CVE-2019-17389 (In RIOT 2019.07, the MQTT-SN implementation (asymcute) mishandles erro ...) NOT-FOR-US: RIOT RIOT-OS CVE-2019-17388 (Weak file permissions applied to the Aviatrix VPN Client through 2.2.1 ...) NOT-FOR-US: Aviatrix VPN Client CVE-2019-17387 (An authentication flaw in the AVPNC_RP service in Aviatrix VPN Client ...) NOT-FOR-US: Aviatrix VPN Client CVE-2019-17386 (The animate-it plugin before 2.3.6 for WordPress has CSRF in edsanimat ...) NOT-FOR-US: Wordpress plugin CVE-2019-17385 (The animate-it plugin before 2.3.5 for WordPress has XSS. ...) NOT-FOR-US: animate-it plugin for WordPress CVE-2019-17384 (The animate-it plugin before 2.3.4 for WordPress has XSS. ...) NOT-FOR-US: animate-it plugin for WordPress CVE-2019-17383 (The netaddr gem before 2.0.4 for Ruby has misconfigured file permissio ...) - ruby-netaddr (Upstream packaging issue) CVE-2019-17382 (An issue was discovered in zabbix.php?action=dashboard.view&dashbo ...) - zabbix [buster] - zabbix (Minor issue) [stretch] - zabbix (Minor issue) [jessie] - zabbix (Minor issue, guest accounts can be disabled) NOTE: https://support.zabbix.com/browse/ZBX-16789 NOTE: Disputed by upstream, closed as not a security bug. NOTE: Guest account is disabled by default starting in 4.0.15rc1, 4.4.2rc1 and NOTE: 5.0.0alpha1 (Cf. https://support.zabbix.com/browse/ZBXNEXT-5532) CVE-2019-17381 RESERVED CVE-2019-17380 (cPanel before 82.0.15 allows self XSS in the WHM Update Preferences in ...) NOT-FOR-US: cPanel CVE-2019-17379 (cPanel before 82.0.15 allows self stored XSS in the WHM SSL Storage Ma ...) NOT-FOR-US: cPanel CVE-2019-17378 (cPanel before 82.0.15 allows self XSS in the SSL Key Delete interface ...) NOT-FOR-US: cPanel CVE-2019-17377 (cPanel before 82.0.15 allows self XSS in LiveAPI example scripts (SEC- ...) NOT-FOR-US: cPanel CVE-2019-17376 (cPanel before 82.0.15 allows self XSS in the SSL Certificate Upload in ...) NOT-FOR-US: cPanel CVE-2019-17375 (cPanel before 82.0.15 allows API token credentials to persist after an ...) NOT-FOR-US: cPanel CVE-2019-17374 RESERVED CVE-2019-17373 (Certain NETGEAR devices allow unauthenticated access to critical .cgi ...) NOT-FOR-US: NETGEAR CVE-2019-17372 (Certain NETGEAR devices allow remote attackers to disable all authenti ...) NOT-FOR-US: NETGEAR CVE-2019-17371 (gif2png 2.5.13 has a memory leak in the writefile function. ...) - gif2png (unimportant) NOTE: https://github.com/glennrp/libpng/issues/307 NOTE: Initially filed for libpng, but the bug is actually in gif2png NOTE: Memory leak in CLI tool, no security impact CVE-2019-17370 (OTCMS v3.85 allows arbitrary PHP Code Execution because admin/sysCheck ...) NOT-FOR-US: OTCMS CVE-2019-17369 (OTCMS v3.85 has CSRF in the admin/member_deal.php Admin Panel page, le ...) NOT-FOR-US: OTCMS CVE-2019-17368 (S-CMS v1.5 has XSS in tpl.php via the member/member_login.php from par ...) NOT-FOR-US: S-CMS CVE-2019-17367 (OpenWRT firmware version 18.06.4 is vulnerable to CSRF via wireless/ra ...) NOT-FOR-US: OpenWRT CVE-2019-17366 (Citrix Application Delivery Management (ADM) 12.1 before build 54.13 h ...) NOT-FOR-US: Citrix CVE-2019-17365 (Nix through 2.3 allows local users to gain access to an arbitrary user ...) NOT-FOR-US: Nix CVE-2019-17364 (The processCommandUploadLog() function of libcommon.so in Petwant PF-1 ...) NOT-FOR-US: Petwant CVE-2019-17363 RESERVED CVE-2019-17362 (In LibTomCrypt through 1.18.2, the der_decode_utf8_string function (in ...) {DLA-1951-1} - libtomcrypt 1.18.2-3 [buster] - libtomcrypt (Minor issue) [stretch] - libtomcrypt (Minor issue) NOTE: https://github.com/libtom/libtomcrypt/issues/507 NOTE: https://github.com/libtom/libtomcrypt/pull/508 CVE-2019-17361 (In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh ...) {DSA-4676-1} - salt 2019.2.3+dfsg1-1 (bug #949222) [jessie] - salt (Vulnerable code added in v2014.7) NOTE: https://github.com/saltstack/salt/commit/bca115f3f00fbde564dd2f12bf036b5d2fd08387 NOTE: Vulnerability introduced in https://github.com/saltstack/salt/commit/3bade9d6258fb8df849b32f68de6343cfdd83720 CVE-2019-17360 (A vulnerability in Hitachi Command Suite 7.x and 8.x before 8.7.0-00 a ...) NOT-FOR-US: Hitachi CVE-2018-21026 (A vulnerability in Hitachi Command Suite 7.x and 8.x before 8.6.5-00 a ...) NOT-FOR-US: Hitachi CVE-2019-17359 (The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigge ...) - bouncycastle (Vulnerable code introduced n 1.63) NOTE: Introduced only in 1.63, fixed in 1.64. NOTE: https://github.com/bcgit/bc-java/commit/b1bc75254f5fea633a49a751a1a7339056f97856 CVE-2019-17358 (Cacti through 1.2.7 is affected by multiple instances of lib/functions ...) {DSA-4604-1 DLA-2032-1} - cacti 1.2.8+ds1-1 (bug #947375) NOTE: https://github.com/Cacti/cacti/issues/3026 NOTE: https://github.com/Cacti/cacti/commit/adf221344359f5b02b8aed43dfb6b33ae5d708c8 CVE-2019-17357 (Cacti through 1.2.7 is affected by a graphs.php?template_id= SQL injec ...) - cacti 1.2.8+ds1-1 (bug #947374) [buster] - cacti 1.2.2+ds1-2+deb10u2 [stretch] - cacti (Vulnerable code not present) [jessie] - cacti (Vulnerable code not present) NOTE: https://github.com/Cacti/cacti/issues/3025 NOTE: https://github.com/Cacti/cacti/commit/d6dc48503bbcde0717e7a93df7638fd4796200f4 CVE-2019-17356 (The Infinite Design application 3.4.12 for Android sends a username an ...) NOT-FOR-US: Infinite Design application CVE-2019-17355 (In the Orbitz application 19.31.1 for Android, the username and passwo ...) NOT-FOR-US: Orbitz application CVE-2019-17354 (wan.htm page on Zyxel NBG-418N v2 with firmware version V1.00(AARP.9)C ...) NOT-FOR-US: Zyxel CVE-2019-17353 (An issue discovered on D-Link DIR-615 devices with firmware version 20 ...) NOT-FOR-US: D-Link CVE-2019-17352 (In JFinal cos before 2019-08-13, as used in JFinal 4.4, there is a vul ...) NOT-FOR-US: JFinal CVE-2019-17339 RESERVED CVE-2019-17338 (The user interface component of TIBCO Software Inc.'s TIBCO Patterns - ...) NOT-FOR-US: TIBCO CVE-2019-17337 (The Spotfire library component of TIBCO Software Inc.'s TIBCO Spotfire ...) NOT-FOR-US: TIBCO CVE-2019-17336 (The Data access layer component of TIBCO Software Inc.'s TIBCO Spotfir ...) NOT-FOR-US: TIBCO CVE-2019-17335 (The Data access layer component of TIBCO Software Inc.'s TIBCO Spotfir ...) NOT-FOR-US: TIBCO CVE-2019-17334 (The Visualizations component of TIBCO Software Inc.'s TIBCO Spotfire A ...) NOT-FOR-US: TIBCO CVE-2019-17333 (The Web server component of TIBCO Software Inc.'s TIBCO EBX contains a ...) NOT-FOR-US: TIBCO EBX CVE-2019-17332 (The Digital Asset Manager Web Interface component of TIBCO Software In ...) NOT-FOR-US: TIBCO CVE-2019-17331 (The Data Exchange Web Interface component of TIBCO Software Inc.'s TIB ...) NOT-FOR-US: TIBCO CVE-2019-17330 (The Web server component of TIBCO Software Inc.'s TIBCO EBX contains m ...) NOT-FOR-US: TIBCO CVE-2019-17329 RESERVED CVE-2019-17328 RESERVED CVE-2019-17327 (JEUS 7 Fix#0~5 and JEUS 8Fix#0~1 versions contains a directory travers ...) NOT-FOR-US: JEUS CVE-2019-17326 (ClipSoft REXPERT 1.0.0.527 and earlier version allows remote attacker ...) NOT-FOR-US: ClipSoft REXPERT CVE-2019-17325 (ClipSoft REXPERT 1.0.0.527 and earlier version allows remote attacker ...) NOT-FOR-US: ClipSoft REXPERT CVE-2019-17324 (ClipSoft REXPERT 1.0.0.527 and earlier version allows directory traver ...) NOT-FOR-US: ClipSoft REXPERT CVE-2019-17323 (ClipSoft REXPERT 1.0.0.527 and earlier version allows arbitrary file c ...) NOT-FOR-US: ClipSoft REXPERT CVE-2019-17322 (ClipSoft REXPERT 1.0.0.527 and earlier version allows arbitrary file c ...) NOT-FOR-US: ClipSoft REXPERT CVE-2019-17321 (ClipSoft REXPERT 1.0.0.527 and earlier version have an information dis ...) NOT-FOR-US: ClipSoft REXPERT CVE-2019-17320 (NetSarang XFTP Client 6.0149 and earlier version contains a buffer ove ...) NOT-FOR-US: NetSarang XFTP Client CVE-2019-17319 (SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the ...) NOT-FOR-US: SugarCRM CVE-2019-17318 (SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the ...) NOT-FOR-US: SugarCRM CVE-2019-17317 (SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection ...) NOT-FOR-US: SugarCRM CVE-2019-17316 (SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection ...) NOT-FOR-US: SugarCRM CVE-2019-17315 (SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection ...) NOT-FOR-US: SugarCRM CVE-2019-17314 (SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal ...) NOT-FOR-US: SugarCRM CVE-2019-17313 (SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal ...) NOT-FOR-US: SugarCRM CVE-2019-17312 (SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal ...) NOT-FOR-US: SugarCRM CVE-2019-17311 (SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal ...) NOT-FOR-US: SugarCRM CVE-2019-17310 (SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection i ...) NOT-FOR-US: SugarCRM CVE-2019-17309 (SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection i ...) NOT-FOR-US: SugarCRM CVE-2019-17308 (SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection i ...) NOT-FOR-US: SugarCRM CVE-2019-17307 (SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection i ...) NOT-FOR-US: SugarCRM CVE-2019-17306 (SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection i ...) NOT-FOR-US: SugarCRM CVE-2019-17305 (SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection i ...) NOT-FOR-US: SugarCRM CVE-2019-17304 (SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection i ...) NOT-FOR-US: SugarCRM CVE-2019-17303 (SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection i ...) NOT-FOR-US: SugarCRM CVE-2019-17302 (SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection i ...) NOT-FOR-US: SugarCRM CVE-2019-17301 (SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection i ...) NOT-FOR-US: SugarCRM CVE-2019-17300 (SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection i ...) NOT-FOR-US: SugarCRM CVE-2019-17299 (SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection i ...) NOT-FOR-US: SugarCRM CVE-2019-17298 (SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the ...) NOT-FOR-US: SugarCRM CVE-2019-17297 (SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the ...) NOT-FOR-US: SugarCRM CVE-2019-17296 (SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the ...) NOT-FOR-US: SugarCRM CVE-2019-17295 (SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the ...) NOT-FOR-US: SugarCRM CVE-2019-17294 (SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the ...) NOT-FOR-US: SugarCRM CVE-2019-17293 (SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the ...) NOT-FOR-US: SugarCRM CVE-2019-17292 (SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the ...) NOT-FOR-US: SugarCRM CVE-2019-17291 REJECTED CVE-2019-17290 REJECTED CVE-2019-17289 REJECTED CVE-2019-17288 REJECTED CVE-2019-17287 REJECTED CVE-2019-17286 REJECTED CVE-2019-17285 REJECTED CVE-2019-17284 REJECTED CVE-2019-17283 REJECTED CVE-2019-17282 REJECTED CVE-2019-17281 REJECTED CVE-2019-17280 REJECTED CVE-2019-17279 REJECTED CVE-2019-17278 REJECTED CVE-2019-17277 REJECTED CVE-2019-17276 (OnCommand System Manager versions 9.3 prior to 9.3P18 and 9.4 prior to ...) NOT-FOR-US: OnCommand CVE-2019-17275 (OnCommand Cloud Manager versions prior to 3.8.0 are susceptible to arb ...) NOT-FOR-US: OnCommand Cloud Manager CVE-2019-17274 (NetApp FAS 8300/8700 and AFF A400 Baseboard Management Controller (BMC ...) NOT-FOR-US: NetApp CVE-2019-17273 (E-Series SANtricity OS Controller Software version 11.60.0 is suscepti ...) NOT-FOR-US: E-Series SANtricity OS Controller Software CVE-2019-17272 (All versions of ONTAP Select Deploy administration utility are suscept ...) NOT-FOR-US: ONTAP CVE-2019-17271 (vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList ...) NOT-FOR-US: vBulletin CVE-2019-17270 (Yachtcontrol through 2019-10-06: It's possible to perform direct Opera ...) NOT-FOR-US: Yachtcontrol CVE-2019-17269 (Intellian Remote Access 3.18 allows remote attackers to execute arbitr ...) NOT-FOR-US: Intellian Remote Access CVE-2019-17268 (The omniauth-weibo-oauth2 gem 0.4.6 for Ruby, as distributed on RubyGe ...) NOT-FOR-US: omniauth-weibo-oauth2 gem CVE-2019-17267 (A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...) {DLA-2030-1} - jackson-databind 2.10.0-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) [stretch] - jackson-databind (Minor issue; can be fixed via a point release) NOTE: https://github.com/FasterXML/jackson-databind/issues/2460 NOTE: https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb CVE-2019-17266 (libsoup from versions 2.65.1 until 2.68.1 have a heap-based buffer ove ...) - libsoup2.4 2.68.2-1 (bug #941912) [buster] - libsoup2.4 (Vulnerable code introduced in 2.65.1) [stretch] - libsoup2.4 (Vulnerable code introduced in 2.65.1) [jessie] - libsoup2.4 (Vulnerable code introduced in 2.65.1) NOTE: https://gitlab.gnome.org/GNOME/libsoup/issues/173 (private) CVE-2019-17265 RESERVED CVE-2019-17264 (** DISPUTED ** In libyal liblnk before 20191006, liblnk_location_infor ...) - liblnk (unimportant) NOTE: https://github.com/libyal/liblnk/issues/38 NOTE: https://github.com/libyal/liblnk/commit/c4d04de2c76f62129677c90a616d049be9c52482 NOTE: Negligible/questionable security impact CVE-2019-17263 (** DISPUTED ** In libyal libfwsi before 20191006, libfwsi_extension_bl ...) - liblnk (unimportant) - libfwsi (unimportant) NOTE: https://github.com/libyal/libfwsi/issues/13 NOTE: https://github.com/libyal/libfwsi/commit/54afa5c71d6c795a555dbcb1e160fea393b98fb3 NOTE: Negligible/questionable security impact CVE-2019-17262 (XnView Classic 2.49.1 allows a User Mode Write AV starting at Xwsq+0x0 ...) NOT-FOR-US: XnView CVE-2019-17261 (XnView Classic 2.49.1 allows a User Mode Write AV starting at Xwsq+0x0 ...) NOT-FOR-US: XnView CVE-2019-17260 (MPC-HC through 1.7.13 allows a Read Access Violation on a Block Data M ...) NOT-FOR-US: MPC-HC CVE-2019-17259 (KMPlayer 4.2.2.31 allows a User Mode Write AV starting at utils!src_ne ...) NOT-FOR-US: KMPlayer (different from src:kmplayer) CVE-2019-17258 (IrfanView 4.53 allows Data from a Faulting Address to control a subseq ...) NOT-FOR-US: IrfanView CVE-2019-17257 (IrfanView 4.53 allows a Exception Handler Chain to be Corrupted starti ...) NOT-FOR-US: IrfanView CVE-2019-17256 (IrfanView 4.53 allows a User Mode Write AV starting at DPX!ReadDPX_W+0 ...) NOT-FOR-US: IrfanView CVE-2019-17255 (IrfanView 4.53 allows a User Mode Write AV starting at EXR!ReadEXR+0x0 ...) NOT-FOR-US: IrfanView CVE-2019-17254 (IrfanView 4.53 allows Data from a Faulting Address to control a subseq ...) NOT-FOR-US: IrfanView CVE-2019-17253 (IrfanView 4.53 allows a User Mode Write AV starting at JPEG_LS+0x00000 ...) NOT-FOR-US: IrfanView CVE-2019-17252 (IrfanView 4.53 allows a User Mode Write AV starting at FORMATS!Read_Ba ...) NOT-FOR-US: IrfanView CVE-2019-17251 (IrfanView 4.53 allows a User Mode Write AV starting at FORMATS!GetPlug ...) NOT-FOR-US: IrfanView CVE-2019-17250 (IrfanView 4.53 allows a User Mode Write AV starting at WSQ!ReadWSQ+0x0 ...) NOT-FOR-US: IrfanView CVE-2019-17249 (IrfanView 4.53 allows a User Mode Write AV starting at WSQ!ReadWSQ+0x0 ...) NOT-FOR-US: IrfanView CVE-2019-17248 (IrfanView 4.53 allows a User Mode Write AV starting at WSQ!ReadWSQ+0x0 ...) NOT-FOR-US: IrfanView CVE-2019-17247 (IrfanView 4.53 allows Data from a Faulting Address to control a subseq ...) NOT-FOR-US: IrfanView CVE-2019-17246 (IrfanView 4.53 allows a User Mode Write AV starting at WSQ!ReadWSQ+0x0 ...) NOT-FOR-US: IrfanView CVE-2019-17245 (IrfanView 4.53 allows a User Mode Write AV starting at WSQ!ReadWSQ+0x0 ...) NOT-FOR-US: IrfanView CVE-2019-17244 (IrfanView 4.53 allows Data from a Faulting Address to control Code Flo ...) NOT-FOR-US: IrfanView CVE-2019-17243 (IrfanView 4.53 allows Data from a Faulting Address to control Code Flo ...) NOT-FOR-US: IrfanView CVE-2019-17242 (IrfanView 4.53 allows a User Mode Write AV starting at WSQ!ReadWSQ+0x0 ...) NOT-FOR-US: IrfanView CVE-2019-17241 (IrfanView 4.53 allows a User Mode Write AV starting at WSQ!ReadWSQ+0x0 ...) NOT-FOR-US: IrfanView CVE-2019-17240 (bl-kernel/security.class.php in Bludit 3.9.2 allows attackers to bypas ...) NOT-FOR-US: Bludit CVE-2019-17239 (includes/settings/class-alg-download-plugins-settings.php in the downl ...) NOT-FOR-US: Wordpress plugin CVE-2019-17238 RESERVED CVE-2019-17237 (includes/class-coming-soon-creator.php in the igniteup plugin through ...) NOT-FOR-US: igniteup plugin for WordPress CVE-2019-17236 (includes/class-coming-soon-creator.php in the igniteup plugin through ...) NOT-FOR-US: igniteup plugin for WordPress CVE-2019-17235 (includes/class-coming-soon-creator.php in the igniteup plugin through ...) NOT-FOR-US: igniteup plugin for WordPress CVE-2019-17234 (includes/class-coming-soon-creator.php in the igniteup plugin through ...) NOT-FOR-US: igniteup plugin for WordPress CVE-2019-17233 (Functions/EWD_UFAQ_Import.php in the ultimate-faqs plugin through 1.8. ...) NOT-FOR-US: Wordpress plugin CVE-2019-17232 (Functions/EWD_UFAQ_Import.php in the ultimate-faqs plugin through 1.8. ...) NOT-FOR-US: Wordpress plugin CVE-2019-17231 (includes/theme-functions.php in the OneTone theme through 3.0.6 for Wo ...) NOT-FOR-US: OneTone theme for WordPress CVE-2019-17230 (includes/theme-functions.php in the OneTone theme through 3.0.6 for Wo ...) NOT-FOR-US: OneTone theme for WordPress CVE-2019-17229 (includes/options.php in the motors-car-dealership-classified-listings ...) NOT-FOR-US: motors-car-dealership-classified-listings (aka Motors - Car Dealer & Classified Ads) plugin for WordPress CVE-2019-17228 (includes/options.php in the motors-car-dealership-classified-listings ...) NOT-FOR-US: motors-car-dealership-classified-listings (aka Motors - Car Dealer & Classified Ads) plugin for WordPress CVE-2019-17227 RESERVED CVE-2019-17226 (CMS Made Simple (CMSMS) 2.2.11 allows XSS via the Site Admin > Modu ...) NOT-FOR-US: CMS Made Simple CVE-2019-17225 (Subrion 4.2.1 allows XSS via the panel/members/ Username, Full Name, o ...) NOT-FOR-US: Subrion CMS CVE-2019-17224 (The web interface of the Compal Broadband CH7465LG modem (version CH74 ...) NOT-FOR-US: Compal Broadband CH7465LG modem CVE-2019-17223 (There is HTML Injection in the Note field in Dolibarr ERP/CRM 10.0.2 v ...) - dolibarr CVE-2019-17222 (An issue was discovered on Intelbras WRN 150 1.0.17 devices. There is ...) NOT-FOR-US: Intelbras WRN 150 devices CVE-2019-17221 (PhantomJS through 2.1.1 has an arbitrary file read vulnerability, as d ...) - phantomjs (unimportant) NOTE: https://www.darkmatter.ae/blogs/breaching-the-perimeter-phantomjs-arbitrary-file-read/ NOTE: qtwebkit not covered by security support CVE-2019-17220 (Rocket.Chat before 2.1.0 allows XSS via a URL on a ![title] line. ...) NOT-FOR-US: Rocket.Chat CVE-2019-17219 (An issue was discovered on V-Zug Combi-Steam MSLQ devices before Ether ...) NOT-FOR-US: V-Zug Combi-Steam MSLQ devices CVE-2019-17218 (An issue was discovered on V-Zug Combi-Steam MSLQ devices before Ether ...) NOT-FOR-US: V-Zug Combi-Steam MSLQ devices CVE-2019-17217 (An issue was discovered on V-Zug Combi-Steam MSLQ devices before Ether ...) NOT-FOR-US: V-Zug Combi-Steam MSLQ devices CVE-2019-17216 (An issue was discovered on V-Zug Combi-Steam MSLQ devices before Ether ...) NOT-FOR-US: V-Zug Combi-Steam MSLQ devices CVE-2019-17215 (An issue was discovered on V-Zug Combi-Steam MSLQ devices before Ether ...) NOT-FOR-US: V-Zug Combi-Steam MSLQ devices CVE-2019-17214 (The WebARX plugin 1.3.0 for WordPress allows firewall bypass by append ...) NOT-FOR-US: WebARX plugin for WordPress CVE-2019-17213 (The WebARX plugin 1.3.0 for WordPress has unauthenticated stored XSS v ...) NOT-FOR-US: WebARX plugin for WordPress CVE-2019-17212 (Buffer overflows were discovered in the CoAP library in Arm Mbed OS 5. ...) NOT-FOR-US: Arm Mbed OS CVE-2019-17211 (An integer overflow was discovered in the CoAP library in Arm Mbed OS ...) NOT-FOR-US: Arm Mbed OS CVE-2019-17210 (A denial-of-service issue was discovered in the MQTT library in Arm Mb ...) NOT-FOR-US: Arm Mbed OS CVE-2019-17209 RESERVED CVE-2019-17208 RESERVED CVE-2019-17207 (A reflected XSS vulnerability was found in includes/admin/table-printe ...) NOT-FOR-US: broken-link-checker (aka Broken Link Checker) plugin for WordPress CVE-2019-17206 (Uncontrolled deserialization of a pickled object in models.py in Frost ...) NOT-FOR-US: Frost Ming rediswrapper CVE-2019-17205 (TeamPass 2.1.27.36 allows Stored XSS by placing a payload in the usern ...) - teampass (bug #730180) CVE-2019-17204 (TeamPass 2.1.27.36 allows Stored XSS by setting a crafted Knowledge Ba ...) - teampass (bug #730180) CVE-2019-17203 (TeamPass 2.1.27.36 allows Stored XSS at the Search page by setting a c ...) - teampass (bug #730180) CVE-2019-17202 (FastTrack Admin By Request 6.1.0.0 supports group policies that are su ...) NOT-FOR-US: FastTrack Admin By Request CVE-2019-17201 (FastTrack Admin By Request 6.1.0.0 supports group policies that are su ...) NOT-FOR-US: FastTrack Admin By Request CVE-2019-17200 RESERVED CVE-2017-18637 RESERVED CVE-2019-17199 (www/getfile.php in WPO WebPageTest 19.04 on Windows allows Directory T ...) NOT-FOR-US: WPO WebPageTest CVE-2019-17198 RESERVED CVE-2019-17197 (OpenEMR through 5.0.2 has SQL Injection in the Lifestyle demographic f ...) NOT-FOR-US: OpenEMR CVE-2019-17196 RESERVED CVE-2019-17195 (Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exce ...) NOT-FOR-US: Connect2id Nimbus JOSE+JWT CVE-2019-17194 RESERVED CVE-2019-17193 RESERVED CVE-2019-17192 (** DISPUTED ** The WebRTC component in the Signal Private Messenger ap ...) NOT-FOR-US: Signal CVE-2019-17191 (The Signal Private Messenger application before 4.47.7 for Android all ...) NOT-FOR-US: Signal CVE-2019-17190 (A Local Privilege Escalation issue was discovered in Avast Secure Brow ...) NOT-FOR-US: Avast Secure Browser CVE-2019-17189 (totemodata 3.0.0_b936 has XSS via a folder name. ...) NOT-FOR-US: totemodata CVE-2019-17188 (An unrestricted file upload vulnerability was discovered in catalog/pr ...) NOT-FOR-US: Fecshop FecMall CVE-2019-17187 (/var/WEB-GUI/cgi-bin/downloadfile.cgi on FiberHome HG2201T 1.00.M5007_ ...) NOT-FOR-US: FiberHome HG2201T devices CVE-2019-17186 (/var/WEB-GUI/cgi-bin/telnet.cgi on FiberHome HG2201T 1.00.M5007_JS_201 ...) NOT-FOR-US: FiberHome HG2201T devices CVE-2019-17185 (In FreeRADIUS 3.0.x before 3.0.20, the EAP-pwd module used a global Op ...) - freeradius 3.0.20+dfsg-1 [buster] - freeradius (Minor issue) [stretch] - freeradius (Minor issue) [jessie] - freeradius (Vulnerable code not present; EAP-pwd module introduced in later version) NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/6b522f8780813726799e6b8cf0f1f8e0ce2c8ebf CVE-2019-17184 (Xerox AtlaLink B8045/B8055/B8065/B8075/B8090 C8030/C8035/C8045/C8055/C ...) NOT-FOR-US: Xerox printers CVE-2019-17183 (Foxit Reader before 9.7 allows an Access Violation and crash if insuff ...) NOT-FOR-US: Foxit Reader CVE-2019-17182 RESERVED CVE-2019-17181 (A remote SEH buffer overflow has been discovered in IntraSrv 1.0 (2007 ...) NOT-FOR-US: IntraSrv CVE-2019-17180 (Valve Steam Client before 2019-09-12 allows placing or appending parti ...) NOT-FOR-US: Steam on Windows CVE-2019-17179 (4.1.0, 4.1.1, 4.1.2, 4.1.2.3, 4.1.2.6, 4.1.2.7, 4.2.0, 4.2.1, 4.2.2, 5 ...) NOT-FOR-US: OpenEMR CVE-2019-17178 (HuffmanTree_makeFromFrequencies in lodepng.c in LodePNG through 2019-0 ...) TODO: check CVE-2019-17177 (libfreerdp/codec/region.c in FreeRDP through 1.1.x and 2.x through 2.0 ...) - freerdp2 2.0.0~git20190204.1.2693389a+dfsg1-2 (low) [buster] - freerdp2 2.0.0~git20190204.1.2693389a+dfsg1-1+deb10u1 - freerdp (low) [stretch] - freerdp (Minor issue) [jessie] - freerdp (Minor issue; Patching this old version would be very invasive; no upstream patch available) NOTE: https://github.com/FreeRDP/FreeRDP/issues/5645 NOTE: https://github.com/akallabeth/FreeRDP/commit/fc80ab45621bd966f70594c0b7393ec005a94007 CVE-2019-17176 (Genesys PureEngage Digital (eServices) 8.1.x allows XSS via HtmlChatPa ...) NOT-FOR-US: Genesys PureEngage Digital (eServices) CVE-2019-17175 (joyplus-cms 1.6.0 allows manager/admin_pic.php?rootpath= absolute path ...) NOT-FOR-US: joyplus-cms CVE-2019-17174 RESERVED CVE-2019-17173 RESERVED CVE-2019-17172 RESERVED CVE-2019-17171 RESERVED CVE-2019-17170 RESERVED CVE-2019-17169 RESERVED CVE-2019-17168 RESERVED CVE-2019-17167 RESERVED CVE-2019-17166 RESERVED CVE-2019-17165 RESERVED CVE-2019-17164 RESERVED CVE-2019-17163 RESERVED CVE-2019-17162 RESERVED CVE-2019-17161 RESERVED CVE-2019-17160 RESERVED CVE-2019-17159 RESERVED CVE-2019-17158 RESERVED CVE-2019-17157 RESERVED CVE-2019-17156 RESERVED CVE-2019-17155 RESERVED CVE-2019-17154 RESERVED CVE-2019-17153 RESERVED CVE-2019-17152 RESERVED CVE-2019-17151 (This vulnerability allows remote attackers redirect users to an extern ...) NOT-FOR-US: Tencent WeChat CVE-2019-17150 REJECTED CVE-2019-17149 REJECTED CVE-2019-17148 (This vulnerability allows local attackers to escalate privileges on af ...) NOT-FOR-US: Parallels CVE-2019-17147 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: TP-Link CVE-2019-17146 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: D-Link CVE-2019-17145 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit CVE-2019-17144 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit CVE-2019-17143 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit CVE-2019-17142 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit CVE-2019-17141 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit CVE-2019-17140 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit CVE-2019-17139 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit CVE-2019-17138 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit CVE-2019-17137 (This vulnerability allows network-adjacent attackers to bypass authent ...) NOT-FOR-US: Netgear CVE-2019-17136 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-17135 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-17134 (Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 ...) - octavia 4.0.0-6 (bug #941897) [buster] - octavia (Minor issue in regular setups, can be fixed via point release) CVE-2019-17132 (vBulletin through 5.5.4 mishandles custom avatars. ...) NOT-FOR-US: vBulletin CVE-2019-17131 (vBulletin before 5.5.4 allows clickjacking. ...) NOT-FOR-US: vBulletin CVE-2019-17130 (vBulletin through 5.5.4 mishandles external URLs within the /core/vb/v ...) NOT-FOR-US: vBulletin CVE-2019-17133 (In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in net/w ...) {DLA-2114-1 DLA-2068-1} - linux 5.3.9-1 [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 NOTE: https://marc.info/?l=linux-wireless&m=157018270915487&w=2 CVE-2019-17129 RESERVED CVE-2019-17128 (Netreo OmniCenter through 12.1.1 allows unauthenticated SQL Injection ...) NOT-FOR-US: Netreo OmniCenter CVE-2019-17127 (A Stored Client Side Template Injection (CSTI) with Angular was discov ...) NOT-FOR-US: SolarWinds Orion Platform CVE-2019-17126 RESERVED CVE-2019-17125 (A Reflected Client Side Template Injection (CSTI) with Angular was dis ...) NOT-FOR-US: SolarWinds Orion Platform CVE-2019-17124 (Kramer VIAware 2.5.0719.1034 has Incorrect Access Control. ...) NOT-FOR-US: Kramer VIAware CVE-2019-17123 (The eGain Web Email API 11+ allows spoofed messages because the fromNa ...) NOT-FOR-US: eGain Web Email API CVE-2019-17122 RESERVED CVE-2019-17121 (REDCap before 9.3.4 has XSS on the Customize & Manage Locking/E-si ...) NOT-FOR-US: REDCap CVE-2019-17120 (A stored and reflected cross-site scripting (XSS) vulnerability in WiK ...) NOT-FOR-US: WiKID 2FA Enterprise Server CVE-2019-17119 (Multiple SQL injection vulnerabilities in Logs.jsp in WiKID 2FA Enterp ...) NOT-FOR-US: WiKID 2FA Enterprise Server CVE-2019-17118 (A CSRF issue in WiKID 2FA Enterprise Server through 4.2.0-b2053 allows ...) NOT-FOR-US: WiKID 2FA Enterprise Server CVE-2019-17117 (A SQL injection vulnerability in processPref.jsp in WiKID 2FA Enterpri ...) NOT-FOR-US: WiKID 2FA Enterprise Server CVE-2019-17116 (A stored and reflected cross-site scripting (XSS) vulnerability in WiK ...) NOT-FOR-US: WiKID 2FA Enterprise Server CVE-2019-17115 (Multiple cross-site scripting (XSS) vulnerabilities in WiKID 2FA Enter ...) NOT-FOR-US: WiKID 2FA Enterprise Server CVE-2019-17114 (A stored and reflected cross-site scripting (XSS) vulnerability in WiK ...) NOT-FOR-US: WiKID 2FA Enterprise Server CVE-2019-17113 (In libopenmpt before 0.3.19 and 0.4.x before 0.4.9, ModPlug_Instrument ...) - libopenmpt 0.4.9-1 NOTE: https://github.com/OpenMPT/openmpt/commit/927688ddab43c2b203569de79407a899e734fabe NOTE: https://source.openmpt.org/browse/openmpt/trunk/OpenMPT/?op=revision&rev=12127&peg=12127 NOTE: Fixed in upstream versions 0.3.19 and 0.4.9. CVE-2019-17112 (An issue was discovered in Zoho ManageEngine DataSecurity Plus before ...) NOT-FOR-US: Zoho CVE-2019-17111 RESERVED CVE-2019-17110 REJECTED CVE-2019-17109 (Koji through 1.18.0 allows remote Directory Traversal, with resultant ...) - koji (bug #942146) NOTE: https://docs.pagure.org/koji/CVE-2019-17109/ NOTE: https://pagure.io/koji/issue/1634 CVE-2019-17108 (Local file inclusion in brokerPerformance.php in Centreon Web before 2 ...) - centreon-web (bug #913903) CVE-2019-17107 (minPlayCommand.php in Centreon Web before 2.8.27 allows authenticated ...) - centreon-web (bug #913903) CVE-2019-17106 (In Centreon Web through 2.8.29, disclosure of external components' pas ...) - centreon-web (bug #913903) CVE-2019-17105 (The token generator in index.php in Centreon Web before 2.8.27 is pred ...) - centreon-web (bug #913903) CVE-2019-17104 (In Centreon VM through 19.04.3, the cookie configuration within the Ap ...) - centreon-web (bug #913903) CVE-2018-21025 (In Centreon VM through 19.04.3, centreon-backup.pl allows attackers to ...) - centreon-web (bug #913903) CVE-2018-21024 (licenseUpload.php in Centreon Web before 2.8.27 allows attackers to up ...) - centreon-web (bug #913903) CVE-2018-21023 (getStats.php in Centreon Web before 2.8.28 allows authenticated attack ...) - centreon-web (bug #913903) CVE-2018-21022 (makeXML_ListServices.php in Centreon Web before 2.8.28 allows attacker ...) - centreon-web (bug #913903) CVE-2018-21021 (img_gantt.php in Centreon Web before 2.8.27 allows attackers to perfor ...) - centreon-web (bug #913903) CVE-2018-21020 (In very rare cases, a PHP type juggling vulnerability in centreonAuth. ...) - centreon-web (bug #913903) CVE-2019-17103 (An Incorrect Default Permissions vulnerability in the BDLDaemon compon ...) NOT-FOR-US: Bitdefender AV for Mac CVE-2019-17102 (An exploitable command execution vulnerability exists in the recovery ...) NOT-FOR-US: Bitdefender BOX 2 CVE-2019-17101 (Improper Neutralization of Special Elements used in a Command ('Comman ...) NOT-FOR-US: Netatmo Smart Indoor Camera CVE-2019-17100 (An Untrusted Search Path vulnerability in bdserviceshost.exe as used i ...) NOT-FOR-US: Bitdefender Total Security CVE-2019-17099 (An Untrusted Search Path vulnerability in EPSecurityService.exe as use ...) NOT-FOR-US: Bitdefender Endpoint Security Tools CVE-2019-17098 RESERVED CVE-2019-17097 RESERVED CVE-2019-17096 (A OS Command Injection vulnerability in the bootstrap stage of Bitdefe ...) NOT-FOR-US: Bitdefender BOX 2 CVE-2019-17095 (A command injection vulnerability has been discovered in the bootstrap ...) NOT-FOR-US: Bitdefender BOX 2 CVE-2019-17094 (A Stack-based Buffer Overflow vulnerability in libbelkin_api.so compon ...) NOT-FOR-US: Belkin CVE-2019-17093 (An issue was discovered in Avast antivirus before 19.8 and AVG antivir ...) NOT-FOR-US: Avast CVE-2019-17092 (An XSS vulnerability in project list in OpenProject before 9.0.4 and 1 ...) NOT-FOR-US: OpenProject CVE-2019-17091 (faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used ...) - mojarra (Vulnerable code not present) CVE-2019-17090 RESERVED CVE-2019-17089 RESERVED CVE-2019-17088 RESERVED CVE-2019-17087 (Unauthorized file download vulnerability in all supported versions of ...) NOT-FOR-US: Micro Focus AcuToWeb CVE-2019-17086 RESERVED CVE-2019-17085 (XXE attack vulnerability on Micro Focus Operations Agent, affected ver ...) NOT-FOR-US: Micro Focus CVE-2019-17084 RESERVED CVE-2019-17083 RESERVED CVE-2019-17082 RESERVED CVE-2019-17081 RESERVED CVE-2019-17080 (mintinstall (aka Software Manager) 7.9.9 for Linux Mint allows code ex ...) NOT-FOR-US: Linux Mint CVE-2019-17079 RESERVED CVE-2019-17078 RESERVED CVE-2019-17077 RESERVED CVE-2019-17076 (An issue was discovered in Jamf Pro 9.x and 10.x before 10.15.1. Deser ...) NOT-FOR-US: Jamf Pro CVE-2019-17075 (An issue was discovered in write_tpt_entry in drivers/infiniband/hw/cx ...) {DLA-2114-1} - linux 5.3.7-1 [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 [jessie] - linux (Not a problem in practice) NOTE: https://lore.kernel.org/lkml/20191001165611.GA3542072@kroah.com CVE-2019-17074 (An issue was discovered in XunRuiCMS 4.3.1. There is a stored XSS in t ...) NOT-FOR-US: XunRuiCMS CVE-2019-17073 (emlog through 6.0.0beta allows remote authenticated users to delete ar ...) NOT-FOR-US: emlog CVE-2019-17072 (The new-contact-form-widget (aka Contact Form Widget - Contact Query, ...) NOT-FOR-US: new-contact-form-widget (aka Contact Form Widget - Contact Query, Form Maker) plugin for WordPress CVE-2019-17071 (The client-dash (aka Client Dash) plugin 2.1.4 for WordPress allows XS ...) NOT-FOR-US: client-dash (aka Client Dash) plugin for WordPress CVE-2019-17070 (The liquid-speech-balloon (aka LIQUID SPEECH BALLOON) plugin before 1. ...) NOT-FOR-US: liquid-speech-balloon (aka LIQUID SPEECH BALLOON) plugin for WordPress CVE-2019-17069 (PuTTY before 0.73 might allow remote SSH-1 servers to cause a denial o ...) - putty 0.73-1 (unimportant) NOTE: https://lists.tartarus.org/pipermail/putty-announce/2019/000029.html NOTE: Fixed by: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=69201ad8936fe0ff1b8723b7a43accb5e9f1c888 NOTE: Negligible security impact CVE-2019-17068 (PuTTY before 0.73 mishandles the "bracketed paste mode" protection mec ...) - putty 0.73-1 [buster] - putty (Vulnerable code introduced later) [stretch] - putty (Vulnerable code introduced later) [jessie] - putty (Vulnerable code introduced later) NOTE: https://lists.tartarus.org/pipermail/putty-announce/2019/000029.html NOTE: Introduced by: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=9fccb065a67c283d978b2e3394d6fff69b4f4f30 (0.72) NOTE: Fixed by: https://git.tartarus.org/?p=simon/putty.git;a=commit;h=2c279283cc695ade15bafb418a8207ef0edd89cd (0.73) CVE-2019-17067 (PuTTY before 0.73 on Windows improperly opens port-forwarding listenin ...) - putty (Windows-specific) NOTE: https://lists.tartarus.org/pipermail/putty-announce/2019/000029.html CVE-2019-17066 (In Ivanti WorkSpace Control before 10.4.40.0, a user can elevate right ...) NOT-FOR-US: Ivanti WorkSpace Control CVE-2019-17065 RESERVED CVE-2019-17064 (Catalog.cc in Xpdf 4.02 has a NULL pointer dereference because Catalog ...) - xpdf (xpdf in Debian uses poppler, which is fixed) CVE-2019-17063 (In Snowtide PDFxStream before 3.7.1 (for Java), a crafted PDF file can ...) NOT-FOR-US: Snowtide PDFxStream CVE-2019-17062 (An issue was discovered in OXID eShop 6.x before 6.0.6 and 6.1.x befor ...) NOT-FOR-US: OXID eShop CVE-2019-17061 (The Bluetooth Low Energy (BLE) stack implementation on Cypress PSoC 4 ...) NOT-FOR-US: Cypress CVE-2019-17060 (The Bluetooth Low Energy (BLE) stack implementation on the NXP KW41Z ( ...) NOT-FOR-US: NXP CVE-2019-17059 (A shell injection vulnerability on the Sophos Cyberoam firewall applia ...) NOT-FOR-US: Sophos CVE-2019-17058 (Footy Tipping Software AFL Web Edition 2019 allows arbitrary file uplo ...) NOT-FOR-US: Footy Tipping Software AFL Web Edition CVE-2019-17057 (Footy Tipping Software AFL Web Edition 2019 allows XSS. ...) NOT-FOR-US: Footy Tipping Software AFL Web Edition CVE-2019-17056 (llcp_sock_create in net/nfc/llcp_sock.c in the AF_NFC network module i ...) {DLA-2114-1 DLA-2068-1} - linux 5.3.7-1 [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/3a359798b176183ef09efb7a3dc59abad1cc7104 CVE-2019-17055 (base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network ...) {DLA-2114-1 DLA-2068-1} - linux 5.3.7-1 [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/b91ee4aa2a2199ba4d4650706c272985a5a32d80 CVE-2019-17054 (atalk_create in net/appletalk/ddp.c in the AF_APPLETALK network module ...) {DLA-2114-1 DLA-2068-1} - linux 5.3.7-1 [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/6cc03e8aa36c51f3b26a0d21a3c4ce2809c842ac CVE-2019-17053 (ieee802154_create in net/ieee802154/socket.c in the AF_IEEE802154 netw ...) {DLA-2114-1 DLA-2068-1} - linux 5.3.7-1 [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/e69dbd4619e7674c1679cba49afd9dd9ac347eef CVE-2019-17052 (ax25_create in net/ax25/af_ax25.c in the AF_AX25 network module in the ...) {DLA-2114-1 DLA-2068-1} - linux 5.3.7-1 [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/0614e2b73768b502fc32a75349823356d98aae2c CVE-2019-17051 (Evernote before 7.13 GA on macOS allows code execution because the com ...) NOT-FOR-US: Evernote CVE-2019-17050 (An issue was discovered in the Voyager package through 1.2.7 for Larav ...) NOT-FOR-US: Voyager CVE-2019-17049 (NETGEAR SRX5308 4.3.5-3 devices allow SQL Injection, as exploited in t ...) NOT-FOR-US: NETGEAR CVE-2019-17048 RESERVED CVE-2019-17047 RESERVED CVE-2019-17046 (Ilch 2.1.22 allows remote code execution because php is listed under " ...) NOT-FOR-US: Ilch CMS CVE-2019-17045 (Ilch 2.1.22 allows stored XSS via the title, text, or email id to the ...) NOT-FOR-US: Ilch CMS CVE-2019-17044 (An issue was discovered in BMC Patrol Agent 9.0.10i. Weak execution pe ...) NOT-FOR-US: BMC Patrol Agent CVE-2019-17043 (An issue was discovered in BMC Patrol Agent 9.0.10i. Weak execution pe ...) NOT-FOR-US: BMC Patrol Agent CVE-2019-17042 (An issue was discovered in Rsyslog v8.1908.0. contrib/pmcisconames/pmc ...) {DLA-1952-1} - rsyslog 8.1910.0-1 (bug #942065) [buster] - rsyslog (Minor issue, pmcisconames module not loaded by default) [stretch] - rsyslog (Minor issue, pmcisconames module not loaded by default) NOTE: https://github.com/rsyslog/rsyslog/pull/3883 CVE-2019-17041 (An issue was discovered in Rsyslog v8.1908.0. contrib/pmaixforwardedfr ...) {DLA-1952-1} - rsyslog 8.1910.0-1 (bug #942067) [buster] - rsyslog (Minor issue, pmaixforwardedfrom module not loaded by default) [stretch] - rsyslog (Minor issue, pmaixforwardedfrom module not loaded by default) NOTE: https://github.com/rsyslog/rsyslog/pull/3884 CVE-2019-17040 (contrib/pmdb2diag/pmdb2diag.c in Rsyslog v8.1908.0 allows out-of-bound ...) - rsyslog 8.1910.0-1 (unimportant) [buster] - rsyslog (Vulnerable code introduced later) [stretch] - rsyslog (Vulnerable code introduced later) [jessie] - rsyslog (Vulnerable code introduced later) NOTE: https://github.com/rsyslog/rsyslog/pull/3875 NOTE: pmdb2diag module not complied in Debian. CVE-2019-17039 REJECTED CVE-2019-17038 REJECTED CVE-2019-17037 REJECTED CVE-2019-17036 REJECTED CVE-2019-17035 REJECTED CVE-2019-17034 REJECTED CVE-2019-17033 REJECTED CVE-2019-17032 REJECTED CVE-2019-17031 REJECTED CVE-2019-17030 REJECTED CVE-2019-17029 REJECTED CVE-2019-17028 REJECTED CVE-2019-17027 REJECTED CVE-2019-17026 (Incorrect alias information in IonMonkey JIT compiler for setting arra ...) {DSA-4603-1 DSA-4600-1 DLA-2093-1 DLA-2071-1} - firefox 72.0.1-1 (bug #948452) - firefox-esr 68.4.1esr-1 - thunderbird 1:68.4.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/#CVE-2019-17026 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-04/#CVE-2019-17026 CVE-2019-17025 (Mozilla developers reported memory safety bugs present in Firefox 71. ...) - firefox 72.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17025 CVE-2019-17024 (Mozilla developers reported memory safety bugs present in Firefox 71 a ...) {DSA-4603-1 DSA-4600-1 DLA-2071-1 DLA-2061-1} - firefox 72.0-1 - firefox-esr 68.4.0esr-1 - thunderbird 1:68.4.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17024 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-02/#CVE-2019-17024 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-04/#CVE-2019-17024 CVE-2019-17023 (After a HelloRetryRequest has been sent, the client may negotiate a lo ...) - firefox 72.0-1 - nss 2:3.49-1 [jessie] - nss (Vulnerable code was introduced later) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17023 NOTE: https://hg.mozilla.org/projects/nss/rev/d64102b76a437f24d98a20480dcc9f1655143e7c NOTE: https://hg.mozilla.org/projects/nss/rev/8a2bd40e7f89a796cf24a0ff7cfb67c6e69c5c78 CVE-2019-17022 (When pasting a &lt;style&gt; tag from the clipboard into a ric ...) {DSA-4603-1 DSA-4600-1 DLA-2071-1 DLA-2061-1} - firefox 72.0-1 - firefox-esr 68.4.0esr-1 - thunderbird 1:68.4.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17022 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-02/#CVE-2019-17022 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-04/#CVE-2019-17022 CVE-2019-17021 (During the initialization of a new content process, a race condition o ...) - firefox (Windows-specific) - firefox-esr (Windows-specific) - thunderbird (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17021 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-02/#CVE-2019-17021 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-04/#CVE-2019-17021 CVE-2019-17020 (If an XML file is served with a Content Security Policy and the XML fi ...) - firefox 72.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17020 CVE-2019-17019 (When Python was installed on Windows, a python file being served with ...) - firefox (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17019 CVE-2019-17018 (When in Private Browsing Mode on Windows 10, the Windows keyboard may ...) - firefox (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17018 CVE-2019-17017 (Due to a missing case handling object types, a type confusion vulnerab ...) {DSA-4603-1 DSA-4600-1 DLA-2071-1 DLA-2061-1} - firefox 72.0-1 - firefox-esr 68.4.0esr-1 - thunderbird 1:68.4.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17017 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-02/#CVE-2019-17017 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-04/#CVE-2019-17017 CVE-2019-17016 (When pasting a &lt;style&gt; tag from the clipboard into a ric ...) {DSA-4603-1 DSA-4600-1 DLA-2071-1 DLA-2061-1} - firefox 72.0-1 - firefox-esr 68.4.0esr-1 - thunderbird 1:68.4.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17016 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-02/#CVE-2019-17016 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-04/#CVE-2019-17016 CVE-2019-17015 (During the initialization of a new content process, a pointer offset c ...) - firefox (Windows-specific) - firefox-esr (Windows-specific) - thunderbird (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17015 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-02/#CVE-2019-17015 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-04/#CVE-2019-17015 CVE-2019-17014 (If an image had not loaded correctly (such as when it is not actually ...) - firefox 71.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-17014 CVE-2019-17013 (Mozilla developers reported memory safety bugs present in Firefox 70. ...) - firefox 71.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-17013 CVE-2019-17012 (Mozilla developers reported memory safety bugs present in Firefox 70 a ...) {DSA-4585-1 DSA-4580-1 DLA-2036-1 DLA-2029-1} - firefox 71.0-1 - firefox-esr 68.3.0esr-1 - thunderbird 1:68.3.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-17012 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-37/#CVE-2019-17012 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-38/#CVE-2019-17012 CVE-2019-17011 (Under certain conditions, when retrieving a document from a DocShell i ...) {DSA-4585-1 DSA-4580-1 DLA-2036-1 DLA-2029-1} - firefox 71.0-1 - firefox-esr 68.3.0esr-1 - thunderbird 1:68.3.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-17011 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-37/#CVE-2019-17011 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-38/#CVE-2019-17011 CVE-2019-17010 (Under certain conditions, when checking the Resist Fingerprinting pref ...) {DSA-4585-1 DSA-4580-1 DLA-2036-1 DLA-2029-1} - firefox 71.0-1 - firefox-esr 68.3.0esr-1 - thunderbird 1:68.3.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-17010 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-37/#CVE-2019-17010 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-38/#CVE-2019-17010 CVE-2019-17009 (When running, the updater service wrote status and log files to an unr ...) - firefox (Updater not used in Debian packages) - firefox-esr (Updater not used in Debian packages) - thunderbird (Updater not used in Debian packages) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-17009 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-37/#CVE-2019-17009 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-38/#CVE-2019-17009 CVE-2019-17008 (When using nested workers, a use-after-free could occur during worker ...) {DSA-4585-1 DSA-4580-1 DLA-2036-1 DLA-2029-1} - firefox 71.0-1 - firefox-esr 68.3.0esr-1 - thunderbird 1:68.3.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-17008 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-37/#CVE-2019-17008 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-38/#CVE-2019-17008 CVE-2019-17007 [nss: Handling of Netscape Certificate Sequences in CERT_DecodeCertPackage() may crash with a NULL deref leading to DoS] RESERVED {DSA-4579-1 DLA-2015-1} - nss 2:3.45-1 NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1798 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1533216 NOTE: https://hg.mozilla.org/projects/nss/rev/1473dd7efe2ce4f8722a33ebb03a3425e09887de NOTE: Fixed in 3.44 upstream (and there was an upload of 3.44 to unstable NOTE: but then reverted until the 2:3.45-1 upload). CVE-2019-17006 [Check length of inputs for cryptographic primitives] RESERVED {DLA-2058-1} - nss 2:3.47-1 NOTE: Fixed upstream in NSS 3.46. NOTE: Upstream bug (currently non-public): https://bugzilla.mozilla.org/show_bug.cgi?id=1539788 NOTE: https://hg.mozilla.org/projects/nss/rev/dfd6996fe7425eb0437346d11a01082f16fcfe34 NOTE: https://hg.mozilla.org/projects/nss/rev/9d1f5e71773d4e3146524096d74cb96c8df51abe CVE-2019-17005 (The plain text serializer used a fixed-size array for the number of &l ...) {DSA-4585-1 DSA-4580-1 DLA-2036-1 DLA-2029-1} - firefox 71.0-1 - firefox-esr 68.3.0esr-1 - thunderbird 1:68.3.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-17005 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-37/#CVE-2019-17005 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-38/#CVE-2019-17005 CVE-2019-17004 RESERVED CVE-2019-17003 RESERVED CVE-2019-17002 (If upgrade-insecure-requests was specified in the Content Security Pol ...) - firefox 70.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/#CVE-2019-17002 CVE-2019-17001 (A Content-Security-Policy that blocks in-line scripts could be bypasse ...) - firefox 70.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/#CVE-2019-17001 CVE-2019-17000 (An object tag with a data URI did not correctly inherit the document's ...) - firefox 70.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/#CVE-2019-17000 CVE-2019-16999 (CloudBoot through 2019-03-08 allows SQL Injection via a crafted Status ...) NOT-FOR-US: CloudBoot CVE-2019-16998 RESERVED CVE-2019-16997 (In Metinfo 7.0.0beta, a SQL Injection was discovered in app/system/lan ...) NOT-FOR-US: Metinfo CVE-2019-16996 (In Metinfo 7.0.0beta, a SQL Injection was discovered in app/system/pro ...) NOT-FOR-US: Metinfo CVE-2017-18636 (CDG through 2017-01-01 allows downloadDocument.jsp?command=download&am ...) NOT-FOR-US: CDG CVE-2019-16995 (In the Linux kernel before 5.0.3, a memory leak exits in hsr_dev_final ...) - linux 4.19.37-1 [stretch] - linux 4.9.168-1 [jessie] - linux (Vulnerability introduced later) NOTE: https://git.kernel.org/linus/6caabe7f197d3466d238f70915d65301f1716626 CVE-2019-16994 (In the Linux kernel before 5.0, a memory leak exists in sit_init_net() ...) - linux 4.19.28-1 [stretch] - linux (Vulnerability introduced later) [jessie] - linux (Vulnerability introduced later) NOTE: https://git.kernel.org/linus/07f12b26e21ab359261bf75cfcb424fdc7daeb6d CVE-2019-16992 (The Keybase app 2.13.2 for iOS provides potentially insufficient notic ...) NOT-FOR-US: Keybase CVE-2019-16991 (In FusionPBX up to v4.5.7, the file app\edit\filedelete.php uses an un ...) NOT-FOR-US: FusionPBX CVE-2019-16990 (In FusionPBX up to v4.5.7, the file app/music_on_hold/music_on_hold.ph ...) NOT-FOR-US: FusionPBX CVE-2019-16989 (In FusionPBX up to v4.5.7, the file app\conferences_active\conference_ ...) NOT-FOR-US: FusionPBX CVE-2019-16988 (In FusionPBX up to v4.5.7, the file app\basic_operator_panel\resources ...) NOT-FOR-US: FusionPBX CVE-2019-16987 (In FusionPBX up to v4.5.7, the file app\contacts\contact_import.php us ...) NOT-FOR-US: FusionPBX CVE-2019-16986 (In FusionPBX up to v4.5.7, the file resources\download.php uses an uns ...) NOT-FOR-US: FusionPBX CVE-2019-16985 (In FusionPBX up to v4.5.7, the file app\xml_cdr\xml_cdr_delete.php use ...) NOT-FOR-US: FusionPBX CVE-2019-16984 (In FusionPBX up to v4.5.7, the file app\recordings\recording_play.php ...) NOT-FOR-US: FusionPBX CVE-2019-16983 (In FusionPBX up to v4.5.7, the file resources\paging.php has a paging ...) NOT-FOR-US: FusionPBX CVE-2019-16982 (In FusionPBX up to v4.5.7, the file app\access_controls\access_control ...) NOT-FOR-US: FusionPBX CVE-2019-16981 (In FusionPBX up to v4.5.7, the file app\conference_profiles\conference ...) NOT-FOR-US: FusionPBX CVE-2019-16980 (In FusionPBX up to v4.5.7, the file app\call_broadcast\call_broadcast_ ...) NOT-FOR-US: FusionPBX CVE-2019-16979 (In FusionPBX up to v4.5.7, the file app\contacts\contact_urls.php uses ...) NOT-FOR-US: FusionPBX CVE-2019-16978 (In FusionPBX up to v4.5.7, the file app\devices\device_settings.php us ...) NOT-FOR-US: FusionPBX CVE-2019-16977 (In FusionPBX up to 4.5.7, the file app\extensions\extension_imports.ph ...) NOT-FOR-US: FusionPBX CVE-2019-16976 (In FusionPBX up to 4.5.7, the file app\destinations\destination_import ...) NOT-FOR-US: FusionPBX CVE-2019-16975 (In FusionPBX up to 4.5.7, the file app\contacts\contact_notes.php uses ...) NOT-FOR-US: FusionPBX CVE-2019-16974 (In FusionPBX up to 4.5.7, the file app\contacts\contact_times.php uses ...) NOT-FOR-US: FusionPBX CVE-2019-16973 (In FusionPBX up to 4.5.7, the file app\contacts\contact_edit.php uses ...) NOT-FOR-US: FusionPBX CVE-2019-16972 (In FusionPBX up to 4.5.7, the file app\contacts\contact_addresses.php ...) NOT-FOR-US: FusionPBX CVE-2019-16971 (In FusionPBX up to 4.5.7, the file app\messages\messages_thread.php us ...) NOT-FOR-US: FusionPBX CVE-2019-16970 (In FusionPBX up to 4.5.7, the file app\sip_status\sip_status.php uses ...) NOT-FOR-US: FusionPBX CVE-2019-16969 (In FusionPBX up to 4.5.7, the file app\fifo_list\fifo_interactive.php ...) NOT-FOR-US: FusionPBX CVE-2019-16968 (An issue was discovered in FusionPBX up to 4.5.7. In the file app\conf ...) NOT-FOR-US: FusionPBX CVE-2019-16967 (An issue was discovered in Manager 13.x before 13.0.2.6 and 15.x befor ...) NOT-FOR-US: FusionPBX CVE-2019-16966 (An issue was discovered in Contactmanager 13.x before 13.0.45.3, 14.x ...) NOT-FOR-US: FusionPBX CVE-2019-16965 (resources/cmd.php in FusionPBX up to 4.5.7 suffers from a command inje ...) NOT-FOR-US: FusionPBX CVE-2019-16964 (app/call_centers/cmd.php in the Call Center Queue Module in FusionPBX ...) NOT-FOR-US: FusionPBX CVE-2019-16963 RESERVED CVE-2019-16962 RESERVED CVE-2019-16961 RESERVED CVE-2019-16960 RESERVED CVE-2019-16959 RESERVED CVE-2019-16958 RESERVED CVE-2019-16957 RESERVED CVE-2019-16956 RESERVED CVE-2019-16955 RESERVED CVE-2019-16954 RESERVED CVE-2019-16953 RESERVED CVE-2019-16952 RESERVED CVE-2019-16951 (A remote file include (RFI) issue was discovered in Enghouse Web Chat ...) NOT-FOR-US: Enghouse Web Chat CVE-2019-16950 (An XSS issue was discovered in Enghouse Web Chat 6.1.300.31 and 6.2.28 ...) NOT-FOR-US: Enghouse Web Chat CVE-2019-16949 (An issue was discovered in Enghouse Web Chat 6.1.300.31 and 6.2.284.34 ...) NOT-FOR-US: Enghouse Web Chat CVE-2019-16948 (An SSRF issue was discovered in Enghouse Web Chat 6.1.300.31. In any P ...) NOT-FOR-US: Enghouse Web Chat CVE-2019-16947 RESERVED CVE-2019-16946 RESERVED CVE-2019-16945 RESERVED CVE-2019-16944 RESERVED CVE-2019-16943 (A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...) {DSA-4542-1 DLA-1943-1} - jackson-databind 2.10.0-2 (bug #941530) NOTE: https://github.com/FasterXML/jackson-databind/issues/2478 CVE-2019-16942 (A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...) {DSA-4542-1 DLA-1943-1} - jackson-databind 2.10.0-2 (bug #941530) NOTE: https://github.com/FasterXML/jackson-databind/issues/2478 CVE-2019-16941 (NSA Ghidra through 9.0.4, when experimental mode is enabled, allows ar ...) - ghidra (bug #923851) CVE-2019-16940 RESERVED CVE-2019-16939 RESERVED CVE-2019-16938 RESERVED CVE-2019-16937 RESERVED CVE-2019-16936 RESERVED CVE-2019-16935 (The documentation XML-RPC server in Python through 2.7.16, 3.x through ...) - python3.8 3.8.0~rc1-1 - python3.7 3.7.5~rc1-1 [buster] - python3.7 3.7.3-2+deb10u1 - python3.5 - python3.4 [jessie] - python3.4 (Minor Issue, XSS in an unlikely use-case) - python2.7 2.7.17~rc1-1 [buster] - python2.7 2.7.16-2+deb10u1 [stretch] - python2.7 (Minor issue) [jessie] - python2.7 (Minor Issue, XSS in an unlikely use-case) - jython [buster] - jython (Minor Issue) [stretch] - jython (Minor Issue) [jessie] - jython (Minor Issue, XSS in an unlikely use-case) - pypy (low) [buster] - pypy (Minor issue) [stretch] - pypy (Minor issue) [jessie] - pypy (Minor Issue, XSS in an unlikely use-case) NOTE: https://bugs.python.org/issue38243 NOTE: https://github.com/python/cpython/pull/16373 NOTE: https://github.com/python/cpython/commit/e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa (master) NOTE: https://github.com/python/cpython/commit/6447b9f9bd27e1f6b04cef674dd3a7ab27bf4f28 (3.8 branch) NOTE: https://github.com/python/cpython/commit/39a0c7555530e31c6941a78da19b6a5b61170687 (3.7 branch) NOTE: https://github.com/python/cpython/commit/1698cacfb924d1df452e78d11a4bf81ae7777389 (3.6 branch) NOTE: https://github.com/python/cpython/commit/8eb64155ff26823542ccf0225b3d57b6ae36ea89 (2.7 branch) CVE-2019-16934 RESERVED CVE-2019-16933 RESERVED CVE-2019-16932 (A blind SSRF vulnerability exists in the Visualizer plugin before 3.3. ...) NOT-FOR-US: Visualizer plugin for WordPress CVE-2019-16931 (A stored XSS vulnerability in the Visualizer plugin 3.3.0 for WordPres ...) NOT-FOR-US: Visualizer plugin for WordPress CVE-2019-16930 (Zcashd in Zcash before 2.0.7-3 allows discovery of the IP address of a ...) NOT-FOR-US: Zcash CVE-2019-16929 (Auth0 auth0.net before 6.5.4 has Incorrect Access Control because Iden ...) NOT-FOR-US: Auth0 auth0.net CVE-2019-16927 (Xpdf 4.01.01 has an out-of-bounds write in the vertProfile part of the ...) - xpdf (xpdf in Debian uses poppler, which is fixed) CVE-2019-16926 (** DISPUTED ** Flower 0.9.3 has XSS via a crafted worker name. NOTE: T ...) NOT-FOR-US: Flower CVE-2019-16925 (** DISPUTED ** Flower 0.9.3 has XSS via the name parameter in an @app. ...) NOT-FOR-US: Flower CVE-2019-16924 (The Nulock application 1.5.0 for mobile devices sends a cleartext pass ...) NOT-FOR-US: Nulock CVE-2019-16923 (kkcms 1.3 has jx.php?url= XSS. ...) NOT-FOR-US: kkcms CVE-2019-16922 (SuiteCRM 7.10.x before 7.10.20 and 7.11.x before 7.11.8 allows uninten ...) NOT-FOR-US: SuiteCRM CVE-2019-16921 (In the Linux kernel before 4.17, hns_roce_alloc_ucontext in drivers/in ...) - linux (Did not affect any released kernel) CVE-2019-16920 (Unauthenticated remote code execution occurs in D-Link products such a ...) NOT-FOR-US: D-Link CVE-2019-16928 (Exim 4.92 through 4.92.2 allows remote code execution, a different vul ...) {DSA-4536-1} - exim4 4.92.2-3 [stretch] - exim4 (Vulnerable code introduced later) [jessie] - exim4 (Vulnerable code introduced later) NOTE: https://lists.exim.org/lurker/message/20190927.032457.c1044d4c.en.html NOTE: https://bugs.exim.org/show_bug.cgi?id=2449 NOTE: https://git.exim.org/exim.git/commit/478effbfd9c3cc5a627fc671d4bf94d13670d65f CVE-2019-16919 (Harbor API has a Broken Access Control vulnerability. The vulnerabilit ...) NOT-FOR-US: Harbor CVE-2019-16918 RESERVED CVE-2019-16917 (WiKID Enterprise 2FA (two factor authentication) Enterprise Server thr ...) NOT-FOR-US: WiKID 2FA Enterprise Server CVE-2019-16916 REJECTED CVE-2019-16915 (An issue was discovered in pfSense through 2.4.4-p3. widgets/widgets/p ...) NOT-FOR-US: pfSense CVE-2019-16914 (An XSS issue was discovered in pfSense through 2.4.4-p3. In services_c ...) NOT-FOR-US: pfSense CVE-2019-16913 (PC Protect Antivirus v4.14.31 installs by default to %PROGRAMFILES(X86 ...) NOT-FOR-US: PC Protect Antivirus CVE-2019-16912 RESERVED CVE-2019-16911 RESERVED CVE-2019-16910 (Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when dete ...) - mbedtls 2.16.3-1 (bug #941265) [buster] - mbedtls (Minor issue) [stretch] - mbedtls (Minor issue) - polarssl [jessie] - polarssl (Minor issue, backport intrusive because of API changes) NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-10 NOTE: https://github.com/ARMmbed/mbedtls/commit/298a43a77ec0ed2c19a8c924ddd8571ef3e65dfd (2.7.12) NOTE: https://github.com/ARMmbed/mbedtls/commit/33f66ba6fd234114aa37f0209dac031bb2870a9b (2.16.3) CVE-2019-16909 (An issue was discovered in the Infosysta "In-App & Desktop Notific ...) NOT-FOR-US: Infosysta CVE-2019-16908 (An issue was discovered in the Infosysta "In-App & Desktop Notific ...) NOT-FOR-US: Infosysta CVE-2019-16907 (An issue was discovered in the Infosysta "In-App & Desktop Notific ...) NOT-FOR-US: Infosysta CVE-2019-16906 (An issue was discovered in the Infosysta "In-App & Desktop Notific ...) NOT-FOR-US: Infosysta CVE-2019-16905 (OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an expe ...) - openssh 1:8.1p1-1 (unimportant) [stretch] - openssh (Vulnerable code introduced later) [jessie] - openssh (Vulnerable code introduced later) NOTE: Issue in experimental (and not enabled) XMSS implementation; futhermore there NOTE: is not supported way to enable it when building openssh. CVE-2019-16904 (TeamPass 2.1.27.36 allows Stored XSS by setting a crafted password for ...) - teampass (bug #730180) CVE-2019-16903 (Platinum UPnP SDK 1.2.0 allows Directory Traversal in Core/PltHttpServ ...) NOT-FOR-US: Platinum UPnP SDK CVE-2015-9456 (The orbisius-child-theme-creator plugin before 1.2.8 for WordPress has ...) NOT-FOR-US: orbisius-child-theme-creator plugin for WordPress CVE-2015-9455 (The buddypress-activity-plus plugin before 1.6.2 for WordPress has CSR ...) NOT-FOR-US: buddypress-activity-plus plugin for WordPress CVE-2015-9454 (The smooth-slider plugin before 2.7 for WordPress has SQL Injection vi ...) NOT-FOR-US: smooth-slider plugin for WordPress CVE-2015-9453 (The broken-link-manager plugin before 0.6.0 for WordPress has XSS via ...) NOT-FOR-US: broken-link-manager plugin for WordPress CVE-2015-9452 (The nex-forms-express-wp-form-builder plugin before 4.6.1 for WordPres ...) NOT-FOR-US: nex-forms-express-wp-form-builder plugin for WordPress CVE-2015-9451 (The plugmatter-optin-feature-box-lite plugin before 2.0.14 for WordPre ...) NOT-FOR-US: plugmatter-optin-feature-box-lite plugin for WordPress CVE-2015-9450 (The plugmatter-optin-feature-box-lite plugin before 2.0.14 for WordPre ...) NOT-FOR-US: plugmatter-optin-feature-box-lite plugin for WordPress CVE-2019-16902 (In the ARforms plugin 3.7.1 for WordPress, arf_delete_file in arformco ...) NOT-FOR-US: ARforms plugin for WordPress CVE-2019-16901 (Advantech WebAccess/HMI Designer 2.1.9.31 has Exception Handler Chain ...) NOT-FOR-US: Advantech CVE-2019-16900 (Advantech WebAccess/HMI Designer 2.1.9.31 has a User Mode Write AV sta ...) NOT-FOR-US: Advantech CVE-2019-16899 (In Advantech WebAccess/HMI Designer 2.1.9.31, Data from a Faulting Add ...) NOT-FOR-US: Advantech CVE-2019-16898 REJECTED CVE-2019-16897 (In K7 Antivirus Premium 16.0.xxx through 16.0.0120; K7 Total Security ...) NOT-FOR-US: K7 CVE-2019-16896 (In K7 Ultimate Security 16.0.0117, the module K7BKCExt.dll (aka the ba ...) NOT-FOR-US: K7 Ultimate Security CVE-2019-16895 REJECTED CVE-2019-16894 (download.php in inoERP 4.15 allows SQL injection through insecure dese ...) NOT-FOR-US: inoERP CVE-2019-16893 (The Web Management of TP-Link TP-SG105E V4 1.0.0 Build 20181120 device ...) NOT-FOR-US: TP-Link CVE-2019-16892 (In Rubyzip before 1.3.0, a crafted ZIP file can bypass application che ...) - ruby-zip 2.0.0-1 (low; bug #941222) [buster] - ruby-zip (Minor issue) [stretch] - ruby-zip (Minor issue) [jessie] - ruby-zip (Minor issue, zip bomb non-default mitigation) NOTE: https://github.com/rubyzip/rubyzip/pull/403 NOTE: https://github.com/rubyzip/rubyzip/commit/4167f0ce67e42b082605bca75c7bdfd01eb23804 NOTE: https://github.com/rubyzip/rubyzip/commit/7849f7362ab0cd23d5730ef8b6f2c39252da2285 NOTE: https://github.com/rubyzip/rubyzip/commit/97cb6aefe6d12bd2429d7a2e119ccb26f259d71d CVE-2019-16891 (Liferay Portal CE 6.2.5 allows remote command execution because of des ...) NOT-FOR-US: Liferay Portal CVE-2019-16890 (Halo 1.1.0 has XSS via a crafted authorUrl in JSON data to api/content ...) NOT-FOR-US: Halo CVE-2019-16889 (Ubiquiti EdgeMAX devices before 2.0.3 allow remote attackers to cause ...) NOT-FOR-US: Ubiquiti EdgeMAX CVE-2017-18635 (An XSS vulnerability was discovered in noVNC before 0.6.2 in which the ...) {DLA-1946-1} - novnc 1:1.0.0-1 [stretch] - novnc (Minor issue) NOTE: https://bugs.launchpad.net/horizon/+bug/1656435 NOTE: https://github.com/novnc/noVNC/commit/6048299a138e078aed210f163111698c8c526a13#diff-286f7dc7b881e942e97cd50c10898f03L534 NOTE: https://github.com/novnc/noVNC/issues/748 CVE-2019-16888 RESERVED CVE-2019-16887 (In IrfanView 4.53, Data from a Faulting Address controls a subsequent ...) NOT-FOR-US: IrfanView CVE-2019-16886 RESERVED CVE-2019-16885 (In OkayCMS through 2.3.4, an unauthenticated attacker can achieve remo ...) NOT-FOR-US: OkayCMS CVE-2019-16884 (runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other ...) - runc 1.0.0~rc9+dfsg1-1 (bug #942026) [buster] - runc (Minor issue) [stretch] - runc (Minor issue) - golang-github-opencontainers-selinux 1.3.0-2 (bug #942027) NOTE: https://github.com/opencontainers/runc/issues/2128 CVE-2019-16883 RESERVED CVE-2019-16882 (An issue was discovered in the string-interner crate before 0.7.1 for ...) NOT-FOR-US: Rust string-interner crate CVE-2019-16881 (An issue was discovered in the portaudio-rs crate through 0.3.1 for Ru ...) NOT-FOR-US: Rustportaudio-rs crate CVE-2019-16880 (An issue was discovered in the linea crate through 0.9.4 for Rust. The ...) NOT-FOR-US: Rust linea crate CVE-2019-16879 (The Synergy Systems & Solutions (SSS) HUSKY RTU 6049-E70, with fir ...) NOT-FOR-US: Synergy Systems & Solutions (SSS) CVE-2019-16878 (Portainer before 1.22.1 has XSS (issue 2 of 2). ...) NOT-FOR-US: Portainer CVE-2019-16877 (Portainer before 1.22.1 has Incorrect Access Control (issue 4 of 4). ...) NOT-FOR-US: Portainer CVE-2019-16876 (Portainer before 1.22.1 allows Directory Traversal. ...) NOT-FOR-US: Portainer CVE-2019-16875 RESERVED CVE-2019-16874 (Portainer before 1.22.1 has Incorrect Access Control (issue 2 of 4). ...) NOT-FOR-US: Portainer CVE-2019-16873 (Portainer before 1.22.1 has XSS (issue 1 of 2). ...) NOT-FOR-US: Portainer CVE-2019-16872 (Portainer before 1.22.1 has Incorrect Access Control (issue 1 of 4). ...) NOT-FOR-US: Portainer CVE-2019-16871 (Beckhoff Embedded Windows PLCs through 3.1.4024.0, and Beckhoff Twinca ...) NOT-FOR-US: Beckhoff CVE-2019-16870 RESERVED CVE-2019-16869 (Netty before 4.1.42.Final mishandles whitespace before the colon in HT ...) {DSA-4597-1 DLA-2110-1 DLA-1941-1} - netty 1:4.1.33-2 (bug #941266) - netty-3.9 NOTE: https://github.com/netty/netty/issues/9571 NOTE: https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95 CVE-2019-16868 (emlog through 6.0.0beta has an arbitrary file deletion vulnerability v ...) NOT-FOR-US: emlog CVE-2019-16867 (HongCMS 3.0.0 allows arbitrary file deletion via a ../ in the file par ...) NOT-FOR-US: HongCMS CVE-2019-16866 (Unbound before 1.9.4 accesses uninitialized memory, which allows remot ...) {DSA-4544-1} - unbound 1.9.4-1 (bug #941692) [stretch] - unbound (Vulnerable code introduced in 1.7.1) [jessie] - unbound (Vulnerable code introduced in 1.7.1) NOTE: https://nlnetlabs.nl/downloads/unbound/CVE-2019-16866.txt NOTE: Patch: https://nlnetlabs.nl/downloads/unbound/patch_cve_2019-16866.diff CVE-2015-9449 (The microblog-poster plugin before 1.6.2 for WordPress has SQL Injecti ...) NOT-FOR-US: microblog-poster plugin for WordPress CVE-2015-9448 (The sendpress plugin before 1.2 for WordPress has SQL Injection via th ...) NOT-FOR-US: sendpress plugin for WordPress CVE-2015-9447 (The unite-gallery-lite plugin before 1.5 for WordPress has CSRF and SQ ...) NOT-FOR-US: unite-gallery-lite plugin for WordPress CVE-2015-9446 (The unite-gallery-lite plugin before 1.5 for WordPress has SQL injecti ...) NOT-FOR-US: unite-gallery-lite plugin for WordPress CVE-2015-9445 (The unite-gallery-lite plugin before 1.5 for WordPress has CSRF and SQ ...) NOT-FOR-US: unite-gallery-lite plugin for WordPress CVE-2015-9444 (The altos-connect plugin 1.3.0 for WordPress has XSS via the wp-conten ...) NOT-FOR-US: altos-connect plugin for WordPress CVE-2015-9443 (The accurate-form-data-real-time-form-validation plugin 1.2 for WordPr ...) NOT-FOR-US: accurate-form-data-real-time-form-validation plugin for WordPress CVE-2015-9442 (The avenirsoft-directdownload plugin 1.0 for WordPress has CSRF with r ...) NOT-FOR-US: avenirsoft-directdownload plugin for WordPress CVE-2015-9441 (The bookmarkify plugin 2.9.2 for WordPress has CSRF with resultant XSS ...) NOT-FOR-US: bookmarkify plugin for WordPress CVE-2015-9440 (The monetize plugin through 1.03 for WordPress has CSRF with resultant ...) NOT-FOR-US: monetize plugin for WordPress CVE-2015-9439 (The addthis plugin before 5.0.13 for WordPress has CSRF with resultant ...) NOT-FOR-US: addthis plugin for WordPress CVE-2015-9438 (The display-widgets plugin before 2.04 for WordPress has XSS via the w ...) NOT-FOR-US: display-widgets plugin for WordPress CVE-2015-9437 (The dynamic-widgets plugin before 1.5.11 for WordPress has CSRF with r ...) NOT-FOR-US: dynamic-widgets plugin for WordPress CVE-2015-9436 (The dynamic-widgets plugin before 1.5.11 for WordPress has XSS via the ...) NOT-FOR-US: dynamic-widgets plugin for WordPress CVE-2015-9435 (The oauth2-provider plugin before 3.1.5 for WordPress has incorrect ge ...) NOT-FOR-US: oauth2-provider plugin for WordPress CVE-2015-9434 (The kiwi-logo-carousel plugin before 1.7.2 for WordPress has CSRF with ...) NOT-FOR-US: kiwi-logo-carousel plugin for WordPress CVE-2015-9433 (The wp-social-bookmarking-light plugin before 1.7.10 for WordPress has ...) NOT-FOR-US: wp-social-bookmarking-light plugin for WordPress CVE-2015-9432 (The alpine-photo-tile-for-instagram plugin before 1.2.7.6 for WordPres ...) NOT-FOR-US: alpine-photo-tile-for-instagram plugin for WordPress CVE-2015-9431 (The qtranslate-x plugin before 3.4.4 for WordPress has CSRF with resul ...) NOT-FOR-US: qtranslate-x plugin for WordPress CVE-2015-9430 (The crazy-bone plugin before 0.6.0 for WordPress has XSS via the User- ...) NOT-FOR-US: crazy-bone plugin for WordPress CVE-2015-9429 (The yith-maintenance-mode plugin before 1.2.0 for WordPress has CSRF w ...) NOT-FOR-US: yith-maintenance-mode plugin for WordPress CVE-2015-9428 (The wplegalpages plugin before 1.1 for WordPress has CSRF with resulta ...) NOT-FOR-US: wplegalpages plugin for WordPress CVE-2015-9427 (The googmonify plugin through 0.5.1 for WordPress has CSRF with result ...) NOT-FOR-US: googmonify plugin for WordPress CVE-2015-9426 (The manual-image-crop plugin before 1.11 for WordPress has CSRF with r ...) NOT-FOR-US: manual-image-crop plugin for WordPress CVE-2015-9425 (The social-locker plugin before 4.2.5 for WordPress has CSRF with resu ...) NOT-FOR-US: social-locker plugin for WordPress CVE-2015-9424 (The multicons plugin before 3.0 for WordPress has CSRF with resultant ...) NOT-FOR-US: multicons plugin for WordPress CVE-2015-9423 (The PlugNedit Adaptive Editor plugin before 6.2.0 for WordPress has XS ...) NOT-FOR-US: PlugNedit Adaptive Editor plugin for WordPress CVE-2015-9422 (The PlugNedit Adaptive Editor plugin before 6.2.0 for WordPress has CS ...) NOT-FOR-US: PlugNedit Adaptive Editor plugin for WordPress CVE-2015-9421 (The olevmedia-shortcodes plugin before 1.1.9 for WordPress has CSRF wi ...) NOT-FOR-US: olevmedia-shortcodes plugin for WordPress CVE-2015-9420 (The soundcloud-is-gold plugin before 2.3.2 for WordPress has XSS via t ...) NOT-FOR-US: soundcloud-is-gold plugin for WordPress CVE-2015-9419 (The captain-slider plugin 1.0.6 for WordPress has XSS via a Title or C ...) NOT-FOR-US: captain-slider plugin for WordPress CVE-2015-9418 (The Watu Pro plugin before 4.9.0.8 for WordPress has CSRF that allows ...) NOT-FOR-US: Watu Pro plugin for WordPress CVE-2015-9417 (The testimonial-slider plugin through 1.2.1 for WordPress has CSRF wit ...) NOT-FOR-US: testimonial-slider plugin for WordPress CVE-2015-9416 (The sitepress-multilingual-cms (WPML) plugin 2.9.3 to 3.2.6 for WordPr ...) NOT-FOR-US: Wordpress plugin CVE-2015-9415 (The bj-lazy-load plugin before 1.0 for WordPress has Remote File Inclu ...) NOT-FOR-US: bj-lazy-load plugin for WordPress CVE-2015-9414 (The wp-symposium plugin through 15.8.1 for WordPress has XSS via the w ...) NOT-FOR-US: wp-symposium plugin for WordPress CVE-2015-9413 (The eshop plugin through 6.3.13 for WordPress has CSRF with resultant ...) NOT-FOR-US: eshop plugin for WordPress CVE-2015-9412 (The Royal-Slider plugin before 3.2.7 for WordPress has XSS via the rst ...) NOT-FOR-US: Royal-Slider plugin for WordPress CVE-2015-9411 (The Postmatic plugin before 1.4.6 for WordPress has XSS. ...) NOT-FOR-US: Postmatic plugin for WordPress CVE-2015-9410 (The Blubrry PowerPress Podcasting plugin 6.0.4 for WordPress has XSS v ...) NOT-FOR-US: Blubrry PowerPress Podcasting plugin for WordPress CVE-2015-9409 (The alo-easymail plugin before 2.6.01 for WordPress has CSRF with resu ...) NOT-FOR-US: Wordpress plugin CVE-2019-16865 (An issue was discovered in Pillow before 6.2.0. When reading specially ...) - pillow 6.2.0-1 (low) [buster] - pillow 5.4.1-2+deb10u1 [stretch] - pillow (Minor issue, too intrusive to backport) [jessie] - pillow (Risk of regressions is too high) - python-imaging NOTE: https://github.com/python-pillow/Pillow/commit/b36c1bc943d554ba223086c7efb502d080f73905 NOTE: https://github.com/python-pillow/Pillow/commit/f228d0ccbf6bf9392d7fcd51356ef2cfda80c75a NOTE: https://github.com/python-pillow/Pillow/commit/b9693a51c99c260bd66d1affeeab4a226cf7e5a5 NOTE: https://github.com/python-pillow/Pillow/commit/cc16025e234b7a7a4dd3a86d2fdc0980698db9cc CVE-2019-16864 RESERVED CVE-2019-16863 (STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow a ...) NOT-FOR-US: STMicroelectronics CVE-2019-16862 (Reflected XSS in interface/forms/eye_mag/view.php in OpenEMR 5.x befor ...) NOT-FOR-US: OpenEMR CVE-2019-16861 (Code42 server through 7.0.2 for Windows has an Untrusted Search Path. ...) NOT-FOR-US: Code42 CVE-2019-16860 (Code42 app through version 7.0.2 for Windows has an Untrusted Search P ...) NOT-FOR-US: Code42 CVE-2019-16859 RESERVED CVE-2019-16858 RESERVED CVE-2019-16857 RESERVED CVE-2019-16856 RESERVED CVE-2019-16855 RESERVED CVE-2019-16854 RESERVED CVE-2019-16853 RESERVED CVE-2019-16852 RESERVED CVE-2019-16851 RESERVED CVE-2019-16850 RESERVED CVE-2019-16849 RESERVED CVE-2019-16848 RESERVED CVE-2019-16847 RESERVED CVE-2019-16846 RESERVED CVE-2019-16845 RESERVED CVE-2019-16844 RESERVED CVE-2019-16843 RESERVED CVE-2019-16842 RESERVED CVE-2019-16841 RESERVED CVE-2019-16840 RESERVED CVE-2019-16839 RESERVED CVE-2019-16838 RESERVED CVE-2019-16837 RESERVED CVE-2019-16836 RESERVED CVE-2019-16835 RESERVED CVE-2019-16834 RESERVED CVE-2019-16833 RESERVED CVE-2019-16832 RESERVED CVE-2019-16831 RESERVED CVE-2019-16830 RESERVED CVE-2019-16829 RESERVED CVE-2019-16828 RESERVED CVE-2019-16827 RESERVED CVE-2019-16826 RESERVED CVE-2019-16825 RESERVED CVE-2019-16824 RESERVED CVE-2019-16823 RESERVED CVE-2019-16822 RESERVED CVE-2019-16821 RESERVED CVE-2019-16820 RESERVED CVE-2019-16819 RESERVED CVE-2019-16818 RESERVED CVE-2019-16817 RESERVED CVE-2019-16816 RESERVED CVE-2019-16815 RESERVED CVE-2019-16814 RESERVED CVE-2019-16813 RESERVED CVE-2019-16812 RESERVED CVE-2019-16811 RESERVED CVE-2019-16810 RESERVED CVE-2019-16809 RESERVED CVE-2019-16808 RESERVED CVE-2019-16807 RESERVED CVE-2019-16806 RESERVED CVE-2019-16805 RESERVED CVE-2019-16804 RESERVED CVE-2019-16803 RESERVED CVE-2019-16802 RESERVED CVE-2019-16801 RESERVED CVE-2019-16800 RESERVED CVE-2019-16799 RESERVED CVE-2019-16798 RESERVED CVE-2019-16797 RESERVED CVE-2019-16796 RESERVED CVE-2019-16795 RESERVED CVE-2019-16794 RESERVED CVE-2019-16793 RESERVED CVE-2019-16792 (Waitress through version 1.3.1 allows request smuggling by sending the ...) - waitress 1.4.1-1 [buster] - waitress (Minor issue) [stretch] - waitress (Minor issue) [jessie] - waitress (Minor issue) NOTE: https://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6 NOTE: https://github.com/Pylons/waitress/commit/575994cd42e83fd772a5f7ec98b2c56751bd3f65 CVE-2019-16791 (In postfix-mta-sts-resolver before 0.5.1, All users can receive incorr ...) - postfix-mta-sts-resolver (Fixed before initial upload) NOTE: https://github.com/Snawoot/postfix-mta-sts-resolver/security/advisories/GHSA-h92m-42h4-82f6 CVE-2019-16790 (In Tiny File Manager before 2.3.9, there is a remote code execution vi ...) NOT-FOR-US: Tiny File Manager CVE-2019-16789 (In Waitress through version 1.4.0, if a proxy server is used in front ...) {DLA-2056-1} - waitress 1.4.1-1 (bug #947433) [buster] - waitress (Minor issue) [stretch] - waitress (Minor issue) NOTE: https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 NOTE: https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017 CVE-2019-16788 REJECTED CVE-2019-16786 (Waitress through version 1.3.1 would parse the Transfer-Encoding heade ...) - waitress 1.4.1-1 (bug #947306) [buster] - waitress (Minor issue) [stretch] - waitress (Minor issue) [jessie] - waitress (Minor issue) NOTE: https://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p NOTE: https://github.com/Pylons/waitress/commit/f11093a6b3240fc26830b6111e826128af7771c3 CVE-2019-16785 (Waitress through version 1.3.1 implemented a "MAY" part of the RFC7230 ...) - waitress 1.4.1-1 (bug #947306) [buster] - waitress (Minor issue) [stretch] - waitress (Minor issue) [jessie] - waitress (Minor issue) NOTE: https://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p NOTE: https://github.com/Pylons/waitress/commit/8eba394ad75deaf9e5cd15b78a3d16b12e6b0eba CVE-2019-16784 (In PyInstaller before version 3.6, only on Windows, a local privilege ...) NOT-FOR-US: PyInstaller on Windows CVE-2019-16783 RESERVED CVE-2019-16782 (There's a possible information leak / session hijack vulnerability in ...) - ruby-rack 2.1.1-2 (bug #946983) [buster] - ruby-rack (Minor issue) [stretch] - ruby-rack (Minor issue) [jessie] - ruby-rack (Minor issue) NOTE: https://github.com/rack/rack/commit/7fecaee81f59926b6e1913511c90650e76673b38 NOTE: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3 CVE-2019-16779 (In RubyGem excon before 0.71.0, there was a race condition around pers ...) {DLA-2070-1} - ruby-excon 0.60.0-2 (bug #946904) [buster] - ruby-excon (Minor issue) [stretch] - ruby-excon (Minor issue) NOTE: https://github.com/excon/excon/security/advisories/GHSA-q58g-455p-8vw9 NOTE: https://github.com/excon/excon/commit/ccb57d7a422f020dc74f1de4e8fb505ab46d8a29 CVE-2019-16778 (In TensorFlow before 1.15, a heap buffer overflow in UnsortedSegmentSu ...) - tensorflow (bug #804612) CVE-2019-16777 (Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary ...) [experimental] - npm 6.13.4+ds-1 - npm 6.13.4+ds-2 (bug #947127) [buster] - npm 5.8.0+ds6-4+deb10u1 [jessie] - npm (Nodejs in jessie not covered by security support) NOTE: https://github.com/npm/cli/security/advisories/GHSA-4328-8hgf-7wjr NOTE: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli CVE-2019-16776 (Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary ...) [experimental] - npm 6.13.4+ds-1 - npm 6.13.4+ds-2 (bug #947127) [buster] - npm 5.8.0+ds6-4+deb10u1 [jessie] - npm (Nodejs in jessie not covered by security support) NOTE: https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46 NOTE: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli CVE-2019-16775 (Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary ...) [experimental] - npm 6.13.4+ds-1 - npm 6.13.4+ds-2 (bug #947127) [buster] - npm 5.8.0+ds6-4+deb10u1 [jessie] - npm (Nodejs in jessie not covered by security support) NOTE: https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx NOTE: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli CVE-2019-16774 (In phpfastcache before 5.1.3, there is a possible object injection vul ...) - kopano-webapp-plugin-files 2.1.5+dfsg1-2 (unimportant) NOTE: https://github.com/PHPSocialNetwork/phpfastcache/security/advisories/GHSA-484f-743f-6jx2 NOTE: https://github.com/PHPSocialNetwork/phpfastcache/commit/c4527205cb7a402b595790c74310791f5b04a1a4 (5.0.13) NOTE: https://github.com/PHPSocialNetwork/phpfastcache/commit/82a84adff6e8fc9b564c616d0fdc9238ae2e86c3 (4.3.18) NOTE: Affected phpfastcache code is not used in kopano-webapp-plugin-files. CVE-2019-16773 REJECTED CVE-2019-16772 (The serialize-to-js NPM package before version 3.0.1 is vulnerable to ...) NOT-FOR-US: serialize-to-js Node package CVE-2019-16771 (Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable ...) NOT-FOR-US: Armeria CVE-2019-16770 (In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client coul ...) - puma 3.12.0-4 (bug #946312) [buster] - puma 3.12.0-2+deb10u1 [stretch] - puma (Minor issue) NOTE: https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994 NOTE: https://github.com/puma/puma/commit/06053e60908074bb38293d4449ea261cb009b53e CVE-2019-16769 (The serialize-javascript npm package before version 2.1.1 is vulnerabl ...) NOT-FOR-US: serialize-javascript Node package CVE-2019-16768 (In affected versions of Sylius, exception messages from internal excep ...) NOT-FOR-US: Sylius CVE-2019-16767 (The admin sys mode is now conditional and dedicated for the special ca ...) NOT-FOR-US: ezmaster CVE-2019-16766 (When using wagtail-2fa before 1.3.0, if someone gains access to someon ...) NOT-FOR-US: wagtail-2fa CVE-2019-16765 (If an attacker can get a user to open a specially prepared directory t ...) NOT-FOR-US: Vscode CVE-2019-16764 (The use of `String.to_atom/1` in PowAssent is susceptible to denial of ...) NOT-FOR-US: PowAssent CVE-2019-16763 (In Pannellum from 2.5.0 through 2.5.4 URLs were not sanitized for data ...) NOT-FOR-US: Pannellum CVE-2019-16762 (A specially crafted Bitcoin script can cause a discrepancy between the ...) NOT-FOR-US: SLP CVE-2019-16761 (A specially crafted Bitcoin script can cause a discrepancy between the ...) NOT-FOR-US: SLP CVE-2019-16760 (Cargo prior to Rust 1.26.0 may download the wrong dependency if your p ...) - cargo 0.27.0-1 NOTE: https://rustsec.org/advisories/CVE-2019-16760.html CVE-2019-16759 (vBulletin 5.x through 5.5.4 allows remote command execution via the wi ...) NOT-FOR-US: vBulletin CVE-2019-16758 (In Lexmark Services Monitor 2.27.4.0.39 (running on TCP port 2070), a ...) NOT-FOR-US: Lexmark CVE-2019-16757 RESERVED CVE-2019-16756 RESERVED CVE-2019-16755 (BMC Remedy ITSM Suite is prone to unspecified vulnerabilities in both ...) NOT-FOR-US: BMC MyIT Digital Workplace DWP CVE-2019-16754 (RIOT 2019.07 contains a NULL pointer dereference in the MQTT-SN implem ...) NOT-FOR-US: RIOT RIOT-OS CVE-2019-16753 (An issue was discovered in Decentralized Anonymous Payment System (DAP ...) NOT-FOR-US: Decentralized Anonymous Payment System (DAPS) CVE-2019-16752 (An issue was discovered in Decentralized Anonymous Payment System (DAP ...) NOT-FOR-US: Decentralized Anonymous Payment System (DAPS) CVE-2019-16751 (An issue was discovered in Devise Token Auth through 1.1.2. The omniau ...) NOT-FOR-US: Devise Token Auth CVE-2019-16750 RESERVED CVE-2019-16749 RESERVED CVE-2019-16748 (In wolfSSL through 4.1.0, there is a missing sanity check of memory ac ...) - wolfssl 4.2.0+dfsg-1 NOTE: https://github.com/wolfSSL/wolfssl/issues/2459 CVE-2019-16747 RESERVED CVE-2019-16745 (eBrigade before 5.0 has evenement_choice.php chxCal SQL Injection. ...) NOT-FOR-US: eBrigade CVE-2019-16744 (eBrigade before 5.0 has evenements.php cid SQL Injection. ...) NOT-FOR-US: eBrigade CVE-2019-16743 (eBrigade before 5.0 has evenement_ical.php evenement SQL Injection. ...) NOT-FOR-US: eBrigade CVE-2019-16742 RESERVED CVE-2019-16741 RESERVED CVE-2019-16740 RESERVED CVE-2019-16739 RESERVED CVE-2019-16738 (In MediaWiki through 1.33.0, Special:Redirect allows information discl ...) {DSA-4545-1} - mediawiki 1:1.31.4-1 NOTE: https://phabricator.wikimedia.org/T230402 CVE-2019-16737 (The processCommandSetMac() function of libcommon.so in Petwant PF-103 ...) NOT-FOR-US: Petwant PF-103 and Petalk AI CVE-2019-16736 (A stack-based buffer overflow in processCommandUploadSnapshot in libco ...) NOT-FOR-US: Petwant PF-103 and Petalk AI CVE-2019-16735 (A stack-based buffer overflow in processCommandUploadLog in libcommon. ...) NOT-FOR-US: Petwant PF-103 and Petalk AI CVE-2019-16734 (Use of default credentials for the TELNET server in Petwant PF-103 fir ...) NOT-FOR-US: Petwant PF-103 and Petalk AI CVE-2019-16733 (processCommandSetUid() in libcommon.so in Petwant PF-103 firmware 4.22 ...) NOT-FOR-US: Petwant PF-103 and Petalk AI CVE-2019-16732 (Unencrypted HTTP communications for firmware upgrades in Petalk AI and ...) NOT-FOR-US: Petwant PF-103 and Petalk AI CVE-2019-16731 (The udpServerSys service in Petwant PF-103 firmware 4.22.2.42 and Peta ...) NOT-FOR-US: Petwant PF-103 and Petalk AI CVE-2019-16730 (processCommandUpgrade() in libcommon.so in Petwant PF-103 firmware 4.2 ...) NOT-FOR-US: Petwant PF-103 and Petalk AI CVE-2019-16728 (DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (m ...) - dompurify.js [stretch] - dompurify.js (Minor issue) NOTE: https://research.securitum.com/dompurify-bypass-using-mxss/ CVE-2019-16746 (An issue was discovered in net/wireless/nl80211.c in the Linux kernel ...) {DLA-2114-1 DLA-2068-1} - linux 5.3.7-1 [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 NOTE: https://marc.info/?l=linux-wireless&m=156901391225058&w=2 CVE-2019-16727 RESERVED CVE-2019-16726 RESERVED CVE-2019-16725 (In Joomla! 3.x before 3.9.12, inadequate escaping allowed XSS attacks ...) NOT-FOR-US: Joomla! CVE-2019-16724 (File Sharing Wizard 1.5.0 allows a remote attacker to obtain arbitrary ...) NOT-FOR-US: File Sharing Wizard CVE-2019-16723 (In Cacti through 1.2.6, authenticated users may bypass authorization c ...) - cacti 1.2.7+ds1-1 (bug #941036) [buster] - cacti 1.2.2+ds1-2+deb10u2 [stretch] - cacti (vulnerability introduced later) [jessie] - cacti (vulnerability introduced later) NOTE: vulnerability introduced in NOTE: https://github.com/Cacti/cacti/commit/cf73ae1a9f65b5a27d7f9d10c8e14835c3a76326 NOTE: see Debian bug report for more information NOTE: https://github.com/Cacti/cacti/issues/2964 NOTE: https://github.com/Cacti/cacti/commit/7a6a17252a1cbda180b61fff244cb3ce797d5264 NOTE: https://github.com/Cacti/cacti/commit/c7cf4a26e4848872b48094e67f8d0a01dd7613d2 NOTE: after further discussion, upstream issued a new fix which reverts previous commits NOTE: https://github.com/Cacti/cacti/commit/cfb0733597af97abc92270de4f47cbfa32f9ce8b NOTE: which turned out to be insufficient to fix the issue, follow up patches: NOTE: https://github.com/Cacti/cacti/commit/9a1d2ec46d2dde23826c134ca70a0cd3bef43ee7 NOTE: https://github.com/Cacti/cacti/commit/d5f98679a06aa96adfe04f60908f9108cfc9f7f7 NOTE: https://github.com/Cacti/cacti/commit/4cecb19f6be8b84fa1c7b6450b66176007cb53df NOTE: The original issue mentions only a bypass via graph_json.php but there are NOTE: additional permission checks missed while checking the issue fixed with the NOTE: upstream commits. CVE-2019-16722 (ZZZCMS zzzphp v1.7.2 has an insufficient protection mechanism against ...) NOT-FOR-US: ZZZCMS CVE-2019-16721 (NoneCMS v1.3 has CSRF in public/index.php/admin/admin/dele.html, as de ...) NOT-FOR-US: NoneCMS CVE-2019-16720 (ZZZCMS zzzphp v1.7.2 does not properly restrict file upload in plugins ...) NOT-FOR-US: ZZZCMS CVE-2019-16719 (WTCMS 1.0 allows index.php?g=admin&m=index&a=index CSRF with r ...) NOT-FOR-US: WTCMS CVE-2019-16718 (In radare2 before 3.9.0, a command injection vulnerability exists in b ...) - radare2 (Incomplete fixes for CVE-2019-14745 not applied) CVE-2019-16717 (OX App Suite through 7.10.2 has XSS. ...) NOT-FOR-US: Open-Xchange App Suite CVE-2019-16716 (OX App Suite through 7.10.2 has Incorrect Access Control. ...) NOT-FOR-US: Open-Xchange App Suite CVE-2019-16715 RESERVED CVE-2019-16713 (ImageMagick 7.0.8-43 has a memory leak in coders/dot.c, as demonstrate ...) {DSA-4712-1} - imagemagick (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1558 CVE-2019-16712 (ImageMagick 7.0.8-43 has a memory leak in Huffman2DEncodeImage in code ...) - imagemagick (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1557 CVE-2019-16711 (ImageMagick 7.0.8-40 has a memory leak in Huffman2DEncodeImage in code ...) {DSA-4712-1} - imagemagick (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1542 CVE-2019-16710 (ImageMagick 7.0.8-35 has a memory leak in coders/dot.c, as demonstrate ...) {DSA-4712-1} - imagemagick (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1528 CVE-2019-16709 (ImageMagick 7.0.8-35 has a memory leak in coders/dps.c, as demonstrate ...) - imagemagick (unimportant) - graphicsmagick 1.4+really1.3.33+hg16117-1 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1531 CVE-2019-16708 (ImageMagick 7.0.8-35 has a memory leak in magick/xwindow.c, related to ...) {DSA-4712-1} - imagemagick (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1531 CVE-2019-16707 (Hunspell 1.7.0 has an invalid read operation in SuggestMgr::leftcommon ...) - hunspell 1.7.0-3 (unimportant; bug #941185) NOTE: Negligible security impact NOTE: https://github.com/butterflyhack/hunspell-crash NOTE: https://github.com/hunspell/hunspell/issues/624 CVE-2019-16706 (kkcms v1.3 has a CSRF vulnerablity that can add an user account via ad ...) NOT-FOR-US: kkcms CVE-2018-21019 (Home Assistant before 0.67.0 was vulnerable to an information disclosu ...) NOT-FOR-US: Home Assistant CVE-2019-16729 (pam-python before 1.0.7-1 has an issue in regard to the default enviro ...) {DSA-4555-1 DLA-2000-1} - pam-python 1.0.7-1 (bug #942514) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1150510#c1 NOTE: https://sourceforge.net/p/pam-python/code/ci/0247ab687b4347cc52859ca461fb0126dd7e2ebe/ CVE-2019-16714 (In the Linux kernel before 5.2.14, rds6_inc_info_copy in net/rds/recv. ...) - linux 5.2.17-1 [buster] - linux 4.19.87-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/7d0a06586b2686ba80c4a2da5f91cb10ffbea736 CVE-2019-16705 (Ming (aka libming) 0.4.8 has an out of bounds read vulnerability in th ...) - ming NOTE: https://github.com/libming/libming/issues/178 CVE-2019-16704 (admin/infoclass_update.php in PHPMyWind 5.6 has stored XSS. ...) NOT-FOR-US: PHPMyWind CVE-2019-16703 (admin/infolist_add.php in PHPMyWind 5.6 has stored XSS. ...) NOT-FOR-US: PHPMyWind CVE-2019-16702 (Integard Pro 2.2.0.9026 allows remote attackers to execute arbitrary c ...) NOT-FOR-US: Integard Pro CVE-2019-16701 (pfSense through 2.3.4 through 2.4.4-p3 allows Remote Code Injection vi ...) NOT-FOR-US: pfSense CVE-2019-16700 (The slub_events (aka SLUB: Event Registration) extension through 3.0.2 ...) NOT-FOR-US: TYPO3 extension CVE-2019-16699 (The sr_freecap (aka freeCap CAPTCHA) extension 2.4.5 and below and 2.5 ...) NOT-FOR-US: TYPO3 extension CVE-2019-16698 (The direct_mail (aka Direct Mail) extension through 5.2.2 for TYPO3 ha ...) NOT-FOR-US: TYPO3 extension CVE-2019-16697 RESERVED CVE-2019-16696 (phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit. ...) NOT-FOR-US: phpIPAM CVE-2019-16695 (phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filte ...) NOT-FOR-US: phpIPAM CVE-2019-16694 (phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit- ...) NOT-FOR-US: phpIPAM CVE-2019-16693 (phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/order ...) NOT-FOR-US: phpIPAM CVE-2019-16692 (phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filte ...) NOT-FOR-US: phpIPAM CVE-2019-16691 REJECTED CVE-2019-16690 RESERVED CVE-2019-16689 RESERVED CVE-2019-16688 (Dolibarr 9.0.5 has stored XSS in an Email Template section to mails_te ...) - dolibarr CVE-2019-16687 (Dolibarr 9.0.5 has stored XSS in a User Profile in a Signature section ...) - dolibarr CVE-2019-16686 (Dolibarr 9.0.5 has stored XSS in a User Note section to note.php. A us ...) - dolibarr CVE-2019-16685 (Dolibarr 9.0.5 has stored XSS vulnerability via a User Group Descripti ...) - dolibarr CVE-2019-16684 (An issue was discovered in the image-manager in Xoops 2.5.10. When any ...) NOT-FOR-US: Xoops CVE-2019-16683 (An issue was discovered in the image-manager in Xoops 2.5.10. When the ...) NOT-FOR-US: Xoops CVE-2019-16682 (The url_redirect (aka URL redirect) extension through 1.2.1 for TYPO3 ...) NOT-FOR-US: TYPO3 extension CVE-2018-21018 (Mastodon before 2.6.3 mishandles timeouts of incompletely established ...) NOT-FOR-US: Mastodon CVE-2019-16681 (The Traveloka application 3.14.0 for Android exports com.traveloka.and ...) NOT-FOR-US: Traveloka CVE-2019-16680 (An issue was discovered in GNOME file-roller before 3.29.91. It allows ...) {DSA-4537-1 DLA-1938-1} - file-roller 3.30.0-1 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=794337 NOTE: https://gitlab.gnome.org/GNOME/file-roller/commit/57268e51e59b61c9e3125eb0f65551c7084297e2 CVE-2019-16679 (Gila CMS before 1.11.1 allows admin/fm/?f=../ directory traversal, lea ...) NOT-FOR-US: Gila CMS CVE-2019-16678 (admin/urlrule/add.html in YzmCMS 5.3 allows CSRF with a resultant deni ...) NOT-FOR-US: YzmCMS CVE-2019-16677 (An issue was discovered in idreamsoft iCMS V7.0. admincp.php?app=membe ...) NOT-FOR-US: idreamsoft iCMS CVE-2019-16676 (Plataformatec Simple Form has Incorrect Access Control in file_method? ...) - ruby-simple-form NOTE: http://blog.plataformatec.com.br/2019/09/incorrect-access-control-in-simple-form-cve-2019-16676/ NOTE: https://github.com/plataformatec/simple_form/commit/8c91bd76a5052ddf3e3ab9fd8333f9aa7b2e2dd6 NOTE: https://github.com/plataformatec/simple_form/security/advisories/GHSA-r74q-gxcg-73hx CVE-2019-16675 (An issue was discovered in PHOENIX CONTACT PC Worx through 1.86, PC Wo ...) NOT-FOR-US: PHOENIX CONTACT PC Worx CVE-2019-16674 (An issue was discovered on Weidmueller IE-SW-VL05M 3.6.6 Build 1610241 ...) NOT-FOR-US: Weidmueller IE-SW-VL05M CVE-2019-16673 (An issue was discovered on Weidmueller IE-SW-VL05M 3.6.6 Build 1610241 ...) NOT-FOR-US: Weidmueller IE-SW-VL05M CVE-2019-16672 (An issue was discovered on Weidmueller IE-SW-VL05M 3.6.6 Build 1610241 ...) NOT-FOR-US: Weidmueller IE-SW-VL05M CVE-2019-16671 (An issue was discovered on Weidmueller IE-SW-VL05M 3.6.6 Build 1610241 ...) NOT-FOR-US: Weidmueller IE-SW-VL05M CVE-2019-16670 (An issue was discovered on Weidmueller IE-SW-VL05M 3.6.6 Build 1610241 ...) NOT-FOR-US: Weidmueller IE-SW-VL05M CVE-2019-16669 (The Reset Password feature in Pagekit 1.0.17 gives a different respons ...) NOT-FOR-US: Pagekit CMS CVE-2019-16668 RESERVED CVE-2019-16667 (diag_command.php in pfSense 2.4.4-p3 allows CSRF via the txtCommand or ...) NOT-FOR-US: pfSense CVE-2019-16666 RESERVED CVE-2019-16665 (An issue was discovered in ThinkSAAS 2.91. There is XSS via the conten ...) NOT-FOR-US: ThinkSAAS CVE-2019-16664 (An issue was discovered in ThinkSAAS 2.91. There is XSS via the index. ...) NOT-FOR-US: ThinkSAAS CVE-2019-16663 (An issue was discovered in rConfig 3.9.2. An attacker can directly exe ...) NOT-FOR-US: rConfig CVE-2019-16662 (An issue was discovered in rConfig 3.9.2. An attacker can directly exe ...) NOT-FOR-US: rConfig CVE-2019-16661 (Ogma CMS 0.5 has XSS via creation of a new blog. ...) NOT-FOR-US: Ogma CMS CVE-2019-16660 (joyplus-cms 1.6.0 has admin_ajax.php?action=savexml&tab=vodplay CS ...) NOT-FOR-US: joyplus-cms CVE-2019-16659 (TuziCMS 2.0.6 has index.php/manage/link/do_add CSRF. ...) NOT-FOR-US: TuziCMS CVE-2019-16658 (TuziCMS 2.0.6 has index.php/manage/notice/do_add CSRF. ...) NOT-FOR-US: TuziCMS CVE-2019-16657 (TuziCMS 2.0.6 has XSS via the PATH_INFO to a group URI, as demonstrate ...) NOT-FOR-US: TuziCMS CVE-2019-16656 (joyplus-cms 1.6.0 allows remote attackers to execute arbitrary PHP cod ...) NOT-FOR-US: joyplus-cms CVE-2019-16655 (joyplus-cms 1.6.0 allows reinstallation if the install/ URI remains av ...) NOT-FOR-US: joyplus-cms CVE-2019-16654 RESERVED CVE-2019-16653 (An application plugin in Genius Bytes Genius Server (Genius CDDS) 3.2. ...) NOT-FOR-US: Genius Bytes Genius Server (Genius CDDS) CVE-2019-16652 (The BPM component in Genius Bytes Genius Server (Genius CDDS) 3.2.2 al ...) NOT-FOR-US: Genius Bytes Genius Server (Genius CDDS) CVE-2019-16651 RESERVED CVE-2019-16650 (On Supermicro X10 and X11 products, a client's access privileges may b ...) NOT-FOR-US: Supermicro CVE-2019-16649 (On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination ...) NOT-FOR-US: Supermicro CVE-2019-16648 RESERVED CVE-2019-16647 (Unquoted Search Path in Maxthon 5.1.0 to 5.2.7 Browser for Windows. ...) NOT-FOR-US: Maxthon CVE-2019-16646 RESERVED CVE-2019-16645 (An issue was discovered in Embedthis GoAhead 2.5.0. Certain pages (suc ...) NOT-FOR-US: Embedthis GoAhead CVE-2019-16644 (App\Home\Controller\ZhuantiController.class.php in TuziCMS 2.0.6 has S ...) NOT-FOR-US: TuziCMS CVE-2019-16643 (An issue was discovered in ZrLog 2.1.1. There is a Stored XSS vulnerab ...) NOT-FOR-US: ZrLog CVE-2019-16642 (App\Mobile\Controller\ZhuantiController.class.php in TuziCMS 2.0.6 has ...) NOT-FOR-US: TuziCMS CVE-2019-16641 RESERVED CVE-2019-16640 RESERVED CVE-2019-16639 RESERVED CVE-2019-16638 RESERVED CVE-2019-16637 RESERVED CVE-2019-16636 RESERVED CVE-2019-16635 RESERVED CVE-2019-16634 RESERVED CVE-2019-16633 RESERVED CVE-2019-16632 RESERVED CVE-2019-16631 RESERVED CVE-2019-16630 RESERVED CVE-2019-16629 RESERVED CVE-2019-16628 RESERVED CVE-2019-16627 RESERVED CVE-2019-16626 RESERVED CVE-2019-16625 RESERVED CVE-2019-16624 RESERVED CVE-2019-16623 RESERVED CVE-2019-16622 RESERVED CVE-2019-16621 RESERVED CVE-2019-16620 RESERVED CVE-2019-16619 RESERVED CVE-2019-16618 RESERVED CVE-2019-16617 RESERVED CVE-2019-16616 RESERVED CVE-2019-16615 RESERVED CVE-2019-16614 RESERVED CVE-2019-16613 RESERVED CVE-2019-16612 RESERVED CVE-2019-16611 RESERVED CVE-2019-16610 RESERVED CVE-2019-16609 RESERVED CVE-2019-16608 RESERVED CVE-2019-16607 RESERVED CVE-2019-16606 RESERVED CVE-2019-16605 RESERVED CVE-2019-16604 RESERVED CVE-2019-16603 RESERVED CVE-2019-16602 RESERVED CVE-2019-16601 RESERVED CVE-2019-16600 RESERVED CVE-2019-16599 RESERVED CVE-2019-16598 RESERVED CVE-2019-16597 RESERVED CVE-2019-16596 RESERVED CVE-2019-16595 RESERVED CVE-2019-16594 RESERVED CVE-2019-16593 RESERVED CVE-2019-16592 RESERVED CVE-2019-16591 RESERVED CVE-2019-16590 RESERVED CVE-2019-16589 RESERVED CVE-2019-16588 RESERVED CVE-2019-16587 RESERVED CVE-2019-16586 RESERVED CVE-2019-16585 RESERVED CVE-2019-16584 RESERVED CVE-2019-16583 RESERVED CVE-2019-16582 RESERVED CVE-2019-16581 RESERVED CVE-2019-16580 RESERVED CVE-2019-16579 RESERVED CVE-2019-16578 RESERVED CVE-2019-16577 RESERVED CVE-2019-16576 (A missing permission check in Jenkins Alauda Kubernetes Suport Plugin ...) NOT-FOR-US: Jenkins plugin CVE-2019-16575 (A cross-site request forgery vulnerability in Jenkins Alauda Kubernete ...) NOT-FOR-US: Jenkins plugin CVE-2019-16574 (A missing permission check in Jenkins Alauda DevOps Pipeline Plugin 2. ...) NOT-FOR-US: Jenkins plugin CVE-2019-16573 (A cross-site request forgery vulnerability in Jenkins Alauda DevOps Pi ...) NOT-FOR-US: Jenkins plugin CVE-2019-16572 (Jenkins Weibo Plugin 1.0.1 and earlier stores credentials unencrypted ...) NOT-FOR-US: Jenkins plugin CVE-2019-16571 (A missing permission check in Jenkins RapidDeploy Plugin 4.1 and earli ...) NOT-FOR-US: Jenkins plugin CVE-2019-16570 (A cross-site request forgery vulnerability in Jenkins RapidDeploy Plug ...) NOT-FOR-US: Jenkins plugin CVE-2019-16569 (A cross-site request forgery vulnerability in Jenkins Mantis Plugin 0. ...) NOT-FOR-US: Jenkins plugin CVE-2019-16568 (Jenkins SCTMExecutor Plugin 2.2 and earlier transmits previously confi ...) NOT-FOR-US: Jenkins plugin CVE-2019-16567 (A missing permission check in Jenkins Team Concert Plugin 1.3.0 and ea ...) NOT-FOR-US: Jenkins plugin CVE-2019-16566 (A missing permission check in Jenkins Team Concert Plugin 1.3.0 and ea ...) NOT-FOR-US: Jenkins plugin CVE-2019-16565 (A cross-site request forgery vulnerability in Jenkins Team Concert Plu ...) NOT-FOR-US: Jenkins plugin CVE-2019-16564 (Jenkins Pipeline Aggregator View Plugin 1.8 and earlier does not escap ...) NOT-FOR-US: Jenkins plugin CVE-2019-16563 (Jenkins Mission Control Plugin 0.9.16 and earlier does not escape job ...) NOT-FOR-US: Jenkins plugin CVE-2019-16562 (Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the des ...) NOT-FOR-US: Jenkins plugin CVE-2019-16561 (Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows users with ...) NOT-FOR-US: Jenkins plugin CVE-2019-16560 (A cross-site request forgery vulnerability in Jenkins WebSphere Deploy ...) NOT-FOR-US: Jenkins plugin CVE-2019-16559 (A missing permission check in Jenkins WebSphere Deployer Plugin 1.6.1 ...) NOT-FOR-US: Jenkins plugin CVE-2019-16558 (Jenkins Spira Importer Plugin 3.2.3 and earlier disables SSL/TLS certi ...) NOT-FOR-US: Jenkins plugin CVE-2019-16557 (Jenkins Redgate SQL Change Automation Plugin 2.0.3 and earlier stores ...) NOT-FOR-US: Jenkins plugin CVE-2019-16556 (Jenkins Rundeck Plugin 3.6.5 and earlier stores credentials unencrypte ...) NOT-FOR-US: Jenkins plugin CVE-2019-16555 (A user-supplied regular expression in Jenkins Build Failure Analyzer P ...) NOT-FOR-US: Jenkins Build Failure Analyzer Plugin CVE-2019-16554 (A missing permission check in Jenkins Build Failure Analyzer Plugin 1. ...) NOT-FOR-US: Jenkins plugin CVE-2019-16553 (A cross-site request forgery vulnerability in Jenkins Build Failure An ...) NOT-FOR-US: Jenkins plugin CVE-2019-16552 (A missing permission check in Jenkins Gerrit Trigger Plugin 2.30.1 and ...) NOT-FOR-US: Jenkins plugin CVE-2019-16551 (A cross-site request forgery vulnerability in Jenkins Gerrit Trigger P ...) NOT-FOR-US: Jenkins plugin CVE-2019-16550 (A cross-site request forgery vulnerability in a connection test form m ...) NOT-FOR-US: Jenkins plugin CVE-2019-16549 (Jenkins Maven Release Plugin 0.16.1 and earlier does not configure the ...) NOT-FOR-US: Jenkins plugin CVE-2019-16548 (A cross-site request forgery vulnerability in Jenkins Google Compute E ...) NOT-FOR-US: Jenkins plugin CVE-2019-16547 (Missing permission checks in various API endpoints in Jenkins Google C ...) NOT-FOR-US: Jenkins plugin CVE-2019-16546 (Jenkins Google Compute Engine Plugin 4.1.1 and earlier does not verify ...) NOT-FOR-US: Jenkins plugin CVE-2019-16545 (Jenkins QMetry for JIRA - Test Management Plugin transmits credentials ...) NOT-FOR-US: Jenkins plugin CVE-2019-16544 (Jenkins QMetry for JIRA - Test Management Plugin 1.12 and earlier stor ...) NOT-FOR-US: Jenkins plugin CVE-2019-16543 (Jenkins Spira Importer Plugin 3.2.2 and earlier stores credentials une ...) NOT-FOR-US: Jenkins plugin CVE-2019-16542 (Jenkins Anchore Container Image Scanner Plugin 1.0.19 and earlier stor ...) NOT-FOR-US: Jenkins plugin CVE-2019-16541 (Jenkins JIRA Plugin 3.0.10 and earlier does not declare the correct (f ...) NOT-FOR-US: Jenkins plugin CVE-2019-16540 (A path traversal vulnerability in Jenkins Support Core Plugin 2.63 and ...) NOT-FOR-US: Jenkins plugin CVE-2019-16539 (A missing permission check in Jenkins Support Core Plugin 2.63 and ear ...) NOT-FOR-US: Jenkins plugin CVE-2019-16538 (A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.67 ...) NOT-FOR-US: Jenkins plugin CVE-2016-11013 (The wp-listings plugin before 2.0.2 for WordPress has includes/views/s ...) NOT-FOR-US: wp-listings plugin for WordPress CVE-2016-11012 (The sola-support-tickets plugin before 3.13 for WordPress has incorrec ...) NOT-FOR-US: sola-support-tickets plugin for WordPress CVE-2016-11011 (The wp-invoice plugin before 4.1.1 for WordPress has wpi_update_user_o ...) NOT-FOR-US: wp-invoice plugin for WordPress CVE-2016-11010 (The wp-invoice plugin before 4.1.1 for WordPress has incorrect access ...) NOT-FOR-US: wp-invoice plugin for WordPress CVE-2016-11009 (The wp-invoice plugin before 4.1.1 for WordPress has incorrect access ...) NOT-FOR-US: wp-invoice plugin for WordPress CVE-2016-11008 (The wp-invoice plugin before 4.1.1 for WordPress has incorrect access ...) NOT-FOR-US: wp-invoice plugin for WordPress CVE-2016-11007 (The wp-invoice plugin before 4.1.1 for WordPress has incorrect access ...) NOT-FOR-US: wp-invoice plugin for WordPress CVE-2016-11006 (The wp-invoice plugin before 4.1.1 for WordPress has incorrect access ...) NOT-FOR-US: wp-invoice plugin for WordPress CVE-2016-11005 (The instalinker plugin before 1.1.2 for WordPress has includes/instali ...) NOT-FOR-US: instalinker plugin for WordPress CVE-2016-11004 (The Elegant Themes Monarch plugin before 1.2.7 for WordPress has privi ...) NOT-FOR-US: Elegant Themes Monarch plugin for WordPress CVE-2016-11003 (The Elegant Themes Bloom plugin before 1.1.1 for WordPress has privile ...) NOT-FOR-US: Elegant Themes Bloom plugin for WordPress CVE-2016-11002 (The Elegant Themes Extra theme before 1.2.4 for WordPress has privileg ...) NOT-FOR-US: Elegant Themes Extra theme for WordPress CVE-2016-11001 (The user-submitted-posts plugin before 20160215 for WordPress has XSS ...) NOT-FOR-US: user-submitted-posts plugin for WordPress CVE-2016-11000 (The wp-ultimate-exporter plugin through 1.1 for WordPress has SQL inje ...) NOT-FOR-US: wp-ultimate-exporter plugin for WordPress CVE-2016-10999 (The Goodnews theme through 2016-02-28 for WordPress has XSS via the s ...) NOT-FOR-US: Goodnews theme for WordPress CVE-2016-10998 (The ocim-mp3 plugin through 2016-03-07 for WordPress has wp-content/pl ...) NOT-FOR-US: ocim-mp3 plugin for WordPress CVE-2016-10997 (The beauty-premium theme 1.0.8 for WordPress has CSRF with resultant a ...) NOT-FOR-US: beauty-premium theme for WordPress CVE-2016-10996 (The optinmonster plugin before 1.1.4.6 for WordPress has incorrect acc ...) NOT-FOR-US: optinmonster plugin for WordPress CVE-2015-9408 (The xpinner-lite plugin through 2.2 for WordPress has wp-admin/options ...) NOT-FOR-US: xpinner-lite plugin for WordPress CVE-2015-9407 (The xpinner-lite plugin through 2.2 for WordPress has xpinner-lite.php ...) NOT-FOR-US: xpinner-lite plugin for WordPress CVE-2015-9406 (Directory traversal vulnerability in the mTheme-Unus theme before 2.3 ...) NOT-FOR-US: mTheme-Unus theme for WordPress CVE-2015-9405 (The wp-piwik plugin before 1.0.5 for WordPress has XSS. ...) NOT-FOR-US: wp-piwik plugin for WordPress CVE-2015-9404 (The neuvoo-jobroll plugin 2.0 for WordPress has neuvoo_keywords XSS. ...) NOT-FOR-US: neuvoo-jobroll plugin for WordPress CVE-2015-9403 (The neuvoo-jobroll plugin 2.0 for WordPress has neuvoo_location XSS. ...) NOT-FOR-US: neuvoo-jobroll plugin for WordPress CVE-2015-9402 (The users-ultra plugin before 1.5.59 for WordPress has uultra-form-cvs ...) NOT-FOR-US: users-ultra plugin for WordPress CVE-2015-9401 (The websimon-tables plugin through 1.3.4 for WordPress has wp-admin/to ...) NOT-FOR-US: websimon-tables plugin for WordPress CVE-2015-9400 (The wordpress-meta-robots plugin through 2.1 for WordPress has wp-admi ...) NOT-FOR-US: wordpress-meta-robots plugin for WordPress CVE-2015-9399 (The wp-stats-dashboard plugin through 2.9.4 for WordPress has admin/gr ...) NOT-FOR-US: wp-stats-dashboard plugin for WordPress CVE-2015-9398 (The gocodes plugin through 1.3.5 for WordPress has wp-admin/tools.php ...) NOT-FOR-US: gocodes plugin for WordPress CVE-2015-9397 (The gocodes plugin through 1.3.5 for WordPress has wp-admin/tools.php ...) NOT-FOR-US: gocodes plugin for WordPress CVE-2015-9396 (The auto-thickbox-plus plugin through 1.9 for WordPress has wp-content ...) NOT-FOR-US: auto-thickbox-plus plugin for WordPress CVE-2015-9395 (The users-ultra plugin before 1.5.64 for WordPress has SQL Injection v ...) NOT-FOR-US: users-ultra plugin for WordPress CVE-2015-9394 (The users-ultra plugin before 1.5.63 for WordPress has CSRF via action ...) NOT-FOR-US: users-ultra plugin for WordPress CVE-2015-9393 (The users-ultra plugin before 1.5.63 for WordPress has XSS via the p_d ...) NOT-FOR-US: users-ultra plugin for WordPress CVE-2015-9392 (The users-ultra plugin before 1.5.63 for WordPress has XSS via the p_n ...) NOT-FOR-US: users-ultra plugin for WordPress CVE-2015-9391 (The yawpp plugin through 1.2.2 for WordPress has XSS via the field1 pa ...) NOT-FOR-US: yawpp plugin for WordPress CVE-2015-9390 (The admin-management-xtended plugin before 2.4.0.1 for WordPress has p ...) NOT-FOR-US: admin-management-xtended plugin for WordPress CVE-2015-9389 (The mtouch-quiz plugin before 3.1.3 for WordPress has XSS via a quiz n ...) NOT-FOR-US: mtouch-quiz plugin for WordPress CVE-2015-9388 (The mtouch-quiz plugin before 3.1.3 for WordPress has wp-admin/edit.ph ...) NOT-FOR-US: mtouch-quiz plugin for WordPress CVE-2015-9387 (The mtouch-quiz plugin before 3.1.3 for WordPress has wp-admin/options ...) NOT-FOR-US: mtouch-quiz plugin for WordPress CVE-2015-9386 (The mtouch-quiz plugin before 3.1.3 for WordPress has XSS via the quiz ...) NOT-FOR-US: mtouch-quiz plugin for WordPress CVE-2015-9385 (The quotes-and-tips plugin before 1.20 for WordPress has XSS. ...) NOT-FOR-US: quotes-and-tips plugin for WordPress CVE-2015-9384 (The relevant plugin before 1.0.8 for WordPress has XSS. ...) NOT-FOR-US: relevant plugin for WordPress CVE-2014-10397 (The Antioch theme through 2014-09-07 for WordPress allows arbitrary fi ...) NOT-FOR-US: Antioch theme for WordPress CVE-2014-10396 (The epic theme through 2014-09-07 for WordPress allows arbitrary file ...) NOT-FOR-US: epic theme for WordPress CVE-2019-16537 RESERVED CVE-2019-16536 RESERVED CVE-2019-16535 (In all versions of ClickHouse before 19.14, an OOB read, OOB write and ...) NOT-FOR-US: ClickHouse CVE-2019-16534 (On DrayTek Vigor2925 devices with firmware 3.8.4.3, XSS exists via a c ...) NOT-FOR-US: DrayTek Vigor2925 devices CVE-2019-16533 (On DrayTek Vigor2925 devices with firmware 3.8.4.3, Incorrect Access C ...) NOT-FOR-US: DrayTek Vigor2925 devices CVE-2019-16532 (An HTTP Host header injection vulnerability exists in YzmCMS V5.3. A m ...) NOT-FOR-US: YzmCMS CVE-2019-16531 (LayerBB before 1.1.4 has multiple CSRF issues, as demonstrated by chan ...) NOT-FOR-US: LayerBB CVE-2019-16530 (Sonatype Nexus Repository Manager 2.x before 2.14.15 and 3.x before 3. ...) NOT-FOR-US: Sonatype CVE-2019-16529 (An issue was discovered in the CheckUser extension through 1.35.0 for ...) NOT-FOR-US: CheckUser extension for MediawWiki CVE-2019-16528 (An issue was discovered in the AbuseFilter extension for MediaWiki. in ...) NOT-FOR-US: AbuseFilter extension for MediawWiki CVE-2019-16527 RESERVED CVE-2019-16526 RESERVED CVE-2019-16525 (An XSS issue was discovered in the checklist plugin before 1.1.9 for W ...) NOT-FOR-US: checklist plugin for WordPress CVE-2019-16524 (The easy-fancybox plugin before 1.8.18 for WordPress (aka Easy FancyBo ...) NOT-FOR-US: Wordpress plugin CVE-2019-16523 (The events-manager plugin through 5.9.5 for WordPress (aka Events Mana ...) NOT-FOR-US: Wordpress plugin CVE-2019-16522 (The eu-cookie-law plugin through 3.0.6 for WordPress (aka EU Cookie La ...) NOT-FOR-US: Wordpress plugin CVE-2019-16521 (The broken-link-checker plugin through 1.11.8 for WordPress (aka Broke ...) NOT-FOR-US: Wordpress plugin CVE-2019-16520 (The all-in-one-seo-pack plugin before 3.2.7 for WordPress (aka All in ...) NOT-FOR-US: Wordpress plugin CVE-2019-16519 (ESET Cyber Security 6.7.900.0 for macOS allows a local attacker to exe ...) NOT-FOR-US: ESET Cyber Security CVE-2019-16518 (An issue was discovered on Swell Kit Mod devices that use the Vandy Va ...) NOT-FOR-US: Swell Kit Mod devices CVE-2019-16517 (An issue was discovered in ConnectWise Control (formerly known as Scre ...) NOT-FOR-US: ConnectWise Control CVE-2019-16516 (An issue was discovered in ConnectWise Control (formerly known as Scre ...) NOT-FOR-US: ConnectWise Control CVE-2019-16515 (An issue was discovered in ConnectWise Control (formerly known as Scre ...) NOT-FOR-US: ConnectWise Control CVE-2019-16514 (An issue was discovered in ConnectWise Control (formerly known as Scre ...) NOT-FOR-US: ConnectWise Control CVE-2019-16513 (An issue was discovered in ConnectWise Control (formerly known as Scre ...) NOT-FOR-US: ConnectWise Control CVE-2019-16512 (An issue was discovered in ConnectWise Control (formerly known as Scre ...) NOT-FOR-US: ConnectWise Control CVE-2019-16511 (An issue was discovered in DTF in FireGiant WiX Toolset before 3.11.2. ...) NOT-FOR-US: FireGiant CVE-2019-16510 (libIEC61850 through 1.3.3 has a use-after-free in MmsServer_waitReady ...) NOT-FOR-US: libIEC61850 CVE-2019-16509 RESERVED CVE-2019-16508 (The Imagination Technologies driver for Chrome OS before R74-11895.B, ...) NOT-FOR-US: Imagination Technologies driver for Chrome OS CVE-2019-16507 RESERVED CVE-2019-16506 RESERVED CVE-2019-16505 RESERVED CVE-2019-16504 RESERVED CVE-2019-16503 RESERVED CVE-2019-16502 RESERVED CVE-2019-16501 RESERVED CVE-2019-16500 RESERVED CVE-2019-16499 RESERVED CVE-2019-16498 RESERVED CVE-2019-16497 RESERVED CVE-2019-16496 RESERVED CVE-2019-16495 RESERVED CVE-2019-16494 RESERVED CVE-2019-16493 RESERVED CVE-2019-16492 RESERVED CVE-2019-16491 RESERVED CVE-2019-16490 RESERVED CVE-2019-16489 RESERVED CVE-2019-16488 RESERVED CVE-2019-16487 RESERVED CVE-2019-16486 RESERVED CVE-2019-16485 RESERVED CVE-2019-16484 RESERVED CVE-2019-16483 RESERVED CVE-2019-16482 RESERVED CVE-2019-16481 RESERVED CVE-2019-16480 RESERVED CVE-2019-16479 RESERVED CVE-2019-16478 RESERVED CVE-2019-16477 RESERVED CVE-2019-16476 RESERVED CVE-2019-16475 RESERVED CVE-2019-16474 RESERVED CVE-2019-16473 RESERVED CVE-2019-16472 RESERVED CVE-2019-16471 RESERVED CVE-2019-16470 RESERVED CVE-2019-16469 (Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 hav ...) NOT-FOR-US: Adobe Experience Manager CVE-2019-16468 (Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 hav ...) NOT-FOR-US: Adobe Experience Manager CVE-2019-16467 (Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 hav ...) NOT-FOR-US: Adobe Experience Manager CVE-2019-16466 (Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 hav ...) NOT-FOR-US: Adobe Experience Manager CVE-2019-16465 (Adobe Acrobat and Reader versions , 2019.021.20056 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-16464 (Adobe Acrobat and Reader versions , 2019.021.20056 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-16463 (Adobe Acrobat and Reader versions , 2019.021.20056 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-16462 (Adobe Acrobat and Reader versions , 2019.021.20056 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-16461 (Adobe Acrobat and Reader versions , 2019.021.20056 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-16460 (Adobe Acrobat and Reader versions , 2019.021.20056 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-16459 (Adobe Acrobat and Reader versions , 2019.021.20056 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-16458 (Adobe Acrobat and Reader versions , 2019.021.20056 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-16457 (Adobe Acrobat and Reader versions , 2019.021.20056 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-16456 (Adobe Acrobat and Reader versions , 2019.021.20056 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-16455 (Adobe Acrobat and Reader versions , 2019.021.20056 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-16454 (Adobe Acrobat and Reader versions , 2019.021.20056 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-16453 (Adobe Acrobat and Reader versions , 2019.021.20056 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-16452 (Adobe Acrobat and Reader versions , 2019.021.20056 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-16451 (Adobe Acrobat and Reader versions , 2019.021.20056 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-16450 (Adobe Acrobat and Reader versions , 2019.021.20056 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-16449 (Adobe Acrobat and Reader versions , 2019.021.20056 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-16448 (Adobe Acrobat and Reader versions , 2019.021.20056 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-16447 RESERVED CVE-2019-16446 (Adobe Acrobat and Reader versions , 2019.021.20056 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-16445 (Adobe Acrobat and Reader versions , 2019.021.20056 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-16444 (Adobe Acrobat and Reader versions , 2019.021.20056 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-16443 RESERVED CVE-2019-16442 RESERVED CVE-2019-16441 RESERVED CVE-2019-16440 RESERVED CVE-2019-16439 RESERVED CVE-2019-16438 RESERVED CVE-2019-16437 RESERVED CVE-2019-16436 RESERVED CVE-2019-16435 RESERVED CVE-2019-16434 RESERVED CVE-2019-16433 RESERVED CVE-2019-16432 RESERVED CVE-2019-16431 RESERVED CVE-2019-16430 RESERVED CVE-2019-16429 RESERVED CVE-2019-16428 RESERVED CVE-2019-16427 RESERVED CVE-2019-16426 RESERVED CVE-2019-16425 RESERVED CVE-2019-16424 RESERVED CVE-2019-16423 RESERVED CVE-2019-16422 RESERVED CVE-2019-16421 RESERVED CVE-2019-16420 RESERVED CVE-2019-16419 RESERVED CVE-2019-16418 RESERVED CVE-2019-16417 (HRworks FLOW 3.36.9 allows XSS via the purpose of a travel-expense rep ...) NOT-FOR-US: HRworks FLOW CVE-2019-16416 (HRworks 3.36.9 allows XSS via the purpose of a travel-expense report. ...) NOT-FOR-US: HRworks CVE-2019-16415 RESERVED CVE-2019-16414 (A DOM based XSS in GFI Kerio Control v9.3.0 allows embedding of malici ...) NOT-FOR-US: GFI Kerio Control CVE-2019-16413 (An issue was discovered in the Linux kernel before 5.0.4. The 9p files ...) - linux 4.19.37-1 [stretch] - linux 4.9.168-1 [jessie] - linux 3.16.70-1 NOTE: https://git.kernel.org/linus/5e3cc1ee1405a7eb3487ed24f786dec01b4cbe1f CVE-2019-16412 (In goform/setSysTools on Tenda N301 wireless routers, attackers can tr ...) NOT-FOR-US: Tenda CVE-2019-16411 (An issue was discovered in Suricata 4.1.4. By sending multiple IPv4 pa ...) - suricata 1:4.1.5-1 (low) [buster] - suricata (Minor issue) [stretch] - suricata (Minor issue) [jessie] - suricata (Minor issue) NOTE: https://suricata-ids.org/2019/09/24/suricata-4-1-5-released/ CVE-2019-16410 (An issue was discovered in Suricata 4.1.4. By sending multiple fragmen ...) - suricata 1:4.1.5-1 (low) [buster] - suricata (Minor issue) [stretch] - suricata (Minor issue) [jessie] - suricata (Minor issue) NOTE: https://suricata-ids.org/2019/09/24/suricata-4-1-5-released/ CVE-2019-16409 (In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpu ...) NOT-FOR-US: SilverStripe CVE-2019-16408 RESERVED CVE-2019-16407 (JetBrains ReSharper installers for versions before 2019.2 had a DLL Hi ...) NOT-FOR-US: JetBrains ReSharper installer CVE-2019-16406 (Centreon Web 19.04.4 has weak permissions within the OVA (aka VMware v ...) - centreon-web (bug #913903) CVE-2019-16405 (Centreon Web before 2.8.30, 18.10.x before 18.10.8, 19.04.x before 19. ...) - centreon-web (bug #913903) CVE-2019-16404 (Authenticated SQL Injection in interface/forms/eye_mag/js/eye_base.php ...) NOT-FOR-US: OpenEMR CVE-2019-16403 (In Webkul Bagisto before 0.1.5, the functionalities for customers to c ...) NOT-FOR-US: Webkul Bagisto CVE-2019-16402 RESERVED CVE-2019-16401 (Samsung Galaxy S8 plus (Android version: 8.0.0, Build Number: R16NW.G9 ...) NOT-FOR-US: Samsung CVE-2019-16400 (Samsung Galaxy S8 plus (Android version: 8.0.0, Build Number: R16NW.G9 ...) NOT-FOR-US: Samsung CVE-2019-16399 (Western Digital WD My Book World through II 1.02.12 suffers from Broke ...) NOT-FOR-US: Western Digital CVE-2019-16398 (On Keeper K5 20.1.0.25 and 20.1.0.63 devices, remote code execution ca ...) NOT-FOR-US: Keeper CVE-2019-16397 RESERVED CVE-2019-16396 (GnuCOBOL 2.2 has a use-after-free in the end_scope_of_program_name() f ...) - gnucobol (low; bug #940950) [buster] - gnucobol (Minor issue) - open-cobol [stretch] - open-cobol (Minor issue) [jessie] - open-cobol (Minor issue) NOTE: https://sourceforge.net/p/open-cobol/bugs/587/ CVE-2019-16395 (GnuCOBOL 2.2 has a stack-based buffer overflow in the cb_name() functi ...) - gnucobol (low; bug #940949) [buster] - gnucobol (Minor issue) - open-cobol [stretch] - open-cobol (Minor issue) [jessie] - open-cobol (Minor issue) NOTE: https://sourceforge.net/p/open-cobol/bugs/586/ CVE-2019-16390 RESERVED CVE-2019-16389 RESERVED CVE-2019-16388 (** DISPUTED ** PEGA Platform 8.3.0 is vulnerable to Information disclo ...) NOT-FOR-US: PEGA Platform CVE-2019-16387 (** DISPUTED ** PEGA Platform 8.3.0 is vulnerable to a direct prweb/sso ...) NOT-FOR-US: PEGA Platform CVE-2019-16386 (** DISPUTED ** PEGA Platform 7.x and 8.x is vulnerable to Information ...) NOT-FOR-US: PEGA Platform CVE-2019-16385 (Cybele Thinfinity VirtualUI 2.5.17.2 allows HTTP response splitting vi ...) NOT-FOR-US: Cybele Thinfinity VirtualUI CVE-2019-16384 (Cybele Thinfinity VirtualUI 2.5.17.2 allows ../ path traversal that ca ...) NOT-FOR-US: Cybele Thinfinity VirtualUI CVE-2019-16383 (MOVEit.DMZ.WebApi.dll in Progress MOVEit Transfer 2018 SP2 before 10.2 ...) NOT-FOR-US: Progress MOVEit Transfer CVE-2019-16382 (An issue was discovered in Ivanti Workspace Control 10.3.110.0. One is ...) NOT-FOR-US: Ivanti Workspace Control CVE-2019-16381 RESERVED CVE-2019-16380 RESERVED CVE-2019-16379 RESERVED CVE-2016-10995 (The Tevolution plugin before 2.3.0 for WordPress has arbitrary file up ...) NOT-FOR-US: Tevolution plugin for WordPress CVE-2016-10994 (The Truemag theme 2016 Q2 for WordPress has XSS via the s parameter. ...) NOT-FOR-US: Truemag theme for WordPress CVE-2016-10993 (The ScoreMe theme through 2016-04-01 for WordPress has XSS via the s p ...) NOT-FOR-US: Wordpress plugin CVE-2016-10992 (The music-store plugin before 1.0.43 for WordPress has XSS via the wp- ...) NOT-FOR-US: music-store plugin for WordPress CVE-2016-10991 (The imdb-widget plugin before 1.0.9 for WordPress has Local File Inclu ...) NOT-FOR-US: imdb-widget plugin for WordPress CVE-2016-10990 (The wp-cerber plugin before 2.7 for WordPress has XSS via the X-Forwar ...) NOT-FOR-US: wp-cerber plugin for WordPress CVE-2016-10989 (The leenkme plugin before 2.6.0 for WordPress has wp-admin/admin.php?p ...) NOT-FOR-US: leenkme plugin for WordPress CVE-2016-10988 (The leenkme plugin before 2.6.0 for WordPress has stored XSS via faceb ...) NOT-FOR-US: leenkme plugin for WordPress CVE-2016-10987 (The persian-woocommerce-sms plugin before 3.3.4 for WordPress has ps_s ...) NOT-FOR-US: persian-woocommerce-sms plugin for WordPress CVE-2016-10986 (The tweet-wheel plugin before 1.0.3.3 for WordPress has XSS via consum ...) NOT-FOR-US: tweet-wheel plugin for WordPress CVE-2016-10985 (The echosign plugin before 1.2 for WordPress has XSS via the templates ...) NOT-FOR-US: echosign plugin for WordPress CVE-2016-10984 (The echosign plugin before 1.2 for WordPress has XSS via the inc.php p ...) NOT-FOR-US: echosign plugin for WordPress CVE-2016-10983 (The ghost plugin before 0.5.6 for WordPress has no access control for ...) NOT-FOR-US: ghost plugin for WordPress CVE-2016-10982 (The kento-post-view-counter plugin through 2.8 for WordPress has wp-ad ...) NOT-FOR-US: kento-post-view-counter plugin for WordPress CVE-2016-10981 (The kento-post-view-counter plugin through 2.8 for WordPress has store ...) NOT-FOR-US: kento-post-view-counter plugin for WordPress CVE-2016-10980 (The kento-post-view-counter plugin through 2.8 for WordPress has XSS v ...) NOT-FOR-US: kento-post-view-counter plugin for WordPress CVE-2016-10979 (The fossura-tag-miner plugin before 1.1.5 for WordPress has XSS. ...) NOT-FOR-US: fossura-tag-miner plugin for WordPress CVE-2016-10978 (The fossura-tag-miner plugin before 1.1.5 for WordPress has CSRF. ...) NOT-FOR-US: fossura-tag-miner plugin for WordPress CVE-2016-10977 (The nelio-ab-testing plugin before 4.5.0 for WordPress has filename=.. ...) NOT-FOR-US: nelio-ab-testing plugin for WordPress CVE-2016-10976 (The safe-editor plugin before 1.2 for WordPress has no se_save authent ...) NOT-FOR-US: safe-editor plugin for WordPress CVE-2016-10975 (The fluid-responsive-slideshow plugin before 2.2.7 for WordPress has r ...) NOT-FOR-US: fluid-responsive-slideshow plugin for WordPress CVE-2016-10974 (The fluid-responsive-slideshow plugin before 2.2.7 for WordPress has f ...) NOT-FOR-US: fluid-responsive-slideshow plugin for WordPress CVE-2019-16377 (The makandra consul gem through 1.0.2 for Ruby has Incorrect Access Co ...) NOT-FOR-US: makandra consul gem CVE-2019-16376 RESERVED CVE-2019-16375 (An issue was discovered in Open Ticket Request System (OTRS) 7.0.x thr ...) - otrs2 6.0.23-1 [buster] - otrs2 (Non-free not supported) [stretch] - otrs2 (Non-free not supported) [jessie] - otrs2 (Minor issue) NOTE: https://community.otrs.com/security-advisory-2019-13-security-update-for-otrs-framework/ NOTE: https://github.com/OTRS/otrs/commit/aeb33d800716e2a6653597aa86314c4cbdadb678 (6.x) NOTE: https://github.com/OTRS/otrs/commit/03ca8f396b1aa9933c212a63f52a9ea26c06e7da (5.x) CVE-2019-16394 (SPIP before 3.1.11 and 3.2 before 3.2.5 provides different error messa ...) {DSA-4532-1 DLA-1975-1} - spip 3.2.5-1 NOTE: https://core.spip.net/issues/4171 NOTE: https://zone.spip.net/trac/spip-zone/changeset/117577/spip-zone NOTE: https://zone.spip.net/trac/spip-zone/changeset/117578/spip-zone CVE-2019-16393 (SPIP before 3.1.11 and 3.2 before 3.2.5 mishandles redirect URLs in ec ...) {DSA-4532-1 DLA-1975-1} - spip 3.2.5-1 NOTE: https://core.spip.net/issues/4362 NOTE: https://git.spip.net/SPIP/spip/commit/0b832408b0aabd5b94a81e261e9413c0f31a19f1 CVE-2019-16392 (SPIP before 3.1.11 and 3.2 before 3.2.5 allows prive/formulaires/login ...) {DSA-4532-1 DLA-1975-1} - spip 3.2.5-1 NOTE: https://git.spip.net/SPIP/spip/commit/3c12a82c7d9d4afd09e708748fa82e7836174028 CVE-2019-16391 (SPIP before 3.1.11 and 3.2 before 3.2.5 allows authenticated visitors ...) {DSA-4532-1 DLA-1975-1} - spip 3.2.5-1 NOTE: https://git.spip.net/SPIP/spip/commit/187952ce85e73b52c2753f2d54fc2c44807b8f79 NOTE: https://git.spip.net/SPIP/spip/commit/3cbc758400323ab006c00ea78eacdb8f76aa5f66 CVE-2019-16374 RESERVED CVE-2019-16373 RESERVED CVE-2019-16372 RESERVED CVE-2019-16371 (LogMeIn LastPass before 4.33.0 allows attackers to construct a crafted ...) NOT-FOR-US: LogMeIn LastPass CVE-2019-16370 (The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algori ...) - gradle (low; bug #941186) [buster] - gradle (Minor issue) [stretch] - gradle (Minor issue) [jessie] - gradle (Minor issue, old gradle mainly used for building Debian packages with apt signatures) NOTE: https://github.com/gradle/gradle/commit/425b2b7a50cd84106a77cdf1ab665c89c6b14d2f CVE-2019-16369 RESERVED CVE-2019-16368 RESERVED CVE-2019-16367 RESERVED CVE-2019-16366 (In XS 9.0.0 in Moddable SDK OS180329, there is a heap-based buffer ove ...) NOT-FOR-US: Moddable SDK CVE-2019-16365 RESERVED CVE-2019-16364 RESERVED CVE-2019-16363 RESERVED CVE-2019-16362 RESERVED CVE-2019-16361 RESERVED CVE-2019-16360 RESERVED CVE-2019-16359 RESERVED CVE-2019-16358 RESERVED CVE-2019-16357 RESERVED CVE-2019-16356 RESERVED CVE-2019-16355 (The File Session Manager in Beego 1.10.0 allows local users to read se ...) NOT-FOR-US: Beego CVE-2019-16354 (The File Session Manager in Beego 1.10.0 allows local users to read se ...) NOT-FOR-US: Beego CVE-2019-16353 (Emerson GE Automation Proficy Machine Edition 8.0 allows an access vio ...) NOT-FOR-US: Emerson GE Automation Proficy Machine Edition CVE-2019-16352 (ffjpeg before 2019-08-21 has a heap-based buffer overflow in jfif_load ...) NOT-FOR-US: ffjpeg CVE-2019-16351 (ffjpeg before 2019-08-18 has a NULL pointer dereference in huffman_dec ...) NOT-FOR-US: ffjpeg CVE-2019-16350 (ffjpeg before 2019-08-18 has a NULL pointer dereference in idct2d8x8() ...) NOT-FOR-US: ffjpeg CVE-2019-16349 (Bento4 1.5.1-628 has a NULL pointer dereference in AP4_ByteStream::Rea ...) NOT-FOR-US: Bento4 CVE-2019-16348 (marc-q libwav through 2017-04-20 has a NULL pointer dereference in gai ...) NOT-FOR-US: libwav CVE-2019-16347 (ngiflib 0.4 has a heap-based buffer overflow in WritePixels() in ngifl ...) NOT-FOR-US: ngiflib CVE-2019-16346 (ngiflib 0.4 has a heap-based buffer overflow in WritePixel() in ngifli ...) NOT-FOR-US: ngiflib CVE-2019-16345 RESERVED CVE-2019-16344 (A cross-site scripting (XSS) vulnerability in the login form (/ScadaBR ...) NOT-FOR-US: ScadaBR CVE-2019-16343 RESERVED CVE-2018-21017 (GPAC 0.7.1 has a memory leak in dinf_Read in isomedia/box_code_base.c. ...) [experimental] - gpac (bug #940855) - gpac (Vulnerable code introduced in 0.6.0) NOTE: https://github.com/gpac/gpac/issues/1183 NOTE: Introduced in https://github.com/gpac/gpac/commit/6cfd65819add78426d9635e3f8358f8bc149b645 (v0.6.0) NOTE: Fixed by: https://github.com/gpac/gpac/commit/d2371b4b204f0a3c0af51ad4e9b491144dd1225c (v0.8.) CVE-2018-21016 (audio_sample_entry_AddBox() at isomedia/box_code_base.c in GPAC 0.7.1 ...) {DLA-2072-1} - gpac (bug #940882) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/1180 NOTE: https://github.com/gpac/gpac/commit/ea13945f3c2dc2c21e30e2731bf2782384307a13 CVE-2018-21015 (AVC_DuplicateConfig() at isomedia/avc_ext.c in GPAC 0.7.1 allows remot ...) {DLA-2072-1} - gpac (bug #940882) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/1179 NOTE: https://github.com/gpac/gpac/commit/0545bb0a01bfac6764c43bd5074e9c2d1eae495f CVE-2019-16342 RESERVED CVE-2019-16341 RESERVED CVE-2019-16340 (Belkin Linksys Velop 1.1.8.192419 devices allows remote attackers to d ...) NOT-FOR-US: Belkin CVE-2019-16339 RESERVED CVE-2019-16338 (The tfo_common component in HwordApp.dll in Hancom Office 9.6.1.7634 a ...) NOT-FOR-US: Hancom Office CVE-2019-16337 (The hncbd90 component in Hancom Office 9.6.1.9403 allows a use-after-f ...) NOT-FOR-US: Hancom Office CVE-2019-16336 (The Bluetooth Low Energy implementation in Cypress PSoC 4 BLE componen ...) NOT-FOR-US: Cypress CVE-2019-16335 (A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...) {DSA-4542-1 DLA-1943-1} - jackson-databind 2.10.0-1 (bug #940498) NOTE: https://github.com/FasterXML/jackson-databind/issues/2449 NOTE: https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db CVE-2019-16334 (In Bludit v3.9.2, there is a persistent XSS vulnerability in the Categ ...) NOT-FOR-US: Bludit CVE-2019-16333 (GetSimple CMS v3.3.15 has Persistent Cross-Site Scripting (XSS) in adm ...) NOT-FOR-US: GetSimple CMS CVE-2019-16332 (In the api-bearer-auth plugin before 20190907 for WordPress, the serve ...) NOT-FOR-US: Wordpress plugin CVE-2019-12412 [Remotely exploitable null pointer dereference bug] RESERVED {DSA-4541-1 DLA-1944-1} - libapreq2 2.13-6 (bug #939937) NOTE: https://svn.apache.org/r1866760 CVE-2019-16331 RESERVED CVE-2019-16330 (In NCH Express Accounts Accounting v7.02, persistent cross site script ...) NOT-FOR-US: NCH Express Accounts Accounting CVE-2019-16329 RESERVED CVE-2019-16328 (In RPyC 4.1.x through 4.1.1, a remote attacker can dynamically modify ...) - rpyc CVE-2019-16327 (D-Link DIR-601 B1 2.00NA devices are vulnerable to authentication bypa ...) NOT-FOR-US: D-Link CVE-2019-16326 (D-Link DIR-601 B1 2.00NA devices have CSRF because no anti-CSRF token ...) NOT-FOR-US: D-Link CVE-2019-16325 RESERVED CVE-2019-16324 RESERVED CVE-2019-16323 RESERVED CVE-2019-16322 RESERVED CVE-2019-16321 (ScadaBR 1.0CE, and 1.1.x through 1.1.0-RC, has XSS via a request for a ...) NOT-FOR-US: ScadaBR CVE-2019-16320 (Cobham Sea Tel v170 224521 through v194 225444 devices allow attackers ...) NOT-FOR-US: Cobham Sea Tel CVE-2019-16318 (In Pimcore before 5.7.1, an attacker with limited privileges can bypas ...) NOT-FOR-US: Pimcore CVE-2019-16317 (In Pimcore before 5.7.1, an attacker with limited privileges can trigg ...) NOT-FOR-US: Pimcore CVE-2019-16316 RESERVED CVE-2019-16315 RESERVED CVE-2019-16314 (Indexhibit 2.1.5 allows a product reinstallation, with resultant remot ...) NOT-FOR-US: Indexhibit CVE-2019-16313 (ifw8 Router ROM v4.31 allows credential disclosure by reading the acti ...) NOT-FOR-US: ifw8 Router ROM CVE-2019-16312 (s-cms V3.0 has XSS in index.php?type=text via the S_id parameter. ...) NOT-FOR-US: s-cms CVE-2019-16311 (NIUSHOP V1.11 has CSRF via search&#95;info to index.php. ...) NOT-FOR-US: NIUSHOP CVE-2019-16310 (NIUSHOP V1.11 has XSS via the index.php?s=/admin URI. ...) NOT-FOR-US: NIUSHOP CVE-2019-16309 (FlameCMS 3.3.5 has SQL injection in account/login.php via accountName. ...) NOT-FOR-US: FlameCMS CVE-2019-16308 RESERVED CVE-2019-16307 (A Reflected Cross-Site Scripting (XSS) vulnerability in the webEx modu ...) NOT-FOR-US: Fuji CVE-2019-16306 RESERVED CVE-2019-16305 (In MobaXterm 11.1 and 12.1, the protocol handler is vulnerable to comm ...) NOT-FOR-US: MobaXterm CVE-2019-16304 RESERVED CVE-2019-16303 (A class generated by the Generator in JHipster before 6.3.0 and JHipst ...) NOT-FOR-US: JHipster CVE-2019-16302 (An issue was discovered in Open Network Operating System (ONOS) 1.14. ...) NOT-FOR-US: Open Network Operating System (ONOS) CVE-2019-16301 (An issue was discovered in Open Network Operating System (ONOS) 1.14. ...) NOT-FOR-US: Open Network Operating System (ONOS) CVE-2019-16300 (An issue was discovered in Open Network Operating System (ONOS) 1.14. ...) NOT-FOR-US: Open Network Operating System (ONOS) CVE-2019-16299 (An issue was discovered in Open Network Operating System (ONOS) 1.14. ...) NOT-FOR-US: Open Network Operating System (ONOS) CVE-2019-16298 (An issue was discovered in Open Network Operating System (ONOS) 1.14. ...) NOT-FOR-US: Open Network Operating System (ONOS) CVE-2019-16297 (An issue was discovered in Open Network Operating System (ONOS) 1.14. ...) NOT-FOR-US: Open Network Operating System (ONOS) CVE-2019-16296 RESERVED CVE-2019-16295 (Stored XSS in filemanager2.php in CentOS-WebPanel.com (aka CWP) CentOS ...) NOT-FOR-US: CentOS-WebPanel.com CVE-2019-16294 (SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote ...) NOT-FOR-US: Notepad++ CVE-2019-16293 (The Create Discoveries feature of Open-AudIT before 3.2.0 allows an au ...) NOT-FOR-US: Open-AudIT CVE-2019-16292 RESERVED CVE-2019-16291 RESERVED CVE-2019-16290 RESERVED CVE-2019-16289 (The insert-php (aka Woody ad snippets) plugin before 2.2.8 for WordPre ...) NOT-FOR-US: Wordpress plugin CVE-2019-16288 (On Tenda N301 wireless routers, a long string in the wifiSSID paramete ...) NOT-FOR-US: Tenda CVE-2019-16287 (In HP ThinPro Linux 6.2, 6.2.1, 7.0 and 7.1, an attacker may be able t ...) NOT-FOR-US: HP CVE-2019-16286 (An attacker may be able to bypass the OS application filter meant to r ...) NOT-FOR-US: HP CVE-2019-16285 (If a local user has been configured and logged in, an unauthenticated ...) NOT-FOR-US: HP CVE-2019-16284 (A potential security vulnerability has been identified in multiple HP ...) NOT-FOR-US: HP CVE-2019-16283 RESERVED CVE-2019-16282 (In NCH Express Invoice v7.12, persistent cross site scripting (XSS) ex ...) NOT-FOR-US: NCH Express Invoice CVE-2019-16281 RESERVED CVE-2019-16280 RESERVED CVE-2019-16279 (A memory error in the function SSL_accept in nostromo nhttpd through 1 ...) - nostromo (bug #493645) CVE-2019-16278 (Directory Traversal in the function http_verify in nostromo nhttpd thr ...) - nostromo (bug #493645) CVE-2019-16277 (PicoC 2.1 has a heap-based buffer overflow in StringStrcpy in cstdlib/ ...) NOT-FOR-US: PicoC CVE-2017-18634 (The newspaper theme before 6.7.2 for WordPress has script injection vi ...) NOT-FOR-US: newspaper theme for WordPress CVE-2016-10973 (The Brafton plugin before 3.4.8 for WordPress has XSS via the wp-admin ...) NOT-FOR-US: Brafton plugin for WordPress CVE-2016-10972 (The newspaper theme before 6.7.2 for WordPress has a lack of options a ...) NOT-FOR-US: newspaper theme for WordPress CVE-2016-10971 (The MemberSonic Lite plugin before 1.302 for WordPress has incorrect l ...) NOT-FOR-US: MemberSonic Lite plugin for WordPress CVE-2016-10970 (The supportflow plugin before 0.7 for WordPress has XSS via a ticket e ...) NOT-FOR-US: supportflow plugin for WordPress CVE-2016-10969 (The supportflow plugin before 0.7 for WordPress has XSS via a discussi ...) NOT-FOR-US: supportflow plugin for WordPress CVE-2016-10968 (The peepso-core plugin before 1.6.1 for WordPress has PeepSoProfilePre ...) NOT-FOR-US: peepso-core plugin for WordPress CVE-2016-10967 (The real3d-flipbook-lite plugin 1.0 for WordPress has XSS via the wp-c ...) NOT-FOR-US: real3d-flipbook-lite plugin for WordPress CVE-2016-10966 (The real3d-flipbook-lite plugin 1.0 for WordPress has bookName=../ dir ...) NOT-FOR-US: real3d-flipbook-lite plugin for WordPress CVE-2016-10965 (The real3d-flipbook-lite plugin 1.0 for WordPress has deleteBook=../ d ...) NOT-FOR-US: real3d-flipbook-lite plugin for WordPress CVE-2016-10964 (The dwnldr plugin before 1.01 for WordPress has XSS via the User-Agent ...) NOT-FOR-US: dwnldr plugin for WordPress CVE-2016-10963 (The icegram plugin before 1.9.19 for WordPress has XSS. ...) NOT-FOR-US: icegram plugin for WordPress CVE-2016-10962 (The icegram plugin before 1.9.19 for WordPress has CSRF via the wp-adm ...) NOT-FOR-US: icegram plugin for WordPress CVE-2016-10961 (The colorway theme before 3.4.2 for WordPress has XSS via the contactN ...) NOT-FOR-US: colorway theme for WordPress CVE-2016-10960 (The wsecure plugin before 2.4 for WordPress has remote code execution ...) NOT-FOR-US: wsecure plugin for WordPress CVE-2016-10959 (The estatik plugin before 2.3.1 for WordPress has authenticated arbitr ...) NOT-FOR-US: estatik plugin for WordPress CVE-2016-10958 (The estatik plugin before 2.3.0 for WordPress has unauthenticated arbi ...) NOT-FOR-US: estatik plugin for WordPress CVE-2016-10957 (The Akal theme through 2016-08-22 for WordPress has XSS via the framew ...) NOT-FOR-US: Akal theme for WordPress CVE-2016-10956 (The mail-masta plugin 1.0 for WordPress has local file inclusion in co ...) NOT-FOR-US: mail-masta plugin for WordPress CVE-2010-5333 (The web server in Integard Pro and Home before 2.0.0.9037 and 2.2.x be ...) NOT-FOR-US: Integard CVE-2019-16319 (In Wireshark 3.0.0 to 3.0.3 and 2.6.0 to 2.6.10, the Gryphon dissector ...) - wireshark 3.0.4-1 (low) [buster] - wireshark (Can be fixed along in next 3.0.x DSA) [stretch] - wireshark (Can be fixed along in next 2.6.x DSA) [jessie] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2019-21.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16020 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=02ddd49885c6a09e936a76aceb726ed06539704a CVE-2019-16276 (Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smugglin ...) {DSA-4534-1} - golang-1.13 1.13.1-1 - golang-1.12 1.12.10-1 (bug #941173) - golang-1.11 - golang-1.8 [stretch] - golang-1.8 (Minor issue) - golang-1.7 [stretch] - golang-1.7 (Minor issue) - golang [jessie] - golang (does not makes sense to fix in jessie if not in later dists) NOTE: https://groups.google.com/forum/m/#!topic/golang-announce/cszieYyuL9Q NOTE: https://golang.org/issue/34540 NOTE: https://github.com/golang/go/commit/5a6ab1ec3e678640befebeb3318b746a64ad986c (golang-1.13) NOTE: https://github.com/golang/go/commit/6e6f4aaf70c8b1cc81e65a26332aa9409de03ad8 (golang-1.12) CVE-2019-16274 (DTEN D5 before 1.3 and D7 before 1.3 devices transfer customer data fi ...) NOT-FOR-US: DTEN D5 devices CVE-2019-16273 (DTEN D5 and D7 before 1.3.4 devices allow unauthenticated root shell a ...) NOT-FOR-US: DTEN D5 devices CVE-2019-16272 (On DTEN D5 and D7 before 1.3.4 devices, factory settings allows for fi ...) NOT-FOR-US: DTEN D5 devices CVE-2019-16271 (DTEN D5 and D7 before 1.3.2 devices allows remote attackers to read sa ...) NOT-FOR-US: DTEN D5 devices CVE-2019-16270 RESERVED CVE-2019-16269 RESERVED CVE-2019-16268 RESERVED CVE-2019-16267 RESERVED CVE-2019-16266 RESERVED CVE-2019-16265 (CODESYS V2.3 ENI server up to V3.2.2.24 has a Buffer Overflow. ...) NOT-FOR-US: 3S-Smart CODESYS CVE-2019-16264 (In Escuela de Gestion Publica Plurinacional (EGPP) Sistema Integrado d ...) NOT-FOR-US: Escuela de Gestion Publica Plurinacional (EGPP) Sistema Integrado de Gestion Academica (GESAC) CVE-2019-16263 (The Twitter Kit framework through 3.4.2 for iOS does not properly vali ...) NOT-FOR-US: Twitter Kit framework CVE-2019-16262 RESERVED CVE-2019-16261 (Tripp Lite PDUMH15AT 12.04.0053 devices allow unauthenticated POST req ...) NOT-FOR-US: Tripp Lite PDUMH15AT CVE-2019-16260 RESERVED CVE-2019-16259 RESERVED CVE-2019-16258 (The bootloader of the homee Brain Cube V2 through 2.23.0 allows attack ...) NOT-FOR-US: homee Brain Cube V2 CVE-2019-16257 (Some Motorola devices include the SIMalliance Toolbox Browser (aka S@T ...) NOT-FOR-US: SIMalliance Toolbox Browser CVE-2019-16256 (Some Samsung devices include the SIMalliance Toolbox Browser (aka S@T ...) NOT-FOR-US: SIMalliance Toolbox Browser CVE-2017-18633 RESERVED CVE-2017-18632 RESERVED CVE-2017-18631 RESERVED CVE-2017-18630 RESERVED CVE-2017-18629 RESERVED CVE-2017-18628 RESERVED CVE-2017-18627 RESERVED CVE-2017-18626 RESERVED CVE-2017-18625 RESERVED CVE-2017-18624 RESERVED CVE-2017-18623 RESERVED CVE-2017-18622 RESERVED CVE-2017-18621 RESERVED CVE-2017-18620 RESERVED CVE-2017-18619 RESERVED CVE-2017-18618 RESERVED CVE-2017-18617 RESERVED CVE-2017-18616 RESERVED CVE-2017-18615 (The kama-clic-counter plugin before 3.5.0 for WordPress has XSS. ...) NOT-FOR-US: Wordpress plugin CVE-2017-18614 (The kama-clic-counter plugin 3.4.9 for WordPress has SQL injection via ...) NOT-FOR-US: Wordpress plugin CVE-2017-18613 (The trust-form plugin 2.0 for WordPress has XSS via the wp-admin/admin ...) NOT-FOR-US: Wordpress plugin CVE-2017-18612 (The wp-whois-domain plugin 1.0.0 for WordPress has XSS via the pages/f ...) NOT-FOR-US: Wordpress plugin CVE-2016-10955 (The cysteme-finder plugin before 1.4 for WordPress has unrestricted fi ...) NOT-FOR-US: Wordpress plugin CVE-2016-10954 (The Neosense theme before 1.8 for WordPress has qquploader unrestricte ...) NOT-FOR-US: Wordpress plugin CVE-2016-10953 (The Headway theme before 3.8.9 for WordPress has XSS via the license k ...) NOT-FOR-US: Wordpress plugin CVE-2016-10952 (The quotes-collection plugin before 2.0.6 for WordPress has XSS via th ...) NOT-FOR-US: Wordpress plugin CVE-2016-10951 (The fs-shopping-cart plugin 2.07.02 for WordPress has SQL injection vi ...) NOT-FOR-US: Wordpress plugin CVE-2016-10950 (The sirv plugin before 1.3.2 for WordPress has SQL injection via the i ...) NOT-FOR-US: Wordpress plugin CVE-2016-10949 (The Relevanssi Premium plugin before 1.14.6.1 for WordPress has SQL in ...) NOT-FOR-US: Wordpress plugin CVE-2016-10948 (The Post Indexer plugin before 3.0.6.2 for WordPress has incorrect han ...) NOT-FOR-US: Wordpress plugin CVE-2016-10947 (The Post Indexer plugin before 3.0.6.2 for WordPress has SQL injection ...) NOT-FOR-US: Wordpress plugin CVE-2016-10946 (The wp-d3 plugin before 2.4.1 for WordPress has CSRF. ...) NOT-FOR-US: Wordpress plugin CVE-2016-10945 (The PageLines theme 1.1.4 for WordPress has wp-admin/admin-post.php?pa ...) NOT-FOR-US: Wordpress plugin CVE-2016-10944 (The multisite-post-duplicator plugin before 1.1.3 for WordPress has wp ...) NOT-FOR-US: Wordpress plugin CVE-2016-10943 (The zx-csv-upload plugin 1 for WordPress has SQL injection via the id ...) NOT-FOR-US: Wordpress plugin CVE-2016-10942 (The podlove-podcasting-plugin-for-wordpress plugin before 2.3.16 for W ...) NOT-FOR-US: Wordpress plugin CVE-2016-10941 (The podlove-podcasting-plugin-for-wordpress plugin before 2.3.16 for W ...) NOT-FOR-US: Wordpress plugin CVE-2016-10940 (The zm-gallery plugin 1.0 for WordPress has SQL injection via the orde ...) NOT-FOR-US: Wordpress plugin CVE-2016-10939 (The xtremelocator plugin 1.5 for WordPress has SQL injection via the i ...) NOT-FOR-US: Wordpress plugin CVE-2016-10938 (The copy-me plugin 1.0.0 for WordPress has CSRF for copying non-public ...) NOT-FOR-US: Wordpress plugin CVE-2019-16255 (Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allow ...) {DSA-4587-1 DSA-4586-1 DLA-2027-1 DLA-2007-1} - ruby2.5 2.5.7-1 - ruby2.3 - ruby2.1 - jruby NOTE: https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/ NOTE: ruby2.5: https://github.com/ruby/ruby/commit/3af01ae1101e0b8815ae5a106be64b0e82a58640 CVE-2019-16254 (Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allow ...) {DSA-4587-1 DSA-4586-1 DLA-2027-1 DLA-2007-1} - ruby2.5 2.5.7-1 - ruby2.3 - ruby2.1 - jruby NOTE: https://github.com/ruby/ruby/commit/3ce238b5f9795581eb84114dcfbdf4aa086bfecc NOTE: https://hackerone.com/reports/331984 NOTE: https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/ CVE-2019-16253 (The Text-to-speech Engine (aka SamsungTTS) application before 3.0.02.7 ...) NOT-FOR-US: Samsung CVE-2019-16252 (Missing SSL Certificate Validation in the Nutfind.com application thro ...) NOT-FOR-US: Nutfind CVE-2019-16251 (plugin-fw/lib/yit-plugin-panel-wc.php in the YIT Plugin Framework thro ...) NOT-FOR-US: YIT Plugin Framework CVE-2019-16250 (includes/wizard/wizard.php in the Ocean Extra plugin through 1.5.8 for ...) NOT-FOR-US: Ocean Extra plugin for WordPress CVE-2019-16249 (OpenCV 4.1.1 has an out-of-bounds read in hal_baseline::v_load in core ...) - opencv (Vulnerable code not present) NOTE: https://github.com/opencv/opencv/issues/15481 NOTE: https://github.com/opencv/opencv/commit/cd7fa04985b10db5e66de542725d0da57f0d10b6 NOTE: Issue was present in experimental, but suites up to unstable never were NOTE: shiping the vulnerable code. CVE-2019-16248 (The "delete for" feature in Telegram before 5.11 on Android does not d ...) NOT-FOR-US: Telegram for Android CVE-2019-16247 (Delta DCISoft 1.21 has a User Mode Write AV starting at CommLib!CCommL ...) NOT-FOR-US: Delta DCISoft CVE-2019-16246 (Intesync Solismed 3.3sp1 allows Local File Inclusion (LFI), a differen ...) NOT-FOR-US: Intesync Solismed CVE-2019-16245 (OMERO before 5.6.1 makes the details of each user available to all use ...) NOT-FOR-US: OMERO CVE-2019-16244 RESERVED CVE-2019-16243 (On TCL Alcatel Cingular Flip 2 B9HUAH1 devices, there is an undocument ...) NOT-FOR-US: TCL Alcatel Cingular Flip 2 B9HUAH1 devices CVE-2019-16242 (On TCL Alcatel Cingular Flip 2 B9HUAH1 devices, there is an engineerin ...) NOT-FOR-US: TCL Alcatel Cingular Flip 2 B9HUAH1 devices CVE-2019-16241 (On TCL Alcatel Cingular Flip 2 B9HUAH1 devices, PIN authentication can ...) NOT-FOR-US: TCL Alcatel Cingular Flip 2 B9HUAH1 devices CVE-2019-16240 RESERVED CVE-2019-16239 (process_http_response in OpenConnect before 8.05 has a Buffer Overflow ...) {DSA-4607-1 DLA-1945-1} - openconnect 8.02-1.1 (bug #940871) NOTE: http://lists.infradead.org/pipermail/openconnect-devel/2019-September/005412.html NOTE: https://github.com/openconnect/openconnect/commit/875f0a65ab73f4fb581ca870fd3a901bd278f8e8 CVE-2019-16378 (OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 is prone to a si ...) {DSA-4526-1} - opendmarc 1.3.2-7 (bug #940081) NOTE: https://github.com/trusteddomainproject/OpenDMARC/pull/48 CVE-2019-16275 (hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect ...) {DSA-4538-1 DLA-1922-1} - wpa 2:2.9-2 (bug #940080) [stretch] - wpa (Minor issue; can be fixed via point release) NOTE: https://www.openwall.com/lists/oss-security/2019/09/11/7 NOTE: https://w1.fi/security/2019-7/ CVE-2019-16238 (Afterlogic Aurora through 8.3.9-build-a3 has XSS that can be leveraged ...) NOT-FOR-US: Afterlogic Aurora CVE-2019-16237 (Dino before 2019-09-10 does not properly check the source of an MAM me ...) {DSA-4524-1} - dino-im 0.0.git20190911.2a70a4e-1 NOTE: https://github.com/dino/dino/commit/307f16cc86dd2b95aa02ab8a85110e4a2d5e7363 NOTE: https://gultsch.de/dino_multiple.html CVE-2019-16236 (Dino before 2019-09-10 does not check roster push authorization in mod ...) {DSA-4524-1} - dino-im 0.0.git20190911.2a70a4e-1 NOTE: https://github.com/dino/dino/commit/dd33f5f949248d87d34f399e8846d5ee5b8823d9 NOTE: https://gultsch.de/dino_multiple.html CVE-2019-16235 (Dino before 2019-09-10 does not properly check the source of a carbons ...) {DSA-4524-1} - dino-im 0.0.git20190911.2a70a4e-1 NOTE: https://github.com/dino/dino/commit/e84f2c49567e86d2a261ea264d65c4adc549c930 NOTE: https://gultsch.de/dino_multiple.html CVE-2019-16234 (drivers/net/wireless/intel/iwlwifi/pcie/trans.c in the Linux kernel 5. ...) - linux (unimportant) NOTE: https://lkml.org/lkml/2019/9/9/487 NOTE: Requires memory allocation failure during device probe, so unlikely to NOTE: be exploitable, and then it's only a local DoS. CVE-2019-16233 (drivers/scsi/qla2xxx/qla_os.c in the Linux kernel 5.2.14 does not chec ...) - linux (unimportant) NOTE: https://lkml.org/lkml/2019/9/9/487 NOTE: Requires memory allocation failure during device probe, so unlikely to NOTE: be exploitable, and then it's only a local DoS. CVE-2019-16232 (drivers/net/wireless/marvell/libertas/if_sdio.c in the Linux kernel 5. ...) - linux (unimportant) NOTE: https://lkml.org/lkml/2019/9/9/487 NOTE: Requires memory allocation failure during device probe, so unlikely to NOTE: be exploitable, and then it's only a local DoS. CVE-2019-16231 (drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check ...) - linux (unimportant) NOTE: https://lkml.org/lkml/2019/9/9/487 NOTE: Requires memory allocation failure during device probe, so unlikely to NOTE: be exploitable, and then it's only a local DoS. CVE-2019-16230 (** DISPUTED ** drivers/gpu/drm/radeon/radeon_display.c in the Linux ke ...) - linux (unimportant) NOTE: https://lkml.org/lkml/2019/9/9/487 NOTE: Requires memory allocation failure during device probe, so unlikely to NOTE: be exploitable, and then it's only a local DoS. CVE-2019-16229 (** DISPUTED ** drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c in the Linux ...) - linux (unimportant) NOTE: https://lkml.org/lkml/2019/9/9/487 NOTE: Requires memory allocation failure during device probe, so unlikely to NOTE: be exploitable, and then it's only a local DoS. CVE-2019-16228 (An issue was discovered in py-lmdb 0.97. There is a divide-by-zero err ...) - py-lmdb (unimportant) NOTE: https://github.com/jnwatson/py-lmdb/issues/210 NOTE: No real security issue in py-lmdb and disputed (MITRE contacted). If at all NOTE: then issues in underlying library but cf. https://github.com/jnwatson/py-lmdb/issues/210#issuecomment-531015023 CVE-2019-16227 (An issue was discovered in py-lmdb 0.97. For certain values of mn_flag ...) - py-lmdb (unimportant) NOTE: https://github.com/jnwatson/py-lmdb/issues/210 NOTE: No real security issue in py-lmdb and disputed (MITRE contacted). If at all NOTE: then issues in underlying library but cf. https://github.com/jnwatson/py-lmdb/issues/210#issuecomment-531015023 CVE-2019-16226 (An issue was discovered in py-lmdb 0.97. mdb_node_del does not validat ...) - py-lmdb (unimportant) NOTE: https://github.com/jnwatson/py-lmdb/issues/210 NOTE: No real security issue in py-lmdb and disputed (MITRE contacted). If at all NOTE: then issues in underlying library but cf. https://github.com/jnwatson/py-lmdb/issues/210#issuecomment-531015023 CVE-2019-16225 (An issue was discovered in py-lmdb 0.97. For certain values of mp_flag ...) - py-lmdb (unimportant) NOTE: https://github.com/jnwatson/py-lmdb/issues/210 NOTE: No real security issue in py-lmdb and disputed (MITRE contacted). If at all NOTE: then issues in underlying library but cf. https://github.com/jnwatson/py-lmdb/issues/210#issuecomment-531015023 CVE-2019-16224 (An issue was discovered in py-lmdb 0.97. For certain values of md_flag ...) - py-lmdb (unimportant) NOTE: https://github.com/jnwatson/py-lmdb/issues/210 NOTE: No real security issue in py-lmdb and disputed (MITRE contacted). If at all NOTE: then issues in underlying library but cf. https://github.com/jnwatson/py-lmdb/issues/210#issuecomment-531015023 CVE-2019-16223 (WordPress before 5.2.3 allows XSS in post previews by authenticated us ...) {DSA-4599-1 DLA-1960-1} - wordpress 5.2.3+dfsg1-1 (bug #939543) [stretch] - wordpress 4.7.5+dfsg-2+deb9u6 CVE-2019-16222 (WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_b ...) {DSA-4599-1 DLA-1960-1} - wordpress 5.2.3+dfsg1-1 (bug #939543) [stretch] - wordpress 4.7.5+dfsg-2+deb9u6 NOTE: https://core.trac.wordpress.org/changeset/45997 NOTE: https://github.com/WordPress/WordPress/commit/30ac67579559fe42251b5a9f887211bf61a8ed68 CVE-2019-16221 (WordPress before 5.2.3 allows reflected XSS in the dashboard. ...) {DSA-4599-1 DLA-1960-1} - wordpress 5.2.3+dfsg1-1 (bug #939543) [stretch] - wordpress 4.7.5+dfsg-2+deb9u6 CVE-2019-16220 (In WordPress before 5.2.3, validation and sanitization of a URL in wp_ ...) {DSA-4599-1 DLA-1960-1} - wordpress 5.2.3+dfsg1-1 (bug #939543) [stretch] - wordpress 4.7.5+dfsg-2+deb9u6 NOTE: https://core.trac.wordpress.org/changeset/45971 NOTE: https://github.com/WordPress/WordPress/commit/c86ee39ff4c1a79b93c967eb88522f5c09614a28 CVE-2019-16219 (WordPress before 5.2.3 allows XSS in shortcode previews. ...) {DSA-4599-1 DLA-1960-1} - wordpress 5.2.3+dfsg1-1 (bug #939543) [stretch] - wordpress 4.7.5+dfsg-2+deb9u6 CVE-2019-16218 (WordPress before 5.2.3 allows XSS in stored comments. ...) {DSA-4599-1 DLA-1960-1} - wordpress 5.2.3+dfsg1-1 (bug #939543) [stretch] - wordpress 4.7.5+dfsg-2+deb9u6 CVE-2019-16217 (WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upl ...) {DSA-4599-1 DLA-1960-1} - wordpress 5.2.3+dfsg1-1 (bug #939543) [stretch] - wordpress 4.7.5+dfsg-2+deb9u6 NOTE: https://core.trac.wordpress.org/changeset/45936 CVE-2019-16216 (Zulip server before 2.0.5 incompletely validated the MIME types of upl ...) - zulip-server (bug #800052) CVE-2019-16215 (The Markdown parser in Zulip server before 2.0.5 used a regular expres ...) - zulip-server (bug #800052) CVE-2019-16214 (Libra Core before 2019-09-03 has an erroneous regular expression for i ...) NOT-FOR-US: Libra CVE-2019-16213 (Tenda PA6 Wi-Fi Powerline extender 1.0.1.21 could allow a remote authe ...) NOT-FOR-US: Tenda PA6 Wi-Fi Powerline extender CVE-2019-16212 RESERVED CVE-2019-16211 RESERVED CVE-2019-16210 (Brocade SANnav versions before v2.0, logs plain text database connecti ...) NOT-FOR-US: Brocade CVE-2019-16209 (A vulnerability, in The ReportsTrustManager class of Brocade SANnav ve ...) NOT-FOR-US: Brocade CVE-2019-16208 (Password-based encryption (PBE) algorithm, of Brocade SANnav versions ...) NOT-FOR-US: Brocade CVE-2019-16207 (Brocade SANnav versions before v2.0 use a hard-coded password, which c ...) NOT-FOR-US: Brocade CVE-2019-16206 (The authentication mechanism, in Brocade SANnav versions before v2.0, ...) NOT-FOR-US: Brocade CVE-2019-16205 (A vulnerability, in Brocade SANnav versions before v2.0, could allow r ...) NOT-FOR-US: Brocade CVE-2019-16204 (Brocade Fabric OS Versions before v7.4.2f, v8.2.2a, v8.1.2j and v8.2.1 ...) NOT-FOR-US: Brocade Fabric OS CVE-2019-16203 (Brocade Fabric OS Versions before v8.2.2a and v8.2.1d could expose the ...) NOT-FOR-US: Brocade Fabric OS CVE-2019-16202 (MISP before 2.4.115 allows privilege escalation in certain situations. ...) NOT-FOR-US: MISP CVE-2019-16201 (WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5 ...) {DSA-4587-1 DSA-4586-1 DLA-2027-1 DLA-2007-1} - ruby2.5 2.5.7-1 - ruby2.3 - ruby2.1 - jruby NOTE: https://github.com/ruby/ruby/commit/36e057e26ef2104bc2349799d6c52d22bb1c7d03 NOTE: https://hackerone.com/reports/661722 NOTE: https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/ CVE-2019-16200 (GNU Serveez through 0.2.2 has an Information Leak. An attacker may sen ...) - serveez CVE-2019-16199 (eQ-3 Homematic CCU2 before 2.47.18 and CCU3 before 3.47.18 allow Remot ...) NOT-FOR-US: eQ-3 Homematic CCU2 CVE-2019-16198 (KSLabs KSWEB 3.93 allows ../ directory traversal, as demonstrated by t ...) NOT-FOR-US: KSLabs KSWEB CVE-2019-16197 (In htdocs/societe/card.php in Dolibarr 10.0.1, the value of the User-A ...) - dolibarr CVE-2019-16196 RESERVED CVE-2019-16195 (Centreon before 2.8.30, 18.x before 18.10.8, and 19.x before 19.04.5 a ...) - centreon-web (bug #913903) CVE-2019-16194 (SQL injection vulnerabilities in Centreon through 19.04 allow attacks ...) - centreon-web (bug #913903) CVE-2019-16193 (In ArcGIS Enterprise 10.6.1, a crafted IFRAME element can be used to t ...) NOT-FOR-US: ArcGIS Enterprise CVE-2019-16192 (upload_model() in /admini/controllers/system/managemodel.php in DocCms ...) NOT-FOR-US: DocCMS CVE-2019-16191 RESERVED CVE-2019-16190 (SharePort Web Access on D-Link DIR-868L REVB through 2.03, DIR-885L RE ...) NOT-FOR-US: D-Link CVE-2019-16189 RESERVED CVE-2019-16188 (HCL AppScan Source before 9.03.13 is susceptible to XML External Entit ...) NOT-FOR-US: HCL AppScan Source CVE-2017-18611 (The magic-fields plugin before 1.7.2 for WordPress has XSS via the RCC ...) NOT-FOR-US: magic-fields plugin for WordPress CVE-2017-18610 (The magic-fields plugin before 1.7.2 for WordPress has XSS via the RCC ...) NOT-FOR-US: magic-fields plugin for WordPress CVE-2017-18609 (The magic-fields plugin before 1.7.2 for WordPress has XSS via the cus ...) NOT-FOR-US: magic-fields plugin for WordPress CVE-2017-18608 (The spotim-comments plugin before 4.0.4 for WordPress has multiple XSS ...) NOT-FOR-US: spotim-comments plugin for WordPress CVE-2017-18607 (The avada theme before 5.1.5 for WordPress has CSRF. ...) NOT-FOR-US: avada theme for WordPress CVE-2017-18606 (The avada theme before 5.1.5 for WordPress has stored XSS. ...) NOT-FOR-US: avada theme for WordPress CVE-2017-18605 (The gravitate-qa-tracker plugin through 1.2.1 for WordPress has PHP Ob ...) NOT-FOR-US: gravitate-qa-tracker plugin for WordPress CVE-2017-18604 (The sitebuilder-dynamic-components plugin through 1.0 for WordPress ha ...) NOT-FOR-US: sitebuilder-dynamic-components plugin for WordPress CVE-2017-18603 (The postman-smtp plugin through 2017-10-04 for WordPress has XSS via t ...) NOT-FOR-US: postman-smtp plugin for WordPress CVE-2017-18602 (The examapp plugin 1.0 for WordPress has SQL injection via the wp-admi ...) NOT-FOR-US: examapp plugin for WordPress CVE-2017-18601 (The examapp plugin 1.0 for WordPress has XSS via exam input text field ...) NOT-FOR-US: examapp plugin for WordPress CVE-2017-18600 (The formcraft3 plugin before 3.4 for WordPress has stored XSS via the ...) NOT-FOR-US: formcraft3 plugin for WordPress CVE-2017-18599 (The Pinfinity theme before 2.0 for WordPress has XSS via the s paramet ...) NOT-FOR-US: Pinfinity theme for WordPress CVE-2017-18598 (The Qards plugin through 2017-10-11 for WordPress has XSS via a remote ...) NOT-FOR-US: Qards plugin for WordPress CVE-2017-18597 (The jtrt-responsive-tables plugin before 4.1.2 for WordPress has SQL I ...) NOT-FOR-US: jtrt-responsive-tables plugin for WordPress CVE-2017-18596 (The elementor plugin before 1.8.0 for WordPress has incorrect access c ...) NOT-FOR-US: elementor plugin for WordPress CVE-2019-16187 (Limesurvey before 3.17.14 uses an anti-CSRF cookie without the HttpOnl ...) - limesurvey (bug #472802) CVE-2019-16186 (In Limesurvey before 3.17.14, admin users can access the plugin manage ...) - limesurvey (bug #472802) CVE-2019-16185 (In Limesurvey before 3.17.14, admin users can view, update, or delete ...) - limesurvey (bug #472802) CVE-2019-16184 (A CSV injection vulnerability was found in Limesurvey before 3.17.14 t ...) - limesurvey (bug #472802) CVE-2019-16183 (In Limesurvey before 3.17.14, admin users can run an integrity check w ...) - limesurvey (bug #472802) CVE-2019-16182 (A reflected cross-site scripting (XSS) vulnerability was found in Lime ...) - limesurvey (bug #472802) CVE-2019-16181 (In Limesurvey before 3.17.14, admin users can mark other users' notifi ...) - limesurvey (bug #472802) CVE-2019-16180 (Limesurvey before 3.17.14 allows remote attackers to bruteforce the lo ...) - limesurvey (bug #472802) CVE-2019-16179 (Limesurvey before 3.17.14 does not enforce SSL/TLS usage in the defaul ...) - limesurvey (bug #472802) CVE-2019-16178 (A stored cross-site scripting (XSS) vulnerability was found in Limesur ...) - limesurvey (bug #472802) CVE-2019-16177 (In Limesurvey before 3.17.14, the entire database is exposed through b ...) - limesurvey (bug #472802) CVE-2019-16176 (A path disclosure vulnerability was found in Limesurvey before 3.17.14 ...) - limesurvey (bug #472802) CVE-2019-16175 (A clickjacking vulnerability was found in Limesurvey before 3.17.14. ...) - limesurvey (bug #472802) CVE-2019-16174 (An XML injection vulnerability was found in Limesurvey before 3.17.14 ...) - limesurvey (bug #472802) CVE-2019-16173 (LimeSurvey before v3.17.14 allows reflected XSS for escalating privile ...) - limesurvey (bug #472802) CVE-2019-16172 (LimeSurvey before v3.17.14 allows stored XSS for escalating privileges ...) - limesurvey (bug #472802) CVE-2019-16171 (In JetBrains YouTrack through 2019.2.56594, stored XSS was found on th ...) NOT-FOR-US: JetBrains YouTrack CVE-2019-16170 (An issue was discovered in GitLab Enterprise Edition 11.x and 12.x bef ...) [experimental] - gitlab 12.0.9-1 - gitlab 12.6.8-3 (bug #940007) NOTE: https://about.gitlab.com/2019/09/10/critical-security-release-gitlab-12-dot-2-dot-5-released/ CVE-2019-16169 RESERVED CVE-2019-16167 (sysstat before 12.1.6 has memory corruption due to an Integer Overflow ...) - sysstat 12.1.7-1 (bug #939914) [buster] - sysstat (Minor issue, can be fixed via point release) [stretch] - sysstat (Vulnerable code introduced later) [jessie] - sysstat (Vulnerable code introduced later) NOTE: https://github.com/sysstat/sysstat/issues/230 NOTE: Introduced after: https://github.com/sysstat/sysstat/commit/65ac30359e49ee717397e39950d7c24a6610d57c (v11.7.1) NOTE: Fixed by: https://github.com/sysstat/sysstat/commit/edbf507678bf10914e9804ff8a06737fdcb2e781 CVE-2019-16166 (GNU cflow through 1.6 has a heap-based buffer over-read in the nexttok ...) - cflow (unimportant; bug #939916) NOTE: https://lists.gnu.org/archive/html/bug-cflow/2019-04/msg00000.html NOTE: Crash in CLI tool, no security impact CVE-2019-16165 (GNU cflow through 1.6 has a use-after-free in the reference function i ...) - cflow (unimportant; bug #939915) NOTE: https://lists.gnu.org/archive/html/bug-cflow/2019-04/msg00001.html NOTE: Crash in CLI tool, no security impact CVE-2019-16164 (MyHTML through 4.0.5 has a NULL pointer dereference in myhtml_tree_nod ...) NOT-FOR-US: MyHTML CVE-2019-16163 (Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of ...) {DLA-1918-1} - libonig 6.9.4-1 (low; bug #939988) [buster] - libonig (Minor issue) [stretch] - libonig (Minor issue) NOTE: https://github.com/kkos/oniguruma/issues/147 NOTE: https://github.com/kkos/oniguruma/commit/4097828d7cc87589864fecf452f2cd46c5f37180 CVE-2019-16162 (Onigmo through 6.2.0 has an out-of-bounds read in parse_char_class bec ...) NOT-FOR-US: Onigmo (fork of Oniguruma) CVE-2019-16161 (Onigmo through 6.2.0 has a NULL pointer dereference in onig_error_code ...) NOT-FOR-US: Onigmo (fork of Oniguruma) CVE-2019-16160 RESERVED CVE-2019-16159 (BIRD Internet Routing Daemon 1.6.x through 1.6.7 and 2.x through 2.0.5 ...) - bird 1.6.8-1 (bug #939990) [buster] - bird 1.6.6-1+deb10u1 [stretch] - bird (Vulnerable code introduced later) [jessie] - bird (Vulnerable code introduced later) - bird2 2.0.6-1 (bug #940522) NOTE: https://gitlab.labs.nic.cz/labs/bird/commit/1657c41c96b3c07d9265b07dd4912033ead4124b (1.6.x) NOTE: https://gitlab.labs.nic.cz/labs/bird/commit/8388f5a7e14108a1458fea35bfbb5a453e2c563c (2.0.x) CVE-2019-16158 RESERVED CVE-2019-16157 (An information exposure vulnerability in Fortinet FortiWeb 6.2.0 CLI a ...) NOT-FOR-US: Fortiguard CVE-2019-16156 (An Improper Neutralization of Input vulnerability in the Anomaly Detec ...) NOT-FOR-US: Fortiguard CVE-2019-16155 (A privilege escalation vulnerability in FortiClient for Linux 6.2.1 an ...) NOT-FOR-US: Fortiguard FortiClient CVE-2019-16154 (An improper neutralization of input during web page generation in Fort ...) NOT-FOR-US: FortiAuthenticator WEB UI CVE-2019-16153 (A hard-coded password vulnerability in the Fortinet FortiSIEM database ...) NOT-FOR-US: Fortinet CVE-2019-16152 (A Denial of service (DoS) vulnerability in FortiClient for Linux 6.2.1 ...) NOT-FOR-US: Fortiguard FortiClient CVE-2019-16151 RESERVED CVE-2019-16150 (Use of a hard-coded cryptographic key to encrypt security sensitive da ...) NOT-FOR-US: Fortiguard CVE-2019-16149 RESERVED CVE-2019-16168 (In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can cras ...) - sqlite3 3.29.0-2 [buster] - sqlite3 (Minor issue) [stretch] - sqlite3 (Minor issue) [jessie] - sqlite3 (Minor issue) NOTE: https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg116312.html NOTE: https://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62 NOTE: Fixed by: https://www.sqlite.org/src/info/d93508fc9913cfe6 NOTE: Introduced by: https://www.sqlite.org/src/info/90e36676476e8db0 CVE-2019-16148 (Sakai through 12.6 allows XSS via a chat user name. ...) NOT-FOR-US: Sakai CVE-2019-16147 (Liferay Portal through 7.2.0 GA1 allows XSS via a journal article titl ...) NOT-FOR-US: Liferay Portal CVE-2019-16146 (Gophish through 0.8.0 allows XSS via a username. ...) NOT-FOR-US: Gophish CVE-2019-16145 (The breadcrumbs contributed module through 0.2.0 for Padrino Framework ...) NOT-FOR-US: Padrino module CVE-2019-16144 (An issue was discovered in the generator crate before 0.6.18 for Rust. ...) NOT-FOR-US: Rust crate generator CVE-2019-16143 (An issue was discovered in the blake2 crate before 0.8.1 for Rust. The ...) NOT-FOR-US: Rust crate blake CVE-2019-16142 (An issue was discovered in the renderdoc crate before 0.5.0 for Rust. ...) NOT-FOR-US: Rust crate renderdoc CVE-2019-16141 (An issue was discovered in the once_cell crate before 1.0.1 for Rust. ...) - rust-once-cell (Only affects 0.2.5 and later) NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0017.html CVE-2019-16140 (An issue was discovered in the chttp crate before 0.1.3 for Rust. Ther ...) NOT-FOR-US: Rust crate chttp CVE-2019-16139 (An issue was discovered in the compact_arena crate before 0.4.0 for Ru ...) NOT-FOR-US: Rust crate renderdoc CVE-2019-16138 (An issue was discovered in the image crate before 0.21.3 for Rust, aff ...) - rust-image (Fixed before initial upload) NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0014.html CVE-2019-16137 (An issue was discovered in the spin crate before 0.5.2 for Rust, when ...) - rust-spin 0.5.2-1 [buster] - rust-spin (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0013.html CVE-2019-16136 RESERVED CVE-2019-16135 RESERVED CVE-2019-16134 RESERVED CVE-2019-16133 (An issue was discovered in eteams OA v4.0.34. Because the session is n ...) NOT-FOR-US: eteams CVE-2019-16132 (An issue was discovered in OKLite v1.2.25. framework/admin/tpl_control ...) NOT-FOR-US: OKLite CVE-2019-16131 (framework/admin/modulec_control.php in OKLite v1.2.25 has an Arbitrary ...) NOT-FOR-US: OKLite CVE-2019-16130 (YII2-CMS v1.0 has XSS in protected\core\modules\home\models\Contact.ph ...) NOT-FOR-US: YII2-CMS CVE-2019-16129 RESERVED CVE-2019-16128 RESERVED CVE-2019-16127 RESERVED CVE-2019-16126 (Grav through 1.6.15 allows (Stored) Cross-Site Scripting due to JavaSc ...) NOT-FOR-US: Grav CMS CVE-2019-16125 (In Jobberbase 2.0, the parameter category is not sanitized in public/p ...) NOT-FOR-US: Jobberbase CVE-2019-16124 (In YouPHPTube 7.4, the file install/checkConfiguration.php has no acce ...) NOT-FOR-US: YouPHPTube CVE-2019-16123 (In Kartatopia PilusCart 1.4.1, the parameter filename in the file cata ...) NOT-FOR-US: Kartatopia PilusCart CVE-2019-16122 RESERVED CVE-2019-16121 RESERVED CVE-2019-16120 (CSV injection in the event-tickets (Event Tickets) plugin before 4.10. ...) NOT-FOR-US: event-tickets (Event Tickets) plugin for WordPress CVE-2019-16119 (SQL injection in the photo-gallery (10Web Photo Gallery) plugin before ...) NOT-FOR-US: photo-gallery (10Web Photo Gallery) plugin for WordPress CVE-2019-16118 (Cross site scripting (XSS) in the photo-gallery (10Web Photo Gallery) ...) NOT-FOR-US: photo-gallery (10Web Photo Gallery) plugin for WordPress CVE-2019-16117 (Cross site scripting (XSS) in the photo-gallery (10Web Photo Gallery) ...) NOT-FOR-US: photo-gallery (10Web Photo Gallery) plugin for WordPress CVE-2019-16116 (EnterpriseDT CompleteFTP Server prior to version 12.1.3 is vulnerable ...) NOT-FOR-US: EnterpriseDT CompleteFTP Server CVE-2019-16115 (In Xpdf 4.01.01, a stack-based buffer under-read could be triggered in ...) - xpdf (xpdf in Debian uses poppler, which is fixed) CVE-2019-16114 (In ATutor 2.2.4, an unauthenticated attacker can change the applicatio ...) NOT-FOR-US: ATutor CVE-2019-16113 (Bludit 3.9.2 allows remote code execution via bl-kernel/ajax/upload-im ...) NOT-FOR-US: Bludit CVE-2019-16112 (TylerTech Eagle 2018.3.11 deserializes untrusted user input, resulting ...) NOT-FOR-US: TylerTech Eagle CVE-2019-16111 RESERVED CVE-2019-16110 (The network protocol of Blade Shadow though 2.13.3 allows remote attac ...) NOT-FOR-US: Blade Shadow CVE-2019-16109 (An issue was discovered in Plataformatec Devise before 4.7.1. It confi ...) NOT-FOR-US: Plataformatec Devise CVE-2019-16108 (phpBB 3.2.7 allows adding an arbitrary Cascading Style Sheets (CSS) to ...) NOT-FOR-US: phpBB CVE-2019-16107 (Missing form token validation in phpBB 3.2.7 allows CSRF in deleting p ...) NOT-FOR-US: phpBB CVE-2018-21014 (The buddyboss-media plugin through 3.2.3 for WordPress has stored XSS. ...) NOT-FOR-US: Wordpress plugin CVE-2018-21013 (The Swape theme before 1.2.1 for WordPress has incorrect access contro ...) NOT-FOR-US: Wordpress plugin CVE-2018-21012 (The cf7-invisible-recaptcha plugin before 1.3.2 for WordPress has XSS. ...) NOT-FOR-US: Wordpress plugin CVE-2018-21011 (The charitable plugin before 1.5.14 for WordPress has unauthorized acc ...) NOT-FOR-US: Wordpress plugin CVE-2019-16106 (The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681 ...) NOT-FOR-US: Recruitment module in Humanica Humatrix CVE-2019-16105 (Silver Peak EdgeConnect SD-WAN before 8.1.7.x allows ..%2f directory t ...) NOT-FOR-US: Silver Peak EdgeConnect SD-WAN CVE-2019-16104 (Silver Peak EdgeConnect SD-WAN before 8.1.7.x has reflected XSS via th ...) NOT-FOR-US: Silver Peak EdgeConnect SD-WAN CVE-2019-16103 (Silver Peak EdgeConnect SD-WAN before 8.1.7.x allows privilege escalat ...) NOT-FOR-US: Silver Peak EdgeConnect SD-WAN CVE-2019-16102 (Silver Peak EdgeConnect SD-WAN before 8.1.7.x has an SNMP service with ...) NOT-FOR-US: Silver Peak EdgeConnect SD-WAN CVE-2019-16101 (Silver Peak EdgeConnect SD-WAN before 8.1.7.x allows remote attackers ...) NOT-FOR-US: Silver Peak EdgeConnect SD-WAN CVE-2019-16100 (Silver Peak EdgeConnect SD-WAN before 8.1.7.x allows remote attackers ...) NOT-FOR-US: Silver Peak EdgeConnect SD-WAN CVE-2019-16099 (Silver Peak EdgeConnect SD-WAN before 8.1.7.x allows CSRF via JSON dat ...) NOT-FOR-US: Silver Peak EdgeConnect SD-WAN CVE-2019-16098 (The driver in Micro-Star MSI Afterburner 4.6.2.15658 (aka RTCore64.sys ...) NOT-FOR-US: Micro-Star MSI Afterburner CVE-2019-16097 (core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users ...) NOT-FOR-US: Harbor CVE-2016-10937 (IMAPFilter through 2.6.12 does not validate the hostname in an SSL cer ...) {DLA-1976-1} - imapfilter 1:2.6.13-1 (bug #939702) [buster] - imapfilter (Minor issue) [stretch] - imapfilter (Minor issue) NOTE: https://github.com/lefcha/imapfilter/issues/142 NOTE: Patch for support for hostname validation (requrires OpenSSL 1.1.0 and later): NOTE: https://github.com/lefcha/imapfilter/commit/bf2515da752eddd54973adb0853c6aa289e921b6 NOTE: Patch for support for hostname validation (for OpenSSL 1.0.2 and later): NOTE: https://github.com/lefcha/imapfilter/commit/3daa2692e37fc52ce630e39a3fb6faf270c054b1 CVE-2019-16096 (Kilo 0.0.1 has a heap-based buffer overflow because there is an intege ...) NOT-FOR-US: Kilo CVE-2019-16095 (Symonics libmysofa 0.7 has an invalid read in getDimension in hrtf/rea ...) - libmysofa 0.8~dfsg0-1 (bug #939735) [buster] - libmysofa 0.6~dfsg0-3+deb10u1 CVE-2019-16094 (Symonics libmysofa 0.7 has an invalid read in readOHDRHeaderMessageDat ...) - libmysofa 0.8~dfsg0-1 (bug #939735) [buster] - libmysofa 0.6~dfsg0-3+deb10u1 CVE-2019-16093 (Symonics libmysofa 0.7 has an invalid write in readOHDRHeaderMessageDa ...) - libmysofa 0.8~dfsg0-1 (bug #939735) [buster] - libmysofa 0.6~dfsg0-3+deb10u1 CVE-2019-16092 (Symonics libmysofa 0.7 has a NULL pointer dereference in getHrtf in hr ...) - libmysofa 0.8~dfsg0-1 (bug #939735) [buster] - libmysofa 0.6~dfsg0-3+deb10u1 CVE-2019-16091 (Symonics libmysofa 0.7 has an out-of-bounds read in directblockRead in ...) - libmysofa 0.8~dfsg0-1 (bug #939735) [buster] - libmysofa 0.6~dfsg0-3+deb10u1 CVE-2019-16090 RESERVED CVE-2019-16088 (Xpdf 3.04 has a SIGSEGV in XRef::fetch in XRef.cc after many recursive ...) - xpdf (xpdf in Debian uses poppler, which is fixed) CVE-2019-16087 RESERVED CVE-2019-16086 RESERVED CVE-2019-16085 RESERVED CVE-2019-16084 RESERVED CVE-2019-16083 RESERVED CVE-2019-16082 RESERVED CVE-2019-16081 RESERVED CVE-2019-16080 RESERVED CVE-2019-16079 RESERVED CVE-2019-16078 RESERVED CVE-2019-16077 RESERVED CVE-2019-16076 RESERVED CVE-2019-16075 RESERVED CVE-2019-16074 RESERVED CVE-2019-16073 RESERVED CVE-2019-16072 (An OS command injection vulnerability in the discover_and_manage CGI s ...) NOT-FOR-US: NETSAS Enigma NMS CVE-2019-16071 (Enigma NMS 65.0.0 and prior allows administrative users to create low- ...) NOT-FOR-US: Enigma NMS CVE-2019-16070 (A number of stored Cross-site Scripting (XSS) vulnerabilities were ide ...) NOT-FOR-US: NETSAS Enigma NMS CVE-2019-16069 (A number of stored Cross-site Scripting (XSS) vulnerabilities were ide ...) NOT-FOR-US: NETSAS Enigma NMS CVE-2019-16068 (A CSRF vulnerability exists in NETSAS ENIGMA NMS version 65.0.0 and pr ...) NOT-FOR-US: NETSAS Enigma NMS CVE-2019-16067 (NETSAS Enigma NMS 65.0.0 and prior utilises basic authentication over ...) NOT-FOR-US: NETSAS Enigma NMS CVE-2019-16066 (An unrestricted file upload vulnerability exists in user and system fi ...) NOT-FOR-US: NETSAS Enigma NMS CVE-2019-16065 (A remote SQL injection web vulnerability was discovered in the Enigma ...) NOT-FOR-US: Enigma NMS CVE-2019-16064 (NETSAS Enigma NMS 65.0.0 and prior suffers from a directory traversal ...) NOT-FOR-US: NETSAS Enigma NMS CVE-2019-16063 (NETSAS Enigma NMS 65.0.0 and prior does not encrypt sensitive data ren ...) NOT-FOR-US: NETSAS Enigma NMS CVE-2019-16062 (NETSAS Enigma NMS 65.0.0 and prior does not encrypt sensitive data sto ...) NOT-FOR-US: NETSAS Enigma NMS CVE-2019-16061 (A number of files on the NETSAS Enigma NMS server 65.0.0 and prior are ...) NOT-FOR-US: NETSAS Enigma NMS CVE-2019-16089 (An issue was discovered in the Linux kernel through 5.2.13. nbd_genl_s ...) - linux [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) CVE-2019-16060 (The Airbrake Ruby notifier 4.2.3 for Airbrake mishandles the blacklist ...) NOT-FOR-US: Airbrake Ruby notifier CVE-2019-16059 (Sentrifugo 3.2 lacks CSRF protection. This could lead to an attacker t ...) NOT-FOR-US: Sentrifugo CVE-2019-16058 (An issue was discovered in the pam_p11 component 0.2.0 and 0.3.0 for O ...) - pam-p11 0.3.1-1 (bug #939664) [buster] - pam-p11 (Minor issue) [stretch] - pam-p11 (Minor issue) [jessie] - pam-p11 (Minor issue) NOTE: https://github.com/OpenSC/pam_p11/commit/d150b60e1e14c261b113f55681419ad1dfa8a76c NOTE: PKCS11_sign() is used in Jessie and Stretch and has a similar problem as EVP_SignFinal() everywhere else CVE-2019-16057 (The login_mgr.cgi script in D-Link DNS-320 through 2.05.B10 is vulnera ...) NOT-FOR-US: D-Link CVE-2019-16056 (An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3 ...) {DLA-1925-1 DLA-1924-1} - python3.8 3.8.0~b4-1 - python3.7 3.7.4-4 [buster] - python3.7 3.7.3-2+deb10u1 - python3.5 - python3.4 - python2.7 2.7.17~rc1-1 (bug #940901) [buster] - python2.7 2.7.16-2+deb10u1 [stretch] - python2.7 (Minor issue) NOTE: https://bugs.python.org/issue34155 NOTE: https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9 (master) NOTE: https://github.com/python/cpython/commit/217077440a6938a0b428f67cfef6e053c4f8673c (v3.8.0b4) NOTE: https://github.com/python/cpython/commit/c48d606adcef395e59fd555496c42203b01dd3e8 (3.7 branch) NOTE: https://github.com/python/cpython/commit/13a19139b5e76175bc95294d54afc9425e4f36c9 (3.6 branch) NOTE: https://github.com/python/cpython/commit/063eba280a11d3c9a5dd9ee5abe4de640907951b (3.5 branch) NOTE: https://github.com/python/cpython/commit/4cbcd2f8c4e12b912e4d21fd892eedf7a3813d8e (2.7 branch) CVE-2019-16055 RESERVED CVE-2019-16054 RESERVED CVE-2019-16053 RESERVED CVE-2019-16052 RESERVED CVE-2019-16051 RESERVED CVE-2019-16050 RESERVED CVE-2019-16049 RESERVED CVE-2019-16048 RESERVED CVE-2019-16047 RESERVED CVE-2019-16046 RESERVED CVE-2019-16045 RESERVED CVE-2019-16044 RESERVED CVE-2019-16043 RESERVED CVE-2019-16042 RESERVED CVE-2019-16041 RESERVED CVE-2019-16040 RESERVED CVE-2019-16039 RESERVED CVE-2019-16038 RESERVED CVE-2019-16037 RESERVED CVE-2019-16036 RESERVED CVE-2019-16035 RESERVED CVE-2019-16034 RESERVED CVE-2019-16033 RESERVED CVE-2019-16032 RESERVED CVE-2019-16031 RESERVED CVE-2019-16030 RESERVED CVE-2019-16029 (A vulnerability in the application programming interface (API) of Cisc ...) NOT-FOR-US: Cisco CVE-2019-16028 RESERVED CVE-2019-16027 (A vulnerability in the implementation of the Intermediate System&n ...) NOT-FOR-US: Cisco CVE-2019-16026 (A vulnerability in the implementation of the Stream Control Transmissi ...) NOT-FOR-US: Cisco CVE-2019-16025 RESERVED CVE-2019-16024 (A vulnerability in the web-based management interface of Cisco Crosswo ...) NOT-FOR-US: Cisco CVE-2019-16023 RESERVED CVE-2019-16022 (Multiple vulnerabilities in the implementation of Border Gateway Proto ...) NOT-FOR-US: Cisco CVE-2019-16021 RESERVED CVE-2019-16020 (Multiple vulnerabilities in the implementation of Border Gateway Proto ...) NOT-FOR-US: Cisco CVE-2019-16019 RESERVED CVE-2019-16018 (A vulnerability in the implementation of Border Gateway Protocol (BGP) ...) NOT-FOR-US: Cisco CVE-2019-16017 RESERVED CVE-2019-16016 RESERVED CVE-2019-16015 (A vulnerability in the web-based management interface of the Cisco Dat ...) NOT-FOR-US: Cisco CVE-2019-16014 RESERVED CVE-2019-16013 RESERVED CVE-2019-16012 (A vulnerability in the web UI of Cisco SD-WAN Solution vManage softwar ...) NOT-FOR-US: Cisco CVE-2019-16011 (A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow ...) NOT-FOR-US: Cisco CVE-2019-16010 (A vulnerability in the web UI of the Cisco SD-WAN vManage software cou ...) NOT-FOR-US: Cisco CVE-2019-16009 RESERVED CVE-2019-16008 (A vulnerability in the web-based GUI of Cisco IP Phone 6800, 7800, and ...) NOT-FOR-US: Cisco CVE-2019-16007 RESERVED CVE-2019-16006 RESERVED CVE-2019-16005 (A vulnerability in the web-based management interface of Cisco Webex V ...) NOT-FOR-US: Cisco CVE-2019-16004 RESERVED CVE-2019-16003 (A vulnerability in the web-based management interface of Cisco UCS Dir ...) NOT-FOR-US: Cisco CVE-2019-16002 (A vulnerability in the vManage web-based UI (web UI) of the Cisco SD-W ...) NOT-FOR-US: Cisco CVE-2019-16001 (A vulnerability in the loading mechanism of specific dynamic link libr ...) NOT-FOR-US: Cisco CVE-2019-16000 RESERVED CVE-2019-15999 (A vulnerability in the application environment of Cisco Data Center Ne ...) NOT-FOR-US: Cisco CVE-2019-15998 (A vulnerability in the access-control logic of the NETCONF over Secure ...) NOT-FOR-US: Cisco CVE-2019-15997 (A vulnerability in Cisco DNA Spaces: Connector could allow an authenti ...) NOT-FOR-US: Cisco CVE-2019-15996 (A vulnerability in Cisco DNA Spaces: Connector could allow an authenti ...) NOT-FOR-US: Cisco CVE-2019-15995 (A vulnerability in the web UI of Cisco DNA Spaces: Connector could all ...) NOT-FOR-US: Cisco CVE-2019-15994 (A vulnerability in the web-based management interface of Cisco Stealth ...) NOT-FOR-US: Cisco CVE-2019-15993 RESERVED CVE-2019-15992 RESERVED CVE-2019-15991 RESERVED CVE-2019-15990 (A vulnerability in the web-based management interface of certain Cisco ...) NOT-FOR-US: Cisco CVE-2019-15989 (A vulnerability in the implementation of the Border Gateway Protocol ( ...) NOT-FOR-US: Cisco CVE-2019-15988 (A vulnerability in the antispam protection mechanisms of Cisco AsyncOS ...) NOT-FOR-US: Cisco CVE-2019-15987 (A vulnerability in web interface of the Cisco Webex Event Center, Cisc ...) NOT-FOR-US: Cisco CVE-2019-15986 (A vulnerability in the CLI of Cisco Unity Express could allow an authe ...) NOT-FOR-US: Cisco CVE-2019-15985 (Multiple vulnerabilities in the REST and SOAP API endpoints of Cisco D ...) NOT-FOR-US: Cisco CVE-2019-15984 (Multiple vulnerabilities in the REST and SOAP API endpoints of Cisco D ...) NOT-FOR-US: Cisco CVE-2019-15983 (A vulnerability in the SOAP API of Cisco Data Center Network Manager ( ...) NOT-FOR-US: Cisco CVE-2019-15982 (Multiple vulnerabilities in the REST and SOAP API endpoints and the Ap ...) NOT-FOR-US: Cisco CVE-2019-15981 (Multiple vulnerabilities in the REST and SOAP API endpoints and the Ap ...) NOT-FOR-US: Cisco CVE-2019-15980 (Multiple vulnerabilities in the REST and SOAP API endpoints and the Ap ...) NOT-FOR-US: Cisco CVE-2019-15979 (Multiple vulnerabilities in the REST and SOAP API endpoints of Cisco D ...) NOT-FOR-US: Cisco CVE-2019-15978 (Multiple vulnerabilities in the REST and SOAP API endpoints of Cisco D ...) NOT-FOR-US: Cisco CVE-2019-15977 (Multiple vulnerabilities in the authentication mechanisms of Cisco Dat ...) NOT-FOR-US: Cisco CVE-2019-15976 (Multiple vulnerabilities in the authentication mechanisms of Cisco Dat ...) NOT-FOR-US: Cisco CVE-2019-15975 (Multiple vulnerabilities in the authentication mechanisms of Cisco Dat ...) NOT-FOR-US: Cisco CVE-2019-15974 RESERVED CVE-2019-15973 (A vulnerability in the web-based management interface of Cisco Industr ...) NOT-FOR-US: Cisco CVE-2019-15972 (A vulnerability in the web-based management interface of Cisco Unified ...) NOT-FOR-US: Cisco CVE-2019-15971 (A vulnerability in the MP3 detection engine of Cisco AsyncOS Software ...) NOT-FOR-US: Cisco CVE-2019-15970 RESERVED CVE-2019-15969 RESERVED CVE-2019-15968 (A vulnerability in the web-based management interface of Cisco Unified ...) NOT-FOR-US: Cisco CVE-2019-15967 (A vulnerability in the CLI of Cisco TelePresence Collaboration Endpoin ...) NOT-FOR-US: Cisco CVE-2019-15966 (A vulnerability in the web application of Cisco TelePresence Advanced ...) NOT-FOR-US: Cisco TelePresence Advanced Media Gateway CVE-2019-15965 RESERVED CVE-2019-15964 RESERVED CVE-2019-15963 RESERVED CVE-2019-15962 (A vulnerability in the CLI of Cisco TelePresence Collaboration Endpoin ...) NOT-FOR-US: Cisco CVE-2019-15961 (A vulnerability in the email parsing module Clam AntiVirus (ClamAV) So ...) {DLA-2108-1} - clamav 0.102.1+dfsg-1 (bug #945265) [buster] - clamav 0.102.1+dfsg-0+deb10u1 [stretch] - clamav 0.102.1+dfsg-0+deb9u2 NOTE: https://blog.clamav.net/2019/11/clamav-01021-and-01015-patches-have.html CVE-2019-15960 (A vulnerability in the Webex Network Recording Admin page of Cisco Web ...) NOT-FOR-US: Cisco CVE-2019-15959 RESERVED CVE-2019-15958 (A vulnerability in the REST API of Cisco Prime Infrastructure (PI) and ...) NOT-FOR-US: Cisco CVE-2019-15957 RESERVED CVE-2019-15956 (A vulnerability in the web management interface of Cisco AsyncOS Softw ...) NOT-FOR-US: Cisco CVE-2019-15955 (An issue was discovered in Total.js CMS 12.0.0. A low privilege user c ...) NOT-FOR-US: Total.js CMS CVE-2019-15954 (An issue was discovered in Total.js CMS 12.0.0. An authenticated user ...) NOT-FOR-US: Total.js CMS CVE-2019-15953 (An issue was discovered in Total.js CMS 12.0.0. An authenticated user ...) NOT-FOR-US: Total.js CMS CVE-2019-15952 (An issue was discovered in Total.js CMS 12.0.0. An authenticated user ...) NOT-FOR-US: Total.js CMS CVE-2019-15951 RESERVED CVE-2019-15950 (The CRM Plugin before 4.2.4 for Redmine allows XSS via crafted vCard d ...) NOT-FOR-US: Redmine plugin CVE-2019-15949 (Nagios XI before 5.6.6 allows remote command execution as root. The ex ...) NOT-FOR-US: Nagios XI CVE-2019-15948 (Texas Instruments CC256x and WL18xx dual-mode Bluetooth controller dev ...) NOT-FOR-US: Texas Instruments CC256x and WL18xx dual-mode Bluetooth controller devices CVE-2019-15947 (In Bitcoin Core 0.18.0, bitcoin-qt stores wallet.dat data unencrypted ...) - bitcoin (bug #939608) CVE-2019-15946 (OpenSC before 0.20.0-rc1 has an out-of-bounds access of an ASN.1 Octet ...) {DLA-1916-1} - opensc 0.20.0-1 (bug #939669) [buster] - opensc (Minor issue) [stretch] - opensc (Minor issue) NOTE: https://github.com/OpenSC/OpenSC/commit/a3fc7693f3a035a8a7921cffb98432944bb42740 CVE-2019-15945 (OpenSC before 0.20.0-rc1 has an out-of-bounds access of an ASN.1 Bitst ...) {DLA-1916-1} - opensc 0.20.0-1 (bug #939668) [buster] - opensc (Minor issue) [stretch] - opensc (Minor issue) NOTE: https://github.com/OpenSC/OpenSC/commit/412a6142c27a5973c61ba540e33cdc22d5608e68 CVE-2019-15944 (In Counter-Strike: Global Offensive before 8/29/2019, community game s ...) NOT-FOR-US: Counter-Strike: Global Offensive CVE-2019-15943 (vphysics.dll in Counter-Strike: Global Offensive before 1.37.1.1 allow ...) NOT-FOR-US: Counter-Strike: Global Offensive CVE-2019-15942 (FFmpeg through 4.2 has a "Conditional jump or move depends on uninitia ...) - ffmpeg (Only affects 4.2) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=af70bfbeadc0c9b9215cf045ff2a6a31e8ac3a71 CVE-2019-15941 (OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an ...) {DSA-4533-1} - lemonldap-ng 2.0.6+ds-1 [stretch] - lemonldap-ng (Restrictions on OIDC federation added in 2.0) [jessie] - lemonldap-ng (Vulnerable code introduced later) NOTE: Vulnerability exists pre-2.0 versions, but as restrictions on OIDC federation NOTE: were added only in 2.0 the vulnerability has no effect. The vulnerability NOTE: itself exists only with versions >= 1.9.0 (as there is no OIDC before) CVE-2019-15940 (Victure PC530 devices allow unauthenticated TELNET access as root. ...) NOT-FOR-US: Victure PC530 devices CVE-2019-15939 (An issue was discovered in OpenCV 4.1.0. There is a divide-by-zero err ...) - opencv 4.1.2+dfsg-3 [buster] - opencv (Minor issue) [stretch] - opencv (Minor issue) [jessie] - opencv (Minor issue) NOTE: https://github.com/OpenCV/opencv/issues/15287 NOTE: https://github.com/opencv/opencv/pull/15382 CVE-2019-15938 (Pengutronix barebox through 2019.08.1 has a remote buffer overflow in ...) NOT-FOR-US: Pengutronix barebox CVE-2019-15937 (Pengutronix barebox through 2019.08.1 has a remote buffer overflow in ...) NOT-FOR-US: Pengutronix barebox CVE-2019-15936 (Intesync Solismed 3.3sp allows Insecure File Upload. ...) NOT-FOR-US: Intesync Solismed CVE-2019-15935 (Intesync Solismed 3.3sp has XSS. ...) NOT-FOR-US: Intesync Solismed CVE-2019-15934 (Intesync Solismed 3.3sp has CSRF. ...) NOT-FOR-US: Intesync Solismed CVE-2019-15933 (Intesync Solismed 3.3sp has SQL Injection. ...) NOT-FOR-US: Intesync Solismed CVE-2019-15932 (Intesync Solismed 3.3sp has Incorrect Access Control. ...) NOT-FOR-US: Intesync Solismed CVE-2019-15931 (Intesync Solismed 3.3sp allows Directory Traversal, a different vulner ...) NOT-FOR-US: Intesync Solismed CVE-2019-15930 (Intesync Solismed 3.3sp allows Clickjacking. ...) NOT-FOR-US: Intesync Solismed CVE-2019-15929 (In Craft CMS through 3.1.7, the elevated session password prompt was n ...) NOT-FOR-US: Craft CMS CVE-2019-15928 RESERVED CVE-2019-15927 (An issue was discovered in the Linux kernel before 4.20.2. An out-of-b ...) - linux 4.19.16-1 [stretch] - linux 4.9.161-1 [jessie] - linux 3.16.68-1 NOTE: https://git.kernel.org/linus/f4351a199cc120ff9d59e06d02e8657d08e6cc46 CVE-2019-15926 (An issue was discovered in the Linux kernel before 5.2.3. Out of bound ...) {DLA-1930-1 DLA-1919-1} - linux 5.2.6-1 [buster] - linux 4.19.67-1 [stretch] - linux 4.9.189-1 NOTE: https://git.kernel.org/linus/5d6751eaff672ea77642e74e92e6c0ac7f9709ab CVE-2019-15925 (An issue was discovered in the Linux kernel before 5.2.3. An out of bo ...) - linux 5.2.6-1 [buster] - linux 4.19.67-1 [stretch] - linux (Vulnerable code introduced later) [jessie] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/04f25edb48c441fc278ecc154c270f16966cbb90 CVE-2018-21010 (OpenJPEG before 2.3.1 has a heap buffer overflow in color_apply_icc_pr ...) {DLA-1950-1} - openjpeg2 2.3.1-1 (bug #939553) [buster] - openjpeg2 2.3.0-2+deb10u1 [stretch] - openjpeg2 2.1.2-1.1+deb9u4 NOTE: https://github.com/uclouvain/openjpeg/commit/2e5ab1d9987831c981ff05862e8ccf1381ed58ea CVE-2018-21009 (Poppler before 0.66.0 has an integer overflow in Parser::makeStream in ...) {DLA-1939-1} - poppler 0.69.0-2 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/0868c499a9f5f37f8df5c9fef03c37496b40fc8a CVE-2018-21008 (An issue was discovered in the Linux kernel before 4.16.7. A use-after ...) {DLA-2114-1 DLA-1930-1} - linux 4.18.6-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/abd39c6ded9db53aa44c2540092bdd5fb6590fa8 CVE-2017-18595 (An issue was discovered in the Linux kernel before 4.14.11. A double f ...) - linux 4.14.12-1 [stretch] - linux 4.9.80-1 [jessie] - linux 3.16.56-1 NOTE: https://git.kernel.org/linus/4397f04575c44e1440ec2e49b6302785c95fd2f8 CVE-2019-15924 (An issue was discovered in the Linux kernel before 5.0.11. fm10k_init_ ...) {DLA-1919-1} - linux 5.2.6-1 [buster] - linux 4.19.67-1 [stretch] - linux 4.9.184-1 [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/01ca667133d019edc9f0a1f70a272447c84ec41f CVE-2019-15923 (An issue was discovered in the Linux kernel before 5.0.9. There is a N ...) - linux (Vulnerability never present) NOTE: https://git.kernel.org/linus/f0d1762554014ce0ae347b9f0d088f2c157c8c72 NOTE: unimportant as CONFIG_PARIDE_PCD not enabled in Debian builds CVE-2019-15922 (An issue was discovered in the Linux kernel before 5.0.9. There is a N ...) - linux (Vulnerability never present) NOTE: https://git.kernel.org/linus/58ccd2d31e502c37e108b285bf3d343eb00c235b NOTE: unimportant as CONFIG_PARIDE_PF not enabled in Debian builds CVE-2019-15921 (An issue was discovered in the Linux kernel before 5.0.6. There is a m ...) - linux 4.19.37-1 [stretch] - linux (Vulnerable code introduced later) [jessie] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/ceabee6c59943bdd5e1da1a6a20dc7ee5f8113a2 CVE-2019-15920 (An issue was discovered in the Linux kernel before 5.0.10. SMB2_read i ...) - linux 5.2.6-1 [buster] - linux 4.19.67-1 [stretch] - linux (Vulnerability introduced later) [jessie] - linux (Vulnerability introduced later) NOTE: https://git.kernel.org/linus/088aaf17aa79300cab14dbee2569c58cfafd7d6e CVE-2019-15919 (An issue was discovered in the Linux kernel before 5.0.10. SMB2_write ...) - linux 4.19.37-1 [stretch] - linux (Vulnerability introduced later) [jessie] - linux (Vulnerability introduced later) NOTE: https://git.kernel.org/linus/6a3eb3360667170988f8a6477f6686242061488a CVE-2019-15918 (An issue was discovered in the Linux kernel before 5.0.10. SMB2_negoti ...) - linux 5.2.6-1 [buster] - linux 4.19.87-1 [stretch] - linux (Vulnerability introduced later) [jessie] - linux (Vulnerability introduced later) NOTE: https://git.kernel.org/linus/b57a55e2200ede754e4dc9cce4ba9402544b9365 CVE-2019-15917 (An issue was discovered in the Linux kernel before 5.0.5. There is a u ...) {DLA-2114-1 DLA-1930-1} - linux 4.19.37-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/56897b217a1d0a91c9920cb418d6b3fe922f590a CVE-2019-15916 (An issue was discovered in the Linux kernel before 5.0.1. There is a m ...) - linux 4.19.28-1 [stretch] - linux 4.9.168-1 [jessie] - linux 3.16.70-1 NOTE: https://git.kernel.org/linus/895a5e96dbd6386c8e78e5b78e067dcc67b7f0ab CVE-2019-15915 (An issue was discovered on Xiaomi DGNWG03LM, ZNCZ03LM, MCCGQ01LM, RTCG ...) NOT-FOR-US: Xiaomi devices CVE-2019-15914 (An issue was discovered on Xiaomi DGNWG03LM, ZNCZ03LM, MCCGQ01LM, WSDC ...) NOT-FOR-US: Xiaomi devices CVE-2019-15913 (An issue was discovered on Xiaomi DGNWG03LM, ZNCZ03LM, MCCGQ01LM, WSDC ...) NOT-FOR-US: Xiaomi devices CVE-2019-15912 (An issue was discovered on ASUS HG100, MW100, WS-101, TS-101, AS-101, ...) NOT-FOR-US: ASUS devices CVE-2019-15911 (An issue was discovered on ASUS HG100, MW100, WS-101, TS-101, AS-101, ...) NOT-FOR-US: ASUS devices CVE-2019-15910 (An issue was discovered on ASUS HG100, MW100, WS-101, TS-101, AS-101, ...) NOT-FOR-US: ASUS devices CVE-2019-15909 RESERVED CVE-2019-15908 RESERVED CVE-2019-15907 RESERVED CVE-2019-15906 RESERVED CVE-2019-15905 RESERVED CVE-2019-15904 RESERVED CVE-2019-15903 (In libexpat before 2.2.8, crafted XML input could fool the parser into ...) {DSA-4571-1 DSA-4549-1 DSA-4530-1 DLA-1997-1 DLA-1987-1 DLA-1912-1} - expat 2.2.7-2 (bug #939394) - firefox 70.0-1 - firefox-esr 68.2.0esr-1 - chromium (uses system libexpat) - thunderbird 1:68.2.1-1 NOTE: https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43 NOTE: https://github.com/libexpat/libexpat/issues/317 NOTE: https://github.com/libexpat/libexpat/pull/318 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/#CVE-2019-15903 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-33/#CVE-2019-15903 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/#CVE-2019-15903 NOTE: src:hromium uses the system expat library. CVE-2019-15902 (A backporting error was discovered in the Linux stable/longterm kernel ...) {DSA-4531-1 DLA-1940-1} - linux 5.2.17-1 [jessie] - linux (Bug never introduced) NOTE: https://grsecurity.net/teardown_of_a_failed_linux_lts_spectre_fix.php CVE-2019-15901 (An issue was discovered in slicer69 doas before 6.2 on certain platfor ...) NOT-FOR-US: slicer69 doas CVE-2019-15900 (An issue was discovered in slicer69 doas before 6.2 on certain platfor ...) NOT-FOR-US: slicer69 doas CVE-2019-15899 RESERVED CVE-2019-15898 (Nagios Log Server before 2.0.8 allows Reflected XSS via the username o ...) NOT-FOR-US: Nagios Log Server CVE-2019-15897 (beegfs-ctl in ThinkParQ BeeGFS through 7.1.3 allows Authentication Byp ...) NOT-FOR-US: BeeGFS CVE-2019-15896 (An issue was discovered in the LifterLMS plugin through 3.34.5 for Wor ...) NOT-FOR-US: LifterLMS plugin for WordPress CVE-2019-15895 (search-exclude.php in the "Search Exclude" plugin before 1.2.4 for Wor ...) NOT-FOR-US: "Search Exclude" plugin for WordPress CVE-2019-15894 (An issue was discovered in Espressif ESP-IDF 2.x, 3.0.x through 3.0.9, ...) NOT-FOR-US: Espressif CVE-2019-15893 (Sonatype Nexus Repository Manager 2.x before 2.14.15 allows Remote Cod ...) NOT-FOR-US: Sonatype Nexus Repository Manager CVE-2019-15891 (An issue was discovered in CKFinder through 2.6.2.1 and 3.x through 3. ...) NOT-FOR-US: CKFinder CVE-2019-15890 (libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reas ...) {DSA-4616-1 DLA-1927-1} - slirp4netns 0.4.1-1 (bug #939868) [buster] - slirp4netns (Minor issue) - qemu 1:4.1-2 (bug #939869) - qemu-kvm NOTE: https://www.openwall.com/lists/oss-security/2019/09/06/3 NOTE: https://gitlab.freedesktop.org/slirp/libslirp/commit/c59279437eda91841b9d26079c70b8a540d41204 NOTE: 1:4.1-2 switched to system libslirp, marking that version as fixed CVE-2019-15889 (The download-manager plugin before 2.9.94 for WordPress has XSS via th ...) NOT-FOR-US: download-manager plugin for WordPress CVE-2019-15888 RESERVED CVE-2019-15887 RESERVED CVE-2019-15886 RESERVED CVE-2019-15885 RESERVED CVE-2019-15884 RESERVED CVE-2019-15883 RESERVED CVE-2019-15882 RESERVED CVE-2019-15881 RESERVED CVE-2019-15880 (In FreeBSD 12.1-STABLE before r356911, and 12.1-RELEASE before p5, ins ...) NOT-FOR-US: FreeBSD CVE-2019-15879 (In FreeBSD 12.1-STABLE before r356908, 12.1-RELEASE before p5, 11.3-ST ...) NOT-FOR-US: FreeBSD CVE-2019-15878 (In FreeBSD 12.1-STABLE before r352509, 11.3-STABLE before r352509, and ...) - kfreebsd-10 (unimportant) NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-20:14.sctp.asc CVE-2019-15877 (In FreeBSD 12.1-STABLE before r356606 and 12.1-RELEASE before 12.1-REL ...) NOT-FOR-US: FreeBSD CVE-2019-15876 (In FreeBSD 12.1-STABLE before r356089, 12.1-RELEASE before 12.1-RELEAS ...) NOT-FOR-US: FreeBSD CVE-2019-15875 (In FreeBSD 12.1-STABLE before r354734, 12.1-RELEASE before 12.1-RELEAS ...) - kfreebsd-10 (unimportant) NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-20:03.thrmisc.asc CVE-2019-15874 (In FreeBSD 12.1-STABLE before r356035, 12.1-RELEASE before 12.1-RELEAS ...) - kfreebsd-10 (unimportant) NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-20:10.ipfw.asc CVE-2019-15873 (The profilegrid-user-profiles-groups-and-communities plugin before 2.8 ...) NOT-FOR-US: profilegrid-user-profiles-groups-and-communities plugin for WordPress CVE-2019-15872 (The LoginPress plugin before 1.1.4 for WordPress has SQL injection via ...) NOT-FOR-US: LoginPress plugin for WordPress CVE-2019-15871 (The LoginPress plugin before 1.1.4 for WordPress has no capability che ...) NOT-FOR-US: LoginPress plugin for WordPress CVE-2019-15870 (The CarSpot theme before 2.1.7 for WordPress has stored XSS via the Ph ...) NOT-FOR-US: CarSpot theme for WordPress CVE-2019-15869 (The JobCareer theme before 2.5.1 for WordPress has stored XSS. ...) NOT-FOR-US: JobCareer theme for WordPress CVE-2019-15868 (The affiliates-manager plugin before 2.6.6 for WordPress has CSRF. ...) NOT-FOR-US: affiliates-manager plugin for WordPress CVE-2019-15867 (The slick-popup plugin before 1.7.2 for WordPress has a hardcoded Omak ...) NOT-FOR-US: slick-popup plugin for WordPress CVE-2019-15866 (The crelly-slider plugin before 1.3.5 for WordPress has arbitrary file ...) NOT-FOR-US: crelly-slider plugin for WordPress CVE-2019-15865 (The breadcrumbs-by-menu plugin before 1.0.3 for WordPress has CSRF. ...) NOT-FOR-US: breadcrumbs-by-menu plugin for WordPress CVE-2019-15864 (The breadcrumbs-by-menu plugin before 1.0.3 for WordPress has XSS. ...) NOT-FOR-US: breadcrumbs-by-menu plugin for WordPress CVE-2019-15863 (The ConvertPlus plugin before 3.4.5 for WordPress has an unintended ac ...) NOT-FOR-US: ConvertPlus plugin for WordPress CVE-2019-15892 (An issue was discovered in Varnish Cache before 6.0.4 LTS, and 6.1.x a ...) {DSA-4514-1} - varnish 6.2.1-1 (bug #939333) [stretch] - varnish (Only a security issue in 6.0 and later) [jessie] - varnish (Only a security issue in 6.0 and later) NOTE: https://varnish-cache.org/security/VSV00003.html NOTE: https://github.com/varnishcache/varnish-cache/commit/1cb778f6f69737109e8c070a74b8e95b78f46d13 NOTE: https://github.com/varnishcache/varnish-cache/commit/0f0e51e9871ed1bd1236378f8b0dea0d33df4e9e NOTE: https://github.com/varnishcache/varnish-cache/commit/72df38fa8bfc0f5ca4a75d3e32657e8e590d85ab NOTE: https://github.com/varnishcache/varnish-cache/commit/dd47e658a0de9d12c433a4a01fb43ea4fe4d3a41 NOTE: https://github.com/varnishcache/varnish-cache/commit/34717183beda3803e3d54c9826a1a9f026ca2505 NOTE: https://github.com/varnishcache/varnish-cache/commit/ec3997a59a93cbc13a3cba22dfe0b4c4710a8f65 NOTE: https://github.com/varnishcache/varnish-cache/commit/af13de03eaa3d04f60ada52ed3235d545b8d3973 NOTE: https://github.com/varnishcache/varnish-cache/commit/6da64a47beff44ecdb45c82b033811f2d19819af CVE-2019-15862 (An issue was discovered in CKFinder through 2.6.2.1. Improper checks o ...) NOT-FOR-US: CKFinder CVE-2019-15861 RESERVED CVE-2019-15860 (Xpdf 2.00 allows a SIGSEGV in XRef::constructXRef in XRef.cc. NOTE: 2. ...) - xpdf (xpdf in Debian uses poppler, which is fixed) CVE-2019-15859 (Password disclosure in the web interface on socomec DIRIS A-40 devices ...) NOT-FOR-US: DIRIS CVE-2019-15858 (admin/includes/class.import.snippet.php in the "Woody ad snippets" plu ...) NOT-FOR-US: "Woody ad snippets" plugin for WordPress CVE-2019-15857 RESERVED CVE-2019-15856 RESERVED CVE-2019-15855 (An issue was discovered in Maarch RM before 2.5. A path traversal vuln ...) NOT-FOR-US: Maarch RM CVE-2019-15854 (An issue was discovered in Maarch RM before 2.5. A privilege escalatio ...) NOT-FOR-US: Maarch RM CVE-2019-15853 RESERVED CVE-2019-15852 RESERVED CVE-2019-15851 REJECTED CVE-2019-15850 (eQ-3 HomeMatic CCU3 firmware version 3.41.11 allows Remote Code Execut ...) NOT-FOR-US: eQ-3 HomeMatic CCU3 CVE-2019-15849 (eQ-3 HomeMatic CCU3 firmware 3.41.11 allows session fixation. An attac ...) NOT-FOR-US: eQ-3 HomeMatic CCU3 CVE-2019-15848 (JetBrains TeamCity 2019.1 and 2019.1.1 allows cross-site scripting (XS ...) NOT-FOR-US: JetBrains TeamCity CVE-2019-15847 (The POWER9 backend in GNU Compiler Collection (GCC) before version 10 ...) - gcc-7 [buster] - gcc-7 (minor issue, affects only POWER9 binaries) - gcc-8 [buster] - gcc-8 (minor issue, affects only POWER9 binaries) - gcc-9 9.2.1-7 (low) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481 CVE-2015-9383 (FreeType before 2.6.2 has a heap-based buffer over-read in tt_cmap14_v ...) {DLA-1909-1} - freetype 2.6.3-1 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=57cbb8c148999ba8f14ed53435fc071ac9953afd NOTE: https://savannah.nongnu.org/bugs/?46346 CVE-2015-9382 (FreeType before 2.6.1 has a buffer over-read in skip_comment in psaux/ ...) {DLA-1909-1} - freetype 2.6.1-0.1 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/src/psaux/psobjs.c?id=db5a4a9ae7b0048f033361744421da8569642f73 NOTE: https://savannah.nongnu.org/bugs/?45922 CVE-2015-9381 (FreeType before 2.6.1 has a heap-based buffer over-read in T1_Get_Priv ...) {DLA-1909-1} - freetype 2.6.1-0.1 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/src/type1/t1parse.c?id=7962a15d64c876870ca0ae435ea2467d9be268d9 NOTE: https://savannah.nongnu.org/bugs/?45955 CVE-2019-15846 (Exim before 4.92.2 allows remote attackers to execute arbitrary code a ...) {DSA-4517-1 DLA-1911-1} - exim4 4.92.1-3 NOTE: https://www.openwall.com/lists/oss-security/2019/09/04/1 NOTE: https://git.exim.org/exim.git/commit/2600301ba6dbac5c9d640c87007a07ee6dcea1f4 CVE-2019-15845 (Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 misha ...) {DSA-4587-1 DSA-4586-1 DLA-2007-1} - ruby2.5 2.5.7-1 - ruby2.3 - ruby2.1 - jruby [stretch] - jruby (Vulnerable code is not present) [jessie] - jruby (vulnerable code is not present) NOTE: https://github.com/ruby/ruby/commit/a0a2640b398cffd351f87d3f6243103add66575b NOTE: https://hackerone.com/reports/449617 NOTE: https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/ CVE-2019-15844 RESERVED CVE-2019-15843 (A malicious file upload vulnerability was discovered in Xiaomi Millet ...) NOT-FOR-US: Xiaomi CVE-2019-15842 (The easy-pdf-restaurant-menu-upload plugin before 1.1.2 for WordPress ...) NOT-FOR-US: easy-pdf-restaurant-menu-upload plugin for WordPress CVE-2019-15841 (The facebook-for-woocommerce plugin before 1.9.15 for WordPress has CS ...) NOT-FOR-US: facebook-for-woocommerce plugin for WordPress CVE-2019-15840 (The facebook-for-woocommerce plugin before 1.9.14 for WordPress has CS ...) NOT-FOR-US: facebook-for-woocommerce plugin for WordPress CVE-2019-15839 (The sina-extension-for-elementor plugin before 2.2.1 for WordPress has ...) NOT-FOR-US: sina-extension-for-elementor plugin for WordPress CVE-2019-15838 (The custom-404-pro plugin before 3.2.8 for WordPress has reflected XSS ...) NOT-FOR-US: custom-404-pro plugin for WordPress CVE-2019-15837 (The webp-express plugin before 0.14.8 for WordPress has stored XSS. ...) NOT-FOR-US: webp-express plugin for WordPress CVE-2019-15836 (The wp-ultimate-recipe plugin before 3.12.7 for WordPress has stored X ...) NOT-FOR-US: wp-ultimate-recipe plugin for WordPress CVE-2019-15835 (The wp-better-permalinks plugin before 3.0.5 for WordPress has CSRF. ...) NOT-FOR-US: wp-better-permalinks plugin for WordPress CVE-2019-15834 (The webp-converter-for-media plugin before 1.0.3 for WordPress has CSR ...) NOT-FOR-US: webp-converter-for-media plugin for WordPress CVE-2019-15833 (The simple-mail-address-encoder plugin before 1.7 for WordPress has re ...) NOT-FOR-US: simple-mail-address-encoder plugin for WordPress CVE-2019-15832 (The visitors-traffic-real-time-statistics plugin before 1.13 for WordP ...) NOT-FOR-US: visitors-traffic-real-time-statistics plugin for WordPress CVE-2019-15831 (The visitors-traffic-real-time-statistics plugin before 1.12 for WordP ...) NOT-FOR-US: visitors-traffic-real-time-statistics plugin for WordPress CVE-2019-15830 (The icegram plugin before 1.10.29 for WordPress has ig_cat_list XSS. ...) NOT-FOR-US: icegram plugin for WordPress CVE-2019-15829 (The photoblocks-grid-gallery plugin before 1.1.33 for WordPress has wp ...) NOT-FOR-US: photoblocks-grid-gallery plugin for WordPress CVE-2019-15828 (The one-click-ssl plugin before 1.4.7 for WordPress has CSRF. ...) NOT-FOR-US: one-click-ssl plugin for WordPress CVE-2019-15827 (The onesignal-free-web-push-notifications plugin before 1.17.8 for Wor ...) NOT-FOR-US: onesignal-free-web-push-notifications plugin for WordPress CVE-2019-15826 (The wps-hide-login plugin before 1.5.3 for WordPress has a protection ...) NOT-FOR-US: wps-hide-login plugin for WordPress CVE-2019-15825 (The wps-hide-login plugin before 1.5.3 for WordPress has an action=rp& ...) NOT-FOR-US: wps-hide-login plugin for WordPress CVE-2019-15824 (The wps-hide-login plugin before 1.5.3 for WordPress has an adminhash ...) NOT-FOR-US: wps-hide-login plugin for WordPress CVE-2019-15823 (The wps-hide-login plugin before 1.5.3 for WordPress has an action=con ...) NOT-FOR-US: wps-hide-login plugin for WordPress CVE-2019-15822 (The wps-child-theme-generator plugin before 1.2 for WordPress has clas ...) NOT-FOR-US: wps-child-theme-generator plugin for WordPress CVE-2019-15821 (The bold-page-builder plugin before 2.3.2 for WordPress has no protect ...) NOT-FOR-US: bold-page-builder plugin for WordPress CVE-2019-15820 (The login-or-logout-menu-item plugin before 1.2.0 for WordPress has no ...) NOT-FOR-US: login-or-logout-menu-item plugin for WordPress CVE-2019-15819 (The nd-restaurant-reservations plugin before 1.5 for WordPress has no ...) NOT-FOR-US: nd-restaurant-reservations plugin for WordPress CVE-2019-15818 (The simple-301-redirects-addon-bulk-uploader plugin through 1.2.4 for ...) NOT-FOR-US: simple-301-redirects-addon-bulk-uploader plugin for WordPress CVE-2019-15817 (The easy-property-listings plugin before 3.4 for WordPress has XSS. ...) NOT-FOR-US: easy-property-listings plugin for WordPress CVE-2019-15816 (The wp-private-content-plus plugin before 2.0 for WordPress has no pro ...) NOT-FOR-US: wp-private-content-plus plugin for WordPress CVE-2019-15815 (ZyXEL P-1302-T10D v3 devices with firmware version 2.00(ABBX.3) and ea ...) NOT-FOR-US: ZyXEL CVE-2019-15814 (Multiple stored XSS vulnerabilities in Sentrifugo 3.2 could allow auth ...) NOT-FOR-US: Sentrifugo CVE-2019-15813 (Multiple file upload restriction bypass vulnerabilities in Sentrifugo ...) NOT-FOR-US: Sentrifugo CVE-2015-9380 (The photo-gallery plugin before 1.2.42 for WordPress has CSRF. ...) NOT-FOR-US: photo-gallery plugin for WordPress CVE-2019-15812 RESERVED CVE-2019-15811 (In DomainMOD through 4.13, the parameter daterange in the file reporti ...) NOT-FOR-US: DomainMOD CVE-2019-15810 (Insufficient sanitization during device search in Netdisco 2.042010 al ...) NOT-FOR-US: Netdisco CVE-2019-15809 (Smart cards from the Athena SCS manufacturer, based on the Atmel Toolb ...) NOT-FOR-US: Athena SCS CVE-2019-15808 RESERVED CVE-2019-15806 (CommScope ARRIS TR4400 devices with firmware through A1.00.004-180301 ...) NOT-FOR-US: CommScope ARRIS TR4400 devices CVE-2019-15805 (CommScope ARRIS TR4400 devices with firmware through A1.00.004-180301 ...) NOT-FOR-US: CommScope ARRIS TR4400 devices CVE-2019-15804 (An issue was discovered on Zyxel GS1900 devices with firmware before 2 ...) NOT-FOR-US: Zyxel CVE-2019-15803 (An issue was discovered on Zyxel GS1900 devices with firmware before 2 ...) NOT-FOR-US: Zyxel CVE-2019-15802 (An issue was discovered on Zyxel GS1900 devices with firmware before 2 ...) NOT-FOR-US: Zyxel CVE-2019-15801 (An issue was discovered on Zyxel GS1900 devices with firmware before 2 ...) NOT-FOR-US: Zyxel CVE-2019-15800 (An issue was discovered on Zyxel GS1900 devices with firmware before 2 ...) NOT-FOR-US: Zyxel CVE-2019-15799 (An issue was discovered on Zyxel GS1900 devices with firmware before 2 ...) NOT-FOR-US: Zyxel CVE-2019-15798 RESERVED CVE-2019-15797 RESERVED CVE-2019-15796 (Python-apt doesn't check if hashes are signed in `Version.fetch_binary ...) {DSA-4609-1 DLA-2074-1} - python-apt 1.8.5 NOTE: https://salsa.debian.org/apt-team/python-apt/commit/b4eef110b7ba4fb21cc0dd92585756f50e0100c9 (1.8.5) NOTE: https://salsa.debian.org/apt-team/python-apt/commit/e3321eb9792bf3b4cace4cee47dc6da00fbee929 (1.8.5) CVE-2019-15795 (python-apt only checks the MD5 sums of downloaded files in `Version.fe ...) {DSA-4609-1 DLA-2074-1} - python-apt 1.8.5 NOTE: https://salsa.debian.org/apt-team/python-apt/commit/e175130e51c2b0424f3dfeb825e3dc598fec1a24 (1.8.5) CVE-2019-15794 (Overlayfs in the Linux kernel and shiftfs, a non-upstream patch to the ...) - linux [stretch] - linux (overlayfs passes through mmap) [jessie] - linux (overlayfs not present) NOTE: https://bugs.launchpad.net/bugs/1850994 CVE-2019-15793 (In shiftfs, a non-upstream patch to the Linux kernel included in the U ...) - linux (Ubuntu-specific patch set, shiftfs not in Debian kernels) NOTE: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1850867 CVE-2019-15792 (In shiftfs, a non-upstream patch to the Linux kernel included in the U ...) - linux (Ubuntu-specific patch set, shiftfs not in Debian kernels) NOTE: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1850867 CVE-2019-15791 (In shiftfs, a non-upstream patch to the Linux kernel included in the U ...) - linux (Ubuntu-specific patch set, shiftfs not in Debian kernels) NOTE: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1850867 CVE-2019-15790 (Apport reads and writes information on a crashed process to /proc/pid ...) NOT-FOR-US: Apport CVE-2019-15789 (Privilege escalation vulnerability in MicroK8s allows a low privilege ...) NOT-FOR-US: MicroK8s CVE-2019-15807 (In the Linux kernel before 5.1.13, there is a memory leak in drivers/s ...) {DLA-1930-1 DLA-1919-1} - linux 5.2.6-1 [buster] - linux 4.19.67-1 [stretch] - linux 4.9.184-1 NOTE: https://git.kernel.org/linus/3b0541791453fbe7f42867e310e0c9eb6295364d CVE-2019-15788 (Clara Genomics Analysis before 0.2.0 has an integer overflow for cudap ...) NOT-FOR-US: Clara Genomics Analysis CVE-2019-15787 (libZetta.rs through 0.1.2 has an integer overflow in the zpool parser ...) NOT-FOR-US: libzetta-rs CVE-2019-15786 (ROBOTIS Dynamixel SDK through 3.7.11 has a buffer overflow via a large ...) NOT-FOR-US: ROBOTIS Dynamixel SDK CVE-2019-15785 (FontForge 20190813 through 20190820 has a buffer overflow in PrefsUI_L ...) - fontforge (Vulnerable code introduced later) NOTE: https://github.com/fontforge/fontforge/pull/3886 CVE-2019-15784 (Secure Reliable Transport (SRT) through 1.3.4 has a CSndUList array ov ...) - srt 1.4.0-1 (bug #939040) NOTE: https://github.com/Haivision/srt/pull/811 CVE-2019-15783 (Lute-Tab before 2019-08-23 has a buffer overflow in pdf_print.cc. ...) - lute-tab (bug #825785) CVE-2019-15782 (WebTorrent before 0.107.6 allows XSS in the HTTP server via a title or ...) NOT-FOR-US: WebTorrent CVE-2019-15781 (The facebook-by-weblizar plugin before 2.8.5 for WordPress has CSRF. ...) NOT-FOR-US: facebook-by-weblizar plugin for WordPress CVE-2019-15780 (The formidable plugin before 4.02.01 for WordPress has unsafe deserial ...) NOT-FOR-US: formidable plugin for WordPress CVE-2019-15779 (The insta-gallery plugin before 2.4.8 for WordPress has no nonce valid ...) NOT-FOR-US: insta-gallery plugin for WordPress CVE-2019-15778 (The woo-variation-gallery plugin before 1.1.29 for WordPress has XSS. ...) NOT-FOR-US: woo-variation-gallery plugin for WordPress CVE-2019-15777 (The shapepress-dsgvo plugin before 2.2.19 for WordPress has wp-admin/a ...) NOT-FOR-US: shapepress-dsgvo plugin for WordPress CVE-2019-15776 (The simple-301-redirects-addon-bulk-uploader plugin before 1.2.5 for W ...) NOT-FOR-US: simple-301-redirects-addon-bulk-uploader plugin for WordPress CVE-2019-15775 (The nd-learning plugin before 4.8 for WordPress has a nopriv_ AJAX act ...) NOT-FOR-US: nd-learning plugin for WordPress CVE-2019-15774 (The nd-booking plugin before 2.5 for WordPress has a nopriv_ AJAX acti ...) NOT-FOR-US: nd-booking plugin for WordPress CVE-2019-15773 (The nd-travel plugin before 1.7 for WordPress has a nopriv_ AJAX actio ...) NOT-FOR-US: nd-travel plugin for WordPress CVE-2019-15772 (The nd-donations plugin before 1.4 for WordPress has a nopriv_ AJAX ac ...) NOT-FOR-US: nd-donations plugin for WordPress CVE-2019-15771 (The nd-shortcodes plugin before 6.0 for WordPress has a nopriv_ AJAX a ...) NOT-FOR-US: nd-shortcodes plugin for WordPress CVE-2019-15770 (The woo-address-book plugin before 1.6.0 for WordPress has save calls ...) NOT-FOR-US: woo-address-book plugin for WordPress CVE-2019-15769 (The handl-utm-grabber plugin before 2.6.5 for WordPress has CSRF via a ...) NOT-FOR-US: handl-utm-grabber plugin for WordPress CVE-2019-15768 RESERVED CVE-2019-15767 (In GNU Chess 6.2.5, there is a stack-based buffer overflow in the cmd_ ...) - gnuchess (unimportant; bug #936023) NOTE: https://lists.gnu.org/archive/html/bug-gnu-chess/2019-08/msg00004.html NOTE: Neutralised by toolchain hardening, no security impact CVE-2019-15766 (The KSLABS KSWEB (aka ru.kslabs.ksweb) application 3.93 for Android al ...) NOT-FOR-US: KSLABS KSWEB CVE-2019-15765 RESERVED CVE-2019-15764 RESERVED CVE-2019-15763 RESERVED CVE-2019-15762 RESERVED CVE-2019-15761 RESERVED CVE-2019-15760 RESERVED CVE-2019-15759 (An issue was discovered in Binaryen 1.38.32. Two visitors in ir/Expres ...) - binaryen 89-1 (unimportant; bug #936024) NOTE: https://github.com/WebAssembly/binaryen/issues/2288 NOTE: Crash in CLI tool, no security impact CVE-2019-15758 (An issue was discovered in Binaryen 1.38.32. Missing validation rules ...) - binaryen 89-1 (unimportant; bug #936024) NOTE: https://github.com/WebAssembly/binaryen/issues/2288 NOTE: Crash in CLI tool, no security impact CVE-2019-15757 (libMirage 3.2.2 in CDemu has a NULL pointer dereference in the NRG par ...) NOT-FOR-US: libMirage CVE-2019-15756 RESERVED CVE-2019-15755 RESERVED CVE-2019-15754 RESERVED CVE-2019-15753 (In OpenStack os-vif 1.15.x before 1.15.2, and 1.16.0, a hard-coded MAC ...) - python-os-vif 1.15.2-1 (low; bug #939288) [buster] - python-os-vif (Vulnerable code introduced in 1.15.0) [stretch] - python-os-vif (Vulnerable code introduced in 1.15.0) NOTE: https://security.openstack.org/ossa/OSSA-2019-004.html NOTE: https://launchpad.net/bugs/1837252 CVE-2019-15752 (Docker Desktop Community Edition before 2.1.0.1 allows local users to ...) - docker.io (Issue specific to Docker for Windows) CVE-2018-21007 (The woo-confirmation-email plugin before 3.2.0 for WordPress has no bl ...) NOT-FOR-US: woo-confirmation-email plugin for WordPress CVE-2017-18594 (nse_libssh2.cc in Nmap 7.70 is subject to a denial of service conditio ...) - nmap 7.80+dfsg1-1 (unimportant) NOTE: https://github.com/nmap/nmap/commit/350bbe0597d37ad67abe5fef8fba984707b4e9ad NOTE: https://github.com/nmap/nmap/issues/1077 NOTE: https://github.com/nmap/nmap/issues/1227 NOTE: Crash in CLI tool, no security impact CVE-2019-15751 (An unrestricted file upload vulnerability in SITOS six Build v6.2.1 al ...) NOT-FOR-US: SITOS CVE-2019-15750 (A Cross-Site Scripting (XSS) vulnerability in the blog function in SIT ...) NOT-FOR-US: SITOS CVE-2019-15749 (SITOS six Build v6.2.1 allows a user to change their password and reco ...) NOT-FOR-US: SITOS CVE-2019-15748 (SITOS six Build v6.2.1 permits unauthorised users to upload and import ...) NOT-FOR-US: SITOS CVE-2019-15747 (SITOS six Build v6.2.1 allows a user with the user role of Seminar Coo ...) NOT-FOR-US: SITOS CVE-2019-15746 (SITOS six Build v6.2.1 allows an attacker to inject arbitrary PHP comm ...) NOT-FOR-US: SITOS CVE-2019-15745 (The Eques elf smart plug and the mobile app use a hardcoded AES 256 bi ...) NOT-FOR-US: Eques elf smart plug CVE-2019-15744 (The Sony Xperia Xperia XZs Android device with a build fingerprint of ...) NOT-FOR-US: Sony CVE-2019-15743 (The Sony Xperia Touch Android device with a build fingerprint of Sony/ ...) NOT-FOR-US: Sony CVE-2019-15742 (A local privilege-escalation vulnerability exists in the Poly Plantron ...) NOT-FOR-US: Poly Plantronics Hub CVE-2019-15741 (An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. An unsaf ...) NOT-FOR-US: GitLab Omnibus CVE-2019-15740 (An issue was discovered in GitLab Community and Enterprise Edition 7.9 ...) [experimental] - gitlab 12.0.8-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/ CVE-2019-15739 (An issue was discovered in GitLab Community and Enterprise Edition 8.1 ...) [experimental] - gitlab 12.0.8-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/ CVE-2019-15738 (An issue was discovered in GitLab Community and Enterprise Edition 12. ...) - gitlab (Only affects 12.0 and later) NOTE: https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/ CVE-2019-15737 (An issue was discovered in GitLab Community and Enterprise Edition thr ...) [experimental] - gitlab 12.0.8-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/ CVE-2019-15736 (An issue was discovered in GitLab Community and Enterprise Edition thr ...) [experimental] - gitlab 12.0.8-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/ CVE-2019-15735 RESERVED CVE-2019-15734 (An issue was discovered in GitLab Community and Enterprise Edition 8.6 ...) [experimental] - gitlab 12.0.8-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/ CVE-2019-15733 (An issue was discovered in GitLab Community and Enterprise Edition 7.1 ...) [experimental] - gitlab 12.0.8-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/ CVE-2019-15732 (An issue was discovered in GitLab Community and Enterprise Edition 12. ...) - gitlab (Only affects 12.2 and later) NOTE: https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/ CVE-2019-15731 (An issue was discovered in GitLab Community and Enterprise Edition 12. ...) - gitlab (Only affects 12.0 and later) NOTE: https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/ CVE-2019-15730 (An issue was discovered in GitLab Community and Enterprise Edition 8.1 ...) [experimental] - gitlab 12.0.8-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/ CVE-2019-15729 (An issue was discovered in GitLab Community and Enterprise Edition 8.1 ...) [experimental] - gitlab 12.0.8-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/ CVE-2019-15728 (An issue was discovered in GitLab Community and Enterprise Edition 10. ...) [experimental] - gitlab 12.0.8-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/ CVE-2019-15727 (An issue was discovered in GitLab Community and Enterprise Edition 11. ...) [experimental] - gitlab 12.0.8-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/ CVE-2019-15726 (An issue was discovered in GitLab Community and Enterprise Edition thr ...) [experimental] - gitlab 12.0.8-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/ CVE-2019-15725 (An issue was discovered in GitLab Community and Enterprise Edition 12. ...) - gitlab (only affects 12.0 and later) NOTE: https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/ CVE-2019-15724 (An issue was discovered in GitLab Community and Enterprise Edition 11. ...) - gitlab (Only affects 11.10 and later) NOTE: https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/ CVE-2019-15723 (An issue was discovered in GitLab Community and Enterprise Edition 11. ...) - gitlab (Only affects versions 11.9.4-11.10.0) NOTE: https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/ CVE-2019-15722 (An issue was discovered in GitLab Community and Enterprise Edition 8.1 ...) [experimental] - gitlab 12.0.8-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/ CVE-2019-15721 (An issue was discovered in GitLab Community and Enterprise Edition 10. ...) [experimental] - gitlab 12.0.8-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/ CVE-2019-15720 (CloudBerry Backup v6.1.2.34 allows local privilege escalation via a Pr ...) NOT-FOR-US: CloudBerry Backup CVE-2019-15719 (Altair PBS Professional through 19.1.2 allows Privilege Escalation bec ...) NOT-FOR-US: Altair PBS Professional CVE-2019-15718 (In systemd 240, bus_open_system_watch_bind_with_description in shared/ ...) - systemd 242-7 (bug #939353) [buster] - systemd 241-7~deb10u2 [stretch] - systemd (Vulnerable code introduced later) [jessie] - systemd (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2019/09/03/1 NOTE: https://github.com/systemd/systemd/pull/13457 NOTE: https://github.com/systemd/systemd/commit/35e528018f315798d3bffcb592b32a0d8f5162bd CVE-2019-15717 (Irssi 1.2.x before 1.2.2 has a use-after-free if the IRC server sends ...) - irssi 1.2.2-1 (bug #936074) [buster] - irssi (Minor issue) [stretch] - irssi (Vulnerable code not present) [jessie] - irssi (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2019/08/29/3 NOTE: https://irssi.org/security/irssi_sa_2019_08.txt NOTE: https://github.com/irssi/irssi/commit/5a4e7ab659aba2855895c9f43e9a7a131f4e89b3 CVE-2019-15716 (WTF before 0.19.0 does not set the permissions of config.yml, which mi ...) NOT-FOR-US: wtfutil CVE-2019-15715 (MantisBT before 1.3.20 and 2.22.1 allows Post Authentication Command I ...) - mantis CVE-2019-15714 (cli/lib/main.js in Entropic before 2019-06-13 does not reject / and \ ...) NOT-FOR-US: Entropic CVE-2019-15713 (The my-calendar plugin before 3.1.10 for WordPress has XSS. ...) NOT-FOR-US: my-calendar plugin for WordPress CVE-2017-18593 (The updraftplus plugin before 1.13.5 for WordPress has XSS in rare cas ...) NOT-FOR-US: updraftplus plugin for WordPress CVE-2015-9379 (iThemes Builder Style Manager before 0.7.7 for WordPress has XSS via a ...) NOT-FOR-US: Wordpress plugin CVE-2015-9378 (iThemes Builder Theme Market before 5.1.27 for WordPress has XSS via a ...) NOT-FOR-US: Wordpress plugin CVE-2015-9377 (iThemes Builder Theme Depot before 5.0.30 for WordPress has XSS via ad ...) NOT-FOR-US: Wordpress plugin CVE-2015-9376 (iThemes Mobile before 1.2.8 for WordPress has XSS via add_query_arg() ...) NOT-FOR-US: Wordpress plugin CVE-2015-9375 (Table Rate Shipping Add-on for iThemes Exchange before 1.1.0 for WordP ...) NOT-FOR-US: Wordpress plugin CVE-2015-9374 (Stripe Add-on for iThemes Exchange before 1.2.0 for WordPress has XSS ...) NOT-FOR-US: Wordpress plugin CVE-2015-9373 (PayPal Pro Add-on for iThemes Exchange before 1.1.0 for WordPress has ...) NOT-FOR-US: Wordpress plugin CVE-2015-9372 (Membership Add-on for iThemes Exchange before 1.3.0 for WordPress has ...) NOT-FOR-US: Wordpress plugin CVE-2015-9371 (Manual Purchases Add-on for iThemes Exchange before 1.1.0 for WordPres ...) NOT-FOR-US: Wordpress plugin CVE-2015-9370 (Invoices Add-on for iThemes Exchange before 1.4.0 for WordPress has XS ...) NOT-FOR-US: Wordpress plugin CVE-2015-9369 (Easy US Sales Taxes Add-on for iThemes Exchange before 1.1.0 for WordP ...) NOT-FOR-US: Wordpress plugin CVE-2015-9368 (Easy EU Value Added (VAT) Taxes Add-on for iThemes Exchange before 1.2 ...) NOT-FOR-US: Wordpress plugin CVE-2015-9367 (Easy Canadian Sales Taxes Add-on for iThemes Exchange before 1.1.0 for ...) NOT-FOR-US: Wordpress plugin CVE-2015-9366 (Custom URL Tracking Add-on for iThemes Exchange before 1.1.0 for WordP ...) NOT-FOR-US: Wordpress plugin CVE-2015-9365 (Authorize.net Add-on for iThemes Exchange before 1.1.0 for WordPress h ...) NOT-FOR-US: Wordpress plugin CVE-2015-9364 (2Checkout Add-on for iThemes Exchange before 1.1.0 for WordPress has X ...) NOT-FOR-US: Wordpress plugin CVE-2015-9363 (iThemes Exchange before 1.12.0 for WordPress has XSS via add_query_arg ...) NOT-FOR-US: Wordpress plugin CVE-2015-9362 (The Post Connector plugin before 1.0.4 for WordPress has XSS via add_q ...) NOT-FOR-US: Post Connector plugin for WordPress CVE-2015-9361 (The Related Posts plugin before 1.8.2 for WordPress has XSS via add_qu ...) NOT-FOR-US: Related Posts plugin for WordPress CVE-2015-9360 (The updraftplus plugin before 1.9.64 for WordPress has XSS via add_que ...) NOT-FOR-US: updraftplus plugin for WordPress CVE-2015-9359 (The Jetpack plugin before 3.4.3 for WordPress has XSS via add_query_ar ...) NOT-FOR-US: Jetpack plugin for WordPress CVE-2015-9358 (The feedwordpress plugin before 2015.0514 for WordPress has XSS via ad ...) NOT-FOR-US: feedwordpress plugin for WordPress CVE-2015-9357 (The akismet plugin before 3.1.5 for WordPress has XSS. ...) NOT-FOR-US: akismet plugin for WordPress CVE-2015-9356 (The wp-vipergb plugin before 1.3.16 for WordPress has XSS via add_quer ...) NOT-FOR-US: wp-vipergb plugin for WordPress CVE-2015-9355 (The two-factor-authentication plugin before 1.1.10 for WordPress has X ...) NOT-FOR-US: two-factor-authentication plugin for WordPress CVE-2015-9354 (The gigpress plugin before 2.3.11 for WordPress has XSS. ...) NOT-FOR-US: gigpress plugin for WordPress CVE-2015-9353 (The gigpress plugin before 2.3.11 for WordPress has SQL injection in t ...) NOT-FOR-US: gigpress plugin for WordPress CVE-2012-6719 (The sharebar plugin before 1.2.2 for WordPress has SQL injection. ...) NOT-FOR-US: sharebar plugin for WordPress CVE-2012-6718 (The sharebar plugin before 1.2.2 for WordPress has XSS, a different is ...) NOT-FOR-US: sharebar plugin for WordPress CVE-2012-6717 (The redirection plugin before 2.2.12 for WordPress has XSS, a differen ...) NOT-FOR-US: redirection plugin for WordPress CVE-2011-5329 (The redirection plugin before 2.2.9 for WordPress has XSS in the admin ...) NOT-FOR-US: redirection plugin for WordPress CVE-2019-15712 (An improper access control vulnerability in FortiMail admin webUI 6.2. ...) NOT-FOR-US: FortiMail admin webUI CVE-2019-15711 (A privilege escalation vulnerability in FortiClient for Linux 6.2.1 an ...) NOT-FOR-US: Fortiguard FortiClient CVE-2019-15710 (An OS command injection vulnerability in FortiExtender 4.1.0 to 4.1.1, ...) NOT-FOR-US: FortiExtender CVE-2019-15709 (An improper input validation in FortiAP-S/W2 6.2.0 to 6.2.2, 6.0.5 and ...) NOT-FOR-US: Fortiguard CVE-2019-15708 (A system command injection vulnerability in the FortiAP-S/W2 6.2.1, 6. ...) NOT-FOR-US: Fortiguard CVE-2019-15707 (An improper access control vulnerability in FortiMail admin webUI 6.2. ...) NOT-FOR-US: FortiMail admin webUI CVE-2019-15706 RESERVED CVE-2019-15705 (An Improper Input Validation vulnerability in the SSL VPN portal of Fo ...) NOT-FOR-US: Fortinet FortiOS CVE-2019-15704 (A clear text storage of sensitive information vulnerability in FortiCl ...) NOT-FOR-US: Fortinet CVE-2019-15703 (An Insufficient Entropy in PRNG vulnerability in Fortinet FortiOS 6.2. ...) NOT-FOR-US: Fortinet CVE-2019-15702 (In the TCP implementation (gnrc_tcp) in RIOT through 2019.07, the pars ...) NOT-FOR-US: RIOT RIOT-OS CVE-2019-15701 (components/Modals/HelpModal.jsx in BloodHound 2.2.0 allows remote atta ...) NOT-FOR-US: BloodHound CVE-2019-15700 (public/js/frappe/form/footer/timeline.js in Frappe Framework 12 throug ...) NOT-FOR-US: Frappe Framework CVE-2019-15699 (An issue was discovered in app-layer-ssl.c in Suricata 4.1.4. Upon rec ...) - suricata 1:4.1.5-1 (low) [buster] - suricata (Minor issue) [stretch] - suricata (Minor issue) [jessie] - suricata (Vulnerable code introduced later) NOTE: https://suricata-ids.org/2019/09/24/suricata-4-1-5-released/ CVE-2019-15698 (In Octopus Deploy 2019.7.3 through 2019.7.9, in certain circumstances, ...) NOT-FOR-US: Octopus Deploy CVE-2019-15697 RESERVED CVE-2019-15696 RESERVED CVE-2019-15695 (TigerVNC version prior to 1.10.1 is vulnerable to stack buffer overflo ...) - tigervnc 1.10.1+dfsg-1 (bug #947428) [buster] - tigervnc 1.9.0+dfsg-3+deb10u1 [stretch] - tigervnc 1.7.0+dfsg-7+deb9u1 NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2 NOTE: https://github.com/TigerVNC/tigervnc/commit/05e28490873a861379c943bf616614b78b558b89 (master) NOTE: https://github.com/TigerVNC/tigervnc/commit/6c47340e095258a959c95db9aa2a6c715d62bf7c (v1.10.1) CVE-2019-15694 (TigerVNC version prior to 1.10.1 is vulnerable to heap buffer overflow ...) - tigervnc 1.10.1+dfsg-1 (bug #947428) [buster] - tigervnc 1.9.0+dfsg-3+deb10u1 [stretch] - tigervnc 1.7.0+dfsg-7+deb9u1 NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2 NOTE: https://github.com/TigerVNC/tigervnc/commit/0943c006c7d900dfc0281639e992791d6c567438 (master) NOTE: https://github.com/TigerVNC/tigervnc/commit/f287032d3643a6437f7de0ed35f4c45bb735522d (v1.10.1) CVE-2019-15693 (TigerVNC version prior to 1.10.1 is vulnerable to heap buffer overflow ...) - tigervnc 1.10.1+dfsg-1 (bug #947428) [buster] - tigervnc 1.9.0+dfsg-3+deb10u1 [stretch] - tigervnc 1.7.0+dfsg-7+deb9u1 NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2 NOTE: https://github.com/TigerVNC/tigervnc/commit/b4ada8d0c6dac98c8b91fc64d112569a8ae5fb95 (master) NOTE: https://github.com/TigerVNC/tigervnc/commit/46c081926efd83c90a45c0a96b1b5bc1927e1346 (v1.10.1) CVE-2019-15692 (TigerVNC version prior to 1.10.1 is vulnerable to heap buffer overflow ...) - tigervnc 1.10.1+dfsg-1 (bug #947428) [buster] - tigervnc 1.9.0+dfsg-3+deb10u1 [stretch] - tigervnc 1.7.0+dfsg-7+deb9u1 NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2 NOTE: https://github.com/TigerVNC/tigervnc/commit/996356b6c65ca165ee1ea46a571c32a1dc3c3821 (master) NOTE: https://github.com/TigerVNC/tigervnc/commit/ff08ca78b24b5a4ed5263245c7ce8744059ff4ad (v1.10.1) CVE-2019-15691 (TigerVNC version prior to 1.10.1 is vulnerable to stack use-after-retu ...) - tigervnc 1.10.1+dfsg-1 (bug #947428) [buster] - tigervnc 1.9.0+dfsg-3+deb10u1 [stretch] - tigervnc 1.7.0+dfsg-7+deb9u1 NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2 NOTE: https://github.com/TigerVNC/tigervnc/commit/d61a767d6842b530ffb532ddd5a3d233119aad40 (master) NOTE: https://github.com/TigerVNC/tigervnc/commit/042de4642293df9b72a08189c249e2da79cbca91 (v1.10.1) CVE-2019-15690 RESERVED {DLA-2146-1} - libvncserver 0.9.12+dfsg-9 (bug #954163) [buster] - libvncserver 0.9.11+dfsg-1.3+deb10u3 [stretch] - libvncserver (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2 NOTE: https://github.com/LibVNC/libvncserver/issues/381 NOTE: https://github.com/LibVNC/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed CVE-2019-15689 (Kaspersky Secure Connection, Kaspersky Internet Security, Kaspersky To ...) NOT-FOR-US: Kaspersky CVE-2019-15688 (Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Sec ...) NOT-FOR-US: Kaspersky CVE-2019-15687 (Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Sec ...) NOT-FOR-US: Kaspersky CVE-2019-15686 (Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Sec ...) NOT-FOR-US: Kaspersky CVE-2019-15685 (Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Sec ...) NOT-FOR-US: Kaspersky CVE-2019-15684 (Kaspersky Protection extension for web browser Google Chrome prior to ...) NOT-FOR-US: Kaspersky Protection extension for web browser Google Chrome CVE-2019-15683 (TurboVNC server code contains stack buffer overflow vulnerability in c ...) NOT-FOR-US: TurboVNC CVE-2019-15682 (RDesktop version 1.8.4 contains multiple out-of-bound access read vuln ...) {DSA-4473-1 DLA-1837-1} - rdesktop 1.8.6-1 NOTE: https://ics-cert.kaspersky.com/advisories/klcert-advisories/2019/10/30/klcert-19-032-denial-of-service-in-rdesktop-before-1-8-4/ CVE-2019-15681 (LibVNC commit before d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a contains ...) {DLA-2045-1 DLA-2014-1 DLA-1979-1 DLA-1977-1} [experimental] - libvncserver 0.9.12+dfsg-1 - libvncserver 0.9.12+dfsg-3 (low; bug #943793) [buster] - libvncserver 0.9.11+dfsg-1.3+deb10u1 [stretch] - libvncserver 0.9.11+dfsg-1.3~deb9u2 - italc [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1 - tightvnc 1:1.3.9-9.1 [buster] - tightvnc 1:1.3.9-9deb10u1 [stretch] - tightvnc 1:1.3.9-9+deb9u1 - vino 3.22.0-6 (bug #945784) [buster] - vino (Minor issue) [stretch] - vino (Minor issue) NOTE: https://github.com/LibVNC/libvncserver/commit/d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a CVE-2019-15680 (TightVNC code version 1.3.10 contains null pointer dereference in Hand ...) {DLA-2045-1} - tightvnc 1:1.3.9-9.1 (unimportant; bug #945364) [buster] - tightvnc 1:1.3.9-9deb10u1 [stretch] - tightvnc 1:1.3.9-9+deb9u1 - italc (unimportant) - libvncserver (unimportant) NOTE: https://www.openwall.com/lists/oss-security/2018/12/10/5 NOTE: https://github.com/sunweaver/libvncserver/commit/85d00057b5daf71675462c9b175d8cb2d47cd0e1 NOTE: Non-issue in libvncserver's case: https://github.com/LibVNC/libvncserver/issues/359#issuecomment-599202068 CVE-2019-15679 (TightVNC code version 1.3.10 contains heap buffer overflow in Initiali ...) {DLA-2045-1} - tightvnc 1:1.3.9-9.1 (bug #945364) [buster] - tightvnc 1:1.3.9-9deb10u1 [stretch] - tightvnc 1:1.3.9-9+deb9u1 NOTE: https://www.openwall.com/lists/oss-security/2018/12/10/5 NOTE: https://github.com/LibVNC/libvncserver/commit/c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7 NOTE: part of CVE-2018-20748/libvncserver CVE-2019-15678 (TightVNC code version 1.3.10 contains heap buffer overflow in rfbServe ...) {DLA-2045-1} - tightvnc 1:1.3.9-9.1 (bug #945364) [buster] - tightvnc 1:1.3.9-9deb10u1 [stretch] - tightvnc 1:1.3.9-9+deb9u1 NOTE: https://www.openwall.com/lists/oss-security/2018/12/10/5 NOTE: https://github.com/LibVNC/libvncserver/commit/c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a NOTE: part of CVE-2018-20748/libvnvserver CVE-2019-15677 RESERVED CVE-2019-15676 RESERVED CVE-2019-15675 RESERVED CVE-2019-15674 RESERVED CVE-2019-15673 RESERVED CVE-2019-15672 RESERVED CVE-2019-15671 RESERVED CVE-2019-15670 RESERVED CVE-2019-15669 RESERVED CVE-2019-15668 RESERVED CVE-2019-15667 RESERVED CVE-2019-15666 (An issue was discovered in the Linux kernel before 5.0.19. There is an ...) {DLA-1919-1} - linux 5.2.6-1 [buster] - linux 4.19.67-1 [stretch] - linux 4.9.184-1 [jessie] - linux 3.16.72-1 NOTE: https://git.kernel.org/linus/b805d78d300bcf2c83d6df7da0c818b0fee41427 CVE-2019-15665 (An issue was discovered in Rivet Killer Control Center before 2.1.1352 ...) NOT-FOR-US: Rivet Killer Control Center CVE-2019-15664 (An issue was discovered in Rivet Killer Control Center before 2.1.1352 ...) NOT-FOR-US: Rivet Killer Control Center CVE-2019-15663 (An issue was discovered in Rivet Killer Control Center before 2.1.1352 ...) NOT-FOR-US: Rivet Killer Control Center CVE-2019-15662 (An issue was discovered in Rivet Killer Control Center before 2.1.1352 ...) NOT-FOR-US: Rivet Killer Control Center CVE-2019-15661 (An issue was discovered in Rivet Killer Control Center before 2.1.1352 ...) NOT-FOR-US: Rivet Killer Control Center CVE-2019-15660 (The wp-members plugin before 3.2.8 for WordPress has CSRF. ...) NOT-FOR-US: wp-members plugin for WordPress CVE-2019-15659 (The pie-register plugin before 3.1.2 for WordPress has SQL injection, ...) NOT-FOR-US: pie-register plugin for WordPress CVE-2019-15658 (connect-pg-simple before 6.0.1 allows SQL injection if tableName or sc ...) NOT-FOR-US: connect-pg-simple CVE-2019-15657 (In eslint-utils before 1.4.1, the getStaticValue function can execute ...) NOT-FOR-US: eslint-utils CVE-2019-15656 (D-Link DSL-2875AL and DSL-2877AL devices through 1.00.05 are prone to ...) NOT-FOR-US: D-Link CVE-2019-15655 (D-Link DSL-2875AL devices through 1.00.05 are prone to password disclo ...) NOT-FOR-US: D-Link CVE-2019-15654 (Comba AC2400 devices are prone to password disclosure via a simple cra ...) NOT-FOR-US: Comba CVE-2019-15653 (Comba AP2600-I devices through A02,0202N00PD2 are prone to password di ...) NOT-FOR-US: Comba CVE-2019-15652 (The web interface for NSSLGlobal SatLink VSAT Modem Unit (VMU) devices ...) NOT-FOR-US: NSSLGlobal SatLink VSAT Modem Unit (VMU) devices CVE-2019-15651 (wolfSSL 4.1.0 has a one-byte heap-based buffer over-read in DecodeCert ...) - wolfssl 4.1.0+dfsg-2 NOTE: https://github.com/wolfSSL/wolfssl/issues/2421 CVE-2019-15650 (The stops-core-theme-and-plugin-updates plugin before 8.0.5 for WordPr ...) NOT-FOR-US: stops-core-theme-and-plugin-updates plugin for WordPress CVE-2019-15649 (The insert-or-embed-articulate-content-into-wordpress plugin before 4. ...) NOT-FOR-US: insert-or-embed-articulate-content-into-wordpress plugin for WordPress CVE-2019-15648 (The insert-or-embed-articulate-content-into-wordpress plugin before 4. ...) NOT-FOR-US: insert-or-embed-articulate-content-into-wordpress plugin for WordPress CVE-2019-15647 (The groundhogg plugin before 1.3.5 for WordPress has wp-admin/admin-aj ...) NOT-FOR-US: groundhogg plugin for WordPress CVE-2019-15646 (The rsvpmaker plugin before 6.2 for WordPress has SQL injection. ...) NOT-FOR-US: rsvpmaker plugin for WordPress CVE-2019-15645 (The zoho-salesiq plugin before 1.0.9 for WordPress has CSRF. ...) NOT-FOR-US: zoho-salesiq plugin for WordPress CVE-2019-15644 (The zoho-salesiq plugin before 1.0.9 for WordPress has stored XSS. ...) NOT-FOR-US: zoho-salesiq plugin for WordPress CVE-2019-15643 (The ultimate-faqs plugin before 1.8.22 for WordPress has XSS. ...) NOT-FOR-US: ultimate-faqs plugin for WordPress CVE-2018-21006 (The bbp-move-topics plugin before 1.1.6 for WordPress has CSRF. ...) NOT-FOR-US: bbp-move-topics plugin for WordPress CVE-2018-21005 (The bbp-move-topics plugin before 1.1.6 for WordPress has code injecti ...) NOT-FOR-US: bbp-move-topics plugin for WordPress CVE-2018-21004 (The rsvpmaker plugin before 5.6.4 for WordPress has SQL injection. ...) NOT-FOR-US: rsvpmaker plugin for WordPress CVE-2018-21003 (The buddyforms plugin before 2.2.8 for WordPress has SQL injection. ...) NOT-FOR-US: buddyforms plugin for WordPress CVE-2018-21002 (The js-support-ticket plugin before 2.0.6 for WordPress has CSRF. ...) NOT-FOR-US: js-support-ticket plugin for WordPress CVE-2018-21001 (The anycomment plugin before 0.0.33 for WordPress has XSS. ...) NOT-FOR-US: anycomment plugin for WordPress CVE-2017-18592 (The woocommerce-catalog-enquiry plugin before 3.1.0 for WordPress has ...) NOT-FOR-US: woocommerce-catalog-enquiry plugin for WordPress CVE-2017-18591 (The gd-rating-system plugin before 2.1 for WordPress has XSS in log.ph ...) NOT-FOR-US: gd-rating-system plugin for WordPress CVE-2017-18590 (The timesheet plugin before 0.1.5 for WordPress has multiple XSS issue ...) NOT-FOR-US: timesheet plugin for WordPress CVE-2016-10936 (The wp-polls plugin before 2.73.1 for WordPress has XSS via the Poll b ...) NOT-FOR-US: wp-polls plugin for WordPress CVE-2016-10935 (The woocommerce-exporter plugin before 1.8.4 for WordPress has privile ...) NOT-FOR-US: woocommerce-exporter plugin for WordPress CVE-2016-10934 (The check-email plugin before 0.5.2 for WordPress has XSS. ...) NOT-FOR-US: check-email plugin for WordPress CVE-2015-9352 (The wp-polls plugin before 2.72 for WordPress has SQL injection. ...) NOT-FOR-US: wp-polls plugin for WordPress CVE-2015-9351 (The feed-them-social plugin before 1.7.0 for WordPress has possible sh ...) NOT-FOR-US: feed-them-social plugin for WordPress CVE-2015-9350 (The feed-them-social plugin before 1.7.0 for WordPress has reflected X ...) NOT-FOR-US: feed-them-social plugin for WordPress CVE-2015-9349 (The ckeditor-for-wordpress plugin before 4.5.3.1 for WordPress has ref ...) NOT-FOR-US: ckeditor-for-wordpress plugin for WordPress CVE-2015-9348 (The sell-downloads plugin before 1.0.8 for WordPress has insufficient ...) NOT-FOR-US: sell-downloads plugin for WordPress CVE-2015-9347 (The wp-plotly plugin before 1.0.3 for WordPress has XSS by authors. ...) NOT-FOR-US: wp-plotly plugin for WordPress CVE-2015-9346 (The cp-polls plugin before 1.0.5 for WordPress has XSS. ...) NOT-FOR-US: cp-polls plugin for WordPress CVE-2015-9345 (The link-log plugin before 2.0 for WordPress has HTTP Response Splitti ...) NOT-FOR-US: link-log plugin for WordPress CVE-2015-9344 (The link-log plugin before 2.1 for WordPress has SQL injection. ...) NOT-FOR-US: link-log plugin for WordPress CVE-2015-9343 (The wp-rollback plugin before 1.2.3 for WordPress has CSRF. ...) NOT-FOR-US: wp-rollback plugin for WordPress CVE-2015-9342 (The wp-rollback plugin before 1.2.3 for WordPress has XSS. ...) NOT-FOR-US: wp-rollback plugin for WordPress CVE-2014-10395 (The cp-polls plugin before 1.0.1 for WordPress has XSS in the votes li ...) NOT-FOR-US: cp-polls plugin for WordPress CVE-2019-15642 (rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execu ...) - webmin CVE-2019-15641 (xmlrpc.cgi in Webmin through 1.930 allows authenticated XXE attacks. B ...) - webmin CVE-2019-15640 (Limesurvey before 3.17.10 does not validate both the MIME type and fil ...) - limesurvey (bug #472802) CVE-2019-15639 (main/translate.c in Sangoma Asterisk 13.28.0 and 16.5.0 allows a remot ...) - asterisk (Vulnerable code introduced later) NOTE: https://downloads.asterisk.org/pub/security/AST-2019-005.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-28499 NOTE: Issue was introduced specifically only in versions 13.28.0 and 16.5.0 upstream NOTE: and got fixed in 13.28.1 respectively 16.5.1. CVE-2019-15638 (COPA-DATA zenone32 zenon Editor through 8.10 has an Uncontrolled Searc ...) NOT-FOR-US: COPA-DATA zenone32 zenon Editor CVE-2019-15637 (Numerous Tableau products are vulnerable to XXE via a malicious workbo ...) NOT-FOR-US: Tableau CVE-2019-15636 RESERVED CVE-2019-15635 (An issue was discovered in Grafana 5.4.0. Passwords for data sources u ...) - grafana CVE-2019-15634 RESERVED CVE-2019-15633 RESERVED CVE-2019-15632 RESERVED CVE-2019-15631 (Remote Code Execution vulnerability in MuleSoft Mule CE/EE 3.x and API ...) NOT-FOR-US: MuleSoft CVE-2019-15630 (Directory Traversal in APIkit, HTTP connector, and OAuth2 Provider com ...) NOT-FOR-US: MuleSoft CVE-2019-15629 (Trend Micro Password Manager versions 3.x, 5.0, and 5.1 for Android is ...) NOT-FOR-US: Trend Micro CVE-2019-15628 (Trend Micro Security (Consumer) 2020 (v16.0.1221 and below) is affecte ...) NOT-FOR-US: Trend Micro CVE-2019-15627 (Versions 10.0, 11.0 and 12.0 of the Trend Micro Deep Security Agent ar ...) NOT-FOR-US: Trend Micro CVE-2019-15626 (The Deep Security Manager application (Versions 10.0, 11.0 and 12.0), ...) NOT-FOR-US: Deep Security Manager application (Trend Micro) CVE-2019-15625 (A memory usage vulnerability exists in Trend Micro Password Manager 3. ...) NOT-FOR-US: Trend Micro CVE-2019-15624 (Improper Input Validation in Nextcloud Server 15.0.7 allows group admi ...) - nextcloud-server (bug #941708) CVE-2019-15623 (Exposure of Private Information in Nextcloud Server 16.0.1 causes the ...) - nextcloud-server (bug #941708) CVE-2019-15622 (Not strictly enough sanitization in the Nextcloud Android app 3.6.0 al ...) NOT-FOR-US: Nextcloud Android App CVE-2019-15621 (Improper permissions preservation in Nextcloud Server 16.0.1 causes sh ...) - nextcloud-server (bug #941708) CVE-2019-15620 (Improper access control in Nextcloud Talk 6.0.3 leaks the existance an ...) NOT-FOR-US: Nextcloud Talk CVE-2019-15619 (Improper neutralization of file names, conversation names and board na ...) - nextcloud-server (bug #941708) CVE-2019-15618 (Missing escaping of HTML in the Updater of Nextcloud 15.0.5 allowed a ...) - nextcloud-server (bug #941708) CVE-2019-15617 (A missing check in Nextcloud Server 17.0.0 allowed an attacker to set ...) - nextcloud-server (bug #941708) CVE-2019-15616 (Dangling remote share attempts in Nextcloud 16 allow a DNS pollution w ...) - nextcloud-server (bug #941708) CVE-2019-15615 (A wrong check for the system time in the Android App 3.9.0 causes a by ...) NOT-FOR-US: Nextcloud Android app CVE-2019-15614 (Missing sanitization in the iOS App 2.24.4 causes an XSS when opening ...) NOT-FOR-US: Nextcloud iOS App CVE-2019-15613 (A bug in Nextcloud Server 17.0.1 causes the workflow rules to depend t ...) - nextcloud-server (bug #941708) CVE-2019-15612 (A bug in Nextcloud Server 15.0.2 causes pending 2FA logins to not be c ...) - nextcloud-server (bug #941708) CVE-2019-15611 (Violation of Secure Design Principles in the iOS App 2.23.0 causes the ...) NOT-FOR-US: Nextcloud iOS App CVE-2019-15610 (Improper authorization in the Circles app 0.17.7 causes retaining acce ...) NOT-FOR-US: Circles app CVE-2019-15609 (The kill-port-process package version < 2.2.0 is vulnerable to a Co ...) NOT-FOR-US: Node kill-port-process CVE-2019-15608 (The package integrity validation in yarn < 1.19.0 contains a TOCTOU ...) - node-yarnpkg 1.19.1-1 NOTE: https://hackerone.com/reports/703138 CVE-2019-15607 (A stored XSS vulnerability is present within node-red (version: <= ...) NOT-FOR-US: node-red CVE-2019-15606 (Including trailing white space in HTTP header values in Nodejs 10, 12, ...) {DSA-4669-1} - nodejs 10.19.0~dfsg-1 [stretch] - nodejs (Nodejs in stretch not covered by security support) [jessie] - nodejs (Nodejs in jessie not covered by security support) NOTE: https://hackerone.com/reports/730779 NOTE: https://github.com/nodejs/node/commit/2eee90e959ca4abaf53caf238d063c396f2ea17c (v10.19.0) CVE-2019-15605 (HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payl ...) {DSA-4669-1} - nodejs 10.19.0~dfsg-1 [stretch] - nodejs (Nodejs in stretch not covered by security support) [jessie] - nodejs (Nodejs in jessie not covered by security support) [experimental] - http-parser 2.9.3-1 - http-parser [jessie] - http-parser (Invasive patch, requires prior content-length support and public struct changes that break ABI) NOTE: https://hackerone.com/reports/735748 NOTE: https://github.com/nodejs/http-parser/commit/7d5c99d09f6743b055d53fc3f642746d9801479b (http-parser) NOTE: nodejs/10.19.0~dfsg-1 contains both the source fix but switches as well NOTE: back to use shared libhttp-parser again. CVE-2019-15604 (Improper Certificate Validation in Node.js 10, 12, and 13 causes the p ...) {DSA-4669-1} - nodejs 10.19.0~dfsg-1 [stretch] - nodejs (Nodejs in stretch not covered by security support) [jessie] - nodejs (Nodejs in jessie not covered by security support) NOTE: https://hackerone.com/reports/746733 NOTE: https://github.com/nodejs/node/commit/f940bee3b7da865e28093472dee9ce664f273f6d (v10.19.0) CVE-2019-15603 (The seefl package v0.1.1 is vulnerable to a stored Cross-Site Scriptin ...) NOT-FOR-US: seefl CVE-2019-15602 (The fileview package v0.1.6 has inadequate output encoding and escapin ...) NOT-FOR-US: fileview CVE-2019-15601 REJECTED CVE-2019-15600 (A Path traversal exists in http_server which allows an attacker to rea ...) NOT-FOR-US: Node module http_server CVE-2019-15599 (A Code Injection exists in tree-kill on Windows which allows a remote ...) NOT-FOR-US: Node module tree-kill CVE-2019-15598 (A Code Injection exists in treekill on Windows which allows a remote c ...) NOT-FOR-US: Node module treekill CVE-2019-15597 (A code injection exists in node-df v0.1.4 that can allow an attacker t ...) NOT-FOR-US: Node module node-df CVE-2019-15596 (A path traversal in statics-server exists in all version that allows a ...) NOT-FOR-US: Node module statics-server CVE-2019-15595 (A privilege escalation exists in UniFi Video Controller =<3.10.6 th ...) NOT-FOR-US: UniFi Video Controller CVE-2019-15594 (GitLab 11.8 and later contains a security vulnerability that allows a ...) - gitlab (Only affects Gitlab EE) NOTE: https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/ CVE-2019-15593 (GitLab 12.2.3 contains a security vulnerability that allows a user to ...) [experimental] - gitlab 12.0.8-1 - gitlab 12.6.8-3 NOTE: https://hackerone.com/reports/557154 NOTE: https://gitlab.com/gitlab-org/gitlab/commit/5af535d919c50951513f5859730afd924a01c29b CVE-2019-15592 (GitLab 12.2.2 and below contains a security vulnerability that allows ...) [experimental] - gitlab 12.0.8-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/releases/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/ CVE-2019-15591 (An improper access control vulnerability exists in GitLab <12.3.3 t ...) - gitlab 12.6.8-3 NOTE: https://hackerone.com/reports/676976 CVE-2019-15590 (An access control issue exists in < 12.3.5, < 12.2.8, and < 1 ...) - gitlab (Only affects GitLab EE 11.5 and later) NOTE: https://hackerone.com/reports/701144 NOTE: https://about.gitlab.com/releases/2019/10/07/security-release-gitlab-12-dot-3-dot-5-released/ CVE-2019-15589 (An improper access control vulnerability exists in Gitlab <v12.3.2, ...) - gitlab 12.6.8-3 NOTE: https://hackerone.com/reports/497047 NOTE: https://about.gitlab.com/releases/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/ CVE-2019-15588 (There is an OS Command Injection in Nexus Repository Manager <= 2.1 ...) NOT-FOR-US: Nexus Repository Manager CVE-2019-15587 (In the Loofah gem for Ruby through v2.3.0 unsanitized JavaScript may o ...) {DSA-4554-1} - ruby-loofah 2.3.1+dfsg-1 (bug #942894) NOTE: https://github.com/flavorjones/loofah/issues/171 CVE-2019-15586 (A XSS exists in Gitlab CE/EE < 12.1.10 in the Mermaid plugin. ...) - gitlab (Only affects Gitlab 12.1) NOTE: https://about.gitlab.com/releases/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/ CVE-2019-15585 (Improper authentication exists in < 12.3.2, < 12.2.6, and < 1 ...) - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/releases/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/ CVE-2019-15584 (A denial of service exists in gitlab <v12.3.2, <v12.2.6, and < ...) - gitlab 12.6.8-3 NOTE: https://hackerone.com/reports/670572 NOTE: https://about.gitlab.com/releases/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/ CVE-2019-15583 (An information disclosure exists in < 12.3.2, < 12.2.6, and < ...) - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/releases/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/ CVE-2019-15582 (An IDOR was discovered in < 12.3.2, < 12.2.6, and < 12.1.12 f ...) - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/releases/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/ CVE-2019-15581 (An IDOR exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLa ...) - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/releases/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/ CVE-2019-15580 (An information exposure vulnerability exists in gitlab.com <v12.3.2 ...) - gitlab (Only affects EE) NOTE: https://about.gitlab.com/releases/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/ CVE-2019-15579 (An information disclosure exists in < 12.3.2, < 12.2.6, and < ...) - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/releases/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/ CVE-2019-15578 (An information disclosure exists in < 12.3.2, < 12.2.6, and < ...) - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/releases/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/ CVE-2019-15577 (An information disclosure vulnerability exists in GitLab CE/EE <v12 ...) - gitlab 12.6.8-3 NOTE: https://hackerone.com/reports/636560 NOTE: https://about.gitlab.com/releases/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/ CVE-2019-15576 (An information disclosure vulnerability exists in GitLab CE/EE <v12 ...) - gitlab 12.6.8-3 NOTE: https://hackerone.com/reports/633001 NOTE: https://about.gitlab.com/releases/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/ CVE-2019-15575 (A command injection exists in GitLab CE/EE <v12.3.2, <v12.2.6, a ...) - gitlab 12.6.8-3 NOTE: https://hackerone.com/reports/682442 NOTE: https://about.gitlab.com/releases/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/ CVE-2019-15574 (Gesior-AAC before 2019-05-01 allows serviceID SQL injection in account ...) NOT-FOR-US: Gesior-AAC CVE-2019-15573 (Gesior-AAC before 2019-05-01 allows SQL injection in tankyou.php. ...) NOT-FOR-US: Gesior-AAC CVE-2019-15572 (Gesior-AAC before 2019-05-01 allows ServiceCategoryID SQL injection in ...) NOT-FOR-US: Gesior-AAC CVE-2019-15571 (The WEB control panel before 2019-04-30 for ClonOS allows SQL injectio ...) NOT-FOR-US: WEB control panel for ClonOS CVE-2019-15570 (BEdita through 4.0.0-RC2 allows SQL injection during a save operation ...) NOT-FOR-US: BEdita CVE-2019-15569 (HM Courts & Tribunals ccd-data-store-api before 2019-06-10 allows ...) NOT-FOR-US: HM Courts CVE-2019-15568 (idseq-web before 2019-07-01 in Infectious Disease Sequencing Platform ...) NOT-FOR-US: idseq-web CVE-2019-15567 (OpenForis Arena before 2019-05-07 allows SQL injection in the sorting ...) NOT-FOR-US: OpenForis Arena CVE-2019-15566 (The Alfresco application before 1.8.7 for Android allows SQL injection ...) NOT-FOR-US: Alfresco application for Android CVE-2019-15565 (The ICOMMKT connector before 1.0.7 for PrestaShop allows SQL injection ...) NOT-FOR-US: PrestaShop CVE-2019-15564 (The Compassion Switzerland addons 10.01.4 for Odoo allow SQL injection ...) NOT-FOR-US: Compassion Switzerland addons for Odoo CVE-2019-15563 (Observational Health Data Sciences and Informatics (OHDSI) WebAPI befo ...) NOT-FOR-US: Observational Health Data Sciences and Informatics CVE-2019-15562 (GORM before 1.9.10 allows SQL injection via incomplete parentheses. ...) NOT-FOR-US: GORM CVE-2019-15561 (FlashLingo before 2019-06-12 allows SQL injection, related to flashlin ...) NOT-FOR-US: FlashLingo CVE-2019-15560 (The Reviews Module before 2019-06-14 for OpenSource Table allows SQL i ...) NOT-FOR-US: OpenSource Table addon CVE-2019-15559 (DianoxDragon Hawn before 2019-07-10 allows SQL injection. ...) NOT-FOR-US: DianoxDragon Hawn CVE-2019-15558 (XM^online 2 Common Utils and Endpoints 0.2.1 allows SQL injection, rel ...) NOT-FOR-US: XM^online 2 CVE-2019-15557 (XM^online 2 User Account and Authentication server 1.0.0 allows SQL in ...) NOT-FOR-US: XM^online 2 CVE-2019-15556 (Pvanloon1983 social_network before 2019-07-03 allows SQL injection in ...) NOT-FOR-US: Pvanloon1983 CVE-2019-15555 (FredReinink Wellness-app before 2019-06-19 allows SQL injection, relat ...) NOT-FOR-US: FredReinink Wellness-app CVE-2019-15554 (An issue was discovered in the smallvec crate before 0.6.10 for Rust. ...) - rust-smallvec 0.6.10-1 [buster] - rust-smallvec (Minor issue) NOTE: https://github.com/servo/rust-smallvec/issues/149 NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0012.html CVE-2019-15553 (An issue was discovered in the memoffset crate before 0.5.0 for Rust. ...) - rust-memoffset 0.5.1-1 (bug #936025) [buster] - rust-memoffset (Minor issue) NOTE: https://github.com/Gilnaa/memoffset/issues/9#issuecomment-505461490 NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0011.html CVE-2019-15552 (An issue was discovered in the libflate crate before 0.1.25 for Rust. ...) - rust-libflate 0.1.25-1 [buster] - rust-libflate (Minor issue) NOTE: https://github.com/sile/libflate/issues/35 NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0010.html CVE-2019-15551 (An issue was discovered in the smallvec crate before 0.6.10 for Rust. ...) - rust-smallvec 0.6.10-1 [buster] - rust-smallvec (Minor issue) NOTE: https://github.com/servo/rust-smallvec/issues/148 NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0009.html CVE-2019-15550 (An issue was discovered in the simd-json crate before 0.1.15 for Rust. ...) NOT-FOR-US: Rust crate simd-json CVE-2019-15549 (An issue was discovered in the asn1_der crate before 0.6.2 for Rust. A ...) NOT-FOR-US: Rust crate asn1_der CVE-2019-15548 (An issue was discovered in the ncurses crate through 5.99.0 for Rust. ...) NOT-FOR-US: Rust crate ncurses CVE-2019-15547 (An issue was discovered in the ncurses crate through 5.99.0 for Rust. ...) NOT-FOR-US: Rust crate ncurses CVE-2019-15546 (An issue was discovered in the pancurses crate through 0.16.1 for Rust ...) NOT-FOR-US: Rust crate pancurses CVE-2019-15545 (An issue was discovered in the libp2p-core crate before 0.8.1 for Rust ...) NOT-FOR-US: Rust crate libp2p-core CVE-2019-15544 (An issue was discovered in the protobuf crate before 2.6.0 for Rust. A ...) NOT-FOR-US: Rust crate protobuf CVE-2019-15543 (An issue was discovered in the slice-deque crate before 0.2.0 for Rust ...) NOT-FOR-US: Rust crate slice-deque CVE-2019-15542 (An issue was discovered in the ammonia crate before 2.1.0 for Rust. Th ...) NOT-FOR-US: Rust crate ammonia CVE-2018-21000 (An issue was discovered in the safe-transmute crate before 0.10.1 for ...) - rust-safe-transmute (Fixed with initial upload to archive) NOTE: https://github.com/nabijaczleweli/safe-transmute-rs/pull/36 NOTE: https://rustsec.org/advisories/RUSTSEC-2018-0013.html CVE-2018-20999 (An issue was discovered in the orion crate before 0.11.2 for Rust. res ...) NOT-FOR-US: Rust crate orion CVE-2018-20998 (An issue was discovered in the arrayfire crate before 3.6.0 for Rust. ...) NOT-FOR-US: Rust crate arrayfire CVE-2018-20997 (An issue was discovered in the openssl crate before 0.10.9 for Rust. A ...) - rust-openssl (Only affected 0.10.8, which was never in the archive) NOTE: https://rustsec.org/advisories/RUSTSEC-2018-0010.html CVE-2018-20996 (An issue was discovered in the crossbeam crate before 0.4.1 for Rust. ...) - rust-crossbeam-epoch (Fixed before initial upload to archive) NOTE: https://rustsec.org/advisories/RUSTSEC-2018-0009.html CVE-2018-20995 (An issue was discovered in the slice-deque crate before 0.1.16 for Rus ...) NOT-FOR-US: Rust crate slice-deque CVE-2018-20994 (An issue was discovered in the trust-dns-proto crate before 0.5.0-alph ...) NOT-FOR-US: Rust crate trust-dns-proto CVE-2018-20993 (An issue was discovered in the yaml-rust crate before 0.4.1 for Rust. ...) - rust-yaml-rust (Fixed before initial upload to archive) NOTE: https://rustsec.org/advisories/RUSTSEC-2018-0006.html CVE-2018-20992 (An issue was discovered in the claxon crate before 0.4.1 for Rust. Uni ...) NOT-FOR-US: Rust crate claxon CVE-2018-20991 (An issue was discovered in the smallvec crate before 0.6.3 for Rust. T ...) - rust-smallvec (Fixed before initial upload to archive) NOTE: https://rustsec.org/advisories/RUSTSEC-2018-0003.html CVE-2018-20990 (An issue was discovered in the tar crate before 0.4.16 for Rust. Arbit ...) - rust-tar (Fixed with initial upload to archive) NOTE: https://rustsec.org/advisories/RUSTSEC-2018-0002.html CVE-2018-20989 (An issue was discovered in the untrusted crate before 0.6.2 for Rust. ...) - rust-untrusted (Fixed with initial upload to archive) NOTE: https://rustsec.org/advisories/RUSTSEC-2018-0001.html CVE-2017-18589 (An issue was discovered in the cookie crate before 0.7.6 for Rust. Lar ...) - rust-cookie (Fixed before initial upload to archive) NOTE: https://rustsec.org/advisories/RUSTSEC-2017-0005.html CVE-2017-18588 (An issue was discovered in the security-framework crate before 0.1.12 ...) - rust-security-framework-sys (Fixed before initial upload to archive) NOTE: https://rustsec.org/advisories/RUSTSEC-2017-0003.html CVE-2017-18587 (An issue was discovered in the hyper crate before 0.9.18 for Rust. It ...) - rust-hyper (Fixed before initial upload to archive) NOTE: https://rustsec.org/advisories/RUSTSEC-2017-0002.html CVE-2016-10933 (An issue was discovered in the portaudio crate through 0.7.0 for Rust. ...) NOT-FOR-US: Rust crate portaudio CVE-2016-10932 (An issue was discovered in the hyper crate before 0.9.4 for Rust on Wi ...) - rust-hyper (Fixed before initial upload to archive and Windows-specific anyway) NOTE: https://rustsec.org/advisories/RUSTSEC-2016-0002.html CVE-2016-10931 (An issue was discovered in the openssl crate before 0.9.0 for Rust. Th ...) - rust-openssl (Fixed before initial upload to archive) NOTE: https://rustsec.org/advisories/RUSTSEC-2016-0001.html CVE-2019-15541 (rustls-mio/examples/tlsserver.rs in the rustls crate before 0.16.0 for ...) NOT-FOR-US: Rust crate rustls CVE-2019-15540 (filters/filter-cso/filter-stream.c in the CSO filter in libMirage 3.2. ...) NOT-FOR-US: libMirage CVE-2019-15539 (The proj_doc_edit_page.php Project Documentation feature in MantisBT b ...) - mantis CVE-2019-15538 (An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in ...) {DLA-1919-1} - linux 5.2.17-1 [buster] - linux 4.19.67-2 [stretch] - linux 4.9.189-2 [jessie] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/1fb254aa983bf190cfd685d40c64a480a9bafaee CVE-2019-15537 (The proxystatistics module before 3.1.0 for SimpleSAMLphp allows SQL I ...) NOT-FOR-US: SimpleSAMLphp module proxystatistics CVE-2019-15536 (The Acclaim block plugin before 2019-06-26 for Moodle allows SQL Injec ...) NOT-FOR-US: Acclaim block plugin for Moodle CVE-2019-15535 (Tasking Manager before 3.4.0 allows SQL Injection via custom SQL. ...) NOT-FOR-US: Tasking Manager CVE-2019-15534 (Raml-Module-Builder 26.4.0 allows SQL Injection in PostgresClient.upda ...) NOT-FOR-US: Raml-Module-Builder CVE-2019-15533 (XENFCoreSharp before 2019-07-16 allows SQL injection in web/verify.php ...) NOT-FOR-US: XENFCoreSharp CVE-2019-15532 (CyberChef before 8.31.2 allows XSS in core/operations/TextEncodingBrut ...) NOT-FOR-US: CyberChef CVE-2019-15531 (GNU Libextractor through 1.9 has a heap-based buffer over-read in the ...) {DLA-1904-1} - libextractor 1:1.9-2 (bug #935553) [buster] - libextractor (Minor issue) [stretch] - libextractor (Minor issue) NOTE: https://bugs.gnunet.org/view.php?id=5846 NOTE: https://git.gnunet.org/libextractor.git/commit/?id=d2b032452241708bee68d02aa02092cfbfba951a CVE-2019-15530 (An issue was discovered on D-Link DIR-823G devices with firmware V1.0. ...) NOT-FOR-US: D-Link CVE-2019-15529 (An issue was discovered on D-Link DIR-823G devices with firmware V1.0. ...) NOT-FOR-US: D-Link CVE-2019-15528 (An issue was discovered on D-Link DIR-823G devices with firmware V1.0. ...) NOT-FOR-US: D-Link CVE-2019-15527 (An issue was discovered on D-Link DIR-823G devices with firmware V1.0. ...) NOT-FOR-US: D-Link CVE-2019-15526 (An issue was discovered on D-Link DIR-823G devices with firmware V1.0. ...) NOT-FOR-US: D-Link CVE-2019-15525 (There is Missing SSL Certificate Validation in the pw3270 terminal emu ...) NOT-FOR-US: pw3270 terminal emulator CVE-2019-15524 (CSZ CMS 1.2.3 allows arbitrary file upload, as demonstrated by a .php ...) NOT-FOR-US: CSZ CMS CVE-2019-15523 RESERVED CVE-2019-15522 (An issue was discovered in LINBIT csync2 through 2.0. csync_daemon_ses ...) - csync2 2.0-25-gc0faaf9-1 (bug #955445) [buster] - csync2 2.0-22-gce67c55-1+deb10u1 [stretch] - csync2 (Minor issue) [jessie] - csync2 (Minor issue) NOTE: https://github.com/LINBIT/csync2/pull/13/commits/0ecfc333da51575f188dd7cf6ac4974d13a800b1 CVE-2019-15521 (Spoon Library through 2014-02-06, as used in Fork CMS before 1.4.1 and ...) NOT-FOR-US: Spoon Library CVE-2019-15520 (comelz Quark before 2019-03-26 allows directory traversal to locations ...) NOT-FOR-US: comelz Quark CVE-2019-15519 (Power-Response before 2019-02-02 allows directory traversal (up to the ...) NOT-FOR-US: Power-Response CVE-2019-15518 (Swoole before 4.2.13 allows directory traversal in swPort_http_static_ ...) NOT-FOR-US: Swoole CVE-2019-15517 (jc21 Nginx Proxy Manager before 2.0.13 allows %2e%2e%2f directory trav ...) NOT-FOR-US: jc21 Nginx Proxy Manager CVE-2019-15516 (Cuberite before 2019-06-11 allows webadmin directory traversal via ... ...) NOT-FOR-US: Cuberite CVE-2019-15515 (Discourse 2.3.2 sends the CSRF token in the query string. ...) NOT-FOR-US: Discourse CVE-2019-15514 (The Privacy > Phone Number feature in the Telegram app 5.10 for And ...) NOT-FOR-US: Telegram app for Android and iOS CVE-2019-15513 (An issue was discovered in OpenWrt libuci (aka Library for the Unified ...) NOT-FOR-US: OpenWrt libuci CVE-2019-15512 RESERVED CVE-2019-15511 (An exploitable local privilege escalation vulnerability exists in the ...) NOT-FOR-US: GOG Galaxy CVE-2019-15510 (ManageEngine_DesktopCentral.exe in Zoho ManageEngine Desktop Central 1 ...) NOT-FOR-US: Zoho CVE-2019-15509 RESERVED CVE-2019-15508 (In Octopus Tentacle versions 3.0.8 to 5.0.0, when a web request proxy ...) NOT-FOR-US: Octopus Tentacle CVE-2019-15507 (In Octopus Deploy versions 2018.8.4 to 2019.7.6, when a web request pr ...) NOT-FOR-US: Octopus Deploy CVE-2019-15506 (An issue was discovered in Kaseya Virtual System Administrator (VSA) t ...) NOT-FOR-US: Kaseya Virtual System Administrator (VSA) CVE-2019-15505 (drivers/media/usb/dvb-usb/technisat-usb2.c in the Linux kernel through ...) {DLA-2114-1 DLA-2068-1} - linux 5.2.17-1 [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 CVE-2019-15504 (drivers/net/wireless/rsi/rsi_91x_usb.c in the Linux kernel through 5.2 ...) - linux 5.2.17-1 [buster] - linux 4.19.87-1 [stretch] - linux (Vulnerability introduced later) [jessie] - linux (Vulnerability introduced later) CVE-2019-15503 (cgi-cpn/xcoding/prontus_videocut.cgi in AltaVoz Prontus (aka ProntusCM ...) NOT-FOR-US: AltaVoz Prontus CVE-2019-15502 (The TeamSpeak client before 3.3.2 allows remote servers to trigger a c ...) - teamspeak-client CVE-2019-15501 (Reflected cross site scripting (XSS) in L-Soft LISTSERV before 16.5-20 ...) NOT-FOR-US: L-Soft LISTSERV CVE-2019-15500 RESERVED CVE-2019-15499 (CodiMD 1.3.1, when Safari is used, allows XSS via an IFRAME element wi ...) NOT-FOR-US: CodiMD CVE-2019-15498 (cgi-bin/cmh/webcam.sh in Vera Edge Home Controller 1.7.4452 allows rem ...) NOT-FOR-US: Vera Edge Home Controller CVE-2019-15497 (Black Box iCOMPEL 9.2.3 through 11.1.4, as used in ONELAN Net-Top-Box ...) NOT-FOR-US: Black Box iCOMPEL CVE-2019-15496 (MyT Project Management 1.5.1 lacks CSRF protection and, for example, a ...) NOT-FOR-US: MyT Project Management CVE-2019-15495 RESERVED CVE-2019-15494 (openITCOCKPIT before 3.7.1 allows SSRF, aka RVID 5-445b21. ...) NOT-FOR-US: openITCOCKPIT CVE-2019-15493 (openITCOCKPIT before 3.7.1 allows deletion of files, aka RVID 4-445b21 ...) NOT-FOR-US: openITCOCKPIT CVE-2019-15492 (openITCOCKPIT before 3.7.1 has reflected XSS, aka RVID 3-445b21. ...) NOT-FOR-US: openITCOCKPIT CVE-2019-15491 (openITCOCKPIT before 3.7.1 has CSRF, aka RVID 2-445b21. ...) NOT-FOR-US: openITCOCKPIT CVE-2019-15490 (openITCOCKPIT before 3.7.1 allows code injection, aka RVID 1-445b21. ...) NOT-FOR-US: openITCOCKPIT CVE-2019-15489 (laracom (aka Laravel FREE E-Commerce Software) 1.4.11 has search?q= XS ...) NOT-FOR-US: laracom (aka Laravel FREE E-Commerce Software) CVE-2019-15488 (Ignite Realtime Openfire before 4.4.1 has reflected XSS via an LDAP se ...) NOT-FOR-US: Ignite Realtime Openfire CVE-2019-15487 (DfE School Experience before v16333-GA has XSS via a teacher training ...) NOT-FOR-US: DfE School Experience CVE-2019-15486 (django-js-reverse (aka Django JS Reverse) before 0.9.1 has XSS via js_ ...) - django-js-reverse (Issue introduced in 0.9.0) NOTE: https://github.com/ierror/django-js-reverse/pull/81 NOTE: https://github.com/ierror/django-js-reverse/commit/a3b57d1e4424e2fadabcd526d170c4868d55159c (0.9.1) CVE-2019-15485 (Bolt before 3.6.10 has XSS via createFolder or createFile in Controlle ...) NOT-FOR-US: Bolt CMS CVE-2019-15484 (Bolt before 3.6.10 has XSS via an image's alt or title field. ...) NOT-FOR-US: Bolt CMS CVE-2019-15483 (Bolt before 3.6.10 has XSS via a title that is mishandled in the syste ...) NOT-FOR-US: Bolt CMS CVE-2019-15482 (selectize-plugin-a11y before 1.1.0 has XSS via the msg field. ...) NOT-FOR-US: selectize-plugin-a11y CVE-2019-15481 (Kimai v2 before 1.1 has XSS via a timesheet description. ...) NOT-FOR-US: Kimai CVE-2019-15480 (Domoticz 4.10717 has XSS via item.Name. ...) - domoticz (bug #899058) CVE-2019-15479 (Status Board 1.1.81 has reflected XSS via dashboard.ts. ...) NOT-FOR-US: Status Board CVE-2019-15478 (Status Board 1.1.81 has reflected XSS via logic.ts. ...) NOT-FOR-US: Status Board CVE-2019-15477 (Jooby before 1.6.4 has XSS via the default error handler. ...) NOT-FOR-US: Jooby CVE-2019-15476 (Former before 4.2.1 has XSS via a checkbox value. ...) NOT-FOR-US: Former CVE-2019-15475 (The Xiaomi Mi A3 Android device with a build fingerprint of xiaomi/onc ...) NOT-FOR-US: Xiaomi Mi A3 Android device CVE-2019-15474 (The Xiaomi Cepheus Android device with a build fingerprint of Xiaomi/c ...) NOT-FOR-US: Xiaomi Cepheus Android device CVE-2019-15473 (The Xiaomi Mi A2 Lite Android device with a build fingerprint of xiaom ...) NOT-FOR-US: Xiaomi Mi A2 Lite Android device CVE-2019-15472 (The Xiaomi Mi A2 Lite Android device with a build fingerprint of xiaom ...) NOT-FOR-US: Xiaomi Mi A2 Lite Android device CVE-2019-15471 (The Xiaomi Mi Mix 2S Android device with a build fingerprint of Xiaomi ...) NOT-FOR-US: Xiaomi Mi Mix 2S Android device CVE-2019-15470 (The Xiaomi Redmi Note 6 Pro Android device with a build fingerprint of ...) NOT-FOR-US: Xiaomi Redmi Note 6 Pro Android device CVE-2019-15469 (The Xiaomi Mi Pad 4 Android device with a build fingerprint of Xiaomi/ ...) NOT-FOR-US: Xiaomi Mi Pad 4 Android device CVE-2019-15468 (The Xiaomi Mi A2 Lite Android device with a build fingerprint of xiaom ...) NOT-FOR-US: Xiaomi Mi A2 Lite Android devic CVE-2019-15467 (The Xiaomi Mi Mix 2S Android device with a build fingerprint of Xiaomi ...) NOT-FOR-US: Xiaomi Mi Mix 2S Android device CVE-2019-15466 (The Xiaomi Redmi 6 Pro Android device with a build fingerprint of xiao ...) NOT-FOR-US: Xiaomi Redmi 6 Pro Android device CVE-2019-15465 (The Samsung J7 Pro Android device with a build fingerprint of samsung/ ...) NOT-FOR-US: Samsung CVE-2019-15464 (The Samsung J7 Pro Android device with a build fingerprint of samsung/ ...) NOT-FOR-US: Samsung CVE-2019-15463 (The Samsung j7popeltemtr Android device with a build fingerprint of sa ...) NOT-FOR-US: Samsung CVE-2019-15462 (The Samsung J7 Duo Android device with a build fingerprint of samsung/ ...) NOT-FOR-US: Samsung CVE-2019-15461 (The Samsung J7 Neo Android device with a build fingerprint of samsung/ ...) NOT-FOR-US: Samsung CVE-2019-15460 (The Samsung J7 Neo Android device with a build fingerprint of samsung/ ...) NOT-FOR-US: Samsung CVE-2019-15459 (The Samsung J7 Neo Android device with a build fingerprint of samsung/ ...) NOT-FOR-US: Samsung CVE-2019-15458 (The Samsung J7 Neo Android device with a build fingerprint of samsung/ ...) NOT-FOR-US: Samsung CVE-2019-15457 (The Samsung J6 Android device with a build fingerprint of samsung/j6lt ...) NOT-FOR-US: Samsung CVE-2019-15456 (The Samsung J6 Android device with a build fingerprint of samsung/j6lt ...) NOT-FOR-US: Samsung CVE-2019-15455 (The Samsung J5 Android device with a build fingerprint of samsung/j5y1 ...) NOT-FOR-US: Samsung CVE-2019-15454 (The Samsung J4 Android device with a build fingerprint of samsung/j4lt ...) NOT-FOR-US: Samsung CVE-2019-15453 (The Samsung J4 Android device with a build fingerprint of samsung/j4lt ...) NOT-FOR-US: Samsung CVE-2019-15452 (The Samsung J3 Android device with a build fingerprint of samsung/j3y1 ...) NOT-FOR-US: Samsung CVE-2019-15451 (The Samsung J3 Android device with a build fingerprint of samsung/j3y1 ...) NOT-FOR-US: Samsung CVE-2019-15450 (The Samsung j3popeltecan Android device with a build fingerprint of sa ...) NOT-FOR-US: Samsung CVE-2019-15449 (The Samsung S7 Edge Android device with a build fingerprint of samsung ...) NOT-FOR-US: Samsung CVE-2019-15448 (The Samsung S7 Edge Android device with a build fingerprint of samsung ...) NOT-FOR-US: Samsung CVE-2019-15447 (The Samsung S7 Edge Android device with a build fingerprint of samsung ...) NOT-FOR-US: Samsung CVE-2019-15446 (The Samsung S7 Android device with a build fingerprint of samsung/hero ...) NOT-FOR-US: Samsung CVE-2019-15445 (The Samsung S7 Android device with a build fingerprint of samsung/hero ...) NOT-FOR-US: Samsung CVE-2019-15444 (The Samsung S7 Android device with a build fingerprint of samsung/hero ...) NOT-FOR-US: Samsung CVE-2019-15443 (The Samsung J7 Max Android device with a build fingerprint of samsung/ ...) NOT-FOR-US: Samsung CVE-2019-15442 (The Samsung on7xelteskt Android device with a build fingerprint of sam ...) NOT-FOR-US: Samsung CVE-2019-15441 (The Samsung on7xeltelgt Android device with a build fingerprint of sam ...) NOT-FOR-US: Samsung CVE-2019-15440 (The Samsung J5 Android device with a build fingerprint of samsung/on5x ...) NOT-FOR-US: Samsung CVE-2019-15439 (The Samsung XCover4 Android device with a build fingerprint of samsung ...) NOT-FOR-US: Samsung CVE-2019-15438 (The Samsung XCover4 Android device with a build fingerprint of samsung ...) NOT-FOR-US: Samsung CVE-2019-15437 (The Samsung XCover4 Android device with a build fingerprint of samsung ...) NOT-FOR-US: Samsung CVE-2019-15436 (The Samsung A8+ Android device with a build fingerprint of samsung/jac ...) NOT-FOR-US: Samsung CVE-2019-15435 (The Samsung A7 Android device with a build fingerprint of samsung/a7y1 ...) NOT-FOR-US: Samsung CVE-2019-15434 (The Samsung A5 Android device with a build fingerprint of samsung/a5y1 ...) NOT-FOR-US: Samsung CVE-2019-15433 (The Samsung A3 Android device with a build fingerprint of samsung/a3y1 ...) NOT-FOR-US: Samsung CVE-2019-15432 (The Evercoss U6 Android device with a build fingerprint of EVERCOSS/U6 ...) NOT-FOR-US: Evercoss CVE-2019-15431 (The Evercoss U50A Android device with a build fingerprint of EVERCOSS/ ...) NOT-FOR-US: Evercoss CVE-2019-15430 (The Bluboo D3 Pro Android device with a build fingerprint of BLUBOO/Bl ...) NOT-FOR-US: Bluboo CVE-2019-15429 (The Panasonic ELUGA_I9 Android device with a build fingerprint of Pana ...) NOT-FOR-US: Panasonic CVE-2019-15428 (The Xiaomi Mi Note 2 Android device with a build fingerprint of Xiaomi ...) NOT-FOR-US: Xiaomi Mi Note 2 Android device CVE-2019-15427 (The Xiaomi Mi Mix Android device with a build fingerprint of Xiaomi/li ...) NOT-FOR-US: Xiaomi Mi Mix Android device CVE-2019-15426 (The Xiaomi 5S Plus Android device with a build fingerprint of Xiaomi/n ...) NOT-FOR-US: Xiaomi 5S Plus Android device CVE-2019-15425 (The Kata M4s Android device with a build fingerprint of alps/full_hct6 ...) NOT-FOR-US: Kata M4s Android device CVE-2019-15424 (The Doogee BL5000 Android device with a build fingerprint of DOOGEE/BL ...) NOT-FOR-US: Doogee BL5000 Android device CVE-2019-15423 (The Bluboo Bluboo_S1 Android device with a build fingerprint of BLUBOO ...) NOT-FOR-US: Bluboo Bluboo_S1 Android device CVE-2019-15422 (The Doogee Mix Android device with a build fingerprint of DOOGEE/MIX/M ...) NOT-FOR-US: Doogee Mix Android device CVE-2019-15421 (The Blackview BV7000_Pro Android device with a build fingerprint of Bl ...) NOT-FOR-US: The Blackview CVE-2019-15420 (The Blackview BV9000Pro-F Android device with a build fingerprint of B ...) NOT-FOR-US: Blackview CVE-2019-15419 (The Asus ASUS_X015_1 Android device with a build fingerprint of asus/C ...) NOT-FOR-US: Asus CVE-2019-15418 (The Asus ASUS_X00K_1 Android device with a build fingerprint of asus/C ...) NOT-FOR-US: Asus CVE-2019-15417 (The Tecno Spark Pro Android device with a build fingerprint of TECNO/H ...) NOT-FOR-US: Tecno Spark Pro Android device CVE-2019-15416 (The Sony keyaki_kddi Android device with a build fingerprint of Sony/k ...) NOT-FOR-US: Sony CVE-2019-15415 (The Xiaomi Redmi 5 Android device with a build fingerprint of xiaomi/v ...) NOT-FOR-US: Xiaomi Redmi 5 Android device CVE-2019-15414 (The Asus ZenFone AR Android device with a build fingerprint of asus/WW ...) NOT-FOR-US: Asus CVE-2019-15413 (The Asus ZenFone 3 Ultra Android device with a build fingerprint of as ...) NOT-FOR-US: Asus CVE-2019-15412 (The Asus ZenFone 4 Selfie Android device with a build fingerprint of a ...) NOT-FOR-US: Asus CVE-2019-15411 (The Asus ZenFone 3 Laser Android device with a build fingerprint of as ...) NOT-FOR-US: Asus CVE-2019-15410 (The Asus ZenFone 5Q Android device with a build fingerprint of asus/WW ...) NOT-FOR-US: Asus CVE-2019-15409 (The Asus ZenFone 5Q Android device with a build fingerprint of asus/WW ...) NOT-FOR-US: Asus CVE-2019-15408 (The Asus ZenFone 5 Lite Android device with a build fingerprint of asu ...) NOT-FOR-US: Asus CVE-2019-15407 (The Asus ASUS_X015_1 Android device with a build fingerprint of asus/C ...) NOT-FOR-US: Asus CVE-2019-15406 (The Asus ASUS_X00LD_3 Android device with a build fingerprint of asus/ ...) NOT-FOR-US: Asus CVE-2019-15405 (The Asus ASUS_X00K_1 Android device with a build fingerprint of asus/C ...) NOT-FOR-US: Asus CVE-2019-15404 (The Asus ZenFone Max 4 Android device with a build fingerprint of asus ...) NOT-FOR-US: Asus CVE-2019-15403 (The Asus ZenFone 3s Max Android device with a build fingerprint of asu ...) NOT-FOR-US: Asus CVE-2019-15402 (The Asus ASUS_A002_2 Android device with a build fingerprint of asus/W ...) NOT-FOR-US: Asus CVE-2019-15401 (The Asus ASUS_A002 Android device with a build fingerprint of asus/WW_ ...) NOT-FOR-US: Asus CVE-2019-15400 (The Asus ZenFone 3 Ultra Android device with a build fingerprint of as ...) NOT-FOR-US: Asus CVE-2019-15399 (The Asus ZenFone 5Q Android device with a build fingerprint of asus/WW ...) NOT-FOR-US: Asus CVE-2019-15398 (The Asus ZenFone 4 Selfie Android device with a build fingerprint of a ...) NOT-FOR-US: Asus CVE-2019-15397 (The Asus ZenFone Max 4 Android device with a build fingerprint of asus ...) NOT-FOR-US: Asus CVE-2019-15396 (The Asus ZenFone 3 Android device with a build fingerprint of asus/WW_ ...) NOT-FOR-US: Asus CVE-2019-15395 (The Asus ZenFone 3s Max Android device with a build fingerprint of asu ...) NOT-FOR-US: Asus CVE-2019-15394 (The Asus ZenFone 5 Selfie Android device with a build fingerprint of a ...) NOT-FOR-US: Asus CVE-2019-15393 (The Asus ZenFone Live Android device with a build fingerprint of asus/ ...) NOT-FOR-US: Asus CVE-2019-15392 (The Asus ZenFone 4 Selfie Android device with a build fingerprint of A ...) NOT-FOR-US: Asus CVE-2019-15391 (The Asus ZenFone 4 Selfie Android device with a build fingerprint of a ...) NOT-FOR-US: Asus CVE-2019-15390 (The Haier G8 Android device with a build fingerprint of Haier/HM-G559- ...) NOT-FOR-US: Haier G8 Android device CVE-2019-15389 (The Haier A6 Android device with a build fingerprint of Haier/A6/A6:8. ...) NOT-FOR-US: Haier A6 Android device CVE-2019-15388 (The Coolpad 1851 Android device with a build fingerprint of Coolpad/an ...) NOT-FOR-US: Coolpad CVE-2019-15387 (The Archos Core 101 Android device with a build fingerprint of archos/ ...) NOT-FOR-US: Archos CVE-2019-15386 (The Lava Z60s Android device with a build fingerprint of LAVA/Z60s/Z60 ...) NOT-FOR-US: Lava CVE-2019-15385 (The Infinix Note 5 Android device with a build fingerprint of Infinix/ ...) NOT-FOR-US: Infinix Note 5 Android device CVE-2019-15384 (The Elephone A4 Android device with a build fingerprint of Elephone/A4 ...) NOT-FOR-US: Elephone CVE-2019-15383 (The Allview X5 Android device with a build fingerprint of ALLVIEW/X5_S ...) NOT-FOR-US: Allview CVE-2019-15382 (The Cubot Nova Android device with a build fingerprint of CUBOT/CUBOT_ ...) NOT-FOR-US: Cubot Nova CVE-2019-15381 (The BQ 5515L Android device with a build fingerprint of BQru/BQru-5515 ...) NOT-FOR-US: BQ 5515L Android device CVE-2019-15380 (The Fly Photo Pro Android device with a build fingerprint of Fly/Photo ...) NOT-FOR-US: Fly Photo Pro Android device CVE-2019-15379 (The Walton Primo G3 Android device with a build fingerprint of WALTON/ ...) NOT-FOR-US: Walton Primo G3 Android device CVE-2019-15378 (The Panasonic Eluga Ray 600 Android device with a build fingerprint of ...) NOT-FOR-US: Panasonic CVE-2019-15377 (The Cherry Flare S7 Android device with a build fingerprint of Cherry_ ...) NOT-FOR-US: Cherry Flare S7 Android device CVE-2019-15376 (The Panasonic Eluga Ray 530 Android device with a build fingerprint of ...) NOT-FOR-US: Panasonic CVE-2019-15375 (The Haier G8 Android device with a build fingerprint of Haier/HM-G559- ...) NOT-FOR-US: Haier G8 Android device CVE-2019-15374 (The Lava Iris 88 Lite Android device with a build fingerprint of LAVA/ ...) NOT-FOR-US: Lava Iris 88 Lite Android device CVE-2019-15373 (The Symphony i95 Lite Android device with a build fingerprint of LAVA/ ...) NOT-FOR-US: Symphony i95 Lite Android device CVE-2019-15372 (The Hisense F17 Android device with a build fingerprint of Hisense/F17 ...) NOT-FOR-US: Hisense F17 Android device CVE-2019-15371 (The Symphony G100 Android device with a build fingerprint of Symphony/ ...) NOT-FOR-US: Symphony G100 Android device CVE-2019-15370 (The Haier G8 Android device with a build fingerprint of Haier/HM-G559- ...) NOT-FOR-US: Haier G8 Android device CVE-2019-15369 (The Lava Z61 Turbo Android device with a build fingerprint of LAVA/Z61 ...) NOT-FOR-US: Lava Z61 Turbo Android device CVE-2019-15368 (The Coolpad 1851 Android device with a build fingerprint of Coolpad/an ...) NOT-FOR-US: Coolpad CVE-2019-15367 (The Haier P10 Android device with a build fingerprint of Haier/P10/P10 ...) NOT-FOR-US: Haier P10 Android device CVE-2019-15366 (The Infinix Note 5 Android device with a build fingerprint of Infinix/ ...) NOT-FOR-US: Infinix Note 5 Android device CVE-2019-15365 (The Lava Z92 Android device with a build fingerprint of LAVA/Z92/Z92:8 ...) NOT-FOR-US: Lava Z92 Android device CVE-2019-15364 (The Dexp BL250 Android device with a build fingerprint of DEXP/BL250/B ...) NOT-FOR-US: Dexp BL250 Android device CVE-2019-15363 (The Leagoo Power 5 Android device with a build fingerprint of LEAGOO/P ...) NOT-FOR-US: Leagoo Power 5 Android device CVE-2019-15362 (The Lava Iris 88 Go Android device with a build fingerprint of LAVA/ir ...) NOT-FOR-US: Lava Iris 88 Go Android device CVE-2019-15361 (The Infinix Note 5 Android device with a build fingerprint of Infinix/ ...) NOT-FOR-US: Infinix Note 5 Android device CVE-2019-15360 (The Hisense U965 Android device with a build fingerprint of Hisense/U9 ...) NOT-FOR-US: Hisense U965 Android device CVE-2019-15359 (The Haier A6 Android device with a build fingerprint of Haier/A6/A6:8. ...) NOT-FOR-US: Haier A6 Android device CVE-2019-15358 (The Dexp Z250 Android device with a build fingerprint of DEXP/Z250/Z25 ...) NOT-FOR-US: Dexp Z250 Android device CVE-2019-15357 (The Advan i6A Android device with a build fingerprint of ADVAN/i6A/i6A ...) NOT-FOR-US: Advan i6A Android device CVE-2019-15356 (The Lava Flair Z1 Android device with a build fingerprint of LAVA/Z1/Z ...) NOT-FOR-US: Lava Flair Z1 Android device CVE-2019-15355 (The Tecno Camon iClick Android device with a build fingerprint of TECN ...) NOT-FOR-US: Tecno Camon iClick Android device CVE-2019-15354 (The Ulefone Armor 5 Android device with a build fingerprint of Ulefone ...) NOT-FOR-US: Ulefone Armor 5 Android device CVE-2019-15353 (The Coolpad N3C Android device with a build fingerprint of Coolpad/N3C ...) NOT-FOR-US: Coolpad N3C Android device CVE-2019-15352 (The Coolpad 1851 Android device with a build fingerprint of Coolpad/an ...) NOT-FOR-US: Coolpad 1851 Android device CVE-2019-15351 (The Tecno Camon Android device with a build fingerprint of TECNO/H622/ ...) NOT-FOR-US: Tecno Camon Android device CVE-2019-15350 (The Tecno Camon Android device with a build fingerprint of TECNO/H622/ ...) NOT-FOR-US: Tecno Camon Android device CVE-2019-15349 (The Tecno Camon Android device with a build fingerprint of TECNO/H612/ ...) NOT-FOR-US: Tecno Camon Android device CVE-2019-15348 (The Tecno Camon Android device with a build fingerprint of TECNO/H612/ ...) NOT-FOR-US: Tecno Camon Android device CVE-2019-15347 (The Tecno Camon iClick 2 Android device with a build fingerprint of TE ...) NOT-FOR-US: Tecno Camon iClick 2 Android device CVE-2019-15346 (The Tecno Camon iClick 2 Android device with a build fingerprint of TE ...) NOT-FOR-US: Tecno Camon iClick 2 Android device CVE-2019-15345 (The Tecno Camon iClick Android device with a build fingerprint of TECN ...) NOT-FOR-US: Tecno Camon iClick Android device CVE-2019-15344 (The Tecno Camon iClick Android device with a build fingerprint of TECN ...) NOT-FOR-US: Tecno Camon iClick Android device CVE-2019-15343 (The Tecno Camon iClick Android device with a build fingerprint of TECN ...) NOT-FOR-US: Tecno Camon iClick Android device CVE-2019-15342 (The Tecno Camon iAir 2 Plus Android device with a build fingerprint of ...) NOT-FOR-US: Tecno Camon iAir 2 Plus Android device CVE-2019-15341 (The Tecno Camon iAir 2 Plus Android device with a build fingerprint of ...) NOT-FOR-US: Tecno Camon iAir 2 Plus Android device CVE-2019-15340 (The Xiaomi Redmi 6 Pro Android device with a build fingerprint of xiao ...) NOT-FOR-US: Xiaomi Redmi 6 Pro Android device CVE-2019-15339 (The Lava Z60s Android device with a build fingerprint of LAVA/Z60s/Z60 ...) NOT-FOR-US: Lava Z60s Android device CVE-2019-15338 (The Lava Iris 88 Lite Android device with a build fingerprint of LAVA/ ...) NOT-FOR-US: Lava Iris 88 Lite Android device CVE-2019-15337 (The Lava Z81 Android device with a build fingerprint of LAVA/Z81/Z81:8 ...) NOT-FOR-US: Lava Z81 Android device CVE-2019-15336 (The Lava Z61 Turbo Android device with a build fingerprint of LAVA/Z61 ...) NOT-FOR-US: Lava Z61 Turbo Android device CVE-2019-15335 (The Lava Z92 Android device with a build fingerprint of LAVA/Z92/Z92:8 ...) NOT-FOR-US: Lava Z92 Android device CVE-2019-15334 (The Lava Iris 88 Go Android device with a build fingerprint of LAVA/ir ...) NOT-FOR-US: Lava Iris 88 Go Android device CVE-2019-15333 (The Lava Flair Z1 Android device with a build fingerprint of LAVA/Z1/Z ...) NOT-FOR-US: Lava Flair Z1 Android device CVE-2019-15332 (The Lava Z61 Android device with a build fingerprint of LAVA/Z61_2GB/Z ...) NOT-FOR-US: Lava Z61 Android device CVE-2019-15331 (The wp-support-plus-responsive-ticket-system plugin before 9.1.2 for W ...) NOT-FOR-US: wp-support-plus-responsive-ticket-system plugin for WordPress CVE-2019-15330 (The webp-express plugin before 0.14.11 for WordPress has insufficient ...) NOT-FOR-US: webp-express plugin for WordPress CVE-2019-15329 (The import-users-from-csv-with-meta plugin before 1.14.0.3 for WordPre ...) NOT-FOR-US: import-users-from-csv-with-meta plugin for WordPress CVE-2019-15328 (The import-users-from-csv-with-meta plugin before 1.14.0.3 for WordPre ...) NOT-FOR-US: import-users-from-csv-with-meta plugin for WordPress CVE-2019-15327 (The import-users-from-csv-with-meta plugin before 1.14.1.3 for WordPre ...) NOT-FOR-US: import-users-from-csv-with-meta plugin for WordPress CVE-2019-15326 (The import-users-from-csv-with-meta plugin before 1.14.2.1 for WordPre ...) NOT-FOR-US: import-users-from-csv-with-meta plugin for WordPress CVE-2019-15325 (In GalliumOS 3.0, CONFIG_SECURITY_YAMA is disabled but /etc/sysctl.d/1 ...) NOT-FOR-US: GalliumOS CVE-2018-20988 (The wpgform plugin before 0.94 for WordPress has eval injection in the ...) NOT-FOR-US: wpgform plugin for WordPress CVE-2018-20987 (The newsletters-lite plugin before 4.6.8.6 for WordPress has PHP objec ...) NOT-FOR-US: newsletters-lite plugin for WordPress CVE-2017-18586 (The insert-pages plugin before 3.2.4 for WordPress has directory trave ...) NOT-FOR-US: insert-pages plugin for WordPress CVE-2016-10930 (The wp-support-plus-responsive-ticket-system plugin before 7.1.0 for W ...) NOT-FOR-US: wp-support-plus-responsive-ticket-system plugin for WordPress CVE-2015-9341 (The wp-file-upload plugin before 3.4.1 for WordPress has insufficient ...) NOT-FOR-US: wp-file-upload plugin for WordPress CVE-2015-9340 (The wp-file-upload plugin before 3.0.0 for WordPress has insufficient ...) NOT-FOR-US: wp-file-upload plugin for WordPress CVE-2015-9339 (The wp-file-upload plugin before 2.7.1 for WordPress has insufficient ...) NOT-FOR-US: wp-file-upload plugin for WordPress CVE-2015-9338 (The wp-file-upload plugin before 2.5.0 for WordPress has insufficient ...) NOT-FOR-US: wp-file-upload plugin for WordPress CVE-2014-10394 (The rich-counter plugin before 1.2.0 for WordPress has JavaScript inje ...) NOT-FOR-US: rich-counter plugin for WordPress CVE-2014-10393 (The cforms2 plugin before 10.5 for WordPress has XSS. ...) NOT-FOR-US: cforms2 plugin for WordPress CVE-2014-10392 (The cforms2 plugin before 10.2 for WordPress has XSS. ...) NOT-FOR-US: cforms2 plugin for WordPress CVE-2014-10391 (The wp-support-plus-responsive-ticket-system plugin before 4.1 for Wor ...) NOT-FOR-US: wp-support-plus-responsive-ticket-system plugin for WordPress CVE-2014-10390 (The wp-support-plus-responsive-ticket-system plugin before 4.2 for Wor ...) NOT-FOR-US: wp-support-plus-responsive-ticket-system plugin for WordPress CVE-2014-10389 (The wp-support-plus-responsive-ticket-system plugin before 4.2 for Wor ...) NOT-FOR-US: wp-support-plus-responsive-ticket-system plugin for WordPress CVE-2014-10388 (The wp-support-plus-responsive-ticket-system plugin before 4.2 for Wor ...) NOT-FOR-US: wp-support-plus-responsive-ticket-system plugin for WordPress CVE-2014-10387 (The wp-support-plus-responsive-ticket-system plugin before 4.2 for Wor ...) NOT-FOR-US: wp-support-plus-responsive-ticket-system plugin for WordPress CVE-2014-10386 (The wp-live-chat-support plugin before 4.1.0 for WordPress has JavaScr ...) NOT-FOR-US: wp-live-chat-support plugin for WordPress CVE-2019-15324 (The ad-inserter plugin before 2.4.22 for WordPress has remote code exe ...) NOT-FOR-US: ad-inserter plugin for WordPress CVE-2019-15323 (The ad-inserter plugin before 2.4.20 for WordPress has path traversal. ...) NOT-FOR-US: ad-inserter plugin for WordPress CVE-2019-15322 (The shortcode-factory plugin before 2.8 for WordPress has Local File I ...) NOT-FOR-US: shortcode-factory plugin for WordPress CVE-2019-15321 (The option-tree plugin before 2.7.3 for WordPress has Object Injection ...) NOT-FOR-US: option-tree plugin for WordPress CVE-2019-15320 (The option-tree plugin before 2.7.3 for WordPress has Object Injection ...) NOT-FOR-US: option-tree plugin for WordPress CVE-2019-15319 (The option-tree plugin before 2.7.0 for WordPress has Object Injection ...) NOT-FOR-US: option-tree plugin for WordPress CVE-2019-15318 (The yikes-inc-easy-mailchimp-extender plugin before 6.5.3 for WordPres ...) NOT-FOR-US: yikes-inc-easy-mailchimp-extender plugin for WordPress CVE-2019-15317 (The give plugin before 2.4.7 for WordPress has XSS via a donor name. ...) NOT-FOR-US: give plugin for WordPress CVE-2019-15316 (Valve Steam Client for Windows through 2019-08-20 has weak folder perm ...) NOT-FOR-US: Valve Steam Client for Windows CVE-2019-15315 (Valve Steam Client for Windows through 2019-08-16 allows privilege esc ...) NOT-FOR-US: Valve Steam Client for Windows CVE-2018-20986 (The advanced-custom-fields (aka Elliot Condon Advanced Custom Fields) ...) NOT-FOR-US: advanced-custom-fields plugin for WordPress CVE-2018-20985 (The wp-payeezy-pay plugin before 2.98 for WordPress has local file inc ...) NOT-FOR-US: wp-payeezy-pay plugin for WordPress CVE-2018-20984 (The patreon-connect plugin before 1.2.2 for WordPress has Object Injec ...) NOT-FOR-US: patreon-connect plugin for WordPress CVE-2018-20983 (The wp-retina-2x plugin before 5.2.3 for WordPress has XSS. ...) NOT-FOR-US: wp-retina-2x plugin for WordPress CVE-2018-20982 (The media-library-assistant plugin before 2.74 for WordPress has XSS v ...) NOT-FOR-US: media-library-assistant plugin for WordPress CVE-2018-20981 (The ninja-forms plugin before 3.3.9 for WordPress has insufficient res ...) NOT-FOR-US: ninja-forms plugin for WordPress CVE-2018-20980 (The ninja-forms plugin before 3.2.15 for WordPress has parameter tampe ...) NOT-FOR-US: ninja-forms plugin for WordPress CVE-2018-20979 (The contact-form-7 plugin before 5.0.4 for WordPress has privilege esc ...) NOT-FOR-US: contact-form-7 plugin for WordPress CVE-2017-18585 (The posts-in-page plugin before 1.3.0 for WordPress has ic_add_posts t ...) NOT-FOR-US: posts-in-page plugin for WordPress CVE-2017-18584 (The post-pay-counter plugin before 2.731 for WordPress has no permissi ...) NOT-FOR-US: post-pay-counter plugin for WordPress CVE-2017-18583 (The post-pay-counter plugin before 2.731 for WordPress has PHP Object ...) NOT-FOR-US: post-pay-counter plugin for WordPress CVE-2017-18582 (The time-sheets plugin before 1.5.2 for WordPress has multiple XSS iss ...) NOT-FOR-US: time-sheets plugin for WordPress CVE-2017-18581 (The time-sheets plugin before 1.5.0 for WordPress has XSS via the old ...) NOT-FOR-US: time-sheets plugin for WordPress CVE-2017-18580 (The shortcodes-ultimate plugin before 5.0.1 for WordPress has remote c ...) NOT-FOR-US: shortcodes-ultimate plugin for WordPress CVE-2017-18579 (The corner-ad plugin before 1.0.8 for WordPress has XSS. ...) NOT-FOR-US: corner-ad plugin for WordPress CVE-2017-18578 (The crafty-social-buttons plugin before 1.5.8 for WordPress has XSS. ...) NOT-FOR-US: crafty-social-buttons plugin for WordPress CVE-2017-18577 (The mailchimp-for-wp plugin before 4.1.8 for WordPress has XSS via the ...) NOT-FOR-US: mailchimp-for-wp plugin for WordPress CVE-2017-18576 (The event-notifier plugin before 1.2.1 for WordPress has XSS via the l ...) NOT-FOR-US: event-notifier plugin for WordPress CVE-2017-18575 (The newstatpress plugin before 1.2.5 for WordPress has multiple stored ...) NOT-FOR-US: newstatpress plugin for WordPress CVE-2017-18574 (The ninja-forms plugin before 3.0.31 for WordPress has insufficient HT ...) NOT-FOR-US: ninja-forms plugin for WordPress CVE-2017-18573 (The simple-login-log plugin before 1.1.2 for WordPress has SQL injecti ...) NOT-FOR-US: simple-login-log plugin for WordPress CVE-2017-18572 (The gnucommerce plugin before 1.4.2 for WordPress has XSS. ...) NOT-FOR-US: gnucommerce plugin for WordPress CVE-2017-18571 (The search-everything plugin before 8.1.7 for WordPress has SQL inject ...) NOT-FOR-US: search-everything plugin for WordPress CVE-2017-18570 (The cforms2 plugin before 14.13 for WordPress has SQL injection in the ...) NOT-FOR-US: cforms2 plugin for WordPress CVE-2016-10929 (The advanced-ajax-page-loader plugin before 2.7.7 for WordPress has no ...) NOT-FOR-US: advanced-ajax-page-loader plugin for WordPress CVE-2016-10928 (The onelogin-saml-sso plugin before 2.2.0 for WordPress has a hardcode ...) NOT-FOR-US: onelogin-saml-sso plugin for WordPress CVE-2016-10927 (The nelio-ab-testing plugin before 4.5.11 for WordPress has SSRF in aj ...) NOT-FOR-US: nelio-ab-testing plugin for WordPress CVE-2016-10926 (The nelio-ab-testing plugin before 4.5.9 for WordPress has SSRF in aja ...) NOT-FOR-US: nelio-ab-testing plugin for WordPress CVE-2016-10925 (The peters-login-redirect plugin before 2.9.1 for WordPress has XSS du ...) NOT-FOR-US: peters-login-redirect plugin for WordPress CVE-2016-10924 (The ebook-download plugin before 1.2 for WordPress has directory trave ...) NOT-FOR-US: ebook-download plugin for WordPress CVE-2016-10923 (The woocommerce-store-toolkit plugin before 1.5.8 for WordPress has pr ...) NOT-FOR-US: woocommerce-store-toolkit plugin for WordPress CVE-2016-10922 (The woocommerce-store-toolkit plugin before 1.5.7 for WordPress has pr ...) NOT-FOR-US: woocommerce-store-toolkit plugin for WordPress CVE-2016-10921 (The gallery-photo-gallery plugin before 1.0.1 for WordPress has SQL in ...) NOT-FOR-US: gallery-photo-gallery plugin for WordPress CVE-2016-10920 (The gnucommerce plugin before 0.5.7-BETA for WordPress has XSS. ...) NOT-FOR-US: gnucommerce plugin for WordPress CVE-2016-10919 (The wassup plugin before 1.9.1 for WordPress has XSS via the Top stats ...) NOT-FOR-US: wassup plugin for WordPress CVE-2016-10918 (The gallery-by-supsystic plugin before 1.8.6 for WordPress has CSRF. ...) NOT-FOR-US: gallery-by-supsystic plugin for WordPress CVE-2016-10917 (The search-everything plugin before 8.1.6 for WordPress has SQL inject ...) NOT-FOR-US: search-everything plugin for WordPress CVE-2016-10916 (The appointment-booking-calendar plugin before 1.1.24 for WordPress ha ...) NOT-FOR-US: appointment-booking-calendar plugin for WordPress CVE-2015-9337 (The profile-builder plugin before 2.1.4 for WordPress has no access co ...) NOT-FOR-US: profile-builder plugin for WordPress CVE-2015-9336 (The clean-login plugin before 1.5.1 for WordPress has reflected XSS. ...) NOT-FOR-US: clean-login plugin for WordPress CVE-2015-9335 (The limit-attempts plugin before 1.1.1 for WordPress has SQL injection ...) NOT-FOR-US: limit-attempts plugin for WordPress CVE-2015-9334 (The email-newsletter plugin through 20.15 for WordPress has SQL inject ...) NOT-FOR-US: email-newsletter plugin for WordPress CVE-2015-9333 (The cforms2 plugin before 14.6.10 for WordPress has SQL injection. ...) NOT-FOR-US: cforms2 plugin for WordPress CVE-2014-10385 (The memphis-documents-library plugin before 3.0 for WordPress has XSS ...) NOT-FOR-US: memphis-documents-library plugin for WordPress CVE-2014-10384 (The memphis-documents-library plugin before 3.0 for WordPress has Loca ...) NOT-FOR-US: memphis-documents-library plugin for WordPress CVE-2014-10383 (The memphis-documents-library plugin before 3.0 for WordPress has Remo ...) NOT-FOR-US: memphis-documents-library plugin for WordPress CVE-2014-10382 (The feature-comments plugin before 1.2.5 for WordPress has CSRF for fe ...) NOT-FOR-US: feature-comments plugin for WordPress CVE-2013-7483 (The slidedeck2 plugin before 2.3.5 for WordPress has file inclusion. ...) NOT-FOR-US: slidedeck2 plugin for WordPress CVE-2013-7482 (The reflex-gallery plugin before 1.4.3 for WordPress has XSS. ...) NOT-FOR-US: reflex-gallery plugin for WordPress CVE-2013-7481 (The contact-form-plugin plugin before 3.3.5 for WordPress has XSS. ...) NOT-FOR-US: contact-form-plugin plugin for WordPress CVE-2013-7480 (The events-manager plugin before 5.3.6.1 for WordPress has XSS via the ...) NOT-FOR-US: events-manager plugin for WordPress CVE-2013-7479 (The events-manager plugin before 5.3.9 for WordPress has XSS in the se ...) NOT-FOR-US: events-manager plugin for WordPress CVE-2013-7478 (The events-manager plugin before 5.5 for WordPress has XSS via EM_Tick ...) NOT-FOR-US: events-manager plugin for WordPress CVE-2013-7477 (The events-manager plugin before 5.5.2 for WordPress has XSS in the bo ...) NOT-FOR-US: events-manager plugin for WordPress CVE-2012-6716 (The events-manager plugin before 5.1.7 for WordPress has XSS via JSON ...) NOT-FOR-US: events-manager plugin for WordPress CVE-2009-5158 (The google-analyticator plugin before 5.2.1 for WordPress has insuffic ...) NOT-FOR-US: google-analyticator plugin for WordPress CVE-2008-7321 (The tubepress plugin before 1.6.5 for WordPress has XSS. ...) NOT-FOR-US: tubepress plugin for WordPress CVE-2019-15314 (tiki/tiki-upload_file.php in Tiki 18.4 allows remote attackers to uplo ...) - tikiwiki CVE-2019-15313 (In Zimbra Collaboration before 8.8.15 Patch 1, there is a non-persiste ...) NOT-FOR-US: Zimbra Collaboration CVE-2019-15312 (An issue was discovered on Zolo Halo devices via the Linkplay firmware ...) NOT-FOR-US: Zolo Halo devices CVE-2019-15311 (An issue was discovered on Zolo Halo devices via the Linkplay firmware ...) NOT-FOR-US: Zolo Halo devices CVE-2019-15310 (An issue was discovered on various devices via the Linkplay firmware. ...) NOT-FOR-US: Linkplay CVE-2019-15309 RESERVED CVE-2019-15308 RESERVED CVE-2019-15307 RESERVED CVE-2019-15306 RESERVED CVE-2019-15305 RESERVED CVE-2019-15304 (Lierda Grill Temperature Monitor V1.00_50006 has a default password of ...) NOT-FOR-US: Lierda Grill Temperature Monitor CVE-2019-15303 RESERVED CVE-2019-15302 (The pad management logic in XWiki labs CryptPad before 3.0.0 allows a ...) NOT-FOR-US: CryptPad CVE-2019-15301 (A SQL injection vulnerability in the method Terrasoft.Core.DB.Column.C ...) NOT-FOR-US: Terrasoft Bpm'online CRM-System SDK CVE-2019-15300 (A problem was found in Centreon Web through 19.04.3. An authenticated ...) - centreon-web (bug #913903) CVE-2019-15299 (An issue was discovered in Centreon Web through 19.04.3. When a user c ...) - centreon-web (bug #913903) CVE-2019-15298 (A problem was found in Centreon Web through 19.04.3. An authenticated ...) - centreon-web (bug #913903) CVE-2019-15297 (res_pjsip_t38 in Sangoma Asterisk 13.21-cert4, 15.7.3, and 16.5.0 allo ...) - asterisk 1:16.10.0~dfsg-1 (low; bug #940060) [buster] - asterisk (Minor issue) [stretch] - asterisk (Minor issue) [jessie] - asterisk (The vulnerable code is not present) NOTE: https://downloads.asterisk.org/pub/security/AST-2019-004.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-28495 CVE-2019-15296 (An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2 ...) {DSA-4522-1 DLA-1899-1} - faad2 2.8.8-3 NOTE: https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174 CVE-2019-15295 (An Untrusted Search Path vulnerability in the ServiceInstance.dll libr ...) NOT-FOR-US: Bitdefender Antivirus Free CVE-2019-15294 (An issue was discovered in Gallagher Command Centre 8.10 before 8.10.1 ...) NOT-FOR-US: Gallagher Command Centre CVE-2019-15293 (An issue was discovered in ACDSee Photo Studio Standard 22.1 Build 115 ...) NOT-FOR-US: ACDSee CVE-2019-15289 RESERVED CVE-2019-15288 (A vulnerability in the CLI of Cisco TelePresence Collaboration Endpoin ...) NOT-FOR-US: Cisco CVE-2019-15287 RESERVED CVE-2019-15286 (Multiple vulnerabilities in Cisco Webex Network Recording Player for M ...) NOT-FOR-US: Cisco CVE-2019-15285 RESERVED CVE-2019-15284 (Multiple vulnerabilities in Cisco Webex Network Recording Player for M ...) NOT-FOR-US: Cisco CVE-2019-15283 RESERVED CVE-2019-15282 (A vulnerability in the web-based management interface of Cisco Identit ...) NOT-FOR-US: Cisco CVE-2019-15281 (A vulnerability in the web-based management interface of Cisco Identit ...) NOT-FOR-US: Cisco CVE-2019-15280 (A vulnerability in the web-based management interface of Cisco Firepow ...) NOT-FOR-US: Cisco CVE-2019-15279 RESERVED CVE-2019-15278 (A vulnerability in the web-based management interface of Cisco Finesse ...) NOT-FOR-US: Cisco CVE-2019-15277 (A vulnerability in the CLI of Cisco TelePresence Collaboration Endpoin ...) NOT-FOR-US: Cisco CVE-2019-15276 (A vulnerability in the web interface of Cisco Wireless LAN Controller ...) NOT-FOR-US: Cisco CVE-2019-15275 (A vulnerability in the CLI of Cisco TelePresence Collaboration Endpoin ...) NOT-FOR-US: Cisco CVE-2019-15274 (A vulnerability in the CLI of Cisco TelePresence Collaboration Endpoin ...) NOT-FOR-US: Cisco CVE-2019-15273 (Multiple vulnerabilities in the CLI of Cisco TelePresence Collaboratio ...) NOT-FOR-US: Cisco CVE-2019-15272 (A vulnerability in the web-based interface of Cisco Unified Communicat ...) NOT-FOR-US: Cisco CVE-2019-15271 (A vulnerability in the web-based management interface of certain Cisco ...) NOT-FOR-US: Cisco CVE-2019-15270 (A vulnerability in the web-based management interface of Cisco Firepow ...) NOT-FOR-US: Cisco CVE-2019-15269 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2019-15268 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2019-15267 RESERVED CVE-2019-15266 (A vulnerability in the CLI of Cisco Wireless LAN Controller (WLC) Soft ...) NOT-FOR-US: Cisco CVE-2019-15265 (A vulnerability in the bridge protocol data unit (BPDU) forwarding fun ...) NOT-FOR-US: Cisco CVE-2019-15264 (A vulnerability in the Control and Provisioning of Wireless Access Poi ...) NOT-FOR-US: Cisco CVE-2019-15263 RESERVED CVE-2019-15262 (A vulnerability in the Secure Shell (SSH) session management for Cisco ...) NOT-FOR-US: Cisco CVE-2019-15261 (A vulnerability in the Point-to-Point Tunneling Protocol (PPTP) VPN pa ...) NOT-FOR-US: Cisco CVE-2019-15260 (A vulnerability in Cisco Aironet Access Points (APs) Software could al ...) NOT-FOR-US: Cisco CVE-2019-15259 (A vulnerability in Cisco Unified Contact Center Express (UCCX) Softwar ...) NOT-FOR-US: Cisco CVE-2019-15258 (A vulnerability in the web-based management interface of Cisco SPA100 ...) NOT-FOR-US: Cisco CVE-2019-15257 (A vulnerability in the web-based management interface of Cisco SPA100 ...) NOT-FOR-US: Cisco CVE-2019-15256 (A vulnerability in the Internet Key Exchange version 1 (IKEv1) feature ...) NOT-FOR-US: Cisco CVE-2019-15255 (A vulnerability in the web-based management interface of Cisco Identit ...) NOT-FOR-US: Cisco CVE-2019-15254 RESERVED CVE-2019-15253 (A vulnerability in the web-based management interface of Cisco Digital ...) NOT-FOR-US: Cisco CVE-2019-15252 (Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapt ...) NOT-FOR-US: Cisco CVE-2019-15251 (Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapt ...) NOT-FOR-US: Cisco CVE-2019-15250 (Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapt ...) NOT-FOR-US: Cisco CVE-2019-15249 (Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapt ...) NOT-FOR-US: Cisco CVE-2019-15248 (Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapt ...) NOT-FOR-US: Cisco CVE-2019-15247 (Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapt ...) NOT-FOR-US: Cisco CVE-2019-15246 (Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapt ...) NOT-FOR-US: Cisco CVE-2019-15245 (Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapt ...) NOT-FOR-US: Cisco CVE-2019-15244 (Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapt ...) NOT-FOR-US: Cisco CVE-2019-15243 (Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapt ...) NOT-FOR-US: Cisco CVE-2019-15242 (Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapt ...) NOT-FOR-US: Cisco CVE-2019-15241 (Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapt ...) NOT-FOR-US: Cisco CVE-2019-15240 (Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapt ...) NOT-FOR-US: Cisco CVE-2019-15292 (An issue was discovered in the Linux kernel before 5.0.9. There is a u ...) {DLA-1930-1 DLA-1919-1} - linux 4.19.37-1 [stretch] - linux 4.9.184-1 CVE-2019-15291 (An issue was discovered in the Linux kernel through 5.2.9. There is a ...) {DLA-2114-1 DLA-2068-1} - linux 5.3.15-1 [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 NOTE: https://www.openwall.com/lists/oss-security/2019/08/20/2 CVE-2019-15290 REJECTED CVE-2019-15239 (In the Linux kernel, a certain net/ipv4/tcp_output.c change, which was ...) {DSA-4497-1 DLA-1884-1} - linux 4.15.4-1 NOTE: https://pulsesecurity.co.nz/advisories/linux-kernel-4.9-tcpsocketsuaf NOTE: Workaround entry for main entry as the issue never affected upstream version NOTE: actually and is specific to the stable versions backports. CVE-2019-15238 (The cforms2 plugin before 15.0.2 for WordPress has CSRF related to the ...) NOT-FOR-US: Wordpress plugin CVE-2019-15237 (Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, ...) - roundcube (low; bug #949629) [buster] - roundcube (Minor issue) [stretch] - roundcube (Minor issue) NOTE: https://github.com/roundcube/roundcubemail/issues/6891 CVE-2019-15236 RESERVED CVE-2019-15235 (CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.864 allows an att ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-15234 (SHAREit through 4.0.6.177 does not check the full message length from ...) NOT-FOR-US: SHAREit CVE-2019-15233 (The Live:Text Box macro in the Old Street Live Input Macros app before ...) NOT-FOR-US: Old Street Live Input Macros app for Confluence CVE-2019-15232 (Live555 before 2019.08.16 has a Use-After-Free because GenericMediaSer ...) [experimental] - liblivemedia 2019.08.16-1 - liblivemedia 2019.10.11-2 (low) [buster] - liblivemedia (Can be fixed along in future update) [stretch] - liblivemedia (Can be fixed along in future update) [jessie] - liblivemedia (Can be fixed along with more important patches) NOTE: Fixed upstream in 2019.08.16 according to available information. CVE-2019-15231 REJECTED CVE-2019-15230 (LibreNMS v1.54 has XSS in the Create User, Inventory, Add Device, Noti ...) NOT-FOR-US: LibreNMS CVE-2019-15229 (FUEL CMS 1.4.4 has CSRF in the blocks/create/ Create Blocks section of ...) NOT-FOR-US: FUEL CMS CVE-2019-15228 (FUEL CMS 1.4.4 has XSS in the Create Blocks section of the Admin conso ...) NOT-FOR-US: FUEL CMS CVE-2019-15227 (FlightPath 4.8.3 has XSS in the Content, Edit urgent message, and User ...) NOT-FOR-US: FlightPath CVE-2019-15226 (Upon receiving each incoming request header data, Envoy will iterate o ...) NOT-FOR-US: envoy proxy (not the same as itp'ed envoy, #758651) CVE-2019-15225 (In Envoy through 1.11.1, users may configure a route to match incoming ...) NOT-FOR-US: envoy proxy (not the same as itp'ed envoy, #758651) CVE-2019-15224 (The rest-client gem 1.6.10 through 1.6.13 for Ruby, as distributed on ...) - ruby-rest-client (Backdoored version not uploaded to Debian) CVE-2019-15223 (An issue was discovered in the Linux kernel before 5.1.8. There is a N ...) - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/0b074ab7fc0d575247b9cc9f93bb7e007ca38840 CVE-2019-15222 (An issue was discovered in the Linux kernel before 5.2.8. There is a N ...) - linux (Vulnerable code not present in any released version) NOTE: https://git.kernel.org/linus/5d78e1c2b7f4be00bbe62141603a631dc7812f35 CVE-2019-15221 (An issue was discovered in the Linux kernel before 5.1.17. There is a ...) {DLA-1930-1 DLA-1919-1} - linux 5.2.6-1 [buster] - linux 4.19.67-1 [stretch] - linux 4.9.185-1 NOTE: https://git.kernel.org/linus/3450121997ce872eb7f1248417225827ea249710 CVE-2019-15220 (An issue was discovered in the Linux kernel before 5.2.1. There is a u ...) {DLA-1930-1 DLA-1919-1} - linux 5.2.6-1 [buster] - linux 4.19.67-1 [stretch] - linux 4.9.189-1 NOTE: https://git.kernel.org/linus/6e41e2257f1094acc37618bf6c856115374c6922 CVE-2019-15219 (An issue was discovered in the Linux kernel before 5.1.8. There is a N ...) {DLA-1930-1 DLA-1919-1} - linux 5.2.6-1 [buster] - linux 4.19.67-1 [stretch] - linux 4.9.184-1 NOTE: https://git.kernel.org/linus/9a5729f68d3a82786aea110b1bfe610be318f80a CVE-2019-15218 (An issue was discovered in the Linux kernel before 5.1.8. There is a N ...) {DLA-1930-1 DLA-1919-1} - linux 5.2.6-1 [buster] - linux 4.19.67-1 [stretch] - linux 4.9.184-1 NOTE: https://git.kernel.org/linus/31e0456de5be379b10fea0fa94a681057114a96e CVE-2019-15217 (An issue was discovered in the Linux kernel before 5.2.3. There is a N ...) {DLA-2114-1 DLA-2068-1} - linux 5.2.6-1 [buster] - linux 4.19.98-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/5d2e73a5f80a5b5aff3caf1ec6d39b5b3f54b26e CVE-2019-15216 (An issue was discovered in the Linux kernel before 5.0.14. There is a ...) {DLA-1919-1 DLA-1884-1} - linux 5.2.6-1 [buster] - linux 4.19.67-1 [stretch] - linux 4.9.184-1 NOTE: https://git.kernel.org/linus/ef61eb43ada6c1d6b94668f0f514e4c268093ff3 CVE-2019-15215 (An issue was discovered in the Linux kernel before 5.2.6. There is a u ...) {DLA-1930-1 DLA-1919-1} - linux 5.2.6-1 [buster] - linux 4.19.67-1 [stretch] - linux 4.9.189-1 NOTE: https://git.kernel.org/linus/eff73de2b1600ad8230692f00bc0ab49b166512a CVE-2019-15214 (An issue was discovered in the Linux kernel before 5.0.10. There is a ...) {DLA-1884-1} - linux 4.19.37-1 [stretch] - linux 4.9.184-1 CVE-2019-15213 (An issue was discovered in the Linux kernel before 5.2.3. There is a u ...) - linux [stretch] - linux (Vulnerable code introduced later) [jessie] - linux (Vulnerable code introduced later) CVE-2019-15212 (An issue was discovered in the Linux kernel before 5.1.8. There is a d ...) {DLA-1930-1 DLA-1919-1} - linux 5.2.6-1 [buster] - linux 4.19.67-1 [stretch] - linux 4.9.184-1 NOTE: https://git.kernel.org/linus/3864d33943b4a76c6e64616280e98d2410b1190f CVE-2019-15211 (An issue was discovered in the Linux kernel before 5.2.6. There is a u ...) {DLA-1930-1 DLA-1919-1} - linux 5.2.6-1 [buster] - linux 4.19.67-1 [stretch] - linux 4.9.189-1 NOTE: https://git.kernel.org/linus/c666355e60ddb4748ead3bdd983e3f7f2224aaf0 CVE-2018-20978 (The wp-all-import plugin before 3.4.7 for WordPress has XSS. ...) NOT-FOR-US: Wordpress plugin CVE-2018-20977 (The all-in-one-schemaorg-rich-snippets plugin before 1.5.0 for WordPre ...) NOT-FOR-US: all-in-one-schemaorg-rich-snippets plugin for WordPress CVE-2017-18569 (The my-wp-translate plugin before 1.0.4 for WordPress has CSRF. ...) NOT-FOR-US: Wordpress plugin CVE-2017-18568 (The my-wp-translate plugin before 1.0.4 for WordPress has XSS. ...) NOT-FOR-US: Wordpress plugin CVE-2017-18567 (The wp-all-import plugin before 3.4.6 for WordPress has XSS. ...) NOT-FOR-US: Wordpress plugin CVE-2017-18566 (The user-role plugin before 1.5.6 for WordPress has multiple XSS issue ...) NOT-FOR-US: Wordpress plugin CVE-2017-18565 (The updater plugin before 1.35 for WordPress has multiple XSS issues. ...) NOT-FOR-US: updater plugin for WordPress CVE-2017-18564 (The sender plugin before 1.2.1 for WordPress has multiple XSS issues. ...) NOT-FOR-US: sender plugin for WordPress CVE-2017-18563 (The rsvp plugin before 2.3.8 for WordPress has persistent XSS via the ...) NOT-FOR-US: rsvp plugin for WordPress CVE-2017-18562 (The error-log-viewer plugin before 1.0.6 for WordPress has multiple XS ...) NOT-FOR-US: error-log-viewer plugin for WordPress CVE-2017-18561 (The embed-comment-images plugin before 0.6 for WordPress has XSS. ...) NOT-FOR-US: embed-comment-images plugin for WordPress CVE-2017-18560 (The content-audit plugin before 1.9.2 for WordPress has XSS. ...) NOT-FOR-US: content-audit plugin for WordPress CVE-2017-18559 (The cforms2 plugin before 14.13.3 for WordPress has multiple XSS issue ...) NOT-FOR-US: cforms2 plugin for WordPress CVE-2017-18558 (The bws-testimonials plugin before 0.1.9 for WordPress has multiple XS ...) NOT-FOR-US: bws-testimonials plugin for WordPress CVE-2017-18557 (The bws-google-maps plugin before 1.3.6 for WordPress has multiple XSS ...) NOT-FOR-US: bws-google-maps plugin for WordPress CVE-2017-18556 (The bws-google-analytics plugin before 1.7.1 for WordPress has multipl ...) NOT-FOR-US: bws-google-analytics plugin for WordPress CVE-2017-18555 (The booking-sms plugin before 1.1.0 for WordPress has XSS. ...) NOT-FOR-US: booking-sms plugin for WordPress CVE-2017-18554 (The analytics-tracker plugin before 1.1.1 for WordPress has XSS via a ...) NOT-FOR-US: analytics-tracker plugin for WordPress CVE-2017-18553 (The ad-buttons plugin before 2.3.2 for WordPress has XSS. ...) NOT-FOR-US: ad-buttons plugin for WordPress CVE-2016-10915 (The popup-by-supsystic plugin before 1.7.9 for WordPress has CSRF. ...) NOT-FOR-US: Wordpress plugin CVE-2016-10914 (The add-from-server plugin before 3.3.2 for WordPress has CSRF for imp ...) NOT-FOR-US: Wordpress plugin CVE-2016-10913 (The wp-latest-posts plugin before 3.7.5 for WordPress has XSS. ...) NOT-FOR-US: Wordpress plugin CVE-2016-10912 (The universal-analytics plugin before 1.3.1 for WordPress has XSS. ...) NOT-FOR-US: universal-analytics plugin for WordPress CVE-2016-10911 (The profile-builder plugin before 2.4.2 for WordPress has multiple XSS ...) NOT-FOR-US: profile-builder plugin for WordPress CVE-2016-10910 (The formbuilder plugin before 1.06 for WordPress has multiple XSS issu ...) NOT-FOR-US: formbuilder plugin for WordPress CVE-2016-10909 (The booking-calendar-contact-form plugin before 1.0.24 for WordPress h ...) NOT-FOR-US: booking-calendar-contact-form plugin for WordPress CVE-2016-10908 (The booking-calendar-contact-form plugin before 1.0.24 for WordPress h ...) NOT-FOR-US: booking-calendar-contact-form plugin for WordPress CVE-2015-9332 (The uninstall plugin before 1.2 for WordPress has CSRF to delete all t ...) NOT-FOR-US: Wordpress plugin CVE-2015-9331 (The wp-all-import plugin before 3.2.4 for WordPress has no prevention ...) NOT-FOR-US: Wordpress plugin CVE-2015-9330 (The wp-all-import plugin before 3.2.5 for WordPress has blind SQL inje ...) NOT-FOR-US: Wordpress plugin CVE-2015-9329 (The wp-all-import plugin before 3.2.5 for WordPress has reflected XSS. ...) NOT-FOR-US: Wordpress plugin CVE-2015-9328 (The profile-builder plugin before 2.2.5 for WordPress has XSS. ...) NOT-FOR-US: profile-builder plugin for WordPress CVE-2015-9327 (The flickr-justified-gallery plugin before 3.4.0 for WordPress has XSS ...) NOT-FOR-US: flickr-justified-gallery plugin for WordPress CVE-2014-10381 (The user-domain-whitelist plugin before 1.5 for WordPress has CSRF. ...) NOT-FOR-US: Wordpress plugin CVE-2014-10380 (The profile-builder plugin before 1.1.66 for WordPress has multiple XS ...) NOT-FOR-US: profile-builder plugin for WordPress CVE-2014-10379 (The duplicate-post plugin before 2.6 for WordPress has SQL injection. ...) NOT-FOR-US: duplicate-post plugin for WordPress CVE-2014-10378 (The duplicate-post plugin before 2.6 for WordPress has XSS. ...) NOT-FOR-US: duplicate-post plugin for WordPress CVE-2014-10377 (The cforms2 plugin before 13.2 for WordPress has XSS in lib_ajax.php. ...) NOT-FOR-US: cforms2 plugin for WordPress CVE-2012-6715 (The formbuilder plugin before 0.9.1 for WordPress has XSS via a Refere ...) NOT-FOR-US: formbuilder plugin for WordPress CVE-2012-6714 (The count-per-day plugin before 3.2.3 for WordPress has XSS via search ...) NOT-FOR-US: count-per-day plugin for WordPress CVE-2011-5328 (The user-access-manager plugin before 1.2 for WordPress has CSRF. ...) NOT-FOR-US: Wordpress plugin CVE-2019-15210 RESERVED CVE-2019-15209 RESERVED CVE-2019-15208 RESERVED CVE-2019-15207 RESERVED CVE-2019-15206 RESERVED CVE-2019-15205 RESERVED CVE-2019-15204 RESERVED CVE-2019-15203 RESERVED CVE-2019-15202 RESERVED CVE-2019-15201 RESERVED CVE-2019-15200 RESERVED CVE-2019-15199 RESERVED CVE-2019-15198 RESERVED CVE-2019-15197 RESERVED CVE-2019-15196 RESERVED CVE-2019-15195 RESERVED CVE-2019-15194 RESERVED CVE-2019-15193 RESERVED CVE-2019-15192 RESERVED CVE-2019-15191 RESERVED CVE-2019-15190 RESERVED CVE-2019-15189 RESERVED CVE-2019-15188 RESERVED CVE-2019-15187 RESERVED CVE-2019-15186 RESERVED CVE-2019-15185 RESERVED CVE-2019-15184 RESERVED CVE-2019-15183 RESERVED CVE-2019-15182 RESERVED CVE-2019-15181 RESERVED CVE-2019-15180 RESERVED CVE-2019-15179 RESERVED CVE-2019-15178 RESERVED CVE-2019-15177 RESERVED CVE-2019-15176 RESERVED CVE-2019-15175 RESERVED CVE-2019-15174 RESERVED CVE-2019-15173 RESERVED CVE-2019-15172 RESERVED CVE-2019-15171 RESERVED CVE-2019-15170 RESERVED CVE-2019-15169 RESERVED CVE-2019-15168 RESERVED CVE-2019-15167 RESERVED CVE-2019-15166 (lmp_print_data_link_subobjs() in print-lmp.c in tcpdump before 4.9.3 l ...) {DSA-4547-1 DLA-1955-1} - tcpdump 4.9.3-1 (bug #941698) NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/0b661e0aa61850234b64394585cf577aac570bf4 CVE-2019-15165 (sf-pcapng.c in libpcap before 1.9.1 does not properly validate the PHB ...) {DLA-1967-1} - libpcap 1.9.1-1 (low; bug #941697) [buster] - libpcap (Minor issue) [stretch] - libpcap (Minor issue) NOTE: https://github.com/the-tcpdump-group/libpcap/commit/87d6bef033062f969e70fa40c43dfd945d5a20ab NOTE: https://github.com/the-tcpdump-group/libpcap/commit/a5a36d9e82dde7265e38fe1f87b7f11c461c29f6 CVE-2019-15164 (rpcapd/daemon.c in libpcap before 1.9.1 allows SSRF because a URL may ...) - libpcap 1.9.1-1 (unimportant) [buster] - libpcap (Vulnerable code introduced in 1.9.0) [stretch] - libpcap (Vulnerable code introduced in 1.9.0) [jessie] - libpcap (Vulnerable code introduced in 1.9.0) NOTE: https://github.com/the-tcpdump-group/libpcap/commit/33834cb2a4d035b52aa2a26742f832a112e90a0a NOTE: rpcapd not build in Debian. CVE-2019-15163 (rpcapd/daemon.c in libpcap before 1.9.1 allows attackers to cause a de ...) - libpcap 1.9.1-1 (unimportant) [buster] - libpcap (Vulnerable code introduced in 1.9.0) [stretch] - libpcap (Vulnerable code introduced in 1.9.0) [jessie] - libpcap (Vulnerable code introduced in 1.9.0) NOTE: https://github.com/the-tcpdump-group/libpcap/commit/437b273761adedcbd880f714bfa44afeec186a31 NOTE: rpcapd not build in Debian. CVE-2019-15162 (rpcapd/daemon.c in libpcap before 1.9.1 on non-Windows platforms provi ...) - libpcap 1.9.1-1 (unimportant) [buster] - libpcap (Vulnerable code introduced in 1.9.0) [stretch] - libpcap (Vulnerable code introduced in 1.9.0) [jessie] - libpcap (Vulnerable code introduced in 1.9.0) NOTE: https://github.com/the-tcpdump-group/libpcap/commit/484d60cbf7ca4ec758c3cbb8a82d68b244a78d58 NOTE: rpcapd not build in Debian. CVE-2019-15161 (rpcapd/daemon.c in libpcap before 1.9.1 mishandles certain length valu ...) - libpcap 1.9.1-1 (unimportant) [buster] - libpcap (Vulnerable code introduced in 1.9.0) [stretch] - libpcap (Vulnerable code introduced in 1.9.0) [jessie] - libpcap (Vulnerable code introduced in 1.9.0) NOTE: https://github.com/the-tcpdump-group/libpcap/commit/617b12c0339db4891d117b661982126c495439ea NOTE: rpcapd not built in Debian. CVE-2019-15160 (The SweetXml (aka sweet_xml) package through 0.6.6 for Erlang and Elix ...) NOT-FOR-US: SweetXml (aka sweet_xml) package for Erlang and Elixir CVE-2019-15159 RESERVED CVE-2019-15158 RESERVED CVE-2019-15157 RESERVED CVE-2019-15156 RESERVED CVE-2019-15155 RESERVED CVE-2019-15154 RESERVED CVE-2019-15153 RESERVED CVE-2019-15152 RESERVED CVE-2019-15151 (AdPlug 2.3.1 has a double free in the Cu6mPlayer class in u6m.h. ...) [experimental] - adplug 2.3.3+dfsg-1 - adplug (bug #946340) [buster] - adplug (Minor issue) [stretch] - adplug (Minor issue) [jessie] - adplug (Minor issue) NOTE: https://github.com/adplug/adplug/issues/91 CVE-2019-15150 (In the OAuth2 Client extension before 0.4 for MediaWiki, a CSRF vulner ...) NOT-FOR-US: OAuth2 Client MediaWiki extension CVE-2019-15149 (** DISPUTED ** core.py in Mitogen before 0.2.8 has a typo that drops t ...) NOT-FOR-US: Mitogen CVE-2018-20976 (An issue was discovered in fs/xfs/xfs_super.c in the Linux kernel befo ...) {DLA-2114-1 DLA-1930-1} - linux 4.18.6-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/c9fbd7bbc23dbdd73364be4d045e5d3612cf6e82 CVE-2017-18552 (An issue was discovered in net/rds/af_rds.c in the Linux kernel before ...) - linux 4.11.6-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/780e982905bef61d13496d9af5310bf4af3a64d3 CVE-2017-18551 (An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux k ...) - linux 4.14.17-1 [stretch] - linux 4.9.168-1 [jessie] - linux 3.16.56-1 NOTE: https://git.kernel.org/linus/89c6efa61f5709327ecfa24bff18e57a4e80c7fa CVE-2017-18550 (An issue was discovered in drivers/scsi/aacraid/commctrl.c in the Linu ...) - linux 4.13.4-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/342ffc26693b528648bdc9377e51e4f2450b4860 CVE-2017-18549 (An issue was discovered in drivers/scsi/aacraid/commctrl.c in the Linu ...) - linux 4.13.4-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/342ffc26693b528648bdc9377e51e4f2450b4860 CVE-2016-10907 (An issue was discovered in drivers/iio/dac/ad5755.c in the Linux kerne ...) - linux 4.9.2-1 [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/9d47964bfd471f0dd4c89f28556aec68bffa0020 CVE-2016-10906 (An issue was discovered in drivers/net/ethernet/arc/emac_main.c in the ...) - linux 4.5.1-1 NOTE: https://git.kernel.org/linus/c278c253f3d992c6994d08aa0efb2b6806ca396f CVE-2016-10905 (An issue was discovered in fs/gfs2/rgrp.c in the Linux kernel before 4 ...) {DLA-1930-1} - linux 4.8.5-1 NOTE: https://git.kernel.org/linus/36e4ad0316c017d5b271378ed9a1c9a4b77fab5f CVE-2019-15148 (GoPro GPMF-parser 1.2.2 has an out-of-bounds write in OpenMP4Source in ...) NOT-FOR-US: gpmf-parser CVE-2019-15147 (GoPro GPMF-parser 1.2.2 has an out-of-bounds read and SEGV in GPMF_Nex ...) NOT-FOR-US: gpmf-parser CVE-2019-15146 (GoPro GPMF-parser 1.2.2 has a heap-based buffer over-read (4 bytes) in ...) NOT-FOR-US: gpmf-parser CVE-2019-15145 (DjVuLibre 3.5.27 allows attackers to cause a denial-of-service attack ...) {DLA-1902-1} - djvulibre 3.5.27.1-11 (low) [buster] - djvulibre (Minor issue) [stretch] - djvulibre (Minor issue) NOTE: https://sourceforge.net/p/djvu/bugs/298/ NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/9658b01431cd7ff6344d7787f855179e73fe81a7/ CVE-2019-15144 (In DjVuLibre 3.5.27, the sorting functionality (aka GArrayTemplate< ...) {DLA-1902-1} - djvulibre 3.5.27.1-11 (low) [buster] - djvulibre (Minor issue) [stretch] - djvulibre (Minor issue) NOTE: https://sourceforge.net/p/djvu/bugs/299/ NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/e15d51510048927f172f1bf1f27ede65907d940d/ CVE-2019-15143 (In DjVuLibre 3.5.27, the bitmap reader component allows attackers to c ...) {DLA-1902-1} - djvulibre 3.5.27.1-11 (low) [buster] - djvulibre (Minor issue) [stretch] - djvulibre (Minor issue) NOTE: https://sourceforge.net/p/djvu/bugs/297/ NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/b1f4e1b2187d9e5010cd01ceccf20b4a11ce723f/ CVE-2019-15142 (In DjVuLibre 3.5.27, DjVmDir.cpp in the DJVU reader component allows a ...) {DLA-1902-1} - djvulibre 3.5.27.1-11 (low) [buster] - djvulibre (Minor issue) [stretch] - djvulibre (Minor issue) NOTE: https://sourceforge.net/p/djvu/bugs/296/ NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/970fb11a296b5bbdc5e8425851253d2c5913c45e/ CVE-2019-15141 (WriteTIFFImage in coders/tiff.c in ImageMagick 7.0.8-43 Q16 allows att ...) - imagemagick (Incomplete fix for CVE-2019-11597 not applied) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1560 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/3c53413eb544cc567309b4c86485eae43e956112 CVE-2019-15140 (coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote attackers to ca ...) {DSA-4715-1 DSA-4712-1 DLA-1968-1} - imagemagick (bug #941671) NOTE: https://github.com/ImageMagick/ImageMagick/commit/f7206618d27c2e69d977abf40e3035a33e5f6be0 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/5caef6e97f3f575cf7bea497865a4c1e624b8010 NOTE: followup, previous patch introduced compiler warnings NOTE: https://github.com/ImageMagick/ImageMagick6/commit/5caef6e97f3f575cf7bea497865a4c1e624b8010 NOTE: https://github.com/ImageMagick/ImageMagick/issues/1554 CVE-2019-15139 (The XWD image (X Window System window dumping file) parsing component ...) {DSA-4712-1 DLA-1968-1} - imagemagick (bug #941670) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/commit/c78993d138bf480ab4652b5a48379d4ff75ba5f7 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/6d46f0a046a58e7c4567a86ba1b9cb847d5b1968 NOTE: ImageMagick6: followup, partly reverts previous patch: NOTE: https://github.com/ImageMagick/ImageMagick6/commit/e295b8193a1413a39d5c0b3e18fa7ca952c35cdf NOTE: https://github.com/ImageMagick/ImageMagick/issues/1553 CVE-2019-15138 (The html-pdf package 2.2.0 for Node.js has an arbitrary file read vuln ...) NOT-FOR-US: node html-pdf CVE-2019-15137 (The Access Control plugin in eProsima Fast RTPS through 1.9.0 allows f ...) NOT-FOR-US: eProsima Fast RTPS CVE-2019-15136 (The Access Control plugin in eProsima Fast RTPS through 1.9.0 does not ...) NOT-FOR-US: eProsima Fast RTPS CVE-2019-15135 (The handshake protocol in Object Management Group (OMG) DDS Security 1 ...) NOT-FOR-US: Object Management Group (OMG) DDS Security CVE-2019-15134 (RIOT through 2019.07 contains a memory leak in the TCP implementation ...) NOT-FOR-US: RIOT RIOT-OS CVE-2019-15133 (In GIFLIB before 2019-02-16, a malformed GIF file triggers a divide-by ...) [experimental] - giflib 5.1.8-1 - giflib 5.1.9-1 [buster] - giflib (Minor issue) [stretch] - giflib (Minor issue) [jessie] - giflib (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13008 NOTE: https://sourceforge.net/p/giflib/code/ci/799eb6a3af8a3dd81e2429bf11a72a57e541f908/ NOTE: https://sourceforge.net/p/giflib/bugs/119/ CVE-2019-15132 (Zabbix through 4.4.0alpha1 allows User Enumeration. With login request ...) - zabbix (bug #935027) [buster] - zabbix (Minor issue) [stretch] - zabbix (Minor issue) [jessie] - zabbix (Minor issue) NOTE: https://support.zabbix.com/browse/ZBX-16532 CVE-2019-15131 (In Code42 Enterprise 6.7.5 and earlier, 6.8.4 through 6.8.8, and 7.0.0 ...) NOT-FOR-US: Code42 CVE-2019-15130 (The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681 ...) NOT-FOR-US: Recruitment module in Humanica Humatrix CVE-2019-15129 (The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681 ...) NOT-FOR-US: Recruitment module in Humanica Humatrix CVE-2019-15128 (iF.SVNAdmin through 1.6.2 allows svnadmin/usercreate.php CSRF to creat ...) NOT-FOR-US: iF.SVNAdmin CVE-2019-15127 (REDCap before 9.3.0 allows XSS attacks against non-administrator accou ...) NOT-FOR-US: REDCap CVE-2019-15126 (An issue was discovered on Broadcom Wi-Fi client devices. Specifically ...) NOT-FOR-US: Broadcom CVE-2019-15125 RESERVED CVE-2018-20975 (Fat Free CRM before 0.18.1 has XSS in the tags_helper in app/helpers/t ...) NOT-FOR-US: Fat Free CRM CVE-2019-15124 (In the MobileFrontend extension for MediaWiki, XSS exists within the e ...) NOT-FOR-US: MobileFrontend extension for MediaWiki CVE-2019-15123 (The Branding Module in Viki Vera 4.9.1.26180 allows an authenticated u ...) NOT-FOR-US: Viki Vera CVE-2019-15122 RESERVED CVE-2019-15121 RESERVED CVE-2019-15120 (The Kunena extension before 5.1.14 for Joomla! allows XSS via BBCode. ...) NOT-FOR-US: Kunena extension for Joomla! CVE-2019-15119 (lib/install/install.go in cnlh nps through 0.23.2 uses 0777 permission ...) NOT-FOR-US: cnlh nps CVE-2019-15118 (check_input_term in sound/usb/mixer.c in the Linux kernel through 5.2. ...) {DSA-4531-1 DLA-1940-1 DLA-1930-1} - linux 5.2.17-1 NOTE: Fixed by: https://git.kernel.org/linus/19bce474c45be69a284ecee660aa12d8f1e88f18 CVE-2019-15117 (parse_audio_mixer_unit in sound/usb/mixer.c in the Linux kernel throug ...) {DSA-4531-1 DLA-1940-1 DLA-1930-1} - linux 5.2.17-1 NOTE: Fixed by: https://git.kernel.org/linus/daac07156b330b18eb5071aec4b3ddca1c377f2c CVE-2019-15116 (The easy-digital-downloads plugin before 2.9.16 for WordPress has XSS ...) NOT-FOR-US: easy-digital-downloads plugin for WordPress CVE-2019-15115 (The peters-login-redirect plugin before 2.9.2 for WordPress has CSRF. ...) NOT-FOR-US: peters-login-redirect plugin for WordPress CVE-2019-15114 (The formcraft-form-builder plugin before 1.2.2 for WordPress has CSRF. ...) NOT-FOR-US: formcraft-form-builder plugin for WordPress CVE-2019-15113 (The companion-sitemap-generator plugin before 3.7.0 for WordPress has ...) NOT-FOR-US: companion-sitemap-generator plugin for WordPress CVE-2019-15112 (The wp-slimstat plugin before 4.8.1 for WordPress has XSS. ...) NOT-FOR-US: wp-slimstat plugin for WordPress CVE-2019-15111 (The wp-front-end-profile plugin before 0.2.2 for WordPress has a privi ...) NOT-FOR-US: wp-front-end-profile plugin for WordPress CVE-2019-15110 (The wp-front-end-profile plugin before 0.2.2 for WordPress has XSS. ...) NOT-FOR-US: wp-front-end-profile plugin for WordPress CVE-2019-15109 (The the-events-calendar plugin before 4.8.2 for WordPress has XSS via ...) NOT-FOR-US: the-events-calendar plugin for WordPress CVE-2019-15108 (An issue was discovered in WSO2 API Manager 2.6.0 before WSO2-CARBON-P ...) NOT-FOR-US: WSO2 API Manager CVE-2019-15107 (An issue was discovered in Webmin <=1.920. The parameter old in pas ...) - webmin CVE-2019-15106 (An issue was discovered in Zoho ManageEngine OpManager in builds befor ...) NOT-FOR-US: Zoho ManageEngine OpManager CVE-2019-15105 (An issue was discovered in Zoho ManageEngine Application Manager throu ...) NOT-FOR-US: Zoho ManageEngine Application Manager CVE-2019-15104 (An issue was discovered in Zoho ManageEngine OpManager through 12.4x. ...) NOT-FOR-US: Zoho ManageEngine OpManager CVE-2019-15103 RESERVED CVE-2019-15102 (An issue was discovered in Tyto Sahi Pro 6.x through 8.0.0. TestRunner ...) NOT-FOR-US: Tyto Sahi Pro CVE-2019-15101 RESERVED CVE-2019-15100 RESERVED CVE-2019-15097 RESERVED CVE-2019-15096 RESERVED CVE-2019-15095 (DWSurvey through 2019-07-22 has reflected XSS via the design/qu-multi- ...) NOT-FOR-US: DWSurvey CVE-2019-15094 RESERVED CVE-2019-15093 RESERVED CVE-2019-15092 (The webtoffee "WordPress Users & WooCommerce Customers Import Expo ...) NOT-FOR-US: webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin for WordPress CVE-2019-15091 (filemgr.php in Artica Integria IMS 5.0.86 allows index.php?sec=wiki&am ...) NOT-FOR-US: Artica Integria IMS CVE-2019-15089 (An issue was discovered in PRiSE adAS 1.7.0. Forms have no CSRF protec ...) NOT-FOR-US: PRiSE adAS CVE-2019-15088 (An issue was discovered in PRiSE adAS 1.7.0. Password hashes are compa ...) NOT-FOR-US: PRiSE adAS CVE-2019-15087 (An issue was discovered in PRiSE adAS 1.7.0. An authenticated user can ...) NOT-FOR-US: PRiSE adAS CVE-2019-15086 (An issue was discovered in PRiSE adAS 1.7.0. The newentityID parameter ...) NOT-FOR-US: PRiSE adAS CVE-2019-15085 (An issue was discovered in PRiSE adAS 1.7.0. The current database pass ...) NOT-FOR-US: PRiSE adAS CVE-2019-15084 (Realtek Waves MaxxAudio driver 1.6.2.0, as used on Dell laptops, insta ...) NOT-FOR-US: Realtek CVE-2019-15083 (Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 befor ...) NOT-FOR-US: Zoho ManageEngine CVE-2018-20974 (The js-jobs plugin before 1.0.7 for WordPress has CSRF. ...) NOT-FOR-US: js-jobs plugin for WordPress CVE-2018-20973 (The companion-auto-update plugin before 3.2.1 for WordPress has local ...) NOT-FOR-US: companion-auto-update plugin for WordPress CVE-2018-20972 (The companion-auto-update plugin before 3.2.1 for WordPress has CSRF. ...) NOT-FOR-US: companion-auto-update plugin for WordPress CVE-2018-20971 (The church-admin plugin before 1.2550 for WordPress has CSRF affecting ...) NOT-FOR-US: church-admin plugin for WordPress CVE-2018-20970 (The pdf-print plugin before 2.0.3 for WordPress has multiple XSS issue ...) NOT-FOR-US: pdf-print plugin for WordPress CVE-2018-20969 (do_ed_script in pch.c in GNU patch through 2.7.6 does not block string ...) {DSA-4489-1 DLA-1864-1} - patch 2.7.6-5 NOTE: https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0 CVE-2017-18548 (The note-press plugin before 0.1.2 for WordPress has SQL injection. ...) NOT-FOR-US: note-press plugin for WordPress CVE-2017-18547 (The nelio-ab-testing plugin before 4.6.4 for WordPress has CSRF in exp ...) NOT-FOR-US: nelio-ab-testing plugin for WordPress CVE-2017-18546 (The jayj-quicktag plugin before 1.3.2 for WordPress has CSRF. ...) NOT-FOR-US: jayj-quicktag plugin for WordPress CVE-2017-18545 (The invite-anyone plugin before 1.3.16 for WordPress has incorrect esc ...) NOT-FOR-US: invite-anyone plugin for WordPress CVE-2017-18544 (The invite-anyone plugin before 1.3.16 for WordPress has admin-panel C ...) NOT-FOR-US: invite-anyone plugin for WordPress CVE-2017-18543 (The invite-anyone plugin before 1.3.16 for WordPress has incorrect acc ...) NOT-FOR-US: invite-anyone plugin for WordPress CVE-2017-18542 (The zendesk-help-center plugin before 1.0.5 for WordPress has multiple ...) NOT-FOR-US: zendesk-help-center plugin for WordPress CVE-2017-18541 (The xo-security plugin before 1.5.3 for WordPress has XSS. ...) NOT-FOR-US: xo-security plugin for WordPress CVE-2017-18540 (The weblibrarian plugin before 3.4.8.7 for WordPress has XSS via front ...) NOT-FOR-US: weblibrarian plugin for WordPress CVE-2017-18539 (The weblibrarian plugin before 3.4.8.6 for WordPress has XSS via front ...) NOT-FOR-US: weblibrarian plugin for WordPress CVE-2017-18538 (The weblibrarian plugin before 3.4.8.5 for WordPress has XSS via front ...) NOT-FOR-US: weblibrarian plugin for WordPress CVE-2017-18537 (The visitors-online plugin before 1.0.0 for WordPress has multiple XSS ...) NOT-FOR-US: visitors-online plugin for WordPress CVE-2017-18536 (The stop-user-enumeration plugin before 1.3.8 for WordPress has XSS. ...) NOT-FOR-US: stop-user-enumeration plugin for WordPress CVE-2017-18535 (The smokesignal plugin before 1.2.7 for WordPress has XSS. ...) NOT-FOR-US: smokesignal plugin for WordPress CVE-2017-18534 (The share-on-diaspora plugin before 0.7.2 for WordPress has reflected ...) NOT-FOR-US: share-on-diaspora plugin for WordPress CVE-2017-18533 (The rimons-twitter-widget plugin before 1.3 for WordPress has XSS. ...) NOT-FOR-US: Wordpress plugin CVE-2017-18532 (The realty plugin before 1.1.0 for WordPress has multiple XSS issues. ...) NOT-FOR-US: Wordpress plugin CVE-2017-18531 (The raygun4wp plugin before 1.8.3 for WordPress has XSS in the setting ...) NOT-FOR-US: Wordpress plugin CVE-2017-18530 (The rating-bws plugin before 0.2 for WordPress has multiple XSS issues ...) NOT-FOR-US: Wordpress plugin CVE-2017-18529 (The promobar plugin before 1.1.1 for WordPress has multiple XSS issues ...) NOT-FOR-US: Wordpress plugin CVE-2017-18528 (The pdf-print plugin before 1.9.4 for WordPress has multiple XSS issue ...) NOT-FOR-US: Wordpress plugin CVE-2017-18527 (The pagination plugin before 1.0.7 for WordPress has multiple XSS issu ...) NOT-FOR-US: Wordpress plugin CVE-2017-18526 (The moreads-se plugin before 1.4.7 for WordPress has XSS. ...) NOT-FOR-US: Wordpress plugin CVE-2016-10904 (The olimometer plugin before 2.57 for WordPress has SQL injection. ...) NOT-FOR-US: olimometer plugin for WordPress CVE-2016-10903 (The GoDaddy godaddy-email-marketing-sign-up-forms plugin before 1.1.3 ...) NOT-FOR-US: GoDaddy godaddy-email-marketing-sign-up-forms plugin for WordPress CVE-2016-10902 (The wp-customer-reviews plugin before 3.0.9 for WordPress has CSRF in ...) NOT-FOR-US: wp-customer-reviews plugin for WordPress CVE-2016-10901 (The wp-customer-reviews plugin before 3.0.9 for WordPress has XSS in t ...) NOT-FOR-US: wp-customer-reviews plugin for WordPress CVE-2016-10900 (The uji-countdown plugin before 2.0.7 for WordPress has XSS. ...) NOT-FOR-US: uji-countdown plugin for WordPress CVE-2016-10899 (The total-security plugin before 3.4.1 for WordPress has a settings-ch ...) NOT-FOR-US: total-security plugin for WordPress CVE-2016-10898 (The total-security plugin before 3.4.1 for WordPress has XSS. ...) NOT-FOR-US: total-security plugin for WordPress CVE-2016-10897 (The sermon-browser plugin before 0.45.16 for WordPress has multiple XS ...) NOT-FOR-US: sermon-browser plugin for WordPress CVE-2016-10896 (The seo-redirection plugin before 4.3 for WordPress has stored XSS. ...) NOT-FOR-US: seo-redirection plugin for WordPress CVE-2016-10895 (The option-tree plugin before 2.6.0 for WordPress has XSS via an add_l ...) NOT-FOR-US: Wordpress plugin CVE-2015-9326 (The wp-business-intelligence-lite plugin before 1.6.3 for WordPress ha ...) NOT-FOR-US: wp-business-intelligence-lite plugin for WordPress CVE-2015-9325 (The visitors-online plugin before 0.4 for WordPress has SQL injection. ...) NOT-FOR-US: visitors-online plugin for WordPress CVE-2015-9324 (The easy-digital-downloads plugin before 2.3.3 for WordPress has SQL i ...) NOT-FOR-US: easy-digital-downloads plugin for WordPress CVE-2015-9323 (The 404-to-301 plugin before 2.0.3 for WordPress has SQL injection. ...) NOT-FOR-US: 404-to-301 plugin for WordPress CVE-2015-9322 (The erident-custom-login-and-dashboard plugin before 3.5 for WordPress ...) NOT-FOR-US: erident-custom-login-and-dashboard plugin for WordPress CVE-2015-9321 (The shortcode-factory plugin before 1.1.1 for WordPress has XSS via ad ...) NOT-FOR-US: shortcode-factory plugin for WordPress CVE-2015-9320 (The option-tree plugin before 2.5.4 for WordPress has XSS related to a ...) NOT-FOR-US: Wordpress plugin CVE-2014-10376 (The i-recommend-this plugin before 3.7.3 for WordPress has SQL injecti ...) NOT-FOR-US: i-recommend-this plugin for WordPress CVE-2019-15099 (drivers/net/wireless/ath/ath10k/usb.c in the Linux kernel through 5.2. ...) - linux 5.3.15-1 [buster] - linux 4.19.87-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://lore.kernel.org/linux-wireless/20190804003101.11541-1-benquike@gmail.com/T/#u CVE-2019-15098 (drivers/net/wireless/ath/ath6kl/usb.c in the Linux kernel through 5.2. ...) {DLA-2114-1 DLA-2068-1} - linux 5.3.7-1 [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 NOTE: https://lore.kernel.org/linux-wireless/20190804002905.11292-1-benquike@gmail.com/T/#u CVE-2019-15090 (An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the Linux k ...) - linux 5.2.6-1 [buster] - linux 4.19.67-1 [stretch] - linux (Vulnerable code introduced later) [jessie] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/c09581a52765a85f19fc35340127396d5e3379cc CVE-2019-15082 (The 360-product-rotation plugin before 1.4.8 for WordPress has reflect ...) NOT-FOR-US: Wordpress plugin CVE-2019-15081 (OpenCart 3.x, when the attacker has login access to the admin panel, a ...) NOT-FOR-US: OpenCart CVE-2019-15080 RESERVED CVE-2019-15079 RESERVED CVE-2019-15078 RESERVED CVE-2019-15077 RESERVED CVE-2019-15076 RESERVED CVE-2019-15075 (An issue was discovered in iNextrix ASTPP before 4.0.1. web_interface/ ...) NOT-FOR-US: iNextrix ASTPP CVE-2019-15074 (The Timeline feature in my_view_page.php in MantisBT through 2.21.1 ha ...) - mantis NOTE: https://github.com/mantisbt/mantisbt/commit/9cee1971c498bbe0a72bca1c773fae50171d8c27 NOTE: https://mantisbt.org/bugs/view.php?id=25995 CVE-2019-15073 (An Open Redirect vulnerability for all browsers in MAIL2000 through ve ...) NOT-FOR-US: Openfind MAIL2000 CVE-2019-15072 (The login feature in "/cgi-bin/portal" in MAIL2000 through version 6.0 ...) NOT-FOR-US: Openfind MAIL2000 CVE-2019-15071 (The "/cgi-bin/go" page in MAIL2000 through version 6.0 and 7.0 has a c ...) NOT-FOR-US: Openfind MAIL2000 CVE-2019-15070 RESERVED CVE-2019-15069 (An unsafe authentication interface was discovered in Smart Battery A4, ...) NOT-FOR-US: Smart Battery CVE-2019-15068 (A broken access control vulnerability in Smart Battery A4, a multifunc ...) NOT-FOR-US: Smart Battery CVE-2019-15067 (An authentication bypass vulnerability discovered in Smart Battery A2- ...) NOT-FOR-US: Smart Battery CVE-2019-15066 (An “invalid command” handler issue was discovered in HiNet ...) NOT-FOR-US: HiNet GPON firmware CVE-2019-15065 (A service which is hosted on port 6998 in HiNet GPON firmware < I04 ...) NOT-FOR-US: HiNet GPON firmware CVE-2019-15064 (HiNet GPON firmware version < I040GWR190731 allows an attacker logi ...) NOT-FOR-US: HiNet GPON firmware CVE-2017-18525 (The megamenu plugin before 2.4 for WordPress has XSS. ...) NOT-FOR-US: megamenu plugin for WordPress CVE-2017-18524 (The football-pool plugin before 2.6.5 for WordPress has multiple XSS i ...) NOT-FOR-US: Wordpress plugin CVE-2017-18523 (The eelv-newsletter plugin before 4.6.1 for WordPress has CSRF in the ...) NOT-FOR-US: Wordpress plugin CVE-2017-18522 (The eelv-newsletter plugin before 4.6.1 for WordPress has XSS in the a ...) NOT-FOR-US: Wordpress plugin CVE-2017-18521 (The democracy-poll plugin before 5.4 for WordPress has CSRF via wp-adm ...) NOT-FOR-US: democracy-poll plugin for WordPress CVE-2017-18520 (The democracy-poll plugin before 5.4 for WordPress has XSS via update_ ...) NOT-FOR-US: Wordpress plugin CVE-2017-18519 (The customer-area plugin before 7.4.3 for WordPress has XSS via admin ...) NOT-FOR-US: Wordpress plugin CVE-2017-18518 (The bws-smtp plugin before 1.1.0 for WordPress has multiple XSS issues ...) NOT-FOR-US: Wordpress plugin CVE-2017-18517 (The bws-pinterest plugin before 1.0.5 for WordPress has multiple XSS i ...) NOT-FOR-US: Wordpress plugin CVE-2017-18516 (The bws-linkedin plugin before 1.0.5 for WordPress has multiple XSS is ...) NOT-FOR-US: bws-linkedin plugin for WordPress CVE-2016-10894 (xtrlock through 2.10 does not block multitouch events. Consequently, a ...) {DLA-1959-1} - xtrlock 2.12 (bug #830726) [buster] - xtrlock 2.8+deb10u1 [stretch] - xtrlock (Minor issue; can be fixed via point release) CVE-2016-10893 (The crayon-syntax-highlighter plugin before 2.8.4 for WordPress has mu ...) NOT-FOR-US: Wordpress plugin CVE-2016-10892 (The chained-quiz plugin before 1.0 for WordPress has multiple XSS issu ...) NOT-FOR-US: Wordpress plugin CVE-2016-10891 (The aryo-activity-log plugin before 2.3.3 for WordPress has XSS. ...) NOT-FOR-US: aryo-activity-log plugin for WordPress CVE-2016-10890 (The aryo-activity-log plugin before 2.3.2 for WordPress has XSS. ...) NOT-FOR-US: aryo-activity-log plugin for WordPress CVE-2015-9319 (The gregs-high-performance-seo plugin before 1.6.2 for WordPress has X ...) NOT-FOR-US: Wordpress plugin CVE-2015-9318 (The awesome-support plugin before 3.1.7 for WordPress has a security i ...) NOT-FOR-US: Wordpress plugin CVE-2015-9317 (The awesome-support plugin before 3.1.7 for WordPress has XSS via cust ...) NOT-FOR-US: Wordpress plugin CVE-2019-15063 RESERVED CVE-2019-15062 (An issue was discovered in Dolibarr 11.0.0-alpha. A user can store an ...) - dolibarr NOTE: https://github.com/Dolibarr/dolibarr/issues/11671 CVE-2019-15061 RESERVED CVE-2019-15060 (The traceroute function on the TP-Link TL-WR840N v4 router with firmwa ...) NOT-FOR-US: TP-Link CVE-2019-15059 RESERVED CVE-2019-15058 (stb_image.h (aka the stb image loader) 2.23 has a heap-based buffer ov ...) - libstb (bug #934973) [buster] - libstb (Minor issue) NOTE: https://github.com/nothings/stb/issues/790 NOTE: Potentially also affects libsixel, mame, libsfml, love, zynaddsubfx, yquake2, ccextractor, zam-plugins, osgearth, catimg, darknet, gem, retroarch, renderdoc, goxel CVE-2019-15057 RESERVED CVE-2019-15056 RESERVED CVE-2019-15055 (MikroTik RouterOS through 6.44.5 and 6.45.x through 6.45.3 improperly ...) NOT-FOR-US: MikroTik RouterOS CVE-2019-15054 (Multiple cross-site scripting (XSS) vulnerabilities in Mailbird before ...) NOT-FOR-US: Mailbird CVE-2019-15053 (The "HTML Include and replace macro" plugin before 1.5.0 for Confluenc ...) NOT-FOR-US: "HTML Include and replace macro" plugin for Confluence Server CVE-2019-15052 (The HTTP client in Gradle before 5.6 sends authentication credentials ...) - gradle (low; bug #941187) [buster] - gradle (Minor issue) [stretch] - gradle (Minor issue) [jessie] - gradle (Minor issue, old gradle mainly used for building Debian packages with system libraries) NOTE: https://github.com/gradle/gradle/issues/10278 NOTE: https://github.com/gradle/gradle/pull/10176 NOTE: https://github.com/gradle/gradle/security/advisories/GHSA-4cwg-f7qc-6r95 CVE-2019-15051 (An issue was discovered in Softing uaGate (SI, MB, 840D) firmware thro ...) NOT-FOR-US: Softing uaGate CVE-2019-15050 (An issue was discovered in Bento4 1.5.1.0. There is a heap-based buffe ...) NOT-FOR-US: Bento4 CVE-2019-15049 (An issue was discovered in Bento4 1.5.1.0. There is a heap-based buffe ...) NOT-FOR-US: Bento4 CVE-2019-15048 (An issue was discovered in Bento4 1.5.1.0. There is a heap-based buffe ...) NOT-FOR-US: Bento4 CVE-2019-15047 (An issue was discovered in Bento4 1.5.1.0. There is a heap-based buffe ...) NOT-FOR-US: Bento4 CVE-2019-15046 (Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthentica ...) NOT-FOR-US: Zoho ManageEngine ServiceDesk Plus CVE-2019-15045 (** DISPUTED ** AjaxDomainServlet in Zoho ManageEngine ServiceDesk Plus ...) NOT-FOR-US: Zoho ManageEngine ServiceDesk Plus CVE-2019-15044 RESERVED NOT-FOR-US: Qualcomm components for Android CVE-2019-15043 (In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow u ...) - grafana CVE-2019-15042 (An issue was discovered in JetBrains TeamCity 2018.2.4. It had no SSL ...) NOT-FOR-US: JetBrains TeamCity CVE-2019-15041 (JetBrains YouTrack versions before 2019.1.52545 allowed unbounded URL ...) NOT-FOR-US: JetBrains YouTrack CVE-2019-15040 (JetBrains YouTrack versions before 2019.1 had a CSRF vulnerability on ...) NOT-FOR-US: JetBrains YouTrack CVE-2019-15039 (An issue was discovered in JetBrains TeamCity 2018.2.4. It had a possi ...) NOT-FOR-US: JetBrains TeamCity CVE-2019-15038 (An issue was discovered in JetBrains TeamCity 2018.2.4. The TeamCity s ...) NOT-FOR-US: JetBrains TeamCity CVE-2019-15037 (An issue was discovered in JetBrains TeamCity 2018.2.4. It had several ...) NOT-FOR-US: JetBrains TeamCity CVE-2019-15036 (An issue was discovered in JetBrains TeamCity 2018.2.4. A TeamCity Pro ...) NOT-FOR-US: JetBrains TeamCity CVE-2019-15035 (An issue was discovered in JetBrains TeamCity 2018.2.4. A TeamCity Pro ...) NOT-FOR-US: JetBrains TeamCity CVE-2019-15034 (hw/display/bochs-display.c in QEMU 4.0.0 does not ensure a sufficient ...) {DSA-4665-1} - qemu 1:4.1-1 [stretch] - qemu (Vulnerable code introduced later) [jessie] - qemu (Vulnerable code introduced later) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-08/msg01959.html NOTE: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=5e7bcdcfe69ce0fad66012b2cfb2035003c37eef CVE-2019-15033 (Pydio 6.0.8 allows Authenticated SSRF during a Remote Link Feature dow ...) - ajaxplorer (bug #668381) CVE-2019-15032 (Pydio 6.0.8 mishandles error reporting when a directory allows unauthe ...) - ajaxplorer (bug #668381) CVE-2019-15031 (In the Linux kernel through 5.2.14 on the powerpc platform, a local us ...) - linux 5.2.17-1 [buster] - linux 4.19.87-1 [stretch] - linux (Vulnerable code introduced later) [jessie] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/a8318c13e79badb92bc6640704a64cc022a6eb97 CVE-2019-15030 (In the Linux kernel through 5.2.14 on the powerpc platform, a local us ...) - linux 5.2.17-1 [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/8205d5d98ef7f155de211f5e2eb6ca03d95a5a60 CVE-2019-15029 (FusionPBX 4.4.8 allows an attacker to execute arbitrary system command ...) NOT-FOR-US: FusionPBX CVE-2019-15028 (In Joomla! before 3.9.11, inadequate checks in com_contact could allow ...) NOT-FOR-US: Joomla! CVE-2019-15027 (The MediaTek Embedded Multimedia Card (eMMC) subsystem for Android on ...) NOT-FOR-US: Mediatek CVE-2019-15026 (memcached 1.5.16, when UNIX sockets are used, has a stack-based buffer ...) {DLA-1913-1} - memcached 1.5.17-1 (bug #939337) [buster] - memcached (Minor issue) [stretch] - memcached (Minor issue) NOTE: Fixed by: https://github.com/memcached/memcached/commit/554b56687a19300a75ec24184746b5512580c819 CVE-2019-15025 (The ninja-forms plugin before 3.3.21.2 for WordPress has SQL injection ...) NOT-FOR-US: ninja-forms plugin for WordPress CVE-2018-20968 (The wp-ultimate-exporter plugin before 1.4.2 for WordPress has CSRF. ...) NOT-FOR-US: wp-ultimate-exporter plugin for WordPress CVE-2018-20967 (The wp-ultimate-csv-importer plugin before 5.6.1 for WordPress has CSR ...) NOT-FOR-US: wp-ultimate-csv-importer plugin for WordPress CVE-2017-18515 (The wp-statistics plugin before 12.0.8 for WordPress has SQL injection ...) NOT-FOR-US: wp-statistics plugin for WordPress CVE-2017-18514 (The simple-login-log plugin before 1.1.2 for WordPress has SQL injecti ...) NOT-FOR-US: simple-login-log plugin for WordPress CVE-2017-18513 (The responsive-menu plugin before 3.1.4 for WordPress has no CSRF prot ...) NOT-FOR-US: responsive-menu plugin for WordPress CVE-2017-18512 (The newsletter-by-supsystic plugin before 1.1.8 for WordPress has CSRF ...) NOT-FOR-US: newsletter-by-supsystic plugin for WordPress CVE-2017-18511 (The custom-sidebars plugin before 3.0.8.1 for WordPress has CSRF. ...) NOT-FOR-US: custom-sidebars plugin for WordPress CVE-2017-18510 (The custom-sidebars plugin before 3.1.0 for WordPress has CSRF related ...) NOT-FOR-US: custom-sidebars plugin for WordPress CVE-2016-10889 (The nextgen-gallery plugin before 2.1.57 for WordPress has SQL injecti ...) NOT-FOR-US: nextgen-gallery plugin for WordPress CVE-2016-10888 (The all-in-one-wp-security-and-firewall plugin before 4.0.7 for WordPr ...) NOT-FOR-US: all-in-one-wp-security-and-firewall plugin for WordPress CVE-2016-10887 (The all-in-one-wp-security-and-firewall plugin before 4.0.9 for WordPr ...) NOT-FOR-US: all-in-one-wp-security-and-firewall plugin for WordPress CVE-2016-10886 (The wp-editor plugin before 1.2.6 for WordPress has incorrect permissi ...) NOT-FOR-US: wp-editor plugin for WordPress CVE-2016-10885 (The wp-editor plugin before 1.2.6 for WordPress has CSRF. ...) NOT-FOR-US: wp-editor plugin for WordPress CVE-2016-10884 (The simple-membership plugin before 3.3.3 for WordPress has multiple C ...) NOT-FOR-US: simple-membership plugin for WordPress CVE-2016-10883 (The simple-add-pages-or-posts plugin before 1.7 for WordPress has CSRF ...) NOT-FOR-US: simple-add-pages-or-posts plugin for WordPress CVE-2016-10882 (The google-document-embedder plugin before 2.6.2 for WordPress has CSR ...) NOT-FOR-US: google-document-embedder plugin for WordPress CVE-2016-10881 (The google-document-embedder plugin before 2.6.2 for WordPress has XSS ...) NOT-FOR-US: google-document-embedder plugin for WordPress CVE-2016-10880 (The google-document-embedder plugin before 2.6.1 for WordPress has XSS ...) NOT-FOR-US: google-document-embedder plugin for WordPress CVE-2015-9316 (The wp-fastest-cache plugin before 0.8.4.9 for WordPress has SQL injec ...) NOT-FOR-US: wp-fastest-cache plugin for WordPress CVE-2015-9315 (The newstatpress plugin before 1.0.1 for WordPress has SQL injection. ...) NOT-FOR-US: newstatpress plugin for WordPress CVE-2015-9314 (The newstatpress plugin before 1.0.4 for WordPress has XSS related to ...) NOT-FOR-US: newstatpress plugin for WordPress CVE-2015-9313 (The newstatpress plugin before 1.0.5 for WordPress has SQL injection r ...) NOT-FOR-US: newstatpress plugin for WordPress CVE-2015-9312 (The newstatpress plugin before 1.0.5 for WordPress has XSS related to ...) NOT-FOR-US: newstatpress plugin for WordPress CVE-2015-9311 (The newstatpress plugin before 1.0.6 for WordPress has reflected XSS. ...) NOT-FOR-US: newstatpress plugin for WordPress CVE-2015-9310 (The all-in-one-wp-security-and-firewall plugin before 3.9.1 for WordPr ...) NOT-FOR-US: all-in-one-wp-security-and-firewall plugin for WordPress CVE-2015-9309 (The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF i ...) NOT-FOR-US: wp-google-map-plugin plugin for WordPress CVE-2015-9308 (The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF i ...) NOT-FOR-US: wp-google-map-plugin plugin for WordPress CVE-2015-9307 (The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF i ...) NOT-FOR-US: wp-google-map-plugin plugin for WordPress CVE-2014-10375 (handle_messages in eXtl_tls.c in eXosip before 5.0.0 mishandles a nega ...) - libexosip2 (bug #934766) [buster] - libexosip2 (Minor issue) [stretch] - libexosip2 (Minor issue) [jessie] - libexosip2 (Minor issue) NOTE: http://git.savannah.nongnu.org/cgit/exosip.git/commit/?id=2549e421c14aff886629b8482c14af800f411070 CVE-2013-7476 (The simple-fields plugin before 1.2 for WordPress has CSRF in the admi ...) NOT-FOR-US: simple-fields plugin for WordPress CVE-2019-15024 (In all versions of ClickHouse before 19.14.3, an attacker having write ...) NOT-FOR-US: ClickHouse CVE-2019-15023 (A security vulnerability exists in Zingbox Inspector versions 1.294 an ...) NOT-FOR-US: Zingbox Inspector CVE-2019-15022 (A security vulnerability exists in Zingbox Inspector versions 1.294 an ...) NOT-FOR-US: Zingbox Inspector CVE-2019-15021 (A security vulnerability exists in the Zingbox Inspector versions 1.29 ...) NOT-FOR-US: Zingbox Inspector CVE-2019-15020 (A security vulnerability exists in the Zingbox Inspector versions 1.29 ...) NOT-FOR-US: Zingbox Inspector CVE-2019-15019 (A security vulnerability exists in the Zingbox Inspector versions 1.29 ...) NOT-FOR-US: Zingbox Inspector CVE-2019-15018 (A security vulnerability exists in the Zingbox Inspector versions 1.28 ...) NOT-FOR-US: Zingbox Inspector CVE-2019-15017 (The SSH service is enabled on the Zingbox Inspector versions 1.294 and ...) NOT-FOR-US: Zingbox Inspector CVE-2019-15016 (An SQL injection vulnerability exists in the management interface of Z ...) NOT-FOR-US: Zingbox Inspector CVE-2019-15015 (In the Zingbox Inspector, versions 1.294 and earlier, hardcoded creden ...) NOT-FOR-US: Zingbox Inspector CVE-2019-15014 (A command injection vulnerability exists in the Zingbox Inspector vers ...) NOT-FOR-US: Zingbox Inspector CVE-2019-15013 (The WorkflowResource class removeStatus method in Jira before version ...) NOT-FOR-US: Atlassian CVE-2019-15012 (Bitbucket Server and Bitbucket Data Center from version 4.13. before 5 ...) NOT-FOR-US: Bitbucket Server and Bitbucket Data Center CVE-2019-15011 (The ListEntityLinksServlet resource in Application Links before versio ...) NOT-FOR-US: Application Links CVE-2019-15010 (Bitbucket Server and Bitbucket Data Center versions starting from vers ...) NOT-FOR-US: Bitbucket Server and Bitbucket Data Center CVE-2019-15009 (The /json/profile/removeStarAjax.do resource in Atlassian Fisheye and ...) NOT-FOR-US: Atlassian Fisheye and Crucible CVE-2019-15008 (The /plugins/servlet/branchreview resource in Atlassian Fisheye and Cr ...) NOT-FOR-US: Atlassian Fisheye and Crucible CVE-2019-15007 (The review resource in Atlassian Fisheye and Crucible before version 4 ...) NOT-FOR-US: Atlassian Fisheye and Crucible CVE-2019-15006 (There was a man-in-the-middle (MITM) vulnerability present in the Conf ...) NOT-FOR-US: Confluence CVE-2019-15005 (The Atlassian Troubleshooting and Support Tools plugin prior to versio ...) NOT-FOR-US: Atlassian CVE-2019-15004 (The Customer Context Filter in Atlassian Jira Service Desk Server and ...) NOT-FOR-US: Atlassian CVE-2019-15003 (The Customer Context Filter in Atlassian Jira Service Desk Server and ...) NOT-FOR-US: Atlassian CVE-2019-15002 RESERVED CVE-2019-15001 (The Jira Importers Plugin in Atlassian Jira Server and Data Cente from ...) NOT-FOR-US: Atlassian CVE-2019-15000 (The commit diff rest endpoint in Bitbucket Server and Data Center befo ...) NOT-FOR-US: Atlassian CVE-2019-14999 (The Uninstall REST endpoint in Atlassian Universal Plugin Manager befo ...) NOT-FOR-US: Atlassian CVE-2019-14998 (The Webwork action Cross-Site Request Forgery (CSRF) protection implem ...) NOT-FOR-US: Atlassian Jira CVE-2019-14997 (The AccessLogFilter class in Jira before version 8.4.0 allows remote a ...) NOT-FOR-US: Atlassian Jira CVE-2019-14996 (The FilterPickerPopup.jspa resource in Jira before version 7.13.7, and ...) NOT-FOR-US: Atlassian Jira CVE-2019-14995 (The /rest/api/1.0/render resource in Jira before version 8.4.0 allows ...) NOT-FOR-US: Atlassian Jira CVE-2019-14994 (The Customer Context Filter in Atlassian Jira Service Desk Server and ...) NOT-FOR-US: Atlassian CVE-2019-14993 (Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressi ...) NOT-FOR-US: Istio CVE-2019-14992 REJECTED CVE-2019-14991 REJECTED CVE-2019-14990 REJECTED CVE-2019-14989 REJECTED CVE-2019-14988 REJECTED CVE-2019-14987 (Adive Framework through 2.0.7 is affected by XSS in the Create New Tab ...) NOT-FOR-US: Adive Framework CVE-2019-14986 (eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn before 2.3.0 installe ...) NOT-FOR-US: eQ-3 Homematic CCU2 and CCU3 CVE-2019-14985 (eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn installed allow Remot ...) NOT-FOR-US: eQ-3 Homematic CCU2 and CCU3 CVE-2019-14984 (eQ-3 Homematic CCU2 and CCU3 with the XML-API through 1.2.0 AddOn inst ...) NOT-FOR-US: eQ-3 Homematic CCU2 and CCU3 CVE-2019-14983 RESERVED CVE-2019-14982 (In Exiv2 before v0.27.2, there is an integer overflow vulnerability in ...) - exiv2 (Vulnerable code not present) NOTE: https://github.com/Exiv2/exiv2/issues/960 NOTE: https://github.com/Exiv2/exiv2/pull/962/commits/e925bc5addd881543fa503470c8a859e112cca62 CVE-2019-14981 (In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, there is ...) {DSA-4712-1 DLA-1968-1} - imagemagick (bug #955025) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1552 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/b522d2d857d2f75b659936b59b0da9df1682c256 CVE-2019-14980 (In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, there is ...) - imagemagick (Vulnerable code introduced later) NOTE: https://github.com/ImageMagick/ImageMagick6/issues/43 NOTE: Introduced in https://github.com/ImageMagick/ImageMagick6/commit/6f29b3755748a899145b639195dd3bc640d36bb4 (6.9.10-24) NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick6/commit/614a257295bdcdeda347086761062ac7658b6830 (6.9.10-42) CVE-2019-14979 (** DISPUTED ** cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Chec ...) NOT-FOR-US: WooCommerce PayPal Checkout Payment Gateway plugin for WordPress CVE-2019-14978 (/payu/icpcheckout/ in the WooCommerce PayU India Payment Gateway plugi ...) NOT-FOR-US: WooCommerce PayU India Payment Gateway plugin for WordPress CVE-2019-14977 REJECTED CVE-2019-14976 (iCMS 7.0.15 allows admincp.php?app=apps XSS via the keywords parameter ...) NOT-FOR-US: idreamsoft iCMS CVE-2019-14975 (Artifex MuPDF before 1.16.0 has a heap-based buffer over-read in fz_ch ...) - mupdf (Vulnerable code introduced later) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=701292 NOTE: Introduced by: http://git.ghostscript.com/?p=mupdf.git;a=commit;h=abcb3e68670ebc2e5127953462a026fe1a5dd321 (1.16.0-rc1) NOTE: Fixed by: http://git.ghostscript.com/?p=mupdf.git;a=commit;h=97096297d409ec6f206298444ba00719607e8ba8 (1.16.0) CVE-2019-14974 (SugarCRM Enterprise 9.0.0 allows mobile/error-not-supported-platform.h ...) NOT-FOR-US: SugarCRM CVE-2019-14973 (_TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in LibTIFF through ...) {DSA-4670-1 DSA-4608-1 DLA-1897-1} - tiff 4.0.10+git190814-1 (low; bug #934780) - tiff3 NOTE: https://gitlab.com/libtiff/libtiff/merge_requests/90 NOTE: https://gitlab.com/libtiff/libtiff/commit/1b5e3b6a23827c33acf19ad50ce5ce78f12b3773 CVE-2019-14972 RESERVED CVE-2019-14971 RESERVED CVE-2019-14970 (A vulnerability in mkv::event_thread_t in VideoLAN VLC media player 3. ...) {DSA-4504-1} - vlc 3.0.8-1 [jessie] - vlc (https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14969 (Netwrix Auditor before 9.8 has insecure permissions on %PROGRAMDATA%\N ...) NOT-FOR-US: Netwrix Auditor CVE-2019-14968 (An issue was discovered in imcat 4.9. There is SQL Injection via the i ...) NOT-FOR-US: imcat CVE-2019-14967 (An issue was discovered in Frappe Framework 10, 11 before 11.1.46, and ...) NOT-FOR-US: Frappe Framework CVE-2019-14966 (An issue was discovered in Frappe Framework 10 through 12 before 12.0. ...) NOT-FOR-US: Frappe Framework CVE-2019-14965 (An issue was discovered in Frappe Framework 10 through 12 before 12.0. ...) NOT-FOR-US: Frappe Framework CVE-2019-14964 RESERVED CVE-2019-14963 RESERVED CVE-2019-14962 RESERVED CVE-2019-14961 (JetBrains Upsource before 2019.1.1412 was not properly escaping HTML t ...) NOT-FOR-US: JetBrains Upsource CVE-2019-14960 (JetBrains Rider before 2019.1.2 was using an unsigned JetBrains.Rider. ...) NOT-FOR-US: JetBrains Rider CVE-2019-14959 (JetBrains Toolbox before 1.15.5605 was resolving an internal URL via a ...) NOT-FOR-US: JetBrains Toolbox CVE-2019-14958 (JetBrains PyCharm before 2019.2 was allocating a buffer of unknown siz ...) - pycharm (bug #742394) CVE-2019-14957 (The JetBrains Vim plugin before version 0.52 was storing individual pr ...) NOT-FOR-US: JetBrains Vim plugin CVE-2019-14956 (JetBrains YouTrack before 2019.2.53938 was using incorrect settings, a ...) NOT-FOR-US: JetBrains YouTrack CVE-2019-14955 (In JetBrains Hub versions earlier than 2018.4.11436, there was no opti ...) NOT-FOR-US: JetBrains Hub CVE-2019-14954 (JetBrains IntelliJ IDEA before 2019.2 was resolving the markdown plant ...) - intellij-idea (bug #747616) CVE-2019-14953 (JetBrains YouTrack versions before 2019.2.53938 had a possible XSS thr ...) NOT-FOR-US: JetBrains YouTrack CVE-2019-14952 (JetBrains YouTrack versions before 2019.1.52584 had a possible XSS in ...) NOT-FOR-US: JetBrains YouTrack CVE-2019-14951 (The Telenav Scout GPS Link app 1.x for iOS, as used with Toyota and Le ...) NOT-FOR-US: Telenav Scout GPS Link app CVE-2019-14950 (The wp-live-chat-support plugin before 8.0.27 for WordPress has XSS vi ...) NOT-FOR-US: wp-live-chat-support plugin for WordPress CVE-2019-14949 (The wp-database-backup plugin before 5.1.2 for WordPress has XSS. ...) NOT-FOR-US: wp-database-backup plugin for WordPress CVE-2019-14948 (The woocommerce-product-addon plugin before 18.4 for WordPress has XSS ...) NOT-FOR-US: woocommerce-product-addon plugin for WordPress CVE-2019-14947 (The ultimate-member plugin before 2.0.52 for WordPress has XSS during ...) NOT-FOR-US: ultimate-member plugin for WordPress CVE-2019-14946 (The ultimate-member plugin before 2.0.52 for WordPress has XSS related ...) NOT-FOR-US: ultimate-member plugin for WordPress CVE-2019-14945 (The ultimate-member plugin before 2.0.54 for WordPress has XSS. ...) NOT-FOR-US: ultimate-member plugin for WordPress CVE-2019-14944 [Multiple Command-Line Flag Injection Vulnerabilities] RESERVED [experimental] - gitlab 11.11.8+dfsg-1 - gitlab 12.6.8-3 (bug #934708) NOTE: https://about.gitlab.com/2019/08/12/critical-security-release-gitlab-12-dot-1-dot-6-released/ CVE-2019-14943 (An issue was discovered in GitLab Community and Enterprise Edition 12. ...) - gitlab (Only affects GitLab CE/EE 12.0 and later) NOTE: https://about.gitlab.com/2019/08/12/critical-security-release-gitlab-12-dot-1-dot-6-released/ CVE-2019-14942 [Insecure Cookie Handling on GitLab Pages] RESERVED [experimental] - gitlab 11.11.8+dfsg-1 - gitlab 12.6.8-3 (bug #934708) NOTE: https://about.gitlab.com/2019/08/12/critical-security-release-gitlab-12-dot-1-dot-6-released/ CVE-2019-14941 (SHAREit through 4.0.6.177 does not check the body length from the rece ...) NOT-FOR-US: SHAREit CVE-2019-14940 (In Storage Performance Development Kit (SPDK) before 19.07, a user of ...) NOT-FOR-US: Storage Performance Development Kit CVE-2019-14939 (An issue was discovered in the mysql (aka mysqljs) module 2.17.1 for N ...) - node-mysql 2.18.0-1 (bug #934712) [buster] - node-mysql (Minor issue) [stretch] - node-mysql (Nodejs in stretch not covered by security support) [jessie] - node-mysql (Nodejs in jessie not covered by security support) NOTE: https://github.com/mysqljs/mysql/issues/2257 CVE-2019-14938 RESERVED CVE-2019-14937 (REDCap before 9.3.0 allows time-based SQL injection in the edit calend ...) NOT-FOR-US: REDCap CVE-2019-14936 (Easy!Appointments 1.3.2 plugin for WordPress allows Sensitive Informat ...) NOT-FOR-US: Easy!Appointments plugin for WordPress CVE-2019-14935 (3CX Phone 15 on Windows has insecure permissions on the "%PROGRAMDATA% ...) NOT-FOR-US: 3CX Phone 15 on Windows CVE-2019-14934 (An issue was discovered in PDFResurrect before 0.18. pdf_load_pages_ki ...) - pdfresurrect 0.18-1 [buster] - pdfresurrect (Minor issue) [stretch] - pdfresurrect (Minor issue) [jessie] - pdfresurrect (Minor issue) NOTE: https://github.com/enferex/pdfresurrect/commit/0c4120fffa3dffe97b95c486a120eded82afe8a6 NOTE: https://github.com/enferex/pdfresurrect/issues/6 NOTE: CVE specific to the calloc_some.pdf and malloc_some.pdf issues. CVE-2019-14933 (Bagisto 0.1.5 allows CSRF under /admin URIs. ...) NOT-FOR-US: Bagisto CVE-2019-14932 (The Recruitment module in Humanica Humatrix 7 1.0.0.681 and 1.0.0.203 ...) NOT-FOR-US: Recruitment module in Humanica Humatrix CVE-2018-20966 (The woocommerce-jetpack plugin before 3.8.0 for WordPress has XSS in t ...) NOT-FOR-US: woocommerce-jetpack plugin for WordPress CVE-2018-20965 (The ultimate-member plugin before 2.0.4 for WordPress has XSS. ...) NOT-FOR-US: ultimate-member plugin for WordPress CVE-2018-20964 (The contact-form-to-email plugin before 1.2.66 for WordPress has CSRF. ...) NOT-FOR-US: contact-form-to-email plugin for WordPress CVE-2018-20963 (The contact-form-to-email plugin before 1.2.66 for WordPress has XSS. ...) NOT-FOR-US: contact-form-to-email plugin for WordPress CVE-2017-18508 (The wp-live-chat-support plugin before 7.1.03 for WordPress has XSS. ...) NOT-FOR-US: wp-live-chat-support plugin for WordPress CVE-2017-18507 (The wp-live-chat-support plugin before 7.1.05 for WordPress has XSS. ...) NOT-FOR-US: wp-live-chat-support plugin for WordPress CVE-2017-18506 (The woocommerce-pdf-invoices-packing-slips plugin before 2.0.13 for Wo ...) NOT-FOR-US: woocommerce-pdf-invoices-packing-slips plugin for WordPress CVE-2017-18505 (The twitter-plugin plugin before 2.55 for WordPress has XSS. ...) NOT-FOR-US: twitter-plugin plugin for WordPress CVE-2017-18504 (The twitter-cards-meta plugin before 2.5.0 for WordPress has CSRF. ...) NOT-FOR-US: twitter-cards-meta plugin for WordPress CVE-2017-18503 (The twitter-cards-meta plugin before 2.5.0 for WordPress has XSS. ...) NOT-FOR-US: twitter-cards-meta plugin for WordPress CVE-2017-18502 (The subscriber plugin before 1.3.5 for WordPress has multiple XSS issu ...) NOT-FOR-US: subscriber plugin for WordPress CVE-2017-18501 (The social-login-bws plugin before 0.2 for WordPress has multiple XSS ...) NOT-FOR-US: social-login-bws plugin for WordPress CVE-2017-18500 (The social-buttons-pack plugin before 1.1.1 for WordPress has multiple ...) NOT-FOR-US: social-buttons-pack plugin for WordPress CVE-2017-18499 (The simple-membership plugin before 3.5.7 for WordPress has XSS. ...) NOT-FOR-US: simple-membership plugin for WordPress CVE-2017-18498 (The simple-job-board plugin before 2.4.4 for WordPress has reflected X ...) NOT-FOR-US: simple-job-board plugin for WordPress CVE-2017-18497 (The liveforms plugin before 3.4.0 for WordPress has XSS. ...) NOT-FOR-US: liveforms plugin for WordPress CVE-2017-18496 (The htaccess plugin before 1.7.6 for WordPress has multiple XSS issues ...) NOT-FOR-US: htaccess plugin for WordPress CVE-2017-18495 (The gravity-forms-sms-notifications plugin before 2.4.0 for WordPress ...) NOT-FOR-US: gravity-forms-sms-notifications plugin for WordPress CVE-2017-18494 (The custom-search-plugin plugin before 1.36 for WordPress has multiple ...) NOT-FOR-US: custom-search-plugin plugin for WordPress CVE-2017-18493 (The custom-admin-page plugin before 0.1.2 for WordPress has multiple X ...) NOT-FOR-US: custom-admin-page plugin for WordPress CVE-2017-18492 (The contact-form-to-db plugin before 1.5.7 for WordPress has multiple ...) NOT-FOR-US: contact-form-to-db plugin for WordPress CVE-2017-18491 (The contact-form-plugin plugin before 4.0.6 for WordPress has multiple ...) NOT-FOR-US: contact-form-plugin plugin for WordPress CVE-2017-18490 (The contact-form-multi plugin before 1.2.1 for WordPress has multiple ...) NOT-FOR-US: contact-form-multi plugin for WordPress CVE-2017-18489 (The contact-form-7-sms-addon plugin before 2.4.0 for WordPress has XSS ...) NOT-FOR-US: contact-form-7-sms-addon plugin for WordPress CVE-2017-18488 (The Backup Guard plugin before 1.1.47 for WordPress has multiple XSS i ...) NOT-FOR-US: Backup Guard plugin for WordPress CVE-2017-18487 (The adsense-plugin (aka Google AdSense) plugin before 1.44 for WordPre ...) NOT-FOR-US: adsense-plugin (aka Google AdSense) plugin for WordPress CVE-2016-10879 (The wp-live-chat-support plugin before 6.2.02 for WordPress has XSS. ...) NOT-FOR-US: wp-live-chat-support plugin for WordPress CVE-2016-10878 (The wp-google-map-plugin plugin before 3.1.2 for WordPress has XSS. ...) NOT-FOR-US: wp-google-map-plugin plugin for WordPress CVE-2016-10877 (The wp-editor plugin before 1.2.6.3 for WordPress has multiple XSS iss ...) NOT-FOR-US: wp-editor plugin for WordPress CVE-2016-10876 (The wp-database-backup plugin before 4.3.1 for WordPress has CSRF. ...) NOT-FOR-US: wp-database-backup plugin for WordPress CVE-2016-10875 (The wp-database-backup plugin before 4.3.1 for WordPress has XSS. ...) NOT-FOR-US: wp-database-backup plugin for WordPress CVE-2016-10874 (The wp-database-backup plugin before 4.3.3 for WordPress has CSRF. ...) NOT-FOR-US: wp-database-backup plugin for WordPress CVE-2016-10873 (The wp-database-backup plugin before 4.3.3 for WordPress has XSS. ...) NOT-FOR-US: wp-database-backup plugin for WordPress CVE-2016-10872 (The ultimate-member plugin before 1.3.40 for WordPress has XSS on the ...) NOT-FOR-US: ultimate-member plugin for WordPress CVE-2016-10871 (The mailchimp-for-wp plugin before 4.0.11 for WordPress has XSS on the ...) NOT-FOR-US: mailchimp-for-wp plugin for WordPress CVE-2016-10870 (The google-language-translator plugin before 5.0.06 for WordPress has ...) NOT-FOR-US: google-language-translator plugin for WordPress CVE-2016-10869 (The contact-form-plugin plugin before 4.0.2 for WordPress has XSS. ...) NOT-FOR-US: contact-form-plugin plugin for WordPress CVE-2016-10868 (The all-in-one-wp-security-and-firewall plugin before 4.0.5 for WordPr ...) NOT-FOR-US: all-in-one-wp-security-and-firewall plugin for WordPress CVE-2016-10867 (The all-in-one-wp-security-and-firewall plugin before 4.0.6 for WordPr ...) NOT-FOR-US: all-in-one-wp-security-and-firewall plugin for WordPress CVE-2016-10866 (The all-in-one-wp-security-and-firewall plugin before 4.2.0 for WordPr ...) NOT-FOR-US: all-in-one-wp-security-and-firewall plugin for WordPress CVE-2015-9306 (The wp-ultimate-csv-importer plugin before 3.8.1 for WordPress has XSS ...) NOT-FOR-US: wp-ultimate-csv-importer plugin for WordPress CVE-2015-9305 (The wp-google-map-plugin plugin before 2.3.7 for WordPress has XSS rel ...) NOT-FOR-US: wp-google-map-plugin plugin for WordPress CVE-2015-9304 (The ultimate-member plugin before 1.3.18 for WordPress has XSS via tex ...) NOT-FOR-US: ultimate-member plugin for WordPress CVE-2015-9303 (The simple-share-buttons-adder plugin before 6.0.0 for WordPress has X ...) NOT-FOR-US: simple-share-buttons-adder plugin for WordPress CVE-2015-9302 (The simple-fields plugin before 1.4.11 for WordPress has XSS. ...) NOT-FOR-US: simple-fields plugin for WordPress CVE-2015-9301 (The liveforms plugin before 3.2.0 for WordPress has SQL injection. ...) NOT-FOR-US: liveforms plugin for WordPress CVE-2015-9300 (The events-manager plugin before 5.5.7 for WordPress has multiple XSS ...) NOT-FOR-US: events-manager plugin for WordPress CVE-2015-9299 (The events-manager plugin before 5.5.7.1 for WordPress has DOM XSS. ...) NOT-FOR-US: events-manager plugin for WordPress CVE-2015-9298 (The events-manager plugin before 5.6 for WordPress has code injection. ...) NOT-FOR-US: events-manager plugin for WordPress CVE-2015-9297 (The events-manager plugin before 5.6 for WordPress has XSS. ...) NOT-FOR-US: events-manager plugin for WordPress CVE-2015-9296 (The download-monitor plugin before 1.7.1 for WordPress has XSS related ...) NOT-FOR-US: download-monitor plugin for WordPress CVE-2015-9295 (The contact-form-plugin plugin before 3.96 for WordPress has XSS. ...) NOT-FOR-US: contact-form-plugin plugin for WordPress CVE-2015-9294 (The all-in-one-wp-security-and-firewall plugin before 3.9.5 for WordPr ...) NOT-FOR-US: all-in-one-wp-security-and-firewall plugin for WordPress CVE-2015-9293 (The all-in-one-wp-security-and-firewall plugin before 3.9.8 for WordPr ...) NOT-FOR-US: all-in-one-wp-security-and-firewall plugin for WordPress CVE-2013-7475 (The contact-form-plugin plugin before 3.52 for WordPress has XSS. ...) NOT-FOR-US: contact-form-plugin plugin for WordPress CVE-2012-6713 (The job-manager plugin before 0.7.19 for WordPress has multiple XSS is ...) NOT-FOR-US: job-manager plugin for WordPress CVE-2019-14931 (An issue was discovered on Mitsubishi Electric ME-RTU devices through ...) NOT-FOR-US: Mitsubishi Electric ME-RTU devices CVE-2019-14930 (An issue was discovered on Mitsubishi Electric ME-RTU devices through ...) NOT-FOR-US: Mitsubishi Electric ME-RTU devices CVE-2019-14929 (An issue was discovered on Mitsubishi Electric ME-RTU devices through ...) NOT-FOR-US: Mitsubishi Electric ME-RTU devices CVE-2019-14928 (An issue was discovered on Mitsubishi Electric ME-RTU devices through ...) NOT-FOR-US: Mitsubishi Electric ME-RTU devices CVE-2019-14927 (An issue was discovered on Mitsubishi Electric ME-RTU devices through ...) NOT-FOR-US: Mitsubishi Electric ME-RTU devices CVE-2019-14926 (An issue was discovered on Mitsubishi Electric ME-RTU devices through ...) NOT-FOR-US: Mitsubishi Electric ME-RTU devices CVE-2019-14925 (An issue was discovered on Mitsubishi Electric ME-RTU devices through ...) NOT-FOR-US: Mitsubishi Electric ME-RTU devices CVE-2019-14924 (An issue was discovered in GCDWebServer before 3.5.3. The method moveI ...) NOT-FOR-US: GCDWebServer CVE-2019-14923 (EyesOfNetwork 5.1 allows Remote Command Execution via shell metacharac ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2019-14922 RESERVED CVE-2019-14921 RESERVED CVE-2019-14920 (Billion Smart Energy Router SG600R2 Firmware v3.02.rc6 allows an authe ...) NOT-FOR-US: Billion Smart Energy Router SG600R2 Firmware CVE-2019-14919 (An exposed Telnet Service on the Billion Smart Energy Router SG600R2 w ...) NOT-FOR-US: Billion Smart Energy Router SG600R2 Firmware CVE-2019-14918 (XSS in the DHCP lease-status table in Billion Smart Energy Router SG60 ...) NOT-FOR-US: Billion Smart Energy Router SG600R2 Firmware CVE-2019-14917 RESERVED CVE-2019-14916 (An issue was discovered in PRiSE adAS 1.7.0. A file's format is not pr ...) NOT-FOR-US: PRiSE adAS CVE-2019-14915 (An issue was discovered in PRiSE adAS 1.7.0. Certificate data are not ...) NOT-FOR-US: PRiSE adAS CVE-2019-14914 (An issue was discovered in PRiSE adAS 1.7.0. The path is not properly ...) NOT-FOR-US: PRiSE adAS CVE-2019-14913 (An issue was discovered in PRiSE adAS 1.7.0. Log data are not properly ...) NOT-FOR-US: PRiSE adAS CVE-2019-14912 (An issue was discovered in PRiSE adAS 1.7.0. The OPENSSO module does n ...) NOT-FOR-US: PRiSE adAS CVE-2019-14911 (An issue was discovered in PRiSE adAS 1.7.0. The OPENSSO module does n ...) NOT-FOR-US: PRiSE adAS CVE-2019-14910 (A vulnerability was found in keycloak 7.x, when keycloak is configured ...) NOT-FOR-US: Keycloak CVE-2019-14909 (A vulnerability was found in Keycloak 7.x where the user federation LD ...) NOT-FOR-US: Keycloak CVE-2019-14908 RESERVED CVE-2019-14907 (All samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 and 4.11 ...) - samba 2:4.11.5+dfsg-1 [buster] - samba (Minor issue) [stretch] - samba (Minor issue) [jessie] - samba (Minor issue) NOTE: https://www.samba.org/samba/security/CVE-2019-14907.html CVE-2019-14906 (A flaw was found with the RHSA-2019:3950 erratum, where it did not fix ...) NOT-FOR-US: Specific CVE assignment for incorrect/incomplete fix of CVE-2019-13616 in RHEL 7 CVE-2019-14905 (A vulnerability was found in Ansible Engine versions 2.9.x before 2.9. ...) - ansible 2.9.4+dfsg-1 (low) [buster] - ansible (Minor issue) [stretch] - ansible (Minor issue) [jessie] - ansible (Vulnerable module first bundled in 2.2) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1776943 NOTE: https://github.com/ansible/ansible/pull/65423 NOTE: https://github.com/ansible/ansible/blob/stable-2.2/CHANGELOG.md CVE-2019-14904 [vulnerability in solaris_zone module via crafted solaris zone] RESERVED - ansible 2.9.4+dfsg-1 (low) [buster] - ansible (Minor issue) [stretch] - ansible (Minor issue) [jessie] - ansible (Vulnerable module first bundled in 2.0) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1776944 NOTE: https://github.com/ansible/ansible/pull/65686 NOTE: https://github.com/ansible/ansible/blob/stable-2.0/CHANGELOG.md CVE-2019-14903 RESERVED CVE-2019-14902 (There is an issue in all samba 4.11.x versions before 4.11.5, all samb ...) - samba 2:4.11.5+dfsg-1 [buster] - samba (Minor issue) [stretch] - samba (Minor issue) [jessie] - samba (Minor issue) NOTE: https://www.samba.org/samba/security/CVE-2019-14902.html CVE-2019-14901 (A heap overflow flaw was found in the Linux kernel, all versions 3.x.x ...) {DLA-2114-1 DLA-2068-1} - linux 5.4.13-1 [buster] - linux 4.19.98-1 [stretch] - linux 4.9.210-1 NOTE: https://www.openwall.com/lists/oss-security/2019/11/22/2 CVE-2019-14900 (A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 an ...) - libhibernate3-java (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1666499 NOTE: https://github.com/hibernate/hibernate-orm/commit/b658e903d71e34a5be5690a33e6faa21b1db628b NOTE: https://github.com/hibernate/hibernate-orm/commit/7dfb0fdf24fb4a1f757be14ce5806b5a81f20ab8 NOTE: https://github.com/hibernate/hibernate-orm/commit/50a5da07c1e6cb1da630b01c67bce9f7fe49dd8e CVE-2019-14899 (A vulnerability was discovered in Linux, FreeBSD, OpenBSD, MacOS, iOS, ...) NOTE: https://www.openwall.com/lists/oss-security/2019/12/05/1 CVE-2019-14898 (The fix for CVE-2019-11599, affecting the Linux kernel before 5.0.10 w ...) - linux (RHEL-7 specific incomplete fix for CVE-2019-11599) CVE-2019-14897 (A stack-based buffer overflow was found in the Linux kernel, version k ...) {DLA-2114-1 DLA-2068-1} - linux 5.4.19-1 [buster] - linux 4.19.98-1 [stretch] - linux 4.9.210-1 NOTE: https://www.openwall.com/lists/oss-security/2019/11/22/1 CVE-2019-14896 (A heap-based buffer overflow vulnerability was found in the Linux kern ...) {DLA-2114-1 DLA-2068-1} - linux 5.4.19-1 [buster] - linux 4.19.98-1 [stretch] - linux 4.9.210-1 NOTE: https://www.openwall.com/lists/oss-security/2019/11/22/1 CVE-2019-14895 (A heap-based buffer overflow was discovered in the Linux kernel, all v ...) {DLA-2114-1 DLA-2068-1} - linux 5.4.13-1 [buster] - linux 4.19.98-1 [stretch] - linux 4.9.210-1 NOTE: https://www.openwall.com/lists/oss-security/2019/11/22/1 CVE-2019-14894 (A flaw was found in the CloudForms management engine version 5.10 and ...) NOT-FOR-US: Red Hat CloudForm CVE-2019-14893 (A flaw was discovered in FasterXML jackson-databind in all versions be ...) - jackson-databind 2.10.0-1 [buster] - jackson-databind 2.9.8-3+deb10u1 [stretch] - jackson-databind 2.8.6-1+deb9u6 [jessie] - jackson-databind 2.4.2-2+deb8u9 NOTE: https://github.com/FasterXML/jackson-databind/issues/2469 NOTE: https://github.com/FasterXML/jackson-databind/commit/998efd708284778f29d83d7962a9bd935c228317 CVE-2019-14892 (A flaw was discovered in jackson-databind in versions before 2.9.10, 2 ...) - jackson-databind 2.10.0-1 [buster] - jackson-databind 2.9.8-3+deb10u1 [stretch] - jackson-databind 2.8.6-1+deb9u6 [jessie] - jackson-databind 2.4.2-2+deb8u9 NOTE: https://github.com/FasterXML/jackson-databind/issues/2462 NOTE: https://github.com/FasterXML/jackson-databind/commit/41b7f9b90149e9d44a65a8261a8deedc7186f6af NOTE: https://github.com/FasterXML/jackson-databind/commit/819cdbcab51c6da9fb896380f2d46e9b7d4fdc3b CVE-2019-14891 (A flaw was found in cri-o, as a result of all pod-related processes be ...) NOT-FOR-US: Kubernetes CRI-O CVE-2019-14890 (A vulnerability was found in Ansible Tower before 3.6.1 where an attac ...) NOT-FOR-US: Ansible Tower CVE-2019-14889 (A flaw was found with the libssh API function ssh_scp_new() in version ...) {DLA-2038-1} - libssh 0.9.3-1 (bug #946548) [buster] - libssh (Minor issue) [stretch] - libssh (Minor issue) NOTE: https://www.libssh.org/security/advisories/CVE-2019-14889.txt NOTE: https://bugs.libssh.org/T181 NOTE: The fix in libssh makes an update in x2goclient necessary, cf: NOTE: https://bugs.debian.org/947129 NOTE: https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d163a943737fe4160f7233925df2eee1f9a CVE-2019-14888 (A vulnerability was found in the Undertow HTTP server in versions befo ...) - undertow NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1772464 CVE-2019-14887 (A flaw was found when an OpenSSL security provider is used with Wildfl ...) - wildfly (bug #752018) CVE-2019-14886 (A vulnerability was found in business-central, as shipped in rhdm-7.5. ...) NOT-FOR-US: Business central CVE-2019-14885 (A flaw was found in the JBoss EAP Vault system in all versions before ...) NOT-FOR-US: JBoss EAP CVE-2019-14884 (A vulnerability was found in Moodle 3.7 before 3.73, 3.6 before 3.6.7 ...) - moodle CVE-2019-14883 (A vulnerability was found in Moodle 3.6 before 3.6.7 and 3.7 before 3. ...) - moodle CVE-2019-14882 (A vulnerability was found in Moodle 3.7 to 3.7.3, 3.6 to 3.6.7, 3.5 to ...) - moodle CVE-2019-14881 (A vulnerability was found in moodle 3.7 before 3.7.3, where there is b ...) - moodle CVE-2019-14880 (A vulnerability was found in Moodle versions 3.7 before 3.7.3, 3.6 bef ...) - moodle CVE-2019-14879 (A vulnerability was found in Moodle versions 3.7.x before 3.7.3, 3.6.x ...) - moodle CVE-2019-14878 (In the __d2b function of the newlib libc library, all versions prior t ...) - newlib 3.3.0-1 [buster] - newlib (Minor issue) [stretch] - newlib (Minor issue) [jessie] - newlib (Minor issue) - picolibc 1.4.3-1 NOTE: https://census-labs.com/news/2020/01/31/multiple-null-pointer-dereference-vulnerabilities-in-newlib/ NOTE: https://keithp.com/blogs/picolibc-string-float/ CVE-2019-14877 (In the __mdiff function of the newlib libc library, all versions prior ...) - newlib 3.3.0-1 [buster] - newlib (Minor issue) [stretch] - newlib (Minor issue) [jessie] - newlib (Minor issue) - picolibc 1.4.3-1 NOTE: https://census-labs.com/news/2020/01/31/multiple-null-pointer-dereference-vulnerabilities-in-newlib/ NOTE: https://keithp.com/blogs/picolibc-string-float/ CVE-2019-14876 (In the __lshift function of the newlib libc library, all versions prio ...) - newlib 3.3.0-1 [buster] - newlib (Minor issue) [stretch] - newlib (Minor issue) [jessie] - newlib (Minor issue) - picolibc (unimportant) NOTE: https://census-labs.com/news/2020/01/31/multiple-null-pointer-dereference-vulnerabilities-in-newlib/ CVE-2019-14875 (In the __multiply function of the newlib libc library, all versions pr ...) - newlib 3.3.0-1 [buster] - newlib (Minor issue) [stretch] - newlib (Minor issue) [jessie] - newlib (Minor issue) - picolibc (Affected code not present) NOTE: https://census-labs.com/news/2020/01/31/multiple-null-pointer-dereference-vulnerabilities-in-newlib/ CVE-2019-14874 (In the __i2b function of the newlib libc library, all versions prior t ...) - newlib 3.3.0-1 [buster] - newlib (Minor issue) [stretch] - newlib (Minor issue) [jessie] - newlib (Minor issue) - picolibc 1.4.3-1 NOTE: https://census-labs.com/news/2020/01/31/multiple-null-pointer-dereference-vulnerabilities-in-newlib/ NOTE: https://keithp.com/blogs/picolibc-string-float/ CVE-2019-14873 (In the __multadd function of the newlib libc library, prior to version ...) - newlib 3.3.0-1 [buster] - newlib (Minor issue) [stretch] - newlib (Minor issue) [jessie] - newlib (Minor issue) - picolibc 1.4.3-1 NOTE: https://census-labs.com/news/2020/01/31/multiple-null-pointer-dereference-vulnerabilities-in-newlib/ NOTE: https://keithp.com/blogs/picolibc-string-float/ CVE-2019-14872 (The _dtoa_r function of the newlib libc library, prior to version 3.3. ...) - newlib 3.3.0-1 [buster] - newlib (Minor issue) [stretch] - newlib (Minor issue) [jessie] - newlib (Minor issue) - picolibc 1.4.3-1 NOTE: https://census-labs.com/news/2020/01/31/multiple-null-pointer-dereference-vulnerabilities-in-newlib/ NOTE: https://keithp.com/blogs/picolibc-string-float/ CVE-2019-14871 (The REENT_CHECK macro (see newlib/libc/include/sys/reent.h) as used by ...) - newlib 3.3.0-1 [buster] - newlib (Minor issue) [stretch] - newlib (Minor issue) [jessie] - newlib (Minor issue) - picolibc 1.4.3-1 NOTE: https://census-labs.com/news/2020/01/31/multiple-null-pointer-dereference-vulnerabilities-in-newlib/ NOTE: https://keithp.com/blogs/picolibc-string-float/ CVE-2019-14870 (All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11 ...) - samba 2:4.11.3+dfsg-1 [buster] - samba (Minor issue) [stretch] - samba (Minor issue) [jessie] - samba (Minor issue) - heimdal 7.7.0+dfsg-1 (bug #946786) [buster] - heimdal (Minor issue) [stretch] - heimdal (Minor issue) [jessie] - heimdal (Minor issue) NOTE: https://www.samba.org/samba/security/CVE-2019-14870.html NOTE: https://github.com/heimdal/heimdal/pull/663 NOTE: https://github.com/heimdal/heimdal/pull/664 (port to 7.1 branch) CVE-2019-14869 (A flaw was found in all versions of ghostscript 9.x before 9.50, where ...) {DSA-4569-1 DLA-1992-1} - ghostscript 9.50~dfsg-3 (bug #944760) NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904772c5f0aa1140032746e5a0abfc40f4cef NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=701841 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1768911 NOTE: For recent versions (9.28~~rc1~dfsg-1) the issue is mitigated starting NOTE: from http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=7ecbfda92b4c8dbf6f6c2bf8fc82020a29219eff NOTE: which changed the access to file permissions. CVE-2019-14868 (In ksh version 20120801, a flaw was found in the way it evaluates cert ...) - ksh 2020.0.0-2.1 (bug #948989) [jessie] - ksh (Minor issue) - ksh93 (bug #964034) NOTE: https://github.com/att/ast/commit/c7de8b641266bac7c77942239ac659edfee9ecd2 CVE-2019-14867 (A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x ve ...) - freeipa 4.8.3-1 [buster] - freeipa (Minor issue; can be fixed via point release) NOTE: https://pagure.io/freeipa/c/4abd2f76d76c4c1a1ec5087ec447f4515b63c2c6 CVE-2019-14866 (In all versions of cpio before 2.13 does not properly validate input f ...) {DLA-1981-1} - cpio 2.13+dfsg-1 (low; bug #941412) [buster] - cpio (Minor issue) [stretch] - cpio (Minor issue) NOTE: https://lists.gnu.org/archive/html/bug-cpio/2019-08/msg00003.html NOTE: http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=7554e3e42cd72f6f8304410c47fe6f8918e9bfd7 CVE-2019-14865 (A flaw was found in the grub2-set-bootflag utility of grub2. A local a ...) - grub2 (Red Hat-specific patch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1764925 NOTE: https://seclists.org/oss-sec/2019/q4/101 NOTE: Red Hat-specific patch, get added as 0131-Add-grub-set-bootflag-utility.patch in their SRPM CVE-2019-14864 (Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible v ...) - ansible 2.9.2+dfsg-1 (low; bug #943768) [buster] - ansible (Minor issue) [stretch] - ansible (Minor issue) [jessie] - ansible (Vulnerable code introduced later) NOTE: https://github.com/ansible/ansible/issues/63522 NOTE: https://github.com/ansible/ansible/pull/63527 NOTE: Introduced in https://github.com/ansible/ansible/commit/91da1653e0b592d4d67c5fb3ecd4fa60c797ff03 (2.6) CVE-2019-14863 (There is a vulnerability in all angular versions before 1.5.0-beta.0, ...) {DLA-1995-1} - angular.js 1.5.3-2 (bug #942833) NOTE: https://snyk.io/vuln/npm:angular:20150807 NOTE: https://github.com/angular/angular.js/commit/f33ce173c90736e349cf594df717ae3ee41e0f7a NOTE: https://github.com/angular/angular.js/pull/12524 CVE-2019-14862 (There is a vulnerability in knockout before version 3.5.0-beta, where ...) - node-knockout 3.4.2-3 (unimportant; bug #943560) [buster] - node-knockout 3.4.2-2+deb10u1 NOTE: https://github.com/knockout/knockout/issues/1244 NOTE: https://github.com/knockout/knockout/pull/2345 NOTE: https://github.com/knockout/knockout/commit/7e280b2b8a04cc19176b5171263a5c68bda98efb NOTE: Only impacts browsers which are totally insecure and EOLed anyway CVE-2019-14861 (All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11 ...) - samba 2:4.11.3+dfsg-1 [buster] - samba (Minor issue) [stretch] - samba (Minor issue) [jessie] - samba (Minor issue) NOTE: https://www.samba.org/samba/security/CVE-2019-14861.html CVE-2019-14860 (It was found that the Syndesis configuration for Cross-Origin Resource ...) NOT-FOR-US: Syndesis CVE-2019-14859 (A flaw was found in all python-ecdsa versions before 0.13.3, where it ...) {DSA-4588-1 DLA-1978-1} - python-ecdsa 0.13.3-1 NOTE: https://github.com/warner/python-ecdsa/issues/114 NOTE: Upstream patches: NOTE: https://github.com/warner/python-ecdsa/pull/115 NOTE: https://github.com/warner/python-ecdsa/pull/124 NOTE: Fix for CVE-2019-14853 fixes as well CVE-2019-14859. CVE-2019-14858 (A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible ...) - ansible 2.8.6+dfsg-1 (bug #942332) [buster] - ansible (Minor issue) [stretch] - ansible (Minor issue) [jessie] - ansible (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1760593 NOTE: https://github.com/ansible/ansible/pull/63405 NOTE: Sub-options/sub-specs/sub-parameters introduced in https://github.com/ansible/ansible/commit/25de905c6e05bd6df91f4299628ee6d386d3da50 (2.4) CVE-2019-14857 (A flaw was found in mod_auth_openidc before version 2.4.0.1. An open r ...) {DLA-1996-1} - libapache2-mod-auth-openidc 2.4.0.3-1 (bug #942165) [buster] - libapache2-mod-auth-openidc (Minor issue) [stretch] - libapache2-mod-auth-openidc (Minor issue) NOTE: https://github.com/zmartzone/mod_auth_openidc/commit/5c15dfb08106c2451c2c44ce7ace6813c216ba75 NOTE: https://github.com/zmartzone/mod_auth_openidc/commit/ce37080c6aea30aabae8b4a9b4eea7808445cc8e NOTE: https://github.com/zmartzone/mod_auth_openidc/pull/451 NOTE: https://groups.google.com/forum/#!topic/mod_auth_openidc/boy1Ba3Gdk4 CVE-2019-14855 (A flaw was found in the way certificate signatures could be forged usi ...) - gnupg2 2.2.19-1 (low; bug #945859) [buster] - gnupg2 (Minor issue) [stretch] - gnupg2 (Minor issue) [jessie] - gnupg2 (No backport to version << 2.2.x, low impact, danger of breaking things) - gnupg1 (low) [buster] - gnupg1 (Minor issue) [stretch] - gnupg1 (Minor issue) - gnupg (low) [jessie] - gnupg (No backport to version << 2.2.x, low impact, danger of breaking things) NOTE: https://dev.gnupg.org/T4755 NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=c4f2d9e3e1d77d2f1f168764fcdfed32f7d1dfc4 NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=7d9aad63c4f1aefe97da61baf5acd96c12c0278e NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=dd18be979e138dd3712315ee390463e8ee1fe8c1 NOTE: https://eprint.iacr.org/2020/014.pdf CVE-2019-14854 (OpenShift Container Platform 4 does not sanitize secret data written t ...) NOT-FOR-US: OpenShift CVE-2019-14853 (An error-handling flaw was found in python-ecdsa before version 0.13.3 ...) {DSA-4588-1 DLA-1978-1} - python-ecdsa 0.13.3-1 NOTE: https://github.com/warner/python-ecdsa/issues/114 NOTE: Upstream patches: NOTE: https://github.com/warner/python-ecdsa/pull/115 NOTE: https://github.com/warner/python-ecdsa/pull/124 NOTE: Fix for CVE-2019-14853 fixes as well CVE-2019-14859. CVE-2019-14852 RESERVED CVE-2019-14851 [assertion failure by issuing commands in the wrong order] RESERVED - nbdkit 1.14.2-1 [buster] - nbdkit (Issue introduced by the fix for CVE-2019-14850) [stretch] - nbdkit (Issue introduced by the fix for CVE-2019-14850) [jessie] - nbdkit (introduced by CVE-2019-14850) NOTE: https://www.redhat.com/archives/libguestfs/2019-September/msg00272.html NOTE: 1.15 (development branch): NOTE: https://github.com/libguestfs/nbdkit/commit/a6b88b195a959b17524d1c8353fd425d4891dc5f NOTE: 1.14: NOTE: https://github.com/libguestfs/nbdkit/commit/bf0d61883a2f02f4388ec10dc92d4c61c093679e NOTE: 1.12: NOTE: https://github.com/libguestfs/nbdkit/commit/b2bc6683ea3cd1f6be694e8a681dfa411b7d15f3 CVE-2019-14850 [denial of service due to premature opening of back-end connection] RESERVED - nbdkit 1.14.1-1 [buster] - nbdkit (Minor issue) [stretch] - nbdkit (Minor issue) [jessie] - nbdkit (Minor issue, DoS/amplification for specific configuration, non-trivial backport, low popcon) NOTE: https://www.redhat.com/archives/libguestfs/2019-September/msg00084.html NOTE: 1.15 (development branch): NOTE: https://github.com/libguestfs/nbdkit/commit/c05686f9577fa91b6a3a4d8c065954ca6fc3fd62 NOTE: https://github.com/libguestfs/nbdkit/commit/a6b88b195a959b17524d1c8353fd425d4891dc5f NOTE: 1.14: NOTE: https://github.com/libguestfs/nbdkit/commit/e06cde00659ff97182173d0e33fff784041bcb4a NOTE: https://github.com/libguestfs/nbdkit/commit/bf0d61883a2f02f4388ec10dc92d4c61c093679e NOTE: 1.12: NOTE: https://github.com/libguestfs/nbdkit/commit/22b30adb796bb6dca264a38598f80b8a234ff978 NOTE: https://github.com/libguestfs/nbdkit/commit/b2bc6683ea3cd1f6be694e8a681dfa411b7d15f3 CVE-2019-14849 (A vulnerability was found in 3scale before version 2.6, did not set th ...) NOT-FOR-US: Red Hat 3scale CVE-2019-14848 RESERVED CVE-2019-14847 (A flaw was found in samba 4.0.0 before samba 4.9.15 and samba 4.10.x b ...) - samba 2:4.11.0+dfsg-6 [buster] - samba (Minor issue) [stretch] - samba (Minor issue) [jessie] - samba (Minor issue) NOTE: https://www.samba.org/samba/security/CVE-2019-14847.html CVE-2019-14846 (Ansible, all ansible_engine-2.x versions and ansible_engine-3.x up to ...) {DLA-2202-1} - ansible 2.8.6+dfsg-1 (low; bug #942188) [buster] - ansible (Minor issue) [stretch] - ansible (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1755373 NOTE: https://github.com/ansible/ansible/pull/63366 NOTE: https://github.com/ansible/ansible/commit/90e74dd2600e5cc42dd9b4f4656f3d651c4ce5c4 CVE-2019-14845 (A vulnerability was found in OpenShift builds, versions 4.1 up to 4.3. ...) NOT-FOR-US: OpenShift CVE-2019-14844 (A flaw was found in, Fedora versions of krb5 from 1.16.1 to, including ...) - krb5 (Vulnerable code not present; problematic commit not backported; not present in any MIT krb5 release) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1753589 NOTE: Introduced by: https://github.com/krb5/krb5/commit/a649279727490687d54becad91fde8cf7429d951 NOTE: Fixed by: https://github.com/krb5/krb5/commit/275c9a1aad36a1a7b56042f1a2c21c33e7d16eaf CVE-2019-14843 (A flaw was found in Wildfly Security Manager, running under JDK 11 or ...) - wildfly (bug #752018) CVE-2019-14841 RESERVED CVE-2019-14840 RESERVED CVE-2019-14839 RESERVED CVE-2019-14838 (A flaw was found in wildfly-core before 7.2.5.GA. The Management users ...) - wildfly (bug #752018) CVE-2019-14837 (A flaw was found in keycloack before version 8.0.0. The owner of 'plac ...) NOT-FOR-US: Keycloak CVE-2019-14836 RESERVED CVE-2019-14835 (A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in ...) {DSA-4531-1 DLA-1940-1 DLA-1930-1} - linux 5.2.17-1 NOTE: https://www.openwall.com/lists/oss-security/2019/09/17/1 NOTE: https://git.kernel.org/linus/060423bfdee3f8bc6e2c1bac97de24d5415e2bc4 CVE-2019-14834 (A vulnerability was found in dnsmasq before version 2.81, where the me ...) - dnsmasq 2.81-1 (bug #948373) [buster] - dnsmasq (Minor issue) [stretch] - dnsmasq (Minor issue) [jessie] - dnsmasq (Minor issue) NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=69bc94779c2f035a9fffdb5327a54c3aeca73ed5 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1764425 CVE-2019-14833 (A flaw was found in Samba, all versions starting samba 4.5.0 before sa ...) - samba 2:4.11.1+dfsg-2 [buster] - samba (Minor issue) [stretch] - samba (Minor issue) [jessie] - samba (Minor issue) NOTE: https://www.samba.org/samba/security/CVE-2019-14833.html CVE-2019-14832 (A flaw was found in the Keycloak REST API before version 8.0.0 where i ...) NOT-FOR-US: Keycloak CVE-2019-14831 RESERVED CVE-2019-14830 RESERVED CVE-2019-14829 RESERVED CVE-2019-14828 RESERVED CVE-2019-14827 RESERVED CVE-2019-14826 (A flaw was found in FreeIPA versions 4.5.0 and later. Session cookies ...) - freeipa (bug #940913) [buster] - freeipa (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1746944 NOTE: Introduced by https://pagure.io/freeipa/c/b895f4a34bcbd0b1787d2bfc1db25f34c3584b9c NOTE: due to fix for https://fedorahosted.org/freeipa/ticket/6682. CVE-2019-14825 (A cleartext password storage issue was discovered in Katello, versions ...) NOT-FOR-US: Katello CVE-2019-14824 (A flaw was found in the 'deref' plugin of 389-ds-base where it could u ...) {DLA-2004-1} - 389-ds-base 1.4.2.4-1 (bug #944150) [buster] - 389-ds-base (Minor issue) [stretch] - 389-ds-base (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1747448 NOTE: https://pagure.io/freeipa/issue/8050 CVE-2019-14823 (A flaw was found in the "Leaf and Chain" OCSP policy implementation in ...) - jss 4.6.2-1 (bug #942463) [buster] - jss (Vulnerable code backported only in 4.5.3 onwards) [stretch] - jss (Vulnerable code not present) [jessie] - jss (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1747435 NOTE: https://github.com/dogtagpki/jss/pull/284 NOTE: https://github.com/dogtagpki/jss/commit/be37ff4738b4696d529a13b6ed33c7ac56d97ba4 CVE-2019-14822 (A flaw was discovered in ibus that allows any unprivileged user to mon ...) {DSA-4525-1} - ibus 1.5.21-1 (bug #940267) [jessie] - ibus (Hard to exploit, regression risk) NOTE: https://www.openwall.com/lists/oss-security/2019/09/13/1 NOTE: Fixed by: https://github.com/ibus/ibus/commit/3d442dbf936d197aa11ca0a71663c2bc61696151 NOTE: The original fix introduces regression with Qt applications (the fix uncovered an NOTE: interoperability bug between GLib's implementation of D-Bus and the reference implementation NOTE: libdbus): NOTE: https://bugs.debian.org/941018 NOTE: https://launchpad.net/bugs/1844853 NOTE: https://github.com/ibus/ibus/issues/2137 CVE-2019-14821 (An out-of-bounds access issue was found in the Linux kernel, all versi ...) {DSA-4531-1 DLA-1940-1 DLA-1930-1} - linux 5.2.17-1 NOTE: https://git.kernel.org/linus/b60fe990c6b07ef6d4df67bc0530c7c90a62623a CVE-2019-14820 (It was found that keycloak before version 8.0.0 exposes internal adapt ...) NOT-FOR-US: Keycloak CVE-2019-14819 (A flaw was found during the upgrade of an existing OpenShift Container ...) NOT-FOR-US: openshift-ansible CVE-2019-14818 (A flaw was found in all dpdk version 17.x.x before 17.11.8, 16.x.x bef ...) {DSA-4567-1} - dpdk 18.11.4-1 NOTE: http://mails.dpdk.org/archives/announce/2019-November/000293.html NOTE: https://bugs.dpdk.org/show_bug.cgi?id=363 CVE-2019-14817 (A flaw was found in, ghostscript versions prior to 9.50, in the .pdfex ...) {DSA-4518-1 DLA-1915-1} - ghostscript 9.28~~rc2~dfsg-1 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=701450 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=cd1b1cacadac2479e291efe611979bdc1b3bdb19 NOTE: https://www.openwall.com/lists/oss-security/2019/08/28/2 NOTE: For recent versions (9.28~~rc1~dfsg-1) the issue is mitigated starting NOTE: from http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=7ecbfda92b4c8dbf6f6c2bf8fc82020a29219eff NOTE: which changed the access to file permissions. CVE-2019-14816 (There is heap-based buffer overflow in kernel, all versions up to, exc ...) {DLA-2114-1 DLA-1930-1} - linux 5.2.17-1 [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 CVE-2019-14815 (A vulnerability was found in Linux Kernel, where a Heap Overflow was f ...) {DLA-2114-1 DLA-1930-1} - linux 5.2.17-1 [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 [jessie] - linux (Vulnerability introduced later) CVE-2019-14814 (There is heap-based buffer overflow in Linux kernel, all versions up t ...) {DLA-2114-1 DLA-1930-1} - linux 5.2.17-1 [buster] - linux 4.19.87-1 [stretch] - linux 4.9.210-1 CVE-2019-14813 (A flaw was found in ghostscript, versions 9.x before 9.50, in the sets ...) {DSA-4518-1 DLA-1915-1} - ghostscript 9.28~~rc2~dfsg-1 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=701443 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33 NOTE: https://www.openwall.com/lists/oss-security/2019/08/28/2 NOTE: For recent versions (9.28~~rc1~dfsg-1) the issue is mitigated starting NOTE: from http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=7ecbfda92b4c8dbf6f6c2bf8fc82020a29219eff NOTE: which changed the access to file permissions. CVE-2019-14812 (A flaw was found in all ghostscript versions 9.x before 9.50, in the . ...) {DSA-4518-1 DLA-1915-1} - ghostscript 9.28~~rc2~dfsg-1 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=701444 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33 NOTE: https://www.openwall.com/lists/oss-security/2019/08/28/2 NOTE: For recent versions (9.28~~rc1~dfsg-1) the issue is mitigated starting NOTE: from http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=7ecbfda92b4c8dbf6f6c2bf8fc82020a29219eff NOTE: which changed the access to file permissions. CVE-2019-14811 (A flaw was found in, ghostscript versions prior to 9.50, in the .pdf_h ...) {DSA-4518-1 DLA-1915-1} - ghostscript 9.28~~rc2~dfsg-1 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=701445 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33 NOTE: https://www.openwall.com/lists/oss-security/2019/08/28/2 NOTE: For recent versions (9.28~~rc1~dfsg-1) the issue is mitigated starting NOTE: from http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=7ecbfda92b4c8dbf6f6c2bf8fc82020a29219eff NOTE: which changed the access to file permissions. CVE-2019-14810 (A vulnerability has been found in the implementation of the Label Dist ...) NOT-FOR-US: EOS CVE-2019-14809 (net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malfo ...) {DSA-4503-1} - golang-1.13 1.13~beta1-3 (bug #934954) - golang-1.12 1.12.8-1 - golang-1.11 1.11.13-1 - golang-1.8 [stretch] - golang-1.8 (Minor issue) - golang-1.7 [stretch] - golang-1.7 (Minor issue) - golang [jessie] - golang (Fix too invasive to backport, url.go file in jessie too far behind upstream) NOTE: Issue: https://github.com/golang/go/issues/29098 NOTE: https://github.com/golang/go/commit/c1d9ca70995dc232a2145e3214f94e03409f6fcc (golang-1.11) NOTE: https://github.com/golang/go/commit/3226f2d492963d361af9dfc6714ef141ba606713 (golang-1.12) CVE-2019-14808 (An issue was discovered in the RENPHO application 3.0.0 for iOS. It tr ...) NOT-FOR-US: RENPHO CVE-2019-14807 (In the MobileFrontend extension 1.31 through 1.33 for MediaWiki, XSS e ...) NOT-FOR-US: MobileFrontend extension for MediaWiki CVE-2019-14806 (Pallets Werkzeug before 0.15.3, when used with Docker, has insufficien ...) - python-werkzeug 0.15.6+dfsg1-1 (low; bug #940935) [buster] - python-werkzeug 0.14.1+dfsg1-4+deb10u1 [stretch] - python-werkzeug 0.11.15+dfsg1-1+deb9u1 [jessie] - python-werkzeug (Vulnerable code not present) NOTE: https://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246 CVE-2019-14805 (studio/builder_menu.php?page=sets in UNA 10.0.0-RC1 allows XSS via the ...) NOT-FOR-US: UNA CVE-2019-14804 (studio/polyglot.php?page=etemplates in UNA 10.0.0-RC1 allows XSS via t ...) NOT-FOR-US: UNA CVE-2019-14803 RESERVED CVE-2019-14802 RESERVED CVE-2017-18486 (Jitbit Helpdesk before 9.0.3 allows remote attackers to escalate privi ...) NOT-FOR-US: Jitbit Helpdesk CVE-2019-14801 (The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress ...) NOT-FOR-US: FV Flowplayer Video Player plugin for WordPress CVE-2019-14800 (The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress ...) NOT-FOR-US: FV Flowplayer Video Player plugin for WordPress CVE-2019-14799 (The FV Flowplayer Video Player plugin before 7.3.14.727 for WordPress ...) NOT-FOR-US: FV Flowplayer Video Player plugin for WordPress CVE-2019-14798 (The 10Web Photo Gallery plugin before 1.5.25 for WordPress has Authent ...) NOT-FOR-US: 10Web Photo Gallery plugin for WordPress CVE-2019-14797 (The 10Web Photo Gallery plugin before 1.5.23 for WordPress has authent ...) NOT-FOR-US: 10Web Photo Gallery plugin for WordPress CVE-2019-14796 (The mq-woocommerce-products-price-bulk-edit (aka Woocommerce Products ...) NOT-FOR-US: mq-woocommerce-products-price-bulk-edit (aka Woocommerce Products Price Bulk Edit) plugin for WordPress CVE-2019-14795 (The toggle-the-title (aka Toggle The Title) plugin 1.4 for WordPress h ...) NOT-FOR-US: toggle-the-title (aka Toggle The Title) plugin for WordPress CVE-2019-14794 (The Meta Box plugin before 4.16.2 for WordPress mishandles the uploadi ...) NOT-FOR-US: Meta Box plugin for WordPress CVE-2019-14793 (The Meta Box plugin before 4.16.3 for WordPress allows file deletion v ...) NOT-FOR-US: Meta Box plugin for WordPress CVE-2019-14792 (The WP Google Maps plugin before 7.11.35 for WordPress allows XSS via ...) NOT-FOR-US: WP Google Maps plugin for WordPress CVE-2019-14791 (The Appointment Booking Calendar plugin 1.3.18 for WordPress allows XS ...) NOT-FOR-US: Appointment Booking Calendar plugin for WordPress CVE-2019-14790 (The limb-gallery (aka Limb Gallery) plugin 1.4.0 for WordPress has XSS ...) NOT-FOR-US: limb-gallery (aka Limb Gallery) plugin for WordPress CVE-2019-14789 (The Custom 404 Pro plugin 3.2.8 for WordPress has XSS via the wp-admin ...) NOT-FOR-US: Custom 404 Pro plugin for WordPress CVE-2019-14788 (wp-admin/admin-ajax.php?action=newsletters_exportmultiple in the Tribu ...) NOT-FOR-US: Tribulant Newsletters plugin for WordPress CVE-2019-14787 (The Tribulant Newsletters plugin before 4.6.19 for WordPress allows XS ...) NOT-FOR-US: Tribulant Newsletters plugin for WordPress CVE-2019-14786 (The Rank Math SEO plugin 1.0.27 for WordPress allows non-admin users t ...) NOT-FOR-US: Rank Math SEO plugin for WordPress CVE-2019-14785 (The "CP Contact Form with PayPal" plugin before 1.2.99 for WordPress h ...) NOT-FOR-US: "CP Contact Form with PayPal" plugin for WordPress CVE-2019-14784 (The "CP Contact Form with PayPal" plugin before 1.2.98 for WordPress h ...) NOT-FOR-US: "CP Contact Form with PayPal" plugin for WordPress CVE-2019-14783 (On Samsung mobile devices with N(7.x), and O(8.x), P(9.0) software, Fo ...) NOT-FOR-US: Samsung CVE-2019-14782 (CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.856 through 0.9.8 ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-14781 RESERVED CVE-2019-14780 RESERVED CVE-2016-10865 (The Lightbox Plus Colorbox plugin through 2.7.2 for WordPress has cros ...) NOT-FOR-US: Lightbox Plus Colorbox plugin for WordPress CVE-2019-14779 RESERVED CVE-2019-14778 (The mkv::virtual_segment_c::seek method of demux/mkv/virtual_segment.c ...) {DSA-4504-1} - vlc 3.0.8-1 [jessie] - vlc (https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14777 (The Control function of demux/mkv/mkv.cpp in VideoLAN VLC media player ...) {DSA-4504-1} - vlc 3.0.8-1 [jessie] - vlc (https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14776 (A heap-based buffer over-read exists in DemuxInit() in demux/asf/asf.c ...) {DSA-4504-1} - vlc 3.0.8-1 [jessie] - vlc (https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14775 RESERVED CVE-2019-12625 (ClamAV versions prior to 0.101.3 are susceptible to a zip bomb vulnera ...) {DLA-1953-1} - clamav 0.101.4+dfsg-1 (bug #934359) [buster] - clamav 0.101.4+dfsg-0+deb10u1 [stretch] - clamav 0.101.4+dfsg-0+deb9u1 NOTE: https://www.openwall.com/lists/oss-security/2019/08/06/3 NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=12356 NOTE: Partially adressed already in 0.101.2+dfsg-3 but incomplete. NOTE: https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html CVE-2019-14774 (The woo-variation-swatches (aka Variation Swatches for WooCommerce) pl ...) NOT-FOR-US: Wordpress plugin CVE-2019-14773 (admin/includes/class.actions.snippet.php in the "Woody ad snippets" pl ...) NOT-FOR-US: Wordpress plugin CVE-2019-14772 (verdaccio before 3.12.0 allows XSS. ...) NOT-FOR-US: verdaccio CVE-2019-14771 (Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 allows the ...) - backdrop (bug #914257) CVE-2019-14770 (In Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3, some me ...) - backdrop (bug #914257) CVE-2019-14769 (Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 doesn't suf ...) - backdrop (bug #914257) CVE-2019-14768 (An Arbitrary File Upload issue in the file browser of DIMO YellowBox C ...) NOT-FOR-US: DIMO YellowBox CRM CVE-2019-14767 (In DIMO YellowBox CRM before 6.3.4, Path Traversal in images/Apparence ...) NOT-FOR-US: DIMO YellowBox CRM CVE-2019-14766 (Path Traversal in the file browser of DIMO YellowBox CRM before 6.3.4 ...) NOT-FOR-US: DIMO YellowBox CRM CVE-2019-14765 (Incorrect Access Control in AfficheExplorateurParam() in DIMO YellowBo ...) NOT-FOR-US: DIMO YellowBox CRM CVE-2019-14764 RESERVED CVE-2019-14763 (In the Linux kernel before 4.16.4, a double-locking error in drivers/u ...) - linux 4.16.5-1 [stretch] - linux (Vulnerability introduced later) [jessie] - linux (Vulnerability introduced later) CVE-2019-14762 RESERVED CVE-2019-14761 RESERVED CVE-2019-14760 RESERVED CVE-2019-14759 RESERVED CVE-2019-14758 RESERVED CVE-2019-14757 RESERVED CVE-2019-14756 RESERVED CVE-2019-14755 (The profile photo upload feature in Leaf Admin 61.9.0212.10 f allows U ...) NOT-FOR-US: Leaf Admin CVE-2019-14754 (Open-School 3.0, and Community Edition 2.3, allows SQL Injection via t ...) NOT-FOR-US: Open-School CVE-2018-20962 (The Backpack\CRUD Backpack component before 3.4.9 for Laravel allows X ...) NOT-FOR-US: Backpack\CRUD Backpack CVE-2019-14753 (SICK FX0-GPNT00000 and FX0-GENT00000 devices through 3.4.0 have a Buff ...) NOT-FOR-US: SICK FX0-GPNT00000 and FX0-GENT00000 devices CVE-2019-14752 (SuiteCRM 7.10.x and 7.11.x before 7.10.20 and 7.11.8 has XSS. ...) NOT-FOR-US: SuiteCRM CVE-2019-14751 (NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, a ...) - nltk 3.4.5-1 (low; bug #935201) [buster] - nltk (Minor issue) [stretch] - nltk (Minor issue) [jessie] - nltk (Minor issue; user has to configure a compromised server) NOTE: https://salvatoresecurity.com/zip-slip-in-nltk-cve-2019-14751/ NOTE: https://github.com/nltk/nltk/commit/f59d7ed8df2e0e957f7f247fe218032abdbe9a10 CVE-2019-14750 (An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1. ...) NOT-FOR-US: osTicket CVE-2019-14749 (An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1. ...) NOT-FOR-US: osTicket CVE-2019-14748 (An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1. ...) NOT-FOR-US: osTicket CVE-2019-14747 (DWSurvey through 2019-07-22 has stored XSS via the design/my-survey-de ...) NOT-FOR-US: DWSurvey CVE-2019-14746 (A issue was discovered in KuaiFanCMS 5.0. It allows eval injection by ...) NOT-FOR-US: KuaiFanCMS CVE-2019-14745 (In radare2 before 3.7.0, a command injection vulnerability exists in b ...) - radare2 3.9.0+dfsg-1 (bug #934204) [jessie] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/pull/14690 NOTE: When fixing this ussue make sure to not only apply the initial commits but NOTE: as well the followups to avoid opening CVE-2019-16718: NOTE: https://github.com/radareorg/radare2/commit/5411543a310a470b1257fb93273cdd6e8dfcb3af NOTE: https://github.com/radareorg/radare2/commit/dd739f5a45b3af3d1f65f00fe19af1dbfec7aea7 CVE-2019-14744 (In KDE Frameworks KConfig before 5.61.0, malicious desktop files and c ...) {DSA-4494-1 DLA-1890-1} - kconfig 5.54.0-2 (bug #934267) - kde4libs 4:4.14.38-4 (bug #934268) [buster] - kde4libs (Minor issue) [stretch] - kde4libs (Minor issue) NOTE: https://gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt NOTE: https://kde.org/info/security/advisory-20190807-1.txt NOTE: kconfig: https://cgit.kde.org/kconfig.git/commit/?id=5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22 NOTE: kdelibs: https://cgit.kde.org/kdelibs.git/commit/?id=2c3762feddf7e66cf6b64d9058f625a715694a00 CVE-2019-14743 (In Valve Steam Client for Windows through 2019-08-07, HKLM\SOFTWARE\Wo ...) NOT-FOR-US: Valve Steam Client for Windows CVE-2019-14742 RESERVED CVE-2019-14741 RESERVED CVE-2019-14740 RESERVED CVE-2019-14739 RESERVED CVE-2019-14738 RESERVED CVE-2019-14737 (Ubisoft Uplay 92.0.0.6280 has Insecure Permissions. ...) NOT-FOR-US: Ubisoft Uplay CVE-2019-14736 RESERVED CVE-2019-14735 RESERVED CVE-2019-14734 (AdPlug 2.3.1 has multiple heap-based buffer overflows in CmtkLoader::l ...) - adplug [buster] - adplug (Minor issue) [stretch] - adplug (Minor issue) [jessie] - adplug (Minor issue) NOTE: https://github.com/adplug/adplug/issues/90 CVE-2019-14733 (AdPlug 2.3.1 has multiple heap-based buffer overflows in CradLoader::l ...) - adplug [buster] - adplug (Minor issue) [stretch] - adplug (Minor issue) [jessie] - adplug (Minor issue) NOTE: https://github.com/adplug/adplug/issues/89 CVE-2019-14732 (AdPlug 2.3.1 has multiple heap-based buffer overflows in Ca2mLoader::l ...) - adplug [buster] - adplug (Minor issue) [stretch] - adplug (Minor issue) [jessie] - adplug (Minor issue) NOTE: https://github.com/adplug/adplug/issues/88 CVE-2019-14731 (An issue was discovered in ZenTao 11.5.1. There is an XSS (stored) vul ...) NOT-FOR-US: ZenTao CMS CVE-2019-14730 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecu ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-14729 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecu ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-14728 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecu ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-14727 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecu ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-14726 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecu ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-14725 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecu ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-14724 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecu ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-14723 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecu ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-14722 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecu ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-14721 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecu ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-14720 RESERVED CVE-2019-14719 RESERVED CVE-2019-14718 RESERVED CVE-2019-14717 RESERVED CVE-2019-14716 RESERVED CVE-2019-14715 RESERVED CVE-2019-14714 RESERVED CVE-2019-14713 RESERVED CVE-2019-14712 RESERVED CVE-2019-14711 RESERVED CVE-2019-14710 RESERVED CVE-2019-14709 (A cleartext password storage issue was discovered on MicroDigital N-se ...) NOT-FOR-US: MicroDigital CVE-2019-14708 (An issue was discovered on MicroDigital N-series cameras with firmware ...) NOT-FOR-US: MicroDigital CVE-2019-14707 (An issue was discovered on MicroDigital N-series cameras with firmware ...) NOT-FOR-US: MicroDigital CVE-2019-14706 (A denial of service issue in HTTPD was discovered on MicroDigital N-se ...) NOT-FOR-US: MicroDigital CVE-2019-14705 (An Incorrect Access Control issue was discovered on MicroDigital N-ser ...) NOT-FOR-US: MicroDigital CVE-2019-14704 (An SSRF issue was discovered in HTTPD on MicroDigital N-series cameras ...) NOT-FOR-US: MicroDigital CVE-2019-14703 (A CSRF issue was discovered in webparam?user&action=set&param= ...) NOT-FOR-US: MicroDigital CVE-2019-14702 (An issue was discovered on MicroDigital N-series cameras with firmware ...) NOT-FOR-US: MicroDigital CVE-2019-14701 (An issue was discovered on MicroDigital N-series cameras with firmware ...) NOT-FOR-US: MicroDigital CVE-2019-14700 (An issue was discovered on MicroDigital N-series cameras with firmware ...) NOT-FOR-US: MicroDigital CVE-2019-14699 (An issue was discovered on MicroDigital N-series cameras with firmware ...) NOT-FOR-US: MicroDigital CVE-2019-14698 (An issue was discovered on MicroDigital N-series cameras with firmware ...) NOT-FOR-US: MicroDigital CVE-2019-14696 (Open-School 3.0, and Community Edition 2.3, allows XSS via the osv/ind ...) NOT-FOR-US: Open-School CVE-2019-14695 (A SQL injection vulnerability exists in the Sygnoos Popup Builder plug ...) NOT-FOR-US: Sygnoos Popup Builder plugin for WordPress CVE-2019-14694 (A use-after-free flaw in the sandbox container implemented in cmdguard ...) NOT-FOR-US: Comodo Antivirus CVE-2019-14693 (Zoho ManageEngine AssetExplorer 6.2.0 is vulnerable to an XML External ...) NOT-FOR-US: Zoho ManageEngine AssetExplorer CVE-2019-14692 (AdPlug 2.3.1 has a heap-based buffer overflow in CmkjPlayer::load() in ...) [experimental] - adplug 2.3.3+dfsg-1 - adplug (bug #943927) [buster] - adplug (Minor issue) [stretch] - adplug (Minor issue) [jessie] - adplug (Minor issue) NOTE: https://github.com/adplug/adplug/issues/87 CVE-2019-14691 (AdPlug 2.3.1 has a heap-based buffer overflow in CdtmLoader::load() in ...) [experimental] - adplug 2.3.3+dfsg-1 - adplug (bug #943928) [buster] - adplug (Minor issue) [stretch] - adplug (Minor issue) [jessie] - adplug (Minor issue) NOTE: https://github.com/adplug/adplug/issues/86 CVE-2019-14690 (AdPlug 2.3.1 has a heap-based buffer overflow in CxadbmfPlayer::__bmf_ ...) [experimental] - adplug 2.3.3+dfsg-1 - adplug (bug #943929) [buster] - adplug (Minor issue) [stretch] - adplug (Minor issue) [jessie] - adplug (Minor issue) NOTE: https://github.com/adplug/adplug/issues/85 CVE-2019-14697 (musl libc through 1.1.23 has an x87 floating-point stack adjustment im ...) - musl 1.1.23-2 [buster] - musl (Minor issue) [stretch] - musl (Minor issue) [jessie] - musl (Minor issue) NOTE: https://git.musl-libc.org/cgit/musl/patch/?id=f3ed8bfe8a82af1870ddc8696ed4cc1d5aa6b441 NOTE: https://git.musl-libc.org/cgit/musl/patch/?id=6818c31c9bc4bbad5357f1de14bedf781e5b349e NOTE: https://www.openwall.com/lists/oss-security/2019/08/06/1 CVE-2019-14689 RESERVED CVE-2019-14688 (Trend Micro has repackaged installers for several Trend Micro products ...) NOT-FOR-US: Trend Micro CVE-2019-14687 (A DLL hijacking vulnerability exists in Trend Micro Password Manager 5 ...) NOT-FOR-US: Trend Micro CVE-2019-14686 (A DLL hijacking vulnerability exists in the Trend Micro Security's 201 ...) NOT-FOR-US: Trend Micro CVE-2019-14685 (A local privilege escalation vulnerability exists in Trend Micro Secur ...) NOT-FOR-US: Trend Micro CVE-2019-14684 (A DLL hijacking vulnerability exists in Trend Micro Password Manager 5 ...) NOT-FOR-US: Trend Micro CVE-2019-14683 (The codection "Import users from CSV with meta" plugin before 1.14.2.2 ...) NOT-FOR-US: Wordpress plugin CVE-2019-14682 (The acf-better-search (aka ACF: Better Search) plugin before 3.3.1 for ...) NOT-FOR-US: Wordpress plugin CVE-2019-14681 (The Deny All Firewall plugin before 1.1.7 for WordPress allows wp-admi ...) NOT-FOR-US: Wordpress plugin CVE-2019-14680 (The admin-renamer-extended (aka Admin renamer extended) plugin 3.2.1 f ...) NOT-FOR-US: Wordpress plugin CVE-2019-14679 (core/views/arprice_import_export.php in the ARPrice Lite plugin 2.2 fo ...) NOT-FOR-US: Wordpress plugin CVE-2019-14678 (SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability tha ...) NOT-FOR-US: SAP CVE-2019-14677 RESERVED CVE-2019-14676 RESERVED CVE-2019-14675 RESERVED CVE-2019-14674 RESERVED CVE-2019-14673 RESERVED CVE-2019-14672 (Firefly III 4.7.17.5 is vulnerable to stored XSS due to the lack of fi ...) NOT-FOR-US: Firefly CVE-2019-14671 (Firefly III 4.7.17.3 is vulnerable to local file enumeration. An attac ...) NOT-FOR-US: Firefly CVE-2019-14670 (Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of fi ...) NOT-FOR-US: Firefly CVE-2019-14669 (Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of fi ...) NOT-FOR-US: Firefly CVE-2019-14668 (Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of fi ...) NOT-FOR-US: Firefly CVE-2019-14667 (Firefly III 4.7.17.4 is vulnerable to multiple stored XSS issues due t ...) NOT-FOR-US: Firefly CVE-2015-9292 (6kbbs 7.1 and 8.0 allows CSRF via portalchannel_ajax.php (id or code p ...) NOT-FOR-US: 6kbbs CVE-2019-14666 (GLPI through 9.4.3 is prone to account takeover by abusing the ajax/au ...) - glpi (unimportant) NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-47hq-pfrr-jh5q NOTE: Only supported behind an authenticated HTTP zone CVE-2019-14665 (Brandy 1.20.1 has a heap-based buffer overflow in define_array in vari ...) - brandy (unimportant; bug #933996) NOTE: https://sourceforge.net/p/brandy/bugs/8/ NOTE: Negligible security impact CVE-2019-14664 (In Enigmail below 2.1, an attacker in possession of PGP encrypted emai ...) - enigmail [buster] - enigmail (Minor issue and too intrusive to backport) [stretch] - enigmail (Minor issue and too intrusive to backport) [jessie] - enigmail (see https://lists.debian.org/debian-lts-announce/2019/02/msg00002.html) NOTE: https://sourceforge.net/p/enigmail/bugs/984/ CVE-2019-14663 (Brandy 1.20.1 has a stack-based buffer overflow in fileio_openin in fi ...) - brandy (unimportant; bug #933996) NOTE: https://sourceforge.net/p/brandy/bugs/6/ NOTE: Negligible security impact CVE-2019-14662 (Brandy 1.20.1 has a stack-based buffer overflow in fileio_openout in f ...) - brandy (unimportant; bug #933996) NOTE: https://sourceforge.net/p/brandy/bugs/7/ NOTE: Negligible security impact CVE-2018-20961 (In the Linux kernel before 4.16.4, a double free vulnerability in the ...) - linux 4.16.5-1 [stretch] - linux 4.9.107-1 [jessie] - linux (Vulnerability introduced later) NOTE: Fixed by: https://git.kernel.org/linus/7fafcfdf6377b18b2a726ea554d6e593ba44349f CVE-2018-20960 (Nespresso Prodigio devices lack Bluetooth connection security. ...) NOT-FOR-US: Nespresso Prodigio CVE-2018-20959 (Jura E8 devices lack Bluetooth connection security. ...) NOT-FOR-US: Jura E8 devices CVE-2018-20958 (The Bluetooth Low Energy (BLE) subsystem on Tapplock devices before 20 ...) NOT-FOR-US: Tapplock devices CVE-2018-20957 (The Bluetooth Low Energy (BLE) subsystem on Tapplock devices before 20 ...) NOT-FOR-US: Tapplock devices CVE-2018-20956 (Swann SWWHD-INTCAM-HD devices leave the PSK in logs after a factory re ...) NOT-FOR-US: Swann CVE-2018-20955 (Swann SWWHD-INTCAM-HD devices have the twipc root password, leading to ...) NOT-FOR-US: Swann CVE-2017-18485 (Cognitoys Dino devices allow profiles_add.html CSRF. ...) NOT-FOR-US: Cognitoys Dino CVE-2017-18484 (Cognitoys Dino devices allow XSS via the SSID. ...) NOT-FOR-US: Cognitoys Dino CVE-2016-10864 (NETGEAR EX7000 V1.0.0.42_1.0.94 devices allow XSS via the SSID. ...) NOT-FOR-US: NETGEAR CVE-2016-10863 (Edimax Wi-Fi Extender devices allow goform/formwlencryptvxd CSRF with ...) NOT-FOR-US: Edimax CVE-2019-14661 RESERVED CVE-2019-14660 RESERVED CVE-2019-14659 REJECTED CVE-2019-14658 RESERVED CVE-2019-14657 (Yealink phones through 2019-08-04 have an issue with OpenVPN file uplo ...) NOT-FOR-US: Yealink CVE-2019-14656 (Yealink phones through 2019-08-04 do not properly check user roles in ...) NOT-FOR-US: Yealink CVE-2019-14655 REJECTED CVE-2019-14654 (In Joomla! 3.9.7 and 3.9.8, inadequate filtering allows users authoris ...) NOT-FOR-US: Joomla! CVE-2018-20954 (The "Security and Privacy" Encryption feature in Mailpile before 1.0.0 ...) NOT-FOR-US: Mailpile CVE-2019-XXXX [Buffer overflow during processing of large server replies] - pump (bug #933674) [jessie] - pump 0.8.24-7+deb8u1 CVE-2019-14653 (pandao Editor.md 1.5.0 allows XSS via an attribute of an ABBR or SUP e ...) NOT-FOR-US: pandao Editor.md CVE-2019-14652 (explorer.js in Amazon AWS JavaScript S3 Explorer (aka aws-js-s3-explor ...) NOT-FOR-US: Amazon AWS JavaScript S3 Explorer CVE-2019-14651 RESERVED CVE-2019-14650 RESERVED CVE-2019-14649 RESERVED CVE-2019-14648 RESERVED CVE-2019-14647 RESERVED CVE-2019-14646 RESERVED CVE-2019-14645 RESERVED CVE-2019-14644 RESERVED CVE-2019-14643 RESERVED CVE-2019-14642 RESERVED CVE-2019-14641 RESERVED CVE-2019-14640 RESERVED CVE-2019-14639 RESERVED CVE-2019-14638 RESERVED CVE-2019-14637 RESERVED CVE-2019-14636 RESERVED CVE-2019-14635 RESERVED CVE-2019-14634 RESERVED CVE-2019-14633 RESERVED CVE-2019-14632 RESERVED CVE-2019-14631 RESERVED CVE-2019-14630 RESERVED CVE-2019-14629 (Improper permissions in Intel(R) DAAL before version 2020 Gold may all ...) NOT-FOR-US: Intel CVE-2019-14628 RESERVED CVE-2019-14627 RESERVED CVE-2019-14626 (Improper access control in PCIe function for the Intel® FPGA Prog ...) NOT-FOR-US: Intel CVE-2019-14625 (Improper access control in on-card storage for the Intel® FPGA Pr ...) NOT-FOR-US: Intel CVE-2019-14624 RESERVED CVE-2019-14623 RESERVED CVE-2019-14622 RESERVED CVE-2019-14621 RESERVED CVE-2019-14620 RESERVED CVE-2019-14619 RESERVED CVE-2019-14618 RESERVED CVE-2019-14617 RESERVED CVE-2019-14616 RESERVED CVE-2019-14615 (Insufficient control flow in certain data structures for some Intel(R) ...) {DLA-2114-1} - linux 5.4.13-1 [buster] - linux 4.19.98-1 [stretch] - linux 4.9.210-1 [jessie] - linux (Driver doesn't support this hardware) NOTE: https://git.kernel.org/linus/bc8a76a152c5f9ef3b48104154a65a68a8b76946 CVE-2019-14614 RESERVED CVE-2019-14613 (Improper access control in driver for Intel(R) VTune(TM) Amplifier for ...) NOT-FOR-US: Intel CVE-2019-14612 (Out of bounds write in firmware for Intel(R) NUC(R) may allow a privil ...) NOT-FOR-US: Intel CVE-2019-14611 (Integer overflow in firmware for Intel(R) NUC(R) may allow a privilege ...) NOT-FOR-US: Intel CVE-2019-14610 (Improper access control in firmware for Intel(R) NUC(R) may allow an a ...) NOT-FOR-US: Intel CVE-2019-14609 (Improper input validation in firmware for Intel(R) NUC(R) may allow a ...) NOT-FOR-US: Intel CVE-2019-14608 (Improper buffer restrictions in firmware for Intel(R) NUC(R) may allow ...) NOT-FOR-US: Intel CVE-2019-14607 (Improper conditions check in multiple Intel® Processors may allow ...) {DSA-4565-2} - intel-microcode 3.20191115.1 NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00317.html CVE-2019-14606 RESERVED CVE-2019-14605 (Improper permissions in the installer for the Intel(R) SCS Platform Di ...) NOT-FOR-US: Intel CVE-2019-14604 (Null pointer dereference in the FPGA kernel driver for Intel(R) Quartu ...) NOT-FOR-US: Intel CVE-2019-14603 (Improper permissions in the installer for the License Server software ...) NOT-FOR-US: Intel CVE-2019-14602 (Improper permissions in the installer for the Nuvoton* CIR Driver vers ...) NOT-FOR-US: Nuvoton* CIR Driver CVE-2019-14601 (Improper permissions in the installer for Intel(R) RWC 3 for Windows b ...) NOT-FOR-US: Intel CVE-2019-14600 (Uncontrolled search path element in the installer for Intel(R) SNMP Su ...) NOT-FOR-US: Intel CVE-2019-14599 (Unquoted service path in Control Center-I version 2.1.0.0 and earlier ...) NOT-FOR-US: Intel CVE-2019-14598 (Improper Authentication in subsystem in Intel(R) CSME versions 12.0 th ...) NOT-FOR-US: Intel CVE-2019-14597 RESERVED CVE-2019-14596 (Improper access control in the installer for Intel(R) Chipset Device S ...) NOT-FOR-US: Intel CVE-2019-14595 RESERVED CVE-2019-14594 RESERVED CVE-2019-14593 RESERVED CVE-2019-14592 RESERVED CVE-2019-14591 (Improper input validation in the API for Intel(R) Graphics Driver vers ...) NOT-FOR-US: Intel Windows graphics driver CVE-2019-14590 (Improper access control in the API for the Intel(R) Graphics Driver ve ...) NOT-FOR-US: Intel Windows graphics driver CVE-2019-14589 RESERVED CVE-2019-14588 RESERVED CVE-2019-14587 RESERVED - edk2 0~20200229.4c0f6e34-1 [buster] - edk2 0~20181115.85588389-3+deb10u1 [stretch] - edk2 (Minor issue) [jessie] - edk2 (non-free) CVE-2019-14586 RESERVED - edk2 0~20200229.4c0f6e34-1 [buster] - edk2 0~20181115.85588389-3+deb10u1 [stretch] - edk2 (Minor issue) [jessie] - edk2 (non-free) CVE-2019-14585 RESERVED CVE-2019-14584 RESERVED CVE-2019-14583 RESERVED CVE-2019-14582 RESERVED CVE-2019-14581 RESERVED CVE-2019-14580 RESERVED CVE-2019-14579 RESERVED CVE-2019-14578 RESERVED CVE-2019-14577 RESERVED CVE-2019-14576 RESERVED CVE-2019-14575 [DxeImageVerificationHandler() fails open in case of dbx signature check] RESERVED - edk2 0~20200229.4c0f6e34-1 (low; bug #952935) [buster] - edk2 0~20181115.85588389-3+deb10u1 [stretch] - edk2 (Minor issue) [jessie] - edk2 (non-free) NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 CVE-2019-14574 (Out of bounds read in a subsystem for Intel(R) Graphics Driver version ...) NOT-FOR-US: Intel Windows graphics driver CVE-2019-14573 RESERVED CVE-2019-14572 RESERVED CVE-2019-14571 RESERVED CVE-2019-14570 (Memory corruption in system firmware for Intel(R) NUC may allow a priv ...) NOT-FOR-US: Intel CVE-2019-14569 (Pointer corruption in system firmware for Intel(R) NUC may allow a pri ...) NOT-FOR-US: Intel CVE-2019-14568 (Improper permissions in the executable for Intel(R) RST before version ...) NOT-FOR-US: Intel CVE-2019-14567 RESERVED CVE-2019-14566 (Insufficient input validation in Intel(R) SGX SDK multiple Linux and W ...) NOT-FOR-US: Intel CVE-2019-14565 (Insufficient initialization in Intel(R) SGX SDK Windows versions 2.4.1 ...) NOT-FOR-US: Intel CVE-2019-14564 RESERVED CVE-2019-14563 [numeric truncation in MdeModulePkg/PiDxeS3BootScriptLib] RESERVED - edk2 0~20200229.4c0f6e34-1 (low; bug #952934) [buster] - edk2 0~20181115.85588389-3+deb10u1 [stretch] - edk2 (Minor issue) [jessie] - edk2 (non-free) NOTE: https://github.com/tianocore/edk2/commit/322ac05f8bbc1bce066af1dabd1b70ccdbe28891 NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2001 CVE-2019-14562 RESERVED CVE-2019-14561 RESERVED CVE-2019-14560 RESERVED CVE-2019-14559 [memory leak in ArpOnFrameRcvdDpc] RESERVED - edk2 0~20200229.4c0f6e34-1 (bug #952926; low) [buster] - edk2 0~20181115.85588389-3+deb10u1 [stretch] - edk2 (Minor issue) [jessie] - edk2 (non-free) NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2550 NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2031 CVE-2019-14558 RESERVED - edk2 0~20200229.4c0f6e34-1 [buster] - edk2 0~20181115.85588389-3+deb10u1 [stretch] - edk2 (Minor issue) [jessie] - edk2 (non-free) CVE-2019-14557 RESERVED CVE-2019-14556 RESERVED CVE-2019-14555 RESERVED CVE-2019-14554 RESERVED CVE-2019-14553 [invalid server certificate accepted in HTTPS-over-IPv6 boot] RESERVED - edk2 0~20190828.37eef910-4 (unimportant; bug #941775) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1758518 NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=960 NOTE: unimportant, as Debian builds do not enable HTTPSBOOT (via NOTE: -DNETWORK_TLS_ENABLE=TRUE). CVE-2019-14552 RESERVED CVE-2017-18509 (An issue was discovered in net/ipv6/ip6mr.c in the Linux kernel before ...) {DSA-4497-1 DLA-1885-1 DLA-1884-1} - linux 4.11.6-1 NOTE: https://git.kernel.org/linus/99253eb750fda6a644d5188fb26c43bad8d5a745 NOTE: https://pulsesecurity.co.nz/advisories/linux-kernel-4.9-inetcsklistenstop-gpf CVE-2019-14551 (Das Q before 2019-08-02 allows web sites to execute arbitrary code on ...) NOT-FOR-US: Das Keyboard Q CVE-2019-14550 (An issue was discovered in EspoCRM before 5.6.9. Stored XSS was execut ...) NOT-FOR-US: EspoCRM CVE-2019-14549 (An issue was discovered in EspoCRM before 5.6.9. Stored XSS was execut ...) NOT-FOR-US: EspoCRM CVE-2019-14548 (An issue was discovered in EspoCRM before 5.6.9. Stored XSS in the bod ...) NOT-FOR-US: EspoCRM CVE-2019-14547 (An issue was discovered in EspoCRM before 5.6.9. Stored XSS was execut ...) NOT-FOR-US: EspoCRM CVE-2019-14546 (An issue was discovered in EspoCRM before 5.6.9. Stored XSS was execut ...) NOT-FOR-US: EspoCRM CVE-2019-14545 RESERVED CVE-2019-14544 (routes/api/v1/api.go in Gogs 0.11.86 lacks permission checks for route ...) NOT-FOR-US: Go Git Service CVE-2019-14543 RESERVED CVE-2019-14542 RESERVED CVE-2019-14541 (GnuCOBOL 2.2 has a stack-based buffer overflow in cb_encode_program_id ...) - gnucobol 3.0~rc1-2 (low; bug #933884) [buster] - gnucobol (Minor issue) - open-cobol [stretch] - open-cobol (Minor issue) [jessie] - open-cobol (Minor issue) NOTE: https://sourceforge.net/p/open-cobol/bugs/584/ CVE-2019-14540 (A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...) {DSA-4542-1 DLA-1943-1} - jackson-databind 2.10.0-1 (bug #940498) NOTE: https://github.com/FasterXML/jackson-databind/issues/2410 NOTE: https://github.com/FasterXML/jackson-databind/issues/2449 NOTE: https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de CVE-2019-14539 RESERVED CVE-2019-14538 RESERVED CVE-2019-14537 (YOURLS through 1.7.3 is affected by a type juggling vulnerability in t ...) NOT-FOR-US: YOURLS CVE-2019-14536 RESERVED CVE-2017-18483 (ANNKE SP1 HD wireless camera 3.4.1.1604071109 devices allow XSS via a ...) NOT-FOR-US: ANNKE SP1 HD wireless camera devices CVE-2016-10862 (Neet AirStream NAS1.1 devices have a password of ifconfig for the root ...) NOT-FOR-US: Neet AirStream NAS1.1 devices CVE-2016-10861 (Neet AirStream NAS1.1 devices allow CSRF attacks that cause the settin ...) NOT-FOR-US: Neet AirStream NAS1.1 devices CVE-2019-14535 (A divide-by-zero error exists in the SeekIndex function of demux/asf/a ...) {DSA-4504-1} - vlc 3.0.8-1 [jessie] - vlc (https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14534 (In VideoLAN VLC media player 3.0.7.1, there is a NULL pointer derefere ...) {DSA-4504-1} - vlc 3.0.8-1 [jessie] - vlc (https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14533 (The Control function of demux/asf/asf.c in VideoLAN VLC media player 3 ...) {DSA-4504-1} - vlc 3.0.8-1 [jessie] - vlc (https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14532 (An issue was discovered in The Sleuth Kit (TSK) 4.6.6. There is an off ...) - sleuthkit (unimportant) NOTE: https://github.com/sleuthkit/sleuthkit/issues/1575 NOTE: Negligible security impact CVE-2019-14531 (An issue was discovered in The Sleuth Kit (TSK) 4.6.6. There is an out ...) - sleuthkit (unimportant) NOTE: https://github.com/sleuthkit/sleuthkit/issues/1576 NOTE: Negligible security impact CVE-2019-14530 (An issue was discovered in custom/ajax_download.php in OpenEMR before ...) NOT-FOR-US: OpenEMR CVE-2019-14529 (OpenEMR before 5.0.2 allows SQL Injection in interface/forms/eye_mag/s ...) NOT-FOR-US: OpenEMR CVE-2019-14528 (GnuCOBOL 2.2 has a heap-based buffer overflow in read_literal in cobc/ ...) - gnucobol 3.0~rc1-2 (low; bug #933884) [buster] - gnucobol (Minor issue) - open-cobol [stretch] - open-cobol (Minor issue) [jessie] - open-cobol (Minor issue) NOTE: https://sourceforge.net/p/open-cobol/bugs/583/ CVE-2019-14527 (An issue was discovered on NETGEAR Nighthawk M1 (MR1100) devices befor ...) NOT-FOR-US: NETGEAR CVE-2019-14526 (An issue was discovered on NETGEAR Nighthawk M1 (MR1100) devices befor ...) NOT-FOR-US: NETGEAR CVE-2019-14525 (In Octopus Deploy 2019.4.0 through 2019.6.x before 2019.6.6, and 2019. ...) NOT-FOR-US: Octopus Deploy CVE-2019-14524 (An issue was discovered in Schism Tracker through 20190722. There is a ...) - schism 2:20190805-1 (bug #933808) [buster] - schism (Minor issue) [stretch] - schism (Minor issue) [jessie] - schism (Minor issue) NOTE: https://github.com/schismtracker/schismtracker/issues/201 CVE-2019-14523 (An issue was discovered in Schism Tracker through 20190722. There is a ...) - schism 2:20190805-1 (bug #933809) [buster] - schism (Minor issue) [stretch] - schism (Minor issue) [jessie] - schism (Minor issue) NOTE: https://github.com/schismtracker/schismtracker/issues/202 CVE-2019-14522 RESERVED CVE-2019-14521 (The api/admin/logoupload Logo File upload feature in EMCA Energy Logse ...) NOT-FOR-US: EMCA Energy Logserver CVE-2019-14520 RESERVED CVE-2019-14519 RESERVED CVE-2019-14518 (** DISPUTED ** Evolution CMS 2.0.x allows XSS via a description and ne ...) NOT-FOR-US: Evolution CMS CVE-2019-14517 (pandao Editor.md 1.5.0 allows XSS via the Javas&#99;ript: string. ...) NOT-FOR-US: pandao Editor.md CVE-2019-14516 (The mAadhaar application 1.2.7 for Android lacks SSL Certificate Valid ...) NOT-FOR-US: mAadhaar application for Android CVE-2019-14515 RESERVED CVE-2019-14514 (An issue was discovered in Microvirt MEmu all versions prior to 7.0.2. ...) NOT-FOR-US: Microvirt MEmu CVE-2019-14513 (Improper bounds checking in Dnsmasq before 2.76 allows an attacker con ...) {DLA-1921-1} - dnsmasq 2.76-1 [buster] - dnsmasq (Minor issue) [stretch] - dnsmasq (Minor issue) NOTE: https://github.com/Slovejoy/dnsmasq-pre2.76 NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=d3a8b39c7df2f0debf3b5f274a1c37a9e261f94e CVE-2019-14512 (LimeSurvey 3.17.7+190627 has XSS via Boxes in application/extensions/P ...) - limesurvey (bug #472802) CVE-2019-14511 (Sphinx Technologies Sphinx 3.1.1 by default has no authentication and ...) - sphinxsearch (unimportant; bug #939762) NOTE: Issue is just with the default configuration, but can be easily reconfigured NOTE: to listen on localhost only. sphinxsearch will not be started automatically NOTE: and an admin needs first to create anyway a /etc/sphinxsearch/sphinx.conf NOTE: starting from a sample. NOTE: sphinxsearch should ideally update the defaults in sample configs to bind NOTE: listeners to localhost. NOTE: This is not treated as a vulnerability, subject to design choices for deployment CVE-2019-14510 (An issue was discovered in Kaseya VSA RMM through 9.5.0.22. When using ...) NOT-FOR-US: Kaseya VSA RMM CVE-2019-14509 RESERVED CVE-2019-14508 REJECTED CVE-2019-14507 REJECTED CVE-2019-14506 REJECTED CVE-2019-14505 REJECTED CVE-2019-14504 REJECTED CVE-2019-14503 REJECTED CVE-2019-14502 REJECTED CVE-2019-14501 REJECTED CVE-2019-14500 REJECTED CVE-2019-14499 REJECTED CVE-2019-14498 (A divide-by-zero error exists in the Control function of demux/caf.c i ...) {DSA-4504-1} - vlc 3.0.8-1 [jessie] - vlc (https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14497 (ModuleEditor::convertInstrument in tracker/ModuleEditor.cpp in MilkyTr ...) {DLA-1961-1} - milkytracker 1.02.00+dfsg-2 (bug #933964) [buster] - milkytracker (Minor issue) [stretch] - milkytracker (Minor issue) NOTE: https://github.com/milkytracker/MilkyTracker/issues/182 NOTE: https://github.com/milkytracker/MilkyTracker/commit/ea7772a3fae0a9dd0a322e8fec441d15843703b7 CVE-2019-14496 (LoaderXM::load in LoaderXM.cpp in milkyplay in MilkyTracker 1.02.00 ha ...) {DLA-1961-1} - milkytracker 1.02.00+dfsg-2 (bug #933964) [buster] - milkytracker (Minor issue) [stretch] - milkytracker (Minor issue) NOTE: https://github.com/milkytracker/MilkyTracker/issues/183 NOTE: https://github.com/milkytracker/MilkyTracker/commit/ea7772a3fae0a9dd0a322e8fec441d15843703b7 CVE-2019-14495 (webadmin.c in 3proxy before 0.8.13 has an out-of-bounds write in the a ...) - 3proxy (bug #718219) CVE-2019-14494 (An issue was discovered in Poppler through 0.78.0. There is a divide-b ...) [experimental] - poppler 0.81.0-1 - poppler (bug #933812) [buster] - poppler (Minor issue) [stretch] - poppler (Minor issue) [jessie] - poppler (Minor issue) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/802 NOTE: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/317 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/b224e2f5739fe61de9fa69955d016725b2a4b78d CVE-2019-14493 (An issue was discovered in OpenCV before 4.1.1. There is a NULL pointe ...) [experimental] - opencv 4.1.1+dfsg-1 - opencv 4.1.2+dfsg-3 [buster] - opencv (Minor issue) [stretch] - opencv (Minor issue) [jessie] - opencv (Minor issue, DoS, PoC not crashing) NOTE: https://github.com/opencv/opencv/issues/15127 NOTE: https://github.com/opencv/opencv/commit/5691d998ead1d9b0542bcfced36c2dceb3a59023 NOTE: In older versions of opencv missing NULL pointer check(s) are in NOTE: modules/core/src/persistence.cpp (before refactoring). TODO: check if the old code though is really affected, might been introduced with the refactoring CVE-2019-14492 (An issue was discovered in OpenCV before 3.4.7 and 4.x before 4.1.1. T ...) [experimental] - opencv 4.1.1+dfsg-1 - opencv 4.1.2+dfsg-3 [buster] - opencv (Minor issue; can be fixed via point release) [stretch] - opencv (Minor issue; can be fixed via point release) [jessie] - opencv (Minor issue, DoS, PoC not crashing) NOTE: https://github.com/opencv/opencv/issues/15124 NOTE: https://github.com/opencv/opencv/commit/ac425f67e4c1d0da9afb9203f0918d8d57c067ed CVE-2019-14491 (An issue was discovered in OpenCV before 3.4.7 and 4.x before 4.1.1. T ...) [experimental] - opencv 4.1.1+dfsg-1 - opencv 4.1.2+dfsg-3 [buster] - opencv (Minor issue; can be fixed via point release) [stretch] - opencv (Minor issue; can be fixed via point release) [jessie] - opencv (Minor issue, DoS, PoC not crashing) NOTE: https://github.com/opencv/opencv/issues/15125 NOTE: https://github.com/opencv/opencv/commit/ac425f67e4c1d0da9afb9203f0918d8d57c067ed CVE-2019-14490 RESERVED CVE-2019-14489 RESERVED CVE-2019-14488 RESERVED CVE-2019-14487 RESERVED CVE-2019-14486 (GnuCOBOL 2.2 has a buffer overflow in cb_evaluate_expr in cobc/field.c ...) - gnucobol 3.0~rc1-2 (low; bug #933884) [buster] - gnucobol (Minor issue) - open-cobol [stretch] - open-cobol (Minor issue) [jessie] - open-cobol (Minor issue) NOTE: https://sourceforge.net/p/open-cobol/bugs/582/ CVE-2019-14485 RESERVED CVE-2019-14484 RESERVED CVE-2019-14483 RESERVED CVE-2019-14482 RESERVED CVE-2019-14481 RESERVED CVE-2019-14480 RESERVED CVE-2019-14479 RESERVED CVE-2019-14478 RESERVED CVE-2019-14477 RESERVED CVE-2019-14476 RESERVED CVE-2019-14475 (eQ-3 Homematic CCU2 2.47.15 and prior and CCU3 3.47.15 and prior use s ...) NOT-FOR-US: eQ-3 Homematic CCU2 and CCU3 CVE-2019-14474 (eQ-3 Homematic CCU3 3.47.15 and prior has Improper Input Validation in ...) NOT-FOR-US: eQ-3 Homematic CCU3 CVE-2019-14473 (eQ-3 Homematic CCU2 and CCU3 use session IDs for authentication but la ...) NOT-FOR-US: eQ-3 Homematic CCU2 and CCU3 CVE-2019-14472 (Zurmo 3.2.7-2 has XSS via the app/index.php/zurmo/default PATH_INFO. ...) NOT-FOR-US: Zumo CVE-2019-14471 (TestLink 1.9.19 has XSS via the error.php message parameter. ...) NOT-FOR-US: TestLink CVE-2019-14470 (cosenary Instagram-PHP-API (aka Instagram PHP API V2), as used in the ...) NOT-FOR-US: cosenary Instagram-PHP-API CVE-2019-14469 (In Nexus Repository Manager before 3.18.0, users with elevated privile ...) NOT-FOR-US: Nexus Repository Manager CVE-2019-14468 (GnuCOBOL 2.2 has a buffer overflow in cb_push_op in cobc/field.c via c ...) - gnucobol 3.0~rc1-2 (low; bug #933884) [buster] - gnucobol (Minor issue) - open-cobol [stretch] - open-cobol (Minor issue) [jessie] - open-cobol (Minor issue) NOTE: https://sourceforge.net/p/open-cobol/bugs/581/ CVE-2019-14467 (The Social Photo Gallery plugin 1.0 for WordPress allows Remote Code E ...) NOT-FOR-US: Social Photo Gallery plugin for WordPress CVE-2019-14466 (The GOsa_Filter_Settings cookie in GONICUS GOsa 2.7.5.2 is vulnerable ...) {DLA-1905-1} - gosa 2.7.4+reloaded3-10 [buster] - gosa 2.7.4+reloaded3-8+deb10u2 NOTE: https://github.com/gosa-project/gosa-core/commit/e1504e9765db2adde8b4685b5c93fbba57df868b (fix) NOTE: https://github.com/gosa-project/gosa-core/commit/90b674960335d888c76ca5e99027df8e7fa66f3a (fixing the prev commit) NOTE: https://github.com/gosa-project/gosa-core/pull/30#issuecomment-521975100 CVE-2019-14465 (fmt_mtm_load_song in fmt/mtm.c in Schism Tracker 20190722 has a heap-b ...) - schism 2:20190805-1 (bug #933807) [buster] - schism (Minor issue) [stretch] - schism (Minor issue) [jessie] - schism (Minor issue) NOTE: https://github.com/schismtracker/schismtracker/issues/198 NOTE: https://github.com/schismtracker/schismtracker/commit/b78e8d32883f8a865035436af4fa6d541b6ebb42 CVE-2019-14464 (XMFile::read in XMFile.cpp in milkyplay in MilkyTracker 1.02.00 has a ...) {DLA-1961-1} - milkytracker 1.02.00+dfsg-2 (bug #933964) [buster] - milkytracker (Minor issue) [stretch] - milkytracker (Minor issue) NOTE: https://github.com/milkytracker/MilkyTracker/issues/184 NOTE: https://github.com/milkytracker/MilkyTracker/commit/fd607a3439fcdd0992e5efded3c16fc79c804e34 CVE-2019-14463 (An issue was discovered in libmodbus before 3.0.7 and 3.1.x before 3.1 ...) - libmodbus 3.1.6-1 (bug #933805) [buster] - libmodbus (Minor issue) [stretch] - libmodbus (Minor issue) [jessie] - libmodbus (Minor issue) NOTE: https://github.com/stephane/libmodbus/commit/5ccdf5ef79d742640355d1132fa9e2abc7fbaefc (3.1.5) NOTE: https://github.com/stephane/libmodbus/commit/6f915d4215c06be3c719761423d9b5e8aa3cb820 (3.1.5) NOTE: https://github.com/stephane/libmodbus/commit/2b5cb5896120d7564f4c34fdc5aaa4f22a97e45c (3.0.7) NOTE: https://github.com/stephane/libmodbus/commit/64cd092bcc421a70431fe1fb6b7f1e6f491f7cf8 (3.0.8) CVE-2019-14462 (An issue was discovered in libmodbus before 3.0.7 and 3.1.x before 3.1 ...) - libmodbus 3.1.6-1 (bug #933805) [buster] - libmodbus (Minor issue) [stretch] - libmodbus (Minor issue) [jessie] - libmodbus (Minor issue) NOTE: https://github.com/stephane/libmodbus/commit/5ccdf5ef79d742640355d1132fa9e2abc7fbaefc (3.1.5) NOTE: https://github.com/stephane/libmodbus/commit/6f915d4215c06be3c719761423d9b5e8aa3cb820 (3.1.5) NOTE: https://github.com/stephane/libmodbus/commit/2b5cb5896120d7564f4c34fdc5aaa4f22a97e45c (3.0.7) NOTE: https://github.com/stephane/libmodbus/commit/64cd092bcc421a70431fe1fb6b7f1e6f491f7cf8 (3.0.8) CVE-2019-14461 RESERVED CVE-2019-14460 RESERVED CVE-2019-14459 (nfdump 1.6.17 and earlier is affected by an integer overflow in the fu ...) - nfdump 1.6.18-1 (bug #933740) [buster] - nfdump (Minor issue) [stretch] - nfdump (Minor issue) NOTE: https://github.com/phaag/nfdump/issues/171 NOTE: https://github.com/phaag/nfdump/commit/3b006ededaf351f1723aea6c727c9edd1b1fff9b CVE-2019-14458 (VIVOTEK IP Camera devices with firmware before 0x20x allow a denial of ...) NOT-FOR-US: VIVOTEK IP Camera devices CVE-2019-14457 (VIVOTEK IP Camera devices with firmware before 0x20x have a stack-base ...) NOT-FOR-US: VIVOTEK IP Camera devices CVE-2019-14456 (Opengear console server firmware releases prior to 4.5.0 have a stored ...) NOT-FOR-US: Opengear console server firmware CVE-2019-14455 RESERVED CVE-2019-14454 (SuiteCRM 7.11.x and 7.10.x before 7.11.8 and 7.10.20 is vulnerable to ...) NOT-FOR-US: SuiteCRM CVE-2013-7474 (Windu CMS 2.2 allows XSS via the name parameter to admin/content/edit ...) NOT-FOR-US: Windu CMS CVE-2013-7473 (Windu CMS 2.2 allows CSRF via admin/users/?mn=admin.message.error to a ...) NOT-FOR-US: Windu CMS CVE-2019-14453 RESERVED CVE-2018-20953 (cPanel before 68.0.27 allows self XSS in the WHM listips interface (SE ...) NOT-FOR-US: cPanel CVE-2018-20952 (cPanel before 68.0.27 creates world-readable files during use of WHM A ...) NOT-FOR-US: cPanel CVE-2018-20951 (cPanel before 68.0.27 allows self XSS in WHM Spamd Startup Config (SEC ...) NOT-FOR-US: cPanel CVE-2018-20950 (cPanel before 68.0.27 allows self stored XSS in WHM Account Transfer ( ...) NOT-FOR-US: cPanel CVE-2018-20949 (cPanel before 68.0.27 allows self XSS in WHM Apache Configuration Incl ...) NOT-FOR-US: cPanel CVE-2018-20948 (cPanel before 68.0.27 allows self XSS in cPanel Backup Restoration (SE ...) NOT-FOR-US: cPanel CVE-2018-20947 (cPanel before 68.0.27 allows certain file-write operations via the tel ...) NOT-FOR-US: cPanel CVE-2018-20946 (cPanel before 68.0.27 allows attackers to read zone information becaus ...) NOT-FOR-US: cPanel CVE-2018-20945 (bin/csvprocess in cPanel before 68.0.27 allows insecure file operation ...) NOT-FOR-US: cPanel CVE-2018-20944 (cPanel before 68.0.27 allows attackers to read a copy of httpd.conf th ...) NOT-FOR-US: cPanel CVE-2018-20943 (cPanel before 68.0.27 allows attackers to read root's crontab file dur ...) NOT-FOR-US: cPanel CVE-2018-20942 (cPanel before 68.0.27 allows attackers to read root's crontab file dur ...) NOT-FOR-US: cPanel CVE-2018-20941 (cPanel before 68.0.27 allows arbitrary file-read operations via restor ...) NOT-FOR-US: cPanel CVE-2018-20940 (cPanel before 68.0.27 allows attackers to read root's crontab file dur ...) NOT-FOR-US: cPanel CVE-2018-20939 (cPanel before 68.0.27 allows a user to discover contents of directorie ...) NOT-FOR-US: cPanel CVE-2018-20938 (cPanel before 68.0.27 does not enforce ownership during addpkgext and ...) NOT-FOR-US: cPanel CVE-2018-20937 (cPanel before 68.0.27 does not validate database and dbuser names duri ...) NOT-FOR-US: cPanel CVE-2018-20936 (cPanel before 68.0.27 allows attackers to read the SRS secret via exim ...) NOT-FOR-US: cPanel CVE-2018-20935 (cPanel before 70.0.23 allows stored XSS in via a WHM "Reset a DNS Zone ...) NOT-FOR-US: cPanel CVE-2018-20934 (cPanel before 70.0.23 does not prevent e-mail account suspensions from ...) NOT-FOR-US: cPanel CVE-2018-20933 (cPanel before 70.0.23 has Stored XSS via an WHM Edit DNS Zone action ( ...) NOT-FOR-US: cPanel CVE-2018-20932 (cPanel before 70.0.23 exposes Apache HTTP Server logs after creation o ...) NOT-FOR-US: cPanel CVE-2018-20931 (cPanel before 70.0.23 allows demo accounts to execute code via the Lan ...) NOT-FOR-US: cPanel CVE-2018-20930 (cPanel before 70.0.23 allows .htaccess restrictions bypass when Htacce ...) NOT-FOR-US: cPanel CVE-2018-20929 (cPanel before 70.0.23 allows an open redirect via the /unprotected/red ...) NOT-FOR-US: cPanel CVE-2018-20928 (cPanel before 70.0.23 allows stored XSS via the cpaddons vendor interf ...) NOT-FOR-US: cPanel CVE-2018-20927 (cPanel before 70.0.23 allows jailshell escape because of incorrect cro ...) NOT-FOR-US: cPanel CVE-2018-20926 (cPanel before 70.0.23 allows local privilege escalation via the WHM Lo ...) NOT-FOR-US: cPanel CVE-2018-20925 (cPanel before 70.0.23 allows local privilege escalation via the WHM Le ...) NOT-FOR-US: cPanel CVE-2018-20924 (cPanel before 70.0.23 allows arbitrary file-read and file-unlink opera ...) NOT-FOR-US: cPanel CVE-2018-20923 (cPanel before 70.0.23 allows stored XSS via a WHM Synchronize DNS Reco ...) NOT-FOR-US: cPanel CVE-2018-20922 (cPanel before 70.0.23 allows stored XSS via a WHM DNS Cleanup action ( ...) NOT-FOR-US: cPanel CVE-2018-20921 (cPanel before 70.0.23 allows stored XSS via a WHM "Delete a DNS Zone" ...) NOT-FOR-US: cPanel CVE-2018-20920 (cPanel before 70.0.23 allows stored XSS via a WHM Edit DNS Zone action ...) NOT-FOR-US: cPanel CVE-2018-20919 (cPanel before 70.0.23 allows stored XSS via a WHM Create Account actio ...) NOT-FOR-US: cPanel CVE-2018-20918 (cPanel before 70.0.23 allows stored XSS in WHM DNS Cluster (SEC-372). ...) NOT-FOR-US: cPanel CVE-2018-20917 (cPanel before 70.0.23 allows any user to disable Solr (SEC-371). ...) NOT-FOR-US: cPanel CVE-2018-20916 (cPanel before 70.0.23 allows Stored XSS via a WHM Edit MX Entry (SEC-3 ...) NOT-FOR-US: cPanel CVE-2018-20915 (cPanel before 70.0.23 allows stored XSS via a WHM Edit DNS Zone action ...) NOT-FOR-US: cPanel CVE-2018-20914 (In cPanel before 70.0.23, OpenID providers can inject arbitrary data i ...) NOT-FOR-US: cPanel CVE-2018-20913 (cPanel before 70.0.23 allows attackers to read the root accesshash via ...) NOT-FOR-US: cPanel CVE-2018-20912 (cPanel before 70.0.23 allows demo accounts to execute code via awstats ...) NOT-FOR-US: cPanel CVE-2018-20911 (cPanel before 70.0.23 allows code execution because "." is in @INC dur ...) NOT-FOR-US: cPanel CVE-2018-20910 (cPanel before 70.0.23 allows self XSS in the WHM cPAddons showsecurity ...) NOT-FOR-US: cPanel CVE-2018-20909 (cPanel before 70.0.23 allows arbitrary file-chmod operations during le ...) NOT-FOR-US: cPanel CVE-2018-20908 (cPanel before 71.9980.37 allows arbitrary file-read operations during ...) NOT-FOR-US: cPanel CVE-2018-20907 (cPanel before 71.9980.37 does not enforce the Mime::list_hotlinks API ...) NOT-FOR-US: cPanel CVE-2018-20906 (cPanel before 71.9980.37 allows attackers to make API calls that bypas ...) NOT-FOR-US: cPanel CVE-2018-20905 (cPanel before 71.9980.37 allows attackers to make API calls that bypas ...) NOT-FOR-US: cPanel CVE-2018-20904 (cPanel before 71.9980.37 allows attackers to make API calls that bypas ...) NOT-FOR-US: cPanel CVE-2018-20903 (cPanel before 71.9980.37 allows self XSS in the WHM Backup Configurati ...) NOT-FOR-US: cPanel CVE-2018-20902 (cPanel before 71.9980.37 allows attackers to read root's crontab file ...) NOT-FOR-US: cPanel CVE-2018-20901 (cPanel before 71.9980.37 allows Remote-Stored XSS in WHM Save Theme In ...) NOT-FOR-US: cPanel CVE-2018-20900 (cPanel before 71.9980.37 allows stored XSS in the YUM autorepair funct ...) NOT-FOR-US: cPanel CVE-2018-20899 (cPanel before 71.9980.37 allows stored XSS in the WHM cPAddons install ...) NOT-FOR-US: cPanel CVE-2018-20898 (cPanel before 71.9980.37 allows e-mail injection during cPAddons moder ...) NOT-FOR-US: cPanel CVE-2018-20897 (cPanel before 71.9980.37 allows arbitrary file-unlink operations via t ...) NOT-FOR-US: cPanel CVE-2018-20896 (cPanel before 71.9980.37 allows code injection in the WHM cPAddons int ...) NOT-FOR-US: cPanel CVE-2018-20895 (In cPanel before 71.9980.37, API tokens retain ACLs after those ACLs a ...) NOT-FOR-US: cPanel CVE-2018-20894 (cPanel before 74.0.0 makes web-site contents accessible to other local ...) NOT-FOR-US: cPanel CVE-2018-20893 (cPanel before 74.0.0 allows file-rename operations during account rena ...) NOT-FOR-US: cPanel CVE-2018-20892 (cPanel before 74.0.0 allows arbitrary zone file modifications because ...) NOT-FOR-US: cPanel CVE-2018-20891 (cPanel before 74.0.0 allows arbitrary file-read operations during File ...) NOT-FOR-US: cPanel CVE-2018-20890 (cPanel before 74.0.0 allows arbitrary zone file modifications during r ...) NOT-FOR-US: cPanel CVE-2018-20889 (cPanel before 74.0.0 allows certain file-read operations via password ...) NOT-FOR-US: cPanel CVE-2018-20888 (cPanel before 74.0.0 allows file modification in the context of the ro ...) NOT-FOR-US: cPanel CVE-2018-20887 (cPanel before 74.0.0 allows SQL injection during database backups (SEC ...) NOT-FOR-US: cPanel CVE-2018-20886 (cPanel before 74.0.0 insecurely stores phpMyAdmin session files (SEC-4 ...) NOT-FOR-US: cPanel CVE-2018-20885 (cPanel before 74.0.0 allows Apache HTTP Server configuration injection ...) NOT-FOR-US: cPanel CVE-2018-20884 (cPanel before 74.0.0 allows stored XSS in the WHM File Restoration int ...) NOT-FOR-US: cPanel CVE-2018-20883 (cPanel before 74.0.8 allows FTP access during account suspension (SEC- ...) NOT-FOR-US: cPanel CVE-2018-20882 (cPanel before 74.0.8 allows arbitrary file-write operations in the con ...) NOT-FOR-US: cPanel CVE-2018-20881 (cPanel before 74.0.8 allows self stored XSS on the Security Questions ...) NOT-FOR-US: cPanel CVE-2018-20880 (cPanel before 74.0.8 mishandles account suspension because of an inval ...) NOT-FOR-US: cPanel CVE-2018-20879 (cPanel before 74.0.8 allows demo accounts to execute arbitrary code vi ...) NOT-FOR-US: cPanel CVE-2018-20878 (cPanel before 74.0.8 allows stored XSS in WHM "File and Directory Rest ...) NOT-FOR-US: cPanel CVE-2018-20877 (cPanel before 74.0.8 allows self XSS in WHM Style Upload interface (SE ...) NOT-FOR-US: cPanel CVE-2018-20876 (cPanel before 74.0.8 allows self XSS in the Site Software Moderation i ...) NOT-FOR-US: cPanel CVE-2018-20875 (cPanel before 74.0.8 allows self XSS in the WHM Security Questions int ...) NOT-FOR-US: cPanel CVE-2018-20874 (cPanel before 74.0.8 allows self XSS in the WHM "Create a New Account" ...) NOT-FOR-US: cPanel CVE-2018-20873 (cPanel before 74.0.8 allows local users to disable the ClamAV daemon ( ...) NOT-FOR-US: cPanel CVE-2018-20872 (DrayTek routers before 2018-05-23 allow CSRF attacks to change DNS or ...) NOT-FOR-US: DrayTek routers CVE-2017-18482 (cPanel before 62.0.4 allows resellers to use the WHM enqueue_transfer_ ...) NOT-FOR-US: cPanel CVE-2017-18481 (cPanel before 62.0.4 allows stored XSS in the WHM Account Suspension L ...) NOT-FOR-US: cPanel CVE-2017-18480 (cPanel before 62.0.4 does not enforce account ownership for has_mycnf_ ...) NOT-FOR-US: cPanel CVE-2017-18479 (In cPanel before 62.0.4, WHM SSL certificate generation uses an unrese ...) NOT-FOR-US: cPanel CVE-2017-18478 (In cPanel before 62.0.4 incorrect ACL checks could occur in xml-api fo ...) NOT-FOR-US: cPanel CVE-2017-18477 (In cPanel before 62.0.4, Exim transports could execute in the context ...) NOT-FOR-US: cPanel CVE-2017-18476 (Leech Protect in cPanel before 62.0.4 does not protect certain directo ...) NOT-FOR-US: cPanel CVE-2017-18475 (In cPanel before 62.0.4, Exim piped filters ran in the context of an i ...) NOT-FOR-US: cPanel CVE-2017-18474 (cPanel before 62.0.4 allows arbitrary file-read operations via Exim va ...) NOT-FOR-US: cPanel CVE-2017-18473 (cPanel before 62.0.4 allows self XSS on the webmail Password and Secur ...) NOT-FOR-US: cPanel CVE-2017-18472 (cPanel before 62.0.4 allows reflected XSS in reset-password interfaces ...) NOT-FOR-US: cPanel CVE-2017-18471 (cPanel before 62.0.4 allows self XSS on the paper_lantern password-cha ...) NOT-FOR-US: cPanel CVE-2017-18470 (cPanel before 62.0.4 has a fixed password for the Munin MySQL test acc ...) NOT-FOR-US: cPanel CVE-2017-18469 (cPanel before 62.0.17 allows demo accounts to execute code via an NVDa ...) NOT-FOR-US: cPanel CVE-2017-18468 (cPanel before 62.0.17 allows demo accounts to execute code via the Hta ...) NOT-FOR-US: cPanel CVE-2017-18467 (cPanel before 62.0.17 allows access to restricted resources because of ...) NOT-FOR-US: cPanel CVE-2017-18466 (cPanel before 62.0.17 does not properly recognize domain ownership dur ...) NOT-FOR-US: cPanel CVE-2017-18465 (cPanel before 62.0.17 does not have a sufficient list of reserved user ...) NOT-FOR-US: cPanel CVE-2017-18464 (cPanel before 62.0.17 allows arbitrary file-overwrite operations via t ...) NOT-FOR-US: cPanel CVE-2017-18463 (cPanel before 62.0.17 allows code execution in the context of the root ...) NOT-FOR-US: cPanel CVE-2017-18462 (cPanel before 62.0.17 allows a CPHulk one-day ban bypass when IP based ...) NOT-FOR-US: cPanel CVE-2017-18461 (cPanel before 62.0.17 allows does not preserve security policy questio ...) NOT-FOR-US: cPanel CVE-2017-18460 (cPanel before 62.0.17 allows arbitrary code execution during automatic ...) NOT-FOR-US: cPanel CVE-2017-18459 (cPanel before 62.0.17 allows arbitrary code execution during account m ...) NOT-FOR-US: cPanel CVE-2017-18458 (cPanel before 62.0.17 allows file overwrite when renaming an account ( ...) NOT-FOR-US: cPanel CVE-2017-18457 (cPanel before 62.0.17 allows arbitrary file-read operations via WHM /s ...) NOT-FOR-US: cPanel CVE-2017-18456 (cPanel before 62.0.17 allows self XSS in the WHM cPAddons showsecurity ...) NOT-FOR-US: cPanel CVE-2017-18455 (In cPanel before 62.0.17, addon domain conversion did not require a pa ...) NOT-FOR-US: cPanel CVE-2017-18454 (cPanel before 62.0.24 allows stored XSS in the WHM cPAddons install in ...) NOT-FOR-US: cPanel CVE-2017-18453 (cPanel before 64.0.21 does not preserve supplemental groups across acc ...) NOT-FOR-US: cPanel CVE-2017-18452 (cPanel before 64.0.21 allows code execution via Rails configuration fi ...) NOT-FOR-US: cPanel CVE-2017-18451 (cPanel before 64.0.21 allows attackers to read a user's crontab file d ...) NOT-FOR-US: cPanel CVE-2017-18450 (cPanel before 64.0.21 allows certain file-chmod operations via /script ...) NOT-FOR-US: cPanel CVE-2017-18449 (cPanel before 64.0.21 allows certain file-rename operations in the con ...) NOT-FOR-US: cPanel CVE-2017-18448 (cPanel before 64.0.21 allows certain file-read operations via a Server ...) NOT-FOR-US: cPanel CVE-2017-18447 (cPanel before 64.0.21 allows demo accounts to execute code via the Cla ...) NOT-FOR-US: cPanel CVE-2017-18446 (cPanel before 64.0.21 allows file-read and file-write operations for d ...) NOT-FOR-US: cPanel CVE-2017-18445 (cPanel before 64.0.21 does not enforce demo restrictions for SSL API c ...) NOT-FOR-US: cPanel CVE-2017-18444 (cPanel before 64.0.21 allows demo accounts to execute SSH API commands ...) NOT-FOR-US: cPanel CVE-2017-18443 (cPanel before 64.0.21 allows demo and suspended accounts to use SSH po ...) NOT-FOR-US: cPanel CVE-2017-18442 (cPanel before 64.0.21 allows demo accounts to execute Cpanel::SPFUI AP ...) NOT-FOR-US: cPanel CVE-2017-18441 (cPanel before 64.0.21 allows demo accounts to redirect web traffic (SE ...) NOT-FOR-US: cPanel CVE-2017-18440 (cPanel before 64.0.21 allows demo users to execute traceroute via api2 ...) NOT-FOR-US: cPanel CVE-2017-18439 (cPanel before 64.0.21 allows demo accounts to execute code via an Imag ...) NOT-FOR-US: cPanel CVE-2017-18438 (cPanel before 64.0.21 allows demo accounts to execute code via Encodin ...) NOT-FOR-US: cPanel CVE-2017-18437 (cPanel before 64.0.21 allows a Webmail account to execute code via for ...) NOT-FOR-US: cPanel CVE-2017-18436 (cPanel before 64.0.21 allows demo accounts to read files via a Fileman ...) NOT-FOR-US: cPanel CVE-2017-18435 (cPanel before 64.0.21 allows demo accounts to execute code via the Box ...) NOT-FOR-US: cPanel CVE-2017-18434 (cPanel before 64.0.21 allows code execution in the context of the root ...) NOT-FOR-US: cPanel CVE-2017-18433 (cPanel before 64.0.21 allows code execution by webmail and demo accoun ...) NOT-FOR-US: cPanel CVE-2017-18432 (In cPanel before 64.0.21, Horde MySQL to SQLite conversion can leak a ...) NOT-FOR-US: cPanel CVE-2017-18431 (cPanel before 66.0.1 does not reliably perform suspend/unsuspend opera ...) NOT-FOR-US: cPanel CVE-2017-18430 (In cPanel before 66.0.2, user and group ownership may be incorrectly s ...) NOT-FOR-US: cPanel CVE-2017-18429 (In cPanel before 66.0.2, Apache HTTP Server SSL domain logs can persis ...) NOT-FOR-US: cPanel CVE-2017-18428 (In cPanel before 66.0.2, Apache HTTP Server domlogs become temporarily ...) NOT-FOR-US: cPanel CVE-2017-18427 (In cPanel before 66.0.2, weak log-file permissions can occur after acc ...) NOT-FOR-US: cPanel CVE-2017-18426 (cPanel before 66.0.2 allows resellers to read other accounts' domain l ...) NOT-FOR-US: cPanel CVE-2017-18425 (In cPanel before 66.0.2, the cpdavd_error_log file can be created with ...) NOT-FOR-US: cPanel CVE-2017-18424 (In cPanel before 66.0.2, the Apache HTTP Server configuration file is ...) NOT-FOR-US: cPanel CVE-2017-18423 (In cPanel before 66.0.2, domain log files become readable after log pr ...) NOT-FOR-US: cPanel CVE-2017-18422 (In cPanel before 66.0.2, EasyApache 4 conversion sets weak domlog owne ...) NOT-FOR-US: cPanel CVE-2017-18421 (cPanel before 66.0.2 allows demo accounts to create databases and user ...) NOT-FOR-US: cPanel CVE-2017-18420 (cPanel before 66.0.2 allows stored XSS during WHM cPAddons processing ...) NOT-FOR-US: cPanel CVE-2017-18419 (cPanel before 66.0.2 allows stored XSS during WHM cPAddons uninstallat ...) NOT-FOR-US: cPanel CVE-2017-18418 (cPanel before 66.0.2 allows stored XSS during WHM cPAddons file operat ...) NOT-FOR-US: cPanel CVE-2017-18417 (cPanel before 66.0.2 allows stored XSS during WHM cPAddons installatio ...) NOT-FOR-US: cPanel CVE-2017-18416 (cPanel before 67.9999.103 allows arbitrary file-overwrite operations d ...) NOT-FOR-US: cPanel CVE-2017-18415 (cPanel before 67.9999.103 allows code execution in the context of the ...) NOT-FOR-US: cPanel CVE-2017-18414 (cPanel before 67.9999.103 allows an open redirect in /unprotected/redi ...) NOT-FOR-US: cPanel CVE-2017-18413 (In cPanel before 67.9999.103, the backup system overwrites root's home ...) NOT-FOR-US: cPanel CVE-2017-18412 (cPanel before 67.9999.103 allows Apache HTTP Server log files to becom ...) NOT-FOR-US: cPanel CVE-2017-18411 (The "addon domain conversion" feature in cPanel before 67.9999.103 can ...) NOT-FOR-US: cPanel CVE-2017-18410 (In cPanel before 67.9999.103, a user account's backup archive could co ...) NOT-FOR-US: cPanel CVE-2017-18409 (In cPanel before 67.9999.103, the backup interface could return a back ...) NOT-FOR-US: cPanel CVE-2017-18408 (cPanel before 67.9999.103 allows stored XSS in WHM MySQL Password Chan ...) NOT-FOR-US: cPanel CVE-2017-18407 (cPanel before 67.9999.103 does not enforce SSL hostname verification f ...) NOT-FOR-US: cPanel CVE-2017-18406 (cPanel before 67.9999.103 allows SQL injection during eximstats proces ...) NOT-FOR-US: cPanel CVE-2017-18405 (cPanel before 68.0.15 allows arbitrary file-read operations because of ...) NOT-FOR-US: cPanel CVE-2017-18404 (cPanel before 68.0.15 allows domain data to be deleted for domains wit ...) NOT-FOR-US: cPanel CVE-2017-18403 (cPanel before 68.0.15 allows code execution in the context of the nobo ...) NOT-FOR-US: cPanel CVE-2017-18402 (cPanel before 68.0.15 allows stored XSS during a cpaddons moderated up ...) NOT-FOR-US: cPanel CVE-2017-18401 (cPanel before 68.0.15 allows user accounts to be partially created wit ...) NOT-FOR-US: cPanel CVE-2017-18400 (cPanel before 68.0.15 allows local root code execution via cpdavd (SEC ...) NOT-FOR-US: cPanel CVE-2017-18399 (cPanel before 68.0.15 allows attackers to read root's crontab file dur ...) NOT-FOR-US: cPanel CVE-2017-18398 (DnsUtils in cPanel before 68.0.15 allows zone creation for hostname an ...) NOT-FOR-US: cPanel CVE-2017-18397 (cPanel before 68.0.15 does not preserve permissions for local backup t ...) NOT-FOR-US: cPanel CVE-2017-18396 (cPanel before 68.0.15 allows arbitrary file-read operations via Exim v ...) NOT-FOR-US: cPanel CVE-2017-18395 (cPanel before 68.0.15 does not block a username of ssl (SEC-328). ...) NOT-FOR-US: cPanel CVE-2017-18394 (cPanel before 68.0.15 does not have a sufficient list of reserved user ...) NOT-FOR-US: cPanel CVE-2017-18393 (cPanel before 68.0.15 does not block a username of postmaster, which m ...) NOT-FOR-US: cPanel CVE-2017-18392 (cPanel before 68.0.15 allows collisions because PostgreSQL databases c ...) NOT-FOR-US: cPanel CVE-2017-18391 (cPanel before 68.0.15 allows attackers to read backup files because th ...) NOT-FOR-US: cPanel CVE-2017-18390 (cPanel before 68.0.15 allows code execution in the context of the root ...) NOT-FOR-US: cPanel CVE-2017-18389 (cPanel before 68.0.15 allows string format injection in dovecot-xaps-p ...) NOT-FOR-US: cPanel CVE-2017-18388 (cPanel before 68.0.15 can perform unsafe file operations because Jails ...) NOT-FOR-US: cPanel CVE-2017-18387 (cPanel before 68.0.15 allows arbitrary code execution via Maketext inj ...) NOT-FOR-US: cPanel CVE-2017-18386 (cPanel before 68.0.15 allows arbitrary code execution via Maketext inj ...) NOT-FOR-US: cPanel CVE-2017-18385 (cPanel before 68.0.15 allows unprivileged users to access restricted d ...) NOT-FOR-US: cPanel CVE-2017-18384 (cPanel before 68.0.15 allows jailed accounts to restore files that are ...) NOT-FOR-US: cPanel CVE-2017-18383 (cPanel before 68.0.15 writes home-directory backups to an incorrect lo ...) NOT-FOR-US: cPanel CVE-2017-18382 (cPanel before 68.0.15 allows use of an unreserved e-mail address in DN ...) NOT-FOR-US: cPanel CVE-2016-10860 (cPanel before 11.54.0.0 allows unauthorized zone modification via the ...) NOT-FOR-US: cPanel CVE-2016-10859 (cPanel before 11.54.0.0 allows unauthorized password changes via Webma ...) NOT-FOR-US: cPanel CVE-2016-10858 (cPanel before 11.54.0.0 allows unauthenticated arbitrary code executio ...) NOT-FOR-US: cPanel CVE-2016-10857 (cPanel before 11.54.0.0 allows a bypass of the e-mail sending limit (S ...) NOT-FOR-US: cPanel CVE-2016-10856 (cPanel before 11.54.0.0 allows subaccounts to discover sensitive data ...) NOT-FOR-US: cPanel CVE-2016-10855 (cPanel before 11.54.0.4 allows unauthenticated arbitrary code executio ...) NOT-FOR-US: cPanel CVE-2016-10854 (cPanel before 11.54.0.4 allows self XSS in the X3 Entropy Banner inter ...) NOT-FOR-US: cPanel CVE-2016-10853 (cPanel before 11.54.0.4 allows stored XSS in the WHM Feature Manager i ...) NOT-FOR-US: cPanel CVE-2016-10852 (cPanel before 11.54.0.4 lacks ACL enforcement in the AppConfig subsyst ...) NOT-FOR-US: cPanel CVE-2016-10851 (cPanel before 11.54.0.4 allows self XSS in the WHM PHP Configuration e ...) NOT-FOR-US: cPanel CVE-2016-10850 (cPanel before 11.54.0.4 allows arbitrary code execution via scripts/sy ...) NOT-FOR-US: cPanel CVE-2016-10849 (cPanel before 11.54.0.4 allows certain file-chmod operations in script ...) NOT-FOR-US: cPanel CVE-2016-10848 (cPanel before 11.54.0.4 allows arbitrary file-overwrite operations in ...) NOT-FOR-US: cPanel CVE-2016-10847 (cPanel before 11.54.0.4 allows arbitrary file-read and file-write oper ...) NOT-FOR-US: cPanel CVE-2016-10846 (cPanel before 11.54.0.4 allows arbitrary file-chown and file-chmod ope ...) NOT-FOR-US: cPanel CVE-2016-10845 (cPanel before 11.54.0.4 allows arbitrary file-overwrite operations in ...) NOT-FOR-US: cPanel CVE-2016-10844 (The chcpass script in cPanel before 11.54.0.4 reveals a password hash ...) NOT-FOR-US: cPanel CVE-2016-10843 (cPanel before 11.54.0.4 allows code execution in the context of shared ...) NOT-FOR-US: cPanel CVE-2016-10842 (cPanel before 11.54.0.4 allows certain file-read operations in bin/set ...) NOT-FOR-US: cPanel CVE-2016-10841 (The bin/mkvhostspasswd script in cPanel before 11.54.0.4 discloses pas ...) NOT-FOR-US: cPanel CVE-2016-10840 (cPanel before 11.54.0.4 allows arbitrary code execution during locale ...) NOT-FOR-US: cPanel CVE-2016-10839 (cPanel before 11.54.0.4 allows SQL injection in bin/horde_update_usern ...) NOT-FOR-US: cPanel CVE-2016-10838 (cPanel before 11.54.0.4 allows arbitrary file-read operations via the ...) NOT-FOR-US: cPanel CVE-2016-10837 (cPanel before 11.54.0.4 allows arbitrary code execution because of an ...) NOT-FOR-US: cPanel CVE-2016-10836 (cPanel before 55.9999.141 allows arbitrary file-read operations during ...) NOT-FOR-US: cPanel CVE-2016-10835 (cPanel before 55.9999.141 allows a POP/IMAP cPHulk bypass via account ...) NOT-FOR-US: cPanel CVE-2016-10834 (cPanel before 55.9999.141 allows account-suspension bypass via ftp (SE ...) NOT-FOR-US: cPanel CVE-2016-10833 (cPanel before 55.9999.141 mishandles username-based blocking for PRE r ...) NOT-FOR-US: cPanel CVE-2016-10832 (cPanel before 55.9999.141 allows FTP cPHulk bypass via account name mu ...) NOT-FOR-US: cPanel CVE-2016-10831 (cPanel before 55.9999.141 does not perform as two-factor authenticatio ...) NOT-FOR-US: cPanel CVE-2016-10830 (cPanel before 55.9999.141 allows ACL bypass for AppConfig applications ...) NOT-FOR-US: cPanel CVE-2016-10829 (cPanel before 55.9999.141 allows arbitrary file-read operations becaus ...) NOT-FOR-US: cPanel CVE-2016-10828 (cPanel before 55.9999.141 allows arbitrary code execution because of a ...) NOT-FOR-US: cPanel CVE-2016-10827 (cPanel before 55.9999.141 allows self stored XSS in WHM Edit System Ma ...) NOT-FOR-US: cPanel CVE-2016-10826 (cPanel before 55.9999.141 allows attackers to bypass Two Factor Authen ...) NOT-FOR-US: cPanel CVE-2016-10825 (cPanel before 55.9999.141 allows attackers to bypass a Security Policy ...) NOT-FOR-US: cPanel CVE-2016-10824 (cPanel before 55.9999.141 allows unauthenticated arbitrary code execut ...) NOT-FOR-US: cPanel CVE-2016-10823 (cPanel before 55.9999.141 allows arbitrary code execution in the conte ...) NOT-FOR-US: cPanel CVE-2016-10822 (cPanel before 55.9999.141 allows self XSS in X3 Reseller Branding Imag ...) NOT-FOR-US: cPanel CVE-2016-10821 (In cPanel before 55.9999.141, Scripts/addpop reveals a command-line pa ...) NOT-FOR-US: cPanel CVE-2016-10820 (cPanel before 55.9999.141 allows daemons to access their controlling T ...) NOT-FOR-US: cPanel CVE-2016-10819 (In cPanel before 57.9999.54, user log files become world-readable when ...) NOT-FOR-US: cPanel CVE-2016-10818 (cPanel before 57.9999.54 incorrectly sets log-file permissions in dnsa ...) NOT-FOR-US: cPanel CVE-2016-10817 (cPanel before 57.9999.54 allows SQL Injection via the ModSecurity Tail ...) NOT-FOR-US: cPanel CVE-2016-10816 (cPanel before 57.9999.54 allows Webmail accounts to execute arbitrary ...) NOT-FOR-US: cPanel CVE-2016-10815 (cPanel before 57.9999.54 allows arbitrary file-read operations for Web ...) NOT-FOR-US: cPanel CVE-2016-10814 (cPanel before 57.9999.54 allows demo-mode escape via show_template.sto ...) NOT-FOR-US: cPanel CVE-2016-10813 (cPanel before 57.9999.54 allows self XSS during ftp account creation u ...) NOT-FOR-US: cPanel CVE-2016-10812 (In cPanel before 57.9999.54, /scripts/enablefileprotect exposed TTYs ( ...) NOT-FOR-US: cPanel CVE-2016-10811 (In cPanel before 57.9999.54, /scripts/unsuspendacct exposed TTYs (SEC- ...) NOT-FOR-US: cPanel CVE-2016-10810 (In cPanel before 57.9999.54, /scripts/maildir_converter exposed a TTY ...) NOT-FOR-US: cPanel CVE-2016-10809 (In cPanel before 57.9999.54, /scripts/checkinfopages exposed a TTY to ...) NOT-FOR-US: cPanel CVE-2016-10808 (In cPanel before 57.9999.54, /scripts/addpop and /scripts/delpop expos ...) NOT-FOR-US: cPanel CVE-2016-10807 (cPanel before 57.9999.54 allows certain denial-of-service outcomes via ...) NOT-FOR-US: cPanel CVE-2016-10806 (cPanel before 57.9999.54 allows self XSS on the Paper Lantern Landing ...) NOT-FOR-US: cPanel CVE-2016-10805 (cPanel before 57.9999.54 allows demo accounts to execute arbitrary cod ...) NOT-FOR-US: cPanel CVE-2016-10804 (The SQLite journal feature in cPanel before 57.9999.54 allows arbitrar ...) NOT-FOR-US: cPanel CVE-2016-10803 (cPanel before 57.9999.105 allows newline injection via LOC records (CP ...) NOT-FOR-US: cPanel CVE-2016-10802 (cPanel before 58.0.4 allows code execution in the context of other use ...) NOT-FOR-US: cPanel CVE-2016-10801 (cPanel before 58.0.4 has improper session handling for shared users (S ...) NOT-FOR-US: cPanel CVE-2016-10800 (cPanel before 58.0.4 allows demo-mode escape via Site Templates and Bo ...) NOT-FOR-US: cPanel CVE-2016-10799 (cPanel before 58.0.4 does not set the Pear tmp directory during a PHP ...) NOT-FOR-US: cPanel CVE-2016-10798 (cPanel before 58.0.4 allows a file-ownership change (to nobody) via re ...) NOT-FOR-US: cPanel CVE-2016-10797 (cPanel before 58.0.4 allows WHM "Purchase and Install an SSL Certifica ...) NOT-FOR-US: cPanel CVE-2016-10796 (cPanel before 58.0.4 initially uses weak permissions for Apache HTTP S ...) NOT-FOR-US: cPanel CVE-2016-10795 (cPanel before 59.9999.145 allows stored XSS in the WHM tail_upcp2.cgi ...) NOT-FOR-US: cPanel CVE-2016-10794 (cPanel before 59.9999.145 allows arbitrary file-read operations becaus ...) NOT-FOR-US: cPanel CVE-2016-10793 (cPanel before 59.9999.145 allows arbitrary code execution due to an in ...) NOT-FOR-US: cPanel CVE-2016-10792 (cPanel before 59.9999.145 allows code execution in the context of othe ...) NOT-FOR-US: cPanel CVE-2016-10791 (cPanel before 60.0.15 does not ensure that system accounts lack a vali ...) NOT-FOR-US: cPanel CVE-2016-10790 (cPanel before 60.0.25 does not use TLS for HTTP POSTs to listinput.cpa ...) NOT-FOR-US: cPanel CVE-2016-10789 (cPanel before 60.0.25 allows code execution via the cpsrvd 403 error r ...) NOT-FOR-US: cPanel CVE-2016-10788 (cPanel before 60.0.25 allows arbitrary code execution via Maketext in ...) NOT-FOR-US: cPanel CVE-2016-10787 (The Host Access Control feature in cPanel before 60.0.25 mishandles ac ...) NOT-FOR-US: cPanel CVE-2016-10786 (cPanel before 60.0.25 allows members of the nobody group to read Apach ...) NOT-FOR-US: cPanel CVE-2016-10785 (cPanel before 60.0.25 allows attackers to discover file contents durin ...) NOT-FOR-US: cPanel CVE-2016-10784 (cPanel before 60.0.25 allows self XSS in the alias upload interface (S ...) NOT-FOR-US: cPanel CVE-2016-10783 (cPanel before 60.0.25 allows self stored XSS in SSL_listkeys (SEC-182) ...) NOT-FOR-US: cPanel CVE-2016-10782 (cPanel before 60.0.25 allows self stored XSS in postgres API1 listdbs ...) NOT-FOR-US: cPanel CVE-2016-10781 (cPanel before 60.0.25 allows self XSS in the UI_confirm API (SEC-180). ...) NOT-FOR-US: cPanel CVE-2016-10780 (cPanel before 60.0.25 allows stored XSS in the ftp_sessions API (SEC-1 ...) NOT-FOR-US: cPanel CVE-2016-10779 (cPanel before 60.0.25 allows stored XSS in api1_listautoresponders (SE ...) NOT-FOR-US: cPanel CVE-2016-10778 (cPanel before 60.0.25 allows self stored XSS in the listftpstable API ...) NOT-FOR-US: cPanel CVE-2016-10777 (cPanel before 60.0.25 allows self XSS in WHM Tweak Settings for autodi ...) NOT-FOR-US: cPanel CVE-2016-10776 (cPanel before 60.0.25 allows stored XSS during the homedir removal pha ...) NOT-FOR-US: cPanel CVE-2016-10775 (cPanel before 60.0.25 allows arbitrary file-chown operations via reass ...) NOT-FOR-US: cPanel CVE-2016-10774 (cPanel before 60.0.25 allows self XSS in the tail_ea4_migration.cgi in ...) NOT-FOR-US: cPanel CVE-2016-10773 (cPanel before 60.0.25 allows format-string injection in exception-mess ...) NOT-FOR-US: cPanel CVE-2016-10772 (cPanel before 60.0.25 does not enforce feature-list restrictions when ...) NOT-FOR-US: cPanel CVE-2016-10771 (cPanel before 60.0.25 allows file-create and file-chmod operations dur ...) NOT-FOR-US: cPanel CVE-2016-10770 (cPanel before 60.0.25 allows arbitrary file-overwrite operations durin ...) NOT-FOR-US: cPanel CVE-2016-10769 (cPanel before 60.0.25 allows an open redirect via /cgi-sys/FormMail-cl ...) NOT-FOR-US: cPanel CVE-2016-10768 (cPanel before 60.0.25 allows file-overwrite operations during preparat ...) NOT-FOR-US: cPanel CVE-2016-10767 (cPanel before 60.0.25 allows stored XSS in the WHM Repair Mailbox Perm ...) NOT-FOR-US: cPanel CVE-2015-9291 (cPanel before 11.52.0.13 does not prevent arbitrary file-read operatio ...) NOT-FOR-US: cPanel CVE-2019-14452 (Sigil before 0.9.16 is vulnerable to a directory traversal, allowing a ...) - sigil 0.9.16+dfsg-1 (bug #933797) [buster] - sigil (Minor issue) [stretch] - sigil (Minor issue) NOTE: https://github.com/Sigil-Ebook/Sigil/commit/04e2f280cc4a0766bedcc7b9eb56449ceecc2ad4 NOTE: https://github.com/Sigil-Ebook/Sigil/commit/0979ba8d10c96ebca330715bfd4494ea0e019a8f NOTE: https://github.com/Sigil-Ebook/Sigil/commit/369eebe936e4a8c83cc54662a3412ce8bef189e4 CVE-2019-14451 (RepetierServer.exe in Repetier-Server 0.8 through 0.91 does not proper ...) NOT-FOR-US: Repetier-Server CVE-2019-14450 (A directory traversal vulnerability was discovered in RepetierServer.e ...) NOT-FOR-US: Repetier-Server CVE-2019-14449 (An issue was discovered in Cloudera Manager 5.x before 5.16.2, 6.0.x b ...) NOT-FOR-US: Cloudera CVE-2019-14448 RESERVED CVE-2019-14447 RESERVED CVE-2019-14446 RESERVED CVE-2007-6763 (SAS Drug Development (SDD) before 32DRG02 mishandles logout actions, w ...) NOT-FOR-US: SAS Drug Development (SDD) CVE-2019-14445 RESERVED CVE-2019-14444 (apply_relocations in readelf.c in GNU Binutils 2.32 contains an intege ...) - binutils 2.32.51.20190813-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24829 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e17869db99195849826eaaf5d2d0eb2cfdd7a2a7 NOTE: binutils not covered by security support CVE-2019-14443 (An issue was discovered in Libav 12.3. Division by zero in range_decod ...) {DLA-2021-1} - libav NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1161#c1 CVE-2019-14442 (In mpc8_read_header in libavformat/mpc8.c in Libav 12.3, an input file ...) {DLA-1907-1} - libav NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1159 CVE-2019-14441 (** DISPUTED ** An issue was discovered in Libav 12.3. An access violat ...) - libav [jessie] - libav (cf. CVE-2018-19129) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1161#c0 NOTE: Duplicate of CVE-2018-19129 CVE-2019-14440 RESERVED CVE-2019-14439 (A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...) {DSA-4542-1 DLA-1879-1} - jackson-databind 2.9.9.3-1 (bug #933393) NOTE: https://github.com/FasterXML/jackson-databind/issues/2389 NOTE: https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b CVE-2018-20871 (In Univa Grid Engine before 8.6.3, when configured for Docker jobs and ...) - gridengine CVE-2015-9290 (In FreeType before 2.6.1, a buffer over-read occurs in type1/t1parse.c ...) {DLA-1887-1} - freetype 2.6.1-0.1 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/src/type1/t1parse.c?id=e3058617f384cb6709f3878f753fa17aca9e3a30 NOTE: https://savannah.nongnu.org/bugs/?45923 CVE-2019-14438 (A heap-based buffer over-read in xiph_PackHeaders() in modules/demux/x ...) {DSA-4504-1} - vlc 3.0.8-1 [jessie] - vlc (https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14437 (The xiph_SplitHeaders function in modules/demux/xiph.h in VideoLAN VLC ...) {DSA-4504-1} - vlc 3.0.8-1 [jessie] - vlc (https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14436 RESERVED CVE-2019-14435 RESERVED CVE-2019-14434 RESERVED CVE-2019-14433 (An issue was discovered in OpenStack Nova before 17.0.12, 18.x before ...) - nova 2:19.0.2-1 (low; bug #934114) [buster] - nova (Minor issue) [stretch] - nova (Minor issue) [jessie] - nova (Minor issue) NOTE: https://security.openstack.org/ossa/OSSA-2019-003.html NOTE: https://launchpad.net/bugs/1837877 CVE-2019-14432 (Incorrect authentication of application WebSocket connections in Loom ...) NOT-FOR-US: Loom Desktop for Mac CVE-2019-14431 (In MatrixSSL 3.8.3 Open through 4.2.1 Open, the DTLS server mishandles ...) - matrixssl CVE-2019-14430 (plugin/Audit/Objects/AuditTable.php in YouPHPTube through 7.2 allows S ...) NOT-FOR-US: YouPHPTube CVE-2019-14429 RESERVED CVE-2019-14428 RESERVED CVE-2019-14427 (XSS exists in WEB STUDIO Ultimate Loan Manager 2.0 by adding a branch ...) NOT-FOR-US: WEB STUDIO Ultimate Loan Manager CVE-2019-14426 RESERVED CVE-2019-14425 RESERVED CVE-2019-14424 (A Local File Inclusion (LFI) issue in the addon CUx-Daemon 1.11a of th ...) NOT-FOR-US: eQ-3 Homematic CCU-Firmware CVE-2019-14423 (A Remote Code Execution (RCE) issue in the addon CUx-Daemon 1.11a of t ...) NOT-FOR-US: eQ-3 Homematic CCU-Firmware CVE-2019-14422 (An issue was discovered in in TortoiseSVN 1.12.1. The Tsvncmd: URI han ...) NOT-FOR-US: TortoiseSVN CVE-2019-14421 RESERVED CVE-2019-14420 RESERVED CVE-2019-14419 RESERVED CVE-2019-14418 (An issue was discovered in Veritas Resiliency Platform (VRP) before 3. ...) NOT-FOR-US: Veritas Resiliency Platform (VRP) CVE-2019-14417 (An issue was discovered in Veritas Resiliency Platform (VRP) before 3. ...) NOT-FOR-US: Veritas Resiliency Platform (VRP) CVE-2019-14416 (An issue was discovered in Veritas Resiliency Platform (VRP) before 3. ...) NOT-FOR-US: Veritas Resiliency Platform (VRP) CVE-2019-14415 (An issue was discovered in Veritas Resiliency Platform (VRP) before 3. ...) NOT-FOR-US: Veritas Resiliency Platform (VRP) CVE-2019-14414 (In cPanel before 78.0.2, a Userdata cache temporary file can conflict ...) NOT-FOR-US: cPanel CVE-2019-14413 (cPanel before 78.0.2 allows certain file-write operations as shared us ...) NOT-FOR-US: cPanel CVE-2019-14412 (Maketext in cPanel before 78.0.2 allows format-string injection in the ...) NOT-FOR-US: cPanel CVE-2019-14411 (cPanel before 78.0.2 does not properly restrict demo accounts from wri ...) NOT-FOR-US: cPanel CVE-2019-14410 (Maketext in cPanel before 78.0.2 allows format-string injection in the ...) NOT-FOR-US: cPanel CVE-2019-14409 (cPanel before 78.0.2 allows arbitrary file-read operations via Passeng ...) NOT-FOR-US: cPanel CVE-2019-14408 (cPanel before 78.0.2 allows a demo account to link with an OpenID prov ...) NOT-FOR-US: cPanel CVE-2019-14407 (cPanel before 78.0.2 reveals internal data to OpenID providers (SEC-41 ...) NOT-FOR-US: cPanel CVE-2019-14406 (cPanel before 78.0.18 has stored XSS in the BoxTrapper Queue Listing ( ...) NOT-FOR-US: cPanel CVE-2019-14405 (cPanel before 78.0.18 allows demo accounts to execute code via securit ...) NOT-FOR-US: cPanel CVE-2019-14404 (cPanel before 78.0.18 allows certain file-read operations in the conte ...) NOT-FOR-US: cPanel CVE-2019-14403 (cPanel before 78.0.18 offers an open mail relay because of incorrect d ...) NOT-FOR-US: cPanel CVE-2019-14402 (cPanel before 78.0.18 unsafely determines terminal capabilities by usi ...) NOT-FOR-US: cPanel CVE-2019-14401 (cPanel before 78.0.18 allows code execution via an addforward API1 cal ...) NOT-FOR-US: cPanel CVE-2019-14400 (cPanel before 78.0.18 allows local users to escalate to root access be ...) NOT-FOR-US: cPanel CVE-2019-14399 (The SSL certificate-storage feature in cPanel before 78.0.18 allows un ...) NOT-FOR-US: cPanel CVE-2019-14398 (cPanel before 80.0.5 allows demo accounts to execute arbitrary code vi ...) NOT-FOR-US: cPanel CVE-2019-14397 (cPanel before 80.0.5 allows demo accounts to modify arbitrary files vi ...) NOT-FOR-US: cPanel CVE-2019-14396 (API Analytics adminbin in cPanel before 80.0.5 allows spoofed insertio ...) NOT-FOR-US: cPanel CVE-2019-14395 (cPanel before 80.0.5 uses world-readable permissions for the Queueproc ...) NOT-FOR-US: cPanel CVE-2019-14394 (cPanel before 80.0.5 allows unsafe file operations in the context of t ...) NOT-FOR-US: cPanel CVE-2019-14393 (cPanel before 80.0.5 allows local code execution in the context of a d ...) NOT-FOR-US: cPanel CVE-2019-14392 (cPanel before 80.0.22 allows remote code execution by a demo account b ...) NOT-FOR-US: cPanel CVE-2019-14391 (cPanel before 82.0.2 does not properly enforce Reseller package creati ...) NOT-FOR-US: cPanel CVE-2019-14390 (cPanel before 82.0.2 has stored XSS in the WHM Modify Account interfac ...) NOT-FOR-US: cPanel CVE-2019-14389 (cPanel before 82.0.2 allows local users to discover the MySQL root pas ...) NOT-FOR-US: cPanel CVE-2019-14388 (cPanel before 82.0.2 allows unauthenticated file creation because Exim ...) NOT-FOR-US: cPanel CVE-2019-14387 (cPanel before 82.0.2 has Self XSS in the cPanel and webmail master tem ...) NOT-FOR-US: cPanel CVE-2019-14386 (cPanel before 82.0.2 has stored XSS in the WHM Tomcat Manager interfac ...) NOT-FOR-US: cPanel CVE-2019-14385 RESERVED CVE-2019-14384 RESERVED CVE-2019-14383 (J2B in libopenmpt before 0.4.2 allows an assertion failure during file ...) - libopenmpt 0.4.2-1 (unimportant) NOTE: https://lib.openmpt.org/libopenmpt/2019/01/22/security-updates-0.4.2-0.3.15-0.2.11253-beta37-0.2.7561-beta20.5-p13-0.2.7386-beta20.3-p16/ NOTE: https://source.openmpt.org/browse/openmpt/trunk/?op=revision&rev=11216 NOTE: Negligible security impact CVE-2019-14382 (DSM in libopenmpt before 0.4.2 allows an assertion failure during file ...) - libopenmpt 0.4.2-1 (unimportant) NOTE: https://lib.openmpt.org/libopenmpt/2019/01/22/security-updates-0.4.2-0.3.15-0.2.11253-beta37-0.2.7561-beta20.5-p13-0.2.7386-beta20.3-p16/ NOTE: https://source.openmpt.org/browse/openmpt/trunk/?op=revision&rev=11209 NOTE: Negligible security impact CVE-2019-14381 (libopenmpt before 0.4.3 allows a crash due to a NULL pointer dereferen ...) - libopenmpt 0.4.3-1 [stretch] - libopenmpt (Vulnerable code not present in 0.2.x series) NOTE: https://lib.openmpt.org/libopenmpt/2019/02/11/security-update-0.4.3/ CVE-2019-14380 (libopenmpt before 0.4.5 allows a crash during playback due to an out-o ...) - libopenmpt 0.4.5-1 (low) [buster] - libopenmpt (Minor issue) [stretch] - libopenmpt (Vulnerable code not present in 0.2 branch) NOTE: https://lib.openmpt.org/libopenmpt/2019/05/27/security-update-0.4.5/ CVE-2019-14379 (SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mis ...) {DSA-4542-1 DLA-1879-1} - jackson-databind 2.9.9.3-1 (bug #933393) NOTE: https://github.com/FasterXML/jackson-databind/issues/2387 NOTE: https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b CVE-2019-14378 (ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overf ...) {DSA-4512-1 DSA-4506-1 DLA-1927-1} - qemu 1:4.1-1 (bug #933741) - qemu-kvm - slirp4netns 0.3.2-1 (bug #933742) [buster] - slirp4netns 0.2.3-1 NOTE: https://gitlab.freedesktop.org/slirp/libslirp/commit/126c04acbabd7ad32c2b018fe10dfac2a3bc1210 CVE-2018-20870 (The WebDAV transport feature in cPanel before 76.0.8 enables debug log ...) NOT-FOR-US: cPanel CVE-2018-20869 (cPanel before 76.0.8 allows arbitrary code execution in the context of ...) NOT-FOR-US: cPanel CVE-2018-20868 (cPanel before 76.0.8 has Stored XSS in the WHM MultiPHP Manager interf ...) NOT-FOR-US: cPanel CVE-2018-20867 (cPanel before 76.0.8 has an open redirect when resetting connections ( ...) NOT-FOR-US: cPanel CVE-2018-20866 (cPanel before 76.0.8 has Stored XSS in the WHM "Reset a DNS Zone" feat ...) NOT-FOR-US: cPanel CVE-2018-20865 (cPanel before 76.0.8 has Self XSS in the WHM Additional Backup Destina ...) NOT-FOR-US: cPanel CVE-2018-20864 (cPanel before 76.0.8 allows a persistent Virtual FTP accounts after re ...) NOT-FOR-US: cPanel CVE-2018-20863 (cPanel before 76.0.8 allows remote attackers to execute arbitrary code ...) NOT-FOR-US: cPanel CVE-2018-20862 (cPanel before 76.0.8 unsafely performs PostgreSQL password changes (SE ...) NOT-FOR-US: cPanel CVE-2018-20861 (libopenmpt before 0.3.11 allows a crash with certain malformed custom ...) - libopenmpt 0.3.11-1 [stretch] - libopenmpt (Minor issue) NOTE: https://lib.openmpt.org/libopenmpt/2018/07/28/security-updates-0.3.11-0.2.10635-beta34-0.2.7561-beta20.5-p10-0.2.7386-beta20.3-p13/ NOTE: https://source.openmpt.org/browse/openmpt/trunk/?op=revision&rev=10615 (0.3.11) NOTE: https://source.openmpt.org/browse/openmpt/trunk/?op=revision&rev=10616 (0.2.10635-beta34) NOTE: https://source.openmpt.org/browse/openmpt/trunk/?op=revision&rev=10617 (0.2.10635-beta34) CVE-2018-20859 (edx-platform before 2018-07-18 allows XSS via a response to a Chemical ...) NOT-FOR-US: Open edX CVE-2018-20858 (Recommender before 2018-07-18 allows XSS. ...) NOT-FOR-US: RecommenderXBlock CVE-2017-18381 (The installation process in Open edX before 2017-01-10 exposes a Mongo ...) NOT-FOR-US: Open edX CVE-2017-18380 (edx-platform before 2017-08-03 allows attackers to trigger password-re ...) NOT-FOR-US: Open edX CVE-2016-10766 (edx-platform before 2016-06-06 allows CSRF. ...) NOT-FOR-US: Open edX CVE-2016-10765 (edx-platform before 2016-06-10 allows account activation with a spoofe ...) NOT-FOR-US: Open edX CVE-2019-14377 RESERVED CVE-2019-14376 RESERVED CVE-2019-14375 RESERVED CVE-2019-14374 RESERVED CVE-2019-14373 (An issue was discovered in image_save_png in image/image-png.cpp in Fr ...) - flif NOTE: https://github.com/FLIF-hub/FLIF/issues/541 CVE-2019-14372 (In Libav 12.3, there is an infinite loop in the function wv_read_block ...) {DLA-1907-1} - libav NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1165 CVE-2019-14371 (An issue was discovered in Libav 12.3. There is an infinite loop in th ...) {DLA-1907-1} - libav NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1163 NOTE: fixed through CVE-2018-11102 / https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/7abf394814d818973db562102f21ab9d10540840 CVE-2019-14370 (In Exiv2 0.27.99.0, there is an out-of-bounds read in Exiv2::MrwImage: ...) - exiv2 0.27.2-6 [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) [jessie] - exiv2 (poc not triggered with asan/valgrind, different MemIo::seek bound check) NOTE: https://github.com/Exiv2/exiv2/issues/954 NOTE: fixed through CVE-2019-13504 NOTE: https://github.com/Exiv2/exiv2/commit/bd0afe0390439b2c424d881c8c6eb0c5624e31d9 CVE-2019-14369 (Exiv2::PngImage::readMetadata() in pngimage.cpp in Exiv2 0.27.99.0 all ...) - exiv2 0.27.2-6 [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) [jessie] - exiv2 (poc not triggered with asan/valgrind, different MemIo::seek bound check) NOTE: https://github.com/Exiv2/exiv2/issues/953 NOTE: fixed through CVE-2019-13504 NOTE: https://github.com/Exiv2/exiv2/commit/bd0afe0390439b2c424d881c8c6eb0c5624e31d9 CVE-2019-14368 (Exiv2 0.27.99.0 has a heap-based buffer over-read in Exiv2::RafImage:: ...) - exiv2 (Vulnerable code introduced later) NOTE: https://github.com/Exiv2/exiv2/issues/952 NOTE: Fixed by: https://github.com/Exiv2/exiv2/commit/bd0afe0390439b2c424d881c8c6eb0c5624e31d9 NOTE: Introduced by: https://github.com/Exiv2/exiv2/commit/c72d16f4c402a8acc2dfe06fe3d58bf6cf99069e CVE-2019-14367 (Slack-Chat through 1.5.5 leaks a Slack Access Token in source code. An ...) NOT-FOR-US: Slack-Chat CVE-2019-14366 (WP SlackSync plugin through 1.8.5 for WordPress leaks a Slack Access T ...) NOT-FOR-US: WP SlackSync plugin for WordPress CVE-2019-14365 (The Intercom plugin through 1.2.1 for WordPress leaks a Slack Access T ...) NOT-FOR-US: Intercom plugin for WordPress CVE-2019-14364 (An XSS vulnerability in the "Email Subscribers & Newsletters" plug ...) NOT-FOR-US: "Email Subscribers & Newsletters" plugin for WordPress CVE-2019-14363 (A stack-based buffer overflow in the upnpd binary running on NETGEAR W ...) NOT-FOR-US: NETGEAR CVE-2019-14362 (Openbravo ERP before 3.0PR19Q1.3 is affected by Directory Traversal. T ...) NOT-FOR-US: Openbravo ERP CVE-2019-14361 REJECTED CVE-2019-14360 (On Hyundai Pay Kasse HK-1000 devices, a side channel for the row-based ...) NOT-FOR-US: Hyundai Pay Kasse HK-1000 devices CVE-2019-14359 (** DISPUTED ** On BC Vault devices, a side channel for the row-based S ...) NOT-FOR-US: BC Vault devices CVE-2019-14358 (On Archos Safe-T devices, a side channel for the row-based OLED displa ...) NOT-FOR-US: Archos Safe-T devices CVE-2019-14357 (** DISPUTED ** On Mooltipass Mini devices, a side channel for the row- ...) NOT-FOR-US: Mooltipass Mini devices CVE-2019-14356 (** DISPUTED ** On Coldcard MK1 and MK2 devices, a side channel for the ...) NOT-FOR-US: Coldcard CVE-2019-14355 (** DISPUTED ** On ShapeShift KeepKey devices, a side channel for the r ...) NOT-FOR-US: ShapeShift KeepKey devices CVE-2019-14354 (On Ledger Nano S and Nano X devices, a side channel for the row-based ...) NOT-FOR-US: Ledger Nano S and Nano X devices CVE-2019-14353 (On Trezor One devices before 1.8.2, a side channel for the row-based O ...) NOT-FOR-US: Trezor One devices CVE-2019-14352 (** DISPUTED ** In Joget Workflow 6.0.20, CSV Injection, also known as ...) NOT-FOR-US: Joget Workflow CVE-2019-14351 (EspoCRM 5.6.4 is vulnerable to user password hash enumeration. A malic ...) NOT-FOR-US: EspoCRM CVE-2019-14350 (EspoCRM 5.6.4 is vulnerable to stored XSS due to lack of filtration of ...) NOT-FOR-US: EspoCRM CVE-2019-14349 (EspoCRM version 5.6.4 is vulnerable to stored XSS due to lack of filtr ...) NOT-FOR-US: EspoCRM CVE-2019-14348 (The BearDev JoomSport plugin 3.3 for WordPress allows SQL injection to ...) NOT-FOR-US: BearDev JoomSport plugin for WordPress CVE-2019-14347 (Internal/Views/addUsers.php in Schben Adive 2.0.7 allows remote unpriv ...) NOT-FOR-US: Schben Adive CVE-2019-14346 (Internal/Views/config.php in Schben Adive 2.0.7 allows admin/config CS ...) NOT-FOR-US: Schben Adive CVE-2019-14345 (TemaTres 3.0 allows remote unprivileged users to create an administrat ...) NOT-FOR-US: TemaTres CVE-2019-14344 (TemaTres 3.0 has reflected XSS via the replace_string or search_string ...) NOT-FOR-US: TemaTres CVE-2019-14343 (TemaTres 3.0 has stored XSS via the value parameter to the vocab/admin ...) NOT-FOR-US: TemaTres CVE-2019-14342 RESERVED CVE-2019-14341 RESERVED CVE-2019-14340 RESERVED CVE-2019-14339 (The ContentProvider in the Canon PRINT jp.co.canon.bsd.ad.pixmaprint 2 ...) NOT-FOR-US: CANON CVE-2019-14338 (An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 2 ...) NOT-FOR-US: D-Link CVE-2019-14337 (An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 2 ...) NOT-FOR-US: D-Link CVE-2019-14336 (An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 2 ...) NOT-FOR-US: D-Link CVE-2019-14335 (An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 2 ...) NOT-FOR-US: D-Link CVE-2019-14334 (An issue was discovered on D-Link 6600-AP, DWL-3600AP, and DWL-8610AP ...) NOT-FOR-US: D-Link CVE-2019-14333 (An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 2 ...) NOT-FOR-US: D-Link CVE-2019-14332 (An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 2 ...) NOT-FOR-US: D-Link CVE-2019-14331 (An issue was discovered in EspoCRM before 5.6.6. Stored XSS exists due ...) NOT-FOR-US: EspoCRM CVE-2019-14330 (An issue was discovered in EspoCRM before 5.6.6. Stored XSS exists due ...) NOT-FOR-US: EspoCRM CVE-2019-14329 (An issue was discovered in EspoCRM before 5.6.6. There is stored XSS d ...) NOT-FOR-US: EspoCRM CVE-2019-14328 (The Simple Membership plugin before 3.8.5 for WordPress has CSRF affec ...) NOT-FOR-US: Simple Membership plugin for WordPress CVE-2019-14327 (A CSRF vulnerability in Settings form in the Custom Simple Rss plugin ...) NOT-FOR-US: Custom Simple Rss plugin for WordPress CVE-2019-14326 (An issue was discovered in AndyOS Andy versions up to 46.11.113. By de ...) NOT-FOR-US: AndyOS Andy CVE-2019-14325 RESERVED CVE-2019-14324 RESERVED CVE-2019-14323 (SSDP Responder 1.x through 1.5 mishandles incoming network messages, l ...) NOT-FOR-US: SSDP Responder CVE-2019-14322 (In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles dri ...) - python-werkzeug (Windows-specific) CVE-2019-14321 RESERVED CVE-2019-14320 RESERVED CVE-2019-14319 (The TikTok (formerly Musical.ly) application 12.2.0 for Android and iO ...) NOT-FOR-US: TikTok CVE-2019-14318 (Crypto++ 8.3.0 and earlier contains a timing side channel in ECDSA sig ...) [experimental] - libcrypto++ 8.2.0-2 - libcrypto++ 5.6.4-9 (low; bug #934326) [buster] - libcrypto++ (Minor issue) [stretch] - libcrypto++ (Minor issue) [jessie] - libcrypto++ (Minor issue) NOTE: https://github.com/weidai11/cryptopp/issues/869 CVE-2019-14317 (wolfSSL and wolfCrypt 4.1.0 and earlier (formerly known as CyaSSL) gen ...) - wolfssl 4.2.0+dfsg-1 CVE-2019-14316 RESERVED CVE-2019-14315 (A cross-site scripting (XSS) vulnerability in upload.php in SunHater K ...) NOT-FOR-US: SunHater KCFinder CVE-2019-14314 (A SQL injection vulnerability exists in the Imagely NextGEN Gallery pl ...) NOT-FOR-US: Imagely NextGEN Gallery plugin for WordPress CVE-2019-14313 (A SQL injection vulnerability exists in the 10Web Photo Gallery plugin ...) NOT-FOR-US: 10Web Photo Gallery plugin for WordPress CVE-2019-14312 (Aptana Jaxer 1.0.3.4547 is vulnerable to a local file inclusion vulner ...) NOT-FOR-US: Aptana Jaxer CVE-2019-14311 RESERVED CVE-2019-14310 (Ricoh SP C250DN 1.05 devices allow denial of service (issue 2 of 3). U ...) NOT-FOR-US: Ricoh CVE-2019-14309 (Ricoh SP C250DN 1.05 devices have a fixed password. FTP service creden ...) NOT-FOR-US: Ricoh CVE-2019-14308 (Several Ricoh printers have multiple buffer overflows parsing LPD pack ...) NOT-FOR-US: Ricoh CVE-2019-14307 (Several Ricoh printers have multiple buffer overflows parsing HTTP par ...) NOT-FOR-US: Ricoh CVE-2019-14306 (Ricoh SP C250DN 1.06 devices have Incorrect Access Control (issue 2 of ...) NOT-FOR-US: Ricoh SP C250DN 1.06 devices CVE-2019-14305 (Several Ricoh printers have multiple buffer overflows parsing HTTP par ...) NOT-FOR-US: Ricoh CVE-2019-14304 (Ricoh SP C250DN 1.06 devices allow CSRF. ...) NOT-FOR-US: Ricoh SP C250DN 1.06 devices CVE-2019-14303 (Ricoh SP C250DN 1.05 devices allow denial of service (issue 1 of 3). S ...) NOT-FOR-US: Ricoh CVE-2019-14302 (On Ricoh SP C250DN 1.06 devices, a debug port can be used. ...) NOT-FOR-US: Ricoh SP C250DN 1.06 devices CVE-2019-14301 (Ricoh SP C250DN 1.06 devices have Incorrect Access Control (issue 1 of ...) NOT-FOR-US: Ricoh SP C250DN 1.06 devices CVE-2019-14300 (Several Ricoh printers have multiple buffer overflows parsing HTTP coo ...) NOT-FOR-US: Ricoh CVE-2019-14299 (Ricoh SP C250DN 1.05 devices have an Authentication Method Vulnerable ...) NOT-FOR-US: Ricoh CVE-2019-14298 (Veeam ONE Reporter 9.5.0.3201 allows XSS via a crafted Description(con ...) NOT-FOR-US: Veeam ONE Reporter CVE-2019-14297 (Veeam ONE Reporter 9.5.0.3201 allows XSS via the Add/Edit Widget with ...) NOT-FOR-US: Veeam ONE Reporter CVE-2017-18379 (In the Linux kernel before 4.14, an out of boundary access happened in ...) - linux 4.14.2-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/0c319d3a144d4b8f1ea2047fd614d2149b68f889 CVE-2016-10764 (In the Linux kernel before 4.9.6, there is an off by one in the driver ...) - linux 4.9.6-1 NOTE: https://git.kernel.org/linus/193e87143c290ec16838f5368adc0e0bc94eb931 CVE-2015-9289 (In the Linux kernel before 4.1.4, a buffer overflow occurs when checki ...) - linux 4.1.5-1 NOTE: https://git.kernel.org/linus/1fa2337a315a2448c5434f41e00d56b01a22283c CVE-2012-6712 (In the Linux kernel before 3.4, a buffer overflow occurs in drivers/ne ...) - linux 3.8.11-1 NOTE: https://git.kernel.org/linus/2da424b0773cea3db47e1e81db71eeebde8269d4 CVE-2011-5327 (In the Linux kernel before 3.1, an off by one in the drivers/target/lo ...) - linux (Fixed before src:linux-2.6 -> src:linux rename) NOTE: https://git.kernel.org/linus/12f09ccb4612734a53e47ed5302e0479c10a50f8 CVE-2010-5332 (In the Linux kernel before 2.6.37, an out of bounds array access happe ...) - linux (Fixed before src:linux-2.6 -> src:linux rename) NOTE: https://git.kernel.org/linus/0926f91083f34d047abc74f1ca4fa6a9c161f7db CVE-2010-5331 (** DISPUTED ** In the Linux kernel before 2.6.34, a range check issue ...) - linux (Fixed before src:linux-2.6 -> src:linux rename) NOTE: https://git.kernel.org/linus/0031c41be5c529f8329e327b63cde92ba1284842 CVE-2007-6762 (In the Linux kernel before 2.6.20, there is an off-by-one bug in net/n ...) - linux (Fixed before src:linux-2.6 -> src:linux rename) NOTE: https://git.kernel.org/linus/2a2f11c227bdf292b3a2900ad04139d301b56ac4 CVE-2019-14296 (canUnpack in p_vmlinx.cpp in UPX 3.95 allows remote attackers to cause ...) - upx-ucl 3.95-2 (unimportant; bug #933232) NOTE: https://github.com/upx/upx/issues/287 NOTE: https://github.com/upx/upx/commit/276b748aa6021c38a2dc699153f61b10e76bc3d2 CVE-2019-14295 (An Integer overflow in the getElfSections function in p_vmlinx.cpp in ...) - upx-ucl 3.95-2 (unimportant; bug #933232) NOTE: https://github.com/upx/upx/issues/286 NOTE: https://github.com/upx/upx/commit/58b122d97da1e02dfec24b10b6b8f56218b5622c NOTE: https://github.com/upx/upx/commit/6a53c0b3d499d62346a5c51034db543a4ef78ea3 CVE-2019-14294 (An issue was discovered in Xpdf 4.01.01. There is a use-after-free in ...) - xpdf (xpdf in Debian uses poppler, which is fixed) NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/f7990386d268a444c297958e9c50ed27a0825a00 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/2c0f70afff03798165c2b609e115dc7e9c034c57 CVE-2019-14293 (An issue was discovered in Xpdf 4.01.01. There is an out of bounds rea ...) - xpdf (xpdf in Debian uses poppler, which is fixed) NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/44cd46a6e04a87bd702dab4a662042f69f16c4ad CVE-2019-14292 (An issue was discovered in Xpdf 4.01.01. There is an out of bounds rea ...) - xpdf (xpdf in Debian uses poppler, which is fixed) NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/44cd46a6e04a87bd702dab4a662042f69f16c4ad CVE-2019-14291 (An issue was discovered in Xpdf 4.01.01. There is an out of bounds rea ...) - xpdf (xpdf in Debian uses poppler, which is fixed) NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/44cd46a6e04a87bd702dab4a662042f69f16c4ad CVE-2019-14290 (An issue was discovered in Xpdf 4.01.01. There is an out of bounds rea ...) - xpdf (xpdf in Debian uses poppler, which is fixed) NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/44cd46a6e04a87bd702dab4a662042f69f16c4ad CVE-2019-14289 (An issue was discovered in Xpdf 4.01.01. There is an integer overflow ...) - xpdf (xpdf in Debian uses poppler, which is fixed) NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/55db66c69fd56826b8523710046deab1a8d14ba2 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/22c4701d5f7be0010ee4519daa546fba5ab7ac13 NOTE: Issue correspond to CVE-2017-9776 for src:poppler CVE-2019-14288 (An issue was discovered in Xpdf 4.01.01. There is an Integer overflow ...) - xpdf (xpdf in Debian uses poppler, which is fixed) NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/55db66c69fd56826b8523710046deab1a8d14ba2 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/22c4701d5f7be0010ee4519daa546fba5ab7ac13 NOTE: Issue correspond to CVE-2017-9776 for src:poppler CVE-2019-14287 (In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer a ...) {DSA-4543-1 DLA-1964-1} - sudo 1.8.27-1.1 (bug #942322) NOTE: https://www.sudo.ws/alerts/minus_1_uid.html NOTE: Patch: https://www.sudo.ws/repos/sudo/rev/83db8dba09e7 NOTE: Fix test regression: https://www.sudo.ws/repos/sudo/rev/db06a8336c09 NOTE: Patch: https://www.openwall.com/lists/oss-security/2019/10/15/2 (1.8.5, 1.8.10) CVE-2019-14286 (In app/webroot/js/event-graph.js in MISP 2.4.111, a stored XSS vulnera ...) NOT-FOR-US: MISP CVE-2019-14285 RESERVED CVE-2015-9288 (The Unity Web Player plugin before 4.6.6f2 and 5.x before 5.0.3f2 allo ...) NOT-FOR-US: Unity Web Player plugin CVE-2019-1000033 REJECTED CVE-2019-14284 (In the Linux kernel before 5.2.3, drivers/block/floppy.c allows a deni ...) {DSA-4497-1 DSA-4495-1 DLA-1885-1 DLA-1884-1} - linux 5.2.6-1 NOTE: Fixed by: https://git.kernel.org/linus/f3554aeb991214cbfafd17d55e2bfddb50282e32 CVE-2019-14283 (In the Linux kernel before 5.2.3, set_geometry in drivers/block/floppy ...) {DSA-4497-1 DSA-4495-1 DLA-1885-1 DLA-1884-1} - linux 5.2.6-1 NOTE: Fixed by: https://git.kernel.org/linus/da99466ac243f15fbba65bd261bfc75ffa1532b6 CVE-2019-1020019 (invenio-previewer before 1.0.0a12 allows XSS. ...) NOT-FOR-US: invenio-previewer CVE-2019-1020018 (Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a confirmati ...) NOT-FOR-US: Discourse CVE-2019-1020017 (Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a confirmati ...) NOT-FOR-US: Discourse CVE-2019-1020016 (ASH-AIO before 2.0.0.3 allows an open redirect. ...) NOT-FOR-US: ASH-AIO CVE-2019-1020015 (graphql-engine (aka Hasura GraphQL Engine) before 1.0.0-beta.3 mishand ...) NOT-FOR-US: graphql-engine (aka Hasura GraphQL Engine) CVE-2019-1020014 (docker-credential-helpers before 0.6.3 has a double free in the List f ...) - golang-github-docker-docker-credential-helpers 0.6.1-3 (bug #933801) [buster] - golang-github-docker-docker-credential-helpers (Minor issue, can be fixed in point release) NOTE: https://github.com/docker/docker-credential-helpers/commit/1c9f7ede70a5ab9851f4c9cb37d317fd89cd318a CVE-2019-1020013 (parse-server before 3.6.0 allows account enumeration. ...) NOT-FOR-US: parse-server CVE-2019-1020012 (parse-server before 3.4.1 allows DoS after any POST to a volatile clas ...) NOT-FOR-US: parse-server CVE-2019-1020011 (SmokeDetector intentionally does automatic deployments of updated copi ...) NOT-FOR-US: SmokeDetector CVE-2019-1020010 (Misskey before 10.102.4 allows hijacking a user's token. ...) NOT-FOR-US: Misskey CVE-2019-1020009 (Fleet before 2.1.2 allows exposure of SMTP credentials. ...) NOT-FOR-US: Fleet (osquery frontend) CVE-2019-1020008 (stacktable.js before 1.0.4 allows XSS. ...) NOT-FOR-US: stacktable.js CVE-2019-1020007 (Dependency-Track before 3.5.1 allows XSS. ...) NOT-FOR-US: Dependency-Track CVE-2019-1020006 (invenio-app before 1.1.1 allows host header injection. ...) NOT-FOR-US: invenio-app CVE-2019-1020005 (invenio-communities before 1.0.0a20 allows XSS. ...) NOT-FOR-US: invenio-communities CVE-2019-1020004 (Tridactyl before 1.16.0 allows fake key events. ...) NOT-FOR-US: Tridactyl CVE-2019-1020003 (invenio-records before 1.2.2 allows XSS. ...) NOT-FOR-US: invenio-records CVE-2019-1020002 (Pterodactyl before 0.7.14 with 2FA allows credential sniffing. ...) NOT-FOR-US: Pterodactyl CVE-2019-1020001 (yard before 0.9.20 allows path traversal. ...) - yard 0.9.20-1 (low; bug #945369) [buster] - yard (Minor issue) [stretch] - yard (Minor issue) [jessie] - yard (Bug was introduced in 0.9.6) NOTE: https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr NOTE: Introduced in: https://github.com/lsegal/yard/commit/b32a2efe40e7bd8e5daac7fae119493376a73cde (0.9.6) CVE-2018-20857 (Zendesk Samlr before 2.6.2 allows an XML nodes comment attack such as ...) NOT-FOR-US: Zendesk Samlr CVE-2019-14282 (The simple_captcha2 gem 0.2.3 for Ruby, as distributed on RubyGems.org ...) - ruby-simple-captcha2 (Backdoored versions not available in a Debian release) NOTE: https://github.com/rubygems/rubygems.org/issues/2073 CVE-2019-14281 (The datagrid gem 1.0.6 for Ruby, as distributed on RubyGems.org, inclu ...) NOT-FOR-US: Ruby datagrid gem CVE-2019-14280 (In some circumstances, Craft 2 before 2.7.10 and 3 before 3.2.6 wasn't ...) NOT-FOR-US: Craft CMS CVE-2019-14279 RESERVED CVE-2019-14278 (In Knowage through 6.1.1, an unauthenticated user can enumerated valid ...) NOT-FOR-US: Knowage CVE-2019-14277 (** DISPUTED ** Axway SecureTransport 5.x through 5.3 (or 5.x through 5 ...) NOT-FOR-US: Axway SecureTransport CVE-2019-14276 (WUSTL XNAT 1.7.5.3 allows XXE attacks via a POST request body. ...) NOT-FOR-US: WUSTL XNAT CVE-2019-14275 (Xfig fig2dev 3.2.7a has a stack-based buffer overflow in the calc_arro ...) {DLA-2073-1} - fig2dev 1:3.2.7a-7 (unimportant; bug #933075) [buster] - fig2dev 1:3.2.7a-5+deb10u1 [stretch] - fig2dev 1:3.2.6a-2+deb9u2 - transfig (unimportant) NOTE: https://sourceforge.net/p/mcj/tickets/52/ NOTE: Crash in CLI tool, no security impact, hardening build CVE-2019-14274 (MCPP 2.7.2 has a heap-based buffer overflow in the do_msg() function i ...) - mcpp 2.7.2-5 (bug #933497) [buster] - mcpp (Minor issue) [stretch] - mcpp (Minor issue) [jessie] - mcpp (Minor issue) NOTE: https://sourceforge.net/p/mcpp/bugs/13/ CVE-2019-14273 (In SilverStripe assets 4.0, there is broken access control on files. ...) NOT-FOR-US: SilverStripe CVE-2019-14272 (In SilverStripe asset-admin 4.0, there is XSS in file titles managed t ...) NOT-FOR-US: SilverStripe CVE-2019-14271 (In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka ...) {DSA-4521-1} - docker.io 18.09.1+dfsg1-9 NOTE: https://github.com/moby/moby/issues/39449 NOTE: https://github.com/moby/moby/pull/39612 (19.03.x) NOTE: Fix needs to be backported to 18.09 as well: NOTE: https://github.com/docker/engine/pull/305 (18.09.x) NOTE: https://github.com/moby/moby/pull/39612#issuecomment-517999360 CVE-2019-14270 (Comodo Antivirus through 12.0.0.6870, Comodo Firewall through 12.0.0.6 ...) NOT-FOR-US: Comodo Antivirus CVE-2019-14269 RESERVED CVE-2019-14268 (In Octopus Deploy versions 3.0.19 to 2019.7.2, when a web request prox ...) NOT-FOR-US: Octopus Deploy CVE-2019-14267 (PDFResurrect 0.15 has a buffer overflow via a crafted PDF file because ...) - pdfresurrect 0.16-1 (unimportant) NOTE: https://github.com/enferex/pdfresurrect/commit/4ea7a6f4f51d0440da651d099247e2273f811dbc NOTE: Crash in CLI tool, negligible security impact, hardening build CVE-2019-14266 (OpenSNS v6.1.0 allows SQL Injection via the index.php?s=/ucenter/Confi ...) NOT-FOR-US: OpenSNS CVE-2019-14265 RESERVED CVE-2019-14264 RESERVED CVE-2019-14263 RESERVED CVE-2019-14262 (MetadataExtractor 2.1.0 allows stack consumption. ...) NOT-FOR-US: MetadataExtractor CVE-2019-14261 (An issue was discovered on ABUS Secvest FUAA50000 3.01.01 devices. Due ...) NOT-FOR-US: ABUS Secvest FUAA50000 3.01.01 devices CVE-2019-14260 (On the Alcatel-Lucent Enterprise (ALE) 8008 Cloud Edition Deskphone Vo ...) NOT-FOR-US: Alcatel-Lucent Enterprise (ALE) 8008 Cloud Edition Deskphone VoIP phone CVE-2019-14259 (On the Polycom Obihai Obi1022 VoIP phone with firmware 5.1.11, a comma ...) NOT-FOR-US: Polycom Obihai Obi1022 VoIP phone CVE-2019-14258 (The XML-RPC subsystem in Zenoss 2.5.3 allows XXE attacks that lead to ...) - zenoss (bug #361253) CVE-2019-14257 (pyraw in Zenoss 2.5.3 allows local privilege escalation by modifying e ...) - zenoss (bug #361253) CVE-2019-14256 RESERVED CVE-2019-14255 (A Server Side Request Forgery (SSRF) vulnerability in go-camo up to ve ...) NOT-FOR-US: go-camo CVE-2019-14254 (An issue was discovered in the secure portal in Publisure 2.1.2. Becau ...) NOT-FOR-US: Publisure CVE-2019-14253 (An issue was discovered in servletcontroller in the secure portal in P ...) NOT-FOR-US: Publisure CVE-2019-14252 (An issue was discovered in the secure portal in Publisure 2.1.2. Once ...) NOT-FOR-US: Publisure CVE-2019-14251 (An issue was discovered in T24 in TEMENOS Channels R15.01. The login p ...) NOT-FOR-US: T24 in TEMENOS Channels R15.01 CVE-2019-14250 (An issue was discovered in GNU libiberty, as distributed in GNU Binuti ...) - binutils 2.33-1 (unimportant) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90924 NOTE: https://gcc.gnu.org/ml/gcc-patches/2019-07/msg01003.html NOTE: binutils not covered by security support CVE-2019-14249 (dwarf_elf_load_headers.c in libdwarf before 2019-07-05 allows attacker ...) - dwarfutils (Vulnerable code introduced in 20190505 version) NOTE: https://sourceforge.net/p/libdwarf/code/merge-requests/4/ NOTE: Fixed by: https://sourceforge.net/p/libdwarf/code/ci/cb7198abde46c2ae29957ad460da6886eaa606ba NOTE: Introduced in: https://sourceforge.net/p/libdwarf/code/ci/4709f63c8b7488241b5b522267a796834a66db3a CVE-2019-14248 (In libnasm.a in Netwide Assembler (NASM) 2.14.xx, asm/pragma.c allows ...) - nasm (unimportant; bug #932907) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392576 NOTE: Crash in CLI tool, no security impact CVE-2019-14247 (The scan() function in mad.c in mpg321 0.3.2 allows remote attackers t ...) - mpg321 0.3.2-2 [stretch] - mpg321 (Minor issue) [jessie] - mpg321 (Minor issue) NOTE: https://sourceforge.net/p/mpg321/bugs/51/ NOTE: Fixed by handle_illegal_bitrate_value.patch CVE-2019-14246 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecu ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-14245 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecu ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-14244 RESERVED CVE-2019-14243 (headerv2.go in mastercactapus proxyprotocol before 0.0.2, as used in t ...) NOT-FOR-US: mastercactapus proxyprotocol CVE-2019-14242 (An issue was discovered in Bitdefender products for Windows (Bitdefend ...) NOT-FOR-US: Bitdefender products for Windows CVE-2019-14241 (HAProxy through 2.0.2 allows attackers to cause a denial of service (h ...) - haproxy (Vulnerable code not present) NOTE: https://github.com/haproxy/haproxy/issues/181 CVE-2019-14240 (WCMS v0.3.2 has a CSRF vulnerability, with resultant directory travers ...) NOT-FOR-US: WCMS CVE-2019-14239 (On NXP Kinetis KV1x, Kinetis KV3x, and Kinetis K8x devices, Flash Acce ...) NOT-FOR-US: NXP Kinetis CVE-2019-14238 (On STMicroelectronics STM32F7 devices, Proprietary Code Read Out Prote ...) NOT-FOR-US: STMicroelectronics CVE-2019-14237 (On NXP Kinetis KV1x, Kinetis KV3x, and Kinetis K8x devices, Flash Acce ...) NOT-FOR-US: NXP Kinetis KV1x, Kinetis KV3x, and Kinetis K8x devices CVE-2019-14236 (On STMicroelectronics STM32L0, STM32L1, STM32L4, STM32F4, STM32F7, and ...) NOT-FOR-US: STMicroelectronics STM32L0, STM32L1, STM32L4, STM32F4, STM32F7, and STM32H7 devices CVE-2019-14235 (An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before ...) {DSA-4498-1} - python-django 2:2.2.4-1 (bug #934026) [jessie] - python-django (Vulnerable code not present) NOTE: https://www.djangoproject.com/weblog/2019/aug/01/security-releases/ NOTE: https://github.com/django/django/commit/cf694e6852b0da7799f8b53f1fb2f7d20cf17534 (2.2.x) NOTE: https://github.com/django/django/commit/869b34e9b3be3a4cfcb3a145f218ffd3f5e3fd79 (1.11.x) CVE-2019-14234 (An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before ...) {DSA-4498-1} - python-django 2:2.2.4-1 (bug #934026) [jessie] - python-django (Vulnerable code not present) NOTE: https://www.djangoproject.com/weblog/2019/aug/01/security-releases/ NOTE: https://github.com/django/django/commit/4f5b58f5cd3c57fee9972ab074f8dc6895d8f387 (2.2.x) NOTE: https://github.com/django/django/commit/ed682a24fca774818542757651bfba576c3fc3ef (1.11.x) CVE-2019-14233 (An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before ...) {DSA-4498-1 DLA-1872-1} - python-django 2:2.2.4-1 (bug #934026) NOTE: https://www.djangoproject.com/weblog/2019/aug/01/security-releases/ NOTE: https://github.com/django/django/commit/e34f3c0e9ee5fc9022428fe91640638bafd4cda7 (2.2.x) NOTE: https://github.com/django/django/commit/52479acce792ad80bb0f915f20b835f919993c72 (1.11.x) CVE-2019-14232 (An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before ...) {DSA-4498-1 DLA-1872-1} - python-django 2:2.2.4-1 (bug #934026) NOTE: https://www.djangoproject.com/weblog/2019/aug/01/security-releases/ NOTE: https://github.com/django/django/commit/c3289717c6f21a8cf23daff1c78c0c014b94041f (2.2.x) NOTE: https://github.com/django/django/commit/42a66e969023c00536256469f0e8b8a099ef109d (1.11.x) CVE-2019-14231 (An issue was discovered in the Viral Quiz Maker - OnionBuzz plugin bef ...) NOT-FOR-US: Viral Quiz Maker CVE-2019-14230 (An issue was discovered in the Viral Quiz Maker - OnionBuzz plugin bef ...) NOT-FOR-US: Viral Quiz Maker CVE-2019-14229 RESERVED CVE-2019-14228 (Xavier PHP Management Panel 3.0 is vulnerable to Reflected POST-based ...) NOT-FOR-US: Xavier PHP Management Panel CVE-2019-14227 (OX App Suite 7.10.1 and 7.10.2 allows XSS. ...) NOT-FOR-US: Open-Xchange App Suite CVE-2019-14226 (OX App Suite through 7.10.2 has Insecure Permissions. ...) NOT-FOR-US: Open-Xchange App Suite CVE-2019-14225 (OX App Suite 7.10.1 and 7.10.2 allows SSRF. ...) NOT-FOR-US: Open-Xchange App Suite CVE-2019-14224 (An issue was discovered in Alfresco Community Edition 5.2 201707. By l ...) NOT-FOR-US: Alfresco CVE-2019-14223 (An issue was discovered in Alfresco Community Edition versions below 5 ...) NOT-FOR-US: Alfresco CVE-2019-14222 (An issue was discovered in Alfresco Community Edition versions 6.0 and ...) NOT-FOR-US: Alfresco CVE-2019-14221 (1CRM On-Premise Software 8.5.7 allows XSS via a payload that is mishan ...) NOT-FOR-US: 1CRM On-Premise Software CVE-2019-14220 (An issue was discovered in BlueStacks 4.110 and below on macOS and on ...) NOT-FOR-US: BlueStacks CVE-2019-14219 RESERVED CVE-2019-14218 RESERVED CVE-2019-14217 RESERVED CVE-2019-14216 (An issue was discovered in the svg-vector-icon-plugin (aka WP SVG Icon ...) NOT-FOR-US: svg-vector-icon-plugin (aka WP SVG Icons) plugin for WordPress CVE-2019-14215 (An issue was discovered in Foxit PhantomPDF before 8.3.11. The applica ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-14214 (An issue was discovered in Foxit PhantomPDF before 8.3.10. The applica ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-14213 (An issue was discovered in Foxit PhantomPDF before 8.3.11. The applica ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-14212 (An issue was discovered in Foxit PhantomPDF before 8.3.11. The applica ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-14211 (An issue was discovered in Foxit PhantomPDF before 8.3.11. The applica ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-14210 (An issue was discovered in Foxit PhantomPDF before 8.3.10. The applica ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-14209 (An issue was discovered in Foxit PhantomPDF before 8.3.10. The applica ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-14208 (An issue was discovered in Foxit PhantomPDF before 8.3.10. The applica ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-14207 (An issue was discovered in Foxit PhantomPDF before 8.3.11. The applica ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-14206 (An Arbitrary File Deletion vulnerability in the Nevma Adaptive Images ...) NOT-FOR-US: Nevma Adaptive Images plugin for WordPress CVE-2019-14205 (A Local File Inclusion vulnerability in the Nevma Adaptive Images plug ...) NOT-FOR-US: Nevma Adaptive Images plugin for WordPress CVE-2019-14204 (An issue was discovered in Das U-Boot through 2019.07. There is a stac ...) - u-boot 2020.01+dfsg-1 [buster] - u-boot (Minor issue) [stretch] - u-boot (Minor issue) [jessie] - u-boot (Minor issue) NOTE: https://blog.semmle.com/uboot-rce-nfs-vulnerability/ NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/741a8a08ebe5bc3ccfe3cde6c2b44ee53891af21 CVE-2019-14203 (An issue was discovered in Das U-Boot through 2019.07. There is a stac ...) - u-boot 2020.01+dfsg-1 [buster] - u-boot (Minor issue) [stretch] - u-boot (Minor issue) [jessie] - u-boot (Minor issue) NOTE: https://blog.semmle.com/uboot-rce-nfs-vulnerability/ NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/741a8a08ebe5bc3ccfe3cde6c2b44ee53891af21 CVE-2019-14202 (An issue was discovered in Das U-Boot through 2019.07. There is a stac ...) - u-boot 2020.01+dfsg-1 [buster] - u-boot (Minor issue) [stretch] - u-boot (Minor issue) [jessie] - u-boot (Minor issue) NOTE: https://blog.semmle.com/uboot-rce-nfs-vulnerability/ NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/741a8a08ebe5bc3ccfe3cde6c2b44ee53891af21 CVE-2019-14201 (An issue was discovered in Das U-Boot through 2019.07. There is a stac ...) - u-boot 2020.01+dfsg-1 [buster] - u-boot (Minor issue) [stretch] - u-boot (Minor issue) [jessie] - u-boot (Minor issue) NOTE: https://blog.semmle.com/uboot-rce-nfs-vulnerability/ NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/741a8a08ebe5bc3ccfe3cde6c2b44ee53891af21 CVE-2019-14200 (An issue was discovered in Das U-Boot through 2019.07. There is a stac ...) - u-boot 2020.01+dfsg-1 [buster] - u-boot (Minor issue) [stretch] - u-boot (Minor issue) [jessie] - u-boot (Minor issue) NOTE: https://blog.semmle.com/uboot-rce-nfs-vulnerability/ NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/741a8a08ebe5bc3ccfe3cde6c2b44ee53891af21 CVE-2019-14199 (An issue was discovered in Das U-Boot through 2019.07. There is an unb ...) - u-boot 2020.01+dfsg-1 [buster] - u-boot (Minor issue) [stretch] - u-boot (Minor issue) [jessie] - u-boot (Minor issue) NOTE: https://blog.semmle.com/uboot-rce-nfs-vulnerability/ NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/fe7288069d2e6659117049f7d27e261b550bb725 CVE-2019-14198 (An issue was discovered in Das U-Boot through 2019.07. There is an unb ...) - u-boot 2020.01+dfsg-1 [buster] - u-boot (Minor issue) [stretch] - u-boot (Minor issue) [jessie] - u-boot (Minor issue) NOTE: https://blog.semmle.com/uboot-rce-nfs-vulnerability/ NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/aa207cf3a6d68f39d64cd29057a4fb63943e9078 CVE-2019-14197 (An issue was discovered in Das U-Boot through 2019.07. There is a read ...) - u-boot 2020.01+dfsg-1 [buster] - u-boot (Minor issue) [stretch] - u-boot (Minor issue) [jessie] - u-boot (Minor issue) NOTE: https://blog.semmle.com/uboot-rce-nfs-vulnerability/ NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/741a8a08ebe5bc3ccfe3cde6c2b44ee53891af21 CVE-2019-14196 (An issue was discovered in Das U-Boot through 2019.07. There is an unb ...) - u-boot 2020.01+dfsg-1 [buster] - u-boot (Minor issue) [stretch] - u-boot (Minor issue) [jessie] - u-boot (Minor issue) NOTE: https://blog.semmle.com/uboot-rce-nfs-vulnerability/ NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/5d14ee4e53a81055d34ba280cb8fd90330f22a96 CVE-2019-14195 (An issue was discovered in Das U-Boot through 2019.07. There is an unb ...) - u-boot 2020.01+dfsg-1 [buster] - u-boot (Minor issue) [stretch] - u-boot (Minor issue) [jessie] - u-boot (Minor issue) NOTE: https://blog.semmle.com/uboot-rce-nfs-vulnerability/ NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/cf3a4f1e86ecdd24f87b615051b49d8e1968c230 CVE-2019-14194 (An issue was discovered in Das U-Boot through 2019.07. There is an unb ...) - u-boot 2020.01+dfsg-1 [buster] - u-boot (Minor issue) [stretch] - u-boot (Minor issue) [jessie] - u-boot (Minor issue) NOTE: https://blog.semmle.com/uboot-rce-nfs-vulnerability/ NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/aa207cf3a6d68f39d64cd29057a4fb63943e9078 CVE-2019-14193 (An issue was discovered in Das U-Boot through 2019.07. There is an unb ...) - u-boot 2020.01+dfsg-1 [buster] - u-boot (Minor issue) [stretch] - u-boot (Minor issue) [jessie] - u-boot (Minor issue) NOTE: https://blog.semmle.com/uboot-rce-nfs-vulnerability/ NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/fe7288069d2e6659117049f7d27e261b550bb725 CVE-2019-14192 (An issue was discovered in Das U-Boot through 2019.07. There is an unb ...) - u-boot 2020.01+dfsg-1 [buster] - u-boot (Minor issue) [stretch] - u-boot (Minor issue) [jessie] - u-boot (Minor issue) NOTE: https://blog.semmle.com/uboot-rce-nfs-vulnerability/ NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/fe7288069d2e6659117049f7d27e261b550bb725 CVE-2019-14191 RESERVED CVE-2019-14190 RESERVED CVE-2019-14189 RESERVED CVE-2019-14188 RESERVED CVE-2019-14187 RESERVED CVE-2019-14186 RESERVED CVE-2019-14185 RESERVED CVE-2019-14184 RESERVED CVE-2019-14183 RESERVED CVE-2019-14182 RESERVED CVE-2019-14181 RESERVED CVE-2019-14180 RESERVED CVE-2019-14179 RESERVED CVE-2019-14178 RESERVED CVE-2019-14177 RESERVED CVE-2019-14176 RESERVED CVE-2019-14175 RESERVED CVE-2019-14174 RESERVED CVE-2019-14173 RESERVED CVE-2019-14172 RESERVED CVE-2019-14171 RESERVED CVE-2019-14170 RESERVED CVE-2019-14169 RESERVED CVE-2019-14168 RESERVED CVE-2019-14167 RESERVED CVE-2019-14166 RESERVED CVE-2019-14165 RESERVED CVE-2019-14164 RESERVED CVE-2019-14163 RESERVED CVE-2019-14162 RESERVED CVE-2019-14161 RESERVED CVE-2019-14160 RESERVED CVE-2019-14159 RESERVED CVE-2019-14158 RESERVED CVE-2019-14157 RESERVED CVE-2019-14156 RESERVED CVE-2019-14155 RESERVED CVE-2019-14154 RESERVED CVE-2019-14153 RESERVED CVE-2019-14152 RESERVED CVE-2019-14151 RESERVED CVE-2019-14150 RESERVED CVE-2019-14149 RESERVED CVE-2019-14148 RESERVED CVE-2019-14147 RESERVED CVE-2019-14146 RESERVED CVE-2019-14145 RESERVED CVE-2019-14144 RESERVED CVE-2019-14143 RESERVED CVE-2019-14142 RESERVED CVE-2019-14141 RESERVED CVE-2019-14140 RESERVED CVE-2019-14139 RESERVED CVE-2019-14138 RESERVED CVE-2019-14137 RESERVED CVE-2019-14136 RESERVED CVE-2019-14135 (Possible integer overflow to buffer overflow in WLAN while parsing non ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14134 (Possible out of bound access in WLAN handler when the received value o ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14133 RESERVED CVE-2019-14132 (Buffer over-write when this 0-byte buffer is typecasted to some other ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14131 (Out of bound write can occur in radio measurement request if STA recei ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14130 RESERVED CVE-2019-14129 RESERVED CVE-2019-14128 RESERVED CVE-2019-14127 (Possible buffer overflow while playing mkv clip due to lack of validat ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14126 RESERVED CVE-2019-14125 RESERVED CVE-2019-14124 RESERVED CVE-2019-14123 RESERVED CVE-2019-14122 (Memory failure in SKB if it fails to to add the requested padding to t ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14121 RESERVED CVE-2019-14120 RESERVED CVE-2019-14119 RESERVED CVE-2019-14118 RESERVED CVE-2019-14117 RESERVED CVE-2019-14116 (Privilege escalation by using an altered debug policy image can occur ...) NOT-FOR-US: Snapdragon CVE-2019-14115 RESERVED CVE-2019-14114 (Buffer overflow in WLAN firmware while parsing GTK IE containing GTK k ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14113 (Buffer overflow can occur in In WLAN firmware while unwraping data usi ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14112 (Potential buffer overflow while processing CBF frames due to lack of c ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14111 (Possible buffer overflow while handling NAN reception of NMF in Snapdr ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14110 (Buffer overflow can occur in function wlan firmware while copying asso ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14109 RESERVED CVE-2019-14108 RESERVED CVE-2019-14107 RESERVED CVE-2019-14106 RESERVED CVE-2019-14105 (Kernel was reading the CSL defined reserved field as uint16 instead of ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14104 (Slab-out-of-bounds access can occur if the context pointer is invalid ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14103 RESERVED CVE-2019-14102 RESERVED CVE-2019-14101 RESERVED CVE-2019-14100 RESERVED CVE-2019-14099 RESERVED CVE-2019-14098 (Possible buffer overflow in data offload handler due to lack of check ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14097 (Possible buffer overflow in WLAN Parser due to lack of length check wh ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14096 RESERVED CVE-2019-14095 (Buffer overflow occurs while processing LMP packet in which name lengt ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14094 (Integer overflow in diag command handler when user inputs a large valu ...) NOT-FOR-US: Snapdragon CVE-2019-14093 RESERVED CVE-2019-14092 (System Services exports services without permission protect and can le ...) NOT-FOR-US: Snapdragon CVE-2019-14091 (Double free issue in NPU due to lack of resource locking mechanism to ...) NOT-FOR-US: Snapdragon CVE-2019-14090 RESERVED CVE-2019-14089 RESERVED CVE-2019-14088 (Possible use after free issue while CRM is accessing the link pointer ...) NOT-FOR-US: Snapdragon CVE-2019-14087 (Failure in buffer management while accessing handle for HDR blit when ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14086 (Possible integer overflow while checking the length of frame which is ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14085 (Possible Integer underflow in WLAN function due to lack of check of da ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14084 RESERVED CVE-2019-14083 (While parsing Service Descriptor Extended Attribute received as part o ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14082 (Potential buffer over-read due to lack of bound check of memory offset ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14081 (Buffer Over-read when WLAN module gets a WMI message for SAR limits wi ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14080 (Out of bound write can happen due to lack of check of array index valu ...) NOT-FOR-US: Snapdragon CVE-2019-14079 (Access to the uninitialized variable when the driver tries to unmap th ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14078 (Out of bound memory access while processing qpay due to not validating ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14077 (Out of bound memory access while processing ese transmit command due t ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14076 (Buffer overflow occurs while processing an subsample data length out o ...) NOT-FOR-US: Snapdragon CVE-2019-14075 (Null pointer dereference issue in radio interface layer due to lack of ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14074 RESERVED CVE-2019-14073 (Copying RTCP messages into the output buffer without checking the dest ...) NOT-FOR-US: Snapdragon CVE-2019-14072 (Unhandled paging request is observed due to dereferencing an already f ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14071 (Compromised reset handler may bypass access control due to AC config i ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14070 (Possible use after free issue in pcm volume controls due to race condi ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14069 RESERVED CVE-2019-14068 (Out of bound access in msm routing due to lack of check of size before ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14067 (Using non-time-constant functions like memcmp to compare sensitive dat ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14066 (Integer overflow in calculating estimated output buffer size when gett ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14065 RESERVED CVE-2019-14064 RESERVED CVE-2019-14063 (Out of bound access due to Invalid inputs to dapm mux settings which r ...) NOT-FOR-US: Snapdragon CVE-2019-14062 (Buffer overflows while decoding setup message from Network due to lack ...) NOT-FOR-US: Snapdragon CVE-2019-14061 (Null-pointer dereference can occur while accessing the segment element ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14060 (Uninitialized stack data gets used If memory is not allocated for blob ...) NOT-FOR-US: Snapdragon CVE-2019-14059 RESERVED CVE-2019-14058 RESERVED CVE-2019-14057 (Buffer Over read of codec private data while parsing an mkv file due t ...) NOT-FOR-US: Snapdragon CVE-2019-14056 RESERVED CVE-2019-14055 (Possibility of use-after-free and double free because of not marking b ...) NOT-FOR-US: Snapdragon CVE-2019-14054 (Improper permissions in XBL_SEC region enable user to update XBL_SEC c ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14053 (When attempting to create a new XFRM policy, a stack out-of-bounds rea ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14052 RESERVED CVE-2019-14051 (Subsequent additions performed during Module loading while allocating ...) NOT-FOR-US: Snapdragon CVE-2019-14050 (Out-of-bound writes occurs due to lack of check of buffer size will ca ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14049 (Stage-2 fault will occur while writing to an ION system allocation whi ...) NOT-FOR-US: Snapdragon CVE-2019-14048 (Possible out of bound memory access while playing a crafted clip in me ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14047 (While IPA driver processes route add rule IOCTL, there is no input val ...) NOT-FOR-US: Snapdragon CVE-2019-14046 (Out of bound access while allocating memory for an array in camera due ...) NOT-FOR-US: Snapdragon CVE-2019-14045 (Possible buffer overflow while processing clientlog and serverlog due ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14044 (Out of bound access due to access of uninitialized memory segment in a ...) NOT-FOR-US: Snapdragon CVE-2019-14043 (Out of bound read in Fingerprint application due to requested data is ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14042 (Out of bound read in in fingerprint application due to requested data ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14041 (During listener modified response processing, a buffer overrun occurs ...) NOT-FOR-US: Snapdragon CVE-2019-14040 (Using memory after being freed in qsee due to wrong implementation can ...) NOT-FOR-US: Snapdragon CVE-2019-14039 (Out of bound read in adm call back function due to incorrect boundary ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14038 (Buffer over-read in ADSP parse function due to lack of check for avail ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14037 RESERVED CVE-2019-14036 (Possible buffer overflow issue in error processing due to improper val ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14035 RESERVED CVE-2019-14034 (Use after free while processing eeprom query as there is a chance to n ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14033 (Multiple Read overflows issue due to improper length check while decod ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14032 (Memory use after free issue in audio due to lack of resource control i ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14031 (Buffer overflow can occur while parsing RSN IE containing list of PMK ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14030 (The size of a buffer is determined by addition and multiplications ope ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14029 (Use-after-free in graphics module due to destroying already queued syn ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14028 (Buffer overwrite during memcpy due to lack of check on SSID length val ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14027 (Buffer overflow due to lack of upper bound check on channel length whi ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14026 (Possible buffer overflow in WLAN WMI handler due to lack of ssid lengt ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14025 RESERVED CVE-2019-14024 (Possible stack-use-after-scope issue in NFC usecase for card emulation ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14023 (String format issue will occur while processing HLOS data as there is ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14022 (Error occurs While extracting the ipv6_header having an invalid length ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14021 (Possible buffer overrun when processing EFS filename and payload sent ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14020 (Multiple Read overflows issue due to improper length check while decod ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14019 (Multiple Read overflows issue due to improper length check while decod ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14018 (Possible out of bound array access as there is no check on carrier ind ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14017 (Heap buffer overflow can occur while parsing invalid MKV clip which is ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14016 (Integer overflow occurs while playing the clip which is nonstandard in ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14015 (A stack-based buffer overflow exists in the initialization of the iden ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14014 (Possible buffer overflow when byte array receives incorrect input from ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14013 (While parsing invalid super index table, elements within super index t ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14012 (Possibility of null pointer deference as the array of video codecs fro ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14011 (Multiple Read overflows issue due to improper length check while decod ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14010 (The device may enter into error state when some tool or application ge ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14009 (Out of bound memory access while processing TZ command handler due to ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14008 (Possible null pointer dereference issue in location assistance data pr ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14007 (Due to the use of non-time-constant comparison functions there is issu ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14006 (Buffer overflow occur while playing the clip which is nonstandard due ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14005 (Buffer overflow occur while playing the clip which is nonstandard due ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14004 (Buffer overflow occurs while processing invalid MKV clip, which has in ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14003 (Null pointer exception can happen while parsing invalid MKV clip where ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14002 (APKs without proper permission may bind to CallEnhancementService and ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14001 (Wrong public key usage from existing oem_keystore for hash generation ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14000 (Lack of check that the RX FIFO write index that is read from shared RA ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-13999 RESERVED CVE-2019-13998 RESERVED CVE-2019-13997 RESERVED CVE-2019-13996 RESERVED CVE-2019-13995 RESERVED CVE-2019-13994 RESERVED CVE-2019-13993 RESERVED CVE-2019-13992 RESERVED CVE-2019-13991 (Embedded systems based on Arduino before Rev3 allow remote attackers t ...) NOT-FOR-US: Issue on embedded systems based on Arduino before Rev3 CVE-2019-13990 (initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracott ...) - libquartz-java 2.3.0-3 (bug #933169) [buster] - libquartz-java (Minor issue) [stretch] - libquartz-java (Minor issue) [jessie] - libquartz-java (Minor issue) - libquartz2-java 2.3.0-3 (bug #933170) [buster] - libquartz2-java (Minor issue) [stretch] - libquartz2-java (Minor issue) NOTE: https://github.com/quartz-scheduler/quartz/issues/467 NOTE: https://github.com/quartz-scheduler/quartz/commit/a1395ba118df306c7fe67c24fb0c9a95a4473140 CVE-2019-13989 (dpic 2019.06.20 has a Stack-based Buffer Overflow in the wfloat() func ...) - dpic (Fixed before initial upload to Debian) NOTE: https://gitlab.com/aplevich/dpic/issues/4 NOTE: https://gitlab.com/aplevich/dpic/commit/aa9fc45e207134cbfefa4b9e7a1b49cf11e9397d CVE-2019-13988 RESERVED CVE-2019-13987 RESERVED CVE-2019-13986 RESERVED CVE-2019-13985 RESERVED CVE-2019-13984 (Directus 7 API before 2.3.0 does not validate uploaded files. Regardle ...) NOT-FOR-US: Directus CVE-2019-13983 (Directus 7 API before 2.2.2 has insufficient anti-automation, as demon ...) NOT-FOR-US: Directus CVE-2019-13982 (interfaces/markdown/input.vue in Directus 7 Application before 7.7.0 d ...) NOT-FOR-US: Directus CVE-2019-13981 (In Directus 7 API through 2.3.0, remote attackers can read image files ...) NOT-FOR-US: Directus CVE-2019-13980 (In Directus 7 API through 2.3.0, uploading of PHP files is blocked onl ...) NOT-FOR-US: Directus CVE-2019-13979 (In Directus 7 API before 2.2.1, uploading of PHP files is not blocked, ...) NOT-FOR-US: Directus CVE-2019-13978 (Ovidentia 8.4.3 has SQL Injection via the id parameter in an index.php ...) NOT-FOR-US: Ovidentia CVE-2019-13977 (index.php in Ovidentia 8.4.3 has XSS via tg=groups, tg=maildoms&id ...) NOT-FOR-US: Ovidentia CVE-2019-13976 (eGain Chat 15.0.3 allows unrestricted file upload. ...) NOT-FOR-US: eGain Chat CVE-2019-13975 (eGain Chat 15.0.3 allows HTML Injection. ...) NOT-FOR-US: eGain Chat CVE-2019-13974 (LayerBB 1.1.3 allows conversations.php/cmd/new CSRF. ...) NOT-FOR-US: LayerBB CVE-2019-13973 (LayerBB 1.1.3 allows admin/general.php arbitrary file upload because t ...) NOT-FOR-US: LayerBB CVE-2019-13972 (LayerBB 1.1.3 allows XSS via the application/commands/new.php pm_title ...) NOT-FOR-US: LayerBB CVE-2019-13971 (OTCMS 3.81 allows XSS via the mode parameter in an apiRun.php?mudi=aut ...) NOT-FOR-US: OTCMS CVE-2019-13970 (In antSword before 2.1.0, self-XSS in the database configuration leads ...) NOT-FOR-US: antSword CVE-2019-13969 (Metinfo 6.x allows SQL Injection via the id parameter in an admin/inde ...) NOT-FOR-US: Metinfo CVE-2019-13968 RESERVED CVE-2019-13967 (iTop 2.2.0 through 2.6.0 allows remote attackers to cause a denial of ...) NOT-FOR-US: iTop (not the same as src:itop) CVE-2019-13966 (In iTop through 2.6.0, an XSS payload can be delivered in certain fiel ...) NOT-FOR-US: iTop (not the same as src:itop) CVE-2019-13965 (Because of a lack of sanitization around error messages, multiple Refl ...) NOT-FOR-US: iTop (not the same as src:itop) CVE-2019-13964 RESERVED CVE-2019-13963 RESERVED CVE-2019-13962 (lavc_CopyPicture in modules/codec/avcodec/video.c in VideoLAN VLC medi ...) {DSA-4504-1} - vlc 3.0.8-1 (low) [jessie] - vlc (https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: http://git.videolan.org/?p=vlc/vlc-3.0.git;a=commit;h=2b4f9d0b0e0861f262c90e9b9b94e7d53b864509 NOTE: https://trac.videolan.org/vlc/ticket/22240 NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-13961 (A CSRF vulnerability was found in flatCore before 1.5, leading to the ...) NOT-FOR-US: flatCore CVE-2019-13960 (** DISPUTED ** In libjpeg-turbo 2.0.2, a large amount of memory can be ...) NOT-FOR-US: Disputed libjpeg issue, issue would be in application using libjpeg CVE-2019-13959 (In Bento4 1.5.1-627, AP4_DataBuffer::SetDataSize does not handle reall ...) NOT-FOR-US: Bento4 CVE-2019-13958 RESERVED CVE-2019-13957 (In Umbraco 7.3.8, there is SQL Injection in the backoffice/PageWApprov ...) NOT-FOR-US: Umbraco CVE-2019-13956 (Discuz!ML 3.2 through 3.4 allows remote attackers to execute arbitrary ...) NOT-FOR-US: Discuz!ML CVE-2019-13955 (Mikrotik RouterOS before 6.44.5 (long-term release tree) is vulnerable ...) NOT-FOR-US: Mikrotik RouterOS CVE-2019-13954 (Mikrotik RouterOS before 6.44.5 (long-term release tree) is vulnerable ...) NOT-FOR-US: Mikrotik RouterOS CVE-2019-13953 (An exploitable authentication bypass vulnerability exists in the Bluet ...) NOT-FOR-US: YI M1 Mirrorless Camera CVE-2019-13952 (The set_ipv6() function in zscan_rfc1035.rl in gdnsd before 2.4.3 and ...) - gdnsd (unimportant; bug #932407) NOTE: https://github.com/gdnsd/gdnsd/issues/185 NOTE: No security impact, data is under administrative control NOTE: Patches: https://github.com/gdnsd/gdnsd/issues/185#issuecomment-513288786 CVE-2019-13951 (The set_ipv4() function in zscan_rfc1035.rl in gdnsd 3.x before 3.2.1 ...) - gdnsd (Vulnerable code not present, introduced in 3.x) NOTE: https://github.com/gdnsd/gdnsd/issues/185 NOTE: No security impact, data is under administrative control NOTE: Introduced in https://github.com/gdnsd/gdnsd/commit/15715fc30d5e41e53d4a16d2434fc5c3190e129b NOTE: Patches: https://github.com/gdnsd/gdnsd/issues/185#issuecomment-513288786 CVE-2019-13950 (index.php?c=admin&a=index in SyGuestBook A5 Version 1.2 has stored ...) NOT-FOR-US: SyGuestBook A5 CVE-2019-13949 (SyGuestBook A5 Version 1.2 has no CSRF protection mechanism, as demons ...) NOT-FOR-US: SyGuestBook A5 CVE-2019-13948 (SyGuestBook A5 Version 1.2 allows stored XSS because the isValidData f ...) NOT-FOR-US: SyGuestBook A5 CVE-2019-13947 (A vulnerability has been identified in SiNVR 3 Central Control Server ...) NOT-FOR-US: Siemens CVE-2019-13946 (A vulnerability has been identified in Development/Evaluation Kits for ...) NOT-FOR-US: Siemens CVE-2019-13945 (A vulnerability has been identified in SIMATIC S7-1200 CPU family (inc ...) NOT-FOR-US: Siemens CVE-2019-13944 (A vulnerability has been identified in EN100 Ethernet module DNP3 vari ...) NOT-FOR-US: Siemens CVE-2019-13943 (A vulnerability has been identified in EN100 Ethernet module DNP3 vari ...) NOT-FOR-US: Siemens CVE-2019-13942 (A vulnerability has been identified in EN100 Ethernet module DNP3 vari ...) NOT-FOR-US: Siemens CVE-2019-13941 (A vulnerability has been identified in OZW672 (All versions < V10.0 ...) NOT-FOR-US: Siemens CVE-2019-13940 (A vulnerability has been identified in SIMATIC S7-1200 CPU family (inc ...) NOT-FOR-US: Siemens CVE-2019-13939 (A vulnerability has been identified in Nucleus NET (All versions), Nuc ...) NOT-FOR-US: Nucleus CVE-2019-13938 RESERVED CVE-2019-13937 RESERVED CVE-2019-13936 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) NOT-FOR-US: Siemens CVE-2019-13935 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) NOT-FOR-US: Siemens CVE-2019-13934 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) NOT-FOR-US: Siemens CVE-2019-13933 (A vulnerability has been identified in SCALANCE X-200RNA switch family ...) NOT-FOR-US: Siemens CVE-2019-13932 (A vulnerability has been identified in XHQ (All versions < V6.0.0.2 ...) NOT-FOR-US: Siemens CVE-2019-13931 (A vulnerability has been identified in XHQ (All versions < V6.0.0.2 ...) NOT-FOR-US: Siemens CVE-2019-13930 (A vulnerability has been identified in XHQ (All versions < V6.0.0.2 ...) NOT-FOR-US: Siemens CVE-2019-13929 (A vulnerability has been identified in SIMATIC IT UADM (All versions & ...) NOT-FOR-US: Siemens CVE-2019-13928 RESERVED CVE-2019-13927 (A vulnerability has been identified in Desigo PX automation controller ...) NOT-FOR-US: Siemens CVE-2019-13926 (A vulnerability has been identified in SCALANCE S602 (All versions > ...) NOT-FOR-US: Siemens CVE-2019-13925 (A vulnerability has been identified in SCALANCE S602 (All versions > ...) NOT-FOR-US: Siemens CVE-2019-13924 (A vulnerability has been identified in SCALANCE X-200 switch family (i ...) NOT-FOR-US: Siemens CVE-2019-13923 (A vulnerability has been identified in IE/WSN-PA Link WirelessHART Gat ...) NOT-FOR-US: Siemens CVE-2019-13922 (A vulnerability has been identified in SINEMA Remote Connect Server (A ...) NOT-FOR-US: Siemens CVE-2019-13921 (A vulnerability has been identified in SIMATIC WinAC RTX (F) 2010 (All ...) NOT-FOR-US: Siemens CVE-2019-13920 (A vulnerability has been identified in SINEMA Remote Connect Server (A ...) NOT-FOR-US: Siemens CVE-2019-13919 (A vulnerability has been identified in SINEMA Remote Connect Server (A ...) NOT-FOR-US: Siemens CVE-2019-13918 (A vulnerability has been identified in SINEMA Remote Connect Server (A ...) NOT-FOR-US: Siemens CVE-2019-13917 (Exim 4.85 through 4.92 (fixed in 4.92.1) allows remote code execution ...) {DSA-4488-1} - exim4 4.92-10 [jessie] - exim4 (Vulnerable code confirmed as introduced in version 4.85) NOTE: https://www.openwall.com/lists/oss-security/2019/07/22/3 NOTE: https://www.exim.org/static/doc/security/CVE-2019-13917.txt NOTE: https://git.exim.org/exim.git/commit/21aa05977abff1eaa69bb97ef99080220915f7c0 CVE-2019-13916 (An issue was discovered in Cypress (formerly Broadcom) WICED Studio 6. ...) NOT-FOR-US: Cypress CVE-2019-13915 (b3log Wide before 1.6.0 allows three types of attacks to access arbitr ...) NOT-FOR-US: b3log Wide CVE-2019-13914 RESERVED CVE-2019-13913 RESERVED CVE-2019-13912 RESERVED CVE-2019-13911 RESERVED CVE-2019-13910 RESERVED CVE-2019-13909 RESERVED CVE-2019-13908 RESERVED CVE-2019-13907 RESERVED CVE-2019-13906 RESERVED CVE-2019-13905 RESERVED CVE-2019-13904 RESERVED CVE-2019-13903 RESERVED CVE-2019-13902 RESERVED CVE-2019-13901 RESERVED CVE-2019-13900 RESERVED CVE-2019-13899 RESERVED CVE-2019-13898 RESERVED CVE-2019-13897 RESERVED CVE-2019-13896 RESERVED CVE-2019-13895 RESERVED CVE-2019-13894 RESERVED CVE-2019-13893 RESERVED CVE-2019-13892 RESERVED CVE-2019-13891 RESERVED CVE-2019-13890 RESERVED CVE-2019-13889 RESERVED CVE-2019-13888 RESERVED CVE-2019-13887 RESERVED CVE-2019-13886 RESERVED CVE-2019-13885 RESERVED CVE-2019-13884 RESERVED CVE-2019-13883 RESERVED CVE-2019-13882 RESERVED CVE-2019-13881 RESERVED CVE-2019-13880 RESERVED CVE-2019-13879 RESERVED CVE-2019-13878 RESERVED CVE-2019-13877 RESERVED CVE-2019-13876 RESERVED CVE-2019-13875 RESERVED CVE-2019-13874 RESERVED CVE-2019-13873 RESERVED CVE-2019-13872 RESERVED CVE-2019-13871 RESERVED CVE-2019-13870 RESERVED CVE-2019-13869 RESERVED CVE-2019-13868 RESERVED CVE-2019-13867 RESERVED CVE-2019-13866 RESERVED CVE-2019-13865 RESERVED CVE-2019-13864 RESERVED CVE-2019-13863 RESERVED CVE-2019-13862 RESERVED CVE-2019-13861 RESERVED CVE-2019-13860 RESERVED CVE-2019-13859 RESERVED CVE-2019-13858 RESERVED CVE-2019-13857 RESERVED CVE-2019-13856 RESERVED CVE-2019-13855 RESERVED CVE-2019-13854 RESERVED CVE-2019-13853 RESERVED CVE-2019-13852 RESERVED CVE-2019-13851 RESERVED CVE-2019-13850 RESERVED CVE-2019-13849 RESERVED CVE-2019-13848 RESERVED CVE-2019-13847 RESERVED CVE-2019-13846 RESERVED CVE-2019-13845 RESERVED CVE-2019-13844 RESERVED CVE-2019-13843 RESERVED CVE-2019-13842 RESERVED CVE-2019-13841 RESERVED CVE-2019-13840 RESERVED CVE-2019-13839 RESERVED CVE-2019-13838 RESERVED CVE-2019-13837 RESERVED CVE-2019-13836 RESERVED CVE-2019-13835 RESERVED CVE-2019-13834 RESERVED CVE-2019-13833 RESERVED CVE-2019-13832 RESERVED CVE-2019-13831 RESERVED CVE-2019-13830 RESERVED CVE-2019-13829 RESERVED CVE-2019-13828 RESERVED CVE-2019-13827 RESERVED CVE-2019-13826 RESERVED CVE-2019-13825 RESERVED CVE-2019-13824 RESERVED CVE-2019-13823 RESERVED CVE-2019-13822 RESERVED CVE-2019-13821 RESERVED CVE-2019-13820 RESERVED CVE-2019-13819 RESERVED CVE-2019-13818 RESERVED CVE-2019-13817 RESERVED CVE-2019-13816 RESERVED CVE-2019-13815 RESERVED CVE-2019-13814 RESERVED CVE-2019-13813 RESERVED CVE-2019-13812 RESERVED CVE-2019-13811 RESERVED CVE-2019-13810 RESERVED CVE-2019-13809 RESERVED CVE-2019-13808 RESERVED CVE-2019-13807 RESERVED CVE-2019-13806 RESERVED CVE-2019-13805 RESERVED CVE-2019-13804 RESERVED CVE-2019-13803 RESERVED CVE-2019-13802 RESERVED CVE-2019-13801 RESERVED CVE-2019-13800 RESERVED CVE-2019-13799 RESERVED CVE-2019-13798 RESERVED CVE-2019-13797 RESERVED CVE-2019-13796 RESERVED CVE-2019-13795 RESERVED CVE-2019-13794 RESERVED CVE-2019-13793 RESERVED CVE-2019-13792 RESERVED CVE-2019-13791 RESERVED CVE-2019-13790 RESERVED CVE-2019-13789 RESERVED CVE-2019-13788 RESERVED CVE-2019-13787 RESERVED CVE-2019-13786 RESERVED CVE-2019-13785 RESERVED CVE-2019-13784 RESERVED CVE-2019-13783 RESERVED CVE-2019-13782 RESERVED CVE-2019-13781 RESERVED CVE-2019-13780 RESERVED CVE-2019-13779 RESERVED CVE-2019-13778 RESERVED CVE-2019-13777 RESERVED CVE-2019-13776 RESERVED CVE-2019-13775 RESERVED CVE-2019-13774 RESERVED CVE-2019-13773 RESERVED CVE-2019-13772 RESERVED CVE-2019-13771 RESERVED CVE-2019-13770 RESERVED CVE-2019-13769 RESERVED CVE-2019-13768 RESERVED CVE-2019-13767 (Use after free in media picker in Google Chrome prior to 79.0.3945.88 ...) {DSA-4606-1} - chromium 79.0.3945.130-1 [stretch] - chromium (see DSA 4562) CVE-2019-13766 (Use-after-free in accessibility in Google Chrome prior to 77.0.3865.75 ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13765 (Use-after-free in content delivery manager in Google Chrome prior to 7 ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13764 (Type confusion in JavaScript in Google Chrome prior to 79.0.3945.79 al ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13763 (Insufficient policy enforcement in payments in Google Chrome prior to ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13762 (Insufficient policy enforcement in downloads in Google Chrome on Windo ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13761 (Incorrect security UI in Omnibox in Google Chrome prior to 79.0.3945.7 ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13760 RESERVED CVE-2019-13759 (Incorrect security UI in interstitials in Google Chrome prior to 79.0. ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13758 (Insufficient policy enforcement in navigation in Google Chrome on Andr ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13757 (Incorrect security UI in Omnibox in Google Chrome prior to 79.0.3945.7 ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13756 (Incorrect security UI in printing in Google Chrome prior to 79.0.3945. ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13755 (Insufficient policy enforcement in extensions in Google Chrome prior t ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13754 (Insufficient policy enforcement in extensions in Google Chrome prior t ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13753 (Out of bounds read in SQLite in Google Chrome prior to 79.0.3945.79 al ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13752 (Out of bounds read in SQLite in Google Chrome prior to 79.0.3945.79 al ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13751 (Uninitialized data in SQLite in Google Chrome prior to 79.0.3945.79 al ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13750 (Insufficient data validation in SQLite in Google Chrome prior to 79.0. ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13749 (Incorrect security UI in Omnibox in Google Chrome on iOS prior to 79.0 ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13748 (Insufficient policy enforcement in developer tools in Google Chrome pr ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13747 (Uninitialized data in rendering in Google Chrome on Android prior to 7 ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13746 (Insufficient policy enforcement in Omnibox in Google Chrome prior to 7 ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13745 (Insufficient policy enforcement in audio in Google Chrome prior to 79. ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13744 (Insufficient policy enforcement in cookies in Google Chrome prior to 7 ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13743 (Incorrect security UI in external protocol handling in Google Chrome p ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13742 (Incorrect security UI in Omnibox in Google Chrome on iOS prior to 79.0 ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13741 (Insufficient validation of untrusted input in Blink in Google Chrome p ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13740 (Incorrect security UI in sharing in Google Chrome prior to 79.0.3945.7 ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13739 (Insufficient policy enforcement in Omnibox in Google Chrome prior to 7 ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13738 (Insufficient policy enforcement in navigation in Google Chrome prior t ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13737 (Insufficient policy enforcement in autocomplete in Google Chrome prior ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13736 (Integer overflow in PDFium in Google Chrome prior to 79.0.3945.79 allo ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13735 (Out of bounds write in JavaScript in Google Chrome prior to 79.0.3945. ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13734 (Out of bounds write in SQLite in Google Chrome prior to 79.0.3945.79 a ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13733 RESERVED CVE-2019-13732 (Use-after-free in WebAudio in Google Chrome prior to 79.0.3945.79 allo ...) {DSA-4606-1} - chromium 79.0.3945.79-1 CVE-2019-13731 RESERVED CVE-2019-13730 (Type confusion in JavaScript in Google Chrome prior to 79.0.3945.79 al ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13729 (Use-after-free in WebSockets in Google Chrome prior to 79.0.3945.79 al ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13728 (Out of bounds write in JavaScript in Google Chrome prior to 79.0.3945. ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13727 (Insufficient policy enforcement in WebSockets in Google Chrome prior t ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13726 (Buffer overflow in password manager in Google Chrome prior to 79.0.394 ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13725 (Use-after-free in Bluetooth in Google Chrome prior to 79.0.3945.79 all ...) {DSA-4606-1} - chromium 79.0.3945.79-1 [stretch] - chromium (see DSA 4562) CVE-2019-13724 (Out of bounds memory access in WebBluetooth in Google Chrome prior to ...) {DSA-4575-1} - chromium 78.0.3904.108-1 [stretch] - chromium (see DSA 4562) CVE-2019-13723 (Use after free in WebBluetooth in Google Chrome prior to 78.0.3904.108 ...) {DSA-4575-1} - chromium 78.0.3904.108-1 [stretch] - chromium (see DSA 4562) CVE-2019-13722 (Inappropriate implementation in WebRTC in Google Chrome prior to 79.0. ...) - firefox (Windows-specific) - firefox-esr (Windows-specific) - thunderbird (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-13722 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-37/#CVE-2019-13722 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-38/#CVE-2019-13722 CVE-2019-13721 (Use after free in PDFium in Google Chrome prior to 78.0.3904.87 allowe ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13720 (Use after free in WebAudio in Google Chrome prior to 78.0.3904.87 allo ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13719 (Incorrect security UI in full screen mode in Google Chrome prior to 78 ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13718 (Insufficient data validation in Omnibox in Google Chrome prior to 78.0 ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13717 (Incorrect security UI in full screen mode in Google Chrome prior to 78 ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13716 (Insufficient policy enforcement in service workers in Google Chrome pr ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13715 (Insufficient validation of untrusted input in Omnibox in Google Chrome ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13714 (Insufficient validation of untrusted input in Color Enhancer extension ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13713 (Insufficient policy enforcement in JavaScript in Google Chrome prior t ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13712 RESERVED CVE-2019-13711 (Insufficient policy enforcement in JavaScript in Google Chrome prior t ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13710 (Insufficient validation of untrusted input in downloads in Google Chro ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13709 (Insufficient policy enforcement in downloads in Google Chrome prior to ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13708 (Inappropriate implementation in navigation in Google Chrome on iOS pri ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13707 (Insufficient validation of untrusted input in intents in Google Chrome ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13706 (Out of bounds memory access in PDFium in Google Chrome prior to 78.0.3 ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13705 (Insufficient policy enforcement in extensions in Google Chrome prior t ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13704 (Insufficient policy enforcement in navigation in Google Chrome prior t ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13703 (Insufficient policy enforcement in the Omnibox in Google Chrome on And ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13702 (Inappropriate implementation in installer in Google Chrome on Windows ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13701 (Incorrect implementation in navigation in Google Chrome prior to 78.0. ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13700 (Out of bounds memory access in the gamepad API in Google Chrome prior ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13699 (Use after free in media in Google Chrome prior to 78.0.3904.70 allowed ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13698 (Out of bounds memory access in JavaScript in Google Chrome prior to 73 ...) {DSA-4500-1} - chromium 74.0.3729.108-1 [stretch] - chromium (see DSA 4562) CVE-2019-13697 (Insufficient policy enforcement in performance APIs in Google Chrome p ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13696 (Use after free in JavaScript in Google Chrome prior to 77.0.3865.120 a ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13695 (Use after free in audio in Google Chrome on Android prior to 77.0.3865 ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13694 (Use after free in WebRTC in Google Chrome prior to 77.0.3865.120 allow ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13693 (Use after free in IndexedDB in Google Chrome prior to 77.0.3865.120 al ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13692 (Insufficient policy enforcement in reader mode in Google Chrome prior ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13691 (Insufficient validation of untrusted input in navigation in Google Chr ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13690 RESERVED CVE-2019-13689 RESERVED CVE-2019-13688 (Use after free in Blink in Google Chrome prior to 77.0.3865.90 allowed ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13687 (Use after free in Blink in Google Chrome prior to 77.0.3865.90 allowed ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13686 (Use after free in offline mode in Google Chrome prior to 77.0.3865.90 ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13685 (Use after free in sharing view in Google Chrome prior to 77.0.3865.90 ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13684 (Inappropriate implementation in JavaScript in Google Chrome prior to 7 ...) {DSA-4395-1} - chromium 72.0.3626.81-1 [stretch] - chromium (see DSA 4562) CVE-2019-13683 (Insufficient policy enforcement in developer tools in Google Chrome pr ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13682 (Insufficient policy enforcement in external protocol handling in Googl ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13681 (Insufficient data validation in downloads in Google Chrome prior to 77 ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13680 (Inappropriate implementation in TLS in Google Chrome prior to 77.0.386 ...) {DSA-4562-1} - chromium 78.0.3904.87-1 CVE-2019-13679 (Insufficient policy enforcement in PDFium in Google Chrome prior to 77 ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13678 (Incorrect data validation in downloads in Google Chrome prior to 77.0. ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13677 (Insufficient policy enforcement in site isolation in Google Chrome pri ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13676 (Insufficient policy enforcement in Chromium in Google Chrome prior to ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13675 (Insufficient data validation in extensions in Google Chrome prior to 7 ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13674 (IDN spoofing in Omnibox in Google Chrome prior to 77.0.3865.75 allowed ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13673 (Insufficient data validation in developer tools in Google Chrome prior ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13672 (Incorrect security UI in Omnibox in Google Chrome prior to 77.0.3865.7 ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13671 (UI spoofing in Blink in Google Chrome prior to 77.0.3865.75 allowed a ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13670 (Insufficient data validation in JavaScript in Google Chrome prior to 7 ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13669 (Incorrect data validation in navigation in Google Chrome prior to 77.0 ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13668 (Insufficient policy enforcement in developer tools in Google Chrome pr ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13667 (Inappropriate implementation in Omnibox in Google Chrome on iOS prior ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13666 (Information leak in storage in Google Chrome prior to 77.0.3865.75 all ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13665 (Insufficient filtering in Blink in Google Chrome prior to 77.0.3865.75 ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13664 (Insufficient policy enforcement in Blink in Google Chrome prior to 77. ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13663 (IDN spoofing in Omnibox in Google Chrome prior to 77.0.3865.75 allowed ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13662 (Insufficient policy enforcement in navigations in Google Chrome prior ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13661 (UI spoofing in Chromium in Google Chrome prior to 77.0.3865.75 allowed ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13660 (UI spoofing in Chromium in Google Chrome prior to 77.0.3865.75 allowed ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13659 (IDN spoofing in Omnibox in Google Chrome prior to 77.0.3865.75 allowed ...) {DSA-4562-1} - chromium 78.0.3904.87-1 [stretch] - chromium (see DSA 4562) CVE-2019-13658 (CA Network Flow Analysis 9.x and 10.0.x have a default credential vuln ...) NOT-FOR-US: CA Network Flow Analysis CVE-2019-13657 (CA Performance Management 3.5.x, 3.6.x before 3.6.9, and 3.7.x before ...) NOT-FOR-US: CA Performance Management CVE-2019-13656 (An access vulnerability in CA Common Services DIA of CA Technologies C ...) NOT-FOR-US: CA Technologies Client Automation CVE-2019-13655 (Imgix through 2019-06-19 allows remote attackers to cause a denial of ...) NOT-FOR-US: Imgix CVE-2019-13654 RESERVED CVE-2019-13653 (TP-Link M7350 devices through 1.0.16 Build 181220 Rel.1116n allow trig ...) NOT-FOR-US: TP-Link CVE-2019-13652 (TP-Link M7350 devices through 1.0.16 Build 181220 Rel.1116n allow serv ...) NOT-FOR-US: TP-Link CVE-2019-13651 (TP-Link M7350 devices through 1.0.16 Build 181220 Rel.1116n allow port ...) NOT-FOR-US: TP-Link CVE-2019-13650 (TP-Link M7350 devices through 1.0.16 Build 181220 Rel.1116n allow inte ...) NOT-FOR-US: TP-Link CVE-2019-13649 (TP-Link M7350 devices through 1.0.16 Build 181220 Rel.1116n allow exte ...) NOT-FOR-US: TP-Link CVE-2019-13648 (In the Linux kernel through 5.2.1 on the powerpc platform, when hardwa ...) {DSA-4497-1 DSA-4495-1 DLA-1885-1} - linux 5.2.6-1 NOTE: https://patchwork.ozlabs.org/patch/1133904/ CVE-2018-20856 (An issue was discovered in the Linux kernel before 4.18.7. In block/bl ...) {DSA-4497-1 DLA-1885-1} - linux 4.18.8-1 [jessie] - linux (Vulnerability introduced later) NOTE: Fixed by: https://git.kernel.org/linus/54648cf1ec2d7f4b6a71767799c45676a138ca24 CVE-2018-20855 (An issue was discovered in the Linux kernel before 4.18.7. In create_q ...) - linux 4.18.8-1 [stretch] - linux (Vulnerability introduced later) [jessie] - linux (Vulnerability introduced later) NOTE: Fixed by: https://git.kernel.org/linus/0625b4ba1a5d4703c7fb01c497bd6c156908af00 CVE-2018-20854 (An issue was discovered in the Linux kernel before 4.20. drivers/phy/m ...) - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/6acb47d1a318e5b3b7115354ebc4ea060c59d3a1 CVE-2018-20853 (An issue was discovered in the MailPoet Newsletters (aka wysija-newsle ...) NOT-FOR-US: MailPoet Newsletters (aka wysija- newsletters) plugin for WordPress CVE-2016-10763 (The CampTix Event Ticketing plugin before 1.5 for WordPress allows XSS ...) NOT-FOR-US: CampTix Event Ticketing plugin for WordPress CVE-2016-10762 (The CampTix Event Ticketing plugin before 1.5 for WordPress allows CSV ...) NOT-FOR-US: CampTix Event Ticketing plugin for WordPress CVE-2019-13647 (Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of ...) NOT-FOR-US: Firefly CVE-2019-13646 (Firefly III before 4.7.17.3 is vulnerable to reflected XSS due to lack ...) NOT-FOR-US: Firefly CVE-2019-13645 (Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of ...) NOT-FOR-US: Firefly CVE-2019-13644 (Firefly III before 4.7.17.1 is vulnerable to stored XSS due to lack of ...) NOT-FOR-US: Firefly CVE-2019-13643 (Stored XSS in EspoCRM before 5.6.4 allows remote attackers to execute ...) NOT-FOR-US: EspoCRM CVE-2019-13642 RESERVED CVE-2019-13641 RESERVED CVE-2019-13640 (In qBittorrent before 4.1.7, the function Application::runExternalProg ...) {DSA-4650-1} - qbittorrent 4.1.7-1 (bug #932539) [jessie] - qbittorrent (Vulnerable code not present in 3.1.x series) NOTE: https://github.com/qbittorrent/qBittorrent/issues/10925 CVE-2019-13639 RESERVED CVE-2019-13638 (GNU patch through 2.7.6 is vulnerable to OS shell command injection th ...) {DSA-4489-1 DLA-1864-1} - patch 2.7.6-5 NOTE: https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0 CVE-2019-13637 (In LogMeIn join.me before 3.16.0.5505, an attacker could execute arbit ...) NOT-FOR-US: LogMeIn join.me CVE-2019-13636 (In GNU patch through 2.7.6, the following of symlinks is mishandled in ...) {DSA-4489-1 DLA-1856-1} - patch 2.7.6-5 (bug #932401) NOTE: https://git.savannah.gnu.org/cgit/patch.git/commit/?id=dce4683cbbe107a95f1f0d45fabc304acfb5d71a CVE-2019-13635 (The WP Fastest Cache plugin through 0.8.9.5 for WordPress allows wpFas ...) NOT-FOR-US: WP Fastest Cache plugin for WordPress CVE-2019-13634 RESERVED CVE-2019-13633 RESERVED CVE-2019-13632 RESERVED CVE-2019-13631 (In parse_hid_report_descriptor in drivers/input/tablet/gtco.c in the L ...) {DSA-4497-1 DSA-4495-1 DLA-1885-1 DLA-1884-1} - linux 5.2.6-1 NOTE: https://patchwork.kernel.org/patch/11040813/ CVE-2019-13630 RESERVED CVE-2019-13629 (MatrixSSL 4.2.1 and earlier contains a timing side channel in ECDSA si ...) - matrixssl CVE-2019-13628 (wolfSSL and wolfCrypt 4.0.0 and earlier (when configured without --ena ...) - wolfssl 4.1.0+dfsg-1 NOTE: https://github.com/wolfSSL/wolfssl/pull/2353 CVE-2019-13627 (It was discovered that there was a ECDSA timing attack in the libgcryp ...) {DLA-1931-2 DLA-1931-1} - libgcrypt20 1.8.5-1 (bug #938938) [buster] - libgcrypt20 (Minor issue) [stretch] - libgcrypt20 (Minor issue) - libgcrypt11 NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=b9577f7c89b4327edc09f2231bc8b31521102c79 (master) NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=7c2943309d14407b51c8166c4dcecb56a3628567 (master) NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=d5407b78cca9f9d318a4f4d2f6ba2b8388584cd9 (1.8.5) NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=db4e9976cc31b314aafad6626b2894e86ee44d60 (1.8.5) CVE-2019-13626 (SDL (Simple DirectMedia Layer) 2.x through 2.0.9 has a heap-based buff ...) - libsdl2 2.0.10+dfsg1-1 [buster] - libsdl2 (Minor issue) [stretch] - libsdl2 (Minor issue) [jessie] - libsdl2 (Minor issue) - libsdl1.2 (Vulnerable code added later) NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4522 NOTE: 24-bit PCM WAVE introduced in SDL 2.0 CVE-2019-13625 (NSA Ghidra before 9.0.1 allows XXE when a project is opened or restore ...) - ghidra (bug #923851) CVE-2019-13624 (In ONOS 1.15.0, apps/yang/web/src/main/java/org/onosproject/yang/web/Y ...) NOT-FOR-US: ONOS CVE-2019-13623 (In NSA Ghidra before 9.1, path traversal can occur in RestoreTask.java ...) - ghidra (bug #923851) CVE-2019-13622 RESERVED CVE-2019-13621 RESERVED CVE-2019-13620 RESERVED CVE-2019-13619 (In Wireshark 3.0.0 to 3.0.2, 2.6.0 to 2.6.9, and 2.4.0 to 2.4.15, the ...) - wireshark 2.6.10-1 (low) [buster] - wireshark (Can be fixed along in next 2.6.x release) [stretch] - wireshark (Can be fixed along in next 2.6.x release) [jessie] - wireshark (vulnerable code not present, binary encoding not yet supported) NOTE: https://www.wireshark.org/security/wnpa-sec-2019-20.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15870 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=7e90aed666e809c0db5de9d1816802a7dcea28d9 CVE-2019-13618 (In GPAC before 0.8.0, isomedia/isom_read.c in libgpac.a has a heap-bas ...) {DLA-2072-1} - gpac (low; bug #932242) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/1250 NOTE: https://github.com/gpac/gpac/commit/c23d54ed15a70b4543e3191e6ead5097cda0878b CVE-2019-13617 (njs through 0.3.3, used in NGINX, has a heap-based buffer over-read in ...) NOT-FOR-US: njs CVE-2019-13616 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...) - libsdl2 2.0.10+dfsg1-1 [buster] - libsdl2 (Minor issue) [stretch] - libsdl2 (Minor issue) [jessie] - libsdl2 (can be fixed along with more important patches) - libsdl1.2 1.2.15+dfsg2-5 [buster] - libsdl1.2 (Minor issue) [stretch] - libsdl1.2 (Minor issue) [jessie] - libsdl1.2 (can be fixed along with more important patches) - libsdl2-image 2.0.5+dfsg1-2 (bug #940934) [buster] - libsdl2-image (Minor issue) [stretch] - libsdl2-image (Minor issue) [jessie] - libsdl2-image (can be fixed along with more important patches) - sdl-image1.2 1.2.12-12 [buster] - sdl-image1.2 (Minor issue) [stretch] - sdl-image1.2 (Minor issue) [jessie] - sdl-image1.2 (can be fixed along with more important patches) NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4538 NOTE: libsdl2: https://hg.libsdl.org/SDL/rev/e7ba650a643a NOTE: libsdl1.2: https://hg.libsdl.org/SDL/rev/ad1bbfbca760 NOTE: libsdl2-image: https://hg.libsdl.org/SDL_image/rev/ba45f00879ba NOTE: sdl-image1.2: https://hg.libsdl.org/SDL_image/rev/a59bfe382008 CVE-2019-13615 (libebml before 1.3.6, as used in the MKV module in VideoLAN VLC Media ...) - libebml 1.3.6-1 (low; bug #932241) [stretch] - libebml 1.3.4-1+deb9u1 [jessie] - libebml (Minor issue) NOTE: https://trac.videolan.org/vlc/ticket/22474 NOTE: Issue was originally reported to vlc project, but the underlying issue is NOTE: found in the libebml library NOTE: https://github.com/Matroska-Org/libebml/commit/05beb69ba60acce09f73ed491bb76f332849c3a0 NOTE: https://github.com/Matroska-Org/libebml/commit/ff0dc3cc21494578ce731f5d7dcde5fdec23d40f NOTE: https://github.com/Matroska-Org/libebml/commit/b66ca475be967547af9a3784e720fbbacd381be6 NOTE: https://github.com/Matroska-Org/libebml/commit/534dfdb995edc18e528de8ce9fa20b3df88426ae CVE-2019-13614 (CMD_SET_CONFIG_COUNTRY in the TP-Link Device Debug protocol in TP-Link ...) NOT-FOR-US: TP-Link CVE-2019-13613 (CMD_FTEST_CONFIG in the TP-Link Device Debug protocol in TP-Link Wirel ...) NOT-FOR-US: TP-Link CVE-2019-13612 (MDaemon Email Server 19 skips SpamAssassin checks by default for e-mai ...) NOT-FOR-US: MDaemon Email Server CVE-2019-13611 (An issue was discovered in python-engineio through 3.8.2. There is a C ...) - python-engineio 3.11.1-1 (bug #932538) [buster] - python-engineio (Minor issue) NOTE: https://github.com/miguelgrinberg/python-engineio/issues/128 NOTE: https://github.com/miguelgrinberg/python-engineio/security/advisories/GHSA-j3jp-gvr5-7hwq CVE-2019-13610 RESERVED CVE-2019-13609 RESERVED CVE-2019-13608 (Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000) ...) NOT-FOR-US: Citrix StoreFront Server CVE-2014-1200 RESERVED CVE-2014-1199 RESERVED CVE-2014-1198 RESERVED CVE-2014-1197 RESERVED CVE-2014-1196 RESERVED CVE-2014-1195 RESERVED CVE-2014-1194 RESERVED CVE-2014-1193 RESERVED CVE-2014-1192 RESERVED CVE-2014-1191 RESERVED CVE-2014-1190 RESERVED CVE-2014-1189 RESERVED CVE-2014-1188 RESERVED CVE-2014-1187 RESERVED CVE-2014-1186 RESERVED CVE-2014-1185 RESERVED CVE-2014-1184 RESERVED CVE-2014-1183 RESERVED CVE-2014-1182 RESERVED CVE-2014-1181 RESERVED CVE-2014-1180 RESERVED CVE-2014-1179 RESERVED CVE-2014-1178 RESERVED CVE-2014-1177 RESERVED CVE-2014-1176 RESERVED CVE-2014-1175 RESERVED CVE-2014-1174 RESERVED CVE-2014-1173 RESERVED CVE-2014-1172 RESERVED CVE-2014-1171 RESERVED CVE-2014-1170 RESERVED CVE-2014-1169 RESERVED CVE-2014-1168 RESERVED CVE-2014-1167 RESERVED CVE-2014-1166 RESERVED CVE-2014-1165 RESERVED CVE-2014-1164 RESERVED CVE-2014-1163 RESERVED CVE-2014-1162 RESERVED CVE-2014-1161 RESERVED CVE-2014-1160 RESERVED CVE-2014-1159 RESERVED CVE-2014-1158 RESERVED CVE-2014-1157 RESERVED CVE-2014-1156 RESERVED CVE-2014-1154 RESERVED CVE-2014-1153 RESERVED CVE-2014-1152 RESERVED CVE-2014-1151 RESERVED CVE-2014-1150 RESERVED CVE-2014-1149 RESERVED CVE-2014-1148 RESERVED CVE-2014-1147 RESERVED CVE-2014-1146 RESERVED CVE-2014-1145 RESERVED CVE-2014-1144 RESERVED CVE-2014-1143 RESERVED CVE-2014-1142 RESERVED CVE-2014-1141 RESERVED CVE-2014-1140 RESERVED CVE-2014-1139 RESERVED CVE-2014-1138 RESERVED CVE-2014-1136 RESERVED CVE-2014-1135 RESERVED CVE-2014-1134 RESERVED CVE-2014-1133 RESERVED CVE-2014-1132 RESERVED CVE-2014-1131 RESERVED CVE-2014-1130 RESERVED CVE-2014-1129 RESERVED CVE-2014-1128 RESERVED CVE-2014-1127 RESERVED CVE-2014-1126 RESERVED CVE-2014-1125 RESERVED CVE-2014-1124 RESERVED CVE-2014-1123 RESERVED CVE-2014-1122 RESERVED CVE-2014-1121 RESERVED CVE-2014-1120 RESERVED CVE-2014-1119 RESERVED CVE-2014-1118 RESERVED CVE-2014-1117 RESERVED CVE-2014-1116 RESERVED CVE-2014-1115 RESERVED CVE-2014-1114 RESERVED CVE-2014-1113 RESERVED CVE-2014-1112 RESERVED CVE-2014-1111 RESERVED CVE-2014-1110 RESERVED CVE-2014-1109 RESERVED CVE-2014-1108 RESERVED CVE-2014-1107 RESERVED CVE-2014-1106 RESERVED CVE-2014-1105 RESERVED CVE-2014-1104 RESERVED CVE-2014-1103 RESERVED CVE-2014-1102 RESERVED CVE-2014-1101 RESERVED CVE-2014-1100 RESERVED CVE-2014-1099 RESERVED CVE-2014-1098 RESERVED CVE-2014-1097 RESERVED CVE-2014-1096 RESERVED CVE-2014-1095 RESERVED CVE-2014-1094 RESERVED CVE-2014-1093 RESERVED CVE-2014-1092 RESERVED CVE-2014-1091 RESERVED CVE-2014-1090 RESERVED CVE-2014-1089 RESERVED CVE-2014-1088 RESERVED CVE-2014-1087 RESERVED CVE-2014-1086 RESERVED CVE-2014-1085 RESERVED CVE-2014-1084 RESERVED CVE-2014-1083 RESERVED CVE-2014-1082 RESERVED CVE-2014-1081 RESERVED CVE-2014-1080 RESERVED CVE-2014-1079 RESERVED CVE-2014-1078 RESERVED CVE-2014-1077 RESERVED CVE-2014-1076 RESERVED CVE-2014-1075 RESERVED CVE-2014-1074 RESERVED CVE-2014-1073 RESERVED CVE-2014-1072 RESERVED CVE-2014-1071 RESERVED CVE-2014-1070 RESERVED CVE-2014-1069 RESERVED CVE-2014-1068 RESERVED CVE-2014-1067 RESERVED CVE-2014-1066 RESERVED CVE-2014-1065 RESERVED CVE-2014-1064 RESERVED CVE-2014-1063 RESERVED CVE-2014-1062 RESERVED CVE-2014-1061 RESERVED CVE-2014-1060 RESERVED CVE-2014-1059 RESERVED CVE-2014-1058 RESERVED CVE-2014-1057 RESERVED CVE-2014-1056 RESERVED CVE-2014-1055 RESERVED CVE-2014-1054 RESERVED CVE-2014-1053 RESERVED CVE-2014-1052 RESERVED CVE-2014-1051 RESERVED CVE-2014-1050 RESERVED CVE-2014-1049 RESERVED CVE-2014-1048 RESERVED CVE-2014-1047 RESERVED CVE-2014-1046 RESERVED CVE-2014-1045 RESERVED CVE-2014-1044 RESERVED CVE-2014-1043 RESERVED CVE-2014-1042 RESERVED CVE-2014-1041 RESERVED CVE-2014-1040 RESERVED CVE-2014-1039 RESERVED CVE-2014-1038 RESERVED CVE-2014-10374 (On Fitbit activity-tracker devices, certain addresses never change. Ac ...) NOT-FOR-US: Fitbit activity-tracker devices CVE-2014-10373 RESERVED CVE-2014-10372 RESERVED CVE-2014-10371 RESERVED CVE-2014-10370 RESERVED CVE-2014-1037 RESERVED CVE-2014-10369 RESERVED CVE-2014-10368 RESERVED CVE-2014-10367 RESERVED CVE-2014-10366 RESERVED CVE-2014-10365 RESERVED CVE-2014-10364 RESERVED CVE-2014-10363 RESERVED CVE-2014-10362 RESERVED CVE-2014-10361 RESERVED CVE-2014-10360 RESERVED CVE-2014-1036 RESERVED CVE-2014-10359 RESERVED CVE-2014-10358 RESERVED CVE-2014-10357 RESERVED CVE-2014-10356 RESERVED CVE-2014-10355 RESERVED CVE-2014-10354 RESERVED CVE-2014-10353 RESERVED CVE-2014-10352 RESERVED CVE-2014-10351 RESERVED CVE-2014-10350 RESERVED CVE-2014-1035 RESERVED CVE-2014-10349 RESERVED CVE-2014-10348 RESERVED CVE-2014-10347 RESERVED CVE-2014-10346 RESERVED CVE-2014-10345 RESERVED CVE-2014-10344 RESERVED CVE-2014-10343 RESERVED CVE-2014-10342 RESERVED CVE-2014-10341 RESERVED CVE-2014-10340 RESERVED CVE-2014-1034 RESERVED CVE-2014-10339 RESERVED CVE-2014-10338 RESERVED CVE-2014-10337 RESERVED CVE-2014-10336 RESERVED CVE-2014-10335 RESERVED CVE-2014-10334 RESERVED CVE-2014-10333 RESERVED CVE-2014-10332 RESERVED CVE-2014-10331 RESERVED CVE-2014-10330 RESERVED CVE-2014-1033 RESERVED CVE-2014-10329 RESERVED CVE-2014-10328 RESERVED CVE-2014-10327 RESERVED CVE-2014-10326 RESERVED CVE-2014-10325 RESERVED CVE-2014-10324 RESERVED CVE-2014-10323 RESERVED CVE-2014-10322 RESERVED CVE-2014-10321 RESERVED CVE-2014-10320 RESERVED CVE-2014-1032 RESERVED CVE-2014-10319 RESERVED CVE-2014-10318 RESERVED CVE-2014-10317 RESERVED CVE-2014-10316 RESERVED CVE-2014-10315 RESERVED CVE-2014-10314 RESERVED CVE-2014-10313 RESERVED CVE-2014-10312 RESERVED CVE-2014-10311 RESERVED CVE-2014-10310 RESERVED CVE-2014-1031 RESERVED CVE-2014-10309 RESERVED CVE-2014-10308 RESERVED CVE-2014-10307 RESERVED CVE-2014-10306 RESERVED CVE-2014-10305 RESERVED CVE-2014-10304 RESERVED CVE-2014-10303 RESERVED CVE-2014-10302 RESERVED CVE-2014-10301 RESERVED CVE-2014-10300 RESERVED CVE-2014-1030 RESERVED CVE-2014-10299 RESERVED CVE-2014-10298 RESERVED CVE-2014-10297 RESERVED CVE-2014-10296 RESERVED CVE-2014-10295 RESERVED CVE-2014-10294 RESERVED CVE-2014-10293 RESERVED CVE-2014-10292 RESERVED CVE-2014-10291 RESERVED CVE-2014-10290 RESERVED CVE-2014-1029 RESERVED CVE-2014-10289 RESERVED CVE-2014-10288 RESERVED CVE-2014-10287 RESERVED CVE-2014-10286 RESERVED CVE-2014-10285 RESERVED CVE-2014-10284 RESERVED CVE-2014-10283 RESERVED CVE-2014-10282 RESERVED CVE-2014-10281 RESERVED CVE-2014-10280 RESERVED CVE-2014-1028 RESERVED CVE-2014-10279 RESERVED CVE-2014-10278 RESERVED CVE-2014-10277 RESERVED CVE-2014-10276 RESERVED CVE-2014-10275 RESERVED CVE-2014-10274 RESERVED CVE-2014-10273 RESERVED CVE-2014-10272 RESERVED CVE-2014-10271 RESERVED CVE-2014-10270 RESERVED CVE-2014-1027 RESERVED CVE-2014-10269 RESERVED CVE-2014-10268 RESERVED CVE-2014-10267 RESERVED CVE-2014-10266 RESERVED CVE-2014-10265 RESERVED CVE-2014-10264 RESERVED CVE-2014-10263 RESERVED CVE-2014-10262 RESERVED CVE-2014-10261 RESERVED CVE-2014-10260 RESERVED CVE-2014-1026 RESERVED CVE-2014-10259 RESERVED CVE-2014-10258 RESERVED CVE-2014-10257 RESERVED CVE-2014-10256 RESERVED CVE-2014-10255 RESERVED CVE-2014-10254 RESERVED CVE-2014-10253 RESERVED CVE-2014-10252 RESERVED CVE-2014-10251 RESERVED CVE-2014-10250 RESERVED CVE-2014-1025 RESERVED CVE-2014-10249 RESERVED CVE-2014-10248 RESERVED CVE-2014-10247 RESERVED CVE-2014-10246 RESERVED CVE-2014-10245 RESERVED CVE-2014-10244 RESERVED CVE-2014-10243 RESERVED CVE-2014-10242 RESERVED CVE-2014-10241 RESERVED CVE-2014-10240 RESERVED CVE-2014-1024 RESERVED CVE-2014-10239 RESERVED CVE-2014-10238 RESERVED CVE-2014-10237 RESERVED CVE-2014-10236 RESERVED CVE-2014-10235 RESERVED CVE-2014-10234 RESERVED CVE-2014-10233 RESERVED CVE-2014-10232 RESERVED CVE-2014-10231 RESERVED CVE-2014-10230 RESERVED CVE-2014-1023 RESERVED CVE-2014-10229 RESERVED CVE-2014-10228 RESERVED CVE-2014-10227 RESERVED CVE-2014-10226 RESERVED CVE-2014-10225 RESERVED CVE-2014-10224 RESERVED CVE-2014-10223 RESERVED CVE-2014-10222 RESERVED CVE-2014-10221 RESERVED CVE-2014-10220 RESERVED CVE-2014-1022 RESERVED CVE-2014-10219 RESERVED CVE-2014-10218 RESERVED CVE-2014-10217 RESERVED CVE-2014-10216 RESERVED CVE-2014-10215 RESERVED CVE-2014-10214 RESERVED CVE-2014-10213 RESERVED CVE-2014-10212 RESERVED CVE-2014-10211 RESERVED CVE-2014-10210 RESERVED CVE-2014-1021 RESERVED CVE-2014-10209 RESERVED CVE-2014-10208 RESERVED CVE-2014-10207 RESERVED CVE-2014-10206 RESERVED CVE-2014-10205 RESERVED CVE-2014-10204 RESERVED CVE-2014-10203 RESERVED CVE-2014-10202 RESERVED CVE-2014-10201 RESERVED CVE-2014-10200 RESERVED CVE-2014-1020 RESERVED CVE-2014-10199 RESERVED CVE-2014-10198 RESERVED CVE-2014-10197 RESERVED CVE-2014-10196 RESERVED CVE-2014-10195 RESERVED CVE-2014-10194 RESERVED CVE-2014-10193 RESERVED CVE-2014-10192 RESERVED CVE-2014-10191 RESERVED CVE-2014-10190 RESERVED CVE-2014-1019 RESERVED CVE-2014-10189 RESERVED CVE-2014-10188 RESERVED CVE-2014-10187 RESERVED CVE-2014-10186 RESERVED CVE-2014-10185 RESERVED CVE-2014-10184 RESERVED CVE-2014-10183 RESERVED CVE-2014-10182 RESERVED CVE-2014-10181 RESERVED CVE-2014-10180 RESERVED CVE-2014-1018 RESERVED CVE-2014-10179 RESERVED CVE-2014-10178 RESERVED CVE-2014-10177 RESERVED CVE-2014-10176 RESERVED CVE-2014-10175 RESERVED CVE-2014-10174 RESERVED CVE-2014-10173 RESERVED CVE-2014-10172 RESERVED CVE-2014-10171 RESERVED CVE-2014-10170 RESERVED CVE-2014-1017 RESERVED CVE-2014-10169 RESERVED CVE-2014-10168 RESERVED CVE-2014-10167 RESERVED CVE-2014-10166 RESERVED CVE-2014-10165 RESERVED CVE-2014-10164 RESERVED CVE-2014-10163 RESERVED CVE-2014-10162 RESERVED CVE-2014-10161 RESERVED CVE-2014-10160 RESERVED CVE-2014-1016 RESERVED CVE-2014-10159 RESERVED CVE-2014-10158 RESERVED CVE-2014-10157 RESERVED CVE-2014-10156 RESERVED CVE-2014-10155 RESERVED CVE-2014-10154 RESERVED CVE-2014-10153 RESERVED CVE-2014-10152 RESERVED CVE-2014-10151 RESERVED CVE-2014-10150 RESERVED CVE-2014-1015 RESERVED CVE-2014-10149 RESERVED CVE-2014-10148 RESERVED CVE-2014-10147 RESERVED CVE-2014-10146 RESERVED CVE-2014-10145 RESERVED CVE-2014-10144 RESERVED CVE-2014-10143 RESERVED CVE-2014-10142 RESERVED CVE-2014-10141 RESERVED CVE-2014-10140 RESERVED CVE-2014-1014 RESERVED CVE-2014-10139 RESERVED CVE-2014-10138 RESERVED CVE-2014-10137 RESERVED CVE-2014-10136 RESERVED CVE-2014-10135 RESERVED CVE-2014-10134 RESERVED CVE-2014-10133 RESERVED CVE-2014-10132 RESERVED CVE-2014-10131 RESERVED CVE-2014-10130 RESERVED CVE-2014-1013 RESERVED CVE-2014-10129 RESERVED CVE-2014-10128 RESERVED CVE-2014-10127 RESERVED CVE-2014-10126 RESERVED CVE-2014-10125 RESERVED CVE-2014-10124 RESERVED CVE-2014-10123 RESERVED CVE-2014-10122 RESERVED CVE-2014-10121 RESERVED CVE-2014-10120 RESERVED CVE-2014-1012 RESERVED CVE-2014-10119 RESERVED CVE-2014-10118 RESERVED CVE-2014-10117 RESERVED CVE-2014-10116 RESERVED CVE-2014-10115 RESERVED CVE-2014-10114 RESERVED CVE-2014-10113 RESERVED CVE-2014-10112 RESERVED CVE-2014-10111 RESERVED CVE-2014-10110 RESERVED CVE-2014-1011 RESERVED CVE-2014-10109 RESERVED CVE-2014-10108 RESERVED CVE-2014-10107 RESERVED CVE-2014-10106 RESERVED CVE-2014-10105 RESERVED CVE-2014-10104 RESERVED CVE-2014-10103 RESERVED CVE-2014-10102 RESERVED CVE-2014-10101 RESERVED CVE-2014-10100 RESERVED CVE-2014-1010 RESERVED CVE-2014-10099 RESERVED CVE-2014-10098 RESERVED CVE-2014-10097 RESERVED CVE-2014-10096 RESERVED CVE-2014-10095 RESERVED CVE-2014-10094 RESERVED CVE-2014-10093 RESERVED CVE-2014-10092 RESERVED CVE-2014-10091 RESERVED CVE-2014-10090 RESERVED CVE-2014-1009 RESERVED CVE-2014-10089 RESERVED CVE-2014-10088 RESERVED CVE-2014-10087 RESERVED CVE-2014-10086 RESERVED CVE-2014-10085 RESERVED CVE-2014-10084 RESERVED CVE-2014-10083 RESERVED CVE-2014-10082 RESERVED CVE-2014-10081 RESERVED CVE-2014-10080 RESERVED CVE-2014-1008 RESERVED CVE-2014-1007 RESERVED CVE-2014-1006 RESERVED CVE-2014-1005 RESERVED CVE-2014-1003 RESERVED CVE-2014-1002 RESERVED CVE-2014-1001 RESERVED CVE-2014-1000 RESERVED CVE-2019-13607 (The Opera Mini application through 16.0.14 for iOS has a UXSS vulnerab ...) NOT-FOR-US: Opera Mini application for iOS CVE-2019-13606 RESERVED CVE-2019-13605 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.838 to 0.9.8.8 ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-13604 (There is a short key vulnerability in HID Global DigitalPersona (forme ...) NOT-FOR-US: HID Global DigitalPersona U.are.U 4500 Fingerprint Reader CVE-2019-13603 (An issue was discovered in the HID Global DigitalPersona (formerly Cro ...) NOT-FOR-US: HID Global DigitalPersona U.are.U 4500 Fingerprint Reader Windows Biometric Framework driver CVE-2019-13602 (An Integer Underflow in MP4_EIA608_Convert() in modules/demux/mp4/mp4. ...) {DSA-4504-1} - vlc 3.0.7.1-2 (bug #932131) [jessie] - vlc (https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: https://git.videolan.org/?p=vlc.git;a=commit;h=8e8e0d72447f8378244f5b4a3dcde036dbeb1491 NOTE: https://git.videolan.org/?p=vlc.git;a=commit;h=b2b157076d9e94df34502dd8df0787deb940e938 NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-13601 RESERVED CVE-2019-13600 RESERVED CVE-2019-13599 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.848, the Login ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-13598 (LuaUPnP in Vera Edge Home Controller 1.7.4452 allows remote unauthenti ...) NOT-FOR-US: LuaUPnP in Vera Edge Home Controller CVE-2019-13597 (_s_/sprm/_s_/dyn/Player_setScriptFile in Sahi Pro 8.0.0 allows command ...) NOT-FOR-US: Sahi Pro CVE-2019-13596 RESERVED CVE-2019-13595 RESERVED CVE-2019-13594 (In Mirumee Saleor 2.7.0 (fixed in 2.8.0), CSRF protection middleware w ...) NOT-FOR-US: Mirumee Saleor CVE-2019-13593 RESERVED CVE-2019-13592 RESERVED CVE-2019-13591 RESERVED CVE-2019-13590 (An issue was discovered in libsox.a in SoX 14.4.2. In sox-fmt.h (start ...) - sox 14.4.2+git20190427-2 (low; bug #932082) [buster] - sox (Minor issue) [stretch] - sox (Minor issue) [jessie] - sox (Minor issue) NOTE: https://sourceforge.net/p/sox/bugs/325/ NOTE: https://sourceforge.net/p/sox/code/ci/7b6a889217d62ed7e28188621403cc7542fd1f7e/ CVE-2019-13589 (The paranoid2 gem 1.1.6 for Ruby, as distributed on RubyGems.org, incl ...) NOT-FOR-US: backdoor in paranoid_2 gem, different from src:ruby-paranoia CVE-2019-13588 (A cross-site scripting (XSS) vulnerability in getPagingStart() in core ...) NOT-FOR-US: WIKINDX CVE-2019-13587 RESERVED CVE-2019-13586 RESERVED CVE-2019-13585 (The remote admin webserver on FANUC Robotics Virtual Robot Controller ...) NOT-FOR-US: FANUC Robotics Virtual Robot Controller CVE-2019-13584 (The remote admin webserver on FANUC Robotics Virtual Robot Controller ...) NOT-FOR-US: FANUC Robotics Virtual Robot Controller CVE-2019-13583 RESERVED CVE-2019-13582 (An issue was discovered in Marvell 88W8688 Wi-Fi firmware before versi ...) NOT-FOR-US: Tesla CVE-2019-13581 (An issue was discovered in Marvell 88W8688 Wi-Fi firmware before versi ...) NOT-FOR-US: Tesla CVE-2019-13580 RESERVED CVE-2019-13579 RESERVED CVE-2019-13578 (A SQL injection vulnerability exists in the Impress GiveWP Give plugin ...) NOT-FOR-US: Impress GiveWP Give plugin for WordPress CVE-2019-13577 (SnmpAdm.exe in MAPLE WBT SNMP Administrator v2.0.195.15 has an Unauthe ...) NOT-FOR-US: SnmpAdm.exe in MAPLE WBT SNMP Administrator CVE-2018-20852 (http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py ...) {DLA-1906-1 DLA-1889-1} - python3.7 3.7.3~rc1-1 - python3.5 - python3.4 - python2.7 2.7.16-3 [buster] - python2.7 2.7.16-2+deb10u1 [stretch] - python2.7 (Minor issue) NOTE: https://bugs.python.org/issue35121 NOTE: https://python-security.readthedocs.io/vuln/cookie-domain-check.html NOTE: https://github.com/python/cpython/commit/979daae300916adb399ab5b51410b6ebd0888f13 (2.7.x branch) NOTE: https://github.com/python/cpython/commit/42ad4101d3ba7ca3c371dadf0f8880764c9f15fb (v3.4.10) NOTE: https://github.com/python/cpython/commit/4749f1b69000259e23b4cc6f63c542a9bdc62f1b (v3.5.7) NOTE: https://github.com/python/cpython/commit/b241af861b37e20ad30533bc0b7e2e5491cc470f (v3.6.9rc1) NOTE: https://github.com/python/cpython/commit/e5123d81ffb3be35a1b2767d6ced1a097aaf77be (v3.7.3rc1) CVE-2019-13576 RESERVED CVE-2019-13575 (A SQL injection vulnerability exists in WPEverest Everest Forms plugin ...) NOT-FOR-US: WPEverest Everest Forms plugin for WordPress CVE-2019-13574 (In lib/mini_magick/image.rb in MiniMagick before 4.9.4, a fetched remo ...) {DSA-4481-1 DLA-1948-1} - ruby-mini-magick 4.9.2-1.1 (bug #931932) CVE-2019-13573 (A SQL injection vulnerability exists in the FolioVision FV Flowplayer ...) NOT-FOR-US: FolioVision FV Flowplayer Video Player plugin for WordPress CVE-2019-13572 (The Adenion Blog2Social plugin through 5.5.0 for WordPress allows SQL ...) NOT-FOR-US: Adenion Blog2Social plugin for WordPress CVE-2019-13571 (A SQL injection vulnerability exists in the Vsourz Digital Advanced CF ...) NOT-FOR-US: Vsourz Digital Advanced CF7 DB plugin for WordPress CVE-2019-13570 (The AJdG AdRotate plugin before 5.3 for WordPress allows SQL Injection ...) NOT-FOR-US: WordPress plugin AJdG AdRotate CVE-2019-13569 (A SQL injection vulnerability exists in the Icegram Email Subscribers ...) NOT-FOR-US: Icegram Email Subscribers & Newsletters plugin for WordPress CVE-2019-13568 (CImg through 2.6.7 has a heap-based buffer overflow in _load_bmp in CI ...) - cimg 2.8.4+dfsg-1 (bug #940952) [buster] - cimg (Minor issue) [stretch] - cimg (Minor issue) [jessie] - cimg (Vulnerable code added later) NOTE: https://github.com/dtschump/CImg/commit/ac8003393569aba51048c9d67e1491559877b1d1 CVE-2019-13567 (The Zoom Client before 4.4.53932.0709 on macOS allows remote code exec ...) NOT-FOR-US: Zoom CVE-2019-13566 (An issue was discovered in the ROS communications-related packages (ak ...) - ros-ros-comm 1.14.3+ds1-10 (bug #945361) [buster] - ros-ros-comm 1.14.3+ds1-5+deb10u1 [stretch] - ros-ros-comm 1.12.6-2+deb9u1 NOTE: https://github.com/ros/ros_comm/issues/1735 NOTE: https://github.com/ros/ros_comm/pull/1771 CVE-2019-13565 (An issue was discovered in OpenLDAP 2.x before 2.4.48. When using SASL ...) {DLA-1891-1} - openldap 2.4.48+dfsg-1 (low; bug #932998) [buster] - openldap 2.4.47+dfsg-3+deb10u1 [stretch] - openldap 2.4.44+dfsg-5+deb9u3 NOTE: https://openldap.org/its/?findid=9052 CVE-2019-13564 (XSS exists in Ping Identity Agentless Integration Kit before 1.5. ...) NOT-FOR-US: Ping Identity Agentless Integration Kit CVE-2019-13563 (D-Link DIR-655 C devices before 3.02B05 BETA03 allow CSRF for the enti ...) NOT-FOR-US: D-Link CVE-2019-13562 (D-Link DIR-655 C devices before 3.02B05 BETA03 allow XSS, as demonstra ...) NOT-FOR-US: D-Link CVE-2019-13561 (D-Link DIR-655 C devices before 3.02B05 BETA03 allow remote attackers ...) NOT-FOR-US: D-Link CVE-2019-13560 (D-Link DIR-655 C devices before 3.02B05 BETA03 allow remote attackers ...) NOT-FOR-US: D-Link CVE-2019-13559 (GE Mark VIe Controller is shipped with pre-configured hard-coded crede ...) NOT-FOR-US: GE Mark VIe Controller CVE-2019-13558 (In WebAccess versions 8.4.1 and prior, an exploit executed over the ne ...) NOT-FOR-US: WebAccess CVE-2019-13557 (In Tasy EMR, Tasy WebPortal Versions 3.02.1757 and prior, there is an ...) NOT-FOR-US: Tasy CVE-2019-13556 (In WebAccess versions 8.4.1 and prior, multiple stack-based buffer ove ...) NOT-FOR-US: WebAccess CVE-2019-13555 (In Mitsubishi Electric MELSEC-Q Series Q03/04/06/13/26UDVCPU: serial n ...) NOT-FOR-US: Mitsubishi CVE-2019-13554 (GE Mark VIe Controller has an unsecured Telnet protocol that may allow ...) NOT-FOR-US: GE Mark VIe Controller CVE-2019-13553 (Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb ...) NOT-FOR-US: Rittal Chiller SK 3232-Series CVE-2019-13552 (In WebAccess versions 8.4.1 and prior, multiple command injection vuln ...) NOT-FOR-US: WebAccess CVE-2019-13551 (Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. Path traversal vul ...) NOT-FOR-US: Advantech CVE-2019-13550 (In WebAccess, versions 8.4.1 and prior, an improper authorization vuln ...) NOT-FOR-US: WebAccess CVE-2019-13549 (Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb ...) NOT-FOR-US: Rittal Chiller SK 3232-Series CVE-2019-13548 (CODESYS V3 web server, all versions prior to 3.5.14.10, allows an atta ...) NOT-FOR-US: CODESYS CVE-2019-13547 (Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. There is an unsecu ...) NOT-FOR-US: Advantech CVE-2019-13546 (In IntelliSpace Perinatal, Versions K and prior, a vulnerability withi ...) NOT-FOR-US: IntelliSpace Perinatal CVE-2019-13545 (In Horner Automation Cscape 9.90 and prior, improper validation of dat ...) NOT-FOR-US: Horner Automation Cscape CVE-2019-13544 (Delta Electronics TPEditor, Versions 1.94 and prior. Multiple out-of-b ...) NOT-FOR-US: Delta Electronics TPEditor CVE-2019-13543 (Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab F ...) NOT-FOR-US: Medtronic CVE-2019-13542 (3S-Smart Software Solutions GmbH CODESYS V3 OPC UA Server, all version ...) NOT-FOR-US: 3S-Smart CVE-2019-13541 (In Horner Automation Cscape 9.90 and prior, an improper input validati ...) NOT-FOR-US: Horner Automation Cscape CVE-2019-13540 (Delta Electronics TPEditor, Versions 1.94 and prior. Multiple stack-ba ...) NOT-FOR-US: Delta Electronics TPEditor CVE-2019-13539 (Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab F ...) NOT-FOR-US: Medtronic CVE-2019-13538 (3S-Smart Software Solutions GmbH CODESYS V3 Library Manager, all versi ...) NOT-FOR-US: 3S-Smart CVE-2019-13537 (The IEC870IP driver for AVEVA’s Vijeo Citect and Citect SCADA an ...) NOT-FOR-US: IEC870IP driver CVE-2019-13536 (Delta Electronics TPEditor, Versions 1.94 and prior. Multiple heap-bas ...) NOT-FOR-US: Delta Electronics TPEditor CVE-2019-13535 (In Medtronic Valleylab FT10 Energy Platform (VLFT10GEN) version 2.1.0 ...) NOT-FOR-US: Medtronic Valleylab FT10 Energy Platform CVE-2019-13534 (Philips IntelliVue WLAN, portable patient monitors, WLAN Version A, Fi ...) NOT-FOR-US: Philips CVE-2019-13533 (In Omron PLC CJ series, all versions, and Omron PLC CS series, all ver ...) NOT-FOR-US: Omron CVE-2019-13532 (CODESYS V3 web server, all versions prior to 3.5.14.10, allows an atta ...) NOT-FOR-US: CODESYS CVE-2019-13531 (In Medtronic Valleylab FT10 Energy Platform (VLFT10GEN) version 2.1.0 ...) NOT-FOR-US: Medtronic Valleylab FT10 Energy Platform CVE-2019-13530 (Philips IntelliVue WLAN, portable patient monitors, WLAN Version A, Fi ...) NOT-FOR-US: Philips CVE-2019-13529 (An attacker could send a malicious link to an authenticated operator, ...) NOT-FOR-US: Sunny WebBox Firmware CVE-2019-13528 (A specific utility may allow an attacker to gain read access to privil ...) NOT-FOR-US: Niagara CVE-2019-13527 (In Rockwell Automation Arena Simulation Software Cat. 9502-Ax, Version ...) NOT-FOR-US: Rockwell CVE-2019-13526 (Datalogic AV7000 Linear barcode scanner all versions prior to 4.6.0.0 ...) NOT-FOR-US: Datalogic AV7000 Linear barcode scanner CVE-2019-13525 (In IP-AK2 Access Control Panel Version 1.04.07 and prior, the integrat ...) NOT-FOR-US: IP-AK2 Access Control Panel CVE-2019-13524 (GE PACSystems RX3i CPE100/115: All versions prior to R9.85,CPE302/305/ ...) NOT-FOR-US: GE/Emerson CVE-2019-13523 (In Honeywell Performance IP Cameras and Performance NVRs, the integrat ...) NOT-FOR-US: Honeywell CVE-2019-13522 (An attacker could use a specially crafted project file to corrupt the ...) NOT-FOR-US: EZ PLC Editor CVE-2019-13521 (A maliciously crafted program file opened by an unsuspecting user of R ...) NOT-FOR-US: Rockwell CVE-2019-13520 (Multiple buffer overflow issues have been identified in Alpha5 Smart L ...) NOT-FOR-US: Fuji Electric CVE-2019-13519 (A maliciously crafted program file opened by an unsuspecting user of R ...) NOT-FOR-US: Rockwell CVE-2019-13518 (An attacker could use a specially crafted project file to overflow the ...) NOT-FOR-US: EZAutomation CVE-2019-13517 (In Pyxis ES Versions 1.3.4 through to 1.6.1 and Pyxis Enterprise Serve ...) NOT-FOR-US: Pyxis CVE-2019-13516 (In OSIsoft PI Web API and prior, the affected product is vulnerable to ...) NOT-FOR-US: OSIsoft LLC CVE-2019-13515 (OSIsoft PI Web API 2018 and prior may allow disclosure of sensitive in ...) NOT-FOR-US: OSIsoft LLC CVE-2019-13514 (In Delta Industrial Automation DOPSoft, Version 4.00.06.15 and prior, ...) NOT-FOR-US: Delta Industrial Automation DOPSoft CVE-2019-13513 (In Delta Industrial Automation DOPSoft, Version 4.00.06.15 and prior, ...) NOT-FOR-US: Delta Industrial Automation DOPSoft CVE-2019-13512 (Fuji Electric FRENIC Loader 3.5.0.0 and prior is vulnerable to an out- ...) NOT-FOR-US: Fuji Electric FRENIC Loader CVE-2019-13511 (Rockwell Automation Arena Simulation Software versions 16.00.00 and ea ...) NOT-FOR-US: Rockwell Automation Arena Simulation Software CVE-2019-13510 (Rockwell Automation Arena Simulation Software versions 16.00.00 and ea ...) NOT-FOR-US: Rockwell Automation Arena Simulation Software CVE-2019-13509 (In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06. ...) {DSA-4521-1} - docker.io 18.09.1+dfsg1-8 (bug #932673) CVE-2019-13508 (FreeTDS through 1.1.11 has a Buffer Overflow. ...) - freetds 1.1.6-1.1 (bug #944012) [buster] - freetds 1.00.104-1+deb10u1 [stretch] - freetds (Vulnerable code introduced in 0.95 upstream) [jessie] - freetds (Vulnerable code introduced in 0.95 upstream) NOTE: https://github.com/FreeTDS/freetds/commit/0df4eb82a0e3ff844e373d7c9f9c6c813925e2ac NOTE: https://bugs.launchpad.net/bugs/1835896 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1736255 NOTE: https://bugzilla.novell.com/show_bug.cgi?id=1141132 CVE-2019-13507 (hidea.com AZ Admin 1.0 has news_det.php?cod= SQL Injection. ...) NOT-FOR-US: hidea.com AZ Admin CVE-2019-13506 (@nuxt/devalue before 1.2.3, as used in Nuxt.js before 2.6.2, mishandle ...) NOT-FOR-US: Nuxt.js CVE-2019-13505 (The Appointment Hour Booking plugin 1.1.44 for WordPress allows XSS vi ...) NOT-FOR-US: Appointment Hour Booking plugin for WordPress CVE-2019-13504 (There is an out-of-bounds read in Exiv2::MrwImage::readMetadata in mrw ...) {DLA-1855-1} - exiv2 0.27.2-6 (low; bug #932467) [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/pull/943 NOTE: https://github.com/Exiv2/exiv2/pull/944 NOTE: https://github.com/Exiv2/exiv2/commit/bd0afe0390439b2c424d881c8c6eb0c5624e31d9 NOTE: https://github.com/Exiv2/exiv2/pull/946 (complementary fix) NOTE: https://github.com/Exiv2/exiv2/commit/54f0bebca032d0286a0e48f47e67dfc6141fedff CVE-2019-13503 (mq_parse_http in mongoose.c in Mongoose 6.15 has a heap-based buffer o ...) NOT-FOR-US: Cesanta Mongoose NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1 CVE-2019-13502 RESERVED CVE-2019-13501 RESERVED CVE-2019-13500 RESERVED CVE-2019-13499 RESERVED CVE-2019-13498 (One Identity Cloud Access Manager 8.1.3 does not use HTTP Strict Trans ...) NOT-FOR-US: One Identity Cloud Access Manager CVE-2019-13497 (One Identity Cloud Access Manager before 8.1.4 Hotfix 1 allows CSRF fo ...) NOT-FOR-US: One Identity Cloud Access Manager CVE-2019-13496 (One Identity Cloud Access Manager before 8.1.4 Hotfix 1 allows OTP byp ...) NOT-FOR-US: One Identity Cloud Access Manager CVE-2019-13495 (In firmware version 4.50 of Zyxel XGS2210-52HP, multiple stored cross- ...) NOT-FOR-US: Zyxel CVE-2019-13494 (nodeimp.exe in Castle Rock SNMPc before 9.0.12.1 and 10.x before 10.0. ...) NOT-FOR-US: Castle Rock SNMPc CVE-2019-13493 (In Sitecore 9.0 rev 171002, Persistent XSS exists in the Media Library ...) NOT-FOR-US: Sitecore CVE-2019-13492 RESERVED CVE-2019-13491 RESERVED CVE-2019-13490 RESERVED CVE-2019-13489 (Trape through 2019-05-08 has SQL injection via the data[2] variable in ...) NOT-FOR-US: Trape CVE-2019-13488 (A cross-site scripting (XSS) vulnerability in static/js/trape.js in Tr ...) NOT-FOR-US: Trape CVE-2019-13487 RESERVED CVE-2019-13486 (In Xymon through 4.3.28, a stack-based buffer overflow exists in the s ...) {DLA-1898-1} - xymon 4.3.29-1 [buster] - xymon 4.3.28-5+deb10u1 [stretch] - xymon 4.3.28-2+deb9u1 NOTE: https://lists.xymon.com/archive/2019-July/046570.html CVE-2019-13485 (In Xymon through 4.3.28, a stack-based buffer overflow vulnerability e ...) {DLA-1898-1} - xymon 4.3.29-1 [buster] - xymon 4.3.28-5+deb10u1 [stretch] - xymon 4.3.28-2+deb9u1 NOTE: https://lists.xymon.com/archive/2019-July/046570.html CVE-2019-13484 (In Xymon through 4.3.28, a buffer overflow exists in the status-log vi ...) {DLA-1898-1} - xymon 4.3.29-1 [buster] - xymon 4.3.28-5+deb10u1 [stretch] - xymon 4.3.28-2+deb9u1 NOTE: https://lists.xymon.com/archive/2019-July/046570.html CVE-2019-13483 (Auth0 Passport-SharePoint before 0.4.0 does not validate the JWT signa ...) NOT-FOR-US: Auth0 Passport-SharePoint CVE-2019-13482 (An issue was discovered on D-Link DIR-818LW devices with firmware 2.06 ...) NOT-FOR-US: D-Link CVE-2019-13481 (An issue was discovered on D-Link DIR-818LW devices with firmware 2.06 ...) NOT-FOR-US: D-Link CVE-2019-13480 RESERVED CVE-2019-13479 RESERVED CVE-2018-20851 (Helpy before 2.2.0 allows agents to edit admins. ...) NOT-FOR-US: Helpy CVE-2019-13478 (The Yoast SEO plugin before 11.6-RC5 for WordPress does not properly r ...) NOT-FOR-US: Wordpress plugin CVE-2019-13477 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, CSRF in t ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-13476 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, XSS in th ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-13475 (In MobaXterm 11.1, the mobaxterm: URI handler has an argument injectio ...) NOT-FOR-US: MobaXterm CVE-2019-13474 (TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110 ...) NOT-FOR-US: TELESTAR CVE-2019-13473 (TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110 ...) NOT-FOR-US: TELESTAR CVE-2019-13472 (PHPWind 9.1.0 has XSS vulnerabilities in the c and m parameters of the ...) NOT-FOR-US: PHPWind CVE-2019-13471 RESERVED CVE-2019-13470 (MatrixSSL before 4.2.1 has an out-of-bounds read during ASN.1 handling ...) - matrixssl CVE-2019-13469 RESERVED CVE-2019-13468 RESERVED CVE-2019-13467 (Description: Western Digital SSD Dashboard before 2.5.1.0 and SanDisk ...) NOT-FOR-US: Western Digital SSD Dashboard and SanDisk SSD Dashboard applications CVE-2019-13466 (Western Digital SSD Dashboard before 2.5.1.0 and SanDisk SSD Dashboard ...) NOT-FOR-US: Western Digital SSD Dashboard and SanDisk SSD Dashboard CVE-2019-13465 (An issue was discovered in the ROS communications-related packages (ak ...) - ros-ros-comm 1.14.3+ds1-10 (bug #947946) [buster] - ros-ros-comm 1.14.3+ds1-5+deb10u1 [stretch] - ros-ros-comm 1.12.6-2+deb9u1 NOTE: https://github.com/ros/ros_comm/issues/1752 NOTE: https://github.com/ros/ros_comm/pull/1763 CVE-2019-13464 (An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2 ...) - modsecurity-crs 3.2.0-1 (low; bug #943773) [buster] - modsecurity-crs 3.1.0-1+deb10u1 [stretch] - modsecurity-crs (Minor issue) [jessie] - modsecurity-crs (incorrect rule does not exist) NOTE: https://github.com/SpiderLabs/owasp-modsecurity-crs/commit/6090d6b0a90417f1a60aa68a01eb777cef2e1184 NOTE: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1386 CVE-2019-13463 (An XSS vulnerability in qcopd-shortcode-generator.php in the Simple Li ...) NOT-FOR-US: Simple Link Directory plugin for WordPress CVE-2019-13462 (Lansweeper before 7.1.117.4 allows unauthenticated SQL injection. ...) NOT-FOR-US: Lansweeper CVE-2019-13461 (In PrestaShop before 1.7.6.0 RC2, the id_address_delivery and id_addre ...) NOT-FOR-US: PrestaShop CVE-2019-13460 RESERVED CVE-2019-13459 RESERVED CVE-2019-13458 (An issue was discovered in Open Ticket Request System (OTRS) 7.0.x thr ...) {DLA-1877-1} - otrs2 6.0.20-1 [buster] - otrs2 (Non-free not supported) [stretch] - otrs2 (Non-free not supported) NOTE: https://community.otrs.com/security-advisory-2019-12-security-update-for-otrs-framework/ NOTE: OTRS 6.0: https://github.com/OTRS/otrs/commit/69430f260d52e5a7afc185048da0cfc2eef2659a NOTE: OTRS 5.0: https://github.com/OTRS/otrs/commit/0e26066dfff8efff0039da13e29609ca7f00d9a2 CVE-2019-13457 (An issue was discovered in Open Ticket Request System (OTRS) 7.0.x thr ...) - otrs2 (Only affects 7.x series) NOTE: https://otrs.com/release-notes/otrs-security-advisory-2019-11/ CVE-2019-13456 (In FreeRADIUS 3.0 through 3.0.19, on average 1 in every 2048 EAP-pwd h ...) - freeradius 3.0.20+dfsg-1 [buster] - freeradius (Minor issue) [stretch] - freeradius (Minor issue) [jessie] - freeradius (Vulnerable code introduced later in version 3.0.0) NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa (release_3_0_20) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1737663 NOTE: https://wpa3.mathyvanhoef.com/#new CVE-2019-13455 (In Xymon through 4.3.28, a stack-based buffer overflow vulnerability e ...) {DLA-1898-1} - xymon 4.3.29-1 [buster] - xymon 4.3.28-5+deb10u1 [stretch] - xymon 4.3.28-2+deb9u1 NOTE: https://lists.xymon.com/archive/2019-July/046570.html CVE-2019-13454 (ImageMagick 7.0.8-54 Q16 allows Division by Zero in RemoveDuplicateLay ...) {DSA-4712-1} - imagemagick (low; bug #931740) [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (low impact issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1629 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/4f31d78716ac94c85c244efcea368fea202e2ed4 CVE-2019-13453 (Zipios before 0.1.7 does not properly handle certain malformed zip arc ...) - zipios++ 0.1.5.9+cvs.2007.04.28-11 (low; bug #932556) [buster] - zipios++ (Minor issue) [stretch] - zipios++ (Minor issue) [jessie] - zipios++ (Minor issue) NOTE: https://sourceforge.net/p/zipios/news/2019/07/version-017-cve-/ NOTE: Patch: https://sourceforge.net/p/zipios/code-git/ci/96e26640573410709bb863b8916a8216f4c6a546/tree/infinite_loop.patch CVE-2019-13452 (In Xymon through 4.3.28, a buffer overflow vulnerability exists in rep ...) {DLA-1898-1} - xymon 4.3.29-1 [buster] - xymon 4.3.28-5+deb10u1 [stretch] - xymon 4.3.28-2+deb9u1 NOTE: https://lists.xymon.com/archive/2019-July/046570.html CVE-2019-13451 (In Xymon through 4.3.28, a buffer overflow vulnerability exists in his ...) {DLA-1898-1} - xymon 4.3.29-1 [buster] - xymon 4.3.28-5+deb10u1 [stretch] - xymon 4.3.28-2+deb9u1 NOTE: https://lists.xymon.com/archive/2019-July/046570.html CVE-2019-17351 (An issue was discovered in drivers/xen/balloon.c in the Linux kernel b ...) - linux 5.2.6-1 [buster] - linux 4.19.67-1 [stretch] - linux 4.9.168-1+deb9u5 NOTE: https://xenbits.xen.org/xsa/advisory-300.html CVE-2019-13450 (In the Zoom Client through 4.4.4 and RingCentral 7.0.136380.0312 on ma ...) NOT-FOR-US: Zoom Client and RingCentral on MacOS CVE-2019-13449 (In the Zoom Client before 4.4.2 on macOS, remote attackers can cause a ...) NOT-FOR-US: Zoom Client on macOS CVE-2019-13448 (An issue was discovered in Sertek Xpare 3.67. The login form does not ...) NOT-FOR-US: Sertek Xpare CVE-2019-13447 (An issue was discovered in Sertek Xpare 3.67. The login form does not ...) NOT-FOR-US: Sertek Xpare CVE-2019-13446 REJECTED CVE-2019-13445 (An issue was discovered in the ROS communications-related packages (ak ...) - ros-ros-comm 1.14.3+ds1-11 (bug #947947) [buster] - ros-ros-comm 1.14.3+ds1-5+deb10u1 [stretch] - ros-ros-comm 1.12.6-2+deb9u2 NOTE: https://github.com/ros/ros_comm/issues/1738 NOTE: https://github.com/ros/ros_comm/pull/1741 CVE-2019-13444 RESERVED CVE-2019-13443 RESERVED CVE-2019-13442 RESERVED CVE-2019-13441 RESERVED CVE-2019-13440 RESERVED CVE-2019-13439 RESERVED CVE-2019-13438 RESERVED CVE-2019-13437 RESERVED CVE-2019-13436 RESERVED CVE-2019-13435 RESERVED CVE-2019-13434 RESERVED CVE-2019-13433 RESERVED CVE-2019-13432 RESERVED CVE-2019-13431 RESERVED CVE-2019-13430 RESERVED CVE-2019-13429 RESERVED CVE-2019-13428 RESERVED CVE-2019-13427 RESERVED CVE-2019-13426 RESERVED CVE-2019-13425 RESERVED CVE-2019-13424 RESERVED CVE-2019-13423 (Search Guard Kibana Plugin versions before 5.6.8-7 and before 6.x.y-12 ...) NOT-FOR-US: Search Guard CVE-2019-13422 (Search Guard Kibana Plugin versions before 5.6.8-7 and before 6.x.y-12 ...) NOT-FOR-US: Search Guard CVE-2019-13421 (Search Guard versions before 23.1 had an issue that an administrative ...) NOT-FOR-US: Search Guard CVE-2019-13420 (Search Guard versions before 21.0 had an timing side channel issue whe ...) NOT-FOR-US: Search Guard CVE-2019-13419 (Search Guard versions before 23.1 had an issue that for aggregations c ...) NOT-FOR-US: Search Guard CVE-2019-13418 (Search Guard versions before 24.0 had an issue that values of string a ...) NOT-FOR-US: Search Guard CVE-2019-13417 (Search Guard versions before 24.0 had an issue that field caps and map ...) NOT-FOR-US: Search Guard CVE-2019-13416 (Search Guard versions before 24.3 had an issue when Cross Cluster Sear ...) NOT-FOR-US: Search Guard CVE-2019-13415 (Search Guard versions before 24.3 had an issue when Cross Cluster Sear ...) NOT-FOR-US: Search Guard CVE-2019-13414 (The Rencontre plugin before 3.1.3 for WordPress allows XSS via inc/ren ...) NOT-FOR-US: Wordpress plugin CVE-2019-13413 (The Rencontre plugin before 3.1.3 for WordPress allows SQL Injection v ...) NOT-FOR-US: Wordpress plugin CVE-2019-13412 (A service which is hosted on port 3097 in HiNet GPON firmware < I04 ...) NOT-FOR-US: HiNet GPON firmware CVE-2019-13411 (An “invalid command” handler issue was discovered in HiNet ...) NOT-FOR-US: HiNet GPON firmware CVE-2019-13410 (TOPMeeting before version 8.8 (2019/08/19) shows attendees account and ...) NOT-FOR-US: TOPMeeting CVE-2019-13409 (A SQL injection vulnerability was discovered in TOPMeeting before vers ...) NOT-FOR-US: TOPMeeting CVE-2019-13408 (A relative path traversal vulnerability found in Advan VD-1 firmware v ...) NOT-FOR-US: Advan VD-1 firmware CVE-2019-13407 (A XSS found in Advan VD-1 firmware versions up to 230. VD-1 responses ...) NOT-FOR-US: Advan VD-1 firmware CVE-2019-13406 (A broken access control vulnerability found in Advan VD-1 firmware ver ...) NOT-FOR-US: Advan VD-1 firmware CVE-2019-13405 (A broken access control vulnerability found in Advan VD-1 firmware ver ...) NOT-FOR-US: Advan VD-1 firmware CVE-2019-13404 (** DISPUTED ** The MSI installer for Python through 2.7.16 on Windows ...) NOT-FOR-US: Disputed issue for Windows installer for Python CVE-2019-13403 (Temenos CWX version 8.9 has an Broken Access Control vulnerability in ...) NOT-FOR-US: Temenos CWX CVE-2019-13402 (/usr/sbin/default.sh and /usr/apache/htdocs/cgi-bin/admin/hardfactoryd ...) NOT-FOR-US: Dynacolor CVE-2019-13401 (Dynacolor FCM-MB40 v1.2.0.0 devices have CSRF in all scripts under cgi ...) NOT-FOR-US: Dynacolor CVE-2019-13400 (Dynacolor FCM-MB40 v1.2.0.0 use /etc/appWeb/appweb.pass to store admin ...) NOT-FOR-US: Dynacolor CVE-2019-13399 (Dynacolor FCM-MB40 v1.2.0.0 devices have a hard-coded SSL/TLS key that ...) NOT-FOR-US: Dynacolor CVE-2019-13398 (Dynacolor FCM-MB40 v1.2.0.0 devices allow remote attackers to execute ...) NOT-FOR-US: Dynacolor CVE-2019-13397 (Unauthenticated Stored XSS in osTicket 1.10.1 allows a remote attacker ...) NOT-FOR-US: osTicket CVE-2019-13396 (FlightPath 4.x and 5.0-x allows directory traversal and Local File Inc ...) NOT-FOR-US: FlightPath CVE-2019-13395 (The Voo branded NETGEAR CG3700b custom firmware V2.02.03 allows CSRF a ...) NOT-FOR-US: Netgear CVE-2019-13394 (The Voo branded NETGEAR CG3700b custom firmware V2.02.03 uses HTTP Bas ...) NOT-FOR-US: Netgear CVE-2019-13393 (The Voo branded NETGEAR CG3700b custom firmware V2.02.03 uses the same ...) NOT-FOR-US: Netgear CVE-2019-13392 (A reflected Cross-Site Scripting (XSS) vulnerability in MindPalette Na ...) NOT-FOR-US: MindPalette NateMail CVE-2019-13391 (In ImageMagick 7.0.8-50 Q16, ComplexImages in MagickCore/fourier.c has ...) {DSA-4712-1} - imagemagick (low; bug #931633) [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (minor, wait for upstream to clear patch-related questions) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1588 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/f6ffc702c6eecd963587273a429dcd608c648984 NOTE: Patch is insufficient, partly reverted by the CVE-2019-13308 patch NOTE: which seems to be the actual patch for this issue. CVE-2019-13390 (In FFmpeg 4.1.3, there is a division by zero at adx_write_trailer in l ...) - ffmpeg 7:4.2.1-1 (low; bug #932535) [stretch] - ffmpeg (Minor issue, wait until fixed in 3.2.x branch) NOTE: https://trac.ffmpeg.org/ticket/7979 NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=aef24efb0c1e65097ab77a4bf9264189bdf3ace3 CVE-2019-13389 (RainLoop Webmail before 1.13.0 lacks XSS protection mechanisms such as ...) NOT-FOR-US: RainLoop Webmail CVE-2019-13388 RESERVED CVE-2019-13387 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.846, Reflected ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-13386 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.846, a hidden ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-13385 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.840, File and ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-13384 RESERVED CVE-2019-13383 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.846, the Login ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-13382 (UploaderService in SnagIT 2019.1.2 allows elevation of privilege by pl ...) NOT-FOR-US: SnagIT CVE-2019-13381 REJECTED CVE-2019-13380 (KEYNTO Team Password Manager 1.5.0 allows XSS because data saved from ...) NOT-FOR-US: KEYNTO Team Password Manager CVE-2019-13379 (On AVTECH Room Alert 3E devices before 2.2.5, an attacker with access ...) NOT-FOR-US: AVTECH Room Alert CVE-2019-13378 RESERVED CVE-2019-13377 (The implementations of SAE and EAP-pwd in hostapd and wpa_supplicant 2 ...) {DSA-4538-1} - wpa 2:2.9-1 (bug #934180) [stretch] - wpa (Introduced in 2.5) [jessie] - wpa (Introduced in 2.5) NOTE: https://wpa3.mathyvanhoef.com/#new NOTE: Added in v2.5: https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog: NOTE: "added support for Brainpool Elliptic Curves with SAE" NOTE: Patches: https://w1.fi/security/2019-6/ CVE-2019-13376 (phpBB version 3.2.7 allows the stealing of an Administration Control P ...) {DLA-1942-2 DLA-1942-1} - phpbb3 NOTE: https://ssd-disclosure.com/archives/4007/ssd-advisory-phpbb-csrf-token-hijacking-leading-to-stored-xss NOTE: fixed in 3.2.8 as 'SECURITY-246' NOTE: https://github.com/phpbb/phpbb/commit/cdf4f5ef85f05c0f94eae1a9edb1c28d4ac3515f NOTE: follow-up to incomplete fix for CVE-2019-16993 CVE-2019-16993 (In phpBB before 3.1.7-PL1, includes/acp/acp_bbcodes.php has improper v ...) {DLA-1942-2 DLA-1942-1} - phpbb3 NOTE: https://github.com/phpbb/phpbb/commit/18abef716ecf42a35416444f3f84f5459d573789 NOTE: https://www.phpbb.com/community/viewtopic.php?t=2352606 CVE-2019-13375 (A SQL Injection was discovered in D-Link Central WiFi Manager CWM(100) ...) NOT-FOR-US: D-Link CVE-2019-13374 (A cross-site scripting (XSS) vulnerability in resource view in PayActi ...) NOT-FOR-US: D-Link CVE-2019-13373 (An issue was discovered in the D-Link Central WiFi Manager CWM(100) be ...) NOT-FOR-US: D-Link CVE-2019-13372 (/web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager C ...) NOT-FOR-US: D-Link CVE-2019-13371 RESERVED CVE-2019-13370 (index.php/admin/permissions in Ignited CMS through 2017-02-19 allows C ...) NOT-FOR-US: Ignited CMS CVE-2019-13369 REJECTED CVE-2019-13368 REJECTED CVE-2019-13367 REJECTED CVE-2019-13366 RESERVED CVE-2019-13365 RESERVED CVE-2019-13364 (admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat& ...) - piwigo CVE-2019-13363 (admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nb ...) - piwigo CVE-2019-13362 (Codedoc v3.2 has a stack-based buffer overflow in add_variable in code ...) NOT-FOR-US: Codedoc CVE-2019-13361 (Smanos W100 1.0.0 devices have Insecure Permissions, exploitable by an ...) NOT-FOR-US: Smanos W100 1.0.0 devices CVE-2019-13360 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, remote at ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-13359 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, a cwpsrv- ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-13358 (lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows ...) NOT-FOR-US: OpenCats CVE-2019-13357 (In Total Defense Anti-virus 9.0.0.773, resource acquisition from the u ...) NOT-FOR-US: Total Defense Anti-virus CVE-2019-13356 (In Total Defense Anti-virus 9.0.0.773, insecure access control for the ...) NOT-FOR-US: Total Defense Anti-virus CVE-2019-13355 (In Total Defense Anti-virus 9.0.0.773, insecure access control for the ...) NOT-FOR-US: Total Defense Anti-virus CVE-2019-13354 (The strong_password gem 0.0.7 for Ruby, as distributed on RubyGems.org ...) NOT-FOR-US: strong_password gem CVE-2019-13353 RESERVED CVE-2019-13352 (WolfVision Cynap before 1.30j uses a static, hard-coded cryptographic ...) NOT-FOR-US: WolfVision Cynap CVE-2019-13351 (posix/JackSocket.cpp in libjack in JACK2 1.9.1 through 1.9.12 (as dist ...) - jackd2 (low; bug #931488) [buster] - jackd2 (Minor issue) [stretch] - jackd2 (Minor issue) [jessie] - jackd2 (Minor issue, hard to reproduce crash with theoretically possible file corruption, no sensitive data to leak) NOTE: https://github.com/jackaudio/jack2/pull/480 NOTE: https://github.com/jackaudio/jack2/commit/994e225bbb07a89f56147f7ce7d59beb49f8cfba CVE-2019-13350 RESERVED CVE-2019-13349 (In Knowage through 6.1.1, an authenticated user that accesses the user ...) NOT-FOR-US: Knowage CVE-2019-13348 (In Knowage through 6.1.1, an authenticated user who accesses the datas ...) NOT-FOR-US: Knowage CVE-2019-13347 (An issue was discovered in the SAML Single Sign On (SSO) plugin for se ...) NOT-FOR-US: SAML Single Sign On plugin for several Atlassian products CVE-2019-13346 (In MyT 1.5.1, the User[username] parameter has XSS. ...) NOT-FOR-US: MyT CVE-2019-13345 (The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_ ...) {DSA-4507-1 DLA-1847-1} - squid 4.8-1 (bug #931478) - squid3 NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_6.txt NOTE: https://bugs.squid-cache.org/show_bug.cgi?id=4957 NOTE: https://github.com/squid-cache/squid/pull/429 NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-be1dc8614e7514103ba84d4067ed6fd15ab8f82e.patch NOTE: Squid 3.x: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-5730c2b5cb56e7639dc423dd62651c8736a54e35.patch CVE-2019-13344 (An authentication bypass vulnerability in the CRUDLab WP Like Button p ...) NOT-FOR-US: CRUDLab WP Like Button plugin for WordPress CVE-2019-13343 (Butor Portal before 1.0.27 is affected by a Path Traversal vulnerabili ...) NOT-FOR-US: Butor Portal CVE-2019-13342 RESERVED CVE-2019-13341 (In MiniCMS V1.10, stored XSS was found in mc-admin/conf.php (comment b ...) NOT-FOR-US: MiniCMS CVE-2019-13340 (In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via t ...) NOT-FOR-US: MiniCMS CVE-2019-13339 (In MiniCMS V1.10, stored XSS was found in mc-admin/page-edit.php (cont ...) NOT-FOR-US: MiniCMS CVE-2019-13338 (In WESEEK GROWI before 3.5.0, a remote attacker can obtain the passwor ...) NOT-FOR-US: WESEEK GROWI CVE-2019-13337 (In WESEEK GROWI before 3.5.0, the site-wide basic authentication can b ...) NOT-FOR-US: WESEEK GROWI CVE-2019-13336 (The dbell Wi-Fi Smart Video Doorbell DB01-S Gen 1 allows remote attack ...) NOT-FOR-US: dbell Wi-Fi Smart Video Doorbell CVE-2019-13335 (SalesAgility SuiteCRM 7.10.x 7.10.19 and 7.11.x before and 7.11.7 has ...) NOT-FOR-US: SalesAgility SuiteCRM CVE-2019-13334 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-13333 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-13332 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2019-13331 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2019-13330 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2019-13329 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2019-13328 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2019-13327 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2019-13326 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2019-13325 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Studio Photo CVE-2019-13324 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Studio Photo CVE-2019-13323 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Studio Photo CVE-2019-13322 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit CVE-2019-13321 (This vulnerability allows network adjacent attackers to execute arbitr ...) NOT-FOR-US: Foxit CVE-2019-13320 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2019-13319 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2019-13318 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2019-13317 (This vulnerability allows remote atackers to execute arbitrary code on ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-13316 (This vulnerability allows remote atackers to execute arbitrary code on ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-13315 (This vulnerability allows remote atackers to execute arbitrary code on ...) NOT-FOR-US: Foxit Reader CVE-2019-13314 (virt-bootstrap 1.1.0 allows local users to discover a root password by ...) - virt-bootstrap (bug #871621) CVE-2019-13313 (libosinfo 1.5.0 allows local users to discover credentials by listing ...) - libosinfo 1.6.0-1 (bug #931479) [buster] - libosinfo (Minor issue) [stretch] - libosinfo (Minor issue) [jessie] - libosinfo (Minor issue, local transient password leak in `ps`, affected binary not used by other packages) NOTE: https://www.redhat.com/archives/libosinfo/2019-July/msg00026.html CVE-2019-13312 (block_cmp() in libavcodec/zmbvenc.c in FFmpeg 4.1.3 has a heap-based b ...) - ffmpeg (Vulnerable code not present) NOTE: https://trac.ffmpeg.org/ticket/7980 NOTE: Introduced in http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=0321370601833f4ae47e8e11c44570ea4bd382a4 CVE-2019-13311 (ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory becau ...) {DSA-4712-1} - imagemagick (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1623 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/bb812022d0bc12107db215c981cab0b1ccd73d91 CVE-2019-13310 (ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory becau ...) - imagemagick (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1616 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/5982632109cad48bc6dab867298fdea4dea57c51 CVE-2019-13309 (ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory becau ...) {DSA-4712-1} - imagemagick (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1616 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/5982632109cad48bc6dab867298fdea4dea57c51 CVE-2019-13308 (ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow in MagickCor ...) {DSA-4712-1} - imagemagick (low; bug #931447) [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (minor, wait for upstream to clear patch-related questions) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1595 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/19651f3db63fa1511ed83a348c4c82fa553f8d01 CVE-2019-13307 (ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at MagickCor ...) {DSA-4715-1 DSA-4712-1} - imagemagick (bug #931448) [jessie] - imagemagick (minor issue, patch fairly intrusive) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1615 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/91e58d967a92250439ede038ccfb0913a81e59fe NOTE: incomplete, introduces a memory leak, follow-up patches: NOTE: https://github.com/ImageMagick/ImageMagick6/commit/e6d26d4e2f07375ddbf46a857d309d51eeff7ee1 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/643921ca69a20b203faebd0b287d8b7012dc749d CVE-2019-13306 (ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/p ...) {DSA-4715-1 DSA-4712-1 DLA-1888-1} - imagemagick (bug #931449) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1612 NOTE: initial fix: NOTE: https://github.com/ImageMagick/ImageMagick6/commit/cb5ec7d98195aa74d5ed299b38eff2a68122f3fa NOTE: later reverted by the CVE-2019-13305 fix which is the right one: NOTE: https://github.com/ImageMagick/ImageMagick6/commit/5c7fbf9a14fb83c9685ad69d48899f490a37609d CVE-2019-13305 (ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/p ...) {DSA-4712-1 DLA-1888-1} - imagemagick (bug #931452) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1613 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/5c7fbf9a14fb83c9685ad69d48899f490a37609d CVE-2019-13304 (ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/p ...) {DSA-4715-1 DSA-4712-1 DLA-1888-1} - imagemagick (bug #931453) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1614 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/bfa3b9610c83227894c92b0d312ad327fceb6241 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/a2f84f23d064e98f423aa0d050ff98838cf0a1b1 CVE-2019-13303 (ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read in MagickCo ...) - imagemagick (Only affects Imagemagick 7) NOTE: https://github.com/ImageMagick/ImageMagick/commit/d29148fae06c01ef215940e084cf41853c117bab NOTE: https://github.com/ImageMagick/ImageMagick/issues/1603 CVE-2019-13302 (ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read in MagickCo ...) - imagemagick (Only affects Imagemagick 7) NOTE: https://github.com/ImageMagick/ImageMagick/commit/d5089971bd792311aaab5cb73460326d7ef7f32d NOTE: https://github.com/ImageMagick/ImageMagick/issues/1597 CVE-2019-13301 (ImageMagick 7.0.8-50 Q16 has memory leaks in AcquireMagickMemory becau ...) {DSA-4712-1} - imagemagick (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick6/commit/0b7d3675438cbcde824e751895847a0794406e08 CVE-2019-13300 (ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at MagickCor ...) {DSA-4715-1 DSA-4712-1} - imagemagick (bug #931454) [jessie] - imagemagick (minor issue, patch fairly intrusive) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1586 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/5e409ae7a389cdf2ed17469303be3f3f21cec450 CVE-2019-13299 (ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at MagickCo ...) - imagemagick (Only affects Imagemagick 7) NOTE: https://github.com/ImageMagick/ImageMagick/commit/8187d2d8fd010d2d6b1a3a8edd935beec404dddc NOTE: https://github.com/ImageMagick/ImageMagick/issues/1610 CVE-2019-13298 (ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at MagickCor ...) - imagemagick (Only affects Imagemagick 7) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1611 NOTE: https://github.com/ImageMagick/ImageMagick/commit/d4fc44b58a14f76b1ac997517d742ee12c9dc5d3 CVE-2019-13297 (ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at MagickCo ...) {DSA-4712-1 DLA-1888-1} - imagemagick (low; bug #931455) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1609 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/35c7032723d85eee7318ff6c82f031fa2666b773 NOTE: Some older version before the fixing commit did as well not check for NOTE: width size (cf. CVE-2019-13295). CVE-2019-13296 (ImageMagick 7.0.8-50 Q16 has direct memory leaks in AcquireMagickMemor ...) - imagemagick (Only affects Imagemagick 7) NOTE: https://github.com/ImageMagick/ImageMagick/commit/ce08a3691a8ac29125e29fc41967b3737fa3f425 NOTE: https://github.com/ImageMagick/ImageMagick/issues/1604 CVE-2019-13295 (ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at MagickCo ...) {DSA-4712-1 DLA-1888-1} - imagemagick (low; bug #931457) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1608 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/55e6dc49f1a381d9d511ee2f888fdc3e3c3e3953 CVE-2019-13294 (AROX School-ERP Pro has a command execution vulnerability. import_stud ...) NOT-FOR-US: AROX School-ERP Pro CVE-2019-13293 RESERVED CVE-2019-13292 (A SQL Injection issue was discovered in webERP 4.15. Payments.php acce ...) NOT-FOR-US: webERP CVE-2019-13291 (In Xpdf 4.01.01, there is a heap-based buffer over-read in the functio ...) - xpdf (xpdf in Debian uses poppler, which is fixed) CVE-2019-13290 (Artifex MuPDF 1.15.0 has a heap-based buffer overflow in fz_append_dis ...) - mupdf 1.15.0+ds1-1 (bug #931475) [jessie] - mupdf (Vulnerable code introduced later) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=701118 NOTE: http://git.ghostscript.com/?p=mupdf.git;h=aaf794439e40a2ef544f15b50c20e657414dec7a NOTE: http://git.ghostscript.com/?p=mupdf.git;h=ed19bc806809ad10c4ddce515d375581b86ede85 NOTE: Introduced in 1.6 / http://git.ghostscript.com/?p=mupdf.git;a=commit;f=source/fitz/list-device.c;h=e9411aba2b71b67b8521f55917ab26585c464b88 CVE-2019-13289 (In Xpdf 4.01.01, there is a use-after-free vulnerability in the functi ...) - xpdf (xpdf in Debian uses poppler, which is fixed) CVE-2019-13288 (In Xpdf 4.01.01, the Parser::getObj() function in Parser.cc may cause ...) - xpdf (xpdf in Debian uses poppler, which is fixed) CVE-2019-13287 (In Xpdf 4.01.01, there is an out-of-bounds read vulnerability in the f ...) - xpdf (xpdf in Debian uses poppler, which is fixed) CVE-2019-13286 (In Xpdf 4.01.01, there is a heap-based buffer over-read in the functio ...) - xpdf (xpdf in Debian uses poppler, which is fixed) CVE-2019-13285 (CoSoSys Endpoint Protector 5.1.0.2 allows Host Header Injection. ...) NOT-FOR-US: CoSoSys Endpoint Protector CVE-2019-13284 RESERVED CVE-2019-13283 (In Xpdf 4.01.01, a heap-based buffer over-read could be triggered in s ...) - xpdf (xpdf in Debian uses poppler, which is fixed) CVE-2019-13282 (In Xpdf 4.01.01, a heap-based buffer over-read could be triggered in S ...) - xpdf (xpdf in Debian uses poppler, which is fixed) CVE-2019-13281 (In Xpdf 4.01.01, a heap-based buffer overflow could be triggered in DC ...) - xpdf (xpdf in Debian uses poppler, which is fixed) CVE-2019-13280 (TRENDnet TEW-827DRU with firmware up to and including 2.04B03 contains ...) NOT-FOR-US: TRENDnet CVE-2019-13279 (TRENDnet TEW-827DRU with firmware up to and including 2.04B03 contains ...) NOT-FOR-US: TRENDnet CVE-2019-13278 (TRENDnet TEW-827DRU with firmware up to and including 2.04B03 contains ...) NOT-FOR-US: TRENDnet CVE-2019-13277 (TRENDnet TEW-827DRU with firmware up to and including 2.04B03 allows a ...) NOT-FOR-US: TRENDnet TEW-827DRU CVE-2019-13276 (TRENDnet TEW-827DRU with firmware up to and including 2.04B03 contains ...) NOT-FOR-US: TRENDnet CVE-2019-13275 (An issue was discovered in the VeronaLabs wp-statistics plugin before ...) NOT-FOR-US: VeronaLabs wp-statistics plugin for WordPress CVE-2019-13274 (In Xymon through 4.3.28, an XSS vulnerability exists in the csvinfo CG ...) {DLA-1898-1} - xymon 4.3.29-1 [buster] - xymon 4.3.28-5+deb10u1 [stretch] - xymon 4.3.28-2+deb9u1 NOTE: https://lists.xymon.com/archive/2019-July/046570.html CVE-2019-13273 (In Xymon through 4.3.28, a buffer overflow vulnerability exists in the ...) {DLA-1898-1} - xymon 4.3.29-1 [buster] - xymon 4.3.28-5+deb10u1 [stretch] - xymon 4.3.28-2+deb9u1 NOTE: https://lists.xymon.com/archive/2019-July/046570.html CVE-2019-13272 (In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mish ...) {DSA-4484-1 DLA-1863-1 DLA-1862-1} - linux 4.19.37-6 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1140671 NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1903 NOTE: https://git.kernel.org/linus/6994eefb0053799d2e07cd140df6c2ea106c41ee CVE-2019-13271 (Edimax BR-6208AC V1 devices have Insufficient Compartmentalization bet ...) NOT-FOR-US: Edimax BR-6208AC V1 devices CVE-2019-13270 (Edimax BR-6208AC V1 devices have Insufficient Compartmentalization bet ...) NOT-FOR-US: Edimax BR-6208AC V1 devices CVE-2019-13269 (Edimax BR-6208AC V1 devices have Insufficient Compartmentalization bet ...) NOT-FOR-US: Edimax BR-6208AC V1 devices CVE-2019-13268 (TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Com ...) NOT-FOR-US: TP-Link CVE-2019-13267 (TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Com ...) NOT-FOR-US: TP-Link CVE-2019-13266 (TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Com ...) NOT-FOR-US: TP-Link CVE-2019-13265 (D-link DIR-825AC G1 devices have Insufficient Compartmentalization bet ...) NOT-FOR-US: D-link CVE-2019-13264 (D-link DIR-825AC G1 devices have Insufficient Compartmentalization bet ...) NOT-FOR-US: D-link CVE-2019-13263 (D-link DIR-825AC G1 devices have Insufficient Compartmentalization bet ...) NOT-FOR-US: D-link CVE-2019-13262 (XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x0000 ...) NOT-FOR-US: XnView CVE-2019-13261 (XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x0000 ...) NOT-FOR-US: XnView CVE-2019-13260 (XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x0000 ...) NOT-FOR-US: XnView CVE-2019-13259 (XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x0000 ...) NOT-FOR-US: XnView CVE-2019-13258 (XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x0000 ...) NOT-FOR-US: XnView CVE-2019-13257 (XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x0000 ...) NOT-FOR-US: XnView CVE-2019-13256 (XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x0000 ...) NOT-FOR-US: XnView CVE-2019-13255 (XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x0000 ...) NOT-FOR-US: XnView CVE-2019-13254 (XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x0000 ...) NOT-FOR-US: XnView CVE-2019-13253 (XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x0000 ...) NOT-FOR-US: XnView CVE-2019-13252 (ACDSee Free 1.1.21 has a User Mode Write AV starting at IDE_ACDStd!IEP ...) NOT-FOR-US: ACDSee Free CVE-2019-13251 (ACDSee Free 1.1.21 has a User Mode Write AV starting at IDE_ACDStd!IEP ...) NOT-FOR-US: ACDSee Free CVE-2019-13250 (ACDSee Free 1.1.21 has a User Mode Write AV starting at IDE_ACDStd!IEP ...) NOT-FOR-US: ACDSee Free CVE-2019-13249 (ACDSee Free 1.1.21 has a User Mode Write AV starting at IDE_ACDStd!IEP ...) NOT-FOR-US: ACDSee Free CVE-2019-13248 (ACDSee Free 1.1.21 has a User Mode Write AV starting at IDE_ACDStd!JPE ...) NOT-FOR-US: ACDSee Free CVE-2019-13247 (ACDSee Free 1.1.21 has a User Mode Write AV starting at IDE_ACDStd!JPE ...) NOT-FOR-US: ACDSee Free CVE-2019-13246 (FastStone Image Viewer 7.0 has a User Mode Write AV starting at image0 ...) NOT-FOR-US: FastStone Image Viewer CVE-2019-13245 (FastStone Image Viewer 7.0 has a User Mode Write AV starting at image0 ...) NOT-FOR-US: FastStone Image Viewer CVE-2019-13244 (FastStone Image Viewer 7.0 has a User Mode Write AV starting at image0 ...) NOT-FOR-US: FastStone Image Viewer CVE-2019-13243 (IrfanView 4.52 has a User Mode Write AV starting at image00400000+0x00 ...) NOT-FOR-US: IrfanView CVE-2019-13242 (IrfanView 4.52 has a User Mode Write AV starting at image00400000+0x00 ...) NOT-FOR-US: IrfanView CVE-2019-13241 (FlightCrew v0.9.2 and older are vulnerable to a directory traversal, a ...) - flightcrew 0.7.2+dfsg-14 [buster] - flightcrew 0.7.2+dfsg-13+deb10u1 [stretch] - flightcrew 0.7.2+dfsg-9+deb9u1 NOTE: https://github.com/Sigil-Ebook/flightcrew/issues/52 CVE-2019-13240 (An issue was discovered in GLPI before 9.4.1. After a successful passw ...) - glpi (unimportant) NOTE: https://github.com/glpi-project/glpi/commit/5da9f99b2d81713b1e36016b47ce656a33648bc7 NOTE: https://github.com/glpi-project/glpi/commit/86a43ae47b3dd844947f40a2ffcf1a36e53dbba6 NOTE: Only supported behind an authenticated HTTP zone CVE-2019-13239 (inc/user.class.php in GLPI before 9.4.3 allows XSS via a user picture. ...) - glpi (unimportant) NOTE: https://github.com/glpi-project/glpi/commit/c2aa7a7cd6af28be3809acc7e7842d2d2008c0fb NOTE: Only supported behind an authenticated HTTP zone CVE-2019-13238 (An issue was discovered in Bento4 1.5.1.0. A memory allocation failure ...) NOT-FOR-US: Bento4 CVE-2019-13237 (In Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple resources vul ...) NOT-FOR-US: Alkacon OpenCms CVE-2019-13236 (In system/workplace/ in Alkacon OpenCms 10.5.4 and 10.5.5, there are m ...) NOT-FOR-US: Alkacon OpenCms CVE-2019-13235 (In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS ...) NOT-FOR-US: Alkacon OpenCms CVE-2019-13234 (In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS ...) NOT-FOR-US: Alkacon OpenCms CVE-2019-13232 (Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP co ...) {DLA-1846-1} - unzip 6.0-24 (unimportant; bug #931433) [buster] - unzip 6.0-23+deb10u1 [stretch] - unzip 6.0-21+deb9u2 NOTE: https://www.bamsoftware.com/hacks/zipbomb/ NOTE: Fixed by: https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c NOTE: Fix depends on: https://github.com/madler/unzip/commit/41beb477c5744bc396fa1162ee0c14218ec12213 NOTE: Further commit needed: https://github.com/madler/unzip/commit/6d351831be705cc26d897db44f878a978f4138fc NOTE: No security impact, crash in CLI tool, any server implementing automatic extraction needs NOTE: to apply resource limits anyway NOTE: https://www.openwall.com/lists/oss-security/2019/08/06/3 CVE-2019-13231 RESERVED CVE-2019-13230 RESERVED CVE-2019-13229 (deepin-clone before 1.1.3 uses a fixed path /tmp/partclone.log in the ...) - deepin-clone (bug #873045) CVE-2019-13228 (deepin-clone before 1.1.3 uses a fixed path /tmp/repo.iso in the BootD ...) - deepin-clone (bug #873045) CVE-2019-13227 (In GUI mode, deepin-clone before 1.1.3 creates a log file at the fixed ...) - deepin-clone (bug #873045) CVE-2019-13226 (deepin-clone before 1.1.3 uses a predictable path /tmp/.deepin-clone/m ...) - deepin-clone (bug #873045) CVE-2018-20850 (Stormshield Network Security 2.0.0 through 2.13.0 and 3.0.0 through 3. ...) NOT-FOR-US: Stormshield Network Security CVE-2019-13233 (In arch/x86/lib/insn-eval.c in the Linux kernel before 5.1.9, there is ...) {DSA-4495-1} - linux 5.2.6-1 [stretch] - linux (Vulnerable code introduced later) [jessie] - linux (Vulnerable code introduced later) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1879 NOTE: Fixed by: https://git.kernel.org/linus/de9f869616dd95e95c00bdd6b0fcd3421e8a4323 CVE-2019-13225 (A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9 ...) - libonig 6.9.2-1 (low; bug #931878) [buster] - libonig (Minor issue) [stretch] - libonig (Minor issue) [jessie] - libonig (vulnerable code was introduced later) NOTE: https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c CVE-2019-13224 (A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 a ...) {DLA-1854-1} - libonig 6.9.2-1 (low; bug #931878) [buster] - libonig (Minor issue) [stretch] - libonig (Minor issue) NOTE: https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55 CVE-2019-13223 (A reachable assertion in the lookup1_values function in stb_vorbis thr ...) - libstb 0.0~git20190817.1.052dce1-1 (bug #934966) [buster] - libstb (Minor issue) NOTE: https://github.com/nothings/stb/commit/98fdfc6df88b1e34a736d5e126e6c8139c8de1a6 NOTE: Potentially affects liblivemedia, retroarch, godot, yquake2, pax-britannica, libxmp, faudio CVE-2019-13222 (An out-of-bounds read of a global buffer in the draw_line function in ...) - libstb 0.0~git20190817.1.052dce1-1 (bug #934966) [buster] - libstb (Minor issue) NOTE: https://github.com/nothings/stb/commit/98fdfc6df88b1e34a736d5e126e6c8139c8de1a6 NOTE: Potentially affects liblivemedia, retroarch, godot, yquake2, pax-britannica, libxmp, faudio CVE-2019-13221 (A stack buffer overflow in the compute_codewords function in stb_vorbi ...) - libstb 0.0~git20190817.1.052dce1-1 (bug #934966) [buster] - libstb (Minor issue) NOTE: https://github.com/nothings/stb/commit/98fdfc6df88b1e34a736d5e126e6c8139c8de1a6 NOTE: Potentially affects godot, libxmp, pax-britannica, faudio, retroarch, yquake2 CVE-2019-13220 (Use of uninitialized stack variables in the start_decoder function in ...) - libstb 0.0~git20190817.1.052dce1-1 (bug #934966) [buster] - libstb (Minor issue) NOTE: https://github.com/nothings/stb/commit/98fdfc6df88b1e34a736d5e126e6c8139c8de1a6 NOTE: Potentially affects liblivemedia, retroarch, godot, yquake2, pax-britannica, libxmp, faudio CVE-2019-13219 (A NULL pointer dereference in the get_window function in stb_vorbis th ...) - libstb 0.0~git20190817.1.052dce1-1 (bug #934966) [buster] - libstb (Minor issue) NOTE: https://github.com/nothings/stb/commit/98fdfc6df88b1e34a736d5e126e6c8139c8de1a6 NOTE: Potentially affects liblivemedia, retroarch, godot, yquake2, pax-britannica, libxmp, faudio CVE-2019-13218 (Division by zero in the predict_point function in stb_vorbis through 2 ...) - libstb 0.0~git20190817.1.052dce1-1 (bug #934966) [buster] - libstb (Minor issue) NOTE: https://github.com/nothings/stb/commit/98fdfc6df88b1e34a736d5e126e6c8139c8de1a6 NOTE: Potentially affects godot, libxmp, pax-britannica, faudio, retroarch, yquake2 CVE-2019-13217 (A heap buffer overflow in the start_decoder function in stb_vorbis thr ...) - libstb 0.0~git20190817.1.052dce1-1 (bug #934966) [buster] - libstb (Minor issue) NOTE: https://github.com/nothings/stb/commit/98fdfc6df88b1e34a736d5e126e6c8139c8de1a6 NOTE: Potentially affects liblivemedia, retroarch, godot, yquake2, pax-britannica, libxmp, faudio CVE-2019-13216 RESERVED CVE-2019-13215 RESERVED CVE-2019-13214 RESERVED CVE-2019-13213 RESERVED CVE-2019-13212 RESERVED CVE-2019-13211 RESERVED CVE-2019-13210 RESERVED CVE-2019-13209 (Rancher 2 through 2.2.4 is vulnerable to a Cross-Site Websocket Hijack ...) NOT-FOR-US: Rancher CVE-2019-13208 (WavesSysSvc in Waves MAXX Audio allows privilege escalation because th ...) NOT-FOR-US: Waves MAXX Audio CVE-2019-13207 (nsd-checkzone in NLnet Labs NSD 4.2.0 has a Stack-based Buffer Overflo ...) - nsd 4.2.4-1 (low; bug #931476) [buster] - nsd (Minor issue) [stretch] - nsd (Minor issue) [jessie] - nsd (Minor issue, crash on malformed admin-controlled disk configuration) - nsd3 NOTE: https://github.com/NLnetLabs/nsd/issues/20 NOTE: https://github.com/NLnetLabs/nsd/commit/91102da24d5949ccfec8fdab5bae2d01c4cabab5 CVE-2019-13206 (Some Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) w ...) NOT-FOR-US: Kyocera CVE-2019-13205 (All configuration parameters of certain Kyocera printers (such as the ...) NOT-FOR-US: Kyocera CVE-2019-13204 (Some Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) w ...) NOT-FOR-US: Kyocera CVE-2019-13203 (Some Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) w ...) NOT-FOR-US: Kyocera CVE-2019-13202 (Some Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) w ...) NOT-FOR-US: Kyocera CVE-2019-13201 (Some Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) w ...) NOT-FOR-US: Kyocera CVE-2019-13200 (The web application of several Kyocera printers (such as the ECOSYS M5 ...) NOT-FOR-US: Kyocera CVE-2019-13199 (Some Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) d ...) NOT-FOR-US: Kyocera CVE-2019-13198 (The web application of several Kyocera printers (such as the ECOSYS M5 ...) NOT-FOR-US: Kyocera CVE-2019-13197 (Some Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) w ...) NOT-FOR-US: Kyocera CVE-2019-13196 (Some Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) w ...) NOT-FOR-US: Kyocera CVE-2019-13195 (The web application of some Kyocera printers (such as the ECOSYS M5526 ...) NOT-FOR-US: Kyocera CVE-2019-13194 (Some Brother printers (such as the HL-L8360CDW v1.20) were affected by ...) NOT-FOR-US: Brother CVE-2019-13193 (Some Brother printers (such as the HL-L8360CDW v1.20) were affected by ...) NOT-FOR-US: Brother CVE-2019-13192 (Some Brother printers (such as the HL-L8360CDW v1.20) were affected by ...) NOT-FOR-US: Brother CVE-2019-13191 (A SQL injection vulnerability in IntraMaps MapControl 8 allows attacke ...) NOT-FOR-US: IntraMaps MapControl CVE-2019-13190 (In Knowage through 6.1.1, the sign up page does not invalidate a valid ...) NOT-FOR-US: Knowage CVE-2019-13189 (In Knowage through 6.1.1, there is XSS via the start_url or user_id fi ...) NOT-FOR-US: Knowage CVE-2019-13188 (In Knowage through 6.1.1, an unauthenticated user can bypass access co ...) NOT-FOR-US: Knowage CVE-2019-13187 (The Rich Text Formatter (Redactor) extension through v1.1.1 for Sympho ...) NOT-FOR-US: Symphony CMS addon CVE-2019-13186 (In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via t ...) NOT-FOR-US: MiniCMS CVE-2019-13185 RESERVED CVE-2019-13184 RESERVED CVE-2019-13183 (Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as ...) NOT-FOR-US: Flarum CVE-2019-13182 (A stored cross-site scripting (XSS) vulnerability exists in the web UI ...) NOT-FOR-US: SolarWinds CVE-2019-13181 (A CSV injection vulnerability exists in the web UI of SolarWinds Serv- ...) NOT-FOR-US: SolarWinds CVE-2019-13180 RESERVED CVE-2019-13179 (Calamares versions 3.1 through 3.2.10 copies a LUKS encryption keyfile ...) - calamares 3.2.11-1 (bug #931392) [buster] - calamares (Mitigated via calamares-settings-debian in Debian) - calamares-settings-debian 10.0.23-1 (bug #931373) [buster] - calamares-settings-debian 10.0.20-1+deb10u1 NOTE: https://github.com/calamares/calamares/issues/1191 NOTE: https://github.com/calamares/calamares/commit/003096698627a527b589c0c929dda4d58f23fd93 NOTE: The issue itself can be adressed as well via calamares-settings-debian and NOTE: placing a more restrictive umask override in /etc/initramfs-tools/conf.d NOTE: directory. NOTE: https://github.com/calamares/calamares/commit/43eb664e7d44d963bb7b82d03215d84b47100ba0 NOTE: Fixed by: https://github.com/calamares/calamares/commit/c9b675cbc64ac5aab35ddd86a64311abd50f7720 CVE-2019-13178 (modules/luksbootkeyfile/main.py in Calamares versions 3.1 through 3.2. ...) - calamares 3.2.11-1 (unimportant; bug #931391) NOTE: https://github.com/calamares/calamares/issues/1190 NOTE: Fixed by: https://github.com/calamares/calamares/commit/c9b675cbc64ac5aab35ddd86a64311abd50f7720 NOTE: Negligible security impact, Debian live media grant a sudo root shell anyway CVE-2019-13177 (verification.py in django-rest-registration (aka Django REST Registrat ...) NOT-FOR-US: django-rest-registration CVE-2019-13176 (An issue was discovered in the 3CX Phone system (web) management conso ...) NOT-FOR-US: 3CX Phone system CVE-2019-13175 (Read the Docs before 3.5.1 has an Open Redirect if certain user-define ...) NOT-FOR-US: Read the Docs CVE-2019-13174 RESERVED CVE-2019-13173 (fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extra ...) - node-fstream 1.0.12-1 (bug #931408) [buster] - node-fstream 1.0.10-1+deb10u1 [stretch] - node-fstream 1.0.10-1+deb9u1 [jessie] - node-fstream (Nodejs in jessie not covered by security support) NOTE: https://www.npmjs.com/advisories/886 NOTE: https://github.com/npm/fstream/commit/6a77d2fa6e1462693cf8e46f930da96ec1b0bb22 CVE-2019-13172 (Some Xerox printers (such as the Phaser 3320 V53.006.16.000) were affe ...) NOT-FOR-US: Xerox CVE-2019-13171 (Some Xerox printers (such as the Phaser 3320 V53.006.16.000) were affe ...) NOT-FOR-US: Xerox CVE-2019-13170 (Some Xerox printers (such as the Phaser 3320 V53.006.16.000) did not i ...) NOT-FOR-US: Xerox CVE-2019-13169 (Some Xerox printers (such as the Phaser 3320 V53.006.16.000) were affe ...) NOT-FOR-US: Xerox CVE-2019-13168 (Some Xerox printers (such as the Phaser 3320 V53.006.16.000) were affe ...) NOT-FOR-US: Xerox CVE-2019-13167 (Multiple Stored XSS vulnerabilities were found in the Xerox Web Applic ...) NOT-FOR-US: Xerox CVE-2019-13166 (Some Xerox printers (such as the Phaser 3320 V53.006.16.000) did not i ...) NOT-FOR-US: Xerox CVE-2019-13165 (Some Xerox printers (such as the Phaser 3320 V53.006.16.000) were affe ...) NOT-FOR-US: Xerox CVE-2019-13164 (qemu-bridge-helper.c in QEMU 4.0.0 does not ensure that a network inte ...) {DSA-4512-1 DSA-4506-1 DLA-1927-1} - qemu 1:4.1-1 (bug #931351) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg00245.html NOTE: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=6f5d8671225dc77190647f18a27a0d156d4ca97a CVE-2019-13163 (The Fujitsu TLS library allows a man-in-the-middle attack. This affect ...) NOT-FOR-US: Fujitsu CVE-2019-13162 RESERVED CVE-2019-13161 (An issue was discovered in Asterisk Open Source through 13.27.0, 14.x ...) - asterisk 1:16.2.1~dfsg-2 (low; bug #931981) [buster] - asterisk 1:16.2.1~dfsg-1+deb10u1 [stretch] - asterisk (Minor issue) [jessie] - asterisk (Minor issue) NOTE: http://downloads.digium.com/pub/security/AST-2019-003.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-28465 CVE-2019-13160 RESERVED CVE-2019-13159 RESERVED CVE-2019-13158 RESERVED CVE-2019-13157 (nsGreen.dll in Naver Vaccine 2.1.4 allows remote attackers to overwrit ...) NOT-FOR-US: Naver Vaccine CVE-2019-13156 (NDrive(1.2.2).sys in Naver Cloud Explorer has a stack-based buffer ove ...) NOT-FOR-US: Naver Cloud Explorer CVE-2019-13155 (An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11 ...) NOT-FOR-US: TRENDnet TEW-827DRU firmware CVE-2019-13154 (An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11 ...) NOT-FOR-US: TRENDnet TEW-827DRU firmware CVE-2019-13153 (An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11 ...) NOT-FOR-US: TRENDnet TEW-827DRU firmware CVE-2019-13152 (An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11 ...) NOT-FOR-US: TRENDnet TEW-827DRU firmware CVE-2019-13151 (An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11 ...) NOT-FOR-US: TRENDnet TEW-827DRU firmware CVE-2019-13150 (An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11 ...) NOT-FOR-US: TRENDnet TEW-827DRU firmware CVE-2019-13149 (An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11 ...) NOT-FOR-US: TRENDnet TEW-827DRU firmware CVE-2019-13148 (An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11 ...) NOT-FOR-US: TRENDnet TEW-827DRU firmware CVE-2019-13147 (In Audio File Library (aka audiofile) 0.3.6, there exists one NULL poi ...) - audiofile (low; bug #931343) [buster] - audiofile (Minor issue) [stretch] - audiofile (Minor issue) [jessie] - audiofile (Minor issue, local DoS) NOTE: https://github.com/mpruett/audiofile/issues/54 CVE-2019-13146 (The field_test gem 0.3.0 for Ruby has unvalidated input. A method call ...) NOT-FOR-US: field_test gem CVE-2019-13145 REJECTED CVE-2019-13144 (myTinyTodo 1.3.3 through 1.4.3 allows CSV Injection. This is fixed in ...) NOT-FOR-US: myTinyTodo CVE-2019-13143 (An HTTP parameter pollution issue was discovered on Shenzhen Dragon Br ...) NOT-FOR-US: Shenzhen Dragon Brothers Fingerprint Bluetooth Round Padlock FB50 CVE-2019-13142 (The RzSurroundVADStreamingService (RzSurroundVADStreamingService.exe) ...) NOT-FOR-US: Razer Surround CVE-2019-13141 RESERVED CVE-2019-13140 (Inteno EG200 EG200-WU7P1U_ADAMO3.16.4-190226_1650 routers have a JUCI ...) NOT-FOR-US: Inteno CVE-2019-13139 (In Docker before 18.09.4, an attacker who is capable of supplying or m ...) {DSA-4521-1} [experimental] - docker.io 18.09.5+dfsg1-1 - docker.io 18.09.1+dfsg1-8 (bug #933002) NOTE: https://github.com/moby/moby/pull/38944 NOTE: https://staaldraad.github.io/post/2019-07-16-cve-2019-13139-docker-build/ CVE-2019-13138 RESERVED CVE-2019-13137 (ImageMagick before 7.0.8-50 has a memory leak vulnerability in the fun ...) {DSA-4712-1} - imagemagick (unimportant; bug #931342) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1601 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/7d11230060fa9c8f67e53c85224daf6648805c7b CVE-2019-13136 (ImageMagick before 7.0.8-50 has an integer overflow vulnerability in t ...) - imagemagick (Vulnerable code introduced later) NOTE: https://github.com/ImageMagick/ImageMagick/commit/fe5f4b85e6b1b54d3b4588a77133c06ade46d891 NOTE: https://github.com/ImageMagick/ImageMagick/issues/1602 CVE-2019-13135 (ImageMagick before 7.0.8-50 has a "use of uninitialized value" vulnera ...) {DSA-4712-1 DLA-1888-1} - imagemagick (bug #932079) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1599 NOTE: https://github.com/ImageMagick/ImageMagick/commit/cdb383749ef7b68a38891440af8cc23e0115306d (7.x) NOTE: https://github.com/ImageMagick/ImageMagick6/commit/1e59b29e520d2beab73e8c78aacd5f1c0d76196d (6.x) CVE-2019-13134 (ImageMagick before 7.0.8-50 has a memory leak vulnerability in the fun ...) - imagemagick (Only affects Imagemagick 7) NOTE: https://github.com/ImageMagick/ImageMagick/commit/fe3066122ef72c82415811d25e9e3fad622c0a99 NOTE: https://github.com/ImageMagick/ImageMagick/issues/1600 CVE-2019-13133 (ImageMagick before 7.0.8-50 has a memory leak vulnerability in the fun ...) - imagemagick (Only affects Imagemagick 7) NOTE: https://github.com/ImageMagick/ImageMagick/commit/fe3066122ef72c82415811d25e9e3fad622c0a99 NOTE: https://github.com/ImageMagick/ImageMagick/issues/1600 CVE-2019-13132 (In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4. ...) {DSA-4477-1 DLA-1849-1} - zeromq3 4.3.1-5 NOTE: https://github.com/zeromq/libzmq/issues/3558 CVE-2019-13131 (Super Micro SuperDoctor 5, when restrictions are not implemented in ag ...) NOT-FOR-US: Super Micro SuperDoctor CVE-2019-13130 RESERVED CVE-2019-13129 (On the Motorola router CX2L MWR04L 1.01, there is a stack consumption ...) NOT-FOR-US: Motorola CVE-2019-13128 (An issue was discovered on D-Link DIR-823G devices with firmware 1.02B ...) NOT-FOR-US: D-Link CVE-2019-13127 (An issue was discovered in mxGraph through 4.0.0, related to the "draw ...) NOT-FOR-US: mxGraph CVE-2019-13126 (An integer overflow in NATS Server before 2.0.2 allows a remote attack ...) NOT-FOR-US: NATS Server CVE-2019-13125 (HaboMalHunter through 2.0.0.3 in Tencent Habo allows attackers to evad ...) NOT-FOR-US: Tencent CVE-2019-13124 (Foxit Reader 9.6.0.25114 and earlier has two unique RecursiveCall bugs ...) NOT-FOR-US: Foxit Reader CVE-2019-13123 (Foxit Reader 9.6.0.25114 and earlier has two unique RecursiveCall bugs ...) NOT-FOR-US: Foxit Reader CVE-2019-13122 (A Cross Site Scripting (XSS) vulnerability exists in the template tag ...) NOT-FOR-US: Patchwork CVE-2019-13121 (An issue was discovered in GitLab Enterprise Edition 10.6 through 12.0 ...) [experimental] - gitlab 11.10.8+dfsg-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/2019/07/03/security-release-gitlab-12-dot-0-dot-3-released/ CVE-2019-13120 (Amazon FreeRTOS up to and including v1.4.8 lacks length checking in pr ...) NOT-FOR-US: Amazon FreeRTOS CVE-2019-13119 RESERVED CVE-2019-13118 (In numbers.c in libxslt 1.1.33, a type holding grouping characters of ...) {DLA-1860-1} - libxslt 1.1.32-2.1 (low; bug #931320; bug #933743) [buster] - libxslt 1.1.32-2.1~deb10u1 [stretch] - libxslt 1.1.29-2.1+deb9u1 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15069 NOTE: https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b NOTE: https://oss-fuzz.com/testcase-detail/5197371471822848 CVE-2019-13117 (In numbers.c in libxslt 1.1.33, an xsl:number with certain format stri ...) {DLA-1860-1} - libxslt 1.1.32-2.1 (low; bug #931321; bug #933743) [buster] - libxslt 1.1.32-2.1~deb10u1 [stretch] - libxslt 1.1.29-2.1+deb9u1 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14471 NOTE: https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 NOTE: https://oss-fuzz.com/testcase-detail/5631739747106816 CVE-2019-13116 (The MuleSoft Mule Community Edition runtime engine before 3.8 allows r ...) NOT-FOR-US: MuleSoft Mule CVE-2019-13115 (In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha2 ...) {DLA-1730-3} - libssh2 (bug #932329) [buster] - libssh2 (Minor issue) [stretch] - libssh2 (Minor issue) NOTE: https://blog.semmle.com/libssh2-integer-overflow/ NOTE: https://github.com/libssh2/libssh2/pull/350 CVE-2019-13114 (http.c in Exiv2 through 0.27.1 allows a malicious http server to cause ...) - exiv2 0.27.2-6 (low) [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) [jessie] - exiv2 (HTTP support yet added in 0.25) NOTE: https://github.com/Exiv2/exiv2/commit/ccde30afa8ca787a3fe17388a15977f107a53b72 NOTE: https://github.com/Exiv2/exiv2/issues/793 CVE-2019-13113 (Exiv2 through 0.27.1 allows an attacker to cause a denial of service ( ...) - exiv2 0.27.2-6 (unimportant) NOTE: https://github.com/Exiv2/exiv2/commit/6212806b7637be683a56c769a8d905153996d933 NOTE: https://github.com/Exiv2/exiv2/commit/ccde30afa8ca787a3fe17388a15977f107a53b72 NOTE: https://github.com/Exiv2/exiv2/issues/841 NOTE: Negligible security impact CVE-2019-13112 (A PngChunk::parseChunkContent uncontrolled memory allocation in Exiv2 ...) - exiv2 0.27.2-6 (low) [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) [jessie] - exiv2 (Minor issue, clean exception / local DoS) NOTE: https://github.com/Exiv2/exiv2/commit/1ed1e03c83802547585833fa9d4433af94798778 NOTE: https://github.com/Exiv2/exiv2/issues/845 CVE-2019-13111 (A WebPImage::decodeChunks integer overflow in Exiv2 through 0.27.1 all ...) - exiv2 (Only affected 0.27, vulnerable versions were only in experimental) NOTE: https://github.com/Exiv2/exiv2/issues/791 NOTE: https://github.com/Exiv2/exiv2/pull/797/commits CVE-2019-13110 (A CiffDirectory::readDirectory integer overflow and out-of-bounds read ...) - exiv2 0.27.2-6 (low) [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) [jessie] - exiv2 (Minor issue, read segfault) NOTE: https://github.com/Exiv2/exiv2/issues/843 NOTE: https://github.com/Exiv2/exiv2/commit/9628f82084ed30d494ddd4f7360d233801e22967 CVE-2019-13109 (An integer overflow in Exiv2 through 0.27.1 allows an attacker to caus ...) - exiv2 0.27.2-6 (low) [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) [jessie] - exiv2 (ICC-specific support added in 0.26, PoC doesn't crash) NOTE: https://github.com/Exiv2/exiv2/commit/491c3ebe3b3faa6d8f75fb28146186792c2439da NOTE: https://github.com/Exiv2/exiv2/issues/790 CVE-2019-13108 (An integer overflow in Exiv2 through 0.27.1 allows an attacker to caus ...) - exiv2 0.27.2-6 (low) [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) [jessie] - exiv2 (ICC-specific support added in 0.26, PoC doesn't crash) NOTE: https://github.com/Exiv2/exiv2/commit/5d1d6981229b5e44401bf5c503100553fc7d877a NOTE: https://github.com/Exiv2/exiv2/issues/789 CVE-2019-13107 (Multiple integer overflows exist in MATIO before 1.5.16, related to ma ...) [experimental] - libmatio 1.5.16-1 - libmatio 1.5.17-3 (bug #931323) [buster] - libmatio (Minor issue) [stretch] - libmatio (Minor issue) [jessie] - libmatio (Minor issue, hard to backport) NOTE: Several commits between 1.5.15..1.5.16: https://github.com/tbeu/matio/compare/f8cd397...fabac6c CVE-2019-13106 (Das U-Boot versions 2016.09 through 2019.07-rc4 can memset() too much ...) - u-boot 2020.01+dfsg-1 (low) [buster] - u-boot (Minor issue) [stretch] - u-boot (Minor issue) [jessie] - u-boot (Minor issue) NOTE: https://lists.denx.de/pipermail/u-boot/2019-July/375516.html NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/e205896c5383c938274262524adceb2775fb03ba CVE-2019-13105 (Das U-Boot versions 2019.07-rc1 through 2019.07-rc4 can double-free a ...) - u-boot 2020.01+dfsg-1 (low) [buster] - u-boot (Minor issue) [stretch] - u-boot (Minor issue) [jessie] - u-boot (Minor issue) NOTE: https://lists.denx.de/pipermail/u-boot/2019-July/375513.html NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/6e5a79de658cb1c8012c86e0837379aa6eabd024 CVE-2019-13104 (In Das U-Boot versions 2016.11-rc1 through 2019.07-rc4, an underflow c ...) - u-boot 2020.01+dfsg-1 (low) [buster] - u-boot (Minor issue) [stretch] - u-boot (Minor issue) [jessie] - u-boot (Minor issue) NOTE: https://lists.denx.de/pipermail/u-boot/2019-July/375514.html NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/878269dbe74229005dd7f27aca66c554e31dad8e CVE-2019-13103 (A crafted self-referential DOS partition table will cause all Das U-Bo ...) - u-boot 2020.01+dfsg-1 (low) [buster] - u-boot (Minor issue) [stretch] - u-boot (Minor issue) [jessie] - u-boot (Minor issue) NOTE: https://lists.denx.de/pipermail/u-boot/2019-July/375512.html NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/232e2f4fd9a24bf08215ddc8c53ccadffc841fb5 CVE-2019-13102 RESERVED CVE-2019-13101 (An issue was discovered on D-Link DIR-600M 3.02, 3.03, 3.04, and 3.06 ...) NOT-FOR-US: D-Link CVE-2019-13100 (The Send Anywhere application 9.4.18 for Android stores confidential i ...) NOT-FOR-US: Send Anywhere application for Android CVE-2019-13099 (The Momo application 2.1.9 for Android stores confidential information ...) NOT-FOR-US: Momo application for Android CVE-2019-13098 (The user password via the registration form of TronLink Wallet 2.2.0 i ...) NOT-FOR-US: TronLink Wallet CVE-2019-13097 (The application API of Cat Runner Decorate Home version 2.8.0 for Andr ...) NOT-FOR-US: Cat Runner Decorate Home CVE-2019-13096 (TronLink Wallet 2.2.0 stores user wallet keystore in plaintext and pla ...) NOT-FOR-US: TronLink Wallet CVE-2019-13095 RESERVED CVE-2019-13094 RESERVED CVE-2019-13093 RESERVED CVE-2019-13092 RESERVED CVE-2019-13091 RESERVED CVE-2019-13090 RESERVED CVE-2019-13089 RESERVED CVE-2019-13088 RESERVED CVE-2019-13087 RESERVED CVE-2019-13086 (core/MY_Security.php in CSZ CMS 1.2.2 before 2019-06-20 has member/log ...) NOT-FOR-US: CSZ CMS CVE-2019-13085 (XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x0000 ...) NOT-FOR-US: XnView CVE-2019-13084 (XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x0000 ...) NOT-FOR-US: XnView CVE-2019-13083 (XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x0000 ...) NOT-FOR-US: XnView CVE-2019-13082 (Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_ ...) NOT-FOR-US: Chamilo LMS CVE-2019-13081 (Quest KACE Systems Management Appliance Server Center 9.1.317 has an X ...) NOT-FOR-US: Quest KACE Systems Management Appliance Server Center CVE-2019-13080 (Quest KACE Systems Management Appliance Server Center 9.1.317 has an X ...) NOT-FOR-US: Quest KACE Systems Management Appliance Server Center CVE-2019-13079 (Quest KACE Systems Management Appliance Server Center 9.1.317 is vulne ...) NOT-FOR-US: Quest KACE Systems Management Appliance Server Center CVE-2019-13078 (Quest KACE Systems Management Appliance Server Center 9.1.317 is vulne ...) NOT-FOR-US: Quest KACE Systems Management Appliance Server Center CVE-2019-13077 (Quest KACE Systems Management Appliance Server Center 9.1.317 has an X ...) NOT-FOR-US: Quest KACE Systems Management Appliance Server Center CVE-2019-13076 (Quest KACE Systems Management Appliance Server Center 9.1.317 is vulne ...) NOT-FOR-US: Quest KACE Systems Management Appliance Server Center CVE-2019-13075 (Tor Browser through 8.5.3 has an information exposure vulnerability. I ...) - firefox-esr 68.2.0esr-1 (unimportant) - firefox 68.0-1 (unimportant) NOTE: https://hackerone.com/reports/588239 NOTE: https://trac.torproject.org/projects/tor/ticket/30657 NOTE: This affects Firefox, but it's not a security issue in Firefox by itself CVE-2019-13074 (A vulnerability in the FTP daemon on MikroTik routers through 6.44.3 c ...) NOT-FOR-US: MikroTik CVE-2019-13073 RESERVED CVE-2018-20849 (Arastta eCommerce 1.6.2 is vulnerable to XSS via the PATH_INFO to the ...) NOT-FOR-US: Arastta eCommerce CVE-2018-20848 (Advisto PEEL SHOPPING 9.0.0 has CSRF via en/achat/caddie_ajout.php and ...) NOT-FOR-US: Advisto PEEL SHOPPING CVE-2019-13072 (Stored XSS in the Filters page (Name field) in ZoneMinder 1.32.3 allow ...) - zoneminder 1.34.6-1 NOTE: https://github.com/ZoneMinder/zoneminder/issues/2642 CVE-2019-13071 (CSRF in the Agent/Center component of CyberPower PowerPanel Business E ...) NOT-FOR-US: CyberPower PowerPanel Business Edition CVE-2019-13070 (A stored XSS vulnerability in the Agent/Center component of CyberPower ...) NOT-FOR-US: CyberPower PowerPanel Business Edition CVE-2019-13069 (extenua SilverSHielD 6.x fails to secure its ProgramData folder, leadi ...) NOT-FOR-US: extenua SilverSHielD CVE-2019-13068 (public/app/features/panel/panel_ctrl.ts in Grafana before 6.2.5 allows ...) - grafana NOTE: https://github.com/grafana/grafana/issues/17718 CVE-2019-13067 (njs through 0.3.3, used in NGINX, has a buffer over-read in nxt_utf8_d ...) NOT-FOR-US: njs CVE-2019-13066 (Sahi Pro 8.0.0 has a script manager arena located at _s_/dyn/pro/DBRep ...) NOT-FOR-US: Sahi Pro CVE-2019-13065 RESERVED CVE-2019-13064 RESERVED CVE-2019-13063 (Within Sahi Pro 8.0.0, an attacker can send a specially crafted URL to ...) NOT-FOR-US: Sahi Pro CVE-2019-13062 RESERVED CVE-2019-13061 RESERVED CVE-2019-13060 RESERVED CVE-2019-13059 RESERVED CVE-2019-13058 RESERVED CVE-2019-13057 (An issue was discovered in the server in OpenLDAP before 2.4.48. When ...) {DLA-1891-1} - openldap 2.4.48+dfsg-1 (low; bug #932997) [buster] - openldap 2.4.47+dfsg-3+deb10u1 [stretch] - openldap 2.4.44+dfsg-5+deb9u3 NOTE: https://openldap.org/its/?findid=9038 CVE-2019-13056 (An issue was discovered in CyberPanel through 1.8.4. On the user edit ...) NOT-FOR-US: CyberPanel CVE-2019-13055 (Certain Logitech Unifying devices allow attackers to dump AES keys and ...) NOT-FOR-US: Logitech CVE-2019-13054 (The Logitech R500 presentation clicker allows attackers to determine t ...) NOT-FOR-US: Logitech CVE-2019-13053 (Logitech Unifying devices allow keystroke injection, bypassing encrypt ...) NOT-FOR-US: Logitech CVE-2019-13052 (Logitech Unifying devices allow live decryption if the pairing of a ke ...) NOT-FOR-US: Logitech CVE-2019-13051 (Pi-Hole 4.3 allows Command Injection. ...) NOT-FOR-US: Pi-Hole CVE-2019-13050 (Interaction between the sks-keyserver code through 1.2.0 of the SKS ke ...) NOT-FOR-US: Conceptual weakness in PGP keyserver design CVE-2019-13049 (An integer wrap in kernel/sys/syscall.c in ToaruOS 1.10.10 allows user ...) NOT-FOR-US: ToaruOS CVE-2019-13048 (kernel/sys/syscall.c in ToaruOS through 1.10.9 allows a denial of serv ...) NOT-FOR-US: ToaruOS CVE-2019-13047 (kernel/sys/syscall.c in ToaruOS through 1.10.9 has incorrect access co ...) NOT-FOR-US: ToaruOS CVE-2019-13046 (linker/linker.c in ToaruOS through 1.10.9 has insecure LD_LIBRARY_PATH ...) NOT-FOR-US: ToaruOS CVE-2019-13044 REJECTED CVE-2019-13043 RESERVED CVE-2019-13042 RESERVED CVE-2019-13041 RESERVED CVE-2019-13040 RESERVED CVE-2019-13039 RESERVED CVE-2019-13038 (mod_auth_mellon through 0.14.2 has an Open Redirect via the login?Retu ...) - libapache2-mod-auth-mellon 0.15.0-1 (low; bug #931265) [buster] - libapache2-mod-auth-mellon (Minor issue) [stretch] - libapache2-mod-auth-mellon (Minor issue) [jessie] - libapache2-mod-auth-mellon (Open Redirect protection not implemented yet) NOTE: https://github.com/Uninett/mod_auth_mellon/issues/35#issuecomment-503974885 CVE-2019-13037 RESERVED CVE-2019-13036 RESERVED CVE-2019-13035 (Artica Pandora FMS 7.0 NG before 735 suffers from local privilege esca ...) NOT-FOR-US: Artica Pandora FMS CVE-2019-13034 RESERVED CVE-2016-10761 (Logitech Unifying devices before 2016-02-26 allow keystroke injection, ...) NOT-FOR-US: Logitech CVE-2019-13045 (Irssi before 1.0.8, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, when S ...) - irssi 1.2.1-1 (low; bug #931264) [buster] - irssi (Minor issue) [stretch] - irssi (Minor issue) [jessie] - irssi (vulnerable sasl code is not present) NOTE: https://irssi.org/security/irssi_sa_2019_06.txt NOTE: https://github.com/irssi/irssi/pull/1058 NOTE: https://github.com/irssi/irssi/commit/5a67b983dc97caeb5df1139aabd0bc4f260a47d8 NOTE: Fixed in 1.0.8, 1.1.3, 1.2.1 CVE-2019-13033 (In CISOfy Lynis 2.x through 2.7.5, the license key can be obtained by ...) {DLA-2253-1} - lynis 3.0.0-1 (unimportant; bug #963161) NOTE: https://cisofy.com/security/cve/cve-2019-13033/ NOTE: https://github.com/CISOfy/lynis/commit/3b9eda53cc20e851c4456618f027bc9ea794ad30 NOTE: Enabling license system in the packaged version is possible, but enabling it NOTE: makes little sense as users will end-up quitting on all the extra tests that NOTE: are not opensourced (and only present in the enterprise version). CVE-2019-13032 (An issue was discovered in FlightCrew v0.9.2 and earlier. A NULL point ...) - flightcrew 0.7.2+dfsg-14 (unimportant; bug #931246) [buster] - flightcrew 0.7.2+dfsg-13+deb10u1 [stretch] - flightcrew 0.7.2+dfsg-9+deb9u1 NOTE: https://github.com/Sigil-Ebook/flightcrew/issues/53 NOTE: https://github.com/Sigil-Ebook/flightcrew/commit/c75c100218ed5c0e7652947051e28b54a75212ae NOTE: https://github.com/Sigil-Ebook/flightcrew/commit/b4f4a70f604ddcb4e8e343aa0e690764fc46d780 NOTE: Negligible security impact CVE-2019-13030 (eQ-3 Homematic CCU3 AddOn 'Mediola NEO Server for Homematic CCU3' prio ...) NOT-FOR-US: eQ-3 Homematic CCU3 CVE-2019-13029 (Multiple stored Cross-site scripting (XSS) issues in the admin panel a ...) NOT-FOR-US: REDCap CVE-2019-13028 (An incorrect implementation of a local web server in eID client (Windo ...) NOT-FOR-US: local web server in eID client (Product from the Ministry of Interior of the Slovak Republic) CVE-2019-13027 (Realization Concerto Critical Chain Planner (aka CCPM) 5.10.8071 has S ...) NOT-FOR-US: Realization Concerto Critical Chain Planner CVE-2019-13026 (OXID eShop 6.0.x before 6.0.5 and 6.1.x before 6.1.4 allows SQL Inject ...) NOT-FOR-US: OXID eShop CVE-2019-13025 (Compal CH7465LG CH7465LG-NCIP-6.12.18.24-5p8-NOSH devices have Incorre ...) NOT-FOR-US: Compal CH7465LG CH7465LG-NCIP-6.12.18.24-5p8-NOSH devices CVE-2019-13024 (Centreon 18.x before 18.10.6, 19.x before 19.04.3, and Centreon web be ...) - centreon-web (bug #913903) CVE-2019-13023 (An issue was discovered in all versions of Bond JetSelect. Within the ...) NOT-FOR-US: Bond JetSelect CVE-2019-13022 (Bond JetSelect (all versions) has an issue in the Java class (ENCtool. ...) NOT-FOR-US: Bond JetSelect CVE-2019-13021 (The administrative passwords for all versions of Bond JetSelect are st ...) NOT-FOR-US: Bond JetSelect CVE-2019-13020 (The fetch API in Tightrope Media Carousel before 7.1.3 has CarouselAPI ...) NOT-FOR-US: Tightrope Media Carousel CVE-2019-13019 RESERVED NOT-FOR-US: Microsoft .NET CVE-2019-13018 RESERVED CVE-2019-13017 RESERVED CVE-2019-13016 RESERVED CVE-2019-13015 RESERVED CVE-2019-13014 (Little Snitch versions 4.4.0 fixes a vulnerability in a privileged hel ...) NOT-FOR-US: Little Snitch CVE-2019-13013 (Little Snitch versions 4.3.0 to 4.3.2 have a local privilege escalatio ...) NOT-FOR-US: Little Snitch CVE-2019-13011 (An issue was discovered in GitLab Enterprise Edition 8.11.0 through 12 ...) [experimental] - gitlab 11.10.8+dfsg-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/2019/07/03/security-release-gitlab-12-dot-0-dot-3-released/ CVE-2019-13010 (An issue was discovered in GitLab Enterprise Edition 8.3 through 12.0. ...) [experimental] - gitlab 11.10.8+dfsg-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/2019/07/03/security-release-gitlab-12-dot-0-dot-3-released/ CVE-2019-13009 (An issue was discovered in GitLab Community and Enterprise Edition 9.2 ...) [experimental] - gitlab 11.10.8+dfsg-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/2019/07/03/security-release-gitlab-12-dot-0-dot-3-released/ CVE-2019-13008 RESERVED CVE-2019-13007 (An issue was discovered in GitLab Community and Enterprise Edition 11. ...) - gitlab (Only affects 11.1 and later) NOTE: https://about.gitlab.com/2019/07/03/security-release-gitlab-12-dot-0-dot-3-released/ CVE-2019-13006 (An issue was discovered in GitLab Community and Enterprise Edition 9.0 ...) [experimental] - gitlab 11.10.8+dfsg-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/2019/07/03/security-release-gitlab-12-dot-0-dot-3-released/ CVE-2019-13005 (An issue was discovered in GitLab Enterprise Edition and Community Edi ...) [experimental] - gitlab 11.10.8+dfsg-1 - gitlab (Only affects 11.10 and later) NOTE: https://about.gitlab.com/2019/07/03/security-release-gitlab-12-dot-0-dot-3-released/ CVE-2019-13004 (An issue was discovered in GitLab Community and Enterprise Edition 11. ...) - gitlab (Only affects 11.1 and later) NOTE: https://about.gitlab.com/2019/07/03/security-release-gitlab-12-dot-0-dot-3-released/ CVE-2019-13003 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) [experimental] - gitlab 11.10.8+dfsg-1 - gitlab 12.6.8-3 NOTE: https://about.gitlab.com/2019/07/03/security-release-gitlab-12-dot-0-dot-3-released/ CVE-2019-13002 (An issue was discovered in GitLab Community and Enterprise Edition 11. ...) [experimental] - gitlab 11.10.8+dfsg-1 - gitlab (Only affects 11.10 and later) NOTE: https://about.gitlab.com/2019/07/03/security-release-gitlab-12-dot-0-dot-3-released/ CVE-2019-13001 (An issue was discovered in GitLab Community and Enterprise Edition 11. ...) [experimental] - gitlab 11.10.8+dfsg-1 - gitlab (Only affects 11.9 and later) NOTE: https://about.gitlab.com/2019/07/03/security-release-gitlab-12-dot-0-dot-3-released/ CVE-2019-13000 (Eclair through 0.3 allows attackers to trigger loss of funds because o ...) NOT-FOR-US: Eclair CVE-2019-12999 (Lightning Network Daemon (lnd) before 0.7 allows attackers to trigger ...) - lnd (bug #886577) CVE-2019-12998 (c-lightning before 0.7.1 allows attackers to trigger loss of funds bec ...) NOT-FOR-US: c-lightning CVE-2019-12997 (In Loopchain through 2.2.1.3, an attacker can escalate privileges from ...) NOT-FOR-US: Loopchain CVE-2019-12996 (In Mendix 7.23.5 and earlier, issue in XML import mappings allow DOCTY ...) NOT-FOR-US: Mendix CVE-2019-12995 (Istio before 1.2.2 mishandles certain access tokens, leading to "Epoch ...) NOT-FOR-US: Istio CVE-2019-12994 (Server Side Request Forgery (SSRF) exists in Zoho ManageEngine AssetEx ...) NOT-FOR-US: Zoho ManageEngine AssetExplorer CVE-2019-12993 RESERVED CVE-2019-12992 (Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before ...) NOT-FOR-US: Citrix and NetScaler SD-WAN CVE-2019-12991 (Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before ...) NOT-FOR-US: Citrix and NetScaler SD-WAN CVE-2019-12990 (Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before ...) NOT-FOR-US: Citrix and NetScaler SD-WAN CVE-2019-12989 (Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before ...) NOT-FOR-US: Citrix and NetScaler SD-WAN CVE-2019-12988 (Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before ...) NOT-FOR-US: Citrix and NetScaler SD-WAN CVE-2019-12987 (Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before ...) NOT-FOR-US: Citrix and NetScaler SD-WAN CVE-2019-12986 (Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before ...) NOT-FOR-US: Citrix and NetScaler SD-WAN CVE-2019-12985 (Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before ...) NOT-FOR-US: Citrix and NetScaler SD-WAN CVE-2019-12984 (A NULL pointer dereference vulnerability in the function nfc_genl_deac ...) {DSA-4495-1} - linux 5.2.6-1 NOTE: Fixed by: https://git.kernel.org/linus/385097a3675749cbc9e97c085c0e5dfe4269ca51 CVE-2019-12983 REJECTED CVE-2019-12982 (Ming (aka libming) 0.4.8 has a heap buffer overflow and underflow in t ...) - ming NOTE: https://github.com/libming/libming/pull/179/commits/2be22fcf56a223dafe8de0e8a20fe20e8bbdb0b9 CVE-2019-12981 (Ming (aka libming) 0.4.8 has an "fill overflow" vulnerability in the f ...) - ming NOTE: https://github.com/libming/libming/pull/179/commits/3dc0338e4a36a3092720ebaa5b908ba3dca467d9 CVE-2019-12980 (In Ming (aka libming) 0.4.8, there is an integer overflow (caused by a ...) - ming NOTE: https://github.com/libming/libming/pull/179/commits/2223f7a1e431455a1411bee77c90db94a6f8e8fe CVE-2019-12979 (ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability ...) {DSA-4712-1} - imagemagick (bug #931189) [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (minor security impact) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1522 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/27b1c74979ac473a430e266ff6c4b645664bc805 CVE-2019-12978 (ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability ...) {DSA-4712-1} - imagemagick (low; bug #931190) [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (minor security impact) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1519 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/ae1ded6140bfa8ae9f6dcba5413b72d98ed94614 CVE-2019-12977 (ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability ...) {DSA-4712-1} - imagemagick (low; bug #931191) [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (minor security impact) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1518 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/e6103897fae2ed47e24b9cf7de719eea877b0504 CVE-2019-12976 (ImageMagick 7.0.8-34 has a memory leak in the ReadPCLImage function in ...) {DSA-4712-1} - imagemagick (unimportant; bug #931192) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1520 CVE-2019-12975 (ImageMagick 7.0.8-34 has a memory leak vulnerability in the WriteDPXIm ...) {DSA-4712-1} - imagemagick (unimportant; bug #931193) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1517 CVE-2019-12974 (A NULL pointer dereference in the function ReadPANGOImage in coders/pa ...) {DSA-4712-1 DLA-1888-1} - imagemagick (low; bug #931196) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1515 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/b4391bdd60df0a77e97a6ef1674f2ffef0e19e24 CVE-2019-12973 (In OpenJPEG 2.3.1, there is excessive iteration in the opj_t1_encode_c ...) - openjpeg2 (bug #931292) [buster] - openjpeg2 (Minor issue) [stretch] - openjpeg2 (Minor issue) [jessie] - openjpeg2 (vulnerable code is not present) NOTE: https://github.com/uclouvain/openjpeg/pull/1185 NOTE: https://github.com/uclouvain/openjpeg/commit/21399f6b7d318fcdf4406d5e88723c4922202aa3 NOTE: https://github.com/uclouvain/openjpeg/commit/3aef207f90e937d4931daf6d411e092f76d82e66 NOTE: Issue is similar to CVE-2018-6616. CVE-2019-12972 (An issue was discovered in the Binary File Descriptor (BFD) library (a ...) - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24689 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=890f750a3b053532a4b839a2dd6243076de12031 NOTE: binutils not covered by security support CVE-2019-12971 (BKS EBK Ethernet-Buskoppler Pro before 3.01 allows Unrestricted Upload ...) NOT-FOR-US: BKS EBK Ethernet-Buskoppler Pro CVE-2019-12970 (XSS was discovered in SquirrelMail through 1.4.22 and 1.5.x through 1. ...) {DLA-1868-1} - squirrelmail NOTE: https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-016.txt NOTE: https://sourceforge.net/p/squirrelmail/code/14828/ CVE-2019-12969 RESERVED CVE-2019-12968 (A vulnerability was found in the Sonic Robo Blast 2 (SRB2) plugin (EP_ ...) NOT-FOR-US: Sonic Robo Blast 2 CVE-2019-12967 (Stephan Mooltipass Moolticute through 0.42.1 (and possibly earlier ver ...) NOT-FOR-US: Stephan Mooltipass Moolticute CVE-2019-12966 (FeHelper through 2019-06-19 allows arbitrary code execution during a J ...) NOT-FOR-US: FeHelper CVE-2018-20847 (An improper computation of p_tx0, p_tx1, p_ty0 and p_ty1 in the functi ...) {DLA-1851-1} - openjpeg2 2.3.1-1 (low; bug #931294) [buster] - openjpeg2 2.3.0-2+deb10u1 [stretch] - openjpeg2 2.1.2-1.1+deb9u4 NOTE: https://github.com/uclouvain/openjpeg/issues/431 NOTE: https://github.com/uclouvain/openjpeg/commit/5d00b719f4b93b1445e6fb4c766b9a9883c57949 NOTE: https://github.com/uclouvain/openjpeg/commit/2d24b6000d5611615e3e6d799e20d5fdbe4e2a1e NOTE: https://github.com/uclouvain/openjpeg/commit/c58df149900df862806d0e892859b41115875845 CVE-2018-20846 (Out-of-bounds accesses in the functions pi_next_lrcp, pi_next_rlcp, pi ...) - openjpeg2 (unimportant) NOTE: https://github.com/uclouvain/openjpeg/commit/c277159986c80142180fbe5efb256bbf3bdf3edc NOTE: Debian binary packages built with BUILD_MJ2:BOOL=OFF CVE-2018-20845 (Division-by-zero vulnerabilities in the functions pi_next_pcrl, pi_nex ...) - openjpeg2 2.3.1-1 (unimportant) NOTE: https://github.com/uclouvain/openjpeg/commit/c5bd64ea146162967c29bd2af0cbb845ba3eaaaf (2.3.1) NOTE: Debian binary packages built with BUILD_MJ2:BOOL=OFF CVE-2018-20844 RESERVED CVE-2019-13031 (LemonLDAP::NG before 1.9.20 has an XML External Entity (XXE) issue whe ...) {DLA-1844-1} - lemonldap-ng 2.0.0+ds-1 (bug #931117) [stretch] - lemonldap-ng 1.9.7-3+deb9u2 NOTE: Upstream issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1820 NOTE: Issue explained in: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1818 NOTE: 2.0.0 upstream replaced the (old) feature with a new REST/JSON service, and NOTE: added a "oldXMLFormat" option which is functionwise broken up to 2.0.5. NOTE: By default the notification server is not enabled and has a 'deny all' rule. CVE-2019-12965 RESERVED CVE-2019-12964 (LiveZilla Server before 8.0.1.1 is vulnerable to XSS in the ticket.php ...) NOT-FOR-US: LiveZilla Server CVE-2019-12963 (LiveZilla Server before 8.0.1.1 is vulnerable to XSS in the chat.php C ...) NOT-FOR-US: LiveZilla Server CVE-2019-12962 (LiveZilla Server before 8.0.1.1 is vulnerable to XSS in mobile/index.p ...) NOT-FOR-US: LiveZilla Server CVE-2019-12961 (LiveZilla Server before 8.0.1.1 is vulnerable to CSV Injection in the ...) NOT-FOR-US: LiveZilla Server CVE-2019-12960 (LiveZilla Server before 8.0.1.1 is vulnerable to SQL Injection in func ...) NOT-FOR-US: LiveZilla Server CVE-2019-12959 (Server Side Request Forgery (SSRF) exists in Zoho ManageEngine AssetEx ...) NOT-FOR-US: Zoho ManageEngine AssetExplorer CVE-2019-12958 (In Xpdf 4.01.01, a heap-based buffer over-read could be triggered in F ...) - xpdf (xpdf in Debian uses poppler, which is fixed) NOTE: CVE-2017-14976 in poppler CVE-2019-12957 (In Xpdf 4.01.01, a buffer over-read could be triggered in FoFiType1C:: ...) - xpdf (xpdf in Debian uses poppler, which is fixed) - poppler 0.22.5-4 NOTE: poppler fix: https://gitlab.freedesktop.org/poppler/poppler/commit/96931732f343d2bbda9af9488b485da031866c3b CVE-2019-12956 RESERVED CVE-2019-12955 RESERVED CVE-2019-12954 (SolarWinds Network Performance Monitor (Orion Platform 2018, NPM 12.3, ...) NOT-FOR-US: SolarWinds CVE-2019-12953 RESERVED CVE-2019-12952 RESERVED CVE-2019-12951 (An issue was discovered in Mongoose before 6.15. The parse_mqtt() func ...) NOT-FOR-US: Cesanta Mongoose NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1 CVE-2019-12950 (An issue was discovered in TeamPass 2.1.27.35. From the sources/items. ...) - teampass (bug #730180) CVE-2019-12949 (In pfSense 2.4.4-p2 and 2.4.4-p3, if it is possible to trick an authen ...) NOT-FOR-US: pfSense CVE-2019-12948 (A vulnerability in the web-based management interface of VVX, Trio, So ...) NOT-FOR-US: Polycom UC Software CVE-2019-12947 RESERVED CVE-2019-12946 (Elcom CMS before 10.7 has SQL Injection via EventSearchByState.aspx an ...) NOT-FOR-US: Elcom CMS CVE-2019-12945 REJECTED CVE-2019-12944 (Glue Smart Lock 2.7.8 devices do not properly block guest access in ce ...) NOT-FOR-US: Glue Smart Lock devices CVE-2019-12943 (TTLock devices do not properly restrict password-reset attempts, leadi ...) NOT-FOR-US: TTLock devices CVE-2019-12942 (TTLock devices do not properly block guest access in certain situation ...) NOT-FOR-US: TTLock devices CVE-2019-12941 (AutoPi Wi-Fi/NB and 4G/LTE devices before 2019-10-15 allows an attacke ...) NOT-FOR-US: AutoPi Wi-Fi/NB and 4G/LTE devices CVE-2019-12940 (LiveZilla Server before 8.0.1.1 is vulnerable to Denial Of Service (me ...) NOT-FOR-US: LiveZilla CVE-2019-12939 (LiveZilla Server before 8.0.1.1 is vulnerable to SQL Injection in serv ...) NOT-FOR-US: LiveZilla CVE-2019-12938 (The Roundcube component of Analogic Poste.io 2.1.6 uses .htaccess to p ...) NOT-FOR-US: Roundcube component of Analogic Poste.io CVE-2018-20843 (In libexpat in Expat before 2.2.7, XML input including XML names that ...) {DSA-4472-1 DLA-1839-1} - expat 2.2.6-2 (bug #931031) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226 NOTE: https://github.com/libexpat/libexpat/issues/186 NOTE: https://github.com/libexpat/libexpat/pull/262 NOTE: https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6 CVE-2019-12937 (apps/gsudo.c in gsudo in ToaruOS through 1.10.9 has a buffer overflow ...) NOT-FOR-US: gsudo in ToaruOS CVE-2019-12936 (BlueStacks App Player 2, 3, and 4 before 4.90 allows DNS Rebinding for ...) NOT-FOR-US: BlueStacks App Player CVE-2019-12934 (An issue was discovered in the wp-code-highlightjs plugin through 0.6. ...) NOT-FOR-US: wp-code-highlightjs plugin for WordPress CVE-2019-12935 (Shopware before 5.5.8 has XSS via the Query String to the backend/Logi ...) NOT-FOR-US: Shopware CVE-2019-12933 REJECTED CVE-2019-12932 (A stored XSS vulnerability was found in SeedDMS 5.1.11 due to poorly e ...) NOT-FOR-US: SeedDMS CVE-2019-12931 RESERVED CVE-2019-12930 (A cross-site scripting (XSS) vulnerability in noMenu() and noSubMenu() ...) NOT-FOR-US: WIKINDX CVE-2019-12929 (** DISPUTED ** The QMP guest_exec command in QEMU 4.0.0 and earlier is ...) - qemu (unimportant) - qemu-kvm (unimportant) NOTE: https://fakhrizulkifli.github.io/posts/2019/06/06/CVE-2019-12929/ NOTE: The QEMU machine protocol (QMP) should not be exposed to unprivileged users, NOTE: and is only intended for administrative control of QEMU instances. CVE-2019-12928 (** DISPUTED ** The QMP migrate command in QEMU version 4.0.0 and earli ...) - qemu (unimportant) - qemu-kvm (unimportant) NOTE: https://fakhrizulkifli.github.io/posts/2019/06/05/CVE-2019-12928/ NOTE: The QEMU machine protocol (QMP) should not be exposed to unprivileged users, NOTE: and is only intended for administrative control of QEMU instances. CVE-2019-12927 (MailEnable Enterprise Premium 10.23 was vulnerable to stored and refle ...) NOT-FOR-US: MailEnable Enterprise Premium CVE-2019-12926 (MailEnable Enterprise Premium 10.23 did not use appropriate access con ...) NOT-FOR-US: MailEnable Enterprise Premium CVE-2019-12925 (MailEnable Enterprise Premium 10.23 was vulnerable to multiple directo ...) NOT-FOR-US: MailEnable Enterprise Premium CVE-2019-12924 (MailEnable Enterprise Premium 10.23 was vulnerable to XML External Ent ...) NOT-FOR-US: MailEnable Enterprise Premium CVE-2019-12923 (In MailEnable Enterprise Premium 10.23, the potential cross-site reque ...) NOT-FOR-US: MailEnable Enterprise Premium CVE-2019-12922 (A CSRF issue in phpMyAdmin 4.9.0.1 allows deletion of any server in th ...) - phpmyadmin 4:4.9.1+dfsg1-2 [stretch] - phpmyadmin (Minor issue) [jessie] - phpmyadmin (Minor issue, target only accessible is setup is enabled and htpasswd.setup populated) NOTE: https://seclists.org/fulldisclosure/2019/Sep/23 NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/427fbed55d3154d96ecfc1c7784d49eaa3c04161 (4.9.1) CVE-2019-12921 (In GraphicsMagick before 1.3.32, the text filename component allows re ...) {DSA-4675-1 DLA-2152-1} - graphicsmagick 1.4~hg16039-1 NOTE: https://github.com/d0ge/data-processing/blob/master/CVE-2019-12921.md NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/f780c290b4ab CVE-2019-12920 (On Shenzhen Cylan Clever Dog Smart Camera DOG-2W and DOG-2W-V4 devices ...) NOT-FOR-US: Shenzhen Cylan Clever Dog Smart Cameraa DOG-2W and DOG-2W-V4 devices CVE-2019-12919 (On Shenzhen Cylan Clever Dog Smart Camera DOG-2W and DOG-2W-V4 devices ...) NOT-FOR-US: Shenzhen Cylan Clever Dog Smart Camera DOG-2W and DOG-2W-V4 devices CVE-2019-12918 (Quest KACE Systems Management Appliance Server Center version 9.1.317 ...) NOT-FOR-US: Quest KACE Systems Management Appliance Server Center CVE-2019-12917 (A reflected XSS vulnerability exists in Quest KACE Systems Management ...) NOT-FOR-US: Quest KACE Systems Management Appliance Server Center CVE-2019-12916 REJECTED CVE-2019-12915 REJECTED CVE-2019-12914 (Redbrick Shift through 3.4.3 allows an attacker to extract authenticat ...) NOT-FOR-US: Redbrick Shift CVE-2019-12913 (Redbrick Shift through 3.4.3 allows an attacker to extract emails of s ...) NOT-FOR-US: Redbrick Shift CVE-2019-12912 (Redbrick Shift through 3.4.3 allows an attacker to extract emails of s ...) NOT-FOR-US: Redbrick Shift CVE-2019-12911 (Redbrick Shift through 3.4.3 allows an attacker to extract authenticat ...) NOT-FOR-US: Redbrick Shift CVE-2019-12910 RESERVED CVE-2019-12909 RESERVED CVE-2019-12908 RESERVED CVE-2019-12907 RESERVED CVE-2019-12906 RESERVED CVE-2019-12905 (FileRun 2019.05.21 allows XSS via the filename to the ?module=fileman& ...) NOT-FOR-US: FileRun CVE-2019-12904 (In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flu ...) - libgcrypt20 (bug #930885) [buster] - libgcrypt20 (Minor issue) [stretch] - libgcrypt20 (Minor issue) [jessie] - libgcrypt20 (Vulnerable code introduced later in version 1.7.0) - libgcrypt11 NOTE: https://dev.gnupg.org/T4541 NOTE: https://github.com/gpg/libgcrypt/commit/a4c561aab1014c3630bc88faf6f5246fee16b020 NOTE: https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762 CVE-2019-12903 (Pydio Cells before 1.5.0, when supplied with a Name field in an unexpe ...) NOT-FOR-US: Pydio Cells (relates to Pydio product) CVE-2019-12902 (Pydio Cells before 1.5.0 does incomplete cleanup of a user's data upon ...) NOT-FOR-US: Pydio Cells (relates to Pydio product) CVE-2019-12901 (Pydio Cells before 1.5.0 fails to neutralize '../' elements, allowing ...) NOT-FOR-US: Pydio Cells (relates to Pydio product) CVE-2019-12900 (BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bo ...) {DLA-1953-1 DLA-1833-1} - bzip2 1.0.6-9.1 (bug #930886) [stretch] - bzip2 (Not exploitable; potential dangerous parts already guarded) - clamav 0.101.4+dfsg-1 (bug #934359) [buster] - clamav 0.101.4+dfsg-0+deb10u1 [stretch] - clamav 0.101.4+dfsg-0+deb9u1 NOTE: https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc NOTE: The original fix introduces regressions when extracting certain lbzip2 files NOTE: which were created with a buggy libzip2: https://bugs.debian.org/931278 NOTE: Details on followup: https://sourceware.org/ml/bzip2-devel/2019-q3/msg00007.html NOTE: explaining as well why, whilst the issue described by CVE-2019-12900 is definitvely NOTE: an issue, it was not exploitable in the first place. NOTE: Regression fix: https://sourceware.org/git/?p=bzip2.git;a=commit;h=b07b105d1b66e32760095e3602261738443b9e13 NOTE: Clamav: https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html NOTE: clamav uses libbz2 but the "nsis" scanner/decompressor has a decompress.c from bzip2 CVE-2019-12899 (Delta Electronics DeviceNet Builder 2.04 has a User Mode Write AV star ...) NOT-FOR-US: Delta Electronics DeviceNet Builder CVE-2019-12898 (Delta Electronics DeviceNet Builder 2.04 has a User Mode Write AV star ...) NOT-FOR-US: Delta Electronics DeviceNet Builder CVE-2019-12897 (Edraw Max 7.9.3 has a Read Access Violation at the Instruction Pointer ...) NOT-FOR-US: Edraw Max CVE-2019-12896 (Edraw Max 7.9.3 has Heap Corruption starting at ntdll!RtlpNtMakeTempor ...) NOT-FOR-US: Edraw Max CVE-2019-12895 (In Alternate Pic View 2.600, the Exception Handler Chain is Corrupted ...) NOT-FOR-US: Alternate Pic View CVE-2019-12894 (Alternate Pic View 2.600 has a Read Access Violation at the Instructio ...) NOT-FOR-US: Alternate Pic View CVE-2019-12893 (Alternate Pic View 2.600 has a User Mode Write AV starting at PicViewe ...) NOT-FOR-US: Alternate Pic View CVE-2019-12892 RESERVED CVE-2019-12891 RESERVED CVE-2019-12890 (RedwoodHQ 2.5.5 does not require any authentication for database opera ...) NOT-FOR-US: RedwoodHQ CVE-2019-12889 (An unauthenticated privilege escalation exists in SailPoint Desktop Pa ...) NOT-FOR-US: SailPoint Desktop Password Reset CVE-2019-12888 REJECTED CVE-2019-12887 (KeyIdentity LinOTP before 2.10.5.3 has Incorrect Access Control (issue ...) NOT-FOR-US: KeyIdentity LinOTP CVE-2019-12886 RESERVED CVE-2019-12885 RESERVED CVE-2019-12884 RESERVED CVE-2019-12883 RESERVED CVE-2019-12882 REJECTED CVE-2019-12881 (i915_gem_userptr_get_pages in drivers/gpu/drm/i915/i915_gem_userptr.c ...) - linux NOTE: https://gist.github.com/oxagast/472866fb2c3d439e10499d7141d0a520 CVE-2019-12880 (BCN Quark Quarking Password Manager 3.1.84 suffers from a clickjacking ...) NOT-FOR-US: BCN Quark Quarking Password Manager CVE-2019-12879 RESERVED CVE-2019-12878 RESERVED CVE-2019-12877 RESERVED CVE-2019-12876 (Zoho ManageEngine ADManager Plus 6.6.5, ADSelfService Plus 5.7, and De ...) NOT-FOR-US: Zoho ManageEngine CVE-2019-12875 (Alpine Linux abuild through 3.4.0 allows an unprivileged member of the ...) NOT-FOR-US: Alpine Linux CVE-2019-12874 (An issue was discovered in zlib_decompress_extra in modules/demux/mkv/ ...) {DSA-4459-1} - vlc 3.0.7-1 [jessie] - vlc (https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: http://git.videolan.org/?p=vlc.git;a=commit;h=81023659c7de5ac2637b4a879195efef50846102 CVE-2019-12873 RESERVED CVE-2019-12872 (dotCMS before 5.1.6 is vulnerable to a SQL injection that can be explo ...) NOT-FOR-US: dotCMS CVE-2019-12871 (An issue was discovered in PHOENIX CONTACT PC Worx through 1.86, PC Wo ...) NOT-FOR-US: PHOENIX CONTACT PC Worx CVE-2019-12870 (An issue was discovered in PHOENIX CONTACT PC Worx through 1.86, PC Wo ...) NOT-FOR-US: PHOENIX CONTACT PC Worx CVE-2019-12869 (An issue was discovered in PHOENIX CONTACT PC Worx through 1.86, PC Wo ...) NOT-FOR-US: PHOENIX CONTACT PC Worx CVE-2019-12868 (app/Model/Server.php in MISP 2.4.109 allows remote command execution b ...) NOT-FOR-US: MISP CVE-2019-12867 (Certain actions could cause privilege escalation for issue attachments ...) NOT-FOR-US: JetBrains YouTrack CVE-2019-12866 (An Insecure Direct Object Reference, with Authorization Bypass through ...) NOT-FOR-US: JetBrains YouTrack CVE-2019-12865 (In radare2 through 3.5.1, cmd_mount in libr/core/cmd_mount.c has a dou ...) - radare2 3.8.0+dfsg-1 (bug #930704) [jessie] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/issues/14334 NOTE: https://github.com/radare/radare2/commit/40453029179d230cf02ffed205f2d63e33981b8f CVE-2012-6711 (A heap-based buffer overflow exists in GNU Bash before 4.3 when wide c ...) - bash 4.3-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1721071 NOTE: https://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel&id=863d31ae775d56b785dc5b0105b6d251515d81d5 (bash-4.3-alpha) CVE-2019-12864 (SolarWinds Orion Platform 2018.4 HF3 (NPM 12.4, NetPath 1.1.4) is vuln ...) NOT-FOR-US: SolarWinds CVE-2019-12863 (SolarWinds Orion Platform 2018.4 HF3 (NPM 12.4, NetPath 1.1.4) allows ...) NOT-FOR-US: SolarWinds CVE-2019-12862 RESERVED CVE-2019-12861 RESERVED CVE-2019-12860 RESERVED CVE-2019-12859 RESERVED CVE-2019-12858 RESERVED CVE-2019-12857 RESERVED CVE-2019-12856 RESERVED CVE-2019-12855 (In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP su ...) - twisted 18.9.0-7 (bug #930626) [buster] - twisted (Minor issue) [stretch] - twisted (Minor issue) [jessie] - twisted (Minor issue) NOTE: https://github.com/twisted/twisted/pull/1147 NOTE: https://twistedmatrix.com/trac/ticket/9561 CVE-2019-12854 (Due to incorrect string termination, Squid cachemgr.cgi 4.0 through 4. ...) {DSA-4507-1} - squid 4.8-1 - squid3 (Vulnerable code not present; Vulnerable code only in 4.x series) NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_1.txt NOTE: http://www.squid-cache.org/Versions/v4/changesets/squid-4-2981a957716c61ff7e21eee1d7d6eb5a237e466d.patch CVE-2019-12853 RESERVED CVE-2019-12852 (An SSRF attack was possible on a JetBrains YouTrack server. The issue ...) NOT-FOR-US: JetBrains YouTrack CVE-2019-12851 (A CSRF vulnerability was detected in one of the admin endpoints of Jet ...) NOT-FOR-US: JetBrains YouTrack CVE-2019-12850 (A query injection was possible in JetBrains YouTrack. The issue was fi ...) NOT-FOR-US: JetBrains YouTrack CVE-2019-12849 RESERVED CVE-2019-12848 RESERVED CVE-2019-12847 (In JetBrains Hub versions earlier than 2018.4.11298, the audit events ...) NOT-FOR-US: JetBrains Hub CVE-2019-12846 (A user without the required permissions could gain access to some JetB ...) NOT-FOR-US: JetBrains CVE-2019-12845 (The generated Kotlin DSL settings allowed usage of an unencrypted conn ...) NOT-FOR-US: JetBrains CVE-2019-12844 (A possible stored JavaScript injection was detected on one of the JetB ...) NOT-FOR-US: JetBrains CVE-2019-12843 (A possible stored JavaScript injection requiring a deliberate server a ...) NOT-FOR-US: JetBrains CVE-2019-12842 (A reflected XSS on a user page was detected on one of the JetBrains Te ...) NOT-FOR-US: JetBrains CVE-2019-12841 (Incorrect handling of user input in ZIP extraction was detected in Jet ...) NOT-FOR-US: JetBrains CVE-2019-12840 (In Webmin through 1.910, any user authorized to the "Package Updates" ...) - webmin CVE-2019-12839 (In OrangeHRM 4.3.1 and before, there is an input validation error with ...) NOT-FOR-US: OrangeHRM CVE-2013-7472 (The "Count per Day" plugin before 3.2.6 for WordPress allows XSS via t ...) NOT-FOR-US: "Count per Day" plugin for WordPress CVE-2019-12838 (SchedMD Slurm 17.11.x, 18.08.0 through 18.08.7, and 19.05.0 allows SQL ...) {DSA-4572-1 DLA-2143-1} - slurm-llnl 19.05.3.2-1 (bug #931880) [stretch] - slurm-llnl (Too intrusive to backport) NOTE: https://github.com/SchedMD/slurm/commit/afa7d743f407c60a7c8a4bd98a10be32c82988b5 NOTE: https://lists.schedmd.com/pipermail/slurm-announce/2019/000025.html CVE-2019-12837 (The Java API in accesuniversitat.gencat.cat 1.7.5 allows remote attack ...) NOT-FOR-US: Java API in Generalitat de Catalunya accesuniversitat.gencat.cat CVE-2019-12836 (The Bobronix JEditor editor before 3.0.6 for Jira allows an attacker t ...) NOT-FOR-US: Bobronix JEditor editor for Jira CVE-2019-12835 (formats/xml.cpp in Leanify 0.4.3 allows for a controlled out-of-bounds ...) NOT-FOR-US: Leanify CVE-2019-12834 (In HT2 Labs Learning Locker 3.15.1, it's possible to inject malicious ...) NOT-FOR-US: HT2 Labs Learning Locker CVE-2019-12833 RESERVED CVE-2019-12832 RESERVED CVE-2019-12831 (In MyBB before 1.8.21, an attacker can abuse a default behavior of MyS ...) NOT-FOR-US: MyBB CVE-2019-12830 (In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the P ...) NOT-FOR-US: MyBB CVE-2019-12829 (radare2 through 3.5.1 mishandles the RParse API, which allows remote a ...) - radare2 3.8.0+dfsg-1 (bug #930590) [jessie] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/issues/14303 NOTE: https://github.com/radare/radare2/commit/b282620b7a8818910c42a29b8f0855a2d13eec14 CVE-2019-12828 (An issue was discovered in Electronic Arts Origin before 10.5.39. Due ...) NOT-FOR-US: Electronic Arts Origin CVE-2019-12827 (Buffer overflow in res_pjsip_messaging in Digium Asterisk versions 13. ...) - asterisk 1:16.2.1~dfsg-2 (bug #931980) [buster] - asterisk 1:16.2.1~dfsg-1+deb10u1 [stretch] - asterisk (Minor issue) [jessie] - asterisk (Vulnerable code not present) NOTE: https://downloads.asterisk.org/pub/security/AST-2019-002.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-28447 CVE-2019-12826 (A Cross-Site-Request-Forgery (CSRF) vulnerability in widget_logic.php ...) NOT-FOR-US: 2by2host Widget Logic plugin for WordPress CVE-2019-12825 (Unauthorized Access to the Container Registry of other groups was disc ...) - gitlab (Only affects Gitlab EE) CVE-2019-12824 RESERVED CVE-2019-12823 (Craft CMS 3.1.30 has XSS. ...) NOT-FOR-US: Craft CMS CVE-2019-12822 (In http.c in Embedthis GoAhead before 4.1.1 and 5.x before 5.0.1, a he ...) NOT-FOR-US: Embedthis GoAhead CVE-2019-12821 (A vulnerability was found in the app 2.0 of the Shenzhen Jisiwei i3 ro ...) NOT-FOR-US: app of the Shenzhen Jisiwei i3 robot vacuum cleaner CVE-2019-12820 (A vulnerability was found in the app 2.0 of the Shenzhen Jisiwei i3 ro ...) NOT-FOR-US: app of the Shenzhen Jisiwei i3 robot vacuum cleaner CVE-2019-12817 (arch/powerpc/mm/mmu_context_book3s64.c in the Linux kernel before 5.1. ...) {DSA-4495-1} - linux 5.2.6-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) CVE-2019-12816 (Modules.cpp in ZNC before 1.7.4-rc1 allows remote authenticated non-ad ...) {DSA-4463-1 DLA-1830-1} - znc 1.7.2-3 NOTE: Versions affected: 0.098 - 1.7.3 NOTE: https://github.com/znc/znc/commit/8de9e376ce531fe7f3c8b0aa4876d15b479b7311 CVE-2019-12815 (An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3. ...) {DSA-4491-1 DLA-1873-1} - proftpd-dfsg 1.3.6-6 (low; bug #932453) NOTE: http://bugs.proftpd.org/show_bug.cgi?id=4372 NOTE: https://github.com/proftpd/proftpd/pull/816 NOTE: https://tbspace.de/cve201912815proftpd.html CVE-2019-12814 (A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...) {DLA-1831-1} - jackson-databind 2.9.8-3 (bug #930750) [stretch] - jackson-databind 2.8.6-1+deb9u6 NOTE: https://github.com/FasterXML/jackson-databind/issues/2341 NOTE: https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5 CVE-2019-12813 (An issue was discovered in Digital Persona U.are.U 4500 Fingerprint Re ...) NOT-FOR-US: Digital Persona U.are.U 4500 Fingerprint Reader CVE-2019-12812 (MyBuilder viewer before 6.2.2019.814 allow an attacker to execute arbi ...) NOT-FOR-US: MyBuilder CVE-2019-12811 (ActiveX Control in MyBuilder before 6.2.2019.814 allow an attacker to ...) NOT-FOR-US: MyBuilder CVE-2019-12810 (A memory corruption vulnerability exists in the .PSD parsing functiona ...) NOT-FOR-US: ALSee CVE-2019-12809 (Yes24ViewerX ActiveX Control 1.0.327.50126 and earlier versions contai ...) NOT-FOR-US: Yes24ViewerX ActiveX Control CVE-2019-12808 (ALTOOLS update service 18.1 and earlier versions contains a local priv ...) NOT-FOR-US: ALTOOLS update service CVE-2019-12807 (Alzip 10.83 and earlier version contains a stack-based buffer overflow ...) NOT-FOR-US: ALZip CVE-2019-12806 (UniSign 2.0.4.0 and earlier version contains a stack-based buffer over ...) NOT-FOR-US: UniSign CVE-2019-12805 (NCSOFT Game Launcher, NC Launcher2 2.4.1.691 and earlier versions have ...) NOT-FOR-US: NCSOFT Game Launcher CVE-2019-12804 (In Hunesion i-oneNet version 3.0.7 ~ 3.0.53 and 4.0.4 ~ 4.0.16, due to ...) NOT-FOR-US: Hunesion i-oneNet CVE-2019-12803 (In Hunesion i-oneNet version 3.0.7 ~ 3.0.53 and 4.0.4 ~ 4.0.16, the sp ...) NOT-FOR-US: Hunesion i-oneNet CVE-2019-12802 (In radare2 through 3.5.1, the rcc_context function of libr/egg/egg_lan ...) - radare2 3.8.0+dfsg-1 (bug #930510) [jessie] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/issues/14296 CVE-2019-12801 (out/out.GroupMgr.php in SeedDMS 5.1.11 has Stored XSS by making a new ...) NOT-FOR-US: SeedDMS CVE-2019-12800 RESERVED CVE-2019-12819 (An issue was discovered in the Linux kernel before 5.0. The function _ ...) - linux 4.19.37-1 [stretch] - linux 4.9.168-1 [jessie] - linux 3.16.68-1 NOTE: https://git.kernel.org/linus/6ff7b060535e87c2ae14dd8548512abfdda528fb CVE-2019-12818 (An issue was discovered in the Linux kernel before 4.20.15. The nfc_ll ...) - linux 4.19.28-1 [stretch] - linux 4.9.168-1 [jessie] - linux 3.16.68-1 NOTE: https://git.kernel.org/linus/58bdd544e2933a21a51eecf17c3f5f94038261b5 CVE-2019-12799 (In createInstanceFromNamedArguments in Shopware through 5.6.x, a craft ...) NOT-FOR-US: Shopware CVE-2019-12798 (An issue was discovered in Artifex MuJS 1.0.5. regcompx in regexp.c do ...) NOT-FOR-US: MuJS CVE-2019-12797 (A clone version of an ELM327 OBD2 Bluetooth device has a hardcoded PIN ...) NOT-FOR-US: ELM327 OBD2 Bluetooth device CVE-2019-12796 RESERVED CVE-2019-12795 (daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x bef ...) {DLA-1827-1} - gvfs 1.38.1-5 (bug #930376) [stretch] - gvfs (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/gvfs/commit/70dbfc68a79faac49bd3423e079cb6902522082a (master) NOTE: https://gitlab.gnome.org/GNOME/gvfs/commit/d8c9138bf240975848b1c54db648ec4cd516a48f (gnome-3-32) NOTE: https://gitlab.gnome.org/GNOME/gvfs/commit/e3808a1b4042761055b1d975333a8243d67b8bfe (gnome-3-30) CVE-2018-20842 RESERVED CVE-2018-20841 (HooToo TripMate Titan HT-TM05 and HT-05 routers with firmware 2.000.02 ...) NOT-FOR-US: HooToo TripMate Titan HT-TM05 and HT-05 routers CVE-2017-18378 (In NETGEAR ReadyNAS Surveillance before 1.4.3-17 x86 and before 1.1.4- ...) NOT-FOR-US: NETGEAR CVE-2017-18377 (An issue was discovered on Wireless IP Camera (P2P) WIFICAM cameras. T ...) NOT-FOR-US: Wireless IP Camera (P2P) WIFICAM cameras CVE-2016-10760 (On Seowon Intech routers, there is a Command Injection vulnerability i ...) NOT-FOR-US: Seowon Intech routers CVE-2013-7471 (An issue was discovered in soap.cgi?service=WANIPConn1 on D-Link DIR-8 ...) NOT-FOR-US: D-Link CVE-2010-5330 (On certain Ubiquiti devices, Command Injection exists via a GET reques ...) NOT-FOR-US: Ubiquiti CVE-2009-5157 (On Linksys WAG54G2 1.00.10 devices, there is authenticated command inj ...) NOT-FOR-US: Linksys CVE-2009-5156 (An issue was discovered on ASMAX AR-804gu 66.34.1 devices. There is Co ...) NOT-FOR-US: ASMAX AR-804gu 66.34.1 devices CVE-2019-12794 (An issue was discovered in MISP 2.4.108. Organization admins could res ...) NOT-FOR-US: MISP CVE-2019-XXXX [security issues fixed in 1.8.5] - rdesktop 1.8.6-1 (bug #930387) [stretch] - rdesktop 1.8.6-2~deb9u1 [jessie] - rdesktop 1.8.6-0+deb8u1 NOTE: Workaround entry for DSA-4473-1/DLA-1837-1 until CVEs assigned CVE-2019-12793 RESERVED CVE-2019-12792 (A command injection vulnerability in UploadHandler.php in Vesta Contro ...) NOT-FOR-US: Vesta Control Panel CVE-2019-12791 (A directory traversal vulnerability in the v-list-user script in Vesta ...) NOT-FOR-US: Vesta Control Panel CVE-2019-12790 (In radare2 through 3.5.1, there is a heap-based buffer over-read in th ...) - radare2 3.8.0+dfsg-1 (bug #930344) [jessie] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/issues/14211 CVE-2019-12789 (An issue was discovered on Actiontec T2200H T2200H-31.128L.08 devices, ...) NOT-FOR-US: Actiontec devices CVE-2019-12788 (An issue was discovered in Photodex ProShow Producer v9.0.3797 (an app ...) NOT-FOR-US: Photodex ProShow Producer CVE-2019-12787 (An issue was discovered on D-Link DIR-818LW devices from 2.05.B03 to 2 ...) NOT-FOR-US: D-Link CVE-2019-12786 (An issue was discovered on D-Link DIR-818LW devices from 2.05.B03 to 2 ...) NOT-FOR-US: D-Link CVE-2019-12785 RESERVED CVE-2019-12784 RESERVED CVE-2019-12783 RESERVED CVE-2019-12782 (An authorization bypass vulnerability in pinboard updates in ThoughtSp ...) NOT-FOR-US: ThoughtSpot CVE-2019-12781 (An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1. ...) {DSA-4476-1 DLA-1842-1} - python-django 1:1.11.22-1 (bug #931316) [buster] - python-django 1:1.11.22-1~deb10u1 NOTE: https://www.djangoproject.com/weblog/2019/jul/01/security-releases/ NOTE: https://github.com/django/django/commit/54d0f5e62f54c29a12dd96f44bacd810cbe03ac8 (master) NOTE: https://github.com/django/django/commit/77706a3e4766da5d5fb75c4db22a0a59a28e6cd6 (2.2) NOTE: https://github.com/django/django/commit/1e40f427bb8d0fb37cc9f830096a97c36c97af6f (2.1) NOTE: https://github.com/django/django/commit/32124fc41e75074141b05f10fc55a4f01ff7f050 (1.11) CVE-2019-12780 (The Belkin Wemo Enabled Crock-Pot allows command injection in the Wemo ...) NOT-FOR-US: Belkin Wemo Enabled Crock-Pot CVE-2019-5439 (A Buffer Overflow in VLC Media Player < 3.0.7 causes a crash which ...) {DSA-4459-1} - vlc 3.0.7-1 (bug #930276) [jessie] - vlc (https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: https://hackerone.com/reports/484398 NOTE: http://www.jbkempf.com/blog/post/2019/VLC-3.0.7-and-security CVE-2019-12779 (libqb before 1.0.5 allows local users to overwrite arbitrary files via ...) - libqb 1.0.4-1 (unimportant; bug #927159) [jessie] - libqb (https://salsa.debian.org/debian/debian-security-support/commit/ba638006d397eda2cc094761ed7a7bfdca9e534b) NOTE: https://github.com/ClusterLabs/libqb/issues/338 NOTE: https://github.com/ClusterLabs/libqb/commit/6a4067c1d1764d93d255eccecfd8bf9f43cb0b4d NOTE: Regression fix: https://github.com/ClusterLabs/libqb/pull/349 NOTE: Neutralised by kernel hardening CVE-2019-12778 RESERVED CVE-2019-12777 (An issue was discovered on the ENTTEC Datagate MK2, Storm 24, Pixelato ...) NOT-FOR-US: ENTTEC CVE-2019-12776 (An issue was discovered on the ENTTEC Datagate MK2, Storm 24, Pixelato ...) NOT-FOR-US: ENTTEC CVE-2019-12775 (An issue was discovered on the ENTTEC Datagate MK2, Storm 24, Pixelato ...) NOT-FOR-US: ENTTEC CVE-2019-12774 (A number of stored XSS vulnerabilities have been identified in the web ...) NOT-FOR-US: ENTTEC CVE-2019-12773 RESERVED CVE-2019-12772 RESERVED CVE-2019-12771 (Command injection is possible in ThinStation through 6.1.1 via shell m ...) NOT-FOR-US: ThinStation CVE-2019-12770 RESERVED CVE-2019-12769 (SolarWinds Serv-U Managed File Transfer (MFT) Web client before 15.1.6 ...) NOT-FOR-US: SolarWinds CVE-2019-12768 RESERVED CVE-2019-12767 (An issue was discovered on D-Link DAP-1650 devices before 1.04B02_J65H ...) NOT-FOR-US: D-Link CVE-2019-12766 (An issue was discovered in Joomla! before 3.9.7. The subform fieldtype ...) NOT-FOR-US: Joomla! CVE-2019-12765 (An issue was discovered in Joomla! before 3.9.7. The CSV export of com ...) NOT-FOR-US: Joomla! CVE-2019-12764 (An issue was discovered in Joomla! before 3.9.7. The update server URL ...) NOT-FOR-US: Joomla! CVE-2019-12763 (The Security Camera CZ application through 1.6.8 for Android stores po ...) NOT-FOR-US: Security Camera CZ application for Android CVE-2019-12762 (Xiaomi Mi 5s Plus devices allow attackers to trigger touchscreen anoma ...) NOT-FOR-US: Xiaomi Mi 5s Plus devices CVE-2019-12761 (A code injection issue was discovered in PyXDG before 0.26 via crafted ...) {DLA-1819-1} - pyxdg (low; bug #930099) [buster] - pyxdg (Minor issue) [stretch] - pyxdg (Minor issue) NOTE: https://snyk.io/vuln/SNYK-PYTHON-PYXDG-174562 NOTE: https://gitlab.freedesktop.org/xdg/pyxdg/issues/14 CVE-2019-12760 (** DISPUTED ** A deserialization vulnerability exists in the way parso ...) - parso 0.5.1-0.1 (unimportant; bug #930356) NOTE: https://gist.github.com/dhondta/f71ae7e5c4234f8edfd2f12503a5dcc7 NOTE: https://github.com/davidhalter/parso/issues/75 NOTE: Not considered a security issue by upstream CVE-2019-12759 (Symantec Endpoint Protection Manager (SEPM) and Symantec Mail Security ...) NOT-FOR-US: Symantec CVE-2019-12758 (Symantec Endpoint Protection, prior to 14.2 RU2, may be susceptible to ...) NOT-FOR-US: Symantec CVE-2019-12757 (Symantec Endpoint Protection (SEP), prior to 14.2 RU2 & 12.1 RU6 M ...) NOT-FOR-US: Symantec CVE-2019-12756 (Symantec Endpoint Protection (SEP), prior to 14.2 RU2 may be susceptib ...) NOT-FOR-US: Symantec CVE-2019-12755 (Norton Password Manager, prior to 6.5.0.2104, may be susceptible to an ...) NOT-FOR-US: Norton CVE-2019-12754 (Symantec My VIP portal, previous version which has already been auto u ...) NOT-FOR-US: Symantec My VIP portal CVE-2019-12753 (An information disclosure vulnerability in Symantec Reporter web UI 10 ...) NOT-FOR-US: Symantec CVE-2019-12752 (The Symantec SONAR component, prior to 12.0.2, may be susceptible to a ...) NOT-FOR-US: Symantec CVE-2019-12751 (Symantec Messaging Gateway, prior to 10.7.1, may be susceptible to a p ...) NOT-FOR-US: Symantec CVE-2019-12750 (Symantec Endpoint Protection, prior to 14.2 RU1 & 12.1 RU6 MP10 an ...) NOT-FOR-US: Symantec Endpoint Protection CVE-2019-12749 (dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, ...) {DSA-4462-1 DLA-1818-1} - dbus 1.12.16-1 (bug #930375) NOTE: https://www.openwall.com/lists/oss-security/2019/06/11/2 NOTE: https://gitlab.freedesktop.org/dbus/dbus/issues/269 NOTE: https://gitlab.freedesktop.org/dbus/dbus/commit/47b1a4c41004bf494b87370987b222c934b19016 CVE-2019-12748 (TYPO3 8.3.0 through 8.7.26 and 9.0.0 through 9.5.7 allows XSS. ...) NOT-FOR-US: TYPO3 CVE-2019-12747 (TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization ...) NOT-FOR-US: TYPO3 CVE-2019-12746 (An issue was discovered in Open Ticket Request System (OTRS) Community ...) {DLA-1877-1} - otrs2 6.0.20-1 [buster] - otrs2 (Non-free not supported) [stretch] - otrs2 (Non-free not supported) NOTE: https://community.otrs.com/security-advisory-2019-10-security-update-for-otrs-framework/ NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/fab16a8e54aaf033f460e5f98c673248f29ea49c NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/cc08cb7df9f6dde05de2f8c6cbd59cd5d0952627 NOTE: OTRS 5: https://github.com/OTRS/otrs/commit/7ab33e51a4db9f712e979040f644d0d0c39ff0af CVE-2019-12745 (out/out.UsrMgr.php in SeedDMS before 5.1.11 allows Stored Cross-Site S ...) NOT-FOR-US: SeedDMS CVE-2019-12744 (SeedDMS before 5.1.11 allows Remote Command Execution (RCE) because of ...) NOT-FOR-US: SeedDMS CVE-2019-12743 (HumHub Social Network Kit Enterprise v1.3.13 allows remote attackers t ...) NOT-FOR-US: HumHub Social Network Kit Enterprise CVE-2019-12742 (Bludit prior to 3.9.1 allows a non-privileged user to change the passw ...) NOT-FOR-US: bludit CVE-2019-12741 (XSS exists in the HAPI FHIR testpage overlay module of the HAPI FHIR l ...) NOT-FOR-US: HAPI FHIR library CVE-2019-12740 RESERVED CVE-2019-12739 (lib/Controller/ExtractionController.php in the Extract add-on before 1 ...) - nextcloud (bug #835086) CVE-2019-12738 RESERVED CVE-2019-12737 (UserHashedTableAuth in JetBrains Ktor framework before 1.2.0-rc uses a ...) NOT-FOR-US: JetBrains Ktor CVE-2019-12736 (JetBrains Ktor framework before 1.2.0-rc does not sanitize the usernam ...) NOT-FOR-US: JetBrains Ktor CVE-2019-12734 (SiteVision 4 has Incorrect Access Control. ...) NOT-FOR-US: SiteVision CVE-2019-12733 (SiteVision 4 allows Remote Code Execution. ...) NOT-FOR-US: SiteVision CVE-2019-12735 (getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote ...) {DSA-4487-1 DSA-4467-1 DLA-1871-1} - vim 2:8.1.0875-4 (bug #930020) - neovim 0.3.4-3 (bug #930024) NOTE: https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md NOTE: vim patches: https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040 NOTE: neovim pull request: https://github.com/neovim/neovim/pull/10082 CVE-2019-12732 (The Chartkick gem through 3.1.0 for Ruby allows XSS. ...) NOT-FOR-US: Chartkick Ruby gem CVE-2019-12731 (The Windows versions of Snapview Mikogo, versions before 5.10.2 are af ...) NOT-FOR-US: Snapview Mikogo CVE-2019-12730 (aa_read_header in libavformat/aadec.c in FFmpeg before 3.2.14 and 4.x ...) {DSA-4502-1 DSA-4449-1} - ffmpeg 7:4.1.4-1 (low; bug #932469) NOTE: https://github.com/FFmpeg/FFmpeg/commit/ed188f6dcdf0935c939ed813cf8745d50742014b CVE-2019-12729 RESERVED CVE-2019-12728 (Grails before 3.3.10 used cleartext HTTP to resolve the SDKMan notific ...) - grails (bug #473213) CVE-2019-12727 (On Ubiquiti airCam 3.1.4 devices, a Denial of Service vulnerability ex ...) NOT-FOR-US: Ubiquiti airCam devices CVE-2019-12726 RESERVED CVE-2019-12725 (Zeroshell 3.9.0 is prone to a remote command execution vulnerability. ...) NOT-FOR-US: Zeroshell CVE-2019-12724 (An issue was discovered in the Teclib News plugin through 1.5.2 for GL ...) NOT-FOR-US: Teclib CVE-2019-12723 (An issue was discovered in the Teclib Fields plugin through 1.9.2 for ...) NOT-FOR-US: Teclib CVE-2019-12722 RESERVED CVE-2019-12721 RESERVED CVE-2019-12720 (AUO SunVeillance Monitoring System before v1.1.9e is vulnerable to mvc ...) NOT-FOR-US: AUO SunVeillance Monitoring System CVE-2019-12719 (An issue was discovered in Picture_Manage_mvc.aspx in AUO SunVeillance ...) NOT-FOR-US: AUO SunVeillance Monitoring System CVE-2019-12718 (A vulnerability in the web-based interface of Cisco Small Business Sma ...) NOT-FOR-US: Cisco CVE-2019-12717 (A vulnerability in a CLI command related to the virtualization manager ...) NOT-FOR-US: Cisco CVE-2019-12716 (A vulnerability in the web-based interface of Cisco Unified Communicat ...) NOT-FOR-US: Cisco CVE-2019-12715 (A vulnerability in the web-based interface of Cisco Unified Communicat ...) NOT-FOR-US: Cisco CVE-2019-12714 (A vulnerability in the web-based management interface of Cisco IC3000 ...) NOT-FOR-US: Cisco CVE-2019-12713 (A vulnerability in the web-based management interface of Cisco Prime I ...) NOT-FOR-US: Cisco CVE-2019-12712 (A vulnerability in the web-based management interface of Cisco Prime I ...) NOT-FOR-US: Cisco CVE-2019-12711 (A vulnerability in the web-based interface of Cisco Unified Communicat ...) NOT-FOR-US: Cisco CVE-2019-12710 (A vulnerability in the web-based interface of Cisco Unified Communicat ...) NOT-FOR-US: Cisco CVE-2019-12709 (A vulnerability in a CLI command related to the virtualization manager ...) NOT-FOR-US: Cisco CVE-2019-12708 (A vulnerability in the web-based management interface of Cisco SPA100 ...) NOT-FOR-US: Cisco CVE-2019-12707 (A vulnerability in the web-based interface of multiple Cisco Unified C ...) NOT-FOR-US: Cisco CVE-2019-12706 (A vulnerability in the Sender Policy Framework (SPF) functionality of ...) NOT-FOR-US: Cisco CVE-2019-12705 (A vulnerability in the web-based management interface of Cisco Express ...) NOT-FOR-US: Cisco CVE-2019-12704 (A vulnerability in the web-based management interface of Cisco SPA100 ...) NOT-FOR-US: Cisco CVE-2019-12703 (A vulnerability in the web-based management interface of Cisco SPA122 ...) NOT-FOR-US: Cisco CVE-2019-12702 (A vulnerability in the web-based management interface of Cisco SPA100 ...) NOT-FOR-US: Cisco CVE-2019-12701 (A vulnerability in the file and malware inspection feature of Cisco Fi ...) NOT-FOR-US: Cisco CVE-2019-12700 (A vulnerability in the configuration of the Pluggable Authentication M ...) NOT-FOR-US: Cisco CVE-2019-12699 (Multiple vulnerabilities in the CLI of Cisco FXOS Software and Cisco F ...) NOT-FOR-US: Cisco CVE-2019-12698 (A vulnerability in the WebVPN feature of Cisco Adaptive Security Appli ...) NOT-FOR-US: Cisco CVE-2019-12697 (Multiple vulnerabilities in the Cisco Firepower System Software Detect ...) NOT-FOR-US: Cisco CVE-2019-12696 (Multiple vulnerabilities in the Cisco Firepower System Software Detect ...) NOT-FOR-US: Cisco CVE-2019-12695 (A vulnerability in the Clientless SSL VPN (WebVPN) portal of Cisco Ada ...) NOT-FOR-US: Cisco CVE-2019-12694 (A vulnerability in the command line interface (CLI) of Cisco Firepower ...) NOT-FOR-US: Cisco CVE-2019-12693 (A vulnerability in the Secure Copy (SCP) feature of Cisco Adaptive Sec ...) NOT-FOR-US: Cisco CVE-2019-12692 RESERVED CVE-2019-12691 (A vulnerability in the web-based management interface of Cisco Firepow ...) NOT-FOR-US: Cisco CVE-2019-12690 (A vulnerability in the web UI of the Cisco Firepower Management Center ...) NOT-FOR-US: Cisco CVE-2019-12689 (A vulnerability in the web-based management interface of Cisco Firepow ...) NOT-FOR-US: Cisco CVE-2019-12688 (A vulnerability in the web UI of the Cisco Firepower Management Center ...) NOT-FOR-US: Cisco CVE-2019-12687 (A vulnerability in the web UI of the Cisco Firepower Management Center ...) NOT-FOR-US: Cisco CVE-2019-12686 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2019-12685 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2019-12684 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2019-12683 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2019-12682 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2019-12681 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2019-12680 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2019-12679 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2019-12678 (A vulnerability in the Session Initiation Protocol (SIP) inspection mo ...) NOT-FOR-US: Cisco CVE-2019-12677 (A vulnerability in the Secure Sockets Layer (SSL) VPN feature of Cisco ...) NOT-FOR-US: Cisco CVE-2019-12676 (A vulnerability in the Open Shortest Path First (OSPF) implementation ...) NOT-FOR-US: Cisco CVE-2019-12675 (Multiple vulnerabilities in the multi-instance feature of Cisco Firepo ...) NOT-FOR-US: Cisco CVE-2019-12674 (Multiple vulnerabilities in the multi-instance feature of Cisco Firepo ...) NOT-FOR-US: Cisco CVE-2019-12673 (A vulnerability in the FTP inspection engine of Cisco Adaptive Securit ...) NOT-FOR-US: Cisco CVE-2019-12672 (A vulnerability in the filesystem of Cisco IOS XE Software could allow ...) NOT-FOR-US: Cisco CVE-2019-12671 (A vulnerability in the CLI of Cisco IOS XE Software could allow an aut ...) NOT-FOR-US: Cisco CVE-2019-12670 (A vulnerability in the filesystem of Cisco IOS XE Software could allow ...) NOT-FOR-US: Cisco CVE-2019-12669 (A vulnerability in the RADIUS Change of Authorization (CoA) code of Ci ...) NOT-FOR-US: Cisco CVE-2019-12668 (A vulnerability in the web framework code of Cisco IOS and Cisco IOS X ...) NOT-FOR-US: Cisco CVE-2019-12667 (A vulnerability in the web framework code of Cisco IOS XE Software cou ...) NOT-FOR-US: Cisco CVE-2019-12666 (A vulnerability in the Guest Shell of Cisco IOS XE Software could allo ...) NOT-FOR-US: Cisco CVE-2019-12665 (A vulnerability in the HTTP client feature of Cisco IOS and IOS XE Sof ...) NOT-FOR-US: Cisco CVE-2019-12664 (A vulnerability in the Dialer interface feature for ISDN connections i ...) NOT-FOR-US: Cisco CVE-2019-12663 (A vulnerability in the Cisco TrustSec (CTS) Protected Access Credentia ...) NOT-FOR-US: Cisco CVE-2019-12662 (A vulnerability in Cisco NX-OS Software and Cisco IOS XE Software coul ...) NOT-FOR-US: Cisco CVE-2019-12661 (A vulnerability in a Virtualization Manager (VMAN) related CLI command ...) NOT-FOR-US: Cisco CVE-2019-12660 (A vulnerability in the CLI of Cisco IOS XE Software could allow an aut ...) NOT-FOR-US: Cisco CVE-2019-12659 (A vulnerability in the HTTP server code of Cisco IOS XE Software could ...) NOT-FOR-US: Cisco CVE-2019-12658 (A vulnerability in the filesystem resource management code of Cisco IO ...) NOT-FOR-US: Cisco CVE-2019-12657 (A vulnerability in Unified Threat Defense (UTD) in Cisco IOS XE Softwa ...) NOT-FOR-US: Cisco CVE-2019-12656 (A vulnerability in the IOx application environment of multiple Cisco p ...) NOT-FOR-US: Cisco CVE-2019-12655 (A vulnerability in the FTP application layer gateway (ALG) functionali ...) NOT-FOR-US: Cisco CVE-2019-12654 (A vulnerability in the common Session Initiation Protocol (SIP) librar ...) NOT-FOR-US: Cisco CVE-2019-12653 (A vulnerability in the Raw Socket Transport feature of Cisco IOS XE So ...) NOT-FOR-US: Cisco CVE-2019-12652 (A vulnerability in the ingress packet processing function of Cisco IOS ...) NOT-FOR-US: Cisco CVE-2019-12651 (Multiple vulnerabilities in the web-based user interface (Web UI) of C ...) NOT-FOR-US: Cisco CVE-2019-12650 (Multiple vulnerabilities in the web-based user interface (Web UI) of C ...) NOT-FOR-US: Cisco CVE-2019-12649 (A vulnerability in the Image Verification feature of Cisco IOS XE Soft ...) NOT-FOR-US: Cisco CVE-2019-12648 (A vulnerability in the IOx application environment for Cisco IOS Softw ...) NOT-FOR-US: Cisco CVE-2019-12647 (A vulnerability in the Ident protocol handler of Cisco IOS and IOS XE ...) NOT-FOR-US: Cisco CVE-2019-12646 (A vulnerability in the Network Address Translation (NAT) Session Initi ...) NOT-FOR-US: Cisco CVE-2019-12645 (A vulnerability in Cisco Jabber Client Framework (JCF) for Mac Softwar ...) NOT-FOR-US: Cisco CVE-2019-12644 (A vulnerability in the web-based management interface of Cisco Identit ...) NOT-FOR-US: Cisco CVE-2019-12643 (A vulnerability in the Cisco REST API virtual service container for Ci ...) NOT-FOR-US: Cisco CVE-2019-12642 RESERVED CVE-2019-12641 RESERVED CVE-2019-12640 RESERVED CVE-2019-12639 RESERVED CVE-2019-12638 (A vulnerability in the web-based management interface of Cisco Identit ...) NOT-FOR-US: Cisco CVE-2019-12637 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2019-12636 (A vulnerability in the web-based management interface of Cisco Small B ...) NOT-FOR-US: Cisco CVE-2019-12635 (A vulnerability in the authorization module of Cisco Content Security ...) NOT-FOR-US: Cisco CVE-2019-12634 (A vulnerability in the web-based management interface of Cisco Integra ...) NOT-FOR-US: Cisco CVE-2019-12633 (A vulnerability in Cisco Unified Contact Center Express (Unified CCX) ...) NOT-FOR-US: Cisco CVE-2019-12632 (A vulnerability in Cisco Finesse could allow an unauthenticated, remot ...) NOT-FOR-US: Cisco CVE-2019-12631 (A vulnerability in the web-based guest portal of Cisco Identity Servic ...) NOT-FOR-US: Cisco CVE-2019-12630 (A vulnerability in the Java deserialization function used by Cisco Sec ...) NOT-FOR-US: Cisco CVE-2019-12629 (A vulnerability in the WebUI of the Cisco SD-WAN Solution could allow ...) NOT-FOR-US: Cisco CVE-2019-12628 RESERVED CVE-2019-12627 (A vulnerability in the application policy configuration of the Cisco F ...) NOT-FOR-US: Cisco CVE-2019-12626 (A vulnerability in the web-based management interface of Cisco Unified ...) NOT-FOR-US: Cisco CVE-2019-12624 (A vulnerability in the web-based management interface of Cisco IOS XE ...) NOT-FOR-US: Cisco CVE-2019-12623 (A vulnerability in the web server functionality of Cisco Enterprise Ne ...) NOT-FOR-US: Cisco CVE-2019-12622 (A vulnerability in Cisco RoomOS Software could allow an authenticated, ...) NOT-FOR-US: Cisco CVE-2019-12621 (A vulnerability in Cisco HyperFlex Software could allow an unauthentic ...) NOT-FOR-US: Cisco CVE-2019-12620 (A vulnerability in the statistics collection service of Cisco HyperFle ...) NOT-FOR-US: Cisco CVE-2019-12619 (A vulnerability in the web interface for Cisco SD-WAN Solution vManage ...) NOT-FOR-US: Cisco CVE-2019-12618 (HashiCorp Nomad 0.9.0 through 0.9.1 has Incorrect Access Control via t ...) - nomad (Vulnerability introduced in 0.9.0) NOTE: https://www.hashicorp.com/blog/hashicorp-nomad-0-9-2 NOTE: https://github.com/hashicorp/nomad/issues/5783 CVE-2019-12617 (In SilverStripe through 4.3.3, there is access escalation for CMS user ...) NOT-FOR-US: SilverStripe CVE-2019-12616 (An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability wa ...) {DLA-1821-1} - phpmyadmin 4:4.9.1+dfsg1-2 (bug #930017) [stretch] - phpmyadmin (Minor issue; can be fixed via point release) NOTE: https://www.phpmyadmin.net/security/PMASA-2019-4/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/015c404038c44279d95b6430ee5a0dddc97691ec CVE-2019-12613 REJECTED CVE-2019-12612 (An issue was discovered in Bitdefender BOX firmware versions before 2. ...) NOT-FOR-US: Bitdefender BOX firmware CVE-2019-12611 (An issue was discovered in Bitdefender BOX firmware versions before 2. ...) NOT-FOR-US: Bitdefender BOX firmware CVE-2019-12610 RESERVED CVE-2019-12609 RESERVED CVE-2019-12608 RESERVED CVE-2019-12607 RESERVED CVE-2019-12606 RESERVED CVE-2019-12605 RESERVED CVE-2019-12604 RESERVED CVE-2019-12603 RESERVED CVE-2019-12602 RESERVED CVE-2019-12615 (An issue was discovered in get_vdev_port_node_info in arch/sparc/kerne ...) - linux 5.2.6-1 (unimportant) NOTE: https://git.kernel.org/linus/80caf43549e7e41a695c6d1e11066286538b336f NOTE: This is a potential null pointer dereference that looks like it can NOTE: only be invoked by root or the hypervisor. Probably no security impact. CVE-2019-12614 (An issue was discovered in dlpar_parse_cc_property in arch/powerpc/pla ...) - linux 5.3.7-1 (unimportant) [buster] - linux 4.19.98-1 [stretch] - linux 4.9.210-1 NOTE: https://lkml.org/lkml/2019/6/3/526 NOTE: This is a potential null pointer dereference that looks like it can NOTE: only be invoked by root or the hypervisor. Probably no security impact. CVE-2019-12601 (SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before ...) NOT-FOR-US: SuiteCRM CVE-2019-12600 (SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before ...) NOT-FOR-US: SuiteCRM CVE-2019-12599 (SuiteCRM 7.10.x before 7.10.17 and 7.11.x before 7.11.5 allows SQL Inj ...) NOT-FOR-US: SuiteCRM CVE-2019-12598 (SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before ...) NOT-FOR-US: SuiteCRM CVE-2019-12597 (An issue was discovered in Zoho ManageEngine AssetExplorer. There is X ...) NOT-FOR-US: Zoho ManageEngine AssetExplorer CVE-2019-12596 (An issue was discovered in Zoho ManageEngine AssetExplorer. There is X ...) NOT-FOR-US: Zoho ManageEngine AssetExplorer CVE-2019-12595 (An issue was discovered in Zoho ManageEngine AssetExplorer. There is X ...) NOT-FOR-US: Zoho ManageEngine AssetExplorer CVE-2019-12594 (DOSBox 0.74-2 has Incorrect Access Control. ...) {DSA-4478-1 DLA-1845-1} - dosbox 0.74-3-1 (bug #931222) NOTE: Fixed in 0.74-3 upstream. NOTE: https://github.com/Alexandre-Bartel/CVE-2019-12594 NOTE: Upstream clarification https://sourceforge.net/p/dosbox/bugs/508/ NOTE: Fixed by https://sourceforge.net/p/dosbox/code-0/4246/ CVE-2019-12593 (IceWarp Mail Server through 10.4.4 is prone to a local file inclusion ...) NOT-FOR-US: IceWarp Mail Server CVE-2019-12592 (A universal Cross-site scripting (UXSS) vulnerability in the Evernote ...) NOT-FOR-US: Evernote CVE-2019-12591 (NETGEAR Insight Cloud with firmware before Insight 5.6 allows remote a ...) NOT-FOR-US: NETGEAR CVE-2019-12590 RESERVED CVE-2019-12588 (The client 802.11 mac implementation in Espressif ESP8266_NONOS_SDK 2. ...) NOT-FOR-US: Espressif CVE-2019-12587 (The EAP peer implementation in Espressif ESP-IDF 2.0.0 through 4.0.0 a ...) NOT-FOR-US: Espressif CVE-2019-12586 (The EAP peer implementation in Espressif ESP-IDF 2.0.0 through 4.0.0 a ...) NOT-FOR-US: Espressif CVE-2019-12585 (Apcupsd 0.3.91_5, as used in pfSense through 2.4.4-RELEASE-p3 and othe ...) - apcupsd (Vulnerable code in pfSense-specific status page) CVE-2019-12584 (Apcupsd 0.3.91_5, as used in pfSense through 2.4.4-RELEASE-p3 and othe ...) - apcupsd (Vulnerable code in pfSense-specific status page) CVE-2019-12583 (Missing Access Control in the "Free Time" component of several Zyxel U ...) NOT-FOR-US: Zyxel CVE-2019-12582 REJECTED CVE-2019-12581 (A reflective Cross-site scripting (XSS) vulnerability in the free_time ...) NOT-FOR-US: Zyxel CVE-2019-12580 RESERVED CVE-2019-12579 (A vulnerability in the London Trust Media Private Internet Access (PIA ...) NOT-FOR-US: Private Internet Access client CVE-2019-12578 (A vulnerability in the London Trust Media Private Internet Access (PIA ...) NOT-FOR-US: Private Internet Access client CVE-2019-12577 (A vulnerability in the London Trust Media Private Internet Access (PIA ...) NOT-FOR-US: Private Internet Access client CVE-2019-12576 (A vulnerability in the London Trust Media Private Internet Access (PIA ...) NOT-FOR-US: Private Internet Access client CVE-2019-12575 (A vulnerability in the London Trust Media Private Internet Access (PIA ...) NOT-FOR-US: Private Internet Access client CVE-2019-12574 (A vulnerability in the London Trust Media Private Internet Access (PIA ...) NOT-FOR-US: Private Internet Access client CVE-2019-12573 (A vulnerability in the London Trust Media Private Internet Access (PIA ...) NOT-FOR-US: Private Internet Access client CVE-2019-12572 (A vulnerability in the London Trust Media Private Internet Access (PIA ...) NOT-FOR-US: London Trust Media Private Internet Access (PIA) VPN Client CVE-2019-12571 (A vulnerability in the London Trust Media Private Internet Access (PIA ...) NOT-FOR-US: Private Internet Access client CVE-2019-12570 (A SQL injection vulnerability in the Xpert Solution "Server Status by ...) NOT-FOR-US: Xpert Solution "Server Status by Hostname/IP" plugin for WordPress CVE-2019-12569 (A vulnerability in Viber before 10.7.0 for Desktop (Windows) could all ...) NOT-FOR-US: Viber CVE-2019-12568 (Stack-based overflow vulnerability in the logMess function in Open TFT ...) NOT-FOR-US: Open TFTP Server CVE-2019-12567 (Stack-based overflow vulnerability in the logMess function in Open TFT ...) NOT-FOR-US: Open TFTP Server CVE-2019-12566 (The WP Statistics plugin through 12.6.5 for Wordpress has stored XSS i ...) NOT-FOR-US: WP Statistics plugin for WordPress CVE-2019-12565 RESERVED CVE-2019-12564 (In DouCo DouPHP v1.5 Release 20190516, remote attackers can view the d ...) NOT-FOR-US: DouCo DouPHP CVE-2019-12563 RESERVED CVE-2019-12562 (Stored Cross-Site Scripting in DotNetNuke (DNN) Version before 9.4.0 a ...) NOT-FOR-US: DNN CVE-2019-12561 RESERVED CVE-2019-12560 RESERVED CVE-2019-12559 RESERVED CVE-2019-12558 RESERVED CVE-2019-12557 RESERVED CVE-2019-12556 RESERVED CVE-2019-12555 (In SweetScape 010 Editor 9.0.1, improper validation of arguments in th ...) NOT-FOR-US: SweetScape 010 Editor CVE-2019-12554 (In SweetScape 010 Editor 9.0.1, improper validation of arguments in th ...) NOT-FOR-US: SweetScape 010 Editor CVE-2019-12553 (In SweetScape 010 Editor 9.0.1, improper validation of arguments in th ...) NOT-FOR-US: SweetScape 010 Editor CVE-2019-12552 (In SweetScape 010 Editor 9.0.1, an integer overflow during the initial ...) NOT-FOR-US: SweetScape 010 Editor CVE-2019-12551 (In SweetScape 010 Editor 9.0.1, improper validation of arguments in th ...) NOT-FOR-US: SweetScape 010 Editor CVE-2019-12550 (WAGO 852-303 before FW06, 852-1305 before FW06, and 852-1505 before FW ...) NOT-FOR-US: WAGO devices CVE-2019-12549 (WAGO 852-303 before FW06, 852-1305 before FW06, and 852-1505 before FW ...) NOT-FOR-US: WAGO devices CVE-2019-12548 (Bludit before 3.9.0 allows remote code execution for an authenticated ...) NOT-FOR-US: bludit CVE-2019-12547 RESERVED CVE-2019-12546 RESERVED CVE-2019-12545 RESERVED CVE-2019-12544 RESERVED CVE-2019-12543 (An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. The ...) NOT-FOR-US: Zoho ManageEngine ServiceDesk CVE-2019-12542 (An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. The ...) NOT-FOR-US: Zoho ManageEngine ServiceDesk CVE-2019-12541 (An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. The ...) NOT-FOR-US: Zoho ManageEngine ServiceDesk CVE-2019-12540 (An issue was discovered in Zoho ManageEngine ServiceDesk Plus 10.5. Th ...) NOT-FOR-US: Zoho ManageEngine ServiceDesk CVE-2019-12539 (An issue was discovered in the Purchase component of Zoho ManageEngine ...) NOT-FOR-US: Zoho ManageEngine ServiceDesk Plus CVE-2019-12538 (An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. The ...) NOT-FOR-US: Zoho ManageEngine ServiceDesk CVE-2019-12537 (An issue was discovered in Zoho ManageEngine AssetExplorer. There is X ...) NOT-FOR-US: Zoho ManageEngine AssetExplorer CVE-2019-12536 RESERVED CVE-2019-12535 RESERVED CVE-2019-12534 RESERVED CVE-2019-12533 RESERVED CVE-2019-12532 (Improper access control in the Insyde software tools may allow an auth ...) NOT-FOR-US: Insyde software tools CVE-2019-12531 RESERVED CVE-2019-12530 (Incorrect access control was discovered in the stdonato Dashboard plug ...) NOT-FOR-US: Dashboard plugin for GLPI CVE-2019-12529 (An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x through ...) {DSA-4507-1 DLA-1858-1} - squid 4.8-1 - squid3 NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_2.txt NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-dd46b5417809647f561d8a5e0e74c3aacd235258.patch CVE-2019-12528 (An issue was discovered in Squid before 4.10. It allows a crafted FTP ...) {DSA-4682-1} - squid 4.10-1 (bug #950925) - squid3 NOTE: http://www.squid-cache.org/Advisories/SQUID-2020_2.txt NOTE: Squid 3: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-8cdb18ca1829a0b7faa1c9e472604ed0e7e105ac.patch NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-c1bebac9c1135b7add6589db35c62f16db195b8f.patch CVE-2019-12527 (An issue was discovered in Squid 4.0.23 through 4.7. When checking Bas ...) {DSA-4507-1} - squid 4.8-1 - squid3 (Vulnerable code introduced in 4.0.23) NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_5.txt NOTE: http://www.squid-cache.org/Versions/v4/changesets/squid-4-7f73e9c5d17664b882ed32590e6af310c247f320.patch NOTE: The code in squid 3.x limits the amount of input data decoded to one byte less NOTE: than the length of the target buffer, whilst in 4.x the entire input is decoded NOTE: without regard for the size of the target buffer. CVE-2019-12526 (An issue was discovered in Squid before 4.9. URN response handling in ...) {DSA-4682-1 DLA-2028-1} - squid 4.9-1 - squid3 NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-7aa0184a720fd216191474e079f4fe87de7c4f5a.patch NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_7.txt CVE-2019-12525 (An issue was discovered in Squid 3.3.9 through 3.5.28 and 4.x through ...) {DSA-4507-1 DLA-1858-1} - squid 4.8-1 - squid3 NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_3.txt NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-409956536647b3a05ee1e367424a24ae6b8f13fd.patch NOTE: Squid 3.5: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-ec0d0f39cf28da14eead0ba5e777e95855bc2f67.patch CVE-2019-12524 (An issue was discovered in Squid through 4.7. When handling requests f ...) {DSA-4682-1} - squid 4.8-1 - squid3 NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_4.txt NOTE: http://www.squid-cache.org/Versions/v4/changesets/SQUID-2019_4.patch CVE-2019-12523 (An issue was discovered in Squid before 4.9. When handling a URN reque ...) {DSA-4682-1} - squid 4.9-1 - squid3 NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_8.txt NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-fbbdf75efd7a5cc244b4886a9d42ea458c5a3a73.patch CVE-2019-12522 (An issue was discovered in Squid through 4.7. When Squid is run as roo ...) TODO: check CVE-2019-12521 (An issue was discovered in Squid through 4.7. When Squid is parsing ES ...) {DSA-4682-1} - squid 4.11-1 - squid3 NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_12.txt NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-fdd4123629320aa1ee4c3481bb392437c90d188d.patch CVE-2019-12520 (An issue was discovered in Squid through 4.7 and 5. When receiving a r ...) {DSA-4682-1} - squid 4.8-1 - squid3 NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_4.txt NOTE: http://www.squid-cache.org/Versions/v4/changesets/SQUID-2019_4.patch CVE-2019-12519 (An issue was discovered in Squid through 4.7. When handling the tag es ...) {DSA-4682-1} - squid 4.11-1 - squid3 NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_12.txt NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-fdd4123629320aa1ee4c3481bb392437c90d188d.patch CVE-2017-18376 (An improper authorization check in the User API in TheHive before 2.13 ...) NOT-FOR-US: User API in TheHive Project CVE-2019-12518 (Anviz CrossChex access control management software 4.3.8.0 and 4.3.12 ...) NOT-FOR-US: Anviz CrossChex CVE-2019-12517 (An XSS issue was discovered in the slickquiz plugin through 1.3.7.1 fo ...) NOT-FOR-US: slickquiz plugin for WordPress CVE-2019-12516 (The slickquiz plugin through 1.3.7.1 for WordPress allows SQL Injectio ...) NOT-FOR-US: slickquiz plugin for WordPress CVE-2019-12515 (There is an out-of-bounds read vulnerability in the function FlateStre ...) - xpdf (xpdf in Debian uses poppler, which is not affected or fixed) NOTE: https://github.com/PanguL4b/pocs/tree/master/xpdf/out-of-bounds-read-in-FlateStream__getChar CVE-2019-12514 RESERVED CVE-2019-12513 (In NETGEAR Nighthawk X10-R900 prior to 1.0.4.24, by sending a DHCP dis ...) NOT-FOR-US: Netgear CVE-2019-12512 (In NETGEAR Nighthawk X10-R900 prior to 1.0.4.24, an attacker may execu ...) NOT-FOR-US: Netgear CVE-2019-12511 (In NETGEAR Nighthawk X10-R9000 prior to 1.0.4.26, an attacker may exec ...) NOT-FOR-US: Netgear CVE-2019-12510 (In NETGEAR Nighthawk X10-R900 prior to 1.0.4.26, an attacker may bypas ...) NOT-FOR-US: Netgear CVE-2019-12509 RESERVED CVE-2019-12508 RESERVED CVE-2019-12507 (An XSS vulnerability exists in PHPRelativePath (aka Relative Path) thr ...) NOT-FOR-US: Relative Path PHP library CVE-2019-12506 (Due to unencrypted and unauthenticated data communication, the wireles ...) NOT-FOR-US: Logitech CVE-2019-12505 (Due to unencrypted and unauthenticated data communication, the wireles ...) NOT-FOR-US: Inateck CVE-2019-12504 (Due to unencrypted and unauthenticated data communication, the wireles ...) NOT-FOR-US: Inateck CVE-2019-12503 (Due to unencrypted and unauthenticated data communication, the wireles ...) NOT-FOR-US: Inateck CVE-2019-12502 (There is a lack of CSRF countermeasures on MOBOTIX S14 MX-V4.2.1.61 ca ...) NOT-FOR-US: MOBOTIX cameras CVE-2019-12501 RESERVED CVE-2019-12500 (The Xiaomi M365 scooter 2019-02-12 before 1.5.1 allows spoofing of "su ...) NOT-FOR-US: Xiaomi M365 scooter CVE-2019-12498 (The WP Live Chat Support plugin before 8.0.33 for WordPress accepts ce ...) NOT-FOR-US: WP Live Chat Support plugin for WordPress CVE-2019-12497 (An issue was discovered in Open Ticket Request System (OTRS) 7.0.x thr ...) {DLA-1816-1} - otrs2 6.0.19-1 [buster] - otrs2 (Non-free not supported) [stretch] - otrs2 (Non-free not supported) NOTE: https://community.otrs.com/security-advisory-2019-09-security-update-for-otrs-framework/ NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/f8bcf08dfc5f06915c1352c07e5f626f9b5ecfc2 NOTE: OTRS 5: https://github.com/OTRS/otrs/commit/d4cc3f0e24937fa53870132003aec6af460b9b57 CVE-2019-12496 (An issue was discovered in Hybrid Group Gobot before 1.13.0. The mqtt ...) NOT-FOR-US: Hybrid Group Gobot CVE-2019-12495 (An issue was discovered in Tiny C Compiler (aka TinyCC or TCC) 0.9.27. ...) - tcc (bug #929872) [buster] - tcc (Minor issue) [stretch] - tcc (Minor issue) [jessie] - tcc (Minor issue) NOTE: https://lists.nongnu.org/archive/html/tinycc-devel/2019-05/msg00044.html NOTE: https://repo.or.cz/tinycc.git/commit/d04ce7772c2bc2781ab2502e0b1f1964488814b5 CVE-2019-12494 (In Gardener before 0.20.0, incorrect access control in seed clusters a ...) NOT-FOR-US: Gardener CVE-2019-12493 (A stack-based buffer over-read exists in PostScriptFunction::transform ...) {DLA-1939-1} - xpdf (xpdf in Debian uses poppler, which is not affected or fixed) - poppler 0.44.0-2 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/37840827c4073dedfd37915a74eb8fe0c44843c3 CVE-2019-12492 (Gallagher Command Centre before 7.80.939, 7.90.x before 7.90.961, and ...) NOT-FOR-US: Gallagher Command Centre CVE-2019-12491 (OnApp before 5.0.0-88, 5.5.0-93, and 6.0.0-196 allows an attacker to r ...) NOT-FOR-US: OnApp CVE-2019-12490 (An issue was discovered in Simple Machines Forum (SMF) before 2.0.16. ...) NOT-FOR-US: Simple Machines Forum (SMF) CVE-2019-12489 (An issue was discovered on Fastweb Askey RTV1907VW 0.00.81_FW_200_Aske ...) NOT-FOR-US: Fastweb Askey RTV1907VW devices CVE-2019-12488 RESERVED CVE-2019-12487 RESERVED CVE-2019-12486 RESERVED CVE-2019-12485 RESERVED CVE-2019-12484 RESERVED CVE-2019-12483 (An issue was discovered in GPAC 0.7.1. There is a heap-based buffer ov ...) {DLA-1841-1} - gpac (bug #931088) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/1249 NOTE: https://github.com/gpac/gpac/commit/f40aaaf959d4d1f7fa0dcd04c0666592e615c8f1 CVE-2019-12482 (An issue was discovered in GPAC 0.7.1. There is a NULL pointer derefer ...) {DLA-1841-1} - gpac (bug #931088) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/1249 NOTE: https://github.com/gpac/gpac/commit/f40aaaf959d4d1f7fa0dcd04c0666592e615c8f1 CVE-2019-12481 (An issue was discovered in GPAC 0.7.1. There is a NULL pointer derefer ...) {DLA-1841-1} - gpac (bug #931088) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/1249 NOTE: https://github.com/gpac/gpac/commit/f40aaaf959d4d1f7fa0dcd04c0666592e615c8f1 CVE-2019-12480 (BACnet Protocol Stack through 0.8.6 has a segmentation fault leading t ...) NOT-FOR-US: BACnet Protocol Stack CVE-2019-12479 (An issue was discovered in 20|20 Storage 2.11.0. A Path Traversal vuln ...) NOT-FOR-US: 20|20 Storage CVE-2019-12478 RESERVED CVE-2019-12477 (Supra Smart Cloud TV allows remote file inclusion in the openLiveURL f ...) NOT-FOR-US: Supra Smart Cloud TV CVE-2019-12476 (An authentication bypass vulnerability in the password reset functiona ...) NOT-FOR-US: Zoho ManageEngine ADSelfService Plus CVE-2019-12475 (In MicroStrategy Web before 10.4.6, there is stored XSS in metric due ...) NOT-FOR-US: MicroStrategy Web CVE-2019-12474 (Wikimedia MediaWiki 1.23.0 through 1.32.1 has an information leak. Pri ...) {DSA-4460-1} - mediawiki 1:1.31.2-1 NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2019-June/092152.html NOTE: https://phabricator.wikimedia.org/T212118 CVE-2019-12473 (Wikimedia MediaWiki 1.27.0 through 1.32.1 might allow DoS. Passing inv ...) {DSA-4460-1} - mediawiki 1:1.31.2-1 NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2019-June/092152.html NOTE: https://phabricator.wikimedia.org/T204729 CVE-2019-12472 (An Incorrect Access Control vulnerability was found in Wikimedia Media ...) {DSA-4460-1} - mediawiki 1:1.31.2-1 NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2019-June/092152.html NOTE: https://phabricator.wikimedia.org/T199540 CVE-2019-12471 (Wikimedia MediaWiki 1.30.0 through 1.32.1 has XSS. Loading user JavaSc ...) {DSA-4460-1} - mediawiki 1:1.31.2-1 NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2019-June/092152.html NOTE: https://phabricator.wikimedia.org/T207603 CVE-2019-12470 (Wikimedia MediaWiki through 1.32.1 has Incorrect Access Control. Suppr ...) {DSA-4460-1} - mediawiki 1:1.31.2-1 NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2019-June/092152.html NOTE: https://phabricator.wikimedia.org/T222038 CVE-2019-12469 (MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed user ...) {DSA-4460-1} - mediawiki 1:1.31.2-1 NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2019-June/092152.html NOTE: https://phabricator.wikimedia.org/T222036 CVE-2019-12468 (An Incorrect Access Control vulnerability was found in Wikimedia Media ...) {DSA-4460-1} - mediawiki 1:1.31.2-1 NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2019-June/092152.html NOTE: https://phabricator.wikimedia.org/T197279 CVE-2019-12467 (MediaWiki through 1.32.1 has Incorrect Access Control (issue 1 of 3). ...) {DSA-4460-1} - mediawiki 1:1.31.2-1 NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2019-June/092152.html NOTE: https://phabricator.wikimedia.org/T209794 CVE-2019-12466 (Wikimedia MediaWiki through 1.32.1 allows CSRF. ...) {DSA-4460-1} - mediawiki 1:1.31.2-1 NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2019-June/092152.html NOTE: https://phabricator.wikimedia.org/T25227 CVE-2019-12465 (An issue was discovered in LibreNMS 1.50.1. A SQL injection flaw was i ...) NOT-FOR-US: LibreNMS CVE-2019-12464 (An issue was discovered in LibreNMS 1.50.1. An authenticated user can ...) NOT-FOR-US: LibreNMS CVE-2019-12463 (An issue was discovered in LibreNMS 1.50.1. The scripts that handle gr ...) NOT-FOR-US: LibreNMS CVE-2019-12462 RESERVED CVE-2019-12461 (Web Port 1.19.1 allows XSS via the /log type parameter. ...) NOT-FOR-US: Web Port CVE-2019-12460 (Web Port 1.19.1 allows XSS via the /access/setup type parameter. ...) NOT-FOR-US: Web Port CVE-2019-12459 (FileRun 2019.05.21 allows customizables/plugins/audio_player Directory ...) NOT-FOR-US: FileRun CVE-2019-12458 (FileRun 2019.05.21 allows css/ext-ux Directory Listing. This issue has ...) NOT-FOR-US: FileRun CVE-2019-12457 (FileRun 2019.05.21 allows images/extjs Directory Listing. This issue h ...) NOT-FOR-US: FileRun CVE-2018-20840 (An unhandled exception vulnerability exists during Google Sign-In with ...) NOT-FOR-US: Google Sign-In CVE-2019-12499 (Firejail before 0.9.60 allows truncation (resizing to length 0) of the ...) - firejail 0.9.58.2-2 (bug #929733) [stretch] - firejail (Minor issue) NOTE: https://github.com/netblue30/firejail/issues/2401 NOTE: https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134 CVE-2019-12589 (In Firejail before 0.9.60, seccomp filters are writable inside the jai ...) - firejail 0.9.58.2-2 (bug #929732) [stretch] - firejail (Minor issue) NOTE: https://github.com/netblue30/firejail/issues/2718 NOTE: https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134 CVE-2019-12456 (** DISPUTED ** An issue was discovered in the MPT3COMMAND case in _ctl ...) - linux (unimportant) NOTE: The double-fetched value is not used after the second fetch, thus an invalid issue NOTE: from security impact perspective. CVE should probably be rejected. CVE-2019-12455 (** DISPUTED ** An issue was discovered in sunxi_divs_clk_setup in driv ...) - linux (unimportant) NOTE: No/negligible security impact CVE-2019-12454 (** DISPUTED ** An issue was discovered in wcd9335_codec_enable_dec in ...) - linux (Vulnerable code not present, introduced in 5.1-rc1) CVE-2019-12453 (In MicroStrategy Web before 10.1 patch 10, stored XSS is possible in t ...) NOT-FOR-US: MicroStrategy Web CVE-2019-12452 (types/types.go in Containous Traefik 1.7.x through 1.7.11, when the -- ...) NOT-FOR-US: Containous Traefik CVE-2019-12451 RESERVED CVE-2019-13012 (The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.60.0 ...) {DLA-1866-2 DLA-1866-1} [experimental] - glib2.0 2.60.0-1 - glib2.0 2.60.5-1 (bug #931234) [buster] - glib2.0 2.58.3-2+deb10u1 [stretch] - glib2.0 2.50.3-2+deb9u1 NOTE: https://gitlab.gnome.org/GNOME/glib/issues/1658 NOTE: https://gitlab.gnome.org/GNOME/glib/merge_requests/450 NOTE: https://gitlab.gnome.org/GNOME/glib/commit/5e4da714f00f6bfb2ccd6d73d61329c6f3a08429 CVE-2019-12450 (file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 ...) {DLA-1826-1} - glib2.0 2.58.3-2 (bug #929753) [stretch] - glib2.0 2.50.3-2+deb9u1 NOTE: https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174 CVE-2019-12449 (An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gv ...) - gvfs 1.38.1-4 (bug #929755) [stretch] - gvfs (Minor issue) [jessie] - gvfs (Vulnerable code introduced later) NOTE: https://gitlab.gnome.org/GNOME/gvfs/commit/d5dfd823c94045488aef8727c553f1e0f7666b90 CVE-2019-12448 (An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gv ...) - gvfs 1.38.1-4 (bug #929755) [stretch] - gvfs (Minor issue) [jessie] - gvfs (Vulnerable code introduced later) NOTE: https://gitlab.gnome.org/GNOME/gvfs/commit/5cd76d627f4d1982b6e77a0e271ef9301732d09e CVE-2019-12447 (An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gv ...) - gvfs 1.38.1-4 (bug #929755) [stretch] - gvfs (Minor issue) [jessie] - gvfs (Vulnerable code introduced later) NOTE: https://gitlab.gnome.org/GNOME/gvfs/commit/daf1163aba229afcfddf0f925aef7e97047e8959 NOTE: https://gitlab.gnome.org/GNOME/gvfs/commit/3895e09d784ebec0fbc4614d5c37068736120e1d CVE-2019-12446 (An issue was discovered in GitLab Community and Enterprise Edition 8.3 ...) [experimental] - gitlab 11.10.5+dfsg-1 - gitlab 12.6.8-3 (bug #930004) NOTE: https://about.gitlab.com/2019/06/03/security-release-gitlab-11-dot-11-dot-1-released/ CVE-2019-12445 (An issue was discovered in GitLab Community and Enterprise Edition 8.4 ...) [experimental] - gitlab 11.10.5+dfsg-1 - gitlab 12.6.8-3 (bug #930004) NOTE: https://about.gitlab.com/2019/06/03/security-release-gitlab-11-dot-11-dot-1-released/ CVE-2019-12444 (An issue was discovered in GitLab Community and Enterprise Edition 8.9 ...) [experimental] - gitlab 11.10.5+dfsg-1 - gitlab 12.6.8-3 (bug #930004) NOTE: https://about.gitlab.com/2019/06/03/security-release-gitlab-11-dot-11-dot-1-released/ CVE-2019-12443 (An issue was discovered in GitLab Community and Enterprise Edition 10. ...) [experimental] - gitlab 11.10.5+dfsg-1 - gitlab 12.6.8-3 (bug #930004) NOTE: https://about.gitlab.com/2019/06/03/security-release-gitlab-11-dot-11-dot-1-released/ CVE-2019-12442 (An issue was discovered in GitLab Enterprise Edition 11.7 through 11.1 ...) [experimental] - gitlab 11.10.5+dfsg-1 - gitlab 12.6.8-3 (bug #930004) NOTE: https://about.gitlab.com/2019/06/03/security-release-gitlab-11-dot-11-dot-1-released/ CVE-2019-12441 (An issue was discovered in GitLab Community and Enterprise Edition 8.4 ...) [experimental] - gitlab 11.10.5+dfsg-1 - gitlab 12.6.8-3 (bug #930004) NOTE: https://about.gitlab.com/2019/06/03/security-release-gitlab-11-dot-11-dot-1-released/ CVE-2019-12440 (The Sitecore Rocks plugin before 2.1.149 for Sitecore allows an unauth ...) NOT-FOR-US: Sitecore CMS CVE-2019-12438 RESERVED CVE-2019-12437 (In SilverStripe through 4.3.3, the previous fix for SS-2018-007 does n ...) NOT-FOR-US: SilverStripe CVE-2019-12436 (Samba 4.10.x before 4.10.5 has a NULL pointer dereference, leading to ...) - samba (Only affects Samba since 4.10.0) NOTE: https://www.samba.org/samba/security/CVE-2019-12436.html CVE-2019-12435 (Samba 4.9.x before 4.9.9 and 4.10.x before 4.10.5 has a NULL pointer d ...) - samba 2:4.9.5+dfsg-5 (bug #930748) [stretch] - samba (Only affects Samba since 4.9) [jessie] - samba (Only affects Samba since 4.9) NOTE: https://www.samba.org/samba/security/CVE-2019-12435.html CVE-2019-12434 (An issue was discovered in GitLab Community and Enterprise Edition 10. ...) [experimental] - gitlab 11.10.5+dfsg-1 - gitlab 12.6.8-3 (bug #930004) NOTE: https://about.gitlab.com/2019/06/03/security-release-gitlab-11-dot-11-dot-1-released/ CVE-2019-12433 (An issue was discovered in GitLab Community and Enterprise Edition 11. ...) [experimental] - gitlab 11.10.5+dfsg-1 - gitlab 12.6.8-3 (bug #930004) NOTE: https://about.gitlab.com/2019/06/03/security-release-gitlab-11-dot-11-dot-1-released/ CVE-2019-12432 (An issue was discovered in GitLab Community and Enterprise Edition 8.1 ...) [experimental] - gitlab 11.10.5+dfsg-1 - gitlab 12.6.8-3 (bug #930004) NOTE: https://about.gitlab.com/2019/06/03/security-release-gitlab-11-dot-11-dot-1-released/ CVE-2019-12431 (An issue was discovered in GitLab Community and Enterprise Edition 8.1 ...) [experimental] - gitlab 11.10.5+dfsg-1 - gitlab 12.6.8-3 (bug #930004) NOTE: https://about.gitlab.com/2019/06/03/security-release-gitlab-11-dot-11-dot-1-released/ CVE-2019-12430 (An issue was discovered in GitLab Community and Enterprise Edition 11. ...) - gitlab (Only affects 11.11) NOTE: https://about.gitlab.com/2019/06/03/security-release-gitlab-11-dot-11-dot-1-released/ CVE-2019-12429 (An issue was discovered in GitLab Community and Enterprise Edition 11. ...) - gitlab (Only affects 11.9 and later) NOTE: https://about.gitlab.com/2019/06/03/security-release-gitlab-11-dot-11-dot-1-released/ CVE-2019-12428 (An issue was discovered in GitLab Community and Enterprise Edition 6.8 ...) [experimental] - gitlab 11.10.5+dfsg-1 - gitlab 12.6.8-3 (bug #930004) NOTE: https://about.gitlab.com/2019/06/03/security-release-gitlab-11-dot-11-dot-1-released/ CVE-2019-12427 (Zimbra Collaboration before 8.8.15 Patch 1 is vulnerable to a non-pers ...) NOT-FOR-US: Zimbra Collaboration CVE-2019-12426 (an unauthenticated user could get access to information of some backen ...) NOT-FOR-US: Apache OFBiz CVE-2019-12425 (Apache OFBiz 17.12.01 is vulnerable to Host header injection by accept ...) NOT-FOR-US: Apache OFBiz CVE-2019-12424 REJECTED CVE-2019-12423 (Apache CXF ships with a OpenId Connect JWK Keys service, which allows ...) NOT-FOR-US: Apache CFX CVE-2019-12422 (Apache Shiro before 1.4.2, when using the default "remember me" config ...) - shiro (low; bug #947945) [buster] - shiro (Minor issue) [stretch] - shiro (Minor issue) [jessie] - shiro (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2019/11/18/1 NOTE: Fixed by https://github.com/apache/shiro/commit/44f6548b97610cdf661976969d5735c0be14a57b#diff-a8fc9cf5d6f24966aa18cdf0850a730e CVE-2019-12421 (When using an authentication mechanism other than PKI, when the user c ...) NOT-FOR-US: Apache NiFi CVE-2019-12420 (In Apache SpamAssassin before 3.4.3, a message can be crafted in a way ...) {DSA-4584-1 DLA-2037-1} - spamassassin 3.4.3~rc6-1 (bug #946653) NOTE: https://www.openwall.com/lists/oss-security/2019/12/12/2 NOTE: https://markmail.org/message/pyp425yrulfxyhrn NOTE: https://svn.apache.org/r1866128 CVE-2019-12419 (Apache CXF before 3.3.4 and 3.2.11 provides all of the components that ...) NOT-FOR-US: Apache CFX CVE-2019-12418 (When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0. ...) {DSA-4680-1 DSA-4596-1 DLA-2155-1 DLA-2077-1} - tomcat9 9.0.31-1 - tomcat8 - tomcat7 NOTE: https://github.com/apache/tomcat/commit/1fc9f589dbdd8295cf313b2667ab041c425f99c3 (9.0.29) NOTE: https://github.com/apache/tomcat/commit/a91d7db4047d372b2f12999d3cf2bc3254c20d00 (8.5.48) NOTE: https://github.com/apache/tomcat/commit/bef3f40400243348d12f4abfe9b413f43897c02b (7.0.98) CVE-2019-12417 (A malicious admin user could edit the state of objects in the Airflow ...) - airflow (bug #819700) CVE-2019-12416 (we got reports for 2 injection attacks against the DeltaSpike windowha ...) NOT-FOR-US: DeltaSpike CVE-2019-12415 (In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to conv ...) - libapache-poi-java (bug #943565) [buster] - libapache-poi-java (Minor issue) [stretch] - libapache-poi-java (Minor issue) [jessie] - libapache-poi-java (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2019/10/23/1 CVE-2019-12414 (In Apache Incubator Superset before 0.32, a user can view database nam ...) NOT-FOR-US: Apache Superset CVE-2019-12413 (In Apache Incubator Superset before 0.31 user could query database met ...) NOT-FOR-US: Apache Superset CVE-2019-12411 RESERVED CVE-2019-12410 (While investigating UBSAN errors in https://github.com/apache/arrow/pu ...) NOT-FOR-US: Apache Arrow CVE-2019-12409 (The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure settin ...) - lucene-solr (Vulnerable code was introduced later) NOTE: https://lists.apache.org/thread.html/6640c7e370fce2b74e466a605a46244ccc40666ad9e3064a4e04a85d@%3Csolr-user.lucene.apache.org%3E CVE-2019-12408 (It was discovered that the C++ implementation (which underlies the R, ...) NOT-FOR-US: Apache Arrow CVE-2019-12407 (On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin ...) - jspwiki CVE-2019-12406 (Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of mes ...) NOT-FOR-US: Apache CFX CVE-2019-12405 (Improper authentication is possible in Apache Traffic Control versions ...) NOT-FOR-US: Apache Traffic Control CVE-2019-12404 (On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin ...) - jspwiki CVE-2019-12403 REJECTED CVE-2019-12402 (The file name encoding algorithm used internally in Apache Commons Com ...) - libcommons-compress-java 1.18-3 (low; bug #939610) [buster] - libcommons-compress-java (Minor issue) [stretch] - libcommons-compress-java (Vulnerable code introduced later) [jessie] - libcommons-compress-java (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2019/08/27/1 NOTE: Fixed in upstream commit: https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commitdiff;h=4ad5d80a6272e007f64a6ac66829ca189a8093b9;hp=16a0c84e84b93cc8c107b7ff3080bd11317ab581 CVE-2019-12401 (Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are v ...) - lucene-solr (system libraries of libwoodstox-java and libstax-api-java are used in Debian) NOTE: https://issues.apache.org/jira/browse/SOLR-13750 NOTE: https://www.openwall.com/lists/oss-security/2019/09/10/1 NOTE: Upstream's fix (upgrading dependencies) suggests the issue is in libwoodstox-java: NOTE: https://issues.apache.org/jira/browse/SOLR-6830 NOTE: May be related to the change in the 4.x series of libwoodstox-java to NOTE: disabling coalescing by default which can trigger large memory consumption NOTE: when parsing specially crafted XML data. CVE-2019-12400 (In version 2.0.3 Apache Santuario XML Security for Java, a caching mec ...) - libxml-security-java (bug #935548) [stretch] - libxml-security-java (Vulnerable code introduced in 2.0.3) [jessie] - libxml-security-java (Vulnerable code introduced in 2.0.3) NOTE: http://santuario.apache.org/secadv.data/CVE-2019-12400.asc CVE-2019-12399 (When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0 ...) - kafka (bug #786460) CVE-2019-12398 (In Apache Airflow before 1.10.5 when running with the "classic" UI, a ...) - airflow (bug #819700) CVE-2019-12397 (Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnera ...) NOT-FOR-US: Apache Ranger CVE-2019-12396 REJECTED CVE-2019-12395 (In Webbukkit Dynmap 3.0-beta-3 or below, due to a missing login check ...) NOT-FOR-US: Webbukkit Dynmap CVE-2019-12394 (Anviz access control devices allow unverified password change which al ...) NOT-FOR-US: Anviz CVE-2019-12393 (Anviz access control devices are vulnerable to replay attacks which co ...) NOT-FOR-US: Anviz CVE-2019-12392 (Anviz access control devices allow remote attackers to issue commands ...) NOT-FOR-US: Anviz CVE-2019-12391 (The Anviz Management System for access control has insufficient loggin ...) NOT-FOR-US: Anviz CVE-2019-12390 (Anviz access control devices expose private Information (pin code and ...) NOT-FOR-US: Anviz CVE-2019-12389 (Anviz access control devices expose credentials (names and passwords) ...) NOT-FOR-US: Anviz CVE-2019-12388 (Anviz access control devices perform cleartext transmission of sensiti ...) NOT-FOR-US: Anviz CVE-2019-12387 (In Twisted before 19.2.1, twisted.web did not validate or sanitize URI ...) - twisted 18.9.0-7 (bug #930389) [buster] - twisted (Minor issue) [stretch] - twisted (Minor issue) [jessie] - twisted (Minor issue) NOTE: https://github.com/twisted/twisted/commit/6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2 CVE-2019-12386 (An issue was discovered in Ampache through 3.9.1. A stored XSS exists ...) {DLA-1988-1} - ampache NOTE: https://github.com/ampache/ampache/issues/1872 NOTE: according to the github issue, it is not really fixed yet CVE-2019-12385 (An issue was discovered in Ampache through 3.9.1. The search engine is ...) {DLA-1988-1} - ampache NOTE: https://github.com/ampache/ampache/issues/1872 NOTE: according to the github issue, it is not really fixed yet CVE-2019-12384 (FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to ...) {DLA-1831-1} - jackson-databind 2.9.8-3 (bug #930750) [stretch] - jackson-databind 2.8.6-1+deb9u6 NOTE: https://github.com/FasterXML/jackson-databind/issues/2334 NOTE: https://github.com/FasterXML/jackson-databind/commit/c9ef4a10d6f6633cf470d6a469514b68fa2be234 CVE-2019-12383 (Tor Browser before 8.0.1 has an information exposure vulnerability. It ...) - firefox-esr (unimportant) - firefox (unimportant) NOTE: https://gitweb.torproject.org/tor-browser.git/commit/?id=cbb04b72c68272c2de42f157d40cd7d29a6b7b55 NOTE: https://hackerone.com/reports/282748 NOTE: https://trac.torproject.org/projects/tor/ticket/24056 NOTE: This affects Firefox, but it's not a security issue in Firefox by itself CVE-2019-12382 (** DISPUTED ** An issue was discovered in drm_load_edid_firmware in dr ...) - linux (unimportant) NOTE: Issue with no security impact, see kernel-sec, invalid issue CVE-2019-12381 (** DISPUTED ** An issue was discovered in ip_ra_control in net/ipv4/ip ...) - linux (unimportant) NOTE: Issue with no security impact, see kernel-sec, invalid issue CVE-2019-12380 (**DISPUTED** An issue was discovered in the efi subsystem in the Linux ...) - linux (unimportant) NOTE: No security impact, all code involved runs at boot before userland starts CVE-2019-12379 (** DISPUTED ** An issue was discovered in con_insert_unipair in driver ...) - linux (unimportant) NOTE: No real security issue and fix introduces real security issue, see kernel-sec CVE-2019-12378 (** DISPUTED ** An issue was discovered in ip6_ra_control in net/ipv6/i ...) - linux (unimportant) NOTE: Issue with no security impact, see kernel-sec, invalid issue CVE-2019-12377 (A vulnerable upl/async_upload.asp web API endpoint in Ivanti LANDESK M ...) NOT-FOR-US: LANDESK CVE-2019-12376 (Use of a hard-coded encryption key in Ivanti LANDESK Management Suite ...) NOT-FOR-US: LANDESK CVE-2019-12375 (Open directories in Ivanti LANDESK Management Suite (LDMS, aka Endpoin ...) NOT-FOR-US: LANDESK CVE-2019-12374 (A SQL Injection vulnerability exists in Ivanti LANDESK Management Suit ...) NOT-FOR-US: LANDESK CVE-2019-12373 (Improper access control and open directories in Ivanti LANDESK Managem ...) NOT-FOR-US: LANDESK CVE-2019-12372 (Petraware pTransformer ADC before 2.1.7.22827 allows SQL Injection via ...) NOT-FOR-US: Petraware pTransformer ADC CVE-2019-12371 RESERVED CVE-2019-12370 (The Spark application through 2.0.2 for Android allows XSS via an even ...) NOT-FOR-US: some Android application CVE-2019-12369 (The TypeApp application through 1.9.5.35 for Android allows XSS via an ...) NOT-FOR-US: some Android application CVE-2019-12368 (The Edison Mail application through 1.7.1 for Android allows XSS via a ...) NOT-FOR-US: some Android application CVE-2019-12367 (The BlueMail application through 1.9.5.36 for Android allows XSS via a ...) NOT-FOR-US: some Android application CVE-2019-12366 (The Nine application through 4.5.3a for Android allows XSS via an even ...) NOT-FOR-US: some Android application CVE-2019-12365 (The Newton application through 10.0.23 for Android allows XSS via an e ...) NOT-FOR-US: some Android application CVE-2019-12364 RESERVED CVE-2019-12363 (An CSRF issue was discovered in the JN-Jones MyBB-2FA plugin through 2 ...) NOT-FOR-US: MyBB plugin CVE-2019-12362 (EmpireCMS 7.5.0 has XSS via the HTTP Referer header to e/member/doacti ...) NOT-FOR-US: EmpireCMS CVE-2019-12361 (EmpireCMS 7.5.0 has XSS via the from parameter to e/member/doaction.ph ...) NOT-FOR-US: EmpireCMS CVE-2019-12360 (A stack-based buffer over-read exists in FoFiTrueType::dumpString in f ...) {DLA-1815-1} - xpdf (xpdf in Debian uses poppler, which is not affected or fixed) - poppler 0.38.0-2 NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=41801 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/cdb7ad95f7c8fbf63ade040d8a07ec96467042fc (poppler-0.32.0) NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/bf4aae25a244b1033a2479b9a8f633224f7d5de5 (poppler-0.32.0) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=85243 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1136620 CVE-2019-12359 RESERVED CVE-2019-12358 RESERVED CVE-2019-12357 RESERVED CVE-2019-12356 RESERVED CVE-2019-12355 RESERVED CVE-2019-12354 RESERVED CVE-2019-12353 RESERVED CVE-2019-12352 RESERVED CVE-2019-12351 RESERVED CVE-2019-12350 RESERVED CVE-2019-12349 RESERVED CVE-2019-12348 RESERVED CVE-2019-12347 (In pfSense 2.4.4-p3, a stored XSS vulnerability occurs when attackers ...) NOT-FOR-US: pfSense CVE-2019-12346 (In the miniOrange SAML SP Single Sign On plugin before 4.8.73 for Word ...) NOT-FOR-US: miniOrange SAML SP Single Sign On plugin for WordPress CVE-2019-12345 (XSS exists in the Kiboko Hostel plugin before 1.1.4 for WordPress. ...) NOT-FOR-US: Kiboko Hostel plugin for WordPress CVE-2019-12344 RESERVED CVE-2019-12343 RESERVED CVE-2019-12342 RESERVED CVE-2019-12341 RESERVED CVE-2019-12340 RESERVED CVE-2019-12339 RESERVED CVE-2019-12338 RESERVED CVE-2019-12337 RESERVED CVE-2019-12336 RESERVED CVE-2019-12335 RESERVED CVE-2019-12334 RESERVED CVE-2019-12333 RESERVED CVE-2019-12332 RESERVED CVE-2019-12331 (PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner ...) NOT-FOR-US: PHPOffice PhpSpreadsheet CVE-2019-12330 RESERVED CVE-2019-12329 RESERVED CVE-2019-12328 (A command injection (missing input validation) issue in the remote pho ...) NOT-FOR-US: Atcom A10W VoIP phone CVE-2019-12327 (Hardcoded credentials in the Akuvox R50P VoIP phone 50.0.6.156 allow a ...) NOT-FOR-US: Akuvox R50P VoIP phone CVE-2019-12326 (Missing file and path validation in the ringtone upload function of th ...) NOT-FOR-US: Akuvox R50P VoIP phone CVE-2019-12325 (The Htek UC902 VoIP phone web management interface contains several bu ...) NOT-FOR-US: Htek UC902 VoIP phone CVE-2019-12324 (A command injection (missing input validation) issue in the IP address ...) NOT-FOR-US: Akuvox R50P VoIP phone CVE-2019-12323 (The HC.Server service in Hosting Controller HC10 10.14 allows an Inval ...) NOT-FOR-US: Hosting Controller HC10 CVE-2019-12322 RESERVED CVE-2019-12321 REJECTED CVE-2019-12320 RESERVED CVE-2019-12319 RESERVED CVE-2019-12318 RESERVED CVE-2019-12317 RESERVED CVE-2019-12316 RESERVED CVE-2019-12315 (Samsung SCX-824 printers allow a reflected Cross-Site-Scripting (XSS) ...) NOT-FOR-US: Samsung CVE-2019-12314 (Deltek Maconomy 2.2.5 is prone to local file inclusion via absolute pa ...) NOT-FOR-US: Deltek Maconomy CVE-2019-12313 (XSS exists in Shave before 2.5.3 because output encoding is mishandled ...) NOT-FOR-US: Shave CVE-2019-12312 (In Libreswan 3.27 an assertion failure can lead to a pluto IKE daemon ...) [experimental] - libreswan 3.28-1 - libreswan 3.27-5 (bug #929916) NOTE: https://github.com/libreswan/libreswan/issues/246 NOTE: https://github.com/libreswan/libreswan/commit/7142d2c37d58cf024595a7549f0fb0d3946682f8 NOTE: https://libreswan.org/security/CVE-2019-12312/CVE-2019-12312.txt NOTE: https://libreswan.org/security/CVE-2019-12312/libreswan-3.27-CVE-2019-12312.patch CVE-2017-18375 (Ampache 3.8.3 allows PHP Object Instantiation via democratic.ajax.php ...) - ampache [jessie] - ampache (Minor issue) NOTE: https://fenceposterror.github.io/2017/06/16/Hacking-For-Fun-And-Non-Profit.html NOTE: https://github.com/ampache/ampache/issues/1555 CVE-2016-10759 (The Xinha plugin in Precurio 2.1 allows Directory Traversal, with resu ...) NOT-FOR-US: Xinha plugin in Precurio CVE-2016-10758 (PHPKIT 1.6.6 allows arbitrary File Upload, as demonstrated by a .php f ...) NOT-FOR-US: PHPKIT CVE-2016-10757 (In Redaxo 5.2.0, the cron management of the admin panel suffers from C ...) NOT-FOR-US: Redaxo CVE-2016-10756 (Kliqqi 3.0.0.5 allows CSRF with resultant Arbitrary File Upload becaus ...) NOT-FOR-US: Kliqqi CVE-2016-10755 (AbanteCart 1.2.8 allows SQL Injection via the source_language paramete ...) NOT-FOR-US: AbanteCart CVE-2016-10754 (modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection ...) NOT-FOR-US: Vtiger CRM CVE-2016-10753 (e107 2.1.2 allows PHP Object Injection with resultant SQL injection, b ...) NOT-FOR-US: e107 CVE-2016-10752 (serendipity_moveMediaDirectory in Serendipity 2.0.3 allows remote atta ...) - serendipity CVE-2016-10751 (osClass 3.6.1 allows oc-admin/plugins.php Directory Traversal via the ...) NOT-FOR-US: osClass CVE-2019-12311 (Sandline Centraleyezer (On Premises) allows Unrestricted File Upload l ...) NOT-FOR-US: Sandline Centraleyezer CVE-2019-12310 (ExaGrid appliances with firmware version v4.8.1.1044.P50 have a /monit ...) NOT-FOR-US: ExaGrid appliances CVE-2019-12309 (dotCMS before 5.1.0 has a path traversal vulnerability exploitable by ...) NOT-FOR-US: dotCMS CVE-2019-12308 (An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1. ...) {DSA-4476-1 DLA-1814-1} - python-django 1:1.11.21-1 (bug #929927) NOTE: https://github.com/django/django/commit/deeba6d92006999fee9adfbd8be79bf0a59e8008 (master) NOTE: https://github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b (1.11.21) CVE-2019-12307 RESERVED CVE-2019-12306 RESERVED CVE-2019-12305 RESERVED CVE-2019-12304 RESERVED CVE-2019-12303 (In Rancher 2 through 2.2.3, Project owners can inject additional fluen ...) NOT-FOR-US: Rancher CVE-2019-12302 RESERVED CVE-2019-12301 (The Percona Server 5.6.44-85.0-1 packages for Debian and Ubuntu suffer ...) NOT-FOR-US: Percona server CVE-2019-12300 (Buildbot before 1.8.2 and 2.x before 2.3.1 accepts a user-submitted au ...) - buildbot 2.0.1-2 (bug #929849) [stretch] - buildbot (Vulnerable code introduced later) [jessie] - buildbot (Vulnerable code got added later) NOTE: https://github.com/buildbot/buildbot/wiki/OAuth-vulnerability-in-using-submitted-authorization-token-for-authentication CVE-2019-12299 (Sandline Centraleyezer (On Premises) allows Stored XSS using HTML enti ...) NOT-FOR-US: Sandline Centraleyezer CVE-2019-12298 (Leanify 0.4.3 allows remote attackers to trigger an out-of-bounds writ ...) NOT-FOR-US: Leanify CVE-2019-12297 (An issue was discovered in scopd on Motorola routers CX2 1.01 and M2 1 ...) NOT-FOR-US: Motorola CVE-2019-12296 RESERVED CVE-2019-12295 (In Wireshark 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, and 2.4.0 to 2.4.14, the ...) - wireshark 2.6.8-1.1 (low; bug #929446) [stretch] - wireshark (Minor issue) [jessie] - wireshark (Minor, can be fixed along in a future update) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15778 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=7b6e197da4c497e229ed3ebf6952bae5c426a820 NOTE: https://www.wireshark.org/security/wnpa-sec-2019-19.html CVE-2019-12294 RESERVED CVE-2019-12293 (In Poppler through 0.76.1, there is a heap-based buffer over-read in J ...) {DLA-1815-1} - poppler 0.71.0-5 (bug #929423) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/768 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/89a5367d49b2556a2635dbb6d48d6a6b182a2c6c CVE-2019-12292 (Citrix AppDNA before 7 1906.1.0.472 has Incorrect Access Control. ...) NOT-FOR-US: Citrix AppDNA CVE-2019-12291 (HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control. Key ...) - consul 1.4.5+dfsg1-1 [buster] - consul (Vulnerable code introduced in 1.4.0) NOTE: https://github.com/hashicorp/consul/issues/5888 CVE-2019-12290 (GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specifi ...) - libidn2 2.2.0-1 [buster] - libidn2 (Minor issue; intrusive to backport) NOTE: https://gitlab.com/libidn/libidn2/commit/241e8f486134793cb0f4a5b0e5817a97883401f5 (2.2.0) NOTE: https://gitlab.com/libidn/libidn2/merge_requests/71 CVE-2019-12289 (An issue was discovered in upgrade_firmware.cgi on VStarcam 100T (C782 ...) NOT-FOR-US: VStarcam CVE-2019-12288 (An issue was discovered in upgrade_htmls.cgi on VStarcam 100T (C7824WI ...) NOT-FOR-US: VStarcam CVE-2019-12287 RESERVED CVE-2019-12286 RESERVED CVE-2019-12285 RESERVED CVE-2019-12284 RESERVED CVE-2019-12283 RESERVED CVE-2019-12282 RESERVED CVE-2019-12281 RESERVED CVE-2019-12280 (PC-Doctor Toolbox before 7.3 has an Uncontrolled Search Path Element. ...) NOT-FOR-US: PC-Doctor Toolbox CVE-2019-12279 (** DISPUTED ** Nagios XI 5.6.1 allows SQL injection via the username p ...) NOT-FOR-US: Nagios XI CVE-2019-12278 (Opera through 53 on Android allows Address Bar Spoofing. Characters fr ...) NOT-FOR-US: Opera CVE-2019-12277 (Blogifier 2.3 before 2019-05-11 does not properly restrict APIs, as de ...) NOT-FOR-US: Blogifier CVE-2019-12276 (A Path Traversal vulnerability in Controllers/LetsEncryptController.cs ...) NOT-FOR-US: GrandNode CVE-2019-12275 RESERVED CVE-2016-10750 (In Hazelcast before 3.11, the cluster join procedure is vulnerable to ...) - hazelcast (bug #745640) CVE-2019-12274 (In Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to de ...) NOT-FOR-US: Rancher CVE-2019-12273 (** DISPUTED ** OutSystems Platform 10 through 11 allows ImageResourceD ...) NOT-FOR-US: OutSystems Platform CVE-2019-12272 (In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/band ...) NOT-FOR-US: OpenWrt LuCI CVE-2019-12271 (Sandline Centraleyezer (On Premises) allows unrestricted File Upload w ...) NOT-FOR-US: Sandline Centraleyezer CVE-2019-12270 (OpenText Brava! Enterprise and Brava! Server 7.5 through 16.4 configur ...) NOT-FOR-US: OpenText Brava! CVE-2019-12269 (Enigmail before 2.0.11 allows PGP signature spoofing: for an inline PG ...) - enigmail 2:2.0.11+ds1-1 (bug #929363) [buster] - enigmail 2:2.0.12+ds1-1~deb10u1 [stretch] - enigmail (Issue can be fixed via point release) [jessie] - enigmail (see https://lists.debian.org/debian-lts-announce/2019/02/msg00002.html) NOTE: https://sourceforge.net/p/enigmail/bugs/983/ CVE-2019-12268 RESERVED CVE-2019-12267 RESERVED CVE-2019-12266 RESERVED CVE-2019-12265 (Wind River VxWorks 6.5, 6.6, 6.7, 6.8, 6.9.3 and 6.9.4 has a Memory Le ...) NOT-FOR-US: Wind River VxWorks CVE-2019-12264 (Wind River VxWorks 6.6, 6.7, 6.8, 6.9.3, 6.9.4, and Vx7 has Incorrect ...) NOT-FOR-US: Wind River VxWorks CVE-2019-12263 (Wind River VxWorks 6.9.4 and vx7 has a Buffer Overflow in the TCP comp ...) NOT-FOR-US: Wind River VxWorks CVE-2019-12262 (Wind River VxWorks 6.6, 6.7, 6.8, 6.9 and 7 has Incorrect Access Contr ...) NOT-FOR-US: Wind River VxWorks CVE-2019-12261 (Wind River VxWorks 6.7 though 6.9 and vx7 has a Buffer Overflow in the ...) NOT-FOR-US: Wind River VxWorks CVE-2019-12260 (Wind River VxWorks 6.9 and vx7 has a Buffer Overflow in the TCP compon ...) NOT-FOR-US: Wind River VxWorks CVE-2019-12259 (Wind River VxWorks 6.6, 6.7, 6.8, 6.9 and vx7 has an array index error ...) NOT-FOR-US: Wind River VxWorks CVE-2019-12258 (Wind River VxWorks 6.6 through vx7 has Session Fixation in the TCP com ...) NOT-FOR-US: Wind River VxWorks CVE-2019-12257 (Wind River VxWorks 6.6 through 6.9 has a Buffer Overflow in the DHCP c ...) NOT-FOR-US: Wind River VxWorks CVE-2019-12256 (Wind River VxWorks 6.9 and vx7 has a Buffer Overflow in the IPv4 compo ...) NOT-FOR-US: Wind River VxWorks CVE-2019-12255 (Wind River VxWorks has a Buffer Overflow in the TCP component (issue 1 ...) NOT-FOR-US: Wind River VxWorks CVE-2019-12254 RESERVED CVE-2019-12253 (my little forum before 2.4.20 allows CSRF to delete posts, as demonstr ...) NOT-FOR-US: my little forum CVE-2019-12252 (In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the low ...) NOT-FOR-US: Zoho ManageEngine ServiceDesk Plus CVE-2019-12251 (sadmin/ceditpost.php in UCMS 1.4.7 allows SQL Injection via the index. ...) NOT-FOR-US: UCMS CVE-2019-12250 (** DISPUTED ** IdentityServer IdentityServer4 through 2.4 has stored X ...) NOT-FOR-US: IdentityServer CVE-2019-12249 RESERVED CVE-2019-12248 (An issue was discovered in Open Ticket Request System (OTRS) 7.0.x thr ...) {DLA-1816-1} - otrs2 6.0.19-1 [buster] - otrs2 (Non-free not supported) [stretch] - otrs2 (Non-free not supported) NOTE: https://community.otrs.com/security-advisory-2019-08-security-update-for-otrs-framework/ NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/4e06ef439c33e7d90af16451719415c780e0c29c NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/0713999042e3ce7fa60067d3cd165206899224bf NOTE: OTRS 5: https://github.com/OTRS/otrs/commit/edbc7371a52fc5d0032e934d2456b5f39da317f1 NOTE: OTRS 5: https://github.com/OTRS/otrs/commit/2d85ce89515db8e94b36ea8ba97f21e27aa66efd CVE-2019-12247 (** DISPUTED ** QEMU 3.0.0 has an Integer Overflow because the qga/comm ...) - qemu (unimportant; bug #929365) - qemu-kvm (unimportant) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-05/msg04596.html NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-05/msg05457.html NOTE: Disputed upstream as not beeing exploitable. CVE-2019-12246 (SilverStripe through 4.3.3 allows a Denial of Service on flush and dev ...) NOT-FOR-US: SilverStripe CVE-2019-12245 (SilverStripe through 4.3.3 has incorrect access control for protected ...) NOT-FOR-US: SilverStripe CVE-2019-12244 RESERVED CVE-2019-12243 (Istio 1.1.x through 1.1.6 has Incorrect Access Control. ...) NOT-FOR-US: Istio CVE-2019-12242 RESERVED CVE-2019-12241 (The Carts Guru plugin 1.4.5 for WordPress allows Insecure Deserializat ...) NOT-FOR-US: Wordpress plugin CVE-2019-12240 (The Virim plugin 0.4 for WordPress allows Insecure Deserialization via ...) NOT-FOR-US: Wordpress plugin CVE-2019-12239 (The WP Booking System plugin 1.5.1 for WordPress has no CSRF protectio ...) NOT-FOR-US: Wordpress plugin CVE-2019-12238 RESERVED CVE-2019-12237 RESERVED CVE-2019-12236 RESERVED CVE-2019-12235 RESERVED CVE-2019-12234 RESERVED CVE-2019-12233 RESERVED CVE-2019-12232 RESERVED CVE-2019-12231 RESERVED CVE-2019-12230 RESERVED CVE-2019-12229 RESERVED CVE-2019-12228 RESERVED CVE-2019-12227 RESERVED CVE-2019-12226 RESERVED CVE-2019-12225 RESERVED CVE-2019-12224 RESERVED CVE-2019-12223 (An issue was discovered in NVR WebViewer on Hanwah Techwin SRN-472s 1. ...) NOT-FOR-US: Hanwah Techwin SRN-472s devices CVE-2019-12222 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...) {DLA-1865-1 DLA-1861-1} - libsdl2-image 2.0.5+dfsg1-1 (bug #932754) [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1 [stretch] - libsdl2-image 2.0.1+dfsg-2+deb9u2 - sdl-image1.2 1.2.12-11 (bug #932755) [buster] - sdl-image1.2 1.2.12-10+deb10u1 [stretch] - sdl-image1.2 1.2.12-5+deb9u2 NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4621 NOTE: https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34 CVE-2019-12221 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...) {DLA-1865-1 DLA-1861-1} - libsdl2-image 2.0.5+dfsg1-1 (bug #932754) [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1 [stretch] - libsdl2-image 2.0.1+dfsg-2+deb9u2 - sdl-image1.2 1.2.12-11 (bug #932755) [buster] - sdl-image1.2 1.2.12-10+deb10u1 [stretch] - sdl-image1.2 1.2.12-5+deb9u2 NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4628 NOTE: https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34 CVE-2019-12220 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...) {DLA-1865-1 DLA-1861-1} - libsdl2-image 2.0.5+dfsg1-1 (bug #932754) [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1 [stretch] - libsdl2-image 2.0.1+dfsg-2+deb9u2 - sdl-image1.2 1.2.12-11 (bug #932755) [buster] - sdl-image1.2 1.2.12-10+deb10u1 [stretch] - sdl-image1.2 1.2.12-5+deb9u2 NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4627 NOTE: https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34 CVE-2019-12219 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...) {DLA-1865-1 DLA-1861-1} - libsdl2-image 2.0.5+dfsg1-1 (bug #932754) [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1 [stretch] - libsdl2-image 2.0.1+dfsg-2+deb9u2 - sdl-image1.2 1.2.12-11 (bug #932755) [buster] - sdl-image1.2 1.2.12-10+deb10u1 [stretch] - sdl-image1.2 1.2.12-5+deb9u2 NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4625 NOTE: https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34 CVE-2019-12218 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...) {DLA-1865-1 DLA-1861-1} - libsdl2-image 2.0.5+dfsg1-1 (bug #932754) [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1 [stretch] - libsdl2-image 2.0.1+dfsg-2+deb9u2 - sdl-image1.2 1.2.12-11 (bug #932755) [buster] - sdl-image1.2 1.2.12-10+deb10u1 [stretch] - sdl-image1.2 1.2.12-5+deb9u2 NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4620 NOTE: https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb CVE-2019-12217 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...) {DLA-1865-1 DLA-1861-1} - libsdl2-image 2.0.5+dfsg1-1 (bug #932754) [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1 [stretch] - libsdl2-image 2.0.1+dfsg-2+deb9u2 - sdl-image1.2 1.2.12-11 (bug #932755) [buster] - sdl-image1.2 1.2.12-10+deb10u1 [stretch] - sdl-image1.2 1.2.12-5+deb9u2 NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4626 NOTE: https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34 CVE-2019-12216 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...) {DLA-1865-1 DLA-1861-1} - libsdl2-image 2.0.5+dfsg1-1 (bug #932754) [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1 [stretch] - libsdl2-image 2.0.1+dfsg-2+deb9u2 - sdl-image1.2 1.2.12-11 (bug #932755) [buster] - sdl-image1.2 1.2.12-10+deb10u1 [stretch] - sdl-image1.2 1.2.12-5+deb9u2 NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4619 NOTE: https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb CVE-2019-12215 (** DISPUTED ** A full path disclosure vulnerability was discovered in ...) - matomo (bug #448532) CVE-2019-12214 (In FreeImage 3.18.0, an out-of-bounds access occurs because of mishand ...) - freeimage (bug #947478) [buster] - freeimage (Revisit when upstream fixes are available) [stretch] - freeimage (Revisit when upstream fixes are available) [jessie] - freeimage (Revisit when upstream fixes are available) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/ NOTE: very few information regarding this vulnerability, which is seemingly located NOTE: in libopenjpeg, not freeimage. Without reproducer or stacktrace, this is NOTE: nearly unfixable. CVE-2019-12213 (When FreeImage 3.18.0 reads a special TIFF file, the TIFFReadDirectory ...) {DSA-4593-1 DLA-2031-1} - freeimage 3.18.0+ds2-3 (bug #929597) [buster] - freeimage (Revisit when upstream fixes are available) [stretch] - freeimage (Revisit when upstream fixes are available) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/ NOTE: https://sourceforge.net/p/freeimage/svn/1825/ CVE-2019-12212 (When FreeImage 3.18.0 reads a special JXR file, the StreamCalcIFDSize ...) - freeimage (bug #947477) [buster] - freeimage (Revisit when upstream fixes are available) [stretch] - freeimage (Revisit when upstream fixes are available) [jessie] - freeimage (Revisit when upstream fixes are available) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/ CVE-2019-12211 (When FreeImage 3.18.0 reads a tiff file, it will be handed to the Load ...) {DSA-4593-1 DLA-2031-1} - freeimage 3.18.0+ds2-3 (bug #929597) [buster] - freeimage (Revisit when upstream fixes are available) [stretch] - freeimage (Revisit when upstream fixes are available) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/ NOTE: https://sourceforge.net/p/freeimage/svn/1825/ CVE-2019-12210 (In Yubico pam-u2f 1.0.7, when configured with debug and a custom debug ...) - pam-u2f 1.0.8-1 (low; bug #930023) [buster] - pam-u2f 1.0.7-1+deb10u1 [stretch] - pam-u2f (Minor issue) NOTE: https://github.com/Yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62 NOTE: https://www.openwall.com/lists/oss-security/2019/06/05/1 CVE-2019-12209 (Yubico pam-u2f 1.0.7 attempts parsing of the configured authfile (defa ...) - pam-u2f 1.0.8-1 (low; bug #930021) [buster] - pam-u2f 1.0.7-1+deb10u1 [stretch] - pam-u2f (Minor issue) NOTE: https://github.com/Yubico/pam-u2f/commit/7db3386fcdb454e33a3ea30dcfb8e8960d4c3aa3 NOTE: https://www.openwall.com/lists/oss-security/2019/06/05/1 CVE-2019-12208 (njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in ...) NOT-FOR-US: njs CVE-2019-12207 (njs through 0.3.1, used in NGINX, has a heap-based buffer over-read in ...) NOT-FOR-US: njs CVE-2019-12206 (njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in ...) NOT-FOR-US: njs CVE-2019-12205 (SilverStripe through 4.3.3 has Flash Clipboard Reflected XSS. ...) NOT-FOR-US: SilverStripe CVE-2019-12204 (In SilverStripe through 4.3.3, a missing warning about leaving install ...) NOT-FOR-US: SilverStripe CVE-2019-12203 (SilverStripe through 4.3.3 allows session fixation in the "change pass ...) NOT-FOR-US: SilverStripe CVE-2019-12202 RESERVED CVE-2019-12201 RESERVED CVE-2019-12200 RESERVED CVE-2019-12199 RESERVED CVE-2019-12198 (In GoHttp through 2017-07-25, there is a stack-based buffer over-read ...) NOT-FOR-US: GoHttp CVE-2019-12197 RESERVED CVE-2019-12196 (A SQL injection vulnerability in /client/api/json/v2/nfareports/compar ...) NOT-FOR-US: Zoho ManageEngine NetFlow Analyzer CVE-2019-12195 (TP-Link TL-WR840N v5 00000005 devices allow XSS via the network name. ...) NOT-FOR-US: TP-Link CVE-2019-12194 RESERVED CVE-2019-12193 (H3C H3Cloud OS all versions allows SQL injection via the ear/grid_even ...) NOT-FOR-US: H3C H3Cloud OS CVE-2019-12192 RESERVED CVE-2019-12191 RESERVED CVE-2019-12190 (XSS was discovered in CentOS-WebPanel.com (aka CWP) CentOS Web Panel t ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-12189 (An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. The ...) NOT-FOR-US: Zoho ManageEngine ServiceDesk Plus CVE-2019-12188 RESERVED CVE-2019-12187 RESERVED CVE-2019-12186 (An issue was discovered in Sylius products. Missing input sanitization ...) NOT-FOR-US: Sylius CVE-2019-12185 (eLabFTW 1.8.5 is vulnerable to arbitrary file uploads via the /app/con ...) NOT-FOR-US: eLabFTW CVE-2019-12184 (There is XSS in browser/components/MarkdownPreview.js in BoostIO Boost ...) NOT-FOR-US: Boostnote CVE-2019-12183 (Incorrect Access Control in Safescan Timemoto TM-616 and TA-8000 serie ...) NOT-FOR-US: Safescan Timemoto CVE-2019-12182 (Directory Traversal in Safescan Timemoto and TA-8000 series version 1. ...) NOT-FOR-US: Safescan Timemoto and TA-8000 series CVE-2019-12181 (A privilege escalation vulnerability exists in SolarWinds Serv-U befor ...) NOT-FOR-US: SolarWinds CVE-2019-12180 (An issue was discovered in SmartBear ReadyAPI through 2.8.2 and 3.0.0 ...) NOT-FOR-US: SmartBear ReadyAPI CVE-2019-12179 RESERVED CVE-2019-12178 RESERVED CVE-2019-12177 (Privilege escalation due to insecure directory permissions affecting V ...) NOT-FOR-US: HTC VIVEPORT CVE-2019-12176 (Privilege escalation in the "HTC Account Service" and "ViveportDesktop ...) NOT-FOR-US: HTC VIVEPORT CVE-2019-12175 (In Zeek Network Security Monitor (formerly known as Bro) before 2.6.2, ...) - bro 2.6.4+ds1-1 (low) [buster] - bro (Minor issue) [stretch] - bro (Minor issue) CVE-2019-12174 (hide.me before 2.4.4 on macOS suffers from a privilege escalation vuln ...) NOT-FOR-US: hide.me CVE-2019-12173 (MacDown 0.7.1 (870) allows remote code execution via a file:\\\ URI, w ...) NOT-FOR-US: MacDown CVE-2019-12172 (Typora 0.9.9.21.1 (1913) allows arbitrary code execution via a modifie ...) NOT-FOR-US: Typora CVE-2019-12171 (Dropbox.exe (and QtWebEngineProcess.exe in the Web Helper) in the Drop ...) NOT-FOR-US: Dropbox desktop application CVE-2019-12170 (ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the m ...) NOT-FOR-US: ATutor CVE-2019-12169 (ATutor 2.2.4 allows Arbitrary File Upload and Directory Traversal, res ...) NOT-FOR-US: ATutor CVE-2019-12168 (Four-Faith Wireless Mobile Router F3x24 v1.0 devices allow remote code ...) NOT-FOR-US: Four-Faith Wireless Mobile Router F3x24 devices CVE-2019-12167 (httpGetSet/httpGet.htm on Emerson Network Power Liebert Challenger 5.1 ...) NOT-FOR-US: Emerson Network Power Liebert Challenger CVE-2019-12166 RESERVED CVE-2019-12165 (MiCollab 7.3 PR2 (7.3.0.204) and earlier, 7.2 (7.2.2.13) and earlier, ...) NOT-FOR-US: MiCollab CVE-2019-12164 (ubuntu-server.js in Status React Native Desktop before v0.57.8_mobile_ ...) NOT-FOR-US: Status React Native Desktop CVE-2019-12163 (GAT-Ship Web Module through 1.30 allows remote attackers to obtain pot ...) NOT-FOR-US: GAT-Ship Web Module CVE-2019-12162 (Upwork Time Tracker 5.2.2.716 doesn't verify the SHA256 hash of the do ...) NOT-FOR-US: Upwork Time Tracker CVE-2019-12161 (WPO WebPageTest 19.04 allows SSRF because ValidateURL in www/runtest.p ...) NOT-FOR-US: WPO WebPageTest CVE-2019-12160 (GoHTTP through 2017-07-25 has a sendHeader use-after-free. ...) NOT-FOR-US: GoHTTP CVE-2019-12159 (GoHTTP through 2017-07-25 has a stack-based buffer over-read in the sc ...) NOT-FOR-US: GoHTTP CVE-2019-12158 (GoHTTP through 2017-07-25 has a GetExtension heap-based buffer overflo ...) NOT-FOR-US: GoHTTP CVE-2019-12157 (In JetBrains TeamCity versions before 2018.2.5 and UpSource versions b ...) NOT-FOR-US: JetBrains TeamCity CVE-2019-12156 (Server metadata could be exposed because one of the error messages ref ...) NOT-FOR-US: JetBrains TeamCity CVE-2019-12155 (interface_release_resource in hw/display/qxl.c in QEMU 4.0.0 has a NUL ...) {DSA-4454-1 DLA-1927-1} - qemu 1:3.1+dfsg-8 (bug #929353) [buster] - qemu 1:3.1+dfsg-8~deb10u1 - qemu-kvm NOTE: https://www.openwall.com/lists/oss-security/2019/05/22/1 NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=d52680fc932efb8a2f334cc6993e705ed1e31e99 CVE-2019-12154 (XXE in the XML parser library in RealObjects PDFreactor before 10.1.10 ...) NOT-FOR-US: PDFreactor CVE-2019-12153 (Lack of validation in the HTML parser in RealObjects PDFreactor before ...) NOT-FOR-US: PDFreactor CVE-2019-12152 RESERVED CVE-2019-12151 RESERVED CVE-2019-12150 (Karamasoft UltimateEditor 1 does not ensure that an uploaded file is a ...) NOT-FOR-US: Karamasoft UltimateEditor CVE-2018-20839 (systemd 242 changes the VT1 mode upon a logout, which allows attackers ...) - plymouth 0.9.4-1 (low) [stretch] - plymouth (Minor issue) [jessie] - plymouth (Minor issue) NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1803993 NOTE: https://github.com/systemd/systemd/commit/9725f1a10f80f5e0ae7d9b60547458622aeb322f NOTE: https://github.com/systemd/systemd/pull/12378 NOTE: The fix for https://bugs.debian.org/929116 introduced a regression, cf. NOTE: https://bugs.debian.org/929229 . NOTE: Issue was originally fixed for unstable in 241-4 but was reverted in 241-5 NOTE: https://gitlab.freedesktop.org/xorg/xserver/issues/857 NOTE: Upstream from systemd claimed originally it's not an issue in systemd, but NOTE: might revisit. Furthermore the issue might be fixed in the xorg xserver. NOTE: Tentative merge request: https://gitlab.freedesktop.org/xorg/xserver/merge_requests/241 NOTE: Further analysis on the problem: https://gitlab.freedesktop.org/xorg/xserver/issues/857#note_201402 NOTE: plymouth fix: https://gitlab.freedesktop.org/plymouth/plymouth/commit/28ee4012c94b4045b97e5a2a66f66b7688b2dff3 (0.9.4) NOTE: The plymouth fix does not seem to be enough though, cf. NOTE: https://gitlab.freedesktop.org/xorg/xserver/issues/857#note_220255 CVE-2019-12149 (SQL injection vulnerability in silverstripe/restfulserver module 1.0.x ...) NOT-FOR-US: SilverStripe CVE-2019-12148 (The Sangoma Session Border Controller (SBC) 2.3.23-119 GA web interfac ...) NOT-FOR-US: Sangoma Session Border Controller CVE-2019-12147 (The Sangoma Session Border Controller (SBC) 2.3.23-119 GA web interfac ...) NOT-FOR-US: Sangoma Session Border Controller CVE-2019-12146 (A Directory Traversal issue was discovered in SSHServerAPI.dll in Prog ...) NOT-FOR-US: Progress ipswitch WS_FTP Server CVE-2019-12145 (A Directory Traversal issue was discovered in SSHServerAPI.dll in Prog ...) NOT-FOR-US: Progress ipswitch WS_FTP Server CVE-2019-12144 (An issue was discovered in SSHServerAPI.dll in Progress ipswitch WS_FT ...) NOT-FOR-US: Progress ipswitch WS_FTP Server CVE-2019-12143 (A Directory Traversal issue was discovered in SSHServerAPI.dll in Prog ...) NOT-FOR-US: Progress ipswitch WS_FTP Server CVE-2019-12142 RESERVED CVE-2019-12141 RESERVED CVE-2019-12140 RESERVED CVE-2019-12139 (An XSS issue was discovered in the Admin UI in eZ Platform 2.x. This a ...) NOT-FOR-US: eZ Platform CVE-2019-12138 (MacDown 0.7.1 allows directory traversal, for execution of arbitrary p ...) NOT-FOR-US: MacDown CVE-2019-12137 (Typora 0.9.9.24.6 on macOS allows directory traversal, for execution o ...) NOT-FOR-US: Typora CVE-2019-12136 (There is XSS in BoostIO Boostnote 0.11.15 via a label named mermaid, a ...) NOT-FOR-US: Boostnote CVE-2019-12135 (An unspecified vulnerability in the application server in PaperCut MF ...) NOT-FOR-US: PaperCut CVE-2019-12134 (CSV Injection (aka Excel Macro Injection or Formula Injection) exists ...) NOT-FOR-US: Workday CVE-2019-12133 (Multiple Zoho ManageEngine products suffer from local privilege escala ...) NOT-FOR-US: Zoho ManageEngine CVE-2019-12132 (An issue was discovered in ONAP SDNC before Dublin. By executing sla/d ...) NOT-FOR-US: ONAP CVE-2019-12131 (An issue was detected in ONAP APPC through Dublin and SDC through Dubl ...) NOT-FOR-US: ONAP CVE-2019-12130 (In ONAP CLI through Dublin, by accessing an applicable port (30234, 30 ...) NOT-FOR-US: ONAP CVE-2019-12129 (In ONAP MSB through Dublin, by accessing an applicable port (30234, 30 ...) NOT-FOR-US: ONAP CVE-2019-12128 (In ONAP SO through Dublin, by accessing an applicable port (30234, 302 ...) NOT-FOR-US: ONAP CVE-2019-12127 (In ONAP OOM through Dublin, by accessing an applicable port (30234, 30 ...) NOT-FOR-US: ONAP CVE-2019-12126 (In ONAP DCAE through Dublin, by accessing an applicable port (30234, 3 ...) NOT-FOR-US: ONAP CVE-2019-12125 (In ONAP Logging through Dublin, by accessing an applicable port (30234 ...) NOT-FOR-US: ONAP CVE-2019-12124 (An issue was discovered in ONAP APPC before Dublin. By using an expose ...) NOT-FOR-US: ONAP CVE-2019-12123 (An issue was discovered in ONAP SDNC before Dublin. By executing sla/p ...) NOT-FOR-US: ONAP CVE-2019-12122 (An issue was discovered in ONAP Portal through Dublin. By executing a ...) NOT-FOR-US: ONAP CVE-2019-12121 (An issue was detected in ONAP Portal through Dublin. By executing a pa ...) NOT-FOR-US: ONAP CVE-2019-12120 (An issue was discovered in ONAP VNFSDK through Dublin. By accessing po ...) NOT-FOR-US: ONAP CVE-2019-12119 (An issue was discovered in ONAP SDC through Dublin. By accessing port ...) NOT-FOR-US: ONAP CVE-2019-12118 (An issue was discovered in ONAP SDC through Dublin. By accessing port ...) NOT-FOR-US: ONAP CVE-2019-12117 (An issue was discovered in ONAP SDC through Dublin. By accessing port ...) NOT-FOR-US: ONAP CVE-2019-12116 (An issue was discovered in ONAP SDC through Dublin. By accessing port ...) NOT-FOR-US: ONAP CVE-2019-12115 (An issue was discovered in ONAP SDC through Dublin. By accessing port ...) NOT-FOR-US: ONAP CVE-2019-12114 (An issue was discovered in ONAP HOLMES before Dublin. By accessing por ...) NOT-FOR-US: ONAP CVE-2019-12113 (An issue was discovered in ONAP SDNC before Dublin. By executing sla/p ...) NOT-FOR-US: ONAP CVE-2019-12112 (An issue was discovered in ONAP SDNC before Dublin. By executing sla/u ...) NOT-FOR-US: ONAP CVE-2019-12111 (A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1 ex ...) {DLA-1811-1} - miniupnpd 2.1-6 (bug #930050) [stretch] - miniupnpd (Minor issue) NOTE: copyIPv6IfDifferent helper introduced in https://github.com/miniupnp/miniupnp/commit/3b12b8fb4e64e90a6319ae0aef3c240a44093439 NOTE: but possible NULL pointer dereference on the respective argument is present before. NOTE: Fixed by: https://github.com/miniupnp/miniupnp/commit/cb8a02af7a5677cf608e86d57ab04241cf34e24f CVE-2019-12110 (An AddPortMapping Denial Of Service vulnerability in MiniUPnP MiniUPnP ...) {DLA-1811-1} - miniupnpd 2.1-6 (bug #930050) [stretch] - miniupnpd 1.8.20140523-4.1+deb9u2 NOTE: https://github.com/miniupnp/miniupnp/commit/f321c2066b96d18afa5158dfa2d2873a2957ef38 CVE-2019-12109 (A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1 ex ...) {DLA-1811-1} - miniupnpd 2.1-6 (bug #930050) [stretch] - miniupnpd 1.8.20140523-4.1+deb9u2 NOTE: https://github.com/miniupnp/miniupnp/commit/13585f15c7f7dc28bbbba1661efb280d530d114c NOTE: https://github.com/miniupnp/miniupnp/commit/86030db849260dd8fb2ed975b9890aef1b62b692 CVE-2019-12108 (A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1 ex ...) {DLA-1811-1} - miniupnpd 2.1-6 (bug #930050) [stretch] - miniupnpd 1.8.20140523-4.1+deb9u2 NOTE: https://github.com/miniupnp/miniupnp/commit/13585f15c7f7dc28bbbba1661efb280d530d114c NOTE: https://github.com/miniupnp/miniupnp/commit/86030db849260dd8fb2ed975b9890aef1b62b692 CVE-2019-12107 (The upnp_event_prepare function in upnpevents.c in MiniUPnP MiniUPnPd ...) {DLA-1811-1} - miniupnpd 2.1-6 (bug #930050) [stretch] - miniupnpd 1.8.20140523-4.1+deb9u2 NOTE: https://github.com/miniupnp/miniupnp/commit/bec6ccec63cadc95655721bc0e1dd49dac759d94 TODO: check, might affect minidlna CVE-2019-12106 (The updateDevice function in minissdpd.c in MiniUPnP MiniSSDPd 1.4 and ...) {DLA-1805-1} - minissdpd 1.5.20190210-1 (bug #929297) [stretch] - minissdpd 1.2.20130907-4.1+deb9u1 NOTE: https://github.com/miniupnp/miniupnp/commit/cd506a67e174a45c6a202eff182a712955ed6d6f CVE-2019-12105 (** DISPUTED ** In Supervisor through 4.0.2, an unauthenticated user ca ...) - supervisor (unimportant) NOTE: https://github.com/Supervisor/supervisor/issues/1245 NOTE: Disupted upstream to be vulnerability. inet_http_server is not enabled by NOTE: default (neither upstream nor in Debian packaging). Details in the upstream NOTE: issue. CVE-2019-12104 (The web-based configuration interface of the TP-Link M7350 V3 with fir ...) NOT-FOR-US: TP-Link CVE-2019-12103 (The web-based configuration interface of the TP-Link M7350 V3 with fir ...) NOT-FOR-US: TP-Link CVE-2019-12102 (** DISPUTED ** Kentico 11 through 12 lets attackers upload and explore ...) NOT-FOR-US: Kentico CVE-2019-12101 (coap_decode_option in coap.c in LibNyoci 0.07.00rc1 mishandles certain ...) NOT-FOR-US: LibNyoci CVE-2019-12100 RESERVED CVE-2019-12099 (In PHP-Fusion 9.03.00, edit_profile.php allows remote authenticated us ...) NOT-FOR-US: PHP-Fusion CVE-2019-12098 (In the client side of Heimdal before 7.6.0, failure to verify anonymou ...) {DSA-4455-1} - heimdal 7.5.0+dfsg-3 (bug #929064) [jessie] - heimdal (Minor issue) NOTE: Fixed by: https://github.com/heimdal/heimdal/commit/2f7f3d9960aa6ea21358bdf3687cee5149aa35cf (7.6.0) NOTE: Introduced by: https://github.com/heimdal/heimdal/commit/a1ef548600c5bb51cf52a9a9ea12676506ede19f (1.4.0) CVE-2019-12097 (Telerik Fiddler v5.0.20182.28034 doesn't verify the hash of EnableLoop ...) NOT-FOR-US: Telerik Fiddler CVE-2019-12096 RESERVED CVE-2019-12095 (Horde Trean, as used in Horde Groupware Webmail Edition through 5.2.22 ...) {DLA-2033-1} - php-horde-trean [buster] - php-horde-trean (Minor issue) [stretch] - php-horde-trean (Minor issue) [jessie] - php-horde-trean (Minor issue) - php-horde 5.2.21+debian0-1 [buster] - php-horde 5.2.20+debian0-1+deb10u1 [stretch] - php-horde 5.2.13+debian0-1+deb9u1 NOTE: https://github.com/horde/base/commit/81a7b53973506856db67e7f0b0263be29528aa75 NOTE: https://bugs.horde.org/ticket/14926 (for the stored XSS) CVE-2019-12094 (Horde Groupware Webmail Edition through 5.2.22 allows XSS via an admin ...) - php-horde [buster] - php-horde (Minor issue) [stretch] - php-horde (Minor issue) [jessie] - php-horde (Minor issue) NOTE: https://bugs.horde.org/ticket/14926 (for the reflected XSS) CVE-2019-12093 RESERVED CVE-2019-12092 RESERVED CVE-2019-12091 (The Netskope client service, v57 before 57.2.0.219 and v60 before 60.2 ...) NOT-FOR-US: Netskope CVE-2019-12090 RESERVED CVE-2019-12089 RESERVED CVE-2019-12088 RESERVED CVE-2019-12087 (** DISPUTED ** Samsung S9+, S10, and XCover 4 P(9.0) devices can becom ...) NOT-FOR-US: Samsung devices CVE-2019-12086 (A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...) {DSA-4452-1 DLA-1798-1} - jackson-databind 2.9.8-2 (bug #929177) NOTE: https://github.com/FasterXML/jackson-databind/issues/2326 NOTE: https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024 CVE-2019-12085 RESERVED CVE-2019-12084 RESERVED CVE-2019-12083 (The Rust Programming Language Standard Library 1.34.x before 1.34.2 co ...) - rustc (Introduced in 1.34) NOTE: https://blog.rust-lang.org/2019/05/13/Security-advisory.html CVE-2019-12082 RESERVED CVE-2019-12081 RESERVED CVE-2019-12080 RESERVED CVE-2019-12079 RESERVED CVE-2019-12078 RESERVED CVE-2019-12077 RESERVED CVE-2019-12076 RESERVED CVE-2019-12075 RESERVED CVE-2019-12074 RESERVED CVE-2019-12073 RESERVED CVE-2019-12072 RESERVED CVE-2019-12071 RESERVED CVE-2019-12070 RESERVED CVE-2019-12069 RESERVED CVE-2019-12068 (In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg ...) {DSA-4665-1 DLA-1927-1} - qemu 1:4.1-2 (low) [stretch] - qemu (Minor issue, can be fixed along in future update) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-08/msg01518.html NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=de594e47659029316bbf9391efb79da0a1a08e08 CVE-2019-12067 [ide: ahci: add check to avoid null dereference] RESERVED - qemu (low) [buster] - qemu (Minor issue, can be fixed along in future update) [stretch] - qemu (Minor issue, can be fixed along in future update) [jessie] - qemu (Minor issue, can be fixed along in future update) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-08/msg01358.html NOTE: patch not sanctioned as of 20190909 NOTE: patched function introduced in 2014/2.1.50 but affected code pre-existed NOTE: https://github.com/qemu/qemu/commit/659142ecf71a0da240ab0ff7cf929ee25c32b9bc CVE-2019-12066 RESERVED CVE-2019-12065 RESERVED CVE-2019-12064 RESERVED CVE-2019-12063 RESERVED CVE-2019-12062 RESERVED CVE-2019-12061 RESERVED CVE-2019-12060 RESERVED CVE-2019-12059 RESERVED CVE-2019-12058 RESERVED CVE-2019-12057 RESERVED CVE-2019-12056 RESERVED CVE-2019-12055 RESERVED CVE-2019-12054 RESERVED CVE-2019-12053 RESERVED CVE-2019-12052 RESERVED CVE-2019-12051 RESERVED CVE-2019-12050 RESERVED CVE-2019-12049 RESERVED CVE-2019-12048 RESERVED CVE-2019-12047 (Gridea v0.8.0 has an XSS vulnerability through which the Nodejs module ...) NOT-FOR-US: Gridea CVE-2019-12045 RESERVED CVE-2019-12044 (A Buffer Overflow exists in Citrix NetScaler Gateway 10.5.x before 10. ...) NOT-FOR-US: Citrix NetScaler Gateway CVE-2019-12043 (In remarkable 1.7.1, lib/parser_inline.js mishandles URL filtering, wh ...) NOT-FOR-US: remarkable CVE-2019-12042 (Insecure permissions of the section object Global\PandaDevicesAgentSha ...) NOT-FOR-US: Panda products CVE-2019-12041 (lib/common/html_re.js in remarkable 1.7.1 allows Regular Expression De ...) NOT-FOR-US: remarkable CVE-2019-12040 REJECTED CVE-2019-12039 REJECTED CVE-2019-12038 REJECTED CVE-2019-12037 REJECTED CVE-2019-12036 REJECTED CVE-2019-12035 REJECTED CVE-2019-12034 REJECTED CVE-2019-12033 REJECTED CVE-2019-12032 REJECTED CVE-2019-12031 REJECTED CVE-2019-12030 REJECTED CVE-2019-12029 REJECTED CVE-2019-12028 REJECTED CVE-2019-12027 REJECTED CVE-2019-12026 REJECTED CVE-2019-12025 REJECTED CVE-2019-12024 REJECTED CVE-2019-12023 REJECTED CVE-2019-12022 REJECTED CVE-2019-12021 REJECTED CVE-2019-12020 REJECTED CVE-2019-12019 REJECTED CVE-2019-12018 REJECTED CVE-2019-12017 (A remote code execution vulnerability exists in MapR CLDB code, specif ...) NOT-FOR-US: MapR CVE-2019-12016 REJECTED CVE-2019-12015 REJECTED CVE-2019-12014 REJECTED CVE-2019-12013 REJECTED CVE-2019-12012 REJECTED CVE-2019-12011 REJECTED CVE-2019-12010 REJECTED CVE-2019-12009 REJECTED CVE-2019-12008 REJECTED CVE-2019-12007 REJECTED CVE-2019-12006 REJECTED CVE-2019-12005 REJECTED CVE-2019-12004 REJECTED CVE-2019-12003 REJECTED CVE-2019-12002 (A remote session reuse vulnerability leading to access restriction byp ...) NOT-FOR-US: HPE CVE-2019-12001 (A remote session reuse vulnerability leading to access restriction byp ...) NOT-FOR-US: HPE CVE-2019-12000 RESERVED CVE-2019-11999 (Potential security vulnerabilities have been identified in HPE OpenCal ...) NOT-FOR-US: HPE CVE-2019-11998 (HPE Superdome Flex Server is vulnerable to multiple remote vulnerabili ...) NOT-FOR-US: HPE Superdome Flex Server CVE-2019-11997 (A potential security vulnerability has been identified in HPE enhanced ...) NOT-FOR-US: HPE CVE-2019-11996 (Potential security vulnerabilities have been identified with HPE Nimbl ...) NOT-FOR-US: HPE CVE-2019-11995 (Security vulnerabilities in HPE UIoT version 1.2.4.2 could allow unaut ...) NOT-FOR-US: HPE UIoT CVE-2019-11994 (A security vulnerability has been identified in HPE SimpliVity 380 Gen ...) NOT-FOR-US: HPE CVE-2019-11993 (A security vulnerability has been identified in HPE SimpliVity 380 Gen ...) NOT-FOR-US: HPE CVE-2019-11992 (A security vulnerability in HPE OneView for VMware vCenter 9.5 could b ...) NOT-FOR-US: HPE OneView for VMware vCenter CVE-2019-11991 (HPE has identified a vulnerability in HPE 3PAR Service Processor (SP) ...) NOT-FOR-US: HPE 3PAR Service Processor CVE-2019-11990 (Security vulnerabilities in HPE UIoT versions 1.6, 1.5, 1.4.2, 1.4.1, ...) NOT-FOR-US: HPE IceWall CVE-2019-11989 (A security vulnerability in HPE IceWall SSO Agent Option and IceWall M ...) NOT-FOR-US: HPE IceWall CVE-2019-11988 (A Remote Unauthorized Access vulnerability was identified in HPE Smart ...) NOT-FOR-US: HPE CVE-2019-11987 (A security vulnerability in HPE Smart Update Manager (SUM) prior to v8 ...) NOT-FOR-US: HPE CVE-2019-11986 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-11985 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-11984 (A SQL injection code execution vulnerability was identified in HPE Int ...) NOT-FOR-US: HPE CVE-2019-11983 (A remote buffer overflow vulnerability was identified in HPE Integrate ...) NOT-FOR-US: HPE CVE-2019-11982 (A remote cross site scripting vulnerability was identified in HPE Inte ...) NOT-FOR-US: HPE CVE-2019-11981 REJECTED CVE-2019-11980 (A remote code exection vulnerability was identified in HPE Intelligent ...) NOT-FOR-US: HPE CVE-2019-11979 (A SQL injection code execution vulnerability was identified in HPE Int ...) NOT-FOR-US: HPE CVE-2019-11978 (A SQL injection code execution vulnerability was identified in HPE Int ...) NOT-FOR-US: HPE CVE-2019-11977 (A SQL injection code execution vulnerability was identified in HPE Int ...) NOT-FOR-US: HPE CVE-2019-11976 (A SQL injection code execution vulnerability was identified in HPE Int ...) NOT-FOR-US: HPE CVE-2019-11975 (A SQL injection code execution vulnerability was identified in HPE Int ...) NOT-FOR-US: HPE CVE-2019-11974 (A SQL injection code execution vulnerability was identified in HPE Int ...) NOT-FOR-US: HPE CVE-2019-11973 (A SQL injection code execution vulnerability was identified in HPE Int ...) NOT-FOR-US: HPE CVE-2019-11972 (A SQL injection code execution vulnerability was identified in HPE Int ...) NOT-FOR-US: HPE CVE-2019-11971 (A SQL injection code execution vulnerability was identified in HPE Int ...) NOT-FOR-US: HPE CVE-2019-11970 (A SQL injection code execution vulnerability was identified in HPE Int ...) NOT-FOR-US: HPE CVE-2019-11969 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-11968 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-11967 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-11966 (A remote privilege escalation vulnerability was identified in HPE Inte ...) NOT-FOR-US: HPE CVE-2019-11965 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-11964 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-11963 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-11962 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-11961 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-11960 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-11959 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-11958 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-11957 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-11956 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-11955 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-11954 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-11953 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-11952 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-11951 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-11950 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-11949 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-11948 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-11947 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-11946 (A remote credential disclosure vulnerability was identified in HPE Int ...) NOT-FOR-US: HPE CVE-2019-11945 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-11944 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-11943 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-11942 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-11941 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-11940 (In the course of decompressing HPACK inside the HTTP2 protocol, an une ...) NOT-FOR-US: Facebook Proxygen CVE-2019-11939 (Golang Facebook Thrift servers would not error upon receiving messages ...) - thrift NOTE: https://github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757 CVE-2019-11938 (Java Facebook Thrift servers would not error upon receiving messages d ...) TODO: check CVE-2019-11937 (In Mcrouter prior to v0.41.0, a large struct input provided to the Car ...) NOT-FOR-US: mcrouter NOTE: https://github.com/facebook/mcrouter/releases CVE-2019-11936 (Various APC functions accept keys containing null bytes as input, lead ...) - hhvm CVE-2019-11935 (Insufficient boundary checks when processing a string in mb_ereg_repla ...) - hhvm CVE-2019-11934 (Improper handling of close_notify alerts can result in an out-of-bound ...) NOT-FOR-US: Facebook folly CVE-2019-11933 (A heap buffer overflow bug in libpl_droidsonroids_gif before 1.2.19, a ...) NOT-FOR-US: libpl_droidsonroids_gif CVE-2019-11932 (A double free vulnerability in the DDGifSlurp function in decoding.c i ...) NOT-FOR-US: libpl_droidsonroids_gif CVE-2019-11931 (A stack-based buffer overflow could be triggered in WhatsApp by sendin ...) NOT-FOR-US: WhatsApp CVE-2019-11930 (An invalid free in mb_detect_order can cause the application to crash ...) - hhvm CVE-2019-11929 (Insufficient boundary checks when formatting numbers in number_format ...) - hhvm CVE-2019-11928 RESERVED CVE-2019-11927 (An integer overflow in WhatsApp media parsing libraries allows a remot ...) NOT-FOR-US: WhatsApp CVE-2019-11926 (Insufficient boundary checks when processing M_SOFx markers from JPEG ...) - hhvm CVE-2019-11925 (Insufficient boundary checks when processing the JPEG APP12 block mark ...) - hhvm CVE-2019-11924 (A peer could send empty handshake fragments containing only padding wh ...) NOT-FOR-US: fizz CVE-2019-11923 (In Mcrouter prior to v0.41.0, the deprecated ASCII parser would alloca ...) NOT-FOR-US: mcrouter NOTE: https://github.com/facebook/mcrouter/releases CVE-2019-11922 (A race condition in the one-pass compression functions of Zstandard pr ...) - libzstd 1.3.8+dfsg-2 [stretch] - libzstd (Vulnerable code not present) NOTE: https://github.com/facebook/zstd/commit/3e5cdf1b6a85843e991d7d10f6a2567c15580da0 CVE-2019-11921 (An out of bounds write is possible via a specially crafted packet in c ...) NOT-FOR-US: Facebook Proxygen CVE-2019-11920 RESERVED CVE-2019-11919 RESERVED CVE-2019-11918 RESERVED CVE-2019-11917 RESERVED CVE-2019-11916 RESERVED CVE-2019-11915 RESERVED CVE-2019-11914 RESERVED CVE-2019-11913 RESERVED CVE-2019-11912 RESERVED CVE-2019-11911 RESERVED CVE-2019-11910 RESERVED CVE-2019-11909 RESERVED CVE-2019-11908 RESERVED CVE-2019-11907 RESERVED CVE-2019-11906 RESERVED CVE-2019-11905 RESERVED CVE-2019-11904 RESERVED CVE-2019-11903 RESERVED CVE-2019-11902 RESERVED CVE-2019-11901 RESERVED CVE-2019-11900 RESERVED CVE-2019-11899 (An unauthenticated attacker can achieve unauthorized access to sensiti ...) NOT-FOR-US: Bosch Access Professional Edition CVE-2019-11898 (Unauthorized APE administration privileges can be achieved by reverse ...) NOT-FOR-US: Bosch Access Professional Edition CVE-2019-11897 (A Server-Side Request Forgery (SSRF) vulnerability in the backup & ...) NOT-FOR-US: proSyst CVE-2019-11896 (A potential incorrect privilege assignment vulnerability exists in the ...) NOT-FOR-US: Bosch CVE-2019-11895 (A potential improper access control vulnerability exists in the JSON-R ...) NOT-FOR-US: Bosch CVE-2019-11894 (A potential improper access control vulnerability exists in the backup ...) NOT-FOR-US: Bosch CVE-2019-11893 (A potential incorrect privilege assignment vulnerability exists in the ...) NOT-FOR-US: Bosch CVE-2019-11892 (A potential improper access control vulnerability exists in the JSON-R ...) NOT-FOR-US: Bosch CVE-2019-11891 (A potential incorrect privilege assignment vulnerability exists in the ...) NOT-FOR-US: Bosch CVE-2019-12046 (LemonLDAP::NG -2.0.3 has Incorrect Access Control. ...) {DSA-4446-1 DLA-1790-1} - lemonldap-ng 2.0.2+ds-7+deb10u1 (bug #928944) NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1742 CVE-2019-11890 (Sony Bravia Smart TV devices allow remote attackers to cause a denial ...) NOT-FOR-US: Sony Bravia Smart TV devices CVE-2019-11889 (Sony BRAVIA Smart TV devices allow remote attackers to cause a denial ...) NOT-FOR-US: Sony BRAVIA Smart TV devices CVE-2019-11888 (Go through 1.12.5 on Windows mishandles process creation with a nil en ...) - golang-1.12 (Only affects Go on Windows) - golang-1.11 (Only affects Go on Windows) NOTE: https://go-review.googlesource.com/c/go/+/176619 CVE-2019-11887 (SimplyBook.me through 2019-05-11 does not properly restrict File Uploa ...) NOT-FOR-US: SimplyBook.me CVE-2019-11886 (The WaspThemes Visual CSS Style Editor (aka yellow-pencil-visual-theme ...) NOT-FOR-US: WaspThemes Visual CSS Style Editor plugin for WordPress CVE-2018-20838 (ampforwp_save_steps_data in the AMP for WP plugin before 0.9.97.21 for ...) NOT-FOR-US: AMP for WP plugin for WordPress CVE-2019-11885 (eyeDisk implements the unlock feature by sending a cleartext password. ...) NOT-FOR-US: eyeDisk CVE-2019-11884 (The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c in the Li ...) {DSA-4465-1 DLA-1824-1 DLA-1823-1} - linux 4.19.37-4 NOTE: https://git.kernel.org/linus/a1616a5ac99ede5d605047a9012481ce7ff18b16 CVE-2019-11883 RESERVED CVE-2019-11882 RESERVED CVE-2019-11881 (A vulnerability exists in Rancher 2.1.4 in the login component, where ...) NOT-FOR-US: Rancher CVE-2019-11880 (CommSy through 8.6.5 has SQL Injection via the cid parameter. This is ...) NOT-FOR-US: CommSy CVE-2019-11879 (** DISPUTED ** The WEBrick gem 1.4.2 for Ruby allows directory travers ...) NOT-FOR-US: Non issue in webrick gem CVE-2019-11878 (An issue was discovered on XiongMai Besder IP20H1 V4.02.R12.00035520.1 ...) NOT-FOR-US: XiongMai Besder IP20H1 cameras CVE-2019-11877 (XSS on the PIX-Link Repeater/Router LV-WR09 with firmware v28K.MiniRou ...) NOT-FOR-US: PIX-Link Repeater/Router LV-WR09 CVE-2019-11876 (In PrestaShop 1.7.5.2, the shop_country parameter in the install/index ...) NOT-FOR-US: PrestaShop CVE-2019-11875 (In AutomateAppCore.dll in Blue Prism Robotic Process Automation 6.4.0. ...) NOT-FOR-US: Blue Prism Robotic Process Automation CVE-2019-11874 RESERVED CVE-2019-11873 (wolfSSL 4.0.0 has a Buffer Overflow in DoPreSharedKeys in tls13.c when ...) - wolfssl 4.1.0+dfsg-1 (bug #929468) CVE-2019-11872 (The Hustle (aka wordpress-popup) plugin 6.0.7 for WordPress is vulnera ...) NOT-FOR-US: Hustle (aka wordpress-popup) plugin for WordPress CVE-2019-11871 (The Custom Field Suite plugin before 2.5.15 for WordPress has XSS for ...) NOT-FOR-US: Custom Field Suite plugin for WordPress CVE-2019-11870 (Serendipity before 2.1.5 has XSS via EXIF data that is mishandled in t ...) - serendipity CVE-2019-11869 (The Yuzo Related Posts plugin 5.12.94 for WordPress has XSS because it ...) NOT-FOR-US: WordPress plugin yuzo-related-post CVE-2019-11868 (See.sys, up to version 4.25, in SoftEther VPN Server versions 4.29 or ...) NOT-FOR-US: SoftEther VPN Server CVE-2019-11867 (Realtek NDIS driver rt640x64.sys, file version 10.1.505.2015, fails to ...) NOT-FOR-US: Realtek NDIS driver rt640x64.sys CVE-2019-11866 RESERVED CVE-2019-11865 RESERVED CVE-2019-11864 RESERVED CVE-2019-11863 RESERVED CVE-2019-11862 RESERVED CVE-2019-11861 RESERVED CVE-2019-11860 RESERVED CVE-2019-11859 RESERVED CVE-2019-11858 RESERVED CVE-2019-11857 RESERVED CVE-2019-11856 RESERVED CVE-2019-11855 RESERVED CVE-2019-11854 RESERVED CVE-2019-11853 RESERVED CVE-2019-11852 RESERVED CVE-2019-11851 RESERVED CVE-2019-11850 RESERVED CVE-2019-11849 RESERVED CVE-2019-11848 RESERVED CVE-2019-11847 RESERVED CVE-2018-20837 (include/admin/Menu/Ajax.php in Typesetter 5.1 has index.php/Admin/Menu ...) NOT-FOR-US: Typesetter CMS CVE-2019-11846 (/servlets/ajax_file_upload?fieldName=binary3 in dotCMS 5.1.1 allows XS ...) NOT-FOR-US: dotCMS CVE-2019-11845 (An HTML Injection vulnerability has been discovered on the RICOH SP 45 ...) NOT-FOR-US: RICOH CVE-2019-11844 (An HTML Injection vulnerability has been discovered on the RICOH SP 45 ...) NOT-FOR-US: RICOH CVE-2019-11843 (The MailPoet plugin before 3.23.2 for WordPress allows remote attacker ...) NOT-FOR-US: MailPoet plugin for WordPress CVE-2019-11841 (A message-forgery issue was discovered in crypto/openpgp/clearsign/cle ...) {DLA-1920-1} - golang-go.crypto 1:0.0~git20200221.2aa609c-1 NOTE: https://go.googlesource.com/crypto/+/c05e17bb3b2dca130fc919668a96b4bec9eb9442 NOTE: Patch fixes the second part of the CVE ("prepend arbitrary text") NOTE: but not the first ("ignores the value of [the Hash] header"), as hinted at reporter's 2019-05-09 note: NOTE: https://packetstormsecurity.com/files/152840/Go-Cryptography-Libraries-Cleartext-Message-Spoofing.html CVE-2019-11840 (An issue was discovered in supplementary Go cryptography libraries, ak ...) {DLA-1840-1} - golang-go.crypto 1:0.0~git20200221.2aa609c-1 NOTE: https://github.com/golang/go/issues/30965 NOTE: https://go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113d NOTE: https://groups.google.com/forum/#!msg/golang-announce/tjyNcJxb2vQ/n0NRBziSCAAJ CVE-2019-11839 (njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in ...) NOT-FOR-US: njs CVE-2019-11838 (njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in ...) NOT-FOR-US: njs CVE-2019-11837 (njs through 0.3.1, used in NGINX, has a segmentation fault in String.p ...) NOT-FOR-US: njs CVE-2019-11836 (The Rediffmail (aka com.rediff.mail.and) application 2.2.6 for Android ...) NOT-FOR-US: Rediffmail CVE-2019-11842 (An issue was discovered in Matrix Sydent before 1.0.3 and Synapse befo ...) - matrix-synapse 0.99.2-5 NOTE: https://matrix.org/blog/2019/05/03/security-updates-sydent-1-0-3-synapse-0-99-3-1-and-riot-android-0-9-0-0-8-99-0-8-28-a/ CVE-2019-11835 (cJSON before 1.7.11 allows out-of-bounds access, related to multiline ...) - cjson 1.7.10-1.1 (bug #928726) NOTE: https://github.com/DaveGamble/cJSON/issues/338 CVE-2019-11834 (cJSON before 1.7.11 allows out-of-bounds access, related to \x00 in a ...) - cjson 1.7.10-1.1 (bug #928726) NOTE: https://github.com/DaveGamble/cJSON/issues/337 CVE-2019-11833 (fs/ext4/extents.c in the Linux kernel through 5.1.2 does not zero out ...) {DSA-4465-1 DLA-1824-1 DLA-1823-1} - linux 4.19.37-4 NOTE: Fixed by: https://git.kernel.org/linus/592acbf16821288ecdc4192c47e3774a4c48bb64 CVE-2019-11832 (TYPO3 8.x before 8.7.25 and 9.x before 9.5.6 allows remote code execut ...) NOT-FOR-US: TYPO3 CVE-2019-11831 (The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1 ...) {DSA-4445-1 DLA-1797-1} - drupal7 (bug #928688) NOTE: https://www.drupal.org/SA-CORE-2019-007 CVE-2019-11830 (PharMetaDataInterceptor in the PharStreamWrapper (aka phar-stream-wrap ...) NOT-FOR-US: phar-stream-wrapper CVE-2019-11829 (OS command injection vulnerability in drivers_syno_import_user.php in ...) NOT-FOR-US: Synology CVE-2019-11828 (Cross-site scripting (XSS) vulnerability in Chart in Synology Office b ...) NOT-FOR-US: Synology CVE-2019-11827 (Cross-site scripting (XSS) vulnerability in SYNO.NoteStation.Shard in ...) NOT-FOR-US: Synology CVE-2019-11826 (Relative path traversal vulnerability in SYNO.PhotoTeam.Upload.Item in ...) NOT-FOR-US: Synology CVE-2019-11825 (Cross-site scripting (XSS) vulnerability in Event Editor in Synology C ...) NOT-FOR-US: Synology CVE-2019-11824 RESERVED CVE-2019-11823 (CRLF injection vulnerability in Network Center in Synology Router Mana ...) NOT-FOR-US: Synology CVE-2019-11822 (Relative path traversal vulnerability in SYNO.PhotoStation.File in Syn ...) NOT-FOR-US: Synology CVE-2019-11821 (SQL injection vulnerability in synophoto_csPhotoDB.php in Synology Pho ...) NOT-FOR-US: Synology CVE-2019-11820 (Information exposure through process environment vulnerability in Syno ...) NOT-FOR-US: Synology Calendar CVE-2019-11819 (Alkacon OpenCMS v10.5.4 and before is affected by CSV (aka Excel Macro ...) NOT-FOR-US: Alkacon OpenCMS CVE-2019-11818 (Alkacon OpenCMS v10.5.4 and before is affected by stored cross site sc ...) NOT-FOR-US: Alkacon OpenCMS CVE-2019-11817 RESERVED CVE-2019-11816 (Incorrect access control in the WebUI in OPNsense before version 19.1. ...) NOT-FOR-US: OPNsense CVE-2019-11814 (An issue was discovered in app/webroot/js/misp.js in MISP before 2.4.1 ...) NOT-FOR-US: MISP CVE-2019-11813 (An issue was discovered in app/View/Elements/Events/View/value_field.c ...) NOT-FOR-US: MISP CVE-2019-11812 (A persistent XSS issue was discovered in app/View/Helper/CommandHelper ...) NOT-FOR-US: MISP CVE-2019-11815 (An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c in the L ...) {DSA-4465-1 DLA-1824-1} - linux 4.19.37-1 (bug #928989) [jessie] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/cb66ddd156203daefb8d71158036b27b0e2caf63 CVE-2019-11811 (An issue was discovered in the Linux kernel before 5.0.4. There is a u ...) - linux 4.19.37-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/401e7e88d4ef80188ffa07095ac00456f901b8c4 CVE-2019-11810 (An issue was discovered in the Linux kernel before 5.0.7. A NULL point ...) {DLA-1823-1} - linux 4.19.37-1 [stretch] - linux 4.9.168-1 NOTE: Fixed by: https://git.kernel.org/linus/bcf3b67d16a4c8ffae0aa79de5853435e683945c CVE-2019-11809 (An issue was discovered in Joomla! before 3.9.6. The debug views of co ...) NOT-FOR-US: Joomla! CVE-2018-20836 (An issue was discovered in the Linux kernel before 4.20. There is a ra ...) {DSA-4497-1 DSA-4495-1 DLA-1885-1 DLA-1884-1} - linux 5.2.6-1 NOTE: Fixed by: https://git.kernel.org/linus/b90cd6f2b905905fb42671009dc0e27c310a16ae CVE-2019-11808 (Ratpack versions before 1.6.1 generate a session ID using a cryptograp ...) NOT-FOR-US: Ratpack CVE-2019-11807 (The WooCommerce Checkout Manager plugin before 4.3 for WordPress allow ...) NOT-FOR-US: WooCommerce Checkout Manager plugin for WordPress CVE-2019-11806 (OX App Suite 7.10.1 and earlier has Insecure Permissions. ...) NOT-FOR-US: OX App Suite CVE-2019-11805 RESERVED CVE-2019-11804 RESERVED CVE-2019-11803 RESERVED CVE-2019-11802 RESERVED CVE-2019-11801 RESERVED CVE-2019-11800 RESERVED CVE-2019-11799 RESERVED CVE-2019-11798 RESERVED CVE-2019-11797 RESERVED CVE-2019-11796 RESERVED CVE-2019-11795 RESERVED CVE-2019-11794 RESERVED CVE-2019-11793 RESERVED CVE-2019-11792 RESERVED CVE-2019-11791 RESERVED CVE-2019-11790 RESERVED CVE-2019-11789 RESERVED CVE-2019-11788 RESERVED CVE-2019-11787 RESERVED CVE-2019-11786 RESERVED CVE-2019-11785 RESERVED CVE-2019-11784 RESERVED CVE-2019-11783 RESERVED CVE-2019-11782 RESERVED CVE-2019-11781 RESERVED CVE-2019-11780 (Improper access control in the computed fields system of the framework ...) NOT-FOR-US: Odoo CVE-2019-11779 (In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT cli ...) {DSA-4570-1 DLA-1972-1} - mosquitto 1.6.6-1 (bug #940654) [stretch] - mosquitto (Vulnerable code introduced later) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=551160 NOTE: https://github.com/eclipse/mosquitto/issues/1412 NOTE: Introduced by: https://github.com/eclipse/mosquitto/commit/883af8af5379092097c6552a7a4a8c52409d2566 (v1.5) NOTE: Fixed by: https://github.com/eclipse/mosquitto/commit/106675093177335b18521bc0e5ad1d95343ad652 (1.6.6) NOTE: Fixed by: https://github.com/eclipse/mosquitto/commit/84681d9728ceb7f6ea2b6751b4d87200d8a62f14 (1.5.9) NOTE: https://mosquitto.org/blog/2019/09/version-1-6-6-released/ NOTE: The issue manifests in versions 1.5.0 and onwards only, because some structs NOTE: increased in size enough to cause the stack overflow vulnerability for excessive NOTE: topic hierarchies. In earlier versions, the maximum possible hierarchy depth of NOTE: 65535 wouldn't cause a stack overflow. CVE-2019-11778 (If an MQTT v5 client connects to Eclipse Mosquitto versions 1.6.0 to 1 ...) - mosquitto 1.6.6-1 [buster] - mosquitto (Session expiry interval support introduced in 1.6) [stretch] - mosquitto (Session expiry interval support introduced in 1.6) [jessie] - mosquitto (Session expiry interval support introduced in 1.6) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=551162 NOTE: https://github.com/eclipse/mosquitto/issues/1401 NOTE: https://github.com/eclipse/mosquitto/commit/8407c6d146d1e8299127737d9735afc782e04ea8 NOTE: https://github.com/eclipse/mosquitto/commit/6f3e7b9ceb43e2626a32340c26b69ac8ae5e9c8c NOTE: https://mosquitto.org/blog/2019/09/version-1-6-6-released/ CVE-2019-11777 (In the Eclipse Paho Java client library version 1.2.0, when connecting ...) NOT-FOR-US: Eclipse Paho Java client CVE-2019-11776 (In Eclipse BIRT versions 1.0 to 4.7, the Report Viewer allows Reflecte ...) NOT-FOR-US: Eclipse BIRT CVE-2019-11775 (All builds of Eclipse OpenJ9 prior to 0.15 contain a bug where the loo ...) NOT-FOR-US: Eclipse OpenJ9 CVE-2019-11774 (Prior to 0.1, all builds of Eclipse OMR contain a bug where the loop v ...) NOT-FOR-US: Eclipe OMR CVE-2019-11773 (Prior to 0.1, AIX builds of Eclipse OMR contain unused RPATHs which ma ...) NOT-FOR-US: Eclipe OMR CVE-2019-11772 (In Eclipse OpenJ9 prior to 0.15, the String.getBytes(int, int, byte[], ...) NOT-FOR-US: Eclipse OpenJ9 CVE-2019-11771 (AIX builds of Eclipse OpenJ9 before 0.15.0 contain unused RPATHs which ...) NOT-FOR-US: Eclipse OpenJ9 CVE-2019-11770 (In Eclipse Buildship versions prior to 3.1.1, the build files indicate ...) NOT-FOR-US: Eclipse Buildship CVE-2019-11769 (An issue was discovered in TeamViewer 14.2.2558. Updating the product ...) NOT-FOR-US: TeamViewer CVE-2019-11768 (An issue was discovered in phpMyAdmin before 4.9.0.1. A vulnerability ...) - phpmyadmin 4:4.9.1+dfsg1-2 (bug #930048) [stretch] - phpmyadmin (Minor issue; can be fixed via point release) [jessie] - phpmyadmin (vulnerable code is not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2019-3/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/c1ecafc38319e8f768c9259d4d580e42acd5ee86 NOTE: Code in earlier versions in js/pmd/move.js. CVE-2019-11767 (Server side request forgery (SSRF) in phpBB before 3.2.6 allows checki ...) - phpbb3 [jessie] - phpbb3 (Minor issue, solution/workaround is to disable the remote avatar function) NOTE: https://www.phpbb.com/community/viewtopic.php?f=14&t=2509941 CVE-2019-11766 (dhcp6.c in dhcpcd before 6.11.7 and 7.x before 7.2.2 has a buffer over ...) - dhcpcd5 7.1.0-2 (bug #928440) [stretch] - dhcpcd5 (Minor issue) [jessie] - dhcpcd5 (Vulnerable code not present; D6_OPTION_PD_EXCLUDE support added later) NOTE: https://roy.marples.name/cgit/dhcpcd.git/commit/?&id=c1ebeaafeb324bac997984abdcee2d4e8b61a8a8 NOTE: https://roy.marples.name/cgit/dhcpcd.git/commit/?&id=896ef4a54b0578985e5e1360b141593f1d62837b CVE-2019-11765 (A compromised content process could send a message to the parent proce ...) - firefox 70.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/#CVE-2019-11765 CVE-2019-11764 (Mozilla developers and community members reported memory safety bugs p ...) {DSA-4571-1 DSA-4549-1 DLA-1997-1 DLA-1987-1} - firefox 70.0-1 - firefox-esr 68.2.0esr-1 - thunderbird 1:68.2.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-33/#CVE-2019-11764 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/#CVE-2019-11764 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/#CVE-2019-11764 CVE-2019-11763 (Failure to correctly handle null bytes when processing HTML entities r ...) {DSA-4571-1 DSA-4549-1 DLA-1997-1 DLA-1987-1} - firefox 70.0-1 - firefox-esr 68.2.0esr-1 - thunderbird 1:68.2.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-33/#CVE-2019-11763 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/#CVE-2019-11763 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/#CVE-2019-11763 CVE-2019-11762 (If two same-origin documents set document.domain differently to become ...) {DSA-4571-1 DSA-4549-1 DLA-1997-1 DLA-1987-1} - firefox 70.0-1 - firefox-esr 68.2.0esr-1 - thunderbird 1:68.2.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-33/#CVE-2019-11762 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/#CVE-2019-11762 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/#CVE-2019-11762 CVE-2019-11761 (By using a form with a data URI it was possible to gain access to the ...) {DSA-4571-1 DSA-4549-1 DLA-1997-1 DLA-1987-1} - firefox 70.0-1 - firefox-esr 68.2.0esr-1 - thunderbird 1:68.2.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-33/#CVE-2019-11761 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/#CVE-2019-11761 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/#CVE-2019-11761 CVE-2019-11760 (A fixed-size stack buffer could overflow in nrappkit when doing WebRTC ...) {DSA-4571-1 DSA-4549-1 DLA-1997-1 DLA-1987-1} - firefox 70.0-1 - firefox-esr 68.2.0esr-1 - thunderbird 1:68.2.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-33/#CVE-2019-11760 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/#CVE-2019-11760 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/#CVE-2019-11760 CVE-2019-11759 (An attacker could have caused 4 bytes of HMAC output to be written pas ...) {DSA-4571-1 DSA-4549-1 DLA-1997-1 DLA-1987-1} - firefox 70.0-1 - firefox-esr 68.2.0esr-1 - thunderbird 1:68.2.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-33/#CVE-2019-11759 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/#CVE-2019-11759 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/#CVE-2019-11759 CVE-2019-11758 (Mozilla community member Philipp reported a memory safety bug present ...) - firefox-esr (Only an issue in combination with 360 Total Security) - thunderbird (Only an issue in combination with 360 Total Security) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-33/#CVE-2019-11758 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/#CVE-2019-11758 CVE-2019-11757 (When following the value's prototype chain, it was possible to retain ...) {DSA-4571-1 DSA-4549-1 DLA-1997-1 DLA-1987-1} - firefox 70.0-1 - firefox-esr 68.2.0esr-1 - thunderbird 1:68.2.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-33/#CVE-2019-11757 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/#CVE-2019-11757 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/#CVE-2019-11757 CVE-2019-11756 (Improper refcounting of soft token session objects could cause a use-a ...) - firefox 71.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-11756 CVE-2019-11755 (A crafted S/MIME message consisting of an inner encryption layer and a ...) {DSA-4571-1 DLA-1997-1} [experimental] - thunderbird 1:68.1.1-1~exp1 - thunderbird 1:68.2.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-32/#CVE-2019-11755 CVE-2019-11754 (When the pointer lock is enabled by a website though requestPointerLoc ...) - firefox 69.0.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-31/#CVE-2019-11754 CVE-2019-11753 (The Firefox installer allows Firefox to be installed to a custom user ...) - firefox (Windows-specific) - firefox-esr (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11753 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-26/#CVE-2019-11753 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-27/#CVE-2019-11753 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-29/#CVE-2019-11753 CVE-2019-11752 (It is possible to delete an IndexedDB key value and subsequently try t ...) {DSA-4523-1 DSA-4516-1 DLA-1926-1 DLA-1910-1} - firefox 69.0-1 - firefox-esr 68.1.0esr-1 - thunderbird 1:60.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11752 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-26/#CVE-2019-11752 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-27/#CVE-2019-11752 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-29/#CVE-2019-11742 CVE-2019-11751 (Logging-related command line parameters are not properly sanitized whe ...) - firefox (Windows-specific) - firefox-esr (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11751 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-26/#CVE-2019-11751 CVE-2019-11750 (A type confusion vulnerability exists in Spidermonkey, which results i ...) - firefox 69.0-1 - firefox-esr 68.1.0esr-1 [buster] - firefox-esr (Doesn't affect ESR60) [stretch] - firefox-esr (Doesn't affect ESR60) [jessie] - firefox-esr (Doesn't affect ESR60) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11750 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-26/#CVE-2019-11750 CVE-2019-11749 (A vulnerability exists in WebRTC where malicious web content can use p ...) - firefox 69.0-1 - firefox-esr 68.1.0esr-1 [buster] - firefox-esr (Doesn't affect ESR60) [stretch] - firefox-esr (Doesn't affect ESR60) [jessie] - firefox-esr (Doesn't affect ESR60) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11749 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-26/#CVE-2019-11749 CVE-2019-11748 (WebRTC in Firefox will honor persisted permissions given to sites for ...) - firefox 69.0-1 - firefox-esr 68.1.0esr-1 [buster] - firefox-esr (Doesn't affect ESR60) [stretch] - firefox-esr (Doesn't affect ESR60) [jessie] - firefox-esr (Doesn't affect ESR60) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11748 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-26/#CVE-2019-11748 CVE-2019-11747 (The "Forget about this site" feature in the History pane is intended t ...) - firefox 69.0-1 - firefox-esr 68.1.0esr-1 [buster] - firefox-esr (Doesn't affect ESR60) [stretch] - firefox-esr (Doesn't affect ESR60) [jessie] - firefox-esr (Doesn't affect ESR60) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11747 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-26/#CVE-2019-11747 CVE-2019-11746 (A use-after-free vulnerability can occur while manipulating video elem ...) {DSA-4523-1 DSA-4516-1 DLA-1926-1 DLA-1910-1} - firefox 69.0-1 - firefox-esr 68.1.0esr-1 - thunderbird 1:60.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11746 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-26/#CVE-2019-11746 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-27/#CVE-2019-11746 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-29/#CVE-2019-11746 CVE-2019-11745 (When encrypting with a block cipher, if a call to NSC_EncryptUpdate wa ...) {DSA-4579-1 DLA-2008-1} - nss 2:3.47.1-1 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1586176 (not public) NOTE: https://hg.mozilla.org/projects/nss/rev/1e22a0c93afe9f46545560c86caedef9dab6cfda NOTE: Fixed in 3.44.3 and 3.47.1 upstream. CVE-2019-11744 (Some HTML elements, such as &lt;title&gt; and &lt;textarea ...) {DSA-4523-1 DSA-4516-1 DLA-1926-1 DLA-1910-1} - firefox 69.0-1 - firefox-esr 68.1.0esr-1 - thunderbird 1:60.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11744 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-26/#CVE-2019-11744 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-27/#CVE-2019-11744 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-29/#CVE-2019-11744 CVE-2019-11743 (Navigation events were not fully adhering to the W3C's "Navigation-Tim ...) {DSA-4523-1 DSA-4516-1 DLA-1926-1 DLA-1910-1} - firefox 69.0-1 - firefox-esr 68.1.0esr-1 - thunderbird 1:60.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11743 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-26/#CVE-2019-11743 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-27/#CVE-2019-11743 CVE-2019-11742 (A same-origin policy violation occurs allowing the theft of cross-orig ...) {DSA-4523-1 DSA-4516-1 DLA-1926-1 DLA-1910-1} - firefox 69.0-1 - firefox-esr 68.1.0esr-1 - thunderbird 1:60.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11742 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-26/#CVE-2019-11742 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-27/#CVE-2019-11742 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-29/#CVE-2019-11742 CVE-2019-11741 (A compromised sandboxed content process can perform a Universal Cross- ...) - firefox 69.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11741 CVE-2019-11740 (Mozilla developers and community members reported memory safety bugs p ...) {DSA-4523-1 DSA-4516-1 DLA-1926-1 DLA-1910-1} - firefox 69.0-1 - firefox-esr 68.1.0esr-1 - thunderbird 1:60.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11740 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-26/#CVE-2019-11740 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-27/#CVE-2019-11740 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-29/#CVE-2019-11740 CVE-2019-11739 (Encrypted S/MIME parts in a crafted multipart/alternative message can ...) {DSA-4523-1 DLA-1926-1} - thunderbird 1:60.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-29/#CVE-2019-11739 CVE-2019-11738 (If a Content Security Policy (CSP) directive is defined that uses a ha ...) - firefox 69.0-1 - firefox-esr 68.1.0esr-1 [buster] - firefox-esr (Doesn't affect ESR60) [stretch] - firefox-esr (Doesn't affect ESR60) [jessie] - firefox-esr (Doesn't affect ESR60) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11738 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-26/#CVE-2019-11738 CVE-2019-11737 (If a wildcard ('*') is specified for the host in Content Security Poli ...) - firefox 69.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11737 CVE-2019-11736 (The Mozilla Maintenance Service does not guard against files being har ...) - firefox (Windows-specific) - firefox-esr (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11736 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-26/#CVE-2019-11736 CVE-2019-11735 (Mozilla developers and community members reported memory safety bugs p ...) - firefox 69.0-1 - firefox-esr 68.1.0esr-1 [buster] - firefox-esr (Doesn't affect ESR60) [stretch] - firefox-esr (Doesn't affect ESR60) [jessie] - firefox-esr (Doesn't affect ESR60) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11735 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-26/#CVE-2019-11735 CVE-2019-11734 (Mozilla developers and community members reported memory safety bugs p ...) - firefox 69.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11734 CVE-2019-11733 (When a master password is set, it is required to be entered again befo ...) - firefox 68.0.2-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-24/#CVE-2019-11733 CVE-2019-11732 RESERVED CVE-2019-11731 RESERVED CVE-2019-11730 (A vulnerability exists where if a user opens a locally saved HTML file ...) {DSA-4482-1 DSA-4479-1 DLA-1870-1 DLA-1869-1} - firefox 68.0-1 - firefox-esr 60.8.0esr-1 - thunderbird 1:60.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11730 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11730 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-23/#CVE-2019-11730 CVE-2019-11729 (Empty or malformed p256-ECDH public keys may trigger a segmentation fa ...) {DLA-1857-1} - firefox 68.0-1 (unimportant) - firefox-esr 60.8.0esr-1 (unimportant) [buster] - firefox-esr 60.8.0esr-1~deb10u1 [stretch] - firefox-esr 60.8.0esr-1~deb9u1 - thunderbird 1:60.8.0-1 (unimportant) [buster] - thunderbird 1:60.8.0-1~deb10u1 [stretch] - thunderbird 1:60.8.0-1~deb9u1 - nss 2:3.45-1 [buster] - nss 2:3.42.1-1+deb10u1 [stretch] - nss (Minor issue) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11729 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-23/#CVE-2019-11729 NOTE: https://hg.mozilla.org/projects/nss/rev/dabfe1160c682b4d1d19c5a7a13ab3828bb9d37f NOTE: https://hg.mozilla.org/projects/nss/rev/ebc93d6daeaa9001d31fd18b5199779da99ae9aa NOTE: firefox-esr in older suites than buster use the embedded copy and thus issue NOTE: is just fixed by updating firefox-esr to 60.8.0. For the others an update to NOTE: src:nss is needed as firefox-esr uses the system library. CVE-2019-11728 (The HTTP Alternative Services header, Alt-Svc, can be used by a malici ...) - firefox 68.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11728 CVE-2019-11727 (A vulnerability exists where it possible to force Network Security Ser ...) - firefox 68.0-1 (unimportant) - nss 2:3.45-1 [buster] - nss 2:3.42.1-1+deb10u1 [stretch] - nss (Minor issue) [jessie] - nss (Issue is specific to TLS 1.3 and support was not really complete in 3.26; code has diverged significantly since and applying the fix would be very disruptive) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727 NOTE: https://hg.mozilla.org/projects/nss/rev/0a4e8b72a92e144663c2f35d3836f7828cfc97f2 NOTE: firefox-esr in older suites than buster use the embedded copy and thus issue NOTE: is just fixed by updating firefox-esr to 60.8.0. For the others an update to NOTE: src:nss is needed as firefox-esr uses the system library. CVE-2019-11726 RESERVED CVE-2019-11725 (When a user navigates to site marked as unsafe by the Safebrowsing API ...) - firefox 68.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11725 CVE-2019-11724 (Application permissions give additional remote troubleshooting permiss ...) - firefox 68.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11724 CVE-2019-11723 (A vulnerability exists during the installation of add-ons where the in ...) - firefox 68.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11723 CVE-2019-11722 REJECTED CVE-2019-11721 (The unicode latin 'kra' character can be used to spoof a standard 'k' ...) - firefox 68.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11721 CVE-2019-11720 (Some unicode characters are incorrectly treated as whitespace during t ...) - firefox 68.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11720 CVE-2019-11719 (When importing a curve25519 private key in PKCS#8format with leading 0 ...) {DLA-1857-1} - firefox 68.0-1 (unimportant) - firefox-esr 60.8.0esr-1 (unimportant) [buster] - firefox-esr 60.8.0esr-1~deb10u1 [stretch] - firefox-esr 60.8.0esr-1~deb9u1 - thunderbird 1:60.8.0-1 (unimportant) [buster] - thunderbird 1:60.8.0-1~deb10u1 [stretch] - thunderbird 1:60.8.0-1~deb9u1 - nss 2:3.45-1 [buster] - nss 2:3.42.1-1+deb10u1 [stretch] - nss (Minor issue) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11719 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11719 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-23/#CVE-2019-11719 NOTE: https://hg.mozilla.org/projects/nss/rev/6cfb54d262d030783137aa6478b45ecb3cbfc624 NOTE: firefox-esr in older suites than buster use the embedded copy and thus issue NOTE: is just fixed by updating firefox-esr to 60.8.0. For the others an update to NOTE: src:nss is needed as firefox-esr uses the system library. CVE-2019-11718 (Activity Stream can display content from sent from the Snippet Service ...) - firefox 68.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11718 CVE-2019-11717 (A vulnerability exists where the caret ("^") character is improperly e ...) {DSA-4482-1 DSA-4479-1 DLA-1870-1 DLA-1869-1} - firefox 68.0-1 - firefox-esr 60.8.0esr-1 - thunderbird 1:60.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11717 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11717 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-23/#CVE-2019-11717 CVE-2019-11716 (Until explicitly accessed by script, window.globalThis is not enumerab ...) - firefox 68.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11716 CVE-2019-11715 (Due to an error while parsing page content, it is possible for properl ...) {DSA-4482-1 DSA-4479-1 DLA-1870-1 DLA-1869-1} - firefox 68.0-1 - firefox-esr 60.8.0esr-1 - thunderbird 1:60.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11715 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11715 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-23/#CVE-2019-11715 CVE-2019-11714 (Necko can access a child on the wrong thread during UDP connections, r ...) - firefox 68.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11714 CVE-2019-11713 (A use-after-free vulnerability can occur in HTTP/2 when a cached HTTP/ ...) {DSA-4482-1 DSA-4479-1 DLA-1870-1 DLA-1869-1} - firefox 68.0-1 - firefox-esr 60.8.0esr-1 - thunderbird 1:60.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11713 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11713 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-23/#CVE-2019-11713 CVE-2019-11712 (POST requests made by NPAPI plugins, such as Flash, that receive a sta ...) {DSA-4482-1 DSA-4479-1 DLA-1870-1 DLA-1869-1} - firefox 68.0-1 - firefox-esr 60.8.0esr-1 - thunderbird 1:60.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11712 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11712 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-23/#CVE-2019-11712 CVE-2019-11711 (When an inner window is reused, it does not consider the use of docume ...) {DSA-4482-1 DSA-4479-1 DLA-1870-1 DLA-1869-1} - firefox 68.0-1 - firefox-esr 60.8.0esr-1 - thunderbird 1:60.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11711 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11711 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-23/#CVE-2019-11711 CVE-2019-11710 (Mozilla developers and community members reported memory safety bugs p ...) - firefox 68.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11710 CVE-2019-11709 (Mozilla developers and community members reported memory safety bugs p ...) {DSA-4482-1 DSA-4479-1 DLA-1870-1 DLA-1869-1} - firefox 68.0-1 - firefox-esr 60.8.0esr-1 - thunderbird 1:60.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11709 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11709 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-23/#CVE-2019-11709 CVE-2019-11708 (Insufficient vetting of parameters passed with the Prompt:Open IPC mes ...) {DSA-4474-1 DSA-4471-1 DLA-1836-1} - firefox 67.0.4-1 - firefox-esr 60.7.2esr-1 - thunderbird 1:60.7.2-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/#CVE-2019-11708 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-20/#CVE-2019-11708 CVE-2019-11707 (A type confusion vulnerability can occur when manipulating JavaScript ...) {DSA-4471-1 DSA-4466-1 DLA-1836-1 DLA-1829-1} - firefox 67.0.3-1 - firefox-esr 60.7.1esr-1 - thunderbird 1:60.7.2-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/#CVE-2019-11707 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-20/#CVE-2019-11707 CVE-2019-11706 (A flaw in Thunderbird's implementation of iCal causes a type confusion ...) {DSA-4464-1 DLA-1820-1} - thunderbird 1:60.7.1-1 NOTE: https://www.openwall.com/lists/oss-security/2019/06/13/4 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1555646 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/#CVE-2019-11706 CVE-2019-11705 (A flaw in Thunderbird's implementation of iCal causes a stack buffer o ...) {DSA-4464-1 DLA-1820-1} - thunderbird 1:60.7.1-1 NOTE: https://www.openwall.com/lists/oss-security/2019/06/13/3 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1553808 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/#CVE-2019-11705 CVE-2019-11704 (A flaw in Thunderbird's implementation of iCal causes a heap buffer ov ...) {DSA-4464-1 DLA-1820-1} - thunderbird 1:60.7.1-1 NOTE: https://www.openwall.com/lists/oss-security/2019/06/13/1 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1553814 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/#CVE-2019-11704 CVE-2019-11703 (A flaw in Thunderbird's implementation of iCal causes a heap buffer ov ...) {DSA-4464-1 DLA-1820-1} - thunderbird 1:60.7.1-1 NOTE: https://www.openwall.com/lists/oss-security/2019/06/13/2 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1553820 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/#CVE-2019-11703 CVE-2019-11702 (A hyperlink using protocols associated with Internet Explorer, such as ...) - firefox (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-16/#CVE-2019-11702 CVE-2019-11701 (The default webcal: protocol handler will load a web site vulnerable t ...) [experimental] - firefox 67.0-1 - firefox 67.0-2 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11701 CVE-2019-11700 (A hyperlink using the res: protocol can be used to open local files at ...) - firefox (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11700 CVE-2019-11699 (A malicious page can briefly cause the wrong name to be highlighted as ...) [experimental] - firefox 67.0-1 - firefox 67.0-2 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11699 CVE-2019-11698 (If a crafted hyperlink is dragged and dropped to the bookmark bar or s ...) {DSA-4451-1 DSA-4448-1 DLA-1806-1 DLA-1800-1} [experimental] - firefox 67.0-1 - firefox 67.0-2 - firefox-esr 60.7.0esr-1 - thunderbird 1:60.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11698 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-11698 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-11698 CVE-2019-11697 (If the ALT and "a" keys are pressed when users receive an extension in ...) [experimental] - firefox 67.0-1 - firefox 67.0-2 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11697 CVE-2019-11696 (Files with the .JNLP extension used for "Java web start" applications ...) [experimental] - firefox 67.0-1 - firefox 67.0-2 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11696 CVE-2019-11695 (A custom cursor defined by scripting on a site can position itself ove ...) [experimental] - firefox 67.0-1 - firefox 67.0-2 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11695 CVE-2019-11694 (A vulnerability exists in the Windows sandbox where an uninitialized v ...) - firefox (Windows-specific) - firefox-esr (Windows-specific) - thunderbird (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11694 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-11694 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-11694 CVE-2019-11693 (The bufferdata function in WebGL is vulnerable to a buffer overflow wi ...) {DSA-4451-1 DSA-4448-1 DLA-1806-1 DLA-1800-1} [experimental] - firefox 67.0-1 - firefox 67.0-2 - firefox-esr 60.7.0esr-1 - thunderbird 1:60.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11693 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-11693 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-11693 CVE-2019-11692 (A use-after-free vulnerability can occur when listeners are removed fr ...) {DSA-4451-1 DSA-4448-1 DLA-1806-1 DLA-1800-1} [experimental] - firefox 67.0-1 - firefox 67.0-2 - firefox-esr 60.7.0esr-1 - thunderbird 1:60.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11692 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-11692 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-11692 CVE-2019-11691 (A use-after-free vulnerability can occur when working with XMLHttpRequ ...) {DSA-4451-1 DSA-4448-1 DLA-1806-1 DLA-1800-1} [experimental] - firefox 67.0-1 - firefox 67.0-2 - firefox-esr 60.7.0esr-1 - thunderbird 1:60.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11691 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-11691 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-11691 CVE-2019-11690 (gen_rand_uuid in lib/uuid.c in Das U-Boot v2014.04 through v2019.04 la ...) - u-boot 2019.01+dfsg-6 (low; bug #928557) [stretch] - u-boot (Minor issue) [jessie] - u-boot (Minor issue) NOTE: https://patchwork.ozlabs.org/patch/1092945 CVE-2019-11689 (An issue was discovered in ASUSTOR exFAT Driver through 1.0.0.r20. Whe ...) NOT-FOR-US: ASUSTOR CVE-2019-11688 (An issue was discovered in ASUSTOR exFAT Driver through 1.0.0.r20. Whe ...) NOT-FOR-US: ASUSTOR CVE-2019-11687 (An issue was discovered in the DICOM Part 10 File Format in the NEMA D ...) NOT-FOR-US: DICOM CVE-2019-11686 (Western Digital SanDisk X300, X300s, X400, and X600 devices: A vulnera ...) NOT-FOR-US: Western Digital CVE-2019-11685 RESERVED CVE-2019-11684 RESERVED CVE-2019-11683 (udp_gro_receive_segment in net/ipv4/udp_offload.c in the Linux kernel ...) - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/4dd2b82d5adfbe0b1587ccad7a8f76d826120f37 CVE-2019-11682 (A buffer overflow in the SMTP response service in MailCarrier 2.51 all ...) NOT-FOR-US: MailCarrier CVE-2019-11681 RESERVED CVE-2019-11680 (KonaKart 8.9.0.0 is vulnerable to Remote Code Execution by uploading a ...) NOT-FOR-US: KonaKart CVE-2019-11679 RESERVED CVE-2019-11678 (The "default reports" feature in Zoho ManageEngine Firewall Analyzer b ...) NOT-FOR-US: Zoho ManageEngine Firewall Analyzer CVE-2019-11677 (The Custom Report import function in Zoho ManageEngine Firewall Analyz ...) NOT-FOR-US: Zoho ManageEngine Firewall Analyzer CVE-2019-11676 (The user defined DNS name in Zoho ManageEngine Firewall Analyzer befor ...) NOT-FOR-US: Zoho ManageEngine Firewall Analyzer CVE-2017-18374 (The ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 rou ...) NOT-FOR-US: ZyXEL CVE-2017-18373 (The Billion 5200W-T TCLinux Fw $7.3.8.0 v008 130603 router distributed ...) NOT-FOR-US: Billion 5200W-T TCLinux router CVE-2017-18372 (The Billion 5200W-T TCLinux Fw $7.3.8.0 v008 130603 router distributed ...) NOT-FOR-US: Billion 5200W-T TCLinux router CVE-2017-18371 (The ZyXEL P660HN-T1A v2 TCLinux Fw #7.3.37.6 router distributed by Tru ...) NOT-FOR-US: ZyXEL CVE-2017-18370 (The ZyXEL P660HN-T1A v2 TCLinux Fw #7.3.37.6 router distributed by Tru ...) NOT-FOR-US: ZyXEL CVE-2017-18369 (The Billion 5200W-T 1.02b.rc5.dt49 router distributed by TrueOnline ha ...) NOT-FOR-US: Billion 5200W-T router CVE-2017-18368 (The ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 rou ...) NOT-FOR-US: ZyXEL CVE-2019-11674 (Man-in-the-middle vulnerability in Micro Focus Self Service Password R ...) NOT-FOR-US: Micro Focus CVE-2019-11673 RESERVED CVE-2019-11672 RESERVED CVE-2019-11671 RESERVED CVE-2019-11670 RESERVED CVE-2019-11669 (Modifiable read only check box In Micro Focus Service Manager, version ...) NOT-FOR-US: Micro Focus CVE-2019-11668 (HTTP cookie in Micro Focus Service manager, Versions 9.30, 9.31, 9.32, ...) NOT-FOR-US: Micro Focus CVE-2019-11667 (Unauthorized access to contact information in Micro Focus Service Mana ...) NOT-FOR-US: Micro Focus CVE-2019-11666 (Insecure deserialization of untrusted data in Micro Focus Service Mana ...) NOT-FOR-US: Micro Focus CVE-2019-11665 (Data exposure in Micro Focus Service Manager product versions 9.30, 9. ...) NOT-FOR-US: Micro Focus CVE-2019-11664 (Clear text password in browser in Micro Focus Service Manager product ...) NOT-FOR-US: Micro Focus CVE-2019-11663 (Clear text credentials are used to access managers app in Tomcat in Mi ...) NOT-FOR-US: Micro Focus CVE-2019-11662 (Class and method names in error message in Micro Focus Service Manager ...) NOT-FOR-US: Micro Focus CVE-2019-11661 (Allow changes to some table by non-SysAdmin in Micro Focus Service Man ...) NOT-FOR-US: Micro Focus CVE-2019-11660 (Privileges manipulation in Micro Focus Data Protector, versions 10.00, ...) NOT-FOR-US: Micro Focus CVE-2019-11659 RESERVED CVE-2019-11658 (Information exposure in Micro Focus Content Manager, versions 9.1, 9.2 ...) NOT-FOR-US: Micro Focus CVE-2019-11657 (Cross-Site Request Forgery vulnerability in all Micro Focus ArcSight L ...) NOT-FOR-US: Micro Focus CVE-2019-11656 (Stored XSS vulnerability in Micro Focus ArcSight Logger, affects versi ...) NOT-FOR-US: Micro Focus CVE-2019-11655 (Unrestricted file upload vulnerability in Micro Focus ArcSight Logger, ...) NOT-FOR-US: Micro Focus CVE-2019-11654 (Path traversal vulnerability in Micro Focus Verastream Host Integrator ...) NOT-FOR-US: Micro Focus CVE-2019-11653 (Remote Access Control Bypass in Micro Focus Content Manager. versions ...) NOT-FOR-US: Micro Focus CVE-2019-11652 (A potential authorization bypass issue was found in Micro Focus Self S ...) NOT-FOR-US: Micro Focus CVE-2019-11651 (Reflected XSS on Micro Focus Enterprise Developer and Enterprise Serve ...) NOT-FOR-US: Micro Focus CVE-2019-11650 (A potential Man in the Middle attack (MITM) was found in NetIQ Advance ...) NOT-FOR-US: NetIQ Advanced Authentication Framework CVE-2019-11649 (Cross-Site Scripting vulnerability in Micro Focus Fortify Software Sec ...) NOT-FOR-US: Micro Focus Fortify software security center server CVE-2019-11648 (An information leakage exists in Micro Focus NetIQ Self Service Passwo ...) NOT-FOR-US: Micro Focus NetIQ CVE-2019-11647 (A potential XSS exists in Self Service Password Reset, in Micro Focus ...) NOT-FOR-US: Micro Focus NetIQ CVE-2019-11646 (Remote unauthorized command execution and unauthorized disclosure of i ...) NOT-FOR-US: Micro Focus Service Manager CVE-2019-11645 RESERVED CVE-2019-11675 (The groonga-httpd package 6.1.5-1 for Debian sets the /var/log/groonga ...) - groonga 9.0.1-2 (bug #928304) [buster] - groonga 9.0.0-1+deb10u1 [stretch] - groonga 6.1.5-1+deb9u1 CVE-2019-11644 (In the F-Secure installer in F-Secure SAFE for Windows before 17.6, F- ...) NOT-FOR-US: F-Secure CVE-2019-11643 (Persistent XSS has been found in the OneShield Policy (Dragon Core) fr ...) NOT-FOR-US: OneShield Policy (Dragon Core) framework CVE-2019-11642 (A log poisoning vulnerability has been discovered in the OneShield Pol ...) NOT-FOR-US: OneShield Policy (Dragon Core) framework CVE-2019-11641 (Anomali Agave (formerly Drupot) through 1.0.0 fails to avoid fingerpri ...) NOT-FOR-US: Anomali Agave CVE-2019-11640 (An issue was discovered in GNU recutils 1.8. There is a heap-based buf ...) - recutils (unimportant) NOTE: Negligible security impact CVE-2019-11639 (An issue was discovered in GNU recutils 1.8. There is a stack-based bu ...) - recutils (unimportant) NOTE: Negligible security impact CVE-2019-11638 (An issue was discovered in GNU recutils 1.8. There is a NULL pointer d ...) - recutils (unimportant) NOTE: Negligible security impact CVE-2019-11637 (An issue was discovered in GNU recutils 1.8. There is a NULL pointer d ...) - recutils (unimportant) NOTE: Negligible security impact CVE-2019-11636 (Zcash 2.x allows an inexpensive approach to "fill all transactions of ...) - zcash (bug #842388) CVE-2019-11635 RESERVED CVE-2019-11634 (Citrix Workspace App before 1904 for Windows has Incorrect Access Cont ...) NOT-FOR-US: Citrix Workspace App CVE-2019-11633 (HoneyPress through 2016-09-27 can be fingerprinted by attackers becaus ...) NOT-FOR-US: HoneyPress CVE-2019-11632 (In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019. ...) NOT-FOR-US: Octopus Deploy CVE-2015-9287 (Directory Traversal was discovered in University of Cambridge mod_ucam ...) NOT-FOR-US: mod_ucam_webauth CVE-2019-11631 REJECTED CVE-2019-11630 RESERVED CVE-2019-11629 (Sonatype Nexus Repository Manager 2.x before 2.14.13 allows XSS. ...) NOT-FOR-US: Sonatype Nexus Repository Manager CVE-2019-11628 (An issue was discovered in QlikView Server before 11.20 SR19, 12.00 an ...) NOT-FOR-US: Qlik products CVE-2019-11626 (routers/ajaxRouter.php in doorGets 7.0 has a web site physical path le ...) NOT-FOR-US: doorGets CVE-2019-11625 (doorGets 7.0 has a SQL injection vulnerability in /doorgets/app/reques ...) NOT-FOR-US: doorGets CVE-2019-11624 (doorGets 7.0 has an arbitrary file deletion vulnerability in /doorgets ...) NOT-FOR-US: doorGets CVE-2019-11623 (doorGets 7.0 has a SQL injection vulnerability in /doorgets/app/reques ...) NOT-FOR-US: doorGets CVE-2019-11622 (doorGets 7.0 has a SQL injection vulnerability in /doorgets/app/reques ...) NOT-FOR-US: doorGets CVE-2019-11621 (doorGets 7.0 has a SQL injection vulnerability in /doorgets/app/reques ...) NOT-FOR-US: doorGets CVE-2019-11620 (doorGets 7.0 has a SQL injection vulnerability in /doorgets/app/reques ...) NOT-FOR-US: doorGets CVE-2019-11619 (doorGets 7.0 has a SQL injection vulnerability in /doorgets/app/reques ...) NOT-FOR-US: doorGets CVE-2019-11618 (doorGets 7.0 has a default administrator credential vulnerability. A r ...) NOT-FOR-US: doorGets CVE-2019-11617 (doorGets 7.0 has a CSRF vulnerability in /doorgets/app/requests/user/c ...) NOT-FOR-US: doorGets CVE-2019-11616 (doorGets 7.0 has a sensitive information disclosure vulnerability in / ...) NOT-FOR-US: doorGets CVE-2019-11615 (/fileman/php/upload.php in doorGets 7.0 has an arbitrary file upload v ...) NOT-FOR-US: doorGets CVE-2019-11614 (doorGets 7.0 has a SQL injection vulnerability in /doorgets/app/views/ ...) NOT-FOR-US: doorGets CVE-2019-11613 (doorGets 7.0 has a SQL injection vulnerability in /doorgets/app/views/ ...) NOT-FOR-US: doorGets CVE-2019-11612 (doorGets 7.0 has an arbitrary file deletion vulnerability in /fileman/ ...) NOT-FOR-US: doorGets CVE-2019-11611 (doorGets 7.0 has a sensitive information disclosure vulnerability in / ...) NOT-FOR-US: doorGets CVE-2019-11610 (doorGets 7.0 has a sensitive information disclosure vulnerability in / ...) NOT-FOR-US: doorGets CVE-2019-11609 (doorGets 7.0 has a sensitive information disclosure vulnerability in / ...) NOT-FOR-US: doorGets CVE-2019-11608 (doorGets 7.0 has a sensitive information disclosure vulnerability in / ...) NOT-FOR-US: doorGets CVE-2019-11607 (doorGets 7.0 has a sensitive information disclosure vulnerability in / ...) NOT-FOR-US: doorGets CVE-2019-11606 (doorGets 7.0 has a sensitive information disclosure vulnerability in / ...) NOT-FOR-US: doorGets CVE-2019-11605 (An issue was discovered in GitLab Community and Enterprise Edition 11. ...) - gitlab 11.8.10+dfsg-1 NOTE: https://about.gitlab.com/2019/04/30/security-release-gitlab-11-dot-10-dot-3-released/ CVE-2019-11604 (An issue was discovered in Quest KACE Systems Management Appliance bef ...) NOT-FOR-US: Quest KACE Systems Management Appliance CVE-2019-11603 (A HTTP Traversal Attack in earlier versions than ProSyst mBS SDK 8.2.6 ...) NOT-FOR-US: ProSyst mBS SDK and Bosch IoT Gateway Software CVE-2019-11602 (Leakage of stack traces in remote access to backup & restore in ea ...) NOT-FOR-US: ProSyst mBS SDK and Bosch IoT Gateway Software CVE-2019-11601 (A directory traversal vulnerability in remote access to backup & r ...) NOT-FOR-US: ProSyst mBS SDK and Bosch IoT Gateway Software CVE-2019-11600 (A SQL injection vulnerability in the activities API in OpenProject bef ...) NOT-FOR-US: OpenProject CVE-2018-20835 (A vulnerability was found in tar-fs before 1.16.2. An Arbitrary File O ...) - node-tar-fs (bug #897023) CVE-2018-20834 (A vulnerability was found in node-tar before version 4.4.2 (excluding ...) - node-tar 4.4.4+ds1-2 [stretch] - node-tar (Nodejs in stretch not covered by security support, minor issue) [jessie] - node-tar (Nodejs in jessie not covered by security support, minor issue) NOTE: https://github.com/npm/node-tar/commit/b0c58433c22f5e7fe8b1c76373f27e3f81dcd4c8 NOTE: https://hackerone.com/reports/344595 CVE-2018-20833 RESERVED CVE-2018-20832 RESERVED CVE-2018-20831 RESERVED CVE-2018-20830 RESERVED CVE-2018-20829 RESERVED CVE-2018-20828 RESERVED CVE-2018-20827 (The activity stream gadget in Jira before version 7.13.1 allows remote ...) NOT-FOR-US: Atlassian Jira CVE-2018-20826 (The inline-create rest resource in Jira before version 7.12.3 allows a ...) NOT-FOR-US: Atlassian Jira CVE-2018-20825 RESERVED CVE-2018-20824 (The WallboardServlet resource in Jira before version 7.13.1 allows rem ...) NOT-FOR-US: Atlassian CVE-2015-9286 (Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 ha ...) NOT-FOR-US: NodeBB CVE-2019-11627 (gpg-key2ps in signing-party 1.1.x and 2.x before 2.10-1 contains an un ...) {DLA-1773-1} - signing-party 2.10-1 (bug #928256) [stretch] - signing-party 2.5-1+deb9u1 NOTE: https://salsa.debian.org/signing-party-team/signing-party/commit/cd69b6c0426a6160ef3de03fce9c7f112166d5a8 CVE-2019-11599 (The coredump implementation in the Linux kernel before 5.0.10 does not ...) {DSA-4465-1 DLA-1824-1 DLA-1799-1} - linux 4.19.37-1 NOTE: https://marc.info/?l=linux-mm&m=155355419911404&w=2 NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1790 CVE-2019-11598 (In ImageMagick 7.0.8-40 Q16, there is a heap-based buffer over-read in ...) {DSA-4712-1 DLA-1785-1} - imagemagick (bug #928206) [stretch] - imagemagick (Fix along in next DSA) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1540 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/e2a21735e3a3f3930bd431585ec36334c4c2eb77 NOTE: patch introduces new (potentially security relevant) bugs, see: NOTE: https://github.com/ImageMagick/ImageMagick/issues/1540#issuecomment-491504100 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/dd8efbac0b7fa9dd2da527ea3f629f39bf1c02cb CVE-2019-11597 (In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in ...) {DSA-4712-1 DLA-1785-1} - imagemagick (bug #928207) [stretch] - imagemagick (Fix along in next DSA) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1555 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/1d6c036f0388d7857c725342f7212b60e39a14c1 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/c979b348d64a25a04f12ea7fe7888b2b23f230a7 NOTE: fix appears to be insufficient: https://github.com/ImageMagick/ImageMagick/issues/1560 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/3c53413eb544cc567309b4c86485eae43e956112 NOTE: The followup-fix got assigned CVE-2019-15141 (which is only applicable if incomplete NOTE: fix is applied). Make sure to fix issue completely when addressing this issue. CVE-2019-11596 (In memcached before 1.5.14, a NULL pointer dereference was found in th ...) - memcached 1.5.6-1.1 (bug #928205) [stretch] - memcached (Vulnerable code introduced later) [jessie] - memcached (Vulnerable code introduced later) NOTE: https://github.com/memcached/memcached/commit/d35334f368817a77a6bd1f33c6a5676b2c402c02 NOTE: https://github.com/memcached/memcached/issues/474 CVE-2019-11595 (In uBlock before 0.9.5.15, the $rewrite filter option allows filter-li ...) NOT-FOR-US: uBlock CVE-2019-11594 (In AdBlock before 3.45.0, the $rewrite filter option allows filter-lis ...) NOT-FOR-US: AdBlock CVE-2019-11593 (In Adblock Plus before 3.5.2, the $rewrite filter option allows filter ...) NOT-FOR-US: AdBlock Plus CVE-2019-11592 (WeBid 1.2.2 has reflected XSS via the id parameter to admin/deletenews ...) NOT-FOR-US: WeBid Auction Script CVE-2019-11589 (The ChangeSharedFilterOwner resource in Jira before version 7.13.6, fr ...) NOT-FOR-US: Atlassian Jira CVE-2019-11588 (The ViewSystemInfo class doGarbageCollection method in Jira before ver ...) NOT-FOR-US: Atlassian Jira CVE-2019-11587 (Various exposed resources of the ViewLogging class in Jira before vers ...) NOT-FOR-US: Atlassian Jira CVE-2019-11586 (The AddResolution.jspa resource in Jira before version 7.13.6, from ve ...) NOT-FOR-US: Atlassian Jira CVE-2019-11585 (The startup.jsp resource in Jira before version 7.13.6, from version 8 ...) NOT-FOR-US: Atlassian Jira CVE-2019-11584 (The MigratePriorityScheme resource in Jira before version 8.3.2 allows ...) NOT-FOR-US: Atlassian Jira CVE-2019-11583 (The issue searching component in Jira before version 8.1.0 allows remo ...) NOT-FOR-US: issue searching component in Jira CVE-2019-11582 (An argument injection vulnerability in Atlassian Sourcetree for Window ...) NOT-FOR-US: Atlassian Sourcetree CVE-2019-11581 (There was a server-side template injection vulnerability in Jira Serve ...) NOT-FOR-US: Atlassian Jira CVE-2019-11580 (Atlassian Crowd and Crowd Data Center had the pdkinstall development p ...) NOT-FOR-US: Atlassian Crowd and Crowd Data Center CVE-2015-9285 (esoTalk 1.0.0g4 has XSS via the PATH_INFO to the conversations/ URI. ...) NOT-FOR-US: esoTalk CVE-2019-11591 (The WebDorado Contact Form plugin before 1.13.5 for WordPress allows C ...) NOT-FOR-US: WordPress plugin contact-form-maker CVE-2019-11590 (The 10Web Form Maker plugin before 1.13.5 for WordPress allows CSRF vi ...) NOT-FOR-US: WordPress plugin form-maker CVE-2019-11577 (dhcpcd before 7.2.1 contains a buffer overflow in dhcp6_findna in dhcp ...) - dhcpcd5 7.1.0-2 (bug #928105) [stretch] - dhcpcd5 (Vulnerable code not present) [jessie] - dhcpcd5 (Vulnerable code not present) NOTE: https://roy.marples.name/git/dhcpcd.git/commit/?id=8d11b33f6c60e2db257130fa383ba76b6018bcf6 CVE-2019-11579 (dhcp.c in dhcpcd before 7.2.1 contains a 1-byte read overflow with DHO ...) {DLA-1793-1} - dhcpcd5 7.1.0-2 (low; bug #928104) [stretch] - dhcpcd5 (Minor issue) NOTE: https://roy.marples.name/git/dhcpcd.git/commit/?id=4b67f6f1038fd4ad5ca7734eaaeba1b2ec4816b8 CVE-2019-11578 (auth.c in dhcpcd before 7.2.1 allowed attackers to infer secrets by pe ...) - dhcpcd5 7.1.0-2 (low; bug #928056) [stretch] - dhcpcd5 (Minor issue) [jessie] - dhcpcd5 (Authentication code added in later versions) NOTE: https://roy.marples.name/git/dhcpcd.git/commit/?id=7121040790b611ca3fbc400a1bbcd4364ef57233 NOTE: https://roy.marples.name/git/dhcpcd.git/commit/?id=cfde89ab66cb4e5957b1c4b68ad6a9449e2784da NOTE: https://roy.marples.name/git/dhcpcd.git/commit/?id=aee631aadeef4283c8a749c1caf77823304acf5e CVE-2019-11576 (Gitea before 1.8.0 allows 1FA for user accounts that have completed 2F ...) - gitea CVE-2019-11575 RESERVED CVE-2019-11574 (An issue was discovered in Simple Machines Forum (SMF) before release ...) NOT-FOR-US: Simple Machines Forum CVE-2019-11573 RESERVED CVE-2019-11572 RESERVED CVE-2019-11571 RESERVED CVE-2019-11570 RESERVED CVE-2019-11569 (Veeam ONE Reporter 9.5.0.3201 allows CSRF. ...) NOT-FOR-US: Veeam ONE Reporter CVE-2019-11568 (An issue was discovered in AikCms v2.0. There is a File upload vulnera ...) NOT-FOR-US: AikCms CVE-2019-11567 (An issue was discovered in AikCms v2.0. There is a SQL Injection vulne ...) NOT-FOR-US: AikCms CVE-2019-11566 RESERVED CVE-2019-11565 (Server Side Request Forgery (SSRF) exists in the Print My Blog plugin ...) NOT-FOR-US: Print My Blog plugin for WordPress CVE-2019-11564 (A cross-site scripting (XSS) vulnerability in HumHub 1.3.12 allows rem ...) NOT-FOR-US: HumHub CVE-2019-11563 REJECTED CVE-2019-11562 RESERVED CVE-2019-11561 (The Chuango 433 MHz burglar-alarm product line is vulnerable to a Deni ...) NOT-FOR-US: Chuango CVE-2019-11560 (A buffer overflow vulnerability in the streaming server provided by hi ...) NOT-FOR-US: hisilicon CVE-2019-11559 (A reflected Cross-site scripting (XSS) vulnerability in HRworks V 1.16 ...) NOT-FOR-US: HRworks CVE-2019-11558 RESERVED CVE-2019-11557 (The WebDorado Contact Form Builder plugin before 1.0.69 for WordPress ...) NOT-FOR-US: WebDorado Contact Form Builder plugi for WordPress CVE-2019-11556 RESERVED CVE-2019-11554 (The Audible application through 2.34.0 for Android has Missing SSL Cer ...) NOT-FOR-US: Audible application for Android CVE-2019-11553 (In Code42 for Enterprise through 6.8.4, an administrator without web r ...) NOT-FOR-US: Code42 for Enterprise CVE-2019-11552 (Code42 Enterprise and Crashplan for Small Business Client version 6.7 ...) NOT-FOR-US: Code42 CVE-2019-11551 (In Code42 Enterprise and Crashplan for Small Business through Client v ...) NOT-FOR-US: Code42 Enterprise and Crashplan for Small Business CVE-2019-11550 (Citrix SD-WAN 10.2.x before 10.2.1 and NetScaler SD-WAN 10.0.x before ...) NOT-FOR-US: Citrix CVE-2019-11549 (An issue was discovered in GitLab Community and Enterprise Edition 9.x ...) - gitlab 11.8.9+dfsg-1 (bug #928221) NOTE: https://about.gitlab.com/2019/04/29/security-release-gitlab-11-dot-10-dot-2-released/ CVE-2019-11548 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.8.9+dfsg-1 (bug #928221) NOTE: https://about.gitlab.com/2019/04/29/security-release-gitlab-11-dot-10-dot-2-released/ CVE-2019-11547 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.8.9+dfsg-1 (bug #928221) NOTE: https://about.gitlab.com/2019/04/29/security-release-gitlab-11-dot-10-dot-2-released/ CVE-2019-11546 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.8.9+dfsg-1 (bug #928221) NOTE: https://about.gitlab.com/2019/04/29/security-release-gitlab-11-dot-10-dot-2-released/ CVE-2019-11545 (An issue was discovered in GitLab Community Edition 11.9.x before 11.9 ...) - gitlab (Vulnerable code introduced in 11.9) NOTE: https://about.gitlab.com/2019/04/29/security-release-gitlab-11-dot-10-dot-2-released/ CVE-2019-11544 (An issue was discovered in GitLab Community and Enterprise Edition 8.x ...) - gitlab 11.8.9+dfsg-1 (bug #928221) NOTE: https://about.gitlab.com/2019/04/29/security-release-gitlab-11-dot-10-dot-2-released/ CVE-2019-11543 (XSS exists in the admin web console in Pulse Secure Pulse Connect Secu ...) NOT-FOR-US: Pulse Secure Pulse Connect Secure CVE-2019-11542 (In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3 ...) NOT-FOR-US: Pulse Secure Pulse Connect Secure CVE-2019-11541 (In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3 ...) NOT-FOR-US: Pulse Secure Pulse Connect Secure CVE-2019-11540 (In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4 and ...) NOT-FOR-US: Pulse Secure Pulse Connect Secure CVE-2019-11539 (In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3 ...) NOT-FOR-US: Pulse Secure Pulse Connect Secure CVE-2019-11538 (In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3 ...) NOT-FOR-US: Pulse Secure Pulse Connect Secure CVE-2019-11537 (In osTicket before 1.12, XSS exists via /upload/file.php, /upload/scp/ ...) NOT-FOR-US: osTicket CVE-2019-11536 (Kalki Kalkitech SYNC3000 Substation DCU GPC v2.22.6, 2.23.0, 2.24.0, 3 ...) NOT-FOR-US: Kalki Kalkitech CVE-2019-11535 (Unsanitized user input in the web interface for Linksys WiFi extender ...) NOT-FOR-US: Linksys CVE-2019-11534 RESERVED CVE-2019-11533 (Cross-site scripting (XSS) vulnerability in ProjectSend before r1070 a ...) NOT-FOR-US: ProjectSend CVE-2019-11532 RESERVED CVE-2019-11531 RESERVED CVE-2019-11530 RESERVED CVE-2019-11529 RESERVED CVE-2019-11528 (An issue was discovered in Softing uaGate SI 1.60.01. A system default ...) NOT-FOR-US: Softing uaGate CVE-2019-11527 (An issue was discovered in Softing uaGate SI 1.60.01. A CGI script is ...) NOT-FOR-US: Softing uaGate CVE-2019-11526 (An issue was discovered in Softing uaGate SI 1.60.01. A maintenance sc ...) NOT-FOR-US: Softing uaGate CVE-2019-11525 RESERVED CVE-2019-11524 RESERVED CVE-2019-11523 (Anviz Global M3 Outdoor RFID Access Control executes any command recei ...) NOT-FOR-US: Anviz Global M3 Outdoor RFID Access Control CVE-2019-11522 (OX App Suite 7.10.0 to 7.10.2 allows XSS. ...) NOT-FOR-US: OX App Suite CVE-2019-11521 (OX App Suite 7.10.1 allows Content Spoofing. ...) NOT-FOR-US: OX App Suite CVE-2019-11520 RESERVED CVE-2019-11519 (Libraries/Nop.Services/Localization/LocalizationService.cs in nopComme ...) NOT-FOR-US: nopCommerce CVE-2019-11518 (An issue was discovered in SEMCMS 3.8. SEMCMS_Inquiry.php allows AID[] ...) NOT-FOR-US: SEMCMS CVE-2019-11517 (WampServer before 3.1.9 has CSRF in add_vhost.php because the synchron ...) NOT-FOR-US: WampServer CVE-2019-11516 (An issue was discovered in the Bluetooth component of the Cypress (for ...) NOT-FOR-US: Cypress CVE-2018-20823 (The gyroscope on Xiaomi Mi 5s devices allows attackers to cause a deni ...) NOT-FOR-US: Xiaomi Mi 5s devices CVE-2019-11515 (core/classes/db_backup.php in Gila CMS 1.10.1 allows admin/db_backup?d ...) NOT-FOR-US: Gila CMS CVE-2019-11514 (User/Command/ConfirmEmailHandler.php in Flarum before 0.1.0-beta.8 mis ...) NOT-FOR-US: Flarum CVE-2019-11513 (The File Manager in CMS Made Simple through 2.2.10 has Reflected XSS v ...) NOT-FOR-US: CMS Made Simple CVE-2019-11512 (Contao 4.x allows SQL Injection. Fixed in Contao 4.4.39 and Contao 4.7 ...) NOT-FOR-US: Contao CVE-2019-11511 (Zoho ManageEngine ADSelfService Plus before build 5708 has XSS via the ...) NOT-FOR-US: Zoho ManageEngine ADSelfService Plus CVE-2019-11510 (In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 be ...) NOT-FOR-US: Pulse Secure Pulse Connect Secure CVE-2019-11509 (In Pulse Secure Pulse Connect Secure (PCS) before 8.1R15.1, 8.2 before ...) NOT-FOR-US: Pulse Secure Pulse Connect Secure CVE-2019-11508 (In Pulse Secure Pulse Connect Secure (PCS) before 8.1R15.1, 8.2 before ...) NOT-FOR-US: Pulse Secure Pulse Connect Secure CVE-2019-11507 (In Pulse Secure Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1 and 9. ...) NOT-FOR-US: Pulse Secure Pulse Connect Secure CVE-2019-11506 (In GraphicsMagick from version 1.3.30 to 1.4 snapshot-20190403 Q8, the ...) {DLA-1795-1} - graphicsmagick 1.4~hg15968-1 [stretch] - graphicsmagick 1.3.30+hg15796-1~deb9u3 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/57ac0ae85e2a NOTE: https://sourceforge.net/p/graphicsmagick/bugs/604/ CVE-2019-11505 (In GraphicsMagick from version 1.3.8 to 1.4 snapshot-20190403 Q8, ther ...) {DLA-1795-1} - graphicsmagick 1.4~hg15968-1 [stretch] - graphicsmagick 1.3.30+hg15796-1~deb9u3 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/85f5bdcd246a NOTE: https://sourceforge.net/p/graphicsmagick/bugs/605/ CVE-2019-11504 (Zotonic before version 0.47 has mod_admin XSS. ...) NOT-FOR-US: Zotonic CVE-2019-11503 (snap-confine as included in snapd before 2.39 did not guard against sy ...) - snapd 2.40-1 (low; bug #928052) [buster] - snapd (Minor issue) [stretch] - snapd (Minor issue) NOTE: https://github.com/snapcore/snapd/pull/6642 CVE-2019-11502 (snap-confine in snapd before 2.38 incorrectly set the ownership of a s ...) - snapd 2.40-1 (low; bug #928052) [buster] - snapd (Minor issue) [stretch] - snapd (Minor issue) NOTE: https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1 CVE-2017-18367 (libseccomp-golang 0.9.0 and earlier incorrectly generates BPFs that OR ...) - golang-github-seccomp-libseccomp-golang 0.9.0-2 (bug #927981) NOTE: https://github.com/seccomp/libseccomp-golang/issues/22 NOTE: https://github.com/seccomp/libseccomp-golang/commit/06e7a29f36a34b8cf419aeb87b979ee508e58f9e CVE-2019-11501 RESERVED CVE-2019-11500 (In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole be ...) {DSA-4510-1 DLA-1901-1} - dovecot 1:2.3.7.2-1 (bug #936014) NOTE: https://dovecot.org/pipermail/dovecot-news/2019-August/000418.html NOTE: core: https://github.com/dovecot/core/commit/85fcb895ca7f0bcb8ee72047fe0e1e78532ff90b NOTE: core: https://github.com/dovecot/core/commit/f904cbdfec25582bc5e2a7435bf82ff769f2526a NOTE: pigeonhole: https://github.com/dovecot/pigeonhole/commit/7ce9990a5e6ba59e89b7fe1c07f574279aed922c NOTE: pigeonhole: https://github.com/dovecot/pigeonhole/commit/4a299840cdb51f61f8d1ebc0210b19c40dfbc1cc CVE-2019-11499 (In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-lo ...) - dovecot 1:2.3.4.1-5 (bug #928235) [stretch] - dovecot (Vulnerable code not present, introduced in 2.3) [jessie] - dovecot (Vulnerable code not present, introduced in 2.3) NOTE: https://dovecot.org/pipermail/dovecot/2019-April/115758.html CVE-2019-11498 (WavpackSetConfiguration64 in pack_utils.c in libwavpack.a in WavPack t ...) - wavpack 5.1.0-6 (low; bug #927903) [stretch] - wavpack (Minor issue) [jessie] - wavpack (Vulnerable code not present, introduced in 5.0.0) NOTE: https://github.com/dbry/WavPack/issues/67 NOTE: https://github.com/dbry/WavPack/commit/bc6cba3f552c44565f7f1e66dc1580189addb2b4 CVE-2019-11497 (In Couchbase Server 5.0.0, when an invalid Remote Cluster Certificate ...) NOT-FOR-US: Couchbase CVE-2019-11496 (In versions of Couchbase Server prior to 5.0, the bucket named "defaul ...) NOT-FOR-US: Couchbase CVE-2019-11495 (In Couchbase Server 5.1.1, the cookie used for intra-node communicatio ...) NOT-FOR-US: Couchbase CVE-2019-11494 (In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-lo ...) - dovecot 1:2.3.4.1-5 (bug #928235) [stretch] - dovecot (Vulnerable code not present, introduced in 2.3) [jessie] - dovecot (Vulnerable code not present, introduced in 2.3) NOTE: https://dovecot.org/pipermail/dovecot/2019-April/115757.html CVE-2019-11493 (VeryPDF 4.1 has a Memory Overflow leading to Code Execution because pd ...) NOT-FOR-US: VeryPDF CVE-2019-11492 (ProjectSend before r1070 writes user passwords to the server logs. ...) NOT-FOR-US: ProjectSend CVE-2019-11491 RESERVED CVE-2019-11490 (An issue was discovered in Npcap 0.992. Sending a malformed .pcap file ...) NOT-FOR-US: Npcap CVE-2019-11489 (Incorrect Access Control in the Administrative Management Interface in ...) NOT-FOR-US: SimplyBook.me Enterprise CVE-2019-11488 (Incorrect Access Control in the Account Access / Password Reset Link i ...) NOT-FOR-US: SimplyBook.me Enterprise CVE-2019-11487 (The Linux kernel before 5.1-rc5 allows page->_refcount reference co ...) {DLA-1919-1} - linux 4.19.37-1 [stretch] - linux 4.9.184-1 [jessie] - linux (Minor issue and high risk of regression) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1752 NOTE: https://lwn.net/Articles/786044/ CVE-2019-11486 (The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in t ...) {DSA-4465-1 DLA-1824-1 DLA-1799-1} - linux 4.19.37-1 NOTE: https://git.kernel.org/linus/c7084edc3f6d67750f50d4183134c4fb5712a5c8 NOTE: Upstream commits marks driver as BROKEN and can be considered fixed starting NOTE: from versions including this commit (or backport) or versions which disable NOTE: CONFIG_R3964 already. CVE-2019-11485 (Sander Bos discovered Apport's lock file was in a world-writable direc ...) NOT-FOR-US: Apport CVE-2019-11484 (Kevin Backhouse discovered an integer overflow in bson_ensure_space, a ...) NOT-FOR-US: whoopsie CVE-2019-11483 (Sander Bos discovered Apport mishandled crash dumps originating from c ...) NOT-FOR-US: Apport CVE-2019-11482 (Sander Bos discovered a time of check to time of use (TOCTTOU) vulnera ...) NOT-FOR-US: Apport CVE-2019-11481 (Kevin Backhouse discovered that apport would read a user-supplied conf ...) NOT-FOR-US: Apport CVE-2019-11480 (The pc-kernel snap build process hardcoded the --allow-insecure-reposi ...) NOT-FOR-US: Ubuntu tooling for Linux snaps CVE-2019-11479 (Jonathan Looney discovered that the Linux kernel default MSS is hard-c ...) {DSA-4465-1 DLA-1824-1 DLA-1823-1} - linux 4.19.37-4 CVE-2019-11478 (Jonathan Looney discovered that the TCP retransmission queue implement ...) {DSA-4465-1 DLA-1824-1 DLA-1823-1} - linux 4.19.37-4 CVE-2019-11477 (Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs v ...) {DSA-4465-1 DLA-1824-1 DLA-1823-1} - linux 4.19.37-4 CVE-2019-11476 (An integer overflow in whoopsie before versions 0.2.52.5ubuntu0.1, 0.2 ...) NOT-FOR-US: whoopsie CVE-2019-11475 RESERVED CVE-2019-11474 (coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to cause a deni ...) {DLA-1795-1} - graphicsmagick 1.4~hg15976-1 [stretch] - graphicsmagick 1.3.30+hg15796-1~deb9u3 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/5402c5cbd8bd NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/944dcbc457f8 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/53d4a99c6dad CVE-2019-11473 (coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to cause a deni ...) {DLA-1795-1} - graphicsmagick 1.4~hg15976-1 [stretch] - graphicsmagick 1.3.30+hg15796-1~deb9u3 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/5402c5cbd8bd NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/944dcbc457f8 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/53d4a99c6dad CVE-2019-11472 (ReadXWDImage in coders/xwd.c in the XWD image parsing component of Ima ...) {DSA-4712-1} - imagemagick (low; bug #927828) [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1546 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/f663dfb8431c97d95682a2b533cca1c8233d21b4 CVE-2019-11471 (libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_al ...) - libheif 1.3.2-2 (bug #928210) [buster] - libheif 1.3.2-2~deb10u1 NOTE: https://github.com/strukturag/libheif/commit/995a4283d8ed2d0d2c1ceb1a577b993df2f0e014 NOTE: https://github.com/strukturag/libheif/issues/123 CVE-2019-11470 (The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows attack ...) {DSA-4712-1 DLA-1968-1} - imagemagick (low; bug #927830) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1472 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/a0473b29add9521ffd4c74f6f623b418811762b0 CVE-2018-20822 (LibSass 3.5.4 allows attackers to cause a denial-of-service (uncontrol ...) - libsass (low) [buster] - libsass (Minor issue) [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/2671 NOTE: Possibly introduced after https://github.com/sass/libsass/commit/25c9b4952f5838b615da996035453967d0420f57 (3.4.7) CVE-2018-20821 (The parsing component in LibSass through 3.5.5 allows attackers to cau ...) - libsass (low) [buster] - libsass (Minor issue) [stretch] - libsass (Vulnerable code introduced later) NOTE: https://github.com/sass/libsass/issues/2658 NOTE: Introduced by: https://github.com/sass/libsass/commit/efd97dae376de50b3e6ed724337c4f274a21491d (3.5.0) NOTE: Fixed by: https://github.com/sass/libsass/commit/f2db04883e5fff4e03777dcc1eb60d4373c45be1 CVE-2018-20820 (read_ujpg in jpgcoder.cc in Dropbox Lepton 1.2.1 allows attackers to c ...) - lepton (bug #927925) NOTE: https://github.com/dropbox/lepton/commit/6a5ceefac1162783fffd9506a3de39c85c725761 NOTE: https://github.com/dropbox/lepton/issues/111 CVE-2018-20819 (io/ZlibCompression.cc in the decompression component in Dropbox Lepton ...) - lepton (Vulnerable code introduced later) NOTE: https://github.com/dropbox/lepton/issues/112 NOTE: Fixed by: https://github.com/dropbox/lepton/commit/0b9967ec13b2c95771fa3da30bcc49d2fc055bfe NOTE: Introduced by: https://github.com/dropbox/lepton/commit/d62a8c0416c5a918bfd7d132cc1f6daa4e8bc055 CVE-2019-11469 (Zoho ManageEngine Applications Manager 12 through 14 allows FaultTempl ...) NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2019-11468 RESERVED CVE-2019-11467 (In Couchbase Server 4.6.3 and 5.5.0, secondary indexing encodes the en ...) NOT-FOR-US: Couchbase CVE-2019-11466 (In Couchbase Server 6.0.0 and 5.5.0, the eventing service exposes syst ...) NOT-FOR-US: Couchbase CVE-2019-11465 (An issue was discovered in Couchbase Server 5.5.x through 5.5.3 and 6. ...) NOT-FOR-US: Couchbase CVE-2019-11464 (Some enterprises require that REST API endpoints include security-rela ...) NOT-FOR-US: Couchbase CVE-2019-11463 (A memory leak in archive_read_format_zip_cleanup in archive_read_suppo ...) - libarchive (Vulnerable code not present) NOTE: Introduced in https://github.com/libarchive/libarchive/commit/121035c83e18b70d3128e9ac966109ebedb7e516 NOTE: Fix: https://github.com/libarchive/libarchive/commit/ba641f73f3d758d9032b3f0e5597a9c6e593a505 CVE-2019-11462 RESERVED CVE-2019-11461 (An issue was discovered in GNOME Nautilus 3.30 prior to 3.30.6 and 3.3 ...) - nautilus 3.30.5-2 (bug #928054) [stretch] - nautilus (Vulnerable embedded gnome-desktop thumbnail script introduced later) [jessie] - nautilus (Vulnerable embedded gnome-desktop thumbnail script introduced later) NOTE: https://gitlab.gnome.org/GNOME/nautilus/issues/987 NOTE: https://gitlab.gnome.org/GNOME/nautilus/commit/2ddba428ef2b13d0620bd599c3635b9c11044659 CVE-2019-11460 (An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 3.30 pr ...) [experimental] - gnome-desktop3 3.32.2-1 - gnome-desktop3 3.30.2.1-2 (low; bug #928732) [buster] - gnome-desktop3 (Minor issue) [stretch] - gnome-desktop3 (Vulnerable embedded gnome-desktop thumbnail script introduced later) [jessie] - gnome-desktop3 (Vulnerable embedded gnome-desktop thumbnail script introduced later) NOTE: https://gitlab.gnome.org/GNOME/gnome-desktop/issues/112 CVE-2019-11459 (The tiff_document_render() and tiff_document_get_thumbnail() functions ...) {DSA-4624-1 DLA-1882-1 DLA-1881-1} - atril 1.22.3-1 (unimportant; bug #927821) [buster] - atril 1.20.3-1+deb10u1 - evince 3.32.0-3 (unimportant; bug #927820) [buster] - evince 3.30.2-3+deb10u1 NOTE: https://gitlab.gnome.org/GNOME/evince/issues/1129 NOTE: Fixed by: https://gitlab.gnome.org/GNOME/evince/commit/3e38d5ad724a042eebadcba8c2d57b0f48b7a8c7 NOTE: Negligible security impact CVE-2013-7470 (cipso_v4_validate in include/net/cipso_ipv4.h in the Linux kernel befo ...) - linux 3.11.7-1 NOTE: Fixed by: https://git.kernel.org/linus/f2e5ddcc0d12f9c4c7b254358ad245c9dddce13b CVE-2019-11458 (An issue was discovered in SmtpTransport in CakePHP 3.7.6. An unserial ...) - cakephp (Vulnerable code introduced in 3.0.0) NOTE: https://github.com/cakephp/cakephp/commit/1a74e798309192a9895c9cedabd714ceee345f4e NOTE: https://github.com/cakephp/cakephp/pull/13153 CVE-2019-11457 (Multiple CSRF issues exist in MicroPyramid Django CRM 0.2.1 via /chang ...) NOT-FOR-US: MicroPyramid Django CRM CVE-2019-11456 (Gila CMS 1.10.1 allows fm/save CSRF for executing arbitrary PHP code. ...) NOT-FOR-US: Gila CMS CVE-2019-11455 (A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit bef ...) {DLA-1767-1} - monit 1:5.25.3-1 (bug #927775) [stretch] - monit (Minor issue) NOTE: https://bitbucket.org/tildeslash/monit/commits/f12d0cdb42d4e74dffe1525d4062c815c48ac57a CVE-2019-11454 (Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash ...) {DLA-1767-1} - monit 1:5.25.3-1 (bug #927775) [stretch] - monit (Minor issue) NOTE: https://bitbucket.org/tildeslash/monit/commits/1a8295eab6815072a18019b668fe084945b751f3 NOTE: https://bitbucket.org/tildeslash/monit/commits/328f60773057641c4b2075fab9820145e95b728c CVE-2019-11453 RESERVED CVE-2019-11452 (whatsns 4.0 allows index.php?admin_category/remove.html cid[] SQL inje ...) NOT-FOR-US: whatsns CVE-2019-11451 (whatsns 4.0 allows index.php?inform/add.html qid SQL injection. ...) NOT-FOR-US: whatsns CVE-2019-11450 (whatsns 4.0 allows index.php?question/ajaxadd.html title SQL injection ...) NOT-FOR-US: whatsns CVE-2019-11449 (I, Librarian 4.10 has XSS via the notes.php notes parameter. ...) - i-librarian (bug #649291) CVE-2019-11448 (An issue was discovered in Zoho ManageEngine Applications Manager 11.0 ...) NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2019-11447 (An issue was discovered in CutePHP CuteNews 2.1.2. An attacker can inf ...) NOT-FOR-US: CuteNews CVE-2019-11446 (An issue was discovered in ATutor through 2.2.4. It allows the user to ...) NOT-FOR-US: ATutor CVE-2019-11445 (OpenKM 6.3.2 through 6.3.7 allows an attacker to upload a malicious JS ...) NOT-FOR-US: OpenKM CVE-2019-11444 (** DISPUTED ** An issue was discovered in Liferay Portal CE 7.1.2 GA3. ...) NOT-FOR-US: Liferay Portal CE CVE-2019-11443 RESERVED CVE-2019-11442 RESERVED CVE-2019-11441 RESERVED CVE-2019-11440 RESERVED CVE-2019-11439 RESERVED CVE-2019-11438 RESERVED CVE-2019-11437 RESERVED CVE-2019-11436 RESERVED CVE-2019-11435 RESERVED CVE-2019-11434 RESERVED CVE-2019-11433 RESERVED CVE-2019-11432 RESERVED CVE-2019-11431 RESERVED CVE-2019-11430 RESERVED CVE-2019-11429 (CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open So ...) NOT-FOR-US: CentOS-WebPanel.com CVE-2019-11428 (I, Librarian 4.10 has XSS via the export.php export_files parameter. ...) - i-librarian (bug #649291) CVE-2019-11427 (An XSS issue was discovered in app/search/search.app.php in idreamsoft ...) NOT-FOR-US: idreamsoft iCMS CVE-2019-11426 (An XSS issue was discovered in app/admincp/template/admincp.header.php ...) NOT-FOR-US: idreamsoft iCMS CVE-2019-11425 RESERVED CVE-2019-11424 RESERVED CVE-2019-11423 RESERVED CVE-2019-11422 RESERVED CVE-2019-11421 RESERVED CVE-2019-11420 RESERVED CVE-2019-11419 (vcodec2_hls_filter in libvoipCodec_v7a.so in the WeChat application th ...) NOT-FOR-US: WeChat CVE-2019-11418 (apply.cgi on the TRENDnet TEW-632BRP 1.010B32 router has a buffer over ...) NOT-FOR-US: TRENDnet router CVE-2019-11417 (system.cgi on TRENDnet TV-IP110WN cameras has a buffer overflow caused ...) NOT-FOR-US: TRENDnet cameras CVE-2019-11416 (A CSRF issue was discovered on Intelbras IWR 3000N 1.5.0 devices, lead ...) NOT-FOR-US: Intelbras IWR 3000N 1.5.0 devices CVE-2019-11415 (An issue was discovered on Intelbras IWR 3000N 1.5.0 devices. A malfor ...) NOT-FOR-US: Intelbras IWR 3000N 1.5.0 devices CVE-2019-11414 (An issue was discovered on Intelbras IWR 3000N 1.5.0 devices. When the ...) NOT-FOR-US: Intelbras IWR 3000N 1.5.0 devices CVE-2019-11413 (An issue was discovered in Artifex MuJS 1.0.5. It has unlimited recurs ...) NOT-FOR-US: MuJS CVE-2019-11412 (An issue was discovered in Artifex MuJS 1.0.5. jscompile.c can cause a ...) NOT-FOR-US: MuJS CVE-2019-11411 (An issue was discovered in Artifex MuJS 1.0.5. The Number#toFixed() an ...) NOT-FOR-US: MuJS CVE-2018-20818 (A buffer overflow vulnerability was discovered in the OpenPLC controll ...) NOT-FOR-US: OpenPLC CVE-2019-11410 (app/backup/index.php in the Backup Module in FusionPBX 4.4.3 suffers f ...) NOT-FOR-US: FreePBX CVE-2019-11409 (app/operator_panel/exec.php in the Operator Panel module in FusionPBX ...) NOT-FOR-US: FreePBX CVE-2019-11408 (XSS in app/operator_panel/index_inc.php in the Operator Panel module i ...) NOT-FOR-US: FusionPBX CVE-2019-11407 (app/operator_panel/index_inc.php in the Operator Panel module in Fusio ...) NOT-FOR-US: FusionPBX CVE-2019-11406 (Subrion CMS 4.2.1 allows _core/en/contacts/ XSS via the name, email, o ...) NOT-FOR-US: Subrion CMS CVE-2019-11405 (OpenAPI Tools OpenAPI Generator before 4.0.0-20190419.052012-560 uses ...) NOT-FOR-US: OpenAPI Tools OpenAPI Generator CVE-2019-11404 (arrow-kt Arrow before 0.9.0 resolved Gradle build artifacts (for compi ...) NOT-FOR-US: arrow-kt Arrow CVE-2019-11403 (In Gradle Enterprise before 2018.5.2, Build Cache Nodes would reflect ...) NOT-FOR-US: Gradle Enterprise CVE-2019-11402 (In Gradle Enterprise before 2018.5.3, Build Cache Nodes did not store ...) NOT-FOR-US: Gradle Enterprise CVE-2019-11401 (A issue was discovered in SiteServer CMS 6.9.0. It allows remote attac ...) NOT-FOR-US: SiteServer CMS CVE-2019-11400 (An issue was discovered on TRENDnet TEW-651BR 2.04B1, TEW-652BRP 3.04b ...) NOT-FOR-US: TRENDnet CVE-2019-11399 (An issue was discovered on TRENDnet TEW-651BR 2.04B1, TEW-652BRP 3.04b ...) NOT-FOR-US: TRENDnet CVE-2019-11398 (Multiple cross-site scripting (XSS) vulnerabilities in UliCMS 2019.2 a ...) NOT-FOR-US: UliCMS CVE-2019-11397 (GetFile.aspx in Rapid4 RapidFlows Enterprise Application Builder 4.5M. ...) NOT-FOR-US: Rapid4 CVE-2019-11396 (An issue was discovered in Avira Free Security Suite 10. The permissiv ...) NOT-FOR-US: Avira Free Security Suite CVE-2019-11395 (A buffer overflow in MailCarrier 2.51 allows remote attackers to execu ...) NOT-FOR-US: MailCarrier CVE-2019-11394 RESERVED CVE-2019-11393 (An issue was discovered in /admin/users/update in M/Monit before 3.7.3 ...) NOT-FOR-US: M/Monit CVE-2019-11392 (BlogEngine.NET 3.3.7 and earlier allows XXE via an apml file to syndic ...) NOT-FOR-US: BlogEngine.NET CVE-2019-11391 (** DISPUTED ** An issue was discovered in OWASP ModSecurity Core Rule ...) - modsecurity-crs (unimportant; bug #928053) NOTE: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1357 NOTE: Negligible security impact, doesn't affect the CRS rule set as used NOTE: by libapache2-mod-security2, only affects libmodsecurity3 in non-standard settings CVE-2019-11390 (** DISPUTED ** An issue was discovered in OWASP ModSecurity Core Rule ...) - modsecurity-crs (unimportant; bug #928053) NOTE: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1358 NOTE: Negligible security impact, doesn't affect the CRS rule set as used NOTE: by libapache2-mod-security2, only affects libmodsecurity3 in non-standard settings CVE-2019-11389 (** DISPUTED ** An issue was discovered in OWASP ModSecurity Core Rule ...) - modsecurity-crs (unimportant; bug #928053) NOTE: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1356 NOTE: Negligible security impact, doesn't affect the CRS rule set as used NOTE: by libapache2-mod-security2, only affects libmodsecurity3 in non-standard settings CVE-2019-11388 (** DISPUTED ** An issue was discovered in OWASP ModSecurity Core Rule ...) - modsecurity-crs (unimportant; bug #928053) NOTE: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1354 NOTE: Negligible security impact, doesn't affect the CRS rule set as used NOTE: by libapache2-mod-security2, only affects libmodsecurity3 in non-standard settings CVE-2019-11387 (An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) throu ...) - modsecurity-crs 3.1.1-1 (unimportant; bug #928053) NOTE: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1359 NOTE: Negligible security impact, doesn't affect the CRS rule set as used NOTE: by libapache2-mod-security2, only affects libmodsecurity3 in non-standard settings CVE-2019-11386 RESERVED CVE-2019-11385 RESERVED CVE-2019-11384 (The Zalora application 6.15.1 for Android stores confidential informat ...) NOT-FOR-US: Zalora application for Android CVE-2019-11383 (An issue was discovered in the Medha WiFi FTP Server application 1.8.3 ...) NOT-FOR-US: Medha WiFi FTP Server application for Android CVE-2019-11382 RESERVED CVE-2019-11381 RESERVED CVE-2019-11380 (The master-password feature in the ES File Explorer File Manager appli ...) NOT-FOR-US: ES File Explorer File Manager application for Android CVE-2019-11379 RESERVED CVE-2019-11378 (An issue was discovered in ProjectSend r1053. upload-process-form.php ...) NOT-FOR-US: ProjectSend CVE-2019-11377 (wcms/wex/finder/action.php in WCMS v0.3.2 has a Arbitrary File Upload ...) NOT-FOR-US: WCMS CVE-2019-11376 (** DISPUTED ** SOY CMS v3.0.2 allows remote attackers to execute arbit ...) NOT-FOR-US: SOY CMS CVE-2019-11375 (Msvod v10 has a CSRF vulnerability to change user information via the ...) NOT-FOR-US: Msvod CVE-2019-11374 (74CMS v5.0.1 has a CSRF vulnerability to add a new admin user via the ...) NOT-FOR-US: 74CMS CVE-2019-11373 (An out-of-bounds read in File__Analyze::Get_L8 in File__Analyze_Buffer ...) [experimental] - libmediainfo 19.04+dfsg-1 - libmediainfo 18.12-2 (low; bug #927672) [stretch] - libmediainfo (Minor issue) [jessie] - libmediainfo (Minor issue) NOTE: https://github.com/MediaArea/MediaInfoLib/pull/1111 NOTE: https://sourceforge.net/p/mediainfo/bugs/1101/ CVE-2019-11372 (An out-of-bounds read in MediaInfoLib::File__Tags_Helper::Synched_Test ...) [experimental] - libmediainfo 19.04+dfsg-1 - libmediainfo 18.12-2 (low; bug #927672) [stretch] - libmediainfo (Minor issue) [jessie] - libmediainfo (Minor issue) NOTE: https://github.com/MediaArea/MediaInfoLib/pull/1111 NOTE: https://sourceforge.net/p/mediainfo/bugs/1101/ CVE-2019-11371 (BWA (aka Burrow-Wheeler Aligner) 0.7.17 r1198 has a Buffer Overflow vi ...) - bwa (unimportant) NOTE: https://github.com/lh3/bwa/issues/239 NOTE: Neutralised by toolchain hardening CVE-2019-11370 (Stored XSS was discovered in Carel pCOWeb prior to B1.2.4, as demonstr ...) NOT-FOR-US: Carel pCOWeb CVE-2019-11369 (An issue was discovered in Carel pCOWeb prior to B1.2.4. In /config/pw ...) NOT-FOR-US: Carel pCOWeb CVE-2019-11368 (Stored XSS was discovered in AUO Solar Data Recorder before 1.3.0 via ...) NOT-FOR-US: AUO Solar Data Recorder CVE-2019-11367 (An issue was discovered in AUO Solar Data Recorder before 1.3.0. The w ...) NOT-FOR-US: AUO Solar Data Recorder CVE-2019-11364 (An OS Command Injection vulnerability in Snare Central before 7.4.5 al ...) NOT-FOR-US: Snare Central CVE-2019-11363 (A SQL injection vulnerability in Snare Central before 7.4.5 allows rem ...) NOT-FOR-US: Snare Central CVE-2019-11362 (app/controllers/frontend/PostController.php in ROCBOSS V2.2.1 has SQL ...) NOT-FOR-US: ROCBOSS CVE-2019-11361 (Zoho ManageEngine Remote Access Plus 10.0.258 does not validate user p ...) NOT-FOR-US: Zoho CVE-2016-10748 RESERVED CVE-2016-10747 RESERVED CVE-2019-11366 (An issue was discovered in atftpd in atftp 0.7.1. It does not lock the ...) {DSA-4438-1 DLA-1783-1} - atftp 0.7.git20120829-3.1 (bug #927553) NOTE: https://pulsesecurity.co.nz/advisories/atftpd-multiple-vulnerabilities NOTE: https://sourceforge.net/p/atftp/code/ci/382f76a90b44f81fec00e2f609a94def4a5d3580/ CVE-2019-11365 (An issue was discovered in atftpd in atftp 0.7.1. A remote attacker ma ...) {DSA-4438-1 DLA-1783-1} - atftp 0.7.git20120829-3.1 (bug #927553) NOTE: https://pulsesecurity.co.nz/advisories/atftpd-multiple-vulnerabilities NOTE: https://sourceforge.net/p/atftp/code/ci/abed7d245d8e8bdfeab24f9f7f55a52c3140f96b/ CVE-2019-11360 (A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allo ...) - iptables 1.8.3-2 (unimportant) NOTE: https://git.netfilter.org/iptables/commit/iptables/xshared.c?id=2ae1099a42e6a0f06de305ca13a842ac83d4683e (1.8.3) NOTE: https://0day.work/cve-2019-11360-bufferoverflow-in-iptables-restore-v1-8-2/ NOTE: Negligible security impact CVE-2019-11359 (Cross-site scripting (XSS) vulnerability in display.php in I, Libraria ...) - i-librarian (bug #649291) CVE-2019-11357 RESERVED CVE-2019-11356 (The CalDAV feature in httpd in Cyrus IMAP 2.5.x through 2.5.12 and 3.0 ...) {DSA-4458-1} - cyrus-imapd 3.0.8-6 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1717828 NOTE: https://github.com/cyrusimap/cyrus-imapd/commit/a5779db8163b99463e25e7c476f9cbba438b65f3 CVE-2019-11355 (An issue was discovered in Poly (formerly Polycom) HDX 3.1.13. A featu ...) NOT-FOR-US: Poly (formerly Polycom) HDX CVE-2019-11354 (The client in Electronic Arts (EA) Origin 10.5.36 on Windows allows te ...) NOT-FOR-US: client in Electronic Arts (EA) Origin on Windows CVE-2019-11353 (The EnGenius EWS660AP router with firmware 2.0.284 allows an attacker ...) NOT-FOR-US: EnGenius EWS660AP CVE-2019-11352 RESERVED CVE-2019-11351 (TeamSpeak 3 Client before 3.2.5 allows remote code execution in the Qt ...) - teamspeak-client CVE-2019-11350 (CloudBees Jenkins Operations Center 2.150.2.3, when an expired trial l ...) NOT-FOR-US: CloudBees Jenkins Operations Center CVE-2019-11349 RESERVED CVE-2019-11348 RESERVED CVE-2019-11347 RESERVED CVE-2018-20817 (SV_SteamAuthClient in various Activision Infinity Ward Call of Duty ga ...) NOT-FOR-US: Activision CVE-2019-11555 (The EAP-pwd implementation in hostapd (EAP server) before 2.8 and wpa_ ...) {DSA-4450-1 DLA-1867-1} - wpa 2:2.7+git20190128+0c1e29f-5 (bug #927463) NOTE: https://w1.fi/security/2019-5/eap-pwd-message-reassembly-issue-with-unexpected-fragment.txt NOTE: Patches: https://w1.fi/security/2019-5/ CVE-2019-11346 RESERVED CVE-2019-11345 (Citrix SD-WAN Center 10.2.x before 10.2.1 and NetScaler SD-WAN Center ...) NOT-FOR-US: Citrix CVE-2019-11344 (data/inc/files.php in Pluck 4.7.8 allows remote attackers to execute a ...) NOT-FOR-US: Pluck CMS CVE-2019-11343 (Torpedo Query before 2.5.3 mishandles the LIKE operator in ConditionBu ...) NOT-FOR-US: Torpedo Query CVE-2019-11342 RESERVED CVE-2019-11341 (On certain Samsung P(9.0) phones, an attacker with physical access can ...) NOT-FOR-US: Samsung CVE-2019-11340 (util/emailutils.py in Matrix Sydent before 1.0.2 mishandles registrati ...) NOT-FOR-US: Matrix Sydent CVE-2019-11339 (The studio profile decoder in libavcodec/mpeg4videodec.c in FFmpeg 4.0 ...) - ffmpeg 7:4.1.3-1 [stretch] - ffmpeg (Vulnerable code not present) - libav (Vulnerable code not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/1f686d023b95219db933394a7704ad9aa5f01cbb NOTE: https://github.com/FFmpeg/FFmpeg/commit/d227ed5d598340e719eff7156b1aa0a4469e9a6a CVE-2019-11338 (libavcodec/hevcdec.c in FFmpeg 4.1.2 mishandles detection of duplicate ...) {DSA-4449-1 DLA-1809-1} - ffmpeg 7:4.1.3-1 - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/54655623a82632e7624714d7b2a3e039dc5faa7e CVE-2019-11337 RESERVED CVE-2019-11336 (Sony Bravia Smart TV devices allow remote attackers to retrieve the st ...) NOT-FOR-US: Sony Bravia Smart TV devices CVE-2019-11335 RESERVED CVE-2019-11334 (An authentication bypass in website post requests in the Tzumi Electro ...) NOT-FOR-US: Tzumi Electronics Klic Lock application for mobile devices CVE-2019-11333 RESERVED CVE-2019-11332 (MKCMS 5.0 allows remote attackers to take over arbitrary user accounts ...) NOT-FOR-US: MKCMS CVE-2019-11331 (Network Time Protocol (NTP), as specified in RFC 5905, uses port 123 e ...) NOT-FOR-US: Generic NTP protocol flaw CVE-2019-11330 RESERVED CVE-2019-11329 RESERVED CVE-2019-11328 (An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious ...) - singularity-container (No released Debian version contains the issue, cf bug #929042) NOTE: https://www.openwall.com/lists/oss-security/2019/05/16/1 CVE-2019-11327 (An issue was discovered on Topcon Positioning Net-G5 GNSS Receiver dev ...) NOT-FOR-US: Topcon Positioning Net-G5 GNSS Receiver CVE-2019-11326 (An issue was discovered on Topcon Positioning Net-G5 GNSS Receiver dev ...) NOT-FOR-US: Topcon Positioning Net-G5 GNSS Receiver CVE-2019-11325 (An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3. ...) - symfony 4.3.8+dfsg-1 [buster] - symfony (Vulnerable code not present) [stretch] - symfony (Vulnerable code not present) [jessie] - symfony (Vulnerable code not present) NOTE: https://symfony.com/blog/cve-2019-11325-fix-escaping-of-strings-in-varexporter NOTE: https://github.com/symfony/symfony/commit/0524868cbf3d3a36e0af804432016d5a6d98169a CVE-2019-11323 (HAProxy before 1.9.7 mishandles a reload with rotated keys, which trig ...) - haproxy (Vulnerable code introduced in 1.9.x series in v1.9.2) NOTE: Introduced in: https://git.haproxy.org/?p=haproxy.git;a=commit;h=9e7547740cc2d0a6851de8ca9ac57488bdbb8bf2 NOTE: Fixed by: https://git.haproxy.org/?p=haproxy.git;a=commit;h=8ef706502aa2000531d36e4ac56dbdc7c30f718d CVE-2019-11324 (The urllib3 library before 1.24.2 for Python mishandles certain cases ...) - python-urllib3 1.25.6-4 (bug #927412) [buster] - python-urllib3 (Minor issue) [stretch] - python-urllib3 (Minor issue) [jessie] - python-urllib3 (Vulnerable code introduced later) NOTE: https://github.com/urllib3/urllib3/commit/1efadf43dc63317cd9eaa3e0fdb9e05ab07254b1 NOTE: https://www.openwall.com/lists/oss-security/2019/04/17/3 CVE-2019-11322 (An issue was discovered in Motorola CX2 1.01 and M2 1.01. There is a c ...) NOT-FOR-US: Motorola CVE-2019-11321 (An issue was discovered in Motorola CX2 1.01 and M2 1.01. The router o ...) NOT-FOR-US: Motorola CVE-2019-11320 (In Motorola CX2 1.01 and M2 1.01, users can access the router's /priv_ ...) NOT-FOR-US: Motorola CVE-2019-11319 (An issue was discovered in Motorola CX2 1.01 and M2 1.01. There is a c ...) NOT-FOR-US: Motorola CVE-2019-11318 (Zimbra Collaboration before 8.8.12 Patch 1 has persistent XSS. ...) NOT-FOR-US: Zimbra Collaboration CVE-2019-11317 RESERVED CVE-2019-11316 RESERVED CVE-2019-11315 RESERVED CVE-2019-11314 RESERVED CVE-2019-11313 RESERVED CVE-2019-11312 RESERVED CVE-2019-11311 RESERVED CVE-2019-11310 RESERVED CVE-2019-11309 RESERVED CVE-2019-11308 RESERVED CVE-2019-11307 RESERVED CVE-2019-11306 RESERVED CVE-2019-11305 RESERVED CVE-2019-11304 RESERVED CVE-2019-11303 RESERVED CVE-2019-11302 RESERVED CVE-2019-11301 RESERVED CVE-2019-11300 RESERVED CVE-2019-11299 RESERVED CVE-2019-11298 RESERVED CVE-2019-11297 RESERVED CVE-2019-11296 RESERVED CVE-2019-11295 RESERVED CVE-2019-11294 (Cloud Foundry Cloud Controller API (CAPI), version 1.88.0, allows spac ...) NOT-FOR-US: Cloud Foundry CVE-2019-11293 (Cloud Foundry UAA Release, versions prior to v74.10.0, when set to log ...) NOT-FOR-US: Cloud Foundry UAA Release CVE-2019-11292 (Pivotal Ops Manager, versions 2.4.x prior to 2.4.27, 2.5.x prior to 2. ...) NOT-FOR-US: Pivotal CVE-2019-11291 (Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior ...) - rabbitmq-server (bug #945601) [buster] - rabbitmq-server (Minor issue) [stretch] - rabbitmq-server (Minor issue) [jessie] - rabbitmq-server (Minor issue) NOTE: https://pivotal.io/security/cve-2019-11291 CVE-2019-11290 (Cloud Foundry UAA Release, versions prior to v74.8.0, logs all query p ...) NOT-FOR-US: Cloud Foundry CVE-2019-11289 (Cloud Foundry Routing, all versions before 0.193.0, does not properly ...) NOT-FOR-US: Cloud Foundry Routing CVE-2019-11288 (In Pivotal tc Server, 3.x versions prior to 3.2.19 and 4.x versions pr ...) NOT-FOR-US: Pivotal CVE-2019-11287 (Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3. ...) - rabbitmq-server (bug #945600) [buster] - rabbitmq-server (Minor issue) [stretch] - rabbitmq-server (Minor issue) [jessie] - rabbitmq-server (Minor issue) NOTE: https://pivotal.io/security/cve-2019-11287 CVE-2019-11286 RESERVED CVE-2019-11285 REJECTED CVE-2019-11284 (Pivotal Reactor Netty, versions prior to 0.8.11, passes headers throug ...) NOT-FOR-US: Pivotal CVE-2019-11283 (Cloud Foundry SMB Volume, versions prior to v2.0.3, accidentally outpu ...) NOT-FOR-US: Cloud Foundry CVE-2019-11282 (Cloud Foundry UAA, versions prior to v74.3.0, contains an endpoint tha ...) NOT-FOR-US: Cloud Foundry CVE-2019-11281 (Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, ver ...) - rabbitmq-server 3.7.18-1 (low) [buster] - rabbitmq-server (Minor issue) [stretch] - rabbitmq-server (Minor issue) [jessie] - rabbitmq-server (Minor issue; one plugin not vulnerable, the other only exploitable by malicious admin) NOTE: https://pivotal.io/security/cve-2019-11281 NOTE: fix for vhost limit feature: https://github.com/rabbitmq/rabbitmq-management/commit/42def1b51243397c1cb9192d6d064351e358bacc NOTE: which was only introduced in 3.7.0-beta.19 NOTE: federation management plugin: exploitable only by a remote authenticated malicious user NOTE: with administrative access CVE-2019-11280 (Pivotal Apps Manager, included in Pivotal Application Service versions ...) NOT-FOR-US: Pivotal CVE-2019-11279 (CF UAA versions prior to 74.1.0 can request scopes for a client that s ...) NOT-FOR-US: Cloud Foundry CVE-2019-11278 (CF UAA versions prior to 74.1.0, allow external input to be directly q ...) NOT-FOR-US: Cloud Foundry CVE-2019-11277 (Cloud Foundry NFS Volume Service, 1.7.x versions prior to 1.7.11 and 2 ...) NOT-FOR-US: Cloud Foundry CVE-2019-11276 (Pivotal Apps Manager, included in Pivotal Application Service versions ...) NOT-FOR-US: Pivotal CVE-2019-11275 (Pivotal Application Manager, versions 666.0.x prior to 666.0.36, versi ...) NOT-FOR-US: Pivotal Application Manager CVE-2019-11274 (Cloud Foundry UAA, versions prior to 74.0.0, is vulnerable to an XSS a ...) NOT-FOR-US: Cloud Foundry UAA CVE-2019-11273 (Pivotal Container Services (PKS) versions 1.3.x prior to 1.3.7, and ve ...) NOT-FOR-US: Pivotal Container Services CVE-2019-11272 (Spring Security, versions 4.2.x up to 4.2.12, and older unsupported ve ...) {DLA-1848-1} - libspring-security-2.0-java NOTE: https://github.com/spring-projects/spring-security/commit/b2d4fec3617c497c5a8eb9c7e5270e0c7db293ee CVE-2019-11271 (Cloud Foundry BOSH 270.x versions prior to v270.1.1, contain a BOSH Di ...) NOT-FOR-US: Cloud Foundry CVE-2019-11270 (Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability wh ...) NOT-FOR-US: Cloud Foundry CVE-2019-11269 (Spring Security OAuth versions 2.3 prior to 2.3.6, 2.2 prior to 2.2.5, ...) NOT-FOR-US: Spring Security OAuth CVE-2019-11268 (Cloud Foundry UAA version prior to 73.3.0, contain endpoints that cont ...) NOT-FOR-US: Cloud Foundry UAA CVE-2019-11358 (jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other produc ...) {DSA-4460-1 DSA-4434-1 DLA-2118-1 DLA-1797-1 DLA-1777-1} - drupal7 (bug #927330) - jquery 3.3.1~dfsg-2 (bug #927385) [stretch] - jquery 3.1.1-2+deb9u1 - node-jquery 2.2.4+dfsg-4 (bug #927466) - mediawiki 1:1.31.2-1 - otrs2 6.0.26-1 [buster] - otrs2 (Non-free not supported) [stretch] - otrs2 (Non-free not supported) NOTE: https://www.drupal.org/sa-core-2019-006 NOTE: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ NOTE: https://github.com/DanielRuf/snyk-js-jquery-174006?files=1 NOTE: https://snyk.io/vuln/SNYK-JS-JQUERY-174006 NOTE: https://phabricator.wikimedia.org/T221739 NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2019-June/092152.html NOTE: https://community.otrs.com/security-advisory-2020-05/ CVE-2019-11267 REJECTED CVE-2019-11266 REJECTED CVE-2019-11265 REJECTED CVE-2019-11264 REJECTED CVE-2019-11263 REJECTED CVE-2019-11262 REJECTED CVE-2019-11261 REJECTED CVE-2019-11260 REJECTED CVE-2019-11259 REJECTED CVE-2019-11258 REJECTED CVE-2019-11257 REJECTED CVE-2019-11256 REJECTED CVE-2019-11255 (Improper input validation in Kubernetes CSI sidecar containers for ext ...) NOT-FOR-US: kubernetes-csi CVE-2019-11254 (The Kubernetes API Server component in versions 1.1-1.14, and versions ...) - kubernetes 1.17.4-1 NOTE: https://github.com/kubernetes/kubernetes/issues/89535 CVE-2019-11253 (Improper input validation in the Kubernetes API server in versions v1. ...) - kubernetes 1.17.4-1 NOTE: https://github.com/kubernetes/kubernetes/issues/83253 CVE-2019-11252 RESERVED CVE-2019-11251 (The Kubernetes kubectl cp command in versions 1.1-1.12, and versions p ...) - kubernetes (Vulnerable code not present) CVE-2019-11250 (The Kubernetes client-go library logs request headers at verbosity lev ...) - kubernetes 1.17.4-1 (bug #934801) NOTE: https://github.com/kubernetes/kubernetes/issues/81114 CVE-2019-11249 (The kubectl cp command allows copying files between containers and the ...) - kubernetes (Vulnerable code not present; incomplete fix not applied) NOTE: https://github.com/kubernetes/kubernetes/issues/80984 CVE-2019-11248 (The debugging endpoint /debug/pprof is exposed over the unauthenticate ...) - kubernetes 1.17.4-1 (bug #934182) NOTE: https://github.com/kubernetes/kubernetes/issues/81023 NOTE: https://groups.google.com/forum/#!topic/kubernetes-security-announce/pKELclHIov8 CVE-2019-11247 (The Kubernetes kube-apiserver mistakenly allows access to a cluster-sc ...) - kubernetes 1.17.4-1 (bug #933988) NOTE: https://github.com/kubernetes/kubernetes/issues/80983 CVE-2019-11246 (The kubectl cp command allows copying files between containers and the ...) - kubernetes (Vulnerable code not present; incomplete fix not applied) NOTE: https://github.com/kubernetes/kubernetes/pull/76788 CVE-2019-11245 (In kubelet v1.13.6 and v1.14.2, containers for pods that do not specif ...) - kubernetes (Vulnerable code not present) NOTE: https://discuss.kubernetes.io/t/security-regression-in-kubernetes-kubelet-v1-13-6-and-v1-14-2-only-cve-2019-11245/6584 NOTE: https://github.com/kubernetes/kubernetes/issues/78308 CVE-2019-11244 (In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the ...) - kubernetes (Vulnerable code introduced in 1.8.x onwards) NOTE: https://github.com/kubernetes/kubernetes/issues/76676 CVE-2019-11243 (In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientCon ...) - kubernetes (Only affects v1.12.0-v1.12.4 and v1.13.0 upstream) NOTE: https://github.com/kubernetes/kubernetes/issues/76797 CVE-2019-11242 (A man-in-the-middle vulnerability related to vCenter access was found ...) NOT-FOR-US: Cohesity DataPlatform CVE-2019-11241 RESERVED CVE-2019-11240 RESERVED CVE-2019-11239 RESERVED CVE-2019-11238 RESERVED CVE-2019-11237 RESERVED CVE-2019-11236 (In the urllib3 library through 1.24.1 for Python, CRLF injection is po ...) {DLA-1828-1} [experimental] - python-urllib3 1.25.6-1 - python-urllib3 1.25.6-4 (bug #927172) [buster] - python-urllib3 (Minor issue) [stretch] - python-urllib3 (Minor issue) NOTE: https://github.com/urllib3/urllib3/issues/1553 NOTE: https://github.com/urllib3/urllib3/commit/9b76785331243689a9d52cef3db05ef7462cb02d NOTE: https://github.com/urllib3/urllib3/commit/efddd7e7bad26188c3b692d1090cba768afa9162 CVE-2019-11235 (FreeRADIUS before 3.0.19 mishandles the "each participant verifies tha ...) - freeradius 3.0.17+dfsg-1.1 (bug #926958) [stretch] - freeradius (Minor issue; plugin not enabled by default) [jessie] - freeradius (EAP-PWD only introduced in 3.0.0) NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/85497b5ff37ccb656895b826b88585898c209586 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/ab4c767099f263a7cd4109bcdca80ee74210a769 CVE-2019-11234 (FreeRADIUS before 3.0.19 does not prevent use of reflection for authen ...) - freeradius 3.0.17+dfsg-1.1 (bug #926958) [stretch] - freeradius (Minor issue; plugin not enabled by default) [jessie] - freeradius (EAP-PWD only introduced in 3.0.0) NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/85497b5ff37ccb656895b826b88585898c209586 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/ab4c767099f263a7cd4109bcdca80ee74210a769 CVE-2019-11233 (EXCELLENT INFOTEK BiYan v1.57 ~ v2.8 allows an attacker to leak user i ...) NOT-FOR-US: EXCELLENT INFOTEK BiYan CVE-2019-11232 (EXCELLENT INFOTEK BiYan v1.57 ~ v2.8 allows an attacker to leak user i ...) NOT-FOR-US: EXCELLENT INFOTEK BiYan CVE-2019-11231 (An issue was discovered in GetSimple CMS through 3.3.15. insufficient ...) NOT-FOR-US: GetSimple CMS CVE-2019-11230 (In Avast Antivirus before 19.4, a local administrator can trick the pr ...) NOT-FOR-US: Avast Antivirus CVE-2019-11229 (models/repo_mirror.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 m ...) - gitea CVE-2019-11228 (repo/setting.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 does no ...) - gitea CVE-2019-11227 RESERVED CVE-2019-11226 (CMS Made Simple 2.2.10 has XSS via the m1_name parameter in "Add Artic ...) NOT-FOR-US: CMS Made Simple CVE-2019-11225 RESERVED CVE-2019-11224 (HARMAN AMX MVP5150 v2.87.13 devices allow remote OS Command Injection. ...) NOT-FOR-US: HARMAN AMX MVP5150 devices CVE-2019-11223 (An Unrestricted File Upload Vulnerability in the SupportCandy plugin t ...) NOT-FOR-US: SupportCandy plugin for WordPress CVE-2017-18366 (Subrion CMS 4.1.5 has CSRF in blog/delete/. ...) NOT-FOR-US: Subrion CMS CVE-2019-11222 (gf_bin128_parse in utils/os_divers.c in GPAC 0.7.1 has a buffer overfl ...) {DLA-1765-1} - gpac 0.5.2-426-gc5ad4e4+dfsg5-5 (bug #926961) [stretch] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/f36525c5beafb78959c3a07d6622c9028de348da NOTE: https://github.com/gpac/gpac/issues/1204 NOTE: https://github.com/gpac/gpac/issues/1205 CVE-2019-11221 (GPAC 0.7.1 has a buffer overflow issue in gf_import_message() in media ...) {DLA-1765-1} - gpac 0.5.2-426-gc5ad4e4+dfsg5-5 (bug #926963) [stretch] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/f4616202e5578e65746cf7e7ceeba63bee1b094b NOTE: https://github.com/gpac/gpac/issues/1203 CVE-2019-11220 (An authentication flaw in Shenzhen Yunni Technology iLnkP2P allows rem ...) NOT-FOR-US: Shenzhen Yunni Technology iLnkP2P CVE-2019-11219 (The algorithm used to generate device IDs (UIDs) for devices that util ...) NOT-FOR-US: Shenzhen Yunni Technology iLnkP2P CVE-2019-11218 (Improper handling of extra parameters in the AccountController (User P ...) NOT-FOR-US: Bonobo Git Server CVE-2019-11217 (The GitController in Jakub Chodounsky Bonobo Git Server before 6.5.0 a ...) NOT-FOR-US: Bonobo Git Server CVE-2019-11216 (BMC Smart Reporting 7.3 20180418 allows authenticated XXE within the i ...) NOT-FOR-US: BMC Smart Reporting CVE-2019-11215 (In Combodo iTop 2.2.0 through 2.6.0, if the configuration file is writ ...) NOT-FOR-US: iTop (not the same as src:itop) CVE-2019-11214 RESERVED CVE-2019-11213 (In Pulse Secure Pulse Desktop Client and Network Connect, an attacker ...) NOT-FOR-US: Pulse Secure Pulse Desktop Client and Network Connect CVE-2019-11212 (The MDM server component of TIBCO Software Inc's TIBCO MDM contains mu ...) NOT-FOR-US: TIBCO CVE-2019-11211 (The server component of TIBCO Software Inc.'s TIBCO Enterprise Runtime ...) NOT-FOR-US: TIBCO CVE-2019-11210 (The server component of TIBCO Software Inc.'s TIBCO Enterprise Runtime ...) NOT-FOR-US: TIBCO CVE-2019-11209 (The realm configuration component of TIBCO Software Inc.'s TIBCO FTL C ...) NOT-FOR-US: TIBCO CVE-2019-11208 (The authorization component of TIBCO Software Inc.'s TIBCO API Exchang ...) NOT-FOR-US: TIBCO CVE-2019-11207 (The web server component of TIBCO Software Inc.'s TIBCO LogLogic Enter ...) NOT-FOR-US: TIBCO CVE-2019-11206 (The Spotfire library component of TIBCO Software Inc.'s TIBCO Spotfire ...) NOT-FOR-US: TIBCO CVE-2019-11205 (The web server component of TIBCO Software Inc.'s TIBCO Spotfire Analy ...) NOT-FOR-US: TIBCO CVE-2019-11204 (The web interface component of TIBCO Software Inc.'s TIBCO Spotfire St ...) NOT-FOR-US: TIBCO CVE-2019-11203 (The workspace client, openspace client, app development client, and RE ...) NOT-FOR-US: TIBCO CVE-2019-11202 (An issue was discovered that affects the following versions of Rancher ...) NOT-FOR-US: Rancher CVE-2019-11201 (Dolibarr ERP/CRM 9.0.1 provides a module named website that provides f ...) - dolibarr CVE-2019-11200 (Dolibarr ERP/CRM 9.0.1 provides a web-based functionality that backs u ...) - dolibarr CVE-2019-11199 (Dolibarr ERP/CRM 9.0.1 was affected by stored XSS within uploaded file ...) - dolibarr CVE-2019-11198 (Multiple cross-site scripting (XSS) vulnerabilities in Sitecore CMS 9. ...) NOT-FOR-US: Sitecore CMS CVE-2019-11197 RESERVED CVE-2019-11196 (An authentication bypass vulnerability in all versions of ValuePLUS In ...) NOT-FOR-US: ValuePLUS Integrated University Management System (IUMS) CVE-2019-11195 RESERVED CVE-2019-11194 RESERVED CVE-2019-11193 (The FileManager in InfinitumIT DirectAdmin through v1.561 has XSS via ...) NOT-FOR-US: DirectAdmin CVE-2019-11192 RESERVED CVE-2019-11189 (Authentication Bypass by Spoofing in org.onosproject.acl (access contr ...) NOT-FOR-US: Open Network Operating System (ONOS) CVE-2019-11191 (** DISPUTED ** The Linux kernel through 5.0.7, when CONFIG_IA32_AOUT i ...) - linux (unimportant) NOTE: https://www.openwall.com/lists/oss-security/2019/04/03/4 CVE-2019-11190 (The Linux kernel before 4.8 allows local users to bypass ASLR on setui ...) {DLA-1799-1} - linux 4.8.5-1 NOTE: https://git.kernel.org/linus/9f834ec18defc369d73ccf9e87a2790bfa05bf46 (4.8-rc5) NOTE: https://www.openwall.com/lists/oss-security/2019/04/03/4 CVE-2019-11188 RESERVED CVE-2019-11187 (Incorrect Access Control in the LDAP class of GONICUS GOsa through 201 ...) {DLA-1876-1 DLA-1875-1} - fusiondirectory 1.2.3-5 [buster] - fusiondirectory 1.2.3-4+deb10u1 [stretch] - fusiondirectory 1.0.19-1+deb9u1 - gosa 2.7.4+reloaded3-9 [buster] - gosa 2.7.4+reloaded3-8+deb10u1 [stretch] - gosa (Minor issue) CVE-2019-11186 RESERVED CVE-2019-11185 (The WP Live Chat Support Pro plugin through 8.0.26 for WordPress conta ...) NOT-FOR-US: WP Live Chat Support Pro plugin for WordPress CVE-2019-11184 (A race condition in specific microprocessors using Intel (R) DDIO cach ...) NOT-FOR-US: HW Issue with processors supporting Intel Data-Direct I/O Technology (Intel DDIO) and Remote Direct Memory Access (RDMA) CVE-2019-11183 RESERVED CVE-2019-11182 (Memory corruption in Intel(R) Baseboard Management Controller firmware ...) NOT-FOR-US: Intel CVE-2019-11181 (Out of bound read in Intel(R) Baseboard Management Controller firmware ...) NOT-FOR-US: Intel CVE-2019-11180 (Insufficient input validation in Intel(R) Baseboard Management Control ...) NOT-FOR-US: Intel CVE-2019-11179 (Insufficient input validation in Intel(R) Baseboard Management Control ...) NOT-FOR-US: Intel CVE-2019-11178 (Stack overflow in Intel(R) Baseboard Management Controller firmware ma ...) NOT-FOR-US: Intel CVE-2019-11177 (Unhandled exception in Intel(R) Baseboard Management Controller firmwa ...) NOT-FOR-US: Intel CVE-2019-11176 RESERVED CVE-2019-11175 (Insufficient input validation in Intel(R) Baseboard Management Control ...) NOT-FOR-US: Intel CVE-2019-11174 (Insufficient access control in Intel(R) Baseboard Management Controlle ...) NOT-FOR-US: Intel CVE-2019-11173 (Insufficient session validation in Intel(R) Baseboard Management Contr ...) NOT-FOR-US: Intel CVE-2019-11172 (Out of bound read in Intel(R) Baseboard Management Controller firmware ...) NOT-FOR-US: Intel CVE-2019-11171 (Heap corruption in Intel(R) Baseboard Management Controller firmware m ...) NOT-FOR-US: Intel CVE-2019-11170 (Authentication bypass in Intel(R) Baseboard Management Controller firm ...) NOT-FOR-US: Intel CVE-2019-11169 RESERVED CVE-2019-11168 (Insufficient session validation in Intel(R) Baseboard Management Contr ...) NOT-FOR-US: Intel CVE-2019-11167 (Improper file permission in software installer for Intel(R) Smart Conn ...) NOT-FOR-US: Intel CVE-2019-11166 (Improper file permissions in the installer for Intel(R) Easy Streaming ...) NOT-FOR-US: Intel CVE-2019-11165 (Improper conditions check in the Linux kernel driver for the Intel(R) ...) NOT-FOR-US: Intel, driver doesn't seem to be upstreamed CVE-2019-11164 RESERVED CVE-2019-11163 (Insufficient access control in a hardware abstraction driver for Intel ...) NOT-FOR-US: Intel(R) Processor Identification Utility for Windows CVE-2019-11162 (Insufficient access control in hardware abstraction in SEMA driver for ...) NOT-FOR-US: Intel CVE-2019-11161 RESERVED CVE-2019-11160 RESERVED CVE-2019-11159 RESERVED CVE-2019-11158 RESERVED CVE-2019-11157 (Improper conditions check in voltage settings for some Intel(R) Proces ...) NOT-FOR-US: Intel CVE-2019-11156 (Logic errors in Intel(R) PROSet/Wireless WiFi Software before version ...) NOT-FOR-US: Intel CVE-2019-11155 (Improper directory permissions in Intel(R) PROSet/Wireless WiFi Softwa ...) NOT-FOR-US: Intel CVE-2019-11154 (Improper directory permissions in Intel(R) PROSet/Wireless WiFi Softwa ...) NOT-FOR-US: Intel CVE-2019-11153 (Memory corruption issues in Intel(R) PROSet/Wireless WiFi Software ext ...) NOT-FOR-US: Intel CVE-2019-11152 (Memory corruption issues in Intel(R) WIFI Drivers before version 21.40 ...) NOT-FOR-US: Intel CVE-2019-11151 (Memory corruption issues in Intel(R) WIFI Drivers before version 21.40 ...) NOT-FOR-US: Intel CVE-2019-11150 RESERVED CVE-2019-11149 RESERVED CVE-2019-11148 (Improper permissions in the installer for Intel(R) Remote Displays SDK ...) NOT-FOR-US: Intel CVE-2019-11147 (Insufficient access control in hardware abstraction driver for MEInfo ...) NOT-FOR-US: Intel CVE-2019-11146 (Improper file verification in Intel® Driver & Support Assista ...) NOT-FOR-US: Intel CVE-2019-11145 (Improper file verification in Intel® Driver & Support Assista ...) NOT-FOR-US: Intel CVE-2019-11144 RESERVED CVE-2019-11143 (Improper permissions in the software installer for Intel(R) Authentica ...) NOT-FOR-US: Intel CVE-2019-11142 RESERVED CVE-2019-11141 RESERVED CVE-2019-11140 (Insufficient session validation in system firmware for Intel(R) NUC ma ...) NOT-FOR-US: Intel CVE-2019-11139 (Improper conditions check in the voltage modulation interface for some ...) {DSA-4565-1 DLA-2051-1} - intel-microcode 3.20191112.1 NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00271.html NOTE: The 3.20191112.1 release for intel-microcode did contain most updates, additional NOTE: update for CFL-S was added in 3.20191113.1. CVE-2019-11138 RESERVED CVE-2019-11137 (Insufficient input validation in system firmware for Intel(R) Xeon(R) ...) NOT-FOR-US: Intel CVE-2019-11136 (Insufficient access control in system firmware for Intel(R) Xeon(R) Sc ...) NOT-FOR-US: Intel CVE-2019-11135 (TSX Asynchronous Abort condition on some CPUs utilizing speculative ex ...) {DSA-4602-1 DSA-4565-1 DSA-4564-1 DLA-2051-1 DLA-1990-1 DLA-1989-1} - linux 5.3.9-2 - intel-microcode 3.20191112.1 - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) [jessie] - xen (Not supported in jessie LTS) NOTE: https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort NOTE: https://xenbits.xen.org/xsa/advisory-305.html NOTE: The 3.20191112.1 release for intel-microcode did contain most updates, additional NOTE: update for CFL-S was added in 3.20191113.1. CVE-2019-11134 RESERVED CVE-2019-11133 (Improper access control in the Intel(R) Processor Diagnostic Tool befo ...) NOT-FOR-US: Intel CVE-2019-11132 (Cross site scripting in subsystem in Intel(R) AMT before versions 11.8 ...) NOT-FOR-US: Intel CVE-2019-11131 (Logic issue in subsystem in Intel(R) AMT before versions 11.8.70, 11.1 ...) NOT-FOR-US: Intel CVE-2019-11130 RESERVED CVE-2019-11129 (Out of bound read/write in system firmware for Intel(R) NUC Kit may al ...) NOT-FOR-US: Intel CVE-2019-11128 (Insufficient input validation in system firmware for Intel(R) NUC Kit ...) NOT-FOR-US: Intel CVE-2019-11127 (Buffer overflow in system firmware for Intel(R) NUC Kit may allow a pr ...) NOT-FOR-US: Intel CVE-2019-11126 (Pointer corruption in system firmware for Intel(R) NUC Kit may allow a ...) NOT-FOR-US: Intel CVE-2019-11125 (Insufficient input validation in system firmware for Intel(R) NUC Kit ...) NOT-FOR-US: Intel CVE-2019-11124 (Out of bound read/write in system firmware for Intel(R) NUC Kit may al ...) NOT-FOR-US: Intel CVE-2019-11123 (Insufficient session validation in system firmware for Intel(R) NUC Ki ...) NOT-FOR-US: Intel CVE-2019-11122 RESERVED CVE-2019-11121 RESERVED CVE-2019-11120 (Insufficient path checking in the installer for Intel(R) Active System ...) NOT-FOR-US: Intel CVE-2019-11119 (Insufficient session validation in the service API for Intel(R) RWC3 v ...) NOT-FOR-US: Intel CVE-2019-11118 RESERVED CVE-2019-11117 (Improper permissions in the installer for Intel(R) Omni-Path Fabric Ma ...) NOT-FOR-US: Intel CVE-2019-11116 RESERVED CVE-2019-11115 RESERVED CVE-2019-11114 (Insufficient input validation in Intel(R) Driver & Support Assista ...) NOT-FOR-US: Intel(R) Driver & Support Assistant CVE-2019-11113 (Buffer overflow in Kernel Mode module for Intel(R) Graphics Driver bef ...) NOT-FOR-US: Intel Windows graphics driver CVE-2019-11112 (Memory corruption in Kernel Mode Driver in Intel(R) Graphics Driver be ...) NOT-FOR-US: Intel Windows graphics driver CVE-2019-11111 (Pointer corruption in the Unified Shader Compiler in Intel(R) Graphics ...) NOT-FOR-US: Intel Windows graphics driver CVE-2019-11110 (Authentication bypass in the subsystem for Intel(R) CSME before versio ...) NOT-FOR-US: Intel CVE-2019-11109 (Logic issue in the subsystem for Intel(R) SPS before versions SPS_E5_0 ...) NOT-FOR-US: Intel CVE-2019-11108 (Insufficient input validation in subsystem for Intel(R) CSME before ve ...) NOT-FOR-US: Intel CVE-2019-11107 (Insufficient input validation in the subsystem for Intel(R) AMT before ...) NOT-FOR-US: Intel CVE-2019-11106 (Insufficient session validation in the subsystem for Intel(R) CSME bef ...) NOT-FOR-US: Intel CVE-2019-11105 (Logic issue in subsystem for Intel(R) CSME before versions 12.0.45, 13 ...) NOT-FOR-US: Intel CVE-2019-11104 (Insufficient input validation in MEInfo software for Intel(R) CSME bef ...) NOT-FOR-US: Intel CVE-2019-11103 (Insufficient input validation in firmware update software for Intel(R) ...) NOT-FOR-US: Intel CVE-2019-11102 (Insufficient input validation in Intel(R) DAL software for Intel(R) CS ...) NOT-FOR-US: Intel CVE-2019-11101 (Insufficient input validation in the subsystem for Intel(R) CSME befor ...) NOT-FOR-US: Intel CVE-2019-11100 (Insufficient input validation in the subsystem for Intel(R) AMT before ...) NOT-FOR-US: Intel CVE-2019-11099 RESERVED CVE-2019-11098 RESERVED CVE-2019-11097 (Improper directory permissions in the installer for Intel(R) Managemen ...) NOT-FOR-US: Intel CVE-2019-11096 (Insufficient memory protection for Intel(R) Ethernet I218 Adapter driv ...) NOT-FOR-US: Intel(R) Ethernet I218 Adapter driver for Windows CVE-2019-11095 (Insufficient access control in Intel(R) Driver & Support Assistant ...) NOT-FOR-US: Intel(R) Driver & Support Assistant CVE-2019-11094 (Insufficient input validation in system firmware for Intel (R) NUC Kit ...) NOT-FOR-US: Intel (R) NUC Kit CVE-2019-11093 (Unquoted service path in the installer for the Intel(R) SCS Discovery ...) NOT-FOR-US: Intel(R) SCS Discovery Utility CVE-2019-11092 (Insufficient password protection in the attestation database for Open ...) NOT-FOR-US: Open CIT CVE-2019-11091 (Microarchitectural Data Sampling Uncacheable Memory (MDSUM): Uncacheab ...) {DSA-4447-1 DSA-4444-1 DLA-1789-2 DLA-1799-1 DLA-1789-1 DLA-1787-1} - intel-microcode 3.20190514.1 - linux 4.19.37-2 - xen 4.11.1+92-g6c33308a8d-1 (bug #929129) [stretch] - xen 4.8.5.final+shim4.10.4-1+deb9u12 [jessie] - xen (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) NOTE: https://git.kernel.org/linus/fa4bff165070dc40a3de35b78e4f8da8e8d85ec5 NOTE: https://software.intel.com/security-software-guidance/software-guidance/microarchitectural-data-sampling NOTE: https://xenbits.xen.org/xsa/advisory-297.html NOTE: libvirt support for md-clear CPUID bit: NOTE: https://libvirt.org/git/?p=libvirt.git;a=commit;h=538d873571d7a682852dc1d70e5f4478f4d64e85 NOTE: qemu and libvirt need updates to passthrough md-clear, see #929067 for qemu and #929154 for libvirt CVE-2019-11090 (Cryptographic timing conditions in the subsystem for Intel(R) PTT befo ...) NOT-FOR-US: Intel CVE-2019-11089 (Insufficient input validation in Kernel Mode module for Intel(R) Graph ...) NOT-FOR-US: Intel Windows graphics driver CVE-2019-11088 (Insufficient input validation in subsystem in Intel(R) AMT before vers ...) NOT-FOR-US: Intel CVE-2019-11087 (Insufficient input validation in the subsystem for Intel(R) CSME befor ...) NOT-FOR-US: Intel CVE-2019-11086 (Insufficient input validation in subsystem for Intel(R) AMT before ver ...) NOT-FOR-US: Intel CVE-2019-11085 (Insufficient input validation in Kernel Mode Driver in Intel(R) i915 G ...) - linux 4.19.20-1 [stretch] - linux (Vulnerable code introduced later) [jessie] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/51b00d8509dc69c98740da2ad07308b630d3eb7d NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00249.html CVE-2019-11084 (GAuth 0.9.9 beta has stored XSS that shows a popup repeatedly and disc ...) NOT-FOR-US: GAuth CVE-2019-11083 RESERVED CVE-2019-11082 (core/api/datasets/internal/actions/Explode.java in the Dataset API in ...) NOT-FOR-US: DKPro Core CVE-2019-11081 (A default username and password in Dentsply Sirona Sidexis 4.3.1 and e ...) NOT-FOR-US: Dentsply Sirona Sidexis CVE-2019-11080 (Sitecore Experience Platform (XP) prior to 9.1.1 is vulnerable to remo ...) NOT-FOR-US: Sitecore Experience Platform CVE-2019-11079 RESERVED CVE-2019-11078 (MKCMS V5.0 has a CSRF vulnerability to add a new admin user via the uc ...) NOT-FOR-US: MKCMS CVE-2019-11077 (FastAdmin V1.0.0.20190111_beta has a CSRF vulnerability to add a new a ...) NOT-FOR-US: FastAdmin CVE-2019-11076 (Cribl UI 1.5.0 allows remote attackers to run arbitrary commands via a ...) NOT-FOR-US: Cribl UI CVE-2019-11075 RESERVED CVE-2019-11074 (A Write to Arbitrary Location in Disk vulnerability exists in PRTG Net ...) NOT-FOR-US: PRTG Network Monitor CVE-2019-11073 (A Remote Code Execution vulnerability exists in PRTG Network Monitor b ...) NOT-FOR-US: PRTG Network Monitor CVE-2019-11072 (** DISPUTED ** lighttpd before 1.4.54 has a signed integer overflow, w ...) - lighttpd 1.4.53-4 (bug #926885) [stretch] - lighttpd (Vulnerable code introduced later) [jessie] - lighttpd (Vulnerable code introduced later) NOTE: https://redmine.lighttpd.net/issues/2945 NOTE: Fixed by: https://github.com/lighttpd/lighttpd1.4/commit/32120d5b8b3203fc21ccb9eafb0eaf824bb59354 NOTE: Introduced with: https://github.com/lighttpd/lighttpd1.4/commit/3eb7902e10ba75b3f2eb159e244d0d8e5037ccd2 CVE-2019-11070 (WebKitGTK and WPE WebKit prior to version 2.24.1 failed to properly ap ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0002.html CVE-2019-11069 (Sequelize version 5 before 5.3.0 does not properly ensure that standar ...) NOT-FOR-US: Sequelize CVE-2019-11068 (libxslt through 1.1.33 allows bypass of a protection mechanism because ...) {DLA-1756-1} - libxslt 1.1.32-2.1 (bug #926895; bug #933743) [buster] - libxslt 1.1.32-2.1~deb10u1 [stretch] - libxslt 1.1.29-2.1+deb9u1 NOTE: https://gitlab.gnome.org/GNOME/libxslt/issues/12 NOTE: https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 CVE-2006-7254 (The nscd daemon in the GNU C Library (glibc) before version 2.5 does n ...) - glibc 2.5-1 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=2498 CVE-2005-3590 (The getgrouplist function in the GNU C library (glibc) before version ...) - glibc 2.3.5-3 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=661 CVE-2019-11067 RESERVED CVE-2019-1003050 (The f:validateButton form control for the Jenkins UI did not properly ...) NOT-FOR-US: Jenkins CVE-2019-1003049 (Users who cached their CLI authentication before Jenkins was updated t ...) NOT-FOR-US: Jenkins CVE-2019-11066 (openid.php in LightOpenID through 1.3.1 allows SSRF via a crafted Open ...) NOT-FOR-US: LightOpenID CVE-2019-11065 (Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download ...) - gradle 4.4.1-10 (bug #926923) [buster] - gradle (Minor issue) [stretch] - gradle (Minor issue) [jessie] - gradle (Minor issue) NOTE: https://github.com/gradle/gradle/pull/8927 NOTE: https://lists.debian.org/debian-lts/2019/05/msg00021.html CVE-2019-11071 (SPIP 3.1 before 3.1.10 and 3.2 before 3.2.4 allows authenticated visit ...) {DSA-4429-1} - spip 3.2.4-1 (bug #926764) [jessie] - spip (SPIP 3.0 and earlier are not affected) NOTE: https://blog.spip.net/Mise-a-jour-CRITIQUE-de-securite-Sortie-de-SPIP-3-1-10-et-SPIP-3-2-4.html NOTE: https://github.com/spip/SPIP/commit/3ef87c525bc0768c926646f999a54222b37b5d36 NOTE: https://github.com/spip/SPIP/commit/824d17f424bf77d17af89c18c3dc807a3199567e CVE-2019-11064 (A vulnerability of remote credential disclosure was discovered in Adva ...) NOT-FOR-US: Advan VD-1 firmware CVE-2019-11063 (A broken access control vulnerability in SmartHome app (Android versio ...) NOT-FOR-US: SmartHome app CVE-2019-11062 (The SUNNET WMPro v5.0 and v5.1 for eLearning system has OS Command Inj ...) NOT-FOR-US: SUNNET WMPro for eLearning system CVE-2019-11061 (A broken access control vulnerability in HG100 firmware versions up to ...) NOT-FOR-US: HG100 firmware CVE-2019-11060 (The web api server on Port 8080 of ASUS HG100 firmware up to 1.05.12, ...) NOT-FOR-US: ASUS HG100 firmware CVE-2019-11059 (Das U-Boot 2016.11-rc1 through 2019.04 mishandles the ext4 64-bit exte ...) - u-boot 2019.01+dfsg-6 (bug #928800) [stretch] - u-boot (Minor issue) [jessie] - u-boot (Minor issue) NOTE: https://git.denx.de/?p=u-boot.git;a=commit;h=febbc583319b567fe3d83e521cc2ace9be8d1501 CVE-2019-11058 RESERVED CVE-2019-11057 (SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows ...) NOT-FOR-US: Vtiger CRM CVE-2019-11056 RESERVED CVE-2019-11055 RESERVED CVE-2019-11054 RESERVED CVE-2019-11053 RESERVED CVE-2019-11052 RESERVED CVE-2019-11051 RESERVED CVE-2019-11050 (When PHP EXIF extension is parsing EXIF information from an image, e.g ...) {DSA-4628-1 DSA-4626-1 DLA-2050-1} - php7.3 7.3.15-1 - php7.0 - php5 NOTE: Fixed in PHP 7.4.1, 7.3.13 NOTE: PHP Bug: http://bugs.php.net/78793 CVE-2019-11049 (In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplyin ...) - php7.3 (Windows specific issue) - php7.0 (Windows specific issue) - php5 (Windows specific issue) NOTE: Fixed in PHP 7.4.1, 7.3.13 NOTE: PHP Bug: http://bugs.php.net/78943 CVE-2019-11048 (In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18 and 7.4.x below ...) {DSA-4719-1 DSA-4717-1 DLA-2261-1} - php7.4 - php7.3 - php7.0 - php5 NOTE: Fixed in PHP 7.2.31, 7.3.18, 7.4.6 NOTE: PHP Bug: https://bugs.php.net/78875 NOTE: PHP Bug: https://bugs.php.net/78876 NOTE: https://github.com/php/php-src/commit/f43041250f82ed69bd4575655984fbfc842da266 NOTE: https://github.com/php/php-src/commit/1c9bd513ac5c7c1d13d7f0dfa7c16a7ad2ce0f87 NOTE: php-7.4: https://github.com/php/php-src/commit/a3924ab6542a358a3099de992b63b932a9570add NOTE: php-7.3: https://github.com/php/php-src/commit/f43041250f82ed69bd4575655984fbfc842da266 NOTE: php-7.2: https://github.com/php/php-src/commit/f43041250f82ed69bd4575655984fbfc842da266 NOTE: php-7.2: https://github.com/php/php-src/commit/1c9bd513ac5c7c1d13d7f0dfa7c16a7ad2ce0f87 CVE-2019-11047 (When PHP EXIF extension is parsing EXIF information from an image, e.g ...) {DSA-4628-1 DSA-4626-1 DLA-2050-1} - php7.3 7.3.15-1 - php7.0 - php5 NOTE: Fixed in PHP 7.4.1, 7.3.13 NOTE: PHP Bug: http://bugs.php.net/78910 CVE-2019-11046 (In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP ...) {DSA-4628-1 DSA-4626-1 DLA-2050-1} - php7.3 7.3.15-1 - php7.0 - php5 NOTE: Fixed in PHP 7.4.1, 7.3.13 NOTE: PHP Bug: http://bugs.php.net/78878 NOTE: http://git.php.net/?p=php-src.git;a=patch;h=2d07f00b73d8f94099850e0f5983e1cc5817c196 CVE-2019-11045 (In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP ...) {DSA-4628-1 DSA-4626-1 DLA-2050-1} - php7.3 7.3.15-1 - php7.0 - php5 NOTE: Fixed in PHP 7.4.1, 7.3.13 NOTE: PHP Bug: http://bugs.php.net/78863 NOTE: http://git.php.net/?p=php-src.git;a=patch;h=d74907b8575e6edb83b728c2a94df434c23e1f79 CVE-2019-11044 (In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Wi ...) - php7.3 (Windows specific issue) - php7.0 (Windows specific issue) - php5 (Windows specific issue) NOTE: Fixed in PHP 7.4.1, 7.3.13 NOTE: PHP Bug: http://bugs.php.net/78862 CVE-2019-11043 (In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below ...) {DSA-4553-1 DSA-4552-1 DLA-1970-1} - php7.3 7.3.11-1~deb10u1 (bug #943468; bug #943764) - php7.0 - php5 NOTE: Fixed in PHP 7.3.11, 7.2.24 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=78599 NOTE: https://www.tenable.com/blog/cve-2019-11043-vulnerability-in-php-fpm-could-lead-to-remote-code-execution-on-nginx NOTE: http://git.php.net/?p=php-src.git;a=commit;h=ab061f95ca966731b1c84cf5b7b20155c0a1c06a CVE-2019-11042 (When PHP EXIF extension is parsing EXIF information from an image, e.g ...) {DSA-4529-1 DSA-4527-1 DLA-1878-1} - php7.3 7.3.8-1 - php7.0 - php5 NOTE: Fixed in 7.1.31, 7.2.21, 7.3.8 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=78256 CVE-2019-11041 (When PHP EXIF extension is parsing EXIF information from an image, e.g ...) {DSA-4529-1 DSA-4527-1 DLA-1878-1} - php7.3 7.3.8-1 - php7.0 - php5 NOTE: Fixed in 7.1.31, 7.2.21, 7.3.8 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=78222 CVE-2019-11040 (When PHP EXIF extension is parsing EXIF information from an image, e.g ...) {DSA-4529-1 DSA-4527-1 DLA-1813-1} - php7.3 7.3.6-1 - php7.0 - php5 NOTE: Fixed in 7.1.30, 7.2.19, 7.3.6 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77988 CVE-2019-11039 (Function iconv_mime_decode_headers() in PHP versions 7.1.x below 7.1.3 ...) {DSA-4529-1 DSA-4527-1 DLA-1813-1} - php7.3 7.3.6-1 - php7.0 - php5 NOTE: Fixed in 7.1.30, 7.2.19, 7.3.6 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=78069 CVE-2019-11038 (When using the gdImageCreateFromXbm() function in the GD Graphics Libr ...) {DSA-4529-1 DLA-1817-1} - libgd2 2.2.5-5.2 (low; bug #929821) [stretch] - libgd2 2.2.4-2+deb9u5 - php7.3 7.3.6-1 (unimportant) - php7.0 (unimportant) - php5 (unimportant) NOTE: Fixed in 7.1.30, 7.2.19, 7.3.6 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77973 NOTE: https://github.com/libgd/libgd/issues/501 NOTE: https://github.com/libgd/libgd/commit/e13a342c079aeb73e31dfa19eaca119761bac3f3 CVE-2019-11037 (In PHP imagick extension in versions between 3.3.0 and 3.4.4, writing ...) {DSA-4576-1} - php-imagick 3.4.3-4.1 (bug #928420) [jessie] - php-imagick (vulnerable code is not present) NOTE: https://bugs.php.net/bug.php?id=77791 NOTE: https://github.com/mkoppanen/imagick/commits/bugfix_77791 NOTE: Introduced by: https://github.com/mkoppanen/imagick/commit/a3cc177f8ed38937960e27765816e2f7a6de7391 NOTE: Fixed by: https://github.com/Imagick/imagick/compare/d57a444766a321fa226266f51f1f42ee2cc29cc7...a827e4fd94aba346e919dc2ae8e8da2cec5a7445 CVE-2019-11036 (When processing certain files, PHP EXIF extension in versions 7.1.x be ...) {DSA-4529-1 DSA-4527-1 DLA-1803-1} - php7.3 7.3.6-1 (bug #928421) - php7.0 - php5 NOTE: Fixed in 7.1.29, 7.2.18, 7.3.5 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77950 CVE-2019-11035 (When processing certain files, PHP EXIF extension in versions 7.1.x be ...) {DSA-4529-1 DLA-1803-1} - php7.3 7.3.4-1 - php7.0 - php5 NOTE: Fixed in 7.1.28, 7.2.17, 7.3.4 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77831 CVE-2019-11034 (When processing certain files, PHP EXIF extension in versions 7.1.x be ...) {DSA-4529-1 DLA-1803-1} - php7.3 7.3.4-1 - php7.0 - php5 NOTE: Fixed in 7.1.28, 7.2.17, 7.3.4 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77753 CVE-2019-11033 (Applaud HCM 4.0.42+ uses HTML tag fields for HTML inputs in a form. Th ...) NOT-FOR-US: Applaud HCM CVE-2019-11032 (In EasyToRecruit (E2R) before 2.11, the upload feature and the Candida ...) NOT-FOR-US: EasyToRecruit CVE-2019-11031 (Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the auto-up ...) NOT-FOR-US: Mirasys VMS CVE-2019-11030 (Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the Mirasys ...) NOT-FOR-US: Mirasys VMS CVE-2019-11029 (Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the Downloa ...) NOT-FOR-US: Mirasys VMS CVE-2019-11028 (GAT-Ship Web Module before 1.40 suffers from a vulnerability allowing ...) NOT-FOR-US: GAT-Ship Web Module CVE-2015-9284 (The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vuln ...) - ruby-omniauth [stretch] - ruby-omniauth (Minor issue) [jessie] - ruby-omniauth (Fix is in additional gem and needs CSRF protection in apps) NOTE: https://github.com/omniauth/omniauth/pull/809 NOTE: https://www.openwall.com/lists/oss-security/2015/05/26/11 CVE-2019-11027 (Ruby OpenID (aka ruby-openid) through 2.8.0 has a remotely exploitable ...) {DLA-1956-1} - ruby-openid 2.9.2debian-1 (bug #930388) [buster] - ruby-openid (Minor issue) [stretch] - ruby-openid (Minor issue) NOTE: https://github.com/openid/ruby-openid/issues/122 NOTE: https://github.com/openid/ruby-openid/issues/122#issuecomment-520304211 NOTE: https://github.com/openid/ruby-openid/commit/8a4c31a6740a949cdc29d956c276ba3c4021dfa8 NOTE: https://github.com/openid/ruby-openid/commit/f526132c6cb5d9195351c16ed36dced4ca3db496 CVE-2019-11026 (FontInfoScanner::scanFonts in FontInfo.cc in Poppler 0.75.0 has infini ...) [experimental] - poppler 0.81.0-1 - poppler (low; bug #926721) [buster] - poppler (Minor issue) [stretch] - poppler (Minor issue) [jessie] - poppler (Minor issue) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/752 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/8051f678b3b43326e5fdfd7c03f39de21059f426 CVE-2019-11025 (In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping o ...) {DLA-1757-1} - cacti 1.2.2+ds1-2 (low; bug #926700) [stretch] - cacti (Minor issue) NOTE: https://github.com/Cacti/cacti/issues/2581 CVE-2019-11024 (The load_pnm function in frompnm.c in libsixel.a in libsixel 1.8.2 has ...) - libsixel 1.8.6-1 (unimportant) NOTE: https://github.com/saitoha/libsixel/issues/85 NOTE: Negligible security impact CVE-2019-11023 (The agroot() function in cgraph\obj.c in libcgraph.a in Graphviz 2.39. ...) - graphviz (unimportant; bug #926724) NOTE: https://gitlab.com/graphviz/graphviz/issues/1517 NOTE: https://gitlab.com/graphviz/graphviz/commit/839085f8026afd6f6920a0c31ad2a9d880d97932 NOTE: Crash in CLI tool, no security impact CVE-2019-11022 RESERVED CVE-2019-11021 (** DISPUTED ** admin/app/mediamanager in Schlix CMS 2.1.8-7 allows Aut ...) NOT-FOR-US: Schlix CMS CVE-2019-11020 (Lack of authentication in file-viewing components in DDRT Dashcom Live ...) NOT-FOR-US: DDRT Dashcom CVE-2019-11019 (Lack of authentication in case-exporting components in DDRT Dashcom Li ...) NOT-FOR-US: DDRT Dashcom CVE-2019-11018 (application\admin\controller\User.php in ThinkAdmin V4.0 does not prev ...) NOT-FOR-US: ThinkAdmin CVE-2019-11017 (On D-Link DI-524 V2.06RU devices, multiple Stored and Reflected XSS vu ...) NOT-FOR-US: D-Link CVE-2019-11016 (Elgg before 1.12.18 and 2.3.x before 2.3.11 has an open redirect. ...) NOT-FOR-US: Elgg CVE-2019-11015 (A vulnerability was found in the MIUI OS version 10.1.3.0 that allows ...) NOT-FOR-US: MIUI OS CVE-2019-11014 (The VStarCam vstc.vscam.client library and vstc.vscam shared object, a ...) NOT-FOR-US: VStarCam CVE-2019-11013 (Nimble Streamer 3.0.2-2 through 3.5.4-9 has a ../ directory traversal ...) NOT-FOR-US: Nimble Streamer CVE-2019-11012 RESERVED CVE-2019-11011 (Akamai CloudTest before 58.30 allows remote code execution. ...) NOT-FOR-US: Akamai CloudTest CVE-2019-11010 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a memory leak in ...) {DLA-1755-1} - graphicsmagick 1.4~hg15968-1 (bug #927029) [stretch] - graphicsmagick 1.3.30+hg15796-1~deb9u3 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/a348d9661019 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/601/ CVE-2019-11009 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buff ...) {DLA-1755-1} - graphicsmagick 1.4~hg15968-1 (bug #927029) [stretch] - graphicsmagick 1.3.30+hg15796-1~deb9u3 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/7cff2b1792de NOTE: https://sourceforge.net/p/graphicsmagick/bugs/597/ CVE-2019-11008 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buff ...) {DLA-1755-1} - graphicsmagick 1.4~hg15968-1 (bug #927029) [stretch] - graphicsmagick 1.3.30+hg15796-1~deb9u3 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/d823d23a474b NOTE: https://sourceforge.net/p/graphicsmagick/bugs/599/ CVE-2019-11007 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buff ...) {DLA-1755-1} - graphicsmagick 1.4~hg15968-1 (bug #927029) [stretch] - graphicsmagick 1.3.30+hg15796-1~deb9u3 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/40fc71472b98 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/86a9295e7c83 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/596/ CVE-2019-11006 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buff ...) {DLA-1755-1} - graphicsmagick 1.4~hg15968-1 (bug #927029) [stretch] - graphicsmagick 1.3.30+hg15796-1~deb9u3 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/f7610c1281c1 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/598/ CVE-2019-11005 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a stack-based buf ...) - graphicsmagick 1.4~hg15968-1 (bug #927029) [stretch] - graphicsmagick 1.3.30+hg15796-1~deb9u3 [jessie] - graphicsmagick (The vulnerable code is not present) NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/b6fb77d7d54d NOTE: https://sourceforge.net/p/graphicsmagick/bugs/600/ CVE-2019-11004 (In Materialize through 1.0.0, XSS is possible via the Toast feature. ...) NOT-FOR-US: Materialize CVE-2019-11003 (In Materialize through 1.0.0, XSS is possible via the Autocomplete fea ...) NOT-FOR-US: Materialize CVE-2019-11002 (In Materialize through 1.0.0, XSS is possible via the Tooltip feature. ...) NOT-FOR-US: Materialize CVE-2019-11001 (On Reolink RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W devices th ...) NOT-FOR-US: Reolink devices CVE-2019-11000 (An issue was discovered in GitLab Enterprise Edition before 11.7.11, 1 ...) - gitlab (Only affects Gitlab EE) NOTE: https://about.gitlab.com/2019/04/10/critical-security-release-gitlab-11-dot-9-dot-7-released/ CVE-2019-10999 (The D-Link DCS series of Wi-Fi cameras contains a stack-based buffer o ...) NOT-FOR-US: D-Link CVE-2019-10998 (An issue was discovered on Phoenix Contact AXC F 2152 (No.2404267) bef ...) NOT-FOR-US: Phoenix Contact CVE-2019-10997 (An issue was discovered on Phoenix Contact AXC F 2152 (No.2404267) bef ...) NOT-FOR-US: Phoenix Contact CVE-2019-10996 (Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior ...) NOT-FOR-US: Red Lion Controls Crimson CVE-2019-10995 (ABB CP651 HMI products revision BSP UN30 v1.76 and prior implement hid ...) NOT-FOR-US: ABB CP651 HMI products CVE-2019-10994 (Processing a specially crafted project file in LAquis SCADA 4.3.1.71 m ...) NOT-FOR-US: LAquis SCADA CVE-2019-10993 (In WebAccess/SCADA Versions 8.3.5 and prior, multiple untrusted pointe ...) NOT-FOR-US: WebAccess/SCADA CVE-2019-10992 (Delta Electronics CNCSoft ScreenEditor, Versions 1.00.89 and prior. Mu ...) NOT-FOR-US: Delta Electronics CNCSoft ScreenEditor CVE-2019-10991 (In WebAccess/SCADA, Versions 8.3.5 and prior, multiple stack-based buf ...) NOT-FOR-US: WebAccess/SCADA CVE-2019-10990 (Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior ...) NOT-FOR-US: Red Lion Controls Crimson CVE-2019-10989 (In WebAccess/SCADA Versions 8.3.5 and prior, multiple heap-based buffe ...) NOT-FOR-US: WebAccess/SCADA CVE-2019-10988 (In Philips HDI 4000 Ultrasound Systems, all versions running on old, u ...) NOT-FOR-US: Philips HDI 4000 Ultrasound Systems CVE-2019-10987 (In WebAccess/SCADA Versions 8.3.5 and prior, multiple out-of-bounds wr ...) NOT-FOR-US: WebAccess/SCADA CVE-2019-10986 RESERVED CVE-2019-10985 (In WebAccess/SCADA, Versions 8.3.5 and prior, a path traversal vulnera ...) NOT-FOR-US: WebAccess/SCADA CVE-2019-10984 (Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior ...) NOT-FOR-US: Red Lion Controls Crimson CVE-2019-10983 (In WebAccess/SCADA Versions 8.3.5 and prior, an out-of-bounds read vul ...) NOT-FOR-US: WebAccess/SCADA CVE-2019-10982 (Delta Electronics CNCSoft ScreenEditor, Versions 1.00.89 and prior. Mu ...) NOT-FOR-US: Delta Electronics CNCSoft ScreenEditor CVE-2019-10981 (In Vijeo Citect 7.30 and 7.40, and CitectSCADA 7.30 and 7.40, a vulner ...) NOT-FOR-US: AVEVA CVE-2019-10980 (A type confusion vulnerability may be exploited when LAquis SCADA 4.3. ...) NOT-FOR-US: LAquis SCADA CVE-2019-10979 (SICK MSC800 all versions prior to Version 4.0, the affected firmware v ...) NOT-FOR-US: SICK MSC800 CVE-2019-10978 (Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior ...) NOT-FOR-US: Red Lion Controls Crimson CVE-2019-10977 (In Mitsubishi Electric MELSEC-Q series Ethernet module QJ71E71-100 ser ...) NOT-FOR-US: Mitsubishi CVE-2019-10976 (Mitsubishi Electric FR Configurator2, Version 1.16S and prior. This vu ...) NOT-FOR-US: Mitsubishi Electric FR Configurator2 CVE-2019-10975 (An out-of-bounds read vulnerability has been identified in Fuji Electr ...) NOT-FOR-US: Fuji Electric CVE-2019-10974 (NREL EnergyPlus, Versions 8.6.0 and possibly prior versions, The appli ...) NOT-FOR-US: NREL EnergyPlus CVE-2019-10973 (Quest KACE, all versions prior to version 8.0.x, 8.1.x, and 9.0.x, all ...) NOT-FOR-US: Quest KACE CVE-2019-10972 (Mitsubishi Electric FR Configurator2, Version 1.16S and prior. This vu ...) NOT-FOR-US: Mitsubishi Electric FR Configurator2 CVE-2019-10971 (The application (Network Configurator for DeviceNet Safety 3.41 and pr ...) NOT-FOR-US: Omron CVE-2019-10970 (In Rockwell Automation PanelView 5510 (all versions manufactured befor ...) NOT-FOR-US: Rockwell Automation PanelView CVE-2019-10969 (Moxa EDR 810, all versions 5.1 and prior, allows an authenticated atta ...) NOT-FOR-US: Moxa CVE-2019-10968 (Philips Holter 2010 Plus, all versions. A vulnerability has been ident ...) NOT-FOR-US: Philips Holter 2010 Plus CVE-2019-10967 (In Emerson Ovation OCR400 Controller 3.3.1 and earlier, a stack-based ...) NOT-FOR-US: Emerson CVE-2019-10966 (In GE Aestiva and Aespire versions 7100 and 7900, a vulnerability exis ...) NOT-FOR-US: GE Aestiva and Aespire CVE-2019-10965 (In Emerson Ovation OCR400 Controller 3.3.1 and earlier, a heap-based b ...) NOT-FOR-US: Emerson CVE-2019-10964 (In Medtronic MinMed 508 and Medtronic Minimed Paradigm Insulin Pumps, ...) NOT-FOR-US: Medtronic CVE-2019-10963 (Moxa EDR 810, all versions 5.1 and prior, allows an unauthenticated at ...) NOT-FOR-US: Moxa CVE-2019-10962 (BD Alaris Gateway versions, 1.0.13,1.1.3 Build 10,1.1.3 MR Build 11,1. ...) NOT-FOR-US: BD Alaris Gateway CVE-2019-10961 (In Advantech WebAccess HMI Designer Version 2.1.9.23 and prior, proces ...) NOT-FOR-US: Advantech WebAccess HMI Designer CVE-2019-10960 (Zebra Industrial Printers All Versions, Zebra printers are shipped wit ...) NOT-FOR-US: Zebra Industrial Printers CVE-2019-10959 (BD Alaris Gateway Workstation Versions, 1.1.3 Build 10, 1.1.3 MR Build ...) NOT-FOR-US: BD Alaris Gateway CVE-2019-10958 (Geutebruck IP Cameras G-Code(EEC-2xxx), G-Cam(EBC-21xx/EFD-22xx/ETHC-2 ...) NOT-FOR-US: Geutebruck IP Cameras CVE-2019-10957 (Geutebruck IP Cameras G-Code(EEC-2xxx), G-Cam(EBC-21xx/EFD-22xx/ETHC-2 ...) NOT-FOR-US: Geutebruck IP Cameras CVE-2019-10956 (Geutebruck IP Cameras G-Code(EEC-2xxx), G-Cam(EBC-21xx/EFD-22xx/ETHC-2 ...) NOT-FOR-US: Geutebruck IP Cameras CVE-2019-10955 (In Rockwell Automation MicroLogix 1400 Controllers Series A, All Versi ...) NOT-FOR-US: Rockwell Automation CVE-2019-10954 (An attacker could send crafted SMTP packets to cause a denial-of-servi ...) NOT-FOR-US: Rockwell Automation CVE-2019-10953 (ABB, Phoenix Contact, Schneider Electric, Siemens, WAGO - Programmable ...) NOT-FOR-US: Programmable Logic Controllers of various vendors CVE-2019-10952 (An attacker could send a crafted HTTP/HTTPS request to render the web ...) NOT-FOR-US: Rockwell Automation CVE-2019-10951 (Delta Industrial Automation CNCSoft, CNCSoft ScreenEditor Version 1.00 ...) NOT-FOR-US: Delta Electronics CVE-2019-10950 (Fujifilm FCR Capsula X/ Carbon X/ FCR XC-2, model versions CR-IR 357 F ...) NOT-FOR-US: Fujifilm CVE-2019-10949 (Delta Industrial Automation CNCSoft, CNCSoft ScreenEditor Version 1.00 ...) NOT-FOR-US: Delta Electronics CVE-2019-10948 (Fujifilm FCR Capsula X/ Carbon X/ FCR XC-2, model versions CR-IR 357 F ...) NOT-FOR-US: Fujifilm CVE-2019-10947 (Delta Industrial Automation CNCSoft, CNCSoft ScreenEditor Version 1.00 ...) NOT-FOR-US: Delta Electronics CVE-2019-10946 (An issue was discovered in Joomla! before 3.9.5. The "refresh list of ...) NOT-FOR-US: Joomla! CVE-2019-10945 (An issue was discovered in Joomla! before 3.9.5. The Media Manager com ...) NOT-FOR-US: Joomla! CVE-2019-10944 RESERVED CVE-2019-10943 (A vulnerability has been identified in SIMATIC ET 200SP Open Controlle ...) NOT-FOR-US: Siemens CVE-2019-10942 (A vulnerability has been identified in SCALANCE X-200 (All versions), ...) NOT-FOR-US: Siemens CVE-2019-10941 RESERVED CVE-2019-10940 (A vulnerability has been identified in SINEMA Server (All versions < ...) NOT-FOR-US: Siemens CVE-2019-10939 (A vulnerability has been identified in TIM 3V-IE (incl. SIPLUS NET var ...) NOT-FOR-US: Siemens CVE-2019-10938 (A vulnerability has been identified in SIPROTEC 5 devices with CPU var ...) NOT-FOR-US: Ethernet plug-in communication modules for SIPROTEC 5 devices CVE-2019-10937 (A vulnerability has been identified in SIMATIC TDC CP51M1 (All version ...) NOT-FOR-US: SIMATIC TDC CP51M1 CVE-2019-10936 (A vulnerability has been identified in Development/Evaluation Kits for ...) NOT-FOR-US: Siemens CVE-2019-10935 (A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier ...) NOT-FOR-US: Siemens CVE-2019-10934 (A vulnerability has been identified in TIA Portal V14 (All versions), ...) NOT-FOR-US: Siemens CVE-2019-10933 (A vulnerability has been identified in Spectrum Power 3 (Corporate Use ...) NOT-FOR-US: Siemens CVE-2019-10932 RESERVED CVE-2019-10931 (A vulnerability has been identified in All other SIPROTEC 5 device typ ...) NOT-FOR-US: Siemens CVE-2019-10930 (A vulnerability has been identified in All other SIPROTEC 5 device typ ...) NOT-FOR-US: Siemens CVE-2019-10929 (A vulnerability has been identified in SIMATIC CP 1626 (All versions), ...) NOT-FOR-US: Siemens CVE-2019-10928 (A vulnerability has been identified in SCALANCE SC-600 (V2.0). An auth ...) NOT-FOR-US: Siemens CVE-2019-10927 (A vulnerability has been identified in SCALANCE SC-600 (V2.0), SCALANC ...) NOT-FOR-US: Siemens CVE-2019-10926 (A vulnerability has been identified in SIMATIC Ident MV420 family (All ...) NOT-FOR-US: Siemens CVE-2019-10925 (A vulnerability has been identified in SIMATIC Ident MV420 family (All ...) NOT-FOR-US: Siemens CVE-2019-10924 (A vulnerability has been identified in LOGO! Soft Comfort (All version ...) NOT-FOR-US: Siemens CVE-2019-10923 (A vulnerability has been identified in CP1604 (All versions < V2.8) ...) NOT-FOR-US: Siemens CVE-2019-10922 (A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier ...) NOT-FOR-US: Siemens CVE-2019-10921 (A vulnerability has been identified in LOGO!8 BM (All versions). Unenc ...) NOT-FOR-US: Siemens CVE-2019-10920 (A vulnerability has been identified in LOGO!8 BM (All versions). Proje ...) NOT-FOR-US: Siemens CVE-2019-10919 (A vulnerability has been identified in LOGO!8 BM (All versions). Attac ...) NOT-FOR-US: Siemens CVE-2019-10918 (A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier ...) NOT-FOR-US: Siemens CVE-2019-10917 (A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier ...) NOT-FOR-US: Siemens CVE-2019-10916 (A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier ...) NOT-FOR-US: Siemens CVE-2019-10915 (A vulnerability has been identified in TIA Administrator (All versions ...) NOT-FOR-US: Siemens CVE-2019-10914 (pubRsaDecryptSignedElementExt in MatrixSSL 4.0.1 Open, as used in Insi ...) - matrixssl NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1785 NOTE: https://github.com/matrixssl/matrixssl/issues/26 CVE-2019-10913 (In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x ...) {DSA-4441-1 DLA-1778-1} - symfony 3.4.22+dfsg-2 NOTE: https://symfony.com/blog/cve-2019-10913-reject-invalid-http-method-overrides CVE-2019-10912 (In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4. ...) {DSA-4441-1} - symfony 3.4.22+dfsg-2 [jessie] - symfony (vulnerable code is not present) NOTE: https://symfony.com/blog/cve-2019-10912-prevent-destructors-with-side-effects-from-being-unserialized CVE-2019-10911 (In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x ...) {DSA-4441-1 DLA-1778-1} - drupal7 (Drupal 7 core not affected) - symfony 3.4.22+dfsg-2 NOTE: https://www.drupal.org/SA-CORE-2019-005 NOTE: https://symfony.com/blog/cve-2019-10911-add-a-separator-in-the-remember-me-cookie-hash CVE-2019-10910 (In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x ...) {DSA-4441-1 DLA-1778-1} - drupal7 (Drupal 7 core not affected) - symfony 3.4.22+dfsg-2 NOTE: https://www.drupal.org/SA-CORE-2019-005 NOTE: https://symfony.com/blog/cve-2019-10910-check-service-ids-are-valid CVE-2019-10909 (In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x ...) {DSA-4441-1 DLA-1778-1} - drupal7 (Drupal 7 core not affected) - symfony 3.4.22+dfsg-2 NOTE: https://www.drupal.org/SA-CORE-2019-005 NOTE: https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine CVE-2019-10908 (In Airsonic 10.2.1, RecoverController.java generates passwords via org ...) NOT-FOR-US: Airsonic CVE-2019-10907 (Airsonic 10.2.1 uses Spring's default remember-me mechanism based on M ...) NOT-FOR-US: Airsonic CVE-2016-10745 (In Pallets Jinja before 2.8.1, str.format allows a sandbox escape. ...) - jinja2 2.9.4-1 [stretch] - jinja2 (Minor issue) [jessie] - jinja2 (Minor issue) NOTE: Fixed by: https://github.com/pallets/jinja/commit/9b53045c34e61013dc8f09b7e52a555fa16bed16 NOTE: Followup bugfix: https://github.com/pallets/jinja/commit/74bd64e56387f5b2931040dc7235a3509cde1611 CVE-2019-10906 (In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape ...) - jinja2 2.10-2 (bug #926602) [stretch] - jinja2 (Minor issue) [jessie] - jinja2 (Minor issue) NOTE: https://palletsprojects.com/blog/jinja-2-10-1-released/ NOTE: https://github.com/pallets/jinja/commit/a2a6c930bcca591a25d2b316fcfd2d6793897b26 CVE-2019-10905 (Parsedown before 1.7.2, when safe mode is used and HTML markup is disa ...) NOT-FOR-US: Parsedown CVE-2019-10904 (Roundup 1.6 allows XSS via the URI because frontends/roundup.cgi and r ...) {DLA-1750-1} - roundup (bug #926587) NOTE: https://github.com/python/bugs.python.org/issues/34 NOTE: https://issues.roundup-tracker.org/issue2551035 NOTE: https://bitbucket.org/python/roundup/commits/51682dc2cd7e28421d749117c25bec58f632ee5f CVE-2019-10903 (In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the DCERPC SP ...) {DLA-1802-1} - wireshark 2.6.8-1 (low; bug #926718) [stretch] - wireshark (Can be fixed along in next 2.6.x release) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15568 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=eafdcfa4b6d5187a5326442a82608ab03d9dddcb NOTE: https://www.wireshark.org/security/wnpa-sec-2019-18.html CVE-2019-10902 (In Wireshark 3.0.0, the TSDNS dissector could crash. This was addresse ...) - wireshark 2.6.8-1 (low; bug #926718) [stretch] - wireshark (Can be fixed along in next 2.6.x release) [jessie] - wireshark (vulnerable code is not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15619 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=95571f17d5e2de39735e62e5251583f930c06d51 NOTE: https://www.wireshark.org/security/wnpa-sec-2019-16.html CVE-2019-10901 (In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the LDSS diss ...) {DLA-1802-1} - wireshark 2.6.8-1 (low; bug #926718) [stretch] - wireshark (Can be fixed along in next 2.6.x release) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15620 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=cf801a25074f76dc3ae62d8ec53ace75f56ce2cd NOTE: https://www.wireshark.org/security/wnpa-sec-2019-17.html CVE-2019-10900 (In Wireshark 3.0.0, the Rbm dissector could go into an infinite loop. ...) - wireshark (Vulnerable code introduced later in 3.0.0) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15612 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=26eee01f57f0a86fb375892c7937eac24ede4610 NOTE: https://www.wireshark.org/security/wnpa-sec-2019-13.html CVE-2019-10899 (In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the SRVLOC di ...) {DLA-1802-1} - wireshark 2.6.8-1 (low; bug #926718) [stretch] - wireshark (Can be fixed along in next 2.6.x release) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15546 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=b16fea2f175a3297edac118c8844c7987d31c1cb NOTE: https://www.wireshark.org/security/wnpa-sec-2019-10.html CVE-2019-10898 (In Wireshark 3.0.0, the GSUP dissector could go into an infinite loop. ...) - wireshark (Vulnerable code introduced later; GSUP dissector introduced in 3.0.0) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15585 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f80b7d1b279fb6c13f640019a1bbc42b18bf7469 NOTE: https://www.wireshark.org/security/wnpa-sec-2019-12.html CVE-2019-10897 (In Wireshark 3.0.0, the IEEE 802.11 dissector could go into an infinit ...) - wireshark (Vulnerable code introduced in 3.0.0) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15553 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=00d5e9e9fb377f52ab7696f25c1dbc011ef0244d NOTE: https://www.wireshark.org/security/wnpa-sec-2019-11.html CVE-2019-10896 (In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the DOF disse ...) - wireshark 2.6.8-1 (low; bug #926718) [stretch] - wireshark (Can be fixed along in next 2.6.x release) [jessie] - wireshark (vulnerable code is not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15617 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=441b6d9071d6341e58dfe10719375489c5b8e3f0 NOTE: https://www.wireshark.org/security/wnpa-sec-2019-15.html CVE-2019-10895 (In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the NetScaler ...) {DLA-1802-1} - wireshark 2.6.8-1 (low; bug #926718) [stretch] - wireshark (Can be fixed along in next 2.6.x release) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15497 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2fbbde780e5d5d82e31dca656217daf278cf62bb NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=38680c4c69f9f4e0f39e29b66fe2b02d88eb629d NOTE: introduced bug: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=1660f7437198113c0c90cec22daa6abcd3af22cc NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=cab0cff6abdd7a5b5b0bfa4ee204eea951e129e9 NOTE: https://www.wireshark.org/security/wnpa-sec-2019-09.html CVE-2019-10894 (In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the GSS-API d ...) {DLA-1802-1} - wireshark 2.6.8-1 (low; bug #926718) [stretch] - wireshark (Can be fixed along in next 2.6.x release) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15613 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=b20e5d8aae2580e29c83ddaf0b6b2e640603e4aa NOTE: https://www.wireshark.org/security/wnpa-sec-2019-14.html CVE-2019-10893 (CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open So ...) NOT-FOR-US: CentOS-WebPanel.com CVE-2019-10892 (An issue was discovered in D-Link DIR-806 devices. There is a stack-ba ...) NOT-FOR-US: D-Link CVE-2019-10891 (An issue was discovered in D-Link DIR-806 devices. There is a command ...) NOT-FOR-US: D-Link CVE-2019-10890 RESERVED CVE-2019-10889 RESERVED CVE-2019-10888 (A CSRF Issue that can add an admin user was discovered in UKcms v1.1.1 ...) NOT-FOR-US: UKcms CVE-2019-10887 (A reflected HTML injection vulnerability on Salicru SLC-20-cube3(5) de ...) NOT-FOR-US: Salicru SLC-20-cube3(5) devices CVE-2019-10886 (An incorrect access control exists in the Sony Photo Sharing Plus appl ...) NOT-FOR-US: Sony Photo Sharing Plus application CVE-2019-10885 (An issue was discovered in Ivanti Workspace Control before 10.3.90.0. ...) NOT-FOR-US: Ivanti Workspace Control CVE-2019-10884 (Uniqkey Password Manager 1.14 contains a vulnerability because it fail ...) NOT-FOR-US: Uniqkey Password Manager CVE-2019-10883 (Citrix SD-WAN Center 10.2.x before 10.2.1 and NetScaler SD-WAN Center ...) NOT-FOR-US: Citrix CVE-2019-10882 (The Netskope client service, v57 before 57.2.0.219 and v60 before 60.2 ...) NOT-FOR-US: Netskope CVE-2019-10881 RESERVED CVE-2019-10880 (Within multiple XEROX products a vulnerability allows remote command e ...) NOT-FOR-US: XEROX CVE-2018-20816 (An XSS combined with CSRF vulnerability discovered in SalesAgility Sui ...) NOT-FOR-US: SalesAgility SuiteCRM CVE-2019-10879 (In Teeworlds 0.7.2, there is an integer overflow in CDataFileReader::O ...) - teeworlds 0.7.2-4 (bug #927152) [jessie] - teeworlds (Not supported in jessie LTS) NOTE: https://github.com/teeworlds/teeworlds/issues/2070 NOTE: https://github.com/teeworlds/teeworlds/commit/4d529dcd2d01022e979ebfa0b91167dee37cdb8e CVE-2019-10878 (In Teeworlds 0.7.2, there is a failed bounds check in CDataFileReader: ...) - teeworlds 0.7.2-5 (bug #927152) [jessie] - teeworlds (Not supported in jessie LTS) NOTE: https://github.com/teeworlds/teeworlds/issues/2073 NOTE: https://github.com/teeworlds/teeworlds/commit/e086f4b35b1adf7edc35b4ad332dc7ed1edc5988 NOTE: https://github.com/teeworlds/teeworlds/commit/cc3d59ae706752956d6cb8acc4187c8398b61c5c CVE-2019-10877 (In Teeworlds 0.7.2, there is an integer overflow in CMap::Load() in en ...) - teeworlds 0.7.2-4 (bug #927152) [jessie] - teeworlds (Not supported in jessie LTS) NOTE: https://github.com/teeworlds/teeworlds/issues/2071 NOTE: https://github.com/teeworlds/teeworlds/commit/d25869626a8cfbdd320929ba93ce73abed1402ce NOTE: https://github.com/teeworlds/teeworlds/commit/e086f4b35b1adf7edc35b4ad332dc7ed1edc5988 CVE-2019-10876 (An issue was discovered in OpenStack Neutron 11.x before 11.0.7, 12.x ...) - neutron 2:13.0.2-15 (bug #926502) [stretch] - neutron (Vulnerable code introduced later; Around Pike Openstack release) [jessie] - neutron (Vulnerable code introduced later; Around Pike Openstack release) NOTE: https://bugs.launchpad.net/ossa/+bug/1813007 NOTE: https://review.openstack.org/#/q/topic:bug/1813007 CVE-2019-10875 (A URL spoofing vulnerability was found in all international versions o ...) NOT-FOR-US: Xiaomi Mi browser CVE-2019-10874 (Cross Site Request Forgery (CSRF) in the bolt/upload File Upload featu ...) NOT-FOR-US: Bolt CMS CVE-2019-10873 (An issue was discovered in Poppler 0.74.0. There is a NULL pointer der ...) - poppler 0.71.0-4 (low; bug #926532) [stretch] - poppler (Minor issue) [jessie] - poppler (vulnerable code is not present) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/748 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/8dbe2e6c480405dab9347075cf4be626f90f1d05 CVE-2019-10872 (An issue was discovered in Poppler 0.74.0. There is a heap-based buffe ...) {DLA-1815-1} - poppler 0.71.0-5 (low; bug #926530) [stretch] - poppler (Revisit when fixed upstream) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/750 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/6a1580e84f492b5671d23be98192267bb73de250 CVE-2019-10871 (An issue was discovered in Poppler 0.74.0. There is a heap-based buffe ...) [experimental] - poppler 0.81.0-1 - poppler (low; bug #926529) [buster] - poppler (Revisit when fixed upstream) [stretch] - poppler (Revisit when fixed upstream) [jessie] - poppler (Revisit when fixed upstream) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/751 NOTE: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/266 (rejected in favor of always enabling SPLASH_CMYK) NOTE: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/341 (always enable SPLASH_CMYK) CVE-2019-10870 RESERVED CVE-2019-10869 (Path Traversal and Unrestricted File Upload exists in the Ninja Forms ...) NOT-FOR-US: Ninja Forms plugin for WordPress CVE-2019-10867 (An issue was discovered in Pimcore before 5.7.1. An attacker with clas ...) NOT-FOR-US: Pimcore CVE-2019-10866 (In the Form Maker plugin before 1.13.3 for WordPress, it's possible to ...) NOT-FOR-US: Form Maker plugin for WordPress CVE-2019-10865 RESERVED CVE-2019-10864 (The WP Statistics plugin through 12.6.2 for WordPress has XSS, allowin ...) NOT-FOR-US: Wordpress plugin CVE-2019-10863 (A command injection vulnerability exists in TeemIp versions before 2.4 ...) NOT-FOR-US: TeemIp IPAM CVE-2019-10862 RESERVED CVE-2019-10861 RESERVED CVE-2019-10860 RESERVED CVE-2019-10859 RESERVED CVE-2019-10858 RESERVED CVE-2019-10857 RESERVED CVE-2019-10856 (In Jupyter Notebook before 5.7.8, an open redirect can occur via an em ...) - jupyter-notebook (Incomplete fix for CVE-2019-10255 not applied) NOTE: https://blog.jupyter.org/open-redirect-vulnerability-in-jupyter-jupyterhub-adf43583f1e4 NOTE: https://github.com/jupyter/notebook/commit/979e0bd15e794ceb00cc63737fcd5fd9addc4a99 CVE-2019-10855 (Computrols CBAS 18.0.0 mishandles password hashes. The approach is MD5 ...) NOT-FOR-US: Computrols CBAS CVE-2019-10854 (Computrols CBAS 18.0.0 allows Authenticated Command Injection. ...) NOT-FOR-US: Computrols CBAS CVE-2019-10853 (Computrols CBAS 18.0.0 allows Authentication Bypass. ...) NOT-FOR-US: Computrols CBAS CVE-2019-10852 (Computrols CBAS 18.0.0 allows Authenticated Blind SQL Injection via th ...) NOT-FOR-US: Computrols CBAS CVE-2019-10851 (Computrols CBAS 18.0.0 has hard-coded encryption keys. ...) NOT-FOR-US: Computrols CBAS CVE-2019-10850 (Computrols CBAS 18.0.0 has Default Credentials. ...) NOT-FOR-US: Computrols CBAS CVE-2019-10849 (Computrols CBAS 18.0.0 allows unprotected Subversion (SVN) directory / ...) NOT-FOR-US: Computrols CBAS CVE-2019-10848 (Computrols CBAS 18.0.0 allows Username Enumeration. ...) NOT-FOR-US: Computrols CBAS CVE-2019-10847 (Computrols CBAS 18.0.0 allows Cross-Site Request Forgery. ...) NOT-FOR-US: Computrols CBAS CVE-2019-10846 (Computrols CBAS 18.0.0 allows Unauthenticated Reflected Cross-Site Scr ...) NOT-FOR-US: Computrols CBAS CVE-2019-10845 (An issue was discovered in Uniqkey Password Manager 1.14. When enterin ...) NOT-FOR-US: Uniqkey Password Manager CVE-2019-10844 (nbla/logger.cpp in libnnabla.a in Sony Neural Network Libraries (aka n ...) NOT-FOR-US: Sony CVE-2019-10843 REJECTED CVE-2019-10842 (Arbitrary code execution (via backdoor code) was discovered in bootstr ...) NOT-FOR-US: backdoored version of bootstrap-sass CVE-2019-10841 RESERVED CVE-2019-10840 RESERVED CVE-2019-10839 RESERVED CVE-2019-10838 RESERVED CVE-2019-10837 RESERVED CVE-2019-10836 RESERVED CVE-2019-10835 RESERVED CVE-2019-10834 RESERVED CVE-2019-10833 RESERVED CVE-2019-10832 RESERVED CVE-2019-10831 RESERVED CVE-2019-10830 RESERVED CVE-2019-10829 RESERVED CVE-2019-10828 RESERVED CVE-2019-10827 RESERVED CVE-2019-10826 RESERVED CVE-2019-10825 RESERVED CVE-2019-10824 RESERVED CVE-2019-10823 RESERVED CVE-2019-10822 RESERVED CVE-2019-10821 RESERVED CVE-2019-10820 RESERVED CVE-2019-10819 RESERVED CVE-2019-10818 RESERVED CVE-2019-10817 RESERVED CVE-2019-10816 RESERVED CVE-2019-10815 RESERVED CVE-2019-10814 RESERVED CVE-2019-10813 RESERVED CVE-2019-10812 RESERVED CVE-2019-10811 RESERVED CVE-2019-10810 RESERVED CVE-2019-10809 RESERVED CVE-2019-10808 (utilitify prior to 1.0.3 allows modification of object properties. The ...) NOT-FOR-US: utilitify CVE-2019-10807 (Blamer versions prior to 1.0.1 allows execution of arbitrary commands. ...) NOT-FOR-US: Node blamer CVE-2019-10806 (vega-util prior to 1.13.1 allows manipulation of object prototype. The ...) NOT-FOR-US: Node vega-util CVE-2019-10805 (valib through 2.0.0 allows Internal Property Tampering. A maliciously ...) NOT-FOR-US: Node valib CVE-2019-10804 (serial-number through 1.3.0 allows execution of arbritary commands. Th ...) NOT-FOR-US: Node serial-number CVE-2019-10803 (push-dir through 0.4.1 allows execution of arbritary commands. Argumen ...) NOT-FOR-US: Node push-dir CVE-2019-10802 (giting version prior to 0.0.8 allows execution of arbritary commands. ...) NOT-FOR-US: Node giting CVE-2019-10801 (enpeem through 2.2.0 allows execution of arbitrary commands. The "opti ...) NOT-FOR-US: Node enpeem CVE-2019-10800 RESERVED CVE-2019-10799 (compile-sass prior to 1.0.5 allows execution of arbritary commands. Th ...) NOT-FOR-US: Node module compile-sass CVE-2019-10798 (rdf-graph-array through 0.3.0-rc6 manipulation of JavaScript objects r ...) NOT-FOR-US: Node module rdf-graph-array CVE-2019-10797 (Netty in WSO2 transport-http before v6.3.1 is vulnerable to HTTP Respo ...) NOT-FOR-US: WSO2 CVE-2019-10796 (rpi through 0.0.3 allows execution of arbritary commands. The variable ...) NOT-FOR-US: Node module rpi CVE-2019-10795 (undefsafe before 2.0.3 is vulnerable to Prototype Pollution. The 'a' f ...) NOT-FOR-US: undefsafe CVE-2019-10794 (All versions of component-flatten are vulnerable to Prototype Pollutio ...) NOT-FOR-US: Node module component-flatten CVE-2019-10793 (dot-object before 2.1.3 is vulnerable to Prototype Pollution. The set ...) NOT-FOR-US: Node module dot-object CVE-2019-10792 (bodymen before 1.1.1 is vulnerable to Prototype Pollution. The handler ...) NOT-FOR-US: Node module bodymen CVE-2019-10791 (promise-probe before 0.10.0 allows remote attackers to perform a comma ...) NOT-FOR-US: Node module promise-probe CVE-2019-10790 (taffy through 2.6.2 allows attackers to forge adding additional proper ...) NOT-FOR-US: Node module taffy CVE-2019-10789 (All versions of curling.js are vulnerable to Command Injection via the ...) NOT-FOR-US: curling.js CVE-2019-10788 (im-metadata through 3.0.1 allows remote attackers to execute arbitrary ...) NOT-FOR-US: im-metadata node module CVE-2019-10787 (im-resize through 2.3.2 allows remote attackers to execute arbitrary c ...) NOT-FOR-US: im-resize node module CVE-2019-10786 (network-manager through 1.0.2 allows remote attackers to execute arbit ...) NOT-FOR-US: network-manager node module CVE-2019-10785 (dojox is vulnerable to Cross-site Scripting in all versions before ver ...) {DLA-2127-1} - dojo 1.15.2+dfsg1-1 (bug #952771) [buster] - dojo 1.15.0+dfsg1-1+deb10u1 NOTE: https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr NOTE: https://snyk.io/vuln/SNYK-JS-DOJOX-548257 NOTE: https://github.com/dojo/dojox/pull/315 CVE-2019-10784 (phppgadmin through 7.12.1 allows sensitive actions to be performed wit ...) - phppgadmin (bug #953945) [buster] - phppgadmin (Minor issue) [stretch] - phppgadmin (Minor issue) [jessie] - phppgadmin (Minor issue) NOTE: https://snyk.io/vuln/SNYK-PHP-PHPPGADMINPHPPGADMIN-543885 NOTE: https://github.com/phppgadmin/phppgadmin/issues/94 CVE-2019-10783 (All versions including 0.0.4 of lsof npm module are vulnerable to Comm ...) NOT-FOR-US: lsof node module CVE-2019-10781 (In schema-inspector before 1.6.9, a maliciously crafted JavaScript obj ...) NOT-FOR-US: schema-inspector node module CVE-2019-10780 (BibTeX-ruby before 5.1.0 allows shell command injection due to unsanit ...) NOT-FOR-US: BibTeX-ruby CVE-2019-10779 (All versions of stroom:stroom-app before 5.5.12 and all versions of th ...) NOT-FOR-US: Stroom CVE-2019-10778 (devcert-sanscache before 0.4.7 allows remote attackers to execute arbi ...) NOT-FOR-US: devcert-sanscache CVE-2019-10777 (In aws-lambda versions prior to version 1.0.5, the "config.FunctioName ...) NOT-FOR-US: aws-lambda CVE-2019-10776 (In "index.js" file line 240, the run command executes the git command ...) NOT-FOR-US: git-diff-apply CVE-2019-10775 (ecstatic have a denial of service vulnerability. Successful exploitati ...) - node-ecstatic (bug #910614) CVE-2019-10774 (php-shellcommand versions before 1.6.1 have a command injection vulner ...) - php-shellcommand 1.6.1-1 NOTE: https://snyk.io/vuln/SNYK-PHP-MIKEHAERTLPHPSHELLCOMMAND-538426 NOTE: https://github.com/mikehaertl/php-shellcommand/commit/8d98d8536e05abafe76a491da87296d824939076 NOTE: https://github.com/mikehaertl/php-shellcommand/issues/44 CVE-2019-10773 (In Yarn before 1.21.1, the package install functionality can be abused ...) - node-yarnpkg 1.21.1-1 NOTE: https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023 NOTE: https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/ NOTE: https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7 NOTE: https://snyk.io/vuln/SNYK-JS-YARN-537806 CVE-2019-10772 (It is possible to bypass enshrined/svg-sanitize before 0.13.1 using th ...) NOT-FOR-US: svg-sanitize CVE-2019-10771 (Characters in the GET url path are not properly escaped and can be ref ...) NOT-FOR-US: IOBroker CVE-2019-10770 (All versions of io.ratpack:ratpack-core from 0.9.10 inclusive and befo ...) NOT-FOR-US: ratpack-core CVE-2019-10769 (safer-eval is a npm package to sandbox the he evaluation of code used ...) NOT-FOR-US: safer-eval Node module CVE-2019-10768 (In AngularJS before 1.7.9 the function `merge()` could be tricked into ...) - angular.js 1.7.9-1 (bug #945249) [buster] - angular.js (Minor issue; can be fixed via point release) [stretch] - angular.js (Nodejs in stretch not covered by security support) [jessie] - angular.js (vulnerable code is not present, deep merging introduced later) NOTE: https://github.com/angular/angular.js/commit/add78e62004e80bb1e16ab2dfe224afa8e513bc3 NOTE: https://snyk.io/vuln/SNYK-JS-ANGULAR-534884 CVE-2019-10767 (An attacker can include file contents from outside the `/adapter/xxx/` ...) NOT-FOR-US: ioBroker CVE-2019-10766 (Pixie versions 1.0.x before 1.0.3, and 2.0.x before 2.0.2 allow SQL In ...) NOT-FOR-US: Pixie CMS CVE-2019-10765 (iobroker.admin before 3.6.12 allows attacker to include file contents ...) NOT-FOR-US: ioBroker CVE-2019-10764 (In elliptic-php versions priot to 1.0.6, Timing attacks might be possi ...) NOT-FOR-US: elliptic-php CVE-2019-10763 (pimcore/pimcore before 6.3.0 is vulnerable to SQL Injection. An attack ...) NOT-FOR-US: Pimcore CVE-2019-10762 (columnQuote in medoo before 1.7.5 allows remote attackers to perform a ...) NOT-FOR-US: medoo CVE-2019-10761 RESERVED CVE-2019-10760 (safer-eval before 1.3.2 are vulnerable to Arbitrary Code Execution. A ...) NOT-FOR-US: safer-eval Node module CVE-2019-10759 (safer-eval before 1.3.4 are vulnerable to Arbitrary Code Execution. A ...) NOT-FOR-US: safer-eval Node module CVE-2019-10758 (mongo-express before 0.54.0 is vulnerable to Remote Code Execution via ...) NOT-FOR-US: mongo-express CVE-2019-10757 (knex.js versions before 0.19.5 are vulnerable to SQL Injection attack. ...) NOT-FOR-US: knex.js CVE-2019-10756 (It is possible to inject JavaScript within node-red-dashboard versions ...) NOT-FOR-US: node-red-dashboard CVE-2019-10755 (The SAML identifier generated within SAML2Utils.java was found to make ...) NOT-FOR-US: SAML2Utils.java CVE-2019-10754 (Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes ...) NOT-FOR-US: Apereo Central Authentication Service CVE-2019-10753 (In all versions prior to version 3.9.6 for eclipse-wtp, all versions p ...) NOT-FOR-US: eclipse-wtp CVE-2019-10752 (Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnera ...) NOT-FOR-US: sequelize Node module CVE-2019-10751 (All versions of the HTTPie package prior to version 1.0.3 are vulnerab ...) {DLA-1937-1} - httpie 1.0.3-1 (bug #940058) [buster] - httpie (Minor issue) [stretch] - httpie (Minor issue) NOTE: https://snyk.io/vuln/SNYK-PYTHON-HTTPIE-460107 NOTE: https://github.com/jakubroztocil/httpie/commit/df36d6255df5793129b02ac82f1010171bd8a0a8 CVE-2019-10750 (deeply is vulnerable to Prototype Pollution in versions before 3.1.0. ...) NOT-FOR-US: deeply CVE-2019-10749 (sequelize before version 3.35.1 allows attackers to perform a SQL Inje ...) NOT-FOR-US: sequelize CVE-2019-10748 (Sequelize all versions prior to 3.35.1, 4.44.3, and 5.8.11 are vulnera ...) NOT-FOR-US: sequelize CVE-2019-10747 (set-value is vulnerable to Prototype Pollution in versions lower than ...) [experimental] - node-set-value 3.0.1-1 - node-set-value 0.4.0-2 (bug #941189) [buster] - node-set-value 0.4.0-1+deb10u1 [stretch] - node-set-value (Nodejs in stretch not covered by security support) NOTE: https://snyk.io/vuln/SNYK-JS-SETVALUE-450213 CVE-2019-10746 (mixin-deep is vulnerable to Prototype Pollution in versions before 1.3 ...) - node-mixin-deep 2.0.1-1 (bug #932500) [buster] - node-mixin-deep 1.1.3-3+deb10u1 [stretch] - node-mixin-deep 1.1.3-1+deb9u1 NOTE: https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212 NOTE: https://github.com/jonschlinkert/mixin-deep/commit/8f464c8ce9761a8c9c2b3457eaeee9d404fa7af9 NOTE: https://github.com/jonschlinkert/mixin-deep/issues/6 CVE-2019-10745 (assign-deep is vulnerable to Prototype Pollution in versions before 0. ...) NOT-FOR-US: Node assign-deep CVE-2019-10744 (Versions of lodash lower than 4.17.12 are vulnerable to Prototype Poll ...) - node-lodash 4.17.15+dfsg-1 (bug #933079) [buster] - node-lodash 4.17.11+dfsg-2+deb10u1 [stretch] - node-lodash (Nodejs in stretch not covered by security support) [jessie] - node-lodash (Nodejs in jessie not covered by security support) NOTE: https://snyk.io/vuln/SNYK-JS-LODASH-450202 NOTE: https://github.com/lodash/lodash/issues/4348 NOTE: https://github.com/lodash/lodash/pull/4336 CVE-2019-10743 (All versions of archiver allow attacker to perform a Zip Slip attack v ...) NOT-FOR-US: archiver CVE-2019-10742 (Axios up to and including 0.18.0 allows attackers to cause a denial of ...) - node-axios 0.17.1+dfsg-2 (bug #928624) NOTE: https://app.snyk.io/vuln/SNYK-JS-AXIOS-174505 NOTE: https://github.com/axios/axios/issues/1098 NOTE: https://github.com/axios/axios/pull/1485 CVE-2019-10741 (K-9 Mail v5.600 can include the original quoted HTML code of a special ...) NOT-FOR-US: K-9 Mail CVE-2019-10740 (In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIM ...) - roundcube 1.3.10+dfsg.1-1 (bug #927713) [buster] - roundcube 1.3.10+dfsg.1-1~deb10u1 [stretch] - roundcube (Relies on php-crypt-gpg, not in stretch. Old version in 1.3 doesn't verify signature anyway) NOTE: https://github.com/roundcube/roundcubemail/issues/6638 NOTE: https://github.com/roundcube/roundcubemail/commit/de25226d310de11f6a9eb0aa7ea1c90d82dc70d8 (release-1.3) NOTE: https://github.com/roundcube/roundcubemail/commit/8fe12e2fadac9b1ce212341ca3632f85781cfea4 (master) CVE-2019-10739 RESERVED CVE-2019-10738 RESERVED CVE-2019-10737 RESERVED CVE-2019-10736 RESERVED CVE-2019-10735 (In Claws Mail 3.14.1, an attacker in possession of S/MIME or PGP encry ...) - claws-mail (low; bug #926705) [buster] - claws-mail (Revisit when fixed upstream) [stretch] - claws-mail (Revisit when fixed upstream) [jessie] - claws-mail (Revisit when fixed upstream) NOTE: https://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=4159 CVE-2019-10734 (In KDE Trojita 0.7, an attacker in possession of S/MIME or PGP encrypt ...) - trojita (bug #795701) NOTE: https://bugs.kde.org/show_bug.cgi?id=404697 CVE-2019-10733 RESERVED CVE-2019-10732 (In KDE KMail 5.2.3, an attacker in possession of S/MIME or PGP encrypt ...) {DLA-1825-1} - kf5-messagelib 4:19.08.3-1 (bug #926996) [buster] - kf5-messagelib (Minor issue) [stretch] - kf5-messagelib (Minor issue) - kdepim [stretch] - kdepim (Minor issue) NOTE: https://bugs.kde.org/show_bug.cgi?id=404698 NOTE: https://cgit.kde.org/messagelib.git/commit/?id=8f9b85b664be0987014c5d2485e706ab5a198e1b (v19.04.2) CVE-2019-10731 RESERVED CVE-2019-10730 RESERVED CVE-2019-10729 RESERVED CVE-2019-10728 RESERVED CVE-2019-10727 RESERVED CVE-2019-10726 RESERVED CVE-2019-10725 RESERVED CVE-2019-10724 (There is a vulnerability with the Dolby DAX2 API system services in wh ...) NOT-FOR-US: Dolby CVE-2019-10723 (An issue was discovered in PoDoFo 0.9.6. The PdfPagesTreeCache class i ...) - libpodofo (low; bug #926667) [buster] - libpodofo (Minor issue) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (clean exception quit/DoS, low popcon) NOTE: https://sourceforge.net/p/podofo/tickets/46/ CVE-2019-1003099 (A missing permission check in Jenkins openid Plugin in the OpenIdSsoSe ...) NOT-FOR-US: Jenkins openid Plugin CVE-2019-1003098 (A cross-site request forgery vulnerability in Jenkins openid Plugin in ...) NOT-FOR-US: Jenkins openid Plugin CVE-2019-1003097 (Jenkins Crowd Integration Plugin stores credentials unencrypted in the ...) NOT-FOR-US: Jenkins Crowd Integration Plugin CVE-2019-1003096 (Jenkins TestFairy Plugin stores credentials unencrypted in job config. ...) NOT-FOR-US: Jenkins TestFairy Plugin CVE-2019-1003095 (Jenkins Perfecto Mobile Plugin stores credentials unencrypted in its g ...) NOT-FOR-US: Jenkins Perfecto Mobile Plugin CVE-2019-1003094 (Jenkins Open STF Plugin stores credentials unencrypted in its global c ...) NOT-FOR-US: Jenkins Open STF Plugin CVE-2019-1003093 (A missing permission check in Jenkins Nomad Plugin in the NomadCloud.D ...) NOT-FOR-US: Jenkins Nomad Plugin CVE-2019-1003092 (A cross-site request forgery vulnerability in Jenkins Nomad Plugin in ...) NOT-FOR-US: Jenkins Nomad Plugin CVE-2019-1003091 (A missing permission check in Jenkins SOASTA CloudTest Plugin in the C ...) NOT-FOR-US: Jenkins SOASTA CloudTest Plugin CVE-2019-1003090 (A cross-site request forgery vulnerability in Jenkins SOASTA CloudTest ...) NOT-FOR-US: Jenkins SOASTA CloudTest Plugin CVE-2019-1003089 (Jenkins Upload to pgyer Plugin stores credentials unencrypted in job c ...) NOT-FOR-US: Jenkins Upload to pgyer Plugin CVE-2019-1003088 (Jenkins Fabric Beta Publisher Plugin stores credentials unencrypted in ...) NOT-FOR-US: Jenkins Fabric Beta Publisher Plugin CVE-2019-1003087 (A missing permission check in Jenkins Chef Sinatra Plugin in the ChefB ...) NOT-FOR-US: Jenkins Chef Sinatra Plugin CVE-2019-1003086 (A cross-site request forgery vulnerability in Jenkins Chef Sinatra Plu ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003085 (A missing permission check in Jenkins Zephyr Enterprise Test Managemen ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003084 (A cross-site request forgery vulnerability in Jenkins Zephyr Enterpris ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003083 (A missing permission check in Jenkins Gearman Plugin in the GearmanPlu ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003082 (A cross-site request forgery vulnerability in Jenkins Gearman Plugin i ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003081 (A missing permission check in Jenkins OpenShift Deployer Plugin in the ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003080 (A cross-site request forgery vulnerability in Jenkins OpenShift Deploy ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003079 (A missing permission check in Jenkins VMware Lab Manager Slaves Plugin ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003078 (A cross-site request forgery vulnerability in Jenkins VMware Lab Manag ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003077 (A missing permission check in Jenkins Audit to Database Plugin in the ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003076 (A cross-site request forgery vulnerability in Jenkins Audit to Databas ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003075 (Jenkins Audit to Database Plugin stores credentials unencrypted in its ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003074 (Jenkins Hyper.sh Commons Plugin stores credentials unencrypted in its ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003073 (Jenkins VS Team Services Continuous Deployment Plugin stores credentia ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003072 (Jenkins WildFly Deployer Plugin stores credentials unencrypted in job ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003071 (Jenkins OctopusDeploy Plugin stores credentials unencrypted in its glo ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003070 (Jenkins veracode-scanner Plugin stores credentials unencrypted in its ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003069 (Jenkins Aqua Security Scanner Plugin stores credentials unencrypted in ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003068 (Jenkins VMware vRealize Automation Plugin stores credentials unencrypt ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003067 (Jenkins Trac Publisher Plugin stores credentials unencrypted in job co ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003066 (Jenkins Bugzilla Plugin stores credentials unencrypted in its global c ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003065 (Jenkins CloudShare Docker-Machine Plugin stores credentials unencrypte ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003064 (Jenkins aws-device-farm Plugin stores credentials unencrypted in its g ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003063 (Jenkins Amazon SNS Build Notifier Plugin stores credentials unencrypte ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003062 (Jenkins AWS CloudWatch Logs Publisher Plugin stores credentials unencr ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003061 (Jenkins jenkins-cloudformation-plugin Plugin stores credentials unencr ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003060 (Jenkins Official OWASP ZAP Plugin stores credentials unencrypted in it ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003059 (A missing permission check in Jenkins FTP publisher Plugin in the FTPP ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003058 (A cross-site request forgery vulnerability in Jenkins FTP publisher Pl ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003057 (Jenkins Bitbucket Approve Plugin stores credentials unencrypted in its ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003056 (Jenkins WebSphere Deployer Plugin stores credentials unencrypted in jo ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003055 (Jenkins FTP publisher Plugin stores credentials unencrypted in its glo ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003054 (Jenkins Jira Issue Updater Plugin stores credentials unencrypted in jo ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003053 (Jenkins HockeyApp Plugin stores credentials unencrypted in job config. ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003052 (Jenkins AWS Elastic Beanstalk Publisher Plugin stores credentials unen ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003051 (Jenkins IRC Plugin stores credentials unencrypted in its global config ...) NOT-FOR-US: Jenkins plugin CVE-2019-10868 (In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 befo ...) {DSA-4426-1} - tryton-server 5.0.4-2 [jessie] - tryton-server (vulnerable code is not present) NOTE: https://discuss.tryton.org/t/security-release-for-issue8189/1262 NOTE: https://bugs.tryton.org/issue8189 NOTE: https://hg.tryton.org/trytond/rev/f58bbfe0aefb CVE-2019-10722 RESERVED CVE-2019-10721 (BlogEngine.NET 3.3.7.0 allows a Client Side URL Redirect via the Retur ...) NOT-FOR-US: BlogEngine.NET CVE-2019-10720 (BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remo ...) NOT-FOR-US: BlogEngine.NET CVE-2019-10719 (BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remo ...) NOT-FOR-US: BlogEngine.NET CVE-2019-10718 (BlogEngine.NET 3.3.7.0 and earlier allows XML External Entity Blind In ...) NOT-FOR-US: BlogEngine.NET CVE-2019-10717 (BlogEngine.NET 3.3.7.0 allows /api/filemanager Directory Traversal via ...) NOT-FOR-US: BlogEngine.NET CVE-2019-10716 (An Information Disclosure issue in Verodin Director 3.5.3.1 and earlie ...) NOT-FOR-US: Verodin Director CVE-2019-10715 (There is Stored XSS in Verodin Director 3.5.3.0 and earlier via input ...) NOT-FOR-US: Verodin Director CVE-2019-10714 (LocaleLowercase in MagickCore/locale.c in ImageMagick before 7.0.8-32 ...) - imagemagick (Vulnerable code introduced later) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1495 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/aa6a769bd85f6750c26e53e53dcd8a2678745501 NOTE: Issue introduced while fixing https://github.com/ImageMagick/ImageMagick/issues/1455 CVE-2019-10713 RESERVED CVE-2019-10712 (The Web-GUI on WAGO Series 750-88x (750-330, 750-352, 750-829, 750-831 ...) NOT-FOR-US: WAGO Series devices CVE-2019-10711 (Incorrect access control in the RTSP stream and web portal on all IP c ...) NOT-FOR-US: IP cameras based on Hisilicon Hi3510 firmware CVE-2019-10710 (Insecure permissions in the Web management portal on all IP cameras ba ...) NOT-FOR-US: IP cameras based on Hisilicon Hi3510 firmware CVE-2019-10709 (AsusPTPFilter.sys on Asus Precision TouchPad 11.0.0.25 hardware has a ...) NOT-FOR-US: Asus CVE-2019-10708 (S-CMS PHP v1.0 has SQL injection via the 4/js/scms.php?action=unlike i ...) NOT-FOR-US: S-CMS PHP CVE-2019-10707 (MKCMS V5.0 has SQL injection via the bplay.php play parameter. ...) NOT-FOR-US: MKCMS CVE-2019-10706 (Western Digital SanDisk SanDisk X300, X300s, X400, and X600 devices: T ...) NOT-FOR-US: Western Digital CVE-2019-10705 (Western Digital SanDisk X600 devices in certain configurations, a vuln ...) NOT-FOR-US: Western Digital CVE-2019-10704 RESERVED CVE-2019-10703 RESERVED CVE-2019-10702 RESERVED CVE-2019-10701 RESERVED CVE-2019-10700 RESERVED CVE-2019-10699 RESERVED CVE-2019-10698 RESERVED CVE-2019-10697 RESERVED CVE-2019-10696 RESERVED CVE-2019-10695 (When using the cd4pe::root_configuration task to configure a Continuou ...) NOT-FOR-US: cd4pe Puppet module CVE-2019-10694 (The express install, which is the suggested way to install Puppet Ente ...) NOT-FOR-US: Puppet Enterprise CVE-2019-10693 RESERVED CVE-2019-10692 (In the wp-google-maps plugin before 7.11.18 for WordPress, includes/cl ...) NOT-FOR-US: wp-google-maps plugin for WordPress CVE-2019-10691 (The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeate ...) - dovecot 1:2.3.4.1-4 [stretch] - dovecot (Vulnerable code not present, introduced in 2.3) [jessie] - dovecot (Vulnerable code not present, introduced in 2.3) NOTE: https://www.openwall.com/lists/oss-security/2019/04/18/3 CVE-2019-10690 RESERVED CVE-2019-10689 (VVX products using UCS software version 5.9.2 and earlier with Better ...) NOT-FOR-US: VVX products using UCS software CVE-2019-10688 (VVX products with software versions including and prior to, UCS 5.9.2 ...) NOT-FOR-US: VVX products using UCS CVE-2019-10687 (KBPublisher 6.0.2.1 has SQL Injection via the admin/index.php?module=r ...) NOT-FOR-US: KBPublisher CVE-2019-10686 (An SSRF vulnerability was found in an API from Ctrip Apollo through 1. ...) NOT-FOR-US: Ctrip Apollo CVE-2019-10685 (A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in ...) NOT-FOR-US: Heidelberg Prinect Archiver CVE-2019-10684 (Application/Admin/Controller/ConfigController.class.php in 74cms v5.0. ...) NOT-FOR-US: 74cms CVE-2019-10683 RESERVED CVE-2019-10682 (django-nopassword before 5.0.0 stores cleartext secrets in the databas ...) NOT-FOR-US: django-nopassword CVE-2019-10681 RESERVED CVE-2019-10680 RESERVED CVE-2019-10679 RESERVED CVE-2019-10678 (Domoticz before 4.10579 neglects to categorize \n and \r as insecure a ...) - domoticz (bug #899058) CVE-2019-10677 (Multiple Cross-Site Scripting (XSS) issues in the web interface on DAS ...) NOT-FOR-US: DASAN CVE-2019-10676 (An issue was discovered in Uniqkey Password Manager 1.14. Upon enterin ...) NOT-FOR-US: Uniqkey Password Manager CVE-2019-10675 REJECTED CVE-2019-10674 RESERVED CVE-2019-10673 (A CSRF vulnerability in a logged-in user's profile edit form in the Ul ...) NOT-FOR-US: Ultimate Member plugin for WordPress CVE-2019-10671 (An issue was discovered in LibreNMS through 1.47. It does not paramete ...) NOT-FOR-US: LibreNMS CVE-2019-10670 (An issue was discovered in LibreNMS through 1.47. Many of the scripts ...) NOT-FOR-US: LibreNMS CVE-2019-10669 (An issue was discovered in LibreNMS through 1.47. There is a command i ...) NOT-FOR-US: LibreNMS CVE-2019-10668 (An issue was discovered in LibreNMS through 1.47. A number of scripts ...) NOT-FOR-US: LibreNMS CVE-2019-10667 (An issue was discovered in LibreNMS through 1.47. Information disclosu ...) NOT-FOR-US: LibreNMS CVE-2019-10666 (An issue was discovered in LibreNMS through 1.47. Several of the scrip ...) NOT-FOR-US: LibreNMS CVE-2019-10665 (An issue was discovered in LibreNMS through 1.47. The scripts that han ...) NOT-FOR-US: LibreNMS CVE-2019-10664 (Domoticz before 4.10578 allows SQL Injection via the idx parameter in ...) - domoticz (bug #899058) CVE-2019-10672 (treeRead in hdf/btree.c in libmysofa before 0.7 does not properly vali ...) - libmysofa 0.6~dfsg0-3 (bug #926125) NOTE: https://github.com/hoene/libmysofa/commit/d39a171e9c6a1c44dbdf43f9db6c3fbd887e38c1 CVE-2019-10663 (Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticate ...) NOT-FOR-US: Grandstream CVE-2019-10662 (Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticate ...) NOT-FOR-US: Grandstream CVE-2019-10661 (On Grandstream GXV3611IR_HD before 1.0.3.23 devices, the root account ...) NOT-FOR-US: Grandstream CVE-2019-10660 (Grandstream GXV3611IR_HD before 1.0.3.23 devices allow remote authenti ...) NOT-FOR-US: Grandstream CVE-2019-10659 (Grandstream GXV3370 before 1.0.1.41 and WP820 before 1.0.3.6 devices a ...) NOT-FOR-US: Grandstream CVE-2019-10658 (Grandstream GWN7610 before 1.0.8.18 devices allow remote authenticated ...) NOT-FOR-US: Grandstream CVE-2019-10657 (Grandstream GWN7000 before 1.0.6.32 and GWN7610 before 1.0.8.18 device ...) NOT-FOR-US: Grandstream CVE-2019-10656 (Grandstream GWN7000 before 1.0.6.32 devices allow remote authenticated ...) NOT-FOR-US: Grandstream CVE-2019-10655 (Grandstream GAC2500 1.0.3.35, GXP2200 1.0.3.27, GVC3202 1.0.3.51, GXV3 ...) NOT-FOR-US: Grandstream CVE-2019-10654 (The lzo1x_decompress function in liblzo2.so.2 in LZO 2.10, as used in ...) - lrzip (unimportant) NOTE: https://github.com/ckolivas/lrzip/issues/108 NOTE: Crash in CLI tool, no security impact CVE-2019-10653 (An issue was discovered in Hsycms V1.1. There is a SQL injection vulne ...) NOT-FOR-US: Hsycms CVE-2019-10652 (An issue was discovered in flatCore 1.4.7. acp/acp.php allows remote a ...) NOT-FOR-US: flatCore CVE-2019-10651 (An issue was discovered in the Core Server in Ivanti Endpoint Manager ...) NOT-FOR-US: Ivanti CVE-2019-10650 (In ImageMagick 7.0.8-36 Q16, there is a heap-based buffer over-read in ...) {DSA-4436-1 DLA-1785-1} - imagemagick 8:6.9.10.23+dfsg-2.1 (bug #926091) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1532 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/4800ae0dabdb3012f82820af946060c3ca9fdb87 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/d8d844c6f23f4d90d8fe893fe9225dd78fc1e6ef CVE-2019-10649 (In ImageMagick 7.0.8-36 Q16, there is a memory leak in the function SV ...) {DSA-4712-1} - imagemagick (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1533 NOTE: https://github.com/ImageMagick/ImageMagick/commit/d3ae9c19125c8704b4866381f7a064ca2cbdc006 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/e3417aebe17cbe274b7361aa92c83226ca5b646b CVE-2019-10648 (Robocode through 1.9.3.5 allows remote attackers to cause external ser ...) - robocode 1.9.3.3-2 (low; bug #926088) [stretch] - robocode (Minor issue) [jessie] - robocode (games are not supported) NOTE: https://github.com/robo-code/robocode/commit/836c84635e982e74f2f2771b2c8640c3a34221bd#diff-0296a8f9d4a509789f4dc4f052d9c36f NOTE: https://sourceforge.net/p/robocode/bugs/406/ CVE-2019-10647 (ZZZCMS zzzphp v1.6.3 allows remote attackers to execute arbitrary PHP ...) NOT-FOR-US: ZZZCMS zzzphp CVE-2019-10646 (Wolf CMS v0.8.3.1 is affected by cross site scripting (XSS) in the mod ...) NOT-FOR-US: Wolf CMS CVE-2019-10645 RESERVED CVE-2019-10644 (An issue was discovered in HYBBS 2.2. /?admin/user.html has a CSRF vul ...) NOT-FOR-US: HYBBS CVE-2019-10643 (Contao 4.7 allows Use of a Key Past its Expiration Date. ...) NOT-FOR-US: Contao CVE-2019-10642 (Contao 4.7 allows CSRF. ...) NOT-FOR-US: Contao CVE-2019-10641 (Contao before 3.5.39 and 4.x before 4.7.3 has a Weak Password Recovery ...) NOT-FOR-US: Contao CVE-2019-10640 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.8.6+dfsg-1 (bug #926482) NOTE: https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/ CVE-2019-10639 (The Linux kernel 4.x (starting from 4.1) and 5.x before 5.0.8 allows I ...) {DSA-4497-1 DLA-1885-1 DLA-1862-1} - linux 4.19.37-1 NOTE: https://arxiv.org/pdf/1906.10478.pdf CVE-2019-10638 (In the Linux kernel before 5.1.7, a device can be tracked by an attack ...) {DSA-4497-1 DSA-4495-1 DLA-1885-1 DLA-1884-1} - linux 5.2.6-1 NOTE: https://arxiv.org/pdf/1906.10478.pdf CVE-2019-10637 (Marvell SSD Controller (88SS1074, 88SS1079, 88SS1080, 88SS1093, 88SS10 ...) NOT-FOR-US: Marvell CVE-2019-10636 (Marvell SSD Controller (88SS1074, 88SS1079, 88SS1080, 88SS1093, 88SS10 ...) NOT-FOR-US: Marvell CVE-2019-10635 RESERVED CVE-2019-10634 (An XSS vulnerability in the Zyxel NAS 326 version 5.21 and below allow ...) NOT-FOR-US: Zyxel CVE-2019-10633 (An eval injection vulnerability in the Python web server routing on th ...) NOT-FOR-US: Zyxel CVE-2019-10632 (A directory traversal vulnerability in the file browser component on t ...) NOT-FOR-US: Zyxel CVE-2019-10631 (Shell Metacharacter Injection in the package installer on Zyxel NAS 32 ...) NOT-FOR-US: Zyxel CVE-2019-10630 (A plaintext password vulnerability in the Zyxel NAS 326 through 5.21 a ...) NOT-FOR-US: Zyxel CVE-2019-10629 RESERVED CVE-2019-10628 RESERVED CVE-2019-10627 (Integer overflow to buffer overflow vulnerability in PostScript image ...) NOT-FOR-US: Qualcomm CVE-2019-10626 (Payload size is not validated before reading memory that may cause iss ...) NOT-FOR-US: Snapdragon CVE-2019-10625 (Out of bound access in diag services when DCI command buffer reallocat ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10624 (While handling the vendor command there is an integer truncation issue ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10623 (Possible integer overflow can happen in host driver while processing u ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10622 (Out of bound memory access can happen while parsing ADSP message due t ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10621 (Use after free issue when MAP and UNMAP calls at same time as data str ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10620 (Kernel memory error in debug module due to improper check of user data ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10619 RESERVED CVE-2019-10618 (Driver may access an invalid address while processing IO control due t ...) NOT-FOR-US: Snapdragon CVE-2019-10617 (Low privilege users can access service configuration which contains re ...) NOT-FOR-US: Qualcomm CVE-2019-10616 (Possibility of null pointer access if the SPDM commands are executed i ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10615 RESERVED CVE-2019-10614 (Out of boundary access is possible as there is no validation of data a ...) NOT-FOR-US: Snapdragon CVE-2019-10613 RESERVED CVE-2019-10612 (UTCB object has a function pointer called by the reaper to deallocate ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10611 (Buffer overflow can occur while processing clip due to lack of check o ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10610 (Possible buffer over read when trying to process SDP message Video med ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10609 (Out of bound write can happen due to lack of check of array index valu ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10608 (Information disclosure issue occurs as there is no binding between the ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10607 (Out of bounds memcpy can occur by providing the embedded NULL characte ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10606 (Out-of-bound access will occur in USB driver due to lack of check to v ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10605 (Buffer overwrite can occur in IEEE80211 header filling function due to ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10604 (Possibility of heap-buffer-overflow during last iteration of loop whil ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10603 (Use after free issue occurs If the real device interface goes down and ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10602 (Potential use-after-free heap error during Validate/Present calls on d ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10601 (Out of bound access can occur while processing firmware event due to l ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10600 (Use of local variable as argument to netlink CB callback goes out of i ...) NOT-FOR-US: Snapdragon CVE-2019-10599 RESERVED CVE-2019-10598 (Out of bound access can occur while processing peer info in IBSS conne ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10597 (kernel writes to user passed address without any checks can lead to ar ...) NOT-FOR-US: Snapdragon CVE-2019-10596 RESERVED CVE-2019-10595 (Possible buffer overwrite in message handler due to lack of validation ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10594 (Stack overflow can occur when SDP is received with multiple payload ty ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10593 (Buffer overflow can occur when processing non standard SDP video Image ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10592 (Possible integer overflow while multiplying two integers of 32 bit in ...) NOT-FOR-US: Snapdragon CVE-2019-10591 (Null pointer dereference can happen when parsing udta atom which is no ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10590 (Out of bound access while parsing dts atom, which is non-standard as i ...) NOT-FOR-US: Snapdragon CVE-2019-10589 (Lack of length check of response buffer can lead to buffer over-flow w ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10588 (Copying RTCP messages into the output buffer without checking the dest ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10587 (Possible Stack overflow can occur when processing a large SDP body or ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10586 (Filling media attribute tag names without validating the destination b ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10585 (Possible integer overflow happens when mmap find function will increme ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10584 (Possibility of out of bound access in debug queue, if packet size fiel ...) NOT-FOR-US: Snapdragon CVE-2019-10583 (Use after free issue occurs when camera access sensors data through di ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10582 (Use after free issue due to using of invalidated iterator to delete an ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10581 (NULL is assigned to local instance of audio device pointer after free ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10580 RESERVED CVE-2019-10579 (Buffer over-read can occur while playing the video clip which is not s ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10578 (Null pointer dereference can occur while parsing the clip which is non ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10577 (Improper input validation while processing SIP URI received from the n ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10576 RESERVED CVE-2019-10575 (Wlan binary which is not signed with OEMs RoT is working on secure dev ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10574 (Lack of boundary checks for data offsets received from HLOS can lead t ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10573 RESERVED CVE-2019-10572 (Improper check in video driver while processing data from video firmwa ...) NOT-FOR-US: Snapdragon CVE-2019-10571 (Snapshot of IB can lead to invalid address access due to missing check ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10570 RESERVED CVE-2019-10569 (Stack buffer overflow due to instance id is misplaced inside definitio ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10568 RESERVED CVE-2019-10567 (There is a way to deceive the GPU kernel driver into thinking there is ...) NOT-FOR-US: Snapdragon CVE-2019-10566 (Buffer overflow can occur in wlan module if supported rates or extende ...) NOT-FOR-US: Snapdragon CVE-2019-10565 (Double free issue can happen when sensor power settings is freed by so ...) NOT-FOR-US: Snapdragon CVE-2019-10564 (Possible OOB issue in EEPROM due to lack of check while accessing memo ...) NOT-FOR-US: Snapdragon CVE-2019-10563 (Buffer over-read can occur in fast message handler due to improper inp ...) NOT-FOR-US: Snapdragon CVE-2019-10562 RESERVED CVE-2019-10561 (Improper initialization of local variables which are parameters to sfs ...) NOT-FOR-US: Snapdragon CVE-2019-10560 RESERVED CVE-2019-10559 (Accessing data buffer beyond the available data while parsing ogg clip ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10558 (While transferring data from APPS to DSP, Out of bound in FastRPC HLOS ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10557 (Out-of-bound read in the wireless driver in the Linux kernel due to la ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10556 (Missing length check before copying the data from kernel space to user ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10555 (Buffer overflow can occur due to usage of wrong datatype and missing l ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10554 (Multiple Read overflows issue due to improper length check while decod ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10553 (Multiple Read overflows due to improper length checks while decoding a ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10552 (Multiple Buffer Over-read issue can happen due to improper length chec ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10551 (String error while processing non standard SIP messages received can l ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10550 (Buffer Over-read when UE is trying to process the message received for ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10549 (Null pointer dereference issue can happen due to improper validation o ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10548 (While trying to obtain datad ipc handle during DPL initialization, Hea ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10547 (When issuing IOCTL calls to ION, Memory leak can occur due to failure ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10546 (Buffer overflow can occur in WLAN firmware while parsing beacon/probe_ ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10545 (Null pointer dereference issue in kernel due to missing check related ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10544 (Improper length check on source buffer to handle userspace data receiv ...) NOT-FOR-US: Snapdragon CVE-2019-10543 RESERVED CVE-2019-10542 (Buffer over-read may occur when downloading a corrupted firmware file ...) NOT-FOR-US: Snapdragon CVE-2019-10541 (Dereference on uninitialized buffer can happen when parsing FLV clip w ...) NOT-FOR-US: Snapdragon CVE-2019-10540 (Buffer overflow in WLAN NAN function due to lack of check of count val ...) NOT-FOR-US: Snapdragon CVE-2019-10539 (Possible buffer overflow issue due to lack of length check when parsin ...) NOT-FOR-US: Snapdragon CVE-2019-10538 (Lack of check of address range received from firmware response allows ...) NOT-FOR-US: Snapdragon CVE-2019-10537 (Improper validation of event buffer extracted from FW response can lea ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10536 (Potential double free scenario if driver receives another DIAG_EVENT_L ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10535 (Improper validation for loop variable received from firmware can lead ...) NOT-FOR-US: Snapdragon CVE-2019-10534 (Null-pointer dereference can occur while accessing the super index ent ...) NOT-FOR-US: Snapdragon CVE-2019-10533 (Out of bound access due to improper validation of array index cause th ...) NOT-FOR-US: Snapdragon CVE-2019-10532 (Null-pointer dereference issue can occur while calculating string leng ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10531 (Incorrect reading of system image resulting in buffer overflow when si ...) NOT-FOR-US: Snapdragon CVE-2019-10530 (Lack of check of data truncation on user supplied data in kernel leads ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10529 (Possible use after free issue due to race condition while attempting t ...) NOT-FOR-US: Snapdragon CVE-2019-10528 (Use after free issue in kernel while accessing freed mdlog session inf ...) NOT-FOR-US: Snapdragon CVE-2019-10527 RESERVED CVE-2019-10526 (Out of bound write in WLAN driver due to NULL character not properly p ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10525 (Buffer overflow during SIB read when network configures complete sib l ...) NOT-FOR-US: Snapdragon CVE-2019-10524 (Lack of check for a negative value returned for get_clk is wrongly int ...) NOT-FOR-US: Snapdragon CVE-2019-10523 (Target specific data is being sent to remote server and leads to infor ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10522 (While playing the clip which is nonstandard buffer overflow can occur ...) NOT-FOR-US: Snapdragon CVE-2019-10521 RESERVED CVE-2019-10520 (An unprivileged application can allocate GPU memory by calling memory ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10519 RESERVED CVE-2019-10518 (Use after free of a pointer in iWLAN scenario during netmgr state tran ...) NOT-FOR-US: Snapdragon CVE-2019-10517 (Memory is being freed up twice when two concurrent threads are executi ...) NOT-FOR-US: Snapdragon CVE-2019-10516 (Multiple read overflows in MM while decoding service accept,service re ...) NOT-FOR-US: Snapdragon CVE-2019-10515 (DCI client which might be preemptively freed up might be accessed for ...) NOT-FOR-US: Snapdragon CVE-2019-10514 RESERVED CVE-2019-10513 (Possibility of Null pointer access if the SPDM commands are executed i ...) NOT-FOR-US: Snapdragon CVE-2019-10512 (Payload size is not checked before using it as array index in audio in ...) NOT-FOR-US: Snapdragon CVE-2019-10511 (Possibility of memory overflow while decoding GSNDCP compressed mode P ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10510 (BT process died and BT toggled due to null pointer dereference when in ...) NOT-FOR-US: Snapdragon CVE-2019-10509 (Device record of the pairing device used after free during ACL disconn ...) NOT-FOR-US: Snapdragon CVE-2019-10508 (Lack of input validation for data received from user space can lead to ...) NOT-FOR-US: Snapdragon CVE-2019-10507 (Lack of check of extscan change results received from firmware can lea ...) NOT-FOR-US: Snapdragon CVE-2019-10506 (While processing QCA_NL80211_VENDOR_SUBCMD_AVOID_FREQUENCY vendor comm ...) NOT-FOR-US: Snapdragon CVE-2019-10505 (Out of bound access while processing a non-standard IE measurement req ...) NOT-FOR-US: Snapdragon CVE-2019-10504 (Firmware not able to send EXT scan response to host within 1 sec due t ...) NOT-FOR-US: Snapdragon CVE-2019-10503 (Out-of-bounds access can occur in camera driver due to improper valida ...) NOT-FOR-US: Snapdragon CVE-2019-10502 (Possible stack overflow when an index equal to io buffer size is acces ...) NOT-FOR-US: Snapdragon CVE-2019-10501 (Possible use after free issue due to improper input validation in volu ...) NOT-FOR-US: Snapdragon CVE-2019-10500 (While processing MT Secondary PDP request, Buffer overflow will happen ...) NOT-FOR-US: Snapdragon CVE-2019-10499 (Improper validation of read and write index of tx and rx fifo`s before ...) NOT-FOR-US: Snapdragon CVE-2019-10498 (Buffer overflow scenario if the client sends more than 5 io_vec reques ...) NOT-FOR-US: Snapdragon CVE-2019-10497 (Use after free issue occurs If another instance of open for voice_svc ...) NOT-FOR-US: Snapdragon CVE-2019-10496 (Lack of checking a variable received from driver and populating in Fir ...) NOT-FOR-US: Snapdragon CVE-2019-10495 (Arbitrary buffer write issue while processing sequence header during H ...) NOT-FOR-US: Snapdragon CVE-2019-10494 (Race condition between the camera functions due to lack of resource lo ...) NOT-FOR-US: Snapdragon CVE-2019-10493 (Position determination accuracy may be degraded due to wrongly decoded ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10492 (Boot image not getting verified by AVB in Snapdragon Auto, Snapdragon ...) NOT-FOR-US: Snapdragon CVE-2019-10491 (ADSP can be compromised since it`s a general-purpose CPU processing un ...) NOT-FOR-US: Snapdragon CVE-2019-10490 (Use after free issue in Xtra daemon shutdown due to static object inst ...) NOT-FOR-US: Snapdragon CVE-2019-10489 (Possible null-pointer dereference can occur while parsing avi clip dur ...) NOT-FOR-US: Snapdragon CVE-2019-10488 (Null pointer dereference can occur while parsing invalid chunks while ...) NOT-FOR-US: Snapdragon CVE-2019-10487 (Buffer over read can happen while parsing SMS OTA messages at transpor ...) NOT-FOR-US: Snapdragon CVE-2019-10486 (Race condition due to the lack of resource lock which will be concurre ...) NOT-FOR-US: Snapdragon CVE-2019-10485 (Infinite loop while decoding compressed data can lead to overrun condi ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10484 (Use after free issue occurs when command destructors access dynamicall ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10483 (Side channel issue in QTEE due to usage of non-time-constant compariso ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10482 (Due to the use of non-time-constant comparison functions there is issu ...) NOT-FOR-US: Snapdragon CVE-2019-10481 (Out of bound access occurs while handling the WMI FW event due to lack ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10480 (Out of bound write can happen in WMI firmware event handler due to lac ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10479 (An issue was discovered on Glory RBW-100 devices with firmware ISP-K05 ...) NOT-FOR-US: Glory RBW-100 devices CVE-2019-10478 (An issue was discovered on Glory RBW-100 devices with firmware ISP-K05 ...) NOT-FOR-US: Glory RBW-100 devices CVE-2019-10477 (The FusionInventory plugin before 1.4 for GLPI 9.3.x and before 1.1 fo ...) NOT-FOR-US: GLPI plugin CVE-2019-10476 (Jenkins Zulip Plugin 1.1.0 and earlier stored credentials unencrypted ...) NOT-FOR-US: Jenkins plugin CVE-2019-10475 (A reflected cross-site scripting vulnerability in Jenkins build-metric ...) NOT-FOR-US: Jenkins plugin CVE-2019-10474 (A missing permission check in Jenkins Global Post Script Plugin in all ...) NOT-FOR-US: Jenkins plugin CVE-2019-10473 (A missing permission check in Jenkins Libvirt Slaves Plugin in form-re ...) NOT-FOR-US: Jenkins plugin CVE-2019-10472 (A missing permission check in Jenkins Libvirt Slaves Plugin allows att ...) NOT-FOR-US: Jenkins plugin CVE-2019-10471 (A cross-site request forgery vulnerability in Jenkins Libvirt Slaves P ...) NOT-FOR-US: Jenkins plugin CVE-2019-10470 (A missing permission check in Jenkins ElasticBox Jenkins Kubernetes CI ...) NOT-FOR-US: Jenkins plugin CVE-2019-10469 (A missing permission check in Jenkins ElasticBox Jenkins Kubernetes CI ...) NOT-FOR-US: Jenkins plugin CVE-2019-10468 (A cross-site request forgery vulnerability in Jenkins ElasticBox Jenki ...) NOT-FOR-US: Jenkins plugin CVE-2019-10467 (Jenkins Sonar Gerrit Plugin stores credentials unencrypted in job conf ...) NOT-FOR-US: Jenkins plugin CVE-2019-10466 (An XML external entities (XXE) vulnerability in Jenkins 360 FireLine P ...) NOT-FOR-US: Jenkins plugin CVE-2019-10465 (A missing permission check in Jenkins Deploy WebLogic Plugin allows at ...) NOT-FOR-US: Jenkins plugin CVE-2019-10464 (A cross-site request forgery vulnerability in Jenkins Deploy WebLogic ...) NOT-FOR-US: Jenkins plugin CVE-2019-10463 (A missing permission check in Jenkins Dynatrace Application Monitoring ...) NOT-FOR-US: Jenkins plugin CVE-2019-10462 (A cross-site request forgery vulnerability in Jenkins Dynatrace Applic ...) NOT-FOR-US: Jenkins plugin CVE-2019-10461 (Jenkins Dynatrace Application Monitoring Plugin 2.1.3 and earlier stor ...) NOT-FOR-US: Jenkins plugin CVE-2019-10460 (Jenkins Bitbucket OAuth Plugin 0.9 and earlier stored credentials unen ...) NOT-FOR-US: Jenkins plugin CVE-2019-10459 (Jenkins Mattermost Notification Plugin 2.7.0 and earlier stored webhoo ...) NOT-FOR-US: Jenkins plugin CVE-2019-10458 (Jenkins Puppet Enterprise Pipeline 1.3.1 and earlier specifies unsafe ...) NOT-FOR-US: Jenkins plugin CVE-2019-10457 (A missing permission check in Jenkins Oracle Cloud Infrastructure Comp ...) NOT-FOR-US: Jenkins plugin CVE-2019-10456 (A cross-site request forgery vulnerability in Jenkins Oracle Cloud Inf ...) NOT-FOR-US: Jenkins plugin CVE-2019-10455 (A missing permission check in Jenkins Rundeck Plugin allows attackers ...) NOT-FOR-US: Jenkins plugin CVE-2019-10454 (A cross-site request forgery vulnerability in Jenkins Rundeck Plugin a ...) NOT-FOR-US: Jenkins plugin CVE-2019-10453 (Jenkins Delphix Plugin stores credentials unencrypted in its global co ...) NOT-FOR-US: Jenkins plugin CVE-2019-10452 (Jenkins View26 Test-Reporting Plugin stores credentials unencrypted in ...) NOT-FOR-US: Jenkins plugin CVE-2019-10451 (Jenkins SOASTA CloudTest Plugin stores credentials unencrypted in its ...) NOT-FOR-US: Jenkins plugin CVE-2019-10450 (Jenkins ElasticBox CI Plugin stores credentials unencrypted in the glo ...) NOT-FOR-US: Jenkins plugin CVE-2019-10449 (Jenkins Fortify on Demand Plugin stores credentials unencrypted in job ...) NOT-FOR-US: Jenkins plugin CVE-2019-10448 (Jenkins Extensive Testing Plugin stores credentials unencrypted in job ...) NOT-FOR-US: Jenkins plugin CVE-2019-10447 (Jenkins Sofy.AI Plugin stores credentials unencrypted in job config.xm ...) NOT-FOR-US: Jenkins plugin CVE-2019-10446 (Jenkins Cadence vManager Plugin 2.7.0 and earlier disabled SSL/TLS and ...) NOT-FOR-US: Jenkins plugin CVE-2019-10445 (A missing permission check in Jenkins Google Kubernetes Engine Plugin ...) NOT-FOR-US: Jenkins plugin CVE-2019-10444 (Jenkins Bumblebee HP ALM Plugin 4.1.3 and earlier unconditionally disa ...) NOT-FOR-US: Jenkins plugin CVE-2019-10443 (Jenkins iceScrum Plugin 1.1.4 and earlier stored credentials unencrypt ...) NOT-FOR-US: Jenkins plugin CVE-2019-10442 (A missing permission check in Jenkins iceScrum Plugin 1.1.5 and earlie ...) NOT-FOR-US: Jenkins plugin CVE-2019-10441 (A cross-site request forgery vulnerability in Jenkins iceScrum Plugin ...) NOT-FOR-US: Jenkins plugin CVE-2019-10440 (Jenkins NeoLoad Plugin 2.2.5 and earlier stored credentials unencrypte ...) NOT-FOR-US: Jenkins plugin CVE-2019-10439 (A missing permission check in Jenkins CRX Content Package Deployer Plu ...) NOT-FOR-US: Jenkins plugin CVE-2019-10438 (A missing permission check in Jenkins CRX Content Package Deployer Plu ...) NOT-FOR-US: Jenkins plugin CVE-2019-10437 (A cross-site request forgery vulnerability in Jenkins CRX Content Pack ...) NOT-FOR-US: Jenkins plugin CVE-2019-10436 (An arbitrary file read vulnerability in Jenkins Google OAuth Credentia ...) NOT-FOR-US: Jenkins plugin CVE-2019-10435 (Jenkins SourceGear Vault Plugin transmits configured credentials in pl ...) NOT-FOR-US: Jenkins plugin CVE-2019-10434 (Jenkins LDAP Email Plugin transmits configured credentials in plain te ...) NOT-FOR-US: Jenkins plugin CVE-2019-10433 (Jenkins Dingding[钉钉] Plugin stores credentials unencrypt ...) NOT-FOR-US: Jenkins plugin CVE-2019-10432 (Jenkins HTML Publisher Plugin 1.20 and earlier did not escape the proj ...) NOT-FOR-US: Jenkins plugin CVE-2019-10431 (A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.64 ...) NOT-FOR-US: Jenkins plugin CVE-2019-10430 (Jenkins NeuVector Vulnerability Scanner Plugin 1.5 and earlier stored ...) NOT-FOR-US: Jenkins plugin CVE-2019-10429 (Jenkins GitLab Logo Plugin stores credentials unencrypted in its globa ...) NOT-FOR-US: Jenkins plugin CVE-2019-10428 (Jenkins Aqua Security Scanner Plugin 3.0.17 and earlier transmitted co ...) NOT-FOR-US: Jenkins plugin CVE-2019-10427 (Jenkins Aqua MicroScanner Plugin 1.0.7 and earlier transmitted configu ...) NOT-FOR-US: Jenkins plugin CVE-2019-10426 (Jenkins Gem Publisher Plugin stores credentials unencrypted in its glo ...) NOT-FOR-US: Jenkins plugin CVE-2019-10425 (Jenkins Google Calendar Plugin stores credentials unencrypted in job c ...) NOT-FOR-US: Jenkins plugin CVE-2019-10424 (Jenkins elOyente Plugin stores credentials unencrypted in its global c ...) NOT-FOR-US: Jenkins plugin CVE-2019-10423 (Jenkins CodeScan Plugin stores credentials unencrypted in its global c ...) NOT-FOR-US: Jenkins plugin CVE-2019-10422 (Jenkins Call Remote Job Plugin stores credentials unencrypted in job c ...) NOT-FOR-US: Jenkins plugin CVE-2019-10421 (Jenkins Azure Event Grid Build Notifier Plugin stores credentials unen ...) NOT-FOR-US: Jenkins plugin CVE-2019-10420 (Jenkins Assembla Plugin stores credentials unencrypted in its global c ...) NOT-FOR-US: Jenkins plugin CVE-2019-10419 (Jenkins vFabric Application Director Plugin stores credentials unencry ...) NOT-FOR-US: Jenkins plugin CVE-2019-10418 (Jenkins Kubernetes :: Pipeline :: Arquillian Steps Plugin provides a c ...) NOT-FOR-US: Jenkins plugin CVE-2019-10417 (Jenkins Kubernetes :: Pipeline :: Kubernetes Steps Plugin provides a c ...) NOT-FOR-US: Jenkins plugin CVE-2019-10416 (Jenkins Violation Comments to GitLab Plugin 2.28 and earlier stored cr ...) NOT-FOR-US: Jenkins plugin CVE-2019-10415 (Jenkins Violation Comments to GitLab Plugin 2.28 and earlier stored cr ...) NOT-FOR-US: Jenkins plugin CVE-2019-10414 (Jenkins Git Changelog Plugin 2.17 and earlier stored credentials unenc ...) NOT-FOR-US: Jenkins plugin CVE-2019-10413 (Jenkins Data Theorem: CI/CD Plugin 1.3 and earlier stored credentials ...) NOT-FOR-US: Jenkins plugin CVE-2019-10412 (Jenkins Inedo ProGet Plugin 1.2 and earlier transmitted configured cre ...) NOT-FOR-US: Jenkins plugin CVE-2019-10411 (Jenkins Inedo BuildMaster Plugin 2.4.0 and earlier transmitted configu ...) NOT-FOR-US: Jenkins plugin CVE-2019-10410 (Jenkins Log Parser Plugin 2.0 and earlier did not escape an error mess ...) NOT-FOR-US: Jenkins plugin CVE-2019-10409 (A missing permission check in Jenkins Project Inheritance Plugin 2.0.0 ...) NOT-FOR-US: Jenkins plugin CVE-2019-10408 (A cross-site request forgery vulnerability in Jenkins Project Inherita ...) NOT-FOR-US: Jenkins plugin CVE-2019-10407 (Jenkins Project Inheritance Plugin 2.0.0 and earlier displayed a list ...) NOT-FOR-US: Jenkins plugin CVE-2019-10406 (Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or ...) NOT-FOR-US: Jenkins CVE-2019-10405 (Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value o ...) NOT-FOR-US: Jenkins CVE-2019-10404 (Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the ...) NOT-FOR-US: Jenkins CVE-2019-10403 (Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the ...) NOT-FOR-US: Jenkins CVE-2019-10402 (In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:combobox ...) NOT-FOR-US: Jenkins CVE-2019-10401 (In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:expandabl ...) NOT-FOR-US: Jenkins CVE-2019-10400 (A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 ...) NOT-FOR-US: Jenkins plugin CVE-2019-10399 (A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 ...) NOT-FOR-US: Jenkins plugin CVE-2019-10398 (Jenkins Beaker Builder Plugin 1.9 and earlier stored credentials unenc ...) NOT-FOR-US: Jenkins plugin CVE-2019-10397 (Jenkins Aqua Security Serverless Scanner Plugin 1.0.4 and earlier tran ...) NOT-FOR-US: Jenkins plugin CVE-2019-10396 (Jenkins Dashboard View Plugin 2.11 and earlier did not escape build de ...) NOT-FOR-US: Jenkins plugin CVE-2019-10395 (Jenkins Build Environment Plugin 1.6 and earlier did not escape variab ...) NOT-FOR-US: Jenkins plugin CVE-2019-10394 (A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 ...) NOT-FOR-US: Jenkins plugin CVE-2019-10393 (A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 ...) NOT-FOR-US: Jenkins plugin CVE-2019-10392 (Jenkins Git Client Plugin 2.8.4 and earlier did not properly restrict ...) NOT-FOR-US: Jenkins plugin CVE-2019-10391 (Jenkins IBM Application Security on Cloud Plugin 1.2.4 and earlier tra ...) NOT-FOR-US: IBM CVE-2019-10390 (A sandbox bypass vulnerability in Jenkins Splunk Plugin 1.7.4 and earl ...) NOT-FOR-US: Jenkins plugin CVE-2019-10389 (A missing permission check in Jenkins Relution Enterprise Appstore Pub ...) NOT-FOR-US: Jenkins plugin CVE-2019-10388 (A cross-site request forgery vulnerability in Jenkins Relution Enterpr ...) NOT-FOR-US: Jenkins plugin CVE-2019-10387 (A missing permission check in Jenkins XL TestView Plugin 1.2.0 and ear ...) NOT-FOR-US: Jenkins plugin CVE-2019-10386 (A cross-site request forgery vulnerability in Jenkins XL TestView Plug ...) NOT-FOR-US: Jenkins plugin CVE-2019-10385 (Jenkins eggPlant Plugin 2.2 and earlier stores credentials unencrypted ...) NOT-FOR-US: Jenkins plugin CVE-2019-10384 (Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to ob ...) NOT-FOR-US: Jenkins CVE-2019-10383 (A stored cross-site scripting vulnerability in Jenkins 2.191 and earli ...) NOT-FOR-US: Jenkins CVE-2019-10382 (Jenkins VMware Lab Manager Slaves Plugin 0.2.8 and earlier disables SS ...) NOT-FOR-US: Jenkins plugin CVE-2019-10381 (Jenkins Codefresh Integration Plugin 1.8 and earlier disables SSL/TLS ...) NOT-FOR-US: Jenkins plugin CVE-2019-10380 (Jenkins Simple Travis Pipeline Runner Plugin 1.0 and earlier specifies ...) NOT-FOR-US: Jenkins plugin CVE-2019-10379 (Jenkins Google Cloud Messaging Notification Plugin 1.0 and earlier sto ...) NOT-FOR-US: Jenkins plugin CVE-2019-10378 (Jenkins TestLink Plugin 3.16 and earlier stores credentials unencrypte ...) NOT-FOR-US: Jenkins plugin CVE-2019-10377 (A missing permission check in Jenkins Avatar Plugin 1.2 and earlier al ...) NOT-FOR-US: Jenkins plugin CVE-2019-10376 (A reflected cross-site scripting vulnerability in Jenkins Wall Display ...) NOT-FOR-US: Jenkins plugin CVE-2019-10375 (An arbitrary file read vulnerability in Jenkins File System SCM Plugin ...) NOT-FOR-US: Jenkins plugin CVE-2019-10374 (A stored cross-site scripting vulnerability in Jenkins PegDown Formatt ...) NOT-FOR-US: Jenkins plugin CVE-2019-10373 (A stored cross-site scripting vulnerability in Jenkins Build Pipeline ...) NOT-FOR-US: Jenkins plugin CVE-2019-10372 (An open redirect vulnerability in Jenkins Gitlab Authentication Plugin ...) NOT-FOR-US: Jenkins plugin CVE-2019-10371 (A session fixation vulnerability in Jenkins Gitlab Authentication Plug ...) NOT-FOR-US: Jenkins plugin CVE-2019-10370 (Jenkins Mask Passwords Plugin 2.12.0 and earlier transmits globally co ...) NOT-FOR-US: Jenkins plugin CVE-2019-10369 (A missing permission check in Jenkins JClouds Plugin 2.14 and earlier ...) NOT-FOR-US: Jenkins plugin CVE-2019-10368 (A cross-site request forgery vulnerability in Jenkins JClouds Plugin 2 ...) NOT-FOR-US: Jenkins plugin CVE-2019-10367 (Due to an incomplete fix of CVE-2019-10343, Jenkins Configuration as C ...) NOT-FOR-US: Jenkins plugin CVE-2019-10366 (Jenkins Skytap Cloud CI Plugin 2.06 and earlier stored credentials une ...) NOT-FOR-US: Jenkins Skytap Cloud CI Plugin CVE-2019-10365 (Jenkins Google Kubernetes Engine Plugin 0.6.2 and earlier created a te ...) NOT-FOR-US: Jenkins Google Kubernetes Engine Plugin CVE-2019-10364 (Jenkins Amazon EC2 Plugin 1.43 and earlier wrote the beginning of priv ...) NOT-FOR-US: Jenkins Amazon EC2 Plugin CVE-2019-10363 (Jenkins Configuration as Code Plugin 1.24 and earlier did not reliably ...) NOT-FOR-US: Jenkins Configuration as Code Plugin CVE-2019-10362 (Jenkins Configuration as Code Plugin 1.24 and earlier did not escape v ...) NOT-FOR-US: Jenkins Configuration as Code Plugin CVE-2019-10361 (Jenkins Maven Release Plugin 0.14.0 and earlier stored credentials une ...) NOT-FOR-US: Jenkins Maven Release Plugin CVE-2019-10360 (A stored cross site scripting vulnerability in Jenkins Maven Release P ...) NOT-FOR-US: Jenkins Maven Release Plugin CVE-2019-10359 (A cross-site request forgery vulnerability in Jenkins Maven Release Pl ...) NOT-FOR-US: Jenkins Maven Release Plugin CVE-2019-10358 (Jenkins Maven Integration Plugin 3.3 and earlier did not apply build l ...) NOT-FOR-US: Jenkins Maven Integration Plugi CVE-2019-10357 (A missing permission check in Jenkins Pipeline: Shared Groovy Librarie ...) NOT-FOR-US: Jenkins Pipeline: Shared Groovy Libraries Plugin CVE-2019-10356 (A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 ...) NOT-FOR-US: Jenkins Script Security Plugin CVE-2019-10355 (A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 ...) NOT-FOR-US: Jenkins Script Security Plugin CVE-2019-10354 (A vulnerability in the Stapler web framework used in Jenkins 2.185 and ...) NOT-FOR-US: Jenkins CVE-2019-10353 (CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did ...) NOT-FOR-US: Jenkins CVE-2019-10352 (A path traversal vulnerability in Jenkins 2.185 and earlier, LTS 2.176 ...) NOT-FOR-US: Jenkins CVE-2019-10351 (Jenkins Caliper CI Plugin stores credentials unencrypted in job config ...) NOT-FOR-US: Jenkins plugin CVE-2019-10350 (Jenkins Port Allocator Plugin stores credentials unencrypted in job co ...) NOT-FOR-US: Jenkins plugin CVE-2019-10349 (A stored cross site scripting vulnerability in Jenkins Dependency Grap ...) NOT-FOR-US: Jenkins plugin CVE-2019-10348 (Jenkins Gogs Plugin stored credentials unencrypted in job config.xml f ...) NOT-FOR-US: Jenkins plugin CVE-2019-10347 (Jenkins Mashup Portlets Plugin stored credentials unencrypted on the J ...) NOT-FOR-US: Jenkins plugin CVE-2019-10346 (A reflected cross site scripting vulnerability in Jenkins Embeddable B ...) NOT-FOR-US: Jenkins plugin CVE-2019-10345 (Jenkins Configuration as Code Plugin 1.20 and earlier did not treat th ...) NOT-FOR-US: Jenkins Configuration as Code Plugin CVE-2019-10344 (Missing permission checks in Jenkins Configuration as Code Plugin 1.24 ...) NOT-FOR-US: Jenkins Configuration as Code Plugin CVE-2019-10343 (Jenkins Configuration as Code Plugin 1.24 and earlier did not properly ...) NOT-FOR-US: Jenkins Configuration as Code Plugin CVE-2019-10342 (A missing permission check in Jenkins Docker Plugin 1.1.6 and earlier ...) NOT-FOR-US: Jenkins plugin CVE-2019-10341 (A missing permission check in Jenkins Docker Plugin 1.1.6 and earlier ...) NOT-FOR-US: Jenkins plugin CVE-2019-10340 (A cross-site request forgery vulnerability in Jenkins Docker Plugin 1. ...) NOT-FOR-US: Jenkins plugin CVE-2019-10339 (A missing permission check in Jenkins JX Resources Plugin 1.0.36 and e ...) NOT-FOR-US: Jenkins plugin CVE-2019-10338 (A cross-site request forgery vulnerability in Jenkins JX Resources Plu ...) NOT-FOR-US: Jenkins plugin CVE-2019-10337 (An XML external entities (XXE) vulnerability in Jenkins Token Macro Pl ...) NOT-FOR-US: Jenkins plugin CVE-2019-10336 (A reflected cross site scripting vulnerability in Jenkins ElectricFlow ...) NOT-FOR-US: Jenkins plugin CVE-2019-10335 (A stored cross site scripting vulnerability in Jenkins ElectricFlow Pl ...) NOT-FOR-US: Jenkins plugin CVE-2019-10334 (Jenkins ElectricFlow Plugin 1.1.5 and earlier disabled SSL/TLS and hos ...) NOT-FOR-US: Jenkins plugin CVE-2019-10333 (Missing permission checks in Jenkins ElectricFlow Plugin 1.1.5 and ear ...) NOT-FOR-US: Jenkins plugin CVE-2019-10332 (A missing permission check in Jenkins ElectricFlow Plugin 1.1.5 and ea ...) NOT-FOR-US: Jenkins plugin CVE-2019-10331 (A cross-site request forgery vulnerability in Jenkins ElectricFlow Plu ...) NOT-FOR-US: Jenkins plugin CVE-2019-10330 (Jenkins Gitea Plugin 1.1.1 and earlier did not implement trusted revis ...) NOT-FOR-US: Jenkins plugin CVE-2019-10329 (Jenkins InfluxDB Plugin 1.21 and earlier stored credentials unencrypte ...) NOT-FOR-US: Jenkins plugin CVE-2019-10328 (Jenkins Pipeline Remote Loader Plugin 1.4 and earlier provided a custo ...) NOT-FOR-US: Jenkins plugin CVE-2019-10327 (An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven ...) NOT-FOR-US: Jenkins plugin CVE-2019-10326 (A cross-site request forgery vulnerability in Jenkins Warnings NG Plug ...) NOT-FOR-US: Jenkins plugin CVE-2019-10325 (A cross-site scripting vulnerability in Jenkins Warnings NG Plugin 5.0 ...) NOT-FOR-US: Jenkins plugin CVE-2019-10324 (A cross-site request forgery vulnerability in Jenkins Artifactory Plug ...) NOT-FOR-US: Jenkins plugin CVE-2019-10323 (A missing permission check in Jenkins Artifactory Plugin 3.2.3 and ear ...) NOT-FOR-US: Jenkins plugin CVE-2019-10322 (A missing permission check in Jenkins Artifactory Plugin 3.2.2 and ear ...) NOT-FOR-US: Jenkins plugin CVE-2019-10321 (A cross-site request forgery vulnerability in Jenkins Artifactory Plug ...) NOT-FOR-US: Jenkins plugin CVE-2019-10320 (Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permi ...) NOT-FOR-US: Jenkins plugin CVE-2019-10319 (A missing permission check in Jenkins PAM Authentication Plugin 1.5 an ...) NOT-FOR-US: Jenkins plugin CVE-2019-10318 (Jenkins Azure AD Plugin 0.3.3 and earlier stored the client secret une ...) NOT-FOR-US: Jenkins Azure AD Plugin CVE-2019-10317 (Jenkins SiteMonitor Plugin 0.5 and earlier disabled SSL/TLS and hostna ...) NOT-FOR-US: Jenkins SiteMonitor Plugin CVE-2019-10316 (Jenkins Aqua MicroScanner Plugin 1.0.5 and earlier stored credentials ...) NOT-FOR-US: Jenkins Aqua MicroScanner Plugin CVE-2019-10315 (Jenkins GitHub Authentication Plugin 0.31 and earlier did not use the ...) NOT-FOR-US: Jenkins GitHub Authentication Plugin CVE-2019-10314 (Jenkins Koji Plugin disables SSL/TLS and hostname verification globall ...) NOT-FOR-US: Jenkins Koji Plugin CVE-2019-10313 (Jenkins Twitter Plugin stores credentials unencrypted in its global co ...) NOT-FOR-US: Jenkins Twitter Plugin CVE-2019-10312 (A missing permission check in Jenkins Ansible Tower Plugin 0.9.1 and e ...) NOT-FOR-US: Jenkins Ansible Tower Plugin CVE-2019-10311 (A missing permission check in Jenkins Ansible Tower Plugin 0.9.1 and e ...) NOT-FOR-US: Jenkins Ansible Tower Plugin CVE-2019-10310 (A cross-site request forgery vulnerability in Jenkins Ansible Tower Pl ...) NOT-FOR-US: Jenkins Ansible Tower Plugin CVE-2019-10309 (Jenkins Self-Organizing Swarm Plug-in Modules Plugin clients that use ...) NOT-FOR-US: Jenkins Self-Organizing Swarm Plug-in Modules Plugin clients CVE-2019-10308 (A missing permission check in Jenkins Static Analysis Utilities Plugin ...) NOT-FOR-US: Jenkins Static Analysis Utilities Plugin CVE-2019-10307 (A cross-site request forgery vulnerability in Jenkins Static Analysis ...) NOT-FOR-US: Jenkins Static Analysis Utilities Plugin CVE-2019-10306 (A sandbox bypass vulnerability in Jenkins ontrack Plugin 3.4 and earli ...) NOT-FOR-US: Jenkins plugin CVE-2019-10305 (A missing permission check in Jenkins XebiaLabs XL Deploy Plugin in th ...) NOT-FOR-US: Jenkins plugin CVE-2019-10304 (A cross-site request forgery vulnerability in Jenkins XebiaLabs XL Dep ...) NOT-FOR-US: Jenkins plugin CVE-2019-10303 (Jenkins Azure PublisherSettings Credentials Plugin 1.2 and earlier sto ...) NOT-FOR-US: Jenkins plugin CVE-2019-10302 (Jenkins jira-ext Plugin 0.8 and earlier stored credentials unencrypted ...) NOT-FOR-US: Jenkins plugin CVE-2019-10301 (A missing permission check in Jenkins GitLab Plugin 1.5.11 and earlier ...) NOT-FOR-US: Jenkins plugin CVE-2019-10300 (A cross-site request forgery vulnerability in Jenkins GitLab Plugin 1. ...) NOT-FOR-US: Jenkins plugin CVE-2019-10299 (Jenkins CloudCoreo DeployTime Plugin stores credentials unencrypted in ...) NOT-FOR-US: Jenkins CloudCoreo DeployTime Plugin CVE-2019-10298 (Jenkins Koji Plugin stores credentials unencrypted in its global confi ...) NOT-FOR-US: Jenkins Koji Plugin CVE-2019-10297 (Jenkins Sametime Plugin stores credentials unencrypted in its global c ...) NOT-FOR-US: Jenkins Sametime Plugin CVE-2019-10296 (Jenkins Serena SRA Deploy Plugin stores credentials unencrypted in its ...) NOT-FOR-US: Jenkins Serena SRA Deploy Plugin CVE-2019-10295 (Jenkins crittercism-dsym Plugin stores credentials unencrypted in job ...) NOT-FOR-US: Jenkins crittercism-dsym Plugin CVE-2019-10294 (Jenkins Kmap Plugin stores credentials unencrypted in job config.xml f ...) NOT-FOR-US: Jenkins Kmap Plugin CVE-2019-10293 (A missing permission check in Jenkins Kmap Plugin in KmapJenkinsBuilde ...) NOT-FOR-US: Jenkins Kmap Plugin CVE-2019-10292 (A cross-site request forgery vulnerability in Jenkins Kmap Plugin in K ...) NOT-FOR-US: Jenkins Kmap Plugin CVE-2019-10291 (Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older stored credential ...) NOT-FOR-US: Jenkins Netsparker Cloud Scan Plugin CVE-2019-10290 (A missing permission check in Jenkins Netsparker Cloud Scan Plugin 1.1 ...) NOT-FOR-US: Jenkins Netsparker Cloud Scan Plugin CVE-2019-10289 (A cross-site request forgery vulnerability in Jenkins Netsparker Cloud ...) NOT-FOR-US: Jenkins Netsparker Cloud Scan Plugin CVE-2019-10288 (Jenkins Jabber Server Plugin stores credentials unencrypted in its glo ...) NOT-FOR-US: Jenkins Jabber Server Plugin CVE-2019-10287 (Jenkins youtrack-plugin Plugin 0.7.1 and older stored credentials unen ...) NOT-FOR-US: Jenkins youtrack-plugin Plugin CVE-2019-10286 (Jenkins DeployHub Plugin stores credentials unencrypted in job config. ...) NOT-FOR-US: Jenkins DeployHub Plugin CVE-2019-10285 (Jenkins Minio Storage Plugin stores credentials unencrypted in its glo ...) NOT-FOR-US: Jenkins Minio Storage Plugin CVE-2019-10284 (Jenkins Diawi Upload Plugin stores credentials unencrypted in job conf ...) NOT-FOR-US: Jenkins Diawi Upload Plugin CVE-2019-10283 (Jenkins mabl Plugin stores credentials unencrypted in job config.xml f ...) NOT-FOR-US: Jenkins mabl Plugin CVE-2019-10282 (Jenkins Klaros-Testmanagement Plugin stores credentials unencrypted in ...) NOT-FOR-US: Jenkins Klaros-Testmanagement Plugin CVE-2019-10281 (Jenkins Relution Enterprise Appstore Publisher Plugin stores credentia ...) NOT-FOR-US: Jenkins Relution Enterprise Appstore Publisher Plugin CVE-2019-10280 (Jenkins Assembla Auth Plugin stores credentials unencrypted in the glo ...) NOT-FOR-US: Jenkins Assembla Auth Plugin CVE-2019-10279 (A missing permission check in Jenkins jenkins-reviewbot Plugin in the ...) NOT-FOR-US: Jenkins jenkins-reviewbot Plugin CVE-2019-10278 (A cross-site request forgery vulnerability in Jenkins jenkins-reviewbo ...) NOT-FOR-US: Jenkins jenkins-reviewbot Plugin CVE-2019-10277 (Jenkins StarTeam Plugin stores credentials unencrypted in job config.x ...) NOT-FOR-US: Jenkins StarTeam Plugin CVE-2019-XXXX [insecure handling of /tmp/VMwareDnD] - open-vm-tools 2:10.3.10-1 (bug #925959; unimportant) [stretch] - open-vm-tools 2:10.1.5-5055683-4+deb9u2 NOTE: https://github.com/vmware/open-vm-tools/commit/e88f91b00a715b79255de6576506d80ecfdb064c NOTE: Neutralised by kernel hardening CVE-2019-10276 (Western Bridge Cobub Razor 0.8.0 has a file upload vulnerability via t ...) NOT-FOR-US: Western Bridge Cobub Razor CVE-2019-10275 RESERVED CVE-2019-10274 RESERVED CVE-2019-10273 (Information leakage vulnerability in the /mc login page in ManageEngin ...) NOT-FOR-US: ManageEngine ServiceDesk Plus CVE-2019-10272 (An issue was discovered in Weaver e-cology 9.0. There is a CRLF Inject ...) NOT-FOR-US: Weaver e-cology CVE-2019-10271 (An issue was discovered in the Ultimate Member plugin 2.39 for WordPre ...) NOT-FOR-US: Ultimate Member plugin for WordPress CVE-2019-10270 (An arbitrary password reset issue was discovered in the Ultimate Membe ...) NOT-FOR-US: Ultimate Member plugin for WordPress CVE-2019-10269 (BWA (aka Burrow-Wheeler Aligner) before 2019-01-23 has a stack-based b ...) - bwa 0.7.17-3 (low; bug #926014) [stretch] - bwa 0.7.15-2+deb9u1 [jessie] - bwa (vulnerable code is not present) NOTE: https://github.com/lh3/bwa/pull/232 NOTE: https://github.com/lh3/bwa/commit/20d0a13092aa4cb73230492b05f9697d5ef0b88e CVE-2019-10268 REJECTED CVE-2019-10267 (An insecure file upload and code execution issue was discovered in Ahs ...) NOT-FOR-US: Ahsay Cloud Backup Suite CVE-2019-10266 (An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. W ...) NOT-FOR-US: Ahsay Cloud Backup Suite CVE-2019-10265 (An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. O ...) NOT-FOR-US: Ahsay Cloud Backup Suite CVE-2019-10264 (An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. W ...) NOT-FOR-US: Ahsay Cloud Backup Suite CVE-2019-10263 (An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. W ...) NOT-FOR-US: Ahsay Cloud Backup Suite CVE-2019-10262 (A SQL Injection issue was discovered in BlueCMS 1.6. The variable $ad_ ...) NOT-FOR-US: BlueCMS CVE-2019-1002162 NOT-FOR-US: atomic-reactor CVE-2019-1002101 (The kubectl cp command allows copying files between containers and the ...) - kubernetes (Vulnerable code introduced later) NOTE: Introduced by: https://github.com/kubernetes/kubernetes/commit/b1f85e2dfec6e64d8e1bc272251277df0058ab20 NOTE: Upstream patch: https://github.com/kubernetes/kubernetes/pull/75037 CVE-2019-10261 (CentOS Web Panel (CWP) 0.9.8.789 is vulnerable to Stored/Persistent XS ...) NOT-FOR-US: CentOS Web Panel CVE-2019-10260 (Total.js CMS 12.0.0 has XSS related to themes/admin/views/index.html ( ...) NOT-FOR-US: Total.js CMS CVE-2019-10259 RESERVED CVE-2019-10258 RESERVED CVE-2019-10257 (Zucchetti HR Portal through 2019-03-15 allows Directory Traversal. Una ...) NOT-FOR-US: Zucchetti HR Portal CVE-2019-10256 (An authentication bypass vulnerability in VIVOTEK IPCam versions prior ...) NOT-FOR-US: VIVOTEK IPCam CVE-2019-10255 (An Open Redirect vulnerability for all browsers in Jupyter Notebook be ...) - jupyter-notebook 5.7.8-1 (bug #925939) NOTE: https://github.com/jupyter/notebook/commit/08c4c898182edbe97aadef1815cce50448f975cb NOTE: https://github.com/jupyter/notebook/commit/70fe9f0ddb3023162ece21fbb77d5564306b913b NOTE: When adressing this issue make sure to not open CVE-2019-10856 and apply the NOTE: complete fix. NOTE: https://blog.jupyter.org/open-redirect-vulnerability-in-jupyter-jupyterhub-adf43583f1e4 NOTE: https://github.com/jupyter/notebook/commit/979e0bd15e794ceb00cc63737fcd5fd9addc4a99 CVE-2019-10254 (In MISP before 2.4.105, the app/View/Layouts/default.ctp default layou ...) NOT-FOR-US: MISP CVE-2019-10253 (A Cross-Site Request Forgery (CSRF) vulnerability exists in TeamMate+ ...) NOT-FOR-US: TeamMate+ CVE-2019-10252 RESERVED CVE-2019-10251 (The UCWeb UC Browser application through 2019-03-26 for Android uses H ...) NOT-FOR-US: UCWeb UC Browser application for Android CVE-2019-10250 (UCWeb UC Browser 7.0.185.1002 on Windows uses HTTP for downloading cer ...) NOT-FOR-US: UCWeb UC Browser CVE-2019-1003048 (A vulnerability in Jenkins PRQA Plugin 3.1.0 and earlier allows attack ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003047 (A missing permission check in Jenkins Fortify on Demand Uploader Plugi ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003046 (A cross-site request forgery vulnerability in Jenkins Fortify on Deman ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003045 (A vulnerability in Jenkins ECS Publisher Plugin 1.0.0 and earlier allo ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003044 (A cross-site request forgery vulnerability in Jenkins Slack Notificati ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003043 (A missing permission check in Jenkins Slack Notification Plugin 2.19 a ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003042 (A cross site scripting vulnerability in Jenkins Lockable Resources Plu ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003041 (A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin 2.64 ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003040 (A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.55 ...) NOT-FOR-US: Jenkins plugin CVE-2019-10249 (All Xtext & Xtend versions prior to 2.18.0 were built using HTTP i ...) NOT-FOR-US: Eclipse Xtext & Xtend CVE-2019-10248 (Eclipse Vorto versions prior to 0.11 resolved Maven build artifacts fo ...) NOT-FOR-US: Eclipse Vorto CVE-2019-10247 (In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, ...) [experimental] - jetty9 9.4.18-1 - jetty9 (bug #928444) [buster] - jetty9 (Minor issue) [stretch] - jetty9 (Minor issue) - jetty8 [jessie] - jetty8 (Minor issue) - jetty [jessie] - jetty (Minor issue) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=546577 NOTE: https://github.com/eclipse/jetty.project/issues/3555 CVE-2019-10246 (In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server runnin ...) - jetty9 (Only affects Jetty on Windows) - jetty8 (Only affects Jetty on Windows) - jetty (Only affects Jetty on Windows) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=546576 NOTE: https://github.com/eclipse/jetty.project/issues/3549 CVE-2019-10245 (In Eclipse OpenJ9 prior to the 0.14.0 release, the Java bytecode verif ...) NOT-FOR-US: Eclipse OpenJ9 CVE-2019-10244 (In Eclipse Kura versions up to 4.0.0, the Web UI package and component ...) NOT-FOR-US: Eclipse Kura CVE-2019-10243 (In Eclipse Kura versions up to 4.0.0, Kura exposes the underlying Ui W ...) NOT-FOR-US: Eclipse Kura CVE-2019-10242 (In Eclipse Kura versions up to 4.0.0, the SkinServlet did not checked ...) NOT-FOR-US: Eclipse Kura CVE-2019-10241 (In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.1 ...) [experimental] - jetty9 9.4.18-1 - jetty9 (bug #928444) [buster] - jetty9 (Minor issue) [stretch] - jetty9 (Minor issue) - jetty8 [jessie] - jetty8 (Minor issue) - jetty [jessie] - jetty (Minor issue) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=546121 CVE-2019-10240 (Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifac ...) NOT-FOR-US: Eclipse hawkBit CVE-2017-18365 (The Management Console in GitHub Enterprise 2.8.x before 2.8.7 has a d ...) NOT-FOR-US: GitHub Enterprise CVE-2019-10239 (Robotronic RunAsSpc 3.7.0.0 protects stored credentials insufficiently ...) NOT-FOR-US: Robotronic RunAsSpc CVE-2019-10238 (Sitemagic CMS v4.4 has XSS in SMFiles/FrmUpload.class.php via the file ...) NOT-FOR-US: Sitemagic CMS CVE-2019-10237 (S-CMS PHP v1.0 has a CSRF vulnerability to add a new admin user via th ...) NOT-FOR-US: S-CMS PHP CVE-2019-10236 RESERVED CVE-2019-10235 RESERVED CVE-2019-10234 RESERVED CVE-2019-10233 (Teclib GLPI before 9.4.1.1 is affected by a timing attack associated w ...) - glpi (unimportant) NOTE: https://github.com/glpi-project/glpi/pull/5562 NOTE: Only supported behind an authenticated HTTP zone CVE-2019-10232 (Teclib GLPI through 9.3.3 has SQL injection via the "cycle" parameter ...) - glpi (unimportant) NOTE: https://github.com/glpi-project/glpi/commit/684d4fc423652ec7dde21cac4d41c2df53f56b3c NOTE: Only supported behind an authenticated HTTP zone CVE-2019-10231 (Teclib GLPI before 9.4.1.1 is affected by a PHP type juggling vulnerab ...) - glpi (unimportant) NOTE: https://github.com/glpi-project/glpi/pull/5520 NOTE: Only supported behind an authenticated HTTP zone CVE-2019-10230 RESERVED CVE-2019-10229 (An issue was discovered in MailStore Server (and Service Provider Edit ...) NOT-FOR-US: MailStore CVE-2019-10228 RESERVED CVE-2019-10227 (openITCOCKPIT before 3.7.1 has reflected XSS in the 404-not-found comp ...) NOT-FOR-US: openITCOCKPIT CVE-2019-10226 (HTML Injection has been discovered in the v0.19.0 version of the Fat F ...) NOT-FOR-US: Fat Free CRM CVE-2019-10225 RESERVED NOT-FOR-US: OpenShift CVE-2019-10224 (A flaw has been found in 389-ds-base versions 1.4.x.x before 1.4.1.3. ...) - 389-ds-base 1.4.1.5-1 [buster] - 389-ds-base (Minor issue) [stretch] - 389-ds-base (vulnerable code not present) [jessie] - 389-ds-base (vulnerable code not present) - python-lib389 [stretch] - python-lib389 (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1677147 NOTE: https://pagure.io/389-ds-base/issue/50251 NOTE: https://pagure.io/389-ds-base/c/632ecb90d96ac0535656f5aaf67fd2be4b81d310 CVE-2019-10223 (A security issue was discovered in the kube-state-metrics versions v1. ...) NOT-FOR-US: kube-state-metrics CVE-2019-10222 (A flaw was found in the Ceph RGW configuration with Beast as the front ...) - ceph 14.2.4-1 (bug #936015) [buster] - ceph (Minor issue; only triggerable if experimental feature enabled) [stretch] - ceph (Vulnerable code not present) [jessie] - ceph (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2019/08/28/9 NOTE: https://github.com/ceph/ceph/pull/29967 NOTE: https://github.com/ceph/ceph/commit/6171399fdedd928b4249d135b4036e3de25079aa NOTE: 12.2.x installations only affected by the vulnerability if experimental NOTE: features are enabled. CVE-2019-10221 (A Reflected Cross Site Scripting vulnerability was found in all pki-co ...) - dogtag-pki NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1732565 CVE-2019-10220 (Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a rel ...) {DLA-2114-1 DLA-2068-1} - linux 5.3.9-1 [buster] - linux 4.19.98-1 [stretch] - linux 4.9.210-1 CVE-2019-10219 (A vulnerability was found in Hibernate-Validator. The SafeHtml validat ...) - libhibernate-validator-java (bug #948235) [buster] - libhibernate-validator-java (Vulnerable code was introduced later) [stretch] - libhibernate-validator-java (Vulnerable code was introduced later) [jessie] - libhibernate-validator-java (Vulnerable code was introduced later) - libhibernate-validator4-java (Vulnerable code was introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1738673 NOTE: https://hibernate.atlassian.net/browse/HV-1739 NOTE: Fixed by https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56ceee CVE-2019-10218 (A flaw was found in the samba client, all samba versions before samba ...) - samba 2:4.11.1+dfsg-2 [buster] - samba (Minor issue) [stretch] - samba (Minor issue) [jessie] - samba (Minor issue) NOTE: https://www.samba.org/samba/security/CVE-2019-10218.html CVE-2019-10217 (A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensit ...) - ansible 2.8.6+dfsg-1 (bug #934128) [buster] - ansible (Vulnerable code introduced later) [stretch] - ansible (Vulnerable code introduced later) [jessie] - ansible (vulnerable code introduced later) NOTE: https://github.com/ansible/ansible/issues/56269 NOTE: https://github.com/ansible/ansible/pull/59427 NOTE: Introduced by: https://github.com/ansible/ansible/commit/08918c6c2bcd73eb40b89af31736d3fcbe55e75a (v2.8.0a1) NOTE: Fixed by: https://github.com/ansible/ansible/commit/c1ee1f142db1e669b710a65147ea32be47a91519 CVE-2019-10216 (In ghostscript before version 9.50, the .buildfont1 procedure did not ...) {DSA-4499-1 DLA-1880-1} - ghostscript 9.27~dfsg-3.1 (bug #934638) NOTE: https://www.openwall.com/lists/oss-security/2019/08/12/4 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=701394 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b85ddd19 CVE-2019-10215 (Bootstrap-3-Typeahead after version 4.0.2 is vulnerable to a cross-sit ...) NOT-FOR-US: Bootstrap-3-Typeahead CVE-2019-10214 (The containers/image library used by the container tools Podman, Build ...) - golang-github-containers-image (Vulnerable version was never in unstable) - singularity-container 3.5.0+ds1-1 NOTE: https://github.com/containers/image/issues/654 NOTE: https://github.com/containers/image/pull/669 CVE-2019-10213 (OpenShift Container Platform, versions 4.1 and 4.2, does not sanitize ...) NOT-FOR-US: OpenShift CVE-2019-10212 (A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for i ...) - undertow 2.0.27-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1731984 NOTE: https://github.com/undertow-io/undertow/pull/817 CVE-2019-10211 (Postgresql Windows installer before versions 11.5, 10.10, 9.6.15, 9.5. ...) NOT-FOR-US: EnterpriseDB Windows installer CVE-2019-10210 (Postgresql Windows installer before versions 11.5, 10.10, 9.6.15, 9.5. ...) NOT-FOR-US: EnterpriseDB Windows installer CVE-2019-10209 (Postgresql, versions 11.x before 11.5, is vulnerable to a memory discl ...) {DSA-4493-1} - postgresql-11 11.5-1 - postgresql-9.6 (Only affects PostgreSQL 11) - postgresql-9.4 (Only affects PostgreSQL 11) NOTE: https://www.postgresql.org/about/news/1960/ CVE-2019-10208 (A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5. ...) {DSA-4493-1 DSA-4492-1 DLA-1874-1} - postgresql-11 11.5-1 - postgresql-9.6 - postgresql-9.4 NOTE: https://www.postgresql.org/about/news/1960/ CVE-2019-10207 (A flaw was found in the Linux kernel's Bluetooth implementation of UAR ...) {DSA-4497-1 DSA-4495-1 DLA-1885-1 DLA-1884-1} - linux 5.2.6-1 NOTE: https://www.openwall.com/lists/oss-security/2019/07/25/1 NOTE: https://lore.kernel.org/linux-bluetooth/20190725120909.31235-1-vdronov@redhat.com/T/#u NOTE: https://git.kernel.org/linus/b36a1552d7319bbfd5cf7f08726c23c5c66d4f73 CVE-2019-14856 (ansible before versions 2.8.6, 2.7.14, 2.6.20 is vulnerable to a None ...) - ansible (Incomplete fix for CVE-2019-10206 not applied) NOTE: https://github.com/ansible/ansible/pull/63351 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1760829 CVE-2019-10206 (ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2 ...) - ansible 2.8.6+dfsg-1 (bug #933005) [buster] - ansible (Minor issue) [stretch] - ansible (Minor issue) [jessie] - ansible (Vulnerable code introduced later, password templating code introduced with 2.0 refactoring, '{{' supported in passwords) NOTE: https://github.com/ansible/ansible/pull/59246 NOTE: 2.8.x https://github.com/ansible/ansible/pull/59552 NOTE: 2.7.x https://github.com/ansible/ansible/pull/59553 NOTE: 2.6.x https://github.com/ansible/ansible/pull/59554 NOTE: When fixing this issue is needed to make the fix complete with NOTE: https://github.com/ansible/ansible/pull/63351 to not open NOTE: CVE-2019-14856. CVE-2019-10205 (A flaw was found in the way Red Hat Quay stores robot account tokens i ...) NOT-FOR-US: Red Hat Quay CVE-2019-10204 RESERVED CVE-2019-10203 (PowerDNS Authoritative daemon , pdns versions 4.0.x before 4.0.9, 4.1. ...) - pdns 4.2.0-1 (low) [buster] - pdns (Minor issue) [stretch] - pdns (Minor issue) [jessie] - pdns (Minor issue) NOTE: Fixed in 4.2.0, 4.1.11, 4.0.9, for existing installations a manual schema update NOTE: needs to be performed. NOTE: https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-06.html CVE-2019-10202 (A series of deserialization vulnerabilities have been discovered in Co ...) NOT-FOR-US: Codehaus CVE-2019-10201 (It was found that Keycloak's SAML broker, versions up to 6.0.1, did no ...) NOT-FOR-US: Keycloak CVE-2019-10200 RESERVED NOT-FOR-US: OpenShift CVE-2019-10199 (It was found that Keycloak's account console, up to 6.0.1, did not per ...) NOT-FOR-US: Keycloak CVE-2019-10198 (An authentication bypass vulnerability was discovered in foreman-tasks ...) - foreman (bug #663101) CVE-2019-10197 (A flaw was found in samba versions 4.9.x up to 4.9.13, samba 4.10.x up ...) {DSA-4513-1} - samba 2:4.9.13+dfsg-1 [stretch] - samba (Issue introduced in 4.9.0 upstream) [jessie] - samba (Issue introduced in 4.9.0 upstream) NOTE: https://www.samba.org/samba/security/CVE-2019-10197.html CVE-2019-10196 RESERVED NOT-FOR-US: nodejs-http-proxy-agent CVE-2019-10195 (A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x ve ...) - freeipa 4.8.3-1 [buster] - freeipa (Minor issue; can be fixed via point release) NOTE: https://pagure.io/freeipa/c/02ce407f5e10e670d4788778037892b58f80adc0 CVE-2019-10194 (Sensitive passwords used in deployment and configuration of oVirt Metr ...) NOT-FOR-US: ovirt-engine-metrics CVE-2019-10193 (A stack-buffer overflow vulnerability was found in the Redis hyperlogl ...) {DSA-4480-1} - redis 5:5.0.4-1 (bug #931625) [stretch] - redis (vulnerable code added later) [jessie] - redis (vulnerable code added later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1727668 NOTE: https://github.com/antirez/redis/issues/6214 NOTE: https://github.com/antirez/redis/issues/6215 (upstream announcement) NOTE: https://github.com/antirez/redis/commit/a4b90be9fcd5e1668ac941cabce3b1ab38dbe326 (master) NOTE: https://github.com/antirez/redis/commit/12b5ff109508c2a192f700c7738da7e7f09670f1 (5.0.4) CVE-2019-10192 (A heap-buffer overflow vulnerability was found in the Redis hyperloglo ...) {DSA-4480-1 DLA-1850-1} - redis 5:5.0.4-1 (bug #931625) NOTE: https://github.com/antirez/redis/issues/6215 (upstream announcement) NOTE: https://github.com/antirez/redis/commit/e216ceaf0e099536fe3658a29dcb725d812364e0 NOTE: https://github.com/antirez/redis/commit/9f13b2bd4967334b1701c6eccdf53760cb13f79e NOTE: https://github.com/antirez/redis/commit/ef1833b3f9d02261617b757fd6ebe0ec3f1be507 (5.0.4) NOTE: https://github.com/antirez/redis/commit/7f79849caa006f0d760b6c7e17f7796e3be92b4f (5.0.4) CVE-2019-10191 (A vulnerability was discovered in DNS resolver of knot resolver before ...) - knot-resolver 5.0.1-1 (bug #932048) NOTE: https://www.knot-resolver.cz/2019-07-10-knot-resolver-4.1.0.html NOTE: https://gitlab.labs.nic.cz/knot/knot-resolver/merge_requests/839 NOTE: https://www.openwall.com/lists/oss-security/2019/07/14/1 CVE-2019-10190 (A vulnerability was discovered in DNS resolver component of knot resol ...) - knot-resolver 5.0.1-1 (bug #932048) NOTE: https://www.knot-resolver.cz/2019-07-10-knot-resolver-4.1.0.html NOTE: https://gitlab.labs.nic.cz/knot/knot-resolver/merge_requests/827 NOTE: https://www.openwall.com/lists/oss-security/2019/07/14/1 CVE-2019-10189 (A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Teache ...) - moodle CVE-2019-10188 (A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Teache ...) - moodle CVE-2019-10187 (A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Users ...) - moodle CVE-2019-10186 (A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. A sess ...) - moodle CVE-2019-10185 (It was found that icedtea-web up to and including 1.7.2 and 1.8.2 was ...) {DLA-1914-1} - icedtea-web 1.8.3-1 (bug #934319) [buster] - icedtea-web (Minor issue) [stretch] - icedtea-web (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2019/07/31/2 NOTE: https://github.com/AdoptOpenJDK/IcedTea-Web/commit/26305807b41a5b4e9813db42531acd754899207f (1.7) NOTE: https://github.com/AdoptOpenJDK/IcedTea-Web/commit/686213a6d68c21879d92cea3699b279c8f2662fa (1.8) CVE-2019-10184 (undertow before version 2.0.23.Final is vulnerable to an information l ...) - undertow 2.0.23-1 NOTE: https://issues.jboss.org/browse/UNDERTOW-1578 NOTE: https://github.com/undertow-io/undertow/pull/794 CVE-2019-10183 (Virt-install(1) utility used to provision new virtual machines has int ...) - virt-manager (Vulnerable code introduced in v2.2.0) NOTE: https://www.redhat.com/archives/virt-tools-list/2019-July/msg00014.html CVE-2019-10182 (It was found that icedtea-web though 1.7.2 and 1.8.2 did not properly ...) {DLA-1914-1} - icedtea-web 1.8.3-1 (bug #934319) [buster] - icedtea-web (Minor issue) [stretch] - icedtea-web (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2019/07/31/2 NOTE: https://github.com/AdoptOpenJDK/IcedTea-Web/commit/f9c2cf7fd24415ba2bb2619b69259035338ee5b6 (1.7) NOTE: https://github.com/AdoptOpenJDK/IcedTea-Web/commit/7958049eedc213be1ad4ae80ee312b167ddb320f (1.8) CVE-2019-10181 (It was found that in icedtea-web up to and including 1.7.2 and 1.8.2 e ...) {DLA-1914-1} - icedtea-web 1.8.3-1 (bug #934319) [buster] - icedtea-web (Minor issue) [stretch] - icedtea-web (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2019/07/31/2 NOTE: https://github.com/AdoptOpenJDK/IcedTea-Web/commit/32d174def953d801eb1cfc9d989bff5e80aac3cd (1.7) NOTE: https://github.com/AdoptOpenJDK/IcedTea-Web/commit/528cb8163b7053576a658b9602b5694b21957b0e (1.8) CVE-2019-10180 (A vulnerability was found in all pki-core 10.x.x version, where the To ...) - dogtag-pki NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1721137 CVE-2019-10179 (A vulnerability was found in all pki-core 10.x.x versions, where the K ...) - dogtag-pki NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1695901 CVE-2019-10178 (It was found that the Token Processing Service (TPS) did not properly ...) - dogtag-pki NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1719042 CVE-2019-10177 (A stored cross-site scripting (XSS) vulnerability was found in the PDF ...) NOT-FOR-US: Red Hat CloudForms CVE-2019-10176 (A flaw was found in OpenShift Container Platform, versions 3.11 and la ...) NOT-FOR-US: OpenShift CVE-2019-10175 (A flaw was found in the containerized-data-importer in virt-cdi-cloner ...) NOT-FOR-US: KubeVirt CVE-2019-10174 (A vulnerability was found in Infinispan such that the invokeAccessibly ...) NOT-FOR-US: infinispan CVE-2019-10173 (It was found that xstream API version 1.4.10 before 1.4.11 introduced ...) - libxstream-java 1.4.11-1 [stretch] - libxstream-java (Regression introduced in 1.4.10) [jessie] - libxstream-java (Regression introduced in 1.4.10) NOTE: http://x-stream.github.io/changes.html#1.4.11 NOTE: Regression introduced and present only in 1.4.10. CVE-2019-10172 (A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libr ...) {DLA-2091-1} - libjackson-json-java NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1715075 NOTE: https://stackoverflow.com/questions/38017676/small-fix-for-cve-2016-3720-with-older-versions-of-jackson-all-1-9-11-and-in-ja/38017721 CVE-2019-10171 (It was found that the fix for CVE-2018-14648 in 389-ds-base, versions ...) - 389-ds-base (Incomplete RHEL backport) CVE-2019-10170 (A flaw was found in the Keycloak admin console, where the realm manage ...) NOT-FOR-US: Keycloak CVE-2019-10169 (A flaw was found in Keycloak’s user-managed access interface, wh ...) NOT-FOR-US: Keycloak CVE-2019-10168 (The virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorC ...) - libvirt 5.0.0-4 [stretch] - libvirt (Vulnerable code introduced later) [jessie] - libvirt (Vulnerable code introduced later) NOTE: https://access.redhat.com/libvirt-privesc-vulnerabilities NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1720118 NOTE: https://libvirt.org/git/?p=libvirt.git;a=commit;h=bf6c2830b6c338b1f5699b095df36f374777b291 CVE-2019-10167 (The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x befo ...) {DSA-4469-1 DLA-1832-1} - libvirt 5.0.0-4 NOTE: https://access.redhat.com/libvirt-privesc-vulnerabilities NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1720117 NOTE: https://libvirt.org/git/?p=libvirt.git;a=commit;h=8afa68bac0cf99d1f8aaa6566685c43c22622f26 CVE-2019-10166 (It was discovered that libvirtd, versions 4.x.x before 4.10.1 and 5.x. ...) - libvirt 5.0.0-4 [stretch] - libvirt (Vulnerable code introduced in 3.6.1) [jessie] - libvirt (Vulnerable code introduced in 3.6.1) NOTE: https://access.redhat.com/libvirt-privesc-vulnerabilities NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1720114 NOTE: https://libvirt.org/git/?p=libvirt.git;a=commit;h=db0b78457f183e4c7ac45bc94de86044a1e2056a CVE-2019-10165 (OpenShift Container Platform before version 4.1.3 writes OAuth tokens ...) NOT-FOR-US: OpenShift CVE-2019-10164 (PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are ...) - postgresql-11 11.4-1 - postgresql-9.6 (Only affects 10.x and later) - postgresql-9.4 (Only affects 10.x and later) NOTE: https://www.postgresql.org/about/news/1949/ CVE-2019-10163 (A Vulnerability has been found in PowerDNS Authoritative Server before ...) {DSA-4470-1 DLA-1843-1} - pdns 4.1.6-3 NOTE: https://www.openwall.com/lists/oss-security/2019/06/21/5 NOTE: https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-05.html CVE-2019-10162 (A vulnerability has been found in PowerDNS Authoritative Server before ...) {DSA-4470-1 DLA-1843-1} - pdns 4.1.6-3 NOTE: https://www.openwall.com/lists/oss-security/2019/06/21/5 NOTE: https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-04.html CVE-2019-10161 (It was discovered that libvirtd before versions 4.10.1 and 5.4.1 would ...) {DSA-4469-1 DLA-1832-1} - libvirt 5.0.0-4 NOTE: https://access.redhat.com/libvirt-privesc-vulnerabilities NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1720115 NOTE: https://libvirt.org/git/?p=libvirt.git;a=commit;h=aed6a032cead4386472afb24b16196579e239580 CVE-2019-10160 (A security regression of CVE-2019-9636 was discovered in python since ...) - python3.7 3.7.4~rc2-2 [buster] - python3.7 3.7.3-2+deb10u1 - python3.6 (Fix for CVE-2019-9636 not applied) - python3.5 (Fix for CVE-2019-9636 not applied) - python3.4 (Vulnerable fix to regression introduced by fix for CVE-2019-9636 not applied) - python2.7 2.7.16-3 [buster] - python2.7 2.7.16-2+deb10u1 [stretch] - python2.7 (Incomplete fix for CVE-2019-9636 not applied) [jessie] - python2.7 (Incomplete fix for CVE-2019-9636 not applied) NOTE: Introduced by: https://github.com/python/cpython/commit/d537ab0ff9767ef024f26246899728f0116b1ec3 (v3.8.0a4) NOTE: Fixed by: https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e (v3.8.0b1) NOTE: https://github.com/python/cpython/commit/250b62acc59921d399f0db47db3b462cd6037e09 (3.7) NOTE: https://bugs.python.org/issue36742 NOTE: Patches for 2.7: NOTE: https://github.com/python/cpython/commit/98a4dcefbbc3bce5ab07e7c0830a183157250259 NOTE: https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de NOTE: https://github.com/python/cpython/commit/2b578479b96aa3deeeb8bac313a02b5cf3cb1aff CVE-2019-10159 (cfme-gemset versions 5.10.4.3 and below, 5.9.9.3 and below are vulnera ...) NOT-FOR-US: Red Hat CloudForms Management Engine CVE-2019-10158 (A flaw was found in Infinispan through version 9.4.14.Final. An improp ...) NOT-FOR-US: infinispan CVE-2019-10157 (It was found that Keycloak's Node.js adapter before version 4.8.3 did ...) NOT-FOR-US: Keycloak CVE-2019-10156 (A flaw was discovered in the way Ansible templating was implemented in ...) {DLA-1923-1} - ansible 2.8.3+dfsg-1 (low; bug #930065) [buster] - ansible (Minor issue) [stretch] - ansible (Minor issue) NOTE: https://github.com/ansible/ansible/pull/57188 CVE-2019-10155 (The Libreswan Project has found a vulnerability in the processing of I ...) - libreswan 3.27-6 (bug #930338) - strongswan 5.1.0-1 - openswan - freeswan NOTE: https://libreswan.org/security/CVE-2019-10155/ NOTE: Not vulnerable: libreswan 3.29 and later, strongswan 5.0 and later, freeswan CVE-2019-10154 (A flaw was found in Moodle before versions 3.7, 3.6.4. A web service f ...) - moodle CVE-2019-10153 (A flaw was discovered in fence-agents, prior to version 4.3.4, where u ...) - fence-agents 4.3.3-2 (low; bug #930887) [stretch] - fence-agents 4.0.25-1+deb9u1 [jessie] - fence-agents (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1670460 NOTE: https://github.com/ClusterLabs/fence-agents/pull/255 NOTE: https://github.com/ClusterLabs/fence-agents/pull/272 CVE-2019-10152 (A path traversal vulnerability has been discovered in podman before ve ...) - libpod (Fixed before initial upload) CVE-2019-10151 RESERVED CVE-2019-10150 (It was found that OpenShift Container Platform versions 3.6.x - 4.6.0 ...) NOT-FOR-US: OpenShift CVE-2019-10149 (A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper v ...) {DSA-4456-1} - exim4 4.92~RC3-1 [jessie] - exim4 (Vulnerable code introduced in 4.87) NOTE: https://www.openwall.com/lists/oss-security/2019/06/04/1 NOTE: https://www.exim.org/static/doc/security/CVE-2019-10149.txt NOTE: https://www.openwall.com/lists/oss-security/2019/06/06/1 NOTE: https://github.com/Exim/exim/commit/7ea1237c783e380d7bdb86c90b13d8203c7ecf26 (exim-4.92-RC1) NOTE: https://git.exim.org/exim.git/commit/d740d2111f189760593a303124ff6b9b1f83453d (exim-4_91+fixes) CVE-2019-10148 REJECTED CVE-2019-10147 (rkt through version 1.30.0 does not isolate processes in containers th ...) - rkt (bug #929781) NOTE: https://www.twistlock.com/labs-blog/breaking-out-of-coresos-rkt-3-new-cves/ NOTE: https://github.com/rkt/rkt/issues/3998 CVE-2019-10146 (A Reflected Cross Site Scripting flaw was found in all pki-core 10.x.x ...) - dogtag-pki NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1710171 CVE-2019-10145 (rkt through version 1.30.0 does not isolate processes in containers th ...) - rkt (bug #929781) NOTE: https://www.twistlock.com/labs-blog/breaking-out-of-coresos-rkt-3-new-cves/ NOTE: https://github.com/rkt/rkt/issues/3998 CVE-2019-10144 (rkt through version 1.30.0 does not isolate processes in containers th ...) - rkt (bug #929781) NOTE: https://www.twistlock.com/labs-blog/breaking-out-of-coresos-rkt-3-new-cves/ NOTE: https://github.com/rkt/rkt/issues/3998 CVE-2019-10143 (** DISPUTED ** It was discovered freeradius up to and including versio ...) - freeradius (unimportant; bug #929466) NOTE: https://github.com/FreeRADIUS/freeradius-server/pull/2666 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/1f233773962bf1a9c2d228a180eacddb9db2d574 NOTE: This is not a security issue per se CVE-2019-10142 (A flaw was found in the Linux kernel's freescale hypervisor manager im ...) - linux 5.2.6-1 (unimportant) [buster] - linux 4.19.67-1 [stretch] - linux 4.9.184-1 [jessie] - linux 3.16.70-1 NOTE: Fixed by: https://git.kernel.org/linus/6a024330650e24556b8a18cc654ad00cfecf6c6c NOTE: CONFIG_FSL_HV_MANAGER not enabled in kernel builds in Debian. CVE-2019-10141 (A vulnerability was found in openstack-ironic-inspector all versions e ...) - ironic-inspector 8.0.0-3 (bug #929332) [stretch] - ironic-inspector (Minor issue) NOTE: https://review.opendev.org/#/c/660234/ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1711722 CVE-2019-10140 (A vulnerability was found in Linux kernel's, versions up to 3.10, impl ...) - linux (Vulnerability introduce in Red Hat specific backport) CVE-2019-10139 (During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ans ...) NOT-FOR-US: cockpit-ovirt CVE-2019-10138 (A flaw was discovered in the python-novajoin plugin, all versions up t ...) NOT-FOR-US: python-novajoin plugin for OpenStack CVE-2019-10137 (A path traversal flaw was found in spacewalk-proxy, all versions throu ...) NOT-FOR-US: Red Hat Satellite / Spacewalk CVE-2019-10136 (It was found that Spacewalk, all versions through 2.9, did not safely ...) NOT-FOR-US: Red Hat Satellite / Spacewalk CVE-2019-10135 (A flaw was found in the yaml.load() function in the osbs-client versio ...) NOTE: OpenShift Build Service client CVE-2019-10134 (A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. ...) - moodle CVE-2019-10133 (A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. ...) - moodle CVE-2019-10132 (A vulnerability was found in libvirt >= 4.1.0 in the virtlockd-admi ...) - libvirt 5.0.0-3 (bug #929334) [stretch] - libvirt (Vulnerable code introduced in 4.1.0-rc1) [jessie] - libvirt (Vulnerable code introduced in 4.1.0-rc1) NOTE: https://security.libvirt.org/2019/0003.html CVE-2019-10131 (An off-by-one read vulnerability was discovered in ImageMagick before ...) [experimental] - imagemagick 8:6.9.10.2+dfsg-1 - imagemagick 8:6.9.10.2+dfsg-2 [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1704762 NOTE: https://github.com/ImageMagick/ImageMagick/commit/cb1214c124e1bd61f7dd551b94a794864861592e NOTE: https://github.com/ImageMagick/ImageMagick6/commit/7ccc28ee4c777d915f95919ac3bcf8adf93037a7 CVE-2019-10130 (A vulnerability was found in PostgreSQL versions 11.x up to excluding ...) {DSA-4439-1} - postgresql-11 11.3-1 - postgresql-9.6 - postgresql-9.4 [jessie] - postgresql-9.4 (Row security was introduced in 9.5) NOTE: https://www.postgresql.org/about/news/1939/ CVE-2019-10129 (A vulnerability was found in postgresql versions 11.x prior to 11.3. U ...) - postgresql-11 11.3-1 NOTE: https://www.postgresql.org/about/news/1939/ CVE-2019-10128 RESERVED - postgresql-11 (Windows-specific) NOTE: https://www.postgresql.org/about/news/1939/ CVE-2019-10127 RESERVED - postgresql-11 (Windows-specific) NOTE: https://www.postgresql.org/about/news/1939/ CVE-2019-10126 (A flaw was found in the Linux kernel. A heap based buffer overflow in ...) {DSA-4465-1 DLA-1824-1 DLA-1823-1} - linux 4.19.37-4 NOTE: https://lore.kernel.org/linux-wireless/20190531131841.7552-1-tiwai@suse.de CVE-2017-18364 (phpFK lite has XSS via the faq.php, members.php, or search.php query s ...) NOT-FOR-US: phpFK CVE-2019-10125 (An issue was discovered in aio_poll() in fs/aio.c in the Linux kernel ...) - linux 4.19.37-1 [stretch] - linux (Vulnerable code introduced later) [jessie] - linux (Vulnerable code introduced later) NOTE: https://patchwork.kernel.org/patch/10828359/ NOTE: https://git.kernel.org/linus/84c4e1f89fefe70554da0ab33be72c9be7994379 CVE-2019-10124 REJECTED CVE-2019-10123 (SQL Injection in Advanced InfoData Systems (AIS) ESEL-Server 67 (which ...) NOT-FOR-US: Advanced InfoData Systems (AIS) CVE-2019-10122 (eQ-3 HomeMatic CCU2 devices before 2.41.9 and CCU3 devices before 3.43 ...) NOT-FOR-US: eQ-3 HomeMatic CCU2 and CCU3 devices CVE-2019-10121 (eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43 ...) NOT-FOR-US: eQ-3 HomeMatic CCU2 and CCU3 devices CVE-2019-10120 (On eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3 ...) NOT-FOR-US: eQ-3 HomeMatic CCU2 and CCU3 devices CVE-2019-10119 (eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43 ...) NOT-FOR-US: eQ-3 HomeMatic CCU2 and CCU3 devices CVE-2019-10118 (Snipe-IT before 4.6.14 has XSS, as demonstrated by log_meta values and ...) NOT-FOR-US: Snipe-IT CVE-2019-10117 (An Open Redirect issue was discovered in GitLab Community and Enterpri ...) - gitlab (Only affects 11.9 and later) NOTE: https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/ CVE-2019-10116 (An Insecure Permissions issue (issue 3 of 3) was discovered in GitLab ...) - gitlab 11.8.6+dfsg-1 (bug #926482) NOTE: https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/ CVE-2019-10115 (An Insecure Permissions issue (issue 2 of 3) was discovered in GitLab ...) - gitlab 11.8.6+dfsg-1 (bug #926482) NOTE: https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/ CVE-2019-10114 (An Information Exposure issue (issue 2 of 2) was discovered in GitLab ...) - gitlab (Only affects 11.9 and later) NOTE: https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/ CVE-2019-10113 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.8.6+dfsg-1 (bug #926482) NOTE: https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/ CVE-2019-10112 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab (Only affects 11.9 and later) NOTE: https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/ CVE-2019-10111 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.8.6+dfsg-1 (bug #926482) NOTE: https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/ CVE-2019-10110 (An Insecure Permissions issue (issue 1 of 3) was discovered in GitLab ...) - gitlab 11.8.6+dfsg-1 (bug #926482) NOTE: https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/ CVE-2019-10109 (An Information Exposure issue (issue 1 of 2) was discovered in GitLab ...) - gitlab 11.8.6+dfsg-1 (bug #926482) NOTE: https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/ CVE-2019-10108 (An Incorrect Access Control (issue 1 of 2) was discovered in GitLab Co ...) - gitlab (Only affects 11.8.4 and later) NOTE: https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/ CVE-2019-10107 (CMS Made Simple 2.2.10 has XSS via the myaccount.php "Email Address" f ...) NOT-FOR-US: CMS Made Simple CVE-2019-10106 (CMS Made Simple 2.2.10 has XSS via the 'moduleinterface.php' Name fiel ...) NOT-FOR-US: CMS Made Simple CVE-2019-10105 (CMS Made Simple 2.2.10 has a Self-XSS vulnerability via the Layout Des ...) NOT-FOR-US: CMS Made Simple CVE-2019-10104 (In several JetBrains IntelliJ IDEA Ultimate versions, an Application S ...) - intellij-idea (bug #747616) CVE-2019-10103 (JetBrains IntelliJ IDEA projects created using the Kotlin (JS Client/J ...) - intellij-idea (bug #747616) CVE-2019-10102 (JetBrains Ktor framework (created using the Kotlin IDE template) versi ...) NOT-FOR-US: JetBrains CVE-2019-10101 (JetBrains Kotlin versions before 1.3.30 were resolving artifacts using ...) NOT-FOR-US: JetBrains CVE-2019-10100 (In JetBrains YouTrack Confluence plugin versions before 1.8.1.3, it wa ...) NOT-FOR-US: JetBrains YouTrack Confluence plugin CVE-2019-1000031 (A disk space or quota exhaustion issue exists in article2pdf_getfile.p ...) NOT-FOR-US: article2pdf Wordpress plugin CVE-2018-20815 (In QEMU 3.1.0, load_device_tree in device_tree.c calls the deprecated ...) {DSA-4506-1 DLA-1781-1} - qemu 1:3.1+dfsg-7 - qemu-kvm NOTE: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=da885fe1ee8b4589047484bd7fa05a4905b52b17 NOTE: https://www.openwall.com/lists/oss-security/2019/03/27/1 CVE-2016-10749 (parse_string in cJSON.c in cJSON before 2016-10-02 has a buffer over-r ...) - cjson (Fixed before initial upload to Debian) NOTE: https://github.com/DaveGamble/cJSON/issues/30 NOTE: https://www.openwall.com/lists/oss-security/2016/11/07/2 NOTE: https://github.com/DaveGamble/cJSON/commit/94df772485c92866ca417d92137747b2e3b0a917 CVE-2016-10744 (In Select2 through 4.0.5, as used in Snipe-IT and other products, rich ...) NOT-FOR-US: Snipe-IT CVE-2019-10099 (Prior to Spark 2.3.3, in certain situations Spark would write user dat ...) - apache-spark (bug #802194) CVE-2019-10098 (In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_r ...) {DSA-4509-1 DLA-1900-1} - apache2 2.4.41-1 NOTE: Affects upstream versions 2.4.0 to 2.4.39 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-10098 NOTE: https://svn.apache.org/r1864213 NOTE: https://svn.apache.org/r1864192 CVE-2019-10097 (In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured ...) - apache2 2.4.41-1 [buster] - apache2 2.4.38-3+deb10u1 [stretch] - apache2 (PROXY protocol support in mod_remoteip added later) [jessie] - apache2 (PROXY protocol support in mod_remoteip added later) NOTE: Affects upstream versions 2.4.32 to 2.4.39 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-10097 NOTE: https://svn.apache.org/r1864613 CVE-2019-10096 RESERVED CVE-2019-10095 RESERVED CVE-2019-10094 (A carefully crafted package/compressed file that, when unzipped/uncomp ...) - tika 1.22-1 (bug #933746) [buster] - tika (Minor issue) [jessie] - tika (Vulnerable feature introduced in 1.7) NOTE: https://www.openwall.com/lists/oss-security/2019/08/02/4 NOTE: https://github.com/apache/tika/commit/c4e63c9be8665cccea8b680c59a6f5cfbc03e0fc CVE-2019-10093 (In Apache Tika 1.19 to 1.21, a carefully crafted 2003ml or 2006ml file ...) - tika 1.22-1 (bug #933745) [buster] - tika (Minor issue) [jessie] - tika (The vulnerable code was introduced later) NOTE: https://www.openwall.com/lists/oss-security/2019/08/02/3 NOTE: https://github.com/apache/tika/commit/81c21ab0aac6b3e4102a1a8906c8c7eab6f96dae CVE-2019-10092 (In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting iss ...) {DSA-4509-3 DSA-4509-1 DLA-1900-1} - apache2 2.4.41-1 NOTE: Affects upstream versions 2.4.0 to 2.4.39 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-10092 NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=63688#c5 NOTE: https://svn.apache.org/r1864191 NOTE: Regression: https://bugs.debian.org/941202 CVE-2019-10091 (When TLS is enabled with ssl-endpoint-identification-enabled set to tr ...) NOT-FOR-US: Apache Geode CVE-2019-10090 (On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin ...) - jspwiki CVE-2019-10089 (On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin ...) - jspwiki CVE-2019-10088 (A carefully crafted or corrupt zip file can cause an OOM in Apache Tik ...) - tika 1.22-1 (bug #933744) [buster] - tika (Minor issue) [jessie] - tika (Vulnerable feature introduced in 1.7) NOTE: https://www.openwall.com/lists/oss-security/2019/08/02/2 NOTE: https://github.com/apache/tika/commit/426be73b9e7500fa3d441231fa4e473de34743f6 CVE-2019-10087 (On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin ...) - jspwiki CVE-2019-10086 (In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class wa ...) {DLA-1896-1} - commons-beanutils 1.9.4-1 [buster] - commons-beanutils (Minor issue; can be fixed via point release) [stretch] - commons-beanutils (Minor issue; can be fixed via point release) NOTE: https://issues.apache.org/jira/browse/BEANUTILS-520 NOTE: https://github.com/apache/commons-beanutils/pull/7 NOTE: https://github.com/apache/commons-beanutils/commit/dd48f4e589462a8cdb1f29bbbccb35d6b0291d58 NOTE: With the patch applied, the libary is secured by default. To opt-out and allow NOTE: access to the 'class' property one needs to remove the feature explicitly. Cf. NOTE: https://github.com/apache/commons-beanutils/pull/7#issue-281406699 CVE-2019-10085 (In Apache Allura prior to 1.11.0, a vulnerability exists for stored XS ...) NOT-FOR-US: Apache Allura CVE-2019-10084 (In Apache Impala 2.7.0 to 3.2.0, an authenticated user with access to ...) NOT-FOR-US: Apache Impala CVE-2019-10083 (When updating a Process Group via the API in NiFi versions 1.3.0 to 1. ...) NOT-FOR-US: Apache NiFi CVE-2019-10082 (In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the h ...) {DSA-4509-1} - apache2 2.4.41-1 [jessie] - apache2 (HTTP/2 support only available since version 2.4.17 and later) NOTE: Affects upstream versions 2.4.18 to 2.4.39 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-10082 CVE-2019-10081 (HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configur ...) {DSA-4509-1} - apache2 2.4.41-1 [jessie] - apache2 (HTTP/2 support only available since version 2.4.17 and later) NOTE: Affects upstream versions 2.4.20 to 2.4.39 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-10081 CVE-2019-10080 (The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trust ...) NOT-FOR-US: Apache NiFi CVE-2019-10079 (Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. E ...) {DSA-4520-1} - trafficserver 8.0.5+ds-1 NOTE: https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19@%3Cannounce.trafficserver.apache.org%3E CVE-2019-10078 (A carefully crafted plugin link invocation could trigger an XSS vulner ...) - jspwiki CVE-2019-10077 (A carefully crafted InterWiki link could trigger an XSS vulnerability ...) - jspwiki CVE-2019-10076 (A carefully crafted malicious attachment could trigger an XSS vulnerab ...) - jspwiki CVE-2019-10075 REJECTED CVE-2019-10074 (An RCE is possible by entering Freemarker markup in an Apache OFBiz Fo ...) NOT-FOR-US: Apache OFBiz CVE-2019-10073 (The "Blog", "Forum", "Contact Us" screens of the template "ecommerce" ...) NOT-FOR-US: Apache OFBiz CVE-2019-10072 (The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 co ...) {DSA-4680-1} - tomcat9 9.0.22-1 (bug #931131; bug #930872) - tomcat8 (bug #30873) [stretch] - tomcat8 (Incomplete fix for CVE-2019-0199 not applied) [jessie] - tomcat8 (HTTP/2 support not implemented) NOTE: https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a@%3Cannounce.tomcat.apache.org%3E CVE-2019-10071 (The code which checks HMAC in form submissions used String.equals() fo ...) NOT-FOR-US: Apache Tapestry CVE-2019-10070 (Apache Atlas versions 0.8.3 and 1.1.0 were found vulnerable to Stored ...) NOT-FOR-US: Apache Atlas CVE-2019-10069 (In Godot through 3.1, remote code execution is possible due to the des ...) NOT-FOR-US: Godot CVE-2019-10068 (An issue was discovered in Kentico 12.0.x before 12.0.15, 11.0.x befor ...) NOT-FOR-US: Kentico CVE-2019-10067 (An issue was discovered in Open Ticket Request System (OTRS) 7.x throu ...) - otrs2 6.0.18-1 [buster] - otrs2 6.0.16-2 [stretch] - otrs2 (Non-free not supported) [jessie] - otrs2 (vulnerable code is not present) NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/8a489236336ddc82e745c27abb32dfa1ceefb0f4 NOTE: OTRS 5: https://github.com/OTRS/otrs/commit/67158d8b08309859572c795982ecc7c52484ab0e NOTE: https://community.otrs.com/security-advisory-2019-05-security-update-for-otrs-framework/ CVE-2019-10066 (An issue was discovered in Open Ticket Request System (OTRS) 7.x throu ...) - otrs2 6.0.18-1 [buster] - otrs2 6.0.16-2 [stretch] - otrs2 (Vulnerable code introduced later) [jessie] - otrs2 (vulnerable code is not present) NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/b99cad21f2dd1c2d52299424a589b0b2f20d7ba8 NOTE: https://community.otrs.com/security-advisory-2019-06-security-update-for-otrs-framework/ CVE-2019-10065 (An issue was discovered in Open Ticket Request System (OTRS) 7.0 throu ...) - otrs2 (Only affects 7.x series) NOTE: https://otrs.com/release-notes/otrs-security-advisory-2019-07/ CVE-2019-10064 (hostapd before 2.6, in EAP mode, makes calls to the rand() and random( ...) {DLA-2138-1} - wpa 2:2.6-7 [stretch] - wpa (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2020/02/27/1 NOTE: Comment from upstream: https://www.openwall.com/lists/oss-security/2020/02/27/2 NOTE: Issue fixed in conjunction with CVE-2016-10743. NOTE: https://w1.fi/cgit/hostap/commit/?id=4b16c15bbc8b20a85bb3d6f45bba5621a047618e NOTE: There was already a 2.6 upload late in 2016 but then reverted to a 2.4 based NOTE: version and only reuploaded as 2:2.6-7 to unstable. CVE-2019-10063 (Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1 ...) - flatpak 1.2.3-2 (bug #925541) [stretch] - flatpak 0.8.9-0+deb9u3 NOTE: https://github.com/flatpak/flatpak/issues/2782 NOTE: https://github.com/flatpak/flatpak/commit/a9107feeb4b8275b78965b36bf21b92d5724699e CVE-2019-10062 RESERVED CVE-2019-10061 (utils/find-opencv.js in node-opencv (aka OpenCV bindings for Node.js) ...) - node-opencv 6.0.0+git20180416.cfc96ba0-3 (unimportant; bug #925571) NOTE: https://www.npmjs.com/advisories/789 NOTE: https://github.com/peterbraden/node-opencv/commit/81a4b8620188e89f7e4fc985f3c89b58d4bcc86b NOTE: https://github.com/peterbraden/node-opencv/commit/aaece6921d7368577511f06c94c99dd4e9653563 NOTE: Nodejs not covered by security support CVE-2019-10060 (The Verix Multi-app Conductor application 2.7 for Verifone Verix suffe ...) NOT-FOR-US: Verix Multi-app Conductor application for Verifone Verix CVE-2019-10059 (The legacy finger service (TCP port 79) is enabled by default on vario ...) NOT-FOR-US: Lexmark CVE-2019-10058 (Various Lexmark products have Incorrect Access Control. ...) NOT-FOR-US: Lexmark CVE-2019-10057 (Various Lexmark products have CSRF. ...) NOT-FOR-US: Lexmark CVE-2019-10056 (An issue was discovered in Suricata 4.1.3. The code mishandles the cas ...) - suricata 1:4.1.4-1 [buster] - suricata (Minor issue) [stretch] - suricata (Minor issue) [jessie] - suricata (Minor issue) NOTE: https://redmine.openinfosecfoundation.org/issues/2946 CVE-2019-10055 (An issue was discovered in Suricata 4.1.3. The function ftp_pasv_respo ...) - suricata 1:4.1.4-1 [buster] - suricata (Minor issue) [stretch] - suricata (Minor issue) [jessie] - suricata (Minor issue) NOTE: https://redmine.openinfosecfoundation.org/issues/2949 CVE-2019-10054 (An issue was discovered in Suricata 4.1.3. The function process_reply_ ...) - suricata 1:4.1.4-1 [buster] - suricata (Minor issue) [stretch] - suricata (Minor issue) [jessie] - suricata (Minor issue) NOTE: https://redmine.openinfosecfoundation.org/issues/2943 CVE-2019-10053 (An issue was discovered in Suricata 4.1.x before 4.1.4. If the input o ...) - suricata 1:4.1.4-1 [buster] - suricata (Minor issue) [stretch] - suricata (Minor issue) [jessie] - suricata (Minor issue) NOTE: https://redmine.openinfosecfoundation.org/issues/2883 NOTE: https://github.com/OISF/suricata/commit/51790d3824bc381e24aaeef20338dd6b8bd4e453 CVE-2019-10052 (An issue was discovered in Suricata 4.1.3. If the network packet does ...) - suricata 1:4.1.4-1 [buster] - suricata (Minor issue) [stretch] - suricata (Minor issue) [jessie] - suricata (Vulnerable code not present) NOTE: https://redmine.openinfosecfoundation.org/issues/2902 NOTE: https://redmine.openinfosecfoundation.org/issues/2947 CVE-2019-10051 (An issue was discovered in Suricata 4.1.3. If the function filetracker ...) - suricata 1:4.1.4-1 [buster] - suricata (Minor issue) [stretch] - suricata (Minor issue) [jessie] - suricata (Vulnerable code not present) NOTE: https://github.com/OISF/suricata/pull/3734 NOTE: https://redmine.openinfosecfoundation.org/issues/2896 CVE-2019-10050 (A buffer over-read issue was discovered in Suricata 4.1.x before 4.1.4 ...) - suricata 1:4.1.4-1 [buster] - suricata (Minor issue) [stretch] - suricata (Minor issue) [jessie] - suricata (Minor issue) NOTE: https://redmine.openinfosecfoundation.org/issues/2884 NOTE: https://github.com/OISF/suricata/commit/4609d5c80acda9adf02f8fb9a6aa8238495bfa13 CVE-2019-10049 (It is possible for an attacker with regular user access to the web app ...) - ajaxplorer (bug #668381) CVE-2019-10048 (The ImageMagick plugin that is installed by default in Pydio through 8 ...) - ajaxplorer (bug #668381) CVE-2019-10047 (A stored XSS vulnerability exists in the web application of Pydio thro ...) - ajaxplorer (bug #668381) CVE-2019-10046 (An unauthenticated attacker can obtain information about the Pydio 8.2 ...) - ajaxplorer (bug #668381) CVE-2019-10045 (The "action" get_sess_id in the web application of Pydio through 8.2.2 ...) - ajaxplorer (bug #668381) CVE-2019-10044 (Telegram Desktop before 1.5.12 on Windows, and the Telegram applicatio ...) - telegram-desktop 1.8.4-1 (bug #927711) [buster] - telegram-desktop (Minor issue) NOTE: https://github.com/blazeinfosec/advisories/blob/master/telegram-advisory.txt CVE-2019-10043 RESERVED CVE-2019-10042 (The D-Link DIR-816 A2 1.11 router only checks the random token when au ...) NOT-FOR-US: D-Link CVE-2019-10041 (The D-Link DIR-816 A2 1.11 router only checks the random token when au ...) NOT-FOR-US: D-Link CVE-2019-10040 (The D-Link DIR-816 A2 1.11 router only checks the random token when au ...) NOT-FOR-US: D-Link CVE-2019-10039 (The D-Link DIR-816 A2 1.11 router only checks the random token when au ...) NOT-FOR-US: D-Link CVE-2019-10038 (Evernote 7.9 on macOS allows attackers to execute arbitrary programs b ...) NOT-FOR-US: Evernote CVE-2019-10037 RESERVED CVE-2019-10036 RESERVED CVE-2019-10035 RESERVED CVE-2019-10034 RESERVED CVE-2019-10033 RESERVED CVE-2019-10032 RESERVED CVE-2019-10031 RESERVED CVE-2019-10030 RESERVED CVE-2019-10029 RESERVED CVE-2019-10028 (Denial of Service (DOS) in Dial Reference Source Code Used before June ...) NOT-FOR-US: Dial Reference Source Code Repo CVE-2019-10027 (PHPCMS 9.6.x through 9.6.3 has XSS via the mailbox (aka E-mail) field ...) NOT-FOR-US: PHPCMS CVE-2019-10026 (An issue was discovered in Xpdf 4.01.01. There is an FPE in the functi ...) - xpdf (xpdf in Debian uses poppler, which is not affected or fixed) CVE-2019-10025 (An issue was discovered in Xpdf 4.01.01. There is an FPE in the functi ...) - xpdf (xpdf in Debian uses poppler, which is not affected or fixed) CVE-2019-10024 (An issue was discovered in Xpdf 4.01.01. There is an FPE in the functi ...) - xpdf (xpdf in Debian uses poppler, which is not affected or fixed) CVE-2019-10023 (An issue was discovered in Xpdf 4.01.01. There is an FPE in the functi ...) - xpdf (xpdf in Debian uses poppler, which is not affected or fixed) CVE-2019-10022 (An issue was discovered in Xpdf 4.01.01. There is a NULL pointer deref ...) - xpdf (xpdf in Debian uses poppler, which is not affected or fixed) CVE-2019-10021 (An issue was discovered in Xpdf 4.01.01. There is an FPE in the functi ...) - xpdf (xpdf in Debian uses poppler, which is not affected or fixed) CVE-2019-10020 (An issue was discovered in Xpdf 4.01.01. There is an FPE in the functi ...) - xpdf (xpdf in Debian uses poppler, which is not affected or fixed) CVE-2019-10019 (An issue was discovered in Xpdf 4.01.01. There is an FPE in the functi ...) - xpdf (xpdf in Debian uses poppler, which is not affected or fixed) CVE-2019-10018 (An issue was discovered in Xpdf 4.01.01. There is an FPE in the functi ...) - poppler 0.57.0-2 (low; bug #926133) [stretch] - poppler (Minor issue) [jessie] - poppler (Minor issue) NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=41276 (PostScriptFunction::exec@Function.cc:1374-42___FPE PoC) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=101500 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=e2ab2fa9d8c41e0115b2c276a2594cd2f7c217e6 CVE-2019-10017 (CMS Made Simple 2.2.10 has XSS via the moduleinterface.php Name field, ...) NOT-FOR-US: CMS Made Simple CVE-2019-10016 (GForge Advanced Server 6.4.4 allows XSS via the commonsearch.php words ...) NOT-FOR-US: GForge Advanced Server CVE-2019-10015 (baigoStudio baigoSSO v3.0.1 allows remote attackers to execute arbitra ...) NOT-FOR-US: baigoStudio CVE-2019-10014 (In DedeCMS 5.7SP2, member/resetpassword.php allows remote authenticate ...) NOT-FOR-US: DedeCMS CVE-2019-9999 RESERVED CVE-2019-9998 RESERVED CVE-2019-9997 RESERVED CVE-2019-9996 RESERVED CVE-2019-9995 RESERVED CVE-2019-9994 RESERVED CVE-2019-9993 RESERVED CVE-2019-9992 RESERVED CVE-2019-9991 RESERVED CVE-2019-9990 RESERVED CVE-2019-9989 RESERVED CVE-2019-9988 RESERVED CVE-2019-9987 RESERVED CVE-2019-9986 RESERVED CVE-2019-9985 RESERVED CVE-2019-9984 RESERVED CVE-2019-9983 RESERVED CVE-2019-9982 RESERVED CVE-2019-9981 RESERVED CVE-2019-9980 RESERVED CVE-2019-9979 RESERVED CVE-2019-9978 (The social-warfare plugin before 3.5.3 for WordPress has stored XSS vi ...) NOT-FOR-US: social-warfare plugin for WordPress CVE-2019-9977 (The renderer process in the entertainment system on Tesla Model 3 vehi ...) NOT-FOR-US: entertainment system on Tesla Model 3 vehicles CVE-2019-9976 (The Boa server configuration on DASAN H660RM devices with firmware 1.0 ...) - boa CVE-2019-9975 (DASAN H660RM devices with firmware 1.03-0022 use a hard-coded key for ...) NOT-FOR-US: DASAN CVE-2019-9974 (diag_tool.cgi on DASAN H660RM GPON routers with firmware 1.03-0022 lac ...) NOT-FOR-US: DASAN CVE-2019-9973 RESERVED CVE-2019-10013 (The asn1_signature function in asn1.c in Cameron Hamilton-Rich axTLS t ...) - axtls (bug #953326) CVE-2019-10012 (Jenzabar JICS (aka Internet Campus Solution) before 9 allows remote at ...) NOT-FOR-US: Jenzabar CVE-2019-10011 (ICS/StaticPages/AddTestUsers.aspx in Jenzabar JICS (aka Internet Campu ...) NOT-FOR-US: Jenzabar CVE-2019-10010 (Cross-site scripting (XSS) vulnerability in the PHP League CommonMark ...) NOT-FOR-US: PHP League CommonMark library CVE-2019-10009 (A Directory Traversal issue was discovered in the Web GUI in Titan FTP ...) NOT-FOR-US: Titan FTP CVE-2019-10008 (Zoho ManageEngine ServiceDesk 9.3 allows session hijacking and privile ...) NOT-FOR-US: Zoho ManageEngine ServiceDesk CVE-2019-10007 RESERVED CVE-2019-10006 RESERVED CVE-2019-10005 RESERVED CVE-2019-10004 RESERVED CVE-2019-10003 RESERVED CVE-2019-10002 RESERVED CVE-2019-10001 RESERVED CVE-2019-10000 RESERVED CVE-2019-9972 RESERVED CVE-2019-9971 RESERVED CVE-2019-9970 (Open Whisper Signal (aka Signal-Desktop) through 1.23.1 and the Signal ...) - signal-desktop (bug #842943) CVE-2019-9969 (XnView Classic 2.48 on Windows allows remote attackers to cause a deni ...) NOT-FOR-US: XnView CVE-2019-9968 (XnView Classic 2.48 on Windows allows remote attackers to cause a deni ...) NOT-FOR-US: XnView CVE-2019-9967 (XnView Classic 2.48 on Windows allows remote attackers to cause a deni ...) NOT-FOR-US: XnView CVE-2019-9966 (XnView Classic 2.48 on Windows allows remote attackers to cause a deni ...) NOT-FOR-US: XnView CVE-2019-9965 (XnView MP 0.93.1 on Windows allows remote attackers to cause a denial ...) NOT-FOR-US: XnView CVE-2019-9964 (XnView MP 0.93.1 on Windows allows remote attackers to cause a denial ...) NOT-FOR-US: XnView CVE-2019-9963 (XnView MP 0.93.1 on Windows allows remote attackers to cause a denial ...) NOT-FOR-US: XnView CVE-2019-9962 (XnView MP 0.93.1 on Windows allows remote attackers to cause a denial ...) NOT-FOR-US: XnView CVE-2019-9961 (A cross-site scripting (XSS) vulnerability in ressource view in core/m ...) NOT-FOR-US: Wikindx CVE-2019-9960 (The downloadZip function in application/controllers/admin/export.php i ...) - limesurvey (bug #472802) CVE-2019-9959 (The JPXStream::init function in Poppler 0.78.0 and earlier doesn't che ...) {DLA-1963-1} [experimental] - poppler 0.81.0-1 - poppler (low; bug #941776) [buster] - poppler (Minor issue) [stretch] - poppler (Minor issue) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/805 NOTE: Patch: https://gitlab.freedesktop.org/poppler/poppler/commit/68ef84e5968a4249c2162b839ca6d7975048a557 (poppler-0.79.0) NOTE: Reproducer: https://gitlab.freedesktop.org/poppler/poppler/uploads/3f22837ebd503f87e730b51221b89742/raiter_issue5465.pdf CVE-2019-9958 (CSRF within the admin panel in Quadbase EspressReport ES (ERES) v7.0 u ...) NOT-FOR-US: Quadbase EspressReport ES (ERES) CVE-2019-9957 (Stored XSS within Quadbase EspressReport ES (ERES) v7.0 update 7 allow ...) NOT-FOR-US: Quadbase EspressReport ES (ERES) CVE-2019-9956 (In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer overflow in ...) {DSA-4436-1 DLA-1785-1} - imagemagick 8:6.9.10.23+dfsg-2.1 (bug #925395) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1523 NOTE: https://github.com/ImageMagick/ImageMagick/commit/34a6a5a45e83a4af852090b4e43f168a380df979 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/90401e430840c5ff31ad870f4370bbda1318ac94 CVE-2019-9955 (On Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, ...) NOT-FOR-US: Zyxel CVE-2019-9954 RESERVED CVE-2019-9953 RESERVED CVE-2019-9952 RESERVED CVE-2019-9951 (Western Digital My Cloud, My Cloud Mirror Gen2, My Cloud EX2 Ultra, My ...) NOT-FOR-US: Western Digital CVE-2019-9950 (Western Digital My Cloud, My Cloud Mirror Gen2, My Cloud EX2 Ultra, My ...) NOT-FOR-US: Western Digital CVE-2019-9949 (Western Digital My Cloud Cloud, Mirror Gen2, EX2 Ultra, EX2100, EX4100 ...) NOT-FOR-US: Western Digital CVE-2019-9948 (urllib in Python 2.x through 2.7.16 supports the local_file: scheme, w ...) {DLA-1852-1 DLA-1834-1} - python3.7 3.7.4~rc2-2 [buster] - python3.7 3.7.3-2+deb10u1 - python3.6 - python3.5 - python3.4 - python2.7 2.7.16-2 [stretch] - python2.7 (Minor issue) NOTE: https://bugs.python.org/issue35907 NOTE: https://github.com/python/cpython/pull/11842 NOTE: https://github.com/python/cpython/commit/34bab215596671d0dec2066ae7d7450cd73f638b (3.7) NOTE: https://github.com/python/cpython/commit/4f06dae5d8d4400ba38d8502da620f07d4a5696e (3.6) NOTE: https://github.com/python/cpython/commit/b15bde8058e821b383d81fcae68b335a752083ca (2.7) NOTE: https://github.com/python/cpython/commit/942c31dffbe886ff02e25a319cc3891220b8c641 (2.7) CVE-2019-9947 (An issue was discovered in urllib2 in Python 2.x through 2.7.16 and ur ...) {DLA-1835-1 DLA-1834-1} - python3.7 3.7.4~rc2-2 [buster] - python3.7 3.7.3-2+deb10u1 - python3.6 - python3.5 - python3.4 - python2.7 2.7.16-3 [buster] - python2.7 2.7.16-2+deb10u1 [stretch] - python2.7 (Minor issue) NOTE: https://bugs.python.org/issue35906 NOTE: Introduced by: https://github.com/python/cpython/commit/cc54c1c0d2d05fe7404ba64c53df4b1352ed2262 NOTE: CVE-2019-9947 issue fixed with same fix as for CVE-2019-9740 NOTE: Patch 2.7: https://github.com/python/cpython/commit/bb8071a4cae5ab3fe321481dd3d73662ffb26052 CVE-2019-9946 (Cloud Native Computing Foundation (CNCF) CNI (Container Networking Int ...) - kubernetes NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1692712 TODO: singularity-container seems to embed as well a copy of cni CVE-2019-9945 (SoftNAS Cloud 4.2.0 and 4.2.1 allows remote command execution. The NGI ...) NOT-FOR-US: SoftNAS Cloud CVE-2019-9944 (In Open Microscopy Environment OMERO.server 5.0.0 through 5.6.0, the r ...) NOT-FOR-US: Open Microscopy Environment OMERO.server CVE-2019-9943 (In ome.services.graphs.GraphTraversal.findObjectDetails in Open Micros ...) NOT-FOR-US: Open Microscopy Environment OMERO.server CVE-2016-10743 (hostapd before 2.6 does not prevent use of the low-quality PRNG that i ...) {DLA-1733-1} - wpa 2:2.6-7 (unimportant) NOTE: https://w1.fi/cgit/hostap/commit/?id=98a516eae8260e6fd5c48ddecf8d006285da7389 NOTE: There was already a 2.6 upload late in 2016 but then reverted to a 2.4 based NOTE: version and only reuploaded as 2:2.6-7 to unstable. CVE-2019-9942 (A sandbox information disclosure exists in Twig before 1.38.0 and 2.x ...) {DSA-4419-1} [experimental] - twig 2.7.1-1 - twig 2.6.2-2 [jessie] - twig (low priority, sandbox disabled by default) NOTE: https://github.com/twigphp/Twig/commit/eac5422956e1dcca89a3669a03a3ff32f0502077 NOTE: https://symfony.com/blog/twig-sandbox-information-disclosure CVE-2019-9941 RESERVED CVE-2019-9940 RESERVED CVE-2019-9939 (The SHAREit application before 4.0.36 for Android allows a remote atta ...) NOT-FOR-US: SHAREit CVE-2019-9938 (The SHAREit application before 4.0.42 for Android allows a remote atta ...) NOT-FOR-US: SHAREit CVE-2019-9937 (In SQLite 3.27.2, interleaving reads and writes in a single transactio ...) - sqlite3 3.27.2-2 (low; bug #925290) [stretch] - sqlite3 (Minor issue) [jessie] - sqlite3 (fts5 introducded later, function not available for fts3) NOTE: https://sqlite.org/src/info/45c73deb440496e8 CVE-2019-9936 (In SQLite 3.27.2, running fts5 prefix queries inside a transaction cou ...) - sqlite3 3.27.2-2 (low; bug #925289) [stretch] - sqlite3 (Minor issue) [jessie] - sqlite3 (fts5 introducded later, function not available for fts3) NOTE: https://sqlite.org/src/info/b3fa58dd7403dbd4 CVE-2019-9935 (Various Lexmark products have Incorrect Access Control (issue 2 of 2). ...) NOT-FOR-US: Lexmark CVE-2019-9934 (Various Lexmark products have Incorrect Access Control (issue 1 of 2). ...) NOT-FOR-US: Lexmark CVE-2019-9933 (Various Lexmark products have a Buffer Overflow (issue 3 of 3). ...) NOT-FOR-US: Lexmark CVE-2019-9932 (Various Lexmark products have a Buffer Overflow (issue 2 of 3). ...) NOT-FOR-US: Lexmark CVE-2019-9931 (Various Lexmark printers contain a denial of service vulnerability in ...) NOT-FOR-US: Lexmark CVE-2019-9930 (Various Lexmark products have an Integer Overflow. ...) NOT-FOR-US: Lexmark CVE-2019-9929 (Northern.tech CFEngine Enterprise 3.12.1 has Insecure Permissions. ...) - cfengine3 (Issue only affecting CFEngine Enterprise 3.x version) NOTE: Issue is specific to Enterprise version leaking CFE_ROBOT user secrets on NOTE: installation of CFEngine Enterprise Hub package. CVE-2019-9928 (GStreamer before 1.16.0 has a heap-based buffer overflow in the RTSP c ...) {DSA-4437-1 DLA-1770-1 DLA-1769-1} [experimental] - gst-plugins-base1.0 1.15.90-1 - gst-plugins-base1.0 1.14.4-2 (bug #927978) - gst-plugins-base0.10 NOTE: https://gstreamer.freedesktop.org/security/sa-2019-0001.html NOTE: https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/merge_requests/157 NOTE: https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/commit/f672277509705c4034bc92a141eefee4524d15aa (1.15.90) CVE-2019-9927 (Caret before 2019-02-22 allows Remote Code Execution. ...) NOT-FOR-US: Caret editor CVE-2019-9926 (An issue was discovered in LabKey Server 19.1.0. It is possible to for ...) NOT-FOR-US: LabKey Server CVE-2019-9925 (S-CMS PHP v1.0 has XSS in 4.edu.php via the S_id parameter. ...) NOT-FOR-US: S-CMS PHP CVE-2019-9924 (rbash in Bash before 4.4-beta2 did not prevent the shell user from mod ...) {DLA-1726-1} - bash 4.4-1 (low) NOTE: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1803441 CVE-2019-9923 (pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointe ...) - tar (unimportant; bug #925286) NOTE: http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120 NOTE: http://savannah.gnu.org/bugs/?55369 (private) NOTE: https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241 NOTE: Crash in CLI tool, no security impact CVE-2019-9922 (An issue was discovered in the Harmis JE Messenger component 1.2.2 for ...) NOT-FOR-US: Harmis JE Messenger component for Joomla! CVE-2019-9921 (An issue was discovered in the Harmis JE Messenger component 1.2.2 for ...) NOT-FOR-US: Harmis JE Messenger component for Joomla! CVE-2019-9920 (An issue was discovered in the Harmis JE Messenger component 1.2.2 for ...) NOT-FOR-US: Harmis JE Messenger component for Joomla! CVE-2019-9919 (An issue was discovered in the Harmis JE Messenger component 1.2.2 for ...) NOT-FOR-US: Harmis JE Messenger component for Joomla! CVE-2019-9918 (An issue was discovered in the Harmis JE Messenger component 1.2.2 for ...) NOT-FOR-US: Harmis JE Messenger component for Joomla! CVE-2019-9917 (ZNC before 1.7.3-rc1 allows an existing remote user to cause a Denial ...) {DSA-4463-1} - znc 1.7.2-2 (bug #925285) [jessie] - znc (Minor issue, workaround is to disable modpython) NOTE: https://github.com/znc/znc/commit/64613bc8b6b4adf1e32231f9844d99cd512b8973 NOTE: Every version between 0.096 and 1.7.2 (incl) is vulnerable to the issue, NOTE: but earlier versions could not be fixed without a major rewrite. A workaround NOTE: though is to disable modpython. CVE-2019-9916 RESERVED CVE-2019-9915 (GetSimpleCMS 3.3.13 has an Open Redirect via the admin/index.php redir ...) NOT-FOR-US: GetSimpleCMS CVE-2019-9914 (The yop-poll plugin before 6.0.3 for WordPress has wp-admin/admin.php? ...) NOT-FOR-US: Wordpress plugin CVE-2019-9913 (The wp-live-chat-support plugin before 8.0.18 for WordPress has wp-adm ...) NOT-FOR-US: Wordpress plugin CVE-2019-9912 (The wp-google-maps plugin before 7.10.43 for WordPress has XSS via the ...) NOT-FOR-US: Wordpress plugin CVE-2019-9911 (The social-networks-auto-poster-facebook-twitter-g plugin before 4.2.8 ...) NOT-FOR-US: Wordpress plugin CVE-2019-9910 (The kingcomposer plugin 2.7.6 for WordPress has wp-admin/admin.php?pag ...) NOT-FOR-US: Wordpress plugin CVE-2019-9909 (The "Donation Plugin and Fundraising Platform" plugin before 2.3.1 for ...) NOT-FOR-US: Wordpress plugin CVE-2019-9908 (The font-organizer plugin 2.1.1 for WordPress has wp-admin/options-gen ...) NOT-FOR-US: Wordpress plugin CVE-2019-9907 RESERVED CVE-2019-9906 RESERVED CVE-2019-9905 RESERVED CVE-2019-9904 (An issue was discovered in lib\cdt\dttree.c in libcdt.a in graphviz 2. ...) - graphviz (low; bug #925284) [buster] - graphviz (Minor issue) [stretch] - graphviz (Minor issue) [jessie] - graphviz (Minor issue) NOTE: https://gitlab.com/graphviz/graphviz/issues/1512 CVE-2019-9903 (PDFDoc::markObject in PDFDoc.cc in Poppler 0.74.0 mishandles dict mark ...) [experimental] - poppler 0.81.0-1 - poppler (low; bug #925264) [buster] - poppler (Minor issue) [stretch] - poppler (Minor issue) [jessie] - poppler (Vulnerable code not present) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/741 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/fada09a2ccc11a3a1d308e810f1336d8df6011fd CVE-2019-9902 RESERVED CVE-2019-9901 (Envoy 1.9.0 and before does not normalize HTTP URL paths. A remote att ...) NOT-FOR-US: envoy proxy (not the same as itp'ed envoy, #758651) CVE-2019-9900 (When parsing HTTP/1.x header values, Envoy 1.9.0 and before does not r ...) NOT-FOR-US: envoy proxy (not the same as itp'ed envoy, #758651) CVE-2019-9899 RESERVED CVE-2019-9898 (Potential recycling of random numbers used in cryptography exists with ...) {DSA-4423-1 DLA-1763-1} - putty 0.70-6 NOTE: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-rng-reuse.html NOTE: https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=320bf8479ff5bcbad239db4f9f4aa63656b0675e CVE-2019-9897 (Multiple denial-of-service attacks that can be triggered by writing to ...) {DSA-4423-1 DLA-1763-1} - putty 0.70-6 NOTE: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-terminal-dos-one-column-cjk.html NOTE: https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=03777723e553024e94d8bfcf182f3a2e92ffb914 NOTE: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-terminal-dos-combining-chars-double-width-gtk.html NOTE: https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=daf91ef8ae9780bb1dfb534afa79e4babb89ba26 NOTE: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-terminal-dos-combining-chars.html NOTE: https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=da1c8f15b1bc14c855f0027cf06ba7f1a9c36f3c CVE-2019-9896 (In PuTTY versions before 0.71 on Windows, local attackers could hijack ...) - putty (Only affects PuTTY specific on Windows) CVE-2019-9895 (In PuTTY versions before 0.71 on Unix, a remotely triggerable buffer o ...) {DSA-4423-1} - putty 0.70-6 [jessie] - putty (Too intrusive to backport, patch uses callback handling that is not yet available in Jessie) NOTE: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-fd-set-overflow.html NOTE: https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=5c926d9ea4a9e0a0a2384f06c7583648cdff3ed6 CVE-2019-9894 (A remotely triggerable memory overwrite in RSA key exchange in PuTTY b ...) {DSA-4423-1 DLA-1763-1} - putty 0.70-6 NOTE: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-rsa-kex-integer-overflow.html NOTE: https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=d82854999516046122501b2e145099740ed0284f CVE-2019-9892 (An issue was discovered in Open Ticket Request System (OTRS) 5.x throu ...) {DLA-1774-1} - otrs2 6.0.18-1 [buster] - otrs2 6.0.16-2 [stretch] - otrs2 (Non-free not supported) NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/3617488c6c28e06203e4127c7b031140f775a685 NOTE: OTRS 5: https://github.com/OTRS/otrs/commit/c3b9342a85c6f2c9382e074ad9cc440ce80a6f34 NOTE: https://community.otrs.com/security-advisory-2019-04-security-update-for-otrs-framework/ CVE-2019-9891 (The function getopt_simple as described in Advanced Bash Scripting Gui ...) NOT-FOR-US: Advanced Bash Scripting Guide CVE-2019-9890 (An issue was discovered in GitLab Community and Enterprise Edition 10. ...) [experimental] - gitlab 11.8.2-1 - gitlab 11.8.2-2 (bug #924447) NOTE: https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released/ CVE-2019-9889 (In Vanilla before 2.6.4, a flaw exists within the getSingleIndex funct ...) NOT-FOR-US: Vanilla Forums CVE-2019-9888 RESERVED CVE-2019-1010319 (WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialize ...) - wavpack 5.1.0-7 (low; bug #932061) [buster] - wavpack (Minor issue) [stretch] - wavpack (Minor issue) [jessie] - wavpack (Minor issue) NOTE: https://github.com/dbry/WavPack/commit/33a0025d1d63ccd05d9dbaa6923d52b1446a62fe NOTE: https://github.com/dbry/WavPack/issues/68 CVE-2019-1010318 REJECTED CVE-2019-1010317 (WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialize ...) - wavpack 5.1.0-7 (low; bug #932060) [buster] - wavpack (Minor issue) [stretch] - wavpack (Minor issue) [jessie] - wavpack (Minor issue) NOTE: https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b NOTE: https://github.com/dbry/WavPack/issues/66 CVE-2019-1010316 (pyxtrlock 0.3 and earlier is affected by: Incorrect Access Control. Th ...) NOT-FOR-US: pyxtrlock CVE-2019-1010315 (WavPack 5.1 and earlier is affected by: CWE 369: Divide by Zero. The i ...) - wavpack 5.1.0-6 (low) [stretch] - wavpack (Minor issue) [jessie] - wavpack (Minor issue) NOTE: https://github.com/dbry/WavPack/commit/4c0faba32fddbd0745cbfaf1e1aeb3da5d35b9fc NOTE: https://github.com/dbry/WavPack/issues/65 CVE-2019-1010314 (Gitea 1.7.2, 1.7.3 is affected by: Cross Site Scripting (XSS). The imp ...) - gitea CVE-2019-1010313 RESERVED CVE-2019-1010312 REJECTED CVE-2019-1010311 REJECTED CVE-2019-1010310 (GLPI GLPI Product 9.3.1 is affected by: Frame and Form tags Injection ...) - glpi (unimportant) NOTE: https://github.com/glpi-project/glpi/pull/5519 NOTE: Only supported behind an authenticated HTTP zone CVE-2019-1010309 REJECTED CVE-2019-1010308 (Aquaverde GmbH Aquarius CMS prior to version 4.1.1 is affected by: Inc ...) NOT-FOR-US: Aquaverde GmbH Aquarius CMS CVE-2019-1010307 (GLPI GLPI Product 9.3.1 is affected by: Cross Site Scripting (XSS). Th ...) - glpi (unimportant) NOTE: Only supported behind an authenticated HTTP zone CVE-2019-1010306 (Slanger 0.6.0 is affected by: Remote Code Execution (RCE). The impact ...) NOT-FOR-US: Slanger CVE-2019-1010305 (libmspack 0.9.1alpha is affected by: Buffer Overflow. The impact is: I ...) {DLA-1895-1} - libmspack 0.10.1-1 [stretch] - libmspack (Minor issue) NOTE: https://github.com/kyz/libmspack/commit/2f084136cfe0d05e5bf5703f3e83c6d955234b4d NOTE: https://github.com/kyz/libmspack/issues/27 CVE-2019-1010304 (Saleor Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f ...) NOT-FOR-US: Mirumee Saleor CVE-2019-1010303 RESERVED CVE-2019-1010302 (jhead 3.03 is affected by: Incorrect Access Control. The impact is: De ...) {DLA-2054-1} - jhead 1:3.03-2 (unimportant; bug #932146) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1679978 NOTE: No security impact, crash in CLI tool CVE-2019-1010301 (jhead 3.03 is affected by: Buffer Overflow. The impact is: Denial of s ...) {DLA-2054-1} - jhead 1:3.03-2 (unimportant; bug #932145) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1679952 NOTE: No security impact, crash in CLI tool CVE-2019-1010300 (mz-automation libiec61850 1.3.2 1.3.1 1.3.0 is affected by: Buffer Ove ...) NOT-FOR-US: libIEC61850 CVE-2019-1010299 (The Rust Programming Language Standard Library 1.18.0 and later is aff ...) - rustc 1.30.0+dfsg1-1 [stretch] - rustc (Minor issue) [jessie] - rustc (Minor issue) NOTE: https://github.com/rust-lang/rust/issues/53566 NOTE: https://github.com/rust-lang/rust/pull/53571/commits/b85e4cc8fadaabd41da5b9645c08c68b8f89908d CVE-2019-1010298 (Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow ...) NOT-FOR-US: Linaro/OP-TEE OP-TEE CVE-2019-1010297 (Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow ...) NOT-FOR-US: Linaro/OP-TEE OP-TEE CVE-2019-1010296 (Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow ...) NOT-FOR-US: Linaro/OP-TEE OP-TEE CVE-2019-1010295 (Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow ...) NOT-FOR-US: Linaro/OP-TEE OP-TEE CVE-2019-1010294 (Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Rounding error. ...) NOT-FOR-US: Linaro/OP-TEE OP-TEE CVE-2019-1010293 (Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Boundary crossi ...) NOT-FOR-US: Linaro/OP-TEE OP-TEE CVE-2019-1010292 (Linaro/OP-TEE OP-TEE Prior to version v3.4.0 is affected by: Boundary ...) NOT-FOR-US: Linaro/OP-TEE OP-TEE CVE-2019-1010291 RESERVED CVE-2019-1010290 (Babel: Multilingual site Babel All is affected by: Open Redirection. T ...) NOT-FOR-US: Babel: Multilingual CVE-2019-1010289 RESERVED CVE-2019-1010288 RESERVED CVE-2019-1010287 (Timesheet Next Gen 1.5.3 and earlier is affected by: Cross Site Script ...) NOT-FOR-US: Timesheet Next Gen CVE-2019-1010286 RESERVED CVE-2019-1010285 RESERVED CVE-2019-1010284 RESERVED CVE-2019-1010283 (Univention Corporate Server univention-directory-notifier 12.0.1-3 and ...) NOT-FOR-US: Univention Corporate Server univention-directory-notifier CVE-2019-1010282 RESERVED CVE-2019-1010281 RESERVED CVE-2019-1010280 RESERVED CVE-2019-1010279 (Open Information Security Foundation Suricata prior to version 4.1.3 i ...) - suricata 1:4.1.3-1 (low) [buster] - suricata (Minor issue) [stretch] - suricata (Minor issue) [jessie] - suricata (Minor issue) NOTE: https://github.com/OISF/suricata/pull/3625 NOTE: https://github.com/OISF/suricata/commit/d8634daf74c882356659addb65fb142b738a186b NOTE: https://redmine.openinfosecfoundation.org/issues/2770 CVE-2019-1010278 RESERVED CVE-2019-1010277 RESERVED CVE-2019-1010276 RESERVED CVE-2019-1010275 (helm Before 2.7.2 is affected by: CWE-295: Improper Certificate Valida ...) - helm-kubernetes (bug #910799) CVE-2019-1010274 RESERVED CVE-2019-1010273 RESERVED CVE-2019-1010272 RESERVED CVE-2019-1010271 RESERVED CVE-2019-1010270 RESERVED CVE-2019-1010269 RESERVED CVE-2019-1010268 (Ladon since 0.6.1 (since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059) is ...) NOT-FOR-US: Ladon CVE-2019-1010267 RESERVED CVE-2019-1010266 (lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource ...) - node-lodash 4.17.11+dfsg-1 (unimportant) NOTE: https://github.com/lodash/lodash/issues/3359 NOTE: https://snyk.io/vuln/SNYK-JS-LODASH-73639 NOTE: nodejs not covered by security support CVE-2019-1010265 RESERVED CVE-2019-1010264 RESERVED CVE-2019-1010263 (Perl Crypt::JWT prior to 0.023 is affected by: Incorrect Access Contro ...) - libcrypt-jwt-perl (Fixed with the initial upload to Debian) NOTE: https://github.com/DCIT/perl-Crypt-JWT/commit/b98a59b42ded9f9e51b2560410106207c2152d6c NOTE: https://www.openwall.com/lists/oss-security/2018/09/07/1 CVE-2019-1010262 REJECTED CVE-2019-1010261 (Gitea 1.7.0 and earlier is affected by: Cross Site Scripting (XSS). Th ...) - gitea CVE-2019-1010260 (Using ktlint to download and execute custom rulesets can result in arb ...) NOT-FOR-US: ktlint CVE-2019-1010259 (SaltStack Salt 2018.3, 2019.2 is affected by: SQL Injection. The impac ...) - salt 2018.3.4~git20180207+dfsg1-1 [jessie] - salt (vulnerable MySQL queries are not present) NOTE: https://github.com/saltstack/salt/pull/51462 CVE-2019-1010258 (nanosvg library nanosvg after commit c1f6e209c16b18b46aa9f45d7e619acf4 ...) NOT-FOR-US: nanosvg CVE-2019-1010257 (An Information Disclosure / Data Modification issue exists in article2 ...) NOT-FOR-US: article2pdf Wordpress plugin CVE-2019-1010256 RESERVED CVE-2019-1010255 RESERVED CVE-2019-1010254 RESERVED CVE-2019-1010253 RESERVED CVE-2019-1010252 (The Linux Foundation ONOS 2.0.0 and earlier is affected by: Poor Input ...) NOT-FOR-US: ONOS CVE-2019-1010251 (Open Information Security Foundation Suricata prior to version 4.1.2 i ...) - suricata 1:4.1.2-2 (low) [buster] - suricata (Minor issue) [stretch] - suricata (Minor issue) [jessie] - suricata (Minor issue) NOTE: https://github.com/OISF/suricata/commit/11f3659f64a4e42e90cb3c09fcef66894205aefe NOTE: https://github.com/OISF/suricata/commit/8357ef3f8ffc7d99ef6571350724160de356158b NOTE: https://redmine.openinfosecfoundation.org/issues/2736 CVE-2019-1010250 (The Linux Foundation ONOS 2.0.0 and earlier is affected by: Poor Input ...) NOT-FOR-US: ONOS CVE-2019-1010249 (The Linux Foundation ONOS 2.0.0 and earlier is affected by: Integer Ov ...) NOT-FOR-US: ONOS CVE-2019-1010248 (Synetics GmbH I-doit 1.12 and earlier is affected by: SQL Injection. T ...) NOT-FOR-US: ONOS CVE-2019-1010247 (ZmartZone IAM mod_auth_openidc 2.3.10.1 and earlier is affected by: Cr ...) {DLA-1894-1} - libapache2-mod-auth-openidc 2.3.10.2-1 NOTE: Fixed by: https://github.com/zmartzone/mod_auth_openidc/commit/132a4111bf3791e76437619a66336dce2ce4c79b (v2.3.10.2) NOTE: https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2019-001_mod_auth_openidc_reflected_xss.txt CVE-2019-1010246 (MailCleaner before c888fbb6aaa7c5f8400f637bcf1cbb844de46cd9 is affecte ...) NOT-FOR-US: MailCleaner CVE-2019-1010245 (The Linux Foundation ONOS SDN Controller 1.15 and earlier versions is ...) NOT-FOR-US: ONOS CVE-2019-1010244 RESERVED CVE-2019-1010243 RESERVED CVE-2019-1010242 RESERVED CVE-2019-1010241 (Jenkins Credentials Binding Plugin Jenkins 1.17 is affected by: CWE-25 ...) NOT-FOR-US: Jenkins plugin CVE-2019-1010240 RESERVED CVE-2019-1010239 (DaveGamble/cJSON cJSON 1.7.8 is affected by: Improper Check for Unusua ...) - cjson 1.7.10-1 NOTE: https://github.com/DaveGamble/cJSON/commit/be749d7efa7c9021da746e685bd6dec79f9dd99b NOTE: https://github.com/DaveGamble/cJSON/issues/315 CVE-2019-1010238 (Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact ...) {DSA-4496-1} - pango1.0 1.42.4-7 (bug #933860) [stretch] - pango1.0 (Vulnerable code introduced later) [jessie] - pango1.0 (Vulnerable code introduced later) NOTE: https://gitlab.gnome.org/GNOME/pango/issues/342 NOTE: https://gitlab.gnome.org/GNOME/pango/commit/490f8979a260c16b1df055eab386345da18a2d54 (1.44) CVE-2019-1010237 (Ilias 5.3 before 5.3.12; 5.2 before 5.2.21 is affected by: Cross Site ...) NOT-FOR-US: ILIAS CVE-2019-1010236 RESERVED CVE-2019-1010235 (Frog CMS 1.1 is affected by: Cross Site Scripting (XSS). The impact is ...) NOT-FOR-US: Frog CMS CVE-2019-1010234 (The Linux Foundation ONOS 1.15.0 and ealier is affected by: Improper I ...) NOT-FOR-US: ONOS CVE-2019-1010233 RESERVED CVE-2019-1010232 (Juniper juniper/libslax libslax latest version (as of commit 084ddf6ab ...) NOT-FOR-US: Juniper CVE-2019-1010231 RESERVED CVE-2019-1010230 RESERVED CVE-2019-1010229 RESERVED CVE-2019-1010228 (OFFIS.de DCMTK 3.6.3 and below is affected by: Buffer Overflow. The im ...) - dcmtk 3.6.4-1 (low) [stretch] - dcmtk (Minor issue) [jessie] - dcmtk (Minor issue) NOTE: https://support.dcmtk.org/redmine/issues/858 NOTE: https://github.com/commontk/DCMTK/commit/40917614e CVE-2019-1010227 RESERVED CVE-2019-1010226 RESERVED CVE-2019-1010225 RESERVED CVE-2019-1010224 REJECTED CVE-2019-1010223 REJECTED CVE-2019-1010222 REJECTED CVE-2019-1010221 (LineageOS 16.0 and earlier is affected by: Incorrect Access Control. T ...) NOT-FOR-US: LineageOS CVE-2019-1010220 (tcpdump.org tcpdump 4.9.2 is affected by: CWE-126: Buffer Over-read. T ...) - tcpdump (unimportant) NOTE: No security impact CVE-2019-1010219 RESERVED CVE-2019-1010218 (Cherokee Webserver Latest Cherokee Web server Upto Version 1.2.103 (Cu ...) - cherokee CVE-2019-1010217 RESERVED CVE-2019-1010216 RESERVED CVE-2019-1010215 RESERVED CVE-2019-1010214 RESERVED CVE-2019-1010213 RESERVED CVE-2019-1010212 RESERVED CVE-2019-1010211 RESERVED CVE-2019-1010210 RESERVED CVE-2019-1010209 (GoUrl.io GoURL Wordpress Plugin 1.4.13 and earlier is affected by: CWE ...) NOT-FOR-US: GoUrl.io GoURL Wordpress Plugin CVE-2019-1010208 (IDRIX, Truecrypt Veracrypt, Truecrypt Prior to 1.23-Hotfix-1 (Veracryp ...) NOT-FOR-US: VeraCrypt CVE-2019-1010207 (Genetechsolutions Pie Register 3.0.15 is affected by: Cross Site Scrip ...) NOT-FOR-US: Genetechsolutions Pie Register CVE-2019-1010206 (OSS Http Request (Apache Cordova Plugin) 6 is affected by: Missing SSL ...) NOT-FOR-US: OSS Http Request (Apache Cordova Plugin) CVE-2019-1010205 (LINAGORA hublin latest (commit 72ead897082403126bf8df9264e70f0a9de247f ...) NOT-FOR-US: LINAGORA hublin CVE-2019-1010204 (GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is aff ...) - binutils (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23765 NOTE: binutils not covered by security support CVE-2019-1010203 RESERVED CVE-2019-1010202 (Jeesite 1.2.7 is affected by: XML External Entity (XXE). The impact is ...) NOT-FOR-US: Jeesite CVE-2019-1010201 (Jeesite 1.2.7 is affected by: SQL Injection. The impact is: sensitive ...) NOT-FOR-US: Jeesite CVE-2019-1010200 (Voice Builder Prior to commit c145d4604df67e6fc625992412eef0bf9a85e26b ...) NOT-FOR-US: Voice Builder CVE-2019-1010199 (ServiceStack ServiceStack Framework 4.5.14 is affected by: Cross Site ...) NOT-FOR-US: ServiceStack ServiceStack Framework CVE-2019-1010198 RESERVED CVE-2019-1010197 RESERVED CVE-2019-1010196 RESERVED CVE-2019-1010195 RESERVED CVE-2019-1010194 RESERVED CVE-2019-1010193 (hisiphp 1.0.8 is affected by: Cross Site Scripting (XSS). ...) NOT-FOR-US: hisiphp CVE-2019-1010192 RESERVED CVE-2019-1010191 (marginalia < 1.6 is affected by: SQL Injection. The impact is: The ...) NOT-FOR-US: marginalia CVE-2019-1010190 (mgetty prior to 1.2.1 is affected by: out-of-bounds read. The impact i ...) - mgetty 1.2.1-1 [stretch] - mgetty (Minor issue) [jessie] - mgetty (Minor issue) NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-007-mgetty/ CVE-2019-1010189 (mgetty prior to version 1.2.1 is affected by: Infinite Loop. The impac ...) - mgetty 1.2.1-1 [stretch] - mgetty (Minor issue) [jessie] - mgetty (Minor issue) NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-007-mgetty/ CVE-2019-1010188 RESERVED CVE-2019-1010187 RESERVED CVE-2019-1010186 RESERVED CVE-2019-1010185 RESERVED CVE-2019-1010184 RESERVED CVE-2019-1010183 (serde serde_yaml 0.6.0 to 0.8.3 is affected by: Uncontrolled Recursion ...) NOT-FOR-US: serde_yaml CVE-2019-1010182 (yaml-rust 0.4.0 and earlier is affected by: Uncontrolled Recursion. Th ...) - rust-yaml-rust (Fixed before initial release to Debian) NOTE: https://github.com/chyh1990/yaml-rust/pull/109 CVE-2019-1010181 RESERVED CVE-2019-1010180 (GNU gdb All versions is affected by: Buffer Overflow - Out of bound me ...) - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8ff71a9c80cfcf64c54d4ae938c644b1b1ea19fb NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23657 CVE-2019-1010179 (PHKP including commit 88fd9cfdf14ea4b6ac3e3967feea7bcaabb6f03b is affe ...) NOT-FOR-US: PHKP CVE-2019-1010178 (Fred MODX Revolution < 1.0.0-beta5 is affected by: Incorrect Access ...) NOT-FOR-US: Fred MODX Revolution CVE-2019-1010177 (Jsish 2.4.70 2.047 is affected by: Use After Free. The impact is: deni ...) NOT-FOR-US: Jsish CVE-2019-1010176 (JerryScript commit 4e58ccf68070671e1fff5cd6673f0c1d5b80b166 is affecte ...) NOT-FOR-US: JerryScript CVE-2019-1010175 RESERVED CVE-2019-1010174 (CImg The CImg Library v.2.3.3 and earlier is affected by: command inje ...) {DLA-1934-1} - cimg 2.3.6+dfsg-1 NOTE: https://framagit.org/dtschump/CImg/commit/5ce7a426b77f814973e56182a0e76a2b04904146 (v.2.3.4) CVE-2019-1010173 (Jsish 2.4.84 2.0484 is affected by: Reachable Assertion. The impact is ...) NOT-FOR-US: Jsish CVE-2019-1010172 (Jsish 2.4.84 2.0484 is affected by: Uncontrolled Resource Consumption. ...) NOT-FOR-US: Jsish CVE-2019-1010171 (Jsish 2.4.83 2.0483 is affected by: Nullpointer dereference. The impac ...) NOT-FOR-US: Jsish CVE-2019-1010170 (Jsish 2.4.77 2.0477 is affected by: Use After Free. The impact is: den ...) NOT-FOR-US: Jsish CVE-2019-1010169 (Jsish 2.4.77 2.0477 is affected by: Out-of-bounds Read. The impact is: ...) NOT-FOR-US: Jsish CVE-2019-1010168 RESERVED CVE-2019-1010167 RESERVED CVE-2019-1010166 RESERVED CVE-2019-1010165 RESERVED CVE-2019-1010164 RESERVED CVE-2019-1010163 (Socusoft Co Photo 2 Video Converter 8.0.0 is affected by: Buffer Overf ...) NOT-FOR-US: Socusoft Co Photo 2 Video Converter CVE-2019-1010162 (jsish 2.4.74 2.0474 is affected by: CWE-476: NULL Pointer Dereference. ...) NOT-FOR-US: Jsish CVE-2019-1010161 (perl-CRYPT-JWT 0.022 and earlier is affected by: Incorrect Access Cont ...) - libcrypt-jwt-perl (Fixed with initial upload to Debian) NOTE: https://github.com/DCIT/perl-Crypt-JWT/issues/3#issuecomment-417947483 CVE-2019-1010160 RESERVED CVE-2019-1010159 RESERVED CVE-2019-1010158 RESERVED CVE-2019-1010157 RESERVED CVE-2019-1010156 REJECTED CVE-2019-1010155 (** DISPUTED ** D-Link DSL-2750U 1.11 is affected by: Authentication By ...) NOT-FOR-US: D-Link CVE-2019-1010154 RESERVED CVE-2019-1010153 (zzcms 8.3 and earlier is affected by: SQL Injection. The impact is: sq ...) NOT-FOR-US: zzcms CVE-2019-1010152 (zzcms 8.3 and earlier is affected by: File Delete to Code Execution. T ...) NOT-FOR-US: zzcms CVE-2019-1010151 (zzcms zzmcms 8.3 and earlier is affected by: File Delete to getshell. ...) NOT-FOR-US: zzcms CVE-2019-1010150 (zzcms 8.3 and earlier is affected by: File Delete to Code Execution. T ...) NOT-FOR-US: zzcms CVE-2019-1010149 (zzcms version 8.3 and earlier is affected by: File Delete to Code Exec ...) NOT-FOR-US: zzcms CVE-2019-1010148 (zzcms version 8.3 and earlier is affected by: SQL Injection. The impac ...) NOT-FOR-US: zzcms CVE-2019-1010147 (Yellowfin Smart Reporting All Versions Prior to 7.3 is affected by: In ...) NOT-FOR-US: Yellowfin Smart Reporting CVE-2019-1010146 RESERVED CVE-2019-1010145 RESERVED CVE-2019-1010144 RESERVED CVE-2019-1010143 RESERVED CVE-2019-1010142 (scapy 2.4.0 is affected by: Denial of Service. The impact is: infinite ...) - scapy 2.4.2-1 [buster] - scapy (Minor issue) [stretch] - scapy (Vulnerable code not present) [jessie] - scapy (Vulnerable code not present) NOTE: https://github.com/secdev/scapy/pull/1409 NOTE: https://github.com/secdev/scapy/commit/0d7ae2b039f650a40e511d09eb961c782da025d9 (v2.4.1) NOTE: https://github.com/secdev/scapy/pull/1409/files#diff-441eff981e466959968111fc6314fe93L1058 CVE-2019-1010141 RESERVED CVE-2019-1010140 RESERVED CVE-2019-1010139 RESERVED CVE-2019-1010138 RESERVED CVE-2019-1010137 RESERVED CVE-2019-1010136 (ChinaMobile GPN2.4P21-C-CN W2001EN-00 is affected by: Incorrect Access ...) NOT-FOR-US: ChinaMobile GPN2.4P21-C-CN W2001EN-00 CVE-2019-1010135 RESERVED CVE-2019-1010134 RESERVED CVE-2019-1010133 RESERVED CVE-2019-1010132 RESERVED CVE-2019-1010131 RESERVED CVE-2019-1010130 RESERVED CVE-2019-1010129 REJECTED CVE-2019-1010128 RESERVED CVE-2019-1010127 (VCFTools vcftools prior to version 0.1.15 is affected by: Use-after-fr ...) - vcftools 0.1.16-1 [stretch] - vcftools 0.1.14+dfsg-4+deb9u1 [jessie] - vcftools 0.1.12+dfsg-1+deb8u1 NOTE: https://github.com/vcftools/vcftools/commit/00a5b615a61054f23c01a04ebb6790a55029f695 (v0.1.16) NOTE: https://github.com/vcftools/vcftools/commit/e94e2992e2c0f4cc95864a42fe470c040f95712e (v0.1.16) NOTE: https://github.com/vcftools/vcftools/commit/d657d60e37f5d705f9dbb578b516db6e420fb424 (v0.1.16) NOTE: https://github.com/vcftools/vcftools/commit/f6453c581b8113053a25689226920f7ded2e8270 (fix for typo in warning log message)) NOTE: CVE-2019-1010127 is a different issue than CVE-2018-11099, CVE-2018-11129 and NOTE: CVE-2018-11130 but covered with same set of upstream commits. CVE-2019-1010126 RESERVED CVE-2019-1010125 RESERVED CVE-2019-1010124 (WebAppick WooCommerce Product Feed 2.2.18 and earlier is affected by: ...) NOT-FOR-US: WebAppick WooCommerce Product Feed CVE-2019-1010123 (MODX Revolution Gallery 1.7.0 is affected by: CWE-434: Unrestricted Up ...) NOT-FOR-US: MODX Revolution Gallery CVE-2019-1010122 RESERVED CVE-2019-1010121 RESERVED CVE-2019-1010120 RESERVED CVE-2019-1010119 RESERVED CVE-2019-1010118 RESERVED CVE-2019-1010117 RESERVED CVE-2019-1010116 RESERVED CVE-2019-1010115 RESERVED CVE-2019-1010114 RESERVED CVE-2019-1010113 (Premium Software CLEditor 1.4.5 and earlier is affected by: Cross Site ...) NOT-FOR-US: Premium Software CLEditor CVE-2019-1010112 (OECMS v4.3.R60321 and v4.3 later is affected by: Cross Site Request Fo ...) NOT-FOR-US: OECMS CVE-2019-1010111 RESERVED CVE-2019-1010110 RESERVED CVE-2019-1010109 RESERVED CVE-2019-1010108 RESERVED CVE-2019-1010107 RESERVED CVE-2019-1010106 RESERVED CVE-2019-1010105 RESERVED CVE-2019-1010104 (TechyTalk Quick Chat WordPress Plugin All up to the latest is affected ...) NOT-FOR-US: TechyTalk Quick Chat WordPress Plugin All CVE-2019-1010103 RESERVED CVE-2019-1010102 RESERVED CVE-2019-1010101 (Akeo Consulting Rufus 3.0 and earlier is affected by: Insecure Permiss ...) NOT-FOR-US: Akeo Consulting Rufus CVE-2019-1010100 (Akeo Consulting Rufus 3.0 and earlier is affected by: DLL search order ...) NOT-FOR-US: Akeo Consulting Rufus CVE-2019-1010099 RESERVED CVE-2019-1010098 RESERVED CVE-2019-1010097 RESERVED CVE-2019-1010096 (DomainMOD v4.10.0 is affected by: Cross Site Request Forgery (CSRF). T ...) NOT-FOR-US: domainmod CVE-2019-1010095 (DomainMOD v4.10.0 is affected by: Cross Site Request Forgery (CSRF). T ...) NOT-FOR-US: domainmod CVE-2019-1010094 (domainmod v4.10.0 is affected by: Cross Site Request Forgery (CSRF). T ...) NOT-FOR-US: domainmod CVE-2019-1010093 RESERVED CVE-2019-1010092 RESERVED CVE-2019-1010091 (tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization ...) - tinymce [jessie] - tinymce (Minor issue, requires manually copy/pasting javascript to execute it, can't reproduce on Jessie) NOTE: https://github.com/tinymce/tinymce/issues/4394 TODO: check CVE-2019-1010090 RESERVED CVE-2019-1010089 RESERVED CVE-2019-1010088 RESERVED CVE-2019-1010087 RESERVED CVE-2019-1010086 RESERVED CVE-2019-1010085 RESERVED CVE-2019-1010084 (Dancer::Plugin::SimpleCRUD 1.14 and earlier is affected by: Incorrect ...) NOT-FOR-US: Dancer::Plugin::SimpleCRUD CVE-2019-1010083 (The Pallets Project Flask before 1.0 is affected by: unexpected memory ...) - flask 1.0.2-1 [stretch] - flask (Minor issue) [jessie] - flask (Minor issue) NOTE: https://www.palletsprojects.com/blog/flask-1-0-released/ NOTE: https://github.com/pallets/flask/pull/2691/commits/ab4142215d836b0298fc47fa1e4b75408b9c37a0 NOTE: After communication with MITRE, this CVE *might* overlap CVE-2018-1000656. NOTE: CVE-2019-1010083 was back then assigned by the DWF CNA, but the exact scope NOTE: of the CVE is unclear and might for instance be for an incomplete fix of NOTE: CVE-2018-1000656. As such it was only noted with a "may overlap". The NOTE: CVE-2019-1010083 only refers to the 1.0 release announcement and it is NOTE: guaranteed that it relates as well to pull request 2691. Upstream itself did NOTE: not comment on direct pings/questions back. CVE-2019-1010082 RESERVED CVE-2019-1010081 RESERVED CVE-2019-1010080 RESERVED CVE-2019-1010079 RESERVED CVE-2019-1010078 RESERVED CVE-2019-1010077 RESERVED CVE-2019-1010076 RESERVED CVE-2019-1010075 RESERVED CVE-2019-1010074 RESERVED CVE-2019-1010073 REJECTED CVE-2019-1010072 RESERVED CVE-2019-1010071 RESERVED CVE-2019-1010070 RESERVED CVE-2019-1010069 (moinejf abcm2ps 8.13.20 is affected by: Incorrect Access Control. The ...) - abcm2ps 8.14.2-0.1 (unimportant) NOTE: https://github.com/leesavide/abcm2ps/issues/18 NOTE: https://github.com/leesavide/abcm2ps/commit/08aef597656d065e86075f3d53fda89765845eae (v8.13.21) NOTE: Crash in CLI tool, no security impact CVE-2019-1010068 RESERVED CVE-2019-1010067 RESERVED CVE-2019-1010066 (Lawrence Livermore National Laboratory msr-safe v1.1.0 is affected by: ...) NOT-FOR-US: Lawrence Livermore National Laboratory msr-safe CVE-2019-1010065 (The Sleuth Kit 4.6.0 and earlier is affected by: Integer Overflow. The ...) - sleuthkit 4.6.1-1 (unimportant) NOTE: https://github.com/sleuthkit/sleuthkit/commit/114cd3d0aac8bd1aeaf4b33840feb0163d342d5b (4.6.1) NOTE: Negligible security impact CVE-2019-1010064 RESERVED CVE-2019-1010063 RESERVED CVE-2019-1010062 (PluckCMS 4.7.4 and earlier is affected by: CWE-434 Unrestricted Upload ...) NOT-FOR-US: PluckCMS CVE-2019-1010061 REJECTED CVE-2019-1010060 (NASA CFITSIO prior to 3.43 is affected by: Buffer Overflow. The impact ...) - cfitsio 3.430-1 (low; bug #892458) [stretch] - cfitsio (Minor issue) [jessie] - cfitsio (Minor issue) NOTE: The issue is specifically to other issues not covered by CVE-2018-3846, NOTE: CVE-2018-3847, CVE-2018-3848, and CVE-2018-3849 but fixed in 3.43. One NOTE: example is ftp_status in drvrnet.c mishandling a long string beginning NOTE: with a '4' character. CVE-2019-1010059 RESERVED CVE-2019-1010058 RESERVED CVE-2019-1010057 (nfdump 1.6.16 and earlier is affected by: Buffer Overflow. The impact ...) - nfdump 1.6.17-1 [stretch] - nfdump (Minor issue; can be fixed via point release) NOTE: https://github.com/phaag/nfdump/issues/104 NOTE: https://github.com/phaag/nfdump/commit/9f0fe9563366f62a71d34c92229da3432ec5cf0e CVE-2019-1010056 RESERVED CVE-2019-1010055 RESERVED CVE-2019-1010054 (Dolibarr 7.0.0 is affected by: Cross Site Request Forgery (CSRF). The ...) - dolibarr CVE-2019-1010053 RESERVED CVE-2019-1010052 RESERVED CVE-2019-1010051 RESERVED CVE-2019-1010050 RESERVED CVE-2019-1010049 RESERVED CVE-2019-1010048 REJECTED CVE-2019-1010047 RESERVED CVE-2019-1010046 RESERVED CVE-2019-1010045 RESERVED CVE-2019-1010044 (borg-reducer c6d5240 is affected by: Buffer Overflow. The impact is: P ...) NOT-FOR-US: borg-reducer CVE-2019-1010043 (Quake3e < 5ed740d is affected by: Buffer Overflow. The impact is: P ...) - ioquake3 (unimportant) NOTE: https://github.com/ec-/Quake3e/issues/9 NOTE: https://github.com/ec-/Quake3e/commit/fea3c4144c7b325634cdf638d1582c772a2db3bd NOTE: No security impact CVE-2019-1010042 REJECTED CVE-2019-1010041 RESERVED CVE-2019-1010040 RESERVED CVE-2019-1010039 (uLaunchELF < commit 170827a is affected by: Buffer Overflow. The im ...) NOT-FOR-US: uLaunchELF CVE-2019-1010038 (OpenModelica OMCompiler is affected by: Buffer Overflow. The impact is ...) NOT-FOR-US: OpenModelica OMCompiler CVE-2019-1010037 RESERVED CVE-2019-1010036 RESERVED CVE-2019-1010035 RESERVED CVE-2019-1010034 (Deepwoods Software WebLibrarian 3.5.2 and earlier is affected by: SQL ...) NOT-FOR-US: Deepwoods Software WebLibrarian CVE-2019-1010033 RESERVED CVE-2019-1010032 RESERVED CVE-2019-1010031 RESERVED CVE-2019-1010030 REJECTED CVE-2019-1010029 RESERVED CVE-2019-1010028 (phpscriptsmall.com School College Portal with ERP Script 2.6.1 and ear ...) NOT-FOR-US: School College Portal CVE-2019-1010027 RESERVED CVE-2019-1010026 RESERVED CVE-2019-1010025 (** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The ...) - glibc (unimportant) NOTE: Not treated as a security issue by upstream NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22853 CVE-2019-1010024 (GNU Libc current is affected by: Mitigation bypass. The impact is: Att ...) - glibc (unimportant) NOTE: Not treated as a security issue by upstream NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22852 CVE-2019-1010023 (GNU Libc current is affected by: Re-mapping current loaded libray with ...) - glibc (unimportant) NOTE: Not treated as a security issue by upstream NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22851 CVE-2019-1010022 (GNU Libc current is affected by: Mitigation bypass. The impact is: Att ...) - glibc (unimportant) NOTE: Not treated as a security issue by upstream NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22850 CVE-2019-1010021 RESERVED CVE-2019-1010020 RESERVED CVE-2019-1010019 RESERVED CVE-2019-1010018 (Zammad GmbH Zammad 2.3.0 and earlier is affected by: Cross Site Script ...) - zammad (bug #841355) CVE-2019-1010017 (libnmap < v0.6.3 is affected by: XML Injection. The impact is: Deni ...) - python-libnmap (low) [buster] - python-libnmap (Minor issue) NOTE: https://github.com/savon-noir/python-libnmap/issues/87 CVE-2019-1010016 (Dolibarr 6.0.4 is affected by: Cross Site Scripting (XSS). The impact ...) - dolibarr NOTE: https://github.com/Dolibarr/dolibarr/issues/7962 CVE-2019-1010015 RESERVED CVE-2019-1010014 RESERVED CVE-2019-1010013 RESERVED CVE-2019-1010012 RESERVED CVE-2019-1010011 REJECTED CVE-2019-1010010 RESERVED CVE-2019-1010009 (DGLogik Inc DGLux Server All Versions is affected by: Insecure Permiss ...) NOT-FOR-US: DGLogik Inc DGLux Server CVE-2019-1010008 (OpenEnergyMonitor Project Emoncms 9.8.8 is affected by: Cross Site Scr ...) NOT-FOR-US: OpenEnergyMonitor Project Emoncms CVE-2019-1010007 RESERVED CVE-2019-1010006 (Evince 3.26.0 is affected by buffer overflow. The impact is: DOS / Pos ...) {DSA-4624-1 DLA-1882-1 DLA-1881-1} - atril 1.22.2-1 [buster] - atril 1.20.3-1+deb10u1 - evince 3.27.92-1 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=788980 NOTE: https://gitlab.gnome.org/GNOME/evince/commit/e6ed0d4cdb6326e329c8f61f9cc19ff9331cb0ce (3.27.91) NOTE: https://gitlab.gnome.org/GNOME/evince/commit/e02fe9170ad0ac2fd46c75329c4f1d4502d4a362 (3.27.91) CVE-2019-1010005 (HexoEditor v1.1.8-beta is affected by: XSS to code execution. ...) NOT-FOR-US: HexoEditor CVE-2019-1010004 (SoX - Sound eXchange 14.4.2 and earlier is affected by: Out-of-bounds ...) {DLA-1695-1 DLA-1197-1} - sox 14.4.2-2 (bug #881121) [stretch] - sox 14.4.1-5+deb9u2 NOTE: https://github.com/mansr/sox/commit/7a8ceb86212b28243bbb6d0de636f0dfbe833e53 CVE-2019-1010003 (Leanote prior to version 2.6 is affected by: Cross Site Scripting (XSS ...) NOT-FOR-US: Leanote CVE-2019-1010002 RESERVED CVE-2019-1010001 RESERVED CVE-2019-6341 (In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.1 ...) {DSA-4412-1 DLA-1746-1} - drupal7 (bug #925176) NOTE: https://www.drupal.org/SA-CORE-2019-004 CVE-2019-9893 (libseccomp before 2.4.0 did not correctly generate 64-bit syscall argu ...) - libseccomp 2.4.1-1 (unimportant; bug #924646) NOTE: https://github.com/seccomp/libseccomp/issues/139 NOTE: No security issue by itself CVE-2019-9887 RESERVED CVE-2019-9886 (Any URLs with download_attachment.php under templates or home folders ...) NOT-FOR-US: BroadLearning eClass CVE-2019-9885 (eClass platform < ip.2.5.10.2.1 allows an attacker to execute SQL c ...) NOT-FOR-US: eClass platform CVE-2019-9884 (eClass platform < ip.2.5.10.2.1 allows an attacker to use GETS meth ...) NOT-FOR-US: eClass platform CVE-2019-9883 (Multi modules of MailSherlock MSR35 and MSR45 lead to a CSRF vulnerabi ...) NOT-FOR-US: MailSherlock CVE-2019-9882 (Multi modules of MailSherlock MSR35 and MSR45 lead to a CSRF vulnerabi ...) NOT-FOR-US: MailSherlock CVE-2019-9881 (The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress ...) NOT-FOR-US: WPGraphQL plugin for WordPress CVE-2019-9880 (An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. B ...) NOT-FOR-US: WPGraphQL plugin for WordPress CVE-2019-9879 (The WPGraphQL 0.2.3 plugin for WordPress allows remote attackers to re ...) NOT-FOR-US: WPGraphQL plugin for WordPress CVE-2019-9878 (There is an invalid memory access in the function GfxIndexedColorSpace ...) - xpdf (xpdf in Debian uses poppler, which is not affected or fixed) CVE-2019-9877 (There is an invalid memory access vulnerability in the function TextPa ...) - xpdf (xpdf in Debian uses poppler, which doesn't contain the vulnerable code) CVE-2019-9876 RESERVED CVE-2019-9875 (Deserialization of Untrusted Data in the anti CSRF module in Sitecore ...) NOT-FOR-US: Sitecore CMS CVE-2019-9874 (Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (a ...) NOT-FOR-US: Sitecore CMS CVE-2019-9873 (In several versions of JetBrains IntelliJ IDEA Ultimate, creating Task ...) - intellij-idea (bug #747616) CVE-2019-9872 (In several versions of JetBrains IntelliJ IDEA Ultimate, creating run ...) - intellij-idea (bug #747616) CVE-2019-9871 (Jector Smart TV FM-K75 devices allow remote code execution because the ...) NOT-FOR-US: Jector Smart TV FM-K75 devices CVE-2019-9870 (plugin.js in the w8tcha oEmbed plugin before 2019-03-14 for CKEditor m ...) NOT-FOR-US: w8tcha oEmbed plugin for CKEditor CVE-2019-9869 RESERVED CVE-2019-9868 (An issue was discovered in the Web Console in Veritas NetBackup Applia ...) NOT-FOR-US: Veritas NetBackup Appliance CVE-2019-9867 (An issue was discovered in the Web Console in Veritas NetBackup Applia ...) NOT-FOR-US: Veritas NetBackup Appliance CVE-2019-9866 (An issue was discovered in GitLab Community and Enterprise Edition 11. ...) - gitlab 11.8.3-1 (bug #925196) NOTE: https://about.gitlab.com/2019/03/20/critical-security-release-gitlab-11-dot-8-dot-3-released/ CVE-2019-9865 (When RPC is enabled in Wind River VxWorks 6.9 prior to 6.9.1, a specia ...) NOT-FOR-US: Wind River VxWorks CVE-2019-9864 (PHP Scripts Mall Amazon Affiliate Store 2.1.6 allows Parameter Tamperi ...) NOT-FOR-US: PHP Scripts Mall Amazon Affiliate Store CVE-2019-9863 (Due to the use of an insecure algorithm for rolling codes in the ABUS ...) NOT-FOR-US: ABUS CVE-2019-9862 (An issue was discovered on ABUS Secvest wireless alarm system FUAA5000 ...) NOT-FOR-US: ABUS CVE-2019-9861 (Due to the use of an insecure RFID technology (MIFARE Classic), ABUS p ...) NOT-FOR-US: ABUS CVE-2019-9860 (Due to unencrypted signal communication and predictability of rolling ...) NOT-FOR-US: ABUS CVE-2019-9859 (Vesta Control Panel (VestaCP) 0.9.7 through 0.9.8-23 is vulnerable to ...) NOT-FOR-US: Vesta Control Panel (VestaCP) CVE-2019-9858 (Remote code execution was discovered in Horde Groupware Webmail 5.2.22 ...) {DSA-4468-1 DLA-1822-1} - php-horde-form 2.0.18-3.1 (bug #930321) NOTE: https://ssd-disclosure.com/archives/3814/ssd-advisory-horde-groupware-webmail-authenticated-arbitrary-file-injection-to-rce NOTE: https://github.com/horde/Form/commit/c916ba979ad1613d76a9407dd0b67968a9594c0e CVE-2019-9856 RESERVED CVE-2019-9855 (LibreOffice is typically bundled with LibreLogo, a programmable turtle ...) - libreoffice (Windows-specific) NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2019-9855/ CVE-2019-9854 (LibreOffice has a feature where documents can specify that pre-install ...) {DSA-4519-1 DLA-1947-1} - libreoffice 1:6.3.1~rc2-1 NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2019-9854/ CVE-2019-9853 (LibreOffice documents can contain macros. The execution of those macro ...) {DSA-4501-1 DLA-1947-1} - libreoffice 1:6.3.0-1 NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2019-9853 CVE-2019-9852 (LibreOffice has a feature where documents can specify that pre-install ...) {DSA-4501-1 DLA-1947-1} - libreoffice 1:6.3.0-1 NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2019-9852/ CVE-2019-9851 (LibreOffice is typically bundled with LibreLogo, a programmable turtle ...) {DSA-4501-1 DLA-1947-1} - libreoffice 1:6.3.0-1 NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2019-9851/ CVE-2019-9850 (LibreOffice is typically bundled with LibreLogo, a programmable turtle ...) {DSA-4501-1 DLA-1947-1} - libreoffice 1:6.3.0-1 NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2019-9850/ CVE-2019-9849 (LibreOffice has a 'stealth mode' in which only documents from location ...) {DSA-4483-1 DLA-1947-1} [experimental] - libreoffice 1:6.3.0~beta2-1 - libreoffice 1:6.3.0~rc1-1 NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2019-9849/ CVE-2019-9848 (LibreOffice has a feature where documents can specify that pre-install ...) {DSA-4483-1 DLA-1947-1} [experimental] - libreoffice 1:6.3.0~beta2-1 - libreoffice 1:6.3.0~rc1-1 NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848/ CVE-2019-9847 (A vulnerability in LibreOffice hyperlink processing allows an attacker ...) - libreoffice (Only affects Libreoffice on Windows and macOS) NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2019-9847/ CVE-2019-9857 (In the Linux kernel through 5.0.2, the function inotify_update_existin ...) - linux 4.19.37-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/62c9d2674b31d4c8a674bee86b7edc6da2803aea CVE-2019-9846 (RockOA 1.8.7 allows remote attackers to obtain sensitive information b ...) NOT-FOR-US: RockOA CVE-2019-9845 (madskristensen Miniblog.Core through 2019-01-16 allows remote attacker ...) NOT-FOR-US: madskristensen Miniblog.Core CVE-2019-9844 (simple-markdown.js in Khan Academy simple-markdown before 0.4.4 allows ...) NOT-FOR-US: Khan Academy simple-markdown CVE-2019-9843 (In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and befo ...) NOT-FOR-US: DiffPlug Spotless CVE-2019-9842 (madskristensen MiniBlog through 2018-05-18 allows remote attackers to ...) NOT-FOR-US: madskristensen Miniblog CVE-2019-9841 (Vesta Control Panel 0.9.8-23 allows XSS via a crafted URL. ...) NOT-FOR-US: Vesta Control Panel CVE-2019-9840 RESERVED CVE-2018-20814 (An XSS issue was found with Psaldownload.cgi in Pulse Secure Pulse Con ...) NOT-FOR-US: Pulse Secure Pulse Connect Secure CVE-2018-20813 (An input validation issue has been found with login_meeting.cgi in Pul ...) NOT-FOR-US: Pulse Secure Pulse Connect Secure CVE-2018-20812 (An information exposure issue where IPv6 DNS traffic would be sent out ...) NOT-FOR-US: Pulse Secure Pulse Connect Secure CVE-2018-20811 (A hidden RPC service issue was found with Pulse Secure Pulse Connect S ...) NOT-FOR-US: Pulse Secure Pulse Connect Secure CVE-2018-20810 (Session data between cluster nodes during cluster synchronization is n ...) NOT-FOR-US: Pulse Secure Pulse Connect Secure CVE-2018-20809 (A crafted message can cause the web server to crash with Pulse Secure ...) NOT-FOR-US: Pulse Secure Pulse Connect Secure CVE-2018-20808 (An XSS issue has been found with rd.cgi in Pulse Secure Pulse Connect ...) NOT-FOR-US: Pulse Secure Pulse Connect Secure CVE-2018-20807 (An XSS issue has been found in welcome.cgi in Pulse Secure Pulse Conne ...) NOT-FOR-US: Pulse Secure Pulse Connect Secure CVE-2018-20806 (Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the ...) - phamm (low; bug #924731) [stretch] - phamm (Minor issue) [jessie] - phamm (Minor issue) NOTE: https://github.com/lota/phamm/issues/24 CVE-2019-9839 (VFront 0.99.5 has Reflected XSS via the admin/menu_registri.php descri ...) NOT-FOR-US: VFront CVE-2019-9838 (VFront 0.99.5 has stored XSS via the admin/sync_reg_tab.php azzera par ...) NOT-FOR-US: VFront CVE-2019-9837 (Doorkeeper::OpenidConnect (aka the OpenID Connect extension for Doorke ...) - ruby-doorkeeper-openid-connect 1.5.5-1 (bug #924747) NOTE: https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/61 NOTE: https://github.com/doorkeeper-gem/doorkeeper-openid_connect/pull/66 CVE-2019-9836 (Secure Encrypted Virtualization (SEV) on Advanced Micro Devices (AMD) ...) NOT-FOR-US: AMD Secure Encrypted Virtualization (SEV) CVE-2019-9835 (The receiver (aka bridge) component of Fujitsu Wireless Keyboard Set L ...) NOT-FOR-US: Fujitsu Wireless Keyboard Set LX901 GK900 devices CVE-2019-9834 (** DISPUTED ** The Netdata web application through 1.13.0 allows remot ...) - netdata (unimportant) NOTE: https://github.com/netdata/netdata/issues/5800#issuecomment-510986112 NOTE: Risk disupted by upstream because there is a clear warning next to the NOTE: button for importing a snapshot, thus treat the issue as unimportant with NOTE: negligible impact. CVE-2019-9833 (The Screen Stream application through 3.0.15 for Android allows remote ...) NOT-FOR-US: Screen Stream application for Android CVE-2019-9832 (The AirDrop application through 2.0 for Android allows remote attacker ...) NOT-FOR-US: AirDrop application for Android CVE-2019-9831 (The AirMore application through 1.6.1 for Android allows remote attack ...) NOT-FOR-US: AirMore application for Android CVE-2018-20805 RESERVED CVE-2018-20804 RESERVED CVE-2018-20803 RESERVED CVE-2018-20802 RESERVED CVE-2017-18363 RESERVED CVE-2015-9283 RESERVED CVE-2019-9830 RESERVED CVE-2019-9829 (Maccms 10 allows remote attackers to execute arbitrary PHP code by ent ...) NOT-FOR-US: Maccms CVE-2019-9828 RESERVED CVE-2019-9827 (Hawt Hawtio through 2.5.0 is vulnerable to SSRF, allowing a remote att ...) NOT-FOR-US: Hawtio CVE-2019-9826 (The fulltext search component in phpBB before 3.2.6 allows Denial of S ...) {DLA-1775-1} - phpbb3 NOTE: https://www.openwall.com/lists/oss-security/2019/04/29/3 NOTE: Fixed by https://github.com/phpbb/phpbb/commit/3075d2fecc9f5bb780bb478c0851a704c7f9b392 CVE-2019-9825 (FeiFeiCMS 4.1.190209 allows remote attackers to upload and execute arb ...) NOT-FOR-US: FeiFeiCMS CVE-2019-9824 (tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 u ...) {DSA-4454-1 DLA-1781-1} - qemu 1:3.1+dfsg-6 - qemu-kvm - slirp4netns 0.3.1-1 [buster] - slirp4netns 0.2.3-1 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-03/msg01871.html NOTE: https://www.openwall.com/lists/oss-security/2019/03/18/1 NOTE: https://github.com/qemu/qemu/commit/d3222975c7d6cda9e25809dea05241188457b113 CVE-2019-9823 (In several JetBrains IntelliJ IDEA versions, creating remote run confi ...) - intellij-idea (bug #747616) CVE-2019-9822 RESERVED CVE-2019-9821 (A use-after-free vulnerability can occur in AssertWorkerThread due to ...) [experimental] - firefox 67.0-1 - firefox 67.0-2 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9821 CVE-2019-9820 (A use-after-free vulnerability can occur in the chrome event handler w ...) {DSA-4451-1 DSA-4448-1 DLA-1806-1 DLA-1800-1} [experimental] - firefox 67.0-1 - firefox 67.0-2 - firefox-esr 60.7.0esr-1 - thunderbird 1:60.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9820 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-9820 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-9820 CVE-2019-9819 (A vulnerability where a JavaScript compartment mismatch can occur whil ...) {DSA-4451-1 DSA-4448-1 DLA-1806-1 DLA-1800-1} [experimental] - firefox 67.0-1 - firefox 67.0-2 - firefox-esr 60.7.0esr-1 - thunderbird 1:60.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9819 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-9819 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-9819 CVE-2019-9818 (A race condition is present in the crash generation server used to gen ...) - firefox (Windows-specific) - firefox-esr (Windows-specific) - thunderbird (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9818 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-9818 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-9818 CVE-2019-9817 (Images from a different domain can be read using a canvas object in so ...) {DSA-4451-1 DSA-4448-1 DLA-1806-1 DLA-1800-1} [experimental] - firefox 67.0-1 - firefox 67.0-2 - firefox-esr 60.7.0esr-1 - thunderbird 1:60.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9817 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-9817 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-9817 CVE-2019-9816 (A possible vulnerability exists where type confusion can occur when ma ...) {DSA-4451-1 DSA-4448-1 DLA-1806-1 DLA-1800-1} [experimental] - firefox 67.0-1 - firefox 67.0-2 - firefox-esr 60.7.0esr-1 - thunderbird 1:60.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9816 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-9816 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-9816 CVE-2019-9815 (If hyperthreading is not disabled, a timing attack vulnerability exist ...) - firefox (MacOS-specific) - firefox-esr (MacOS-specific) - thunderbird (MacOS-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9815 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-9815 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-9815 CVE-2019-9814 (Mozilla developers and community members reported memory safety bugs p ...) [experimental] - firefox 67.0-1 - firefox 67.0-2 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9814 CVE-2019-9813 (Incorrect handling of __proto__ mutations may lead to type confusion i ...) {DSA-4417-1 DLA-1727-1} - firefox 66.0.1-1 - firefox-esr 60.6.1esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-09/#CVE-2019-9813 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-10/#CVE-2019-9813 CVE-2019-9812 (Given a compromised sandboxed content process due to a separate vulner ...) {DSA-4516-1 DLA-1910-1} - firefox 69.0-1 - firefox-esr 68.1.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-9812 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-26/#CVE-2019-9812 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-27/#CVE-2019-9812 CVE-2019-9811 (As part of a winning Pwn2Own entry, a researcher demonstrated a sandbo ...) {DSA-4482-1 DSA-4479-1 DLA-1870-1 DLA-1869-1} - firefox 68.0-1 - firefox-esr 60.8.0esr-1 - thunderbird 1:60.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-9811 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-9811 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-23/#CVE-2019-9811 CVE-2019-9810 (Incorrect alias information in IonMonkey JIT compiler for Array.protot ...) {DSA-4417-1 DLA-1727-1} - firefox 66.0.1-1 - firefox-esr 60.6.1esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-09/#CVE-2019-9810 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-10/#CVE-2019-9810 CVE-2019-9809 (If the source for resources on a page is through an FTP connection, it ...) - firefox 66.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9809 CVE-2019-9808 (If WebRTC permission is requested from documents with data: or blob: U ...) - firefox 66.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9808 CVE-2019-9807 (When arbitrary text is sent over an FTP connection and a page reload i ...) - firefox 66.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9807 CVE-2019-9806 (A vulnerability exists during authorization prompting for FTP transact ...) - firefox 66.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9806 CVE-2019-9805 (A latent vulnerability exists in the Prio library where data may be re ...) - firefox 66.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9805 CVE-2019-9804 (In Firefox Developer Tools it is possible that pasting the result of t ...) - firefox (MacOS-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9804 CVE-2019-9803 (The Upgrade-Insecure-Requests (UIR) specification states that if UIR i ...) - firefox 66.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9803 CVE-2019-9802 (If a Sandbox content process is compromised, it can initiate an FTP do ...) - firefox 66.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9802 CVE-2019-9801 (Firefox will accept any registered Program ID as an external protocol ...) - firefox-esr (Windows-specific) - firefox (Windows-specific) - thunderbird (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-08/#CVE-2019-9801 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9801 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-11/#CVE-2019-9801 CVE-2019-9800 (Mozilla developers and community members reported memory safety bugs p ...) {DSA-4451-1 DSA-4448-1 DLA-1806-1 DLA-1800-1} [experimental] - firefox 67.0-1 - firefox 67.0-2 - firefox-esr 60.7.0esr-1 - thunderbird 1:60.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9800 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-9800 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-9800 CVE-2019-9799 (Insufficient bounds checking of data during inter-process communicatio ...) - firefox 66.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9799 CVE-2019-9798 (On Android systems, Firefox can load a library from APITRACE_LIB, whic ...) - firefox (Android-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9798 CVE-2019-9797 (Cross-origin images can be read in violation of the same-origin policy ...) {DSA-4451-1 DSA-4448-1 DLA-1806-1 DLA-1800-1} - firefox 66.0-1 - firefox-esr 60.7.0esr-1 - thunderbird 1:60.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9797 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-9797 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-9797 CVE-2019-9796 (A use-after-free vulnerability can occur when the SMIL animation contr ...) {DSA-4420-1 DSA-4411-1 DLA-1743-1 DLA-1722-1} - firefox-esr 60.6.0esr-1 - firefox 66.0-1 - thunderbird 1:60.6.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-08/#CVE-2019-9796 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9796 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-11/#CVE-2019-9796 CVE-2019-9795 (A vulnerability where type-confusion in the IonMonkey just-in-time (JI ...) {DSA-4420-1 DSA-4411-1 DLA-1743-1 DLA-1722-1} - firefox-esr 60.6.0esr-1 - firefox 66.0-1 - thunderbird 1:60.6.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-08/#CVE-2019-9795 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9795 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-11/#CVE-2019-9795 CVE-2019-9794 (A vulnerability was discovered where specific command line arguments a ...) - firefox-esr (Windows-specific) - firefox (Windows-specific) - thunderbird (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-08/#CVE-2019-9794 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9794 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-11/#CVE-2019-9794 CVE-2019-9793 (A mechanism was discovered that removes some bounds checking for strin ...) {DSA-4420-1 DSA-4411-1 DLA-1743-1 DLA-1722-1} - firefox-esr 60.6.0esr-1 - firefox 66.0-1 - thunderbird 1:60.6.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-08/#CVE-2019-9793 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9793 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-11/#CVE-2019-9793 CVE-2019-9792 (The IonMonkey just-in-time (JIT) compiler can leak an internal JS_OPTI ...) {DSA-4420-1 DSA-4411-1 DLA-1743-1 DLA-1722-1} - firefox-esr 60.6.0esr-1 - firefox 66.0-1 - thunderbird 1:60.6.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-08/#CVE-2019-9792 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9792 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-11/#CVE-2019-9792 CVE-2019-9791 (The type inference system allows the compilation of functions that can ...) {DSA-4420-1 DSA-4411-1 DLA-1743-1 DLA-1722-1} - firefox-esr 60.6.0esr-1 - firefox 66.0-1 - thunderbird 1:60.6.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-08/#CVE-2019-9791 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9791 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-11/#CVE-2019-9791 CVE-2019-9790 (A use-after-free vulnerability can occur when a raw pointer to a DOM e ...) {DSA-4420-1 DSA-4411-1 DLA-1743-1 DLA-1722-1} - firefox-esr 60.6.0esr-1 - firefox 66.0-1 - thunderbird 1:60.6.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-08/#CVE-2019-9790 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9790 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-11/#CVE-2019-9790 CVE-2019-9789 (Mozilla developers and community members reported memory safety bugs p ...) - firefox 66.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9789 CVE-2019-9788 (Mozilla developers and community members reported memory safety bugs p ...) {DSA-4420-1 DSA-4411-1 DLA-1743-1 DLA-1722-1} - firefox-esr 60.6.0esr-1 - firefox 66.0-1 - thunderbird 1:60.6.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-08/#CVE-2019-9788 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9788 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-11/#CVE-2019-9788 CVE-2019-9786 RESERVED CVE-2019-9785 (gitnote 3.1.0 allows remote attackers to execute arbitrary code via a ...) NOT-FOR-US: gitnote CVE-2019-9784 RESERVED CVE-2019-9783 RESERVED CVE-2019-9782 RESERVED CVE-2019-9781 RESERVED CVE-2019-9780 RESERVED CVE-2018-20801 (In js/parts/SvgRenderer.js in Highcharts JS before 6.1.0, the use of b ...) NOT-FOR-US: Highcharts JS CVE-2019-9787 (WordPress before 5.1.1 does not properly filter comment content, leadi ...) {DLA-1742-1} - wordpress 5.1.1+dfsg1-1 (bug #924546) [buster] - wordpress 5.0.4+dfsg1-1 [stretch] - wordpress 4.7.5+dfsg-2+deb9u6 NOTE: https://blog.ripstech.com/2019/wordpress-csrf-to-rce/ NOTE: Fixed by: https://github.com/WordPress/WordPress/commit/0292de60ec78c5a44956765189403654fe4d080b CVE-2019-9779 (An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. There is a N ...) - libredwg (bug #595191) CVE-2019-9778 (An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. There is a h ...) - libredwg (bug #595191) CVE-2019-9777 (An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. There is a h ...) - libredwg (bug #595191) CVE-2019-9776 (An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. There is a N ...) - libredwg (bug #595191) CVE-2019-9775 (An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. There is an ...) - libredwg (bug #595191) CVE-2019-9774 (An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. There is an ...) - libredwg (bug #595191) CVE-2019-9773 (An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. There is a h ...) - libredwg (bug #595191) CVE-2019-9772 (An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. There is a N ...) - libredwg (bug #595191) CVE-2019-9771 (An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. There is a N ...) - libredwg (bug #595191) CVE-2019-9770 (An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. There is a h ...) - libredwg (bug #595191) CVE-2019-9769 (PilusCart 1.4.1 is vulnerable to index.php?module=users&action=new ...) NOT-FOR-US: PilusCart CVE-2019-9768 (Thinkst Canarytokens through commit hash 4e89ee0 (2019-03-01) relies o ...) NOT-FOR-US: Thinkst Canarytokens CVE-2019-9767 (Stack-based buffer overflow in Free MP3 CD Ripper 2.6, when converting ...) NOT-FOR-US: Free MP3 CD Ripper CVE-2019-9766 (Stack-based buffer overflow in Free MP3 CD Ripper 2.6, when converting ...) NOT-FOR-US: Free MP3 CD Ripper CVE-2019-9765 (In Blog_mini 1.0, XSS exists via the author name of a comment reply in ...) NOT-FOR-US: Blog_mini CVE-2019-9764 (HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to ...) - consul (Only affected 1.4.3 version) NOTE: https://github.com/hashicorp/consul/issues/5519 CVE-2019-9763 (An issue was discovered in Openfind Mail2000 6.0 and 7.0 Webmail. XSS ...) NOT-FOR-US: Openfind Mail2000 Webmail CVE-2019-9762 (A SQL Injection was discovered in PHPSHE 1.7 in include/plugin/payment ...) NOT-FOR-US: PHPSHE CVE-2019-9761 (An XXE issue was discovered in PHPSHE 1.7, which can be used to read a ...) NOT-FOR-US: PHPSHE CVE-2019-9760 (FTPGetter Standard v.5.97.0.177 allows remote code execution when a us ...) NOT-FOR-US: FTPGetter CVE-2019-9759 (An issue was discovered in TONGDA Office Anywhere 10.18.190121. There ...) NOT-FOR-US: TONGDA Office Anywhere CVE-2019-9758 (An issue was discovered in LabKey Server 19.1.0. The display name of a ...) NOT-FOR-US: LabKey Server CVE-2019-9757 (An issue was discovered in LabKey Server 19.1.0. Sending an SVG contai ...) NOT-FOR-US: LabKey Server CVE-2019-9756 (An issue was discovered in GitLab Community and Enterprise Edition 10. ...) [experimental] - gitlab 11.8.2-1 - gitlab 11.8.2-2 (bug #924447) NOTE: https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released/ CVE-2019-9755 (An integer underflow issue exists in ntfs-3g 2017.3.23. A local attack ...) {DSA-4413-1 DLA-1724-1} - ntfs-3g 1:2017.3.23AR.3-3 (bug #925255) NOTE: https://sourceforge.net/p/ntfs-3g/ntfs-3g/ci/85c1634a26faa572d3c558d4cf8aaaca5202d4e9/ CVE-2019-9754 (An issue was discovered in Tiny C Compiler (aka TinyCC or TCC) 0.9.27. ...) - tcc (low; bug #925127) [buster] - tcc (Minor issue) [stretch] - tcc (Minor issue) [jessie] - tcc (Minor issue) NOTE: https://lists.nongnu.org/archive/html/tinycc-devel/2019-03/msg00038.html CVE-2019-9753 (An issue was discovered in Open Ticket Request System (OTRS) 7.x befor ...) - otrs2 (Only affects 7.x series) NOTE: https://community.otrs.com/security-advisory-2019-03-security-update-for-otrs-framework CVE-2019-9752 (An issue was discovered in Open Ticket Request System (OTRS) 5.x befor ...) {DLA-1721-1} - otrs2 6.0.16-1 [stretch] - otrs2 (Non-free not supported) NOTE: https://community.otrs.com/security-advisory-2019-01-security-update-for-otrs-framework/ NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/341c4096222819a108feb02256aba878943bf810 NOTE: OTRS 5: https://github.com/OTRS/otrs/commit/d4e3dfbaa054762b29df54705aa412685dd37e15 CVE-2019-9751 (An issue was discovered in Open Ticket Request System (OTRS) 6.x befor ...) - otrs2 6.0.17-1 [buster] - otrs2 6.0.16-2 [stretch] - otrs2 (Non-free not supported) [jessie] - otrs2 (Vulnerable code not present) NOTE: https://community.otrs.com/security-advisory-2019-02-security-update-for-otrs-framework NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/1afb2b995e59551b927c2105e234e8b87efcc37a CVE-2018-20800 (An issue was discovered in Open Ticket Request System (OTRS) 5.0.31 an ...) - otrs2 6.0.14-1 [stretch] - otrs2 (Non-free not supported) [jessie] - otrs2 (Vulnerable code not present) NOTE: https://community.otrs.com/security-advisory-2018-10-security-update-for-otrs-framework/ NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/8d17d58029efbb0bba25c4208e09e2d320eeb0c3 NOTE: OTRS 5: https://github.com/OTRS/otrs/commit/7d3c56d5b9bb38207695dae174dbba89a132e7b9 NOTE: For upstream versions only did affect OTRS 6.0.13 and OTRS 5.0.31. CVE-2019-9750 (In IoTivity through 1.3.1, the CoAP server interface can be used for D ...) - iotivity (bug #824155) CVE-2019-9749 (An issue was discovered in the MQTT input plugin in Fluent Bit through ...) NOT-FOR-US: Fluent Bit CVE-2019-9748 (In tinysvcmdns through 2018-01-16, an mDNS server processing a crafted ...) NOT-FOR-US: tinysvcmdns CVE-2019-9747 (In tinysvcmdns through 2018-01-16, a maliciously crafted mDNS (Multica ...) NOT-FOR-US: tinysvcmdns CVE-2019-9746 (In libwebm before 2019-03-08, a NULL pointer dereference caused by the ...) NOT-FOR-US: libwebm NOTE: Chromium and qtwebengine bundle the library, but not a security issue there CVE-2019-9745 (CloudCTI HIP Integrator Recognition Configuration Tool allows privileg ...) NOT-FOR-US: CloudCTI HIP Integrator Recognition Configuration Tool CVE-2019-9744 (An issue was discovered on PHOENIX CONTACT FL NAT SMCS 8TX, FL NAT SMN ...) NOT-FOR-US: PHOENIX CVE-2019-9743 (An issue was discovered on PHOENIX CONTACT RAD-80211-XD and RAD-80211- ...) NOT-FOR-US: PHOENIX CONTACT RAD-80211-XD and RAD-80211-XD/HP-BUS devices CVE-2019-9742 (gdwfpcd.sys in G Data Total Security before 2019-02-22 allows an attac ...) NOT-FOR-US: G Data Total Security CVE-2019-9741 (An issue was discovered in net/http in Go 1.11.5. CRLF injection is po ...) {DLA-1749-1} - golang-1.12 1.12-1 - golang-1.11 1.11.6-1 (bug #924630) - golang-1.8 [stretch] - golang-1.8 (Minor issue) - golang-1.7 [stretch] - golang-1.7 (Minor issue) - golang NOTE: https://github.com/golang/go/issues/30794 NOTE: https://github.com/golang/go/commit/829c5df58694b3345cb5ea41206783c8ccf5c3ca#diff-b97af51863ce82bf2a13003b52034aa9 NOTE: https://github.com/golang/go/commit/f1d662f34788f4a5f087581d0951cdf4e0f6e708#diff-b97af51863ce82bf2a13003b52034aa9 CVE-2019-9740 (An issue was discovered in urllib2 in Python 2.x through 2.7.16 and ur ...) {DLA-1835-1 DLA-1834-1} - python3.7 3.7.4~rc2-2 [buster] - python3.7 3.7.3-2+deb10u1 - python3.6 - python3.5 - python3.4 - python2.7 2.7.16-3 [buster] - python2.7 2.7.16-2+deb10u1 [stretch] - python2.7 (Minor issue) NOTE: https://bugs.python.org/issue36276 NOTE: https://bugs.python.org/issue30458 NOTE: CVE-2019-9947 issue fixed with same fix as for CVE-2019-9740 NOTE: Patch 2.7: https://github.com/python/cpython/commit/bb8071a4cae5ab3fe321481dd3d73662ffb26052 CVE-2019-9739 RESERVED CVE-2019-9738 (jimmykuu Gopher 2.0 has DOM-based XSS via vectors involving the '<E ...) NOT-FOR-US: jimmykuu Gopher CVE-2019-9737 (Editor.md 1.5.0 has DOM-based XSS via vectors involving the '<EMBED ...) NOT-FOR-US: pandao Editor.md CVE-2019-9736 (DOM-based XSS exists in 1024Tools Markdown 1.0 via vectors involving t ...) NOT-FOR-US: 1024Tools Markdown CVE-2019-9735 (An issue was discovered in the iptables firewall module in OpenStack N ...) {DSA-4409-1} - neutron 2:13.0.2-13 (bug #924508) [jessie] - neutron (Vulnerable code not present, all supported protocols are handled correctly) NOTE: https://launchpad.net/bugs/1818385 CVE-2019-9734 (Aquarius CMS through 4.3.5 writes POST and GET parameters (including p ...) NOT-FOR-US: aquaverde Aquarius CMS CVE-2019-9733 (An issue was discovered in JFrog Artifactory 6.7.3. By default, the ac ...) NOT-FOR-US: JFrog Artifactory CVE-2019-9732 (An issue was discovered in GitLab Community and Enterprise Edition 10. ...) [experimental] - gitlab 11.8.2-1 - gitlab 11.8.2-2 NOTE: https://about.gitlab.com/2019/03/14/gitlab-11-8-2-released/ CVE-2019-9731 RESERVED CVE-2019-9730 (Incorrect access control in the CxUtilSvc component of the Synaptics S ...) NOT-FOR-US: Lenovo CVE-2019-9729 (In Shanda MapleStory Online V160, the SdoKeyCrypt.sys driver allows pr ...) NOT-FOR-US: Shanda MapleStory Online CVE-2019-9728 RESERVED CVE-2019-9727 (Unauthenticated password hash disclosure in the User.getUserPWD method ...) NOT-FOR-US: eQ-3 AG Homematic CCU3 CVE-2019-9726 (Directory Traversal / Arbitrary File Read in eQ-3 AG Homematic CCU3 3. ...) NOT-FOR-US: eQ-3 AG Homematic CCU3 CVE-2019-9725 (The Web manager (aka Commander) on Korenix JetPort 5601 and 5601f devi ...) NOT-FOR-US: Korenix JetPort devices CVE-2019-9724 (aquaverde Aquarius CMS through 4.3.5 allows Information Exposure throu ...) NOT-FOR-US: aquaverde Aquarius CMS CVE-2019-9723 (LogicalDOC Community Edition 8.x before 8.2.1 has a path traversal vul ...) NOT-FOR-US: LogicalDOC CVE-2019-9722 RESERVED CVE-2019-9721 (A denial of service in the subtitle decoder in FFmpeg 4.1 allows attac ...) - ffmpeg 7:4.1.3-1 (bug #926666) [stretch] - ffmpeg (Vulnerable code not present) NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/894995c41e0795c7a44f81adc4838dedc3932e65 - libav [jessie] - libav (Vulnerable code not present) CVE-2019-9720 (A stack-based buffer overflow in the subtitle decoder in Libav 12.3 al ...) - libav (unimportant) NOTE: Actual vulnerability description is (https://lgtm.com/security/): NOTE: "Denial of service due to quadratic call to strstr in srtdec.c" NOTE: Using strstr is not an actual DoS CVE-2019-9719 (** DISPUTED ** A stack-based buffer overflow in the subtitle decoder i ...) - libav (unimportant) NOTE: Generic low-certainty warning about snprintf usage without rationale CVE-2019-9718 (In FFmpeg 4.1, a denial of service in the subtitle decoder allows atta ...) {DSA-4449-1} - ffmpeg 7:4.1.3-1 (low; bug #926666) NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/1f00c97bc3475c477f3c468cf2d924d5761d0982 - libav [jessie] - libav (Vulnerable code not present) CVE-2019-9717 (In Libav 12.3, a denial of service in the subtitle decoder allows atta ...) - libav (unimportant) NOTE: Non-trivial sscanf format is not an actual DoS CVE-2019-9716 RESERVED CVE-2019-9715 RESERVED CVE-2019-9714 (An issue was discovered in Joomla! before 3.9.4. The media form field ...) NOT-FOR-US: Joomla! CVE-2019-9713 (An issue was discovered in Joomla! before 3.9.4. The sample data plugi ...) NOT-FOR-US: Joomla! CVE-2019-9712 (An issue was discovered in Joomla! before 3.9.4. The JSON handler in c ...) NOT-FOR-US: Joomla! CVE-2019-9711 (An issue was discovered in Joomla! before 3.9.4. The item_title layout ...) NOT-FOR-US: Joomla! CVE-2019-9710 (An issue was discovered in webargs before 5.1.3, as used with marshmal ...) NOT-FOR-US: webargs CVE-2019-9709 (An issue was discovered in Mahara 17.10 before 17.10.8, 18.04 before 1 ...) - mahara CVE-2019-9708 (An issue was discovered in Mahara 17.10 before 17.10.8, 18.04 before 1 ...) - mahara CVE-2019-9707 RESERVED CVE-2019-9705 (Vixie Cron before the 3.0pl1-133 Debian package allows local users to ...) {DLA-1723-1} - cron 3.0pl1-133 (low) [stretch] - cron (Minor issue, will be fixed via point update) NOTE: Fixed by: https://salsa.debian.org/debian/cron/commit/26814a26 CVE-2019-9706 (Vixie Cron before the 3.0pl1-133 Debian package allows local users to ...) {DLA-1723-1} - cron 3.0pl1-133 (bug #809167) [stretch] - cron (Minor issue, will be fixed via point update) NOTE: Fixed by: https://salsa.debian.org/debian/cron/commit/40791b93 CVE-2019-9704 (Vixie Cron before the 3.0pl1-133 Debian package allows local users to ...) {DLA-1723-1} - cron 3.0pl1-133 (low) [stretch] - cron (Minor issue, will be fixed via point update) NOTE: Fixed by: https://salsa.debian.org/debian/cron/commit/f2525567 CVE-2019-9703 (Symantec Endpoint Encryption, prior to SEE 11.3.0, may be susceptible ...) NOT-FOR-US: Symantec CVE-2019-9702 (Symantec Endpoint Encryption, prior to SEE 11.3.0, may be susceptible ...) NOT-FOR-US: Symantec CVE-2019-9701 (DLP 15.5 MP1 and all prior versions may be susceptible to a cross-site ...) NOT-FOR-US: DLP (Symantec) CVE-2019-9700 (Norton Password Manager, prior to 6.3.0.2082, may be susceptible to an ...) NOT-FOR-US: Norton Password Manager CVE-2019-9699 (Symantec Messaging Gateway (prior to 10.7.0), may be susceptible to an ...) NOT-FOR-US: Symantec CVE-2019-9698 (Symantec AV Engine, prior to 13.0.9r17, may be susceptible to an arbit ...) NOT-FOR-US: Symantec CVE-2019-9697 (An information disclosure vulnerability in the Management Center (MC) ...) NOT-FOR-US: Symantec CVE-2019-9696 (Symantec VIP Enterprise Gateway (all versions) may be susceptible to a ...) NOT-FOR-US: Symantec CVE-2019-9695 (Norton Core prior to v278 may be susceptible to an arbitrary code exec ...) NOT-FOR-US: Norton Core CVE-2019-9694 (Symantec Endpoint Encryption prior to SEE 11.2.1 MP1 may be susceptibl ...) NOT-FOR-US: Symantec CVE-2019-9693 (In CMS Made Simple (CMSMS) before 2.2.10, an authenticated user can ac ...) NOT-FOR-US: CMS Made Simple CVE-2019-9692 (class.showtime2_image.php in CMS Made Simple (CMSMS) before 2.2.10 doe ...) NOT-FOR-US: CMS Made Simple CVE-2019-9691 RESERVED CVE-2019-9690 RESERVED CVE-2019-9689 (process_certificate in tls1.c in Cameron Hamilton-Rich axTLS through 2 ...) - axtls (bug #953326) CVE-2019-9688 (sftnow through 2018-12-29 allows index.php?g=Admin&m=User&a=ad ...) NOT-FOR-US: sftnow CVE-2019-9687 (PoDoFo 0.9.6 has a heap-based buffer overflow in PdfString::ConvertUTF ...) - libpodofo 0.9.6+dfsg-5 (bug #924430) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) NOTE: https://sourceforge.net/p/podofo/code/1969 CVE-2019-9686 (pacman before 5.1.3 allows directory traversal when installing a remot ...) NOT-FOR-US: pacman package manager for arch, different from src:pacman CVE-2019-9685 RESERVED CVE-2019-9684 RESERVED CVE-2019-9683 RESERVED CVE-2019-9682 (Dahua devices with Build time before December 2019 use strong security ...) NOT-FOR-US: Dahua CVE-2019-9681 (Online upgrade information in some firmware packages of Dahua products ...) NOT-FOR-US: Dahua CVE-2019-9680 (Some Dahua products have information leakage issues. Attackers can obt ...) NOT-FOR-US: Dahua CVE-2019-9679 (Some of Dahua's Debug functions do not have permission separation. Low ...) NOT-FOR-US: Dahua CVE-2019-9678 (Some Dahua products have the problem of denial of service during the l ...) NOT-FOR-US: Dahua CVE-2019-9677 (The specific fields of CGI interface of some Dahua products are not st ...) NOT-FOR-US: Dahua CVE-2019-9676 (Buffer overflow vulnerability found in some Dahua IP Camera devices IP ...) NOT-FOR-US: Dahua IP Camera devices CVE-2019-9675 (** DISPUTED ** An issue was discovered in PHP 7.x before 7.1.27 and 7. ...) {DSA-4403-1} - php7.3 7.3.3-1 (unimportant) - php7.0 (unimportant) - php5 (unimportant) NOTE: Fixed in 7.1.27, 7.3.3 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77586 CVE-2019-9674 (Lib/zipfile.py in Python through 3.7.2 allows remote attackers to caus ...) - python3.8 (unimportant) - python3.7 (unimportant) - python3.5 (unimportant) - python3.4 (unimportant) - python2.7 (unimportant) NOTE: https://bugs.python.org/issue36260 NOTE: https://bugs.python.org/issue36462 NOTE: Improved documentation: https://github.com/python/cpython/commit/3ba51d587f6897a45301ce9126300c14fcd4eba2 CVE-2019-9673 (Freenet 1483 has a MIME type bypass that allows arbitrary JavaScript e ...) NOT-FOR-US: Freenet CVE-2019-9672 RESERVED CVE-2019-9671 RESERVED CVE-2019-9670 (mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before ...) NOT-FOR-US: Synacor Zimbra Collaboration Suite CVE-2019-9669 (The Wordfence plugin 7.2.3 for WordPress allows XSS via a unique attac ...) NOT-FOR-US: Wordfence plugin for WordPress CVE-2019-9668 (An issue was discovered in rovinbhandari FTP through 2012-03-28. recei ...) NOT-FOR-US: rovinbhandari FTP CVE-2019-9667 RESERVED CVE-2019-9666 RESERVED CVE-2019-9665 RESERVED CVE-2019-9664 RESERVED CVE-2019-9663 RESERVED CVE-2019-9662 (An issue was discovered in JTBC(PHP) 3.0.1.8. Its cache management mod ...) NOT-FOR-US: JTBC(PHP) CVE-2019-9661 (Stored XSS exists in YzmCMS 5.2 via the admin/system_manage/user_confi ...) NOT-FOR-US: YzmCMS CVE-2019-9660 (Stored XSS exists in YzmCMS 5.2 via the admin/category/edit.html "catn ...) NOT-FOR-US: YzmCMS CVE-2019-9659 (The Chuango 433 MHz burglar-alarm product line uses static codes in th ...) NOT-FOR-US: Chuango CVE-2019-10782 (All versions of com.puppycrawl.tools:checkstyle before 8.29 are vulner ...) {DLA-2099-1} - checkstyle 8.29-1 [buster] - checkstyle (Incomplete fix for CVE-2019-9658 not applied) [stretch] - checkstyle (Incomplete fix for CVE-2019-9658 not applied) NOTE: https://snyk.io/vuln/SNYK-JAVA-COMPUPPYCRAWLTOOLS-543266 NOTE: https://github.com/checkstyle/checkstyle/issues/7468 NOTE: https://github.com/checkstyle/checkstyle/security/advisories/GHSA-763g-fqq7-48wg CVE-2019-9658 (Checkstyle before 8.18 loads external DTDs by default. ...) {DLA-1768-1} - checkstyle 8.26-1 (low; bug #924598) [buster] - checkstyle 8.15-1+deb10u1 [stretch] - checkstyle (Minor issue) NOTE: https://github.com/checkstyle/checkstyle/issues/6474 NOTE: https://github.com/checkstyle/checkstyle/issues/6478 NOTE: https://github.com/checkstyle/checkstyle/pull/6476 NOTE: https://github.com/checkstyle/checkstyle/commit/180b4fe37a2249d4489d584505f2b7b3ab162ec6 NOTE: When fixing this issue make sure to apply the complete fix to not open NOTE: CVE-2019-10782. CVE-2019-9657 (Alarm.com ADC-V522IR 0100b9 devices have Incorrect Access Control, a d ...) NOT-FOR-US: Alarm.com ADC-V522IR 0100b9 devices CVE-2019-9656 (An issue was discovered in LibOFX 0.9.14. There is a NULL pointer dere ...) {DLA-2001-1} - libofx 1:0.9.15-1 (unimportant; bug #924350) [buster] - libofx 1:0.9.14-1+deb10u1 [stretch] - libofx 1:0.9.10-2+deb9u2 NOTE: https://github.com/libofx/libofx/issues/22 NOTE: Negligible security impact CVE-2019-9655 RESERVED CVE-2019-9654 RESERVED CVE-2019-9653 (NUUO Network Video Recorder Firmware 1.7.x through 3.3.x allows unauth ...) NOT-FOR-US: NUUO Network Video Recorder Firmware CVE-2019-9652 (There is a CSRF in SDCMS V1.7 via an m=admin&c=theme&a=edit re ...) NOT-FOR-US: SDCMS CVE-2019-9651 (An issue was discovered in SDCMS V1.7. In the \app\admin\controller\th ...) NOT-FOR-US: SDCMS CVE-2019-9650 (An XSS issue was discovered in upcoming_events.php in the Upcoming Eve ...) NOT-FOR-US: MyBB plugin CVE-2019-9649 (An issue was discovered in the SFTP Server component in Core FTP 2.0 B ...) NOT-FOR-US: Core FTP CVE-2019-9648 (An issue was discovered in the SFTP Server component in Core FTP 2.0 B ...) NOT-FOR-US: Core FTP CVE-2019-9647 (Gila CMS 1.9.1 has XSS. ...) NOT-FOR-US: Gila CMS CVE-2019-9645 RESERVED CVE-2019-9646 (The Contact Form Email plugin before 1.2.66 for WordPress allows wp-ad ...) NOT-FOR-US: WordPress plugin contact-form-to-email CVE-2019-9644 (An XSSI (cross-site inclusion) vulnerability in Jupyter Notebook befor ...) - jupyter-notebook 5.7.8-1 (bug #924515) NOTE: https://github.com/jupyter/notebook/commit/cfc335b76466ccf1538ce545b654b29b5ab0097c NOTE: https://github.com/jupyter/notebook/commit/b5105814fc41c6d789b317fa59f786bad7f9d798 NOTE: https://github.com/jupyter/notebook/commit/bfaa61385729ed4fb453863053f9a79141f01119 CVE-2019-9643 RESERVED CVE-2019-9642 (An issue was discovered in proxy.php in pydio-core in Pydio through 8. ...) - extplorer CVE-2019-9636 (Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Impr ...) {DLA-1835-1 DLA-1834-1} - python3.7 3.7.3~rc1-1 (bug #924072) - python3.6 - python3.5 - python3.4 - python2.7 2.7.16-2 (bug #924073) [stretch] - python2.7 (Minor issue) NOTE: https://bugs.python.org/issue36216 NOTE: https://github.com/python/cpython/pull/12201 NOTE: https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html NOTE: https://github.com/python/cpython/commit/daad2c482c91de32d8305abbccc76a5de8b3a8be (3.7.x) NOTE: https://github.com/python/cpython/commit/e37ef41289b77e0f0bb9a6aedb0360664c55bdd5 (2.7.x) NOTE: Regression fix: https://bugs.python.org/issue36742 NOTE: When fixing this issue make sure to not open CVE-2019-10160. CVE-2019-9635 (NULL pointer dereference in Google TensorFlow before 1.12.2 could caus ...) - tensorflow (bug #804612) CVE-2019-1003039 (An insufficiently protected credentials vulnerability exists in Jenkin ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003038 (An insufficiently protected credentials vulnerability exists in Jenkin ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003037 (An information exposure vulnerability exists in Jenkins Azure VM Agent ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003036 (A data modification vulnerability exists in Jenkins Azure VM Agents Pl ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003035 (An information exposure vulnerability exists in Jenkins Azure VM Agent ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003034 (A sandbox bypass vulnerability exists in Jenkins Job DSL Plugin 1.71 a ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003033 (A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.1 and ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003032 (A sandbox bypass vulnerability exists in Jenkins Email Extension Plugi ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003031 (A sandbox bypass vulnerability exists in Jenkins Matrix Project Plugin ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003030 (A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plug ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003029 (A sandbox bypass vulnerability exists in Jenkins Script Security Plugi ...) NOT-FOR-US: Jenkins plugin CVE-2019-9634 (Go through 1.12 on Windows misuses certain LoadLibrary functionality, ...) - golang-1.12 (Only affects Go on Windows) - golang-1.11 (Only affects Go on Windows) - golang-1.10 (Only affects Go on Windows) CVE-2019-9637 (An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and ...) {DSA-4403-1 DLA-1741-1} - php7.3 7.3.3-1 - php7.0 - php5 NOTE: Fixed in 7.1.27, 7.2.16, 7.3.3 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77630 CVE-2019-9641 (An issue was discovered in the EXIF component in PHP before 7.1.27, 7. ...) {DSA-4403-1 DLA-1741-1} - php7.3 7.3.3-1 - php7.0 - php5 NOTE: Fixed in 7.1.27, 7.2.16, 7.3.3 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77509 CVE-2019-9640 (An issue was discovered in the EXIF component in PHP before 7.1.27, 7. ...) {DSA-4403-1 DLA-1741-1} - php7.3 7.3.3-1 - php7.0 - php5 NOTE: Fixed in 7.1.27, 7.2.16, 7.3.3 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77540 CVE-2019-9639 (An issue was discovered in the EXIF component in PHP before 7.1.27, 7. ...) {DSA-4403-1 DLA-1741-1} - php7.3 7.3.3-1 (unimportant) - php7.0 (unimportant) - php5 (unimportant) NOTE: Fixed in 7.1.27, 7.2.16, 7.3.3 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77659 CVE-2019-9638 (An issue was discovered in the EXIF component in PHP before 7.1.27, 7. ...) {DSA-4403-1 DLA-1741-1} - php7.3 7.3.3-1 - php7.0 - php5 NOTE: Fixed in 7.1.27, 7.2.16, 7.3.3 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77563 CVE-2019-9633 (gio/gsocketclient.c in GNOME GLib 2.59.2 does not ensure that a parent ...) - glib2.0 (Vulnerable code introduced in 2.59.1, cf #924344) NOTE: https://gitlab.gnome.org/GNOME/glib/issues/1649 NOTE: https://gitlab.gnome.org/GNOME/glib/commit/d553d92d6e9f53cbe5a34166fcb919ba652c6a8e (2.59.2) NOTE: Issue only in 2.59.1 and fixed in 2.59.2. CVE-2019-9632 (ESAFENET CDG V3 and V5 has an arbitrary file download vulnerability vi ...) NOT-FOR-US: ESAFENET CDG CVE-2019-9631 (Poppler 0.74.0 has a heap-based buffer over-read in the CairoRescaleBo ...) {DLA-1752-1} - poppler 0.71.0-4 (bug #926673) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/736 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/8122f6d6d409b53151a20c5578fc525ee97315e8 CVE-2019-9630 (Sonatype Nexus Repository Manager before 3.17.0 has a weak default of ...) NOT-FOR-US: Sonatype Nexus Repository Manager CVE-2019-9629 (Sonatype Nexus Repository Manager before 3.17.0 establishes a default ...) NOT-FOR-US: Sonatype Nexus Repository Manager CVE-2019-9628 (The XMLTooling library all versions prior to V3.0.4, provided with the ...) {DSA-4407-1 DLA-1710-1} - xmltooling 3.0.4-1 (bug #924346) NOTE: https://shibboleth.net/community/advisories/secadv_20190311.txt NOTE: https://issues.shibboleth.net/jira/browse/CPPXT-143 NOTE: https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commit;h=af27c422f551e16989ff6f1722d83614c8550eb5 CVE-2019-9627 (A buffer overflow in the kernel driver CybKernelTracker.sys in CyberAr ...) NOT-FOR-US: CyberArk Endpoint Privilege Manager CVE-2019-9626 (PHPSHE 1.7 allows module/index/cart.php pintuan_id SQL Injection to in ...) NOT-FOR-US: PHPSHE CVE-2019-9625 (JBMC DirectAdmin 1.55 allows CSRF via the /CMD_ACCOUNT_ADMIN URI to cr ...) NOT-FOR-US: JBMC DirectAdmin CVE-2019-XXXX [high memory usage with some long running sessions] - proftpd-dfsg 1.3.5d-1 (bug #923926) [stretch] - proftpd-dfsg (Minor issue) [jessie] - proftpd-dfsg 1.3.5e-0+deb8u1 NOTE: https://github.com/proftpd/proftpd/issues/330#issuecomment-276891713 NOTE: https://forum.armbian.com/topic/9692-nanopi-neo-2-memory-leak-in-proftpd-even-worse-if-ssl-encrypted/?do=findComment&comment=73069 CVE-2019-9624 (Webmin 1.900 allows remote attackers to execute arbitrary code by leve ...) - webmin CVE-2019-9623 (Feng Office 3.7.0.5 allows remote attackers to execute arbitrary code ...) NOT-FOR-US: Feng Office CVE-2019-9622 (eBrigade through 4.5 allows Arbitrary File Download via ../ directory ...) NOT-FOR-US: eBrigade CVE-2019-9621 (Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 pa ...) NOT-FOR-US: Zimbra CVE-2019-9620 RESERVED CVE-2019-9619 REJECTED CVE-2019-9618 (The GraceMedia Media Player plugin 1.0 for WordPress allows Local File ...) NOT-FOR-US: GraceMedia Media Player plugin for WordPress CVE-2019-9617 (An issue was discovered in OFCMS before 1.1.3. Remote attackers can ex ...) NOT-FOR-US: OFCMS CVE-2019-9616 (An issue was discovered in OFCMS before 1.1.3. Remote attackers can ex ...) NOT-FOR-US: OFCMS CVE-2019-9615 (An issue was discovered in OFCMS before 1.1.3. It allows admin/system/ ...) NOT-FOR-US: OFCMS CVE-2019-9614 (An issue was discovered in OFCMS before 1.1.3. A command execution vul ...) NOT-FOR-US: OFCMS CVE-2019-9613 (An issue was discovered in OFCMS before 1.1.3. Remote attackers can ex ...) NOT-FOR-US: OFCMS CVE-2019-9612 (An issue was discovered in OFCMS before 1.1.3. Remote attackers can ex ...) NOT-FOR-US: OFCMS CVE-2019-9611 (An issue was discovered in OFCMS before 1.1.3. It allows admin/cms/tem ...) NOT-FOR-US: OFCMS CVE-2019-9610 (An issue was discovered in OFCMS before 1.1.3. It has admin/cms/templa ...) NOT-FOR-US: OFCMS CVE-2019-9609 (An issue was discovered in OFCMS before 1.1.3. Remote attackers can ex ...) NOT-FOR-US: OFCMS CVE-2019-9608 (An issue was discovered in OFCMS before 1.1.3. Remote attackers can ex ...) NOT-FOR-US: OFCMS CVE-2019-9607 (PHP Scripts Mall Medical Store Script 3.0.3 allows Path Traversal by n ...) NOT-FOR-US: PHP Scripts Mall Medical Store Script CVE-2019-9606 (PHP Scripts Mall Personal Video Collection Script 4.0.4 has Stored XSS ...) NOT-FOR-US: PHP Scripts Mall Personal Video Collection Script CVE-2019-9605 (PHP Scripts Mall Online Lottery PHP Readymade Script 1.7.0 has Reflect ...) NOT-FOR-US: PHP Scripts Mall Online Lottery PHP Readymade Script CVE-2019-9604 (PHP Scripts Mall Online Lottery PHP Readymade Script 1.7.0 has Cross-S ...) NOT-FOR-US: PHP Scripts Mall Online Lottery PHP Readymade Script CVE-2019-9603 (MiniCMS 1.10 allows mc-admin/post.php?state=publish&delete= CSRF t ...) NOT-FOR-US: MiniCMS CVE-2019-9602 RESERVED CVE-2019-9601 (The ApowerManager application through 3.1.7 for Android allows remote ...) NOT-FOR-US: ApowerManager application for Android CVE-2019-9600 (The Olive Tree FTP Server (aka com.theolivetree.ftpserver) application ...) NOT-FOR-US: Olive Tree FTP Server application for Android CVE-2019-9599 (The AirDroid application through 4.2.1.6 for Android allows remote att ...) NOT-FOR-US: AirDroid application for Android CVE-2019-9598 (An issue was discovered in Cscms 4.1.0. There is an admin.php/pay CSRF ...) NOT-FOR-US: Cscms CVE-2019-9597 (Darktrace Enterprise Immune System before 3.1 allows CSRF via the /con ...) NOT-FOR-US: Darktrace Enterprise Immune System CVE-2019-9596 (Darktrace Enterprise Immune System before 3.1 allows CSRF via the /whi ...) NOT-FOR-US: Darktrace Enterprise Immune System CVE-2019-9595 (AppCMS 2.0.101 allows XSS via the upload/callback.php params parameter ...) NOT-FOR-US: AppCMS CVE-2019-9594 (BlueCMS 1.6 allows SQL Injection via the user_id parameter in an uploa ...) NOT-FOR-US: BlueCMS CVE-2019-9593 (A reflected Cross-site scripting (XSS) vulnerability in ShoreTel Conne ...) NOT-FOR-US: ShoreTel Connect CVE-2019-9592 (A reflected Cross-site scripting (XSS) vulnerability in ShoreTel Conne ...) NOT-FOR-US: ShoreTel Connect CVE-2019-9591 (A reflected Cross-site scripting (XSS) vulnerability in ShoreTel Conne ...) NOT-FOR-US: ShoreTel Connect CVE-2019-9590 (An issue was discovered on TENGCONTROL T-920 PLC v5.5 devices. It allo ...) NOT-FOR-US: TENGCONTROL devices CVE-2019-9589 (There is a NULL pointer dereference vulnerability in PSOutputDev::setu ...) - xpdf (xpdf in Debian uses poppler, which doesn't contain the vulnerable code) CVE-2019-9588 (There is an Invalid memory access in gAtomicIncrement() located at GMu ...) - xpdf (xpdf in Debian uses poppler, which doesn't contain the vulnerable code) CVE-2019-9587 (There is a stack consumption issue in md5Round1() located in Decrypt.c ...) - xpdf (xpdf in Debian uses poppler, which is not affected or fixed) CVE-2019-9586 RESERVED CVE-2019-9585 (eQ-3 Homematic CCU2 prior to 2.47.10 and CCU3 prior to 3.47.10 JSON AP ...) NOT-FOR-US: eQ-3 Homematic CVE-2019-9584 (eQ-3 Homematic AddOn 'CloudMatic' on CCU2 and CCU3 allows uncontrolled ...) NOT-FOR-US: eQ-3 Homematic CVE-2019-9583 (eQ-3 Homematic CCU2 and CCU3 obtain session IDs without login. This al ...) NOT-FOR-US: eQ-3 Homematic CVE-2019-9582 (eQ-3 Homematic CCU2 outdated base software packages allows Denial of S ...) NOT-FOR-US: eQ-3 Homematic CVE-2019-9581 (phpscheduleit Booked Scheduler 2.7.5 allows arbitrary file upload via ...) NOT-FOR-US: phpscheduleit Booked Scheduler CVE-2019-9580 (In st2web in StackStorm Web UI before 2.9.3 and 2.10.x before 2.10.3, ...) NOT-FOR-US: StackStorm CVE-2019-9579 RESERVED CVE-2019-9578 (In devs.c in Yubico libu2f-host before 1.1.8, the response to init is ...) - libu2f-host 1.1.9-1 (low; bug #923874) [stretch] - libu2f-host 1.1.2-2+deb9u2 NOTE: https://github.com/Yubico/libu2f-host/commit/e4bb58cc8b6202a421e65f8230217d8ae6e16eb5 CVE-2019-9577 RESERVED CVE-2019-17350 (An issue was discovered in Xen through 4.12.x allowing Arm domU attack ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-295.html CVE-2019-17349 (An issue was discovered in Xen through 4.12.x allowing Arm domU attack ...) {DSA-4602-1} - xen 4.11.3+24-g14b62ab3e5-1 [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-295.html CVE-2019-17348 (An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS ...) - xen 4.11.1+92-g6c33308a8d-1 (bug #929992) [stretch] - xen 4.8.5.final+shim4.10.4-1+deb9u12 [jessie] - xen (PCID support not backported) NOTE: https://xenbits.xen.org/xsa/advisory-294.html CVE-2019-17347 (An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS ...) - xen 4.11.1+92-g6c33308a8d-1 (bug #929999) [stretch] - xen 4.8.5.final+shim4.10.4-1+deb9u12 [jessie] - xen (Not supported in jessie LTS) NOTE: https://xenbits.xen.org/xsa/advisory-293.html CVE-2019-17346 (An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS ...) - xen 4.11.1+92-g6c33308a8d-1 (bug #929993) [stretch] - xen 4.8.5.final+shim4.10.4-1+deb9u12 [jessie] - xen (PCID support not backported) NOTE: https://xenbits.xen.org/xsa/advisory-292.html CVE-2019-17345 (An issue was discovered in Xen 4.8.x through 4.11.x allowing x86 PV gu ...) - xen 4.11.1+92-g6c33308a8d-1 (bug #929995) [stretch] - xen 4.8.5.final+shim4.10.4-1+deb9u12 [jessie] - xen (only 4.8 and later affected) NOTE: https://xenbits.xen.org/xsa/advisory-291.html CVE-2019-17344 (An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS ...) - xen 4.11.1+92-g6c33308a8d-1 (bug #929996) [stretch] - xen 4.8.5.final+shim4.10.4-1+deb9u12 [jessie] - xen (Introduced by ignored fix for CVE-2018-3646) NOTE: https://xenbits.xen.org/xsa/advisory-290.html CVE-2019-17343 (An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS ...) {DLA-1949-1} - xen 4.11.1+92-g6c33308a8d-1 (bug #929994) [stretch] - xen 4.8.5.final+shim4.10.4-1+deb9u12 NOTE: https://xenbits.xen.org/xsa/advisory-288.html CVE-2019-17342 (An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS ...) {DLA-1949-1} - xen 4.11.1+92-g6c33308a8d-1 (bug #930001) [stretch] - xen 4.8.5.final+shim4.10.4-1+deb9u12 NOTE: https://xenbits.xen.org/xsa/advisory-287.html CVE-2019-17341 (An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS ...) {DLA-1949-1} - xen 4.11.1+92-g6c33308a8d-1 (bug #929998) [stretch] - xen 4.8.5.final+shim4.10.4-1+deb9u12 NOTE: https://xenbits.xen.org/xsa/advisory-285.html CVE-2019-17340 (An issue was discovered in Xen through 4.11.x allowing x86 guest OS us ...) - xen 4.11.1+92-g6c33308a8d-1 (bug #929991) [stretch] - xen 4.8.5.final+shim4.10.4-1+deb9u12 [jessie] - xen (memory leak on huge memory machines) NOTE: https://xenbits.xen.org/xsa/advisory-284.html CVE-2019-9576 (The Blog2Social plugin before 5.0.3 for WordPress allows wp-admin/admi ...) NOT-FOR-US: WordPress plugin blog2social CVE-2019-9575 (The Quiz And Survey Master plugin 6.0.4 for WordPress allows wp-admin/ ...) NOT-FOR-US: WordPress plugin quiz-master-next CVE-2019-9574 (The WP Human Resource Management plugin before 2.2.6 for WordPress doe ...) NOT-FOR-US: WordPress plugin hrm CVE-2019-9573 (The WP Human Resource Management plugin before 2.2.6 for WordPress mis ...) NOT-FOR-US: WordPress plugin hrm CVE-2019-9572 (SchoolCMS version 2.3.1 allows file upload via the theme upload featur ...) NOT-FOR-US: SchoolCMS CVE-2019-9571 RESERVED CVE-2019-9570 (An issue was discovered in YzmCMS 5.2.0. It has XSS via the bottom tex ...) NOT-FOR-US: YzmCMS CVE-2019-9569 (Buffer Overflow in dactetra in Delta Controls enteliBUS Manager V3.40_ ...) NOT-FOR-US: Delta Controls enteliBUS Manager CVE-2019-9568 (The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1 ...) NOT-FOR-US: WordPress plugin forminator CVE-2019-9567 (The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1 ...) NOT-FOR-US: WordPress plugin forminator CVE-2019-9566 (FlarumChina v0.1.0-beta.7C has SQL injection via a /?q= request. ...) NOT-FOR-US: FlarumChina CVE-2019-9565 (Druide Antidote RX, HD, 8 before 8.05.2287, 9 before 9.5.3937 and 10 b ...) NOT-FOR-US: Druide Antidote CVE-2019-9564 RESERVED CVE-2019-9563 (In BlueMind 3.5.x before 3.5.11 Hotfix 7 and 4.x before 4.0-beta3, the ...) NOT-FOR-US: BlueMind CVE-2019-9562 RESERVED CVE-2019-9561 RESERVED CVE-2019-9560 RESERVED CVE-2019-9559 RESERVED CVE-2019-9558 (Mailtraq WebMail version 2.17.7.3550 has Persistent Cross Site Scripti ...) NOT-FOR-US: Mailtraq WebMail CVE-2019-9557 (Ability Mail Server 4.2.6 has Persistent Cross Site Scripting (XSS) vi ...) NOT-FOR-US: Ability Mail Server CVE-2019-9556 (FiberHome an5506-04-f RP2669 devices have XSS. ...) NOT-FOR-US: FiberHome an5506-04-f RP2669 devices CVE-2019-9555 (Sagemcom F@st 5260 routers using firmware version 0.4.39, in WPA mode, ...) NOT-FOR-US: Sagemcom routers CVE-2019-9554 (In the 3.1.12 Pro version of Craft CMS, XSS has been discovered in the ...) NOT-FOR-US: Craft CMS CVE-2019-9553 (Bolt 3.6.4 has XSS via the slug, teaser, or title parameter to editcon ...) NOT-FOR-US: Bolt CMS CVE-2019-9552 (Eloan V3.0 through 2018-09-20 allows remote attackers to list files vi ...) NOT-FOR-US: Eloan CVE-2019-9551 (An issue was discovered in DOYO (aka doyocms) 2.3 through 2015-05-06. ...) NOT-FOR-US: doyocms CVE-2019-9550 (DhCms through 2017-09-18 has admin.php?r=admin/Index/index XSS. ...) NOT-FOR-US: DhCms CVE-2019-9549 (An issue was discovered in PopojiCMS v2.0.1. It has CSRF via the po-ad ...) NOT-FOR-US: PopojiCMS CVE-2019-12439 (bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary directories ...) - bubblewrap 0.3.1-3 (unimportant; bug #923557) NOTE: https://github.com/projectatomic/bubblewrap/issues/304 NOTE: Negligable security impact CVE-2019-1002100 (In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, use ...) - kubernetes 1.17.4-1 (bug #923686) NOTE: https://github.com/kubernetes/kubernetes/issues/74534 NOTE: https://github.com/kubernetes/kubernetes/pull/74000 CVE-2019-9548 (Citrix Application Delivery Management (ADM) 12.1.x before 12.1.50.33 ...) NOT-FOR-US: Citrix Application Delivery Management CVE-2019-9547 (In Storage Performance Development Kit (SPDK) before 19.01, a maliciou ...) NOT-FOR-US: Storage Performance Development Kit (SPDK) CVE-2019-9546 (SolarWinds Orion Platform before 2018.4 Hotfix 2 allows privilege esca ...) NOT-FOR-US: SolarWinds Orion Platform CVE-2019-9545 (An issue was discovered in Poppler 0.74.0. A recursive function call, ...) - poppler (low; bug #923552) [buster] - poppler (Minor issue) [stretch] - poppler (Minor issue) [jessie] - poppler (Minor issue) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/731 CVE-2019-9544 (An issue was discovered in Bento4 1.5.1-628. An out of bounds write oc ...) NOT-FOR-US: Bento4 CVE-2019-9543 (An issue was discovered in Poppler 0.74.0. A recursive function call, ...) - poppler (low; bug #923553) [buster] - poppler (Minor issue) [stretch] - poppler (Minor issue) [jessie] - poppler (Minor issue; revisit when fixed upstream) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/730 CVE-2019-9542 (: Improper Neutralization of Input During Web Page Generation ('Cross- ...) NOT-FOR-US: Telos Automated Message Handling System CVE-2019-9541 (: Information Exposure vulnerability in itemlookup.asp of Telos Automa ...) NOT-FOR-US: Telos Automated Message Handling System CVE-2019-9540 (: Improper Neutralization of Input During Web Page Generation ('Cross- ...) NOT-FOR-US: Telos Automated Message Handling System CVE-2019-9539 (: Improper Neutralization of Input During Web Page Generation ('Cross- ...) NOT-FOR-US: Telos Automated Message Handling System CVE-2019-9538 (: Improper Neutralization of Input During Web Page Generation ('Cross- ...) NOT-FOR-US: Telos Automated Message Handling System CVE-2019-9537 (: Improper Neutralization of Input During Web Page Generation ('Cross- ...) NOT-FOR-US: Telos Automated Message Handling System CVE-2019-9536 (Apple iPhone 3GS bootrom malloc implementation returns a non-NULL poin ...) NOT-FOR-US: Apple iPhone 3GS CVE-2019-9535 (A vulnerability exists in the way that iTerm2 integrates with tmux's c ...) NOT-FOR-US: iTerm2 CVE-2019-9534 (The Cobham EXPLORER 710, firmware version 1.07, does not validate its ...) NOT-FOR-US: Cobham EXPLORER CVE-2019-9533 (The root password of the Cobham EXPLORER 710 is the same for all versi ...) NOT-FOR-US: Cobham EXPLORER CVE-2019-9532 (The web application portal of the Cobham EXPLORER 710, firmware versio ...) NOT-FOR-US: Cobham EXPLORER CVE-2019-9531 (The web application portal of the Cobham EXPLORER 710, firmware versio ...) NOT-FOR-US: Cobham EXPLORER CVE-2019-9530 (The web root directory of the Cobham EXPLORER 710, firmware version 1. ...) NOT-FOR-US: Cobham EXPLORER CVE-2019-9529 (The web application portal of the Cobham EXPLORER 710, firmware versio ...) NOT-FOR-US: Cobham EXPLORER CVE-2019-9528 RESERVED CVE-2019-9527 RESERVED CVE-2019-9526 RESERVED CVE-2019-9525 RESERVED CVE-2019-9524 RESERVED CVE-2019-9523 RESERVED CVE-2019-9522 RESERVED CVE-2019-9521 RESERVED CVE-2019-9520 RESERVED CVE-2019-9519 RESERVED CVE-2019-9518 (Some HTTP/2 implementations are vulnerable to a flood of empty frames, ...) {DSA-4520-1} - trafficserver 8.0.5+ds-1 (bug #935314) NOTE: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md NOTE: https://github.com/apache/trafficserver/pull/5850 NOTE: https://github.com/apache/trafficserver/blob/8.0.x/CHANGELOG-8.0.5 CVE-2019-9517 (Some HTTP/2 implementations are vulnerable to unconstrained interal da ...) {DSA-4509-1} - apache2 2.4.41-1 [jessie] - apache2 (HTTP/2 support only available since version 2.4.17 and later) NOTE: Affects upstream versions 2.4.20 to 2.4.39 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-9517 NOTE: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md CVE-2019-9516 (Some HTTP/2 implementations are vulnerable to a header leak, potential ...) {DSA-4505-1} - nginx 1.14.2-3 (bug #935037) [jessie] - nginx (HTTP2 support only exists since version 1.9.5) NOTE: https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/ NOTE: https://github.com/nginx/nginx/commit/6dfbc8b1c2116f362bb871efebbf9df576738e89 (master) NOTE: https://github.com/nginx/nginx/commit/dbdd9ffea81d9db46fb88b5eba828f2ad080d388 (release-1.16.1) NOTE: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md CVE-2019-9515 (Some HTTP/2 implementations are vulnerable to a settings flood, potent ...) {DSA-4520-1 DSA-4508-1} - trafficserver 8.0.5+ds-1 (bug #934887) - h2o 2.2.5+dfsg2-3 (bug #934886) NOTE: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md NOTE: https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/ NOTE: https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.4 NOTE: https://github.com/h2o/h2o/issues/2090 NOTE: https://github.com/h2o/h2o/commit/743d6b6118c29b75d0b84ef7950a2721c32dfe3f CVE-2019-9514 (Some HTTP/2 implementations are vulnerable to a reset flood, potential ...) {DSA-4669-1 DSA-4520-1 DSA-4508-1 DSA-4503-1} - golang-1.13 1.13~beta1-3 (bug #934955) - golang-1.12 1.12.8-1 - golang-1.11 1.11.13-1 - golang-1.8 [stretch] - golang-1.8 (Minor issue) - golang-1.7 [stretch] - golang-1.7 (Minor issue) - golang [jessie] - golang (No HTTP2 support yet) - golang-golang-x-net-dev 1:0.0+git20190811.74dc4d7+dfsg-1 - nodejs 10.16.3~dfsg-1 (bug #934885) [stretch] - nodejs (No HTTP2 support yet) [jessie] - nodejs (No HTTP2 support yet) - trafficserver 8.0.5+ds-1 (bug #934887) - h2o 2.2.5+dfsg2-3 (bug #934886) NOTE: Issue: https://github.com/golang/go/issues/33606 NOTE: https://github.com/golang/go/commit/e152b01a468a1c18a290bf9aec52ccea7693c7f2 (golang-1.11) NOTE: https://github.com/golang/go/commit/7139b45d1410ded14e1e131151fd8dfc435ede6c (golang-1.12) NOTE: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md NOTE: https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/ NOTE: https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.4 NOTE: https://github.com/h2o/h2o/issues/2090 NOTE: https://github.com/h2o/h2o/commit/743d6b6118c29b75d0b84ef7950a2721c32dfe3f CVE-2019-9513 (Some HTTP/2 implementations are vulnerable to resource loops, potentia ...) {DSA-4669-1 DSA-4511-1 DSA-4505-1} - nginx 1.14.2-3 (bug #935037) [jessie] - nginx (HTTP2 support only exists since version 1.9.5) - nodejs 10.16.3~dfsg-1 (bug #934885) [stretch] - nodejs (No HTTP2 support yet) [jessie] - nodejs (No HTTP2 support yet) - nghttp2 1.39.2-1 [jessie] - nghttp2 (Vulnerable code not present) NOTE: https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/ NOTE: https://github.com/nginx/nginx/commit/5ae726912654da10a9a81b2c8436829f3e94f69f (master) NOTE: https://github.com/nginx/nginx/commit/39bb3b9d4a33bd03c8ae0134dedc8a7700ae7b2b (release-1.16.1) NOTE: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md NOTE: https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/ NOTE: https://github.com/nghttp2/nghttp2/releases/tag/v1.39.2 CVE-2019-9512 (Some HTTP/2 implementations are vulnerable to ping floods, potentially ...) {DSA-4520-1 DSA-4508-1 DSA-4503-1} - golang-1.13 1.13~beta1-3 (bug #934955) - golang-1.12 1.12.8-1 - golang-1.11 1.11.13-1 - golang-1.8 [stretch] - golang-1.8 (Minor issue) - golang-1.7 [stretch] - golang-1.7 (Minor issue) - golang [jessie] - golang (No HTTP2 support yet) - golang-golang-x-net-dev 1:0.0+git20190811.74dc4d7+dfsg-1 - trafficserver 8.0.5+ds-1 (bug #934887) - h2o 2.2.5+dfsg2-3 (bug #934886) NOTE: Issue: https://github.com/golang/go/issues/33606 NOTE: https://github.com/golang/go/commit/e152b01a468a1c18a290bf9aec52ccea7693c7f2 (golang-1.11) NOTE: https://github.com/golang/go/commit/7139b45d1410ded14e1e131151fd8dfc435ede6c (golang-1.12) NOTE: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md NOTE: https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/ NOTE: https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.4 NOTE: https://github.com/h2o/h2o/issues/2090 NOTE: https://github.com/h2o/h2o/commit/743d6b6118c29b75d0b84ef7950a2721c32dfe3f CVE-2019-9511 (Some HTTP/2 implementations are vulnerable to window size manipulation ...) {DSA-4669-1 DSA-4511-1 DSA-4505-1} - nginx 1.14.2-3 (bug #935037) [jessie] - nginx (HTTP2 support only exists since version 1.9.5) - nodejs 10.16.3~dfsg-1 (bug #934885) [stretch] - nodejs (No HTTP2 support yet) [jessie] - nodejs (No HTTP2 support yet) - nghttp2 1.39.2-1 [jessie] - nghttp2 (Vulnerable code not present) NOTE: https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/ NOTE: https://github.com/nginx/nginx/commit/a987f81dd19210bc30b62591db331e31d3d74089 (master) NOTE: https://github.com/nginx/nginx/commit/94c5eb142e58a86f81eb1369fa6fcb96c2f23d6b (release-1.16.1) NOTE: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md NOTE: https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/ NOTE: https://github.com/nghttp2/nghttp2/releases/tag/v1.39.2 CVE-2019-9510 (A vulnerability in Microsoft Windows 10 1803 and Windows Server 2019 a ...) NOT-FOR-US: Microsoft CVE-2019-9509 (The web interface of the Vertiv Avocent UMG-4000 version 4.2.1.19 is v ...) NOT-FOR-US: Vertiv Avocent UMG-4000 CVE-2019-9508 (The web interface of the Vertiv Avocent UMG-4000 version 4.2.1.19 is v ...) NOT-FOR-US: Vertiv Avocent UMG-4000 CVE-2019-9507 (The web interface of the Vertiv Avocent UMG-4000 version 4.2.1.19 is v ...) NOT-FOR-US: Vertiv Avocent UMG-4000 CVE-2019-9506 (The Bluetooth BR/EDR specification up to and including version 5.1 per ...) {DLA-1930-1 DLA-1919-1} - linux 5.2.6-1 [buster] - linux 4.19.67-1 [stretch] - linux 4.9.185-1 NOTE: Hardware issue, but mitigation in Linux kernel can be applied: NOTE: https://git.kernel.org/linus/d5bb334a8e171b262e48f378bd2096c0ea458265 (5.2-rc1) NOTE: https://git.kernel.org/linus/693cd8ce3f882524a5d06f7800dd8492411877b3 (5.2-rc6) NOTE: https://git.kernel.org/linus/eca94432934fe5f141d084f2e36ee2c0e614cc04 (5.2) CVE-2019-9505 (The PrinterLogic Print Management software, versions up to and includi ...) NOT-FOR-US: PrinterLogic Print Management CVE-2019-9504 RESERVED CVE-2019-9503 (The Broadcom brcmfmac WiFi driver prior to commit a4176ec356c73a46c07c ...) {DSA-4465-1 DLA-1824-1 DLA-1799-1} - linux 4.19.37-4 NOTE: https://git.kernel.org/linus/a4176ec356c73a46c07c181c6d04039fafa34a9f (5.1-rc1) CVE-2019-9502 (The Broadcom wl WiFi driver is vulnerable to a heap buffer overflow. I ...) NOT-FOR-US: Broadcom CVE-2019-9501 (The Broadcom wl WiFi driver is vulnerable to a heap buffer overflow. B ...) NOT-FOR-US: Broadcom CVE-2019-9500 (The Broadcom brcmfmac WiFi driver prior to commit 1b5e2423164b3670e8bc ...) {DSA-4465-1 DLA-1824-1} - linux 4.19.37-4 [jessie] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/1b5e2423164b3670e8bc9174e4762d297990deff (5.1-rc1) CVE-2019-9499 (The implementations of EAP-PWD in wpa_supplicant EAP Peer, when built ...) {DSA-4430-1 DLA-1867-1} - wpa 2:2.7+git20190128+0c1e29f-4 (bug #926801) NOTE: https://w1.fi/security/2019-4/eap-pwd-missing-commit-validation.txt NOTE: Patches: https://w1.fi/security/2019-4/ CVE-2019-9498 (The implementations of EAP-PWD in hostapd EAP Server, when built again ...) {DSA-4430-1 DLA-1867-1} - wpa 2:2.7+git20190128+0c1e29f-4 (bug #926801) NOTE: https://w1.fi/security/2019-4/eap-pwd-missing-commit-validation.txt NOTE: Patches: https://w1.fi/security/2019-4/ CVE-2019-9497 (The implementations of EAP-PWD in hostapd EAP Server and wpa_supplican ...) {DSA-4430-1 DLA-1867-1} - wpa 2:2.7+git20190128+0c1e29f-4 (bug #926801) NOTE: https://w1.fi/security/2019-4/eap-pwd-missing-commit-validation.txt NOTE: Patches: https://w1.fi/security/2019-4/ CVE-2019-9496 (An invalid authentication sequence could result in the hostapd process ...) - wpa 2:2.7+git20190128+0c1e29f-4 (bug #926801) [stretch] - wpa (SAE code not enabled for build in stretch) [jessie] - wpa (SAE code not enabled for build in jessie) NOTE: https://w1.fi/security/2019-3/sae-confirm-missing-state-validation.txt NOTE: Patches: https://w1.fi/security/2019-3/ NOTE: CONFIG_SAE=y enabled since 2:2.7~git20180706+420b5dd-1 CVE-2019-9495 (The implementations of EAP-PWD in hostapd and wpa_supplicant are vulne ...) {DSA-4430-1 DLA-1867-1} - wpa 2:2.7+git20190128+0c1e29f-4 (bug #926801) NOTE: https://w1.fi/security/2019-2/eap-pwd-side-channel-attack.txt NOTE: Patches: https://w1.fi/security/2019-2/ CVE-2019-9494 (The implementations of SAE in hostapd and wpa_supplicant are vulnerabl ...) - wpa 2:2.7+git20190128+0c1e29f-4 (bug #926801) [stretch] - wpa (SAE code not enabled for build in stretch) [jessie] - wpa (SAE code not enabled for build in jessie) NOTE: https://w1.fi/security/2019-1/sae-side-channel-attacks.txt NOTE: Patches: https://w1.fi/security/2019-1/ NOTE: CONFIG_SAE=y enabled since 2:2.7~git20180706+420b5dd-1 CVE-2019-9493 (The MyCar Controls of AutoMobility Distribution Inc., mobile applicati ...) NOT-FOR-US: MyCar Controls CVE-2019-9492 (A DLL side-loading vulnerability in Trend Micro OfficeScan 11.0 SP1 an ...) NOT-FOR-US: Trend Micro CVE-2019-9491 (Trend Micro Anti-Threat Toolkit (ATTK) versions 1.62.0.1218 and below ...) NOT-FOR-US: Trend Micro CVE-2019-9490 (A vulnerability in Trend Micro InterScan Web Security Virtual Applianc ...) NOT-FOR-US: Trend Micro InterScan Web Security Virtual Appliance CVE-2019-9489 (A directory traversal vulnerability in Trend Micro Apex One, OfficeSca ...) NOT-FOR-US: Trend Micro CVE-2019-9488 (Trend Micro Deep Security Manager (10.x, 11.x) and Vulnerability Prote ...) NOT-FOR-US: Trend Micro CVE-2018-20799 (In pfSense 2.4.4_1, blocking of source IP addresses on the basis of fa ...) NOT-FOR-US: pfSense CVE-2018-20798 (The expiretable configuration in pfSense 2.4.4_1 establishes block dur ...) NOT-FOR-US: pfSense CVE-2019-9487 RESERVED CVE-2019-9486 (STRATO HiDrive Desktop Client 5.0.1.0 for Windows suffers from a SYSTE ...) NOT-FOR-US: STRATO HiDrive Desktop Client CVE-2019-9485 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) [experimental] - gitlab 11.8.2-1 - gitlab 11.8.2-2 (bug #924447) NOTE: https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released/ CVE-2019-9484 (The Glen Dimplex Deutschland GmbH implementation of the Carel pCOWeb c ...) NOT-FOR-US: Glen Dimplex Deutschland GmbH implementation of the Carel pCOWeb configuration tool CVE-2019-9483 (Amazon Ring Doorbell before 3.4.7 mishandles encryption, which allows ...) NOT-FOR-US: Amazon Ring Doorbell CVE-2019-9482 (In MISP 2.4.102, an authenticated user can view sightings that they sh ...) NOT-FOR-US: MISP CVE-2019-9481 RESERVED CVE-2019-9480 RESERVED CVE-2019-9479 RESERVED CVE-2019-9478 RESERVED CVE-2019-9477 RESERVED CVE-2019-9476 RESERVED CVE-2019-9475 RESERVED CVE-2019-9474 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9473 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9472 (In DCRYPTO_equals of compare.c, there is a possible timing attack due ...) NOT-FOR-US: Android CVE-2019-9471 (In set_outbound_iatu of abc-pcie.c, there is a possible out of bounds ...) NOT-FOR-US: Android CVE-2019-9470 (In dma_sblk_start of abc-pcie.c, there is a possible out of bounds wri ...) NOT-FOR-US: Android CVE-2019-9469 (In km_compute_shared_hmac of km4.c, there is a possible out of bounds ...) NOT-FOR-US: Android CVE-2019-9468 (In export_key_der of export_key.cpp, there is possible memory corrupti ...) NOT-FOR-US: Android CVE-2019-9467 (In the Bootloader, there is a possible kernel command injection due to ...) NOT-FOR-US: LG components for Android CVE-2019-9466 REJECTED CVE-2019-9465 (In the Titan M handling of cryptographic operations, there is a possib ...) NOT-FOR-US: Android CVE-2019-9464 (In various functions of RecentLocationApps.java, DevicePolicyManagerSe ...) NOT-FOR-US: Android CVE-2019-9463 (In Platform, there is a possible bypass of user interaction requiremen ...) NOT-FOR-US: Android CVE-2019-9462 (In Bluetooth, there is a possible out of bounds read due to an incorre ...) NOT-FOR-US: Android CVE-2019-9461 (In the Android kernel in VPN routing there is a possible information d ...) NOT-FOR-US: Android CVE-2019-9460 REJECTED CVE-2019-9459 (In libttspico, there is a possible OOB write due to a heap buffer over ...) NOT-FOR-US: Android CVE-2019-9458 (In the Android kernel in the video driver there is a use after free du ...) - linux 4.18.20-1 [stretch] - linux 4.9.135-1 [jessie] - linux 3.16.64-1 NOTE: https://git.kernel.org/linus/ad608fbcf166fec809e402d548761768f602702c CVE-2019-9457 REJECTED CVE-2019-9456 (In the Android kernel in Pixel C USB monitor driver there is a possibl ...) - linux 4.15.11-1 [stretch] - linux 4.9.88-1 [jessie] - linux 3.16.57-1 NOTE: https://git.kernel.org/linus/a5f596830e27e15f7a0ecd6be55e433d776986d8 CVE-2019-9455 (In the Android kernel in the video driver there is a kernel pointer le ...) - linux 4.19.37-1 [stretch] - linux 4.9.168-1 [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/5e99456c20f712dcc13d9f6ca4278937d5367355 CVE-2019-9454 (In the Android kernel in i2c driver there is a possible out of bounds ...) - linux 4.14.17-1 [stretch] - linux 4.9.168-1 [jessie] - linux 3.16.56-1 NOTE: https://git.kernel.org/linus/89c6efa61f5709327ecfa24bff18e57a4e80c7fa NOTE: Commit wise a duplicate of CVE-2017-18551 CVE-2019-9453 (In the Android kernel in F2FS touch driver there is a possible out of ...) - linux 5.2.6-1 [buster] - linux 4.19.67-1 [jessie] - linux (f2fs is not supportable) NOTE: https://git.kernel.org/linus/2777e654371dd4207a3a7f4fb5fa39550053a080 CVE-2019-9452 (In the Android kernel in SEC_TS touch driver there is a possible out o ...) NOT-FOR-US: Android kernel (sec_ts not in mainline) CVE-2019-9451 (In the Android kernel in the touchscreen driver there is a possible ou ...) NOT-FOR-US: Android kernel (sec_ts not in mainline) CVE-2019-9450 (In the Android kernel in the FingerTipS touchscreen driver there is a ...) NOT-FOR-US: Android kernel (stm not in mainline) CVE-2019-9449 (In the Android kernel in FingerTipS touchscreen driver there is a poss ...) NOT-FOR-US: Android kernel (stm not in mainline) CVE-2019-9448 (In the Android kernel in the FingerTipS touchscreen driver there is a ...) NOT-FOR-US: Android kernel (stm not in mainline) CVE-2019-9447 (In the Android kernel in the FingerTipS touchscreen driver there is a ...) NOT-FOR-US: Android kernel CVE-2019-9446 (In the Android kernel in the FingerTipS touchscreen driver there is a ...) NOT-FOR-US: Android kernel CVE-2019-9445 (In the Android kernel in F2FS driver there is a possible out of bounds ...) - linux 5.2.6-1 [buster] - linux 4.19.98-1 [jessie] - linux (f2fs is not supportable) NOTE: https://git.kernel.org/linus/720db068634c91553a8e1d9a0fcd8c7050e06d2b CVE-2019-9444 (In the Android kernel in sync debug fs driver there is a kernel pointe ...) - linux 4.15.4-1 [stretch] - linux (Minor issue) [jessie] - linux (Minor issue) NOTE: https://lore.kernel.org/patchwork/patch/902287/ CVE-2019-9443 (In the Android kernel in the vl53L0 driver there is a possible out of ...) NOT-FOR-US: Android kernel CVE-2019-9442 (In the Android kernel in the mnh driver there is possible memory corru ...) NOT-FOR-US: Android kernel CVE-2019-9441 (In the Android kernel in the mnh driver there is a possible out of bou ...) NOT-FOR-US: Android kernel CVE-2019-9440 (In AOSP Email, there is a possible information disclosure due to a con ...) NOT-FOR-US: Android CVE-2019-9439 RESERVED CVE-2019-9438 (In the Package Manager service, there is a possible information disclo ...) NOT-FOR-US: Android CVE-2019-9437 RESERVED CVE-2019-9436 (In the Android kernel in the bootloader there is a possible secure boo ...) NOT-FOR-US: LG components for Android CVE-2019-9435 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9434 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9433 (In libvpx, there is a possible information disclosure due to improper ...) {DSA-4578-1 DLA-2012-1} - libvpx 1.8.1-2 NOTE: https://github.com/webmproject/libvpx/commit/52add5896661d186dec284ed646a4b33b607d2c7 CVE-2019-9432 (In Bluetooth, there is a possible out of bounds read due to improper i ...) NOT-FOR-US: Android CVE-2019-9431 (In Bluetooth, there is a possible out of bounds read due to a use afte ...) NOT-FOR-US: Android CVE-2019-9430 (In Bluetooth, there is a possible null pointer dereference due to a mi ...) NOT-FOR-US: Android CVE-2019-9429 (In profman, there is a possible out of bounds write due to memory corr ...) NOT-FOR-US: Android CVE-2019-9428 (In the Framework, it is possible to set up BROWSEABLE intents to take ...) NOT-FOR-US: Android CVE-2019-9427 (In Bluetooth, there is a possible information disclosure due to a use ...) NOT-FOR-US: Android CVE-2019-9426 (In the Android kernel in Bluetooth there is a possible out of bounds w ...) NOT-FOR-US: Broadcom components for Android CVE-2019-9425 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9424 (In the Screen Lock, there is a possible information disclosure due to ...) NOT-FOR-US: Android CVE-2019-9423 (In opencv calls that use libpng, there is a possible out of bounds wri ...) - opencv NOTE: Currently no further information available CVE-2019-9422 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9421 (In libandroidfw, there is a possible OOB read due to an integer overfl ...) NOT-FOR-US: Android CVE-2019-9420 (In libhevc, there is a possible out of bounds read due to an integer o ...) NOT-FOR-US: Android CVE-2019-9419 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9418 (In libstagefright, there is a possible resource exhaustion due to a mi ...) NOT-FOR-US: Android CVE-2019-9417 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9416 (In libstagefright there is a possible information disclosure due to un ...) NOT-FOR-US: Android CVE-2019-9415 (In libstagefright there is a possible information disclosure due to un ...) NOT-FOR-US: Android CVE-2019-9414 (In wpa_supplicant, there is a possible man in the middle vulnerability ...) NOT-FOR-US: Android CVE-2019-9413 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9412 (In libSBRdec there is a possible out of bounds read due to incorrect b ...) NOT-FOR-US: Android CVE-2019-9411 (In libavc there is a possible information disclosure due to uninitiali ...) NOT-FOR-US: Android CVE-2019-9410 (In libavc there is a possible information disclosure due to uninitiali ...) NOT-FOR-US: Android CVE-2019-9409 (In libhevc there is a possible information disclosure due to uninitial ...) NOT-FOR-US: Android CVE-2019-9408 (In libavc there is a possible information disclosure due to uninitiali ...) NOT-FOR-US: Android CVE-2019-9407 (In notification management of the service manager, there is a possible ...) NOT-FOR-US: Android CVE-2019-9406 (In libhevc there is a possible information disclosure due to uninitial ...) NOT-FOR-US: Android CVE-2019-9405 (In libAACdec, there is a possible out of bounds write due to an intege ...) NOT-FOR-US: Android CVE-2019-9404 (In Bluetooth, there is possible controlled termination due to a missin ...) NOT-FOR-US: Android CVE-2019-9403 (In cn-cbor, there is a possible out of bounds read due to improper cas ...) NOT-FOR-US: Android CVE-2019-9402 (In Bluetooth, there is possible controlled termination due to a missin ...) NOT-FOR-US: Android CVE-2019-9401 (In Bluetooth, there is possible controlled termination due to a missin ...) NOT-FOR-US: Android CVE-2019-9400 (In Bluetooth, there is a possible null pointer dereference due to a mi ...) NOT-FOR-US: Android CVE-2019-9399 (The Print Service is susceptible to man in the middle attacks due to i ...) NOT-FOR-US: Android CVE-2019-9398 (In Bluetooth, there is possible controlled termination due to a missin ...) NOT-FOR-US: Android CVE-2019-9397 (In Bluetooth, there is possible controlled termination due to a missin ...) NOT-FOR-US: Android CVE-2019-9396 (In Bluetooth, there is possible controlled termination due to a missin ...) NOT-FOR-US: Android CVE-2019-9395 (In Bluetooth, there is possible controlled termination due to a missin ...) NOT-FOR-US: Android CVE-2019-9394 (In Bluetooth, there is possible controlled termination due to a missin ...) NOT-FOR-US: Android CVE-2019-9393 (In Bluetooth, there is possible controlled termination due to a missin ...) NOT-FOR-US: Android CVE-2019-9392 RESERVED CVE-2019-9391 (In libxaac, there is a possible out of bounds read due to uninitialize ...) NOT-FOR-US: Android CVE-2019-9390 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9389 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9388 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9387 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9386 (In NFC server, there is a possible out of bounds write due to a missin ...) NOT-FOR-US: Android CVE-2019-9385 (In libxaac, there is a possible out of bounds read due to a missing bo ...) NOT-FOR-US: Android CVE-2019-9384 (In LockPatternUtils, there is a possible escalation of privilege due t ...) NOT-FOR-US: Android CVE-2019-9383 (In NFC server, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9382 (In libeffects, there is a possible out of bounds write due to a missin ...) NOT-FOR-US: Android CVE-2019-9381 (In netd, there is a possible out of bounds read due to a use after fre ...) NOT-FOR-US: Android CVE-2019-9380 (In the settings UI, there is a possible spoofing vulnerability due to ...) NOT-FOR-US: Android CVE-2019-9379 (In libstagefright, there is a possible resource exhaustion due to a mi ...) NOT-FOR-US: Android CVE-2019-9378 (In the Activity Manager service, there is a possible permission bypass ...) NOT-FOR-US: Android CVE-2019-9377 (In FingerprintService, there is a possible bypass for operating system ...) NOT-FOR-US: Android CVE-2019-9376 (In the Accounts package, there is a possible crash due to improper inp ...) NOT-FOR-US: Android CVE-2019-9375 (In hostapd, there is a possible out of bounds write due to a race cond ...) NOT-FOR-US: Android CVE-2019-9374 REJECTED CVE-2019-9373 (In JobStore, there is a mismatched serialization/deserialization for t ...) NOT-FOR-US: Android CVE-2019-9372 (In libskia, there is a possible crash due to a missing null check. Thi ...) - skia (bug #818180) CVE-2019-9371 (In libvpx, there is a possible resource exhaustion due to improper inp ...) - libvpx 1.8.1-2 (low) [buster] - libvpx 1.7.0-3+deb10u1 [stretch] - libvpx (Minor issue) [jessie] - libvpx (Vunerable code introduced in 1.4.0) NOTE: Commits in libwebm: NOTE: https://chromium.googlesource.com/webm/libwebm/+/027a472efe49ff3a24be619442d2150658dbaaa0 NOTE: https://chromium.googlesource.com/webm/libwebm/+/cb5a9477073cf7ae4a28356d6e3e5638aba78dc9 NOTE: Sync to libvpx via: NOTE: https://github.com/webmproject/libvpx/commit/34d54b04e98dd0bac32e9aab0fbda0bf501bc742 NOTE: https://github.com/webmproject/libvpx/commit/f00890eecdf8365ea125ac16769a83aa6b68792d CVE-2019-9370 (In sonivox, there is a possible out of bounds read due to an incorrect ...) NOT-FOR-US: Android CVE-2019-9369 (In Bluetooth, there is a use of uninitialized variable. This could lea ...) NOT-FOR-US: Android CVE-2019-9368 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9367 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9366 (In libSBRdec there is a possible out of bounds read due to a missing b ...) NOT-FOR-US: Android CVE-2019-9365 (In Bluetooth, there is a possible deserialization error due to missing ...) NOT-FOR-US: Android CVE-2019-9364 (In AudioService, there is a possible trigger of background user audio ...) NOT-FOR-US: Android CVE-2019-9363 (In Bluetooth, there is a possible out of bounds write due to a missing ...) NOT-FOR-US: Android CVE-2019-9362 (In libSACdec, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9361 (In libavc there is a possible information disclosure due to uninitiali ...) NOT-FOR-US: Android CVE-2019-9360 (In the TEE, there's a possible out of bounds read due to a missing bou ...) NOT-FOR-US: Android CVE-2019-9359 (In libavc there is a possible information disclosure due to uninitiali ...) NOT-FOR-US: Android CVE-2019-9358 (In NFC, there is a possible out of bounds write due to a missing bound ...) NOT-FOR-US: Android CVE-2019-9357 (In libAACdec, there is a possible out of bounds write due to an intege ...) NOT-FOR-US: Android CVE-2019-9356 (In NFC server, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9355 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9354 (In NFC server, there's a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9353 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9352 (In libstagefright, there is a possible resource exhaustion due to a mi ...) NOT-FOR-US: Android CVE-2019-9351 (In SyncStatusObserver, there is a possible bypass for operating system ...) NOT-FOR-US: Android CVE-2019-9350 (In Keymaster, there is a possible EoP due to a use after free. This co ...) NOT-FOR-US: Android CVE-2019-9349 (In libstagefright, there is a possible resource exhaustion due to impr ...) NOT-FOR-US: Android CVE-2019-9348 (In libstagefright, there is a possible resource exhaustion due to impr ...) NOT-FOR-US: Android CVE-2019-9347 (In the m4v_h263 codec, there is a possible out of bounds read due to a ...) NOT-FOR-US: Android CVE-2019-9346 (In libstagefright, there is a possible out of bounds write due to a he ...) NOT-FOR-US: Android CVE-2019-9345 (In the Android kernel in sdcardfs there is a possible violation of the ...) NOT-FOR-US: Android kernel CVE-2019-9344 (In NFC server, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9343 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9342 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9341 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9340 RESERVED CVE-2019-9339 RESERVED CVE-2019-9338 (In libavc there is a possible information disclosure due to uninitiali ...) NOT-FOR-US: Android CVE-2019-9337 (In libavc there is a possible information disclosure due to uninitiali ...) NOT-FOR-US: Android CVE-2019-9336 (In libavc there is a possible information disclosure due to uninitiali ...) NOT-FOR-US: Android CVE-2019-9335 (In libavc there is a possible information disclosure due to uninitiali ...) NOT-FOR-US: Android CVE-2019-9334 (In libhevc there is a possible information disclosure due to uninitial ...) NOT-FOR-US: Android CVE-2019-9333 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9332 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9331 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9330 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9329 (In Bluetooth, there is a possible out of bounds read due to uninitiali ...) NOT-FOR-US: Android CVE-2019-9328 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9327 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9326 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9325 (In libvpx, there is a possible out of bounds read due to a missing bou ...) {DSA-4578-1} - libvpx 1.8.1-2 [jessie] - libvpx (Vunerable code introduced in 1.4.0) NOTE: https://github.com/webmproject/libvpx/commit/0681cff1ad36b3ef8ec242f59b5a6c4234ccfb88 CVE-2019-9324 RESERVED CVE-2019-9323 (In the Wallpaper Manager service, there is a possible information disc ...) NOT-FOR-US: Android CVE-2019-9322 (In libavc there is a possible information disclosure due to uninitiali ...) NOT-FOR-US: Android CVE-2019-9321 (In libavc, there is a missing variable initialization. This could lead ...) NOT-FOR-US: Android CVE-2019-9320 (In libavc, there is a missing variable initialization. This could lead ...) NOT-FOR-US: Android CVE-2019-9319 (In libavc, there is a missing variable initialization. This could lead ...) NOT-FOR-US: Android CVE-2019-9318 (In libhevc, there is a missing variable initialization. This could lea ...) NOT-FOR-US: Android CVE-2019-9317 (In libstagefright, there is a missing variable initialization. This co ...) NOT-FOR-US: Android CVE-2019-9316 (In libstagefright, there is a missing variable initialization. This co ...) NOT-FOR-US: Android CVE-2019-9315 (In libhevc, there is a missing variable initialization. This could lea ...) NOT-FOR-US: Android CVE-2019-9314 (In libavc, there is a missing variable initialization. This could lead ...) NOT-FOR-US: Android CVE-2019-9313 (In libstagefright, there is a missing variable initialization. This co ...) NOT-FOR-US: Android CVE-2019-9312 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9311 (In Bluetooth, there is a possible crash due to an integer overflow. Th ...) NOT-FOR-US: Android CVE-2019-9310 (In libFDK, there is a possible out of bounds write due to an integer o ...) NOT-FOR-US: Android CVE-2019-9309 (In NFC, there is a possible out of bounds write due to a missing bound ...) NOT-FOR-US: Android CVE-2019-9308 (In libAACdec, there is a possible out of bounds write due to an intege ...) NOT-FOR-US: Android CVE-2019-9307 (In libAACdec, there is a possible out of bounds write due to an intege ...) NOT-FOR-US: Android CVE-2019-9306 (In libMpegTPDec, there is a possible out of bounds write due to an int ...) NOT-FOR-US: Android CVE-2019-9305 (In libAACdec, there is a possible out of bounds write due to an intege ...) NOT-FOR-US: Android CVE-2019-9304 (In libMpegTPDec, there is a possible out of bounds write due to an int ...) NOT-FOR-US: Android CVE-2019-9303 (In libFDK, there is a possible out of bounds write due to an integer o ...) NOT-FOR-US: Android CVE-2019-9302 (In libAACdec, there is a possible out of bounds write due to an intege ...) NOT-FOR-US: Android CVE-2019-9301 (In libAACdec, there is a possible out of bounds write due to an intege ...) NOT-FOR-US: Android CVE-2019-9300 (In libAACdec, there is a possible out of bounds write due to an intege ...) NOT-FOR-US: Android CVE-2019-9299 (In libAACdec, there is a possible out of bounds write due to an intege ...) NOT-FOR-US: Android CVE-2019-9298 (In libAACdec, there is a possible out of bounds write due to an intege ...) NOT-FOR-US: Android CVE-2019-9297 (In libAACdec, there is a possible out of bounds write due to an intege ...) NOT-FOR-US: Android CVE-2019-9296 (In NFC, there is a possible out of bounds read due to a missing bounds ...) NOT-FOR-US: Android CVE-2019-9295 (In com.android.apps.tag, there is a possible bypass of user interactio ...) NOT-FOR-US: Android CVE-2019-9294 (In libstagefright, there is a possible out of bounds read due to a mis ...) NOT-FOR-US: Android CVE-2019-9293 (In libstagefright, there is a possible out of bounds read due to a mis ...) NOT-FOR-US: Android CVE-2019-9292 (In the Activity Manager service, there is a possible information discl ...) NOT-FOR-US: Android CVE-2019-9291 (In Bluetooth, there is a possible remote code execution due to an impr ...) NOT-FOR-US: Android CVE-2019-9290 (In tzdata there is possible memory corruption due to a mismatch betwee ...) NOT-FOR-US: Android CVE-2019-9289 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9288 (In libhidcommand_jni, there is a possible out of bounds write due to a ...) NOT-FOR-US: Android CVE-2019-9287 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9286 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9285 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9284 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9283 (In AAC Codec, there is a possible resource exhaustion due to improper ...) NOT-FOR-US: Android CVE-2019-9282 (In skia, there is a possible out of bounds read due to a missing bound ...) - skia (bug #818180) CVE-2019-9281 (In GoogleContactsSyncAdapter, there is a possible path traversal due t ...) NOT-FOR-US: Android CVE-2019-9280 (In keyguard, there is a possible escalation of privilege due to improp ...) NOT-FOR-US: Android CVE-2019-9279 (In the wifi hotspot service, there is a possible denial of service due ...) NOT-FOR-US: Android CVE-2019-9278 (In libexif, there is a possible out of bounds write due to an integer ...) {DSA-4618-1 DLA-2100-1} - libexif 0.6.21-6 (bug #945948) NOTE: https://android.googlesource.com/platform/external/libexif/+/a5e8e5812a11ec9686294de8a5d68aaf2ab72475%5E%21/#F0 NOTE: https://github.com/libexif/libexif/issues/26 NOTE: https://github.com/libexif/libexif/commit/75aa73267fdb1e0ebfbc00369e7312bac43d0566 CVE-2019-9277 (In the proc filesystem, there is a possible information disclosure due ...) NOT-FOR-US: Android CVE-2019-9276 (In the Android kernel in the synaptics_dsx_htc touchscreen driver ther ...) NOT-FOR-US: Android kernel CVE-2019-9275 (In the Android kernel in the mnh driver there is a use after free due ...) NOT-FOR-US: Android kernel CVE-2019-9274 (In the Android kernel in the mnh driver there is a possible out of bou ...) NOT-FOR-US: Android kernel CVE-2019-9273 (In the Android kernel in the synaptics_dsx_htc touchscreen driver ther ...) NOT-FOR-US: Android kernel CVE-2019-9272 (In WiFi, there is a possible leak of WiFi state due to a permissions b ...) NOT-FOR-US: Android CVE-2019-9271 (In the Android kernel in the mnh driver there is a race condition due ...) NOT-FOR-US: Android kernel CVE-2019-9270 (In the Android kernel in unifi and r8180 WiFi drivers there is a possi ...) NOT-FOR-US: Android kernel CVE-2019-9269 (In System Settings, there is a possible permissions bypass due to a ca ...) NOT-FOR-US: Android CVE-2019-9268 (In libstagefright, there is a possible use-after-free due to improper ...) NOT-FOR-US: Android CVE-2019-9267 RESERVED CVE-2019-9266 (In sensorservice, there is a possible out of bounds write due to a mis ...) NOT-FOR-US: Android CVE-2019-9265 (In Bluetooth, there is a possible out of bounds read due to an incorre ...) NOT-FOR-US: Android CVE-2019-9264 (In libxaac there is a possible out of bounds read due to missing bound ...) NOT-FOR-US: Android CVE-2019-9263 (In telephony, there is a possible bypass of user interaction requireme ...) NOT-FOR-US: Android CVE-2019-9262 (In MPEG4Extractor, there is a possible out of bounds write due to an i ...) NOT-FOR-US: Android CVE-2019-9261 (In libxaac there is a possible out of bounds read due to missing bound ...) NOT-FOR-US: Android CVE-2019-9260 (In Bluetooth, there is a possible out of bounds read due to an incorre ...) NOT-FOR-US: Android CVE-2019-9259 (In the Bluetooth stack, there is a possible out of bounds write due to ...) NOT-FOR-US: Android CVE-2019-9258 (In wifilogd, there is a possible out of bounds write due to a missing ...) NOT-FOR-US: Android CVE-2019-9257 (In Bluetooth, there is a possible out of bounds write due to an intege ...) NOT-FOR-US: Android CVE-2019-9256 (In libmediaextractor there is a possible out of bounds write due to an ...) NOT-FOR-US: Android CVE-2019-9255 RESERVED CVE-2019-9254 (In readArgumentList of zygote.java in Android 10, there is a possible ...) NOT-FOR-US: Android CVE-2019-9253 (In KeyStore, there is a possible storage of symmetric keys in the TEE ...) NOT-FOR-US: Android CVE-2019-9252 (In libavc there is a possible out of bounds read due to uninitialized ...) NOT-FOR-US: Android CVE-2019-9251 (In NFC, there is a possible out of bounds read due to a missing bounds ...) NOT-FOR-US: Android CVE-2019-9250 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9249 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9248 (In the Android kernel in the FingerTipS touchscreen driver there is a ...) NOT-FOR-US: Android kernel CVE-2019-9247 (In AAC Codec, there is a missing variable initialization. This could l ...) NOT-FOR-US: Android CVE-2019-9246 (In NFC, there is a possible out of bounds read due to a missing bounds ...) NOT-FOR-US: Android CVE-2019-9245 (In the Android kernel in the f2fs driver there is a possible out of bo ...) - linux 4.19.16-1 [jessie] - linux (f2fs is not supportable) NOTE: https://git.kernel.org/linus/64beba0558fce7b59e9a8a7afd77290e82a22163 CVE-2019-9244 (In NFC, there is a possible out of bounds read due to a missing bounds ...) NOT-FOR-US: Android CVE-2019-9243 (In wpa_supplicant_8, there is a possible out of bounds read due to a m ...) NOT-FOR-US: Android CVE-2019-9242 (In NFC, there is a possible out of bounds read due to a missing bounds ...) NOT-FOR-US: Android CVE-2019-9241 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9240 (In NFC, there is a possible out of bounds read due to a missing bounds ...) NOT-FOR-US: Android CVE-2019-9239 (In NFC, there is a possible out of bounds read due to a missing bounds ...) NOT-FOR-US: Android CVE-2019-9238 (In the NFC stack, there is a possible out of bounds write due to a mis ...) NOT-FOR-US: Android CVE-2019-9237 (In Bluetooth, there is a possible out of bounds read due to a missing ...) NOT-FOR-US: Android CVE-2019-9236 (In NFC, there is a possible out of bounds read due to a missing bounds ...) NOT-FOR-US: Android CVE-2019-9235 (In NFC, there is a possible out of bounds read due to a missing bounds ...) NOT-FOR-US: Android CVE-2019-9234 (In wpa_supplicant_8, there is a possible out of bounds read due to a m ...) NOT-FOR-US: Android CVE-2019-9233 (In wpa_supplicant_8, there is a possible out of bounds read due to an ...) NOT-FOR-US: Android CVE-2019-9232 (In libvpx, there is a possible out of bounds read due to a missing bou ...) {DSA-4578-1 DLA-2012-1} - libvpx 1.8.1-2 NOTE: https://github.com/webmproject/libvpx/commit/46e17f0cb4a80b36755c84b8bf15731d3386c08f CVE-2019-9231 (An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M80 ...) NOT-FOR-US: AudioCodes Mediant devices CVE-2019-9230 (An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M80 ...) NOT-FOR-US: AudioCodes Mediant devices CVE-2019-9229 (An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M80 ...) NOT-FOR-US: AudioCodes CVE-2019-9228 (** DISPUTED ** An issue was discovered on AudioCodes Mediant 500L-MSBR ...) NOT-FOR-US: AudioCodes CVE-2019-9227 (An issue was discovered in baigo CMS 2.1.1. There is a vulnerability t ...) NOT-FOR-US: baigo CMS CVE-2019-9226 (An issue was discovered in baigo CMS 2.1.1. There is a persistent XSS ...) NOT-FOR-US: baigo CMS CVE-2019-9225 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) [experimental] - gitlab 11.8.2-1 - gitlab 11.8.2-2 (bug #924447) NOTE: https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released/ CVE-2019-9224 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) [experimental] - gitlab 11.8.2-1 - gitlab 11.8.2-2 (bug #924447) NOTE: https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released/ CVE-2019-9223 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) [experimental] - gitlab 11.8.2-1 - gitlab 11.8.2-2 (bug #924447) NOTE: https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released/ CVE-2019-9222 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) [experimental] - gitlab 11.8.2-1 - gitlab 11.8.2-2 (bug #924447) NOTE: https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released/ CVE-2019-9221 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) [experimental] - gitlab 11.8.2-1 - gitlab 11.8.2-2 (bug #924447) NOTE: https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released/ CVE-2019-9220 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) [experimental] - gitlab 11.8.2-1 - gitlab 11.8.2-2 (bug #924447) NOTE: https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released/ CVE-2019-9219 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) [experimental] - gitlab 11.8.2-1 - gitlab 11.8.2-2 (bug #924447) NOTE: https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released/ CVE-2019-9218 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) [experimental] - gitlab 11.8.2-1 - gitlab 11.8.2-2 (bug #924447) NOTE: https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released/ CVE-2019-9217 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) [experimental] - gitlab 11.8.2-1 - gitlab 11.8.2-2 (bug #924447) NOTE: https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released/ CVE-2019-9216 RESERVED CVE-2019-9215 (In Live555 before 2019.02.27, malformed headers lead to invalid memory ...) {DSA-4408-1 DLA-1720-1} [experimental] - liblivemedia 2019.02.27-1 - liblivemedia 2018.11.26-1.1 (bug #924655) NOTE: Reporter advisory and analysis: https://tools.cisco.com/security/center/viewAlert.x?alertId=59708 CVE-2019-9214 (In Wireshark 2.4.0 to 2.4.12 and 2.6.0 to 2.6.6, the RPCAP dissector c ...) {DSA-4416-1} - wireshark 2.6.7-1 (bug #923611) [jessie] - wireshark (Vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15536 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=c557bb0910be271e49563756411a690a1bc53ce5 NOTE: https://www.wireshark.org/security/wnpa-sec-2019-08.html CVE-2019-9213 (In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lack ...) {DLA-1771-1 DLA-1731-1} - linux 4.19.28-1 [stretch] - linux 4.9.168-1 NOTE: Fixed by: https://git.kernel.org/linus/0a1d52994d440e21def1c2174932410b4f2a98a1 (5.0) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1792 CVE-2019-9212 (** DISPUTED ** SOFA-Hessian through 4.0.2 allows remote attackers to e ...) NOT-FOR-US: SOFA-Hessian CVE-2019-9211 (There is a reachable assertion abort in the function write_long_string ...) - pspp 1.2.0-4 (unimportant; bug #923417) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1683499 NOTE: Crash in CLI tool, no security impact CVE-2019-9210 (In AdvanceCOMP 2.1, png_compress in pngex.cc in advpng has an integer ...) {DLA-1702-1} - advancecomp 2.1-2 (low; bug #923416) [stretch] - advancecomp (Minor issue) NOTE: https://sourceforge.net/p/advancemame/bugs/277/ NOTE: Fixed by https://github.com/amadvance/advancecomp/commit/fcf71a89265c78fc26243574dda3a872574a5c02 CVE-2018-20797 (An issue was discovered in PoDoFo 0.9.6. There is an attempted excessi ...) - libpodofo (low; bug #923415) [buster] - libpodofo (Minor issue) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) NOTE: https://sourceforge.net/p/podofo/tickets/34/ CVE-2019-9209 (In Wireshark 2.4.0 to 2.4.12 and 2.6.0 to 2.6.6, the ASN.1 BER and rel ...) {DSA-4416-1 DLA-1729-1} - wireshark 2.6.7-1 (bug #923611) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15447 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f8fbe9f934d65b2694fa74622e5eb2e1dc8cd20b NOTE: https://www.wireshark.org/security/wnpa-sec-2019-06.html CVE-2019-9208 (In Wireshark 2.4.0 to 2.4.12 and 2.6.0 to 2.6.6, the TCAP dissector co ...) {DSA-4416-1} - wireshark 2.6.7-1 (bug #923611) [jessie] - wireshark (Vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15464 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=3d1b8004ed3a07422ca5d4e4ee8097150b934fd2 NOTE: https://www.wireshark.org/security/wnpa-sec-2019-07.html CVE-2019-9207 (PRTG Network Monitor v7.1.3.3378 allows XSS via the /search.htm search ...) NOT-FOR-US: PRTG Network Monitor CVE-2019-9206 (PRTG Network Monitor v7.1.3.3378 allows XSS via the /public/login.htm ...) NOT-FOR-US: PRTG Network Monitor CVE-2019-9205 RESERVED CVE-2019-9204 (SQL injection vulnerability in Nagios IM (component of Nagios XI) befo ...) NOT-FOR-US: Nagios XI CVE-2019-9203 (Authorization bypass in Nagios IM (component of Nagios XI) before 2.2. ...) NOT-FOR-US: Nagios XI CVE-2019-9202 (Nagios IM (component of Nagios XI) before 2.2.7 allows authenticated u ...) NOT-FOR-US: Nagios XI CVE-2019-9201 (Phoenix Contact ILC 131 ETH, ILC 131 ETH/XC, ILC 151 ETH, ILC 151 ETH/ ...) NOT-FOR-US: Phoenix Contact ILC CVE-2019-9200 (A heap-based buffer underwrite exists in ImageStream::getLine() locate ...) {DLA-1706-1} - poppler 0.71.0-4 (bug #923414) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/728 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/f4136a6353162db249f63ddb0f20611622ab61b4 CVE-2019-9199 (PoDoFo::Impose::PdfTranslator::setSource() in pdftranslator.cpp in PoD ...) - libpodofo 0.9.6+dfsg-5 (low; bug #923469) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) NOTE: https://sourceforge.net/p/podofo/tickets/40/ NOTE: upstream fix: https://sourceforge.net/p/podofo/code/1971/ CVE-2019-9198 RESERVED CVE-2019-9197 (The com.unity3d.kharma protocol handler in Unity Editor 2018.3 allows ...) NOT-FOR-US: Unity Editor CVE-2019-9196 (The Face authentication component in Aware mobile liveness 2.2.1 sdk 2 ...) NOT-FOR-US: Aware mobile liveness CVE-2019-9195 (util/src/zip.rs in Grin before 1.0.2 mishandles suspicious files. An a ...) NOT-FOR-US: Grin CVE-2019-9194 (elFinder before 2.1.48 has a command injection vulnerability in the PH ...) NOT-FOR-US: elFinder CVE-2019-9193 (** DISPUTED ** In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGR ...) - postgresql-11 (unimportant) - postgresql-9.6 (unimportant) - postgresql-9.4 (unimportant) NOTE: https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5 NOTE: https://paquier.xyz/postgresql-2/postgres-9-3-feature-highlight-copy-tofrom-program/ NOTE: Upstream statement: https://www.postgresql.org/about/news/1935/ NOTE: Issue is not to be considered a vulnerability and disupted to be valid. CVE-2019-9191 (The ETSI Enterprise Transport Security (ETS, formerly known as eTLS) p ...) NOT-FOR-US: ETSI protocol CVE-2019-9190 RESERVED CVE-2019-9189 (Prima Systems FlexAir, Versions 2.4.9api3 and prior. The application a ...) NOT-FOR-US: Prima Systems FlexAir devices CVE-2019-9188 RESERVED CVE-2019-9187 (ikiwiki before 3.20170111.1 and 3.2018x and 3.2019x before 3.20190228 ...) {DSA-4399-1 DLA-1716-1} - ikiwiki 3.20190228-1 NOTE: https://ikiwiki.info/security/#cve-2019-9187 NOTE: https://www.openwall.com/lists/oss-security/2019/02/28/1 NOTE: http://source.ikiwiki.branchable.com/?p=source.git;a=commitdiff;h=e7b0d4a NOTE: http://source.ikiwiki.branchable.com/?p=source.git;a=commitdiff;h=67543ce NOTE: http://source.ikiwiki.branchable.com/?p=source.git;a=commitdiff;h=d283e4c NOTE: http://source.ikiwiki.branchable.com/?p=source.git;a=commitdiff;h=9a275b2 CVE-2019-9186 (In several JetBrains IntelliJ IDEA versions, a Spring Boot run configu ...) - intellij-idea (bug #747616) CVE-2019-9185 (Controller/Async/FilesystemManager.php in the filemanager in Bolt befo ...) NOT-FOR-US: Bolt CMS CVE-2019-9184 (SQL injection vulnerability in the J2Store plugin 3.x before 3.3.7 for ...) NOT-FOR-US: J2Store plugin for Joomla! CVE-2019-9183 (An issue was discovered in Contiki-NG through 4.3 and Contiki through ...) NOT-FOR-US: Contiki-NG CVE-2019-9182 (There is a CSRF in ZZZCMS zzzphp V1.6.1 via a /admin015/save.php?act=e ...) NOT-FOR-US: ZZZCMS CVE-2019-9181 (SchoolCMS version 2.3.1 allows file upload via the logo upload feature ...) NOT-FOR-US: SchoolCMS CVE-2019-9180 RESERVED CVE-2019-9179 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) [experimental] - gitlab 11.8.2-1 - gitlab 11.8.2-2 (bug #924447) NOTE: https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released/ CVE-2019-9178 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) [experimental] - gitlab 11.8.2-1 - gitlab 11.8.2-2 (bug #924447) NOTE: https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released/ CVE-2019-9177 REJECTED CVE-2019-9176 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) [experimental] - gitlab 11.8.2-1 - gitlab 11.8.2-2 (bug #924447) NOTE: https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released/ CVE-2019-9175 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) [experimental] - gitlab 11.8.2-1 - gitlab 11.8.2-2 (bug #924447) NOTE: https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released/ CVE-2019-9174 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) [experimental] - gitlab 11.8.2-1 - gitlab 11.8.2-2 (bug #924447) NOTE: https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released/ CVE-2019-9173 RESERVED CVE-2019-9172 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) [experimental] - gitlab 11.8.2-1 - gitlab 11.8.2-2 (bug #924447) NOTE: https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released/ CVE-2019-9171 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) [experimental] - gitlab 11.8.2-1 - gitlab 11.8.2-2 (bug #924447) NOTE: https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released/ CVE-2019-9170 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) [experimental] - gitlab 11.8.2-1 - gitlab 11.8.2-2 (bug #924447) NOTE: https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released/ CVE-2019-9169 (In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_n ...) - glibc 2.28-9 (bug #924612) [stretch] - glibc (Minor issue) [jessie] - glibc (Minor issue) - eglibc NOTE: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140 NOTE: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24114 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9 CVE-2019-9168 (WooCommerce before 3.5.5 allows XSS via a Photoswipe caption. ...) NOT-FOR-US: WooCommerce CVE-2019-9167 (Cross-site scripting (XSS) vulnerability in Nagios XI before 5.5.11 al ...) NOT-FOR-US: Nagios XI CVE-2019-9166 (Privilege escalation in Nagios XI before 5.5.11 allows local attackers ...) NOT-FOR-US: Nagios XI CVE-2019-9165 (SQL injection vulnerability in Nagios XI before 5.5.11 allows attacker ...) NOT-FOR-US: Nagios XI CVE-2019-9164 (Command injection in Nagios XI before 5.5.11 allows an authenticated u ...) NOT-FOR-US: Nagios XI CVE-2019-9163 (The connection initiation process in March Networks Command Client bef ...) NOT-FOR-US: March Networks CVE-2019-9161 (WAC on the Sangfor Sundray WLAN Controller version 3.7.4.2 and earlier ...) NOT-FOR-US: Sangfor Sundray WLAN Controller CVE-2019-9160 (WAC on the Sangfor Sundray WLAN Controller version 3.7.4.2 and earlier ...) NOT-FOR-US: Sangfor Sundray WLAN Controller CVE-2019-9159 RESERVED CVE-2019-9158 (Gemalto DS3 Authentication Server 2.6.1-SP01 has Broken Access Control ...) NOT-FOR-US: Gemalto DS3 Authentication Server CVE-2019-9157 (Gemalto DS3 Authentication Server 2.6.1-SP01 allows Local File Disclos ...) NOT-FOR-US: Gemalto DS3 Authentication Server CVE-2019-9156 (Gemalto DS3 Authentication Server 2.6.1-SP01 allows OS Command Injecti ...) NOT-FOR-US: Gemalto DS3 Authentication Server CVE-2019-9192 (** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, ...) - glibc (unimportant) - eglibc (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24269 CVE-2018-20796 (In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limi ...) - glibc (unimportant) - eglibc (unimportant) NOTE: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141 NOTE: https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html NOTE: No treated as vulnerability: https://sourceware.org/glibc/wiki/Security%20Exceptions CVE-2009-5155 (In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp i ...) [experimental] - gnulib 20180621~6979c25-1 - gnulib 20140202+stable-3.2 (bug #924613) [stretch] - gnulib (Minor issue) [jessie] - gnulib (Minor issue) - glibc 2.28-1 [stretch] - glibc (Minor issue) [jessie] - glibc (Minor issue) - eglibc NOTE: http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272 NOTE: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793 NOTE: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32806 NOTE: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34238 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=11053 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=18986 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eb04c21373e2a2885f3d52ff192b0499afe3c672 CVE-2019-9162 (In the Linux kernel before 4.20.12, net/ipv4/netfilter/nf_nat_snmp_bas ...) - linux 4.19.28-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/c4c07b4d6fa1f11880eab8e076d3d060ef3f55fc NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1776 CVE-2019-9155 (A cryptographic issue in OpenPGP.js <=4.2.0 allows an attacker who ...) - node-openpgp (bug #787774) CVE-2019-9154 (Improper Verification of a Cryptographic Signature in OpenPGP.js <= ...) - node-openpgp (bug #787774) CVE-2019-9153 (Improper Verification of a Cryptographic Signature in OpenPGP.js <= ...) - node-openpgp (bug #787774) CVE-2019-9152 (An issue was discovered in the HDF HDF5 1.10.4 library. There is an ou ...) - hdf5 [buster] - hdf5 (Minor issue) [stretch] - hdf5 (Minor issue) [jessie] - hdf5 (Minor issue) NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul8 NOTE: issue in upstream bug tracker: https://jira.hdfgroup.org/browse/HDFFV-10719 CVE-2019-9151 (An issue was discovered in the HDF HDF5 1.10.4 library. There is an ou ...) - hdf5 [buster] - hdf5 (Minor issue) [stretch] - hdf5 (Minor issue) [jessie] - hdf5 (Minor issue) NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul7 NOTE: issue in upstream bug tracker: https://jira.hdfgroup.org/browse/HDFFV-10718 CVE-2019-9150 (Mailvelope prior to 3.3.0 does not require user interaction to import ...) NOT-FOR-US: Mailvelope CVE-2019-9149 (Mailvelope prior to 3.3.0 allows private key operations without user i ...) NOT-FOR-US: Mailvelope CVE-2019-9148 (Mailvelope prior to 3.3.0 accepts or operates with invalid PGP public ...) NOT-FOR-US: Mailvelope CVE-2019-9147 (Mailvelope prior to 3.1.0 is vulnerable to a clickjacking attack again ...) NOT-FOR-US: Mailvelope CVE-2019-9146 (Jamf Self Service 10.9.0 allows man-in-the-middle attackers to obtain ...) NOT-FOR-US: Jamf Self Service CVE-2019-9145 (An issue was discovered in Hsycms V1.1. There is an XSS vulnerability ...) NOT-FOR-US: Hsycms CVE-2019-9144 (An issue was discovered in Exiv2 0.27. There is infinite recursion at ...) - exiv2 0.27.2-8 (low; bug #923473) [buster] - exiv2 (Vulnerable code introduced later) [stretch] - exiv2 (Vulnerable code introduced later) [jessie] - exiv2 (Vulnerable code introduced later) NOTE: https://github.com/Exiv2/exiv2/issues/712 CVE-2019-9143 (An issue was discovered in Exiv2 0.27. There is infinite recursion at ...) - exiv2 0.27.2-8 (low; bug #923472) [buster] - exiv2 (Vulnerable code introduced later) [stretch] - exiv2 (Vulnerable code introduced later) [jessie] - exiv2 (Vulnerable code introduced later) NOTE: https://github.com/Exiv2/exiv2/issues/711 CVE-2019-9142 (An issue was discovered in b3log Symphony (aka Sym) before v3.4.7. XSS ...) NOT-FOR-US: b3log Symphony (aka Sym) CVE-2019-9141 (ZInsVX.dll ActiveX Control 2018.02 and earlier in Zoneplayer contains ...) NOT-FOR-US: Zoneplayer CVE-2019-9140 (When processing Deeplink scheme, Happypoint mobile app 6.3.19 and earl ...) NOT-FOR-US: Happypoint mobile app CVE-2019-9139 (DaviewIndy 8.98.7 and earlier versions have a Integer overflow vulnera ...) NOT-FOR-US: DaviewIndy CVE-2019-9138 (DaviewIndy 8.98.7 and earlier versions have a Integer overflow vulnera ...) NOT-FOR-US: DaviewIndy CVE-2019-9137 (DaviewIndy 8.98.7 and earlier versions have a Integer overflow vulnera ...) NOT-FOR-US: DaviewIndy CVE-2019-9136 (DaviewIndy 8.98.7 and earlier versions have a Heap-based overflow vuln ...) NOT-FOR-US: DaviewIndy CVE-2019-9135 (DaviewIndy 8.98.7 and earlier versions have a Heap-based overflow vuln ...) NOT-FOR-US: DaviewIndy CVE-2019-9134 (Architectural Information System 1.0 and earlier versions have a Stack ...) NOT-FOR-US: Architectural Information System CVE-2019-9133 (When processing subtitles format media file, KMPlayer version 2018.12. ...) NOT-FOR-US: KMPlayer (different from src:kmplayer) CVE-2019-9132 (Remote code execution vulnerability exists in KaKaoTalk PC messenger w ...) NOT-FOR-US: KaKaoTalk PC messenger CVE-2019-9131 RESERVED CVE-2019-9130 RESERVED CVE-2019-9129 RESERVED CVE-2019-9128 RESERVED CVE-2019-9127 RESERVED CVE-2019-9126 (An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. There is ...) NOT-FOR-US: D-Link CVE-2019-9125 (An issue was discovered on D-Link DIR-878 1.12B01 devices. Because str ...) NOT-FOR-US: D-Link CVE-2019-9124 (An issue was discovered on D-Link DIR-878 1.12B01 devices. At the /HNA ...) NOT-FOR-US: D-Link CVE-2019-9123 (An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. The "use ...) NOT-FOR-US: D-Link CVE-2019-9122 (An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. They all ...) NOT-FOR-US: D-Link CVE-2019-9121 (An issue was discovered on Motorola C1 and M2 devices with firmware 1. ...) NOT-FOR-US: Motorola CVE-2019-9120 (An issue was discovered on Motorola C1 and M2 devices with firmware 1. ...) NOT-FOR-US: Motorola CVE-2019-9119 (An issue was discovered on Motorola C1 and M2 devices with firmware 1. ...) NOT-FOR-US: Motorola CVE-2019-9118 (An issue was discovered on Motorola C1 and M2 devices with firmware 1. ...) NOT-FOR-US: Motorola CVE-2019-9117 (An issue was discovered on Motorola C1 and M2 devices with firmware 1. ...) NOT-FOR-US: Motorola CVE-2019-9116 (** DISPUTED ** DLL hijacking is possible in Sublime Text 3 version 3.1 ...) NOT-FOR-US: Sublime Text Windows build CVE-2019-9115 (In irisnet-crypto before 1.1.7 for IRISnet, the util/utils.js file all ...) NOT-FOR-US: IRISnet CVE-2019-9114 (Ming (aka libming) 0.4.8 has an out of bounds write vulnerability in t ...) - ming NOTE: https://github.com/libming/libming/issues/170 CVE-2019-9113 (Ming (aka libming) 0.4.8 has a NULL pointer dereference in the functio ...) - ming NOTE: https://github.com/libming/libming/issues/171 CVE-2019-9112 (The msm gpu driver for custom Linux kernels on the Xiaomi perseus-p-os ...) NOT-FOR-US: Xiaomi-specific driver not in the mainline msm driver CVE-2019-9111 (The msm gpu driver for custom Linux kernels on the Xiaomi perseus-p-os ...) NOT-FOR-US: Xiaomi-specific driver not in the mainline msm driver CVE-2019-9110 (XSS exists in WUZHI CMS 4.1.0 via index.php?m=content&f=postinfo&a ...) NOT-FOR-US: WUZHI CMS CVE-2019-9109 (XSS exists in WUZHI CMS 4.1.0 via index.php?m=message&f=message&am ...) NOT-FOR-US: WUZHI CMS CVE-2019-9108 (XSS exists in WUZHI CMS 4.1.0 via index.php?m=core&f=map&v=bai ...) NOT-FOR-US: WUZHI CMS CVE-2019-9107 (XSS exists in WUZHI CMS 4.1.0 via index.php?m=attachment&f=imagecu ...) NOT-FOR-US: WUZHI CMS CVE-2019-9106 (The WebApp v04.68 in the supervisor on SAET Impianti Speciali TEBE Sma ...) NOT-FOR-US: SAET Impianti Speciali TEBE Small devices CVE-2019-9105 (The WebApp v04.68 in the supervisor on SAET Impianti Speciali TEBE Sma ...) NOT-FOR-US: SAET Impianti Speciali TEBE Small devices CVE-2019-9104 (An issue was discovered on Moxa MGate MB3170 and MB3270 devices before ...) NOT-FOR-US: Moxa CVE-2019-9103 (An issue was discovered on Moxa MGate MB3170 and MB3270 devices before ...) NOT-FOR-US: Moxa CVE-2019-9102 (An issue was discovered on Moxa MGate MB3170 and MB3270 devices before ...) NOT-FOR-US: Moxa CVE-2019-9101 (An issue was discovered on Moxa MGate MB3170 and MB3270 devices before ...) NOT-FOR-US: Moxa CVE-2019-9100 RESERVED CVE-2019-9099 (An issue was discovered on Moxa MGate MB3170 and MB3270 devices before ...) NOT-FOR-US: Moxa CVE-2019-9098 (An issue was discovered on Moxa MGate MB3170 and MB3270 devices before ...) NOT-FOR-US: Moxa CVE-2019-9097 (An issue was discovered on Moxa MGate MB3170 and MB3270 devices before ...) NOT-FOR-US: Moxa CVE-2019-9096 (An issue was discovered on Moxa MGate MB3170 and MB3270 devices before ...) NOT-FOR-US: Moxa CVE-2019-9095 (An issue was discovered on Moxa MGate MB3170 and MB3270 devices before ...) NOT-FOR-US: Moxa CVE-2019-9094 (A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in ...) NOT-FOR-US: Humhub CVE-2019-9093 (A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in ...) NOT-FOR-US: Humhub CVE-2019-9092 RESERVED CVE-2019-9091 RESERVED CVE-2019-9090 RESERVED CVE-2019-9089 RESERVED CVE-2019-9088 RESERVED CVE-2019-9087 (HotelDruid before v2.3.1 has SQL Injection via the /tab_tariffe.php nu ...) - hoteldruid 2.3.2-1 [stretch] - hoteldruid (Minor issue) [jessie] - hoteldruid (low popcon) CVE-2019-9086 (HotelDruid before v2.3.1 has SQL Injection via the /visualizza_tabelle ...) - hoteldruid 2.3.2-1 [stretch] - hoteldruid (Minor issue) [jessie] - hoteldruid (low popcon) CVE-2019-9085 (Hoteldruid before v2.3.1 allows remote authenticated users to cause a ...) - hoteldruid 2.3.2-1 [stretch] - hoteldruid (Minor issue) [jessie] - hoteldruid (low popcon) CVE-2019-9084 (In Hoteldruid before 2.3.1, a division by zero was discovered in $num_ ...) - hoteldruid 2.3.2-1 [stretch] - hoteldruid (Minor issue) [jessie] - hoteldruid (low popcon) CVE-2019-9083 (SQLiteManager 1.20 and 1.24 allows SQL injection via the /sqlitemanage ...) NOT-FOR-US: SQLiteManager CVE-2018-20795 (tecrail Responsive FileManager 9.13.4 allows remote attackers to read ...) NOT-FOR-US: tecrail Responsive FileManager CVE-2018-20794 (tecrail Responsive FileManager 9.13.4 allows remote attackers to write ...) NOT-FOR-US: tecrail Responsive FileManager CVE-2018-20793 (tecrail Responsive FileManager 9.13.4 allows remote attackers to write ...) NOT-FOR-US: tecrail Responsive FileManager CVE-2018-20792 (tecrail Responsive FileManager 9.13.4 allows remote attackers to read ...) NOT-FOR-US: tecrail Responsive FileManager CVE-2018-20791 (tecrail Responsive FileManager 9.13.4 allows XSS via a media file uplo ...) NOT-FOR-US: tecrail Responsive FileManager CVE-2018-20790 (tecrail Responsive FileManager 9.13.4 allows remote attackers to delet ...) NOT-FOR-US: tecrail Responsive FileManager CVE-2018-20789 (tecrail Responsive FileManager 9.13.4 allows remote attackers to delet ...) NOT-FOR-US: tecrail Responsive FileManager CVE-2018-20788 (drivers/leds/leds-aw2023.c in the led driver for custom Linux kernels ...) NOT-FOR-US: led driver for custom Linux kernels on the Xiaomi Redmi 6pro daisy-o-oss phone CVE-2018-20787 (The ft5x46 touchscreen driver for custom Linux kernels on the Xiaomi p ...) NOT-FOR-US: touchscreen driver for custom Linux kernels on the Xiaomi perseus-p-oss MIX 3 device CVE-2019-9082 (ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other pro ...) NOT-FOR-US: ThinkPHP CVE-2019-9081 (The Illuminate component of Laravel Framework 5.7.x has a deserializat ...) NOT-FOR-US: Laravel Framework CVE-2019-9080 RESERVED CVE-2019-9079 RESERVED CVE-2019-9078 (zzcms 2019 has XSS via an arbitrary user/ask.php?do=modify parameter b ...) NOT-FOR-US: zzcms CVE-2018-20786 (libvterm through 0+bzr726, as used in Vim and other products, mishandl ...) - vim 2:8.1.0693-1 (unimportant) [stretch] - vim (Vulnerable code introduced later) [jessie] - vim (Vulnerable code introduced later) - libvterm (unimportant) NOTE: Introduced by: https://github.com/vim/vim/commit/e4f25e4a8db2c8a8a71a4ba2a68540b3ab341e42 (v8.0.0693) NOTE: Fixed by: https://github.com/vim/vim/commit/cd929f7ba8cc5b6d6dcf35c8b34124e969fed6b8 (v8.1.0633) NOTE: MISC:https://github.com/vim/vim/issues/3711 NOTE: No security impact CVE-2019-9077 (An issue was discovered in GNU Binutils 2.32. It is a heap-based buffe ...) - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24243 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7fc0c668f2aceb8582d74db1ad2528e2bba8a921 NOTE: binutils not covered by security support CVE-2019-9076 (An issue was discovered in the Binary File Descriptor (BFD) library (a ...) NOTE: Disputed by binutils upstream, not considered a bug NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24238 CVE-2019-9075 (An issue was discovered in the Binary File Descriptor (BFD) library (a ...) - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24236 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8abac8031ed369a2734b1cdb7df28a39a54b4b49 NOTE: binutils not covered by security support CVE-2019-9074 (An issue was discovered in the Binary File Descriptor (BFD) library (a ...) - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24235 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=179f2db0d9c397d7dd8a59907b84208b79f7f48c NOTE: binutils not covered by security support CVE-2019-9073 (An issue was discovered in the Binary File Descriptor (BFD) library (a ...) - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24233 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7d272a55caebfc26ab2e15d1e9439bac978b9bb7 NOTE: binutils not covered by security support CVE-2019-9072 (An issue was discovered in the Binary File Descriptor (BFD) library (a ...) NOTE: Disputed by binutils upstream, not considered a bug NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89396 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24232 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24237 CVE-2019-9071 (An issue was discovered in GNU libiberty, as distributed in GNU Binuti ...) - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89394 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24227 NOTE: binutils not covered by security support CVE-2019-9070 (An issue was discovered in GNU libiberty, as distributed in GNU Binuti ...) - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89395 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24229 NOTE: binutils not covered by security support CVE-2019-9069 RESERVED CVE-2019-9068 RESERVED CVE-2019-9067 RESERVED CVE-2019-9066 (PHP Scripts Mall PHP Appointment Booking Script 3.0.3 allows HTML inje ...) NOT-FOR-US: PHP Scripts Mall PHP Appointment Booking Script CVE-2019-9065 (PHP Scripts Mall Custom T-Shirt Ecommerce Script 3.1.1 allows paramete ...) NOT-FOR-US: PHP Scripts Mall Custom T-Shirt Ecommerce Script CVE-2019-9064 (PHP Scripts Mall Cab Booking Script 1.0.3 allows Directory Traversal i ...) NOT-FOR-US: PHP Scripts Mall Cab Booking Script CVE-2019-9063 (PHP Scripts Mall Auction website script 2.0.4 allows parameter tamperi ...) NOT-FOR-US: PHP Scripts Mall Auction website script CVE-2019-9062 (PHP Scripts Mall Online Food Ordering Script 1.0 has Cross-Site Reques ...) NOT-FOR-US: PHP Scripts Mall Online Food Ordering Script CVE-2019-9061 (An issue was discovered in CMS Made Simple 2.2.8. In the module Module ...) NOT-FOR-US: CMS Made Simple CVE-2019-9060 RESERVED CVE-2019-9059 (An issue was discovered in CMS Made Simple 2.2.8. It is possible, with ...) NOT-FOR-US: CMS Made Simple CVE-2019-9058 (An issue was discovered in CMS Made Simple 2.2.8. In the administrator ...) NOT-FOR-US: CMS Made Simple CVE-2019-9057 (An issue was discovered in CMS Made Simple 2.2.8. In the module FilePi ...) NOT-FOR-US: CMS Made Simple CVE-2019-9056 (An issue was discovered in CMS Made Simple 2.2.8. In the module FrontE ...) NOT-FOR-US: CMS Made Simple CVE-2019-9055 (An issue was discovered in CMS Made Simple 2.2.8. In the module Design ...) NOT-FOR-US: CMS Made Simple CVE-2019-9054 RESERVED CVE-2019-9053 (An issue was discovered in CMS Made Simple 2.2.8. It is possible with ...) NOT-FOR-US: CMS Made Simple CVE-2019-9052 (An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerabi ...) NOT-FOR-US: Pluck CMS CVE-2019-9051 (An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerabi ...) NOT-FOR-US: Pluck CMS CVE-2019-9050 (An issue was discovered in Pluck 4.7.9-dev1. It allows administrators ...) NOT-FOR-US: Pluck CMS CVE-2019-9049 (An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerabi ...) NOT-FOR-US: Pluck CMS CVE-2019-9048 (An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerabi ...) NOT-FOR-US: Pluck CMS CVE-2019-9047 (GoRose v1.0.4 has SQL Injection when the order_by or group_by paramete ...) NOT-FOR-US: GoRose CVE-2019-9046 RESERVED CVE-2019-9045 RESERVED CVE-2019-9044 RESERVED CVE-2019-9043 RESERVED CVE-2019-9042 (** DISPUTED ** An issue was discovered in Sitemagic CMS v4.4. In the i ...) NOT-FOR-US: Sitemagic CMS CVE-2019-9041 (An issue was discovered in ZZZCMS zzzphp V1.6.1. In the inc/zzz_templa ...) NOT-FOR-US: ZZZCMS CVE-2019-9040 (S-CMS PHP v3.0 has a CSRF vulnerability to add a new admin user via th ...) NOT-FOR-US: S-CMS CVE-2019-9039 (In Couchbase Sync Gateway 2.1.2, an attacker with access to the Sync G ...) NOT-FOR-US: Couchbase Sync Gateway CVE-2019-9038 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...) - libmatio 1.5.13-2 (low; bug #924185) [stretch] - libmatio (Minor issue) [jessie] - libmatio (Minor issue, hard to backport) NOTE: https://github.com/tbeu/matio/issues/103 NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775 NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb CVE-2019-9037 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...) - libmatio 1.5.13-2 (low; bug #924185) [stretch] - libmatio (Minor issue) [jessie] - libmatio (Minor issue, hard to backport) NOTE: https://github.com/tbeu/matio/issues/103 NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775 NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb CVE-2019-9036 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...) - libmatio 1.5.13-2 (low; bug #924185) [stretch] - libmatio (Minor issue) [jessie] - libmatio (Minor issue, hard to backport) NOTE: https://github.com/tbeu/matio/issues/103 NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775 NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb NOTE: Not completely fixed with the initial two commits, cf. NOTE: https://github.com/tbeu/matio/issues/103#issuecomment-472020538 ff CVE-2019-9035 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...) - libmatio 1.5.13-2 (low; bug #924185) [stretch] - libmatio (Minor issue) [jessie] - libmatio (Minor issue, hard to backport) NOTE: https://github.com/tbeu/matio/issues/103 NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775 NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb CVE-2019-9034 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...) - libmatio 1.5.13-2 (low; bug #924185) [stretch] - libmatio (Minor issue) [jessie] - libmatio (Minor issue, hard to backport) NOTE: https://github.com/tbeu/matio/issues/103 NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775 NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb CVE-2019-9033 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...) - libmatio 1.5.13-2 (low; bug #924185) [stretch] - libmatio (Minor issue) [jessie] - libmatio (Minor issue, hard to backport) NOTE: https://github.com/tbeu/matio/issues/103 NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775 NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb CVE-2019-9032 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...) - libmatio 1.5.13-2 (low; bug #924185) [stretch] - libmatio (Minor issue) [jessie] - libmatio (Minor issue, hard to backport) NOTE: https://github.com/tbeu/matio/issues/103 NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775 NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb CVE-2019-9031 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...) - libmatio 1.5.13-2 (low; bug #924185) [stretch] - libmatio (Minor issue) [jessie] - libmatio (Minor issue, hard to backport) NOTE: https://github.com/tbeu/matio/issues/103 NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775 NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb CVE-2019-9030 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...) - libmatio 1.5.13-2 (low; bug #924185) [stretch] - libmatio (Minor issue) [jessie] - libmatio (Minor issue, hard to backport) NOTE: https://github.com/tbeu/matio/issues/103 NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775 NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb CVE-2019-9029 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...) - libmatio 1.5.13-2 (low; bug #924185) [stretch] - libmatio (Minor issue) [jessie] - libmatio (Minor issue, hard to backport) NOTE: https://github.com/tbeu/matio/issues/103 NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775 NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb CVE-2019-9028 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...) - libmatio 1.5.13-2 (low; bug #924185) [stretch] - libmatio (Minor issue) [jessie] - libmatio (Minor issue, hard to backport) NOTE: https://github.com/tbeu/matio/issues/103 NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775 NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb CVE-2019-9027 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...) - libmatio 1.5.13-2 (low; bug #924185) [stretch] - libmatio (Minor issue) [jessie] - libmatio (Minor issue, hard to backport) NOTE: https://github.com/tbeu/matio/issues/103 NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775 NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb CVE-2019-9026 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...) - libmatio 1.5.13-2 (low; bug #924185) [stretch] - libmatio (Minor issue) [jessie] - libmatio (Minor issue, hard to backport) NOTE: https://github.com/tbeu/matio/issues/103 NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775 NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb CVE-2018-20785 (Secure boot bypass and memory extraction can be achieved on Neato Botv ...) NOT-FOR-US: Neato CVE-2014-10079 (In Vembu StoreGrid 4.4.x, the front page of the server web interface l ...) NOT-FOR-US: Vembu StoreGrid CVE-2014-10078 (Vembu StoreGrid 4.4.x has XSS in interface/registercustomer/onlineregs ...) NOT-FOR-US: Vembu StoreGrid CVE-2019-9019 (The British Airways Entertainment System, as installed on Boeing 777-3 ...) NOT-FOR-US: British Airways Entertainment System CVE-2019-9025 (An issue was discovered in PHP 7.3.x before 7.3.1. An invalid multibyt ...) - php7.3 7.3.1-1 NOTE: Fixed in 7.3.1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77367 CVE-2019-9024 (An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x ...) {DSA-4398-1 DLA-1679-1} - php7.3 7.3.1-1 - php7.0 - php5 NOTE: Fixed in 5.6.40, 7.1.26, 7.2.14, 7.3.1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77380 NOTE: https://github.com/php/php-src/commit/4feb9e66ff9636ad44bc23a91b7ebd37d83ddf1d (7.1) CVE-2019-9023 (An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x ...) {DSA-4398-1 DLA-1679-1} - php7.3 7.3.1-1 - php7.0 - php5 NOTE: Fixed in 5.6.40, 7.1.26, 7.2.14, 7.3.1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77370 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77371 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77381 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77382 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77385 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77394 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77418 NOTE: https://github.com/php/php-src/commit/20407d06ca3cb5eeb10f876a812b40c381574bcc (7.1) NOTE: https://github.com/php/php-src/commit/31f59e1f3074ab344b473dde6077a6844ca87264 (7.1) NOTE: https://github.com/php/php-src/commit/28362ed4fae6969b5a8878591a5a06eadf114e03 (7.1) NOTE: https://github.com/php/php-src/commit/9d6c59eeea88a3e9d7039cb4fed5126ef704593a (7.1) CVE-2019-9022 (An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, ...) {DSA-4398-1 DLA-1741-1} - php7.3 7.3.2-1 - php7.0 - php5 NOTE: Fixed in 7.1.26, 7.2.14, 7.3.2 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77369 NOTE: https://github.com/php/php-src/commit/8d3dfabef459fe7815e8ea2fd68753fd17859d7b (7.1) CVE-2019-9021 (An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x ...) {DSA-4398-1 DLA-1679-1} - php7.3 7.3.1-1 - php7.0 - php5 NOTE: Fixed in 5.6.40, 7.1.26, 7.2.14, 7.3.1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77247 NOTE: https://github.com/php/php-src/commit/78bd3477745f1ada9578a79f61edb41886bec1cb (7.1) CVE-2019-9020 (An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x ...) {DSA-4398-1 DLA-1679-1} - php7.3 7.3.1-1 - php7.0 - php5 NOTE: Fixed in 5.6.40, 7.1.26, 7.2.14, 7.3.1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77242 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77249 NOTE: https://github.com/php/php-src/commit/9c62b95e5e6a1ac3922a8819f2d56d8ea998d97a (7.1) CVE-2019-9018 RESERVED CVE-2019-9017 (DWRCC in SolarWinds DameWare Mini Remote Control 10.0 x64 has a Buffer ...) NOT-FOR-US: SolarWinds CVE-2019-9016 (An XSS vulnerability was discovered in MOPCMS through 2018-11-30. Ther ...) NOT-FOR-US: MOPCMS CVE-2019-9015 (A Path Traversal vulnerability was discovered in MOPCMS through 2018-1 ...) NOT-FOR-US: MOPCMS CVE-2019-9014 RESERVED CVE-2019-9013 (An issue was discovered in 3S-Smart CODESYS V3 products. The applicati ...) NOT-FOR-US: 3S-Smart CODESYS V3 CVE-2019-9012 (An issue was discovered in 3S-Smart CODESYS V3 products. A crafted com ...) NOT-FOR-US: 3S-Smart CODESYS V3 CVE-2019-9011 RESERVED CVE-2019-9010 (An issue was discovered in 3S-Smart CODESYS V3 products. The CODESYS G ...) NOT-FOR-US: 3S-Smart CODESYS V3 CVE-2019-9009 (An issue was discovered in 3S-Smart CODESYS before 3.5.15.0 . Crafted ...) NOT-FOR-US: 3S-Smart CVE-2019-9008 (An issue was discovered in 3S-Smart CODESYS V3 through 3.5.12.30. A us ...) NOT-FOR-US: 3S-Smart CVE-2019-9007 RESERVED CVE-2019-9006 RESERVED CVE-2019-9005 (The Cprime Power Scripts app before 4.0.14 for Atlassian Jira allows D ...) NOT-FOR-US: Cprime Power Scripts app for Atlassian Jira CVE-2019-9004 (In Eclipse Wakaama (formerly liblwm2m) 1.0, core/er-coap-13/er-coap-13 ...) NOT-FOR-US: Eclipse Wakaama CVE-2019-9003 (In the Linux kernel before 4.20.5, attackers can trigger a drivers/cha ...) - linux 4.19.20-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/77f8269606bf95fcb232ee86f6da80886f1dfae8 CVE-2019-9002 (An issue was discovered in Tiny Issue 1.3.1 and pixeline Bugs through ...) NOT-FOR-US: Tiny Issue CVE-2019-9001 RESERVED CVE-2019-9000 RESERVED CVE-2019-8999 (An XML External Entity vulnerability in the UEM Core of BlackBerry UEM ...) NOT-FOR-US: BlackBerry CVE-2019-8998 (An information disclosure vulnerability leading to a potential local e ...) NOT-FOR-US: BlackBerry QNX Software Development Platform CVE-2019-8997 (An XML External Entity Injection (XXE) vulnerability in the Management ...) NOT-FOR-US: BlackBerry CVE-2019-8996 (In Signiant Manager+Agents before 13.5, the implementation of the set ...) NOT-FOR-US: Signiant CVE-2019-8995 (The workspace client, openspace client, and app development client of ...) NOT-FOR-US: TIBCO CVE-2019-8994 (The workspace client of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, ...) NOT-FOR-US: TIBCO CVE-2019-8993 (The administrative web server component of TIBCO Software Inc.'s TIBCO ...) NOT-FOR-US: TIBCO CVE-2019-8992 (The administrative server component of TIBCO Software Inc.'s TIBCO Act ...) NOT-FOR-US: TIBCO CVE-2019-8991 (The administrator web interface of TIBCO Software Inc.'s TIBCO ActiveM ...) NOT-FOR-US: TIBCO CVE-2019-8990 (The HTTP Connector component of TIBCO Software Inc.'s TIBCO ActiveMatr ...) NOT-FOR-US: TIBCO CVE-2019-8989 (The application server component of TIBCO Software Inc.'s TIBCO Data S ...) NOT-FOR-US: TIBCO CVE-2019-8988 (The application server component of TIBCO Software Inc.'s TIBCO Data S ...) NOT-FOR-US: TIBCO CVE-2019-8987 (The application server component of TIBCO Software Inc.'s TIBCO Data S ...) NOT-FOR-US: TIBCO CVE-2019-8986 (The SOAP API component vulnerability of TIBCO Software Inc.'s TIBCO Ja ...) NOT-FOR-US: TIBCO CVE-2019-8985 (On Netis WF2411 with firmware 2.1.36123 and other Netis WF2xxx devices ...) NOT-FOR-US: Netis devices CVE-2019-8984 (MDaemon Webmail 14.x through 18.x before 18.5.2 has XSS (issue 2 of 2) ...) NOT-FOR-US: MDaemon Webmail CVE-2019-8983 (MDaemon Webmail 14.x through 18.x before 18.5.2 has XSS (issue 1 of 2) ...) NOT-FOR-US: MDaemon Webmail CVE-2019-8982 (com/wavemaker/studio/StudioService.java in WaveMaker Studio 6.6 mishan ...) NOT-FOR-US: WaveMaker Studio CVE-2019-8981 (tls1.c in Cameron Hamilton-Rich axTLS before 2.1.5 has a Buffer Overfl ...) - axtls (Fixed with initial upload to Debian) CVE-2018-20784 (In the Linux kernel before 4.20.2, kernel/sched/fair.c mishandles leaf ...) - linux 4.19.16-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/c40f7d74c741a907cfaeb73a7697081881c497d0 CVE-2018-20783 (In PHP before 5.6.39, 7.x before 7.0.33, 7.1.x before 7.1.25, and 7.2. ...) {DSA-4353-1 DLA-1608-1} - php7.3 7.3.0-1 - php7.0 - php5 NOTE: Fixed in 5.6.39, 7.0.33, 7.1.25, 7.2.13 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77143 CVE-2018-1002161 [SQL injection in multiple remote calls] - koji 1.16.2-1 (bug #922922) [stretch] - koji 1.10.0-1+deb9u1 NOTE: https://docs.pagure.org/koji/CVE-2018-1002161/ NOTE: https://pagure.io/koji/issue/1183 CVE-2019-8980 (A memory leak in the kernel_read_file function in fs/exec.c in the Lin ...) {DLA-1771-1} - linux 4.19.28-1 [stretch] - linux 4.9.168-1 [jessie] - linux (Vulnerable code not present) NOTE: https://lore.kernel.org/lkml/20190219021038.11340-1-yuehaibing@huawei.com/ NOTE: https://lore.kernel.org/lkml/20190219022512.GW2217@ZenIV.linux.org.uk/ CVE-2019-8979 (Kohana through 3.3.6 has SQL Injection when the order_by() parameter c ...) - libkohana2-php [jessie] - libkohana2-php (orderby function properly checks for allowed values) NOTE: https://github.com/huzr2018/orderby_SQLi/tree/master/kohana NOTE: https://github.com/koseven/koseven/issues/323 CVE-2019-8978 (An improper authentication vulnerability can be exploited through a ra ...) NOT-FOR-US: Ellucian Banner Web Tailor CVE-2019-8977 RESERVED CVE-2019-8976 RESERVED CVE-2019-8975 RESERVED CVE-2019-8974 RESERVED CVE-2019-8973 RESERVED CVE-2019-8972 RESERVED CVE-2019-8971 RESERVED CVE-2019-8970 RESERVED CVE-2019-8969 RESERVED CVE-2019-8968 RESERVED CVE-2019-8967 RESERVED CVE-2019-8966 RESERVED CVE-2019-8965 RESERVED CVE-2019-8964 RESERVED CVE-2019-8963 RESERVED CVE-2019-8962 RESERVED CVE-2019-8961 (A Denial of Service vulnerability related to stack exhaustion has been ...) NOT-FOR-US: FlexNet Publisher CVE-2019-8960 (A Denial of Service vulnerability related to command handling has been ...) NOT-FOR-US: FlexNet Publisher CVE-2019-8959 RESERVED CVE-2019-8958 RESERVED CVE-2019-8957 RESERVED CVE-2019-8956 (In the Linux Kernel before versions 4.20.8 and 4.19.21 a use-after-fre ...) - linux 4.19.28-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/ba59fb0273076637f0add4311faa990a5eec27c0 CVE-2019-1000049 REJECTED CVE-2019-1000048 REJECTED CVE-2019-1000047 REJECTED CVE-2019-1000041 REJECTED CVE-2019-1000030 REJECTED CVE-2019-8955 (In Tor before 0.3.3.12, 0.3.4.x before 0.3.4.11, 0.3.5.x before 0.3.5. ...) - tor 0.3.5.8-1 [stretch] - tor (Only affects 0.3.2.1 and later) [jessie] - tor (Only affects 0.3.2.1 and later) NOTE: https://blog.torproject.org/new-releases-tor-0402-alpha-0358-03411-and-03312 NOTE: https://trac.torproject.org/projects/tor/ticket/29168 CVE-2019-8954 (In Indexhibit 2.1.5, remote attackers can execute arbitrary code via t ...) NOT-FOR-US: Indexhibit CVE-2019-8953 (The HAProxy package before 0.59_16 for pfSense has XSS via the desc (a ...) NOT-FOR-US: HAProxy package for pfSense CVE-2019-8952 (A Path Traversal vulnerability located in the webserver affects severa ...) NOT-FOR-US: Bosch CVE-2019-8951 (An Open Redirect vulnerability located in the webserver affects severa ...) NOT-FOR-US: Bosch CVE-2019-1003028 (A server-side request forgery vulnerability exists in Jenkins JMS Mess ...) NOT-FOR-US: Jenkins CVE-2019-1003027 (A server-side request forgery vulnerability exists in Jenkins OctopusD ...) NOT-FOR-US: Jenkins CVE-2019-1003026 (A server-side request forgery vulnerability exists in Jenkins Mattermo ...) NOT-FOR-US: Jenkins CVE-2019-1003025 (A exposure of sensitive information vulnerability exists in Jenkins Cl ...) NOT-FOR-US: Jenkins CVE-2019-1003024 (A sandbox bypass vulnerability exists in Jenkins Script Security Plugi ...) NOT-FOR-US: Jenkins CVE-2019-8950 (The backdoor account dnsekakf2$$ in /bin/login on DASAN H665 devices w ...) NOT-FOR-US: DASAN CVE-2019-8949 RESERVED CVE-2019-8948 (PaperCut MF before 18.3.6 and PaperCut NG before 18.3.6 allow script i ...) NOT-FOR-US: PaperCut MF CVE-2019-8947 (Zimbra Collaboration 8.7.x - 8.8.11P2 contains non-persistent XSS. ...) NOT-FOR-US: Zimbra Collaboration CVE-2019-8946 (Zimbra Collaboration 8.7.x - 8.8.11P2 contains persistent XSS. ...) NOT-FOR-US: Zimbra Collaboration CVE-2019-8945 (Zimbra Collaboration 8.7.x - 8.8.11P2 contains persistent XSS. ...) NOT-FOR-US: Zimbra Collaboration CVE-2019-8944 (An Information Exposure issue in the Terraform deployment step in Octo ...) NOT-FOR-US: Terraform CVE-2019-8943 (WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An a ...) - wordpress (bug #923583) [jessie] - wordpress (requires privileged account, not directly exploitable as CVE-2019-8942 is fixed, no official patch) NOTE: https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/ NOTE: This CVE is explicitly for the mentioned Path Traversal in wp_crop_image(). NOTE: Patching CVE-2019-8942 makes CVE-2019-8943 (RCE) not directly exploitable NOTE: RCE would now require a vulnerable plugin, and a crop-resistant PHP webshell embedded in an image (preserved EXIF data, PNG IDAT reverse deflate...) NOTE: https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/#path-traversal-via-modified-post-meta NOTE: https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/#exploiting-the-path-traversal-lfi-in-theme-directory CVE-2019-8942 (WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code executi ...) {DSA-4401-1 DLA-1742-1} - wordpress 5.0.1+dfsg1-1 NOTE: https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/ NOTE: Issue fixed in 4.9.9 and 5.0.1 upstream CVE-2019-8941 RESERVED CVE-2019-8940 RESERVED CVE-2019-8939 (data/interfaces/default/history.html in Tautulli 2.1.26 has XSS via a ...) NOT-FOR-US: Tautulli CVE-2019-8938 (VertrigoServ 2.17 allows XSS via the /inc/extensions.php ext parameter ...) NOT-FOR-US: VertrigoServ CVE-2019-8937 (HotelDruid 2.3.0 has XSS affecting the nsextt, cambia1, mese_fine, ori ...) - hoteldruid 2.3.2-1 (bug #929136) [stretch] - hoteldruid (Minor issue) [jessie] - hoteldruid (Minor issue) NOTE: https://www.exploit-db.com/exploits/46429/ CVE-2019-8936 (NTP through 4.2.8p12 has a NULL Pointer Dereference. ...) [experimental] - ntp 1:4.2.8p13+dfsg-1 - ntp 1:4.2.8p12+dfsg-4 (bug #924228) [stretch] - ntp (Introduced with the fix for CVE-2018-7182, not backported to stretch) [jessie] - ntp (Introduced with the fix for CVE-2018-7182, not backported to jessie) NOTE: http://bugs.ntp.org/show_bug.cgi?id=3565 NOTE: http://bk.ntp.org/ntp-stable/ntpd/ntp_control.c?PAGE=diffs&REV=5c8106e7wWtXdh0lzg1ytlWribBTcQ NOTE: Relates/corresponds to https://gitlab.com/NTPsec/ntpsec/issues/509 for ntpsec NOTE: which has a separate CVE id CVE-2019-6445 specifically for src:ntpsec CVE-2019-8934 (hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure becau ...) - qemu 1:4.1-1 (low; bug #922923) [buster] - qemu (Too intrusive to backport, marginal impact) [stretch] - qemu (Too intrusive to backport, marginal impact) [jessie] - qemu (Too intrusive to backport, marginal impact, ppc not supported in jessie-lts) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-02/msg04821.html CVE-2019-8933 (In DedeCMS 5.7SP2, attackers can upload a .php file to the uploads/ di ...) NOT-FOR-US: DedeCMS CVE-2019-8935 (Collabtive 3.1 allows XSS via the manageuser.php?action=profile id par ...) - collabtive [jessie] - collabtive (Minor issue) CVE-2019-8932 (Redbrick Shift through 3.4.3 allows an attacker to extract authenticat ...) NOT-FOR-US: Redbrick Shift CVE-2019-8931 (Redbrick Shift through 3.4.3 allows an attacker to extract emails of s ...) NOT-FOR-US: Redbrick Shift CVE-2019-8930 RESERVED CVE-2019-8929 (An issue was discovered in Zoho ManageEngine Netflow Analyzer Professi ...) NOT-FOR-US: Zoho ManageEngine Netflow Analyzer Professional CVE-2019-8928 (An issue was discovered in Zoho ManageEngine Netflow Analyzer Professi ...) NOT-FOR-US: Zoho ManageEngine Netflow Analyzer Professional CVE-2019-8927 (An issue was discovered in Zoho ManageEngine Netflow Analyzer Professi ...) NOT-FOR-US: Zoho ManageEngine Netflow Analyzer Professional CVE-2019-8926 (An issue was discovered in Zoho ManageEngine Netflow Analyzer Professi ...) NOT-FOR-US: Zoho ManageEngine Netflow Analyzer Professional CVE-2019-8925 (An issue was discovered in Zoho ManageEngine Netflow Analyzer Professi ...) NOT-FOR-US: Zoho ManageEngine Netflow Analyzer Professional CVE-2019-8924 (XAMPP through 5.6.8 allows XSS via the cds-fpdf.php interpret or titel ...) NOT-FOR-US: XAMPP CVE-2019-8923 (XAMPP through 5.6.8 and previous allows SQL injection via the cds-fpdf ...) NOT-FOR-US: XAMPP CVE-2019-8922 RESERVED CVE-2019-8921 RESERVED CVE-2019-8920 (iart.php in XAMPP 1.7.0 has XSS, a related issue to CVE-2008-3569. ...) NOT-FOR-US: XAMPP CVE-2019-8919 (The seadroid (aka Seafile Android Client) application through 2.2.13 f ...) NOT-FOR-US: Seafile Android Client CVE-2019-8918 RESERVED CVE-2019-8917 (SolarWinds Orion NPM before 12.4 suffers from a SYSTEM remote code exe ...) NOT-FOR-US: SolarWinds Orion NPM CVE-2019-8916 RESERVED CVE-2019-8915 RESERVED CVE-2019-8914 RESERVED CVE-2019-8913 RESERVED CVE-2019-8912 (In the Linux kernel through 4.20.11, af_alg_release() in crypto/af_alg ...) - linux 4.19.28-1 [stretch] - linux (Vulnerable code introduced later) [jessie] - linux (Vulnerable code introduced later) CVE-2019-8911 (An issue was discovered in WTCMS 1.0. It has stored XSS via the third ...) NOT-FOR-US: WTCMS CVE-2019-8910 (An issue was discovered in WTCMS 1.0. It allows index.php?g=admin& ...) NOT-FOR-US: WTCMS CVE-2019-8909 (An issue was discovered in WTCMS 1.0. It allows remote attackers to ca ...) NOT-FOR-US: WTCMS CVE-2019-8908 (An issue was discovered in WTCMS 1.0. It allows remote attackers to ex ...) NOT-FOR-US: WTCMS CVE-2019-8907 (do_core_note in readelf.c in libmagic.a in file 5.35 allows remote att ...) {DLA-1698-1} - file 1:5.35-3 (bug #922968) [stretch] - file (Minor issue; will be fixed in point release) NOTE: https://bugs.astron.com/view.php?id=65 NOTE: https://github.com/file/file/commit/d65781527c8134a1202b2649695d48d5701ac60b CVE-2019-8906 (do_core_note in readelf.c in libmagic.a in file 5.35 has an out-of-bou ...) - file 1:5.35-3 (bug #922969) [stretch] - file (vulnerable code introduced later) [jessie] - file (vulnerable code introduced later) NOTE: https://bugs.astron.com/view.php?id=64 NOTE: Introduced by: https://github.com/file/file/commit/0ac0678c52e248fd2a632a84b638694f205aef9d (FILE5_31) NOTE: Fixed by: https://github.com/file/file/commit/2858eaf99f6cc5aae129bcbf1e24ad160240185f (FILE5_36) CVE-2019-8905 (do_core_note in readelf.c in libmagic.a in file 5.35 has a stack-based ...) {DLA-1698-1} - file 1:5.35-3 (bug #922968) [stretch] - file (Minor issue; will be fixed in point release) NOTE: https://bugs.astron.com/view.php?id=63 NOTE: https://github.com/file/file/commit/d65781527c8134a1202b2649695d48d5701ac60b CVE-2019-8904 (do_bid_note in readelf.c in libmagic.a in file 5.35 has a stack-based ...) - file 1:5.35-3 (bug #922967) [stretch] - file (vulnerable code introduced later) [jessie] - file (vulnerable code introduced later) NOTE: https://bugs.astron.com/view.php?id=62 NOTE: Introduced by: https://github.com/file/file/commit/76c55eae2f9b0b378332762f6dce544d05eb24d7 (FILE5_34) NOTE: Fixed by: https://github.com/file/file/commit/94b7501f48e134e77716e7ebefc73d6bbe72ba55 (FILE5_36) CVE-2019-8903 (index.js in Total.js Platform before 3.2.3 allows path traversal. ...) NOT-FOR-US: Total.js Platform CVE-2019-8902 (An issue was discovered in idreamsoft iCMS through 7.0.14. A CSRF vuln ...) NOT-FOR-US: idreamsoft iCMS CVE-2019-8901 RESERVED CVE-2019-8900 RESERVED CVE-2019-8899 RESERVED CVE-2019-8898 RESERVED CVE-2019-8897 RESERVED CVE-2019-8896 RESERVED CVE-2019-8895 RESERVED CVE-2019-8894 RESERVED CVE-2019-8893 RESERVED CVE-2019-8892 RESERVED CVE-2019-8891 RESERVED CVE-2019-8890 RESERVED CVE-2019-8889 RESERVED CVE-2019-8888 RESERVED CVE-2019-8887 RESERVED CVE-2019-8886 RESERVED CVE-2019-8885 RESERVED CVE-2019-8884 RESERVED CVE-2019-8883 RESERVED CVE-2019-8882 RESERVED CVE-2019-8881 RESERVED CVE-2019-8880 RESERVED CVE-2019-8879 RESERVED CVE-2019-8878 RESERVED CVE-2019-8877 RESERVED CVE-2019-8876 RESERVED CVE-2019-8875 RESERVED CVE-2019-8874 RESERVED CVE-2019-8873 RESERVED CVE-2019-8872 RESERVED CVE-2019-8871 RESERVED CVE-2019-8870 RESERVED CVE-2019-8869 RESERVED CVE-2019-8868 RESERVED CVE-2019-8867 RESERVED CVE-2019-8866 RESERVED CVE-2019-8865 RESERVED CVE-2019-8864 RESERVED CVE-2019-8863 RESERVED CVE-2019-8862 RESERVED CVE-2019-8861 RESERVED CVE-2019-8860 RESERVED CVE-2019-8859 RESERVED CVE-2019-8858 RESERVED CVE-2019-8857 RESERVED CVE-2019-8856 RESERVED CVE-2019-8855 RESERVED CVE-2019-8854 RESERVED CVE-2019-8853 RESERVED CVE-2019-8852 RESERVED CVE-2019-8851 RESERVED CVE-2019-8850 RESERVED CVE-2019-8849 (The issue was addressed by signaling that an executable stack is not r ...) NOT-FOR-US: Apple CVE-2019-8848 RESERVED CVE-2019-8847 RESERVED CVE-2019-8846 RESERVED {DSA-4610-1} - webkit2gtk 2.26.3-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2020-0001.html CVE-2019-8845 RESERVED CVE-2019-8844 RESERVED {DSA-4610-1} - webkit2gtk 2.26.3-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2020-0001.html CVE-2019-8843 RESERVED CVE-2019-8842 [he `ippReadIO` function may under-read an extension field] RESERVED {DLA-2237-1} - cups 2.3.1-12 [buster] - cups 2.2.10-6+deb10u3 [stretch] - cups (Minor issue) NOTE: https://github.com/apple/cups/commit/82e3ee0e3230287b76a76fb8f16b92ca6e50b444 (cups/ipp.c: ippReadIO) CVE-2019-8841 RESERVED CVE-2019-8840 RESERVED CVE-2019-8839 RESERVED CVE-2019-8838 RESERVED CVE-2019-8837 RESERVED CVE-2019-8836 RESERVED CVE-2019-8835 RESERVED {DSA-4610-1} - webkit2gtk 2.26.3-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2020-0001.html CVE-2019-8834 RESERVED CVE-2019-8833 RESERVED CVE-2019-8832 RESERVED CVE-2019-8831 RESERVED CVE-2019-8830 RESERVED CVE-2019-8829 RESERVED CVE-2019-8828 RESERVED CVE-2019-8827 RESERVED CVE-2019-8826 RESERVED CVE-2019-8825 RESERVED CVE-2019-8824 RESERVED CVE-2019-8823 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4558-1} - webkit2gtk 2.26.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0006.html CVE-2019-8822 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4515-1} - webkit2gtk 2.24.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0006.html CVE-2019-8821 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4515-1} - webkit2gtk 2.24.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0006.html CVE-2019-8820 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4558-1} - webkit2gtk 2.26.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0006.html CVE-2019-8819 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4558-1} - webkit2gtk 2.26.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0006.html CVE-2019-8818 RESERVED CVE-2019-8817 (A validation issue was addressed with improved input sanitization. Thi ...) NOT-FOR-US: Apple CVE-2019-8816 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4558-1} - webkit2gtk 2.26.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0006.html CVE-2019-8815 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4558-1} - webkit2gtk 2.26.0-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0006.html CVE-2019-8814 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4563-1} - webkit2gtk 2.26.2-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0006.html CVE-2019-8813 (A logic issue was addressed with improved state management. This issue ...) {DSA-4558-1} - webkit2gtk 2.26.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0006.html CVE-2019-8812 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4563-1} - webkit2gtk 2.26.2-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0006.html CVE-2019-8811 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4558-1} - webkit2gtk 2.26.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0006.html CVE-2019-8810 RESERVED CVE-2019-8809 RESERVED CVE-2019-8808 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4558-1} - webkit2gtk 2.26.0-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0006.html CVE-2019-8807 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2019-8806 (A memory corruption issue was addressed with improved validation. This ...) NOT-FOR-US: Apple CVE-2019-8805 (A validation issue existed in the entitlement verification. This issue ...) NOT-FOR-US: Apple CVE-2019-8804 (An inconsistency in Wi-Fi network configuration settings was addressed ...) NOT-FOR-US: Apple CVE-2019-8803 (An authentication issue was addressed with improved state management. ...) NOT-FOR-US: Apple CVE-2019-8802 (A validation issue was addressed with improved logic. This issue is fi ...) NOT-FOR-US: Apple CVE-2019-8801 (A dynamic library loading issue existed in iTunes setup. This was addr ...) NOT-FOR-US: Apple CVE-2019-8800 (A memory corruption issue was addressed with improved validation. This ...) NOT-FOR-US: Apple CVE-2019-8799 RESERVED CVE-2019-8798 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2019-8797 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2019-8796 RESERVED CVE-2019-8795 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2019-8794 (A validation issue was addressed with improved input sanitization. Thi ...) NOT-FOR-US: Apple CVE-2019-8793 (A consistency issue existed in deciding when to show the screen record ...) NOT-FOR-US: Apple CVE-2019-8792 (An injection issue was addressed with improved validation. This issue ...) NOT-FOR-US: Shazam Android App CVE-2019-8791 (An issue existed in the parsing of URL schemes. This issue was address ...) NOT-FOR-US: Shazam Android App CVE-2019-8790 RESERVED CVE-2019-8789 (A validation issue existed in the handling of symlinks. This issue was ...) NOT-FOR-US: Apple CVE-2019-8788 (An issue existed in the parsing of URLs. This issue was addressed with ...) NOT-FOR-US: Apple CVE-2019-8787 (An out-of-bounds read was addressed with improved input validation. Th ...) NOT-FOR-US: Apple CVE-2019-8786 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2019-8785 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2019-8784 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2019-8783 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4558-1} - webkit2gtk 2.26.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0006.html CVE-2019-8782 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4558-1} - webkit2gtk 2.26.0-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0006.html CVE-2019-8781 (A memory corruption issue was addressed with improved state management ...) NOT-FOR-US: Apple CVE-2019-8780 RESERVED CVE-2019-8779 (A logic issue applied the incorrect restrictions. This issue was addre ...) NOT-FOR-US: Apple CVE-2019-8778 RESERVED CVE-2019-8777 RESERVED CVE-2019-8776 RESERVED CVE-2019-8775 (The issue was addressed by restricting options offered on a locked dev ...) NOT-FOR-US: Apple CVE-2019-8774 RESERVED CVE-2019-8773 RESERVED CVE-2019-8772 (An issue existed in the handling of links in encrypted PDFs. This issu ...) NOT-FOR-US: Apple CVE-2019-8771 RESERVED {DSA-4558-1} - webkit2gtk 2.26.0-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0005.html CVE-2019-8770 (The issue was addressed with improved permissions logic. This issue is ...) NOT-FOR-US: Apple CVE-2019-8769 (An issue existed in the drawing of web page elements. The issue was ad ...) {DSA-4558-1} - webkit2gtk 2.26.0-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0005.html CVE-2019-8768 ("Clear History and Website Data" did not clear the history. The issue ...) - webkit2gtk 2.24.0-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0005.html CVE-2019-8767 RESERVED CVE-2019-8766 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4558-1} - webkit2gtk 2.26.0-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0006.html CVE-2019-8765 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4515-1} - webkit2gtk 2.24.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0006.html CVE-2019-8764 (A logic issue was addressed with improved state management. This issue ...) {DSA-4558-1} - webkit2gtk 2.26.0-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0006.html CVE-2019-8763 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4515-1} - webkit2gtk 2.24.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0005.html CVE-2019-8762 RESERVED CVE-2019-8761 RESERVED CVE-2019-8760 (This issue was addressed by improving Face ID machine learning models. ...) NOT-FOR-US: Apple CVE-2019-8759 RESERVED CVE-2019-8758 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2019-8757 (A race condition existed when reading and writing user preferences. Th ...) NOT-FOR-US: Apple CVE-2019-8756 RESERVED CVE-2019-8755 (A logic issue was addressed with improved restrictions. This issue is ...) NOT-FOR-US: Apple CVE-2019-8754 RESERVED CVE-2019-8753 RESERVED CVE-2019-8752 RESERVED CVE-2019-8751 RESERVED CVE-2019-8750 (Multiple memory corruption issues were addressed with improved input v ...) NOT-FOR-US: Apple CVE-2019-8749 RESERVED CVE-2019-8748 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2019-8747 (A memory corruption vulnerability was addressed with improved locking. ...) NOT-FOR-US: Apple CVE-2019-8746 RESERVED CVE-2019-8745 (A buffer overflow was addressed with improved bounds checking. This is ...) NOT-FOR-US: Apple CVE-2019-8744 RESERVED CVE-2019-8743 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4558-1} - webkit2gtk 2.26.0-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0006.html CVE-2019-8742 (The issue was addressed by restricting options offered on a locked dev ...) NOT-FOR-US: Apple CVE-2019-8741 (A denial of service issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2019-8740 RESERVED CVE-2019-8739 (A memory corruption issue was addressed with improved state management ...) NOT-FOR-US: Apple CVE-2019-8738 (A memory corruption issue was addressed with improved state management ...) NOT-FOR-US: Apple CVE-2019-8737 RESERVED CVE-2019-8736 RESERVED CVE-2019-8735 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.24.2-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0005.html CVE-2019-8734 RESERVED CVE-2019-8733 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4515-1} - webkit2gtk 2.24.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0005.html CVE-2019-8732 RESERVED CVE-2019-8731 (A permissions issue existed in which execute permission was incorrectl ...) NOT-FOR-US: Apple CVE-2019-8730 (The contents of locked notes sometimes appeared in search results. Thi ...) NOT-FOR-US: Apple CVE-2019-8729 RESERVED CVE-2019-8728 RESERVED CVE-2019-8727 (A logic issue was addressed with improved state management. This issue ...) NOT-FOR-US: Apple CVE-2019-8726 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.24.3-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0005.html CVE-2019-8725 (The issue was addressed with improved handling of service worker lifet ...) NOT-FOR-US: Apple CVE-2019-8724 (Multiple issues in ld64 in the Xcode toolchains were addressed by upda ...) NOT-FOR-US: Apple CVE-2019-8723 (Multiple issues in ld64 in the Xcode toolchains were addressed by upda ...) NOT-FOR-US: Apple CVE-2019-8722 (Multiple issues in ld64 in the Xcode toolchains were addressed by upda ...) NOT-FOR-US: Apple CVE-2019-8721 (Multiple issues in ld64 in the Xcode toolchains were addressed by upda ...) NOT-FOR-US: Apple CVE-2019-8720 RESERVED {DSA-4558-1} - webkit2gtk 2.26.0-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0005.html CVE-2019-8719 (A logic issue was addressed with improved state management. This issue ...) {DSA-4515-1} - webkit2gtk 2.24.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0005.html CVE-2019-8718 RESERVED CVE-2019-8717 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2019-8716 RESERVED CVE-2019-8715 RESERVED CVE-2019-8714 RESERVED CVE-2019-8713 RESERVED CVE-2019-8712 RESERVED CVE-2019-8711 (A logic issue existed with the display of notification previews. This ...) NOT-FOR-US: Apple CVE-2019-8710 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4558-1} - webkit2gtk 2.26.0-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0006.html CVE-2019-8709 RESERVED CVE-2019-8708 RESERVED CVE-2019-8707 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4515-1} - webkit2gtk 2.24.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0005.html CVE-2019-8706 RESERVED CVE-2019-8705 (A memory corruption issue was addressed with improved validation. This ...) NOT-FOR-US: Apple CVE-2019-8704 (An authentication issue was addressed with improved state management. ...) NOT-FOR-US: Apple CVE-2019-8703 RESERVED CVE-2019-8702 RESERVED CVE-2019-8701 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2019-8700 RESERVED CVE-2019-8699 (A logic issue existed in the handling of answering phone calls. The is ...) NOT-FOR-US: Apple CVE-2019-8698 (A validation issue existed in the entitlement verification. This issue ...) NOT-FOR-US: Apple CVE-2019-8697 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2019-8696 [stack-buffer-overflow in libcups's asn1_get_packed function] RESERVED {DLA-1893-1} - cups 2.2.12-1 (bug #934957) [buster] - cups 2.2.10-6+deb10u1 [stretch] - cups 2.2.1-8+deb9u4 NOTE: https://github.com/apple/cups/commit/f24e6cf6a39300ad0c3726a41a4aab51ad54c109 CVE-2019-8695 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2019-8694 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2019-8693 (A validation issue was addressed with improved input sanitization. Thi ...) NOT-FOR-US: Apple CVE-2019-8692 (A validation issue was addressed with improved input sanitization. Thi ...) NOT-FOR-US: Apple CVE-2019-8691 (A validation issue was addressed with improved input sanitization. Thi ...) NOT-FOR-US: Apple CVE-2019-8690 (A logic issue existed in the handling of document loads. This issue wa ...) {DSA-4515-1} - webkit2gtk 2.24.3-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0004.html CVE-2019-8689 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4515-1} - webkit2gtk 2.24.3-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0004.html CVE-2019-8688 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4515-1} - webkit2gtk 2.24.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0004.html CVE-2019-8687 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4515-1} - webkit2gtk 2.24.3-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0004.html CVE-2019-8686 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4515-1} - webkit2gtk 2.24.2-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0004.html CVE-2019-8685 (Multiple memory corruption issues were addressed with improved memory ...) NOT-FOR-US: Apple CVE-2019-8684 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4515-1} - webkit2gtk 2.24.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0004.html CVE-2019-8683 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4515-1} - webkit2gtk 2.24.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0004.html CVE-2019-8682 (The issue was addressed with improved UI handling. This issue is fixed ...) NOT-FOR-US: Apple CVE-2019-8681 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4515-1} - webkit2gtk 2.24.3-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0004.html CVE-2019-8680 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4515-1} - webkit2gtk 2.24.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0004.html CVE-2019-8679 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4515-1} - webkit2gtk 2.24.2-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0004.html CVE-2019-8678 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4515-1} - webkit2gtk 2.24.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0004.html CVE-2019-8677 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4515-1} - webkit2gtk 2.24.2-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0004.html CVE-2019-8676 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4515-1} - webkit2gtk 2.24.3-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0004.html CVE-2019-8675 [stack-buffer-overflow in libcups's asn1_get_type function] RESERVED {DLA-1893-1} - cups 2.2.12-1 (bug #934957) [buster] - cups 2.2.10-6+deb10u1 [stretch] - cups 2.2.1-8+deb9u4 NOTE: https://github.com/apple/cups/commit/f24e6cf6a39300ad0c3726a41a4aab51ad54c109 CVE-2019-8674 (A logic issue was addressed with improved state management. This issue ...) {DSA-4515-1} - webkit2gtk 2.24.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0005.html CVE-2019-8673 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4515-1} - webkit2gtk 2.24.3-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0004.html CVE-2019-8672 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4515-1} - webkit2gtk 2.24.2-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0004.html CVE-2019-8671 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4515-1} - webkit2gtk 2.24.2-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0004.html CVE-2019-8670 (An inconsistent user interface issue was addressed with improved state ...) NOT-FOR-US: Apple CVE-2019-8669 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4515-1} - webkit2gtk 2.24.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0004.html CVE-2019-8668 RESERVED CVE-2019-8667 (An inconsistent user interface issue was addressed with improved state ...) NOT-FOR-US: Apple CVE-2019-8666 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4515-1} - webkit2gtk 2.24.3-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0004.html CVE-2019-8665 (A denial of service issue was addressed with improved validation. This ...) NOT-FOR-US: Apple CVE-2019-8664 RESERVED CVE-2019-8663 (This issue was addressed with improved checks. This issue is fixed in ...) NOT-FOR-US: Apple CVE-2019-8662 (This issue was addressed with improved checks. This issue is fixed in ...) NOT-FOR-US: Apple CVE-2019-8661 (A use after free issue was addressed with improved memory management. ...) NOT-FOR-US: Apple CVE-2019-8660 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2019-8659 (This issue was addressed with improved checks. This issue is fixed in ...) NOT-FOR-US: Apple CVE-2019-8658 (A logic issue was addressed with improved state management. This issue ...) {DSA-4515-1} - webkit2gtk 2.24.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0004.html CVE-2019-8657 (An out-of-bounds read was addressed with improved input validation. Th ...) NOT-FOR-US: Apple CVE-2019-8656 RESERVED CVE-2019-8655 RESERVED CVE-2019-8654 (An inconsistent user interface issue was addressed with improved state ...) NOT-FOR-US: Apple CVE-2019-8653 RESERVED CVE-2019-8652 RESERVED CVE-2019-8651 RESERVED CVE-2019-8650 RESERVED CVE-2019-8649 (A logic issue existed in the handling of synchronous page loads. This ...) {DSA-4515-1} - webkit2gtk 2.24.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0004.html CVE-2019-8648 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2019-8647 (A use after free issue was addressed with improved memory management. ...) NOT-FOR-US: Apple CVE-2019-8646 (An out-of-bounds read was addressed with improved input validation. Th ...) NOT-FOR-US: Apple CVE-2019-8645 RESERVED CVE-2019-8644 (Multiple memory corruption issues were addressed with improved memory ...) {DSA-4515-1} - webkit2gtk 2.24.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0004.html CVE-2019-8643 RESERVED CVE-2019-8642 RESERVED CVE-2019-8641 (An out-of-bounds read was addressed with improved input validation. ...) NOT-FOR-US: Apple CVE-2019-8640 RESERVED CVE-2019-8639 RESERVED CVE-2019-8638 RESERVED CVE-2019-8637 (An input validation issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2019-8636 RESERVED CVE-2019-8635 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2019-8634 (An authentication issue was addressed with improved state management. ...) NOT-FOR-US: Apple CVE-2019-8633 RESERVED CVE-2019-8632 (Some analytics data was sent using HTTP rather than HTTPS. This was ad ...) NOT-FOR-US: Apple CVE-2019-8631 RESERVED CVE-2019-8630 (The issue was addressed with improved UI handling. This issue is fixed ...) NOT-FOR-US: Apple CVE-2019-8629 (A memory initialization issue was addressed with improved memory handl ...) NOT-FOR-US: Apple CVE-2019-8628 (Multiple memory corruption issues were addressed with improved memory ...) NOT-FOR-US: Apple CVE-2019-8627 RESERVED CVE-2019-8626 (An input validation issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2019-8625 (A logic issue was addressed with improved state management. This issue ...) {DSA-4558-1} - webkit2gtk 2.26.0-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0005.html CVE-2019-8624 (An out-of-bounds read was addressed with improved input validation. Th ...) NOT-FOR-US: Apple CVE-2019-8623 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0003.html CVE-2019-8622 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0003.html CVE-2019-8621 RESERVED CVE-2019-8620 (A user privacy issue was addressed by removing the broadcast MAC addre ...) NOT-FOR-US: Apple CVE-2019-8619 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0003.html CVE-2019-8618 RESERVED CVE-2019-8617 (An access issue was addressed with additional sandbox restrictions. Th ...) NOT-FOR-US: Apple CVE-2019-8616 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2019-8615 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.24.2-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) CVE-2019-8614 RESERVED CVE-2019-8613 (A use after free issue was addressed with improved memory management. ...) NOT-FOR-US: Apple CVE-2019-8612 RESERVED CVE-2019-8611 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0003.html CVE-2019-8610 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0003.html CVE-2019-8609 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0003.html CVE-2019-8608 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0003.html CVE-2019-8607 (An out-of-bounds read was addressed with improved input validation. Th ...) - webkit2gtk 2.24.2-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) CVE-2019-8606 (A validation issue existed in the handling of symlinks. This issue was ...) NOT-FOR-US: Apple CVE-2019-8605 (A use after free issue was addressed with improved memory management. ...) NOT-FOR-US: Apple CVE-2019-8604 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2019-8603 (A validation issue was addressed with improved input sanitization. Thi ...) NOT-FOR-US: Apple CVE-2019-8602 (A memory corruption issue was addressed by removing the vulnerable cod ...) NOT-FOR-US: Apple CVE-2019-8601 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0003.html CVE-2019-8600 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2019-8599 (A logic issue was addressed with improved restrictions. This issue is ...) NOT-FOR-US: Apple CVE-2019-8598 (An input validation issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2019-8597 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0003.html CVE-2019-8596 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0003.html CVE-2019-8595 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.24.2-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) CVE-2019-8594 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0003.html CVE-2019-8593 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2019-8592 RESERVED CVE-2019-8591 (A type confusion issue was addressed with improved memory handling. Th ...) NOT-FOR-US: Apple CVE-2019-8590 (A logic issue was addressed with improved restrictions. This issue is ...) NOT-FOR-US: Apple CVE-2019-8589 (This issue was addressed with improved checks. This issue is fixed in ...) NOT-FOR-US: Apple CVE-2019-8588 RESERVED CVE-2019-8587 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0003.html CVE-2019-8586 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0003.html CVE-2019-8585 (An out-of-bounds read was addressed with improved input validation. Th ...) NOT-FOR-US: Apple CVE-2019-8584 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0003.html CVE-2019-8583 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0003.html CVE-2019-8582 RESERVED CVE-2019-8581 RESERVED CVE-2019-8580 RESERVED CVE-2019-8579 RESERVED CVE-2019-8578 RESERVED CVE-2019-8577 (An input validation issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2019-8576 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) NOT-FOR-US: Apple CVE-2019-8575 RESERVED CVE-2019-8574 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2019-8573 RESERVED CVE-2019-8572 RESERVED CVE-2019-8571 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0003.html CVE-2019-8570 RESERVED CVE-2019-8569 RESERVED CVE-2019-8568 (A validation issue existed in the handling of symlinks. This issue was ...) NOT-FOR-US: Apple CVE-2019-8567 (A user privacy issue was addressed by removing the broadcast MAC addre ...) NOT-FOR-US: Apple CVE-2019-8566 (An API issue existed in the handling of microphone data. This issue wa ...) NOT-FOR-US: Apple CVE-2019-8565 (A race condition was addressed with additional validation. This issue ...) NOT-FOR-US: Apple CVE-2019-8564 RESERVED CVE-2019-8563 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0002.html CVE-2019-8562 (A memory corruption issue was addressed with improved validation. This ...) NOT-FOR-US: Apple CVE-2019-8561 (A logic issue was addressed with improved validation. This issue is fi ...) NOT-FOR-US: Apple CVE-2019-8560 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) NOT-FOR-US: Apple CVE-2019-8559 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0002.html CVE-2019-8558 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0002.html CVE-2019-8557 RESERVED CVE-2019-8556 (A use after free issue was addressed with improved memory management. ...) NOT-FOR-US: Apple CVE-2019-8555 (A buffer overflow was addressed with improved size validation. This is ...) NOT-FOR-US: Apple CVE-2019-8554 (A permissions issue existed in the handling of motion and orientation ...) NOT-FOR-US: Apple CVE-2019-8553 (A memory corruption issue was addressed with improved validation. This ...) NOT-FOR-US: Apple CVE-2019-8552 (A memory initialization issue was addressed with improved memory handl ...) NOT-FOR-US: Apple CVE-2019-8551 (A logic issue was addressed with improved validation. This issue is fi ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0002.html CVE-2019-8550 (An issue existed in the pausing of FaceTime video. The issue was resol ...) NOT-FOR-US: Apple CVE-2019-8549 (Multiple input validation issues existed in MIG generated code. These ...) NOT-FOR-US: Apple CVE-2019-8548 (An issue existed where partially entered passcodes may not clear when ...) NOT-FOR-US: Apple CVE-2019-8547 RESERVED CVE-2019-8546 (An access issue was addressed with additional sandbox restrictions. Th ...) NOT-FOR-US: Apple CVE-2019-8545 (A memory corruption issue was addressed with improved state management ...) NOT-FOR-US: Apple CVE-2019-8544 (A memory corruption issue was addressed with improved memory handling. ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0002.html CVE-2019-8543 RESERVED CVE-2019-8542 (A buffer overflow was addressed with improved bounds checking. This is ...) NOT-FOR-US: Apple CVE-2019-8541 (A privacy issue existed in motion sensor calibration. This issue was a ...) NOT-FOR-US: Apple CVE-2019-8540 (A memory initialization issue was addressed with improved memory handl ...) NOT-FOR-US: Apple CVE-2019-8539 RESERVED CVE-2019-8538 RESERVED CVE-2019-8537 (An access issue was addressed with improved memory management. This is ...) NOT-FOR-US: Apple CVE-2019-8536 (A memory corruption issue was addressed with improved memory handling. ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0002.html CVE-2019-8535 (A memory corruption issue was addressed with improved state management ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0002.html CVE-2019-8534 RESERVED CVE-2019-8533 (A lock handling issue was addressed with improved lock handling. This ...) NOT-FOR-US: Apple CVE-2019-8532 RESERVED CVE-2019-8531 RESERVED CVE-2019-8530 (This issue was addressed with improved checks. This issue is fixed in ...) NOT-FOR-US: Apple CVE-2019-8529 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2019-8528 RESERVED CVE-2019-8527 (A buffer overflow was addressed with improved size validation. This is ...) NOT-FOR-US: Apple CVE-2019-8526 (A use after free issue was addressed with improved memory management. ...) NOT-FOR-US: Apple CVE-2019-8525 RESERVED CVE-2019-8524 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0002.html CVE-2019-8523 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0002.html CVE-2019-8522 (A logic issue was addressed with improved state management. This issue ...) NOT-FOR-US: Apple CVE-2019-8521 (This issue was addressed with improved checks. This issue is fixed in ...) NOT-FOR-US: Apple CVE-2019-8520 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) NOT-FOR-US: Apple CVE-2019-8519 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) NOT-FOR-US: Apple CVE-2019-8518 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0002.html CVE-2019-8517 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) NOT-FOR-US: Apple CVE-2019-8516 (A validation issue was addressed with improved logic. This issue is fi ...) NOT-FOR-US: Apple CVE-2019-8515 (A cross-origin issue existed with the fetch API. This was addressed wi ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0002.html CVE-2019-8514 (A logic issue was addressed with improved state management. This issue ...) NOT-FOR-US: Apple CVE-2019-8513 (This issue was addressed with improved checks. This issue is fixed in ...) NOT-FOR-US: Apple CVE-2019-8512 (This issue was addressed with improved transparency. This issue is fix ...) NOT-FOR-US: Apple CVE-2019-8511 (A buffer overflow issue was addressed with improved memory handling. T ...) NOT-FOR-US: Apple CVE-2019-8510 (An out-of-bounds read issue existed that led to the disclosure of kern ...) NOT-FOR-US: Apple CVE-2019-8509 RESERVED CVE-2019-8508 (A buffer overflow was addressed with improved bounds checking. This is ...) NOT-FOR-US: Apple CVE-2019-8507 (Multiple memory corruption issues were addressed with improved input v ...) NOT-FOR-US: Apple CVE-2019-8506 (A type confusion issue was addressed with improved memory handling. Th ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0002.html CVE-2019-8505 (A logic issue was addressed with improved validation. This issue is fi ...) NOT-FOR-US: Apple CVE-2019-8504 (A memory initialization issue was addressed with improved memory handl ...) NOT-FOR-US: Apple CVE-2019-8503 (A logic issue was addressed with improved validation. This issue is fi ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0002.html CVE-2019-8502 (An API issue existed in the handling of dictation requests. This issue ...) NOT-FOR-US: Apple CVE-2019-8501 RESERVED CVE-2019-8500 RESERVED CVE-2019-8499 RESERVED CVE-2019-8498 RESERVED CVE-2019-8497 RESERVED CVE-2019-8496 RESERVED CVE-2019-8495 RESERVED CVE-2019-8494 RESERVED CVE-2019-8493 RESERVED CVE-2019-8492 RESERVED CVE-2019-8491 RESERVED CVE-2019-8490 RESERVED CVE-2019-8489 RESERVED CVE-2019-8488 RESERVED CVE-2019-8487 RESERVED CVE-2019-8486 RESERVED CVE-2019-8485 RESERVED CVE-2019-8484 RESERVED CVE-2019-8483 RESERVED CVE-2019-8482 RESERVED CVE-2019-8481 RESERVED CVE-2019-8480 RESERVED CVE-2019-8479 RESERVED CVE-2019-8478 RESERVED CVE-2019-8477 RESERVED CVE-2019-8476 RESERVED CVE-2019-8475 RESERVED CVE-2019-8474 RESERVED CVE-2019-8473 RESERVED CVE-2019-8472 RESERVED CVE-2019-8471 RESERVED CVE-2019-8470 RESERVED CVE-2019-8469 RESERVED CVE-2019-8468 RESERVED CVE-2019-8467 RESERVED CVE-2019-8466 RESERVED CVE-2019-8465 RESERVED CVE-2019-8464 RESERVED CVE-2019-8463 (A denial of service vulnerability was reported in Check Point Endpoint ...) NOT-FOR-US: Check Point Endpoint Security Client for Windows CVE-2019-8462 (In a rare scenario, Check Point R80.30 Security Gateway before JHF Tak ...) NOT-FOR-US: Check Point R80.30 Security Gateway CVE-2019-8461 (Check Point Endpoint Security Initial Client for Windows before versio ...) NOT-FOR-US: Check Point CVE-2019-8460 (OpenBSD kernel version <= 6.5 can be forced to create long chains o ...) NOT-FOR-US: Check Point CVE-2019-8459 (Check Point Endpoint Security Client for Windows, with the VPN blade, ...) NOT-FOR-US: Check Point Endpoint Security Client for Windows CVE-2019-8458 (Check Point Endpoint Security Client for Windows, with Anti-Malware bl ...) NOT-FOR-US: Check Point Endpoint Security Client for Windows CVE-2019-8457 (SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-o ...) - sqlite3 3.27.2-3 (bug #929775) [stretch] - sqlite3 (Minor issue; can be fixed via point release) [jessie] - sqlite3 (Minor issue) NOTE: Fixed by: https://www.sqlite.org/src/info/90acdbfce9c08858 NOTE: Make the internal dynamic string interface available to extensions: NOTE: https://sqlite.org/src/info/87f261f0cb800b06 NOTE: Affected function is not used in Debian and meant for debugging purposes, NOTE: backporting the fix would be very complex. NOTE: https://lists.debian.org/debian-lts/2019/06/msg00013.html NOTE: https://lists.debian.org/debian-lts/2019/06/msg00036.html CVE-2019-8456 (Check Point IKEv2 IPsec VPN up to R80.30, in some less common conditio ...) NOT-FOR-US: Check Point CVE-2019-8455 (A hard-link created from the log file of Check Point ZoneAlarm up to 1 ...) NOT-FOR-US: Check Point ZoneAlarm CVE-2019-8454 (A local attacker can create a hard-link between a file to which the Ch ...) NOT-FOR-US: Check Point Endpoint Security client for Windows CVE-2019-8453 (Some of the DLLs loaded by Check Point ZoneAlarm up to 15.4.062 are ta ...) NOT-FOR-US: Check Point ZoneAlarm CVE-2019-8452 (A hard-link created from log file archive of Check Point ZoneAlarm up ...) NOT-FOR-US: Check Point ZoneAlarm CVE-2019-8451 (The /plugins/servlet/gadgets/makeRequest resource in Jira before versi ...) NOT-FOR-US: Jira CVE-2019-8450 (Various templates of the Optimization plugin in Jira before version 7. ...) NOT-FOR-US: Jira CVE-2019-8449 (The /rest/api/latest/groupuserpicker resource in Jira before version 8 ...) NOT-FOR-US: Jira CVE-2019-8448 (The login.jsp resource in Jira before version 7.13.4, and from version ...) NOT-FOR-US: Atlassian Jira CVE-2019-8447 (The ServiceExecutor resource in Jira before version 8.3.2 allows remot ...) NOT-FOR-US: Atlassian Jira CVE-2019-8446 (The /rest/issueNav/1/issueTable resource in Jira before version 8.3.2 ...) NOT-FOR-US: Atlassian Jira CVE-2019-8445 (Several worklog rest resources in Jira before version 7.13.7, and from ...) NOT-FOR-US: Atlassian Jira CVE-2019-8444 (The wikirenderer component in Jira before version 7.13.6, and from ver ...) NOT-FOR-US: Atlassian Jira CVE-2019-8443 (The ViewUpgrades resource in Jira before version 7.13.4, from version ...) NOT-FOR-US: Atlassian Jira CVE-2019-8442 (The CachingResourceDownloadRewriteRule class in Jira before version 7. ...) NOT-FOR-US: Atlassian Jira CVE-2019-8441 RESERVED CVE-2019-8440 (An issue was discovered in DiliCMS 2.4.0. There is a Stored XSS Vulner ...) NOT-FOR-US: DiliCMS CVE-2019-8439 (An issue was discovered in DiliCMS 2.4.0. There is a Stored XSS Vulner ...) NOT-FOR-US: DiliCMS CVE-2019-8438 (An issue was discovered in DiliCMS 2.4.0. There is a Stored XSS Vulner ...) NOT-FOR-US: DiliCMS CVE-2019-8437 (njiandan-cms through 2013-05-23 has index.php/admin/user_new CSRF to a ...) NOT-FOR-US: njiandan-cms CVE-2019-8436 (imcat 4.5 has Stored XSS via the root/run/adm.php fm[instop][note] par ...) NOT-FOR-US: imcat CVE-2019-8435 (admin/default.php in PHPMyWind v5.5 has XSS via an HTTP Host header. ...) NOT-FOR-US: PHPMyWind CVE-2019-8434 (In CmsEasy 7.0, there is XSS via the ckplayer.php autoplay parameter. ...) NOT-FOR-US: CmsEasy CVE-2019-8433 (JTBC(PHP) 3.0.1.8 allows Arbitrary File Upload via the console/#/conso ...) NOT-FOR-US: JTBC(PHP) CVE-2019-8432 (In CmsEasy 7.0, there is XSS via the ckplayer.php url parameter. ...) NOT-FOR-US: CmsEasy CVE-2019-8431 RESERVED CVE-2019-8430 RESERVED CVE-2019-8429 (ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php fil ...) - zoneminder (bug #922724) CVE-2019-8428 (ZoneMinder before 1.32.3 has SQL Injection via the skins/classic/views ...) - zoneminder (bug #922724) CVE-2019-8427 (daemonControl in includes/functions.php in ZoneMinder before 1.32.3 al ...) - zoneminder (bug #922724) CVE-2019-8426 (skins/classic/views/controlcap.php in ZoneMinder before 1.32.3 has XSS ...) - zoneminder (bug #922724) CVE-2019-8425 (includes/database.php in ZoneMinder before 1.32.3 has XSS in the const ...) - zoneminder (bug #922724) CVE-2019-8424 (ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php sor ...) - zoneminder (bug #922724) CVE-2019-8423 (ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/view ...) - zoneminder (bug #922724) CVE-2019-8422 (A SQL Injection vulnerability exists in PbootCMS v1.3.2 via the descri ...) NOT-FOR-US: PbootCMS CVE-2019-8421 (upload/protected/modules/admini/views/post/index.php in BageCMS throug ...) NOT-FOR-US: BageCMS CVE-2019-8420 RESERVED CVE-2019-8419 (VNote 2.2 has XSS via a new text note. ...) NOT-FOR-US: VNote CVE-2019-8418 (SeaCMS 7.2 mishandles member.php?mod=repsw4 requests. ...) NOT-FOR-US: SeaCMS CVE-2019-8417 RESERVED CVE-2019-8416 RESERVED CVE-2019-8415 RESERVED CVE-2019-8414 RESERVED CVE-2013-7469 (Seafile through 6.2.11 always uses the same Initialization Vector (IV) ...) - seafile (bug #923009) [buster] - seafile (Minor issue) NOTE: https://github.com/haiwen/seafile/issues/350 CVE-2019-8413 (On Xiaomi MIX 2 devices with the 4.4.78 kernel, a NULL pointer derefer ...) NOT-FOR-US: Xiaomi CVE-2019-8412 (FeiFeiCms 4.0.181010 on Windows allows remote attackers to read or del ...) NOT-FOR-US: FeiFeiCms CVE-2019-8411 (admin/dl_data.php in zzcms 2018 (2018-10-19) allows remote attackers t ...) NOT-FOR-US: zzcms CVE-2019-8410 (Maccms 8.0 allows XSS via the inc/config/cache.php t_key parameter bec ...) NOT-FOR-US: Maccms CVE-2019-8409 RESERVED CVE-2019-8408 (OneFileCMS 3.6.13 allows remote attackers to modify onefilecms.php by ...) NOT-FOR-US: OneFileCMS CVE-2019-8407 (HongCMS 3.0.0 allows arbitrary file read and write operations via a .. ...) NOT-FOR-US: HongCMS CVE-2019-8406 RESERVED CVE-2019-8405 RESERVED CVE-2019-8404 (An issue was discovered in Webiness Inventory 2.3. The ProductModel co ...) NOT-FOR-US: Webiness Inventory CVE-2019-8403 RESERVED CVE-2019-8402 RESERVED CVE-2018-20782 (The GloBee plugin before 1.1.2 for WooCommerce mishandles IPN messages ...) NOT-FOR-US: WooCommerce plugin CVE-2016-10742 (Zabbix before 2.2.21rc1, 3.x before 3.0.13rc1, 3.1.x and 3.2.x before ...) {DLA-1708-1} - zabbix 1:3.0.17+dfsg-1 (low) [stretch] - zabbix (Minor issue) NOTE: https://support.zabbix.com/browse/ZBX-10272 NOTE: https://support.zabbix.com/browse/ZBX-13133 CVE-2019-8401 REJECTED CVE-2019-8400 (ORY Hydra before v1.0.0-rc.3+oryOS.9 has Reflected XSS via the oauth2/ ...) NOT-FOR-US: ORY Hydra CVE-2019-8399 RESERVED CVE-2019-8398 (An issue was discovered in the HDF HDF5 1.10.4 library. There is an ou ...) - hdf5 NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul6 NOTE: https://jira.hdfgroup.org/browse/HDFFV-10710 CVE-2019-8397 (An issue was discovered in the HDF HDF5 1.10.4 library. There is an ou ...) - hdf5 [buster] - hdf5 (Minor issue) [stretch] - hdf5 (Minor issue) [jessie] - hdf5 (Minor issue) NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul5 NOTE: issue in upstream bug tracker: https://jira.hdfgroup.org/browse/HDFFV-10711 CVE-2019-8396 (A buffer overflow in H5O__layout_encode in H5Olayout.c in the HDF HDF5 ...) - hdf5 NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul4 NOTE: https://jira.hdfgroup.org/browse/HDFFV-10712 CVE-2019-8395 (An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoh ...) NOT-FOR-US: Zoho ManageEngine ServiceDesk Plus CVE-2019-8394 (Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allow ...) NOT-FOR-US: Zoho ManageEngine ServiceDesk Plus CVE-2019-8393 (Hotels_Server through 2018-11-05 has SQL Injection via the API because ...) NOT-FOR-US: Hotels_Server CVE-2019-8392 (An issue was discovered on D-Link DIR-823G devices with firmware 1.02B ...) NOT-FOR-US: D-Link CVE-2019-8391 (qdPM 9.1 suffers from Cross-site Scripting (XSS) via configuration?typ ...) NOT-FOR-US: qdPM CVE-2019-8390 (qdPM 9.1 suffers from Cross-site Scripting (XSS) in the search[keyword ...) NOT-FOR-US: qdPM CVE-2019-8389 (A file-read vulnerability was identified in the Wi-Fi transfer feature ...) NOT-FOR-US: Musicloud CVE-2019-8388 RESERVED CVE-2019-8387 (MASTER IPCAMERA01 3.3.4.2103 devices allow Remote Command Execution, r ...) NOT-FOR-US: MASTER IPCAMERA01 devices CVE-2019-8386 RESERVED CVE-2019-8385 (An issue was discovered in Thomson Reuters Desktop Extensions 1.9.0.35 ...) NOT-FOR-US: Thomson Reuters Desktop Extensions CVE-2019-8384 RESERVED CVE-2019-8383 (An issue was discovered in AdvanceCOMP through 2.1. An invalid memory ...) - advancecomp 2.1-2.1 (bug #928730) [stretch] - advancecomp (Minor issue) [jessie] - advancecomp (Minor issue) NOTE: https://sourceforge.net/p/advancemame/bugs/272/ NOTE: https://github.com/amadvance/advancecomp/commit/78a56b21340157775be2462a19276b4d31d2bd01 CVE-2019-8382 (An issue was discovered in Bento4 1.5.1-628. A NULL pointer dereferenc ...) NOT-FOR-US: Bento4 CVE-2019-8381 (An issue was discovered in Tcpreplay 4.3.1. An invalid memory access o ...) - tcpreplay 4.3.1-2 (unimportant; bug #922622) NOTE: https://github.com/appneta/tcpreplay/issues/538 NOTE: Crash in a CLI tool, no security impact CVE-2019-8380 (An issue was discovered in Bento4 1.5.1-628. A NULL pointer dereferenc ...) NOT-FOR-US: Bento4 CVE-2019-8379 (An issue was discovered in AdvanceCOMP through 2.1. A NULL pointer der ...) - advancecomp 2.1-2.1 (bug #928729) [stretch] - advancecomp (Minor issue) [jessie] - advancecomp (Minor issue) NOTE: https://sourceforge.net/p/advancemame/bugs/271/ NOTE: https://github.com/amadvance/advancecomp/commit/7894a6e684ce68ddff9f4f4919ab8e3911ac8040 CVE-2019-8378 (An issue was discovered in Bento4 1.5.1-628. A heap-based buffer over- ...) NOT-FOR-US: Bento4 CVE-2019-8377 (An issue was discovered in Tcpreplay 4.3.1. A NULL pointer dereference ...) - tcpreplay 4.3.1-2 (unimportant; bug #922623) NOTE: https://github.com/appneta/tcpreplay/issues/536 NOTE: Crash in a CLI tool, no security impact CVE-2019-8376 (An issue was discovered in Tcpreplay 4.3.1. A NULL pointer dereference ...) - tcpreplay 4.3.1-2 (unimportant; bug #922624) NOTE: https://github.com/appneta/tcpreplay/issues/537 NOTE: Crash in a CLI tool, no security impact CVE-2019-8375 (The UIProcess subsystem in WebKit, as used in WebKitGTK through 2.23.9 ...) - webkit2gtk 2.24.1-1 (unimportant) NOTE: https://github.com/WebKit/webkit/commit/6f9b511a115311b13c06eb58038ddc2c78da5531 NOTE: https://trac.webkit.org/changeset/241515/webkit NOTE: https://www.inputzero.io/2019/02/fuzzing-webkit.html NOTE: Not covered by security support CVE-2019-8374 RESERVED CVE-2019-8373 RESERVED CVE-2019-8372 (The LHA.sys driver before 1.1.1811.2101 in LG Device Manager exposes f ...) NOT-FOR-US: LG CVE-2019-8371 (OpenEMR v5.0.1-6 allows code execution. ...) NOT-FOR-US: OpenEMR CVE-2019-8370 REJECTED CVE-2019-8369 REJECTED CVE-2019-8368 (OpenEMR v5.0.1-6 allows XSS. ...) NOT-FOR-US: OpenEMR CVE-2019-8367 RESERVED CVE-2019-8366 RESERVED CVE-2019-8365 RESERVED CVE-2019-8364 RESERVED CVE-2019-8363 (Verydows 2.0 has XSS via the index.php?c=main a parameter, as demonstr ...) NOT-FOR-US: Verydows CVE-2019-8362 (DedeCMS through V5.7SP2 allows arbitrary file upload in dede/album_edi ...) NOT-FOR-US: DedeCMS CVE-2019-8361 (PHP Scripts Mall Responsive Video News Script has XSS via the Search B ...) NOT-FOR-US: PHP Scripts Mall Responsive Video News Script CVE-2019-8360 (Themerig Find a Place CMS Directory 1.5 has SQL Injection via the find ...) NOT-FOR-US: Themerig Find a Place CMS Directory CVE-2019-8359 (An issue was discovered in Contiki-NG through 4.3 and Contiki through ...) NOT-FOR-US: Contiki-NG CVE-2019-8358 (In Hiawatha before 10.8.4, a remote attacker is able to do directory t ...) NOT-FOR-US: Hiawatha CVE-2019-8357 (An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c ...) {DLA-1808-1} - sox 14.4.2+git20190427-1 (low; bug #927906) [stretch] - sox 14.4.1-5+deb9u2 NOTE: https://sourceforge.net/p/sox/bugs/318 NOTE: https://sourceforge.net/p/sox/code/ci/2ce02fea7b350de9ddfbcf542ba4dd59a8ab255b/ CVE-2019-8356 (An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 ...) {DLA-1808-1} - sox 14.4.2+git20190427-1 (bug #927906) [stretch] - sox 14.4.1-5+deb9u2 NOTE: https://sourceforge.net/p/sox/bugs/321 NOTE: https://sourceforge.net/p/sox/code/ci/b7883ae1398499daaa926ae6621f088f0f531ed8/ CVE-2019-8355 (An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integ ...) {DLA-1808-1} - sox 14.4.2+git20190427-1 (bug #927906) [stretch] - sox 14.4.1-5+deb9u2 NOTE: https://sourceforge.net/p/sox/bugs/320 NOTE: https://sourceforge.net/p/sox/code/ci/f8587e2d50dad72d40453ac1191c539ee9e50381/ CVE-2019-8354 (An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c ...) {DLA-1808-1} - sox 14.4.2+git20190427-1 (bug #927906) [stretch] - sox 14.4.1-5+deb9u2 NOTE: https://sourceforge.net/p/sox/bugs/319 NOTE: https://sourceforge.net/p/sox/code/ci/f70911261a84333b077c29908e1242f69d7439eb CVE-2019-8353 RESERVED CVE-2019-8352 (By default, BMC PATROL Agent through 11.3.01 uses a static encryption ...) NOT-FOR-US: BMC PATROL Agent CVE-2019-8351 (Heimdal Thor Agent 2.5.17x before 2.5.173 does not verify X.509 certif ...) NOT-FOR-US: Heimdal Thor Agent CVE-2019-8350 (The Simple - Better Banking application 2.45.0 through 2.45.3 (fixed i ...) NOT-FOR-US: Simple - Better Banking application for Android CVE-2019-8349 (Multiple cross-site scripting (XSS) vulnerabilities in HTMLy 2.7.4 all ...) NOT-FOR-US: HTMLy CVE-2019-8348 RESERVED CVE-2019-8347 (BEESCMS 4.0 has a CSRF vulnerability to add arbitrary VIP accounts via ...) NOT-FOR-US: BEESCMS CVE-2019-8346 (In Zoho ManageEngine ADSelfService Plus 5.x through 5704, an authoriza ...) NOT-FOR-US: Zoho ManageEngine ADSelfService Plus CVE-2019-8345 (The Help feature in the ES File Explorer File Manager application 4.1. ...) NOT-FOR-US: ES File Explorer File Manager CVE-2019-8344 RESERVED CVE-2019-8343 (In Netwide Assembler (NASM) 2.14.02, there is a use-after-free in past ...) - nasm (unimportant; bug #922433) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392556 NOTE: Crash in CLI tool, no security impact CVE-2019-8342 (A Local Privilege Escalation in libqcocoa.dylib in Foxit Reader 3.1.0. ...) NOT-FOR-US: Foxit Reader CVE-2019-8341 (** DISPUTED ** An issue was discovered in Jinja2 2.10. The from_string ...) - jinja2 (unimportant) NOTE: https://github.com/JameelNabbo/Jinja2-Code-execution NOTE: No real security impact and upstream indicates the CVE is invalid CVE-2019-8340 RESERVED CVE-2019-8339 (An issue was discovered in Falco through 0.14.0. A missing indicator f ...) NOT-FOR-US: Falco CVE-2019-8338 (The signature verification routine in the Airmail GPG-PGP Plugin, vers ...) NOT-FOR-US: Airmail CVE-2019-8336 (HashiCorp Consul (and Consul Enterprise) 1.4.x before 1.4.3 allows a c ...) - consul (Only affected 1.4.x series up, vulnerable code never present in Debian) NOTE: https://github.com/hashicorp/consul/issues/5423 CVE-2019-8335 (An issue was discovered in SchoolCMS 2.3.1. There is an XSS vulnerabil ...) NOT-FOR-US: SchoolCMS CVE-2019-8334 (An issue was discovered in SchoolCMS 2.3.1. There is an XSS vulnerabil ...) NOT-FOR-US: SchoolCMS CVE-2019-8333 RESERVED CVE-2019-8332 RESERVED CVE-2019-8331 (In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in t ...) - twitter-bootstrap4 4.3.1+dfsg2-1 - twitter-bootstrap3 3.4.1+dfsg-1 [stretch] - twitter-bootstrap3 3.3.7+dfsg-2+deb9u2 [jessie] - twitter-bootstrap3 (Minor issue) - twitter-bootstrap [stretch] - twitter-bootstrap (Minor issue; XSS in developer-issued input when HTML is enabled) [jessie] - twitter-bootstrap (Minor issue; XSS in developer-issued input when HTML is enabled) NOTE: https://github.com/twbs/bootstrap/pull/28236 CVE-2019-8330 RESERVED CVE-2019-8329 RESERVED CVE-2019-8328 RESERVED CVE-2019-8327 RESERVED CVE-2019-8326 RESERVED CVE-2019-8325 (An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since ...) {DSA-4433-1 DLA-1796-1 DLA-1735-1} - ruby2.5 2.5.5-1 - ruby2.3 - ruby2.1 - rubygems - jruby 9.1.17.0-3 (bug #925987) NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/ NOTE: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html NOTE: https://github.com/rubygems/rubygems/commit/56c0bbb69e4506bda7ef7f447dfec5db820df20b CVE-2019-8324 (An issue was discovered in RubyGems 2.6 and later through 3.0.2. A cra ...) {DSA-4433-1 DLA-1796-1 DLA-1735-1} - ruby2.5 2.5.5-1 - ruby2.3 - ruby2.1 - rubygems - jruby 9.1.17.0-3 (bug #925987) NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/ NOTE: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html NOTE: https://github.com/rubygems/rubygems/commit/56c0bbb69e4506bda7ef7f447dfec5db820df20b CVE-2019-8323 (An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem:: ...) {DSA-4433-1 DLA-1796-1 DLA-1735-1} - ruby2.5 2.5.5-1 - ruby2.3 - ruby2.1 - rubygems - jruby 9.1.17.0-3 (bug #925987) NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/ NOTE: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html NOTE: https://github.com/rubygems/rubygems/commit/56c0bbb69e4506bda7ef7f447dfec5db820df20b CVE-2019-8322 (An issue was discovered in RubyGems 2.6 and later through 3.0.2. The g ...) {DSA-4433-1 DLA-1796-1 DLA-1735-1} - ruby2.5 2.5.5-1 - ruby2.3 - ruby2.1 - rubygems - jruby 9.1.17.0-3 (bug #925987) NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/ NOTE: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html NOTE: https://github.com/rubygems/rubygems/commit/56c0bbb69e4506bda7ef7f447dfec5db820df20b CVE-2019-8321 (An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since ...) {DSA-4433-1 DLA-1796-1} - ruby2.5 2.5.5-1 - ruby2.3 - ruby2.1 [jessie] - ruby2.1 (Vulnerable code introduced later) - rubygems - jruby 9.1.17.0-3 (bug #925987) NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/ NOTE: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html NOTE: https://github.com/rubygems/rubygems/commit/56c0bbb69e4506bda7ef7f447dfec5db820df20b CVE-2019-8320 (A Directory Traversal issue was discovered in RubyGems 2.7.6 and later ...) {DSA-4433-1 DLA-1735-1} - ruby2.5 2.5.5-1 - ruby2.3 - ruby2.1 - rubygems - jruby 9.1.17.0-3 (bug #925987) [jessie] - jruby (Vulnerable code introduced later) NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/ NOTE: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html NOTE: https://github.com/rubygems/rubygems/commit/56c0bbb69e4506bda7ef7f447dfec5db820df20b CVE-2019-8319 (An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1 ...) NOT-FOR-US: D-Link CVE-2019-8318 (An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1 ...) NOT-FOR-US: D-Link CVE-2019-8317 (An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1 ...) NOT-FOR-US: D-Link CVE-2019-8316 (An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1 ...) NOT-FOR-US: D-Link CVE-2019-8315 (An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1 ...) NOT-FOR-US: D-Link CVE-2019-8314 (An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1 ...) NOT-FOR-US: D-Link CVE-2019-8313 (An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1 ...) NOT-FOR-US: D-Link CVE-2019-8312 (An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1 ...) NOT-FOR-US: D-Link CVE-2019-8337 (In msmtp 1.8.2 and mpop 1.4.3, when tls_trust_file has its default con ...) - mpop 1.4.3-1 [stretch] - mpop (Vulnerable code introduced later) [jessie] - mpop (Vulnerable code introduced later) - msmtp 1.8.3-1 (bug #922345) [stretch] - msmtp (Vulnerable code introduced later) [jessie] - msmtp (Vulnerable code introduced later) NOTE: mpop: Introduced by: https://git.marlam.de/gitweb/?p=mpop.git;a=commit;h=3162356734663a0ea0f88857c4ace21fac1b023b (1.4.2) NOTE: mpop: Fixed by: https://git.marlam.de/gitweb/?p=mpop.git;a=commit;h=95b96da443a24a4a9cb6664aefff9f6fcc7ac86e (1.4.3) NOTE: msmtp: Introduced by: https://git.marlam.de/gitweb/?p=msmtp.git;a=commit;h=37371fa07729bfc11761b6d11befd7271528090d (1.8.2) NOTE: msmtp: Fixed by: https://git.marlam.de/gitweb/?p=msmtp.git;a=commit;h=a81d0a5126304f9f8b29a75d058044dc67d07663 (1.8.3) CVE-2019-8311 RESERVED CVE-2019-8310 RESERVED CVE-2019-8309 RESERVED CVE-2019-8307 RESERVED CVE-2019-8306 RESERVED CVE-2019-8305 RESERVED CVE-2019-8304 RESERVED CVE-2019-8303 RESERVED CVE-2019-8302 RESERVED CVE-2019-8301 RESERVED CVE-2019-8300 RESERVED CVE-2019-8299 RESERVED CVE-2019-8298 RESERVED CVE-2019-8297 RESERVED CVE-2019-8296 RESERVED CVE-2019-8295 RESERVED CVE-2019-8294 RESERVED CVE-2019-8293 (Due to a logic error in the code, upload-image-with-ajax v1.0 allows a ...) NOT-FOR-US: upload-image-with-ajax CVE-2019-8292 (Online Store System v1.0 delete_product.php doesn't check to see if a ...) NOT-FOR-US: Online Store System CVE-2019-8291 (Online Store System v1.0 delete_file.php doesn't check to see if a use ...) NOT-FOR-US: Online Store System CVE-2019-8290 (Vulnerability in Online Store v1.0, The registration form requirements ...) NOT-FOR-US: Online Store System CVE-2019-8289 (Vulnerability in Online Store v1.0, stored XSS in admin/user_view.php ...) NOT-FOR-US: Online Store System CVE-2019-8288 (Vulnerability in Online Store v1.0, Stored XSS in user_view.php where ...) NOT-FOR-US: Online Store System CVE-2019-8287 (TightVNC code version 1.3.10 contains global buffer overflow in Handle ...) {DLA-2045-1} - tightvnc 1:1.3.9-9.1 (bug #945364) [buster] - tightvnc 1:1.3.9-9deb10u1 [stretch] - tightvnc 1:1.3.9-9+deb9u1 NOTE: https://www.openwall.com/lists/oss-security/2018/12/10/5 NOTE: same as CVE-2018-20020/libvncserver CVE-2019-8286 (Information Disclosure in Kaspersky Anti-Virus, Kaspersky Internet Sec ...) NOT-FOR-US: Kaspersky CVE-2019-8285 (Kaspersky Lab Antivirus Engine version before 04.apr.2019 has a heap-b ...) NOT-FOR-US: Kaspersky Lab Antivirus Engine CVE-2019-8284 RESERVED CVE-2019-8283 (Hasplm cookie in Gemalto Admin Control Center, all versions prior to 7 ...) NOT-FOR-US: Gemalto Admin Control Center CVE-2019-8282 (Gemalto Admin Control Center, all versions prior to 7.92, uses clearte ...) NOT-FOR-US: Gemalto Admin Control Center CVE-2019-8281 RESERVED CVE-2019-8280 (UltraVNC revision 1203 has out-of-bounds access vulnerability in VNC c ...) NOT-FOR-US: UltraVNC CVE-2019-8279 (Multiple stored XSS in Vanilla Forums before 2.5 allow remote attacker ...) NOT-FOR-US: Vanilla Forums CVE-2019-8278 (Stored XSS in Invision Power Board versions 3.3.1 - 3.4.8 leads to Rem ...) NOT-FOR-US: Invision Power Board CVE-2019-8277 (UltraVNC revision 1211 contains multiple memory leaks (CWE-665) in VNC ...) NOT-FOR-US: UltraVNC CVE-2019-8276 (UltraVNC revision 1211 has a stack buffer overflow vulnerability in VN ...) NOT-FOR-US: UltraVNC CVE-2019-8275 (UltraVNC revision 1211 has multiple improper null termination vulnerab ...) NOT-FOR-US: UltraVNC CVE-2019-8274 (UltraVNC revision 1211 has a heap buffer overflow vulnerability in VNC ...) NOT-FOR-US: UltraVNC CVE-2019-8273 (UltraVNC revision 1211 has a heap buffer overflow vulnerability in VNC ...) NOT-FOR-US: UltraVNC CVE-2019-8272 (UltraVNC revision 1211 has multiple off-by-one vulnerabilities in VNC ...) NOT-FOR-US: UltraVNC CVE-2019-8271 (UltraVNC revision 1211 has a heap buffer overflow vulnerability in VNC ...) NOT-FOR-US: UltraVNC CVE-2019-8270 (UltraVNC revision 1210 has out-of-bounds read vulnerability in VNC cli ...) NOT-FOR-US: UltraVNC CVE-2019-8269 (UltraVNC revision 1206 has stack-based Buffer overflow vulnerability i ...) NOT-FOR-US: UltraVNC CVE-2019-8268 (UltraVNC revision 1206 has multiple off-by-one vulnerabilities in VNC ...) NOT-FOR-US: UltraVNC CVE-2019-8267 (UltraVNC revision 1207 has out-of-bounds read vulnerability in VNC cli ...) NOT-FOR-US: UltraVNC CVE-2019-8266 (UltraVNC revision 1207 has multiple out-of-bounds access vulnerabiliti ...) NOT-FOR-US: UltraVNC CVE-2019-8265 (UltraVNC revision 1207 has multiple out-of-bounds access vulnerabiliti ...) NOT-FOR-US: UltraVNC CVE-2019-8264 (UltraVNC revision 1203 has out-of-bounds access vulnerability in VNC c ...) NOT-FOR-US: UltraVNC CVE-2019-8263 (UltraVNC revision 1205 has stack-based buffer overflow vulnerability i ...) NOT-FOR-US: UltraVNC CVE-2019-8262 (UltraVNC revision 1203 has multiple heap buffer overflow vulnerabiliti ...) NOT-FOR-US: UltraVNC CVE-2019-8261 (UltraVNC revision 1199 has a out-of-bounds read vulnerability in VNC c ...) NOT-FOR-US: UltraVNC CVE-2019-8260 (UltraVNC revision 1199 has a out-of-bounds read vulnerability in VNC c ...) NOT-FOR-US: UltraVNC CVE-2019-8259 (UltraVNC revision 1198 contains multiple memory leaks (CWE-655) in VNC ...) NOT-FOR-US: UltraVNC CVE-2019-8258 (UltraVNC revision 1198 has a heap buffer overflow vulnerability in VNC ...) NOT-FOR-US: UltraVNC CVE-2019-8257 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8256 (ColdFusion versions Update 6 and earlier have an insecure inherited pe ...) NOT-FOR-US: ColdFusion CVE-2019-8255 (Brackets versions 1.14 and earlier have a command injection vulnerabil ...) NOT-FOR-US: Adobe CVE-2019-8254 (Adobe Photoshop CC versions before 20.0.8 and 21.0.x before 21.0.2 hav ...) NOT-FOR-US: Adobe CVE-2019-8253 (Adobe Photoshop CC versions before 20.0.8 and 21.0.x before 21.0.2 hav ...) NOT-FOR-US: Adobe CVE-2019-8252 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) TODO: check CVE-2019-8251 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) TODO: check CVE-2019-8250 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) TODO: check CVE-2019-8249 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) TODO: check CVE-2019-8248 (Adobe Illustrator CC versions 23.1 and earlier have a memory corruptio ...) NOT-FOR-US: Adobe CVE-2019-8247 (Adobe Illustrator CC versions 23.1 and earlier have a memory corruptio ...) NOT-FOR-US: Adobe CVE-2019-8246 (Adobe Media Encoder versions 13.1 and earlier have an out-of-bounds wr ...) NOT-FOR-US: Adobe CVE-2019-8245 RESERVED CVE-2019-8244 (Adobe Media Encoder versions 13.1 and earlier have an out-of-bounds re ...) NOT-FOR-US: Adobe CVE-2019-8243 (Adobe Media Encoder versions 13.1 and earlier have an out-of-bounds re ...) NOT-FOR-US: Adobe CVE-2019-8242 (Adobe Media Encoder versions 13.1 and earlier have an out-of-bounds re ...) NOT-FOR-US: Adobe CVE-2019-8241 (Adobe Media Encoder versions 13.1 and earlier have an out-of-bounds re ...) NOT-FOR-US: Adobe CVE-2019-8240 (Adobe Bridge CC versions 9.1 and earlier have a memory corruption vuln ...) NOT-FOR-US: Adobe CVE-2019-8239 (Adobe Bridge CC versions 9.1 and earlier have a memory corruption vuln ...) NOT-FOR-US: Adobe CVE-2019-8238 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier; 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-8237 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8236 (Creative Cloud Desktop Application version 4.6.1 and earlier versions ...) NOT-FOR-US: Adobe CVE-2019-8235 (An insecure direct object reference (IDOR) vulnerability exists in Mag ...) NOT-FOR-US: Magento CVE-2019-8234 (Adobe Experience Manager versions 6.4, 6.3 and 6.2 have a cross-site r ...) NOT-FOR-US: Adobe CVE-2019-8233 (In Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1 ...) NOT-FOR-US: Magento CVE-2019-8232 (In Magento prior to 1.9.4.3, Magento prior to 1.14.4.3, Magento 2.2 pr ...) NOT-FOR-US: Magento CVE-2019-8231 (In Magento to 1.9.4.3 and Magento prior to 1.14.4.3, an authenticated ...) NOT-FOR-US: Magento CVE-2019-8230 (In Magentoprior to 1.9.4.3, and Magento prior to 1.14.4.3, an authenti ...) NOT-FOR-US: Magento CVE-2019-8229 (In Magento prior to 1.9.4.3, and Magento prior to 1.14.4.3, an authent ...) NOT-FOR-US: Magento CVE-2019-8228 (in Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenti ...) NOT-FOR-US: Magento CVE-2019-8227 (In Magento prior to 1.9.4.3 and Magento prior to 1.14.4.3, an authenti ...) NOT-FOR-US: Magento CVE-2019-8226 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8225 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8224 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8223 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8222 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8221 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8220 (Adobe Acrobat and Reader versions, 2019.012.20040 and earlier, 2017.01 ...) NOT-FOR-US: Adobe CVE-2019-8219 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8218 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8217 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8216 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8215 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8214 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8213 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8212 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8211 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8210 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8209 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8208 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8207 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8206 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8205 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8204 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8203 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8202 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8201 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8200 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8199 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8198 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8197 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8196 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8195 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8194 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8193 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8192 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8191 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8190 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8189 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8188 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8187 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8186 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8185 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8184 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8183 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8182 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8181 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8180 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8179 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8178 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8177 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8176 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8175 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8174 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8173 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8172 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8171 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8170 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8169 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8168 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8167 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8166 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8165 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8164 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8163 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8162 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8161 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8160 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8159 (A remote code execution vulnerability exists in Magento 2.2 prior to 2 ...) NOT-FOR-US: Magento CVE-2019-8158 (An XPath entity injection vulnerability exists in Magento 2.2 prior to ...) NOT-FOR-US: Magento CVE-2019-8157 (A stored cross-site scripting (XSS) vulnerability exists in Magento 2. ...) NOT-FOR-US: Magento CVE-2019-8156 (A server-side request forgery (SSRF) vulnerability exists in Magento 2 ...) NOT-FOR-US: Magento CVE-2019-8155 (Magento prior to 1.9.4.3 and prior to 1.14.4.3 included a user's CSRF ...) NOT-FOR-US: Magento CVE-2019-8154 (A remote code execution vulnerability exists in Magento 2.2 prior to 2 ...) NOT-FOR-US: Magento CVE-2019-8153 (A mitigation bypass to prevent cross-site scripting (XSS) exists in Ma ...) NOT-FOR-US: Magento CVE-2019-8152 (A stored cross-site scripting (XSS) vulnerability exists in in Magento ...) NOT-FOR-US: Magento CVE-2019-8151 (A remote code execution vulnerability exists in Magento 2.2 prior to 2 ...) NOT-FOR-US: Magento CVE-2019-8150 (A remote code execution vulnerability exists in Magento 2.2 prior to 2 ...) NOT-FOR-US: Magento CVE-2019-8149 (Insecure authentication and session management vulnerability exists in ...) NOT-FOR-US: Magento CVE-2019-8148 (A stored cross-site scripting (XSS) vulnerability exists in Magento 2. ...) NOT-FOR-US: Magento CVE-2019-8147 (A stored cross-site scripting (XSS) vulnerability exists in Magento 2. ...) NOT-FOR-US: Magento CVE-2019-8146 (A stored cross-site scripting (XSS) vulnerability exists in Magento 2. ...) NOT-FOR-US: Magento CVE-2019-8145 (A stored cross-site scripting (XSS) vulnerability exists in Magento 2. ...) NOT-FOR-US: Magento CVE-2019-8144 (A remote code execution vulnerability exists in Magento 2.3 prior to 2 ...) NOT-FOR-US: Magento CVE-2019-8143 (A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, M ...) NOT-FOR-US: Magento CVE-2019-8142 (A stored cross-site scripting (XSS) vulnerability exists in Magento 2. ...) NOT-FOR-US: Magento CVE-2019-8141 (A remote code execution vulnerability exists in Magento 2.1 prior to 2 ...) NOT-FOR-US: Magento CVE-2019-8140 (An unrestricted file upload vulnerability exists in Magento 2.2 prior ...) NOT-FOR-US: Magento CVE-2019-8139 (A stored cross-site scripting (XSS) vulnerability exists in Magento 2. ...) NOT-FOR-US: Magento CVE-2019-8138 (A stored cross-site scripting (XSS) vulnerability exists in Magento 2. ...) NOT-FOR-US: Magento CVE-2019-8137 (A remote code execution vulnerability exists in Magento 2.2 prior to 2 ...) NOT-FOR-US: Magento CVE-2019-8136 (An insecure component vulnerability exists in Magento 2.2 prior to 2.2 ...) NOT-FOR-US: Magento CVE-2019-8135 (A remote code execution vulnerability exists in Magento 2.2 prior to 2 ...) NOT-FOR-US: Magento CVE-2019-8134 (A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, M ...) NOT-FOR-US: Magento CVE-2019-8133 (A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, ...) NOT-FOR-US: Magento CVE-2019-8132 (A stored cross-site scripting (XSS) vulnerability exists in Magento 2. ...) NOT-FOR-US: Magento CVE-2019-8131 (A stored cross-site scripting (XSS) vulnerability exists in Magento 2. ...) NOT-FOR-US: Magento CVE-2019-8130 (A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, M ...) NOT-FOR-US: Magento CVE-2019-8129 (A stored cross-site scripting (XSS) vulnerability exists in Magento 2. ...) NOT-FOR-US: Magento CVE-2019-8128 (A stored cross-site scripting (XSS) vulnerability exists in Magento 2. ...) NOT-FOR-US: Magento CVE-2019-8127 (A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, M ...) NOT-FOR-US: Magento CVE-2019-8126 (An XML entity injection vulnerability exists in Magento 2.2 prior to 2 ...) NOT-FOR-US: Magento CVE-2019-8125 (A remote code execution vulnerability exists in Magento 1 prior to 1.9 ...) NOT-FOR-US: Magento CVE-2019-8124 (An insufficient logging and monitoring vulnerability exists in Magento ...) NOT-FOR-US: Magento CVE-2019-8123 (An insufficient logging and monitoring vulnerability exists in Magento ...) NOT-FOR-US: Magento CVE-2019-8122 (A remote code execution vulnerability exists in Magento 2.1 prior to 2 ...) NOT-FOR-US: Magento CVE-2019-8121 (An insecure component vulnerability exists in Magento 2.1 prior to 2.1 ...) NOT-FOR-US: Magento CVE-2019-8120 (A stored cross-site scripting (XSS) vulnerability exists in Magento 2. ...) NOT-FOR-US: Magento CVE-2019-8119 (A remote code execution vulnerability exists in Magento 2.1 prior to 2 ...) NOT-FOR-US: Magento CVE-2019-8118 (Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 ...) NOT-FOR-US: Magento CVE-2019-8117 (A stored cross-site scripting (XSS) vulnerability exists in Magento 2. ...) NOT-FOR-US: Magento CVE-2019-8116 (Insecure authentication and session management vulnerability exists in ...) NOT-FOR-US: Magento CVE-2019-8115 (A reflected cross-site scripting (XSS) vulnerability exists in Magento ...) NOT-FOR-US: Magento CVE-2019-8114 (A remote code execution vulnerability exists in Magento 1 prior to 1.9 ...) NOT-FOR-US: Magento CVE-2019-8113 (Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1 us ...) NOT-FOR-US: Magento CVE-2019-8112 (A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, ...) NOT-FOR-US: Magento CVE-2019-8111 (A remote code execution vulnerability exists in Magento 2.2 prior to 2 ...) NOT-FOR-US: Magento CVE-2019-8110 (A remote code execution vulnerability exists in Magento 2.2 prior to 2 ...) NOT-FOR-US: Magento CVE-2019-8109 (A remote code execution vulnerability exists in Magento 2.2 prior to 2 ...) NOT-FOR-US: Magento CVE-2019-8108 (Insecure authentication and session management vulnerability exists in ...) NOT-FOR-US: Magento CVE-2019-8107 (An arbitrary file deletion vulnerability exists in Magento 2.2 prior t ...) NOT-FOR-US: Magento CVE-2019-8106 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8105 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8104 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8103 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8102 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8101 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8100 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8099 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8098 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8097 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8096 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8095 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8094 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8093 (An arbitrary file access vulnerability exists in Magento 2.2 prior to ...) NOT-FOR-US: Magento CVE-2019-8092 (A reflected cross-site scripting (XSS) vulnerability exists in Magento ...) NOT-FOR-US: Magento CVE-2019-8091 (A remote code execution vulnerability exists in Magento 1 prior to 1.9 ...) NOT-FOR-US: Magento CVE-2019-8090 (An arbitrary file deletion vulnerability exists in Magento 2.1 prior t ...) NOT-FOR-US: Magento CVE-2019-8089 (Adobe Experience Manager Forms versions 6.3-6.5 have a reflected cross ...) NOT-FOR-US: Adobe CVE-2019-8088 (Adobe Experience Manager versions 6.5, 6.4, 6.3 and 6.2 have a command ...) NOT-FOR-US: Adobe CVE-2019-8087 (Adobe Experience Manager versions 6.5, 6.4, 6.3 and 6.2 have a xml ext ...) NOT-FOR-US: Adobe CVE-2019-8086 (Adobe Experience Manager versions 6.5, 6.4, 6.3 and 6.2 have a xml ext ...) NOT-FOR-US: Adobe CVE-2019-8085 (Adobe Experience Manager versions 6.5, 6.4, 6.3 and 6.2 have a reflect ...) NOT-FOR-US: Adobe CVE-2019-8084 (Adobe Experience Manager versions 6.5, 6.4, 6.3 and 6.2 have a reflect ...) NOT-FOR-US: Adobe CVE-2019-8083 (Adobe Experience Manager versions 6.5, 6.4 and 6.3 have a cross site s ...) NOT-FOR-US: Adobe CVE-2019-8082 (Adobe Experience Manager versions 6.4, 6.3 and 6.2 have a xml external ...) NOT-FOR-US: Adobe CVE-2019-8081 (Adobe Experience Manager versions 6.5, 6.4, 6.3 and 6.2 have an authen ...) NOT-FOR-US: Adobe CVE-2019-8080 (Adobe Experience Manager versions 6.4 and 6.3 have a stored cross site ...) NOT-FOR-US: Adobe CVE-2019-8079 (Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a s ...) NOT-FOR-US: Adobe CVE-2019-8078 (Adobe Experience Manager versions 6.4, 6.3 and 6.2 have a reflected cr ...) NOT-FOR-US: Adobe CVE-2019-8077 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8076 (Adobe application manager installer version 10.0 have an Insecure Libr ...) NOT-FOR-US: Adobe CVE-2019-8075 (Adobe Flash Player version 32.0.0.192 and earlier versions have a Same ...) NOT-FOR-US: Adobe CVE-2019-8074 (ColdFusion 2018- update 4 and earlier and ColdFusion 2016- update 11 a ...) NOT-FOR-US: Adobe CVE-2019-8073 (ColdFusion 2018- update 4 and earlier and ColdFusion 2016- update 11 a ...) NOT-FOR-US: Adobe CVE-2019-8072 (ColdFusion 2018- update 4 and earlier and ColdFusion 2016- update 11 a ...) NOT-FOR-US: Adobe CVE-2019-8071 (Adobe Download Manager versions 2.0.0.363 have an insecure file permis ...) NOT-FOR-US: Adobe CVE-2019-8070 (Adobe Flash Player 32.0.0.238 and earlier versions, 32.0.0.207 and ear ...) NOT-FOR-US: Adobe CVE-2019-8069 (Adobe Flash Player 32.0.0.238 and earlier versions, 32.0.0.207 and ear ...) NOT-FOR-US: Adobe CVE-2019-8068 RESERVED CVE-2019-8067 RESERVED CVE-2019-8066 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) TODO: check CVE-2019-8065 RESERVED CVE-2019-8064 (Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.0 ...) NOT-FOR-US: Adobe CVE-2019-8063 (Creative Cloud Desktop Application 4.6.1 and earlier versions have an ...) NOT-FOR-US: Creative Cloud Desktop Application CVE-2019-8062 (Adobe After Effects versions 16 and earlier have an insecure library l ...) NOT-FOR-US: Adobe CVE-2019-8061 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8060 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8059 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8058 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8057 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8056 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8055 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8054 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8053 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8052 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8051 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8050 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8049 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8048 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8047 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8046 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8045 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8044 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8043 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8042 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8041 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8040 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8039 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8038 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8037 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8036 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8035 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8034 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8033 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8032 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8031 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8030 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8029 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8028 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8027 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8026 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8025 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8024 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8023 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8022 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8021 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8020 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8019 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8018 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8017 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8016 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8015 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8014 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8013 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8012 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8011 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8010 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8009 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8008 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8007 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8006 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8005 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8004 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8003 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8002 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-8001 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-8000 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7999 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7998 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7997 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7996 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7995 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7994 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7993 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7992 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7991 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7990 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7989 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7988 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7987 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7986 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7985 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7984 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7983 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7982 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7981 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7980 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7979 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7978 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7977 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7976 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7975 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7974 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7973 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7972 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7971 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7970 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7969 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7968 (Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier ...) NOT-FOR-US: Adobe CVE-2019-7967 RESERVED CVE-2019-7966 RESERVED CVE-2019-7965 (Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012 ...) NOT-FOR-US: Adobe CVE-2019-7964 (Adobe Experience Manager versions 6.5, and 6.4 have an authentication ...) NOT-FOR-US: Adobe Experience Manager CVE-2019-7963 (Adobe Bridge CC version 9.0.2 and earlier versions have an out of boun ...) NOT-FOR-US: Adobe Bridge CC CVE-2019-7962 (Adobe Illustrator CC versions 23.1 and earlier have an insecure librar ...) NOT-FOR-US: Adobe CVE-2019-7961 (Adobe Prelude CC versions 8.1 and earlier have an insecure library loa ...) NOT-FOR-US: Adobe CVE-2019-7960 (Adobe Animate CC versions 19.2.1 and earlier have an insecure library ...) NOT-FOR-US: Adobe CVE-2019-7959 (Creative Cloud Desktop Application versions 4.6.1 and earlier have a u ...) NOT-FOR-US: Creative Cloud Desktop Application CVE-2019-7958 (Creative Cloud Desktop Application versions 4.6.1 and earlier have an ...) NOT-FOR-US: Creative Cloud Desktop Application CVE-2019-7957 (Creative Cloud Desktop Application versions 4.6.1 and earlier have a s ...) NOT-FOR-US: Creative Cloud Desktop Application CVE-2019-7956 (Adobe Dreamweaver direct download installer versions 19.0 and below, 1 ...) NOT-FOR-US: Adobe CVE-2019-7955 (Adobe Experience Manager version 6.4 and ealier have a Reflected Cross ...) NOT-FOR-US: Adobe CVE-2019-7954 (Adobe Experience Manager version 6.4 and ealier have a Stored Cross-si ...) NOT-FOR-US: Adobe CVE-2019-7953 (Adobe Experience Manager version 6.4 and ealier have a Cross-Site Requ ...) NOT-FOR-US: Adobe CVE-2019-7952 RESERVED CVE-2019-7951 (An information leakage vulnerability exists in Magento 2.1 prior to 2. ...) NOT-FOR-US: Magento CVE-2019-7950 (An access control bypass vulnerability exists in Magento 2.1 prior to ...) NOT-FOR-US: Magento CVE-2019-7949 RESERVED CVE-2019-7948 RESERVED CVE-2019-7947 (A cross-site request forgery vulnerability exists in the GiftCardAccou ...) NOT-FOR-US: Magento CVE-2019-7946 RESERVED CVE-2019-7945 (A stored cross-cite scripting vulnerability exists in Magento Open Sou ...) NOT-FOR-US: Magento CVE-2019-7944 (A stored cross-site scripting vulnerability exists in the product comm ...) NOT-FOR-US: Magento CVE-2019-7943 RESERVED CVE-2019-7942 (A remote code execution vulnerability exists in Magento 2.1 prior to 2 ...) NOT-FOR-US: Magento CVE-2019-7941 (Adobe Campaign Classic version 18.10.5-8984 and earlier versions have ...) NOT-FOR-US: Adobe CVE-2019-7940 (A stored cross-site scripting vulnerability exists in the admin panel ...) NOT-FOR-US: Magento CVE-2019-7939 (A reflected cross-site scripting vulnerability exists on the customer ...) NOT-FOR-US: Magento CVE-2019-7938 (A stored cross-site scripting vulnerability exists in the admin panel ...) NOT-FOR-US: Magento CVE-2019-7937 (A stored cross-site scripting vulnerability exists in the admin panel ...) NOT-FOR-US: Magento CVE-2019-7936 (A stored cross-site scripting vulnerability exists in the admin panel ...) NOT-FOR-US: Magento CVE-2019-7935 (A stored cross-site scripting vulnerability exists in the admin panel ...) NOT-FOR-US: Magento CVE-2019-7934 (A stored cross-site scripting vulnerability exists in the admin panel ...) NOT-FOR-US: Magento CVE-2019-7933 RESERVED CVE-2019-7932 (A remote code execution vulnerability exists in Magento Open Source pr ...) NOT-FOR-US: Magento CVE-2019-7931 (Adobe Premiere Pro CC versions 13.1.2 and earlier have an insecure lib ...) NOT-FOR-US: Adobe CVE-2019-7930 (A file upload restriction bypass exists in Magento 2.1 prior to 2.1.18 ...) NOT-FOR-US: Magento CVE-2019-7929 (An information leakage vulnerability exists in Magento 2.1 prior to 2. ...) NOT-FOR-US: Magento CVE-2019-7928 (A denial-of-service (DoS) vulnerability exists in Magento 2.1 prior to ...) NOT-FOR-US: Magento CVE-2019-7927 (A stored cross-site scripting vulnerability exists in the admin panel ...) NOT-FOR-US: Magento CVE-2019-7926 (A stored cross-site scripting vulnerability exists in the admin panel ...) NOT-FOR-US: Magento CVE-2019-7925 (An insecure direct object reference (IDOR) vulnerability exists in Mag ...) NOT-FOR-US: Magento CVE-2019-7924 RESERVED CVE-2019-7923 (A server-side request forgery (SSRF) vulnerability exists in Magento 2 ...) NOT-FOR-US: Magento CVE-2019-7922 RESERVED CVE-2019-7921 (A stored cross-site scripting vulnerability exists in the product cata ...) NOT-FOR-US: Magento CVE-2019-7920 RESERVED CVE-2019-7919 RESERVED CVE-2019-7918 RESERVED CVE-2019-7917 RESERVED CVE-2019-7916 RESERVED CVE-2019-7915 (A denial-of-service vulnerability exists in Magento 2.1 prior to 2.1.1 ...) NOT-FOR-US: Magento CVE-2019-7914 RESERVED CVE-2019-7913 (A server-side request forgery (SSRF) vulnerability exists in Magento 2 ...) NOT-FOR-US: Magento CVE-2019-7912 (A file upload filter bypass exists in Magento 2.1 prior to 2.1.18, Mag ...) NOT-FOR-US: Magento CVE-2019-7911 (A server-side request forgery (SSRF) vulnerability exists in Magento O ...) NOT-FOR-US: Magento CVE-2019-7910 RESERVED CVE-2019-7909 (A stored cross-site scripting vulnerability exists in the admin panel ...) NOT-FOR-US: Magento CVE-2019-7908 (A stored cross-site scripting vulnerability exists in the admin panel ...) NOT-FOR-US: Magento CVE-2019-7907 RESERVED CVE-2019-7906 RESERVED CVE-2019-7905 RESERVED CVE-2019-7904 (Insufficient enforcement of user access controls in Magento 2.1 prior ...) NOT-FOR-US: Magento CVE-2019-7903 (A remote code execution vulnerability exists in Magento 2.1 prior to 2 ...) NOT-FOR-US: Magento CVE-2019-7902 RESERVED CVE-2019-7901 RESERVED CVE-2019-7900 RESERVED CVE-2019-7899 (Names of disabled downloadable products could be disclosed due to inad ...) NOT-FOR-US: Magento CVE-2019-7898 (Samples of disabled downloadable products are accessible in Magento Op ...) NOT-FOR-US: Magento CVE-2019-7897 (A stored cross-site scripting vulnerability exists in the admin panel ...) NOT-FOR-US: Magento CVE-2019-7896 (A remote code execution vulnerability exists in Magento 2.1 prior to 2 ...) NOT-FOR-US: Magento CVE-2019-7895 (A remote code execution vulnerability exists in Magento 2.1 prior to 2 ...) NOT-FOR-US: Magento CVE-2019-7894 RESERVED CVE-2019-7893 RESERVED CVE-2019-7892 (A remote code execution vulnerability exists in Magento 2.1 prior to 2 ...) NOT-FOR-US: Magento CVE-2019-7891 RESERVED CVE-2019-7890 (An Insecure Direct Object Reference (IDOR) vulnerability exists in the ...) NOT-FOR-US: Magento CVE-2019-7889 (An injection vulnerability exists in Magento Open Source prior to 1.9. ...) NOT-FOR-US: Magento CVE-2019-7888 (An information disclosure vulnerability exists in Magento 2.1 prior to ...) NOT-FOR-US: Magento CVE-2019-7887 (A reflected cross-site scripting vulnerability exists in the admin pan ...) NOT-FOR-US: Magento CVE-2019-7886 (A cryptograhic flaw exists in Magento 2.1 prior to 2.1.18, Magento 2.2 ...) NOT-FOR-US: Magento CVE-2019-7885 (Insufficient input validation in the config builder of the Elastic sea ...) NOT-FOR-US: Magento CVE-2019-7884 RESERVED CVE-2019-7883 RESERVED CVE-2019-7882 (A stored cross-site scripting vulnerability exists in the WYSIWYG edit ...) NOT-FOR-US: Magento CVE-2019-7881 (A cross-site scripting mitigation bypass exists in Magento 2.1 prior t ...) NOT-FOR-US: Magento CVE-2019-7880 (A stored cross-site scripting vulnerability exists in the admin panel ...) NOT-FOR-US: Magento CVE-2019-7879 RESERVED CVE-2019-7878 RESERVED CVE-2019-7877 (A stored cross-site scripting vulnerability exists in the admin panel ...) NOT-FOR-US: Magento CVE-2019-7876 (A remote code execution vulnerability exists in Magento 2.1 prior to 2 ...) NOT-FOR-US: Magento CVE-2019-7875 (A stored cross-site scripting vulnerability exists in the admin panel ...) NOT-FOR-US: Magento CVE-2019-7874 (A cross-site request forgery vulnerability exists in Magento 2.1 prior ...) NOT-FOR-US: Magento CVE-2019-7873 (A cross-site request forgery vulnerability exists in Magento 2.1 prior ...) NOT-FOR-US: Magento CVE-2019-7872 (An insecure direct object reference (IDOR) vulnerability exists in Mag ...) NOT-FOR-US: Magento CVE-2019-7871 (A security bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 p ...) NOT-FOR-US: Magento CVE-2019-7870 (Adobe Character Animator versions 2.1 and earlier have an insecure lib ...) NOT-FOR-US: Adobe CVE-2019-7869 (A stored cross-site scripting vulnerability exists in the admin panel ...) NOT-FOR-US: Magento CVE-2019-7868 (A stored cross-site scripting vulnerability exists in the admin panel ...) NOT-FOR-US: Magento CVE-2019-7867 (A stored cross-site scripting vulnerability exists in the admin panel ...) NOT-FOR-US: Magento CVE-2019-7866 (A stored cross-site scripting vulnerability exists in the admin panel ...) NOT-FOR-US: Magento CVE-2019-7865 (A cross-site request forgery (CSRF) vulnerability exists in the checko ...) NOT-FOR-US: Magento CVE-2019-7864 (An insecure direct object reference (IDOR) vulnerability exists in the ...) NOT-FOR-US: Magento CVE-2019-7863 (A stored cross-site scripting vulnerability exists in the admin panel ...) NOT-FOR-US: Magento CVE-2019-7862 (A reflected cross-site scripting vulnerability exists in the Product w ...) NOT-FOR-US: Magento CVE-2019-7861 (Insufficient server-side validation of user input could allow an attac ...) NOT-FOR-US: Magento CVE-2019-7860 (A cryptographically weak pseudo-rando number generator is used in mult ...) NOT-FOR-US: Magento CVE-2019-7859 (A path traversal vulnerability in the WYSIWYG editor for Magento 2.1 p ...) NOT-FOR-US: Magento CVE-2019-7858 (A cryptographic flaw in Magento 2.1 prior to 2.1.18, Magento 2.2 prior ...) NOT-FOR-US: Magento CVE-2019-7857 (A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1 ...) NOT-FOR-US: Magento CVE-2019-7856 RESERVED CVE-2019-7855 (A cryptograhic flaw in Magento 2.1 prior to 2.1.18, Magento 2.2 prior ...) NOT-FOR-US: Magento CVE-2019-7854 (An insecure direct object reference (IDOR) vulnerability in Magento 2. ...) NOT-FOR-US: Magento CVE-2019-7853 (A stored cross-site scripting vulnerability exists in Magento 2.1 prio ...) NOT-FOR-US: Magento CVE-2019-7852 (A path disclosure vulnerability exists in Magento 2.1 prior to 2.1.18, ...) NOT-FOR-US: Magento CVE-2019-7851 (A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1 ...) NOT-FOR-US: Magento CVE-2019-7850 (Adobe Campaign Classic version 18.10.5-8984 and earlier versions have ...) NOT-FOR-US: Adobe CVE-2019-7849 (A defense-in-depth check was added to mitigate inadequate session vali ...) NOT-FOR-US: Magento CVE-2019-7848 (Adobe Campaign Classic version 18.10.5-8984 and earlier versions have ...) NOT-FOR-US: Adobe CVE-2019-7847 (Adobe Campaign Classic version 18.10.5-8984 and earlier versions have ...) NOT-FOR-US: Adobe CVE-2019-7846 (Adobe Campaign Classic version 18.10.5-8984 and earlier versions have ...) NOT-FOR-US: Adobe CVE-2019-7845 (Adobe Flash Player versions 32.0.0.192 and earlier, 32.0.0.192 and ear ...) NOT-FOR-US: Adobe CVE-2019-7844 (Adobe Media Encoder version 13.0.2 has an out-of-bounds read vulnerabi ...) NOT-FOR-US: Adobe CVE-2019-7843 (Adobe Campaign Classic version 18.10.5-8984 and earlier versions have ...) NOT-FOR-US: Adobe CVE-2019-7842 (Adobe Media Encoder version 13.0.2 has a use-after-free vulnerability. ...) NOT-FOR-US: Adobe CVE-2019-7841 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7840 (ColdFusion versions Update 3 and earlier, Update 10 and earlier, and U ...) NOT-FOR-US: Adobe ColdFusion CVE-2019-7839 (ColdFusion versions Update 3 and earlier, Update 10 and earlier, and U ...) NOT-FOR-US: Adobe ColdFusion CVE-2019-7838 (ColdFusion versions Update 3 and earlier, Update 10 and earlier, and U ...) NOT-FOR-US: Adobe ColdFusion CVE-2019-7837 (Adobe Flash Player versions 32.0.0.171 and earlier, 32.0.0.171 and ear ...) NOT-FOR-US: Adobe CVE-2019-7836 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7835 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7834 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7833 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7832 (Adobe Acrobat and Reader versions , 2019.012.20035 and earlier, 2019.0 ...) NOT-FOR-US: Adobe CVE-2019-7831 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7830 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7829 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7828 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7827 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7826 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7825 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7824 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7823 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7822 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7821 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7820 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7819 RESERVED CVE-2019-7818 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7817 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7816 (ColdFusion versions Update 2 and earlier, Update 9 and earlier, and Up ...) NOT-FOR-US: Adobe CVE-2019-7815 (Adobe Acrobat and Reader versions 2019.010.20091 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7814 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7813 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7812 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7811 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7810 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7809 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7808 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7807 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7806 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7805 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7804 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7803 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7802 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7801 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7800 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7799 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7798 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7797 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7796 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7795 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7794 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7793 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7792 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7791 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7790 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7789 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7788 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7787 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7786 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7785 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7784 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7783 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7782 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7781 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7780 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7779 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7778 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7777 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7776 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7775 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7774 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7773 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7772 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7771 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7770 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7769 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7768 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7767 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7766 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7765 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7764 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7763 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7762 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7761 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7760 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7759 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7758 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7757 RESERVED CVE-2019-7756 RESERVED CVE-2019-7755 (In webERP 4.15, the Import Bank Transactions function fails to sanitiz ...) NOT-FOR-US: webERP CVE-2019-7754 RESERVED CVE-2019-7753 (Verydows 2.0 has XSS via the index.php?m=api&c=stats&a=count r ...) NOT-FOR-US: Verydows CVE-2018-20781 (In pam/gkr-pam-module.c in GNOME Keyring before 3.27.2, the user's pas ...) - gnome-keyring 3.28.0-1 (unimportant) NOTE: https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1772919 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=781486 NOTE: https://gitlab.gnome.org/GNOME/gnome-keyring/issues/3 NOTE: Not a vulnerability, just a hardening patch CVE-2019-7752 RESERVED CVE-2019-7751 (A directory traversal and local file inclusion vulnerability in FPProd ...) NOT-FOR-US: Ricoh CVE-2019-7750 RESERVED CVE-2019-7749 RESERVED CVE-2019-7748 (_includes\online.php in DbNinja 3.2.7 allows XSS via the data.php task ...) NOT-FOR-US: DbNinja CVE-2019-7747 (DbNinja 3.2.7 allows session fixation via the data.php sessid paramete ...) NOT-FOR-US: DbNinja CVE-2019-7746 (JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices allow remote attackers to ...) NOT-FOR-US: JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices CVE-2019-7745 (JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices allow remote attackers to ...) NOT-FOR-US: JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices CVE-2019-7744 (An issue was discovered in Joomla! before 3.9.3. Inadequate filtering ...) NOT-FOR-US: Joomla! CVE-2019-7743 (An issue was discovered in Joomla! before 3.9.3. The phar:// stream wr ...) NOT-FOR-US: Joomla! CVE-2019-7742 (An issue was discovered in Joomla! before 3.9.3. A combination of spec ...) NOT-FOR-US: Joomla! CVE-2019-7741 (An issue was discovered in Joomla! before 3.9.3. Inadequate checks at ...) NOT-FOR-US: Joomla! CVE-2019-7740 (An issue was discovered in Joomla! before 3.9.3. Inadequate parameter ...) NOT-FOR-US: Joomla! CVE-2019-7739 (An issue was discovered in Joomla! before 3.9.3. The "No Filtering" te ...) NOT-FOR-US: Joomla! CVE-2019-7738 (C.P.Sub before 5.3 allows CSRF via a manage.php?p=article_del&id= ...) NOT-FOR-US: C.P.Sub CVE-2019-7737 (A CSRF vulnerability was found in Verydows v2.0 that can add an admin ...) NOT-FOR-US: Verydows CVE-2019-7736 (D-Link DIR-600M C1 3.04 devices allow authentication bypass via a dire ...) NOT-FOR-US: D-Link CVE-2019-7735 RESERVED CVE-2019-7734 RESERVED CVE-2019-7733 (In Live555 0.95, there is a buffer overflow via a large integer in a C ...) [experimental] - liblivemedia 2019.05.12-1 - liblivemedia 2019.10.11-2 (low; bug #929948) [buster] - liblivemedia (Minor issue) [stretch] - liblivemedia (Minor issue) [jessie] - liblivemedia (Minor issue) NOTE: https://github.com/rgaufman/live555/issues/21 NOTE: fixed in 2019.05.12: http://www.live555.com/liveMedia/public/changelog.txt CVE-2019-7732 (In Live555 0.95, a setup packet can cause a memory leak leading to DoS ...) - liblivemedia (unimportant) [stretch] - liblivemedia (Minor issue) [jessie] - liblivemedia (Minor issue, unlikely to be exploited in practice) NOTE: https://github.com/rgaufman/live555/issues/20 NOTE: upstream considers this issue invalid: http://lists.live555.com/pipermail/live-devel/2019-May/021218.html CVE-2019-7731 (MyWebSQL 3.7 has a remote code execution (RCE) vulnerability after an ...) NOT-FOR-US: MyWebSQL CVE-2019-7730 (MyWebSQL 3.7 has a Cross-site request forgery (CSRF) vulnerability for ...) NOT-FOR-US: MyWebSQL CVE-2019-7729 (An issue was discovered in the Bosch Smart Camera App before 1.3.1 for ...) NOT-FOR-US: Bosch Smart Camera App CVE-2019-7728 (An issue was discovered in the Bosch Smart Camera App before 1.3.1 for ...) NOT-FOR-US: Bosch Smart Camera App CVE-2019-7727 (In NICE Engage through 6.5, the default configuration binds an unauthe ...) NOT-FOR-US: NICE Engage CVE-2019-7726 RESERVED CVE-2019-7725 RESERVED CVE-2019-7724 RESERVED CVE-2019-7723 RESERVED CVE-2019-7722 (PMD 5.8.1 and earlier processes XML external entities in ruleset files ...) NOT-FOR-US: PMD CVE-2019-XXXX [fuse mount exposes backup to unauthorized users] - borgbackup 1.1.9-1 (bug #922080) [stretch] - borgbackup (Minor issue) NOTE: https://github.com/borgbackup/borg/issues/3903 CVE-2019-7721 (lib/NCCms.class.php in nc-cms 3.5 allows upload of .php files via the ...) NOT-FOR-US: nc-cms CVE-2019-7720 (taocms through 2014-05-24 allows eval injection by placing PHP code in ...) NOT-FOR-US: taocms CVE-2019-7719 (Nibbleblog 4.0.5 allows eval injection by placing PHP code in the inst ...) NOT-FOR-US: Nibbleblog CVE-2019-7718 (An issue was discovered in Metinfo 6.x. An attacker can leverage a rac ...) NOT-FOR-US: Metinfo CVE-2019-7717 RESERVED CVE-2019-7716 RESERVED CVE-2019-7715 (An issue was discovered in the Interpeak IPCOMShell TELNET server on G ...) NOT-FOR-US: Interpeak CVE-2019-7714 (An issue was discovered in Interpeak IPWEBS on Green Hills INTEGRITY R ...) NOT-FOR-US: Interpeak CVE-2019-7713 (An issue was discovered in the Interpeak IPCOMShell TELNET server on G ...) NOT-FOR-US: Interpeak CVE-2019-7712 (An issue was discovered in handler_ipcom_shell_pwd in the Interpeak IP ...) NOT-FOR-US: Interpeak CVE-2019-7711 (An issue was discovered in the Interpeak IPCOMShell TELNET server on G ...) NOT-FOR-US: Interpeak CVE-2019-7710 RESERVED CVE-2019-7709 RESERVED CVE-2019-7708 RESERVED CVE-2019-7707 RESERVED CVE-2019-7706 RESERVED CVE-2019-7705 RESERVED CVE-2019-7704 (wasm::WasmBinaryBuilder::readUserSection in wasm-binary.cpp in Binarye ...) - binaryen 64-1 NOTE: https://github.com/WebAssembly/binaryen/issues/1866 CVE-2019-7703 (In Binaryen 1.38.22, there is a use-after-free problem in wasm::WasmBi ...) - binaryen 64-1 NOTE: https://github.com/WebAssembly/binaryen/issues/1865 CVE-2019-7702 (A NULL pointer dereference was discovered in wasm::SExpressionWasmBuil ...) - binaryen 64-1 NOTE: https://github.com/WebAssembly/binaryen/issues/1867 CVE-2019-7701 (A heap-based buffer over-read was discovered in wasm::SExpressionParse ...) - binaryen 64-1 NOTE: https://github.com/WebAssembly/binaryen/issues/1863 CVE-2019-7700 (A heap-based buffer over-read was discovered in wasm::WasmBinaryBuilde ...) - binaryen 64-1 NOTE: https://github.com/WebAssembly/binaryen/issues/1864 CVE-2019-7699 (A heap-based buffer over-read occurs in AP4_BitStream::WriteBytes in C ...) NOT-FOR-US: Bento4 CVE-2019-7698 (An issue was discovered in AP4_Array<AP4_CttsTableEntry>::Ensure ...) NOT-FOR-US: Bento4 CVE-2019-7697 (An issue was discovered in Bento4 v1.5.1-627. There is an assertion fa ...) NOT-FOR-US: Bento4 CVE-2018-20780 (Traq 3.7.1 allows admin/users/new CSRF to create an admin account (aka ...) NOT-FOR-US: Traq CVE-2018-20779 (Traq 3.7.1 allows SQL Injection via a tickets?search= URI. ...) NOT-FOR-US: Traq CVE-2018-20778 (admin/?/plugin/file_manager in Frog CMS 0.9.5 allows XSS by creating a ...) NOT-FOR-US: Frog CMS CVE-2018-20777 (Frog CMS 0.9.5 has XSS via the admin/?/snippet/edit/1 Body field. ...) NOT-FOR-US: Frog CMS CVE-2018-20776 (Frog CMS 0.9.5 provides a directory listing for a /public request. ...) NOT-FOR-US: Frog CMS CVE-2018-20775 (admin/?/plugin/file_manager in Frog CMS 0.9.5 allows PHP code executio ...) NOT-FOR-US: Frog CMS CVE-2018-20774 (Frog CMS 0.9.5 has XSS via the admin/?/layout/edit/1 Body field. ...) NOT-FOR-US: Frog CMS CVE-2018-20773 (Frog CMS 0.9.5 allows PHP code execution by visiting admin/?/page/edit ...) NOT-FOR-US: Frog CMS CVE-2018-20772 (Frog CMS 0.9.5 allows PHP code execution via <?php to the admin/?/l ...) NOT-FOR-US: Frog CMS CVE-2019-7696 RESERVED CVE-2019-7695 RESERVED CVE-2019-7694 RESERVED CVE-2019-7693 (Axios Italia Axios RE 1.7.0/7.0.0 devices have XSS via the RELogOff.as ...) NOT-FOR-US: Axios Italia Axios RE devices CVE-2019-7692 (install/install.php in CIM 0.9.3 allows remote attackers to execute ar ...) NOT-FOR-US: CIM CVE-2019-7691 RESERVED CVE-2019-7690 (In MobaTek MobaXterm Personal Edition v11.1 Build 3860, the SSH privat ...) NOT-FOR-US: MobaTek MobaXterm CVE-2019-7689 RESERVED CVE-2019-7688 RESERVED CVE-2019-7687 (cgi-bin/qcmap_web_cgi on JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices ...) NOT-FOR-US: JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices CVE-2018-20771 (An issue was discovered on Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, ...) NOT-FOR-US: Xerox devices CVE-2018-20770 (An issue was discovered on Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, ...) NOT-FOR-US: Xerox devices CVE-2018-20769 (An issue was discovered on Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, ...) NOT-FOR-US: Xerox devices CVE-2018-20768 (An issue was discovered on Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, ...) NOT-FOR-US: Xerox devices CVE-2018-20767 (An issue was discovered on Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, ...) NOT-FOR-US: Xerox devices CVE-2018-20766 RESERVED CVE-2018-20765 RESERVED CVE-2019-7686 RESERVED CVE-2019-7685 RESERVED CVE-2019-7684 (inxedu through 2018-12-24 has a vulnerability that can lead to the upl ...) NOT-FOR-US: inxedu CVE-2019-7683 RESERVED CVE-2019-7682 RESERVED CVE-2019-7681 RESERVED CVE-2019-7680 RESERVED CVE-2019-7679 RESERVED CVE-2019-7678 (A directory traversal vulnerability was discovered in Enphase Envoy R3 ...) NOT-FOR-US: Enphase Envoy CVE-2019-7677 (XSS exists in Enphase Envoy R3.*.* via the profileName parameter to th ...) NOT-FOR-US: Enphase Envoy CVE-2019-7676 (A weak password vulnerability was discovered in Enphase Envoy R3.*.*. ...) NOT-FOR-US: Enphase Envoy CVE-2019-7675 (An issue was discovered on MOBOTIX S14 MX-V4.2.1.61 devices. The defau ...) NOT-FOR-US: MOBOTIX CVE-2019-7674 (An issue was discovered on MOBOTIX S14 MX-V4.2.1.61 devices. /admin/ac ...) NOT-FOR-US: MOBOTIX CVE-2019-7673 (An issue was discovered on MOBOTIX S14 MX-V4.2.1.61 devices. Administr ...) NOT-FOR-US: MOBOTIX CVE-2019-7672 (Prima Systems FlexAir, Versions 2.3.38 and prior. The flash version of ...) NOT-FOR-US: Prima Systems FlexAir devices CVE-2019-7671 (Prima Systems FlexAir, Versions 2.3.38 and prior. Parameters sent to s ...) NOT-FOR-US: Prima Systems FlexAir devices CVE-2019-7670 (Prima Systems FlexAir, Versions 2.3.38 and prior. The application inco ...) NOT-FOR-US: Prima Systems FlexAir devices CVE-2019-7669 (Prima Systems FlexAir, Versions 2.3.38 and prior. Improper validation ...) NOT-FOR-US: Prima Systems FlexAir devices CVE-2019-7668 (Prima Systems FlexAir devices have Default Credentials. ...) NOT-FOR-US: Prima Systems FlexAir devices CVE-2019-7667 (Prima Systems FlexAir, Versions 2.3.38 and prior. The application gene ...) NOT-FOR-US: Prima Systems FlexAir devices CVE-2019-7666 (Prima Systems FlexAir, Versions 2.3.38 and prior. The application allo ...) NOT-FOR-US: Prima Systems FlexAir devices CVE-2019-7665 (In elfutils 0.175, a heap-based buffer over-read was discovered in the ...) {DLA-1689-1} - elfutils 0.176-1 (low; bug #921880) [stretch] - elfutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24089 NOTE: https://sourceware.org/ml/elfutils-devel/2019-q1/msg00049.html NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=de01cc6f9446187d69b9748bb3636361c79e77a4 CVE-2019-7664 (In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_not ...) - elfutils 0.176-1 (low; bug #921881) [stretch] - elfutils (Minor issue) [jessie] - elfutils (Vulnerable code introduced later) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24084 NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=e65d91d21cb09d83b001fef9435e576ba447db32 CVE-2019-7663 (An Invalid Address dereference was discovered in TIFFWriteDirectoryTag ...) {DSA-4670-1 DLA-1680-1} - tiff 4.0.10-4 - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2833 NOTE: Fixed by: https://gitlab.com/libtiff/libtiff/commit/802d3cbf3043be5dce5317e140ccb1c17a6a2d39 NOTE: Same patch as CVE-2018-17000 but different issue. As well different NOTE: issue than CVE-2018-12900. CVE-2019-7662 (An assertion failure was discovered in wasm::WasmBinaryBuilder::getTyp ...) - binaryen 66-1 NOTE: https://github.com/WebAssembly/binaryen/issues/1872 CVE-2019-7661 (An issue was discovered in PHPMyWind 5.5. The method parameter of the ...) NOT-FOR-US: PHPMyWind CVE-2019-7660 (An issue was discovered in PHPMyWind 5.5. The username parameter of th ...) NOT-FOR-US: PHPMyWind CVE-2019-7659 (Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause ...) {DLA-1681-1} - gsoap 2.8.75-1 [stretch] - gsoap 2.8.35-4+deb9u2 - r-other-x4r 1.0.1+git20150806.c6bd9bd-2 NOTE: https://www.genivia.com/advisory.html#Bug_in_gSOAP_versions_2.7.0_to_2.8.74_for_applications_built_with_the_WITH_COOKIES_flag_enabled_ NOTE: https://lists.debian.org/debian-lts/2019/02/msg00131.html CVE-2009-5154 (An issue was discovered on MOBOTIX S14 MX-V4.2.1.61 devices. There is ...) NOT-FOR-US: MOBOTIX CVE-2019-7658 RESERVED CVE-2019-7657 RESERVED CVE-2019-7656 (A privilege escalation vulnerability in Wowza Streaming Engine 4.8.0 a ...) NOT-FOR-US: Wowza Streaming Engine CVE-2019-7655 (Wowza Streaming Engine 4.8.0 and earlier from multiple authenticated X ...) NOT-FOR-US: Wowza Streaming Engine CVE-2019-7654 (Wowza Streaming Engine 4.8.0 and earlier suffers from multiple CSRF vu ...) NOT-FOR-US: Wowza Streaming Engine CVE-2019-7652 (TheHive Project UnshortenLink analyzer before 1.1, included in Cortex- ...) NOT-FOR-US: TheHive Project UnshortenLink analyzer CVE-2019-7651 (EPP.sys in Emsisoft Anti-Malware prior to version 2018.12 allows an at ...) NOT-FOR-US: Emsisoft Anti-Malware CVE-2019-7650 RESERVED CVE-2019-7653 (The Debian python-rdflib-tools 4.2.2-1 package for RDFLib 4.2.2 has CL ...) {DLA-1717-1} - rdflib 4.2.2-2 (low; bug #921751) [stretch] - rdflib (Minor issue) NOTE: Debian specific issue as respective scripts are overwritten in Debian NOTE: packaging as wrappers invoking python -m. CVE-2019-7649 (global.encryptPassword in bootstrap/global.js in CMSWing 1.3.7 relies ...) NOT-FOR-US: CMSWing CVE-2019-7648 (controller/fetchpwd.php and controller/doAction.php in Hotels_Server t ...) NOT-FOR-US: Hotels_Server CVE-2019-7647 RESERVED CVE-2019-7646 (CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.763 is vu ...) NOT-FOR-US: CentOS Web Panel CVE-2019-7645 RESERVED CVE-2019-7644 (Auth0 Auth0-WCF-Service-JWT before 1.0.4 leaks the expected JWT signat ...) NOT-FOR-US: Auth0 Auth0-WCF-Service-JWT CVE-2019-7643 RESERVED CVE-2019-7642 (D-Link routers with the mydlink feature have some web interfaces witho ...) NOT-FOR-US: D-Link CVE-2019-7641 RESERVED CVE-2019-7640 RESERVED CVE-2019-7639 (An issue was discovered in gsi-openssh-server 7.9p1 on Fedora 29. If P ...) NOT-FOR-US: gsi-openssh-server (OpenSSH patched with openssh-7.9p1-gsissh.patch) CVE-2019-7638 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...) {DLA-1714-1 DLA-1713-1} - libsdl1.2 1.2.15+dfsg2-5 (bug #924609) [buster] - libsdl1.2 (Minor issue) [stretch] - libsdl1.2 (Minor issue) - libsdl2 2.0.10+dfsg1-1 (bug #924610) [buster] - libsdl2 (Minor issue) [stretch] - libsdl2 (Minor issue) NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4500 NOTE: https://hg.libsdl.org/SDL/rev/19d8c3b9c251 (SDL-1.2) NOTE: https://hg.libsdl.org/SDL/rev/07c39cbbeacf CVE-2019-7637 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...) {DLA-1714-1 DLA-1713-1} - libsdl1.2 1.2.15+dfsg2-5 (bug #924609) [buster] - libsdl1.2 (Minor issue) [stretch] - libsdl1.2 (Minor issue) - libsdl2 2.0.6+dfsg1-4 (bug #924610) [stretch] - libsdl2 (Minor issue) NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4497 NOTE: https://hg.libsdl.org/SDL/rev/9b0e5c555c0f (SDL-1.2) NOTE: https://hg.libsdl.org/SDL/rev/32075e9e2135 (SDL-1.2) NOTE: Patch causes regressions for some applications/games: NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1124825 NOTE: https://hg.libsdl.org/SDL/rev/81a4950907a0 (SDL-2) NOTE: For SDL-2 the fix for CVE-2017-2888 fixes as well CVE-2019-7637. CVE-2019-7636 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...) {DLA-1714-1 DLA-1713-1} - libsdl1.2 1.2.15+dfsg2-5 (bug #924609) [buster] - libsdl1.2 (Minor issue) [stretch] - libsdl1.2 (Minor issue) - libsdl2 2.0.10+dfsg1-1 (bug #924610) [buster] - libsdl2 (Minor issue) [stretch] - libsdl2 (Minor issue) NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4499 NOTE: https://hg.libsdl.org/SDL/rev/19d8c3b9c251 (SDL-1.2) NOTE: https://hg.libsdl.org/SDL/rev/07c39cbbeacf (SDL-2) CVE-2019-7635 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...) {DLA-1865-1 DLA-1861-1 DLA-1714-1 DLA-1713-1} - libsdl1.2 1.2.15+dfsg2-5 (bug #924609) [buster] - libsdl1.2 (Minor issue) [stretch] - libsdl1.2 (Minor issue) - libsdl2 2.0.10+dfsg1-1 (bug #924610) [buster] - libsdl2 (Minor issue) [stretch] - libsdl2 (Minor issue) - sdl-image1.2 1.2.12-11 (bug #932755) [buster] - sdl-image1.2 1.2.12-10+deb10u1 [stretch] - sdl-image1.2 1.2.12-5+deb9u2 - libsdl2-image 2.0.5+dfsg1-1 (bug #932754) [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1 [stretch] - libsdl2-image 2.0.1+dfsg-2+deb9u2 NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4498 NOTE: https://hg.libsdl.org/SDL/rev/7c643f1c1887 (SDL-2) NOTE: two patches initially merged for SDL-1.2: NOTE: https://hg.libsdl.org/SDL/rev/08f3b4992538 (SDL-1.2) (correct) NOTE: https://hg.libsdl.org/SDL/rev/4646533663ae (SDL-1.2) (broken) NOTE: the second one is incorrect as was reverted in NOTE: https://hg.libsdl.org/SDL/rev/33940ce0a0ba NOTE: https://hg.libsdl.org/SDL_image/rev/03bd33e8cb49 (SDL_image-2) NOTE: https://hg.libsdl.org/SDL_image/rev/a3a7cac00d5f (SDL_image-1.2) CVE-2018-20764 (A buffer overflow exists in HelpSystems tcpcrypt on Linux, used for Bo ...) NOT-FOR-US: BoKS NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1676393 NOTE: https://community.helpsystems.com/knowledge-base/fox-technologies/hotfix/515/ NOTE: No specific information is provided, but seems caused by BoKS shipping tcpcrypt setuid CVE-2019-7634 (SUAP V2 allows XSS during the update of user information. ...) NOT-FOR-US: SUAP CVE-2019-7633 RESERVED CVE-2019-7632 (LifeSize Team, Room, Passport, and Networker 220 devices allow Authent ...) NOT-FOR-US: LifeSize devices CVE-2019-7631 RESERVED CVE-2019-7630 (An issue was discovered in gdrv.sys in Gigabyte APP Center before 19.0 ...) NOT-FOR-US: Gigabyte APP Center CVE-2019-7629 (Stack-based buffer overflow in the strip_vt102_codes function in TinTi ...) - tintin++ 2.01.5-2 (low; bug #924348) [stretch] - tintin++ (Minor issue) [jessie] - tintin++ (Minor issue) CVE-2019-7628 (Pagure 5.2 leaks API keys by e-mailing them to users. Few e-mail serve ...) - pagure (Fixed before initial upload to the archive) CVE-2019-7627 RESERVED CVE-2019-7626 RESERVED CVE-2019-7625 RESERVED CVE-2019-7624 RESERVED CVE-2019-7623 RESERVED CVE-2019-7622 RESERVED CVE-2019-7621 (Kibana versions before 6.8.6 and 7.5.1 contain a cross site scripting ...) - kibana (bug #700337) CVE-2019-7620 (Logstash versions before 7.4.1 and 6.8.4 contain a denial of service f ...) NOT-FOR-US: Logstash Beats CVE-2019-7619 (Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username ...) - elasticsearch CVE-2019-7618 (A local file disclosure flaw was found in Elastic Code versions 7.3.0, ...) NOT-FOR-US: Elastic Code CVE-2019-7617 (When the Elastic APM agent for Python versions before 5.1.0 is run as ...) NOT-FOR-US: Elastic APM agent for Python CVE-2019-7616 (Kibana versions before 6.8.2 and 7.2.1 contain a server side request f ...) - kibana (bug #700337) CVE-2019-7615 (A TLS certificate validation flaw was found in Elastic APM agent for R ...) NOT-FOR-US: Elastic CVE-2019-7614 (A race condition flaw was found in the response headers Elasticsearch ...) - elasticsearch CVE-2019-7613 (Winlogbeat versions before 5.6.16 and 6.6.2 had an insufficient loggin ...) NOT-FOR-US: Winlogbeat CVE-2019-7612 (A sensitive data disclosure flaw was found in the way Logstash version ...) - logstash (bug #664841) CVE-2019-7611 (A permission issue was found in Elasticsearch versions before 5.6.15 a ...) - elasticsearch CVE-2019-7610 (Kibana versions before 6.6.1 contain an arbitrary code execution flaw ...) - kibana (bug #700337) CVE-2019-7609 (Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code exec ...) - kibana (bug #700337) CVE-2019-7608 (Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XS ...) - kibana (bug #700337) CVE-2019-7607 RESERVED CVE-2019-7606 RESERVED CVE-2019-7605 RESERVED CVE-2019-7604 RESERVED CVE-2019-7603 RESERVED CVE-2019-7602 RESERVED CVE-2019-7601 RESERVED CVE-2019-7600 RESERVED CVE-2019-7599 RESERVED CVE-2019-7598 RESERVED CVE-2019-7597 RESERVED CVE-2019-7596 RESERVED CVE-2019-7595 RESERVED CVE-2019-7594 (Metasys® ADS/ADX servers and NAE/NIE/NCE engines prior to 9.0 mak ...) NOT-FOR-US: Metasys ADS/ADX CVE-2019-7593 (Metasys® ADS/ADX servers and NAE/NIE/NCE engines prior to 9.0 mak ...) NOT-FOR-US: Metasys ADS/ADX CVE-2019-7592 RESERVED CVE-2019-7591 RESERVED CVE-2019-7590 (ExacqVision Server’s services 'exacqVisionServer', 'dvrdhcpserve ...) NOT-FOR-US: ExacqVision CVE-2019-7589 (A vulnerability with the SmartService API Service option exists whereb ...) NOT-FOR-US: SmartService API Service CVE-2019-7588 (A vulnerability in the exacqVision Enterprise System Manager (ESM) v5. ...) NOT-FOR-US: exacqVision Enterprise System Manager CVE-2019-7587 (Bo-blog Wind through 1.6.0-r allows SQL Injection via the admin.php/co ...) NOT-FOR-US: Bo-blog Wind CVE-2019-7586 RESERVED CVE-2019-7585 (An issue was discovered in Waimai Super Cms 20150505. web/Lib/Action/P ...) NOT-FOR-US: Waimai Super Cms CVE-2019-7584 RESERVED CVE-2019-7583 RESERVED CVE-2019-7582 (The readBytes function in util/read.c in libming through 0.4.8 allows ...) - ming NOTE: https://github.com/libming/libming/issues/172 CVE-2019-7581 (The parseSWF_ACTIONRECORD function in util/parser.c in libming through ...) - ming NOTE: https://github.com/libming/libming/issues/173 CVE-2019-7580 (ThinkCMF 5.0.190111 allows remote attackers to execute arbitrary PHP c ...) NOT-FOR-US: ThinkCMF CVE-2019-7579 (An issue was discovered on Linksys WRT1900ACS 1.0.3.187766 devices. An ...) NOT-FOR-US: Linksys CVE-2019-7578 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...) {DLA-1714-1 DLA-1713-1} - libsdl1.2 1.2.15+dfsg2-5 (bug #924609) [buster] - libsdl1.2 (Minor issue) [stretch] - libsdl1.2 (Minor issue) - libsdl2 2.0.10+dfsg1-1 (bug #924610) [buster] - libsdl2 (Minor issue) [stretch] - libsdl2 (Minor issue) NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4494 NOTE: https://hg.libsdl.org/SDL/rev/388987dff7bf (SDL-1.2) NOTE: https://hg.libsdl.org/SDL/rev/f9a9d6c76b21 (SDL-2) CVE-2019-7577 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...) {DLA-1714-1 DLA-1713-1} - libsdl1.2 1.2.15+dfsg2-5 (bug #924609) [buster] - libsdl1.2 (Minor issue) [stretch] - libsdl1.2 (Minor issue) - libsdl2 2.0.10+dfsg1-1 (bug #924610) [buster] - libsdl2 (Minor issue) [stretch] - libsdl2 (Minor issue) NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4492 NOTE: https://hg.libsdl.org/SDL/rev/faf9abbcfb5f (SDL-1.2) NOTE: https://hg.libsdl.org/SDL/rev/416136310b88 (SDL-1.2) NOTE: SDL2 was probably fixed during a refactoring, no targeted fix available: NOTE: https://hg.libsdl.org/SDL/rev/b06fa7da012b (SDL-2) CVE-2019-7576 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...) {DLA-1714-1 DLA-1713-1} - libsdl1.2 1.2.15+dfsg2-5 (bug #924609) [buster] - libsdl1.2 (Minor issue) [stretch] - libsdl1.2 (Minor issue) - libsdl2 2.0.10+dfsg1-1 (bug #924610) [buster] - libsdl2 (Minor issue) [stretch] - libsdl2 (Minor issue) NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4490 NOTE: Proposed patch: https://bugzilla.libsdl.org/attachment.cgi?id=3620&action=diff NOTE: very similar bug to CVE-2019-7573, fix for CVE-2019-7573 is applicable to this CVE-2019-7575 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...) {DLA-1714-1 DLA-1713-1} - libsdl1.2 1.2.15+dfsg2-5 (bug #924609) [buster] - libsdl1.2 (Minor issue) [stretch] - libsdl1.2 (Minor issue) - libsdl2 2.0.10+dfsg1-1 (bug #924610) [buster] - libsdl2 (Minor issue) [stretch] - libsdl2 (Minor issue) NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4493 NOTE: https://hg.libsdl.org/SDL/rev/a936f9bd3e38 (SDL-1.2) NOTE: SDL2 was probably fixed during a refactoring, no targeted fix available: NOTE: https://hg.libsdl.org/SDL/rev/b06fa7da012b (SDL-2) CVE-2019-7574 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...) {DLA-1714-1 DLA-1713-1} - libsdl1.2 1.2.15+dfsg2-5 (bug #924609) [buster] - libsdl1.2 (Minor issue) [stretch] - libsdl1.2 (Minor issue) - libsdl2 2.0.10+dfsg1-1 (bug #924610) [buster] - libsdl2 (Minor issue) [stretch] - libsdl2 (Minor issue) NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4496 NOTE: https://hg.libsdl.org/SDL/rev/a6e3d2f5183e (SDL-1.2) NOTE: SDL2 was probably fixed during a refactoring, no targeted fix available: NOTE: https://hg.libsdl.org/SDL/rev/b06fa7da012b (SDL-2) CVE-2019-7573 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...) {DLA-1714-1 DLA-1713-1} - libsdl1.2 1.2.15+dfsg2-5 (bug #924609) [buster] - libsdl1.2 (Minor issue) [stretch] - libsdl1.2 (Minor issue) - libsdl2 2.0.10+dfsg1-1 (bug #924610) [buster] - libsdl2 (Minor issue) [stretch] - libsdl2 (Minor issue) NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4491 NOTE: same patch as CVE-2019-7576 NOTE: https://hg.libsdl.org/SDL/rev/fcbecae42795 (SDL-1.2) NOTE: SDL2 was probably fixed during a refactoring, no targeted fix available: NOTE: https://hg.libsdl.org/SDL/rev/b06fa7da012b (SDL-2) CVE-2019-7572 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...) {DLA-1714-1 DLA-1713-1} - libsdl1.2 1.2.15+dfsg2-5 (bug #924609) [buster] - libsdl1.2 (Minor issue) [stretch] - libsdl1.2 (Minor issue) - libsdl2 2.0.10+dfsg1-1 (bug #924610) [buster] - libsdl2 (Minor issue) [stretch] - libsdl2 (Minor issue) NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4495 NOTE: https://hg.libsdl.org/SDL/rev/e52413f52586 (SDL-1.2) NOTE: https://hg.libsdl.org/SDL/rev/a8afedbcaea0 (SDL-1.2) NOTE: SDL2 was probably fixed during a refactoring, no targeted fix available: NOTE: https://hg.libsdl.org/SDL/rev/b06fa7da012b (SDL-2) CVE-2019-7571 RESERVED CVE-2019-7570 (A CSRF vulnerability was found in PbootCMS v1.3.6 that can delete user ...) NOT-FOR-US: PbootCMS CVE-2019-7569 (An issue was discovered in DOYO (aka doyocms) 2.3(20140425 update). Th ...) NOT-FOR-US: doyocms CVE-2019-7568 (An issue was discovered in baijiacms V4 that can result in time-based ...) NOT-FOR-US: baijiacms CVE-2019-7567 (An issue was discovered in Waimai Super Cms 20150505. admin.php?m=Memb ...) NOT-FOR-US: Waimai Super Cms CVE-2019-7566 (CSZ CMS 1.1.8 has CSRF via admin/users/new/add. ...) NOT-FOR-US: CSZ CMS CVE-2019-7565 RESERVED CVE-2019-7564 (An issue was discovered on Shenzhen Coship WM3300 WiFi Router 5.0.0.55 ...) NOT-FOR-US: Shenzhen Coship WM3300 WiFi Router devices CVE-2019-7563 RESERVED CVE-2019-7562 RESERVED CVE-2019-7561 RESERVED CVE-2019-7560 (In parser/btorsmt2.c in Boolector 3.0.0, opening a specially crafted i ...) - boolector (Vulnerable code introduced later) NOTE: https://github.com/Boolector/boolector/issues/28 NOTE: https://github.com/Boolector/boolector/issues/29 NOTE: https://github.com/Boolector/boolector/commit/8d979d02e0482c7137c9f3a34e6d430dbfd1f5c5 CVE-2019-7559 (In btor2parser/btor2parser.c in Boolector Btor2Tools before 2019-01-15 ...) NOT-FOR-US: Boolector Btor2Tools CVE-2019-7558 RESERVED CVE-2019-7557 RESERVED CVE-2019-7556 RESERVED CVE-2019-7555 RESERVED CVE-2019-7554 (An issue was discovered in PHP Scripts Mall API Based Travel Booking 3 ...) NOT-FOR-US: PHP Scripts Mall API Based Travel Booking CVE-2019-7553 (PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has Stor ...) NOT-FOR-US: PHP Scripts Mall Chartered Accountant : Auditor Website CVE-2019-7552 (An issue was discovered in PHP Scripts Mall Investment MLM Software 2. ...) NOT-FOR-US: PHP Scripts Mall Investment MLM Software CVE-2019-7551 (Cantemo Portal before 3.2.13, 3.3.x before 3.3.8, and 3.4.x before 3.4 ...) NOT-FOR-US: Cantemo Portal CVE-2019-7550 (In JForum 2.1.8, an unauthenticated, remote attacker can enumerate whe ...) NOT-FOR-US: JForum CVE-2019-7549 (An issue was discovered in GitLab Community and Enterprise Edition 10. ...) - gitlab 11.5.10+dfsg-1 (bug #921059) NOTE: https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/ CVE-2019-7548 (SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be ...) {DLA-1718-1} [experimental] - sqlalchemy 1.3.0~b3+ds1-1 - sqlalchemy 1.2.18+ds1-2 (bug #922669) [stretch] - sqlalchemy (Minor issue) NOTE: https://github.com/sqlalchemy/sqlalchemy/issues/4481 NOTE: https://github.com/sqlalchemy/sqlalchemy/commit/30307c4616ad67c01ddae2e1e8e34fabf6028414 CVE-2019-7547 (An issue was discovered in SIDU 6.0. Because the database name is not ...) NOT-FOR-US: SIDU CVE-2019-7546 (An issue was discovered in SIDU 6.0. The dbs parameter of the conn.php ...) NOT-FOR-US: SIDU CVE-2019-7545 (In DbNinja 3.2.7, the Add Host function of the Manage Hosts pages has ...) NOT-FOR-US: DbNinja CVE-2019-7544 (An issue was discovered in MyWebSQL 3.7. The Add User function of the ...) NOT-FOR-US: MyWebSQL CVE-2019-7543 (In KindEditor 4.1.11, the php/demo.php content1 parameter has a reflec ...) NOT-FOR-US: KindEditor CVE-2019-7542 RESERVED CVE-2018-20763 (In GPAC 0.7.1 and earlier, gf_text_get_utf8_line in media_tools/text_i ...) {DLA-1693-1} - gpac 0.5.2-426-gc5ad4e4+dfsg5-4.1 (bug #921969) [stretch] - gpac 0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1 NOTE: https://github.com/gpac/gpac/commit/1c449a34fe0b50aaffb881bfb9d7c5ab0bb18cdd NOTE: https://github.com/gpac/gpac/issues/1188 CVE-2018-20762 (GPAC version 0.7.1 and earlier has a buffer overflow vulnerability in ...) {DLA-1693-1} - gpac 0.5.2-426-gc5ad4e4+dfsg5-4.1 (bug #921969) [stretch] - gpac 0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1 NOTE: https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658 NOTE: https://github.com/gpac/gpac/issues/1187 CVE-2018-20761 (GPAC version 0.7.1 and earlier has a Buffer Overflow vulnerability in ...) {DLA-1693-1} - gpac 0.5.2-426-gc5ad4e4+dfsg5-4.1 (bug #921969) [stretch] - gpac 0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1 NOTE: https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658 NOTE: https://github.com/gpac/gpac/issues/1186 CVE-2018-20760 (In GPAC 0.7.1 and earlier, gf_text_get_utf8_line in media_tools/text_i ...) {DLA-1693-1} - gpac 0.5.2-426-gc5ad4e4+dfsg5-4.1 (bug #921969) [stretch] - gpac 0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1 NOTE: https://github.com/gpac/gpac/commit/4c1360818fc8948e9307059fba4dc47ba8ad255d NOTE: https://github.com/gpac/gpac/issues/1177 CVE-2019-7541 (Rukovoditel through 2.4.1 allows XSS via a URL that lacks a module=use ...) NOT-FOR-US: Rukovoditel CVE-2019-7540 RESERVED CVE-2019-7539 (A code injection issue was discovered in ipycache through 2016-05-31. ...) NOT-FOR-US: ipycache CVE-2019-7538 RESERVED CVE-2019-7537 (An issue was discovered in Donfig 0.3.0. There is a vulnerability in t ...) NOT-FOR-US: Donfig CVE-2019-7536 RESERVED CVE-2019-7535 (index.php in Gurock TestRail 5.3.0.3603 returns potentially sensitive ...) NOT-FOR-US: Gurock TestRail CVE-2019-7534 RESERVED CVE-2019-7533 RESERVED CVE-2019-7532 RESERVED CVE-2019-7531 RESERVED CVE-2019-7530 RESERVED CVE-2019-7529 RESERVED CVE-2019-7528 RESERVED CVE-2019-7527 RESERVED CVE-2019-7526 RESERVED CVE-2019-7525 RESERVED CVE-2019-7524 (In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker ...) {DSA-4418-1 DLA-1736-1} - dovecot 1:2.3.4.1-3 NOTE: https://github.com/dovecot/core/commit/37eeaef1587a3b99be97cb090094de19e374905c NOTE: https://github.com/dovecot/core/commit/a02c16889f1f3411e9a16b96221c2795d5fdb974 CVE-2019-7523 RESERVED CVE-2019-7522 RESERVED CVE-2019-7521 RESERVED CVE-2019-7520 RESERVED CVE-2019-7519 RESERVED CVE-2019-7518 RESERVED CVE-2019-7517 RESERVED CVE-2019-7516 RESERVED CVE-2019-7515 RESERVED CVE-2019-7514 RESERVED CVE-2019-7513 RESERVED CVE-2019-7512 RESERVED CVE-2019-7511 RESERVED CVE-2019-7510 RESERVED CVE-2019-7509 RESERVED CVE-2019-7508 RESERVED CVE-2019-7507 RESERVED CVE-2019-7506 RESERVED CVE-2019-7505 RESERVED CVE-2019-7504 RESERVED CVE-2019-7503 RESERVED CVE-2019-7502 RESERVED CVE-2019-7501 RESERVED CVE-2019-7500 RESERVED CVE-2019-7499 RESERVED CVE-2019-7498 RESERVED CVE-2019-7497 RESERVED CVE-2019-7496 RESERVED CVE-2019-7495 RESERVED CVE-2019-7494 RESERVED CVE-2019-7493 RESERVED CVE-2019-7492 RESERVED CVE-2019-7491 RESERVED CVE-2019-7490 RESERVED CVE-2019-7489 (A vulnerability in SonicWall Email Security appliance allow an unauthe ...) NOT-FOR-US: SonicWall Email Security appliance CVE-2019-7488 (Weak default password cause vulnerability in SonicWall Email Security ...) NOT-FOR-US: SonicWall Email Security appliance CVE-2019-7487 (Installation of the SonicOS SSLVPN NACagent 3.5 on the Windows operati ...) NOT-FOR-US: onicOS SSLVPN NACagent CVE-2019-7486 (Code injection in SonicWall SMA100 allows an authenticated user to exe ...) NOT-FOR-US: SonicWall SMA100 CVE-2019-7485 (Buffer overflow in SonicWall SMA100 allows an authenticated user to ex ...) NOT-FOR-US: SonicWall SMA100 CVE-2019-7484 (Authenticated SQL Injection in SonicWall SMA100 allow user to gain rea ...) NOT-FOR-US: SonicWall SMA100 CVE-2019-7483 (In SonicWall SMA100, an unauthenticated Directory Traversal vulnerabil ...) NOT-FOR-US: SonicWall SMA100 CVE-2019-7482 (Stack-based buffer overflow in SonicWall SMA100 allows an unauthentica ...) NOT-FOR-US: SonicWall SMA100 CVE-2019-7481 (Vulnerability in SonicWall SMA100 allow unauthenticated user to gain r ...) NOT-FOR-US: SonicWall SMA100 CVE-2019-7480 RESERVED CVE-2019-7479 (A vulnerability in SonicOS allow authenticated read-only admin can ele ...) NOT-FOR-US: SonicOS CVE-2019-7478 (A vulnerability in GMS allow unauthenticated user to SQL injection in ...) NOT-FOR-US: SonicWall CVE-2019-7477 (A vulnerability in SonicWall SonicOS and SonicOSv TLS CBC Cipher allow ...) NOT-FOR-US: SonicWall CVE-2019-7476 (A vulnerability in SonicWall Global Management System (GMS), allow a r ...) NOT-FOR-US: SonicWall Global Management System CVE-2019-7475 (A vulnerability in SonicWall SonicOS and SonicOSv with management enab ...) NOT-FOR-US: SonicWall CVE-2019-7474 (A vulnerability in SonicWall SonicOS and SonicOSv, allow authenticated ...) NOT-FOR-US: SonicWall CVE-2019-7473 RESERVED CVE-2019-7472 RESERVED CVE-2019-7471 RESERVED CVE-2019-7470 RESERVED CVE-2019-7469 RESERVED CVE-2019-7468 RESERVED CVE-2019-7467 RESERVED CVE-2019-7466 RESERVED CVE-2019-7465 RESERVED CVE-2019-7464 RESERVED CVE-2019-7463 RESERVED CVE-2019-7462 RESERVED CVE-2018-20759 RESERVED CVE-2018-20758 (MODX Revolution through v2.7.0-pl allows XSS via User Settings such as ...) NOT-FOR-US: MODX Revolution CVE-2018-20757 (MODX Revolution through v2.7.0-pl allows XSS via an extended user fiel ...) NOT-FOR-US: MODX Revolution CVE-2018-20756 (MODX Revolution through v2.7.0-pl allows XSS via a document resource ( ...) NOT-FOR-US: MODX Revolution CVE-2018-20755 (MODX Revolution through v2.7.0-pl allows XSS via the User Photo field. ...) NOT-FOR-US: MODX Revolution CVE-2018-20754 RESERVED CVE-2015-9282 (The Pie Chart Panel plugin through 2019-01-02 for Grafana is vulnerabl ...) NOT-FOR-US: Grafana plugin CVE-2019-XXXX [netmask: buffer overflow vulnerability] - netmask 2.4.4-1 (unimportant; bug #921565) [jessie] - netmask 2.3.12+deb8u1 NOTE: https://github.com/tlby/netmask/issues/3 NOTE: https://github.com/tlby/netmask/commit/29a9c239bd1008363f5b34ffd6c2cef906f3660c NOTE: No security impact due to toolchain hardening in stretch, negligable impact in older suites CVE-2019-1003023 (A cross-site scripting vulnerability exists in Jenkins Warnings Next G ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003022 (A denial of service vulnerability exists in Jenkins Monitoring Plugin ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003021 (An exposure of sensitive information vulnerability exists in Jenkins O ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003020 (A server-side request forgery vulnerability exists in Jenkins Kanboard ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003019 (An session fixation vulnerability exists in Jenkins GitHub Authenticat ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003018 (An exposure of sensitive information vulnerability exists in Jenkins G ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003017 (A data modification vulnerability exists in Jenkins Job Import Plugin ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003016 (An exposure of sensitive information vulnerability exists in Jenkins J ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003015 (An XML external entity processing vulnerability exists in Jenkins Job ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003014 (An cross-site scripting vulnerability exists in Jenkins Config File Pr ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003013 (An cross-site scripting vulnerability exists in Jenkins Blue Ocean Plu ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003012 (A data modification vulnerability exists in Jenkins Blue Ocean Plugins ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003011 (An information exposure and denial of service vulnerability exists in ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003010 (A cross-site request forgery vulnerability exists in Jenkins Git Plugi ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003009 (An improper certificate validation vulnerability exists in Jenkins Act ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003008 (A cross-site request forgery vulnerability exists in Jenkins Warnings ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003007 (A cross-site request forgery vulnerability exists in Jenkins Warnings ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003006 (A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.0 and ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003005 (A sandbox bypass vulnerability exists in Jenkins Script Security Plugi ...) NOT-FOR-US: Jenkins plugin CVE-2019-7461 RESERVED CVE-2019-7460 RESERVED CVE-2019-7459 RESERVED CVE-2019-7458 RESERVED CVE-2019-7457 RESERVED CVE-2019-7456 RESERVED CVE-2019-7455 RESERVED CVE-2019-7454 RESERVED CVE-2019-7453 RESERVED CVE-2019-7452 RESERVED CVE-2019-7451 RESERVED CVE-2019-7450 RESERVED CVE-2019-7449 RESERVED CVE-2019-7448 RESERVED CVE-2019-7447 RESERVED CVE-2019-7446 RESERVED CVE-2019-7445 RESERVED CVE-2019-7444 RESERVED CVE-2019-7443 (KDE KAuth before 5.55 allows the passing of parameters with arbitrary ...) - kauth 5.54.0-2 (bug #921995) [stretch] - kauth 5.28.0-2+deb9u1 - kde4libs (bug #922727) [buster] - kde4libs (Minor issue) [stretch] - kde4libs (Minor issue) [jessie] - kde4libs (Minor issue) NOTE: https://mail.kde.org/pipermail/kde-announce/2019-February/000011.html NOTE: https://cgit.kde.org/kauth.git/commit/?id=fc70fb0161c1b9144d26389434d34dd135cd3f4a CVE-2019-7442 (An XML external entity (XXE) vulnerability in the Password Vault Web A ...) NOT-FOR-US: CyberArk Enterprise Password Vault CVE-2019-7441 (** DISPUTED ** cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Chec ...) NOT-FOR-US: WooCommerce CVE-2019-7440 (JioFi 4G M2S 1.0.2 devices have CSRF via the SSID name and Security Ke ...) NOT-FOR-US: JioFi CVE-2019-7439 (cgi-bin/qcmap_web_cgi on JioFi 4G M2S 1.0.2 devices allows a DoS (Hang ...) NOT-FOR-US: JioFi CVE-2019-7438 (cgi-bin/qcmap_web_cgi on JioFi 4G M2S 1.0.2 devices has XSS and HTML i ...) NOT-FOR-US: JioFi CVE-2019-7437 (PHP Scripts Mall Opensource Classified Ads Script 3.2.2 has reflected ...) NOT-FOR-US: PHP Scripts Mall CVE-2019-7436 (PHP Scripts Mall Opensource Classified Ads Script 3.2.2 has directory ...) NOT-FOR-US: PHP Scripts Mall CVE-2019-7435 (PHP Scripts Mall Opensource Classified Ads Script 3.2.2 has reflected ...) NOT-FOR-US: PHP Scripts Mall CVE-2019-7434 (PHP Scripts Mall Rental Bike Script 2.0.3 has directory traversal via ...) NOT-FOR-US: PHP Scripts Mall CVE-2019-7433 (PHP Scripts Mall Rental Bike Script 2.0.3 has Cross-Site Request Forge ...) NOT-FOR-US: PHP Scripts Mall CVE-2019-7432 (PHP Scripts Mall Rental Bike Script 2.0.3 has HTML injection via the S ...) NOT-FOR-US: PHP Scripts Mall CVE-2019-7431 (PHP Scripts Mall Image Sharing Script 1.3.4 has directory traversal vi ...) NOT-FOR-US: PHP Scripts Mall CVE-2019-7430 (PHP Scripts Mall Image Sharing Script 1.3.4 has HTML injection via the ...) NOT-FOR-US: PHP Scripts Mall CVE-2019-7429 (PHP Scripts Mall Property Rental Software 2.1.4 has directory traversa ...) NOT-FOR-US: PHP Scripts Mall CVE-2019-7428 RESERVED CVE-2019-7427 (XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 ...) NOT-FOR-US: Zoho ManageEngine Netflow Analyzer Professional CVE-2019-7426 (XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 ...) NOT-FOR-US: Zoho ManageEngine Netflow Analyzer Professional CVE-2019-7425 (XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 ...) NOT-FOR-US: Zoho ManageEngine Netflow Analyzer Professional CVE-2019-7424 (XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 ...) NOT-FOR-US: Zoho ManageEngine Netflow Analyzer Professional CVE-2019-7423 (XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 ...) NOT-FOR-US: Zoho ManageEngine Netflow Analyzer Professional CVE-2019-7422 (XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 ...) NOT-FOR-US: Zoho ManageEngine Netflow Analyzer Professional CVE-2019-7421 (XSS exists in SAMSUNG X7400GX SyncThru Web Service V6.A6.25 V11.01.05. ...) NOT-FOR-US: SAMSUNG X7400GX SyncThru Web Service CVE-2019-7420 (XSS exists in SAMSUNG X7400GX SyncThru Web Service V6.A6.25 V11.01.05. ...) NOT-FOR-US: SAMSUNG X7400GX SyncThru Web Service CVE-2019-7419 (XSS exists in SAMSUNG X7400GX SyncThru Web Service V6.A6.25 V11.01.05. ...) NOT-FOR-US: SAMSUNG X7400GX SyncThru Web Service CVE-2019-7418 (XSS exists in SAMSUNG X7400GX SyncThru Web Service V6.A6.25 V11.01.05. ...) NOT-FOR-US: SAMSUNG X7400GX SyncThru Web Service CVE-2019-7417 (XSS exists in Ericsson Active Library Explorer (ALEX) 14.3 in multiple ...) NOT-FOR-US: Ericsson Active Library Explorer (ALEX) CVE-2019-7416 (XSS and/or a Client Side URL Redirect exists in OpenText Documentum We ...) NOT-FOR-US: OpenText Documentum Webtop CVE-2019-7415 RESERVED CVE-2019-7414 RESERVED CVE-2019-7413 (In the Parallax Scroll (aka adamrob-parallax-scroll) plugin before 2.1 ...) NOT-FOR-US: Wordpress plugin CVE-2019-7412 (The PS PHPCaptcha WP plugin before v1.2.0 for WordPress mishandles san ...) NOT-FOR-US: Wordpress plugin CVE-2019-7411 (Multiple stored cross-site scripting (XSS) in the MyThemeShop Launcher ...) NOT-FOR-US: MyThemeShop Launcher plugin for WordPress CVE-2019-7410 RESERVED CVE-2019-7409 (Multiple cross-site scripting (XSS) vulnerabilities in ProfileDesign C ...) NOT-FOR-US: ProfileDesign CMS CVE-2019-7408 RESERVED CVE-2019-7407 RESERVED CVE-2019-7406 RESERVED CVE-2019-7405 RESERVED CVE-2019-7404 (An issue was discovered on LG GAMP-7100, GAPM-7200, and GAPM-8000 rout ...) NOT-FOR-US: LG routers CVE-2019-7403 (An issue was discovered in PHPMyWind 5.5. It allows remote attackers t ...) NOT-FOR-US: PHPMyWind CVE-2019-7402 (An issue was discovered in PHPMyWind 5.5. The GetQQ function in includ ...) NOT-FOR-US: PHPMyWind CVE-2019-7401 (NGINX Unit before 1.7.1 might allow an attacker to cause a heap-based ...) NOT-FOR-US: NGINX Unit (different from FLOSS nginx) CVE-2017-1000000 REJECTED CVE-2014-1000000 REJECTED CVE-2019-7400 (Rukovoditel before 2.4.1 allows XSS. ...) NOT-FOR-US: Rukovoditel CVE-2019-7399 (Amazon Fire OS before 5.3.6.4 allows a man-in-the-middle attack agains ...) NOT-FOR-US: Amazon Fire OS CVE-2019-7398 (In ImageMagick before 7.0.8-25, a memory leak exists in WriteDIBImage ...) {DSA-4712-1} - imagemagick (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1453 CVE-2019-7397 (In ImageMagick before 7.0.8-25 and GraphicsMagick through 1.3.31, seve ...) {DSA-4712-1} - imagemagick (unimportant) - graphicsmagick 1.4~hg15896-1 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/commit/306c1f0fa5754ca78efd16ab752f0e981d4f6b82 NOTE: https://github.com/ImageMagick/ImageMagick/issues/1454 CVE-2019-7396 (In ImageMagick before 7.0.8-25, a memory leak exists in ReadSIXELImage ...) {DSA-4712-1} - imagemagick (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/commit/748a03651e5b138bcaf160d15133de2f4b1b89ce NOTE: https://github.com/ImageMagick/ImageMagick/issues/1452 CVE-2019-7395 (In ImageMagick before 7.0.8-25, a memory leak exists in WritePSDChanne ...) {DSA-4712-1} - imagemagick (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/commit/8a43abefb38c5e29138e1c9c515b313363541c06 NOTE: https://github.com/ImageMagick/ImageMagick/issues/1451 CVE-2019-7394 (A privilege escalation vulnerability in the administrative user interf ...) NOT-FOR-US: CA Technologies CVE-2019-7393 (A UI redress vulnerability in the administrative user interface of CA ...) NOT-FOR-US: CA Technologies CVE-2019-7392 (An improper authentication vulnerability in CA Privileged Access Manag ...) NOT-FOR-US: CA Privileged Access Manager CVE-2019-7391 (ZyXEL VMG3312-B10B DSL-491HNU-B1B v2 devices allow login/login-page.cg ...) NOT-FOR-US: ZyXEL CVE-2019-7390 (An issue was discovered in /bin/goahead on D-Link DIR-823G devices wit ...) NOT-FOR-US: D-Link CVE-2019-7389 (An issue was discovered in /bin/goahead on D-Link DIR-823G devices wit ...) NOT-FOR-US: D-Link CVE-2019-7388 (An issue was discovered in /bin/goahead on D-Link DIR-823G devices wit ...) NOT-FOR-US: D-Link CVE-2019-7387 (A local file inclusion vulnerability exists in the web interface of Sy ...) NOT-FOR-US: Systrome CVE-2019-7386 (A Denial of Service issue has been discovered in the Gecko component o ...) NOT-FOR-US: KaiOS on Nokia devices CVE-2019-7385 (An authenticated shell command injection issue has been discovered in ...) NOT-FOR-US: Raisecom GPON Devices CVE-2019-7384 (An authenticated shell command injection issue has been discovered in ...) NOT-FOR-US: Raisecom GPON Devices CVE-2019-7383 (An issue was discovered on Systrome Cumilon ISG-600C, ISG-600H, and IS ...) NOT-FOR-US: Systrome devices CVE-2019-7382 RESERVED CVE-2019-7381 RESERVED CVE-2019-7380 RESERVED CVE-2019-7379 RESERVED CVE-2019-7378 RESERVED CVE-2019-7377 RESERVED CVE-2019-7376 RESERVED CVE-2019-7375 RESERVED CVE-2019-7374 RESERVED CVE-2019-7373 RESERVED CVE-2019-7372 RESERVED CVE-2019-7371 RESERVED CVE-2019-7370 RESERVED CVE-2019-7369 RESERVED CVE-2019-7368 RESERVED CVE-2019-7367 RESERVED CVE-2019-7366 (Buffer overflow vulnerability in Autodesk FBX Software Development Kit ...) NOT-FOR-US: Autodesk FBX Software Development Kit CVE-2019-7365 (DLL preloading vulnerability in Autodesk Desktop Application versions ...) NOT-FOR-US: Autodesk Desktop Application CVE-2019-7364 (DLL preloading vulnerability in versions 2017, 2018, 2019, and 2020 of ...) NOT-FOR-US: Autodesk CVE-2019-7363 (Use-after-free vulnerability in Autodesk Design Review versions 2011, ...) NOT-FOR-US: Autodesk CVE-2019-7362 (DLL preloading vulnerability in Autodesk Design Review versions 2011, ...) NOT-FOR-US: Autodesk CVE-2019-7361 (An attacker may convince a victim to open a malicious action micro (.a ...) NOT-FOR-US: Autodesk CVE-2019-7360 (An exploitable use-after-free vulnerability in the DXF-parsing functio ...) NOT-FOR-US: Autodesk CVE-2019-7359 (An exploitable heap overflow vulnerability in the AcCellMargin handlin ...) NOT-FOR-US: Autodesk CVE-2019-7358 (An exploitable heap overflow vulnerability in the DXF-parsing function ...) NOT-FOR-US: Autodesk CVE-2019-7357 RESERVED CVE-2019-7356 RESERVED CVE-2019-1000024 (OPT/NET BV NG-NetMS version v3.6-2 and earlier versions contains a Cro ...) NOT-FOR-US: OPT/NET BV CVE-2019-1000023 (OPT/NET BV OPTOSS Next Gen Network Management System (NG-NetMS) versio ...) NOT-FOR-US: OPT/NET BV CVE-2019-1000022 (Taoensso Sente version Prior to version 1.14.0 contains a Cross Site R ...) NOT-FOR-US: Taoensso Sente CVE-2019-1000021 (slixmpp version before commit 7cd73b594e8122dddf847953fcfc85ab4d316416 ...) - slixmpp 1.4.2-1 (bug #922509) [stretch] - slixmpp (Minor issue) NOTE: https://lab.louiz.org/poezio/slixmpp/commit/7cd73b594e8122dddf847953fcfc85ab4d316416 CVE-2019-1000020 (libarchive version commit 5a98dcf8a86364b3c2c469c85b93647dfb139961 onw ...) {DLA-1668-1} - libarchive 3.3.3-4 (low) [stretch] - libarchive 3.2.2-2+deb9u2 NOTE: https://github.com/libarchive/libarchive/pull/1120 NOTE: https://github.com/libarchive/libarchive/commit/8312eaa576014cd9b965012af51bc1f967b12423 CVE-2019-1000019 (libarchive version commit bf9aec176c6748f0ee7a678c5f9f9555b9a757c1 onw ...) {DLA-1668-1} - libarchive 3.3.3-4 (low) [stretch] - libarchive 3.2.2-2+deb9u2 NOTE: https://github.com/libarchive/libarchive/pull/1120 NOTE: https://github.com/libarchive/libarchive/commit/65a23f5dbee4497064e9bb467f81138a62b0dae1 CVE-2019-1000017 (Chamilo Chamilo-lms version 1.11.8 and earlier contains an Incorrect A ...) NOT-FOR-US: Chamilo Chamilo-lms CVE-2019-1000016 (FFMPEG version 4.1 contains a CWE-129: Improper Validation of Array In ...) - ffmpeg 7:4.1.1-1 (low; bug #922066) [stretch] - ffmpeg (Vulnerable code not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/b97a4b658814b2de8b9f2a3bce491c002d34de31#diff-cd7e24986650014d67f484f3ffceef3f - libav [jessie] - libav (Vulnerable code not present) CVE-2019-1000015 (Chamilo Chamilo-lms version 1.11.8 and earlier contains a Cross Site S ...) NOT-FOR-US: Chamilo Chamilo-lms CVE-2019-1000014 (Erlang/OTP Rebar3 version 3.7.0 through 3.7.5 contains a Signing oracl ...) - rebar (vulnerable code is not present) NOTE: https://github.com/erlang/rebar3/pull/1986 CVE-2019-1000013 (Hex package manager hex_core version 0.3.0 and earlier contains a Sign ...) NOT-FOR-US: Hex package manager CVE-2019-1000012 (Hex package manager version 0.14.0 through 0.18.2 contains a Signing o ...) NOT-FOR-US: Hex package manager CVE-2019-1000011 (API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access ...) NOT-FOR-US: API Platform CVE-2019-1000010 (phpIPAM version 1.3.2 and earlier contains a Cross Site Scripting (XSS ...) NOT-FOR-US: phpIPAM CVE-2019-1000009 (Helm ChartMuseum version >=0.1.0 and < 0.8.1 contains a CWE-22: ...) NOT-FOR-US: Helm ChartMuseum CVE-2019-1000008 (All versions of Helm between Helm >=2.0.0 and < 2.12.2 contains ...) - helm-kubernetes (bug #910799) CVE-2019-1000007 (aioxmpp version 0.10.2 and earlier contains a Improper Handling of Str ...) - python-aioxmpp 0.10.3-1 NOTE: https://github.com/horazont/aioxmpp/pull/268 CVE-2019-1000006 (RIOT RIOT-OS version after commit 7af03ab624db0412c727eed9ab7630a5282e ...) NOT-FOR-US: RIOT RIOT-OS CVE-2019-1000005 (mPDF version 7.1.7 and earlier contains a CWE-502: Deserialization of ...) NOT-FOR-US: mPDF CVE-2019-1000004 (yugandhargangu JspMyAdmin2 version 1.0.6 and earlier contains a Cross ...) NOT-FOR-US: yugandhargangu JspMyAdmin2 CVE-2019-1000003 (MapSVG MapSVG Lite version 3.2.3 contains a Cross Site Request Forgery ...) NOT-FOR-US: Wordpress plugin CVE-2019-1000002 (Gitea version 1.6.2 and earlier contains a Incorrect Access Control vu ...) - gitea NOTE: https://github.com/go-gitea/gitea/pull/5631 CVE-2019-1000001 (TeamPass version 2.1.27 and earlier contains a Storing Passwords in a ...) - teampass (bug #730180) CVE-2018-20753 (Kaseya VSA RMM before R9.3 9.3.0.35, R9.4 before 9.4.0.36, and R9.5 be ...) NOT-FOR-US: Kaseya VSA RMM CVE-2018-20752 (An issue was discovered in Recon-ng before 4.9.5. Lack of validation i ...) - recon-ng 4.9.5-1 NOTE: https://bitbucket.org/LaNMaSteR53/recon-ng/issues/285/csv-injection-vulnerability-identified-in CVE-2018-1000999 REJECTED CVE-2018-1000998 (FreeBSD CVSweb version 2.x contains a Cross Site Scripting (XSS) vulne ...) - cvsweb 3:3.0.0-1 NOTE: https://www.kvakil.me/posts/cvsweb/ CVE-2017-18362 (ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is v ...) NOT-FOR-US: ConnectWise ManagedITSync CVE-2016-1000282 (Haraka version 2.8.8 and earlier comes with a plugin for processing at ...) NOT-FOR-US: Haraka CVE-2016-1000276 REJECTED CVE-2016-1000271 (Joomla extension DT Register version before 3.1.12 (Joomla 3.x) / 2.8. ...) NOT-FOR-US: Joomla extension CVE-2019-7355 RESERVED CVE-2019-7354 RESERVED CVE-2019-7353 (An Incorrect Access Control issue was discovered in GitLab Community a ...) - gitlab (Only affects 11.7) NOTE: https://about.gitlab.com/2019/02/05/critical-security-release-gitlab-11-dot-7-dot-4-released/ CVE-2019-7352 (Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through ...) - zoneminder (bug #922724) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2475 CVE-2019-7351 (Log Injection exists in ZoneMinder through 1.32.3, as an attacker can ...) - zoneminder (bug #922724) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2466 CVE-2019-7350 (Session fixation exists in ZoneMinder through 1.32.3, as an attacker c ...) - zoneminder (bug #922724) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2471 CVE-2019-7349 (Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32 ...) - zoneminder (bug #922724) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2465 CVE-2019-7348 (Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through ...) - zoneminder (bug #922724) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2467 CVE-2019-7347 (A Time-of-check Time-of-use (TOCTOU) Race Condition exists in ZoneMind ...) - zoneminder (bug #922724) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2476 CVE-2019-7346 (A CSRF check issue exists in ZoneMinder through 1.32.3 as whenever a C ...) - zoneminder (bug #922724) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2469 CVE-2019-7345 (Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through ...) - zoneminder (bug #922724) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2468 CVE-2019-7344 (Reflected XSS exists in ZoneMinder through 1.32.3, allowing an attacke ...) - zoneminder (bug #922724) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2455 CVE-2019-7343 (Reflected - Cross Site Scripting (XSS) exists in ZoneMinder through 1. ...) - zoneminder (bug #922724) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2464 CVE-2019-7342 (POST - Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, ...) - zoneminder (bug #922724) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2461 CVE-2019-7341 (Reflected - Cross Site Scripting (XSS) exists in ZoneMinder through 1. ...) - zoneminder (bug #922724) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2463 CVE-2019-7340 (POST - Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, ...) - zoneminder (bug #922724) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2462 CVE-2019-7339 (POST - Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, ...) - zoneminder (bug #922724) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2460 CVE-2019-7338 (Self - Stored XSS exists in ZoneMinder through 1.32.3, allowing an att ...) - zoneminder (bug #922724) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2454 CVE-2019-7337 (Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32 ...) - zoneminder (bug #922724) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2456 CVE-2019-7336 (Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through ...) - zoneminder (bug #922724) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2457 CVE-2019-7335 (Self - Stored XSS exists in ZoneMinder through 1.32.3, allowing an att ...) - zoneminder (bug #922724) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2453 CVE-2019-7334 (Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32 ...) - zoneminder (bug #922724) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2443 CVE-2019-7333 (Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32 ...) - zoneminder (bug #922724) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2441 CVE-2019-7332 (Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32 ...) - zoneminder (bug #922724) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2442 CVE-2019-7331 (Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through ...) - zoneminder (bug #922724) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2451 CVE-2019-7330 (Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32 ...) - zoneminder (bug #922724) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2448 CVE-2019-7329 (Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32 ...) - zoneminder (bug #922724) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2446 CVE-2019-7328 (Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32 ...) - zoneminder (bug #922724) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2449 CVE-2019-7327 (Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32 ...) - zoneminder (bug #922724) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2447 CVE-2019-7326 (Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through ...) - zoneminder (bug #922724) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2452 CVE-2019-7325 (Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32 ...) - zoneminder (bug #922724) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2450 CVE-2019-7324 (app/Core/Paginator.php in Kanboard before 1.2.8 has XSS in pagination ...) - kanboard (bug #790814) CVE-2019-7323 (GUP (generic update process) in LightySoft LogMX before 7.4.0 does not ...) NOT-FOR-US: LightySoft LogMX CVE-2019-7322 RESERVED CVE-2019-7321 (Usage of an uninitialized variable in the function fz_load_jpeg in Art ...) - mupdf (Vulnerable code introduced later) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700560 NOTE: Introduced by: http://git.ghostscript.com/?p=mupdf.git;h=7d52765c5b8a5c76e459d148cd94dbaf51e562ec (1.15.0-rc1) NOTE: Fixed by: http://git.ghostscript.com/?p=mupdf.git;h=2be83b57e77938fddbb06bdffb11979ad89a9c7d (1.15.0-rc1) CVE-2019-7320 RESERVED CVE-2018-20751 (An issue was discovered in crop_page in PoDoFo 0.9.6. For a crafted PD ...) - libpodofo 0.9.6+dfsg-4 [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) NOTE: https://sourceforge.net/p/podofo/tickets/33/ NOTE: https://sourceforge.net/p/podofo/code/1954 CVE-2019-7319 (An issue was discovered in Cloudera Hue 6.0.0 through 6.1.0. When usin ...) NOT-FOR-US: Cloudera CVE-2019-7318 RESERVED CVE-2019-7317 (png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after- ...) {DSA-4451-1 DSA-4448-1 DSA-4435-1 DLA-1806-1 DLA-1800-1} - libpng1.6 1.6.36-4 (bug #921355) - libpng [jessie] - libpng (Vulnerable code not present) [experimental] - firefox 67.0-1 - firefox 67.0-2 - firefox-esr 60.7.0esr-1 - thunderbird 1:60.7.0-1 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12803 NOTE: https://github.com/glennrp/libpng/issues/275 NOTE: https://github.com/glennrp/libpng/commit/9c0d5c77bf5bf2d7c1e11f388de40a70e0191550 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-7317 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-7317 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-7317 CVE-2019-7316 (An issue was discovered in CSS-TRICKS Chat2 through 2015-05-05. The us ...) NOT-FOR-US: CSS-TRICKS Chat2 CVE-2019-7315 (Genie Access WIP3BVAF WISH IP 3MP IR Auto Focus Bullet Camera devices ...) NOT-FOR-US: Genie Access WIP3BVAF WISH IP 3MP IR Auto Focus Bullet Camera devices CVE-2019-7314 (liblivemedia in Live555 before 2019.02.03 mishandles the termination o ...) {DSA-4408-1 DLA-1690-1} [experimental] - liblivemedia 2019.02.03-1 - liblivemedia 2018.11.26-1.1 (bug #924656) NOTE: http://lists.live555.com/pipermail/live-devel/2019-February/021143.html CVE-2019-7313 (www/resource.py in Buildbot before 1.8.1 allows CRLF injection in the ...) - buildbot 2.0.0-1 (bug #921271) [stretch] - buildbot (Vulnerable code introduced in 0.9.0) [jessie] - buildbot (Vulnerable code introduced in 0.9.0) NOTE: https://github.com/buildbot/buildbot/wiki/CRLF-injection-in-Buildbot-login-and-logout-redirect-code NOTE: https://github.com/buildbot/buildbot/pull/4584/files#diff-a2e7e3ee5f6a1d3cd9c6abf0328c21e0 CVE-2019-7312 (Limited plaintext disclosure exists in PRIMX Zed Entreprise for Window ...) NOT-FOR-US: PRIMX Zed Enterprise CVE-2019-7311 (An issue was discovered on Linksys WRT1900ACS 1.0.3.187766 devices. A ...) NOT-FOR-US: Linksys CVE-2019-7310 (In Poppler 0.73.0, a heap-based buffer over-read (due to an integer si ...) {DLA-1706-1} - poppler 0.71.0-4 (bug #921215) [stretch] - poppler (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12797 NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/717 NOTE: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/172 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/b54e1fc3e0d2600621a28d50f9f085b9e38619c2 CVE-2019-7309 (In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp fun ...) - glibc 2.28-6 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24155 NOTE: https://sourceware.org/ml/libc-alpha/2019-02/msg00041.html NOTE: x32 not officially supported CVE-2019-7308 (kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs undes ...) - linux 4.19.20-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1711 NOTE: Fixed by: https://git.kernel.org/linus/979d63d50c0c0f7bc537bf821e056cc9fe5abd38 NOTE: Fixed by: https://git.kernel.org/linus/d3bd7413e0ca40b60cf60d4003246d067cafdeda CVE-2019-7307 (Apport before versions 2.14.1-0ubuntu3.29+esm1, 2.20.1-0ubuntu2.19, 2. ...) NOT-FOR-US: Apport CVE-2019-7306 (Byobu Apport hook may disclose sensitive information since it automati ...) - byobu (unimportant) NOTE: https://bugs.launchpad.net/ubuntu/+source/byobu/+bug/1827202 NOTE: Issue in /usr/share/apport/package-hooks/source_byobu.py hook, NOTE: non-issue in Debian as Apport not present. CVE-2019-7305 (Information Exposure vulnerability in eXtplorer makes the /usr/ and /e ...) - extplorer NOTE: https://bugs.launchpad.net/ubuntu/+source/extplorer/+bug/1822013 CVE-2019-7304 (Canonical snapd before version 2.37.1 incorrectly performed socket own ...) - snapd 2.37.1-1 [stretch] - snapd (Vulnerable code introduced later) NOTE: https://bugs.launchpad.net/snapd/+bug/1813365 NOTE: Introduced in 2.28, fixed in 2.37.1 CVE-2019-7303 (A vulnerability in the seccomp filters of Canonical snapd before versi ...) - snapd 2.37.4-1 (low) [stretch] - snapd (Minor issue) NOTE: https://bugs.launchpad.net/snapd/+bug/1812973 CVE-2019-7302 RESERVED CVE-2019-7301 (Zen Load Balancer 3.10.1 allows remote authenticated admin users to ex ...) NOT-FOR-US: Zen Load Balancer CVE-2019-7300 (Artica Proxy 3.06.200056 allows remote attackers to execute arbitrary ...) NOT-FOR-US: Artica Proxy CVE-2019-7299 (A stored cross-site scripting (XSS) vulnerability in the submit_ticket ...) NOT-FOR-US: WP Support Plus Responsive Ticket System plugin for WordPress CVE-2017-18361 (In Pylons Colander through 1.6, the URL validator allows an attacker t ...) - python-colander [stretch] - python-colander (Minor issue) [jessie] - python-colander (Minor issue) NOTE: https://github.com/Pylons/colander/issues/290 NOTE: https://github.com/Pylons/colander/pull/323 CVE-2019-7298 (An issue was discovered on D-Link DIR-823G devices with firmware throu ...) NOT-FOR-US: D-Link CVE-2019-7297 (An issue was discovered on D-Link DIR-823G devices with firmware throu ...) NOT-FOR-US: D-Link CVE-2019-7296 (typora through 0.9.64 has XSS, with resultant remote command execution ...) NOT-FOR-US: typora CVE-2019-7295 (typora through 0.9.63 has XSS, with resultant remote command execution ...) NOT-FOR-US: typora CVE-2019-7294 RESERVED CVE-2019-7293 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2019-7292 (A validation issue was addressed with improved logic. This issue is fi ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0002.html CVE-2019-7291 RESERVED CVE-2019-7290 (An access issue was addressed with additional sandbox restrictions. Th ...) NOT-FOR-US: Shortcuts for iOS CVE-2019-7289 (A parsing issue in the handling of directory paths was addressed with ...) NOT-FOR-US: Shortcuts for iOS CVE-2019-7288 RESERVED CVE-2019-7287 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2019-7286 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2019-7285 (A use after free issue was addressed with improved memory management. ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0002.html CVE-2019-7284 (This issue was addressed with improved checks. This issue is fixed in ...) NOT-FOR-US: Apple CVE-2019-7281 (Prima Systems FlexAir, Versions 2.3.38 and prior. An unauthenticated u ...) NOT-FOR-US: Prima Systems FlexAir CVE-2019-7280 (Prima Systems FlexAir, Versions 2.3.38 and prior. The session-ID is of ...) NOT-FOR-US: Prima Systems FlexAir CVE-2019-7279 (Optergy Proton/Enterprise devices have Hard-coded Credentials. ...) NOT-FOR-US: Optergy Proton CVE-2019-7278 (Optergy Proton/Enterprise devices have an Unauthenticated SMS Sending ...) NOT-FOR-US: Optergy Proton CVE-2019-7277 (Optergy Proton/Enterprise devices allow Unauthenticated Internal Netwo ...) NOT-FOR-US: Optergy Proton CVE-2019-7276 (Optergy Proton/Enterprise devices allow Remote Root Code Execution via ...) NOT-FOR-US: Optergy Proton CVE-2019-7275 (Optergy Proton/Enterprise devices allow Open Redirect. ...) NOT-FOR-US: Optergy Proton CVE-2019-7274 (Optergy Proton/Enterprise devices allow Authenticated File Upload with ...) NOT-FOR-US: Optergy Proton CVE-2019-7273 (Optergy Proton/Enterprise devices allow Cross-Site Request Forgery (CS ...) NOT-FOR-US: Optergy Proton CVE-2019-7272 (Optergy Proton/Enterprise devices allow Username Disclosure. ...) NOT-FOR-US: Optergy Proton CVE-2019-7271 (Nortek Linear eMerge 50P/5000P devices have Default Credentials. ...) NOT-FOR-US: Nortek Linear CVE-2019-7270 (Linear eMerge 50P/5000P devices allow Cross-Site Request Forgery (CSRF ...) NOT-FOR-US: Linear eMerge 50P/5000P devices CVE-2019-7269 (Linear eMerge 50P/5000P devices allow Authenticated Command Injection ...) NOT-FOR-US: Linear eMerge 50P/5000P devices CVE-2019-7268 (Linear eMerge 50P/5000P devices allow Unauthenticated File Upload. ...) NOT-FOR-US: Linear eMerge 50P/5000P devices CVE-2019-7267 (Linear eMerge 50P/5000P devices allow Cookie Path Traversal. ...) NOT-FOR-US: Linear eMerge 50P/5000P devices CVE-2019-7266 (Linear eMerge 50P/5000P devices allow Authentication Bypass. ...) NOT-FOR-US: Linear eMerge 50P/5000P devices CVE-2019-7265 (Linear eMerge E3-Series devices allow Remote Code Execution (root acce ...) NOT-FOR-US: Linear eMerge E3-Series devices CVE-2019-7264 (Linear eMerge E3-Series devices allow a Stack-based Buffer Overflow on ...) NOT-FOR-US: Linear eMerge E3-Series devices CVE-2019-7263 (Linear eMerge E3-Series devices have a Version Control Failure. ...) NOT-FOR-US: Linear eMerge E3-Series devices CVE-2019-7262 (Linear eMerge E3-Series devices allow Cross-Site Request Forgery (CSRF ...) NOT-FOR-US: Linear eMerge E3-Series devices CVE-2019-7261 (Linear eMerge E3-Series devices have Hard-coded Credentials. ...) NOT-FOR-US: Linear eMerge E3-Series devices CVE-2019-7260 (Linear eMerge E3-Series devices have Cleartext Credentials in a Databa ...) NOT-FOR-US: Linear eMerge E3-Series devices CVE-2019-7259 (Linear eMerge E3-Series devices allow Authorization Bypass with Inform ...) NOT-FOR-US: Linear eMerge E3-Series devices CVE-2019-7258 (Linear eMerge E3-Series devices allow Privilege Escalation. ...) NOT-FOR-US: Linear eMerge E3-Series devices CVE-2019-7257 (Linear eMerge E3-Series devices allow Unrestricted File Upload. ...) NOT-FOR-US: Linear eMerge E3-Series devices CVE-2019-7256 (Linear eMerge E3-Series devices allow Command Injections. ...) NOT-FOR-US: Linear eMerge E3-Series devices CVE-2019-7255 (Linear eMerge E3-Series devices allow XSS. ...) NOT-FOR-US: Linear eMerge E3-Series devices CVE-2019-7254 (Linear eMerge E3-Series devices allow File Inclusion. ...) NOT-FOR-US: Linear eMerge E3-Series devices CVE-2019-7253 (Linear eMerge E3-Series devices allow Directory Traversal. ...) NOT-FOR-US: Linear eMerge E3-Series devices CVE-2019-7252 (Linear eMerge E3-Series devices have Default Credentials. ...) NOT-FOR-US: Linear eMerge E3-Series devices CVE-2019-7251 (An Integer Signedness issue (for a return code) in the res_pjsip_sdp_r ...) - asterisk 1:16.2.1~dfsg-1 (bug #923690) [stretch] - asterisk (Vulnerable code not present) [jessie] - asterisk (Vulnerable code introduced later) NOTE: https://downloads.asterisk.org/pub/security/AST-2019-001.html CVE-2019-7250 (An issue was discovered in the Cross Reference Add-on 36 for Google Do ...) NOT-FOR-US: Cross Reference Add-on for Google Docs CVE-2019-7249 (In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susc ...) NOT-FOR-US: Keybase on MacOS CVE-2019-7283 (An issue was discovered in rcp in NetKit through 0.17. For an rcp oper ...) - netkit-rsh 0.17-20 (bug #920486) [stretch] - netkit-rsh (Minor issue) [jessie] - netkit-rsh (Minor issue) CVE-2019-7282 (In NetKit through 0.17, rcp.c in the rcp client allows remote rsh serv ...) - netkit-rsh 0.17-20 (bug #920486) [stretch] - netkit-rsh (Minor issue) [jessie] - netkit-rsh (Minor issue) CVE-2019-7248 RESERVED CVE-2019-7247 (An issue was discovered in AODDriver2.sys in AMD OverDrive. The vulner ...) NOT-FOR-US: AMD CVE-2019-7246 (An issue was discovered in atillk64.sys in AMD ATI Diagnostics Hardwar ...) NOT-FOR-US: AMD CVE-2019-7245 (An issue was discovered in GPU-Z.sys in TechPowerUp GPU-Z before 2.23. ...) NOT-FOR-US: TechPowerUp GPU-Z CVE-2019-7244 (An issue was discovered in kerneld.sys in AIDA64 before 5.99. The vuln ...) NOT-FOR-US: AIDA64 CVE-2019-7243 RESERVED CVE-2019-7242 RESERVED CVE-2019-7241 RESERVED CVE-2019-7240 (An issue was discovered in WinRing0x64.sys in Moo0 System Monitor 1.83 ...) NOT-FOR-US: Moo0 System Monitor CVE-2019-7239 RESERVED CVE-2019-7238 (Sonatype Nexus Repository Manager before 3.15.0 has Incorrect Access C ...) NOT-FOR-US: Sonatype Nexus Repository Manager CVE-2019-7237 (An issue was discovered in idreamsoft iCMS 7.0.13 on Windows. editor/e ...) NOT-FOR-US: idreamsoft iCMS CVE-2019-7236 (An issue was discovered in idreamsoft iCMS 7.0.13. editor/editor.admin ...) NOT-FOR-US: idreamsoft iCMS CVE-2019-7235 (An issue was discovered in idreamsoft iCMS 7.0.13. admincp.php?app=app ...) NOT-FOR-US: idreamsoft iCMS CVE-2019-7234 (An issue was discovered in idreamsoft iCMS 7.0.13. admincp.php?app=app ...) NOT-FOR-US: idreamsoft iCMS CVE-2019-7233 (In libdoc through 2019-01-28, doc2text in catdoc.c has a NULL pointer ...) - catdoc (unimportant) NOTE: https://github.com/uvoteam/libdoc/issues/6 NOTE: Crash in CLI tool, no security impact CVE-2019-7232 (The ABB IDAL HTTP server is vulnerable to a buffer overflow when a lon ...) NOT-FOR-US: ABB IDAL HTTP server CVE-2019-7231 (The ABB IDAL FTP server is vulnerable to a buffer overflow when a long ...) NOT-FOR-US: ABB IDAL FTP server CVE-2019-7230 (The ABB IDAL FTP server mishandles format strings in a username during ...) NOT-FOR-US: ABB IDAL FTP server CVE-2019-7229 (The ABB CP635 HMI uses two different transmission methods to upgrade i ...) NOT-FOR-US: ABB CP635 HMI CVE-2019-7228 (The ABB IDAL HTTP server mishandles format strings in a username or co ...) NOT-FOR-US: ABB IDAL HTTP server CVE-2019-7227 (In the ABB IDAL FTP server, an authenticated attacker can traverse to ...) NOT-FOR-US: ABB IDAL FTP server CVE-2019-7226 (The ABB IDAL HTTP server CGI interface contains a URL that allows an u ...) NOT-FOR-US: ABB IDAL HTTP server CVE-2019-7225 (The ABB HMI components implement hidden administrative accounts that a ...) NOT-FOR-US: ABB HMI components CVE-2019-7224 RESERVED CVE-2019-7223 (InvoicePlane 1.5 has stored XSS via the index.php/invoices/ajax/save i ...) NOT-FOR-US: InvoicePlane CVE-2019-7222 (The KVM implementation in the Linux kernel through 4.20.5 has an Infor ...) {DLA-1771-1 DLA-1731-1} - linux 4.19.20-1 [stretch] - linux 4.9.161-1 NOTE: https://git.kernel.org/linus/353c0956a618a07ba4bbe7ad00ff29fe70e8412a NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1759&desc=2 CVE-2019-7221 (The KVM implementation in the Linux kernel through 4.20.5 has a Use-af ...) {DLA-1771-1 DLA-1731-1} - linux 4.19.20-1 [stretch] - linux 4.9.161-1 NOTE: https://git.kernel.org/linus/ecec76885bcfe3294685dc363fd1273df0d5d65f NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1760 CVE-2019-7220 (X-Cart V5 is vulnerable to XSS via the CategoryFilter2 parameter. ...) NOT-FOR-US: X-Cart CVE-2019-7219 (Unauthenticated reflected cross-site scripting (XSS) exists in Zarafa ...) - zarafa (bug #658433) CVE-2019-7218 (Citrix ShareFile before 19.23 allows a downgrade from two-factor authe ...) NOT-FOR-US: Citrix ShareFile CVE-2019-7217 (Citrix ShareFile before 19.12 allows User Enumeration. It is possible ...) NOT-FOR-US: Citrix ShareFile CVE-2019-7216 (An issue was discovered in FileChucker 4.99e-free-e02. filechucker.cgi ...) NOT-FOR-US: FileChucker CVE-2019-7215 (Progress Sitefinity 10.1.6536 does not invalidate session cookies upon ...) NOT-FOR-US: Progress Sitefinity CVE-2019-7214 (SmarterTools SmarterMail 16.x before build 6985 allows deserialization ...) NOT-FOR-US: SmarterTools SmarterMail CVE-2019-7213 (SmarterTools SmarterMail 16.x before build 6985 allows directory trave ...) NOT-FOR-US: SmarterTools SmarterMail CVE-2019-7212 (SmarterTools SmarterMail 16.x before build 6985 has hardcoded secret k ...) NOT-FOR-US: SmarterTools SmarterMail CVE-2019-7211 (SmarterTools SmarterMail 16.x before build 6995 has stored XSS. JavaSc ...) NOT-FOR-US: SmarterTools SmarterMail CVE-2019-7210 RESERVED CVE-2019-7209 RESERVED CVE-2019-7208 RESERVED CVE-2019-7207 RESERVED CVE-2019-7206 RESERVED CVE-2019-7205 RESERVED CVE-2019-7204 RESERVED CVE-2019-7203 RESERVED CVE-2019-7202 RESERVED CVE-2019-7201 (An unquoted service path vulnerability is reported to affect the servi ...) NOT-FOR-US: QNAP NetBak Replicator CVE-2019-7200 RESERVED CVE-2019-7199 RESERVED CVE-2019-7198 RESERVED CVE-2019-7197 (A stored cross-site scripting (XSS) vulnerability has been reported to ...) NOT-FOR-US: QNAP CVE-2019-7196 RESERVED CVE-2019-7195 (This external control of file name or path vulnerability allows remote ...) NOT-FOR-US: QNAP CVE-2019-7194 (This external control of file name or path vulnerability allows remote ...) NOT-FOR-US: QNAP CVE-2019-7193 (This improper input validation vulnerability allows remote attackers t ...) NOT-FOR-US: QNAP CVE-2019-7192 (This improper access control vulnerability allows remote attackers to ...) NOT-FOR-US: QNAP CVE-2019-7191 RESERVED CVE-2019-7190 RESERVED CVE-2019-7189 RESERVED CVE-2019-7188 RESERVED CVE-2019-7187 RESERVED CVE-2019-7186 RESERVED CVE-2019-7185 (This cross-site scripting (XSS) vulnerability in Music Station allows ...) NOT-FOR-US: QNAP CVE-2019-7184 (This cross-site scripting (XSS) vulnerability in Video Station allows ...) NOT-FOR-US: QNAP CVE-2019-7183 (This improper link resolution vulnerability allows remote attackers to ...) NOT-FOR-US: QNAP CVE-2019-7182 RESERVED CVE-2019-7181 (Buffer Overflow vulnerability in myQNAPcloud Connect 1.3.3.0925 and ea ...) NOT-FOR-US: myQNAPcloud Connect CVE-2019-7180 RESERVED CVE-2019-7179 RESERVED CVE-2018-20747 RESERVED CVE-2018-20746 RESERVED CVE-2019-7178 RESERVED CVE-2019-7177 RESERVED CVE-2019-7176 (An issue was discovered in GitLab Community and Enterprise Edition 8.x ...) - gitlab 11.5.10+dfsg-1 (bug #921059) NOTE: https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/ CVE-2019-7175 (In ImageMagick before 7.0.8-25, some memory leaks exist in DecodeImage ...) {DSA-4712-1} - imagemagick (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/commit/1e6a3ace073c9ec9c71e439c111d23c6e66cb6ae NOTE: https://github.com/ImageMagick/ImageMagick/issues/1450 CVE-2019-7174 (Roxy Fileman 1.4.5 allows attackers to execute renamefile.php (aka Ren ...) NOT-FOR-US: Roxy Fileman CVE-2019-7173 (A stored-self XSS exists in Croogo through v3.0.5, allowing an attacke ...) NOT-FOR-US: Croogo CVE-2019-7172 (A stored-self XSS exists in ATutor through v2.2.4, allowing an attacke ...) NOT-FOR-US: ATutor CVE-2019-7171 (A stored-self XSS exists in Croogo through v3.0.5, allowing an attacke ...) NOT-FOR-US: Croogo CVE-2019-7170 (A stored-self XSS exists in Croogo through v3.0.5, allowing an attacke ...) NOT-FOR-US: Croogo CVE-2019-7169 (A stored-self XSS exists in Croogo through v3.0.5, allowing an attacke ...) NOT-FOR-US: Croogo CVE-2019-7168 (A stored-self XSS exists in Croogo through v3.0.5, allowing an attacke ...) NOT-FOR-US: Croogo CVE-2019-7167 (Zcash, before the Sapling network upgrade (2018-10-28), had a counterf ...) NOT-FOR-US: Zcash CVE-2019-7166 RESERVED CVE-2019-7165 (A buffer overflow in DOSBox 0.74-2 allows attackers to execute arbitra ...) {DSA-4478-1 DLA-1845-1} - dosbox 0.74-3-1 (bug #931222) NOTE: Fixed in 0.74-3 upstream. NOTE: Upstream clarification https://sourceforge.net/p/dosbox/bugs/508/ NOTE: Fixed by https://sourceforge.net/p/dosbox/code-0/3925/ CVE-2019-7164 (SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injecti ...) {DLA-1718-1} [experimental] - sqlalchemy 1.3.0~b3+ds1-1 - sqlalchemy 1.2.18+ds1-2 (bug #922669) [stretch] - sqlalchemy (Minor issue) NOTE: https://github.com/sqlalchemy/sqlalchemy/issues/4481 NOTE: https://github.com/sqlalchemy/sqlalchemy/commit/30307c4616ad67c01ddae2e1e8e34fabf6028414 CVE-2019-7163 (The web interface of Alcatel LINKZONE MW40-V-V1.0 MW40_LU_02.00_02 dev ...) NOT-FOR-US: Alcatel CVE-2019-7162 (An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.6 Bu ...) NOT-FOR-US: Zoho ManageEngine CVE-2019-7161 (An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.x th ...) NOT-FOR-US: Zoho ManageEngine ADSelfService Plus CVE-2019-7160 (idreamsoft iCMS 7.0.13 allows admincp.php?app=files ../ Directory Trav ...) NOT-FOR-US: idreamsoft iCMS CVE-2019-7159 (OX App Suite 7.10.1 and earlier allows Information Exposure. ...) NOT-FOR-US: Open-Xchange App Suite CVE-2019-7158 (OX App Suite 7.10.0 and earlier has Incorrect Access Control. ...) NOT-FOR-US: Open-Xchange App Suite CVE-2019-7157 RESERVED CVE-2019-7156 (In libdoc through 2019-01-28, calcFileBlockOffset in ole.c allows divi ...) - catdoc (unimportant) NOTE: https://github.com/uvoteam/libdoc/issues/5 NOTE: catdoc embeds the code; crash in CLI tool, no security impact CVE-2019-7155 (An issue was discovered in GitLab Community and Enterprise Edition 9.x ...) - gitlab 11.5.10+dfsg-1 (bug #921059) NOTE: https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/ CVE-2019-7154 (The main function in tools/wasm2js.cpp in Binaryen 1.38.22 has a heap- ...) - binaryen 66-1 (bug #920853) NOTE: https://github.com/WebAssembly/binaryen/issues/1876 NOTE: https://github.com/WebAssembly/binaryen/commit/79a4fbc80d7ffce4cbcfd04315ce3a0efa88d7fa CVE-2019-7153 (A NULL pointer dereference was discovered in wasm::WasmBinaryBuilder:: ...) - binaryen 66-1 (bug #920853) NOTE: https://github.com/WebAssembly/binaryen/issues/1879 NOTE: https://github.com/WebAssembly/binaryen/commit/2127e64f42da55bb5b9b0ab1995b3ca7fc4e0d0b NOTE: https://github.com/WebAssembly/binaryen/commit/85e95e315a8023c46eb804fe80ebc244bcfdae3e CVE-2019-7152 (A heap-based buffer over-read was discovered in wasm::WasmBinaryBuilde ...) - binaryen 66-1 (bug #920853) NOTE: https://github.com/WebAssembly/binaryen/issues/1880 NOTE: Same set of fixes as for https://github.com/WebAssembly/binaryen/issues/1879 NOTE: address the issue. NOTE: https://github.com/WebAssembly/binaryen/commit/2127e64f42da55bb5b9b0ab1995b3ca7fc4e0d0b NOTE: https://github.com/WebAssembly/binaryen/commit/85e95e315a8023c46eb804fe80ebc244bcfdae3e CVE-2019-7151 (A NULL pointer dereference was discovered in wasm::Module::getFunction ...) - binaryen 66-1 (bug #920853) NOTE: https://github.com/WebAssembly/binaryen/issues/1881 NOTE: Same set of fixes as for https://github.com/WebAssembly/binaryen/issues/1879 NOTE: address the issue. NOTE: https://github.com/WebAssembly/binaryen/commit/2127e64f42da55bb5b9b0ab1995b3ca7fc4e0d0b NOTE: https://github.com/WebAssembly/binaryen/commit/85e95e315a8023c46eb804fe80ebc244bcfdae3e CVE-2019-7150 (An issue was discovered in elfutils 0.175. A segmentation fault can oc ...) {DLA-1689-1} - elfutils 0.176-1 (low; bug #920909) [stretch] - elfutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24103 NOTE: https://sourceware.org/ml/elfutils-devel/2019-q1/msg00070.html NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=da5c5336a1eaf519de246f7d9f0f5585e1d4ac59 CVE-2019-7149 (A heap-based buffer over-read was discovered in the function read_srcl ...) {DLA-1689-1} - elfutils 0.176-1 (low; bug #920910) [stretch] - elfutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24102 NOTE: https://sourceware.org/ml/elfutils-devel/2019-q1/msg00068.html NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=2562759d6fe5b364fe224852e64e8bda39eb2e35 CVE-2019-7148 (**DISPUTED** An attempted excessive memory allocation was discovered i ...) - elfutils 0.176-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24085 NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=e32380ecefbb23448541367283d3b94930762986 NOTE: malloc can fail on invalid file, but "nothing" bad with security implication will NOTE: happen, negligible security impact. CVE-2019-7147 (A buffer over-read exists in the function crc64ib in crc64.c in nasmli ...) - nasm (Vulnerable code introduced later) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392544 CVE-2019-7146 (In elfutils 0.175, there is a buffer over-read in the ebl_object_note ...) - elfutils 0.176-1 (bug #920911) [stretch] - elfutils (Vulnerable code introduced in 0.175) [jessie] - elfutils (Vulnerable code introduced in 0.175) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24075 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24081 NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=012018907ca05eb0ab51d424a596ef38fc87cae1 NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=cd7ded3df43f655af945c869976401a602e46fcd CVE-2019-7145 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7144 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7143 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7142 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7141 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7140 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7139 (An unauthenticated user can execute SQL statements that allow arbitrar ...) NOT-FOR-US: Magento CVE-2019-7138 (Adobe Bridge CC versions 9.0.2 have an out-of-bounds read vulnerabilit ...) NOT-FOR-US: Adobe CVE-2019-7137 (Adobe Bridge CC versions 9.0.2 have a memory corruption vulnerability. ...) NOT-FOR-US: Adobe CVE-2019-7136 (Adobe Bridge CC versions 9.0.2 have an use after free vulnerability. S ...) NOT-FOR-US: Adobe CVE-2019-7135 (Adobe Bridge CC versions 9.0.2 have an out-of-bounds read vulnerabilit ...) NOT-FOR-US: Adobe CVE-2019-7134 (Adobe Bridge CC versions 9.0.2 have an out-of-bounds read vulnerabilit ...) NOT-FOR-US: Adobe CVE-2019-7133 (Adobe Bridge CC versions 9.0.2 have an out-of-bounds read vulnerabilit ...) NOT-FOR-US: Adobe CVE-2019-7132 (Adobe Bridge CC versions 9.0.2 have an out-of-bounds write vulnerabili ...) NOT-FOR-US: Adobe CVE-2019-7131 (Adobe Acrobat and Reader versions 2019.010.20064 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7130 (Adobe Bridge CC versions 9.0.2 have a heap overflow vulnerability. Suc ...) NOT-FOR-US: Adobe CVE-2019-7129 (Adobe Experience Manager Forms versions 6.2, 6.3 and 6.4 have a stored ...) NOT-FOR-US: Adobe CVE-2019-7128 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7127 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7126 RESERVED CVE-2019-7125 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7124 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7123 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7122 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7121 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7120 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7119 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7118 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7117 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7116 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7115 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7114 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7113 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7112 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7111 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7110 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7109 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7108 (Adobe Flash Player versions 32.0.0.156 and earlier, 32.0.0.156 and ear ...) NOT-FOR-US: Adobe Flash Player CVE-2019-7107 (Adobe InDesign versions 14.0.1 and below have an unsafe hyperlink proc ...) NOT-FOR-US: Adobe CVE-2019-7106 (Adobe XD versions 16.0 and earlier have a path traversal vulnerability ...) NOT-FOR-US: Adobe CVE-2019-7105 (Adobe XD versions 16.0 and earlier have a path traversal vulnerability ...) NOT-FOR-US: Adobe CVE-2019-7104 (Adobe Shockwave Player versions 12.3.4.204 and earlier have a memory c ...) NOT-FOR-US: Adobe CVE-2019-7103 (Adobe Shockwave Player versions 12.3.4.204 and earlier have a memory c ...) NOT-FOR-US: Adobe CVE-2019-7102 (Adobe Shockwave Player versions 12.3.4.204 and earlier have a memory c ...) NOT-FOR-US: Adobe CVE-2019-7101 (Adobe Shockwave Player versions 12.3.4.204 and earlier have a memory c ...) NOT-FOR-US: Adobe CVE-2019-7100 (Adobe Shockwave Player versions 12.3.4.204 and earlier have a memory c ...) NOT-FOR-US: Adobe CVE-2019-7099 (Adobe Shockwave Player versions 12.3.4.204 and earlier have a memory c ...) NOT-FOR-US: Adobe CVE-2019-7098 (Adobe Shockwave Player versions 12.3.4.204 and earlier have a memory c ...) NOT-FOR-US: Adobe CVE-2019-7097 (Adobe Dreamweaver versions 19.0 and earlier have an insecure protocol ...) NOT-FOR-US: Adobe CVE-2019-7096 (Adobe Flash Player versions 32.0.0.156 and earlier, 32.0.0.156 and ear ...) NOT-FOR-US: Adobe Flash Player CVE-2019-7095 (Adobe Digital Editions versions 4.5.10.185749 and below have a heap ov ...) NOT-FOR-US: Adobe CVE-2019-7094 (Adobe Photoshop CC 19.1.7 and earlier, and 20.0.2 and earlier have a h ...) NOT-FOR-US: Adobe CVE-2019-7093 (Creative Cloud Desktop Application (installer) versions 4.7.0.400 and ...) NOT-FOR-US: Adobe CVE-2019-7092 (ColdFusion versions Update 1 and earlier, Update 7 and earlier, and Up ...) NOT-FOR-US: Adobe CVE-2019-7091 (ColdFusion versions Update 1 and earlier, Update 7 and earlier, and Up ...) NOT-FOR-US: Adobe CVE-2019-7090 (Flash Player Desktop Runtime versions 32.0.0.114 and earlier, Flash Pl ...) NOT-FOR-US: Adobe CVE-2019-7089 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7088 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7087 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7086 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7085 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7084 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7083 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7082 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7081 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7080 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7079 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7078 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7077 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7076 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7075 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7074 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7073 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7072 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7071 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7070 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7069 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7068 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7067 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7066 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7065 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7064 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7063 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7062 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7061 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7060 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7059 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7058 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7057 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7056 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7055 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7054 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7053 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7052 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7051 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7050 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7049 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7048 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7047 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7046 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7045 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7044 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7043 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7042 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7041 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7040 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7039 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7038 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7037 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7036 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7035 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7034 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7033 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7032 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7031 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7030 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7029 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7028 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7027 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7026 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7025 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7024 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7023 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7022 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7021 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7020 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7019 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7018 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7017 REJECTED CVE-2019-7016 REJECTED CVE-2019-7015 REJECTED CVE-2019-7014 REJECTED CVE-2019-7013 REJECTED CVE-2019-7012 REJECTED CVE-2019-7011 REJECTED CVE-2019-7010 REJECTED CVE-2019-7009 REJECTED CVE-2019-7008 REJECTED CVE-2019-7007 (A directory traversal vulnerability has been found in the Avaya Equino ...) NOT-FOR-US: Avaya CVE-2019-7006 (Avaya one-X Communicator uses weak cryptographic algorithms in the cli ...) NOT-FOR-US: Avaya CVE-2019-7005 RESERVED CVE-2019-7004 (A Cross-Site Scripting (XSS) vulnerability in the WebUI component of I ...) NOT-FOR-US: Avaya CVE-2019-7003 (A SQL injection vulnerability in the reporting component of Avaya Cont ...) NOT-FOR-US: Avaya CVE-2019-7002 RESERVED CVE-2019-7001 (A SQL injection vulnerability in the WebUI component of IP Office Cont ...) NOT-FOR-US: IP Office Contact Center CVE-2019-7000 (A Cross-Site Scripting (XSS) vulnerability in the Web UI of Avaya Aura ...) NOT-FOR-US: Web UI of Avaya Aura Conferencing CVE-2019-6999 REJECTED CVE-2019-6998 RESERVED CVE-2019-6997 (An issue was discovered in GitLab Community and Enterprise Edition 10. ...) - gitlab 11.5.10+dfsg-1 (bug #921059) NOTE: https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/ CVE-2019-6996 (An issue was discovered in GitLab Enterprise Edition 10.x (starting in ...) - gitlab (Only affects EE) NOTE: https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/ CVE-2019-6995 (An issue was discovered in GitLab Community and Enterprise Edition 8.x ...) - gitlab 11.5.10+dfsg-1 (bug #921059) NOTE: https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/ CVE-2019-6994 RESERVED CVE-2019-6993 RESERVED CVE-2019-6992 (A stored-self XSS exists in web/skins/classic/views/controlcaps.php of ...) - zoneminder 1.32.3-2 (bug #920999) NOTE: https://github.com/ZoneMinder/zoneminder/commit/8c5687ca308e441742725e0aff9075779fa1a498 NOTE: https://github.com/ZoneMinder/zoneminder/issues/2445 CVE-2019-6991 (A classic Stack-based buffer overflow exists in the zmLoadUser() funct ...) - zoneminder 1.32.3-2 (bug #921000) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2478 NOTE: https://github.com/ZoneMinder/zoneminder/pull/2482 CVE-2019-6990 (A stored-self XSS exists in web/skins/classic/views/zones.php of ZoneM ...) - zoneminder 1.32.3-2 (bug #921001) NOTE: https://github.com/ZoneMinder/zoneminder/commit/a3e8fd4fd5b579865f35aac3b964bc78d5b7a94a NOTE: https://github.com/ZoneMinder/zoneminder/issues/2444 CVE-2016-10741 (In the Linux kernel before 4.9.3, fs/xfs/xfs_aops.c allows local users ...) {DLA-1731-1} - linux 4.9.6-1 NOTE: Fixed by: https://git.kernel.org/linus/04197b341f23b908193308b8d63d17ff23232598 CVE-2016-10740 (Various resources in Atlassian Crowd before version 2.10.1 allow remot ...) NOT-FOR-US: Atlassian Crowd CVE-2019-1000018 (rssh version 2.3.4 contains a CWE-77: Improper Neutralization of Speci ...) {DSA-4377-1 DLA-1650-1} - rssh 2.3.4-9 (bug #919623) NOTE: https://sourceforge.net/p/rssh/mailman/message/36519118/ CVE-2019-6989 (TP-Link TL-WR940N is vulnerable to a stack-based buffer overflow, caus ...) NOT-FOR-US: TP-Link CVE-2019-6988 (An issue was discovered in OpenJPEG 2.3.0. It allows remote attackers ...) - openjpeg2 (low; bug #922648) [buster] - openjpeg2 (Minor issue) [stretch] - openjpeg2 (Minor issue) [jessie] - openjpeg2 (Minor issue) NOTE: https://github.com/uclouvain/openjpeg/issues/1178 CVE-2019-6987 RESERVED CVE-2019-6986 (SPARQL Injection in VIVO Vitro v1.10.0 allows a remote attacker to exe ...) NOT-FOR-US: VIVO Vitro CVE-2019-6985 (An issue was discovered in Foxit 3D Plugin Beta before 9.4.0.16807 for ...) NOT-FOR-US: Foxit Reader CVE-2019-6984 (An issue was discovered in Foxit 3D Plugin Beta before 9.4.0.16807 for ...) NOT-FOR-US: Foxit Reader CVE-2019-6983 (An issue was discovered in Foxit 3D Plugin Beta before 9.4.0.16807 for ...) NOT-FOR-US: Foxit Reader CVE-2019-6982 (An issue was discovered in Foxit 3D Plugin Beta before 9.4.0.16807 for ...) NOT-FOR-US: Foxit Reader CVE-2019-6981 (Zimbra Collaboration Suite 8.7.x through 8.8.11 allows Blind SSRF in t ...) NOT-FOR-US: Zimbra CVE-2019-6980 (Synacor Zimbra Collaboration Suite 8.7.x through 8.8.11 allows insecur ...) NOT-FOR-US: Zimbra CVE-2019-6979 (An issue was discovered in the User IP History Logs (aka IP_History_Lo ...) NOT-FOR-US: IP History Logs plugin for MyBB CVE-2018-20745 (Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into ...) - yii (bug #597899) CVE-2018-20744 (The Olivier Poitrey Go CORS handler through 1.3.0 actively converts a ...) NOT-FOR-US: Olivier Poitrey Go CORS handler CVE-2019-6978 (The GD Graphics Library (aka LibGD) 2.2.5 has a double free in the gdI ...) {DSA-4384-1 DLA-1651-1} - libgd2 2.2.5-5.1 (bug #920728) NOTE: https://github.com/libgd/libgd/issues/492 NOTE: https://github.com/libgd/libgd/commit/553702980ae89c83f2d6e254d62cf82e204956d0 CVE-2019-1000029 [DoS due to changing # of allowed users in root channel] - mumble 1.3.0~git20190125.440b173+dfsg-1 (bug #920476) [stretch] - mumble (Vulnerable code introduced later) [jessie] - mumble (Vulnerable code introduced later) NOTE: https://github.com/mumble-voip/mumble/issues/3585 NOTE: Introduced in: https://github.com/mumble-voip/mumble/commit/84b1bcecef790a84d10b2d1f2060c1681a2bb836 NOTE: Fixed by: https://github.com/mumble-voip/mumble/commit/3edc46ff7308691d342f8c08ce1afaaefce35a5c CVE-2019-6977 (gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka ...) {DSA-4384-1 DLA-1651-1} - libgd2 2.2.5-5.1 (bug #920645) - php7.3 7.3.1-1 (unimportant) - php7.0 (unimportant) - php5 (unimportant) NOTE: Fixed in 5.6.40, 7.1.26, 7.2.14, 7.3.1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77270 NOTE: Proposed patch: https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced CVE-2019-6976 (libvips before 8.7.4 generates output images from uninitialized memory ...) - vips 8.7.4-1 (low) [stretch] - vips 8.4.5-1+deb9u1 [jessie] - vips (Minor Issue) NOTE: https://github.com/libvips/libvips/commit/00622428bda8d7521db8d74260b519fa41d69d0a CVE-2019-6975 (Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2. ...) {DSA-4476-1} - python-django 1:1.11.20-1 (low; bug #922027) [jessie] - python-django (Vulnerable code not present) NOTE: Upstream re-released https://code.djangoproject.com/ticket/30175 NOTE: https://www.djangoproject.com/weblog/2019/feb/11/security-releases/ NOTE: https://github.com/django/django/commit/0bbb560183fabf0533289700845dafa94951f227 (1.11 branch) CVE-2019-6974 (In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm ...) {DLA-1771-1 DLA-1731-1} - linux 4.19.20-1 [stretch] - linux 4.9.161-1 NOTE: https://git.kernel.org/linus/cfa39381173d5f969daf43582c95ad679189cbc9 CVE-2019-6973 (Sricam IP CCTV cameras are vulnerable to denial of service via multipl ...) NOT-FOR-US: Sricam IP CCTV cameras CVE-2019-6972 (An issue was discovered on TP-Link TL-WR1043ND V2 devices. The credent ...) NOT-FOR-US: TP-Link CVE-2019-6971 (An issue was discovered on TP-Link TL-WR1043ND V2 devices. An attacker ...) NOT-FOR-US: TP-Link CVE-2019-6970 (Moodle 3.5.x before 3.5.4 allows SSRF. ...) - moodle CVE-2019-6969 (The web interface of the D-Link DVA-5592 20180823 is vulnerable to an ...) NOT-FOR-US: D-Link CVE-2019-6968 (The web interface of the D-Link DVA-5592 20180823 is vulnerable to XSS ...) NOT-FOR-US: D-Link CVE-2019-6967 (AirTies Air5341 1.0.0.12 devices allow cgi-bin/login CSRF. ...) NOT-FOR-US: AirTies devices CVE-2019-6966 (An issue was discovered in Bento4 1.5.1-628. The AP4_ElstAtom class in ...) NOT-FOR-US: Bento4 CVE-2019-6965 (An XSS issue was discovered in i-doit Open 1.12 via the src/tools/php/ ...) NOT-FOR-US: i-doit CVE-2019-6964 (A heap-based buffer over-read in Service_SetParamStringValue in cosa_x ...) NOT-FOR-US: RDK (Reference Design Kit) CVE-2019-6963 (A heap-based buffer overflow in cosa_dhcpv4_dml.c in the RDK RDKB-2018 ...) NOT-FOR-US: RDK (Reference Design Kit) CVE-2019-6962 (A shell injection issue in cosa_wifi_apis.c in the RDK RDKB-20181217-1 ...) NOT-FOR-US: RDK (Reference Design Kit) CVE-2019-6961 (Incorrect access control in actionHandlerUtility.php in the RDK RDKB-2 ...) NOT-FOR-US: RDK (Reference Design Kit) CVE-2019-6960 (An issue was discovered in GitLab Community and Enterprise Edition 9.x ...) - gitlab 11.5.10+dfsg-1 (bug #921059) NOTE: https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/ CVE-2019-6959 RESERVED CVE-2019-6958 (A recently discovered security vulnerability affects all Bosch Video M ...) NOT-FOR-US: Bosch CVE-2019-6957 (A recently discovered security vulnerability affects all Bosch Video M ...) NOT-FOR-US: Bosch CVE-2019-6956 (An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2 ...) {DLA-1899-1} - faad2 2.8.8-3.1 (bug #914641) [buster] - faad2 (Minor issue) [stretch] - faad2 (Minor issue) NOTE: https://sourceforge.net/p/faac/bugs/240/ NOTE: https://github.com/knik0/faad2/issues/39 NOTE: https://github.com/knik0/faad2/commit/6823e6610c9af1b0080cb22b9da03efb208d7d57 CVE-2019-6955 RESERVED CVE-2019-6954 RESERVED CVE-2019-6953 RESERVED CVE-2019-6952 RESERVED CVE-2019-6951 RESERVED CVE-2019-6950 RESERVED CVE-2019-6949 RESERVED CVE-2019-6948 RESERVED CVE-2019-6947 RESERVED CVE-2019-6946 RESERVED CVE-2019-6945 RESERVED CVE-2019-6944 RESERVED CVE-2019-6943 RESERVED CVE-2019-6942 RESERVED CVE-2019-6941 RESERVED CVE-2019-6940 RESERVED CVE-2019-6939 RESERVED CVE-2019-6938 RESERVED CVE-2019-6937 RESERVED CVE-2019-6936 RESERVED CVE-2019-6935 RESERVED CVE-2019-6934 RESERVED CVE-2019-6933 RESERVED CVE-2019-6932 RESERVED CVE-2019-6931 RESERVED CVE-2019-6930 RESERVED CVE-2019-6929 RESERVED CVE-2019-6928 RESERVED CVE-2019-6927 RESERVED CVE-2019-6926 RESERVED CVE-2019-6925 RESERVED CVE-2019-6924 RESERVED CVE-2019-6923 RESERVED CVE-2019-6922 RESERVED CVE-2019-6921 RESERVED CVE-2019-6920 RESERVED CVE-2019-6919 RESERVED CVE-2019-6918 RESERVED CVE-2019-6917 RESERVED CVE-2019-6916 RESERVED CVE-2019-6915 RESERVED CVE-2019-6914 RESERVED CVE-2019-6913 RESERVED CVE-2019-6912 RESERVED CVE-2019-6911 RESERVED CVE-2019-6910 RESERVED CVE-2019-6909 RESERVED CVE-2019-6908 RESERVED CVE-2019-6907 RESERVED CVE-2019-6906 RESERVED CVE-2019-6905 RESERVED CVE-2019-6904 RESERVED CVE-2019-6903 RESERVED CVE-2019-6902 RESERVED CVE-2019-6901 RESERVED CVE-2019-6900 RESERVED CVE-2019-6899 RESERVED CVE-2019-6898 RESERVED CVE-2019-6897 RESERVED CVE-2019-6896 RESERVED CVE-2019-6895 RESERVED CVE-2019-6894 RESERVED CVE-2019-6893 RESERVED CVE-2019-6892 RESERVED CVE-2019-6891 RESERVED CVE-2019-6890 RESERVED CVE-2019-6889 RESERVED CVE-2019-6888 RESERVED CVE-2019-6887 RESERVED CVE-2019-6886 RESERVED CVE-2019-6885 RESERVED CVE-2019-6884 RESERVED CVE-2019-6883 RESERVED CVE-2019-6882 RESERVED CVE-2019-6881 RESERVED CVE-2019-6880 RESERVED CVE-2019-6879 RESERVED CVE-2019-6878 RESERVED CVE-2019-6877 RESERVED CVE-2019-6876 RESERVED CVE-2019-6875 RESERVED CVE-2019-6874 RESERVED CVE-2019-6873 RESERVED CVE-2019-6872 RESERVED CVE-2019-6871 RESERVED CVE-2019-6870 RESERVED CVE-2019-6869 RESERVED CVE-2019-6868 RESERVED CVE-2019-6867 RESERVED CVE-2019-6866 RESERVED CVE-2019-6865 RESERVED CVE-2019-6864 RESERVED CVE-2019-6863 RESERVED CVE-2019-6862 RESERVED CVE-2019-6861 RESERVED CVE-2019-6860 RESERVED CVE-2019-6859 (A CWE-798: Use of Hardcoded Credentials vulnerability exists in Modico ...) NOT-FOR-US: Modicon CVE-2019-6858 (A CWE-427:Uncontrolled Search Path Element vulnerability exists in MSX ...) NOT-FOR-US: MSX Configurator CVE-2019-6857 (A CWE-754: Improper Check for Unusual or Exceptional Conditions vulner ...) NOT-FOR-US: Modicon CVE-2019-6856 (A CWE-754: Improper Check for Unusual or Exceptional Conditions vulner ...) NOT-FOR-US: Modicon CVE-2019-6855 (An Improper Authorization - CWE-285 vulnerability exists in EcoStruxur ...) NOT-FOR-US: EcoStruxure Control Expert CVE-2019-6854 (A CWE-264 Permissions, Privileges, and Access Controls vulnerability e ...) NOT-FOR-US: EcoStruxure Geo SCADA Expert CVE-2019-6853 (A CWE-79: Failure to Preserve Web Page Structure vulnerability exists ...) NOT-FOR-US: Andover Continuum CVE-2019-6852 (A CWE-200: Information Exposure vulnerability exists in Modicon Contro ...) NOT-FOR-US: Schneider Electric CVE-2019-6851 (A CWE-538: File and Directory Information Exposure vulnerability exist ...) NOT-FOR-US: Modicon CVE-2019-6850 (A CWE-200: Information Exposure vulnerability exists in Modicon M580, ...) NOT-FOR-US: Modicon CVE-2019-6849 (A CWE-200: Information Exposure vulnerability exists in Modicon M580, ...) NOT-FOR-US: Modicon CVE-2019-6848 (A CWE-248: Uncaught Exception vulnerability exists in Modicon M580, Mo ...) NOT-FOR-US: Modicon CVE-2019-6847 (A CWE-248: Uncaught Exception vulnerability exists in Modicon M580, Mo ...) NOT-FOR-US: Modicon CVE-2019-6846 (A CWE-319: Cleartext Transmission of Sensitive Information vulnerabili ...) NOT-FOR-US: Modicon CVE-2019-6845 (A CWE-319: Cleartext Transmission of Sensitive Information vulnerabili ...) NOT-FOR-US: Modicon CVE-2019-6844 (A CWE-248: Uncaught Exception vulnerability exists in Modicon M580, Mo ...) NOT-FOR-US: Modicon CVE-2019-6843 (A CWE-248: Uncaught Exception vulnerability exists in Modicon M580, Mo ...) NOT-FOR-US: Modicon CVE-2019-6842 (A CWE-248: Uncaught Exception vulnerability exists in Modicon M580, Mo ...) NOT-FOR-US: Modicon CVE-2019-6841 (A CWE-248: Uncaught Exception vulnerability exists in Modicon M580, Mo ...) NOT-FOR-US: Modicon CVE-2019-6840 (A Format String: CWE-134 vulnerability exists in U.motion Server (MEG6 ...) NOT-FOR-US: Schneider CVE-2019-6839 (An Improper Access Control: CWE-284 vulnerability exists in U.motion S ...) NOT-FOR-US: Schneider CVE-2019-6838 (An Improper Access Control: CWE-284 vulnerability exists in U.motion S ...) NOT-FOR-US: Schneider CVE-2019-6837 (A Server-Side Request Forgery (SSRF): CWE-918 vulnerability exists in ...) NOT-FOR-US: Schneider CVE-2019-6836 (An Improper Access Control: CWE-284 vulnerability exists in U.motion S ...) NOT-FOR-US: Schneider CVE-2019-6835 (A Cross-Site Scripting (XSS) CWE-79 vulnerability exists in U.motion S ...) NOT-FOR-US: Schneider CVE-2019-6834 RESERVED CVE-2019-6833 (A CWE-754 – Improper Check for Unusual or Exceptional Conditions ...) NOT-FOR-US: Schneider CVE-2019-6832 (A CWE-287: Authentication vulnerability exists in spaceLYnk (all versi ...) NOT-FOR-US: Schneider CVE-2019-6831 (A CWE-754: Improper Check for Unusual or Exceptional Conditions vulner ...) NOT-FOR-US: Schneider CVE-2019-6830 (A CWE-248: Uncaught Exception vulnerability exists IN Modicon M580 all ...) NOT-FOR-US: Schneider CVE-2019-6829 (A CWE-248: Uncaught Exception vulnerability exists in Modicon M580 (fi ...) NOT-FOR-US: Schneider CVE-2019-6828 (A CWE-248: Uncaught Exception vulnerability exists Modicon M580 (firmw ...) NOT-FOR-US: Schneider CVE-2019-6827 (A CWE-787: Out-of-bounds Write vulnerability exists in Interactive Gra ...) NOT-FOR-US: Interactive Graphical SCADA System (IGSS) CVE-2019-6826 (A CWE-426: Untrusted Search Path vulnerability exists in SoMachine HVA ...) NOT-FOR-US: Schneider CVE-2019-6825 (A CWE-427: Uncontrolled Search Path Element vulnerability exists in Pr ...) NOT-FOR-US: ProClima CVE-2019-6824 (A CWE-119: Buffer Errors vulnerability exists in ProClima (all version ...) NOT-FOR-US: ProClima CVE-2019-6823 (A CWE-94: Code Injection vulnerability exists in ProClima (all version ...) NOT-FOR-US: ProClima CVE-2019-6822 (A Use After Free: CWE-416 vulnerability exists in Zelio Soft 2, V5.2 a ...) NOT-FOR-US: Zelio Soft 2 CVE-2019-6821 (CWE-330: Use of Insufficiently Random Values vulnerability, which coul ...) NOT-FOR-US: Schneider Electric CVE-2019-6820 (A CWE-306: Missing Authentication for Critical Function vulnerability ...) NOT-FOR-US: Schneider Electric CVE-2019-6819 (A CWE-754: Improper Check for Unusual or Exceptional Conditions vulner ...) NOT-FOR-US: Schneider Electric CVE-2019-6818 RESERVED CVE-2019-6817 RESERVED CVE-2019-6816 (In Modicon Quantum all firmware versions, a CWE-94: Code Injection vul ...) NOT-FOR-US: Schneider Electric CVE-2019-6815 (In Modicon Quantum all firmware versions, CWE-264: Permissions, Privil ...) NOT-FOR-US: Schneider Electric CVE-2019-6814 (An Improper Access Control: CWE-284 vulnerability exists in the NET55X ...) NOT-FOR-US: Schneider Electric CVE-2019-6813 (A CWE-754: Improper Check for Unusual or Exceptional Conditions vulner ...) NOT-FOR-US: Schneider CVE-2019-6812 (A CWE-798 use of hardcoded credentials vulnerability exists in BMX-NOR ...) NOT-FOR-US: Schneider Electric CVE-2019-6811 (An Improper Check for Unusual or Exceptional Conditions (CWE-754) vuln ...) NOT-FOR-US: Schneider CVE-2019-6810 (CWE-284: Improper Access Control vulnerability exists in BMXNOR0200H E ...) NOT-FOR-US: Schneider CVE-2019-6809 (A CWE-248: Uncaught Exception vulnerability exists in Modicon M580 (fi ...) NOT-FOR-US: Schneider CVE-2019-6808 (A CWE-284: Improper Access Control vulnerability exists in all version ...) NOT-FOR-US: Schneider Electric CVE-2019-6807 (A CWE-248: Uncaught Exception vulnerability exists in all versions of ...) NOT-FOR-US: Schneider Electric CVE-2019-6806 (A CWE-200: Information Exposure vulnerability exists in all versions o ...) NOT-FOR-US: Schneider Electric CVE-2019-6805 (SQL Injection was found in S-CMS version V3.0 via the alipay/alipayapi ...) NOT-FOR-US: S-CMS CVE-2019-6804 (An XSS issue was discovered on the Job Edit page in Rundeck Community ...) NOT-FOR-US: Rundeck Community Edition CVE-2019-6803 (typora through 0.9.9.20.3 beta has XSS, with resultant remote command ...) NOT-FOR-US: Typora CVE-2019-6802 (CRLF Injection in pypiserver 1.2.5 and below allows attackers to set a ...) NOT-FOR-US: pypiserver CVE-2019-6801 RESERVED CVE-2019-6800 (In TitanHQ SpamTitan through 7.03, a vulnerability exists in the spam ...) NOT-FOR-US: TitanHQ SpamTitan CVE-2019-6799 (An issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbi ...) {DLA-1692-1} - phpmyadmin 4:4.9.1+dfsg1-2 (bug #920823) [stretch] - phpmyadmin (Minor issue; can be fixed via point release) NOTE: https://www.phpmyadmin.net/security/PMASA-2019-1/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/aeac90623e525057a7672ab3d98154b5c57c15ec NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/c5e01f84ad48c5c626001cb92d7a95500920a900 CVE-2019-6798 (An issue was discovered in phpMyAdmin before 4.8.5. A vulnerability wa ...) - phpmyadmin 4:4.9.1+dfsg1-2 (bug #920822) [stretch] - phpmyadmin (Minor issue; can be fixed via point release) [jessie] - phpmyadmin (Vulnerable code introduced later >= 4.5.0) NOTE: https://www.phpmyadmin.net/security/PMASA-2019-2/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/469934cf7d3bd19a839eb78670590f7511399435 CVE-2019-6797 (An information disclosure issue was discovered in GitLab Enterprise Ed ...) - gitlab (Only affects EE) NOTE: https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/ CVE-2019-6796 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.5.10+dfsg-1 (bug #921059) NOTE: https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/ CVE-2019-6795 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.5.10+dfsg-1 (bug #921059) NOTE: https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/ CVE-2019-6794 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.5.10+dfsg-1 (bug #921059) NOTE: https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/ CVE-2019-6793 (An issue was discovered in GitLab Enterprise Edition before 11.5.8, 11 ...) - gitlab (Only affects EE) NOTE: https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/ CVE-2019-6792 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.5.10+dfsg-1 (bug #921059) NOTE: https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/ CVE-2019-6791 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.5.10+dfsg-1 (bug #921059) NOTE: https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/ CVE-2019-6790 (An Incorrect Access Control (issue 2 of 3) issue was discovered in Git ...) - gitlab 11.5.10+dfsg-1 (bug #921059) NOTE: https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/ CVE-2019-6789 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.5.10+dfsg-1 (bug #921059) NOTE: https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/ CVE-2019-6788 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.5.10+dfsg-1 (bug #921059) NOTE: https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/ CVE-2019-6787 (An Incorrect Access Control issue was discovered in GitLab Community a ...) - gitlab 11.5.10+dfsg-1 (bug #921059) NOTE: https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/ CVE-2019-6786 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.5.10+dfsg-1 (bug #921059) NOTE: https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/ CVE-2019-6785 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.5.10+dfsg-1 (bug #921059) NOTE: https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/ CVE-2019-6784 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.5.10+dfsg-1 (bug #921059) NOTE: https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/ CVE-2019-6783 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.5.10+dfsg-1 (bug #921059) NOTE: https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/ CVE-2019-6782 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.5.10+dfsg-1 (bug #921059) NOTE: https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/ CVE-2019-6781 (An Improper Input Validation issue was discovered in GitLab Community ...) - gitlab 11.5.10+dfsg-1 (bug #921059) NOTE: https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/ CVE-2019-6780 (The Wise Chat plugin before 2.7 for WordPress mishandles external link ...) NOT-FOR-US: WordPress plugin wise-chat CVE-2017-18360 (In change_port_settings in drivers/usb/serial/io_ti.c in the Linux ker ...) - linux 4.9.30-1 [jessie] - linux 3.16.48-1 NOTE: Fixed by: https://git.kernel.org/linus/6aeb75e6adfaed16e58780309613a578fe1ee90b CVE-2017-18359 (PostGIS 2.x before 2.3.3, as used with PostgreSQL, allows remote attac ...) {DLA-1653-1} - postgis 2.3.3+dfsg-1 (low) [stretch] - postgis (Minor issue) NOTE: https://trac.osgeo.org/postgis/ticket/3704 NOTE: https://trac.osgeo.org/postgis/changeset/15444 NOTE: https://trac.osgeo.org/postgis/changeset/15445 CVE-2019-6779 (Cscms 4.1.8 allows admin.php/links/save CSRF to add, modify, or delete ...) NOT-FOR-US: Cscms CVE-2019-6778 (In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer ove ...) {DSA-4454-1 DLA-1694-1} - qemu 1:3.1+dfsg-3 (bug #921525) - qemu-kvm - slirp4netns 0.2.1-1 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-01/msg03132.html NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=a7104eda7dab99d0cdbd3595c211864cba415905 CVE-2019-6777 (An issue was discovered in ZoneMinder v1.32.3. Reflected XSS exists in ...) - zoneminder 1.32.3-2 (bug #920375) NOTE: https://github.com/ZoneMinder/zoneminder/issues/2436 NOTE: https://github.com/mnoorenberghe/ZoneMinder/commit/59cc65411f02c7e39a270fda3ecb4966d7b48d41 CVE-2019-6776 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-6775 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2019-6774 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2019-6773 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2019-6772 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2019-6771 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2019-6770 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2019-6769 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2019-6768 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2019-6767 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2019-6766 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2019-6765 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-6764 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2019-6763 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2019-6762 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-6761 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2019-6760 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2019-6759 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2019-6758 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2019-6757 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2019-6756 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-6755 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2019-6754 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2019-6753 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2019-6752 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-6751 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Studio Photo CVE-2019-6750 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Studio Photo CVE-2019-6749 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Studio Photo CVE-2019-6748 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Studio Photo CVE-2019-6747 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Studio Photo CVE-2019-6746 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Studio Photo CVE-2019-6745 REJECTED CVE-2019-6744 (This vulnerability allows local attackers to disclose sensitive inform ...) NOT-FOR-US: Samsung CVE-2019-6743 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Xiaomi Mi6 Browser CVE-2019-6742 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: GameServiceReceiver update mechanism as used in Samsung Galaxy S9 CVE-2019-6741 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Samsung CVE-2019-6740 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Samsung CVE-2019-6739 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Malwarebytes Antimalware CVE-2019-6738 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Bitdefender SafePay CVE-2019-6737 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Bitdefender SafePay CVE-2019-6736 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Bitdefender SafePay CVE-2019-6735 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2019-6734 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-6733 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-6732 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-6731 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-6730 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2019-6729 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2019-6728 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2019-6727 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2019-6726 (The WP Fastest Cache plugin through 0.8.9.0 for WordPress allows remot ...) NOT-FOR-US: WP Fastest Cache plugin for WordPress CVE-2019-6725 (The rpWLANRedirect.asp ASP page is accessible without authentication o ...) NOT-FOR-US: ZyXEL CVE-2019-6724 (The barracudavpn component of the Barracuda VPN Client prior to versio ...) NOT-FOR-US: Barracuda VPN Client CVE-2019-6723 RESERVED CVE-2019-6722 RESERVED CVE-2019-6721 RESERVED CVE-2019-6720 RESERVED CVE-2019-6719 (An issue has been found in libIEC61850 v1.3.1. There is a use-after-fr ...) NOT-FOR-US: libIEC61850 CVE-2019-6718 RESERVED CVE-2019-6717 RESERVED CVE-2019-6716 (An unauthenticated Insecure Direct Object Reference (IDOR) in Wicket C ...) NOT-FOR-US: LogonBox Nervepoint Access Manager CVE-2019-6715 (pub/sns.php in the W3 Total Cache plugin before 0.9.4 for WordPress al ...) NOT-FOR-US: W3 Total Cache plugin for WordPress CVE-2019-6714 (An issue was discovered in BlogEngine.NET through 3.3.6.0. A path trav ...) NOT-FOR-US: BlogEngine.NET CVE-2019-6713 (app\admin\controller\RouteController.php in ThinkCMF 5.0.190111 allows ...) NOT-FOR-US: ThinkCMF CVE-2019-6712 RESERVED CVE-2019-6711 RESERVED CVE-2019-6710 (Zyxel NBG-418N v2 v1.00(AAXM.4)C0 devices allow login.cgi CSRF. ...) NOT-FOR-US: Zyxel CVE-2018-20742 (An issue was discovered in UC Berkeley RISE Opaque before 2018-12-01. ...) NOT-FOR-US: UC Berkeley RISE Opaque CVE-2019-6709 RESERVED CVE-2019-6708 (PHPSHE 1.7 has SQL injection via the admin.php?mod=order state paramet ...) NOT-FOR-US: PHPSHE CVE-2019-6707 (PHPSHE 1.7 has SQL injection via the admin.php?mod=product&act=sta ...) NOT-FOR-US: PHPSHE CVE-2019-6706 (Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For examp ...) - lua5.3 (bug #920321) [buster] - lua5.3 (Minor issue, revisit when fixed upstream) [stretch] - lua5.3 (Minor issue, revisit when fixed upstream) - lua5.2 (Vulnerable code introduced later) - lua5.1 (Vulnerable code introduced later) - lua50 (Vulnerable code introduced later) NOTE: http://lua.2524044.n2.nabble.com/Bug-Report-Use-after-free-in-debug-upvaluejoin-tc7685506.html NOTE: lua50 and lua5.1 don't have the affected code. NOTE: lua5.2 is not vulnerable as it doesn't free the value before using it. CVE-2019-6705 RESERVED CVE-2019-6704 RESERVED CVE-2019-6703 (Incorrect access control in migla_ajax_functions.php in the Calmar Web ...) NOT-FOR-US: Calmar Webmedia Total Donations plugin for WordPress CVE-2019-6702 (The MasterCard Qkr! app before 5.0.8 for iOS has Missing SSL Certifica ...) NOT-FOR-US: MasterCard Qkr! app CVE-2019-6701 RESERVED CVE-2019-6700 (An information exposure vulnerability in the external authentication p ...) NOT-FOR-US: FortiSIEM (Fortiguard) CVE-2019-6699 (An improper neutralization of input vulnerability in Fortinet FortiADC ...) NOT-FOR-US: Fortiguard CVE-2019-6698 (Use of Hard-coded Credentials vulnerability in FortiRecorder all versi ...) NOT-FOR-US: Fortinet CVE-2019-6697 RESERVED CVE-2019-6696 (An improper input validation vulnerability in FortiOS 6.2.1, 6.2.0, 6. ...) NOT-FOR-US: Fortiguard CVE-2019-6695 (Lack of root file system integrity checking in Fortinet FortiManager V ...) NOT-FOR-US: Fortinet CVE-2019-6694 RESERVED CVE-2019-6693 (Use of a hard-coded cryptographic key to cipher sensitive data in Fort ...) NOT-FOR-US: Fortinet CVE-2019-6692 (A malicious DLL preload vulnerability in Fortinet FortiClient for Wind ...) NOT-FOR-US: Fortinet CVE-2019-6691 (phpwind 9.0.2.170426 UTF8 allows SQL Injection via the admin.php?m=bac ...) NOT-FOR-US: phpwind CVE-2019-6690 (python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg t ...) {DLA-1675-1} - python-gnupg 0.4.4-1 [stretch] - python-gnupg (Minor issue) NOTE: https://github.com/stigtsp/CVE-2019-6690-python-gnupg-vulnerability NOTE: https://github.com/vsajip/python-gnupg/commit/39eca266dd837e2ad89c94eb17b7a6f50b25e7cf#diff-88b99bb28683bd5b7e3a204826ead112 NOTE: https://github.com/vsajip/python-gnupg/commit/3003b654ca1c29b0510a54b9848571b3ad57df19#diff-88b99bb28683bd5b7e3a204826ead112 CVE-2018-1000997 (A path traversal vulnerability exists in the Stapler web framework use ...) NOT-FOR-US: Jenkins CVE-2019-6689 (An issue was discovered in Dillon Kane Tidal Workload Automation Agent ...) NOT-FOR-US: Dillon Kane Tidal Workload Automation Agent CVE-2019-6688 (On BIG-IP versions 15.0.0-15.0.1.1, 14.1.0-14.1.2.2, 14.0.0-14.0.1, 13 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6687 (On versions 15.0.0-15.0.1.1, the BIG-IP ASM Cloud Security Services pr ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6686 (On BIG-IP versions 15.0.0-15.0.1.1, 14.1.0-14.1.2, 14.0.0-14.0.1, 13.1 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6685 (On BIG-IP versions 15.0.0-15.0.1.1, 14.1.0-14.1.2.2, 14.0.0-14.0.1, 13 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6684 (On versions 15.0.0-15.0.1.1, 14.0.0-14.1.2.2, 13.1.0-13.1.3.1, 12.1.0- ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6683 (On versions 15.0.0-15.0.1.1, 14.1.0-14.1.2.2, 14.0.0-14.0.1, 13.1.0-13 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6682 (On versions 15.0.0-15.0.1.1, 14.0.0-14.1.2.2, 13.1.0-13.1.3.1, 12.1.0- ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6681 (On BIG-IP versions 15.0.0-15.0.1.1, 14.1.0-14.1.2, 14.0.0-14.0.1, 13.1 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6680 (On BIG-IP versions 15.0.0-15.0.1, 14.1.0-14.1.2, 14.0.0-14.0.1, 13.1.0 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6679 (On BIG-IP versions 15.0.0-15.0.1, 14.1.0.2-14.1.2.2, 14.0.0.5-14.0.1, ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6678 (On BIG-IP versions 15.0.0-15.0.1, 14.1.0-14.1.2.2, 14.0.0-14.0.1, and ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6677 (On BIG-IP versions 15.0.0-15.0.1, 14.1.0-14.1.2, 14.0.0-14.0.1, 13.1.0 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6676 (On versions 15.0.0-15.0.1, 14.0.0-14.1.2.2, and 13.1.0-13.1.3.1, TMM m ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6675 (BIG-IP configurations using Active Directory, LDAP, or Client Certific ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6674 (On F5 SSL Orchestrator 15.0.0-15.0.1 and 14.0.0-14.1.2, TMM may crash ...) NOT-FOR-US: F5 CVE-2019-6673 (On versions 15.0.0-15.0.1 and 14.0.0-14.1.2, when the BIG-IP is config ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6672 (On BIG-IP AFM 15.0.0-15.0.1, 14.0.0-14.1.2, and 13.1.0-13.1.3.1, when ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6671 (On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2, 14.0.0-14.0.1, and 13.1.0-13.1 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6670 (On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2, 14.0.0-14.0.1, 13.1.0-13.1.3.1 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6669 (On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2, 14.0.0-14.0.1, 13.1.0-13.1.3.1 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6668 (The BIG-IP APM Edge Client for macOS bundled with BIG-IP APM 15.0.0-15 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6667 (On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.1.0-13.1 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6666 (On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, and 13.1.0- ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6665 (On BIG-IP ASM 15.0.0-15.0.1, 14.1.0-14.1.2, 14.0.0-14.0.1, and 13.1.0- ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6664 (On BIG-IP 15.0.0 and 14.1.0-14.1.0.6, under certain conditions, networ ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6663 (The BIG-IP 15.0.0-15.0.1, 14.0.0-14.1.2.2, 13.1.0-13.1.3.1, 12.1.0-12. ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6662 (On BIG-IP 13.1.0-13.1.1.4, sensitive information is logged into the lo ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6661 (When the BIG-IP APM 14.1.0-14.1.2, 14.0.0-14.0.1, 13.1.0-13.1.3.1, 12. ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6660 (On BIG-IP 14.1.0-14.1.2, 14.0.0-14.0.1, and 13.1.0-13.1.1, undisclosed ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6659 (On version 14.0.0-14.1.0.1, BIG-IP virtual servers with TLSv1.3 enable ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6658 (On BIG-IP AFM 15.0.0-15.0.1, 14.0.0-14.1.2, 13.1.0-13.1.3.1, and 12.1. ...) NOT-FOR-US: F5 CVE-2019-6657 (On BIG-IP 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.5.2-11.6.5.1, a refle ...) NOT-FOR-US: F5 CVE-2019-6656 (BIG-IP APM Edge Client before version 7.1.8 (7180.2019.508.705) logs t ...) NOT-FOR-US: F5 CVE-2019-6655 (On versions 13.0.0-13.1.0.1, 12.1.0-12.1.4.1, 11.6.1-11.6.4, and 11.5. ...) NOT-FOR-US: F5 CVE-2019-6654 (On versions 14.0.0-14.1.2, 13.0.0-13.1.3, 12.1.0-12.1.5, and 11.5.1-11 ...) NOT-FOR-US: F5 CVE-2019-6653 (There is a Stored Cross Site Scripting vulnerability in the undisclose ...) NOT-FOR-US: F5 CVE-2019-6652 (In BIG-IQ 6.0.0-6.1.0, services for stats do not require authenticatio ...) NOT-FOR-US: F5 CVE-2019-6651 (In BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 1 ...) NOT-FOR-US: F5 CVE-2019-6650 (F5 BIG-IP ASM 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1. ...) NOT-FOR-US: F5 CVE-2019-6649 (F5 BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 1 ...) NOT-FOR-US: F5 CVE-2019-6648 (On version 1.9.0, If DEBUG logging is enable, F5 Container Ingress Ser ...) NOT-FOR-US: F5 CVE-2019-6647 (On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.2, 12.1.0-12.1 ...) NOT-FOR-US: F5 CVE-2019-6646 (On BIG-IP 11.5.2-11.6.4 and Enterprise Manager 3.1.1, REST users with ...) NOT-FOR-US: F5 CVE-2019-6645 (On BIG-IP 14.0.0-14.1.0.5, 13.0.0-13.1.2, 12.1.0-12.1.4.1, 11.5.2-11.6 ...) NOT-FOR-US: F5 CVE-2019-6644 (Similar to the issue identified in CVE-2018-12120, on versions 14.1.0- ...) NOT-FOR-US: F5 CVE-2019-6643 (On versions 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.2, 12.1.0-12 ...) NOT-FOR-US: F5 CVE-2019-6642 (In BIG-IP 15.0.0, 14.0.0-14.1.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.2, a ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6641 (On BIG-IP 12.1.0-12.1.4.1, undisclosed requests can cause iControl RES ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6640 (On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6639 (On BIG-IP (AFM, PEM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6638 (On BIG-IP 14.1.0-14.1.0.5 and 14.0.0-14.0.0.4, Malformed http requests ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6637 (On BIG-IP (ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6636 (On BIG-IP (AFM, ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6635 (On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6634 (On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1. ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6633 (On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6632 (On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1. ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6631 (On BIG-IP 11.5.1-11.6.4, iRules performing HTTP header manipulation ma ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6630 (On F5 SSL Orchestrator 14.1.0-14.1.0.5 and 14.0.0-14.0.0.4, undisclose ...) NOT-FOR-US: F5 SSL Orchestrator CVE-2019-6629 (On BIG-IP 14.1.0-14.1.0.5, undisclosed SSL traffic to a virtual server ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6628 (On BIG-IP PEM 14.1.0-14.1.0.5 and 14.0.0-14.0.0.4, under certain condi ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6627 (On F5 SSL Orchestrator 14.1.0-14.1.0.5, on rare occasions, specific to ...) NOT-FOR-US: F5 SSL Orchestrator CVE-2019-6626 (On BIG-IP (AFM, Analytics, ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6625 (On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6624 (On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1. ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6623 (On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1. ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6622 (On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.5, 13.0.0-13.1.1.4, 12.1.0-12 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6621 (On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.5, 13.0.0-13.1.1.4, 12.1.0-12 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6620 (On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.5, 13.0.0-13.1.1.4, 12.1.0-12 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6619 (On BIG-IP 14.0.0-14.1.0.1, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, the Tra ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6618 (On BIG-IP 14.0.0-14.1.0.1, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6617 (On BIG-IP 14.0.0-14.1.0.1, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6616 (On BIG-IP 14.0.0-14.1.0.1, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6615 (On BIG-IP 14.0.0-14.1.0.1, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6614 (On BIG-IP 14.0.0-14.1.0.1, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, interna ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6613 (On BIG-IP 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.2- ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6612 (On BIG-IP 14.0.0-14.1.0.1, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6611 (When BIG-IP 14.0.0-14.1.0.1, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6610 (On BIG-IP versions 14.0.0-14.0.0.4, 13.0.0-13.1.1.1, 12.1.0-12.1.4, 11 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6609 (Platform dependent weakness. This issue only impacts iSeries platforms ...) NOT-FOR-US: BIG-IP APM CVE-2019-6608 (On BIG-IP 11.5.1-11.6.3, 12.1.0-12.1.3, 13.0.0-13.1.1.1, and 14.0.0-14 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6607 (On BIG-IP ASM 11.5.1-11.5.8, 11.6.1-11.6.3, 12.1.0-12.1.3, 13.0.0-13.1 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6606 (On BIG-IP 11.5.1-11.6.3.4, 12.1.0-12.1.3.7, 13.0.0-13.1.1.3, and 14.0. ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6605 (On BIG-IP 11.5.1-11.5.8, 11.6.1-11.6.3, and 12.0.x, an undisclosed seq ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6604 (On BIG-IP 11.5.1-11.5.8, 11.6.1-11.6.3, 12.1.0-12.1.3.6, 13.0.0-13.1.1 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6603 (In BIG-IP 11.5.1-11.5.8, 11.6.1-11.6.3, 12.1.0-12.1.3, and 13.0.0-13.0 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6602 (In BIG-IP 11.5.1-11.5.8 and 11.6.1-11.6.3, the Configuration Utility l ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6601 (In BIG-IP 13.0.0, 12.1.0-12.1.3.7, 11.6.1-11.6.3.2, or 11.5.1-11.5.8, ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6600 (In BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.3, 12.1.0-12.1.3.7, 11.6.1-11 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6599 (In BIG-IP 11.6.1-11.6.3.2 or 11.5.1-11.5.8, or Enterprise Manager 3.1. ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6598 (In BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.0.7, 12.1.0-12.1.3.5, 11.6.1-11 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6597 (In BIG-IP 13.0.0-13.1.1.1, 12.1.0-12.1.3.7, 11.6.1-11.6.3.2, or 11.5.1 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6596 (In BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.1, 12.1.0-12.1.3.6, 11.6.1-11 ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6595 (Cross-site scripting (XSS) vulnerability in F5 BIG-IP Access Policy Ma ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6594 (On BIG-IP 11.5.1-11.6.3.2, 12.1.3.4-12.1.3.7, 13.0.0 HF1-13.1.1.1, and ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6593 (On BIG-IP 11.5.1-11.5.4, 11.6.1, and 12.1.0, a virtual server configur ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6592 (On BIG-IP 14.1.0-14.1.0.1, TMM may restart and produce a core file whe ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6591 (On BIG-IP APM 14.0.0 to 14.0.0.4, 13.0.0 to 13.1.1.3 and 12.1.0 to 12. ...) NOT-FOR-US: BIG-IP CVE-2019-6590 (On BIG-IP LTM 13.0.0 to 13.0.1 and 12.1.0 to 12.1.3.6, under certain c ...) NOT-FOR-US: BIG-IP CVE-2019-6589 (On BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.3, 12.1.0-12.1.3.7, and 11.6. ...) NOT-FOR-US: F5 BIG-IP CVE-2019-6588 (In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in th ...) NOT-FOR-US: Liferay Portal CE CVE-2019-6587 RESERVED CVE-2019-6586 RESERVED CVE-2019-6585 (A vulnerability has been identified in SCALANCE S602 (All versions > ...) NOT-FOR-US: Siemens CVE-2019-6584 (A vulnerability has been identified in SIEMENS LOGO!8 (6ED1052-xyyxx-0 ...) NOT-FOR-US: Siemens CVE-2019-6583 RESERVED CVE-2019-6582 (A vulnerability has been identified in Siveillance VMS 2017 R2 (All ve ...) NOT-FOR-US: Siemens CVE-2019-6581 (A vulnerability has been identified in Siveillance VMS 2017 R2 (All ve ...) NOT-FOR-US: Siemens CVE-2019-6580 (A vulnerability has been identified in Siveillance VMS 2017 R2 (All ve ...) NOT-FOR-US: Siemens CVE-2019-6579 (A vulnerability has been identified in Spectrum Power 4 (with Web Offi ...) NOT-FOR-US: Spectrum Power CVE-2019-6578 (A vulnerability has been identified in SINAMICS PERFECT HARMONY GH180 ...) NOT-FOR-US: Siemens CVE-2019-6577 (A vulnerability has been identified in SIMATIC HMI Comfort Panels 4" - ...) NOT-FOR-US: Siemens CVE-2019-6576 (A vulnerability has been identified in SIMATIC HMI Comfort Panels 4" - ...) NOT-FOR-US: Siemens CVE-2019-6575 (A vulnerability has been identified in SIMATIC CP 443-1 OPC UA (All ve ...) NOT-FOR-US: Siemens CVE-2019-6574 (A vulnerability has been identified in SINAMICS PERFECT HARMONY GH180 ...) NOT-FOR-US: Siemens CVE-2019-6573 RESERVED CVE-2019-6572 (A vulnerability has been identified in SIMATIC HMI Comfort Panels 4" - ...) NOT-FOR-US: Siemens CVE-2019-6571 (A vulnerability has been identified in SIEMENS LOGO!8 (6ED1052-xyyxx-0 ...) NOT-FOR-US: Siemens CVE-2019-6570 (A vulnerability has been identified in SINEMA Remote Connect Server (A ...) NOT-FOR-US: Siemens CVE-2019-6569 (A vulnerability has been identified in SCALANCE X-200 switch family (i ...) NOT-FOR-US: Scalance CVE-2019-6568 (A vulnerability has been identified in CP1604, CP1616, CP343-1 Advance ...) NOT-FOR-US: Siemens CVE-2019-6567 (A vulnerability has been identified in SCALANCE X-200 switch family (i ...) NOT-FOR-US: Siemens CVE-2019-6566 (GE Communicator, all versions prior to 4.0.517, allows a non-administr ...) NOT-FOR-US: GE Communicator CVE-2019-6565 (Moxa IKS and EDS fails to properly validate user input, giving unauthe ...) NOT-FOR-US: Moxa CVE-2019-6564 (GE Communicator, all versions prior to 4.0.517, allows a non-administr ...) NOT-FOR-US: GE Communicator CVE-2019-6563 (Moxa IKS and EDS generate a predictable cookie calculated with an MD5 ...) NOT-FOR-US: Moxa CVE-2019-6562 (In Philips Tasy EMR, Tasy EMR Versions 3.02.1744 and prior, the softwa ...) NOT-FOR-US: Philips CVE-2019-6561 (Cross-site request forgery has been identified in Moxa IKS and EDS, wh ...) NOT-FOR-US: Moxa CVE-2019-6560 (In Auto-Maskin RP210E Versions 3.7 and prior, DCU210E Versions 3.7 and ...) NOT-FOR-US: Auto-Maskin RP210E CVE-2019-6559 (Moxa IKS and EDS allow remote authenticated users to cause a denial of ...) NOT-FOR-US: Moxa CVE-2019-6558 (In Auto-Maskin RP210E Versions 3.7 and prior, DCU210E Versions 3.7 and ...) NOT-FOR-US: Auto-Maskin RP210E CVE-2019-6557 (Several buffer overflow vulnerabilities have been identified in Moxa I ...) NOT-FOR-US: Moxa CVE-2019-6556 (When processing project files, the application (Omron CX-Programmer v9 ...) NOT-FOR-US: Omron CVE-2019-6555 (Cscape, 9.80 SP4 and prior. An improper input validation vulnerability ...) NOT-FOR-US: Cscape CVE-2019-6554 (Advantech WebAccess/SCADA, Versions 8.3.5 and prior. An improper acces ...) NOT-FOR-US: Advantech WebAccess/SCADA CVE-2019-6553 (A vulnerability was found in Rockwell Automation RSLinx Classic versio ...) NOT-FOR-US: Rockwell Automation CVE-2019-6552 (Advantech WebAccess/SCADA, Versions 8.3.5 and prior. Multiple command ...) NOT-FOR-US: Advantech WebAccess/SCADA CVE-2019-6551 (Pangea Communications Internet FAX ATA all Versions 3.1.8 and prior al ...) NOT-FOR-US: Pangea Communications Internet FAX ATA CVE-2019-6550 (Advantech WebAccess/SCADA, Versions 8.3.5 and prior. Multiple stack-ba ...) NOT-FOR-US: Advantech WebAccess/SCADA CVE-2019-6549 (An attacker could retrieve plain-text credentials stored in a XML file ...) NOT-FOR-US: PR100088 Modbus CVE-2019-6548 (GE Communicator, all versions prior to 4.0.517, contains two backdoor ...) NOT-FOR-US: GE Communicator CVE-2019-6547 (Delta Industrial Automation CNCSoft, CNCSoft ScreenEditor Version 1.00 ...) NOT-FOR-US: Delta Industrial Automation CNCSoft CVE-2019-6546 (GE Communicator, all versions prior to 4.0.517, allows an attacker to ...) NOT-FOR-US: GE Communicator CVE-2019-6545 (AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and I ...) NOT-FOR-US: AVEVA CVE-2019-6544 (GE Communicator, all versions prior to 4.0.517, has a service running ...) NOT-FOR-US: GE Communicator CVE-2019-6543 (AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and I ...) NOT-FOR-US: AVEVA CVE-2019-6542 (ENTTEC Datagate MK2, Storm 24, Pixelator all firmware versions prior t ...) NOT-FOR-US: ENTTEC firmware CVE-2019-6541 (A memory corruption vulnerability has been identified in WECON LeviStu ...) NOT-FOR-US: WECON CVE-2019-6540 (The Conexus telemetry protocol utilized within Medtronic MyCareLink Mo ...) NOT-FOR-US: Medtronic CVE-2019-6539 (Several heap-based buffer overflow vulnerabilities in WECON LeviStudio ...) NOT-FOR-US: WECON CVE-2019-6538 (The Conexus telemetry protocol utilized within Medtronic MyCareLink Mo ...) NOT-FOR-US: Medtronic CVE-2019-6537 (Multiple stack-based buffer overflow vulnerabilities in WECON LeviStud ...) NOT-FOR-US: WECON CVE-2019-6536 (Opening a specially crafted LCDS LAquis SCADA before 4.3.1.71 ELS file ...) NOT-FOR-US: LCDS CVE-2019-6535 (Mitsubishi Electric Q03/04/06/13/26UDVCPU: serial number 20081 and pri ...) NOT-FOR-US: Mitsubishi Electric MELSEC-Q Series PLCs CVE-2019-6534 (The uncontrolled search path element vulnerability in Gemalto Sentinel ...) NOT-FOR-US: Gemalto Sentinel UltraPro Client Library ux32w.dll CVE-2019-6533 (Registers used to store Modbus values can be read and written from the ...) NOT-FOR-US: PR100088 Modbus CVE-2019-6532 (Panasonic FPWIN Pro version 7.3.0.0 and prior allows attacker-created ...) NOT-FOR-US: Panasonic CVE-2019-6531 (An attacker could retrieve passwords from a HTTP GET request from the ...) NOT-FOR-US: Kunbus CVE-2019-6530 (Panasonic FPWIN Pro version 7.3.0.0 and prior allows attacker-created ...) NOT-FOR-US: Panasonic CVE-2019-6529 (An attacker could specially craft an FTP request that could crash the ...) NOT-FOR-US: Kunbus CVE-2019-6528 (PSI GridConnect GmbH Telecontrol Gateway and Smart Telecontrol Unit fa ...) NOT-FOR-US: PSI GridConnect GmbH CVE-2019-6527 (PR100088 Modbus gateway versions prior to Release R02 (or Software Ver ...) NOT-FOR-US: PR100088 Modbus CVE-2019-6526 (Moxa IKS-G6824A series Versions 4.5 and prior, EDS-405A series Version ...) NOT-FOR-US: Moxa CVE-2019-6525 (AVEVA Wonderware System Platform 2017 Update 2 and prior uses an Arche ...) NOT-FOR-US: AVEVA Wonderware System Platform CVE-2019-6524 (Moxa IKS and EDS do not implement sufficient measures to prevent multi ...) NOT-FOR-US: Moxa CVE-2019-6523 (WebAccess/SCADA, Version 8.3. The software does not properly sanitize ...) NOT-FOR-US: Advantech WebAccess/SCADA CVE-2019-6522 (Moxa IKS and EDS fails to properly check array bounds which may allow ...) NOT-FOR-US: Moxa CVE-2019-6521 (WebAccess/SCADA, Version 8.3. Specially crafted requests could allow a ...) NOT-FOR-US: Advantech WebAccess/SCADA CVE-2019-6520 (Moxa IKS and EDS does not properly check authority on server side, whi ...) NOT-FOR-US: Moxa CVE-2019-6519 (WebAccess/SCADA, Version 8.3. An improper authentication vulnerability ...) NOT-FOR-US: Advantech WebAccess/SCADA CVE-2019-6518 (Moxa IKS and EDS store plaintext passwords, which may allow sensitive ...) NOT-FOR-US: Moxa CVE-2019-6517 (BD FACSLyric Research Use Only, Windows 10 Professional Operating Syst ...) NOT-FOR-US: BD FACSLyric CVE-2019-6516 (An issue was discovered in WSO2 Dashboard Server 2.0.0. It is possible ...) NOT-FOR-US: WSO2 CVE-2019-6515 (An issue was discovered in WSO2 API Manager 2.6.0. Uploaded documents ...) NOT-FOR-US: WSO2 CVE-2019-6514 (An issue was discovered in WSO2 Dashboard Server 2.0.0. It is possible ...) NOT-FOR-US: WSO2 CVE-2019-6513 (An issue was discovered in WSO2 API Manager 2.6.0. It is possible for ...) NOT-FOR-US: WSO2 CVE-2019-6512 (An issue was discovered in WSO2 API Manager 2.6.0. It is possible to f ...) NOT-FOR-US: WSO2 CVE-2019-6511 RESERVED CVE-2019-6510 (An issue was discovered in creditease-sec insight through 2018-09-11. ...) NOT-FOR-US: creditease-sec CVE-2019-6509 (An issue was discovered in creditease-sec insight through 2018-09-11. ...) NOT-FOR-US: creditease-sec CVE-2019-6508 (An issue was discovered in creditease-sec insight through 2018-09-11. ...) NOT-FOR-US: creditease-sec CVE-2019-6507 (An issue was discovered in creditease-sec insight through 2018-09-11. ...) NOT-FOR-US: creditease-sec CVE-2019-6506 (SuiteCRM before 7.8.28, 7.9.x and 7.10.x before 7.10.15, and 7.11.x be ...) NOT-FOR-US: SalesAgility SuiteCRM CVE-2019-6505 RESERVED CVE-2019-6504 (Insufficient output sanitization in the Automic Web Interface (AWI), i ...) NOT-FOR-US: CA Automic Workload Automation CVE-2019-6503 (There is a deserialization vulnerability in Chatopera cosin v3.10.0. A ...) NOT-FOR-US: Chatopera cosin CVE-2019-6502 (sc_context_create in ctx.c in libopensc in OpenSC 0.19.0 has a memory ...) - opensc 0.20.0-1 (unimportant) NOTE: https://github.com/OpenSC/OpenSC/issues/1586 NOTE: https://github.com/OpenSC/OpenSC/commit/0d7967549751b7032f22b437106b41444aff0ba9 (0.20.0-rc1) NOTE: Negligible security impact, assigning a CVE seems out of proportion... CVE-2019-1003004 (An improper authorization vulnerability exists in Jenkins 2.158 and ea ...) NOT-FOR-US: Jenkins CVE-2019-1003003 (An improper authorization vulnerability exists in Jenkins 2.158 and ea ...) NOT-FOR-US: Jenkins CVE-2019-1003002 (A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003001 (A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 ...) NOT-FOR-US: Jenkins plugin CVE-2019-1003000 (A sandbox bypass vulnerability exists in Script Security Plugin 1.49 a ...) NOT-FOR-US: Jenkins plugin CVE-2019-6501 (In QEMU 3.1, scsi_handle_inquiry_reply in hw/scsi/scsi-generic.c allow ...) - qemu 1:3.1+dfsg-3 (bug #920222) [stretch] - qemu (vulnerable code introduced later) [jessie] - qemu (vulnerable code introduced later) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-01/msg02324.html NOTE: Code introduced by https://git.qemu.org/?p=qemu.git;a=commit;h=6c219fc8a1 , NOTE: but but the overflow was already possible before. NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=e909ff93698851777faac3c45d03c1b73f311ea6 NOTE: Overflow introduced by https://git.qemu.org/?p=qemu.git;a=commit;h=a71c775b24, NOTE: vulnerability not present prior 2.12.50 CVE-2016-10739 (In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinf ...) - glibc 2.28-6 (bug #920047) [stretch] - glibc (Minor issue) [jessie] - glibc (Minor issue) - eglibc NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1347549 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20018 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=108bc4049f8ae82710aec26a92ffdb4b439c83fd CVE-2019-6500 (In Axway File Transfer Direct 2.7.1, an unauthenticated Directory Trav ...) NOT-FOR-US: Axway File Transfer Direct CVE-2019-6499 (Teradata Viewpoint before 14.0 and 16.20.00.02-b80 contains a hardcode ...) NOT-FOR-US: Teradata Viewpoint CVE-2019-6498 (GattLib 0.2 has a stack-based buffer over-read in gattlib_connect in d ...) NOT-FOR-US: GattLib CVE-2019-6497 (Hotels_Server through 2018-11-05 has SQL Injection via the controller/ ...) NOT-FOR-US: Hotels_Server CVE-2019-6496 (The ThreadX-based firmware on Marvell Avastar Wi-Fi devices, models 88 ...) NOT-FOR-US: ThreadX-based firmware on Marvell Avastar Wi-Fi devices CVE-2019-6495 RESERVED CVE-2019-6494 (IMFForceDelete.sys in IObit Malware Fighter 6.2 allows a low privilege ...) NOT-FOR-US: IObit Malware Fighter CVE-2019-6493 (SmartDefragDriver.sys (2.0) in IObit Smart Defrag 6 never frees an exe ...) NOT-FOR-US: IObit Smart Defrag CVE-2019-6492 (SmartDefragDriver.sys (2.0) in IObit Smart Defrag 6 never frees an exe ...) NOT-FOR-US: IObit Smart Defrag CVE-2019-6491 (RISI Gestao de Horarios v3201.09.08 rev.23 allows SQL Injection. ...) NOT-FOR-US: RISI Gestao de Horarios CVE-2019-6490 RESERVED CVE-2019-6489 (Certain Lexmark CX, MX, X, XC, XM, XS, and 6500e devices before 2019-0 ...) NOT-FOR-US: Lexmark CVE-2018-20741 RESERVED CVE-2018-20740 RESERVED CVE-2018-20739 RESERVED CVE-2018-20738 RESERVED CVE-2018-20737 (An issue was discovered in WSO2 API Manager 2.1.0 and 2.6.0. Reflected ...) NOT-FOR-US: WSO2 API Manager CVE-2018-20736 (An issue was discovered in WSO2 API Manager 2.1.0 and 2.6.0. A DOM-bas ...) NOT-FOR-US: WSO2 API Manager CVE-2019-6488 (The string component in the GNU C Library (aka glibc or libc6) through ...) - glibc 2.28-6 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24097 NOTE: x32 not officially supported CVE-2019-6487 (TP-Link WDR Series devices through firmware v3 (such as TL-WDR5620 V3. ...) NOT-FOR-US: TP-Link CVE-2019-6486 (Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 e ...) {DSA-4380-1 DSA-4379-1 DLA-1664-1} - golang-1.12 1.12~beta2-2 (bug #920548) - golang-1.11 1.11.5-1 - golang-1.10 - golang-1.8 - golang-1.7 - golang NOTE: https://groups.google.com/forum/m/#!topic/golang-announce/mVeX35iXuSw NOTE: https://golang.org/issue/29903 NOTE: https://github.com/golang/go/commit/42b42f71 CVE-2019-6485 (Citrix NetScaler Gateway 12.1 before build 50.31, 12.0 before build 60 ...) NOT-FOR-US: Citrix CVE-2019-6484 RESERVED CVE-2018-20735 (** DISPUTED ** An issue was discovered in BMC PATROL Agent through 11. ...) NOT-FOR-US: BMC PATROL Agent CVE-2018-20734 RESERVED CVE-2019-6338 (In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8. ...) {DSA-4370-1 DLA-1685-1} - drupal7 NOTE: https://www.drupal.org/sa-core-2019-001 CVE-2019-6339 (In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8. ...) {DSA-4370-1 DLA-1659-1} - drupal7 NOTE: https://www.drupal.org/sa-core-2019-002 CVE-2019-6483 RESERVED CVE-2019-6482 RESERVED CVE-2019-6481 (Abine Blur 7.8.2431 allows remote attackers to conduct "Second-Factor ...) NOT-FOR-US: Abine Blur CVE-2019-6480 RESERVED CVE-2019-6479 REJECTED CVE-2019-6478 REJECTED CVE-2019-6477 (With pipelining enabled each incoming query on a TCP connection requir ...) - bind9 1:9.11.14+dfsg-1 (bug #945171) [buster] - bind9 1:9.11.5.P4+dfsg-5.1+deb10u1 [stretch] - bind9 (Vulnerable code not present, no TCP pipelining support) [jessie] - bind9 (Vulnerable code not present) NOTE: https://kb.isc.org/docs/cve-2019-6477 CVE-2019-6476 (A defect in code added to support QNAME minimization can cause named t ...) - bind9 (Vulnerable code not present) NOTE: https://kb.isc.org/docs/cve-2019-6476 CVE-2019-6475 (Mirror zones are a BIND feature allowing recursive servers to pre-cach ...) - bind9 (Vulnerable code not present) NOTE: https://kb.isc.org/docs/cve-2019-6475 CVE-2019-6474 (A missing check on incoming client requests can be exploited to cause ...) - isc-kea 1.7.5-1 (bug #936040) [stretch] - isc-kea (Minor issue) NOTE: https://kb.isc.org/docs/cve-2019-6474 CVE-2019-6473 (An invalid hostname option can trigger an assertion failure in the Kea ...) - isc-kea 1.7.5-1 (bug #936040) [stretch] - isc-kea (Minor issue) NOTE: https://kb.isc.org/docs/cve-2019-6473 CVE-2019-6472 (A packet containing a malformed DUID can cause the Kea DHCPv6 server p ...) - isc-kea 1.7.5-1 (bug #936040) [stretch] - isc-kea (Minor issue) NOTE: https://kb.isc.org/docs/cve-2019-6472 CVE-2019-6471 (A race condition which may occur when discarding malformed packets can ...) - bind9 1:9.11.5.P4+dfsg-5.1 (bug #930746) [stretch] - bind9 (Only affects 9.11 and later) [jessie] - bind9 (Only affects 9.11 and later) NOTE: https://kb.isc.org/v1/docs/cve-2019-6471 NOTE: https://gitlab.isc.org/isc-projects/bind9/commit/60c42f849d520564ed42e5ed0ba46b4b69c07712 (master) NOTE: https://gitlab.isc.org/isc-projects/bind9/commit/3a9c7bb80d4a609b86427406d9dd783199920b5b (v9_11) CVE-2019-6470 (There had existed in one of the ISC BIND libraries a bug in a function ...) - isc-dhcp 4.4.1-2 (bug #896122) [stretch] - isc-dhcp (Issue triggerable only when build against bind >= 9.11.3) [jessie] - isc-dhcp (Issue triggerable only when build against bind >= 9.11.3) NOTE: https://bugs.isc.org/Public/Ticket/Display.html?id=48804 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1641246 NOTE: https://bugs.launchpad.net/ubuntu/%2Bsource/isc-dhcp/%2Bbug/1781699 NOTE: Issue is caused by https://gitlab.isc.org/wpk/bind9/commit/65a483106e45704e19781bfe4f4634db4f77562e NOTE: isc-dhcp builds against system bind library, and commit for upstream NOTE: issue 4829 is first introduced in 9.11.3+dfsg-1. The underlying issue NOTE: is only uncovered when build gainst versions >= 9.11.3. CVE-2019-6469 (An error in the EDNS Client Subnet (ECS) feature for recursive resolve ...) - bind9 (Only affects Supported Preview Edition/Subscription Edition) NOTE: https://kb.isc.org/docs/cve-2019-6469 CVE-2019-6468 (In BIND Supported Preview Edition, an error in the nxdomain-redirect f ...) - bind9 (Only affects Supported Preview Edition/Subscription Edition) NOTE: https://kb.isc.org/docs/cve-2019-6468 CVE-2019-6467 (A programming error in the nxdomain-redirect feature can cause an asse ...) - bind9 (Vulnerable code only present in 9.12 onwards) NOTE: https://kb.isc.org/docs/cve-2019-6467 CVE-2019-6466 REJECTED CVE-2019-6465 (Controls for zone transfers may not be properly applied to Dynamically ...) {DSA-4440-1 DLA-1697-1} - bind9 1:9.11.5.P4+dfsg-1 (low; bug #922955) NOTE: https://kb.isc.org/docs/cve-2019-6465 NOTE: https://gitlab.isc.org/isc-projects/bind9/commit/a9307de85e147f4756c75d15aa221d2262df7d67 CVE-2019-6464 RESERVED CVE-2019-6463 RESERVED CVE-2018-20733 (BI Web Services in SAS Web Infrastructure Platform before 9.4M6 allows ...) NOT-FOR-US: SAS Web Infrastructure Platform CVE-2018-20732 (SAS Web Infrastructure Platform before 9.4M6 allows remote attackers t ...) NOT-FOR-US: SAS Web Infrastructure Platform CVE-2018-20731 (A stored cross site scripting (XSS) vulnerability in NeDi before 1.7Cp ...) NOT-FOR-US: NeDi CVE-2018-20730 (A SQL injection vulnerability in NeDi before 1.7Cp3 allows any user to ...) NOT-FOR-US: NeDi CVE-2018-20729 (A reflected cross site scripting (XSS) vulnerability in NeDi before 1. ...) NOT-FOR-US: NeDi CVE-2018-20728 (A cross site request forgery (CSRF) vulnerability in NeDi before 1.7Cp ...) NOT-FOR-US: NeDi CVE-2018-20727 (Multiple command injection vulnerabilities in NeDi before 1.7Cp3 allow ...) NOT-FOR-US: NeDi CVE-2015-9281 (Logon Manager in SAS Web Infrastructure Platform before 9.4M3 allows r ...) NOT-FOR-US: SAS Web Infrastructure Platform CVE-2019-6462 (An issue was discovered in cairo 1.16.0. There is an infinite loop in ...) - cairo (low; bug #929945) [buster] - cairo (Minor issue) [stretch] - cairo (Minor issue) [jessie] - cairo (Minor issue) NOTE: https://gitlab.freedesktop.org/cairo/cairo/issues/353 CVE-2019-6461 (An issue was discovered in cairo 1.16.0. There is an assertion problem ...) - cairo (low; bug #929944) [buster] - cairo (Minor issue) [stretch] - cairo (Minor issue) [jessie] - cairo (Minor issue) NOTE: https://gitlab.freedesktop.org/cairo/cairo/issues/352 CVE-2019-6460 (An issue was discovered in GNU Recutils 1.8. There is a NULL pointer d ...) - recutils (unimportant) NOTE: Negligible security impact CVE-2019-6459 (An issue was discovered in GNU Recutils 1.8. There is a memory leak in ...) - recutils (unimportant) NOTE: Negligible security impact CVE-2019-6458 (An issue was discovered in GNU Recutils 1.8. There is a memory leak in ...) - recutils (unimportant) NOTE: Negligible security impact CVE-2019-6457 (An issue was discovered in GNU Recutils 1.8. There is a memory leak in ...) - recutils (unimportant) NOTE: Negligible security impact CVE-2019-6456 (An issue was discovered in GNU Recutils 1.8. There is a NULL pointer d ...) - recutils (unimportant) NOTE: Negligible security impact CVE-2019-6455 (An issue was discovered in GNU Recutils 1.8. There is a double-free pr ...) - recutils (unimportant) NOTE: Negligible security impact CVE-2019-6454 (An issue was discovered in sd-bus in systemd 239. bus_process_object() ...) {DSA-4393-1 DLA-1684-1} - systemd 240-6 NOTE: https://www.openwall.com/lists/oss-security/2019/02/18/3 NOTE: https://github.com/systemd/systemd/commit/798ebaf9aea9b8ae3b8a0cc2702bc8de71acb3c6 NOTE: https://github.com/systemd/systemd/commit/6d586a13717ae057aa1b4127400c3de61cd5b9e7 NOTE: https://github.com/systemd/systemd/commit/f519a19bcd5afe674a9b8fc462cd77d8bad403c1 CVE-2019-6453 (mIRC before 7.55 allows remote command execution by using argument inj ...) NOT-FOR-US: mIRC CVE-2019-6452 (Kyocera Command Center RX TASKalfa4501i and TASKalfa5052ci allows remo ...) NOT-FOR-US: Kyocera Command Center CVE-2019-6451 (On SOYAL AR-727H and AR-829Ev5 devices, all CGI programs allow unauthe ...) NOT-FOR-US: SOYAL AR-727H and AR-829Ev5 devices CVE-2019-6450 RESERVED CVE-2019-6449 RESERVED CVE-2019-6448 RESERVED CVE-2019-6447 (The ES File Explorer File Manager application through 4.1.9.7.4 for An ...) NOT-FOR-US: ES File Explorer File Manager application CVE-2018-20726 (A cross-site scripting (XSS) vulnerability exists in host.php (via tre ...) - cacti 1.2.1+ds1-1 (low) [stretch] - cacti (Minor issue) [jessie] - cacti (Minor issue) NOTE: https://github.com/Cacti/cacti/commit/80c2a88fb2afb93f87703ba4641f9970478c102d NOTE: https://github.com/Cacti/cacti/issues/2213 CVE-2018-20725 (A cross-site scripting (XSS) vulnerability exists in graph_templates.p ...) - cacti 1.2.1+ds1-1 (low) [stretch] - cacti (Minor issue) [jessie] - cacti (Minor issue) NOTE: https://github.com/Cacti/cacti/commit/80c2a88fb2afb93f87703ba4641f9970478c102d NOTE: https://github.com/Cacti/cacti/issues/2214 CVE-2018-20724 (A cross-site scripting (XSS) vulnerability exists in pollers.php in Ca ...) - cacti 1.2.1+ds1-1 (low) [stretch] - cacti (Minor issue) [jessie] - cacti (Minor issue) NOTE: https://github.com/Cacti/cacti/commit/1f42478506d83d188f68ce5ff41728a7bd159f53 NOTE: https://github.com/Cacti/cacti/issues/2212 CVE-2018-20723 (A cross-site scripting (XSS) vulnerability exists in color_templates.p ...) - cacti 1.2.1+ds1-1 (low) [stretch] - cacti (Minor issue) [jessie] - cacti (Minor issue) NOTE: https://github.com/Cacti/cacti/commit/80c2a88fb2afb93f87703ba4641f9970478c102d NOTE: https://github.com/Cacti/cacti/issues/2215 CVE-2018-20722 RESERVED CVE-2018-20721 (URI_FUNC() in UriParse.c in uriparser before 0.9.1 has an out-of-bound ...) {DLA-1682-1} - uriparser 0.9.1-1 (low) [stretch] - uriparser (Minor issue) NOTE: https://github.com/uriparser/uriparser/commit/cef25028de5ff872c2e1f0a6c562eb3ea9ecbce4 CVE-2015-9280 (MailEnable before 8.60 allows XXE via an XML document in the request.a ...) NOT-FOR-US: MailEnable CVE-2015-9279 (MailEnable before 8.60 allows Stored XSS via malformed use of "<img ...) NOT-FOR-US: MailEnable CVE-2015-9278 (MailEnable before 8.60 allows Privilege Escalation because admin accou ...) NOT-FOR-US: MailEnable CVE-2015-9277 (MailEnable before 8.60 allows Directory Traversal for reading the mess ...) NOT-FOR-US: MailEnable CVE-2015-9276 (SmarterTools SmarterMail before 13.3.5535 was vulnerable to stored XSS ...) NOT-FOR-US: SmarterTools SmarterMail CVE-2019-6446 - python-numpy 1:1.10.4-1 [jessie] - python-numpy (Minor issue) NOTE: https://github.com/numpy/numpy/issues/12759 NOTE: For upstream this works as intended and is documented. NOTE: https://github.com/numpy/numpy/commit/a2bd3a7eabfe053d6d16a2130fdcad9e5211f6bb NOTE: added support to disable use of picke in load/save, marking that as the fixed NOTE: version. The use of that is at the discretion of anyone using numpy NOTE: Further discussion at https://github.com/numpy/numpy/pull/12889 CVE-2019-6445 (An issue was discovered in NTPsec before 1.1.3. An authenticated attac ...) - ntpsec 1.1.3+dfsg1-1 (bug #919513) NOTE: https://gitlab.com/NTPsec/ntpsec/issues/509 NOTE: https://gitlab.com/NTPsec/ntpsec/commit/acb2ecdcabad2ab42e9c6352999e174dd102eb3f CVE-2019-6444 (An issue was discovered in NTPsec before 1.1.3. process_control() in n ...) - ntpsec 1.1.3+dfsg1-1 (bug #919513) CVE-2019-6443 (An issue was discovered in NTPsec before 1.1.3. Because of a bug in ct ...) - ntpsec 1.1.3+dfsg1-1 (bug #919513) CVE-2019-6442 (An issue was discovered in NTPsec before 1.1.3. An authenticated attac ...) - ntpsec 1.1.3+dfsg1-1 (bug #919513) CVE-2019-6441 (An issue was discovered on Shenzhen Coship RT3050 4.0.0.40, RT3052 4.0 ...) NOT-FOR-US: Shenzhen Coship devices CVE-2019-6440 (Zemana AntiMalware before 3.0.658 Beta mishandles update logic. ...) NOT-FOR-US: Zemana AntiMalware CVE-2019-6439 (examples/benchmark/tls_bench.c in a benchmark tool in wolfSSL through ...) - wolfssl 4.1.0+dfsg-1 (unimportant) NOTE: https://github.com/wolfSSL/wolfssl/issues/2032 NOTE: Issue only in example code CVE-2019-6438 (SchedMD Slurm before 17.11.13 and 18.x before 18.08.5 mishandles 32-bi ...) {DLA-2143-1} - slurm-llnl 18.08.5.2-1 (low; bug #920997) [stretch] - slurm-llnl 16.05.9-1+deb9u3 NOTE: https://www.schedmd.com/news.php?id=213 NOTE: https://lists.schedmd.com/pipermail/slurm-announce/2019/000018.html NOTE: https://github.com/SchedMD/slurm/commit/750cc23edcc6fddfff21d33bdaf4fb7deb28cfda NOTE: https://github.com/SchedMD/slurm/commit/a8159065d1a57d6eadf802efa6837ebf4e56f671 CVE-2019-6437 RESERVED CVE-2019-6436 RESERVED CVE-2019-6435 RESERVED CVE-2019-6434 RESERVED CVE-2019-6433 RESERVED CVE-2019-6432 RESERVED CVE-2019-6431 RESERVED CVE-2019-6430 RESERVED CVE-2019-6429 RESERVED CVE-2019-6428 RESERVED CVE-2019-6427 RESERVED CVE-2019-6426 RESERVED CVE-2019-6425 RESERVED CVE-2019-6424 RESERVED CVE-2019-6423 RESERVED CVE-2019-6422 RESERVED CVE-2019-6421 RESERVED CVE-2019-6420 RESERVED CVE-2019-6419 RESERVED CVE-2019-6418 RESERVED CVE-2019-6417 RESERVED CVE-2019-6416 RESERVED CVE-2019-6415 RESERVED CVE-2019-6414 RESERVED CVE-2019-6413 RESERVED CVE-2019-6412 RESERVED CVE-2019-6411 RESERVED CVE-2019-6410 RESERVED CVE-2019-6409 RESERVED CVE-2019-6408 RESERVED CVE-2019-6407 RESERVED CVE-2019-6406 RESERVED CVE-2019-6405 RESERVED CVE-2019-6404 RESERVED CVE-2019-6403 RESERVED CVE-2019-6402 RESERVED CVE-2019-6401 RESERVED CVE-2019-6400 RESERVED CVE-2019-6399 RESERVED CVE-2019-6398 RESERVED CVE-2019-6397 RESERVED CVE-2019-6396 RESERVED CVE-2019-6395 RESERVED CVE-2019-6394 RESERVED CVE-2019-6393 RESERVED CVE-2019-6392 RESERVED CVE-2019-6391 RESERVED CVE-2019-6390 RESERVED CVE-2019-6389 RESERVED CVE-2019-6388 RESERVED CVE-2019-6387 RESERVED CVE-2019-6386 RESERVED CVE-2019-6385 RESERVED CVE-2019-6384 RESERVED CVE-2019-6383 RESERVED CVE-2019-6382 RESERVED CVE-2019-6381 RESERVED CVE-2019-6380 RESERVED CVE-2019-6379 RESERVED CVE-2019-6378 RESERVED CVE-2019-6377 RESERVED CVE-2019-6376 RESERVED CVE-2019-6375 RESERVED CVE-2019-6374 RESERVED CVE-2019-6373 RESERVED CVE-2019-6372 RESERVED CVE-2019-6371 RESERVED CVE-2019-6370 RESERVED CVE-2019-6369 RESERVED CVE-2019-6368 RESERVED CVE-2019-6367 RESERVED CVE-2019-6366 RESERVED CVE-2019-6365 RESERVED CVE-2019-6364 RESERVED CVE-2019-6363 RESERVED CVE-2019-6362 RESERVED CVE-2019-6361 RESERVED CVE-2019-6360 RESERVED CVE-2019-6359 RESERVED CVE-2019-6358 RESERVED CVE-2019-6357 RESERVED CVE-2019-6356 RESERVED CVE-2019-6355 RESERVED CVE-2019-6354 RESERVED CVE-2019-6353 RESERVED CVE-2019-6352 RESERVED CVE-2019-6351 RESERVED CVE-2019-6350 RESERVED CVE-2019-6349 RESERVED CVE-2019-6348 RESERVED CVE-2019-6347 RESERVED CVE-2019-6346 RESERVED CVE-2019-6345 RESERVED CVE-2019-6344 RESERVED CVE-2019-6343 RESERVED CVE-2019-6342 (An access bypass vulnerability exists when the experimental Workspaces ...) - drupal7 (Drupal 7 not affected) NOTE: https://www.drupal.org/sa-core-2019-008 CVE-2019-6340 (Some field types do not properly sanitize data from non-form sources i ...) - drupal7 (Drupal 7 core not affected) NOTE: https://www.drupal.org/sa-core-2019-003 CVE-2019-6337 (For the printers listed a maliciously crafted print file might cause c ...) NOT-FOR-US: HP Inkjet printers CVE-2019-6336 RESERVED CVE-2019-6335 (A potential security vulnerability has been identified with Samsung La ...) NOT-FOR-US: Samsung Laser Printers CVE-2019-6334 (HP LaserJet, PageWide, OfficeJet Enterprise, and LaserJet Managed Prin ...) NOT-FOR-US: HP printers CVE-2019-6333 (A potential security vulnerability has been identified with certain ve ...) NOT-FOR-US: HP Touchpoint Analytics CVE-2019-6332 (A potential security vulnerability has been identified with certain HP ...) NOT-FOR-US: HP InkJet printers CVE-2019-6331 (An issue was found in Samsung Mobile Print (Android) versions prior to ...) NOT-FOR-US: HP CVE-2019-6330 (A potential security vulnerability has been identified in the software ...) NOT-FOR-US: HP Access Control CVE-2019-6329 (HP Support Assistant 8.7.50 and earlier allows a user to gain system p ...) NOT-FOR-US: HP Support Assistant CVE-2019-6328 (HP Support Assistant 8.7.50 and earlier allows a user to gain system p ...) NOT-FOR-US: HP Support Assistant CVE-2019-6327 (HP Color LaserJet Pro M280-M281 Multifunction Printer series (before v ...) NOT-FOR-US: HP CVE-2019-6326 (HP Color LaserJet Pro M280-M281 Multifunction Printer series (before v ...) NOT-FOR-US: HP CVE-2019-6325 (HP Color LaserJet Pro M280-M281 Multifunction Printer series (before v ...) NOT-FOR-US: HP CVE-2019-6324 (HP Color LaserJet Pro M280-M281 Multifunction Printer series (before v ...) NOT-FOR-US: HP CVE-2019-6323 (HP Color LaserJet Pro M280-M281 Multifunction Printer series (before v ...) NOT-FOR-US: HP CVE-2019-6322 (HP has identified a security vulnerability with some versions of Works ...) NOT-FOR-US: HP CVE-2019-6321 (HP has identified a security vulnerability with some versions of Works ...) NOT-FOR-US: HP CVE-2019-6320 (Certain HP DeskJet 3630 All-in-One Printers models F5S43A - F5S57A, K4 ...) NOT-FOR-US: HP DeskJet 3630 All-in-One Printers models CVE-2019-6319 (HP DeskJet 3630 All-in-One Printers models F5S43A - F5S57A, K4T93A - K ...) NOT-FOR-US: HP DeskJet 3630 All-in-One Printers models CVE-2019-6318 (HP LaserJet Enterprise printers, HP PageWide Enterprise printers, HP L ...) NOT-FOR-US: HP CVE-2018-20720 (ABB Relion 630 devices 1.1 before 1.1.0.C0, 1.2 before 1.2.0.B3, and 1 ...) NOT-FOR-US: ABB Relion 630 devices CVE-2016-10738 (Zenbership v107 has CSRF via admin/cp-functions/event-add.php. ...) NOT-FOR-US: Zenbership CVE-2016-10737 (Serendipity 2.0.4 has XSS via the serendipity_admin.php serendipity[bo ...) - serendipity CVE-2018-20743 (murmur in Mumble through 1.2.19 before 2018-08-31 mishandles multiple ...) {DSA-4402-1 DLA-1661-1} - mumble 1.3.0~git20190114.9fcc588+dfsg-1 (bug #919249) NOTE: https://github.com/mumble-voip/mumble/issues/3505 NOTE: https://github.com/mumble-voip/mumble/pull/3510 NOTE: https://github.com/mumble-voip/mumble/pull/3512 CVE-2019-6317 RESERVED CVE-2019-6316 RESERVED CVE-2019-6315 RESERVED CVE-2019-6314 RESERVED CVE-2019-6313 RESERVED CVE-2019-6312 RESERVED CVE-2019-6311 RESERVED CVE-2019-6310 RESERVED CVE-2019-6309 RESERVED CVE-2019-6308 RESERVED CVE-2019-6307 RESERVED CVE-2019-6306 RESERVED CVE-2019-6305 RESERVED CVE-2019-6304 RESERVED CVE-2019-6303 RESERVED CVE-2019-6302 RESERVED CVE-2019-6301 RESERVED CVE-2019-6300 RESERVED CVE-2019-6299 RESERVED CVE-2019-6298 RESERVED CVE-2019-6297 RESERVED CVE-2019-6296 (Cleanto 5.0 has SQL Injection via the assets/lib/export_ajax.php id pa ...) NOT-FOR-US: Cleanto CVE-2019-6295 (Cleanto 5.0 has SQL Injection via the assets/lib/service_method_ajax.p ...) NOT-FOR-US: Cleanto CVE-2019-6294 (An issue was discovered in EasyCMS 1.5. There is CSRF via the index.ph ...) NOT-FOR-US: EasyCMS CVE-2018-20719 (In Tiki before 17.2, the user task component is vulnerable to a SQL In ...) - tikiwiki CVE-2018-20718 (In Pydio before 8.2.2, an attack is possible via PHP Object Injection ...) - ajaxplorer (bug #668381) CVE-2018-20717 (In the orders section of PrestaShop before 1.7.2.5, an attack is possi ...) NOT-FOR-US: PrestaShop CVE-2018-20716 (CubeCart before 6.1.13 has SQL Injection via the validate[] parameter ...) NOT-FOR-US: CubeCart CVE-2018-20715 (The DB abstraction layer of OXID eSales 4.10.6 is vulnerable to SQL in ...) NOT-FOR-US: OXID eSales CVE-2018-20714 (The logging system of the Automattic WooCommerce plugin before 3.4.6 f ...) NOT-FOR-US: Automattic WooCommerce plugin for WordPress CVE-2018-20713 (Shopware before 5.4.3 allows SQL Injection by remote authenticated use ...) NOT-FOR-US: Shopware CVE-2017-18358 (LimeSurvey before 2.72.4 has Stored XSS by using the Continue Later (a ...) - limesurvey (bug #472802) CVE-2017-18357 (Shopware before 5.3.4 has a PHP Object Instantiation issue via the sor ...) NOT-FOR-US: Shopware CVE-2017-18356 (In the Automattic WooCommerce plugin before 3.2.4 for WordPress, an at ...) NOT-FOR-US: Automattic WooCommerce plugin for WordPress CVE-2019-6293 (An issue was discovered in the function mark_beginning_as_normal in nf ...) - flex (low; bug #919428) [buster] - flex (Minor issue) [stretch] - flex (Minor issue) [jessie] - flex (Minor issue) NOTE: https://github.com/westes/flex/issues/414 CVE-2019-6292 (An issue was discovered in singledocparser.cpp in yaml-cpp (aka LibYam ...) - yaml-cpp 0.6.3-1 (low; bug #919430) [buster] - yaml-cpp (Minor issue) [stretch] - yaml-cpp (Minor issue) [jessie] - yaml-cpp (Minor issue) - yaml-cpp0.3 [stretch] - yaml-cpp0.3 (Minor issue) [jessie] - yaml-cpp0.3 (Minor issue) NOTE: https://github.com/jbeder/yaml-cpp/issues/657 CVE-2019-6291 (An issue was discovered in the function expr6 in eval.c in Netwide Ass ...) - nasm (unimportant) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392549 NOTE: Crash in CLI tool, no security impact CVE-2019-6290 (An infinite recursion issue was discovered in eval.c in Netwide Assemb ...) - nasm (unimportant) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392548 NOTE: Crash in CLI tool, no security impact CVE-2019-6289 (uploads/include/dialog/select_soft.php in DedeCMS V57_UTF8_SP2 allows ...) NOT-FOR-US: DedeCMS CVE-2019-6288 RESERVED CVE-2019-6287 (In Rancher 2.0.0 through 2.1.5, project members have continued access ...) NOT-FOR-US: Rancher CVE-2019-6286 (In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelex ...) - libsass 3.5.5-3 (low) [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/2815 CVE-2019-6285 (The SingleDocParser::HandleFlowSequence function in yaml-cpp (aka LibY ...) - yaml-cpp 0.6.3-1 (low; bug #919432) [buster] - yaml-cpp (Minor issue) [stretch] - yaml-cpp (Minor issue) [jessie] - yaml-cpp (Minor issue) - yaml-cpp0.3 [stretch] - yaml-cpp0.3 (Minor issue) [jessie] - yaml-cpp0.3 (Minor issue) NOTE: https://github.com/jbeder/yaml-cpp/issues/660 CVE-2019-6284 (In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelex ...) - libsass 3.5.5-3 (low) [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/2816 CVE-2019-6283 (In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelex ...) - libsass 3.5.5-3 (low) [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/2814 CVE-2019-6282 (ChinaMobile PLC Wireless Router GPN2.4P21-C-CN devices with firmware W ...) NOT-FOR-US: ChinaMobile PLC Wireless Router GPN2.4P21-C-CN devices CVE-2019-6281 RESERVED CVE-2019-6280 RESERVED CVE-2019-6279 (ChinaMobile PLC Wireless Router GPN2.4P21-C-CN devices with firmware W ...) NOT-FOR-US: ChinaMobile PLC Wireless Router GPN2.4P21-C-CN devices CVE-2018-20712 (A heap-based buffer over-read exists in the function d_expression_1 in ...) - binutils (unimportant) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88629 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24043 NOTE: binutils not covered by security support CVE-2018-20711 RESERVED CVE-2018-20710 REJECTED CVE-2018-20709 RESERVED CVE-2018-20708 RESERVED CVE-2019-6278 (XSS exists in JPress v1.0.4 via Markdown input, or Markdown input with ...) NOT-FOR-US: JPress CVE-2019-6277 RESERVED CVE-2019-6276 RESERVED CVE-2019-6275 (Command injection vulnerability in firmware_cgi in GL.iNet GL-AR300M-L ...) NOT-FOR-US: GL.iNet GL-AR300M-Lite devices CVE-2019-6274 (Directory traversal vulnerability in storage_cgi in GL.iNet GL-AR300M- ...) NOT-FOR-US: GL.iNet GL-AR300M-Lite devices CVE-2019-6273 (download_file in GL.iNet GL-AR300M-Lite devices with firmware 2.27 all ...) NOT-FOR-US: GL.iNet GL-AR300M-Lite devices CVE-2019-6272 (Command injection vulnerability in login_cgi in GL.iNet GL-AR300M-Lite ...) NOT-FOR-US: GL.iNet GL-AR300M-Lite devices CVE-2019-6271 RESERVED CVE-2019-6270 RESERVED CVE-2019-6269 RESERVED CVE-2019-6268 RESERVED CVE-2019-6267 (The Premium WP Suite Easy Redirect Manager plugin 28.07-17 for WordPre ...) NOT-FOR-US: Premium WP Suite Easy Redirect Manager plugin for WordPress CVE-2019-6266 (Cordaware bestinformed Microsoft Windows client before 6.2.1.0 is affe ...) NOT-FOR-US: Cordaware bestinformed CVE-2019-6265 (The Scripting and AutoUpdate functionality in Cordaware bestinformed M ...) NOT-FOR-US: Cordaware bestinformed CVE-2019-6264 (An issue was discovered in Joomla! before 3.9.2. Inadequate escaping i ...) NOT-FOR-US: Joomla! CVE-2019-6263 (An issue was discovered in Joomla! before 3.9.2. Inadequate checks of ...) NOT-FOR-US: Joomla! CVE-2019-6262 (An issue was discovered in Joomla! before 3.9.2. Inadequate checks of ...) NOT-FOR-US: Joomla! CVE-2019-6261 (An issue was discovered in Joomla! before 3.9.2. Inadequate escaping i ...) NOT-FOR-US: Joomla! CVE-2019-6260 (The ASPEED ast2400 and ast2500 Baseband Management Controller (BMC) ha ...) NOT-FOR-US: ASPEED CVE-2019-6259 (An issue was discovered in idreamsoft iCMS V7.0.13. There is SQL Injec ...) NOT-FOR-US: idreamsoft iCMS CVE-2018-20707 RESERVED CVE-2018-20706 RESERVED CVE-2018-20705 RESERVED CVE-2018-20704 RESERVED CVE-2019-6258 RESERVED CVE-2019-6257 (A Server Side Request Forgery (SSRF) vulnerability in elFinder before ...) NOT-FOR-US: elFinder CVE-2019-6256 (A Denial of Service issue was discovered in the LIVE555 Streaming Medi ...) {DSA-4408-1 DLA-1690-1} - liblivemedia 2018.11.26-1 (bug #919529) NOTE: https://github.com/rgaufman/live555/issues/19 CVE-2019-6255 RESERVED CVE-2019-6254 RESERVED CVE-2019-6253 RESERVED CVE-2019-6252 RESERVED CVE-2019-6251 (WebKitGTK and WPE WebKit prior to version 2.24.1 are vulnerable to add ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://gitlab.gnome.org/GNOME/epiphany/issues/532 NOTE: https://bugs.webkit.org/show_bug.cgi?id=194131 NOTE: https://bugs.webkit.org/show_bug.cgi?id=194208 NOTE: https://webkitgtk.org/security/WSA-2019-0002.html CVE-2019-6249 (An issue was discovered in HuCart v5.7.4. There is a CSRF vulnerabilit ...) NOT-FOR-US: HuCart CVE-2019-6250 (A pointer overflow, with code execution, was discovered in ZeroMQ libz ...) {DSA-4368-1} - zeromq3 4.3.1-1 (bug #919098) [jessie] - zeromq3 (Vulnerable code introduced later) NOTE: https://github.com/zeromq/libzmq/issues/3351 CVE-2019-6248 (PHP Scripts Mall Citysearch / Hotfrog / Gelbeseiten Clone Script 2.0.1 ...) NOT-FOR-US: PHP Scripts Mall Citysearch / Hotfrog / Gelbeseiten Clone Script CVE-2019-6247 (An issue was discovered in Anti-Grain Geometry (AGG) 2.4 as used in SV ...) - svgpp (unimportant; bug #919321) NOTE: https://github.com/svgpp/svgpp/issues/70 NOTE: Issue only in src:svgpp which does not call the AGG-API in correct way. NOTE: No security impact, only used to build examples, see #921097 CVE-2019-6246 (An issue was discovered in SVG++ (aka svgpp) 1.2.3. After calling the ...) - svgpp 1.2.3+dfsg1-5 (bug #919321) NOTE: https://github.com/svgpp/svgpp/issues/70 CVE-2019-6245 (An issue was discovered in Anti-Grain Geometry (AGG) 2.4 as used in SV ...) {DLA-1656-1} - agg 1:2.4-r127+dfsg1-1 (low; bug #919322) [stretch] - agg (Minor issue) - svgpp (unimportant; bug #919321) NOTE: https://github.com/svgpp/svgpp/issues/70 NOTE: Fixed in src:agg with: https://sourceforge.net/p/agg/svn/119/ NOTE: and possibly already fixed with the inclusion of 05-fix-recursion-crash.patch NOTE: in 2.5+dfsg1-3. NOTE: No security impact on svgpp, only used to build examples, see #921097 CVE-2018-20703 (CubeCart 6.2.2 has Reflected XSS via a /{ADMIN-FILE}/ query string. ...) NOT-FOR-US: CubeCart CVE-2018-20702 RESERVED CVE-2018-20701 RESERVED CVE-2018-20700 RESERVED CVE-2019-6244 (An issue was discovered in UsualToolCMS 8.0. cmsadmin/a_sqlbackx.php?t ...) NOT-FOR-US: UsualToolCMS CVE-2019-6243 (Frog CMS 0.9.5 allows XSS via the forgot password page (aka the /admin ...) NOT-FOR-US: Frog CMS CVE-2019-6242 (** DISPUTED ** Kentico v10.0.42 allows Global Administrators to read t ...) NOT-FOR-US: Kentico CVE-2019-6241 (In Bevywise MQTTRoute 1.1 build 1018-002, a connect packet combined wi ...) NOT-FOR-US: Bevywise MQTTRoute CVE-2019-6240 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.5.7+dfsg-1 (bug #919822) NOTE: https://about.gitlab.com/2019/01/16/critical-security-release-gitlab-11-dot-6-dot-4-released/ CVE-2018-20699 (Docker Engine before 18.09 allows attackers to cause a denial of servi ...) - docker.io 18.09.1+dfsg1-2 (unimportant) NOTE: https://github.com/docker/engine/pull/70 NOTE: https://github.com/moby/moby/pull/37967 NOTE: Negligible security impact CVE-2019-6239 (This issue was addressed with improved handling of file metadata. This ...) NOT-FOR-US: Apple CVE-2019-6238 RESERVED CVE-2019-6237 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0003.html CVE-2019-6236 (A race condition existed during the installation of iCloud for Windows ...) NOT-FOR-US: Apple CVE-2019-6235 (A memory corruption issue was addressed with improved validation. This ...) NOT-FOR-US: Apple CVE-2019-6234 (A memory corruption issue was addressed with improved memory handling. ...) - webkit2gtk 2.22.4-1 (unimportant) NOTE: Not covered by security support CVE-2019-6233 (A memory corruption issue was addressed with improved memory handling. ...) - webkit2gtk 2.22.4-1 (unimportant) NOTE: Not covered by security support CVE-2019-6232 (A race condition existed during the installation of iTunes for Windows ...) NOT-FOR-US: Apple CVE-2019-6231 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) NOT-FOR-US: Apple CVE-2019-6230 (A memory initialization issue was addressed with improved memory handl ...) NOT-FOR-US: Apple CVE-2019-6229 (A logic issue was addressed with improved validation. This issue is fi ...) - webkit2gtk 2.22.5-1 (unimportant) NOTE: Not covered by security support CVE-2019-6228 (A cross-site scripting issue existed in Safari. This issue was address ...) NOT-FOR-US: Apple Safari CVE-2019-6227 (A memory corruption issue was addressed with improved memory handling. ...) - webkit2gtk 2.22.5-1 (unimportant) NOTE: Not covered by security support CVE-2019-6226 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.22.0-2 (unimportant) NOTE: Not covered by security support CVE-2019-6225 (A memory corruption issue was addressed with improved validation. This ...) NOT-FOR-US: Apple CVE-2019-6224 (A buffer overflow issue was addressed with improved memory handling. T ...) NOT-FOR-US: Apple CVE-2019-6223 (A logic issue existed in the handling of Group FaceTime calls. The iss ...) NOT-FOR-US: Apple CVE-2019-6222 (A consistency issue was addressed with improved state handling. This i ...) NOT-FOR-US: Apple CVE-2019-6221 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) NOT-FOR-US: Apple CVE-2019-6220 (An out-of-bounds read was addressed with improved input validation. Th ...) NOT-FOR-US: Apple CVE-2019-6219 (A denial of service issue was addressed with improved validation. This ...) NOT-FOR-US: Apple CVE-2019-6218 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2019-6217 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.22.5-1 (unimportant) NOTE: Not covered by security support CVE-2019-6216 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.22.5-1 (unimportant) NOTE: Not covered by security support CVE-2019-6215 (A type confusion issue was addressed with improved memory handling. Th ...) - webkit2gtk 2.22.6-1 (unimportant) NOTE: Not covered by security support CVE-2019-6214 (A type confusion issue was addressed with improved memory handling. Th ...) NOT-FOR-US: Apple CVE-2019-6213 (A buffer overflow was addressed with improved bounds checking. This is ...) NOT-FOR-US: Apple CVE-2019-6212 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.22.6-1 (unimportant) NOTE: Not covered by security support CVE-2019-6211 (A memory corruption issue was addressed with improved state management ...) NOT-FOR-US: Apple CVE-2019-6210 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2019-6209 (An out-of-bounds read issue existed that led to the disclosure of kern ...) NOT-FOR-US: Apple CVE-2019-6208 (A memory initialization issue was addressed with improved memory handl ...) NOT-FOR-US: Apple CVE-2019-6207 (An out-of-bounds read issue existed that led to the disclosure of kern ...) NOT-FOR-US: Apple CVE-2019-6206 (An issue existed with autofill resuming after it was canceled. The iss ...) NOT-FOR-US: autofill in iOS CVE-2019-6205 (A memory corruption issue was addressed with improved lock state check ...) NOT-FOR-US: Apple CVE-2019-6204 (A logic issue was addressed with improved validation. This issue is fi ...) NOT-FOR-US: Apple CVE-2019-6203 (A logic issue was addressed with improved state management. This issue ...) NOT-FOR-US: Apple CVE-2019-6202 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) NOT-FOR-US: Apple CVE-2019-6201 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0002.html CVE-2019-6200 (An out-of-bounds read was addressed with improved input validation. Th ...) NOT-FOR-US: Apple CVE-2019-6199 RESERVED CVE-2019-6198 RESERVED CVE-2019-6197 RESERVED CVE-2019-6196 (A symbolic link vulnerability in some Lenovo installation packages, pr ...) NOT-FOR-US: Lenovo CVE-2019-6195 (An authorization bypass exists in Lenovo XClarity Controller (XCC) ver ...) NOT-FOR-US: Lenovo CVE-2019-6194 (An XML External Entity (XXE) processing vulnerability was reported in ...) NOT-FOR-US: Lenovo CVE-2019-6193 (An information disclosure vulnerability was reported in Lenovo XClarit ...) NOT-FOR-US: Lenovo CVE-2019-6192 (A potential vulnerability has been reported in Lenovo Power Management ...) NOT-FOR-US: Lenovo CVE-2019-6191 (A potential vulnerability in the discontinued LenovoPaper software ver ...) NOT-FOR-US: Lenovo CVE-2019-6190 (Lenovo was notified of a potential denial of service vulnerability, af ...) NOT-FOR-US: Lenovo CVE-2019-6189 (A potential vulnerability was reported in Lenovo System Interface Foun ...) NOT-FOR-US: Lenovo CVE-2019-6188 (The BIOS tamper detection mechanism was not triggered in Lenovo ThinkP ...) NOT-FOR-US: Lenovo CVE-2019-6187 (A stored CSV Injection vulnerability was reported in Lenovo XClarity C ...) NOT-FOR-US: Lenovo CVE-2019-6186 (A potential vulnerability was reported in Lenovo System Interface Foun ...) NOT-FOR-US: Lenovo CVE-2019-6185 RESERVED CVE-2019-6184 (A potential vulnerability in the discontinued Customer Engagement Serv ...) NOT-FOR-US: Lenovo CVE-2019-6183 (A denial of service vulnerability has been reported in Lenovo Energy M ...) NOT-FOR-US: Lenovo CVE-2019-6182 (A stored CSV Injection vulnerability was reported in Lenovo XClarity A ...) NOT-FOR-US: Lenovo CVE-2019-6181 (A reflected cross-site scripting (XSS) vulnerability was reported in L ...) NOT-FOR-US: Lenovo CVE-2019-6180 (A stored cross-site scripting (XSS) vulnerability was reported in Leno ...) NOT-FOR-US: Lenovo CVE-2019-6179 (An XML External Entity (XXE) processing vulnerability was reported in ...) NOT-FOR-US: Lenovo CVE-2019-6178 (An information leakage vulnerability in Iomega and LenovoEMC NAS produ ...) NOT-FOR-US: Iomega and LenovoEMC NAS products CVE-2019-6177 (A vulnerability reported in Lenovo Solution Center version 03.12.003, ...) NOT-FOR-US: Lenovo CVE-2019-6176 (A potential vulnerability reported in ThinkPad USB-C Dock Firmware ver ...) NOT-FOR-US: Lenovo CVE-2019-6175 (A denial of service vulnerability was reported in Lenovo System Update ...) NOT-FOR-US: Lenovo CVE-2019-6174 RESERVED CVE-2019-6173 (A DLL search path vulnerability could allow privilege escalation in so ...) NOT-FOR-US: Lenovo CVE-2019-6172 (A potential vulnerability in the SMI callback function in some Lenovo ...) NOT-FOR-US: Lenovo CVE-2019-6171 (A vulnerability was reported in various BIOS versions of older ThinkPa ...) NOT-FOR-US: Lenovo CVE-2019-6170 (A potential vulnerability in some Lenovo ThinkPads may allow an attack ...) NOT-FOR-US: Lenovo CVE-2019-6169 (A vulnerability reported in Lenovo Service Bridge before version 4.1.0 ...) NOT-FOR-US: Lenovo Service Bridge CVE-2019-6168 (A vulnerability reported in Lenovo Service Bridge before version 4.1.0 ...) NOT-FOR-US: Lenovo Service Bridge CVE-2019-6167 (A vulnerability reported in Lenovo Service Bridge before version 4.1.0 ...) NOT-FOR-US: Lenovo Service Bridge CVE-2019-6166 (A vulnerability reported in Lenovo Service Bridge before version 4.1.0 ...) NOT-FOR-US: Lenovo Service Bridge CVE-2019-6165 (A DLL search path vulnerability was reported in PaperDisplay Hotkey Se ...) NOT-FOR-US: Lenovo CVE-2019-6164 RESERVED CVE-2019-6163 (A denial of service vulnerability was reported in Lenovo System Update ...) NOT-FOR-US: Lenovo System Update CVE-2019-6162 RESERVED CVE-2019-6161 (An internal product security audit discovered a session handling vulne ...) NOT-FOR-US: Lenovo CVE-2019-6160 (A vulnerability in various versions of Iomega and LenovoEMC NAS produc ...) NOT-FOR-US: Iomega and LenovoEMC NAS products CVE-2019-6159 (A stored cross-site scripting (XSS) vulnerability exists in various fi ...) NOT-FOR-US: IBM CVE-2019-6158 (An internal product security audit of Lenovo XClarity Administrator (L ...) NOT-FOR-US: Lenovo XClarity Administrator (LXCA) CVE-2019-6157 (In various firmware versions of Lenovo System x, the integrated manage ...) NOT-FOR-US: Lenovo CVE-2019-6156 (In Lenovo systems, SMM BIOS Write Protection is used to prevent writes ...) NOT-FOR-US: Lenovo CVE-2019-6155 (A potential vulnerability was found in an SMI handler in various BIOS ...) NOT-FOR-US: Lenovo CVE-2019-6154 (A DLL search path vulnerability was reported in Lenovo Bootable Genera ...) NOT-FOR-US: Lenovo CVE-2019-6153 REJECTED CVE-2019-6152 REJECTED CVE-2019-6151 REJECTED CVE-2019-6150 REJECTED CVE-2019-6149 (An unquoted search path vulnerability was identified in Lenovo Dynamic ...) NOT-FOR-US: Lenovo CVE-2019-6148 RESERVED CVE-2019-6147 (Forcepoint NGFW Security Management Center (SMC) versions lower than 6 ...) NOT-FOR-US: Forcepoint NGFW Security Management Center CVE-2019-6146 (It has been reported that cross-site scripting (XSS) is possible in Fo ...) NOT-FOR-US: Forcepoint Web Security CVE-2019-6145 (Forcepoint VPN Client for Windows versions lower than 6.6.1 have an un ...) NOT-FOR-US: Forcepoint CVE-2019-6144 (This vulnerability allows a normal (non-admin) user to disable the For ...) NOT-FOR-US: Forcepoint CVE-2019-6143 (Forcepoint Next Generation Firewall (Forcepoint NGFW) 6.4.x before 6.4 ...) NOT-FOR-US: Forcepoint Next Generation Firewall (Forcepoint NGFW) CVE-2019-6142 (It has been reported that XSS is possible in Forcepoint Email Security ...) NOT-FOR-US: Forcepoint CVE-2019-6141 RESERVED CVE-2019-6140 (A configuration issue has been discovered in Forcepoint Email Security ...) NOT-FOR-US: Forcepoint Email Security CVE-2019-6139 (Forcepoint User ID (FUID) server versions up to 1.2 have a remote arbi ...) NOT-FOR-US: Forcepoint User ID (FUID) server CVE-2019-6138 (An issue has been found in libIEC61850 v1.3.1. Memory_malloc and Memor ...) NOT-FOR-US: libIEC61850 CVE-2019-6137 (An issue was discovered in lib60870 2.1.1. LinkLayer_setAddress in lin ...) NOT-FOR-US: lib60870 CVE-2019-6136 (An issue has been found in libIEC61850 v1.3.1. Ethernet_setProtocolFil ...) NOT-FOR-US: libIEC61850 CVE-2019-6135 (An issue has been found in libIEC61850 v1.3.1. Memory_malloc in hal/me ...) NOT-FOR-US: libIEC61850 CVE-2019-6134 RESERVED CVE-2019-6133 (In PolicyKit (aka polkit) 0.115, the "start time" protection mechanism ...) {DLA-1799-1 DLA-1644-1} - linux 4.19.16-1 [stretch] - linux 4.9.161-1 - policykit-1 0.105-25 (bug #918985) [stretch] - policykit-1 (Minor issue, kernel mitigation will land in next 4.9.x rebase) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1692 NOTE: https://gitlab.freedesktop.org/polkit/polkit/merge_requests/19 NOTE: https://gitlab.freedesktop.org/polkit/polkit/commit/c898fdf4b1aafaa04f8ada9d73d77c8bb76e2f81 NOTE: Issue can be mitigated in kernel with NOTE: https://git.kernel.org/linus/7b55851367136b1efd84d98fea81ba57a98304cf (landed in 4.9.150) CVE-2019-6132 (An issue was discovered in Bento4 v1.5.1-627. There is a memory leak i ...) NOT-FOR-US: Bento4 CVE-2019-6131 (svg-run.c in Artifex MuPDF 1.14.0 has infinite recursion with stack co ...) - mupdf 1.14.0+ds1-3 (bug #918970) [stretch] - mupdf (Minor issue) [jessie] - mupdf (vulnerable code not present) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700442 NOTE: http://www.ghostscript.com/cgi-bin/findgit.cgi?c8f7e48ff74720a5e984ae19d978a5ab4d5dde5b CVE-2019-6130 (Artifex MuPDF 1.14.0 has a SEGV in the function fz_load_page of the fi ...) {DLA-1838-1} - mupdf 1.14.0+ds1-3 (bug #918971) [stretch] - mupdf (Minor issue) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700446 NOTE: http://www.ghostscript.com/cgi-bin/findgit.cgi?faf47b94e24314d74907f3f6bc874105f2c962ed CVE-2019-6129 (** DISPUTED ** png_create_info_struct in png.c in libpng 1.6.36 has a ...) - libpng1.6 (unimportant) - libpng (unimportant) NOTE: https://github.com/glennrp/libpng/issues/269 NOTE: Memory leak in CLI tool, no security impact CVE-2019-6128 (The TIFFFdOpen function in tif_unix.c in LibTIFF 4.0.10 has a memory l ...) {DLA-2009-1} - tiff 4.0.10-4 (bug #921157; unimportant) - tiff3 (unimportant) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2836 NOTE: Fixed by: https://gitlab.com/libtiff/libtiff/commit/ae0bed1fe530a82faf2e9ea1775109dbf301a971 CVE-2019-6127 (An issue was discovered in XiaoCms 20141229. It allows admin/index.php ...) NOT-FOR-US: XiaoCms CVE-2019-6126 (The Admin Panel of PHP Scripts Mall Advance Peer to Peer MLM Script v1 ...) NOT-FOR-US: Admin Panel of PHP Scripts Mall Advance Peer to Peer MLM Script CVE-2019-6125 RESERVED CVE-2019-6124 RESERVED CVE-2019-6123 RESERVED CVE-2019-6122 (A Username Enumeration via Error Message issue was discovered in NiceH ...) NOT-FOR-US: NiceHash Miner CVE-2019-6121 (An issue was discovered in NiceHash Miner before 2.0.3.0. Missing Auth ...) NOT-FOR-US: NiceHash Miner CVE-2019-6120 (An issue was discovered in NiceHash Miner before 2.0.3.0. A missing ra ...) NOT-FOR-US: NiceHash Miner CVE-2019-6119 RESERVED CVE-2019-6118 RESERVED CVE-2019-6117 (The wpape APE GALLERY plugin 1.6.14 for WordPress has stored XSS via t ...) NOT-FOR-US: wpape APE GALLERY plugin for WordPress CVE-2019-6116 (In Artifex Ghostscript through 9.26, ephemeral or transient procedures ...) {DSA-4372-1 DLA-1670-1} - ghostscript 9.26a~dfsg-1 NOTE: https://www.openwall.com/lists/oss-security/2019/01/23/5 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=13b0a36f8181db66a91bcc8cea139998b53a8996 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2db98f9c66135601efb103d8db7d020a672308db NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=99f13091a3f309bdc95d275ea9fec10bb9f42d9a NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=59d8f4deef90c1598ff50616519d5576756b4495 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2768d1a6dddb83f5c061207a7ed2813999c1b5c9 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=49c8092da88ef6bb0aa281fe294ae0925a44b5b9 NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1729 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700317 CVE-2019-6115 RESERVED CVE-2019-6114 (An issue was discovered in Corel PaintShop Pro 2019 21.0.0.119. An int ...) NOT-FOR-US: Corel PaintShop Pro CVE-2019-6113 (Directory traversal vulnerability on ONKYO TX-NR686 1030-5000-1040-001 ...) NOT-FOR-US: ONKYO CVE-2019-6112 RESERVED CVE-2019-6111 (An issue was discovered in OpenSSH 7.9. Due to the scp implementation ...) {DSA-4387-2 DSA-4387-1 DLA-1728-1} - openssh 1:7.9p1-9 (bug #923486) NOTE: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt NOTE: https://github.com/openssh/openssh-portable/commit/391ffc4b9d31fa1f4ad566499fef9176ff8a07dc NOTE: https://github.com/openssh/openssh-portable/commit/3d896c157c722bc47adca51a58dca859225b5874 NOTE: For unstable partially fixed in 1:7.9p1-6, applied complete fix in 1:7.9p1-9. CVE-2019-6110 (In OpenSSH 7.9, due to accepting and displaying arbitrary stderr outpu ...) - openssh (unimportant) NOTE: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt NOTE: Not considered a vulnerability by upstream, cf. NOTE: https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-January/037475.html CVE-2019-6109 (An issue was discovered in OpenSSH 7.9. Due to missing character encod ...) {DSA-4387-1 DLA-1728-1} - openssh 1:7.9p1-6 (bug #793412) NOTE: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt NOTE: https://bugzilla.mindrot.org/show_bug.cgi?id=2434 NOTE: Patch: https://bugzilla.mindrot.org/attachment.cgi?id=3228 NOTE: Fixed by: https://github.com/openssh/openssh-portable/commit/8976f1c4b2721c26e878151f52bdf346dfe2d54c NOTE: possibly additionally needed: https://github.com/openssh/openssh-portable/commit/bdc6c63c80b55bcbaa66b5fde31c1cb1d09a41eb CVE-2018-20698 (The floragunn Search Guard plugin before 6.x-16 for Kibana allows URL ...) NOT-FOR-US: floragunn Search Guard plugin for Kibana CVE-2018-20697 RESERVED CVE-2018-20696 RESERVED CVE-2018-20695 RESERVED CVE-2018-20694 RESERVED CVE-2018-20693 RESERVED CVE-2018-20692 RESERVED CVE-2018-20691 RESERVED CVE-2018-20690 RESERVED CVE-2018-20689 RESERVED CVE-2018-20688 RESERVED CVE-2018-20687 (An XML external entity (XXE) vulnerability in CommandCenterWebServices ...) NOT-FOR-US: Raritan CommandCenter Secure Gateway CVE-2018-20686 RESERVED CVE-2018-20684 (In WinSCP before 5.14 beta, due to missing validation, the scp impleme ...) NOT-FOR-US: WinSCP CVE-2017-1002157 (modulemd 1.3.1 and earlier uses an unsafe function for processing exte ...) NOT-FOR-US: modulemd CVE-2017-1002152 (Bodhi 2.9.0 and lower is vulnerable to cross-site scripting resulting ...) NOT-FOR-US: Bodhi CVE-2019-6108 RESERVED CVE-2019-6107 RESERVED CVE-2019-6106 RESERVED CVE-2019-6105 RESERVED CVE-2019-6104 RESERVED CVE-2019-6103 RESERVED CVE-2019-6102 RESERVED CVE-2019-6101 RESERVED CVE-2019-6100 RESERVED CVE-2019-6099 RESERVED CVE-2019-6098 RESERVED CVE-2019-6097 RESERVED CVE-2019-6096 RESERVED CVE-2019-6095 RESERVED CVE-2019-6094 RESERVED CVE-2019-6093 RESERVED CVE-2019-6092 RESERVED CVE-2019-6091 RESERVED CVE-2019-6090 RESERVED CVE-2019-6089 RESERVED CVE-2019-6088 RESERVED CVE-2019-6087 RESERVED CVE-2019-6086 RESERVED CVE-2019-6085 RESERVED CVE-2019-6084 RESERVED CVE-2019-6083 RESERVED CVE-2019-6082 RESERVED CVE-2019-6081 RESERVED CVE-2019-6080 RESERVED CVE-2019-6079 RESERVED CVE-2019-6078 RESERVED CVE-2019-6077 RESERVED CVE-2019-6076 RESERVED CVE-2019-6075 RESERVED CVE-2019-6074 RESERVED CVE-2019-6073 RESERVED CVE-2019-6072 RESERVED CVE-2019-6071 RESERVED CVE-2019-6070 RESERVED CVE-2019-6069 RESERVED CVE-2019-6068 RESERVED CVE-2019-6067 RESERVED CVE-2019-6066 RESERVED CVE-2019-6065 RESERVED CVE-2019-6064 RESERVED CVE-2019-6063 RESERVED CVE-2019-6062 RESERVED CVE-2019-6061 RESERVED CVE-2019-6060 RESERVED CVE-2019-6059 RESERVED CVE-2019-6058 RESERVED CVE-2019-6057 RESERVED CVE-2019-6056 RESERVED CVE-2019-6055 RESERVED CVE-2019-6054 RESERVED CVE-2019-6053 RESERVED CVE-2019-6052 RESERVED CVE-2019-6051 RESERVED CVE-2019-6050 RESERVED CVE-2019-6049 RESERVED CVE-2019-6048 RESERVED CVE-2019-6047 RESERVED CVE-2019-6046 RESERVED CVE-2019-6045 RESERVED CVE-2019-6044 RESERVED CVE-2019-6043 RESERVED CVE-2019-6042 RESERVED CVE-2019-6041 RESERVED CVE-2019-6040 RESERVED CVE-2019-6039 RESERVED CVE-2019-6038 RESERVED CVE-2019-6037 RESERVED CVE-2019-6036 (Cross-site scripting vulnerability in F-RevoCRM 6.0 to F-RevoCRM 6.5 p ...) NOT-FOR-US: F-RevoCRM CVE-2019-6035 (Open redirect vulnerability in Athenz v1.8.24 and earlier allows remot ...) NOT-FOR-US: Athenz CVE-2019-6034 (a-blog cms versions prior to Ver.2.10.23 (Ver.2.10.x), Ver.2.9.26 (Ver ...) NOT-FOR-US: a-blog cms CVE-2019-6033 (Cross-site scripting vulnerability in a-blog cms versions prior to Ver ...) NOT-FOR-US: a-blog cms CVE-2019-6032 (The NTV News24 prior to Ver.3.0.0 does not verify X.509 certificates f ...) NOT-FOR-US: NTV News24 CVE-2019-6031 (Cross-site scripting vulnerability in KINZA for Windows version 5.9.2 ...) NOT-FOR-US: KINZA for Windows CVE-2019-6030 (Cross-site request forgery (CSRF) vulnerability in Custom Body Class 0 ...) NOT-FOR-US: Custom Body Class CVE-2019-6029 (Cross-site scripting vulnerability in Custom Body Class 0.6.0 and earl ...) NOT-FOR-US: Custom Body Class CVE-2019-6028 RESERVED CVE-2019-6027 (Cross-site request forgery (CSRF) vulnerability in WP Spell Check 7.1. ...) NOT-FOR-US: WP Spell Check Wordpress Plugin CVE-2019-6026 (Privilege escalation vulnerability in Multiple MOTEX products (LanScop ...) NOT-FOR-US: MOTEX CVE-2019-6025 (Open redirect vulnerability in Movable Type series Movable Type 7 r.46 ...) - movabletype-opensource CVE-2019-6024 (Rakuma App for Android version 7.15.0 and earlier, and for iOS version ...) NOT-FOR-US: Rakuma App for Android CVE-2019-6023 (Cybozu Office 10.0.0 to 10.8.3 allows remote authenticated attackers t ...) NOT-FOR-US: Cybozu Office CVE-2019-6022 (Directory traversal vulnerability in Cybozu Office 10.0.0 to 10.8.3 al ...) NOT-FOR-US: Cybozu Office CVE-2019-6021 (Open redirect vulnerability in Library Information Management System L ...) NOT-FOR-US: Library Information Management System LIMEDIO CVE-2019-6020 (Open redirect vulnerability in PowerCMS 5.12 and earlier (PowerCMS 5.x ...) NOT-FOR-US: PowerCMS CVE-2019-6019 (Untrusted search path vulnerability in STAMP Workbench installer all v ...) NOT-FOR-US: STAMP Workbench installer CVE-2019-6018 (Cross-site scripting vulnerability in NetCommons 3.2.2 and earlier (Ne ...) NOT-FOR-US: NetCommons CVE-2019-6017 (REMISE Payment Module (2.11, 2.12 and 2.13) version 3.0.12 and earlier ...) NOT-FOR-US: REMISE Payment Module CVE-2019-6016 (Cross-site scripting vulnerability in REMISE Payment Module (2.11, 2.1 ...) NOT-FOR-US: REMISE Payment Module CVE-2019-6015 (FON2601E-SE, FON2601E-RE, FON2601E-FSW-S, and FON2601E-FSW-B with firm ...) NOT-FOR-US: FON routers CVE-2019-6014 (DBA-1510P firmware 1.70b009 and earlier allows an attacker to execute ...) NOT-FOR-US: DBA-1510P firmware CVE-2019-6013 (DBA-1510P firmware 1.70b009 and earlier allows authenticated attackers ...) NOT-FOR-US: DBA-1510P firmware CVE-2019-6012 (SQL injection vulnerability in the wpDataTables Lite Version 2.0.11 an ...) NOT-FOR-US: wpDataTables Lite CVE-2019-6011 (Cross-site scripting vulnerability in wpDataTables Lite Version 2.0.11 ...) NOT-FOR-US: wpDataTables Lite CVE-2019-6010 (Integer overflow vulnerability in LINE(Android) from 4.4.0 to the vers ...) NOT-FOR-US: LINE(Android) CVE-2019-6009 (Open redirect vulnerability in SHIRASAGI v1.7.0 and earlier allows rem ...) NOT-FOR-US: SHIRASAGI CVE-2019-6008 (An unquoted search path vulnerability in Multiple Yokogawa products fo ...) NOT-FOR-US: Yokogawa CVE-2019-6007 (Integer overflow vulnerability in apng-drawable 1.0.0 to 1.6.0 allows ...) NOT-FOR-US: apng-drawable CVE-2019-6006 RESERVED CVE-2019-6005 (Smart TV Box firmware version prior to 1300 allows remote attackers to ...) NOT-FOR-US: Smart TV Box CVE-2019-6004 (Open redirect vulnerability in ApeosWare Management Suite Ver.1.4.0.18 ...) NOT-FOR-US: ApeosWare Management Suite CVE-2019-6003 (Cross-site scripting vulnerability in EC-CUBE plugin 'Amazon Pay Plugi ...) NOT-FOR-US: EC-CUBE CVE-2019-6002 (Cross-site scripting vulnerability in Central Dogma 0.17.0 to 0.40.1 a ...) NOT-FOR-US: Central Dogma CVE-2019-6001 (Buffer overflow in PTP (Picture Transfer Protocol) of EOS series digit ...) NOT-FOR-US: Canon CVE-2019-6000 (Buffer overflow in PTP (Picture Transfer Protocol) of EOS series digit ...) NOT-FOR-US: Canon CVE-2019-5999 (Buffer overflow in PTP (Picture Transfer Protocol) of EOS series digit ...) NOT-FOR-US: Canon CVE-2019-5998 (Buffer overflow in PTP (Picture Transfer Protocol) of EOS series digit ...) NOT-FOR-US: Canon CVE-2019-5997 (Video Insight VMS 7.5 and earlier allows remote attackers to conduct c ...) NOT-FOR-US: Video Insight VMS CVE-2019-5996 (SQL injection vulnerability in the Video Insight VMS 7.3.2.5 and earli ...) NOT-FOR-US: Video Insight VMS CVE-2019-5995 (Missing authorization vulnerability exists in EOS series digital camer ...) NOT-FOR-US: Canon CVE-2019-5994 (Buffer overflow in PTP (Picture Transfer Protocol) of EOS series digit ...) NOT-FOR-US: Canon CVE-2019-5993 (Cross-site request forgery (CSRF) vulnerability in Category Specific R ...) NOT-FOR-US: Category Specific RSS feed Subscription CVE-2019-5992 (Cross-site request forgery (CSRF) vulnerability in WordPress Ultra Sim ...) NOT-FOR-US: WordPress Ultra Simple Paypal Shopping Cart CVE-2019-5991 (SQL injection vulnerability in the Cybozu Garoon 4.0.0 to 4.10.3 allow ...) NOT-FOR-US: Cybozu Garoon CVE-2019-5990 (Access analysis CGI An-Analyzer released in 2019 June 24 and earlier a ...) NOT-FOR-US: CGI An-Analyzer CVE-2019-5989 (DOM-based cross-site scripting vulnerability in Access analysis CGI An ...) NOT-FOR-US: CGI An-Analyzer CVE-2019-5988 (Stored cross-site scripting vulnerability in Access analysis CGI An-An ...) NOT-FOR-US: CGI An-Analyzer CVE-2019-5987 (Access analysis CGI An-Analyzer released in 2019 June 24 and earlier a ...) NOT-FOR-US: CGI An-Analyzer CVE-2019-5986 (Cross-site request forgery (CSRF) vulnerability in Hikari Denwa router ...) NOT-FOR-US: Hikari CVE-2019-5985 (Cross-site scripting vulnerability in Hikari Denwa router/Home GateWay ...) NOT-FOR-US: Hikari CVE-2019-5984 (Cross-site request forgery (CSRF) vulnerability in Custom CSS Pro 1.0. ...) NOT-FOR-US: Custom CSS Pro CVE-2019-5983 (Cross-site request forgery (CSRF) vulnerability in HTML5 Maps 1.6.5.6 ...) NOT-FOR-US: HTML5 Maps CVE-2019-5982 (Improper download file verification vulnerability in VAIO Update 7.3.0 ...) NOT-FOR-US: VAIO Update CVE-2019-5981 (Improper authorization vulnerability in VAIO Update 7.3.0.03150 and ea ...) NOT-FOR-US: VAIO Update CVE-2019-5980 (Cross-site request forgery (CSRF) vulnerability in Related YouTube Vid ...) NOT-FOR-US: Related YouTube Videos CVE-2019-5979 (Cross-site request forgery (CSRF) vulnerability in Personalized WooCom ...) NOT-FOR-US: Personalized WooCommerce Cart Page CVE-2019-5978 (Open redirect vulnerability in Cybozu Garoon 4.0.0 to 4.10.2 allows re ...) NOT-FOR-US: Cybozu Garoon CVE-2019-5977 (Mail header injection vulnerability in Cybozu Garoon 4.0.0 to 4.10.2 m ...) NOT-FOR-US: Cybozu Garoon CVE-2019-5976 (Cybozu Garoon 4.0.0 to 4.10.2 allows an attacker with administrative r ...) NOT-FOR-US: Cybozu Garoon CVE-2019-5975 (DOM-based cross-site scripting vulnerability in Cybozu Garoon 4.6.0 to ...) NOT-FOR-US: Cybozu Garoon CVE-2019-5974 (Cross-site request forgery (CSRF) vulnerability in Contest Gallery ver ...) NOT-FOR-US: Contest Gallery CVE-2019-5973 (Cross-site request forgery (CSRF) vulnerability in Online Lesson Booki ...) NOT-FOR-US: Online Lesson Booking CVE-2019-5972 (Cross-site scripting vulnerability in Online Lesson Booking 0.8.6 and ...) NOT-FOR-US: Online Lesson Booking CVE-2019-5971 (Cross-site request forgery (CSRF) vulnerability in Attendance Manager ...) NOT-FOR-US: Attendance Manager CVE-2019-5970 (Cross-site scripting vulnerability in Attendance Manager 0.5.6 and ear ...) NOT-FOR-US: Attendance Manager CVE-2019-5969 (Open redirect vulnerability in GROWI v3.4.6 and earlier allows remote ...) NOT-FOR-US: GROWI CVE-2019-5968 (Cross-site request forgery (CSRF) vulnerability in GROWI v3.4.6 and ea ...) NOT-FOR-US: GROWI CVE-2019-5967 (Cross-site scripting vulnerability in Joruri CMS 2017 Release2 and ear ...) NOT-FOR-US: Joruri CMS CVE-2019-5966 (Joruri Mail 2.1.4 and earlier does not properly manage sessions, which ...) NOT-FOR-US: Joruri Mail CVE-2019-5965 (Open redirect vulnerability in Joruri Mail 2.1.4 and earlier allows re ...) NOT-FOR-US: Joruri Mail CVE-2019-5964 (iDoors Reader 2.10.17 and earlier allows an attacker on the same netwo ...) NOT-FOR-US: iDoors Reader CVE-2019-5963 (Cross-site request forgery (CSRF) vulnerability in Zoho SalesIQ 1.0.8 ...) NOT-FOR-US: Zoho SalesIQ CVE-2019-5962 (Cross-site scripting vulnerability in Zoho SalesIQ 1.0.8 and earlier a ...) NOT-FOR-US: Zoho SalesIQ CVE-2019-5961 (The Android App 'Tootdon for Mastodon' version 3.4.1 and earlier does ...) NOT-FOR-US: Android App 'Tootdon for Mastodon' CVE-2019-5960 (Cross-site request forgery (CSRF) vulnerability in WP Open Graph 1.6.1 ...) NOT-FOR-US: WP Open Graph CVE-2019-5959 RESERVED CVE-2019-5958 (Untrusted search path vulnerability in Electronic reception and examin ...) NOT-FOR-US: Electronic reception and examination of application for radio licenses Offline CVE-2019-5957 (Untrusted search path vulnerability in Installer of Electronic recepti ...) NOT-FOR-US: Electronic reception and examination of application for radio licenses Online CVE-2019-5956 (Directory traversal vulnerability in WonderCMS 2.6.0 and earlier allow ...) NOT-FOR-US: WonderCMS CVE-2019-5955 (CREATE SD official App for Android version 1.0.2 and earlier allows re ...) NOT-FOR-US: CREATE SD official App for Android CVE-2019-5954 (JR East Japan train operation information push notification App for An ...) NOT-FOR-US: JR East Japan train operation information push notification App for Android CVE-2019-5953 (Buffer overflow in GNU Wget 1.20.1 and earlier allows remote attackers ...) {DSA-4425-1 DLA-1760-1} - wget 1.20.1-1.1 (bug #926389) NOTE: https://jvn.jp/en/jp/JVN25261088/ NOTE: https://lists.gnu.org/archive/html/bug-wget/2019-04/msg00001.html NOTE: https://lists.gnu.org/archive/html/bug-wget/2019-04/msg00012.html NOTE: https://git.savannah.gnu.org/cgit/wget.git/commit/?id=692d5c5215de0db482c252492a92fc424cc6a97c NOTE: https://git.savannah.gnu.org/cgit/wget.git/commit/?id=562eacb76a2b64d5dc80a443f0f739bc9ef76c17 (removed unneeded debug lines in fixing commit) NOTE: Fixed in 1.20.3 CVE-2019-5952 RESERVED CVE-2019-5951 RESERVED CVE-2019-5950 RESERVED CVE-2019-5949 RESERVED CVE-2019-5948 RESERVED CVE-2019-5947 (Cross-site scripting vulnerability in Cybozu Garoon 4.6.0 to 4.10.1 al ...) NOT-FOR-US: Cybozu Garoon CVE-2019-5946 (Open redirect vulnerability in Cybozu Garoon 4.2.4 to 4.10.1 allows re ...) NOT-FOR-US: Cybozu Garoon CVE-2019-5945 (Cybozu Garoon 4.2.4 to 4.10.1 allow remote attackers to obtain the use ...) NOT-FOR-US: Cybozu Garoon CVE-2019-5944 (Cybozu Garoon 4.0.0 to 4.10.1 allows remote authenticated attackers to ...) NOT-FOR-US: Cybozu Garoon CVE-2019-5943 (Cybozu Garoon 4.0.0 to 4.10.1 allows remote authenticated attackers to ...) NOT-FOR-US: Cybozu Garoon CVE-2019-5942 (Cybozu Garoon 4.0.0 to 4.10.1 allows remote authenticated attackers to ...) NOT-FOR-US: Cybozu Garoon CVE-2019-5941 (Cybozu Garoon 4.0.0 to 4.10.1 allows remote authenticated attackers to ...) NOT-FOR-US: Cybozu Garoon CVE-2019-5940 (Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.10.1 al ...) NOT-FOR-US: Cybozu Garoon CVE-2019-5939 (Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.10.1 al ...) NOT-FOR-US: Cybozu Garoon CVE-2019-5938 (Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.10.1 al ...) NOT-FOR-US: Cybozu Garoon CVE-2019-5937 (Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.10.1 al ...) NOT-FOR-US: Cybozu Garoon CVE-2019-5936 (Directory traversal vulnerability in Cybozu Garoon 4.0.0 to 4.10.1 all ...) NOT-FOR-US: Cybozu Garoon CVE-2019-5935 (Cybozu Garoon 4.0.0 to 4.10.1 allows remote authenticated attackers to ...) NOT-FOR-US: Cybozu Garoon CVE-2019-5934 (SQL injection vulnerability in the Cybozu Garoon 4.0.0 to 4.10.0 allow ...) NOT-FOR-US: Cybozu Garoon CVE-2019-5933 (Cybozu Garoon 4.0.0 to 4.10.0 allows remote authenticated attackers to ...) NOT-FOR-US: Cybozu Garoon CVE-2019-5932 (Cross-site scripting vulnerability in Cybozu Garoon 4.6.0 to 4.6.3 all ...) NOT-FOR-US: Cybozu Garoon CVE-2019-5931 (Cybozu Garoon 4.0.0 to 4.6.3 allows authenticated attackers to alter t ...) NOT-FOR-US: Cybozu Garoon CVE-2019-5930 (Cybozu Garoon 4.0.0 to 4.6.3 allows remote attackers to bypass access ...) NOT-FOR-US: Cybozu Garoon CVE-2019-5929 (Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.6.3 all ...) NOT-FOR-US: Cybozu Garoon CVE-2019-5928 (Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.6.3 all ...) NOT-FOR-US: Cybozu Garoon CVE-2019-5927 (Directory traversal vulnerability in 'an' App for iOS Version 3.2.0 an ...) NOT-FOR-US: 'an' App for iOS CVE-2019-5926 (Cross-site scripting vulnerability in KinagaCMS versions prior to 6.5 ...) NOT-FOR-US: KinagaCMS CVE-2019-5925 (Cross-site scripting vulnerability in Dradis Community Edition Dradis ...) NOT-FOR-US: Dradis CVE-2019-5924 (Cross-site request forgery (CSRF) vulnerability in Smart Forms 2.6.15 ...) NOT-FOR-US: Smart Forms CVE-2019-5923 (Directory traversal vulnerability in iChain Insurance Wallet App for i ...) NOT-FOR-US: iChain Insurance Wallet App for iOS CVE-2019-5922 (Untrusted search path vulnerability in The installer of Microsoft Team ...) NOT-FOR-US: Microsoft CVE-2019-5921 (Untrusted search path vulnerability in Windows 7 allows an attacker to ...) NOT-FOR-US: Microsoft Windows CVE-2019-5920 (Cross-site request forgery (CSRF) vulnerability in FormCraft 1.2.1 and ...) NOT-FOR-US: FormCraft CVE-2019-5919 (An incomplete cryptography of the data store function by using hidden ...) NOT-FOR-US: Nablarch CVE-2019-5918 (Nablarch 5 (5, and 5u1 to 5u13) allows remote attackers to conduct XML ...) NOT-FOR-US: Nablarch CVE-2019-5917 (azure-umqtt-c (available through GitHub prior to 2017 October 6) allow ...) NOT-FOR-US: azure-umqtt-c CVE-2019-5916 (Input validation issue in POWER EGG(Ver 2.0.1, Ver 2.02 Patch 3 and ea ...) NOT-FOR-US: POWER EGG CVE-2019-5915 (Open redirect vulnerability in OpenAM (Open Source Edition) 13.0 allow ...) NOT-FOR-US: OpenAM (different from src:openam) CVE-2019-5914 (V20 PRO L-01J software version L01J20c and L01J20d has a NULL pointer ...) NOT-FOR-US: V20 PRO L-01J CVE-2019-5913 (Untrusted search path vulnerability in the installer of LHMelting (LHM ...) NOT-FOR-US: LHMelting CVE-2019-5912 (Untrusted search path vulnerability in the installer of UNARJ32.DLL (U ...) NOT-FOR-US: Some Windows installer CVE-2019-5911 (Untrusted search path vulnerability in the installer of UNLHA32.DLL (U ...) NOT-FOR-US: Some Windows installer CVE-2019-5910 (Directory traversal vulnerability in HOUSE GATE App for iOS 1.7.8 and ...) NOT-FOR-US: HOUSE GATE App for iOS CVE-2019-5909 (License Manager Service of YOKOGAWA products (CENTUM VP (R5.01.00 - R6 ...) NOT-FOR-US: Yokogawa License Manager Service CVE-2019-5908 RESERVED CVE-2019-5907 RESERVED CVE-2019-5906 RESERVED CVE-2019-5905 RESERVED CVE-2019-5904 RESERVED CVE-2019-5903 RESERVED CVE-2019-5902 RESERVED CVE-2019-5901 RESERVED CVE-2019-5900 RESERVED CVE-2019-5899 RESERVED CVE-2019-5898 RESERVED CVE-2019-5897 RESERVED CVE-2019-5896 RESERVED CVE-2019-5895 RESERVED CVE-2019-5894 RESERVED CVE-2019-5893 (Nelson Open Source ERP v6.3.1 allows SQL Injection via the db/utils/qu ...) NOT-FOR-US: Nelson Open Source ERP CVE-2019-5892 (bgpd in FRRouting FRR (aka Free Range Routing) 2.x and 3.x before 3.0. ...) - frr (Fixed before initial upload) CVE-2019-5891 (An issue was discovered in OverIT Geocall 6.3 before build 2:346977. A ...) NOT-FOR-US: OverIT Geocall CVE-2019-5890 (An issue was discovered in OverIT Geocall 6.3 before build 2:346977. W ...) NOT-FOR-US: OverIT Geocall CVE-2019-5889 (An log-management directory traversal issue was discovered in OverIT G ...) NOT-FOR-US: OverIT Geocall CVE-2019-5888 (Multiple XSS vulnerabilities were discovered in OverIT Geocall 6.3 bef ...) NOT-FOR-US: OverIT Geocall CVE-2019-5887 (An issue was discovered in ShopXO 1.2.0. In the UnlinkDir method of th ...) NOT-FOR-US: ShopXO CVE-2019-5886 (An issue was discovered in ShopXO 1.2.0. In the application\install\co ...) NOT-FOR-US: ShopXO CVE-2019-5885 (Matrix Synapse before 0.34.0.1, when the macaroon_secret_key authentic ...) - matrix-synapse 0.34.1.1-1 NOTE: https://matrix.org/blog/2019/01/10/critical-security-update-synapse-0-34-0-1-synapse-0-34-1-1/ NOTE: https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/ CVE-2019-5884 (php/elFinder.class.php in elFinder before 2.1.45 leaks information if ...) NOT-FOR-US: elFinder CVE-2019-5883 (An Incorrect Access Control issue was discovered in GitLab Community a ...) - gitlab 11.3.11+dfsg-1 NOTE: https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/ CVE-2019-5881 (Out of bounds read in SwiftShader in Google Chrome prior to 77.0.3865. ...) - chromium 78.0.3904.87-1 CVE-2019-5880 (Insufficient policy enforcement in Blink in Google Chrome prior to 77. ...) {DSA-4562-1} - chromium 78.0.3904.87-1 CVE-2019-5879 (Insufficient policy enforcement in extensions in Google Chrome prior t ...) {DSA-4562-1} - chromium 78.0.3904.87-1 CVE-2019-5878 (Use after free in V8 in Google Chrome prior to 77.0.3865.75 allowed a ...) {DSA-4562-1} - chromium 78.0.3904.87-1 CVE-2019-5877 (Out of bounds memory access in JavaScript in Google Chrome prior to 77 ...) {DSA-4562-1} - chromium 78.0.3904.87-1 CVE-2019-5876 (Use after free in media in Google Chrome on Android prior to 77.0.3865 ...) {DSA-4562-1} - chromium 78.0.3904.87-1 CVE-2019-5875 (Insufficient data validation in downloads in Google Chrome prior to 77 ...) {DSA-4562-1} - chromium 78.0.3904.87-1 CVE-2019-5874 (Insufficient filtering in URI schemes in Google Chrome on Windows prio ...) {DSA-4562-1} - chromium 78.0.3904.87-1 CVE-2019-5873 (Insufficient policy validation in navigation in Google Chrome on iOS p ...) - chromium (iOS specific issue) CVE-2019-5872 (Use after free in Mojo in Google Chrome prior to 77.0.3865.75 allowed ...) {DSA-4562-1} - chromium 78.0.3904.87-1 CVE-2019-5871 (Heap buffer overflow in Skia in Google Chrome prior to 77.0.3865.75 al ...) {DSA-4562-1} - chromium 78.0.3904.87-1 CVE-2019-5870 (Use after free in media in Google Chrome prior to 77.0.3865.75 allowed ...) {DSA-4562-1} - chromium 78.0.3904.87-1 CVE-2019-5869 (Use after free in Blink in Google Chrome prior to 76.0.3809.132 allowe ...) {DSA-4562-1} - chromium 78.0.3904.87-1 CVE-2019-5868 (Use after free in PDFium in Google Chrome prior to 76.0.3809.100 allow ...) {DSA-4500-1} - chromium 76.0.3809.100-1 CVE-2019-5867 (Out of bounds read in JavaScript in Google Chrome prior to 76.0.3809.1 ...) {DSA-4500-1} - chromium 76.0.3809.100-1 CVE-2019-5866 (Out of bounds memory access in JavaScript in Google Chrome prior to 75 ...) - chromium 76.0.3809.71-1 CVE-2019-5865 (Insufficient policy enforcement in navigations in Google Chrome prior ...) {DSA-4500-1} - chromium 76.0.3809.87-1 CVE-2019-5864 (Insufficient data validation in CORS in Google Chrome prior to 76.0.38 ...) {DSA-4500-1} - chromium 76.0.3809.87-1 CVE-2019-5863 RESERVED - chromium (Windows-specific) CVE-2019-5862 (Insufficient data validation in AppCache in Google Chrome prior to 76. ...) {DSA-4500-1} - chromium 76.0.3809.87-1 CVE-2019-5861 (Insufficient data validation in Blink in Google Chrome prior to 76.0.3 ...) {DSA-4500-1} - chromium 76.0.3809.87-1 CVE-2019-5860 (Use after free in PDFium in Google Chrome prior to 76.0.3809.87 allowe ...) {DSA-4500-1} - chromium 76.0.3809.87-1 CVE-2019-5859 (Insufficient filtering in URI schemes in Google Chrome on Windows prio ...) {DSA-4500-1} - chromium 76.0.3809.87-1 CVE-2019-5858 (Incorrect security UI in MacOS services integration in Google Chrome o ...) {DSA-4500-1} - chromium 76.0.3809.87-1 CVE-2019-5857 (Inappropriate implementation in JavaScript in Google Chrome prior to 7 ...) {DSA-4500-1} - chromium 76.0.3809.87-1 CVE-2019-5856 (Insufficient policy enforcement in storage in Google Chrome prior to 7 ...) {DSA-4500-1} - chromium 76.0.3809.87-1 CVE-2019-5855 (Integer overflow in PDFium in Google Chrome prior to 76.0.3809.87 allo ...) {DSA-4500-1} - chromium 76.0.3809.87-1 CVE-2019-5854 (Integer overflow in PDFium in Google Chrome prior to 76.0.3809.87 allo ...) {DSA-4500-1} - chromium 76.0.3809.87-1 CVE-2019-5853 (Inappropriate implementation in JavaScript in Google Chrome prior to 7 ...) {DSA-4500-1} - chromium 76.0.3809.87-1 CVE-2019-5852 (Inappropriate implementation in JavaScript in Google Chrome prior to 7 ...) {DSA-4500-1} - chromium 76.0.3809.87-1 CVE-2019-5851 (Use after free in WebAudio in Google Chrome prior to 76.0.3809.87 allo ...) {DSA-4500-1} - chromium 76.0.3809.87-1 CVE-2019-5850 (Use after free in offline mode in Google Chrome prior to 76.0.3809.87 ...) {DSA-4500-1} - chromium 76.0.3809.87-1 CVE-2019-5849 (Out of bounds read in Skia in Google Chrome prior to 75.0.3770.80 allo ...) {DSA-4500-1} - chromium 76.0.3809.87-1 - firefox 69.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-5849 CVE-2019-5848 (Incorrect font handling in autofill in Google Chrome prior to 75.0.377 ...) {DSA-4500-1} - chromium 76.0.3809.87-1 CVE-2019-5847 (Inappropriate implementation in JavaScript in Google Chrome prior to 7 ...) {DSA-4500-1} - chromium 76.0.3809.87-1 CVE-2019-5846 (Out of bounds access in SwiftShader in Google Chrome prior to 73.0.368 ...) {DSA-4421-1} - chromium 73.0.3683.75-1 CVE-2019-5845 (Out of bounds access in SwiftShader in Google Chrome prior to 73.0.368 ...) {DSA-4421-1} - chromium 73.0.3683.75-1 CVE-2019-5844 (Out of bounds access in SwiftShader in Google Chrome prior to 73.0.368 ...) {DSA-4421-1} - chromium 73.0.3683.75-1 CVE-2019-5843 (Out of bounds memory access in JavaScript in Google Chrome prior to 74 ...) {DSA-4500-1} - chromium 74.0.3729.108-1 CVE-2019-5842 (Use after free in Blink in Google Chrome prior to 75.0.3770.90 allowed ...) {DSA-4500-1} - chromium 75.0.3770.90-1 CVE-2019-5841 (Out of bounds memory access in JavaScript in Google Chrome prior to 75 ...) {DSA-4500-1} - chromium 75.0.3770.80-1 CVE-2019-5840 (Incorrect security UI in popup blocker in Google Chrome on iOS prior t ...) {DSA-4500-1} - chromium 75.0.3770.80-1 CVE-2019-5839 (Excessive data validation in URL parser in Google Chrome prior to 75.0 ...) {DSA-4500-1} - chromium 75.0.3770.80-1 CVE-2019-5838 (Insufficient policy enforcement in extensions API in Google Chrome pri ...) {DSA-4500-1} - chromium 75.0.3770.80-1 CVE-2019-5837 (Resource size information leakage in Blink in Google Chrome prior to 7 ...) {DSA-4500-1} - chromium 75.0.3770.80-1 CVE-2019-5836 (Heap buffer overflow in ANGLE in Google Chrome prior to 75.0.3770.80 a ...) {DSA-4500-1} - chromium 75.0.3770.80-1 CVE-2019-5835 (Object lifecycle issue in SwiftShader in Google Chrome prior to 75.0.3 ...) - chromium 75.0.3770.80-1 CVE-2019-5834 (Insufficient data validation in Blink in Google Chrome prior to 75.0.3 ...) {DSA-4500-1} - chromium (iOS-specific) CVE-2019-5833 (Incorrect dialog box scoping in browser in Google Chrome on Android pr ...) {DSA-4500-1} - chromium 75.0.3770.80-1 CVE-2019-5832 (Insufficient policy enforcement in XMLHttpRequest in Google Chrome pri ...) {DSA-4500-1} - chromium 75.0.3770.80-1 CVE-2019-5831 (Object lifecycle issue in V8 in Google Chrome prior to 75.0.3770.80 al ...) {DSA-4500-1} - chromium 75.0.3770.80-1 CVE-2019-5830 (Insufficient policy enforcement in CORS in Google Chrome prior to 75.0 ...) {DSA-4500-1} - chromium 75.0.3770.80-1 CVE-2019-5829 (Integer overflow in download manager in Google Chrome prior to 75.0.37 ...) {DSA-4500-1} - chromium 75.0.3770.80-1 CVE-2019-5828 (Object lifecycle issue in ServiceWorker in Google Chrome prior to 75.0 ...) {DSA-4500-1} - chromium 75.0.3770.80-1 CVE-2019-5827 (Integer overflow in SQLite via WebSQL in Google Chrome prior to 74.0.3 ...) {DSA-4500-1} - chromium 75.0.3770.80-1 - sqlite3 3.27.2-3 [stretch] - sqlite3 (Minor issue; mainly with inpact in chromium) [jessie] - sqlite3 (Minor issue; mainly with inpact in chromium) NOTE: https://www.sqlite.org/src/info/07ee06fd390bfebe NOTE: https://www.sqlite.org/src/info/0b6ae032c28e7fe3 CVE-2019-5826 (Use after free in IndexedDB in Google Chrome prior to 73.0.3683.86 all ...) {DSA-4500-1} - chromium 75.0.3770.80-1 CVE-2019-5825 (Out of bounds write in JavaScript in Google Chrome prior to 73.0.3683. ...) {DSA-4500-1} - chromium 75.0.3770.80-1 CVE-2019-5824 (Parameter passing error in media in Google Chrome prior to 74.0.3729.1 ...) {DSA-4500-1} - chromium 75.0.3770.80-1 CVE-2019-5823 (Insufficient policy enforcement in service workers in Google Chrome pr ...) {DSA-4500-1} - chromium 74.0.3729.108-1 CVE-2019-5822 (Inappropriate implementation in Blink in Google Chrome prior to 74.0.3 ...) {DSA-4500-1} - chromium 74.0.3729.108-1 CVE-2019-5821 (Integer overflow in PDFium in Google Chrome prior to 74.0.3729.108 all ...) {DSA-4500-1} - chromium 74.0.3729.108-1 CVE-2019-5820 (Integer overflow in PDFium in Google Chrome prior to 74.0.3729.108 all ...) {DSA-4500-1} - chromium 74.0.3729.108-1 CVE-2019-5819 (Insufficient data validation in developer tools in Google Chrome on OS ...) {DSA-4500-1} - chromium 74.0.3729.108-1 CVE-2019-5818 (Uninitialized data in media in Google Chrome prior to 74.0.3729.108 al ...) {DSA-4500-1} - chromium 74.0.3729.108-1 CVE-2019-5817 (Heap buffer overflow in ANGLE in Google Chrome on Windows prior to 74. ...) - chromium (Windows-specific) CVE-2019-5816 (Process lifetime issue in Chrome in Google Chrome on Android prior to ...) - chromium (Android-specific issue) CVE-2019-5815 (Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1. ...) {DSA-4500-1} - chromium 74.0.3729.108-1 CVE-2019-5814 (Insufficient policy enforcement in Blink in Google Chrome prior to 74. ...) {DSA-4500-1} - chromium 74.0.3729.108-1 CVE-2019-5813 (Use after free in V8 in Google Chrome prior to 74.0.3729.108 allowed a ...) {DSA-4500-1} - chromium 74.0.3729.108-1 CVE-2019-5812 (Inadequate security UI in iOS UI in Google Chrome prior to 74.0.3729.1 ...) - chromium (iOS specific) CVE-2019-5811 (Incorrect handling of CORS in ServiceWorker in Google Chrome prior to ...) {DSA-4500-1} - chromium 74.0.3729.108-1 CVE-2019-5810 (Information leak in autofill in Google Chrome prior to 74.0.3729.108 a ...) {DSA-4500-1} - chromium 74.0.3729.108-1 CVE-2019-5809 (Use after free in file chooser in Google Chrome prior to 74.0.3729.108 ...) {DSA-4500-1} - chromium 74.0.3729.108-1 CVE-2019-5808 (Use after free in Blink in Google Chrome prior to 74.0.3729.108 allowe ...) {DSA-4500-1} - chromium 74.0.3729.108-1 CVE-2019-5807 (Object lifetime issue in V8 in Google Chrome prior to 74.0.3729.108 al ...) {DSA-4500-1} - chromium 74.0.3729.108-1 CVE-2019-5806 (Integer overflow in ANGLE in Google Chrome on Windows prior to 74.0.37 ...) {DSA-4500-1} - chromium 74.0.3729.108-1 CVE-2019-5805 (Use-after-free in PDFium in Google Chrome prior to 74.0.3729.108 allow ...) {DSA-4500-1} - chromium 74.0.3729.108-1 CVE-2019-5804 (Incorrect command line processing in Chrome in Google Chrome prior to ...) - chromium (Windows-specific) CVE-2019-5803 (Insufficient policy enforcement in Content Security Policy in Google C ...) {DSA-4421-1} - chromium 73.0.3683.75-1 CVE-2019-5802 (Incorrect handling of download origins in Navigation in Google Chrome ...) {DSA-4421-1} - chromium 73.0.3683.75-1 CVE-2019-5801 (Incorrect eliding of URLs in Omnibox in Google Chrome on iOS prior to ...) - chromium (iOS specific) CVE-2019-5800 (Insufficient policy enforcement in Blink in Google Chrome prior to 73. ...) {DSA-4421-1} - chromium 73.0.3683.75-1 CVE-2019-5799 (Incorrect inheritance of a new document's policy in Content Security P ...) {DSA-4421-1} - chromium 73.0.3683.75-1 CVE-2019-5798 (Lack of correct bounds checking in Skia in Google Chrome prior to 73.0 ...) {DSA-4451-1 DSA-4448-1 DSA-4421-1 DLA-1806-1 DLA-1800-1} - chromium 73.0.3683.75-1 - firefox-esr 60.7.0esr-1 - thunderbird 1:60.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-5798 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-5798 CVE-2019-5797 RESERVED {DSA-4421-1} - chromium 73.0.3683.75-1 CVE-2019-5796 (Data race in extensions guest view in Google Chrome prior to 73.0.3683 ...) {DSA-4421-1} - chromium 73.0.3683.75-1 CVE-2019-5795 (Integer overflow in PDFium in Google Chrome prior to 73.0.3683.75 allo ...) {DSA-4421-1} - chromium 73.0.3683.75-1 CVE-2019-5794 (Incorrect handling of cancelled requests in Navigation in Google Chrom ...) {DSA-4421-1} - chromium 73.0.3683.75-1 CVE-2019-5793 (Insufficient policy enforcement in extensions in Google Chrome prior t ...) {DSA-4421-1} - chromium 73.0.3683.75-1 CVE-2019-5792 (Integer overflow in PDFium in Google Chrome prior to 73.0.3683.75 allo ...) {DSA-4421-1} - chromium 73.0.3683.75-1 CVE-2019-5791 (Inappropriate optimization in V8 in Google Chrome prior to 73.0.3683.7 ...) {DSA-4421-1} - chromium 73.0.3683.75-1 CVE-2019-5790 (An integer overflow leading to an incorrect capacity of a buffer in Ja ...) {DSA-4421-1} - chromium 73.0.3683.75-1 CVE-2019-5789 (An integer overflow that leads to a use-after-free in WebMIDI in Googl ...) {DSA-4421-1} - chromium 73.0.3683.75-1 CVE-2019-5788 (An integer overflow that leads to a use-after-free in Blink Storage in ...) {DSA-4421-1} - chromium 73.0.3683.75-1 CVE-2019-5787 (Use-after-garbage-collection in Blink in Google Chrome prior to 73.0.3 ...) {DSA-4421-1} - chromium 73.0.3683.75-1 CVE-2019-5786 (Object lifetime issue in Blink in Google Chrome prior to 72.0.3626.121 ...) {DSA-4404-1} - chromium 72.0.3626.121-1 CVE-2019-5785 (Incorrect convexity calculations in Skia in Google Chrome prior to 72. ...) {DSA-4392-1 DSA-4391-1 DLA-1678-1 DLA-1677-1} - firefox 65.0.1-1 - firefox-esr 60.5.1esr-1 - thunderbird 1:60.5.1-1 - skia (bug #818180) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-04/#CVE-2019-5785 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-05/#CVE-2019-5785 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-06/#CVE-2019-5785 CVE-2019-5784 (Incorrect handling of deferred code in V8 in Google Chrome prior to 72 ...) {DSA-4395-1} - chromium 72.0.3626.109-1 CVE-2019-5783 (Missing URI encoding of untrusted input in DevTools in Google Chrome p ...) {DSA-4395-1} - chromium 72.0.3626.81-1 CVE-2019-5782 (Incorrect optimization assumptions in V8 in Google Chrome prior to 72. ...) {DSA-4395-1} - chromium 72.0.3626.81-1 CVE-2019-5781 (Incorrect handling of a confusable character in Omnibox in Google Chro ...) {DSA-4395-1} - chromium 72.0.3626.81-1 CVE-2019-5780 (Insufficient restrictions on what can be done with Apple Events in Goo ...) {DSA-4395-1} - chromium 72.0.3626.81-1 CVE-2019-5779 (Insufficient policy validation in ServiceWorker in Google Chrome prior ...) {DSA-4395-1} - chromium 72.0.3626.81-1 CVE-2019-5778 (A missing case for handling special schemes in permission request chec ...) {DSA-4395-1} - chromium 72.0.3626.81-1 CVE-2019-5777 (Incorrect handling of a confusable character in Omnibox in Google Chro ...) {DSA-4395-1} - chromium 72.0.3626.81-1 CVE-2019-5776 (Incorrect handling of a confusable character in Omnibox in Google Chro ...) {DSA-4395-1} - chromium 72.0.3626.81-1 CVE-2019-5775 (Incorrect handling of a confusable character in Omnibox in Google Chro ...) {DSA-4395-1} - chromium 72.0.3626.81-1 CVE-2019-5774 (Omission of the .desktop filetype from the Safe Browsing checklist in ...) {DSA-4395-1} - chromium 72.0.3626.81-1 CVE-2019-5773 (Insufficient origin validation in IndexedDB in Google Chrome prior to ...) {DSA-4395-1} - chromium 72.0.3626.81-1 CVE-2019-5772 (Sharing of objects over calls into JavaScript runtime in PDFium in Goo ...) {DSA-4395-1} - chromium 72.0.3626.81-1 CVE-2019-5771 (An incorrect JIT of GLSL shaders in SwiftShader in Google Chrome prior ...) - chromium (chromium package does not build swiftshader) CVE-2019-5770 (Insufficient input validation in WebGL in Google Chrome prior to 72.0. ...) {DSA-4395-1} - chromium 72.0.3626.81-1 CVE-2019-5769 (Incorrect handling of invalid end character position when front render ...) {DSA-4395-1} - chromium 72.0.3626.81-1 CVE-2019-5768 (DevTools API not correctly gating on extension capability in DevTools ...) {DSA-4395-1} - chromium 72.0.3626.81-1 CVE-2019-5767 (Insufficient protection of permission UI in WebAPKs in Google Chrome o ...) {DSA-4395-1} - chromium 72.0.3626.81-1 CVE-2019-5766 (Incorrect handling of origin taint checking in Canvas in Google Chrome ...) {DSA-4395-1} - chromium 72.0.3626.81-1 CVE-2019-5765 (An exposed debugging endpoint in the browser in Google Chrome on Andro ...) {DSA-4395-1} - chromium 72.0.3626.81-1 CVE-2019-5764 (Incorrect pointer management in WebRTC in Google Chrome prior to 72.0. ...) {DSA-4395-1} - chromium 72.0.3626.81-1 CVE-2019-5763 (Failure to check error conditions in V8 in Google Chrome prior to 72.0 ...) {DSA-4395-1} - chromium 72.0.3626.81-1 CVE-2019-5762 (Inappropriate memory management when caching in PDFium in Google Chrom ...) {DSA-4395-1} - chromium 72.0.3626.81-1 CVE-2019-5761 (Incorrect object lifecycle management in SwiftShader in Google Chrome ...) - chromium (chromium package does not build swiftshader) CVE-2019-5760 (Insufficient checks of pointer validity in WebRTC in Google Chrome pri ...) {DSA-4395-1} - chromium 72.0.3626.81-1 CVE-2019-5759 (Incorrect lifetime handling in HTML select elements in Google Chrome o ...) {DSA-4395-1} - chromium 72.0.3626.81-1 CVE-2019-5758 (Incorrect object lifecycle management in Blink in Google Chrome prior ...) {DSA-4395-1} - chromium 72.0.3626.81-1 CVE-2019-5757 (An incorrect object type assumption in SVG in Google Chrome prior to 7 ...) {DSA-4395-1} - chromium 72.0.3626.81-1 CVE-2019-5756 (Inappropriate memory management when caching in PDFium in Google Chrom ...) {DSA-4395-1} - chromium 72.0.3626.81-1 CVE-2019-5755 (Incorrect handling of negative zero in V8 in Google Chrome prior to 72 ...) {DSA-4395-1} - chromium 72.0.3626.81-1 CVE-2019-5754 (Implementation error in QUIC Networking in Google Chrome prior to 72.0 ...) {DSA-4395-1} - chromium 72.0.3626.81-1 CVE-2018-20685 (In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to b ...) {DSA-4387-1 DLA-1728-1} - openssh 1:7.9p1-5 (bug #919101) NOTE: https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2 NOTE: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt CVE-2018-20682 (Fork CMS 5.0.6 allows stored XSS via the private/en/settings facebook_ ...) NOT-FOR-US: Fork CMS CVE-2018-20681 (mate-screensaver before 1.20.2 in MATE Desktop Environment allows phys ...) - mate-screensaver 1.20.2-1 (low) [stretch] - mate-screensaver (Minor issue) [jessie] - mate-screensaver (Vulnerability only manifests when built against GTK-3.22) NOTE: https://github.com/mate-desktop/mate-screensaver/issues/152 NOTE: https://github.com/mate-desktop/mate-screensaver/issues/155 NOTE: https://github.com/mate-desktop/mate-screensaver/issues/170 NOTE: https://github.com/mate-desktop/mate-screensaver/pull/167 CVE-2018-1000426 (A cross-site scripting vulnerability exists in Jenkins Git Changelog P ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000425 (An insufficiently protected credentials vulnerability exists in Jenkin ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000424 (An insufficiently protected credentials vulnerability exists in Jenkin ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000423 (An insufficiently protected credentials vulnerability exists in Jenkin ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000422 (An improper authorization vulnerability exists in Jenkins Crowd 2 Inte ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000421 (An improper authorization vulnerability exists in Jenkins Mesos Plugin ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000420 (An improper authorization vulnerability exists in Jenkins Mesos Plugin ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000419 (An improper authorization vulnerability exists in Jenkins HipChat Plug ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000418 (An improper authorization vulnerability exists in Jenkins HipChat Plug ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000417 (A cross-site request forgery vulnerability exists in Jenkins Email Ext ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000416 (A reflected cross-site scripting vulnerability exists in Jenkins Job C ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000415 (A cross-site scripting vulnerability exists in Jenkins Rebuilder Plugi ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000414 (A cross-site request forgery vulnerability exists in Jenkins Config Fi ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000413 (A cross-site scripting vulnerability exists in Jenkins Config File Pro ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000412 (An improper authorization vulnerability exists in Jenkins Jira Plugin ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000411 (A cross-site request forgery vulnerability exists in Jenkins JUnit Plu ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000410 (An information exposure vulnerability exists in Jenkins 2.145 and earl ...) NOT-FOR-US: Jenkins CVE-2018-1000409 (A session fixation vulnerability exists in Jenkins 2.145 and earlier, ...) NOT-FOR-US: Jenkins CVE-2018-1000408 (A denial of service vulnerability exists in Jenkins 2.145 and earlier, ...) NOT-FOR-US: Jenkins CVE-2018-1000407 (A cross-site scripting vulnerability exists in Jenkins 2.145 and earli ...) NOT-FOR-US: Jenkins CVE-2018-1000406 (A path traversal vulnerability exists in Jenkins 2.145 and earlier, LT ...) NOT-FOR-US: Jenkins CVE-2016-10736 (The "Social Pug - Easy Social Share Buttons" plugin before 1.2.6 for W ...) NOT-FOR-US: WordPress plugin social-pug CVE-2019-5882 (Irssi 1.1.x before 1.1.2 has a use after free when hidden lines are ex ...) - irssi 1.1.2-1 (bug #918865) [stretch] - irssi (Vulnerable code not present) [jessie] - irssi (Vulnerable code not present) NOTE: https://irssi.org/security/irssi_sa_2019_01.txt NOTE: https://github.com/irssi/irssi/pull/948 NOTE: https://github.com/irssi/irssi//commit/8684ccb45c267fdeaaa779fce9323047aa5a9e38 NOTE: Introduced with support for hidden lines in https://github.com/irssi/irssi/commit/8dfeca57ede1e726de07522a87203ce13676882d CVE-2018-20683 (commands/rsync in Gitolite before 3.6.11, if .gitolite.rc enables rsyn ...) - gitolite3 3.6.11-1 (bug #918849) [stretch] - gitolite3 (Minor issue) [jessie] - gitolite3 (Minor issue) - gitolite NOTE: https://github.com/sitaramc/gitolite/commit/5df2b817255ee919991da6c310239e08c8fcc1ae NOTE: https://groups.google.com/forum/#!topic/gitolite-announce/6xbjjmpLePQ CVE-2019-5753 RESERVED CVE-2019-5752 RESERVED CVE-2019-5751 RESERVED CVE-2019-5750 RESERVED CVE-2019-5749 RESERVED CVE-2019-5748 (In Traccar Server version 4.2, protocol/SpotProtocolDecoder.java might ...) NOT-FOR-US: Traccar Server CVE-2019-5747 (An issue was discovered in BusyBox through 1.30.0. An out of bounds re ...) - busybox 1:1.30.1-2 [buster] - busybox (Incomplete fix for CVE-2018-20679 did not reach buster) [stretch] - busybox (Incomplete fix for CVE-2018-20679 not applied) [jessie] - busybox (Incomplete fix for CVE-2018-20679 not applied) NOTE: https://bugs.busybox.net/show_bug.cgi?id=11506 NOTE: https://git.busybox.net/busybox/commit/?id=74d9f1ba37010face4bd1449df4d60dd84450b06 CVE-2019-5746 RESERVED CVE-2019-5745 RESERVED CVE-2019-5744 RESERVED CVE-2019-5743 RESERVED CVE-2019-5742 RESERVED CVE-2019-5741 RESERVED CVE-2019-5740 RESERVED CVE-2019-5739 (Keep-alive HTTP and HTTPS connections can remain open and inactive for ...) - nodejs 8.9.3~dfsg-5 (unimportant) NOTE: https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/ NOTE: Nodejs not covered by security support CVE-2019-5738 RESERVED CVE-2019-5737 (In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before ...) - nodejs 10.15.2~dfsg-1 (unimportant) NOTE: https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/ NOTE: Nodejs not covered by security support CVE-2018-20680 (Frog CMS 0.9.5 has XSS in the admin/?/page/edit/1 body field. ...) NOT-FOR-US: Frog CMS CVE-2018-20679 (An issue was discovered in BusyBox before 1.30.0. An out of bounds rea ...) - busybox 1:1.30.1-1 (low; bug #918846) [stretch] - busybox (Minor issue) [jessie] - busybox (Minor issue) NOTE: https://bugs.busybox.net/show_bug.cgi?id=11506 NOTE: https://git.busybox.net/busybox/commit/?id=6d3b4bb24da9a07c263f3c1acf8df85382ff562c NOTE: When fixing this issue make sure to not open CVE-2019-5747 by only NOTE: applying the partial fix. The followup commit NOTE: https://git.busybox.net/busybox/commit/?id=74d9f1ba37010face4bd1449df4d60dd84450b06 NOTE: is needed to fix the issue completely. CVE-2018-20678 (LibreNMS through 1.47 allows SQL injection via the html/ajax_table.php ...) NOT-FOR-US: LibreNMS CVE-2019-8308 (Flatpak before 1.0.7, and 1.1.x and 1.2.x before 1.2.3, exposes /proc ...) {DSA-4390-1} - flatpak 1.2.3-1 (bug #922059) CVE-2019-5736 (runc through 1.0-rc6, as used in Docker before 18.09.2 and other produ ...) - lxc 1:3.1.0+really3.0.3-4 (bug #922169; unimportant) - runc 1.0.0~rc6+dfsg1-2 (bug #922050) [stretch] - runc 0.1.1+dfsg1-2+deb9u1 NOTE: https://www.openwall.com/lists/oss-security/2019/02/11/2 NOTE: runc: Fixed by: https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b NOTE: lxc: Fixed by: https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d NOTE: Not considered a security issue by LXC upstream CVE-2019-5735 REJECTED CVE-2019-5734 RESERVED CVE-2019-5733 RESERVED CVE-2019-5732 REJECTED CVE-2019-5731 REJECTED CVE-2019-5730 RESERVED CVE-2019-5729 (Splunk-SDK-Python before 1.6.6 does not properly verify untrusted TLS ...) NOT-FOR-US: Splunk CVE-2019-5728 RESERVED CVE-2019-5727 (Splunk Web in Splunk Enterprise 6.5.x before 6.5.5, 6.4.x before 6.4.9 ...) NOT-FOR-US: Splunk CVE-2019-5726 RESERVED CVE-2019-5725 (qibosoft through V7 allows remote attackers to read arbitrary files vi ...) NOT-FOR-US: qibosoft CVE-2019-5724 RESERVED CVE-2019-5723 (An issue was discovered in portier vision 4.4.4.2 and 4.4.4.6. Passwor ...) NOT-FOR-US: portier vision CVE-2019-5722 (An issue was discovered in portier vision 4.4.4.2 and 4.4.4.6. Due to ...) NOT-FOR-US: portier vision CVE-2019-5721 (In Wireshark 2.4.0 to 2.4.11, the ENIP dissector could crash. This was ...) - wireshark 2.6.1-1 [stretch] - wireshark 2.6.3-1~deb9u1 [jessie] - wireshark (Vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14470 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=1c66174ec7aa19e2ddc79178cf59f15a654fc4fe NOTE: https://www.wireshark.org/security/wnpa-sec-2019-05.html NOTE: Fix for 2.4.x was a cherry pick of: NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=177962a5b4a05759b40fb6fc07a4a6eec306a9bf (2.5.1) CVE-2018-20677 (In Bootstrap before 3.4.0, XSS is possible in the affix configuration ...) - twitter-bootstrap [stretch] - twitter-bootstrap (Minor issue) [jessie] - twitter-bootstrap (Minor issue) - twitter-bootstrap3 3.4.0+dfsg-1 [stretch] - twitter-bootstrap3 3.3.7+dfsg-2+deb9u1 [jessie] - twitter-bootstrap3 (Minor issue) NOTE: https://github.com/twbs/bootstrap/issues/27045 NOTE: https://github.com/twbs/bootstrap/issues/27915#issuecomment-452140906 NOTE: https://github.com/twbs/bootstrap/issues/27915#issuecomment-452196628 NOTE: https://github.com/twbs/bootstrap/pull/27047 NOTE: https://github.com/twbs/bootstrap/commit/2a5ba23ce8f041f3548317acc992ed8a736b609d (v3.4.0) CVE-2018-20676 (In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewpor ...) - twitter-bootstrap [stretch] - twitter-bootstrap (Minor issue) [jessie] - twitter-bootstrap (Minor issue) - twitter-bootstrap3 3.4.0+dfsg-1 [stretch] - twitter-bootstrap3 3.3.7+dfsg-2+deb9u1 [jessie] - twitter-bootstrap3 (Minor issue) NOTE: https://github.com/twbs/bootstrap/issues/27044 NOTE: https://github.com/twbs/bootstrap/issues/27915#issuecomment-452140906 NOTE: https://github.com/twbs/bootstrap/issues/27915#issuecomment-452196628 NOTE: https://github.com/twbs/bootstrap/pull/27047 NOTE: https://github.com/twbs/bootstrap/commit/2a5ba23ce8f041f3548317acc992ed8a736b609d (v3.4.0) CVE-2018-20675 (D-Link DIR-822 C1 before v3.11B01Beta, DIR-822-US C1 before v3.11B01Be ...) NOT-FOR-US: D-Link CVE-2018-20674 (D-Link DIR-822 C1 before v3.11B01Beta, DIR-822-US C1 before v3.11B01Be ...) NOT-FOR-US: D-Link CVE-2016-10735 (In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is ...) - twitter-bootstrap4 (Fixed before initial upload to Debian) - twitter-bootstrap3 3.4.0+dfsg-1 [stretch] - twitter-bootstrap3 3.3.7+dfsg-2+deb9u1 [jessie] - twitter-bootstrap3 (Minor issue) NOTE: https://github.com/twbs/bootstrap/commit/bcad4bcb5f5a9ef079b2883a48a698b35261e083 (v4.0.0-beta.2) NOTE: https://github.com/twbs/bootstrap/commit/29f9237f735b90dbc89e003db0c62dec2db0b308 (v3.4.0) NOTE: https://github.com/twbs/bootstrap/commit/13bf8aeae3db71e28af69782328c22215795c169 (v3.4.0) NOTE: https://github.com/twbs/bootstrap/issues/20184 NOTE: hhtps://github.com/twbs/bootstrap/issues/27915#issuecomment-452140906 NOTE: https://github.com/twbs/bootstrap/pull/23679 NOTE: https://github.com/twbs/bootstrap/pull/23687 NOTE: https://github.com/twbs/bootstrap/pull/26460 CVE-2019-5720 (includes/db/class.reflines_db.inc in FrontAccounting 2.4.6 contains a ...) - frontaccounting CVE-2019-5719 (In Wireshark 2.6.0 to 2.6.5 and 2.4.0 to 2.4.11, the ISAKMP dissector ...) {DSA-4416-1 DLA-1645-1} - wireshark 2.6.6-1 (low) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15374 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=b5b02f2a9b8772d8814096f86c60a32889d61f2c NOTE: https://www.wireshark.org/security/wnpa-sec-2019-04.html CVE-2019-5718 (In Wireshark 2.6.0 to 2.6.5 and 2.4.0 to 2.4.11, the RTSE dissector an ...) {DSA-4416-1} - wireshark 2.6.6-1 (low) [jessie] - wireshark (Vulnerable code introduced later) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1746 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15373 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=cd09cb5cfb673beca3cce20b1d6a9bc67a134ae1 NOTE: https://www.wireshark.org/security/wnpa-sec-2019-03.html CVE-2019-5717 (In Wireshark 2.6.0 to 2.6.5 and 2.4.0 to 2.4.11, the P_MUL dissector c ...) {DSA-4416-1 DLA-1645-1} - wireshark 2.6.6-1 (low) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15337 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=bf9272a92f3df1e4ccfaad434e123222ae5313f7 NOTE: https://www.wireshark.org/security/wnpa-sec-2019-02.html CVE-2019-5716 (In Wireshark 2.6.0 to 2.6.5, the 6LoWPAN dissector could crash. This w ...) {DSA-4416-1 DLA-1645-1} - wireshark 2.6.6-1 (low) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15217 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2b2eea1793dbff813896e1ae9dff1bedb39ee010 NOTE: https://www.wireshark.org/security/wnpa-sec-2019-01.html CVE-2019-5715 (All versions of SilverStripe 3 prior to 3.6.7 and 3.7.3, and all versi ...) NOT-FOR-US: SilverStripe CVE-2019-5714 REJECTED CVE-2019-5713 REJECTED CVE-2019-5712 REJECTED CVE-2019-5711 REJECTED CVE-2019-5710 REJECTED CVE-2019-5709 REJECTED CVE-2019-5708 REJECTED CVE-2019-5707 REJECTED CVE-2019-5706 REJECTED CVE-2019-5705 REJECTED CVE-2019-5704 REJECTED CVE-2019-5703 REJECTED CVE-2019-5702 (NVIDIA GeForce Experience, all versions prior to 3.20.2, contains a vu ...) NOT-FOR-US: NVIDIA CVE-2019-5701 (NVIDIA GeForce Experience, all versions prior to 3.20.0.118, contains ...) NOT-FOR-US: NVIDIA GeForce Experience CVE-2019-5700 (NVIDIA Shield TV Experience prior to v8.0.1, NVIDIA Tegra software con ...) NOT-FOR-US: NVIDIA Shield TV Experience CVE-2019-5699 (NVIDIA Shield TV Experience prior to v8.0.1, NVIDIA Tegra bootloader c ...) NOT-FOR-US: NVIDIA Shield TV Experience CVE-2019-5698 (NVIDIA Virtual GPU Manager, all versions, contains a vulnerability in ...) NOT-FOR-US: NVIDIA Virtual GPU Manager CVE-2019-5697 (NVIDIA Virtual GPU Manager, all versions, contains a vulnerability in ...) NOT-FOR-US: NVIDIA Virtual GPU Manager CVE-2019-5696 (NVIDIA Virtual GPU Manager, all versions, contains a vulnerability in ...) NOT-FOR-US: NVIDIA Virtual GPU Manager CVE-2019-5695 (NVIDIA GeForce Experience (prior to 3.20.1) and Windows GPU Display Dr ...) NOT-FOR-US: NVIDIA CVE-2019-5694 (NVIDIA Windows GPU Display Driver, R390 driver version, contains a vul ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2019-5693 (NVIDIA Windows GPU Display Driver, all versions, contains a vulnerabil ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2019-5692 (NVIDIA Windows GPU Display Driver, all versions, contains a vulnerabil ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2019-5691 (NVIDIA Windows GPU Display Driver, all versions, contains a vulnerabil ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2019-5690 (NVIDIA Windows GPU Display Driver, all versions, contains a vulnerabil ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2019-5689 (NVIDIA GeForce Experience, all versions prior to 3.20.1, contains a vu ...) NOT-FOR-US: NVIDIA GeForce Experience CVE-2019-5688 (NVIDIA NVFlash, NVUFlash Tool prior to v5.588.0 and GPUModeSwitch Tool ...) NOT-FOR-US: NVIDIA CVE-2019-5687 (NVIDIA Windows GPU Display Driver (all versions) contains a vulnerabil ...) NOT-FOR-US: NVIDIA Windows driver CVE-2019-5686 (NVIDIA Windows GPU Display Driver (all versions) contains a vulnerabil ...) NOT-FOR-US: NVIDIA Windows driver CVE-2019-5685 (NVIDIA Windows GPU Display Driver (all versions) contains a vulnerabil ...) NOT-FOR-US: NVIDIA Windows driver CVE-2019-5684 (NVIDIA Windows GPU Display Driver (all versions) contains a vulnerabil ...) NOT-FOR-US: NVIDIA Windows driver CVE-2019-5683 (NVIDIA Windows GPU Display Driver (all versions) contains a vulnerabil ...) NOT-FOR-US: NVIDIA Windows driver CVE-2019-5682 (NVIDIA Shield TV Experience prior to v8.0, contains a vulnerability in ...) NOT-FOR-US: NVIDIA Shield CVE-2019-5681 (NVIDIA Shield TV Experience prior to v8.0, contains a vulnerability in ...) NOT-FOR-US: NVIDIA Shield CVE-2019-5680 (In NVIDIA Jetson TX1 L4T R32 version branch prior to R32.2, Tegra boot ...) NOT-FOR-US: NVIDIA CVE-2019-5679 (NVIDIA Shield TV Experience prior to v8.0, NVIDIA Tegra bootloader con ...) NOT-FOR-US: NVIDIA Shield CVE-2019-5678 (NVIDIA GeForce Experience versions prior to 3.19 contains a vulnerabil ...) NOT-FOR-US: NVIDIA GeForce Experience CVE-2019-5677 (NVIDIA Windows GPU Display driver software for Windows (all versions) ...) NOT-FOR-US: NVIDIA Windows GPU Display driver software for Windows CVE-2019-5676 (NVIDIA Windows GPU Display driver software for Windows (all versions) ...) NOT-FOR-US: NVIDIA Windows GPU Display driver software for Windows CVE-2019-5675 (NVIDIA Windows GPU Display driver software for Windows (all versions) ...) NOT-FOR-US: NVIDIA Windows GPU Display driver software for Windows CVE-2019-5674 (NVIDIA GeForce Experience before 3.18 contains a vulnerability when Sh ...) NOT-FOR-US: NVIDIA GeForce Experience CVE-2019-5673 (NVIDIA Jetson TX2 contains a vulnerability in the kernel driver (on al ...) NOT-FOR-US: Nvidia Tegra CVE-2019-5672 (NVIDIA Jetson TX1 and TX2 contain a vulnerability in the Linux for Teg ...) NOT-FOR-US: Nvidia Tegra CVE-2019-5671 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: Nvidia drivers on Windows CVE-2019-5670 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: Nvidia drivers on Windows CVE-2019-5669 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: Nvidia drivers on Windows CVE-2019-5668 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: Nvidia drivers on Windows CVE-2019-5667 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: Nvidia drivers on Windows CVE-2019-5666 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: Nvidia drivers on Windows CVE-2019-5665 (NVIDIA Windows GPU Display driver contains a vulnerability in the 3D v ...) NOT-FOR-US: Nvidia drivers on Windows CVE-2019-5664 REJECTED CVE-2019-5663 REJECTED CVE-2019-5662 REJECTED CVE-2019-5661 REJECTED CVE-2019-5660 REJECTED CVE-2019-5659 REJECTED CVE-2019-5658 REJECTED CVE-2019-5657 REJECTED CVE-2019-5656 REJECTED CVE-2019-5655 REJECTED CVE-2019-5654 REJECTED CVE-2019-5653 REJECTED CVE-2019-5652 REJECTED CVE-2019-5651 REJECTED CVE-2019-5650 REJECTED CVE-2019-5649 RESERVED CVE-2019-5648 (Authenticated, administrative access to a Barracuda Load Balancer ADC ...) NOT-FOR-US: Barracuda CVE-2019-5647 (The Chrome Plugin for Rapid7 AppSpider can incorrectly keep browser se ...) NOT-FOR-US: Chrome Plugin for Rapid7 AppSpider CVE-2019-5646 RESERVED CVE-2019-5645 RESERVED CVE-2019-5644 (Computing For Good's Basic Laboratory Information System (also known a ...) NOT-FOR-US: Computing For Good's Basic Laboratory Information System CVE-2019-5643 (Computing For Good's Basic Laboratory Information System (also known a ...) NOT-FOR-US: Computing For Good's Basic Laboratory Information System CVE-2019-5642 (Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior suffers from ...) NOT-FOR-US: Rapid7 Metasploit Pro CVE-2019-5641 RESERVED CVE-2019-5640 RESERVED CVE-2019-5639 RESERVED CVE-2019-5638 (Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient sess ...) NOT-FOR-US: Rapid7 Nexpose CVE-2019-5637 (When Beckhoff TwinCAT is configured to use the Profinet driver, a deni ...) NOT-FOR-US: Beckhoff CVE-2019-5636 (When a Beckhoff TwinCAT Runtime receives a malformed UDP packet, the A ...) NOT-FOR-US: Beckhoff CVE-2019-5635 (A cleartext transmission of sensitive information vulnerability is pre ...) NOT-FOR-US: Hickory CVE-2019-5634 (An inclusion of sensitive information in log files vulnerability is pr ...) NOT-FOR-US: Hickory CVE-2019-5633 (An insecure storage of sensitive information vulnerability is present ...) NOT-FOR-US: Hickory CVE-2019-5632 (An insecure storage of sensitive information vulnerability is present ...) NOT-FOR-US: Hickory CVE-2019-5631 (The Rapid7 InsightAppSec broker suffers from a DLL injection vulnerabi ...) NOT-FOR-US: Rapid7 InsightAppSec broker CVE-2019-5630 (A Cross-Site Request Forgery (CSRF) vulnerability was found in Rapid7 ...) NOT-FOR-US: Rapid7 Nexpose InsightVM Security Console CVE-2019-5629 (Rapid7 Insight Agent, version 2.6.3 and prior, suffers from a local pr ...) NOT-FOR-US: Rapid7 Insight Agent CVE-2019-5628 RESERVED CVE-2019-5627 (The iOS mobile application BlueCats Reveal before 5.14 stores the user ...) NOT-FOR-US: iOS mobile application BlueCats Reveal CVE-2019-5626 (The Android mobile application BlueCats Reveal before 3.0.19 stores th ...) NOT-FOR-US: Android mobile application BlueCats Reveal CVE-2019-5625 (The Android mobile application Halo Home before 1.11.0 stores OAuth au ...) NOT-FOR-US: Android mobile application Halo Home CVE-2019-5624 (Rapid7 Metasploit Framework suffers from an instance of CWE-22, Improp ...) NOT-FOR-US: Rapid7 Metasploit Framework CVE-2019-5623 (Accellion File Transfer Appliance version FTA_8_0_540 suffers from an ...) NOT-FOR-US: Accellion File Transfer Appliance CVE-2019-5622 (Accellion File Transfer Appliance version FTA_8_0_540 suffers from an ...) NOT-FOR-US: Accellion File Transfer Appliance CVE-2019-5621 (ABBS Software Audio Media Player version 3.1 suffers from an instance ...) NOT-FOR-US: ABBS Software Audio Media Player CVE-2019-5620 (ABB MicroSCADA Pro SYS600 version 9.3 suffers from an instance of CWE- ...) NOT-FOR-US: ABB MicroSCADA Pro SYS600 CVE-2019-5619 (AASync.com AASync version 2.2.1.0 suffers from an instance of CWE-121: ...) NOT-FOR-US: AASync.com AASync CVE-2019-5618 (A-PDF WAV to MP3 version 1.0.0 suffers from an instance of CWE-121: St ...) NOT-FOR-US: A-PDF CVE-2019-5617 (Computing For Good's Basic Laboratory Information System (also known a ...) NOT-FOR-US: Computing For Good's Basic Laboratory Information System CVE-2019-5616 (CircuitWerkes Sicon-8, a hardware device used for managing electrical ...) NOT-FOR-US: CircuitWerkes Sicon-8 CVE-2019-5615 (Users with Site-level permissions can access files containing the user ...) NOT-FOR-US: Rapid7 InsightVM CVE-2019-5614 (In FreeBSD 12.1-STABLE before r356035, 12.1-RELEASE before 12.1-RELEAS ...) - kfreebsd-10 (unimportant) NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-20:10.ipfw.asc CVE-2019-5613 (In FreeBSD 12.0-RELEASE before 12.0-RELEASE-p13, a missing check in th ...) - kfreebsd-10 (Only affects kfreebsd 12) NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-20:02.ipsec.asc CVE-2019-5612 (In FreeBSD 12.0-STABLE before r351264, 12.0-RELEASE before 12.0-RELEAS ...) - kfreebsd-10 (unimportant) NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-19:23.midi.asc CVE-2019-5611 (In FreeBSD 12.0-STABLE before r350828, 12.0-RELEASE before 12.0-RELEAS ...) - kfreebsd-10 (unimportant) NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-19:22.mbuf.asc CVE-2019-5610 (In FreeBSD 12.0-STABLE before r350637, 12.0-RELEASE before 12.0-RELEAS ...) NOT-FOR-US: FreeBSD CVE-2019-5609 (In FreeBSD 12.0-STABLE before r350619, 12.0-RELEASE before 12.0-RELEAS ...) - kfreebsd-10 (unimportant) NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-19:21.bhyve.asc CVE-2019-5608 (In FreeBSD 12.0-STABLE before r350648, 12.0-RELEASE before 12.0-RELEAS ...) NOT-FOR-US: FreeBSD CVE-2019-5607 (In FreeBSD 12.0-STABLE before r350222, 12.0-RELEASE before 12.0-RELEAS ...) NOT-FOR-US: FreeBSD userspace CVE-2019-5606 (In FreeBSD 12.0-STABLE before r349805, 12.0-RELEASE before 12.0-RELEAS ...) - kfreebsd-10 (unimportant) NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-19:13.pts.asc CVE-2019-5605 (In FreeBSD 11.3-STABLE before r350217, 11.3-RELEASE before 11.3-RELEAS ...) - kfreebsd-10 (unimportant) NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-19:14.freebsd32.asc CVE-2019-5604 (In FreeBSD 12.0-STABLE before r350246, 12.0-RELEASE before 12.0-RELEAS ...) NOT-FOR-US: bhyve CVE-2019-5603 (In FreeBSD 12.0-STABLE before r350261, 12.0-RELEASE before 12.0-RELEAS ...) - kfreebsd-10 (unimportant) NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-19:15.mqueuefs.asc CVE-2019-5602 (In FreeBSD 12.0-STABLE before r349628, 12.0-RELEASE before 12.0-RELEAS ...) - kfreebsd-10 (unimportant) NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-19:11.cd_ioctl.asc NOTE: kfreebsd not covered by security support CVE-2019-5601 (In FreeBSD 12.0-STABLE before r347474, 12.0-RELEASE before 12.0-RELEAS ...) - kfreebsd-10 (unimportant) NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-19:10.ufs.asc NOTE: kfreebsd not covered by security support CVE-2019-5600 (In FreeBSD 12.0-STABLE before r349622, 12.0-RELEASE before 12.0-RELEAS ...) NOT-FOR-US: FreeBSD iconv CVE-2019-5599 (In FreeBSD 12.0-STABLE before r349197 and 12.0-RELEASE before 12.0-REL ...) - kfreebsd-10 (Only affects FreeBSD 12) CVE-2019-5598 (In FreeBSD 11.3-PRERELEASE before r345378, 12.0-STABLE before r345377, ...) - kfreebsd-10 (unimportant) NOTE: https://security.FreeBSD.org/advisories/FreeBSD-SA-19:06.pf.asc NOTE: kfreebsd not covered by security support CVE-2019-5597 (In FreeBSD 11.3-PRERELEASE and 12.0-STABLE before r347591, 11.2-RELEAS ...) - kfreebsd-10 (unimportant) NOTE: https://security.FreeBSD.org/advisories/FreeBSD-SA-19:05.pf.asc NOTE: kfreebsd not covered by security support CVE-2019-5596 (In FreeBSD 11.2-STABLE after r338618 and before r343786, 12.0-STABLE b ...) - kfreebsd-10 (unimportant) NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-19:02.fd.asc NOTE: kfreebsd not covered by security support CVE-2019-5595 (In FreeBSD before 11.2-STABLE(r343782), 11.2-RELEASE-p9, 12.0-STABLE(r ...) - kfreebsd-10 (unimportant) NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-19:01.syscall.asc NOTE: kfreebsd not covered by security support CVE-2019-5594 (An Improper Neutralization of Input During Web Page Generation ("Cross ...) NOT-FOR-US: Fortinet CVE-2019-5593 (Improper permission or value checking in the CLI console may allow a n ...) NOT-FOR-US: FortiOS CVE-2019-5592 (Multiple padding oracle vulnerabilities (Zombie POODLE, GOLDENDOODLE, ...) NOT-FOR-US: Fortinet CVE-2019-5591 RESERVED CVE-2019-5590 (The URL part of the report message is not encoded in Fortinet FortiWeb ...) NOT-FOR-US: Fortinet CVE-2019-5589 (An Unsafe Search Path vulnerability in FortiClient Online Installer (W ...) NOT-FOR-US: FortiGuard CVE-2019-5588 (A reflected Cross-Site-Scripting (XSS) vulnerability in Fortinet Forti ...) NOT-FOR-US: Fortinet FortiOS CVE-2019-5587 (Lack of root file system integrity checking in Fortinet FortiOS VM app ...) NOT-FOR-US: Fortinet FortiOS CVE-2019-5586 (A reflected Cross-Site-Scripting (XSS) vulnerability in Fortinet Forti ...) NOT-FOR-US: Fortinet FortiOS CVE-2019-5585 (An improper access control vulnerability in FortiClientMac before 6.0. ...) NOT-FOR-US: Fortiguard FortiClientMac CVE-2019-5584 REJECTED CVE-2019-5583 REJECTED CVE-2019-5582 REJECTED CVE-2019-5581 REJECTED CVE-2019-5580 REJECTED CVE-2019-5579 REJECTED CVE-2019-5578 REJECTED CVE-2019-5577 REJECTED CVE-2019-5576 REJECTED CVE-2019-5575 REJECTED CVE-2019-5574 REJECTED CVE-2019-5573 REJECTED CVE-2019-5572 REJECTED CVE-2019-5571 REJECTED CVE-2019-5570 REJECTED CVE-2019-5569 REJECTED CVE-2019-5568 REJECTED CVE-2019-5567 REJECTED CVE-2019-5566 REJECTED CVE-2019-5565 REJECTED CVE-2019-5564 REJECTED CVE-2019-5563 REJECTED CVE-2019-5562 REJECTED CVE-2019-5561 REJECTED CVE-2019-5560 REJECTED CVE-2019-5559 REJECTED CVE-2019-5558 REJECTED CVE-2019-5557 REJECTED CVE-2019-5556 REJECTED CVE-2019-5555 REJECTED CVE-2019-5554 REJECTED CVE-2019-5553 REJECTED CVE-2019-5552 REJECTED CVE-2019-5551 REJECTED CVE-2019-5550 REJECTED CVE-2019-5549 REJECTED CVE-2019-5548 REJECTED CVE-2019-5547 REJECTED CVE-2019-5546 REJECTED CVE-2019-5545 RESERVED CVE-2019-5544 (OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap ove ...) {DLA-2025-1} - openslp-dfsg NOTE: https://www.openwall.com/lists/oss-security/2019/12/06/1 CVE-2019-5543 (For VMware Horizon Client for Windows (5.x and prior before 5.3.0), VM ...) NOT-FOR-US: VMware CVE-2019-5542 (VMware Workstation (15.x before 15.5.1) and Fusion (11.x before 11.5.1 ...) NOT-FOR-US: VMware CVE-2019-5541 (VMware Workstation (15.x before 15.5.1) and Fusion (11.x before 11.5.1 ...) NOT-FOR-US: VMware CVE-2019-5540 (VMware Workstation (15.x before 15.5.1) and Fusion (11.x before 11.5.1 ...) NOT-FOR-US: VMware CVE-2019-5539 (VMware Workstation (15.x prior to 15.5.1) and Horizon View Agent (7.10 ...) NOT-FOR-US: VMware CVE-2019-5538 (Sensitive information disclosure vulnerability resulting from a lack o ...) NOT-FOR-US: VMware CVE-2019-5537 (Sensitive information disclosure vulnerability resulting from a lack o ...) NOT-FOR-US: VMware CVE-2019-5536 (VMware ESXi (6.7 before ESXi670-201908101-SG and 6.5 before ESXi650-20 ...) NOT-FOR-US: VMware CVE-2019-5535 (VMware Workstation and Fusion contain a network denial-of-service vuln ...) NOT-FOR-US: VMware CVE-2019-5534 (VMware vCenter Server (6.7.x prior to 6.7 U3, 6.5 prior to 6.5 U3 and ...) NOT-FOR-US: VMware CVE-2019-5533 (In VMware SD-WAN by VeloCloud versions 3.x prior to 3.3.0, the VeloClo ...) NOT-FOR-US: VMware CVE-2019-5532 (VMware vCenter Server (6.7.x prior to 6.7 U3, 6.5 prior to 6.5 U3 and ...) NOT-FOR-US: VMware CVE-2019-5531 (VMware vSphere ESXi (6.7 prior to ESXi670-201810101-SG, 6.5 prior to E ...) NOT-FOR-US: VMware CVE-2019-5530 (Windows binaries generated with InstallBuilder versions earlier than 1 ...) NOT-FOR-US: InstallBuilder CVE-2019-5529 RESERVED CVE-2019-5528 (VMware ESXi 6.5 suffers from partial denial of service vulnerability i ...) NOT-FOR-US: VMware CVE-2019-5527 (ESXi, Workstation, Fusion, VMRC and Horizon Client contain a use-after ...) NOT-FOR-US: VMware CVE-2019-5526 (VMware Workstation (15.x before 15.1.0) contains a DLL hijacking issue ...) NOT-FOR-US: VMware CVE-2019-5525 (VMware Workstation (15.x before 15.1.0) contains a use-after-free vuln ...) NOT-FOR-US: VMware CVE-2019-5524 (VMware Workstation (14.x before 14.1.6) and Fusion (10.x before 10.1.6 ...) NOT-FOR-US: VMware CVE-2019-5523 (VMware vCloud Director for Service Providers 9.5.x prior to 9.5.0.3 up ...) NOT-FOR-US: VMware vCloud Director for Service Providers CVE-2019-5522 (VMware Tools for Windows update addresses an out of bounds read vulner ...) NOT-FOR-US: VMware CVE-2019-5521 (VMware ESXi (6.7 before ESXi670-201904101-SG and 6.5 before ESXi650-20 ...) NOT-FOR-US: VMware CVE-2019-5520 (VMware ESXi (6.7 before ESXi670-201904101-SG and 6.5 before ESXi650-20 ...) NOT-FOR-US: VMware CVE-2019-5519 (VMware ESXi (6.7 before ESXi670-201903001, 6.5 before ESXi650-20190300 ...) NOT-FOR-US: VMware CVE-2019-5518 (VMware ESXi (6.7 before ESXi670-201903001, 6.5 before ESXi650-20190300 ...) NOT-FOR-US: VMware CVE-2019-5517 (VMware ESXi (6.7 before ESXi670-201904101-SG and 6.5 before ESXi650-20 ...) NOT-FOR-US: VMware CVE-2019-5516 (VMware ESXi (6.7 before ESXi670-201904101-SG and 6.5 before ESXi650-20 ...) NOT-FOR-US: VMware CVE-2019-5515 (VMware Workstation (15.x before 15.0.3, 14.x before 14.1.6) and Fusion ...) NOT-FOR-US: VMware CVE-2019-5514 (VMware VMware Fusion (11.x before 11.0.3) contains a security vulnerab ...) NOT-FOR-US: VMware CVE-2019-5513 (VMware Horizon Connection Server (7.x before 7.8, 7.5.x before 7.5.2, ...) NOT-FOR-US: VMware CVE-2019-5512 (VMware Workstation (15.x before 15.0.3, 14.x before 14.1.6) running on ...) NOT-FOR-US: VMware CVE-2019-5511 (VMware Workstation (15.x before 15.0.3, 14.x before 14.1.6) running on ...) NOT-FOR-US: VMware CVE-2019-5510 RESERVED CVE-2019-5509 (ONTAP Select Deploy administration utility versions 2.11.2 through 2.1 ...) NOT-FOR-US: ONTAP Select Deploy administration utility CVE-2019-5508 (Clustered Data ONTAP versions 9.2 through 9.4 are susceptible to a vul ...) NOT-FOR-US: Clustered Data ONTAP CVE-2019-5507 (SnapManager for Oracle prior to version 3.4.2P1 are susceptible to a v ...) NOT-FOR-US: SnapManager for Oracle CVE-2019-5506 (Clustered Data ONTAP versions 9.0 and higher do not enforce hostname v ...) NOT-FOR-US: Clustered Data ONTAP CVE-2019-5505 (ONTAP Select Deploy administration utility versions 2.2 through 2.12.1 ...) NOT-FOR-US: ONTAP CVE-2019-5504 (ONTAP Select Deploy administration utility versions 2.12 & 2.12.1 ...) NOT-FOR-US: ONTAP CVE-2019-5503 (OnCommand Workflow Automation versions prior to 5.0 shipped without ce ...) NOT-FOR-US: OnCommand Workflow Automation CVE-2019-5502 (SMB in Data ONTAP operating in 7-Mode versions prior to 8.2.5P3 has we ...) NOT-FOR-US: Data ONTAP CVE-2019-5501 (Data ONTAP operating in 7-Mode versions prior to 8.2.5P3 may disclose ...) NOT-FOR-US: Data ONTAP CVE-2019-5500 (Certain versions of the NetApp Service Processor and Baseboard Managem ...) NOT-FOR-US: NetApp CVE-2019-5499 REJECTED CVE-2019-5498 (OnCommand Insight versions through 7.3.6 may disclose sensitive accoun ...) NOT-FOR-US: OnCommand Insight CVE-2019-5497 (NetApp AFF A700s Baseboard Management Controller (BMC) firmware versio ...) NOT-FOR-US: NetApp AFF A700s Baseboard Management Controller firmware CVE-2019-5496 (Oncommand Insight versions prior to 7.3.5 shipped without certain HTTP ...) NOT-FOR-US: Oncommand Insight / Netapp CVE-2019-5495 (OnCommand Unified Manager for VMware vSphere, Linux and Windows prior ...) NOT-FOR-US: OnCommand Unified Manager for VMware vSphere, Linux and Windows / Netapp CVE-2019-5494 (OnCommand Unified Manager 7-Mode prior to version 5.2.4 shipped withou ...) NOT-FOR-US: OnCommand Unified Manager 7-Mode / Netapp CVE-2019-5493 (Data ONTAP operating in 7-Mode versions prior to 8.2.5P3 are susceptib ...) NOT-FOR-US: Data ONTAP CVE-2019-5492 (Element Plug-in for vCenter Server versions prior to 4.2.3 may disclos ...) NOT-FOR-US: NetApp HCI Compute Node CVE-2019-5491 (Clustered Data ONTAP versions prior to 9.1P15 and 9.3 prior to 9.3P7 a ...) NOT-FOR-US: Clustered Data ONTAP CVE-2019-5490 (Certain versions between 2.x to 5.x (refer to advisory) of the NetApp ...) NOT-FOR-US: NetApp CVE-2019-5488 (EARCLINK ESPCMS-P8 has SQL injection in the install_pack/index.php?ac= ...) NOT-FOR-US: EARCLINK ESPCMS-P8 CVE-2019-5489 (The mincore() implementation in mm/mincore.c in the Linux kernel throu ...) {DSA-4465-1 DLA-1824-1 DLA-1823-1} - linux 4.19.37-4 CVE-2019-5487 (An improper access control vulnerability exists in Gitlab EE <v12.3 ...) - gitlab (Only affects Gitlab EE) NOTE: https://hackerone.com/reports/692252 CVE-2019-5486 (A authentication bypass vulnerability exists in GitLab CE/EE <v12.3 ...) - gitlab 12.6.8-3 NOTE: https://hackerone.com/reports/617896 NOTE: https://about.gitlab.com/releases/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/ CVE-2019-5485 (NPM package gitlabhook version 0.0.17 is vulnerable to a Command Injec ...) NOT-FOR-US: node gitlabhook CVE-2019-5484 (Bower before 1.8.8 has a path traversal vulnerability permitting file ...) NOT-FOR-US: Bower CVE-2019-5483 (Seneca < 3.9.0 contains a vulnerability that could lead to exposing ...) NOT-FOR-US: Seneca CVE-2019-5482 (Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7. ...) {DSA-4633-1 DLA-1917-1} - curl 7.66.0-1 (bug #940010) NOTE: https://curl.haxx.se/docs/CVE-2019-5482.html NOTE: Introduced by: https://github.com/curl/curl/commit/0516ce7786e9500c2e447d48aa9b3f24a6ca70f9 NOTE: Fixed by: https://github.com/curl/curl/commit/facb0e4662415b5f28163e853dc6742ac5fafb3d (curl-7_66_0) CVE-2019-5481 (Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7 ...) {DSA-4633-1} - curl 7.66.0-1 (bug #940009) [jessie] - curl (Vulnerable code introduced later) NOTE: https://curl.haxx.se/docs/CVE-2019-5481.html NOTE: Introduced by: https://github.com/curl/curl/commit/0649433da53c7165f839e24e889e131e2894dd32 (curl-7_52_0) NOTE: Fixed by: https://github.com/curl/curl/commit/9069838b30fb3b48af0123e39f664cea683254a5 (curl-7_66_0) CVE-2019-5480 (A path traversal vulnerability in <= v0.9.7 of statichttpserver npm ...) NOT-FOR-US: Node statichttpserver CVE-2019-5479 (An unintended require vulnerability in <v0.5.5 larvitbase-api may a ...) NOT-FOR-US: Node larvitbase-api CVE-2019-5478 (A weakness was found in Encrypt Only boot mode in Zynq UltraScale+ dev ...) NOT-FOR-US: Encrypt Only boot mode in Zynq UltraScale+ devices CVE-2019-5477 (A command injection vulnerability in Nokogiri v1.10.3 and earlier allo ...) {DLA-1933-1} - rexical 1.0.7-1 (bug #940905) [buster] - rexical (Minor issue, can be fixed via point release) [stretch] - rexical (Minor issue, can be fixed via point release) - ruby-nokogiri 1.10.4+dfsg1-1 (bug #934802) [buster] - ruby-nokogiri (Minor issue, can be fixed via point release) [stretch] - ruby-nokogiri (Minor issue, can be fixed via point release) NOTE: https://github.com/sparklemotion/nokogiri/issues/1915 NOTE: Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file NOTE: is being passed untrusted user input. NOTE: https://github.com/tenderlove/rexical/commit/a652474dbc66be350055db3e8f9b3a7b3fd75926 NOTE: Change in rexical is covered by the scope of this CVE. CVE-2019-5476 (An SQL Injection in the Nextcloud Lookup-Server < v0.3.0 (running o ...) NOT-FOR-US: Nextcloud Lookup-Server CVE-2019-5475 (The Nexus Yum Repository Plugin in v2 is vulnerable to Remote Code Exe ...) NOT-FOR-US: Nexus Yum Repository Plugin CVE-2019-5474 (An authorization issue was discovered in GitLab EE < 12.1.2, < 1 ...) - gitlab (Only affects Gitlab EE 11.8 and later) NOTE: https://about.gitlab.com/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/ CVE-2019-5473 (An authentication issue was discovered in GitLab that allowed a bypass ...) - gitlab (Only affects Gitlab EE 12.0 and later) NOTE: https://about.gitlab.com/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/ CVE-2019-5472 (An authorization issue was discovered in Gitlab versions < 12.1.2, ...) - gitlab (Only affects Gitlab EE 10.7 and later) NOTE: https://about.gitlab.com/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/ CVE-2019-5471 (An input validation and output encoding issue was discovered in the Gi ...) - gitlab (Only affects Gitlab EE 8.9 and later) NOTE: https://about.gitlab.com/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/ CVE-2019-5470 (An information disclosure issue was discovered GitLab versions < 12 ...) [experimental] - gitlab 11.11.7+dfsg-1 - gitlab 12.6.8-3 (bug #933785) NOTE: https://about.gitlab.com/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/ CVE-2019-5469 (An IDOR vulnerability exists in GitLab <v12.1.2, <v12.0.4, and & ...) [experimental] - gitlab 11.11.7+dfsg-1 - gitlab 12.6.8-3 (bug #933785) NOTE: https://about.gitlab.com/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/ CVE-2019-5468 (An privilege escalation issue was discovered in Gitlab versions < 1 ...) [experimental] - gitlab 11.11.7+dfsg-1 - gitlab 12.6.8-3 (bug #933785) NOTE: https://about.gitlab.com/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/ CVE-2019-5467 (An input validation and output encoding issue was discovered in the Gi ...) - gitlab (Only affects 11.10 and later) NOTE: https://about.gitlab.com/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/ CVE-2019-5466 (An IDOR was discovered in GitLab CE/EE 11.5 and later that allowed new ...) [experimental] - gitlab 11.11.7+dfsg-1 - gitlab 12.6.8-3 (bug #933785) NOTE: https://about.gitlab.com/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/ CVE-2019-5465 (An information disclosure issue was discovered in GitLab CE/EE 8.14 an ...) [experimental] - gitlab 11.11.7+dfsg-1 - gitlab 12.6.8-3 (bug #933785) NOTE: https://about.gitlab.com/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/ CVE-2019-5464 (A flawed DNS rebinding protection issue was discovered in GitLab CE/EE ...) [experimental] - gitlab 11.11.7+dfsg-1 - gitlab 12.6.8-3 (bug #933785) NOTE: https://about.gitlab.com/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/ CVE-2019-5463 (An authorization issue was discovered in the GitLab CE/EE CI badge ima ...) [experimental] - gitlab 11.11.7+dfsg-1 - gitlab 12.6.8-3 (bug #933785) NOTE: https://about.gitlab.com/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/ CVE-2019-5462 (A privilege escalation issue was discovered in GitLab CE/EE 9.0 and la ...) [experimental] - gitlab 11.11.7+dfsg-1 - gitlab 12.6.8-3 (bug #933785) NOTE: https://about.gitlab.com/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/ CVE-2019-5461 (An input validation problem was discovered in the GitHub service integ ...) [experimental] - gitlab 11.11.7+dfsg-1 - gitlab 12.6.8-3 (bug #933785) NOTE: https://about.gitlab.com/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/ CVE-2019-5460 (Double Free in VLC versions <= 3.0.6 leads to a crash. ...) {DSA-4459-1} - vlc 3.0.7-1 [jessie] - vlc (https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: https://hackerone.com/reports/503208 CVE-2019-5459 (An Integer underflow in VLC Media Player versions < 3.0.7 leads to ...) {DSA-4459-1} - vlc 3.0.7-1 [jessie] - vlc (https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: https://hackerone.com/reports/502816 CVE-2019-5458 (Cross-site scripting (XSS) vulnerability in http-file-server (all vers ...) NOT-FOR-US: http-file-server Node.js module CVE-2019-5457 (Cross-site scripting (XSS) vulnerability in min-http-server (all versi ...) NOT-FOR-US: min-http-server Node module CVE-2019-5456 (SMTP MITM refers to a malicious actor setting up an SMTP proxy server ...) NOT-FOR-US: SMTP MITM CVE-2019-5455 (Bypassing lock protection exists in Nextcloud Android app 3.6.0 when c ...) NOT-FOR-US: Nextcloud Android app CVE-2019-5454 (SQL Injection in the Nextcloud Android app prior to version 3.0.0 allo ...) NOT-FOR-US: Nextcloud Android app CVE-2019-5453 (Bypass lock protection in the Nextcloud Android app prior to version 3 ...) NOT-FOR-US: Nextcloud Android app CVE-2019-5452 (Bypass lock protection in the Nextcloud Android app prior to version 3 ...) NOT-FOR-US: Nextcloud Android app CVE-2019-5451 (Bypass lock protection in the Nextcloud Android app prior to version 3 ...) NOT-FOR-US: Nextcloud Android app CVE-2019-5450 (Improper sanitization of HTML in directory names in the Nextcloud Andr ...) NOT-FOR-US: Nextcloud Android app CVE-2019-5449 (A missing check in the Nextcloud Server prior to version 15.0.1 causes ...) - nextcloud (bug #835086) CVE-2019-5448 (Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Da ...) - node-yarnpkg 1.13.0-3 (bug #941354) [buster] - node-yarnpkg 1.13.0-1+deb10u1 NOTE: https://hackerone.com/reports/640904 NOTE: https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md NOTE: https://github.com/yarnpkg/yarn/pull/7393 NOTE: https://github.com/yarnpkg/yarn/commit/2f08a7405cc3f6fe47c30293050bb0ac94850932 CVE-2019-5447 (A path traversal vulnerability in <= v0.2.6 of http-file-server npm ...) NOT-FOR-US: http-file-server Node.js module CVE-2019-5446 (Command Injection in EdgeMAX EdgeSwitch prior to 1.8.2 allow an Admin ...) NOT-FOR-US: EdgeSwitch CVE-2019-5445 (DoS in EdgeMAX EdgeSwitch prior to 1.8.2 allow an Admin user to Crash ...) NOT-FOR-US: EdgeSwitch CVE-2019-5444 (Path traversal vulnerability in version up to v1.1.3 in serve-here.js ...) NOT-FOR-US: serve-here.js npm module CVE-2019-5443 (A non-privileged user or program can put code and a config file in a k ...) - curl (Windows-specific build issue) CVE-2019-5442 (XML Entity Expansion (Billion Laughs Attack) on Pippo 1.12.0 results i ...) NOT-FOR-US: Pippo CVE-2019-5441 REJECTED CVE-2019-5440 (Use of cryptographically weak PRNG in the password recovery token gene ...) NOT-FOR-US: Revive Adserver CVE-2019-5438 (Path traversal using symlink in npm harp module versions <= 0.29.0. ...) NOT-FOR-US: npm harp module CVE-2019-5437 (Information exposure through the directory listing in npm's harp modul ...) NOT-FOR-US: npm harp module CVE-2019-5436 (A heap buffer overflow in the TFTP receiving code allows for DoS or ar ...) {DLA-1804-1} - curl 7.64.0-4 (bug #929351) [stretch] - curl 7.52.1-5+deb9u10 NOTE: https://curl.haxx.se/docs/CVE-2019-5436.html NOTE: Introduced by: https://github.com/curl/curl/commit/0516ce7786e95 NOTE: Fixed by: https://github.com/curl/curl/commit/2576003415625d7b5f0e390902f8097830b82275 CVE-2019-5435 (An integer overflow in curl's URL API results in a buffer overflow in ...) - curl 7.64.0-4 (bug #929352) [stretch] - curl (Vulnerable code introduced later) [jessie] - curl (Vulnerable code introduced later) NOTE: https://curl.haxx.se/docs/CVE-2019-5435.html NOTE: Introduced by: https://github.com/curl/curl/commit/fb30ac5a2d63773c52 NOTE: Fixed by: https://github.com/curl/curl/commit/5fc28510a4664f4 CVE-2019-5434 (An attacker could send a specifically crafted payload to the XML-RPC i ...) NOT-FOR-US: Revive Adserver CVE-2019-5433 (A user having access to the UI of a Revive Adserver instance could be ...) NOT-FOR-US: Revive Adserver CVE-2019-5432 (A specifically malformed MQTT Subscribe packet crashes MQTT Brokers us ...) - node-mqtt-packet 6.0.0-2 (bug #928673) NOTE: https://hackerone.com/reports/541354 CVE-2019-5431 (This vulnerability was caused by an incomplete fix to CVE-2017-0911. T ...) NOT-FOR-US: Twitter Kit for iOS CVE-2019-5430 (In UniFi Video 3.10.0 and prior, due to the lack of CSRF protection, i ...) NOT-FOR-US: Ubiquiti Networks UniFi Video CVE-2019-5429 (Untrusted search path in FileZilla before 3.41.0-rc1 allows an attacke ...) - filezilla 3.45.1-1 (low; bug #928282) [buster] - filezilla 3.39.0-2+deb10u1 [stretch] - filezilla (Minor issue) [jessie] - filezilla (Minor issue) NOTE: https://svn.filezilla-project.org/filezilla?revision=9097&view=revision NOTE: https://www.tenable.com/security/research/tra-2019-14 CVE-2019-5428 REJECTED CVE-2019-5427 (c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack ...) - c3p0 (low; bug #927936) [buster] - c3p0 (Minor issue) [stretch] - c3p0 (Minor issue) [jessie] - c3p0 (Minor issue) NOTE: https://hackerone.com/reports/509315 NOTE: Fixed by: https://github.com/swaldman/c3p0/commit/f38f27635c384806c2a9d6500d80183d9f09d78b CVE-2019-5426 (In Ubiquiti Networks EdgeSwitch X v1.1.0 and prior, an unauthenticated ...) NOT-FOR-US: Ubiquiti CVE-2019-5425 (In Ubiquiti Networks EdgeSwitch X v1.1.0 and prior, an authenticated u ...) NOT-FOR-US: Ubiquiti CVE-2019-5424 (In Ubiquiti Networks EdgeSwitch X v1.1.0 and prior, a privileged user ...) NOT-FOR-US: Ubiquiti CVE-2019-5423 (Path traversal vulnerability in http-live-simulator npm package versio ...) NOT-FOR-US: http-live-simulator node module CVE-2019-5422 (XSS in buttle npm package version 0.2.0 causes execution of attacker-p ...) NOT-FOR-US: buttle node module CVE-2019-5421 (Plataformatec Devise version 4.5.0 and earlier, using the lockable mod ...) - ruby-devise 4.5.0-3 (bug #926348) [stretch] - ruby-devise (Minor issue) NOTE: https://github.com/plataformatec/devise/issues/4981 NOTE: https://github.com/plataformatec/devise/pull/4996 CVE-2019-5420 (A remote code execution vulnerability in development mode Rails <5. ...) - rails 2:5.2.2.1+dfsg-1 (bug #924521) [stretch] - rails (Vulnerable code not present) [jessie] - rails (vulnerable code is not present in 4.x) NOTE: https://www.openwall.com/lists/oss-security/2019/03/13/3 NOTE: Introduced in https://github.com/rails/rails/commit/69f976b859cae7f9d050152103da018b7f5dda6d CVE-2019-5419 (There is a possible denial of service vulnerability in Action View (Ra ...) {DLA-1739-1} - rails 2:5.2.2.1+dfsg-1 (bug #924520) [stretch] - rails 2:4.2.7.1-1+deb9u1 NOTE: https://www.openwall.com/lists/oss-security/2019/03/13/4 CVE-2019-5418 (There is a File Content Disclosure vulnerability in Action View <5. ...) {DLA-1739-1} - rails 2:5.2.2.1+dfsg-1 (bug #924520) [stretch] - rails 2:4.2.7.1-1+deb9u1 NOTE: https://www.openwall.com/lists/oss-security/2019/03/13/5 CVE-2019-5417 (A path traversal vulnerability in serve npm package version 7.0.1 allo ...) NOT-FOR-US: node serve module CVE-2019-5416 (A path traversal vulnerability in localhost-now npm package version 1. ...) NOT-FOR-US: node localhost-now module CVE-2019-5415 (A bug in handling the ignore files and directories feature in serve 6. ...) NOT-FOR-US: node serve module CVE-2019-5414 (If an attacker can control the port, which in itself is a very sensiti ...) NOT-FOR-US: kill-port node module CVE-2019-5413 (An attacker can use the format parameter to inject arbitrary commands ...) NOT-FOR-US: morgan node module CVE-2019-5412 REJECTED CVE-2019-5411 REJECTED CVE-2019-5410 REJECTED CVE-2019-5409 REJECTED CVE-2019-5408 (Command View Advanced Edition (CVAE) products contain a vulnerability ...) NOT-FOR-US: Command View Advanced Edition (CVAE) products CVE-2019-5407 (A remote information disclosure vulnerability was discovered in HPE 3P ...) NOT-FOR-US: HPE 3PAR StoreServ Management and Core Software Media CVE-2019-5406 (A remote session reuse vulnerability was discovered in HPE 3PAR StoreS ...) NOT-FOR-US: HPE 3PAR StoreServ Management and Core Software Media CVE-2019-5405 (A remote authorization bypass vulnerability was discovered in HPE 3PAR ...) NOT-FOR-US: HPE 3PAR StoreServ Management and Core Software Media CVE-2019-5404 (A remote script injection vulnerability was discovered in HPE 3PAR Sto ...) NOT-FOR-US: HPE 3PAR StoreServ Management and Core Software Media CVE-2019-5403 (A remote multiple cross-site scripting vulnerability was discovered in ...) NOT-FOR-US: HPE 3PAR StoreServ Management and Core Software Media CVE-2019-5402 (A remote authorization bypass vulnerability was discovered in HPE 3PAR ...) NOT-FOR-US: HPE 3PAR StoreServ Management and Core Software Media CVE-2019-5401 (A potential security vulnerability has been identified in HP2910al-48G ...) NOT-FOR-US: HP HP2910al-48G CVE-2019-5400 (A remote session reuse vulnerability was discovered in HPE 3PAR Servic ...) NOT-FOR-US: HPE CVE-2019-5399 (A remote gain authorized access vulnerability was discovered in HPE 3P ...) NOT-FOR-US: HPE CVE-2019-5398 (A remote multiple multiple cross-site vulnerability was discovered in ...) NOT-FOR-US: HPE CVE-2019-5397 (A remote bypass of security restrictions vulnerability was discovered ...) NOT-FOR-US: HPE CVE-2019-5396 (A remote authentication bypass vulnerability was discovered in HPE 3PA ...) NOT-FOR-US: HPE CVE-2019-5395 (A remote arbitrary file upload vulnerability was discovered in HPE 3PA ...) NOT-FOR-US: HPE CVE-2019-5394 (The HPE Nonstop Maintenance Entity family of products are vulnerable t ...) NOT-FOR-US: HPE CVE-2019-5393 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5392 (A disclosure of information vulnerability was identified in HPE Intell ...) NOT-FOR-US: HPE CVE-2019-5391 (A stack buffer overflow vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5390 (A remote command injection vulnerability was identified in HPE Intelli ...) NOT-FOR-US: HPE CVE-2019-5389 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5388 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5387 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5386 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5385 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5384 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5383 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5382 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5381 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5380 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5379 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5378 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5377 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5376 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5375 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5374 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5373 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5372 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5371 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5370 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5369 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5368 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5367 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5366 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5365 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5364 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5363 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5362 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5361 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5360 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5359 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5358 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5357 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5356 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5355 (A remote denial of service vulnerability was identified in HPE Intelli ...) NOT-FOR-US: HPE CVE-2019-5354 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5353 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5352 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5351 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5350 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5349 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5348 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5347 (A remote authentication bypass vulnerability was identified in HPE Int ...) NOT-FOR-US: HPE CVE-2019-5346 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5345 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5344 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5343 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5342 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5341 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5340 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5339 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5338 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2019-5337 REJECTED CVE-2019-5336 REJECTED CVE-2019-5335 REJECTED CVE-2019-5334 REJECTED CVE-2019-5333 REJECTED CVE-2019-5332 REJECTED CVE-2019-5331 REJECTED CVE-2019-5330 REJECTED CVE-2019-5329 REJECTED CVE-2019-5328 REJECTED CVE-2019-5327 REJECTED CVE-2019-5326 (An administrative application user of or application user with write a ...) NOT-FOR-US: Aruba Airwave VisualRF CVE-2019-5325 RESERVED CVE-2019-5324 REJECTED CVE-2019-5323 (There are command injection vulnerabilities present in the AirWave app ...) NOT-FOR-US: Aruba Airwave CVE-2019-5322 (A remotely exploitable information disclosure vulnerability is present ...) NOT-FOR-US: Edge Switch models CVE-2019-5321 RESERVED CVE-2019-5320 RESERVED CVE-2019-5319 RESERVED CVE-2019-5318 RESERVED CVE-2019-5317 RESERVED CVE-2019-5316 RESERVED CVE-2019-5315 (A command injection vulnerability is present in the web management int ...) NOT-FOR-US: ArubaOS CVE-2019-5314 (Some web components in the ArubaOS software are vulnerable to HTTP Res ...) NOT-FOR-US: ArubaOS CVE-2019-5313 RESERVED CVE-2019-5312 (An issue was discovered in weixin-java-tools v3.3.0. There is an XXE v ...) NOT-FOR-US: weixin-java-tools CVE-2019-5311 (An issue was discovered in YUNUCMS V1.1.8. app/index/controller/Show.p ...) NOT-FOR-US: YUNUCMS CVE-2019-5310 (YUNUCMS 1.1.8 has XSS in app/admin/controller/System.php because craft ...) NOT-FOR-US: YUNUCMS CVE-2019-5309 (Honor play smartphones with versions earlier than 9.1.0.333(C00E333R1P ...) NOT-FOR-US: Honor play smartphones CVE-2019-5308 (Mate 20 RS smartphones with versions earlier than 9.1.0.135(C786E133R3 ...) NOT-FOR-US: Mate 20 RS smartphones CVE-2019-5307 (Some Huawei 4G LTE devices, P30 versions before ELE-AL00 9.1.0.162(C01 ...) NOT-FOR-US: Huawei CVE-2019-5306 (There is a Factory Reset Protection (FRP) bypass security vulnerabilit ...) NOT-FOR-US: Huawei CVE-2019-5305 (The image processing module of some Huawei Mate 10 smartphones version ...) NOT-FOR-US: Huawei CVE-2019-5304 (Some Huawei products have a buffer error vulnerability. An unauthentic ...) NOT-FOR-US: Huawei CVE-2019-5303 (There are two denial of service vulnerabilities on some Huawei smartph ...) NOT-FOR-US: Huawei CVE-2019-5302 (There are two denial of service vulnerabilities on some Huawei smartph ...) NOT-FOR-US: Huawei CVE-2019-5301 (Huawei smart phones Honor V20 with the versions before 9.0.1.161(C00E1 ...) NOT-FOR-US: Huawei CVE-2019-5300 (There is a digital signature verification bypass vulnerability in AR12 ...) NOT-FOR-US: Huawei CVE-2019-5299 (Huawei mobile phones Hima-AL00Bhave with Versions earlier than HMA-AL0 ...) NOT-FOR-US: Huawei CVE-2019-5298 (There is an improper authentication vulnerability in some Huawei AP pr ...) NOT-FOR-US: Huawei CVE-2019-5297 (Emily-L29C Huawei phones versions earlier than 9.0.0.159 (C185E2R1P12T ...) NOT-FOR-US: Huawei CVE-2019-5296 (Mate20 Huawei smartphones versions earlier than HMA-AL00C00B175 have a ...) NOT-FOR-US: Huawei CVE-2019-5295 (Huawei Honor V10 smartphones versions earlier than Berkeley-AL20 9.0.0 ...) NOT-FOR-US: Huawei CVE-2019-5294 (There is an out of bound read vulnerability in some Huawei products. A ...) NOT-FOR-US: Huawei CVE-2019-5293 (Some Huawei products have a memory leak vulnerability when handling so ...) NOT-FOR-US: Huawei CVE-2019-5292 (Honor 10 Lite, Honor 8A, Huawei Y6 mobile phones with the versions bef ...) NOT-FOR-US: Huawei CVE-2019-5291 (Some Huawei products have an insufficient verification of data authent ...) NOT-FOR-US: Huawei CVE-2019-5290 (Huawei S5700 and S6700 have a DoS security vulnerability. Attackers wi ...) NOT-FOR-US: Huawei CVE-2019-5289 (Gauss100 OLTP database in ManageOne with versions of 6.5.0 have an out ...) NOT-FOR-US: Huawei CVE-2019-5288 (P30 smart phones with versions earlier than ELLE-AL00B 9.1.0.193(C00E1 ...) NOT-FOR-US: Huawei CVE-2019-5287 (P30 smart phones with versions earlier than ELLE-AL00B 9.1.0.193(C00E1 ...) NOT-FOR-US: Huawei CVE-2019-5286 (There is a reflection XSS vulnerability in the HedEx products. Remote ...) NOT-FOR-US: HedEx / Huawei CVE-2019-5285 (Some Huawei S series switches have a DoS vulnerability. An unauthentic ...) NOT-FOR-US: Huawei CVE-2019-5284 (There is a DoS vulnerability in RTSP module of Leland-AL00A Huawei sma ...) NOT-FOR-US: Huawei CVE-2019-5283 (There is Factory Reset Protection (FRP) bypass security vulnerability ...) NOT-FOR-US: Huawei CVE-2019-5282 (Bastet module of some Huawei smartphones with Versions earlier than Em ...) NOT-FOR-US: Huawei CVE-2019-5281 (There is an information leak vulnerability in some Huawei phones, vers ...) NOT-FOR-US: Huawei CVE-2019-5280 (The SIP TLS module of Huawei CloudLink Phone 7900 with V600R019C10 has ...) NOT-FOR-US: Huawei CVE-2019-5279 (Huawei smart phones Emily-L29C with Versions earlier than 9.1.0.311(C1 ...) NOT-FOR-US: Huawei CVE-2019-5278 (There is an out-of-bounds read vulnerability in the Advanced Packages ...) NOT-FOR-US: Huawei CVE-2019-5277 (Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak v ...) NOT-FOR-US: Huawei CVE-2019-5276 (Huawei smart phones with earlier versions than ELLE-AL00B 9.1.0.222(C0 ...) NOT-FOR-US: Huawei CVE-2019-5275 (USG9500 with versions of V500R001C30;V500R001C60 have a denial of serv ...) NOT-FOR-US: Huawei CVE-2019-5274 (USG9500 with versions of V500R001C30;V500R001C60 have a denial of serv ...) NOT-FOR-US: Huawei CVE-2019-5273 (USG9500 with versions of V500R001C30;V500R001C60 have a denial of serv ...) NOT-FOR-US: Huawei CVE-2019-5272 (USG9500 with versions of V500R001C30;V500R001C60 have a missing integr ...) NOT-FOR-US: Huawei CVE-2019-5271 (There is an information leak vulnerability in Huawei smart speaker Myn ...) NOT-FOR-US: Huawei CVE-2019-5270 RESERVED CVE-2019-5269 (Some Huawei home routers have an improper authorization vulnerability. ...) NOT-FOR-US: Huawei CVE-2019-5268 (Some Huawei home routers have an input validation vulnerability. Due t ...) NOT-FOR-US: Huawei CVE-2019-5267 (Huawei OceanStor SNS3096 V100R002C01 have an information disclosure vu ...) NOT-FOR-US: Huawei CVE-2019-5266 (Huawei Share function in P30 9.1.0.193(C00E190R2P1) smartphone has an ...) NOT-FOR-US: Huawei CVE-2019-5265 (Huawei Share function in P30 9.1.0.193(C00E190R2P1) smartphone has an ...) NOT-FOR-US: Huawei CVE-2019-5264 (There is an information disclosure vulnerability in certain Huawei sma ...) NOT-FOR-US: Huawei CVE-2019-5263 (HiSuite with 9.1.0.305 and earlier versions and 9.1.0.305(MAC) and ear ...) NOT-FOR-US: Huawei CVE-2019-5262 RESERVED CVE-2019-5261 RESERVED CVE-2019-5260 (Huawei smartphones HUAWEI Y9 2019 and Honor View 20 have a denial of s ...) NOT-FOR-US: Huawei CVE-2019-5259 (There is an information leakage vulnerability on some Huawei products( ...) NOT-FOR-US: Huawei CVE-2019-5258 (Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600 ...) NOT-FOR-US: Huawei CVE-2019-5257 (Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600 ...) NOT-FOR-US: Huawei CVE-2019-5256 (Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600 ...) NOT-FOR-US: Huawei CVE-2019-5255 (Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600 ...) NOT-FOR-US: Huawei CVE-2019-5254 (Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600 ...) NOT-FOR-US: Huawei CVE-2019-5253 (E5572-855 with versions earlier than 8.0.1.3(H335SP1C233) has an impro ...) NOT-FOR-US: Huawei CVE-2019-5252 (There is an improper authentication vulnerability in Huawei smartphone ...) NOT-FOR-US: Huawei CVE-2019-5251 (There is a path traversal vulnerability in several Huawei smartphones. ...) NOT-FOR-US: Huawei CVE-2019-5250 (Mate 20 Pro smartphones with versions earlier than 9.1.0.135(C00E133R3 ...) NOT-FOR-US: Mate 20 Pro smartphones CVE-2019-5249 RESERVED CVE-2019-5248 (CloudEngine 12800 has a DoS vulnerability. An attacker of a neighborin ...) NOT-FOR-US: CloudEngine 12800 CVE-2019-5247 (Huawei Atlas 300, Atlas 500 have a buffer overflow vulnerability. A lo ...) NOT-FOR-US: Huawei CVE-2019-5246 (Smartphones with software of ELLE-AL00B 9.1.0.109(C00E106R1P21), 9.1.0 ...) NOT-FOR-US: Huawei CVE-2019-5245 (HiSuite 9.1.0.300 versions and earlier contains a DLL hijacking vulner ...) NOT-FOR-US: Huawei CVE-2019-5244 (Mate 9 Pro Huawei smartphones earlier than LON-L29C 8.0.0.361(C636) ve ...) NOT-FOR-US: Huawei CVE-2019-5243 (There is a Clickjacking vulnerability in Huawei HG255s product. An att ...) NOT-FOR-US: Huawei CVE-2019-5242 (There is a code execution vulnerability in Huawei PCManager versions e ...) NOT-FOR-US: Huawei CVE-2019-5241 (There is a privilege escalation vulnerability in Huawei PCManager vers ...) NOT-FOR-US: Huawei CVE-2019-5240 RESERVED CVE-2019-5239 (Huawei PCManager with the versions before 9.0.1.66 (Oversea) and versi ...) NOT-FOR-US: Huawei CVE-2019-5238 (Huawei PCManager with the versions before 9.0.1.66 (Oversea) and versi ...) NOT-FOR-US: Huawei CVE-2019-5237 (Huawei PCManager with the versions before 9.0.1.66 (Oversea) and versi ...) NOT-FOR-US: Huawei CVE-2019-5236 (Huawei smart phones Emily-L29C with versions of 8.1.0.132a(C432), 8.1. ...) NOT-FOR-US: Huawei CVE-2019-5235 (Some Huawei smart phones have a null pointer dereference vulnerability ...) NOT-FOR-US: Huawei CVE-2019-5234 RESERVED CVE-2019-5233 (Huawei smartphones with versions earlier than Taurus-AL00B 10.0.0.41(S ...) NOT-FOR-US: Huawei CVE-2019-5232 (There is a use of insufficiently random values vulnerability in Huawei ...) NOT-FOR-US: Huawei CVE-2019-5231 (P30 smartphones with versions earlier than ELLE-AL00B 9.1.0.186(C00E18 ...) NOT-FOR-US: Huawei CVE-2019-5230 (P20 Pro, P20, Mate RS smartphones with versions earlier than Charlotte ...) NOT-FOR-US: Huawei CVE-2019-5229 (P30 smartphones with versions earlier than ELLE-AL00B 9.1.0.193(C00E19 ...) NOT-FOR-US: P30 smartphones CVE-2019-5228 (Certain detection module of P30, P30 Pro, Honor V20 smartphone whith V ...) NOT-FOR-US: Huawei CVE-2019-5227 (P30, P30 Pro, Mate 20 smartphones with software of versions earlier th ...) NOT-FOR-US: Huawei CVE-2019-5226 (P30, P30 Pro, Mate 20 smartphones with software of versions earlier th ...) NOT-FOR-US: Huawei CVE-2019-5225 (P30, Mate 20, P30 Pro smartphones with software of versions earlier th ...) NOT-FOR-US: Huawei CVE-2019-5224 (P30 smartphones with versions earlier than ELLE-AL00B 9.1.0.193(C00E19 ...) NOT-FOR-US: Huawei CVE-2019-5223 (PCManager 9.1.3.1 has an improper authentication vulnerability. The ce ...) NOT-FOR-US: PCManager CVE-2019-5222 (There is an information disclosure vulnerability on Secure Input of ce ...) NOT-FOR-US: Huawei CVE-2019-5221 (There is a path traversal vulnerability on Huawei Share. The software ...) NOT-FOR-US: Huawei CVE-2019-5220 (There is a Factory Reset Protection (FRP) bypass vulnerability on seve ...) NOT-FOR-US: Huawei CVE-2019-5219 (There is a double free vulnerability on certain drivers of Huawei Mate ...) NOT-FOR-US: Huawei CVE-2019-5218 (There is an insufficient authentication vulnerability in Huawei Band 2 ...) NOT-FOR-US: Huawei CVE-2019-5217 (There is an information disclosure vulnerability on Mate 9 Pro Huawei ...) NOT-FOR-US: Huawei CVE-2019-5216 (There is a race condition vulnerability on Huawei Honor V10 smartphone ...) NOT-FOR-US: Huawei CVE-2019-5215 (There is a man-in-the-middle (MITM) vulnerability on Huawei P30 smartp ...) NOT-FOR-US: Huawei CVE-2019-5214 (There is a use after free vulnerability on certain driver component in ...) NOT-FOR-US: Huawei CVE-2019-5213 (Honor play smartphones with versions earlier than Cornell-AL00A 9.1.0. ...) NOT-FOR-US: Honor play smartphones CVE-2019-5212 (There is an improper access control vulnerability in Huawei Share. The ...) NOT-FOR-US: Huawei CVE-2019-5211 (The Huawei Share function of P20 phones with versions earlier than Emi ...) NOT-FOR-US: Huawei CVE-2019-5210 (Nova 5i pro and Nova 5 smartphones with versions earlier than 9.1.1.19 ...) NOT-FOR-US: Huawei CVE-2019-5209 REJECTED CVE-2019-5208 REJECTED CVE-2019-5207 REJECTED CVE-2019-5206 REJECTED CVE-2019-5205 REJECTED CVE-2019-5204 RESERVED CVE-2019-5203 RESERVED CVE-2019-5202 RESERVED CVE-2019-5201 RESERVED CVE-2019-5200 RESERVED CVE-2019-5199 RESERVED CVE-2019-5198 RESERVED CVE-2019-5197 RESERVED CVE-2019-5196 RESERVED CVE-2019-5195 RESERVED CVE-2019-5194 RESERVED CVE-2019-5193 RESERVED CVE-2019-5192 RESERVED CVE-2019-5191 RESERVED CVE-2019-5190 RESERVED CVE-2019-5189 RESERVED CVE-2019-5188 (A code execution vulnerability exists in the directory rehashing funct ...) {DLA-2156-1} - e2fsprogs 1.45.5-1 (bug #948508) [buster] - e2fsprogs 1.44.5-1+deb10u3 [stretch] - e2fsprogs (Minor issue) NOTE: Fixed by: https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=8dd73c149f418238f19791f9d666089ef9734dff NOTE: Further hardening: https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=71ba137571ba13755337e19c9a826dfc874562a36e1b24d3 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973 CVE-2019-5187 (An exploitable out-of-bounds write vulnerability exists in the TIFread ...) NOT-FOR-US: Accusoft ImageGear CVE-2019-5186 (An exploitable stack buffer overflow vulnerability vulnerability exist ...) NOT-FOR-US: WAGO CVE-2019-5185 (An exploitable stack buffer overflow vulnerability vulnerability exist ...) NOT-FOR-US: WAGO CVE-2019-5184 (An exploitable double free vulnerability exists in the iocheckd servic ...) NOT-FOR-US: WAGO CVE-2019-5183 (An exploitable type confusion vulnerability exists in AMD ATIDXX64.DLL ...) NOT-FOR-US: AMD ATIDXX64.DLL driver CVE-2019-5182 (An exploitable stack buffer overflow vulnerability vulnerability exist ...) NOT-FOR-US: WAGO CVE-2019-5181 (An exploitable stack buffer overflow vulnerability vulnerability exist ...) NOT-FOR-US: WAGO CVE-2019-5180 (An exploitable stack buffer overflow vulnerability vulnerability exist ...) NOT-FOR-US: WAGO CVE-2019-5179 (An exploitable stack buffer overflow vulnerability vulnerability exist ...) NOT-FOR-US: WAGO CVE-2019-5178 (An exploitable stack buffer overflow vulnerability vulnerability exist ...) NOT-FOR-US: WAGO CVE-2019-5177 (An exploitable stack buffer overflow vulnerability vulnerability exist ...) NOT-FOR-US: WAGO CVE-2019-5176 (An exploitable stack buffer overflow vulnerability vulnerability exist ...) NOT-FOR-US: WAGO CVE-2019-5175 (An exploitable command injection vulnerability exists in the iocheckd ...) NOT-FOR-US: WAGO CVE-2019-5174 (An exploitable command injection vulnerability exists in the iocheckd ...) NOT-FOR-US: WAGO CVE-2019-5173 (An exploitable command injection vulnerability exists in the iocheckd ...) NOT-FOR-US: WAGO CVE-2019-5172 (An exploitable command injection vulnerability exists in the iocheckd ...) NOT-FOR-US: WAGO CVE-2019-5171 (An exploitable command injection vulnerability exists in the iocheckd ...) NOT-FOR-US: WAGO CVE-2019-5170 (An exploitable command injection vulnerability exists in the iocheckd ...) NOT-FOR-US: WAGO CVE-2019-5169 (An exploitable command injection vulnerability exists in the iocheckd ...) NOT-FOR-US: WAGO CVE-2019-5168 (An exploitable command injection vulnerability exists in the iocheckd ...) NOT-FOR-US: WAGO CVE-2019-5167 (An exploitable command injection vulnerability exists in the iocheckd ...) NOT-FOR-US: WAGO CVE-2019-5166 (An exploitable stack buffer overflow vulnerability exists in the ioche ...) NOT-FOR-US: WAGO CVE-2019-5165 (An exploitable authentication bypass vulnerability exists in the hostn ...) NOT-FOR-US: Moxa CVE-2019-5164 (An exploitable code execution vulnerability exists in the ss-manager b ...) - shadowsocks-libev 3.3.3+ds-2 [buster] - shadowsocks-libev (Minor issue) [stretch] - shadowsocks-libev (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0958 NOTE: https://github.com/shadowsocks/shadowsocks-libev/issues/2537 NOTE: Mitigation: Using a unix socket with ss-manager via --manager-socket. NOTE: Exposing ss-manager to pubic is always dangerous. CVE-2019-5163 (An exploitable denial-of-service vulnerability exists in the UDPRelay ...) - shadowsocks-libev 3.3.3+ds-2 [buster] - shadowsocks-libev (Minor issue) [stretch] - shadowsocks-libev (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0956 NOTE: https://github.com/shadowsocks/shadowsocks-libev/issues/2536 CVE-2019-5162 (An exploitable improper access control vulnerability exists in the iw_ ...) NOT-FOR-US: Moxa CVE-2019-5161 (An exploitable remote code execution vulnerability exists in the Cloud ...) NOT-FOR-US: WAGO CVE-2019-5160 (An exploitable improper host validation vulnerability exists in the Cl ...) NOT-FOR-US: WAGO CVE-2019-5159 (An exploitable improper input validation vulnerability exists in the f ...) NOT-FOR-US: WAGO CVE-2019-5158 (An exploitable firmware downgrade vulnerability exists in the firmware ...) NOT-FOR-US: WAGO CVE-2019-5157 (An exploitable command injection vulnerability exists in the Cloud Con ...) NOT-FOR-US: WAGO CVE-2019-5156 (An exploitable command injection vulnerability exists in the cloud con ...) NOT-FOR-US: WAGO CVE-2019-5155 (An exploitable command injection vulnerability exists in the cloud con ...) NOT-FOR-US: WAGO CVE-2019-5154 (An exploitable heap overflow vulnerability exists in the JPEG2000 pars ...) NOT-FOR-US: LEADTOOLS CVE-2019-5153 (An exploitable remote code execution vulnerability exists in the iw_we ...) NOT-FOR-US: Moxa CVE-2019-5152 (An exploitable information disclosure vulnerability exists in the netw ...) - shadowsocks-libev (unimportant) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0942 NOTE: https://github.com/shadowsocks/shadowsocks-libev/issues/2525 NOTE: Upstream has no plan to remove stream ciphers as per NOTE: https://github.com/shadowsocks/shadowsocks-libev/issues/2525#issuecomment-557551274 NOTE: Documented insecure use case provided for backwards compatibility. CVE-2019-5151 (An exploitable SQL injection vulnerability exist in YouPHPTube 7.7. A ...) NOT-FOR-US: YouPHPTube CVE-2019-5150 (An exploitable SQL injection vulnerability exist in YouPHPTube 7.7. Wh ...) NOT-FOR-US: YouPHPTube CVE-2019-5149 (The WBM web application on firmwares prior to 03.02.02 and 03.01.07 on ...) NOT-FOR-US: WAGO CVE-2019-5148 (An exploitable denial-of-service vulnerability exists in ServiceAgent ...) NOT-FOR-US: Moxa CVE-2019-5147 (An exploitable out-of-bounds read vulnerability exists in AMD ATIDXX64 ...) NOT-FOR-US: AMD ATIDXX64.DLL driver CVE-2019-5146 (An exploitable out-of-bounds read vulnerability exists in AMD ATIDXX64 ...) NOT-FOR-US: AMD ATIDXX64.DLL driver CVE-2019-5145 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit PDF Reader CVE-2019-5144 (An exploitable heap underflow vulnerability exists in the derive_taps_ ...) NOT-FOR-US: Kakadu Software SDK CVE-2019-5143 (An exploitable format string vulnerability exists in the iw_console co ...) NOT-FOR-US: Moxa CVE-2019-5142 (An exploitable command injection vulnerability exists in the hostname ...) NOT-FOR-US: Moxa CVE-2019-5141 (An exploitable command injection vulnerability exists in the iw_webs f ...) NOT-FOR-US: Moxa CVE-2019-5140 (An exploitable command injection vulnerability exists in the iwwebs fu ...) NOT-FOR-US: Moxa CVE-2019-5139 (An exploitable use of hard-coded credentials vulnerability exists in m ...) NOT-FOR-US: Moxa CVE-2019-5138 (An exploitable command injection vulnerability exists in encrypted dia ...) NOT-FOR-US: Moxa CVE-2019-5137 (The usage of hard-coded cryptographic keys within the ServiceAgent bin ...) NOT-FOR-US: Moxa CVE-2019-5136 (An exploitable privilege escalation vulnerability exists in the iw_con ...) NOT-FOR-US: Moxa CVE-2019-5135 (An exploitable timing discrepancy vulnerability exists in the authenti ...) NOT-FOR-US: WAGO CVE-2019-5134 (An exploitable regular expression without anchors vulnerability exists ...) NOT-FOR-US: WAGO CVE-2019-5133 (An exploitable out-of-bounds write vulnerability exists in the igcore1 ...) NOT-FOR-US: ImageGear CVE-2019-5132 (An exploitable out-of-bounds write vulnerability exists in the igcore1 ...) NOT-FOR-US: ImageGear CVE-2019-5131 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit PDF Reader CVE-2019-5130 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit PDF Reader CVE-2019-5129 (A command injection have been found in YouPHPTube Encoder. A successfu ...) NOT-FOR-US: YouPHPTube Encoder CVE-2019-5128 (A command injection have been found in YouPHPTube Encoder. A successfu ...) NOT-FOR-US: YouPHPTube Encoder CVE-2019-5127 (A command injection have been found in YouPHPTube Encoder. A successfu ...) NOT-FOR-US: YouPHPTube Encoder CVE-2019-5126 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit PDF Reader CVE-2019-5125 (An exploitable heap overflow vulnerability exists in the JPEG2000 pars ...) NOT-FOR-US: LEADTOOLS CVE-2019-5124 (An exploitable out-of-bounds read vulnerability exists in AMD ATIDXX64 ...) NOT-FOR-US: AMD ATIDXX64.DLL driver CVE-2019-5123 (Specially crafted web requests can cause SQL injections in YouPHPTube ...) NOT-FOR-US: YouPHPTube CVE-2019-5122 (SQL injection vulnerabilities exists in the authenticated part of YouP ...) NOT-FOR-US: YouPHPTube CVE-2019-5121 (SQL injection vulnerabilities exists in the authenticated part of YouP ...) NOT-FOR-US: YouPHPTube CVE-2019-5120 (An exploitable SQL injection vulnerability exists in the authenticated ...) NOT-FOR-US: YouPHPTube CVE-2019-5119 (An exploitable SQL injection vulnerability exist in the authenticated ...) NOT-FOR-US: YouPHPTube CVE-2019-5118 RESERVED CVE-2019-5117 (Exploitable SQL injection vulnerabilities exists in the authenticated ...) NOT-FOR-US: YouPHPTube CVE-2019-5116 (An exploitable SQL injection vulnerability exists in the authenticated ...) NOT-FOR-US: YouPHPTube CVE-2019-5115 RESERVED CVE-2019-5114 (An exploitable SQL injection vulnerability exists in the authenticated ...) NOT-FOR-US: YouPHPTube CVE-2019-5113 RESERVED CVE-2019-5112 (Exploitable SQL injection vulnerability exists in the authenticated po ...) NOT-FOR-US: Forma LMS CVE-2019-5111 (Exploitable SQL injection vulnerability exists in the authenticated po ...) NOT-FOR-US: Forma LMS CVE-2019-5110 (Exploitable SQL injection vulnerabilities exist in the authenticated p ...) NOT-FOR-US: Forma LMS CVE-2019-5109 (Exploitable SQL injection vulnerabilities exists in the authenticated ...) NOT-FOR-US: Forma LMS CVE-2019-5108 (An exploitable denial-of-service vulnerability exists in the Linux ker ...) {DSA-4698-1 DLA-2242-1 DLA-2241-1} - linux 5.3.7-1 [buster] - linux 4.19.98-1 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0900 NOTE: https://git.kernel.org/linus/3e493173b7841259a08c5c8e5cbe90adb349da7e CVE-2019-5107 (A cleartext transmission vulnerability exists in the network communica ...) NOT-FOR-US: WAGO CVE-2019-5106 (A hard-coded encryption key vulnerability exists in the authentication ...) NOT-FOR-US: WAGO CVE-2019-5105 (An exploitable memory corruption vulnerability exists in the Name Serv ...) NOT-FOR-US: 3S-Smart Software Solutions CODESYS GatewayService CVE-2019-5104 REJECTED CVE-2019-5103 RESERVED CVE-2019-5102 (An exploitable information leak vulnerability exists in the ustream-ss ...) NOT-FOR-US: ustream-ssl library of OpenWrt CVE-2019-5101 (An exploitable information leak vulnerability exists in the ustream-ss ...) NOT-FOR-US: ustream-ssl library of OpenWrt CVE-2019-5100 (An exploitable integer overflow vulnerability exists in the BMP header ...) NOT-FOR-US: LEADTOOLS CVE-2019-5099 (An exploitable integer underflow vulnerability exists in the CMP-parsi ...) NOT-FOR-US: LEADTOOLS CVE-2019-5098 (An exploitable out-of-bounds read vulnerability exists in AMD ATIDXX64 ...) NOT-FOR-US: AMD ATIDXX64.DLL driver CVE-2019-5097 (A denial-of-service vulnerability exists in the processing of multi-pa ...) NOT-FOR-US: GoAhead CVE-2019-5096 (An exploitable code execution vulnerability exists in the processing o ...) NOT-FOR-US: GoAhead CVE-2019-5095 (An issue summary information disclosure vulnerability exists in Atlass ...) NOT-FOR-US: Atlassian CVE-2019-5094 (An exploitable code execution vulnerability exists in the quota file f ...) {DSA-4535-1 DLA-1935-1} - e2fsprogs 1.45.4-1 (bug #941139) NOTE: https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?h=maint&id=8dbe7b475ec5e91ed767239f0e85880f416fc384 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887 CVE-2019-5093 (An exploitable code execution vulnerability exists in the DICOM networ ...) NOT-FOR-US: LEADTOOLS CVE-2019-5092 (An exploitable heap out of bounds write vulnerability exists in the UI ...) NOT-FOR-US: LEADTOOLS CVE-2019-5091 (An exploitable denial-of-service vulnerability exists in the Dicom-pac ...) NOT-FOR-US: LEADTOOLS CVE-2019-5090 (An exploitable information disclosure vulnerability exists in the DICO ...) NOT-FOR-US: LEADTOOLS CVE-2019-5089 (An exploitable memory corruption vulnerability exists in Investintech ...) NOT-FOR-US: Investintech CVE-2019-5088 (An exploitable memory corruption vulnerability exists in Investintech ...) NOT-FOR-US: Investintech CVE-2019-5087 (An exploitable integer overflow vulnerability exists in the flattenInc ...) - xcftools (bug #945317) NOTE: https://github.com/j-jorge/xcftools/issues/13 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0879 CVE-2019-5086 (An exploitable integer overflow vulnerability exists in the flattenInc ...) - xcftools (bug #945317) NOTE: https://github.com/j-jorge/xcftools/issues/12 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0878 CVE-2019-5085 (An exploitable code execution vulnerability exists in the DICOM packet ...) NOT-FOR-US: LEADTOOLS CVE-2019-5084 (An exploitable heap out-of-bounds write vulnerability exists in the TI ...) NOT-FOR-US: LEADTOOLS CVE-2019-5083 (An exploitable out-of-bounds write vulnerability exists in the igcore1 ...) NOT-FOR-US: Accusoft ImageGear CVE-2019-5082 (An exploitable heap buffer overflow vulnerability exists in the iochec ...) NOT-FOR-US: WAGO Firmware CVE-2019-5081 (An exploitable heap buffer overflow vulnerability exists in the iochec ...) NOT-FOR-US: WAGO CVE-2019-5080 (An exploitable denial-of-service vulnerability exists in the iocheckd ...) NOT-FOR-US: WAGO CVE-2019-5079 (An exploitable heap buffer overflow vulnerability exists in the iochec ...) NOT-FOR-US: WAGO CVE-2019-5078 (An exploitable denial of service vulnerability exists in the iocheckd ...) NOT-FOR-US: WAGO CVE-2019-5077 (An exploitable denial-of-service vulnerability exists in the iocheckd ...) NOT-FOR-US: WAGO CVE-2019-5076 (An exploitable out-of-bounds write vulnerability exists in the igcore1 ...) NOT-FOR-US: Accusoft ImageGear CVE-2019-5075 (An exploitable stack buffer overflow vulnerability exists in the comma ...) NOT-FOR-US: WAGO CVE-2019-5074 (An exploitable stack buffer overflow vulnerability exists in the ioche ...) NOT-FOR-US: WAGO CVE-2019-5073 (An exploitable information exposure vulnerability exists in the iochec ...) NOT-FOR-US: WAGO CVE-2019-5072 (An exploitable command injection vulnerability exists in the /goform/W ...) NOT-FOR-US: Tenda CVE-2019-5071 (An exploitable command injection vulnerability exists in the /goform/W ...) NOT-FOR-US: Tenda CVE-2019-5070 (An exploitable SQL injection vulnerability exists in the unauthenticat ...) NOT-FOR-US: eFront LMS CVE-2019-5069 (A code execution vulnerability exists in Epignosis eFront LMS v5.2.12. ...) NOT-FOR-US: Epignosis eFront LMS CVE-2019-5068 (An exploitable shared memory permissions vulnerability exists in the f ...) {DLA-1993-1} - mesa 19.2.6-1 (low; bug #944298) [buster] - mesa 18.3.6-2+deb10u1 [stretch] - mesa (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0857 NOTE: https://lists.freedesktop.org/pipermail/mesa-dev/2019-October/223704.html NOTE: https://cgit.freedesktop.org/mesa/mesa/commit/?id=02c3dad0f3b4d26e0faa5cc51d06bc50d693dcdc CVE-2019-5067 (An uninitialized memory access vulnerability exists in the way Aspose. ...) NOT-FOR-US: Aspose CVE-2019-5066 (An exploitable use-after-free vulnerability exists in the way LZW-comp ...) NOT-FOR-US: Aspose CVE-2019-5065 (An exploitable information disclosure vulnerability exists in the pack ...) NOT-FOR-US: Blynk CVE-2019-5064 (An exploitable heap buffer overflow vulnerability exists in the data s ...) [experimental] - opencv 4.2.0+dfsg-1 - opencv (bug #948180) [buster] - opencv (Vulnerable code introduced later) [stretch] - opencv (Vulnerable code introduced later) [jessie] - opencv (The vulnerable code was introduced later) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0853 NOTE: Fixed by: https://github.com/opencv/opencv/commit/f42d5399aac80d371b17d689851406669c9b9111 (4.2.0) NOTE: https://github.com/opencv/opencv/issues/15857 NOTE: Persistence implementation refactored in: https://github.com/opencv/opencv/pull/13011 CVE-2019-5063 (An exploitable heap buffer overflow vulnerability exists in the data s ...) [experimental] - opencv 4.2.0+dfsg-1 - opencv (bug #948180) [buster] - opencv (Vulnerable code introduced later) [stretch] - opencv (Vulnerable code introduced later) [jessie] - opencv (The vulnerable code was introduced later) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0852 NOTE: Fixed by: https://github.com/opencv/opencv/commit/f42d5399aac80d371b17d689851406669c9b9111 (4.2.0) NOTE: https://github.com/opencv/opencv/issues/15857 NOTE: Persistence implementation refactored in: https://github.com/opencv/opencv/pull/13011 CVE-2019-5062 (An exploitable denial-of-service vulnerability exists in the 802.11w s ...) - wpa (unimportant) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0850 NOTE: Issue is not considered the report recieved bogus and at most with very NOTE: negligible impact. Issue likely would need to be disputed or rejected. CVE-2019-5061 (An exploitable denial-of-service vulnerability exists in the hostapd 2 ...) - wpa 2:2.9+git20200213+877d9a0-1 (unimportant) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0849 NOTE: https://w1.fi/cgit/hostap/commit/?id=018edec9b2bd3db20605117c32ff79c1e625c432 NOTE: removes IAPP functionality from hostapd. IAPP implementation furthermore NOTE: was never really completed on wpa side and this obsoleted functionality in NOTE: hostapd had been moved to the kernel driver already. CVE-2019-5060 (An exploitable code execution vulnerability exists in the XPM image re ...) - libsdl2-image 2.0.5+dfsg1-1 [buster] - libsdl2-image (Minor issue) [stretch] - libsdl2-image (Minor issue) [jessie] - libsdl2-image (Minor issue) - sdl-image1.2 1.2.12-12 [buster] - sdl-image1.2 (Minor issue) [stretch] - sdl-image1.2 (Minor issue) [jessie] - sdl-image1.2 (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0844 NOTE: https://hg.libsdl.org/SDL_image/rev/26061e601c81 CVE-2019-5059 (An exploitable code execution vulnerability exists in the XPM image re ...) - libsdl2-image 2.0.5+dfsg1-1 [buster] - libsdl2-image (Minor issue) [stretch] - libsdl2-image (Minor issue) [jessie] - libsdl2-image (Minor issue) - sdl-image1.2 1.2.12-12 [buster] - sdl-image1.2 (Minor issue) [stretch] - sdl-image1.2 (Minor issue) [jessie] - sdl-image1.2 (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0843 NOTE: https://hg.libsdl.org/SDL_image/rev/95fc7da55247 CVE-2019-5058 (An exploitable code execution vulnerability exists in the XCF image re ...) - libsdl2-image 2.0.5+dfsg1-1 (bug #932754) [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1 [stretch] - libsdl2-image 2.0.1+dfsg-2+deb9u2 [jessie] - libsdl2-image 2.0.0+dfsg-3+deb8u2 - sdl-image1.2 1.2.12-11 (bug #932755) [buster] - sdl-image1.2 1.2.12-10+deb10u1 [stretch] - sdl-image1.2 1.2.12-5+deb9u2 [jessie] - sdl-image1.2 1.2.12-5+deb8u2 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0842 NOTE: https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10 NOTE: CVE-2019-5058 can be considered a CVE for an incomplete fix for CVE-2018-3977. CVE-2019-5057 (An exploitable code execution vulnerability exists in the PCX image-re ...) - libsdl2-image 2.0.5+dfsg1-1 (bug #932754) [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1 [stretch] - libsdl2-image 2.0.1+dfsg-2+deb9u2 [jessie] - libsdl2-image (Minor issue) - sdl-image1.2 1.2.12-11 (bug #932755) [buster] - sdl-image1.2 1.2.12-10+deb10u1 [stretch] - sdl-image1.2 1.2.12-5+deb9u2 [jessie] - sdl-image1.2 (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0841 NOTE: https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb CVE-2019-5056 RESERVED CVE-2019-5055 (An exploitable denial-of-service vulnerability exists in the Host Acce ...) NOT-FOR-US: Netgear CVE-2019-5054 (An exploitable denial-of-service vulnerability exists in the session h ...) NOT-FOR-US: Netgear CVE-2019-5053 (An exploitable use-after-free vulnerability exists in the Length parsi ...) NOT-FOR-US: NitroPDF CVE-2019-5052 (An exploitable integer overflow vulnerability exists when loading a PC ...) {DLA-1865-1 DLA-1861-1} - libsdl2-image 2.0.5+dfsg1-1 (bug #932754) [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1 [stretch] - libsdl2-image 2.0.1+dfsg-2+deb9u2 - sdl-image1.2 1.2.12-11 (bug #932755) [buster] - sdl-image1.2 1.2.12-10+deb10u1 [stretch] - sdl-image1.2 1.2.12-5+deb9u2 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0821 NOTE: https://hg.libsdl.org/SDL_image/rev/b920be2b3fc6 CVE-2019-5051 (An exploitable heap-based buffer overflow vulnerability exists when lo ...) {DLA-1865-1 DLA-1861-1} - libsdl2-image 2.0.5+dfsg1-1 (bug #932754) [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1 [stretch] - libsdl2-image 2.0.1+dfsg-2+deb9u2 - sdl-image1.2 1.2.12-11 (bug #932755) [buster] - sdl-image1.2 1.2.12-10+deb10u1 [stretch] - sdl-image1.2 1.2.12-5+deb9u2 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0820 NOTE: https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34 CVE-2019-5050 (A specifically crafted PDF file can lead to a heap corruption when ope ...) NOT-FOR-US: NitroPDF CVE-2019-5049 (An exploitable memory corruption vulnerability exists in AMD ATIDXX64. ...) NOT-FOR-US: AMD Windows driver CVE-2019-5048 (A specifically crafted PDF file can lead to a heap corruption when ope ...) NOT-FOR-US: NitroPDF CVE-2019-5047 (An exploitable Use After Free vulnerability exists in the CharProcs pa ...) NOT-FOR-US: NitroPDF CVE-2019-5046 (A specifically crafted jpeg2000 file embedded in a PDF file can lead t ...) NOT-FOR-US: NitroPDF CVE-2019-5045 (A specifically crafted jpeg2000 file embedded in a PDF file can lead t ...) NOT-FOR-US: NitroPDF CVE-2019-5044 REJECTED CVE-2019-5043 (An exploitable denial-of-service vulnerability exists in the Weave dae ...) NOT-FOR-US: Nest CVE-2019-5042 (An exploitable Use-After-Free vulnerability exists in the way Function ...) NOT-FOR-US: Aspose CVE-2019-5041 (An exploitable Stack Based Buffer Overflow vulnerability exists in the ...) NOT-FOR-US: Aspose CVE-2019-5040 (An exploitable information disclosure vulnerability exists in the Weav ...) NOT-FOR-US: OpenWeave CVE-2019-5039 (An exploitable command execution vulnerability exists in the ASN1 cert ...) NOT-FOR-US: OpenWeave CVE-2019-5038 (An exploitable command execution vulnerability exists in the print-tlv ...) NOT-FOR-US: OpenWeave CVE-2019-5037 (An exploitable denial-of-service vulnerability exists in the Weave cer ...) NOT-FOR-US: Nest CVE-2019-5036 (An exploitable denial-of-service vulnerability exists in the Weave err ...) NOT-FOR-US: Nest CVE-2019-5035 (An exploitable information disclosure vulnerability exists in the Weav ...) NOT-FOR-US: Nest CVE-2019-5034 (An exploitable information disclosure vulnerability exists in the Weav ...) NOT-FOR-US: Nest CVE-2019-5033 (An exploitable out-of-bounds read vulnerability exists in the Number r ...) NOT-FOR-US: Aspose CVE-2019-5032 (An exploitable out-of-bounds read vulnerability exists in the LabelSst ...) NOT-FOR-US: Aspose CVE-2019-5031 (An exploitable memory corruption vulnerability exists in the JavaScrip ...) NOT-FOR-US: Foxit PDF Reader CVE-2019-5030 (A buffer overflow vulnerability exists in the PowerPoint document conv ...) NOT-FOR-US: Rainbow PDF Office Server Document Converter CVE-2019-5029 (An exploitable command injection vulnerability exists in the Config ed ...) NOT-FOR-US: Exhibitor Web UI CVE-2019-5028 REJECTED CVE-2019-5027 REJECTED CVE-2019-5026 REJECTED CVE-2019-5025 REJECTED CVE-2019-5024 (A restricted environment escape vulnerability exists in the "kiosk mod ...) NOT-FOR-US: Capsule Technologies SmartLinx Neuron CVE-2019-5023 (An exploitable vulnerability exists in the grsecurity PaX patch for th ...) - linux-grsec CVE-2019-5022 REJECTED CVE-2019-5021 (Versions of the Official Alpine Linux Docker images (since v3.3) conta ...) NOT-FOR-US: Official Alpine Linux Docker images CVE-2019-5020 (An exploitable denial of service vulnerability exists in the object lo ...) - yara 3.9.0-1 [stretch] - yara (dex module introduced in 3.8.0) [jessie] - yara (dex module introduced in 3.8.0) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0781 NOTE: https://github.com/VirusTotal/yara/issues/1023 NOTE: https://github.com/VirusTotal/yara/commit/1ecb0e66431bf5c5b4c2fdf622be969eb5f4a7cc NOTE: https://github.com/VirusTotal/yara/commit/a3784d3855029bd0ad24071e72746cc0c31b8cba CVE-2019-5019 (A heap-based overflow vulnerability exists in the PowerPoint document ...) NOT-FOR-US: Rainbow PDF Office Server Document Converter CVE-2019-5018 (An exploitable use after free vulnerability exists in the window funct ...) - sqlite3 3.27.2-3 (bug #928770) [stretch] - sqlite3 (windowfuncs introduced in 3.25.0) [jessie] - sqlite3 (windowfuncs introduced in 3.25.0) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0777 CVE-2019-5017 (An exploitable information disclosure vulnerability exists in the KCod ...) NOT-FOR-US: NETGEAR CVE-2019-5016 (An exploitable arbitrary memory read vulnerability exists in the KCode ...) NOT-FOR-US: NETGEAR CVE-2019-5015 (A local privilege escalation vulnerability exists in the Mac OS X vers ...) NOT-FOR-US: Apple CVE-2019-5014 (An exploitable improper access control vulnerability exists in the blu ...) NOT-FOR-US: Winco Fireworks FireFly FW-1007 CVE-2019-5013 (An exploitable privilege escalation vulnerability exists in the Wacom, ...) NOT-FOR-US: Wacom MacOS driver CVE-2019-5012 (An exploitable privilege escalation vulnerability exists in the Wacom, ...) NOT-FOR-US: Wacom MacOS driver CVE-2019-5011 (An exploitable privilege escalation vulnerability exists in the helper ...) NOT-FOR-US: CleanMyMac CVE-2019-5010 (An exploitable denial-of-service vulnerability exists in the X509 cert ...) {DLA-1834-1 DLA-1663-1} - python3.7 3.7.2-2 (bug #921064) - python3.6 (bug #921063) - python3.5 [stretch] - python3.5 (Minor issue, can be fixed along in a future DSA) - python3.4 - python2.7 2.7.15-6 (bug #921040) [stretch] - python2.7 (Minor issue, can be fixed along in a future DSA) NOTE: https://bugs.python.org/issue35746 NOTE: https://github.com/python/cpython/pull/11569 NOTE: https://github.com/python/cpython/commit/be5de958e9052e322b0087c6dba81cdad0c3e031 (3.7.x) NOTE: https://github.com/python/cpython/commit/216a4d83c3b72f4fdcd81b588dc3f42cc461739a (3.6.x) NOTE: https://github.com/python/cpython/commit/06b15424b0dcacb1c551b2a36e739fffa8d0c595 (2.7.x) CVE-2019-5009 (Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extens ...) NOT-FOR-US: Vtiger CRM CVE-2018-20673 (The demangle_template function in cplus-dem.c in GNU libiberty, as dis ...) - binutils (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24039 NOTE: binutils not covered by security support CVE-2018-20672 RESERVED CVE-2018-20671 (load_specific_debug_section in objdump.c in GNU Binutils through 2.31. ...) - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24005 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=11fa9f134fd658075c6f74499c780df045d9e9ca NOTE: binutils not covered by security support CVE-2018-20670 RESERVED CVE-2019-5008 (hw/sparc64/sun4u.c in QEMU 3.1.50 is vulnerable to a NULL pointer dere ...) - qemu 1:3.1+dfsg-8 (low; bug #927439) [buster] - qemu 1:3.1+dfsg-8~deb10u1 [stretch] - qemu (Minor issue) [jessie] - qemu (Vulnerable code not present) - qemu-kvm NOTE: https://fakhrizulkifli.github.io/posts/2019/01/03/CVE-2019-5008/ NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=ad280559c68360c9f1cd7be063857853759e6a73 (4.0.0-rc0) CVE-2019-5007 (An issue was discovered in Foxit Reader and PhantomPDF before 9.4 on W ...) NOT-FOR-US: Foxit Reader and PhantomPDF CVE-2019-5006 (An issue was discovered in Foxit Reader and PhantomPDF before 9.4 on W ...) NOT-FOR-US: Foxit Reader and PhantomPDF CVE-2019-5005 (An issue was discovered in Foxit Reader and PhantomPDF before 9.4 on W ...) NOT-FOR-US: Foxit Reader and PhantomPDF CVE-2019-5004 RESERVED CVE-2019-5003 REJECTED CVE-2019-5002 REJECTED CVE-2019-5001 REJECTED CVE-2019-5000 REJECTED CVE-2019-4999 REJECTED CVE-2019-4998 REJECTED CVE-2019-4997 REJECTED CVE-2019-4996 REJECTED CVE-2019-4995 REJECTED CVE-2019-4994 REJECTED CVE-2019-4993 REJECTED CVE-2019-4992 REJECTED CVE-2019-4991 REJECTED CVE-2019-4990 REJECTED CVE-2019-4989 REJECTED CVE-2019-4988 REJECTED CVE-2019-4987 REJECTED CVE-2019-4986 REJECTED CVE-2019-4985 REJECTED CVE-2019-4984 REJECTED CVE-2019-4983 REJECTED CVE-2019-4982 REJECTED CVE-2019-4981 REJECTED CVE-2019-4980 REJECTED CVE-2019-4979 REJECTED CVE-2019-4978 REJECTED CVE-2019-4977 REJECTED CVE-2019-4976 REJECTED CVE-2019-4975 REJECTED CVE-2019-4974 REJECTED CVE-2019-4973 REJECTED CVE-2019-4972 REJECTED CVE-2019-4971 REJECTED CVE-2019-4970 REJECTED CVE-2019-4969 REJECTED CVE-2019-4968 REJECTED CVE-2019-4967 REJECTED CVE-2019-4966 REJECTED CVE-2019-4965 REJECTED CVE-2019-4964 REJECTED CVE-2019-4963 REJECTED CVE-2019-4962 REJECTED CVE-2019-4961 REJECTED CVE-2019-4960 REJECTED CVE-2019-4959 REJECTED CVE-2019-4958 REJECTED CVE-2019-4957 REJECTED CVE-2019-4956 REJECTED CVE-2019-4955 REJECTED CVE-2019-4954 REJECTED CVE-2019-4953 REJECTED CVE-2019-4952 REJECTED CVE-2019-4951 REJECTED CVE-2019-4950 REJECTED CVE-2019-4949 REJECTED CVE-2019-4948 REJECTED CVE-2019-4947 REJECTED CVE-2019-4946 REJECTED CVE-2019-4945 REJECTED CVE-2019-4944 REJECTED CVE-2019-4943 REJECTED CVE-2019-4942 REJECTED CVE-2019-4941 REJECTED CVE-2019-4940 REJECTED CVE-2019-4939 REJECTED CVE-2019-4938 REJECTED CVE-2019-4937 REJECTED CVE-2019-4936 REJECTED CVE-2019-4935 REJECTED CVE-2019-4934 REJECTED CVE-2019-4933 REJECTED CVE-2019-4932 REJECTED CVE-2019-4931 REJECTED CVE-2019-4930 REJECTED CVE-2019-4929 REJECTED CVE-2019-4928 REJECTED CVE-2019-4927 REJECTED CVE-2019-4926 REJECTED CVE-2019-4925 REJECTED CVE-2019-4924 REJECTED CVE-2019-4923 REJECTED CVE-2019-4922 REJECTED CVE-2019-4921 REJECTED CVE-2019-4920 REJECTED CVE-2019-4919 REJECTED CVE-2019-4918 REJECTED CVE-2019-4917 REJECTED CVE-2019-4916 REJECTED CVE-2019-4915 REJECTED CVE-2019-4914 REJECTED CVE-2019-4913 REJECTED CVE-2019-4912 REJECTED CVE-2019-4911 REJECTED CVE-2019-4910 REJECTED CVE-2019-4909 REJECTED CVE-2019-4908 REJECTED CVE-2019-4907 REJECTED CVE-2019-4906 REJECTED CVE-2019-4905 REJECTED CVE-2019-4904 REJECTED CVE-2019-4903 REJECTED CVE-2019-4902 REJECTED CVE-2019-4901 REJECTED CVE-2019-4900 REJECTED CVE-2019-4899 REJECTED CVE-2019-4898 REJECTED CVE-2019-4897 REJECTED CVE-2019-4896 REJECTED CVE-2019-4895 REJECTED CVE-2019-4894 REJECTED CVE-2019-4893 REJECTED CVE-2019-4892 REJECTED CVE-2019-4891 REJECTED CVE-2019-4890 REJECTED CVE-2019-4889 REJECTED CVE-2019-4888 REJECTED CVE-2019-4887 REJECTED CVE-2019-4886 REJECTED CVE-2019-4885 REJECTED CVE-2019-4884 REJECTED CVE-2019-4883 REJECTED CVE-2019-4882 REJECTED CVE-2019-4881 REJECTED CVE-2019-4880 REJECTED CVE-2019-4879 REJECTED CVE-2019-4878 REJECTED CVE-2019-4877 REJECTED CVE-2019-4876 REJECTED CVE-2019-4875 REJECTED CVE-2019-4874 REJECTED CVE-2019-4873 REJECTED CVE-2019-4872 REJECTED CVE-2019-4871 REJECTED CVE-2019-4870 REJECTED CVE-2019-4869 REJECTED CVE-2019-4868 REJECTED CVE-2019-4867 REJECTED CVE-2019-4866 REJECTED CVE-2019-4865 REJECTED CVE-2019-4864 REJECTED CVE-2019-4863 REJECTED CVE-2019-4862 REJECTED CVE-2019-4861 REJECTED CVE-2019-4860 REJECTED CVE-2019-4859 REJECTED CVE-2019-4858 REJECTED CVE-2019-4857 REJECTED CVE-2019-4856 REJECTED CVE-2019-4855 REJECTED CVE-2019-4854 REJECTED CVE-2019-4853 REJECTED CVE-2019-4852 REJECTED CVE-2019-4851 REJECTED CVE-2019-4850 REJECTED CVE-2019-4849 REJECTED CVE-2019-4848 REJECTED CVE-2019-4847 REJECTED CVE-2019-4846 REJECTED CVE-2019-4845 REJECTED CVE-2019-4844 REJECTED CVE-2019-4843 REJECTED CVE-2019-4842 REJECTED CVE-2019-4841 REJECTED CVE-2019-4840 REJECTED CVE-2019-4839 REJECTED CVE-2019-4838 REJECTED CVE-2019-4837 REJECTED CVE-2019-4836 REJECTED CVE-2019-4835 REJECTED CVE-2019-4834 REJECTED CVE-2019-4833 REJECTED CVE-2019-4832 REJECTED CVE-2019-4831 REJECTED CVE-2019-4830 REJECTED CVE-2019-4829 REJECTED CVE-2019-4828 REJECTED CVE-2019-4827 REJECTED CVE-2019-4826 REJECTED CVE-2019-4825 REJECTED CVE-2019-4824 REJECTED CVE-2019-4823 REJECTED CVE-2019-4822 REJECTED CVE-2019-4821 REJECTED CVE-2019-4820 REJECTED CVE-2019-4819 REJECTED CVE-2019-4818 REJECTED CVE-2019-4817 REJECTED CVE-2019-4816 REJECTED CVE-2019-4815 REJECTED CVE-2019-4814 REJECTED CVE-2019-4813 REJECTED CVE-2019-4812 REJECTED CVE-2019-4811 REJECTED CVE-2019-4810 REJECTED CVE-2019-4809 REJECTED CVE-2019-4808 REJECTED CVE-2019-4807 REJECTED CVE-2019-4806 REJECTED CVE-2019-4805 REJECTED CVE-2019-4804 REJECTED CVE-2019-4803 REJECTED CVE-2019-4802 REJECTED CVE-2019-4801 REJECTED CVE-2019-4800 REJECTED CVE-2019-4799 REJECTED CVE-2019-4798 REJECTED CVE-2019-4797 REJECTED CVE-2019-4796 REJECTED CVE-2019-4795 REJECTED CVE-2019-4794 REJECTED CVE-2019-4793 REJECTED CVE-2019-4792 REJECTED CVE-2019-4791 REJECTED CVE-2019-4790 REJECTED CVE-2019-4789 REJECTED CVE-2019-4788 REJECTED CVE-2019-4787 REJECTED CVE-2019-4786 REJECTED CVE-2019-4785 REJECTED CVE-2019-4784 REJECTED CVE-2019-4783 REJECTED CVE-2019-4782 REJECTED CVE-2019-4781 REJECTED CVE-2019-4780 REJECTED CVE-2019-4779 REJECTED CVE-2019-4778 REJECTED CVE-2019-4777 REJECTED CVE-2019-4776 REJECTED CVE-2019-4775 REJECTED CVE-2019-4774 REJECTED CVE-2019-4773 REJECTED CVE-2019-4772 REJECTED CVE-2019-4771 REJECTED CVE-2019-4770 REJECTED CVE-2019-4769 REJECTED CVE-2019-4768 REJECTED CVE-2019-4767 REJECTED CVE-2019-4766 REJECTED CVE-2019-4765 REJECTED CVE-2019-4764 REJECTED CVE-2019-4763 REJECTED CVE-2019-4762 (IBM MQ 9.0 and 9.1 is vulnerable to a denial of service attack due to ...) NOT-FOR-US: IBM CVE-2019-4761 RESERVED CVE-2019-4760 RESERVED CVE-2019-4759 RESERVED CVE-2019-4758 RESERVED CVE-2019-4757 RESERVED CVE-2019-4756 RESERVED CVE-2019-4755 RESERVED CVE-2019-4754 RESERVED CVE-2019-4753 RESERVED CVE-2019-4752 (IBM Emptoris Spend Analysis and IBM Emptoris Strategic Supply Manageme ...) NOT-FOR-US: IBM CVE-2019-4751 (IBM Cloud App Management 2019.3.0 and 2019.4.0 reveals a stack trace o ...) NOT-FOR-US: IBM CVE-2019-4750 (IBM Cloud App Management 2019.3.0 and 2019.4.0 is vulnerable to cross- ...) NOT-FOR-US: IBM CVE-2019-4749 (IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. ...) NOT-FOR-US: IBM CVE-2019-4748 RESERVED CVE-2019-4747 RESERVED CVE-2019-4746 (IBM DOORS Next Generation (DNG/RRC) 6.0.2. 6.0.6, and 6.0.61 is vulner ...) NOT-FOR-US: IBM CVE-2019-4745 (IBM Maximo Asset Management 7.6.1.0 could allow a remote attacker to d ...) NOT-FOR-US: IBM CVE-2019-4744 (IBM Financial Transaction Manager 3.0 is vulnerable to cross-site scri ...) NOT-FOR-US: IBM CVE-2019-4743 (IBM Financial Transaction Manager 3.0 does not set the secure attribut ...) NOT-FOR-US: IBM CVE-2019-4742 (IBM Financial Transaction Manager 3.0 could allow a remote attacker to ...) NOT-FOR-US: IBM CVE-2019-4741 (IBM Content Navigator 3.0CD is vulnerable to Server Side Request Forge ...) NOT-FOR-US: IBM CVE-2019-4740 (IBM DOORS Next Generation (DNG/RRC) 6.0.2. 6.0.6, and 6.0.61 is vulner ...) NOT-FOR-US: IBM CVE-2019-4739 RESERVED CVE-2019-4738 RESERVED CVE-2019-4737 (IBM DOORS Next Generation (DNG/RRC) 6.0.2. 6.0.6, and 6.0.61 is vulner ...) NOT-FOR-US: IBM CVE-2019-4736 (IBM Financial Transaction Manager 3.0 is vulnerable to cross-site requ ...) NOT-FOR-US: IBM CVE-2019-4735 (IBM MaaS360 3.96.62 for iOS could allow an attacker with physical acce ...) NOT-FOR-US: IBM CVE-2019-4734 RESERVED CVE-2019-4733 RESERVED CVE-2019-4732 (IBM SDK, Java Technology Edition Version 7.0.0.0 through 7.0.10.55, 7. ...) NOT-FOR-US: IBM CVE-2019-4731 RESERVED CVE-2019-4730 RESERVED CVE-2019-4729 (IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to ob ...) NOT-FOR-US: IBM CVE-2019-4728 RESERVED CVE-2019-4727 RESERVED CVE-2019-4726 (IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 i ...) NOT-FOR-US: IBM CVE-2019-4725 RESERVED CVE-2019-4724 RESERVED CVE-2019-4723 RESERVED CVE-2019-4722 RESERVED CVE-2019-4721 RESERVED CVE-2019-4720 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable ...) NOT-FOR-US: IBM CVE-2019-4719 (IBM MQ and IBM MQ Appliance 7.1, 7.5, 8.0, 9.0 LTS, 9.1 LTS, and 9.1 C ...) NOT-FOR-US: IBM CVE-2019-4718 (IBM Jazz for Service Management 3.13 is vulnerable to cross-site scrip ...) NOT-FOR-US: IBM CVE-2019-4717 RESERVED CVE-2019-4716 (IBM Planning Analytics 2.0.0 through 2.0.8 is vulnerable to a configur ...) NOT-FOR-US: IBM CVE-2019-4715 (IBM Spectrum Scale 4.2 and 5.0 could allow a remote authenticated atta ...) NOT-FOR-US: IBM CVE-2019-4714 RESERVED CVE-2019-4713 RESERVED CVE-2019-4712 RESERVED CVE-2019-4711 RESERVED CVE-2019-4710 RESERVED CVE-2019-4709 RESERVED CVE-2019-4708 RESERVED CVE-2019-4707 (IBM Security Access Manager Appliance 9.0.7.0 is vulnerable to an XML ...) NOT-FOR-US: IBM CVE-2019-4706 (IBM Security Identity Manager Virtual Appliance 7.0.2 writes informati ...) NOT-FOR-US: IBM CVE-2019-4705 (IBM Security Identity Manager Virtual Appliance 7.0.2 discloses sensit ...) NOT-FOR-US: IBM CVE-2019-4704 (IBM Security Identity Manager Virtual Appliance 7.0.2 does not set the ...) NOT-FOR-US: IBM CVE-2019-4703 (IBM Spectrum Protect Plus 10.1.0 and 10.5.0, when protecting Microsoft ...) NOT-FOR-US: IBM CVE-2019-4702 RESERVED CVE-2019-4701 RESERVED CVE-2019-4700 RESERVED CVE-2019-4699 RESERVED CVE-2019-4698 RESERVED CVE-2019-4697 RESERVED CVE-2019-4696 RESERVED CVE-2019-4695 RESERVED CVE-2019-4694 RESERVED CVE-2019-4693 RESERVED CVE-2019-4692 RESERVED CVE-2019-4691 RESERVED CVE-2019-4690 RESERVED CVE-2019-4689 RESERVED CVE-2019-4688 RESERVED CVE-2019-4687 RESERVED CVE-2019-4686 RESERVED CVE-2019-4685 RESERVED CVE-2019-4684 RESERVED CVE-2019-4683 RESERVED CVE-2019-4682 RESERVED CVE-2019-4681 (IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.17 is vulnerable to cr ...) NOT-FOR-US: IBM CVE-2019-4680 RESERVED CVE-2019-4679 (IBM Content Navigator 3.0CD could allow an authenticated user to gain ...) NOT-FOR-US: IBM CVE-2019-4678 RESERVED CVE-2019-4677 RESERVED CVE-2019-4676 (IBM Security Identity Manager Virtual Appliance 7.0.2 stores user cred ...) NOT-FOR-US: IBM CVE-2019-4675 (IBM Security Identity Manager 7.0.1 contains hard-coded credentials, s ...) NOT-FOR-US: IBM CVE-2019-4674 (IBM Security Identity Manager 7.0.1 could allow a remote attacker to t ...) NOT-FOR-US: IBM CVE-2019-4673 RESERVED CVE-2019-4672 (IBM QRadar Advisor 1.1 through 2.5 could allow an unauthorized attacke ...) NOT-FOR-US: IBM CVE-2019-4671 RESERVED CVE-2019-4670 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a ...) NOT-FOR-US: IBM CVE-2019-4669 (IBM Business Process Manager 8.5.7.0 through 8.5.7.0 2017.06, 8.6.0.0 ...) NOT-FOR-US: IBM CVE-2019-4668 (IBM UrbanCode Deploy (UCD) 7.0.4.0 stores user credentials in plain in ...) NOT-FOR-US: IBM CVE-2019-4667 (IBM UrbanCode Deploy (UCD) 7.0.5.2 could allow a remote attacker to ob ...) NOT-FOR-US: IBM CVE-2019-4666 (IBM UrbanCode Deploy (UCD) 7.0.3 and IBM UrbanCode Build 6.1.5 could a ...) NOT-FOR-US: IBM CVE-2019-4665 (IBM Spectrum Scale 4.2 and 5.0 is vulnerable to cross-site scripting. ...) NOT-FOR-US: IBM CVE-2019-4664 RESERVED CVE-2019-4663 (IBM WebSphere Application Server - Liberty is vulnerable to cross-site ...) NOT-FOR-US: IBM CVE-2019-4662 RESERVED CVE-2019-4661 RESERVED CVE-2019-4660 RESERVED CVE-2019-4659 RESERVED CVE-2019-4658 RESERVED CVE-2019-4657 RESERVED CVE-2019-4656 (IBM MQ and IBM MQ Appliance 7.1, 7.5, 8.0, 9.0 LTS, 9.1 LTS, and 9.1 C ...) NOT-FOR-US: IBM CVE-2019-4655 (IBM MQ 9.1.0.0, 9.1.0.1, 9.1.0.2, 9.1.0.3, 9.1.1, 9.1.2, and 9.1.3 is ...) NOT-FOR-US: IBM CVE-2019-4654 (IBM QRadar 7.3.0 to 7.3.3 Patch 2 does not validate, or incorrectly va ...) NOT-FOR-US: IBM CVE-2019-4653 RESERVED CVE-2019-4652 (IBM Spectrum Protect Plus 10.1.0 through 10.1.4 uses insecure file per ...) NOT-FOR-US: IBM Spectrum Protect Plus CVE-2019-4651 (IBM Jazz Reporting Service (JRS) 6.0.6.1 is vulnerable to SQL injectio ...) NOT-FOR-US: IBM CVE-2019-4650 (IBM Maximo Asset Management 7.6.1.1 is vulnerable to SQL injection. A ...) NOT-FOR-US: IBM CVE-2019-4649 RESERVED CVE-2019-4648 RESERVED CVE-2019-4647 RESERVED CVE-2019-4646 RESERVED CVE-2019-4645 (IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site scripti ...) NOT-FOR-US: IBM CVE-2019-4644 (IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. ...) NOT-FOR-US: IBM CVE-2019-4643 RESERVED CVE-2019-4642 RESERVED CVE-2019-4641 RESERVED CVE-2019-4640 (IBM Security Secret Server 10.7 processes patches, image backups and o ...) NOT-FOR-US: IBM CVE-2019-4639 (IBM Security Secret Server 10.7 uses weaker than expected cryptographi ...) NOT-FOR-US: IBM CVE-2019-4638 (IBM Security Secret Server 10.7 does not set the secure attribute on a ...) NOT-FOR-US: IBM CVE-2019-4637 (IBM Security Secret Server 10.7 uses incomplete blacklisting for input ...) NOT-FOR-US: IBM CVE-2019-4636 (IBM Security Secret Server 10.7 could disclose sensitive information t ...) NOT-FOR-US: IBM CVE-2019-4635 (IBM Security Secret Server 10.7 could allow a privileged user to perfo ...) NOT-FOR-US: IBM CVE-2019-4634 RESERVED CVE-2019-4633 (IBM Security Secret Server 10.7 could allow an attacker to obtain sens ...) NOT-FOR-US: IBM CVE-2019-4632 (IBM Security Secret Server 10.7 is vulnerable to cross-site scripting. ...) NOT-FOR-US: IBM CVE-2019-4631 (IBM Security Secret Server 10.7 could allow a remote attacker to condu ...) NOT-FOR-US: IBM CVE-2019-4630 RESERVED CVE-2019-4629 RESERVED CVE-2019-4628 RESERVED CVE-2019-4627 RESERVED CVE-2019-4626 RESERVED CVE-2019-4625 RESERVED CVE-2019-4624 RESERVED CVE-2019-4623 (IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site scripti ...) NOT-FOR-US: IBM CVE-2019-4622 RESERVED CVE-2019-4621 (IBM DataPower Gateway 7.6.0.0-7 throug 6.0.14 and 2018.4.1.0 through 2 ...) NOT-FOR-US: IBM CVE-2019-4620 (IBM MQ Appliance 8.0 and 9.0 LTS could allow a local attacker to bypas ...) NOT-FOR-US: IBM CVE-2019-4619 (IBM MQ and IBM MQ Appliance 7.1, 7.5, 8.0, 9.0 LTS, 9.1 LTS, and 9.1 C ...) NOT-FOR-US: IBM CVE-2019-4618 RESERVED CVE-2019-4617 (IBM Cloud Automation Manager 3.2.1.0 does not renew a session variable ...) NOT-FOR-US: IBM CVE-2019-4616 (IBM Cloud Automation Manager 3.2.1.0 does not set the secure attribute ...) NOT-FOR-US: IBM CVE-2019-4615 RESERVED CVE-2019-4614 (IBM MQ and IBM MQ Appliance 8.0 and 9.0 LTS client connecting to a Que ...) NOT-FOR-US: IBM CVE-2019-4613 (IBM Planning Analytics 2.0 is vulnerable to cross-site request forgery ...) NOT-FOR-US: IBM CVE-2019-4612 (IBM Planning Analytics 2.0 is vulnerable to malicious file upload in t ...) NOT-FOR-US: IBM CVE-2019-4611 (IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2019-4610 RESERVED CVE-2019-4609 (IBM API Connect 2018.4.1.7 uses weaker than expected cryptographic alg ...) NOT-FOR-US: IBM CVE-2019-4608 (IBM Tivoli Workload Scheduler 9.3 is vulnerable to cross-site scriptin ...) NOT-FOR-US: IBM CVE-2019-4607 RESERVED CVE-2019-4606 (IBM DB2 High Performance Unload load for LUW 6.1 and 6.5 could allow a ...) NOT-FOR-US: IBM CVE-2019-4605 RESERVED CVE-2019-4604 RESERVED CVE-2019-4603 (IBM Quality Manager (RQM) 6.02, 6.06, and 6.0.6.1 could allow an authe ...) NOT-FOR-US: IBM CVE-2019-4602 (IBM Quality Manager (RQM) 6.02, 6.06, and 6.0.6.1 is vulnerable to cro ...) NOT-FOR-US: IBM CVE-2019-4601 (IBM Quality Manager (RQM) 6.02, 6.06, and 6.0.6.1 could allow an authe ...) NOT-FOR-US: IBM CVE-2019-4600 (IBM API Connect version V5.0.0.0 through 5.0.8.7 could reveal sensitiv ...) NOT-FOR-US: IBM CVE-2019-4599 RESERVED CVE-2019-4598 (IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 i ...) NOT-FOR-US: IBM CVE-2019-4597 (IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 i ...) NOT-FOR-US: IBM CVE-2019-4596 (IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 i ...) NOT-FOR-US: IBM CVE-2019-4595 (IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 c ...) NOT-FOR-US: IBM CVE-2019-4594 (IBM QRadar 7.3.0 to 7.3.3 Patch 2 could allow a remote attacker to obt ...) NOT-FOR-US: IBM CVE-2019-4593 (IBM QRadar 7.3.0 to 7.3.3 Patch 2 generates an error message that incl ...) NOT-FOR-US: IBM CVE-2019-4592 (IBM Tivoli Monitoring Service 6.3.0.7.3 through 6.3.0.7.10 could allow ...) NOT-FOR-US: IBM CVE-2019-4591 RESERVED CVE-2019-4590 RESERVED CVE-2019-4589 RESERVED CVE-2019-4588 RESERVED CVE-2019-4587 RESERVED CVE-2019-4586 RESERVED CVE-2019-4585 RESERVED CVE-2019-4584 RESERVED CVE-2019-4583 (IBM Maximo Asset Management 7.6.0.10 and 7.6.1.1 could allow an authen ...) NOT-FOR-US: IBM CVE-2019-4582 RESERVED CVE-2019-4581 (IBM QRadar 7.3.0 to 7.3.2 Patch 4 is vulnerable to cross-site scriptin ...) NOT-FOR-US: IBM CVE-2019-4580 RESERVED CVE-2019-4579 RESERVED CVE-2019-4578 RESERVED CVE-2019-4577 RESERVED CVE-2019-4576 (IBM QRadar Network Packet Capture 7.3.0 - 7.3.3 Patch 1 and 7.4.0 GA d ...) NOT-FOR-US: IBM CVE-2019-4575 RESERVED CVE-2019-4574 RESERVED CVE-2019-4573 RESERVED CVE-2019-4572 (IBM FileNet Content Manager 5.5.2 and 5.5.3 in specific configurations ...) NOT-FOR-US: IBM CVE-2019-4571 (IBM Content Navigator 3.0CD is vulnerable to cross-site scripting. Thi ...) NOT-FOR-US: IBM CVE-2019-4570 (IBM Tivoli Netcool Impact 7.1.0 through 7.1.0.16 generates an error me ...) NOT-FOR-US: IBM CVE-2019-4569 (IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.16 is vulnerable to cr ...) NOT-FOR-US: IBM CVE-2019-4568 (IBM MQ and IBM MQ Appliance 8.0 and 9.0 LTS could allow a remote attac ...) NOT-FOR-US: IBM CVE-2019-4567 RESERVED CVE-2019-4566 (IBM Security Key Lifecycle Manager 3.0 and 3.0.1 stores user credentia ...) NOT-FOR-US: IBM CVE-2019-4565 (IBM Security Key Lifecycle Manager 3.0 and 3.0.1 does not require that ...) NOT-FOR-US: IBM CVE-2019-4564 (IBM Security Key Lifecycle Manager 2.6, 2.7, 3.0, and 3.0.1 is vulnera ...) NOT-FOR-US: IBM CVE-2019-4563 RESERVED CVE-2019-4562 (IBM Security Directory Server 6.4.0 stores sensitive information in UR ...) NOT-FOR-US: IBM CVE-2019-4561 (IBM Security Identity Manager 6.0.0 could allow a remote attacker to e ...) NOT-FOR-US: IBM CVE-2019-4560 (IBM MQ and IBM MQ Appliance 9.1 CD, 9.1 LTS, 9.0 LTS, and 8.0 is vulne ...) NOT-FOR-US: IBM CVE-2019-4559 (IBM QRadar SIEM 7.3.0 through 7.3.3 discloses sensitive information to ...) NOT-FOR-US: IBM CVE-2019-4558 (A security vulnerability has been identified in all levels of IBM Spec ...) NOT-FOR-US: IBM CVE-2019-4557 (IBM Qradar Advisor 1.1 through 2.5 with Watson uses weaker than expect ...) NOT-FOR-US: IBM CVE-2019-4556 (IBM QRadar Advisor 1.0.0 through 2.4.0 uses incomplete blacklisting fo ...) NOT-FOR-US: IBM CVE-2019-4555 (IBM Cognos Analytics 11.0 and 11.0 is vulnerable to cross-site scripti ...) NOT-FOR-US: IBM CVE-2019-4554 RESERVED CVE-2019-4553 (IBM API Connect V5.0.0.0 through 5.0.8.7iFix3 uses weaker than expecte ...) NOT-FOR-US: IBM CVE-2019-4552 RESERVED CVE-2019-4551 (IBM Security Directory Server 6.4.0 does not perform an authentication ...) NOT-FOR-US: IBM CVE-2019-4550 (IBM Security Directory Server 6.4.0 is deployed with active debugging ...) NOT-FOR-US: IBM CVE-2019-4549 (IBM Security Directory Server 6.4.0 discloses sensitive information to ...) NOT-FOR-US: IBM CVE-2019-4548 (IBM Security Directory Server 6.4.0 could allow a remote attacker to h ...) NOT-FOR-US: IBM CVE-2019-4547 RESERVED CVE-2019-4546 (After installing the IBM Maximo Health- Safety and Environment Manager ...) NOT-FOR-US: IBM CVE-2019-4545 RESERVED CVE-2019-4544 RESERVED CVE-2019-4543 RESERVED CVE-2019-4542 (IBM Security Directory Server 6.4.0 is vulnerable to cross-site script ...) NOT-FOR-US: IBM CVE-2019-4541 (IBM Security Directory Server 6.4.0 uses incomplete blacklisting for i ...) NOT-FOR-US: IBM CVE-2019-4540 (IBM Security Directory Server 6.4.0 uses weaker than expected cryptogr ...) NOT-FOR-US: IBM CVE-2019-4539 (IBM Security Directory Server 6.4.0 does not properly neutralize speci ...) NOT-FOR-US: IBM CVE-2019-4538 (IBM Security Directory Server 6.4.0 could allow a remote attacker to c ...) NOT-FOR-US: IBM CVE-2019-4537 (IBM WebSphere Service Registry and Repository 8.5 could allow a user t ...) NOT-FOR-US: IBM CVE-2019-4536 (IBM i 7.4 users who have done a Restore User Profile (RSTUSRPRF) on a ...) NOT-FOR-US: IBM CVE-2019-4535 RESERVED CVE-2019-4534 RESERVED CVE-2019-4533 RESERVED CVE-2019-4532 RESERVED CVE-2019-4531 RESERVED CVE-2019-4530 (IBM Maximo Asset Management 7.6, 7.6.1, and 7.6.1.1 could allow an aut ...) NOT-FOR-US: IBM CVE-2019-4529 RESERVED CVE-2019-4528 RESERVED CVE-2019-4527 RESERVED CVE-2019-4526 RESERVED CVE-2019-4525 RESERVED CVE-2019-4524 RESERVED CVE-2019-4523 (IBM DB2 High Performance Unload load for LUW 6.1 and 6.5 is vulnerable ...) NOT-FOR-US: IBM CVE-2019-4522 RESERVED CVE-2019-4521 (Platform System Manager in IBM Cloud Pak System 2.3 is potentially vul ...) NOT-FOR-US: IBM CVE-2019-4520 (IBM Security Directory Server 6.4.0 uses an inadequate account lockout ...) NOT-FOR-US: IBM CVE-2019-4519 RESERVED CVE-2019-4518 RESERVED CVE-2019-4517 RESERVED CVE-2019-4516 RESERVED CVE-2019-4515 (IBM Security Key Lifecycle Manager 3.0 and 3.0.1 is vulnerable to cros ...) NOT-FOR-US: IBM CVE-2019-4514 (IBM Security Key Lifecycle Manager 2.6, 2.7, 3.0, and 3.0.1 discloses ...) NOT-FOR-US: IBM CVE-2019-4513 (IBM Security Access Manager for Enterprise Single Sign-On 8.2.2 is vul ...) NOT-FOR-US: IBM CVE-2019-4512 (IBM Maximo Asset Management 7.6.1.1 generates an error message that in ...) NOT-FOR-US: IBM CVE-2019-4511 RESERVED CVE-2019-4510 RESERVED CVE-2019-4509 (IBM QRadar 7.3.0 to 7.3.2 Patch 4 is vulnerable to incorrect authoriza ...) NOT-FOR-US: IBM CVE-2019-4508 (IBM QRadar SIEM 7.3.0 through 7.3.3 uses weak credential storage in so ...) NOT-FOR-US: IBM CVE-2019-4507 RESERVED CVE-2019-4506 RESERVED CVE-2019-4505 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Network Deploy ...) NOT-FOR-US: IBM CVE-2019-4504 RESERVED CVE-2019-4503 RESERVED CVE-2019-4502 RESERVED CVE-2019-4501 RESERVED CVE-2019-4500 RESERVED CVE-2019-4499 RESERVED CVE-2019-4498 RESERVED CVE-2019-4497 (IBM Jazz Reporting Service (JRS) 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0. ...) NOT-FOR-US: IBM CVE-2019-4496 RESERVED CVE-2019-4495 (IBM Jazz Reporting Service (JRS) 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0. ...) NOT-FOR-US: IBM CVE-2019-4494 (IBM Jazz Reporting Service (JRS) 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0. ...) NOT-FOR-US: IBM CVE-2019-4493 RESERVED CVE-2019-4492 RESERVED CVE-2019-4491 RESERVED CVE-2019-4490 RESERVED CVE-2019-4489 RESERVED CVE-2019-4488 RESERVED CVE-2019-4487 RESERVED CVE-2019-4486 (IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. ...) NOT-FOR-US: IBM CVE-2019-4485 (IBM Emptoris Sourcing 10.1.0 through 10.1.3, IBM Contract Management 1 ...) NOT-FOR-US: IBM CVE-2019-4484 (IBM Emptoris Sourcing 10.1.0 through 10.1.3, IBM Contract Management 1 ...) NOT-FOR-US: IBM CVE-2019-4483 (IBM Contract Management 10.1.0 through 10.1.3 and IBM Emptoris Spend A ...) NOT-FOR-US: IBM CVE-2019-4482 (IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 is vulnerable to cro ...) NOT-FOR-US: IBM CVE-2019-4481 (IBM Contract Management 10.1.0 through 10.1.3 and IBM Emptoris Spend A ...) NOT-FOR-US: IBM CVE-2019-4480 RESERVED CVE-2019-4479 RESERVED CVE-2019-4478 (IBM Maximo Asset Management 7.6.0, and 7.6.1 could allow an authentica ...) NOT-FOR-US: IBM CVE-2019-4477 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a ...) NOT-FOR-US: IBM CVE-2019-4476 RESERVED CVE-2019-4475 RESERVED CVE-2019-4474 RESERVED CVE-2019-4473 (Multiple binaries in IBM SDK, Java Technology Edition 7, 7R, and 8 on ...) NOT-FOR-US: IBM CVE-2019-4472 RESERVED CVE-2019-4471 RESERVED CVE-2019-4470 (IBM QRadar 7.3.0 to 7.3.2 Patch 4 is vulnerable to cross-site scriptin ...) NOT-FOR-US: IBM CVE-2019-4469 RESERVED CVE-2019-4468 (IBM Cloud Pak System 2.3 and 2.3.0.1 is vulnerable to cross-site scrip ...) NOT-FOR-US: IBM CVE-2019-4467 (IBM Cloud Pak System 2.3 and 2.3.0.1 is vulnerable to cross-site scrip ...) NOT-FOR-US: IBM CVE-2019-4466 RESERVED CVE-2019-4465 (IBM Cloud Pak System 2.3 and 2.3.0.1 allows web pages to be stored loc ...) NOT-FOR-US: IBM CVE-2019-4464 RESERVED CVE-2019-4463 RESERVED CVE-2019-4462 RESERVED CVE-2019-4461 (IBM Cloud Orchestrator 2.4 through 2.4.0.5 and 2.5 through 2.5.0.9 is ...) NOT-FOR-US: IBM CVE-2019-4460 (IBM API Connect 5.0.0.0 through 5.0.8.6 developer portal could allow a ...) NOT-FOR-US: IBM CVE-2019-4459 (IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise 2.5 throu ...) NOT-FOR-US: IBM CVE-2019-4458 RESERVED CVE-2019-4457 (IBM Jazz Foundation 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, and ...) NOT-FOR-US: IBM CVE-2019-4456 (IBM Daeja ViewONE Professional, Standard & Virtual 5.0.5 and 5.0.6 ...) NOT-FOR-US: IBM CVE-2019-4455 RESERVED CVE-2019-4454 (IBM QRadar 7.3.0 to 7.3.2 Patch 4 is vulnerable to cross-site scriptin ...) NOT-FOR-US: IBM CVE-2019-4453 RESERVED CVE-2019-4452 RESERVED CVE-2019-4451 (IBM Security Identity Manager 6.0.0 is vulnerable to cross-site script ...) NOT-FOR-US: IBM CVE-2019-4450 (IBM i 7.2, 7.3, and 7.4 for i is vulnerable to cross-site scripting. T ...) NOT-FOR-US: IBM CVE-2019-4449 RESERVED CVE-2019-4448 (IBM DB2 High Performance Unload load for LUW 6.1, 6.1.0.1, 6.1.0.1 IF1 ...) NOT-FOR-US: IBM CVE-2019-4447 (IBM DB2 High Performance Unload load for LUW 6.1, 6.1.0.1, 6.1.0.1 IF1 ...) NOT-FOR-US: IBM CVE-2019-4446 (IBM Maximo Asset Management 7.6 could allow an authenticated user perf ...) NOT-FOR-US: IBM CVE-2019-4445 RESERVED CVE-2019-4444 (IBM API Connect 2018.1 through 2018.4.1.7 Developer Portal's user regi ...) NOT-FOR-US: IBM CVE-2019-4443 RESERVED CVE-2019-4442 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9,0 could allow a ...) NOT-FOR-US: IBM CVE-2019-4441 (IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0, and Liberty could ...) NOT-FOR-US: IBM CVE-2019-4440 RESERVED CVE-2019-4439 (IBM Cloud Private 3.1.0, 3.1.1, and 3.1.2 does not invalidate session ...) NOT-FOR-US: IBM CVE-2019-4438 RESERVED CVE-2019-4437 (IBM API Connect 2018.1 through 2018.4.1.6 may inadvertently leak sensi ...) NOT-FOR-US: IBM CVE-2019-4436 RESERVED CVE-2019-4435 RESERVED CVE-2019-4434 RESERVED CVE-2019-4433 (IBM InfoSphere Global Name Management 5.0 and 6.0 and IBM InfoSphere I ...) NOT-FOR-US: IBM CVE-2019-4432 RESERVED CVE-2019-4431 (IBM Rational Publishing Engine 6.0.6 and 6.0.6.1 is vulnerable to cros ...) NOT-FOR-US: IBM CVE-2019-4430 (IBM Maximo Asset Management 7.6 could allow a remote attacker to trave ...) NOT-FOR-US: IBM CVE-2019-4429 (IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to cross-sit ...) NOT-FOR-US: IBM CVE-2019-4428 (IBM Watson Assistant for IBM Cloud Pak for Data 1.0.0 through 1.3.0 is ...) NOT-FOR-US: IBM CVE-2019-4427 (IBM Cloud CLI 0.6.0 through 0.16.1 windows installers are signed using ...) NOT-FOR-US: IBM CVE-2019-4426 (The Case Builder component shipped with 18.0.0.1 through 19.0.0.2 and ...) NOT-FOR-US: IBM CVE-2019-4425 (IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, and 18.0.0.2 coul ...) NOT-FOR-US: IBM CVE-2019-4424 (IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0. ...) NOT-FOR-US: IBM CVE-2019-4423 (IBM Sterling File Gateway 2.2.0.0 through 6.0.1.0 could allow a remote ...) NOT-FOR-US: IBM CVE-2019-4422 (IBM Security Guardium 9.0, 9.5, and 10.6 are vulnerable to a privilege ...) NOT-FOR-US: IBM CVE-2019-4421 RESERVED CVE-2019-4420 (IBM Intelligent Operations Center V5.1.0 through V5.2.0 could disclose ...) NOT-FOR-US: IBM CVE-2019-4419 (IBM Intelligent Operations Center V5.1.0 through V5.2.0 is vulnerable ...) NOT-FOR-US: IBM CVE-2019-4418 RESERVED CVE-2019-4417 RESERVED CVE-2019-4416 RESERVED CVE-2019-4415 (IBM Cloud Private 3.1.1 and 3.1.2 could allow a local user to obtain e ...) NOT-FOR-US: IBM CVE-2019-4414 RESERVED CVE-2019-4413 RESERVED CVE-2019-4412 (IBM Cognos Controller stores sensitive information in URL parameters. ...) NOT-FOR-US: IBM CVE-2019-4411 (IBM Cognos Controller 10.3.0, 10.3.1, 10.4.0, and 10.4.1 could allow a ...) NOT-FOR-US: IBM CVE-2019-4410 (IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, and 19. ...) NOT-FOR-US: IBM CVE-2019-4409 (HCL Traveler versions 9.x and earlier are susceptible to cross-site sc ...) NOT-FOR-US: HCL Traveler CVE-2019-4408 RESERVED CVE-2019-4407 RESERVED CVE-2019-4406 (IBM Spectrum Protect Backup-Archive Client 7.1 and 8.1 may be vulnerab ...) NOT-FOR-US: IBM CVE-2019-4405 RESERVED CVE-2019-4404 RESERVED CVE-2019-4403 (IBM Connections 6.0 is vulnerable to cross-site scripting. This vulner ...) NOT-FOR-US: IBM CVE-2019-4402 (IBM API Connect 2018.1 through 2018.4.1.6 developer portal could allow ...) NOT-FOR-US: IBM CVE-2019-4401 RESERVED CVE-2019-4400 (IBM Cloud Orchestrator 2.4 through 2.4.0.5 and 2.5 through 2.5.0.9 cou ...) NOT-FOR-US: IBM CVE-2019-4399 (IBM Cloud Orchestrator 2.4 through 2.4.0.5 and 2.5 through 2.5.0.9 use ...) NOT-FOR-US: IBM CVE-2019-4398 (IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise 2.5 throu ...) NOT-FOR-US: IBM CVE-2019-4397 (IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise 2.5 throu ...) NOT-FOR-US: IBM CVE-2019-4396 (IBM Cloud Orchestrator 2.4 through 2.4.0.5 and 2.5 through 2.5.0.9 is ...) NOT-FOR-US: IBM CVE-2019-4395 (IBM Cloud Orchestrator 2.4 through 2.4.0.5 and 2.5 through 2.5.0.9 cou ...) NOT-FOR-US: IBM CVE-2019-4394 (IBM Cloud Orchestrator 2.4 through 2.4.0.5 and 2.5 through 2.5.0.9 con ...) NOT-FOR-US: IBM CVE-2019-4393 (HCL AppScan Standard is vulnerable to excessive authorization attempts ...) NOT-FOR-US: HCL AppScan CVE-2019-4392 (HCL AppScan Standard Edition 9.0.3.13 and earlier uses hard-coded cred ...) NOT-FOR-US: HCL AppScan CVE-2019-4391 (HCL AppScan Standard is vulnerable to XML External Entity Injection (X ...) NOT-FOR-US: HCL AppScan CVE-2019-4390 RESERVED CVE-2019-4389 RESERVED CVE-2019-4388 (HCL AppScan Source 9.0.3.13 and earlier is susceptible to cross-site s ...) NOT-FOR-US: HCL AppScan Source CVE-2019-4387 (IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.2.0 i ...) NOT-FOR-US: IBM CVE-2019-4386 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1 ...) NOT-FOR-US: IBM CVE-2019-4385 (IBM Spectrum Protect Plus 10.1.2 may display the vSnap CIFS password i ...) NOT-FOR-US: IBM CVE-2019-4384 (IBM Campaign 9.1.2 and 10.1 could allow a remote attacker to traverse ...) NOT-FOR-US: IBM CVE-2019-4383 (When using IBM Spectrum Protect Plus 10.1.0, 10.1.2, and 10.1.3 to pro ...) NOT-FOR-US: IBM CVE-2019-4382 (IBM API Connect 5.0.0.0 through 5.0.8.6 could allow an unauthorized us ...) NOT-FOR-US: IBM CVE-2019-4381 (IBM i 7.27.3 Clustering could allow a local attacker to obtain sensiti ...) NOT-FOR-US: IBM CVE-2019-4380 RESERVED CVE-2019-4379 RESERVED CVE-2019-4378 (IBM MQ 7.5.0.0 - 7.5.0.9, 7.1.0.0 - 7.1.0.9, 8.0.0.0 - 8.0.0.12, 9.0.0 ...) NOT-FOR-US: IBM CVE-2019-4377 (IBM Sterling B2B Integrator 6.0.0.0 and 6.0.0.1 reveals sensitive info ...) NOT-FOR-US: IBM CVE-2019-4376 RESERVED CVE-2019-4375 RESERVED CVE-2019-4374 RESERVED CVE-2019-4373 RESERVED CVE-2019-4372 RESERVED CVE-2019-4371 RESERVED CVE-2019-4370 RESERVED CVE-2019-4369 (IBM BigFix Inventory v9 (SUA v9 / ILMT v9) discloses sensitive informa ...) NOT-FOR-US: IBM CVE-2019-4368 RESERVED CVE-2019-4367 RESERVED CVE-2019-4366 RESERVED CVE-2019-4365 RESERVED CVE-2019-4364 (IBM Maximo Asset Management 7.6 is vulnerable to CSV injection, which ...) NOT-FOR-US: IBM CVE-2019-4363 RESERVED CVE-2019-4362 RESERVED CVE-2019-4361 RESERVED CVE-2019-4360 RESERVED CVE-2019-4359 RESERVED CVE-2019-4358 RESERVED CVE-2019-4357 (When using IBM Spectrum Protect Plus 10.1.0, 10.1.2, and 10.1.3 to pro ...) NOT-FOR-US: IBM CVE-2019-4356 RESERVED CVE-2019-4355 RESERVED CVE-2019-4354 RESERVED CVE-2019-4353 RESERVED CVE-2019-4352 RESERVED CVE-2019-4351 RESERVED CVE-2019-4350 RESERVED CVE-2019-4349 RESERVED CVE-2019-4348 RESERVED CVE-2019-4347 RESERVED CVE-2019-4346 RESERVED CVE-2019-4345 RESERVED CVE-2019-4344 RESERVED CVE-2019-4343 (IBM Cognos Analytics 11.0 and 11.1 allows overly permissive cross-orig ...) NOT-FOR-US: IBM CVE-2019-4342 (IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site scripti ...) NOT-FOR-US: IBM CVE-2019-4341 RESERVED CVE-2019-4340 (IBM Security Guardium Big Data Intelligence 4.0 (SonarG) is vulnerable ...) NOT-FOR-US: IBM CVE-2019-4339 (IBM Security Guardium Big Data Intelligence (SonarG) 4.0 uses weaker t ...) NOT-FOR-US: IBM CVE-2019-4338 (IBM Security Guardium Big Data Intelligence 4.0 (SonarG) does not prop ...) NOT-FOR-US: IBM CVE-2019-4337 (IBM Robotic Process Automation with Automation Anywhere 11 could allow ...) NOT-FOR-US: IBM CVE-2019-4336 (IBM Robotic Process Automation with Automation Anywhere 11 uses an ina ...) NOT-FOR-US: IBM CVE-2019-4335 (IBM Watson Studio Local 1.2.3 stores key files in the user's home dire ...) NOT-FOR-US: IBM CVE-2019-4334 (IBM Cognos Analytics 11.0 and 11.1 could reveal sensitive information ...) NOT-FOR-US: IBM CVE-2019-4333 RESERVED CVE-2019-4332 RESERVED CVE-2019-4331 RESERVED CVE-2019-4330 (IBM Security Guardium Big Data Intelligence (SonarG) 4.0 does not set ...) NOT-FOR-US: IBM CVE-2019-4329 (IBM Security Guardium Big Data Intelligence (SonarG) 4.0 uses incomple ...) NOT-FOR-US: IBM CVE-2019-4328 RESERVED CVE-2019-4327 ("HCL AppScan Enterprise uses hard-coded credentials which can be explo ...) NOT-FOR-US: HCL AppScan Enterprise CVE-2019-4326 RESERVED CVE-2019-4325 RESERVED CVE-2019-4324 ("HCL AppScan Enterprise is susceptible to Cross-Site Scripting while i ...) TODO: check CVE-2019-4323 ("HCL AppScan Enterprise advisory API documentation is susceptible to c ...) TODO: check CVE-2019-4322 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2019-4321 (IBM Intelligent Operations Center V5.1.0 - V5.2.0, IBM Intelligent Ope ...) NOT-FOR-US: IBM CVE-2019-4320 RESERVED CVE-2019-4319 RESERVED CVE-2019-4318 RESERVED CVE-2019-4317 RESERVED CVE-2019-4316 RESERVED CVE-2019-4315 RESERVED CVE-2019-4314 (IBM Security Guardium Big Data Intelligence (SonarG) 4.0 stores sensit ...) NOT-FOR-US: IBM CVE-2019-4313 RESERVED CVE-2019-4312 RESERVED CVE-2019-4311 (IBM Security Guardium Big Data Intelligence (SonarG) 4.0 discloses sen ...) NOT-FOR-US: IBM CVE-2019-4310 (IBM Security Guardium Big Data Intelligence 4.0 (SonarG) uses an inade ...) NOT-FOR-US: IBM CVE-2019-4309 (IBM Security Guardium Big Data Intelligence (SonarG) 4.0 uses hard cod ...) NOT-FOR-US: IBM CVE-2019-4308 (IBM Emptoris Sourcing 10.1.0 through 10.1.3, IBM Contract Management 1 ...) NOT-FOR-US: IBM CVE-2019-4307 (IBM Security Guardium Big Data Intelligence (SonarG) 4.0 stores user c ...) NOT-FOR-US: IBM CVE-2019-4306 (IBM Security Guardium Big Data Intelligence (SonarG) 4.0 specifies per ...) NOT-FOR-US: IBM CVE-2019-4305 (IBM WebSphere Application Server Liberty could allow a remote attacker ...) NOT-FOR-US: IBM CVE-2019-4304 (IBM WebSphere Application Server - Liberty could allow a remote attack ...) NOT-FOR-US: IBM CVE-2019-4303 (IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. ...) NOT-FOR-US: IBM CVE-2019-4302 RESERVED CVE-2019-4301 (BigFix Self-Service Application (SSA) is vulnerable to arbitrary code ...) NOT-FOR-US: BigFix Self-Service Application CVE-2019-4300 RESERVED CVE-2019-4299 (IBM Robotic Process Automation with Automation Anywhere 11 could allow ...) NOT-FOR-US: IBM CVE-2019-4298 (IBM Robotic Process Automation with Automation Anywhere 11 uses a high ...) NOT-FOR-US: IBM CVE-2019-4297 (IBM Robotic Process Automation with Automation Anywhere 11 could allow ...) NOT-FOR-US: IBM CVE-2019-4296 (IBM Robotic Process Automation with Automation Anywhere 11 information ...) NOT-FOR-US: IBM CVE-2019-4295 (IBM Robotic Process Automation with Automation Anywhere 11 could allow ...) NOT-FOR-US: IBM CVE-2019-4294 (IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.6, 7.6.0.0 through 7 ...) NOT-FOR-US: IBM CVE-2019-4293 (IBM Storwize V7000 Unified (2073) 1.6 configuration may allow an attac ...) NOT-FOR-US: IBM CVE-2019-4292 (IBM Security Guardium 10.5 could allow a remote attacker to upload arb ...) NOT-FOR-US: IBM CVE-2019-4291 RESERVED CVE-2019-4290 RESERVED CVE-2019-4289 RESERVED CVE-2019-4288 (IBM Maximo Anywhere 7.6.2.0, 7.6.2.1, 7.6.3.0, and 7.6.3.1 could discl ...) NOT-FOR-US: IBM CVE-2019-4287 RESERVED CVE-2019-4286 (IBM Maximo Anywhere 7.6.2.0, 7.6.2.1, 7.6.3.0, and 7.6.3.1 could discl ...) NOT-FOR-US: IBM CVE-2019-4285 (IBM WebSphere Application Server - Liberty Admin Center could allow a ...) NOT-FOR-US: IBM CVE-2019-4284 (IBM Cloud Private 2.1.0 , 3.1.0, 3.1.1, and 3.1.2 could allow a local ...) NOT-FOR-US: IBM CVE-2019-4283 RESERVED CVE-2019-4282 RESERVED CVE-2019-4281 RESERVED CVE-2019-4280 (IBM Sterling File Gateway 2.2.0.0 through 6.0.1.0 displays sensitive i ...) NOT-FOR-US: IBM CVE-2019-4279 (IBM WebSphere Application Server 8.5 and 9.0 could allow a remote atta ...) NOT-FOR-US: IBM CVE-2019-4278 RESERVED CVE-2019-4277 RESERVED CVE-2019-4276 RESERVED CVE-2019-4275 (IBM Jazz for Service Management 1.1.3, 1.1.3.1, and 1.1.3.2 could allo ...) NOT-FOR-US: IBM CVE-2019-4274 RESERVED CVE-2019-4273 RESERVED CVE-2019-4272 RESERVED CVE-2019-4271 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Admin console ...) NOT-FOR-US: IBM CVE-2019-4270 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Admin Console ...) NOT-FOR-US: IBM CVE-2019-4269 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Admin Console ...) NOT-FOR-US: IBM CVE-2019-4268 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a ...) NOT-FOR-US: IBM CVE-2019-4267 (The IBM Spectrum Protect 7.1 and 8.1 Backup-Archive Client is vulnerab ...) NOT-FOR-US: IBM CVE-2019-4266 (IBM Maximo Anywhere 7.6.2.0, 7.6.2.1, 7.6.3.0, and 7.6.3.1 does not ha ...) NOT-FOR-US: IBM CVE-2019-4265 (IBM Maximo Anywhere 7.6.0, 7.6.1, 7.6.2, and 7.6.3 does not have devic ...) NOT-FOR-US: IBM CVE-2019-4264 (IBM QRadar SIEM 7.2.8 WinCollect could allow an attacker to obtain sen ...) NOT-FOR-US: IBM CVE-2019-4263 (IBM Content Navigator 3.0CD is vulnerable to local file inclusion, all ...) NOT-FOR-US: IBM CVE-2019-4262 (IBM QRadar SIEM 7.2 and 7.3 is vulnerable to Server Side Request Forge ...) NOT-FOR-US: IBM CVE-2019-4261 (IBM WebSphere MQ V7.1, 7.5, IBM MQ V8, IBM MQ V9.0LTS, IBM MQ V9.1 LTS ...) NOT-FOR-US: IBM CVE-2019-4260 (IBM Daeja ViewONE Professional, Standard & Virtual 5.0 through 5.0 ...) NOT-FOR-US: IBM CVE-2019-4259 (A security vulnerability has been identified in IBM Spectrum Scale 4.1 ...) NOT-FOR-US: IBM CVE-2019-4258 (IBM Sterling B2B Integrator 6.0.0.0 and 6.0.0.1 Standard Edition is vu ...) NOT-FOR-US: IBM CVE-2019-4257 (IBM InfoSphere Information Server 11.5 and 11.7 is affected by an info ...) NOT-FOR-US: IBM CVE-2019-4256 (IBM API Connect 5.0.0.0 through 5.0.8.6 uses weaker than expected cryp ...) NOT-FOR-US: IBM CVE-2019-4255 RESERVED CVE-2019-4254 RESERVED CVE-2019-4253 (IBM Informix Dynamic Server Enterprise Edition 12.1 could allow a loca ...) NOT-FOR-US: IBM CVE-2019-4252 (IBM Rational Collaborative Lifecycle Management 6.0 through 6.0.6.1 co ...) NOT-FOR-US: IBM CVE-2019-4251 RESERVED CVE-2019-4250 (IBM Jazz Foundation products (IBM Rational Collaborative Lifecycle Man ...) NOT-FOR-US: IBM CVE-2019-4249 (IBM Rational Collaborative Lifecycle Management 6.0 through 6.0.6.1 is ...) NOT-FOR-US: IBM CVE-2019-4248 RESERVED CVE-2019-4247 RESERVED CVE-2019-4246 (IBM Daeja ViewONE Virtual 5.0 through 5.0.6 could expose internal para ...) NOT-FOR-US: IBM CVE-2019-4245 RESERVED CVE-2019-4244 (IBM SmartCloud Analytics 1.3.1 through 1.3.5 could allow a remote atta ...) NOT-FOR-US: IBM CVE-2019-4243 (IBM SmartCloud Analytics 1.3.1 through 1.3.5 allows unauthorized discl ...) NOT-FOR-US: IBM CVE-2019-4242 RESERVED CVE-2019-4241 (IBM PureApplication System 2.2.3.0 through 2.2.5.3 could allow an auth ...) NOT-FOR-US: IBM CVE-2019-4240 RESERVED CVE-2019-4239 (IBM MQ Advanced Cloud Pak (IBM Cloud Private 1.0.0 through 3.0.1) stor ...) NOT-FOR-US: IBM CVE-2019-4238 (IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable t ...) NOT-FOR-US: IBM CVE-2019-4237 (A Cross-Frame Scripting vulnerability in IBM InfoSphere Information Se ...) NOT-FOR-US: IBM CVE-2019-4236 (A IBM Spectrum Protect 7.l client backup or archive operation running ...) NOT-FOR-US: IBM CVE-2019-4235 (IBM PureApplication System 2.2.3.0 through 2.2.5.3 does not require th ...) NOT-FOR-US: IBM CVE-2019-4234 (IBM PureApplication System 2.2.3.0 through 2.2.5.3 weakness in the imp ...) NOT-FOR-US: IBM CVE-2019-4233 RESERVED CVE-2019-4232 RESERVED CVE-2019-4231 (IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site request ...) NOT-FOR-US: IBM CVE-2019-4230 RESERVED CVE-2019-4229 RESERVED CVE-2019-4228 RESERVED CVE-2019-4227 (IBM MQ 8.0.0.4 - 8.0.0.12, 9.0.0.0 - 9.0.0.6, 9.1.0.0 - 9.1.0.2, and 9 ...) NOT-FOR-US: IBM CVE-2019-4226 (IBM Cloud Pak System 2.3 and 2.3.0.1 is vulnerable to cross-site scrip ...) NOT-FOR-US: IBM CVE-2019-4225 (IBM PureApplication System 2.2.3.0 through 2.2.5.3 stores potentially ...) NOT-FOR-US: IBM CVE-2019-4224 (IBM PureApplication System 2.2.3.0 through 2.2.5.3 is vulnerable to SQ ...) NOT-FOR-US: IBM CVE-2019-4223 RESERVED CVE-2019-4222 (IBM Sterling B2B Integrator Standard Edition 6.0.0.0 and 6.0.0.1 could ...) NOT-FOR-US: IBM CVE-2019-4221 RESERVED CVE-2019-4220 (IBM InfoSphere Information Server 11.7.1.0 stores a common hard coded ...) NOT-FOR-US: IBM CVE-2019-4219 (IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, and 1.0.2 generate ...) NOT-FOR-US: IBM CVE-2019-4218 (IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, and 1.0.2 allows w ...) NOT-FOR-US: IBM CVE-2019-4217 (IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, and 1.0.2 could al ...) NOT-FOR-US: IBM CVE-2019-4216 (IBM SmartCloud Analytics 1.3.1 through 1.3.5 is vulnerable to possible ...) NOT-FOR-US: IBM CVE-2019-4215 (IBM SmartCloud Analytics 1.3.1 through 1.3.5 could allow a remote atta ...) NOT-FOR-US: IBM CVE-2019-4214 (IBM SmartCloud Analytics 1.3.1 through 1.3.5 does not set the secure a ...) NOT-FOR-US: IBM CVE-2019-4213 RESERVED CVE-2019-4212 (IBM QRadar SIEM 7.2 and 7.3 is vulnerable to cross-site request forger ...) NOT-FOR-US: IBM CVE-2019-4211 (IBM QRadar SIEM 7.2 and 7.3 is vulnerable to cross-site scripting. Thi ...) NOT-FOR-US: IBM CVE-2019-4210 (IBM QRadar SIEM 7.3.2 could allow a user to bypass authentication expo ...) NOT-FOR-US: IBM CVE-2019-4209 (HCL Connections v5.5, v6.0, and v6.5 contains an open redirect vulnera ...) NOT-FOR-US: HCL CVE-2019-4208 (IBM TRIRIGA Application Platform 3.5.3 and 3.6.0 is vulnerable to an X ...) NOT-FOR-US: IBM CVE-2019-4207 (IBM TRIRIGA Application Platform 3.5.3 and 3.6.0 may disclose sensitiv ...) NOT-FOR-US: IBM CVE-2019-4206 RESERVED CVE-2019-4205 RESERVED CVE-2019-4204 (IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, and 19. ...) NOT-FOR-US: IBM CVE-2019-4203 (IBM API Connect 5.0.0.0 and 5.0.8.6 Developer Portal can be exploited ...) NOT-FOR-US: IBM CVE-2019-4202 (IBM API Connect 5.0.0.0 and 5.0.8.6 Developer Portal is vulnerable to ...) NOT-FOR-US: IBM CVE-2019-4201 (IBM Jazz for Service Management 1.1.3, 1.1.3.1, and 1.1.3.2 could allo ...) NOT-FOR-US: IBM CVE-2019-4200 RESERVED CVE-2019-4199 RESERVED CVE-2019-4198 RESERVED CVE-2019-4197 RESERVED CVE-2019-4196 RESERVED CVE-2019-4195 RESERVED CVE-2019-4194 (IBM Jazz for Service Management 1.1.3, 1.1.3.1, and 1.1.3.2 is missing ...) NOT-FOR-US: IBM CVE-2019-4193 (IBM Jazz for Service Management 1.1.3 and 1.1.3.2 stores sensitive inf ...) NOT-FOR-US: IBM CVE-2019-4192 RESERVED CVE-2019-4191 RESERVED CVE-2019-4190 RESERVED CVE-2019-4189 RESERVED CVE-2019-4188 RESERVED CVE-2019-4187 RESERVED CVE-2019-4186 (IBM Jazz for Service Management 1.1.3 is vulnerable to HTTP header inj ...) NOT-FOR-US: IBM CVE-2019-4185 (IBM InfoSphere Information Server 11.7.1 containers are vulnerable to ...) NOT-FOR-US: IBM CVE-2019-4184 (IBM Jazz Reporting Service 6.0 through 6.0.6.1 is vulnerable to cross- ...) NOT-FOR-US: IBM CVE-2019-4183 (IBM Cognos Analytics 11.0, and 11.1 is vulnerable to a denial of servi ...) NOT-FOR-US: IBM CVE-2019-4182 RESERVED CVE-2019-4181 RESERVED CVE-2019-4180 RESERVED CVE-2019-4179 RESERVED CVE-2019-4178 (IBM Cognos Analytics 11 could allow a remote attacker to traverse dire ...) NOT-FOR-US: IBM CVE-2019-4177 (IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 allow ...) NOT-FOR-US: IBM CVE-2019-4176 (IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 could ...) NOT-FOR-US: IBM CVE-2019-4175 (IBM Cognos Controller 10.3.0, 10.3.1, 10.4.0, and 10.4.1 uses weaker t ...) NOT-FOR-US: IBM CVE-2019-4174 (IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 allow ...) NOT-FOR-US: IBM CVE-2019-4173 (IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 could ...) NOT-FOR-US: IBM CVE-2019-4172 RESERVED CVE-2019-4171 (IBM Cognos Controller 10.3.0, 10.3.1, 10.4.0, and 10.4.1 does not set ...) NOT-FOR-US: IBM CVE-2019-4170 RESERVED CVE-2019-4169 (IBM Open Power Firmware OP910 and OP920 could allow access to BMC via ...) NOT-FOR-US: IBM CVE-2019-4168 RESERVED CVE-2019-4167 (IBM StoredIQ 7.6.0 is vulnerable to cross-site request forgery which c ...) NOT-FOR-US: IBM CVE-2019-4166 (IBM StoredIQ 7.6 could allow a remote attacker to conduct phishing att ...) NOT-FOR-US: IBM CVE-2019-4165 (IBM StoreIQ 7.6.0.0. through 7.6.0.18 could allow a remote attacker to ...) NOT-FOR-US: IBM CVE-2019-4164 RESERVED CVE-2019-4163 (IBM StoreIQ 7.6.0.0. through 7.6.0.18 could allow an authenticated use ...) NOT-FOR-US: IBM CVE-2019-4162 (IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, and 1.0.2 is missi ...) NOT-FOR-US: IBM CVE-2019-4161 (IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, and 1.0.2 disclose ...) NOT-FOR-US: IBM CVE-2019-4160 RESERVED CVE-2019-4159 REJECTED CVE-2019-4158 (IBM Security Access Manager 9.0.1 through 9.0.6 does not prove that a ...) NOT-FOR-US: IBM CVE-2019-4157 (IBM Security Access Manager 9.0.1 through 9.0.6 is vulnerable to cross ...) NOT-FOR-US: IBM CVE-2019-4156 (IBM Security Access Manager 9.0.1 through 9.0.6 uses weaker than expec ...) NOT-FOR-US: IBM CVE-2019-4155 (IBM API Connect's Developer Portal 2018.1 and 2018.4.1.3 is impacted b ...) NOT-FOR-US: IBM CVE-2019-4154 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2019-4153 (IBM Security Access Manager 9.0.1 through 9.0.6 could allow a remote a ...) NOT-FOR-US: IBM CVE-2019-4152 (IBM Security Access Manager 9.0.1 through 9.0.6 does not invalidate se ...) NOT-FOR-US: IBM CVE-2019-4151 (IBM Security Access Manager 9.0.1 through 9.0.6 uses weaker than expec ...) NOT-FOR-US: IBM CVE-2019-4150 (IBM Security Access Manager 9.0.1 through 9.0.6 does not validate, or ...) NOT-FOR-US: IBM CVE-2019-4149 (IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2 and IBM B ...) NOT-FOR-US: IBM CVE-2019-4148 (IBM Sterling B2B Integrator Standard Edition 6.0.0.0 and 6.0.0.1 is vu ...) NOT-FOR-US: IBM CVE-2019-4147 (IBM Sterling File Gateway 2.2.0.0 through 6.0.1.0 is vulnerable to SQL ...) NOT-FOR-US: IBM CVE-2019-4146 (IBM Sterling B2B Integrator Standard Edition 6.0.0.0 and 6.0.0.1 could ...) NOT-FOR-US: IBM CVE-2019-4145 (IBM Security Access Manager 9.0.1 through 9.0.6 could reveal highly se ...) NOT-FOR-US: IBM CVE-2019-4144 RESERVED CVE-2019-4143 (The IBM Cloud Private Key Management Service (IBM Cloud Private 3.1.1 ...) NOT-FOR-US: IBM CVE-2019-4142 (IBM Cloud Private 2.1.0, 3.1.0, 3.1.1, and 3.1.2 is vulnerable to cros ...) NOT-FOR-US: IBM CVE-2019-4141 (IBM MQ 7.1.0.0 - 7.1.0.9, 7.5.0.0 - 7.5.0.9, 8.0.0.0 - 8.0.0.11, 9.0.0 ...) NOT-FOR-US: IBM CVE-2019-4140 (IBM Tivoli Storage Manager Server (IBM Spectrum Protect 7.1 and 8.1) c ...) NOT-FOR-US: IBM CVE-2019-4139 (IBM Cognos Analytics 11.0, 11.1.0, and 11.1.1 is vulnerable to cross-s ...) NOT-FOR-US: IBM CVE-2019-4138 (IBM Tivoli Storage Productivity Center 5.2.13 through 5.3.0.1 could al ...) NOT-FOR-US: IBM CVE-2019-4137 (IBM Tivoli Storage Productivity Center 5.2.13 through 5.3.0.1 is vulne ...) NOT-FOR-US: IBM CVE-2019-4136 (IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 is vu ...) NOT-FOR-US: IBM CVE-2019-4135 (IBM Security Access Manager 9.0.1 through 9.0.6 is affected by a secur ...) NOT-FOR-US: IBM CVE-2019-4134 (IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2019-4133 (IBM Cloud Automation Manager 3.1.2 could allow a malicious user on the ...) NOT-FOR-US: IBM CVE-2019-4132 (IBM Cloud Automation Manager 3.1.2 could allow a user to be impropertl ...) NOT-FOR-US: IBM CVE-2019-4131 (IBM Application Performance Management (IBM Monitoring 8.1.4) could al ...) NOT-FOR-US: IBM CVE-2019-4130 (IBM Cloud Pak System 2.3 and 2.3.0.1 could allow a remote attacker to ...) NOT-FOR-US: IBM CVE-2019-4129 (IBM Spectrum Protect Operations Center 7.1 and 8.1 could allow a remot ...) NOT-FOR-US: IBM CVE-2019-4128 RESERVED CVE-2019-4127 RESERVED CVE-2019-4126 RESERVED CVE-2019-4125 RESERVED CVE-2019-4124 RESERVED CVE-2019-4123 RESERVED CVE-2019-4122 RESERVED CVE-2019-4121 RESERVED CVE-2019-4120 (IBM Cloud Private 3.1.1 and 3.1.2 is vulnerable to cross-site scriptin ...) NOT-FOR-US: IBM CVE-2019-4119 (IBM Cloud Private Kubernetes API server 2.1.0, 3.1.0, 3.1.1, and 3.1.2 ...) NOT-FOR-US: IBM CVE-2019-4118 (IBM Multicloud Manager 3.1.0, 3.1.1, and 3.1.2 ibm-mcm-chart could all ...) NOT-FOR-US: IBM CVE-2019-4117 (IBM Cloud Private 3.1.1 and 3.1.2 is vulnerable to cross-site request ...) NOT-FOR-US: IBM CVE-2019-4116 (IBM Cloud Private 2.1.0, 3.1.0, and 3.1.1 could disclose highly sensit ...) NOT-FOR-US: IBM CVE-2019-4115 (IBM WebSphere eXtreme Scale 8.6 Admin API is vulnerable to cross-site ...) NOT-FOR-US: IBM CVE-2019-4114 RESERVED CVE-2019-4113 RESERVED CVE-2019-4112 (IBM WebSphere eXtreme Scale 8.6 Admin Console allows web pages to be s ...) NOT-FOR-US: IBM CVE-2019-4111 RESERVED CVE-2019-4110 RESERVED CVE-2019-4109 (IBM WebSphere eXtreme Scale 8.6 Admin Console could allow a remote att ...) NOT-FOR-US: IBM CVE-2019-4108 RESERVED CVE-2019-4107 RESERVED CVE-2019-4106 (IBM WebSphere eXtreme Scale 8.6 Admin Console is vulnerable to cross-s ...) NOT-FOR-US: IBM CVE-2019-4105 RESERVED CVE-2019-4104 RESERVED CVE-2019-4103 (IBM Tivoli Netcool/Impact 7.1.0 allows for remote execution of command ...) NOT-FOR-US: IBM CVE-2019-4102 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2019-4101 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 10.1 ...) NOT-FOR-US: IBM CVE-2019-4100 RESERVED CVE-2019-4099 RESERVED CVE-2019-4098 (IBM Cloud Pak System 2.3 and 2.3.0.1 is vulnerable to cross-site scrip ...) NOT-FOR-US: IBM CVE-2019-4097 RESERVED CVE-2019-4096 RESERVED CVE-2019-4095 (IBM Cloud Pak System 2.3 is vulnerable to cross-site request forgery w ...) NOT-FOR-US: IBM CVE-2019-4094 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2019-4093 (IBM Tivoli Storage Manager (IBM Spectrum Protect 8.1.7) could allow a ...) NOT-FOR-US: IBM CVE-2019-4092 (IBM Content Navigator 2.0.3 and 3.0CD could allow a remote attacker to ...) NOT-FOR-US: IBM CVE-2019-4091 RESERVED CVE-2019-4090 RESERVED CVE-2019-4089 RESERVED CVE-2019-4088 (IBM Spectrum Protect Servers 7.1 and 8.1 and Storage Agents could allo ...) NOT-FOR-US: IBM CVE-2019-4087 (IBM Spectrum Protect Servers 7.1 and 8.1 and Storage Agents are vulner ...) NOT-FOR-US: IBM CVE-2019-4086 (IBM Cloud Application Performance Management 8.1.4 could allow a remot ...) NOT-FOR-US: IBM CVE-2019-4085 RESERVED CVE-2019-4084 (IBM Jazz Foundation products (IBM Rational Collaborative Lifecycle Man ...) NOT-FOR-US: IBM CVE-2019-4083 (IBM Jazz Foundation products (IBM Rational Collaborative Lifecycle Man ...) NOT-FOR-US: IBM CVE-2019-4082 RESERVED CVE-2019-4081 RESERVED CVE-2019-4080 (IBM WebSphere Application Server Admin Console 7.5, 8.0, 8.5, and 9.0 ...) NOT-FOR-US: IBM CVE-2019-4079 RESERVED CVE-2019-4078 (IBM WebSphere MQ 8.0.0.0 through 8.0.0.9 and 9.0.0.0 through 9.1.1 cou ...) NOT-FOR-US: IBM CVE-2019-4077 (IBM Sterling B2B Integrator Standard Edition 6.0.0.0 and 6.0.0.1 is vu ...) NOT-FOR-US: IBM CVE-2019-4076 (IBM Sterling B2B Integrator Standard Edition 6.0.0.0 and 6.0.0.1 is vu ...) NOT-FOR-US: IBM CVE-2019-4075 (IBM Sterling B2B Integrator Standard Edition 6.0.0.0 and 6.0.0.1 is vu ...) NOT-FOR-US: IBM CVE-2019-4074 (IBM Sterling B2B Integrator Standard Edition 6.0.0.0 and 6.0.0.1 is vu ...) NOT-FOR-US: IBM CVE-2019-4073 (IBM Sterling B2B Integrator Standard Edition 6.0.0.0 and 6.0.0.1 is vu ...) NOT-FOR-US: IBM CVE-2019-4072 (IBM Tivoli Storage Productivity Center (IBM Spectrum Control Standard ...) NOT-FOR-US: IBM CVE-2019-4071 (IBM Tivoli Storage Productivity Center (IBM Spectrum Control Standard ...) NOT-FOR-US: IBM CVE-2019-4070 (IBM Intelligent Operations Center (IOC) 5.1.0 through 5.2.0 is vulnera ...) NOT-FOR-US: IBM CVE-2019-4069 (IBM Intelligent Operations Center (IOC) 5.1.0 through 5.2.0 does not p ...) NOT-FOR-US: IBM CVE-2019-4068 (IBM Intelligent Operations Center (IOC) 5.1.0 through 5.2.0 is vulnera ...) NOT-FOR-US: IBM CVE-2019-4067 (IBM Intelligent Operations Center (IOC) 5.1.0 through 5.2.0 does not r ...) NOT-FOR-US: IBM CVE-2019-4066 (IBM Intelligent Operations Center (IOC) 5.1.0 through 5.2.0 could allo ...) NOT-FOR-US: IBM CVE-2019-4065 RESERVED CVE-2019-4064 RESERVED CVE-2019-4063 (IBM Sterling B2B Integrator 5.2.0.1 through 6.0.0.0 Standard Edition c ...) NOT-FOR-US: IBM CVE-2019-4062 (IBM i2 Intelligent Analyis Platform 9.0.0 through 9.1.1 is vulnerable ...) NOT-FOR-US: IBM CVE-2019-4061 (IBM BigFix Platform 9.2 and 9.5 could allow an attacker to query the r ...) NOT-FOR-US: IBM CVE-2019-4060 RESERVED CVE-2019-4059 (IBM Rational ClearCase 1.0.0.0 GIT connector does not sufficiently pro ...) NOT-FOR-US: IBM CVE-2019-4058 (IBM BigFix Platform 9.2 and 9.5 could allow a low-privilege user to ma ...) NOT-FOR-US: IBM CVE-2019-4057 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2019-4056 (IBM Maximo Asset Management 7.6 Work Centers' application does not val ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2019-4055 (IBM MQ 8.0.0.0 through 8.0.0.10, 9.0.0.0 through 9.0.0.5, and 9.1.0.0 ...) NOT-FOR-US: IBM CVE-2019-4054 (IBM QRadar SIEM 7.2 and 7.3 could allow a local user to obtain sensiti ...) NOT-FOR-US: IBM CVE-2019-4053 RESERVED CVE-2019-4052 (IBM API Connect 2018.1 and 2018.4.1.2 apis can be leveraged by unauthe ...) NOT-FOR-US: IBM CVE-2019-4051 (Some URIs in IBM API Connect 2018.1 and 2018.4.1.3 disclose system spe ...) NOT-FOR-US: IBM CVE-2019-4050 RESERVED CVE-2019-4049 (IBM MQ 9.1.0.0, 9.1.0.1, 9.1.1, and 9.1.0.2 is vulnerable to a denial ...) NOT-FOR-US: IBM CVE-2019-4048 (IBM Maximo Asset Management 7.6 could allow a physical user of the sys ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2019-4047 (IBM Jazz Reporting Service (JRS) 6.0.6 could allow an authenticated us ...) NOT-FOR-US: IBM CVE-2019-4046 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable ...) NOT-FOR-US: IBM CVE-2019-4045 (IBM Business Automation Workflow and IBM Business Process Manager 18.0 ...) NOT-FOR-US: IBM CVE-2019-4044 RESERVED CVE-2019-4043 (IBM Sterling B2B Integrator Standard Edition 5.2.0 snf 6.0.0.0 is vuln ...) NOT-FOR-US: IBM CVE-2019-4042 RESERVED CVE-2019-4041 RESERVED CVE-2019-4040 (IBM I 7.2 and 7.3 is vulnerable to cross-site scripting. This vulnerab ...) NOT-FOR-US: IBM CVE-2019-4039 (IBM WebSphere MQ 8.0.0.0 through 8.0.0.9 and 9.0.0.0 through 9.1.1 cou ...) NOT-FOR-US: IBM CVE-2019-4038 (IBM Security Identity Manager 6.0 and 7.0 could allow an attacker to c ...) NOT-FOR-US: IBM CVE-2019-4037 RESERVED CVE-2019-4036 (IBM Security Access Manager Appliance could allow unauthenticated atta ...) NOT-FOR-US: IBM CVE-2019-4035 (IBM Content Navigator 3.0CD could allow attackers to direct web traffi ...) NOT-FOR-US: IBM CVE-2019-4034 (IBM Content Navigator 3.0CD is could allow an attacker to execute arbi ...) NOT-FOR-US: IBM CVE-2019-4033 (IBM Content Navigator 2.0.3 and 3.0CD is vulnerable to cross-site scri ...) NOT-FOR-US: IBM CVE-2019-4032 (IBM Financial Transaction Manager for Digital Payments for Multi-Platf ...) NOT-FOR-US: IBM CVE-2019-4031 (IBM Workload Scheduler Distributed 9.2, 9.3, 9.4, and 9.5 contains a v ...) NOT-FOR-US: IBM CVE-2019-4030 (IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-si ...) NOT-FOR-US: IBM CVE-2019-4029 (IBM Sterling B2B Integrator 5.2.0.1 through 6.0.0.0 is vulnerable to c ...) NOT-FOR-US: IBM CVE-2019-4028 (IBM Sterling B2B Integrator 5.2.0.1 through 6.0.0.0 is vulnerable to c ...) NOT-FOR-US: IBM CVE-2019-4027 (IBM Sterling B2B Integrator 5.2.0.1 through 6.0.0.0 is vulnerable to c ...) NOT-FOR-US: IBM CVE-2019-4026 RESERVED CVE-2019-4025 RESERVED CVE-2019-4024 RESERVED CVE-2019-4023 RESERVED CVE-2019-4022 RESERVED CVE-2019-4021 RESERVED CVE-2019-4020 RESERVED CVE-2019-4019 RESERVED CVE-2019-4018 RESERVED CVE-2019-4017 RESERVED CVE-2019-4016 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2019-4015 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2019-4014 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2019-4013 (IBM BigFix Platform 9.5 could allow any authenticated user to upload a ...) NOT-FOR-US: IBM CVE-2019-4012 (IBM BigFix WebUI Profile Management 6 and Software Distribution 23 is ...) NOT-FOR-US: IBM CVE-2019-4011 (IBM BigFix Platform 9.2 and 9.5 is vulnerable to cross-site scripting. ...) NOT-FOR-US: IBM CVE-2019-4010 RESERVED CVE-2019-4009 RESERVED CVE-2019-4008 (API Connect V2018.1 through 2018.4.1.1 is impacted by access token lea ...) NOT-FOR-US: IBM CVE-2019-4007 RESERVED CVE-2019-4006 RESERVED CVE-2019-4005 RESERVED CVE-2019-4004 RESERVED CVE-2019-4003 RESERVED CVE-2019-4002 RESERVED CVE-2019-4001 (Improper input validation in Druva inSync Client 6.5.0 allows a local, ...) NOT-FOR-US: Druva inSync Client CVE-2019-4000 (Improper neutralization of directives in dynamically evaluated code in ...) NOT-FOR-US: Druva inSync Mac OS Client CVE-2019-3999 (Improper neutralization of special elements used in an OS command in D ...) NOT-FOR-US: Druva inSync Windows Client CVE-2019-3998 (Authentication bypass using an alternate path or channel in SimpliSafe ...) NOT-FOR-US: SimpliSafe SS3 firmware CVE-2019-3997 (Authentication bypass using an alternate path or channel in SimpliSafe ...) NOT-FOR-US: SimpliSafe SS3 firmware CVE-2019-3996 (ELOG 3.1.4-57bea22 and below can be used as an HTTP GET request proxy ...) NOT-FOR-US: Electronic Logbook (ELOG) CVE-2019-3995 (ELOG 3.1.4-57bea22 and below is affected by a denial of service vulner ...) NOT-FOR-US: Electronic Logbook (ELOG) CVE-2019-3994 (ELOG 3.1.4-57bea22 and below is affected by a denial of service vulner ...) NOT-FOR-US: Electronic Logbook (ELOG) CVE-2019-3993 (ELOG 3.1.4-57bea22 and below is affected by an information disclosure ...) NOT-FOR-US: Electronic Logbook (ELOG) CVE-2019-3992 (ELOG 3.1.4-57bea22 and below is affected by an information disclosure ...) NOT-FOR-US: Electronic Logbook (ELOG) CVE-2019-3991 RESERVED CVE-2019-3990 (A User Enumeration flaw exists in Harbor. The issue is present in the ...) NOT-FOR-US: Harbor CVE-2019-3989 (Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attacker ...) NOT-FOR-US: Blink XT2 CVE-2019-3988 (Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attacker ...) NOT-FOR-US: Blink XT2 CVE-2019-3987 (Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attacker ...) NOT-FOR-US: Blink XT2 CVE-2019-3986 (Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attacker ...) NOT-FOR-US: Blink XT2 CVE-2019-3985 (Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attacker ...) NOT-FOR-US: Blink XT2 CVE-2019-3984 (Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attacker ...) NOT-FOR-US: Blink XT2 Sync Module firmware CVE-2019-3983 (Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attacker ...) NOT-FOR-US: Blink XT2 CVE-2019-3982 (Nessus versions 8.6.0 and earlier were found to contain a Denial of Se ...) NOT-FOR-US: Nessus CVE-2019-3981 (MikroTik Winbox 3.20 and below is vulnerable to man in the middle atta ...) NOT-FOR-US: MikroTik Winbox CVE-2019-3980 (The Solarwinds Dameware Mini Remote Client agent v12.1.0.89 supports s ...) NOT-FOR-US: Solarwinds CVE-2019-3979 (RouterOS versions 6.45.6 Stable, 6.44.5 Long-term, and below are vulne ...) NOT-FOR-US: RouterOS CVE-2019-3978 (RouterOS versions 6.45.6 Stable, 6.44.5 Long-term, and below allow rem ...) NOT-FOR-US: RouterOS CVE-2019-3977 (RouterOS 6.45.6 Stable, RouterOS 6.44.5 Long-term, and below insuffici ...) NOT-FOR-US: RouterOS CVE-2019-3976 (RouterOS 6.45.6 Stable, RouterOS 6.44.5 Long-term, and below are vulne ...) NOT-FOR-US: RouterOS CVE-2019-3975 (Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.1 allows ...) NOT-FOR-US: Advantech WebAccess/SCADA CVE-2019-3974 (Nessus 8.5.2 and earlier on Windows platforms were found to contain an ...) NOT-FOR-US: Nessus CVE-2019-3973 (Comodo Antivirus versions 11.0.0.6582 and below are vulnerable to Deni ...) NOT-FOR-US: Comodo Antivirus CVE-2019-3972 (Comodo Antivirus versions 12.0.0.6810 and below are vulnerable to Deni ...) NOT-FOR-US: Comodo Antivirus CVE-2019-3971 (Comodo Antivirus versions up to 12.0.0.6810 are vulnerable to a local ...) NOT-FOR-US: Comodo Antivirus CVE-2019-3970 (Comodo Antivirus versions up to 12.0.0.6810 are vulnerable to Arbitrar ...) NOT-FOR-US: Comodo Antivirus CVE-2019-3969 (Comodo Antivirus versions up to 12.0.0.6810 are vulnerable to Local Pr ...) NOT-FOR-US: Comodo Antivirus CVE-2019-3968 (In OpenEMR 5.0.1 and earlier, an authenticated attacker can execute ar ...) NOT-FOR-US: OpenEMR CVE-2019-3967 (In OpenEMR 5.0.1 and earlier, the patient file download interface cont ...) NOT-FOR-US: OpenEMR CVE-2019-3966 (In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS ...) NOT-FOR-US: OpenEMR CVE-2019-3965 (In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS ...) NOT-FOR-US: OpenEMR CVE-2019-3964 (In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS ...) NOT-FOR-US: OpenEMR CVE-2019-3963 (In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS ...) NOT-FOR-US: OpenEMR CVE-2019-3962 (Content Injection vulnerability in Tenable Nessus prior to 8.5.0 may a ...) NOT-FOR-US: Nessus CVE-2019-3961 (Nessus versions 8.4.0 and earlier were found to contain a reflected XS ...) NOT-FOR-US: Nessus CVE-2019-3960 (Unrestricted upload of file with dangerous type in WallacePOS 1.4.3 al ...) NOT-FOR-US: WallacePOS CVE-2019-3959 (Cross-site request forgery in WallacePOS 1.4.3 allows a remote attacke ...) NOT-FOR-US: WallacePOS CVE-2019-3958 (Insufficient output sanitization in WallacePOS 1.4.3 allows a remote, ...) NOT-FOR-US: WallacePOS CVE-2019-3957 (Dameware Remote Mini Control version 12.1.0.34 and prior contains an u ...) NOT-FOR-US: Dameware Remote Mini Control CVE-2019-3956 (Dameware Remote Mini Control version 12.1.0.34 and prior contains an u ...) NOT-FOR-US: Dameware Remote Mini Control CVE-2019-3955 (Dameware Remote Mini Control version 12.1.0.34 and prior contains a un ...) NOT-FOR-US: Dameware Remote Mini Control CVE-2019-3954 (Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0 allows ...) NOT-FOR-US: Advantech WebAccess/SCADA CVE-2019-3953 (Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0 allows ...) NOT-FOR-US: Advantech WebAccess/SCADA CVE-2019-3952 RESERVED CVE-2019-3951 (Advantech WebAccess before 8.4.3 allows unauthenticated remote attacke ...) NOT-FOR-US: Advantech WebAccess CVE-2019-3950 (Arlo Basestation firmware 1.12.0.1_27940 and prior contain a hardcoded ...) NOT-FOR-US: Arlo Basestation firmware CVE-2019-3949 (Arlo Basestation firmware 1.12.0.1_27940 and prior firmware contain a ...) NOT-FOR-US: Arlo Basestation firmware CVE-2019-3948 (The Amcrest IP2M-841B V2.520.AC00.18.R, Dahua IPC-XXBXX V2.622.0000000 ...) NOT-FOR-US: Amcrest IP2M-841B IP camera firmware CVE-2019-3947 (Fuji Electric V-Server before 6.0.33.0 stores database credentials in ...) NOT-FOR-US: Fuji Electric V-Server CVE-2019-3946 (Fuji Electric V-Server before 6.0.33.0 is vulnerable to denial of serv ...) NOT-FOR-US: Fuji Electric V-Server CVE-2019-3945 (Web server running on Parrot ANAFI can be crashed due to the SDK comma ...) NOT-FOR-US: Parrot ANAFI CVE-2019-3944 (Parrot ANAFI is vulnerable to Wi-Fi deauthentication attack, allowing ...) NOT-FOR-US: Parrot ANAFI CVE-2019-3943 (MikroTik RouterOS versions Stable 6.43.12 and below, Long-term 6.42.12 ...) NOT-FOR-US: MikroTik CVE-2019-3942 (Advantech WebAccess 8.3.4 does not properly restrict an RPC call that ...) NOT-FOR-US: Advantech WebAccess CVE-2019-3941 (Advantech WebAccess 8.3.4 allows unauthenticated, remote attackers to ...) NOT-FOR-US: Advantech WebAccess CVE-2019-3940 (Advantech WebAccess 8.3.4 is vulnerable to file upload attacks via una ...) NOT-FOR-US: Advantech WebAccess CVE-2019-3939 (Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 ...) NOT-FOR-US: Crestron AM-100 CVE-2019-3938 (Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 ...) NOT-FOR-US: Crestron AM-100 CVE-2019-3937 (Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 ...) NOT-FOR-US: Crestron AM-100 CVE-2019-3936 (Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 ...) NOT-FOR-US: Crestron AM-100 CVE-2019-3935 (Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 ...) NOT-FOR-US: Crestron AM-100 CVE-2019-3934 (Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 ...) NOT-FOR-US: Crestron AM-100 CVE-2019-3933 (Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 ...) NOT-FOR-US: Crestron AM-100 CVE-2019-3932 (Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 ...) NOT-FOR-US: Crestron AM-100 CVE-2019-3931 (Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 ...) NOT-FOR-US: Crestron AM-100 CVE-2019-3930 (The Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1 ...) NOT-FOR-US: Crestron AM-100 CVE-2019-3929 (The Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1 ...) NOT-FOR-US: Crestron AM-100 CVE-2019-3928 (Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 ...) NOT-FOR-US: Crestron AM-100 CVE-2019-3927 (Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 ...) NOT-FOR-US: Crestron AM-100 CVE-2019-3926 (Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 ...) NOT-FOR-US: Crestron AM-100 CVE-2019-3925 (Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 ...) NOT-FOR-US: Crestron AM-100 CVE-2019-3924 (MikroTik RouterOS before 6.43.12 (stable) and 6.42.12 (long-term) is v ...) NOT-FOR-US: MikroTik CVE-2019-3923 (Nessus versions 8.2.1 and earlier were found to contain a stored XSS v ...) NOT-FOR-US: Nessus CVE-2019-3922 (The Alcatel Lucent I-240W-Q GPON ONT using firmware version 3FE54567BO ...) NOT-FOR-US: Alcatel Lucent CVE-2019-3921 (The Alcatel Lucent I-240W-Q GPON ONT using firmware version 3FE54567BO ...) NOT-FOR-US: Alcatel Lucent CVE-2019-3920 (The Alcatel Lucent I-240W-Q GPON ONT using firmware version 3FE54567BO ...) NOT-FOR-US: Alcatel Lucent CVE-2019-3919 (The Alcatel Lucent I-240W-Q GPON ONT using firmware version 3FE54567BO ...) NOT-FOR-US: Alcatel Lucent CVE-2019-3918 (The Alcatel Lucent I-240W-Q GPON ONT using firmware version 3FE54567BO ...) NOT-FOR-US: Alcatel Lucent CVE-2019-3917 (The Alcatel Lucent I-240W-Q GPON ONT using firmware version 3FE54567BO ...) NOT-FOR-US: Alcatel Lucent CVE-2019-3916 (Information disclosure vulnerability in Verizon Fios Quantum Gateway ( ...) NOT-FOR-US: Verizon CVE-2019-3915 (Authentication Bypass by Capture-replay vulnerability in Verizon Fios ...) NOT-FOR-US: Verizon CVE-2019-3914 (Remote command injection vulnerability in Verizon Fios Quantum Gateway ...) NOT-FOR-US: Verizon CVE-2019-3913 (Command manipulation in LabKey Server Community Edition before 18.3.0- ...) NOT-FOR-US: LabKey Server CVE-2019-3912 (An open redirect vulnerability in LabKey Server Community Edition befo ...) NOT-FOR-US: LabKey Server CVE-2019-3911 (Reflected cross-site scripting (XSS) vulnerability in LabKey Server Co ...) NOT-FOR-US: LabKey Server CVE-2019-3910 (Crestron AM-100 before firmware version 1.6.0.2 contains an authentica ...) NOT-FOR-US: Creston CVE-2019-3909 (Premisys Identicard version 3.1.190 database uses default credentials. ...) NOT-FOR-US: Premisys Identicard CVE-2019-3908 (Premisys Identicard version 3.1.190 stores backup files as encrypted z ...) NOT-FOR-US: Premisys Identicard CVE-2019-3907 (Premisys Identicard version 3.1.190 stores user credentials and other ...) NOT-FOR-US: Premisys Identicard CVE-2019-3906 (Premisys Identicard version 3.1.190 contains hardcoded credentials in ...) NOT-FOR-US: Premisys Identicard CVE-2018-20669 (An issue where a provided address with access_ok() is not checked was ...) - linux 5.2.6-1 (unimportant) NOTE: Fixed by: https://git.kernel.org/linus/594cc251fdd0d231d342d88b2fdff4bc42fb0690 CVE-2018-20668 RESERVED CVE-2018-20667 RESERVED CVE-2018-20666 RESERVED CVE-2018-20665 RESERVED CVE-2019-3905 (Zoho ManageEngine ADSelfService Plus 5.x before build 5703 has SSRF. ...) NOT-FOR-US: Zoho ManageEngine ADSelfService Plus CVE-2019-3904 RESERVED CVE-2019-3903 RESERVED CVE-2019-3902 (A flaw was found in Mercurial before 4.9. It was possible to use symli ...) {DLA-1764-1} - mercurial 4.9-1 (bug #927674) [buster] - mercurial 4.8.2-1+deb10u1 NOTE: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.9_.282019-02-01.29 NOTE: https://www.mercurial-scm.org/repo/hg/rev/6c10eba6b9cd NOTE: https://www.mercurial-scm.org/repo/hg/rev/31286c9282df NOTE: https://www.mercurial-scm.org/repo/hg/rev/83377b4b4ae0 CVE-2019-3901 (A race condition in perf_event_open() allows local attackers to leak s ...) {DLA-1799-1} - linux 4.6.1-1 NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=807 NOTE: Fixed by: https://git.kernel.org/linus/79c9ce57eb2d5f1497546a3946b4ae21b6fdc438 CVE-2019-3900 (An infinite loop issue was found in the vhost_net kernel module in Lin ...) {DSA-4497-1 DLA-1885-1 DLA-1884-1} - linux 5.2.6-1 [buster] - linux 4.19.67-1 CVE-2019-3899 (It was found that default configuration of Heketi does not require any ...) - heketi (bug #903384) CVE-2019-3898 RESERVED CVE-2019-3897 RESERVED NOT-FOR-US: redhat-certification CVE-2019-3896 (A double-free can happen in idr_remove_all() in lib/idr.c in the Linux ...) - linux 3.2.41-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1694812 CVE-2019-3895 (An access-control flaw was found in the Octavia service when the cloud ...) - octavia (Fixed before initial upload to the archive) NOTE: https://bugs.launchpad.net/octavia/+bug/1620629 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1694608 CVE-2019-3894 (It was discovered that the ElytronManagedThread in Wildfly's Elytron s ...) - wildfly (bug #752018) CVE-2019-3893 (In Foreman it was discovered that the delete compute resource operatio ...) - foreman (bug #663101) CVE-2019-3892 REJECTED CVE-2019-3891 (It was discovered that a world-readable log file belonging to Candlepi ...) NOT-FOR-US: Candlepin CVE-2019-3890 (It was discovered evolution-ews before 3.31.3 does not check the valid ...) [experimental] - evolution-ews 3.31.90-1 - evolution-ews 3.30.5-1.1 (bug #926712) [stretch] - evolution-ews (Minor issue) [jessie] - evolution-ews (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/evolution-ews/issues/27 NOTE: https://gitlab.gnome.org/GNOME/evolution-ews/issues/36 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1678313 NOTE: https://gitlab.gnome.org/GNOME/evolution-ews/commit/915226eca9454b8b3e5adb6f2fff9698451778de NOTE: Depends on evolution-data-server patch: https://gitlab.gnome.org/GNOME/evolution-data-server/commit/6672b8236139bd6ef41ecb915f4c72e2a052dba5 CVE-2019-3889 (A reflected XSS vulnerability exists in authorization flow of OpenShif ...) NOT-FOR-US: OpenShift CVE-2019-3888 (A vulnerability was found in Undertow web server before 2.0.21. An inf ...) - undertow 2.0.23-1 (bug #930349) NOTE: https://github.com/undertow-io/undertow/pull/736 CVE-2019-3887 (A flaw was found in the way KVM hypervisor handled x2APIC Machine Spec ...) - linux 4.19.37-1 [stretch] - linux (Vulnerability introduced later) [jessie] - linux (Vulnerability introduced later) NOTE: Fixed by: https://git.kernel.org/linus/acff78477b9b4f26ecdf65733a4ed77fe837e9dc NOTE: Fixed by: https://git.kernel.org/linus/c73f4c998e1fd4249b9edfa39e23f4fda2b9b041 CVE-2016-10746 (libvirt-domain.c in libvirt before 1.3.1 supports virDomainGetTime API ...) {DLA-1772-1} - libvirt 1.3.1-1 NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=506e9d6c2d4baaf580d489fff0690c0ff2ff588f (v1.3.1-rc1) CVE-2019-3886 (An incorrect permissions check was discovered in libvirt 4.8.0 and abo ...) - libvirt 5.0.0-2 (low; bug #926418) [stretch] - libvirt (Vulnerable code not present) [jessie] - libvirt (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1694880 NOTE: https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1131595#c3 NOTE: Introduced in: https://libvirt.org/git/?p=libvirt.git;a=commit;h=25736a4c7ed50c101b4f87935f350f1a39a89f6e (v4.8.0-rc1) NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=2a07c990bd9143d7a0fe8d1b6b7c763c52185240 NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=ae076bb40e0e150aef41361b64001138d04d6c60 CVE-2019-3885 (A use-after-free flaw was found in pacemaker up to and including versi ...) - pacemaker 2.0.1-3 (bug #927714) [stretch] - pacemaker (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2019/04/17/1 NOTE: https://github.com/ClusterLabs/pacemaker/pull/1749 (master) NOTE: https://github.com/ClusterLabs/pacemaker/pull/1750 (1.1) NOTE: https://lists.clusterlabs.org/pipermail/users/2019-May/025822.html CVE-2019-3884 (A vulnerability exists in the garbage collection mechanism of atomic-o ...) NOT-FOR-US: atomic-openshift CVE-2019-3883 (In 389-ds-base up to version 1.4.1.2, requests are handled by workers ...) {DLA-1779-1} - 389-ds-base 1.4.1.5-1 (bug #927939) [buster] - 389-ds-base (Minor issue) [stretch] - 389-ds-base (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1693612 NOTE: https://pagure.io/389-ds-base/issue/50329 NOTE: https://pagure.io/389-ds-base/c/4d9cc24da (master) NOTE: https://pagure.io/389-ds-base/c/fcf2b5ddb (389-ds-base-1.4.0) NOTE: https://pagure.io/389-ds-base/c/dd4b69b55 (389-ds-base-1.3.9) NOTE: Patch was applied upstream but then reverted again, as it introduces NOTE: regressions: NOTE: https://pagure.io/389-ds-base/c/f35ad37100ab5915445d6d37f8921dd46f83656e NOTE: Fixed properly via: NOTE: https://pagure.io/389-ds-base/pull-request/50398 NOTE: https://pagure.io/389-ds-base/c/f20e982c68a700b5ba2c41e5b6f3cdeb5fcb5fab (389-ds-base-1.4.1.4) NOTE: https://pagure.io/389-ds-base/c/7b0e7f6f51f6a117f6a40aa3967cad656eafb811 (389-ds-base-1.4.0.24) NOTE: https://pagure.io/389-ds-base/c/33ac4f5a78d1a42385d1c011d88cef26771e99f5 (389-ds-base-1.3.9 branch) CVE-2019-3882 (A flaw was found in the Linux kernel's vfio interface implementation t ...) {DSA-4497-1 DLA-1885-1 DLA-1799-1} - linux 4.19.37-1 NOTE: https://www.openwall.com/lists/oss-security/2019/04/03/1 NOTE: https://lore.kernel.org/lkml/155414977872.12780.13728555131525362206.stgit@gimli.home/T/#u NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1689426 NOTE: Fixed by: https://git.kernel.org/linus/492855939bdb59c6f947b0b5b44af9ad82b7e38c CVE-2019-3881 [tmp_home_path insecure] RESERVED - bundler 1.16.1-2 (bug #881749; bug #796383) [stretch] - bundler (Minor issue) [jessie] - bundler (This version just uses mktmpdir which creates temporary directories with 0700 permissions by default.) NOTE: Upstream issue: https://github.com/bundler/bundler/issues/6501 NOTE: https://salsa.debian.org/ruby-team/bundler/blob/debian/1.16.1-2/debian/patches/0006-Don-t-use-insecure-temporary-directory-as-home-direc.patch NOTE: https://salsa.debian.org/ruby-team/bundler/blob/debian/1.16.1-2/debian/patches/0007-Remove-temporary-home-directories.patch CVE-2019-3880 (A flaw was found in the way samba implemented an RPC endpoint emulatin ...) {DSA-4427-1 DLA-1754-1} - samba 2:4.9.5+dfsg-3 NOTE: https://www.samba.org/samba/security/CVE-2019-3880.html CVE-2019-3879 (It was discovered that in the ovirt's REST API before version 4.3.2.1, ...) NOT-FOR-US: ovirt-engine CVE-2019-3878 (A vulnerability was found in mod_auth_mellon before v0.14.2. If Apache ...) {DSA-4414-1} - libapache2-mod-auth-mellon 0.14.2-1 (bug #925197) [jessie] - libapache2-mod-auth-mellon (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1576719 NOTE: https://github.com/Uninett/mod_auth_mellon/pull/196 NOTE: https://github.com/Uninett/mod_auth_mellon/commit/e09a28a30e13e5c22b481010f26b4a7743a09280 CVE-2019-3877 (A vulnerability was found in mod_auth_mellon before v0.14.2. An open r ...) {DSA-4414-1} - libapache2-mod-auth-mellon 0.14.2-1 [jessie] - libapache2-mod-auth-mellon (Open redirect protection not present in the first place) NOTE: https://github.com/Uninett/mod_auth_mellon/commit/62041428a32de402e0be6ba45fe12df6a83bedb8 CVE-2019-3876 (A flaw was found in the /oauth/token/request custom endpoint of the Op ...) NOT-FOR-US: Openshift OAuth server CVE-2019-3875 (A vulnerability was found in keycloak before 6.0.2. The X.509 authenti ...) NOT-FOR-US: Keycloak CVE-2019-3874 (The SCTP socket buffer used by a userspace application is not accounte ...) - linux 5.2.6-1 [buster] - linux (Minor issue) [stretch] - linux (Minor issue) [jessie] - linux (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1686373 CVE-2019-3873 (It was found that Picketlink as shipped with Jboss Enterprise Applicat ...) NOT-FOR-US: Picketlink CVE-2019-3872 (It was found that a SAMLRequest containing a script could be processed ...) NOT-FOR-US: Picketlink CVE-2019-3871 (A vulnerability was found in PowerDNS Authoritative Server before 4.0. ...) {DSA-4424-1 DLA-1737-1} - pdns 4.1.6-2 (bug #924966) NOTE: https://github.com/PowerDNS/pdns/issues/7573 NOTE: https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html NOTE: Patches: https://downloads.powerdns.com/patches/2019-03/ CVE-2019-3870 (A vulnerability was found in Samba from version (including) 4.9 to ver ...) - samba 2:4.9.5+dfsg-3 [stretch] - samba (Vulnerable code not present) [jessie] - samba (Vulnerable code not present) NOTE: https://www.samba.org/samba/security/CVE-2019-3870.html CVE-2019-3869 (When running Tower before 3.4.3 on OpenShift or Kubernetes, applicatio ...) NOT-FOR-US: Ansible Tower CVE-2019-3868 (Keycloak up to version 6.0.0 allows the end user token (access or id t ...) NOT-FOR-US: Keycloak CVE-2019-3867 RESERVED NOT-FOR-US: OpenShift (web-cosnole issue specific to OpenShift only) CVE-2019-3866 (An information-exposure vulnerability was discovered where openstack-m ...) - python-oslo.utils 3.41.3-1 (low; bug #946060) [buster] - python-oslo.utils 3.36.5-0+deb10u1 [stretch] - python-oslo.utils (Minor issue; can be fixed via point release) [jessie] - python-oslo.utils (regex pattern rewrite) - python-mistral-lib 1.2.0-3 [buster] - python-mistral-lib (Minor issue) - mistral 5.1.0-2 [stretch] - mistral (Minor issue; can be fixed via point release) NOTE: In mistral/5.0.0 the problematic code was moved to the python library. NOTE: To be apply the fixes in mistral/python-mistral-lib as pre-requiste the NOTE: python-oslo.utils package needs an update. NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1768731 NOTE: https://bugs.launchpad.net/tripleo/+bug/1850843 NOTE: https://opendev.org/openstack/oslo.utils/commit/b41268417cecb12d1d5955ee3107067edf050221 NOTE: Patch for Pike and newer: https://launchpadlibrarian.net/449473654/0001-Ensure-we-mask-sensitive-data-from-Mistral-Action-lo.patch NOTE: Patch for Pike and newer: https://launchpadlibrarian.net/449472809/0001-Ensure-we-mask-sensitive-data-from-Mistral-Action-lo.patch CVE-2019-3865 (A vulnerability was found in quay-2, where a stored XSS vulnerability ...) NOT-FOR-US: Quay CVE-2019-3864 (A vulnerability was discovered in all quay-2 versions before quay-3.0. ...) NOT-FOR-US: Quay CVE-2019-3863 (A flaw was found in libssh2 before 1.8.1. A server could send a multip ...) {DSA-4431-1 DLA-1730-1} - libssh2 1.8.0-2.1 (bug #924965) NOTE: https://www.libssh2.org/CVE-2019-3863.html NOTE: Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3863.patch NOTE: https://github.com/libssh2/libssh2/pull/315 CVE-2019-3862 (An out of bounds read flaw was discovered in libssh2 before 1.8.1 in t ...) {DSA-4431-1 DLA-1730-1} - libssh2 1.8.0-2.1 (bug #924965) NOTE: https://libssh2.org/CVE-2019-3862.html NOTE: Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3862.patch NOTE: https://github.com/libssh2/libssh2/pull/316 CVE-2019-3861 (An out of bounds read flaw was discovered in libssh2 before 1.8.1 in t ...) {DSA-4431-1 DLA-1730-1} - libssh2 1.8.0-2.1 (bug #924965) NOTE: https://libssh2.org/CVE-2019-3861.html NOTE: Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3861.patch NOTE: https://github.com/libssh2/libssh2/pull/316 CVE-2019-3860 (An out of bounds read flaw was discovered in libssh2 before 1.8.1 in t ...) {DSA-4431-1 DLA-1730-4 DLA-1730-1} - libssh2 1.8.0-2.1 (bug #924965) NOTE: https://libssh2.org/CVE-2019-3860.html NOTE: Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3860.patch NOTE: https://github.com/libssh2/libssh2/pull/316 CVE-2019-3859 (An out of bounds read flaw was discovered in libssh2 before 1.8.1 in t ...) {DSA-4431-1 DLA-1730-3 DLA-1730-1} - libssh2 1.8.0-2.1 (bug #924965) NOTE: https://www.libssh2.org/CVE-2019-3859.html NOTE: Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3859.patch NOTE: https://github.com/libssh2/libssh2/pull/315 CVE-2019-3858 (An out of bounds read flaw was discovered in libssh2 before 1.8.1 when ...) {DSA-4431-1 DLA-1730-1} - libssh2 1.8.0-2.1 (bug #924965) NOTE: https://libssh2.org/CVE-2019-3858.html NOTE: Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3858.patch NOTE: https://github.com/libssh2/libssh2/pull/316 CVE-2019-3857 (An integer overflow flaw which could lead to an out of bounds write wa ...) {DSA-4431-1 DLA-1730-1} - libssh2 1.8.0-2.1 (bug #924965) NOTE: https://www.libssh2.org/CVE-2019-3857.html NOTE: Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3857.patch NOTE: https://github.com/libssh2/libssh2/pull/315 CVE-2019-3856 (An integer overflow flaw, which could lead to an out of bounds write, ...) {DSA-4431-1 DLA-1730-1} - libssh2 1.8.0-2.1 (bug #924965) NOTE: https://www.libssh2.org/CVE-2019-3856.html NOTE: Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3856.patch NOTE: https://github.com/libssh2/libssh2/pull/315 CVE-2019-3855 (An integer overflow flaw which could lead to an out of bounds write wa ...) {DSA-4431-1 DLA-1730-1} - libssh2 1.8.0-2.1 (bug #924965) NOTE: https://www.libssh2.org/CVE-2019-3855.html NOTE: Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3855.patch NOTE: https://github.com/libssh2/libssh2/pull/315 CVE-2019-3854 REJECTED CVE-2019-3853 RESERVED CVE-2019-3852 (A vulnerability was found in moodle before version 3.6.3. The get_with ...) - moodle CVE-2019-3851 (A vulnerability was found in moodle before versions 3.6.3 and 3.5.5. T ...) - moodle CVE-2019-3850 (A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4. ...) - moodle CVE-2019-3849 (A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3 ...) - moodle CVE-2019-3848 (A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3 ...) - moodle CVE-2019-3847 (A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4. ...) - moodle CVE-2019-3846 (A flaw that allowed an attacker to corrupt memory and possibly escalat ...) {DSA-4465-1 DLA-1824-1 DLA-1823-1} - linux 4.19.37-4 NOTE: https://lore.kernel.org/linux-wireless/20190529125220.17066-1-tiwai@suse.de/ CVE-2019-3845 (A lack of access control was found in the message queues maintained by ...) NOT-FOR-US: qpid dispatch router CVE-2019-3844 (It was discovered that a systemd service that uses DynamicUser propert ...) [experimental] - systemd 242-1 - systemd 242-4 (bug #928102) [buster] - systemd (Minor issue; exploit vector needs control both of the service and a helper outside) [stretch] - systemd (Minor issue; exploit vector needs control both of the service and a helper outside) [jessie] - systemd (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1684610 NOTE: https://github.com/systemd/systemd/commit/bf65b7e0c9fc215897b676ab9a7c9d1c688143ba NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1771 NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1814596 CVE-2019-3843 (It was discovered that a systemd service that uses DynamicUser propert ...) [experimental] - systemd 242-1 - systemd 242-4 (bug #928102) [buster] - systemd (Minor issue; exploit vector needs control both of the service and a helper outside) [stretch] - systemd (Minor issue; exploit vector needs control both of the service and a helper outside) [jessie] - systemd (Vulnerable code introduced later) NOTE: https://github.com/systemd/systemd/commit/3c27973b13724ede05a06a5d346a569794cda433 NOTE: https://github.com/systemd/systemd/commit/f69567cbe26d09eac9d387c0be0fc32c65a83ada NOTE: https://github.com/systemd/systemd/commit/9d880b70ba5c6ca83c82952f4c90e86e56c7b70c NOTE: https://github.com/systemd/systemd/commit/7445db6eb70e8d5989f481d0c5a08ace7047ae5b NOTE: https://github.com/systemd/systemd/commit/62aa29247c3d74bcec0607c347f2be23cd90675d NOTE: https://github.com/systemd/systemd/commit/bf65b7e0c9fc215897b676ab9a7c9d1c688143ba NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1771 NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1814596 NOTE: https://github.com/systemd/systemd-stable/pull/54 (backport for v241-stable) CVE-2019-3842 (In systemd before v242-rc4, it was discovered that pam_systemd does no ...) {DSA-4428-1 DLA-1762-1} - systemd 241-3 NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1756 NOTE: https://bugs.launchpad.net/bugs/1812316 NOTE: https://github.com/systemd/systemd/commit/83d4ab55336ff8a0643c6aa627b31e351a24040a CVE-2019-3841 (Kubevirt/virt-cdi-importer, versions 1.4.0 to 1.5.3 inclusive, were re ...) NOT-FOR-US: KubeVirt CVE-2019-3840 (A NULL pointer dereference flaw was discovered in libvirt before versi ...) - libvirt 5.0.0-1 [stretch] - libvirt (Minor issue) [jessie] - libvirt (vulnerable code was introduced in 1.2.14) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1663051 NOTE: https://www.redhat.com/archives/libvir-list/2019-January/msg00241.html NOTE: https://libvirt.org/git/?p=libvirt.git;a=commit;h=7cfd1fbb1332ae5df678b9f41a62156cb2e88c73 CVE-2019-3839 (It was found that in ghostscript some privileged operators remained ac ...) {DSA-4442-1 DLA-1792-1} - ghostscript 9.27~dfsg-1 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=4ec9ca74bed49f2a82acb4bf430eae0d8b3b75c9 NOTE: To prevent pdf2dsc regression additionally: NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=db24f253409d5d085c2760c814c3e1d3fa2dac59 CVE-2019-3838 (It was found that the forceput operator could be extracted from the De ...) {DSA-4432-1 DLA-1761-1} [experimental] - ghostscript 9.27~~dc1~dfsg-1 - ghostscript 9.27~dfsg-1 (bug #925257) NOTE: https://www.openwall.com/lists/oss-security/2019/03/21/1 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ed9fcd95bb01f0768bf273b2526732e381202319 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a82601e8f95a2f2147f3b3b9e44ec2b8f3a6be8b NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700576 CVE-2019-3837 (It was found that the net_dma code in tcp_recvmsg() in the 2.6.32 kern ...) - linux 3.13.4-1 NOTE: https://git.kernel.org/linus/77873803363c9e831fc1d1e6895c084279090c22 NOTE: https://git.kernel.org/linus/7bced397510ab569d31de4c70b39e13355046387 CVE-2019-3836 (It was discovered in gnutls before version 3.6.7 upstream that there i ...) [experimental] - gnutls28 3.6.7-1 - gnutls28 3.6.7-2 [stretch] - gnutls28 (Vulnerable code introduced later in 3.6.4) [jessie] - gnutls28 (vulnerable code was introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1678411 NOTE: https://gitlab.com/gnutls/gnutls/issues/704 NOTE: https://gitlab.com/gnutls/gnutls/commit/96e07075e8f105b13e76b11e493d5aa2dd937226 NOTE: https://www.gnutls.org/security-new.html#GNUTLS-SA-2019-03-27 NOTE: Upstream versions affected are 3.6.4 and later before 3.6.7 CVE-2019-3835 (It was found that the superexec operator was available in the internal ...) {DSA-4432-1 DLA-1761-1} [experimental] - ghostscript 9.27~~dc1~dfsg-1 - ghostscript 9.27~dfsg-1 (bug #925256) NOTE: https://www.openwall.com/lists/oss-security/2019/03/21/1 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=205591753126802da850ada6511a0ff8411aa287 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d683d1e6450d74619e6277efeebfc222d9a5cb91 (needed dependency) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700585 CVE-2019-3834 (It was found that the fix for CVE-2014-0114 had been reverted in JBoss ...) NOT-FOR-US: JBoss Operations Network 3 (JON) specific CVE assignment CVE-2019-3833 (Openwsman, versions up to and including 2.6.9, are vulnerable to infin ...) - openwsman (bug #754501) CVE-2019-3832 (It was discovered the fix for CVE-2018-19758 (libsndfile) was not comp ...) {DLA-1712-1} - libsndfile 1.0.28-6 (bug #922372) [stretch] - libsndfile (Incomplete fix for CVE-2018-19758 not applied) NOTE: https://github.com/erikd/libsndfile/issues/456#issuecomment-463542436 NOTE: https://github.com/erikd/libsndfile/pull/460 NOTE: https://github.com/erikd/libsndfile/commit/6d7ce94c020cc720a6b28719d1a7879181790008 CVE-2019-3831 (A vulnerability was discovered in vdsm, version 4.19 through 4.30.3 an ...) - vdsm (bug #668538) CVE-2019-3830 (A vulnerability was found in ceilometer before version 12.0.0.0rc1. An ...) - ceilometer 1:11.0.1-5 (bug #925298) [stretch] - ceilometer (Vulnerable code not present) [jessie] - ceilometer (vulnerable code is not present) NOTE: https://bugs.launchpad.net/ceilometer/+bug/1811098/ NOTE: Introduced in https://github.com/openstack/ceilometer/commit/50415c0d08a3199d2280f3638dd121779585f0fe (10.0.0.0) NOTE: Fixed in https://github.com/openstack/ceilometer/commit/8881a42af169a2d7c912b1434911f978883c83f3 CVE-2019-3829 (A vulnerability was found in gnutls versions from 3.5.8 before 3.6.7. ...) [experimental] - gnutls28 3.6.7-1 - gnutls28 3.6.7-2 [stretch] - gnutls28 (Minor issue, can be fixed via point release) [jessie] - gnutls28 (vulnerable code was introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1677048 NOTE: https://gitlab.com/gnutls/gnutls/issues/694 NOTE: Fixed by: https://gitlab.com/gnutls/gnutls/commit/d39778e43d1674cb3ab3685157fd299816d535c0 NOTE: Fixed by: https://gitlab.com/gnutls/gnutls/commit/372821c883a3d36ed3ed683844ad9d90818f6392 NOTE: Fixed by: https://gitlab.com/gnutls/gnutls/commit/6b5cbc9ea5bdca704bdbe2f8fb551f720d634bc6 NOTE: Test: https://gitlab.com/gnutls/gnutls/commit/ad27713bef613e6c4600a0fb83ae48c6d390ff5b NOTE: https://www.gnutls.org/security-new.html#GNUTLS-SA-2019-03-27 NOTE: Upstream versions affected are from 3.5.8 and before 3.6.7. CVE-2019-3828 (Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path ...) {DSA-4396-1} - ansible 2.7.7+dfsg-1 (bug #922537) [jessie] - ansible (No remote expansion in fetch module) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1676689 NOTE: https://github.com/ansible/ansible/pull/52133 NOTE: https://github.com/ansible/ansible/pull/68720 (CVE-2020-1735 follow-up) NOTE: Introduced in https://github.com/ansible/ansible/commit/bc4272d2a26e47418c7d588208482d05a34a34cd (1.8) CVE-2019-3827 (An incorrect permission check in the admin backend in gvfs before vers ...) - gvfs 1.38.1-3 (bug #921816) [stretch] - gvfs (Minor issue) [jessie] - gvfs (Vulnerable code not present) NOTE: https://gitlab.gnome.org/GNOME/gvfs/issues/355 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1665578 NOTE: Affecting gvfs since 1.29.4 where admin backend was introduced. CVE-2019-3826 (A stored, DOM based, cross-site scripting (XSS) flaw was found in Prom ...) - prometheus 2.7.1+ds-1 (bug #921615) [stretch] - prometheus (Only affects 2.1.0 onwards) NOTE: https://github.com/prometheus/prometheus/pull/5163 CVE-2019-3825 (A vulnerability was discovered in gdm before 3.31.4. When timed login ...) - gdm3 3.30.2-3 (low; bug #921764) [stretch] - gdm3 (Minor issue) [jessie] - gdm3 (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/gdm/issues/460 CVE-2019-3824 (A flaw was found in the way an LDAP search expression could crash the ...) {DSA-4397-1 DLA-1699-1} - ldb 2:1.5.1+really1.4.3-2 - samba 2:4.9.5+dfsg-1 (unimportant) NOTE: https://bugzilla.samba.org/show_bug.cgi?id=13773 NOTE: Samba uses the System ldb library CVE-2019-3823 (libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap ...) {DSA-4386-1 DLA-1672-1} - curl 7.64.0-1 NOTE: https://curl.haxx.se/docs/CVE-2019-3823.html NOTE: Fixed by: https://github.com/curl/curl/commit/39df4073e5413fcdbb5a38da0c1ce6f1c0ceb484 NOTE: Introduced by: https://github.com/curl/curl/commit/2766262a68688c1dd8143f9c4be84b46c408b70a CVE-2019-3822 (libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stac ...) {DSA-4386-1 DLA-1672-1} - curl 7.64.0-1 NOTE: https://curl.haxx.se/docs/CVE-2019-3822.html NOTE: Fixed by: https://github.com/curl/curl/commit/50c9484278c63b958655a717844f0721263939cc NOTE: Introduced by: https://github.com/curl/curl/commit/86724581b6c02d160b52f817550cfdfc9c93af62 CVE-2019-3821 (A flaw was found in the way civetweb frontend was handling requests fo ...) - ceph (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1656852 NOTE: https://github.com/ceph/civetweb/pull/33 CVE-2019-3820 (It was discovered that the gnome-shell lock screen since version 3.15. ...) - gnome-shell 3.30.2-3 (bug #921490) [stretch] - gnome-shell (Minor issue) [jessie] - gnome-shell (Vulnerable code not present) NOTE: Introduced by: https://bugzilla.gnome.org/show_bug.cgi?id=745039 NOTE: Introduced by: https://gitlab.gnome.org/GNOME/gnome-shell/commit/c79d24b60e773262091023feb6ee1b3deef1c471 NOTE: Upstream issue: https://gitlab.gnome.org/GNOME/gnome-shell/issues/851 CVE-2019-3819 (A flaw was found in the Linux kernel in the function hid_debug_events_ ...) {DLA-1771-1 DLA-1731-1} - linux 4.19.20-1 [stretch] - linux 4.9.161-1 NOTE: Proposed patch: https://marc.info/?l=linux-input&m=154841031101012&w=2 CVE-2019-3818 (The kube-rbac-proxy container before version 0.4.1 as used in Red Hat ...) NOT-FOR-US: kube-rbac-proxy CVE-2019-3817 (A use-after-free flaw has been discovered in libcomps before version 0 ...) NOT-FOR-US: libcomps CVE-2019-3816 (Openwsman, versions up to and including 2.6.9, are vulnerable to arbit ...) - openwsman (bug #754501) CVE-2019-3815 (A memory leak was discovered in the backport of fixes for CVE-2018-168 ...) {DLA-1711-1} - systemd (This only affected backports to older suites, not the version in sid) [stretch] - systemd 232-25+deb9u8 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1666690 NOTE: For stable it affected DSA-4367-1 and was corrected in DSA-4367-2 NOTE: specifically the backport of the fix for CVE-2018-16864. CVE-2019-3814 (It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 in ...) {DSA-4385-1 DLA-1667-1} - dovecot 1:2.3.4.1-1 NOTE: https://www.openwall.com/lists/oss-security/2019/02/05/1 CVE-2019-3813 (Spice, versions 0.5.2 through 0.14.1, are vulnerable to an out-of-boun ...) {DSA-4375-1 DLA-1649-1} - spice 0.14.0-1.3 (bug #920762) NOTE: https://www.openwall.com/lists/oss-security/2019/01/28/2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1665371 CVE-2019-3812 (QEMU, through version 2.10 and through version 3.1.0, is vulnerable to ...) {DSA-4454-1} - qemu 1:3.1+dfsg-5 (bug #922635) [jessie] - qemu (vulnerable code introduced later) - qemu-kvm NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=b05b267840515730dbf6753495d5b7bd8b04ad1c NOTE: vulnerable code not present prior 2.6.50, introduced in NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=78c71af8049c40657b646d9dd722867fa15c0f1b CVE-2019-3811 (A vulnerability was found in sssd. If a user was configured with no ho ...) {DLA-1635-1} - sssd 2.2.0-1 (bug #919051) [buster] - sssd (Minor issue) [stretch] - sssd (Minor issue) NOTE: Upstream ticket: https://pagure.io/SSSD/sssd/issue/3901 NOTE: Pull request: https://github.com/SSSD/sssd/pull/703 NOTE: Fixed by: https://github.com/SSSD/sssd/commit/90f32399b4100ce39cf665649fde82d215e5eb49 (master) NOTE: Fixed by: https://github.com/SSSD/sssd/commit/28792523a01a7d21bcc8931794164f253e691a68 (sssd-1-16) CVE-2019-3810 (A flaw was found in moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to ...) - moodle NOTE: https://moodle.org/mod/forum/discuss.php?d=381230#p1536767 NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64372 CVE-2019-3809 (A flaw was found in Moodle versions 3.1 to 3.1.15 and earlier unsuppor ...) - moodle NOTE: https://moodle.org/mod/forum/discuss.php?d=381229#p1536766 NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64222 CVE-2019-3808 (A flaw was found in Moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to ...) - moodle NOTE: https://moodle.org/mod/forum/discuss.php?d=381228#p1536765 NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64395 CVE-2019-3807 (An issue has been found in PowerDNS Recursor versions 4.1.x before 4.1 ...) - pdns-recursor 4.1.9-1 [stretch] - pdns-recursor (Only affects 4.1.x) [jessie] - pdns-recursor (Only affects 4.1.x) NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2019-02.html CVE-2019-3806 (An issue has been found in PowerDNS Recursor versions after 4.1.3 befo ...) - pdns-recursor 4.1.9-1 [stretch] - pdns-recursor (Only affects 4.1.x) [jessie] - pdns-recursor (Only affects 4.1.x) NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2019-01.html CVE-2019-3805 (A flaw was discovered in wildfly versions up to 16.0.0.Final that woul ...) - wildfly (bug #752018) CVE-2019-3804 (It was found that cockpit before version 184 used glib's base64 decode ...) - cockpit 184-1 NOTE: https://github.com/cockpit-project/cockpit/pull/10819 NOTE: https://github.com/cockpit-project/cockpit/commit/c51f6177576d7e12 CVE-2019-3803 (Pivotal Concourse, all versions prior to 4.2.2, puts the user access t ...) NOT-FOR-US: Pivotal Concourse CVE-2019-3802 (This affects Spring Data JPA in versions up to and including 2.1.6, 2. ...) NOT-FOR-US: Pivotal Spring Data JPA CVE-2019-3801 (Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java com ...) NOT-FOR-US: Cloud Foundry CVE-2019-3800 (CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes t ...) NOT-FOR-US: Cloud Foundry CVE-2019-3799 (Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x pri ...) NOT-FOR-US: Spring Cloud Config CVE-2019-3798 (Cloud Foundry Cloud Controller API Release, versions prior to 1.79.0, ...) NOT-FOR-US: Cloud Foundry CVE-2019-3797 (This affects Spring Data JPA in versions up to and including 2.1.5, 2. ...) NOT-FOR-US: Spring Data JPA CVE-2019-3796 REJECTED CVE-2019-3795 (Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, ...) {DLA-1794-1} - libspring-security-2.0-java NOTE: https://github.com/spring-projects/spring-security/commit/6f02f690ac65ccf99d8df47ac3d730a68f87c569 CVE-2019-3794 (Cloud Foundry UAA, versions prior to v73.4.0, does not set an X-FRAME- ...) NOT-FOR-US: Cloud Foundry CVE-2019-3793 (Pivotal Apps Manager Release, versions 665.0.x prior to 665.0.28, vers ...) NOT-FOR-US: Pivotal CVE-2019-3792 (Pivotal Concourse version 5.0.0, contains an API that is vulnerable to ...) NOT-FOR-US: Pivotal CVE-2019-3791 REJECTED CVE-2019-3790 (The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x version ...) NOT-FOR-US: Pivotal Ops Manager CVE-2019-3789 (Cloud Foundry Routing Release, all versions prior to 0.188.0, contains ...) NOT-FOR-US: Cloud Foundry CVE-2019-3788 (Cloud Foundry UAA Release, versions prior to 71.0, allows clients to b ...) NOT-FOR-US: Cloud Foundry CVE-2019-3787 (Cloud Foundry UAA, versions prior to 73.0.0, falls back to appending & ...) NOT-FOR-US: Cloud Foundry UAA CVE-2019-3786 (Cloud Foundry BOSH Backup and Restore CLI, all versions prior to 1.5.0 ...) NOT-FOR-US: Cloud Foundry CVE-2019-3785 (Cloud Foundry Cloud Controller, versions prior to 1.78.0, contain an e ...) NOT-FOR-US: Cloud Foundry CVE-2019-3784 (Cloud Foundry Stratos, versions prior to 2.3.0, contains an insecure s ...) NOT-FOR-US: Cloud Foundry Stratos CVE-2019-3783 (Cloud Foundry Stratos, versions prior to 2.3.0, deploys with a public ...) NOT-FOR-US: Cloud Foundry Stratos CVE-2019-3782 (Cloud Foundry CredHub CLI, versions prior to 2.2.1, inadvertently writ ...) NOT-FOR-US: Cloud Foundry CVE-2019-3781 (Cloud Foundry CLI, versions prior to v6.43.0, improperly exposes passw ...) NOT-FOR-US: Cloud Foundry CLI CVE-2019-3780 (Cloud Foundry Container Runtime, versions prior to 0.28.0, deploys K8s ...) NOT-FOR-US: Cloud Foundry CVE-2019-3779 (Cloud Foundry Container Runtime, versions prior to 0.29.0, deploys Kub ...) NOT-FOR-US: Cloud Foundry CVE-2019-3778 (Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2 ...) NOT-FOR-US: Spring Security OAuth CVE-2019-3777 (Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.12, 2.3 ...) NOT-FOR-US: Pivotal CVE-2019-3776 (Pivotal Operations Manager, 2.1.x versions prior to 2.1.20, 2.2.x vers ...) NOT-FOR-US: Pivotal CVE-2019-3775 (Cloud Foundry UAA, versions prior to v70.0, allows a user to update th ...) NOT-FOR-US: Cloud Foundry UAA CVE-2019-3774 (Spring Batch versions 3.0.9, 4.0.1, 4.1.0, and older unsupported versi ...) NOT-FOR-US: Spring Batch CVE-2019-3773 (Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported vers ...) NOT-FOR-US: Spring Web Services CVE-2019-3772 (Spring Integration (spring-integration-xml and spring-integration-ws m ...) NOT-FOR-US: Spring Integration CVE-2019-3771 RESERVED CVE-2019-3770 (Dell Wyse Management Suite versions prior to 1.4.1 contain a stored cr ...) NOT-FOR-US: Dell CVE-2019-3769 (Dell Wyse Management Suite versions prior to 1.4.1 contain a stored cr ...) NOT-FOR-US: Dell CVE-2019-3768 (RSA Authentication Manager versions prior to 8.4 P7 contain an XML Ent ...) NOT-FOR-US: RSA Authentication Manager CVE-2019-3767 (Dell ImageAssist versions prior to 8.7.15 contain an information discl ...) NOT-FOR-US: Dell ImageAssist CVE-2019-3766 (Dell EMC ECS versions prior to 3.4.0.0 contain an improper restriction ...) NOT-FOR-US: EMC CVE-2019-3765 (Dell EMC Avamar Server versions 7.4.1, 7.5.0, 7.5.1, 18.2 and 19.1 and ...) NOT-FOR-US: EMC CVE-2019-3764 (Dell EMC iDRAC7 versions prior to 2.65.65.65, iDRAC8 versions prior to ...) NOT-FOR-US: EMC CVE-2019-3763 (The RSA Identity Governance and Lifecycle software and RSA Via Lifecyc ...) NOT-FOR-US: RSA CVE-2019-3762 (Data Protection Central versions 1.0, 1.0.1, 18.1, 18.2, and 19.1 cont ...) NOT-FOR-US: Dell CVE-2019-3761 (The RSA Identity Governance and Lifecycle software and RSA Via Lifecyc ...) NOT-FOR-US: RSA CVE-2019-3760 (The RSA Identity Governance and Lifecycle software and RSA Via Lifecyc ...) NOT-FOR-US: RSA CVE-2019-3759 (The RSA Identity Governance and Lifecycle software and RSA Via Lifecyc ...) NOT-FOR-US: RSA CVE-2019-3758 (RSA Archer, versions prior to 6.6 P2 (6.6.0.2), contain an improper au ...) NOT-FOR-US: RSA CVE-2019-3757 RESERVED CVE-2019-3756 (RSA Archer, versions prior to 6.6 P3 (6.6.0.3), contain an information ...) NOT-FOR-US: RSA CVE-2019-3755 RESERVED CVE-2019-3754 (Dell EMC Unity Operating Environment versions prior to 5.0.0.0.5.116, ...) NOT-FOR-US: EMC CVE-2019-3753 (Dell EMC PowerConnect 8024, 7000, M6348, M6220, M8024 and M8024-K runn ...) NOT-FOR-US: EMC CVE-2019-3752 RESERVED CVE-2019-3751 (Dell EMC Enterprise Copy Data Management (eCDM) versions 1.0, 1.1, 2.0 ...) NOT-FOR-US: EMC CVE-2019-3750 (Dell Command Update versions prior to 3.1 contain an Arbitrary File De ...) NOT-FOR-US: Dell Command Update CVE-2019-3749 (Dell Command Update versions prior to 3.1 contain an Arbitrary File De ...) NOT-FOR-US: Dell Command Update CVE-2019-3748 RESERVED CVE-2019-3747 (Dell EMC Integrated Data Protection Appliance versions prior to 2.3 co ...) NOT-FOR-US: EMC CVE-2019-3746 (Dell EMC Integrated Data Protection Appliance versions prior to 2.3 do ...) NOT-FOR-US: EMC CVE-2019-3745 (The vulnerability is limited to the installers of Dell Encryption Ente ...) NOT-FOR-US: Dell CVE-2019-3744 (Dell/Alienware Digital Delivery versions prior to 4.0.41 contain a pri ...) NOT-FOR-US: Dell/Alienware Digital Delivery CVE-2019-3743 RESERVED CVE-2019-3742 (Dell/Alienware Digital Delivery versions prior to 3.5.2013 contain a p ...) NOT-FOR-US: Dell/Alienware Digital Delivery CVE-2019-3741 (Dell EMC Unity and UnityVSA versions prior to 5.0.0.0.5.116 contain a ...) NOT-FOR-US: EMC CVE-2019-3740 (RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Inform ...) NOT-FOR-US: RSA CVE-2019-3739 (RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Informati ...) NOT-FOR-US: RSA CVE-2019-3738 (RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to a Missing ...) NOT-FOR-US: RSA CVE-2019-3737 (Dell EMC Avamar ADMe Web Interface 1.0.50 and 1.0.51 are affected by a ...) NOT-FOR-US: Dell EMC Avamar ADMe Web Interface CVE-2019-3736 (Dell EMC Integrated Data Protection Appliance versions prior to 2.3 co ...) NOT-FOR-US: EMC CVE-2019-3735 (Dell SupportAssist for Business PCs version 2.0 and Dell SupportAssist ...) NOT-FOR-US: Dell SupportAssist CVE-2019-3734 (Dell EMC Unity and UnityVSA versions prior to 5.0.0.0.5.116 contain an ...) NOT-FOR-US: EMC CVE-2019-3733 (RSA BSAFE Crypto-C Micro Edition, all versions prior to 4.1.4, is vuln ...) NOT-FOR-US: RSA CVE-2019-3732 (RSA BSAFE Crypto-C Micro Edition, versions prior to 4.0.5.3 (in 4.0.x) ...) NOT-FOR-US: RSA CVE-2019-3731 (RSA BSAFE Crypto-C Micro Edition versions prior to 4.1.4 and RSA Micro ...) NOT-FOR-US: RSA CVE-2019-3730 (RSA BSAFE Micro Edition Suite versions prior to 4.1.6.3 (in 4.1.x) and ...) NOT-FOR-US: RSA CVE-2019-3729 (RSA BSAFE Micro Edition Suite versions prior to 4.4 (in 4.0.x, 4.1.x, ...) NOT-FOR-US: RSA CVE-2019-3728 (RSA BSAFE Crypto-C Micro Edition versions prior to 4.0.5.4 (in 4.0.x) ...) NOT-FOR-US: RSA CVE-2019-3727 (Dell EMC RecoverPoint versions prior to 5.1.3 and RecoverPoint for VMs ...) NOT-FOR-US: Dell EMC RecoverPoint CVE-2019-3726 (An Uncontrolled Search Path Vulnerability is applicable to the followi ...) NOT-FOR-US: EMC CVE-2019-3725 (RSA Netwitness Platform versions prior to 11.2.1.1 and RSA Security An ...) NOT-FOR-US: RSA Netwitness Platform CVE-2019-3724 (RSA Netwitness Platform versions prior to 11.2.1.1 is vulnerable to an ...) NOT-FOR-US: RSA Netwitness Platform CVE-2019-3723 (Dell EMC OpenManage Server Administrator (OMSA) versions prior to 9.1. ...) NOT-FOR-US: Dell EMC OpenManage Server Administrator CVE-2019-3722 (Dell EMC OpenManage Server Administrator (OMSA) versions prior to 9.1. ...) NOT-FOR-US: Dell EMC OpenManage Server Administrator CVE-2019-3721 (Dell EMC Open Manage System Administrator (OMSA) versions prior to 9.3 ...) NOT-FOR-US: Dell CVE-2019-3720 (Dell EMC Open Manage System Administrator (OMSA) versions prior to 9.3 ...) NOT-FOR-US: Dell CVE-2019-3719 (Dell SupportAssist Client versions prior to 3.2.0.90 contain a remote ...) NOT-FOR-US: Dell CVE-2019-3718 (Dell SupportAssist Client versions prior to 3.2.0.90 contain an improp ...) NOT-FOR-US: Dell CVE-2019-3717 (Select Dell Client Commercial and Consumer platforms contain an Improp ...) NOT-FOR-US: Select Dell Client Commercial and Consumer platforms CVE-2019-3716 (RSA Archer versions, prior to 6.5 SP2, contain an information exposure ...) NOT-FOR-US: RSA CVE-2019-3715 (RSA Archer versions, prior to 6.5 SP1, contain an information exposure ...) NOT-FOR-US: RSA CVE-2019-3714 RESERVED CVE-2019-3713 RESERVED CVE-2019-3712 (Dell WES Wyse Device Agent versions prior to 14.1.2.9 and Dell Wyse Th ...) NOT-FOR-US: Dell CVE-2019-3711 (RSA Authentication Manager versions prior to 8.4 P1 contain an Insecur ...) NOT-FOR-US: RSA CVE-2019-3710 (Dell EMC Networking OS10 versions prior to 10.4.3 contain a cryptograp ...) NOT-FOR-US: Dell Networking OS10 CVE-2019-3709 (IsilonSD Management Server 1.1.0 contains a cross-site scripting vulne ...) NOT-FOR-US: IsilonSD Management Server CVE-2019-3708 (IsilonSD Management Server 1.1.0 contains a cross-site scripting vulne ...) NOT-FOR-US: IsilonSD Management Server CVE-2019-3707 (Dell EMC iDRAC9 versions prior to 3.30.30.30 contain an authentication ...) NOT-FOR-US: EMC CVE-2019-3706 (Dell EMC iDRAC9 versions prior to 3.24.24.24, 3.21.26.22, 3.22.22.22 a ...) NOT-FOR-US: EMC CVE-2019-3705 (Dell EMC iDRAC6 versions prior to 2.92, iDRAC7/iDRAC8 versions prior t ...) NOT-FOR-US: EMC CVE-2019-3704 (VNX Control Station in Dell EMC VNX2 OE for File versions prior to 8.1 ...) NOT-FOR-US: EMC CVE-2019-3703 RESERVED CVE-2019-3702 (A Remote Code Execution issue in the DNS Query Web UI in Lifesize Icon ...) NOT-FOR-US: Lifesize CVE-2019-3701 (An issue was discovered in can_can_gw_rcv in net/can/gw.c in the Linux ...) {DLA-1771-1 DLA-1731-1} - linux 4.19.20-1 (unimportant) [stretch] - linux 4.9.161-1 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1120386 NOTE: https://marc.info/?l=linux-netdev&m=154651842302479&w=2 CVE-2019-3700 (yast2-security didn't use secure defaults to protect passwords. This b ...) NOT-FOR-US: yast2 CVE-2019-3699 (UNIX Symbolic Link (Symlink) Following vulnerability in the packaging ...) NOT-FOR-US: SUSE-specific privoxy issue CVE-2019-3698 (UNIX Symbolic Link (Symlink) Following vulnerability in the cronjob sh ...) NOT-FOR-US: SUSE-specific Nagios issue CVE-2019-3697 (UNIX Symbolic Link (Symlink) Following vulnerability in the packaging ...) NOT-FOR-US: SuSE-specific issue in gnump3d (removed for a decade from Debian) CVE-2019-3696 (A Improper Limitation of a Pathname to a Restricted Directory vulnerab ...) NOT-FOR-US: SAP CVE-2019-3695 (A Improper Control of Generation of Code vulnerability in the packagin ...) NOT-FOR-US: SAP CVE-2019-3694 (A Symbolic Link (Symlink) Following vulnerability in the packaging of ...) NOT-FOR-US: SuSE packaging of munin CVE-2019-3693 (A symlink following vulnerability in the packaging of mailman in SUSE ...) NOT-FOR-US: SuSE packaging of mailman CVE-2019-3692 (The packaging of inn on SUSE Linux Enterprise Server 11; openSUSE Fact ...) NOT-FOR-US: SUSE packaging of inn CVE-2019-3691 (A Symbolic Link (Symlink) Following vulnerability in the packaging of ...) NOT-FOR-US: SUSE packaging of munge CVE-2019-3690 (The chkstat tool in the permissions package followed symlinks before c ...) NOT-FOR-US: SuSE-specific tool CVE-2019-3689 (The nfs-utils package in SUSE Linux Enterprise Server 12 before and in ...) {DLA-1965-1} - nfs-utils 1:1.3.4-3 (bug #940848) [buster] - nfs-utils (Minor issue) [stretch] - nfs-utils (Minor issue) NOTE: https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commitdiff;h=fee2cc29e888f2ced6a76990923aef19d326dc0e CVE-2019-3688 (The /usr/sbin/pinger binary packaged with squid in SUSE Linux Enterpri ...) - squid (/usr/lib/squid/pinger permissions are root:root) - squid3 (/usr/lib/squid/pinger permissions are root:root) CVE-2019-3687 (The permission package in SUSE Linux Enterprise Server allowed all loc ...) NOT-FOR-US: SuSE CVE-2019-3686 (openQA before commit c172e8883d8f32fced5e02f9b6faaacc913df27b was vuln ...) - openqa (bug #840253) CVE-2019-3685 (Open Build Service before version 0.165.4 diddn't validate TLS certifi ...) - osc (Affects 0.165.x only, bug #941667) CVE-2019-3684 (SUSE Manager until version 4.0.7 and Uyuni until commit 1b426ad5ed0a71 ...) NOT-FOR-US: SUSE Manager CVE-2019-3683 (The keystone-json-assignment package in SUSE Openstack Cloud 8 before ...) NOT-FOR-US: SuSE Openstack Cloud CVE-2019-3682 (The docker-kubic package in SUSE CaaS Platform 3.0 before 17.09.1_ce-7 ...) NOT-FOR-US: SuSE CVE-2019-3681 (A External Control of File Name or Path vulnerability in osc of SUSE L ...) TODO: check CVE-2019-3680 RESERVED CVE-2019-3679 RESERVED CVE-2019-3678 RESERVED CVE-2019-3677 RESERVED CVE-2019-3676 RESERVED CVE-2019-3675 RESERVED CVE-2019-3674 RESERVED CVE-2019-3673 RESERVED CVE-2019-3672 RESERVED CVE-2019-3671 RESERVED CVE-2019-3670 (Remote Code Execution vulnerability in the web interface in McAfee Web ...) NOT-FOR-US: McAfee CVE-2019-3669 RESERVED CVE-2019-3668 RESERVED CVE-2019-3667 (DLL Search Order Hijacking vulnerability in the Microsoft Windows clie ...) NOT-FOR-US: McAfee CVE-2019-3666 (API Abuse/Misuse vulnerability in the web interface in McAfee Web Advi ...) NOT-FOR-US: McAfee CVE-2019-3665 (Code Injection vulnerability in the web interface in McAfee Web Adviso ...) NOT-FOR-US: McAfee CVE-2019-3664 RESERVED CVE-2019-3663 (Unprotected Storage of Credentials vulnerability in McAfee Advanced Th ...) NOT-FOR-US: McAfee CVE-2019-3662 (Path Traversal: '/absolute/pathname/here' vulnerability in McAfee Adva ...) NOT-FOR-US: McAfee CVE-2019-3661 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) NOT-FOR-US: McAfee CVE-2019-3660 (Improper Neutralization of HTTP requests in McAfee Advanced Threat Def ...) NOT-FOR-US: McAfee CVE-2019-3659 RESERVED CVE-2019-3658 RESERVED CVE-2019-3657 RESERVED CVE-2019-3656 RESERVED CVE-2019-3655 RESERVED CVE-2019-3654 (Authentication Bypass vulnerability in the Microsoft Windows client in ...) NOT-FOR-US: McAfee CVE-2019-3653 (Improper access control vulnerability in Configuration tool in McAfee ...) NOT-FOR-US: McAfee Endpoint Security (ENS) CVE-2019-3652 (Code Injection vulnerability in EPSetup.exe in McAfee Endpoint Securit ...) NOT-FOR-US: McAfee Endpoint Security (ENS) CVE-2019-3651 (Information Disclosure vulnerability in McAfee Advanced Threat Defense ...) NOT-FOR-US: McAfee CVE-2019-3650 (Information Disclosure vulnerability in McAfee Advanced Threat Defense ...) NOT-FOR-US: McAfee CVE-2019-3649 (Information Disclosure vulnerability in McAfee Advanced Threat Defense ...) NOT-FOR-US: McAfee CVE-2019-3648 (A Privilege Escalation vulnerability in the Microsoft Windows client i ...) NOT-FOR-US: McAfee Total Protection CVE-2019-3647 RESERVED CVE-2019-3646 (DLL Search Order Hijacking vulnerability in Microsoft Windows client i ...) NOT-FOR-US: McAfee CVE-2019-3645 RESERVED CVE-2019-3644 (McAfee Web Gateway (MWG) earlier than 7.8.2.13 is vulnerable to a remo ...) NOT-FOR-US: McAfee CVE-2019-3643 (McAfee Web Gateway (MWG) earlier than 7.8.2.13 is vulnerable to a remo ...) NOT-FOR-US: McAfee CVE-2019-3642 RESERVED CVE-2019-3641 (Abuse of Authorization vulnerability in APIs exposed by TIE server in ...) NOT-FOR-US: McAfee CVE-2019-3640 (Unprotected Transport of Credentials in ePO extension in McAfee Data L ...) NOT-FOR-US: McAfee CVE-2019-3639 (Clickjack vulnerability in Adminstrator web console in McAfee Web Gate ...) NOT-FOR-US: McAfee CVE-2019-3638 (Reflected Cross Site Scripting vulnerability in Administrators web con ...) NOT-FOR-US: McAfee CVE-2019-3637 (Privilege Escalation vulnerability in McAfee FRP 5.x prior to 5.1.0.20 ...) NOT-FOR-US: McAfee CVE-2019-3636 (A File Masquerade vulnerability in McAfee Total Protection (MTP) versi ...) NOT-FOR-US: McAfee CVE-2019-3635 (Exfiltration of Data in McAfee Web Gateway (MWG) 7.8.2.x prior to 7.8. ...) NOT-FOR-US: McAfee CVE-2019-3634 (Buffer overflow in McAfee Data Loss Prevention (DLPe) for Windows 11.x ...) NOT-FOR-US: McAfee CVE-2019-3633 (Buffer overflow in McAfee Data Loss Prevention (DLPe) for Windows 11.x ...) NOT-FOR-US: McAfee CVE-2019-3632 (Directory Traversal vulnerability in McAfee Enterprise Security Manage ...) NOT-FOR-US: McAfee CVE-2019-3631 (Command Injection vulnerability in McAfee Enterprise Security Manager ...) NOT-FOR-US: McAfee CVE-2019-3630 (Command Injection vulnerability in McAfee Enterprise Security Manager ...) NOT-FOR-US: McAfee CVE-2019-3629 (Application protection bypass vulnerability in McAfee Enterprise Secur ...) NOT-FOR-US: McAfee CVE-2019-3628 (Privilege escalation in McAfee Enterprise Security Manager (ESM) 11.x ...) NOT-FOR-US: McAfee CVE-2019-3627 RESERVED CVE-2019-3626 RESERVED CVE-2019-3625 RESERVED CVE-2019-3624 RESERVED CVE-2019-3623 RESERVED CVE-2019-3622 (Files or Directories Accessible to External Parties in McAfee Data Los ...) NOT-FOR-US: McAfee CVE-2019-3621 (Authentication protection bypass vulnerability in McAfee Data Loss Pre ...) NOT-FOR-US: McAfee CVE-2019-3620 RESERVED CVE-2019-3619 (Information Disclosure vulnerability in the Agent Handler in McAfee eP ...) NOT-FOR-US: McAfee CVE-2019-3618 RESERVED CVE-2019-3617 (Privilege escalation vulnerability in McAfee Total Protection (ToPS) f ...) NOT-FOR-US: McAfee CVE-2019-3616 RESERVED CVE-2019-3615 (Data Leakage Attacks vulnerability in the web interface in McAfee Data ...) NOT-FOR-US: McAfee CVE-2019-3614 RESERVED CVE-2019-3613 (DLL Search Order Hijacking vulnerability in McAfee Agent (MA) prior to ...) NOT-FOR-US: McAfee CVE-2019-3612 (Information Disclosure vulnerability in McAfee DXL Platform and TIE Se ...) NOT-FOR-US: McAFee CVE-2019-3611 RESERVED CVE-2019-3610 (Data Leakage Attacks vulnerability in Microsoft Windows client in McAf ...) NOT-FOR-US: McAfee True Key CVE-2019-3609 RESERVED CVE-2019-3608 RESERVED CVE-2019-3607 RESERVED CVE-2019-3606 (Data Leakage Attacks vulnerability in the web portal component when in ...) NOT-FOR-US: McAfee CVE-2019-3605 RESERVED CVE-2019-3604 (Cross-Site Request Forgery (CSRF) vulnerability in McAfee ePO (legacy) ...) NOT-FOR-US: McAfee CVE-2019-3603 RESERVED CVE-2019-3602 (Cross Site Scripting (XSS) vulnerability in McAfee Network Security Ma ...) NOT-FOR-US: McAfee CVE-2019-3601 RESERVED CVE-2019-3600 RESERVED CVE-2019-3599 (Information Disclosure vulnerability in Remote logging (which is disab ...) NOT-FOR-US: McAfee Agent CVE-2019-3598 (Buffer Access with Incorrect Length Value in McAfee Agent (MA) 5.x all ...) NOT-FOR-US: McAfee Agent CVE-2019-3597 (Authentication Bypass vulnerability in McAfee Network Security Manager ...) NOT-FOR-US: McAfee CVE-2019-3596 RESERVED CVE-2019-3595 (Improper Neutralization of Special Elements used in a Command ('Comman ...) NOT-FOR-US: McAfee CVE-2019-3594 RESERVED CVE-2019-3593 (Exploitation of Privilege/Trust vulnerability in Microsoft Windows cli ...) NOT-FOR-US: McAfee CVE-2019-3592 (Privilege escalation vulnerability in McAfee Agent (MA) before 5.6.1 H ...) NOT-FOR-US: McAfee CVE-2019-3591 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) NOT-FOR-US: McAfee CVE-2019-3590 RESERVED CVE-2019-3589 RESERVED CVE-2019-3588 (Privilege Escalation vulnerability in Microsoft Windows client (McTray ...) NOT-FOR-US: McAfee CVE-2019-3587 (DLL Search Order Hijacking vulnerability in Microsoft Windows client i ...) NOT-FOR-US: McAfee CVE-2019-3586 (Protection Mechanism Failure in the Firewall in McAfee Endpoint Securi ...) NOT-FOR-US: McAfee CVE-2019-3585 (Privilege Escalation vulnerability in Microsoft Windows client (McTray ...) NOT-FOR-US: McAfee CVE-2019-3584 (Exploitation of Authentication vulnerability in MVision Endpoint in Mc ...) NOT-FOR-US: McAfee CVE-2019-3583 RESERVED CVE-2019-3582 (Privilege Escalation vulnerability in Microsoft Windows client in McAf ...) NOT-FOR-US: McAfee CVE-2019-3581 (Improper input validation in the proxy component of McAfee Web Gateway ...) NOT-FOR-US: McAfee CVE-2018-20664 (Zoho ManageEngine ADSelfService Plus 5.x before build 5701 has XXE via ...) NOT-FOR-US: Zoho ManageEngine ADSelfService Plus CVE-2018-20663 (The Reporting Addon (aka Reports Addon) through 2019-01-02 for CUBA Pl ...) NOT-FOR-US: Reporting Addon for CUBA Platform CVE-2018-20662 (In Poppler 0.72.0, PDFDoc::setup in PDFDoc.cc allows attackers to caus ...) {DLA-1706-1} - poppler 0.71.0-4 (low; bug #918158) [stretch] - poppler (Minor issue) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/706 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/7b4e372deeb716eb3fe3a54b31ed41af759224f9 CVE-2019-3580 (OpenRefine through 3.1 allows arbitrary file write because Directory T ...) NOT-FOR-US: OpenRefine CVE-2019-3579 (MyBB 1.8.19 allows remote attackers to obtain sensitive information be ...) NOT-FOR-US: MyBB CVE-2019-3578 (MyBB 1.8.19 has XSS in the resetpassword function. ...) NOT-FOR-US: MyBB CVE-2019-3577 (An issue was discovered in Waimai Super Cms 20150505. web/Lib/Action/P ...) NOT-FOR-US: Waimai Super Cms CVE-2019-3576 (inxedu through 2018-12-24 has a SQL Injection vulnerability that can l ...) NOT-FOR-US: inxedu CVE-2019-3575 (Sqla_yaml_fixtures 0.9.1 allows local users to execute arbitrary pytho ...) NOT-FOR-US: Sqla_yaml_fixtures CVE-2019-3574 (In libsixel v1.8.2, there is a heap-based buffer over-read in the func ...) - libsixel 1.8.2-2 (low; bug #922460) [buster] - libsixel 1.8.2-1+deb10u1 [stretch] - libsixel 1.5.2-2+deb9u1 [jessie] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/83 CVE-2019-3573 (In libsixel v1.8.2, there is an infinite loop in the function sixel_de ...) - libsixel 1.8.2-2 (low; bug #922460) [buster] - libsixel 1.8.2-1+deb10u1 [stretch] - libsixel 1.5.2-2+deb9u1 [jessie] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/83 CVE-2019-3572 (An issue was discovered in libming 0.4.8. There is a heap-based buffer ...) - ming NOTE: https://github.com/libming/libming/issues/169 CVE-2019-3571 (An input validation issue affected WhatsApp Desktop versions prior to ...) NOT-FOR-US: WhatsApp Desktop CVE-2019-3570 (Call to the scrypt_enc() function in HHVM can lead to heap corruption ...) - hhvm NOTE: https://hhvm.com/blog/2019/06/10/hhvm-4.9.0.html CVE-2019-3569 (HHVM, when used with FastCGI, would bind by default to all available i ...) - hhvm NOTE: https://hhvm.com/blog/2019/06/10/hhvm-4.9.0.html CVE-2019-3568 (A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote ...) NOT-FOR-US: Whatsapp CVE-2019-3567 (In some configurations an attacker can inject a new executable path in ...) NOT-FOR-US: osquery CVE-2019-3566 (A bug in WhatsApp for Android's messaging logic would potentially allo ...) NOT-FOR-US: WhatsApp for Android CVE-2019-3565 (Legacy C++ Facebook Thrift servers (using cpp instead of cpp2) would n ...) NOT-FOR-US: Thrift servers CVE-2019-3564 (Go Facebook Thrift servers would not error upon receiving messages wit ...) NOT-FOR-US: Thrift servers CVE-2019-3563 (Wangle's LineBasedFrameDecoder contains logic for identifying newlines ...) NOT-FOR-US: Facebook Wangle CVE-2019-3562 (A remote web page could inject arbitrary HTML code into the Oculus Bro ...) NOT-FOR-US: Oculus Browser UI CVE-2019-3561 (Insufficient boundary checks for the strrpos and strripos functions al ...) - hhvm CVE-2019-3560 (An improperly performed length calculation on a buffer in PlaintextRec ...) NOT-FOR-US: Fizz CVE-2019-3559 (Java Facebook Thrift servers would not error upon receiving messages w ...) NOT-FOR-US: Thrift servers CVE-2019-3558 (Python Facebook Thrift servers would not error upon receiving messages ...) NOT-FOR-US: Thrift servers CVE-2019-3557 (The implementations of streams for bz2 and php://output improperly imp ...) - hhvm CVE-2019-3556 RESERVED CVE-2019-3555 RESERVED CVE-2019-3554 (Wangle's AcceptRoutingHandler incorrectly casts a socket when acceptin ...) NOT-FOR-US: Facebook Wangle CVE-2019-3553 (C++ Facebook Thrift servers would not error upon receiving messages de ...) NOT-FOR-US: Thrift servers CVE-2019-3552 (C++ Facebook Thrift servers (using cpp2) would not error upon receivin ...) NOT-FOR-US: Thrift servers CVE-2019-3551 RESERVED CVE-2019-3550 RESERVED CVE-2019-3549 RESERVED CVE-2019-3548 RESERVED CVE-2019-3547 RESERVED CVE-2019-3546 RESERVED CVE-2019-3545 RESERVED CVE-2019-3544 RESERVED CVE-2019-3543 RESERVED CVE-2019-3542 RESERVED CVE-2019-3541 RESERVED CVE-2019-3540 RESERVED CVE-2019-3539 RESERVED CVE-2019-3538 RESERVED CVE-2019-3537 RESERVED CVE-2019-3536 RESERVED CVE-2019-3535 RESERVED CVE-2019-3534 RESERVED CVE-2019-3533 RESERVED CVE-2019-3532 RESERVED CVE-2019-3531 RESERVED CVE-2019-3530 RESERVED CVE-2019-3529 RESERVED CVE-2019-3528 RESERVED CVE-2019-3527 RESERVED CVE-2019-3526 RESERVED CVE-2019-3525 RESERVED CVE-2019-3524 RESERVED CVE-2019-3523 RESERVED CVE-2019-3522 RESERVED CVE-2019-3521 RESERVED CVE-2019-3520 RESERVED CVE-2019-3519 RESERVED CVE-2019-3518 RESERVED CVE-2019-3517 RESERVED CVE-2019-3516 RESERVED CVE-2019-3515 RESERVED CVE-2019-3514 RESERVED CVE-2019-3513 RESERVED CVE-2019-3512 RESERVED CVE-2019-3511 RESERVED CVE-2019-3510 RESERVED CVE-2019-3509 RESERVED CVE-2019-3508 RESERVED CVE-2019-3507 RESERVED CVE-2019-3506 RESERVED CVE-2019-3505 RESERVED CVE-2019-3504 RESERVED CVE-2019-3503 RESERVED CVE-2019-3502 RESERVED CVE-2019-3501 (The OUGC Awards plugin before 1.8.19 for MyBB allows XSS via a crafted ...) NOT-FOR-US: OUGC Awards plugin for MyBB CVE-2018-20661 RESERVED CVE-2018-20660 RESERVED CVE-2018-20659 (An issue was discovered in Bento4 1.5.1-627. The AP4_StcoAtom class in ...) NOT-FOR-US: Bento4 CVE-2018-20658 (The server in Core FTP 2.0 build 653 on 32-bit platforms allows remote ...) NOT-FOR-US: Core FTP CVE-2018-20657 (The demangle_template function in cplus-dem.c in GNU libiberty, as dis ...) NOTE: Short-lived, small memleak, not considered a real bug by upstream NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539 CVE-2018-20656 RESERVED CVE-2018-20655 (When receiving calls using WhatsApp for iOS, a missing size check when ...) NOT-FOR-US: WhatsApp CVE-2019-3500 (aria2c in aria2 1.33.1, when --log is used, can store an HTTP Basic Au ...) {DLA-1636-1} - aria2 1.34.0-4 (low; bug #918058) [stretch] - aria2 (Minor issue) NOTE: https://github.com/aria2/aria2/issues/1329 NOTE: Masking of all authorization and cookie header fields (but not userinfo in URL): NOTE: https://github.com/aria2/aria2/commit/37368130ca7de5491a75fd18a20c5c5cc641824a CVE-2019-3499 RESERVED CVE-2019-3498 (In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before ...) {DSA-4363-1 DLA-1629-1} - python-django 1:1.11.18-1 (bug #918230) NOTE: https://www.djangoproject.com/weblog/2019/jan/04/security-releases/ NOTE: https://github.com/django/django/commit/1cd00fcf52d089ef0fe03beabd05d59df8ea052a (1.11.x) NOTE: https://github.com/django/django/commit/64d2396e83aedba3fcc84ca40f23fbd22f0b9b5b (2.1.x) CVE-2018-20654 RESERVED CVE-2019-3497 (An issue was discovered on Wifi-soft UniBox controller 0.x through 2.x ...) NOT-FOR-US: Wifi-soft UniBox controller devices CVE-2019-3496 (An issue was discovered on Wifi-soft UniBox controller 3.x devices. Th ...) NOT-FOR-US: Wifi-soft UniBox controller devices CVE-2019-3495 (An issue was discovered on Wifi-soft UniBox controller 0.x through 2.x ...) NOT-FOR-US: Wifi-soft UniBox controller devices CVE-2019-3494 (Simply-Blog through 2019-01-01 has SQL Injection via the admin/deleteC ...) NOT-FOR-US: Simply-Blog CVE-2018-20653 RESERVED CVE-2018-20652 (An attempted excessive memory allocation was discovered in the functio ...) NOT-FOR-US: tinyexr CVE-2018-20651 (A NULL pointer dereference was discovered in elf_link_add_object_symbo ...) - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24041 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=54025d5812ff100f5f0654eb7e1ffd50f2e37f5f NOTE: binutils not covered by security support CVE-2018-20650 (A reachable Object::dictLookup assertion in Poppler 0.72.0 allows atta ...) {DLA-1939-1} [experimental] - poppler 0.81.0-1 - poppler (low; bug #917974) [buster] - poppler (Minor issue) [stretch] - poppler (Minor issue) NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/de0c0b8324e776f0b851485e0fc9622fc35695b7 NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/704 CVE-2018-20649 RESERVED CVE-2018-20648 (PHP Scripts Mall Car Rental Script 2.0.8 has Cross-Site Request Forger ...) NOT-FOR-US: PHP Scripts Mall CVE-2018-20647 (PHP Scripts Mall Car Rental Script 2.0.8 has directory traversal via a ...) NOT-FOR-US: PHP Scripts Mall CVE-2018-20646 (PHP Scripts Mall Basic B2B Script 2.0.9 has has directory traversal vi ...) NOT-FOR-US: PHP Scripts Mall CVE-2018-20645 (PHP Scripts Mall Basic B2B Script 2.0.9 has HTML injection via the Fir ...) NOT-FOR-US: PHP Scripts Mall CVE-2018-20644 (PHP Scripts Mall Basic B2B Script 2.0.9 has Cross-Site Request Forgery ...) NOT-FOR-US: PHP Scripts Mall CVE-2018-20643 (PHP Scripts Mall Entrepreneur Job Portal Script 3.0.1 has directory tr ...) NOT-FOR-US: PHP Scripts Mall Entrepreneur Job Portal Script CVE-2018-20642 (PHP Scripts Mall Entrepreneur Job Portal Script 3.0.1 allows remote at ...) NOT-FOR-US: PHP Scripts Mall Entrepreneur Job Portal Script CVE-2018-20641 (PHP Scripts Mall Entrepreneur Job Portal Script 3.0.1 has Cross-Site R ...) NOT-FOR-US: PHP Scripts Mall Entrepreneur Job Portal Script CVE-2018-20640 (PHP Scripts Mall Entrepreneur Job Portal Script 3.0.1 has stored Cross ...) NOT-FOR-US: PHP Scripts Mall Entrepreneur Job Portal Script CVE-2018-20639 (PHP Scripts Mall Entrepreneur Job Portal Script 3.0.1 has HTML injecti ...) NOT-FOR-US: PHP Scripts Mall Entrepreneur Job Portal Script CVE-2018-20638 (PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has dire ...) NOT-FOR-US: PHP Scripts Mall Chartered Accountant : Auditor Website CVE-2018-20637 (PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 allows r ...) NOT-FOR-US: PHP Scripts Mall Chartered Accountant : Auditor Website CVE-2018-20636 (PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has HTML ...) NOT-FOR-US: PHP Scripts Mall Chartered Accountant : Auditor Website CVE-2018-20635 (PHP Scripts Mall Advance B2B Script 2.1.4 has directory traversal via ...) NOT-FOR-US: PHP Scripts Mall Advance B2B Script CVE-2018-20634 (PHP Scripts Mall Advance B2B Script 2.1.4 allows remote attackers to c ...) NOT-FOR-US: PHP Scripts Mall Advance B2B Script CVE-2018-20633 (PHP Scripts Mall Advance B2B Script 2.1.4 has Cross-Site Request Forge ...) NOT-FOR-US: PHP Scripts Mall Advance B2B Script CVE-2018-20632 (PHP Scripts Mall Advance B2B Script 2.1.4 has stored Cross-Site Script ...) NOT-FOR-US: PHP Scripts Mall Advance B2B Script CVE-2018-20631 (PHP Scripts Mall Website Seller Script 2.0.5 allows full Path Disclosu ...) NOT-FOR-US: PHP Scripts Mall Website Seller Script CVE-2018-20630 (PHP Scripts Mall Advance Crowdfunding Script 2.0.3 has directory trave ...) NOT-FOR-US: PHP Scripts Mall Advance Crowdfunding Script CVE-2018-20629 (PHP Scripts Mall Charity Donation Script readymadeb2bscript has direct ...) NOT-FOR-US: PHP Scripts Mall Charity Donation Script readymadeb2bscript CVE-2018-20628 (PHP Scripts Mall Charity Foundation Script 1 through 3 allows director ...) NOT-FOR-US: PHP Scripts Mall Charity Foundation Script CVE-2018-20627 (PHP Scripts Mall Consumer Reviews Script 4.0.3 has HTML injection via ...) NOT-FOR-US: PHP Scripts Mall Consumer Reviews Script CVE-2018-20626 (PHP Scripts Mall Consumer Reviews Script 4.0.3 has directory traversal ...) NOT-FOR-US: PHP Scripts Mall Consumer Reviews Script CVE-2018-20625 RESERVED CVE-2018-20624 RESERVED CVE-2019-3493 (A potential security vulnerability has been identified in Micro Focus ...) NOT-FOR-US: Micro Focus CVE-2019-3492 RESERVED CVE-2019-3491 RESERVED CVE-2019-3490 (A DOM based XSS vulnerability has been identified in the Netstorage co ...) NOT-FOR-US: Micro Focus Netstorage CVE-2019-3489 (An unauthenticated file upload vulnerability has been identified in th ...) NOT-FOR-US: Micro Focus Content Manager CVE-2019-3488 RESERVED CVE-2019-3487 RESERVED CVE-2019-3486 (Mitigates a stored cross site scripting issue in ArcSight Security Man ...) NOT-FOR-US: ArcSight Security Management Center CVE-2019-3485 (Mitigates a stored cross site scripting issue in ArcSight Logger versi ...) NOT-FOR-US: ArcSight Logger CVE-2019-3484 (Mitigates a remote code execution issue in ArcSight Logger versions pr ...) NOT-FOR-US: ArcSight Logger CVE-2019-3483 (Mitigates a potential information leakage issue in ArcSight Logger ver ...) NOT-FOR-US: ArcSight Logger CVE-2019-3482 (Mitigates a directory traversal issue in ArcSight Logger versions prio ...) NOT-FOR-US: ArcSight Logger CVE-2019-3481 (Mitigates a XML External Entity Parsing issue in ArcSight Logger versi ...) NOT-FOR-US: ArcSight Logger CVE-2019-3480 (Mitigates a stored/reflected XSS issue in ArcSight Logger versions pri ...) NOT-FOR-US: ArcSight Logger CVE-2019-3479 (Mitigates a potential remote code execution issue in ArcSight Logger v ...) NOT-FOR-US: ArcSight Logger CVE-2019-3478 RESERVED CVE-2019-3477 (Micro Focus Solution Business Manager versions prior to 11.4.2 is susc ...) NOT-FOR-US: Micro Focus Solution Business Manager CVE-2019-3476 (Remote arbitrary code execution in Micro Focus Data Protector, version ...) NOT-FOR-US: Micro Focus Data Protector CVE-2019-3475 (A local privilege escalation vulnerability in the famtd component of M ...) NOT-FOR-US: Micro Focus Filr CVE-2019-3474 (A path traversal vulnerability in the web application component of Mic ...) NOT-FOR-US: Micro Focus Filr CVE-2019-3473 REJECTED CVE-2019-3472 REJECTED CVE-2019-3471 REJECTED CVE-2019-3470 REJECTED CVE-2019-3469 REJECTED CVE-2019-3468 REJECTED CVE-2019-3466 (The pg_ctlcluster script in postgresql-common in versions prior to 210 ...) {DSA-4568-1 DLA-1994-1} - postgresql-common 210 NOTE: https://salsa.debian.org/postgresql/postgresql-common/commit/ec9d984b62ed79f61be97b786a9ff4381309979c NOTE: https://blog.mirch.io/2019/11/15/cve-2019-3466-debian-ubuntu-pg_ctlcluster-privilege-escalation/ CVE-2019-3465 (Rob Richards XmlSecLibs, all versions prior to v3.0.3, as used for exa ...) {DSA-4560-1 DLA-1983-1} - simplesamlphp 1.17.6-2 (bug #944107) NOTE: https://groups.google.com/forum/#!msg/simplesamlphp-announce/2odMqz63z7k/6zQQeM91EwAJ NOTE: https://simplesamlphp.org/security/201911-01 CVE-2019-3464 (Insufficient sanitization of environment variables passed to rsync can ...) {DSA-4382-1 DLA-1660-1} - rssh 2.3.4-10 CVE-2019-3463 (Insufficient sanitization of arguments passed to rsync can bypass the ...) {DSA-4382-1 DLA-1660-1} - rssh 2.3.4-10 CVE-2019-3462 (Incorrect sanitation of the 302 redirect field in HTTP transport metho ...) {DSA-4371-1 DLA-1637-1} - apt 1.8.0~alpha3.1 NOTE: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1812353 NOTE: https://justi.cz/security/2019/01/22/apt-rce.html CVE-2019-3461 (Debian tmpreaper version 1.6.13+nmu1 has a race condition when doing a ...) {DSA-4365-1 DLA-1640-1} - tmpreaper 1.6.14 (bug #918956) CVE-2019-3460 (A heap data infoleak in multiple locations including L2CAP_PARSE_CONF_ ...) {DLA-1799-1 DLA-1771-1} - linux 4.19.37-1 [stretch] - linux 4.9.168-1 NOTE: https://lore.kernel.org/linux-bluetooth/20190110062917.GB15047@kroah.com/ NOTE: https://git.kernel.org/linus/af3d5d1c87664a4f150fcf3534c6567cb19909b0 CVE-2019-3459 (A heap address information leak while using L2CAP_GET_CONF_OPT was dis ...) {DLA-1799-1 DLA-1771-1} - linux 4.19.37-1 [stretch] - linux 4.9.168-1 NOTE: https://lore.kernel.org/linux-bluetooth/20190110062833.GA15047@kroah.com/ NOTE: https://git.kernel.org/linus/7c9cbd0b5e38a1672fcd137894ace3b042dfbf69 CVE-2019-3458 RESERVED CVE-2019-3457 RESERVED CVE-2019-3456 RESERVED CVE-2019-3455 RESERVED CVE-2019-3454 RESERVED CVE-2019-3453 RESERVED CVE-2019-3452 RESERVED CVE-2019-3451 RESERVED CVE-2019-3450 RESERVED CVE-2019-3449 RESERVED CVE-2019-3448 RESERVED CVE-2019-3447 RESERVED CVE-2019-3446 RESERVED CVE-2019-3445 RESERVED CVE-2019-3444 RESERVED CVE-2019-3443 RESERVED CVE-2019-3442 RESERVED CVE-2019-3441 RESERVED CVE-2019-3440 RESERVED CVE-2019-3439 RESERVED CVE-2019-3438 RESERVED CVE-2019-3437 RESERVED CVE-2019-3436 RESERVED CVE-2019-3435 RESERVED CVE-2019-3434 RESERVED CVE-2019-3433 RESERVED CVE-2019-3432 RESERVED CVE-2019-3431 (All versions up to V4.01.01.02 of ZTE ZXCLOUD GoldenData VAP product h ...) NOT-FOR-US: ZTE CVE-2019-3430 (All versions up to V4.01.01.02 of ZTE ZXCLOUD GoldenData VAP product h ...) NOT-FOR-US: ZTE CVE-2019-3429 (All versions up to V4.01.01.02 of ZTE ZXCLOUD GoldenData VAP product h ...) NOT-FOR-US: ZTE CVE-2019-3428 (The version V6.01.03.01 of ZTE ZXCDN IAMWEB product is impacted by a c ...) NOT-FOR-US: ZTE CVE-2019-3427 (The version V6.01.03.01 of ZTE ZXCDN IAMWEB product is impacted by a c ...) NOT-FOR-US: ZTE CVE-2019-3426 (The 9000EV5.0R1B12 version, and all earlier versions of ZTE product ZX ...) NOT-FOR-US: ZTE CVE-2019-3425 (The 9000EV5.0R1B12 version, and all earlier versions of ZTE product ZX ...) NOT-FOR-US: ZTE CVE-2019-3424 (authentication issues vulnerability, which exists in V2.1.14 and below ...) NOT-FOR-US: C520V21 smart camera devices CVE-2019-3423 (permission and access control vulnerability, which exists in V2.1.14 a ...) NOT-FOR-US: C520V21 smart camera devices CVE-2019-3422 (The Sec Consult Security Lab reported an information disclosure vulner ...) NOT-FOR-US: ZTE CVE-2019-3421 (The 7520V3V1.0.0B09P27 version, and all earlier versions of ZTE produc ...) NOT-FOR-US: ZTE CVE-2019-3420 (All versions up to V2.5.0_EG1T5_TED of ZTE ZXHN H108N product are impa ...) NOT-FOR-US: ZTE CVE-2019-3419 (A security vulnerability exists in a management port in the version of ...) NOT-FOR-US: ZTE CVE-2019-3418 (All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted ...) NOT-FOR-US: ZTE CVE-2019-3417 (All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted ...) NOT-FOR-US: ZTE CVE-2019-3416 (All versions up to V81511329.1008 of ZTE ZXV10 B860A products are impa ...) NOT-FOR-US: ZTE CVE-2019-3415 (ZTE MW NR8000V2.4.4.03 and NR8000V2.4.4.04 are impacted by path traver ...) NOT-FOR-US: ZTE CVE-2019-3414 (All versions up to V1.19.20.02 of ZTE OTCP product are impacted by XSS ...) NOT-FOR-US: ZTE CVE-2019-3413 (All versions up to V20.18.40.R7.B1of ZTE NetNumen DAP product have an ...) NOT-FOR-US: ZTE CVE-2019-3412 (All versions up to BD_R218V2.4 of ZTE MF920 product are impacted by co ...) NOT-FOR-US: ZTE CVE-2019-3411 (All versions up to BD_R218V2.4 of ZTE MF920 product are impacted by in ...) NOT-FOR-US: ZTE CVE-2019-3410 (All versions up to UKBB_WF820+_1.0.0B06 of ZTE WF820+ LTE Outdoor CPE ...) NOT-FOR-US: ZTE CVE-2019-3409 (All versions up to UKBB_WF820+_1.0.0B06 of ZTE WF820+ LTE Outdoor CPE ...) NOT-FOR-US: ZTE CVE-2018-20623 (In GNU Binutils 2.31.1, there is a use-after-free in the error functio ...) - binutils (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24049 NOTE: binutils not covered by security support CVE-2018-20622 (JasPer 2.0.14 has a memory leak in base/jas_malloc.c in libjasper.a wh ...) {DLA-1628-1} - jasper NOTE: https://github.com/mdadams/jasper/issues/193 CVE-2018-20621 (An issue was discovered in Microvirt MEmu 6.0.6. The MemuService.exe s ...) NOT-FOR-US: Microvirt MEmu CVE-2018-20620 RESERVED CVE-2018-20619 RESERVED CVE-2018-20618 (ok-file-formats through 2018-10-16 has a heap-based buffer over-read i ...) NOT-FOR-US: ok-file-formats CVE-2018-20617 (ok-file-formats through 2018-10-16 has a heap-based buffer overflow in ...) NOT-FOR-US: ok-file-formats CVE-2018-20616 (ok-file-formats through 2018-10-16 has a heap-based buffer overflow in ...) NOT-FOR-US: ok-file-formats CVE-2018-20615 (An out-of-bounds read issue was discovered in the HTTP/2 protocol deco ...) - haproxy 1.8.16-2 [stretch] - haproxy (Vulnerable code introduced later) [jessie] - haproxy (Vulnerable code introduced later) NOTE: https://github.com/haproxy/haproxy/commit/a01f45e3ced23c799f6e78b5efdbd32198a75354 CVE-2018-20614 (public\install\install.php in CIM 0.9.3 allows remote attackers to rel ...) NOT-FOR-US: CIM CVE-2018-20613 (TEMMOKU T1.09 Beta allows admin/user/add CSRF. ...) NOT-FOR-US: TEMMOKU CVE-2018-20612 (UWA 2.3.11 allows index.php?g=admin&c=admin&a=add_admin_do CSR ...) NOT-FOR-US: UWA CVE-2018-20611 (imcat 4.4 allow XSS via a crafted cookie to the root/tools/adbug/binfo ...) NOT-FOR-US: imcat CVE-2018-20610 (imcat 4.4 allows directory traversal via the root/run/adm.php efile pa ...) NOT-FOR-US: imcat CVE-2018-20609 (imcat 4.4 allows remote attackers to obtain potentially sensitive conf ...) NOT-FOR-US: imcat CVE-2018-20608 (imcat 4.4 allows remote attackers to read phpinfo output via the root/ ...) NOT-FOR-US: imcat CVE-2018-20607 (imcat 4.4 allows remote attackers to obtain potentially sensitive debu ...) NOT-FOR-US: imcat CVE-2018-20606 (imcat 4.4 allows full path disclosure via a dev.php?tools-ipaddr&a ...) NOT-FOR-US: imcat CVE-2018-20605 (imcat 4.4 allows remote attackers to execute arbitrary PHP code by usi ...) NOT-FOR-US: imcat CVE-2018-20604 (Lei Feng TV CMS (aka LFCMS) 3.8.6 allows Directory Traversal via craft ...) NOT-FOR-US: Lei Feng TV CMS CVE-2018-20603 (Lei Feng TV CMS (aka LFCMS) 3.8.6 allows admin.php?s=/Member/add.html ...) NOT-FOR-US: Lei Feng TV CMS CVE-2018-20602 (Lei Feng TV CMS (aka LFCMS) 3.8.6 allows full path disclosure via the ...) NOT-FOR-US: Lei Feng TV CMS CVE-2018-20601 (UCMS 1.4.7 has XSS via the description parameter in an index.php list_ ...) NOT-FOR-US: UCMS CVE-2018-20600 (sadmin\cedit.php in UCMS 1.4.7 has XSS via an index.php sadmin_cedit a ...) NOT-FOR-US: UCMS CVE-2018-20599 (UCMS 1.4.7 allows remote attackers to execute arbitrary PHP code by en ...) NOT-FOR-US: UCMS CVE-2018-20598 (UCMS 1.4.7 has ?do=user_addpost CSRF. ...) NOT-FOR-US: UCMS CVE-2018-20597 (UCMS 1.4.7 has XSS via the dir parameter in an index.php sadmin_fileed ...) NOT-FOR-US: UCMS CVE-2018-20596 (Jspxcms v9.0.0 allows SSRF. ...) NOT-FOR-US: Jspxcms CVE-2018-20595 (A CSRF issue was discovered in web/authorization/oauth2/controller/OAu ...) NOT-FOR-US: hsweb CVE-2018-20594 (An issue was discovered in hsweb 3.0.4. It is a reflected XSS vulnerab ...) NOT-FOR-US: hsweb CVE-2018-20593 (In Mini-XML (aka mxml) v2.12, there is stack-based buffer overflow in ...) - mxml (low; bug #924353) [buster] - mxml (Minor issue) [stretch] - mxml (Minor issue) [jessie] - mxml (Minor issue, only affects the mxmldoc tool) NOTE: https://github.com/ntu-sec/pocs/blob/master/mxml-53c75b0/crashes/so_mxmldoc.c:2971_1.txt NOTE: https://github.com/ntu-sec/pocs/blob/master/mxml-53c75b0/crashes/so_mxmldoc.c:2971_1.txt.err (error output) NOTE: https://github.com/ntu-sec/pocs/blob/master/mxml-53c75b0/crashes/so_mxmldoc.c:2987_1.txt NOTE: https://github.com/ntu-sec/pocs/blob/master/mxml-53c75b0/crashes/so_mxmldoc.c:2987_1.txt.err (error output) NOTE: https://github.com/michaelrsweet/mxml/issues/237 NOTE: upstream tagged the issue with 'wontfix' and removed mxmldoc code completely CVE-2018-20592 (In Mini-XML (aka mxml) v2.12, there is a use-after-free in the mxmlAdd ...) - mxml (low; bug #924353) [buster] - mxml (Minor issue) [stretch] - mxml (Minor issue) [jessie] - mxml (Minor issue, only affected the mxmldoc tool) NOTE: https://github.com/ntu-sec/pocs/blob/master/mxml-53c75b0/crashes/uaf_mxml-node.c:128_1.txt NOTE: https://github.com/ntu-sec/pocs/blob/master/mxml-53c75b0/crashes/uaf_mxml-node.c:128_1.txt.err (error output) NOTE: https://github.com/ntu-sec/pocs/blob/master/mxml-53c75b0/crashes/uaf_mxml-node.c:128_2.txt NOTE: https://github.com/ntu-sec/pocs/blob/master/mxml-53c75b0/crashes/uaf_mxml-node.c:128_2.txt.err (error output) NOTE: https://github.com/michaelrsweet/mxml/issues/237 NOTE: upstream tagged the issue with 'wontfix' and removed mxmldoc code completely CVE-2018-20591 (A heap-based buffer over-read was discovered in decompileJUMP function ...) - ming NOTE: https://github.com/libming/libming/issues/168 CVE-2018-20590 (Ivan Cordoba Generic Content Management System (CMS) through 2018-04-2 ...) NOT-FOR-US: Ivan Cordoba Generic Content Management System (CMS) CVE-2018-20589 (Ivan Cordoba Generic Content Management System (CMS) through 2018-04-2 ...) NOT-FOR-US: Ivan Cordoba Generic Content Management System (CMS) CVE-2018-20588 (lib/support/unicodeconv/unicodeconv.c in libotfcc.a in otfcc v0.10.3-a ...) NOT-FOR-US: otfcc CVE-2018-20587 (Bitcoin Core 0.12.0 through 0.17.1 and Bitcoin Knots 0.12.0 through 0. ...) - bitcoin NOTE: https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures#CVE-2018-20587 CVE-2018-20586 (bitcoind and Bitcoin-Qt prior to 0.17.1 allow injection of arbitrary d ...) - bitcoin 0.17.1~dfsg-1 CVE-2018-20585 RESERVED CVE-2018-20584 (JasPer 2.0.14 allows remote attackers to cause a denial of service (ap ...) {DLA-1628-1} - jasper NOTE: https://github.com/mdadams/jasper/issues/192 CVE-2018-20583 (Cross-site scripting (XSS) vulnerability in the PHP League CommonMark ...) NOT-FOR-US: PHP League CommonMark library CVE-2018-20582 (The GREE+ (aka com.gree.greeplus) application 1.4.0.8 for Android suff ...) NOT-FOR-US: GREE+ (aka com.gree.greeplus) application CVE-2018-20581 RESERVED CVE-2018-20580 (The WSDL import functionality in SmartBear ReadyAPI 2.5.0 and 2.6.0 al ...) NOT-FOR-US: SmartBear ReadyAPI CVE-2018-20579 (Contiki-NG before 4.2 has a stack-based buffer overflow in the push fu ...) NOT-FOR-US: Contiki-NG CVE-2018-20578 (An issue was discovered in NuttX before 7.27. The function netlib_pars ...) NOT-FOR-US: NuttX CVE-2018-20577 (Orange Livebox 00.96.320S devices allow cgi-bin/restore.exe, cgi-bin/f ...) NOT-FOR-US: Orange Livebox 00.96.320S devices CVE-2018-20576 (Orange Livebox 00.96.320S devices allow cgi-bin/autodialing.exe and cg ...) NOT-FOR-US: Orange Livebox 00.96.320S devices CVE-2018-20575 (Orange Livebox 00.96.320S devices have an undocumented /system_firmwar ...) NOT-FOR-US: Orange Livebox 00.96.320S devices CVE-2018-20574 (The SingleDocParser::HandleFlowMap function in yaml-cpp (aka LibYaml-C ...) - yaml-cpp 0.6.3-1 (low; bug #918145) [buster] - yaml-cpp (Minor issue) [stretch] - yaml-cpp (Minor issue) [jessie] - yaml-cpp (Minor issue) - yaml-cpp0.3 (low; bug #918146) [stretch] - yaml-cpp0.3 (Minor issue) [jessie] - yaml-cpp0.3 (Minor issue) NOTE: https://github.com/jbeder/yaml-cpp/issues/654 CVE-2018-20573 (The Scanner::EnsureTokensInQueue function in yaml-cpp (aka LibYaml-C++ ...) - yaml-cpp 0.6.3-1 (low; bug #918147) [buster] - yaml-cpp (Minor issue) [stretch] - yaml-cpp (Minor issue) [jessie] - yaml-cpp (Minor issue) - yaml-cpp0.3 (low; bug #918148) [stretch] - yaml-cpp0.3 (Minor issue) [jessie] - yaml-cpp0.3 (Minor issue) NOTE: https://github.com/jbeder/yaml-cpp/issues/655 CVE-2018-20572 (WUZHI CMS 4.1.0 allows coreframe/app/coupon/admin/copyfrom.php SQL inj ...) NOT-FOR-US: WUZHI CMS CVE-2018-20571 (DamiCMS 6.0.1 allows remote attackers to read arbitrary files via a cr ...) NOT-FOR-US: DamiCMS CVE-2018-20570 (jp2_encode in jp2/jp2_enc.c in JasPer 2.0.14 has a heap-based buffer o ...) {DLA-1628-1} - jasper NOTE: https://github.com/mdadams/jasper/issues/191 CVE-2018-20569 (user/index.php in Ivan Cordoba Generic Content Management System (CMS) ...) NOT-FOR-US: Ivan Cordoba Generic Content Management System (CMS) CVE-2018-20568 (Administrator/index.php in Ivan Cordoba Generic Content Management Sys ...) NOT-FOR-US: Ivan Cordoba Generic Content Management System (CMS) CVE-2018-20567 (An issue was discovered in DouCo DouPHP 1.5 20181221. \install\index.p ...) NOT-FOR-US: DouCo DouPHP CVE-2018-20566 (An issue was discovered in DouCo DouPHP 1.5 20181221. It allows full p ...) NOT-FOR-US: DouCo DouPHP CVE-2018-20565 (An issue was discovered in DouCo DouPHP 1.5 20181221. admin/nav.php?re ...) NOT-FOR-US: DouCo DouPHP CVE-2018-20564 (An issue was discovered in DouCo DouPHP 1.5 20181221. admin/product_ca ...) NOT-FOR-US: DouCo DouPHP CVE-2018-20563 (An issue was discovered in DouCo DouPHP 1.5 20181221. admin/mobile.php ...) NOT-FOR-US: DouCo DouPHP CVE-2018-20562 (An issue was discovered in DouCo DouPHP 1.5 20181221. admin/article_ca ...) NOT-FOR-US: DouCo DouPHP CVE-2018-20561 (An issue was discovered in DouCo DouPHP 1.5 20181221. admin/article.ph ...) NOT-FOR-US: DouCo DouPHP CVE-2018-20560 (An issue was discovered in DouCo DouPHP 1.5 20181221. admin/show.php?r ...) NOT-FOR-US: DouCo DouPHP CVE-2018-20559 (An issue was discovered in DouCo DouPHP 1.5 20181221. admin/product.ph ...) NOT-FOR-US: DouCo DouPHP CVE-2018-20558 (An issue was discovered in DouCo DouPHP 1.5 20181221. admin/system.php ...) NOT-FOR-US: DouCo DouPHP CVE-2018-20557 (An issue was discovered in DouCo DouPHP 1.5 20181221. admin/page.php?r ...) NOT-FOR-US: DouCo DouPHP CVE-2018-20556 (SQL injection vulnerability in Booking Calendar plugin 8.4.3 for WordP ...) NOT-FOR-US: Booking Calendar plugin for WordPress CVE-2018-20555 (The Design Chemical Social Network Tabs plugin 1.7.1 for WordPress all ...) NOT-FOR-US: Design Chemical Social Network Tabs plugin for WordPress CVE-2018-20554 RESERVED CVE-2018-20553 (Tcpreplay before 4.3.1 has a heap-based buffer over-read in get_l2len ...) - tcpreplay 4.3.1-1 (low; bug #917574) [stretch] - tcpreplay (Minor issue) [jessie] - tcpreplay (hard to exploit) NOTE: https://github.com/appneta/tcpreplay/issues/530 NOTE: https://github.com/appneta/tcpreplay/pull/532/commits/6b830a1640ca20528032c89a4fdd8291a4d2d8b2 NOTE: initial set of fixes got additional hardening, see: NOTE: https://github.com/appneta/tcpreplay/issues/530#issuecomment-480312372 NOTE: https://github.com/appneta/tcpreplay/pull/584 CVE-2018-20552 (Tcpreplay before 4.3.1 has a heap-based buffer over-read in packet2tre ...) - tcpreplay 4.3.1-1 (low; bug #917574) [stretch] - tcpreplay (Minor issue) [jessie] - tcpreplay (hard to exploit) NOTE: https://github.com/appneta/tcpreplay/issues/530 NOTE: https://github.com/appneta/tcpreplay/pull/532/commits/6b830a1640ca20528032c89a4fdd8291a4d2d8b2 NOTE: initial set of fixes got additional hardening, see: NOTE: https://github.com/appneta/tcpreplay/issues/530#issuecomment-480312372 NOTE: https://github.com/appneta/tcpreplay/pull/584 CVE-2018-1000893 RESERVED CVE-2018-1000892 RESERVED CVE-2018-1000891 RESERVED CVE-2018-20551 (A reachable Object::getString assertion in Poppler 0.72.0 allows attac ...) - poppler 0.71.0-4 (low; bug #917525) [stretch] - poppler (Minor issue) [jessie] - poppler (vulnerable code is not present) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/703 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/7f87dc10b6adccd6d1b977a28b064add254aa2da CVE-2018-20550 RESERVED CVE-2018-20549 (There is an illegal WRITE memory access at caca/file.c (function caca_ ...) {DLA-1631-1} - libcaca 0.99.beta19-2.1 (low; bug #917807) [stretch] - libcaca 0.99.beta19-2.1~deb9u1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1652628 NOTE: https://github.com/cacalabs/libcaca/issues/41 NOTE: Fixed by: https://github.com/cacalabs/libcaca/commit/3e52dabe3e64dc50f4422effe364a1457a8a8592 CVE-2018-20548 (There is an illegal WRITE memory access at common-image.c (function lo ...) - libcaca 0.99.beta19-2.1 (unimportant; bug #917807) [stretch] - libcaca 0.99.beta19-2.1~deb9u1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1652625 NOTE: https://github.com/cacalabs/libcaca/issues/40 NOTE: Upstream fix: https://github.com/cacalabs/libcaca/commit/f6c61faa26b3e150c3daf514589afa737f42f152 NOTE: https://github.com/cacalabs/libcaca/commit/3e52dabe3e64dc50f4422effe364a1457a8a8592 NOTE: Debian binary packages built with the Imlib2 library CVE-2018-20547 (There is an illegal READ memory access at caca/dither.c (function get_ ...) {DLA-1631-1} - libcaca 0.99.beta19-2.1 (low; bug #917807) [stretch] - libcaca 0.99.beta19-2.1~deb9u1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1652624 NOTE: https://github.com/cacalabs/libcaca/issues/39 NOTE: Fixed by: https://github.com/cacalabs/libcaca/commit/02a09ec9e5ed8981e7a810bfb6a0172dc24f0790 CVE-2018-20546 (There is an illegal READ memory access at caca/dither.c (function get_ ...) {DLA-1631-1} - libcaca 0.99.beta19-2.1 (low; bug #917807) [stretch] - libcaca 0.99.beta19-2.1~deb9u1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1652622 NOTE: https://github.com/cacalabs/libcaca/issues/38 NOTE: Fixed by: https://github.com/cacalabs/libcaca/commit/02a09ec9e5ed8981e7a810bfb6a0172dc24f0790 CVE-2018-20545 (There is an illegal WRITE memory access at common-image.c (function lo ...) - libcaca 0.99.beta19-2.1 (unimportant; bug #917807) [stretch] - libcaca 0.99.beta19-2.1~deb9u1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1652621 NOTE: https://github.com/cacalabs/libcaca/issues/37 NOTE: Upstream fix: https://github.com/cacalabs/libcaca/commit/f6c61faa26b3e150c3daf514589afa737f42f152 NOTE: https://github.com/cacalabs/libcaca/commit/3e52dabe3e64dc50f4422effe364a1457a8a8592 NOTE: Debian binary packages built with the Imlib2 library CVE-2018-20544 (There is floating point exception at caca/dither.c (function caca_dith ...) {DLA-1631-1} - libcaca 0.99.beta19-2.1 (low; bug #917807) [stretch] - libcaca 0.99.beta19-2.1~deb9u1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1652627 NOTE: https://github.com/cacalabs/libcaca/issues/36 NOTE: Upstream fix: https://github.com/cacalabs/libcaca/commit/84bd155087b93ab2d8d7cb5b1ac94ecd4cf4f93c CVE-2018-20543 (There is an attempted excessive memory allocation at libxsmm_sparse_cs ...) - libxsmm (bug #917573) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1652634 CVE-2018-20542 (There is a heap-based buffer-overflow at generator_spgemm_csc_reader.c ...) - libxsmm (bug #917526) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1652633 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1652635 NOTE: https://github.com/hfp/libxsmm/commit/151481489192e6d1997f8bde52c5c425ea41741d NOTE: https://github.com/hfp/libxsmm/issues/287 CVE-2018-20541 (There is a heap-based buffer overflow in libxsmm_sparse_csc_reader at ...) - libxsmm (bug #917526) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1652632 NOTE: https://github.com/hfp/libxsmm/commit/151481489192e6d1997f8bde52c5c425ea41741d NOTE: https://github.com/hfp/libxsmm/issues/287 CVE-2018-20540 (There is memory leak at liblas::Open (liblas/liblas.hpp) in libLAS 1.8 ...) - liblas 1.8.1-10 (low; bug #922459) [stretch] - liblas (Minor issue) [jessie] - liblas (Minor issue) NOTE: https://github.com/libLAS/libLAS/issues/158 NOTE: https://github.com/libLAS/libLAS/commit/ba7346d349fb00b18d0c12e226ac3090eac25d7b CVE-2018-20539 (There is a Segmentation fault triggered by illegal address access at l ...) - liblas (low; bug #924614) [buster] - liblas (Minor issue) [stretch] - liblas (Minor issue) [jessie] - liblas (Minor issue) NOTE: https://github.com/libLAS/libLAS/issues/159 NOTE: https://github.com/libLAS/libLAS/pull/183 NOTE: https://github.com/libLAS/libLAS/commit/ca88a11a8a0548d3aa78b643e6c701708b826fa9 CVE-2018-20538 (There is a use-after-free at asm/preproc.c (function pp_getline) in Ne ...) - nasm (unimportant; bug #918269) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392531 NOTE: Crash in CLI tool, no security impact CVE-2018-20537 (There is a NULL pointer dereference at liblas::SpatialReference::GetGT ...) - liblas (low; bug #924614) [buster] - liblas (Minor issue) [stretch] - liblas (Minor issue) [jessie] - liblas (Minor issue) NOTE: https://github.com/libLAS/libLAS/issues/160 NOTE: https://github.com/libLAS/libLAS/pull/184 NOTE: https://github.com/libLAS/libLAS/commit/1e854ec110d9bcebcae9db3136953c873f919235 CVE-2018-20536 (There is a heap-based buffer over-read at liblas::SpatialReference::Ge ...) - liblas (low; bug #924614) [buster] - liblas (Minor issue) [stretch] - liblas (Minor issue) [jessie] - liblas (Minor issue) NOTE: https://github.com/libLAS/libLAS/issues/161 NOTE: https://github.com/libLAS/libLAS/pull/183 NOTE: https://github.com/libLAS/libLAS/commit/ca88a11a8a0548d3aa78b643e6c701708b826fa9 CVE-2018-20535 (There is a use-after-free at asm/preproc.c (function pp_getline) in Ne ...) - nasm (unimportant; bug #918270) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392530 NOTE: Crash in CLI tool, no security impact CVE-2018-20534 (** DISPUTED ** There is an illegal address access at ext/testcase.c in ...) - libsolv 0.6.36-1 (unimportant; bug #923002) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1652604 NOTE: https://github.com/openSUSE/libsolv/pull/291 NOTE: https://github.com/openSUSE/libsolv/commit/4830af9d979d3685de538b80fbeba51ad590525e NOTE: Only affects the test suite CVE-2018-20533 (There is a NULL pointer dereference at ext/testcase.c (function testca ...) - libsolv 0.6.36-1 (low; bug #923002) [buster] - libsolv (Minor issue) [stretch] - libsolv (Minor issue) [jessie] - libsolv (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1652599 NOTE: https://github.com/openSUSE/libsolv/pull/291 NOTE: https://github.com/openSUSE/libsolv/commit/4830af9d979d3685de538b80fbeba51ad590525e CVE-2018-20532 (There is a NULL pointer dereference at ext/testcase.c (function testca ...) - libsolv 0.6.36-1 (low; bug #923002) [buster] - libsolv (Minor issue) [stretch] - libsolv (Minor issue) [jessie] - libsolv (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1652605 NOTE: https://github.com/openSUSE/libsolv/pull/291 NOTE: https://github.com/openSUSE/libsolv/commit/4830af9d979d3685de538b80fbeba51ad590525e CVE-2018-20531 RESERVED CVE-2018-20530 (PHP Scripts Mall Website Seller Script 2.0.5 has XSS via a Profile fie ...) NOT-FOR-US: PHP Scripts Mall Website Seller Script CVE-2018-20529 RESERVED CVE-2018-20528 (JEECMS 9 has SSRF via the ueditor/getRemoteImage.jspx upfile parameter ...) NOT-FOR-US: JEECMS CVE-2018-20527 RESERVED CVE-2018-20526 (Roxy Fileman 1.4.5 allows unrestricted file upload in upload.php. ...) NOT-FOR-US: Roxy Fileman CVE-2018-20525 (Roxy Fileman 1.4.5 allows Directory Traversal in copydir.php, copyfile ...) NOT-FOR-US: Roxy Fileman CVE-2018-20524 (The Chat Anywhere extension 2.4.0 for Chrome allows XSS via crafted us ...) NOT-FOR-US: Chat Anywhere Chrome extension CVE-2018-20523 (Xiaomi Stock Browser 10.2.4.g on Xiaomi Redmi Note 5 Pro devices and o ...) NOT-FOR-US: Xiaomi CVE-2018-20522 RESERVED CVE-2018-20521 RESERVED CVE-2018-20520 (MiniCMS V1.10 has XSS via the mc-admin/post-edit.php query string, a r ...) NOT-FOR-US: MiniCMS CVE-2018-20519 (An issue was discovered in 74cms v4.2.111. It allows remote authentica ...) NOT-FOR-US: 74cms CVE-2018-20518 RESERVED CVE-2018-20517 RESERVED CVE-2018-20516 RESERVED CVE-2018-20515 RESERVED CVE-2018-20514 RESERVED CVE-2018-20513 RESERVED CVE-2018-20512 (EPON CPE-WiFi devices 2.0.4-X000 are vulnerable to escalation of privi ...) NOT-FOR-US: EPON CPE-WiFi devices CVE-2018-20510 (The print_binder_transaction_ilocked function in drivers/android/binde ...) - linux 4.16.5-1 [stretch] - linux 4.9.184-1 [jessie] - linux 3.16.57-1 NOTE: https://git.kernel.org/linus/8ca86f1639ec5890d400fff9211aca22d0a392eb CVE-2018-20509 (The print_binder_ref_olocked function in drivers/android/binder.c in t ...) - linux 4.14.2-1 [stretch] - linux 4.9.184-1 [jessie] - linux (debugfs restricted to root by default) NOTE: https://security.netapp.com/advisory/ntap-20190517-0002/ CVE-2018-20508 (CrashFix 1.0.4 has SQL Injection via the User[status] parameter. This ...) NOT-FOR-US: CrashFix CVE-2018-1000890 (FrontAccounting 2.4.5 contains a Time Based Blind SQL Injection vulner ...) - frontaccounting CVE-2018-1000889 (Logisim Evolution version 2.14.3 and earlier contains an XML External ...) NOT-FOR-US: Logisim Evolution CVE-2018-1000888 (PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 ...) {DSA-4378-1 DLA-1674-1} - php-pear 1:1.10.6+submodules+notgz-1.1 (bug #919147) - php5 NOTE: https://pear.php.net/bugs/bug.php?id=23782 NOTE: https://github.com/pear/Archive_Tar/commit/59ace120ac5ceb5f0d36e40e48e1884de1badf76 CVE-2018-1000887 (Peel shopping peel-shopping_9_1_0 version contains a Cross Site Script ...) NOT-FOR-US: Peel shopping CVE-2018-20511 (An issue was discovered in the Linux kernel before 4.18.11. The ipddp_ ...) {DLA-1731-1} - linux 4.18.20-1 [stretch] - linux 4.9.130-1 NOTE: Fixed by: https://git.kernel.org/linus/9824dfae5741275473a23a7ed5756c7b6efacc9d (4.19-rc5) CVE-2018-20507 (An issue was discovered in GitLab Enterprise Edition 11.2.x through 11 ...) - gitlab 11.5.6+dfsg-1 (bug #918086) NOTE: https://about.gitlab.com/2018/12/31/security-release-gitlab-11-dot-6-dot-1-released/ CVE-2018-20506 (SQLite before 3.25.3, when the FTS3 extension is enabled, encounters a ...) - sqlite3 3.25.3-1 [stretch] - sqlite3 (Minor issue) [jessie] - sqlite3 (Minor issue) NOTE: https://sqlite.org/src/info/940f2adc8541a838 CVE-2018-20505 (SQLite 3.25.2, when queries are run on a table with a malformed PRIMAR ...) - sqlite3 3.25.3-1 [stretch] - sqlite3 (Minor issue) [jessie] - sqlite3 (Vulnerable code introduced later) NOTE: https://sqlite.org/src/info/1a84668dcfdebaf12415d CVE-2018-20504 RESERVED CVE-2018-20503 (Allied Telesis 8100L/8 devices allow XSS via the edit-ipv4_interface.p ...) NOT-FOR-US: Allied Telesis 8100L/8 devices CVE-2018-20502 (An issue was discovered in Bento4 1.5.1-627. There is an attempt at ex ...) NOT-FOR-US: Bento4 CVE-2018-20501 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.5.6+dfsg-1 (bug #918086) NOTE: https://about.gitlab.com/2018/12/31/security-release-gitlab-11-dot-6-dot-1-released/ CVE-2018-20500 (An insecure permissions issue was discovered in GitLab Community and E ...) - gitlab 11.5.6+dfsg-1 (bug #918086) NOTE: https://about.gitlab.com/2018/12/31/security-release-gitlab-11-dot-6-dot-1-released/ CVE-2018-20499 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.5.6+dfsg-1 (bug #918086) NOTE: https://about.gitlab.com/2018/12/31/security-release-gitlab-11-dot-6-dot-1-released/ CVE-2018-20498 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.5.6+dfsg-1 (bug #918086) NOTE: https://about.gitlab.com/2018/12/31/security-release-gitlab-11-dot-6-dot-1-released/ CVE-2018-20497 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.5.6+dfsg-1 (bug #918086) NOTE: https://about.gitlab.com/2018/12/31/security-release-gitlab-11-dot-6-dot-1-released/ CVE-2018-20496 (An issue was discovered in GitLab Community and Enterprise Edition 11. ...) - gitlab 11.5.6+dfsg-1 (bug #918086) NOTE: https://about.gitlab.com/2018/12/31/security-release-gitlab-11-dot-6-dot-1-released/ CVE-2018-20495 (An issue was discovered in GitLab Community and Enterprise Edition 11. ...) - gitlab 11.5.6+dfsg-1 (bug #918086) NOTE: https://about.gitlab.com/2018/12/31/security-release-gitlab-11-dot-6-dot-1-released/ CVE-2018-20494 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.5.6+dfsg-1 (bug #918086) NOTE: https://about.gitlab.com/2018/12/31/security-release-gitlab-11-dot-6-dot-1-released/ CVE-2018-20493 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.5.6+dfsg-1 (bug #918086) NOTE: https://about.gitlab.com/2018/12/31/security-release-gitlab-11-dot-6-dot-1-released/ CVE-2018-20492 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.5.6+dfsg-1 (bug #918086) NOTE: https://about.gitlab.com/2018/12/31/security-release-gitlab-11-dot-6-dot-1-released/ CVE-2018-20491 (An issue was discovered in GitLab Enterprise Edition 11.3.x and 11.4.x ...) - gitlab 11.5.6+dfsg-1 (bug #918086) NOTE: https://about.gitlab.com/2018/12/31/security-release-gitlab-11-dot-6-dot-1-released/ CVE-2018-20490 (An issue was discovered in GitLab Community and Enterprise Edition 11. ...) - gitlab 11.5.6+dfsg-1 (bug #918086) NOTE: https://about.gitlab.com/2018/12/31/security-release-gitlab-11-dot-6-dot-1-released/ CVE-2018-20489 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.5.6+dfsg-1 (bug #918086) NOTE: https://about.gitlab.com/2018/12/31/security-release-gitlab-11-dot-6-dot-1-released/ CVE-2018-20488 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.5.6+dfsg-1 (bug #918086) NOTE: https://about.gitlab.com/2018/12/31/security-release-gitlab-11-dot-6-dot-1-released/ CVE-2018-20487 (An issue was discovered in the firewall3 component in Inteno IOPSYS 1. ...) NOT-FOR-US: Inteno IOPSYS CVE-2018-20486 (MetInfo 6.x through 6.1.3 has XSS via the /admin/login/login_check.php ...) NOT-FOR-US: MetInfo CVE-2018-20485 (Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in ...) NOT-FOR-US: Zoho ManageEngine ADSelfService Plus CVE-2018-20484 (Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in ...) NOT-FOR-US: Zoho ManageEngine ADSelfService Plus CVE-2018-20483 (set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's ...) - wget 1.20.1-1 (bug #917375) [stretch] - wget (Vulnerable code introduced in 1.19) [jessie] - wget (Vulnerable code introduced in 1.19) NOTE: https://twitter.com/marcan42/status/1077676739877232640 NOTE: Fixed by: https://git.savannah.gnu.org/cgit/wget.git/commit/?id=3cdfb594cf75f11cdbb9702ac5e856c332ccacfa NOTE: Don't use extended attributes by default: https://git.savannah.gnu.org/cgit/wget.git/commit/?id=c125d24762962d91050d925fbbd9e6f30b2302f8 NOTE: Introduced by: https://git.savannah.gnu.org/cgit/wget.git/commit/?id=a933bdd31eee9c956a3b5cc142f004ef1fa94cb3 (v1.19) CVE-2018-20482 (GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage ...) {DLA-1623-1} - tar 1.30+dfsg-3.1 (bug #917377) [stretch] - tar (Minor issue) NOTE: https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug NOTE: https://news.ycombinator.com/item?id=18745431 NOTE: https://twitter.com/thatcks/status/1076166645708668928 NOTE: https://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html NOTE: Fixed by https://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42c CVE-2018-20481 (XRef::getEntry in XRef.cc in Poppler 0.72.0 mishandles unallocated XRe ...) {DLA-1706-1} - poppler 0.71.0-4 (low; bug #917325) [stretch] - poppler (Minor issue) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/692 NOTE: Proposed fix: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/143 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/39a251b1b3a3343400a08e2f03c5518a26624626 CVE-2018-20480 (An issue was discovered in S-CMS 1.0. It allows SQL Injection via the ...) NOT-FOR-US: S-CMS CVE-2018-20479 (An issue was discovered in S-CMS 1.0. It allows SQL Injection via the ...) NOT-FOR-US: S-CMS CVE-2018-20478 (An issue was discovered in S-CMS 1.0. It allows reading certain files, ...) NOT-FOR-US: S-CMS CVE-2018-20477 (An issue was discovered in S-CMS 3.0. It allows SQL Injection via the ...) NOT-FOR-US: S-CMS CVE-2018-20476 (An issue was discovered in S-CMS 3.0. It allows XSS via the admin/demo ...) NOT-FOR-US: S-CMS CVE-2018-20475 RESERVED CVE-2018-20474 RESERVED CVE-2018-20473 RESERVED CVE-2018-20472 (An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. The ...) NOT-FOR-US: Tyto Sahi Pro CVE-2018-20471 RESERVED CVE-2018-20470 (An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A di ...) NOT-FOR-US: Tyto Sahi Pro CVE-2018-20469 (An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A pa ...) NOT-FOR-US: Tyto Sahi Pro CVE-2018-20468 (An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A we ...) NOT-FOR-US: Tyto Sahi Pro CVE-2018-20467 (In coders/bmp.c in ImageMagick before 7.0.8-16, an input file can resu ...) - imagemagick 8:6.9.10.23+dfsg-1 (low; bug #917326) [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1408 NOTE: https://github.com/ImageMagick/ImageMagick/commit/db0add932fb850d762b02604ca3053b7d7ab6deb NOTE: https://github.com/ImageMagick/ImageMagick6/commit/4dd53a3f790147aaf18b2dd4d15f2a19f9432d3f CVE-2018-20466 RESERVED CVE-2018-20465 (Craft CMS through 3.0.34 allows remote authenticated administrators to ...) NOT-FOR-US: Craft CMS CVE-2018-20464 (There is a reflected XSS vulnerability in the CMS Made Simple 2.2.8 ad ...) NOT-FOR-US: CMS Made Simple CVE-2018-20463 (An issue was discovered in the JSmol2WP plugin 1.07 for WordPress. The ...) NOT-FOR-US: JSmol2WP plugin for WordPress CVE-2018-20462 (An issue was discovered in the JSmol2WP plugin 1.07 for WordPress. A c ...) NOT-FOR-US: JSmol2WP plugin for WordPress CVE-2018-20461 (In radare2 prior to 3.1.1, core_anal_bytes in libr/core/cmd_anal.c all ...) - radare2 3.1.2+dfsg-1 (low) [jessie] - radare2 (vulnerable code not present) NOTE: https://github.com/radare/radare2/commit/a1bc65c3db593530775823d6d7506a457ed95267 NOTE: https://github.com/radare/radare2/issues/12375 CVE-2018-20460 (In radare2 prior to 3.1.2, the parseOperands function in libr/asm/arch ...) - radare2 3.1.2+dfsg-1 (low) [jessie] - radare2 (vulnerable code not present) NOTE: https://github.com/radare/radare2/commit/df167c7db545953bb7f71c72e98e7a3ca0c793bf NOTE: https://github.com/radare/radare2/issues/12376 CVE-2018-20459 (In radare2 through 3.1.3, the armass_assemble function in libr/asm/arc ...) - radare2 3.2.1+dfsg-1 (low; bug #917322) [jessie] - radare2 (vulnerable code not present) NOTE: https://github.com/radare/radare2/commit/e5c14c167b0dcf0a53d76bd50bacbbcc0dfc1ae7 NOTE: https://github.com/radare/radare2/issues/12418 CVE-2018-20458 (In radare2 prior to 3.1.1, r_bin_dyldcache_extract in libr/bin/format/ ...) - radare2 3.1.2+dfsg-1 (low) [jessie] - radare2 (vulnerable code not present) NOTE: https://github.com/radare/radare2/commit/30f4c7b52a4e2dc0d0b1bae487d90f5437c69d19 NOTE: https://github.com/radare/radare2/issues/12374 CVE-2018-20457 (In radare2 through 3.1.3, the assemble function inside libr/asm/p/asm_ ...) - radare2 3.2.1+dfsg-1 (low; bug #917322) [jessie] - radare2 (vulnerable code not present) NOTE: https://github.com/radare/radare2/commit/e5c14c167b0dcf0a53d76bd50bacbbcc0dfc1ae7 NOTE: https://github.com/radare/radare2/issues/12417 CVE-2018-20456 (In radare2 prior to 3.1.1, the parseOperand function inside libr/asm/p ...) - radare2 3.1.2+dfsg-1 (low) [jessie] - radare2 (vulnerable code not present) NOTE: https://github.com/radare/radare2/commit/9b46d38dd3c4de6048a488b655c7319f845af185 NOTE: https://github.com/radare/radare2/issues/12372 CVE-2018-20455 (In radare2 prior to 3.1.1, the parseOperand function inside libr/asm/p ...) - radare2 3.1.2+dfsg-1 (low) [jessie] - radare2 (vulnerable code not present) NOTE: https://github.com/radare/radare2/commit/9b46d38dd3c4de6048a488b655c7319f845af185 NOTE: https://github.com/radare/radare2/issues/12373 CVE-2018-20454 (An issue was discovered in 74cms v4.2.111. upload/index.php?c=resume&a ...) NOT-FOR-US: 74cms CVE-2018-20453 (The getlong function in numutils.c in libdoc through 2017-10-23 has a ...) - catdoc (unimportant; bug #919526) NOTE: Crash in CLI tool, no security impact CVE-2018-20452 (The read_MSAT_body function in ole.c in libxls 1.4.0 has an invalid fr ...) - r-cran-readxl 1.2.0.9000-1 (bug #919324) [stretch] - r-cran-readxl 0.1.1-1+deb9u2 NOTE: https://github.com/evanmiller/libxls/issues/35 CVE-2018-20451 (The process_file function in reader.c in libdoc through 2017-10-23 has ...) - catdoc (unimportant; bug #919526) NOTE: Crash in CLI tool, no security impact CVE-2018-20450 (The read_MSAT function in ole.c in libxls 1.4.0 has a double free that ...) - r-cran-readxl 1.2.0.9000-1 (bug #919324) [stretch] - r-cran-readxl 0.1.1-1+deb9u2 NOTE: https://github.com/evanmiller/libxls/issues/34 CVE-2018-20449 (The hidma_chan_stats function in drivers/dma/qcom/hidma_dbg.c in the L ...) - linux 4.15.4-1 [stretch] - linux (Minor issue) [jessie] - linux (Vulnerable code introduced later) NOTE: https://lists.debian.org/debian-security-tracker/2019/01/msg00029.html CVE-2018-20448 (Frog CMS 0.9.5 has XSS via the Database name field to the /install/ind ...) NOT-FOR-US: Frog CMS CVE-2018-20447 RESERVED CVE-2018-20446 RESERVED CVE-2018-20445 (D-Link DCM-604 DCM604_C1_ViaCabo_1.04_20130606 and DCM-704 EU_DCM-704_ ...) NOT-FOR-US: D-Link CVE-2018-20444 (Technicolor CGA0111 CGA0111E-ES-13-E23E-c8000r5712-170217-0829-TRU dev ...) NOT-FOR-US: Technicolor CVE-2018-20443 (Technicolor TC7200.d1I TC7200.d1IE-N23E-c7000r5712-170406-HAT devices ...) NOT-FOR-US: Technicolor CVE-2018-20442 (Technicolor TC7110.B STC8.62.02 devices allow remote attackers to disc ...) NOT-FOR-US: Technicolor CVE-2018-20441 (Technicolor TC7200.TH2v2 SC05.00.22 devices allow remote attackers to ...) NOT-FOR-US: Technicolor CVE-2018-20440 (Technicolor CWA0101 CWA0101E-A23E-c7000r5712-170315-SKC devices allow ...) NOT-FOR-US: Technicolor CVE-2018-20439 (Technicolor DPC3928SL D3928SL-PSIP-13-A010-c3420r55105-170214a devices ...) NOT-FOR-US: Technicolor CVE-2018-20438 (Technicolor TC7110.AR STD3.38.03 devices allow remote attackers to dis ...) NOT-FOR-US: Technicolor CVE-2018-20437 (** DISPUTED ** An issue was discovered in the fileDownload function in ...) NOT-FOR-US: FEBS-Shiro CVE-2018-20436 (** DISPUTED ** The "secret chat" feature in Telegram 4.9.1 for Android ...) NOT-FOR-US: Telegram for Android CVE-2018-20435 RESERVED CVE-2018-20434 (LibreNMS 1.46 allows remote attackers to execute arbitrary OS commands ...) NOT-FOR-US: LibreNMS CVE-2018-20433 (c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mcha ...) {DLA-1621-1} - c3p0 0.9.1.2-10 (bug #917257) [stretch] - c3p0 0.9.1.2-9+deb9u1 NOTE: https://github.com/swaldman/c3p0/commit/7dfdda63f42759a5ec9b63d725b7412f74adb3e1 CVE-2018-20432 RESERVED CVE-2018-20431 (GNU Libextractor through 1.8 has a NULL Pointer Dereference vulnerabil ...) {DSA-4361-1 DLA-1616-1} - libextractor 1:1.8-2 (bug #917213) NOTE: https://gnunet.org/bugs/view.php?id=5494 NOTE: https://git.gnunet.org/libextractor.git/commit/?id=489c4a540bb2c4744471441425b8932b97a153e7 CVE-2018-20430 (GNU Libextractor through 1.8 has an out-of-bounds read vulnerability i ...) {DSA-4361-1 DLA-1616-1} - libextractor 1:1.8-2 (bug #917214) NOTE: https://gnunet.org/bugs/view.php?id=5493 NOTE: https://git.gnunet.org/libextractor.git/commit/?id=b405d707b36e0654900cba78e89f49779efea110 CVE-2018-20429 (libming 0.4.8 has a NULL pointer dereference in the getName function o ...) - ming NOTE: https://github.com/libming/libming/issues/160 CVE-2018-20428 (libming 0.4.8 has a NULL pointer dereference in the strlenext function ...) - ming NOTE: https://github.com/libming/libming/issues/161 CVE-2018-20427 (libming 0.4.8 has a NULL pointer dereference in the getInt function of ...) - ming NOTE: https://github.com/libming/libming/issues/164 CVE-2018-20426 (libming 0.4.8 has a NULL pointer dereference in the newVar3 function o ...) - ming NOTE: https://github.com/libming/libming/issues/162 CVE-2018-20425 (libming 0.4.8 has a NULL pointer dereference in the pushdup function o ...) - ming NOTE: https://github.com/libming/libming/issues/163 CVE-2018-20424 (Discuz! DiscuzX 3.4, when WeChat login is enabled, allows remote attac ...) NOT-FOR-US: DiscuzX CVE-2018-20423 (Discuz! DiscuzX 3.4, when WeChat login is enabled, allows remote attac ...) NOT-FOR-US: DiscuzX CVE-2018-20422 (Discuz! DiscuzX 3.4, when WeChat login is enabled, allows remote attac ...) NOT-FOR-US: DiscuzX CVE-2018-20421 (Go Ethereum (aka geth) 1.8.19 allows attackers to cause a denial of se ...) NOT-FOR-US: Go Ethereum CVE-2018-20420 (In webERP 4.15, Z_CreateCompanyTemplateFile.php has Incorrect Access C ...) NOT-FOR-US: webERP CVE-2018-20419 (DouCo DouPHP 1.5 has upload/admin/manager.php?rec=insert CSRF to add a ...) NOT-FOR-US: DouCo DouPHP CVE-2018-20418 (index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allow ...) NOT-FOR-US: Craft CMS CVE-2018-20417 RESERVED CVE-2018-20416 RESERVED CVE-2018-20415 RESERVED CVE-2018-20414 RESERVED CVE-2018-20413 RESERVED CVE-2018-20412 RESERVED CVE-2018-20411 RESERVED CVE-2018-20410 (WellinTech KingSCADA before 3.7.0.0.1 contains a stack-based buffer ov ...) NOT-FOR-US: WellinTech KingSCADA CVE-2018-20409 (An issue was discovered in Bento4 1.5.1-627. There is a heap-based buf ...) NOT-FOR-US: Bento4 CVE-2018-20408 (An issue was discovered in Bento4 1.5.1-627. There is a memory leak in ...) NOT-FOR-US: Bento4 CVE-2018-20407 (An issue was discovered in Bento4 1.5.1-627. There is a memory leak in ...) NOT-FOR-US: Bento4 CVE-2018-20406 (Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a ...) {DLA-1663-1} - python3.7 3.7.0-7 (unimportant) - python3.6 3.6.7~rc1-1 (unimportant) - python3.5 (unimportant) - python3.4 (unimportant) NOTE: https://bugs.python.org/issue34656 NOTE: https://github.com/python/cpython/commit/a4ae828ee416a66d8c7bf5ee71d653c2cc6a26dd (master) NOTE: https://github.com/python/cpython/commit/ef4306b24c9034d6b37bb034e2ebe82e745d4b77 (3.7) NOTE: https://github.com/python/cpython/commit/71a9c65e74a70b6ed39adc4ba81d311ac1aa2acc (3.6) NOTE: Negligible security impact CVE-2018-20405 (** DISPUTED ** BigTree 4.3 allows full path disclosure via authenticat ...) NOT-FOR-US: BigTree CMS CVE-2018-20404 (ETK_E900.sys, a SmartETK driver for VIA Technologies EPIA-E900 system ...) NOT-FOR-US: ETK_E900.sys (SmartETK driver for VIA Technologies EPIA-E900 system board) CVE-2018-20403 RESERVED CVE-2018-20402 (Safe Software FME Server through 2018.1 creates and enables three addi ...) NOT-FOR-US: Safe Software FME Server CVE-2018-20401 (Zoom 5352 v5.5.8.6Y devices allow remote attackers to discover credent ...) NOT-FOR-US: Zoom 5352 v5.5.8.6Y devices CVE-2018-20400 (Ubee DVW2108 6.28.1017 and DVW2110 6.28.2012 devices allow remote atta ...) NOT-FOR-US: Ubee devices CVE-2018-20399 (Motorola SBG901 SBG901-2.10.1.1-GA-00-581-NOSH, SBG941 SBG941-2.11.0.0 ...) NOT-FOR-US: Motorola CVE-2018-20398 (Skyworth CM5100 V1.1.0, CM5100-440 V1.2.1, CM5100-511 4.1.0.14, CM5100 ...) NOT-FOR-US: Skyworth devices CVE-2018-20397 (mplus CBC383Z CBC383Z_mplus_MDr026 devices allow remote attackers to d ...) NOT-FOR-US: mplus devices CVE-2018-20396 (NET&SYS MNG2120J 5.76.1006c and MNG6300 5.83.6305jrc2 devices allo ...) NOT-FOR-US: NET&SYS devices CVE-2018-20395 (NETWAVE MNG6200 C4835805jrc12FU121413.cpr devices allow remote attacke ...) NOT-FOR-US: NETWAVE devices CVE-2018-20394 (Thomson DWG849 STC0.01.16, DWG850-4 ST9C.05.25, DWG855 ST80.20.26, and ...) NOT-FOR-US: Thomson devices CVE-2018-20393 (Technicolor CGA0111 CGA0111E-ES-13-E23E-c8000r5712-170217-0829-TRU, CW ...) NOT-FOR-US: Technicolor devices CVE-2018-20392 (S-A WebSTAR DPC2100 v2.0.2r1256-060303 devices allow remote attackers ...) NOT-FOR-US: S-A WebSTAR devices CVE-2018-20391 (TEKNOTEL CBW700N 81.447.392110.729.024 devices allow remote attackers ...) NOT-FOR-US: TEKNOTEL devices CVE-2018-20390 (Kaonmedia CG2001-AN22A 1.2.1, CG2001-UDBNA 3.0.8, and CG2001-UN2NA 3.0 ...) NOT-FOR-US: Kaonmedia devices CVE-2018-20389 (D-Link DCM-604 DCM604_C1_ViaCabo_1.04_20130606 and DCM-704 EU_DCM-704_ ...) NOT-FOR-US: D-Link CVE-2018-20388 (Comtrend CM-6200un 123.447.007 and CM-6300n 123.553mp1.005 devices all ...) NOT-FOR-US: Comtrend devices CVE-2018-20387 (Bnmux BCW700J 5.20.7, BCW710J 5.30.6a, and BCW710J2 5.30.16 devices al ...) NOT-FOR-US: Bnmux devices CVE-2018-20386 (ARRIS SBG6580-2 D30GW-SEAEAGLE-1.5.2.5-GA-00-NOSH devices allow remote ...) NOT-FOR-US: ARRIS devices CVE-2018-20385 (CastleNet CBV38Z4EC 125.553mp1.39219mp1.899.007, CBV38Z4ECNIT 125.553m ...) NOT-FOR-US: CastleNet devices CVE-2018-20384 (iNovo Broadband IB-8120-W21 139.4410mp1.004200.002 and IB-8120-W21E1 1 ...) NOT-FOR-US: iNovo devices CVE-2018-20383 (ARRIS DG950A 7.10.145 and DG950S 7.10.145.EURO devices allow remote at ...) NOT-FOR-US: ARRIS devices CVE-2018-20382 (Jiuzhou BCM93383WRG 139.4410mp1.3921132mp1.899.004404.004 devices allo ...) NOT-FOR-US: Jiuzhou devices CVE-2018-20381 (Technicolor DPC2320 dpc2300r2-v202r1244101-150420a-v6 devices allow re ...) NOT-FOR-US: Technicolor devices CVE-2018-20380 (Ambit DDW2600 5.100.1009, DDW2602 5.105.1003, T60C926 4.64.1012, and U ...) NOT-FOR-US: Ambit devices CVE-2018-20379 (Technicolor DPC3928SL D3928SL-PSIP-13-A010-c3420r55105-160428a devices ...) NOT-FOR-US: Technicolor devices CVE-2018-20378 (The L2CAP signaling channel implementation and SDP server implementati ...) NOT-FOR-US: OpenSynergy Blue SDK CVE-2018-20377 (Orange Livebox 00.96.320S devices allow remote attackers to discover W ...) NOT-FOR-US: Orange Livebox CVE-2018-20376 (An issue was discovered in Tiny C Compiler (aka TinyCC or TCC) 0.9.27. ...) - tcc (unimportant) NOTE: Negligible security impact NOTE: https://lists.nongnu.org/archive/html/tinycc-devel/2018-12/msg00013.html CVE-2018-20375 (An issue was discovered in Tiny C Compiler (aka TinyCC or TCC) 0.9.27. ...) - tcc (unimportant) NOTE: Negligible security impact NOTE: https://lists.nongnu.org/archive/html/tinycc-devel/2018-12/msg00014.html CVE-2018-20374 (An issue was discovered in Tiny C Compiler (aka TinyCC or TCC) 0.9.27. ...) - tcc (unimportant) NOTE: Negligible security impact NOTE: https://lists.nongnu.org/archive/html/tinycc-devel/2018-12/msg00015.html CVE-2018-20373 (Tenda ADSL modem routers 1.0.1 allow XSS via the hostname of a DHCP cl ...) NOT-FOR-US: Tenda ADSL modem routers CVE-2018-20372 (TP-Link TD-W8961ND devices allow XSS via the hostname of a DHCP client ...) NOT-FOR-US: TP-Link TD-W8961ND devices CVE-2018-20371 (PhotoRange Photo Vault 1.2 appends the password to the URI for authori ...) NOT-FOR-US: PhotoRange Photo Vault CVE-2018-20370 (SZ NetChat before 7.9 has XSS in the MyName input field of the Options ...) NOT-FOR-US: SZ NetChat CVE-2018-20369 (Barracuda Message Archiver 2018 has XSS in the error_msg exception-han ...) NOT-FOR-US: Barracuda CVE-2018-20368 (The Master Slider plugin 3.2.7 and 3.5.1 for WordPress has XSS via the ...) NOT-FOR-US: Master Slider plugin for WordPress CVE-2018-20367 (The "mall some commodity details: commodity consultation" component in ...) NOT-FOR-US: WSTMart CVE-2018-20366 RESERVED CVE-2018-20365 (LibRaw::raw2image() in libraw_cxx.cpp has a heap-based buffer overflow ...) - libraw 0.19.2-2 (bug #917111) [stretch] - libraw (Minor issue) [jessie] - libraw (Vulnerable code not present) NOTE: https://github.com/LibRaw/LibRaw/issues/195 NOTE: Fixed by: https://github.com/LibRaw/LibRaw/commit/7e29b9f29449fde30cc878fbb137d61c14bba3a4 NOTE: Additionally needed: https://github.com/LibRaw/LibRaw/commit/a7c17cb6bbec1e79f058d84511f9c3b142cbdfa7 NOTE: CVE-2018-20363, CVE-2018-20364 and CVE-2018-20365 have same root cause CVE-2018-20364 (LibRaw::copy_bayer in libraw_cxx.cpp in LibRaw 0.19.1 has a NULL point ...) - libraw 0.19.2-2 (bug #917112) [stretch] - libraw (Minor issue) [jessie] - libraw (Vulnerable code not present) NOTE: https://github.com/LibRaw/LibRaw/issues/194 NOTE: Fixed by: https://github.com/LibRaw/LibRaw/commit/7e29b9f29449fde30cc878fbb137d61c14bba3a4 NOTE: Additionally needed: https://github.com/LibRaw/LibRaw/commit/a7c17cb6bbec1e79f058d84511f9c3b142cbdfa7 NOTE: CVE-2018-20363, CVE-2018-20364 and CVE-2018-20365 have same root cause CVE-2018-20363 (LibRaw::raw2image in libraw_cxx.cpp in LibRaw 0.19.1 has a NULL pointe ...) - libraw 0.19.2-2 (bug #917113) [stretch] - libraw (Minor issue) [jessie] - libraw (Vulnerable code not present) NOTE: https://github.com/LibRaw/LibRaw/issues/193 NOTE: Fixed by: https://github.com/LibRaw/LibRaw/commit/7e29b9f29449fde30cc878fbb137d61c14bba3a4 NOTE: Additionally needed: https://github.com/LibRaw/LibRaw/commit/a7c17cb6bbec1e79f058d84511f9c3b142cbdfa7 NOTE: CVE-2018-20363, CVE-2018-20364 and CVE-2018-20365 have same root cause CVE-2018-20362 (A NULL pointer dereference was discovered in ifilter_bank of libfaad/f ...) {DSA-4522-1 DLA-1791-1} - faad2 2.8.8-2 (low) NOTE: https://github.com/knik0/faad2/issues/26 NOTE: https://github.com/knik0/faad2/commit/466b01d504d7e45 CVE-2018-20361 (An invalid memory address dereference was discovered in the hf_assembl ...) {DSA-4522-1} - faad2 2.8.8-2 (low) [buster] - faad2 (Minor issue) [jessie] - faad2 2.7-8+deb8u2 NOTE: https://github.com/knik0/faad2/issues/30 NOTE: https://github.com/knik0/faad2/commit/6b4a7cde30f2e2c CVE-2018-20360 (An invalid memory address dereference was discovered in the sbr_proces ...) {DLA-1899-1} - faad2 2.8.8-3.1 (low) [buster] - faad2 (Minor issue) [stretch] - faad2 (Minor issue) NOTE: https://github.com/knik0/faad2/issues/32 NOTE: https://github.com/knik0/faad2/commit/3b80a57483a6bc822d3ce3cc640fa81737a87c54 CVE-2018-20359 (An invalid memory address dereference was discovered in the sbrDecodeS ...) {DSA-4522-1} - faad2 2.8.8-2 (low) [jessie] - faad2 2.7-8+deb8u2 NOTE: https://github.com/knik0/faad2/issues/29 NOTE: https://github.com/knik0/faad2/commit/6b4a7cde30f2e2cb03e78ef476cc73179cfffda3 CVE-2018-20358 (An invalid memory address dereference was discovered in the lt_predict ...) {DSA-4522-1} - faad2 2.8.8-2 (low) [buster] - faad2 (Minor issue) [jessie] - faad2 2.7-8+deb8u2 NOTE: https://github.com/knik0/faad2/issues/31 NOTE: https://github.com/knik0/faad2/commit/466b01d504d7e45 CVE-2018-20357 (A NULL pointer dereference was discovered in sbr_process_channel of li ...) {DSA-4522-1} - faad2 2.8.8-2 (low) [jessie] - faad2 2.7-8+deb8u2 NOTE: https://github.com/knik0/faad2/issues/28 NOTE: https://github.com/knik0/faad2/commit/6b4a7cde30f2e2c CVE-2018-20356 (An invalid read of 8 bytes due to a use-after-free vulnerability in th ...) NOT-FOR-US: Cesanta Mongoose NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1 CVE-2018-20355 (An invalid write of 8 bytes due to a use-after-free vulnerability in t ...) NOT-FOR-US: Cesanta Mongoose NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1 CVE-2018-20354 (An invalid read of 8 bytes due to a use-after-free vulnerability durin ...) NOT-FOR-US: Cesanta Mongoose NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1 CVE-2018-20353 (An invalid read of 8 bytes due to a use-after-free vulnerability durin ...) NOT-FOR-US: Cesanta Mongoose NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1 CVE-2018-20352 (Use-after-free vulnerability in the mg_cgi_ev_handler function in mong ...) NOT-FOR-US: Cesanta Mongoose NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1 CVE-2018-20351 (The Markdown component in Evernote (Chinese) before 8.3.2 on macOS all ...) NOT-FOR-US: Evernote CVE-2018-20350 RESERVED CVE-2018-20349 (The igraph_i_strdiff function in igraph_trie.c in igraph through 0.7.1 ...) {DLA-2055-1} - igraph 0.7.1-3 (bug #917211) [stretch] - igraph 0.7.1-2.1+deb9u1 - r-cran-igraph 1.2.2-2 (bug #917212) [stretch] - r-cran-igraph 1.0.1-1+deb9u1 NOTE: https://github.com/igraph/igraph/issues/1141 NOTE: Fixed by: https://github.com/igraph/igraph/commit/e3a9566e6463186230f215151b57b893df6d9ce2 CVE-2018-20348 (libpff_item_tree_create_node in libpff_item_tree.c in libpff before ex ...) - libpff 20180714-1 [stretch] - libpff (Minor issue) [jessie] - libpff (Minor issue) NOTE: https://github.com/libyal/libpff/issues/48 CVE-2018-20347 REJECTED CVE-2018-20345 (Incorrect access control in StackStorm API (st2api) in StackStorm befo ...) NOT-FOR-US: SlackStorm CVE-2018-20344 RESERVED CVE-2018-20343 (Multiple buffer overflow vulnerabilities have been found in Ken Silver ...) NOT-FOR-US: Ken Silverman Build Engine CVE-2018-20342 (The Floureon IP Camera SP012 provides a root terminal on a UART serial ...) NOT-FOR-US: Floureon IP Camera SP012 CVE-2018-20341 (WINMAGIC SecureDoc Disk Encryption software before 8.3 has an Unquoted ...) NOT-FOR-US: WINMAGIC SecureDoc Disk Encryption CVE-2018-20340 (Yubico libu2f-host 1.1.6 contains unchecked buffers in devs.c, which c ...) {DSA-4389-1} - libu2f-host 1.1.7-1 (bug #921726) NOTE: https://www.yubico.com/support/security-advisories/ysa-2019-01/ NOTE: https://github.com/Yubico/libu2f-host/commit/f526546bb29f2ef704ae9850f0f4b41fea7b62a4 NOTE: https://github.com/Yubico/libu2f-host/commit/e77a109f8cf60d9eafdf005ab5c851d5f576c01e CVE-2018-20339 (Zoho ManageEngine OpManager 12.3 before build 123239 allows XSS in the ...) NOT-FOR-US: Zoho ManageEngine OpManager CVE-2018-20338 (Zoho ManageEngine OpManager 12.3 before build 123239 allows SQL inject ...) NOT-FOR-US: Zoho ManageEngine OpManager CVE-2018-20337 (There is a stack-based buffer overflow in the parse_makernote function ...) - libraw 0.19.2-1 (bug #917080) [stretch] - libraw (Minor issue) [jessie] - libraw (Vulnerable code not present) NOTE: https://github.com/LibRaw/LibRaw/issues/192 CVE-2018-20336 (An issue was discovered in ASUSWRT 3.0.0.4.384.20308. There is a stack ...) NOT-FOR-US: ASUSWRT CVE-2018-20335 (An issue was discovered in ASUSWRT 3.0.0.4.384.20308. An unauthenticat ...) NOT-FOR-US: ASUSWRT CVE-2018-20334 (An issue was discovered in ASUSWRT 3.0.0.4.384.20308. When processing ...) NOT-FOR-US: ASUSWRT CVE-2018-20333 (An issue was discovered in ASUSWRT 3.0.0.4.384.20308. An unauthenticat ...) NOT-FOR-US: ASUSWRT CVE-2018-20332 (An issue has been discovered in the OpenWebif plugin through 1.2.4 for ...) NOT-FOR-US: OpenWebif plugin CVE-2018-20331 (Local attackers can trigger a Kernel Pool Buffer Overflow in Antiy AVL ...) NOT-FOR-US: Antiy AVL ATool CVE-2018-20330 (The tjLoadImage function in libjpeg-turbo 2.0.1 has an integer overflo ...) - libjpeg-turbo (Vulnerable code introduced later) NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/304 NOTE: Fixed by: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/3d9c64e9f8aa1ee954d1d0bb3390fc894bb84da3 CVE-2018-20329 (Chamilo LMS version 1.11.8 contains a main/inc/lib/CoursesAndSessionsC ...) NOT-FOR-US: Chamilo LMS CVE-2018-20328 (Chamilo LMS version 1.11.8 contains XSS in main/social/group_view.php ...) NOT-FOR-US: Chamilo LMS CVE-2018-20327 (Chamilo LMS version 1.11.8 contains XSS in main/template/default/admin ...) NOT-FOR-US: Chamilo LMS CVE-2018-20326 (ChinaMobile PLC Wireless Router GPN2.4P21-C-CN devices with firmware W ...) NOT-FOR-US: ChinaMobile PLC Wireless Router CVE-2018-20325 (There is a vulnerability in load() method in definitions/parser.py in ...) NOT-FOR-US: Danijar Hafner CVE-2018-20324 RESERVED CVE-2018-20323 (www/soap/application/MCSoap/Logs.php in MailCleaner Community Edition ...) NOT-FOR-US: MailCleaner CVE-2018-20322 (LimeSurvey version 3.15.5 contains a Cross-site scripting (XSS) vulner ...) - limesurvey (bug #472802) CVE-2018-20321 (An issue was discovered in Rancher 2 through 2.1.5. Any project member ...) NOT-FOR-US: Rancher CVE-2018-20320 REJECTED CVE-2018-20319 RESERVED CVE-2018-20318 (An issue was discovered in weixin-java-tools v3.2.0. There is an XXE v ...) NOT-FOR-US: weixin-java-tools CVE-2018-1000886 (nasm version 2.14.01rc5, 2.15 contains a Buffer Overflow vulnerability ...) - nasm (unimportant) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392514 NOTE: Crash in CLI, no security impact CVE-2018-1000885 (PHKP version including commit 88fd9cfdf14ea4b6ac3e3967feea7bcaabb6f03b ...) NOT-FOR-US: PHKP CVE-2018-1000884 (Vesta CP version Prior to commit f6f6f9cfbbf2979e301956d1c6ab5c4438682 ...) NOT-FOR-US: Vesta CP CVE-2018-1000883 (Elixir Plug Plug version All contains a Header Injection vulnerability ...) NOT-FOR-US: Elixir Plug, different from src:elixir-lang CVE-2018-20317 RESERVED CVE-2018-20316 RESERVED CVE-2018-20315 RESERVED CVE-2018-20314 RESERVED CVE-2018-20313 RESERVED CVE-2018-20312 RESERVED CVE-2018-20311 RESERVED CVE-2018-20310 RESERVED CVE-2018-20309 RESERVED CVE-2018-20308 RESERVED CVE-2018-1000882 (WeBid version up to current version 1.2.2 contains a Directory Travers ...) NOT-FOR-US: WeBid Auction Script CVE-2018-1000881 (Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Impr ...) NOT-FOR-US: Traccar Traccar Server CVE-2018-1000880 (libarchive version commit 9693801580c0cf7c70e862d305270a16b52826a7 onw ...) {DSA-4360-1} - libarchive 3.3.3-2 (bug #916960) [jessie] - libarchive (Vulnerable code introduced later) NOTE: https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909 NOTE: https://github.com/libarchive/libarchive/pull/1105 NOTE: Introduced by: https://github.com/libarchive/libarchive/commit/9693801580c0cf7c70e862d305270a16b52826a7 NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/9c84b7426660c09c18cc349f6d70b5f8168b5680 CVE-2018-1000879 (libarchive version commit 379867ecb330b3a952fb7bfa7bffb7bbd5547205 onw ...) - libarchive 3.3.3-2 (bug #916962) [stretch] - libarchive (Vulnerable code introduced later) [jessie] - libarchive (Vulnerable code introduced later) NOTE: https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909 NOTE: https://github.com/libarchive/libarchive/pull/1105 NOTE: Introduced in: https://github.com/libarchive/libarchive/commit/379867ecb330b3a952fb7bfa7bffb7bbd5547205 (3.3.0) NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/15bf44fd2c1ad0e3fd87048b3fcc90c4dcff1175 CVE-2018-1000878 (libarchive version commit 416694915449219d505531b1096384f3237dd6cc onw ...) {DSA-4360-1 DLA-1612-1} - libarchive 3.3.3-2 (bug #916963) NOTE: https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909 NOTE: https://github.com/libarchive/libarchive/pull/1105 NOTE: Introduced after: https://github.com/libarchive/libarchive/commit/416694915449219d505531b1096384f3237dd6cc NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/bfcfe6f04ed20db2504db8a254d1f40a1d84eb28 CVE-2018-1000877 (libarchive version commit 416694915449219d505531b1096384f3237dd6cc onw ...) {DSA-4360-1 DLA-1612-1} - libarchive 3.3.3-2 (bug #916964) NOTE: https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909 NOTE: https://github.com/libarchive/libarchive/pull/1105 NOTE: Introduced after: https://github.com/libarchive/libarchive/commit/416694915449219d505531b1096384f3237dd6cc NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/021efa522ad729ff0f5806c4ce53e4a6cc1daa31 CVE-2018-1000876 (binutils version 2.32 and earlier contains a Integer Overflow vulnerab ...) - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23994 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3a551c7a1b80fca579461774860574eabfd7f18f NOTE: binutils not covered by security support CVE-2018-1000875 (Berkeley Open Infrastructure for Network Computing BOINC Server and We ...) NOT-FOR-US: BOINC server (src:boinc only covers the client) CVE-2018-1000874 (** DISPUTED ** PHP cebe markdown parser version 1.2.0 and earlier cont ...) NOT-FOR-US: cebe markdown parser (different from src:php-markdown) CVE-2018-1000873 (Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Inp ...) NOT-FOR-US: Fasterxml Jackson Jackson-Modules-Java8 module CVE-2018-1000872 (OpenKMIP PyKMIP version All versions before 0.8.0 contains a CWE 399: ...) - python-pykmip 0.7.0-3 (low; bug #917030) [stretch] - python-pykmip 0.5.0-4+deb9u1 NOTE: https://github.com/OpenKMIP/PyKMIP/commit/3a7b880bdf70d295ed8af3a5880bab65fa6b3932 NOTE: https://github.com/OpenKMIP/PyKMIP/issues/430 CVE-2018-1000871 (HotelDruid HotelDruid 2.3.0 version 2.3.0 and earlier contains a SQL I ...) - hoteldruid 2.3.0-2 (low; bug #917099) [stretch] - hoteldruid (Minor issue) [jessie] - hoteldruid (Minor issue) NOTE: https://www.exploit-db.com/exploits/45976 CVE-2018-1000870 (PHPipam version 1.3.2 and earlier contains a CWE-79 vulnerability in / ...) - phpipam (bug #731713) NOTE: https://github.com/phpipam/phpipam/commit/552fbb0fc7ecb84bda4a131b4f290a3de9980040 NOTE: https://github.com/phpipam/phpipam/issues/2326 CVE-2018-1000869 (phpIPAM version 1.3.2 contains a CWE-89 vulnerability in /app/admin/na ...) - phpipam (bug #731713) NOTE: https://github.com/phpipam/phpipam/commit/856b10ca85a24c04ed8651f4e13f867ec78a353d NOTE: https://github.com/phpipam/phpipam/issues/2344 CVE-2018-1000868 (WeBid version up to current version 1.2.2 contains a Cross Site Script ...) NOT-FOR-US: WeBid Auction Script CVE-2018-1000867 (WeBid version up to current version 1.2.2 contains a SQL Injection vul ...) NOT-FOR-US: WeBid Auction Script CVE-2018-1000860 (phpipam version 1.3.2 and earlier contains a Cross Site Scripting (XSS ...) - phpipam (bug #731713) NOTE: https://github.com/phpipam/phpipam/issues/2338 CVE-2018-1000858 (GnuPG version 2.1.12 - 2.2.11 contains a Cross ite Request Forgery (CS ...) - gnupg2 2.2.12-1 [stretch] - gnupg2 (Minor issue) [jessie] - gnupg2 (Vulnerable code was introduced later) - gnupg1 (Vulnerable code introduced in 2.x in 2.1.12) - gnupg (Vulnerable code introduced in 2.x in 2.1.12) NOTE: WKD (Web Key Directory) feature introduced in 2.1.12 NOTE: https://sektioneins.de/en/advisories/advisory-012018-gnupg-wkd.html NOTE: https://sektioneins.de/en/blog/18-11-23-gnupg-wkd.html NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=fa1b1eaa4241ff3f0634c8bdf8591cbc7c464144 (master) NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=4a4bb874f63741026bd26264c43bb32b1099f060 (2.2.12) CVE-2018-1000857 (log-user-session version 0.7 and earlier contains a Directory Traversa ...) NOT-FOR-US: log-user-session CVE-2018-1000856 (DomainMOD version 4.09.03 and above. Also verified in the latest versi ...) NOT-FOR-US: DomainMOD CVE-2018-1000855 (easymon version 1.4 and earlier contains a Cross Site Scripting (XSS) ...) NOT-FOR-US: easymon CVE-2018-1000854 (esigate.org esigate version 5.2 and earlier contains a CWE-74: Imprope ...) NOT-FOR-US: esigate CVE-2018-1000852 (FreeRDP FreeRDP 2.0.0-rc3 released version before commit 205c612820dac ...) - freerdp2 2.0.0~git20181120.1.e21b72c95+dfsg1-1 - freerdp (Vulnerable code not present) NOTE: https://github.com/FreeRDP/FreeRDP/issues/4866 NOTE: https://github.com/FreeRDP/FreeRDP/pull/4871 NOTE: https://github.com/FreeRDP/FreeRDP/commit/baee520e3dd9be6511c45a14c5f5e77784de1471 CVE-2018-1000851 (Copay Bitcoin Wallet version 5.01 to 5.1.0 included. contains a Other/ ...) NOT-FOR-US: Copay Bitcoin Wallet CVE-2018-1000850 (Square Retrofit version versions from (including) 2.0 and 2.5.0 (exclu ...) NOT-FOR-US: Square Retrofit CVE-2018-1000849 (Alpine Linux version Versions prior to 2.6.10, 2.7.6, and 2.10.1 conta ...) NOT-FOR-US: Alpine Linux CVE-2018-1000848 (Wampserver version prior to version 3.1.5 contains a Cross Site Script ...) NOT-FOR-US: Wampserver CVE-2018-1000847 (FreshDNS version 1.0.3 and prior contains a Cross Site Scripting (XSS) ...) NOT-FOR-US: FreshDNS CVE-2018-1000846 (FreshDNS version 1.0.3 and earlier contains a Cross ite Request Forger ...) NOT-FOR-US: FreshDNS CVE-2018-1000845 REJECTED CVE-2018-1000844 (Square Open Source Retrofit version Prior to commit 4a693c5aeeef2be6c7 ...) NOT-FOR-US: Square Retrofit CVE-2018-1000843 (Luigi version prior to version 2.8.0; after commit 53b52e12745075a8acc ...) NOT-FOR-US: Luigi CVE-2018-1000842 (FatFreeCRM version <=0.14.1, >=0.15.0 <=0.15.1, >=0.16.0 & ...) NOT-FOR-US: FatFreeCRM CVE-2018-1000841 (Zend.To version Prior to 5.15-1 contains a Cross Site Scripting (XSS) ...) NOT-FOR-US: Zend.To CVE-2018-1000840 (Processing Foundation Processing version 3.4 and earlier contains a XM ...) NOT-FOR-US: Processing Foundation Processing CVE-2018-1000839 (LH-EHR version REL-2_0_0 contains a Arbitrary File Upload vulnerabilit ...) NOT-FOR-US: LH-EHR CVE-2018-1000838 (autopsy version <= 4.9.0 contains a XML External Entity (XXE) vulne ...) - autopsy (The ancient version in Debian predates the Java rewrite) CVE-2018-1000837 (UML Designer version <= 8.0.0 contains a XML External Entity (XXE) ...) NOT-FOR-US: UML designer CVE-2018-1000836 (bw-calendar-engine version <= bw-calendar-engine-3.12.0 contains a ...) NOT-FOR-US: bw-calendar-engine CVE-2018-1000835 (KeePassDX version <= 2.5.0.0beta17 contains a XML External Entity ( ...) NOT-FOR-US: KeePassDX CVE-2018-1000834 (runelite version <= runelite-parent-1.4.23 contains a XML External ...) NOT-FOR-US: runelite CVE-2018-1000833 (ZoneMinder version <= 1.32.2 contains a Other/Unknown vulnerability ...) [experimental] - zoneminder 1.32.3-1 - zoneminder 1.32.3-2 (bug #917024) NOTE: https://0dd.zone/2018/10/28/zoneminder-Object-Injection-2/ NOTE: https://github.com/ZoneMinder/zoneminder/issues/2272 NOTE: https://github.com/ZoneMinder/zoneminder/pull/2273 NOTE: https://github.com/ZoneMinder/zoneminder/commit/f790eacc92f687442ae24df7a48f54861a4518b3 (1.32.3) CVE-2018-1000832 (ZoneMinder version <= 1.32.2 contains a Other/Unknown vulnerability ...) [experimental] - zoneminder 1.32.3-1 - zoneminder 1.32.3-2 (bug #917024) NOTE: https://0dd.zone/2018/10/28/zoneminder-Object-Injection/ NOTE: https://github.com/ZoneMinder/zoneminder/issues/2271 NOTE: https://github.com/ZoneMinder/zoneminder/pull/2273 NOTE: https://github.com/ZoneMinder/zoneminder/commit/f790eacc92f687442ae24df7a48f54861a4518b3 (1.32.3) CVE-2018-1000831 (K9Mail version <= v5.600 contains a XML External Entity (XXE) vulne ...) NOT-FOR-US: K9Mail CVE-2018-1000830 (XR3Player version <= V3.124 contains a XML External Entity (XXE) vu ...) NOT-FOR-US: XR3Player CVE-2018-1000829 (Anyplace version before commit 80359b4 contains a XML External Entity ...) NOT-FOR-US: Anyplace navigation service CVE-2018-1000828 (FrostWire version <= frostwire-desktop-6.7.4-build-272 contains a X ...) NOT-FOR-US: FrostWire CVE-2018-1000827 (Ubilling version <= 0.9.2 contains a Other/Unknown vulnerability in ...) NOT-FOR-US: Ubilling CVE-2018-1000826 (Microweber version <= 1.0.7 contains a Cross Site Scripting (XSS) v ...) NOT-FOR-US: Microweber CVE-2018-1000825 (FreeCol version <= nightly-2018-08-22 contains a XML External Entit ...) - freecol 0.11.6+dfsg2-3 (bug #917023; low) [buster] - freecol (Minor issue) [stretch] - freecol (Minor issue) [jessie] - freecol (Games are not supported) NOTE: https://github.com/FreeCol/freecol/issues/26 NOTE: https://github.com/FreeCol/freecol/commit/8963506897e3270a75b062f28486934bcb79b1e3 CVE-2018-1000824 (MegaMek version < v0.45.1 contains a Other/Unknown vulnerability in ...) NOT-FOR-US: MegaMek CVE-2018-1000823 (exist version <= 5.0.0-RC4 contains a XML External Entity (XXE) vul ...) NOT-FOR-US: eXist DB CVE-2018-1000822 (codelibs fess version before commit faa265b contains a XML External En ...) NOT-FOR-US: codelibs fess CVE-2018-1000821 (MicroMathematics version before commit 5c05ac8 contains a XML External ...) NOT-FOR-US: MicroMathematics CVE-2018-1000820 (neo4j-contrib neo4j-apoc-procedures version before commit 45bc09c cont ...) NOT-FOR-US: neo4j-apoc-procedures CVE-2018-1000817 (Asset Pipeline Grails Plugin Asset-pipeline plugin version Prior to 2. ...) NOT-FOR-US: Asset Pipeline Grails Plugin CVE-2018-1000816 (Grafana version confirmed for 5.2.4 and 5.3.0 contains a Cross Site Sc ...) - grafana NOTE: https://github.com/grafana/grafana/issues/13667 CVE-2018-1000815 (Brave Software Inc. Brave version version 0.22.810 to 0.24.0 contains ...) NOT-FOR-US: Brave Software Inc. Brave CVE-2018-1000814 (aio-libs aiohttp-session version 2.6.0 and earlier contains a Other/Un ...) NOT-FOR-US: aio-libs aiohttp-session CVE-2018-1000813 (Backdrop CMS version 1.11.0 and earlier contains a Cross Site Scriptin ...) - backdrop (bug #914257) CVE-2018-1000812 (Artica Integria IMS version 5.0 MR56 Package 58, likely earlier versio ...) NOT-FOR-US: Integria IMS CVE-2018-1000811 (bludit version 3.0.0 contains a Unrestricted Upload of File with Dange ...) NOT-FOR-US: bludit CVE-2018-20307 (Pulse Secure Virtual Traffic Manager 9.9 versions prior to 9.9r2 and 1 ...) NOT-FOR-US: Pulse Secure Virtual Traffic Manager CVE-2018-20306 (A stored cross-site scripting (XSS) vulnerability in the web administr ...) NOT-FOR-US: Pulse Secure Virtual Traffic Manager CVE-2018-20305 (D-Link DIR-816 A2 1.10 B05 devices allow arbitrary remote code executi ...) NOT-FOR-US: D-Link CVE-2018-20304 (wbook_addworksheet in workbook.c in libexcel.a in libexcel 0.01 allows ...) NOT-FOR-US: libexcel CVE-2018-20303 (In pkg/tool/path.go in Gogs before 0.11.82.1218, a directory traversal ...) NOT-FOR-US: Go Git Service CVE-2018-20302 (An XSS issue was discovered in Steve Pallen Xain before 0.6.2 via the ...) NOT-FOR-US: Steve Pallen Xain CVE-2018-20301 (An issue was discovered in Steve Pallen Coherence before 0.5.2 that is ...) NOT-FOR-US: Steve Pallen Coherence CVE-2018-20300 (Empire CMS 7.5 allows remote attackers to execute arbitrary PHP code v ...) NOT-FOR-US: Empire CMS CVE-2018-20299 (An issue was discovered in several Bosch Smart Home cameras (360 degre ...) NOT-FOR-US: Bosch Smart Home cameras CVE-2019-3408 RESERVED CVE-2019-3407 RESERVED CVE-2019-3406 RESERVED CVE-2019-3405 RESERVED CVE-2019-3404 (By adding some special fields to the uri ofrouter app function, the us ...) NOT-FOR-US: ofrouter CVE-2019-3403 (The /rest/api/2/user/picker rest resource in Jira before version 7.13. ...) NOT-FOR-US: Atlassian Jira CVE-2019-3402 (The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 a ...) NOT-FOR-US: Atlassian Jira CVE-2019-3401 (The ManageFilters.jspa resource in Jira before version 7.13.3 and from ...) NOT-FOR-US: Atlassian Jira CVE-2019-3400 (The labels gadget in Jira before version 7.13.2, and from version 8.0. ...) NOT-FOR-US: Atlassian CVE-2019-3399 (The BrowseProjects.jspa resource in Jira before version 7.13.2, and fr ...) NOT-FOR-US: Atlassian CVE-2019-3398 (Confluence Server and Data Center had a path traversal vulnerability i ...) NOT-FOR-US: Confluence Server and Data Center CVE-2019-3397 (Atlassian Bitbucket Data Center licensed instances starting with versi ...) NOT-FOR-US: Atlassian CVE-2019-3396 (The Widget Connector macro in Atlassian Confluence Server before versi ...) NOT-FOR-US: Atlassian Confluence Server CVE-2019-3395 (The WebDAV endpoint in Atlassian Confluence Server and Data Center bef ...) NOT-FOR-US: Atlassian Confluence Server CVE-2019-3394 (There was a local file disclosure vulnerability in Confluence Server a ...) NOT-FOR-US: Confluence CVE-2018-20298 (S3 Browser before 8.1.5 contains an XML external entity (XXE) vulnerab ...) NOT-FOR-US: S3 Browser CVE-2018-20297 RESERVED CVE-2018-20296 RESERVED CVE-2018-20295 RESERVED CVE-2018-20294 RESERVED CVE-2018-20293 RESERVED CVE-2018-20292 RESERVED CVE-2018-20291 RESERVED CVE-2018-20290 RESERVED CVE-2018-20289 RESERVED CVE-2018-20288 RESERVED CVE-2018-20287 RESERVED CVE-2018-20286 RESERVED CVE-2018-20285 RESERVED CVE-2018-20284 RESERVED CVE-2018-20283 RESERVED CVE-2018-20282 RESERVED CVE-2018-20281 RESERVED CVE-2018-20280 RESERVED CVE-2018-20279 RESERVED CVE-2018-20278 RESERVED CVE-2018-20277 RESERVED CVE-2018-20276 RESERVED CVE-2018-20275 RESERVED CVE-2018-20274 RESERVED CVE-2018-20273 RESERVED CVE-2018-20272 RESERVED CVE-2018-20271 RESERVED CVE-2018-20270 RESERVED CVE-2018-20269 RESERVED CVE-2018-20268 RESERVED CVE-2018-20267 RESERVED CVE-2018-20266 RESERVED CVE-2018-20265 RESERVED CVE-2018-20264 RESERVED CVE-2018-20263 RESERVED CVE-2018-20262 RESERVED CVE-2018-20261 RESERVED CVE-2018-20260 RESERVED CVE-2018-20259 RESERVED CVE-2018-20258 RESERVED CVE-2018-20257 RESERVED CVE-2018-20256 RESERVED CVE-2018-20255 RESERVED CVE-2018-20254 RESERVED CVE-2018-20253 (In WinRAR versions prior to and including 5.60, There is an out-of-bou ...) NOT-FOR-US: WinRAR CVE-2018-20252 (In WinRAR versions prior to and including 5.60, there is an out-of-bou ...) NOT-FOR-US: WinRAR CVE-2018-20251 (In WinRAR versions prior to and including 5.61, there is path traversa ...) NOT-FOR-US: WinRAR CVE-2018-20250 (In WinRAR versions prior to and including 5.61, There is path traversa ...) NOT-FOR-US: WinRAR CVE-2018-20249 (In Foxit Quick PDF Library (all versions prior to 16.12), issue where ...) NOT-FOR-US: Foxit Quick PDF Library CVE-2018-20248 (In Foxit Quick PDF Library (all versions prior to 16.12), issue where ...) NOT-FOR-US: Foxit Quick PDF Library CVE-2018-20247 (In Foxit Quick PDF Library (all versions prior to 16.12), issue where ...) NOT-FOR-US: Foxit Quick PDF Library CVE-2018-20246 REJECTED CVE-2018-20245 (The LDAP auth backend (airflow.contrib.auth.backends.ldap_auth) prior ...) - airflow (bug #819700) CVE-2018-20244 (In Apache Airflow before 1.10.2, a malicious admin user could edit the ...) - airflow (bug #819700) CVE-2018-20243 RESERVED CVE-2018-20242 (A carefully crafted URL could trigger an XSS vulnerability on Apache J ...) - jspwiki CVE-2018-20241 (The Edit upload resource for a review in Atlassian Fisheye and Crucibl ...) NOT-FOR-US: Atlassian CVE-2018-20240 (The administrative linker functionality in Atlassian Fisheye and Cruci ...) NOT-FOR-US: Atlassian CVE-2018-20239 (Application Links before version 5.0.11, from version 5.1.0 before 5.2 ...) NOT-FOR-US: Atlassian CVE-2018-20238 (Various rest resources in Atlassian Crowd before version 3.2.7 and fro ...) NOT-FOR-US: Atlassian CVE-2018-20237 (Atlassian Confluence Server and Data Center before version 6.13.1 allo ...) NOT-FOR-US: Atlassian CVE-2018-20236 (There was an command injection vulnerability in Sourcetree for Windows ...) NOT-FOR-US: Atlassian Sourcetree CVE-2018-20235 (There was an argument injection vulnerability in Atlassian Sourcetree ...) NOT-FOR-US: Atlassian Sourcetree CVE-2018-20234 (There was an argument injection vulnerability in Atlassian Sourcetree ...) NOT-FOR-US: Atlassian Sourcetree CVE-2018-20233 (The Upload add-on resource in Atlassian Universal Plugin Manager befor ...) NOT-FOR-US: Atlassian CVE-2018-20232 (The labels widget gadget in Atlassian Jira before version 7.6.11 and f ...) NOT-FOR-US: Atlassian CVE-2018-20231 (Cross Site Request Forgery (CSRF) in the two-factor-authentication plu ...) NOT-FOR-US: two-factor-authentication plugin for WordPress CVE-2018-20230 (An issue was discovered in PSPP 1.2.0. There is a heap-based buffer ov ...) - pspp 1.2.0-3 (bug #916902) [stretch] - pspp (Minor issue) [jessie] - pspp (Crash cannot be observed under normal conditions) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1660318 NOTE: https://git.savannah.gnu.org/cgit/pspp.git/commit/?id=abd1f816ca3b4f382bddf4564ad092aa934f0ccc CVE-2018-20229 (GitLab Community and Enterprise Edition before 11.3.14, 11.4.x before ...) - gitlab 11.5.5+dfsg-1 NOTE: https://about.gitlab.com/2018/12/20/critical-security-release-gitlab-11-dot-5-dot-5-released/ CVE-2018-20228 (Subsonic V6.1.5 allows internetRadioSettings.view streamUrl CSRF, with ...) NOT-FOR-US: Subsonic CVE-2018-20227 (RDF4J 2.4.2 allows Directory Traversal via ../ in an entry in a ZIP ar ...) NOT-FOR-US: RDF4J CVE-2018-20226 (An organization administrator can add a super administrator in THEHIVE ...) NOT-FOR-US: THEHIVE CVE-2018-20225 (** DISPUTED ** An issue was discovered in pip (all versions) because i ...) - python-pip (unimportant) NOTE: https://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html NOTE: pip is inherently affected by malicious packages, use packages from Debian instead :-) CVE-2018-20224 RESERVED CVE-2018-20223 RESERVED CVE-2018-20222 (XXE issue in Airsonic before 10.1.2 during parse. ...) NOT-FOR-US: Airsonic CVE-2018-20221 (Secure/SAService.rem in Deltek Ajera Timesheets 9.10.16 and prior are ...) NOT-FOR-US: Deltek CVE-2018-20220 (An issue was discovered on Teracue ENC-400 devices with firmware 2.56 ...) NOT-FOR-US: Teracue ENC-400 devices CVE-2018-20219 (An issue was discovered on Teracue ENC-400 devices with firmware 2.56 ...) NOT-FOR-US: Teracue ENC-400 devices CVE-2018-20218 (An issue was discovered on Teracue ENC-400 devices with firmware 2.56 ...) NOT-FOR-US: Teracue ENC-400 devices CVE-2018-20217 (A Reachable Assertion issue was discovered in the KDC in MIT Kerberos ...) {DLA-1643-1} - krb5 1.16.2-1 (low; bug #917387) [stretch] - krb5 (Minor issue) NOTE: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763 NOTE: https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086 CVE-2018-20216 (QEMU can have an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c becaus ...) - qemu 1:4.1-1 (unimportant) [stretch] - qemu (Vulnerable code not present) [jessie] - qemu (Vulnerable code not present) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg03052.html NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=f1e2e38ee0136b7710a2caa347049818afd57a1b NOTE: PVRDMA support not enabled in the binary packages until 1:3.1+dfsg-3, disabled again in 1:3.1+dfsg-4 CVE-2018-20215 RESERVED CVE-2018-20214 RESERVED CVE-2018-20213 (wbook_addworksheet in workbook.c in libexcel.a in libexcel 0.01 allows ...) NOT-FOR-US: libexcel CVE-2018-20212 (bin/statistics in TWiki 6.0.2 allows cross-site scripting (XSS) via th ...) - twiki CVE-2018-20211 (ExifTool 8.32 allows local users to gain privileges by creating a %TEM ...) NOT-FOR-US: Report for a Windows-specific flaw in a vintage version of libimage-exiftool-perl CVE-2018-20210 RESERVED CVE-2018-20209 RESERVED CVE-2018-20208 RESERVED CVE-2018-20207 RESERVED CVE-2018-20206 RESERVED CVE-2018-20205 RESERVED CVE-2018-20204 RESERVED CVE-2018-20203 RESERVED CVE-2018-20202 RESERVED CVE-2018-20201 (There is a stack-based buffer over-read in the jsfNameFromString funct ...) NOT-FOR-US: Espruino 2V00 CVE-2018-20200 (** DISPUTED ** CertificatePinner.java in OkHttp 3.x through 3.12.0 all ...) - libokhttp-java (unimportant) NOTE: https://github.com/square/okhttp/issues/4967 NOTE: No practicable security imapacting relevance CVE-2018-20199 (A NULL pointer dereference was discovered in ifilter_bank of libfaad/f ...) {DLA-1899-1} - faad2 2.8.8-3.1 (low) [buster] - faad2 (Minor issue) [stretch] - faad2 (Minor issue) NOTE: https://github.com/knik0/faad2/issues/24 NOTE: https://github.com/knik0/faad2/commit/3b80a57483a6bc822d3ce3cc640fa81737a87c54 CVE-2018-20198 (A NULL pointer dereference was discovered in ifilter_bank of libfaad/f ...) {DSA-4522-1 DLA-1791-1} - faad2 2.8.8-2 (low) NOTE: https://github.com/knik0/faad2/issues/23 NOTE: same underlying issue as CVE-2018-20362, same fix: NOTE: https://github.com/knik0/faad2/commit/466b01d504d7e45 CVE-2018-20197 (There is a stack-based buffer underflow in the third instance of the c ...) {DSA-4522-1 DLA-1791-1} - faad2 2.8.8-2 NOTE: https://github.com/knik0/faad2/issues/20 NOTE: very similar to CVE-2018-20194, same fix: NOTE: https://github.com/knik0/faad2/commit/6b4a7cde30f2e2c CVE-2018-20196 (There is a stack-based buffer overflow in the third instance of the ca ...) {DLA-1899-1} - faad2 2.8.8-3.1 (low) [buster] - faad2 (Minor issue) [stretch] - faad2 (Minor issue) NOTE: https://github.com/knik0/faad2/issues/19 NOTE: https://github.com/knik0/faad2/commit/6aeeaa1af0caf986daf22852a97f7c13c5edd879 CVE-2018-20195 (A NULL pointer dereference was discovered in ic_predict of libfaad/ic_ ...) {DSA-4522-1} - faad2 2.8.8-2 (low) [jessie] - faad2 2.7-8+deb8u2 NOTE: https://github.com/knik0/faad2/issues/25 NOTE: https://github.com/knik0/faad2/commit/466b01d504d7e45f1e9169ac90b3e34ab94aed14 CVE-2018-20194 (There is a stack-based buffer underflow in the third instance of the c ...) {DSA-4522-1 DLA-1791-1} - faad2 2.8.8-2 NOTE: https://github.com/knik0/faad2/issues/21 NOTE: https://github.com/knik0/faad2/commit/6b4a7cde30f2e2c CVE-2018-20193 (Certain Secure Access SA Series SSL VPN products (originally developed ...) NOT-FOR-US: Juniper CVE-2018-20192 RESERVED CVE-2018-20191 (hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a read operation ...) - qemu 1:4.1-1 (unimportant) [stretch] - qemu (Vulnerable code not present) [jessie] - qemu (Vulnerable code not present) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg03066.html NOTE: PVRDMA support not enabled in the binary packages until 1:3.1+dfsg-3, disabled again in 1:3.1+dfsg-4 CVE-2018-20190 (In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Eva ...) - libsass 3.5.5-4 (low) [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/2786 CVE-2018-20189 (In GraphicsMagick 1.3.31, the ReadDIBImage function of coders/dib.c ha ...) {DLA-1619-1} - graphicsmagick 1.4~hg15873-1 (bug #916752) [stretch] - graphicsmagick 1.3.30+hg15796-1~deb9u3 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/648e2b406589 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/585/ CVE-2018-20188 (FUEL CMS 1.4.3 has CSRF via users/create/ to add an administrator acco ...) NOT-FOR-US: FUEL CMS CVE-2018-20187 (A side-channel issue was discovered in Botan before 2.9.0. An attacker ...) [experimental] - botan 2.9.0-1 - botan 2.9.0-2 (bug #918732) - botan1.10 (Vulnerable code introduced in 1.11.20) NOTE: https://github.com/randombit/botan/pull/1792 NOTE: https://github.com/randombit/botan/commit/70aa7303acfff9eefc24598c289a84db3579ebd1 CVE-2018-20186 (An issue was discovered in Bento4 1.5.1-627. AP4_Sample::ReadData in C ...) NOT-FOR-US: Bento4 CVE-2018-20185 (In GraphicsMagick 1.4 snapshot-20181209 Q8 on 32-bit platforms, there ...) {DLA-1619-1} - graphicsmagick 1.4~hg15880-1 (bug #916719) [stretch] - graphicsmagick 1.3.30+hg15796-1~deb9u3 NOTE: Partial fix: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/648e3977a293 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/582/ NOTE: Partial fix adressed in 1.4~hg15873-1, but according to maintainer not yet NOTE: complete: Cf. https://bugs.debian.org/916719#15 NOTE: Fix causes more issues: https://bugzilla.suse.com/show_bug.cgi?id=1119823#c1 NOTE: Followup: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/c38fc0e3e465 CVE-2018-20184 (In GraphicsMagick 1.4 snapshot-20181209 Q8, there is a heap-based buff ...) {DLA-1619-1} - graphicsmagick 1.4~hg15873-1 (bug #916721) [stretch] - graphicsmagick 1.3.30+hg15796-1~deb9u3 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/15d1b5fd003b NOTE: Upstream patch contains unrelated refactoring, trimmed down version available on NOTE: the Debian bug report: https://bugs.debian.org/916721#15 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/583/ CVE-2018-20183 RESERVED CVE-2018-20182 (rdesktop versions up to and including v1.8.3 contain a Buffer Overflow ...) {DSA-4394-1 DLA-1683-1} - rdesktop 1.8.4-1 NOTE: https://github.com/rdesktop/rdesktop/commit/766ebcf6f23ccfe8323ac10242ae6e127d4505d2 (v1.8.4) CVE-2018-20181 (rdesktop versions up to and including v1.8.3 contain an Integer Underf ...) {DSA-4394-1 DLA-1683-1} - rdesktop 1.8.4-1 NOTE: https://github.com/rdesktop/rdesktop/commit/766ebcf6f23ccfe8323ac10242ae6e127d4505d2 (v1.8.4) CVE-2018-20180 (rdesktop versions up to and including v1.8.3 contain an Integer Underf ...) {DSA-4394-1 DLA-1683-1} - rdesktop 1.8.4-1 NOTE: https://github.com/rdesktop/rdesktop/commit/766ebcf6f23ccfe8323ac10242ae6e127d4505d2 (v1.8.4) CVE-2018-20179 (rdesktop versions up to and including v1.8.3 contain an Integer Underf ...) {DSA-4394-1 DLA-1683-1} - rdesktop 1.8.4-1 NOTE: https://github.com/rdesktop/rdesktop/commit/766ebcf6f23ccfe8323ac10242ae6e127d4505d2 (v1.8.4) CVE-2018-20178 (rdesktop versions up to and including v1.8.3 contain an Out-Of-Bounds ...) {DSA-4394-1 DLA-1683-1} - rdesktop 1.8.4-1 NOTE: https://github.com/rdesktop/rdesktop/commit/766ebcf6f23ccfe8323ac10242ae6e127d4505d2 (v1.8.4) CVE-2018-20177 (rdesktop versions up to and including v1.8.3 contain an Integer Overfl ...) {DSA-4394-1 DLA-1683-1} - rdesktop 1.8.4-1 NOTE: https://github.com/rdesktop/rdesktop/commit/766ebcf6f23ccfe8323ac10242ae6e127d4505d2 (v1.8.4) CVE-2018-20176 (rdesktop versions up to and including v1.8.3 contain several Out-Of- B ...) {DSA-4394-1 DLA-1683-1} - rdesktop 1.8.4-1 NOTE: https://github.com/rdesktop/rdesktop/commit/766ebcf6f23ccfe8323ac10242ae6e127d4505d2 (v1.8.4) CVE-2018-20175 (rdesktop versions up to and including v1.8.3 contains several Integer ...) {DSA-4394-1 DLA-1683-1} - rdesktop 1.8.4-1 NOTE: https://github.com/rdesktop/rdesktop/commit/766ebcf6f23ccfe8323ac10242ae6e127d4505d2 (v1.8.4) CVE-2018-20174 (rdesktop versions up to and including v1.8.3 contain an Out-Of-Bounds ...) {DSA-4394-1 DLA-1683-1} - rdesktop 1.8.4-1 NOTE: https://github.com/rdesktop/rdesktop/commit/766ebcf6f23ccfe8323ac10242ae6e127d4505d2 (v1.8.4) CVE-2018-20173 (Zoho ManageEngine OpManager 12.3 before 123238 allows SQL injection vi ...) NOT-FOR-US: Zoho ManageEngine OpManager CVE-2018-20346 (SQLite before 3.25.3, when the FTS3 extension is enabled, encounters a ...) {DSA-4352-1 DLA-1613-1} - sqlite3 3.25.3-1 [stretch] - sqlite3 (Minor issue) - chromium 71.0.3578.80-1 NOTE: https://blade.tencent.com/magellan/index_en.html NOTE: RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1659379 NOTE: Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1659677 NOTE: Fedora patch: https://src.fedoraproject.org/rpms/sqlite/c/d8da047b90b7eff583c50bf7fa7dc3bc37414249?branch=f28 NOTE: https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg113218.html NOTE: Upstream change: https://www.sqlite.org/src/info/940f2adc8541a838 CVE-2018-20172 (An issue was discovered in Nagios XI before 5.5.8. The rss_url paramet ...) NOT-FOR-US: Nagios XI CVE-2018-20171 (An issue was discovered in Nagios XI before 5.5.8. The url parameter o ...) NOT-FOR-US: Nagios XI CVE-2018-20170 (** DISPUTED ** OpenStack Keystone through 14.0.1 has a user enumeratio ...) NOT-FOR-US: Disputed issue in Keystone, no need to track for src:keystone CVE-2018-20169 (An issue was discovered in the Linux kernel before 4.19.9. The USB sub ...) {DLA-1771-1 DLA-1731-1} - linux 4.19.9-1 [stretch] - linux 4.9.161-1 NOTE: https://git.kernel.org/linus/704620afc70cf47abb9d6a1a57f3825d2bca49cf CVE-2018-20168 (Google gVisor before 2018-08-22 reuses a pagetable in a different leve ...) NOT-FOR-US: gVisor CVE-2018-20166 (A file-upload vulnerability exists in Rukovoditel 2.3.1. index.php?mod ...) NOT-FOR-US: Rukovoditel CVE-2017-18355 (Installed packages are exposed by node_modules in Rendertron 1.0.0, al ...) NOT-FOR-US: Rendertron CVE-2017-18354 (Rendertron 1.0.0 allows for alternative protocols such as 'file://' in ...) NOT-FOR-US: Rendertron CVE-2017-18353 (Rendertron 1.0.0 includes an _ah/stop route to shutdown the Chrome ins ...) NOT-FOR-US: Rendertron CVE-2017-18352 (Error reporting within Rendertron 1.0.0 allows reflected Cross Site Sc ...) NOT-FOR-US: Rendertron CVE-2018-20167 (Terminology before 1.3.1 allows Remote Code Execution because popmedia ...) - terminology 1.3.1-1 (bug #916630) [jessie] - terminology (vulnerable code is not present) NOTE: https://phab.enlightenment.org/T7504 NOTE: https://git.enlightenment.org/apps/terminology.git/commit/?id=1ac204da9148e7bccb1b5f34b523e2094dfc39e2 CVE-2018-20165 (Cross-site scripting (XSS) vulnerability in OpenText Portal 7.4.4 allo ...) NOT-FOR-US: OpenText Portal CVE-2018-20164 (An issue was discovered in regex.yaml (aka regexes.yaml) in UA-Parser ...) - uap-core 20190213-1 (bug #922717) NOTE: https://github.com/ua-parser/uap-core/commit/010ccdc7303546cd22b9da687c29f4a996990014 NOTE: https://github.com/ua-parser/uap-core/commit/156f7e12b215bddbaf3df4514c399d683e6cdadc NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-009-uaparser/ CVE-2018-20163 RESERVED CVE-2018-20162 (Digi TransPort LR54 4.4.0.26 and possible earlier devices have Imprope ...) NOT-FOR-US: Digi TransPort CVE-2018-20161 (A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.1 ...) NOT-FOR-US: BlinkForHome (aka Blink For Home) Sync Module CVE-2018-20160 (ZxChat (aka ZeXtras Chat), as used for zimbra-chat and zimbra-talk in ...) NOT-FOR-US: ZxChat CVE-2018-20159 (i-doit open 1.11.2 allows Remote Code Execution because ZIP archives a ...) NOT-FOR-US: i-doit CVE-2018-20158 RESERVED CVE-2018-20157 (The data import functionality in OpenRefine through 3.1 allows an XML ...) NOT-FOR-US: OpenRefine CVE-2018-20156 (The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remot ...) NOT-FOR-US: WordPress plugin wp-maintenance-mode CVE-2018-20155 (The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remot ...) NOT-FOR-US: WordPress plugin wp-maintenance-mode CVE-2018-20154 (The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remot ...) NOT-FOR-US: WordPress plugin wp-maintenance-mode CVE-2019-3393 RESERVED CVE-2019-3392 RESERVED CVE-2019-3391 RESERVED CVE-2019-3390 RESERVED CVE-2019-3389 RESERVED CVE-2019-3388 RESERVED CVE-2019-3387 RESERVED CVE-2019-3386 RESERVED CVE-2019-3385 RESERVED CVE-2019-3384 RESERVED CVE-2019-3383 RESERVED CVE-2019-3382 RESERVED CVE-2019-3381 RESERVED CVE-2019-3380 RESERVED CVE-2019-3379 RESERVED CVE-2019-3378 RESERVED CVE-2019-3377 RESERVED CVE-2019-3376 RESERVED CVE-2019-3375 RESERVED CVE-2019-3374 RESERVED CVE-2019-3373 RESERVED CVE-2019-3372 RESERVED CVE-2019-3371 RESERVED CVE-2019-3370 RESERVED CVE-2019-3369 RESERVED CVE-2019-3368 RESERVED CVE-2019-3367 RESERVED CVE-2019-3366 RESERVED CVE-2019-3365 RESERVED CVE-2019-3364 RESERVED CVE-2019-3363 RESERVED CVE-2019-3362 RESERVED CVE-2019-3361 RESERVED CVE-2019-3360 RESERVED CVE-2019-3359 RESERVED CVE-2019-3358 RESERVED CVE-2019-3357 RESERVED CVE-2019-3356 RESERVED CVE-2019-3355 RESERVED CVE-2019-3354 RESERVED CVE-2019-3353 RESERVED CVE-2019-3352 RESERVED CVE-2019-3351 RESERVED CVE-2019-3350 RESERVED CVE-2019-3349 RESERVED CVE-2019-3348 RESERVED CVE-2019-3347 RESERVED CVE-2019-3346 RESERVED CVE-2019-3345 RESERVED CVE-2019-3344 RESERVED CVE-2019-3343 RESERVED CVE-2019-3342 RESERVED CVE-2019-3341 RESERVED CVE-2019-3340 RESERVED CVE-2019-3339 RESERVED CVE-2019-3338 RESERVED CVE-2019-3337 RESERVED CVE-2019-3336 RESERVED CVE-2019-3335 RESERVED CVE-2019-3334 RESERVED CVE-2019-3333 RESERVED CVE-2019-3332 RESERVED CVE-2019-3331 RESERVED CVE-2019-3330 RESERVED CVE-2019-3329 RESERVED CVE-2019-3328 RESERVED CVE-2019-3327 RESERVED CVE-2019-3326 RESERVED CVE-2019-3325 RESERVED CVE-2019-3324 RESERVED CVE-2019-3323 RESERVED CVE-2019-3322 RESERVED CVE-2019-3321 RESERVED CVE-2019-3320 RESERVED CVE-2019-3319 RESERVED CVE-2019-3318 RESERVED CVE-2019-3317 RESERVED CVE-2019-3316 RESERVED CVE-2019-3315 RESERVED CVE-2019-3314 RESERVED CVE-2019-3313 RESERVED CVE-2019-3312 RESERVED CVE-2019-3311 RESERVED CVE-2019-3310 RESERVED CVE-2019-3309 RESERVED - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-3308 RESERVED CVE-2019-3307 RESERVED CVE-2019-3306 RESERVED CVE-2019-3305 RESERVED CVE-2019-3304 RESERVED CVE-2019-3303 RESERVED CVE-2019-3302 RESERVED CVE-2019-3301 RESERVED CVE-2019-3300 RESERVED CVE-2019-3299 RESERVED CVE-2019-3298 RESERVED CVE-2019-3297 RESERVED CVE-2019-3296 RESERVED CVE-2019-3295 RESERVED CVE-2019-3294 RESERVED CVE-2019-3293 RESERVED CVE-2019-3292 RESERVED CVE-2019-3291 RESERVED CVE-2019-3290 RESERVED CVE-2019-3289 RESERVED CVE-2019-3288 RESERVED CVE-2019-3287 RESERVED CVE-2019-3286 RESERVED CVE-2019-3285 RESERVED CVE-2019-3284 RESERVED CVE-2019-3283 RESERVED CVE-2019-3282 RESERVED CVE-2019-3281 RESERVED CVE-2019-3280 RESERVED CVE-2019-3279 RESERVED CVE-2019-3278 RESERVED CVE-2019-3277 RESERVED CVE-2019-3276 RESERVED CVE-2019-3275 RESERVED CVE-2019-3274 RESERVED CVE-2019-3273 RESERVED CVE-2019-3272 RESERVED CVE-2019-3271 RESERVED CVE-2019-3270 RESERVED CVE-2019-3269 RESERVED CVE-2019-3268 RESERVED CVE-2019-3267 RESERVED CVE-2019-3266 RESERVED CVE-2019-3265 RESERVED CVE-2019-3264 RESERVED CVE-2019-3263 RESERVED CVE-2019-3262 RESERVED CVE-2019-3261 RESERVED CVE-2019-3260 RESERVED CVE-2019-3259 RESERVED CVE-2019-3258 RESERVED CVE-2019-3257 RESERVED CVE-2019-3256 RESERVED CVE-2019-3255 RESERVED CVE-2019-3254 RESERVED CVE-2019-3253 RESERVED CVE-2019-3252 RESERVED CVE-2019-3251 RESERVED CVE-2019-3250 RESERVED CVE-2019-3249 RESERVED CVE-2019-3248 RESERVED CVE-2019-3247 RESERVED CVE-2019-3246 RESERVED CVE-2019-3245 RESERVED CVE-2019-3244 RESERVED CVE-2019-3243 RESERVED CVE-2019-3242 RESERVED CVE-2019-3241 RESERVED CVE-2019-3240 RESERVED CVE-2019-3239 RESERVED CVE-2019-3238 RESERVED CVE-2019-3237 RESERVED CVE-2019-3236 RESERVED CVE-2019-3235 RESERVED CVE-2019-3234 RESERVED CVE-2019-3233 RESERVED CVE-2019-3232 RESERVED CVE-2019-3231 RESERVED CVE-2019-3230 RESERVED CVE-2019-3229 RESERVED CVE-2019-3228 RESERVED CVE-2019-3227 RESERVED CVE-2019-3226 RESERVED CVE-2019-3225 RESERVED CVE-2019-3224 RESERVED CVE-2019-3223 RESERVED CVE-2019-3222 RESERVED CVE-2019-3221 RESERVED CVE-2019-3220 RESERVED CVE-2019-3219 RESERVED CVE-2019-3218 RESERVED CVE-2019-3217 RESERVED CVE-2019-3216 RESERVED CVE-2019-3215 RESERVED CVE-2019-3214 RESERVED CVE-2019-3213 RESERVED CVE-2019-3212 RESERVED CVE-2019-3211 RESERVED CVE-2019-3210 RESERVED CVE-2019-3209 RESERVED CVE-2019-3208 RESERVED CVE-2019-3207 RESERVED CVE-2019-3206 RESERVED CVE-2019-3205 RESERVED CVE-2019-3204 RESERVED CVE-2019-3203 RESERVED CVE-2019-3202 RESERVED CVE-2019-3201 RESERVED CVE-2019-3200 RESERVED CVE-2019-3199 RESERVED CVE-2019-3198 RESERVED CVE-2019-3197 RESERVED CVE-2019-3196 RESERVED CVE-2019-3195 RESERVED CVE-2019-3194 RESERVED CVE-2019-3193 RESERVED CVE-2019-3192 RESERVED CVE-2019-3191 RESERVED CVE-2019-3190 RESERVED CVE-2019-3189 RESERVED CVE-2019-3188 RESERVED CVE-2019-3187 RESERVED CVE-2019-3186 RESERVED CVE-2019-3185 RESERVED CVE-2019-3184 RESERVED CVE-2019-3183 RESERVED CVE-2019-3182 RESERVED CVE-2019-3181 RESERVED CVE-2019-3180 RESERVED CVE-2019-3179 RESERVED CVE-2019-3178 RESERVED CVE-2019-3177 RESERVED CVE-2019-3176 RESERVED CVE-2019-3175 RESERVED CVE-2019-3174 RESERVED CVE-2019-3173 RESERVED CVE-2019-3172 RESERVED CVE-2019-3171 RESERVED CVE-2019-3170 RESERVED CVE-2019-3169 RESERVED CVE-2019-3168 RESERVED CVE-2019-3167 RESERVED CVE-2019-3166 RESERVED CVE-2019-3165 RESERVED CVE-2019-3164 RESERVED CVE-2019-3163 RESERVED CVE-2019-3162 RESERVED CVE-2019-3161 RESERVED CVE-2019-3160 RESERVED CVE-2019-3159 RESERVED CVE-2019-3158 RESERVED CVE-2019-3157 RESERVED CVE-2019-3156 RESERVED CVE-2019-3155 RESERVED CVE-2019-3154 RESERVED CVE-2019-3153 RESERVED CVE-2019-3152 RESERVED CVE-2019-3151 RESERVED CVE-2019-3150 RESERVED CVE-2019-3149 RESERVED CVE-2019-3148 RESERVED CVE-2019-3147 RESERVED CVE-2019-3146 RESERVED CVE-2019-3145 RESERVED CVE-2019-3144 RESERVED CVE-2019-3143 RESERVED CVE-2019-3142 RESERVED CVE-2019-3141 RESERVED CVE-2019-3140 RESERVED CVE-2019-3139 RESERVED CVE-2019-3138 RESERVED CVE-2019-3137 RESERVED CVE-2019-3136 RESERVED CVE-2019-3135 RESERVED CVE-2019-3134 RESERVED CVE-2019-3133 RESERVED CVE-2019-3132 RESERVED CVE-2019-3131 RESERVED CVE-2019-3130 RESERVED CVE-2019-3129 RESERVED CVE-2019-3128 RESERVED CVE-2019-3127 RESERVED CVE-2019-3126 RESERVED CVE-2019-3125 RESERVED CVE-2019-3124 RESERVED CVE-2019-3123 RESERVED CVE-2019-3122 RESERVED CVE-2019-3121 RESERVED CVE-2019-3120 RESERVED CVE-2019-3119 RESERVED CVE-2019-3118 RESERVED CVE-2019-3117 RESERVED CVE-2019-3116 RESERVED CVE-2019-3115 RESERVED CVE-2019-3114 RESERVED CVE-2019-3113 RESERVED CVE-2019-3112 RESERVED CVE-2019-3111 RESERVED CVE-2019-3110 RESERVED CVE-2019-3109 RESERVED CVE-2019-3108 RESERVED CVE-2019-3107 RESERVED CVE-2019-3106 RESERVED CVE-2019-3105 RESERVED CVE-2019-3104 RESERVED CVE-2019-3103 RESERVED CVE-2019-3102 RESERVED CVE-2019-3101 RESERVED CVE-2019-3100 RESERVED CVE-2019-3099 RESERVED CVE-2019-3098 RESERVED CVE-2019-3097 RESERVED CVE-2019-3096 RESERVED CVE-2019-3095 RESERVED CVE-2019-3094 RESERVED CVE-2019-3093 RESERVED CVE-2019-3092 RESERVED CVE-2019-3091 RESERVED CVE-2019-3090 RESERVED CVE-2019-3089 RESERVED CVE-2019-3088 RESERVED CVE-2019-3087 RESERVED CVE-2019-3086 RESERVED CVE-2019-3085 RESERVED CVE-2019-3084 RESERVED CVE-2019-3083 RESERVED CVE-2019-3082 RESERVED CVE-2019-3081 RESERVED CVE-2019-3080 RESERVED CVE-2019-3079 RESERVED CVE-2019-3078 RESERVED CVE-2019-3077 RESERVED CVE-2019-3076 RESERVED CVE-2019-3075 RESERVED CVE-2019-3074 RESERVED CVE-2019-3073 RESERVED CVE-2019-3072 RESERVED CVE-2019-3071 RESERVED CVE-2019-3070 RESERVED CVE-2019-3069 RESERVED CVE-2019-3068 RESERVED CVE-2019-3067 RESERVED CVE-2019-3066 RESERVED CVE-2019-3065 RESERVED CVE-2019-3064 RESERVED CVE-2019-3063 RESERVED CVE-2019-3062 RESERVED CVE-2019-3061 RESERVED CVE-2019-3060 RESERVED CVE-2019-3059 RESERVED CVE-2019-3058 RESERVED CVE-2019-3057 RESERVED CVE-2019-3056 RESERVED CVE-2019-3055 RESERVED CVE-2019-3054 RESERVED CVE-2019-3053 RESERVED CVE-2019-3052 RESERVED CVE-2019-3051 RESERVED CVE-2019-3050 RESERVED CVE-2019-3049 RESERVED CVE-2019-3048 RESERVED CVE-2019-3047 RESERVED CVE-2019-3046 RESERVED CVE-2019-3045 RESERVED CVE-2019-3044 RESERVED CVE-2019-3043 RESERVED CVE-2019-3042 RESERVED CVE-2019-3041 RESERVED CVE-2019-3040 RESERVED CVE-2019-3039 RESERVED CVE-2019-3038 RESERVED CVE-2019-3037 RESERVED CVE-2019-3036 RESERVED CVE-2019-3035 RESERVED CVE-2019-3034 RESERVED CVE-2019-3033 RESERVED CVE-2019-3032 RESERVED CVE-2019-3031 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.0.14-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-3030 RESERVED CVE-2019-3029 RESERVED CVE-2019-3028 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.0.14-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-3027 (Vulnerability in the Oracle Application Object Library product of Orac ...) NOT-FOR-US: Oracle CVE-2019-3026 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.0.14-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-3025 (Vulnerability in the Oracle Hospitality RES 3700 component of Oracle F ...) NOT-FOR-US: Oracle CVE-2019-3024 (Vulnerability in the Oracle Installed Base product of Oracle E-Busines ...) NOT-FOR-US: Oracle CVE-2019-3023 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2019-3022 (Vulnerability in the Oracle Content Manager product of Oracle E-Busine ...) NOT-FOR-US: Oracle CVE-2019-3021 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.0.14-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-3020 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle CVE-2019-3019 (Vulnerability in the Oracle Banking Digital Experience product of Orac ...) NOT-FOR-US: Oracle CVE-2019-3018 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-3017 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.0.14-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-3016 (In a Linux KVM guest that has PV TLB enabled, a process in the guest k ...) {DSA-4699-1} - linux 5.4.19-1 [stretch] - linux (Vulnerability introduced later) [jessie] - linux (Vulnerability introduced later) CVE-2019-3015 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2019-3014 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2019-3013 RESERVED CVE-2019-3012 (Vulnerability in the Oracle Business Intelligence Enterprise Edition p ...) NOT-FOR-US: Oracle CVE-2019-3011 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-3010 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) NOT-FOR-US: Oracle CVE-2019-3009 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-3008 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) NOT-FOR-US: Oracle CVE-2019-3007 RESERVED CVE-2019-3006 RESERVED CVE-2019-3005 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.0.14-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-3004 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-3003 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-3002 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.0.14-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-3001 (Vulnerability in the PeopleSoft Enterprise SCM eProcurement product of ...) NOT-FOR-US: Oracle CVE-2019-3000 (Vulnerability in the Oracle Marketing product of Oracle E-Business Sui ...) NOT-FOR-US: Oracle CVE-2019-2999 (Vulnerability in the Java SE product of Oracle Java SE (component: Jav ...) {DSA-4548-1 DSA-4546-1 DLA-2023-1} - openjdk-11 11.0.5+10-1 - openjdk-8 8u232-b09-1 - openjdk-7 CVE-2019-2998 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2997 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2996 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2019-2995 (Vulnerability in the Oracle Marketing product of Oracle E-Business Sui ...) NOT-FOR-US: Oracle CVE-2019-2994 (Vulnerability in the Oracle Marketing product of Oracle E-Business Sui ...) NOT-FOR-US: Oracle CVE-2019-2993 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (bug #942443) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL CVE-2019-2992 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DSA-4548-1 DSA-4546-1 DLA-2023-1} - openjdk-11 11.0.5+10-1 - openjdk-8 8u232-b09-1 - openjdk-7 CVE-2019-2991 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2990 (Vulnerability in the Oracle iStore product of Oracle E-Business Suite ...) NOT-FOR-US: Oracle CVE-2019-2989 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DSA-4548-1 DSA-4546-1 DLA-2023-1} - openjdk-11 11.0.5+10-1 - openjdk-8 8u232-b09-1 - openjdk-7 CVE-2019-2988 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DSA-4548-1 DSA-4546-1 DLA-2023-1} - openjdk-11 11.0.5+10-1 - openjdk-8 8u232-b09-1 - openjdk-7 CVE-2019-2987 (Vulnerability in the Java SE product of Oracle Java SE (component: 2D) ...) {DSA-4548-1 DSA-4546-1 DLA-2023-1} - openjdk-11 11.0.5+10-1 - openjdk-8 8u232-b09-1 CVE-2019-2986 (Vulnerability in the Oracle GraalVM Enterprise Edition product of Orac ...) NOT-FOR-US: Oracle CVE-2019-2985 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2019-2984 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.0.14-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2983 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DSA-4548-1 DSA-4546-1 DLA-2023-1} - openjdk-11 11.0.5+10-1 - openjdk-8 8u232-b09-1 - openjdk-7 CVE-2019-2982 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2981 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DSA-4548-1 DSA-4546-1 DLA-2023-1} - openjdk-11 11.0.5+10-1 - openjdk-8 8u232-b09-1 - openjdk-7 CVE-2019-2980 (Vulnerability in the Oracle FLEXCUBE Direct Banking product of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2979 (Vulnerability in the Oracle FLEXCUBE Direct Banking product of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2978 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DSA-4548-1 DSA-4546-1 DLA-2023-1} - openjdk-11 11.0.5+10-1 - openjdk-8 8u232-b09-1 - openjdk-7 CVE-2019-2977 (Vulnerability in the Java SE product of Oracle Java SE (component: Hot ...) {DSA-4546-1} - openjdk-11 11.0.5+10-1 CVE-2019-2976 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle CVE-2019-2975 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DSA-4548-1 DSA-4546-1} - openjdk-11 11.0.5+10-1 - openjdk-8 8u232-b09-1 CVE-2019-2974 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mariadb-10.3 1:10.3.19-1 [buster] - mariadb-10.3 1:10.3.22-0+deb10u1 - mariadb-10.1 [stretch] - mariadb-10.1 10.1.44-0+deb9u1 - mysql-5.7 (bug #942443) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL NOTE: MySQL: https://github.com/mysql/mysql-server/commit/52d9daf06478851548251ec2103cdc22178c48c4 NOTE: MariaDB: https://github.com/MariaDB/server/commit/719ac0ad4af0dd1e20dbc94eff8f8c9f786b3393 NOTE: Fixed in MariaDB: 10.3.19, 10.1.42 CVE-2019-2973 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DSA-4548-1 DSA-4546-1 DLA-2023-1} - openjdk-11 11.0.5+10-1 - openjdk-8 8u232-b09-1 - openjdk-7 CVE-2019-2972 (Vulnerability in the Oracle Outside In Technology product of Oracle Fu ...) NOT-FOR-US: Oracle CVE-2019-2971 (Vulnerability in the Oracle Outside In Technology product of Oracle Fu ...) NOT-FOR-US: Oracle CVE-2019-2970 (Vulnerability in the Oracle Outside In Technology product of Oracle Fu ...) NOT-FOR-US: Oracle CVE-2019-2969 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (bug #942443) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL CVE-2019-2968 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2967 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2966 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2965 (Vulnerability in the Siebel Core - DB Deployment and Configuration pro ...) NOT-FOR-US: Oracle CVE-2019-2964 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DSA-4548-1 DSA-4546-1 DLA-2023-1} - openjdk-11 11.0.5+10-1 - openjdk-8 8u232-b09-1 - openjdk-7 CVE-2019-2963 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2962 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DSA-4548-1 DSA-4546-1 DLA-2023-1} - openjdk-11 11.0.5+10-1 - openjdk-8 8u232-b09-1 - openjdk-7 CVE-2019-2961 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) NOT-FOR-US: Oracle CVE-2019-2960 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (bug #942443) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL CVE-2019-2959 (Vulnerability in the Hyperion Financial Reporting product of Oracle Hy ...) NOT-FOR-US: Oracle CVE-2019-2958 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DLA-2023-1} - openjdk-11 (Apparently specific to Oracle Java) - openjdk-7 (Apparently specific to Oracle Java) - openjdk-8 (Apparently specific to Oracle Java) CVE-2019-2957 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2956 (Vulnerability in the Core RDBMS (jackson-databind) component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2955 (Vulnerability in the Core RDBMS component of Oracle Database Server. S ...) NOT-FOR-US: Oracle CVE-2019-2954 (Vulnerability in the Core RDBMS component of Oracle Database Server. S ...) NOT-FOR-US: Oracle CVE-2019-2953 (Vulnerability in the Oracle Hospitality Cruise Dining Room Management ...) NOT-FOR-US: Oracle CVE-2019-2952 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...) NOT-FOR-US: Oracle CVE-2019-2951 (Vulnerability in the PeopleSoft Enterprise HCM Human Resources product ...) NOT-FOR-US: Oracle CVE-2019-2950 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2949 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DSA-4548-1 DSA-4546-1 DLA-2023-1} - openjdk-11 11.0.5+10-1 - openjdk-8 8u232-b09-1 - openjdk-7 CVE-2019-2948 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (bug #942443) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL CVE-2019-2947 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...) NOT-FOR-US: Oracle CVE-2019-2946 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (bug #942443) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL CVE-2019-2945 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DSA-4548-1 DSA-4546-1 DLA-2023-1} - openjdk-11 11.0.5+10-1 - openjdk-8 8u232-b09-1 - openjdk-7 CVE-2019-2944 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.0.14-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2943 (Vulnerability in the Oracle Data Integrator product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2019-2942 (Vulnerability in the Oracle Advanced Outbound Telephony product of Ora ...) NOT-FOR-US: Oracle CVE-2019-2941 (Vulnerability in the Hyperion Profitability and Cost Management produc ...) NOT-FOR-US: Oracle CVE-2019-2940 (Vulnerability in the Core RDBMS component of Oracle Database Server. S ...) NOT-FOR-US: Oracle CVE-2019-2939 (Vulnerability in the Core RDBMS component of Oracle Database Server. S ...) NOT-FOR-US: Oracle CVE-2019-2938 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (bug #942443) - mariadb-10.3 1:10.3.19-1 [buster] - mariadb-10.3 1:10.3.22-0+deb10u1 NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL CVE-2019-2937 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...) NOT-FOR-US: Oracle CVE-2019-2936 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...) NOT-FOR-US: Oracle CVE-2019-2935 (Vulnerability in the Siebel UI Framework product of Oracle Siebel CRM ...) NOT-FOR-US: Oracle CVE-2019-2934 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...) NOT-FOR-US: Oracle CVE-2019-2933 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DLA-2023-1} - openjdk-11 (Apparently specific to Oracle Java) - openjdk-7 (Apparently specific to Oracle Java) - openjdk-8 (Apparently specific to Oracle Java) CVE-2019-2932 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2019-2931 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2019-2930 (Vulnerability in the Oracle Field Service product of Oracle E-Business ...) NOT-FOR-US: Oracle CVE-2019-2929 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2019-2928 RESERVED CVE-2019-2927 (Vulnerability in the Hyperion Data Relationship Management product of ...) NOT-FOR-US: Oracle CVE-2019-2926 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.0.14-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2925 (Vulnerability in the Oracle Workflow product of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2019-2924 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (bug #942443) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL CVE-2019-2923 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (bug #942443) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL CVE-2019-2922 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (bug #942443) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL CVE-2019-2921 RESERVED CVE-2019-2920 (Vulnerability in the MySQL Connectors product of Oracle MySQL (compone ...) - mysql-5.7 (bug #942443) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL CVE-2019-2919 RESERVED CVE-2019-2918 RESERVED CVE-2019-2917 RESERVED CVE-2019-2916 RESERVED CVE-2019-2915 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2019-2914 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (bug #942443) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL CVE-2019-2913 (Vulnerability in the Core RDBMS component of Oracle Database Server. S ...) NOT-FOR-US: Oracle CVE-2019-2912 RESERVED CVE-2019-2911 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (bug #942443) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL CVE-2019-2910 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-5.7 (bug #942443) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL CVE-2019-2909 (Vulnerability in the Java VM component of Oracle Database Server. Supp ...) NOT-FOR-US: Oracle CVE-2019-2908 RESERVED CVE-2019-2907 (Vulnerability in the Oracle Web Services product of Oracle Fusion Midd ...) NOT-FOR-US: Oracle CVE-2019-2906 (Vulnerability in the BI Publisher (formerly XML Publisher) product of ...) NOT-FOR-US: Oracle CVE-2019-2905 (Vulnerability in the Oracle Business Intelligence Enterprise Edition p ...) NOT-FOR-US: Oracle CVE-2019-2904 (Vulnerability in the Oracle JDeveloper and ADF product of Oracle Fusio ...) NOT-FOR-US: Oracle CVE-2019-2903 (Vulnerability in the Oracle Outside In Technology product of Oracle Fu ...) NOT-FOR-US: Oracle CVE-2019-2902 (Vulnerability in the Oracle Outside In Technology product of Oracle Fu ...) NOT-FOR-US: Oracle CVE-2019-2901 (Vulnerability in the Oracle Outside In Technology product of Oracle Fu ...) NOT-FOR-US: Oracle CVE-2019-2900 (Vulnerability in the Oracle Business Intelligence Enterprise Edition p ...) NOT-FOR-US: Oracle CVE-2019-2899 (Vulnerability in the Oracle JDeveloper and ADF product of Oracle Fusio ...) NOT-FOR-US: Oracle CVE-2019-2898 (Vulnerability in the BI Publisher (formerly XML Publisher) product of ...) NOT-FOR-US: Oracle CVE-2019-2897 (Vulnerability in the Oracle Business Intelligence Enterprise Edition p ...) NOT-FOR-US: Oracle CVE-2019-2896 (Vulnerability in the MICROS Relate CRM Software product of Oracle Reta ...) NOT-FOR-US: Oracle CVE-2019-2895 (Vulnerability in the Enterprise Manager for Exadata product of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2894 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...) {DSA-4548-1 DSA-4546-1 DLA-2023-1} - openjdk-11 11.0.5+10-1 - openjdk-8 8u232-b09-1 - openjdk-7 CVE-2019-2893 RESERVED CVE-2019-2892 RESERVED CVE-2019-2891 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2019-2890 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2019-2889 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2019-2888 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2019-2887 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2019-2886 (Vulnerability in the Oracle Forms product of Oracle Fusion Middleware ...) NOT-FOR-US: Oracle CVE-2019-2885 RESERVED CVE-2019-2884 (Vulnerability in the Oracle Retail Customer Management and Segmentatio ...) NOT-FOR-US: Oracle CVE-2019-2883 (Vulnerability in the Oracle Retail Customer Management and Segmentatio ...) NOT-FOR-US: Oracle CVE-2019-2882 RESERVED CVE-2019-2881 RESERVED CVE-2019-2880 (Vulnerability in the Oracle Retail Store Inventory Management product ...) NOT-FOR-US: Oracle CVE-2019-2879 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2878 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Oracle CVE-2019-2877 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 6.0.10-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2876 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 6.0.10-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2875 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 6.0.10-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2874 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 6.0.10-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2873 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 6.0.10-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2872 (Vulnerability in the Oracle Retail Xstore Point of Service product of ...) NOT-FOR-US: Oracle CVE-2019-2871 (Vulnerability in the Data Store component of Oracle Berkeley DB. Suppo ...) NOT-FOR-US: Oracle CVE-2019-2870 (Vulnerability in the Data Store component of Oracle Berkeley DB. Suppo ...) NOT-FOR-US: Oracle CVE-2019-2869 (Vulnerability in the Data Store component of Oracle Berkeley DB. Suppo ...) NOT-FOR-US: Oracle CVE-2019-2868 (Vulnerability in the Data Store component of Oracle Berkeley DB. Suppo ...) NOT-FOR-US: Oracle CVE-2019-2867 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 6.0.10-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2866 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 6.0.10-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2865 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 6.0.10-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2864 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 6.0.10-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2863 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 6.0.10-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2862 (Vulnerability in the Oracle GraalVM Enterprise Edition component of Or ...) NOT-FOR-US: Oracle CVE-2019-2861 (Vulnerability in the Oracle Hyperion Planning component of Oracle Hype ...) NOT-FOR-US: Oracle CVE-2019-2860 (Vulnerability in the Oracle Clusterware component of Oracle Support To ...) NOT-FOR-US: Oracle CVE-2019-2859 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 6.0.10-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2858 (Vulnerability in the Oracle Identity Manager component of Oracle Fusio ...) NOT-FOR-US: Oracle CVE-2019-2857 (Vulnerability in the Siebel UI Framework component of Oracle Siebel CR ...) NOT-FOR-US: Oracle CVE-2019-2856 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2019-2855 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2854 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2853 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2852 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2851 RESERVED CVE-2019-2850 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 6.0.10-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2849 RESERVED CVE-2019-2848 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 6.0.10-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2847 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) NOT-FOR-US: Oracle CVE-2019-2846 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) NOT-FOR-US: Oracle CVE-2019-2845 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) NOT-FOR-US: Oracle CVE-2019-2844 (Vulnerability in the Oracle Solaris component of Oracle Sun Systems Pr ...) NOT-FOR-US: Oracle CVE-2019-2843 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) NOT-FOR-US: Oracle CVE-2019-2842 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) {DSA-4485-1} - openjdk-8 8u222-b10-1 CVE-2019-2841 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) NOT-FOR-US: Oracle CVE-2019-2840 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2019-2839 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2019-2838 (Vulnerability in the Oracle Solaris component of Oracle Sun Systems Pr ...) NOT-FOR-US: Oracle CVE-2019-2837 (Vulnerability in the Oracle CRM Technical Foundation component of Orac ...) NOT-FOR-US: Oracle CVE-2019-2836 (Vulnerability in the Oracle Hospitality Simphony component of Oracle F ...) NOT-FOR-US: Oracle CVE-2019-2835 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2834 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2833 (Vulnerability in the Oracle Hospitality Simphony component of Oracle F ...) NOT-FOR-US: Oracle CVE-2019-2832 (Vulnerability in the Oracle Solaris component of Oracle Sun Systems Pr ...) NOT-FOR-US: Oracle CVE-2019-2831 (Vulnerability in the PeopleSoft Enterprise FIN Project Costing compone ...) NOT-FOR-US: Oracle CVE-2019-2830 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2829 (Vulnerability in the Oracle iSupport component of Oracle E-Business Su ...) NOT-FOR-US: Oracle CVE-2019-2828 (Vulnerability in the Oracle Field Service component of Oracle E-Busine ...) NOT-FOR-US: Oracle CVE-2019-2827 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2019-2826 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2825 (Vulnerability in the Oracle Applications Manager component of Oracle E ...) NOT-FOR-US: Oracle CVE-2019-2824 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2019-2823 (Vulnerability in the Oracle Financial Services Analytical Applications ...) NOT-FOR-US: Oracle CVE-2019-2822 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2821 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) {DSA-4486-1} - openjdk-12 12.0.2+9-1 - openjdk-11 11.0.4+11-1 CVE-2019-2820 (Vulnerability in the Oracle Solaris component of Oracle Sun Systems Pr ...) NOT-FOR-US: Oracle CVE-2019-2819 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (bug #932340) NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL CVE-2019-2818 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) {DSA-4486-1} - openjdk-12 12.0.2+9-1 - openjdk-11 11.0.4+11-1 CVE-2019-2817 (Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain ...) NOT-FOR-US: Oracle CVE-2019-2816 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-4486-1 DSA-4485-1 DLA-1886-1} - openjdk-12 12.0.2+9-1 - openjdk-11 11.0.4+11-1 - openjdk-8 8u222-b10-1 - openjdk-7 CVE-2019-2815 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2814 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2813 (Vulnerability in the Oracle GraalVM Enterprise Edition component of Or ...) NOT-FOR-US: Oracle CVE-2019-2812 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2811 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2810 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2809 (Vulnerability in the Oracle iRecruitment component of Oracle E-Busines ...) NOT-FOR-US: Oracle CVE-2019-2808 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2807 (Vulnerability in the Oracle Solaris component of Oracle Sun Systems Pr ...) NOT-FOR-US: Oracle CVE-2019-2806 RESERVED CVE-2019-2805 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mariadb-10.3 1:10.3.17-1 [buster] - mariadb-10.3 1:10.3.17-0+deb10u1 - mariadb-10.1 [stretch] - mariadb-10.1 10.1.41-0+deb9u1 - mysql-5.7 (bug #932340) NOTE: Fixed in MariaDB: 10.3.17, 10.1.41 NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL CVE-2019-2804 (Vulnerability in the Oracle Solaris component of Oracle Sun Systems Pr ...) NOT-FOR-US: Oracle CVE-2019-2803 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2802 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2801 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2800 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2799 (Vulnerability in the Oracle ODBC Driver component of Oracle Database S ...) NOT-FOR-US: Oracle CVE-2019-2798 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2797 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (bug #932340) NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL CVE-2019-2796 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2795 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2794 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2019-2793 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2019-2792 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2791 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (bug #932340) NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL CVE-2019-2790 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2019-2789 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2788 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2019-2787 (Vulnerability in the Oracle Solaris component of Oracle Sun Systems Pr ...) NOT-FOR-US: Oracle CVE-2019-2786 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-4486-1 DSA-4485-1} - openjdk-12 12.0.2+9-1 - openjdk-11 11.0.4+11-1 - openjdk-8 8u222-b10-1 CVE-2019-2785 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2784 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2783 (Vulnerability in the Oracle Payments component of Oracle E-Business Su ...) NOT-FOR-US: Oracle CVE-2019-2782 (Vulnerability in the Oracle Payments component of Oracle E-Business Su ...) NOT-FOR-US: Oracle CVE-2019-2781 (Vulnerability in the Oracle Hospitality Suite8 component of Oracle Hos ...) NOT-FOR-US: Oracle CVE-2019-2780 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2779 (Vulnerability in the Siebel Core - Common Components component of Orac ...) NOT-FOR-US: Oracle CVE-2019-2778 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (bug #932340) NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL CVE-2019-2777 (Vulnerability in the Siebel Core - Server Framework component of Oracl ...) NOT-FOR-US: Oracle CVE-2019-2776 (Vulnerability in the Core RDBMS component of Oracle Database Server. S ...) NOT-FOR-US: Oracle CVE-2019-2775 (Vulnerability in the Oracle Payments component of Oracle E-Business Su ...) NOT-FOR-US: Oracle CVE-2019-2774 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (bug #932340) NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL CVE-2019-2773 (Vulnerability in the Oracle Payments component of Oracle E-Business Su ...) NOT-FOR-US: Oracle CVE-2019-2772 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2019-2771 (Vulnerability in the BI Publisher (formerly XML Publisher) component o ...) NOT-FOR-US: Oracle CVE-2019-2770 (Vulnerability in the Oracle Hyperion Planning component of Oracle Hype ...) NOT-FOR-US: Oracle CVE-2019-2769 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-4486-1 DSA-4485-1 DLA-1886-1} - openjdk-12 12.0.2+9-1 - openjdk-11 11.0.4+11-1 - openjdk-8 8u222-b10-1 - openjdk-7 CVE-2019-2768 (Vulnerability in the BI Publisher (formerly XML Publisher) component o ...) NOT-FOR-US: Oracle CVE-2019-2767 (Vulnerability in the BI Publisher (formerly XML Publisher) component o ...) NOT-FOR-US: Oracle CVE-2019-2766 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) - openjdk-12 (Windows-specific) - openjdk-11 (Windows-specific) - openjdk-8 (Windows-specific) - openjdk-7 (Windows-specific) CVE-2019-2765 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) NOT-FOR-US: Oracle CVE-2019-2764 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2763 (Vulnerability in the Oracle Hospitality Gift and Loyalty component of ...) NOT-FOR-US: Oracle CVE-2019-2762 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-4486-1 DSA-4485-1 DLA-1886-1} - openjdk-12 12.0.2+9-1 - openjdk-11 11.0.4+11-1 - openjdk-8 8u222-b10-1 - openjdk-7 CVE-2019-2761 (Vulnerability in the Oracle Application Object Library component of Or ...) NOT-FOR-US: Oracle CVE-2019-2760 (Vulnerability in the Data Store component of Oracle Berkeley DB. Suppo ...) NOT-FOR-US: Oracle CVE-2019-2759 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2758 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mariadb-10.3 1:10.3.17-1 [buster] - mariadb-10.3 1:10.3.17-0+deb10u1 - mysql-5.7 (bug #932340) NOTE: Fixed in MariaDB: 10.3.17 NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL CVE-2019-2757 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (bug #932340) NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL CVE-2019-2756 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2755 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.26-1 CVE-2019-2754 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2019-2753 (Vulnerability in the Oracle Text component of Oracle Database Server. ...) NOT-FOR-US: Oracle CVE-2019-2752 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2751 (Vulnerability in the Oracle HTTP Server component of Oracle Fusion Mid ...) NOT-FOR-US: Oracle CVE-2019-2750 (Vulnerability in the MICROS Retail-J component of Oracle Retail Applic ...) NOT-FOR-US: Oracle CVE-2019-2749 (Vulnerability in the Java VM component of Oracle Database Server. Supp ...) NOT-FOR-US: Oracle CVE-2019-2748 (Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of ...) NOT-FOR-US: Oracle CVE-2019-2747 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2746 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2745 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) {DSA-4486-1 DSA-4485-1 DLA-1886-1} - openjdk-11 11.0.4+11-1 - openjdk-8 8u222-b10-1 - openjdk-7 CVE-2019-2744 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2019-2743 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2742 (Vulnerability in the Oracle BI Publisher component of Oracle Fusion Mi ...) NOT-FOR-US: Oracle CVE-2019-2741 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (bug #932340) NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL CVE-2019-2740 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mariadb-10.3 1:10.3.17-1 [buster] - mariadb-10.3 1:10.3.17-0+deb10u1 - mariadb-10.1 [stretch] - mariadb-10.1 10.1.41-0+deb9u1 - mysql-5.7 (bug #932340) NOTE: Fixed in MariaDB: 10.3.17, 10.1.41 NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL CVE-2019-2739 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mariadb-10.3 1:10.3.17-1 [buster] - mariadb-10.3 1:10.3.17-0+deb10u1 - mariadb-10.1 [stretch] - mariadb-10.1 10.1.41-0+deb9u1 - mysql-5.7 (bug #932340) NOTE: Fixed in MariaDB: 10.3.17, 10.1.41 NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL CVE-2019-2738 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (bug #932340) NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL CVE-2019-2737 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mariadb-10.3 1:10.3.17-1 [buster] - mariadb-10.3 1:10.3.17-0+deb10u1 - mariadb-10.1 [stretch] - mariadb-10.1 10.1.41-0+deb9u1 - mysql-5.7 (bug #932340) NOTE: Fixed in MariaDB: 10.3.17, 10.1.41 NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL CVE-2019-2736 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) NOT-FOR-US: Oracle CVE-2019-2735 (Vulnerability in the Oracle Hyperion Workspace component of Oracle Hyp ...) NOT-FOR-US: Oracle CVE-2019-2734 (Vulnerability in the Core RDBMS component of Oracle Database Server. S ...) NOT-FOR-US: Oracle CVE-2019-2733 (Vulnerability in the Oracle Demantra Demand Management component of Or ...) NOT-FOR-US: Oracle CVE-2019-2732 (Vulnerability in the Oracle Demantra Demand Management component of Or ...) NOT-FOR-US: Oracle CVE-2019-2731 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.24-1 CVE-2019-2730 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 CVE-2019-2729 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2019-2728 (Vulnerability in the Enterprise Manager Ops Center component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2727 (Vulnerability in the Oracle Application Testing Suite component of Ora ...) NOT-FOR-US: Oracle CVE-2019-2726 (Vulnerability in the Enterprise Manager Ops Center component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2725 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2019-2724 RESERVED CVE-2019-2723 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 6.0.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2722 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 6.0.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2721 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 6.0.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2720 (Vulnerability in the Oracle Data Integrator component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2019-2719 (Vulnerability in the Oracle Knowledge component of Oracle Siebel CRM ( ...) NOT-FOR-US: Oracle CVE-2019-2718 RESERVED CVE-2019-2717 RESERVED CVE-2019-2716 RESERVED CVE-2019-2715 RESERVED CVE-2019-2714 RESERVED CVE-2019-2713 (Vulnerability in the Oracle Commerce Merchandising component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2712 (Vulnerability in the Oracle Commerce Platform component of Oracle Comm ...) NOT-FOR-US: Oracle CVE-2019-2711 RESERVED CVE-2019-2710 RESERVED CVE-2019-2709 (Vulnerability in the Oracle Transportation Management component of Ora ...) NOT-FOR-US: Oracle CVE-2019-2708 (Vulnerability in the Data Store component of Oracle Berkeley DB. Suppo ...) NOT-FOR-US: Oracle CVE-2019-2707 (Vulnerability in the PeopleSoft Enterprise ELM Enterprise Learning Man ...) NOT-FOR-US: Oracle CVE-2019-2706 (Vulnerability in the Oracle Business Process Management Suite componen ...) NOT-FOR-US: Oracle CVE-2019-2705 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2704 (Vulnerability in the Oracle Solaris component of Oracle Sun Systems Pr ...) NOT-FOR-US: Oracle CVE-2019-2703 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 6.0.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2702 (Vulnerability in the Oracle Hospitality Cruise Dining Room Management ...) NOT-FOR-US: Oracle CVE-2019-2701 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle CVE-2019-2700 (Vulnerability in the PeopleSoft Enterprise ELM component of Oracle Peo ...) NOT-FOR-US: Oracle CVE-2019-2699 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-8 (Windows-specific) CVE-2019-2698 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) {DSA-4453-1 DLA-1782-1} - openjdk-7 (low) - openjdk-8 8u212-b03-1 (low) - openjdk-11 11.0.3+7-1 (low) CVE-2019-2697 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-7 (proprietary 2D component only present in Oracle Java) - openjdk-8 (proprietary 2D component only present in Oracle Java) CVE-2019-2696 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 6.0.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2695 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2694 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2693 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2692 (Vulnerability in the MySQL Connectors component of Oracle MySQL (subco ...) - mysql-connector-java (Only affects 8.x) NOTE: It's not clear whether older versions are affected, but Oracle doesn't provide NOTE: further information, so there's not really anything we can do about this anyway CVE-2019-2691 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2690 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 6.0.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2689 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2688 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2687 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2686 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2685 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2684 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-4453-1 DLA-1782-1} - openjdk-7 - openjdk-8 8u212-b03-1 - openjdk-11 11.0.3+7-1 CVE-2019-2683 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.26-1 (bug #927308) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html#AppendixMSQL CVE-2019-2682 (Vulnerability in the Oracle Applications Framework component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2681 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2680 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 6.0.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2679 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 6.0.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2678 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 6.0.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2677 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2019-2676 (Vulnerability in the Oracle CRM Technical Foundation component of Orac ...) NOT-FOR-US: Oracle CVE-2019-2675 (Vulnerability in the Oracle CRM Technical Foundation component of Orac ...) NOT-FOR-US: Oracle CVE-2019-2674 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2673 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2019-2672 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2671 (Vulnerability in the Oracle CRM Technical Foundation component of Orac ...) NOT-FOR-US: Oracle CVE-2019-2670 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2019-2669 (Vulnerability in the Oracle CRM Technical Foundation component of Orac ...) NOT-FOR-US: Oracle CVE-2019-2668 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2667 RESERVED CVE-2019-2666 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2665 (Vulnerability in the Oracle Common Applications component of Oracle E- ...) NOT-FOR-US: Oracle CVE-2019-2664 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2019-2663 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2019-2662 (Vulnerability in the Oracle Territory Management component of Oracle E ...) NOT-FOR-US: Oracle CVE-2019-2661 (Vulnerability in the Oracle Email Center component of Oracle E-Busines ...) NOT-FOR-US: Oracle CVE-2019-2660 (Vulnerability in the Oracle Knowledge Management component of Oracle E ...) NOT-FOR-US: Oracle CVE-2019-2659 (Vulnerability in the Oracle Commerce Platform component of Oracle Comm ...) NOT-FOR-US: Oracle CVE-2019-2658 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2019-2657 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 6.0.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2656 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 6.0.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2655 (Vulnerability in the Oracle Interaction Center Intelligence component ...) NOT-FOR-US: Oracle CVE-2019-2654 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2653 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2652 (Vulnerability in the Oracle iStore component of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2019-2651 (Vulnerability in the Oracle Email Center component of Oracle E-Busines ...) NOT-FOR-US: Oracle CVE-2019-2650 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2019-2649 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2019-2648 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2019-2647 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2019-2646 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2019-2645 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2019-2644 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2643 (Vulnerability in the Oracle Trade Management component of Oracle E-Bus ...) NOT-FOR-US: Oracle CVE-2019-2642 (Vulnerability in the Oracle Trade Management component of Oracle E-Bus ...) NOT-FOR-US: Oracle CVE-2019-2641 (Vulnerability in the Oracle Trade Management component of Oracle E-Bus ...) NOT-FOR-US: Oracle CVE-2019-2640 (Vulnerability in the Oracle Trade Management component of Oracle E-Bus ...) NOT-FOR-US: Oracle CVE-2019-2639 (Vulnerability in the Oracle CRM Technical Foundation component of Orac ...) NOT-FOR-US: Oracle CVE-2019-2638 (Vulnerability in the Oracle General Ledger component of Oracle E-Busin ...) NOT-FOR-US: Oracle CVE-2019-2637 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2019-2636 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2635 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2634 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2633 (Vulnerability in the Oracle Work in Process component of Oracle E-Busi ...) NOT-FOR-US: Oracle CVE-2019-2632 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.26-1 (bug #927308) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html#AppendixMSQL CVE-2019-2631 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2630 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2629 (Vulnerability in the Oracle Health Sciences Data Management Workbench ...) NOT-FOR-US: Oracle CVE-2019-2628 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mariadb-10.3 1:10.3.15-1 (bug #928393) - mysql-5.7 5.7.26-1 (bug #927308) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html#AppendixMSQL NOTE: Fixed in MariaDB: 10.3.15 CVE-2019-2627 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mariadb-10.3 1:10.3.15-1 (bug #928393) - mariadb-10.1 [stretch] - mariadb-10.1 10.1.41-0+deb9u1 - mariadb-10.0 [jessie] - mariadb-10.0 (Minor issue) - mysql-5.7 5.7.26-1 (bug #927308) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html#AppendixMSQL NOTE: Fixed in MariaDB: 10.3.15, 10.1.39 CVE-2019-2626 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2625 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2624 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2623 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2622 (Vulnerability in the Oracle Service Contracts component of Oracle E-Bu ...) NOT-FOR-US: Oracle CVE-2019-2621 (Vulnerability in the Oracle Application Object Library component of Or ...) NOT-FOR-US: Oracle CVE-2019-2620 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2619 (Vulnerability in the Portable Clusterware component of Oracle Database ...) NOT-FOR-US: Oracle CVE-2019-2618 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2019-2617 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2616 (Vulnerability in the BI Publisher (formerly XML Publisher) component o ...) NOT-FOR-US: Oracle CVE-2019-2615 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2019-2614 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mariadb-10.3 1:10.3.15-1 (bug #928393) - mariadb-10.1 [stretch] - mariadb-10.1 10.1.41-0+deb9u1 - mariadb-10.0 [jessie] - mariadb-10.0 (Minor issue) - mysql-5.7 5.7.26-1 (bug #927308) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html#AppendixMSQL NOTE: Fixed in MariaDB 10.3.15, 10.1.39 CVE-2019-2613 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2612 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2611 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2610 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2609 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2608 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2607 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2606 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2605 (Vulnerability in the Oracle Business Intelligence Enterprise Edition c ...) NOT-FOR-US: Oracle CVE-2019-2604 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2019-2603 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2602 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-4453-1 DLA-1782-1} - openjdk-7 - openjdk-8 8u212-b03-1 - openjdk-11 11.0.3+7-1 CVE-2019-2601 (Vulnerability in the BI Publisher (formerly XML Publisher) component o ...) NOT-FOR-US: Oracle CVE-2019-2600 (Vulnerability in the Oracle Email Center component of Oracle E-Busines ...) NOT-FOR-US: Oracle CVE-2019-2599 (Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of ...) NOT-FOR-US: Oracle CVE-2019-2598 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2019-2597 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2019-2596 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2595 (Vulnerability in the BI Publisher (formerly XML Publisher) component o ...) NOT-FOR-US: Oracle CVE-2019-2594 (Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of ...) NOT-FOR-US: Oracle CVE-2019-2593 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2592 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.26-1 (bug #927308) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html#AppendixMSQL CVE-2019-2591 (Vulnerability in the PeopleSoft Enterprise HRMS component of Oracle Pe ...) NOT-FOR-US: Oracle CVE-2019-2590 (Vulnerability in the PeopleSoft Enterprise HCM Talent Acquisition Mana ...) NOT-FOR-US: Oracle CVE-2019-2589 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2588 (Vulnerability in the BI Publisher (formerly XML Publisher) component o ...) NOT-FOR-US: Oracle CVE-2019-2587 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2586 (Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of ...) NOT-FOR-US: Oracle CVE-2019-2585 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2584 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2583 (Vulnerability in the Oracle iSupplier Portal component of Oracle E-Bus ...) NOT-FOR-US: Oracle CVE-2019-2582 (Vulnerability in the Core RDBMS component of Oracle Database Server. S ...) NOT-FOR-US: Oracle CVE-2019-2581 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.26-1 (bug #927308) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html#AppendixMSQL CVE-2019-2580 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) CVE-2019-2579 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2019-2578 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2019-2577 (Vulnerability in the Oracle Solaris component of Oracle Sun Systems Pr ...) NOT-FOR-US: Oracle CVE-2019-2576 (Vulnerability in the Oracle Service Bus component of Oracle Fusion Mid ...) NOT-FOR-US: Oracle CVE-2019-2575 (Vulnerability in the Oracle AutoVue 3D Professional Advanced component ...) NOT-FOR-US: Oracle CVE-2019-2574 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 6.0.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2573 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2019-2572 (Vulnerability in the Oracle SOA Suite component of Oracle Fusion Middl ...) NOT-FOR-US: Oracle CVE-2019-2571 (Vulnerability in the RDBMS DataPump component of Oracle Database Serve ...) NOT-FOR-US: Oracle CVE-2019-2570 (Vulnerability in the Siebel Core - Server BizLogic Script component of ...) NOT-FOR-US: Oracle CVE-2019-2569 (Vulnerability in the Core RDBMS component of Oracle Database Server. S ...) NOT-FOR-US: Oracle CVE-2019-2568 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2019-2567 (Vulnerability in the Oracle Configurator component of Oracle Supply Ch ...) NOT-FOR-US: Oracle CVE-2019-2566 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.26-1 (bug #927308) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html#AppendixMSQL CVE-2019-2565 (Vulnerability in the JD Edwards World Technical Foundation component o ...) NOT-FOR-US: Oracle CVE-2019-2564 (Vulnerability in the JD Edwards EnterpriseOne Tools component of Oracl ...) NOT-FOR-US: Oracle CVE-2019-2563 RESERVED CVE-2019-2562 RESERVED CVE-2019-2561 (Vulnerability in the Oracle Retail Xstore Office component of Oracle R ...) NOT-FOR-US: Oracle CVE-2019-2560 RESERVED CVE-2019-2559 RESERVED CVE-2019-2558 (Vulnerability in the Oracle Retail Point-of-Service component of Oracl ...) NOT-FOR-US: Oracle CVE-2019-2557 (Vulnerability in the Oracle Application Testing Suite component of Ora ...) NOT-FOR-US: Oracle CVE-2019-2556 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2555 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2554 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2553 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2552 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2551 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2550 (Vulnerability in the Oracle FLEXCUBE Direct Banking component of Oracl ...) NOT-FOR-US: Oracle CVE-2019-2549 (Vulnerability in the Oracle FLEXCUBE Direct Banking component of Oracl ...) NOT-FOR-US: Oracle CVE-2019-2548 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2547 (Vulnerability in the Java VM component of Oracle Database Server. Supp ...) NOT-FOR-US: Oracle CVE-2019-2546 (Vulnerability in the Oracle Applications Manager component of Oracle E ...) NOT-FOR-US: Oracle CVE-2019-2545 (Vulnerability in the Oracle Solaris component of Oracle Sun Systems Pr ...) NOT-FOR-US: Oracle CVE-2019-2544 (Vulnerability in the Oracle Solaris component of Oracle Sun Systems Pr ...) NOT-FOR-US: Oracle CVE-2019-2543 (Vulnerability in the Oracle Solaris component of Oracle Sun Systems Pr ...) NOT-FOR-US: Oracle CVE-2019-2542 RESERVED CVE-2019-2541 (Vulnerability in the Oracle Solaris component of Oracle Sun Systems Pr ...) NOT-FOR-US: Oracle CVE-2019-2540 (Vulnerability in the Java Advanced Management Console component of Ora ...) NOT-FOR-US: Java Advanced Management Console CVE-2019-2539 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Specific to 8.x) CVE-2019-2538 (Vulnerability in the Oracle Managed File Transfer component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2537 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DLA-1655-1} - mysql-5.7 5.7.25-1 (bug #919817) - mariadb-10.3 1:10.3.13-1 (bug #920933) - mariadb-10.1 [stretch] - mariadb-10.1 10.1.38-0+deb9u1 - mariadb-10.0 NOTE: Fixed in MariaDB: 10.3.13, 10.1.38, 10.0.38 CVE-2019-2536 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Specific to 8) CVE-2019-2535 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Specific to 8) CVE-2019-2534 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.25-1 (bug #919817) CVE-2019-2533 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Specific to 8.x) CVE-2019-2532 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.25-1 (bug #919817) CVE-2019-2531 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.25-1 (bug #919817) CVE-2019-2530 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Specific to 8) CVE-2019-2529 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DLA-1655-1} - mysql-5.7 5.7.25-1 (bug #919817) - mariadb-10.1 [stretch] - mariadb-10.1 10.1.38-0+deb9u1 - mariadb-10.0 NOTE: Fixed in MariaDB: 10.1.38, 10.0.38 CVE-2019-2528 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.25-1 (bug #919817) CVE-2019-2527 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2526 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2525 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2524 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2523 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2522 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2521 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2520 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2519 (Vulnerability in the PeopleSoft Enterprise SCM eProcurement component ...) NOT-FOR-US: Oracle CVE-2019-2518 (Vulnerability in the Java VM component of Oracle Database Server. Supp ...) NOT-FOR-US: Oracle CVE-2019-2517 (Vulnerability in the Core RDBMS component of Oracle Database Server. S ...) NOT-FOR-US: Oracle CVE-2019-2516 (Vulnerability in the Portable Clusterware component of Oracle Database ...) NOT-FOR-US: Oracle CVE-2019-2515 RESERVED CVE-2019-2514 RESERVED CVE-2019-2513 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Specific to 8) CVE-2019-2512 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle CVE-2019-2511 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2510 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.25-1 (bug #919817) - mariadb-10.3 1:10.3.13-1 (bug #920933) NOTE: Fixed in MariaDB: 10.3.13 CVE-2019-2509 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2508 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2507 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.25-1 (bug #919817) CVE-2019-2506 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2505 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2504 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2503 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DLA-1570-1} - mysql-5.7 5.7.25-1 (bug #919817) - mariadb-10.0 NOTE: Fixed in MariaDB: 10.0.37 CVE-2019-2502 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Specific to 8) CVE-2019-2501 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2500 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2499 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2019-2498 (Vulnerability in the Oracle Partner Management component of Oracle E-B ...) NOT-FOR-US: Oracle CVE-2019-2497 (Vulnerability in the Oracle CRM Technical Foundation component of Orac ...) NOT-FOR-US: Oracle CVE-2019-2496 (Vulnerability in the Oracle CRM Technical Foundation component of Orac ...) NOT-FOR-US: Oracle CVE-2019-2495 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Specific to 8) CVE-2019-2494 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Specific to 8) CVE-2019-2493 (Vulnerability in the PeopleSoft Enterprise CS Campus Community compone ...) NOT-FOR-US: Oracle CVE-2019-2492 (Vulnerability in the Oracle Email Center component of Oracle E-Busines ...) NOT-FOR-US: Oracle CVE-2019-2491 (Vulnerability in the Oracle Email Center component of Oracle E-Busines ...) NOT-FOR-US: Oracle CVE-2019-2490 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2019-2489 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2488 (Vulnerability in the Oracle CRM Technical Foundation component of Orac ...) NOT-FOR-US: Oracle CVE-2019-2487 (Vulnerability in the Oracle Transportation Management component of Ora ...) NOT-FOR-US: Oracle CVE-2019-2486 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.25-1 (bug #919817) CVE-2019-2485 (Vulnerability in the Oracle Mobile Field Service component of Oracle E ...) NOT-FOR-US: Oracle CVE-2019-2484 (Vulnerability in the Application Express component of Oracle Database ...) NOT-FOR-US: Oracle CVE-2019-2483 RESERVED CVE-2019-2482 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.25-1 (bug #919817) CVE-2019-2481 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.25-1 (bug #919817) CVE-2019-2480 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2479 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2478 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2477 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2476 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2475 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2474 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2473 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2472 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2471 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2019-2470 (Vulnerability in the Oracle Partner Management component of Oracle E-B ...) NOT-FOR-US: Oracle CVE-2019-2469 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2468 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2467 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2466 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2465 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2464 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2463 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2462 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2461 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2460 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2459 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2458 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2457 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2456 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2455 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.25-1 (bug #919817) CVE-2019-2454 RESERVED CVE-2019-2453 (Vulnerability in the Oracle Performance Management component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2452 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2019-2451 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2450 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2449 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2019-2448 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2447 (Vulnerability in the Oracle Partner Management component of Oracle E-B ...) NOT-FOR-US: Oracle CVE-2019-2446 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2445 (Vulnerability in the Oracle Content Manager component of Oracle E-Busi ...) NOT-FOR-US: Oracle CVE-2019-2444 (Vulnerability in the Core RDBMS component of Oracle Database Server. S ...) NOT-FOR-US: Oracle CVE-2019-2443 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2019-2442 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2019-2441 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2019-2440 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2019-2439 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2019-2438 (Vulnerability in the Oracle Web Cache component of Oracle Fusion Middl ...) NOT-FOR-US: Oracle CVE-2019-2437 (Vulnerability in the Oracle Solaris component of Oracle Sun Systems Pr ...) NOT-FOR-US: Oracle CVE-2019-2436 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Specific to 8) CVE-2019-2435 (Vulnerability in the MySQL Connectors component of Oracle MySQL (subco ...) - mysql-connector-python 8.0.14-1 (bug #919820) [stretch] - mysql-connector-python (No security details disclosed, no 2.1.x release by Oracle) [jessie] - mysql-connector-python (No security details disclosed, no 1.2.x release by Oracle) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html#CVE-2019-2435 CVE-2019-2434 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.25-1 (bug #919817) CVE-2019-2433 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2019-2432 (Vulnerability in the Oracle Argus Safety component of Oracle Health Sc ...) NOT-FOR-US: Oracle CVE-2019-2431 (Vulnerability in the Oracle Argus Safety component of Oracle Health Sc ...) NOT-FOR-US: Oracle CVE-2019-2430 (Vulnerability in the Oracle Argus Safety component of Oracle Health Sc ...) NOT-FOR-US: Oracle CVE-2019-2429 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2019-2428 RESERVED CVE-2019-2427 (Vulnerability in the Oracle WebCenter Portal component of Oracle Fusio ...) NOT-FOR-US: Oracle CVE-2019-2426 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-7 (Specific to Java on Windows) - openjdk-8 (Specific to Java on Windows) - openjdk-11 (Specific to Java on Windows) CVE-2019-2425 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...) NOT-FOR-US: Oracle CVE-2019-2424 (Vulnerability in the Oracle Retail Convenience Store Back Office compo ...) NOT-FOR-US: Oracle CVE-2019-2423 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2019-2422 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) {DSA-4410-1 DLA-1732-1} [experimental] - openjdk-7 7u211-2.6.17-1 - openjdk-7 - openjdk-8 8u202-b26-1 - openjdk-11 11.0.2+9-1 CVE-2019-2421 (Vulnerability in the PeopleSoft Enterprise HCM eProfile Manager Deskto ...) NOT-FOR-US: Oracle CVE-2019-2420 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.25-1 (bug #919817) CVE-2019-2419 (Vulnerability in the PeopleSoft Enterprise CC Common Application Objec ...) NOT-FOR-US: Oracle CVE-2019-2418 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2019-2417 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2019-2416 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2019-2415 (Vulnerability in the Hyperion BI+ component of Oracle Hyperion (subcom ...) NOT-FOR-US: Oracle CVE-2019-2414 (Vulnerability in the Oracle HTTP Server component of Oracle Fusion Mid ...) NOT-FOR-US: Oracle CVE-2019-2413 (Vulnerability in the Oracle Reports Developer component of Oracle Fusi ...) NOT-FOR-US: Oracle CVE-2019-2412 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Oracle CVE-2019-2411 (Vulnerability in the Oracle Hospitality Cruise Shipboard Property Mana ...) NOT-FOR-US: Oracle CVE-2019-2410 (Vulnerability in the Oracle Hospitality Cruise Shipboard Property Mana ...) NOT-FOR-US: Oracle CVE-2019-2409 (Vulnerability in the Oracle Hospitality Cruise Shipboard Property Mana ...) NOT-FOR-US: Oracle CVE-2019-2408 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2019-2407 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...) NOT-FOR-US: Oracle CVE-2019-2406 (Vulnerability in the Core RDBMS component of Oracle Database Server. S ...) NOT-FOR-US: Oracle CVE-2019-2405 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2019-2404 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2019-2403 (Vulnerability in the Oracle Hospitality Simphony component of Oracle F ...) NOT-FOR-US: Oracle CVE-2019-2402 (Vulnerability in the Oracle Hospitality Simphony component of Oracle F ...) NOT-FOR-US: Oracle CVE-2019-2401 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...) NOT-FOR-US: Oracle CVE-2019-2400 (Vulnerability in the Oracle iStore component of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2019-2399 (Vulnerability in the Oracle Communications Diameter Signaling Router ( ...) NOT-FOR-US: Oracle CVE-2019-2398 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2019-2397 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...) NOT-FOR-US: Oracle CVE-2019-2396 (Vulnerability in the Oracle CRM Technical Foundation component of Orac ...) NOT-FOR-US: Oracle CVE-2019-2395 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2018-20146 (An issue was discovered in Liquidware ProfileUnity before 6.8.0 with L ...) NOT-FOR-US: Liquidware ProfileUnity CVE-2018-20153 (In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could mod ...) {DSA-4401-1 DLA-1673-1} - wordpress 5.0.1+dfsg1-1 (bug #916403) NOTE: https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/ CVE-2018-20152 (In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass i ...) {DSA-4401-1 DLA-1673-1} - wordpress 5.0.1+dfsg1-1 (bug #916403) NOTE: https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/ CVE-2018-20151 (In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation pa ...) {DSA-4401-1 DLA-1673-1} - wordpress 5.0.1+dfsg1-1 (bug #916403) NOTE: https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/ CVE-2018-20150 (In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could tri ...) {DSA-4401-1 DLA-1673-1} - wordpress 5.0.1+dfsg1-1 (bug #916403) NOTE: https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/ NOTE: https://github.com/WordPress/WordPress/commit/fb3c6ea0618fcb9a51d4f2c1940e9efcd4a2d460 CVE-2018-20149 (In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP S ...) {DSA-4401-1 DLA-1673-1} - wordpress 5.0.1+dfsg1-1 (bug #916403) NOTE: https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/ NOTE: https://github.com/WordPress/WordPress/commit/246a70bdbfac3bd45ff71c7941deef1bb206b19a CVE-2018-20148 (In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could con ...) {DSA-4401-1 DLA-1673-1} - wordpress 5.0.1+dfsg1-1 (bug #916403) NOTE: https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/ CVE-2018-20147 (In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify m ...) {DSA-4401-1 DLA-1673-1} - wordpress 5.0.1+dfsg1-1 (bug #916403) NOTE: https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/ CVE-2018-20144 (GitLab Community and Enterprise Edition 11.x before 11.3.13, 11.4.x be ...) - gitlab 11.5.4+dfsg-1 NOTE: https://about.gitlab.com/2018/12/13/critical-security-release-gitlab-11-dot-5-dot-4-released/ CVE-2018-20143 RESERVED CVE-2018-20142 RESERVED CVE-2018-20141 (AbanteCart 1.2.12 has reflected cross-site scripting (XSS) via the sor ...) NOT-FOR-US: AbanteCart CVE-2018-20140 (Zenphoto 1.4.14 has multiple cross-site scripting (XSS) vulnerabilitie ...) NOT-FOR-US: Zenphoto CVE-2018-20139 RESERVED CVE-2018-20138 (PHP Scripts Mall Entrepreneur B2B Script 3.0.6 allows Stored XSS via A ...) NOT-FOR-US: PHP Scripts Mall Entrepreneur B2B Script CVE-2018-20137 (XSS exists in FUEL CMS 1.4.3 via the Page title, Meta description, or ...) NOT-FOR-US: FUEL CMS CVE-2018-20136 (XSS exists in FUEL CMS 1.4.3 via the Header or Body in the Layout Vari ...) NOT-FOR-US: FUEL CMS CVE-2018-20135 (Samsung Galaxy Apps before 4.4.01.7 allows modification of the hostnam ...) NOT-FOR-US: Samsung Galaxy Apps CVE-2018-20134 RESERVED CVE-2018-20133 (ymlref allows code injection. ...) NOT-FOR-US: ymlref CVE-2018-20132 REJECTED CVE-2018-20131 (The Code42 app before 6.8.4, as used in Code42 for Enterprise, on Linu ...) NOT-FOR-US: Code42 CVE-2018-20130 RESERVED CVE-2018-20129 (An issue was discovered in DedeCMS V5.7 SP2. uploads/include/dialog/se ...) NOT-FOR-US: DedeCMS CVE-2018-20128 (An issue was discovered in UsualToolCMS v8.0. cmsadmin\a_sqlback.php a ...) NOT-FOR-US: UsualToolCMS CVE-2018-20127 (An issue was discovered in zzzphp cms 1.5.8. del_file in /admin/save.p ...) NOT-FOR-US: zzzphp cms CVE-2018-20126 (hw/rdma/vmw/pvrdma_cmd.c in QEMU allows create_cq and create_qp memory ...) - qemu 1:4.1-1 (unimportant) [stretch] - qemu (Vulnerable code not present) [jessie] - qemu (Vulnerable code not present) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02824.html NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=509f57c98e7536905bb4902363d0cba66ce7e089 NOTE: PVRDMA support not enabled in the binary packages until 1:3.1+dfsg-3, disabled again in 1:3.1+dfsg-4 CVE-2018-20125 (hw/rdma/vmw/pvrdma_cmd.c in QEMU allows attackers to cause a denial of ...) - qemu 1:4.1-1 (unimportant) [stretch] - qemu (Vulnerable code not present) [jessie] - qemu (Vulnerable code not present) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02823.html NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=2c858ce5da8ae6689c75182b73bc455a291cad41 NOTE: PVRDMA support not enabled in the binary packages until 1:3.1+dfsg-3, disabled again in 1:3.1+dfsg-4 CVE-2018-20124 (hw/rdma/rdma_backend.c in QEMU allows guest OS users to trigger out-of ...) - qemu 1:4.1-1 (bug #922461; unimportant) [stretch] - qemu (Vulnerable code not present) [jessie] - qemu (Vulnerable code not present) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02822.html NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=0e68373cc2b3a063ce067bc0cc3edaf370752890 NOTE: PVRDMA support not enabled in the binary packages until 1:3.1+dfsg-3, disabled again in 1:3.1+dfsg-4 NOTE: The issue is in PVRDMA support, cf. https://bugs.debian.org/922461#18 CVE-2018-20123 (pvrdma_realize in hw/rdma/vmw/pvrdma_main.c in QEMU has a Memory leak ...) - qemu 1:4.1-1 (unimportant; bug #916442) [stretch] - qemu (Vulnerable code not present) [jessie] - qemu (Vulnerable code not present) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02817.html NOTE: PVRDMA support not enabled until 1:3.1+dfsg-3, disabled again in 1:3.1+dfsg-4, and NOTE: applied patch in 1:3.1+dfsg-3 reverted. CVE-2018-20145 (Eclipse Mosquitto 1.5.x before 1.5.5 allows ACL bypass: if the option ...) - mosquitto 1.5.5-1 [stretch] - mosquitto (Only affects 1.5.x) [jessie] - mosquitto (Only affects 1.5.x) NOTE: https://github.com/eclipse/mosquitto/commit/9097577b49b7fdcf45d30975976dd93808ccc0c4 NOTE: https://github.com/eclipse/mosquitto/issues/1073 CVE-2018-20122 (The web interface on FASTGate Fastweb devices with firmware through 0. ...) NOT-FOR-US: FASTGate Fastweb CVE-2018-20121 (Podcast Generator 2.7 has stored cross-site scripting (XSS) via the UR ...) NOT-FOR-US: Podcast Generator CVE-2018-20120 RESERVED CVE-2018-20119 RESERVED CVE-2018-20118 RESERVED CVE-2018-20117 RESERVED CVE-2018-20116 RESERVED CVE-2018-20115 RESERVED CVE-2018-20114 (On D-Link DIR-818LW Rev.A 2.05.B03 and DIR-860L Rev.B 2.03.B03 devices ...) NOT-FOR-US: D-Link CVE-2018-20113 REJECTED CVE-2018-20112 REJECTED CVE-2018-20111 REJECTED CVE-2018-20110 REJECTED CVE-2018-20109 REJECTED CVE-2018-20108 REJECTED CVE-2018-20107 REJECTED CVE-2018-20106 (In yast2-printer up to and including version 4.0.2 the SMB printer set ...) NOT-FOR-US: yast2-printer CVE-2018-20105 (A Inclusion of Sensitive Information in Log Files vulnerability in yas ...) NOT-FOR-US: yast-rmt CVE-2018-20104 RESERVED CVE-2018-20103 (An issue was discovered in dns.c in HAProxy through 1.8.14. In the cas ...) - haproxy 1.8.15-1 (bug #916307) [stretch] - haproxy (Minor issue; can be fixed via point release) [jessie] - haproxy (Vulnerable code not present) NOTE: http://git.haproxy.org/?p=haproxy.git;a=commit;h=58df5aea0a0c926b2238f65908f5e9f83d1cca25 CVE-2018-20102 (An out-of-bounds read in dns_validate_dns_response in dns.c was discov ...) - haproxy 1.8.15-1 (bug #916308) [stretch] - haproxy (Minor issue; can be fixed via point release) [jessie] - haproxy (Vulnerable code not present) NOTE: http://git.haproxy.org/?p=haproxy.git;a=commit;h=efbbdf72992cd20458259962346044cafd9331c0 CVE-2018-20101 (The codection "Import users from CSV with meta" plugin before 1.12.1 f ...) NOT-FOR-US: codection "Import users from CSV with meta" plugin for WordPress CVE-2018-20100 (An issue was discovered on August Connect devices. Insecure data trans ...) NOT-FOR-US: August Connect CVE-2018-20099 (There is an infinite loop in Exiv2::Jp2Image::encodeJp2Header of jp2im ...) [experimental] - exiv2 (low) - exiv2 (Vulnerable code introduced later) NOTE: https://github.com/Exiv2/exiv2/issues/590 NOTE: https://github.com/Exiv2/exiv2/commit/eff0f52d0466d81beabf304e2500f3039fd90252 CVE-2018-20098 (There is a heap-based buffer over-read in Exiv2::Jp2Image::encodeJp2He ...) [experimental] - exiv2 (low) - exiv2 (Vulnerable code introduced later) NOTE: https://github.com/Exiv2/exiv2/issues/590 NOTE: https://github.com/Exiv2/exiv2/commit/eff0f52d0466d81beabf304e2500f3039fd90252 NOTE: https://github.com/TeamSeri0us/pocs/tree/master/exiv2/20181206 CVE-2018-20097 (There is a SEGV in Exiv2::Internal::TiffParserWorker::findPrimaryGroup ...) {DLA-1691-1} - exiv2 0.27.2-6 (low) [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/issues/590 NOTE: https://github.com/Exiv2/exiv2/commit/203ab0db28c9666b16069d4056ac5f66f753a51d CVE-2018-20096 (There is a heap-based buffer over-read in the Exiv2::tEXtToDataBuf fun ...) [experimental] - exiv2 (low) - exiv2 (Vulnerable code introduced later) NOTE: https://github.com/Exiv2/exiv2/issues/590 CVE-2018-20095 (An issue was discovered in EnsureCapacity in Core/Ap4Array.h in Bento4 ...) NOT-FOR-US: Bento4 CVE-2018-20094 (An issue was discovered in XXL-CONF 1.6.0. There is a path traversal v ...) NOT-FOR-US: XXL-CONF CVE-2018-20093 RESERVED CVE-2018-20092 (PTC ThingWorx Platform through 8.3.0 is vulnerable to a directory trav ...) NOT-FOR-US: PTC ThingWorx Platform CVE-2018-20091 (An SQL injection vulnerability was found in Cloudera Data Science Work ...) NOT-FOR-US: Cloudera Data Science Workbench CVE-2018-20090 (An issue was discovered in Cloudera Data Science Workbench (CDSW) 1.4. ...) NOT-FOR-US: Cloudera CVE-2018-20089 RESERVED CVE-2018-20088 RESERVED CVE-2018-20087 RESERVED CVE-2018-20086 RESERVED CVE-2018-20085 RESERVED CVE-2018-20084 RESERVED CVE-2018-20083 RESERVED CVE-2018-20082 RESERVED CVE-2018-20081 RESERVED CVE-2018-20080 RESERVED CVE-2018-20079 RESERVED CVE-2018-20078 RESERVED CVE-2018-20077 RESERVED CVE-2018-20076 RESERVED CVE-2018-20075 RESERVED CVE-2018-20074 RESERVED CVE-2018-20073 (Use of extended attributes in downloads in Google Chrome prior to 72.0 ...) {DSA-4395-1} - chromium 72.0.3626.81-1 (low) CVE-2018-20072 RESERVED CVE-2018-20071 (Insufficiently strict origin checks during JIT payment app installatio ...) {DSA-4330-1} - chromium-browser 70.0.3538.67-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-20070 (Incorrect handling of confusable characters in URL Formatter in Google ...) {DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-20069 (Failure to prevent navigation to top frame to data URLs in Navigation ...) - chromium (Specific to iOS) CVE-2018-20068 (Incorrect handling of 304 status codes in Navigation in Google Chrome ...) {DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-20067 (A renderer initiated back navigation was incorrectly allowed to cancel ...) {DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-20066 (Incorrect object lifecycle in Extensions in Google Chrome prior to 71. ...) {DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-20065 (Handling of URI action in PDFium in Google Chrome prior to 71.0.3578.8 ...) {DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-20064 (doorGets 7.0 allows remote attackers to write to arbitrary files via d ...) NOT-FOR-US: doorGets CVE-2018-20063 (An issue was discovered in Gurock TestRail 5.6.0.3853. An "Unrestricte ...) NOT-FOR-US: Gurock TestRail CVE-2018-20062 (An issue was discovered in NoneCms V1.3. thinkphp/library/think/App.ph ...) NOT-FOR-US: NoneCms CVE-2018-20061 (A SQL injection issue was discovered in ERPNext 10.x and 11.x through ...) NOT-FOR-US: Frappe ERPNext CVE-2018-20060 (urllib3 before version 1.23 does not remove the Authorization HTTP hea ...) - python-urllib3 1.24-1 [stretch] - python-urllib3 (Minor issue) [jessie] - python-urllib3 (Minor issue) NOTE: https://github.com/urllib3/urllib3/issues/1316 NOTE: https://github.com/urllib3/urllib3/pull/1346 NOTE: https://github.com/urllib3/urllib3/commit/3d7f98b07b6e6e04c2e89cdf5afb18024a2d804c NOTE: https://github.com/urllib3/urllib3/commit/f99912beeaf230ee3634b938d3ea426ffd1f3e57 NOTE: https://github.com/urllib3/urllib3/commit/48dba048081dfcb999afcda715d17147aa15b6ea NOTE: https://github.com/urllib3/urllib3/commit/23e2eb56af23db5a1eeb8ad9b51dd99a27c15522 NOTE: https://github.com/urllib3/urllib3/commit/5e9c6b9175d66170ef65fc703f2e46788a59ca0c NOTE: https://github.com/urllib3/urllib3/commit/9c9dd6f3014e89bb9c532b641abcf1b24c3896ab NOTE: https://github.com/urllib3/urllib3/commit/6245ddddb7f80740c5c15e1750e5b9f68c5b2b5f NOTE: https://github.com/urllib3/urllib3/commit/3b5f27449e153ad05186beca8fbd9b134936fe50 NOTE: https://github.com/urllib3/urllib3/commit/1742538d57865e61125c6c12a755b5db41636fe7 NOTE: https://github.com/urllib3/urllib3/commit/2a42e70ff077006d5a6da92251ddbb2939303f94 NOTE: https://github.com/urllib3/urllib3/commit/e8a727a0b8389f5f75981858a8bbb319646f4450 NOTE: https://github.com/urllib3/urllib3/commit/63948f3a607ed8e7a3ce9ac4e20782359896e27e NOTE: https://github.com/urllib3/urllib3/commit/560bd227b90f74417ffaedebf5f8d05a8ee4f532 NOTE: Fixed upstream in 1.23 CVE-2018-20059 (jaxb/JaxbEngine.java in Pippo 1.11.0 allows XXE. ...) NOT-FOR-US: Pippo CVE-2018-20058 (In Evernote before 7.6 on macOS, there is a local file path traversal ...) NOT-FOR-US: Evernote CVE-2018-20057 (An issue was discovered in /bin/boa on D-Link DIR-619L Rev.B 2.06B1 an ...) NOT-FOR-US: D-Link CVE-2018-20056 (An issue was discovered in /bin/boa on D-Link DIR-619L Rev.B 2.06B1 an ...) NOT-FOR-US: D-Link CVE-2018-20055 RESERVED CVE-2018-20054 RESERVED CVE-2018-20053 (An issue was discovered on Cerner Connectivity Engine (CCE) 4 devices. ...) NOT-FOR-US: Cerner Connectivity Engine (CCE) 4 devices CVE-2018-20052 (An issue was discovered on Cerner Connectivity Engine (CCE) 4 devices. ...) NOT-FOR-US: Cerner Connectivity Engine (CCE) 4 devices CVE-2018-20051 (Mishandling of '>' on the Jooan JA-Q1H Wi-Fi camera with firmware 2 ...) NOT-FOR-US: Jooan JA-Q1H Wi-Fi camera CVE-2018-20050 (Mishandling of an empty string on the Jooan JA-Q1H Wi-Fi camera with f ...) NOT-FOR-US: Jooan JA-Q1H Wi-Fi camera CVE-2018-20049 RESERVED CVE-2018-20048 RESERVED CVE-2018-20047 RESERVED CVE-2018-20046 RESERVED CVE-2018-20045 RESERVED CVE-2018-20044 RESERVED CVE-2018-20043 RESERVED CVE-2018-20042 RESERVED CVE-2018-20041 RESERVED CVE-2018-20040 RESERVED CVE-2018-20039 RESERVED CVE-2018-20038 RESERVED CVE-2018-20037 RESERVED CVE-2018-20036 RESERVED CVE-2018-20035 RESERVED CVE-2018-20034 (A Denial of Service vulnerability related to adding an item to a list ...) NOT-FOR-US: FlexNet Publisher CVE-2018-20033 (A Remote Code Execution vulnerability in lmgrd and vendor daemon compo ...) NOT-FOR-US: FlexNet Publisher CVE-2018-20032 (A Denial of Service vulnerability related to message decoding in lmgrd ...) NOT-FOR-US: FlexNet Publisher CVE-2018-20031 (A Denial of Service vulnerability related to preemptive item deletion ...) NOT-FOR-US: FlexNet Publisher CVE-2018-20030 (An error when processing the EXIF_IFD_INTEROPERABILITY and EXIF_IFD_EX ...) {DLA-2222-1 DLA-2214-1} - libexif 0.6.21-5.1 (bug #918730) [stretch] - libexif (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-28/ NOTE: https://github.com/libexif/libexif/commit/6aa11df549114ebda520dde4cdaea2f9357b2c89 CVE-2018-20029 (The nxfs.sys driver in the DokanFS library 0.6.0 in NoMachine before 6 ...) NOT-FOR-US: nxfs.sys driver in the DokanFS library in NoMachine on Windows CVE-2019-2394 RESERVED CVE-2019-2393 RESERVED CVE-2019-2392 RESERVED CVE-2019-2391 (Incorrect parsing of certain JSON input may result in js-bson not corr ...) [experimental] - node-mongodb 3.5.5+~cs11.12.19-1 - node-mongodb 3.5.6+~cs11.12.19-1 [buster] - node-mongodb 3.1.13+~3.1.11-2+deb10u1 NOTE: Fixed in js-bson v1.1.4 included in 3.5.5+~cs11.12.19 CVE-2019-2390 (An unprivileged user or program on Microsoft Windows which can create ...) NOT-FOR-US: Microsoft CVE-2019-2389 (Incorrect scoping of kill operations in MongoDB Server's packaged SysV ...) - mongodb (low) [stretch] - mongodb (Minor issue) [jessie] - mongodb (Minor issue) CVE-2019-2388 (In affected Ops Manager versions there is an exposed http route was th ...) NOT-FOR-US: MongoDB Ops Manager CVE-2019-2387 RESERVED CVE-2019-2386 (After user deletion in MongoDB Server the improper invalidation of aut ...) - mongodb (low; bug #934783) [stretch] - mongodb (Minor issue) [jessie] - mongodb (Trivial workaround available) NOTE: https://jira.mongodb.org/browse/SERVER-38984 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829 CVE-2019-2385 RESERVED CVE-2019-2384 RESERVED CVE-2019-2383 RESERVED CVE-2019-2382 RESERVED CVE-2019-2381 RESERVED CVE-2019-2380 RESERVED CVE-2019-2379 RESERVED CVE-2019-2378 RESERVED CVE-2019-2377 RESERVED CVE-2019-2376 RESERVED CVE-2019-2375 RESERVED CVE-2019-2374 RESERVED CVE-2019-2373 RESERVED CVE-2019-2372 RESERVED CVE-2019-2371 RESERVED CVE-2019-2370 RESERVED CVE-2019-2369 RESERVED CVE-2019-2368 RESERVED CVE-2019-2367 RESERVED CVE-2019-2366 RESERVED CVE-2019-2365 RESERVED CVE-2019-2364 RESERVED CVE-2019-2363 RESERVED CVE-2019-2362 RESERVED CVE-2019-2361 RESERVED CVE-2019-2360 RESERVED CVE-2019-2359 RESERVED CVE-2019-2358 RESERVED CVE-2019-2357 RESERVED CVE-2019-2356 RESERVED CVE-2019-2355 RESERVED CVE-2019-2354 RESERVED CVE-2019-2353 RESERVED CVE-2019-2352 RESERVED CVE-2019-2351 RESERVED CVE-2019-2350 RESERVED CVE-2019-2349 RESERVED CVE-2019-2348 RESERVED CVE-2019-2347 RESERVED CVE-2019-2346 (Firmware is getting into loop of overwriting memory when scan command ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2345 (Race condition while accessing DMA buffer in jpeg driver in Snapdragon ...) NOT-FOR-US: Snapdragon CVE-2019-2344 RESERVED CVE-2019-2343 (Out of bound read and information disclosure in firmware due to insuff ...) NOT-FOR-US: Snapdragon CVE-2019-2342 RESERVED CVE-2019-2341 (Buffer overflow when the audio buffer size provided by user is larger ...) NOT-FOR-US: Snapdragon CVE-2019-2340 RESERVED CVE-2019-2339 (Out of bound access due to lack of check of whiltelist array size whil ...) NOT-FOR-US: Snapdragon CVE-2019-2338 (Crafted image that has a valid signature from a non-QC entity can be l ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2337 (While Skipping unknown IES, EMM is reading the buffer even if the no o ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2336 (Subsequent use of the CBO listener may result in further memory corrup ...) NOT-FOR-US: Snapdragon CVE-2019-2335 (While processing Attach Reject message, Valid exit condition is not me ...) NOT-FOR-US: Snapdragon CVE-2019-2334 (Null pointer dereferencing can happen when playing the clip with wrong ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2333 (Buffer overflow due to improper validation of buffer size while IPA dr ...) NOT-FOR-US: Snapdragon CVE-2019-2332 (Memory corruption while accessing the memory as payload size is not va ...) NOT-FOR-US: Snapdragon CVE-2019-2331 (Possible Integer overflow because of subtracting two integers without ...) NOT-FOR-US: Snapdragon CVE-2019-2330 (improper input validation in allocation request for secure allocations ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2329 (Use after free issue in cleanup routine due to missing pointer sanitiz ...) NOT-FOR-US: Snapdragon CVE-2019-2328 (Possible buffer overflow when number of channels passed is more than s ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2327 (Possible buffer overflow can occur when playing clip with incorrect el ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2326 (Data token is received from ADSP and is used without validation as an ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2325 (Out of boundary access due to token received from ADSP and is used wit ...) NOT-FOR-US: Snapdragon CVE-2019-2324 (When ADSP is compromised, the audio port index that`s returned from AD ...) NOT-FOR-US: Snapdragon CVE-2019-2323 (Lack of check to ensure crypto engine data passed by user is initializ ...) NOT-FOR-US: Snapdragon CVE-2019-2322 (Buffer overflow can occur when playing specific clip which is non-stan ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2321 (Incorrect length used while validating the qsee log buffer sent from H ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2320 (Possible out of bounds write in a MT SMS/SS scenario due to improper v ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2319 (HLOS could corrupt CPZ page table memory for S1 managed VMs in Snapdra ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2318 (Non Secure Kernel can cause Trustzone to do an arbitrary memory read w ...) NOT-FOR-US: Snapdragon CVE-2019-2317 (The secret key used to make the Initial Sequence Number in the TCP SYN ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2316 (When computing the digest a local variable is used after going out of ...) NOT-FOR-US: Snapdragon CVE-2019-2315 (While invoking the API to copy from fd or local buffer to the secure b ...) NOT-FOR-US: Snapdragon CVE-2019-2314 (Possible race condition that will cause a use-after-free when writing ...) NOT-FOR-US: Snapdragon CVE-2019-2313 RESERVED CVE-2019-2312 (When handling the vendor command there exists a potential buffer overf ...) NOT-FOR-US: Snapdragon CVE-2019-2311 (Possible buffer overflow in WLAN handler due to lack of validation of ...) NOT-FOR-US: Snapdragon CVE-2019-2310 (Out of bound read would occur while trying to read action category and ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2309 (While storing calibrated data from firmware in cache, An integer overf ...) NOT-FOR-US: Snapdragon CVE-2019-2308 (User application could potentially make RPC call to the fastrpc driver ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2307 (Possible integer underflow due to lack of validation before calculatio ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2306 (Improper casting of structure while handling the buffer leads to out o ...) NOT-FOR-US: Snapdragon CVE-2019-2305 (Out of bound access when reason code is extracted from frame data with ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2304 (Integer overflow to buffer overflow due to lack of validation of event ...) NOT-FOR-US: Snapdragon CVE-2019-2303 (SNDCP module may access array out side its boundary when it receives m ...) NOT-FOR-US: Snapdragon CVE-2019-2302 (While processing vendor command which contains corrupted channel count ...) NOT-FOR-US: Snapdragon CVE-2019-2301 (Possibility of out-of-bound read if id received from SPI is not in ran ...) NOT-FOR-US: Snapdragon CVE-2019-2300 (Possible buffer overflow in WLAN handler due to lack of validation of ...) NOT-FOR-US: Snapdragon CVE-2019-2299 (An out-of-bound write can be triggered by a specially-crafted command ...) NOT-FOR-US: Snapdragon CVE-2019-2298 (Protection is missing while accessing md sessions info via macro which ...) NOT-FOR-US: Snapdragon CVE-2019-2297 (Buffer overflow can occur while processing non-standard NAN message fr ...) NOT-FOR-US: Snapdragon CVE-2019-2296 RESERVED CVE-2019-2295 (Information disclosure due to lack of address range check done on the ...) NOT-FOR-US: Snapdragon CVE-2019-2294 (Usage of hard-coded magic number for calculating heap guard bytes can ...) NOT-FOR-US: Snapdragon CVE-2019-2293 (Pointer dereference while freeing IFE resources due to lack of length ...) NOT-FOR-US: Snapdragon CVE-2019-2292 (Out of bound access can occur due to buffer copy without checking size ...) NOT-FOR-US: Snapdragon CVE-2019-2291 RESERVED CVE-2019-2290 (Multiple open and close from multiple threads will lead camera driver ...) NOT-FOR-US: Snapdragon CVE-2019-2289 (Lack of integrity check allows MODEM to accept any NAS messages which ...) NOT-FOR-US: Snapdragon CVE-2019-2288 (Out of bound write in TZ while copying the secure dump structure on HL ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2287 (Improper validation for inputs received from firmware can lead to an o ...) NOT-FOR-US: Snapdragon CVE-2019-2286 RESERVED CVE-2019-2285 (Out of bound write issue is observed while giving information about pr ...) NOT-FOR-US: Snapdragon CVE-2019-2284 (Possible use-after-free issue due to a race condition while calling ca ...) NOT-FOR-US: Snapdragon CVE-2019-2283 (Improper validation of read and write index of tx and rx fifo`s before ...) NOT-FOR-US: Snapdragon CVE-2019-2282 RESERVED CVE-2019-2281 (An unauthenticated bitmap image can be loaded in to memory and subsequ ...) NOT-FOR-US: Snapdragon CVE-2019-2280 RESERVED CVE-2019-2279 (Shared memory gets updated with invalid data and may lead to access be ...) NOT-FOR-US: Snapdragon CVE-2019-2278 (User keystore signature is ignored in boot and can lead to bypass boot ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2277 (Out of bound read can happen due to lack of NULL termination on user c ...) NOT-FOR-US: Snapdragon CVE-2019-2276 (Possible out of bound read occurs while processing beaconing request d ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2275 (While deserializing any key blob during key operations, buffer overflo ...) NOT-FOR-US: Snapdragon CVE-2019-2274 (Improper Access Control for RPU write access from secure processor in ...) NOT-FOR-US: Snapdragon CVE-2019-2273 (IOMMU page fault while playing h265 video file leads to denial of serv ...) NOT-FOR-US: Snapdragon CVE-2019-2272 (Buffer overflow can occur in display function due to lack of validatio ...) NOT-FOR-US: Snapdragon CVE-2019-2271 (Buffer over read can happen while parsing downlink session management ...) NOT-FOR-US: Snapdragon CVE-2019-2270 RESERVED CVE-2019-2269 (Possible buffer overflow while processing the high level lim process a ...) NOT-FOR-US: Snapdragon CVE-2019-2268 (Possible OOB read issue in P2P action frames while handling WLAN manag ...) NOT-FOR-US: Snapdragon CVE-2019-2267 (Locked regions may be modified through other interfaces in secure boot ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2266 (Possible double free issue in kernel while handling the camera sensor ...) NOT-FOR-US: Snapdragon CVE-2019-2265 RESERVED CVE-2019-2264 (Null pointer dereference occurs for channel context while opening glin ...) NOT-FOR-US: Snapdragon CVE-2019-2263 (Access to freed memory can happen while reading from diag driver due t ...) NOT-FOR-US: Snapdragon CVE-2019-2262 RESERVED CVE-2019-2261 (Unauthorized access from GPU subsystem to HLOS or other non secure sub ...) NOT-FOR-US: Snapdragon CVE-2019-2260 (A race condition occurs while processing perf-event which can lead to ...) NOT-FOR-US: Snapdragon CVE-2019-2259 (Resource allocation error while playing the video whose dimensions are ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2258 (Improper validation of array index causes OOB write and then leads to ...) NOT-FOR-US: Snapdragon CVE-2019-2257 (Wrong permissions in configuration file can lead to unauthorized permi ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2256 (An unprivileged user can craft a bitstream such that the payload encod ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2255 (An unprivileged user can craft a bitstream such that the payload encod ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2254 (Position determination accuracy may be degraded due to wrongly decoded ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2253 (Buffer over-read can occur while parsing an ogg file with a corrupted ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2252 (Classic buffer overflow vulnerability while playing the specific video ...) NOT-FOR-US: Snapdragon CVE-2019-2251 (If a bitmap file is loaded from any un-authenticated source, there is ...) NOT-FOR-US: Snapdragon CVE-2019-2250 (Kernel can write to arbitrary memory address passed by user while free ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2249 (Kernel can do a memory read from arbitrary address passed by user duri ...) NOT-FOR-US: Snapdragon CVE-2019-2248 (Buffer overflow can occur if invalid header tries to overwrite the exi ...) NOT-FOR-US: Snapdragon CVE-2019-2247 (Possibility of double free issue while running multiple instances of s ...) NOT-FOR-US: Snapdragon CVE-2019-2246 (Thread start can cause invalid memory writes to arbitrary memory locat ...) NOT-FOR-US: Snapdragon CVE-2019-2245 (Possible integer underflow can happen when calculating length of eleme ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2244 (Possible integer underflow can happen when calculating length of eleme ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2243 (Possible buffer overflow at the end of iterating loop while getting th ...) NOT-FOR-US: Snapdragon CVE-2019-2242 (Device memory may get corrupted because of buffer overflow/underflow. ...) NOT-FOR-US: Snapdragon CVE-2019-2241 (While rendering the layout background, Error status check is not caugh ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2240 (While sending the rendered surface content to the screen, Error handli ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2239 (Sanity checks are missing in layout which can lead to SUI Corruption o ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2238 (Lack of check of data type can lead to subsequent loop-expression pote ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2237 (Failure in taking appropriate action to handle the error case If keypa ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2236 (Null pointer dereference during secure application termination using s ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2235 (Buffer overflow occurs when emulated RPMB is used due to sector size a ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2234 RESERVED CVE-2019-2233 (In getUserCount and getCount of UserSwitcherController.java, there is ...) NOT-FOR-US: Android CVE-2019-2232 (In handleRun of TextLine.java, there is a possible application crash d ...) NOT-FOR-US: Android CVE-2019-2231 (In Blob::Blob of blob.cpp, there is a possible unencrypted master key ...) NOT-FOR-US: Android CVE-2019-2230 (In nfcManager_routeAid and nfcManager_unrouteAid of NativeNfcManager.c ...) NOT-FOR-US: Android CVE-2019-2229 (In updateWidget of BaseWidgetProvider.java, there is a possible leak o ...) NOT-FOR-US: Android CVE-2019-2228 (In array_find of array.c, there is a possible out-of-bounds read due t ...) {DLA-2047-1} - cups 2.3.1-1 (bug #946782) [buster] - cups 2.2.10-6+deb10u2 [stretch] - cups 2.2.1-8+deb9u5 NOTE: https://github.com/apple/cups/commit/b018978c278d42c7abf78941251b887c95dfdb07 (master, v2.3.1) NOTE: https://github.com/apple/cups/commit/8c9b3606cca99e5dfc51784a9de1634345db7579 (v2.2.13) CVE-2019-2227 (In DeepCopy of btif_av.cc, there is a possible out of bounds read due ...) NOT-FOR-US: Android CVE-2019-2226 (In device_class_to_int of device_class.cc, there is a possible out of ...) NOT-FOR-US: Android CVE-2019-2225 (When pairing with a Bluetooth device, it may be possible to pair a mal ...) NOT-FOR-US: Android CVE-2019-2224 REJECTED CVE-2019-2223 (In ihevcd_ref_list of ihevcd_ref_list.c, there is a possible out of bo ...) NOT-FOR-US: Android Media Framework CVE-2019-2222 (n ihevcd_parse_slice_data of ihevcd_parse_slice.c, there is a possible ...) NOT-FOR-US: Android Media Framework CVE-2019-2221 (In hasActivityInVisibleTask of WindowProcessController.java there̵ ...) NOT-FOR-US: Android CVE-2019-2220 (In checkOperation of AppOpsService.java, there is a possible bypass of ...) NOT-FOR-US: Android CVE-2019-2219 (In System UI, there is a possible bypass of user's consent for access ...) NOT-FOR-US: Android CVE-2019-2218 (In createSessionInternal of PackageInstallerService.java, there is a p ...) NOT-FOR-US: Android CVE-2019-2217 (In setCpuVulkanInUse of GpuStats.cpp, there is possible memory corrupt ...) NOT-FOR-US: Android CVE-2019-2216 (In overlay notifications, there is a possible hidden notification due ...) NOT-FOR-US: Android CVE-2019-2215 (A use-after-free in binder.c allows an elevation of privilege from an ...) {DLA-2114-1 DLA-2068-1} - linux 4.15.4-1 [stretch] - linux 4.9.210-1 NOTE: Fixed by: https://git.kernel.org/linus/f5cb779ba16334b45ba8946d6bfa6d9834d1527f CVE-2019-2214 (In binder_transaction of binder.c, there is a possible out of bounds w ...) - linux 5.2.6-1 [buster] - linux (Vulnerability introduced later) [stretch] - linux (Vulnerability introduced later) [jessie] - linux (Vulnerability introduced later) NOTE: https://lore.kernel.org/driverdev-devel/20190709110923.220736-1-maco@android.com/ NOTE: https://git.kernel.org/linus/a56587065094fd96eb4c2b5ad65571daad32156d CVE-2019-2213 (In binder_free_transaction of binder.c, there is a possible use-after- ...) - linux 5.2.6-1 [buster] - linux 4.19.67-1 [jessie] - linux (Android drivers not supported) NOTE: https://lore.kernel.org/patchwork/patch/1087916/ CVE-2019-2212 (In poisson_distribution of random, there is an out of bounds read. Thi ...) - libc++ [stretch] - libc++ (Minor issue) [jessie] - libc++ (Minor issue, Jessie versions of software that uses poisson distribution have low popcon) - llvm-toolchain-6.0 [buster] - llvm-toolchain-6.0 (Minor issue) [jessie] - llvm-toolchain-6.0 (Minor issue, Jessie versions of software that uses poisson distribution have low popcon) - llvm-toolchain-8 NOTE: https://android.googlesource.com/platform/external/libcxx/+/4cebe6f1f01a34546b3b843b5267619a61bd7d39 NOTE: https://android.googlesource.com/platform/external/libcxx/+/8260b5d56f6880a29b57f73b7f4866e47e9e4818 NOTE: https://android.googlesource.com/platform/external/libcxx/+/a16cd9df50f22ccf65cf27eddc0403791116c75a NOTE: template is affected, so dependencies need a rebuild CVE-2019-2211 (In createProjectionMapForQuery of TvProvider.java, there is possible S ...) NOT-FOR-US: Android CVE-2019-2210 (In load_logging_config of qmi_vs_service.cc, there is a possible out o ...) NOT-FOR-US: Android CVE-2019-2209 (In BTA_DmPinReply of bta_dm_api.cc, there is a possible out of bounds ...) NOT-FOR-US: Android CVE-2019-2208 (In PromiseBuiltinsAssembler::NewPromiseCapability of builtins-promise. ...) NOT-FOR-US: Android CVE-2019-2207 (In nfa_hci_handle_admin_gate_rsp of nfa_hci_act.cc, there is a possibl ...) NOT-FOR-US: Android CVE-2019-2206 (In rw_i93_sm_set_read_only of rw_i93.cc, there is a possible out of bo ...) NOT-FOR-US: Android CVE-2019-2205 (In ProxyResolverV8::SetPacScript of proxy_resolver_v8.cc, there is a p ...) NOT-FOR-US: Android CVE-2019-2204 (In FindSharedFunctionInfo of objects.cc, there is a possible out of bo ...) NOT-FOR-US: Android CVE-2019-2203 (In CryptoPlugin::decrypt of CryptoPlugin.cpp, there is a possible out ...) NOT-FOR-US: Android media framework CVE-2019-2202 (In CryptoPlugin::decrypt of CryptoPlugin.cpp, there is a possible out ...) NOT-FOR-US: Android media framework CVE-2019-2201 (In generate_jsimd_ycc_rgb_convert_neon of jsimd_arm64_neon.S, there is ...) [experimental] - libjpeg-turbo 1:2.0.3-1~exp1 - libjpeg-turbo (low) [buster] - libjpeg-turbo (Minor issue) [stretch] - libjpeg-turbo (Minor issue) [jessie] - libjpeg-turbo (No package in Debian jessie uses the TurboJPEG API) NOTE: https://source.android.com/security/bulletin/2019-11-01 NOTE: https://android.googlesource.com/platform/external/libjpeg-turbo/+/d3db2a2634c422286f75c4b38af98837f3d2f0ff NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/361 NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/2a9e3bd7430cfda1bc812d139e0609c6aca0b884 NOTE: https://github.com/clearlinux-pkgs/libjpeg-turbo/commit/0a5d06c3dd4a64754d7e6ffa081fd9132714f74c CVE-2019-2200 (In updatePermissions of PermissionManagerService.java, it may be possi ...) NOT-FOR-US: Android CVE-2019-2199 (In createSessionInternal of PackageInstallerService.java, there is a p ...) NOT-FOR-US: Android CVE-2019-2198 (In Download Provider, there is a possible SQL injection vulnerability. ...) NOT-FOR-US: Android CVE-2019-2197 (In processPhonebookAccess of CachedBluetoothDevice.java, there is a po ...) NOT-FOR-US: Android CVE-2019-2196 (In Download Provider, there is possible SQL injection. This could lead ...) NOT-FOR-US: Android CVE-2019-2195 (In tokenize of sqlite3_android.cpp, there is a possible attacker contr ...) NOT-FOR-US: Android CVE-2019-2194 RESERVED NOT-FOR-US: Android CVE-2019-2193 (In WelcomeActivity.java and related files, there is a possible permiss ...) NOT-FOR-US: Android CVE-2019-2192 (In call of SliceProvider.java, there is a possible permissions bypass ...) NOT-FOR-US: Android CVE-2019-2191 (In LG's LAF component, there is a possible leak of information in a pr ...) NOT-FOR-US: LG components for Android CVE-2019-2190 (In LG's LAF component, there is a possible leak of information in a pr ...) NOT-FOR-US: LG components for Android CVE-2019-2189 (In the Easel driver, there is possible memory corruption due to race c ...) NOT-FOR-US: Android CVE-2019-2188 (In the Easel driver, there is possible memory corruption due to race c ...) NOT-FOR-US: Android CVE-2019-2187 (In nfc_ncif_decode_rf_params of nfc_ncif.cc, there is a possible out o ...) NOT-FOR-US: Android CVE-2019-2186 (In GetMBheader of combined_decode.cpp, there is a possible out of boun ...) NOT-FOR-US: Android Media Framework CVE-2019-2185 (In VlcDequantH263IntraBlock_SH of vlc_dequant.cpp, there is a possible ...) NOT-FOR-US: Android Media Framework CVE-2019-2184 (In PV_DecodePredictedIntraDC of dec_pred_intra_dc.cpp, there is a poss ...) NOT-FOR-US: Android Media Framework CVE-2019-2183 (In generateServicesMap of RegisteredServicesCache.java, there is a pos ...) NOT-FOR-US: Android CVE-2019-2182 (In the Android kernel in the kernel MMU code there is a possible execu ...) {DSA-4698-1 DLA-2242-1} - linux 4.16.5-1 [jessie] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/15122ee2c515a253b0c66a3e618bc7ebe35105eb CVE-2019-2181 (In binder_transaction of binder.c in the Android kernel, there is a po ...) - linux 5.2.6-1 [buster] - linux (Vulnerable code not present) [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/0b0509508beff65c1d50541861bc0d4973487dc5 CVE-2019-2180 (In ippSetValueTag of ipp.c in Android 8.0, 8.1 and 9, there is a possi ...) {DLA-1893-1} - cups 2.2.12-1 (bug #934957) [buster] - cups 2.2.10-6+deb10u1 [stretch] - cups 2.2.1-8+deb9u4 NOTE: Covers the "Fixed IPP buffer overflow (rdar://50035411)" angle of NOTE: https://github.com/apple/cups/commit/f24e6cf6a39300ad0c3726a41a4aab51ad54c109 CVE-2019-2179 (In NDEF_MsgValidate of ndef_utils in Android 7.1.1, 7.1.2, 8.0, 8.1 an ...) NOT-FOR-US: Android CVE-2019-2178 (In rw_t4t_sm_read_ndef of rw_t4t in Android 7.1.1, 7.1.2, 8.0, 8.1 and ...) NOT-FOR-US: Android CVE-2019-2177 (In isPreferred of HidProfile.java in Android 7.1.1, 7.1.2, 8.0, 8.1 an ...) NOT-FOR-US: Android CVE-2019-2176 (In ihevcd_parse_buffering_period_sei of ihevcd_parse_headers.c in Andr ...) NOT-FOR-US: Android media framework CVE-2019-2175 (In checkAccess of SliceManagerService.java in Android 9, there is a po ...) NOT-FOR-US: Android CVE-2019-2174 (In SensorManager::assertStateLocked of SensorManager.cpp in Android 7. ...) NOT-FOR-US: Android CVE-2019-2173 (In startActivityMayWait of ActivityStarter.java, there is a possible i ...) NOT-FOR-US: Android CVE-2019-2172 (In libxaac there is a possible information disclosure due to uninitial ...) NOT-FOR-US: Android CVE-2019-2171 (In libxaac there is a possible information disclosure due to uninitial ...) NOT-FOR-US: Android CVE-2019-2170 (In libxaac there is a possible information disclosure due to uninitial ...) NOT-FOR-US: Android CVE-2019-2169 (In libxaac there is a possible information disclosure due to uninitial ...) NOT-FOR-US: Android CVE-2019-2168 (In libxaac there is a possible information disclosure due to uninitial ...) NOT-FOR-US: Android CVE-2019-2167 (In libxaac there is a possible information disclosure due to uninitial ...) NOT-FOR-US: Android CVE-2019-2166 (In libxaac there is a possible information disclosure due to uninitial ...) NOT-FOR-US: Android CVE-2019-2165 (In libxaac there is a possible out of bounds read due to a missing bou ...) NOT-FOR-US: Android CVE-2019-2164 (In libxaac there is a possible out of bounds read due to a missing bou ...) NOT-FOR-US: Android CVE-2019-2163 (In libxaac there is a possible out of bounds read due to a missing bou ...) NOT-FOR-US: Android CVE-2019-2162 (In libxaac there is a possible out of bounds read due to a missing bou ...) NOT-FOR-US: Android CVE-2019-2161 (In libxaac there is a possible out of bounds read due to a missing bou ...) NOT-FOR-US: Android CVE-2019-2160 (In libxaac there is a possible out of bounds read due to a missing bou ...) NOT-FOR-US: Android CVE-2019-2159 (In libxaac there is a possible out of bounds write due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2158 (In libxaac, there is a possible out of bounds read due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2157 (In libxaac, there is a possible out of bounds read due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2156 (In libxaac, there is a possible out of bounds read due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2155 (In libxaac, there is a possible out of bounds read due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2154 (In libxaac, there is a possible out of bounds read due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2153 (In libxaac, there is a possible out of bounds read due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2152 (In libxaac, there is a possible out of bounds read due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2151 (In libxaac, there is a possible out of bounds read due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2150 (In libxaac, there is a possible out of bounds read due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2149 (In libxaac, there is a possible out of bounds read due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2148 (In libxaac, there is a possible out of bounds read due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2147 (In libxaac, there is a possible out of bounds read due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2146 (In libxaac, there is a possible out of bounds read due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2145 (In libxaac, there is a possible out of bounds read due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2144 (In libxaac, there is a possible out of bounds read due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2143 (In libxaac, there is a possible out of bounds read due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2142 (In libxaac, there is a possible out of bounds read due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2141 (In libxaac there is a possible out of bounds write due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2140 (In libxaac, there is a possible information disclosure due to uninitia ...) NOT-FOR-US: Android CVE-2019-2139 (In libxaac, there is a possible out of bounds read due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2138 (In libxaac, there is a possible out of bounds read due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2137 (In the endCall() function of TelecomManager.java, there is a possible ...) NOT-FOR-US: Android CVE-2019-2136 (In Status::readFromParcel of Status.cpp, there is a possible out of bo ...) NOT-FOR-US: Android CVE-2019-2135 (In Mfc_Transceive of phNxpExtns_MifareStd.cpp, there is a possible out ...) NOT-FOR-US: Android CVE-2019-2134 (In phFriNfc_ExtnsTransceive of phNxpExtns_MifareStd.cpp, there is a po ...) NOT-FOR-US: Android CVE-2019-2133 (In Mfc_Transceive of phNxpExtns_MifareStd.cpp, there is a possible out ...) NOT-FOR-US: Android CVE-2019-2132 (It is possible to overlay the VPN dialog by a malicious application. T ...) NOT-FOR-US: Android CVE-2019-2131 (An application with overlay permission can display overlays on top of ...) NOT-FOR-US: Android CVE-2019-2130 (In CompilationJob::FinalizeJob of compiler.cc, there is a possible rem ...) NOT-FOR-US: Android CVE-2019-2129 (In extract3GPPGlobalDescriptions of TextDescriptions.cpp, there is a p ...) NOT-FOR-US: Android media framework CVE-2019-2128 (In ACELP_4t64_fx of c4t64fx.c, there is a possible out of bounds write ...) NOT-FOR-US: Android media framework CVE-2019-2127 (In AudioInputDescriptor::setClientActive of AudioInputDescriptor.cpp, ...) NOT-FOR-US: Android media framework CVE-2019-2126 (In ParseContentEncodingEntry of mkvparser.cc, there is a possible doub ...) NOT-FOR-US: Android media framework CVE-2019-2125 (In ChangeDefaultDialerDialog.java, there is a possible escalation of p ...) NOT-FOR-US: Android CVE-2019-2124 (In ComposeActivityEmailExternal of ComposeActivityEmailExternal.java i ...) NOT-FOR-US: Android CVE-2019-2123 (In execTransact of Binder.java in Android 7.1.1, 7.1.2, 8.0, 8.1, and ...) NOT-FOR-US: Android CVE-2019-2122 (In LockTaskController.lockKeyguardIfNeeded of the LockTaskController.j ...) NOT-FOR-US: Android CVE-2019-2121 (In ActivityManagerService.attachApplication of ActivityManagerService, ...) NOT-FOR-US: Android CVE-2019-2120 (In OatFileAssistant::GenerateOatFile of oat_file_assistant.cc, there i ...) NOT-FOR-US: Android CVE-2019-2119 (In multiple functions of key_store_service.cpp, there is a possible In ...) NOT-FOR-US: Android CVE-2019-2118 (In various functions of Parcel.cpp, there are uninitialized or partial ...) NOT-FOR-US: Android CVE-2019-2117 (In checkQueryPermission of TelephonyProvider.java, there is a possible ...) NOT-FOR-US: Android CVE-2019-2116 (In save_attr_seq of sdp_discovery.cc, there is a possible out-of-bound ...) NOT-FOR-US: Android CVE-2019-2115 (In GateKeeper::MintAuthToken of gatekeeper.cpp in Android 7.1.1, 7.1.2 ...) NOT-FOR-US: Android CVE-2019-2114 (In the default privileges of NFC, there is a possible local bypass of ...) NOT-FOR-US: Android CVE-2019-2113 (In setup wizard there is a bypass of some checks when wifi connection ...) NOT-FOR-US: Android CVE-2019-2112 (In several functions of alarm.cc, there is possible memory corruption ...) NOT-FOR-US: Android CVE-2019-2111 (In loop of DnsTlsSocket.cpp, there is a possible heap memory corruptio ...) NOT-FOR-US: Android CVE-2019-2110 (In ScreenRotationAnimation of ScreenRotationAnimation.java, there is a ...) NOT-FOR-US: Android CVE-2019-2109 (In MakeMPEG4VideoCodecSpecificData of AVIExtractor.cpp, there is a pos ...) NOT-FOR-US: Android media framework CVE-2019-2108 (In ihevcd_ref_list of ihevcd_ref_list.c in Android 10, there is a poss ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2107 (In ihevcd_parse_pps of ihevcd_parse_headers.c, there is a possible out ...) NOT-FOR-US: Android media framework CVE-2019-2106 (In ihevcd_sao_shift_ctb of ihevcd_sao.c, there is a possible out of bo ...) NOT-FOR-US: Android media framework CVE-2019-2105 (In FileInputStream::Read of file_input_stream.cc, there is a possible ...) NOT-FOR-US: Android CVE-2019-2104 (In HIDL, safe_union, and other C++ structs/unions being sent to applic ...) NOT-FOR-US: Android CVE-2019-2103 (In Google Assistant in Android 9, there is a possible permissions bypa ...) NOT-FOR-US: Android CVE-2019-2102 (In the Bluetooth Low Energy (BLE) specification, there is a provided e ...) NOT-FOR-US: Android CVE-2019-2101 (In uvc_parse_standard_control of uvc_driver.c, there is a possible out ...) {DLA-1862-1} - linux 4.19.37-1 [stretch] - linux 4.9.168-1 NOTE: https://git.kernel.org/linus/47bb117911b051bbc90764a8bff96543cbd2005f CVE-2019-2100 RESERVED CVE-2019-2099 (In nfa_rw_store_ndef_rx_buf of nfa_rw_act.cc, there is a possible out- ...) NOT-FOR-US: Android CVE-2019-2098 (In areNotificationsEnabledForPackage of NotificationManagerService.jav ...) NOT-FOR-US: Android CVE-2019-2097 (In HAliasAnalyzer.Query of hydrogen-alias-analysis.h, there is possibl ...) NOT-FOR-US: Android CVE-2019-2096 (In EffectRelease of EffectBundle.cpp, there is a possible memory corru ...) NOT-FOR-US: Android CVE-2019-2095 (In callGenIDChangeListeners and related functions of SkPixelRef.cpp, t ...) NOT-FOR-US: Android CVE-2019-2094 (In parseMPEGCCData of NuPlayerCCDecoder.cpp, there is a possible out o ...) NOT-FOR-US: Android CVE-2019-2093 (In huff_dec_1D of nlc_dec.cpp, there is a possible out of bounds write ...) NOT-FOR-US: Android CVE-2019-2092 (In isSeparateProfileChallengeAllowed of DevicePolicyManagerService.jav ...) NOT-FOR-US: Android CVE-2019-2091 (In GetPermittedAccessibilityServicesForUser of DevicePolicyManagerServ ...) NOT-FOR-US: Android CVE-2019-2090 (In isPackageDeviceAdminOnAnyUser of PackageManagerService.java, there ...) NOT-FOR-US: Android CVE-2019-2089 (In app uninstallation, there is a possible set of permissions that may ...) NOT-FOR-US: Android CVE-2019-2088 (In StatsService, there is a possible out of bounds read. This could le ...) NOT-FOR-US: Android CVE-2019-2087 (In libxaac, there is a possible out of bounds write due to a missing b ...) NOT-FOR-US: Android CVE-2019-2086 (In libxaac, there is a possible out of bounds write due to a missing b ...) NOT-FOR-US: Android CVE-2019-2085 (In libxaac there is a possible out of bounds write due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2084 (In libxaac there is a possible out of bounds write due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2083 (In libxaac there is a possible out of bounds write due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2082 (In libxaac there is a possible out of bounds write due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2081 (In libxaac there is a possible out of bounds write due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2080 (In libxaac, there is a possible out of bounds write due to a missing b ...) NOT-FOR-US: Android CVE-2019-2079 (In libxaac, there is a possible out of bounds read due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2078 (In libxaac there is a possible out of bounds write due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2077 (In libxaac there is a possible out of bounds write due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2076 (In libxaac there is a possible out of bounds write due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2075 (In libxaac there is a possible out of bounds write due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2074 (In libxaac there is a possible out of bounds write due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2073 (In libxaac there is a possible out of bounds write to missing bounds c ...) NOT-FOR-US: Android CVE-2019-2072 (In libxaac there is a possible out of bounds write due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2071 (In libxaac there is a possible out of bounds write due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2070 (In libxaac, there is a possible out of bounds write due to a missing b ...) NOT-FOR-US: Android CVE-2019-2069 (In libxaac, there is a possible out of bounds write due to a missing b ...) NOT-FOR-US: Android CVE-2019-2068 (In libxaac, there is a possible out of bounds write due to a missing b ...) NOT-FOR-US: Android CVE-2019-2067 (In libxaac, there is a possible out of bounds write due to a missing b ...) NOT-FOR-US: Android CVE-2019-2066 (In libxaac, there is a possible out of bounds write due to a missing b ...) NOT-FOR-US: Android CVE-2019-2065 (In libxaac, there is a possible out of bounds write due to a missing b ...) NOT-FOR-US: Android CVE-2019-2064 (In libxaac, there is a possible out of bounds write due to a missing b ...) NOT-FOR-US: Android CVE-2019-2063 (In libxaac, there is a possible out of bounds write due to a missing b ...) NOT-FOR-US: Android CVE-2019-2062 (In libxaac, there is a possible out of bounds write due to a missing b ...) NOT-FOR-US: Android CVE-2019-2061 (In libxaac, there is a possible out of bounds write due to a missing b ...) NOT-FOR-US: Android CVE-2019-2060 (In libxaac, there is a possible out of bounds read due to a missing bo ...) NOT-FOR-US: Android CVE-2019-2059 (In libxaac, there is a possible out of bounds write due to a missing b ...) NOT-FOR-US: Android CVE-2019-2058 (In libAACdec, there is a possible out of bounds read. This could lead ...) NOT-FOR-US: Android CVE-2019-2057 RESERVED CVE-2019-2056 (There is a possible disclosure of RAM using a shared crypto key due to ...) NOT-FOR-US: Android CVE-2019-2055 (In libxaac, there is a possible out of bounds write due to a missing b ...) NOT-FOR-US: Android CVE-2019-2054 (In the seccomp implementation prior to kernel version 4.8, there is a ...) - linux 4.8.5-1 [jessie] - linux (Documented limitation) NOTE: https://git.kernel.org/linus/0f3912fd934cdfd03d93f2dc6f064099795bf638 CVE-2019-2053 (In wnm_parse_neighbor_report_elem of wnm_sta.c, there is a possible ou ...) NOT-FOR-US: Android CVE-2019-2052 (In VisitPointers of heap.cc, there is a possible out-of-bounds read du ...) NOT-FOR-US: Android CVE-2019-2051 (In heap of spaces.h, there is a possible out of bounds read due to imp ...) NOT-FOR-US: Android CVE-2019-2050 (In tearDownClientInterface of WificondControl.java, there is a possibl ...) NOT-FOR-US: Android CVE-2019-2049 (In SendMediaUpdate and SendFolderUpdate of avrcp_service.cc, there is ...) NOT-FOR-US: Android CVE-2019-2048 RESERVED CVE-2019-2047 (In UpdateLoadElement of ic.cc, there is a possible out-of-bounds write ...) NOT-FOR-US: Android CVE-2019-2046 (In CalculateInstanceSizeForDerivedClass of objects.cc, there is possib ...) NOT-FOR-US: Android CVE-2019-2045 (In JSCallTyper of typer.cc, there is an out of bounds write due to an ...) NOT-FOR-US: Android CVE-2019-2044 (In MakeMP>G4VideoCodecSpecificData of APacketSource.cpp, there is a ...) NOT-FOR-US: Android Media Framework CVE-2019-2043 (In SmsDefaultDialog.onStart of SmsDefaultDialog.java, there is a possi ...) NOT-FOR-US: Android CVE-2019-2042 RESERVED CVE-2019-2041 (In the configuration of NFC modules on certain devices, there is a pos ...) NOT-FOR-US: Android CVE-2019-2040 (In rw_i93_process_ext_sys_info of rw_i93.cc, there is a possible out-o ...) NOT-FOR-US: Android CVE-2019-2039 (In rw_i93_sm_detect_ndef of rw_i93.cc, there is a possible out-of-boun ...) NOT-FOR-US: Android CVE-2019-2038 (In rw_i93_process_sys_info of rw_i93.cc, there is a possible out-of-bo ...) NOT-FOR-US: Android CVE-2019-2037 (In l2cu_send_peer_config_rej of l2c_utils.cc, there is a possible out- ...) NOT-FOR-US: Android CVE-2019-2036 (In okToConnect of HidHostService.java, there is a possible permission ...) NOT-FOR-US: Android CVE-2019-2035 (In rw_i93_sm_update_ndef of rw_i93.cc, there is a possible out-of-boun ...) NOT-FOR-US: Android CVE-2019-2034 (In rw_i93_sm_read_ndef of rw_i93.cc, there is a possible out-of-bounds ...) NOT-FOR-US: Android CVE-2019-2033 (In create_hdr of dnssd_clientstub.c, there is a possible use after fre ...) NOT-FOR-US: Android CVE-2019-2032 (In SetScanResponseData of ble_advertiser_hci_interface.cc, there is a ...) NOT-FOR-US: Android CVE-2019-2031 (In rw_t3t_act_handle_check_ndef_rsp of rw_t3t.cc, there is a possible ...) NOT-FOR-US: Android CVE-2019-2030 (In removeInterfaceAddress of NetworkController.cpp, there is a possibl ...) NOT-FOR-US: Android CVE-2019-2029 (In btm_proc_smp_cback of tm_ble.cc, there is a possible memory corrupt ...) NOT-FOR-US: Android CVE-2019-2028 (In numerous hand-crafted functions in libmpeg2, NEON registers are not ...) NOT-FOR-US: Android Media Framework CVE-2019-2027 (In floor0_inverse1 of floor0.c, there is a possible out of bounds writ ...) NOT-FOR-US: Android Media Framework CVE-2019-2026 (In updateAssistMenuItems of Editor.java, there is a possible escape fr ...) NOT-FOR-US: Android CVE-2019-2025 (In binder_thread_read of binder.c, there is a possible use-after-free ...) - linux 4.19.9-1 [stretch] - linux (Vulnerability introduced later) [jessie] - linux (Vulnerability introduced later) NOTE: Fixed by: https://git.kernel.org/linus/7bada55ab50697861eee6bb7d60b41e68a961a9c (4.20-rc5) CVE-2019-2024 (In em28xx_unregister_dvb of em28xx-dvb.c, there is a possible use afte ...) {DLA-1799-1} - linux 4.16.5-1 [stretch] - linux 4.9.144-1 NOTE: Fixed by: https://git.kernel.org/linus/910b0797fa9e8af09c44a3fa36cb310ba7a7218d (4.16-rc1) CVE-2019-2023 (In ServiceManager::add function in the hardware service manager, there ...) NOT-FOR-US: Android CVE-2019-2022 (In rw_t3t_act_handle_fmt_rsp and rw_t3t_act_handle_sro_rsp of rw_t3t.c ...) NOT-FOR-US: Android CVE-2019-2021 (In rw_t3t_act_handle_ndef_detect_rsp of rw_t3t.cc, there is a possible ...) NOT-FOR-US: Android CVE-2019-2020 (In llcp_dlc_proc_rr_rnr_pdu of llcp_dlc.cc, there is a possible out-of ...) NOT-FOR-US: Android CVE-2019-2019 (In ce_t4t_data_cback of ce_t4t.cc, there is a possible out-of-bound re ...) NOT-FOR-US: Android CVE-2019-2018 (In resetPasswordInternal of DevicePolicyManagerService.java, there is ...) NOT-FOR-US: Android CVE-2019-2017 (In rw_t2t_handle_tlv_detect_rsp of rw_t2t_ndef.cc, there is a possible ...) NOT-FOR-US: Android CVE-2019-2016 (In NFA_SendRawFrame of nfa_dm_api.cc, there is a possible out-of-bound ...) NOT-FOR-US: Android CVE-2019-2015 (In rw_t3t_act_handle_check_rsp of rw_t3t.cc, there is a possible out-o ...) NOT-FOR-US: Android CVE-2019-2014 (In rw_t3t_handle_get_sc_poll_rsp of rw_t3t.cc, there is a possible out ...) NOT-FOR-US: Android CVE-2019-2013 (In rw_t3t_act_handle_sro_rsp of rw_t3t.cc, there is a possible out-of- ...) NOT-FOR-US: Android CVE-2019-2012 (In rw_t3t_act_handle_fmt_rsp of rw_t3t.cc, there is a possible out-of- ...) NOT-FOR-US: Android CVE-2019-2011 (In readNullableNativeHandleNoDup of Parcel.cpp, there is a possible ou ...) NOT-FOR-US: Android CVE-2019-2010 (In phNxpNciHal_process_ext_rsp of phNxpNciHal_ext.cc, there is a possi ...) NOT-FOR-US: Android CVE-2019-2009 (In l2c_lcc_proc_pdu of l2c_fcr.cc, there is a possible out of bounds w ...) NOT-FOR-US: Android CVE-2019-2008 (In createEffect of AudioFlinger.cpp, there is a possible memory corrup ...) NOT-FOR-US: Android Media Framework CVE-2019-2007 (In getReadIndex and getWriteIndex of FifoControllerBase.cpp, there is ...) NOT-FOR-US: Android Media Framework CVE-2019-2006 (In serviceDied of HalDeathHandlerHidl.cpp, there is a possible memory ...) NOT-FOR-US: Android Media Framework CVE-2019-2005 (In onPermissionGrantResult of GrantPermissionsActivity.java, there is ...) NOT-FOR-US: Android CVE-2019-2004 (In publishKeyEvent, publishMotionEvent and sendUnchainedFinishedSignal ...) NOT-FOR-US: Android CVE-2019-2003 (In addLinks of Linkify.java, there is a possible phishing vector due t ...) NOT-FOR-US: Android CVE-2019-2002 RESERVED CVE-2019-2001 (The permissions on /proc/iomem were world-readable. This could lead to ...) NOT-FOR-US: Android kernel (no source release, so apparently not in mainline) CVE-2019-2000 (In several functions of binder.c, there is possible memory corruption ...) NOT-FOR-US: Android kernel (no source release, so apparently not in mainline) CVE-2019-1999 (In binder_alloc_free_page of binder_alloc.c, there is a possible doubl ...) {DSA-4495-1} - linux 5.2.6-1 [stretch] - linux (Vulnerable code introduced later) [jessie] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/5cec2d2e5839f9c0fec319c523a911e0a7fd299f CVE-2019-1998 (In event_handler of keymaster_app.c, there is possible resource exhaus ...) NOT-FOR-US: Android CVE-2019-1997 (In random_get_bytes of random.c, there is a possible degradation of ra ...) NOT-FOR-US: Android CVE-2019-1996 (In avrc_pars_browse_rsp of avrc_pars_ct.cc, there is a possible out of ...) NOT-FOR-US: Android CVE-2019-1995 (In ComposeActivityEmail of ComposeActivityEmail.java, there is a possi ...) NOT-FOR-US: Android CVE-2019-1994 (In refresh of DevelopmentTiles.java, there is the possibility of leavi ...) NOT-FOR-US: Android CVE-2019-1993 (In register_app of btif_hd.cc, there is a possible memory corruption d ...) NOT-FOR-US: Android CVE-2019-1992 (In bta_hl_sdp_query_results of bta_hl_main.cc, there is a possible use ...) NOT-FOR-US: Android CVE-2019-1991 (In btif_dm_data_copy of btif_core.cc, there is a possible out of bound ...) NOT-FOR-US: Android CVE-2019-1990 (In ihevcd_fmt_conv_420sp_to_420p of ihevcd_fmt_conv.c, there is a poss ...) NOT-FOR-US: Android Media Framework CVE-2019-1989 (In ih264d_fmt_conv_420sp_to_420p of ih264d_format_conv.c, there is a p ...) NOT-FOR-US: Android Media Framework CVE-2019-1988 (In sample6 of SkSwizzler.cpp, there is a possible out of bounds write ...) NOT-FOR-US: Android CVE-2019-1987 (In onSetSampleX of SkSwizzler.cpp, there is a possible out of bounds w ...) NOT-FOR-US: Android CVE-2019-1986 (In SkSwizzler::onSetSampleX of SkSwizzler.cpp, there is a possible out ...) NOT-FOR-US: Android CVE-2019-1985 (In findAvailSpellCheckerLocked of TextServicesManagerService.java, the ...) NOT-FOR-US: Android CVE-2018-20028 (Contao 3.x before 3.5.37, 4.4.x before 4.4.31 and 4.6.x before 4.6.11 ...) NOT-FOR-US: Contao CVE-2018-20027 (The yaml_parse.load method in Pylearn2 allows code injection. ...) NOT-FOR-US: Pylearn2 CVE-2018-20026 (Improper Communication Address Filtering exists in CODESYS V3 products ...) NOT-FOR-US: 3S-Smart Software Solutions GmbH CODESYS V3 Products CVE-2018-20025 (Use of Insufficiently Random Values exists in CODESYS V3 products vers ...) NOT-FOR-US: 3S-Smart Software Solutions GmbH CODESYS V3 Products CVE-2018-20024 (LibVNC before commit 4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 contains ...) {DSA-4383-1 DLA-2016-1 DLA-1979-1 DLA-1617-1} - libvncserver 0.9.11+dfsg-1.2 (bug #916941) - italc [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1 - ssvnc 1.0.29-5 (bug #945827) [buster] - ssvnc (Minor issue) [stretch] - ssvnc (Minor issue) - veyon 4.1.4+repack1-1 NOTE: https://github.com/LibVNC/libvncserver/issues/254 NOTE: https://github.com/LibVNC/libvncserver/commit/4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 NOTE: https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-034-libvnc-null-pointer-dereference/ CVE-2018-20023 (LibVNC before 8b06f835e259652b0ff026898014fc7297ade858 contains CWE-66 ...) {DSA-4383-1 DLA-1979-1 DLA-1617-1} - libvncserver 0.9.11+dfsg-1.2 (bug #916941) - italc [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1 - veyon 4.1.4+repack1-1 NOTE: https://github.com/LibVNC/libvncserver/issues/253 NOTE: https://github.com/LibVNC/libvncserver/commit/8b06f835e259652b0ff026898014fc7297ade858 NOTE: https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-033-libvnc-memory-leak/ CVE-2018-20022 (LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains multip ...) {DSA-4383-1 DLA-2045-1 DLA-2016-1 DLA-1979-1 DLA-1617-1} - libvncserver 0.9.11+dfsg-1.2 (bug #916941) - italc [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1 - ssvnc 1.0.29-5 (bug #945827) [buster] - ssvnc (Minor issue) [stretch] - ssvnc (Minor issue) - tightvnc 1:1.3.9-9.1 [buster] - tightvnc 1:1.3.9-9deb10u1 [stretch] - tightvnc 1:1.3.9-9+deb9u1 - veyon 4.1.4+repack1-1 NOTE: https://github.com/LibVNC/libvncserver/issues/252 NOTE: https://github.com/LibVNC/libvncserver/commit/2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 NOTE: https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-032-libvnc-multiple-memory-leaks/ CVE-2018-20021 (LibVNC before commit c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c contains ...) {DSA-4383-1 DLA-2045-1 DLA-2016-1 DLA-1979-1 DLA-1617-1} - libvncserver 0.9.11+dfsg-1.2 (bug #916941) - italc [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1 - ssvnc 1.0.29-5 (bug #945827) [buster] - ssvnc (Minor issue) [stretch] - ssvnc (Minor issue) - tightvnc 1:1.3.9-9.1 [buster] - tightvnc 1:1.3.9-9deb10u1 [stretch] - tightvnc 1:1.3.9-9+deb9u1 - veyon 4.1.4+repack1-1 NOTE: https://github.com/LibVNC/libvncserver/issues/251 NOTE: https://github.com/LibVNC/libvncserver/commit/c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c NOTE: https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-031-libvnc-infinite-loop/ CVE-2018-20020 (LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d contains ...) {DSA-4383-1 DLA-2016-1 DLA-1979-1 DLA-1617-1} - libvncserver 0.9.11+dfsg-1.2 (bug #916941) - italc [stretch] - italc (Incomplete fix for CVE-2018-20019 not applied) - ssvnc 1.0.29-5 (bug #945827) [buster] - ssvnc (Minor issue) [stretch] - ssvnc (Minor issue) - veyon 4.1.4+repack1-1 NOTE: https://github.com/LibVNC/libvncserver/issues/250 NOTE: https://github.com/LibVNC/libvncserver/commit/09f2f3fb6a5a163e453e5c2979054670c39694bc NOTE: https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d NOTE: https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-030-libvnc-heap-out-of-bound-write/ NOTE: same as CVE-2019-8287/tightvnc CVE-2018-20748 (LibVNC before 0.9.12 contains multiple heap out-of-bounds write vulner ...) {DLA-1979-1 DLA-1652-1} - libvncserver 0.9.11+dfsg-1.3 (bug #920941) [stretch] - libvncserver (Incomplete fix for CVE-2018-20019 not applied) - italc [stretch] - italc (Incomplete fix for CVE-2018-20019 not applied) - veyon 4.1.7+repack1-1 NOTE: https://github.com/LibVNC/libvncserver/commit/c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a NOTE: https://github.com/LibVNC/libvncserver/commit/e34bcbb759ca5bef85809967a268fdf214c1ad2c NOTE: https://github.com/LibVNC/libvncserver/commit/c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7 NOTE: https://github.com/LibVNC/libvncserver/commit/a64c3b37af9a6c8f8009d7516874b8d266b42bae CVE-2018-20019 (LibVNC before commit a83439b9fbe0f03c48eb94ed05729cb016f8b72f contains ...) {DSA-4383-1 DLA-1979-1 DLA-1617-1} - libvncserver 0.9.11+dfsg-1.2 (bug #916941) - italc [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1 NOTE: https://github.com/LibVNC/libvncserver/issues/247 NOTE: https://github.com/LibVNC/libvncserver/commit/a83439b9fbe0f03c48eb94ed05729cb016f8b72f NOTE: https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-029-libvnc-multiple-heap-out-of-bound-vulnerabilities/ NOTE: When fixing this issue apply the complete set of fixes to not open CVE-2018-20748. NOTE: Additional commits: NOTE: https://github.com/LibVNC/libvncserver/commit/c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a NOTE: https://github.com/LibVNC/libvncserver/commit/e34bcbb759ca5bef85809967a268fdf214c1ad2c NOTE: https://github.com/LibVNC/libvncserver/commit/c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7 NOTE: https://github.com/LibVNC/libvncserver/commit/a64c3b37af9a6c8f8009d7516874b8d266b42bae CVE-2018-20018 (S-CMS V3.0 has SQL injection via the S_id parameter, as demonstrated b ...) NOT-FOR-US: S-CMS CVE-2018-20017 (SEMCMS 3.5 has XSS via the first text box to the SEMCMS_Main.php URI. ...) NOT-FOR-US: SEMCMS CVE-2018-20016 RESERVED CVE-2018-20015 (YzmCMS v5.2 has admin/role/add.html CSRF. ...) NOT-FOR-US: YzmCMS CVE-2018-20014 (In UrBackup 2.2.6, an attacker can send a malformed request to the cli ...) NOT-FOR-US: UrBackup CVE-2018-20013 (In UrBackup 2.2.6, an attacker can send a malformed request to the cli ...) NOT-FOR-US: UrBackup CVE-2018-20012 (PHPCMF 4.1.3 has XSS via the first input field to the index.php?s=memb ...) NOT-FOR-US: PHPCMF CVE-2018-20011 (DomainMOD 4.11.01 has XSS via the assets/add/category.php Category Nam ...) NOT-FOR-US: DomainMOD CVE-2018-20010 (DomainMOD 4.11.01 has XSS via the assets/add/ssl-provider-account.php ...) NOT-FOR-US: DomainMOD CVE-2018-20009 (DomainMOD 4.11.01 has XSS via the assets/add/ssl-provider.php SSL Prov ...) NOT-FOR-US: DomainMOD CVE-2018-1000866 (A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.59 ...) NOT-FOR-US: Jenkins CVE-2018-1000865 (A sandbox bypass vulnerability exists in Script Security Plugin 1.47 a ...) NOT-FOR-US: Jenkins CVE-2018-1000864 (A denial of service vulnerability exists in Jenkins 2.153 and earlier, ...) NOT-FOR-US: Jenkins CVE-2018-1000863 (A data modification vulnerability exists in Jenkins 2.153 and earlier, ...) NOT-FOR-US: Jenkins CVE-2018-1000862 (An information exposure vulnerability exists in Jenkins 2.153 and earl ...) NOT-FOR-US: Jenkins CVE-2018-1000861 (A code execution vulnerability exists in the Stapler web framework use ...) NOT-FOR-US: Jenkins CVE-2018-20008 (iBall Baton iB-WRB302N20122017 devices have improper access control ov ...) NOT-FOR-US: iBall Baton iB-WRB302N20122017 devices CVE-2018-20007 (Yeelight Smart AI Speaker 3.3.10_0074 devices have improper access con ...) NOT-FOR-US: Yeelight Smart AI Speaker devices CVE-2018-20006 (An issue was discovered in PHPok v5.0.055. There is a Stored XSS vulne ...) NOT-FOR-US: PHPok CVE-2018-20005 (An issue has been found in Mini-XML (aka mxml) 2.12. It is a use-after ...) - mxml (unimportant) NOTE: https://github.com/michaelrsweet/mxml/issues/234 NOTE: Crash in mxmldoc CLI tool, no security impact CVE-2018-20004 (An issue has been found in Mini-XML (aka mxml) 2.12. It is a stack-bas ...) {DLA-1641-1} - mxml 2.12-2 (low; bug #918007) [stretch] - mxml (Minor issue) NOTE: https://github.com/michaelrsweet/mxml/issues/233 NOTE: Fixed by https://github.com/michaelrsweet/mxml/commit/4f5577dd4672d228e4180f06bdbd66f343ea45e0 CVE-2018-20003 RESERVED CVE-2018-20002 (The _bfd_generic_read_minisymbols function in syms.c in the Binary Fil ...) - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23952 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c2f5dc30afa34696f2da0081c4ac50b958ecb0e9 NOTE: binutils not covered by security support CVE-2018-20001 (In Libav 12.3, there is a floating point exception in the range_decode ...) - libav [jessie] - libav (not reproducible, requested more info from finder) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1141 CVE-2018-20000 (Apereo Bedework bw-webdav before 4.0.3 allows XXE attacks, as demonstr ...) NOT-FOR-US: Apereo Bedework bw-webdav CVE-2018-19999 (The local management interface in SolarWinds Serv-U FTP Server 15.1.6. ...) NOT-FOR-US: SolarWinds CVE-2018-19998 (SQL injection vulnerability in user/card.php in Dolibarr version 8.0.2 ...) - dolibarr NOTE: https://github.com/Dolibarr/dolibarr/commit/2b088a73c121a52e006c0d76ea4da7ffeb7b4f4a NOTE: https://github.com/Dolibarr/dolibarr/commit/bacd5110fbdc81a35030fdc322775fa15ea85924 CVE-2018-19997 RESERVED CVE-2018-19996 RESERVED CVE-2018-19995 (A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 al ...) - dolibarr NOTE: https://github.com/Dolibarr/dolibarr/commit/4b8be6ed64763327018ac1c076f81ddffa87855e NOTE: https://github.com/Dolibarr/dolibarr/commit/bacd5110fbdc81a35030fdc322775fa15ea85924 CVE-2018-19994 (An error-based SQL injection vulnerability in product/card.php in Doli ...) - dolibarr NOTE: https://github.com/Dolibarr/dolibarr/commit/850b939ffd2c7a4443649331b923d5e0da2d6446 CVE-2018-19993 (A reflected cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 ...) - dolibarr NOTE: https://github.com/Dolibarr/dolibarr/commit/fc3fcc5455d9a610b85723e89e8be43a41ad1378 CVE-2018-19992 (A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 al ...) - dolibarr NOTE: https://github.com/Dolibarr/dolibarr/commit/0f06e39d23636bd1e4039ac61a743c79725c798b CVE-2018-19991 (VeryNginx 0.3.3 allows remote attackers to bypass the Web Application ...) NOT-FOR-US: VeryNginx CVE-2018-19990 (In the /HNAP1/SetWiFiVerifyAlpha message, the WPSPIN parameter is vuln ...) NOT-FOR-US: D-Link CVE-2018-19989 (In the /HNAP1/SetQoSSettings message, the uplink parameter is vulnerab ...) NOT-FOR-US: D-Link CVE-2018-19988 (In the /HNAP1/SetClientInfoDemo message, the AudioMute and AudioEnable ...) NOT-FOR-US: D-Link CVE-2018-19987 (D-Link DIR-822 Rev.B 202KRb06, DIR-822 Rev.C 3.10B06, DIR-860L Rev.B 2 ...) NOT-FOR-US: D-Link CVE-2018-19986 (In the /HNAP1/SetRouterSettings message, the RemotePort parameter is v ...) NOT-FOR-US: D-Link CVE-2018-19985 (The function hso_get_config_data in drivers/net/usb/hso.c in the Linux ...) {DLA-1771-1 DLA-1731-1} - linux 4.19.13-1 [stretch] - linux 4.9.161-1 NOTE: https://git.kernel.org/linus/5146f95df782b0ac61abde36567e718692725c89 CVE-2018-19984 RESERVED CVE-2018-19983 (An issue was discovered on Sigma Design Z-Wave S0 through S2 devices. ...) NOT-FOR-US: Sigma Design Z-Wave devices CVE-2018-19982 (An issue was discovered on KT MC01507L Z-Wave S0 devices. It occurs be ...) NOT-FOR-US: KT MC01507L Z-Wave S0 devices CVE-2018-19981 (Amazon AWS SDK <=2.8.5 for Android uses Android SharedPreferences t ...) NOT-FOR-US: Amazon AWS SDK CVE-2018-19980 (Anker Nebula Capsule Pro NBUI_M1_V2.1.9 devices allow attackers to cau ...) NOT-FOR-US: Anker Nebula Capsule Pro devices CVE-2018-19979 RESERVED CVE-2018-19978 (A buffer overflow vulnerability in the DHCP and PPPOE configuration in ...) NOT-FOR-US: Auerswald COMfort CVE-2018-19977 (A command injection (missing input validation, escaping) in the ftp up ...) NOT-FOR-US: Auerswald COMfort CVE-2018-19976 (In YARA 3.8.1, bytecode in a specially crafted compiled rule is expose ...) - yara 3.8.1-2 (bug #916932) [stretch] - yara (Minor issue) [jessie] - yara (Minor issue) NOTE: https://github.com/VirusTotal/yara/issues/999 NOTE: https://bnbdr.github.io/posts/extracheese/ NOTE: https://github.com/bnbdr/swisscheese/ NOTE: https://github.com/VirusTotal/yara/commit/6acc08d7329413f60e0976be017e18a581450d7a NOTE: https://github.com/VirusTotal/yara/commit/d8f714891ed92da15d50b397b74d1d9431e9c54c CVE-2018-19975 (In YARA 3.8.1, bytecode in a specially crafted compiled rule can read ...) - yara 3.8.1-2 (bug #916932) [stretch] - yara (Minor issue) [jessie] - yara (Minor issue) NOTE: https://github.com/VirusTotal/yara/issues/999 NOTE: https://bnbdr.github.io/posts/extracheese/ NOTE: https://github.com/bnbdr/swisscheese/ NOTE: https://github.com/VirusTotal/yara/commit/6acc08d7329413f60e0976be017e18a581450d7a NOTE: https://github.com/VirusTotal/yara/commit/d8f714891ed92da15d50b397b74d1d9431e9c54c CVE-2018-19974 (In YARA 3.8.1, bytecode in a specially crafted compiled rule can read ...) - yara 3.8.1-2 (bug #916932) [stretch] - yara (Minor issue) [jessie] - yara (Minor issue) NOTE: https://github.com/VirusTotal/yara/issues/999 NOTE: https://bnbdr.github.io/posts/extracheese/ NOTE: https://github.com/bnbdr/swisscheese/ NOTE: https://github.com/VirusTotal/yara/commit/6acc08d7329413f60e0976be017e18a581450d7a NOTE: https://github.com/VirusTotal/yara/commit/d8f714891ed92da15d50b397b74d1d9431e9c54c CVE-2018-19973 RESERVED CVE-2018-19972 RESERVED CVE-2018-19971 (JFrog Artifactory Pro 6.5.9 has Incorrect Access Control. ...) NOT-FOR-US: JFrog Artifactory Pro CVE-2018-19970 (In phpMyAdmin before 4.8.4, an XSS vulnerability was found in the navi ...) {DLA-1658-1} - phpmyadmin 4:4.9.1+dfsg1-2 [stretch] - phpmyadmin (Minor issue; can be fixed via point release) NOTE: https://www.phpmyadmin.net/security/PMASA-2018-8/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/b293ff5f234ef493336ed8638f623a12164d359e CVE-2018-19969 (phpMyAdmin 4.7.x and 4.8.x versions prior to 4.8.4 are affected by a s ...) - phpmyadmin 4:4.9.1+dfsg1-2 [stretch] - phpmyadmin (Minor issue and too intrusive to backport) [jessie] - phpmyadmin (invasive with 49 patches to backport, only mitigate with _REQUEST->_POST instead of adding CSRF tokens) NOTE: https://www.phpmyadmin.net/security/PMASA-2018-7/ NOTE: Upstream explicitly fixed only the 4.7/4.8 branch but the problem exists in NOTE: earlier versions as well. At least parts of the listed commits are needed. CVE-2018-19968 (An attacker can exploit phpMyAdmin before 4.8.4 to leak the contents o ...) {DLA-1658-1} - phpmyadmin 4:4.9.1+dfsg1-2 [stretch] - phpmyadmin (Minor issue; can be fixed via point release) NOTE: https://www.phpmyadmin.net/security/PMASA-2018-6/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/6a1ba61e29002f0305a9322a8af4eaaeb11c0732 CVE-2018-19959 RESERVED CVE-2018-19958 RESERVED CVE-2018-19957 RESERVED CVE-2018-19956 RESERVED CVE-2018-19955 RESERVED CVE-2018-19954 RESERVED CVE-2018-19953 RESERVED CVE-2018-19952 RESERVED CVE-2018-19951 RESERVED CVE-2018-19950 RESERVED CVE-2018-19949 RESERVED CVE-2018-19948 RESERVED CVE-2018-19947 RESERVED CVE-2018-19946 RESERVED CVE-2018-19945 RESERVED CVE-2018-19944 RESERVED CVE-2018-19943 RESERVED CVE-2018-19942 RESERVED CVE-2018-19941 RESERVED CVE-2018-19940 RESERVED CVE-2018-19939 (The Goodix GT9xx touchscreen driver for custom Linux kernels on Xiaomi ...) NOT-FOR-US: Goodix GT9xx touchscreen driver CVE-2018-19938 RESERVED CVE-2018-19937 (A local, authenticated attacker can bypass the passcode in the VideoLA ...) NOT-FOR-US: VLC port/application for iOS CVE-2018-19936 (PrinterOn Enterprise 4.1.4 allows Arbitrary File Deletion. ...) NOT-FOR-US: PrinterOn Enterprise CVE-2018-19934 (SolarWinds Serv-U FTP Server 15.1.6.25 has reflected cross-site script ...) NOT-FOR-US: SolarWinds CVE-2018-19933 (Bolt CMS <3.6.2 allows XSS via text input click preview button as d ...) NOT-FOR-US: Bolt CMS CVE-2019-1984 (A vulnerability in Cisco Enterprise Network Functions Virtualization I ...) NOT-FOR-US: Cisco CVE-2019-1983 RESERVED CVE-2019-1982 (A vulnerability in the HTTP traffic filtering component of Cisco Firep ...) NOT-FOR-US: Cisco CVE-2019-1981 (A vulnerability in the normalization functionality of Cisco Firepower ...) NOT-FOR-US: Cisco CVE-2019-1980 (A vulnerability in the protocol detection component of Cisco Firepower ...) NOT-FOR-US: Cisco CVE-2019-1979 RESERVED CVE-2019-1978 (A vulnerability in the stream reassembly component of Cisco Firepower ...) NOT-FOR-US: Cisco CVE-2019-1977 (A vulnerability within the Endpoint Learning feature of Cisco Nexus 90 ...) NOT-FOR-US: Cisco CVE-2019-1976 (A vulnerability in the &ldquo;plug-and-play&rdquo; services co ...) NOT-FOR-US: Cisco CVE-2019-1975 (A vulnerability in the web-based interface of Cisco HyperFlex Software ...) NOT-FOR-US: Cisco CVE-2019-1974 (A vulnerability in the web-based management interface of Cisco Integra ...) NOT-FOR-US: Cisco CVE-2019-1973 (A vulnerability in the web portal framework of Cisco Enterprise NFV In ...) NOT-FOR-US: Cisco CVE-2019-1972 (A vulnerability the Cisco Enterprise NFV Infrastructure Software (NFVI ...) NOT-FOR-US: Cisco CVE-2019-1971 (A vulnerability in the web portal of Cisco Enterprise NFV Infrastructu ...) NOT-FOR-US: Cisco CVE-2019-1970 (A vulnerability in the Secure Sockets Layer (SSL)/Transport Layer Secu ...) NOT-FOR-US: Cisco CVE-2019-1969 (A vulnerability in the implementation of the Simple Network Management ...) NOT-FOR-US: Cisco CVE-2019-1968 (A vulnerability in the NX-API feature of Cisco NX-OS Software could al ...) NOT-FOR-US: Cisco CVE-2019-1967 (A vulnerability in the Network Time Protocol (NTP) feature of Cisco NX ...) NOT-FOR-US: Cisco CVE-2019-1966 (A vulnerability in a specific CLI command within the local management ...) NOT-FOR-US: Cisco CVE-2019-1965 (A vulnerability in the Virtual Shell (VSH) session management for Cisc ...) NOT-FOR-US: Cisco CVE-2019-1964 (A vulnerability in the IPv6 traffic processing of Cisco NX-OS Software ...) NOT-FOR-US: Cisco CVE-2019-1963 (A vulnerability in the Simple Network Management Protocol (SNMP) input ...) NOT-FOR-US: Cisco CVE-2019-1962 (A vulnerability in the Cisco Fabric Services component of Cisco NX-OS ...) NOT-FOR-US: Cisco CVE-2019-1961 (A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS ...) NOT-FOR-US: Cisco CVE-2019-1960 (Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Softwa ...) NOT-FOR-US: Cisco CVE-2019-1959 (Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Softwa ...) NOT-FOR-US: Cisco CVE-2019-1958 (A vulnerability in the web-based management interface of Cisco HyperFl ...) NOT-FOR-US: Cisco CVE-2019-1957 (A vulnerability in the web interface of Cisco IoT Field Network Direct ...) NOT-FOR-US: Cisco CVE-2019-1956 (A vulnerability in the web-based interface of the Cisco SPA112 2-Port ...) NOT-FOR-US: Cisco CVE-2019-1955 (A vulnerability in the Sender Policy Framework (SPF) functionality of ...) NOT-FOR-US: Cisco CVE-2019-1954 (A vulnerability in the web-based management interface of Cisco Webex M ...) NOT-FOR-US: Cisco CVE-2019-1953 (A vulnerability in the web portal of Cisco Enterprise NFV Infrastructu ...) NOT-FOR-US: Cisco CVE-2019-1952 (A vulnerability in the CLI of Cisco Enterprise NFV Infrastructure Soft ...) NOT-FOR-US: Cisco CVE-2019-1951 (A vulnerability in the packet filtering features of Cisco SD-WAN Solut ...) NOT-FOR-US: Cisco CVE-2019-1950 (A vulnerability in Cisco IOS XE SD-WAN Software could allow an unauthe ...) NOT-FOR-US: Cisco CVE-2019-1949 (A vulnerability in the web-based management interface of Cisco Firepow ...) NOT-FOR-US: Cisco CVE-2019-1948 (A vulnerability in Cisco Webex Meetings Mobile (iOS) could allow an un ...) NOT-FOR-US: Cisco CVE-2019-1947 RESERVED CVE-2019-1946 (A vulnerability in the web-based management interface of Cisco Enterpr ...) NOT-FOR-US: Cisco CVE-2019-1945 (Multiple vulnerabilities in the smart tunnel functionality of Cisco Ad ...) NOT-FOR-US: Cisco CVE-2019-1944 (Multiple vulnerabilities in the smart tunnel functionality of Cisco Ad ...) NOT-FOR-US: Cisco CVE-2019-1943 (A vulnerability in the web interface of Cisco Small Business 200, 300, ...) NOT-FOR-US: Cisco CVE-2019-1942 (A vulnerability in the sponsor portal web interface for Cisco Identity ...) NOT-FOR-US: Cisco CVE-2019-1941 (A vulnerability in the web-based management interface of Cisco Identit ...) NOT-FOR-US: Cisco CVE-2019-1940 (A vulnerability in the Web Services Management Agent (WSMA) feature of ...) NOT-FOR-US: Cisco CVE-2019-1939 (A vulnerability in the Cisco Webex Teams client for Windows could allo ...) NOT-FOR-US: Cisco CVE-2019-1938 (A vulnerability in the web-based management interface of Cisco UCS Dir ...) NOT-FOR-US: Cisco CVE-2019-1937 (A vulnerability in the web-based management interface of Cisco Integra ...) NOT-FOR-US: Cisco CVE-2019-1936 (A vulnerability in the web-based management interface of Cisco Integra ...) NOT-FOR-US: Cisco CVE-2019-1935 (A vulnerability in Cisco Integrated Management Controller (IMC) Superv ...) NOT-FOR-US: Cisco CVE-2019-1934 (A vulnerability in the web-based management interface of Cisco Adaptiv ...) NOT-FOR-US: Cisco CVE-2019-1933 (A vulnerability in the email message scanning of Cisco AsyncOS Softwar ...) NOT-FOR-US: Cisco CVE-2019-1932 (A vulnerability in Cisco Advanced Malware Protection (AMP) for Endpoin ...) NOT-FOR-US: Cisco CVE-2019-1931 (Multiple vulnerabilities in the RSS dashboard in the web-based managem ...) NOT-FOR-US: Cisco CVE-2019-1930 (Multiple vulnerabilities in the RSS dashboard in the web-based managem ...) NOT-FOR-US: Cisco CVE-2019-1929 (Multiple vulnerabilities in Cisco Webex Network Recording Player for M ...) NOT-FOR-US: Cisco CVE-2019-1928 (Multiple vulnerabilities in Cisco Webex Network Recording Player for M ...) NOT-FOR-US: Cisco CVE-2019-1927 (Multiple vulnerabilities in Cisco Webex Network Recording Player for M ...) NOT-FOR-US: Cisco CVE-2019-1926 (Multiple vulnerabilities in Cisco Webex Network Recording Player for M ...) NOT-FOR-US: Cisco CVE-2019-1925 (Multiple vulnerabilities in Cisco Webex Network Recording Player for M ...) NOT-FOR-US: Cisco CVE-2019-1924 (Multiple vulnerabilities in Cisco Webex Network Recording Player for M ...) NOT-FOR-US: Cisco CVE-2019-1923 (A vulnerability in Cisco Small Business SPA500 Series IP Phones could ...) NOT-FOR-US: Cisco CVE-2019-1922 (A vulnerability in Cisco SIP IP Phone Software for Cisco IP Phone 7800 ...) NOT-FOR-US: Cisco CVE-2019-1921 (A vulnerability in the attachment scanning of Cisco AsyncOS Software f ...) NOT-FOR-US: Cisco CVE-2019-1920 (A vulnerability in the 802.11r Fast Transition (FT) implementation for ...) NOT-FOR-US: Cisco CVE-2019-1919 (A vulnerability in the Cisco FindIT Network Management Software virtua ...) NOT-FOR-US: Cisco CVE-2019-1918 (A vulnerability in the implementation of Intermediate System&ndash ...) NOT-FOR-US: Cisco CVE-2019-1917 (A vulnerability in the REST API interface of Cisco Vision Dynamic Sign ...) NOT-FOR-US: Cisco CVE-2019-1916 RESERVED CVE-2019-1915 (A vulnerability in the web-based interface of Cisco Unified Communicat ...) NOT-FOR-US: Cisco CVE-2019-1914 (A vulnerability in the web management interface of Cisco Small Busines ...) NOT-FOR-US: Cisco CVE-2019-1913 (Multiple vulnerabilities in the web management interface of Cisco Smal ...) NOT-FOR-US: Cisco CVE-2019-1912 (A vulnerability in the web management interface of Cisco Small Busines ...) NOT-FOR-US: Cisco CVE-2019-1911 (A vulnerability in the CLI of Cisco Unified Communications Domain Mana ...) NOT-FOR-US: Cisco CVE-2019-1910 (A vulnerability in the implementation of the Intermediate System&n ...) NOT-FOR-US: Cisco CVE-2019-1909 (A vulnerability in the implementation of Border Gateway Protocol (BGP) ...) NOT-FOR-US: Cisco CVE-2019-1908 (A vulnerability in the Intelligent Platform Management Interface (IPMI ...) NOT-FOR-US: Cisco CVE-2019-1907 (A vulnerability in the web server of Cisco Integrated Management Contr ...) NOT-FOR-US: Cisco CVE-2019-1906 (A vulnerability in the Virtual Domain system of Cisco Prime Infrastruc ...) NOT-FOR-US: Cisco CVE-2019-1905 (A vulnerability in the GZIP decompression engine of Cisco AsyncOS Soft ...) NOT-FOR-US: Cisco CVE-2019-1904 (A vulnerability in the web-based UI (web UI) of Cisco IOS XE Software ...) NOT-FOR-US: Cisco CVE-2019-1903 (A vulnerability in Cisco Security Manager could allow an unauthenticat ...) NOT-FOR-US: Cisco CVE-2019-1902 RESERVED CVE-2019-1901 (A vulnerability in the Link Layer Discovery Protocol (LLDP) subsystem ...) NOT-FOR-US: Cisco CVE-2019-1900 (A vulnerability in the web server of Cisco Integrated Management Contr ...) NOT-FOR-US: Cisco CVE-2019-1899 (A vulnerability in the web interface of Cisco RV110W, RV130W, and RV21 ...) NOT-FOR-US: Cisco CVE-2019-1898 (A vulnerability in the web-based management interface of Cisco RV110W, ...) NOT-FOR-US: Cisco CVE-2019-1897 (A vulnerability in the web-based management interface of Cisco RV110W, ...) NOT-FOR-US: Cisco CVE-2019-1896 (A vulnerability in the web-based management interface of Cisco Integra ...) NOT-FOR-US: Cisco CVE-2019-1895 (A vulnerability in the Virtual Network Computing (VNC) console impleme ...) NOT-FOR-US: Cisco CVE-2019-1894 (A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS ...) NOT-FOR-US: Cisco CVE-2019-1893 (A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS ...) NOT-FOR-US: Cisco CVE-2019-1892 (A vulnerability in the Secure Sockets Layer (SSL) input packet process ...) NOT-FOR-US: Cisco CVE-2019-1891 (A vulnerability in the web interface of Cisco Small Business 200, 300, ...) NOT-FOR-US: Cisco CVE-2019-1890 (A vulnerability in the fabric infrastructure VLAN connection establish ...) NOT-FOR-US: Cisco CVE-2019-1889 (A vulnerability in the REST API for software device management in Cisc ...) NOT-FOR-US: Cisco CVE-2019-1888 RESERVED CVE-2019-1887 (A vulnerability in the Session Initiation Protocol (SIP) protocol impl ...) NOT-FOR-US: Cisco CVE-2019-1886 (A vulnerability in the HTTPS decryption feature of Cisco Web Security ...) NOT-FOR-US: Cisco CVE-2019-1885 (A vulnerability in the Redfish protocol of Cisco Integrated Management ...) NOT-FOR-US: Cisco CVE-2019-1884 (A vulnerability in the web proxy functionality of Cisco AsyncOS Softwa ...) NOT-FOR-US: Cisco CVE-2019-1883 (A vulnerability in the command-line interface of Cisco Integrated Mana ...) NOT-FOR-US: Cisco CVE-2019-1882 (A vulnerability in Cisco Industrial Network Director could allow an au ...) NOT-FOR-US: Cisco CVE-2019-1881 (A vulnerability in the web-based management interface of Cisco Industr ...) NOT-FOR-US: Cisco CVE-2019-1880 (A vulnerability in the BIOS upgrade utility of Cisco Unified Computing ...) NOT-FOR-US: Cisco CVE-2019-1879 (A vulnerability in the CLI of Cisco Integrated Management Controller ( ...) NOT-FOR-US: Cisco CVE-2019-1878 (A vulnerability in the Cisco Discovery Protocol (CDP) implementation f ...) NOT-FOR-US: Cisco CVE-2019-1877 (A vulnerability in the HTTP API of Cisco Enterprise Chat and Email cou ...) NOT-FOR-US: Cisco CVE-2019-1876 (A vulnerability in the HTTPS proxy feature of Cisco Wide Area Applicat ...) NOT-FOR-US: Cisco CVE-2019-1875 (A vulnerability in the web-based management interface of Cisco Prime S ...) NOT-FOR-US: Cisco CVE-2019-1874 (A vulnerability in the web-based management interface of Cisco Prime S ...) NOT-FOR-US: Cisco CVE-2019-1873 (A vulnerability in the cryptographic driver for Cisco Adaptive Securit ...) NOT-FOR-US: Cisco CVE-2019-1872 (A vulnerability in Cisco TelePresence Video Communication Server (VCS) ...) NOT-FOR-US: Cisco CVE-2019-1871 (A vulnerability in the Import Cisco IMC configuration utility of Cisco ...) NOT-FOR-US: Cisco CVE-2019-1870 (A vulnerability in the web-based management interface of Cisco Enterpr ...) NOT-FOR-US: Cisco CVE-2019-1869 (A vulnerability in the internal packet-processing functionality of the ...) NOT-FOR-US: Cisco CVE-2019-1868 (A vulnerability in the web-based management interface of Cisco Webex M ...) NOT-FOR-US: Cisco CVE-2019-1867 (A vulnerability in the REST API of Cisco Elastic Services Controller ( ...) NOT-FOR-US: Cisco CVE-2019-1866 (Cisco Webex Business Suite before 39.1.0 contains a vulnerability that ...) NOT-FOR-US: Cisco CVE-2019-1865 (A vulnerability in the web-based management interface of Cisco Integra ...) NOT-FOR-US: Cisco CVE-2019-1864 (A vulnerability in the web-based management interface of Cisco Integra ...) NOT-FOR-US: Cisco CVE-2019-1863 (A vulnerability in the web-based management interface of Cisco Integra ...) NOT-FOR-US: Cisco CVE-2019-1862 (A vulnerability in the web-based user interface (Web UI) of Cisco IOS ...) NOT-FOR-US: Cisco CVE-2019-1861 (A vulnerability in the software update feature of Cisco Industrial Net ...) NOT-FOR-US: Cisco CVE-2019-1860 (A vulnerability in the dashboard gadget rendering of Cisco Unified Int ...) NOT-FOR-US: Cisco CVE-2019-1859 (A vulnerability in the Secure Shell (SSH) authentication process of Ci ...) NOT-FOR-US: Cisco CVE-2019-1858 (A vulnerability in the Simple Network Management Protocol (SNMP) input ...) NOT-FOR-US: Cisco CVE-2019-1857 (A vulnerability in the web-based management interface of Cisco HyperFl ...) NOT-FOR-US: Cisco CVE-2019-1856 (A vulnerability in the web-based management interface of Cisco Prime C ...) NOT-FOR-US: Cisco CVE-2019-1855 (A vulnerability in the loading mechanism of specific dynamic link libr ...) NOT-FOR-US: Cisco CVE-2019-1854 (A vulnerability in the management web interface of Cisco Expressway Se ...) NOT-FOR-US: Cisco CVE-2019-1853 (A vulnerability in the HostScan component of Cisco AnyConnect Secure M ...) NOT-FOR-US: Cisco CVE-2019-1852 (A vulnerability in the web-based management interface of Cisco Prime N ...) NOT-FOR-US: Cisco CVE-2019-1851 (A vulnerability in the External RESTful Services (ERS) API of the Cisc ...) NOT-FOR-US: Cisco CVE-2019-1850 (A vulnerability in the web-based management interface of Cisco Integra ...) NOT-FOR-US: Cisco CVE-2019-1849 (A vulnerability in the Border Gateway Patrol (BGP) Multiprotocol Label ...) NOT-FOR-US: Cisco CVE-2019-1848 (A vulnerability in Cisco Digital Network Architecture (DNA) Center cou ...) NOT-FOR-US: Cisco CVE-2019-1847 RESERVED CVE-2019-1846 (A vulnerability in the Multiprotocol Label Switching (MPLS) Operations ...) NOT-FOR-US: Cisco CVE-2019-1845 (A vulnerability in the authentication service of the Cisco Unified Com ...) NOT-FOR-US: Cisco CVE-2019-1844 (A vulnerability in certain attachment detection mechanisms of the Cisc ...) NOT-FOR-US: Cisco CVE-2019-1843 (A vulnerability in the web-based management interface of the Cisco RV1 ...) NOT-FOR-US: Cisco CVE-2019-1842 (A vulnerability in the Secure Shell (SSH) authentication function of C ...) NOT-FOR-US: Cisco CVE-2019-1841 (A vulnerability in the Software Image Management feature of Cisco DNA ...) NOT-FOR-US: Cisco CVE-2019-1840 (A vulnerability in the DHCPv6 input packet processor of Cisco Prime Ne ...) NOT-FOR-US: Cisco CVE-2019-1839 (A vulnerability in Cisco Remote PHY Device Software could allow an aut ...) NOT-FOR-US: Cisco CVE-2019-1838 (A vulnerability in the web-based management interface of Cisco Applica ...) NOT-FOR-US: Cisco CVE-2019-1837 (A vulnerability in the User Data Services (UDS) API of Cisco Unified C ...) NOT-FOR-US: Cisco CVE-2019-1836 (A vulnerability in the system shell for Cisco Nexus 9000 Series Fabric ...) NOT-FOR-US: Cisco CVE-2019-1835 (A vulnerability in the CLI of Cisco Aironet Access Points (APs) could ...) NOT-FOR-US: Cisco CVE-2019-1834 (A vulnerability in the internal packet processing of Cisco Aironet Ser ...) NOT-FOR-US: Cisco CVE-2019-1833 (A vulnerability in the Secure Sockets Layer (SSL)/Transport Layer Secu ...) NOT-FOR-US: Cisco CVE-2019-1832 (A vulnerability in the detection engine of Cisco Firepower Threat Defe ...) NOT-FOR-US: Cisco CVE-2019-1831 (A vulnerability in the email message scanning of Cisco AsyncOS Softwar ...) NOT-FOR-US: Cisco CVE-2019-1830 (A vulnerability in Locally Significant Certificate (LSC) management fo ...) NOT-FOR-US: Cisco CVE-2019-1829 (A vulnerability in the CLI of Cisco Aironet Series Access Points (APs) ...) NOT-FOR-US: Cisco CVE-2019-1828 (A vulnerability in the web-based management interface of Cisco Small B ...) NOT-FOR-US: Cisco CVE-2019-1827 (A vulnerability in the Online Help web service of Cisco Small Business ...) NOT-FOR-US: Cisco CVE-2019-1826 (A vulnerability in the quality of service (QoS) feature of Cisco Airon ...) NOT-FOR-US: Cisco CVE-2019-1825 (A vulnerability in the web-based management interface of Cisco Prime I ...) NOT-FOR-US: Cisco CVE-2019-1824 (A vulnerability in the web-based management interface of Cisco Prime I ...) NOT-FOR-US: Cisco CVE-2019-1823 (A vulnerability in the web-based management interface of Cisco Prime I ...) NOT-FOR-US: Cisco CVE-2019-1822 (A vulnerability in the web-based management interface of Cisco Prime I ...) NOT-FOR-US: Cisco CVE-2019-1821 (A vulnerability in the web-based management interface of Cisco Prime I ...) NOT-FOR-US: Cisco CVE-2019-1820 (A vulnerability in the web-based management interface of Cisco Prime I ...) NOT-FOR-US: Cisco CVE-2019-1819 (A vulnerability in the web-based management interface of Cisco Prime I ...) NOT-FOR-US: Cisco CVE-2019-1818 (A vulnerability in the web-based management interface of Cisco Prime I ...) NOT-FOR-US: Cisco CVE-2019-1817 (A vulnerability in the web proxy functionality of Cisco AsyncOS Softwa ...) NOT-FOR-US: Cisco CVE-2019-1816 (A vulnerability in the log subscription subsystem of the Cisco Web Sec ...) NOT-FOR-US: Cisco CVE-2019-1815 RESERVED CVE-2019-1814 (A vulnerability in the interactions between the DHCP and TFTP features ...) NOT-FOR-US: Cisco CVE-2019-1813 (A vulnerability in the Image Signature Verification feature of Cisco N ...) NOT-FOR-US: Cisco CVE-2019-1812 (A vulnerability in the Image Signature Verification feature of Cisco N ...) NOT-FOR-US: Cisco CVE-2019-1811 (A vulnerability in the Image Signature Verification feature of Cisco N ...) NOT-FOR-US: Cisco CVE-2019-1810 (A vulnerability in the Image Signature Verification feature used in an ...) NOT-FOR-US: Cisco CVE-2019-1809 (A vulnerability in the Image Signature Verification feature of Cisco N ...) NOT-FOR-US: Cisco CVE-2019-1808 (A vulnerability in the Image Signature Verification feature of Cisco N ...) NOT-FOR-US: Cisco CVE-2019-1807 (A vulnerability in the session management functionality of the web UI ...) NOT-FOR-US: Cisco CVE-2019-1806 (A vulnerability in the Simple Network Management Protocol (SNMP) input ...) NOT-FOR-US: Cisco CVE-2019-1805 (A vulnerability in certain access control mechanisms for the Secure Sh ...) NOT-FOR-US: Cisco CVE-2019-1804 (A vulnerability in the SSH key management for the Cisco Nexus 9000 Ser ...) NOT-FOR-US: Cisco CVE-2019-1803 (A vulnerability in the filesystem management for the Cisco Nexus 9000 ...) NOT-FOR-US: Cisco CVE-2019-1802 (A vulnerability in the web-based management interface of Cisco Firepow ...) NOT-FOR-US: Cisco CVE-2019-1801 RESERVED CVE-2019-1800 (A vulnerability in the handling of Inter-Access Point Protocol (IAPP) ...) NOT-FOR-US: Cisco CVE-2019-1799 (A vulnerability in the handling of Inter-Access Point Protocol (IAPP) ...) NOT-FOR-US: Cisco CVE-2019-1798 (A vulnerability in the Portable Executable (PE) file scanning function ...) - libclamunrar 0.101.2-1 [stretch] - libclamunrar (Vulnerable code only present in 0.101.1 and 0.101.0) [jessie] - libclamunrar (Vulnerable code only present in 0.101.1 and 0.101.0) - clamav 0.101.2+dfsg-1 [stretch] - clamav (Vulnerable code only present in 0.101.1 and 0.101.0) [jessie] - clamav (Vulnerable code introduced later) NOTE: https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html CVE-2019-1797 (A vulnerability in the web-based management interface of Cisco Wireles ...) NOT-FOR-US: Cisco CVE-2019-1796 (A vulnerability in the handling of Inter-Access Point Protocol (IAPP) ...) NOT-FOR-US: Cisco CVE-2019-1795 (A vulnerability in the CLI of Cisco FXOS Software and Cisco NX-OS Soft ...) NOT-FOR-US: Cisco CVE-2019-1794 (A vulnerability in the search path processing of Cisco Directory Conne ...) NOT-FOR-US: Cisco CVE-2019-1793 RESERVED CVE-2019-1792 (A vulnerability in the URL block page of Cisco Umbrella could allow an ...) NOT-FOR-US: Cisco CVE-2019-1791 (A vulnerability in the CLI of Cisco NX-OS Software could allow an auth ...) NOT-FOR-US: Cisco CVE-2019-1790 (A vulnerability in the CLI of Cisco NX-OS Software could allow an auth ...) NOT-FOR-US: Cisco CVE-2019-1789 (ClamAV versions prior to 0.101.2 are susceptible to a denial of servic ...) {DLA-1759-1} - clamav 0.101.2+dfsg-1 [stretch] - clamav 0.100.3+dfsg-0+deb9u1 NOTE: https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html CVE-2019-1788 (A vulnerability in the Object Linking & Embedding (OLE2) file scan ...) {DLA-1759-1} - clamav 0.101.2+dfsg-1 [stretch] - clamav 0.100.3+dfsg-0+deb9u1 NOTE: https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html CVE-2019-1787 (A vulnerability in the Portable Document Format (PDF) scanning functio ...) {DLA-1759-1} - clamav 0.101.2+dfsg-1 [stretch] - clamav 0.100.3+dfsg-0+deb9u1 NOTE: https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html CVE-2019-1786 (A vulnerability in the Portable Document Format (PDF) scanning functio ...) - clamav 0.101.2+dfsg-1 [stretch] - clamav (Vulnerable code only present in 0.101.1 and 0.101.0) [jessie] - clamav (Vulnerable code introduced later) NOTE: https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html CVE-2019-1785 (A vulnerability in the RAR file scanning functionality of Clam AntiVir ...) - libclamunrar 0.101.2-1 [stretch] - libclamunrar (Vulnerable code only present in 0.101.1 and 0.101.0) [jessie] - libclamunrar (Vulnerable code introduced later) - clamav 0.101.2+dfsg-1 [stretch] - clamav (Vulnerable code only present in 0.101.1 and 0.101.0) [jessie] - clamav (Vulnerable code introduced later) NOTE: https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html CVE-2019-1784 (A vulnerability in the CLI of Cisco NX-OS Software could allow an auth ...) NOT-FOR-US: Cisco CVE-2019-1783 (A vulnerability in the CLI of Cisco NX-OS Software could allow an auth ...) NOT-FOR-US: Cisco CVE-2019-1782 (A vulnerability in the CLI of Cisco FXOS Software and Cisco NX-OS Soft ...) NOT-FOR-US: Cisco CVE-2019-1781 (A vulnerability in the CLI of Cisco FXOS Software and Cisco NX-OS Soft ...) NOT-FOR-US: Cisco CVE-2019-1780 (A vulnerability in the CLI of Cisco FXOS Software and Cisco NX-OS Soft ...) NOT-FOR-US: Cisco CVE-2019-1779 (A vulnerability in the CLI of Cisco FXOS Software and Cisco NX-OS Soft ...) NOT-FOR-US: Cisco CVE-2019-1778 (A vulnerability in the CLI of Cisco NX-OS Software could allow an auth ...) NOT-FOR-US: Cisco CVE-2019-1777 (A vulnerability in the web-based interface of the Cisco Registered Env ...) NOT-FOR-US: Cisco CVE-2019-1776 (A vulnerability in the CLI of Cisco NX-OS Software could allow an auth ...) NOT-FOR-US: Cisco CVE-2019-1775 (A vulnerability in the CLI of Cisco NX-OS Software could allow an auth ...) NOT-FOR-US: Cisco CVE-2019-1774 (A vulnerability in the CLI of Cisco NX-OS Software could allow an auth ...) NOT-FOR-US: Cisco CVE-2019-1773 (A vulnerability in the Cisco Webex Network Recording Player for Micros ...) NOT-FOR-US: Cisco CVE-2019-1772 (A vulnerability in the Cisco Webex Network Recording Player for Micros ...) NOT-FOR-US: Cisco CVE-2019-1771 (A vulnerability in the Cisco Webex Network Recording Player for Micros ...) NOT-FOR-US: Cisco CVE-2019-1770 (A vulnerability in the CLI of Cisco NX-OS Software could allow an auth ...) NOT-FOR-US: Cisco CVE-2019-1769 (A vulnerability in the CLI of Cisco NX-OS Software could allow an auth ...) NOT-FOR-US: Cisco CVE-2019-1768 (A vulnerability in the implementation of a specific CLI command for Ci ...) NOT-FOR-US: Cisco CVE-2019-1767 (A vulnerability in the implementation of a specific CLI command for Ci ...) NOT-FOR-US: Cisco CVE-2019-1766 (A vulnerability in the web-based management interface of Session Initi ...) NOT-FOR-US: Cisco CVE-2019-1765 (A vulnerability in the web-based management interface of Session Initi ...) NOT-FOR-US: Cisco CVE-2019-1764 (A vulnerability in the web-based management interface of Session Initi ...) NOT-FOR-US: Cisco CVE-2019-1763 (A vulnerability in the web-based management interface of Session Initi ...) NOT-FOR-US: Cisco CVE-2019-1762 (A vulnerability in the Secure Storage feature of Cisco IOS and IOS XE ...) NOT-FOR-US: Cisco CVE-2019-1761 (A vulnerability in the Hot Standby Router Protocol (HSRP) subsystem of ...) NOT-FOR-US: Cisco CVE-2019-1760 (A vulnerability in Performance Routing Version 3 (PfRv3) of Cisco IOS ...) NOT-FOR-US: Cisco CVE-2019-1759 (A vulnerability in access control list (ACL) functionality of the Giga ...) NOT-FOR-US: Cisco CVE-2019-1758 (A vulnerability in 802.1x function of Cisco IOS Software on the Cataly ...) NOT-FOR-US: Cisco CVE-2019-1757 (A vulnerability in the Cisco Smart Call Home feature of Cisco IOS and ...) NOT-FOR-US: Cisco CVE-2019-1756 (A vulnerability in Cisco IOS XE Software could allow an authenticated, ...) NOT-FOR-US: Cisco CVE-2019-1755 (A vulnerability in the Web Services Management Agent (WSMA) function o ...) NOT-FOR-US: Cisco CVE-2019-1754 (A vulnerability in the authorization subsystem of Cisco IOS XE Softwar ...) NOT-FOR-US: Cisco CVE-2019-1753 (A vulnerability in the web UI of Cisco IOS XE Software could allow an ...) NOT-FOR-US: Cisco CVE-2019-1752 (A vulnerability in the ISDN functions of Cisco IOS Software and Cisco ...) NOT-FOR-US: Cisco CVE-2019-1751 (A vulnerability in the Network Address Translation 64 (NAT64) function ...) NOT-FOR-US: Cisco CVE-2019-1750 (A vulnerability in the Easy Virtual Switching System (VSS) of Cisco IO ...) NOT-FOR-US: Cisco CVE-2019-1749 (A vulnerability in the ingress traffic validation of Cisco IOS XE Soft ...) NOT-FOR-US: Cisco CVE-2019-1748 (A vulnerability in the Cisco Network Plug-and-Play (PnP) agent of Cisc ...) NOT-FOR-US: Cisco CVE-2019-1747 (A vulnerability in the implementation of the Short Message Service (SM ...) NOT-FOR-US: Cisco CVE-2019-1746 (A vulnerability in the Cluster Management Protocol (CMP) processing co ...) NOT-FOR-US: Cisco CVE-2019-1745 (A vulnerability in Cisco IOS XE Software could allow an authenticated, ...) NOT-FOR-US: Cisco CVE-2019-1744 RESERVED CVE-2019-1743 (A vulnerability in the web UI framework of Cisco IOS XE Software could ...) NOT-FOR-US: Cisco CVE-2019-1742 (A vulnerability in the web UI of Cisco IOS XE Software could allow an ...) NOT-FOR-US: Cisco CVE-2019-1741 (A vulnerability in the Cisco Encrypted Traffic Analytics (ETA) feature ...) NOT-FOR-US: Cisco CVE-2019-1740 (A vulnerability in the Network-Based Application Recognition (NBAR) fe ...) NOT-FOR-US: Cisco CVE-2019-1739 (A vulnerability in the Network-Based Application Recognition (NBAR) fe ...) NOT-FOR-US: Cisco CVE-2019-1738 (A vulnerability in the Network-Based Application Recognition (NBAR) fe ...) NOT-FOR-US: Cisco CVE-2019-1737 (A vulnerability in the processing of IP Service Level Agreement (SLA) ...) NOT-FOR-US: Cisco CVE-2019-1736 RESERVED CVE-2019-1735 (A vulnerability in the CLI of Cisco NX-OS Software could allow an auth ...) NOT-FOR-US: Cisco CVE-2019-1734 (A vulnerability in the implementation of a CLI diagnostic command in C ...) NOT-FOR-US: Cisco CVE-2019-1733 (A vulnerability in the NX API (NX-API) Sandbox interface for Cisco NX- ...) NOT-FOR-US: Cisco CVE-2019-1732 (A vulnerability in the Remote Package Manager (RPM) subsystem of Cisco ...) NOT-FOR-US: Cisco CVE-2019-1731 (A vulnerability in the SSH CLI key management functionality of Cisco N ...) NOT-FOR-US: Cisco CVE-2019-1730 (A vulnerability in the Bash shell implementation for Cisco NX-OS Softw ...) NOT-FOR-US: Cisco CVE-2019-1729 (A vulnerability in the CLI implementation of a specific command used f ...) NOT-FOR-US: Cisco CVE-2019-1728 (A vulnerability in the Secure Configuration Validation functionality o ...) NOT-FOR-US: Cisco CVE-2019-1727 (A vulnerability in the Python scripting subsystem of Cisco NX-OS Softw ...) NOT-FOR-US: Cisco CVE-2019-1726 (A vulnerability in the CLI of Cisco NX-OS Software could allow an auth ...) NOT-FOR-US: Cisco CVE-2019-1725 (A vulnerability in the local management CLI implementation for specifi ...) NOT-FOR-US: Cisco CVE-2019-1724 (A vulnerability in the session management functionality of the web-bas ...) NOT-FOR-US: Cisco CVE-2019-1723 (A vulnerability in the Cisco Common Services Platform Collector (CSPC) ...) NOT-FOR-US: Cisco CVE-2019-1722 (A vulnerability in the FindMe feature of Cisco Expressway Series and C ...) NOT-FOR-US: Cisco CVE-2019-1721 (A vulnerability in the phone book feature of Cisco Expressway Series a ...) NOT-FOR-US: Cisco CVE-2019-1720 (A vulnerability in the XML API of Cisco Expressway Series and Cisco Te ...) NOT-FOR-US: Cisco CVE-2019-1719 (A vulnerability in the web-based guest portal of Cisco Identity Servic ...) NOT-FOR-US: Cisco CVE-2019-1718 (A vulnerability in the web interface of Cisco Identity Services Engine ...) NOT-FOR-US: Cisco CVE-2019-1717 (A vulnerability in the web-based management interface of Cisco Video S ...) NOT-FOR-US: Cisco CVE-2019-1716 (A vulnerability in the web-based management interface of Session Initi ...) NOT-FOR-US: Cisco CVE-2019-1715 (A vulnerability in the Deterministic Random Bit Generator (DRBG), also ...) NOT-FOR-US: Cisco CVE-2019-1714 (A vulnerability in the implementation of Security Assertion Markup Lan ...) NOT-FOR-US: Cisco CVE-2019-1713 (A vulnerability in the web-based management interface of Cisco Adaptiv ...) NOT-FOR-US: Cisco CVE-2019-1712 (A vulnerability in the Protocol Independent Multicast (PIM) feature of ...) NOT-FOR-US: Cisco CVE-2019-1711 (A vulnerability in the Event Management Service daemon (emsd) of Cisco ...) NOT-FOR-US: Cisco CVE-2019-1710 (A vulnerability in the sysadmin virtual machine (VM) on Cisco ASR 9000 ...) NOT-FOR-US: Cisco CVE-2019-1709 (A vulnerability in the CLI of Cisco Firepower Threat Defense (FTD) Sof ...) NOT-FOR-US: Cisco CVE-2019-1708 (A vulnerability in the Internet Key Exchange Version 2 Mobility and Mu ...) NOT-FOR-US: Cisco CVE-2019-1707 (A vulnerability in the web-based management interface of Cisco DNA Cen ...) NOT-FOR-US: Cisco CVE-2019-1706 (A vulnerability in the software cryptography module of the Cisco Adapt ...) NOT-FOR-US: Cisco CVE-2019-1705 (A vulnerability in the remote access VPN session manager of Cisco Adap ...) NOT-FOR-US: Cisco CVE-2019-1704 (Multiple vulnerabilities in the Server Message Block (SMB) Protocol pr ...) NOT-FOR-US: Cisco CVE-2019-1703 (A vulnerability in the internal packet-processing functionality of Cis ...) NOT-FOR-US: Cisco CVE-2019-1702 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2019-1701 (Multiple vulnerabilities in the WebVPN service of Cisco Adaptive Secur ...) NOT-FOR-US: Cisco CVE-2019-1700 (A vulnerability in field-programmable gate array (FPGA) ingress buffer ...) NOT-FOR-US: Cisco CVE-2019-1699 (A vulnerability in the CLI of Cisco Firepower Threat Defense (FTD) Sof ...) NOT-FOR-US: Cisco CVE-2019-1698 (A vulnerability in the web-based user interface of Cisco Internet of T ...) NOT-FOR-US: Cisco CVE-2019-1697 (A vulnerability in the implementation of the Lightweight Directory Acc ...) NOT-FOR-US: Cisco CVE-2019-1696 (Multiple vulnerabilities in the Server Message Block (SMB) Protocol pr ...) NOT-FOR-US: Cisco CVE-2019-1695 (A vulnerability in the detection engine of Cisco Adaptive Security App ...) NOT-FOR-US: Cisco CVE-2019-1694 (A vulnerability in the TCP processing engine of Cisco Adaptive Securit ...) NOT-FOR-US: Cisco CVE-2019-1693 (A vulnerability in the WebVPN service of Cisco Adaptive Security Appli ...) NOT-FOR-US: Cisco CVE-2019-1692 (A vulnerability in the web-based management interface of Cisco Applica ...) NOT-FOR-US: Cisco CVE-2019-1691 (A vulnerability in the detection engine of Cisco Firepower Threat Defe ...) NOT-FOR-US: Cisco CVE-2019-1690 (A vulnerability in the management interface of Cisco Application Polic ...) NOT-FOR-US: Cisco CVE-2019-1689 (A vulnerability in the client application for iOS of Cisco Webex Teams ...) NOT-FOR-US: Cisco CVE-2019-1688 (A vulnerability in the management web interface of Cisco Network Assur ...) NOT-FOR-US: Cisco CVE-2019-1687 (A vulnerability in the TCP proxy functionality for Cisco Adaptive Secu ...) NOT-FOR-US: Cisco CVE-2019-1686 (A vulnerability in the TCP flags inspection feature for access control ...) NOT-FOR-US: Cisco CVE-2019-1685 (A vulnerability in the Security Assertion Markup Language (SAML) singl ...) NOT-FOR-US: Cisco CVE-2019-1684 (A vulnerability in the Cisco Discovery Protocol or Link Layer Discover ...) NOT-FOR-US: Cisco CVE-2019-1683 (A vulnerability in the certificate handling component of the Cisco SPA ...) NOT-FOR-US: Cisco CVE-2019-1682 (A vulnerability in the FUSE filesystem functionality for Cisco Applica ...) NOT-FOR-US: Cisco CVE-2019-1681 (A vulnerability in the TFTP service of Cisco Network Convergence Syste ...) NOT-FOR-US: Cisco CVE-2019-1680 (A vulnerability in Cisco Webex Business Suite could allow an unauthent ...) NOT-FOR-US: Cisco CVE-2019-1679 (A vulnerability in the web interface of Cisco TelePresence Conductor, ...) NOT-FOR-US: Cisco CVE-2019-1678 (A vulnerability in Cisco Meeting Server could allow an authenticated, ...) NOT-FOR-US: Cisco CVE-2019-1677 (A vulnerability in Cisco Webex Meetings for Android could allow an una ...) NOT-FOR-US: Cisco CVE-2019-1676 (A vulnerability in the Session Initiation Protocol (SIP) call processi ...) NOT-FOR-US: Cisco CVE-2019-1675 (A vulnerability in the default configuration of the Cisco Aironet Acti ...) NOT-FOR-US: Cisco CVE-2019-1674 (A vulnerability in the update service of Cisco Webex Meetings Desktop ...) NOT-FOR-US: Cisco CVE-2019-1673 (A vulnerability in the web-based management interface of Cisco Identit ...) NOT-FOR-US: Cisco CVE-2019-1672 (A vulnerability in the Decryption Policy Default Action functionality ...) NOT-FOR-US: Cisco CVE-2019-1671 (A vulnerability in the web-based management interface of Cisco Firepow ...) NOT-FOR-US: Cisco CVE-2019-1670 (A vulnerability in the web-based management interface of Cisco Unified ...) NOT-FOR-US: Cisco CVE-2019-1669 (A vulnerability in the data acquisition (DAQ) component of Cisco Firep ...) NOT-FOR-US: Cisco CVE-2019-1668 (A vulnerability in the chat feed feature of Cisco SocialMiner could al ...) NOT-FOR-US: Cisco CVE-2019-1667 (A vulnerability in the Graphite interface of Cisco HyperFlex software ...) NOT-FOR-US: Cisco CVE-2019-1666 (A vulnerability in the Graphite service of Cisco HyperFlex software co ...) NOT-FOR-US: Cisco CVE-2019-1665 (A vulnerability in the web-based management interface of Cisco HyperFl ...) NOT-FOR-US: Cisco CVE-2019-1664 (A vulnerability in the hxterm service of Cisco HyperFlex Software coul ...) NOT-FOR-US: Cisco CVE-2019-1663 (A vulnerability in the web-based management interface of the Cisco RV1 ...) NOT-FOR-US: Cisco CVE-2019-1662 (A vulnerability in the Quality of Voice Reporting (QOVR) service of Ci ...) NOT-FOR-US: Cisco CVE-2019-1661 (A vulnerability in the web-based management interface of Cisco TelePre ...) NOT-FOR-US: Cisco CVE-2019-1660 (A vulnerability in the Simple Object Access Protocol (SOAP) of Cisco T ...) NOT-FOR-US: Cisco CVE-2019-1659 (A vulnerability in the Identity Services Engine (ISE) integration feat ...) NOT-FOR-US: Cisco CVE-2019-1658 (A vulnerability in the web-based management interface of Cisco Unified ...) NOT-FOR-US: Cisco CVE-2019-1657 (A vulnerability in Cisco AMP Threat Grid could allow an authenticated, ...) NOT-FOR-US: Cisco CVE-2019-1656 (A vulnerability in the CLI of Cisco Enterprise NFV Infrastructure Soft ...) NOT-FOR-US: Cisco CVE-2019-1655 (A vulnerability in the web-based management interface of Cisco Webex M ...) NOT-FOR-US: Cisco CVE-2019-1654 (A vulnerability in the development shell (devshell) authentication for ...) NOT-FOR-US: Cisco CVE-2019-1653 (A vulnerability in the web-based management interface of Cisco Small B ...) NOT-FOR-US: Cisco CVE-2019-1652 (A vulnerability in the web-based management interface of Cisco Small B ...) NOT-FOR-US: Cisco CVE-2019-1651 (A vulnerability in the vContainer of the Cisco SD-WAN Solution could a ...) NOT-FOR-US: Cisco CVE-2019-1650 (A vulnerability in the Cisco SD-WAN Solution could allow an authentica ...) NOT-FOR-US: Cisco CVE-2019-1649 (A vulnerability in the logic that handles access control to one of the ...) NOT-FOR-US: Cisco CVE-2019-1648 (A vulnerability in the user group configuration of the Cisco SD-WAN So ...) NOT-FOR-US: Cisco CVE-2019-1647 (A vulnerability in the Cisco SD-WAN Solution could allow an authentica ...) NOT-FOR-US: Cisco CVE-2019-1646 (A vulnerability in the local CLI of the Cisco SD-WAN Solution could al ...) NOT-FOR-US: Cisco CVE-2019-1645 (A vulnerability in the Cisco Connected Mobile Experiences (CMX) softwa ...) NOT-FOR-US: Cisco CVE-2019-1644 (A vulnerability in the UDP protocol implementation for Cisco IoT Field ...) NOT-FOR-US: Cisco CVE-2019-1643 (A vulnerability in the web-based management interface of Cisco Prime I ...) NOT-FOR-US: Cisco CVE-2019-1642 (A vulnerability in the web-based management interface of Cisco Firepow ...) NOT-FOR-US: Cisco CVE-2019-1641 (A vulnerability in the Cisco Webex Network Recording Player for Micros ...) NOT-FOR-US: Cisco CVE-2019-1640 (A vulnerability in the Cisco Webex Network Recording Player for Micros ...) NOT-FOR-US: Cisco CVE-2019-1639 (A vulnerability in the Cisco Webex Network Recording Player for Micros ...) NOT-FOR-US: Cisco CVE-2019-1638 (A vulnerability in the Cisco Webex Network Recording Player for Micros ...) NOT-FOR-US: Cisco CVE-2019-1637 (A vulnerability in the Cisco Webex Network Recording Player for Micros ...) NOT-FOR-US: Cisco CVE-2019-1636 (A vulnerability in the Cisco Webex Teams client, formerly Cisco Spark, ...) NOT-FOR-US: Cisco CVE-2019-1635 (A vulnerability in the call-handling functionality of Session Initiati ...) NOT-FOR-US: Cisco CVE-2019-1634 (A vulnerability in the Intelligent Platform Management Interface (IPMI ...) NOT-FOR-US: Cisco CVE-2019-1633 RESERVED CVE-2019-1632 (A vulnerability in the web-based management interface of Cisco Integra ...) NOT-FOR-US: Cisco CVE-2019-1631 (A vulnerability in the web-based management interface of Cisco Integra ...) NOT-FOR-US: Cisco CVE-2019-1630 (A vulnerability in the firmware signature checking program of Cisco In ...) NOT-FOR-US: Cisco CVE-2019-1629 (A vulnerability in the configuration import utility of Cisco Integrate ...) NOT-FOR-US: Cisco CVE-2019-1628 (A vulnerability in the web server of Cisco Integrated Management Contr ...) NOT-FOR-US: Cisco CVE-2019-1627 (A vulnerability in the Server Utilities of Cisco Integrated Management ...) NOT-FOR-US: Cisco CVE-2019-1626 (A vulnerability in the vManage web-based UI (Web UI) of the Cisco SD-W ...) NOT-FOR-US: Cisco CVE-2019-1625 (A vulnerability in the CLI of Cisco SD-WAN Solution could allow an aut ...) NOT-FOR-US: Cisco CVE-2019-1624 (A vulnerability in the vManage web-based UI (Web UI) in the Cisco SD-W ...) NOT-FOR-US: Cisco CVE-2019-1623 (A vulnerability in the CLI configuration shell of Cisco Meeting Server ...) NOT-FOR-US: Cisco CVE-2019-1622 (A vulnerability in the web-based management interface of Cisco Data Ce ...) NOT-FOR-US: Cisco CVE-2019-1621 (A vulnerability in the web-based management interface of Cisco Data Ce ...) NOT-FOR-US: Cisco CVE-2019-1620 (A vulnerability in the web-based management interface of Cisco Data Ce ...) NOT-FOR-US: Cisco CVE-2019-1619 (A vulnerability in the web-based management interface of Cisco Data Ce ...) NOT-FOR-US: Cisco CVE-2019-1618 (A vulnerability in the Tetration Analytics agent for Cisco Nexus 9000 ...) NOT-FOR-US: Cisco CVE-2019-1617 (A vulnerability in the Fibre Channel over Ethernet (FCoE) N-port Virtu ...) NOT-FOR-US: Cisco CVE-2019-1616 (A vulnerability in the Cisco Fabric Services component of Cisco NX-OS ...) NOT-FOR-US: Cisco CVE-2019-1615 (A vulnerability in the Image Signature Verification feature of Cisco N ...) NOT-FOR-US: Cisco CVE-2019-1614 (A vulnerability in the NX-API feature of Cisco NX-OS Software could al ...) NOT-FOR-US: Cisco CVE-2019-1613 (A vulnerability in the CLI of Cisco NX-OS Software could allow an auth ...) NOT-FOR-US: Cisco CVE-2019-1612 (A vulnerability in the CLI of Cisco NX-OS Software could allow an auth ...) NOT-FOR-US: Cisco CVE-2019-1611 (A vulnerability in the CLI of Cisco NX-OS Software and Cisco FXOS Soft ...) NOT-FOR-US: Cisco CVE-2019-1610 (A vulnerability in the CLI of Cisco NX-OS Software could allow an auth ...) NOT-FOR-US: Cisco CVE-2019-1609 (A vulnerability in the CLI of Cisco NX-OS Software could allow an auth ...) NOT-FOR-US: Cisco CVE-2019-1608 (A vulnerability in the CLI of Cisco NX-OS Software could allow an auth ...) NOT-FOR-US: Cisco CVE-2019-1607 (A vulnerability in the CLI of Cisco NX-OS Software could allow an auth ...) NOT-FOR-US: Cisco CVE-2019-1606 (A vulnerability in the CLI of Cisco NX-OS Software could allow an auth ...) NOT-FOR-US: Cisco CVE-2019-1605 (A vulnerability in the NX-API feature of Cisco NX-OS Software could al ...) NOT-FOR-US: Cisco CVE-2019-1604 (A vulnerability in the user account management interface of Cisco NX-O ...) NOT-FOR-US: Cisco CVE-2019-1603 (A vulnerability in the CLI of Cisco NX-OS Software could allow an auth ...) NOT-FOR-US: Cisco CVE-2019-1602 (A vulnerability in the filesystem permissions of Cisco NX-OS Software ...) NOT-FOR-US: Cisco CVE-2019-1601 (A vulnerability in the filesystem permissions of Cisco NX-OS Software ...) NOT-FOR-US: Cisco CVE-2019-1600 (A vulnerability in the file system permissions of Cisco FXOS Software ...) NOT-FOR-US: Cisco CVE-2019-1599 (A vulnerability in the network stack of Cisco NX-OS Software could all ...) NOT-FOR-US: Cisco CVE-2019-1598 (Multiple vulnerabilities in the implementation of the Lightweight Dire ...) NOT-FOR-US: Cisco CVE-2019-1597 (Multiple vulnerabilities in the implementation of the Lightweight Dire ...) NOT-FOR-US: Cisco CVE-2019-1596 (A vulnerability in the Bash shell implementation for Cisco NX-OS Softw ...) NOT-FOR-US: Cisco CVE-2019-1595 (A vulnerability in the Fibre Channel over Ethernet (FCoE) protocol imp ...) NOT-FOR-US: Cisco CVE-2019-1594 (A vulnerability in the 802.1X implementation for Cisco NX-OS Software ...) NOT-FOR-US: Cisco CVE-2019-1593 (A vulnerability in the Bash shell implementation for Cisco NX-OS Softw ...) NOT-FOR-US: Cisco CVE-2019-1592 (A vulnerability in the background operations functionality of Cisco Ne ...) NOT-FOR-US: Cisco CVE-2019-1591 (A vulnerability in a specific CLI command implementation of Cisco Nexu ...) NOT-FOR-US: Cisco CVE-2019-1590 (A vulnerability in the Transport Layer Security (TLS) certificate vali ...) NOT-FOR-US: Cisco CVE-2019-1589 (A vulnerability in the Trusted Platform Module (TPM) functionality of ...) NOT-FOR-US: Cisco CVE-2019-1588 (A vulnerability in the Cisco Nexus 9000 Series Fabric Switches running ...) NOT-FOR-US: Cisco CVE-2019-1587 (A vulnerability in Cisco Nexus 9000 Series Fabric Switches in Applicat ...) NOT-FOR-US: Cisco CVE-2019-1586 (A vulnerability in Cisco Application Policy Infrastructure Controller ...) NOT-FOR-US: Cisco CVE-2019-1585 (A vulnerability in the controller authorization functionality of Cisco ...) NOT-FOR-US: Cisco CVE-2018-19960 (The debug_mode function in web/web.py in OnionShare through 1.3.1, whe ...) - onionshare 1.3.2-1 (bug #915859; unimportant) [jessie] - onionshare (contrib not supported) NOTE: https://github.com/micahflee/onionshare/issues/837 NOTE: Negligible (and disputable) security impact, as the debug mode is not enabled by default CVE-2018-19935 (ext/imap/php_imap.c in PHP 5.x and 7.x before 7.3.0 allows remote atta ...) {DSA-4353-1 DLA-1608-1} - php7.3 7.3.0-1 - php7.2 - php7.0 - php5 NOTE: Fixed in 5.6.39, 7.0.33, 7.1.26, 7.2.14, 7.3.0 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77020 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=648fc1e369fc05fb9200a42c7938912236b2a318 CVE-2018-19932 (An issue was discovered in the Binary File Descriptor (BFD) library (a ...) [experimental] - binutils 2.31.51.20181204-1 - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23932 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=beab453223769279cc1cef68a1622ab8978641f7 NOTE: binutils not covered by security support CVE-2018-19931 (An issue was discovered in the Binary File Descriptor (BFD) library (a ...) [experimental] - binutils 2.31.51.20181204-1 - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23942 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5f60af5d24d181371d67534fa273dd221df20c07 NOTE: binutils not covered by security support CVE-2018-19930 RESERVED CVE-2018-19929 RESERVED CVE-2018-19928 RESERVED CVE-2018-19927 (Zenitel Norway IP-StationWeb before 4.2.3.9 allows stored XSS via the ...) NOT-FOR-US: Zenitel Norway IP-StationWeb CVE-2018-19926 (Zenitel Norway IP-StationWeb before 4.2.3.9 allows reflected XSS via t ...) NOT-FOR-US: Zenitel Norway IP-StationWeb CVE-2018-19925 (An issue was discovered in Sales & Company Management System (SCMS ...) NOT-FOR-US: Sales & Company Management System (SCMS) CVE-2018-19924 (An issue was discovered in Sales & Company Management System (SCMS ...) NOT-FOR-US: Sales & Company Management System (SCMS) CVE-2018-19923 (An issue was discovered in Sales & Company Management System (SCMS ...) NOT-FOR-US: Sales & Company Management System (SCMS) CVE-2018-19922 (Persistent Cross-Site Scripting (XSS) in the advancedsetup_websitebloc ...) NOT-FOR-US: Actiontec C1000A router CVE-2018-19921 (Zoho ManageEngine OpManager 12.3 before 123237 has XSS in the domain c ...) NOT-FOR-US: Zoho ManageEngine OpManager CVE-2018-19920 RESERVED CVE-2018-19919 (Pixelimity 1.0 has Persistent XSS via the admin/portfolio.php data[tit ...) NOT-FOR-US: Pixelimity CVE-2018-19918 (CuppaCMS has XSS via an SVG document uploaded to the administrator/#/c ...) NOT-FOR-US: CuppaCMS CVE-2019-1584 (A security vulnerability exists in Zingbox Inspector version 1.293 and ...) NOT-FOR-US: Zingbox Inspector CVE-2019-1583 (Escalation of privilege vulnerability in the Palo Alto Networks Twistl ...) NOT-FOR-US: Palo Alto Networks CVE-2019-1582 (Memory corruption in PAN-OS 8.1.9 and earlier, and PAN-OS 9.0.3 and ea ...) NOT-FOR-US: PAN-OS CVE-2019-1581 (A remote code execution vulnerability in the PAN-OS SSH device managem ...) NOT-FOR-US: PAN-OS CVE-2019-1580 (Memory corruption in PAN-OS 7.1.24 and earlier, PAN-OS 8.0.19 and earl ...) NOT-FOR-US: PAN-OS CVE-2019-1579 (Remote Code Execution in PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11-h1 a ...) NOT-FOR-US: PAN-OS CVE-2019-1578 (Cross-site scripting vulnerability in Palo Alto Networks MineMeld vers ...) NOT-FOR-US: Palo Alto Networks MineMeld CVE-2019-1577 (Code injection vulnerability in Palo Alto Networks Traps 5.0.5 and ear ...) NOT-FOR-US: Palo Alto Networks Traps CVE-2019-1576 (Command injection in PAN-0S 9.0.2 and earlier may allow an authenticat ...) NOT-FOR-US: PAN-0S CVE-2019-1575 (Information disclosure in PAN-OS 7.1.23 and earlier, PAN-OS 8.0.18 and ...) NOT-FOR-US: PAN-0S CVE-2019-1574 (Cross-site scripting (XSS) vulnerability in Palo Alto Networks Expedit ...) NOT-FOR-US: Palo Alto Networks Expedition Migration tool CVE-2019-1573 (GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 a ...) NOT-FOR-US: GlobalProtect CVE-2019-1572 (PAN-OS 9.0.0 may allow an unauthenticated remote user to access php fi ...) NOT-FOR-US: PAN-OS CVE-2019-1571 (The Expedition Migration tool 1.1.8 and earlier may allow an authentic ...) NOT-FOR-US: Expedition Migration tool CVE-2019-1570 (The Expedition Migration tool 1.1.8 and earlier may allow an authentic ...) NOT-FOR-US: Expedition Migration tool CVE-2019-1569 (The Expedition Migration tool 1.1.8 and earlier may allow an authentic ...) NOT-FOR-US: Expedition Migration tool CVE-2019-1568 (Cross-site scripting (XSS) vulnerability in Palo Alto Networks Demisto ...) NOT-FOR-US: Palo Alto Networks Demisto CVE-2019-1567 (The Expedition Migration tool 1.1.6 and earlier may allow an authentic ...) NOT-FOR-US: Expedition Migration tool CVE-2019-1566 (The PAN-OS management web interface in PAN-OS 7.1.21 and earlier, PAN- ...) NOT-FOR-US: PAN-OS CVE-2019-1565 (The PAN-OS external dynamics lists in PAN-OS 7.1.21 and earlier, PAN-O ...) NOT-FOR-US: PAN-OS CVE-2018-19917 (Microweber 1.0.8 has reflected cross-site scripting (XSS) vulnerabilit ...) NOT-FOR-US: Microweber CVE-2018-19916 RESERVED CVE-2018-19915 (DomainMOD through 4.11.01 has XSS via the assets/edit/host.php Web Hos ...) NOT-FOR-US: DomainMOD CVE-2018-19914 (DomainMOD through 4.11.01 has XSS via the assets/add/dns.php Profile N ...) NOT-FOR-US: DomainMOD CVE-2018-19913 (DomainMOD through 4.11.01 has XSS via the assets/add/registrar-account ...) NOT-FOR-US: DomainMOD CVE-2018-19912 RESERVED CVE-2018-19911 (FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote a ...) - freeswitch (bug #389591) CVE-2018-19910 RESERVED CVE-2018-19909 RESERVED CVE-2018-19908 (An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Eve ...) NOT-FOR-US: MISP CVE-2018-1000859 REJECTED CVE-2018-1000853 REJECTED CVE-2018-19907 (A Server-Side Template Injection issue was discovered in Crafter CMS 3 ...) NOT-FOR-US: Crafter CMS CVE-2018-19906 (Stored XSS exists in razorCMS 3.4.8 via the /#/page description parame ...) NOT-FOR-US: razorCMS CVE-2018-19905 (HTML injection exists in razorCMS 3.4.8 via the /#/page keywords param ...) NOT-FOR-US: razorCMS CVE-2018-19904 (Persistent XSS exists in XSLT CMS via the create/?action=items.edit&am ...) NOT-FOR-US: XSLT CMS CVE-2018-19903 (Persistent XSS exists in XSLT CMS via the create/?action=items.edit&am ...) NOT-FOR-US: XSLT CMS CVE-2018-19902 (No-CMS 1.1.3 is prone to Persistent XSS via the blog/manage_article "k ...) NOT-FOR-US: NO-CMS CVE-2018-19901 (No-CMS 1.1.3 is prone to Persistent XSS via the blog/manage_article/in ...) NOT-FOR-US: NO-CMS CVE-2018-19900 RESERVED CVE-2018-19899 RESERVED CVE-2018-19898 (ThinkCMF X2.2.2 has SQL Injection via the method edit_post in ArticleC ...) NOT-FOR-US: ThinkCMF CVE-2018-19897 (ThinkCMF X2.2.2 has SQL Injection via the function _listorders() in Ad ...) NOT-FOR-US: ThinkCMF CVE-2018-19896 (ThinkCMF X2.2.2 has SQL Injection via the function delete() in SlideCo ...) NOT-FOR-US: ThinkCMF CVE-2018-19895 (ThinkCMF X2.2.2 has SQL Injection via the function edit_post() in NavC ...) NOT-FOR-US: ThinkCMF CVE-2018-19894 (ThinkCMF X2.2.2 has SQL Injection via the functions check() and delete ...) NOT-FOR-US: ThinkCMF CVE-2018-19893 (SearchController.php in PbootCMS 1.2.1 has SQL injection via the index ...) NOT-FOR-US: PbootCMS CVE-2018-19892 (DomainMOD through 4.11.01 has XSS via the admin/dw/add-server.php Disp ...) NOT-FOR-US: DomainMOD CVE-2018-19891 (An invalid memory address dereference was discovered in the huffcode f ...) - faac 1.30-1 (unimportant; bug #915763) NOTE: https://github.com/knik0/faac/issues/24 NOTE: Negligable security impact, crash in CLI tool (builds a lib, but only internal) CVE-2018-19890 (An invalid memory address dereference was discovered in the huffcode f ...) - faac 1.30-1 (unimportant; bug #915763) NOTE: https://github.com/knik0/faac/issues/20 NOTE: Negligable security impact, crash in CLI tool (builds a lib, but only internal) CVE-2018-19889 (An invalid memory address dereference was discovered in the huffcode f ...) - faac 1.30-1 (unimportant; bug #915763) NOTE: https://github.com/knik0/faac/issues/22 NOTE: Negligable security impact, crash in CLI tool (builds a lib, but only internal) CVE-2018-19888 (An invalid memory address dereference was discovered in the huffcode f ...) - faac 1.30-1 (unimportant; bug #915763) NOTE: https://github.com/knik0/faac/issues/25 NOTE: Negligable security impact, crash in CLI tool (builds a lib, but only internal) CVE-2018-19887 (An invalid memory address dereference was discovered in the huffcode f ...) - faac 1.30-1 (unimportant; bug #915763) NOTE: https://github.com/knik0/faac/issues/21 NOTE: Negligable security impact, crash in CLI tool (builds a lib, but only internal) CVE-2018-19886 (An invalid memory address dereference was discovered in the huffcode f ...) - faac 1.30-1 (unimportant; bug #915763) NOTE: https://github.com/knik0/faac/issues/23 NOTE: Negligable security impact, crash in CLI tool (builds a lib, but only internal) CVE-2018-19885 RESERVED CVE-2018-19884 RESERVED CVE-2018-19883 RESERVED CVE-2018-19882 (In Artifex MuPDF 1.14.0, the svg_run_image function in svg/svg-run.c a ...) - mupdf (unimportant) NOTE: Negligable security impact, crash in CLI tool NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700342 NOTE: https://github.com/TeamSeri0us/pocs/tree/master/mupdf/20181203 CVE-2018-19881 (In Artifex MuPDF 1.14.0, svg/svg-run.c allows remote attackers to caus ...) - mupdf (unimportant) NOTE: Negligable security impact, crash in CLI tool NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700342 NOTE: https://github.com/TeamSeri0us/pocs/tree/master/mupdf/20181203 CVE-2018-19880 RESERVED CVE-2018-19879 (An issue was discovered in /cgi-bin/luci on Teltonika RTU9XX (e.g., RU ...) NOT-FOR-US: Teltonika devices CVE-2018-19878 (An issue was discovered on Teltonika RTU950 R_31.04.89 devices. The ap ...) NOT-FOR-US: Teltonika devices CVE-2018-19877 (login.php in Adiscon LogAnalyzer before 4.1.7 has XSS via the Login Bu ...) NOT-FOR-US: Adiscon LogAnalyzer CVE-2018-19876 (cairo 1.16.0, in cairo_ft_apply_variations() in cairo-ft-font.c, would ...) - cairo 1.16.0-4 (bug #915801; bug #916389) [stretch] - cairo (Vulnerable code introduced later) [jessie] - cairo (Vulnerable code introduced later) NOTE: https://bugs.webkit.org/show_bug.cgi?id=191595 NOTE: https://gitlab.freedesktop.org/cairo/cairo/merge_requests/5 NOTE: Code introduced in NOTE: https://gitlab.freedesktop.org/cairo/cairo/commit/616fb7a9f2612f6cc3472542a70ba3e8ccf16584 and NOTE: https://gitlab.freedesktop.org/cairo/cairo/commit/0fd0fd0ae9ad8cfb177bb844091de98c0235917e, NOTE: and became vulnerable with freetype 2.9 which allows to define a different allocator. Partially NOTE: fixed in https://gitlab.freedesktop.org/cairo/cairo/commit/c3659d7ef662b55949307ece7b1f613a7dc32620 NOTE: https://gitlab.freedesktop.org/cairo/cairo/commit/90e85c2493fdfa3551f202ff10282463f1e36645 CVE-2018-1002104 (Versions < 1.5 of the Kubernetes ingress default backend, which han ...) NOT-FOR-US: Kubernetes NGINX Ingress Controller CVE-2018-1002103 (In Minikube versions 0.3.0-0.29.0, minikube exposes the Kubernetes Das ...) NOT-FOR-US: minikube CVE-2018-1002102 (Improper validation of URL redirection in the Kubernetes API server in ...) - kubernetes 1.17.4-1 NOTE: https://github.com/kubernetes/kubernetes/issues/85867 CVE-2018-19875 RESERVED CVE-2018-19874 RESERVED CVE-2018-19873 (An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer ...) {DSA-4374-1 DLA-1786-1 DLA-1627-1} [experimental] - qtbase-opensource-src 5.11.3+dfsg-1 - qtbase-opensource-src 5.11.3+dfsg-2 (low) - qt4-x11 4:4.8.7+dfsg-18 (low; bug #923003) [stretch] - qt4-x11 (Minor issue) NOTE: https://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates/ NOTE: https://codereview.qt-project.org/#/c/238749/ NOTE: https://github.com/qt/qtbase/commit/621ab8ab59901cc3f9bd98be709929c9eac997a8 CVE-2018-19872 (An issue was discovered in Qt 5.11. A malformed PPM image causes a div ...) - qtbase-opensource-src 5.11.2+dfsg-3 (low) [stretch] - qtbase-opensource-src (Minor issue) [jessie] - qtbase-opensource-src (Minor issue) - qt4-x11 4:4.8.7+dfsg-18 [stretch] - qt4-x11 (Minor issue) [jessie] - qt4-x11 (Minor issue) NOTE: https://bugreports.qt.io/browse/QTBUG-69449 NOTE: qt4-x11: POC doesn't crash on neither jessie nor stretch, it's possibly incomplete; patch applies though. CVE-2018-19871 (An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontr ...) {DLA-1786-1} - qtimageformats-opensource-src 5.11.3-2 (low) [stretch] - qtimageformats-opensource-src (Minor issue) [jessie] - qtimageformats-opensource-src (Minor issue) - qt4-x11 4:4.8.7+dfsg-18 (low; bug #923003) [stretch] - qt4-x11 (Minor issue) NOTE: https://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates/ NOTE: https://codereview.qt-project.org/#/c/237761/ NOTE: qt4-x11 affected in src/plugins/imageformats/tga/qtgafile.cpp NOTE: https://github.com/qt/qtimageformats/commit/7cfe47a8fe2f987fb2a066a696fb3d9d0afe4d65 CVE-2018-19870 (An issue was discovered in Qt before 5.11.3. A malformed GIF image cau ...) {DSA-4374-1 DLA-1786-1 DLA-1627-1} [experimental] - qtbase-opensource-src 5.11.3+dfsg-1 - qtbase-opensource-src 5.11.3+dfsg-2 (low) - qt4-x11 4:4.8.7+dfsg-18 (low; bug #923003) [stretch] - qt4-x11 (Minor issue) NOTE: https://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates/ NOTE: https://codereview.qt-project.org/#/c/235998/ NOTE: affected code can be in src/gui/image/qgifhandler.cpp or in NOTE: src/plugins/imageformats/gif/qgifhandler.cpp depending on the version NOTE: https://github.com/qt/qtbase/commit/2841e2b61e32f26900bde987d469c8b97ea31999 CVE-2018-19869 (An issue was discovered in Qt before 5.11.3. A malformed SVG image cau ...) {DLA-1786-1} [experimental] - qtsvg-opensource-src 5.11.3-1 - qtsvg-opensource-src 5.11.3-2 (low) [stretch] - qtsvg-opensource-src (Minor issue) [jessie] - qtsvg-opensource-src (Minor issue) - qt4-x11 4:4.8.7+dfsg-18 (low) [stretch] - qt4-x11 (Minor issue) NOTE: https://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates/ NOTE: https://codereview.qt-project.org/#/c/234142/ NOTE: https://github.com/qt/qtsvg/commit/8c199714e9bc638fb3f6ec747fb7a23373e49335 CVE-2018-19868 RESERVED CVE-2018-19867 RESERVED CVE-2018-19866 RESERVED CVE-2018-19865 (A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7 ...) [experimental] - qtvirtualkeyboard-opensource-src 5.11.3+dfsg-1 - qtvirtualkeyboard-opensource-src 5.11.3+dfsg-2 NOTE: http://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates/ CVE-2018-19864 (NUUO NVRmini2 Network Video Recorder firmware through 3.9.1 allows rem ...) NOT-FOR-US: NUUO NVRmini2 Network Video Recorder firmware CVE-2018-19863 (An issue was discovered in 1Password 7.2.3.BETA before 7.2.3.BETA-3 on ...) NOT-FOR-US: 1Password CVE-2018-19862 (Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers ...) NOT-FOR-US: MiniShare CVE-2018-19861 (Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers ...) NOT-FOR-US: MiniShare CVE-2018-19860 (Broadcom firmware before summer 2014 on Nexus 5 BCM4335C0 2012-12-11, ...) NOT-FOR-US: Broadcom components for Android CVE-2018-19859 (OpenRefine before 3.2 beta allows directory traversal via a relative p ...) NOT-FOR-US: OpenRefine CVE-2018-19858 (PrinceXML, versions 10 and below, is vulnerable to XXE due to the lack ...) NOT-FOR-US: PrinceXML CVE-2018-19857 (The CAF demuxer in modules/demux/caf.c in VideoLAN VLC media player 3. ...) {DSA-4366-1} - vlc 3.0.4-4 (bug #915760) [jessie] - vlc (See https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: https://dyntopia.com/advisories/013-vlc NOTE: https://git.videolan.org/?p=vlc.git;a=commit;h=0cc5ea748ee5ff7705dde61ab15dff8f58be39d0 CVE-2018-19856 (GitLab CE/EE before 11.3.12, 11.4.x before 11.4.10, and 11.5.x before ...) - gitlab 11.5.4+dfsg-1 NOTE: https://about.gitlab.com/2018/12/06/critical-security-release-gitlab-11-dot-5-dot-3-released/ NOTE: https://gitlab.com/gitlab-org/gitlab-ce/issues/54857 CVE-2018-19855 (UiPath Orchestrator before 2018.3.4 allows CSV Injection, related to t ...) NOT-FOR-US: UiPath Orchestrator CVE-2018-19854 (An issue was discovered in the Linux kernel before 4.19.3. crypto_repo ...) - linux 4.18.20-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/f43f39958beb206b53292801e216d9b8a660f087 CVE-2018-19853 (An issue was discovered in hitshop through 2014-07-15. There is an ele ...) NOT-FOR-US: hitshop CVE-2018-19852 RESERVED CVE-2018-19851 RESERVED CVE-2018-19850 RESERVED CVE-2018-19849 (An issue was discovered in YzmCMS 5.2. XSS exists via the admin/conten ...) NOT-FOR-US: YzmCMS CVE-2018-19848 RESERVED CVE-2018-19847 RESERVED CVE-2018-19846 RESERVED CVE-2018-19845 (There is Stored XSS in GetSimple CMS 3.3.12 via the admin/edit.php "po ...) NOT-FOR-US: GetSimple CMS CVE-2018-19844 (FROG CMS 0.9.5 has XSS via the admin/?/snippet/add name parameter, whi ...) NOT-FOR-US: FROG CMS CVE-2018-19843 (opmov in libr/asm/p/asm_x86_nz.c in radare2 before 3.1.0 allows attack ...) - radare2 3.1.0+dfsg-1 (low) [jessie] - radare2 (Vulnerable code not present in libr/asm/p/asm_x86_nz.c) NOTE: https://github.com/radare/radare2/commit/f17bfd9f1da05f30f23a4dd05e9d2363e1406948 NOTE: https://github.com/radare/radare2/issues/12242 CVE-2018-19842 (getToken in libr/asm/p/asm_x86_nz.c in radare2 before 3.1.0 allows att ...) - radare2 3.1.0+dfsg-1 (low) [jessie] - radare2 (Vulnerable code not present in libr/asm/p/asm_x86_nz.c) NOTE: https://github.com/radare/radare2/commit/66191f780863ea8c66ace4040d0d04a8842e8432 NOTE: https://github.com/radare/radare2/issues/12239 CVE-2018-19841 (The function WavpackVerifySingleBlock in open_utils.c in libwavpack.a ...) - wavpack 5.1.0-5 (bug #915565) [stretch] - wavpack (Minor issue) [jessie] - wavpack (Minor issue) NOTE: https://github.com/dbry/WavPack/commit/bba5389dc598a92bdf2b297c3ea34620b6679b5b NOTE: https://github.com/dbry/WavPack/issues/54 CVE-2018-19840 (The function WavpackPackInit in pack_utils.c in libwavpack.a in WavPac ...) - wavpack 5.1.0-5 (bug #915564) [stretch] - wavpack (Minor issue) [jessie] - wavpack (Minor issue) NOTE: https://github.com/dbry/WavPack/commit/070ef6f138956d9ea9612e69586152339dbefe51 NOTE: https://github.com/dbry/WavPack/issues/53 CVE-2018-19839 (In LibSass prior to 3.5.5, the function handle_error in sass_context.c ...) - libsass 3.5.5-4 [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/2657 NOTE: https://github.com/sass/libsass/pull/2767 CVE-2018-19838 (In LibSass prior to 3.5.5, functions inside ast.cpp for IMPLEMENT_AST_ ...) - libsass (low) [buster] - libsass (Minor issue) [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/2660 CVE-2018-19837 (In LibSass prior to 3.5.5, Sass::Eval::operator()(Sass::Binary_Express ...) - libsass 3.5.4+20180621~c0a6cf3-1 [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/commit/210fdff7a65370c2ae24e022a2b35da8c423cc5f NOTE: https://github.com/sass/libsass/issues/2659 CVE-2018-19836 (In Metinfo 6.1.3, include/interface/applogin.php allows setting arbitr ...) NOT-FOR-US: Metinfo CVE-2018-19835 (Metinfo 6.1.3 has reflected XSS via the admin/column/move.php lang_col ...) NOT-FOR-US: Metinfo CVE-2018-19834 (The quaker function of a smart contract implementation for BOMBBA (BOM ...) NOT-FOR-US: BOMBBA (BOMB) (tradable Ethereum ERC20 token) CVE-2018-19833 (The owned function of a smart contract implementation for DDQ, an trad ...) NOT-FOR-US: DDQ (tradable Ethereum ERC20 token) CVE-2018-19832 (The NETM() function of a smart contract implementation for NewIntelTec ...) NOT-FOR-US: NewIntelTechMedia (NETM) CVE-2018-19831 (The ToOwner() function of a smart contract implementation for Cryptbon ...) NOT-FOR-US: Cryptbond Network (CBN) CVE-2018-19830 (The UBSexToken() function of a smart contract implementation for Busin ...) NOT-FOR-US: Business Alliance Financial Circle (BAFC) CVE-2018-19829 (Artica Integria IMS 5.0.83 has CSRF in godmode/usuarios/lista_usuarios ...) NOT-FOR-US: Artica Integria IMS CVE-2018-19828 (Artica Integria IMS 5.0.83 has XSS via the search_string parameter. ...) NOT-FOR-US: Artica Integria IMS CVE-2018-19827 (In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedP ...) - libsass 3.5.5-3 [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/2782 CVE-2018-19826 (** DISPUTED ** In inspect.cpp in LibSass 3.5.5, a high memory footprin ...) NOTE: https://github.com/sass/libsass/issues/2781 NOTE: Per libsass upstream this is not a security issues, but works as designed CVE-2018-19825 RESERVED CVE-2018-19824 (In the Linux kernel through 4.19.6, a local user could exploit a use-a ...) {DLA-1771-1 DLA-1731-1} - linux 4.19.9-1 [stretch] - linux 4.9.161-1 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1118152 CVE-2018-19823 RESERVED CVE-2018-19822 (Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (b ...) NOT-FOR-US: InfoVista VistaPortal SE CVE-2018-19821 (Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (b ...) NOT-FOR-US: InfoVista VistaPortal SE CVE-2018-19820 (Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (b ...) NOT-FOR-US: InfoVista VistaPortal SE CVE-2018-19819 (Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (b ...) NOT-FOR-US: InfoVista VistaPortal SE CVE-2018-19818 (Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (b ...) NOT-FOR-US: InfoVista VistaPortal SE CVE-2018-19817 (Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (b ...) NOT-FOR-US: InfoVista VistaPortal SE CVE-2018-19816 (Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (b ...) NOT-FOR-US: InfoVista VistaPortal SE CVE-2018-19815 (Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (b ...) NOT-FOR-US: InfoVista VistaPortal SE CVE-2018-19814 (Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (b ...) NOT-FOR-US: InfoVista VistaPortal SE CVE-2018-19813 (Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (b ...) NOT-FOR-US: InfoVista VistaPortal SE CVE-2018-19812 (Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (b ...) NOT-FOR-US: InfoVista VistaPortal SE CVE-2018-19811 (Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (b ...) NOT-FOR-US: InfoVista VistaPortal SE CVE-2018-19810 (Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (b ...) NOT-FOR-US: InfoVista VistaPortal SE CVE-2018-19809 (Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (b ...) NOT-FOR-US: InfoVista VistaPortal SE CVE-2018-1002105 (In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, in ...) - kubernetes 1.17.4-1 (bug #915828) NOTE: https://groups.google.com/forum/#!topic/kubernetes-announce/GVllWCg6L88 NOTE: https://github.com/kubernetes/kubernetes/issues/71411 CVE-2018-19808 RESERVED CVE-2018-19807 RESERVED CVE-2018-19806 RESERVED CVE-2018-19805 RESERVED CVE-2018-19804 RESERVED CVE-2018-19803 RESERVED CVE-2018-19802 (aubio v0.4.0 to v0.4.8 has a new_aubio_onset NULL pointer dereference. ...) - aubio 0.4.9-1 (bug #930186) [buster] - aubio (Minor issue) [stretch] - aubio (Minor issue) [jessie] - aubio (Minor issue) CVE-2018-19801 (aubio v0.4.0 to v0.4.8 has a NULL pointer dereference in new_aubio_fil ...) - aubio 0.4.9-1 (bug #930186) [buster] - aubio (Minor issue) [stretch] - aubio (Minor issue) [jessie] - aubio (Minor issue) CVE-2018-19800 (aubio v0.4.0 to v0.4.8 has a Buffer Overflow in new_aubio_tempo. ...) - aubio 0.4.9-1 (bug #930186) [buster] - aubio (Minor issue) [stretch] - aubio (Minor issue) [jessie] - aubio (Minor issue) CVE-2018-19799 (Dolibarr ERP/CRM through 8.0.3 has /exports/export.php?datatoexport= X ...) - dolibarr CVE-2018-19798 (Fleetco Fleet Maintenance Management (FMM) 1.2 and earlier allows uplo ...) NOT-FOR-US: Fleetco Fleet Maintenance Management (FMM) CVE-2018-19797 (In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Sel ...) - libsass [buster] - libsass (Minor issue) [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/2779 CVE-2018-19796 (An open redirect in the Ninja Forms plugin before 3.3.19.1 for WordPre ...) NOT-FOR-US: Ninja Forms plugin for WordPress CVE-2018-19795 (ChipsBank UMPTool saves the password to the NAND with a simple substit ...) NOT-FOR-US: Ninja Forms plugin for WordPress CVE-2018-19794 (Cross-site scripting (XSS) vulnerability in UiV2Public.index in Intern ...) NOT-FOR-US: ChipsBank UMPTool CVE-2018-19793 (jiacrontab 1.4.5 allows remote attackers to execute arbitrary commands ...) NOT-FOR-US: Internet2 Grouper CVE-2018-19792 (The server in LiteSpeed OpenLiteSpeed before 1.5.0 RC6 allows local us ...) NOT-FOR-US: OpenLiteSpeed CVE-2018-19791 (The server in LiteSpeed OpenLiteSpeed before 1.5.0 RC6 does not correc ...) NOT-FOR-US: OpenLiteSpeed CVE-2018-19790 (An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x ...) {DSA-4441-1 DLA-1707-1} - symfony 3.4.20+dfsg-1 NOTE: https://symfony.com/blog/cve-2018-19790-open-redirect-vulnerability-when-using-security-http CVE-2018-19789 (An issue was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2 ...) {DSA-4441-1 DLA-1707-1} - symfony 3.4.20+dfsg-1 NOTE: https://symfony.com/blog/cve-2018-19789-disclosure-of-uploaded-files-full-path CVE-2018-19788 (A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user wi ...) {DSA-4350-1 DLA-1644-1} - policykit-1 0.105-23 (bug #915332) NOTE: https://gitlab.freedesktop.org/polkit/polkit/issues/74 NOTE: https://gitlab.freedesktop.org/polkit/polkit/merge_requests/14 NOTE: https://gitlab.freedesktop.org/polkit/polkit/commit/2cb40c4d5feeaa09325522bd7d97910f1b59e379 NOTE: https://gitlab.freedesktop.org/polkit/polkit/commit/b534a10727455409acd54018a9c91000e7626126 CVE-2018-19787 (An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in th ...) {DLA-1604-1} - lxml 4.2.5-1 [stretch] - lxml (Minor issue) NOTE: Fixed by: https://github.com/lxml/lxml/commit/6be1d081b49c97cfd7b3fbd934a193b668629109 (lxml-4.2.5) CVE-2018-19786 (HashiCorp Vault before 1.0.0 writes the master key to the server log i ...) NOT-FOR-US: HashiCorp Vault CVE-2018-19785 (PHP-Proxy through 5.1.0 has Cross-Site Scripting (XSS) via the URL fie ...) NOT-FOR-US: PHP-Proxy CVE-2018-19784 (The str_rot_pass function in vendor/atholn1600/php-proxy/src/helpers.p ...) NOT-FOR-US: PHP-Proxy CVE-2018-19783 (Kentix MultiSensor-LAN 5.63.00 devices and previous allow Authenticati ...) NOT-FOR-US: Kentix MultiSensor-LAN CVE-2018-19782 (Multiple cross-site scripting (XSS) vulnerabilities in GET requests in ...) NOT-FOR-US: FreshRSS CVE-2018-19781 RESERVED CVE-2018-19780 RESERVED CVE-2018-19779 RESERVED CVE-2018-19778 RESERVED CVE-2018-19777 (In Artifex MuPDF 1.14.0, there is an infinite loop in the function svg ...) - mupdf 1.15.0+ds1-1 (unimportant; bug #915137) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700301 NOTE: No security impact, hang in GUI/CLI tool CVE-2018-19776 RESERVED CVE-2018-19775 (Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (b ...) NOT-FOR-US: InfoVista VistaPortal SE CVE-2018-19774 (Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (b ...) NOT-FOR-US: InfoVista VistaPortal SE CVE-2018-19773 (Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (b ...) NOT-FOR-US: InfoVista VistaPortal SE CVE-2018-19772 (Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (b ...) NOT-FOR-US: InfoVista VistaPortal SE CVE-2018-19771 (Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (b ...) NOT-FOR-US: InfoVista VistaPortal SE CVE-2018-19770 (Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (b ...) NOT-FOR-US: InfoVista VistaPortal SE CVE-2018-19769 (Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (b ...) NOT-FOR-US: InfoVista VistaPortal SE CVE-2018-19768 (Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (b ...) NOT-FOR-US: InfoVista VistaPortal SE CVE-2018-19767 (Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (b ...) NOT-FOR-US: InfoVista VistaPortal SE CVE-2018-19766 (Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (b ...) NOT-FOR-US: InfoVista VistaPortal SE CVE-2018-19765 (Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (b ...) NOT-FOR-US: InfoVista VistaPortal SE CVE-2018-19764 REJECTED CVE-2018-19763 (There is a heap-based buffer over-read at writer.c (function: write_pn ...) - libsixel 1.8.2-2 (bug #931311) [buster] - libsixel 1.8.2-1+deb10u1 [stretch] - libsixel 1.5.2-2+deb9u1 [jessie] - libsixel (The vulnerable code is not present) NOTE: https://github.com/saitoha/libsixel/issues/82 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649201 (reproducer) CVE-2018-19762 (There is a heap-based buffer overflow at fromsixel.c (function: image_ ...) - libsixel 1.8.2-2 (bug #931311) [buster] - libsixel 1.8.2-1+deb10u1 [stretch] - libsixel 1.5.2-2+deb9u1 [jessie] - libsixel (The vulnerable code is not present) NOTE: https://github.com/saitoha/libsixel/issues/81 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649199 (reproducer) CVE-2018-19761 (There is an illegal address access at fromsixel.c (function: sixel_dec ...) - libsixel 1.8.2-2 (bug #931311) [buster] - libsixel 1.8.2-1+deb10u1 [stretch] - libsixel 1.5.2-2+deb9u1 [jessie] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/78 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649200 (reproducer) CVE-2018-19760 (cfg_init in confuse.c in libConfuse 3.2.2 has a memory leak. ...) - confuse (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649152 NOTE: https://github.com/martinh/libconfuse/issues/120 NOTE: https://github.com/martinh/libconfuse/commit/5f0e9ea4213d4047649c462e4f1b59a082af58e2 NOTE: Issue caused by premature exit without cleanup on an error in the caller NOTE: not in the library; Negligible security impact in itself and disputed. CVE-2018-19759 (There is a heap-based buffer over-read at stb_image_write.h (function: ...) - libsixel 1.8.2-2 (bug #931311) [buster] - libsixel 1.8.2-1+deb10u1 [stretch] - libsixel 1.5.2-2+deb9u1 [jessie] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/77 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649202 (reproducer) NOTE: CVE description is misleading, not an issue in libstb CVE-2018-19758 (There is a heap-based buffer over-read at wav.c in wav_write_header in ...) {DLA-1632-1} - libsndfile 1.0.28-5 (bug #917416) [stretch] - libsndfile (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1643812 NOTE: https://github.com/erikd/libsndfile/issues/435 NOTE: https://github.com/erikd/libsndfile/commit/42132c543358cee9f7c3e9e9b15bb6c1063a608e NOTE: when fixing this issue, the fix needs to be made complete to not open CVE-2019-3832 CVE-2018-19757 (There is a NULL pointer dereference at function sixel_helper_set_addit ...) - libsixel 1.8.2-2 (bug #931311) [buster] - libsixel 1.8.2-1+deb10u1 [stretch] - libsixel 1.5.2-2+deb9u1 [jessie] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/79 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649197 (reproducer) CVE-2018-19756 (There is a heap-based buffer over-read at stb_image.h (function: stbi_ ...) - libsixel 1.8.2-2 (bug #931311) [buster] - libsixel 1.8.2-1+deb10u1 [stretch] - libsixel 1.5.2-2+deb9u1 [jessie] - libsixel (The vulnerable code is not present) NOTE: https://github.com/saitoha/libsixel/issues/80 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649198 (reproducer) NOTE: CVE description is misleading, not an issue in libstb CVE-2018-19755 (There is an illegal address access at asm/preproc.c (function: is_mmac ...) - nasm (unimportant; bug #915087) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392528 NOTE: https://repo.or.cz/nasm.git/commit/3079f7966dbed4497e36d5067cbfd896a90358cb NOTE: Crash in CLI tool, no security impact CVE-2018-19754 (Tarantella Enterprise before 3.11 allows bypassing Access Control. ...) NOT-FOR-US: Tarantella Enterprise CVE-2018-19753 (Tarantella Enterprise before 3.11 allows Directory Traversal. ...) NOT-FOR-US: Tarantella Enterprise CVE-2018-19752 (DomainMOD through 4.11.01 has XSS via the assets/add/registrar.php not ...) NOT-FOR-US: DomainMOD CVE-2018-19751 (DomainMOD through 4.11.01 has XSS via the admin/ssl-fields/add.php not ...) NOT-FOR-US: DomainMOD CVE-2018-19750 (DomainMOD through 4.11.01 has XSS via the admin/domain-fields/ notes f ...) NOT-FOR-US: DomainMOD CVE-2018-19749 (DomainMOD through 4.11.01 has XSS via the assets/add/account-owner.php ...) NOT-FOR-US: DomainMOD CVE-2018-19748 (app/plug/attachment/controller/admincontroller.php in SDCMS 1.6 allows ...) NOT-FOR-US: SDCMS CVE-2018-19747 REJECTED CVE-2018-19746 REJECTED CVE-2018-19745 REJECTED CVE-2018-19744 REJECTED CVE-2018-19743 REJECTED CVE-2018-19742 REJECTED CVE-2018-19741 REJECTED CVE-2018-19740 REJECTED CVE-2018-19739 REJECTED CVE-2018-19738 REJECTED CVE-2018-19737 REJECTED CVE-2018-19736 REJECTED CVE-2018-19735 REJECTED CVE-2018-19734 REJECTED CVE-2018-19733 REJECTED CVE-2018-19732 REJECTED CVE-2018-19731 REJECTED CVE-2018-19730 REJECTED CVE-2018-19729 REJECTED CVE-2018-19728 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-19727 (Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a r ...) NOT-FOR-US: Adobe CVE-2018-19726 (Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a s ...) NOT-FOR-US: Adobe CVE-2018-19725 (Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-19724 (Adobe Experience Manager Forms versions 6.2, 6.3 and 6.4 have a stored ...) NOT-FOR-US: Adobe CVE-2018-19723 (Adobe Acrobat and Reader versions 2018.011.20058 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-19722 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-19721 (Adobe Acrobat and Reader versions 2018.011.20058 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-19720 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-19719 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-19718 (Adobe Connect versions 9.8.1 and earlier have a session token exposure ...) NOT-FOR-US: Adobe CVE-2018-19717 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-19716 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-19715 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-19714 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-19713 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-19712 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-19711 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-19710 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-19709 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-19708 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-19707 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-19706 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-19705 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-19704 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-19703 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-19702 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-19701 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-19700 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-19699 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-19698 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-1000819 REJECTED CVE-2018-1000818 REJECTED CVE-2018-19697 RESERVED CVE-2018-19696 RESERVED CVE-2018-19695 RESERVED CVE-2018-19694 (HMS Industrial Networks Netbiter WS100 3.30.5 devices and previous hav ...) NOT-FOR-US: HMS Industrial Networks Netbiter WS100 CVE-2018-19693 (An issue was discovered in tp5cms through 2017-05-25. admin.php/system ...) NOT-FOR-US: tp5cms CVE-2018-19692 (An issue was discovered in tp5cms through 2017-05-25. admin.php/upload ...) NOT-FOR-US: tp5cms CVE-2018-19691 RESERVED CVE-2018-19690 RESERVED CVE-2018-19689 RESERVED CVE-2018-19688 RESERVED CVE-2018-19687 RESERVED CVE-2018-19686 RESERVED CVE-2018-19685 RESERVED CVE-2018-19684 RESERVED CVE-2018-19683 RESERVED CVE-2018-19682 RESERVED CVE-2018-19681 RESERVED CVE-2018-19680 RESERVED CVE-2018-19679 RESERVED CVE-2018-19678 RESERVED CVE-2018-19677 RESERVED CVE-2018-19676 RESERVED CVE-2018-19675 RESERVED CVE-2018-19674 RESERVED CVE-2018-19673 RESERVED CVE-2018-19672 RESERVED CVE-2018-19671 RESERVED CVE-2018-19670 RESERVED CVE-2018-19669 RESERVED CVE-2018-19668 REJECTED CVE-2018-19667 RESERVED CVE-2018-19666 (The agent in OSSEC through 3.1.0 on Windows allows local users to gain ...) - ossec-hids (bug #361954) CVE-2018-19665 (The Bluetooth subsystem in QEMU mishandles negative values for length ...) - qemu 1:3.1+dfsg-2 (low; bug #916278) [stretch] - qemu (Minor issue) [jessie] - qemu (Minor issue, bluetooth subsystem unmaintained/unusable and now deprecated, no sanctioned patch) - qemu-kvm NOTE: initial patch disputed NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg03822.html NOTE: second patch never accepted, no activity as of 20190909 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg03570.html NOTE: https://lists.debian.org/debian-lts/2019/01/msg00073.html NOTE: 3.1 marked bluetooth subsystem deprecated NOTE: https://github.com/qemu/qemu/commit/c0188e69d CVE-2018-19664 (libjpeg-turbo 2.0.1 has a heap-based buffer over-read in the put_pixel ...) - libjpeg-turbo (Vulnerable code introduced later) NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/305 NOTE: Introduced in: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/aa7459050d7a50e1d8a99488902d41fbc118a50f NOTE: Fixed by: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/f8cca819a4fb42aafa5f70df43c45e8c416d716f CVE-2018-19663 RESERVED CVE-2018-19662 (An issue was discovered in libsndfile 1.0.28. There is a buffer over-r ...) {DLA-1618-1} - libsndfile 1.0.28-5 (low) [stretch] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/429 NOTE: https://github.com/erikd/libsndfile/commit/8ddc442d539ca775d80cdbc7af17a718634a743f NOTE: similar to CVE-2017-17456/CVE-2017-17457 (but not duplicate) CVE-2018-19661 (An issue was discovered in libsndfile 1.0.28. There is a buffer over-r ...) {DLA-1618-1} - libsndfile 1.0.28-5 (low) [stretch] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/429 NOTE: https://github.com/erikd/libsndfile/commit/8ddc442d539ca775d80cdbc7af17a718634a743f NOTE: similar to CVE-2017-17456/CVE-2017-17457 (but not duplicate) CVE-2018-19660 (An exploitable authenticated command-injection vulnerability exists in ...) NOT-FOR-US: Moxa CVE-2018-19659 (An exploitable authenticated command-injection vulnerability exists in ...) NOT-FOR-US: Moxa CVE-2018-19658 (The Markdown editor in YXBJ before 8.3.2 on macOS has stored XSS. This ...) NOT-FOR-US: YXBJ CVE-2018-19657 RESERVED CVE-2018-19656 RESERVED CVE-2018-19655 (A stack-based buffer overflow in the find_green() function of dcraw th ...) - ufraw 0.22-3.1 (unimportant; bug #890086) - dcraw 9.28-2 (unimportant; bug #906529) NOTE: No security impact, crash in CLI tool CVE-2018-19654 (An issue was discovered in Sales & Company Management System (SCMS ...) NOT-FOR-US: Sales & Company Management System (SCMS) CVE-2018-19653 (HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext agent-to-agent ...) - consul 1.4.4~dfsg1-1 [buster] - consul (Minor issue) NOTE: https://github.com/hashicorp/consul/pull/5069 CVE-2018-19652 RESERVED CVE-2018-19651 (admin/functions/remote.php in Interspire Email Marketer through 6.1.6 ...) NOT-FOR-US: Interspire Email Marketer CVE-2018-19650 (Local attackers can trigger a stack-based buffer overflow on vulnerabl ...) NOT-FOR-US: Antiy-AVL ATool security management CVE-2019-1564 RESERVED CVE-2019-1563 (In situations where an attacker receives automated notification of the ...) {DSA-4540-1 DSA-4539-1 DLA-1932-1} - openssl 1.1.1d-1 - openssl1.0 NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64 (OpenSSL_1_1_1d) NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97 (OpenSSL_1_1_0l) NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f (OpenSSL_1_0_2t) NOTE: https://www.openssl.org/news/secadv/20190910.txt CVE-2019-1562 RESERVED CVE-2019-1561 RESERVED CVE-2019-1560 RESERVED CVE-2019-1559 (If an application encounters a fatal protocol error and then calls SSL ...) {DSA-4400-1 DLA-1701-1} - openssl1.0 - openssl 1.1.0b-2 NOTE: OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e NOTE: OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=48c8bcf5bca0ce7751f49599381e143de1b61786 NOTE: OpenSSL_1_1_0-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=5741d5bb74797e4532acc9f42e54c44a2726c179 (only hardening) NOTE: 1.1.0 is not impacted by CVE-2019-1559. The CVE is a result of applications NOTE: calling SSL_shutdown after a fatal alert has occurred. 1.1.0 is not vulnerable NOTE: to this issue, marking first 1.1 upload of src:openssl as fixed NOTE: https://www.openssl.org/news/secadv/20190226.txt CVE-2019-1558 RESERVED CVE-2019-1557 RESERVED CVE-2019-1556 RESERVED CVE-2019-1555 RESERVED CVE-2019-1554 RESERVED CVE-2019-1553 RESERVED CVE-2019-1552 (OpenSSL has internal defaults for a directory tree where it can find a ...) - openssl (Windows-specific) - openssl1.0 (Windows-specific) NOTE: https://www.openssl.org/news/secadv/20190730.txt CVE-2019-1551 (There is an overflow bug in the x64_64 Montgomery squaring procedure u ...) {DSA-4594-1} - openssl 1.1.1e-1 (low; bug #947949) [buster] - openssl (Wait until next upstream security release) [stretch] - openssl (Wait until next upstream security release) [jessie] - openssl (Affected modules are not present in Jessie) - openssl1.0 (low) NOTE: https://www.openssl.org/news/secadv/20191206.txt NOTE: OpenSSL_1_1_1-stable: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f NOTE: OpenSSL_1_0_2-stable: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98 CVE-2019-1550 RESERVED CVE-2019-1549 (OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). Th ...) - openssl 1.1.1d-1 [buster] - openssl 1.1.1d-0+deb10u1 [stretch] - openssl (Only affects OpenSSL 1.1.1 to 1.1.1c) [jessie] - openssl (Only affects OpenSSL 1.1.1 to 1.1.1c) - openssl1.0 (Only affects OpenSSL 1.1.1 to 1.1.1c) NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be NOTE: https://www.openssl.org/news/secadv/20190910.txt CVE-2019-1548 RESERVED CVE-2019-1547 (Normally in OpenSSL EC groups always have a co-factor present and this ...) {DSA-4540-1 DSA-4539-1 DLA-1932-1} - openssl 1.1.1d-1 - openssl1.0 NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46 (OpenSSL_1_0_2t) NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a (OpenSSL_1_1_0l) NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8 (OpenSSL_1_1_1d) NOTE: https://www.openssl.org/news/secadv/20190910.txt CVE-2019-1546 RESERVED CVE-2019-1545 RESERVED CVE-2019-1544 RESERVED CVE-2019-1543 (ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input ...) {DSA-4475-1} - openssl 1.1.1c-1 (low) [jessie] - openssl (Vulnerability does not impact 1.0.1 series) - openssl1.0 (Vulnerability does not impact 1.0.2 series) NOTE: https://www.openssl.org/news/secadv/20190306.txt NOTE: OpenSSL_1_1_1-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=f426625b6ae9a7831010750490a5f0ad689c5ba3 (OpenSSL_1_1_1c) NOTE: OpenSSL_1_1_0-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=ee22257b1418438ebaf54df98af4e24f494d1809 (OpenSSL_1_1_0k) CVE-2019-1542 RESERVED CVE-2019-1541 RESERVED CVE-2019-1540 RESERVED CVE-2019-1539 RESERVED CVE-2019-1538 RESERVED CVE-2019-1537 RESERVED CVE-2019-1536 RESERVED CVE-2019-1535 RESERVED CVE-2018-19649 (XSS exists in InfoVista VistaPortal SE Version 5.1 (build 51029). VPor ...) NOT-FOR-US: InfoVista VistaPortal CVE-2018-19648 (An issue was discovered in ADTRAN PMAA 1.6.2-1, 1.6.3, and 1.6.4. NETC ...) NOT-FOR-US: ADTRAN CVE-2018-19647 RESERVED CVE-2018-19646 (The Python CGI scripts in PWS in Imperva SecureSphere 13.0.10, 13.1.10 ...) NOT-FOR-US: Imperva SecureSphere CVE-2018-19645 (An Authentication Bypass issue exists in Solutions Business Manager (S ...) NOT-FOR-US: Solutions Business Manager (SBM) CVE-2018-19644 (Reflected cross site script issue in Micro Focus Solutions Business Ma ...) NOT-FOR-US: Micro Focus Solutions Business Manager CVE-2018-19643 (Information leakage issue in Micro Focus Solutions Business Manager (S ...) NOT-FOR-US: Micro Focus Solutions Business Manager CVE-2018-19642 (Denial of service issue in Micro Focus Solutions Business Manager (SBM ...) NOT-FOR-US: Micro Focus Solutions Business Manager CVE-2018-19641 (Unauthenticated remote code execution issue in Micro Focus Solutions B ...) NOT-FOR-US: Micro Focus Solutions Business Manager CVE-2018-19640 (If the attacker manages to create files in the directory used to colle ...) NOT-FOR-US: SLES support scripts CVE-2018-19639 (If supportutils before version 3.1-5.7.1 is run with -v to perform rpm ...) NOT-FOR-US: SLES support scripts CVE-2018-19638 (In supportutils, before version 3.1-5.7.1 and if pacemaker is installe ...) NOT-FOR-US: SLES support scripts CVE-2018-19637 (Supportutils, before version 3.1-5.7.1, wrote data to static file /tmp ...) NOT-FOR-US: SLES support scripts CVE-2018-19636 (Supportutils, before version 3.1-5.7.1, when run with command line arg ...) NOT-FOR-US: SLES support scripts CVE-2018-19635 (CA Service Desk Manager 14.1 and 17 contain a vulnerability that can a ...) NOT-FOR-US: CA Service Desk Manager CVE-2018-19634 (CA Service Desk Manager 14.1 and 17 contain a vulnerability that can a ...) NOT-FOR-US: CA Service Desk Manager CVE-2018-19633 RESERVED CVE-2018-19632 RESERVED CVE-2018-19631 RESERVED CVE-2018-19630 (cgi_handle_request in uhttpd in OpenWrt through 18.06.1 and LEDE throu ...) NOT-FOR-US: uhttpd (in OpenWRT and LEDE) CVE-2018-19629 (A Denial of Service vulnerability in the ImageNow Server service in Hy ...) NOT-FOR-US: Hyland Perceptive Content Server CVE-2018-19628 (In Wireshark 2.6.0 to 2.6.4, the ZigBee ZCL dissector could crash. Thi ...) {DSA-4359-1} - wireshark 2.6.5-1 [jessie] - wireshark (Vulnerable code not present, zigbee color control support added in v2.1.0) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15281 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=212b18825d9b668cda23d334c48867dfa66b2b36 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-57.html CVE-2018-19627 (In Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the IxVeriWave file p ...) {DSA-4359-1} - wireshark 2.6.5-1 [jessie] - wireshark (Vulnerable code not present, variable buffer to find_signature introduced in 2.4.0 with OCTO support) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15279 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=bdc33cfaecb1b4cf2c114ed9015713ddf8569a60 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-55.html CVE-2018-19626 (In Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the DCOM dissector co ...) {DSA-4359-1 DLA-1634-1} - wireshark 2.6.5-1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15130 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=c5a65115ebab55cfd5ce0a855c2256e01cab6449 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-52.html CVE-2018-19625 (In Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the dissection engine ...) {DSA-4359-1 DLA-1634-1} - wireshark 2.6.5-1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14466 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=dc4d209f39132a4ae05675a11609176ae9705cfc NOTE: https://www.wireshark.org/security/wnpa-sec-2018-51.html CVE-2018-19624 (In Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the PVFS dissector co ...) {DSA-4359-1 DLA-1634-1} - wireshark 2.6.5-1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15280 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=3e319db1107b08fc3be804b6d449143ec9aa0dec NOTE: https://www.wireshark.org/security/wnpa-sec-2018-56.html CVE-2018-19623 (In Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the LBMPDM dissector ...) {DSA-4359-1 DLA-1634-1} - wireshark 2.6.5-1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15132 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=9c8645ec7b28e4d7193962ecd2a418613bf6a84f NOTE: https://www.wireshark.org/security/wnpa-sec-2018-53.html CVE-2018-19622 (In Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the MMSE dissector co ...) {DSA-4359-1 DLA-1634-1} - wireshark 2.6.5-1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15250 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=3b7555d32d11862f0e500ec466ad6bfe54190076 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-54.html CVE-2018-19621 (server/index.php?s=/api/teamMember/save in ShowDoc 2.4.2 has a CSRF th ...) NOT-FOR-US: ShowDoc CVE-2018-19620 (ShowDoc 2.4.1 allows remote attackers to edit other users' notes by na ...) NOT-FOR-US: ShowDoc CVE-2018-19619 RESERVED CVE-2018-19618 RESERVED CVE-2018-19617 RESERVED CVE-2018-19616 (An issue was discovered in Rockwell Automation Allen-Bradley PowerMoni ...) NOT-FOR-US: Rockwell Automation Allen-Bradley PowerMonitor 1000 CVE-2018-19615 (Rockwell Automation Allen-Bradley PowerMonitor 1000 all versions. A re ...) NOT-FOR-US: Rockwell Automation Allen-Bradley PowerMonitor 1000 CVE-2018-19614 (XSS exists in the /cmdexec/cmdexe?cmd= function in Westermo DR-250 Pre ...) NOT-FOR-US: Westermo routers CVE-2018-19613 (Westermo DR-250 Pre-5162 and DR-260 Pre-5162 routers allow CSRF. ...) NOT-FOR-US: Westermo routers CVE-2018-19612 (The /uploadfile? functionality in Westermo DR-250 Pre-5162 and DR-260 ...) NOT-FOR-US: Westermo routers CVE-2018-19611 RESERVED CVE-2018-19610 RESERVED CVE-2018-19609 (ShowDoc 2.4.1 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: ShowDoc CVE-2018-19608 (Arm Mbed TLS before 2.14.1, before 2.7.8, and before 2.1.17 allows a l ...) - mbedtls 2.14.1-1 (bug #915796) [stretch] - mbedtls (Minor issue) - polarssl [jessie] - polarssl (Minor issue) NOTE: http://cat.eyalro.net/ NOTE: https://tls.mbed.org/tech-updates/releases/mbedtls-2.14.1-2.7.8-and-2.1.17-released NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-03 CVE-2019-1534 REJECTED CVE-2019-1533 REJECTED CVE-2019-1532 REJECTED CVE-2019-1531 REJECTED CVE-2019-1530 REJECTED CVE-2019-1529 REJECTED CVE-2019-1528 REJECTED CVE-2019-1527 REJECTED CVE-2019-1526 REJECTED CVE-2019-1525 REJECTED CVE-2019-1524 REJECTED CVE-2019-1523 REJECTED CVE-2019-1522 REJECTED CVE-2019-1521 REJECTED CVE-2019-1520 REJECTED CVE-2019-1519 REJECTED CVE-2019-1518 REJECTED CVE-2019-1517 REJECTED CVE-2019-1516 REJECTED CVE-2019-1515 REJECTED CVE-2019-1514 REJECTED CVE-2019-1513 REJECTED CVE-2019-1512 REJECTED CVE-2019-1511 REJECTED CVE-2019-1510 REJECTED CVE-2019-1509 REJECTED CVE-2019-1508 REJECTED CVE-2019-1507 REJECTED CVE-2019-1506 REJECTED CVE-2019-1505 REJECTED CVE-2019-1504 REJECTED CVE-2019-1503 REJECTED CVE-2019-1502 REJECTED CVE-2019-1501 REJECTED CVE-2019-1500 REJECTED CVE-2019-1499 REJECTED CVE-2019-1498 REJECTED CVE-2019-1497 REJECTED CVE-2019-1496 REJECTED CVE-2019-1495 REJECTED CVE-2019-1494 REJECTED CVE-2019-1493 REJECTED CVE-2019-1492 REJECTED CVE-2019-1491 RESERVED CVE-2019-1490 (A spoofing vulnerability exists when a Skype for Business Server does ...) NOT-FOR-US: Skype CVE-2019-1489 (An information disclosure vulnerability exists when the Windows Remote ...) NOT-FOR-US: Microsoft CVE-2019-1488 (A security feature bypass vulnerability exists when Microsoft Defender ...) NOT-FOR-US: Microsoft CVE-2019-1487 (An information disclosure vulnerability in Android Apps using Microsof ...) NOT-FOR-US: Microsoft CVE-2019-1486 (A spoofing vulnerability exists in Visual Studio Live Share when a gue ...) NOT-FOR-US: Microsoft CVE-2019-1485 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2019-1484 (A remote code execution vulnerability exists when Microsoft Windows OL ...) NOT-FOR-US: Microsoft CVE-2019-1483 (An elevation of privilege vulnerability exists when the Windows AppX D ...) NOT-FOR-US: Microsoft CVE-2019-1482 REJECTED CVE-2019-1481 (An information disclosure vulnerability exists in Windows Media Player ...) NOT-FOR-US: Microsoft CVE-2019-1480 (An information disclosure vulnerability exists in Windows Media Player ...) NOT-FOR-US: Microsoft CVE-2019-1479 REJECTED CVE-2019-1478 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2019-1477 (An elevation of privilege vulnerability exists when the Windows Printe ...) NOT-FOR-US: Microsoft CVE-2019-1476 (An elevation of privilege vulnerability exists when Windows AppX Deplo ...) NOT-FOR-US: Microsoft CVE-2019-1475 REJECTED CVE-2019-1474 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2019-1473 REJECTED CVE-2019-1472 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2019-1471 (A remote code execution vulnerability exists when Windows Hyper-V on a ...) NOT-FOR-US: Microsoft CVE-2019-1470 (An information disclosure vulnerability exists when Windows Hyper-V on ...) NOT-FOR-US: Microsoft CVE-2019-1469 (An information disclosure vulnerability exists when the win32k compone ...) NOT-FOR-US: Microsoft CVE-2019-1468 (A remote code execution vulnerability exists when the Windows font lib ...) NOT-FOR-US: Microsoft CVE-2019-1467 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-1466 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-1465 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-1464 (An information disclosure vulnerability exists when Microsoft Excel im ...) NOT-FOR-US: Microsoft CVE-2019-1463 (An information disclosure vulnerability exists in Microsoft Access sof ...) NOT-FOR-US: Microsoft CVE-2019-1462 (A remote code execution vulnerability exists in Microsoft PowerPoint s ...) NOT-FOR-US: Microsoft CVE-2019-1461 (A denial of service vulnerability exists in Microsoft Word software wh ...) NOT-FOR-US: Microsoft CVE-2019-1460 (A spoofing vulnerability exists in the way Microsoft Outlook for Andro ...) NOT-FOR-US: Microsoft Outlook for Android software CVE-2019-1459 REJECTED CVE-2019-1458 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2019-1457 (A security feature bypass vulnerability exists in Microsoft Office sof ...) NOT-FOR-US: Microsoft CVE-2019-1456 (A remote code execution vulnerability exists in Microsoft Windows when ...) NOT-FOR-US: Microsoft CVE-2019-1455 REJECTED CVE-2019-1454 (An elevation of privilege vulnerability exists when the Windows User P ...) NOT-FOR-US: Microsoft CVE-2019-1453 (A denial of service vulnerability exists in Remote Desktop Protocol (R ...) NOT-FOR-US: Microsoft CVE-2019-1452 REJECTED CVE-2019-1451 REJECTED CVE-2019-1450 REJECTED CVE-2019-1449 (A security feature bypass vulnerability exists in the way that Office ...) NOT-FOR-US: Microsoft CVE-2019-1448 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2019-1447 (A spoofing vulnerability exists when Office Online does not validate o ...) NOT-FOR-US: Microsoft CVE-2019-1446 (An information disclosure vulnerability exists when Microsoft Excel im ...) NOT-FOR-US: Microsoft CVE-2019-1445 (A spoofing vulnerability exists when Office Online does not validate o ...) NOT-FOR-US: Microsoft CVE-2019-1444 REJECTED CVE-2019-1443 (An information disclosure vulnerability exists in Microsoft SharePoint ...) NOT-FOR-US: Microsoft CVE-2019-1442 (A security feature bypass vulnerability exists when Microsoft Office d ...) NOT-FOR-US: Microsoft CVE-2019-1441 (A remote code execution vulnerability exists when the Windows font lib ...) NOT-FOR-US: Microsoft CVE-2019-1440 (An information disclosure vulnerability exists when the win32k compone ...) NOT-FOR-US: Microsoft CVE-2019-1439 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-1438 (An elevation of privilege vulnerability exists when the Windows Graphi ...) NOT-FOR-US: Microsoft CVE-2019-1437 (An elevation of privilege vulnerability exists when the Windows Graphi ...) NOT-FOR-US: Microsoft CVE-2019-1436 (An information disclosure vulnerability exists when the win32k compone ...) NOT-FOR-US: Microsoft CVE-2019-1435 (An elevation of privilege vulnerability exists when the Windows Graphi ...) NOT-FOR-US: Microsoft CVE-2019-1434 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2019-1433 (An elevation of privilege vulnerability exists when the Windows Graphi ...) NOT-FOR-US: Microsoft CVE-2019-1432 (An information disclosure vulnerability exists when DirectWrite improp ...) NOT-FOR-US: Microsoft CVE-2019-1431 REJECTED CVE-2019-1430 (A remote code execution vulnerability exists when Windows Media Founda ...) NOT-FOR-US: Microsoft CVE-2019-1429 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-1428 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-1427 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-1426 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-1425 (An elevation of privilege vulnerability exists when Visual Studio fail ...) NOT-FOR-US: Microsoft CVE-2019-1424 (A security feature bypass vulnerability exists when Windows Netlogon i ...) NOT-FOR-US: Microsoft CVE-2019-1423 (An elevation of privilege vulnerability exists in the way that the Sta ...) NOT-FOR-US: Microsoft CVE-2019-1422 (An elevation of privilege vulnerability exists in the way that the iph ...) NOT-FOR-US: Microsoft CVE-2019-1421 REJECTED CVE-2019-1420 (An elevation of privilege vulnerability exists in the way that the dss ...) NOT-FOR-US: Microsoft CVE-2019-1419 (A remote code execution vulnerability exists in Microsoft Windows when ...) NOT-FOR-US: Microsoft CVE-2019-1418 (An information vulnerability exists when Windows Modules Installer Ser ...) NOT-FOR-US: Microsoft CVE-2019-1417 (An elevation of privilege vulnerability exists when the Windows Data S ...) NOT-FOR-US: Microsoft CVE-2019-1416 (An elevation of privilege vulnerability exists due to a race condition ...) NOT-FOR-US: Microsoft CVE-2019-1415 (An elevation of privilege vulnerability exists in Windows Installer be ...) NOT-FOR-US: Microsoft CVE-2019-1414 (An elevation of privilege vulnerability exists in Visual Studio Code w ...) NOT-FOR-US: Microsoft CVE-2019-1413 (A security feature bypass vulnerability exists when Microsoft Edge imp ...) NOT-FOR-US: Microsoft CVE-2019-1412 (An information disclosure vulnerability exists in Windows Adobe Type M ...) NOT-FOR-US: Microsoft CVE-2019-1411 (An information disclosure vulnerability exists when DirectWrite improp ...) NOT-FOR-US: Microsoft CVE-2019-1410 REJECTED CVE-2019-1409 (An information disclosure vulnerability exists when the Windows Remote ...) NOT-FOR-US: Microsoft CVE-2019-1408 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2019-1407 (An elevation of privilege vulnerability exists when the Windows Graphi ...) NOT-FOR-US: Microsoft CVE-2019-1406 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-1405 (An elevation of privilege vulnerability exists when the Windows Univer ...) NOT-FOR-US: Microsoft CVE-2019-1404 REJECTED CVE-2019-1403 REJECTED CVE-2019-1402 (An information disclosure vulnerability exists in Microsoft Office sof ...) NOT-FOR-US: Microsoft CVE-2019-1401 REJECTED CVE-2019-1400 (An information disclosure vulnerability exists in Microsoft Access sof ...) NOT-FOR-US: Microsoft CVE-2019-1399 (A denial of service vulnerability exists when Microsoft Hyper-V on a h ...) NOT-FOR-US: Microsoft CVE-2019-1398 (A remote code execution vulnerability exists when Windows Hyper-V on a ...) NOT-FOR-US: Microsoft CVE-2019-1397 (A remote code execution vulnerability exists when Windows Hyper-V on a ...) NOT-FOR-US: Microsoft CVE-2019-1396 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2019-1395 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2019-1394 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2019-1393 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2019-1392 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2019-1391 (A denial of service vulnerability exists when Windows improperly handl ...) NOT-FOR-US: Microsoft CVE-2019-1390 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2019-1389 (A remote code execution vulnerability exists when Windows Hyper-V on a ...) NOT-FOR-US: Microsoft CVE-2019-1388 (An elevation of privilege vulnerability exists in the Windows Certific ...) NOT-FOR-US: Microsoft CVE-2019-1387 (An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v ...) {DSA-4581-1 DLA-2059-1} - git 1:2.24.0-2 NOTE: https://git.kernel.org/pub/scm/git/git.git/commit/?id=a8dee3ca610f5a1d403634492136c887f83b59d2 NOTE: https://www.openwall.com/lists/oss-security/2019/12/13/1 CVE-2019-1386 REJECTED CVE-2019-1385 (An elevation of privilege vulnerability exists when the Windows AppX D ...) NOT-FOR-US: Microsoft CVE-2019-1384 (A security feature bypass vulnerability exists where a NETLOGON messag ...) NOT-FOR-US: Microsoft CVE-2019-1383 (An elevation of privilege vulnerability exists when the Windows Data S ...) NOT-FOR-US: Microsoft CVE-2019-1382 (An elevation of privilege vulnerability exists when ActiveX Installer ...) NOT-FOR-US: Microsoft CVE-2019-1381 (An information disclosure vulnerability exists when the Windows Servic ...) NOT-FOR-US: Microsoft CVE-2019-1380 (A local elevation of privilege vulnerability exists in how splwow64.ex ...) NOT-FOR-US: Microsoft CVE-2019-1379 (An elevation of privilege vulnerability exists when the Windows Data S ...) NOT-FOR-US: Microsoft CVE-2019-1378 (An elevation of privilege vulnerability exists in Windows 10 Update As ...) NOT-FOR-US: Microsoft CVE-2019-1377 REJECTED CVE-2019-1376 (An information disclosure vulnerability exists in Microsoft SQL Server ...) NOT-FOR-US: Microsoft CVE-2019-1375 (A cross site scripting vulnerability exists when Microsoft Dynamics 36 ...) NOT-FOR-US: Microsoft CVE-2019-1374 (An information disclosure vulnerability exists in the way Windows Erro ...) NOT-FOR-US: Microsoft CVE-2019-1373 (A remote code execution vulnerability exists in Microsoft Exchange thr ...) NOT-FOR-US: Microsoft CVE-2019-1372 (An remote code execution vulnerability exists when Azure App Service/ ...) NOT-FOR-US: Microsoft CVE-2019-1371 (A remote code execution vulnerability exists when Internet Explorer im ...) NOT-FOR-US: Microsoft CVE-2019-1370 (An information disclosure vulnerability exists when affected Open Encl ...) NOT-FOR-US: Microsoft CVE-2019-1369 (An information disclosure vulnerability exists when affected Open Encl ...) NOT-FOR-US: Microsoft CVE-2019-1368 (A security feature bypass exists when Windows Secure Boot improperly r ...) NOT-FOR-US: Microsoft CVE-2019-1367 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-1366 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-1365 (An elevation of privilege vulnerability exists when Microsoft IIS Serv ...) NOT-FOR-US: Microsoft CVE-2019-1364 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2019-1363 (An information disclosure vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2019-1362 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2019-1361 (An information disclosure vulnerability exists in the way that Microso ...) NOT-FOR-US: Microsoft CVE-2019-1360 REJECTED CVE-2019-1359 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-1358 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-1357 (A spoofing vulnerability exists when Microsoft Browsers improperly han ...) NOT-FOR-US: Microsoft CVE-2019-1356 (An information disclosure vulnerability exists when Microsoft Edge bas ...) NOT-FOR-US: Microsoft CVE-2019-1355 REJECTED CVE-2019-1354 (A remote code execution vulnerability exists when Git for Visual Studi ...) - git 1:2.24.0-2 (unimportant) [buster] - git 1:2.20.1-2+deb10u1 NOTE: https://git.kernel.org/pub/scm/git/git.git/commit/?id=e1d911dd4c7b76a5a8cec0f5c8de15981e34da83 NOTE: https://www.openwall.com/lists/oss-security/2019/12/13/1 CVE-2019-1353 (An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v ...) {DSA-4581-1 DLA-2059-1} - git 1:2.24.0-2 NOTE: https://git.kernel.org/pub/scm/git/git.git/commit/?id=9102f958ee5254b10c0be72672aa3305bf4f4704 NOTE: https://www.openwall.com/lists/oss-security/2019/12/13/1 CVE-2019-1352 (A remote code execution vulnerability exists when Git for Visual Studi ...) {DSA-4581-1 DLA-2059-1} - git 1:2.24.0-2 NOTE: https://git.kernel.org/pub/scm/git/git.git/commit/?id=7c3745fc6185495d5765628b4dfe1bd2c25a2981 NOTE: https://www.openwall.com/lists/oss-security/2019/12/13/1 NOTE: Additional hardening for .gitmodules (but not part of the CVE): NOTE: https://git.kernel.org/pub/scm/git/git.git/commit/?id=91bd46588e6959e6903e275f78b10bd07830d547 CVE-2019-1351 (A tampering vulnerability exists when Git for Visual Studio improperly ...) - git 1:2.24.0-2 (unimportant) [buster] - git 1:2.20.1-2+deb10u1 NOTE: https://git.kernel.org/pub/scm/git/git.git/commit/?id=f82a97eb9197c1e3768e72648f37ce0ca3233734 NOTE: https://www.openwall.com/lists/oss-security/2019/12/13/1 CVE-2019-1350 (A remote code execution vulnerability exists when Git for Visual Studi ...) - git 1:2.24.0-2 (unimportant) [buster] - git 1:2.20.1-2+deb10u1 NOTE: https://git.kernel.org/pub/scm/git/git.git/commit/?id=6d8684161ee9c03bed5cb69ae76dfdddb85a0003 NOTE: https://www.openwall.com/lists/oss-security/2019/12/13/1 CVE-2019-1349 (A remote code execution vulnerability exists when Git for Visual Studi ...) {DSA-4581-1 DLA-2059-1} - git 1:2.24.0-2 NOTE: https://git.kernel.org/pub/scm/git/git.git/commit/?id=0060fd1511b94c918928fa3708f69a3f33895a4a NOTE: https://www.openwall.com/lists/oss-security/2019/12/13/1 CVE-2019-1348 (An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v ...) {DSA-4581-1 DLA-2059-1} - git 1:2.24.0-2 NOTE: https://git.kernel.org/pub/scm/git/git.git/commit/?id=68061e3470210703cb15594194718d35094afdc0 NOTE: https://www.openwall.com/lists/oss-security/2019/12/13/1 CVE-2019-1347 (A denial of service vulnerability exists when Windows improperly handl ...) NOT-FOR-US: Microsoft CVE-2019-1346 (A denial of service vulnerability exists when Windows improperly handl ...) NOT-FOR-US: Microsoft CVE-2019-1345 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2019-1344 (An information disclosure vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2019-1343 (A denial of service vulnerability exists when Windows improperly handl ...) NOT-FOR-US: Microsoft CVE-2019-1342 (An elevation of privilege vulnerability exists when Windows Error Repo ...) NOT-FOR-US: Microsoft CVE-2019-1341 (An elevation of privilege vulnerability exists when umpo.dll of the Po ...) NOT-FOR-US: Microsoft CVE-2019-1340 (An elevation of privilege vulnerability exists in Windows AppX Deploym ...) NOT-FOR-US: Microsoft CVE-2019-1339 (An elevation of privilege vulnerability exists when Windows Error Repo ...) NOT-FOR-US: Microsoft CVE-2019-1338 (A security feature bypass vulnerability exists in Microsoft Windows wh ...) NOT-FOR-US: Microsoft CVE-2019-1337 (An information disclosure vulnerability exists when Windows Update Cli ...) NOT-FOR-US: Microsoft CVE-2019-1336 (An elevation of privilege vulnerability exists in the Microsoft Window ...) NOT-FOR-US: Microsoft CVE-2019-1335 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-1334 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2019-1333 (A remote code execution vulnerability exists in the Windows Remote Des ...) NOT-FOR-US: Microsoft CVE-2019-1332 (A cross-site scripting (XSS) vulnerability exists when Microsoft SQL S ...) NOT-FOR-US: Microsoft CVE-2019-1331 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2019-1330 (An elevation of privilege vulnerability exists in Microsoft SharePoint ...) NOT-FOR-US: Microsoft CVE-2019-1329 (An elevation of privilege vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2019-1328 (A spoofing vulnerability exists when Microsoft SharePoint Server does ...) NOT-FOR-US: Microsoft CVE-2019-1327 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2019-1326 (A denial of service vulnerability exists in Remote Desktop Protocol (R ...) NOT-FOR-US: Microsoft CVE-2019-1325 (An elevation of privilege vulnerability exists in the Windows redirect ...) NOT-FOR-US: Microsoft CVE-2019-1324 (An information disclosure vulnerability exists when the Windows TCP/IP ...) NOT-FOR-US: Microsoft CVE-2019-1323 (An elevation of privilege vulnerability exists in the Microsoft Window ...) NOT-FOR-US: Microsoft CVE-2019-1322 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2019-1321 (An elevation of privilege vulnerability exists when Windows CloudStore ...) NOT-FOR-US: Microsoft CVE-2019-1320 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2019-1319 (An elevation of privilege vulnerability exists in Windows Error Report ...) NOT-FOR-US: Microsoft CVE-2019-1318 (A spoofing vulnerability exists when Transport Layer Security (TLS) ac ...) NOT-FOR-US: Microsoft CVE-2019-1317 (A denial of service vulnerability exists when Windows improperly handl ...) NOT-FOR-US: Microsoft CVE-2019-1316 (An elevation of privilege vulnerability exists in Microsoft Windows Se ...) NOT-FOR-US: Microsoft CVE-2019-1315 (An elevation of privilege vulnerability exists when Windows Error Repo ...) NOT-FOR-US: Microsoft CVE-2019-1314 (A security feature bypass vulnerability exists in Windows 10 Mobile wh ...) NOT-FOR-US: Microsoft CVE-2019-1313 (An information disclosure vulnerability exists in Microsoft SQL Server ...) NOT-FOR-US: Microsoft CVE-2019-1312 REJECTED CVE-2019-1311 (A remote code execution vulnerability exists when the Windows Imaging ...) NOT-FOR-US: Microsoft CVE-2019-1310 (A denial of service vulnerability exists when Microsoft Hyper-V Networ ...) NOT-FOR-US: Microsoft CVE-2019-1309 (A denial of service vulnerability exists when Microsoft Hyper-V Networ ...) NOT-FOR-US: Microsoft CVE-2019-1308 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-1307 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-1306 (A remote code execution vulnerability exists when Azure DevOps Server ...) NOT-FOR-US: Microsoft CVE-2019-1305 (A Cross-site Scripting (XSS) vulnerability exists when Team Foundation ...) NOT-FOR-US: Microsoft CVE-2019-1304 REJECTED CVE-2019-1303 (An elevation of privilege vulnerability exists when the Windows AppX D ...) NOT-FOR-US: Microsoft CVE-2019-1302 (An elevation of privilege vulnerability exists when a ASP.NET Core web ...) NOT-FOR-US: Microsoft CVE-2019-1301 (A denial of service vulnerability exists when .NET Core improperly han ...) NOT-FOR-US: Microsoft CVE-2019-1300 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-1299 (An information disclosure vulnerability exists when Microsoft Edge bas ...) NOT-FOR-US: Microsoft CVE-2019-1298 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-1297 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2019-1296 (A remote code execution vulnerability exists in Microsoft SharePoint w ...) NOT-FOR-US: Microsoft CVE-2019-1295 (A remote code execution vulnerability exists in Microsoft SharePoint w ...) NOT-FOR-US: Microsoft CVE-2019-1294 (A security feature bypass exists when Windows Secure Boot improperly r ...) NOT-FOR-US: Microsoft CVE-2019-1293 (An information disclosure vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2019-1292 (A denial of service vulnerability exists when Windows improperly handl ...) NOT-FOR-US: Microsoft CVE-2019-1291 (A remote code execution vulnerability exists in the Windows Remote Des ...) NOT-FOR-US: Microsoft CVE-2019-1290 (A remote code execution vulnerability exists in the Windows Remote Des ...) NOT-FOR-US: Microsoft CVE-2019-1289 (An elevation of privilege vulnerability exists when the Windows Update ...) NOT-FOR-US: Microsoft CVE-2019-1288 REJECTED CVE-2019-1287 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2019-1286 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-1285 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2019-1284 (An elevation of privilege vulnerability exists when DirectX improperly ...) NOT-FOR-US: Microsoft CVE-2019-1283 (An information disclosure vulnerability exists in the way that Microso ...) NOT-FOR-US: Microsoft CVE-2019-1282 (An information disclosure exists in the Windows Common Log File System ...) NOT-FOR-US: Microsoft CVE-2019-1281 REJECTED CVE-2019-1280 (A remote code execution vulnerability exists in Microsoft Windows that ...) NOT-FOR-US: Microsoft CVE-2019-1279 REJECTED CVE-2019-1278 (An elevation of privilege vulnerability exists in the way that the uni ...) NOT-FOR-US: Microsoft CVE-2019-1277 (An elevation of privilege vulnerability exists in Windows Audio Servic ...) NOT-FOR-US: Microsoft CVE-2019-1276 REJECTED CVE-2019-1275 REJECTED CVE-2019-1274 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2019-1273 (A cross-site-scripting (XSS) vulnerability exists when Active Director ...) NOT-FOR-US: Microsoft CVE-2019-1272 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2019-1271 (An elevation of privilege exists in hdAudio.sys which may lead to an o ...) NOT-FOR-US: Microsoft CVE-2019-1270 (An elevation of privilege vulnerability exists in Windows store instal ...) NOT-FOR-US: Microsoft CVE-2019-1269 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2019-1268 (An elevation of privilege exists when Winlogon does not properly handl ...) NOT-FOR-US: Microsoft CVE-2019-1267 (An elevation of privilege vulnerability exists in Microsoft Compatibil ...) NOT-FOR-US: Microsoft CVE-2019-1266 (A spoofing vulnerability exists in Microsoft Exchange Server when Outl ...) NOT-FOR-US: Microsoft CVE-2019-1265 (A security feature bypass vulnerability exists when Microsoft Yammer A ...) NOT-FOR-US: Microsoft CVE-2019-1264 (A security feature bypass vulnerability exists when Microsoft Office i ...) NOT-FOR-US: Microsoft CVE-2019-1263 (An information disclosure vulnerability exists when Microsoft Excel im ...) NOT-FOR-US: Microsoft CVE-2019-1262 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2019-1261 (A spoofing vulnerability exists in Microsoft SharePoint when it improp ...) NOT-FOR-US: Microsoft CVE-2019-1260 (An elevation of privilege vulnerability exists in Microsoft SharePoint ...) NOT-FOR-US: Microsoft CVE-2019-1259 (A spoofing vulnerability exists in Microsoft SharePoint when it improp ...) NOT-FOR-US: Microsoft CVE-2019-1258 (An elevation of privilege vulnerability exists in Azure Active Directo ...) NOT-FOR-US: Microsoft CVE-2019-1257 (A remote code execution vulnerability exists in Microsoft SharePoint w ...) NOT-FOR-US: Microsoft CVE-2019-1256 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2019-1255 (A denial of service vulnerability exists when Microsoft Defender impro ...) NOT-FOR-US: Microsoft CVE-2019-1254 (An information disclosure vulnerability exists when Windows Hyper-V wr ...) NOT-FOR-US: Microsoft CVE-2019-1253 (An elevation of privilege vulnerability exists when the Windows AppX D ...) NOT-FOR-US: Microsoft CVE-2019-1252 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-1251 (An information disclosure vulnerability exists when DirectWrite improp ...) NOT-FOR-US: Microsoft CVE-2019-1250 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-1249 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-1248 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-1247 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-1246 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-1245 (An information disclosure vulnerability exists when DirectWrite improp ...) NOT-FOR-US: Microsoft CVE-2019-1244 (An information disclosure vulnerability exists when DirectWrite improp ...) NOT-FOR-US: Microsoft CVE-2019-1243 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-1242 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-1241 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-1240 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-1239 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2019-1238 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2019-1237 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-1236 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2019-1235 (An elevation of privilege vulnerability exists in Windows Text Service ...) NOT-FOR-US: Microsoft CVE-2019-1234 (A spoofing vulnerability exists when Azure Stack fails to validate cer ...) NOT-FOR-US: Microsoft CVE-2019-1233 (A denial of service vulnerability exists in Microsoft Exchange Server ...) NOT-FOR-US: Microsoft CVE-2019-1232 (An elevation of privilege vulnerability exists when the Diagnostics Hu ...) NOT-FOR-US: Microsoft CVE-2019-1231 (An information disclosure vulnerability exists in the way Rome SDK han ...) NOT-FOR-US: Microsoft CVE-2019-1230 (An information disclosure vulnerability exists when the Windows Hyper- ...) NOT-FOR-US: Microsoft CVE-2019-1229 (An elevation of privilege vulnerability exists in Dynamics On-Premise ...) NOT-FOR-US: Microsoft CVE-2019-1228 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2019-1227 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2019-1226 (A remote code execution vulnerability exists in Remote Desktop Service ...) NOT-FOR-US: Microsoft CVE-2019-1225 (An information disclosure vulnerability exists when the Windows RDP se ...) NOT-FOR-US: Microsoft CVE-2019-1224 (An information disclosure vulnerability exists when the Windows RDP se ...) NOT-FOR-US: Microsoft CVE-2019-1223 (A denial of service vulnerability exists in Remote Desktop Protocol (R ...) NOT-FOR-US: Microsoft CVE-2019-1222 (A remote code execution vulnerability exists in Remote Desktop Service ...) NOT-FOR-US: Microsoft CVE-2019-1221 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-1220 (A security feature bypass vulnerability exists when Microsoft Browsers ...) NOT-FOR-US: Microsoft CVE-2019-1219 (An information disclosure vulnerability exists when the Windows Transa ...) NOT-FOR-US: Microsoft CVE-2019-1218 (A spoofing vulnerability exists in the way Microsoft Outlook iOS softw ...) NOT-FOR-US: Microsoft CVE-2019-1217 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-1216 (An information disclosure vulnerability exists when DirectX improperly ...) NOT-FOR-US: Microsoft CVE-2019-1215 (An elevation of privilege vulnerability exists in the way that ws2ifsl ...) NOT-FOR-US: Microsoft CVE-2019-1214 (An elevation of privilege vulnerability exists when the Windows Common ...) NOT-FOR-US: Microsoft CVE-2019-1213 (A memory corruption vulnerability exists in the Windows Server DHCP se ...) NOT-FOR-US: Microsoft CVE-2019-1212 (A memory corruption vulnerability exists in the Windows Server DHCP se ...) NOT-FOR-US: Microsoft CVE-2019-1211 (An elevation of privilege vulnerability exists in Git for Visual Studi ...) NOT-FOR-US: Microsoft CVE-2019-1210 REJECTED CVE-2019-1209 (An information disclosure vulnerability exists in Lync 2013, aka 'Lync ...) NOT-FOR-US: Microsoft CVE-2019-1208 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2019-1207 REJECTED CVE-2019-1206 (A memory corruption vulnerability exists in the Windows Server DHCP se ...) NOT-FOR-US: Microsoft CVE-2019-1205 (A remote code execution vulnerability exists in Microsoft Word softwar ...) NOT-FOR-US: Microsoft CVE-2019-1204 (An elevation of privilege vulnerability exists when Microsoft Outlook ...) NOT-FOR-US: Microsoft CVE-2019-1203 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2019-1202 (An information disclosure vulnerability exists in the way Microsoft Sh ...) NOT-FOR-US: Microsoft CVE-2019-1201 (A remote code execution vulnerability exists in Microsoft Word softwar ...) NOT-FOR-US: Microsoft CVE-2019-1200 (A remote code execution vulnerability exists in Microsoft Outlook soft ...) NOT-FOR-US: Microsoft CVE-2019-1199 (A remote code execution vulnerability exists in Microsoft Outlook when ...) NOT-FOR-US: Microsoft CVE-2019-1198 (An elevation of privilege exists in SyncController.dll, aka 'Microsoft ...) NOT-FOR-US: Microsoft CVE-2019-1197 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-1196 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-1195 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-1194 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-1193 (A remote code execution vulnerability exists in the way that Microsoft ...) NOT-FOR-US: Microsoft CVE-2019-1192 (A security feature bypass vulnerability exists when Microsoft browsers ...) NOT-FOR-US: Microsoft CVE-2019-1191 REJECTED CVE-2019-1190 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2019-1189 REJECTED CVE-2019-1188 (A remote code execution vulnerability exists in Microsoft Windows that ...) NOT-FOR-US: Microsoft CVE-2019-1187 (A denial of service vulnerability exists when the XmlLite runtime (Xml ...) NOT-FOR-US: Microsoft CVE-2019-1186 (An elevation of privilege vulnerability exists in the way that the wcm ...) NOT-FOR-US: Microsoft CVE-2019-1185 (An elevation of privilege vulnerability exists due to a stack corrupti ...) NOT-FOR-US: Microsoft CVE-2019-1184 (An elevation of privilege vulnerability exists when Windows Core Shell ...) NOT-FOR-US: Microsoft CVE-2019-1183 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2019-1182 (A remote code execution vulnerability exists in Remote Desktop Service ...) NOT-FOR-US: Microsoft CVE-2019-1181 (A remote code execution vulnerability exists in Remote Desktop Service ...) NOT-FOR-US: Microsoft CVE-2019-1180 (An elevation of privilege vulnerability exists in the way that the wcm ...) NOT-FOR-US: Microsoft CVE-2019-1179 (An elevation of privilege vulnerability exists in the way that the uni ...) NOT-FOR-US: Microsoft CVE-2019-1178 (An elevation of privilege vulnerability exists in the way that the ssd ...) NOT-FOR-US: Microsoft CVE-2019-1177 (An elevation of privilege vulnerability exists in the way that the rpc ...) NOT-FOR-US: Microsoft CVE-2019-1176 (An elevation of privilege vulnerability exists when DirectX improperly ...) NOT-FOR-US: Microsoft CVE-2019-1175 (An elevation of privilege vulnerability exists in the way that the psm ...) NOT-FOR-US: Microsoft CVE-2019-1174 (An elevation of privilege vulnerability exists in the way that the Psm ...) NOT-FOR-US: Microsoft CVE-2019-1173 (An elevation of privilege vulnerability exists in the way that the Psm ...) NOT-FOR-US: Microsoft CVE-2019-1172 (An information disclosure vulnerability exists in Azure Active Directo ...) NOT-FOR-US: Microsoft CVE-2019-1171 (An information disclosure vulnerability exists in SymCrypt during the ...) NOT-FOR-US: Microsoft CVE-2019-1170 (An elevation of privilege vulnerability exists when reparse points are ...) NOT-FOR-US: Microsoft CVE-2019-1169 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2019-1168 (An elevation of privilege exists in the p2pimsvc service where an atta ...) NOT-FOR-US: Microsoft CVE-2019-1167 (A security feature bypass vulnerability exists in Windows Defender App ...) NOT-FOR-US: Microsoft CVE-2019-1166 (A tampering vulnerability exists in Microsoft Windows when a man-in-th ...) NOT-FOR-US: Microsoft CVE-2019-1165 REJECTED CVE-2019-1164 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2019-1163 (A security feature bypass exists when Windows incorrectly validates CA ...) NOT-FOR-US: Microsoft CVE-2019-1162 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2019-1161 (An elevation of privilege vulnerability exists when the MpSigStub.exe ...) NOT-FOR-US: Microsoft CVE-2019-1160 REJECTED CVE-2019-1159 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2019-1158 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-1157 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-1156 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-1155 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-1154 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-1153 (An information disclosure vulnerability exists when the Microsoft Wind ...) NOT-FOR-US: Microsoft CVE-2019-1152 (A remote code execution vulnerability exists when the Windows font lib ...) NOT-FOR-US: Microsoft CVE-2019-1151 (A remote code execution vulnerability exists when the Windows font lib ...) NOT-FOR-US: Microsoft CVE-2019-1150 (A remote code execution vulnerability exists when the Windows font lib ...) NOT-FOR-US: Microsoft CVE-2019-1149 (A remote code execution vulnerability exists when the Windows font lib ...) NOT-FOR-US: Microsoft CVE-2019-1148 (An information disclosure vulnerability exists when the Microsoft Wind ...) NOT-FOR-US: Microsoft CVE-2019-1147 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-1146 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-1145 (A remote code execution vulnerability exists when the Windows font lib ...) NOT-FOR-US: Microsoft CVE-2019-1144 (A remote code execution vulnerability exists when the Windows font lib ...) NOT-FOR-US: Microsoft CVE-2019-1143 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-1142 (An elevation of privilege vulnerability exists when the .NET Framework ...) NOT-FOR-US: Microsoft CVE-2019-1141 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-1140 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-1139 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-1138 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-1137 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Excha ...) NOT-FOR-US: Microsoft CVE-2019-1136 (An elevation of privilege vulnerability exists in Microsoft Exchange S ...) NOT-FOR-US: Microsoft CVE-2019-1135 REJECTED CVE-2019-1134 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2019-1133 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-1132 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2019-1131 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-1130 (An elevation of privilege vulnerability exists when Windows AppX Deplo ...) NOT-FOR-US: Microsoft CVE-2019-1129 (An elevation of privilege vulnerability exists when Windows AppX Deplo ...) NOT-FOR-US: Microsoft CVE-2019-1128 (A remote code execution vulnerability exists in the way that DirectWri ...) NOT-FOR-US: Microsoft CVE-2019-1127 (A remote code execution vulnerability exists in the way that DirectWri ...) NOT-FOR-US: Microsoft CVE-2019-1126 (A security feature bypass vulnerability exists in Active Directory Fed ...) NOT-FOR-US: Microsoft CVE-2019-1125 (An information disclosure vulnerability exists when certain central pr ...) {DSA-4497-1 DSA-4495-1 DLA-1885-1 DLA-1884-1} - linux 5.2.7-1 NOTE: https://access.redhat.com/articles/4329821 CVE-2019-1124 (A remote code execution vulnerability exists in the way that DirectWri ...) NOT-FOR-US: Microsoft CVE-2019-1123 (A remote code execution vulnerability exists in the way that DirectWri ...) NOT-FOR-US: Microsoft CVE-2019-1122 (A remote code execution vulnerability exists in the way that DirectWri ...) NOT-FOR-US: Microsoft CVE-2019-1121 (A remote code execution vulnerability exists in the way that DirectWri ...) NOT-FOR-US: Microsoft CVE-2019-1120 (A remote code execution vulnerability exists in the way that DirectWri ...) NOT-FOR-US: Microsoft CVE-2019-1119 (A remote code execution vulnerability exists in the way that DirectWri ...) NOT-FOR-US: Microsoft CVE-2019-1118 (A remote code execution vulnerability exists in the way that DirectWri ...) NOT-FOR-US: Microsoft CVE-2019-1117 (A remote code execution vulnerability exists in the way that DirectWri ...) NOT-FOR-US: Microsoft CVE-2019-1116 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-1115 REJECTED CVE-2019-1114 REJECTED CVE-2019-1113 (A remote code execution vulnerability exists in .NET software when the ...) NOT-FOR-US: Microsoft .NET CVE-2019-1112 (An information disclosure vulnerability exists when Microsoft Excel im ...) NOT-FOR-US: Microsoft CVE-2019-1111 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2019-1110 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2019-1109 (A spoofing vulnerability exists when Microsoft Office Javascript does ...) NOT-FOR-US: Microsoft CVE-2019-1108 (An information disclosure vulnerability exists when the Windows RDP cl ...) NOT-FOR-US: Microsoft CVE-2019-1107 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-1106 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-1105 (A spoofing vulnerability exists in the way Microsoft Outlook for Andro ...) NOT-FOR-US: Microsoft CVE-2019-1104 (A remote code execution vulnerability exists in the way that Microsoft ...) NOT-FOR-US: Microsoft CVE-2019-1103 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-1102 (A remote code execution vulnerability exists in the way that the Windo ...) NOT-FOR-US: Microsoft CVE-2019-1101 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-1100 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-1099 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-1098 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-1097 (An information disclosure vulnerability exists when DirectWrite improp ...) NOT-FOR-US: Microsoft CVE-2019-1096 (An information disclosure vulnerability exists when the win32k compone ...) NOT-FOR-US: Microsoft CVE-2019-1095 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-1094 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-1093 (An information disclosure vulnerability exists when DirectWrite improp ...) NOT-FOR-US: Microsoft CVE-2019-1092 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-1091 (An information disclosure vulnerability exists when Unistore.dll fails ...) NOT-FOR-US: Microsoft CVE-2019-1090 (An elevation of privilege vulnerability exists in the way that the dns ...) NOT-FOR-US: Microsoft CVE-2019-1089 (An elevation of privilege vulnerability exists in rpcss.dll when the R ...) NOT-FOR-US: Microsoft CVE-2019-1088 (An elevation of privilege exists in Windows Audio Service, aka 'Window ...) NOT-FOR-US: Microsoft CVE-2019-1087 (An elevation of privilege exists in Windows Audio Service, aka 'Window ...) NOT-FOR-US: Microsoft CVE-2019-1086 (An elevation of privilege exists in Windows Audio Service, aka 'Window ...) NOT-FOR-US: Microsoft CVE-2019-1085 (An elevation of privilege vulnerability exists in the way that the wla ...) NOT-FOR-US: Microsoft CVE-2019-1084 (An information disclosure vulnerability exists when Exchange allows cr ...) NOT-FOR-US: Microsoft CVE-2019-1083 (A denial of service vulnerability exists when Microsoft Common Object ...) NOT-FOR-US: Microsoft CVE-2019-1082 (An elevation of privilege vulnerability exists in Microsoft Windows wh ...) NOT-FOR-US: Microsoft CVE-2019-1081 (An information disclosure vulnerability exists when affected Microsoft ...) NOT-FOR-US: Microsoft CVE-2019-1080 (A remote code execution vulnerability exists in the way the scripting ...) NOT-FOR-US: Microsoft CVE-2019-1079 (An information disclosure vulnerability exists when Visual Studio impr ...) NOT-FOR-US: Microsoft CVE-2019-1078 (An information disclosure vulnerability exists when the Windows Graphi ...) NOT-FOR-US: Microsoft CVE-2019-1077 (An elevation of privilege vulnerability exists when the Visual Studio ...) NOT-FOR-US: Microsoft CVE-2019-1076 (A Cross-site Scripting (XSS) vulnerability exists when Team Foundation ...) NOT-FOR-US: Microsoft CVE-2019-1075 (A spoofing vulnerability exists in ASP.NET Core that could lead to an ...) NOT-FOR-US: Microsoft CVE-2019-1074 (An elevation of privilege vulnerability exists in Microsoft Windows wh ...) NOT-FOR-US: Microsoft CVE-2019-1073 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2019-1072 (A remote code execution vulnerability exists when Azure DevOps Server ...) NOT-FOR-US: Microsoft CVE-2019-1071 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2019-1070 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2019-1069 (An elevation of privilege vulnerability exists in the way the Task Sch ...) NOT-FOR-US: Microsoft CVE-2019-1068 (A remote code execution vulnerability exists in Microsoft SQL Server w ...) NOT-FOR-US: Microsoft CVE-2019-1067 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2019-1066 REJECTED CVE-2019-1065 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2019-1064 (An elevation of privilege vulnerability exists when Windows AppX Deplo ...) NOT-FOR-US: Microsoft CVE-2019-1063 (A remote code execution vulnerability exists when Internet Explorer im ...) NOT-FOR-US: Microsoft CVE-2019-1062 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-1061 REJECTED CVE-2019-1060 (A remote code execution vulnerability exists when the Microsoft XML Co ...) NOT-FOR-US: Microsoft CVE-2019-1059 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-1058 REJECTED CVE-2019-1057 (A remote code execution vulnerability exists when the Microsoft XML Co ...) NOT-FOR-US: Microsoft CVE-2019-1056 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-1055 (A remote code execution vulnerability exists in the way the scripting ...) NOT-FOR-US: Microsoft CVE-2019-1054 (A security feature bypass vulnerability exists in Edge that allows for ...) NOT-FOR-US: Microsoft CVE-2019-1053 (An elevation of privilege vulnerability exists when the Windows Shell ...) NOT-FOR-US: Microsoft CVE-2019-1052 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-1051 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-1050 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-1049 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-1048 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-1047 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-1046 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-1045 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2019-1044 (A security feature bypass vulnerability exists when Windows Secure Ker ...) NOT-FOR-US: Microsoft CVE-2019-1043 (A remote code execution vulnerability exists in the way that comctl32. ...) NOT-FOR-US: Microsoft CVE-2019-1042 REJECTED CVE-2019-1041 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2019-1040 (A tampering vulnerability exists in Microsoft Windows when a man-in-th ...) NOT-FOR-US: Microsoft CVE-2019-1039 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2019-1038 (A remote code execution vulnerability exists in the way that Microsoft ...) NOT-FOR-US: Microsoft CVE-2019-1037 (An elevation of privilege vulnerability exists in the way Windows Erro ...) NOT-FOR-US: Microsoft CVE-2019-1036 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2019-1035 (A remote code execution vulnerability exists in Microsoft Word softwar ...) NOT-FOR-US: Microsoft CVE-2019-1034 (A remote code execution vulnerability exists in Microsoft Word softwar ...) NOT-FOR-US: Microsoft CVE-2019-1033 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2019-1032 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2019-1031 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2019-1030 (An information disclosure vulnerability exists when Microsoft Edge imp ...) NOT-FOR-US: Microsoft CVE-2019-1029 (A denial of service vulnerability exists in Skype for Business, aka 'S ...) NOT-FOR-US: Skype CVE-2019-1028 (An elevation of privilege exists in Windows Audio Service, aka 'Window ...) NOT-FOR-US: Microsoft CVE-2019-1027 (An elevation of privilege exists in Windows Audio Service, aka 'Window ...) NOT-FOR-US: Microsoft CVE-2019-1026 (An elevation of privilege exists in Windows Audio Service, aka 'Window ...) NOT-FOR-US: Microsoft CVE-2019-1025 (A denial of service vulnerability exists when Windows improperly handl ...) NOT-FOR-US: Microsoft CVE-2019-1024 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-1023 (An information disclosure vulnerability exists when the scripting engi ...) NOT-FOR-US: Microsoft CVE-2019-1022 (An elevation of privilege exists in Windows Audio Service, aka 'Window ...) NOT-FOR-US: Microsoft CVE-2019-1021 (An elevation of privilege exists in Windows Audio Service, aka 'Window ...) NOT-FOR-US: Microsoft CVE-2019-1020 REJECTED CVE-2019-1019 (A security feature bypass vulnerability exists where a NETLOGON messag ...) NOT-FOR-US: Microsoft CVE-2019-1018 (An elevation of privilege vulnerability exists when DirectX improperly ...) NOT-FOR-US: Microsoft CVE-2019-1017 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2019-1016 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-1015 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-1014 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2019-1013 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-1012 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-1011 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-1010 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-1009 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-1008 (A security feature bypass vulnerability exists in Dynamics On Premise, ...) NOT-FOR-US: Microsoft Dynamics On-Premise CVE-2019-1007 (An elevation of privilege exists in Windows Audio Service, aka 'Window ...) NOT-FOR-US: Microsoft CVE-2019-1006 (An authentication bypass vulnerability exists in Windows Communication ...) NOT-FOR-US: Microsoft CVE-2019-1005 (A remote code execution vulnerability exists in the way the scripting ...) NOT-FOR-US: Microsoft CVE-2019-1004 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-1003 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-1002 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-1001 (A remote code execution vulnerability exists in the way the scripting ...) NOT-FOR-US: Microsoft CVE-2019-1000 (An elevation of privilege vulnerability exists in Microsoft Azure Acti ...) NOT-FOR-US: Microsoft CVE-2019-0999 (An elevation of privilege vulnerability exists when DirectX improperly ...) NOT-FOR-US: Microsoft CVE-2019-0998 (An elevation of privilege vulnerability exists when the Storage Servic ...) NOT-FOR-US: Microsoft CVE-2019-0997 REJECTED CVE-2019-0996 (A spoofing vulnerability exists in Azure DevOps Server when it imprope ...) NOT-FOR-US: Azure DevOps Server / Microsoft CVE-2019-0995 (A security feature bypass vulnerability exists when urlmon.dll imprope ...) NOT-FOR-US: Microsoft CVE-2019-0994 REJECTED CVE-2019-0993 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-0992 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-0991 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-0990 (An information disclosure vulnerability exists when the scripting engi ...) NOT-FOR-US: Microsoft CVE-2019-0989 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-0988 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-0987 REJECTED CVE-2019-0986 (An elevation of privilege vulnerability exists when the Windows User P ...) NOT-FOR-US: Microsoft CVE-2019-0985 (A remote code execution vulnerability exists when the Microsoft Speech ...) NOT-FOR-US: Microsoft CVE-2019-0984 (An elevation of privilege vulnerability exists when the Windows Common ...) NOT-FOR-US: Microsoft CVE-2019-0983 (An elevation of privilege vulnerability exists when the Storage Servic ...) NOT-FOR-US: Microsoft CVE-2019-0982 (A denial of service vulnerability exists when ASP.NET Core improperly ...) NOT-FOR-US: Microsoft CVE-2019-0981 (A denial of service vulnerability exists when .NET Framework or .NET C ...) NOT-FOR-US: Microsoft .NET Core CVE-2019-0980 (A denial of service vulnerability exists when .NET Framework or .NET C ...) NOT-FOR-US: Microsoft .NET Core CVE-2019-0979 (A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Se ...) NOT-FOR-US: Microsoft CVE-2019-0978 REJECTED CVE-2019-0977 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-0976 (A tampering vulnerability exists in the NuGet Package Manager for Linu ...) - nuget (Vulnerable code introduced in 5.0.0) NOTE: Fixed in NuGet.Client 5.0.2. NOTE: https://github.com/NuGet/Home/issues/7908 NOTE: https://github.com/NuGet/NuGet.Client/commit/e32a2ea7096debd3e513188f6779bb1041593326 (5.0.2.5988) CVE-2019-0975 (A security feature bypass vulnerability exists when Active Directory F ...) NOT-FOR-US: Microsoft CVE-2019-0974 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0973 (An elevation of privilege vulnerability exists in the Windows Installe ...) NOT-FOR-US: Microsoft CVE-2019-0972 (This security update corrects a denial of service in the Local Securit ...) NOT-FOR-US: Microsoft CVE-2019-0971 (An information disclosure vulnerability exists when Azure DevOps Serve ...) NOT-FOR-US: Microsoft CVE-2019-0970 REJECTED CVE-2019-0969 REJECTED CVE-2019-0968 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-0967 REJECTED CVE-2019-0966 (A denial of service vulnerability exists when Microsoft Hyper-V on a h ...) NOT-FOR-US: Microsoft CVE-2019-0965 (A remote code execution vulnerability exists when Windows Hyper-V on a ...) NOT-FOR-US: Microsoft CVE-2019-0964 REJECTED CVE-2019-0963 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2019-0962 (An elevation of privilege vulnerability exists in Azure Automation "Ru ...) NOT-FOR-US: Microsoft CVE-2019-0961 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-0960 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2019-0959 (An elevation of privilege vulnerability exists when the Windows Common ...) NOT-FOR-US: Microsoft CVE-2019-0958 (An elevation of privilege vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2019-0957 (An elevation of privilege vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2019-0956 (An information disclosure vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2019-0955 REJECTED CVE-2019-0954 REJECTED CVE-2019-0953 (A remote code execution vulnerability exists in Microsoft Word softwar ...) NOT-FOR-US: Microsoft CVE-2019-0952 (A remote code execution vulnerability exists in Microsoft SharePoint S ...) NOT-FOR-US: Microsoft CVE-2019-0951 (A spoofing vulnerability exists when Microsoft SharePoint Server does ...) NOT-FOR-US: Microsoft CVE-2019-0950 (A spoofing vulnerability exists when Microsoft SharePoint Server does ...) NOT-FOR-US: Microsoft CVE-2019-0949 (A spoofing vulnerability exists when Microsoft SharePoint Server does ...) NOT-FOR-US: Microsoft CVE-2019-0948 (An information disclosure vulnerability exists in the Windows Event Vi ...) NOT-FOR-US: Microsoft CVE-2019-0947 (A remote code execution vulnerability exists when the Microsoft Office ...) NOT-FOR-US: Microsoft CVE-2019-0946 (A remote code execution vulnerability exists when the Microsoft Office ...) NOT-FOR-US: Microsoft CVE-2019-0945 (A remote code execution vulnerability exists when the Microsoft Office ...) NOT-FOR-US: Microsoft CVE-2019-0944 REJECTED CVE-2019-0943 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2019-0942 (An elevation of privilege vulnerability exists in the Unified Write Fi ...) NOT-FOR-US: Microsoft CVE-2019-0941 (A denial of service exists in Microsoft IIS Server when the optional r ...) NOT-FOR-US: Microsoft CVE-2019-0940 (A remote code execution vulnerability exists in the way that Microsoft ...) NOT-FOR-US: Microsoft CVE-2019-0939 REJECTED CVE-2019-0938 (An elevation of privilege vulnerability exists in Microsoft Edge that ...) NOT-FOR-US: Microsoft CVE-2019-0937 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-0936 (An elevation of privilege vulnerability exists in Microsoft Windows wh ...) NOT-FOR-US: Microsoft CVE-2019-0935 REJECTED CVE-2019-0934 REJECTED CVE-2019-0933 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-0932 (An information disclosure vulnerability exists in Skype for Android, a ...) NOT-FOR-US: Skype CVE-2019-0931 (An elevation of privilege vulnerability exists when the Storage Servic ...) NOT-FOR-US: Microsoft CVE-2019-0930 (An information disclosure vulnerability exists when Internet Explorer ...) NOT-FOR-US: Microsoft CVE-2019-0929 (A remote code execution vulnerability exists when Internet Explorer im ...) NOT-FOR-US: Microsoft CVE-2019-0928 (A denial of service vulnerability exists when Microsoft Hyper-V on a h ...) NOT-FOR-US: Microsoft CVE-2019-0927 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-0926 (A remote code execution vulnerability exists when Microsoft Edge impro ...) NOT-FOR-US: Microsoft CVE-2019-0925 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-0924 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-0923 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-0922 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-0921 (An spoofing vulnerability exists when Internet Explorer improperly han ...) NOT-FOR-US: Microsoft CVE-2019-0920 (A remote code execution vulnerability exists in the way the scripting ...) NOT-FOR-US: Microsoft CVE-2019-0919 REJECTED CVE-2019-0918 (A remote code execution vulnerability exists in the way the scripting ...) NOT-FOR-US: Microsoft CVE-2019-0917 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-0916 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-0915 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-0914 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-0913 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-0912 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-0911 (A remote code execution vulnerability exists in the way the scripting ...) NOT-FOR-US: Microsoft CVE-2019-0910 REJECTED CVE-2019-0909 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0908 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0907 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0906 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0905 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0904 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0903 (A remote code execution vulnerability exists in the way that the Windo ...) NOT-FOR-US: Microsoft CVE-2019-0902 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0901 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0900 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0899 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0898 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0897 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0896 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0895 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0894 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0893 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0892 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2019-0891 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0890 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0889 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0888 (A remote code execution vulnerability exists in the way that ActiveX D ...) NOT-FOR-US: Microsoft CVE-2019-0887 (A remote code execution vulnerability exists in Remote Desktop Service ...) NOT-FOR-US: Microsoft CVE-2019-0886 (An information disclosure vulnerability exists when Windows Hyper-V on ...) NOT-FOR-US: Microsoft CVE-2019-0885 (A remote code execution vulnerability exists when Microsoft Windows OL ...) NOT-FOR-US: Microsoft CVE-2019-0884 (A remote code execution vulnerability exists in the way the scripting ...) NOT-FOR-US: Microsoft CVE-2019-0883 REJECTED CVE-2019-0882 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-0881 (An elevation of privilege vulnerability exists when the Windows Kernel ...) NOT-FOR-US: Microsoft CVE-2019-0880 (A local elevation of privilege vulnerability exists in how splwow64.ex ...) NOT-FOR-US: Microsoft CVE-2019-0879 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0878 REJECTED CVE-2019-0877 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0876 (An information disclosure vulnerability exists when affected Open Encl ...) NOT-FOR-US: Microsoft CVE-2019-0875 (An elevation of privilege vulnerability exists when Azure DevOps Serve ...) NOT-FOR-US: Microsoft CVE-2019-0874 (A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Se ...) NOT-FOR-US: Microsoft CVE-2019-0873 REJECTED CVE-2019-0872 (A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Se ...) NOT-FOR-US: Microsoft CVE-2019-0871 (A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Se ...) NOT-FOR-US: Microsoft CVE-2019-0870 (A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Se ...) NOT-FOR-US: Microsoft CVE-2019-0869 (A spoofing vulnerability exists in Microsoft Azure DevOps Server when ...) NOT-FOR-US: Microsoft CVE-2019-0868 (A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Se ...) NOT-FOR-US: Microsoft CVE-2019-0867 (A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Se ...) NOT-FOR-US: Microsoft CVE-2019-0866 (A Cross-site Scripting (XSS) vulnerability exists when Azure DevOps Se ...) NOT-FOR-US: Microsoft CVE-2019-0865 (A denial of service vulnerability exists when SymCrypt improperly hand ...) NOT-FOR-US: Microsoft CVE-2019-0864 (A denial of service vulnerability exists when .NET Framework improperl ...) NOT-FOR-US: .NET Framework CVE-2019-0863 (An elevation of privilege vulnerability exists in the way Windows Erro ...) NOT-FOR-US: Microsoft CVE-2019-0862 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-0861 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-0860 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-0859 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2019-0858 (A spoofing vulnerability exists in Microsoft Exchange Server when Outl ...) NOT-FOR-US: Microsoft CVE-2019-0857 (A spoofing vulnerability that could allow a security feature bypass ex ...) NOT-FOR-US: Microsoft CVE-2019-0856 (A remote code execution vulnerability exists when Windows improperly h ...) NOT-FOR-US: Microsoft Windows CVE-2019-0855 REJECTED CVE-2019-0854 REJECTED CVE-2019-0853 (A remote code execution vulnerability exists in the way that the Windo ...) NOT-FOR-US: Microsoft CVE-2019-0852 REJECTED CVE-2019-0851 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0850 REJECTED CVE-2019-0849 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-0848 (An information disclosure vulnerability exists when the win32k compone ...) NOT-FOR-US: Microsoft CVE-2019-0847 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0846 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0845 (A remote code execution vulnerability exists when the IOleCvt interfac ...) NOT-FOR-US: Microsoft CVE-2019-0844 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft Windows CVE-2019-0843 REJECTED CVE-2019-0842 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2019-0841 (An elevation of privilege vulnerability exists when Windows AppX Deplo ...) NOT-FOR-US: Microsoft CVE-2019-0840 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft Windows CVE-2019-0839 (An information disclosure vulnerability exists when the Terminal Servi ...) NOT-FOR-US: Microsoft CVE-2019-0838 (An information disclosure vulnerability exists when Windows Task Sched ...) NOT-FOR-US: Microsoft CVE-2019-0837 (An information disclosure vulnerability exists when DirectX improperly ...) NOT-FOR-US: Microsoft CVE-2019-0836 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2019-0835 (An information disclosure vulnerability exists when the scripting engi ...) NOT-FOR-US: Microsoft CVE-2019-0834 REJECTED CVE-2019-0833 (An information disclosure vulnerability exists when Microsoft Edge imp ...) NOT-FOR-US: Microsoft CVE-2019-0832 REJECTED CVE-2019-0831 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2019-0830 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2019-0829 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-0828 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2019-0827 (A remote code execution vulnerability exists when the Microsoft Office ...) NOT-FOR-US: Microsoft CVE-2019-0826 (A remote code execution vulnerability exists when the Microsoft Office ...) NOT-FOR-US: Microsoft CVE-2019-0825 (A remote code execution vulnerability exists when the Microsoft Office ...) NOT-FOR-US: Microsoft CVE-2019-0824 (A remote code execution vulnerability exists when the Microsoft Office ...) NOT-FOR-US: Microsoft CVE-2019-0823 (A remote code execution vulnerability exists when the Microsoft Office ...) NOT-FOR-US: Microsoft CVE-2019-0822 (A remote code execution vulnerability exists in the way that Microsoft ...) NOT-FOR-US: Microsoft CVE-2019-0821 (An information disclosure vulnerability exists in the way that the Win ...) NOT-FOR-US: Windows SMB Server CVE-2019-0820 (A denial of service vulnerability exists when .NET Framework and .NET ...) NOT-FOR-US: Microsoft .NET Core CVE-2019-0819 (An information disclosure vulnerability exists in Microsoft SQL Server ...) NOT-FOR-US: Microsoft CVE-2019-0818 REJECTED CVE-2019-0817 (A spoofing vulnerability exists in Microsoft Exchange Server when Outl ...) NOT-FOR-US: Microsoft CVE-2019-0816 (A security feature bypass exists in Azure SSH Keypairs, due to a chang ...) - cloud-init 18.3-6 (low; bug #926043) [stretch] - cloud-init (Doesn't affect default provisioning for Azure, only limited use cases) [jessie] - cloud-init (version uses a different mechanism to set public keys.) NOTE: https://code.launchpad.net/~jasonzio/cloud-init/+git/cloud-init/+merge/363445 NOTE: https://support.microsoft.com/en-us/help/4491476/extraneous-ssh-public-keys-added-to-authorized-keys-file-on-linux-vm CVE-2019-0815 (A denial of service vulnerability exists when ASP.NET Core improperly ...) NOT-FOR-US: Microsoft CVE-2019-0814 (An information disclosure vulnerability exists when the win32k compone ...) NOT-FOR-US: Microsoft CVE-2019-0813 (An elevation of privilege vulnerability exists when Windows Admin Cent ...) NOT-FOR-US: Microsoft CVE-2019-0812 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-0811 (A denial of service vulnerability exists in Windows DNS Server when it ...) NOT-FOR-US: Microsoft CVE-2019-0810 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-0809 (A remote code execution vulnerability exists when the Visual Studio C+ ...) NOT-FOR-US: Microsoft CVE-2019-0808 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft Windows CVE-2019-0807 REJECTED CVE-2019-0806 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-0805 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2019-0804 (An information disclosure vulnerability exists in the way Azure WaLinu ...) {DSA-4406-1 DLA-1709-1} - waagent 2.2.34-3 CVE-2019-0803 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2019-0802 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-0801 (A remote code execution vulnerability exists when Microsoft Office fai ...) NOT-FOR-US: Microsoft CVE-2019-0800 REJECTED CVE-2019-0799 REJECTED CVE-2019-0798 (A spoofing vulnerability exists when a Lync Server or Skype for Busine ...) NOT-FOR-US: Microsoft CVE-2019-0797 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft Windows CVE-2019-0796 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2019-0795 (A remote code execution vulnerability exists when the Microsoft XML Co ...) NOT-FOR-US: Microsoft CVE-2019-0794 (A remote code execution vulnerability exists when OLE automation impro ...) NOT-FOR-US: Microsoft CVE-2019-0793 (A remote code execution vulnerability exists when the Microsoft XML Co ...) NOT-FOR-US: Microsoft CVE-2019-0792 (A remote code execution vulnerability exists when the Microsoft XML Co ...) NOT-FOR-US: Microsoft CVE-2019-0791 (A remote code execution vulnerability exists when the Microsoft XML Co ...) NOT-FOR-US: Microsoft CVE-2019-0790 (A remote code execution vulnerability exists when the Microsoft XML Co ...) NOT-FOR-US: Microsoft CVE-2019-0789 REJECTED CVE-2019-0788 (A remote code execution vulnerability exists in the Windows Remote Des ...) NOT-FOR-US: Microsoft CVE-2019-0787 (A remote code execution vulnerability exists in the Windows Remote Des ...) NOT-FOR-US: Microsoft CVE-2019-0786 (An elevation of privilege vulnerability exists in the Microsoft Server ...) NOT-FOR-US: Microsoft CVE-2019-0785 (A memory corruption vulnerability exists in the Windows Server DHCP se ...) NOT-FOR-US: Microsoft CVE-2019-0784 (A remote code execution vulnerability exists in the way that the Activ ...) NOT-FOR-US: Microsoft CVE-2019-0783 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-0782 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft Windows CVE-2019-0781 REJECTED CVE-2019-0780 (A remote code execution vulnerability exists in the way that Microsoft ...) NOT-FOR-US: Microsoft CVE-2019-0779 (A remote code execution vulnerability exists when Microsoft Edge impro ...) NOT-FOR-US: Microsoft CVE-2019-0778 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2019-0777 (A Cross-site Scripting (XSS) vulnerability exists when Team Foundation ...) NOT-FOR-US: Microsoft CVE-2019-0776 (An information disclosure vulnerability exists when the win32k compone ...) NOT-FOR-US: Microsoft CVE-2019-0775 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft Windows CVE-2019-0774 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft Windows CVE-2019-0773 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-0772 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2019-0771 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-0770 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-0769 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-0768 (A security feature bypass vulnerability exists when Internet Explorer ...) NOT-FOR-US: Microsoft CVE-2019-0767 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft Windows CVE-2019-0766 (An elevation of privilege vulnerability exists in Windows AppX Deploym ...) NOT-FOR-US: Microsoft CVE-2019-0765 (A remote code execution vulnerability exists in the way that comctl32. ...) NOT-FOR-US: Microsoft CVE-2019-0764 (A tampering vulnerability exists when Microsoft browsers do not proper ...) NOT-FOR-US: Microsoft CVE-2019-0763 (A remote code execution vulnerability exists when Internet Explorer im ...) NOT-FOR-US: Microsoft CVE-2019-0762 (A security feature bypass vulnerability exists when Microsoft browsers ...) NOT-FOR-US: Microsoft CVE-2019-0761 (A security feature bypass vulnerability exists when Internet Explorer ...) NOT-FOR-US: Microsoft CVE-2019-0760 REJECTED CVE-2019-0759 (An information disclosure vulnerability exists when the Windows Print ...) NOT-FOR-US: Microsoft CVE-2019-0758 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-0757 (A tampering vulnerability exists in the NuGet Package Manager for Linu ...) - nuget (NuGet older than 4.3 is not affected, bug #926122) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1685475 NOTE: https://github.com/NuGet/Home/issues/7673 NOTE: https://github.com/NuGet/NuGet.Client/commit/d62db666c710bf95121fe8f5c6a6cbe01985456f?w=1 NOTE: https://github.com/NuGet/Home/issues/7673#issuecomment-478738369 CVE-2019-0756 (A remote code execution vulnerability exists when the Microsoft XML Co ...) NOT-FOR-US: Microsoft CVE-2019-0755 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft Windows CVE-2019-0754 (A denial of service vulnerability exists when Windows improperly handl ...) NOT-FOR-US: Microsoft Windows CVE-2019-0753 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-0752 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-0751 REJECTED CVE-2019-0750 REJECTED CVE-2019-0749 REJECTED CVE-2019-0748 (A remote code execution vulnerability exists when the Microsoft Office ...) NOT-FOR-US: Microsoft CVE-2019-0747 REJECTED CVE-2019-0746 (An information disclosure vulnerability exists when the scripting engi ...) NOT-FOR-US: Microsoft CVE-2019-0745 REJECTED CVE-2019-0744 REJECTED CVE-2019-0743 (A Cross-site Scripting (XSS) vulnerability exists when Team Foundation ...) NOT-FOR-US: Microsoft Team Foundation Server CVE-2019-0742 (A Cross-site Scripting (XSS) vulnerability exists when Team Foundation ...) NOT-FOR-US: Microsoft Team Foundation Server CVE-2019-0741 (An information disclosure vulnerability exists in the way Azure IoT Ja ...) NOT-FOR-US: Microsoft CVE-2019-0740 REJECTED CVE-2019-0739 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-0738 REJECTED CVE-2019-0737 REJECTED CVE-2019-0736 (A memory corruption vulnerability exists in the Windows DHCP client wh ...) NOT-FOR-US: Microsoft CVE-2019-0735 (An elevation of privilege vulnerability exists when the Windows Client ...) NOT-FOR-US: Microsoft CVE-2019-0734 (An elevation of privilege vulnerability exists in Microsoft Windows wh ...) NOT-FOR-US: Microsoft CVE-2019-0733 (A security feature bypass vulnerability exists in Windows Defender App ...) NOT-FOR-US: Microsoft CVE-2019-0732 (A security feature bypass vulnerability exists in Windows which could ...) NOT-FOR-US: Microsoft CVE-2019-0731 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2019-0730 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2019-0729 (An Elevation of Privilege vulnerability exists in the way Azure IoT Ja ...) NOT-FOR-US: Microsoft CVE-2019-0728 (A remote code execution vulnerability exists in Visual Studio Code whe ...) NOT-FOR-US: Microsoft CVE-2019-0727 (An elevation of privilege vulnerability exists when the Diagnostics Hu ...) NOT-FOR-US: Microsoft CVE-2019-0726 (A memory corruption vulnerability exists in the Windows DHCP client wh ...) NOT-FOR-US: Microsoft CVE-2019-0725 (A memory corruption vulnerability exists in the Windows Server DHCP se ...) NOT-FOR-US: Microsoft CVE-2019-0724 (An elevation of privilege vulnerability exists in Microsoft Exchange S ...) NOT-FOR-US: Microsoft CVE-2019-0723 (A denial of service vulnerability exists when Microsoft Hyper-V Networ ...) NOT-FOR-US: Microsoft CVE-2019-0722 (A remote code execution vulnerability exists when Windows Hyper-V on a ...) NOT-FOR-US: Microsoft CVE-2019-0721 (A remote code execution vulnerability exists when Windows Hyper-V Netw ...) NOT-FOR-US: Microsoft CVE-2019-0720 (A remote code execution vulnerability exists when Windows Hyper-V Netw ...) NOT-FOR-US: Microsoft CVE-2019-0719 (A remote code execution vulnerability exists when Windows Hyper-V Netw ...) NOT-FOR-US: Microsoft CVE-2019-0718 (A denial of service vulnerability exists when Microsoft Hyper-V Networ ...) NOT-FOR-US: Microsoft CVE-2019-0717 (A denial of service vulnerability exists when Microsoft Hyper-V Networ ...) NOT-FOR-US: Microsoft CVE-2019-0716 (A denial of service vulnerability exists when Windows improperly handl ...) NOT-FOR-US: Microsoft CVE-2019-0715 (A denial of service vulnerability exists when Microsoft Hyper-V Networ ...) NOT-FOR-US: Microsoft CVE-2019-0714 (A denial of service vulnerability exists when Microsoft Hyper-V Networ ...) NOT-FOR-US: Microsoft CVE-2019-0713 (A denial of service vulnerability exists when Microsoft Hyper-V on a h ...) NOT-FOR-US: Microsoft CVE-2019-0712 (A denial of service vulnerability exists when Microsoft Hyper-V Networ ...) NOT-FOR-US: Microsoft CVE-2019-0711 (A denial of service vulnerability exists when Microsoft Hyper-V on a h ...) NOT-FOR-US: Microsoft CVE-2019-0710 (A denial of service vulnerability exists when Microsoft Hyper-V on a h ...) NOT-FOR-US: Microsoft CVE-2019-0709 (A remote code execution vulnerability exists when Windows Hyper-V on a ...) NOT-FOR-US: Microsoft CVE-2019-0708 (A remote code execution vulnerability exists in Remote Desktop Service ...) NOT-FOR-US: Microsoft CVE-2019-0707 (An elevation of privilege vulnerability exists in the Network Driver I ...) NOT-FOR-US: Microsoft CVE-2019-0706 REJECTED CVE-2019-0705 REJECTED CVE-2019-0704 (An information disclosure vulnerability exists in the way that the Win ...) NOT-FOR-US: Windows SMB Server CVE-2019-0703 (An information disclosure vulnerability exists in the way that the Win ...) NOT-FOR-US: Windows SMB Server CVE-2019-0702 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft Windows CVE-2019-0701 (A denial of service vulnerability exists when Microsoft Hyper-V on a h ...) NOT-FOR-US: Microsoft CVE-2019-0700 REJECTED CVE-2019-0699 REJECTED CVE-2019-0698 (A memory corruption vulnerability exists in the Windows DHCP client wh ...) NOT-FOR-US: Microsoft CVE-2019-0697 (A memory corruption vulnerability exists in the Windows DHCP client wh ...) NOT-FOR-US: Microsoft CVE-2019-0696 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft Windows CVE-2019-0695 (A denial of service vulnerability exists when Microsoft Hyper-V on a h ...) NOT-FOR-US: Microsoft CVE-2019-0694 (An elevation of privilege vulnerability exists due to an integer overf ...) NOT-FOR-US: Microsoft Windows Subsystem for Linux CVE-2019-0693 (An elevation of privilege vulnerability exists due to an integer overf ...) NOT-FOR-US: Microsoft Windows Subsystem for Linux CVE-2019-0692 (An elevation of privilege vulnerability exists due to an integer overf ...) NOT-FOR-US: Microsoft Windows Subsystem for Linux CVE-2019-0691 REJECTED CVE-2019-0690 (A denial of service vulnerability exists when Microsoft Hyper-V Networ ...) NOT-FOR-US: Microsoft CVE-2019-0689 (An elevation of privilege vulnerability exists due to an integer overf ...) NOT-FOR-US: Microsoft Windows Subsystem for Linux CVE-2019-0688 (An information disclosure vulnerability exists when the Windows TCP/IP ...) NOT-FOR-US: Microsoft Windows CVE-2019-0687 REJECTED CVE-2019-0686 (An elevation of privilege vulnerability exists in Microsoft Exchange S ...) NOT-FOR-US: Microsoft CVE-2019-0685 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft Windows CVE-2019-0684 REJECTED CVE-2019-0683 (An elevation of privilege vulnerability exists in Active Directory For ...) NOT-FOR-US: Microsoft CVE-2019-0682 (An elevation of privilege vulnerability exists due to an integer overf ...) NOT-FOR-US: Microsoft Windows Subsystem for Linux CVE-2019-0681 REJECTED CVE-2019-0680 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-0679 REJECTED CVE-2019-0678 (An elevation of privilege vulnerability exists when Microsoft Edge doe ...) NOT-FOR-US: Microsoft CVE-2019-0677 REJECTED CVE-2019-0676 (An information disclosure vulnerability exists when Internet Explorer ...) NOT-FOR-US: Microsoft CVE-2019-0675 (A remote code execution vulnerability exists when the Microsoft Office ...) NOT-FOR-US: Microsoft CVE-2019-0674 (A remote code execution vulnerability exists when the Microsoft Office ...) NOT-FOR-US: Microsoft CVE-2019-0673 (A remote code execution vulnerability exists when the Microsoft Office ...) NOT-FOR-US: Microsoft CVE-2019-0672 (A remote code execution vulnerability exists when the Microsoft Office ...) NOT-FOR-US: Microsoft CVE-2019-0671 (A remote code execution vulnerability exists when the Microsoft Office ...) NOT-FOR-US: Microsoft CVE-2019-0670 (A spoofing vulnerability exists in Microsoft SharePoint when the appli ...) NOT-FOR-US: Microsoft CVE-2019-0669 (An information disclosure vulnerability exists when Microsoft Excel im ...) NOT-FOR-US: Microsoft CVE-2019-0668 (An elevation of privilege vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2019-0667 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2019-0666 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2019-0665 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2019-0664 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-0663 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2019-0662 (A remote code execution vulnerability exists in the way that the Windo ...) NOT-FOR-US: Microsoft CVE-2019-0661 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2019-0660 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-0659 (An elevation of privilege vulnerability exists when the Storage Servic ...) NOT-FOR-US: Microsoft CVE-2019-0658 (An information disclosure vulnerability exists when the scripting engi ...) NOT-FOR-US: Microsoft CVE-2019-0657 (A vulnerability exists in certain .Net Framework API's and Visual Stud ...) NOT-FOR-US: .NET core CVE-2019-0656 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2019-0655 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-0654 (A spoofing vulnerability exists when Microsoft browsers improperly han ...) NOT-FOR-US: Microsoft CVE-2019-0653 REJECTED CVE-2019-0652 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-0651 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-0650 (A remote code execution vulnerability exists when Microsoft Edge impro ...) NOT-FOR-US: Microsoft CVE-2019-0649 (A vulnerability exists in Microsoft Chakra JIT server, aka 'Scripting ...) NOT-FOR-US: Microsoft CVE-2019-0648 (An information disclosure vulnerability exists when Chakra improperly ...) NOT-FOR-US: Microsoft CVE-2019-0647 (An information disclosure vulnerability exists when Team Foundation Se ...) NOT-FOR-US: Microsoft CVE-2019-0646 (A Cross-site Scripting (XSS) vulnerability exists when Team Foundation ...) NOT-FOR-US: Microsoft CVE-2019-0645 (A remote code execution vulnerability exists when Microsoft Edge impro ...) NOT-FOR-US: Microsoft CVE-2019-0644 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-0643 (An information disclosure vulnerability exists in the way that Microso ...) NOT-FOR-US: Microsoft CVE-2019-0642 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-0641 (A security feature bypass vulnerability exists in Microsoft Edge handl ...) NOT-FOR-US: Microsoft CVE-2019-0640 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-0639 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-0638 REJECTED CVE-2019-0637 (A security feature bypass vulnerability exists when Windows Defender F ...) NOT-FOR-US: Microsoft CVE-2019-0636 (An information vulnerability exists when Windows improperly discloses ...) NOT-FOR-US: Microsoft CVE-2019-0635 (An information disclosure vulnerability exists when Windows Hyper-V on ...) NOT-FOR-US: Microsoft CVE-2019-0634 (A remote code execution vulnerability exists when Microsoft Edge impro ...) NOT-FOR-US: Microsoft CVE-2019-0633 (A remote code execution vulnerability exists in the way that the Micro ...) NOT-FOR-US: Microsoft CVE-2019-0632 (A security feature bypass vulnerability exists in Windows which could ...) NOT-FOR-US: Microsoft CVE-2019-0631 (A security feature bypass vulnerability exists in Windows which could ...) NOT-FOR-US: Microsoft CVE-2019-0630 (A remote code execution vulnerability exists in the way that the Micro ...) NOT-FOR-US: Microsoft CVE-2019-0629 REJECTED CVE-2019-0628 (An information disclosure vulnerability exists when the win32k compone ...) NOT-FOR-US: Microsoft CVE-2019-0627 (A security feature bypass vulnerability exists in Windows which could ...) NOT-FOR-US: Microsoft CVE-2019-0626 (A memory corruption vulnerability exists in the Windows Server DHCP se ...) NOT-FOR-US: Microsoft CVE-2019-0625 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0624 (A spoofing vulnerability exists when a Skype for Business 2015 server ...) NOT-FOR-US: Microsoft CVE-2019-0623 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2019-0622 (An elevation of privilege vulnerability exists when Skype for Andriod ...) NOT-FOR-US: Skype for Android CVE-2019-0621 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2019-0620 (A remote code execution vulnerability exists when Windows Hyper-V on a ...) NOT-FOR-US: Microsoft CVE-2019-0619 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-0618 (A remote code execution vulnerability exists in the way that the Windo ...) NOT-FOR-US: Microsoft CVE-2019-0617 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0616 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-0615 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-0614 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-0613 (A remote code execution vulnerability exists in .NET Framework and Vis ...) NOT-FOR-US: Microsoft CVE-2019-0612 (A security feature bypass vulnerability exists when Click2Play protect ...) NOT-FOR-US: Microsoft CVE-2019-0611 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-0610 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-0609 (A remote code execution vulnerability exists in the way the scripting ...) NOT-FOR-US: Microsoft CVE-2019-0608 (A spoofing vulnerability exists when Microsoft Browsers does not prope ...) NOT-FOR-US: Microsoft CVE-2019-0607 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-0606 (A remote code execution vulnerability exists when Internet Explorer im ...) NOT-FOR-US: Microsoft CVE-2019-0605 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-0604 (A remote code execution vulnerability exists in Microsoft SharePoint w ...) NOT-FOR-US: Microsoft CVE-2019-0603 (A remote code execution vulnerability exists in the way that Windows D ...) NOT-FOR-US: Microsoft CVE-2019-0602 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2019-0601 (An information disclosure vulnerability exists when the Human Interfac ...) NOT-FOR-US: Microsoft CVE-2019-0600 (An information disclosure vulnerability exists when the Human Interfac ...) NOT-FOR-US: Microsoft CVE-2019-0599 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0598 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0597 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0596 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0595 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0594 (A remote code execution vulnerability exists in Microsoft SharePoint w ...) NOT-FOR-US: Microsoft CVE-2019-0593 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-0592 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-0591 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-0590 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2019-0589 REJECTED CVE-2019-0588 (An information disclosure vulnerability exists when the Microsoft Exch ...) NOT-FOR-US: Microsoft CVE-2019-0587 REJECTED CVE-2019-0586 (A remote code execution vulnerability exists in Microsoft Exchange sof ...) NOT-FOR-US: Microsoft CVE-2019-0585 (A remote code execution vulnerability exists in Microsoft Word softwar ...) NOT-FOR-US: Microsoft CVE-2019-0584 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0583 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0582 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0581 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0580 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0579 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0578 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0577 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0576 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0575 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0574 (An elevation of privilege vulnerability exists when the Windows Data S ...) NOT-FOR-US: Microsoft CVE-2019-0573 (An elevation of privilege vulnerability exists when the Windows Data S ...) NOT-FOR-US: Microsoft CVE-2019-0572 (An elevation of privilege vulnerability exists when the Windows Data S ...) NOT-FOR-US: Microsoft CVE-2019-0571 (An elevation of privilege vulnerability exists when the Windows Data S ...) NOT-FOR-US: Microsoft CVE-2019-0570 (An elevation of privilege vulnerability exists when the Windows Runtim ...) NOT-FOR-US: Microsoft CVE-2019-0569 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2019-0568 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-0567 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-0566 (An elevation of privilege vulnerability exists in Microsoft Edge Brows ...) NOT-FOR-US: Microsoft CVE-2019-0565 (A remote code execution vulnerability exists when Microsoft Edge impro ...) NOT-FOR-US: Microsoft CVE-2019-0564 (A denial of service vulnerability exists when ASP.NET Core improperly ...) NOT-FOR-US: .NET core CVE-2019-0563 REJECTED CVE-2019-0562 (An elevation of privilege vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2019-0561 (An information disclosure vulnerability exists when Microsoft Word mac ...) NOT-FOR-US: Microsoft CVE-2019-0560 (An information disclosure vulnerability exists when Microsoft Office i ...) NOT-FOR-US: Microsoft CVE-2019-0559 (An information disclosure vulnerability exists when Microsoft Outlook ...) NOT-FOR-US: Microsoft CVE-2019-0558 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2019-0557 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2019-0556 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2019-0555 (An elevation of privilege vulnerability exists in the Microsoft XmlDoc ...) NOT-FOR-US: Microsoft CVE-2019-0554 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2019-0553 (An information disclosure vulnerability exists when Windows Subsystem ...) NOT-FOR-US: Microsoft CVE-2019-0552 (An elevation of privilege exists in Windows COM Desktop Broker, aka "W ...) NOT-FOR-US: Microsoft CVE-2019-0551 (A remote code execution vulnerability exists when Windows Hyper-V on a ...) NOT-FOR-US: Microsoft CVE-2019-0550 (A remote code execution vulnerability exists when Windows Hyper-V on a ...) NOT-FOR-US: Microsoft CVE-2019-0549 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2019-0548 (A denial of service vulnerability exists when ASP.NET Core improperly ...) NOT-FOR-US: .NET core CVE-2019-0547 (A memory corruption vulnerability exists in the Windows DHCP client wh ...) NOT-FOR-US: Microsoft CVE-2019-0546 (A remote code execution vulnerability exists in Visual Studio when the ...) NOT-FOR-US: Microsoft CVE-2019-0545 (An information disclosure vulnerability exists in .NET Framework and . ...) NOT-FOR-US: .NET core CVE-2019-0544 REJECTED CVE-2019-0543 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2019-0542 (A remote code execution vulnerability exists in Xterm.js when the comp ...) - node-xterm 3.8.1-1 (unimportant; bug #926670) NOTE: nodejs not covered by security support CVE-2019-0541 (A remote code execution vulnerability exists in the way that the MSHTM ...) NOT-FOR-US: Microsoft CVE-2019-0540 (A security feature bypass vulnerability exists when Microsoft Office d ...) NOT-FOR-US: Microsoft CVE-2019-0539 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2019-0538 (A remote code execution vulnerability exists when the Windows Jet Data ...) NOT-FOR-US: Microsoft CVE-2019-0537 (An information disclosure vulnerability exists when Visual Studio impr ...) NOT-FOR-US: Microsoft CVE-2019-0536 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2018-19607 (Exiv2::isoSpeed in easyaccess.cpp in Exiv2 v0.27-RC2 allows remote att ...) - exiv2 (Vulnerable code introduced later; only affected experimental; bug #915134) NOTE: Introduced by: https://github.com/Exiv2/exiv2/commit/97e7905a8b90fcbd5e8c440ad7d55bf8ffe007e5 NOTE: Fixed by: https://github.com/Exiv2/exiv2/commit/6e42c1b55e0fc4f360cc56010b0ffe19aa6062d9 CVE-2018-19606 RESERVED CVE-2018-19605 RESERVED CVE-2018-19604 RESERVED CVE-2018-19603 RESERVED CVE-2018-19602 RESERVED CVE-2018-19601 (Rhymix CMS 1.9.8.1 allows SSRF via an index.php?module=admin&act=d ...) NOT-FOR-US: Rhymix CMS CVE-2018-19600 (Rhymix CMS 1.9.8.1 allows XSS via an index.php?module=admin&act=di ...) NOT-FOR-US: Rhymix CMS CVE-2018-19599 (Monstra CMS 1.6 allows XSS via an uploaded SVG document to the admin/i ...) NOT-FOR-US: Monstra CMS CVE-2018-19598 (Statamic 2.10.3 allows XSS via First Name or Last Name to the /users U ...) NOT-FOR-US: Statamic CVE-2018-19597 (CMS Made Simple 2.2.8 allows XSS via an uploaded SVG document, a relat ...) NOT-FOR-US: CMS Made Simple CVE-2018-19596 (Zurmo 3.2.4 allows HTML Injection via an admin's use of HTML in the re ...) NOT-FOR-US: Zurmo CVE-2018-19595 (PbootCMS V1.3.1 build 2018-11-14 allows remote attackers to execute ar ...) NOT-FOR-US: PbootCMS CVE-2018-19594 RESERVED CVE-2018-19593 RESERVED CVE-2018-19592 (The "CLink4Service" service is installed with Corsair Link 4.9.7.35 wi ...) NOT-FOR-US: Corsair CVE-2018-19591 (In the GNU C Library (aka glibc or libc6) through 2.28, attempting to ...) - glibc 2.28-1 (bug #914837) [stretch] - glibc (Vulnerable code introduced later and not backported to stretch) [jessie] - glibc (Vulnerable code introduced later and not backported to jessie) - eglibc NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23927 NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d527c860f5a3f0ed687bd03f0cb464612dc23408 NOTE: Introduced by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2180fee114b778515b3f560e5ff1e795282e60b0 CVE-2018-19590 RESERVED CVE-2018-19589 (Incorrect Access Controls of Security Officer (SO) in PKCS11 R2 provid ...) NOT-FOR-US: Utimaco CryptoServer HSM CVE-2018-19588 (Alarm.com ADC-V522IR 0100b9 devices have Incorrect Access Control. ...) NOT-FOR-US: Alarm.com ADC-V522IR 0100b9 devices CVE-2018-19587 (In Cesanta Mongoose 6.13, a SIGSEGV exists in the mongoose.c mg_mqtt_a ...) NOT-FOR-US: Cesanta Mongoose NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1 CVE-2018-19586 (Silverpeas 5.15 through 6.0.2 is affected by an authenticated Director ...) NOT-FOR-US: Silverpeas CVE-2018-19585 (GitLab CE/EE versions 8.18 up to 11.x before 11.3.11, 11.4.x before 11 ...) - gitlab 11.3.11+dfsg-1 NOTE: https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/ CVE-2018-19584 (GitLab EE, versions 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 ...) - gitlab (Specific to Enterprise edition) NOTE: https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/ CVE-2018-19583 (GitLab CE/EE, versions 8.0 up to 11.x before 11.3.11, 11.4 before 11.4 ...) - gitlab 11.3.11+dfsg-1 NOTE: https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/ CVE-2018-19582 (GitLab EE, versions 11.4 before 11.4.8 and 11.5 before 11.5.1, is affe ...) - gitlab (Specific to Enterprise edition) NOTE: https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/ CVE-2018-19581 (GitLab EE, versions 8.3 up to 11.x before 11.3.11, 11.4 before 11.4.8, ...) - gitlab (Specific to Enterprise edition) NOTE: https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/ CVE-2018-19580 (All versions of GitLab prior to 11.5.1, 11.4.8, and 11.3.11 do not sen ...) - gitlab 11.3.11+dfsg-1 NOTE: https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/ CVE-2018-19579 (GitLab EE version 11.5 is vulnerable to a persistent XSS vulnerability ...) - gitlab (Specific to Enterprise edition) NOTE: https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/ CVE-2018-19578 (GitLab EE, version 11.5 before 11.5.1, is vulnerable to an insecure ob ...) - gitlab (Specific to Enterprise edition) NOTE: https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/ CVE-2018-19577 (Gitlab CE/EE, versions 8.6 up to 11.x before 11.3.11, 11.4 before 11.4 ...) - gitlab 11.3.11+dfsg-1 NOTE: https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/ CVE-2018-19576 (GitLab CE/EE, versions 8.6 up to 11.x before 11.3.11, 11.4 before 11.4 ...) - gitlab 11.3.11+dfsg-1 NOTE: https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/ CVE-2018-19575 (GitLab CE/EE, versions 10.1 up to 11.x before 11.3.11, 11.4 before 11. ...) - gitlab 11.3.11+dfsg-1 NOTE: https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/ CVE-2018-19574 (GitLab CE/EE, versions 7.6 up to 11.x before 11.3.11, 11.4 before 11.4 ...) - gitlab 11.3.11+dfsg-1 NOTE: https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/ CVE-2018-19573 (GitLab CE/EE, versions 10.3 up to 11.x before 11.3.11, 11.4 before 11. ...) - gitlab 11.3.11+dfsg-1 NOTE: https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/ CVE-2018-19572 (GitLab CE 8.17 and later and EE 8.3 and later have a symlink time-of-c ...) - gitlab 11.3.11+dfsg-1 NOTE: https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/ CVE-2018-19571 (GitLab CE/EE, versions 8.18 up to 11.x before 11.3.11, 11.4 before 11. ...) - gitlab 11.3.11+dfsg-1 NOTE: https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/ CVE-2018-19570 (GitLab CE/EE, versions 11.3 before 11.3.11, 11.4 before 11.4.8, and 11 ...) - gitlab 11.3.11+dfsg-1 NOTE: https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/ CVE-2018-19569 (GitLab CE/EE, versions 8.8 up to 11.x before 11.3.11, 11.4 before 11.4 ...) - gitlab 11.3.11+dfsg-1 NOTE: https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/ CVE-2018-19568 (A floating point exception in kodak_radc_load_raw in dcraw through 9.2 ...) - dcraw (unimportant) NOTE: https://www.openwall.com/lists/oss-security/2018/11/23/1 NOTE: No security impact, crash in CLI tool CVE-2018-19567 (A floating point exception in parse_tiff_ifd in dcraw through 9.28 cou ...) - dcraw (unimportant) NOTE: https://www.openwall.com/lists/oss-security/2018/11/23/1 NOTE: No security impact, crash in CLI tool CVE-2018-19566 (A heap buffer over-read in parse_tiff_ifd in dcraw through 9.28 could ...) - dcraw (unimportant) NOTE: https://www.openwall.com/lists/oss-security/2018/11/23/1 NOTE: No security impact, crash in CLI tool CVE-2018-19565 (A buffer over-read in crop_masked_pixels in dcraw through 9.28 could b ...) - dcraw (unimportant) NOTE: https://www.openwall.com/lists/oss-security/2018/11/23/1 NOTE: No security impact, crash in CLI tool CVE-2019-0535 RESERVED CVE-2019-0534 RESERVED CVE-2019-0533 RESERVED CVE-2019-0532 RESERVED CVE-2019-0531 RESERVED CVE-2019-0530 RESERVED CVE-2019-0529 RESERVED CVE-2019-0528 RESERVED CVE-2019-0527 RESERVED CVE-2019-0526 RESERVED CVE-2019-0525 RESERVED CVE-2019-0524 RESERVED CVE-2019-0523 RESERVED CVE-2019-0522 RESERVED CVE-2019-0521 RESERVED CVE-2019-0520 RESERVED CVE-2019-0519 RESERVED CVE-2019-0518 RESERVED CVE-2019-0517 RESERVED CVE-2019-0516 RESERVED CVE-2019-0515 RESERVED CVE-2019-0514 RESERVED CVE-2019-0513 RESERVED CVE-2019-0512 RESERVED CVE-2019-0511 RESERVED CVE-2019-0510 RESERVED CVE-2019-0509 RESERVED CVE-2019-0508 RESERVED CVE-2019-0507 RESERVED CVE-2019-0506 RESERVED CVE-2019-0505 RESERVED CVE-2019-0504 RESERVED CVE-2019-0503 RESERVED CVE-2019-0502 RESERVED CVE-2019-0501 RESERVED CVE-2019-0500 RESERVED CVE-2019-0499 RESERVED CVE-2019-0498 RESERVED CVE-2019-0497 RESERVED CVE-2019-0496 RESERVED CVE-2019-0495 RESERVED CVE-2019-0494 RESERVED CVE-2019-0493 RESERVED CVE-2019-0492 RESERVED CVE-2019-0491 RESERVED CVE-2019-0490 RESERVED CVE-2019-0489 RESERVED CVE-2019-0488 RESERVED CVE-2019-0487 RESERVED CVE-2019-0486 RESERVED CVE-2019-0485 RESERVED CVE-2019-0484 RESERVED CVE-2019-0483 RESERVED CVE-2019-0482 RESERVED CVE-2019-0481 RESERVED CVE-2019-0480 RESERVED CVE-2019-0479 RESERVED CVE-2019-0478 RESERVED CVE-2019-0477 RESERVED CVE-2019-0476 RESERVED CVE-2019-0475 RESERVED CVE-2019-0474 RESERVED CVE-2019-0473 RESERVED CVE-2019-0472 RESERVED CVE-2019-0471 RESERVED CVE-2019-0470 RESERVED CVE-2019-0469 RESERVED CVE-2019-0468 RESERVED CVE-2019-0467 RESERVED CVE-2019-0466 RESERVED CVE-2019-0465 RESERVED CVE-2019-0464 RESERVED CVE-2019-0463 RESERVED CVE-2019-0462 RESERVED CVE-2019-0461 RESERVED CVE-2019-0460 RESERVED CVE-2019-0459 RESERVED CVE-2019-0458 RESERVED CVE-2019-0457 RESERVED CVE-2019-0456 RESERVED CVE-2019-0455 RESERVED CVE-2019-0454 RESERVED CVE-2019-0453 RESERVED CVE-2019-0452 RESERVED CVE-2019-0451 RESERVED CVE-2019-0450 RESERVED CVE-2019-0449 RESERVED CVE-2019-0448 RESERVED CVE-2019-0447 RESERVED CVE-2019-0446 RESERVED CVE-2019-0445 RESERVED CVE-2019-0444 RESERVED CVE-2019-0443 RESERVED CVE-2019-0442 RESERVED CVE-2019-0441 RESERVED CVE-2019-0440 RESERVED CVE-2019-0439 RESERVED CVE-2019-0438 RESERVED CVE-2019-0437 RESERVED CVE-2019-0436 RESERVED CVE-2019-0435 RESERVED CVE-2019-0434 RESERVED CVE-2019-0433 RESERVED CVE-2019-0432 RESERVED CVE-2019-0431 RESERVED CVE-2019-0430 RESERVED CVE-2019-0429 RESERVED CVE-2019-0428 RESERVED CVE-2019-0427 RESERVED CVE-2019-0426 RESERVED CVE-2019-0425 RESERVED CVE-2019-0424 RESERVED CVE-2019-0423 RESERVED CVE-2019-0422 RESERVED CVE-2019-0421 RESERVED CVE-2019-0420 RESERVED CVE-2019-0419 RESERVED CVE-2019-0418 RESERVED CVE-2019-0417 RESERVED CVE-2019-0416 RESERVED CVE-2019-0415 RESERVED CVE-2019-0414 RESERVED CVE-2019-0413 RESERVED CVE-2019-0412 RESERVED CVE-2019-0411 RESERVED CVE-2019-0410 RESERVED CVE-2019-0409 RESERVED CVE-2019-0408 RESERVED CVE-2019-0407 RESERVED CVE-2019-0406 RESERVED CVE-2019-0405 (SAP Enable Now, before version 1911, leaks information about the exist ...) NOT-FOR-US: SAP CVE-2019-0404 (SAP Enable Now, before version 1911, leaks information about network c ...) NOT-FOR-US: SAP CVE-2019-0403 (SAP Enable Now, before version 1911, allows an attacker to input comma ...) NOT-FOR-US: SAP CVE-2019-0402 (SAP Adaptive Server Enterprise, before versions 15.7 and 16.0, under c ...) NOT-FOR-US: SAP CVE-2019-0401 RESERVED CVE-2019-0400 RESERVED CVE-2019-0399 (SAP Portfolio and Project Management, before versions S4CORE 102, 103, ...) NOT-FOR-US: SAP CVE-2019-0398 (Due to insufficient CSRF protection, SAP BusinessObjects Business Inte ...) NOT-FOR-US: SAP CVE-2019-0397 RESERVED CVE-2019-0396 (SAP BusinessObjects Business Intelligence Platform (Web Intelligence H ...) NOT-FOR-US: SAP CVE-2019-0395 (SAP BusinessObjects Business Intelligence Platform (Fiori BI Launchpad ...) NOT-FOR-US: SAP CVE-2019-0394 RESERVED CVE-2019-0393 (An SQL Injection vulnerability in SAP Quality Management (corrected in ...) NOT-FOR-US: SAP CVE-2019-0392 RESERVED CVE-2019-0391 (Under certain conditions SAP NetWeaver AS Java (corrected in 7.10, 7.2 ...) NOT-FOR-US: SAP CVE-2019-0390 (Under certain conditions SAP Data Hub (corrected in DH_Foundation vers ...) NOT-FOR-US: SAP CVE-2019-0389 (An administrator of SAP NetWeaver Application Server Java (J2EE-Framew ...) NOT-FOR-US: SAP CVE-2019-0388 (SAP UI5 HTTP Handler (corrected in SAP_UI versions 7.5, 7.51, 7.52, 7. ...) NOT-FOR-US: SAP CVE-2019-0387 RESERVED CVE-2019-0386 (Order processing in SAP ERP Sales (corrected in SAP_APPL 6.0, 6.02, 6. ...) NOT-FOR-US: SAP CVE-2019-0385 (SAP Enable Now, before version 1908, does not sufficiently encode user ...) NOT-FOR-US: SAP CVE-2019-0384 (Transaction Management in SAP Treasury and Risk Management (corrected ...) NOT-FOR-US: SAP CVE-2019-0383 (Transaction Management in SAP Treasury and Risk Management (corrected ...) NOT-FOR-US: SAP CVE-2019-0382 (A Cross-Site Scripting vulnerability exists in SAP BusinessObjects Bus ...) NOT-FOR-US: SAP CVE-2019-0381 (A binary planting in SAP SQL Anywhere, before version 17.0, SAP IQ, be ...) NOT-FOR-US: SAP CVE-2019-0380 (Under certain conditions, SAP Landscape Management enterprise edition, ...) NOT-FOR-US: SAP CVE-2019-0379 (SAP Process Integration, business-to-business add-on, versions 1.0, 2. ...) NOT-FOR-US: SAP CVE-2019-0378 (SAP BusinessObjects Business Intelligence Platform (Web Intelligence H ...) NOT-FOR-US: SAP CVE-2019-0377 (SAP BusinessObjects Business Intelligence Platform (Web Intelligence H ...) NOT-FOR-US: SAP CVE-2019-0376 (SAP BusinessObjects Business Intelligence Platform (Web Intelligence H ...) NOT-FOR-US: SAP CVE-2019-0375 (SAP BusinessObjects Business Intelligence Platform (Web Intelligence H ...) NOT-FOR-US: SAP CVE-2019-0374 (SAP BusinessObjects Business Intelligence Platform (Web Intelligence H ...) NOT-FOR-US: SAP CVE-2019-0373 RESERVED CVE-2019-0372 RESERVED CVE-2019-0371 RESERVED CVE-2019-0370 (Due to missing input validation, SAP Financial Consolidation, before v ...) NOT-FOR-US: SAP CVE-2019-0369 (SAP Financial Consolidation, before versions 10.0 and 10.1, does not s ...) NOT-FOR-US: SAP CVE-2019-0368 (SAP Customer Relationship Management (Email Management), versions: S4C ...) NOT-FOR-US: SAP CVE-2019-0367 (SAP NetWeaver Process Integration (B2B Toolkit), before versions 1.0 a ...) NOT-FOR-US: SAP CVE-2019-0366 RESERVED CVE-2019-0365 (SAP Kernel (RFC), KRNL32NUC, KRNL32UC and KRNL64NUC before versions 7. ...) NOT-FOR-US: SAP CVE-2019-0364 (Attackers may misuse an HTTP/REST endpoint of SAP HANA Extended Applic ...) NOT-FOR-US: SAP CVE-2019-0363 (Attackers may misuse an HTTP/REST endpoint of SAP HANA Extended Applic ...) NOT-FOR-US: SAP CVE-2019-0362 RESERVED CVE-2019-0361 (SAP Supplier Relationship Management (Master Data Management Catalog - ...) NOT-FOR-US: SAP CVE-2019-0360 RESERVED CVE-2019-0359 RESERVED CVE-2019-0358 RESERVED CVE-2019-0357 (The administrator of SAP HANA database, before versions 1.0 and 2.0, c ...) NOT-FOR-US: SAP CVE-2019-0356 (Under certain conditions SAP NetWeaver Process Integration Runtime Wor ...) NOT-FOR-US: SAP CVE-2019-0355 (SAP NetWeaver Application Server Java Web Container, ENGINEAPI (before ...) NOT-FOR-US: SAP CVE-2019-0354 RESERVED CVE-2019-0353 (Under certain conditions SAP Business One client (B1_ON_HANA, SAP-M-BO ...) NOT-FOR-US: SAP CVE-2019-0352 (In SAP Business Objects Business Intelligence Platform, before version ...) NOT-FOR-US: SAP CVE-2019-0351 (A remote code execution vulnerability exists in the SAP NetWeaver UDDI ...) NOT-FOR-US: SAP CVE-2019-0350 (SAP HANA Database, versions 1.0, 2.0, allows an unauthorized attacker ...) NOT-FOR-US: SAP CVE-2019-0349 (SAP Kernel (ABAP Debugger), versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7. ...) NOT-FOR-US: SAP CVE-2019-0348 (SAP BusinessObjects Business Intelligence Platform (Web Intelligence), ...) NOT-FOR-US: SAP CVE-2019-0347 RESERVED CVE-2019-0346 (Unencrypted communication error in SAP Business Objects Business Intel ...) NOT-FOR-US: SAP CVE-2019-0345 (A remote unauthenticated attacker can abuse a web service in SAP NetWe ...) NOT-FOR-US: SAP CVE-2019-0344 (Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc ...) NOT-FOR-US: SAP CVE-2019-0343 (SAP Commerce Cloud (Mediaconversion Extension), versions 6.4, 6.5, 6.6 ...) NOT-FOR-US: SAP CVE-2019-0342 RESERVED CVE-2019-0341 (The session cookie used by SAP Enable Now, version 1902, does not have ...) NOT-FOR-US: SAP CVE-2019-0340 (The XML parser, which is being used by SAP Enable Now, before version ...) NOT-FOR-US: SAP CVE-2019-0339 RESERVED CVE-2019-0338 (During an OData V2/V4 request in SAP Gateway, versions 750, 751, 752, ...) NOT-FOR-US: SAP CVE-2019-0337 (Java Proxy Runtime of SAP NetWeaver Process Integration, versions 7.10 ...) NOT-FOR-US: SAP CVE-2019-0336 RESERVED CVE-2019-0335 (Under certain conditions SAP BusinessObjects Business Intelligence Pla ...) NOT-FOR-US: SAP CVE-2019-0334 (When creating a module in SAP BusinessObjects Business Intelligence Pl ...) NOT-FOR-US: SAP CVE-2019-0333 (In some situations, when a client cancels a query in SAP BusinessObjec ...) NOT-FOR-US: SAP CVE-2019-0332 (SAP BusinessObjects Business Intelligence Platform (Info View), versio ...) NOT-FOR-US: SAP CVE-2019-0331 (Under certain conditions, SAP BusinessObjects Business Intelligence Pl ...) NOT-FOR-US: SAP CVE-2019-0330 (The OS Command Plugin in the transaction GPA_ADMIN and the OSCommand C ...) NOT-FOR-US: SAP CVE-2019-0329 (SAP Information Steward, version 4.2, does not sufficiently encode use ...) NOT-FOR-US: SAP CVE-2019-0328 (ABAP Tests Modules (SAP Basis, versions 7.0, 7.1, 7.3, 7.31, 7.4, 7.5) ...) NOT-FOR-US: SAP CVE-2019-0327 (SAP NetWeaver for Java Application Server - Web Container, (engineapi, ...) NOT-FOR-US: SAP CVE-2019-0326 (SAP BusinessObjects Business Intelligence Platform (BI Workspace) (Ent ...) NOT-FOR-US: SAP CVE-2019-0325 (SAP ERP HCM (SAP_HRCES) , version 3, does not perform necessary author ...) NOT-FOR-US: SAP CVE-2019-0324 RESERVED CVE-2019-0323 RESERVED CVE-2019-0322 (SAP Commerce Cloud (previously known as SAP Hybris Commerce), (HY_COM, ...) NOT-FOR-US: SAP CVE-2019-0321 (ABAP Server and ABAP Platform (SAP Basis), versions, 7.31, 7.4, 7.5, d ...) NOT-FOR-US: SAP CVE-2019-0320 RESERVED CVE-2019-0319 (The SAP Gateway, versions 7.5, 7.51, 7.52 and 7.53, allows an attacker ...) NOT-FOR-US: SAP CVE-2019-0318 (Under certain conditions SAP NetWeaver Application Server for Java (St ...) NOT-FOR-US: SAP CVE-2019-0317 RESERVED CVE-2019-0316 (SAP NetWeaver Process Integration, versions: SAP_XIESR: 7.20, SAP_XITO ...) NOT-FOR-US: SAP NetWeaver Process Integration CVE-2019-0315 (Under certain conditions the PI Integration Builder Web UI of SAP NetW ...) NOT-FOR-US: SAP CVE-2019-0314 (SAP Work Manager, versions: 6.3, 6.4, 6.5 and SAP Inventory Manager, v ...) NOT-FOR-US: SAP Work Manager CVE-2019-0313 RESERVED CVE-2019-0312 (Several web pages provided SAP NetWeaver Process Integration (versions ...) NOT-FOR-US: SAP CVE-2019-0311 (Automotive Dealer Portal in SAP R/3 Enterprise Application (versions: ...) NOT-FOR-US: SAP CVE-2019-0310 RESERVED CVE-2019-0309 RESERVED CVE-2019-0308 (An authenticated attacker in SAP E-Commerce (Business-to-Consumer appl ...) NOT-FOR-US: SAP CVE-2019-0307 (Diagnostics Agent in Solution Manager, version 7.2, stores several cre ...) NOT-FOR-US: SAP / Solution Manager CVE-2019-0306 (SAP HANA Extended Application Services (advanced model), version 1, al ...) NOT-FOR-US: SAP HANA Extended Application Services CVE-2019-0305 (Java Server Pages (JSPs) provided by the SAP NetWeaver Process Integra ...) NOT-FOR-US: SAP NetWeaver Process Integration CVE-2019-0304 (FTP Function of SAP NetWeaver AS ABAP Platform, versions- KRNL32NUC 7. ...) NOT-FOR-US: SAP NetWeaver AS ABAP Platform CVE-2019-0303 (SAP BusinessObjects Business Intelligence Platform (Administration Con ...) NOT-FOR-US: SAP BusinessObjects Business Intelligence Platform CVE-2019-0302 RESERVED CVE-2019-0301 (Under certain conditions, it is possible to request the modification o ...) NOT-FOR-US: SAP CVE-2019-0300 RESERVED CVE-2019-0299 RESERVED CVE-2019-0298 (SAP E-Commerce (Business-to-Consumer) application does not sufficientl ...) NOT-FOR-US: SAP CVE-2019-0297 RESERVED CVE-2019-0296 RESERVED CVE-2019-0295 RESERVED CVE-2019-0294 RESERVED CVE-2019-0293 (Read of RFC destination does not always perform necessary authorizatio ...) NOT-FOR-US: SAP CVE-2019-0292 RESERVED CVE-2019-0291 (Under certain conditions Solution Manager, version 7.2, allows an atta ...) NOT-FOR-US: SAP CVE-2019-0290 RESERVED CVE-2019-0289 (Under certain conditions SAP BusinessObjects Business Intelligence pla ...) NOT-FOR-US: SAP CVE-2019-0288 RESERVED CVE-2019-0287 (Under certain conditions SAP BusinessObjects Business Intelligence pla ...) NOT-FOR-US: SAP CVE-2019-0286 RESERVED CVE-2019-0285 (The .NET SDK WebForm Viewer in SAP Crystal Reports for Visual Studio ( ...) NOT-FOR-US: SAP CVE-2019-0284 (SLD Registration in SAP HANA (fixed in versions 1.0, 2.0) does not suf ...) NOT-FOR-US: SAP CVE-2019-0283 (SAP NetWeaver Process Integration (Adapter Engine), fixed in versions ...) NOT-FOR-US: SAP CVE-2019-0282 (Several web pages in SAP NetWeaver Process Integration (Runtime Workbe ...) NOT-FOR-US: SAP CVE-2019-0281 (SAPUI5 and OpenUI5, before versions 1.38.39, 1.44.39, 1.52.25, 1.60.6 ...) NOT-FOR-US: SAP CVE-2019-0280 (SAP Treasury and Risk Management (EA-FINSERV 6.0, 6.03, 6.04, 6.05, 6. ...) NOT-FOR-US: SAP CVE-2019-0279 (ABAP BASIS function modules INST_CREATE_R3_RFC_DEST, INST_CREATE_TCPIP ...) NOT-FOR-US: SAP CVE-2019-0278 (Under certain conditions the Monitoring Servlet of the SAP NetWeaver P ...) NOT-FOR-US: SAP CVE-2019-0277 (SAP HANA extended application services, version 1, advanced does not s ...) NOT-FOR-US: SAP CVE-2019-0276 (Banking services from SAP 9.0 (FSAPPL version 5) and SAP S/4HANA Finan ...) NOT-FOR-US: SAP CVE-2019-0275 (SAML 1.1 SSO Demo Application in SAP NetWeaver Java Application Server ...) NOT-FOR-US: SAP CVE-2019-0274 (SAP Mobile Platform SDK allows an attacker to prevent legitimate users ...) NOT-FOR-US: SAP CVE-2019-0273 RESERVED CVE-2019-0272 RESERVED CVE-2019-0271 (ABAP Server (used in NetWeaver and Suite/ERP) and ABAP Platform does n ...) NOT-FOR-US: SAP CVE-2019-0270 (ABAP Server of SAP NetWeaver and ABAP Platform fail to perform necessa ...) NOT-FOR-US: SAP CVE-2019-0269 (SAP BusinessObjects Business Intelligence Platform (BI Workspace), ver ...) NOT-FOR-US: SAP CVE-2019-0268 (SAP BusinessObjects Business Intelligence Platform (CMC Module), versi ...) NOT-FOR-US: SAP CVE-2019-0267 (SAP Manufacturing Integration and Intelligence, versions 15.0, 15.1 an ...) NOT-FOR-US: SAP CVE-2019-0266 (Under certain conditions SAP HANA Extended Application Services, versi ...) NOT-FOR-US: SAP CVE-2019-0265 (SLD Registration of ABAP Platform allows an attacker to prevent legiti ...) NOT-FOR-US: ABAP Platform CVE-2019-0264 RESERVED CVE-2019-0263 RESERVED CVE-2019-0262 (SAP WebIntelligence BILaunchPad, versions 4.10, 4.20, does not suffici ...) NOT-FOR-US: SAP CVE-2019-0261 (Under certain circumstances, SAP HANA Extended Application Services, a ...) NOT-FOR-US: SAP CVE-2019-0260 RESERVED CVE-2019-0259 (SAP BusinessObjects, versions 4.2 and 4.3, (Visual Difference) allows ...) NOT-FOR-US: SAP CVE-2019-0258 (SAP Disclosure Management, version 10.01, does not perform necessary a ...) NOT-FOR-US: SAP CVE-2019-0257 (Customizing functionality of SAP NetWeaver AS ABAP Platform (fixed in ...) NOT-FOR-US: SAP CVE-2019-0256 (Under certain conditions SAP Business One Mobile Android App, version ...) NOT-FOR-US: SAP CVE-2019-0255 (SAP NetWeaver AS ABAP Platform, Krnl64nuc 7.74, krnl64UC 7.73, 7.74, K ...) NOT-FOR-US: SAP CVE-2019-0254 (SAP Disclosure Management (before version 10.1 Stack 1301) does not su ...) NOT-FOR-US: SAP CVE-2019-0253 RESERVED CVE-2019-0252 RESERVED CVE-2019-0251 (The Fiori Launchpad of SAP BusinessObjects, before versions 4.2 and 4. ...) NOT-FOR-US: SAP CVE-2019-0250 RESERVED CVE-2019-0249 (Under certain conditions SAP Landscape Management (VCM 3.0) allows an ...) NOT-FOR-US: SAP CVE-2019-0248 (Under certain conditions SAP Gateway of ABAP Application Server (fixed ...) NOT-FOR-US: SAP CVE-2019-0247 (SAP Cloud Connector, before version 2.11.3, allows an attacker to inje ...) NOT-FOR-US: SAP CVE-2019-0246 (SAP Cloud Connector, before version 2.11.3, does not perform any authe ...) NOT-FOR-US: SAP CVE-2019-0245 (SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31 ...) NOT-FOR-US: SAP CVE-2019-0244 (SAP CRM WebClient UI (fixed in SAPSCORE 1.12; S4FND 1.02; WEBCUIF 7.31 ...) NOT-FOR-US: SAP CVE-2019-0243 (Under some circumstances, masterdata maintenance in SAP BW/4HANA (fixe ...) NOT-FOR-US: SAP CVE-2019-0242 RESERVED CVE-2019-0241 (SAP Work and Inventory Manager (Agentry_SDK , before 7.0, 7.1) allows ...) NOT-FOR-US: SAP CVE-2019-0240 (SAP Business Objects Mobile for Android (before 6.3.5) application all ...) NOT-FOR-US: SAP CVE-2019-0239 RESERVED CVE-2019-0238 (SAP Commerce (previously known as SAP Hybris Commerce), before version ...) NOT-FOR-US: SAP CVE-2019-0237 RESERVED CVE-2019-0236 RESERVED CVE-2018-19564 (Stored XSS was discovered in the Easy Testimonials plugin 3.2 for Word ...) NOT-FOR-US: Easy Testimonials plugin for WordPress CVE-2018-19563 RESERVED CVE-2018-19562 (An issue was discovered in PHPok 4.9.015. admin.php?c=update&f=unz ...) NOT-FOR-US: PHPok CVE-2018-19561 (sikcms 1.1 has CSRF via admin.php?m=Admin&c=Users&a=userAdd to ...) NOT-FOR-US: sikcms CVE-2018-19560 (BageCMS 3.1.3 has CSRF via upload/index.php?r=admini/admin/ownerUpdate ...) NOT-FOR-US: BageCMS CVE-2018-19559 (CuppaCMS before 2018-11-12 has SQL Injection in administrator/classes/ ...) NOT-FOR-US: CuppaCMS CVE-2018-19558 (An issue was discovered in arcms through 2018-03-19. SQL injection exi ...) NOT-FOR-US: arcms CVE-2018-19557 (An issue was discovered in arcms through 2018-03-19. No authentication ...) NOT-FOR-US: arcms CVE-2018-19556 (** DISPUTED ** zb_system/admin/index.php?act=UploadMng in Z-BlogPHP 1. ...) NOT-FOR-US: Z-BlogPHP CVE-2018-19555 (tp4a TELEPORT 3.1.0 has CSRF via user/do-reset-password to change any ...) NOT-FOR-US: tp4a TELEPORT CVE-2018-19554 (An issue was discovered in Dotcms through 5.0.3. Attackers may perform ...) NOT-FOR-US: dotCMS CVE-2018-19553 (Interspire Email Marketer through 6.1.6 has SQL Injection via an updat ...) NOT-FOR-US: Interspire Email Marketer CVE-2018-19552 (Interspire Email Marketer through 6.1.6 has SQL Injection via a delete ...) NOT-FOR-US: Interspire Email Marketer CVE-2018-19551 (Interspire Email Marketer through 6.1.6 has SQL Injection via a checkd ...) NOT-FOR-US: Interspire Email Marketer CVE-2018-19550 (Interspire Email Marketer through 6.1.6 allows arbitrary file upload v ...) NOT-FOR-US: Interspire Email Marketer CVE-2018-19549 (Interspire Email Marketer through 6.1.6 has SQL Injection via a tagids ...) NOT-FOR-US: Interspire Email Marketer CVE-2018-19548 (index.php?r=site%2Flogin in EduSec through 4.2.6 does not restrict sen ...) NOT-FOR-US: EduSec CVE-2018-19547 (JTBC(PHP) 3.0.1.7 has XSS via the console/xml/manage.php?type=action&a ...) NOT-FOR-US: JTBC(PHP) CVE-2018-19546 (JTBC(PHP) 3.0.1.7 has CSRF via the console/xml/manage.php?type=action& ...) NOT-FOR-US: JTBC(PHP) CVE-2018-19545 (JEECMS 9.3 has CSRF via the api/admin/role/save URI to add a user. ...) NOT-FOR-US: JEECMS CVE-2018-19544 (JEECMS 9.3 has CSRF via the api/admin/content/save URI to add news. ...) NOT-FOR-US: JEECMS CVE-2018-19543 (An issue was discovered in JasPer 2.0.14. There is a heap-based buffer ...) - jasper [jessie] - jasper (Code appears to work correctly but wait for more information) NOTE: https://github.com/mdadams/jasper/issues/182 NOTE: This issue is reproducible with ASAN, however without ASAN the guard, NOTE: introduced with the fix for CVE-2014-8138, works as expected and NOTE: jasper terminates properly. Still I am going to mark this bug as NOTE: postponed until we receive feedback from upstream. CVE-2018-19542 (An issue was discovered in JasPer 2.0.14. There is a NULL pointer dere ...) {DLA-1628-1} - jasper NOTE: https://github.com/mdadams/jasper/issues/182 CVE-2018-19541 (An issue was discovered in JasPer 2.0.14. There is a heap-based buffer ...) {DLA-1628-1} - jasper NOTE: https://github.com/mdadams/jasper/issues/182 CVE-2018-19540 (An issue was discovered in JasPer 2.0.14. There is a heap-based buffer ...) {DLA-1628-1} - jasper NOTE: https://github.com/mdadams/jasper/issues/182 CVE-2018-19539 (An issue was discovered in JasPer 2.0.14. There is an access violation ...) {DLA-1628-1} - jasper NOTE: https://github.com/mdadams/jasper/issues/182 CVE-2018-19538 RESERVED CVE-2018-19537 (TP-Link Archer C5 devices through V2_160201_US allow remote command ex ...) NOT-FOR-US: TP-Link Archer C5 devices CVE-2018-19536 RESERVED CVE-2018-19535 (In Exiv2 0.26 and previous versions, PngChunk::readRawProfile in pngch ...) {DLA-1691-1} - exiv2 0.27.2-6 (bug #915135) [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/issues/428 NOTE: https://github.com/Exiv2/exiv2/pull/430 CVE-2018-19534 RESERVED CVE-2018-19533 RESERVED CVE-2018-19532 (A NULL pointer dereference vulnerability exists in the function PdfTra ...) - libpodofo 0.9.6+dfsg-4 (low; bug #916085) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) NOTE: https://sourceforge.net/p/podofo/tickets/32/ NOTE: https://sourceforge.net/p/podofo/code/1950/ CVE-2018-19531 (HTTL (aka Hyper-Text Template Language) through 1.0.11 allows remote c ...) NOT-FOR-US: HTTL CVE-2018-19530 (HTTL (aka Hyper-Text Template Language) through 1.0.11 allows remote c ...) NOT-FOR-US: HTTL CVE-2018-19529 RESERVED CVE-2018-19528 (TP-Link TL-WR886N 7.0 1.1.0 devices allow remote attackers to cause a ...) NOT-FOR-US: TP-Link CVE-2018-19527 (i4 assistant 7.85 allows XSS via a crafted machine name field within i ...) NOT-FOR-US: i4 assistant CVE-2018-19526 RESERVED CVE-2018-19525 (An issue was discovered on Systrome ISG-600C, ISG-600H, and ISG-800W 1 ...) NOT-FOR-US: Systrome CVE-2018-19524 (An issue was discovered on Shenzhen Skyworth DT741 Converged Intellige ...) NOT-FOR-US: Shenzhen Skyworth CVE-2018-19523 (DriverAgent 2.2015.7.14, which includes DrvAgent64.sys 1.0.0.1, allows ...) NOT-FOR-US: DriverAgent CVE-2018-19522 (DriverAgent 2.2015.7.14, which includes DrvAgent64.sys 1.0.0.1, allows ...) NOT-FOR-US: DriverAgent CVE-2018-19521 RESERVED CVE-2018-19520 (An issue was discovered in SDCMS 1.6 with PHP 5.x. app/admin/controlle ...) NOT-FOR-US: SDCMS CVE-2018-19519 (In tcpdump 4.9.2, a stack-based buffer over-read exists in the print_p ...) - tcpdump (unimportant) NOTE: https://github.com/the-tcpdump-group/tcpdump/issues/763 NOTE: https://github.com/zyingp/temp/blob/master/tcpdump.md NOTE: Crash in CLI tool, no security impact CVE-2018-19516 (messagepartthemes/default/defaultrenderer.cpp in messagelib in KDE App ...) - kf5-messagelib 4:18.08.3-2 (bug #915039) [stretch] - kf5-messagelib (Minor issue) NOTE: https://www.kde.org/info/security/advisory-20181128-1.txt NOTE: https://cgit.kde.org/messagelib.git/commit/?id=34765909cdf8e55402a8567b48fb288839c61612 CVE-2018-19515 (In Webgalamb through 7.0, system/ajax.php functionality is supposed to ...) NOT-FOR-US: Webgalamb CVE-2018-19514 (In Webgalamb through 7.0, an arbitrary code execution vulnerability co ...) NOT-FOR-US: Webgalamb CVE-2018-19513 (In Webgalamb through 7.0, log files are exposed to the internet with p ...) NOT-FOR-US: Webgalamb CVE-2018-19512 (In Webgalamb through 7.0, a system/ajax.php "wgmfile restore" director ...) NOT-FOR-US: Webgalamb CVE-2018-19511 (wg7.php in Webgalamb 7.0 lacks security measures to prevent CSRF attac ...) NOT-FOR-US: Webgalamb CVE-2018-19510 (subscriber.php in Webgalamb through 7.0 is vulnerable to SQL injection ...) NOT-FOR-US: Webgalamb CVE-2018-19509 (wg7.php in Webgalamb 7.0 makes opportunistic calls to htmlspecialchars ...) NOT-FOR-US: Webgalamb CVE-2018-19508 (CMSimple 4.7.5 has XSS via an admin's upload of an SVG file at a ?user ...) NOT-FOR-US: CMSimple CVE-2018-19507 (CMSimple 4.7.5 has XSS via an admin's use of a ?file=config&action ...) NOT-FOR-US: CMSimple CVE-2018-19506 (Zurmo 3.2.4 has XSS via an admin's use of the name parameter in the re ...) NOT-FOR-US: Zurmo CVE-2018-19505 (Remedy AR System Server in BMC Remedy 7.1 may fail to set the correct ...) NOT-FOR-US: Remedy AR System Server in BMC Remedy CVE-2018-19504 (An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2 ...) {DSA-4522-1} - faad2 2.8.8-2 (low; bug #914641) [jessie] - faad2 2.7-8+deb8u2 NOTE: https://sourceforge.net/p/faac/bugs/240/ NOTE: https://github.com/knik0/faad2/issues/26 NOTE: https://github.com/knik0/faad2/commit/466b01d504d7e45 CVE-2018-19503 (An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2 ...) {DSA-4522-1} - faad2 2.8.8-2 (bug #914641) [jessie] - faad2 2.7-8+deb8u2 NOTE: https://sourceforge.net/p/faac/bugs/240/ NOTE: https://github.com/knik0/faad2/issues/18 NOTE: https://github.com/knik0/faad2/commit/6b4a7cde30f2e2cb03e78ef476cc73179cfffda3 CVE-2018-19502 (An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2 ...) {DSA-4522-1 DLA-1899-1} - faad2 2.8.8-3 (bug #914641) NOTE: https://sourceforge.net/p/faac/bugs/240/ NOTE: https://github.com/knik0/faad2/issues/22 NOTE: https://github.com/knik0/faad2/commit/942c3e0aee748ea6fe97cb2c1aa5893225316174 CVE-2018-19501 RESERVED CVE-2018-19500 RESERVED CVE-2018-19499 (Vanilla before 2.5.5 and 2.6.x before 2.6.2 allows Remote Code Executi ...) NOT-FOR-US: Vanilla CVE-2018-19498 (The Simplenia Pages plugin 2.6.0 for Atlassian Bitbucket Server has XS ...) NOT-FOR-US: Atlassian plugin CVE-2018-19497 (In The Sleuth Kit (TSK) through 4.6.4, hfs_cat_traverse in tsk/fs/hfs. ...) {DLA-1610-1} - sleuthkit 4.6.5-1 (low; bug #914796) [stretch] - sleuthkit (Minor issue) NOTE: https://github.com/sleuthkit/sleuthkit/pull/1374 NOTE: https://github.com/sleuthkit/sleuthkit/commit/bc04aa017c0bd297de8a3b7fc40ffc6ddddbb95d CVE-2018-19496 (An issue was discovered in GitLab Community and Enterprise Edition 10. ...) - gitlab 11.3.11+dfsg-1 NOTE: https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/ CVE-2018-19495 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.3.11+dfsg-1 NOTE: https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/ CVE-2018-19494 (An issue was discovered in GitLab Community and Enterprise Edition 11. ...) - gitlab 11.3.11+dfsg-1 NOTE: https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/ CVE-2018-19493 (An issue was discovered in GitLab Community and Enterprise Edition 11. ...) - gitlab 11.3.11+dfsg-1 NOTE: https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/ CVE-2018-19492 (An issue was discovered in cairo.trm in Gnuplot 5.2.5. This issue allo ...) {DLA-1597-1 DLA-1595-1} - gnuplot (unimportant) - gnuplot5 (unimportant) NOTE: https://sourceforge.net/p/gnuplot/bugs/2089/ NOTE: https://sourceforge.net/p/gnuplot/gnuplot-main/ci/d5020716834582b20a5e12cdd49f39ee4f9dd949/ NOTE: No security impact, neutralised by toolchain hardening NOTE: No security impact, gnuplot can execute arbitrary commands and need to come from a trusted source, NOTE: see README.Debian.security (added in 5.2.6) CVE-2018-19491 (An issue was discovered in post.trm in Gnuplot 5.2.5. This issue allow ...) {DLA-1597-1 DLA-1595-1} - gnuplot (unimportant) - gnuplot5 (unimportant) NOTE: https://sourceforge.net/p/gnuplot/bugs/2094/ NOTE: https://sourceforge.net/p/gnuplot/gnuplot-main/ci/d5020716834582b20a5e12cdd49f39ee4f9dd949/ NOTE: No security impact, gnuplot can execute arbitrary commands and need to come from a trusted source, NOTE: see README.Debian.security (added in 5.2.6) CVE-2018-19490 (An issue was discovered in datafile.c in Gnuplot 5.2.5. This issue all ...) {DLA-1597-1 DLA-1595-1} - gnuplot (unimportant) - gnuplot5 (unimportant) NOTE: https://sourceforge.net/p/gnuplot/bugs/2093/ NOTE: https://sourceforge.net/p/gnuplot/gnuplot-main/ci/d5020716834582b20a5e12cdd49f39ee4f9dd949/ NOTE: No security impact, gnuplot can execute arbitrary commands and need to come from a trusted source, NOTE: see README.Debian.security (added in 5.2.6) CVE-2018-19489 (v9fs_wstat in hw/9pfs/9p.c in QEMU allows guest OS users to cause a de ...) {DSA-4454-1 DLA-1646-1} - qemu 1:3.1+dfsg-1 (bug #914727) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg04489.html NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=1d20398694a3b67a388d955b7a945ba4aa90a8a8 (master) CVE-2018-19488 (The WP-jobhunt plugin before version 2.4 for WordPress does not contro ...) NOT-FOR-US: Wordpress plugin CVE-2018-19487 (The WP-jobhunt plugin before version 2.4 for WordPress does not contro ...) NOT-FOR-US: Wordpress plugin CVE-2018-19485 RESERVED CVE-2018-19484 RESERVED CVE-2018-19483 RESERVED CVE-2018-19482 RESERVED CVE-2018-19481 RESERVED CVE-2018-19480 RESERVED CVE-2018-19479 RESERVED CVE-2018-19478 (In Artifex Ghostscript before 9.26, a carefully crafted PDF file can t ...) {DSA-4346-1 DLA-1620-1} - ghostscript 9.26~dfsg-1 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699856 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0a7e5a1c309fa0911b892fa40996a7d55d90bace CVE-2018-19474 RESERVED CVE-2018-19473 RESERVED CVE-2018-19472 RESERVED CVE-2018-19471 RESERVED CVE-2018-19470 RESERVED CVE-2018-19469 (ArticleCMS through 2017-02-19 has XSS via the /update_personal_infomat ...) NOT-FOR-US: ArticleCMS CVE-2018-19468 (HuCart 5.7.4 has SQL injection in get_ip() in system/class/helper_clas ...) NOT-FOR-US: HuCart CVE-2018-19467 RESERVED CVE-2018-19466 (A vulnerability was found in Portainer before 1.20.0. Portainer stores ...) NOT-FOR-US: Portainer CVE-2018-19465 (Maccms through 8.0 allows XSS via the site_keywords field to index.php ...) NOT-FOR-US: Maccms CVE-2018-19464 (Discuz! X3.4 allows XSS via admin.php because admincp/admincp_setting. ...) NOT-FOR-US: Discuz! CVE-2018-19463 (** DISPUTED ** zb_system/function/lib/upload.php in Z-BlogPHP through ...) NOT-FOR-US: Z-BlogPHP CVE-2018-19462 (admin\db\DoSql.php in EmpireCMS through 7.5 allows remote attackers to ...) NOT-FOR-US: EmpireCMS CVE-2018-19461 (admin\db\DoSql.php in EmpireCMS through 7.5 allows XSS via crafted SQL ...) NOT-FOR-US: EmpireCMS CVE-2018-19460 RESERVED CVE-2018-19459 (Adult Filter 1.0 has a Buffer Overflow via a crafted Black Domain List ...) NOT-FOR-US: Adult Filter CVE-2018-19458 (In PHP Proxy 3.0.3, any user can read files from the server without au ...) NOT-FOR-US: PHP Proxy CVE-2018-19457 (Logicspice FAQ Script 2.9.7 allows uploading arbitrary files, which le ...) NOT-FOR-US: Logicspice FAQ Script CVE-2018-19456 (The WP Backup+ (aka WPbackupplus) plugin through 2018-11-22 for WordPr ...) NOT-FOR-US: WP Backup+ (aka WPbackupplus) plugin for WordPress CVE-2018-19455 RESERVED CVE-2018-19486 (Git before 2.19.2 on Linux and UNIX executes commands from the current ...) - git 1:2.19.2-1 [stretch] - git (Vulnerable code introduced later) [jessie] - git (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=321fd82389742398d2924640ce3a61791fd27d60 NOTE: Introduced by: https://git.kernel.org/pub/scm/git/git.git/commit/?id=e3a434468fecca7c14a6bef32050dfa60534fde6 CVE-2018-19477 (psi/zfjbig2.c in Artifex Ghostscript before 9.26 allows remote attacke ...) {DSA-4346-1 DLA-1598-1} - ghostscript 9.26~dfsg-1 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ef252e7dc214bcbd9a2539216aab9202848602bb (ghostscript-9.26) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=606a22e77e7f081781e99e44644cd0119f559e03 (master) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700168 CVE-2018-19476 (psi/zicc.c in Artifex Ghostscript before 9.26 allows remote attackers ...) {DSA-4346-1 DLA-1598-1} - ghostscript 9.26~dfsg-1 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=67d760ab775dae4efe803b5944b0439aa3c0b04a (ghostscript-9.26) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=434753adbe8be5534bfb9b7d91746023e8073d16 (master) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700169 CVE-2018-19475 (psi/zdevice2.c in Artifex Ghostscript before 9.26 allows remote attack ...) {DSA-4346-1 DLA-1598-1} - ghostscript 9.26~dfsg-1 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=3005fcb9bb160af199e761e03bc70a9f249a987e (ghostscript-9.26) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=aeea342904978c9fe17d85f4906a0f6fcce2d315 (master) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700153 CVE-2018-19518 (University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_o ...) {DSA-4353-1 DLA-1700-1 DLA-1608-1} - php7.3 7.3.0-1 (bug #913775) - php7.2 (bug #913835) - php7.0 (bug #913836) - php5 - uw-imap 8:2007f~dfsg-6 (bug #914632) [stretch] - uw-imap (Minor issue) NOTE: Fixed in 5.6.39, 7.0.33, 7.1.25, 7.2.13, 7.3.0 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=76428 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77153 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77160 NOTE: https://www.openwall.com/lists/oss-security/2018/11/22/3 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=e5bfea64c81ae34816479bb05d17cdffe45adddb CVE-2018-19454 RESERVED CVE-2018-19453 (Kentico CMS before 11.0.45 allows unrestricted upload of a file with a ...) NOT-FOR-US: Kentico CMS CVE-2018-19452 (A use after free in the TextBox field Mouse Enter action in IReader_Co ...) NOT-FOR-US: Foxit Reader CVE-2018-19451 (A command injection can occur for specially crafted PDF files in Foxit ...) NOT-FOR-US: Foxit Reader CVE-2018-19450 (A command injection can occur for specially crafted PDF files in Foxit ...) NOT-FOR-US: Foxit Reader SDK CVE-2018-19449 (A File Write can occur for specially crafted PDF files in Foxit Reader ...) NOT-FOR-US: Foxit Reader SDK CVE-2018-19448 (In Foxit Reader SDK (ActiveX) Professional 5.4.0.1031, an uninitialize ...) NOT-FOR-US: Foxit Reader SDK CVE-2018-19447 (A stack-based buffer overflow can occur for specially crafted PDF file ...) NOT-FOR-US: Foxit Reader SDK CVE-2018-19446 (A File Write can occur for specially crafted PDF files in Foxit Reader ...) NOT-FOR-US: Foxit Reader SDK CVE-2018-19445 (A command injection can occur for specially crafted PDF files in Foxit ...) NOT-FOR-US: Foxit Reader SDK CVE-2018-19444 (A use after free in the TextBox field Validate action in IReader_Conte ...) NOT-FOR-US: Foxit Reader SDK CVE-2018-19442 (A Buffer Overflow in Network::AuthenticationClient::VerifySignature in ...) NOT-FOR-US: Neato Botvac Connected CVE-2018-19441 (An issue was discovered in Neato Botvac Connected 2.2.0. The GenerateR ...) NOT-FOR-US: Neato Botvac Connected CVE-2018-19440 (ARM Trusted Firmware-A allows information disclosure. ...) NOT-FOR-US: ARM Trusted Firmware-A CVE-2018-19439 (XSS exists in the Administration Console in Oracle Secure Global Deskt ...) NOT-FOR-US: Oracle CVE-2018-19438 RESERVED CVE-2018-19443 (The client in Tryton 5.x before 5.0.1 tries to make a connection to th ...) - tryton-client (Only affects 5.x, vulnerable 5.0.0 version never in Debian) NOTE: https://discuss.tryton.org/t/security-release-for-issue7792/830 NOTE: https://bugs.tryton.org/issue7792 CVE-2018-19437 (UCMS 1.4.7 allows remote authenticated users to change the administrat ...) NOT-FOR-US: UCMS CVE-2018-19436 (An issue was discovered in the Manufacturing component in webERP 4.15. ...) NOT-FOR-US: webERP CVE-2018-19435 (An issue was discovered in the Sales component in webERP 4.15. SalesIn ...) NOT-FOR-US: webERP CVE-2018-19434 (An issue was discovered on the "Bank Account Matching - Receipts" scre ...) NOT-FOR-US: webERP CVE-2018-19433 (ShowDoc 2.4.1 has XSS via the lang parameter because install/database. ...) NOT-FOR-US: ShowDoc CVE-2018-19432 (An issue was discovered in libsndfile 1.0.28. There is a NULL pointer ...) {DLA-1618-1} - libsndfile 1.0.28-5 (unimportant; bug #914381) NOTE: https://github.com/erikd/libsndfile/issues/427 NOTE: https://github.com/erikd/libsndfile/commit/aaea680337267bfb6d2544da878890ee7f1c5077 NOTE: Similar underlying issue as CVE-2018-13139 but not considered a duplicate. NOTE: Missing channel number check in sndfile-deinterleave program, not a NOTE: security issue in the library. CVE-2018-19431 RESERVED CVE-2018-19430 RESERVED CVE-2018-19429 RESERVED CVE-2018-19428 RESERVED CVE-2018-19427 RESERVED CVE-2018-19426 RESERVED CVE-2018-19425 RESERVED CVE-2018-19424 (ClipperCMS 1.3.3 allows remote authenticated administrators to upload ...) NOT-FOR-US: ClipperCMS CVE-2018-19423 (Codiad 2.8.4 allows remote authenticated administrators to execute arb ...) NOT-FOR-US: Codiad CVE-2018-19422 (/panel/uploads in Subrion CMS 4.2.1 allows remote attackers to execute ...) NOT-FOR-US: Subrion CMS CVE-2018-19421 (In GetSimpleCMS 3.3.15, admin/upload.php blocks .html uploads but Inte ...) NOT-FOR-US: GetSimpleCMS CVE-2018-19420 (In GetSimpleCMS 3.3.15, admin/upload.php blocks .html uploads but ther ...) NOT-FOR-US: GetSimpleCMS CVE-2018-19419 RESERVED CVE-2018-19418 RESERVED CVE-2018-19417 (An issue was discovered in the MQTT server in Contiki-NG before 4.2. T ...) NOT-FOR-US: Contiki-NG CVE-2018-19517 (An issue was discovered in sysstat 12.1.1. The remap_struct function i ...) [experimental] - sysstat 12.0.3-1 - sysstat 12.0.3-2 (low; bug #914553) [stretch] - sysstat (Vulnerable code introduced later) [jessie] - sysstat (Vulnerable code introduced later) NOTE: https://github.com/sysstat/sysstat/issues/199 NOTE: Fixed by: https://github.com/sysstat/sysstat/commit/fbc691eaaa10d0bcea6741d5a223dc3906106548 CVE-2018-19416 (An issue was discovered in sysstat 12.1.1. The remap_struct function i ...) [experimental] - sysstat 12.0.3-1 - sysstat 12.0.3-2 (low; bug #914384) [stretch] - sysstat (Vulnerable code introduced later) [jessie] - sysstat (vulnerable code was introduced later) NOTE: https://github.com/sysstat/sysstat/issues/196 NOTE: Fixed by: https://github.com/sysstat/sysstat/commit/fbc691eaaa10d0bcea6741d5a223dc3906106548 NOTE: Vulnerable code introduced with https://github.com/sysstat/sysstat/commit/65ac30359e49ee717397e39950d7c24a6610d57c#diff-cccb0877d1539c562536a98e0d17428f CVE-2018-19415 (Multiple SQL injection vulnerabilities in Plikli CMS 4.0.0 allow remot ...) NOT-FOR-US: Plikli CMS CVE-2018-19414 (Multiple cross-site scripting (XSS) vulnerabilities in Plikli CMS 4.0. ...) NOT-FOR-US: Plikli CMS CVE-2018-19413 (A vulnerability in the API of SonarSource SonarQube before 7.4 could a ...) NOT-FOR-US: SonarQube CVE-2018-19412 RESERVED CVE-2018-19411 (PRTG Network Monitor before 18.2.40.1683 allows an authenticated user ...) NOT-FOR-US: PRTG Network Monitor CVE-2018-19410 (PRTG Network Monitor before 18.2.40.1683 allows remote unauthenticated ...) NOT-FOR-US: PRTG Network Monitor CVE-2018-19409 (An issue was discovered in Artifex Ghostscript before 9.26. LockSafety ...) {DSA-4346-1 DLA-1598-1} - ghostscript 9.26~dfsg-1 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700176 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=661e8d8fb8248c38d67958beda32f3a5876d0c3f NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ea1b3ef437f39e45874f821c06bd953196625ac5 CVE-2009-5153 (In Novell NetWare before 6.5 SP8, a stack buffer overflow in processin ...) NOT-FOR-US: Novell NetWare CVE-2018-19408 RESERVED CVE-2018-19407 (The vcpu_scan_ioapic function in arch/x86/kvm/x86.c in the Linux kerne ...) {DLA-1715-1} - linux 4.19.9-1 [stretch] - linux 4.9.144-1 [jessie] - linux (Vulnerable code not present) NOTE: https://lkml.org/lkml/2018/11/20/580 CVE-2018-19406 (kvm_pv_send_ipi in arch/x86/kvm/lapic.c in the Linux kernel through 4. ...) - linux (Vulnerable code introduced later) NOTE: https://lkml.org/lkml/2018/11/20/411 NOTE: Introduced by: https://git.kernel.org/linus/4180bf1b655a791a0a6ef93a2ffffc762722c782 (4.19-rc1) NOTE: Fixed by: https://git.kernel.org/linus/38ab012f109caf10f471db1adf284e620dd8d701 (4.20-rc5) CVE-2018-19405 RESERVED CVE-2018-19404 (In YXcms 1.4.7, protected/apps/appmanage/controller/indexController.ph ...) NOT-FOR-US: YXcms CVE-2018-19403 RESERVED CVE-2018-19402 RESERVED CVE-2018-19401 RESERVED CVE-2018-19400 RESERVED CVE-2018-19399 RESERVED CVE-2018-19398 RESERVED CVE-2018-19397 RESERVED CVE-2018-19396 (ext/standard/var_unserializer.c in PHP 5.x through 7.1.24 allows attac ...) - php7.3 (Windows-specific) - php7.2 (Windows-specific) - php7.1 (Windows-specific) - php7.0 (Windows-specific) - php5 (Windows-specific) NOTE: https://bugs.php.net/bug.php?id=77177 CVE-2018-19395 (ext/standard/var.c in PHP 5.x through 7.1.24 on Windows allows attacke ...) - php7.3 (Windows-specific) - php7.2 (Windows-specific) - php7.1 (Windows-specific) - php7.0 (Windows-specific) - php5 (Windows-specific) NOTE: https://bugs.php.net/bug.php?id=77177 CVE-2018-19394 (Cobham Satcom Sailor 800 and 900 devices contained persistent XSS, whi ...) NOT-FOR-US: Cobham Satcom Sailor CVE-2018-19393 (Cobham Satcom Sailor 800 and 900 devices contained a vulnerability tha ...) NOT-FOR-US: Cobham Satcom Sailor CVE-2018-19392 (Cobham Satcom Sailor 250 and 500 devices before 1.25 contained an unau ...) NOT-FOR-US: Cobham Satcom Sailor CVE-2018-19391 (Cobham Satcom Sailor 250 and 500 devices before 1.25 contained persist ...) NOT-FOR-US: Cobham Satcom Sailor CVE-2018-19390 (FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to ...) NOT-FOR-US: Foxit CVE-2018-19389 (FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to ...) NOT-FOR-US: Foxit CVE-2018-19388 (FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to ...) NOT-FOR-US: Foxit CVE-2018-19387 REJECTED CVE-2018-19386 (SolarWinds Database Performance Analyzer 11.1.457 contains an instance ...) NOT-FOR-US: SolarWinds Database Performance Analyzer CVE-2018-19385 RESERVED CVE-2018-19384 RESERVED CVE-2018-19383 RESERVED CVE-2018-19382 RESERVED CVE-2018-19381 RESERVED CVE-2018-19380 RESERVED CVE-2018-19379 RESERVED CVE-2018-19378 RESERVED CVE-2018-19377 RESERVED CVE-2018-19376 (An issue was discovered in GreenCMS v2.3.0603. There is a CSRF vulnera ...) NOT-FOR-US: GreenCMS CVE-2018-19375 RESERVED CVE-2018-19374 (Zoho ManageEngine ADManager Plus 6.6 Build 6657 allows local users to ...) NOT-FOR-US: Zoho ManageEngine ADManager Plus CVE-2018-19373 RESERVED CVE-2018-19372 RESERVED CVE-2018-19371 (The SaveUserSettings service in Content Manager in SDL Web 8.5.0 has a ...) NOT-FOR-US: SDL Web CVE-2018-19370 (A Race condition vulnerability in unzip_file in admin/import/class-imp ...) NOT-FOR-US: Wordpress plugin CVE-2018-19369 RESERVED CVE-2018-19368 RESERVED CVE-2018-19367 (Portainer through 1.19.2 provides an API endpoint (/api/users/admin/ch ...) NOT-FOR-US: Portainer CVE-2018-19966 (An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS ...) {DSA-4369-1 DLA-1949-1} - xen 4.11.1-1 NOTE: https://xenbits.xen.org/xsa/advisory-280.txt CVE-2018-19965 (An issue was discovered in Xen through 4.11.x allowing 64-bit PV guest ...) {DSA-4369-1} - xen 4.11.1-1 [jessie] - xen (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) NOTE: https://xenbits.xen.org/xsa/advisory-279.txt CVE-2018-19964 (An issue was discovered in Xen 4.11.x allowing x86 guest OS users to c ...) - xen 4.11.1-1 [stretch] - xen (Only affects 4.11) [jessie] - xen (Only affects 4.11) NOTE: https://xenbits.xen.org/xsa/advisory-277.txt CVE-2018-19963 (An issue was discovered in Xen 4.11 allowing HVM guest OS users to cau ...) - xen 4.11.1-1 [stretch] - xen (Only affects 4.11) [jessie] - xen (Only affects 4.11) NOTE: https://xenbits.xen.org/xsa/advisory-276.txt CVE-2018-19962 (An issue was discovered in Xen through 4.11.x on AMD x86 platforms, po ...) {DSA-4369-1 DLA-1949-1} - xen 4.11.1-1 NOTE: https://xenbits.xen.org/xsa/advisory-275.txt CVE-2018-19961 (An issue was discovered in Xen through 4.11.x on AMD x86 platforms, po ...) {DSA-4369-1 DLA-1949-1} - xen 4.11.1-1 NOTE: https://xenbits.xen.org/xsa/advisory-275.txt CVE-2018-19366 RESERVED CVE-2018-19365 (The REST API in Wowza Streaming Engine 4.7.4.01 allows traversal of th ...) NOT-FOR-US: Wowza Streaming Engine CVE-2018-19364 (hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an fid path while ...) {DSA-4454-1 DLA-1646-1} - qemu 1:3.1+dfsg-1 (bug #914599) - qemu-kvm NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=5b76ef50f62079a2389ba28cacaf6cce68b1a0ed NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=5b3c77aa581ebb215125c84b0742119483571e55 CVE-2018-19363 RESERVED CVE-2018-19362 (FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to h ...) {DSA-4452-1 DLA-1703-1} - jackson-databind 2.9.8-1 NOTE: https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b NOTE: https://github.com/FasterXML/jackson-databind/issues/2186 NOTE: https://issues.apache.org/jira/browse/TINKERPOP-2121 CVE-2018-19361 (FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to h ...) {DSA-4452-1 DLA-1703-1} - jackson-databind 2.9.8-1 NOTE: https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b NOTE: https://github.com/FasterXML/jackson-databind/issues/2186 NOTE: https://issues.apache.org/jira/browse/TINKERPOP-2121 CVE-2018-19360 (FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to h ...) {DSA-4452-1 DLA-1703-1} - jackson-databind 2.9.8-1 NOTE: https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b NOTE: https://github.com/FasterXML/jackson-databind/issues/2186 NOTE: https://issues.apache.org/jira/browse/TINKERPOP-2121 CVE-2018-19359 (GitLab Community and Enterprise Edition 8.9 and later and before 11.5. ...) - gitlab 11.3.10+dfsg-2 (bug #914166) NOTE: https://about.gitlab.com/2018/11/19/critical-security-release-gitlab-11-dot-4-dot-6-released/ CVE-2018-19358 (GNOME Keyring through 3.28.2 allows local users to retrieve login cred ...) - gnome-keyring (unimportant; bug #914154) NOTE: https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1780365 NOTE: https://github.com/sungjungk/keyring_crack NOTE: The default keyring is automatically unlocked upon successful login. NOTE: The current behavior to access passwords via DBus is expected but NOTE: cannot be compromised by another user on the system. Users can choose NOTE: to use a separate keyring if they prefer to be prompted. NOTE: Non issue NOTE: https://wiki.gnome.org/Projects/GnomeKeyring/SecurityFAQ NOTE: https://gitlab.gnome.org/GNOME/gnome-keyring/issues/5 CVE-2018-19357 (XMPlay 3.8.3 allows remote attackers to execute arbitrary code or caus ...) NOT-FOR-US: XMPlay CVE-2018-19356 RESERVED CVE-2018-19355 (modules/orderfiles/ajax/upload.php in the Customer Files Upload addon ...) NOT-FOR-US: Customer Files Upload addon for PrestaShop CVE-2018-19354 RESERVED CVE-2018-19353 (The ansilove_ansi function in loaders/ansi.c in libansilove 1.0.0 allo ...) NOT-FOR-US: libansilove CVE-2018-19352 (Jupyter Notebook before 5.7.2 allows XSS via a crafted directory name ...) - jupyter-notebook 5.7.4-1 (bug #917408) NOTE: https://github.com/jupyter/notebook/commit/288b73e1edbf527740e273fcc69b889460871648 CVE-2018-19351 (Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook bec ...) - jupyter-notebook 5.7.4-1 (bug #917409) NOTE: https://github.com/jupyter/notebook/commit/107a89fce5f413fb5728c1c5d2c7788e1fb17491 CVE-2008-7320 (** DISPUTED ** GNOME Seahorse through 3.30 allows physically proximate ...) - seahorse (unimportant) NOTE: https://bugs.launchpad.net/ubuntu/+source/seahorse/+bug/189774 NOTE: https://bugs.launchpad.net/ubuntu/+source/seahorse/+bug/189774/comments/13 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=551036 NOTE: Explicitly a design decision by upstream and not considered a security issue CVE-2018-19350 (In SeaCMS v6.6.4, there is stored XSS via the member.php?action=chgpwd ...) NOT-FOR-US: SeaCMS CVE-2018-19349 (In SeaCMS v6.64, there is SQL injection via the admin_makehtml.php top ...) NOT-FOR-US: SeaCMS CVE-2018-19348 (The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader ...) NOT-FOR-US: Foxit Reader CVE-2018-19347 (The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader ...) NOT-FOR-US: Foxit Reader CVE-2018-19346 (The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader ...) NOT-FOR-US: Foxit Reader CVE-2018-19345 (The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader ...) NOT-FOR-US: Foxit Reader CVE-2018-19344 (The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader ...) NOT-FOR-US: Foxit Reader CVE-2018-19343 (The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader ...) NOT-FOR-US: Foxit Reader CVE-2018-19342 (The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader ...) NOT-FOR-US: Foxit Reader CVE-2018-19341 (The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader ...) NOT-FOR-US: Foxit Reader CVE-2018-19340 (Guriddo Form PHP 5.3 has XSS via the demos/jqform/defaultnodb/default. ...) NOT-FOR-US: Guriddo Form PHP CVE-2018-19339 RESERVED CVE-2018-19338 RESERVED CVE-2018-19337 RESERVED CVE-2018-19336 RESERVED CVE-2018-19335 (Google Monorail before 2018-06-07 has a Cross-Site Search (XS-Search) ...) NOT-FOR-US: Google Monorail CVE-2018-19334 (Google Monorail before 2018-05-04 has a Cross-Site Search (XS-Search) ...) NOT-FOR-US: Google Monorail CVE-2018-19333 (pkg/sentry/kernel/shm/shm.go in Google gVisor before 2018-11-01 allows ...) NOT-FOR-US: gVisor CVE-2018-19332 (An issue was discovered in S-CMS v1.5. There is a CSRF vulnerability t ...) NOT-FOR-US: S-CMS CVE-2018-19331 (An issue was discovered in S-CMS v1.5. There is a SQL injection vulner ...) NOT-FOR-US: S-CMS CVE-2018-19330 RESERVED CVE-2018-19329 (GreenCMS v2.3.0603 allows remote authenticated administrators to delet ...) NOT-FOR-US: GreenCMS CVE-2018-19328 (LAOBANCMS 2.0 allows install/mysql_hy.php?riqi=../ Directory Traversal ...) NOT-FOR-US: LAOBANCMS CVE-2018-19327 (An issue was discovered in JTBC(PHP) 3.0.1.7. aboutus/manage.php?type= ...) NOT-FOR-US: JTBC(PHP) CVE-2018-19326 (Zyxel VMG1312-B10D devices before 5.13(AAXA.8)C0 allow ../ Directory T ...) NOT-FOR-US: Zyxel CVE-2018-19325 REJECTED CVE-2018-19324 (kimsQ Rb 2.3.0 allows XSS via the second input field to the /?r=home&a ...) NOT-FOR-US: kimsQ Rb CVE-2018-19323 (The GDrv low-level driver in GIGABYTE APP Center v1.05.21 and earlier, ...) NOT-FOR-US: GIGABYTE APP Center CVE-2018-19322 (The GPCIDrv and GDrv low-level drivers in GIGABYTE APP Center v1.05.21 ...) NOT-FOR-US: GIGABYTE APP Center CVE-2018-19321 (The GPCIDrv and GDrv low-level drivers in GIGABYTE APP Center v1.05.21 ...) NOT-FOR-US: GIGABYTE APP Center CVE-2018-19320 (The GDrv low-level driver in GIGABYTE APP Center v1.05.21 and earlier, ...) NOT-FOR-US: GIGABYTE APP Center CVE-2018-19319 (SRCMS 3.0.0 allows CSRF via admin.php?m=Admin&c=gifts&a=update ...) NOT-FOR-US: SRCMS CVE-2018-19318 (SRCMS 3.0.0 allows CSRF via admin.php?m=Admin&c=manager&a=upda ...) NOT-FOR-US: SRCMS CVE-2018-19317 RESERVED CVE-2018-19316 RESERVED CVE-2018-19315 RESERVED CVE-2018-19314 RESERVED CVE-2018-19313 RESERVED CVE-2018-19312 (Centreon 3.4.x (fixed in Centreon 18.10.0 and Centreon web 2.8.24) all ...) - centreon-web (bug #913903) CVE-2018-19311 (Centreon 3.4.x (fixed in Centreon 18.10.0) allows XSS via the Service ...) - centreon-web (bug #913903) CVE-2018-19310 RESERVED CVE-2018-19309 RESERVED CVE-2018-19308 RESERVED CVE-2018-19307 RESERVED CVE-2018-19306 RESERVED CVE-2018-19305 RESERVED CVE-2018-19304 RESERVED CVE-2018-19303 RESERVED CVE-2018-19302 RESERVED CVE-2018-19301 (tp4a TELEPORT 3.1.0 allows XSS via the login page because a crafted us ...) NOT-FOR-US: tp4a TELEPORT CVE-2018-19300 (On D-Link DAP-1530 (A1) before firmware version 1.06b01, DAP-1610 (A1) ...) NOT-FOR-US: D-Link CVE-2018-19299 RESERVED CVE-2018-19298 RESERVED CVE-2018-19297 RESERVED CVE-2018-19296 (PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an objec ...) {DSA-4351-1 DLA-1591-1} - libphp-phpmailer 5.2.14+dfsg-2.4 (bug #913912) NOTE: https://github.com/PHPMailer/PHPMailer/commit/f1231a9771505f4f34da060390d82eadb8448271 CVE-2018-19295 (Sylabs Singularity 2.4 to 2.6 allows local users to conduct Improper I ...) - singularity-container 2.6.1-1 NOTE: https://www.openwall.com/lists/oss-security/2018/12/12/2 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1111411 CVE-2018-19294 RESERVED CVE-2018-19293 RESERVED CVE-2018-19292 RESERVED CVE-2018-19291 (An issue was discovered in DiliCMS 2.4.0. There is a CSRF vulnerabilit ...) NOT-FOR-US: DiliCMS CVE-2018-19290 (In modules/HELPBOT_MODULE in Budabot 0.6 through 4.0, lax syntax valid ...) NOT-FOR-US: Budabot CVE-2018-19289 (An issue was discovered in Valine v1.3.3. It allows HTML injection, wh ...) NOT-FOR-US: Valine CVE-2018-19288 (Zoho ManageEngine OpManager 12.3 before Build 123223 has XSS via the u ...) NOT-FOR-US: Zoho ManageEngine OpManager CVE-2018-19287 (XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows Remot ...) NOT-FOR-US: Ninja Forms plugin for WordPress CVE-2018-19286 (The server in mubu note 2018-11-11 has XSS by configuring an account w ...) NOT-FOR-US: mubu note CVE-2018-19285 RESERVED CVE-2018-19284 REJECTED CVE-2018-19283 RESERVED CVE-2018-19282 (Rockwell Automation PowerFlex 525 AC Drives 5.001 and earlier allow re ...) NOT-FOR-US: Rockwell Automation CVE-2018-19281 (Centreon 3.4.x (fixed in Centreon 18.10.0 and Centreon web 2.8.27) all ...) - centreon-web (bug #913903) CVE-2018-19280 (Centreon 3.4.x (fixed in Centreon 18.10.0) has XSS via the resource na ...) - centreon-web (bug #913903) CVE-2018-19279 (PRIMX ZoneCentral before 6.1.2236 on Windows sometimes leaks the plain ...) NOT-FOR-US: PRIMX ZoneCentral CVE-2018-19278 (Buffer overflow in DNS SRV and NAPTR lookups in Digium Asterisk 15.x b ...) - asterisk (Vulnerable code introduced in 15.x and 16.x releases) NOTE: https://downloads.asterisk.org/pub/security/AST-2018-010.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-28127 CVE-2015-9274 (HarfBuzz before 1.0.4 allows remote attackers to cause a denial of ser ...) - harfbuzz 1.2.6-1 [jessie] - harfbuzz (Vulnerable code introduced later) NOTE: https://github.com/harfbuzz/harfbuzz/commit/c917965b9e6fe2b21ed6c51559673288fa3af4b7 CVE-2019-0235 (Apache OFBiz 17.12.01 is vulnerable to some CSRF attacks. ...) NOT-FOR-US: Apache OFBiz CVE-2019-0234 (A Reflected Cross-site Scripting (XSS) vulnerability exists in Apache ...) NOT-FOR-US: Apache Roller CVE-2019-0233 RESERVED CVE-2019-0232 (When running on Windows with enableCmdLineArguments enabled, the CGI S ...) - tomcat9 (Windows-specific) - tomcat8 (Windows-specific) NOTE: https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html CVE-2019-0231 (Handling of the close_notify SSL/TLS message does not lead to a connec ...) NOT-FOR-US: Apache MINA CVE-2019-0230 RESERVED CVE-2019-0229 (A number of HTTP endpoints in the Airflow webserver (both RBAC and cla ...) - airflow (bug #819700) CVE-2019-0228 (Apache PDFBox 2.0.14 does not properly initialize the XML parser, whic ...) - libpdfbox2-java (Vulnerable code introduced in 2.0.14) - libpdfbox-java (Vulnerable code introduced in 2.0.14) NOTE: https://www.openwall.com/lists/oss-security/2019/04/12/1 NOTE: https://issues.apache.org/jira/browse/PDFBOX-4505 NOTE: Fixed by: https://svn.apache.org/r1856952 (2.0.15) CVE-2019-0227 (A Server Side Request Forgery (SSRF) vulnerability affected the Apache ...) - axis (bug #929266; unimportant) NOTE: https://rhinosecuritylabs.com/application-security/cve-2019-0227-expired-domain-rce-apache-axis/ NOTE: https://github.com/apache/axis1-java/commit/7043f1ab0397d1ae35f879f2bcc99be1e9b55644 NOTE: StockQuoteService.jws not present in Debian binary packages NOTE: disclosure mentions "03/12/2019 - Apache applied SSRF patch": NOTE: https://github.com/RhinoSecurityLabs/CVEs/issues/1 NOTE: https://github.com/apache/axis1-java/commit/35511b872a6460129cfc0cd35baaccbd820977b5 CVE-2019-0226 (Apache Karaf Config service provides a install method (via service or ...) - apache-karaf (bug #881297) CVE-2019-0225 (A specially crafted url could be used to access files under the ROOT d ...) - jspwiki CVE-2019-0224 (In Apache JSPWiki 2.9.0 to 2.11.0.M2, a carefully crafted URL could ex ...) - jspwiki CVE-2019-0223 (While investigating bug PROTON-2014, we discovered that under some cir ...) - qpid-proton 0.22.0-1 [stretch] - qpid-proton (Minor issue) [jessie] - qpid-proton (Minor issue) NOTE: https://issues.apache.org/jira/browse/PROTON-2014 NOTE: https://qpid.apache.org/cves/CVE-2019-0223.html NOTE: https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=97c7733 NOTE: https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=159fac1 NOTE: https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=4aea0fd NOTE: https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=2d3ba8a NOTE: Source-wise only fixed in 0.27.1 upstream, but 0.22.0-1 upload in NOTE: unstable switched to build against OpenSSL 1.1 adressing the issue. NOTE: The description tells that the vulnerability was introduced in 0.9 but the NOTE: version in jessie (0.7) seems to be vulnerable too even though one file is NOTE: not present in the jessie version. That part do not seem to be essential for NOTE: the package to be vulnerable. CVE-2019-0222 (In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame ca ...) - activemq 5.15.9-1 (bug #925964) [buster] - activemq (Minor issue) [stretch] - activemq (Minor issue) [jessie] - activemq (MQTT support not enabled) NOTE: http://activemq.apache.org/security-advisories.data/CVE-2019-0222-announcement.txt CVE-2019-0221 (The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 ...) {DSA-4596-1 DLA-1883-1 DLA-1810-1} - tomcat9 9.0.16-4 (bug #929895) - tomcat8 - tomcat7 NOTE: affects debug channel, unlikely to be present in production websites: NOTE: https://mail-archives.apache.org/mod_mbox/www-announce/201905.mbox/%3Cb1905aa6-f340-8d0b-58c4-8ac3ebcbfa54@apache.org%3E NOTE: https://github.com/apache/tomcat/commit/15fcd16 (9.0.19) NOTE: https://github.com/apache/tomcat/commit/4fcdf70 (8.5.39) NOTE: https://github.com/apache/tomcat/commit/44ec74c (7.0.93) CVE-2019-0220 (A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When ...) {DSA-4422-1 DLA-1748-1} - apache2 2.4.38-3 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-0220 NOTE: https://svn.apache.org/r1855737 NOTE: https://svn.apache.org/r1855751 CVE-2019-0219 (A website running in the InAppBrowser webview on Android could execute ...) NOT-FOR-US: Apache Cordova CVE-2019-0218 (A vulnerability was discovered wherein a specially crafted URL could e ...) NOT-FOR-US: Apache Pony Mail CVE-2019-0217 (In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition i ...) {DSA-4422-1 DLA-1748-1} - apache2 2.4.38-3 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-0217 NOTE: https://svn.apache.org/r1855298 CVE-2019-0216 (A malicious admin user could edit the state of objects in the Airflow ...) - airflow (bug #819700) CVE-2019-0215 (In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl ...) - apache2 2.4.38-3 [stretch] - apache2 (Vulnerable code introduced later) [jessie] - apache2 (Vulnerable code introduced later) NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-0215 CVE-2019-0214 (In Apache Archiva 2.0.0 - 2.2.3, it is possible to write files to the ...) NOT-FOR-US: Apache Archiva CVE-2019-0213 (In Apache Archiva before 2.2.4, it may be possible to store malicious ...) NOT-FOR-US: Apache Archiva CVE-2019-0212 (In all previously released Apache HBase 2.x versions (2.0.0-2.0.4, 2.1 ...) NOT-FOR-US: Apache HBase CVE-2019-0211 (In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, w ...) {DSA-4422-1} - apache2 2.4.38-3 [jessie] - apache2 (Vulnerable code introduced later) NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-0211 NOTE: https://svn.apache.org/r1855378 CVE-2019-0210 (In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJS ...) [experimental] - thrift 0.13.0-1 - thrift 0.13.0-2 NOTE: https://www.openwall.com/lists/oss-security/2019/10/17/2 CVE-2019-0209 REJECTED CVE-2019-0208 REJECTED CVE-2019-0207 (Tapestry processes assets `/assets/ctx` using classes chain `StaticFil ...) NOT-FOR-US: Apache Tapestry CVE-2019-0206 REJECTED CVE-2019-0205 (In Apache Thrift all versions up to and including 0.12.0, a server or ...) [experimental] - thrift 0.13.0-1 - thrift 0.13.0-2 NOTE: https://www.openwall.com/lists/oss-security/2019/10/17/1 CVE-2019-0204 (A specifically crafted Docker image running under the root user can ov ...) - apache-mesos (bug #760315) CVE-2019-0203 (In Apache Subversion versions up to and including 1.9.10, 1.10.4, 1.12 ...) {DSA-4490-1 DLA-1903-1} - subversion 1.10.6-1 NOTE: https://subversion.apache.org/security/CVE-2019-0203-advisory.txt CVE-2019-0202 (The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to ...) NOT-FOR-US: Apache Storm CVE-2019-0201 (An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alph ...) {DSA-4461-1 DLA-1801-1} - zookeeper 3.4.13-2 (bug #929283) NOTE: https://issues.apache.org/jira/browse/ZOOKEEPER-1392 NOTE: Patch (3.4 branch): https://gitbox.apache.org/repos/asf?p=zookeeper.git;a=commit;h=5ff19e3672987bdde2843a3f031e2bf0010e35f1 CVE-2019-0200 (A Denial of Service vulnerability was found in Apache Qpid Broker-J ve ...) - qpid-java (bug #840131) CVE-2019-0199 (The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5. ...) {DSA-4596-1} - tomcat9 9.0.16-1 - tomcat8 8.5.38-1 [jessie] - tomcat8 (HTTP/2 support not implemented) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1693325 NOTE: When fixing this issue make sure to fix it completely to not open CVE-2019-10072. CVE-2019-0198 REJECTED CVE-2019-0197 (A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When ...) - apache2 2.4.38-3 [stretch] - apache2 (Vulnerable code introduced later) [jessie] - apache2 (Vulnerable code introduced later) NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-0197 CVE-2019-0196 (A vulnerability was found in Apache HTTP Server 2.4.17 to 2.4.38. Usin ...) {DSA-4422-1} - apache2 2.4.38-3 [jessie] - apache2 (Vulnerable code introduced later) NOTE: HTTP/2 support introduced in 2.4.17 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-0196 NOTE: https://svn.apache.org/r1852989 CVE-2019-0195 (Manipulating classpath asset file URLs, an attacker could guess the pa ...) NOT-FOR-US: Apache Tapestry CVE-2019-0194 (Apache Camel's File is vulnerable to directory traversal. Camel 2.21.0 ...) NOT-FOR-US: Apache Camel CVE-2019-0193 (In Apache Solr, the DataImportHandler, an optional but popular module ...) {DLA-1954-1} - lucene-solr 3.6.2+dfsg-22 (low) NOTE: https://issues.apache.org/jira/browse/SOLR-13669 NOTE: upstream recommends everybody upgrade or rework their configuration NOTE: consider backporting enable.dih.dataConfigParam instead: NOTE: https://github.com/apache/lucene-solr/commit/325824cd391c8e71f36f17d687f52344e50e9715 CVE-2019-0192 (In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config ...) - lucene-solr (vulnerable code is not present) NOTE: https://issues.apache.org/jira/browse/SOLR-13301 CVE-2019-0191 (Apache Karaf kar deployer reads .kar archives and extracts the paths f ...) - apache-karaf (bug #881297) CVE-2019-0190 (A bug exists in the way mod_ssl handled client renegotiations. A remot ...) - apache2 2.4.38-1 (bug #920220) [stretch] - apache2 (Only affects 2.4.37) [jessie] - apache2 (Only affects 2.4.37) NOTE: https://www.openwall.com/lists/oss-security/2019/01/22/4 CVE-2019-0189 (The java.io.ObjectInputStream is known to cause Java serialisation iss ...) NOT-FOR-US: Apache OFBiz CVE-2019-0188 (Apache Camel prior to 2.24.0 contains an XML external entity injection ...) NOT-FOR-US: Apache Camel CVE-2019-0187 (Unauthenticated RCE is possible when JMeter is used in distributed mod ...) - jakarta-jmeter [buster] - jakarta-jmeter (Minor issue) [stretch] - jakarta-jmeter (Minor issue) [jessie] - jakarta-jmeter (Minor issue) NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=62743 CVE-2019-0186 (The input fields of the Apache Pluto "Chat Room" demo portlet 3.0.0 an ...) NOT-FOR-US: Apache Pluto "Chat Room" demo portlet CVE-2018-19277 (securityScan() in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypa ...) NOT-FOR-US: PHPOffice CVE-2018-19276 (OpenMRS before 2.24.0 is affected by an Insecure Object Deserializatio ...) NOT-FOR-US: OpenMRS CVE-2018-19275 (The BluStar component in Mitel InAttend before 2.5 SP3 and CMG before ...) NOT-FOR-US: Mitel CVE-2018-19274 (Passing an absolute path to a file_exists check in phpBB before 3.2.4 ...) {DLA-1593-1} - phpbb3 NOTE: https://www.phpbb.com/community/viewtopic.php?f=14&t=2492206 NOTE: https://github.com/phpbb/phpbb/commit/0dfbb60bc322ccda7a6e670a5f5ec9ab2f536eac CVE-2018-19273 RESERVED CVE-2018-19272 RESERVED CVE-2018-19271 (Centreon 3.4.x (fixed in Centreon 18.10.0 and Centreon web 2.8.28) all ...) - centreon-web (bug #913903) CVE-2018-19270 REJECTED CVE-2019-0185 (Insufficient access control in protected memory subsystem for SMM for ...) NOT-FOR-US: Intel CVE-2019-0184 (Insufficient access control in protected memory subsystem for Intel(R) ...) NOT-FOR-US: Intel CVE-2019-0183 (Insufficient password protection in the attestation database for Open ...) NOT-FOR-US: Open CIT CVE-2019-0182 (Insufficient password protection in the attestation database for Open ...) NOT-FOR-US: Open CIT CVE-2019-0181 (Insufficient password protection in the attestation database for Open ...) NOT-FOR-US: Open CIT CVE-2019-0180 (Insufficient password protection in the attestation database for Open ...) NOT-FOR-US: Open CIT CVE-2019-0179 (Insufficient password protection in the attestation database for Open ...) NOT-FOR-US: Open CIT CVE-2019-0178 (Insufficient password protection in the attestation database for Open ...) NOT-FOR-US: Open CIT CVE-2019-0177 (Insufficient password protection in the attestation database for Open ...) NOT-FOR-US: Open CIT CVE-2019-0176 RESERVED CVE-2019-0175 (Insufficient password protection in the attestation database for Open ...) NOT-FOR-US: Open CIT CVE-2019-0174 (Logic condition in specific microprocessors may allow an authenticated ...) NOT-FOR-US: RamBleed hardware vulnerability NOTE: https://rambleed.com/ CVE-2019-0173 (Authentication bypass in the web console for Intel(R) Raid Web Console ...) NOT-FOR-US: Intel CVE-2019-0172 (A logic issue in Intel Unite(R) Client for Android prior to version 4. ...) NOT-FOR-US: Intel Unite(R) Client for Android CVE-2019-0171 (Improper directory permissions in the installer for Intel(R) Quartus(R ...) NOT-FOR-US: Intel CVE-2019-0170 (Buffer overflow in subsystem in Intel(R) DAL before version 12.0.35 ma ...) NOT-FOR-US: Intel(R) DAL CVE-2019-0169 (Heap overflow in subsystem in Intel(R) CSME before versions 11.8.70, 1 ...) NOT-FOR-US: Intel CVE-2019-0168 (Insufficient input validation in the subsystem for Intel(R) CSME befor ...) NOT-FOR-US: Intel CVE-2019-0167 RESERVED CVE-2019-0166 (Insufficient input validation in the subsystem for Intel(R) AMT before ...) NOT-FOR-US: Intel CVE-2019-0165 (Insufficient Input validation in the subsystem for Intel(R) CSME befor ...) NOT-FOR-US: Intel CVE-2019-0164 (Improper permissions in the installer for Intel(R) Turbo Boost Max Tec ...) NOT-FOR-US: installer for Intel(R) Turbo Boost Max Technology driver CVE-2019-0163 (Insufficient input validation in system firmware for Intel(R) Broadwel ...) NOT-FOR-US: Intel CVE-2019-0162 (Memory access in virtual memory mapping for some microprocessors may a ...) NOT-FOR-US: F5 CVE-2019-0161 (Stack overflow in XHCI for EDK II may allow an unauthenticated user to ...) - edk2 0~20180803.dd4cae4d-1 (low) [stretch] - edk2 (Minor issue) [jessie] - edk2 (non-free) NOTE: https://github.com/tianocore/edk2/commit/acebdf14c985c5c9f50b37ece0b15ada87767359 NOTE: https://github.com/tianocore/edk2/commit/72750e3bf9174f15c17e78f0f117b5e7311bb49f CVE-2019-0160 (Buffer overflow in system firmware for EDK II may allow unauthenticate ...) - edk2 0~20181115.85588389-1 (low) [stretch] - edk2 (Minor issue) [jessie] - edk2 (non-free) NOTE: https://github.com/tianocore/edk2/commit/4df8f5bfa28b8b881e506437e8f08d92c1a00370 NOTE: https://github.com/tianocore/edk2/commit/b9ae1705adfdd43668027a25a2b03c2e81960219 NOTE: https://github.com/tianocore/edk2/commit/5c0748f43f4e1cc15fdd0be64a764eacd7df92f6 NOTE: https://github.com/tianocore/edk2/commit/89f75aa04a97293a8ed9db2a90851a5053730cf5 NOTE: https://github.com/tianocore/edk2/commit/3b30351b75d70ea65701ac999875fbb81a89a5ca CVE-2019-0159 (Insufficient memory protection in the Linux Administrative Tools for I ...) NOT-FOR-US: Linux Administrative Tools for Intel Network Adapters CVE-2019-0158 (Insufficient path checking in the installation package for Intel(R) Gr ...) NOT-FOR-US: Intel CVE-2019-0157 (Insufficient input validation in the Intel(R) SGX driver for Linux may ...) NOT-FOR-US: Intel CVE-2019-0156 RESERVED CVE-2019-0155 (Insufficient access control in a subsystem for Intel (R) processor gra ...) {DSA-4564-1 DLA-1990-1} - linux 5.3.9-2 [jessie] - linux (Driver doesn't support this hardware) CVE-2019-0154 (Insufficient access control in subsystem for Intel (R) processor graph ...) {DSA-4564-1 DLA-1990-1 DLA-1989-1} - linux 5.3.9-2 CVE-2019-0153 (Buffer overflow in subsystem in Intel(R) CSME 12.0.0 through 12.0.34 m ...) NOT-FOR-US: Intel(R) CSME CVE-2019-0152 (Insufficient memory protection in System Management Mode (SMM) and Int ...) NOT-FOR-US: Intel CVE-2019-0151 (Insufficient memory protection in Intel(R) TXT for certain Intel(R) Co ...) NOT-FOR-US: Intel CVE-2019-0150 (Insufficient access control in firmware Intel(R) Ethernet 700 Series C ...) NOT-FOR-US: Intel firmware for Ethernet 700 Series CVE-2019-0149 (Insufficient input validation in i40e driver for Intel(R) Ethernet 700 ...) TODO: check CVE-2019-0148 (Resource leak in i40e driver for Intel(R) Ethernet 700 Series Controll ...) TODO: check CVE-2019-0147 (Insufficient input validation in i40e driver for Intel(R) Ethernet 700 ...) TODO: check CVE-2019-0146 (Resource leak in i40e driver for Intel(R) Ethernet 700 Series Controll ...) TODO: check CVE-2019-0145 (Buffer overflow in i40e driver for Intel(R) Ethernet 700 Series Contro ...) TODO: check CVE-2019-0144 (Unhandled exception in firmware for Intel(R) Ethernet 700 Series Contr ...) NOT-FOR-US: Intel firmware for Ethernet 700 Series CVE-2019-0143 (Unhandled exception in Kernel-mode drivers for Intel(R) Ethernet 700 S ...) NOT-FOR-US: Windows driver for Intel Ethernet 700 Series CVE-2019-0142 (Insufficient access control in ilp60x64.sys driver for Intel(R) Ethern ...) NOT-FOR-US: ilp60x64.sys driver for Intel CVE-2019-0141 REJECTED CVE-2019-0140 (Buffer overflow in firmware for Intel(R) Ethernet 700 Series Controlle ...) NOT-FOR-US: Intel firmware for Ethernet 700 Series CVE-2019-0139 (Insufficient access control in firmware for Intel(R) Ethernet 700 Seri ...) NOT-FOR-US: Intel firmware for Ethernet 700 Series CVE-2019-0138 (Improper directory permissions in Intel(R) ACU Wizard version 12.0.0.1 ...) NOT-FOR-US: Intel(R) ACU Wizard CVE-2019-0137 RESERVED CVE-2019-0136 (Insufficient access control in the Intel(R) PROSet/Wireless WiFi Softw ...) {DLA-2114-1 DLA-1930-1 DLA-1919-1} - linux 5.2.6-1 [buster] - linux 4.19.67-1 [stretch] - linux 4.9.210-1 NOTE: https://git.kernel.org/linus/79c92ca42b5a3e0ea172ea2ce8df8e125af237da NOTE: https://git.kernel.org/linus/588f7d39b3592a36fb7702ae3b8bdd9be4621e2f CVE-2019-0135 (Improper permissions in the installer for Intel(R) Accelerated Storage ...) NOT-FOR-US: Intel CVE-2019-0134 (Improper permissions in the Intel(R) Dynamic Platform and Thermal Fram ...) NOT-FOR-US: Intel CVE-2019-0133 RESERVED CVE-2019-0132 (Data Corruption in Intel Unite(R) Client before version 3.3.176.13 may ...) NOT-FOR-US: Intel Unite(R) Client CVE-2019-0131 (Insufficient input validation in subsystem in Intel(R) AMT before vers ...) NOT-FOR-US: Intel CVE-2019-0130 (Reflected XSS in web interface for Intel(R) Accelerated Storage Manage ...) NOT-FOR-US: Intel CVE-2019-0129 (Improper permissions for Intel(R) USB 3.0 Creator Utility all versions ...) NOT-FOR-US: Intel CVE-2019-0128 (Improper permissions in the installer for Intel(R) Chipset Device Soft ...) NOT-FOR-US: Intel CVE-2019-0127 (Logic error in the installer for Intel(R) OpenVINO(TM) 2018 R3 and bef ...) NOT-FOR-US: Intel CVE-2019-0126 (Insufficient access control in silicon reference firmware for Intel(R) ...) NOT-FOR-US: Intel CVE-2019-0125 RESERVED CVE-2019-0124 (Insufficient memory protection in Intel(R) 6th Generation Core Process ...) NOT-FOR-US: Intel CVE-2019-0123 (Insufficient memory protection in Intel(R) 6th Generation Core Process ...) NOT-FOR-US: Intel CVE-2019-0122 (Double free in Intel(R) SGX SDK for Linux before version 2.2 and Intel ...) NOT-FOR-US: Intel CVE-2019-0121 (Improper permissions in Intel(R) Matrix Storage Manager 8.9.0.1023 and ...) NOT-FOR-US: Intel CVE-2019-0120 (Insufficient key protection vulnerability in silicon reference firmwar ...) NOT-FOR-US: Intel CVE-2019-0119 (Buffer overflow vulnerability in system firmware for Intel(R) Xeon(R) ...) NOT-FOR-US: Intel CVE-2019-0118 RESERVED CVE-2019-0117 (Insufficient access control in protected memory subsystem for Intel(R) ...) NOT-FOR-US: Intel SGX vulnerabilities NOTE: Fixes included in intel-microcode/3.20191112.1 CVE-2019-0116 (An out of bound read in KMD module for Intel(R) Graphics Driver before ...) NOT-FOR-US: Intel CVE-2019-0115 (Insufficient input validation in KMD module for Intel(R) Graphics Driv ...) NOT-FOR-US: Intel CVE-2019-0114 (A race condition in Intel(R) Graphics Drivers before version 10.18.14. ...) NOT-FOR-US: Intel CVE-2019-0113 (Insufficient bounds checking in Intel(R) Graphics Drivers before versi ...) NOT-FOR-US: Intel CVE-2019-0112 (Improper flow control in crypto routines for Intel(R) Data Center Mana ...) NOT-FOR-US: Intel CVE-2019-0111 (Improper file permissions for Intel(R) Data Center Manager SDK before ...) NOT-FOR-US: Intel CVE-2019-0110 (Insufficient key management for Intel(R) Data Center Manager SDK befor ...) NOT-FOR-US: Intel CVE-2019-0109 (Improper folder permissions in Intel(R) Data Center Manager SDK before ...) NOT-FOR-US: Intel CVE-2019-0108 (Improper file permissions for Intel(R) Data Center Manager SDK before ...) NOT-FOR-US: Intel CVE-2019-0107 (Insufficient user prompt in install routine for Intel(R) Data Center M ...) NOT-FOR-US: Intel CVE-2019-0106 (Insufficient run protection in install routine for Intel(R) Data Cente ...) NOT-FOR-US: Intel CVE-2019-0105 (Insufficient file permissions checking in install routine for Intel(R) ...) NOT-FOR-US: Intel CVE-2019-0104 (Insufficient file protection in uninstall routine for Intel(R) Data Ce ...) NOT-FOR-US: Intel CVE-2019-0103 (Insufficient file protection in install routine for Intel(R) Data Cent ...) NOT-FOR-US: Intel CVE-2019-0102 (Insufficient session authentication in web server for Intel(R) Data Ce ...) NOT-FOR-US: Intel CVE-2019-0101 (Authentication bypass in the Intel Unite(R) solution versions 3.2 thro ...) NOT-FOR-US: Intel CVE-2019-0100 RESERVED CVE-2019-0099 (Insufficient access control vulnerability in subsystem in Intel(R) SPS ...) NOT-FOR-US: Intel CVE-2019-0098 (Logic bug vulnerability in subsystem for Intel(R) CSME before version ...) NOT-FOR-US: Intel CVE-2019-0097 (Insufficient input validation vulnerability in subsystem for Intel(R) ...) NOT-FOR-US: Intel CVE-2019-0096 (Out of bound write vulnerability in subsystem for Intel(R) AMT before ...) NOT-FOR-US: Intel CVE-2019-0095 RESERVED CVE-2019-0094 (Insufficient input validation vulnerability in subsystem for Intel(R) ...) NOT-FOR-US: Intel CVE-2019-0093 (Insufficient data sanitization vulnerability in HECI subsystem for Int ...) NOT-FOR-US: Intel CVE-2019-0092 (Insufficient input validation vulnerability in subsystem for Intel(R) ...) NOT-FOR-US: Intel CVE-2019-0091 (Code injection vulnerability in installer for Intel(R) CSME before ver ...) NOT-FOR-US: Intel CVE-2019-0090 (Insufficient access control vulnerability in subsystem for Intel(R) CS ...) NOT-FOR-US: Intel CVE-2019-0089 (Improper data sanitization vulnerability in subsystem in Intel(R) SPS ...) NOT-FOR-US: Intel CVE-2019-0088 (Insufficient path checking in Intel(R) System Support Utility for Wind ...) NOT-FOR-US: Intel CVE-2019-0087 RESERVED CVE-2019-0086 (Insufficient access control vulnerability in Dynamic Application Loade ...) NOT-FOR-US: Intel CVE-2018-19269 REJECTED CVE-2018-19268 REJECTED CVE-2018-19267 REJECTED CVE-2018-19266 REJECTED CVE-2018-19265 REJECTED CVE-2018-19264 REJECTED CVE-2018-19263 REJECTED CVE-2018-19262 REJECTED CVE-2018-19261 REJECTED CVE-2018-19260 REJECTED CVE-2018-19259 REJECTED CVE-2018-19258 REJECTED CVE-2018-19257 REJECTED CVE-2018-19256 REJECTED CVE-2018-19255 REJECTED CVE-2018-19254 REJECTED CVE-2018-19253 REJECTED CVE-2018-19252 REJECTED CVE-2018-19251 REJECTED CVE-2018-19250 REJECTED CVE-2018-19249 (The Stripe API v1 allows remote attackers to bypass intended access re ...) NOT-FOR-US: Stripe API CVE-2018-19248 (The web service on Epson WorkForce WF-2861 10.48 LQ22I3(Recovery-mode) ...) NOT-FOR-US: Epson CVE-2018-19247 RESERVED CVE-2018-19246 (PHP-Proxy 5.1.0 allows remote attackers to read local files if the def ...) NOT-FOR-US: PHP-Proxy CVE-2018-19245 RESERVED CVE-2018-19244 (An XML External Entity (XXE) vulnerability exists in the Charles 4.2.7 ...) NOT-FOR-US: Charles CVE-2018-19243 RESERVED CVE-2018-19242 (Buffer overflow in apply.cgi on TRENDnet TEW-632BRP 1.010B32 and TEW-6 ...) NOT-FOR-US: TRENDnet CVE-2018-19241 (Buffer overflow in video.cgi on TRENDnet TV-IP110WN V1.2.2 build 68, V ...) NOT-FOR-US: TRENDnet CVE-2018-19240 (Buffer overflow in network.cgi on TRENDnet TV-IP110WN V1.2.2 build 68, ...) NOT-FOR-US: TRENDnet CVE-2018-19239 (TRENDnet TEW-673GRU v1.00b40 devices have an OS command injection vuln ...) NOT-FOR-US: TRENDnet CVE-2018-19238 RESERVED CVE-2018-19237 RESERVED CVE-2018-19236 RESERVED CVE-2018-19235 RESERVED CVE-2018-19234 (The Miss Marple Updater Service in COMPAREX Miss Marple Enterprise Edi ...) NOT-FOR-US: Miss Marple Enterprise CVE-2018-19233 (COMPAREX Miss Marple Enterprise Edition before 2.0 allows local users ...) NOT-FOR-US: Miss Marple Enterprise CVE-2018-19232 (The web service on Epson WorkForce WF-2861 10.48 LQ22I3(Recovery-mode) ...) NOT-FOR-US: Epson CVE-2018-19231 RESERVED CVE-2018-19230 RESERVED CVE-2018-19229 (An issue was discovered in LAOBANCMS 2.0. It allows XSS via the admin/ ...) NOT-FOR-US: LAOBANCMS CVE-2018-19228 (An issue was discovered in LAOBANCMS 2.0. It allows arbitrary file del ...) NOT-FOR-US: LAOBANCMS CVE-2018-19227 (An issue was discovered in LAOBANCMS 2.0. It allows XSS via the admin/ ...) NOT-FOR-US: LAOBANCMS CVE-2018-19226 (An issue was discovered in LAOBANCMS 2.0. It allows remote attackers t ...) NOT-FOR-US: LAOBANCMS CVE-2018-19225 (An issue was discovered in LAOBANCMS 2.0. admin/mima.php has CSRF. ...) NOT-FOR-US: LAOBANCMS CVE-2018-19224 (An issue was discovered in LAOBANCMS 2.0. /admin/login.php allows spoo ...) NOT-FOR-US: LAOBANCMS CVE-2018-19223 (An issue was discovered in LAOBANCMS 2.0. It allows XSS via the first ...) NOT-FOR-US: LAOBANCMS CVE-2018-19222 (An issue was discovered in LAOBANCMS 2.0. It allows a /install/mysql_h ...) NOT-FOR-US: LAOBANCMS CVE-2018-19221 (An issue was discovered in LAOBANCMS 2.0. It allows SQL Injection via ...) NOT-FOR-US: LAOBANCMS CVE-2018-19220 (An issue was discovered in LAOBANCMS 2.0. It allows remote attackers t ...) NOT-FOR-US: LAOBANCMS CVE-2018-19219 (In LibSass 3.5-stable, there is an illegal address access at Sass::Eva ...) - libsass NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1643760 CVE-2018-19218 (In LibSass 3.5-stable, there is an illegal address access at Sass::Par ...) - libsass NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1643758 CVE-2018-19217 (** DISPUTED ** In ncurses, possibly a 6.x version, there is a NULL poi ...) - ncurses 6.0+20170701-1 [stretch] - ncurses 6.0+20161126-1+deb9u1 [jessie] - ncurses 5.9+20140913-1+deb8u1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1643753 NOTE: https://lists.gnu.org/archive/html/bug-ncurses/2019-04/msg00020.html CVE-2018-19216 (Netwide Assembler (NASM) before 2.13.02 has a use-after-free in detoke ...) - nasm 2.13.02-0.1 [stretch] - nasm (Minor issue) [jessie] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392425 NOTE: Fix: https://repo.or.cz/nasm.git/commitdiff/9b7ee09abfd426b99aa1ea81d19a3b2818eeabf9 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1115758#c7 CVE-2018-19215 (Netwide Assembler (NASM) 2.14rc16 has a heap-based buffer over-read in ...) - nasm 2.14-1 (unimportant) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392525 NOTE: https://repo.or.cz/nasm.git/commit/4b5b737d4991578b1918303dc0fd9c9ab5c7ce4f NOTE: No security impact, crash in CLI tool CVE-2018-19214 (Netwide Assembler (NASM) 2.14rc15 has a heap-based buffer over-read in ...) - nasm 2.14-1 (unimportant) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392521 NOTE: https://repo.or.cz/nasm.git/commit/661f723d39e03ca6eb05d7376a43ca33db478354 NOTE: No security impact, crash in CLI tool CVE-2018-19213 (Netwide Assembler (NASM) through 2.14rc16 has memory leaks that may le ...) - nasm (unimportant) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392524 NOTE: No security impact, crash in CLI tool CVE-2018-19212 (In libwebm through 2018-10-03, there is an abort caused by libwebm::We ...) NOT-FOR-US: libwebm NOTE: Chromium and qtwebengine bundle the library, but not a security issue there CVE-2018-19211 (In ncurses 6.1, there is a NULL pointer dereference at function _nc_pa ...) - ncurses 6.1+20180210-3 (low) [stretch] - ncurses (Minor issue) [jessie] - ncurses (Minor issue) [wheezy] - ncurses (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1643754 CVE-2018-19210 (In LibTIFF 4.0.9, there is a NULL pointer dereference in the TIFFWrite ...) {DSA-4670-1 DLA-1680-1} - tiff 4.0.10-4 (bug #913675) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2820 NOTE: https://gitlab.com/libtiff/libtiff/commit/d0a842c5dbad2609aed43c701a12ed12461d3405 NOTE: https://gitlab.com/libtiff/libtiff/commit/38ede78b13810ff0fa8e61f86ef9aa0ab2964668 CVE-2018-19209 (Netwide Assembler (NASM) 2.14rc15 has a NULL pointer dereference in th ...) - nasm 2.14-1 (unimportant) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392522 NOTE: No security impact, crash in CLI tool CVE-2018-19208 (In libwpd 0.10.2, there is a NULL pointer dereference in the function ...) - libwpd 0.10.2-3 (low; bug #913702) [stretch] - libwpd (Minor issue) [jessie] - libwpd (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1643752 NOTE: Patch used in Fedora: https://src.fedoraproject.org/rpms/libwpd/raw/e42834b844f3282d8ccb0889abf1b33f3f71e02f/f/0001-Resolves-rhbz-1643752-bounds-check-m_currentTable-ac.patch CVE-2018-19204 (PRTG Network Monitor before 18.3.44.2054 allows a remote authenticated ...) NOT-FOR-US: PRTG Network Monitor CVE-2018-19203 (PRTG Network Monitor before 18.2.41.1652 allows remote unauthenticated ...) NOT-FOR-US: PRTG Network Monitor CVE-2018-19202 (A reflected XSS vulnerability in index.php in MyBB 1.8.x through 1.8.1 ...) NOT-FOR-US: MyBB CVE-2018-19201 (A reflected XSS vulnerability in the ModCP Profile Editor in MyBB befo ...) NOT-FOR-US: MyBB CVE-2018-19200 (An issue was discovered in uriparser before 0.9.0. UriCommon.c allows ...) {DLA-1581-1} - uriparser 0.9.0-1 (bug #913817) [stretch] - uriparser 0.8.4-1+deb9u1 NOTE: https://github.com/uriparser/uriparser/commit/f58c25069cf4a986fe17a80c5b38687e31feb539 CVE-2018-19199 (An issue was discovered in uriparser before 0.9.0. UriQuery.c allows a ...) {DLA-1581-1} - uriparser 0.9.0-1 (bug #913817) [stretch] - uriparser 0.8.4-1+deb9u1 NOTE: https://github.com/uriparser/uriparser/commit/f76275d4a91b28d687250525d3a0c5509bbd666f CVE-2018-19198 (An issue was discovered in uriparser before 0.9.0. UriQuery.c allows a ...) {DLA-1581-1} - uriparser 0.9.0-1 (bug #913817) [stretch] - uriparser 0.8.4-1+deb9u1 NOTE: https://github.com/uriparser/uriparser/commit/864f5d4c127def386dd5cc926ad96934b297f04e CVE-2018-19207 (The Van Ons WP GDPR Compliance (aka wp-gdpr-compliance) plugin before ...) NOT-FOR-US: WordPress plugin wp-gdpr-compliance CVE-2018-19206 (steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use ...) {DSA-4344-1} - roundcube 1.3.8+dfsg.1-1 NOTE: https://roundcube.net/news/2018/10/26/update-1.3.8-released NOTE: https://github.com/roundcube/roundcubemail/issues/6410 NOTE: https://github.com/roundcube/roundcubemail/commit/102fbf1169116fef32a940b9fb1738bc45276059 (released-1.3) NOTE: https://github.com/roundcube/roundcubemail/commit/adcac3b9de2728c34c4d2b107e54823b6a7f6a5b (master) CVE-2018-19205 (Roundcube before 1.3.7 mishandles GnuPG MDC integrity-protection warni ...) - roundcube 1.3.8+dfsg.1-1 [stretch] - roundcube (Relies on php-crypt-gpg, not in stretch. Old version in 1.3 doesn't verify signature anyway) NOTE: https://roundcube.net/news/2018/07/27/update-1.3.7-released NOTE: https://github.com/roundcube/roundcubemail/issues/6289 NOTE: https://github.com/roundcube/roundcubemail/commit/94da947855329c5062ec2a7098eb86fb675aac37 (release-1.3) NOTE: https://github.com/roundcube/roundcubemail/commit/2fa112bd836e5e144e270bda11c9fda1a66a22ae (master) CVE-2018-19197 (An issue was discovered in XiaoCms 20141229. admin\controller\database ...) NOT-FOR-US: XiaoCms CVE-2018-19196 (An issue was discovered in XiaoCms 20141229. It allows remote attacker ...) NOT-FOR-US: XiaoCms CVE-2018-19195 (An issue was discovered in XiaoCms 20141229. There is XSS related to t ...) NOT-FOR-US: XiaoCms CVE-2018-19194 (An issue was discovered in XiaoCms 20141229. /admin/index.php?c=databa ...) NOT-FOR-US: XiaoCms CVE-2018-19193 (An issue was discovered in XiaoCms 20141229. There is XSS via the larg ...) NOT-FOR-US: XiaoCms CVE-2018-19192 (An issue was discovered in XiaoCms 20141229. admin/index.php?c=content ...) NOT-FOR-US: XiaoCms CVE-2018-19191 (Webmin 1.890 has XSS via /config.cgi?webmin, the /shell/index.cgi hist ...) - webmin CVE-2018-19190 (The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04 ...) NOT-FOR-US: Amazon PAYFORT payfort-php-SDK payment gateway SDK CVE-2018-19189 (The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04 ...) NOT-FOR-US: Amazon PAYFORT payfort-php-SDK payment gateway SDK CVE-2018-19188 (The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04 ...) NOT-FOR-US: Amazon PAYFORT payfort-php-SDK payment gateway SDK CVE-2018-19187 (The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04 ...) NOT-FOR-US: Amazon PAYFORT payfort-php-SDK payment gateway SDK CVE-2018-19186 (The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04 ...) NOT-FOR-US: Amazon PAYFORT payfort-php-SDK payment gateway SDK CVE-2018-19185 (An issue has been found in libIEC61850 v1.3. It is a heap-based buffer ...) NOT-FOR-US: libIEC61850 CVE-2018-19184 (cmd/evm/runner.go in Go Ethereum (aka geth) 1.8.17 allows attackers to ...) NOT-FOR-US: Go Ethereum CVE-2018-19183 (ethereumjs-vm 2.4.0 allows attackers to cause a denial of service (vm. ...) NOT-FOR-US: ethereumjs-vm CVE-2018-19182 (Engelsystem before commit hash 2e28336 allows CSRF. ...) NOT-FOR-US: Engelsystem CVE-2018-19181 (statics/ueditor/php/vendor/Local.class.php in YUNUCMS 1.1.5 allows arb ...) NOT-FOR-US: YUNUCMS CVE-2018-19180 (statics/app/index/controller/Install.php in YUNUCMS 1.1.5 (if install. ...) NOT-FOR-US: YUNUCMS CVE-2018-19179 RESERVED CVE-2018-19178 (In JEESNS 1.3, com/lxinet/jeesns/core/utils/XssHttpServletRequestWrapp ...) NOT-FOR-US: JEESNS CVE-2018-19177 RESERVED CVE-2018-19176 RESERVED CVE-2018-19175 RESERVED CVE-2018-19174 RESERVED CVE-2018-19173 RESERVED CVE-2018-19172 RESERVED CVE-2018-19171 RESERVED CVE-2018-19170 (In JPress v1.0-rc.5, there is stored XSS via each of the first three i ...) NOT-FOR-US: JPress CVE-2018-19169 RESERVED CVE-2018-19168 (Shell Metacharacter Injection in www/modules/save.php in FruityWifi (a ...) NOT-FOR-US: FruityWifi CVE-2018-19167 (CloakCoin through 2.2.2.0 (a chain-based proof-of-stake cryptocurrency ...) NOT-FOR-US: CloakCoin CVE-2018-19166 (peercoin through 0.6.4 (a chain-based proof-of-stake cryptocurrency) a ...) NOT-FOR-US: peercoin CVE-2018-19165 (neblio through 1.5.1 (a chain-based proof-of-stake cryptocurrency) all ...) NOT-FOR-US: neblio CVE-2018-19164 (reddcoin through 2.1.0.5 (a chain-based proof-of-stake cryptocurrency) ...) NOT-FOR-US: reddcoin CVE-2018-19163 (stratisX through 2.0.0.5 (a chain-based proof-of-stake cryptocurrency) ...) NOT-FOR-US: stratisX CVE-2018-19162 (Divi through 4.0.5 (a chain-based proof-of-stake cryptocurrency) allow ...) NOT-FOR-US: Divi CVE-2018-19161 (alqo through 4.1 (a chain-based proof-of-stake cryptocurrency) allows ...) NOT-FOR-US: alqo CVE-2018-19160 (Diamond through 3.0.1.2 (a chain-based proof-of-stake cryptocurrency) ...) NOT-FOR-US: Diamond CVE-2018-19159 (lux through 5.2.2 (a chain-based proof-of-stake cryptocurrency) allows ...) NOT-FOR-US: lux CVE-2018-19158 (ColossusCoinXT through 1.0.5 (a chain-based proof-of-stake cryptocurre ...) NOT-FOR-US: ColossusCoinXT CVE-2018-19157 (Phore through 1.3.3.1 (a chain-based proof-of-stake cryptocurrency) al ...) NOT-FOR-US: Phore CVE-2018-19156 (PIVX through 3.1.03 (a chain-based proof-of-stake cryptocurrency) allo ...) NOT-FOR-US: PIVX CVE-2018-19155 (navcoin through 4.3.0 (a chain-based proof-of-stake cryptocurrency) al ...) NOT-FOR-US: navcoin CVE-2018-19154 (HTMLCOIN through 2.12 (a chain-based proof-of-stake cryptocurrency) al ...) NOT-FOR-US: HTMLCOIN CVE-2018-19153 (particl through 0.17 (a chain-based proof-of-stake cryptocurrency) all ...) NOT-FOR-US: particl CVE-2018-19152 (emercoin through 0.7 (a chain-based proof-of-stake cryptocurrency) all ...) NOT-FOR-US: emercoin CVE-2018-19151 (qtum through 0.16 (a chain-based proof-of-stake cryptocurrency) allows ...) NOT-FOR-US: qtum CVE-2018-19150 (Memory corruption in PDMODELProvidePDModelHFT in pdmodel.dll in pdffor ...) NOT-FOR-US: pdfforge PDF Architect CVE-2018-19149 (Poppler before 0.70.0 has a NULL pointer dereference in _poppler_attac ...) - poppler (unimportant; bug #914600) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/664 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649457#c3 NOTE: https://github.com/freedesktop/poppler/commit/f162ecdea0dda5dbbdb45503c1d55d9afaa41d44 CVE-2018-19148 (Caddy through 0.11.0 sends incorrect certificates for certain invalid ...) - caddy (bug #810890) CVE-2018-19147 RESERVED CVE-2018-19146 (Concrete5 8.4.3 has XSS because config/concrete.php allows uploads (by ...) NOT-FOR-US: Concrete5 CVE-2018-19145 (An issue was discovered in S-CMS v1.5. There is an XSS vulnerability i ...) NOT-FOR-US: S-CMS CVE-2018-19144 RESERVED CVE-2018-19140 RESERVED CVE-2018-19139 (An issue has been found in JasPer 2.0.14. There is a memory leak in ja ...) - jasper (low) [jessie] - jasper (can be fixed later) NOTE: https://github.com/mdadams/jasper/issues/188 CVE-2018-19138 (WSTMart 2.0.7 has CSRF via the index.php/admin/staffs/add.html URI. ...) NOT-FOR-US: WSTMart CVE-2018-19137 (DomainMOD through 4.11.01 has XSS via the assets/edit/ip-address.php i ...) NOT-FOR-US: DomainMOD CVE-2018-19136 (DomainMOD through 4.11.01 has XSS via the assets/edit/registrar-accoun ...) NOT-FOR-US: DomainMOD CVE-2018-19135 (ClipperCMS 1.3.3 does not have CSRF protection on its kcfinder file up ...) NOT-FOR-US: ClipperCMS CVE-2018-19134 (In Artifex Ghostscript through 9.25, the setpattern operator did not p ...) {DSA-4346-1 DLA-1620-1} - ghostscript 9.26~dfsg-1 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700141 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=693baf02152119af6e6afd30bb8ec76d14f84bbf (master) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=7c8f85a23db24031945af3cacb2c0b4740e67072 (ghostscript-9.26) CVE-2018-19133 (In Flarum Core 0.1.0-beta.7.1, a serious leak can get everyone's email ...) NOT-FOR-US: Flarum Core CVE-2018-19130 (** DISPUTED ** In Libav 12.3, there is an invalid memory access in vc1 ...) {DLA-2021-1} - libav NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1139 NOTE: Duplicate of CVE-2017-17127 CVE-2018-19129 (In Libav 12.3, a NULL pointer dereference (RIP points to zero) issue i ...) - libav [jessie] - libav (no patch, ffmpeg backport fails, sent info upstream) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1138 NOTE: Duplicate of CVE-2019-14441 CVE-2018-19128 (In Libav 12.3, there is a heap-based buffer over-read in decode_frame ...) {DLA-2021-1} - libav NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1137 CVE-2018-19127 (A code injection vulnerability in /type.php in PHPCMS 2008 allows atta ...) NOT-FOR-US: PHPCMS CVE-2018-19126 (PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remot ...) NOT-FOR-US: PrestaShop CVE-2018-19125 (PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remot ...) NOT-FOR-US: PrestaShop CVE-2018-19124 (PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 on Windows a ...) NOT-FOR-US: PrestaShop CVE-2018-19123 RESERVED CVE-2018-19122 (An issue has been found in libIEC61850 v1.3. It is a NULL pointer dere ...) NOT-FOR-US: libIEC61850 CVE-2018-19121 (An issue has been found in libIEC61850 v1.3. It is a SEGV in Ethernet_ ...) NOT-FOR-US: libIEC61850 CVE-2018-19141 (Open Ticket Request System (OTRS) 4.0.x before 4.0.33 and 5.0.x before ...) {DLA-1592-1} - otrs2 6.0.1-1 [stretch] - otrs2 (Non-free not supported) NOTE: https://community.otrs.com/security-advisory-2018-09-security-update-for-otrs-framework/ NOTE: Only the 4.x and 5.x series are affected (and possibly earlier versions). NOTE: Add workaround and mark first 6.x version as fixing version CVE-2018-19142 (Open Ticket Request System (OTRS) 6.0.x before 6.0.13 allows an admin ...) - otrs2 6.0.13-1 [stretch] - otrs2 (Only affects 6.x) [jessie] - otrs2 (Only affects 6.x) NOTE: https://community.otrs.com/security-advisory-2018-08-security-update-for-otrs-framework/ CVE-2018-19143 (Open Ticket Request System (OTRS) 4.0.x before 4.0.33, 5.0.x before 5. ...) {DLA-1592-1} - otrs2 6.0.13-1 [stretch] - otrs2 (Non-free not supported) NOTE: https://community.otrs.com/security-advisory-2018-07-security-update-for-otrs-framework/ CVE-2018-19120 (The HTML thumbnailer plugin in KDE Applications before 18.12.0 allows ...) - kio-extras 4:18.08.3-1 (bug #913595) [stretch] - kio-extras (Minor issue) - kde-runtime (bug #913596) [buster] - kde-runtime (Minor issue) [stretch] - kde-runtime (Minor issue) [jessie] - kde-runtime (Minor issue) NOTE: https://www.kde.org/info/security/advisory-20181012-1.txt CVE-2018-19119 RESERVED CVE-2018-19118 (Zoho ManageEngine ADAudit before 5.1 build 5120 allows remote attacker ...) NOT-FOR-US: Zoho CVE-2018-19117 RESERVED CVE-2018-19116 RESERVED CVE-2018-19967 (An issue was discovered in Xen through 4.11.x on Intel x86 platforms a ...) {DSA-4369-1 DLA-1577-1} - xen 4.11.1-1 NOTE: https://xenbits.xen.org/xsa/advisory-282.txt CVE-2018-19115 (keepalived before 2.0.7 has a heap-based buffer overflow when parsing ...) {DLA-1589-1} - keepalived 1:2.0.10-1 (low; bug #914393) [stretch] - keepalived (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1015141 NOTE: https://github.com/acassen/keepalived/pull/961 NOTE: https://github.com/acassen/keepalived/pull/961/commits/f28015671a4b04785859d1b4b1327b367b6a10e9 CVE-2018-19114 (An issue was discovered in MinDoc through v1.0.2. It allows attackers ...) NOT-FOR-US: MinDoc CVE-2018-19113 (The Pronestor PNHM (aka Health Monitoring or HealthMonitor) add-in bef ...) NOT-FOR-US: Pronestor PNHM CVE-2018-19112 RESERVED CVE-2018-19111 (The Google Cardboard application 1.8 for Android and 1.2 for iOS sends ...) NOT-FOR-US: Google Cardboard application for Android and iOS CVE-2018-19110 (The skin-management feature in tianti 2.3 allows remote authenticated ...) NOT-FOR-US: tianti CVE-2018-19109 (tianti 2.3 allows remote authenticated users to bypass intended permis ...) NOT-FOR-US: tianti CVE-2018-19108 (In Exiv2 0.26, Exiv2::PsdImage::readMetadata in psdimage.cpp in the PS ...) {DLA-1691-1} - exiv2 0.27.2-6 (bug #913272) [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/issues/426 NOTE: https://github.com/Exiv2/exiv2/pull/518 NOTE: https://github.com/Exiv2/exiv2/commit/68966932510213b5656fcf433ab6d7e26f48e23b NOTE: https://github.com/Exiv2/exiv2/commit/b7c71f3ad0386cd7af3b73443c0615ada073f0d5 CVE-2018-19107 (In Exiv2 0.26, Exiv2::IptcParser::decode in iptc.cpp (called from psdi ...) {DLA-1691-1} - exiv2 0.27.2-6 (low; bug #913273) [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/issues/427 NOTE: https://github.com/Exiv2/exiv2/pull/518 NOTE: https://github.com/Exiv2/exiv2/commit/68966932510213b5656fcf433ab6d7e26f48e23b NOTE: https://github.com/Exiv2/exiv2/commit/b7c71f3ad0386cd7af3b73443c0615ada073f0d5 CVE-2018-19106 (Avi Vantage before 17.2.13 uses an invalid URL encoding during a redir ...) NOT-FOR-US: Avi Vantage CVE-2018-19105 (LibreCAD 2.1.3 allows remote attackers to cause a denial of service (0 ...) {DLA-1776-1} - librecad 2.1.3-1.2 (bug #928477) [stretch] - librecad 2.1.2-1+deb9u1 NOTE: https://code610.blogspot.com/2018/11/crashing-librecad-213.html NOTE: https://github.com/LibreCAD/LibreCAD/issues/1038 NOTE: Fixed by https://github.com/LibreCAD/LibreCAD/commit/6da7cc5f7f31afb008f03dbd11e07207ccd82085 NOTE: Regression fix https://github.com/LibreCAD/LibreCAD/commit/8604f171ee380f294102da6154adf77ab754d403 CVE-2018-19104 (In BageCMS 3.1.3, upload/index.php has a CSRF vulnerability that can b ...) NOT-FOR-US: BageCMS CVE-2018-19103 RESERVED CVE-2018-19102 RESERVED CVE-2018-19101 RESERVED CVE-2018-19100 RESERVED CVE-2018-19099 RESERVED CVE-2018-19098 RESERVED CVE-2018-19097 RESERVED CVE-2018-19096 RESERVED CVE-2018-19095 RESERVED CVE-2018-19094 RESERVED CVE-2018-19093 (** DISPUTED ** An issue has been found in libIEC61850 v1.3. It is a SE ...) NOT-FOR-US: libIEC61850 CVE-2018-19092 (An issue was discovered in YzmCMS v5.2. It has XSS via a search/index/ ...) NOT-FOR-US: YzmCMS CVE-2018-19091 (tianti 2.3 has reflected XSS in the user management module via the tia ...) NOT-FOR-US: tianti CVE-2018-19090 (tianti 2.3 has stored XSS in the article management module via an arti ...) NOT-FOR-US: tianti CVE-2018-19089 (tianti 2.3 has stored XSS in the userlist module via the tianti-module ...) NOT-FOR-US: tianti CVE-2018-19088 RESERVED CVE-2018-19087 (RegFilter.sys in IOBit Malware Fighter 6.2 is susceptible to a stack-b ...) NOT-FOR-US: IOBit Malware Fighter CVE-2018-19086 (RegFilter.sys in IOBit Malware Fighter 6.2 is susceptible to a stack-b ...) NOT-FOR-US: IOBit Malware Fighter CVE-2018-19085 (RegFilter.sys in IOBit Malware Fighter 6.2 is susceptible to a stack-b ...) NOT-FOR-US: IOBit Malware Fighter CVE-2018-19084 (RegFilter.sys in IOBit Malware Fighter 6.2 is susceptible to a stack-b ...) NOT-FOR-US: IOBit Malware Fighter CVE-2018-19083 (WeCenter 3.2.0 through 3.2.2 has XSS in the views/default/question/ind ...) NOT-FOR-US: WeCenter CVE-2018-19082 (An issue was discovered on Foscam Opticam i5 devices with System Firmw ...) NOT-FOR-US: Foscam Opticam i5 devices CVE-2018-19081 (An issue was discovered on Foscam Opticam i5 devices with System Firmw ...) NOT-FOR-US: Foscam Opticam i5 devices CVE-2018-19080 (An issue was discovered on Foscam Opticam i5 devices with System Firmw ...) NOT-FOR-US: Foscam Opticam i5 devices CVE-2018-19079 (An issue was discovered on Foscam Opticam i5 devices with System Firmw ...) NOT-FOR-US: Foscam Opticam i5 devices CVE-2018-19078 (An issue was discovered on Foscam Opticam i5 devices with System Firmw ...) NOT-FOR-US: Foscam Opticam i5 devices CVE-2018-19077 (An issue was discovered on Foscam Opticam i5 devices with System Firmw ...) NOT-FOR-US: Foscam Opticam i5 devices CVE-2018-19076 (An issue was discovered on Foscam C2 devices with System Firmware 1.11 ...) NOT-FOR-US: Foscam C2 devices CVE-2018-19075 (An issue was discovered on Foscam C2 devices with System Firmware 1.11 ...) NOT-FOR-US: Foscam C2 devices CVE-2018-19074 (An issue was discovered on Foscam C2 devices with System Firmware 1.11 ...) NOT-FOR-US: Foscam C2 devices CVE-2018-19073 (An issue was discovered on Foscam C2 devices with System Firmware 1.11 ...) NOT-FOR-US: Foscam C2 devices CVE-2018-19072 (An issue was discovered on Foscam C2 devices with System Firmware 1.11 ...) NOT-FOR-US: Foscam C2 devices CVE-2018-19071 (An issue was discovered on Foscam C2 devices with System Firmware 1.11 ...) NOT-FOR-US: Foscam C2 devices CVE-2018-19070 (An issue was discovered on Foscam C2 devices with System Firmware 1.11 ...) NOT-FOR-US: Foscam C2 devices CVE-2018-19069 (An issue was discovered on Foscam C2 devices with System Firmware 1.11 ...) NOT-FOR-US: Foscam C2 devices CVE-2018-19068 (An issue was discovered on Foscam Opticam i5 devices with System Firmw ...) NOT-FOR-US: Foscam Opticam i5 devices CVE-2018-19067 (An issue was discovered on Foscam C2 devices with System Firmware 1.11 ...) NOT-FOR-US: Foscam C2 devices CVE-2018-19066 (An issue was discovered on Foscam C2 devices with System Firmware 1.11 ...) NOT-FOR-US: Foscam C2 devices CVE-2018-19065 (An issue was discovered on Foscam C2 devices with System Firmware 1.11 ...) NOT-FOR-US: Foscam C2 devices CVE-2018-19064 (An issue was discovered on Foscam C2 devices with System Firmware 1.11 ...) NOT-FOR-US: Foscam C2 devices CVE-2018-19063 (An issue was discovered on Foscam C2 devices with System Firmware 1.11 ...) NOT-FOR-US: Foscam C2 devices CVE-2018-19062 RESERVED CVE-2018-19061 (DedeCMS 5.7 SP2 has SQL Injection via the dede\co_do.php ids parameter ...) NOT-FOR-US: DedeCMS CVE-2018-19060 (An issue was discovered in Poppler 0.71.0. There is a NULL pointer der ...) - poppler (unimportant; bug #913182) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/660 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/d2f5d424ba8752f9a9e9dad410546ec1b46caa0a NOTE: Issue in pdfdetach cli tool leading to crash CVE-2018-19059 (An issue was discovered in Poppler 0.71.0. There is a out-of-bounds re ...) - poppler (unimportant; bug #913180) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/661 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/77a30e94d96220d7e22dff5b3f0a7f296f01b118 NOTE: Issue in pdfdetach cli tool leading to crash CVE-2018-19058 (An issue was discovered in Poppler 0.71.0. There is a reachable abort ...) {DLA-1706-1} [experimental] - poppler 0.81.0-1 - poppler (low; bug #913177) [buster] - poppler (Minor issue) [stretch] - poppler (Minor issue) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/659 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/6912e06d9ab19ba28991b5cab3319d61d856bd6d CVE-2018-19057 (SimpleMDE 1.11.2 has XSS via an onerror attribute of a crafted IMG ele ...) NOT-FOR-US: SimpleMDE CVE-2018-19056 (pandao Editor.md 1.5.0 has DOM XSS via input starting with a "<< ...) NOT-FOR-US: pandao Editor.md CVE-2018-XXXX [VirtualBox E1000 Guest-to-Host Escape] - virtualbox 5.2.22-dfsg-1 (bug #913137) [jessie] - virtualbox (DSA-3699-1) NOTE: https://github.com/MorteNoir1/virtualbox_e1000_0day NOTE: Changes between 5.2.20 and 5.2.22: https://paste.debian.net/plain/1051089 NOTE: https://github.com/MorteNoir1/virtualbox_e1000_0day/issues/12 CVE-2018-19055 RESERVED CVE-2018-19054 RESERVED CVE-2018-19053 (PbootCMS 1.2.2 allows remote attackers to execute arbitrary PHP code b ...) NOT-FOR-US: PbootCMS CVE-2018-19051 (MetInfo 6.1.3 has XSS via the admin/index.php?a=dogetpassword abt_type ...) NOT-FOR-US: MetInfo CVE-2018-19050 (MetInfo 6.1.3 has XSS via the admin/index.php?a=dogetpassword langset ...) NOT-FOR-US: MetInfo CVE-2018-19049 RESERVED CVE-2017-18351 RESERVED CVE-2018-19052 (An issue was discovered in mod_alias_physical_handler in mod_alias.c i ...) - lighttpd 1.4.52-1 (bug #913528) [stretch] - lighttpd (Minor issue) [jessie] - lighttpd (Minor issue) NOTE: https://github.com/lighttpd/lighttpd1.4/commit/2105dae0f9d7a964375ce681e53cb165375f84c1 CVE-2018-19048 (Simditor through 2.3.21 allows DOM XSS via an onload attribute within ...) NOT-FOR-US: Simditor CVE-2018-19047 (** DISPUTED ** mPDF through 7.1.6, if deployed as a web application th ...) NOT-FOR-US: mPDF CVE-2018-19046 (keepalived 2.0.8 didn't check for existing plain files when writing da ...) - keepalived 1:2.0.10-1 (unimportant) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1015141 NOTE: https://github.com/acassen/keepalived/issues/1048 NOTE: Neutralised by kernel hardening CVE-2018-19045 (keepalived 2.0.8 used mode 0666 when creating new temporary files upon ...) - keepalived 1:2.0.10-1 (unimportant) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1015141 NOTE: https://github.com/acassen/keepalived/commit/5241e4d7b177d0b6f073cfc9ed5444bf51ec89d6 NOTE: https://github.com/acassen/keepalived/commit/c6247a9ef2c7b33244ab1d3aa5d629ec49f0a067 NOTE: https://github.com/acassen/keepalived/issues/1048 CVE-2018-19044 (keepalived 2.0.8 didn't check for pathnames with symlinks when writing ...) - keepalived 1:2.0.10-1 (unimportant) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1015141 NOTE: https://github.com/acassen/keepalived/commit/04f2d32871bb3b11d7dc024039952f2fe2750306 NOTE: https://github.com/acassen/keepalived/issues/1048 CVE-2018-19043 (The Media File Manager plugin 1.4.2 for WordPress allows arbitrary fil ...) NOT-FOR-US: Wordpress plugin CVE-2018-19042 (The Media File Manager plugin 1.4.2 for WordPress allows arbitrary fil ...) NOT-FOR-US: Wordpress plugin CVE-2018-19041 (The Media File Manager plugin 1.4.2 for WordPress allows XSS via the d ...) NOT-FOR-US: Wordpress plugin CVE-2018-19040 (The Media File Manager plugin 1.4.2 for WordPress allows directory lis ...) NOT-FOR-US: Wordpress plugin CVE-2018-19039 (Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated ...) - grafana NOTE: https://community.grafana.com/t/grafana-5-3-3-and-4-6-5-security-update/11961 CVE-2018-19038 RESERVED CVE-2018-19037 (On Virgin Media wireless router 3.0 hub devices, the web interface is ...) NOT-FOR-US: Virgin Media wireless router CVE-2018-19036 (An issue was discovered in several Bosch IP cameras for firmware versi ...) NOT-FOR-US: Bosch CVE-2018-19035 RESERVED CVE-2018-19034 RESERVED CVE-2018-19033 RESERVED CVE-2018-19032 RESERVED CVE-2018-19031 (A command injection vulnerability exists when the authorized user pass ...) NOT-FOR-US: 360 routers CVE-2018-19030 RESERVED CVE-2018-19029 (LCDS Laquis SCADA prior to version 4.1.0.4150 allows an attacker using ...) NOT-FOR-US: LCDS Laquis SCADA CVE-2018-19028 RESERVED CVE-2018-19027 (Three type confusion vulnerabilities exist in CX-One Versions 4.50 and ...) NOT-FOR-US: CX-One CVE-2018-19026 RESERVED CVE-2018-19025 RESERVED CVE-2018-19024 RESERVED CVE-2018-19023 (Hetronic Nova-M prior to verson r161 uses fixed codes that are reprodu ...) NOT-FOR-US: Hetronic Nova-M radio control systems CVE-2018-19022 RESERVED CVE-2018-19021 (A specially crafted script could bypass the authentication of a mainte ...) NOT-FOR-US: Emerson DeltaV DCS CVE-2018-19020 (When CX-Supervisor (Versions 3.42 and prior) processes project files a ...) NOT-FOR-US: CX-Supervisor CVE-2018-19019 (A type confusion vulnerability exists when processing project files in ...) NOT-FOR-US: CX-Supervisor CVE-2018-19018 (An access of uninitialized pointer vulnerability in CX-Supervisor (Ver ...) NOT-FOR-US: CX-Supervisor CVE-2018-19017 (Several use after free vulnerabilities have been identified in CX-Supe ...) NOT-FOR-US: CX-Supervisor CVE-2018-19016 (Rockwell Automation EtherNet/IP Web Server Modules 1756-EWEB (includes ...) NOT-FOR-US: Rockwell Automation CVE-2018-19015 (An attacker could inject commands to launch programs and create, write ...) NOT-FOR-US: CX-Supervisor CVE-2018-19014 (Drager Infinity Delta, Infinity Delta, all versions, Delta XL, all ver ...) NOT-FOR-US: Drager patient monitoring medical devices CVE-2018-19013 (An attacker could inject commands to delete files and/or delete the co ...) NOT-FOR-US: CX-Supervisor CVE-2018-19012 (Drager Infinity Delta, Infinity Delta, all versions, Delta XL, all ver ...) NOT-FOR-US: Drager patient monitoring medical devices CVE-2018-19011 (CX-Supervisor (Versions 3.42 and prior) can execute code that has been ...) NOT-FOR-US: CX-Supervisor CVE-2018-19010 (Drager Infinity Delta, Infinity Delta, all versions, Delta XL, all ver ...) NOT-FOR-US: Drager patient monitoring medical devices CVE-2018-19009 (Pilz PNOZmulti Configurator prior to version 10.9 allows an authentica ...) NOT-FOR-US: Pilz PNOZmulti Configurator CVE-2018-19008 (The TextEditor 2.0 in ABB CP400 Panel Builder versions 2.0.7.05 and ea ...) NOT-FOR-US: TextEditor 2.0 in ABB CP400 Panel Builder CVE-2018-19007 (In Geutebrueck GmbH E2 Camera Series versions prior to 1.12.0.25 the D ...) NOT-FOR-US: Geutebrueck cameras CVE-2018-19006 (OSIsoft PI Vision, versions PI Vision 2017, and PI Vision 2017 R2, The ...) NOT-FOR-US: OSIsoft PI Vision CVE-2018-19005 (Cscape, Version 9.80.75.3 SP3 and prior. An improper input validation ...) NOT-FOR-US: Cscape CVE-2018-19004 (LCDS Laquis SCADA prior to version 4.1.0.4150 allows out of bounds rea ...) NOT-FOR-US: LCDS Laquis SCADA CVE-2018-19003 (GE Mark VIe, EX2100e, EX2100e_Reg, and LS2100e Versions 03.03.28C to 0 ...) NOT-FOR-US: GE Mark CVE-2018-19002 (LCDS Laquis SCADA prior to version 4.1.0.4150 allows improper control ...) NOT-FOR-US: LCDS Laquis SCADA CVE-2018-19001 (Philips HealthSuite Health Android App, all versions. The software use ...) NOT-FOR-US: Philips HealthSuite Health Android App CVE-2018-19000 (LCDS Laquis SCADA prior to version 4.1.0.4150 allows an authentication ...) NOT-FOR-US: LCDS Laquis SCADA CVE-2018-18999 (WebAccess/SCADA, WebAccess/SCADA Version 8.3.2 installed on Windows 20 ...) NOT-FOR-US: Advantech WebAccess/SCADA CVE-2018-18998 (LCDS Laquis SCADA prior to version 4.1.0.4150 uses hard coded credenti ...) NOT-FOR-US: LCDS Laquis SCADA CVE-2018-18997 (Pluto Safety PLC Gateway Ethernet devices in ABB GATE-E1 and GATE-E2 a ...) NOT-FOR-US: ABB GATE-E2 CVE-2018-18996 (LCDS Laquis SCADA prior to version 4.1.0.4150 allows taking in user in ...) NOT-FOR-US: LCDS Laquis SCADA CVE-2018-18995 (Pluto Safety PLC Gateway Ethernet devices ABB GATE-E1 and GATE-E2 all ...) NOT-FOR-US: ABB GATE-E2 CVE-2018-18994 (LCDS Laquis SCADA prior to version 4.1.0.4150 allows an out of bounds ...) NOT-FOR-US: LCDS Laquis SCADA CVE-2018-18993 (Two stack-based buffer overflow vulnerabilities have been discovered i ...) NOT-FOR-US: CX-One CVE-2018-18992 (LCDS Laquis SCADA prior to version 4.1.0.4150 allows taking in user in ...) NOT-FOR-US: LCDS Laquis SCADA CVE-2018-18991 (Reflected cross-site scripting (non-persistent) in SCADA WebServer (Ve ...) NOT-FOR-US: SCADA WebServer CVE-2018-18990 (LCDS Laquis SCADA prior to version 4.1.0.4150 allows a user-supplied p ...) NOT-FOR-US: LCDS Laquis SCADA CVE-2018-18989 (In CX-One Versions 4.42 and prior (CX-Programmer Versions 9.66 and pri ...) NOT-FOR-US: CX-One CVE-2018-18988 (LCDS Laquis SCADA prior to version 4.1.0.4150 allows execution of scri ...) NOT-FOR-US: LCDS Laquis SCADA CVE-2018-18987 (VT-Designer Version 2.1.7.31 is vulnerable by the program populating o ...) NOT-FOR-US: VT-Designer CVE-2018-18986 (LCDS Laquis SCADA prior to version 4.1.0.4150 allows the opening of a ...) NOT-FOR-US: LCDS Laquis SCADA CVE-2018-18985 (Tridium Niagara Enterprise Security 2.3u1, all versions prior to 2.3.1 ...) NOT-FOR-US: Tridium Niagara Enterprise CVE-2018-18984 (Medtronic CareLink 2090 Programmer CareLink 9790 Programmer 29901 Enco ...) NOT-FOR-US: Medtronic CVE-2018-18983 (VT-Designer Version 2.1.7.31 is vulnerable by the program reading the ...) NOT-FOR-US: VT-Designer CVE-2018-18982 (NUUO CMS All versions 3.3 and prior the web server application allows ...) NOT-FOR-US: NUUO CMS CVE-2018-18981 (In Rockwell Automation FactoryTalk Services Platform 2.90 and earlier, ...) NOT-FOR-US: Rockwell Automation FactoryTalk Services Platform CVE-2014-10077 (Hash#slice in lib/i18n/core_ext/hash.rb in the i18n gem before 0.8.0 f ...) {DLA-1584-1} - ruby-i18n 0.7.0-3 (bug #913093) [stretch] - ruby-i18n 0.7.0-2+deb9u1 NOTE: https://github.com/svenfuchs/i18n/pull/289 NOTE: https://github.com/svenfuchs/i18n/commit/24e71a9a4901ed18c9cab5c53109fd9bf2416bcb CVE-2018-18980 (An XML External Entity injection (XXE) vulnerability exists in Zoho Ma ...) NOT-FOR-US: Zoho ManageEngine Network Configuration Manager and OpManager CVE-2018-18979 (An issue was discovered in the Ascensia Contour NEXT ONE application f ...) NOT-FOR-US: Ascensia Contour NEXT ONE application for Android CVE-2018-18978 (An issue was discovered in the Ascensia Contour NEXT ONE application f ...) NOT-FOR-US: Ascensia Contour NEXT ONE application for Android CVE-2018-18977 (An issue was discovered in the Ascensia Contour NEXT ONE application f ...) NOT-FOR-US: Ascensia Contour NEXT ONE application for Android CVE-2018-18976 (An issue was discovered in the Ascensia Contour NEXT ONE application f ...) NOT-FOR-US: Ascensia Contour NEXT ONE application for iOS CVE-2018-18975 (An issue was discovered in the Ascensia Contour NEXT ONE app for iOS b ...) NOT-FOR-US: Ascensia Contour NEXT ONE application for iOS CVE-2018-18974 RESERVED CVE-2018-18973 RESERVED CVE-2018-18972 RESERVED CVE-2018-18971 RESERVED CVE-2018-18970 RESERVED CVE-2018-18969 RESERVED CVE-2018-18968 RESERVED CVE-2018-18967 RESERVED CVE-2018-18966 (osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filteri ...) NOT-FOR-US: osCommerce CVE-2018-18965 (osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filteri ...) NOT-FOR-US: osCommerce CVE-2018-18964 (osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filteri ...) NOT-FOR-US: osCommerce CVE-2018-18963 (Busca.aspx.cs in Degrau Publicidade e Internet Plataforma de E-commerc ...) NOT-FOR-US: Degrau Publicidade e Internet Plataforma de E-commerce CVE-2018-18962 RESERVED CVE-2018-18961 RESERVED CVE-2018-18960 (An issue was discovered on Epson WorkForce WF-2861 10.48 LQ22I3, 10.51 ...) NOT-FOR-US: Epson CVE-2018-18959 (An issue was discovered on Epson WorkForce WF-2861 10.48 LQ22I3, 10.51 ...) NOT-FOR-US: Epson CVE-2018-18958 (OPNsense 18.7.x before 18.7.7 has Incorrect Access Control. ...) NOT-FOR-US: OPNsense CVE-2018-18957 (An issue has been found in libIEC61850 v1.3. It is a stack-based buffe ...) NOT-FOR-US: libIEC61850 CVE-2018-18956 (The ProcessMimeEntity function in util-decode-mime.c in Suricata 4.x b ...) - suricata 1:4.0.6-1 [stretch] - suricata (Minor issue) [jessie] - suricata (Vulnerable code not present, no MIME support in this version) NOTE: https://lists.openinfosecfoundation.org/pipermail/oisf-users/2018-October/016227.html NOTE: https://redmine.openinfosecfoundation.org/issues/2658#change-10374 CVE-2018-18955 (In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() i ...) - linux 4.18.20-1 [stretch] - linux (Introduced in 4.15-rc1) [jessie] - linux (Introduced in 4.15-rc1) NOTE: https://git.kernel.org/linus/d2f007dbe7e4c9583eea6eb04d60001e85c6f1bd NOTE: Introduced in https://git.kernel.org/linus/6397fac4915a NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712 CVE-2018-18954 (The pnv_lpc_do_eccb function in hw/ppc/pnv_lpc.c in Qemu before 3.1 al ...) {DSA-4454-1} - qemu 1:3.1+dfsg-1 (low; bug #914604) [jessie] - qemu (Vulnerable code not present. ppc/pnv lpc was added in 2.7) - qemu-kvm NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=d07945e78eb6b593cd17a4640c1fc9eb35e3245d CVE-2018-18953 RESERVED CVE-2018-18952 (JEECMS 9.3 has XSS via an index.do#/content/update?type=update URI. ...) NOT-FOR-US: JEECMS CVE-2018-18951 RESERVED CVE-2018-18950 (KindEditor through 4.1.11 has a path traversal vulnerability in php/up ...) NOT-FOR-US: KindEditor CVE-2018-18949 (Zoho ManageEngine OpManager 12.3 before 123222 has SQL Injection via M ...) NOT-FOR-US: Zoho ManageEngine OpManager CVE-2018-18948 RESERVED CVE-2018-18947 RESERVED CVE-2018-18946 RESERVED CVE-2018-18945 RESERVED CVE-2018-18944 (Artha ~ The Open Thesaurus 1.0.3.0 has a Buffer Overflow. ...) NOT-FOR-US: Artha ~ The Open Thesaurus CVE-2018-18943 (An issue was discovered in baserCMS before 4.1.4. In the Register New ...) NOT-FOR-US: baserCMS CVE-2018-18942 (In baserCMS before 4.1.4, lib\Baser\Model\ThemeConfig.php allows remot ...) NOT-FOR-US: baserCMS CVE-2018-18941 (In Vignette Content Management version 6, it is possible to gain remot ...) NOT-FOR-US: Vignette Content Management CVE-2018-18940 (servlet/SnoopServlet (a servlet installed by default) in Netscape Ente ...) NOT-FOR-US: Netscape Enterprise CVE-2018-18939 (An issue was discovered in WUZHI CMS 4.1.0. There is stored XSS in ind ...) NOT-FOR-US: WUZHI CMS CVE-2018-18938 (An issue was discovered in WUZHI CMS 4.1.0. There is stored XSS in ind ...) NOT-FOR-US: WUZHI CMS CVE-2018-18937 (An issue has been found in libIEC61850 v1.3. It is a NULL pointer dere ...) NOT-FOR-US: libIEC61850 CVE-2018-18936 (An issue was discovered in PopojiCMS v2.0.1. admin_library.php allows ...) NOT-FOR-US: PopojiCMS CVE-2018-18935 (An issue was discovered in PopojiCMS v2.0.1. It has CSRF via the po-ad ...) NOT-FOR-US: PopojiCMS CVE-2018-18934 (An issue was discovered in PopojiCMS v2.0.1. admin_component.php is ex ...) NOT-FOR-US: PopojiCMS CVE-2018-18933 (The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader ...) NOT-FOR-US: Foxit Reader CVE-2018-18932 RESERVED CVE-2018-18931 (An issue was discovered in the Tightrope Media Carousel digital signag ...) NOT-FOR-US: Tightrope Media Carousel CVE-2018-18930 (The Tightrope Media Carousel digital signage product 7.0.4.104 contain ...) NOT-FOR-US: Tightrope Media Carousel CVE-2018-18929 (The Tightrope Media Carousel Seneca HDn Windows-based appliance 7.0.4. ...) NOT-FOR-US: Tightrope Media Carousel CVE-2018-18928 (International Components for Unicode (ICU) for C/C++ 63.1 has an integ ...) - icu 63.1-3 [stretch] - icu (Vulnerable code not present) [jessie] - icu (Vulnerable code not present) NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=900059 NOTE: Fixed by: https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51 NOTE: https://unicode-org.atlassian.net/browse/ICU-20246 CVE-2018-18927 (An issue was discovered in PublicCMS V4.0. It allows XSS by modifying ...) NOT-FOR-US: PublicCMS CVE-2018-18926 (Gitea before 1.5.4 allows remote code execution because it does not pr ...) - gitea NOTE: https://github.com/go-gitea/gitea/issues/5140 CVE-2018-18925 (Gogs 0.11.66 allows remote code execution because it does not properly ...) NOT-FOR-US: Go Git Service CVE-2018-18924 (The image-upload feature in ProjeQtOr 7.2.5 allows remote attackers to ...) NOT-FOR-US: ProjeQtOr CVE-2018-18923 (AbiSoft Ticketly 1.0 is affected by multiple SQL Injection vulnerabili ...) NOT-FOR-US: AbiSoft Ticketly CVE-2018-18922 (add_user in AbiSoft Ticketly 1.0 allows remote attackers to create adm ...) NOT-FOR-US: AbiSoft Ticketly CVE-2018-18921 (PHP Server Monitor before 3.3.2 has CSRF, as demonstrated by a Delete ...) NOT-FOR-US: PHP Server Monitor CVE-2018-18920 (Py-EVM v0.2.0-alpha.33 allows attackers to make a vm.execute_bytecode ...) - python3-py-evm (bug #884796) CVE-2018-18919 (The WP Editor.md plugin 10.0.1 for WordPress allows XSS via the commen ...) NOT-FOR-US: WP Editor.md plugin for WordPress CVE-2018-18918 RESERVED CVE-2018-18917 RESERVED CVE-2018-18916 RESERVED CVE-2018-18915 (There is an infinite loop in the Exiv2::Image::printIFDStructure funct ...) - exiv2 (Vulnerable code introduced later; only affected experimental; bug #912828) NOTE: https://github.com/Exiv2/exiv2/issues/511 CVE-2018-18914 RESERVED CVE-2018-18913 (Opera before 57.0.3098.106 is vulnerable to a DLL Search Order hijacki ...) NOT-FOR-US: Opera CVE-2018-18912 (An issue was discovered in Easy File Sharing (EFS) Web Server 7.2. A s ...) NOT-FOR-US: Easy File Sharing CVE-2018-18911 RESERVED CVE-2018-18910 RESERVED CVE-2018-18909 (xhEditor 1.2.2 allows XSS via JavaScript code in the SRC attribute of ...) NOT-FOR-US: xhEditor CVE-2018-18908 (The Sky Go Desktop application 1.0.19-1 through 1.0.23-1 for Windows p ...) NOT-FOR-US: Sky Go Desktop CVE-2018-18907 RESERVED CVE-2018-18906 RESERVED CVE-2018-18905 RESERVED CVE-2018-18904 RESERVED CVE-2018-18903 (Vanilla 2.6.x before 2.6.4 allows remote code execution. ...) NOT-FOR-US: Vanilla CVE-2018-18902 RESERVED CVE-2018-18901 RESERVED CVE-2018-18900 RESERVED CVE-2018-18899 RESERVED CVE-2018-18898 (The email-ingestion feature in Best Practical Request Tracker 4.1.13 t ...) {DLA-2101-1} - libemail-address-list-perl 0.06-1 [stretch] - libemail-address-list-perl 0.05-1+deb9u1 NOTE: https://github.com/bestpractical/email-address-list/commit/a22e6b233443fe3ad1a408e50ecbd7237674817d NOTE: https://github.com/bestpractical/email-address-list/commit/6dd5021a6e5df2e8c86a163dc2e180a76a38e63b NOTE: https://github.com/bestpractical/email-address-list/commit/31bd4dc2dfb26fd6a17e4436df3d3c8904856f30 CVE-2018-18897 (An issue was discovered in Poppler 0.71.0. There is a memory leak in G ...) [experimental] - poppler 0.81.0-1 - poppler (low; bug #913164) [buster] - poppler (Negligible security impact) [stretch] - poppler (Negligible security impact) [jessie] - poppler (Negligible security impact; memory leak) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/654 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/e07c8b4784234383cb5ddcf1133ea91a772506e2 CVE-2018-18896 RESERVED CVE-2018-18895 REJECTED CVE-2018-18894 (Certain older Lexmark devices (C, M, X, and 6500e before 2018-12-18) c ...) NOT-FOR-US: Lexmark CVE-2018-18893 (Jinjava before 2.4.6 does not block the getClass method, related to co ...) NOT-FOR-US: Jinjava CVE-2018-18892 (MiniCMS 1.10 allows execution of arbitrary PHP code via the install.ph ...) NOT-FOR-US: MiniCMS CVE-2018-18891 (MiniCMS 1.10 allows file deletion via /mc-admin/post.php?state=delete& ...) NOT-FOR-US: MiniCMS CVE-2018-18890 (MiniCMS 1.10 allows full path disclosure via /mc-admin/post.php?state= ...) NOT-FOR-US: MiniCMS CVE-2018-18889 RESERVED CVE-2018-18888 (An issue was discovered in laravelCMS through 2018-04-02. \app\Http\Co ...) NOT-FOR-US: laravelCMS CVE-2018-18887 (S-CMS PHP 1.0 has SQL injection in member/member_news.php via the type ...) NOT-FOR-US: S-CMS CVE-2018-18886 (Helpy v2.1.0 has Stored XSS via the Ticket title. ...) NOT-FOR-US: Helpy CVE-2018-18885 RESERVED CVE-2018-18884 RESERVED CVE-2018-18882 (A stored cross-site scripting (XSS) issue was discovered in ControlByW ...) NOT-FOR-US: ControlByWeb CVE-2018-18881 (A Denial of Service (DOS) issue was discovered in ControlByWeb X-320M- ...) NOT-FOR-US: ControlByWeb CVE-2018-18880 (In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a net ...) NOT-FOR-US: Columbia Weather MicroServer CVE-2018-18879 (In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an au ...) NOT-FOR-US: Columbia Weather MicroServer CVE-2018-18878 (In firmware version MS_2.6.9900 of Columbia Weather MicroServer, the B ...) NOT-FOR-US: Columbia Weather MicroServer CVE-2018-18877 (In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an au ...) NOT-FOR-US: Columbia Weather MicroServer CVE-2018-18876 (In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a rea ...) NOT-FOR-US: Columbia Weather MicroServer CVE-2018-18875 (In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a sto ...) NOT-FOR-US: Columbia Weather MicroServer CVE-2018-18874 (nc-cms through 2017-03-10 allows remote attackers to execute arbitrary ...) NOT-FOR-US: nc-cms CVE-2018-18873 (An issue was discovered in JasPer 2.0.14. There is a NULL pointer dere ...) {DLA-1628-1} - jasper NOTE: https://github.com/mdadams/jasper/issues/184 CVE-2018-18872 (The Kieran O'Shea Calendar plugin before 1.3.11 for WordPress has Stor ...) NOT-FOR-US: Kieran O'Shea Calendar plugin for WordPress CVE-2018-18871 (Missing password verification in the web interface on Gigaset Maxwell ...) NOT-FOR-US: Gigaset CVE-2018-18870 RESERVED CVE-2018-18869 (EmpireCMS V7.5 allows remote attackers to upload and execute arbitrary ...) NOT-FOR-US: EmpireCMS CVE-2018-18868 (No-CMS 1.1.3 is prone to Persistent XSS via a contact_us name paramete ...) NOT-FOR-US: No-CMS CVE-2018-18867 (An SSRF issue was discovered in tecrail Responsive FileManager 9.13.4 ...) NOT-FOR-US: tecrail Responsive FileManager CVE-2018-18866 RESERVED CVE-2018-18865 (The Royal browser extensions TS before 4.3.60728 (Release Date 2018-07 ...) NOT-FOR-US: Royal browser extensions TS CVE-2018-18864 (Loadbalancer.org Enterprise VA MAX before 8.3.3 has XSS because Apache ...) NOT-FOR-US: Loadbalancer.org Enterprise VA MAX CVE-2018-18863 (NGA ResourceLink 20.0.2.1 allows local file inclusion. ...) NOT-FOR-US: NGA ResourceLink CVE-2018-18862 (BMC Remedy Mid-Tier 7.1.00 and 9.1.02.003 for BMC Remedy AR System has ...) NOT-FOR-US: BMC CVE-2018-18861 (Buffer overflow in PCMan FTP Server 2.0.7 allows for remote code execu ...) NOT-FOR-US: PCMan FTP Server CVE-2018-18860 (A local privilege escalation vulnerability has been identified in the ...) NOT-FOR-US: SwitchVPN for macOS CVE-2018-18859 (Multiple local privilege escalation vulnerabilities have been identifi ...) NOT-FOR-US: LiquidVPN client for macOS CVE-2018-18858 (Multiple local privilege escalation vulnerabilities have been identifi ...) NOT-FOR-US: LiquidVPN client for macOS CVE-2018-18857 (Multiple local privilege escalation vulnerabilities have been identifi ...) NOT-FOR-US: LiquidVPN client for macOS CVE-2018-18856 (Multiple local privilege escalation vulnerabilities have been identifi ...) NOT-FOR-US: LiquidVPN client for macOS CVE-2018-18855 RESERVED CVE-2018-18854 (Lightbend Spray spray-json through 1.3.4 allows remote attackers to ca ...) NOT-FOR-US: Lightbend Spray spray-json CVE-2018-18853 (Lightbend Spray spray-json through 1.3.4 allows remote attackers to ca ...) NOT-FOR-US: Lightbend Spray spray-json CVE-2018-18852 (Cerio DT-300N 1.1.6 through 1.1.12 devices allow OS command injection ...) NOT-FOR-US: Cerio devices CVE-2018-18851 RESERVED CVE-2018-18850 (In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authen ...) NOT-FOR-US: Octopus Deploy CVE-2018-18849 (In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-boun ...) {DSA-4454-1 DLA-1781-1} - qemu 1:3.1+dfsg-1 (bug #912535) - qemu-kvm NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=e58ccf039650065a9442de43c9816f81e88f27f6 NOTE: https://www.openwall.com/lists/oss-security/2018/11/01/1 CVE-2018-18848 RESERVED CVE-2018-18847 RESERVED CVE-2018-18846 RESERVED CVE-2018-18845 (internal/advanced_comment_system/index.php and internal/advanced_comme ...) NOT-FOR-US: Advanced Comment System CVE-2018-18844 RESERVED CVE-2018-18843 (The Kubernetes integration in GitLab Enterprise Edition 11.x before 11 ...) - gitlab (Only affects Enterprise edition) NOTE: https://about.gitlab.com/2018/11/01/critical-security-release-gitlab-11-dot-4-dot-4-released/ CVE-2018-18842 (CSRF exists in zb_users/plugin/AppCentre/theme.js.php in Z-BlogPHP 1.5 ...) NOT-FOR-US: Z-BlogPHP CVE-2018-18841 (XSS was discovered in SEMCMS PHP V3.4 via the SEMCMS_SeoAndTag.php?Cla ...) NOT-FOR-US: SEMCMS PHP CVE-2018-18840 (XSS was discovered in SEMCMS PHP V3.4 via the SEMCMS_SeoAndTag.php?Cla ...) NOT-FOR-US: SEMCMS PHP CVE-2018-18839 (** DISPUTED ** An issue was discovered in Netdata 1.10.0. Full Path Di ...) - netdata 1.11.1+dfsg-1 NOTE: https://github.com/netdata/netdata/commit/92327c9ec211bd1616315abcb255861b130b97ca NOTE: https://github.com/netdata/netdata/pull/4521 CVE-2018-18838 (An issue was discovered in Netdata 1.10.0. Log Injection (or Log Forge ...) - netdata 1.11.1+dfsg-1 NOTE: https://github.com/netdata/netdata/pull/4521 NOTE: https://github.com/netdata/netdata/commit/92327c9ec211bd1616315abcb255861b130b97ca CVE-2018-18837 (An issue was discovered in Netdata 1.10.0. HTTP Header Injection exist ...) - netdata 1.11.1+dfsg-1 NOTE: https://github.com/netdata/netdata/pull/4521 NOTE: https://github.com/netdata/netdata/commit/92327c9ec211bd1616315abcb255861b130b97ca CVE-2018-18836 (An issue was discovered in Netdata 1.10.0. JSON injection exists via t ...) - netdata 1.11.1+dfsg-1 NOTE: https://github.com/netdata/netdata/pull/4521 NOTE: https://github.com/netdata/netdata/commit/92327c9ec211bd1616315abcb255861b130b97ca CVE-2018-18835 (upload_template() in system/changeskin.php in DocCms 2016.5.12 allows ...) NOT-FOR-US: DocCms CVE-2018-18834 (An issue has been found in libIEC61850 v1.3. It is a heap-based buffer ...) NOT-FOR-US: libIEC61850 CVE-2018-18833 RESERVED CVE-2018-18832 (admin/check.asp in DKCMS 9.4 allows SQL Injection via an ASPSESSIONID ...) NOT-FOR-US: DKCMS CVE-2018-18831 (An issue was discovered in com\mingsoft\cms\action\GeneraterAction.jav ...) NOT-FOR-US: MCMS CVE-2018-18830 (An issue was discovered in com\mingsoft\basic\action\web\FileAction.ja ...) NOT-FOR-US: MCMS CVE-2018-18829 (There exists a NULL pointer dereference in ff_vc1_parse_frame_header_a ...) - libav [jessie] - libav (Minor issue, clean crash, no patch) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1136 NOTE: ffmpeg PoC crash fixed but different vector: NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/c79cf0129edafc388ba1c47cd7b6a620557e48de CVE-2018-18828 (There exists a heap-based buffer overflow in vc1_decode_i_block_adv in ...) - libav [jessie] - libav (vulnerable code is not present) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1135 CVE-2018-18827 (There exists a heap-based buffer over-read in ff_vc1_pred_dc in vc1_bl ...) - libav [jessie] - libav (vulnerable code is not present) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1135 CVE-2018-18826 (There exists a heap-based buffer overflow in vc1_decode_p_mb_intfi in ...) - libav [jessie] - libav (vulnerable code is not present) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1135 CVE-2018-18825 (Pagoda Linux panel V6.0 has XSS via the verification code associated w ...) NOT-FOR-US: Pagoda Linux panel CVE-2018-18824 (WolfCMS v0.8.3.1 allows XSS via an SVG file to /?/admin/plugin/file_ma ...) NOT-FOR-US: WolfCMS CVE-2018-18823 (WolfCMS 0.8.3.1 allows XSS via an SVG file to /?/admin/plugin/file_man ...) NOT-FOR-US: WolfCMS CVE-2018-18822 (Grapixel New Media v2.0 allows SQL Injection via the pages.aspx pagere ...) NOT-FOR-US: Grapixel New Media CVE-2018-18821 RESERVED CVE-2018-18820 (A buffer overflow was discovered in the URL-authentication backend of ...) {DSA-4333-1 DLA-1588-1} - icecast2 2.4.4-1 (bug #912611) NOTE: https://www.openwall.com/lists/oss-security/2018/11/01/3 NOTE: https://gitlab.xiph.org/xiph/icecast-server/issues/2342 NOTE: Fixed by: https://gitlab.xiph.org/xiph/icecast-server/commit/b21a7283bd1598c5af0bbb250a041ba8198f98f2 NOTE: Additional issue fixed with https://gitlab.xiph.org/xiph/icecast-server/commit/03ea74c04a5966114c2fe66e4e6892d11a68181e NOTE: https://lgtm.com/blog/icecast_snprintf_CVE-2018-18820 CVE-2018-18819 (A vulnerability in the web conference chat component of MiCollab, vers ...) NOT-FOR-US: Mitel CVE-2018-18818 RESERVED CVE-2018-18817 (The Leostream Agent before Build 7.0.1.0 when used with Leostream Conn ...) NOT-FOR-US: Leostream Agent CVE-2018-18816 (The repository component of TIBCO Software Inc.'s TIBCO JasperReports ...) NOT-FOR-US: TIBCO CVE-2018-18815 (The REST API component of TIBCO Software Inc.'s TIBCO JasperReports Se ...) NOT-FOR-US: TIBCO CVE-2018-18814 (The TIBCO Spotfire authentication component of TIBCO Software Inc.'s T ...) NOT-FOR-US: TIBCO CVE-2018-18813 (The Spotfire web server component of TIBCO Software Inc.'s TIBCO Spotf ...) NOT-FOR-US: TIBCO CVE-2018-18812 (The Spotfire Library component of TIBCO Software Inc.'s TIBCO Spotfire ...) NOT-FOR-US: TIBCO CVE-2018-18811 REJECTED CVE-2018-18810 (The Administrator Service component of TIBCO Software Inc.'s TIBCO Man ...) NOT-FOR-US: TIBCO CVE-2018-18809 (The default server implementation of TIBCO Software Inc.'s TIBCO Jaspe ...) NOT-FOR-US: TIBCO CVE-2018-18808 (The domain management component of TIBCO Software Inc.'s TIBCO JasperR ...) NOT-FOR-US: TIBCO CVE-2018-18807 (The web application of the TIBCO Statistica component of TIBCO Softwar ...) NOT-FOR-US: TIBCO CVE-2017-18350 (bitcoind and Bitcoin-Qt prior to 0.15.1 have a stack-based buffer over ...) - bitcoin 0.15.1~dfsg-1 CVE-2018-19132 (Squid before 4.4, when SNMP is enabled, allows a denial of service (Me ...) {DLA-1596-1} - squid 4.4-1 (low; bug #912294) - squid3 (low) NOTE: http://www.squid-cache.org/Advisories/SQUID-2018_5.txt NOTE: 3.5: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-bc9786119f058a76ddf0625424bc33d36460b9a2.patch NOTE: 4.x: http://www.squid-cache.org/Versions/v4/changesets/squid-4-983c5c36e5f109512ed1af38a329d0b5d0967498.patch CVE-2018-19131 (Squid before 4.4 has XSS via a crafted X.509 certificate during HTTP(S ...) - squid 4.4-1 (unimportant; bug #912293) - squid3 (unimportant) NOTE: http://www.squid-cache.org/Advisories/SQUID-2018_4.txt NOTE: Squid in Debian builds without TLS support CVE-2018-18806 (School Equipment Monitoring System 1.0 allows SQL injection via the lo ...) NOT-FOR-US: School Equipment Monitoring System CVE-2018-18805 (PointOfSales 1.0 allows SQL injection via the login screen, related to ...) NOT-FOR-US: PointOfSales CVE-2018-18804 (Bakeshop Inventory System 1.0 has SQL injection via the login screen, ...) NOT-FOR-US: Bakeshop Inventory System CVE-2018-18803 (Curriculum Evaluation System 1.0 allows SQL Injection via the login sc ...) NOT-FOR-US: Curriculum Evaluation System CVE-2018-18802 (The Tubigan "Welcome to our Resort" 1.0 software allows CSRF via admin ...) NOT-FOR-US: Tubigan "Welcome to our Resort" software CVE-2018-18801 (The BSEN Ordering software 1.0 has SQL Injection via student/index.php ...) NOT-FOR-US: BSEN Ordering software CVE-2018-18800 (The Tubigan "Welcome to our Resort" 1.0 software allows SQL Injection ...) NOT-FOR-US: Tubigan "Welcome to our Resort" software CVE-2018-18799 (School Attendance Monitoring System 1.0 has CSRF via event/controller. ...) NOT-FOR-US: School Attendance Monitoring System CVE-2018-18798 (Attendance Monitoring System 1.0 has SQL Injection via the 'id' parame ...) NOT-FOR-US: School Attendance Monitoring System CVE-2018-18797 (School Attendance Monitoring System 1.0 has CSRF via /user/user/edit.p ...) NOT-FOR-US: School Attendance Monitoring System CVE-2018-18796 (Library Management System 1.0 has SQL Injection via the "Search for Bo ...) NOT-FOR-US: Library Management System CVE-2018-18795 (School Event Management System 1.0 has SQL Injection via the student/i ...) NOT-FOR-US: School Event Management System CVE-2018-18794 (School Event Management System 1.0 allows CSRF via user/controller.php ...) NOT-FOR-US: School Event Management System CVE-2018-18793 (School Event Management System 1.0 allows Arbitrary File Upload via ev ...) NOT-FOR-US: School Event Management System CVE-2018-18792 (An issue was discovered in zzcms 8.3. SQL Injection exists in zs/zs_li ...) NOT-FOR-US: zzcms CVE-2018-18791 (An issue was discovered in zzcms 8.3. SQL Injection exists in zs/searc ...) NOT-FOR-US: zzcms CVE-2018-18790 (An issue was discovered in zzcms 8.3. SQL Injection exists in admin/sp ...) NOT-FOR-US: zzcms CVE-2018-18789 (An issue was discovered in zzcms 8.3. SQL Injection exists in zt/top.p ...) NOT-FOR-US: zzcms CVE-2018-18788 (An issue was discovered in zzcms 8.3. SQL Injection exists in admin/cl ...) NOT-FOR-US: zzcms CVE-2018-18787 (An issue was discovered in zzcms 8.3. SQL Injection exists in zs/zs.ph ...) NOT-FOR-US: zzcms CVE-2018-18786 (An issue was discovered in zzcms 8.3. SQL Injection exists in ajax/zs. ...) NOT-FOR-US: zzcms CVE-2018-18785 (An issue was discovered in zzcms 8.3. SQL Injection exists in zs/subzs ...) NOT-FOR-US: zzcms CVE-2018-18784 (An issue was discovered in zzcms 8.3. SQL Injection exists in admin/ta ...) NOT-FOR-US: zzcms CVE-2018-18783 (XSS was discovered in SEMCMS V3.4 via the semcms_remail.php?type=ok um ...) NOT-FOR-US: SEMCMS CVE-2018-18782 (Reflected XSS exists in DedeCMS 5.7 SP2 via the /member/myfriend.php f ...) NOT-FOR-US: DedeCMS CVE-2018-18781 (DedeCMS 5.7 SP2 allows XSS via the /member/uploads_select.php f or key ...) NOT-FOR-US: DedeCMS CVE-2018-18780 RESERVED CVE-2018-18779 RESERVED CVE-2018-18778 (ACME mini_httpd before 1.30 lets remote users read arbitrary files. ...) - mini-httpd 1.30-0.1 (bug #913095) [stretch] - mini-httpd (Minor issue) CVE-2018-18777 (Directory traversal vulnerability in Microstrategy Web, version 7, in ...) NOT-FOR-US: Microstrategy Web CVE-2018-18776 (Microstrategy Web, version 7, does not sufficiently encode user-contro ...) NOT-FOR-US: Microstrategy Web CVE-2018-18775 (Microstrategy Web, version 7, does not sufficiently encode user-contro ...) NOT-FOR-US: Microstrategy Web CVE-2018-18774 (CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allow ...) NOT-FOR-US: CentOS Web Panel CVE-2018-18773 (CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allow ...) NOT-FOR-US: CentOS Web Panel CVE-2018-18772 (CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allow ...) NOT-FOR-US: CentOS Web Panel CVE-2018-18771 (An issue was discovered in LuLu CMS through 2015-05-14. backend\module ...) NOT-FOR-US: Lulu CMS CVE-2018-18770 RESERVED CVE-2018-18769 RESERVED CVE-2018-18768 RESERVED CVE-2018-18767 (An issue was discovered in D-Link 'myDlink Baby App' version 2.04.06. ...) NOT-FOR-US: D-Link CVE-2018-18766 (An elevation of privilege vulnerability exists in the Call Dispatcher ...) NOT-FOR-US: Provisio SiteKiosk CVE-2018-18765 (An exploitable arbitrary memory read vulnerability exists in the MQTT ...) - smplayer 18.5.0~ds1-1 [stretch] - smplayer (Vulnerable code not present) [jessie] - smplayer (Vulnerable code not present) NOTE: 18.5.0~ds1-1 isn't fixed on the source level, but no longer builds the Chromecast support CVE-2018-18764 (An exploitable arbitrary memory read vulnerability exists in the MQTT ...) - smplayer 18.5.0~ds1-1 [stretch] - smplayer (Vulnerable code not present) [jessie] - smplayer (Vulnerable code not present) NOTE: 18.5.0~ds1-1 isn't fixed on the source level, but no longer builds the Chromecast support CVE-2018-18763 (SaltOS 3.1 r8126 allows action=ajax&query=numbers&page=usuario ...) NOT-FOR-US: SaltOS CVE-2018-18762 (SaltOS 3.1 r8126 contains a database download vulnerability. ...) NOT-FOR-US: SaltOS CVE-2018-18761 (SaltOS 3.1 r8126 allows action=login&querystring=&user=[SQL] S ...) NOT-FOR-US: SaltOS CVE-2018-18760 (RhinOS 3.0 build 1190 allows CSRF. ...) NOT-FOR-US: RhinOS CVE-2018-18759 (Modbus Slave 7.0.0 in modbus tools has a Buffer Overflow. ...) NOT-FOR-US: Modbus Slave CVE-2018-18758 (Open Faculty Evaluation System 7 for PHP 7 allows submit_feedback.php ...) NOT-FOR-US: Open Faculty Evaluation System CVE-2018-18757 (Open Faculty Evaluation System 5.6 for PHP 5.6 allows submit_feedback. ...) NOT-FOR-US: Open Faculty Evaluation System CVE-2018-18756 (Local Server 1.0.9 has a Buffer Overflow via crafted data on Port 4008 ...) NOT-FOR-US: Local Server CVE-2018-18755 (K-iwi Framework 1775 has SQL Injection via the admin/user/group/update ...) NOT-FOR-US: K-iwi Framework CVE-2018-18754 (ZyXEL VMG3312-B10B 1.00(AAPP.7) devices have a backdoor root account w ...) NOT-FOR-US: ZyXEL CVE-2018-18753 (Typecho V1.1 allows remote attackers to send shell commands via base64 ...) NOT-FOR-US: Typecho CVE-2018-18752 (Webiness Inventory 2.3 suffers from an Arbitrary File upload vulnerabi ...) NOT-FOR-US: Webiness Inventory CVE-2018-18751 (An issue was discovered in GNU gettext 0.19.8. There is a double free ...) - gettext 0.19.8.1-9 (unimportant; bug #913173) NOTE: https://git.savannah.gnu.org/gitweb/?p=gettext.git;a=commitdiff;h=dce3a16e5e9368245735e29bf498dcd5e3e474a4 NOTE: Negligible security impact CVE-2018-18750 RESERVED CVE-2018-18749 (data-tools through 2017-07-26 has an Integer Overflow leading to an in ...) NOT-FOR-US: data-tools CVE-2018-18748 (** DISPUTED ** Sandboxie 5.26 allows a Sandbox Escape via an "import o ...) NOT-FOR-US: Sandboxie CVE-2018-18747 RESERVED CVE-2018-18746 RESERVED CVE-2018-18745 (An XSS issue was discovered in SEMCMS 3.4 via admin/SEMCMS_Menu.php?lg ...) NOT-FOR-US: SEMCMS CVE-2018-18744 (An XSS issue was discovered in SEMCMS 3.4 via the fifth text box to th ...) NOT-FOR-US: SEMCMS CVE-2018-18743 (An XSS issue was discovered in SEMCMS 3.4 via the second text field to ...) NOT-FOR-US: SEMCMS CVE-2018-18742 (A CSRF issue was discovered in SEMCMS 3.4 via the admin/SEMCMS_User.ph ...) NOT-FOR-US: SEMCMS CVE-2018-18741 (An XSS issue was discovered in SEMCMS 3.4 via admin/SEMCMS_Download.ph ...) NOT-FOR-US: SEMCMS CVE-2018-18740 (An XSS issue was discovered in SEMCMS 3.4 via the first input field to ...) NOT-FOR-US: SEMCMS CVE-2018-18739 (An XSS issue was discovered in SEMCMS 3.4 via the admin/SEMCMS_Product ...) NOT-FOR-US: SEMCMS CVE-2018-18738 (An XSS issue was discovered in SEMCMS 3.4 via the admin/SEMCMS_Categor ...) NOT-FOR-US: SEMCMS CVE-2018-18737 (An XXE issue was discovered in Douchat 4.0.4 because Data\notify.php c ...) NOT-FOR-US: Douchat CVE-2018-18736 (An XSS issue was discovered in catfish blog 2.0.33, related to "write ...) NOT-FOR-US: catfish blog (different from src:catfish) CVE-2018-18735 (A CSRF issue was discovered in admin/Index/tiquan in catfish blog 2.0. ...) NOT-FOR-US: catfish blog (different from src:catfish) CVE-2018-18734 (A CSRF issue was discovered in admin/Index/addmanageuser.html in Catfi ...) NOT-FOR-US: Catfish CMS CVE-2018-18733 (An XSS issue was discovered in Catfish CMS 4.8.30, related to "write s ...) NOT-FOR-US: Catfish CMS CVE-2018-18732 (An issue was discovered on Tenda AC7 V15.03.06.44_CN, AC9 V15.03.05.19 ...) NOT-FOR-US: Tenda devices CVE-2018-18731 (An issue was discovered on Tenda AC7 V15.03.06.44_CN, AC9 V15.03.05.19 ...) NOT-FOR-US: Tenda devices CVE-2018-18730 (An issue was discovered on Tenda AC7 V15.03.06.44_CN, AC9 V15.03.05.19 ...) NOT-FOR-US: Tenda devices CVE-2018-18729 (An issue was discovered on Tenda AC7 V15.03.06.44_CN, AC9 V15.03.05.19 ...) NOT-FOR-US: Tenda devices CVE-2018-18728 (An issue was discovered on Tenda AC9 V15.03.05.19(6318)_CN, AC15 V15.0 ...) NOT-FOR-US: Tenda devices CVE-2018-18727 (An issue was discovered on Tenda AC7 V15.03.06.44_CN, AC9 V15.03.05.19 ...) NOT-FOR-US: Tenda devices CVE-2018-18726 (An XSS issue was discovered in admin/sitelink/editsitelink?id=16 in YU ...) NOT-FOR-US: YUNUCMS CVE-2018-18725 (An XSS issue was discovered in admin/banner/editbanner?id=20 in YUNUCM ...) NOT-FOR-US: YUNUCMS CVE-2018-18724 (An XSS issue was discovered in index.php/admin/category/editcategory?i ...) NOT-FOR-US: YUNUCMS CVE-2018-18723 (An XSS issue was discovered in index.php/admin/area/editarea/id/110000 ...) NOT-FOR-US: YUNUCMS CVE-2018-18722 (An XSS issue was discovered in admin/content/editcontent?id=29&gop ...) NOT-FOR-US: YUNUCMS CVE-2018-18721 (An XSS issue was discovered in admin/link/editlink?id=5 in YUNUCMS 1.1 ...) NOT-FOR-US: YUNUCMS CVE-2018-18720 (An XSS issue was discovered in index.php/admin/system/basic in YUNUCMS ...) NOT-FOR-US: YUNUCMS CVE-2018-18719 RESERVED CVE-2018-18718 (An issue was discovered in gThumb through 3.6.2. There is a double-fre ...) {DLA-1567-1} - gthumb 3:3.6.2-2 (unimportant; bug #912290) [stretch] - gthumb 3:3.4.4.1-5+deb9u1 NOTE: https://gitlab.gnome.org/GNOME/gthumb/issues/18 NOTE: https://gitlab.gnome.org/GNOME/gthumb/commit/06c39346fda502bd37429006d4822dd977995661 (master) NOTE: https://gitlab.gnome.org/GNOME/gthumb/commit/f3edf6952757f887569e8c26cf18d40409f3fdca (3.6) NOTE: Crash in end user application, no security impact CVE-2018-18717 (An issue was discovered in Eleanor CMS through 2015-03-19. XSS exists ...) NOT-FOR-US: Eleanor CMS CVE-2018-18716 (Zoho ManageEngine OpManager 12.3 before 123219 has a Self XSS Vulnerab ...) NOT-FOR-US: Zoho ManageEngine OpManager CVE-2018-18715 (Zoho ManageEngine OpManager 12.3 before 123219 has stored XSS. ...) NOT-FOR-US: Zoho ManageEngine OpManager CVE-2018-18714 (RegFilter.sys in IOBit Malware Fighter 6.2 and earlier is susceptible ...) NOT-FOR-US: IOBit Malware Fighter CVE-2018-18713 (The function down_sql_action() in /admin/model/database.class.php in P ...) NOT-FOR-US: PHPYun CVE-2018-18712 (An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerabil ...) NOT-FOR-US: WUZHI CMS CVE-2018-18711 (An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerabil ...) NOT-FOR-US: WUZHI CMS CVE-2018-18709 (An issue was discovered on Tenda AC7 V15.03.06.44_CN, AC9 V15.03.05.19 ...) NOT-FOR-US: Tenda devices CVE-2018-18708 (An issue was discovered on Tenda AC7 V15.03.06.44_CN, AC9 V15.03.05.19 ...) NOT-FOR-US: Tenda devices CVE-2018-18707 (An issue was discovered on Tenda AC7 V15.03.06.44_CN, AC9 V15.03.05.19 ...) NOT-FOR-US: Tenda devices CVE-2018-18706 (An issue was discovered on Tenda AC7 V15.03.06.44_CN, AC9 V15.03.05.19 ...) NOT-FOR-US: Tenda devices CVE-2016-10734 (ProjectSend (formerly cFTP) r582 allows Insecure Direct Object Referen ...) NOT-FOR-US: ProjectSend CVE-2016-10733 (ProjectSend (formerly cFTP) r582 allows directory traversal via file=. ...) NOT-FOR-US: ProjectSend CVE-2016-10732 (ProjectSend (formerly cFTP) r582 allows authentication bypass via a di ...) NOT-FOR-US: ProjectSend CVE-2016-10731 (ProjectSend (formerly cFTP) r582 allows SQL injection via manage-files ...) NOT-FOR-US: ProjectSend CVE-2018-18710 (An issue was discovered in the Linux kernel through 4.19. An informati ...) {DLA-1731-1 DLA-1715-1} - linux 4.18.20-1 [stretch] - linux 4.9.144-1 NOTE: https://git.kernel.org/linus/e4f3aa2e1e67bb48dfbaaf1cad59013d5a5bc276 CVE-2018-18705 (PhpTpoint hospital management system suffers from multiple SQL injecti ...) NOT-FOR-US: PhpTpoint hospital management system CVE-2018-18704 (PhpTpoint Pharmacy Management System suffers from a SQL injection vuln ...) NOT-FOR-US: PhpTpoint Pharmacy Management System CVE-2018-18703 (PhpTpoint Mailing Server Using File Handling 1.0 suffers from multiple ...) NOT-FOR-US: PhpTpoint Mailing Server Using File Handling CVE-2018-18702 (spider.admincp.php in iCMS v7.0.11 allows SQL injection via admincp.ph ...) NOT-FOR-US: iCMS CVE-2018-18701 (An issue was discovered in cp-demangle.c in GNU libiberty, as distribu ...) - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87675 NOTE: Fixed by: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=03e51746ed98d9106803f6009ebd71ea670ad3b9 NOTE: binutils not covered by security support CVE-2018-18700 (An issue was discovered in cp-demangle.c in GNU libiberty, as distribu ...) - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87681 NOTE: Fixed by: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=03e51746ed98d9106803f6009ebd71ea670ad3b9 NOTE: binutils not covered by security support CVE-2018-18699 (An issue was discovered in GoPro gpmf-parser 1.2.1. There is an out-of ...) NOT-FOR-US: GoPro gpmf-parser CVE-2018-18698 (An issue was discovered on Xiaomi Mi A1 tissot_sprout:8.1.0/OPM1.17101 ...) NOT-FOR-US: Xiaomi Mi A1 devices CVE-2018-18697 RESERVED CVE-2018-18696 (** DISPUTED ** main.aspx in Microstrategy Analytics 10.4.0026.0049 and ...) NOT-FOR-US: Microstrategy Analytics CVE-2018-18695 (M2SOFT Report Designer Viewer 5.0 allows a Buffer Overflow with Extend ...) NOT-FOR-US: M2SOFT Report Designer Viewer CVE-2018-18694 (admin/index.php?id=filesmanager in Monstra CMS 3.0.4 allows remote aut ...) NOT-FOR-US: Monstra CMS CVE-2018-18693 RESERVED CVE-2018-18692 (A reflected Cross-Site scripting (XSS) vulnerability in SEMCO Semcosof ...) NOT-FOR-US: SEMCO CVE-2018-18691 RESERVED CVE-2018-18690 (In the Linux kernel before 4.17, a local attacker able to set attribut ...) {DLA-1731-1 DLA-1715-1} - linux 4.17.3-1 [stretch] - linux 4.9.144-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199119 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1105025 NOTE: https://git.kernel.org/linus/7b38460dc8e4eafba06c78f8e37099d3b34d473c CVE-2018-18689 RESERVED CVE-2018-18688 RESERVED CVE-2018-18687 RESERVED CVE-2018-18686 RESERVED CVE-2018-18685 RESERVED CVE-2018-18684 RESERVED CVE-2018-18683 RESERVED CVE-2018-18682 RESERVED CVE-2018-18681 RESERVED CVE-2018-18680 RESERVED CVE-2018-18679 RESERVED CVE-2018-18678 (GNUBOARD5 before 5.3.2.0 has XSS that allows remote attackers to injec ...) NOT-FOR-US: GNU Board CVE-2018-18677 RESERVED CVE-2018-18676 (GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbit ...) NOT-FOR-US: GNU Board CVE-2018-18675 (GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbit ...) NOT-FOR-US: GNU Board CVE-2018-18674 (GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbit ...) NOT-FOR-US: GNU Board CVE-2018-18673 (GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbit ...) NOT-FOR-US: GNU Board CVE-2018-18672 (GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbit ...) NOT-FOR-US: GNU Board CVE-2018-18671 (GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbit ...) NOT-FOR-US: GNU Board CVE-2018-18670 (GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbit ...) NOT-FOR-US: GNU Board CVE-2018-18669 (GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbit ...) NOT-FOR-US: GNU Board CVE-2018-18668 (GNUBOARD5 before 5.3.2.0 has XSS that allows remote attackers to injec ...) NOT-FOR-US: GNU Board CVE-2018-18667 (The mintToken function of Pylon (PYLNT) aka PylonToken, an Ethereum to ...) NOT-FOR-US: Some Ethereum token CVE-2018-18666 (The mintToken function of SwftCoin (SWFTC) aka SwftCoin, an Ethereum t ...) NOT-FOR-US: Some Ethereum token CVE-2018-18665 (The mintToken function of Nexxus (NXX) aka NexxusToken, an Ethereum to ...) NOT-FOR-US: Some Ethereum token CVE-2018-18664 RESERVED CVE-2018-18663 RESERVED CVE-2018-18662 (There is an out-of-bounds read in fz_run_t3_glyph in fitz/font.c in Ar ...) - mupdf 1.14.0+ds1-3 (bug #912013) [jessie] - mupdf (vulnerable code introduced later) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700043 NOTE: http://git.ghostscript.com/?p=mupdf.git;h=164ddc22ee0d5b63a81d5148f44c37dd132a9356 CVE-2018-18661 (An issue was discovered in LibTIFF 4.0.9. There is a NULL pointer dere ...) {DLA-2009-1} - tiff 4.0.10-1 (unimportant; bug #912012) - tiff3 (unimportant) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2819 NOTE: https://gitlab.com/libtiff/libtiff/commit/99b10edde9a0fc28cc0e7b7757aa18ac4c8c225f NOTE: No security impact, crash in CLI tool CVE-2018-18660 (An issue was discovered in Arcserve Unified Data Protection (UDP) thro ...) NOT-FOR-US: Arcserve Unified Data Protection CVE-2018-18659 (An issue was discovered in Arcserve Unified Data Protection (UDP) thro ...) NOT-FOR-US: Arcserve Unified Data Protection CVE-2018-18658 (An issue was discovered in Arcserve Unified Data Protection (UDP) thro ...) NOT-FOR-US: Arcserve Unified Data Protection CVE-2018-18657 (An issue was discovered in Arcserve Unified Data Protection (UDP) thro ...) NOT-FOR-US: Arcserve Unified Data Protection CVE-2018-18656 (The PureVPN client before 6.1.0 for Windows stores Login Credentials ( ...) NOT-FOR-US: PureVPN client for Windows CVE-2018-18653 (The Linux kernel, as used in Ubuntu 18.10 and when booted with UEFI Se ...) - linux TODO: check, this should be very Ubuntu specific, but it is introduced with the out-of-tree patch from the Lockdown patchset https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/cosmic/commit/?id=03c7de9e956395f3b36f86f89b62780ad9501eef and so possibly affect our kernel as well in some way. CVE-2018-18652 (A remote command execution vulnerability in Veritas NetBackup Applianc ...) NOT-FOR-US: Veritas NetBackup Appliance CVE-2018-18655 (Prayer through 1.3.5 sends a Referer header, containing a user's usern ...) - prayer 1.3.5-dfsg1-5 (low; bug #911842) [stretch] - prayer (Minor issue) [jessie] - prayer (Minor issue) CVE-2018-18654 (Crossroads 2.81 does not properly handle the /tmp directory during a b ...) - crossroads (unimportant; bug #911877) NOTE: Issue exploitable only during build of package CVE-2018-18651 (An issue was discovered in Xpdf 4.00. catalog->getNumPages() in Acr ...) - xpdf (xpdf in Debian uses poppler, which is not affected or fixed) CVE-2018-18650 (An issue was discovered in Xpdf 4.00. XRef::readXRefStream in XRef.cc ...) - xpdf (xpdf in Debian uses poppler, which is not affected or fixed) CVE-2018-18649 (An issue was discovered in the wiki API in GitLab Community and Enterp ...) - gitlab (Only affects 11.3 and later) NOTE: https://about.gitlab.com/2018/10/29/security-release-gitlab-11-dot-4-dot-3-released/ CVE-2018-18648 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab (Only affects 11.2 and later) NOTE: https://about.gitlab.com/2018/10/29/security-release-gitlab-11-dot-4-dot-3-released/ CVE-2018-18647 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab (Only affects GitLab EE) NOTE: https://about.gitlab.com/2018/10/29/security-release-gitlab-11-dot-4-dot-3-released/ CVE-2018-18646 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) [experimental] - gitlab 11.2.8+dfsg-1 - gitlab 11.2.8+dfsg-2 NOTE: https://about.gitlab.com/2018/10/29/security-release-gitlab-11-dot-4-dot-3-released/ CVE-2018-18645 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) [experimental] - gitlab 11.2.8+dfsg-1 - gitlab 11.2.8+dfsg-2 NOTE: https://about.gitlab.com/2018/10/29/security-release-gitlab-11-dot-4-dot-3-released/ CVE-2018-18644 (An issue was discovered in GitLab Community and Enterprise Edition 11. ...) - gitlab (Only affects GitLab EE) NOTE: https://about.gitlab.com/2018/10/29/security-release-gitlab-11-dot-4-dot-3-released/ CVE-2018-18643 (GitLab CE & EE 11.2 and later and before 11.5.0-rc12, 11.4.6, and ...) - gitlab (Only affects 11.2 and later) NOTE: https://about.gitlab.com/2018/10/29/security-release-gitlab-11-dot-4-dot-3-released/ CVE-2018-18642 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab (Only affects GitLab EE) NOTE: https://about.gitlab.com/2018/10/29/security-release-gitlab-11-dot-4-dot-3-released/ CVE-2018-18641 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) [experimental] - gitlab 11.2.8+dfsg-1 - gitlab 11.2.8+dfsg-2 NOTE: https://about.gitlab.com/2018/10/29/security-release-gitlab-11-dot-4-dot-3-released/ CVE-2018-18640 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) [experimental] - gitlab 11.2.8+dfsg-1 - gitlab 11.2.8+dfsg-2 NOTE: https://about.gitlab.com/2018/10/29/security-release-gitlab-11-dot-4-dot-3-released/ CVE-2018-18639 RESERVED CVE-2018-18638 (A command injection vulnerability in the setup API in the Neato Botvac ...) NOT-FOR-US: Neato CVE-2018-18637 RESERVED CVE-2018-18636 (XSS exists in cgi-bin/webcm on D-link DSL-2640T routers via the var:Re ...) NOT-FOR-US: D-Link CVE-2018-18635 (www/guis/admin/application/controllers/UserController.php in the admin ...) NOT-FOR-US: MailCleaner CVE-2018-18634 RESERVED CVE-2018-18633 RESERVED CVE-2018-18632 RESERVED CVE-2016-10730 (An issue was discovered in Amanda 3.3.1. A user with backup privileges ...) - amanda (unimportant) NOTE: https://www.exploit-db.com/exploits/39244/ NOTE: /usr/lib/amanda/application/amstar can only be run by members of the backup NOTE: group (which is root-equivalent due to being able to perform restores e.g.) CVE-2016-10729 (An issue was discovered in Amanda 3.3.1. A user with backup privileges ...) - amanda (unimportant) NOTE: https://www.exploit-db.com/exploits/39217/ NOTE: /usr/lib/amanda/runtar can only be run by members of the backup NOTE: group (which is root-equivalent due to being able to perform restores e.g.) CVE-2018-18883 (An issue was discovered in Xen 4.9.x through 4.11.x, on Intel x86 plat ...) - xen 4.11.1-1 [stretch] - xen (Only affects 4.9 and later) [jessie] - xen (Only affects 4.9 and later) NOTE: https://xenbits.xen.org/xsa/advisory-278.txt CVE-2018-18631 (mailboxd component in Synacor Zimbra Collaboration Suite 8.6, 8.7 befo ...) NOT-FOR-US: Synacor Zimbra Collaboration Suite CVE-2018-18630 (A vulnerability was found in McKesson Cardiology product 13.x and 14.x ...) NOT-FOR-US: McKesson Cardiology CVE-2018-18629 (An issue was discovered in the Keybase command-line client before 2.8. ...) NOT-FOR-US: Keybase command-line client CVE-2018-18628 (An issue was discovered in Pippo 1.11.0. The function SerializationSes ...) NOT-FOR-US: Pippo CVE-2017-18349 (parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pi ...) NOT-FOR-US: FastjsonEngine CVE-2018-18627 RESERVED CVE-2018-18626 (An issue was discovered in PHPYun V4.6. There is a vulnerability that ...) NOT-FOR-US: PHPYun CVE-2018-18625 (Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > ...) - grafana CVE-2018-18624 (Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table ...) - grafana CVE-2018-18623 (Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE ...) - grafana CVE-2018-18622 (An issue was discovered in Waimai Super Cms 20150505. There is XSS via ...) NOT-FOR-US: Waimai Super Cms CVE-2018-18621 (CommuniGate Pro 6.2 allows stored XSS via a message body in Pronto! Ma ...) NOT-FOR-US: CommuniGate Pro CVE-2018-18620 RESERVED CVE-2018-18619 (internal/advanced_comment_system/admin.php in Advanced Comment System ...) NOT-FOR-US: Advanced Comment System CVE-2018-18618 RESERVED CVE-2018-18617 RESERVED CVE-2018-18616 RESERVED CVE-2018-18615 RESERVED CVE-2018-18614 RESERVED CVE-2018-18613 RESERVED CVE-2018-18612 RESERVED CVE-2018-18611 RESERVED CVE-2018-18610 RESERVED CVE-2018-18609 RESERVED CVE-2018-18608 (DedeCMS 5.7 SP2 allows XSS via the function named GetPageList defined ...) NOT-FOR-US: DedeCMS CVE-2018-18607 (An issue was discovered in elf_link_input_bfd in elflink.c in the Bina ...) [experimental] - binutils 2.31.51.20181204-1 - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23805 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=102def4da826b3d9e169741421e5e67e8731909a NOTE: binutils not covered by security support CVE-2018-18606 (An issue was discovered in the merge_strings function in merge.c in th ...) [experimental] - binutils 2.31.51.20181204-1 - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23806 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=45a0eaf77022963d639d6d19871dbab7b79703fc NOTE: binutils not covered by security support CVE-2018-18605 (A heap-based buffer over-read issue was discovered in the function sec ...) [experimental] - binutils 2.31.51.20181204-1 - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23804 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ab419ddbb2cdd17ca83618990f2cacf904ce1d61 NOTE: binutils not covered by security support CVE-2018-18604 RESERVED CVE-2018-18603 (** DISPUTED ** 360 Total Security 3.5.0.1033 allows a Sandbox Escape v ...) NOT-FOR-US: 360 Total Security CVE-2018-18602 (The Cloud API on Guardzilla smart cameras allows user enumeration, wit ...) NOT-FOR-US: Guardzilla CVE-2018-18601 (The TK_set_deviceModel_req_handle function in the cloud communication ...) NOT-FOR-US: Guardzilla CVE-2018-18600 (The remote upgrade feature in Guardzilla GZ180 devices allow command i ...) NOT-FOR-US: Guardzilla CVE-2018-18599 (Stegdetect through 2018-05-26 has an out-of-bounds write in f5_compres ...) - stegdetect CVE-2018-18598 RESERVED CVE-2018-18597 RESERVED CVE-2018-18596 RESERVED CVE-2018-18595 RESERVED CVE-2018-18594 RESERVED CVE-2018-18593 (Remote Directory Traversal and Remote Disclosure of Privileged Informa ...) NOT-FOR-US: UCMDB Configuration Management Service CVE-2018-18592 RESERVED CVE-2018-18591 (A potential unauthorized disclosure of data vulnerability has been ide ...) NOT-FOR-US: Micro Focus CVE-2018-18590 (A potential remote code execution and information disclosure vulnerabi ...) NOT-FOR-US: Micro Focus CVE-2018-18589 (A potential Remote Arbitrary Code Execution vulnerability has been ide ...) NOT-FOR-US: Micro Focus CVE-2018-18588 RESERVED CVE-2018-18587 (BigProf AppGini 5.70 stores the passwords in the database using the MD ...) NOT-FOR-US: BigProf AppGini CVE-2018-18583 (An issue has been found in LuPng through 2017-03-10. It is a heap-base ...) NOT-FOR-US: LuPng CVE-2018-18582 (An issue has been found in LuPng through 2017-03-10. It is a heap-base ...) NOT-FOR-US: LuPng CVE-2018-18581 (An issue has been found in LuPng through 2017-03-10. It is a heap-base ...) NOT-FOR-US: LuPng CVE-2018-18580 RESERVED CVE-2018-18579 (Reflected XSS exists in DedeCMS 5.7 SP2 via the /member/pm.php folder ...) NOT-FOR-US: DedeCMS CVE-2018-18578 (DedeCMS 5.7 SP2 allows XSS via the plus/qrcode.php type parameter. ...) NOT-FOR-US: DedeCMS CVE-2018-18577 RESERVED CVE-2018-18576 (The Hustle (aka wordpress-popup) plugin through 6.0.5 for WordPress al ...) NOT-FOR-US: Hustle (aka wordpress-popup) plugin for WordPress CVE-2018-18585 (chmd_read_headers in mspack/chmd.c in libmspack before 0.8alpha accept ...) {DLA-1555-1} - libmspack 0.8-1 (bug #911637) [stretch] - libmspack 0.5-1+deb9u3 NOTE: https://github.com/kyz/libmspack/commit/8759da8db6ec9e866cb8eb143313f397f925bb4f NOTE: https://www.openwall.com/lists/oss-security/2018/10/22/1 CVE-2018-18586 (** DISPUTED ** chmextract.c in the chmextract sample program, as distr ...) - libmspack 0.8-1 (unimportant; bug #911639) NOTE: https://github.com/kyz/libmspack/commit/7cadd489698be117c47efcadd742651594429e6d NOTE: https://www.openwall.com/lists/oss-security/2018/10/22/1 NOTE: src/chmextract.c was renamed from originally test/chmx.c NOTE: This sample code is not installed into the binary packages and was as well NOTE: never the idea to use it in "productised" binaries, but rather just simple NOTE: examples of the library use. CVE-2018-18584 (In mspack/cab.h in libmspack before 0.8alpha and cabextract before 1.8 ...) {DLA-1555-1} - cabextract 1.4-5 NOTE: Starting with 1.4-5 cabextract uses the mspack system library - libmspack 0.8-1 (bug #911640) [stretch] - libmspack 0.5-1+deb9u3 NOTE: https://github.com/kyz/libmspack/commit/40ef1b4093d77ad3a5cfcee1f5cb6108b3a3bcc2 NOTE: https://www.openwall.com/lists/oss-security/2018/10/22/1 CVE-2018-18575 RESERVED CVE-2018-18574 RESERVED CVE-2018-18573 (osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filteri ...) NOT-FOR-US: osCommerce CVE-2018-18572 (osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filteri ...) NOT-FOR-US: osCommerce CVE-2018-18571 (An Incorrect Access Control vulnerability has been identified in Citri ...) NOT-FOR-US: Citrix CVE-2018-18570 (Planon before Live Build 41 has XSS. ...) NOT-FOR-US: Planon CVE-2018-18569 (The Dundas BI server before 5.0.1.1010 is vulnerable to a Server-Side ...) NOT-FOR-US: Dundas BI CVE-2018-18568 (Polycom VVX 500 and 601 devices 5.8.0.12848 and earlier allows man-in- ...) NOT-FOR-US: Polycom CVE-2018-18567 (AudioCodes 440HD and 450HD devices 3.1.2.89 and earlier allows man-in- ...) NOT-FOR-US: AudioCodes devices CVE-2018-18566 (The SIP service in Polycom VVX 500 and 601 devices 5.8.0.12848 and ear ...) NOT-FOR-US: Polycom CVE-2018-18565 (An issue was discovered in Roche Accu-Chek Inform II Instrument before ...) NOT-FOR-US: Roche Diagnostics CVE-2018-18564 (An issue was discovered in Roche Accu-Chek Inform II Instrument before ...) NOT-FOR-US: Roche Diagnostics CVE-2018-18563 (An issue was discovered in Roche Accu-Chek Inform II Instrument before ...) NOT-FOR-US: Roche Diagnostics CVE-2018-18562 (An issue was discovered in Roche Accu-Chek Inform II Base Unit / Base ...) NOT-FOR-US: Roche Diagnostics CVE-2018-18561 (An issue was discovered in Roche Accu-Chek Inform II Base Unit / Base ...) NOT-FOR-US: Roche Diagnostics CVE-2018-18560 RESERVED CVE-2018-18559 (In the Linux kernel through 4.19, a use-after-free can occur due to a ...) - linux 4.14.7-1 [stretch] - linux 4.9.80-1 [jessie] - linux 3.16.56-1 NOTE: Fixed by: https://git.kernel.org/linus/15fe076edea787807a7cdc168df832544b58eba6 CVE-2018-18558 (An issue was discovered in Espressif ESP-IDF 2.x and 3.x before 3.0.6 ...) NOT-FOR-US: Espressif ESP-IDF CVE-2018-18557 (LibTIFF 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into ...) {DSA-4349-1 DLA-1557-1} - tiff 4.0.9+git181026-1 (bug #911635) - tiff3 NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1697 NOTE: https://gitlab.com/libtiff/libtiff/merge_requests/38 NOTE: https://gitlab.com/libtiff/libtiff/commit/681748ec2f5ce88da5f9fa6831e1653e46af8a66 CVE-2018-20860 (libopenmpt before 0.3.13 allows a crash with malformed MED files. ...) - libopenmpt 0.3.13-1 (low; bug #911584) [stretch] - libopenmpt (Minor issue) NOTE: https://lib.openmpt.org/libopenmpt/2018/10/21/security-updates-0.3.13-0.2.10933-beta36-0.2.7561-beta20.5-p11-0.2.7386-beta20.3-p14/ NOTE: https://source.openmpt.org/browse/openmpt/trunk/?op=revision&rev=10903 CVE-2018-18556 (A privilege escalation issue was discovered in VyOS 1.1.8. The default ...) NOT-FOR-US: VyOS CVE-2018-18555 (A sandbox escape issue was discovered in VyOS 1.1.8. It provides a res ...) NOT-FOR-US: VyOS CVE-2018-18554 RESERVED CVE-2018-18553 (Leanote 2.6.1 has XSS via the Blog Basic Setting title field, which is ...) NOT-FOR-US: Leanote CVE-2018-18552 (ServersCheck Monitoring Software through 14.3.3 allows local users to ...) NOT-FOR-US: ServersCheck Monitoring Software CVE-2018-18551 (ServersCheck Monitoring Software through 14.3.3 has Persistent and Ref ...) NOT-FOR-US: ServersCheck Monitoring Software CVE-2018-18550 (ServersCheck Monitoring Software before 14.3.4 allows SQL Injection by ...) NOT-FOR-US: ServersCheck Monitoring Software CVE-2018-18549 RESERVED CVE-2018-18548 (ajenticp (aka Ajenti Docker control panel) for Ajenti through v1.2.23. ...) NOT-FOR-US: Ajenti CVE-2018-18547 (Vesta Control Panel through 0.9.8-22 has XSS via the edit/web/ domain ...) NOT-FOR-US: Vesta Control Panel CVE-2018-18546 (ThinkPHP 3.2.4 has SQL Injection via the order parameter because the L ...) NOT-FOR-US: ThinkPHP CVE-2018-18545 (Fiyo CMS 2.0.7 has XSS via the dapur\apps\app_user\edit_user.php name ...) NOT-FOR-US: Fiyo CMS CVE-2018-18544 (There is a memory leak in the function WriteMSLImage of coders/msl.c i ...) - imagemagick 8:6.9.10.14+dfsg-1 (unimportant) - graphicsmagick 1.3.31-1 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1360 CVE-2018-18543 RESERVED CVE-2018-18542 RESERVED CVE-2018-18540 (TeaKKi 2.7 allows XSS via a crafted onerror attribute for a picture's ...) NOT-FOR-US: TeaKKi CVE-2018-18539 RESERVED CVE-2018-18541 (In Teeworlds before 0.6.5, connection packets could be forged. There w ...) {DSA-4329-1} - teeworlds 0.7.0-1 (bug #911487) [jessie] - teeworlds (Not supported in jessie LTS) NOTE: https://www.teeworlds.com/forum/viewtopic.php?id=12544 NOTE: https://github.com/teeworlds/teeworlds/issues/1536 NOTE: https://github.com/teeworlds/teeworlds/commit/a263185571903ead01f6b351a91ea219ac9d215f NOTE: https://github.com/teeworlds/teeworlds/commit/aababc63eeeee1bc41672502ca6c7a1dd9f61d94 NOTE: https://github.com/teeworlds/teeworlds/commit/f5fa1a92ed81ed8da721e803a036b1553a38e39e CVE-2018-18538 RESERVED CVE-2018-18537 (The GLCKIo low-level driver in ASUS Aura Sync v1.07.22 and earlier exp ...) NOT-FOR-US: ASUS CVE-2018-18536 (The GLCKIo and Asusgio low-level drivers in ASUS Aura Sync v1.07.22 an ...) NOT-FOR-US: ASUS CVE-2018-18535 (The Asusgio low-level driver in ASUS Aura Sync v1.07.22 and earlier ex ...) NOT-FOR-US: ASUS CVE-2018-18534 RESERVED CVE-2018-18533 RESERVED CVE-2018-18532 RESERVED CVE-2018-18531 (text/impl/DefaultTextCreator.java, text/impl/ChineseTextProducer.java, ...) NOT-FOR-US: kaptcha CVE-2018-18530 (ThinkPHP 5.1.25 has SQL Injection via the count parameter because the ...) NOT-FOR-US: ThinkPHP CVE-2018-18529 (ThinkPHP 3.2.4 has SQL Injection via the count parameter because the L ...) NOT-FOR-US: ThinkPHP CVE-2018-18528 RESERVED CVE-2018-18527 (OwnTicket 2018-05-23 allows SQL Injection via the showTicketId or edit ...) NOT-FOR-US: OwnTicket CVE-2018-18526 RESERVED CVE-2018-18525 RESERVED CVE-2018-18524 (Evernote 6.15 on Windows has an incorrectly repaired stored XSS vulner ...) NOT-FOR-US: Evernote CVE-2018-18523 RESERVED CVE-2018-18522 RESERVED CVE-2018-18521 (Divide-by-zero vulnerabilities in the function arlib_add_symbols() in ...) {DLA-1689-1} - elfutils 0.175-1 (low; bug #911413) [stretch] - elfutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23786 NOTE: https://sourceware.org/ml/elfutils-devel/2018-q4/msg00055.html NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=2b16a9be69939822dcafe075413468daac98b327 CVE-2018-18520 (An Invalid Memory Address Dereference exists in the function elf_end i ...) {DLA-1689-1} - elfutils 0.175-1 (low; bug #911414) [stretch] - elfutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23787 NOTE: https://sourceware.org/ml/elfutils-devel/2018-q4/msg00057.html NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=22d2d082d57a7470fadc0eae67179553f4919209 CVE-2018-18519 (BestXsoftware Best Free Keylogger before 6.0.0 allows local users to g ...) NOT-FOR-US: BestXsoftware Best Free Keylogger CVE-2018-18518 RESERVED CVE-2018-18517 (Citrix NetScaler Gateway 10.5.x before 10.5.69.003, 11.1.x before 11.1 ...) NOT-FOR-US: Citrix CVE-2018-18516 REJECTED CVE-2018-18515 REJECTED CVE-2018-18514 REJECTED CVE-2018-18513 (A crash can occur when processing a crafted S/MIME message or an XPI p ...) {DSA-4392-1 DLA-1678-1} - thunderbird 1:60.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-03/#CVE-2018-18513 CVE-2018-18512 (A use-after-free vulnerability can occur while playing a sound notific ...) {DSA-4392-1 DLA-1678-1} - thunderbird 1:60.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-03/#CVE-2018-18512 CVE-2018-18511 (Cross-origin images can be read from a canvas element in violation of ...) {DSA-4451-1 DSA-4448-1 DLA-1806-1 DLA-1800-1} - firefox 65.0.1-1 - firefox-esr 60.7.0esr-1 - thunderbird 1:60.7.0-1 - skia (bug #818180) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-04/#CVE-2018-18511 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2018-18511 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2018-18511 CVE-2018-18510 (The about:crashcontent and about:crashparent pages can be triggered by ...) - firefox 64.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/#CVE-2018-18510 CVE-2018-18509 (A flaw during verification of certain S/MIME signatures causes emails ...) {DSA-4392-1 DLA-1678-1} - thunderbird 1:60.5.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-06/#CVE-2018-18511 CVE-2018-18508 [NULL pointer dereference in several CMS functions resulting in a denial of service] RESERVED {DLA-1704-1} - nss 2:3.42.1-1 (bug #921614) NOTE: https://hg.mozilla.org/projects/nss/rev/08d1b0c1117f NOTE: https://hg.mozilla.org/projects/nss/rev/5e70b72131ac NOTE: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.42.1_release_notes CVE-2018-18507 REJECTED CVE-2018-18506 (When proxy auto-detection is enabled, if a web server serves a Proxy A ...) {DSA-4420-1 DSA-4411-1 DLA-1743-1 DLA-1722-1} - firefox 65.0-1 - firefox-esr 60.6.0esr-1 - thunderbird 1:60.6.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-08/#CVE-2018-18506 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18506 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-11/#CVE-2018-18506 CVE-2018-18505 (An earlier fix for an Inter-process Communication (IPC) vulnerability, ...) {DSA-4392-1 DSA-4376-1 DLA-1678-1 DLA-1648-1} - firefox 65.0-1 - firefox-esr 60.5.0esr-1 - thunderbird 1:60.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18505 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-02/#CVE-2018-18505 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-03/#CVE-2018-18505 CVE-2018-18504 (A crash and out-of-bounds read can occur when the buffer of a texture ...) - firefox 65.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18504 CVE-2018-18503 (When JavaScript is used to create and manipulate an audio buffer, a po ...) - firefox 65.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18503 CVE-2018-18502 (Mozilla developers and community members reported memory safety bugs p ...) - firefox 65.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18502 CVE-2018-18501 (Mozilla developers and community members reported memory safety bugs p ...) {DSA-4392-1 DSA-4376-1 DLA-1678-1 DLA-1648-1} - firefox 65.0-1 - firefox-esr 60.5.0esr-1 - thunderbird 1:60.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18501 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-02/#CVE-2018-18501 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-03/#CVE-2018-18501 CVE-2018-18500 (A use-after-free vulnerability can occur while parsing an HTML5 stream ...) {DSA-4392-1 DSA-4376-1 DLA-1678-1 DLA-1648-1} - firefox 65.0-1 - firefox-esr 60.5.0esr-1 - thunderbird 1:60.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18500 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-02/#CVE-2018-18500 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-03/#CVE-2018-18500 CVE-2018-18499 (A same-origin policy violation allowing the theft of cross-origin URL ...) {DSA-4327-1 DSA-4287-1 DLA-1575-1 DLA-1571-1} - firefox 62.0-1 - firefox-esr 60.2.0esr-1 - thunderbird 1:60.2.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-20/#CVE-2018-18499 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-21/#CVE-2018-18499 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-25/#CVE-2018-18499 CVE-2018-18498 (A potential vulnerability leading to an integer overflow can occur dur ...) {DSA-4362-1 DSA-4354-1 DLA-1624-1 DLA-1605-1} - firefox 64.0-1 - firefox-esr 60.4.0esr-1 - thunderbird 1:60.4.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/#CVE-2018-18498 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-30/#CVE-2018-18498 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-31/#CVE-2018-18498 CVE-2018-18497 (Limitations on the URIs allowed to WebExtensions by the browser.window ...) - firefox 64.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/#CVE-2018-18497 CVE-2018-18496 (When the RSS Feed preview about:feeds page is framed within another pa ...) - firefox (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/#CVE-2018-18496 CVE-2018-18495 (WebExtension content scripts can be loaded into about: pages in some c ...) - firefox 64.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/#CVE-2018-18495 CVE-2018-18494 (A same-origin policy violation allowing the theft of cross-origin URL ...) {DSA-4362-1 DSA-4354-1 DLA-1624-1 DLA-1605-1} - firefox 64.0-1 - firefox-esr 60.4.0esr-1 - thunderbird 1:60.4.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/#CVE-2018-18494 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-30/#CVE-2018-18494 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-31/#CVE-2018-18494 CVE-2018-18493 (A buffer overflow can occur in the Skia library during buffer offset c ...) {DSA-4362-1 DSA-4354-1 DLA-1624-1 DLA-1605-1} - firefox 64.0-1 - firefox-esr 60.4.0esr-1 - thunderbird 1:60.4.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/#CVE-2018-18493 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-30/#CVE-2018-18493 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-31/#CVE-2018-18493 CVE-2018-18492 (A use-after-free vulnerability can occur after deleting a selection el ...) {DSA-4362-1 DSA-4354-1 DLA-1624-1 DLA-1605-1} - firefox 64.0-1 - firefox-esr 60.4.0esr-1 - thunderbird 1:60.4.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/#CVE-2018-18492 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-30/#CVE-2018-18492 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-31/#CVE-2018-18492 CVE-2018-18491 RESERVED CVE-2018-18490 RESERVED CVE-2018-18489 (The ping feature in the Diagnostic functionality on TP-LINK WR840N v2 ...) NOT-FOR-US: TP-LINK CVE-2018-18488 (In \lib\admin\action\dataaction.class.php in Gxlcms v2.0, SQL Injectio ...) NOT-FOR-US: Gxlcms CVE-2018-18487 (In \lib\admin\action\dataaction.class.php in Gxlcms v2.0, the database ...) NOT-FOR-US: Gxlcms CVE-2018-18486 (An issue was discovered in PHPSHE 1.7. SQL injection exists via the ad ...) NOT-FOR-US: PHPSHE CVE-2018-18485 (An issue was discovered in PHPSHE 1.7. admin.php?mod=db&act=del al ...) NOT-FOR-US: PHPSHE CVE-2018-18484 (An issue was discovered in cp-demangle.c in GNU libiberty, as distribu ...) - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636 NOTE: Fixed by: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=03e51746ed98d9106803f6009ebd71ea670ad3b9 NOTE: binutils not covered by security support CVE-2018-18483 (The get_count function in cplus-dem.c in GNU libiberty, as distributed ...) - binutils (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23767 NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87602 NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83472 NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79111 NOTE: binutils not covered by security support CVE-2018-18482 (An issue was discovered in libpg_query 10-1.0.2. There is a memory lea ...) NOT-FOR-US: libpg_query CVE-2018-18481 (A heap-based buffer over-read exists in libopencad 0.2.0 in the ReadCH ...) NOT-FOR-US: libopencad CVE-2018-18480 (A heap-based buffer over-read exists in libopencad 0.2.0 in the ReadMC ...) NOT-FOR-US: libopencad CVE-2018-18479 REJECTED CVE-2018-18478 (Persistent Cross-Site Scripting (XSS) issues in LibreNMS before 1.44 a ...) NOT-FOR-US: LibreNMS CVE-2018-18477 RESERVED CVE-2018-18476 (mysql-binuuid-rails 1.1.0 and earlier allows SQL Injection because it ...) NOT-FOR-US: mysql-binuuid-rails CVE-2018-18475 (Zoho ManageEngine OpManager before 12.3 build 123214 allows Unrestrict ...) NOT-FOR-US: Zoho CVE-2018-18474 RESERVED CVE-2018-18473 (A hidden backdoor on PATLITE NH-FB Series devices with firmware versio ...) NOT-FOR-US: PATLITE NBM-D88N CVE-2018-18472 (Western Digital WD My Book Live (all versions) has a root Remote Comma ...) NOT-FOR-US: Western Digital WD My Book Live CVE-2018-18471 (/api/2.0/rest/aggregator/xml in Axentra firmware, used by NETGEAR Stor ...) NOT-FOR-US: Axentra firmware CVE-2018-18470 RESERVED CVE-2018-18469 RESERVED CVE-2018-18468 RESERVED CVE-2018-18467 (An issue was discovered in Daniel Gultsch Conversations 2.3.4. It is p ...) NOT-FOR-US: Daniel Gultsch Conversations CVE-2018-18466 (** DISPUTED ** An issue was discovered in SecurEnvoy SecurAccess 9.3.5 ...) NOT-FOR-US: SecurEnvoy SecurAccess CVE-2018-18465 RESERVED CVE-2018-18464 RESERVED CVE-2018-18463 RESERVED CVE-2018-18462 RESERVED CVE-2018-XXXX [Injection in DefaultMailSystem::mail()] - drupal7 (bug #911337) [stretch] - drupal7 7.52-2+deb9u5 [jessie] - drupal7 7.32-1+deb8u13 NOTE: https://www.drupal.org/sa-core-2018-006 NOTE: http://cgit.drupalcode.org/drupal/commit/?id=ee301cf5ebff3534b59fcece583b3a0e4f094f15 CVE-2018-XXXX [External URL injection through URL aliases] - drupal7 (bug #911336) [stretch] - drupal7 7.52-2+deb9u5 [jessie] - drupal7 7.32-1+deb8u13 NOTE: https://www.drupal.org/sa-core-2018-006 NOTE: http://cgit.drupalcode.org/drupal/commit/?id=ee301cf5ebff3534b59fcece583b3a0e4f094f15 CVE-2018-18461 (The Arigato Autoresponder and Newsletter (aka bft-autoresponder) v2.5. ...) NOT-FOR-US: Arigato CVE-2018-18460 (XSS exists in the wp-live-chat-support v8.0.15 plugin for WordPress vi ...) NOT-FOR-US: Wordpress plugin CVE-2018-18459 (The function DCTStream::getBlock in Stream.cc in Xpdf 4.00 allows remo ...) - xpdf (unimportant) NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=41217 NOTE: https://github.com/TeamSeri0us/pocs/tree/master/xpdf/2018_10_16/pdftoppm NOTE: no security impact, crash in CLI tool CVE-2018-18458 (The function DCTStream::decodeImage in Stream.cc in Xpdf 4.00 allows r ...) - xpdf (unimportant) NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=41217 NOTE: https://github.com/TeamSeri0us/pocs/tree/master/xpdf/2018_10_16/pdftoppm NOTE: no security impact, crash in CLI tool CVE-2018-18457 (The function DCTStream::readScan in Stream.cc in Xpdf 4.00 allows remo ...) - xpdf (unimportant) NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=41217 NOTE: https://github.com/TeamSeri0us/pocs/tree/master/xpdf/2018_10_16/pdftoppm NOTE: no security impact, crash in CLI tool CVE-2018-18456 (The function Object::isName() in Object.h (called from Gfx::opSetFillC ...) - xpdf (unimportant) NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=41217 NOTE: https://github.com/TeamSeri0us/pocs/tree/master/xpdf/2018_10_16/pdftoppm NOTE: no security impact, crash in CLI tool CVE-2018-18455 (The GfxImageColorMap class in GfxState.cc in Xpdf 4.00 allows remote a ...) - xpdf (unimportant) NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=41217 NOTE: https://github.com/TeamSeri0us/pocs/tree/master/xpdf/2018_10_16/pdftoppm NOTE: no security impact, crash in CLI tool CVE-2018-18454 (CCITTFaxStream::readRow() in Stream.cc in Xpdf 4.00 allows remote atta ...) - xpdf (unimportant) NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=41217 NOTE: https://github.com/TeamSeri0us/pocs/tree/master/xpdf/2018_10_16/pdftoppm NOTE: no security impact, crash in CLI tool CVE-2018-18453 RESERVED CVE-2018-18452 RESERVED CVE-2018-18451 RESERVED CVE-2018-18450 (apps\admin\controller\content\SingleController.php in PbootCMS before ...) NOT-FOR-US: PbooCMS CVE-2018-18449 (EmpireCMS 7.5 allows CSRF for adding a user account via an enews=AddUs ...) NOT-FOR-US: EmpireCMS CVE-2018-18448 RESERVED CVE-2018-18447 RESERVED CVE-2018-18446 RESERVED CVE-2018-18444 (makeMultiView.cpp in exrmultiview in OpenEXR 2.3.0 has an out-of-bound ...) - openexr (unimportant) NOTE: Issue in exrmultiview which is not installed in the binary package. NOTE: https://github.com/openexr/openexr/issues/351 CVE-2018-18443 (OpenEXR 2.3.0 has a memory leak in ThreadPool in IlmBase/IlmThread/Ilm ...) - openexr (unimportant) NOTE: https://github.com/openexr/openexr/issues/350 NOTE: https://github.com/openexr/openexr/commit/adbc1900cb9d25fcc4df008d4008b781cf2fa4f8 NOTE: Memory leak with overall negligible security impact CVE-2018-18442 (D-Link DCS-825L devices with firmware 1.08 do not employ a suitable me ...) NOT-FOR-US: D-Link CVE-2018-18441 (D-Link DCS series Wi-Fi cameras expose sensitive information regarding ...) NOT-FOR-US: D-Link CVE-2018-18440 (DENX U-Boot through 2018.09-rc1 has a locally exploitable buffer overf ...) - u-boot (unimportant) NOTE: https://www.openwall.com/lists/oss-security/2018/11/02/2 NOTE: No security impact as supported/packaged in Debian CVE-2018-18439 (DENX U-Boot through 2018.09-rc1 has a remotely exploitable buffer over ...) - u-boot (unimportant) NOTE: https://www.openwall.com/lists/oss-security/2018/11/02/2 NOTE: No security impact as supported/packaged in Debian CVE-2018-18445 (In the Linux kernel 4.14.x, 4.15.x, 4.16.x, 4.17.x, and 4.18.x before ...) - linux 4.18.20-1 [stretch] - linux (Vulnerable code introduced later) [jessie] - linux (Vulnerable code introduced later) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1686 NOTE: https://git.kernel.org/linus/b799207e1e1816b09e7a5920fbb2d5fcf6edd681 CVE-2018-18438 (Qemu has integer overflows because IOReadHandler and its associated fu ...) - qemu 1:3.1+dfsg-1 (bug #911470) [stretch] - qemu (Minor issue, too intrusive to backport) [jessie] - qemu (Minor issue, too intrusive to backport) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg02396.html NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg02402.html NOTE: https://www.openwall.com/lists/oss-security/2018/10/17/3 CVE-2018-18437 (In AXIOS ITALIA Axioscloud Sissiweb Registro Elettronico 1.7.0, secret ...) NOT-FOR-US: AXIOS CVE-2018-18436 (JTBC(PHP) 3.0 allows CSRF for creating an account via the console/acco ...) NOT-FOR-US: JTBC(PHP) CVE-2018-18435 (KioWare Server version 4.9.6 and older installs by default to "C:\kiow ...) NOT-FOR-US: KioWare Server CVE-2018-18434 (An issue was discovered in litemall 0.9.0. Arbitrary file download is ...) NOT-FOR-US: litemall CVE-2018-18433 (An issue was discovered in DESTOON B2B 7.0. admin/category.inc.php has ...) NOT-FOR-US: DESTOON B2B CVE-2018-18432 (An issue was discovered in DESTOON B2B 7.0. CSRF exists via the admin. ...) NOT-FOR-US: DESTOON B2B CVE-2018-18431 (An issue was discovered in DESTOON B2B 7.0. XSS exists via certain tex ...) NOT-FOR-US: DESTOON B2B CVE-2018-18430 (An issue was discovered in DESTOON B2B 7.0. admin\setting.inc.php has ...) NOT-FOR-US: DESTOON B2B CVE-2018-18429 RESERVED CVE-2018-18428 (TP-Link TL-SC3130 1.6.18P12_121101 devices allow unauthenticated RTSP ...) NOT-FOR-US: TP-Link CVE-2018-18427 (s-cms 3.0 allows SQL Injection via the member/post.php 0_id parameter ...) NOT-FOR-US: s-cms CVE-2018-18426 (s-cms 3.0 allows remote attackers to execute arbitrary PHP code by pla ...) NOT-FOR-US: s-cms CVE-2018-18425 (The doAirdrop function of a smart contract implementation for Primeo ( ...) NOT-FOR-US: Primeo CVE-2018-18424 RESERVED CVE-2018-18423 RESERVED CVE-2018-18422 (UsualToolCMS 8.0 allows CSRF for adding a user account via the cmsadmi ...) NOT-FOR-US: UsualToolCMS CVE-2018-18421 RESERVED CVE-2018-18420 (Cross-Site Request Forgery (CSRF) vulnerability was discovered in the ...) NOT-FOR-US: Zenario Content Management System CVE-2018-18419 (Stored XSS has been discovered in the upload section of ARDAWAN.COM Us ...) NOT-FOR-US: ARDAWAN.COM User Management CVE-2018-18418 RESERVED CVE-2018-18417 (In the 3.1 version of Ekushey Project Manager CRM, Stored XSS has been ...) NOT-FOR-US: Ekushey Project Manager CRM CVE-2018-18416 (LANGO Codeigniter Multilingual Script 1.0 has XSS in the input and upl ...) NOT-FOR-US: LANGO Codeigniter Multilingual Scrip CVE-2018-18415 RESERVED CVE-2018-18414 RESERVED CVE-2018-18413 RESERVED CVE-2018-18412 RESERVED CVE-2018-18411 RESERVED CVE-2018-18410 RESERVED CVE-2018-18409 (A stack-based buffer over-read exists in setbit() at iptree.h of TCPFL ...) - tcpflow 1.5.2+repack1-1 (unimportant; bug #911263) NOTE: https://github.com/simsong/tcpflow/issues/195 NOTE: https://github.com/simsong/tcpflow/commit/89c04b4fb0e46b3c4f1388686e83966e531cbea9 NOTE: Crash in CLI tool, no security impact CVE-2018-18408 (A use-after-free was discovered in the tcpbridge binary of Tcpreplay 4 ...) - tcpreplay 4.3.1-1 (bug #911493) [stretch] - tcpreplay (Minor issue) [jessie] - tcpreplay (Minor issue) NOTE: https://github.com/appneta/tcpreplay/issues/489 NOTE: https://github.com/appneta/tcpreplay/commit/59dc76a1d641b1a6b22fd7cd409bee6e0a015616 CVE-2018-18407 (A heap-based buffer over-read was discovered in the tcpreplay-edit bin ...) - tcpreplay 4.3.1-1 (bug #911454) [stretch] - tcpreplay (Minor issue) [jessie] - tcpreplay (Minor issue) NOTE: https://github.com/appneta/tcpreplay/issues/488 NOTE: https://github.com/appneta/tcpreplay/commit/1d7561a4d542842a1aeabf55bfd4aaf88b3a1071 CVE-2018-18406 (An issue was discovered in Tufin SecureTrack 18.1 with TufinOS 2.16 bu ...) NOT-FOR-US: Tufin SecureTrack CVE-2018-18405 (** DISPUTED ** jQuery v2.2.2 allows XSS via a crafted onerror attribut ...) - jquery (unimportant) CVE-2018-18404 RESERVED CVE-2018-18403 RESERVED CVE-2018-18402 RESERVED CVE-2018-18401 RESERVED CVE-2018-18400 RESERVED CVE-2018-18399 (SQL injection vulnerability in the "ContentPlaceHolder1_uxTitle" compo ...) NOT-FOR-US: KARMA CVE-2018-18398 (Xfce Thunar 1.6.15, when Xfce 4.12 is used, mishandles the IBus-Unikey ...) - thunar (unimportant) NOTE: https://0xd0ff9.wordpress.com/2018/10/18/cve-2018-18398/ NOTE: no security impact, crash in end user tool CVE-2018-18397 (The userfaultfd implementation in the Linux kernel before 4.19.7 misha ...) - linux 4.19.9-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://lore.kernel.org/lkml/20181126173452.26955-1-aarcange@redhat.com/T/#u NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1700 CVE-2018-18396 (Remote Code Execution in Moxa ThingsPro IIoT Gateway and Device Manage ...) NOT-FOR-US: Moxa CVE-2018-18395 (Hidden Token Access in Moxa ThingsPro IIoT Gateway and Device Manageme ...) NOT-FOR-US: Moxa CVE-2018-18394 (Sensitive Information Stored in Clear Text in Moxa ThingsPro IIoT Gate ...) NOT-FOR-US: Moxa CVE-2018-18393 (Password Management Issue in Moxa ThingsPro IIoT Gateway and Device Ma ...) NOT-FOR-US: Moxa CVE-2018-18392 (Privilege Escalation via Broken Access Control in Moxa ThingsPro IIoT ...) NOT-FOR-US: Moxa CVE-2018-18391 (User Privilege Escalation in Moxa ThingsPro IIoT Gateway and Device Ma ...) NOT-FOR-US: Moxa CVE-2018-18390 (User Enumeration in Moxa ThingsPro IIoT Gateway and Device Management ...) NOT-FOR-US: Moxa CVE-2018-18389 (Due to incorrect access control in Neo4j Enterprise Database Server 3. ...) NOT-FOR-US: Neo4J server CVE-2018-18388 (eScan Agent Application (MWAGENT.EXE) 4.0.2.98 in MicroWorld Technolog ...) NOT-FOR-US: MicroWorld Technologies eScan CVE-2018-18387 (playSMS through 1.4.2 allows Privilege Escalation through Daemon abuse ...) NOT-FOR-US: playSMS CVE-2018-18386 (drivers/tty/n_tty.c in the Linux kernel before 4.14.11 allows local at ...) - linux 4.14.12-1 [stretch] - linux 4.9.82-1+deb9u1 [jessie] - linux 3.16.56-1 NOTE: Fixed by: https://git.kernel.org/linus/966031f340185eddd05affcf72b740549f056348 CVE-2018-18385 (Asciidoctor in versions < 1.5.8 allows remote attackers to cause a ...) - asciidoctor 1.5.8-1 (low; bug #913892) [stretch] - asciidoctor (Minor issue) [jessie] - asciidoctor (Minor issue) NOTE: https://github.com/asciidoctor/asciidoctor/issues/2888 CVE-2018-18384 (Info-ZIP UnZip 6.0 has a buffer overflow in list.c, when a ZIP archive ...) - unzip 6.0-11 (bug #741384) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1110194 NOTE: https://sourceforge.net/p/infozip/bugs/53/ NOTE: The cfactorstr buffer was already increased to 12 with the NOTE: 07-increase-size-of-cfactorstr.patch patch as applied for #741384 NOTE: Upstream confirmed as well this is indeed enough as per NOTE: https://sourceforge.net/p/infozip/bugs/53/#ba07 CVE-2018-18383 RESERVED CVE-2018-18382 (Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php f ...) NOT-FOR-US: Advanced HRM CVE-2018-18381 (Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_syste ...) NOT-FOR-US: Z-BlogPHP CVE-2018-18380 (A Session Fixation issue was discovered in Bigtree before 4.2.24. admi ...) NOT-FOR-US: Bigtree CMS CVE-2018-18379 (The elementor-edit-template class in wp-admin/customize.php in the Ele ...) NOT-FOR-US: Elementor Pro plugin for WordPress CVE-2018-18378 RESERVED CVE-2018-18377 (goform/setReset on Orange AirBox Y858_FL_01.16_04 devices allows attac ...) NOT-FOR-US: Orange AirBox Y858_FL_01.16_04 devices CVE-2018-18376 (goform/getWlanClientInfo in Orange AirBox Y858_FL_01.16_04 allows remo ...) NOT-FOR-US: Orange AirBox CVE-2018-18375 (goform/getProfileList in Orange AirBox Y858_FL_01.16_04 allows attacke ...) NOT-FOR-US: Orange AirBox CVE-2018-18374 (XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid par ...) NOT-FOR-US: MetInfo CVE-2018-18373 (In the Schiocco "Support Board - Chat And Help Desk" plugin 1.2.3 for ...) NOT-FOR-US: Wordpress plugin CVE-2018-18372 (A Stored XSS vulnerability has been discovered in KAASoft Library CMS ...) NOT-FOR-US: KAASoft Library CMS CVE-2018-18371 (The ASG/ProxySG FTP proxy WebFTP mode allows intercepting FTP connecti ...) NOT-FOR-US: ASG/ProxySG FTP proxy WebFTP CVE-2018-18370 (The ASG/ProxySG FTP proxy WebFTP mode allows intercepting FTP connecti ...) NOT-FOR-US: ASG/ProxySG FTP proxy WebFTP CVE-2018-18369 (Norton Security (Windows client) prior to 22.16.3 and SEP SBE (Windows ...) NOT-FOR-US: Norton Security CVE-2018-18368 (Symantec Endpoint Protection Manager (SEPM), prior to 14.2 RU1, may be ...) NOT-FOR-US: Symantec CVE-2018-18367 (Symantec Endpoint Protection Manager (SEPM) prior to and including 12. ...) NOT-FOR-US: Symantec CVE-2018-18366 (Symantec Norton Security prior to 22.16.3, SEP (Windows client) prior ...) NOT-FOR-US: Symantec CVE-2018-18365 (Norton Password Manager may be susceptible to an address spoofing issu ...) NOT-FOR-US: Norton Password Manager CVE-2018-18364 (Symantec Ghost Solution Suite (GSS) versions prior to 3.3 RU1 may be s ...) NOT-FOR-US: Symantec CVE-2018-18363 (Norton App Lock prior to 1.4.0.445 can be susceptible to a bypass expl ...) NOT-FOR-US: Norton App Lock CVE-2018-18362 (Norton Password Manager for Android (formerly Norton Identity Safe) ma ...) NOT-FOR-US: Norton Password Manager for Android CVE-2018-18361 (An issue was discovered in nc-cms through 2017-03-10. index.php?action ...) NOT-FOR-US: nc-cms CVE-2018-18360 RESERVED CVE-2018-18359 (Incorrect handling of Reflect.construct in V8 in Google Chrome prior t ...) {DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-18358 (Lack of special casing of localhost in WPAD files in Google Chrome pri ...) {DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-18357 (Incorrect handling of confusable characters in URL Formatter in Google ...) {DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-18356 (An integer overflow in path handling lead to a use after free in Skia ...) {DSA-4392-1 DSA-4391-1 DSA-4352-1 DLA-1678-1 DLA-1677-1} - chromium 71.0.3578.80-1 - firefox 65.0.1-1 - firefox-esr 60.5.1esr-1 - thunderbird 1:60.5.1-1 - skia (bug #818180) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-04/#CVE-2018-18356 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-05/#CVE-2018-18356 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-06/#CVE-2018-18356 CVE-2018-18355 (Incorrect handling of confusable characters in URL Formatter in Google ...) {DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-18354 (Insufficient validate of external protocols in Shell Integration in Go ...) {DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-18353 (Failure to dismiss http auth dialogs on navigation in Network Authenti ...) {DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-18352 (Service works could inappropriately gain access to cross origin audio ...) {DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-18351 (Lack of proper validation of ancestor frames site when sending lax coo ...) {DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-18350 (Incorrect handling of CSP enforcement during navigations in Blink in G ...) {DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-18349 (Remote frame navigations was incorrectly permitted to local resources ...) {DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-18348 (Incorrect handling of bidirectional domain names with RTL characters i ...) {DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-18347 (Incorrect handling of failed navigations with invalid URLs in Navigati ...) {DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-18346 (Incorrect handling of alert box display in Blink in Google Chrome prio ...) {DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-18345 (Incorrect handling of blob URLS in Site Isolation in Google Chrome pri ...) {DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-18344 (Inappropriate allowance of the setDownloadBehavior devtools protocol f ...) {DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-18343 (Incorrect handing of paths leading to a use after free in Skia in Goog ...) {DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-18342 (Execution of user supplied Javascript during object deserialization ca ...) {DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-18341 (An integer overflow leading to a heap buffer overflow in Blink in Goog ...) {DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-18340 (Incorrect object lifecycle in MediaRecorder in Google Chrome prior to ...) {DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-18339 (Incorrect object lifecycle in WebAudio in Google Chrome prior to 71.0. ...) {DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-18338 (Incorrect, thread-unsafe use of SkImage in Canvas in Google Chrome pri ...) {DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-18337 (Incorrect handling of stylesheets leading to a use after free in Blink ...) {DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-18336 (Incorrect object lifecycle in PDFium in Google Chrome prior to 71.0.35 ...) {DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-18335 (Heap buffer overflow in Skia in Google Chrome prior to 71.0.3578.80 al ...) {DSA-4352-1} - chromium 71.0.3578.80-1 - firefox-esr (Only affects MacOS specific which had Canvas 2D acceleration enabled) - thunderbird (Only affects MacOS specific which had Canvas 2D acceleration enabled) - skia (bug #818180) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-05/#CVE-2018-18335 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-06/#CVE-2018-18335 CVE-2018-18334 (A vulnerability in the Private Browser of Trend Micro Dr. Safety for A ...) NOT-FOR-US: Trend Micro CVE-2018-18333 (A DLL hijacking vulnerability in Trend Micro Security 2019 (Consumer) ...) NOT-FOR-US: Trend Micro CVE-2018-18332 (A Trend Micro OfficeScan XG weak file permissions vulnerability may al ...) NOT-FOR-US: Trend Micro CVE-2018-18331 (A Trend Micro OfficeScan XG weak file permissions vulnerability on a p ...) NOT-FOR-US: Trend Micro CVE-2018-18330 (An Address Bar Spoofing vulnerability in Trend Micro Dr. Safety for An ...) NOT-FOR-US: Trend Micro CVE-2018-18329 (A KERedirect Untrusted Pointer Dereference Privilege Escalation vulner ...) NOT-FOR-US: Trend Micro CVE-2018-18328 (A KERedirect Untrusted Pointer Dereference Privilege Escalation vulner ...) NOT-FOR-US: Trend Micro CVE-2018-18327 (A KERedirect Untrusted Pointer Dereference Privilege Escalation vulner ...) NOT-FOR-US: Trend Micro CVE-2018-18326 (DNN (aka DotNetNuke) 9.2 through 9.2.2 incorrectly converts encryption ...) NOT-FOR-US: DNN CVE-2018-18325 (DNN (aka DotNetNuke) 9.2 through 9.2.2 uses a weak encryption algorith ...) NOT-FOR-US: DNN CVE-2018-18324 (CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has XSS via t ...) NOT-FOR-US: CentOS Web Panel CVE-2018-18323 (CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Local Fil ...) NOT-FOR-US: CentOS Web Panel CVE-2018-18322 (CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Command I ...) NOT-FOR-US: CentOS Web Panel CVE-2018-18321 RESERVED CVE-2018-18320 (** DISPUTED ** An issue was discovered in the Merlin.PHP component 0.6 ...) NOT-FOR-US: Merlin.PHP component for Asuswrt-Merlin devices CVE-2018-18319 (** DISPUTED ** An issue was discovered in the Merlin.PHP component 0.6 ...) NOT-FOR-US: Merlin.PHP component for Asuswrt-Merlin devices CVE-2018-18318 (The /dev/block/mmcblk0rpmb driver kernel module on Qiku 360 Phone N6 P ...) NOT-FOR-US: Qiku 360 Phone CVE-2018-18317 (DESHANG DSCMS 1.1 has CSRF via the public/index.php/admin/admin/add.ht ...) NOT-FOR-US: DESHANG DSCMS CVE-2018-18316 (emlog v6.0.0 has CSRF via the admin/user.php?action=new URI. ...) NOT-FOR-US: emlog CVE-2018-18315 (com/mossle/cdn/CdnController.java in lemon 1.9.0 allows attackers to u ...) NOT-FOR-US: lemon, different from src:lemon CVE-2018-18314 (Perl before 5.26.3 has a buffer overflow via a crafted regular express ...) {DSA-4347-1} - perl 5.28.0-3 [jessie] - perl (Vulnerable code introduced later) NOTE: https://rt.perl.org/Ticket/Display.html?id=131649 NOTE: maint-5.28: https://perl5.git.perl.org/perl.git/commitdiff/19a498a461d7c81ae3507c450953d1148efecf4f CVE-2018-18313 (Perl before 5.26.3 has a buffer over-read via a crafted regular expres ...) {DSA-4347-1} - perl 5.28.0-3 [jessie] - perl (Vulnerable code introduced later) NOTE: https://rt.perl.org/Ticket/Display.html?id=133192 NOTE: maint-5.28: https://perl5.git.perl.org/perl.git/commitdiff/43b2f4ef399e2fd7240b4eeb0658686ad95f8e62 CVE-2018-18312 (Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via ...) {DSA-4347-1} - perl 5.28.1-1 [jessie] - perl (Vulnerable code introduced later) NOTE: https://rt.perl.org/Ticket/Display.html?id=133423 NOTE: maint-5.28: https://perl5.git.perl.org/perl.git/commitdiff/9b0464aa670d0a59bda5b75d54f2a6b6f9d1288a CVE-2018-18311 (Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via ...) {DSA-4347-1 DLA-1601-1} - perl 5.28.1-1 NOTE: https://rt.perl.org/Ticket/Display.html?id=133204 NOTE: Introduced by: https://perl5.git.perl.org/perl.git/commitdiff/e658793210bbe632a5e80a876acfcd0984c46b87 NOTE: maint-5.28: https://perl5.git.perl.org/perl.git/commitdiff/0589f071dc6836de80b24fd798c3336c72ead850 CVE-2018-18310 (An invalid memory address dereference was discovered in dwfl_segment_r ...) {DLA-1689-1} - elfutils 0.175-1 (bug #911083) [stretch] - elfutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23752 NOTE: https://sourceware.org/ml/elfutils-devel/2018-q4/msg00022.html NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=20f9de9b5f704cec55df92406a50bcbcfca96acd CVE-2018-18309 (An issue was discovered in the Binary File Descriptor (BFD) library (a ...) [experimental] - binutils 2.31.51.20181022-1 - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23770 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0930cb3021b8078b34cf216e79eb8608d017864f NOTE: binutils not covered by security support CVE-2018-18308 (In the 4.2.23 version of BigTree, a Stored XSS vulnerability has been ...) NOT-FOR-US: BigTree CMS CVE-2018-18307 (A Stored XSS vulnerability has been discovered in version 4.1.0 of Alc ...) NOT-FOR-US: AlchemyCMS CVE-2018-18306 RESERVED CVE-2018-18305 RESERVED CVE-2018-18304 RESERVED CVE-2018-18303 RESERVED CVE-2018-18302 RESERVED CVE-2018-18301 RESERVED CVE-2018-18300 RESERVED CVE-2018-18299 RESERVED CVE-2018-18298 RESERVED CVE-2018-18297 RESERVED CVE-2018-18296 (MetInfo 6.1.2 has XSS via the /admin/index.php bigclass parameter in a ...) NOT-FOR-US: MetInfo CVE-2018-18295 RESERVED CVE-2018-18294 RESERVED CVE-2018-18293 RESERVED CVE-2018-18292 RESERVED CVE-2018-18291 (A cross site scripting (XSS) vulnerability on ASUS RT-AC58U 3.0.0.4.38 ...) NOT-FOR-US: ASUS RT-AC58U devices CVE-2018-18290 (** DISPUTED ** An issue was discovered in nc-cms through 2017-03-10. i ...) NOT-FOR-US: nc-cms CVE-2018-18289 (The MESILAT Zabbix plugin before 1.1.15 for Atlassian Confluence allow ...) NOT-FOR-US: Zabbix Plugin for Confluence CVE-2018-18288 (CrushFTP through 8.3.0 is vulnerable to credentials theft via URL redi ...) NOT-FOR-US: CrushFTP CVE-2018-18287 (On ASUS RT-AC58U 3.0.0.4.380_6516 devices, remote attackers can discov ...) NOT-FOR-US: ASUS RT-AC58U devices CVE-2018-18286 (SQL injection vulnerabilities in CMG Suite 8.4 SP2 and earlier, could ...) NOT-FOR-US: CMG Suite CVE-2018-18285 (SQL injection vulnerabilities in CMG Suite 8.4 SP2 and earlier, could ...) NOT-FOR-US: CMG Suite CVE-2018-18284 (Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sand ...) {DSA-4336-1 DLA-1552-1} - ghostscript 9.25~dfsg-3 (bug #911175) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699963 NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1696 NOTE: https://www.openwall.com/lists/oss-security/2018/10/16/2 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;h=8d19fdf63f91f50466b08f23e2d93d37a4c5ea0b CVE-2018-18283 RESERVED CVE-2018-18282 (Next.js 7.0.0 and 7.0.1 has XSS via the 404 or 500 /_error page. ...) NOT-FOR-US: Next.js CVE-2018-18281 (Since Linux kernel version 3.2, the mremap() syscall performs TLB flus ...) {DLA-1731-1 DLA-1715-1} - linux 4.18.20-1 [stretch] - linux 4.9.135-1 NOTE: https://git.kernel.org/linus/eb66ae030829605d61fbef1909ce310e29f78821 CVE-2018-18280 RESERVED CVE-2018-18279 RESERVED CVE-2018-18278 RESERVED CVE-2018-18277 RESERVED CVE-2018-18276 (XSS exists in the ProFiles 1.5 component for Joomla! via the name or p ...) NOT-FOR-US: ProFiles for Joomla! CVE-2018-18275 RESERVED CVE-2018-18274 (A issue was found in pdfalto 0.2. There is a heap-based buffer overflo ...) NOT-FOR-US: pdfalto CVE-2018-18273 RESERVED CVE-2018-18272 RESERVED CVE-2018-18271 (XSS exists in CMS Made Simple version 2.2.7 via the m1_extra parameter ...) NOT-FOR-US: CMS Made Simple CVE-2018-18270 (XSS exists in CMS Made Simple version 2.2.7 via the m1_news_url parame ...) NOT-FOR-US: CMS Made Simple CVE-2018-18269 RESERVED CVE-2018-18268 RESERVED CVE-2018-18267 RESERVED CVE-2018-18266 RESERVED CVE-2018-18265 RESERVED CVE-2018-18264 (Kubernetes Dashboard before 1.10.1 allows attackers to bypass authenti ...) NOT-FOR-US: Kubernetes Dashboard CVE-2018-18263 RESERVED CVE-2018-18262 (Zoho ManageEngine OpManager 12.3 before build 123214 has XSS. ...) NOT-FOR-US: Zoho CVE-2018-18261 (In waimai Super Cms 20150505, there is an XSS vulnerability via the /a ...) NOT-FOR-US: waimai Super Cms CVE-2018-18260 (In the 2.4 version of Camaleon CMS, Stored XSS has been discovered. Th ...) NOT-FOR-US: Camaleon CMS CVE-2018-18259 (Stored XSS has been discovered in version 1.0.12 of the LUYA CMS softw ...) NOT-FOR-US: LUYA CMS CVE-2018-18258 (An issue was discovered in BageCMS 3.1.3. The attacker can execute arb ...) NOT-FOR-US: BageCMS CVE-2018-18257 (An issue was discovered in BageCMS 3.1.3. An attacker can delete any f ...) NOT-FOR-US: BageCMS CVE-2018-18256 (An issue was discovered in CapMon Access Manager 5.4.1.1005. A regular ...) NOT-FOR-US: CapMon Access Manager CVE-2018-18255 (An issue was discovered in CapMon Access Manager 5.4.1.1005. The clien ...) NOT-FOR-US: CapMon Access Manager CVE-2018-18254 (An issue was discovered in CapMon Access Manager 5.4.1.1005. An unpriv ...) NOT-FOR-US: CapMon Access Manager CVE-2018-18253 (An issue was discovered in CapMon Access Manager 5.4.1.1005. CALRunEle ...) NOT-FOR-US: CapMon Access Manager CVE-2018-18252 (An issue was discovered in CapMon Access Manager 5.4.1.1005. CALRunEle ...) NOT-FOR-US: CapMon Access Manager CVE-2018-18251 (Deltek Vision 7.x before 7.6 permits the execution of any attacker sup ...) NOT-FOR-US: Deltek Vision CVE-2019-0085 RESERVED CVE-2019-0084 RESERVED CVE-2019-0083 RESERVED CVE-2019-0082 RESERVED CVE-2019-0081 RESERVED CVE-2019-0080 RESERVED CVE-2019-0079 RESERVED CVE-2019-0078 RESERVED CVE-2019-0077 RESERVED CVE-2019-0076 RESERVED CVE-2019-0075 (A vulnerability in the srxpfe process on Protocol Independent Multicas ...) NOT-FOR-US: Juniper CVE-2019-0074 (A path traversal vulnerability in NFX150 Series and QFX10K Series, EX9 ...) NOT-FOR-US: Juniper CVE-2019-0073 (The PKI keys exported using the command "run request security pki key- ...) NOT-FOR-US: Juniper CVE-2019-0072 (An Unprotected Storage of Credentials vulnerability in the identity an ...) NOT-FOR-US: Juniper CVE-2019-0071 (Veriexec is a kernel-based file integrity subsystem in Junos OS that e ...) NOT-FOR-US: Juniper CVE-2019-0070 (An Improper Input Validation weakness allows a malicious local attacke ...) NOT-FOR-US: Juniper CVE-2019-0069 (On EX4600, QFX5100 Series, NFX Series, QFX10K Series, QFX5110, QFX5200 ...) NOT-FOR-US: Juniper CVE-2019-0068 (The SRX flowd process, responsible for packet forwarding, may crash an ...) NOT-FOR-US: Juniper CVE-2019-0067 (Receipt of a specific link-local IPv6 packet destined to the RE may ca ...) NOT-FOR-US: Juniper CVE-2019-0066 (An unexpected status return value weakness in the Next-Generation Mult ...) NOT-FOR-US: Juniper CVE-2019-0065 (On MX Series, when the SIP ALG is enabled, receipt of a certain malfor ...) NOT-FOR-US: Juniper CVE-2019-0064 (On SRX5000 Series devices, if 'set security zones security-zone <zo ...) NOT-FOR-US: Juniper CVE-2019-0063 (When an MX Series Broadband Remote Access Server (BRAS) is configured ...) NOT-FOR-US: Juniper CVE-2019-0062 (A session fixation vulnerability in J-Web on Junos OS may allow an att ...) NOT-FOR-US: Juniper CVE-2019-0061 (The management daemon (MGD) is responsible for all configuration and m ...) NOT-FOR-US: Juniper CVE-2019-0060 (The flowd process, responsible for forwarding traffic in SRX Series se ...) NOT-FOR-US: Juniper CVE-2019-0059 (A memory leak vulnerability in the of Juniper Networks Junos OS allows ...) NOT-FOR-US: Juniper CVE-2019-0058 (A vulnerability in the Veriexec subsystem of Juniper Networks Junos OS ...) NOT-FOR-US: Juniper CVE-2019-0057 (An improper authorization weakness in Juniper Networks Junos OS allows ...) NOT-FOR-US: Juniper CVE-2019-0056 (This issue only affects devices with three (3) or more MPC10's install ...) NOT-FOR-US: Juniper CVE-2019-0055 (A vulnerability in the SIP ALG packet processing service of Juniper Ne ...) NOT-FOR-US: Juniper CVE-2019-0054 (An Improper Certificate Validation weakness in the SRX Series Applicat ...) NOT-FOR-US: Juniper CVE-2019-0053 (Insufficient validation of environment variables in the telnet client ...) - socks4-server (low) [buster] - socks4-server (Minor issue) [stretch] - socks4-server (Minor issue) - inetutils 2:1.9.4-11 (low; bug #945861) [buster] - inetutils (Minor issue) [stretch] - inetutils (Minor issue) [jessie] - inetutils (Minor issue) NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-19:12.telnet.asc NOTE: https://raw.githubusercontent.com/hackerhouse-opensource/exploits/master/inetutils-telnet.txt NOTE: https://www.openwall.com/lists/oss-security/2018/12/14/8 CVE-2019-0052 (The srxpfe process may crash on SRX Series services gateways when the ...) NOT-FOR-US: Juniper CVE-2019-0051 (SSL-Proxy feature on SRX devices fails to handle a hardware resource l ...) NOT-FOR-US: Juniper CVE-2019-0050 (Under certain heavy traffic conditions srxpfe process can crash and re ...) NOT-FOR-US: Juniper CVE-2019-0049 (On Junos devices with the BGP graceful restart helper mode enabled or ...) NOT-FOR-US: Juniper CVE-2019-0048 (On EX4300 Series switches with TCAM optimization enabled, incoming mul ...) NOT-FOR-US: Juniper CVE-2019-0047 (A persistent Cross-Site Scripting (XSS) vulnerability in Junos OS J-We ...) NOT-FOR-US: Juniper CVE-2019-0046 (A vulnerability in the pfe-chassisd Chassis Manager (CMLC) daemon of J ...) NOT-FOR-US: Juniper CVE-2019-0045 RESERVED CVE-2019-0044 (Receipt of a specific packet on the out-of-band management interface f ...) NOT-FOR-US: Juniper CVE-2019-0043 (In MPLS environments, receipt of a specific SNMP packet may cause the ...) NOT-FOR-US: Juniper CVE-2019-0042 (Juniper Identity Management Service (JIMS) for Windows versions prior ...) NOT-FOR-US: Juniper CVE-2019-0041 (On EX4300-MP Series devices with any lo0 filters applied, transit netw ...) NOT-FOR-US: Juniper CVE-2019-0040 (On Junos OS, rpcbind should only be listening to port 111 on the inter ...) NOT-FOR-US: Juniper CVE-2019-0039 (If REST API is enabled, the Junos OS login credentials are vulnerable ...) NOT-FOR-US: Juniper CVE-2019-0038 (Crafted packets destined to the management interface (fxp0) of an SRX3 ...) NOT-FOR-US: Juniper CVE-2019-0037 (In a Dynamic Host Configuration Protocol version 6 (DHCPv6) environmen ...) NOT-FOR-US: Juniper CVE-2019-0036 (When configuring a stateless firewall filter in Junos OS, terms named ...) NOT-FOR-US: Juniper CVE-2019-0035 (When "set system ports console insecure" is enabled, root login is dis ...) NOT-FOR-US: Juniper CVE-2019-0034 REJECTED CVE-2019-0033 (A firewall bypass vulnerability in the proxy ARP service of Juniper Ne ...) NOT-FOR-US: Juniper CVE-2019-0032 (A password management issue exists where the Organization authenticati ...) NOT-FOR-US: Juniper CVE-2019-0031 (Specific IPv6 DHCP packets received by the jdhcpd daemon will cause a ...) NOT-FOR-US: Juniper CVE-2019-0030 (Juniper ATP uses DES and a hardcoded salt for password hashing, allowi ...) NOT-FOR-US: Juniper CVE-2019-0029 (Juniper ATP Series Splunk credentials are logged in a file readable by ...) NOT-FOR-US: Juniper CVE-2019-0028 (On Junos devices with the BGP graceful restart helper mode enabled or ...) NOT-FOR-US: Juniper CVE-2019-0027 (A persistent cross-site scripting (XSS) vulnerability in the Snort Rul ...) NOT-FOR-US: Juniper CVE-2019-0026 (A persistent cross-site scripting (XSS) vulnerability in the Zone conf ...) NOT-FOR-US: Juniper CVE-2019-0025 (A persistent cross-site scripting (XSS) vulnerability in RADIUS config ...) NOT-FOR-US: Juniper CVE-2019-0024 (A persistent cross-site scripting (XSS) vulnerability in the Email Col ...) NOT-FOR-US: Juniper CVE-2019-0023 (A persistent cross-site scripting (XSS) vulnerability in the Golden VM ...) NOT-FOR-US: Juniper CVE-2019-0022 (Juniper ATP ships with hard coded credentials in the Cyphort Core inst ...) NOT-FOR-US: Juniper CVE-2019-0021 (On Juniper ATP, secret passphrase CLI inputs, such as "set mcm", are l ...) NOT-FOR-US: Juniper CVE-2019-0020 (Juniper ATP ships with hard coded credentials in the Web Collector ins ...) NOT-FOR-US: Juniper CVE-2019-0019 (When BGP tracing is enabled an incoming BGP message may cause the Juno ...) NOT-FOR-US: Juniper CVE-2019-0018 (A persistent cross-site scripting (XSS) vulnerability in the file uplo ...) NOT-FOR-US: Juniper CVE-2019-0017 (The Junos Space application, which allows Device Image files to be upl ...) NOT-FOR-US: Juniper CVE-2019-0016 (A malicious authenticated user may be able to delete a device from the ...) NOT-FOR-US: Juniper CVE-2019-0015 (A vulnerability in the SRX Series Service Gateway allows deleted dynam ...) NOT-FOR-US: Juniper CVE-2019-0014 (On QFX and PTX Series, receipt of a malformed packet for J-Flow sampli ...) NOT-FOR-US: Juniper CVE-2019-0013 (The routing protocol daemon (RPD) process will crash and restart when ...) NOT-FOR-US: Juniper CVE-2019-0012 (A Denial of Service (DoS) vulnerability in BGP in Juniper Networks Jun ...) NOT-FOR-US: Juniper CVE-2019-0011 (The Junos OS kernel crashes after processing a specific incoming packe ...) NOT-FOR-US: Juniper CVE-2019-0010 (An SRX Series Service Gateway configured for Unified Threat Management ...) NOT-FOR-US: Juniper CVE-2019-0009 (On EX2300 and EX3400 series, high disk I/O operations may disrupt the ...) NOT-FOR-US: Juniper CVE-2019-0008 (A certain sequence of valid BGP or IPv6 BFD packets may trigger a stac ...) NOT-FOR-US: Juniper CVE-2019-0007 (The vMX Series software uses a predictable IP ID Sequence Number. This ...) NOT-FOR-US: Juniper CVE-2019-0006 (A certain crafted HTTP packet can trigger an uninitialized function po ...) NOT-FOR-US: Juniper CVE-2019-0005 (On EX2300, EX3400, EX4600, QFX3K and QFX5K series, firewall filter con ...) NOT-FOR-US: Juniper CVE-2019-0004 (On Juniper ATP, the API key and the device key are logged in a file re ...) NOT-FOR-US: Juniper CVE-2019-0003 (When a specific BGP flowspec configuration is enabled and upon receipt ...) NOT-FOR-US: Juniper CVE-2019-0002 (On EX2300 and EX3400 series, stateless firewall filter configuration t ...) NOT-FOR-US: Juniper CVE-2019-0001 (Receipt of a malformed packet on MX Series devices with dynamic vlan c ...) NOT-FOR-US: Juniper CVE-2018-18250 (Icinga Web 2 before 2.6.2 allows parameters that break navigation dash ...) - icingaweb2 2.6.2-1 [stretch] - icingaweb2 (Minor issue) NOTE: https://herolab.usd.de/wp-content/uploads/sites/4/2018/12/usd20180030.txt CVE-2018-18249 (Icinga Web 2 before 2.6.2 allows injection of PHP ini-file directives ...) - icingaweb2 2.6.2-1 [stretch] - icingaweb2 (Minor issue) NOTE: https://herolab.usd.de/wp-content/uploads/sites/4/2018/12/usd20180030.txt CVE-2018-18248 (Icinga Web 2 has XSS via the /icingaweb2/monitoring/list/services dir ...) - icingaweb2 2.6.2-1 [stretch] - icingaweb2 (Minor issue) NOTE: https://herolab.usd.de/wp-content/uploads/sites/4/2018/12/usd20180028.txt CVE-2018-18247 (Icinga Web 2 before 2.6.2 has XSS via the /icingaweb2/navigation/add i ...) - icingaweb2 2.6.2-1 [stretch] - icingaweb2 (Minor issue) NOTE: https://herolab.usd.de/wp-content/uploads/sites/4/2018/12/usd20180029.txt CVE-2018-18246 (Icinga Web 2 before 2.6.2 has CSRF via /icingaweb2/config/moduledisabl ...) - icingaweb2 2.6.2-1 [stretch] - icingaweb2 (Minor issue) NOTE: https://herolab.usd.de/wp-content/uploads/sites/4/2018/12/usd20180027.txt CVE-2018-18245 (Nagios Core 4.4.2 has XSS via the alert summary reports of plugin resu ...) {DLA-1615-1} - nagios4 4.3.4-3 (unimportant; bug #917138) - nagios3 (unimportant) NOTE: https://herolab.usd.de/wp-content/uploads/sites/4/2018/12/usd20180026.txt NOTE: https://github.com/NagiosEnterprises/nagioscore/issues/602 NOTE: Fixed by: https://github.com/NagiosEnterprises/nagioscore/commit/0329033db9a1d0954c304f209ea88824e8f78b8a NOTE: No real security impact, plugins need to be trusted to begin with CVE-2018-18244 (Cross-site scripting in syslog.html in VIVOTEK Network Camera Series p ...) NOT-FOR-US: VIVOTEK Network Camera CVE-2018-18243 RESERVED CVE-2018-18242 (youke365 v1.1.5 has SQL injection via admin/login.html, as demonstrate ...) NOT-FOR-US: youke365 CVE-2018-18241 RESERVED CVE-2018-18240 (Pippo through 1.11.0 allows remote code execution via a command to jav ...) NOT-FOR-US: Pippo CVE-2018-18239 RESERVED CVE-2018-18238 RESERVED CVE-2018-18237 RESERVED CVE-2018-18236 RESERVED CVE-2018-18235 RESERVED CVE-2018-18234 RESERVED CVE-2018-18233 RESERVED CVE-2018-18232 RESERVED CVE-2018-18231 RESERVED CVE-2018-18230 RESERVED CVE-2018-18229 RESERVED CVE-2018-18228 RESERVED CVE-2018-18227 (In Wireshark 2.6.0 to 2.6.3 and 2.4.0 to 2.4.9, the MS-WSP protocol di ...) {DSA-4359-1} - wireshark 2.6.4-1 [jessie] - wireshark (Vulnerable code not present, mswsp support added in v1.99.9) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15119 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=d443be449a52f95df5754adc39e1f3472fec2f03 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-47.html CVE-2018-18226 (In Wireshark 2.6.0 to 2.6.3, the Steam IHS Discovery dissector could c ...) {DSA-4359-1} - wireshark 2.6.4-1 [jessie] - wireshark (Vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15171 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=6e920ddc3cad2886ef07ca1a8e50e2a5c50986f7 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-48.html CVE-2018-18225 (In Wireshark 2.6.0 to 2.6.3, the CoAP dissector could crash. This was ...) {DSA-4359-1} - wireshark 2.6.4-1 [jessie] - wireshark (Vulnerable code not present, 2.31-continue-code added in v2.1.0) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15172 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=09a02cc1ea6de9f6c6cae75b3510a5477ef5f555 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-49.html CVE-2018-18224 (A vulnerability exists in the file reading procedure in Open Design Al ...) NOT-FOR-US: Open Design Alliance Drawings CVE-2018-18223 (Open Design Alliance Drawings SDK 2019Update1 has a vulnerability duri ...) NOT-FOR-US: Open Design Alliance Drawings CVE-2018-18222 RESERVED CVE-2018-18221 RESERVED CVE-2018-18220 RESERVED CVE-2018-18219 RESERVED CVE-2018-18218 RESERVED CVE-2018-18217 RESERVED CVE-2018-18216 RESERVED CVE-2018-18215 (In youke365 v1.1.5, admin/user.html has a CSRF vulnerability that can ...) NOT-FOR-US: youke365 CVE-2018-18214 RESERVED CVE-2018-18213 RESERVED CVE-2018-18212 RESERVED CVE-2018-18211 (PbootCMS 1.2.1 has SQL injection via the HTTP POST data to the api.php ...) NOT-FOR-US: PbootCMS CVE-2018-18210 (XSS exists in DiliCMS 2.4.0 via the admin/index.php/setting/site?tab=s ...) NOT-FOR-US: DiliCMS CVE-2018-18209 (XSS exists in DiliCMS 2.4.0 via the admin/index.php/setting/site?tab=s ...) NOT-FOR-US: DiliCMS CVE-2018-18208 (Virtualmin 6.03 allows XSS via the query string, as demonstrated by th ...) NOT-FOR-US: Virtualmin CVE-2018-18207 (Virtualmin 6.03 allows Frame Injection via the settings-editor_read.cg ...) NOT-FOR-US: Virtualmin CVE-2018-18206 (In the client in Bytom before 1.0.6, checkTopicRegister in p2p/discove ...) NOT-FOR-US: Bytom CVE-2018-18205 (Topvision CC8800 CMTS C-E devices allow remote attackers to obtain sen ...) NOT-FOR-US: Topvision CC8800 CMTS C-E devices CVE-2018-18204 RESERVED CVE-2018-18203 (A vulnerability in the update mechanism of Subaru StarLink Harman head ...) NOT-FOR-US: Subaru CVE-2018-18202 (The QLogic 4Gb Fibre Channel 5.5.2.6.0 and 4/8Gb SAN 7.10.1.20.0 modul ...) NOT-FOR-US: IBM CVE-2018-18201 (qibosoft V7.0 allows CSRF via admin/index.php?lfj=member&action=ad ...) NOT-FOR-US: qibosoft CVE-2018-18200 (There is a SQL injection in Benutzerverwaltung in REDAXO before 5.6.4. ...) NOT-FOR-US: REDAXO CVE-2018-18199 (Mediamanager in REDAXO before 5.6.4 has XSS. ...) NOT-FOR-US: REDAXO CVE-2018-18198 (The $opener_input_field variable in addons/mediapool/pages/index.php i ...) NOT-FOR-US: REDAXO CVE-2018-18197 (An issue was discovered in libgig 4.1.0. There is an operator new[] fa ...) - libgig (low; bug #931309) [buster] - libgig (Minor issue) [stretch] - libgig (Minor issue) [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README-1008.md CVE-2018-18196 (An issue was discovered in libgig 4.1.0. There is a heap-based buffer ...) - libgig (low; bug #931309) [buster] - libgig (Minor issue) [stretch] - libgig (Minor issue) [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README-1008.md CVE-2018-18195 (An issue was discovered in libgig 4.1.0. There is an FPE (divide-by-ze ...) - libgig (low; bug #931309) [buster] - libgig (Minor issue) [stretch] - libgig (Minor issue) [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README-1008.md CVE-2018-18194 (An issue was discovered in libgig 4.1.0. There is a heap-based buffer ...) - libgig (low; bug #931309) [buster] - libgig (Minor issue) [stretch] - libgig (Minor issue) [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README-1008.md CVE-2018-18193 (An issue was discovered in libgig 4.1.0. There is operator new[] failu ...) - libgig (low; bug #931309) [buster] - libgig (Minor issue) [stretch] - libgig (Minor issue) [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README-1008.md CVE-2018-18192 (An issue was discovered in libgig 4.1.0. There is a NULL pointer deref ...) - libgig (low; bug #931309) [buster] - libgig (Minor issue) [stretch] - libgig (Minor issue) [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README-1008.md CVE-2018-18191 (Cross-site request forgery (CSRF) vulnerability in /admin.php?c=member ...) NOT-FOR-US: FineCms CVE-2018-18190 (An issue was discovered in GoPro gpmf-parser before 1.2.1. There is a ...) NOT-FOR-US: GoPro gpmf-parser CVE-2018-18189 RESERVED CVE-2018-18188 RESERVED CVE-2018-18187 RESERVED CVE-2018-18186 RESERVED CVE-2018-18185 RESERVED CVE-2018-18184 RESERVED CVE-2018-18183 RESERVED CVE-2018-18182 RESERVED CVE-2018-18181 RESERVED CVE-2018-18180 RESERVED CVE-2018-18179 RESERVED CVE-2018-18178 RESERVED CVE-2018-18177 RESERVED CVE-2018-18176 RESERVED CVE-2018-18175 RESERVED CVE-2018-18174 RESERVED CVE-2018-18173 RESERVED CVE-2018-18172 RESERVED CVE-2018-18171 RESERVED CVE-2018-18170 RESERVED CVE-2018-18169 RESERVED CVE-2018-18168 RESERVED CVE-2018-18167 RESERVED CVE-2018-18166 RESERVED CVE-2018-18165 RESERVED CVE-2018-18164 RESERVED CVE-2018-18163 RESERVED CVE-2018-18162 RESERVED CVE-2018-18161 RESERVED CVE-2018-18160 RESERVED CVE-2018-18159 RESERVED CVE-2018-18158 RESERVED CVE-2018-18157 RESERVED CVE-2018-18156 RESERVED CVE-2018-18155 RESERVED CVE-2018-18154 RESERVED CVE-2018-18153 RESERVED CVE-2018-18152 RESERVED CVE-2018-18151 RESERVED CVE-2018-18150 RESERVED CVE-2018-18149 RESERVED CVE-2018-18148 RESERVED CVE-2018-18147 RESERVED CVE-2018-18146 RESERVED CVE-2018-18145 RESERVED CVE-2018-18144 RESERVED CVE-2018-18143 RESERVED CVE-2018-18142 RESERVED CVE-2018-18141 RESERVED CVE-2018-18140 RESERVED CVE-2018-18139 RESERVED CVE-2018-18138 RESERVED CVE-2018-18137 RESERVED CVE-2018-18136 RESERVED CVE-2018-18135 RESERVED CVE-2018-18134 RESERVED CVE-2018-18133 RESERVED CVE-2018-18132 RESERVED CVE-2018-18131 RESERVED CVE-2018-18130 RESERVED CVE-2018-18129 RESERVED CVE-2018-18128 RESERVED CVE-2018-18127 RESERVED CVE-2018-18126 RESERVED CVE-2018-18125 RESERVED CVE-2018-18124 RESERVED CVE-2018-18123 RESERVED CVE-2018-18122 RESERVED CVE-2018-18121 RESERVED CVE-2018-18120 RESERVED CVE-2018-18119 RESERVED CVE-2018-18118 RESERVED CVE-2018-18117 RESERVED CVE-2018-18116 RESERVED CVE-2018-18115 RESERVED CVE-2018-18114 RESERVED CVE-2018-18113 RESERVED CVE-2018-18112 RESERVED CVE-2018-18111 RESERVED CVE-2018-18110 RESERVED CVE-2018-18109 RESERVED CVE-2018-18108 RESERVED CVE-2018-18107 RESERVED CVE-2018-18106 RESERVED CVE-2018-18105 RESERVED CVE-2018-18104 RESERVED CVE-2018-18103 RESERVED CVE-2018-18102 RESERVED CVE-2018-18101 RESERVED CVE-2018-18100 RESERVED CVE-2018-18099 RESERVED CVE-2018-18098 (Improper file verification in install routine for Intel(R) SGX SDK and ...) NOT-FOR-US: Intel CVE-2018-18097 (Improper directory permissions in Intel Solid State Drive Toolbox befo ...) NOT-FOR-US: Intel Solid State Drive Toolbox CVE-2018-18096 (Improper memory handling in Intel QuickAssist Technology for Linux (al ...) NOT-FOR-US: Intel QuickAssist Technology for Linux CVE-2018-18095 (Improper authentication in firmware for Intel(R) SSD DC S4500 Series a ...) NOT-FOR-US: Intel CVE-2018-18094 (Improper directory permissions in installer for Intel(R) Media SDK bef ...) NOT-FOR-US: Intel CVE-2018-18093 (Improper file permissions in the installer for Intel VTune Amplifier 2 ...) NOT-FOR-US: Intel VTune Amplifier CVE-2018-18092 RESERVED CVE-2018-18091 (Use after free in Kernel Mode Driver in Intel(R) Graphics Driver for W ...) NOT-FOR-US: Intel CVE-2018-18090 (Out of bounds read in igdkm64.sys in Intel(R) Graphics Driver for Wind ...) NOT-FOR-US: Intel CVE-2018-18089 (Multiple out of bounds read in igdkm64.sys in Intel(R) Graphics Driver ...) NOT-FOR-US: Intel CVE-2018-18088 (OpenJPEG 2.3.0 has a NULL pointer dereference for "red" in the imageto ...) {DSA-4405-1 DLA-1579-1} - openjpeg2 2.3.0-2 (low; bug #910763) NOTE: https://github.com/uclouvain/openjpeg/issues/1152 NOTE: https://github.com/uclouvain/openjpeg/commit/cab352e249ed3372dd9355c85e837613fff98fa2 CVE-2018-18087 (The Bixie Portfolio plugin 1.2.0 for Pagekit has XSS: a logged-in user ...) NOT-FOR-US: Bixie Portfolio plugin for Pagekit CVE-2018-18086 (EmpireCMS v7.5 has an arbitrary file upload vulnerability in the LoadI ...) NOT-FOR-US: EmpireCMS CVE-2018-18085 RESERVED CVE-2018-18084 (An issue was discovered in DuomiCMS 3.0. SQL injection exists in the a ...) NOT-FOR-US: DuomiCMS CVE-2018-18083 (An issue was discovered in DuomiCMS 3.0. Remote PHP code execution is ...) NOT-FOR-US: DuomiCMS CVE-2018-18082 (XSS exists in Waimai Super Cms 20150505 via the fname parameter to the ...) NOT-FOR-US: Waimai Super Cms CVE-2018-18081 RESERVED CVE-2018-18080 RESERVED CVE-2018-18079 RESERVED CVE-2018-18078 RESERVED CVE-2018-18077 RESERVED CVE-2018-18076 RESERVED CVE-2018-18075 (WikidForum 2.20 has SQL Injection via the rpc.php parent_post_id or nu ...) NOT-FOR-US: WikidForum CVE-2018-18074 (The Requests package before 2.20.0 for Python sends an HTTP Authorizat ...) - requests 2.20.0-1 (low; bug #910766) [stretch] - requests (Minor issue) [jessie] - requests (Minor issue) NOTE: https://github.com/requests/requests/issues/4716 NOTE: https://github.com/requests/requests/pull/4718 NOTE: https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff CVE-2018-18073 (Artifex Ghostscript allows attackers to bypass a sandbox protection me ...) {DSA-4336-1 DLA-1552-1} - ghostscript 9.25~dfsg-3 (bug #910758) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1690 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699927 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=34cc326eb2c5695833361887fe0b32e8d987741c NOTE: https://www.openwall.com/lists/oss-security/2018/10/10/12 CVE-2018-18072 RESERVED CVE-2018-18071 (An issue was discovered in the Daimler Mercedes-Benz Me app 2.11.0-846 ...) NOT-FOR-US: Daimler Mercedes-Benz Me app for iOS CVE-2018-18070 (An issue was discovered in Daimler Mercedes-Benz COMAND 17/13.0 50.12 ...) NOT-FOR-US: Daimler Mercedes-Benz COMAND on Mercedes-Benz C-Class 2018 vehicles CVE-2018-18069 (process_forms in the WPML (aka sitepress-multilingual-cms) plugin thro ...) NOT-FOR-US: Wordpress plugin CVE-2018-18068 (The ARM-based hardware debugging feature on Raspberry Pi 3 module B+ a ...) NOT-FOR-US: ARM-based hardware debugging feature on Raspberry Pi 3 module B+ (and possibly other devices) CVE-2018-18067 RESERVED CVE-2018-18066 (snmp_oid_compare in snmplib/snmp_api.c in Net-SNMP before 5.8 has a NU ...) - net-snmp 5.7.3+dfsg-1.1 [jessie] - net-snmp 5.7.2.1+dfsg-1+deb8u1 NOTE: https://sourceforge.net/p/net-snmp/code/ci/f23bcd3ac6ddee5d0a48f9703007ccc738914791/ NOTE: The same commit as for other CVEs (CVE-2018-1000116, CVE-2015-5621) adresses this NOTE: issue, but might still not be just a duplicate but an independent issue fixed with NOTE: same commit. CVE-2018-18065 (_set_key in agent/helpers/table_container.c in Net-SNMP before 5.8 has ...) {DSA-4314-1 DLA-1540-1} - net-snmp 5.7.3+dfsg-4 (bug #910638) NOTE: https://dumpco.re/blog/net-snmp-5.7.3-remote-dos NOTE: https://sourceforge.net/p/net-snmp/code/ci/7ffb8e25a0db851953155de91f0170e9bf8c457d/ CVE-2018-18064 (cairo through 1.15.14 has an out-of-bounds stack-memory write during p ...) - cairo (low; bug #916083) [buster] - cairo (Minor issue) [stretch] - cairo (Minor issue) [jessie] - cairo (Minor issue) NOTE: https://gitlab.freedesktop.org/cairo/cairo/issues/341 CVE-2018-18063 RESERVED CVE-2018-18062 (An issue was discovered in dialog.php in tecrail Responsive FileManage ...) NOT-FOR-US: tecrail Responsive FileManager CVE-2018-18061 (An issue was discovered in dialog.php in tecrail Responsive FileManage ...) NOT-FOR-US: tecrail Responsive FileManager CVE-2018-18060 (An issue was discovered in Bitdefender Engines before 7.76808. A vulne ...) NOT-FOR-US: Bitdefender CVE-2018-18059 (An issue was discovered in Bitdefender Engines before 7.76675. A vulne ...) NOT-FOR-US: Bitdefender CVE-2018-18058 (An issue was discovered in Bitdefender Engines before 7.76662. A vulne ...) NOT-FOR-US: Bitdefender CVE-2018-18057 RESERVED CVE-2018-18056 (An issue was discovered in the Texas Instruments (TI) TM4C, MSP432E an ...) NOT-FOR-US: Texas Instruments CVE-2018-1000810 (The Rust Programming Language Standard Library version 1.29.0, 1.28.0, ...) - rustc 1.30.0+dfsg1-1 [stretch] - rustc (Introduced in 1.26) [jessie] - rustc (Vulnerable code not present) NOTE: https://blog.rust-lang.org/2018/09/21/Security-advisory-for-std.html NOTE: https://groups.google.com/forum/#!topic/rustlang-security-announcements/CmSuTm-SaU0 CVE-2018-1000809 (privacyIDEA version 2.23.1 and earlier contains a Improper Input Valid ...) NOT-FOR-US: privacyIDEA CVE-2018-1000808 (Python Cryptographic Authority pyopenssl version Before 17.5.0 contain ...) - pyopenssl 17.5.0-1 (low) [stretch] - pyopenssl (Minor issue) [jessie] - pyopenssl (Minor issue, but also requires at least cryptography 2.1.4 which exposes the X509_up_ref method) NOTE: https://github.com/pyca/pyopenssl/pull/723 NOTE: https://github.com/pyca/pyopenssl/commit/e73818600065821d588af475b024f4eb518c3509 CVE-2018-1000807 (Python Cryptographic Authority pyopenssl version prior to version 17.5 ...) - pyopenssl 17.5.0-1 [stretch] - pyopenssl (Minor issue) [jessie] - pyopenssl (Minor issue, but also requires at least cryptography 2.1.4 which exposes the X509_up_ref method) NOTE: https://github.com/pyca/pyopenssl/pull/723 NOTE: https://github.com/pyca/pyopenssl/commit/e73818600065821d588af475b024f4eb518c3509 CVE-2018-1000805 (Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 con ...) {DLA-1556-1} - paramiko 2.4.2-0.1 (bug #910760) [stretch] - paramiko (Minor issue) NOTE: https://github.com/paramiko/paramiko/issues/1283 NOTE: https://github.com/paramiko/paramiko/commit/56c96a659658acdbb873aef8809a7b508434dcce CVE-2018-1000804 (contiki-ng version 4 contains a Buffer Overflow vulnerability in AQL ( ...) NOT-FOR-US: contiki-ng CVE-2018-1000803 (Gitea version prior to version 1.5.1 contains a CWE-200 vulnerability ...) - gitea NOTE: https://github.com/go-gitea/gitea/pull/4664 NOTE: https://github.com/go-gitea/gitea/pull/4664/files#diff-146e0c2b5bb1ea96c9fb73d509456e57 CVE-2018-18055 RESERVED CVE-2018-18054 RESERVED CVE-2018-18053 RESERVED CVE-2018-18052 RESERVED CVE-2018-18051 RESERVED CVE-2018-18050 RESERVED CVE-2018-18049 RESERVED CVE-2018-18048 RESERVED CVE-2018-18047 RESERVED CVE-2018-18046 RESERVED CVE-2018-18045 RESERVED CVE-2018-18044 RESERVED CVE-2018-18043 RESERVED CVE-2018-18042 RESERVED CVE-2018-18041 RESERVED CVE-2018-18040 RESERVED CVE-2018-18039 RESERVED CVE-2018-18038 RESERVED CVE-2018-18037 RESERVED CVE-2018-18036 RESERVED CVE-2018-18035 (A vulnerability in flashcanvas.swf in OpenEMR before 5.0.1 Patch 6 cou ...) NOT-FOR-US: OpenEMR CVE-2018-18034 RESERVED CVE-2018-18033 RESERVED CVE-2018-18032 RESERVED CVE-2018-18031 RESERVED CVE-2018-18030 RESERVED CVE-2018-18029 (Navigate CMS has Stored XSS via the navigate.php Title field in an edi ...) NOT-FOR-US: Navigate CMS CVE-2018-18028 RESERVED CVE-2018-18027 RESERVED CVE-2018-18026 (IMFCameraProtect.sys in IObit Malware Fighter 6.2 (and possibly lower ...) NOT-FOR-US: IObit Malware Fighter CVE-2018-18025 (In ImageMagick 7.0.8-13 Q16, there is a heap-based buffer over-read in ...) {DLA-1574-1} - imagemagick 8:6.9.10.14+dfsg-1 (low; bug #911435) [stretch] - imagemagick (Fix along in next DSA) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1335 NOTE: https://github.com/ImageMagick/ImageMagick/commit/1a22fc0c8837838e60daecc0bf01648f359dd6fd NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/394b3e6edf74d1337ce338927da053bb40c00ae9 CVE-2018-18024 (In ImageMagick 7.0.8-13 Q16, there is an infinite loop in the ReadBMPI ...) - imagemagick 8:6.9.10.14+dfsg-1 (low) [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1337 NOTE: https://github.com/ImageMagick/ImageMagick/commit/948f1c86d649a29df08a38d2ff8b91cdf3e92b82 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/b268ce7a59440972f4476b9fd98104b6a836d971 CVE-2018-18023 (In ImageMagick 7.0.8-13 Q16, there is a heap-based buffer over-read in ...) - imagemagick 8:6.9.10.14+dfsg-1 [stretch] - imagemagick (Vulnerable code not present) [jessie] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1336 NOTE: https://github.com/ImageMagick/ImageMagick/commit/5d71e23b853461dd3628cd1218834fcf13938365 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/a5db4873626f702d2ddd8bc293573493e0a412c0 CVE-2018-18022 RESERVED CVE-2012-6710 (ext_find_user in eXtplorer through 2.1.2 allows remote attackers to by ...) - extplorer CVE-2018-18020 (In QPDF 8.2.1, in libqpdf/QPDFWriter.cc, QPDFWriter::unparseObject and ...) - qpdf 9.0.0-1 [buster] - qpdf (Minor issue) [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) NOTE: https://github.com/qpdf/qpdf/issues/243 NOTE: https://github.com/qpdf/qpdf/commit/cf469d789024cdda41684f1ea48b41829b98c242 CVE-2018-1000806 REJECTED CVE-2018-18019 (XSS exists in the Tribulant Slideshow Gallery plugin 1.6.8 for WordPre ...) NOT-FOR-US: Tribulant Slideshow Gallery plugin for WordPress CVE-2018-18018 (SQL Injection exists in the Tribulant Slideshow Gallery plugin 1.6.8 f ...) NOT-FOR-US: Tribulant Slideshow Gallery plugin for WordPress CVE-2018-18017 (XSS exists in the Tribulant Slideshow Gallery plugin 1.6.8 for WordPre ...) NOT-FOR-US: Tribulant Slideshow Gallery plugin for WordPress CVE-2018-18016 (ImageMagick 7.0.7-28 has a memory leak vulnerability in WritePCXImage ...) - imagemagick 8:6.9.10.14+dfsg-1 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1049 CVE-2018-18015 RESERVED CVE-2018-18014 (** DISPUTED *** Lack of authentication in Citrix Xen Mobile through 10 ...) NOT-FOR-US: Citrix CVE-2018-18013 (** DISPUTED *** Xen Mobile through 10.8.0 includes a service listening ...) NOT-FOR-US: Citrix CVE-2018-18012 RESERVED CVE-2018-18011 RESERVED CVE-2018-18010 RESERVED CVE-2018-18009 (dirary0.js on D-Link DIR-140L, DIR-640L devices allows remote unauthen ...) NOT-FOR-US: D-Link CVE-2018-18008 (spaces.htm on multiple D-Link devices (DSL, DIR, DWR) allows remote un ...) NOT-FOR-US: D-Link CVE-2018-18007 (atbox.htm on D-Link DSL-2770L devices allows remote unauthenticated at ...) NOT-FOR-US: D-Link CVE-2018-18006 (Hardcoded credentials in the Ricoh myPrint application 2.9.2.4 for Win ...) NOT-FOR-US: Ricoh myPrint application CVE-2018-18005 (Cross-site scripting in event_script.js in VIVOTEK Network Camera Seri ...) NOT-FOR-US: VIVOTEK Network Camera CVE-2018-18004 (Incorrect Access Control in mod_inetd.cgi in VIVOTEK Network Camera Se ...) NOT-FOR-US: VIVOTEK Network Camera CVE-2018-18003 RESERVED CVE-2018-18002 RESERVED CVE-2018-18001 RESERVED CVE-2018-18000 RESERVED CVE-2018-17999 RESERVED CVE-2018-17998 RESERVED CVE-2018-17997 (LayerBB 1.1.1 allows XSS via the titles of conversations (PMs). ...) NOT-FOR-US: LayerBB CVE-2018-17996 (LayerBB before 1.1.3 allows CSRF for adding a user via admin/new_user. ...) NOT-FOR-US: LayerBB CVE-2018-17995 RESERVED CVE-2018-17994 RESERVED CVE-2018-17993 RESERVED CVE-2018-17992 RESERVED CVE-2018-17991 RESERVED CVE-2018-17990 (An issue was discovered on D-Link DSL-3782 devices with firmware 1.01. ...) NOT-FOR-US: D-Link CVE-2018-17989 (A stored XSS vulnerability exists in the web interface on D-Link DSL-3 ...) NOT-FOR-US: D-Link CVE-2018-17988 (LayerBB 1.1.1 has SQL Injection via the search.php search_query parame ...) NOT-FOR-US: LayerBB CVE-2018-17987 (The determineWinner function of a smart contract implementation for Ha ...) NOT-FOR-US: Some Ethereum application CVE-2018-17986 (rars/user/data in razorCMS 3.4.8 allows CSRF for changing the password ...) NOT-FOR-US: razorCMS CVE-2018-17985 (An issue was discovered in cp-demangle.c in GNU libiberty, as distribu ...) - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87335 NOTE: Fixed by: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=03e51746ed98d9106803f6009ebd71ea670ad3b9 NOTE: binutils not covered by security support CVE-2018-17984 (An unanchored /[a-z]{2}/ regular expression in ISPConfig before 3.1.13 ...) NOT-FOR-US: ISPConfig CVE-2018-17982 RESERVED CVE-2018-17981 (Lifesize Express ls ex2_4.7.10 2000 (14) devices allow XSS via the int ...) NOT-FOR-US: Lifesize Express CVE-2018-17980 (NoMachine before 5.3.27 and 6.x before 6.3.6 allows attackers to gain ...) NOT-FOR-US: NoMachine CVE-2015-9273 (The wp-slimstat (aka Slimstat Analytics) plugin before 4.1.6.1 for Wor ...) NOT-FOR-US: WordPress plugin wp-slimstat CVE-2015-9272 (The videowhisper-video-presentation plugin 3.31.17 for WordPress allow ...) NOT-FOR-US: videowhisper-video-presentation plugin for WordPress CVE-2014-10076 (The wp-db-backup plugin 2.2.4 for WordPress relies on a five-character ...) NOT-FOR-US: wp-db-backup plugin WordPress CVE-2014-10075 (The karo gem 2.3.8 for Ruby allows Remote command injection via the ho ...) NOT-FOR-US: karo gem CVE-2013-7468 (Simple Machines Forum (SMF) 2.0.4 allows PHP Code Injection via the in ...) NOT-FOR-US: Simple Machines Forum (SMF) CVE-2013-7467 (Simple Machines Forum (SMF) 2.0.4 allows XSS via the index.php?action= ...) NOT-FOR-US: Simple Machines Forum (SMF) CVE-2013-7466 (Simple Machines Forum (SMF) 2.0.4 allows local file inclusion, with re ...) NOT-FOR-US: Simple Machines Forum (SMF) CVE-2013-7465 (Ice Cold Apps Servers Ultimate 6.0.2(12) does not require authenticati ...) NOT-FOR-US: Ice Cold Apps Servers Ultimate CVE-2018-17983 (cext/manifest.c in Mercurial before 4.7.2 has an out-of-bounds read du ...) - mercurial 4.7.2-1 (unimportant) [jessie] - mercurial (Vulnerable code not present) NOTE: https://www.mercurial-scm.org/repo/hg/rev/5405cb1a7901 NOTE: Crash in CLI tool, no security impact CVE-2018-17979 RESERVED CVE-2018-17978 RESERVED CVE-2018-17977 (The Linux kernel 4.14.67 mishandles certain interaction among XFRM Net ...) - linux CVE-2018-17976 (An issue was discovered in GitLab Community Edition 11.x before 11.1.8 ...) - gitlab 11.1.8+dfsg-2 NOTE: https://about.gitlab.com/2018/10/05/critical-security-release-11-3-4/ NOTE: https://gitlab.com/gitlab-org/gitlab-ce/issues/51581 CVE-2018-17975 (An issue was discovered in GitLab Community Edition 11.x before 11.1.8 ...) - gitlab 11.1.8+dfsg-2 NOTE: https://about.gitlab.com/2018/10/05/critical-security-release-11-3-4/ NOTE: https://gitlab.com/gitlab-org/gitlab-ce/issues/50744 CVE-2018-17974 (An issue was discovered in Tcpreplay 4.3.0 beta1. A heap-based buffer ...) - tcpreplay 4.3.1-1 (bug #910598) [stretch] - tcpreplay (Minor issue) [jessie] - tcpreplay (Minor issue) NOTE: https://github.com/appneta/tcpreplay/issues/486 CVE-2018-17973 RESERVED CVE-2018-17971 RESERVED CVE-2018-17970 RESERVED CVE-2018-17972 (An issue was discovered in the proc_pid_stack function in fs/proc/base ...) {DLA-1731-1 DLA-1715-1} - linux 4.18.20-1 [stretch] - linux 4.9.135-1 NOTE: https://marc.info/?l=linux-fsdevel&m=153806242024956&w=2 NOTE: https://git.kernel.org/linus/f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7 CVE-2018-17969 (Samsung SCX-6545X V2.00.03.01 03-23-2012 devices allows remote attacke ...) NOT-FOR-US: Samsung SCX-6545X V2.00.03.01 03-23-2012 devices CVE-2018-17968 (A gambling smart contract implementation for RuletkaIo, an Ethereum ga ...) NOT-FOR-US: RuletkaIo CVE-2018-17967 (ImageMagick 7.0.7-28 has a memory leak vulnerability in ReadBGRImage i ...) - imagemagick 8:6.9.10.14+dfsg-1 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1051 CVE-2018-17966 (ImageMagick 7.0.7-28 has a memory leak vulnerability in WritePDBImage ...) - imagemagick 8:6.9.10.14+dfsg-1 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1050 CVE-2018-17965 (ImageMagick 7.0.7-28 has a memory leak vulnerability in WriteSGIImage ...) - imagemagick 8:6.9.10.14+dfsg-1 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1052 CVE-2018-17964 (Aryanic HighPortal 12.5 has XSS via an Add Tags action. ...) NOT-FOR-US: Aryanic HighPortal CVE-2018-17963 (qemu_deliver_packet_iov in net/net.c in Qemu accepts packet sizes grea ...) {DSA-4338-1 DLA-1599-1} - qemu 1:3.1+dfsg-1 (bug #911469) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03267.html NOTE: https://www.openwall.com/lists/oss-security/2018/10/08/1 NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=1592a9947036d60dde5404204a5d45975133caf5 CVE-2018-17962 (Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because ...) {DSA-4338-1 DLA-1599-1} - qemu 1:3.1+dfsg-1 (bug #911468) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03268.html NOTE: https://www.openwall.com/lists/oss-security/2018/10/08/1 NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=b1d80d12c5f7ff081bb80ab4f4241d4248691192 CVE-2018-17961 (Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sand ...) {DSA-4336-1 DLA-1552-1} - ghostscript 9.25~dfsg-3 (bug #910678) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1682 NOTE: https://www.openwall.com/lists/oss-security/2018/10/09/4 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a54c9e61e7d02bbc620bcba9b1c208462a876afb NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a6807394bd94b708be24758287b606154daaaed9 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a5a9bf8c6a63aa4ac6874234fe8cd63e72077291 CVE-2018-17960 (CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source ...) - ckeditor 4.11.1+dfsg-1 (low) [stretch] - ckeditor (Minor issue) [jessie] - ckeditor (Minor issue) - fckeditor CVE-2018-17959 RESERVED CVE-2018-17958 (Qemu has a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c b ...) {DSA-4454-1 DLA-1646-1} - qemu 1:3.1+dfsg-1 (bug #911499) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03269.html NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=1a326646fef38782e5542280040ec3ea23e4a730 NOTE: https://www.openwall.com/lists/oss-security/2018/10/08/1 CVE-2018-17957 (The YaST2 RMT module for configuring the SUSE Repository Mirroring Too ...) NOT-FOR-US: YaST2 RMT module CVE-2018-17956 (In yast2-samba-provision up to and including version 1.0.1 the passwor ...) NOT-FOR-US: yast2-samba-provision CVE-2018-17955 (In yast2-multipath before version 4.1.1 a static temporary filename al ...) NOT-FOR-US: yast2-multipath CVE-2018-17954 (A Least Privilege Violation vulnerability in crowbar of SUSE OpenStack ...) NOT-FOR-US: crowbar CVE-2018-17953 (A incorrect variable in a SUSE specific patch for pam_access rule matc ...) - pam (Issue introduced by SUSE specific patch) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1115640 NOTE: Issue introduced by SUSE specific patch (pam-hostnames-in-access_conf.patch) NOTE: https://build.opensuse.org/package/view_file/Linux-PAM/pam/pam-hostnames-in-access_conf.patch NOTE: And fixed with (use-correct-IP-address.patch) NOTE: https://build.opensuse.org/package/view_file/Linux-PAM/pam/use-correct-IP-address.patch CVE-2018-17952 (Cross site scripting vulnerability in eDirectory prior to 9.1 SP2 ...) NOT-FOR-US: eDirectory CVE-2018-17951 RESERVED CVE-2018-17950 (Incorrect enforcement of authorization checks in eDirectory prior to 9 ...) NOT-FOR-US: eDirectory CVE-2018-17949 (Cross site scripting vulnerability in iManager prior to 3.1 SP2. ...) NOT-FOR-US: iManager CVE-2018-17948 (An open redirect vulnerability exists in the Access Manager Identity P ...) NOT-FOR-US: Microfocus CVE-2018-17947 (The Snazzy Maps plugin before 1.1.5 for WordPress has XSS via the text ...) NOT-FOR-US: WordPress plugin snazzy-maps CVE-2018-17946 (The Tribulant Slideshow Gallery plugin before 1.6.6.1 for WordPress ha ...) NOT-FOR-US: WordPress plugin slideshow-gallery CVE-2018-17945 RESERVED CVE-2018-17944 (On certain Lexmark devices that communicate with an LDAP or SMTP serve ...) NOT-FOR-US: Lexmark CVE-2018-17943 RESERVED CVE-2018-17942 (The convert_to_decimal function in vasnprintf.c in Gnulib before 2018- ...) {DLA-1543-1} - gnulib 20140202+stable-3.1 (low; bug #910757) [stretch] - gnulib 20140202+stable-2+deb9u1 NOTE: pspp affecting bug: https://savannah.gnu.org/bugs/?func=detailitem&item_id=54686 NOTE: https://lists.gnu.org/archive/html/bug-gnulib/2018-09/msg00107.html NOTE: https://github.com/coreutils/gnulib/commit/278b4175c9d7dd47c1a3071554aac02add3b3c35 CVE-2018-17941 RESERVED CVE-2018-17940 RESERVED CVE-2018-17939 (An issue was discovered in GitLab Community and Enterprise Edition 11. ...) - gitlab 11.1.8+dfsg-2 NOTE: https://about.gitlab.com/2018/10/05/critical-security-release-11-3-4/ NOTE: https://gitlab.com/gitlab-org/gitlab-ce/issues/51956 CVE-2018-17938 (Zimbra Collaboration before 8.8.10 GA allows text content spoofing via ...) NOT-FOR-US: Zimbra CVE-2018-17937 (gpsd versions 2.90 to 3.17 and microjson versions 1.0 to 1.3, an open ...) {DLA-1738-1} [experimental] - gpsd 3.18.1-1 - gpsd 3.17-6 (low; bug #925327) [stretch] - gpsd (Minor issue) NOTE: http://git.savannah.nongnu.org/cgit/gpsd.git/commit/?id=7646cbd04055a50b157312ba6b376e88bd398c19 CVE-2018-17936 (NUUO CMS All versions 3.3 and prior the application allows the upload ...) NOT-FOR-US: NUUO CMS CVE-2018-17935 (All versions of Telecrane F25 Series Radio Controls before 00.0A use f ...) NOT-FOR-US: Telecrane CVE-2018-17934 (NUUO CMS All versions 3.3 and prior the application allows external in ...) NOT-FOR-US: NUUO CMS CVE-2018-17933 (VGo Robot (Versions 3.0.3.52164 and 3.0.3.53662. Prior versions may al ...) NOT-FOR-US: VGo Robot CVE-2018-17932 RESERVED CVE-2018-17931 (If an attacker has physical access to the VGo Robot (Versions 3.0.3.52 ...) NOT-FOR-US: VGo Robot CVE-2018-17930 (A stack-based buffer overflow vulnerability has been identified in Tel ...) NOT-FOR-US: Teledyne DALSA Sherlock CVE-2018-17929 (In Delta Industrial Automation TPEditor, TPEditor Versions 1.90 and pr ...) NOT-FOR-US: TPEditor CVE-2018-17928 (The product CMS-770 (Software Versions 1.7.1 and prior)is vulnerable t ...) NOT-FOR-US: ABB CMS-770 CVE-2018-17927 (In Delta Industrial Automation TPEditor, TPEditor Versions 1.90 and pr ...) NOT-FOR-US: TPEditor CVE-2018-17926 (The product M2M ETHERNET (FW Versions 2.22 and prior, ETH-FW Versions ...) NOT-FOR-US: ABB M2M ETHERNET CVE-2018-17925 (Multiple instances of this vulnerability (Unsafe ActiveX Control Marke ...) NOT-FOR-US: Gigasoft CVE-2018-17924 (Rockwell Automation MicroLogix 1400 Controllers and 1756 ControlLogix ...) NOT-FOR-US: Rockwell CVE-2018-17923 (SAGA1-L8B with any firmware versions prior to A0.10 are vulnerable to ...) NOT-FOR-US: SAGA1-L8B CVE-2018-17922 (Circontrol CirCarLife all versions prior to 4.3.1, the PAP credentials ...) NOT-FOR-US: Circontrol CirCarLife CVE-2018-17921 (SAGA1-L8B with any firmware versions prior to A0.10 are vulnerable to ...) NOT-FOR-US: SAGA1-L8B CVE-2018-17920 RESERVED CVE-2018-17919 (All versions of Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud ...) NOT-FOR-US: P2P Cloud Server CVE-2018-17918 (Circontrol CirCarLife all versions prior to 4.3.1, authentication to t ...) NOT-FOR-US: Circontrol CirCarLife CVE-2018-17917 (All versions of Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud ...) NOT-FOR-US: P2P Cloud Server CVE-2018-17916 (InduSoft Web Studio versions prior to 8.1 SP2, and InTouch Edge HMI (f ...) NOT-FOR-US: InduSoft Web Studio CVE-2018-17915 (All versions of Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud ...) NOT-FOR-US: P2P Cloud Server CVE-2018-17914 (InduSoft Web Studio versions prior to 8.1 SP2, and InTouch Edge HMI (f ...) NOT-FOR-US: InduSoft Web Studio CVE-2018-17913 (A type confusion vulnerability exists when processing project files in ...) NOT-FOR-US: Omron CX-Supervisor CVE-2018-17912 (An XXE vulnerability exists in CASE Suite Versions 3.10 and prior when ...) NOT-FOR-US: CASE Suite CVE-2018-17911 (LAquis SCADA Versions 4.1.0.3870 and prior has several stack-based buf ...) NOT-FOR-US: LAquis SCADA CVE-2018-17910 (WebAccess Versions 8.3.2 and prior. The application fails to properly ...) NOT-FOR-US: Advantech WebAccess CVE-2018-17909 (When processing project files in Omron CX-Supervisor Versions 3.4.1.0 ...) NOT-FOR-US: Omron CX-Supervisor CVE-2018-17908 (WebAccess Versions 8.3.2 and prior. During installation, the applicati ...) NOT-FOR-US: Advantech WebAccess CVE-2018-17907 (When processing project files in Omron CX-Supervisor Versions 3.4.1.0 ...) NOT-FOR-US: Omron CX-Supervisor CVE-2018-17906 (Philips iSite and IntelliSpace PACS, iSite PACS, all versions, and Int ...) NOT-FOR-US: Philips CVE-2018-17905 (When processing project files in Omron CX-Supervisor Versions 3.4.1.0 ...) NOT-FOR-US: Omron CX-Supervisor CVE-2018-17904 (Reliance 4 SCADA/HMI, Version 4.7.3 Update 3 and prior. This vulnerabi ...) NOT-FOR-US: Reliance 4 SCADA/HMI CVE-2018-17903 (SAGA1-L8B with any firmware versions prior to A0.10 are vulnerable to ...) NOT-FOR-US: SAGA1-L8B CVE-2018-17902 (Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, All versi ...) NOT-FOR-US: Yokogawa STARDOM Controllers CVE-2018-17901 (LAquis SCADA Versions 4.1.0.3870 and prior, when processing project fi ...) NOT-FOR-US: LAquis SCADA CVE-2018-17900 (Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, All versi ...) NOT-FOR-US: Yokogawa STARDOM Controllers CVE-2018-17899 (LAquis SCADA Versions 4.1.0.3870 and prior has a path traversal vulner ...) NOT-FOR-US: LAquis SCADA CVE-2018-17898 (Yokogawa STARDOM Controllers FCJ,FCN-100, FCN-RTU, FCN-500, All versio ...) NOT-FOR-US: Yokogawa STARDOM Controllers CVE-2018-17897 (LAquis SCADA Versions 4.1.0.3870 and prior has several integer overflo ...) NOT-FOR-US: LAquis SCADA CVE-2018-17896 (Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, All versi ...) NOT-FOR-US: Yokogawa STARDOM Controllers CVE-2018-17895 (LAquis SCADA Versions 4.1.0.3870 and prior has several out-of-bounds r ...) NOT-FOR-US: LAquis SCADA CVE-2018-17894 (NUUO CMS all versions 3.1 and prior, The application creates default a ...) NOT-FOR-US: NUUO CMS CVE-2018-17893 (LAquis SCADA Versions 4.1.0.3870 and prior has an untrusted pointer de ...) NOT-FOR-US: LAquis SCADA CVE-2018-17892 (NUUO CMS all versions 3.1 and prior, The application implements a meth ...) NOT-FOR-US: NUUO CMS CVE-2018-17891 (Carestream Vue RIS, RIS Client Builds: Version 11.2 and prior running ...) NOT-FOR-US: Carestream Vue RIS, RIS Client Builds CVE-2018-17890 (NUUO CMS all versions 3.1 and prior, The application uses insecure and ...) NOT-FOR-US: NUUO CMS CVE-2018-17889 (In WECON Technology Co., Ltd. PI Studio HMI versions 4.1.9 and prior a ...) NOT-FOR-US: PI Studio HMI CVE-2018-17888 (NUUO CMS all versions 3.1 and prior, The application uses a session id ...) NOT-FOR-US: NUUO CMS CVE-2018-17887 RESERVED CVE-2018-17886 (An issue was discovered in JEESNS 1.3. The XSS filter in com.lxinet.je ...) NOT-FOR-US: JEESNS CVE-2018-17885 RESERVED CVE-2018-17883 RESERVED - otrs2 6.0.12-1 [stretch] - otrs2 (Only affects 6.x) [jessie] - otrs2 (Only affects 6.x) NOTE: https://community.otrs.com/security-advisory-2018-06-security-update-for-otrs-framework/ NOTE: https://github.com/OTRS/otrs/commit/40bbcc261a77c2f4c0383658cd99c07d577179ce CVE-2018-18021 (arch/arm64/kvm/guest.c in KVM in the Linux kernel before 4.18.12 on th ...) {DSA-4313-1 DLA-1715-1} - linux 4.18.10-2 [jessie] - linux (arm64 not supported in jessie LTS) NOTE: https://git.kernel.org/linus/d26c25a9d19b5976b319af528886f89cf455692d NOTE: https://git.kernel.org/linus/2a3f93459d689d990b3ecfbe782fec89b97d3279 CVE-2018-17884 (XSS exists in admin/gb-dashboard-widget.php in the Gwolle Guestbook (g ...) NOT-FOR-US: WordPress plugin gwolle-gb CVE-2018-17882 (An Integer overflow vulnerability exists in the batchTransfer function ...) NOT-FOR-US: CryptoBotsBattle CVE-2018-17881 (On D-Link DIR-823G 2018-09-19 devices, the GoAhead configuration allow ...) NOT-FOR-US: D-Link DIR-823G 2018-09-19 devices CVE-2018-17880 (On D-Link DIR-823G 2018-09-19 devices, the GoAhead configuration allow ...) NOT-FOR-US: D-Link DIR-823G 2018-09-19 devices CVE-2018-17879 RESERVED CVE-2018-17878 RESERVED CVE-2018-17877 (A lottery smart contract implementation for Greedy 599, an Ethereum ga ...) NOT-FOR-US: Greedy 599 CVE-2018-17876 (A Stored XSS vulnerability has been discovered in the v5.5.0 version o ...) NOT-FOR-US: Coaster CMS CVE-2018-17875 RESERVED CVE-2018-17874 (ExpressionEngine before 4.3.5 has reflected XSS. ...) NOT-FOR-US: ExpressionEngine CVE-2018-17873 (An incorrect access control vulnerability in the FTP configuration of ...) NOT-FOR-US: WifiRanger CVE-2018-17872 (Verba Collaboration Compliance and Quality Management Platform before ...) NOT-FOR-US: Verba Collaboration Compliance and Quality Management Platform CVE-2018-17871 (Verba Collaboration Compliance and Quality Management Platform before ...) NOT-FOR-US: Verba Collaboration Compliance and Quality Management Platform CVE-2018-17870 (An issue was discovered in BTITeam XBTIT 2.5.4. The "returnto" paramet ...) NOT-FOR-US: BTITeam XBTIT CVE-2018-17869 (DASAN H660GW devices do not implement any CSRF protection mechanism. ...) NOT-FOR-US: DASAN H660GW devices CVE-2018-17868 (DASAN H660GW devices have Stored XSS in the Port Forwarding functional ...) NOT-FOR-US: DASAN H660GW devices CVE-2018-17867 (The Port Forwarding functionality on DASAN H660GW devices allows remot ...) NOT-FOR-US: DASAN H660GW device CVE-2018-17866 (Multiple cross-site scripting (XSS) vulnerabilities in includes/core/u ...) NOT-FOR-US: "Ultimate Member - User Profile & Membership" plugin for WordPress CVE-2018-17865 RESERVED CVE-2018-17864 RESERVED CVE-2018-17863 RESERVED CVE-2018-17862 RESERVED CVE-2018-17861 RESERVED CVE-2018-17860 (Cloudera CDH has Insecure Permissions because ALL cannot be revoked.Th ...) NOT-FOR-US: Cloudera CVE-2018-17859 (An issue was discovered in Joomla! before 3.8.13. Inadequate checks in ...) NOT-FOR-US: Joomla! CVE-2018-17858 (An issue was discovered in Joomla! before 3.8.13. com_installer action ...) NOT-FOR-US: Joomla! CVE-2018-17857 (An issue was discovered in Joomla! before 3.8.13. Inadequate checks on ...) NOT-FOR-US: Joomla! CVE-2018-17856 (An issue was discovered in Joomla! before 3.8.13. com_joomlaupdate all ...) NOT-FOR-US: Joomla! CVE-2018-17855 (An issue was discovered in Joomla! before 3.8.13. If an attacker gets ...) NOT-FOR-US: Joomla! CVE-2015-9271 (The VideoWhisper videowhisper-video-conference-integration plugin 4.91 ...) NOT-FOR-US: WordPress plugin videowhisper-video-conference-integration CVE-2015-9270 (XSS exists in the the-holiday-calendar plugin before 1.11.3 for WordPr ...) NOT-FOR-US: the-holiday-calendar plugin for WordPress CVE-2015-9269 (The export/content.php exportarticle feature in the wordpress-mobile-p ...) NOT-FOR-US: wordpress-mobile-pack plugin for WordPress CVE-2018-17854 (SIMDComp before 0.1.1 allows remote attackers to cause a denial of ser ...) NOT-FOR-US: SIMDComp CVE-2018-17853 RESERVED CVE-2018-17852 (A SQL injection was discovered in WUZHI CMS 4.1.0 in coreframe/app/cou ...) NOT-FOR-US: WUZHI CMS CVE-2018-17851 REJECTED CVE-2018-17850 REJECTED CVE-2018-17849 (Navigate CMS 2.8 has Stored XSS via a navigate_upload.php (aka File Up ...) NOT-FOR-US: Navigate CMS CVE-2018-17848 (The html package (aka x/net/html) through 2018-09-25 in Go mishandles ...) - golang-golang-x-net-dev 1:0.0+git20181201.351d144+dfsg-3 (bug #911795) [stretch] - golang-golang-x-net-dev (Vulnerable code not present) - golang-go.net-dev [jessie] - golang-go.net-dev (Minor issue) NOTE: https://github.com/golang/go/issues/27846 NOTE: https://github.com/golang/net/commit/4b62a64f59f73840b9ab79204c94fee61cd1ba2c CVE-2018-17847 (The html package (aka x/net/html) through 2018-09-25 in Go mishandles ...) - golang-golang-x-net-dev 1:0.0+git20181201.351d144+dfsg-3 (bug #911795) [stretch] - golang-golang-x-net-dev (Vulnerable code not present) - golang-go.net-dev [jessie] - golang-go.net-dev (Minor issue) NOTE: https://github.com/golang/go/issues/27846 NOTE: https://github.com/golang/net/commit/4b62a64f59f73840b9ab79204c94fee61cd1ba2c CVE-2018-17846 (The html package (aka x/net/html) through 2018-09-25 in Go mishandles ...) - golang-golang-x-net-dev 1:0.0+git20181201.351d144+dfsg-3 (bug #911795) [stretch] - golang-golang-x-net-dev (Vulnerable code not present) - golang-go.net-dev [jessie] - golang-go.net-dev (Minor issue) NOTE: https://github.com/golang/go/issues/27842 NOTE: https://github.com/golang/net/commit/d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf CVE-2018-17845 RESERVED CVE-2018-17844 RESERVED CVE-2018-17843 (SQL injection exists in ADD Clicking MLM Software 1.0, Binary MLM Soft ...) NOT-FOR-US: ADD Clicking MLM CVE-2018-17842 (SQL injection exists in Scriptzee Hotel Booking Engine 1.0 via the hot ...) NOT-FOR-US: Scriptzee Hotel Booking Engine CVE-2018-17841 (SQL injection exists in Scriptzee Flippa Marketplace Clone 1.0 via the ...) NOT-FOR-US: Scriptzee Flippa Marketplace Clone CVE-2018-17840 (SQL injection exists in Scriptzee Education Website 1.0 via the colleg ...) NOT-FOR-US: Scriptzee Education Website CVE-2018-17839 RESERVED CVE-2018-17838 (An issue was discovered in JTBC(PHP) 3.0.1.6. Arbitrary file read oper ...) NOT-FOR-US: JTBC CVE-2018-17837 (An issue was discovered in JTBC(PHP) 3.0.1.6. Arbitrary file deletion ...) NOT-FOR-US: JTBC CVE-2018-17836 (An issue was discovered in JTBC(PHP) 3.0.1.6. It allows remote attacke ...) NOT-FOR-US: JTBC CVE-2018-17835 (An issue was discovered in GetSimple CMS 3.3.15. An administrator can ...) NOT-FOR-US: GetSimple CMS CVE-2018-17834 RESERVED CVE-2018-17833 RESERVED CVE-2018-17832 (XSS exists in WUZHI CMS 2.0 via the index.php v or f parameter. ...) NOT-FOR-US: WUZHI CMS CVE-2018-17831 (In REDAXO before 5.6.3, a critical SQL injection vulnerability has bee ...) NOT-FOR-US: REDAXO CVE-2018-17830 (The $args variable in addons/mediapool/pages/index.php in REDAXO 5.6.2 ...) NOT-FOR-US: REDAXO CVE-2018-17829 RESERVED CVE-2018-17828 (Directory traversal vulnerability in ZZIPlib 0.13.69 allows attackers ...) - zziplib (unimportant) NOTE: https://github.com/gdraheim/zziplib/issues/62 NOTE: unzzipcat-mem not installed into the binary packages CVE-2018-17827 (HisiPHP 1.0.8 allows remote attackers to execute arbitrary PHP code by ...) NOT-FOR-US: HisiPHP CVE-2018-17826 (HisiPHP 1.0.8 allows CSRF via admin.php/admin/user/adduser.html to add ...) NOT-FOR-US: HisiPHP CVE-2018-17825 (An issue was discovered in AdPlug 2.3.1. There are several double-free ...) {DLA-1534-1} - adplug 2.2.1+dfsg3-1 (low; bug #910534) [stretch] - adplug (Minor issue) NOTE: https://github.com/adplug/adplug/issues/67 NOTE: https://github.com/adplug/adplug/commit/19ebb61bf92262dc1868de10ba5a211db249ce76 CVE-2018-17824 RESERVED CVE-2018-17823 RESERVED CVE-2018-17822 RESERVED CVE-2018-17821 RESERVED CVE-2018-17820 RESERVED CVE-2018-17819 RESERVED CVE-2018-17818 RESERVED CVE-2018-17817 RESERVED CVE-2018-17816 RESERVED CVE-2018-17815 RESERVED CVE-2018-17814 RESERVED CVE-2018-17813 RESERVED CVE-2018-17812 RESERVED CVE-2018-17811 RESERVED CVE-2018-17810 RESERVED CVE-2018-17809 RESERVED CVE-2018-17808 RESERVED CVE-2018-17807 RESERVED CVE-2018-17806 RESERVED CVE-2018-17805 RESERVED CVE-2018-17804 RESERVED CVE-2018-17803 RESERVED CVE-2018-17802 RESERVED CVE-2018-17801 RESERVED CVE-2018-17800 RESERVED CVE-2018-17799 RESERVED CVE-2018-17798 (An issue was discovered in zzcms 8.3. user/ztconfig.php allows remote ...) NOT-FOR-US: zzcms CVE-2018-17797 (An issue was discovered in zzcms 8.3. user/zssave.php allows remote at ...) NOT-FOR-US: zzcms CVE-2018-17796 (An issue was discovered in MRCMS (aka mushroom) through 3.1.2. The Web ...) NOT-FOR-US: MRCMS CVE-2018-17795 (The function t2p_write_pdf in tiff2pdf.c in LibTIFF 4.0.9 allows remot ...) - tiff 4.0.9-2 [stretch] - tiff 4.0.8-2+deb9u2 [jessie] - tiff 4.0.3-12.3+deb8u5 - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2816 NOTE: Similar issue as CVE-2017-9935 but not considered the same, but adressed NOTE: with same commit. NOTE: https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940 CVE-2018-17794 (An issue was discovered in cplus-dem.c in GNU libiberty, as distribute ...) - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87350 NOTE: Fixed by: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=03e51746ed98d9106803f6009ebd71ea670ad3b9 NOTE: binutils not covered by security support CVE-2015-9268 (Nullsoft Scriptable Install System (NSIS) before 2.49 has unsafe impli ...) {DLA-1602-1} - nsis 2.50-1 NOTE: https://sourceforge.net/p/nsis/bugs/1125/ CVE-2015-9267 (Nullsoft Scriptable Install System (NSIS) before 2.49 uses temporary f ...) {DLA-1602-1} - nsis 2.50-1 NOTE: https://sourceforge.net/p/nsis/bugs/1125/ CVE-2018-17793 REJECTED CVE-2018-17792 (MDaemon Webmail (formerly WorldClient) has CSRF. ...) NOT-FOR-US: MDaemon Webmail CVE-2018-17791 (Newgen OmniFlow Intelligent Business Process Suite (iBPS) 7.0 has an " ...) NOT-FOR-US: Newgen OmniFlow Intelligent Business Process Suite CVE-2018-17790 (Prospecta Master Data Online (MDO) 2.0 has Stored XSS. ...) NOT-FOR-US: Prospecta Master Data Online (MDO) CVE-2018-17789 (Prospecta Master Data Online (MDO) allows CSRF. ...) NOT-FOR-US: Prospecta Master Data Online (MDO) CVE-2018-17788 RESERVED CVE-2018-17787 (On D-Link DIR-823G devices, the GoAhead configuration allows /HNAP1 Co ...) NOT-FOR-US: D-Link DIR-823G devices CVE-2018-17786 (On D-Link DIR-823G devices, ExportSettings.sh, upload_settings.cgi, Ge ...) NOT-FOR-US: D-Link DIR-823G devices CVE-2018-17785 (In blynk-server in Blynk before 0.39.7, Directory Traversal exists via ...) NOT-FOR-US: blynk-server in Blynk CVE-2018-17784 (Multiple vulnerabilities in YUI and FlashCanvas embedded in SugarCRM C ...) NOT-FOR-US: SugarCRM CVE-2018-17783 (A cross-site scripting (XSS) vulnerability in the Edit Filter page (ma ...) - mantis NOTE: https://mantisbt.org/blog/archives/mantisbt/613 NOTE: https://mantisbt.org/bugs/view.php?id=24814 CVE-2018-17782 (A cross-site scripting (XSS) vulnerability in the Manage Filters page ...) - mantis NOTE: https://mantisbt.org/blog/archives/mantisbt/613 NOTE: https://mantisbt.org/bugs/view.php?id=24813 CVE-2018-17781 (Foxit PhantomPDF and Reader before 9.3 allow remote attackers to trigg ...) NOT-FOR-US: Foxit CVE-2018-17780 (Telegram Desktop (aka tdesktop) 1.3.14, and Telegram 3.3.0.0 WP8.1 on ...) - telegram-desktop 1.4.0-1 NOTE: https://www.inputzero.io/2018/09/bug-bounty-telegram-cve-2018-17780.html NOTE: https://github.com/telegramdesktop/tdesktop/commit/c4ca180745300e3d1ac755341e9879fca9087b74 CVE-2018-17779 RESERVED CVE-2018-17778 RESERVED CVE-2018-17777 (An issue was discovered on D-Link DVA-5592 A1_WI_20180823 devices. If ...) NOT-FOR-US: D-Link CVE-2018-17776 (PCProtect Anti-Virus v4.8.35 has "Everyone: (F)" permission for %PROGR ...) NOT-FOR-US: PCProtect Anti-Virus CVE-2018-17775 (Seqrite End Point Security v7.4 has "Everyone: (F)" permission for %PR ...) NOT-FOR-US: Seqrite End Point Security CVE-2018-17774 RESERVED CVE-2018-17773 RESERVED CVE-2018-17772 RESERVED CVE-2018-17771 RESERVED CVE-2018-17770 RESERVED CVE-2018-17769 RESERVED CVE-2018-17768 RESERVED CVE-2018-17767 RESERVED CVE-2018-17766 RESERVED CVE-2018-17765 RESERVED CVE-2018-17764 RESERVED CVE-2018-17763 RESERVED CVE-2018-17762 RESERVED CVE-2018-17761 RESERVED CVE-2018-17760 RESERVED CVE-2018-17759 RESERVED CVE-2018-17758 RESERVED CVE-2018-17757 RESERVED CVE-2018-17756 RESERVED CVE-2018-17755 RESERVED CVE-2018-17754 RESERVED CVE-2018-17753 RESERVED CVE-2018-17752 RESERVED CVE-2018-17751 RESERVED CVE-2018-17750 RESERVED CVE-2018-17749 RESERVED CVE-2018-17748 RESERVED CVE-2018-17747 RESERVED CVE-2018-17746 RESERVED CVE-2018-17745 RESERVED CVE-2018-17744 RESERVED CVE-2018-17743 RESERVED CVE-2018-17742 RESERVED CVE-2018-17741 RESERVED CVE-2018-17740 RESERVED CVE-2018-17739 RESERVED CVE-2018-17738 RESERVED CVE-2018-17737 RESERVED CVE-2018-17736 RESERVED CVE-2018-17735 RESERVED CVE-2018-17734 RESERVED CVE-2018-17733 RESERVED CVE-2018-17732 RESERVED CVE-2018-17731 RESERVED CVE-2018-17730 RESERVED CVE-2018-17729 RESERVED CVE-2018-17728 RESERVED CVE-2018-17727 RESERVED CVE-2018-17726 RESERVED CVE-2018-17725 RESERVED CVE-2018-17724 RESERVED CVE-2018-17723 RESERVED CVE-2018-17722 RESERVED CVE-2018-17721 RESERVED CVE-2018-17720 RESERVED CVE-2018-17719 RESERVED CVE-2018-17718 RESERVED CVE-2018-17717 RESERVED CVE-2018-17716 RESERVED CVE-2018-17715 RESERVED CVE-2018-17714 RESERVED CVE-2018-17713 RESERVED CVE-2018-17712 RESERVED CVE-2018-17711 RESERVED CVE-2018-17710 RESERVED CVE-2018-17709 RESERVED CVE-2018-17708 RESERVED CVE-2018-17707 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Epic Games CVE-2018-17706 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit PhantomPDF Phantom PDF CVE-2018-17705 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17704 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17703 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17702 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17701 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit CVE-2018-17700 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit CVE-2018-17699 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-17698 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17697 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17696 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17695 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit CVE-2018-17694 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit CVE-2018-17693 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit CVE-2018-17692 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit CVE-2018-17691 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit CVE-2018-17690 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit CVE-2018-17689 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit CVE-2018-17688 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit CVE-2018-17687 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit CVE-2018-17686 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-17685 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17684 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17683 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17682 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17681 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17680 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17679 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17678 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17677 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17676 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17675 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17674 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17673 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17672 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17671 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-17670 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17669 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17668 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17667 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17666 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17665 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17664 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17663 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17662 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17661 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17660 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17659 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17658 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17657 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17656 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17655 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17654 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17653 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17652 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17651 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17650 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17649 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17648 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17647 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17646 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17645 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17644 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17643 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17642 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17641 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17640 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17639 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17638 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17637 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17636 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17635 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17634 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17633 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17632 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17631 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17630 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17629 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17628 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17627 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17626 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17625 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17624 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17623 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17622 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-17621 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17620 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17619 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17618 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17617 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17616 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17615 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-17614 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Losant Arduino MQTT Client CVE-2018-17613 (Telegram Desktop (aka tdesktop) 1.3.16 alpha, when "Use proxy" is enab ...) - telegram-desktop (unimportant; bug #921133) NOTE: https://www.inputzero.io/2018/09/telegram-share-password-in-cleartext.html NOTE: Non issue, works as expected, should probably be rejected CVE-2018-17612 (Sennheiser HeadSetup 7.3.4903 places Certification Authority (CA) cert ...) NOT-FOR-US: Sennheiser CVE-2018-17611 (Foxit PhantomPDF and Reader before 9.3 allow remote attackers to execu ...) NOT-FOR-US: Foxit CVE-2018-17610 (Foxit PhantomPDF and Reader before 9.3 allow remote attackers to execu ...) NOT-FOR-US: Foxit CVE-2018-17609 (Foxit PhantomPDF and Reader before 9.3 allow remote attackers to execu ...) NOT-FOR-US: Foxit CVE-2018-17608 (Foxit PhantomPDF and Reader before 9.3 allow remote attackers to execu ...) NOT-FOR-US: Foxit CVE-2018-17607 (Foxit PhantomPDF and Reader before 9.3 allow remote attackers to execu ...) NOT-FOR-US: Foxit CVE-2018-17606 REJECTED CVE-2018-17605 (An issue was discovered in the Asset Pipeline plugin before 3.0.4 for ...) NOT-FOR-US: Grails plugin CVE-2018-17604 RESERVED CVE-2018-17603 RESERVED CVE-2018-17602 RESERVED CVE-2018-17601 RESERVED CVE-2018-17600 RESERVED CVE-2018-17599 RESERVED CVE-2018-17598 RESERVED CVE-2018-17597 RESERVED CVE-2018-17596 (In Zoho ManageEngine AssetExplorer, a Stored XSS vulnerability was dis ...) NOT-FOR-US: Zoho ManageEngine AssetExplorer CVE-2018-17595 (In the 5.4.0 version of the Fork CMS software, HTML Injection and Stor ...) NOT-FOR-US: Fork CMS CVE-2018-17594 (AirTies Air 5443v2 devices with software 1.0.0.18 have XSS via the top ...) NOT-FOR-US: AirTies Air 5443v2 devices CVE-2018-17593 (AirTies Air 5453 devices with software 1.0.0.18 have XSS via the top.h ...) NOT-FOR-US: AirTies Air 5453 devices CVE-2018-17592 RESERVED CVE-2018-17591 (AirTies Air 5343v2 devices with software 1.0.0.18 have XSS via the top ...) NOT-FOR-US: AirTies Air 5343v2 devices CVE-2018-17590 (AirTies Air 5442 devices with software 1.0.0.18 have XSS via the top.h ...) NOT-FOR-US: AirTies Air 5442 devices CVE-2018-17589 (AirTies Air 5650 devices with software 1.0.0.18 have XSS via the top.h ...) NOT-FOR-US: AirTies Air 5650 devices CVE-2018-17588 (AirTies Air 5021 devices with software 1.0.0.18 have XSS via the top.h ...) NOT-FOR-US: AirTies Air 5021 devices CVE-2018-17587 (AirTies Air 5750 devices with software 1.0.0.18 have XSS via the top.h ...) NOT-FOR-US: AirTies Air 5750 devices CVE-2018-17586 (The WP Fastest Cache plugin 0.8.8.5 for WordPress has XSS via the rule ...) NOT-FOR-US: WP Fastest Cache plugin for WordPress CVE-2018-17585 (The WP Fastest Cache plugin 0.8.8.5 for WordPress has XSS via the wpfa ...) NOT-FOR-US: WP Fastest Cache plugin for WordPress CVE-2018-17584 (The WP Fastest Cache plugin 0.8.8.5 for WordPress has CSRF via the wp- ...) NOT-FOR-US: WP Fastest Cache plugin for WordPress CVE-2018-17583 (The WP Fastest Cache plugin 0.8.8.5 for WordPress has XSS via the rule ...) NOT-FOR-US: WP Fastest Cache plugin for WordPress CVE-2018-17582 (Tcpreplay v4.3.0 beta1 contains a heap-based buffer over-read. The get ...) - tcpreplay 4.3.1-1 (bug #910597) [stretch] - tcpreplay (Minor issue) [jessie] - tcpreplay (Minor issue) NOTE: https://github.com/appneta/tcpreplay/issues/484 NOTE: https://github.com/appneta/tcpreplay/commit/68f67b1a3a4d319543692afb5bd5b191ec984287 CVE-2018-17581 (CiffDirectory::readDirectory() at crwimage_int.cpp in Exiv2 0.26 has e ...) {DLA-1691-1} - exiv2 0.27.2-6 (low; bug #910060) [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/issues/460 NOTE: Fixed in: https://github.com/Exiv2/exiv2/commit/b3d077dcaefb6747fff8204490f33eba5a144edb CVE-2018-17580 (A heap-based buffer over-read exists in the function fast_edit_packet( ...) - tcpreplay 4.3.1-1 (bug #910596) [stretch] - tcpreplay (Minor issue) [jessie] - tcpreplay (Minor issue) NOTE: https://github.com/appneta/tcpreplay/issues/485 CVE-2018-17579 RESERVED CVE-2018-17578 RESERVED CVE-2018-17577 RESERVED CVE-2018-17576 RESERVED CVE-2018-17575 (SWA SWA.JACAD 3.1.37 Build 024 has SQL Injection via the /academico/al ...) NOT-FOR-US: SWA SWA.JACAD CVE-2018-17574 (An issue was discovered in YMFE YApi 1.3.23. There is stored XSS in th ...) NOT-FOR-US: YMFE YApi CVE-2018-17573 (The Wp-Insert plugin through 2.4.2 for WordPress allows upload of arbi ...) NOT-FOR-US: Wp-Insert plugin for WordPress CVE-2018-17572 (InfluxDB 0.9.5 has Reflected XSS in the Write Data module. ...) - influxdb 0.9.6.1+dfsg1-1 NOTE: https://gist.github.com/Raghavrao29/1cb84f1f2d8ce993fd7b2d1366d35f48 CVE-2018-17571 (Vanilla before 2.6.1 allows XSS via the email field of a profile. ...) NOT-FOR-US: Vanilla CVE-2018-17570 (utils/ut_ws_svr.c in ViaBTC Exchange Server before 2018-08-21 has an i ...) NOT-FOR-US: ViaBTC Exchange Server CVE-2018-17569 (network/nw_buf.c in ViaBTC Exchange Server before 2018-08-21 has an in ...) NOT-FOR-US: ViaBTC Exchange Server CVE-2018-17568 (utils/ut_rpc.c in ViaBTC Exchange Server before 2018-08-21 has an inte ...) NOT-FOR-US: ViaBTC Exchange Server CVE-2018-17567 (Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 3.8.3 all ...) {DLA-1541-1} - jekyll 3.8.3+dfsg-3.1 (low; bug #909933) [stretch] - jekyll (Minor issue) NOTE: https://github.com/jekyll/jekyll/pull/7224 NOTE: https://jekyllrb.com/news/2018/09/19/security-fixes-for-3-6-3-7-3-8/ CVE-2018-17566 (In ThinkPHP 5.1.24, the inner function delete can be used for SQL inje ...) NOT-FOR-US: ThinkPHP CVE-2018-17565 (Shell Metacharacter Injection in the SSH configuration interface on Gr ...) NOT-FOR-US: Grandstream GXP16xx VoIP phones CVE-2018-17564 (A Malformed Input String to /cgi-bin/delete_CA on Grandstream GXP16xx ...) NOT-FOR-US: Grandstream GXP16xx VoIP phones CVE-2018-17563 (A Malformed Input String to /cgi-bin/api-get_line_status on Grandstrea ...) NOT-FOR-US: Grandstream GXP16xx VoIP phones CVE-2018-17562 (Multi-Tech FaxFinder before 5.1.6 has SQL Injection via a status/call_ ...) NOT-FOR-US: Multi-Tech FaxFinder CVE-2018-17561 RESERVED CVE-2018-17560 (The admin interface of the Grouptime Teamwire Client 1.5.1 prior to 1. ...) NOT-FOR-US: Grouptime Teamwire Client CVE-2018-17559 RESERVED CVE-2018-17558 RESERVED CVE-2018-17557 REJECTED CVE-2018-17556 (MODX Revolution v2.6.5-pl allows stored XSS via a Create New Media Sou ...) NOT-FOR-US: MODX Revolution CVE-2018-17555 (The web component on ARRIS TG2492LG-NA 061213 devices allows remote at ...) NOT-FOR-US: ARRIS TG2492LG-NA 061213 devices CVE-2018-17554 RESERVED CVE-2018-17553 (An "Unrestricted Upload of File with Dangerous Type" issue with direct ...) NOT-FOR-US: Naviwebs Navigate CMS CVE-2018-17552 (SQL Injection in login.php in Naviwebs Navigate CMS 2.8 allows remote ...) NOT-FOR-US: Naviwebs Navigate CMS CVE-2018-17551 RESERVED CVE-2018-17550 RESERVED CVE-2018-17549 RESERVED CVE-2018-17548 RESERVED CVE-2018-17547 RESERVED CVE-2018-17546 RESERVED CVE-2018-17545 RESERVED CVE-2018-17544 RESERVED CVE-2018-17543 RESERVED CVE-2018-17542 (SQL Injection exists in MailSherlock before 1.5.235 for OAKlouds allow ...) NOT-FOR-US: MailSherlock CVE-2018-17541 RESERVED CVE-2018-17540 (The gmp plugin in strongSwan before 5.7.1 has a Buffer Overflow via a ...) {DSA-4309-1 DLA-1528-1} - strongswan 5.7.1-1 NOTE: https://www.strongswan.org/blog/2018/10/01/strongswan-vulnerability-(cve-2018-17540).html CVE-2018-17539 (The BGP daemon (bgpd) in all IP Infusion ZebOS versions to 7.10.6 and ...) NOT-FOR-US: BGP daemon (bgpd) in IP Infusion ZebOS and OcNOS CVE-2018-17538 (** DISPUTED ** Axon (formerly TASER International) Evidence Sync 3.15. ...) NOT-FOR-US: Axon Evidence Sync CVE-2018-17537 [Persistent XSS package.json] RESERVED [experimental] - gitlab 11.1.8+dfsg-1 - gitlab 11.1.8+dfsg-2 [stretch] - gitlab (Only affects 10.4 and later) NOTE: https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/ CVE-2018-17536 [Persistent XSS merge request project import] RESERVED [experimental] - gitlab 11.1.8+dfsg-1 - gitlab 11.1.8+dfsg-2 [stretch] - gitlab (Only affects 10.4 and later) NOTE: https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/ CVE-2018-17535 RESERVED CVE-2018-17534 (Teltonika RUT9XX routers with firmware before 00.04.233 provide a root ...) NOT-FOR-US: Teltonika RUT9XX routers CVE-2018-17533 (Teltonika RUT9XX routers with firmware before 00.05.01.1 are prone to ...) NOT-FOR-US: Teltonika RUT9XX routers CVE-2018-17532 (Teltonika RUT9XX routers with firmware before 00.04.233 are prone to m ...) NOT-FOR-US: Teltonika RUT9XX routers CVE-2018-17531 RESERVED CVE-2018-17530 RESERVED CVE-2018-17529 RESERVED CVE-2018-17528 RESERVED CVE-2018-17527 RESERVED CVE-2018-17526 RESERVED CVE-2018-17525 RESERVED CVE-2018-17524 RESERVED CVE-2018-17523 RESERVED CVE-2018-17522 RESERVED CVE-2018-17521 RESERVED CVE-2018-17520 RESERVED CVE-2018-17519 RESERVED CVE-2018-17518 RESERVED CVE-2018-17517 RESERVED CVE-2018-17516 RESERVED CVE-2018-17515 RESERVED CVE-2018-17514 RESERVED CVE-2018-17513 RESERVED CVE-2018-17512 RESERVED CVE-2018-17511 RESERVED CVE-2018-17510 RESERVED CVE-2018-17509 RESERVED CVE-2018-17508 RESERVED CVE-2018-17507 RESERVED CVE-2018-17506 RESERVED CVE-2018-17505 RESERVED CVE-2018-17504 RESERVED CVE-2018-17503 RESERVED CVE-2018-17502 (The Receptionist for iPad could allow a local attacker to obtain sensi ...) NOT-FOR-US: Receptionist for iPad CVE-2018-17501 RESERVED CVE-2018-17500 (Envoy Passport for Android and Envoy Passport for iPhone could allow a ...) NOT-FOR-US: Envoy Passport CVE-2018-17499 (Envoy Passport for Android and Envoy Passport for iPhone could allow a ...) NOT-FOR-US: Envoy Passport CVE-2018-17498 RESERVED CVE-2018-17497 (eVisitorPass contains default administrative credentials. An attacker ...) NOT-FOR-US: eVisitorPass CVE-2018-17496 (eVisitorPass could allow a local attacker to gain elevated privileges ...) NOT-FOR-US: eVisitorPass CVE-2018-17495 (eVisitorPass could allow a local attacker to gain elevated privileges ...) NOT-FOR-US: eVisitorPass CVE-2018-17494 (eVisitorPass could allow a local attacker to gain elevated privileges ...) NOT-FOR-US: eVisitorPass CVE-2018-17493 (eVisitorPass could allow a local attacker to gain elevated privileges ...) NOT-FOR-US: eVisitorPass CVE-2018-17492 (EasyLobby Solo contains default administrative credentials. An attacke ...) NOT-FOR-US: EasyLobby Solo CVE-2018-17491 (EasyLobby Solo could allow a local attacker to gain elevated privilege ...) NOT-FOR-US: EasyLobby Solo CVE-2018-17490 (EasyLobby Solo is vulnerable to a denial of service. By visiting the k ...) NOT-FOR-US: EasyLobby Solo CVE-2018-17489 (EasyLobby Solo could allow a local attacker to obtain sensitive inform ...) NOT-FOR-US: EasyLobby Solo CVE-2018-17488 (Lobby Track Desktop could allow a local attacker to gain elevated priv ...) NOT-FOR-US: Lobby Track Desktop CVE-2018-17487 (Lobby Track Desktop could allow a local attacker to gain elevated priv ...) NOT-FOR-US: Lobby Track Desktop CVE-2018-17486 (Lobby Track Desktop could allow a local attacker to bypass security re ...) NOT-FOR-US: Lobby Track Desktop CVE-2018-17485 (Lobby Track Desktop contains default administrative credentials. An at ...) NOT-FOR-US: Lobby Track Desktop CVE-2018-17484 (Lobby Track Desktop could allow a local attacker to obtain sensitive i ...) NOT-FOR-US: Lobby Track Desktop CVE-2018-17483 (Lobby Track Desktop could allow a local attacker to obtain sensitive i ...) NOT-FOR-US: Lobby Track Desktop CVE-2018-17482 (Lobby Track Desktop could allow a local attacker to obtain sensitive i ...) NOT-FOR-US: Lobby Track Desktop CVE-2018-17481 (Incorrect object lifecycle handling in PDFium in Google Chrome prior t ...) {DSA-4395-1 DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-17480 (Execution of user supplied Javascript during array deserialization lea ...) {DSA-4352-1} - chromium 71.0.3578.80-1 CVE-2018-17479 (Incorrect object lifetime calculations in GPU code in Google Chrome pr ...) {DSA-4342-1} - chromium-browser 70.0.3538.110-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-17478 (Incorrect array position calculations in V8 in Google Chrome prior to ...) {DSA-4340-1} - chromium-browser 70.0.3538.102-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-17477 (Incorrect dialog placement in Extensions in Google Chrome prior to 70. ...) {DSA-4330-1} - chromium-browser 70.0.3538.67-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-17476 (Incorrect dialog placement in Cast UI in Google Chrome prior to 70.0.3 ...) {DSA-4330-1} - chromium-browser 70.0.3538.67-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-17475 (Incorrect handling of history on iOS in Navigation in Google Chrome pr ...) {DSA-4330-1} - chromium-browser 70.0.3538.67-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-17474 (Use after free in HTMLImportsController in Blink in Google Chrome prio ...) {DSA-4330-1} - chromium-browser 70.0.3538.67-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-17473 (Incorrect handling of confusable characters in Omnibox in Google Chrom ...) {DSA-4330-1} - chromium-browser 70.0.3538.67-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-17472 (Incorrect handling of googlechrome:// URL scheme on iOS in Intents in ...) {DSA-4330-1} - chromium-browser 70.0.3538.67-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-17471 (Incorrect dialog placement in WebContents in Google Chrome prior to 70 ...) {DSA-4330-1} - chromium-browser 70.0.3538.67-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-17470 (A heap buffer overflow in GPU in Google Chrome prior to 70.0.3538.67 a ...) {DSA-4330-1} - chromium-browser 70.0.3538.67-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-17469 (Incorrect handling of PDF filter chains in PDFium in Google Chrome pri ...) {DSA-4330-1} - chromium-browser 70.0.3538.67-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-17468 (Incorrect handling of timer information during navigation in Blink in ...) {DSA-4330-1} - chromium-browser 70.0.3538.67-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-17467 (Insufficiently quick clearing of stale rendered content in Navigation ...) {DSA-4330-1} - chromium-browser 70.0.3538.67-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-17466 (Incorrect texture handling in Angle in Google Chrome prior to 70.0.353 ...) {DSA-4362-1 DSA-4354-1 DSA-4330-1 DLA-1624-1 DLA-1605-1} - chromium-browser 70.0.3538.67-1 [jessie] - chromium-browser (End of life, see DSA 4020) - firefox 64.0-1 - firefox-esr 60.4.0esr-1 - thunderbird 1:60.4.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/#CVE-2018-17466 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-30/#CVE-2018-17466 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-31/#CVE-2018-17466 CVE-2018-17465 (Incorrect implementation of object trimming in V8 in Google Chrome pri ...) {DSA-4330-1} - chromium-browser 70.0.3538.67-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-17464 (Incorrect handling of history on iOS in Navigation in Google Chrome pr ...) {DSA-4330-1} - chromium-browser 70.0.3538.67-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-17463 (Incorrect side effect annotation in V8 in Google Chrome prior to 70.0. ...) {DSA-4330-1} - chromium-browser 70.0.3538.67-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-17462 (Incorrect refcounting in AppCache in Google Chrome prior to 70.0.3538. ...) {DSA-4330-1} - chromium-browser 70.0.3538.67-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-17461 (An out of bounds read in PDFium in Google Chrome prior to 68.0.3440.75 ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-17460 (Insufficient data validation in filesystem URIs in Google Chrome prior ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-17457 (An object lifecycle issue in Blink could lead to a use after free in W ...) {DSA-4289-1} - chromium-browser 69.0.3497.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-17456 (Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x ...) {DSA-4311-1 DLA-1533-1} - git 1:2.19.1-1 NOTE: https://public-inbox.org/git/xmqqy3bcuy3l.fsf@gitster-ct.c.googlers.com/ NOTE: https://git.kernel.org/pub/scm/git/git.git/commit/?id=98afac7a7cefdca0d2c4917dd8066a59f7088265 NOTE: https://git.kernel.org/pub/scm/git/git.git/commit/?id=f6adec4e329ef0e25e14c63b735a5956dc67b8bc NOTE: https://git.kernel.org/pub/scm/git/git.git/commit/?id=273c61496f88c6495b886acb1041fe57965151da NOTE: https://git.kernel.org/pub/scm/git/git.git/commit/?id=a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46 NOTE: https://git.kernel.org/pub/scm/git/git.git/commit/?id=1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404 CVE-2018-17455 [IDOR merge request approvals] RESERVED [experimental] - gitlab 11.1.8+dfsg-1 - gitlab 11.1.8+dfsg-2 NOTE: https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/ CVE-2018-17454 [Persistent XSS on issue details] RESERVED [experimental] - gitlab 11.1.8+dfsg-1 - gitlab 11.1.8+dfsg-2 [stretch] - gitlab (Only affects 9.3 and later) NOTE: https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/ CVE-2018-17453 [GRPC::Unknown logging token disclosure] RESERVED [experimental] - gitlab 11.1.8+dfsg-1 - gitlab 11.1.8+dfsg-2 [stretch] - gitlab (Only affects 10.4 and later) NOTE: https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/ CVE-2018-17452 [validate_localhost function in url_blocker.rb could be bypassed] RESERVED [experimental] - gitlab 11.1.8+dfsg-1 - gitlab 11.1.8+dfsg-2 NOTE: https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/ CVE-2018-17451 [Slack integration CSRF Oauth2] RESERVED [experimental] - gitlab 11.1.8+dfsg-1 - gitlab 11.1.8+dfsg-2 [stretch] - gitlab (Only affects 9.4 and later) NOTE: https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/ CVE-2018-17450 [SSRF GCP access token disclosure] RESERVED [experimental] - gitlab 11.1.8+dfsg-1 - gitlab 11.1.8+dfsg-2 [stretch] - gitlab (Only affects 10.2 and later) NOTE: https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/ CVE-2018-17449 [Confidential information disclosure in events API endpoint] RESERVED [experimental] - gitlab 11.1.8+dfsg-1 - gitlab 11.1.8+dfsg-2 [stretch] - gitlab (Only affects 9.3 and later) NOTE: https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/ CVE-2018-17448 (An Incorrect Access Control issue was discovered in Citrix SD-WAN 10.1 ...) NOT-FOR-US: Citrix CVE-2018-17447 (An Information Exposure Through Log Files issue was discovered in Citr ...) NOT-FOR-US: Citrix CVE-2018-17446 (A SQL Injection issue was discovered in Citrix SD-WAN 10.1.0 and NetSc ...) NOT-FOR-US: Citrix CVE-2018-17445 (A Command Injection issue was discovered in Citrix SD-WAN 10.1.0 and N ...) NOT-FOR-US: Citrix CVE-2018-17444 (A Directory Traversal issue was discovered in Citrix SD-WAN 10.1.0 and ...) NOT-FOR-US: Citrix CVE-2018-17443 (An issue was discovered on D-Link Central WiFi Manager before v 1.03r0 ...) NOT-FOR-US: D-Link CVE-2018-17442 (An issue was discovered on D-Link Central WiFi Manager before v 1.03r0 ...) NOT-FOR-US: D-Link CVE-2018-17441 (An issue was discovered on D-Link Central WiFi Manager before v 1.03r0 ...) NOT-FOR-US: D-Link CVE-2018-17440 (An issue was discovered on D-Link Central WiFi Manager before v 1.03r0 ...) NOT-FOR-US: D-Link CVE-2018-17439 (An issue was discovered in the HDF HDF5 1.10.3 library. There is a sta ...) - hdf5 NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln5#stack-overflow-in-h5s_extent_get_dims NOTE: https://jira.hdfgroup.org/browse/HDFFV-10589 CVE-2018-17438 (A SIGFPE signal is raised in the function H5D__select_io() of H5Dselec ...) - hdf5 (low) [buster] - hdf5 (Minor issue) [stretch] - hdf5 (Minor issue) [jessie] - hdf5 (Minor issue) NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln4#divided-by-zero---poc_h5d__select_io_h5dselect NOTE: https://jira.hdfgroup.org/browse/HDFFV-10587 NOTE: fix in develop branch: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/7add52ff4f2443357648d53d52add274d1b18b5f CVE-2018-17437 (Memory leak in the H5O_dtype_decode_helper() function in H5Odtype.c in ...) [experimental] - hdf5 1.10.5+repack-1~exp1 - hdf5 (low) [buster] - hdf5 (Minor issue) [stretch] - hdf5 (Minor issue) [jessie] - hdf5 (Minor issue) NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln5#memory-leak-in-h5o_dtype_decode_helper NOTE: https://jira.hdfgroup.org/browse/HDFFV-10588 NOTE: fixed in 1.10.5, release notes: https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.10/hdf5-1.10.5/src/hdf5-1.10.5-RELEASE.txt NOTE: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/02d03b4624122955ee3de635699a4e3880fea377 CVE-2018-17436 (ReadCode() in decompress.c in the HDF HDF5 through 1.10.3 library allo ...) - hdf5 NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln8#invalid-write-memory-access-in-decompressc CVE-2018-17435 (A heap-based buffer over-read in H5O_attr_decode() in H5Oattr.c in the ...) - hdf5 NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln7#heap-overflow-in-h5o_attr_decode NOTE: https://jira.hdfgroup.org/browse/HDFFV-10591 CVE-2018-17434 (A SIGFPE signal is raised in the function apply_filters() of h5repack_ ...) [experimental] - hdf5 1.10.5+repack-1~exp1 - hdf5 (low) [buster] - hdf5 (Minor issue) [stretch] - hdf5 (Minor issue) [jessie] - hdf5 (Minor issue) NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln4#divided-by-zero---poc_apply_filters_h5repack_filters NOTE: https://jira.hdfgroup.org/browse/HDFFV-10586 NOTE: fixed in 1.10.5, release notes: https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.10/hdf5-1.10.5/src/hdf5-1.10.5-RELEASE.txt NOTE: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/02d03b4624122955ee3de635699a4e3880fea377 CVE-2018-17433 (A heap-based buffer overflow in ReadGifImageDesc() in gifread.c in the ...) - hdf5 NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln8#heap-overflow-in-readgifimagedesc NOTE: https://jira.hdfgroup.org/browse/HDFFV-10592 CVE-2018-17432 (A NULL pointer dereference in H5O_sdspace_encode() in H5Osdspace.c in ...) - hdf5 [buster] - hdf5 (Minor issue) [stretch] - hdf5 (Minor issue) [jessie] - hdf5 (Minor issue) NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln6#null-pointer-dereference-in-h5o_sdspace_encode NOTE: upstream bug tracker (not public): https://jira.hdfgroup.org/browse/HDFFV-10590 NOTE: fix planned for HDF5-1.10.6 (will also be backported to HDF5-1.8) CVE-2018-17431 (Web Console in Comodo UTM Firewall before 2.7.0 allows remote attacker ...) NOT-FOR-US: Comodo UTM CVE-2018-17430 RESERVED CVE-2018-17429 (/console/account/manage.php?type=action&action=add in JTBC v3.0(C) ...) NOT-FOR-US: JTBC CVE-2018-17428 (An issue was discovered in OPAC EasyWeb Five 5.7. There is SQL injecti ...) NOT-FOR-US: OPAC EasyWeb Five CVE-2018-17427 (SIMDComp before 0.1.0 allows remote attackers to cause a denial of ser ...) NOT-FOR-US: SIMDComp CVE-2018-17426 (WUZHI CMS 4.1.0 has stored XSS via the "Extension module" "SMS in stat ...) NOT-FOR-US: WUZHI CMS CVE-2018-17425 (WUZHI CMS 4.1.0 has stored XSS via the "Membership Center" "I want to ...) NOT-FOR-US: WUZHI CMS CVE-2018-17424 RESERVED CVE-2018-17423 (An issue was discovered in e107 v2.1.9. There is a XSS attack on e107_ ...) NOT-FOR-US: e107 CVE-2018-17422 (dotCMS before 5.0.2 has open redirects via the html/common/forward_js. ...) NOT-FOR-US: dotCMS CVE-2018-17421 (An issue was discovered in ZrLog 2.0.3. There is stored XSS in the fil ...) NOT-FOR-US: ZrLog CVE-2018-17420 (An issue was discovered in ZrLog 2.0.3. There is a SQL injection vulne ...) NOT-FOR-US: ZrLog CVE-2018-17419 (An issue was discovered in setTA in scan_rr.go in the Miek Gieben DNS ...) NOT-FOR-US: Miek Gieben DNS library for Go CVE-2018-17418 (Monstra CMS 3.0.4 allows remote attackers to execute arbitrary PHP cod ...) NOT-FOR-US: Monstra CMS CVE-2018-17417 RESERVED CVE-2018-17416 (A SQL injection vulnerability exists in zzcms v8.3 via the /admin/adcl ...) NOT-FOR-US: zzcms CVE-2018-17415 (zzcms V8.3 has a SQL injection in /user/zs_elite.php via the id parame ...) NOT-FOR-US: zzcms CVE-2018-17414 (zzcms v8.3 has a SQL injection in /user/jobmanage.php via the bigclass ...) NOT-FOR-US: zzcms CVE-2018-17413 (XSS exists in zzcms v8.3 via the /uploadimg_form.php noshuiyin paramet ...) NOT-FOR-US: zzcms CVE-2018-17412 (zzcms v8.3 contains a SQL Injection vulnerability in /user/logincheck. ...) NOT-FOR-US: zzcms CVE-2018-17411 (An XML External Entity (XXE) vulnerability exists in iWay Data Quality ...) NOT-FOR-US: iWay Data Quality Suite Web Console CVE-2018-17410 (Horus CMS allows SQL Injection, as demonstrated by a request to the /b ...) NOT-FOR-US: Horus CMS CVE-2018-17409 RESERVED CVE-2018-17408 (Stack-based buffer overflows in Zahir Accounting Enterprise Plus 6 thr ...) NOT-FOR-US: Zahir Accounting Enterprise Plus CVE-2018-17406 RESERVED CVE-2018-17405 RESERVED CVE-2018-17404 (The SBIbuddy (aka com.sbi.erupee) application 1.41 and 1.42 for Androi ...) NOT-FOR-US: SBIbuddy application CVE-2018-17403 (** DISPUTED ** The PhonePe wallet (aka com.PhonePe.app) application 3. ...) NOT-FOR-US: PhonePe wallet application CVE-2018-17402 (** DISPUTED ** The PhonePe wallet (aka com.PhonePe.app) application 3. ...) NOT-FOR-US: PhonePe wallet application CVE-2018-17401 (** DISPUTED ** The PhonePe wallet (aka com.PhonePe.app) application 3. ...) NOT-FOR-US: PhonePe wallet application CVE-2018-17400 (** DISPUTED ** The PhonePe wallet (aka com.PhonePe.app) application 3. ...) NOT-FOR-US: PhonePe wallet application CVE-2018-17399 (SQL Injection exists in the Jimtawl 2.2.7 component for Joomla! via th ...) NOT-FOR-US: Jimtawl CVE-2018-17398 (SQL Injection exists in the AMGallery 1.2.3 component for Joomla! via ...) NOT-FOR-US: AMGallery CVE-2018-17397 (SQL Injection exists in the AlphaIndex Dictionaries 1.0 component for ...) NOT-FOR-US: AlphaIndex Dictionaries component for Joomla! CVE-2018-17396 RESERVED CVE-2018-17395 RESERVED CVE-2018-17394 (SQL Injection exists in the Timetable Schedule 3.6.8 component for Joo ...) NOT-FOR-US: Timetable Schedule component for Joomla! CVE-2018-17393 (SQL Injection exists in HealthNode Hospital Management System 1.0 via ...) NOT-FOR-US: HealthNode Hospital Management System CVE-2018-17392 RESERVED CVE-2018-17391 (SQL Injection exists in authors_post.php in Super Cms Blog Pro 1.0 via ...) NOT-FOR-US: Super Cms Blog Pro CVE-2018-17390 RESERVED CVE-2018-17389 (CSRF exists in server.php in Live Call Support Application 1.5 for add ...) NOT-FOR-US: Live Call Support Application CVE-2018-17388 (SQL Injection exists in Twilio WEB To Fax Machine System 1.0 via the e ...) NOT-FOR-US: Twilio WEB To Fax Machine System CVE-2018-17387 (CSRF exists in Nimble Messaging Bulk SMS Marketing Application 1.0 for ...) NOT-FOR-US: Nimble Messaging Bulk SMS Marketing Application CVE-2018-17386 (SQL Injection exists in the Micro Deal Factory 2.4.0 component for Joo ...) NOT-FOR-US: Micro Deal Factory component for Joomla! CVE-2018-17385 (SQL Injection exists in the Social Factory 3.8.3 component for Joomla! ...) NOT-FOR-US: Social Factory component for Joomla! CVE-2018-17384 (SQL Injection exists in the Swap Factory 2.2.1 component for Joomla! v ...) NOT-FOR-US: Swap Factory component for Joomla! CVE-2018-17383 (SQL Injection exists in the Collection Factory 4.1.9 component for Joo ...) NOT-FOR-US: Collection Factory component for Joomla! CVE-2018-17382 (SQL Injection exists in the Jobs Factory 2.0.4 component for Joomla! v ...) NOT-FOR-US: Jobs Factory component for Joomla! CVE-2018-17381 (SQL Injection exists in the Dutch Auction Factory 2.0.2 component for ...) NOT-FOR-US: Dutch Auction Factory component for Joomla! CVE-2018-17380 (SQL Injection exists in the Article Factory Manager 4.3.9 component fo ...) NOT-FOR-US: Article Factory Manager component for Joomla! CVE-2018-17379 (SQL Injection exists in the Raffle Factory 3.5.2 component for Joomla! ...) NOT-FOR-US: Raffle Factory component for Joomla! CVE-2018-17378 (SQL Injection exists in the Penny Auction Factory 2.0.4 component for ...) NOT-FOR-US: Penny Auction Factory component for Joomla! CVE-2018-17377 (SQL Injection exists in the Questions 1.4.3 component for Joomla! via ...) NOT-FOR-US: Questions component for Joomla! CVE-2018-17376 (SQL Injection exists in the Reverse Auction Factory 4.3.8 component fo ...) NOT-FOR-US: Reverse Auction Factory component for Joomla! CVE-2018-17375 (SQL Injection exists in the Music Collection 3.0.3 component for Jooml ...) NOT-FOR-US: Music Collection component for Joomla! CVE-2018-17374 (SQL Injection exists in the Auction Factory 4.5.5 component for Joomla ...) NOT-FOR-US: Auction Factory component for Joomla! CVE-2018-17373 RESERVED CVE-2018-17372 RESERVED CVE-2018-17371 RESERVED CVE-2018-17370 RESERVED CVE-2018-17369 (An issue was discovered in springboot_authority through 2017-03-06. Th ...) NOT-FOR-US: springboot_authority CVE-2018-17368 (An issue was discovered in PublicCMS V4.0.180825. For an invalid login ...) NOT-FOR-US: PublicCMS CVE-2018-17367 RESERVED CVE-2018-17366 (An issue was discovered in MCMS 4.6.5. There is a CSRF vulnerability t ...) NOT-FOR-US: MCMS CVE-2018-17365 (SeaCMS 6.64 allows remote attackers to delete arbitrary files via the ...) NOT-FOR-US: SeaCMS CVE-2018-17364 (OTCMS 3.61 allows remote attackers to execute arbitrary PHP code via t ...) NOT-FOR-US: OTCMS CVE-2018-17363 RESERVED CVE-2018-17362 RESERVED CVE-2018-17361 (Multiple XSS vulnerabilities in WeaselCMS v0.3.6 allow remote attacker ...) NOT-FOR-US: WeaselCMS CVE-2018-17360 (An issue was discovered in the Binary File Descriptor (BFD) library (a ...) [experimental] - binutils 2.31.51.20181022-1 - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23685 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cf93e9c2cf8f8b2566f8fc86e961592b51b5980d NOTE: binutils not covered by security support CVE-2018-17359 (An issue was discovered in the Binary File Descriptor (BFD) library (a ...) [experimental] - binutils 2.31.51.20181022-1 - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23686 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=30838132997e6a3cfe3ec11c58b32b22f6f6b102 NOTE: binutils not covered by security support CVE-2018-17358 (An issue was discovered in the Binary File Descriptor (BFD) library (a ...) [experimental] - binutils 2.31.51.20181022-1 - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23686 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=30838132997e6a3cfe3ec11c58b32b22f6f6b102 NOTE: binutils not covered by security support CVE-2018-17357 RESERVED CVE-2018-17356 RESERVED CVE-2018-17355 RESERVED CVE-2018-17354 RESERVED CVE-2018-17353 RESERVED CVE-2018-17352 RESERVED CVE-2018-17351 RESERVED CVE-2018-17350 RESERVED CVE-2018-17349 RESERVED CVE-2018-17348 RESERVED CVE-2018-17347 RESERVED CVE-2018-17346 RESERVED CVE-2018-17345 RESERVED CVE-2018-17344 RESERVED CVE-2018-17343 RESERVED CVE-2018-17342 RESERVED CVE-2018-17341 (BigTree 4.2.23 on Windows, when Advanced or Simple Rewrite routing is ...) NOT-FOR-US: BigTree CMS CVE-2018-17340 RESERVED CVE-2018-17339 RESERVED CVE-2018-17338 (An issue has been found in pdfalto through 0.2. It is a heap-based buf ...) NOT-FOR-US: pdfalto CVE-2018-17337 (Intelbras NPLUG 1.0.0.14 devices have XSS via a crafted SSID that is r ...) NOT-FOR-US: Intelbras NPLUG CVE-2018-17336 (UDisks 2.8.0 has a format string vulnerability in udisks_log in udisks ...) - udisks2 2.8.1-1 (bug #909607) [stretch] - udisks2 (Vulnerable code introduced later) [jessie] - udisks2 (Vulnerable code introduced later) NOTE: https://github.com/storaged-project/udisks/issues/578 NOTE: Fixed by: https://github.com/storaged-project/udisks/commit/e369a9b4b08e9373c814c05328b366c938284eb5 NOTE: Introduced by: https://github.com/storaged-project/udisks/commit/ad2ce6714e911be58011dd6b838ec0f6fd0f950f (udisks-2.6.4) CVE-2018-17335 RESERVED CVE-2018-17334 (An issue was discovered in libsvg2 through 2012-10-19. A stack-based b ...) NOT-FOR-US: libsvg2 CVE-2018-17333 (An issue was discovered in libsvg2 through 2012-10-19. A stack-based b ...) NOT-FOR-US: libsvg2 CVE-2018-17332 (An issue was discovered in libsvg2 through 2012-10-19. The svgGetNextP ...) NOT-FOR-US: libsvg2 CVE-2018-17331 RESERVED CVE-2018-17330 RESERVED CVE-2018-17329 RESERVED CVE-2018-17328 RESERVED CVE-2018-17327 RESERVED CVE-2018-17326 RESERVED CVE-2018-17325 RESERVED CVE-2018-17324 RESERVED CVE-2018-17323 RESERVED CVE-2018-17322 (Cross-site scripting (XSS) vulnerability in index.php/index/category/i ...) NOT-FOR-US: YUNUCMS CVE-2018-17321 (An issue was discovered in SeaCMS 6.64. XSS exists in admin_datarelate ...) NOT-FOR-US: SeaCMS CVE-2018-17320 (An issue was discovered in UCMS 1.4.6. aaddpost.php has stored XSS via ...) NOT-FOR-US: UCMS CVE-2018-17319 RESERVED CVE-2018-17318 RESERVED CVE-2018-17317 (FruityWifi (aka PatatasFritas/PatataWifi) 2.1 allows remote attackers ...) NOT-FOR-US: FruityWifi CVE-2018-17316 (On the RICOH MP C6003 printer, HTML Injection and Stored XSS vulnerabi ...) NOT-FOR-US: RICOH MP C6003 printer CVE-2018-17315 (On the RICOH MP C2003 printer, HTML Injection and Stored XSS vulnerabi ...) NOT-FOR-US: RICOH MP C2003 printer CVE-2018-17314 (On the RICOH Aficio MP 305+ printer, HTML Injection and Stored XSS vul ...) NOT-FOR-US: RICOH Aficio MP 305+ printer CVE-2018-17313 (On the RICOH MP C307 printer, HTML Injection and Stored XSS vulnerabil ...) NOT-FOR-US: RICOH MP C307 printer CVE-2018-17312 (On the RICOH Aficio MP 301 printer, HTML Injection and Stored XSS vuln ...) NOT-FOR-US: RICOH Aficio MP 301 printer CVE-2018-17311 (On the RICOH MP C6503 Plus printer, HTML Injection and Stored XSS vuln ...) NOT-FOR-US: RICOH MP C6503 Plus printer CVE-2018-17310 (On the RICOH MP C1803 JPN printer, HTML Injection and Stored XSS vulne ...) NOT-FOR-US: RICOH MP C1803 JPN printer CVE-2018-17309 (On the RICOH MP C406Z printer, HTML Injection and Stored XSS vulnerabi ...) NOT-FOR-US: RICOH MP C406Z printer CVE-2018-17308 RESERVED CVE-2018-17307 RESERVED CVE-2018-17306 RESERVED CVE-2018-17305 (UiPath Orchestrator through 2018.2.4 allows any authenticated user to ...) NOT-FOR-US: UiPath Orchestrator CVE-2018-17304 RESERVED CVE-2018-17303 RESERVED CVE-2018-17302 (Stored XSS exists in views/fields/wysiwyg.js in EspoCRM 5.3.6 via a /# ...) NOT-FOR-US: EspoCRM CVE-2018-17301 (Reflected XSS exists in client/res/templates/global-search/name-field. ...) NOT-FOR-US: EspoCRM CVE-2018-17300 (Stored XSS exists in CuppaCMS through 2018-09-03 via an administrator/ ...) NOT-FOR-US: CuppaCMS CVE-2018-17299 RESERVED CVE-2018-17298 (An issue was discovered in Enalean Tuleap before 10.5. Reset password ...) NOT-FOR-US: Enalean Tuleap CVE-2018-17297 (The unzip function in ZipUtil.java in Hutool before 4.1.12 allows remo ...) NOT-FOR-US: Hutool CVE-2018-17296 RESERVED CVE-2018-17295 RESERVED CVE-2018-17294 (The matchCurrentInput function inside lou_translateString.c of Libloui ...) - liblouis 3.7.0-1 [stretch] - liblouis (Minor issue) [jessie] - liblouis (Minor issue) NOTE: https://github.com/liblouis/liblouis/commit/5e4089659bb49b3095fa541fa6387b4c40d7396e NOTE: https://github.com/liblouis/liblouis/issues/635 CVE-2018-17293 (An issue was discovered in WAVM before 2018-09-16. The run function in ...) NOT-FOR-US: WAVM CVE-2018-17292 (An issue was discovered in WAVM before 2018-09-16. The loadModule func ...) NOT-FOR-US: WAVM CVE-2018-17291 RESERVED CVE-2018-17290 RESERVED CVE-2018-17289 (An XML external entity (XXE) vulnerability in Kofax Front Office Serve ...) NOT-FOR-US: Kofax Front Office Server Administration Console CVE-2018-17288 (Kofax Front Office Server version 4.1.1.11.0.5212 (both Thin Client an ...) NOT-FOR-US: Kofax Front Office Server CVE-2018-17287 (In Kofax Front Office Server Administration Console 4.1.1.11.0.5212, s ...) NOT-FOR-US: Kofax Front Office Server Administration Console CVE-2018-17286 RESERVED CVE-2018-17285 RESERVED CVE-2018-17284 RESERVED CVE-2018-17283 (Zoho ManageEngine OpManager before 12.3 Build 123196 does not require ...) NOT-FOR-US: Zoho ManageEngine OpManager CVE-2018-17282 (An issue was discovered in Exiv2 v0.26. The function Exiv2::DataValue: ...) - exiv2 (Vulnerable code introduced later) NOTE: https://github.com/Exiv2/exiv2/issues/457 NOTE: Fixed by: https://github.com/Exiv2/exiv2/commit/670fb73dd5ee8acab90971c4878de29f9fc43a02 NOTE: Introduced with: https://github.com/Exiv2/exiv2/commit/afb98cbc6e288dc8ea75f3394a347fb9b37abc55 CVE-2018-17407 (An issue was discovered in t1_check_unusual_charstring functions in wr ...) {DSA-4299-1 DLA-1514-1} - texlive-bin 2018.20180907.48586-2 (bug #909317) NOTE: Fixed by: https://github.com/TeX-Live/texlive-source/commit/6ed0077520e2b0da1fd060c7f88db7b2e6068e4c NOTE: Introduced in: https://github.com/TeX-Live/texlive-source/commit/59cbb8f96b0543c2912d6370ce8021181661e1cf CVE-2018-17281 (There is a stack consumption vulnerability in the res_http_websocket.s ...) {DSA-4320-1 DLA-1523-1} - asterisk 1:13.23.1~dfsg-1 (bug #909554) NOTE: https://downloads.asterisk.org/pub/security/AST-2018-009.html NOTE: :https://issues.asterisk.org/jira/browse/ASTERISK-28013 CVE-2018-17280 REJECTED CVE-2018-17279 REJECTED CVE-2018-17278 REJECTED CVE-2018-17277 REJECTED CVE-2018-17276 REJECTED CVE-2018-17275 REJECTED CVE-2018-17274 REJECTED CVE-2018-17273 REJECTED CVE-2018-17272 REJECTED CVE-2018-17271 REJECTED CVE-2018-17270 REJECTED CVE-2018-17269 REJECTED CVE-2018-17268 REJECTED CVE-2018-17267 REJECTED CVE-2018-17266 REJECTED CVE-2018-17265 REJECTED CVE-2018-17264 REJECTED CVE-2018-17263 REJECTED CVE-2018-17262 REJECTED CVE-2018-17261 REJECTED CVE-2018-17260 REJECTED CVE-2018-17259 REJECTED CVE-2018-17258 REJECTED CVE-2018-17257 REJECTED CVE-2018-17256 (Persistent cross-site scripting (XSS) vulnerability in Umbraco CMS 7.1 ...) NOT-FOR-US: Umbraco CMS CVE-2018-17255 (Navigate CMS 2.8 has Reflected XSS via the navigate.php fid parameter. ...) NOT-FOR-US: Navigate CMS CVE-2018-17254 (The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via th ...) NOT-FOR-US: JCK Editor component for Joomla! CVE-2018-17253 REJECTED CVE-2018-17252 REJECTED CVE-2018-17251 REJECTED CVE-2018-17250 REJECTED CVE-2018-17249 REJECTED CVE-2018-17248 REJECTED CVE-2018-17247 (Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in ...) - elasticsearch CVE-2018-17246 (Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file incl ...) - kibana (bug #700337) CVE-2018-17245 (Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an ...) - kibana (bug #700337) CVE-2018-17244 (Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the ...) - elasticsearch CVE-2018-17243 (Global Search in Zoho ManageEngine OpManager before 12.3 123205 allows ...) NOT-FOR-US: Zoho ManageEngine OpManager CVE-2018-17242 RESERVED CVE-2018-17241 RESERVED CVE-2018-17240 RESERVED CVE-2018-17239 RESERVED CVE-2018-17238 RESERVED CVE-2018-17237 (A SIGFPE signal is raised in the function H5D__chunk_set_info_real() o ...) - hdf5 (low) [buster] - hdf5 (Minor issue) [stretch] - hdf5 (Minor issue) [jessie] - hdf5 (Minor issue) NOTE: https://github.com/SegfaultMasters/covering360/blob/master/HDF5/README.md#divided-by-zero---h5d__chunk_set_info_real_div_by_zero NOTE: https://jira.hdfgroup.org/browse/HDFFV-10571 (not public) NOTE: does not appear in 1.10.5 release notes, but fixed in NOTE: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/4e31361dad4add06792b652dbe5b97e501f9031d CVE-2018-17236 (The function MP4Free() in mp4property.cpp in libmp4v2 2.1.0 internally ...) - mp4v2 (bug #909277) [stretch] - mp4v2 (Minor issue) [jessie] - mp4v2 (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1629453 CVE-2018-17235 (The function mp4v2::impl::MP4Track::FinishSdtp() in mp4track.cpp in li ...) - mp4v2 (bug #909278) [stretch] - mp4v2 (Minor issue) [jessie] - mp4v2 (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1629451 CVE-2018-17234 (Memory leak in the H5O__chunk_deserialize() function in H5Ocache.c in ...) - hdf5 (low) [buster] - hdf5 (Minor issue) [stretch] - hdf5 (Minor issue) [jessie] - hdf5 (Minor issue) NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln3#memory-leak---h5o__chunk_deserialize_memory_leak NOTE: https://jira.hdfgroup.org/browse/HDFFV-10578 (not public) NOTE: does not appear in 1.10.5 release notes, but fixed in NOTE: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/f4138013dbc6851e968ea3d37b32776538ef306b CVE-2018-17233 (A SIGFPE signal is raised in the function H5D__create_chunk_file_map_h ...) [experimental] - hdf5 1.10.5+repack-1~exp1 - hdf5 (low) [buster] - hdf5 (Minor issue) [stretch] - hdf5 (Minor issue) [jessie] - hdf5 (Minor issue) NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln2#divided-by-zero---h5d__create_chunk_file_map_hyper_div_zero NOTE: https://jira.hdfgroup.org/browse/HDFFV-10577 NOTE: fixed in 1.10.5, release notes: https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.10/hdf5-1.10.5/src/hdf5-1.10.5-RELEASE.txt NOTE: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/f891c38c6e724e9032a534512618b9650be76377 CVE-2018-17232 (SQL injection vulnerability in archivebot.py in docmarionum1 Slack Arc ...) NOT-FOR-US: docmarionum1 Slack ArchiveBot (slack-archive-bot) CVE-2018-17231 (** DISPUTED ** Telegram Desktop (aka tdesktop) 1.3.14 might allow atta ...) - telegram-desktop (unimportant) NOTE: Disputed as attack scenario does not cross a privilege boundary. CVE-2018-17230 (Exiv2::ul2Data in types.cpp in Exiv2 v0.26 allows remote attackers to ...) - exiv2 (Vulnerable code introduced later; only affected experimental) NOTE: https://github.com/Exiv2/exiv2/issues/455 NOTE: Introduced in: https://github.com/Exiv2/exiv2/commit/3d57bbc6e6036723df3c7da352e40267c90d1640 NOTE: Fixed by: https://github.com/Exiv2/exiv2/commit/afb98cbc6e288dc8ea75f3394a347fb9b37abc55 NOTE: Some extra care needs to be applied when fixing isolately the issue in NOTE: experimental, as the commit afb98cbc6e288dc8ea75f3394a347fb9b37abc55 NOTE: would introduce/uncover CVE-2018-17282. CVE-2018-17229 (Exiv2::d2Data in types.cpp in Exiv2 v0.26 allows remote attackers to c ...) - exiv2 (Vulnerable code introduced later; only affected experimental) NOTE: https://github.com/Exiv2/exiv2/issues/453 NOTE: Introduced in: https://github.com/Exiv2/exiv2/commit/3d57bbc6e6036723df3c7da352e40267c90d1640 NOTE: Fixed by: https://github.com/Exiv2/exiv2/commit/afb98cbc6e288dc8ea75f3394a347fb9b37abc55 NOTE: Some extra care needs to be applied when fixing isolately the issue in NOTE: experimental, as the commit afb98cbc6e288dc8ea75f3394a347fb9b37abc55 NOTE: would introduce/uncover CVE-2018-17282. CVE-2018-17228 (nmap4j 1.1.0 allows attackers to execute arbitrary commands via shell ...) NOT-FOR-US: nmap4j CVE-2018-17227 RESERVED CVE-2018-17226 RESERVED CVE-2018-17225 RESERVED CVE-2018-17224 RESERVED CVE-2018-17223 RESERVED CVE-2018-17222 RESERVED CVE-2018-17221 RESERVED CVE-2018-17220 RESERVED CVE-2018-17219 RESERVED CVE-2018-17218 (An issue was discovered in PTC ThingWorx Platform 6.5 through 8.2. The ...) NOT-FOR-US: PTC ThingWorx Platform CVE-2018-17217 (An issue was discovered in PTC ThingWorx Platform 6.5 through 8.2. The ...) NOT-FOR-US: PTC ThingWorx Platform CVE-2018-17216 (An issue was discovered in PTC ThingWorx Platform 6.5 through 8.2. The ...) NOT-FOR-US: PTC ThingWorx Platform CVE-2018-17215 (An information-disclosure issue was discovered in Postman through 6.3. ...) NOT-FOR-US: Postman CVE-2018-17214 RESERVED CVE-2018-17213 (An issue was discovered in PrinterOn Central Print Services (CPS) thro ...) NOT-FOR-US: PrinterOn Central Print Services CVE-2018-17212 RESERVED CVE-2018-17211 (An issue was discovered in PrinterOn Central Print Services (CPS) thro ...) NOT-FOR-US: PrinterOn Central Print Services CVE-2018-17210 (An issue was discovered in PrinterOn Central Print Services (CPS) thro ...) NOT-FOR-US: PrinterOn Central Print Services CVE-2018-17209 RESERVED CVE-2018-17208 (Linksys Velop 1.1.2.187020 devices allow unauthenticated command injec ...) NOT-FOR-US: Linksys Velop CVE-2018-17207 (An issue was discovered in Snap Creek Duplicator before 1.2.42. By acc ...) NOT-FOR-US: Snap Creek Duplicator CVE-2018-17206 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6. The ...) - openvswitch 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-1 [stretch] - openvswitch (Minor issue) [jessie] - openvswitch (Vulnerable code does not exist; no such function) NOTE: https://github.com/openvswitch/ovs/commit/5026a263d7846077eee540de42192d27da513226 (master) NOTE: https://github.com/openvswitch/ovs/commit/20626d38c1a1d4cebb5a6911ea3cb6a7f4f993f8 (branch-2.8) NOTE: https://github.com/openvswitch/ovs/commit/9237a63c47bd314b807cda0bd2216264e82edbe8 (branch-2.7) CVE-2018-17205 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, aff ...) - openvswitch 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-1 [stretch] - openvswitch (Vulnerable code introduced later) [jessie] - openvswitch (Vulnerable code does not exist; no such function) NOTE: https://github.com/openvswitch/ovs/commit/9a0ac025de9303334688ff08f01fc08604d2f624 (master) NOTE: https://github.com/openvswitch/ovs/commit/638d406e3b647359f3d82189d7a6ee56b4a54928 (branch-2.8) NOTE: https://github.com/openvswitch/ovs/commit/0befd1f3745055c32940f5faf9559be6a14395e6 (branch-2.7) CVE-2018-17204 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, aff ...) - openvswitch 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-1 [stretch] - openvswitch (Minor issue) [jessie] - openvswitch (Vulnerable code does not exist; no such function) NOTE: https://github.com/openvswitch/ovs/commit/9740d81d94888cb158fa99a9366fe2b32b3e4aaa (master) NOTE: https://github.com/openvswitch/ovs/commit/8976ea1d680ab7a2d726a50e5666aa8fefd24168 (branch-2.8) NOTE: https://github.com/openvswitch/ovs/commit/4af6da3b275b764b1afe194df6499b33d2bf4cde (branch-2.7) NOTE: ovs-vswitchd does not enable support for OpenFlow 1.5 by default. CVE-2018-17203 REJECTED CVE-2018-17202 (Certain input files could make the code to enter into an infinite loop ...) NOTE: Apache Commons Imaging CVE-2018-17201 (Certain input files could make the code hang when Apache Sanselan 0.97 ...) NOTE: Apache Commons Imaging CVE-2018-17200 (The Apache OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngi ...) NOT-FOR-US: Apache OFBiz CVE-2018-17199 (In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks ...) {DSA-4422-1 DLA-1647-1} - apache2 2.4.38-1 (low; bug #920303) NOTE: https://www.openwall.com/lists/oss-security/2019/01/22/3 NOTE: 2.4.x http://svn.apache.org/r1851409 NOTE: 2.5.x http://svn.apache.org/r1850947 CVE-2018-17198 (Server-side Request Forgery (SSRF) and File Enumeration vulnerability ...) NOT-FOR-US: Apache Roller CVE-2018-17197 (A carefully crafted or corrupt sqlite file can cause an infinite loop ...) - tika 1.20-1 [jessie] - tika (Only affects 1.8 to 1.19.1) NOTE: https://www.openwall.com/lists/oss-security/2018/12/22/2 CVE-2018-17196 (In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to ...) - kafka (bug #786460) CVE-2018-17195 (The template upload API endpoint accepted requests from different doma ...) NOT-FOR-US: Apache NiFi CVE-2018-17194 (When a client request to a cluster node was replicated to other nodes ...) NOT-FOR-US: Apache NiFi CVE-2018-17193 (The message-page.jsp error page used the value of the HTTP request hea ...) NOT-FOR-US: Apache NiFi CVE-2018-17192 (The X-Frame-Options headers were applied inconsistently on some HTTP r ...) NOT-FOR-US: Apache NiFi CVE-2018-17191 (Apache NetBeans (incubating) 9.0 NetBeans Proxy Auto-Configuration (PA ...) - netbeans 10.0-1 [stretch] - netbeans (Nashorn module is not enabled. Javascript support is incomplete) NOTE: Fixed upstream in version 10.0 NOTE: https://www.openwall.com/lists/oss-security/2018/12/30/1 CVE-2018-17190 (In all versions of Apache Spark, its standalone resource manager accep ...) - apache-spark (bug #802194) CVE-2018-17189 (In Apache HTTP server versions 2.4.37 and prior, by sending request bo ...) {DSA-4422-1} - apache2 2.4.38-1 (low; bug #920302) [jessie] - apache2 (Vulnerable code not present) NOTE: HTTP/2 support introduced in 2.4.17 NOTE: https://www.openwall.com/lists/oss-security/2019/01/22/2 NOTE: https://svn.apache.org/r1851329 CVE-2018-17188 (Prior to CouchDB version 2.3.0, CouchDB allowed for runtime-configurat ...) - couchdb NOTE: https://www.openwall.com/lists/oss-security/2018/12/17/1 CVE-2018-17187 (The Apache Qpid Proton-J transport includes an optional wrapper layer ...) - qpid-proton 0.22.0-1 (unimportant) NOTE: https://qpid.apache.org/cves/CVE-2018-17187.html NOTE: https://issues.apache.org/jira/browse/PROTON-1962 NOTE: https://github.com/apache/qpid-proton-j/commit/0cb8ca03cec42120dcfc434561592d89a89a805e NOTE: Up to 0.17.0-rc1 upstream proton-j was included in the qpid-proton distribution NOTE: but then moved out to a own repository. NOTE: Cf. https://github.com/apache/qpid-proton/commit/ccdcf32932f04b387da9d4dbd810da29cae223aa CVE-2018-17186 (An administrator with workflow definition entitlements can use DTD to ...) NOT-FOR-US: Apache Syncope CVE-2018-17185 REJECTED CVE-2018-17184 (A malicious user with enough administration entitlements can inject ht ...) NOT-FOR-US: Apache Syncope CVE-2018-17182 (An issue was discovered in the Linux kernel through 4.18.8. The vmacac ...) {DSA-4308-1 DLA-1531-1 DLA-1529-1} - linux 4.18.10-1 NOTE: https://git.kernel.org/linus/7a9cdebdcc17e426fb5287e4a82db1dfe86339b2 NOTE: https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html CVE-2018-17181 (An issue was discovered in OpenEMR before 5.0.1 Patch 7. SQL Injection ...) NOT-FOR-US: OpenEMR CVE-2018-17180 (An issue was discovered in OpenEMR before 5.0.1 Patch 7. Directory Tra ...) NOT-FOR-US: OpenEMR CVE-2018-17179 (An issue was discovered in OpenEMR before 5.0.1 Patch 7. There is SQL ...) NOT-FOR-US: OpenEMR CVE-2018-17178 (An issue was discovered on Neato Botvac Connected 2.2.0 devices. They ...) NOT-FOR-US: Neato Botvac Connected devices CVE-2018-17177 (An issue was discovered on Neato Botvac Connected 2.2.0 and Botvac 85 ...) NOT-FOR-US: Neato Botvac Connected and Botvac 85 devices CVE-2018-17176 (A replay issue was discovered on Neato Botvac Connected 2.2.0 devices. ...) NOT-FOR-US: Neato Botvac Connected devices CVE-2018-17175 (In the marshmallow library before 2.15.1 and 3.x before 3.0.0b9 for Py ...) - python-marshmallow 3.0.0b14-1 (bug #909140) NOTE: https://github.com/marshmallow-code/marshmallow/issues/772 CVE-2018-17174 (A stack-based buffer overflow was discovered in the xtimor NMEA librar ...) NOT-FOR-US: nmealib CVE-2018-17173 (LG SuperSign CMS allows remote attackers to execute arbitrary code via ...) NOT-FOR-US: LG SuperSign CMS CVE-2018-17172 (The web application on Xerox AltaLink B80xx before 100.008.028.05200, ...) NOT-FOR-US: Xerox CVE-2018-17171 RESERVED CVE-2018-17170 (Grouptime Teamwire Desktop Client 1.5.1 prior to 1.9.0 on Windows allo ...) NOT-FOR-US: Grouptime Teamwire Desktop Client CVE-2018-17169 (An XML external entity (XXE) vulnerability in PrinterOn version 4.1.4 ...) NOT-FOR-US: PrinterOn Enterprise CVE-2018-17168 (PrinterOn Enterprise 4.1.4 contains multiple Cross Site Request Forger ...) NOT-FOR-US: PrinterOn Enterprise CVE-2018-17167 (PrinterOn Enterprise 4.1.4 suffers from multiple authenticated stored ...) NOT-FOR-US: PrinterOn Enterprise CVE-2018-17166 RESERVED CVE-2018-17165 RESERVED CVE-2018-17164 RESERVED CVE-2018-17163 REJECTED CVE-2018-17162 REJECTED CVE-2018-17161 (In FreeBSD before 11.2-STABLE(r348229), 11.2-RELEASE-p7, 12.0-STABLE(r ...) NOT-FOR-US: FreeBSD bootpd CVE-2018-17160 (In FreeBSD before 11.2-STABLE(r341486) and 11.2-RELEASE-p6, insufficie ...) NOT-FOR-US: FreeBSD bhyve CVE-2018-17159 (In FreeBSD before 11.2-STABLE(r340854) and 11.2-RELEASE-p5, the NFS se ...) NOT-FOR-US: FreeBSD nfs server CVE-2018-17158 (In FreeBSD before 11.2-STABLE(r340854) and 11.2-RELEASE-p5, an integer ...) NOT-FOR-US: FreeBSD nfs server CVE-2018-17157 (In FreeBSD before 11.2-STABLE(r340854) and 11.2-RELEASE-p5, an integer ...) NOT-FOR-US: FreeBSD nfs server CVE-2018-17156 (In FreeBSD before 11.2-STABLE(r340268) and 11.2-RELEASE-p5, due to inc ...) - kfreebsd-10 (unimportant) NOTE: https://www.freebsd.org/security/advisories/FreeBSD-EN-18:13.icmp.asc NOTE: kfreebsd not covered by security support CVE-2018-17155 (In FreeBSD before 11.2-STABLE(r338983), 11.2-RELEASE-p4, 11.1-RELEASE- ...) - kfreebsd-10 (unimportant) NOTE: https://security.FreeBSD.org/advisories/FreeBSD-EN-18:12.mem.asc NOTE: kfreebsd not covered by security support CVE-2018-17154 (In FreeBSD before 11.2-STABLE(r338987), 11.2-RELEASE-p4, and 11.1-RELE ...) - kfreebsd-10 (unimportant) NOTE: https://security.FreeBSD.org/advisories/FreeBSD-EN-18:10.syscall.asc NOTE: kfreebsd not covered by security support CVE-2018-1000802 (Python Software Foundation Python (CPython) version 2.7 contains a CWE ...) {DSA-4306-1 DLA-1520-1 DLA-1519-1} - python3.7 (Fixed before initial upload) - python3.6 (Fixed before initial upload) - python3.5 (Fixed before initial upload) - python3.4 - python2.7 2.7.15-5 (bug #909673) NOTE: https://bugs.python.org/issue34540 NOTE: https://github.com/python/cpython/commit/d8b103b8b3ef9644805341216963a64098642435 NOTE: Later versions did remove _call_external_zip with NOTE: https://github.com/python/cpython/commit/a0934b2c1b939fdebee8dc18d49a0f6c52324773 NOTE: which used distutils.spawn. NOTE: PoC: https://mega.nz/#!JUFiCC4R!mq-jQ8ySFwIhX6WMDujaZuNBfttDVt7DETlfOIQE1ig CVE-2018-17153 (It was discovered that the Western Digital My Cloud device before 2.30 ...) NOT-FOR-US: Western Digital My Cloud device CVE-2018-17152 (Intersystems Cache 2017.2.2.865.0 allows XXE. ...) NOT-FOR-US: Intersystems Cache CVE-2018-17151 (Intersystems Cache 2017.2.2.865.0 has Incorrect Access Control. ...) NOT-FOR-US: Intersystems Cache CVE-2018-17150 (Intersystems Cache 2017.2.2.865.0 allows XSS. ...) NOT-FOR-US: Intersystems Cache CVE-2018-17149 RESERVED CVE-2018-17148 (An Insufficient Access Control vulnerability (leading to credential di ...) NOT-FOR-US: Nagios XI CVE-2018-17147 (Nagios XI before 5.5.4 has XSS in the auto login admin management page ...) NOT-FOR-US: Nagios XI CVE-2018-17146 (A cross-site scripting vulnerability exists in Nagios XI before 5.5.4 ...) NOT-FOR-US: Nagios XI CVE-2018-17145 RESERVED CVE-2018-17144 (Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x be ...) - bitcoin 0.16.3~dfsg-1 - litecoin 0.16.3-1 NOTE: https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures#CVE-2018-17144 CVE-2018-17143 (The html package (aka x/net/html) through 2018-09-17 in Go mishandles ...) - golang-golang-x-net-dev (Vulnerable code introduced later) - golang-go.net-dev (Vulnerable code introduced later) NOTE: https://github.com/golang/go/issues/27704 NOTE: Fixed by: https://github.com/golang/net/commit/2f5d2388922f370f4355f327fcf4cfe9f5583908 NOTE: Introduced by: https://github.com/golang/net/commit/500e7a4f953ddaf55d316b4d3adc516aa0379622 CVE-2018-17142 (The html package (aka x/net/html) through 2018-09-17 in Go mishandles ...) - golang-golang-x-net-dev (Vulnerable code introduced later) - golang-go.net-dev (Vulnerable code introduced later) NOTE: https://github.com/golang/go/issues/27702 NOTE: Fixed by: https://github.com/golang/net/commit/cf3bd585ca2a5a21b057abd8be7eea2204af89d0 NOTE: Introduced by: https://github.com/golang/net/commit/500e7a4f953ddaf55d316b4d3adc516aa0379622 CVE-2018-17141 (HylaFAX 6.0.6 and HylaFAX+ 5.6.0 allow remote attackers to execute arb ...) {DSA-4298-1 DLA-1515-1} - hylafax 3:6.0.6-8.1 (bug #909161) NOTE: http://git.hylafax.org/HylaFAX?a=commit;h=82fa7bdbffc253de4d3e80a87d47fdbf68eabe36 CVE-2018-17140 (The Quizlord plugin through 2.0 for WordPress is prone to Stored XSS v ...) NOT-FOR-US: Wordpress plugin CVE-2018-17139 (UltimatePOS 2.5 allows users to upload arbitrary files, which leads to ...) NOT-FOR-US: UltimatePOS CVE-2018-17138 (The Jibu Pro plugin through 1.7 for WordPress is prone to Stored XSS v ...) NOT-FOR-US: Wordpress plugin CVE-2018-17137 (Prezi Next 1.3.101.11 has a documented purpose of creating HTML5 prese ...) NOT-FOR-US: Prezi Next CVE-2018-17136 (zzcms 8.3 contains a SQL Injection vulnerability in /user/check.php vi ...) NOT-FOR-US: zzcms CVE-2018-17135 RESERVED CVE-2018-17134 (admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute ar ...) NOT-FOR-US: PHPMyWind CVE-2018-17133 (admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute ar ...) NOT-FOR-US: PHPMyWind CVE-2018-17132 (admin/goods_update.php in PHPMyWind 5.5 allows Admin users to execute ...) NOT-FOR-US: PHPMyWind CVE-2018-17131 (admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute ar ...) NOT-FOR-US: PHPMyWind CVE-2018-17130 (PHPMyWind 5.5 has XSS in member.php via an HTTP Referer header, ...) NOT-FOR-US: PHPMyWind CVE-2018-17129 (MetInfo 6.1.0 has SQL injection in doexport() in app/system/feedback/a ...) NOT-FOR-US: MetInfo CVE-2018-17128 (A Persistent XSS issue was discovered in the Visual Editor in MyBB bef ...) NOT-FOR-US: MyBB CVE-2018-17127 (blocking_request.cgi on ASUS GT-AC5300 devices through 3.0.0.4.384_327 ...) NOT-FOR-US: ASUS CVE-2018-17126 (CScms 4.1 allows remote code execution, as demonstrated by 1');eval($_ ...) NOT-FOR-US: CScms CVE-2018-17125 (CScms 4.1 allows arbitrary directory deletion via a dir=..\\ substring ...) NOT-FOR-US: CScms CVE-2018-17124 RESERVED CVE-2018-17123 RESERVED CVE-2018-17122 RESERVED CVE-2018-17121 RESERVED CVE-2018-17120 RESERVED CVE-2018-17119 RESERVED CVE-2018-17118 RESERVED CVE-2018-17117 RESERVED CVE-2018-17116 RESERVED CVE-2018-17115 RESERVED CVE-2018-17114 RESERVED CVE-2018-17113 (App/Modules/Admin/Tpl/default/Public/dwz/uploadify/scripts/uploadify.s ...) NOT-FOR-US: EasyCMS CVE-2018-17112 RESERVED CVE-2018-17111 (The onlyOwner modifier of a smart contract implementation for Coinlanc ...) NOT-FOR-US: onlyOwner modifier of a smart contract implementation for Coinlancer (CL) CVE-2018-17110 (Simple POS 4.0.24 allows SQL Injection via a products/get_products/ co ...) NOT-FOR-US: Simple POS CVE-2018-17109 RESERVED CVE-2018-17108 (The SBIbuddy (aka com.sbi.erupee) application 1.41 and 1.42 for Androi ...) NOT-FOR-US: SBIbuddy CVE-2018-17107 (In Tgstation tgstation-server 3.2.4.0 through 3.2.1.0 (fixed in 3.2.5. ...) NOT-FOR-US: Tgstation tgstation-server CVE-2018-17106 (In Tinyftp Tinyftpd 1.1, a buffer overflow exists in the text variable ...) NOT-FOR-US: Tinyftpd CVE-2018-17105 RESERVED CVE-2018-17104 (An issue was discovered in Microweber 1.0.7. There is a CSRF attack (a ...) NOT-FOR-US: Microweber CVE-2018-17103 (** DISPUTED ** An issue was discovered in GetSimple CMS v3.3.13. There ...) NOT-FOR-US: GetSimple CMS CVE-2018-17102 (An issue was discovered in QuickAppsCMS (aka QACMS) through 2.0.0-beta ...) NOT-FOR-US: QuickAppsCMS CVE-2018-17101 (An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds ...) {DSA-4349-1 DLA-1557-1} - tiff 4.0.9+git181026-1 (bug #909037) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2807 NOTE: https://gitlab.com/libtiff/libtiff/commit/f1b94e8a3ba49febdd3361c0214a1d1149251577 CVE-2018-17100 (An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in ...) {DSA-4670-1 DLA-1557-1} - tiff 4.0.9+git181026-1 (low; bug #909038) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2810 NOTE: https://gitlab.com/libtiff/libtiff/merge_requests/33/diffs?commit_id=6da1fb3f64d43be37e640efbec60400d1f1ac39e NOTE: https://gitlab.com/libtiff/libtiff/commit/6da1fb3f64d43be37e640efbec60400d1f1ac39e CVE-2018-17099 RESERVED CVE-2018-17098 (The WavFileBase class in WavFile.cpp in Olli Parviainen SoundTouch 2.0 ...) - soundtouch 2.1.2+ds1-1 (low; bug #913894) [stretch] - soundtouch (Minor issue) [jessie] - soundtouch (Minor issue) NOTE: https://gitlab.com/soundtouch/soundtouch/issues/14 CVE-2018-17097 (The WavFileBase class in WavFile.cpp in Olli Parviainen SoundTouch 2.0 ...) - soundtouch 2.1.2+ds1-1 (low; bug #913895) [stretch] - soundtouch (Minor issue) [jessie] - soundtouch (Minor issue) NOTE: https://gitlab.com/soundtouch/soundtouch/issues/14 CVE-2018-17096 (The BPMDetect class in BPMDetect.cpp in libSoundTouch.a in Olli Parvia ...) - soundtouch 2.1.2+ds1-1 (low) [stretch] - soundtouch (Minor issue) [jessie] - soundtouch (Minor issue) NOTE: https://gitlab.com/soundtouch/soundtouch/issues/14 CVE-2018-17183 (Artifex Ghostscript before 9.25 allowed a user-writable error exceptio ...) {DSA-4294-1 DLA-1527-1} - ghostscript 9.25~dfsg-1 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699708 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb713b3818b52d8a6cf62c951eba2e1795ff9624 CVE-2018-17095 (An issue has been discovered in mpruett Audio File Library (aka audiof ...) - audiofile 0.3.6-5 (low; bug #913166) [stretch] - audiofile 0.3.6-4+deb9u1 [jessie] - audiofile (Can be fixed along in future DLA) NOTE: https://github.com/mpruett/audiofile/issues/50 NOTE: https://github.com/mpruett/audiofile/issues/51 CVE-2018-17094 REJECTED CVE-2018-17093 REJECTED CVE-2018-17092 (An issue was discovered in DonLinkage 6.6.8. SQL injection in /pages/p ...) NOT-FOR-US: DonLinkage CVE-2018-17091 (An issue was discovered in DonLinkage 6.6.8. It allows remote attacker ...) NOT-FOR-US: DonLinkage CVE-2018-17090 (An issue was discovered in DonLinkage 6.6.8. The modules /pages/bazy/b ...) NOT-FOR-US: DonLinkage CVE-2018-17089 RESERVED CVE-2018-17087 RESERVED CVE-2018-17086 (An issue was discovered in OTCMS 3.61. XSS exists in admin/share_switc ...) NOT-FOR-US: OTCMS CVE-2018-17085 (An issue was discovered in OTCMS 3.61. XSS exists in admin/users.php v ...) NOT-FOR-US: OTCMS CVE-2018-17084 RESERVED CVE-2018-17083 RESERVED CVE-2018-17082 (The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x ...) {DSA-4353-1 DLA-1509-1} - php7.3 7.3.0~rc2-1 - php7.2 - php7.1 - php7.0 7.0.32-1 - php5 NOTE: Fixed in 5.6.38, 7.0.32, 7.1.22, 7.2.10, 7.3.0RC1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=76582 NOTE: https://github.com/php/php-src/commit/23b057742e3cf199612fa8050ae86cae675e214e CVE-2018-17081 (e107 2.1.9 allows CSRF via e107_admin/wmessage.php?mode=&action=in ...) NOT-FOR-US: e107 CVE-2018-17080 RESERVED CVE-2018-17079 (An issue was discovered in ZRLOG 2.0.1. There is a Stored XSS vulnerab ...) NOT-FOR-US: ZRLOG CVE-2018-17078 RESERVED CVE-2018-17077 (An issue was discovered in yiqicms through 2016-11-20. There is stored ...) NOT-FOR-US: yiqicms CVE-2018-17076 (GPP through 2.25 will try to use more memory space than is available o ...) - gpp (unimportant; bug #908939) NOTE: https://github.com/logological/gpp/issues/26 NOTE: https://github.com/logological/gpp/commit/329aa63a70d32d1e2ae529130a792e0c6ae4ce79 NOTE: Crash in CLI tool, no security impact CVE-2018-17075 (The html package (aka x/net/html) before 2018-07-13 in Go mishandles " ...) - golang-golang-x-net-dev (Vulnerable code introduced later) - golang-go.net-dev (Vulnerable code introduced later) NOTE: https://github.com/golang/go/issues/27016 NOTE: Fixed by: https://github.com/golang/net/commit/aaf60122140d3fcf75376d319f0554393160eb50 NOTE: Introduced in: https://github.com/golang/net/commit/500e7a4f953ddaf55d316b4d3adc516aa0379622 CVE-2018-17074 (The Feed Statistics plugin before 4.0 for WordPress has an Open Redire ...) NOT-FOR-US: Feed Statistics plugin for WordPress CVE-2018-17073 (wernsey/bitmap before 2018-08-18 allows a NULL pointer dereference via ...) NOT-FOR-US: bitmap CVE-2018-17072 (JSON++ through 2016-06-15 has a buffer over-read in yyparse() in json. ...) NOT-FOR-US: JSON++ CVE-2018-17071 (The fallback function of a simple lottery smart contract implementatio ...) NOT-FOR-US: fallback function of a simple lottery smart contract implementation for Lucky9io CVE-2018-17070 (An issue was discovered in UNL-CMS 7.59. A CSRF attack can update the ...) NOT-FOR-US: UNL-CMS CVE-2018-17069 (An issue was discovered in UNL-CMS 7.59. A CSRF attack can create new ...) NOT-FOR-US: UNL-CMS CVE-2018-17068 (An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. An HTTP ...) NOT-FOR-US: D-Link CVE-2018-17067 (An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. A very ...) NOT-FOR-US: D-Link CVE-2018-17066 (An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. An HTTP ...) NOT-FOR-US: D-Link CVE-2018-17065 (An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. Within ...) NOT-FOR-US: D-Link CVE-2018-17064 (An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. An HTTP ...) NOT-FOR-US: D-Link CVE-2018-17063 (An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. An HTTP ...) NOT-FOR-US: D-Link CVE-2018-17062 (An issue was discovered in SeaCMS 6.64. XSS exists in admin_video.php ...) NOT-FOR-US: SeaCMS CVE-2018-17061 (BullGuard Safe Browsing before 18.1.355.9 allows XSS on Google, Bing, ...) NOT-FOR-US: BullGuard Safe Browsing CVE-2018-17060 (Telerik Extensions for ASP.NET MVC (all versions) does not whitelist r ...) NOT-FOR-US: Telerik Extensions for ASP.NET MVC CVE-2018-17059 RESERVED CVE-2018-17058 (An issue was discovered in JABA XPress Online Shop through 2018-09-14. ...) NOT-FOR-US: JABA CVE-2018-17057 (An issue was discovered in TCPDF before 6.2.22. Attackers can trigger ...) - tcpdf 6.2.26+dfsg-1 (bug #908866) [stretch] - tcpdf (Minor issue) [jessie] - tcpdf (Minor issue) NOTE: https://github.com/tecnickcom/TCPDF/commit/1861e33fe05f653b67d070f7c106463e7a5c26e NOTE: Was considered minor for jessie since arbitrary deserialization NOTE: is still possible using http and https. CVE-2018-17056 (Cross-site scripting (XSS) vulnerability in ServiceStack in Progress S ...) NOT-FOR-US: Progress Sitefinity CMS CVE-2018-17055 (An arbitrary file upload vulnerability in Progress Sitefinity CMS vers ...) NOT-FOR-US: Progress Sitefinity CMS CVE-2018-17054 (Cross-site scripting (XSS) vulnerability in Identity Server in Progres ...) NOT-FOR-US: Progress Sitefinity CMS CVE-2018-17053 (Cross-site scripting (XSS) vulnerability in Identity Server in Progres ...) NOT-FOR-US: Progress Sitefinity CMS CVE-2018-17052 RESERVED CVE-2018-17051 (K-Net Cisco Configuration Manager through 2014-11-19 has XSS via devic ...) NOT-FOR-US: K-Net Cisco Configuration Manager CVE-2018-17050 (The mintToken function of a smart contract implementation for PolyAi ( ...) NOT-FOR-US: smart contract CVE-2018-17049 (CQU-LANKERS through 2017-11-02 has XSS via the public/api.php callback ...) NOT-FOR-US: CQU-LANKERS CVE-2018-17048 (admin/Lib/Action/FpluginAction.class.php in FDCMS (aka Fangfa Content ...) NOT-FOR-US: FDCMS CVE-2018-17047 RESERVED CVE-2018-17046 (translate man before 2018-08-21 has XSS via containers/outputBox/outpu ...) NOT-FOR-US: translate-man CVE-2018-17045 (An issue was discovered in CMS MaeloStore V.1.5.0. There is a CSRF vul ...) NOT-FOR-US: CMS MaeloStore CVE-2018-17044 (In YzmCMS 5.1, stored XSS exists via the admin/system_manage/user_conf ...) NOT-FOR-US: YzmCMS CVE-2018-17043 (An issue has been found in doc2txt through 2014-03-19. It is a heap-ba ...) NOT-FOR-US: doc2txt CVE-2018-17042 (An issue has been found in dbf2txt through 2012-07-19. It is a infinit ...) NOT-FOR-US: doc2txt CVE-2018-17041 RESERVED CVE-2018-17040 RESERVED CVE-2018-17039 (MiniCMS 1.10, when Internet Explorer is used, allows XSS via a crafted ...) NOT-FOR-US: MiniCMS CVE-2018-17038 RESERVED CVE-2018-17037 (user/editpost.php in UCMS 1.4.6 mishandles levels, which allows escala ...) NOT-FOR-US: UCMS CVE-2018-17036 (An issue was discovered in UCMS 1.4.6. It allows PHP code injection du ...) NOT-FOR-US: UCMS CVE-2018-17035 (UCMS 1.4.6 has SQL injection during installation via the install/index ...) NOT-FOR-US: UCMS CVE-2018-17034 (UCMS 1.4.6 has XSS via the install/index.php mysql_dbname parameter. ...) NOT-FOR-US: UCMS CVE-2018-17033 RESERVED CVE-2018-17032 RESERVED CVE-2018-17031 (In Gogs 0.11.53, an attacker can use a crafted .eml file to trigger MI ...) NOT-FOR-US: Go Git Service CVE-2018-17030 (BigTree CMS 4.2.23 allows remote authenticated users, if possessing pr ...) NOT-FOR-US: BigTree CMS CVE-2018-17029 RESERVED CVE-2018-17028 RESERVED CVE-2018-17027 RESERVED CVE-2018-17026 (admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_titl ...) NOT-FOR-US: Monstra CMS CVE-2018-17025 (admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_titl ...) NOT-FOR-US: Monstra CMS CVE-2018-17024 (admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_titl ...) NOT-FOR-US: Monstra CMS CVE-2018-17023 (Cross-site request forgery (CSRF) vulnerability on ASUS GT-AC5300 rout ...) NOT-FOR-US: ASUS GT-AC5300 routers CVE-2018-17022 (Stack-based buffer overflow on the ASUS GT-AC5300 router through 3.0.0 ...) NOT-FOR-US: ASUS GT-AC5300 routers CVE-2018-17021 (Cross-site scripting (XSS) vulnerability on ASUS GT-AC5300 devices wit ...) NOT-FOR-US: ASUS GT-AC5300 devices CVE-2018-17020 (ASUS GT-AC5300 devices with firmware through 3.0.0.4.384_32738 allow r ...) NOT-FOR-US: ASUS GT-AC5300 devices CVE-2018-17019 (In Bro through 2.5.5, there is a DoS in IRC protocol names command par ...) - bro 2.6.1+ds1-1 (bug #908779) [buster] - bro 2.5.5-1+deb10u1 [stretch] - bro (Minor issue) NOTE: https://github.com/bro/bro/commit/c2b18849f8bb833253538f5dfedb4ed1dc176a30 CVE-2018-17018 (An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7 ...) NOT-FOR-US: TP-Link CVE-2018-17017 (An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7 ...) NOT-FOR-US: TP-Link CVE-2018-17016 (An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7 ...) NOT-FOR-US: TP-Link CVE-2018-17015 (An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7 ...) NOT-FOR-US: TP-Link CVE-2018-17014 (An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7 ...) NOT-FOR-US: TP-Link CVE-2018-17013 (An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7 ...) NOT-FOR-US: TP-Link CVE-2018-17012 (An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7 ...) NOT-FOR-US: TP-Link CVE-2018-17011 (An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7 ...) NOT-FOR-US: TP-Link CVE-2018-17010 (An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7 ...) NOT-FOR-US: TP-Link CVE-2018-17009 (An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7 ...) NOT-FOR-US: TP-Link CVE-2018-17008 (An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7 ...) NOT-FOR-US: TP-Link CVE-2018-17007 (An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7 ...) NOT-FOR-US: TP-Link CVE-2018-17006 (An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7 ...) NOT-FOR-US: TP-Link CVE-2018-17005 (An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7 ...) NOT-FOR-US: TP-Link CVE-2018-17004 (An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7 ...) NOT-FOR-US: TP-Link CVE-2018-17003 (In LimeSurvey 3.14.7, HTML Injection and Stored XSS have been discover ...) - limesurvey (bug #472802) CVE-2018-17002 (On the RICOH MP 2001 printer, HTML Injection and Stored XSS vulnerabil ...) NOT-FOR-US: RICOH CVE-2018-17001 (On the RICOH SP 4510SF printer, HTML Injection and Stored XSS vulnerab ...) NOT-FOR-US: RICOH CVE-2018-17000 (A NULL pointer dereference in the function _TIFFmemcmp at tif_unix.c ( ...) {DSA-4670-1 DLA-1680-1} - tiff 4.0.10-4 (bug #908778) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2811 NOTE: Relates to http://bugzilla.maptools.org/show_bug.cgi?id=2833 NOTE: Fixed by: https://gitlab.com/libtiff/libtiff/commit/802d3cbf3043be5dce5317e140ccb1c17a6a2d39 CVE-2018-16999 (Netwide Assembler (NASM) 2.14rc15 has an invalid memory write (segment ...) - nasm 2.14-1 (unimportant) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392508 NOTE: https://github.com/netwide-assembler/nasm/commit/980dd658b521afe4a688c4195410c4449a8e2468 NOTE: Crash in CLI tool, no security impact CVE-2018-16998 RESERVED CVE-2018-16997 RESERVED CVE-2018-16996 RESERVED CVE-2018-16995 RESERVED CVE-2018-16994 (An issue was discovered on PHOENIX CONTACT AXL F BK PN <=1.0.4, AXL ...) NOT-FOR-US: PHOENIX CONTACT AXL CVE-2018-16993 RESERVED CVE-2018-16992 RESERVED CVE-2018-16991 RESERVED CVE-2018-16990 RESERVED CVE-2018-16989 RESERVED CVE-2018-16988 (An issue was discovered in Open XDMoD through 7.5.0. An authentication ...) NOT-FOR-US: Open XDMoD CVE-2018-16987 (Squash TM through 1.18.0 presents the cleartext passwords of external ...) NOT-FOR-US: Squash TM CVE-2018-16986 (Texas Instruments BLE-STACK v2.2.1 for SimpleLink CC2640 and CC2650 de ...) NOT-FOR-US: Texas Instruments BLE-STACK v2.2.1 for SimpleLink CC2640 and CC2650 devices CVE-2018-16985 (In Lizard (formerly LZ5) 2.0, use of an invalid memory address was dis ...) NOT-FOR-US: Lizard CVE-2018-16984 (An issue was discovered in Django 2.1 before 2.1.2, in which unprivile ...) [experimental] - python-django 2:2.1.2-1 - python-django (bug #910016; vulnerable code not present) NOTE: https://www.djangoproject.com/weblog/2018/oct/01/security-release/ NOTE: https://github.com/django/django/commit/bf39978a53f117ca02e9a0c78b76664a41a54745 (master) NOTE: https://github.com/django/django/commit/c4bd5b597e0aa2432e4c867b86650f18af117851 (2.1) CVE-2018-16983 (NoScript Classic before 5.1.8.7, as used in Tor Browser 7.x and other ...) - mozilla-noscript (unimportant) NOTE: This is not a security issue in NoScript by itself CVE-2018-16982 (Open Chinese Convert (OpenCC) 1.0.5 allows attackers to cause a denial ...) NOT-FOR-US: Open Chinese Convert (OpenCC) CVE-2018-16981 (stb stb_image.h 2.19, as used in catimg, Emscripten, and other product ...) - libstb 0.0~git20190617.5.c72a95d-1 [buster] - libstb (Minor issue) NOTE: https://github.com/nothings/stb/issues/656 NOTE: https://github.com/nothings/stb/commit/50b1bfba583b12ceb23ef949567bdd914461e524 NOTE: Potentially affects libsixel, libsfml, love, mame, darknet, gem, ccextractor, zynaddsubfx, osgearth, goxel, yquake2, renderdoc, catimg, libstb, zam-plugins, retroarch CVE-2018-16980 (dotCMS V5.0.1 has XSS in the /html/portlet/ext/contentlet/image_tools/ ...) NOT-FOR-US: dotCMS CVE-2018-16979 (Monstra CMS V3.0.4 allows HTTP header injection in the plugins/captcha ...) NOT-FOR-US: Monstra CMS CVE-2018-16978 (Monstra CMS V3.0.4 has XSS when ones tries to register an account with ...) NOT-FOR-US: Monstra CMS CVE-2018-16977 (Monstra CMS V3.0.4 has an information leakage risk (e.g., PATH, DOCUME ...) NOT-FOR-US: Monstra CMS CVE-2018-16975 (An issue was discovered in Elefant CMS before 2.0.7. There is a PHP Co ...) NOT-FOR-US: Elefant CMS CVE-2018-16974 (An issue was discovered in Elefant CMS before 2.0.7. There is a PHP Co ...) NOT-FOR-US: Elefant CMS CVE-2018-16973 RESERVED CVE-2018-16972 RESERVED CVE-2018-16971 (Wisetail Learning Ecosystem (LE) through v4.11.6 allows insecure direc ...) NOT-FOR-US: Wisetail Learning Ecosystem CVE-2018-16970 (Wisetail Learning Ecosystem (LE) through v4.11.6 allows insecure direc ...) NOT-FOR-US: Wisetail Learning Ecosystem CVE-2018-16969 (Citrix ShareFile StorageZones Controller before 5.4.2 has Information ...) NOT-FOR-US: Citrix ShareFile StorageZones Controller CVE-2018-16968 (Citrix ShareFile StorageZones Controller before 5.4.2 allows Directory ...) NOT-FOR-US: Citrix ShareFile StorageZones Controller CVE-2018-16967 (There is an XSS vulnerability in the mndpsingh287 File Manager plugin ...) NOT-FOR-US: mndpsingh287 File Manager plugin for WordPress CVE-2018-16966 (There is a CSRF vulnerability in the mndpsingh287 File Manager plugin ...) NOT-FOR-US: mndpsingh287 File Manager plugin for WordPress CVE-2018-16965 (In Zoho ManageEngine SupportCenter Plus before 8.1 Build 8109, there i ...) NOT-FOR-US: Zoho CVE-2018-16964 RESERVED CVE-2018-16963 RESERVED CVE-2018-16962 (Webroot SecureAnywhere before 9.0.8.34 on macOS mishandles access to t ...) NOT-FOR-US: Webroot SecureAnywhere CVE-2018-16961 (An issue was discovered in Open XDMoD through 7.5.0. html/gui/general/ ...) NOT-FOR-US: Open XDMoD CVE-2018-16960 (An issue was discovered in Open XDMoD through 7.5.0. html/gui/general/ ...) NOT-FOR-US: Open XDMoD CVE-2018-16959 (An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. ...) NOT-FOR-US: Oracle WebCenter Interaction Portal CVE-2018-16958 (An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. ...) NOT-FOR-US: Oracle WebCenter Interaction Portal CVE-2018-16957 (The Oracle WebCenter Interaction 10.3.3 search service queryd.exe bina ...) NOT-FOR-US: Oracle WebCenter Interaction CVE-2018-16956 (The AjaxControl component of Oracle WebCenter Interaction Portal 10.3. ...) NOT-FOR-US: Oracle WebCenter Interaction Portal CVE-2018-16955 (The login function of Oracle WebCenter Interaction Portal 10.3.3 is vu ...) NOT-FOR-US: Oracle WebCenter Interaction Portal CVE-2018-16954 (An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. ...) NOT-FOR-US: Oracle WebCenter Interaction Portal CVE-2018-16953 (The AjaxView::DisplayResponse() function of the portalpages.dll assemb ...) NOT-FOR-US: Oracle WebCenter Interaction Portal CVE-2018-16952 (The Oracle WebCenter Interaction Portal 10.3.3 does not implement prot ...) NOT-FOR-US: Oracle WebCenter Interaction Portal CVE-2017-18348 (Splunk Enterprise 6.6.x, when configured to run as root but drop privi ...) NOT-FOR-US: Splunk CVE-2017-18347 (Incorrect access control in RDP Level 1 on STMicroelectronics STM32F0 ...) NOT-FOR-US: STMicroelectronics STM32F0 series devices CVE-2018-16976 (Gitolite before 3.6.9 does not (in certain configurations involving @a ...) - gitolite3 3.6.9-1 (bug #908699) [stretch] - gitolite3 (Minor issue) [jessie] - gitolite3 (Minor issue) - gitolite NOTE: https://groups.google.com/forum/#!topic/gitolite-announce/WrwDTYdbfRg NOTE: https://github.com/sitaramc/gitolite/commit/dc13dfca8fdae5634bb0865f7e9822d2a268ed59 CVE-2018-16951 (xunfeng 0.2.0 allows command execution via CSRF because masscan.py mis ...) NOT-FOR-US: xunfeng CVE-2018-16950 (Inteno DG400 WU7U_ELION3.11.6-170614_1328 devices allow remote attacke ...) NOT-FOR-US: Inteno DG400 WU7U_ELION3.11.6-170614_1328 devices CVE-2018-16946 (LG LNB*, LND*, LNU*, and LNV* smart network camera devices have broken ...) NOT-FOR-US: LG smart network camera device CVE-2018-16945 RESERVED CVE-2018-16944 RESERVED CVE-2018-16943 RESERVED CVE-2018-16942 RESERVED CVE-2018-16941 RESERVED CVE-2018-16940 RESERVED CVE-2018-16939 RESERVED CVE-2018-16938 RESERVED CVE-2018-16937 RESERVED CVE-2018-16936 RESERVED CVE-2018-16935 RESERVED CVE-2018-16934 RESERVED CVE-2018-16933 RESERVED CVE-2018-16932 RESERVED CVE-2018-16931 RESERVED CVE-2018-16930 RESERVED CVE-2018-16929 RESERVED CVE-2018-16928 RESERVED CVE-2018-16927 RESERVED CVE-2018-16926 RESERVED CVE-2018-16925 RESERVED CVE-2018-16924 RESERVED CVE-2018-16923 RESERVED CVE-2018-16922 RESERVED CVE-2018-16921 RESERVED CVE-2018-16920 RESERVED CVE-2018-16919 RESERVED CVE-2018-16918 RESERVED CVE-2018-16917 RESERVED CVE-2018-16916 RESERVED CVE-2018-16915 RESERVED CVE-2018-16914 RESERVED CVE-2018-16913 RESERVED CVE-2018-16912 RESERVED CVE-2018-16911 RESERVED CVE-2018-16910 RESERVED CVE-2018-16909 RESERVED CVE-2018-16908 RESERVED CVE-2018-16907 RESERVED CVE-2018-16906 RESERVED CVE-2018-16905 RESERVED CVE-2018-16904 RESERVED CVE-2018-16903 RESERVED CVE-2018-16902 RESERVED CVE-2018-16901 RESERVED CVE-2018-16900 RESERVED CVE-2018-16899 RESERVED CVE-2018-16898 RESERVED CVE-2018-16897 RESERVED CVE-2018-16896 RESERVED CVE-2018-16895 RESERVED CVE-2018-16894 RESERVED CVE-2018-16893 RESERVED CVE-2018-16892 RESERVED CVE-2018-16891 RESERVED CVE-2018-16890 (libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap ...) {DSA-4386-1 DLA-1672-1} - curl 7.64.0-1 NOTE: https://curl.haxx.se/docs/CVE-2018-16890.html NOTE: Fixed by: https://github.com/curl/curl/commit/b780b30d1377adb10bbe774835f49e9b237fb9bb NOTE: Introduced by: https://github.com/curl/curl/commit/86724581b6c02d160b52f817550cfdfc9c93af62 CVE-2018-16889 (Ceph does not properly sanitize encryption keys in debug logging for v ...) - ceph 12.2.11+dfsg1-1 (low; bug #918969) [stretch] - ceph (Minor issue) [jessie] - ceph (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1665334 NOTE: http://tracker.ceph.com/issues/37847 NOTE: https://github.com/ceph/ceph/commit/ba55e2a96c9dfcc7aa2311431beaaa23cb05c30d CVE-2018-16888 (It was discovered systemd does not correctly check the content of PIDF ...) - systemd 237-1 (low) [stretch] - systemd (Minor issue, too intrusive to backport) [jessie] - systemd (low priority because this is inherently a bug in the PID file logic, too intrusive to backport) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1662867 NOTE: Upstream issue: https://github.com/systemd/systemd/issues/6632 NOTE: Upstream patches: https://github.com/systemd/systemd/pull/7816 CVE-2018-16887 (A cross-site scripting (XSS) flaw was found in the katello component o ...) NOT-FOR-US: Katello CVE-2018-16886 (etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerab ...) - etcd 3.2.26+dfsg-1 (bug #923008) NOTE: Introduced by: https://github.com/etcd-io/etcd/commit/0191509637546621d6f2e18e074e955ab8ef374d NOTE: Upstream issue: https://github.com/etcd-io/etcd/pull/10366 NOTE: https://github.com/etcd-io/etcd/commit/bf9d0d8291dc71ecbfb2690612954e1a298154b2 NOTE: https://github.com/etcd-io/etcd/commit/a9a9466fb8ba11ad7bb6a44d7446fbd072d59887 NOTE: https://github.com/etcd-io/etcd/commit/99704e2a97e8710da942bdc737417fc9c9a2c03f NOTE: https://github.com/etcd-io/etcd/commit/83c051b701d33261eef91a719e4421c81b000ba4 CVE-2018-16885 (A flaw was found in the Linux kernel that allows the userspace to call ...) - linux 3.16.2-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1661503 NOTE: https://git.kernel.org/linus/06ebb06d49486676272a3c030bfeef4bd969a8e6 CVE-2018-16884 (A flaw was found in the Linux kernel's NFS41+ subsystem. NFS41+ shares ...) {DLA-1771-1 DLA-1731-1} - linux 4.19.16-1 [stretch] - linux 4.9.161-1 NOTE: https://patchwork.kernel.org/cover/10733767/ NOTE: https://patchwork.kernel.org/patch/10733769/ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1660375 CVE-2018-16883 (sssd versions from 1.13.0 to before 2.0.0 did not properly restrict ac ...) - sssd 2.2.0-1 (bug #916824) [buster] - sssd (Minor issue) [stretch] - sssd (Minor issue) [jessie] - sssd (Issue got introduced with 1.13.0) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1659862 NOTE: Fixed in upstream 2.0.0 while refactoring code NOTE: Fixed by https://pagure.io/SSSD/sssd/c/fbe2476a3dd9be83ffa85c29dca26f734618d72d?branch=master CVE-2018-16882 (A use-after-free issue was found in the way the Linux kernel's KVM hyp ...) - linux 4.19.13-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://marc.info/?l=kvm&m=154514994222809&w=2 NOTE: Fixed by: https://git.kernel.org/linus/c2dd5146e9fe1f22c77c1b011adf84eea0245806 CVE-2018-16881 (A denial of service vulnerability was found in rsyslog in the imptcp m ...) - rsyslog 8.27.0-2 [stretch] - rsyslog (Minor issue; imptcp not enabled by default) [jessie] - rsyslog (Vulnerable code introduced in 8.13.1) NOTE: Fixed by: https://github.com/rsyslog/rsyslog/commit/0381a0de64a5a048c3d48b79055bd9848d0c7fc2 NOTE: Introduced by: https://github.com/rsyslog/rsyslog/commit/6c52f29d593a27f934a1871d40eed84ebde3f3a6 CVE-2018-16880 (A flaw was found in the Linux kernel's handle_rx() function in the [vh ...) - linux 4.19.20-1 [stretch] - linux (Vulnerable code introduced in 4.16-rc1) [jessie] - linux (Vulnerable code introduced in 4.16-rc1) NOTE: https://www.openwall.com/lists/oss-security/2019/01/25/1 CVE-2018-16879 (Ansible Tower before version 3.3.3 does not set a secure channel as it ...) NOT-FOR-US: Ansible Tower CVE-2018-16878 (A flaw was found in pacemaker up to and including version 2.0.1. An in ...) - pacemaker 2.0.1-3 (bug #927714) [stretch] - pacemaker (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2019/04/17/1 NOTE: https://github.com/ClusterLabs/pacemaker/pull/1749 (master) NOTE: https://github.com/ClusterLabs/pacemaker/pull/1750 (1.1) NOTE: https://lists.clusterlabs.org/pipermail/users/2019-May/025822.html CVE-2018-16877 (A flaw was found in the way pacemaker's client-server authentication w ...) - pacemaker 2.0.1-3 (bug #927714) [stretch] - pacemaker (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2019/04/17/1 NOTE: https://github.com/ClusterLabs/pacemaker/pull/1749 (master) NOTE: https://github.com/ClusterLabs/pacemaker/pull/1750 (1.1) NOTE: https://lists.clusterlabs.org/pipermail/users/2019-May/025822.html CVE-2018-16876 (ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to a infor ...) {DSA-4396-1} - ansible 2.7.6+dfsg-1 (bug #916102) [jessie] - ansible (Vulnerable code not present) NOTE: https://github.com/ansible/ansible/pull/49569 NOTE: https://github.com/ansible/ansible/commit/4c6d714aefb05366cb329e139214c89ebb364899 CVE-2018-16875 (The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 d ...) - golang-1.11 1.11.3-1 - golang-1.10 1.10.6-1 NOTE: https://github.com/golang/go/issues/29233 NOTE: https://github.com/golang/go/commit/df523969435b8945d939c7e2a849b50910ef4c25 (1.11.3) NOTE: https://github.com/golang/go/commit/0a4a37f1f0a36e55d8ae5c34210a79499f9f2a9d (1.10.6) CVE-2018-16874 (In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is ...) - golang-1.11 1.11.3-1 - golang-1.10 1.10.6-1 NOTE: https://github.com/golang/go/issues/29231 NOTE: https://github.com/golang/go/commit/8954addb3294a5e664a9833354bafa58f163fe8f (1.11.3) NOTE: https://github.com/golang/go/commit/90d609ba6156299642d08afc06d85ab770a03972 (1.10.6) CVE-2018-16873 (In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is ...) - golang-1.11 1.11.3-1 - golang-1.10 1.10.6-1 NOTE: https://github.com/golang/go/issues/29230 NOTE: https://github.com/golang/go/commit/8954addb3294a5e664a9833354bafa58f163fe8f (1.11.3) NOTE: https://github.com/golang/go/commit/5aedc8af94c0a8ffc58cbd09993192dea9b238db (1.11.3) NOTE: https://github.com/golang/go/commit/90d609ba6156299642d08afc06d85ab770a03972 (1.10.6) NOTE: https://github.com/golang/go/commit/7ef6ee2c5727f0d11206b4d1866c18e6ab4785be (1.10.6) CVE-2018-16872 (A flaw was found in qemu Media Transfer Protocol (MTP). The code openi ...) {DSA-4454-1 DLA-1694-1} - qemu 1:3.1+dfsg-2 (bug #916397) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg03135.html NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=bab9df35ce73d1c8e19a37e2737717ea1c984dc1 CVE-2018-16871 (A flaw was found in the Linux kernel's NFS implementation, all version ...) - linux 4.18.20-1 [stretch] - linux 4.9.144-1 [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/01310bb7c9c98752cc763b36532fab028e0f8f81 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1655162 CVE-2018-16870 (It was found that wolfssl before 3.15.7 is vulnerable to a new variant ...) - wolfssl 4.1.0+dfsg-1 (bug #918952) NOTE: https://github.com/wolfSSL/wolfssl/pull/1950 CVE-2018-16869 (A Bleichenbacher type side-channel based padding oracle attack was fou ...) - nettle 3.4.1~rc1-1 [stretch] - nettle (Minor issue) [jessie] - nettle (Minor issue - https://lists.debian.org/debian-lts/2019/03/msg00021.html) NOTE: http://cat.eyalro.net/ NOTE: https://lists.lysator.liu.se/pipermail/nettle-bugs/2018/007363.html NOTE: The upstream correction also makes a new public function that packages using NOTE: nettle should use. This means that fixing this CVE is a pre-requisite for NOTE: fixing other CVEs like CVE-2018-16868. CVE-2018-16868 (A Bleichenbacher type side-channel based padding oracle attack was fou ...) [experimental] - gnutls28 3.6.5-1 - gnutls28 3.6.5-2 [stretch] - gnutls28 (Minor issue) [jessie] - gnutls28 (Too invasive to fix, requires newer nettle shared lib - https://lists.debian.org/debian-lts/2019/03/msg00021.html) - gnutls26 NOTE: http://cat.eyalro.net/ NOTE: https://gitlab.com/gnutls/gnutls/issues/630 NOTE: https://gitlab.com/gnutls/gnutls/merge_requests/832 NOTE: CVE-2018-16869 must be fixed first and a new build dependency on this new NOTE: nettle version. CVE-2018-16867 (A flaw was found in qemu Media Transfer Protocol (MTP) before version ...) - qemu 1:3.1+dfsg-1 (bug #915884) [stretch] - qemu (Vulnerable code not present) [jessie] - qemu (Vulnerable code not present) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg00390.html NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=c52d46e041b42bb1ee6f692e00a0abe37a9659f6 (master) NOTE: vulnerable code introduced in NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=88d5f381ecb2d2828fd77676572ff9a99da699fb CVE-2018-16866 (An out of bounds read was discovered in systemd-journald in the way it ...) {DSA-4367-1} - systemd 240-1 [jessie] - systemd (Vulnerable code not present) NOTE: Introduced in: https://github.com/systemd/systemd/commit/ec5ff4445cca6a1d786b8da36cf6fe0acc0b94c8 (v221) NOTE: Fixed by: https://github.com/systemd/systemd/commit/a6aadf4ae0bae185dc4c414d492a4a781c80ffe5 (v240) [1/2] NOTE: Fixed by: https://github.com/systemd/systemd/commit/8595102d3ddde6d25c282f965573a6de34ab4421 (v240) [2/2] NOTE: https://www.openwall.com/lists/oss-security/2019/01/09/3 NOTE: https://www.qualys.com/2019/01/09/system-down/system-down.txt CVE-2018-16865 (An allocation of memory without limits, that could result in the stack ...) {DSA-4367-1 DLA-1639-1} - systemd 240-4 (bug #918848) NOTE: Intorduced in: https://github.com/systemd/systemd/commit/cf244689e9d1ab50082c9ddd0f3c4d1eb982badc (v38) NOTE: Exploitable since: https://github.com/systemd/systemd/commit/c4aa09b06f835c91cea9e021df4c3605cff2318d (v201) NOTE: Fixed by: https://github.com/systemd/systemd/commit/052c57f132f04a3cf4148f87561618da1a6908b4 NOTE: Fixed by: https://github.com/systemd/systemd/commit/ef4d6abe7c7fab6cbff975b32e76b09feee56074 NOTE: Fixes for master: https://github.com/systemd/systemd/pull/11374 NOTE: https://www.openwall.com/lists/oss-security/2019/01/09/3 NOTE: https://www.qualys.com/2019/01/09/system-down/system-down.txt CVE-2018-16864 (An allocation of memory without limits, that could result in the stack ...) {DSA-4367-1 DLA-1639-1} - systemd 240-4 (bug #918841) NOTE: Introduced in: https://github.com/systemd/systemd/commit/ae018d9bc900d6355dea4af05119b49c67945184 (v203) NOTE: Exploitable since: https://github.com/systemd/systemd/commit/ac2e41f5103ce2c679089c4f8fb6be61d7caec07 (v230) NOTE: Fixed by: https://github.com/systemd/systemd/commit/084eeb865ca63887098e0945fb4e93c852b91b0f NOTE: Fixes for master: https://github.com/systemd/systemd/pull/11374 NOTE: https://www.openwall.com/lists/oss-security/2019/01/09/3 NOTE: https://www.qualys.com/2019/01/09/system-down/system-down.txt CVE-2018-16863 (It was found that RHSA-2018:2918 did not fully fix CVE-2018-16509. An ...) - ghostscript (Red Hat-specific issue) NOTE: Debian updates backported all fixes to released suites CVE-2018-16862 (A security flaw was found in the Linux kernel in a way that the cleanc ...) {DLA-1731-1 DLA-1715-1} - linux 4.19.9-1 [stretch] - linux 4.9.144-1 NOTE: https://lore.kernel.org/patchwork/patch/1011367/ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649017 NOTE: Fixed by: https://git.kernel.org/linus/6ff38bd40230af35e446239396e5fc8ebd6a5248 CVE-2018-16861 (A cross-site scripting (XSS) flaw was found in the foreman component o ...) - foreman (bug #663101) CVE-2018-16860 (A flaw was found in samba's Heimdal KDC implementation, versions 4.8.x ...) {DSA-4455-1 DSA-4443-1 DLA-1788-1} - heimdal 7.5.0+dfsg-3 (bug #928966) [jessie] - heimdal (Minor issue) - samba 2:4.9.5+dfsg-4 NOTE: https://www.samba.org/samba/security/CVE-2018-16860.html NOTE: https://github.com/heimdal/heimdal/commit/c6257cc2c842c0faaeb4ef34e33890ee88c4cbba CVE-2018-16859 (Execution of Ansible playbooks on Windows platforms with PowerShell Sc ...) - ansible (Only issue when executing Ansible playbooks on Windows platforms) CVE-2018-16858 (It was found that libreoffice before versions 6.0.7 and 6.1.3 was vuln ...) {DSA-4381-1 DLA-1669-1} - libreoffice 1:6.1.3-1 NOTE: https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html CVE-2018-16857 (Samba from version 4.9.0 and before version 4.9.3 that have AD DC conf ...) - samba 2:4.9.2+dfsg-2 [stretch] - samba (Vulnerable code not present) [jessie] - samba (Vulnerable code not present) NOTE: https://www.samba.org/samba/security/CVE-2018-16857.html CVE-2018-16856 (In a default Red Hat Openstack Platform Director installation, opensta ...) - octavia (Red Hat-specific, see bug #920769) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649165 CVE-2018-16855 (An issue has been found in PowerDNS Recursor before version 4.1.8 wher ...) - pdns-recursor 4.1.8-1 [stretch] - pdns-recursor (Only affects 4.1.x) [jessie] - pdns-recursor (Only affects 4.1.x) NOTE: https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-09.html CVE-2018-16854 (A flaw was found in moodle versions 3.5 to 3.5.2, 3.4 to 3.4.5, 3.3 to ...) - moodle NOTE: https://moodle.org/mod/forum/discuss.php?d=378731 NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-63183 CVE-2018-16853 (Samba from version 4.7.0 has a vulnerability that allows a user in a S ...) - samba 2:4.9.2+dfsg-2 (unimportant) [stretch] - samba (Vulnerable code not present) [jessie] - samba (Vulnerable code not present) NOTE: https://www.samba.org/samba/security/CVE-2018-16853.html NOTE: Samba in Debian is built with the default Heimdal Kerberos build CVE-2018-16852 (Samba from version 4.9.0 and before version 4.9.3 is vulnerable to a N ...) - samba 2:4.9.2+dfsg-2 [stretch] - samba (Vulnerable code not present) [jessie] - samba (Vulnerable code not present) NOTE: https://www.samba.org/samba/security/CVE-2018-16852.html CVE-2018-16851 (Samba from version 4.0.0 and before versions 4.7.12, 4.8.7, 4.9.3 is v ...) {DSA-4345-1 DLA-1607-1} - samba 2:4.9.2+dfsg-2 NOTE: https://www.samba.org/samba/security/CVE-2018-16851.html CVE-2018-16850 (postgresql before versions 11.1, 10.6 is vulnerable to a to SQL inject ...) - postgresql-11 11.1-1 - postgresql-10 - postgresql-9.6 (Only affects 11.x and 10.x) - postgresql-9.4 (Only affects 11.x and 10.x) - postgresql-9.1 (Only affects 11.x and 10.x) NOTE: https://www.postgresql.org/about/news/1905/ NOTE: Fixed in 11.1, 10.6 CVE-2018-16849 (A flaw was found in openstack-mistral. By manipulating the SSH private ...) - mistral 7.0.0-2 (low; bug #912714) [stretch] - mistral 3.0.0-4+deb9u1 NOTE: https://bugs.launchpad.net/mistral/+bug/1783708 CVE-2018-16848 (A Denial of Service (DoS) condition is possible in OpenStack Mistral i ...) - mistral NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1645332 CVE-2018-16847 (An OOB heap buffer r/w access issue was found in the NVM Express Contr ...) - qemu 1:3.1+dfsg-1 (bug #912655) [stretch] - qemu (support for Controller Memory Buffers added later) [jessie] - qemu (support for Controller Memory Buffers added later) - qemu-kvm (support for Controller Memory Buffers added later) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg00200.html NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=87ad860c622cc8f8916b5232bd8728c08f938fce CVE-2018-16846 (It was found in Ceph versions before 13.2.4 that authenticated ceph RG ...) {DLA-1696-1} - ceph 12.2.11+dfsg1-1 (bug #921947) NOTE: http://tracker.ceph.com/issues/35994 NOTE: https://github.com/ceph/ceph/commit/4337e6a7d9f92c8549ebee20d0dd67a01e49857f NOTE: https://github.com/ceph/ceph/commit/ab29bed2fc9f961fe895de1086a8208e21ddaddc NOTE: Backport to 12.2.11: https://tracker.ceph.com/issues/37831 CVE-2018-16845 (nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_ht ...) {DSA-4335-1 DLA-1572-1} - nginx 1.14.1-1 (bug #913090) NOTE: http://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html NOTE: https://nginx.org/download/patch.2018.mp4.txt NOTE: http://hg.nginx.org/nginx/rev/fdc19a3289c1 NOTE: Fixed in 1.15.6, 1.14.1. CVE-2018-16844 (nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the imp ...) {DSA-4335-1} - nginx 1.14.1-1 (bug #913090) [jessie] - nginx (HTTP 2.0 support added later) NOTE: http://mailman.nginx.org/pipermail/nginx-announce/2018/000220.html NOTE: http://hg.nginx.org/nginx/rev/9200b41db765 NOTE: Fixed in 1.15.6, 1.14.1. CVE-2018-16843 (nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the imp ...) {DSA-4335-1} - nginx 1.14.1-1 (bug #913090) [jessie] - nginx (HTTP 2.0 support added later) NOTE: http://mailman.nginx.org/pipermail/nginx-announce/2018/000220.html NOTE: http://hg.nginx.org/nginx/rev/d4448892a294 NOTE: Fixed in 1.15.6, 1.14.1. CVE-2018-16842 (Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buf ...) {DSA-4331-1 DLA-1568-1} - curl 7.62.0-1 NOTE: https://curl.haxx.se/docs/CVE-2018-16842.html NOTE: Fixed by: https://github.com/curl/curl/commit/d530e92f59ae9bb2d47066c3c460b25d2ffeb211 CVE-2018-16841 (Samba from version 4.3.0 and before versions 4.7.12, 4.8.7 and 4.9.3 a ...) {DSA-4345-1} - samba 2:4.9.2+dfsg-2 [jessie] - samba (Vulnerable code not present) NOTE: https://www.samba.org/samba/security/CVE-2018-16841.html CVE-2018-16840 (A heap use-after-free flaw was found in curl versions from 7.59.0 thro ...) - curl 7.62.0-1 [stretch] - curl (Use-after-free issue introduced later) [jessie] - curl (Use-after-free issue introduced later) NOTE: https://curl.haxx.se/docs/CVE-2018-16840.html NOTE: Fixed by: https://github.com/curl/curl/commit/81d135d67155c5295b1033679c606165d4e28f3f NOTE: Introduced by: https://github.com/curl/curl/commit/b46cfbc068ebe90f18e9777b9e877e4934c1b5e3 CVE-2018-16839 (Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun ...) {DSA-4331-1 DLA-1568-1} - curl 7.62.0-1 NOTE: https://curl.haxx.se/docs/CVE-2018-16839.html NOTE: Fixed by: https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5 CVE-2018-16838 (A flaw was found in sssd Group Policy Objects implementation. When the ...) - sssd 2.2.0-1 (bug #931432) [buster] - sssd (Minor issue) [stretch] - sssd (Minor issue) [jessie] - sssd (GPO based access control introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1640820 NOTE: GPO based access control introduced in https://github.com/SSSD/sssd/commit/60cab26b12 NOTE: seems to presuppose configuration mistake: if sssd is not given enough permissions NOTE: to read GPO, access is systematically granted instead of denied NOTE: https://pagure.io/SSSD/sssd/issue/3867 NOTE: https://pagure.io/SSSD/sssd/c/ad058011b6b75b15c674be46a3ae9b3cc5228175 CVE-2018-16837 (Ansible "User" module leaks any data which is passed on as a parameter ...) {DSA-4396-1 DLA-1576-1} - ansible 2.7.1+dfsg-1 (bug #912297) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1640642 NOTE: https://github.com/ansible/ansible/pull/47436 CVE-2018-16836 (Rubedo through 3.4.0 contains a Directory Traversal vulnerability in t ...) NOT-FOR-US: Rubedo CMS CVE-2018-16835 RESERVED CVE-2018-16834 RESERVED CVE-2018-16833 (Zoho ManageEngine Desktop Central 10.0.271 has XSS via the "Features & ...) NOT-FOR-US: Zoho CVE-2018-16832 (CSRF in the anti-csrf decorator in xunfeng 0.2.0 allows an attacker to ...) NOT-FOR-US: xunfeng CVE-2018-16949 (An issue was discovered in OpenAFS before 1.6.23 and 1.8.x before 1.8. ...) {DSA-4302-1 DLA-1513-1} - openafs 1.8.2-1 (bug #908616) NOTE: http://openafs.org/pages/security/OPENAFS-SA-2018-003.txt CVE-2018-16948 (An issue was discovered in OpenAFS before 1.6.23 and 1.8.x before 1.8. ...) {DSA-4302-1 DLA-1513-1} - openafs 1.8.2-1 (bug #908616) NOTE: http://openafs.org/pages/security/OPENAFS-SA-2018-002.txt CVE-2018-16947 (An issue was discovered in OpenAFS before 1.6.23 and 1.8.x before 1.8. ...) {DSA-4302-1 DLA-1513-1} - openafs 1.8.2-1 (bug #908616) NOTE: http://openafs.org/pages/security/OPENAFS-SA-2018-001.txt CVE-2018-17458 (An improper update of the WebAssembly dispatch table in WebAssembly in ...) {DSA-4297-1} - chromium-browser 69.0.3497.92-1 (bug #908806) [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-17459 (Incorrect handling of clicks in the omnibox in Navigation in Google Ch ...) {DSA-4297-1} - chromium-browser 69.0.3497.92-1 (bug #908806) [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-1002009 (There is a reflected XSS vulnerability in WordPress Arigato Autorespon ...) NOTE: Wordpress plugin CVE-2018-1002008 (There is a reflected XSS vulnerability in WordPress Arigato Autorespon ...) NOTE: Wordpress plugin CVE-2018-1002007 (There is a reflected XSS vulnerability in WordPress Arigato Autorespon ...) NOTE: Wordpress plugin CVE-2018-1002006 (These vulnerabilities require administrative privileges to exploit. Th ...) NOTE: Wordpress plugin CVE-2018-1002005 (These vulnerabilities require administrative privileges to exploit. Th ...) NOTE: Wordpress plugin CVE-2018-1002004 (There is a reflected XSS vulnerability in WordPress Arigato Autorespon ...) NOTE: Wordpress plugin CVE-2018-1002003 (There is a reflected XSS vulnerability in WordPress Arigato Autorespon ...) NOTE: Wordpress plugin CVE-2018-1002002 (There is a reflected XSS vulnerability in WordPress Arigato Autorespon ...) NOTE: Wordpress plugin CVE-2018-1002001 (There is a reflected XSS vulnerability in WordPress Arigato Autorespon ...) NOTE: Wordpress plugin CVE-2018-1002000 (There is blind SQL injection in WordPress Arigato Autoresponder and Ne ...) NOTE: Wordpress plugin CVE-2018-16831 (Smarty before 3.1.33-dev-4 allows attackers to bypass the trusted_dir ...) - smarty3 3.1.33+20180830.1.3a78a21f+selfpack1-1 (bug #908698) [stretch] - smarty3 (Minor issue; can be fixed via point release) [jessie] - smarty3 (vulnerable code not present) NOTE: https://github.com/smarty-php/smarty/issues/486 NOTE: CVE is about the include tag as an attack vector. NOTE: vulnerable code introduced in realpath() rewrite (c09b05cbe) released in 3.1.28 CVE-2018-16830 RESERVED CVE-2018-16829 RESERVED CVE-2018-16828 RESERVED CVE-2018-16827 RESERVED CVE-2018-16826 RESERVED CVE-2018-16825 RESERVED CVE-2018-16824 RESERVED CVE-2018-16823 RESERVED CVE-2018-16822 (SeaCMS 6.64 allows SQL Injection via the upload/admin/admin_video.php ...) NOT-FOR-US: SeaCMS CVE-2018-16821 (SeaCMS 6.64 allows arbitrary directory listing via upload/admin/admin_ ...) NOT-FOR-US: SeaCMS CVE-2018-16820 (admin/index.php in Monstra CMS 3.0.4 allows arbitrary directory listin ...) NOT-FOR-US: Monstra CMS CVE-2018-16819 (admin/index.php in Monstra CMS 3.0.4 allows arbitrary file deletion vi ...) NOT-FOR-US: Monstra CMS CVE-2018-16818 RESERVED CVE-2018-16817 RESERVED CVE-2018-16816 RESERVED CVE-2018-16815 RESERVED CVE-2018-16814 RESERVED CVE-2018-16813 RESERVED CVE-2018-16812 RESERVED CVE-2018-16811 RESERVED CVE-2018-16810 RESERVED CVE-2018-16809 (An issue was discovered in Dolibarr through 7.0.0. expensereport/card. ...) - dolibarr NOTE: https://github.com/Dolibarr/dolibarr/issues/9449 CVE-2018-16808 (An issue was discovered in Dolibarr through 7.0.0. There is Stored XSS ...) - dolibarr NOTE: https://github.com/Dolibarr/dolibarr/issues/9449 CVE-2018-16807 (In Bro through 2.5.5, there is a memory leak potentially leading to Do ...) - bro 2.6.1+ds1-1 (low; bug #908614) [buster] - bro 2.5.5-1+deb10u1 [stretch] - bro (Minor issue) NOTE: https://github.com/bro/bro/commit/34d0cf886ca16c665f673a299e295b2a2bc14533 CVE-2018-16806 (A Pektron Passive Keyless Entry and Start (PKES) system, as used on th ...) NOT-FOR-US: Tesla CVE-2018-16805 (In b3log Solo 2.9.3, XSS in the Input page under the Publish Articles ...) NOT-FOR-US: b3log CVE-2018-16804 (An issue was discovered in UCMS 1.4.6. There is XSS in the title bar, ...) NOT-FOR-US: UCMS CVE-2018-16803 (In CIMTechniques CIMScan 6.x through 6.2, the SOAP WSDL parser allows ...) NOT-FOR-US: CIMTechniques CIMScan CVE-2018-16801 RESERVED CVE-2018-16800 RESERVED CVE-2018-16799 RESERVED CVE-2018-16798 RESERVED CVE-2018-16797 (A heap-based buffer overflow in PotPlayerMini.exe in PotPlayer 1.7.855 ...) NOT-FOR-US: PotPlayer CVE-2018-16796 (HiScout GRC Suite before 3.1.5 allows Unrestricted Upload of Files wit ...) NOT-FOR-US: HiScout GRC Suite CVE-2018-16795 RESERVED CVE-2018-16794 (Microsoft ADFS 4.0 Windows Server 2016 and previous (Active Directory ...) NOT-FOR-US: Microsoft ADFS 4.0 Windows Server CVE-2018-16793 (Rollup 18 for Microsoft Exchange Server 2010 SP3 and previous versions ...) NOT-FOR-US: Rollup 18 for Microsoft Exchange Server CVE-2018-16802 (An issue was discovered in Artifex Ghostscript before 9.25. Incorrect ...) {DSA-4294-1 DLA-1504-1} [experimental] - ghostscript 9.25~dfsg-1~exp1 - ghostscript 9.25~dfsg-1 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=3e5d316b72e3965b7968bb1d96baa137cd063ac6 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=643b24dbd002fb9c131313253c307cf3951b3d47 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5812b1b78fc4d36fdc293b7859de69241140d590 CVE-2018-16792 (SolarWinds SFTP/SCP server through 2018-09-10 is vulnerable to XXE via ...) NOT-FOR-US: SolarWinds SFTP/SCP server CVE-2018-16791 (In SolarWinds SFTP/SCP Server through 2018-09-10, the configuration fi ...) NOT-FOR-US: SolarWinds SFTP/SCP server CVE-2018-16790 (_bson_iter_next_internal in bson-iter.c in libbson 1.12.0, as used in ...) - libbson (bug #913896) [stretch] - libbson (Minor issue) - mongo-c-driver 1.13.0-1 (bug #913963) NOTE: https://jira.mongodb.org/browse/CDRIVER-2819 NOTE: https://github.com/mongodb/mongo-c-driver/commit/0d9a4d98bfdf4acd2c0138d4aaeb4e2e0934bd84 CVE-2018-16789 (libhttp/url.c in shellinabox through 2.20 has an implementation flaw i ...) - shellinabox 2.21 (low) [stretch] - shellinabox (Minor issue) [jessie] - shellinabox (Minor issue) NOTE: https://github.com/shellinabox/shellinabox/pull/446 CVE-2018-16788 RESERVED CVE-2018-16787 RESERVED CVE-2018-16786 (DedeCMS 5.7 SP2 allows XSS via an onhashchange attribute in the msg pa ...) NOT-FOR-US: DedeCMS CVE-2018-16785 (XML injection vulnerability exists in the file of DedeCMS V5.7 SP2 ver ...) NOT-FOR-US: DedeCMS CVE-2018-16784 (DedeCMS 5.7 SP2 allows XML injection, and resultant remote code execut ...) NOT-FOR-US: DedeCMS CVE-2018-16783 RESERVED CVE-2018-16782 (libimageworsener.a in ImageWorsener 1.3.2 has a buffer overflow in the ...) NOT-FOR-US: ImageWorsener CVE-2018-16781 (ffjpeg.dll in ffjpeg before 2018-08-22 allows remote attackers to caus ...) NOT-FOR-US: Some Windows picture viewer using ffmpeg incorrectly CVE-2018-16780 (Complete Responsive CMS Blog through 2018-05-20 has XSS via a comment. ...) NOT-FOR-US: Complete Responsive CMS Blog CVE-2018-16779 (BlogCMS through 2016-10-25 has XSS via a comment. ...) NOT-FOR-US: BlogCMS CVE-2018-16778 (Cross-site scripting (XSS) vulnerability in Jenzabar v8.2.1 through 9. ...) NOT-FOR-US: Jenzabar CVE-2018-16777 RESERVED CVE-2018-16776 (wityCMS 0.6.2 has XSS via the "Site Name" field found in the "Contact" ...) NOT-FOR-US: wityCMS CVE-2018-16775 (An issue was discovered in Victor CMS through 2018-05-10. There is XSS ...) NOT-FOR-US: Victor CMS CVE-2018-16774 (HongCMS 3.0.0 allows arbitrary file deletion via a ../ in the file par ...) NOT-FOR-US: HongCMS CVE-2018-16773 (EasyCMS 1.5 allows XSS via the index.php?s=/admin/fields/update/navTab ...) NOT-FOR-US: EasyCMS CVE-2018-16772 (Hoosk v1.7.0 allows XSS via the Navigation Title of a new page entered ...) NOT-FOR-US: Hoosk CVE-2018-16771 (Hoosk v1.7.0 allows PHP code execution via a SiteUrl that is provided ...) NOT-FOR-US: Hoosk CVE-2018-16770 (In WAVM through 2018-07-26, a crafted file sent to the WebAssembly Vir ...) NOT-FOR-US: WAVM CVE-2018-16769 (In WAVM through 2018-07-26, a crafted file sent to the WebAssembly Vir ...) NOT-FOR-US: WAVM CVE-2018-16768 (In WAVM through 2018-07-26, a crafted file sent to the WebAssembly Vir ...) NOT-FOR-US: WAVM CVE-2018-16767 (In WAVM through 2018-07-26, a crafted file sent to the WebAssembly Vir ...) NOT-FOR-US: WAVM CVE-2018-16766 (In WAVM through 2018-07-26, a crafted file sent to the WebAssembly Vir ...) NOT-FOR-US: WAVM CVE-2018-16765 (In WAVM through 2018-07-26, a crafted file sent to the WebAssembly Vir ...) NOT-FOR-US: WAVM CVE-2018-16764 (In WAVM through 2018-07-26, a crafted file sent to the WebAssembly Vir ...) NOT-FOR-US: WAVM CVE-2018-16763 (FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter ...) NOT-FOR-US: FUEL CMS CVE-2018-16762 (FUEL CMS 1.4.1 allows SQL Injection via the layout, published, or sear ...) NOT-FOR-US: FUEL CMS CVE-2018-16761 (Eventum before 3.4.0 has an open redirect vulnerability. ...) NOT-FOR-US: Eventum CVE-2018-16760 RESERVED CVE-2018-16759 (The removeXSS function in App/Common/common.php (called from App/Modul ...) NOT-FOR-US: EasyCMS CVE-2018-16758 (Missing message authentication in the meta-protocol in Tinc VPN versio ...) {DSA-4312-1 DLA-1538-1} - tinc 1.0.35-1 NOTE: http://www.tinc-vpn.org/git/browse?p=tinc;a=commit;h=e97943b7cc9c851ae36f5a41e2b6102faa74193f CVE-2018-16757 RESERVED CVE-2018-16756 RESERVED CVE-2018-16755 RESERVED CVE-2018-16754 RESERVED CVE-2018-16753 RESERVED CVE-2018-16752 (LINK-NET LW-N605R devices with firmware 12.20.2.1486 allow Remote Code ...) NOT-FOR-US: LINK-NET LW-N605R devices CVE-2018-16751 RESERVED CVE-2018-16750 (In ImageMagick 7.0.7-29 and earlier, a memory leak in the formatIPTCfr ...) - imagemagick 8:6.9.10.2+dfsg-2 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1118 NOTE: https://github.com/ImageMagick/ImageMagick/commit/33d1b9590c401d4aee666ffd10b16868a38cf705 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/359331c61193138ce2b85331df25235b81499cfc CVE-2018-16749 (In ImageMagick 7.0.7-29 and earlier, a missing NULL check in ReadOneJN ...) {DLA-1530-1} - imagemagick 8:6.9.10.2+dfsg-2 (low) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1119 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/1007b98f8795ad4bea6bc5f68a32d83e982fdae4 CVE-2018-16748 RESERVED CVE-2018-16747 RESERVED CVE-2018-16746 RESERVED CVE-2018-16745 (An issue was discovered in mgetty before 1.2.1. In fax_notify_mail() i ...) - mgetty 1.2.1-1 [stretch] - mgetty (Minor issue) [jessie] - mgetty (Minor issue) NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-007-mgetty/ NOTE: Upstream commit: 750939dfcaea9aa93dcea99526c49da7cafafe7f (1.2.1) CVE-2018-16744 (An issue was discovered in mgetty before 1.2.1. In fax_notify_mail() i ...) - mgetty 1.2.1-1 [stretch] - mgetty (Minor issue) [jessie] - mgetty (Minor issue) NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-007-mgetty/ NOTE: Upstream commit: 750939dfcaea9aa93dcea99526c49da7cafafe7f (1.2.1) CVE-2018-16743 (An issue was discovered in mgetty before 1.2.1. In contrib/next-login/ ...) - mgetty 1.2.1-1 (unimportant) NOTE: contrib/next-login/ not built in Debian packaging NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-007-mgetty/ NOTE: Upstream commit: 5feff135626b8dde886213ce0c99cc4349028a7e (1.2.1) CVE-2018-16742 (An issue was discovered in mgetty before 1.2.1. In contrib/scrts.c, a ...) - mgetty 1.2.1-1 (unimportant) NOTE: contrib/scrts not built in Debian packaging NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-007-mgetty/ NOTE: Upstream removed contrib/scrts in 7d018d471f4c737f77ef281f5859a3b1c9ded42f (1.2.1) CVE-2018-16741 (An issue was discovered in mgetty before 1.2.1. In fax/faxq-helper.c, ...) {DSA-4291-1 DLA-1502-1} - mgetty 1.2.1-1 (bug #910448) NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-007-mgetty/ NOTE: Upstream commit: 1a7b3a30f79bae4cfbc6404fe4648689cd0ade62 (1.2.1) CVE-2018-16740 RESERVED CVE-2018-16739 RESERVED CVE-2018-16738 (tinc 1.0.30 through 1.0.34 has a broken authentication protocol, altho ...) {DSA-4312-1} - tinc 1.0.35-1 [jessie] - tinc (Only affects 1.0.30 to 1.0.34) NOTE: http://www.tinc-vpn.org/git/browse?p=tinc;a=commit;h=d3297fbd3b8c8c8a4661f5bbf89aca5cacba8b5a NOTE: This CVE is specific for tinc versions which did had mitigations put NOTE: in place for the Sweet32 attack in tinc 1.0.30. CVE-2018-16737 (tinc before 1.0.30 has a broken authentication protocol, without even ...) {DLA-1538-1} - tinc 1.0.31-1 NOTE: http://www.tinc-vpn.org/git/browse?p=tinc;a=commit;h=d3297fbd3b8c8c8a4661f5bbf89aca5cacba8b5a CVE-2018-16736 (In the rcfilters plugin 2.1.6 for Roundcube, XSS exists via the _whatf ...) NOT-FOR-US: rcfilters plugin for Roundcube CVE-2018-16735 RESERVED CVE-2018-16734 RESERVED CVE-2018-16733 (In Go Ethereum (aka geth) before 1.8.14, TraceChain in eth/api_tracer. ...) NOT-FOR-US: Go Ethereum CVE-2018-16732 (\upload\plugins\sys\admin\Setting.php in CScms 4.1 allows CSRF via adm ...) NOT-FOR-US: CScms CVE-2018-16731 (CScms 4.1 allows arbitrary file upload by (for example) adding the php ...) NOT-FOR-US: CScms CVE-2018-16730 (\upload\plugins\sys\Install.php in CScms 4.1 has XSS via the site name ...) NOT-FOR-US: CScms CVE-2018-16729 (Pluck 4.7.7 allows XSS via an SVG file that contains Javascript in a S ...) NOT-FOR-US: Pluck CMS CVE-2018-16728 (feindura 2.0.7 allows XSS via the tags field of a new page created at ...) NOT-FOR-US: feindura CVE-2018-16727 (razorCMS 3.4.7 allows Stored XSS via the keywords of the homepage with ...) NOT-FOR-US: razorCMS CVE-2018-16726 (razorCMS 3.4.7 allows HTML injection via the description of the homepa ...) NOT-FOR-US: razorCMS CVE-2018-16725 (An issue is discovered in baijiacms V4. XSS exists via the assets/ween ...) NOT-FOR-US: baijiacms CVE-2018-16724 (An issue is discovered in baijiacms V4. Blind SQL Injection exists via ...) NOT-FOR-US: baijiacms CVE-2018-16723 RESERVED CVE-2018-16722 RESERVED CVE-2018-16721 RESERVED CVE-2018-16720 RESERVED CVE-2018-16719 RESERVED CVE-2018-16718 (An XSS vulnerability exists in wwwblast.c in the 2.0.7 through 2.2.26 ...) NOT-FOR-US: NCBI ToolBox CVE-2018-16717 (A heap-based buffer overflow exists in nph-viewgif.cgi in the 2.0.7 th ...) NOT-FOR-US: NCBI ToolBox CVE-2018-16716 (A path traversal vulnerability exists in viewcgi.c in the 2.0.7 throug ...) NOT-FOR-US: NCBI ToolBox CVE-2018-16715 (An issue was discovered in Absolute Software CTES Windows Agent throug ...) NOT-FOR-US: Absolute Software CTES Windows Agent CVE-2018-16714 RESERVED CVE-2018-16713 (IObit Advanced SystemCare, which includes Monitor_win10_x64.sys or Mon ...) NOT-FOR-US: IObit Advanced SystemCare CVE-2018-16712 (IObit Advanced SystemCare, which includes Monitor_win10_x64.sys or Mon ...) NOT-FOR-US: IObit Advanced SystemCare CVE-2018-16711 (IObit Advanced SystemCare, which includes Monitor_win10_x64.sys or Mon ...) NOT-FOR-US: IObit Advanced SystemCare CVE-2018-16710 (** DISPUTED ** OctoPrint through 1.3.9 allows remote attackers to obta ...) - octoprint (bug #718591) NOTE: https://github.com/foosel/OctoPrint/issues/2814 CVE-2018-16709 (Fuji Xerox DocuCentre-V 3065, ApeosPort-VI C3371, ApeosPort-V C4475, A ...) NOT-FOR-US: Fuji Xerox devices CVE-2018-16708 RESERVED CVE-2018-16707 RESERVED CVE-2018-16706 (LG SuperSign CMS allows TVs to be rebooted remotely without authentica ...) NOT-FOR-US: LG SuperSign CMS CVE-2018-16705 (FURUNO FELCOM 250 and 500 devices allow unauthenticated access to the ...) NOT-FOR-US: FURUNO FELCOM 250 and 500 devices CVE-2018-16704 (An issue was discovered in Gleez CMS v1.2.0. Because of an Insecure Di ...) NOT-FOR-US: Gleez CMS CVE-2018-16703 (A vulnerability in the Gleez CMS 1.2.0 login page could allow an unaut ...) NOT-FOR-US: Gleez CMS CVE-2018-16702 RESERVED CVE-2018-16701 RESERVED CVE-2018-16700 RESERVED CVE-2018-16699 RESERVED CVE-2018-16698 RESERVED CVE-2018-16697 RESERVED CVE-2018-16696 RESERVED CVE-2018-16695 RESERVED CVE-2018-16694 RESERVED CVE-2018-16693 RESERVED CVE-2018-16692 RESERVED CVE-2018-16691 RESERVED CVE-2018-16690 RESERVED CVE-2018-16689 RESERVED CVE-2018-16688 RESERVED CVE-2018-16687 RESERVED CVE-2018-16686 RESERVED CVE-2018-16685 RESERVED CVE-2018-16684 RESERVED CVE-2018-16683 RESERVED CVE-2018-16682 RESERVED CVE-2018-16681 RESERVED CVE-2018-16680 RESERVED CVE-2018-16679 RESERVED CVE-2018-16678 RESERVED CVE-2018-16677 RESERVED CVE-2018-16676 RESERVED CVE-2018-16675 RESERVED CVE-2018-16674 RESERVED CVE-2018-16673 RESERVED CVE-2018-16672 (An issue was discovered in CIRCONTROL CirCarLife before 4.3. Due to th ...) NOT-FOR-US: CIRCONTROL CirCarLife CVE-2018-16671 (An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is ...) NOT-FOR-US: CIRCONTROL CirCarLife CVE-2018-16670 (An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is ...) NOT-FOR-US: CIRCONTROL CirCarLife CVE-2018-16669 (An issue was discovered in CIRCONTROL Open Charge Point Protocol (OCPP ...) NOT-FOR-US: CIRCONTROL Open Charge Point Protocol CVE-2018-16668 (An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is ...) NOT-FOR-US: CIRCONTROL CirCarLife CVE-2018-16667 (An issue was discovered in Contiki-NG through 4.1. There is a buffer o ...) NOT-FOR-US: Contiki Operating System CVE-2018-16666 (An issue was discovered in Contiki-NG through 4.1. There is a stack-ba ...) NOT-FOR-US: Contiki Operating System CVE-2018-16665 (An issue was discovered in Contiki-NG through 4.1. There is a buffer o ...) NOT-FOR-US: Contiki Operating System CVE-2018-16664 (An issue was discovered in Contiki-NG through 4.1. There is a buffer o ...) NOT-FOR-US: Contiki Operating System CVE-2018-16663 (An issue was discovered in Contiki-NG through 4.1. There is a stack-ba ...) NOT-FOR-US: Contiki Operating System CVE-2018-16662 RESERVED CVE-2018-16661 RESERVED CVE-2018-16660 (A command injection vulnerability in PWS in Imperva SecureSphere 13.0. ...) NOT-FOR-US: Imperva SecureSphere CVE-2018-16659 (An issue was discovered in Rausoft ID.prove 2.95. The login page allow ...) NOT-FOR-US: Rausoft ID.prove CVE-2018-16657 (In Kamailio before 5.0.7 and 5.1.x before 5.1.4, a crafted SIP message ...) {DSA-4292-1 DLA-1503-1} - kamailio 5.1.4-1 (bug #908324) NOTE: https://skalatan.de/blog/advisory-hw-2018-06 NOTE: https://github.com/kamailio/kamailio/commit/ad68e402ece8089f133c10de6ce319f9e28c0692 (master) NOTE: https://github.com/kamailio/kamailio/commit/d67b2f9874ca23bd69f18df71b8f53b1b6151f6d (5.1) NOTE: https://github.com/kamailio/kamailio/commit/f07dabffef98c7088cdbc2bd695a4ae7a241b159 (5.0) CVE-2018-16658 (An issue was discovered in the Linux kernel before 4.18.6. An informat ...) {DSA-4308-1 DLA-1531-1 DLA-1529-1} - linux 4.18.6-1 NOTE: Fixed by: https://git.kernel.org/linus/8f3fafc9c2f0ece10832c25f7ffcb07c97a32ad4 (4.19-rc2) CVE-2018-16656 (DoBox_CstmBox_Info.model.htm on Kyocera TASKalfa 4002i and 6002i devic ...) NOT-FOR-US: Kyocera CVE-2018-16655 (Gxlcms 1.0 has XSS via the PATH_INFO to gx/lib/ThinkPHP/Tpl/ThinkExcep ...) NOT-FOR-US: Gxlcms CVE-2018-16654 (Zurmo 3.2.4 Stable allows XSS via app/index.php/accounts/default/detai ...) NOT-FOR-US: Zurmo CVE-2018-16653 (rejucms 2.1 has XSS via the ucenter/cms_user_add.php u_name parameter. ...) NOT-FOR-US: rejucms CVE-2018-16652 RESERVED CVE-2018-16651 (The admin backend in phpMyFAQ before 2.9.11 allows CSV injection in re ...) NOT-FOR-US: phpMyFAQ CVE-2018-16650 (phpMyFAQ before 2.9.11 allows CSRF. ...) NOT-FOR-US: phpMyFAQ CVE-2018-16649 RESERVED CVE-2018-16648 (In Artifex MuPDF 1.13.0, the fz_append_byte function in fitz/buffer.c ...) - mupdf 1.14.0+ds1-4 (bug #924351) [jessie] - mupdf (Minor issue) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699685 NOTE: http://www.ghostscript.com/cgi-bin/findgit.cgi?38f883fe129a5e89306252a4676eaaf4bc968824 CVE-2018-16647 (In Artifex MuPDF 1.13.0, the pdf_get_xref_entry function in pdf/pdf-xr ...) - mupdf 1.14.0+ds1-4 (bug #924351) [jessie] - mupdf (Minor issue) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699686 NOTE: http://www.ghostscript.com/cgi-bin/findgit.cgi?351c99d8ce23bbf7099dbd52771a095f67e45a2c CVE-2018-16646 (In Poppler 0.68.0, the Parser::getObj() function in Parser.cc may caus ...) {DLA-1562-3 DLA-1562-2 DLA-1562-1} - poppler 0.71.0-4 (low; bug #909802) [stretch] - poppler (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1622951 NOTE: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/91 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/3d35d209c19c1d3b09b794a0c863ba5de44a9c0a NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/89fccf45fc5bfca3756102e6bec1950ec1d436a9 (regression fix) NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/08572e1bdca03baed694dd9828bb2b878865e669 (regression fix) CVE-2018-16645 (There is an excessive memory allocation issue in the functions ReadBMP ...) {DSA-4316-1 DLA-1530-1} - imagemagick 8:6.9.10.14+dfsg-1 (bug #910889) NOTE: https://github.com/ImageMagick/ImageMagick/commit/ecb31dbad39ccdc65868d5d2a37f0f0521250832 NOTE: https://github.com/ImageMagick/ImageMagick/issues/1268 CVE-2018-16644 (There is a missing check for length in the functions ReadDCMImage of c ...) {DSA-4316-1 DLA-1530-1} - imagemagick 8:6.9.10.14+dfsg-1 (bug #910888) NOTE: https://github.com/ImageMagick/ImageMagick/commit/16916c8979c32765c542e216b31cee2671b7afe7 NOTE: https://github.com/ImageMagick/ImageMagick/commit/afa878a689870c28b6994ecf3bb8dbfb2b76d135 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/00ef0f1bbf9eb1efdf0f38f51c72ecb26cc9a306 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/01ca29604515fa4ddf3180870827df5c8ec93ada NOTE: https://github.com/ImageMagick/ImageMagick/issues/1269 CVE-2018-16643 (The functions ReadDCMImage in coders/dcm.c, ReadPWPImage in coders/pwp ...) {DLA-1530-1} - imagemagick 8:6.9.10.8+dfsg-1 (low) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/commit/6b6bff054d569a77973f2140c0e86366e6168a6c NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/11d9dac3d991c62289d1ef7a097670166480e76c NOTE: https://github.com/ImageMagick/ImageMagick/issues/1199 CVE-2018-16642 (The function InsertRow in coders/cut.c in ImageMagick 7.0.7-37 allows ...) {DSA-4316-1 DLA-1530-1} - imagemagick 8:6.9.10.2+dfsg-2 NOTE: https://github.com/ImageMagick/ImageMagick/commit/cc4ac341f29fa368da6ef01c207deaf8c61f6a2e NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/97bb5dc5aad1584557057d5062601aa151bf9a13 NOTE: https://github.com/ImageMagick/ImageMagick/issues/1162 CVE-2018-16641 (ImageMagick 7.0.8-6 has a memory leak vulnerability in the TIFFWritePh ...) - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/commit/256825d4eb33dc301496710d15cf5a7ae924088b NOTE: https://github.com/ImageMagick/ImageMagick/issues/1206 CVE-2018-16640 (ImageMagick 7.0.8-5 has a memory leak vulnerability in the function Re ...) - imagemagick 8:6.9.10.8+dfsg-1 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/commit/76efa969342568841ecf320b5a041685a6d24e0b NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/3449a06f0122d4d9e68b4739417a3eaad0b24265 NOTE: https://github.com/ImageMagick/ImageMagick/issues/1201 CVE-2018-16639 (Typesetter 5.1 allows XSS via the index.php/Admin LABEL parameter duri ...) NOT-FOR-US: Typesetter CMS CVE-2018-16638 (Evolution CMS 1.4.x allows XSS via the manager/ search parameter. ...) NOT-FOR-US: Evolution CMS CVE-2018-16637 (Evolution CMS 1.4.x allows XSS via the page weblink title parameter to ...) NOT-FOR-US: Evolution CMS CVE-2018-16636 (Nucleus CMS 3.70 allows HTML Injection via the index.php body paramete ...) NOT-FOR-US: Nucleus CMS CVE-2018-16635 (Blackcat CMS 1.3.2 allows XSS via the willkommen.php?lang=DE page titl ...) NOT-FOR-US: Blackcat CMS CVE-2018-16634 (Pluck v4.7.7 allows CSRF via admin.php?action=settings. ...) NOT-FOR-US: Pluck CMS CVE-2018-16633 (Pluck v4.7.7 allows XSS via the admin.php?action=editpage&page= pa ...) NOT-FOR-US: Pluck CMS CVE-2018-16632 (Mezzanine CMS v4.3.1 allows XSS via the /admin/blog/blogcategory/add/? ...) NOT-FOR-US: Mezzanine CMS CVE-2018-16631 (Subrion CMS v4.2.1 allows XSS via the panel/configuration/general/ SIT ...) NOT-FOR-US: Subrion CMS CVE-2018-16630 (Kirby v2.5.12 allows XSS by using the "site files" Add option to uploa ...) NOT-FOR-US: Kirby CVE-2018-16629 (panel/uploads/#elf_l1_XA in Subrion CMS v4.2.1 allows XSS via an SVG f ...) NOT-FOR-US: Subrion CMS CVE-2018-16628 (panel/login in Kirby v2.5.12 allows XSS via a blog name. ...) NOT-FOR-US: Kirby CVE-2018-16627 (panel/login in Kirby v2.5.12 allows Host header injection via the "for ...) NOT-FOR-US: Kirby CVE-2018-16626 (index.php/Admin/Classes in Typesetter 5.1 allows XSS via the descripti ...) NOT-FOR-US: Typesetter CMS CVE-2018-16625 (index.php/Admin/Uploaded in Typesetter 5.1 allows XSS via an SVG file ...) NOT-FOR-US: Typesetter CMS CVE-2018-16624 (panel/pages/home/edit in Kirby v2.5.12 allows XSS via the title of a n ...) NOT-FOR-US: Kirby CVE-2018-16623 (Kirby V2.5.12 is prone to a Persistent XSS attack via the Title of the ...) NOT-FOR-US: Kirby CVE-2018-16622 (Multiple cross-site scripting (XSS) vulnerabilities in /api/content/ad ...) NOT-FOR-US: DoraCMS CVE-2018-16621 (Sonatype Nexus Repository Manager before 3.14 allows Java Expression L ...) NOT-FOR-US: Sonatype Nexus Repository Manager CVE-2018-16620 (Sonatype Nexus Repository Manager before 3.14 has Incorrect Access Con ...) NOT-FOR-US: Sonatype Nexus Repository Manager CVE-2018-16619 (Sonatype Nexus Repository Manager before 3.14 allows XSS. ...) NOT-FOR-US: Sonatype Nexus Repository Manager CVE-2018-16618 (VTech Storio Max before 56.D3JM6 allows remote command execution via s ...) NOT-FOR-US: VTech CVE-2018-1000670 (KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (u ...) - koha (bug #702134) NOTE: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19086 CVE-2018-1000669 (KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (u ...) - koha (bug #702134) NOTE: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19117 CVE-2018-16617 RESERVED CVE-2018-16616 RESERVED CVE-2018-16615 RESERVED CVE-2018-16614 RESERVED CVE-2018-16613 (An issue was discovered in the update function in the wpForo Forum plu ...) NOT-FOR-US: update function in the wpForo Forum plugin for WordPress CVE-2018-16612 RESERVED CVE-2018-16611 RESERVED CVE-2018-16610 RESERVED CVE-2018-16609 RESERVED CVE-2018-16608 (In Monstra CMS 3.0.4, an attacker with 'Editor' privileges can change ...) NOT-FOR-US: Monstra CMS CVE-2018-16607 (Cross-site scripting (XSS) vulnerability in the Orgs Page in Open-AudI ...) NOT-FOR-US: Orgs Page in Open-AudIT Professional CVE-2018-16606 (In ProConf before 6.1, an Insecure Direct Object Reference (IDOR) allo ...) NOT-FOR-US: ProConf CVE-2018-16605 (D-Link DIR-600M devices allow XSS via the Hostname and Username fields ...) NOT-FOR-US: D-Link DIR-600M devices CVE-2018-16604 (An issue was discovered in Nibbleblog v4.0.5. With an admin's username ...) NOT-FOR-US: Nibbleblog CVE-2018-16603 (An issue was discovered in Amazon Web Services (AWS) FreeRTOS through ...) NOT-FOR-US: FreeRTOS CVE-2018-16602 (An issue was discovered in Amazon Web Services (AWS) FreeRTOS through ...) NOT-FOR-US: FreeRTOS CVE-2018-16601 (An issue was discovered in Amazon Web Services (AWS) FreeRTOS through ...) NOT-FOR-US: FreeRTOS CVE-2018-16600 (An issue was discovered in Amazon Web Services (AWS) FreeRTOS through ...) NOT-FOR-US: FreeRTOS CVE-2018-16599 (An issue was discovered in Amazon Web Services (AWS) FreeRTOS through ...) NOT-FOR-US: FreeRTOS CVE-2018-16598 (An issue was discovered in Amazon Web Services (AWS) FreeRTOS through ...) NOT-FOR-US: FreeRTOS CVE-2018-16597 (An issue was discovered in the Linux kernel before 4.8. Incorrect acce ...) - linux 4.8.5-1 [jessie] - linux (Vulnerable code not present) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1106512 NOTE: https://git.kernel.org/linus/c0ca3d70e8d3cf81e2255a217f7ca402f5ed0862 CVE-2018-16596 (A stack-based buffer overflow in the LAN UPnP service running on UDP p ...) NOT-FOR-US: Swisscom CVE-2018-16595 (The Photo Sharing Plus component on Sony Bravia TV through 8.587 devic ...) NOT-FOR-US: Sony Bravia TV devices CVE-2018-16594 (The Photo Sharing Plus component on Sony Bravia TV through 8.587 devic ...) NOT-FOR-US: Sony Bravia TV devices CVE-2018-16593 (The Photo Sharing Plus component on Sony Bravia TV through 8.587 devic ...) NOT-FOR-US: Sony Bravia TV devices CVE-2018-16592 RESERVED CVE-2018-16591 (FURUNO FELCOM 250 and 500 devices allow unauthenticated users to chang ...) NOT-FOR-US: FURUNO FELCOM 250 and 500 devices CVE-2018-16590 (FURUNO FELCOM 250 and 500 devices use only client-side JavaScript in l ...) NOT-FOR-US: FURUNO FELCOM CVE-2018-16589 RESERVED CVE-2018-16588 (Privilege escalation can occur in the SUSE useradd.c code in useradd, ...) - shadow (SuSE-specific patch) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1106914 NOTE: The SUSE specific patch was a first iteration of https://github.com/shadow-maint/shadow/pull/2 CVE-2018-16587 (In Open Ticket Request System (OTRS) 4.0.x before 4.0.32, 5.0.x before ...) {DSA-4317-1 DLA-1521-1} - otrs2 6.0.11-1 NOTE: https://community.otrs.com/security-advisory-2018-04-security-update-for-otrs-framework/ NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/a4a1a01f84fac7ab032570ee50b660e2ebb15c01 NOTE: OTRS 5: https://github.com/OTRS/otrs/commit/d9db0c6a15caafda7689320ecf61777993c33711 NOTE: OTRS 4: https://github.com/OTRS/otrs/commit/d8cae00b0f78c2a07bb10cedb817304139395843 CVE-2018-16586 (In Open Ticket Request System (OTRS) 4.0.x before 4.0.32, 5.0.x before ...) {DSA-4317-1 DLA-1521-1} - otrs2 6.0.11-1 NOTE: https://community.otrs.com/security-advisory-2018-05-security-update-for-otrs-framework/ NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/09e80c7752b0d9080688e4597c7495dd109e0963 NOTE: OTRS 5: https://github.com/OTRS/otrs/commit/a808859a75c59ae3b7568f5cc4708c53462aa4c7 NOTE: OTRS 4: https://github.com/OTRS/otrs/commit/baa92df09145b8ae2702a3a0e85d8ba55ec96302 CVE-2018-16584 REJECTED CVE-2018-16583 REJECTED CVE-2018-16582 REJECTED CVE-2018-16581 REJECTED CVE-2018-16580 REJECTED CVE-2018-16579 REJECTED CVE-2018-16578 REJECTED CVE-2018-16577 REJECTED CVE-2018-16576 REJECTED CVE-2018-16575 REJECTED CVE-2018-16574 REJECTED CVE-2018-16573 REJECTED CVE-2018-16572 REJECTED CVE-2018-16571 REJECTED CVE-2018-16570 REJECTED CVE-2018-16569 REJECTED CVE-2018-16568 REJECTED CVE-2018-16567 REJECTED CVE-2018-16566 REJECTED CVE-2018-16565 REJECTED CVE-2018-16564 REJECTED CVE-2018-16563 (A vulnerability has been identified in Firmware variant IEC 61850 for ...) NOT-FOR-US: Siemens CVE-2018-16562 REJECTED CVE-2018-16561 (A vulnerability has been identified in SIMATIC S7-300 CPUs (All versio ...) NOT-FOR-US: Siemens CVE-2018-16560 REJECTED CVE-2018-16559 (A vulnerability has been identified in SIMATIC S7-1500 CPU (All versio ...) NOT-FOR-US: Siemens CVE-2018-16558 (A vulnerability has been identified in SIMATIC S7-1500 CPU (All versio ...) NOT-FOR-US: Siemens CVE-2018-16557 (A vulnerability has been identified in SIMATIC S7-400 (incl. F) V6 and ...) NOT-FOR-US: Siemens CVE-2018-16556 (A vulnerability has been identified in SIMATIC S7-400 (incl. F) V6 and ...) NOT-FOR-US: Siemens CVE-2018-16555 (A vulnerability has been identified in SCALANCE S602 (All versions < ...) NOT-FOR-US: Siemens CVE-2018-1000801 (okular version 18.08 and earlier contains a Directory Traversal vulner ...) {DSA-4303-1 DLA-1516-1} - okular 4:17.12.2-2.1 (bug #908168) NOTE: https://bugs.kde.org/show_bug.cgi?id=398096 NOTE: https://cgit.kde.org/okular.git/commit/?id=8ff7abc14d41906ad978b6bc67e69693863b9d47 CVE-2018-1000800 (zephyr-rtos version 1.12.0 contains a NULL base pointer reference vuln ...) NOT-FOR-US: zephyr-rtos CVE-2018-1000773 (WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation ...) - wordpress [jessie] - wordpress (cf. CVE-2017-1000600) NOTE: This CVE exists due to an incomplete fix in 4.9 for CVE-2017-1000600. CVE-2018-1000673 REJECTED CVE-2018-1000671 (sympa version 6.2.16 and later contains a CWE-601: URL Redirection to ...) {DLA-1512-1} - sympa 6.2.36~dfsg-1 (bug #908165) [stretch] - sympa (Minor issue) NOTE: https://github.com/sympa-community/sympa/issues/268 NOTE: https://github.com/sympa-community/sympa/commit/c6ce32a6c203070702eac45a4442a17d2bf7b0c1 NOTE: https://github.com/sympa-community/sympa/commit/03314a9baf7f7903283253829877afd0ae50e325 CVE-2018-1000668 (jsish version 2.4.70 2.047 contains a CWE-125: Out-of-bounds Read vuln ...) NOT-FOR-US: jsish CVE-2018-1000667 (NASM nasm-2.13.03 nasm- 2.14rc15 version 2.14rc15 and earlier contains ...) - nasm 2.14-1 (unimportant) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392507 NOTE: https://github.com/netwide-assembler/nasm/commit/c713b5f994cf7b29164c3b6838b91f0499591434 NOTE: https://github.com/cyrillos/nasm/issues/3 NOTE: Crash in CLI tool, no security impact CVE-2018-1000666 (GIG Technology NV JumpScale Portal 7 version before commit 15443122ed2 ...) NOT-FOR-US: GIG Technology NV JumpScale Portal CVE-2018-1000665 (Dojo Dojo Objective Harness (DOH) version prior to version 1.14 contai ...) - dojo 1.14.1+dfsg1-1 (unimportant) NOTE: https://github.com/dojo/dojo/pull/307 CVE-2018-1000664 (daneren2005 DSub for Subsonic (Android client) version 5.4.1 contains ...) NOT-FOR-US: daneren2005 DSub for Subsonic CVE-2018-1000663 (jsish version 2.4.70 2.047 contains a Buffer Overflow vulnerability in ...) NOT-FOR-US: jsish CVE-2018-1000661 (jsish version 2.4.67 contains a CWE-476: NULL Pointer Dereference vuln ...) NOT-FOR-US: jsish CVE-2018-1000660 (TOCK version prior to commit 42f7f36e74088036068d62253e1d8fb26605feed. ...) NOT-FOR-US: TOCK CVE-2018-1000659 (LimeSurvey version 3.14.4 and earlier contains a directory traversal i ...) - limesurvey (bug #472802) CVE-2018-1000658 (LimeSurvey version prior to 3.14.4 contains a file upload vulnerabilit ...) - limesurvey (bug #472802) CVE-2017-1000600 (WordPress version <4.9 contains a CWE-20 Input Validation vulnerabi ...) - wordpress 4.9.1+dfsg-1 [jessie] - wordpress (requires authenticated user, root cause in PHP phar:// unserialization and requires thorough application-level checks, no upstream patch) NOTE: https://www.theregister.co.uk/2018/08/20/php_unserialisation_wordpress_vuln/ NOTE: https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf NOTE: https://twitter.com/_s_n_t/status/1030573635617124353 (possible mitigation) NOTE: https://www.slideshare.net/_s_n_t/php-unserialization-vulnerabilities-what-are-we-missing (75-76, pre-4.9 POP chain) NOTE: https://github.com/WordPress/WordPress/commit/0a3b7d8e31def538cf531791efe8bf33e6e243cc (4.9 POP chain break) NOTE: Wordpress before 4.9 is vulnerable on its own. After 4.9 you need to have NOTE: vulnerable module installed on the site as well. Due to an incomplete fix NOTE: in 4.9 there exists CVE-2018-1000773. CVE-2018-16553 (In Jspxcms 9.0.0, a vulnerable URL routing implementation allows remot ...) NOT-FOR-US: Jspxcms CVE-2018-16552 (MicroPyramid Django-CRM 0.2 allows CSRF for /users/create/, /users/##/ ...) NOT-FOR-US: MicroPyramid Django-CRM CVE-2018-16551 (LavaLite 5.5 has XSS via a /edit URI, as demonstrated by client/job/jo ...) NOT-FOR-US: LavaLite CVE-2018-16550 (TeamViewer 10.x through 13.x allows remote attackers to bypass the bru ...) NOT-FOR-US: TeamViewer CVE-2018-16549 (HScripts PHP File Browser Script v1.0 allows Directory Traversal via t ...) NOT-FOR-US: HScripts PHP File Browser Script CVE-2018-16548 (An issue was discovered in ZZIPlib through 0.13.69. There is a memory ...) {DLA-2258-1} - zziplib 0.13.62-3.2 (low; bug #910335) [stretch] - zziplib 0.13.62-3.2~deb9u1 NOTE: https://github.com/gdraheim/zziplib/issues/58 NOTE: https://github.com/gdraheim/zziplib/commit/9411bde3e4a70a81ff3ffd256b71927b2d90dcbb NOTE: https://github.com/gdraheim/zziplib/commit/d2e5d5c53212e54a97ad64b793a4389193fec687 NOTE: https://github.com/gdraheim/zziplib/commit/0e1dadb05c1473b9df2d7b8f298dab801778ef99 CVE-2018-16547 RESERVED CVE-2018-16546 (Amcrest networked devices use the same hardcoded SSL private key acros ...) NOT-FOR-US: Amcrest CVE-2018-16545 (Kaizen Asset Manager (Enterprise Edition) and Training Manager (Enterp ...) NOT-FOR-US: Kaizen Asset Manager CVE-2018-16544 RESERVED CVE-2018-16538 REJECTED CVE-2018-16537 REJECTED CVE-2018-16536 REJECTED CVE-2018-16535 REJECTED CVE-2018-16534 REJECTED CVE-2018-16533 REJECTED CVE-2018-16532 REJECTED CVE-2018-16531 REJECTED CVE-2018-16530 (A stack-based buffer overflow in Forcepoint Email Security version 8.5 ...) NOT-FOR-US: Forcepoint Email Security CVE-2018-16529 (A password reset vulnerability has been discovered in Forcepoint Email ...) NOT-FOR-US: Forcepoint Email Security CVE-2018-16528 (Amazon Web Services (AWS) FreeRTOS through 1.3.1 allows remote attacke ...) NOT-FOR-US: FreeRTOS CVE-2018-16527 (Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0 ...) NOT-FOR-US: FreeRTOS CVE-2018-16526 (Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0 ...) NOT-FOR-US: FreeRTOS CVE-2018-16525 (Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0 ...) NOT-FOR-US: FreeRTOS CVE-2018-16524 (Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0 ...) NOT-FOR-US: FreeRTOS CVE-2018-16523 (Amazon Web Services (AWS) FreeRTOS through 1.3.1, FreeRTOS up to V10.0 ...) NOT-FOR-US: FreeRTOS CVE-2018-16522 (Amazon Web Services (AWS) FreeRTOS through 1.3.1 has an uninitialized ...) NOT-FOR-US: FreeRTOS CVE-2018-16521 (An XML External Entity (XXE) vulnerability exists in HTML Form Entry 3 ...) NOT-FOR-US: OpenMRS CVE-2018-16520 RESERVED CVE-2018-16519 (COYO 9.0.8, 10.0.11 and 12.0.4 has cross-site scripting (XSS) via URLs ...) NOT-FOR-US: COYO CVE-2018-16518 (A directory traversal vulnerability with remote code execution in Prim ...) NOT-FOR-US: Prim'X Zed! FREE CVE-2018-16517 (asm/labels.c in Netwide Assembler (NASM) is prone to NULL Pointer Dere ...) - nasm 2.14-1 (unimportant) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392513 NOTE: https://fakhrizulkifli.github.io/CVE-2018-16517.html NOTE: https://github.com/netwide-assembler/nasm/commit/e996d28c70d45008085322b442b44a9224308548 NOTE: Crash in CLI tool, no security impact CVE-2018-16516 (helpers.py in Flask-Admin 1.5.2 has Reflected XSS via a crafted URL. ...) - python-flask-admin (bug #765509) CVE-2018-16514 (A cross-site scripting (XSS) vulnerability in the View Filters page (v ...) - mantis NOTE: https://mantisbt.org/bugs/view.php?id=24731 CVE-2018-17088 (The ProcessGpsInfo function of the gpsinfo.c file of jhead 3.00 may al ...) {DLA-2054-1} - jhead 1:3.00-8 (bug #907925) [stretch] - jhead 1:3.00-4+deb9u1 CVE-2018-16554 (The ProcessGpsInfo function of the gpsinfo.c file of jhead 3.00 may al ...) {DLA-2054-1} - jhead 1:3.00-8 (bug #908176) [stretch] - jhead 1:3.00-4+deb9u1 CVE-2018-16515 (Matrix Synapse before 0.33.3.1 allows remote attackers to spoof events ...) - matrix-synapse 0.33.3.1-1 (bug #908044) NOTE: https://matrix.org/blog/2018/09/05/pre-disclosure-upcoming-critical-security-fix-for-synapse/ NOTE: https://matrix.org/blog/2018/09/06/critical-security-update-synapse-0-33-3-1/ NOTE: https://github.com/matrix-org/synapse/issues/3796#event-1833126269 CVE-2018-16512 RESERVED CVE-2018-16508 RESERVED CVE-2018-16507 RESERVED CVE-2018-16506 RESERVED CVE-2018-16505 RESERVED CVE-2018-16504 RESERVED CVE-2018-16503 RESERVED CVE-2018-16502 RESERVED CVE-2018-16501 RESERVED CVE-2018-16500 RESERVED CVE-2018-16499 RESERVED CVE-2018-16498 RESERVED CVE-2018-16497 RESERVED CVE-2018-16496 RESERVED CVE-2018-16495 RESERVED CVE-2018-16494 RESERVED CVE-2018-16493 (A path traversal vulnerability was found in module static-resource-ser ...) NOT-FOR-US: node static-resource-server CVE-2018-16492 (A prototype pollution vulnerability was found in module extend <2.0 ...) - node-extend 3.0.2-1 (unimportant) NOTE: https://snyk.io/vuln/npm:extend:20180424 NOTE: https://github.com/justmoon/node-extend/commit/0e68e71d93507fcc391e398bc84abd0666b28190 NOTE: https://github.com/justmoon/node-extend/pull/48 NOTE: nodejs not covered by security support CVE-2018-16491 (A prototype pollution vulnerability was found in node.extend <1.1.7 ...) - node-extend 3.0.2-1 (unimportant) NOTE: https://hackerone.com/reports/430831 NOTE: nodejs not covered by security support CVE-2018-16490 (A prototype pollution vulnerability was found in module mpath <0.5. ...) NOT-FOR-US: node mpath CVE-2018-16489 (A prototype pollution vulnerability was found in just-extend <4.0.0 ...) NOT-FOR-US: node just-extend CVE-2018-16488 RESERVED CVE-2018-16487 (A prototype pollution vulnerability was found in lodash <4.17.11 wh ...) - node-lodash 4.17.11+dfsg-1 (unimportant) NOTE: https://hackerone.com/reports/380873 NOTE: nodejs not covered by security support CVE-2018-16486 (A prototype pollution vulnerability was found in defaults-deep <=0. ...) NOT-FOR-US: node defaults-deep CVE-2018-16485 (Path Traversal vulnerability in module m-server <1.4.1 allows malic ...) NOT-FOR-US: node m-server CVE-2018-16484 (A XSS vulnerability was found in module m-server <1.4.2 that allows ...) NOT-FOR-US: node m-server CVE-2018-16483 (A deficiency in the access control in module express-cart <=1.1.5 a ...) NOT-FOR-US: node express-cart CVE-2018-16482 (A server directory traversal vulnerability was found on node module mc ...) NOT-FOR-US: node mcstatic CVE-2018-16481 (A XSS vulnerability was found in html-page <=2.1.1 that allows mali ...) NOT-FOR-US: node html-page CVE-2018-16480 (A XSS vulnerability was found in module public <0.1.4 that allows m ...) NOT-FOR-US: node public CVE-2018-16479 (Path traversal vulnerability in http-live-simulator <1.0.7 causes u ...) NOT-FOR-US: node http-live-simulator CVE-2018-16478 (A Path Traversal in simplehttpserver versions <=0.2.1 allows to lis ...) NOT-FOR-US: simplehttpserver CVE-2018-16477 (A bypass vulnerability in Active Storage >= 5.2.0 for Google Cloud ...) - rails 2:5.2.2+dfsg-1 (bug #914848) [stretch] - rails (Only affects >= 5.2.0; vulnerable code not present) [jessie] - rails (Only affects >= 5.2.0; vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2018/11/27/5 NOTE: Originally no version was affected until 2:5.2.0+dfsg-2 was uploaded to unstable. CVE-2018-16476 (A Broken Access Control vulnerability in Active Job versions >= 4.2 ...) - rails 2:5.2.2+dfsg-1 (bug #914847) [stretch] - rails 2:4.2.7.1-1+deb9u1 [jessie] - rails (only affects >= 4.2.0) NOTE: https://www.openwall.com/lists/oss-security/2018/11/27/4 CVE-2018-16475 (A Path Traversal in Knightjs versions <= 0.0.1 allows an attacker t ...) NOT-FOR-US: Knightjs CVE-2018-16474 (A stored xss in tianma-static module versions <=1.0.4 allows an att ...) NOT-FOR-US: tianma-static CVE-2018-16473 (A path traversal in takeapeek module versions <=0.2.2 allows an att ...) NOT-FOR-US: takeapeek CVE-2018-16472 (A prototype pollution attack in cached-path-relative versions <=1.0 ...) NOT-FOR-US: cached-path-relative CVE-2018-16471 (There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. ...) {DLA-1585-1} - ruby-rack 1.6.4-6 (bug #913005) [stretch] - ruby-rack 1.6.4-4+deb9u1 NOTE: Fixed by: https://github.com/rack/rack/commit/e5d58031b766e49687157b45edab1b8457d972bd (master) NOTE: Fixed by: https://github.com/rack/rack/commit/313dd6a05a5924ed6c82072299c53fed09e39ae7 (2.0.6) NOTE: Fixed by: https://github.com/rack/rack/commit/97ca63d87d88b4088fb1995b14103d4fe6a5e594 (1.6.11) CVE-2018-16470 (There is a possible DoS vulnerability in the multipart parser in Rack ...) [experimental] - ruby-rack 2.0.6-1 (bug #913003) - ruby-rack (Only affects >= 2.0.4) NOTE: Introduced by: https://github.com/rack/rack/commit/c43217a81917de03aa6ceb1aa485ae69b8bb4598 (2.0.4) NOTE: Fixed by: https://github.com/rack/rack/commit/37c1160b2360074d20858792f23a7eb3afeabebd (2.0.6) CVE-2018-16469 (The merge.recursive function in the merge package <1.2.1 can be tri ...) NOT-FOR-US: merge package v CVE-2018-16468 (In the Loofah gem for Ruby, through v2.2.2, unsanitized JavaScript may ...) {DSA-4364-1} - ruby-loofah 2.2.3-1 (bug #912398) NOTE: https://github.com/flavorjones/loofah/issues/154 NOTE: https://github.com/flavorjones/loofah/commit/71e4b5434fbcb2ad87643f0c9fecfc3a847943c4 (v2.2.3) CVE-2018-16467 (A missing check in Nextcloud Server prior to 14.0.0 could give unautho ...) - nextcloud (bug #835086) CVE-2018-16466 (Improper revalidation of permissions in Nextcloud Server prior to 14.0 ...) - nextcloud (bug #835086) CVE-2018-16465 (Missing state in Nextcloud Server prior to 14.0.0 would not enforce th ...) - nextcloud (bug #835086) CVE-2018-16464 (A missing access check in Nextcloud Server prior to 14.0.0 could lead ...) - nextcloud (bug #835086) CVE-2018-16463 (A bug causing session fixation in Nextcloud Server prior to 14.0.0, 13 ...) - nextcloud (bug #835086) CVE-2018-16462 (A command injection vulnerability in the apex-publish-static-files npm ...) NOT-FOR-US: apex-publish-static-files npm CVE-2018-16461 (A command injection vulnerability in libnmapp package for versions < ...) NOT-FOR-US: libnmapp CVE-2018-16460 (A command Injection in ps package versions <1.0.0 for Node.js allow ...) NOT-FOR-US: ps node module CVE-2018-16459 (An unescaped payload in exceljs <v1.6 allows a possible XSS via cel ...) NOT-FOR-US: exceljs CVE-2018-1000672 REJECTED CVE-2018-1000662 REJECTED CVE-2015-9266 (The web management interface of Ubiquiti airMAX, airFiber, airGateway ...) NOT-FOR-US: Ubiquiti CVE-2018-16458 (An issue was discovered in baigo CMS v2.1.1. There is an index.php?m=a ...) NOT-FOR-US: baigo CMS CVE-2018-16457 (PHP Scripts Mall Open Source Real-estate Script 3.6.2 allows remote at ...) NOT-FOR-US: PHP Scripts Mall Open Source Real-estate Script CVE-2018-16456 (PHP Scripts Mall Website Seller Script 2.0.5 has XSS via a keyword. NO ...) NOT-FOR-US: PHP Scripts Mall Website Seller Script CVE-2018-16455 (PHP Scripts Mall Market Place Script 1.0.1 allows XSS via a keyword. ...) NOT-FOR-US: PHP Scripts Mall Market Place Script CVE-2018-16454 (PHP Scripts Mall Currency Converter Script 2.0.5 allows remote attacke ...) NOT-FOR-US: PHP Scripts Mall Olx Clone CVE-2018-16453 (PHP Scripts Mall Domain Lookup Script 3.0.5 allows XSS in the search b ...) NOT-FOR-US: PHP Scripts Mall Domain Lookup Script CVE-2018-16452 (The SMB parser in tcpdump before 4.9.3 has stack exhaustion in smbutil ...) {DSA-4547-1 DLA-1955-1} - tcpdump 4.9.3-1 (bug #941698) NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/24182d959f661327525a20d9a94c98a8ec016778 CVE-2018-16451 (The SMB parser in tcpdump before 4.9.3 has buffer over-reads in print- ...) {DSA-4547-1 DLA-1955-1} - tcpdump 4.9.3-1 (bug #941698) NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/96480ab95308cd9234b4f09b175ebf60e17792c6 CVE-2018-16450 (CraftedWeb through 2013-09-24 has reflected XSS via the p parameter. ...) NOT-FOR-US: CraftedWeb CVE-2018-16449 (OneThink 1.1.141212 allows CSRF for adding a page via admin.php?s=/Cha ...) NOT-FOR-US: OneThink CVE-2018-16448 (Cscms 4 allows CSRF for creating a member via upload/admin.php/user/sa ...) NOT-FOR-US: Cscms CVE-2018-16447 (Frog CMS 0.9.5 has admin/?/user/edit/1 CSRF. ...) NOT-FOR-US: Frog CMS CVE-2018-16446 (An issue was discovered in SeaCMS through 6.61. adm1n/admin_database.p ...) NOT-FOR-US: SeaCMS CVE-2018-16445 (An issue was discovered in SeaCMS through 6.61. SQL injection exists v ...) NOT-FOR-US: SeaCMS CVE-2018-16444 (An issue was discovered in SeaCMS 6.61. adm1n/admin_reslib.php has SSR ...) NOT-FOR-US: SeaCMS CVE-2018-16443 RESERVED CVE-2018-16442 RESERVED CVE-2018-16441 RESERVED CVE-2018-16440 RESERVED CVE-2018-16439 RESERVED CVE-2018-16438 (An issue was discovered in the HDF HDF5 1.8.20 library. There is an ou ...) - hdf5 NOTE: H5L_extern_query@H5Lexternal.c:498-10___out-of-bounds-read CVE-2018-16437 (Gxlcms 2.0 before bug fix 20180915 has Directory Traversal exploitable ...) NOT-FOR-US: Gxlcms CVE-2018-16436 (Gxlcms 2.0 before bug fix 20180915 has SQL Injection exploitable by an ...) NOT-FOR-US: Gxlcms CVE-2018-16435 (Little CMS (aka Little Color Management System) 2.9 has an integer ove ...) {DSA-4289-1 DSA-4284-1 DLA-1496-1} - lcms2 2.9-3 (bug #907983) - lcms - chromium-browser 69.0.3497.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) NOTE: https://github.com/mm2/Little-CMS/issues/171 NOTE: https://github.com/mm2/Little-CMS/commit/768f70ca405cd3159d990e962d54456773bb8cf8 CVE-2018-16434 RESERVED CVE-2018-16433 RESERVED CVE-2018-16432 (BlueCMS 1.6 allows SQL Injection via the user_name parameter to upload ...) NOT-FOR-US: BlueCMS CVE-2018-16431 (admin/admin/adminsave.html in YFCMF v3.0 allows CSRF to add an adminis ...) NOT-FOR-US: YFCMF CVE-2018-16430 (GNU Libextractor through 1.7 has an out-of-bounds read vulnerability i ...) {DSA-4290-1 DLA-1501-1} - libextractor 1:1.7-1 (bug #907987) NOTE: https://gnunet.org/bugs/view.php?id=5405 NOTE: https://git.gnunet.org/libextractor.git/commit/?id=24c8d489797499c0331f4d1039e357ece1ae98a7 CVE-2018-16429 (GNOME GLib 2.56.1 has an out-of-bounds read vulnerability in g_markup_ ...) {DLA-1866-1} - glib2.0 2.58.0-1 (low) [stretch] - glib2.0 2.50.3-2+deb9u1 NOTE: https://gitlab.gnome.org/GNOME/glib/commit/cec71705406f0b2790422f0c1aa0ff3b4b464b1b NOTE: https://gitlab.gnome.org/GNOME/glib/issues/1361 CVE-2018-16428 (In GNOME GLib 2.56.1, g_markup_parse_context_end_parse() in gmarkup.c ...) {DLA-1866-1} - glib2.0 2.58.0-1 (low) [stretch] - glib2.0 (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/glib/commit/fccef3cc822af74699cca84cd202719ae61ca3b9 NOTE: https://gitlab.gnome.org/GNOME/glib/issues/1364 CVE-2018-16427 (Various out of bounds reads when handling responses in OpenSC before 0 ...) {DLA-1916-1} - opensc 0.19.0~rc1-1 (low; bug #909444) [stretch] - opensc 0.16.0-3+deb9u1 NOTE: https://github.com/OpenSC/OpenSC/pull/1447/commits/8fe377e93b4b56060e5bbfb6f3142ceaeca744fa NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-002-OpenSC/ CVE-2018-16426 (Endless recursion when handling responses from an IAS-ECC card in iase ...) {DLA-1916-1} - opensc 0.19.0~rc1-1 (low; bug #909444) [stretch] - opensc 0.16.0-3+deb9u1 NOTE: https://github.com/OpenSC/OpenSC/commit/03628449b75a93787eb2359412a3980365dda49b#diff-f8c0128e14031ed9307d47f10f601b54 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-002-OpenSC/ CVE-2018-16425 (A double free when handling responses from an HSM Card in sc_pkcs15emu ...) {DLA-1916-1} - opensc 0.19.0~rc1-1 (low; bug #909444) [stretch] - opensc 0.16.0-3+deb9u1 NOTE: https://github.com/OpenSC/OpenSC/commit/360e95d45ac4123255a4c796db96337f332160ad#diff-d643a0fa169471dbf2912f4866dc49c5 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-002-OpenSC/ CVE-2018-16424 (A double free when handling responses in read_file in tools/egk-tool.c ...) {DLA-1916-1} - opensc 0.19.0~rc1-1 (low; bug #909444) [stretch] - opensc 0.16.0-3+deb9u1 NOTE: https://github.com/OpenSC/OpenSC/commit/360e95d45ac4123255a4c796db96337f332160ad#diff-476b3b2a03c4eef331b4b0bfece4b063 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-002-OpenSC/ CVE-2018-16423 (A double free when handling responses from a smartcard in sc_file_set_ ...) {DLA-1916-1} - opensc 0.19.0~rc1-1 (low; bug #909444) [stretch] - opensc 0.16.0-3+deb9u1 NOTE: https://github.com/OpenSC/OpenSC/commit/360e95d45ac4123255a4c796db96337f332160ad#diff-db0cd89ff279ad8c7b3bb780cdf2770a NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-002-OpenSC/ CVE-2018-16422 (A single byte buffer overflow when handling responses from an esteid C ...) {DLA-1916-1} - opensc 0.19.0~rc1-1 (low; bug #909444) [stretch] - opensc 0.16.0-3+deb9u1 NOTE: https://github.com/OpenSC/OpenSC/commit/360e95d45ac4123255a4c796db96337f332160ad#diff-d64c08c80437cf0006ada91e50f20ba0 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-002-OpenSC/ CVE-2018-16421 (Several buffer overflows when handling responses from a CAC Card in ca ...) {DLA-1916-1} - opensc 0.19.0~rc1-1 (low; bug #909444) [stretch] - opensc 0.16.0-3+deb9u1 NOTE: https://github.com/OpenSC/OpenSC/commit/360e95d45ac4123255a4c796db96337f332160ad#diff-848b13147a344ba2c6361d91ca77feb1 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-002-OpenSC/ CVE-2018-16420 (Several buffer overflows when handling responses from an ePass 2003 Ca ...) {DLA-1916-1} - opensc 0.19.0~rc1-1 (low; bug #909444) [stretch] - opensc 0.16.0-3+deb9u1 NOTE: https://github.com/OpenSC/OpenSC/commit/360e95d45ac4123255a4c796db96337f332160ad#diff-b36536074d13447fbbec061e0e64d15d NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-002-OpenSC/ CVE-2018-16419 (Several buffer overflows when handling responses from a Cryptoflex car ...) {DLA-1916-1} - opensc 0.19.0~rc1-1 (low; bug #909444) [stretch] - opensc 0.16.0-3+deb9u1 NOTE: https://github.com/OpenSC/OpenSC/commit/360e95d45ac4123255a4c796db96337f332160ad#diff-a6074523a9cbd875e26c58e20868fb15 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-002-OpenSC/ CVE-2018-16418 (A buffer overflow when handling string concatenation in util_acl_to_st ...) {DLA-1916-1} - opensc 0.19.0~rc1-1 (low; bug #909444) [stretch] - opensc 0.16.0-3+deb9u1 NOTE: https://github.com/OpenSC/OpenSC/commit/360e95d45ac4123255a4c796db96337f332160ad#diff-628c8445c4e7ae92bbc4be08ba11a4c3 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-002-OpenSC/ CVE-2018-16417 (Aruba Instant 4.x prior to 6.4.4.8-4.2.4.12, 6.5.x prior to 6.5.4.11, ...) NOT-FOR-US: Aruba Instant CVE-2018-16416 (Cross-site request forgery (CSRF) vulnerability in my_profile/edit?inl ...) NOT-FOR-US: FUEL CMS CVE-2018-16415 RESERVED CVE-2018-16414 RESERVED CVE-2018-16413 (ImageMagick 7.0.8-11 Q16 has a heap-based buffer over-read in the Magi ...) {DSA-4316-1 DLA-1530-1} - imagemagick 8:6.9.10.14+dfsg-1 (bug #910887) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1249 NOTE: https://github.com/ImageMagick/ImageMagick/issues/1251 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/17a1a6f97fd088a71931bdc422f4e96bb6ffc549 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/4745eb1047617330141e9abfd5ae01236a71ae12 CVE-2018-16412 (ImageMagick 7.0.8-11 Q16 has a heap-based buffer over-read in the code ...) {DSA-4316-1 DLA-1530-1} - imagemagick 8:6.9.10.14+dfsg-1 (bug #910887) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1250 NOTE: Fixed with same patch as for issue #1249, as per upstream discussion at NOTE: https://github.com/ImageMagick/ImageMagick/issues/1250#issuecomment-422361868 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/17a1a6f97fd088a71931bdc422f4e96bb6ffc549 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/4745eb1047617330141e9abfd5ae01236a71ae12 CVE-2018-16411 RESERVED CVE-2018-16410 (Vanilla before 2.6.1 allows SQL injection via an invitationID array to ...) NOT-FOR-US: Vanilla CVE-2018-16409 (In Gogs 0.11.53, an attacker can use migrate to send arbitrary HTTP GE ...) NOT-FOR-US: Go Git Service CVE-2018-16408 (D-Link DIR-846 devices with firmware 100.26 allow remote attackers to ...) NOT-FOR-US: D-Link DIR-846 devices CVE-2018-16407 (An issue was discovered in Mayan EDMS before 3.0.3. The Tags app has X ...) - mayan-edms (bug #718580) CVE-2018-16406 (An issue was discovered in Mayan EDMS before 3.0.2. The Cabinets app h ...) - mayan-edms (bug #718580) CVE-2018-16405 (An issue was discovered in Mayan EDMS before 3.0.2. The Appearance app ...) - mayan-edms (bug #718580) CVE-2018-16404 RESERVED CVE-2018-16403 (libdw in elfutils 0.173 checks the end of the attributes list incorrec ...) - elfutils 0.175-1 (low) [stretch] - elfutils (Minor issue) [jessie] - elfutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23529 NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=6983e59b727458a6c64d9659c85f08218bc4fcda CVE-2018-16402 (libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a ...) - elfutils 0.175-1 (low) [stretch] - elfutils (Minor issue) [jessie] - elfutils (vulnerable code introduced later) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23528 NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=56b18521fb8d46d40fc090c0de9d11a08bc982fa CVE-2018-16401 RESERVED CVE-2018-16400 RESERVED CVE-2018-16399 RESERVED CVE-2018-16398 (In Twistlock AuthZ Broker 0.1, regular expressions are mishandled, as ...) NOT-FOR-US: Twistlock AuthZ Broker CVE-2018-16397 (In LimeSurvey before 3.14.7, an admin user can leverage a "file upload ...) - limesurvey (bug #472802) CVE-2018-16396 (An issue was discovered in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5. ...) {DSA-4332-1 DLA-1558-1} - ruby2.5 2.5.3-1 (bug #911920) - ruby2.3 - ruby2.1 NOTE: https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/ NOTE: https://github.com/ruby/ruby/commit/a2958f6743664006d21fc0bafd4ca6214df1d429 CVE-2018-16395 (An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2 ...) {DSA-4332-1 DLA-1558-1} - ruby-openssl 2.1.2-1 (bug #911918) - ruby2.5 2.5.3-1 (bug #911919) - ruby2.3 - ruby2.1 NOTE: https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/ NOTE: https://github.com/ruby/openssl/commit/f653cfa43f0f20e8c440122ea982382b6228e7f5 CVE-2018-16394 RESERVED CVE-2018-16393 (Several buffer overflows when handling responses from a Gemsafe V1 Sma ...) {DLA-1916-1} - opensc 0.19.0~rc1-1 (low; bug #909444) [stretch] - opensc 0.16.0-3+deb9u1 NOTE: https://github.com/OpenSC/OpenSC/commit/360e95d45ac4123255a4c796db96337f332160ad NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-002-OpenSC/ CVE-2018-16392 (Several buffer overflows when handling responses from a TCOS Card in t ...) {DLA-1916-1} - opensc 0.19.0~rc1-1 (low; bug #909444) [stretch] - opensc 0.16.0-3+deb9u1 NOTE: https://github.com/OpenSC/OpenSC/commit/360e95d45ac4123255a4c796db96337f332160ad#diff-b2a356323a9ff2024d041cf2d7e89dd3 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-002-OpenSC/ CVE-2018-16391 (Several buffer overflows when handling responses from a Muscle Card in ...) {DLA-1916-1} - opensc 0.19.0~rc1-1 (low; bug #909444) [stretch] - opensc 0.16.0-3+deb9u1 NOTE: https://github.com/OpenSC/OpenSC/commit/360e95d45ac4123255a4c796db96337f332160ad#diff-477b7a40136bb418b10ce271c8664536 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-002-OpenSC/ CVE-2018-16390 RESERVED CVE-2018-16389 (e107_admin/banlist.php in e107 2.1.8 allows SQL injection via the old_ ...) NOT-FOR-US: e107 CVE-2018-16388 (e107_web/js/plupload/upload.php in e107 2.1.8 allows remote attackers ...) NOT-FOR-US: e107 CVE-2018-16387 (An issue was discovered in Elefant CMS before 2.0.5. There is a CSRF v ...) NOT-FOR-US: Elefant CMS CVE-2018-16386 (An issue was discovered in SWIFT Alliance Web Platform 7.1.23. A log i ...) NOT-FOR-US: SWIFT Alliance Web Platform CVE-2018-16385 (ThinkPHP before 5.1.23 allows SQL Injection via the public/index/index ...) NOT-FOR-US: ThinkPHP CVE-2018-16384 (A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Co ...) - modsecurity-crs (low; bug #924352) [buster] - modsecurity-crs (Minor issue) [stretch] - modsecurity-crs (Minor issue) [jessie] - modsecurity-crs (Minor issue) NOTE: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1167 CVE-2018-16383 RESERVED CVE-2018-16382 (Netwide Assembler (NASM) 2.14rc15 has a buffer over-read in x86/regfla ...) - nasm 2.14-1 (unimportant; bug #907866) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392503 NOTE: Duplicate of/relate to https://bugzilla.nasm.us/show_bug.cgi?id=3392447 NOTE: https://github.com/netwide-assembler/nasm/commit/3c755dac88039b718d52ef56e8f74b5f65f3b55b NOTE: Crash in CLI tool, no security impact CVE-2018-16381 (e107 2.1.8 has XSS via the e107_admin/users.php?mode=main&action=l ...) NOT-FOR-US: e107 CVE-2018-16380 (An issue was discovered in Ogma CMS 0.4 Beta. There is a CSRF vulnerab ...) NOT-FOR-US: Ogma CMS CVE-2018-16379 (Ogma CMS 0.4 Beta has XSS via the "Footer Text footer" field on the "T ...) NOT-FOR-US: Ogma CMS CVE-2018-16378 RESERVED CVE-2018-16377 RESERVED CVE-2018-16376 (An issue was discovered in OpenJPEG 2.3.0. A heap-based buffer overflo ...) - openjpeg2 (unimportant) NOTE: https://github.com/uclouvain/openjpeg/issues/1127 NOTE: We build with -DBUILD_MJ2:BOOL=OFF CVE-2018-16375 (An issue was discovered in OpenJPEG 2.3.0. Missing checks for header_i ...) - openjpeg2 (unimportant) NOTE: https://github.com/uclouvain/openjpeg/issues/1126 NOTE: We build with -DBUILD_JPWL:BOOL=OFF CVE-2018-16374 (Frog CMS 0.9.5 has stored XSS via /admin/?/plugin/comment/settings. ...) NOT-FOR-US: Frog CMS CVE-2018-16373 (Frog CMS 0.9.5 has an Upload vulnerability that can create files via / ...) NOT-FOR-US: Frog CMS CVE-2018-16372 (The issue was discovered in IdeaCMS through 2016-04-30. There is refle ...) NOT-FOR-US: IdeaCMS CVE-2018-16371 (PESCMS Team 2.2.1 has multiple reflected XSS via the keyword parameter ...) NOT-FOR-US: PESCMS Team CVE-2018-16370 (In PESCMS Team 2.2.1, attackers may upload and execute arbitrary PHP c ...) NOT-FOR-US: PESCMS Team CVE-2018-16369 (XRef::fetch in XRef.cc in Xpdf 4.00 allows remote attackers to cause a ...) - xpdf (unimportant) NOTE: Crash in GUI/CLI tool, no security impact CVE-2018-16368 (SplashXPath::strokeAdjust in splash/SplashXPath.cc in Xpdf 4.00 allows ...) - xpdf (unimportant) NOTE: Crash in GUI/CLI tool, no security impact CVE-2018-16367 (In OnlineJudge 2.0, the sandbox has an incorrect access control vulner ...) NOT-FOR-US: OnlineJudge CVE-2018-16366 (An issue was discovered in idreamsoft iCMS V7.0.10. admincp.php?app=us ...) NOT-FOR-US: idreamsoft iCMS CVE-2018-16365 (An issue was discovered in idreamsoft iCMS V7.0.10. admincp.php?app=gr ...) NOT-FOR-US: idreamsoft iCMS CVE-2018-16364 (A serialization vulnerability in Zoho ManageEngine Applications Manage ...) NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2018-16363 (The mndpsingh287 File Manager plugin V2.9 for WordPress has XSS via th ...) NOT-FOR-US: mndpsingh287 File Manager plugin for WordPress CVE-2018-16362 (An issue was discovered in the Source Integration plugin before 1.5.9 ...) NOT-FOR-US: Mantis plugin CVE-2018-16361 (An issue was discovered in BTITeam XBTIT 2.5.4. news.php allows XSS vi ...) NOT-FOR-US: BTITeam XBTIT CVE-2018-16360 RESERVED CVE-2018-16359 (Google gVisor before 2018-08-23, within the seccomp sandbox, permits a ...) NOT-FOR-US: gVisor CVE-2018-16358 (A cross-site scripting (XSS) vulnerability in inc/core/class.dc.core.p ...) - dotclear CVE-2018-16357 (An issue was discovered in PbootCMS. There is a SQL injection via the ...) NOT-FOR-US: PbootCMS CVE-2018-16356 (An issue was discovered in PbootCMS. There is a SQL injection via the ...) NOT-FOR-US: PbootCMS CVE-2018-16355 RESERVED CVE-2018-16354 (An issue was discovered in FHCRM through 2018-02-11. There is a SQL in ...) NOT-FOR-US: FHCRM CVE-2018-16353 (An issue was discovered in FHCRM through 2018-02-11. There is a SQL in ...) NOT-FOR-US: FHCRM CVE-2018-16352 (There is a PHP code upload vulnerability in WeaselCMS 0.3.6 via index. ...) NOT-FOR-US: WeaselCMS CVE-2018-16351 RESERVED CVE-2018-16350 (WUZHI CMS 4.1.0 has XSS via the index.php?m=core&f=set&v=basic ...) NOT-FOR-US: WUZHI CMS CVE-2018-16349 (WUZHI CMS 4.1.0 has XSS via the index.php?m=link&f=index&v=add ...) NOT-FOR-US: WUZHI CMS CVE-2018-16348 (SeaCMS V6.61 has XSS via the admin_video.php v_content parameter, rela ...) NOT-FOR-US: SeaCMS CVE-2018-16347 (An issue was discovered in Gleez CMS v1.2.0. There is XSS via media/im ...) NOT-FOR-US: Gleez CMS CVE-2018-16346 (ChemCMS 1.0.6 has XSS via the "setting -> website information" fiel ...) NOT-FOR-US: ChemCMS CVE-2018-16345 (An issue was discovered in EasyCMS 1.5. There is a CSRF vulnerability ...) NOT-FOR-US: EasyCMS CVE-2018-16344 (An issue was discovered in zzcms 8.3. It allows remote attackers to de ...) NOT-FOR-US: zzcms CVE-2018-16343 (SeaCMS 6.61 allows remote attackers to execute arbitrary code because ...) NOT-FOR-US: SeaCMS CVE-2018-16342 (ShowDoc v1.8.0 has XSS via a new page. ...) NOT-FOR-US: ShowDoc CVE-2018-16341 RESERVED CVE-2018-16340 RESERVED CVE-2018-16339 (An issue was discovered in EmpireCMS 7.0. There is a CSRF vulnerabilit ...) NOT-FOR-US: EmpireCMS CVE-2018-16338 (An issue was discovered in AuraCMS 2.3. There is a CSRF vulnerability ...) NOT-FOR-US: AuraCMS CVE-2018-16337 (An issue was discovered in Cscms V4.1.8. There is a CSRF vulnerability ...) NOT-FOR-US: Cscms CVE-2018-16336 (Exiv2::Internal::PngChunk::parseTXTChunk in Exiv2 v0.26 allows remote ...) {DLA-1551-1} - exiv2 0.27.2-6 (bug #916081) [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/issues/400 NOTE: https://github.com/Exiv2/exiv2/commit/35b3e596edacd2437c2c5d3dd2b5c9502626163d CVE-2018-16335 (newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c ...) {DSA-4349-1} - tiff 4.0.9-5 (bug #907795) [jessie] - tiff 4.0.3-12.3+deb8u6 - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2809 NOTE: Different issue than CVE-2017-11613 but adressed with same set of commits. NOTE: Upstream fix 1/2: https://gitlab.com/libtiff/libtiff/commit/3719385a3fac5cfb20b487619a5f08abbf967cf8 NOTE: Upstream fix 2/2: https://gitlab.com/libtiff/libtiff/commit/7a092f8af2568d61993a8cc2e7a35a998d7d37be CVE-2018-16334 (An issue was discovered on Tenda AC9 V15.03.05.19(6318)_CN and AC10 V1 ...) NOT-FOR-US: Tenda CVE-2018-16333 (An issue was discovered on Tenda AC7 V15.03.06.44_CN, AC9 V15.03.05.19 ...) NOT-FOR-US: Tenda CVE-2018-16332 (An issue was discovered in iCMS 7.0.9. There is an admincp.php?app=art ...) NOT-FOR-US: iCMS CVE-2018-16331 (admin.php?s=/Admin/doedit in DamiCMS v6.0.0 allows CSRF to change the ...) NOT-FOR-US: DamiCMS CVE-2018-16330 (Pandao Editor.md 1.5.0 allows XSS via crafted attributes of an invalid ...) NOT-FOR-US: Pandao Editor.md CVE-2018-16329 (In ImageMagick before 7.0.8-8, a NULL pointer dereference exists in th ...) - imagemagick (Only affects 7.x) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1225 NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/2c75f301d9ac84f91071393b02d8c88c8341c91c CVE-2018-16328 (In ImageMagick before 7.0.8-8, a NULL pointer dereference exists in th ...) - imagemagick 8:6.9.10.8+dfsg-1 [stretch] - imagemagick (Vulnerable code introduced later) [jessie] - imagemagick (Vulnerable code introduced later) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1224 NOTE: https://github.com/ImageMagick/ImageMagick/commit/107ce8577e818cf4801e5a59641cb769d645cc95 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/68e4f4d22abaf97b61019ea85f74e2f639d0e93e CVE-2018-16327 (There is Stored XSS in Subrion 4.2.1 via the admin panel URL configura ...) NOT-FOR-US: Subrion CMS CVE-2018-16326 (PHP Scripts Mall Olx Clone 3.4.2 has XSS. ...) NOT-FOR-US: PHP Scripts Mall Olx Clone CVE-2018-16325 (There is XSS in GetSimple CMS 3.4.0.9 via the admin/edit.php title fie ...) NOT-FOR-US: GetSimple CMS CVE-2018-16324 (In IceWarp Server 12.0.3.1 and before, there is XSS in the /webmail/ u ...) NOT-FOR-US: IceWarp Server CVE-2018-16323 (ReadXBMImage in coders/xbm.c in ImageMagick before 7.0.8-9 leaves data ...) - imagemagick 8:6.9.10.14+dfsg-1 (bug #907776) [stretch] - imagemagick (Introduced by b8c63b156bf26b52e710b1a0643c846a6cd01e56 which wasn't backported to stretch) [jessie] - imagemagick (Introduced by b8c63b156bf26b52e710b1a0643c846a6cd01e56 which wasn't backported to jessie) NOTE: https://github.com/ImageMagick/ImageMagick/commit/216d117f05bff87b9dc4db55a1b1fadb38bcb786 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/57565dace66d550042522e203f522da711d551a6 CVE-2018-16322 RESERVED CVE-2018-16321 RESERVED CVE-2018-16320 (idreamsoft iCMS 7.0.11 allows admincp.php?app=config Directory Travers ...) NOT-FOR-US: idreamsoft iCMS CVE-2018-16319 RESERVED CVE-2018-16318 RESERVED CVE-2018-16317 RESERVED CVE-2018-16316 (A stored Cross-site scripting (XSS) vulnerability in Portainer through ...) NOT-FOR-US: Portainer CVE-2018-16315 (In waimai Super Cms 20150505, there is a CSRF vulnerability that can c ...) NOT-FOR-US: waimai Super Cms CVE-2018-16314 (An issue was discovered in admincp.php in idreamsoft iCMS 7.0.11. When ...) NOT-FOR-US: idreamsoft iCMS CVE-2018-16313 (Bludit 2.3.4 allows XSS via a user name. ...) NOT-FOR-US: Bludit CVE-2018-16312 RESERVED CVE-2018-16311 RESERVED CVE-2018-16310 (** DISPUTED ** Technicolor TG588V V2 devices allow remote attackers to ...) NOT-FOR-US: Technicolor CVE-2018-16309 REJECTED CVE-2018-16308 (The Ninja Forms plugin before 3.3.14.1 for WordPress allows CSV inject ...) NOT-FOR-US: Ninja Forms plugin for WordPress CVE-2018-16307 (An "Out-of-band resource load" issue was discovered on Xiaomi MIWiFi X ...) NOT-FOR-US: Xiaomi CVE-2018-16306 RESERVED CVE-2018-16305 RESERVED CVE-2018-16304 RESERVED CVE-2018-16303 (PDF-XChange Editor through 7.0.326.1 allows remote attackers to cause ...) NOT-FOR-US: PDF-XChange Editor CVE-2018-16302 (MediaComm Zip-n-Go before 4.95 has a Buffer Overflow via a crafted fil ...) NOT-FOR-US: MediaComm Zip-n-Go CVE-2018-16301 REJECTED CVE-2018-16300 (The BGP parser in tcpdump before 4.9.3 allows stack consumption in pri ...) {DSA-4547-1 DLA-1955-1} - tcpdump 4.9.3-1 (bug #941698) NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/af2cf04a9394c1a56227c2289ae8da262828294a CVE-2018-16299 (The Localize My Post plugin 1.0 for WordPress allows Directory Travers ...) NOT-FOR-US: Wordpress plugin CVE-2018-16298 (An issue was discovered in MiniCMS 1.10. There is an mc-admin/post.php ...) NOT-FOR-US: MiniCMS CVE-2018-16297 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit CVE-2018-16296 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit CVE-2018-16295 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit CVE-2018-16294 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit CVE-2018-16293 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit CVE-2018-16292 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit CVE-2018-16291 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit CVE-2018-16290 RESERVED CVE-2018-16289 RESERVED CVE-2018-16288 (LG SuperSign CMS allows reading of arbitrary files via signEzUI/playli ...) NOT-FOR-US: LG SuperSign CMS CVE-2018-16287 (LG SuperSign CMS allows file upload via signEzUI/playlist/edit/upload/ ...) NOT-FOR-US: LG SuperSign CMS CVE-2018-16286 (LG SuperSign CMS allows authentication bypass because the CAPTCHA requ ...) NOT-FOR-US: LG SuperSign CMS CVE-2018-16285 (The UserPro plugin through 4.9.23 for WordPress allows XSS via the sho ...) NOT-FOR-US: Wordpress plugin CVE-2018-16284 RESERVED CVE-2018-16283 (The Wechat Broadcast plugin 1.2.0 and earlier for WordPress allows Dir ...) NOT-FOR-US: Wordpress plugin CVE-2018-16282 (A command injection vulnerability in the web server functionality of M ...) NOT-FOR-US: Moxa CVE-2018-16281 (The DEISER "Profields - Project Custom Fields" app before 6.0.2 for Ji ...) NOT-FOR-US: DEISER CVE-2018-16280 RESERVED CVE-2018-16279 RESERVED CVE-2018-16278 (phpkaiyuancms PhpOpenSourceCMS (POSCMS) V3.2.0 allows an unauthenticat ...) NOT-FOR-US: phpkaiyuancms PhpOpenSourceCMS (POSCMS) CVE-2018-16277 (The Image Import function in XWiki through 10.7 has XSS. ...) NOT-FOR-US: XWiki CVE-2018-16275 (OPSWAT MetaDefender before v4.11.2 allows CSV injection. ...) NOT-FOR-US: OPSWAT MetaDefender CVE-2018-16276 (An issue was discovered in yurex_read in drivers/usb/misc/yurex.c in t ...) {DSA-4308-1 DLA-1531-1 DLA-1529-1} - linux 4.17.8-1 NOTE: Fixed by: https://git.kernel.org/linus/f1e255d60ae66a9f672ff9a207ee6cd8e33d2679 (4.18-rc5) CVE-2018-16274 RESERVED CVE-2018-16273 RESERVED CVE-2018-16272 (The wpa_supplicant system service in Samsung Galaxy Gear series allows ...) NOT-FOR-US: Samsung CVE-2018-16271 (The wemail_consumer_service (from the built-in application wemail) in ...) NOT-FOR-US: Samsung CVE-2018-16270 (Samsung Galaxy Gear series before build RE2 includes the hcidump utili ...) NOT-FOR-US: Samsung CVE-2018-16269 (The wnoti system service in Samsung Galaxy Gear series allows an unpri ...) NOT-FOR-US: Samsung CVE-2018-16268 (The SoundServer/FocusServer system services in Tizen allow an unprivil ...) NOT-FOR-US: Tizen CVE-2018-16267 (The system-popup system service in Tizen allows an unprivileged proces ...) NOT-FOR-US: Tizen CVE-2018-16266 (The Enlightenment system service in Tizen allows an unprivileged proce ...) NOT-FOR-US: Tizen CVE-2018-16265 (The bt/bt_core system service in Tizen allows an unprivileged process ...) NOT-FOR-US: Tizen CVE-2018-16264 (The BlueZ system service in Tizen allows an unprivileged process to pa ...) NOT-FOR-US: Tizen CVE-2018-16263 (The PulseAudio system service in Tizen allows an unprivileged process ...) NOT-FOR-US: Tizen CVE-2018-16262 (The pkgmgr system service in Tizen allows an unprivileged process to p ...) NOT-FOR-US: Tizen CVE-2018-16261 (In Pulse Secure Pulse Desktop Client 5.3RX before 5.3R5 and 9.0R1, the ...) NOT-FOR-US: Pulse Secure Pulse Desktop Client CVE-2018-16260 RESERVED CVE-2018-16259 (** DISPUTED ** There is an XSS vulnerability in WP All Import plugin 3 ...) NOT-FOR-US: WP All Import plugin for WordPress CVE-2018-16258 (** DISPUTED ** There is an XSS vulnerability in WP All Import plugin 3 ...) NOT-FOR-US: WP All Import plugin for WordPress CVE-2018-16257 (** DISPUTED ** There are multiple XSS vulnerabilities in WP All Import ...) NOT-FOR-US: WP All Import plugin for WordPress CVE-2018-16256 (** DISPUTED ** There is an XSS vulnerability in WP All Import plugin 3 ...) NOT-FOR-US: WP All Import plugin for WordPress CVE-2018-16255 (** DISPUTED ** There is an XSS vulnerability in WP All Import plugin 3 ...) NOT-FOR-US: WP All Import plugin for WordPress CVE-2018-16254 (** DISPUTED ** There is an XSS vulnerability in WP All Import plugin 3 ...) NOT-FOR-US: WP All Import plugin for WordPress CVE-2018-16253 (In sig_verify() in x509.c in axTLS version 2.1.3 and before, the PKCS# ...) - axtls (Fixed before initial upload to Debian) CVE-2018-16252 (FsPro Labs Event Log Explorer 4.6.1.2115 has ".elx" FileType XML Exter ...) NOT-FOR-US: FsPro Labs Event Log Explorer CVE-2018-16251 (A "search for user discovery" injection issue exists in Creatiwity wit ...) NOT-FOR-US: Creatiwity wityCMS CVE-2018-16250 (The "utilisateur" menu in Creatiwity wityCMS 0.6.2 modifies the presen ...) NOT-FOR-US: Creatiwity wityCMS CVE-2018-16249 (In Symphony before 3.3.0, there is XSS in the Title under Post. The ID ...) NOT-FOR-US: b3log CVE-2018-16248 (b3log Solo 2.9.3 has XSS in the Input page under the "Publish Articles ...) NOT-FOR-US: b3log CVE-2018-16247 (YzmCMS 5.1 has XSS via the admin/system_manage/user_config_add.html ti ...) NOT-FOR-US: YzmCMS CVE-2018-16246 RESERVED CVE-2018-16245 RESERVED CVE-2018-16244 RESERVED CVE-2018-16243 RESERVED CVE-2018-16242 (oBike relies on Hangzhou Luoping Smart Locker to lock bicycles, which ...) NOT-FOR-US: oBike CVE-2018-16241 RESERVED CVE-2018-16240 RESERVED CVE-2018-16239 (An issue was discovered in damiCMS V6.0.1. It relies on the PHP time() ...) NOT-FOR-US: damiCMS CVE-2018-16238 (An issue was discovered in damiCMS V6.0.1. Remote code execution can o ...) NOT-FOR-US: damiCMS CVE-2018-16237 (An issue was discovered in damiCMS V6.0.1. There is Directory Traversa ...) NOT-FOR-US: damiCMS CVE-2018-16236 (cPanel through 74 allows XSS via a crafted filename in the logs subdir ...) NOT-FOR-US: cPanel CVE-2018-16235 (Telligent Community 6.x, 7.x, 8.x, 9.x before 9.2.10.11796, 10.1.x bef ...) NOT-FOR-US: Telligent Community CVE-2018-16234 (MorningStar WhatWeb 0.4.9 has XSS via JSON report files. ...) NOT-FOR-US: MorningStar WhatWeb CVE-2018-16233 (MiniCMS V1.10 has XSS via the mc-admin/post-edit.php tags parameter. ...) NOT-FOR-US: MiniCMS CVE-2018-16232 (An authenticated command injection vulnerability exists in IPFire Fire ...) NOT-FOR-US: IPFire CVE-2018-16231 (Michael Roth Software Personal FTP Server (PFTP) through 8.4f allows r ...) NOT-FOR-US: Michael Roth Software Personal FTP Server CVE-2018-16230 (The BGP parser in tcpdump before 4.9.3 has a buffer over-read in print ...) {DSA-4547-1 DLA-1955-1} - tcpdump 4.9.3-1 (bug #941698) NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/13d52e9c0e7caf7e6325b0051bc90a49968be67f CVE-2018-16229 (The DCCP parser in tcpdump before 4.9.3 has a buffer over-read in prin ...) {DSA-4547-1 DLA-1955-1} - tcpdump 4.9.3-1 (bug #941698) NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/211124b972e74f0da66bc8b16f181f78793e2f66 CVE-2018-16228 (The HNCP parser in tcpdump before 4.9.3 has a buffer over-read in prin ...) {DSA-4547-1 DLA-1955-1} - tcpdump 4.9.3-1 (bug #941698) NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/83a412a5275cac973c5841eca3511c766bed778d CVE-2018-16227 (The IEEE 802.11 parser in tcpdump before 4.9.3 has a buffer over-read ...) {DSA-4547-1 DLA-1955-1} - tcpdump 4.9.3-1 (bug #941698) NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/4846b3c5d0a850e860baf4f07340495d29837d09 CVE-2018-16226 (A vulnerability in the web admin component of Mitel MiVoice Office 400 ...) NOT-FOR-US: Mitel CVE-2018-16225 (The QBee MultiSensor Camera through 4.16.4 accepts unencrypted network ...) NOT-FOR-US: QBee MultiSensor Camera CVE-2018-16224 (Incorrect access control for the diagnostic files of the iSmartAlarm C ...) NOT-FOR-US: iSmartAlarm Cube One CVE-2018-16223 (Insecure Cryptographic Storage of credentials in com.vestiacom.qbeecam ...) NOT-FOR-US: QBee Cam application for Android CVE-2018-16222 (Cleartext Storage of credentials in the iSmartAlarmData.xml configurat ...) NOT-FOR-US: iSmartAlarm application for Android CVE-2018-16221 (The diagnostics web interface in the Yeahlink Ultra-elegant IP Phone S ...) NOT-FOR-US: Yeahlink CVE-2018-16220 (Cross Site Scripting in different input fields (domain field and perso ...) NOT-FOR-US: AudioCodes 405HD VoIP phone CVE-2018-16219 (A missing password verification in the web interface in AudioCodes 405 ...) NOT-FOR-US: AudioCodes 405HD VoIP phone CVE-2018-16218 (A CSRF (Cross Site Request Forgery) in the web interface of the Yeahli ...) NOT-FOR-US: Yeahlink CVE-2018-16217 (The network diagnostic function (ping) in the Yeahlink Ultra-elegant I ...) NOT-FOR-US: Yeahlink CVE-2018-16216 (A command injection (missing input validation, escaping) in the monito ...) NOT-FOR-US: AudioCodes 405HD VoIP phone CVE-2018-16215 RESERVED CVE-2018-16214 RESERVED CVE-2018-16213 RESERVED CVE-2018-16212 RESERVED CVE-2018-16211 RESERVED CVE-2018-16210 (WAGO 750-88X and WAGO 750-89X Ethernet Controller devices, versions 01 ...) NOT-FOR-US: WAGO CVE-2018-16209 RESERVED CVE-2018-16208 RESERVED CVE-2018-16207 (PowerAct Pro Master Agent for Windows Version 5.13 and earlier allows ...) NOT-FOR-US: PowerAct Pro Master Agent for Windows CVE-2018-16206 (Cross-site scripting vulnerability in WordPress plugin spam-byebye 2.2 ...) NOT-FOR-US: Wordpress plugin CVE-2018-16205 (Cross-site scripting vulnerability in GROWI v3.2.3 and earlier allows ...) NOT-FOR-US: GROWI CVE-2018-16204 (Cross-site scripting vulnerability in Google XML Sitemaps Version 4.0. ...) NOT-FOR-US: WordPress plugin google-sitemap-generator CVE-2018-16203 (PgpoolAdmin 4.0 and earlier allows remote attackers to bypass the logi ...) NOT-FOR-US: postgresql-pgpoolAdmin CVE-2018-16202 (Directory traversal vulnerability in cordova-plugin-ionic-webview vers ...) NOT-FOR-US: cordova-plugin-ionic-webview CVE-2018-16201 (Toshiba Home gateway HEM-GW16A 1.2.9 and earlier, Toshiba Home gateway ...) NOT-FOR-US: Toshiba CVE-2018-16200 (Toshiba Home gateway HEM-GW16A 1.2.9 and earlier, Toshiba Home gateway ...) NOT-FOR-US: Toshiba CVE-2018-16199 (Cross-site scripting vulnerability in Toshiba Home gateway HEM-GW16A 1 ...) NOT-FOR-US: Toshiba CVE-2018-16198 (Toshiba Home gateway HEM-GW16A 1.2.9 and earlier, Toshiba Home gateway ...) NOT-FOR-US: Toshiba CVE-2018-16197 (Toshiba Home gateway HEM-GW16A 1.2.9 and earlier, Toshiba Home gateway ...) NOT-FOR-US: Toshiba CVE-2018-16196 (Multiple Yokogawa products that contain Vnet/IP Open Communication Dri ...) NOT-FOR-US: Yokogawa CVE-2018-16195 (Aterm WF1200CR and Aterm WG1200CR (Aterm WF1200CR firmware Ver1.1.1 an ...) NOT-FOR-US: Aterm firmware CVE-2018-16194 (Aterm WF1200CR and Aterm WG1200CR (Aterm WF1200CR firmware Ver1.1.1 an ...) NOT-FOR-US: Aterm firmware CVE-2018-16193 (Cross-site scripting vulnerability in Aterm WF1200CR and Aterm WG1200C ...) NOT-FOR-US: Aterm firmware CVE-2018-16192 (Aterm WF1200CR and Aterm WG1200CR (Aterm WF1200CR firmware Ver1.1.1 an ...) NOT-FOR-US: Aterm firmware CVE-2018-16191 (Open redirect vulnerability in EC-CUBE (EC-CUBE 3.0.0, EC-CUBE 3.0.1, ...) NOT-FOR-US: EC-CUBE CVE-2018-16190 (Untrusted search path vulnerability in UNARJ32.DLL for Win32, LHMeltin ...) NOT-FOR-US: Some Windows installer CVE-2018-16189 (Untrusted search path vulnerability in Self-Extracting Archives create ...) NOT-FOR-US: Some Windows installer CVE-2018-16188 (SQL injection vulnerability in the RICOH Interactive Whiteboard D2200 ...) NOT-FOR-US: RICOH CVE-2018-16187 (The RICOH Interactive Whiteboard D2200 V1.3 to V2.2, D5500 V1.3 to V2. ...) NOT-FOR-US: RICOH CVE-2018-16186 (RICOH Interactive Whiteboard D2200 V1.1 to V2.2, D5500 V1.1 to V2.2, D ...) NOT-FOR-US: RICOH CVE-2018-16185 (RICOH Interactive Whiteboard D2200 V1.1 to V2.2, D5500 V1.1 to V2.2, D ...) NOT-FOR-US: RICOH CVE-2018-16184 (RICOH Interactive Whiteboard D2200 V1.6 to V2.2, D5500 V1.6 to V2.2, D ...) NOT-FOR-US: RICOH CVE-2018-16183 (An unquoted search path vulnerability in some pre-installed applicatio ...) NOT-FOR-US: Panasonic PC applications CVE-2018-16182 (Untrusted search path vulnerability in the installer of MARKET SPEED V ...) NOT-FOR-US: MARKET SPEED CVE-2018-16181 (HTTP header injection vulnerability in i-FILTER Ver.9.50R05 and earlie ...) NOT-FOR-US: i-FILTER CVE-2018-16180 (Cross-site scripting vulnerability in i-FILTER Ver.9.50R05 and earlier ...) NOT-FOR-US: i-FILTER CVE-2018-16179 (The Mizuho Direct App for Android version 3.13.0 and earlier does not ...) NOT-FOR-US: Mizuho Direct App for Android CVE-2018-16178 (Cybozu Garoon 3.0.0 to 4.10.0 allows remote attackers to bypass access ...) NOT-FOR-US: Cybozu Garoon CVE-2018-16177 (Untrusted search path vulnerability in The installer of Windows10 Fall ...) NOT-FOR-US: Random Windows installer CVE-2018-16176 (Untrusted search path vulnerability in Installer of Mapping Tool 2.0.1 ...) NOT-FOR-US: Random Windows installer CVE-2018-16175 (SQL injection vulnerability in the LearnPress prior to version 3.1.0 a ...) NOT-FOR-US: LearnPress CVE-2018-16174 (Open redirect vulnerability in LearnPress prior to version 3.1.0 allow ...) NOT-FOR-US: LearnPress CVE-2018-16173 (Cross-site scripting vulnerability in LearnPress prior to version 3.1. ...) NOT-FOR-US: LearnPress CVE-2018-16172 (Improper countermeasure against clickjacking attack in client certific ...) NOT-FOR-US: Cybozu Remote Service CVE-2018-16171 (Directory traversal vulnerability in Cybozu Remote Service 3.0.0 to 3. ...) NOT-FOR-US: Cybozu Remote Service CVE-2018-16170 (Directory traversal vulnerability in Cybozu Remote Service 3.0.0 to 3. ...) NOT-FOR-US: Cybozu Remote Service CVE-2018-16169 (Cybozu Remote Service 3.0.0 to 3.1.0 allows remote authenticated attac ...) NOT-FOR-US: Cybozu Remote Service CVE-2018-16168 (LogonTracer 1.2.0 and earlier allows remote attackers to conduct Pytho ...) NOT-FOR-US: LogonTracer CVE-2018-16167 (LogonTracer 1.2.0 and earlier allows remote attackers to execute arbit ...) NOT-FOR-US: LogonTracer CVE-2018-16166 (LogonTracer 1.2.0 and earlier allows remote attackers to conduct XML E ...) NOT-FOR-US: LogonTracer CVE-2018-16165 (Cross-site scripting vulnerability in LogonTracer 1.2.0 and earlier al ...) NOT-FOR-US: LogonTracer CVE-2018-16164 (Cross-site scripting vulnerability in Event Calendar WD version 1.1.21 ...) NOT-FOR-US: Event Calendar WD CVE-2018-16163 (OpenDolphin 2.7.0 and earlier allows authenticated attackers to bypass ...) NOT-FOR-US: OpenDolphin CVE-2018-16162 (OpenDolphin 2.7.0 and earlier allows authenticated attackers to obtain ...) NOT-FOR-US: OpenDolphin CVE-2018-16161 (OpenDolphin 2.7.0 and earlier allows authenticated users to gain admin ...) NOT-FOR-US: OpenDolphin CVE-2018-16160 (SecureCore Standard Edition Version 2.x allows an attacker to bypass t ...) NOT-FOR-US: SecureCore Standard Edition CVE-2018-16159 (The Gift Vouchers plugin through 2.0.1 for WordPress allows SQL Inject ...) NOT-FOR-US: Gift Vouchers plugin for WordPress CVE-2018-16048 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab (Only affects Enterprise edition) NOTE: https://gitlab.com/gitlab-org/gitlab-ce/issues/49947 NOTE: https://about.gitlab.com/2018/08/28/security-release-gitlab-11-dot-2-dot-2-released/ CVE-2018-16051 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.1.8+dfsg-2 NOTE: https://gitlab.com/gitlab-org/gitlab-ee/issues/6012 NOTE: https://about.gitlab.com/2018/08/28/security-release-gitlab-11-dot-2-dot-2-released/ CVE-2018-XXXX [gitlab: Missing CSRF in System Hooks] - gitlab 11.1.8+dfsg-2 NOTE: https://about.gitlab.com/2018/08/28/security-release-gitlab-11-dot-2-dot-2-released/ CVE-2018-16049 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 11.1.8+dfsg-2 NOTE: https://gitlab.com/gitlab-org/gitlab-ce/issues/46967 NOTE: https://gitlab.com/gitlab-org/gitlab-ce/issues/49272 NOTE: https://about.gitlab.com/2018/08/28/security-release-gitlab-11-dot-2-dot-2-released/ CVE-2018-16050 (An issue was discovered in GitLab Community and Enterprise Edition 11. ...) - gitlab 11.1.8+dfsg-2 [stretch] - gitlab (Only affects 11.1 and 11.2) NOTE: https://gitlab.com/gitlab-org/gitlab-ce/issues/49085 NOTE: https://about.gitlab.com/2018/08/28/security-release-gitlab-11-dot-2-dot-2-released/ CVE-2018-XXXX [gitlab: Persistent XSS in Pipeline Tooltip] - gitlab 11.1.8+dfsg-2 [stretch] - gitlab (Only affects 10.7 and later) NOTE: https://about.gitlab.com/2018/08/28/security-release-gitlab-11-dot-2-dot-2-released/ CVE-2018-16158 (Eaton Power Xpert Meter 4000, 6000, and 8000 devices before 13.4.0.10 ...) NOT-FOR-US: Eaton Power Xpert Meter CVE-2018-16157 (waimai Super Cms 20150505 has a logic flaw allowing attackers to modif ...) NOT-FOR-US: waimai Super Cms CVE-2018-16156 (In PaperStream IP (TWAIN) 1.42.0.5685 (Service Update 7), the FJTWSVIC ...) NOT-FOR-US: PaperStream IP (TWAIN) CVE-2018-16155 RESERVED CVE-2018-16154 RESERVED CVE-2018-16153 RESERVED CVE-2018-16152 (In verify_emsa_pkcs1_signature() in gmp_rsa_public_key.c in the gmp pl ...) {DSA-4305-1 DLA-1522-1} - strongswan 5.7.0-1 NOTE: https://strongswan.org/blog/2018/09/24/strongswan-vulnerability-(cve-2018-16151,-cve-2018-16152).html CVE-2018-16151 (In verify_emsa_pkcs1_signature() in gmp_rsa_public_key.c in the gmp pl ...) {DSA-4305-1 DLA-1522-1} - strongswan 5.7.0-1 NOTE: https://strongswan.org/blog/2018/09/24/strongswan-vulnerability-(cve-2018-16151,-cve-2018-16152).html CVE-2018-16150 (In sig_verify() in x509.c in axTLS version 2.1.3 and before, the PKCS# ...) - axtls (Fixed before initial upload to Debian) CVE-2018-16149 (In sig_verify() in x509.c in axTLS version 2.1.3 and before, the PKCS# ...) - axtls (Fixed before initial upload to Debian) CVE-2018-16148 (The diagnosticsb2ksy parameter of the /rest endpoint in Opsview Monito ...) NOT-FOR-US: Opsview Monitor CVE-2018-16147 (The data parameter of the /settings/api/router endpoint in Opsview Mon ...) NOT-FOR-US: Opsview Monitor CVE-2018-16146 (The web management console of Opsview Monitor 5.4.x before 5.4.2 provi ...) NOT-FOR-US: Opsview Monitor CVE-2018-16145 (The /etc/init.d/opsview-reporting-module script that runs at boot time ...) NOT-FOR-US: Opsview Monitor CVE-2018-16144 (The test connection functionality in the NetAudit section of Opsview M ...) NOT-FOR-US: Opsview Monitor CVE-2018-16143 RESERVED CVE-2018-16142 (PHPOK 4.8.278 has a Reflected XSS vulnerability in framework/www/login ...) NOT-FOR-US: PHPOK CVE-2018-16141 (ThinkCMF X2.2.3 has an arbitrary file deletion vulnerability in do_ava ...) NOT-FOR-US: ThinkCMF CVE-2018-16140 (A buffer underwrite vulnerability in get_line() (read.c) in fig2dev 3. ...) {DLA-2073-1} - fig2dev 1:3.2.7a-3 (unimportant; bug #907660) - transfig (unimportant) NOTE: https://sourceforge.net/p/mcj/tickets/28/ NOTE: https://sourceforge.net/p/mcj/fig2dev/ci/e0c4b02429116b15ad1568c2c425f06b95b95830 NOTE: Crash in CLI tool, no security impact CVE-2018-16139 (Cross-site scripting (XSS) vulnerability in BIBLIOsoft BIBLIOpac 2008 ...) NOT-FOR-US: BIBLIOsoft BIBLIOpac CVE-2018-16138 (An issue was discovered in the administration page in IPBRICK OS 6.3. ...) NOT-FOR-US: IPBRICK OS CVE-2018-16137 (An issue was discovered in the Web Management Console in IPBRICK OS 6. ...) NOT-FOR-US: IPBRICK OS CVE-2018-16136 (An issue was discovered in the administrator interface in IPBRICK OS 6 ...) NOT-FOR-US: IPBRICK OS CVE-2018-16135 RESERVED CVE-2018-16134 (Cybrotech CyBroHttpServer 1.0.3 allows XSS via a URI. ...) NOT-FOR-US: Cybrotech CVE-2018-16133 (Cybrotech CyBroHttpServer 1.0.3 allows Directory Traversal via a ../ i ...) NOT-FOR-US: Cybrotech CVE-2018-16132 (The image rendering component (createGenericPreview) of the Open Whisp ...) NOT-FOR-US: Signal app (specific on iOS) CVE-2018-16131 (The decodeRequest and decodeRequestWith directives in Lightbend Akka H ...) NOT-FOR-US: Lightbend Akka CVE-2018-16130 (System command injection in request_mitv in Xiaomi Mi Router 3 version ...) NOT-FOR-US: Xiaomi Mi Router CVE-2018-558213 REJECTED CVE-2018-16129 RESERVED CVE-2018-16128 RESERVED CVE-2018-16127 RESERVED CVE-2018-16126 RESERVED CVE-2018-16125 RESERVED CVE-2018-16124 RESERVED CVE-2018-16123 RESERVED CVE-2018-16122 RESERVED CVE-2018-16121 RESERVED CVE-2018-16120 RESERVED CVE-2018-16119 (Stack-based buffer overflow in the httpd server of TP-Link WR1043nd (F ...) NOT-FOR-US: TP-Link CVE-2018-16118 (A shell escape vulnerability in /webconsole/APIController in the API C ...) NOT-FOR-US: Sophos CVE-2018-16117 (A shell escape vulnerability in /webconsole/Controller in Admin Portal ...) NOT-FOR-US: Sophos CVE-2018-16116 (SQL injection vulnerability in AccountStatus.jsp in Admin Portal of So ...) NOT-FOR-US: Sophos CVE-2018-16115 (Lightbend Akka 2.5.x before 2.5.16 allows message disclosure and modif ...) NOT-FOR-US: Lightbend Akka CVE-2018-16114 RESERVED CVE-2018-16113 REJECTED CVE-2018-16112 REJECTED CVE-2018-16111 REJECTED CVE-2018-16110 REJECTED CVE-2018-16109 REJECTED CVE-2018-16108 REJECTED CVE-2018-16107 REJECTED CVE-2018-16106 REJECTED CVE-2018-16105 REJECTED CVE-2018-16104 REJECTED CVE-2018-16103 REJECTED CVE-2018-16102 REJECTED CVE-2018-16101 REJECTED CVE-2018-16100 REJECTED CVE-2018-16099 REJECTED CVE-2018-16098 (In some Lenovo ThinkPads, an unquoted search path vulnerability was fo ...) NOT-FOR-US: Lenovo CVE-2018-16097 (LXCI for VMware versions prior to 5.5 and LXCI for Microsoft System Ce ...) NOT-FOR-US: LXCI (Lenovo XClarity Integrator) CVE-2018-16096 (In System Management Module (SMM) versions prior to 1.06, the SMM web ...) NOT-FOR-US: Lenovo / System Management Module (SMM) CVE-2018-16095 (In System Management Module (SMM) versions prior to 1.06, the SMM reco ...) NOT-FOR-US: Lenovo / System Management Module (SMM) CVE-2018-16094 (In System Management Module (SMM) versions prior to 1.06, an internal ...) NOT-FOR-US: Lenovo / System Management Module (SMM) CVE-2018-16093 (In versions prior to 5.5, LXCI for VMware allows an authenticated user ...) NOT-FOR-US: LXCI (Lenovo XClarity Integrator) CVE-2018-16092 (In System Management Module (SMM) versions prior to 1.06, the FFDC fea ...) NOT-FOR-US: Lenovo / System Management Module (SMM) CVE-2018-16091 (In System Management Module (SMM) versions prior to 1.06, the SMM cert ...) NOT-FOR-US: Lenovo / System Management Module (SMM) CVE-2018-16090 (In System Management Module (SMM) versions prior to 1.06, the SMM cert ...) NOT-FOR-US: Lenovo / System Management Module (SMM) CVE-2018-16089 (In System Management Module (SMM) versions prior to 1.06, a field in t ...) NOT-FOR-US: Lenovo / System Management Module (SMM) CVE-2018-16088 (A missing check for JS-simulated input events in Blink in Google Chrom ...) {DSA-4289-1} - chromium-browser 69.0.3497.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-16087 (Lack of proper state tracking in Permissions in Google Chrome prior to ...) {DSA-4289-1} - chromium-browser 69.0.3497.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-16086 (Insufficient policy enforcement in extensions API in Google Chrome pri ...) {DSA-4289-1} - chromium-browser 69.0.3497.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-16085 (A use after free in ResourceCoordinator in Google Chrome prior to 69.0 ...) {DSA-4289-1} - chromium-browser 69.0.3497.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-16084 (The default selected dialog button in CustomHandlers in Google Chrome ...) {DSA-4289-1} - chromium-browser 69.0.3497.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-16083 (An out of bounds read in forward error correction code in WebRTC in Go ...) {DSA-4289-1} - chromium-browser 69.0.3497.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-16082 (An out of bounds read in Swiftshader in Google Chrome prior to 69.0.34 ...) {DSA-4289-1} - chromium-browser 69.0.3497.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-16081 (Allowing the chrome.debugger API to run on file:// URLs in DevTools in ...) {DSA-4289-1} - chromium-browser 69.0.3497.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-16080 (A missing check for popup window handling in Fullscreen in Google Chro ...) {DSA-4289-1} - chromium-browser 69.0.3497.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-16079 (A race condition between permission prompts and navigations in Prompts ...) {DSA-4289-1} - chromium-browser 69.0.3497.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-16078 (Unsafe handling of credit card details in Autofill in Google Chrome pr ...) {DSA-4289-1} - chromium-browser 69.0.3497.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-16077 (Object lifecycle issue in Blink in Google Chrome prior to 69.0.3497.81 ...) {DSA-4289-1} - chromium-browser 69.0.3497.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-16076 (Missing bounds check in PDFium in Google Chrome prior to 69.0.3497.81 ...) {DSA-4289-1} - chromium-browser 69.0.3497.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-16075 (Insufficient file type enforcement in Blink in Google Chrome prior to ...) {DSA-4289-1} - chromium-browser 69.0.3497.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-16074 (Insufficient policy enforcement in site isolation in Google Chrome pri ...) {DSA-4289-1} - chromium-browser 69.0.3497.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-16073 (Insufficient policy enforcement in site isolation in Google Chrome pri ...) {DSA-4289-1} - chromium-browser 69.0.3497.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-16072 (A missing origin check related to HLS manifests in Blink in Google Chr ...) - chromium-browser (Android-specific) CVE-2018-16071 (A use after free in WebRTC in Google Chrome prior to 69.0.3497.81 allo ...) {DSA-4289-1} - chromium-browser 69.0.3497.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-16070 (Integer overflows in Skia in Google Chrome prior to 69.0.3497.81 allow ...) {DSA-4289-1} - chromium-browser 69.0.3497.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-16069 (Unintended floating-point error accumulation in SwiftShader in Google ...) {DSA-4289-1} - chromium-browser 69.0.3497.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-16068 (Missing validation in Mojo in Google Chrome prior to 69.0.3497.81 allo ...) {DSA-4289-1} - chromium-browser 69.0.3497.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-16067 (A use after free in WebAudio in Google Chrome prior to 69.0.3497.81 al ...) {DSA-4289-1} - chromium-browser 69.0.3497.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-16066 (A use after free in Blink in Google Chrome prior to 69.0.3497.81 allow ...) {DSA-4289-1} - chromium-browser 69.0.3497.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-16065 (A Javascript reentrancy issues that caused a use-after-free in V8 in G ...) {DSA-4289-1} - chromium-browser 69.0.3497.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-16064 (Insufficient data validation in Extensions API in Google Chrome prior ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-16063 RESERVED CVE-2018-16062 (dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 201 ...) {DLA-1689-1} - elfutils 0.175-1 (bug #907562) [stretch] - elfutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23541 NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=29e31978ba51c1051743a503ee325b5ebc03d7e9 CVE-2018-16061 RESERVED CVE-2018-16060 RESERVED CVE-2018-16059 (Endress+Hauser WirelessHART Fieldgate SWG70 3.x devices allow Director ...) NOT-FOR-US: Endress+Hauser WirelessHART Fieldgate SWG70 3.x devices CVE-2018-16058 (In Wireshark 2.6.0 to 2.6.2, 2.4.0 to 2.4.8, and 2.2.0 to 2.2.16, the ...) {DSA-4315-1 DLA-1634-1} - wireshark 2.6.3-1 (low) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14884 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=c48d6a6d60c5c9111838a945966b6cb8750777be NOTE: https://www.wireshark.org/security/wnpa-sec-2018-44.html CVE-2018-16057 (In Wireshark 2.6.0 to 2.6.2, 2.4.0 to 2.4.8, and 2.2.0 to 2.2.16, the ...) {DSA-4315-1 DLA-1634-1} - wireshark 2.6.3-1 (low) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15022 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=4ac83382dc49f9f7b62bffb3cfc508cdaa1e7be5 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-46.html CVE-2018-16056 (In Wireshark 2.6.0 to 2.6.2, 2.4.0 to 2.4.8, and 2.2.0 to 2.2.16, the ...) {DSA-4315-1} - wireshark 2.6.3-1 (low) [jessie] - wireshark (vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14994 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f98fbce64cb230e94a2cafc410a3cedad657b485 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-45.html CVE-2018-16055 (An authenticated command injection vulnerability exists in status_inte ...) NOT-FOR-US: pfSense CVE-2018-16054 RESERVED CVE-2018-16053 RESERVED CVE-2018-16052 RESERVED CVE-2018-16047 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16046 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16045 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16044 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16043 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16042 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16041 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16040 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16039 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16038 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16037 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16036 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16035 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16034 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16033 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16032 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16031 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16030 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16029 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16028 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16027 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16026 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16025 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16024 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16023 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16022 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16021 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16020 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16019 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16018 (Adobe Acrobat and Reader versions 2019.010.20064 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2018-16017 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16016 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16015 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16014 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16013 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16012 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16011 (Adobe Acrobat and Reader versions 2019.010.20064 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2018-16010 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16009 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16008 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16007 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16006 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16005 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16004 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16003 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16002 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16001 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-16000 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-15999 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-15998 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-15997 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-15996 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-15995 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-15994 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-15993 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-15992 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-15991 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-15990 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-15989 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-15988 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-15987 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-15986 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-15985 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-15984 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-15983 (Flash Player versions 31.0.0.153 and earlier, and 31.0.0.108 and earli ...) NOT-FOR-US: Adobe CVE-2018-15982 (Flash Player versions 31.0.0.153 and earlier, and 31.0.0.108 and earli ...) NOT-FOR-US: Adobe CVE-2018-15981 (Flash Player versions 31.0.0.148 and earlier have a type confusion vul ...) NOT-FOR-US: Adobe CVE-2018-15980 (Adobe Photoshop CC versions 19.1.6 and earlier have an out-of-bounds r ...) NOT-FOR-US: Adobe CVE-2018-15979 (Adobe Acrobat and Reader versions 2019.008.20080 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15978 (Flash Player versions 31.0.0.122 and earlier have an out-of-bounds rea ...) NOT-FOR-US: Adobe CVE-2018-15977 REJECTED CVE-2018-15976 (Adobe Technical Communications Suite versions 1.0.5.1 and below have a ...) NOT-FOR-US: Adobe CVE-2018-15975 REJECTED CVE-2018-15974 (Adobe Framemaker versions 1.0.5.1 and below have an insecure library l ...) NOT-FOR-US: Adobe CVE-2018-15973 (Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a s ...) NOT-FOR-US: Adobe CVE-2018-15972 (Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a s ...) NOT-FOR-US: Adobe CVE-2018-15971 (Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a r ...) NOT-FOR-US: Adobe CVE-2018-15970 (Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a r ...) NOT-FOR-US: Adobe CVE-2018-15969 (Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a s ...) NOT-FOR-US: Adobe CVE-2018-15968 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15967 (Adobe Flash Player versions 30.0.0.154 and earlier have a privilege es ...) NOT-FOR-US: Adobe CVE-2018-15966 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15965 (Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 ...) NOT-FOR-US: Adobe CVE-2018-15964 (Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 ...) NOT-FOR-US: Adobe CVE-2018-15963 (Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 ...) NOT-FOR-US: Adobe CVE-2018-15962 (Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 ...) NOT-FOR-US: Adobe CVE-2018-15961 (Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 ...) NOT-FOR-US: Adobe CVE-2018-15960 (Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 ...) NOT-FOR-US: Adobe CVE-2018-15959 (Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 ...) NOT-FOR-US: Adobe CVE-2018-15958 (Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 ...) NOT-FOR-US: Adobe CVE-2018-15957 (Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 ...) NOT-FOR-US: Adobe CVE-2018-15956 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15955 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15954 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15953 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15952 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15951 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15950 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15949 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15948 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15947 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15946 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15945 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15944 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15943 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15942 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15941 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15940 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15939 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15938 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15937 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15936 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15935 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15934 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15933 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15932 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15931 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15930 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15929 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15928 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15927 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15926 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15925 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15924 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15923 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15922 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15921 REJECTED CVE-2018-15920 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-15918 (An issue was discovered in Jorani 0.6.5. SQL Injection (error-based) a ...) NOT-FOR-US: Jorani CVE-2018-15917 (Persistent cross-site scripting (XSS) issues in Jorani 0.6.5 allow rem ...) NOT-FOR-US: Jorani CVE-2018-15916 RESERVED CVE-2018-15915 RESERVED CVE-2018-15914 RESERVED CVE-2018-15913 (An issue was discovered in Cloudera Manager 5.x through 5.15.0. One ty ...) NOT-FOR-US: Cloudera CVE-2018-15912 (An issue was discovered in manjaro-update-system.sh in manjaro-system ...) NOT-FOR-US: manjaro-update-system.sh in manjaro-system on Manjaro Linux CVE-2018-15919 (Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 co ...) - openssh (low; bug #907503) [buster] - openssh (Minor issue) [stretch] - openssh (Minor issue) [jessie] - openssh (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2018/08/27/2 CVE-2018-15911 (In Artifex Ghostscript 9.23 before 2018-08-24, attackers able to suppl ...) {DSA-4288-1 DLA-1504-1} - ghostscript 9.22~dfsg-3 (bug #907332) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=8e9ce5016db968b40e4ec255a3005f2786cce45f NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699665 NOTE: https://www.kb.cert.org/vuls/id/332928 CVE-2018-15910 (In Artifex Ghostscript before 9.24, attackers able to supply crafted P ...) {DSA-4288-1 DLA-1504-1} - ghostscript 9.22~dfsg-3 (bug #907332) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=c3476dde7743761a4e1d39a631716199b696b880 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699656 NOTE: https://www.kb.cert.org/vuls/id/332928 CVE-2018-15909 (In Artifex Ghostscript 9.23 before 2018-08-24, a type confusion using ...) {DSA-4288-1 DLA-1504-1} - ghostscript 9.22~dfsg-3 (bug #907332) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=0b6cd1918e1ec4ffd087400a754a845180a4522b NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e01e77a36cbb2e0277bc3a63852244bec41be0f6 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699660 NOTE: https://www.kb.cert.org/vuls/id/332928 CVE-2018-15908 (In Artifex Ghostscript 9.23 before 2018-08-23, attackers are able to s ...) {DSA-4288-1 DLA-1504-1} - ghostscript 9.22~dfsg-3 (bug #907332) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=0d3901189f245232f0161addf215d7268c4d05a3 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699657 NOTE: https://www.kb.cert.org/vuls/id/332928 CVE-2018-15907 (** DISPUTED ** Technicolor (formerly RCA) TC8305C devices allow remote ...) NOT-FOR-US: Technicolor (formerly RCA) TC8305C devices CVE-2018-15906 (SolarWinds Serv-U FTP Server 15.1.6 allows remote authenticated users ...) NOT-FOR-US: SolarWinds CVE-2018-15905 RESERVED CVE-2018-15904 (A10 ACOS Web Application Firewall (WAF) 2.7.1 and 2.7.2 before 2.7.2-P ...) NOT-FOR-US: A10 ACOS Web Application Firewall CVE-2018-15903 (The Discuss v1.2.1 module in Claromentis 8.2.2 is vulnerable to stored ...) NOT-FOR-US: Claromentis CVE-2018-15902 RESERVED CVE-2018-15901 (e107 2.1.8 has CSRF in 'usersettings.php' with an impact of changing d ...) NOT-FOR-US: e107 CVE-2018-15900 RESERVED CVE-2018-15899 (An issue was discovered in MiniCMS 1.10. There is a post.php?date= XSS ...) NOT-FOR-US: MiniCMS CVE-2018-15898 (The Subsonic Music Streamer application 4.4 for Android has Improper C ...) NOT-FOR-US: Subsonic Music Streamer application for Android CVE-2018-15897 (PHP Scripts Mall Website Seller Script 2.0.5 allows remote attackers t ...) NOT-FOR-US: PHP Scripts Mall Website Seller Script CVE-2018-15896 (PHP Scripts Mall Website Seller Script 2.0.5 has XSS via Personal Addr ...) NOT-FOR-US: PHP Scripts Mall Website Seller Script CVE-2018-15895 (An SSRF vulnerability was discovered in idreamsoft iCMS 7.0.11 because ...) NOT-FOR-US: iCMS CVE-2018-15894 (A SQL injection was discovered in /coreframe/app/admin/pay/admin/index ...) NOT-FOR-US: WUZHI CMS CVE-2018-15893 (A SQL injection was discovered in /coreframe/app/admin/copyfrom.php in ...) NOT-FOR-US: WUZHI CMS CVE-2018-15892 (FreePBX 13 and 14 has SQL Injection in the DISA module via the hangup ...) NOT-FOR-US: FreePBX CVE-2018-15891 (An issue was discovered in FreePBX core before 3.0.122.43, 14.0.18.34, ...) NOT-FOR-US: FreePBX CVE-2018-15890 (An issue was discovered in EthereumJ 1.8.2. There is Unsafe Deserializ ...) NOT-FOR-US: EthereumJ CVE-2018-15889 REJECTED CVE-2018-15888 (An issue was discovered in ASPCMS 2.5.6. When registering ordinary use ...) NOT-FOR-US: ASPCMS CVE-2017-18346 (SQL injection vulnerability in /wbg/core/_includes/authorization.inc.p ...) NOT-FOR-US: CMS Web-Gooroo CVE-2015-9265 REJECTED CVE-2015-9264 (Lansweeper 4.x through 6.x before 6.0.0.48 allows attackers to execute ...) NOT-FOR-US: Lansweeper CVE-2015-9263 (An issue was discovered in post2file.php in Up.Time Monitoring Station ...) NOT-FOR-US: Up.Time CVE-2014-10074 (Umbraco before 7.2.0 has a remote PHP code execution vulnerability bec ...) NOT-FOR-US: Umbraco CVE-2018-15887 (Main_Analysis_Content.asp in ASUS DSL-N12E_C1 1.1.2.3_345 is prone to ...) NOT-FOR-US: ASUS DSL-N12E_C1 CVE-2018-15886 (Monstra CMS 3.0.4 does not properly restrict modified Snippet content, ...) NOT-FOR-US: Monstra CMS CVE-2018-15885 (Ovation FindMe 1.4-1083-1 is intended to support transmission of netwo ...) NOT-FOR-US: Ovation FindMe CVE-2018-15884 (RICOH MP C4504ex devices allow HTML Injection via the /web/entry/en/ad ...) NOT-FOR-US: RICOH MP C4504ex devices CVE-2018-15883 RESERVED CVE-2018-15882 (An issue was discovered in Joomla! before 3.8.12. Inadequate checks in ...) NOT-FOR-US: Joomla! CVE-2018-15881 (An issue was discovered in Joomla! before 3.8.12. Inadequate checks re ...) NOT-FOR-US: Joomla! CVE-2018-15880 (An issue was discovered in Joomla! before 3.8.12. Inadequate output fi ...) NOT-FOR-US: Joomla! CVE-2018-15879 REJECTED CVE-2018-15878 REJECTED CVE-2017-18345 (The Joomanager component through 2.0.0 for Joomla! has an arbitrary fi ...) NOT-FOR-US: Joomla addon CVE-2018-16543 (In Artifex Ghostscript before 9.24, gssetresolution and gsgetresolutio ...) {DSA-4288-1 DLA-1527-1} [experimental] - ghostscript 9.25~dfsg-1~exp1 - ghostscript 9.25~dfsg-1 (bug #908303) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5b5536fa88a9e885032bc0df3852c3439399a5c0 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699670 CVE-2018-16542 (In Artifex Ghostscript before 9.24, attackers able to supply crafted P ...) {DSA-4288-1 DLA-1504-1} - ghostscript 9.22~dfsg-3 (bug #907332) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=b575e1ec42cc86f6a58c603f2a88fcc2af699cc8 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699668 CVE-2018-16541 (In Artifex Ghostscript before 9.24, attackers able to supply crafted P ...) {DSA-4288-1 DLA-1504-1} - ghostscript 9.22~dfsg-3 (bug #907332) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=241d91112771a6104de10b3948c3f350d6690c1d NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699664 CVE-2018-16540 (In Artifex Ghostscript before 9.24, attackers able to supply crafted P ...) {DSA-4288-1 DLA-1504-1} - ghostscript 9.22~dfsg-3 (bug #907332) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=c432131c3fdb2143e148e8ba88555f7f7a63b25e NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699661 CVE-2018-16539 (In Artifex Ghostscript before 9.24, attackers able to supply crafted P ...) {DSA-4288-1 DLA-1504-1} - ghostscript 9.22~dfsg-3 (bug #907332) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=a054156d425b4dbdaaa9fda4b5f1182b27598c2b NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699658 NOTE: To not break cups with https://github.com/apple/cups/issues/5392 NOTE: an additional (no-security) followup fix is needed as: NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=150c8f69646b854a99f35f27edaae012eb2e900f NOTE: Cf. https://bugs.debian.org/908300 CVE-2018-16513 (In Artifex Ghostscript before 9.24, attackers able to supply crafted P ...) {DSA-4288-1 DLA-1504-1} - ghostscript 9.22~dfsg-3 (bug #907332) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=b326a71659b7837d3acde954b18bda1a6f5e9498 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699655 CVE-2018-16511 (An issue was discovered in Artifex Ghostscript before 9.24. A type con ...) {DSA-4288-1 DLA-1504-1} - ghostscript 9.22~dfsg-3 (bug #907332) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=0edd3d6c634a577db261615a9dc2719bca7f6e01 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699659 CVE-2018-16510 (An issue was discovered in Artifex Ghostscript before 9.24. Incorrect ...) [experimental] - ghostscript 9.25~dfsg-1~exp1 - ghostscript 9.25~dfsg-1 (bug #908304) [stretch] - ghostscript (Introduced in 9.22) [jessie] - ghostscript (vulnerable code is not present) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ea735ba37dc0fd5f5622d031830b9a559dec1cc9 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699671 CVE-2018-16509 (An issue was discovered in Artifex Ghostscript before 9.24. Incorrect ...) {DSA-4294-1 DLA-1504-1} [experimental] - ghostscript 9.25~dfsg-1~exp1 - ghostscript 9.25~dfsg-1 (bug #907332; bug #907703) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=78911a01b67d590b4a91afac2e8417360b934156 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5516c614dc33662a2afdc377159f70218e67bde5 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=79cccf641486a6595c43f1de1cd7ade696020a31 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=520bb0ea7519aa3e79db78aaf0589dae02103764 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699654 NOTE: Partially fixed in 9.22~dfsg-3, see #907703 CVE-2018-16585 (** DISPUTED ** An issue was discovered in Artifex Ghostscript before 9 ...) {DSA-4288-1 DLA-1504-1} [experimental] - ghostscript 9.25~dfsg-1~exp1 - ghostscript 9.25~dfsg-1 (bug #908305) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=1497d65039885a52b598b137dd8622bd4672f9be NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=971472c83a345a16dac9f90f91258bb22dd77f22 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699663 CVE-2018-15877 (The Plainview Activity Monitor plugin before 20180826 for WordPress is ...) NOT-FOR-US: Wordpress plugin CVE-2018-15876 (An issue was discovered in the ajax-bootmodal-login plugin 1.4.3 for W ...) NOT-FOR-US: Wordpress plugin CVE-2018-15875 (Cross-site scripting (XSS) vulnerability on D-Link DIR-615 routers 20. ...) NOT-FOR-US: D-Link CVE-2018-15874 (Cross-site scripting (XSS) vulnerability on D-Link DIR-615 routers 20. ...) NOT-FOR-US: D-Link CVE-2018-15873 (A SQL Injection issue was discovered in Sentrifugo 3.2 via the deptid ...) NOT-FOR-US: Sentrifugo CVE-2018-15872 RESERVED CVE-2018-15871 (An invalid memory address dereference was discovered in decompileSingl ...) - ming NOTE: https://github.com/libming/libming/issues/123 CVE-2018-15870 (An invalid memory address dereference was discovered in decompileGETVA ...) - ming NOTE: https://github.com/libming/libming/issues/122 CVE-2018-15869 (An Amazon Web Services (AWS) developer who does not specify the --owne ...) - packer 1.3.1+dfsg-1 (low; bug #907298) [stretch] - packer (Vulnerable code added later) NOTE: https://github.com/hashicorp/packer/issues/6584 NOTE: https://github.com/aws/aws-cli/issues/3629 CVE-2018-15868 (SQL injection vulnerability in ChronoScan version 1.5.4.3 and earlier ...) NOT-FOR-US: ChronoScan CVE-2018-15867 RESERVED CVE-2018-15866 RESERVED CVE-2018-15865 (The Pulse Secure Desktop (macOS) has a Privilege Escalation Vulnerabil ...) NOT-FOR-US: Pulse Secure Desktop CVE-2018-15864 (Unchecked NULL pointer usage in resolve_keysym in xkbcomp/parser.y in ...) - libxkbcommon 0.8.2-1 (low; bug #907302) [stretch] - libxkbcommon (Minor issue) [jessie] - libxkbcommon (Minor issue) NOTE: https://github.com/xkbcommon/libxkbcommon/commit/a8ea7a1d3daa7bdcb877615ae0a252c189153bd2 NOTE: https://lists.freedesktop.org/archives/wayland-devel/2018-August/039243.html CVE-2018-15863 (Unchecked NULL pointer usage in ResolveStateAndPredicate in xkbcomp/co ...) - libxkbcommon 0.8.2-1 (low; bug #907302) [stretch] - libxkbcommon (Minor issue) [jessie] - libxkbcommon (Minor issue) NOTE: https://github.com/xkbcommon/libxkbcommon/commit/96df3106d49438e442510c59acad306e94f3db4d NOTE: https://lists.freedesktop.org/archives/wayland-devel/2018-August/039243.html CVE-2018-15862 (Unchecked NULL pointer usage in LookupModMask in xkbcomp/expr.c in xkb ...) - libxkbcommon 0.8.2-1 (low; bug #907302) [stretch] - libxkbcommon (Minor issue) [jessie] - libxkbcommon (Minor issue) NOTE: https://github.com/xkbcommon/libxkbcommon/commit/4e2ee9c3f6050d773f8bbe05bc0edb17f1ff8371 NOTE: https://lists.freedesktop.org/archives/wayland-devel/2018-August/039243.html CVE-2018-15861 (Unchecked NULL pointer usage in ExprResolveLhs in xkbcomp/expr.c in xk ...) - libxkbcommon 0.8.2-1 (low; bug #907302) [stretch] - libxkbcommon (Minor issue) [jessie] - libxkbcommon (Minor issue) NOTE: https://github.com/xkbcommon/libxkbcommon/commit/38e1766bc6e20108948aec8a0b222a4bad0254e9 NOTE: https://lists.freedesktop.org/archives/wayland-devel/2018-August/039243.html CVE-2018-15860 RESERVED CVE-2018-15859 (Unchecked NULL pointer usage when parsing invalid atoms in ExprResolve ...) - libxkbcommon 0.8.2-1 (low; bug #907302) [stretch] - libxkbcommon (Minor issue) [jessie] - libxkbcommon (Minor issue) NOTE: https://github.com/xkbcommon/libxkbcommon/commit/bb4909d2d8fa6b08155e449986a478101e2b2634 NOTE: https://lists.freedesktop.org/archives/wayland-devel/2018-August/039243.html CVE-2018-15858 (Unchecked NULL pointer usage when handling invalid aliases in CopyKeyA ...) - libxkbcommon 0.8.2-1 (low; bug #907302) [stretch] - libxkbcommon (Minor issue) [jessie] - libxkbcommon (Minor issue) NOTE: https://github.com/xkbcommon/libxkbcommon/commit/badb428e63387140720f22486b3acbd3d738859f NOTE: https://lists.freedesktop.org/archives/wayland-devel/2018-August/039232.html CVE-2018-15857 (An invalid free in ExprAppendMultiKeysymList in xkbcomp/ast-build.c in ...) - libxkbcommon 0.8.2-1 (low; bug #907302) [stretch] - libxkbcommon (Minor issue) [jessie] - libxkbcommon (Minor issue) NOTE: https://github.com/xkbcommon/libxkbcommon/commit/c1e5ac16e77a21f87bdf3bc4dea61b037a17dddb NOTE: https://lists.freedesktop.org/archives/wayland-devel/2018-August/039232.html CVE-2018-15856 (An infinite loop when reaching EOL unexpectedly in compose/parser.c (a ...) - libxkbcommon 0.8.2-1 (low; bug #907302) [stretch] - libxkbcommon (Minor issue) [jessie] - libxkbcommon (Minor issue) NOTE: https://github.com/xkbcommon/libxkbcommon/commit/842e4351c2c97de6051cab6ce36b4a81e709a0e1 NOTE: https://lists.freedesktop.org/archives/wayland-devel/2018-August/039232.html CVE-2018-15855 (Unchecked NULL pointer usage in xkbcommon before 0.8.1 could be used b ...) - libxkbcommon 0.8.2-1 (low; bug #907302) [stretch] - libxkbcommon (Minor issue) [jessie] - libxkbcommon (Minor issue) NOTE: https://github.com/xkbcommon/libxkbcommon/commit/917636b1d0d70205a13f89062b95e3a0fc31d4ff NOTE: https://lists.freedesktop.org/archives/wayland-devel/2018-August/039232.html CVE-2018-15854 (Unchecked NULL pointer usage in xkbcommon before 0.8.1 could be used b ...) - libxkbcommon 0.8.2-1 (low; bug #907302) [stretch] - libxkbcommon (Minor issue) [jessie] - libxkbcommon (Minor issue) NOTE: https://github.com/xkbcommon/libxkbcommon/commit/e3cacae7b1bfda0d839c280494f23284a1187adf NOTE: https://lists.freedesktop.org/archives/wayland-devel/2018-August/039232.html CVE-2018-15853 (Endless recursion exists in xkbcomp/expr.c in xkbcommon and libxkbcomm ...) - libxkbcommon 0.8.2-1 (low; bug #907302) [stretch] - libxkbcommon (Minor issue) [jessie] - libxkbcommon (Minor issue) NOTE: https://github.com/xkbcommon/libxkbcommon/commit/1f9d1248c07cda8aaff762429c0dce146de8632a NOTE: https://lists.freedesktop.org/archives/wayland-devel/2018-August/039232.html CVE-2018-15852 (** DISPUTED ** Technicolor TC7200.20 devices allow remote attackers to ...) NOT-FOR-US: Technicolor CVE-2018-15851 (An issue was discovered in Flexo CMS v0.1.6. There is a CSRF vulnerabi ...) NOT-FOR-US: Flexo CMS CVE-2018-15850 (An issue was discovered in REDAXO CMS 4.7.2. There is a CSRF vulnerabi ...) NOT-FOR-US: REDAXO CMS CVE-2018-15849 (An issue was discovered in portfolioCMS 1.0.5. There is CSRF to update ...) NOT-FOR-US: portfolioCMS CVE-2018-15848 (An issue was discovered in portfolioCMS 1.0.5. There is CSRF to create ...) NOT-FOR-US: portfolioCMS CVE-2018-15847 (An issue was discovered in puppyCMS 5.1. There is an XSS vulnerability ...) NOT-FOR-US: puppyCMS CVE-2018-15846 (An issue was discovered in fledrCMS through 2014-02-03. There is a CSR ...) NOT-FOR-US: fledrCMS CVE-2018-15845 (There is a CSRF vulnerability that can add an administrator account in ...) NOT-FOR-US: Gleez CMS CVE-2018-15844 (An issue was discovered in DamiCMS 6.0.0. There is an CSRF vulnerabili ...) NOT-FOR-US: DamiCMS CVE-2018-15843 (GetSimple CMS 3.3.14 has XSS via the admin/edit.php "Add New Page" fie ...) NOT-FOR-US: GetSimple CMS CVE-2018-15842 (WolfCMS 0.8.3.1 has XSS via the /?/admin/page/add slug parameter. ...) NOT-FOR-US: WolfCMS CVE-2018-15841 RESERVED CVE-2018-15840 (TP-Link TL-WR840N devices allow remote attackers to cause a denial of ...) NOT-FOR-US: TP-Link CVE-2018-15839 (D-Link DIR-615 devices have a buffer overflow via a long Authorization ...) NOT-FOR-US: D-Link DIR-615 devices CVE-2018-15838 RESERVED CVE-2018-15837 RESERVED CVE-2018-15836 (In verify_signed_hash() in lib/liboswkeys/signatures.c in Openswan bef ...) - openswan NOTE: https://github.com/xelerance/Openswan/commit/0b460be9e287fd335c8ce58129c67bf06065ef51 NOTE: https://lists.openswan.org/pipermail/users/2018-August/023761.html CVE-2018-15835 (Android 1.0 through 9.0 has Insecure Permissions. The Android bug ID i ...) NOT-FOR-US: Android CVE-2018-15834 (In radare2 before 2.9.0, a heap overflow vulnerability exists in the r ...) - radare2 2.9.0+dfsg-1 [jessie] - radare2 (Vulnerable code added later in 0.9.8) NOTE: https://github.com/radare/radare2/issues/11274 NOTE: https://github.com/radare/radare2/pull/11300 CVE-2018-15833 (In Vanilla before 2.6.1, the polling functionality allows Insecure Dir ...) NOT-FOR-US: Vanilla CVE-2018-15832 (upc.exe in Ubisoft Uplay Desktop Client versions 63.0.5699.0 allows re ...) NOT-FOR-US: upc.exe in Ubisoft Uplay Desktop Client CVE-2018-15831 RESERVED CVE-2018-15830 RESERVED CVE-2018-15829 RESERVED CVE-2018-15828 RESERVED CVE-2018-15827 RESERVED CVE-2018-15826 RESERVED CVE-2018-15825 RESERVED CVE-2018-15824 RESERVED CVE-2018-15823 RESERVED CVE-2018-15822 (The flv_write_packet function in libavformat/flvenc.c in FFmpeg throug ...) {DSA-4449-1 DLA-1809-1} - ffmpeg 7:4.0.3-1 (low) NOTE: https://github.com/FFmpeg/FFmpeg/commit/6b67d7f05918f7a1ee8fc6ff21355d7e8736aa10 - libav CVE-2018-15821 RESERVED CVE-2018-15820 (EasyIO EasyIO-30P devices before 2.0.5.27 allow XSS via the dev.htm GD ...) NOT-FOR-US: EasyIO CVE-2018-15819 (EasyIO EasyIO-30P devices before 2.0.5.27 have Incorrect Access Contro ...) NOT-FOR-US: EasyIO CVE-2018-15818 (An issue was discovered in Repute ARForms 3.5.1 and prior. An attacker ...) NOT-FOR-US: Repute ARForms CVE-2018-15817 (FastStone Image Viewer 6.5 has a Read Access Violation on Block Data M ...) NOT-FOR-US: FastStone Image Viewer CVE-2018-15816 (FastStone Image Viewer 6.5 has a Read Access Violation on Block Data M ...) NOT-FOR-US: FastStone Image Viewer CVE-2018-15815 (FastStone Image Viewer 6.5 has an Exception Handler Chain Corrupted is ...) NOT-FOR-US: FastStone Image Viewer CVE-2018-15814 (FastStone Image Viewer 6.5 has a User Mode Write AV starting at image0 ...) NOT-FOR-US: FastStone Image Viewer CVE-2018-15813 (FastStone Image Viewer 6.5 has a User Mode Write AV starting at image0 ...) NOT-FOR-US: FastStone Image Viewer CVE-2018-15812 (DNN (aka DotNetNuke) 9.2 through 9.2.1 incorrectly converts encryption ...) NOT-FOR-US: DNN CVE-2018-15811 (DNN (aka DotNetNuke) 9.2 through 9.2.1 uses a weak encryption algorith ...) NOT-FOR-US: DNN CVE-2018-15810 (Visiology Flipbox Software Suite before 2.7.0 allows directory travers ...) NOT-FOR-US: Visiology Flipbox Software Suite CVE-2018-15809 (AccuPOS 2017.8 is installed with the insecure "Authenticated Users: Mo ...) NOT-FOR-US: AccuPOS CVE-2018-15808 (POSIM EVO 15.13 for Windows includes hardcoded database credentials fo ...) NOT-FOR-US: POSIM EVO for Windows CVE-2018-15807 (POSIM EVO 15.13 for Windows includes an "Emergency Override" administr ...) NOT-FOR-US: POSIM EVO for Windows CVE-2018-15806 RESERVED CVE-2018-15805 (Accusoft PrizmDoc HTML5 Document Viewer before 13.5 contains an XML ex ...) NOT-FOR-US: Accusoft PrizmDoc HTML5 Document Viewer CVE-2018-15804 (An issue was discovered in the MapR File System in MapR Converged Data ...) NOT-FOR-US: MapR File System CVE-2018-15803 REJECTED CVE-2018-15802 REJECTED CVE-2018-15801 (Spring Security versions 5.1.x prior to 5.1.2 contain an authorization ...) - libspring-security-2.0-java [jessie] - libspring-security-2.0-java (Minor issue) CVE-2018-15800 (Cloud Foundry Bits Service, versions prior to 2.18.0, includes an info ...) NOT-FOR-US: Cloud Foundry CVE-2018-15799 REJECTED CVE-2018-15798 (Pivotal Concourse Release, versions 4.x prior to 4.2.2, login flow all ...) NOT-FOR-US: Pivotal CVE-2018-15797 (Cloud Foundry NFS volume release, 1.2.x prior to 1.2.5, 1.5.x prior to ...) NOT-FOR-US: Cloud Foundry CVE-2018-15796 (Cloud Foundry Bits Service Release, versions prior to 2.14.0, uses an ...) NOT-FOR-US: Cloud Foundry CVE-2018-15795 (Pivotal CredHub Service Broker, versions prior to 1.1.0, uses a guessa ...) NOT-FOR-US: Pivotal CVE-2018-15794 REJECTED CVE-2018-15793 REJECTED CVE-2018-15792 REJECTED CVE-2018-15791 REJECTED CVE-2018-15790 REJECTED CVE-2018-15789 REJECTED CVE-2018-15788 REJECTED CVE-2018-15787 REJECTED CVE-2018-15786 REJECTED CVE-2018-15785 REJECTED CVE-2018-15784 (Dell Networking OS10 versions prior to 10.4.3.0 contain a vulnerabilit ...) NOT-FOR-US: Dell CVE-2018-15783 REJECTED CVE-2018-15782 (The Quick Setup component of RSA Authentication Manager versions prior ...) NOT-FOR-US: RSA CVE-2018-15781 (The Dell Wyse Password Encoder in ThinLinux2 versions prior to 2.1.0.0 ...) NOT-FOR-US: Dell CVE-2018-15780 (RSA Archer versions prior to 6.5.0.1 contain an improper access contro ...) NOT-FOR-US: RSA Archer CVE-2018-15779 REJECTED CVE-2018-15778 (Dell OS10 versions prior to 10.4.2.1 contain a vulnerability caused by ...) NOT-FOR-US: Dell CVE-2018-15777 REJECTED CVE-2018-15776 (Dell EMC iDRAC7/iDRAC8 versions prior to 2.61.60.60 contain an imprope ...) NOT-FOR-US: EMC iDRAC CVE-2018-15775 REJECTED CVE-2018-15774 (Dell EMC iDRAC7/iDRAC8 versions prior to 2.61.60.60 and iDRAC9 version ...) NOT-FOR-US: EMC iDRAC CVE-2018-15773 (Dell Encryption (formerly Dell Data Protection | Encryption) v10.1.0 a ...) NOT-FOR-US: Dell CVE-2018-15772 (Dell EMC RecoverPoint versions prior to 5.1.2.1 and RecoverPoint for V ...) NOT-FOR-US: EMC RecoverPoint CVE-2018-15771 (Dell EMC RecoverPoint versions prior to 5.1.2.1 and RecoverPoint for V ...) NOT-FOR-US: EMC RecoverPoint CVE-2018-15770 REJECTED CVE-2018-15769 (RSA BSAFE Micro Edition Suite versions prior to 4.0.11 (in 4.0.x serie ...) NOT-FOR-US: RSA BSAFE Micro Edition Suite CVE-2018-15768 (Dell OpenManage Network Manager versions prior to 6.5.0 enabled read/w ...) NOT-FOR-US: Dell OpenManage Network Manager CVE-2018-15767 (The Dell OpenManage Network Manager virtual appliance versions prior t ...) NOT-FOR-US: Dell OpenManage Network Manager CVE-2018-15766 (On install, Dell Encryption versions prior 10.0.1 and Dell Endpoint Se ...) NOT-FOR-US: Dell CVE-2018-15765 (Dell EMC Secure Remote Services, versions prior to 3.32.00.08, contain ...) NOT-FOR-US: EMC Secure Remote Services CVE-2018-15764 (Dell EMC ESRS Policy Manager versions 6.8 and prior contain a remote c ...) NOT-FOR-US: EMC ESRS Policy Manager CVE-2018-15763 (Pivotal Container Service, versions prior to 1.2.0, contains an inform ...) NOT-FOR-US: Pivotal Container Service CVE-2018-15762 (Pivotal Operations Manager, versions 2.0.x prior to 2.0.24, versions 2 ...) NOT-FOR-US: Pivotal CVE-2018-15761 (Cloud Foundry UAA release, versions prior to v64.0, and UAA, versions ...) NOT-FOR-US: Cloud Foundry CVE-2018-15760 REJECTED CVE-2018-15759 (Pivotal Cloud Foundry On Demand Services SDK, versions prior to 0.24 c ...) NOT-FOR-US: Cloud Foundry CVE-2018-15758 (Spring Security OAuth, versions 2.3 prior to 2.3.4, and 2.2 prior to 2 ...) NOT-FOR-US: Spring Security OAuth CVE-2018-15757 REJECTED CVE-2018-15756 (Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, version ...) - libspring-java 4.3.21-1 (bug #911786) [stretch] - libspring-java (Minor issue) [jessie] - libspring-java (vulnerable code introduced in later version) NOTE: https://pivotal.io/security/cve-2018-15756 CVE-2018-15755 (Cloud Foundry CF Networking Release, versions 2.11.0 prior to 2.16.0, ...) NOT-FOR-US: Cloud Foundry CVE-2018-15754 (Cloud Foundry UAA, versions 60 prior to 66.0, contain an authorization ...) NOT-FOR-US: Cloud Foundry CVE-2018-15753 (An issue was discovered in the MensaMax (aka com.breustedt.mensamax) a ...) NOT-FOR-US: MensaMax application for Android CVE-2018-15752 (An issue was discovered in the MensaMax (aka com.breustedt.mensamax) a ...) NOT-FOR-US: MensaMax application for Android CVE-2018-15751 (SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remo ...) - salt 2018.3.3+dfsg1-1 (bug #913475) [jessie] - salt (REST netapi code was first introduced with v2014.7) NOTE: Fixed in 2016.11.10, 2017.7.8, 2018.3.3 NOTE: https://docs.saltstack.com/en/latest/topics/releases/2016.11.10.html#security-fix NOTE: minimal patch: https://github.com/saltstack/salt/compare/v2016.11.9..v2016.11.10 CVE-2018-15750 (Directory Traversal vulnerability in salt-api in SaltStack Salt before ...) - salt 2018.3.3+dfsg1-1 (bug #913476) [stretch] - salt (Minor issue) [jessie] - salt (REST netapi code was first introduced with v2014.7) NOTE: Fixed in 2016.11.10, 2017.7.8, 2018.3.3 NOTE: https://docs.saltstack.com/en/latest/topics/releases/2016.11.10.html#security-fix NOTE: minimal patch: https://github.com/saltstack/salt/compare/v2016.11.9..v2016.11.10 CVE-2018-15749 (The Pulse Secure Desktop (macOS) 5.3RX before 5.3R5 and 9.0R1 has a Fo ...) NOT-FOR-US: Pulse Secure Desktop CVE-2018-15748 (On Dell 2335dn printers with Printer Firmware Version 2.70.05.02, Engi ...) NOT-FOR-US: Dell 2335dn printers CVE-2018-15747 (The default configuration of glot-www through 2018-05-19 allows remote ...) NOT-FOR-US: glot-www CVE-2018-15746 (qemu-seccomp.c in QEMU might allow local OS guest users to cause a den ...) - qemu 1:3.1+dfsg-1 (low; bug #907500) [stretch] - qemu (Minor issue, too risky to backport, not enabled by default) [jessie] - qemu (Minor issue, id. + patch requires Linux kernel >= 3.17 and libseccomp >= 2.2.0) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-08/msg02289.html NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-08/msg04892.html NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=70dfabeaa79ba4d7a3b699abe1a047c8012db114 CVE-2018-15745 (Argus Surveillance DVR 4.0.0.0 devices allow Unauthenticated Directory ...) NOT-FOR-US: Argus Surveillance DVR CVE-2018-15744 RESERVED CVE-2018-15743 RESERVED CVE-2018-15742 RESERVED CVE-2018-15741 RESERVED CVE-2018-15740 (Zoho ManageEngine ADManager Plus 6.5.7 has XSS on the "Workflow Delega ...) NOT-FOR-US: Zoho ManageEngine ADManager Plus CVE-2018-15739 RESERVED CVE-2018-15738 (An issue was discovered in STOPzilla AntiMalware 6.5.2.59. The driver ...) NOT-FOR-US: STOPzilla AntiMalware CVE-2018-15737 (An issue was discovered in STOPzilla AntiMalware 6.5.2.59. The driver ...) NOT-FOR-US: STOPzilla CVE-2018-15736 (An issue was discovered in STOPzilla AntiMalware 6.5.2.59. The driver ...) NOT-FOR-US: STOPzilla CVE-2018-15735 (An issue was discovered in STOPzilla AntiMalware 6.5.2.59. The driver ...) NOT-FOR-US: STOPzilla CVE-2018-15734 (An issue was discovered in STOPzilla AntiMalware 6.5.2.59. The driver ...) NOT-FOR-US: STOPzilla CVE-2018-15733 (An issue was discovered in STOPzilla AntiMalware 6.5.2.59. The driver ...) NOT-FOR-US: STOPzilla CVE-2018-15732 (An issue was discovered in STOPzilla AntiMalware 6.5.2.59. The driver ...) NOT-FOR-US: STOPzilla CVE-2018-15731 (An issue was discovered in STOPzilla AntiMalware 6.5.2.59. The driver ...) NOT-FOR-US: STOPzilla CVE-2018-15730 (An issue was discovered in STOPzilla AntiMalware 6.5.2.59. The driver ...) NOT-FOR-US: STOPzilla CVE-2018-15729 (An issue was discovered in STOPzilla AntiMalware 6.5.2.59. The driver ...) NOT-FOR-US: STOPzilla CVE-2018-15728 (Couchbase Server exposed the '/diag/eval' endpoint which by default is ...) NOT-FOR-US: Couchbase CVE-2018-15727 (Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows aut ...) - grafana (bug #907590) NOTE: https://grafana.com/blog/2018/08/29/grafana-5.2.3-and-4.6.4-released-with-important-security-fix/ CVE-2018-1999047 (A improper authorization vulnerability exists in Jenkins 2.137 and ear ...) - jenkins CVE-2018-1999046 (A exposure of sensitive information vulnerability exists in Jenkins 2. ...) - jenkins CVE-2018-1999045 (A improper authentication vulnerability exists in Jenkins 2.137 and ea ...) - jenkins CVE-2018-1999044 (A denial of service vulnerability exists in Jenkins 2.137 and earlier, ...) - jenkins CVE-2018-1999043 (A denial of service vulnerability exists in Jenkins 2.137 and earlier, ...) - jenkins CVE-2018-1999042 (A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earli ...) - jenkins CVE-2018-15726 (The Pulse Secure Desktop (macOS) 5.3RX before 5.3R5 and 9.0R1 has a Pr ...) NOT-FOR-US: Pulse Secure Desktop CVE-2018-15725 RESERVED CVE-2018-15724 RESERVED CVE-2018-15723 (The Logitech Harmony Hub before version 4.15.206 is vulnerable to appl ...) NOT-FOR-US: Logitech Harmony Hub CVE-2018-15722 (The Logitech Harmony Hub before version 4.15.206 is vulnerable to OS c ...) NOT-FOR-US: Logitech Harmony Hub CVE-2018-15721 (The XMPP server in Logitech Harmony Hub before version 4.15.206 is vul ...) NOT-FOR-US: Logitech Harmony Hub CVE-2018-15720 (Logitech Harmony Hub before version 4.15.206 contained two hard-coded ...) NOT-FOR-US: Logitech Harmony Hub CVE-2018-15719 (Open Dental before version 18.4 installs a mysql database and uses the ...) NOT-FOR-US: Open Dental CVE-2018-15718 (Open Dental before version 18.4 transmits the entire user database ove ...) NOT-FOR-US: Open Dental CVE-2018-15717 (Open Dental before version 18.4 stores user passwords as base64 encode ...) NOT-FOR-US: Open Dental CVE-2018-15716 (NUUO NVRMini2 version 3.9.1 is vulnerable to authenticated remote comm ...) NOT-FOR-US: NUUO NVRMini2 CVE-2018-15715 (Zoom clients on Windows (before version 4.1.34814.1119), Mac OS (befor ...) NOT-FOR-US: Zoom CVE-2018-15714 (Nagios XI 5.5.6 allows reflected cross site scripting from remote unau ...) NOT-FOR-US: Nagios XI CVE-2018-15713 (Nagios XI 5.5.6 allows persistent cross site scripting from remote aut ...) NOT-FOR-US: Nagios XI CVE-2018-15712 (Nagios XI 5.5.6 allows reflected cross site scripting from remote unau ...) NOT-FOR-US: Nagios XI CVE-2018-15711 (Nagios XI 5.5.6 allows remote authenticated attackers to reset and reg ...) NOT-FOR-US: Nagios XI CVE-2018-15710 (Nagios XI 5.5.6 allows local authenticated attackers to escalate privi ...) NOT-FOR-US: Nagios XI CVE-2018-15709 (Nagios XI 5.5.6 allows remote authenticated attackers to execute arbit ...) NOT-FOR-US: Nagios XI CVE-2018-15708 (Snoopy 1.0 in Nagios XI 5.5.6 allows remote unauthenticated attackers ...) NOT-FOR-US: Nagios XI CVE-2018-15707 (Advantech WebAccess 8.3.1 and 8.3.2 are vulnerable to cross-site scrip ...) NOT-FOR-US: Advantech WebAccess CVE-2018-15706 (WADashboard API in Advantech WebAccess 8.3.1 and 8.3.2 allows remote a ...) NOT-FOR-US: Advantech WebAccess CVE-2018-15705 (WADashboard API in Advantech WebAccess 8.3.1 and 8.3.2 allows remote a ...) NOT-FOR-US: Advantech WebAccess CVE-2018-15704 (Advantech WebAccess 8.3.2 and below is vulnerable to a stack buffer ov ...) NOT-FOR-US: Advantech WebAccess CVE-2018-15703 (Advantech WebAccess 8.3.2 and below is vulnerable to multiple reflecte ...) NOT-FOR-US: Advantech WebAccess CVE-2018-15702 (The web interface in TP-Link TL-WRN841N 0.9.1 4.16 v0348.0 is vulnerab ...) NOT-FOR-US: TP-Link CVE-2018-15701 (The web interface in TP-Link TL-WRN841N 0.9.1 4.16 v0348.0 is vulnerab ...) NOT-FOR-US: TP-Link CVE-2018-15700 (The web interface in TP-Link TL-WRN841N 0.9.1 4.16 v0348.0 is vulnerab ...) NOT-FOR-US: TP-Link CVE-2018-15699 (ASUSTOR Data Master 3.1.5 and below makes an HTTP request for a config ...) NOT-FOR-US: ASUSTOR Data Master CVE-2018-15698 (ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-ad ...) NOT-FOR-US: ASUSTOR Data Master CVE-2018-15697 (ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-ad ...) NOT-FOR-US: ASUSTOR Data Master CVE-2018-15696 (ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-ad ...) NOT-FOR-US: ASUSTOR Data Master CVE-2018-15695 (ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-ad ...) NOT-FOR-US: ASUSTOR Data Master CVE-2018-15694 (ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-ad ...) NOT-FOR-US: ASUSTOR Data Master CVE-2018-15693 (Inova Partner 5.0.5-RELEASE, Build 0510-0906 and earlier allows authen ...) NOT-FOR-US: Inova Partner CVE-2018-15692 (Inova Partner 5.0.5-RELEASE, Build 0510-0906 and earlier allows authen ...) NOT-FOR-US: Inova Partner CVE-2018-15691 (Insecure deserialization of a specially crafted serialized object, in ...) NOT-FOR-US: CA Release Automation CVE-2018-15690 REJECTED CVE-2018-15689 REJECTED CVE-2018-15688 (A buffer overflow vulnerability in the dhcp6 client of systemd allows ...) {DLA-1580-1} - network-manager 1.14.4-2 [stretch] - network-manager 1.6.2-3+deb9u2 [jessie] - network-manager (vulnerable code not present) - systemd 239-11 (bug #912008) [stretch] - systemd 232-25+deb9u6 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1639067 NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1795921 NOTE: https://github.com/systemd/systemd/commit/49653743f69658aeeebdb14faf1ab158f1f2cb20 NOTE: systemd-networkd not enabled by default in Debian NOTE: NetworkManager: https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=01ca2053bbea09f35b958c8cc7631e15469acb79 CVE-2018-15687 (A race condition in chown_one() of systemd allows an attacker to cause ...) - systemd 239-11 (bug #912007) [stretch] - systemd (Vulnerable code introduced later in v235) [jessie] - systemd (Vulnerable code introduced later in v235) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1689 NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1796692 NOTE: https://github.com/systemd/systemd/pull/10517 CVE-2018-15686 (A vulnerability in unit_deserialize of systemd allows an attacker to s ...) {DLA-1580-1} - systemd 239-12 (bug #912005) [stretch] - systemd 232-25+deb9u10 NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1687 NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1796402 NOTE: https://github.com/systemd/systemd/pull/10519 NOTE: https://github.com/systemd/systemd/commit/9f1c81d80a435d15ca1bd536a6d043c18c81c047 CVE-2018-15685 (GitHub Electron 1.7.15, 1.8.7, 2.0.7, and 3.0.0-beta.6, in certain sce ...) - electron (bug #842420) CVE-2018-15684 (An issue was discovered in BTITeam XBTIT. PHP error logs are stored in ...) NOT-FOR-US: BTITeam XBTIT CVE-2018-15683 (An issue was discovered in BTITeam XBTIT. The "returnto" parameter of ...) NOT-FOR-US: BTITeam XBTIT CVE-2018-15682 (An issue was discovered in BTITeam XBTIT. Due to a lack of cross-site ...) NOT-FOR-US: BTITeam XBTIT CVE-2018-15681 (An issue was discovered in BTITeam XBTIT 2.5.4. When a user logs in, t ...) NOT-FOR-US: BTITeam XBTIT CVE-2018-15680 (An issue was discovered in BTITeam XBTIT 2.5.4. The hashed passwords s ...) NOT-FOR-US: BTITeam XBTIT CVE-2018-15679 (An issue was discovered in BTITeam XBTIT 2.5.4. The "keywords" paramet ...) NOT-FOR-US: BTITeam XBTIT CVE-2018-15678 (An issue was discovered in BTITeam XBTIT 2.5.4. The "act" parameter in ...) NOT-FOR-US: BTITeam XBTIT CVE-2018-15677 (The newsfeed (aka /index.php?page=viewnews) in BTITeam XBTIT 2.5.4 has ...) NOT-FOR-US: BTITeam XBTIT CVE-2018-15676 (An issue was discovered in BTITeam XBTIT. By using String.replace and ...) NOT-FOR-US: BTITeam XBTIT CVE-2018-15675 RESERVED CVE-2018-15674 RESERVED CVE-2018-15673 RESERVED CVE-2018-15672 REJECTED CVE-2018-15671 (An issue was discovered in the HDF HDF5 1.10.2 library. Excessive stac ...) - hdf5 NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5#stack-overflow---stackoverflow_h5p__get_cb NOTE: https://jira.hdfgroup.org/browse/HDFFV-10557 CVE-2018-15670 (An issue was discovered in Bloop Airmail 3 3.5.9 for macOS. Its primar ...) NOT-FOR-US: Bloop Airmail CVE-2018-15669 (An issue was discovered in Bloop Airmail 3 3.5.9 for macOS. Its primar ...) NOT-FOR-US: Bloop Airmail CVE-2018-15668 (An issue was discovered in Bloop Airmail 3 3.5.9 for macOS. The "send" ...) NOT-FOR-US: Bloop Airmail CVE-2018-15667 (An issue was discovered in Bloop Airmail 3 3.5.9 for macOS. It registe ...) NOT-FOR-US: Bloop Airmail CVE-2018-15666 RESERVED CVE-2018-15665 (An issue was discovered in Cloudera Data Science Workbench (CDSW) 1.2. ...) NOT-FOR-US: Cloudera CVE-2018-15664 (In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker ...) - docker.io 18.09.1+dfsg1-7.1 (bug #929662) NOTE: https://www.openwall.com/lists/oss-security/2019/05/28/1 NOTE: https://github.com/moby/moby/pull/39252 CVE-2018-15663 RESERVED CVE-2018-15662 RESERVED CVE-2018-15661 (** DISPUTED ** An issue was discovered in the Ola Money (aka com.olaca ...) NOT-FOR-US: Ola Money application for Android CVE-2018-15660 (** DISPUTED ** An issue was discovered in the Ola Money (aka com.olaca ...) NOT-FOR-US: Ola Money application for Android CVE-2018-15659 (An issue was discovered in 42Gears SureMDM before 2018-11-27, related ...) NOT-FOR-US: 42Gears CVE-2018-15658 (An issue was discovered in 42Gears SureMDM before 2018-11-27. By visit ...) NOT-FOR-US: 42Gears CVE-2018-15657 (An SSRF issue was discovered in 42Gears SureMDM before 2018-11-27 via ...) NOT-FOR-US: 42Gears CVE-2018-15656 (An issue was discovered in the registration API endpoint in 42Gears Su ...) NOT-FOR-US: 42Gears CVE-2018-15655 (An issue was discovered in 42Gears SureMDM before 2018-11-27, related ...) NOT-FOR-US: 42Gears CVE-2018-15654 RESERVED CVE-2018-15653 RESERVED CVE-2018-15652 RESERVED CVE-2018-15651 RESERVED CVE-2018-15650 RESERVED CVE-2018-15649 RESERVED CVE-2018-15648 RESERVED CVE-2018-15647 RESERVED CVE-2018-15646 RESERVED CVE-2018-15645 RESERVED CVE-2018-15644 RESERVED CVE-2018-15643 RESERVED CVE-2018-15642 RESERVED CVE-2018-15641 RESERVED CVE-2018-15640 (Improper access control in the Helpdesk App of Odoo Enterprise 10.0 th ...) NOT-FOR-US: Odoo CVE-2018-15639 RESERVED CVE-2018-15638 RESERVED CVE-2018-15637 RESERVED CVE-2018-15636 RESERVED CVE-2018-15635 (Cross-site scripting vulnerability in the Discuss App of Odoo Communit ...) NOT-FOR-US: Odoo CVE-2018-15634 RESERVED CVE-2018-15633 RESERVED CVE-2018-15632 RESERVED CVE-2018-15631 (Improper access control in the Discuss App of Odoo Community 12.0 and ...) NOT-FOR-US: Odoo CVE-2018-15630 RESERVED CVE-2018-15629 REJECTED CVE-2018-15628 REJECTED CVE-2018-15627 REJECTED CVE-2018-15626 REJECTED CVE-2018-15625 REJECTED CVE-2018-15624 REJECTED CVE-2018-15623 REJECTED CVE-2018-15622 REJECTED CVE-2018-15621 REJECTED CVE-2018-15620 REJECTED CVE-2018-15619 REJECTED CVE-2018-15618 REJECTED CVE-2018-15617 (A vulnerability in the "capro" (Call Processor) process component of A ...) NOT-FOR-US: Avaya CVE-2018-15616 (A vulnerability in the Web UI component of Avaya Aura System Platform ...) NOT-FOR-US: Avaya Aura System Platform CVE-2018-15615 (A vulnerability in the Supervisor component of Avaya Call Management S ...) NOT-FOR-US: Avaya CVE-2018-15614 (A vulnerability in the one-x Portal component of IP Office could allow ...) NOT-FOR-US: IP Office CVE-2018-15613 (A cross-site scripting (XSS) vulnerability in the Runtime Config compo ...) NOT-FOR-US: Avaya CVE-2018-15612 (A CSRF vulnerability in the Runtime Config component of Avaya Aura Orc ...) NOT-FOR-US: Avaya CVE-2018-15611 (A vulnerability in the local system administration component of Avaya ...) NOT-FOR-US: Avaya Aura Communication Manager CVE-2018-15610 (A vulnerability in the one-X Portal component of Avaya IP Office allow ...) NOT-FOR-US: Avaya CVE-2018-15609 RESERVED CVE-2018-15608 (Zoho ManageEngine ADManager Plus 6.5.7 allows HTML Injection on the "A ...) NOT-FOR-US: Zoho ManageEngine ADManager Plus CVE-2018-15607 (In ImageMagick 7.0.8-11 Q16, a tiny input file 0x50 0x36 0x36 0x36 0x3 ...) - imagemagick (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1255 NOTE: This is mitigated by the default policies, if anyone modifies those they need NOTE: be tuned to the deployment's memory buildout CVE-2018-15606 (An XSS issue was discovered in SalesAgility SuiteCRM 7.x before 7.8.21 ...) NOT-FOR-US: SuiteCRM CVE-2018-15605 (An issue was discovered in phpMyAdmin before 4.8.3. A Cross-Site Scrip ...) - phpmyadmin (Vulnerable code introduced later) NOTE: https://www.phpmyadmin.net/security/PMASA-2018-5/ NOTE: Introduced by: https://github.com/phpmyadmin/phpmyadmin/commit/9404287ac09415b627b6fa68c7d04a13f7ef41e2 NOTE: Fixed by: https://github.com/phpmyadmin/phpmyadmin/commit/00d90b3ae415b31338f76263359467a9fbebd0a1 CVE-2018-XXXX [security issue with the PASS command and duplicate server instances] - charybdis 4.1.1-1 (bug #906879) [stretch] - charybdis (Vulnerable code added later) [jessie] - charybdis (Vulnerable code added later) NOTE: partial fix: https://github.com/charybdis-ircd/charybdis/commit/d4b2529a61fb48ebcd54bc0fcc6f400f97bfe251 CVE-2018-15604 RESERVED CVE-2018-15603 (An issue was discovered in Victor CMS through 2018-05-10. There is XSS ...) NOT-FOR-US: Victor CMS CVE-2018-15602 (Zyxel VMG3312 B10B devices are affected by a persistent XSS vulnerabil ...) NOT-FOR-US: Zyxel CVE-2018-15601 (apps/filemanager/handlers/upload/drop.php in Elefant CMS 2.0.3 perform ...) NOT-FOR-US: Elefant CMS CVE-2018-15600 RESERVED CVE-2018-15599 (The recv_msg_userauth_request function in svr-auth.c in Dropbear throu ...) {DLA-1476-1} - dropbear 2018.76-4 (bug #906890) [stretch] - dropbear 2016.74-5+deb9u1 NOTE: http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2018q3/002108.html NOTE: https://secure.ucc.asn.au/hg/dropbear/rev/5d2d1021ca00 CVE-2018-15598 (Containous Traefik 1.6.x before 1.6.6, when --api is used, exposes the ...) NOT-FOR-US: Traefik CVE-2018-15597 RESERVED CVE-2018-15596 (An issue was discovered in inc/class_feedgeneration.php in MyBB 1.8.17 ...) NOT-FOR-US: MyBB CVE-2018-1000226 (Cobbler version Verified as present in Cobbler versions 2.6.11+, but c ...) - cobbler CVE-2018-1000225 (Cobbler version Verified as present in Cobbler versions 2.6.11+, but c ...) - cobbler CVE-2018-1000224 (Godot Engine version All versions prior to 2.1.5, all 3.0 versions pri ...) NOT-FOR-US: Godot CVE-2018-1000222 (Libgd version 2.2.5 contains a Double Free Vulnerability vulnerability ...) {DLA-1651-1} - libgd2 2.2.5-4.1 (low; bug #906886) [stretch] - libgd2 2.2.4-2+deb9u3 NOTE: https://github.com/libgd/libgd/issues/447 NOTE: https://github.com/libgd/libgd/commit/ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5 CVE-2018-1000221 (pkgconf version 1.5.0 to 1.5.2 contains a Buffer Overflow vulnerabilit ...) - pkgconf (Vulnerable code introduced post 1.5.0) NOTE: Fixed by: https://github.com/pkgconf/pkgconf/commit/9b7affe0b1e6512c6c73d19e1220c94fdb5c8159 NOTE: Introduced by: https://github.com/pkgconf/pkgconf/commit/b46bb93cd1fe221dc4d6ff5e3ce99feda4ea31f1 CVE-2018-1000220 REJECTED CVE-2018-1000219 (OpenEMR version v5_0_1_4 contains a Cross Site Scripting (XSS) vulnera ...) NOT-FOR-US: OpenEMR CVE-2018-1000218 (OpenEMR version v5_0_1_4 contains a Cross Site Scripting (XSS) vulnera ...) NOT-FOR-US: OpenEMR CVE-2018-1000217 (Dave Gamble cJSON version 1.7.3 and earlier contains a CWE-416: Use Af ...) - cjson (Fixed before initial upload to Debian) NOTE: https://github.com/DaveGamble/cJSON/issues/248 CVE-2018-1000216 (Dave Gamble cJSON version 1.7.2 and earlier contains a CWE-415: Double ...) - cjson (Fixed before initial upload to Debian) NOTE: https://github.com/DaveGamble/cJSON/issues/241 CVE-2018-1000215 (Dave Gamble cJSON version 1.7.6 and earlier contains a CWE-772 vulnera ...) - cjson 1.7.7-1 NOTE: https://github.com/DaveGamble/cJSON/issues/267 CVE-2018-1000214 REJECTED CVE-2018-1000213 REJECTED CVE-2018-1000212 REJECTED CVE-2018-15595 RESERVED CVE-2018-15593 (An issue was discovered in Ivanti Workspace Control before 10.3.10.0 a ...) NOT-FOR-US: Ivanti Workspace Control CVE-2018-15592 (An issue was discovered in Ivanti Workspace Control before 10.3.10.0 a ...) NOT-FOR-US: Ivanti Workspace Control CVE-2018-15591 (An issue was discovered in Ivanti Workspace Control before 10.3.10.0 a ...) NOT-FOR-US: Ivanti Workspace Control CVE-2018-15590 (An issue was discovered in Ivanti Workspace Control before 10.3.0.0 an ...) NOT-FOR-US: Ivanti Workspace Control CVE-2018-15589 RESERVED CVE-2018-15588 (MailMate before 1.11.3 mishandles a suspicious HTML/MIME structure in ...) NOT-FOR-US: MailMate CVE-2018-15587 (GNOME Evolution through 3.28.2 is prone to OpenPGP signatures being sp ...) {DSA-4457-1 DLA-1766-1} - evolution 3.30.5-1.1 (bug #924616) NOTE: https://gitlab.gnome.org/GNOME/evolution/issues/120 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=796424 NOTE: https://gitlab.gnome.org/GNOME/evolution/commit/9c55a311325f5905d8b8403b96607e46cf343f21 (evolution) NOTE: https://gitlab.gnome.org/GNOME/evolution/commit/f66cd3e1db301d264563b4222a3574e2e58e2b85 (evolution) CVE-2018-15586 (Enigmail before 2.0.6 is prone to to OpenPGP signatures being spoofed ...) - enigmail 2:2.0.6.1-2 [jessie] - enigmail (see https://lists.debian.org/debian-lts-announce/2019/02/msg00002.html) NOTE: https://sourceforge.net/p/enigmail/bugs/849/ CVE-2018-1000657 (Rust Programming Language Rust standard library version Commit bfa0e1f ...) - rustc 1.22.1+dfsg1-1 (bug #906585) NOTE: Introduced by: https://github.com/rust-lang/rust/commit/bfa0e1f58acf1c28d500c34ed258f09ae021893e (1.3.0) NOTE: Fixed by: https://github.com/rust-lang/rust/commit/f71b37bc28326e272a37b938e835d4f99113eec2 (1.22.0) NOTE: https://github.com/rust-lang/rust/issues/44800 CVE-2018-1000656 (The Pallets Project flask version Before 0.12.3 contains a CWE-20: Imp ...) {DLA-1892-1} - flask 1.0.2-1 [stretch] - flask (Minor issue) NOTE: https://github.com/pallets/flask/pull/2691 CVE-2018-1000655 (Jsish version 2.4.65 contains a CWE-476: NULL Pointer Dereference vuln ...) NOT-FOR-US: Jsish CVE-2018-1000654 (GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 c ...) [experimental] - libtasn1-6 4.14-1 - libtasn1-6 4.14-2 (unimportant; bug #906768) - libtasn1-3 NOTE: https://gitlab.com/gnutls/libtasn1/issues/4 NOTE: No security impact, does not affect libtasn, but only the asn1Parser from NOTE: libtasn1-bin CVE-2018-1000653 (zzcms version 8.3 and earlier contains a SQL Injection vulnerability i ...) NOT-FOR-US: zzcms CVE-2018-1000652 (JabRef version <=4.3.1 contains a XML External Entity (XXE) vulnera ...) - jabref 3.8.2+ds-12 (low; bug #921772) [stretch] - jabref 3.8.1+ds-3+deb9u1 [jessie] - jabref (Minor issue) NOTE: https://github.com/JabRef/jabref/issues/4229 NOTE: https://github.com/JabRef/jabref/commit/89f855d76713b4cd25ac0830c719cd61c511851e CVE-2018-1000651 (Stroom version <5.4.5 contains a XML External Entity (XXE) vulnerab ...) NOT-FOR-US: Stroom CVE-2018-1000650 (LibreHealthIO lh-ehr version REL-2.0.0 contains a SQL Injection vulner ...) NOT-FOR-US: LibreHealthIO CVE-2018-1000649 (LibreHealthIO lh-ehr version REL-2.0.0 contains a Authenticated Unrest ...) NOT-FOR-US: LibreHealthIO CVE-2018-1000648 (LibreHealthIO lh-ehr version REL-2.0.0 contains a Authenticated Unrest ...) NOT-FOR-US: LibreHealthIO CVE-2018-1000647 (LibreHealthIO lh-ehr version REL-2.0.0 contains a Authenticated Unrest ...) NOT-FOR-US: LibreHealthIO CVE-2018-1000646 (LibreHealthIO LH-EHR version REL-2.0.0 contains an Authenticated Unres ...) NOT-FOR-US: LibreHealthIO CVE-2018-1000645 (LibreHealthIO lh-ehr version <REL-2.0.0 contains an Authenticated L ...) NOT-FOR-US: LibreHealthIO CVE-2018-1000644 (Eclipse RDF4j version < 2.4.0 Milestone 2 contains a XML External E ...) NOT-FOR-US: Eclipse RDF4j CVE-2018-1000643 REJECTED CVE-2018-1000642 (FlightAirMap version <=v1.0-beta.21 contains a Cross Site Scripting ...) NOT-FOR-US: FlightAirMap CVE-2018-1000641 (YesWiki version <= cercopitheque beta 1 contains a PHP Object Injec ...) NOT-FOR-US: YesWiki CVE-2018-1000640 (OpenCart-Overclocked version <=1.11.1 contains a Cross Site Scripti ...) NOT-FOR-US: OpenCart-Overclocked CVE-2018-1000639 (LatexDraw version <=4.0 contains a XML External Entity (XXE) vulner ...) NOT-FOR-US: LatexDraw CVE-2018-1000638 (MiniCMS version 1.1 contains a Cross Site Scripting (XSS) vulnerabilit ...) NOT-FOR-US: MiniCMS CVE-2018-1000636 (JerryScript version Tested on commit f86d7459d195c8ba58479d1861b0cc726 ...) NOT-FOR-US: JerryScript CVE-2018-1000635 (The Open Microscopy Environment OMERO.server version 5.4.0 to 5.4.6 co ...) NOT-FOR-US: Open Microscopy Environment CVE-2018-1000634 (The Open Microscopy Environment OMERO.server version 5.4.0 to 5.4.6 co ...) NOT-FOR-US: Open Microscopy Environment CVE-2018-1000633 (The Open Microscopy Environment OMERO.web version prior to 5.4.7 conta ...) NOT-FOR-US: Open Microscopy Environment CVE-2018-1000632 (dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection ...) {DLA-1517-1} - dom4j 2.1.1-1 (low) [stretch] - dom4j 1.6.1+dfsg.3-2+deb9u1 NOTE: https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387 NOTE: https://github.com/dom4j/dom4j/issues/48 CVE-2003-1605 (curl 7.x before 7.10.7 sends CONNECT proxy credentials to the remote s ...) - curl 7.10.7-1 NOTE: https://curl.haxx.se/docs/CVE-2003-1605.html CVE-2018-15585 (Cross-Site Scripting (XSS) vulnerability in newwinform.php in GNUBOARD ...) NOT-FOR-US: GNU Board CVE-2018-15584 (Cross-Site Scripting (XSS) vulnerability in adm/boardgroup_form_update ...) NOT-FOR-US: GNU Board CVE-2018-15583 (Cross-Site Scripting (XSS) vulnerability in point_list.php in GNUBOARD ...) NOT-FOR-US: GNU Board CVE-2018-15582 (Cross-Site Scripting (XSS) vulnerability in adm/sms_admin/num_book_wri ...) NOT-FOR-US: GNU Board CVE-2018-15581 (Cross-Site Scripting (XSS) vulnerability in adm/faqmasterformupdate.ph ...) NOT-FOR-US: GNU Board CVE-2018-15580 (Cross-Site Scripting (XSS) vulnerability in adm/contentformupdate.php ...) NOT-FOR-US: GNU Board CVE-2018-15579 RESERVED CVE-2018-15578 RESERVED CVE-2018-15577 RESERVED CVE-2018-15576 (An issue was discovered in EasyLogin Pro through 1.3.0. Encryptor.php ...) NOT-FOR-US: EasyLogin Pro CVE-2018-15575 RESERVED CVE-2018-15574 (** DISPUTED ** An issue was discovered in the license editor in Repris ...) NOT-FOR-US: Reprise License Manager CVE-2018-15573 (** DISPUTED ** An issue was discovered in Reprise License Manager (RLM ...) NOT-FOR-US: Reprise License Manager CVE-2018-15594 (arch/x86/kernel/paravirt.c in the Linux kernel before 4.18.1 mishandle ...) {DSA-4308-1 DLA-1531-1 DLA-1529-1} - linux 4.17.15-1 NOTE: https://twitter.com/grsecurity/status/1029324426142199808 NOTE: https://git.kernel.org/linus/5800dc5c19f34e6e03b5adab1282535cb102fafd CVE-2018-15572 (The spectre_v2_select_mitigation function in arch/x86/kernel/cpu/bugs. ...) {DSA-4308-1 DLA-1531-1 DLA-1529-1} - linux 4.17.15-1 NOTE: https://git.kernel.org/linus/fdf82a7856b32d905c39afc85e34364491e46346 CVE-2018-15571 (The Export Users to CSV plugin through 1.1.1 for WordPress allows CSV ...) NOT-FOR-US: Export Users to CSV plugin for WordPress CVE-2018-15570 (In waimai Super Cms 20150505, there is stored XSS via the /admin.php/F ...) NOT-FOR-US: waimai Super Cms CVE-2018-15569 (my little forum 2.4.12 allows CSRF for deletion of users. ...) NOT-FOR-US: my little forum CVE-2018-15568 (tp5cms through 2017-05-25 has CSRF via admin.php/category/delete.html. ...) NOT-FOR-US: tp5cms CVE-2018-15567 (CMSUno before 1.5.3 has XSS via the title field. ...) NOT-FOR-US: CMSUno CVE-2018-15566 (tp5cms through 2017-05-25 has XSS via the admin.php/article/index.html ...) NOT-FOR-US: tp5cms CVE-2018-15565 (An issue was discovered in daveismyname simple-cms through 2014-03-11. ...) NOT-FOR-US: simple-cms CVE-2018-15564 (An issue was discovered in daveismyname simple-cms through 2014-03-11. ...) NOT-FOR-US: simple-cms CVE-2018-15563 (_core/admin/pages/add/ in Subrion CMS 4.2.1 has XSS via the titles[en] ...) NOT-FOR-US: Subrion CMS CVE-2018-15562 (CMS ISWEB 3.5.3 has XSS via the ordineRis, sezioneRicerca, or oggettiR ...) NOT-FOR-US: CMS ISWEB CVE-2018-15561 RESERVED CVE-2018-15560 (PyCryptodome before 3.6.6 has an integer overflow in the data_len vari ...) - pycryptodome (Vulnerable code introduced later) NOTE: https://github.com/Legrandin/pycryptodome/issues/198 NOTE: Introduced by: https://github.com/Legrandin/pycryptodome/commit/e1c7272f732abf3f2e2ea1326444ccbd339d17f2 (3.6.2) NOTE: Fixed by: https://github.com/Legrandin/pycryptodome/commit/d1739c62b9b845f8a5b342de08d6bf6e2722d247 (3.6.6) CVE-2018-15559 (The editor in Xiuno BBS 4.0.4 allows stored XSS. ...) NOT-FOR-US: Xiuno BBS CVE-2018-15558 RESERVED CVE-2018-15557 (An issue was discovered in the Quantenna WiFi Controller on Telus Acti ...) NOT-FOR-US: Telus Actiontec WEB6000Q devices CVE-2018-15556 (The Quantenna WiFi Controller on Telus Actiontec WEB6000Q v1.1.02.22 a ...) NOT-FOR-US: Telus Actiontec WEB6000Q devices CVE-2018-15555 (On Telus Actiontec WEB6000Q v1.1.02.22 devices, an attacker can login ...) NOT-FOR-US: Telus Actiontec WEB6000Q devices CVE-2018-15554 RESERVED CVE-2018-15553 (fileshare.cmd on Telus Actiontec T2200H T2200H-31.128L.03 devices allo ...) NOT-FOR-US: Telus CVE-2018-15552 (The "PayWinner" function of a simplelottery smart contract implementat ...) NOT-FOR-US: simplelottery smart contract implementation for The Ethereum Lottery CVE-2018-15551 RESERVED CVE-2018-15550 RESERVED CVE-2018-15549 RESERVED CVE-2018-15548 RESERVED CVE-2018-15547 RESERVED CVE-2018-15546 (Accusoft PrizmDoc version 13.3 and earlier contains a Stored Cross-Sit ...) NOT-FOR-US: Accusoft PrizmDoc CVE-2018-15545 RESERVED CVE-2018-15544 RESERVED CVE-2018-15543 (** DISPUTED ** An issue was discovered in the org.telegram.messenger a ...) NOT-FOR-US: org.telegram.messenger for Android CVE-2018-15542 (** DISPUTED ** An issue was discovered in the org.telegram.messenger a ...) NOT-FOR-US: org.telegram.messenger for Android CVE-2018-15541 RESERVED CVE-2018-15540 (Agentejo Cockpit performs actions on files without appropriate validat ...) NOT-FOR-US: Agentejo Cockpit CVE-2018-15539 (Agentejo Cockpit lacks an anti-CSRF protection mechanism. Thus, an att ...) NOT-FOR-US: Agentejo Cockpit CVE-2018-15538 (Agentejo Cockpit has multiple Cross-Site Scripting vulnerabilities. ...) NOT-FOR-US: Agentejo Cockpit CVE-2018-15537 (Unrestricted file upload (with remote code execution) in OCS Inventory ...) - ocsinventory-server (unimportant) NOTE: Authentication is needed, only supported in trusted environments, see debtags CVE-2018-15536 (/filemanager/ajax_calls.php in tecrail Responsive FileManager before 9 ...) NOT-FOR-US: tecrail Responsive FileManager CVE-2018-15535 (/filemanager/ajax_calls.php in tecrail Responsive FileManager before 9 ...) NOT-FOR-US: tecrail Responsive FileManager CVE-2018-15534 (Geutebrueck re_porter 16 before 7.8.974.20 has a possibility of unauth ...) NOT-FOR-US: Geutebrueck CVE-2018-15533 (A reflected cross-site scripting vulnerability exists in Geutebrueck r ...) NOT-FOR-US: Geutebrueck CVE-2018-15532 (SynTP.sys in Synaptics Touchpad drivers before 2018-06-06 allows local ...) NOT-FOR-US: Synaptics Touchpad drivers CVE-2018-15531 (JavaMelody before 1.74.0 has XXE via parseSoapMethodName in bull/javam ...) NOT-FOR-US: JavaMelody CVE-2018-15530 (Cross-site scripting (XSS) in the web interface of the Xerox ColorQube ...) NOT-FOR-US: Xerox CVE-2018-15529 (A command injection vulnerability in maintenance.cgi in Mutiny "Monito ...) NOT-FOR-US: Mutiny appliance CVE-2018-15528 (Reflected Cross-Site Scripting exists in the Java System Solutions SSO ...) NOT-FOR-US: Java System Solutions SSO plugin CVE-2018-15527 RESERVED CVE-2018-15526 RESERVED CVE-2018-15525 RESERVED CVE-2018-15524 RESERVED CVE-2018-15523 RESERVED CVE-2018-15522 RESERVED CVE-2018-15521 RESERVED CVE-2018-15520 (Various Lexmark devices have a Buffer Overflow (issue 2 of 2). ...) NOT-FOR-US: Lexmark devices CVE-2018-15519 (Various Lexmark devices have a Buffer Overflow (issue 1 of 2). ...) NOT-FOR-US: Lexmark devices CVE-2018-15518 (QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption dur ...) {DSA-4374-1 DLA-1786-1 DLA-1627-1} [experimental] - qtbase-opensource-src 5.11.3+dfsg-1 - qtbase-opensource-src 5.11.3+dfsg-2 - qt4-x11 4:4.8.7+dfsg-18 (low) [stretch] - qt4-x11 (Minor issue) NOTE: https://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates/ NOTE: https://codereview.qt-project.org/#/c/236691/ CVE-2018-15517 (The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r00 ...) NOT-FOR-US: D-Link CVE-2018-15516 (The FTP service on D-Link Central WiFiManager CWM-100 1.03 r0098 devic ...) NOT-FOR-US: D-Link CVE-2018-15515 (The CaptivelPortal service on D-Link Central WiFiManager CWM-100 1.03 ...) NOT-FOR-US: D-Link CVE-2018-15514 (HandleRequestAsync in Docker for Windows before 18.06.0-ce-rc3-win68 ( ...) NOT-FOR-US: Docker for Windows CVE-2018-15513 (Log viewer in totemomail 6.0.0 build 570 allows access to sessionIDs o ...) NOT-FOR-US: totemomail CVE-2018-15512 (Cross-site scripting (XSS) vulnerability in the 'Authorisation Service ...) NOT-FOR-US: totemomail CVE-2018-15511 (Cross-site scripting (XSS) vulnerability in the 'Notification template ...) NOT-FOR-US: totemomail CVE-2018-15510 (Cross-site scripting (XSS) vulnerability in the 'Certificate' feature ...) NOT-FOR-US: totemomail CVE-2018-15509 (Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 ...) NOT-FOR-US: Five9 Agent Desktop Plus CVE-2018-15508 (Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control allowing ...) NOT-FOR-US: Five9 Agent Desktop Plus CVE-2018-15507 RESERVED CVE-2018-15506 (In BubbleUPnP 0.9 update 30, the XML parsing engine for SSDP/UPnP func ...) NOT-FOR-US: BubbleUPnP CVE-2018-15505 (An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb b ...) NOT-FOR-US: Embedthis GoAhead CVE-2018-15504 (An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb b ...) NOT-FOR-US: Embedthis GoAhead CVE-2018-15503 (The unpack implementation in Swoole version 4.0.4 lacks correct size c ...) NOT-FOR-US: Swoole CVE-2018-15502 (Insecure permissions in Lone Wolf Technologies loadingDOCS 2018-08-13 ...) NOT-FOR-US: Lone Wolf Technologies loadingDOCS CVE-2018-15501 (In ng_pkt in transports/smart_pkt.c in libgit2 before 0.26.6 and 0.27. ...) {DLA-1477-1} - libgit2 0.27.4+dfsg.1-0.1 (low) [stretch] - libgit2 (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9406 NOTE: https://github.com/libgit2/libgit2/commit/1f9a8510e1d2f20ed7334eeeddb92c4dd8e7c649 CVE-2018-15500 RESERVED CVE-2018-15499 (GEAR Software products that include GEARAspiWDM.sys, 2.2.5.0, allow lo ...) NOT-FOR-US: GEAR Software CVE-2018-15498 (YSoft SafeQ Server 6 allows a replay attack. ...) NOT-FOR-US: YSoft SafeQ CVE-2018-15497 (The Mitel MiVoice 5330e VoIP device is affected by memory corruption f ...) NOT-FOR-US: Mitel CVE-2018-15496 RESERVED CVE-2018-15495 (/filemanager/upload.php in Responsive FileManager before 9.13.3 allows ...) NOT-FOR-US: Responsive FileManager CVE-2018-15494 (In Dojo Toolkit before 1.14, there is unescaped string injection in do ...) {DLA-1492-1} - dojo 1.14.1+dfsg1-1 (bug #906540) NOTE: https://github.com/dojo/dojox/pull/283 CVE-2018-15493 (vBulletin 5.4.3 has an Open Redirect. ...) NOT-FOR-US: vBulletin CVE-2018-15492 (A vulnerability in the lservnt.exe component of Sentinel License Manag ...) NOT-FOR-US: Sentinel License Manager CVE-2018-15491 (A vulnerability in the permission and encryption implementation of Zem ...) NOT-FOR-US: Zemana Anti-Logger CVE-2018-15490 (An issue was discovered in ExpressVPN on Windows. The Xvpnd.exe proces ...) NOT-FOR-US: ExpressVPN CVE-2018-15489 RESERVED CVE-2018-15488 RESERVED CVE-2018-15487 RESERVED CVE-2018-15486 (An issue was discovered on KONE Group Controller (KGC) devices before ...) NOT-FOR-US: KONE Group Controller (KGC) devices CVE-2018-15485 (An issue was discovered on KONE Group Controller (KGC) devices before ...) NOT-FOR-US: KONE Group Controller (KGC) devices CVE-2018-15484 (An issue was discovered on KONE Group Controller (KGC) devices before ...) NOT-FOR-US: KONE Group Controller (KGC) devices CVE-2018-15483 (An issue was discovered on KONE Group Controller (KGC) devices before ...) NOT-FOR-US: KONE Group Controller (KGC) devices CVE-2018-15482 (Certain LG devices based on Android 6.0 through 8.1 have incorrect acc ...) NOT-FOR-US: LG devices specific issue CVE-2018-15481 (Improper input sanitization within the restricted administration shell ...) NOT-FOR-US: UCOPIA CVE-2018-15480 (An issue was discovered in myStrom WiFi Switch V1 before 2.66, WiFi Sw ...) NOT-FOR-US: myStrom CVE-2018-15479 (An issue was discovered in myStrom WiFi Switch V1 before 2.66, WiFi Sw ...) NOT-FOR-US: myStrom CVE-2018-15478 (An issue was discovered in myStrom WiFi Switch V1 before 2.66, WiFi Sw ...) NOT-FOR-US: myStrom CVE-2018-15477 (myStrom WiFi Switch V1 devices before 2.66 did not sanitize a paramete ...) NOT-FOR-US: myStrom CVE-2018-15476 (An issue was discovered in myStrom WiFi Switch V1 before 2.66, WiFi Sw ...) NOT-FOR-US: myStrom CVE-2018-15475 RESERVED CVE-2018-15474 (** DISPUTED ** CSV Injection (aka Excel Macro Injection or Formula Inj ...) NOTE: Dokuwiki non-issue CVE-2018-15472 [Diff formatter DoS in Sidekiq jobs] RESERVED [experimental] - gitlab 11.1.8+dfsg-1 - gitlab 11.1.8+dfsg-2 NOTE: https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/ CVE-2018-15467 (A vulnerability in the web-based management interface of Cisco TelePre ...) NOT-FOR-US: Cisco CVE-2018-15466 (A vulnerability in the Graphite web interface of the Policy and Chargi ...) NOT-FOR-US: Cisco CVE-2018-15465 (A vulnerability in the authorization subsystem of Cisco Adaptive Secur ...) NOT-FOR-US: Cisco CVE-2018-15464 (A vulnerability in Cisco 900 Series Aggregation Services Router (ASR) ...) NOT-FOR-US: Cisco CVE-2018-15463 (A vulnerability in the web-based management interface of Cisco Identit ...) NOT-FOR-US: Cisco CVE-2018-15462 (A vulnerability in the TCP ingress handler for the data interfaces tha ...) NOT-FOR-US: Cisco CVE-2018-15461 (A vulnerability in the MyWebex component of Cisco Webex Business Suite ...) NOT-FOR-US: Cisco CVE-2018-15460 (A vulnerability in the email message filtering feature of Cisco AsyncO ...) NOT-FOR-US: Cisco CVE-2018-15459 (A vulnerability in the administrative web interface of Cisco Identity ...) NOT-FOR-US: Cisco CVE-2018-15458 (A vulnerability in the Shell Access Filter feature of Cisco Firepower ...) NOT-FOR-US: Cisco CVE-2018-15457 (A vulnerability in the web-based management interface of Cisco Prime I ...) NOT-FOR-US: Cisco CVE-2018-15456 (A vulnerability in the Admin Portal of Cisco Identity Services Engine ...) NOT-FOR-US: Cisco CVE-2018-15455 (A vulnerability in the logging component of Cisco Identity Services En ...) NOT-FOR-US: Cisco CVE-2018-15454 (A vulnerability in the Session Initiation Protocol (SIP) inspection en ...) NOT-FOR-US: Cisco CVE-2018-15453 (A vulnerability in the Secure/Multipurpose Internet Mail Extensions (S ...) NOT-FOR-US: Cisco CVE-2018-15452 (A vulnerability in the DLL loading component of Cisco Advanced Malware ...) NOT-FOR-US: Cisco CVE-2018-15451 (A vulnerability in the web-based management interface of Cisco Prime S ...) NOT-FOR-US: Cisco CVE-2018-15450 (A vulnerability in the web-based UI of Cisco Prime Collaboration Assur ...) NOT-FOR-US: Cisco CVE-2018-15449 (A vulnerability in the web-based management interface of Cisco Video S ...) NOT-FOR-US: Cisco CVE-2018-15448 (A vulnerability in the user management functions of Cisco Registered E ...) NOT-FOR-US: Cisco CVE-2018-15447 (A vulnerability in the web framework code of Cisco Integrated Manageme ...) NOT-FOR-US: Cisco CVE-2018-15446 (A vulnerability in Cisco Meeting Server could allow an unauthenticated ...) NOT-FOR-US: Cisco CVE-2018-15445 (A vulnerability in the web-based management interface of Cisco Energy ...) NOT-FOR-US: Cisco CVE-2018-15444 (A vulnerability in the web-based user interface of Cisco Energy Manage ...) NOT-FOR-US: Cisco CVE-2018-15443 (A vulnerability in the detection engine of Cisco Firepower System Soft ...) NOT-FOR-US: Cisco CVE-2018-15442 (A vulnerability in the update service of Cisco Webex Meetings Desktop ...) NOT-FOR-US: Cisco CVE-2018-15441 (A vulnerability in the web framework code of Cisco Prime License Manag ...) NOT-FOR-US: Cisco CVE-2018-15440 (A vulnerability in the web-based management interface of Cisco Identit ...) NOT-FOR-US: Cisco CVE-2018-15439 (A vulnerability in the Cisco Small Business Switches software could al ...) NOT-FOR-US: Cisco CVE-2018-15438 (A vulnerability in the web-based management interface of Cisco Prime C ...) NOT-FOR-US: Cisco CVE-2018-15437 (A vulnerability in the system scanning component of Cisco Immunet and ...) NOT-FOR-US: Cisco CVE-2018-15436 (A vulnerability in the web-based management interface of Cisco Webex E ...) NOT-FOR-US: Cisco CVE-2018-15435 (A vulnerability in the web-based management interface of Cisco SocialM ...) NOT-FOR-US: Cisco CVE-2018-15434 (A vulnerability in the web-based management interface of Cisco Unified ...) NOT-FOR-US: Cisco CVE-2018-15433 (A vulnerability in the server backup function of Cisco Prime Infrastru ...) NOT-FOR-US: Cisco CVE-2018-15432 (A vulnerability in the server backup function of Cisco Prime Infrastru ...) NOT-FOR-US: Cisco CVE-2018-15431 (A vulnerability in the Cisco Webex Network Recording Player for Micros ...) NOT-FOR-US: Cisco CVE-2018-15430 (A vulnerability in the administrative web interface of Cisco Expresswa ...) NOT-FOR-US: Cisco CVE-2018-15429 (A vulnerability in the web-based UI of Cisco HyperFlex HX Data Platfor ...) NOT-FOR-US: Cisco CVE-2018-15428 (A vulnerability in the implementation of Border Gateway Protocol (BGP) ...) NOT-FOR-US: Cisco CVE-2018-15427 (A vulnerability in Cisco Video Surveillance Manager (VSM) Software run ...) NOT-FOR-US: Cisco CVE-2018-15426 (A vulnerability in the web-based interface of Cisco Unity Connection c ...) NOT-FOR-US: Cisco CVE-2018-15425 (A vulnerability in the web-based management interface of Cisco Identit ...) NOT-FOR-US: Cisco CVE-2018-15424 (A vulnerability in the web-based management interface of Cisco Identit ...) NOT-FOR-US: Cisco CVE-2018-15423 (A vulnerability in the web UI of Cisco HyperFlex Software could allow ...) NOT-FOR-US: Cisco CVE-2018-15422 (A vulnerability in the Cisco Webex Network Recording Player for Micros ...) NOT-FOR-US: Cisco CVE-2018-15421 (A vulnerability in the Cisco Webex Network Recording Player for Micros ...) NOT-FOR-US: Cisco CVE-2018-15420 (A vulnerability in the Cisco Webex Network Recording Player for Micros ...) NOT-FOR-US: Cisco CVE-2018-15419 (A vulnerability in the Cisco Webex Network Recording Player for Micros ...) NOT-FOR-US: Cisco CVE-2018-15418 (A vulnerability in the Cisco Webex Network Recording Player for Micros ...) NOT-FOR-US: Cisco CVE-2018-15417 (A vulnerability in the Cisco Webex Network Recording Player for Micros ...) NOT-FOR-US: Cisco CVE-2018-15416 (A vulnerability in the Cisco Webex Network Recording Player for Micros ...) NOT-FOR-US: Cisco CVE-2018-15415 (A vulnerability in the Cisco Webex Network Recording Player for Micros ...) NOT-FOR-US: Cisco CVE-2018-15414 (A vulnerability in the Cisco Webex Network Recording Player for Micros ...) NOT-FOR-US: Cisco CVE-2018-15413 (A vulnerability in the Cisco Webex Network Recording Player for Micros ...) NOT-FOR-US: Cisco CVE-2018-15412 (A vulnerability in the Cisco Webex Network Recording Player for Micros ...) NOT-FOR-US: Cisco CVE-2018-15411 (A vulnerability in the Cisco Webex Network Recording Player for Micros ...) NOT-FOR-US: Cisco CVE-2018-15410 (A vulnerability in the Cisco Webex Network Recording Player for Micros ...) NOT-FOR-US: Cisco CVE-2018-15409 (A vulnerability in the Cisco Webex Network Recording Player for Micros ...) NOT-FOR-US: Cisco CVE-2018-15408 (A vulnerability in the Cisco Webex Network Recording Player for Micros ...) NOT-FOR-US: Cisco CVE-2018-15407 (A vulnerability in the installation process of Cisco HyperFlex Softwar ...) NOT-FOR-US: Cisco CVE-2018-15406 (A vulnerability in the web-based management interface of Cisco UCS Dir ...) NOT-FOR-US: Cisco CVE-2018-15405 (A vulnerability in the web interface for specific feature sets of Cisc ...) NOT-FOR-US: Cisco CVE-2018-15404 (A vulnerability in the web interface of Cisco Integrated Management Co ...) NOT-FOR-US: Cisco CVE-2018-15403 (A vulnerability in the web interface of Cisco Emergency Responder, Cis ...) NOT-FOR-US: Cisco CVE-2018-15402 (A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS ...) NOT-FOR-US: Cisco CVE-2018-15401 (A vulnerability in the web-based management interface of Cisco Hosted ...) NOT-FOR-US: Cisco CVE-2018-15400 (A vulnerability in the web-based management interface of Cisco Cloud S ...) NOT-FOR-US: Cisco CVE-2018-15399 (A vulnerability in the TCP syslog module of Cisco Adaptive Security Ap ...) NOT-FOR-US: Cisco CVE-2018-15398 (A vulnerability in the per-user-override feature of Cisco Adaptive Sec ...) NOT-FOR-US: Cisco CVE-2018-15397 (A vulnerability in the implementation of Traffic Flow Confidentiality ...) NOT-FOR-US: Cisco CVE-2018-15396 (A vulnerability in the Bulk Administration Tool (BAT) for Cisco Unity ...) NOT-FOR-US: Cisco CVE-2018-15395 (A vulnerability in the authentication and authorization checking mecha ...) NOT-FOR-US: Cisco CVE-2018-15394 (A vulnerability in the Stealthwatch Management Console (SMC) of Cisco ...) NOT-FOR-US: Cisco CVE-2018-15393 (A vulnerability in the web-based management interface of Cisco Content ...) NOT-FOR-US: Cisco CVE-2018-15392 (A vulnerability in the DHCP service of Cisco Industrial Network Direct ...) NOT-FOR-US: Cisco CVE-2018-15391 (A vulnerability in certain IPv4 fragment-processing functions of Cisco ...) NOT-FOR-US: Cisco CVE-2018-15390 (A vulnerability in the FTP inspection engine of Cisco Firepower Threat ...) NOT-FOR-US: Cisco CVE-2018-15389 (A vulnerability in the install function of Cisco Prime Collaboration P ...) NOT-FOR-US: Cisco CVE-2018-15388 (A vulnerability in the WebVPN login process of Cisco Adaptive Security ...) NOT-FOR-US: Cisco CVE-2018-15387 (A vulnerability in the Cisco SD-WAN Solution could allow an unauthenti ...) NOT-FOR-US: Cisco CVE-2018-15386 (A vulnerability in Cisco Digital Network Architecture (DNA) Center cou ...) NOT-FOR-US: Cisco CVE-2018-15385 RESERVED CVE-2018-15384 RESERVED CVE-2018-15383 (A vulnerability in the cryptographic hardware accelerator driver of Ci ...) NOT-FOR-US: Cisco CVE-2018-15382 (A vulnerability in Cisco HyperFlex Software could allow an unauthentic ...) NOT-FOR-US: Cisco CVE-2018-15381 (A Java deserialization vulnerability in Cisco Unity Express (CUE) coul ...) NOT-FOR-US: Cisco CVE-2018-15380 (A vulnerability in the cluster service manager of Cisco HyperFlex Soft ...) NOT-FOR-US: Cisco CVE-2018-15379 (A vulnerability in which the HTTP web server for Cisco Prime Infrastru ...) NOT-FOR-US: Cisco CVE-2018-15378 (A vulnerability in ClamAV versions prior to 0.100.2 could allow an att ...) {DLA-1553-1} - clamav 0.100.2+dfsg-1 (bug #910430) [stretch] - clamav 0.100.2+dfsg-0+deb9u1 NOTE: https://blog.clamav.net/2018/10/clamav-01002-has-been-released.html NOTE: http://lists.clamav.net/pipermail/clamav-announce/2018/000033.html CVE-2018-15377 (A vulnerability in the Cisco Network Plug and Play agent, also referre ...) NOT-FOR-US: Cisco CVE-2018-15376 (A vulnerability in the embedded test subsystem of Cisco IOS Software f ...) NOT-FOR-US: Cisco CVE-2018-15375 (A vulnerability in the embedded test subsystem of Cisco IOS Software f ...) NOT-FOR-US: Cisco CVE-2018-15374 (A vulnerability in the Image Verification feature of Cisco IOS XE Soft ...) NOT-FOR-US: Cisco CVE-2018-15373 (A vulnerability in the implementation of Cisco Discovery Protocol func ...) NOT-FOR-US: Cisco CVE-2018-15372 (A vulnerability in the MACsec Key Agreement (MKA) using Extensible Aut ...) NOT-FOR-US: Cisco CVE-2018-15371 (A vulnerability in the shell access request mechanism of Cisco IOS XE ...) NOT-FOR-US: Cisco CVE-2018-15370 (A vulnerability in Cisco IOS ROM Monitor (ROMMON) Software for Cisco C ...) NOT-FOR-US: Cisco CVE-2018-15369 (A vulnerability in the TACACS+ client subsystem of Cisco IOS Software ...) NOT-FOR-US: Cisco CVE-2018-15368 (A vulnerability in the CLI parser of Cisco IOS XE Software could allow ...) NOT-FOR-US: Cisco CVE-2018-15367 (A ctl_set KERedirect Untrusted Pointer Dereference Privilege Escalatio ...) NOT-FOR-US: Trend Micro CVE-2018-15366 (A UrlfWTPPagePtr KERedirect Use-After-Free Privilege Escalation vulner ...) NOT-FOR-US: Trend Micro CVE-2018-15365 (A Reflected Cross-Site Scripting (XSS) vulnerability in Trend Micro De ...) NOT-FOR-US: Trend Micro CVE-2018-15364 (A Named Pipe Request Processing Out-of-Bounds Read Information Disclos ...) NOT-FOR-US: Trend Micro CVE-2018-15363 (An Out-of-Bounds Read Privilege Escalation vulnerability in Trend Micr ...) NOT-FOR-US: Trend Micro CVE-2018-15362 (XXE in GE Proficy Cimplicity GDS versions 9.0 R2, 9.5, 10.0 ...) NOT-FOR-US: GE Proficy Cimplicity GDS CVE-2018-15361 (UltraVNC revision 1198 has a buffer underflow vulnerability in VNC cli ...) NOT-FOR-US: UltraVNC CVE-2018-15360 (An attacker without authentication can login with default credentials ...) NOT-FOR-US: Eltex ESP-200 firmware CVE-2018-15359 (An authenticated attacker with low privileges can use insecure sudo co ...) NOT-FOR-US: Eltex ESP-200 firmware CVE-2018-15358 (An authenticated attacker with low privileges can activate high privil ...) NOT-FOR-US: Eltex ESP-200 firmware CVE-2018-15357 (An authenticated attacker with low privileges can extract password has ...) NOT-FOR-US: Eltex ESP-200 firmware CVE-2018-15356 (An authenticated attacker can execute arbitrary code using command eje ...) NOT-FOR-US: Eltex ESP-200 firmware CVE-2018-15355 (Usage of SSLv2 and SSLv3 leads to transmitted data decryption in Kraft ...) NOT-FOR-US: Kraftway 24F2XG Router firmware CVE-2018-15354 (A Buffer Overflow exploited through web interface by remote attacker c ...) NOT-FOR-US: Kraftway 24F2XG Router firmware CVE-2018-15353 (A Buffer Overflow exploited through web interface by remote attacker c ...) NOT-FOR-US: Kraftway 24F2XG Router firmware CVE-2018-15352 (An attacker with low privileges can cause denial of service in Kraftwa ...) NOT-FOR-US: Kraftway 24F2XG Router firmware CVE-2018-15351 (Denial of service via crafting malicious link and sending it to a priv ...) NOT-FOR-US: Kraftway 24F2XG Router firmware CVE-2018-15350 (Router Default Credentials in Kraftway 24F2XG Router firmware version ...) NOT-FOR-US: Kraftway 24F2XG Router firmware CVE-2018-15473 (OpenSSH through 7.7 is prone to a user enumeration vulnerability due t ...) {DSA-4280-1 DLA-1474-1} - openssh 1:7.7p1-4 (bug #906236) NOTE: http://www.openwall.com/lists/oss-security/2018/08/15/5 NOTE: https://anongit.mindrot.org/openssh.git/commit/?id=74287f5df9966a0648b4a68417451dd18f079ab8 NOTE: https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 NOTE: PoC at https://bugfuzz.com/stuff/ssh-check-username.py CVE-2018-15349 REJECTED CVE-2018-15348 REJECTED CVE-2018-15347 REJECTED CVE-2018-15346 REJECTED CVE-2018-15345 REJECTED CVE-2018-15344 REJECTED CVE-2018-15343 REJECTED CVE-2018-15342 REJECTED CVE-2018-15341 REJECTED CVE-2018-15340 REJECTED CVE-2018-15339 REJECTED CVE-2018-15338 REJECTED CVE-2018-15337 REJECTED CVE-2018-15336 REJECTED CVE-2018-15335 (When APM 13.0.0-13.1.x is deployed as an OAuth Resource Server, APM be ...) NOT-FOR-US: F5 CVE-2018-15334 (A cross-site request forgery (CSRF) vulnerability in the APM webtop 11 ...) NOT-FOR-US: F5 CVE-2018-15333 (On versions 11.2.1. and greater, unrestricted Snapshot File Access all ...) NOT-FOR-US: F5 BIG-IP CVE-2018-15332 (The svpn component of the F5 BIG-IP APM client prior to version 7.1.7. ...) NOT-FOR-US: F5 BIG-IP CVE-2018-15331 (On BIG-IP AAM 13.0.0 or 12.1.0-12.1.3.7, the dcdb_convert utility used ...) NOT-FOR-US: F5 BIG-IP CVE-2018-15330 (On BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.1, or 12.1.0-12.1.3.7, when a ...) NOT-FOR-US: F5 BIG-IP CVE-2018-15329 (On BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.1, or 12.1.0-12.1.3.7, or Ent ...) NOT-FOR-US: F5 BIG-IP CVE-2018-15328 (On BIG-IP 14.0.x, 13.x, 12.x, and 11.x, Enterprise Manager 3.1.1, BIG- ...) NOT-FOR-US: F5 BIG-IP CVE-2018-15327 (In BIG-IP 14.0.0-14.0.0.2 or 13.0.0-13.1.1.1 or Enterprise Manager 3.1 ...) NOT-FOR-US: F5 BIG-IP CVE-2018-15326 (In some situations on BIG-IP APM 14.0.0-14.0.0.2, 13.0.0-13.1.0.7, 12. ...) NOT-FOR-US: F5 BIG-IP CVE-2018-15325 (In BIG-IP 14.0.0-14.0.0.2 or 13.0.0-13.1.1.1, iControl and TMSH usage ...) NOT-FOR-US: F5 BIG-IP CVE-2018-15324 (On BIG-IP APM 14.0.0-14.0.0.2 or 13.0.0-13.1.1.1, TMM may restart when ...) NOT-FOR-US: F5 BIG-IP CVE-2018-15323 (On BIG-IP 14.0.0-14.0.0.2 or 13.0.0-13.1.1.1, in certain circumstances ...) NOT-FOR-US: F5 BIG-IP CVE-2018-15322 (On BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.0.7, 12.1.0-12.1.3.5, 11.6.0-11 ...) NOT-FOR-US: F5 BIG-IP CVE-2018-15321 (When BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.0.5, 12.1.0-12.1.3.5, 11.6.0- ...) NOT-FOR-US: F5 BIG-IP CVE-2018-15320 (On BIG-IP 14.0.0-14.0.0.2 or 13.0.0-13.1.1.1, undisclosed traffic patt ...) NOT-FOR-US: F5 BIG-IP CVE-2018-15319 (On BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.1, or 12.1.0-12.1.3.6, malici ...) NOT-FOR-US: F5 BIG-IP CVE-2018-15318 (In BIG-IP 14.0.0-14.0.0.2, 13.1.0.4-13.1.1.1, or 12.1.3.4-12.1.3.6, If ...) NOT-FOR-US: F5 BIG-IP CVE-2018-15317 (In BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, and 11.2. ...) NOT-FOR-US: F5 BIG-IP CVE-2018-15316 (In F5 BIG-IP APM 13.0.0-13.1.1.1, APM Client 7.1.5-7.1.6, and/or Edge ...) NOT-FOR-US: F5 BIG-IP CVE-2018-15315 (On F5 BIG-IP 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, there is a reflected ...) NOT-FOR-US: F5 BIG-IP CVE-2018-15314 (On F5 BIG-IP AFM 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, there is a Refle ...) NOT-FOR-US: F5 BIG-IP CVE-2018-15313 (On F5 BIG-IP AFM 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, there is a Refle ...) NOT-FOR-US: F5 BIG-IP CVE-2018-15312 (On F5 BIG-IP 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, a reflected Cross-Si ...) NOT-FOR-US: F5 BIG-IP CVE-2018-15311 (When F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.5, 11.6.0-11.6.3.2, or 1 ...) NOT-FOR-US: F5 BIG-IP CVE-2018-15310 (A vulnerability in BIG-IP APM portal access 11.5.1-11.5.7, 11.6.0-11.6 ...) NOT-FOR-US: F5 BIG-IP CVE-2018-XXXX [libykneomgr memory corruption] - libykneomgr (low; bug #906138) [stretch] - libykneomgr (Minor issue) [jessie] - libykneomgr (Minor issue) NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-004-libykneomgr/ CVE-2018-15470 (An issue was discovered in Xen through 4.11.x. The logic in oxenstored ...) {DSA-4274-1 DLA-1577-1} - xen 4.11.1~pre.20180911.5acdd26fdc+dfsg-2 (unimportant) NOTE: https://xenbits.xen.org/xsa/advisory-272.html CVE-2018-15471 (An issue was discovered in xenvif_set_hash_mapping in drivers/net/xen- ...) {DSA-4313-1 DLA-1715-1} - linux 4.18.10-2 [jessie] - linux (Vulnerable code introduced later) NOTE: https://xenbits.xen.org/xsa/advisory-270.html NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1607 CVE-2018-15468 (An issue was discovered in Xen through 4.11.x. The DEBUGCTL MSR contai ...) {DSA-4274-1} - xen 4.11.1~pre.20180911.5acdd26fdc+dfsg-2 [jessie] - xen (Only affects 4.6 and later) NOTE: https://xenbits.xen.org/xsa/advisory-269.html CVE-2018-15469 (An issue was discovered in Xen through 4.11.x. ARM never properly impl ...) {DSA-4274-1 DLA-1577-1} - xen 4.11.1~pre.20180911.5acdd26fdc+dfsg-2 NOTE: https://xenbits.xen.org/xsa/advisory-268.html CVE-2018-15309 RESERVED CVE-2018-15308 RESERVED CVE-2018-15307 RESERVED CVE-2018-15306 RESERVED CVE-2018-15305 RESERVED CVE-2018-15304 RESERVED CVE-2018-15303 RESERVED CVE-2018-15302 RESERVED CVE-2018-15301 RESERVED CVE-2018-15300 RESERVED CVE-2018-15299 RESERVED CVE-2018-15298 RESERVED CVE-2018-15297 RESERVED CVE-2018-15296 RESERVED CVE-2018-15295 RESERVED CVE-2018-15294 RESERVED CVE-2018-15293 RESERVED CVE-2018-15292 RESERVED CVE-2018-15291 RESERVED CVE-2018-15290 RESERVED CVE-2018-15289 RESERVED CVE-2018-15288 RESERVED CVE-2018-15287 RESERVED CVE-2018-15286 RESERVED CVE-2018-15285 RESERVED CVE-2018-15284 RESERVED CVE-2018-15283 RESERVED CVE-2018-15282 RESERVED CVE-2018-15281 RESERVED CVE-2018-15280 RESERVED CVE-2018-15279 RESERVED CVE-2018-15278 RESERVED CVE-2018-15277 RESERVED CVE-2018-15276 RESERVED CVE-2018-15275 RESERVED CVE-2018-15274 RESERVED CVE-2018-15273 RESERVED CVE-2018-15272 RESERVED CVE-2018-15271 RESERVED CVE-2018-15270 RESERVED CVE-2018-15269 RESERVED CVE-2018-15268 RESERVED CVE-2018-15267 RESERVED CVE-2018-15266 RESERVED CVE-2018-15265 RESERVED CVE-2018-15264 RESERVED CVE-2018-15263 RESERVED CVE-2018-15262 RESERVED CVE-2018-15261 RESERVED CVE-2018-15260 RESERVED CVE-2018-15259 RESERVED CVE-2018-15258 RESERVED CVE-2018-15257 RESERVED CVE-2018-15256 RESERVED CVE-2018-15255 RESERVED CVE-2018-15254 RESERVED CVE-2018-15253 RESERVED CVE-2018-15252 RESERVED CVE-2018-15251 RESERVED CVE-2018-15250 RESERVED CVE-2018-15249 RESERVED CVE-2018-15248 RESERVED CVE-2018-15247 RESERVED CVE-2018-15246 RESERVED CVE-2018-15245 RESERVED CVE-2018-15244 RESERVED CVE-2018-15243 RESERVED CVE-2018-15242 RESERVED CVE-2018-15241 RESERVED CVE-2018-15240 RESERVED CVE-2018-15239 RESERVED CVE-2018-15238 RESERVED CVE-2018-15237 RESERVED CVE-2018-15236 RESERVED CVE-2018-15235 RESERVED CVE-2018-15234 RESERVED CVE-2018-15233 RESERVED CVE-2018-15232 RESERVED CVE-2018-15231 RESERVED CVE-2018-15230 RESERVED CVE-2018-15229 RESERVED CVE-2018-15228 RESERVED CVE-2018-15227 RESERVED CVE-2018-15226 RESERVED CVE-2018-15225 RESERVED CVE-2018-15224 RESERVED CVE-2018-15223 RESERVED CVE-2018-15222 RESERVED CVE-2018-15221 RESERVED CVE-2018-15220 RESERVED CVE-2018-15219 RESERVED CVE-2018-15218 RESERVED CVE-2018-15217 RESERVED CVE-2018-15216 RESERVED CVE-2018-15215 RESERVED CVE-2018-15214 RESERVED CVE-2018-15213 RESERVED CVE-2018-15212 RESERVED CVE-2018-15211 RESERVED CVE-2018-15210 RESERVED CVE-2018-15209 (ChopUpSingleUncompressedStrip in tif_dirread.c in LibTIFF 4.0.9 allows ...) {DSA-4349-1} - tiff 4.0.9-5 (bug #905798) [jessie] - tiff (Cannot reproduce with crash file) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2808 NOTE: Different issue than CVE-2017-11613 but adressed with same set of commits. NOTE: Upstream fix 1/2: https://gitlab.com/libtiff/libtiff/commit/3719385a3fac5cfb20b487619a5f08abbf967cf8 NOTE: Upstream fix 2/2: https://gitlab.com/libtiff/libtiff/commit/7a092f8af2568d61993a8cc2e7a35a998d7d37be CVE-2018-15208 (BPC SmartVista 2 has Session Fixation via the JSESSIONID parameter. ...) NOT-FOR-US: BPC SmartVista CVE-2018-15207 (BPC SmartVista 2 has Improper Access Control in the SVFE module, where ...) NOT-FOR-US: BPC SmartVista CVE-2018-15206 (BPC SmartVista 2 has CSRF via SVFE2/pages/admpages/roles/createrole.js ...) NOT-FOR-US: BPC SmartVista CVE-2018-15205 RESERVED CVE-2018-15204 RESERVED CVE-2018-15203 (An issue was discovered in Ignited CMS through 2017-02-19. ign/index.p ...) NOT-FOR-US: Ignited CMS CVE-2018-15202 (An issue was discovered in Juunan06 eCommerce through 2018-08-05. Ther ...) NOT-FOR-US: Juunan06 eCommerce CVE-2018-15201 RESERVED CVE-2018-15200 RESERVED CVE-2018-15199 (AuraCMS 2.3 allows XSS via a Bukutamu -> AddGuestbook action. ...) NOT-FOR-US: AuraCMS CVE-2018-15198 (An issue was discovered in OneThink v1.1. There is a CSRF vulnerabilit ...) NOT-FOR-US: OneThink CVE-2018-15197 (An issue was discovered in OneThink v1.1. There is a CSRF vulnerabilit ...) NOT-FOR-US: OneThink CVE-2018-15196 RESERVED CVE-2018-15195 RESERVED CVE-2018-15194 RESERVED CVE-2018-15193 (A CSRF vulnerability in the admin panel in Gogs through 0.11.53 allows ...) NOT-FOR-US: Go Git Service CVE-2018-15192 (An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs ...) - gitea NOTE: https://github.com/go-gitea/gitea/issues/4624 CVE-2018-15191 (PHP Scripts Mall hotel-booking-script 2.0.4 allows remote attackers to ...) NOT-FOR-US: PHP Scripts Mall CVE-2018-15190 (PHP Scripts Mall hotel-booking-script 2.0.4 allows XSS via the First N ...) NOT-FOR-US: PHP Scripts Mall CVE-2018-15189 (PHP Scripts Mall advanced-real-estate-script has XSS via the Name fiel ...) NOT-FOR-US: PHP Scripts Mall CVE-2018-15188 (PHP Scripts Mall advanced-real-estate-script 4.0.9 allows remote attac ...) NOT-FOR-US: PHP Scripts Mall CVE-2018-15187 (PHP Scripts Mall advanced-real-estate-script 4.0.9 has CSRF via edit-p ...) NOT-FOR-US: PHP Scripts Mall CVE-2018-15186 (PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has CSRF ...) NOT-FOR-US: PHP Scripts Mall CVE-2018-15185 (PHP Scripts Mall Naukri / Shine / Jobsite Clone Script 3.0.4 allows re ...) NOT-FOR-US: PHP Scripts Mall CVE-2018-15184 (PHP Scripts Mall Naukri / Shine / Jobsite Clone Script 3.0.4 has Store ...) NOT-FOR-US: PHP Scripts Mall Naukri / Shine / Jobsite Clone Script CVE-2018-15183 (PHP Scripts Mall Myperfectresume / JobHero / Resume Clone Script 2.0.6 ...) NOT-FOR-US: PHP Scripts Mall Myperfectresume / JobHero / Resume Clone Script CVE-2018-15182 (PHP Scripts Mall Car Rental Script 2.0.8 has XSS via the FirstName and ...) NOT-FOR-US: PHP Scripts Mall Car Rental Script CVE-2018-15181 (JioFi 4G Hotspot M2S devices allow attackers to cause a denial of serv ...) NOT-FOR-US: JioFi 4G Hotspot M2S devices CVE-2018-15180 (qTest Portal in QASymphony qTest Manager 9.0.0 has an Open Redirect vi ...) NOT-FOR-US: QASymphony qTest Manager CVE-2018-15179 RESERVED CVE-2018-15178 (Open redirect vulnerability in Gogs before 0.12 allows remote attacker ...) NOT-FOR-US: Go Git Service CVE-2018-15177 (In Gxlcms 2.0, a news/index.php?s=Admin-Admin-Insert CSRF attack can a ...) NOT-FOR-US: Gxlcms CVE-2018-15176 (XnView 2.45 allows remote attackers to cause a denial of service (User ...) NOT-FOR-US: XnView CVE-2018-15175 (XnView 2.45 allows remote attackers to cause a denial of service (User ...) NOT-FOR-US: XnView CVE-2018-15174 (XnView 2.45 allows remote attackers to cause a denial of service (Read ...) NOT-FOR-US: XnView CVE-2018-15173 (Nmap through 7.70, when the -sV option is used, allows remote attacker ...) - nmap (unimportant) NOTE: No security impact CVE-2018-15172 (TP-Link WR840N devices have a buffer overflow via a long Authorization ...) NOT-FOR-US: TP-Link WR840N devices CVE-2018-15171 RESERVED CVE-2018-15170 RESERVED CVE-2018-15169 (A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEng ...) NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2018-15168 (A SQL Injection vulnerability exists in the Zoho ManageEngine Applicat ...) NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2018-15167 RESERVED CVE-2018-15166 RESERVED CVE-2018-15165 RESERVED CVE-2018-15164 RESERVED CVE-2018-15163 RESERVED CVE-2018-15162 RESERVED CVE-2018-15161 (** DISPUTED ** The libesedb_key_append_data function in libesedb_key.c ...) - libesedb NOTE: https://github.com/libyal/libesedb/issues/43 CVE-2018-15160 (** DISPUTED ** The libesedb_catalog_definition_read function in libese ...) - libesedb NOTE: https://github.com/libyal/libesedb/issues/43 CVE-2018-15159 (** DISPUTED ** The libesedb_page_read_tags function in libesedb_page.c ...) - libesedb NOTE: https://github.com/libyal/libesedb/issues/43 CVE-2018-15158 (** DISPUTED ** The libesedb_page_read_values function in libesedb_page ...) - libesedb NOTE: https://github.com/libyal/libesedb/issues/43 CVE-2018-15157 (** DISPUTED ** The libfsclfs_block_read function in libfsclfs_block.c ...) NOT-FOR-US: libfsclfs CVE-2018-15156 (OS command injection occurring in versions of OpenEMR before 5.0.1.4 a ...) NOT-FOR-US: OpenEMR CVE-2018-15155 (OS command injection occurring in versions of OpenEMR before 5.0.1.4 a ...) NOT-FOR-US: OpenEMR CVE-2018-15154 (OS command injection occurring in versions of OpenEMR before 5.0.1.4 a ...) NOT-FOR-US: OpenEMR CVE-2018-15153 (OS command injection occurring in versions of OpenEMR before 5.0.1.4 a ...) NOT-FOR-US: OpenEMR CVE-2018-15152 (Authentication bypass vulnerability in portal/account/register.php in ...) NOT-FOR-US: OpenEMR CVE-2018-15151 (SQL injection vulnerability in interface/de_identification_forms/find_ ...) NOT-FOR-US: OpenEMR CVE-2018-15150 (SQL injection vulnerability in interface/de_identification_forms/de_id ...) NOT-FOR-US: OpenEMR CVE-2018-15149 (SQL injection vulnerability in interface/forms/eye_mag/php/Anything_si ...) NOT-FOR-US: OpenEMR CVE-2018-15148 (SQL injection vulnerability in interface/patient_file/encounter/search ...) NOT-FOR-US: OpenEMR CVE-2018-15147 (SQL injection vulnerability in interface/forms_admin/forms_admin.php f ...) NOT-FOR-US: OpenEMR CVE-2018-15146 (SQL injection vulnerability in interface/de_identification_forms/find_ ...) NOT-FOR-US: OpenEMR CVE-2018-15145 (Multiple SQL injection vulnerabilities in portal/add_edit_event_user.p ...) NOT-FOR-US: OpenEMR CVE-2018-15144 (SQL injection vulnerability in interface/de_identification_forms/find_ ...) NOT-FOR-US: OpenEMR CVE-2018-15143 (Multiple SQL injection vulnerabilities in portal/find_appt_popup_user. ...) NOT-FOR-US: OpenEMR CVE-2018-15142 (Directory traversal in portal/import_template.php in versions of OpenE ...) NOT-FOR-US: OpenEMR CVE-2018-15141 (Directory traversal in portal/import_template.php in versions of OpenE ...) NOT-FOR-US: OpenEMR CVE-2018-15140 (Directory traversal in portal/import_template.php in versions of OpenE ...) NOT-FOR-US: OpenEMR CVE-2018-15139 (Unrestricted file upload in interface/super/manage_site_files.php in v ...) NOT-FOR-US: OpenEMR CVE-2018-15138 (Ericsson-LG iPECS NMS 30M allows directory traversal via ipecs-cm/down ...) NOT-FOR-US: Ericsson-LG iPECS NMS 30M CVE-2018-15137 (CeLa Link CLR-M20 devices allow unauthorized users to upload any file ...) NOT-FOR-US: CeLa Link CLR-M20 devices CVE-2018-15136 (TitanHQ SpamTitan before 7.01 has Improper input validation. This allo ...) NOT-FOR-US: TitanHQ CVE-2018-15135 RESERVED CVE-2018-15134 RESERVED CVE-2018-15133 (In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote c ...) NOT-FOR-US: Laravel CVE-2018-15132 (An issue was discovered in ext/standard/link_win32.c in PHP before 5.6 ...) - php7.2 (Windows-specific) - php7.1 (Windows-specific) - php7.0 (Windows-specific) - php5 (Windows-specific) NOTE: Fixed in 5.6.37, 7.0.31, 7.1.20, 7.2.8 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=76459 NOTE: https://github.com/php/php-src/commit/f151e048ed27f6f4eef729f3310d053ab5da71d4 CVE-2018-15131 (An issue was discovered in Synacor Zimbra Collaboration Suite 8.6.x be ...) NOT-FOR-US: Synacor Zimbra Collaboration Suite CVE-2018-15130 (ThinkSAAS through 2018-07-25 has XSS via the index.php?app=group&a ...) NOT-FOR-US: ThinkSAAS CVE-2013-7464 (In csrf-magic before 1.0.4, if $GLOBALS['csrf']['secret'] is not confi ...) - zoneminder (Vulnerable code never in a embedded copy version for zoneminder) - cacti (Vulnerable code never in any release inclusing embedded copy, i.e. pre 1.0.4) NOTE: Issue is in embedded csrf-magic NOTE: http://repo.or.cz/csrf-magic.git/commit/9d2537f70d58b16aeba89779aaf1573b8d618e11 (v1.0.4) CVE-2018-15129 (ThinkSAAS through 2018-07-25 has XSS via the index.php?app=article& ...) NOT-FOR-US: ThinkSAAS CVE-2018-15128 (An issue was discovered in Polycom Group Series 6.1.6.1 and earlier, H ...) NOT-FOR-US: Polycom Group Series CVE-2018-20750 (LibVNC through 0.9.12 contains a heap out-of-bounds write vulnerabilit ...) {DLA-1979-1 DLA-1652-1} - libvncserver 0.9.11+dfsg-1.3 (bug #920941) [stretch] - libvncserver (Incomplete fix for CVE-2018-15127 not applied) - italc [stretch] - italc (Incomplete fix for CVE-2018-15127 not applied) NOTE: https://github.com/LibVNC/libvncserver/commit/09e8fc02f59f16e2583b34fe1a270c238bd9ffec CVE-2018-20749 (LibVNC before 0.9.12 contains a heap out-of-bounds write vulnerability ...) {DLA-1979-1 DLA-1652-1} - libvncserver 0.9.11+dfsg-1.3 (bug #920941) [stretch] - libvncserver (Incomplete fix for CVE-2018-15127 not applied) - italc [stretch] - italc (Incomplete fix for CVE-2018-15127 not applied) NOTE: https://github.com/LibVNC/libvncserver/commit/15bb719c03cc70f14c36a843dcb16ed69b405707 CVE-2018-15127 (LibVNC before commit 502821828ed00b4a2c4bef90683d0fd88ce495de contains ...) {DSA-4383-1 DLA-1979-1 DLA-1617-1} - libvncserver 0.9.11+dfsg-1.2 (bug #916941) - italc [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1 NOTE: https://github.com/LibVNC/libvncserver/issues/243 NOTE: https://github.com/LibVNC/libvncserver/commit/502821828ed00b4a2c4bef90683d0fd88ce495de NOTE: https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-028-libvnc-heap-out-of-bound-write/ NOTE: When fixing this issue make sure to not open CVE-2018-20749 and CVE-2018-20750 NOTE: Additional commits: NOTE: https://github.com/LibVNC/libvncserver/commit/15bb719c03cc70f14c36a843dcb16ed69b405707 NOTE: https://github.com/LibVNC/libvncserver/commit/09e8fc02f59f16e2583b34fe1a270c238bd9ffec CVE-2018-15126 (LibVNC before commit 73cb96fec028a576a5a24417b57723b55854ad7b contains ...) {DSA-4383-1 DLA-1979-1 DLA-1652-1} - libvncserver 0.9.11+dfsg-1.2 (bug #916941) NOTE: https://github.com/LibVNC/libvncserver/issues/242 NOTE: Fixed by: https://github.com/LibVNC/libvncserver/commit/162d716b4c095a87aab2261857d583d68e3b3ea6 (merge of fix-#242) NOTE: Individual commits: NOTE: https://github.com/LibVNC/libvncserver/commit/89419fb1a0cef42b63528e6930f4e545cfef4c95 NOTE: https://github.com/LibVNC/libvncserver/commit/f8912fee5a58fb3975eda2589f6d4686f0c1ae68 NOTE: https://github.com/LibVNC/libvncserver/commit/73cb96fec028a576a5a24417b57723b55854ad7b (main part of the fix) NOTE: https://github.com/LibVNC/libvncserver/commit/2d939267a176bf4976dbad36399638956ad8cc34 NOTE: https://github.com/LibVNC/libvncserver/commit/495ffa3f3a213ab058eee1d7da48fa5ef71914d8 NOTE: https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-027-libvnc-heap-use-after-free/ CVE-2018-15125 (Sensitive Information Disclosure in Zipato Zipabox Smart Home Controll ...) NOT-FOR-US: Zipato CVE-2018-15124 (Weak hashing algorithm in Zipato Zipabox Smart Home Controller BOARD R ...) NOT-FOR-US: Zipato CVE-2018-15123 (Insecure configuration storage in Zipato Zipabox Smart Home Controller ...) NOT-FOR-US: Zipato CVE-2018-15122 (An issue found in Progress Telerik JustAssembly through 2018.1.323.2 a ...) NOT-FOR-US: Telerik CVE-2018-15121 (An issue was discovered in Auth0 auth0-aspnet and auth0-aspnet-owin. A ...) NOT-FOR-US: Auth0 auth0-aspnet CVE-2018-15120 (libpango in Pango 1.40.8 through 1.42.3, as used in hexchat and other ...) - pango1.0 1.42.4-1 (low) [stretch] - pango1.0 (Vulnerable code not present) [jessie] - pango1.0 (Vulnerable code not present) NOTE: https://gitlab.gnome.org/GNOME/pango/commit/71aaeaf020340412b8d012fe23a556c0420eda5f CVE-2018-15119 RESERVED CVE-2018-15118 RESERVED CVE-2018-15117 RESERVED CVE-2018-15116 RESERVED CVE-2018-15115 RESERVED CVE-2018-15114 RESERVED CVE-2018-15113 RESERVED CVE-2018-15112 RESERVED CVE-2018-15111 RESERVED CVE-2018-15110 RESERVED CVE-2018-15109 RESERVED CVE-2018-15108 RESERVED CVE-2018-15107 RESERVED CVE-2018-15106 RESERVED CVE-2018-15105 RESERVED CVE-2018-15104 RESERVED CVE-2018-15103 RESERVED CVE-2018-15102 RESERVED CVE-2018-15101 RESERVED CVE-2018-15100 RESERVED CVE-2018-15099 RESERVED CVE-2018-15098 RESERVED CVE-2018-15097 RESERVED CVE-2018-15096 RESERVED CVE-2018-15095 RESERVED CVE-2018-15094 RESERVED CVE-2018-15093 RESERVED CVE-2018-15092 RESERVED CVE-2018-15091 RESERVED CVE-2018-15090 RESERVED CVE-2018-15089 RESERVED CVE-2018-15088 RESERVED CVE-2018-15087 RESERVED CVE-2018-15086 RESERVED CVE-2018-15085 RESERVED CVE-2018-15084 RESERVED CVE-2018-15083 RESERVED CVE-2018-15082 RESERVED CVE-2018-15081 RESERVED CVE-2018-15080 RESERVED CVE-2018-15079 RESERVED CVE-2018-15078 RESERVED CVE-2018-15077 RESERVED CVE-2018-15076 RESERVED CVE-2018-15075 RESERVED CVE-2018-15074 RESERVED CVE-2018-15073 RESERVED CVE-2018-15072 RESERVED CVE-2018-15071 RESERVED CVE-2018-15070 RESERVED CVE-2018-15069 RESERVED CVE-2018-15068 RESERVED CVE-2018-15067 RESERVED CVE-2018-15066 RESERVED CVE-2018-15065 RESERVED CVE-2018-15064 RESERVED CVE-2018-15063 RESERVED CVE-2018-15062 RESERVED CVE-2018-15061 RESERVED CVE-2018-15060 RESERVED CVE-2018-15059 RESERVED CVE-2018-15058 RESERVED CVE-2018-15057 RESERVED CVE-2018-15056 RESERVED CVE-2018-15055 RESERVED CVE-2018-15054 RESERVED CVE-2018-15053 RESERVED CVE-2018-15052 RESERVED CVE-2018-15051 RESERVED CVE-2018-15050 RESERVED CVE-2018-15049 RESERVED CVE-2018-15048 RESERVED CVE-2018-15047 RESERVED CVE-2018-15046 RESERVED CVE-2018-15045 RESERVED CVE-2018-15044 RESERVED CVE-2018-15043 RESERVED CVE-2018-15042 RESERVED CVE-2018-15041 RESERVED CVE-2018-15040 RESERVED CVE-2018-15039 RESERVED CVE-2018-15038 RESERVED CVE-2018-15037 RESERVED CVE-2018-15036 RESERVED CVE-2018-15035 RESERVED CVE-2018-15034 RESERVED CVE-2018-15033 RESERVED CVE-2018-15032 RESERVED CVE-2018-15031 RESERVED CVE-2018-15030 RESERVED CVE-2018-15029 RESERVED CVE-2018-15028 RESERVED CVE-2018-15027 RESERVED CVE-2018-15026 RESERVED CVE-2018-15025 RESERVED CVE-2018-15024 RESERVED CVE-2018-15023 RESERVED CVE-2018-15022 RESERVED CVE-2018-15021 RESERVED CVE-2018-15020 RESERVED CVE-2018-15019 RESERVED CVE-2018-15018 RESERVED CVE-2018-15017 RESERVED CVE-2018-15016 RESERVED CVE-2018-15015 RESERVED CVE-2018-15014 RESERVED CVE-2018-15013 RESERVED CVE-2018-15012 RESERVED CVE-2018-15011 RESERVED CVE-2018-15010 RESERVED CVE-2018-15009 RESERVED CVE-2018-15008 RESERVED CVE-2018-15007 (The Sky Elite 6.0L+ Android device with a build fingerprint of SKY/x60 ...) NOT-FOR-US: Sky Elite CVE-2018-15006 (The ZTE ZMAX Champ Android device with a build fingerprint of ZTE/Z917 ...) NOT-FOR-US: ZTE CVE-2018-15005 (The ZTE ZMAX Champ Android device with a build fingerprint of ZTE/Z917 ...) NOT-FOR-US: ZTE CVE-2018-15004 (The Coolpad Canvas device with a build fingerprint of Coolpad/cp3636a/ ...) NOT-FOR-US: Coolpad CVE-2018-15003 (The Coolpad Defiant (Coolpad/cp3632a/cp3632a:7.1.1/NMF26F/099480857:us ...) NOT-FOR-US: Coolpad CVE-2018-15002 (The Vivo V7 device with a build fingerprint of vivo/1718/1718:7.1.2/N2 ...) NOT-FOR-US: Vivo V7 device CVE-2018-15001 (The Vivo V7 Android device with a build fingerprint of vivo/1718/1718: ...) NOT-FOR-US: Vivo V7 device CVE-2018-15000 (The Vivo V7 Android device with a build fingerprint of vivo/1718/1718: ...) NOT-FOR-US: Vivo V7 device CVE-2018-14999 (The Leagoo P1 device with a build fingerprint of sp7731c_1h10_32v4_bir ...) NOT-FOR-US: Leagoo P1 Android device CVE-2018-14998 (The Leagoo P1 Android device with a build fingerprint of sp7731c_1h10_ ...) NOT-FOR-US: Leagoo P1 Android device CVE-2018-14997 (The Leagoo P1 Android device with a build fingerprint of sp7731c_1h10_ ...) NOT-FOR-US: Leagoo P1 Android device CVE-2018-14996 (The Oppo F5 Android device with a build fingerprint of OPPO/CPH1723/CP ...) NOT-FOR-US: Oppo F5 CVE-2018-14995 (The ZTE Blade Vantage Android device with a build fingerprint of ZTE/Z ...) NOT-FOR-US: ZTE CVE-2018-14994 (The Essential Phone Android device with a build fingerprint of essenti ...) NOT-FOR-US: Essential Phone CVE-2018-14993 (The ASUS Zenfone V Live Android device with a build fingerprint of asu ...) NOT-FOR-US: ASUS ZenFone 3 Max Android device CVE-2018-14992 (The ASUS ZenFone 3 Max Android device with a build fingerprint of asus ...) NOT-FOR-US: ASUS ZenFone 3 Max Android device CVE-2018-14991 (The Coolpad Defiant device with a build fingerprint of Coolpad/cp3632a ...) NOT-FOR-US: Coolpad Defiant CVE-2018-14990 (The Coolpad Defiant device with a build fingerprint of Coolpad/cp3632a ...) NOT-FOR-US: Coolpad Defiant CVE-2018-14989 (The Plum Compass Android device with a build fingerprint of PLUM/c179_ ...) NOT-FOR-US: Plum Compass CVE-2018-14988 (The MXQ TV Box 4.4.2 Android device with a build fingerprint of MBX/m2 ...) NOT-FOR-US: MXQ TV Box CVE-2018-14987 (The MXQ TV Box 4.4.2 Android device with a build fingerprint of MBX/m2 ...) NOT-FOR-US: MXQ TV Box CVE-2018-14986 (The Leagoo Z5C Android device with a build fingerprint of sp7731c_1h10 ...) NOT-FOR-US: Leagoo Z5C Android device CVE-2018-14985 (The Leagoo Z5C Android device with a build fingerprint of sp7731c_1h10 ...) NOT-FOR-US: Leagoo Z5C Android device CVE-2018-14984 (The Leagoo Z5C Android device with a build fingerprint of sp7731c_1h10 ...) NOT-FOR-US: Leagoo Z5C Android device CVE-2018-14983 (The Sony Xperia L1 Android device with a build fingerprint of Sony/G33 ...) NOT-FOR-US: Sony Xperia CVE-2018-14982 (Certain LG devices based on Android 6.0 through 8.1 have incorrect acc ...) NOT-FOR-US: LG devices specific issue CVE-2018-14981 (Certain LG devices based on Android 6.0 through 8.1 have incorrect acc ...) NOT-FOR-US: LG devices specific issue CVE-2018-14980 (The ASUS ZenFone 3 Max Android device with a build fingerprint of asus ...) NOT-FOR-US: ASUS ZenFone 3 Max Android device CVE-2018-14979 (The ASUS ZenFone 3 Max Android device with a build fingerprint of asus ...) NOT-FOR-US: ASUS ZenFone 3 Max Android device CVE-2018-14978 (An issue was discovered in QCMS 3.0.1. CSRF exists via the backend/use ...) NOT-FOR-US: QCMS CVE-2018-14977 (An issue was discovered in QCMS 3.0.1. upload/System/Controller/guest. ...) NOT-FOR-US: QCMS CVE-2018-14976 (An issue was discovered in QCMS 3.0.1. upload/System/Controller/backen ...) NOT-FOR-US: QCMS CVE-2018-14975 (An issue was discovered in QCMS 3.0.1. upload/System/Controller/backen ...) NOT-FOR-US: QCMSQCMS CVE-2018-14974 (An issue was discovered in QCMS 3.0.1. upload/System/Controller/backen ...) NOT-FOR-US: QCMS CVE-2018-14973 (An issue was discovered in QCMS 3.0.1. upload/System/Controller/backen ...) NOT-FOR-US: QCMS CVE-2018-14972 (An issue was discovered in QCMS 3.0.1. upload/System/Controller/backen ...) NOT-FOR-US: QCMS CVE-2018-14971 (An issue was discovered in QCMS 3.0.1. upload/System/Controller/backen ...) NOT-FOR-US: QCMS CVE-2018-14970 (An issue was discovered in QCMS 3.0.1. upload/System/Controller/backen ...) NOT-FOR-US: QCMS CVE-2018-14969 (An issue was discovered in QCMS 3.0.1. upload/System/Controller/backen ...) NOT-FOR-US: QCMS CVE-2018-14968 (An issue was discovered in EMLsoft 5.4.5. upload\eml\action\action.add ...) NOT-FOR-US: EMLsoft CVE-2018-14967 (An issue was discovered in EMLsoft 5.4.5. upload\eml\action\action.use ...) NOT-FOR-US: EMLsoft CVE-2018-14966 (An issue was discovered in EMLsoft 5.4.5. The eml/upload/eml/?action=u ...) NOT-FOR-US: EMLsoft CVE-2018-14965 (An issue was discovered in EMLsoft 5.4.5. The eml/upload/eml/?action=a ...) NOT-FOR-US: EMLsoft CVE-2018-14964 (An issue was discovered in EMLsoft 5.4.5. XSS exists via the eml/uploa ...) NOT-FOR-US: EMLsoft CVE-2018-14963 (zzcms 8.3 has CSRF via the admin/adminadd.php?action=add URI. ...) NOT-FOR-US: zzcms CVE-2018-14962 (zzcms 8.3 has stored XSS related to the content variable in user/manag ...) NOT-FOR-US: zzcms CVE-2018-14961 (dl/dl_sendmail.php in zzcms 8.3 has SQL Injection via the sql paramete ...) NOT-FOR-US: zzcms CVE-2018-14960 (Xiao5uCompany 1.7 has CSRF via admin/Admin.asp. ...) NOT-FOR-US: Xiao5uCompany CVE-2018-14959 (An issue was discovered in WeaselCMS v0.3.5. CSRF can create new pages ...) NOT-FOR-US: WeaselCMS CVE-2018-14958 (An issue was discovered in WeaselCMS v0.3.5. CSRF can update the websi ...) NOT-FOR-US: WeaselCMS CVE-2018-14957 (CMS ISWEB 3.5.3 is vulnerable to directory traversal and local file do ...) NOT-FOR-US: CMS ISWEB CVE-2018-14956 (CMS ISWEB 3.5.3 is vulnerable to multiple SQL injection flaws. An atta ...) NOT-FOR-US: CMS ISWEB CVE-2018-14949 RESERVED CVE-2018-14948 (An issue has been found in dilawar sound through 2017-11-27. The end o ...) NOT-FOR-US: dilawar CVE-2018-14947 (An issue has been found in PDF2JSON 0.69. XmlFontAccu::CSStyle in XmlF ...) NOT-FOR-US: PDF2JSON CVE-2018-14946 (An issue has been found in PDF2JSON 0.69. The HtmlString class in ImgO ...) NOT-FOR-US: PDF2JSON CVE-2018-14945 (An issue has been found in jpeg_encoder through 2015-11-27. It is a he ...) NOT-FOR-US: jpeg_encoder CVE-2018-14944 (An issue has been found in jpeg_encoder through 2015-11-27. It is a SE ...) NOT-FOR-US: jpeg_encoder CVE-2018-14943 (Harmonic NSG 9000 devices have a default password of nsgadmin for the ...) NOT-FOR-US: Harmonic NSG 9000 devices CVE-2018-14942 (Harmonic NSG 9000 devices allow remote authenticated users to conduct ...) NOT-FOR-US: Harmonic NSG 9000 devices CVE-2018-14941 (Harmonic NSG 9000 devices allow remote authenticated users to read the ...) NOT-FOR-US: Harmonic NSG 9000 devices CVE-2018-14940 (PHPCMS 9 allows remote attackers to cause a denial of service (resourc ...) NOT-FOR-US: PHPCMS CVE-2018-14939 (The get_app_path function in desktop/unx/source/start.c in LibreOffice ...) - libreoffice (Doesn't affect LibreOffice running on glibc) CVE-2018-1000637 (zutils version prior to version 1.8-pre2 contains a Buffer Overflow vu ...) {DLA-1505-1} - zutils 1.7-3 (bug #902936; bug #904819) [stretch] - zutils 1.5-5+deb9u1 NOTE: http://www.openwall.com/lists/oss-security/2018/08/05/1 NOTE: https://lists.nongnu.org/archive/html/zutils-bug/2018-08/msg00000.html NOTE: Fixed by: upstream/0001-zcat-buffer-overrun.patch (in 1.7-3) CVE-2018-14938 (An issue was discovered in wifipcap/wifipcap.cpp in TCPFLOW through 1. ...) - tcpflow 1.5.0+repack1-1 (bug #905483) [stretch] - tcpflow (Minor issue) [jessie] - tcpflow (Minor issue) NOTE: https://github.com/simsong/tcpflow/commit/a4e1cd14eb5ccc51ed271b65b3420f7d692c40eb NOTE: https://github.com/simsong/tcpflow/issues/182 CVE-2018-14937 (The Add page option in my little forum 2.4.12 allows XSS via the Menu ...) NOT-FOR-US: My Little Forum CVE-2018-14936 (The Add page option in my little forum 2.4.12 allows XSS via the Title ...) NOT-FOR-US: My Little Forum CVE-2018-14935 (The Web administration console on Polycom Trio devices with software b ...) NOT-FOR-US: Polycom Trio CVE-2018-14934 (The Bluetooth subsystem on Polycom Trio devices with software before 5 ...) NOT-FOR-US: Polycom Trio CVE-2018-14933 (upgrade_handle.php on NUUO NVRmini devices allows Remote Command Execu ...) NOT-FOR-US: NUUO NVRmini devices CVE-2018-14932 RESERVED CVE-2018-14931 (An issue was discovered in the Core and Portal modules in Polaris FT I ...) NOT-FOR-US: Polaris FT Intellect Core Banking CVE-2018-14930 (An issue was discovered in the Armor module in Polaris FT Intellect Co ...) NOT-FOR-US: Polaris FT Intellect Core Banking CVE-2018-14929 (Matera Banco 1.0.0 is vulnerable to multiple reflected XSS, as demonst ...) NOT-FOR-US: Metara CVE-2018-14928 (/contingency/servlet/ServletFileDownload executes as root and provides ...) NOT-FOR-US: Metara CVE-2018-14927 (Matera Banco 1.0.0 is vulnerable to path traversal (allowing access to ...) NOT-FOR-US: Metara CVE-2018-14926 (Matera Banco 1.0.0 allows CSRF, as demonstrated by a /contingency/web/ ...) NOT-FOR-US: Metara CVE-2018-14925 (Matera Banco 1.0.0 mishandles Java errors in the backend, as demonstra ...) NOT-FOR-US: Metara CVE-2018-14924 (Matera Banco 1.0.0 is vulnerable to multiple stored XSS, as demonstrat ...) NOT-FOR-US: Metara CVE-2018-14923 (A vulnerability in uniview EZPlayer 1.0.6 could allow an attacker to e ...) NOT-FOR-US: EZPlayer CVE-2018-14922 (Multiple cross-site scripting (XSS) vulnerabilities in Monstra CMS 3.0 ...) NOT-FOR-US: Monstra CMS CVE-2018-14921 RESERVED CVE-2018-14920 RESERVED CVE-2018-14919 (LOYTEC LGATE-902 6.3.2 devices allow XSS. ...) NOT-FOR-US: LOYTEC LGATE-902 devices CVE-2018-14918 (LOYTEC LGATE-902 6.3.2 devices allow Directory Traversal. ...) NOT-FOR-US: LOYTEC LGATE-902 devices CVE-2018-14917 REJECTED CVE-2018-14916 (LOYTEC LGATE-902 6.3.2 devices allow Arbitrary file deletion. ...) NOT-FOR-US: LOYTEC LGATE-902 devices CVE-2018-14915 REJECTED CVE-2018-1000223 (soundtouch version up to and including 2.0.0 contains a Buffer Overflo ...) - soundtouch 2.1.2+ds1-1 (bug #905491) [stretch] - soundtouch (Minor issue) [jessie] - soundtouch (Minor issue) NOTE: https://gitlab.com/soundtouch/soundtouch/issues/6 CVE-2018-14914 RESERVED CVE-2018-14913 RESERVED CVE-2018-14912 (cgit_clone_objects in CGit before 1.2.1 has a directory traversal vuln ...) {DSA-4263-1 DLA-1459-1} - cgit 1.1+git2.10.2-3.1 (bug #905382) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1627 NOTE: https://lists.zx2c4.com/pipermail/cgit/2018-August/004176.html NOTE: https://git.zx2c4.com/cgit/commit/?id=53efaf30b50f095cad8c160488c74bba3e3b2680 CVE-2018-14911 (A file upload vulnerability exists in ukcms v1.1.7 and earlier. The vu ...) NOT-FOR-US: ukcms CVE-2018-14910 (SeaCMS v6.61 allows Remote Code execution by placing PHP code in an al ...) NOT-FOR-US: SeaCMS CVE-2018-14909 RESERVED CVE-2018-14908 (Samsung Syncthru Web Service V4.05.61 is vulnerable to CSRF on every r ...) NOT-FOR-US: Samsung Syncthru Web Service CVE-2018-14907 (The Web server in 3CX version 15.5.8801.3 is vulnerable to Information ...) NOT-FOR-US: 3CX CVE-2018-14906 (The Web server in 3CX version 15.5.8801.3 is vulnerable to Reflected X ...) NOT-FOR-US: 3CX CVE-2018-14905 (The Web server in 3CX version 15.5.8801.3 is vulnerable to Reflected X ...) NOT-FOR-US: 3CX CVE-2018-14904 (Samsung Syncthru Web Service V4.05.61 is vulnerable to Multiple unauth ...) NOT-FOR-US: Samsung Syncthru Web Service CVE-2018-14903 (EPSON WF-2750 printers with firmware JP02I2 do not properly validate f ...) NOT-FOR-US: EPSON WF-2750 printers CVE-2018-14902 (The ContentProvider in the EPSON iPrint application 6.6.3 for Android ...) NOT-FOR-US: EPSON iPrint application for Android CVE-2018-14901 (The EPSON iPrint application 6.6.3 for Android contains hard-coded API ...) NOT-FOR-US: EPSON iPrint application for Android CVE-2018-14900 (On EPSON WF-2750 printers with firmware JP02I2, there is no filtering ...) NOT-FOR-US: EPSON WF-2750 printers CVE-2018-14899 (On the EPSON WF-2750 printer with firmware JP02I2, the Web interface A ...) NOT-FOR-US: EPSON WF-2750 printer CVE-2018-14898 RESERVED CVE-2018-14897 RESERVED CVE-2018-14896 RESERVED CVE-2018-14895 RESERVED CVE-2018-14894 (CyberArk Endpoint Privilege Manager 10.2.1.603 and earlier allows an a ...) NOT-FOR-US: CyberArk Endpoint Privilege Manager CVE-2018-14893 (A system command injection vulnerability in zyshclient in ZyXEL NSA325 ...) NOT-FOR-US: ZyXEL CVE-2018-14892 (Missing protections against Cross-Site Request Forgery in the web appl ...) NOT-FOR-US: ZyXEL CVE-2018-14891 (Management Console in Vectra Networks Cognito Brain and Sensor before ...) NOT-FOR-US: Vectra Networks Cognito Brain and Sensor CVE-2018-14890 (Vectra Networks Cognito Brain and Sensor before 4.2 contains a cross-s ...) NOT-FOR-US: Vectra Networks Cognito Brain and Sensor CVE-2018-14889 (CouchDB in Vectra Networks Cognito Brain and Sensor before 4.3 contain ...) NOT-FOR-US: Vectra Networks Cognito Brain and Sensor CVE-2018-14888 (inc/plugins/thankyoulike.php in the Eldenroot Thank You/Like plugin be ...) NOT-FOR-US: Eldenroot Thank You/Like plugin for MyBB CVE-2018-14887 (Improper Host header sanitization in the dbfilter routing component in ...) NOT-FOR-US: Odoo CVE-2018-14886 (The module-description renderer in Odoo Community 11.0 and earlier and ...) NOT-FOR-US: Odoo CVE-2018-14885 (Incorrect access control in the database manager component in Odoo Com ...) NOT-FOR-US: Odoo CVE-2018-14884 (An issue was discovered in PHP 7.0.x before 7.0.27, 7.1.x before 7.1.1 ...) - php7.2 7.2.1-1 - php7.1 7.1.13-1 - php7.0 7.0.27-1 - php5 (vulnerable code not present) NOTE: Fixed in 7.0.27, 7.1.13, 7.2.1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=75535 NOTE: Fixed by: https://github.com/php/php-src/commit/0e097f2c96ce31b16fa371981045f224e5a37160 NOTE: Introduced in: https://github.com/php/php-src/commit/5146d9f8ac170d8ba7109370d732d56dc0777578 CVE-2018-14883 (An issue was discovered in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1 ...) {DSA-4353-1 DLA-1490-1} - php7.2 7.2.8-1 - php7.1 7.1.20-1 - php7.0 7.0.31-1 - php5 NOTE: Fixed in 5.6.37, 7.0.31, 7.1.20, 7.2.8 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=76423 CVE-2018-14882 (The ICMPv6 parser in tcpdump before 4.9.3 has a buffer over-read in pr ...) {DSA-4547-1 DLA-1955-1} - tcpdump 4.9.3-1 (bug #941698) NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/d7505276842e85bfd067fa21cdb32b8a2dc3c5e4 CVE-2018-14881 (The BGP parser in tcpdump before 4.9.3 has a buffer over-read in print ...) {DSA-4547-1 DLA-1955-1} - tcpdump 4.9.3-1 (bug #941698) NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/86326e880d31b328a151d45348c35220baa9a1ff CVE-2018-14880 (The OSPFv3 parser in tcpdump before 4.9.3 has a buffer over-read in pr ...) {DSA-4547-1 DLA-1955-1} - tcpdump 4.9.3-1 (bug #941698) NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/e01c9bf76740802025c9328901b55ee4a0c49ed6 CVE-2018-14879 (The command-line argument parser in tcpdump before 4.9.3 has a buffer ...) {DSA-4547-1 DLA-1955-1} - tcpdump 4.9.3-1 (bug #941698) NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/9ba91381954ad325ea4fd26b9c65a8bd9a2a85b6 CVE-2018-XXXX [DSA verification crashes OpenSSL on invalid combinations of key content] - xml-security-c 2.0.2-2 (bug #913136) [stretch] - xml-security-c 1.7.3-4+deb9u2 [jessie] - xml-security-c 1.7.2-3+deb8u2 NOTE: temporary entry for DLA-1594-1 NOTE: https://issues.apache.org/jira/browse/SANTUARIO-496 NOTE: patch 1/2: http://svn.apache.org/r1843562 NOTE: patch 2/2: http://svn.apache.org/r1843566 CVE-2018-XXXX [Default KeyInfo resolver doesn't check for empty element content.] [experimental] - xml-security-c 2.0.1-1 - xml-security-c 1.7.3-4+deb9u1 (bug #905332) [stretch] - xml-security-c 1.7.3-4+deb9u1 [jessie] - xml-security-c 1.7.2-3+deb8u1 NOTE: https://issues.apache.org/jira/projects/SANTUARIO/issues/SANTUARIO-491 NOTE: https://shibboleth.net/community/advisories/secadv_20180803.txt CVE-2018-14878 (JetBrains dotPeek before 2018.2 and ReSharper Ultimate before 2018.1.4 ...) NOT-FOR-US: JetBrains dotPeek CVE-2018-14877 (An issue was discovered in WeaselCMS v0.3.5. XSS exists via Site Langu ...) NOT-FOR-US: WeaselCMS CVE-2018-14876 (An issue was discovered in image_save_png in image/image-png.cpp in Fr ...) - flif NOTE: https://github.com/FLIF-hub/FLIF/issues/520 CVE-2018-14875 (An issue was discovered in the Core and Portal modules in Polaris FT I ...) NOT-FOR-US: Polaris FT Intellect Core Banking CVE-2018-14874 (An issue was discovered in the Armor module in Polaris FT Intellect Co ...) NOT-FOR-US: Polaris FT Intellect Core Banking CVE-2018-14873 (An issue was discovered in Rincewind 0.1. There is a cross-site script ...) NOT-FOR-US: Rincewind CVE-2018-14872 (An issue was discovered in Rincewind 0.1. A reinstall vulnerability ex ...) NOT-FOR-US: Rincewind CVE-2018-14871 RESERVED CVE-2018-14870 RESERVED CVE-2018-14869 (PHP Template Store Script 3.0.6 allows XSS via the Address line 1, Add ...) NOT-FOR-US: PHP Template Store Script CVE-2018-14868 (Incorrect access control in the Password Encryption module in Odoo Com ...) NOT-FOR-US: Odoo CVE-2018-14867 (Incorrect access control in the portal messaging system in Odoo Commun ...) NOT-FOR-US: Odoo CVE-2018-14866 (Incorrect access control in the TransientModel framework in Odoo Commu ...) NOT-FOR-US: Odoo CVE-2018-14865 (Report engine in Odoo Community 9.0 through 11.0 and earlier and Odoo ...) NOT-FOR-US: Odoo CVE-2018-14864 (Incorrect access control in asset bundles in Odoo Community 9.0 throug ...) NOT-FOR-US: Odoo CVE-2018-14863 (Incorrect access control in the RPC framework in Odoo Community 8.0 th ...) NOT-FOR-US: Odoo CVE-2018-14862 (Incorrect access control in the mail templating system in Odoo Communi ...) NOT-FOR-US: Odoo CVE-2018-14861 (Improper data access control in Odoo Community 10.0 and 11.0 and Odoo ...) NOT-FOR-US: Odoo CVE-2018-14860 (Improper sanitization of dynamic user expressions in Odoo Community 11 ...) NOT-FOR-US: Odoo CVE-2018-14859 (Incorrect access control in the password reset component in Odoo Commu ...) NOT-FOR-US: Odoo CVE-2018-14858 (An SSRF vulnerability was discovered in idreamsoft iCMS before V7.0.11 ...) NOT-FOR-US: idreamsoft iCMS CVE-2018-14857 (Unrestricted file upload (with remote code execution) in require/mail/ ...) - ocsinventory-server (unimportant) NOTE: Authentication is needed, only supported in trusted environments, see debtags CVE-2018-14856 (Buffer overflow in dhd_bus_flow_ring_create_response in drivers/net/wi ...) NOT-FOR-US: Samsung wifi driver for Android CVE-2018-14855 (Buffer overflow in dhd_bus_flow_ring_flush_response in drivers/net/wir ...) NOT-FOR-US: Samsung wifi driver for Android CVE-2018-14854 (Buffer overflow in dhd_bus_flow_ring_delete_response in drivers/net/wi ...) NOT-FOR-US: Samsung wifi driver for Android CVE-2018-14853 (A NULL pointer dereference in dhd_prot_txdata_write_flush in drivers/n ...) NOT-FOR-US: Samsung wifi driver for Android CVE-2018-14852 (Out-of-bounds array access in dhd_rx_frame in drivers/net/wireless/bcm ...) NOT-FOR-US: Samsung wifi driver for Android CVE-2018-14851 (exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, ...) {DSA-4353-1 DLA-1490-1} - php7.2 7.2.8-1 - php7.1 7.1.20-1 - php7.0 7.0.31-1 - php5 NOTE: Fixed in 5.6.37, 7.0.31, 7.1.20, 7.2.8 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=76557 CVE-2018-14850 (Stored XSS vulnerabilities in Tiki before 18.2, 15.7 and 12.14 allow a ...) - tikiwiki NOTE: https://sourceforge.net/p/tikiwiki/code/66990 CVE-2018-14849 (Tiki before 18.2, 15.7 and 12.14 has XSS via link attributes, related ...) - tikiwiki NOTE: https://sourceforge.net/p/tikiwiki/code/66809 CVE-2018-14848 RESERVED CVE-2018-14847 (MikroTik RouterOS through 6.42 allows unauthenticated remote attackers ...) NOT-FOR-US: Winbox for MikroTik RouterOS CVE-2018-14846 (The Mondula Multi Step Form plugin before 1.2.8 for WordPress has mult ...) NOT-FOR-US: Mondula Multi Step Form plugin for WordPress CVE-2018-14845 RESERVED CVE-2018-14844 RESERVED CVE-2018-14843 RESERVED CVE-2018-14842 RESERVED CVE-2018-14841 RESERVED CVE-2018-14840 (uploads/.htaccess in Subrion CMS 4.2.1 allows XSS because it does not ...) NOT-FOR-US: Subrion CMS CVE-2018-14839 (LG N1A1 NAS 3718.510 is affected by: Remote Command Execution. The imp ...) NOT-FOR-US: LG N1A1 NAS CVE-2018-14838 (rejucms 2.1 has stored XSS via the admin/book.php content parameter. ...) NOT-FOR-US: rejucms CVE-2018-14837 (Wolf CMS 0.8.3.1 has XSS in the Snippets tab, as demonstrated by a ?/a ...) NOT-FOR-US: Wolf CMS CVE-2018-14836 (Subrion 4.2.1 is vulnerable to Improper Access control because user gr ...) NOT-FOR-US: Subrion CMS CVE-2018-14835 (Subrion CMS v4.2.1 is vulnerable to Stored XSS because of no escaping ...) NOT-FOR-US: Subrion CMS CVE-2018-14834 RESERVED CVE-2018-14833 (Intuit Lacerte 2017 has Incorrect Access Control. ...) NOT-FOR-US: Intuit CVE-2018-14832 RESERVED CVE-2018-14831 (An arbitrary file read vulnerability in DamiCMS v6.0.0 allows remote a ...) NOT-FOR-US: DamiCMS CVE-2018-14830 RESERVED CVE-2018-14829 (Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. This vu ...) NOT-FOR-US: Rockwell Automation RSLinx Classic CVE-2018-14828 (Advantech WebAccess 8.3.1 and earlier has an improper privilege manage ...) NOT-FOR-US: Advantech WebAccess CVE-2018-14827 (Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. A remot ...) NOT-FOR-US: Rockwell Automation RSLinx Classic CVE-2018-14826 (Entes EMG12 versions 2.57 and prior The application uses a web interfa ...) NOT-FOR-US: Entes EMG12 CVE-2018-14825 (On Honeywell Mobile Computers (CT60 running Android OS 7.1, CN80 runni ...) NOT-FOR-US: Honeywell CVE-2018-14824 (Delta Electronics Delta Industrial Automation PMSoft v2.11 or prior ha ...) NOT-FOR-US: Delta Electronics Delta Industrial Automation PMSoft CVE-2018-14823 (Fuji Electric V-Server 4.0.3.0 and prior, A stack-based buffer overflo ...) NOT-FOR-US: Fuji Electric V-Server CVE-2018-14822 (Entes EMG12 versions 2.57 and prior an information exposure through qu ...) NOT-FOR-US: Entes EMG12 CVE-2018-14821 (Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. This vu ...) NOT-FOR-US: Rockwell Automation RSLinx Classic CVE-2018-14820 (Advantech WebAccess 8.3.1 and earlier has a .dll component that is sus ...) NOT-FOR-US: Advantech WebAccess CVE-2018-14819 (Fuji Electric V-Server 4.0.3.0 and prior, An out-of-bounds read vulner ...) NOT-FOR-US: Fuji Electric V-Server CVE-2018-14818 (WECON Technology Co., Ltd. PI Studio HMI versions 4.1.9 and prior and ...) NOT-FOR-US: PI Studio HMI CVE-2018-14817 (Fuji Electric V-Server 4.0.3.0 and prior, An integer underflow vulnera ...) NOT-FOR-US: Fuji Electric V-Server CVE-2018-14816 (Advantech WebAccess 8.3.1 and earlier has several stack-based buffer o ...) NOT-FOR-US: Advantech WebAccess CVE-2018-14815 (Fuji Electric V-Server 4.0.3.0 and prior, Several out-of-bounds write ...) NOT-FOR-US: Fuji Electric V-Server CVE-2018-14814 (WECON Technology PI Studio HMI versions 4.1.9 and prior and PI Studio ...) NOT-FOR-US: WECON CVE-2018-14813 (Fuji Electric V-Server 4.0.3.0 and prior, A heap-based buffer overflow ...) NOT-FOR-US: Fuji Electric V-Server CVE-2018-14812 (An uncontrolled search path element (DLL Hijacking) vulnerability has ...) NOT-FOR-US: Fuji CVE-2018-14811 (Fuji Electric V-Server 4.0.3.0 and prior, Multiple untrusted pointer d ...) NOT-FOR-US: Fuji Electric V-Server CVE-2018-14810 (WECON Technology Co., Ltd. PI Studio HMI versions 4.1.9 and prior and ...) NOT-FOR-US: PI Studio HMI CVE-2018-14809 (Fuji Electric V-Server 4.0.3.0 and prior, A use after free vulnerabili ...) NOT-FOR-US: Fuji Electric V-Server CVE-2018-14808 (Emerson AMS Device Manager v12.0 to v13.5. Non-administrative users a ...) NOT-FOR-US: Emerson AMS Device Manager CVE-2018-14807 (A stack-based buffer overflow vulnerability in Opto 22 PAC Control Bas ...) NOT-FOR-US: Opto CVE-2018-14806 (Advantech WebAccess 8.3.1 and earlier has a path traversal vulnerabili ...) NOT-FOR-US: Advantech WebAccess CVE-2018-14805 (ABB eSOMS version 6.0.2 may allow unauthorized access to the system wh ...) NOT-FOR-US: ABB eSOMS CVE-2018-14804 (Emerson AMS Device Manager v12.0 to v13.5. A specially crafted script ...) NOT-FOR-US: Emerson AMS Device Manager CVE-2018-14803 (Philips e-Alert Unit (non-medical device), Version R2.1 and prior. The ...) NOT-FOR-US: Philips e-Alert Unit CVE-2018-14802 (Fuji Electric FRENIC LOADER v3.3 v7.3.4.1a of FRENIC-Mini (C1), FRENIC ...) NOT-FOR-US: Fuji Electric CVE-2018-14801 (In Philips PageWriter TC10, TC20, TC30, TC50, TC70 Cardiographs, all v ...) NOT-FOR-US: Philips PageWriter CVE-2018-14800 (Delta Electronics ISPSoft version 3.0.5 and prior allow an attacker, b ...) NOT-FOR-US: Delta Electronics ISPSoft CVE-2018-14799 (In Philips PageWriter TC10, TC20, TC30, TC50, TC70 Cardiographs, all v ...) NOT-FOR-US: Philips PageWriter CVE-2018-14798 (Fuji Electric FRENIC LOADER v3.3 v7.3.4.1a of FRENIC-Mini (C1), FRENIC ...) NOT-FOR-US: Fuji Electric CVE-2018-14797 (Emerson DeltaV DCS versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, R5 allow a ...) NOT-FOR-US: Emerson DeltaV DCS CVE-2018-14796 (Tec4Data SmartCooler, all versions prior to firmware 180806, the devic ...) NOT-FOR-US: Tec4Data SmartCooler CVE-2018-14795 (DeltaV Versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, and R5 is vulnerable d ...) NOT-FOR-US: DeltaV CVE-2018-14794 (Fuji Electric Alpha5 Smart Loader Versions 3.7 and prior. The device d ...) NOT-FOR-US: Fuji Electric CVE-2018-14793 (DeltaV Versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, and R5 is vulnerable t ...) NOT-FOR-US: DeltaV CVE-2018-14792 (WECON PLC Editor version 1.3.3U may allow an attacker to execute code ...) NOT-FOR-US: WECON CVE-2018-14791 (Emerson DeltaV DCS versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, R5 may all ...) NOT-FOR-US: Emerson DeltaV DCS CVE-2018-14790 (Fuji Electric FRENIC LOADER v3.3 v7.3.4.1a of FRENIC-Mini (C1), FRENIC ...) NOT-FOR-US: Fuji Electric CVE-2018-14789 (In Philips' IntelliSpace Cardiovascular (ISCV) products (ISCV Version ...) NOT-FOR-US: Philips CVE-2018-14788 (Fuji Electric Alpha5 Smart Loader Versions 3.7 and prior. A buffer ove ...) NOT-FOR-US: Fuji Electric CVE-2018-14787 (In Philips' IntelliSpace Cardiovascular (ISCV) products (ISCV Version ...) NOT-FOR-US: Philips CVE-2018-14786 (Becton, Dickinson and Company (BD) Alaris Plus medical syringe pumps ( ...) NOT-FOR-US: medical pumps CVE-2018-14785 (NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmw ...) NOT-FOR-US: NetComm Wireless G LTE Light Industrial M2M Router CVE-2018-14784 (NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmw ...) NOT-FOR-US: NetComm Wireless G LTE Light Industrial M2M Router CVE-2018-14783 (NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmw ...) NOT-FOR-US: NetComm Wireless G LTE Light Industrial M2M Router CVE-2018-14782 (NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmw ...) NOT-FOR-US: NetComm Wireless G LTE Light Industrial M2M Router CVE-2018-14781 (Medtronic MMT 508 MiniMed insulin pump, 522 / MMT - 722 Paradigm REAL- ...) NOT-FOR-US: Medtronic CVE-2018-14780 (An out-of-bounds read issue was discovered in the Yubico-Piv 1.5.0 sma ...) - yubico-piv-tool 1.6.1-1 (low; bug #906128) [stretch] - yubico-piv-tool 1.4.2-2+deb9u1 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-001-Yubico-Piv/ CVE-2018-14779 (A buffer overflow issue was discovered in the Yubico-Piv 1.5.0 smartca ...) - yubico-piv-tool 1.6.1-1 (low; bug #906128) [stretch] - yubico-piv-tool 1.4.2-2+deb9u1 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-001-Yubico-Piv/ CVE-2018-14778 RESERVED CVE-2015-9262 (_XcursorThemeInherits in library.c in libXcursor before 1.1.15 allows ...) {DLA-1469-1} - libxcursor 1:1.1.15-1 (low; bug #906012) [stretch] - libxcursor 1:1.1.14-1+deb9u2 NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=90857 NOTE: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=897213f36baf6926daf6d192c709cf627aa5fd05 CVE-2018-14777 (An issue was discovered in DataLife Engine (DLE) through 13.0. An atta ...) NOT-FOR-US: DataLife Engine CVE-2018-1000631 (Battelle V2I Hub 3.0 is vulnerable to SQL injection. A remote attacker ...) NOT-FOR-US: Battelle V2I Hub CVE-2018-1000630 (Battelle V2I Hub 2.5.1 is vulnerable to SQL injection. A remote authen ...) NOT-FOR-US: Battelle V2I Hub CVE-2018-1000629 (Battelle V2I Hub 2.5.1 is vulnerable to cross-site scripting, caused b ...) NOT-FOR-US: Battelle V2I Hub CVE-2018-1000628 (Battelle V2I Hub 2.5.1 could allow a remote attacker to bypass securit ...) NOT-FOR-US: Battelle V2I Hub CVE-2018-1000627 (Battelle V2I Hub 2.5.1 could allow a remote attacker to obtain sensiti ...) NOT-FOR-US: Battelle V2I Hub CVE-2018-1000626 (Battelle V2I Hub 2.5.1 could allow a remote attacker to bypass securit ...) NOT-FOR-US: Battelle V2I Hub CVE-2018-1000625 (Battelle V2I Hub 2.5.1 contains hard-coded credentials for the adminis ...) NOT-FOR-US: Battelle V2I Hub CVE-2018-1000624 (Battelle V2I Hub 2.5.1 is vulnerable to a denial of service, caused by ...) NOT-FOR-US: Battelle V2I Hub CVE-2018-14776 (Click Studios Passwordstate before 8.3 Build 8397 allows XSS by authen ...) NOT-FOR-US: Click Studios Passwordstate CVE-2018-14775 (tss_alloc in sys/arch/i386/i386/gdt.c in OpenBSD 6.2 and 6.3 has a Loc ...) NOT-FOR-US: OpenBSD CVE-2018-14774 (An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, ...) - symfony 3.4.14+dfsg-1 [stretch] - symfony (Minor issue) [jessie] - symfony (Vulnerable code not present, introduced later in commit 4c8a25a6e2) NOTE: https://symfony.com/blog/cve-2018-14774-possible-host-header-injection-when-using-httpcache CVE-2018-14773 (An issue was discovered in Http Foundation in Symfony 2.7.0 through 2. ...) {DSA-4441-1 DLA-1707-1} - symfony 3.4.14+dfsg-1 NOTE: https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers CVE-2018-14772 (Pydio 4.2.1 through 8.2.1 has an authenticated remote code execution v ...) - ajaxplorer (bug #668381) CVE-2018-14771 (VIVOTEK FD8177 devices before XXXXXX-VVTK-xx06a allow remote attackers ...) NOT-FOR-US: VIVOTEK FD8177 devices CVE-2018-14770 (VIVOTEK FD8177 devices before XXXXXX-VVTK-xx06a allow remote attackers ...) NOT-FOR-US: VIVOTEK FD8177 devices CVE-2018-14769 (VIVOTEK FD8177 devices before XXXXXX-VVTK-xx06a allow CSRF. ...) NOT-FOR-US: VIVOTEK FD8177 devices CVE-2018-14768 (Various VIVOTEK FD8*, FD9*, FE9*, IB8*, IB9*, IP9*, IZ9*, MS9*, SD9*, ...) NOT-FOR-US: VIVOTEK devices CVE-2018-1999025 (A man in the middle vulnerability exists in Jenkins TraceTronic ECU-TE ...) NOT-FOR-US: Jenkins plugin CVE-2018-1999026 (A server-side request forgery vulnerability exists in Jenkins TraceTro ...) NOT-FOR-US: Jenkins plugin CVE-2018-1999027 (An exposure of sensitive information vulnerability exists in Jenkins S ...) NOT-FOR-US: Jenkins plugin CVE-2018-1999028 (An exposure of sensitive information vulnerability exists in Jenkins A ...) NOT-FOR-US: Jenkins plugin CVE-2018-1999029 (A cross-site scripting vulnerability exists in Jenkins Shelve Project ...) NOT-FOR-US: Jenkins plugin CVE-2018-1999041 (An exposure of sensitive information vulnerability exists in Jenkins T ...) NOT-FOR-US: Jenkins plugin CVE-2018-1999040 (An exposure of sensitive information vulnerability exists in Jenkins K ...) NOT-FOR-US: Jenkins plugin CVE-2018-1999039 (A server-side request forgery vulnerability exists in Jenkins Confluen ...) NOT-FOR-US: Jenkins plugin CVE-2018-1999038 (A confused deputy vulnerability exists in Jenkins Publisher Over CIFS ...) NOT-FOR-US: Jenkins plugin CVE-2018-1999037 (A data modification vulnerability exists in Jenkins Resource Disposer ...) NOT-FOR-US: Jenkins plugin CVE-2018-1999036 (An exposure of sensitive information vulnerability exists in Jenkins S ...) NOT-FOR-US: Jenkins plugin CVE-2018-1999030 (An exposure of sensitive information vulnerability exists in Jenkins M ...) NOT-FOR-US: Jenkins plugin CVE-2018-1999031 (An exposure of sensitive information vulnerability exists in Jenkins m ...) NOT-FOR-US: Jenkins plugin CVE-2018-1999032 (A data modification vulnerability exists in Jenkins Agiletestware Pang ...) NOT-FOR-US: Jenkins plugin CVE-2018-1999033 (An exposure of sensitive information vulnerability exists in Jenkins A ...) NOT-FOR-US: Jenkins plugin CVE-2018-1999034 (A man in the middle vulnerability exists in Jenkins Inedo ProGet Plugi ...) NOT-FOR-US: Jenkins plugin CVE-2018-1999035 (A man in the middle vulnerability exists in Jenkins Inedo BuildMaster ...) NOT-FOR-US: Jenkins plugin CVE-2018-14767 (In Kamailio before 5.0.7 and 5.1.x before 5.1.4, a crafted SIP message ...) {DSA-4267-1 DLA-1471-1} - kamailio 5.1.4-1 NOTE: https://skalatan.de/blog/advisory-hw-2018-05 NOTE: https://www.kamailio.org/w/2018/07/kamailio-security-announcement-for-kamailio-core/ NOTE: https://github.com/kamailio/kamailio/commit/281a6c6b6eaaf30058b603325e8ded20b99e1456 CVE-2018-14766 RESERVED CVE-2018-14765 RESERVED CVE-2018-14764 RESERVED CVE-2018-14763 RESERVED CVE-2018-14762 RESERVED CVE-2018-14761 RESERVED CVE-2018-14760 RESERVED CVE-2018-14759 RESERVED CVE-2018-14758 RESERVED CVE-2018-14757 RESERVED CVE-2018-14756 RESERVED CVE-2018-14755 RESERVED CVE-2018-14754 RESERVED CVE-2018-14753 RESERVED CVE-2018-14752 RESERVED CVE-2018-14751 RESERVED CVE-2018-14750 RESERVED CVE-2018-14749 (Buffer Overflow vulnerability in QTS 4.3.5 build 20181013, QTS 4.3.4 b ...) NOT-FOR-US: QNAP CVE-2018-14748 (Improper Authorization vulnerability in QTS 4.3.5 build 20181013, QTS ...) NOT-FOR-US: QNAP CVE-2018-14747 (NULL Pointer Dereference vulnerability in QTS 4.3.5 build 20181013, QT ...) NOT-FOR-US: QNAP CVE-2018-14746 (Command Injection vulnerability in QTS 4.3.5 build 20181013, QTS 4.3.4 ...) NOT-FOR-US: QNAP CVE-2018-14955 (The mail message display page in SquirrelMail through 1.4.22 has XSS v ...) {DLA-1484-1} - squirrelmail (bug #905023) NOTE: https://sourceforge.net/p/squirrelmail/bugs/2831/ CVE-2018-14954 (The mail message display page in SquirrelMail through 1.4.22 has XSS v ...) {DLA-1484-1} - squirrelmail (bug #905023) NOTE: https://sourceforge.net/p/squirrelmail/bugs/2831/ CVE-2018-14953 (The mail message display page in SquirrelMail through 1.4.22 has XSS v ...) {DLA-1484-1} - squirrelmail (bug #905023) NOTE: https://sourceforge.net/p/squirrelmail/bugs/2831/ CVE-2018-14952 (The mail message display page in SquirrelMail through 1.4.22 has XSS v ...) {DLA-1484-1} - squirrelmail (bug #905023) NOTE: https://sourceforge.net/p/squirrelmail/bugs/2831/ CVE-2018-14951 (The mail message display page in SquirrelMail through 1.4.22 has XSS v ...) {DLA-1484-1} - squirrelmail (bug #905023) NOTE: https://sourceforge.net/p/squirrelmail/bugs/2831/ CVE-2018-14950 (The mail message display page in SquirrelMail through 1.4.22 has XSS v ...) {DLA-1484-1} - squirrelmail (bug #905023) NOTE: https://sourceforge.net/p/squirrelmail/bugs/2831/ CVE-2018-14745 (Buffer overflow in prot_get_ring_space in the bcmdhd4358 Wi-Fi driver ...) NOT-FOR-US: bcmdhd4538 wifi driver (not in mainline) CVE-2018-14744 (An issue was discovered in libpbc.a in cloudwu PBC through 2017-03-02. ...) NOT-FOR-US: cloudwu PBC CVE-2018-14743 (An issue was discovered in libpbc.a in cloudwu PBC through 2017-03-02. ...) NOT-FOR-US: cloudwu PBC CVE-2018-14742 (An issue was discovered in libpbc.a in cloudwu PBC through 2017-03-02. ...) NOT-FOR-US: cloudwu PBC CVE-2018-14741 (An issue was discovered in libpbc.a in cloudwu PBC through 2017-03-02. ...) NOT-FOR-US: cloudwu PBC CVE-2018-14740 (An issue was discovered in libpbc.a in cloudwu PBC through 2017-03-02. ...) NOT-FOR-US: cloudwu PBC CVE-2018-14739 (An issue was discovered in libpbc.a in cloudwu PBC through 2017-03-02. ...) NOT-FOR-US: cloudwu PBC CVE-2018-14738 (An issue was discovered in libpbc.a in cloudwu PBC through 2017-03-02. ...) NOT-FOR-US: cloudwu PBC CVE-2018-14737 (An issue was discovered in libpbc.a in cloudwu PBC through 2017-03-02. ...) NOT-FOR-US: cloudwu PBC CVE-2018-14736 (An issue was discovered in libpbc.a in cloudwu PBC through 2017-03-02. ...) NOT-FOR-US: cloudwu PBC CVE-2018-14735 (An Information Exposure issue was discovered in Hitachi Command Suite ...) NOT-FOR-US: Hitachi CVE-2018-14733 (The Odoo Community Association (OCA) dbfilter_from_header module makes ...) NOT-FOR-US: Odoo CVE-2018-14734 (drivers/infiniband/core/ucma.c in the Linux kernel through 4.17.11 all ...) {DSA-4308-1 DLA-1531-1 DLA-1529-1} - linux 4.17.14-1 NOTE: https://git.kernel.org/linus/cb2595c1393b4a5211534e6f0a0fbad369e21ad8 (4.18-rc1) CVE-2018-14732 (An issue was discovered in lib/Server.js in webpack-dev-server before ...) NOT-FOR-US: webpack-dev-server CVE-2018-14731 (An issue was discovered in HMRServer.js in Parcel parcel-bundler. Atta ...) NOT-FOR-US: parcel-bundler CVE-2018-14730 (An issue was discovered in Browserify-HMR. Attackers are able to steal ...) NOT-FOR-US: Browserify-HMR CVE-2018-14729 (The database backup feature in upload/source/admincp/admincp_db.php in ...) NOT-FOR-US: Discuz! CVE-2018-14728 (upload.php in Responsive FileManager 9.13.1 allows SSRF via the url pa ...) NOT-FOR-US: Responsive FileManager CVE-2018-14727 RESERVED CVE-2018-14726 RESERVED CVE-2018-14725 RESERVED CVE-2018-14724 (In the Ban List plugin 1.0 for MyBB, any forum user with mod privilege ...) NOT-FOR-US: MyBB plugin CVE-2018-14723 RESERVED CVE-2018-14722 (An issue was discovered in evaluate_auto_mountpoint in btrfsmaintenanc ...) - btrfsmaintenance 0.4.1-2 (bug #906131) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1102721 CVE-2018-14721 (FasterXML jackson-databind 2.x before 2.9.7 might allow remote attacke ...) {DSA-4452-1 DLA-1703-1} - jackson-databind 2.9.8-1 NOTE: https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44 NOTE: https://github.com/FasterXML/jackson-databind/issues/2097 CVE-2018-14720 (FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to c ...) {DSA-4452-1 DLA-1703-1} - jackson-databind 2.9.8-1 NOTE: https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44 NOTE: https://github.com/FasterXML/jackson-databind/issues/2097 CVE-2018-14719 (FasterXML jackson-databind 2.x before 2.9.7 might allow remote attacke ...) {DSA-4452-1 DLA-1703-1} - jackson-databind 2.9.8-1 NOTE: https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44 NOTE: https://github.com/FasterXML/jackson-databind/issues/2097 CVE-2018-14718 (FasterXML jackson-databind 2.x before 2.9.7 might allow remote attacke ...) {DSA-4452-1 DLA-1703-1} - jackson-databind 2.9.8-1 NOTE: https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44 NOTE: https://github.com/FasterXML/jackson-databind/issues/2097 CVE-2018-14717 RESERVED CVE-2018-14716 (A Server Side Template Injection (SSTI) was discovered in the SEOmatic ...) NOT-FOR-US: SEOmatic plugin for Craft CMS CVE-2018-14715 (The endCoinFlip function and throwSlammer function of the smart contra ...) NOT-FOR-US: smart contract implementations for Cryptogs CVE-2018-14714 (System command injection in appGet.cgi on ASUS RT-AC3200 version 3.0.0 ...) NOT-FOR-US: ASUS RT-AC3200 CVE-2018-14713 (Format string vulnerability in appGet.cgi on ASUS RT-AC3200 version 3. ...) NOT-FOR-US: ASUS RT-AC3200 CVE-2018-14712 (Buffer overflow in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50 ...) NOT-FOR-US: ASUS RT-AC3200 CVE-2018-14711 (Missing cross-site request forgery protection in appGet.cgi on ASUS RT ...) NOT-FOR-US: ASUS RT-AC3200 CVE-2018-14710 (Cross-site scripting in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.3 ...) NOT-FOR-US: ASUS RT-AC3200 CVE-2018-14709 (Incorrect access control in the Dashboard API on Drobo 5N2 NAS version ...) NOT-FOR-US: Dashboard API on Drobo 5N2 NAS CVE-2018-14708 (An insecure transport protocol used by Drobo Dashboard API on Drobo 5N ...) NOT-FOR-US: Drobo Dashboard API on Drobo 5N2 NAS CVE-2018-14707 (Directory traversal in the Drobo Pix web application on Drobo 5N2 NAS ...) NOT-FOR-US: Drobo Pix web application on Drobo 5N2 NAS CVE-2018-14706 (System command injection in the /DroboPix/api/drobopix/demo endpoint o ...) NOT-FOR-US: Drobo 5N2 NAS CVE-2018-14705 (In Drobo 5N2 4.0.5, all optional applications lack any form of authent ...) NOT-FOR-US: Drobo 5N2 CVE-2018-14704 (Cross-site scripting in the MySQL API error page in Drobo 5N2 NAS vers ...) NOT-FOR-US: Drobo 5N2 NAS CVE-2018-14703 (Incorrect access control in the /mysql/api/droboapp/data endpoint in D ...) NOT-FOR-US: Drobo 5N2 NAS CVE-2018-14702 (Incorrect access control in the /drobopix/api/drobo.php endpoint in Dr ...) NOT-FOR-US: Drobo 5N2 NAS CVE-2018-14701 (System command injection in the /DroboAccess/delete_user endpoint in D ...) NOT-FOR-US: Drobo 5N2 NAS CVE-2018-14700 (Incorrect access control in the /mysql/api/logfile.php endpoint in Dro ...) NOT-FOR-US: Drobo 5N2 NAS CVE-2018-14699 (System command injection in the /DroboAccess/enable_user endpoint in D ...) NOT-FOR-US: Drobo 5N2 NAS CVE-2018-14698 (Cross-site scripting in the /DroboAccess/delete_user endpoint in Drobo ...) NOT-FOR-US: Drobo 5N2 NAS CVE-2018-14697 (Cross-site scripting in the /DroboAccess/enable_user endpoint in Drobo ...) NOT-FOR-US: Drobo 5N2 NAS CVE-2018-14696 (Incorrect access control in the /mysql/api/drobo.php endpoint in Drobo ...) NOT-FOR-US: Drobo 5N2 NAS CVE-2018-14695 (Incorrect access control in the /mysql/api/diags.php endpoint in Drobo ...) NOT-FOR-US: Drobo 5N2 NAS CVE-2018-14694 RESERVED CVE-2018-14693 RESERVED CVE-2018-14692 RESERVED CVE-2018-14691 (An issue was discovered in Subsonic 6.1.1. The music tags feature is a ...) NOT-FOR-US: Subsonic CVE-2018-14690 (An issue was discovered in Subsonic 6.1.1. The general settings are af ...) NOT-FOR-US: Subsonic CVE-2018-14689 (An issue was discovered in Subsonic 6.1.1. The transcoding settings ar ...) NOT-FOR-US: Subsonic CVE-2018-14688 (An issue was discovered in Subsonic 6.1.1. The radio settings are affe ...) NOT-FOR-US: Subsonic CVE-2018-14687 RESERVED CVE-2018-14686 (system/edit_book.php in XYCMS 1.7 has stored XSS via a crafted add_do. ...) NOT-FOR-US: XYCMS CVE-2018-14685 (The add function in www/Lib/Lib/Action/Admin/TplAction.class.php in Gx ...) NOT-FOR-US: Gxlcms CVE-2018-14684 RESERVED CVE-2018-14683 (PRTG before 19.1.49.1966 has Cross Site Scripting (XSS) in the WEBGUI. ...) NOT-FOR-US: Paessler PRTG Network Monitor CVE-2018-14678 (An issue was discovered in the Linux kernel through 4.17.11, as used i ...) {DSA-4308-1 DLA-1531-1 DLA-1529-1} - linux 4.17.14-1 NOTE: https://xenbits.xen.org/xsa/advisory-274.html NOTE: https://git.kernel.org/linus/b3681dd548d06deb2e1573890829dff4b15abf46 CVE-2018-14677 RESERVED CVE-2018-14676 RESERVED CVE-2018-14675 RESERVED CVE-2018-14674 RESERVED CVE-2018-14673 RESERVED CVE-2018-14672 (In ClickHouse before 18.12.13, functions for loading CatBoost models a ...) NOT-FOR-US: ClickHouse CVE-2018-14671 (In ClickHouse before 18.10.3, unixODBC allowed loading arbitrary share ...) NOT-FOR-US: ClickHouse CVE-2018-14670 (Incorrect configuration in deb package in ClickHouse before 1.1.54131 ...) NOT-FOR-US: ClickHouse CVE-2018-14669 (ClickHouse MySQL client before versions 1.1.54390 had "LOAD DATA LOCAL ...) NOT-FOR-US: ClickHouse CVE-2018-14668 (In ClickHouse before 1.1.54388, "remote" table function allowed arbitr ...) NOT-FOR-US: ClickHouse CVE-2018-14679 (An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. ...) {DSA-4260-1 DLA-1460-1} - libmspack 0.7-1 (bug #904802) NOTE: https://github.com/kyz/libmspack/commit/72e70a921f0f07fee748aec2274b30784e1d312a NOTE: http://www.openwall.com/lists/oss-security/2018/07/26/1 CVE-2018-14680 (An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. ...) {DSA-4260-1 DLA-1460-1} - libmspack 0.7-1 (bug #904801) NOTE: https://github.com/kyz/libmspack/commit/72e70a921f0f07fee748aec2274b30784e1d312a NOTE: http://www.openwall.com/lists/oss-security/2018/07/26/1 CVE-2018-14682 (An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. ...) {DSA-4260-1 DLA-1460-1} - libmspack 0.7-1 (bug #904800) NOTE: https://github.com/kyz/libmspack/commit/4fd9ccaa54e1aebde1e4b95fb0163b699fd7bcc8 NOTE: http://www.openwall.com/lists/oss-security/2018/07/26/1 CVE-2018-14681 (An issue was discovered in kwajd_read_headers in mspack/kwajd.c in lib ...) {DSA-4260-1 DLA-1460-1} - libmspack 0.7-1 (bug #904799) NOTE: https://github.com/kyz/libmspack/commit/0b0ef9344255ff5acfac6b7af09198ac9c9756c8 NOTE: http://www.openwall.com/lists/oss-security/2018/07/26/1 CVE-2018-14667 (The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression ...) NOT-FOR-US: RichFaces CVE-2018-14666 (An improper authorization flaw was found in the Smart Class feature of ...) - foreman (bug #663101) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1638156 CVE-2018-14665 (A flaw was found in xorg-x11-server before 1.20.3. An incorrect permis ...) {DSA-4328-1} - xorg-server 2:1.20.3-1 [jessie] - xorg-server (Vulnerable code not present) NOTE: Introduced by: https://gitlab.freedesktop.org/xorg/xserver/commit/032b1d79b7d04d47814a5b3a9fdd162249fea74c (1.19.0) NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/commit/50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e CVE-2018-14664 (A flaw was found in foreman from versions 1.18. A stored cross-site sc ...) - foreman (bug #663101) CVE-2018-14663 (An issue has been found in PowerDNS DNSDist before 1.3.3 allowing a re ...) - dnsdist 1.3.3-1 (bug #913231) [stretch] - dnsdist (Minor issue) NOTE: https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2018-08.html CVE-2018-14662 (It was found Ceph versions before 13.2.4 that authenticated ceph users ...) {DLA-1696-1} - ceph 12.2.11+dfsg1-1 (bug #921948) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1637327 NOTE: https://github.com/ceph/ceph/commit/a2acedd2a7e12d58af6db35edbd8a9d29c557578 CVE-2018-14661 (It was found that usage of snprintf function in feature/locks translat ...) {DLA-1565-1} - glusterfs 5.1-1 (bug #912997) [stretch] - glusterfs (Minor issue; can be fixed via point release) NOTE: https://www.openwall.com/lists/oss-security/2018/10/31/5 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1636880 NOTE: https://review.gluster.org/#/c/glusterfs/+/21532/ NOTE: http://git.gluster.org/cgit/glusterfs.git/commit/?id=74dbf0a9aac4b960832029ec122685b5b5009127 CVE-2018-14660 (A flaw was found in glusterfs server through versions 4.1.4 and 3.1.2 ...) - glusterfs 5.1-1 (bug #912997) [stretch] - glusterfs (Minor issue; can be fixed via point release) [jessie] - glusterfs (vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2018/10/31/5 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1635926 NOTE: https://review.gluster.org/#/c/glusterfs/+/21531/ NOTE: http://git.gluster.org/cgit/glusterfs.git/commit/?id=c2c70552188ee1b15bb748b4f2272062505c7696 CVE-2018-14659 (The Gluster file system through versions 4.1.4 and 3.1.2 is vulnerable ...) {DLA-1565-1} - glusterfs 5.1-1 (bug #912997) [stretch] - glusterfs (Minor issue; can be fixed via point release) NOTE: https://www.openwall.com/lists/oss-security/2018/10/31/5 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1635929 NOTE: https://review.gluster.org/#/c/glusterfs/+/21530/ NOTE: http://git.gluster.org/cgit/glusterfs.git/commit/?id=be1e1785e2e4f3d6345ea5b5b684a1429784a01c CVE-2018-14658 (A flaw was found in JBOSS Keycloak 3.2.1.Final. The Redirect URL for b ...) NOT-FOR-US: Keycloak CVE-2018-14657 (A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. When TOPT enabl ...) NOT-FOR-US: Keycloak CVE-2018-14656 (A missing address check in the callers of the show_opcodes() in the Li ...) - linux 4.18.6-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/342db04ae71273322f0011384a9ed414df8bdae4 CVE-2018-14655 (A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. Wh ...) NOT-FOR-US: Keycloak CVE-2018-14654 (The Gluster file system through version 4.1.4 is vulnerable to abuse o ...) - glusterfs 5.1-1 (bug #912997) [stretch] - glusterfs (Minor issue; can be fixed via point release) [jessie] - glusterfs (vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2018/10/31/5 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1631576 NOTE: https://review.gluster.org/#/c/glusterfs/+/21534/ NOTE: http://git.gluster.org/cgit/glusterfs.git/commit/?id=5f4ae8a80543332a2e92dfa5c7f833ae7b93a664 (release-4.1) NOTE: http://git.gluster.org/cgit/glusterfs.git/commit/?id=dc775c4ae052d1e9d0f61ace3be999f73f0ffa23 (release-5) CVE-2018-14653 (The Gluster file system through versions 4.1.4 and 3.12 is vulnerable ...) {DLA-1565-1} - glusterfs 5.1-1 (bug #912997) [stretch] - glusterfs (Minor issue; can be fixed via point release) NOTE: https://www.openwall.com/lists/oss-security/2018/10/31/5 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1633431 NOTE: https://review.gluster.org/#/c/glusterfs/+/21528/ NOTE: https://review.gluster.org/#/c/glusterfs/+/21529/ NOTE: http://git.gluster.org/cgit/glusterfs.git/commit/?id=d3ec5f5a089edb68206b5d4a469358867340d4f7 NOTE: http://git.gluster.org/cgit/glusterfs.git/commit/?id=e2712fbd38477e736f157c9dbfbbae9c253b6c13 CVE-2018-14652 (The Gluster file system through versions 3.12 and 4.1.4 is vulnerable ...) {DLA-1565-1} - glusterfs 5.0-1 (bug #912997) [stretch] - glusterfs (Minor issue; can be fixed via point release) NOTE: https://www.openwall.com/lists/oss-security/2018/10/31/5 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1632974 NOTE: https://review.gluster.org/#/c/glusterfs/+/21535/ NOTE: http://git.gluster.org/cgit/glusterfs.git/commit/?id=e2c195712a9ecbda4fa02f5308138a1257a2558a CVE-2018-14651 (It was found that the fix for CVE-2018-10927, CVE-2018-10928, CVE-2018 ...) {DLA-1565-1} - glusterfs 5.1-1 (bug #912997) [stretch] - glusterfs (Incomplete fixes for CVE-2018-109{26,27,28,29,30} not applied) NOTE: https://www.openwall.com/lists/oss-security/2018/10/31/5 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1632557 NOTE: https://review.gluster.org/#/c/glusterfs/+/21527/ NOTE: http://git.gluster.org/cgit/glusterfs.git/commit/?id=5fdb7ae37f602894f81a2cadc5a4c609a4c85427 CVE-2018-14650 (It was discovered that sos-collector does not properly set the default ...) NOT-FOR-US: sos-collector (not same as sosreport itself, additional tool to sosreport) CVE-2018-14649 (It was found that ceph-isci-cli package as shipped by Red Hat Ceph Sto ...) NOT-FOR-US: ceph-iscsi-cli CVE-2018-14648 (A flaw was found in 389 Directory Server. A specially crafted search q ...) {DLA-1554-1} - 389-ds-base 1.4.0.18-1 [stretch] - 389-ds-base (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1630668 NOTE: https://pagure.io/389-ds-base/c/a49bd03d6 (1.4.0.17) NOTE: 1.3.7: https://pagure.io/389-ds-base/c/c8ec6e58c NOTE: 1.3.8: https://pagure.io/389-ds-base/c/5fc374b43 NOTE: Note that these patches are incomplete and cause a regression (crash). Bundle with NOTE: https://pagure.io/389-ds-base/c/a6369790c (1.4.0.17) NOTE: 1.3.7: https://pagure.io/389-ds-base/c/722a6f867 NOTE: 1.3.8: https://pagure.io/389-ds-base/c/bdb1af66c NOTE: see https://pagure.io/389-ds-base/issue/49969 CVE-2018-14647 (Python's elementtree C accelerator failed to initialise Expat's hash s ...) {DSA-4307-1 DSA-4306-1 DLA-1835-1 DLA-1834-1} - python3.7 3.7.0-7 - python3.6 3.6.7~rc1-1 - python3.5 - python3.4 [jessie] - python3.4 (minor issue) - python2.7 2.7.15-5 (bug #921039) NOTE: https://bugs.python.org/issue34623 NOTE: master: https://github.com/python/cpython/commit/cb5778f00ce48631c7140f33ba242496aaf7102b NOTE: 3.7: https://github.com/python/cpython/commit/470a435f3b42c9be5fdb7f7b04f3df5663ba7305 NOTE: 3.6: https://github.com/python/cpython/commit/f7666e828cc3d5873136473ea36ba2013d624fa1 NOTE: 2.7: https://github.com/python/cpython/commit/18b20bad75b4ff0486940fba4ec680e96e70f3a2 CVE-2018-14646 (The Linux kernel before 4.15-rc8 was found to be vulnerable to a NULL ...) - linux (Vulnerable code not present in any version released; apart experimental) NOTE: Fixed by: https://git.kernel.org/linus/f428fe4a04cc339166c8bbd489789760de3a0cee CVE-2018-14645 (A flaw was discovered in the HPACK decoder of HAProxy, before 1.8.14, ...) - haproxy 1.8.13-2 [stretch] - haproxy (Only affects 1.8.x) [jessie] - haproxy (Only affects 1.8.x) NOTE: https://git.haproxy.org/?p=haproxy-1.8.git;a=commit;h=b4e05a3daa30f657db01ec144a0e48850c48f813 CVE-2018-14644 (An issue has been found in PowerDNS Recursor from 4.0.0 up to and incl ...) - pdns-recursor 4.1.7-1 (bug #913162) [stretch] - pdns-recursor 4.0.4-1+deb9u4 [jessie] - pdns-recursor (Minor issue) NOTE: https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-07.html NOTE: https://downloads.powerdns.com/patches/2018-07/ NOTE: Patch backported for jessie https://git.fosscommunity.in/bhe/patches/raw/master/CVE-2018-14644.patch CVE-2018-14643 (An authentication bypass flaw was found in the smart_proxy_dynflow com ...) - foreman (bug #663101) NOTE: Issue in a foreman component: smart_proxy_dynflow, which might land in separate source. CVE-2018-14642 (An information leak vulnerability was found in Undertow. If all header ...) - undertow 2.0.23-1 (bug #911796) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1628702 CVE-2018-14641 (A security flaw was found in the ip_frag_reasm() function in net/ipv4/ ...) - linux (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2018/09/18/1 NOTE: Fixed by: https://git.kernel.org/linus/5d407b071dc369c26a38398326ee2be53651cfe4 CVE-2018-14640 RESERVED CVE-2018-14639 RESERVED CVE-2018-14638 (A flaw was found in 389-ds-base before version 1.3.8.4-13. The process ...) - 389-ds-base 1.4.0.18-1 (bug #908859) [stretch] - 389-ds-base (Minor issue) [jessie] - 389-ds-base (Vulnerable code not present) NOTE: https://pagure.io/389-ds-base/c/78fc627accacfa4061ce48977e22301f81ea8d73 CVE-2018-14637 (The SAML broker consumer endpoint in Keycloak before version 4.6.0.Fin ...) NOT-FOR-US: Keycloak CVE-2018-14636 (Live-migrated instances are briefly able to inspect traffic for other ...) - neutron 2:13.0.0-1 (low) [stretch] - neutron (Minor issue) [jessie] - neutron (Minor issue) CVE-2018-14635 (When using the Linux bridge ml2 driver, non-privileged tenants are abl ...) - neutron 2:13.0.0-1 [stretch] - neutron (Minor issue) [jessie] - neutron (Minor issue) NOTE: https://bugs.launchpad.net/neutron/+bug/1757482 NOTE: https://git.openstack.org/cgit/openstack/neutron/commit/?id=54aa6e81cb17b33ce4d5d469cc11dec2869c762d CVE-2018-14634 (An integer overflow flaw was found in the Linux kernel's create_elf_ta ...) {DLA-1529-1} - linux 4.12.6-1 [stretch] - linux 4.9.47-1 NOTE: https://www.openwall.com/lists/oss-security/2018/09/25/4 CVE-2018-14633 (A security flaw was found in the chap_server_compute_md5() function in ...) {DSA-4308-1 DLA-1531-1 DLA-1529-1} - linux 4.18.10-1 NOTE: https://www.openwall.com/lists/oss-security/2018/09/24/2 CVE-2018-14632 (An out of bound write can occur when patching an Openshift object usin ...) NOT-FOR-US: OpenShift CVE-2018-14631 (moodle before versions 3.5.2, 3.4.5, 3.3.8 is vulnerable to a boost th ...) - moodle CVE-2018-14630 (moodle before versions 3.5.2, 3.4.5, 3.3.8, 3.1.14 is vulnerable to an ...) - moodle CVE-2018-14629 (A denial of service vulnerability was discovered in Samba's LDAP serve ...) {DSA-4345-1 DLA-1607-1} - samba 2:4.9.2+dfsg-2 NOTE: https://www.samba.org/samba/security/CVE-2018-14629.html CVE-2018-14628 RESERVED CVE-2018-14627 (The IIOP OpenJDK Subsystem in WildFly before version 14.0.0 does not h ...) - wildfly (bug #752018) NOTE: https://issues.jboss.org/browse/WFLY-9107 NOTE: https://github.com/wildfly/wildfly/pull/10675 CVE-2018-14626 (PowerDNS Authoritative Server 4.1.0 up to 4.1.4 inclusive and PowerDNS ...) - pdns 4.1.5-1 (bug #913163) [stretch] - pdns (Vulnerable code present only in >= 4.1.0) [jessie] - pdns (Vulnerable code not present) - pdns-recursor 4.1.7-1 (bug #913162) [stretch] - pdns-recursor 4.0.4-1+deb9u4 [jessie] - pdns-recursor (Vulnerable code not present) NOTE: https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-05.html NOTE: https://downloads.powerdns.com/patches/2018-05/ NOTE: https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-06.html NOTE: https://downloads.powerdns.com/patches/2018-06/ CVE-2018-14625 (A flaw was found in the Linux Kernel where an attacker may be able to ...) {DLA-1771-1} - linux 4.19.9-1 [stretch] - linux 4.9.161-1 [jessie] - linux (Vulnerable code not present) NOTE: https://syzkaller.appspot.com/bug?extid=bd391451452fb0b93039 CVE-2018-14624 (A vulnerability was discovered in 389-ds-base through versions 1.3.7.1 ...) {DLA-1526-1} - 389-ds-base 1.4.0.18-1 (bug #907778) [stretch] - 389-ds-base (Minor issue) NOTE: https://pagure.io/389-ds-base/issue/49937 NOTE: https://pagure.io/389-ds-base/c/8ff8cb850 (master) NOTE: https://pagure.io/389-ds-base/c/c5e78249d (389-ds-base-1.3.8) NOTE: https://pagure.io/389-ds-base/c/9f28620d2 (389-ds-base-1.3.7) CVE-2018-14623 (A SQL injection flaw was found in katello's errata-related API. An aut ...) NOT-FOR-US: Katello CVE-2018-14622 (A null-pointer dereference vulnerability was found in libtirpc before ...) {DLA-1487-1} [experimental] - libtirpc 1.0.2-0.1 - libtirpc 0.2.5-1.3 (bug #907608) [stretch] - libtirpc 0.2.5-1.2+deb9u1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1620293 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=968175 NOTE: http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=1c77f7a869bdea2a34799d774460d1f9983d45f0 CVE-2018-14621 (An infinite loop vulnerability was found in libtirpc before version 1. ...) - libtirpc (Vulnerable code not in a released version) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1620290 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=968175 NOTE: Introduced by: http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=b2c9430f46c4ac848957fb8adaac176a3f6ac03f (0.3.3-rc3) NOTE: Fixed by: http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=fce98161d9815ea016855d9f00274276452c2c4b CVE-2018-14620 (The OpenStack RabbitMQ container image insecurely retrieves the rabbit ...) NOT-FOR-US: Insecure Red Hat container config CVE-2018-14619 (A flaw was found in the crypto subsystem of the Linux kernel before ve ...) - linux 4.14.12-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/b32a7dc8aef1882fbf983eb354837488cc9d54dc NOTE: http://www.openwall.com/lists/oss-security/2018/08/28/1 CVE-2018-14618 (curl before version 7.61.1 is vulnerable to a buffer overrun in the NT ...) {DSA-4286-1 DLA-1498-1} - curl 7.62.0-1 (bug #908327) NOTE: https://curl.haxx.se/docs/CVE-2018-14618.html NOTE: https://github.com/curl/curl/issues/2756 NOTE: https://github.com/curl/curl/commit/57d299a499155d4b327e341c6024e293b0418243 CVE-2018-14617 (An issue was discovered in the Linux kernel through 4.17.10. There is ...) {DSA-4308-1 DLA-1531-1 DLA-1529-1} - linux 4.18.8-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=200297 NOTE: https://www.spinics.net/lists/linux-fsdevel/msg130021.html CVE-2018-14616 (An issue was discovered in the Linux kernel through 4.17.10. There is ...) {DLA-1715-1} - linux 4.19.9-1 [stretch] - linux 4.9.144-1 [jessie] - linux (Vulnerable code not present) NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=200465 CVE-2018-14615 (An issue was discovered in the Linux kernel through 4.17.10. There is ...) - linux 4.19.9-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=200421 CVE-2018-14614 (An issue was discovered in the Linux kernel through 4.17.10. There is ...) {DLA-1715-1} - linux 4.19.9-1 [stretch] - linux 4.9.144-1 [jessie] - linux (Hard to backport and low priority outside of Android) NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=200419 CVE-2018-14613 (An issue was discovered in the Linux kernel through 4.17.10. There is ...) {DLA-2241-1 DLA-1715-1} - linux 4.19.9-1 [stretch] - linux 4.9.144-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199849 NOTE: https://patchwork.kernel.org/patch/10503147/ CVE-2018-14612 (An issue was discovered in the Linux kernel through 4.17.10. There is ...) {DLA-2241-1 DLA-1715-1} - linux 4.18.8-1 [stretch] - linux 4.9.144-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199847 NOTE: https://patchwork.kernel.org/patch/10503403/ NOTE: https://patchwork.kernel.org/patch/10503413/ CVE-2018-14611 (An issue was discovered in the Linux kernel through 4.17.10. There is ...) {DLA-2241-1 DLA-1715-1} - linux 4.19.9-1 [stretch] - linux 4.9.144-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199839 NOTE: https://patchwork.kernel.org/patch/10503099/ CVE-2018-14610 (An issue was discovered in the Linux kernel through 4.17.10. There is ...) {DLA-2241-1 DLA-1715-1} - linux 4.19.9-1 [stretch] - linux 4.9.144-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199837 NOTE: https://patchwork.kernel.org/patch/10503415/ CVE-2018-14609 (An issue was discovered in the Linux kernel through 4.17.10. There is ...) {DSA-4308-1 DLA-1531-1 DLA-1529-1} - linux 4.18.8-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199833 NOTE: https://patchwork.kernel.org/patch/10500521/ CVE-2018-14608 (Thomson Reuters UltraTax CS 2017 on Windows has a password protection ...) NOT-FOR-US: Thomson Reuters UltraTax CS 2017 CVE-2018-14607 (Thomson Reuters UltraTax CS 2017 on Windows, in a client/server config ...) NOT-FOR-US: Thomson Reuters UltraTax CS 2017 CVE-2018-14600 (An issue was discovered in libX11 through 1.6.5. The function XListExt ...) {DLA-1482-1} - libx11 2:1.6.6-1 (low) [stretch] - libx11 2:1.6.4-3+deb9u1 [wheezy] - libx11 (Minor issue) NOTE: https://gitlab.freedesktop.org/xorg/lib/libx11/commit/dbf72805fd9d7b1846fe9a11b46f3994bfc27fea CVE-2018-14599 (An issue was discovered in libX11 through 1.6.5. The function XListExt ...) {DLA-1482-1} - libx11 2:1.6.6-1 (low) [stretch] - libx11 2:1.6.4-3+deb9u1 [wheezy] - libx11 (Minor issue) NOTE: https://gitlab.freedesktop.org/xorg/lib/libx11/commit/b469da1430cdcee06e31c6251b83aede072a1ff0 CVE-2018-14598 (An issue was discovered in XListExtensions in ListExt.c in libX11 thro ...) {DLA-1482-1} - libx11 2:1.6.6-1 (low) [stretch] - libx11 2:1.6.4-3+deb9u1 [wheezy] - libx11 (Minor issue) NOTE: https://gitlab.freedesktop.org/xorg/lib/libx11/commit/e83722768fd5c467ef61fa159e8c6278770b45c2 CVE-2018-14606 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 10.8.7+dfsg-1 [stretch] - gitlab (Only affects 10.6 and later) NOTE: https://about.gitlab.com/2018/07/26/security-release-gitlab-11-dot-1-dot-2-released/ CVE-2018-14605 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 10.8.7+dfsg-1 [stretch] - gitlab (Only affects 10.7 and later) NOTE: https://about.gitlab.com/2018/07/26/security-release-gitlab-11-dot-1-dot-2-released/ CVE-2018-14604 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 10.8.7+dfsg-1 [stretch] - gitlab (Only affects 10.7 and later) NOTE: https://about.gitlab.com/2018/07/26/security-release-gitlab-11-dot-1-dot-2-released/ CVE-2018-14603 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 10.8.7+dfsg-1 NOTE: https://about.gitlab.com/2018/07/26/security-release-gitlab-11-dot-1-dot-2-released/ CVE-2018-14602 (An issue was discovered in GitLab Community and Enterprise Edition bef ...) - gitlab 10.8.7+dfsg-1 [stretch] - gitlab (Affects 9.0 and later only) NOTE: https://about.gitlab.com/2018/07/26/security-release-gitlab-11-dot-1-dot-2-released/ CVE-2018-14601 (An issue was discovered in GitLab Community and Enterprise Edition 11. ...) - gitlab (11.1.0 specific regression) NOTE: https://about.gitlab.com/2018/07/26/security-release-gitlab-11-dot-1-dot-2-released/ CVE-2017-18344 (The timer_create syscall implementation in kernel/time/posix-timers.c ...) - linux 4.14.12-1 [stretch] - linux 4.9.82-1+deb9u1 [jessie] - linux 3.16.56-1 NOTE: Fixed by: https://git.kernel.org/linus/cef31d9af908243421258f1df35a4a644604efbe CVE-2018-14597 (CA Technologies Identity Governance 12.6, 14.0, 14.1, and 14.2 and CA ...) NOT-FOR-US: CA Technologies Identity Governance CVE-2018-1002208 (SharpZipLib before 1.0 RC1 is vulnerable to directory traversal, allow ...) - mono 5.18.0.240+dfsg-1 [stretch] - mono (Minor issue) [jessie] - mono (Minor issue) - mono-reference-assemblies (unimportant) NOTE: https://snyk.io/vuln/SNYK-DOTNET-SHARPZIPLIB-60247 NOTE: https://github.com/icsharpcode/SharpZipLib/issues/232 NOTE: https://github.com/mono/mono/issues/11492 CVE-2018-1002207 (mholt/archiver golang package before e4ef56d48eb029648b0e895bb0b6a393e ...) NOT-FOR-US: golang-github-mholt-archiver CVE-2018-1002206 (SharpCompress before 0.21.0 is vulnerable to directory traversal, allo ...) NOT-FOR-US: SharpCompress library (for .NET Standard 1.0) CVE-2018-1002205 (DotNetZip.Semvered before 1.11.0 is vulnerable to directory traversal, ...) NOT-FOR-US: DotNetZip.Semvered library (.NET) CVE-2018-1002203 (unzipper npm library before 0.8.13 is vulnerable to directory traversa ...) NOT-FOR-US: unzipper nodejs module CVE-2018-14596 (wancms 1.0 through 5.0 allows remote attackers to cause a denial of se ...) NOT-FOR-US: wancms CVE-2018-14595 RESERVED CVE-2018-14594 RESERVED CVE-2018-14593 (An issue was discovered in Open Ticket Request System (OTRS) 6.0.x thr ...) {DSA-4317-1 DLA-1473-1} - otrs2 6.0.10-1 NOTE: https://community.otrs.com/security-advisory-2018-03-security-update-for-otrs-framework/ NOTE: OTRS-6: https://github.com/OTRS/otrs/commit/57cda14db8fdbcbfb8cabb32d85fbc89fde48c62 NOTE: OTRS-5: https://github.com/OTRS/otrs/commit/7b6802723e1f5d1764b617e9fcf0a8dd21e96216 NOTE: OTRS-4: https://github.com/OTRS/otrs/commit/78331ea187181d6130189d4563a50b4c30256320 CVE-2018-14592 (The CWJoomla CW Article Attachments PRO extension before 2.0.7 and CW ...) NOT-FOR-US: CWJoomla CVE-2018-14591 RESERVED CVE-2018-14590 (An issue has been discovered in Bento4 1.5.1-624. A SEGV can occur in ...) NOT-FOR-US: Bento4 CVE-2018-14589 (An issue has been discovered in Bento4 1.5.1-624. AP4_Mp4AudioDsiParse ...) NOT-FOR-US: Bento4 CVE-2018-14588 (An issue has been discovered in Bento4 1.5.1-624. A NULL pointer deref ...) NOT-FOR-US: Bento4 CVE-2018-14587 (An issue has been discovered in Bento4 1.5.1-624. AP4_MemoryByteStream ...) NOT-FOR-US: Bento4 CVE-2018-14586 (An issue has been discovered in Bento4 1.5.1-624. A SEGV can occur in ...) NOT-FOR-US: Bento4 CVE-2018-14585 (An issue has been discovered in Bento4 1.5.1-624. AP4_BytesToUInt16BE ...) NOT-FOR-US: Bento4 CVE-2018-14584 (An issue has been discovered in Bento4 1.5.1-624. AP4_AvccAtom::Create ...) NOT-FOR-US: Bento4 CVE-2018-14583 (xyhai.php?s=/Auth/addUser in XYHCMS 3.5 allows CSRF to add a backgroun ...) NOT-FOR-US: XYHCMS CVE-2018-14582 (index.php?r=admini/admin/create in BageCMS V3.1.3 allows CSRF to add a ...) NOT-FOR-US: BageCMS CVE-2018-14581 (Redgate .NET Reflector before 10.0.7.774 and SmartAssembly before 6.12 ...) NOT-FOR-US: Redgate .NET Reflector and SmartAssembly CVE-2018-14580 RESERVED CVE-2018-14579 (GolemCMS through 2008-12-24, if the install/ directory remains active ...) NOT-FOR-US: GolemCMS CVE-2018-14578 RESERVED CVE-2018-14577 RESERVED CVE-2018-14576 (The mintToken function of a smart contract implementation for SunContr ...) NOT-FOR-US: smart contract implementation for SunContract CVE-2018-14575 (Trash Bin plugin 1.1.3 for MyBB has cross-site scripting (XSS) via a t ...) NOT-FOR-US: MyBB plugin CVE-2018-14574 (django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11 ...) {DSA-4264-1} - python-django 1:1.11.15-1 (bug #905216) [jessie] - python-django (Vulnerable code not present) NOTE: https://www.djangoproject.com/weblog/2018/aug/01/security-releases/ NOTE: https://github.com/django/django/commit/a656a681272f8f3734b6eb38e9a88aa0d91806f1 (master) NOTE: https://github.com/django/django/commit/c4e5ff7fdb5fce447675e90291fd33fddd052b3c (2.1 release branch) NOTE: https://github.com/django/django/commit/d6eaee092709aad477a9894598496c6deec532ff (1.11 release branch) NOTE: https://github.com/django/django/commit/434d309ef6dbecbfd2b322d3a1da78aa5cb05fa8 (vuln. introduced here?) CVE-2018-14573 (A Local File Inclusion (LFI) vulnerability exists in the Web Interface ...) NOT-FOR-US: TightRope Media Carousel Digital Signage CVE-2018-14572 (In conference-scheduler-cli, a pickle.load call on imported data allow ...) NOT-FOR-US: conference-scheduler-cli CVE-2018-14571 RESERVED CVE-2018-14570 (A file upload vulnerability in application/shop/controller/member.php ...) NOT-FOR-US: Niushop B2B2C Multi-business basic CVE-2018-14569 RESERVED CVE-2018-1999024 (MathJax version prior to version 2.7.4 contains a Cross Site Scripting ...) - mathjax 2.7.4+dfsg-1 [stretch] - mathjax (Minor issue) [jessie] - mathjax (Minor issue) NOTE: https://github.com/mathjax/MathJax/commit/a55da396c18cafb767a26aa9ad96f6f4199852f1 CVE-2018-1999021 (Gleezcms Gleez Cms version 1.3.0 contains a Cross Site Scripting (XSS) ...) NOT-FOR-US: Gleezcms Gleez Cms CVE-2018-1999020 (Open Networking Foundation (ONF) ONOS version 1.13.2 and earlier versi ...) NOT-FOR-US: ONOS CVE-2018-1999019 (Chamilo LMS version 11.x contains an Unserialization vulnerability in ...) NOT-FOR-US: Chamilo LMS CVE-2018-1999018 (Pydio version 8.2.1 and prior contains an Unvalidated user input leadi ...) - ajaxplorer (bug #668381) CVE-2018-1999017 (Pydio version 8.2.0 and earlier contains a Server-Side Request Forgery ...) - ajaxplorer (bug #668381) CVE-2018-1999016 (Pydio version 8.2.0 and earlier contains a Cross Site Scripting (XSS) ...) - ajaxplorer (bug #668381) CVE-2018-1999015 (FFmpeg before commit 5aba5b89d0b1d73164d3b81764828bb8b20ff32a contains ...) - ffmpeg 7:4.0.2-1 [stretch] - ffmpeg (Vulnerable code not present) - libav [jessie] - libav (Vulnerable code not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/5aba5b89d0b1d73164d3b81764828bb8b20ff32 CVE-2018-1999014 (FFmpeg before commit bab0716c7f4793ec42e05a5aa7e80d82a0dd4e75 contains ...) - ffmpeg 7:4.0.2-1 [stretch] - ffmpeg (Vulnerable code not present) - libav [jessie] - libav (Vulnerable code not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/bab0716c7f4793ec42e05a5aa7e80d82a0dd4e7 CVE-2018-1999013 (FFmpeg before commit a7e032a277452366771951e29fd0bf2bd5c029f0 contains ...) {DSA-4249-1} - ffmpeg 7:4.0.2-1 - libav [jessie] - libav (Vulnerable code not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/a7e032a277452366771951e29fd0bf2bd5c029f CVE-2018-1999012 (FFmpeg before commit 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 contains ...) {DSA-4249-1 DLA-1740-1} - ffmpeg 7:4.0.2-1 - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/9807d3976be0e92e4ece3b4b1701be894cd7c2e CVE-2018-1999011 (FFmpeg before commit 2b46ebdbff1d8dec7a3d8ea280a612b91a582869 contains ...) {DSA-4449-1} - ffmpeg 7:4.0.2-1 - libav [jessie] - libav (Vulnerable code not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/2b46ebdbff1d8dec7a3d8ea280a612b91a58286 CVE-2018-1999010 (FFmpeg before commit cced03dd667a5df6df8fd40d8de0bff477ee02e8 contains ...) {DSA-4249-1 DLA-1630-1} - ffmpeg 7:4.0.2-1 - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/cced03dd667a5df6df8fd40d8de0bff477ee02e CVE-2018-1999009 (October CMS version prior to Build 437 contains a Local File Inclusion ...) NOT-FOR-US: October CMS CVE-2018-1999008 (October CMS version prior to build 437 contains a Cross Site Scripting ...) NOT-FOR-US: October CMS CVE-2018-14568 (Suricata before 4.0.5 stops TCP stream inspection upon a TCP RST from ...) - suricata 1:4.0.5-1 [stretch] - suricata (Minor issue) [jessie] - suricata (Minor issue) NOTE: https://github.com/OISF/suricata/pull/3428/commits/843d0b7a10bb45627f94764a6c5d468a24143345 NOTE: https://redmine.openinfosecfoundation.org/issues/2501 CVE-2018-14567 (libxml2 2.9.8, if --with-lzma is used, allows remote attackers to caus ...) {DLA-1524-1} [experimental] - libxml2 2.9.9+dfsg1-1~exp1 - libxml2 2.9.10+dfsg-2 [buster] - libxml2 (Minor issue) [stretch] - libxml2 (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/libxml2/issues/13 (not public yet) NOTE: https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74 CVE-2018-14566 RESERVED CVE-2018-14565 (An issue was discovered in libthulac.so in THULAC through 2018-02-25. ...) NOT-FOR-US: THULAC CVE-2018-14564 (An issue was discovered in libthulac.so in THULAC through 2018-02-25. ...) NOT-FOR-US: THULAC CVE-2018-14563 (An issue was discovered in libthulac.so in THULAC through 2018-02-25. ...) NOT-FOR-US: THULAC CVE-2018-14562 (An issue was discovered in libthulac.so in THULAC through 2018-02-25. ...) NOT-FOR-US: THULAC CVE-2018-14561 RESERVED CVE-2018-14560 RESERVED CVE-2018-14559 (An issue was discovered on Tenda AC7 devices with firmware through V15 ...) NOT-FOR-US: Tenda AC7 devices CVE-2018-14558 (An issue was discovered on Tenda AC7 devices with firmware through V15 ...) NOT-FOR-US: Tenda AC7 devices CVE-2018-14557 (An issue was discovered on Tenda AC7 devices with firmware through V15 ...) NOT-FOR-US: Tenda AC7 devices CVE-2018-14556 RESERVED CVE-2018-14555 RESERVED CVE-2018-14554 RESERVED CVE-2018-14553 (gdImageClone in gd.c in libgd 2.1.0-rc2 through 2.2.5 has a NULL point ...) {DLA-2106-1} - libgd2 2.3.0-1 (low; bug #951287) [buster] - libgd2 (Minor issue) [stretch] - libgd2 (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1599032 NOTE: https://github.com/libgd/libgd/commit/a93eac0e843148dc2d631c3ba80af17e9c8c860f NOTE: https://github.com/libgd/libgd/pull/580 CVE-2016-10728 (An issue was discovered in Suricata before 3.1.2. If an ICMPv4 error p ...) {DLA-1508-1} - suricata 3.1.2-1 NOTE: https://redmine.openinfosecfoundation.org/issues/1880 NOTE: https://github.com/OISF/suricata/pull/2210 CVE-2018-14552 RESERVED CVE-2018-14551 (The ReadMATImageV4 function in coders/mat.c in ImageMagick 7.0.8-7 use ...) - imagemagick 8:6.9.10.8+dfsg-1 (bug #904713) [stretch] - imagemagick (Can be fixed along in a future DSA) [jessie] - imagemagick (vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1221 NOTE: https://github.com/ImageMagick/ImageMagick/commit/389ecc365a7c61404ba078a72c3fa5a3cf1b4101 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/db7a4be592328af06d776ce3bab24b8c6de5be20 CVE-2018-14550 (An issue has been found in third-party PNM decoding associated with li ...) [experimental] - libpng1.6 1.6.37-1~exp1 - libpng1.6 1.6.37-1 (unimportant) - libpng (unimportant) NOTE: https://github.com/glennrp/libpng/issues/246 NOTE: https://github.com/glennrp/libpng/commit/1f0221fad7e7888ada87eda511dcbfd701de7d21 CVE-2018-14549 (An issue has been found in libwav through 2017-04-20. It is a SEGV in ...) NOT-FOR-US: libwav CVE-2018-14548 RESERVED CVE-2018-14547 RESERVED CVE-2018-14546 RESERVED CVE-2018-14545 (There exists one invalid memory read bug in AP4_SampleDescription::Get ...) NOT-FOR-US: Bento4 CVE-2018-14544 (There exists one invalid memory read bug in AP4_SampleDescription::Get ...) NOT-FOR-US: Bento4 CVE-2018-14543 (There exists one NULL pointer dereference vulnerability in AP4_JsonIns ...) NOT-FOR-US: Bento4 CVE-2018-14542 RESERVED CVE-2018-14541 (PHP Scripts Mall Basic B2B Script 2.0.0 has Reflected and Stored XSS v ...) NOT-FOR-US: PHP Scripts Mall Basic B2B Script CVE-2018-14540 RESERVED CVE-2018-14539 RESERVED CVE-2018-14538 RESERVED CVE-2018-14537 RESERVED CVE-2018-14536 RESERVED CVE-2018-14535 RESERVED CVE-2018-14534 RESERVED CVE-2018-14533 (read_tmp and write_tmp in Inteno IOPSYS allow attackers to gain privil ...) NOT-FOR-US: Inteno IOPSYS CVE-2018-14532 (An issue was discovered in Bento4 1.5.1-624. There is a heap-based buf ...) NOT-FOR-US: Bento4 CVE-2018-14531 (An issue was discovered in Bento4 1.5.1-624. There is an unspecified " ...) NOT-FOR-US: Bento4 CVE-2018-14530 RESERVED CVE-2018-14529 (Invoxia NVX220 devices allow access to /bin/sh via escape from a restr ...) NOT-FOR-US: Invoxia NVX220 devices CVE-2018-14528 (Invoxia NVX220 devices allow TELNET access as admin with a default pas ...) NOT-FOR-US: Invoxia NVX220 devices CVE-2018-14527 (Feedback.asp in Xiao5uCompany 1.7 has XSS because the XSS protection m ...) NOT-FOR-US: Xiao5uCompany CVE-2018-14526 (An issue was discovered in rsn_supp/wpa.c in wpa_supplicant 2.0 throug ...) {DLA-1462-1} - wpa 2:2.6-18 (bug #905739) [stretch] - wpa 2:2.4-1+deb9u2 NOTE: https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt NOTE: https://w1.fi/security/2018-1/0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch NOTE: https://w1.fi/security/2018-1/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch CVE-2018-14525 RESERVED CVE-2018-14524 (dwg_decode_eed in decode.c in GNU LibreDWG before 0.6 leads to a doubl ...) - libredwg (bug #595191) CVE-2018-14523 (An issue was discovered in aubio 0.4.6. A buffer over-read can occur i ...) - aubio 0.4.6-1 (bug #904906) [stretch] - aubio (Minor issue) [jessie] - aubio (Minor issue) NOTE: https://github.com/aubio/aubio/issues/189 CVE-2018-14522 (An issue was discovered in aubio 0.4.6. A SEGV signal can occur in aub ...) - aubio 0.4.6-1 (bug #904907) [stretch] - aubio (Minor issue) [jessie] - aubio (Minor issue) NOTE: https://github.com/aubio/aubio/issues/188 CVE-2018-14521 (An issue was discovered in aubio 0.4.6. A SEGV signal can occur in aub ...) - aubio 0.4.6-1 (bug #904908) [stretch] - aubio (Minor issue) [jessie] - aubio (Minor issue) NOTE: https://github.com/aubio/aubio/issues/187 CVE-2018-14520 RESERVED CVE-2018-14519 RESERVED CVE-2018-14518 RESERVED CVE-2018-14517 (SeaCMS 6.61 has two XSS issues in the admin_config.php file via certai ...) NOT-FOR-US: SeaCMS CVE-2018-14516 RESERVED CVE-2018-14515 (A SQL injection was discovered in WUZHI CMS 4.1.0 that allows remote a ...) NOT-FOR-US: WUZHI CMS CVE-2018-14514 (An SSRF vulnerability was discovered in idreamsoft iCMS V7.0.9 that al ...) NOT-FOR-US: idreamsoft iCMS CVE-2018-14513 (An XSS vulnerability was discovered in WUZHI CMS 4.1.0. There is persi ...) NOT-FOR-US: WUZHI CMS CVE-2018-14512 (An XSS vulnerability was discovered in WUZHI CMS 4.1.0. There is persi ...) NOT-FOR-US: WUZHI CMS CVE-2018-14511 RESERVED CVE-2018-14510 RESERVED CVE-2018-14509 RESERVED CVE-2018-14508 RESERVED CVE-2018-14507 RESERVED CVE-2018-14506 RESERVED CVE-2018-14504 (An issue was discovered in manage_filter_edit_page.php in MantisBT 2.x ...) - mantis NOTE: http://github.com/mantisbt/mantisbt/commit/8b5fa243dbf04344a55fe880135ec149fc1f439f NOTE: https://mantisbt.org/blog/archives/mantisbt/602 NOTE: https://mantisbt.org/bugs/view.php?id=24608 CVE-2018-14503 (Cross-site scripting (XSS) vulnerability in intervalCheck.jsp in Corem ...) NOT-FOR-US: Coremail XT CVE-2018-14502 (controllers/quizzes.php in the Kiboko Chained Quiz plugin before 1.0.9 ...) NOT-FOR-US: Kiboko Chained Quiz plugin for WordPress CVE-2018-14501 (manager/admin_ajax.php in joyplus-cms 1.6.0 has SQL Injection, as demo ...) NOT-FOR-US: joyplus-cms CVE-2018-14500 (joyplus-cms 1.6.0 has XSS via the manager/collect/collect_vod_zhuiju.p ...) NOT-FOR-US: joyplus-cms CVE-2018-1999023 (The Battle for Wesnoth Project version 1.7.0 through 1.14.3 contains a ...) - wesnoth-1.14 1:1.14.4-1 - wesnoth-1.12 [stretch] - wesnoth-1.12 1:1.12.6-1+deb9u1 - wesnoth-1.10 [jessie] - wesnoth-1.10 (Games are not supported in Jessie) NOTE: http://www.openwall.com/lists/oss-security/2018/07/20/1 NOTE: https://github.com/wesnoth/wesnoth/commit/d911268a783467842d38eae7ac1630f1fea41318 (1.14.x) CVE-2018-14505 (mitmweb in mitmproxy v4.0.3 allows DNS Rebinding attacks, related to t ...) - mitmproxy 3.0.4-1 (bug #904293) [stretch] - mitmproxy (Minor issue) [jessie] - mitmproxy (Minor issue) NOTE: https://github.com/mitmproxy/mitmproxy/issues/3234 NOTE: https://github.com/mitmproxy/mitmproxy/pull/3243 CVE-2018-14499 (An issue was found in HYBBS through 2016-03-08. There is an XSS vulner ...) NOT-FOR-US: HYBBS CVE-2018-14498 (get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG th ...) {DLA-1719-1} [experimental] - libjpeg-turbo 1:2.0.2-1~exp1 - libjpeg-turbo (low; bug #924678) [buster] - libjpeg-turbo (Minor issue) [stretch] - libjpeg-turbo (Minor issue) - mozjpeg (bug #741487) NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9c78a04df4e44ef6487eee99c4258397f4fdca55 NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/258 NOTE: https://github.com/mozilla/mozjpeg/issues/299 CVE-2018-14497 (Tenda D152 ADSL routers allow XSS via a crafted SSID. ...) NOT-FOR-US: Tenda D152 ADSL routers CVE-2018-14496 (** DISPUTED ** Vivotek FD8136 devices allow remote memory corruption a ...) NOT-FOR-US: Vivotek FD8136 devices CVE-2018-14495 (** DISPUTED ** Vivotek FD8136 devices allow Remote Command Injection, ...) NOT-FOR-US: Vivotek FD8136 devices CVE-2018-14494 (** DISPUTED ** Vivotek FD8136 devices allow Remote Command Injection, ...) NOT-FOR-US: Vivotek FD8136 devices CVE-2018-14493 (Cross-site scripting (XSS) vulnerability in the Groups Page in Open-Au ...) NOT-FOR-US: Open-Audit Community CVE-2018-14492 (Tenda AC7 through V15.03.06.44_CN, AC9 through V15.03.05.19(6318)_CN, ...) NOT-FOR-US: Tenda devices CVE-2018-1999022 (PEAR HTML_QuickForm version 3.2.14 contains an eval injection (CWE-95) ...) - civicrm 5.3.1+dfsg-1 (bug #904215) NOTE: https://civicrm.org/advisory/civi-sa-2018-07-remote-code-execution-in-quickform CVE-2018-14491 RESERVED CVE-2018-14490 RESERVED CVE-2018-14489 RESERVED CVE-2018-14488 RESERVED CVE-2018-14487 RESERVED CVE-2018-14486 (DNN (formerly DotNetNuke) 9.1.1 allows cross-site scripting (XSS) via ...) NOT-FOR-US: DNN CVE-2018-14485 (BlogEngine.NET 3.3 allows XXE attacks via the POST body to metaweblog. ...) NOT-FOR-US: BlogEngine.NET CVE-2018-14484 RESERVED CVE-2018-14483 RESERVED CVE-2018-14482 RESERVED CVE-2018-14481 (Osclass 3.7.4 has XSS via the query string to index.php, a different v ...) NOT-FOR-US: Osclass CVE-2018-14480 RESERVED CVE-2018-14479 RESERVED CVE-2018-14478 (ecard.php in Coppermine Photo Gallery (CPG) 1.5.46 has XSS via the sen ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2018-14477 RESERVED CVE-2018-14476 (GeniXCMS 1.1.5 has XSS via the dbuser or dbhost parameter during step ...) NOT-FOR-US: GeniXCMS CVE-2018-14475 RESERVED CVE-2018-14474 (views/auth.go in Orange Forum 1.4.0 allows Open Redirection via the ne ...) NOT-FOR-US: Orange Forum CVE-2018-14473 (OCS Inventory 2.4.1 lacks a proper XML parsing configuration, allowing ...) - ocsinventory-server 2.5+dfsg-1 (unimportant; bug #905396) NOTE: Authentication is needed, only supported in trusted environments, see debtags CVE-2018-14472 (An issue was discovered in WUZHI CMS 4.1.0. The vulnerable file is cor ...) NOT-FOR-US: WUZHI CMS CVE-2018-14471 (dwg_obj_block_control_get_block_headers in dwg_api.c in GNU LibreDWG 0 ...) - libredwg (bug #595191) CVE-2018-14470 (The Babel parser in tcpdump before 4.9.3 has a buffer over-read in pri ...) {DSA-4547-1 DLA-1955-1} - tcpdump 4.9.3-1 (bug #941698) NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/12f66f69f7bf1ec1266ddbee90a7616cbf33696b CVE-2018-14469 (The IKEv1 parser in tcpdump before 4.9.3 has a buffer over-read in pri ...) {DSA-4547-1 DLA-1955-1} - tcpdump 4.9.3-1 (bug #941698) NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/396e94ff55a80d554b1fe46bf107db1e91008d6c CVE-2018-14468 (The FRF.16 parser in tcpdump before 4.9.3 has a buffer over-read in pr ...) {DSA-4547-1 DLA-1955-1} - tcpdump 4.9.3-1 (bug #941698) NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/aa3e54f594385ce7e1e319b0c84999e51192578b CVE-2018-14467 (The BGP parser in tcpdump before 4.9.3 has a buffer over-read in print ...) {DSA-4547-1 DLA-1955-1} - tcpdump 4.9.3-1 (bug #941698) NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/e3f3b445e2d20ac5d5b7fcb7559ce6beb55da0c9 CVE-2018-14466 (The Rx parser in tcpdump before 4.9.3 has a buffer over-read in print- ...) {DSA-4547-1 DLA-1955-1} - tcpdump 4.9.3-1 (bug #941698) NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/c24922e692a52121e853a84ead6b9337f4c08a94 CVE-2018-14465 (The RSVP parser in tcpdump before 4.9.3 has a buffer over-read in prin ...) {DSA-4547-1 DLA-1955-1} - tcpdump 4.9.3-1 (bug #941698) NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/bea2686c296b79609060a104cc139810785b0739 CVE-2018-14464 (The LMP parser in tcpdump before 4.9.3 has a buffer over-read in print ...) {DSA-4547-1 DLA-1955-1} - tcpdump 4.9.3-1 (bug #941698) NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/d97e94223720684c6aa740ff219e0d19426c2220 CVE-2018-14463 (The VRRP parser in tcpdump before 4.9.3 has a buffer over-read in prin ...) {DSA-4547-1 DLA-1955-1} - tcpdump 4.9.3-1 (bug #941698) NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/3de07c772166b7e8e8bb4b9d1d078f1d901b570b CVE-2018-14462 (The ICMP parser in tcpdump before 4.9.3 has a buffer over-read in prin ...) {DSA-4547-1 DLA-1955-1} - tcpdump 4.9.3-1 (bug #941698) NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/1a1bce0526a77b62e41531b00f8bb5e21fd4f3a3 CVE-2018-14461 (The LDP parser in tcpdump before 4.9.3 has a buffer over-read in print ...) {DSA-4547-1 DLA-1955-1} - tcpdump 4.9.3-1 (bug #941698) NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/aa5c6b710dfd8020d2c908d6b3bd41f1da719b3b CVE-2018-14460 (An issue was discovered in the HDF HDF5 1.8.20 library. There is a hea ...) - hdf5 NOTE: https://github.com/TeamSeri0us/pocs/blob/master/hdf5/README3.md CVE-2018-14459 (An issue was discovered in libgig 4.1.0. There is an out-of-bounds wri ...) - libgig (low; bug #931309) [buster] - libgig (Minor issue) [stretch] - libgig (Minor issue) [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14458 (An issue was discovered in libgig 4.1.0. There is a heap-based buffer ...) - libgig (low; bug #931309) [buster] - libgig (Minor issue) [stretch] - libgig (Minor issue) [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14457 (An issue was discovered in libgig 4.1.0. There is an out-of-bounds wri ...) - libgig (low; bug #931309) [buster] - libgig (Minor issue) [stretch] - libgig (Minor issue) [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14456 (An issue was discovered in libgig 4.1.0. There is an out-of-bounds wri ...) - libgig (low; bug #931309) [buster] - libgig (Minor issue) [stretch] - libgig (Minor issue) [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14455 (An issue was discovered in libgig 4.1.0. There is an out-of-bounds wri ...) - libgig (low; bug #931309) [buster] - libgig (Minor issue) [stretch] - libgig (Minor issue) [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14454 (An issue was discovered in libgig 4.1.0. There is an out-of-bounds rea ...) - libgig (low; bug #931309) [buster] - libgig (Minor issue) [stretch] - libgig (Minor issue) [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14453 (An issue was discovered in libgig 4.1.0. There is a heap-based buffer ...) - libgig (low; bug #931309) [buster] - libgig (Minor issue) [stretch] - libgig (Minor issue) [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14452 (An issue was discovered in libgig 4.1.0. There is an out-of-bounds rea ...) - libgig (low; bug #931309) [buster] - libgig (Minor issue) [stretch] - libgig (Minor issue) [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14451 (An issue was discovered in libgig 4.1.0. There is a heap-based buffer ...) - libgig (low; bug #931309) [buster] - libgig (Minor issue) [stretch] - libgig (Minor issue) [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14450 (An issue was discovered in libgig 4.1.0. There is an out-of-bounds rea ...) - libgig (low; bug #931309) [buster] - libgig (Minor issue) [stretch] - libgig (Minor issue) [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14449 (An issue was discovered in libgig 4.1.0. There is an out of bounds rea ...) - libgig (low; bug #931309) [buster] - libgig (Minor issue) [stretch] - libgig (Minor issue) [jessie] - libgig (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14448 (Codec::parse in track.cpp in Untrunc through 2018-06-07 has a NULL poi ...) - untrunc (bug #702476) CVE-2018-14447 (trim_whitespace in lexer.l in libConfuse v3.2.1 has an out-of-bounds r ...) {DLA-1470-1} - confuse 3.2.1+dfsg-5 (bug #904159) [stretch] - confuse 3.0+dfsg-2+deb9u1 NOTE: https://github.com/martinh/libconfuse/issues/109 CVE-2018-14446 (MP4Integer32Property::Read in atom_avcC.cpp in MP4v2 2.1.0 allows remo ...) - mp4v2 (bug #904896) [stretch] - mp4v2 (Minor issue) [jessie] - mp4v2 (Minor issue) NOTE: https://github.com/TechSmith/mp4v2/issues/20 CVE-2018-14445 (In Bento4 v1.5.1-624, AP4_File::ParseStream in Ap4File.cpp allows remo ...) NOT-FOR-US: Bento4 CVE-2018-14444 (libdxfrw 0.6.3 has an Integer Overflow in dwgCompressor::decompress18 ...) NOT-FOR-US: libdxfrw CVE-2018-14443 (get_first_owned_object in dwg.c in GNU LibreDWG 0.5.1036 allows remote ...) - libredwg (bug #595191) CVE-2018-14442 (Foxit Reader before 9.2 and PhantomPDF before 9.2 have a Use-After-Fre ...) NOT-FOR-US: Foxit Reader CVE-2018-14441 (An issue was discovered in cckevincyh SSH CompanyWebsite through 2018- ...) NOT-FOR-US: cckevincyh SSH CompanyWebsite CVE-2018-14440 (An issue was discovered in cckevincyh SSH CompanyWebsite through 2018- ...) NOT-FOR-US: cckevincyh SSH CompanyWebsite CVE-2018-14439 (espritblock eos4j, an unofficial SDK for EOS, through 2018-07-12 misha ...) NOT-FOR-US: eos4j CVE-2018-14438 (In Wireshark through 2.6.2, the create_app_running_mutex function in w ...) - wireshark (Problem with SetSecurityDescriptorDacl() is Windows specific issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14921 CVE-2018-14437 (ImageMagick 7.0.8-4 has a memory leak in parse8BIM in coders/meta.c. ...) - imagemagick 8:6.9.10.8+dfsg-1 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1190 NOTE: https://github.com/ImageMagick/ImageMagick/commit/082223fb992448dbb574747deac9a30f986c116e NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/0812674565df667b1b3e4122ad259096de311c6c CVE-2018-14436 (ImageMagick 7.0.8-4 has a memory leak in ReadMIFFImage in coders/miff. ...) - imagemagick 8:6.9.10.8+dfsg-1 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1191 NOTE: https://github.com/ImageMagick/ImageMagick/commit/4b352c0be410ad900469a079e389178f878aded8 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/ae3eecad2f59e27123c1a6c891be75d06fc03656 CVE-2018-14435 (ImageMagick 7.0.8-4 has a memory leak in DecodeImage in coders/pcd.c. ...) - imagemagick 8:6.9.10.8+dfsg-1 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1193 NOTE: https://github.com/ImageMagick/ImageMagick/commit/957b6397b958a5881005df27eb97319b3175a3c9 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/e8f4f5e776002aa6ed490d7c6f65e10fa67359dd CVE-2018-14434 (ImageMagick 7.0.8-4 has a memory leak for a colormap in WriteMPCImage ...) - imagemagick 8:6.9.10.8+dfsg-1 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1192 NOTE: https://github.com/ImageMagick/ImageMagick/commit/98a2cceae0dceccbfe54051167c2c80be1f13c3f CVE-2018-14433 RESERVED CVE-2018-14432 (In the Federation component of OpenStack Keystone before 11.0.4, 12.0. ...) {DSA-4275-1} - keystone 2:13.0.0-7 (bug #904616) [jessie] - keystone (Not supported in Jessie) NOTE: http://www.openwall.com/lists/oss-security/2018/07/25/2 NOTE: https://bugs.launchpad.net/keystone/+bug/1779205 CVE-2018-14431 RESERVED CVE-2018-14430 (The Mondula Multi Step Form plugin through 1.2.5 for WordPress allows ...) NOT-FOR-US: Mondula Multi Step Form plugin for WordPress CVE-2018-14429 (man-cgi before 1.16 allows Local File Inclusion via absolute path trav ...) NOT-FOR-US: man-cgi CVE-2018-14428 RESERVED CVE-2018-14427 RESERVED CVE-2018-14426 RESERVED CVE-2018-14425 (There is a Persistent XSS vulnerability in the briefcase component of ...) NOT-FOR-US: Synacor Zimbra Collaboration Suite CVE-2017-18343 (** DISPUTED ** The debug handler in Symfony before v2.7.33, 2.8.x befo ...) - symfony 3.4.0+dfsg-1 (unimportant) NOTE: https://github.com/symfony/debug/pull/7/commits/e48bda29143bd1a83001780b4a78e483822d985c NOTE: https://github.com/symfony/symfony/issues/27987 NOTE: https://github.com/symfony/symfony/pull/23684 CVE-2016-10727 (camel/providers/imapx/camel-imapx-server.c in the IMAPx component in G ...) {DLA-1443-1} - evolution-data-server 3.22.0-2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1334842 NOTE: https://gitlab.gnome.org/GNOME/evolution-data-server/commit/f26a6f67 CVE-2018-14424 (The daemon in GDM through 3.29.1 does not properly unexport display ob ...) {DSA-4270-1 DLA-1494-1} - gdm3 3.28.2-4 NOTE: https://gitlab.gnome.org/GNOME/gdm/issues/401 NOTE: https://gitlab.gnome.org/GNOME/gdm/commit/6060db704a19b0db68f2e9e6a2d020c0c78b6bba NOTE: https://gitlab.gnome.org/GNOME/gdm/commit/765b306c364885dd89d47fe9fe8618ce6a467bc1 CVE-2018-14423 (Division-by-zero vulnerabilities in the functions pi_next_pcrl, pi_nex ...) {DSA-4405-1 DLA-1614-1} - openjpeg2 2.3.0-2 (low; bug #904873) NOTE: https://github.com/uclouvain/openjpeg/issues/1123 NOTE: https://github.com/uclouvain/openjpeg/commit/bd88611ed9ad7144ec4f3de54790cd848175891b CVE-2018-14422 (blog/index.php in SansCMS 0.7 has XSS via the q parameter. ...) NOT-FOR-US: SansCMS CVE-2018-14421 (SeaCMS v6.61 allows Remote Code execution by placing PHP code in a mov ...) NOT-FOR-US: SeaCMS CVE-2018-14420 (MetInfo 6.0.0 allows a CSRF attack to add a user account via a doaddsa ...) NOT-FOR-US: MetInfo CVE-2018-14419 (MetInfo 6.0.0 allows XSS via a modified name of the navigation bar on ...) NOT-FOR-US: MetInfo CVE-2018-14418 (In Msvod Cms v10, SQL Injection exists via an images/lists?cid= URI. ...) NOT-FOR-US: Msvod Cms CVE-2018-14417 (A command injection vulnerability was found in the web administration ...) NOT-FOR-US: SoftNAS CVE-2018-14416 RESERVED CVE-2018-14415 (An issue was discovered in idreamsoft iCMS before 7.0.10. XSS exists v ...) NOT-FOR-US: idreamsoft iCMS CVE-2018-14414 RESERVED CVE-2018-14413 RESERVED CVE-2018-14412 RESERVED CVE-2018-14411 RESERVED CVE-2018-14410 RESERVED CVE-2018-14409 RESERVED CVE-2018-14408 RESERVED CVE-2018-14407 RESERVED CVE-2018-14406 RESERVED CVE-2018-14405 RESERVED CVE-2018-14404 (A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPat ...) {DLA-1524-1} [experimental] - libxml2 2.9.9+dfsg1-1~exp1 - libxml2 2.9.10+dfsg-2 (low; bug #901817) [buster] - libxml2 (Minor issue) [stretch] - libxml2 (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/libxml2/issues/5 NOTE: https://gitlab.gnome.org/GNOME/libxml2/issues/10 NOTE: https://gitlab.gnome.org/GNOME/libxml2/commit/a436374994c47b12d5de1b8b1d191a098fa23594 CVE-2018-14403 (MP4NameFirstMatches in mp4util.cpp in MP4v2 2.0.0 mishandles substring ...) - mp4v2 (bug #904897) [stretch] - mp4v2 (Minor issue) [jessie] - mp4v2 (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2018/07/18/3 CVE-2018-14402 (axmldec 1.2.0 has an out-of-bounds write in the jitana::axml_parser::p ...) NOT-FOR-US: axmldec CVE-2018-14401 (CopyData in AxmlParser.c in AXML Parser through 2018-01-04 has an out- ...) NOT-FOR-US: AXML Parser CVE-2018-14400 REJECTED CVE-2018-14399 (libs\classes\attachment.class.php in PHPCMS 9.6.0 allows remote attack ...) NOT-FOR-US: PHPCMS CVE-2018-14398 (An issue was discovered in Creme CRM 1.6.12. The value of the cancel b ...) NOT-FOR-US: Creme CRM CVE-2018-14397 (An issue was discovered in Creme CRM 1.6.12. The organization creation ...) NOT-FOR-US: Creme CRM CVE-2018-14396 (An issue was discovered in Creme CRM 1.6.12. The salesman creation pag ...) NOT-FOR-US: Creme CRM CVE-2018-14395 (libavformat/movenc.c in FFmpeg before 4.0.2 allows attackers to cause ...) {DSA-4258-1} - ffmpeg 7:4.0.2-1 - libav [jessie] - libav (only version 2 is supported) NOTE: https://github.com/FFmpeg/FFmpeg/commit/fa19fbcf712a6a6cc5a5cfdc3254a97b9bce6582 CVE-2018-14394 (libavformat/movenc.c in FFmpeg before 4.0.2 allows attackers to cause ...) {DSA-4249-1 DLA-1630-1} - ffmpeg 7:4.0.2-1 - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/3a2d21bc5f97aa0161db3ae731fc2732be6108b8 CVE-2018-14393 RESERVED CVE-2018-14392 (The New Threads plugin before 1.2 for MyBB has XSS. ...) NOT-FOR-US: New Threads plugin for MyBB CVE-2018-14391 RESERVED CVE-2018-14390 RESERVED CVE-2018-1999001 (A unauthorized modification of configuration vulnerability exists in J ...) NOT-FOR-US: Jenkins CVE-2018-1999002 (A arbitrary file read vulnerability exists in Jenkins 2.132 and earlie ...) NOT-FOR-US: Jenkins CVE-2018-1999003 (A Improper authorization vulnerability exists in Jenkins 2.132 and ear ...) NOT-FOR-US: Jenkins CVE-2018-1999004 (A Improper authorization vulnerability exists in Jenkins 2.132 and ear ...) NOT-FOR-US: Jenkins CVE-2018-1999005 (A cross-site scripting vulnerability exists in Jenkins 2.132 and earli ...) NOT-FOR-US: Jenkins CVE-2018-1999006 (A exposure of sensitive information vulnerability exists in Jenkins 2. ...) NOT-FOR-US: Jenkins CVE-2018-1999007 (A cross-site scripting vulnerability exists in Jenkins 2.132 and earli ...) NOT-FOR-US: Jenkins CVE-2018-14389 (joyplus-cms 1.6.0 has SQL Injection via the manager/admin_ajax.php val ...) NOT-FOR-US: joyplus-cms CVE-2018-14388 (joyplus-cms 1.6.0 has XSS via the manager/admin_ajax.php can_search_de ...) NOT-FOR-US: joyplus-cms CVE-2018-14387 (An issue was discovered in WonderCMS before 2.5.2. An attacker can cre ...) NOT-FOR-US: WonderCMS CVE-2018-14386 RESERVED CVE-2018-14385 RESERVED CVE-2018-14384 (The Website Manager module in SEO Panel 3.13.0 and earlier is affected ...) NOT-FOR-US: SEO Panel CVE-2018-14383 (The Transition Technologies "The Scheduler" app 5.1.3 for Jira allows ...) NOT-FOR-US: Transition Technologies "The Scheduler" app for Jira CVE-2018-14382 (InstantCMS 2.10.1 has /redirect?url= XSS. ...) NOT-FOR-US: InstantCMS CVE-2018-14381 (Pagekit before 1.0.14 has a /user/login?redirect= open redirect vulner ...) NOT-FOR-US: Pagekit CMS CVE-2018-14380 (In Graylog before 2.4.6, XSS was possible in typeahead components, rel ...) - graylog2 (bug #652273) CVE-2018-14379 (MP4Atom::factory in mp4atom.cpp in MP4v2 2.0.0 incorrectly uses the MP ...) - mp4v2 (bug #904898) [stretch] - mp4v2 (Minor issue) [jessie] - mp4v2 (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2018/07/17/1 CVE-2018-14378 REJECTED CVE-2018-14377 RESERVED CVE-2018-14376 RESERVED CVE-2018-14375 REJECTED CVE-2018-14374 REJECTED CVE-2018-14373 REJECTED CVE-2018-14372 RESERVED CVE-2018-14371 (The getLocalePrefix function in ResourceManager.java in Eclipse Mojarr ...) - mojarra (Vulnerable code introduced later) NOTE: https://github.com/eclipse-ee4j/mojarra/commit/1b434748d9239f42eae8aa7d37d7a0930c061e24 CVE-2018-14370 (In Wireshark 2.6.0 to 2.6.1 and 2.4.0 to 2.4.7, the IEEE 802.11 protoc ...) - wireshark 2.6.2-1 [stretch] - wireshark (Vulnerable code not present) [jessie] - wireshark (Vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14686 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=b1446124eebc3ea5591d18e719c2a5cff3630638 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-43.html CVE-2018-14369 (In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the ...) {DLA-1451-1} - wireshark 2.6.2-1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14869 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=038cd225bfa54e2a7ade4043118796334920a61e NOTE: https://www.wireshark.org/security/wnpa-sec-2018-41.html CVE-2018-14368 (In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the ...) {DLA-1451-1} - wireshark 2.6.2-1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14841 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=6c44312f465014eb409d766a9828b7f101f6251c NOTE: https://www.wireshark.org/security/wnpa-sec-2018-40.html CVE-2018-14367 (In Wireshark 2.6.0 to 2.6.1 and 2.4.0 to 2.4.7, the CoAP protocol diss ...) - wireshark 2.6.2-1 [stretch] - wireshark (Vulnerable code not present) [jessie] - wireshark (Vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14966 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=81ce5fcb3e37a0aaeb7532f7a2a09366f16fa310 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-42.html CVE-2018-14366 (download.cgi in Pulse Secure Pulse Connect Secure 8.1RX before 8.1R13 ...) NOT-FOR-US: Pulse Secure Pulse Connect Secure CVE-2018-14365 RESERVED CVE-2018-14364 (GitLab Community and Enterprise Edition before 10.7.7, 10.8.x before 1 ...) - gitlab 10.7.7+dfsg-2 (bug #904026) NOTE: https://about.gitlab.com/2018/07/17/critical-security-release-gitlab-11-dot-0-dot-4-released/ CVE-2018-14363 (An issue was discovered in NeoMutt before 2018-07-16. newsrc.c does no ...) {DSA-4277-1 DLA-1455-1} - neomutt 20180716+dfsg.1-1 (bug #904021) - mutt 1.9.1-1 NOTE: https://github.com/neomutt/neomutt/commit/9bfab35522301794483f8f9ed60820bdec9be59e NOTE: src:mutt 1.9.1-1 switches to official mutt.org source code without neomutt patchset NOTE: previous versions ship a neomutt patchset. CVE-2018-14362 (An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018- ...) {DSA-4277-1 DLA-1455-1} - neomutt 20180716+dfsg.1-1 (bug #904021) - mutt 1.10.1-1 (bug #904051) NOTE: https://github.com/neomutt/neomutt/commit/9bfab35522301794483f8f9ed60820bdec9be59e NOTE: https://gitlab.com/muttmua/mutt/commit/6aed28b40a0410ec47d40c8c7296d8d10bae7576 CVE-2018-14361 (An issue was discovered in NeoMutt before 2018-07-16. nntp.c proceeds ...) {DSA-4277-1 DLA-1455-1} - neomutt 20180716+dfsg.1-1 (bug #904021) - mutt 1.9.1-1 NOTE: https://github.com/neomutt/neomutt/commit/9e927affe3a021175f354af5fa01d22657c20585 NOTE: src:mutt 1.9.1-1 switches to official mutt.org source code without neomutt patchset NOTE: previous versions ship a neomutt patchset. CVE-2018-14360 (An issue was discovered in NeoMutt before 2018-07-16. nntp_add_group i ...) {DSA-4277-1 DLA-1455-1} - neomutt 20180716+dfsg.1-1 (bug #904021) - mutt 1.9.1-1 NOTE: https://github.com/neomutt/neomutt/commit/6296f7153f0c9d5e5cd3aaf08f9731e56621bdd3 NOTE: src:mutt 1.9.1-1 switches to official mutt.org source code without neomutt patchset NOTE: previous versions ship a neomutt patchset. CVE-2018-14359 (An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018- ...) {DSA-4277-1 DLA-1455-1} - neomutt 20180716+dfsg.1-1 (bug #904021) - mutt 1.10.1-1 (bug #904051) NOTE: https://github.com/neomutt/neomutt/commit/6f163e07ae68654d7ac5268cbb7565f6df79ad85 NOTE: https://gitlab.com/muttmua/mutt/commit/3d9028fec8f4d08db2251096307c0bbbebce669a CVE-2018-14358 (An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018- ...) {DSA-4277-1 DLA-1455-1} - neomutt 20180716+dfsg.1-1 (bug #904021) - mutt 1.10.1-1 (bug #904051) NOTE: https://github.com/neomutt/neomutt/commit/1b0f0d0988e6df4e32e9f4bf8780846ea95d4485 NOTE: https://gitlab.com/muttmua/mutt/commit/3287534daa3beac68e2e83ca4b4fe8a3148ff870 CVE-2018-14357 (An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018- ...) {DSA-4277-1 DLA-1455-1} - neomutt 20180716+dfsg.1-1 (bug #904021) - mutt 1.10.1-1 (bug #904051) NOTE: https://github.com/neomutt/neomutt/commit/e52393740334443ae0206cab2d7caef381646725 NOTE: https://gitlab.com/muttmua/mutt/commit/185152818541f5cdc059cbff3f3e8b654fc27c1d CVE-2018-14356 (An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018- ...) {DSA-4277-1 DLA-1455-1} - neomutt 20180716+dfsg.1-1 (bug #904021) - mutt 1.10.1-1 (bug #904051) NOTE: https://github.com/neomutt/neomutt/commit/93b8ac558752d09e1c56d4f1bc82631316fa9c82 NOTE: https://gitlab.com/muttmua/mutt/commit/e154cba1b3fc52bb8cb8aa846353c0db79b5d9c6 CVE-2018-14355 (An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018- ...) {DSA-4277-1 DLA-1455-1} - neomutt 20180716+dfsg.1-1 (bug #904021) - mutt 1.10.1-1 (bug #904051) NOTE: https://github.com/neomutt/neomutt/commit/57971dba06346b2d7179294f4528b8d4427a7c5d NOTE: https://gitlab.com/muttmua/mutt/commit/31eef6c766f47df8281942d19f76e35f475c781d CVE-2018-14354 (An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018- ...) {DSA-4277-1 DLA-1455-1} - neomutt 20180716+dfsg.1-1 (bug #904021) - mutt 1.10.1-1 (bug #904051) NOTE: https://github.com/neomutt/neomutt/commit/95e80bf9ff10f68cb6443f760b85df4117cb15eb NOTE: https://gitlab.com/muttmua/mutt/commit/185152818541f5cdc059cbff3f3e8b654fc27c1d CVE-2018-14353 (An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018- ...) {DSA-4277-1 DLA-1455-1} - neomutt 20180716+dfsg.1-1 (bug #904021) - mutt 1.10.1-1 (bug #904051) NOTE: https://github.com/neomutt/neomutt/commit/65d64a5b60a4a3883f2cd799d92c6091d8854f23 NOTE: https://gitlab.com/muttmua/mutt/commit/e0131852c6059107939893016c8ff56b6e42865d CVE-2018-14352 (An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018- ...) {DSA-4277-1 DLA-1455-1} - neomutt 20180716+dfsg.1-1 (bug #904021) - mutt 1.10.1-1 (bug #904051) NOTE: https://github.com/neomutt/neomutt/commit/e27b65b3bf8defa34db58919496056caf3850cd4 NOTE: https://gitlab.com/muttmua/mutt/commit/e0131852c6059107939893016c8ff56b6e42865d CVE-2018-14351 (An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018- ...) {DSA-4277-1 DLA-1455-1} - neomutt 20180716+dfsg.1-1 (bug #904021) - mutt 1.10.1-1 (bug #904051) NOTE: https://github.com/neomutt/neomutt/commit/3c49c44be9b459d9c616bcaef6eb5d51298c1741 NOTE: https://gitlab.com/muttmua/mutt/commit/e57a8602b45f58edf7b3ffb61bb17525d75dfcb1 CVE-2018-14350 (An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018- ...) {DSA-4277-1 DLA-1455-1} - neomutt 20180716+dfsg.1-1 (bug #904021) - mutt 1.10.1-1 (bug #904051) NOTE: https://github.com/neomutt/neomutt/commit/1b0f0d0988e6df4e32e9f4bf8780846ea95d4485 NOTE: https://gitlab.com/muttmua/mutt/commit/3287534daa3beac68e2e83ca4b4fe8a3148ff870 CVE-2018-14349 (An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018- ...) {DSA-4277-1 DLA-1455-1} - neomutt 20180716+dfsg.1-1 (bug #904021) - mutt 1.10.1-1 (bug #904051) NOTE: https://github.com/neomutt/neomutt/commit/36a29280448097f34ce9c94606195f2ac643fed1 NOTE: https://gitlab.com/muttmua/mutt/commit/9347b5c01dc52682cb6be11539d9b7ebceae4416 CVE-2018-14348 (libcgroup up to and including 0.41 creates /var/log/cgred with mode 06 ...) {DLA-1472-1} - libcgroup 0.41-8.1 (low; bug #906308) [stretch] - libcgroup 0.41-8+deb9u1 NOTE: https://sourceforge.net/p/libcg/libcg/ci/0d88b73d189ea3440ccaab00418d6469f76fa590/ NOTE: cgred not enabled by default, shipped example config logs to syslog by default CVE-2018-14347 (GNU Libextractor before 1.7 contains an infinite loop vulnerability in ...) {DSA-4290-1 DLA-1478-1} - libextractor 1:1.7-1 (bug #904905) NOTE: http://lists.gnu.org/archive/html/bug-libextractor/2018-07/msg00000.html NOTE: https://gnunet.org/bugs/view.php?id=5399 NOTE: https://git.gnunet.org/libextractor.git/commit/?id=f033468cd36e2b8bf92d747fbd683b2ace8da394 CVE-2018-14346 (GNU Libextractor before 1.7 has a stack-based buffer overflow in ec_re ...) {DSA-4290-1 DLA-1478-1} - libextractor 1:1.7-1 (bug #904903) NOTE: http://lists.gnu.org/archive/html/bug-libextractor/2018-07/msg00001.html NOTE: https://git.gnunet.org/libextractor.git/commit/?id=ad19e7fe0adc99d5710eff1ed48d91a7b75a950e CVE-2018-14345 (An issue was discovered in SDDM through 0.17.0. If configured with Reu ...) - sddm 0.18.0-1 [stretch] - sddm (Re-use session feature introduced in 0.16.0) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1101450 NOTE: https://github.com/sddm/sddm/commit/147cec383892d143b5e02daa70f1e7def50f5d98 CVE-2018-14344 (In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the ...) - wireshark 2.6.2-1 [jessie] - wireshark (Vulnerable code not present, introduced in v1.99.1rc0-224-g6720c80bab) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14672 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=4f7153685b39a164aea09ba7f96ebb648b8328ae NOTE: https://www.wireshark.org/security/wnpa-sec-2018-35.html CVE-2018-14343 (In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the ...) {DLA-1451-1} - wireshark 2.6.2-1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14682 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=9402f2f80c6bc7d25178a0875c5a1f5ee36361db NOTE: https://www.wireshark.org/security/wnpa-sec-2018-37.html CVE-2018-14342 (In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the ...) {DLA-1451-1} - wireshark 2.6.2-1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13741 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=36af43dbb7673495948cd65d0346e8b9812b941c NOTE: https://www.wireshark.org/security/wnpa-sec-2018-34.html CVE-2018-14341 (In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the ...) {DLA-1451-1} - wireshark 2.6.2-1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14742 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2e716c32be6aa20e1813b0002878853e71f8b2f4 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-39.html CVE-2018-14340 (In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, diss ...) {DLA-1451-1} - wireshark 2.6.2-1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14675 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=672d882a53f96730e4ef1e5b1639c585823b0df8 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-36.html CVE-2018-14339 (In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the ...) {DLA-1451-1} - wireshark 2.6.2-1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14738 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=3b77c0a596a8071aebc1de71e3f79e5e15e919ca NOTE: https://www.wireshark.org/security/wnpa-sec-2018-38.html CVE-2018-14338 (samples/geotag.cpp in the example code of Exiv2 0.26 misuses the realp ...) - exiv2 (unimportant) NOTE: https://github.com/Exiv2/exiv2/issues/382 NOTE: Issue in example code of Exiv2 CVE-2018-14337 (The CHECK macro in mrbgems/mruby-sprintf/src/sprintf.c in mruby 1.4.1 ...) - mruby 2.0.0-1 (low; bug #903985) [stretch] - mruby (Minor issue) [jessie] - mruby (Minor issue) NOTE: https://github.com/mruby/mruby/issues/4062 NOTE: https://github.com/mruby/mruby/commit/695f29cd604787f43be1af16e38d13610bf8312b NOTE: https://github.com/mruby/mruby/commit/adb1eae912659d680a9c5b7832e22cf73d36a69a CVE-2018-14336 (TP-Link WR840N devices allow remote attackers to cause a denial of ser ...) NOT-FOR-US: TP-Link CVE-2018-14335 (An issue was discovered in H2 1.4.197. Insecure handling of permission ...) NOT-FOR-US: H2 (different from src:python-h2) CVE-2018-14334 (manager/editor/upload.php in joyplus-cms 1.6.0 allows arbitrary file u ...) NOT-FOR-US: joyplus-cms CVE-2018-14333 (TeamViewer through 13.1.1548 stores a password in Unicode format withi ...) NOT-FOR-US: TeamViewer CVE-2018-14332 (An issue was discovered in Clementine Music Player 1.3.1. Clementine.e ...) - clementine (unimportant) NOTE: https://github.com/clementine-player/Clementine/issues/6078 NOTE: https://github.com/MostafaSoliman/Security-Advisories/blob/master/CVE-2018-14332 NOTE: Crash in enduser tool, no security impact CVE-2018-14331 (An issue was discovered in XiaoCms X1 v20140305. There is a CSRF vulne ...) NOT-FOR-US: XiaoCms CVE-2018-14330 RESERVED CVE-2018-14329 (In HTSlib 1.8, a race condition in cram/cram_io.c might allow local us ...) - htslib (unimportant) NOTE: https://github.com/samtools/htslib/issues/736 NOTE: Neutralised by kernel hardening CVE-2018-14328 (Brynamics "Online Trade - Online trading and cryptocurrency investment ...) NOT-FOR-US: Brynamics "Online Trade - Online trading and cryptocurrency investment system" CVE-2018-14327 (The installer for the Alcatel OSPREY3_MINI Modem component on EE EE40V ...) NOT-FOR-US: Alcatel CVE-2018-14324 (The demo feature in Oracle GlassFish Open Source Edition 5.0 has TCP p ...) - glassfish (Vulnerable code not included, only builds a few classes) CVE-2018-14323 RESERVED CVE-2018-14322 RESERVED CVE-2018-14321 RESERVED CVE-2018-14320 (This vulnerability allows remote attackers to disclose sensitive infor ...) - libpodofo 0.9.6+dfsg-4 (bug #916240) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) NOTE: https://www.zerodayinitiative.com/advisories/ZDI-18-1046/ NOTE: https://sourceforge.net/p/podofo/code/1953 CVE-2018-14319 RESERVED CVE-2018-14318 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Samsung CVE-2018-14317 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14316 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-14315 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14314 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14313 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14312 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14311 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14310 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14309 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14308 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14307 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14306 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14305 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14304 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14303 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14302 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14301 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14300 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14299 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14298 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14297 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14296 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14295 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit CVE-2018-14294 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14293 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14292 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14291 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14290 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14289 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-14288 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14287 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14286 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14285 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14284 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14283 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14282 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14281 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14280 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14279 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14278 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14277 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14276 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14275 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14274 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14273 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14272 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14271 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14270 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14269 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14268 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14267 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14266 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14265 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14264 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14263 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14262 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14261 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14260 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14259 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14258 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14257 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14256 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14255 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14254 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14253 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14252 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14251 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14250 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14249 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14248 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14247 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14246 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14245 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14244 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14243 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14242 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14241 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-14326 (In MP4v2 2.0.0, there is an integer overflow (with resultant memory co ...) - mp4v2 (bug #904900) [stretch] - mp4v2 (Minor issue) [jessie] - mp4v2 (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2018/07/16/1 CVE-2018-14325 (In MP4v2 2.0.0, there is an integer underflow (with resultant memory c ...) - mp4v2 (bug #904901) [stretch] - mp4v2 (Minor issue) [jessie] - mp4v2 (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2018/07/16/1 CVE-2018-14240 RESERVED CVE-2018-14239 RESERVED CVE-2018-14238 RESERVED CVE-2018-14237 RESERVED CVE-2018-14236 RESERVED CVE-2018-14235 RESERVED CVE-2018-14234 RESERVED CVE-2018-14233 RESERVED CVE-2018-14232 RESERVED CVE-2018-14231 RESERVED CVE-2018-14230 RESERVED CVE-2018-14229 RESERVED CVE-2018-14228 RESERVED CVE-2018-14227 RESERVED CVE-2018-14226 RESERVED CVE-2018-14225 RESERVED CVE-2018-14224 RESERVED CVE-2018-14223 RESERVED CVE-2018-14222 RESERVED CVE-2018-14221 RESERVED CVE-2018-14220 RESERVED CVE-2018-14219 RESERVED CVE-2018-14218 RESERVED CVE-2018-14217 RESERVED CVE-2018-14216 RESERVED CVE-2018-14215 RESERVED CVE-2018-14214 RESERVED CVE-2018-14213 RESERVED CVE-2018-14212 RESERVED CVE-2018-14211 RESERVED CVE-2018-14210 RESERVED CVE-2018-14209 RESERVED CVE-2018-14208 RESERVED CVE-2018-14207 RESERVED CVE-2018-14206 RESERVED CVE-2018-14205 RESERVED CVE-2018-14204 RESERVED CVE-2018-14203 RESERVED CVE-2018-14202 RESERVED CVE-2018-14201 RESERVED CVE-2018-14200 RESERVED CVE-2018-14199 RESERVED CVE-2018-14198 RESERVED CVE-2018-14197 RESERVED CVE-2018-14196 RESERVED CVE-2018-14195 RESERVED CVE-2018-14194 RESERVED CVE-2018-14193 RESERVED CVE-2018-14192 RESERVED CVE-2018-14191 RESERVED CVE-2018-14190 RESERVED CVE-2018-14189 RESERVED CVE-2018-14188 RESERVED CVE-2018-14187 RESERVED CVE-2018-14186 RESERVED CVE-2018-14185 RESERVED CVE-2018-14184 RESERVED CVE-2018-14183 RESERVED CVE-2018-14182 RESERVED CVE-2018-14181 RESERVED CVE-2018-14180 RESERVED CVE-2018-14179 RESERVED CVE-2018-14178 RESERVED CVE-2018-14177 RESERVED CVE-2018-14176 RESERVED CVE-2018-14175 RESERVED CVE-2018-14174 RESERVED CVE-2018-14173 RESERVED CVE-2018-14172 RESERVED CVE-2018-14171 RESERVED CVE-2018-14170 RESERVED CVE-2018-14169 RESERVED CVE-2018-14168 RESERVED CVE-2018-14167 RESERVED CVE-2018-14166 RESERVED CVE-2018-14165 RESERVED CVE-2018-14164 RESERVED CVE-2018-14163 RESERVED CVE-2018-14162 RESERVED CVE-2018-14161 RESERVED CVE-2018-14160 RESERVED CVE-2018-14159 RESERVED CVE-2018-14158 RESERVED CVE-2018-14157 RESERVED CVE-2018-14156 RESERVED CVE-2018-14155 RESERVED CVE-2018-14154 RESERVED CVE-2018-14153 RESERVED CVE-2018-14152 RESERVED CVE-2018-14151 RESERVED CVE-2018-14150 RESERVED CVE-2018-14149 RESERVED CVE-2018-14148 RESERVED CVE-2018-14147 RESERVED CVE-2018-14146 RESERVED CVE-2018-14145 RESERVED CVE-2018-14144 RESERVED CVE-2018-14143 RESERVED CVE-2018-14142 RESERVED CVE-2018-14141 RESERVED CVE-2018-14140 RESERVED CVE-2018-14139 RESERVED CVE-2018-14138 RESERVED CVE-2018-14137 RESERVED CVE-2018-14136 RESERVED CVE-2018-14135 RESERVED CVE-2018-14134 RESERVED CVE-2018-14133 RESERVED CVE-2018-14132 RESERVED CVE-2018-14131 RESERVED CVE-2018-14130 RESERVED CVE-2018-14129 RESERVED CVE-2018-14128 RESERVED CVE-2018-14127 RESERVED CVE-2018-14126 RESERVED CVE-2018-14125 RESERVED CVE-2018-14124 RESERVED CVE-2018-14123 RESERVED CVE-2018-14122 RESERVED CVE-2018-14121 RESERVED CVE-2018-14120 RESERVED CVE-2018-14119 RESERVED CVE-2018-14118 RESERVED CVE-2018-14117 RESERVED CVE-2018-14116 RESERVED CVE-2018-14115 RESERVED CVE-2018-14114 RESERVED CVE-2018-14113 RESERVED CVE-2018-14112 RESERVED CVE-2018-14111 RESERVED CVE-2018-14110 RESERVED CVE-2018-14109 RESERVED CVE-2018-14108 RESERVED CVE-2018-14107 RESERVED CVE-2018-14106 RESERVED CVE-2018-14105 RESERVED CVE-2018-14104 RESERVED CVE-2018-14103 RESERVED CVE-2018-14102 RESERVED CVE-2018-14101 RESERVED CVE-2018-14100 RESERVED CVE-2018-14099 RESERVED CVE-2018-14098 RESERVED CVE-2018-14097 RESERVED CVE-2018-14096 RESERVED CVE-2018-14095 RESERVED CVE-2018-14094 RESERVED CVE-2018-14093 RESERVED CVE-2018-14092 RESERVED CVE-2018-14091 RESERVED CVE-2018-14090 RESERVED CVE-2018-14089 (An issue was discovered in a smart contract implementation for Virgo_Z ...) NOT-FOR-US: smart contract implementation for Virgo_ZodiacToken CVE-2018-14088 (An issue was discovered in a smart contract implementation for STeX Wh ...) NOT-FOR-US: smart contract implementation for STeX White List (STE(WL)) CVE-2018-14087 (An issue was discovered in a smart contract implementation for EUC (EU ...) NOT-FOR-US: smart contract implementation for EUC (EUC) CVE-2018-14086 (An issue was discovered in a smart contract implementation for Singapo ...) NOT-FOR-US: smart contract implementation for SingaporeCoinOrigin (SCO) CVE-2018-14085 (An issue was discovered in a smart contract implementation for UserWal ...) NOT-FOR-US: smart contract implementation for UserWallet 0x0a7bca9FB7AfF26c6ED8029BB6f0F5D291587c42 CVE-2018-14084 (An issue was discovered in a smart contract implementation for MKCB, a ...) NOT-FOR-US: smart contract implementation for MKCB CVE-2018-14083 (LICA miniCMTS E8K(u/i/...) devices allow remote attackers to obtain se ...) NOT-FOR-US: LICA miniCMTS E8K(u/i/...) devices CVE-2018-14082 (PHP Scripts Mall JOB SITE (aka Job Portal) 3.0.1 has Cross-site Script ...) NOT-FOR-US: PHP Scripts Mall JOB SITE (aka Job Portal) CVE-2018-14081 (An issue was discovered on D-Link DIR-809 A1 through 1.09, A2 through ...) NOT-FOR-US: D-Link CVE-2018-14080 (An issue was discovered on D-Link DIR-809 A1 through 1.09, A2 through ...) NOT-FOR-US: D-Link CVE-2018-14079 (Wi2be SMART HP WMT R1.2.20_201400922 allows unauthorized remote attack ...) NOT-FOR-US: Wi2be SMART HP WMT CVE-2018-14078 (Wi2be SMART HP WMT R1.2.20_201400922 allows unauthorized remote attack ...) NOT-FOR-US: Wi2be SMART HP WMT CVE-2018-14077 (Wi2be SMART HP WMT R1.2.20_201400922 allows unauthorized remote attack ...) NOT-FOR-US: Wi2be SMART HP WMT CVE-2018-14076 RESERVED CVE-2018-14075 RESERVED CVE-2018-14074 RESERVED CVE-2018-14073 (libsixel 1.8.1 has a memory leak in sixel_allocator_new in allocator.c ...) - libsixel 1.8.2-1 (low; bug #903858) [stretch] - libsixel 1.5.2-2+deb9u1 [jessie] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/67#issuecomment-404989926 NOTE: https://github.com/saitoha/libsixel/commit/f94bc6fec696abd77be275226f28409602bd1f27 CVE-2018-14072 (libsixel 1.8.1 has a memory leak in sixel_decoder_decode in decoder.c, ...) - libsixel 1.8.2-1 (low; bug #903858) [stretch] - libsixel 1.5.2-2+deb9u1 [jessie] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/67#issue-341198610 NOTE: https://github.com/saitoha/libsixel/commit/f94bc6fec696abd77be275226f28409602bd1f27 CVE-2018-14071 (The Geo Mashup plugin before 1.10.4 for WordPress has insufficient san ...) NOT-FOR-US: Geo Mashup plugin for WordPress CVE-2018-14070 RESERVED CVE-2018-14069 (An issue was discovered in SRCMS V2.3.1. There is a CSRF vulnerability ...) NOT-FOR-US: SRCMS CVE-2018-14068 (An issue was discovered in SRCMS V2.3.1. There is a CSRF vulnerability ...) NOT-FOR-US: SRCMS CVE-2018-14067 RESERVED CVE-2018-14066 (The content://wappush content provider in com.android.provider.telepho ...) NOT-FOR-US: Lenovo CVE-2018-14065 (XMLReader.php in PHPOffice Common before 0.2.9 allows XXE. ...) NOT-FOR-US: PHPOffice CVE-2018-14064 (The uc-http service 1.0.0 on VelotiSmart WiFi B-380 camera devices all ...) NOT-FOR-US: VelotiSmart WiFi B-380 camera devices CVE-2018-14063 (The increaseApproval function of a smart contract implementation for T ...) NOT-FOR-US: smart contract CVE-2018-14062 (The COSPAS-SARSAT protocol allows remote attackers to forge messages, ...) NOT-FOR-US: COSPAS-SARSAT protocol CVE-2018-14061 RESERVED CVE-2018-14060 (OS command injection in the AP mode settings feature in /cgi-bin/luci ...) NOT-FOR-US: Xiaomi R3D CVE-2018-14059 (Pimcore allows XSS via Users, Assets, Data Objects, Video Thumbnails, ...) NOT-FOR-US: Pimcore CVE-2018-14058 (Pimcore before 5.3.0 allows SQL Injection via the REST web service API ...) NOT-FOR-US: Pimcore CVE-2018-14057 (Pimcore before 5.3.0 allows remote attackers to conduct cross-site req ...) NOT-FOR-US: Pimcore CVE-2018-14055 (ZNC before 1.7.1-rc1 does not properly validate untrusted lines coming ...) {DSA-4252-1 DLA-1427-1} - znc 1.7.1-1 (bug #903787) NOTE: https://github.com/znc/znc/commit/a7bfbd93812950b7444841431e8e297e62cb524e NOTE: https://github.com/znc/znc/commit/d22fef8620cdd87490754f607e7153979731c69d NOTE: http://www.openwall.com/lists/oss-security/2018/07/18/4 CVE-2018-14056 (ZNC before 1.7.1-rc1 is prone to a path traversal flaw via ../ in a we ...) {DSA-4252-1 DLA-1427-1} - znc 1.7.1-1 (bug #903788) NOTE: https://github.com/znc/znc/commit/a4a5aeeb17d32937d8c7d743dae9a4cc755ce773 NOTE: http://www.openwall.com/lists/oss-security/2018/07/18/5 CVE-2018-14053 RESERVED CVE-2018-14052 (An issue has been found in libwav through 2017-04-20. It is a SEGV in ...) NOT-FOR-US: libwav CVE-2018-14051 (The function wav_read in libwav.c in libwav through 2017-04-20 has an ...) NOT-FOR-US: libwav CVE-2018-14050 (An issue has been found in libwav through 2017-04-20. It is a SEGV in ...) NOT-FOR-US: libwav CVE-2018-14049 (An issue has been found in libwav through 2017-04-20. It is a SEGV in ...) NOT-FOR-US: libwav CVE-2018-14048 (An issue has been found in libpng 1.6.34. It is a SEGV in the function ...) [experimental] - libpng1.6 1.6.37-1~exp1 - libpng1.6 1.6.37-1 (unimportant) - libpng (unimportant) NOTE: https://github.com/glennrp/libpng/issues/238 NOTE: Issue in use of libpng in pnm2png not shipped in binary packages. CVE-2018-14047 (** DISPUTED ** An issue has been found in PNGwriter 0.7.0. It is a SEG ...) - pngwriter NOTE: https://github.com/pngwriter/pngwriter/issues/129 CVE-2018-14046 (Exiv2 0.26 has a heap-based buffer over-read in WebPImage::decodeChunk ...) - exiv2 (Vulnerable code not present; only affecte experimental; bug #903763) NOTE: https://github.com/Exiv2/exiv2/issues/378 NOTE: https://github.com/D4N/exiv2/commit/49bfe84b4b7277cc425572fb68db23c8820181c1 CVE-2018-14045 (The FIRFilter::evaluateFilterMulti function in FIRFilter.cpp in libSou ...) - soundtouch 2.1.2+ds1-1 (low; bug #905504) [stretch] - soundtouch (Minor issue) [jessie] - soundtouch (Minor issue) NOTE: https://gitlab.com/soundtouch/soundtouch/issues/7 NOTE: https://github.com/TeamSeri0us/pocs/blob/master/soundtouch/readme.md CVE-2018-14044 (The RateTransposer::setChannels function in RateTransposer.cpp in libS ...) - soundtouch 2.1.2+ds1-1 (low; bug #905504) [stretch] - soundtouch (Minor issue) [jessie] - soundtouch (Minor issue) NOTE: https://gitlab.com/soundtouch/soundtouch/issues/7 NOTE: https://github.com/TeamSeri0us/pocs/blob/master/soundtouch/readme.md CVE-2018-14043 (mstdlib (aka the M Standard Library for C) 1.2.0 has incorrect file ac ...) NOT-FOR-US: mstdlib CVE-2018-14042 (In Bootstrap before 4.1.2, XSS is possible in the data-container prope ...) - twitter-bootstrap [stretch] - twitter-bootstrap (Minor issue) [jessie] - twitter-bootstrap (Minor issue) - twitter-bootstrap3 3.4.0+dfsg-1 (low; bug #907414) [stretch] - twitter-bootstrap3 3.3.7+dfsg-2+deb9u1 [jessie] - twitter-bootstrap3 (Vulnerable code not present) NOTE: https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/ NOTE: https://github.com/twbs/bootstrap/issues/26423 NOTE: https://github.com/twbs/bootstrap/issues/26628 NOTE: https://github.com/twbs/bootstrap/pull/26630 NOTE: https://github.com/twbs/bootstrap/pull/26630/commits/efca80bb5bb34546a2e7a9488b89f71457d2ad92 NOTE: https://snyk.io/vuln/npm:bootstrap:20180529 NOTE: https://github.com/twbs/bootstrap/commit/2d90d369bbc2bd2647620246c55cec8c4705e3d0 (v4.1.2) NOTE: https://github.com/twbs/bootstrap/commit/2a5ba23ce8f041f3548317acc992ed8a736b609d (v3.4.0) CVE-2018-14041 (In Bootstrap before 4.1.2, XSS is possible in the data-target property ...) - twitter-bootstrap (Vulnerable code not present) - twitter-bootstrap3 (Vulnerable code not present) NOTE: https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/ NOTE: https://github.com/twbs/bootstrap/issues/26423 NOTE: https://github.com/twbs/bootstrap/issues/26627 NOTE: https://github.com/twbs/bootstrap/pull/26630 NOTE: https://github.com/twbs/bootstrap/pull/26630/commits/3229efc0811df29765c1d0a949c85362378b0628 NOTE: https://snyk.io/vuln/npm:bootstrap:20160627 NOTE: https://snyk.io/vuln/npm:bootstrap:20180529 NOTE: https://github.com/twbs/bootstrap/commit/cc61edfa8af7b5ec9d4888c59bf94377e499b78b (v4.1.2) CVE-2018-14040 (In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent ...) {DLA-1479-1} - twitter-bootstrap [stretch] - twitter-bootstrap (Minor issue) [jessie] - twitter-bootstrap (Minor issue) - twitter-bootstrap3 3.4.0+dfsg-1 (low; bug #907414) [stretch] - twitter-bootstrap3 3.3.7+dfsg-2+deb9u1 NOTE: https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/ NOTE: https://github.com/twbs/bootstrap/issues/26423 NOTE: https://github.com/twbs/bootstrap/issues/26625 NOTE: https://github.com/twbs/bootstrap/pull/26630 NOTE: https://github.com/twbs/bootstrap/pull/26630/commits/3ba186313e9e651bbd52a6a3a0305891dee0a621 NOTE: https://snyk.io/vuln/npm:bootstrap:20180529 NOTE: https://github.com/twbs/bootstrap/commit/149096016f70fd815540d62c0989fd99cdc809e0 (v4.1.2) NOTE: https://github.com/twbs/bootstrap/commit/2a5ba23ce8f041f3548317acc992ed8a736b609d (v3.4.0) CVE-2018-14039 RESERVED CVE-2018-14038 REJECTED CVE-2018-14037 (Cross-site scripting (XSS) vulnerability in Progress Kendo UI Editor v ...) NOT-FOR-US: Progress Kendo UI Editor CVE-2018-1000211 (Doorkeeper version 4.2.0 and later contains a Incorrect Access Control ...) - ruby-doorkeeper 4.4.2-1 (bug #903980) [stretch] - ruby-doorkeeper (Minor issue) NOTE: https://github.com/doorkeeper-gem/doorkeeper/issues/891 NOTE: https://github.com/doorkeeper-gem/doorkeeper/pull/1119 NOTE: https://github.com/doorkeeper-gem/doorkeeper/pull/1031 CVE-2018-1000210 (YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object ...) NOT-FOR-US: YamlDotNet CVE-2018-1000209 (Sensu, Inc. Sensu Core version Before version 1.4.2-3 contains a Insec ...) NOT-FOR-US: Sensu CVE-2018-1000208 (MODX Revolution version <=2.6.4 contains a Directory Traversal vuln ...) NOT-FOR-US: MODX Revolution CVE-2018-1000207 (MODX Revolution version <=2.6.4 contains a Incorrect Access Control ...) NOT-FOR-US: MODX Revolution CVE-2018-1000206 (JFrog Artifactory version since 5.11 contains a Cross ite Request Forg ...) NOT-FOR-US: JFrog Artifactory CVE-2018-14054 (A double free exists in the MP4StringProperty class in mp4property.cpp ...) - mp4v2 (bug #903859) [stretch] - mp4v2 (Minor issue) [jessie] - mp4v2 (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2018/07/13/1 CVE-2018-14036 (Directory Traversal with ../ sequences occurs in AccountsService befor ...) - accountsservice 0.6.45-2 (low; bug #903828) [stretch] - accountsservice (Minor issue) [jessie] - accountsservice (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2018/07/02/2 NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=107085 NOTE: https://gitlab.freedesktop.org/accountsservice/accountsservice/commit/f9abd359f71a5bce421b9ae23432f539a067847a CVE-2018-14035 (An issue was discovered in the HDF HDF5 1.8.20 library. There is a hea ...) - hdf5 NOTE: https://github.com/TeamSeri0us/pocs/blob/master/hdf5/README2.md CVE-2018-14034 (An issue was discovered in the HDF HDF5 1.8.20 library. There is an ou ...) - hdf5 NOTE: https://github.com/TeamSeri0us/pocs/blob/master/hdf5/README2.md CVE-2018-14033 (An issue was discovered in the HDF HDF5 1.8.20 library. There is a hea ...) - hdf5 NOTE: https://github.com/TeamSeri0us/pocs/blob/master/hdf5/README2.md CVE-2018-14032 REJECTED CVE-2018-14031 (An issue was discovered in the HDF HDF5 1.8.20 library. There is a hea ...) - hdf5 NOTE: https://github.com/TeamSeri0us/pocs/blob/master/hdf5/README2.md CVE-2018-14030 RESERVED CVE-2018-14029 (CSRF vulnerability in admin/user/edit in Creatiwity wityCMS 0.6.2 allo ...) NOT-FOR-US: Creatiwity wityCMS CVE-2018-14028 (In WordPress 4.9.7, plugins uploaded via the admin area are not verifi ...) - wordpress (bug #906565) [stretch] - wordpress (Minor issue) [jessie] - wordpress (no sanctioned patch) NOTE: https://core.trac.wordpress.org/ticket/44710 NOTE: https://rastating.github.io/unrestricted-file-upload-via-plugin-uploader-in-wordpress/ CVE-2018-14027 (Digisol Wireless Wifi Home Router HR-3300 allows XSS via the userid or ...) NOT-FOR-US: Digisol Wireless Wifi Home Router HR-3300 CVE-2018-14026 RESERVED CVE-2018-14025 RESERVED CVE-2018-14024 RESERVED CVE-2018-14023 (Open Whisper Signal (aka Signal-Desktop) before 1.15.0-beta.10 allows ...) - signal-desktop (bug #842943) CVE-2018-14022 RESERVED CVE-2018-14021 RESERVED CVE-2018-14020 (An issue was discovered in the Paymorrow module 1.0.0 before 1.0.2 and ...) NOT-FOR-US: Paymorrow module for OXID shop CVE-2018-14019 RESERVED CVE-2018-14018 RESERVED CVE-2018-14017 (The r_bin_java_annotation_new function in shlr/java/class.c in radare2 ...) - radare2 2.8.0+dfsg-1 (bug #903726) [jessie] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/commit/e9ce0d64faf19fa4e9c260250fbdf25e3c11e152 NOTE: https://github.com/radare/radare2/issues/10498 CVE-2018-14016 (The r_bin_mdmp_init_directory_entry function in mdmp.c in radare2 2.7. ...) - radare2 2.8.0+dfsg-1 (bug #903725) [jessie] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/commit/eb7deb281df54771fb8ecf5890dc325a7d22d3e2 NOTE: https://github.com/radare/radare2/issues/10464 CVE-2018-14015 (The sdb_set_internal function in sdb.c in radare2 2.7.0 allows remote ...) - radare2 2.8.0+dfsg-1 (bug #903724) [jessie] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/commit/d37d2b858ac47f2f108034be0bcecadaddfbc8b3 NOTE: https://github.com/radare/radare2/issues/10465 CVE-2018-14014 (In waimai Super Cms 20150505, there is a CSRF vulnerability that can a ...) NOT-FOR-US: waimai Super Cms CVE-2018-14013 (Synacor Zimbra Collaboration Suite Collaboration before 8.8.11 has XSS ...) NOT-FOR-US: Zimbra CVE-2018-14012 (WolfSight CMS 3.2 allows SQL injection via the PATH_INFO to the defaul ...) NOT-FOR-US: WolfSight CMS CVE-2018-14011 RESERVED CVE-2018-14010 (OS command injection in the guest Wi-Fi settings feature in /cgi-bin/l ...) NOT-FOR-US: Xiaomi CVE-2018-14009 (Codiad through 2.8.4 allows Remote Code Execution, a different vulnera ...) NOT-FOR-US: Codiad CVE-2018-14008 (Arista EOS through 4.21.0F allows a crash because 802.1x authenticatio ...) NOT-FOR-US: Arista EOS CVE-2018-14007 (Citrix XenServer 7.1 and newer allows Directory Traversal. ...) NOT-FOR-US: xapi CVE-2018-14006 (An integer overflow vulnerability exists in the function multipleTrans ...) NOT-FOR-US: Neo Genesis Token (NGT) CVE-2018-14005 (An integer overflow vulnerability exists in the function transferAny o ...) NOT-FOR-US: Malaysia coins (Xmc) CVE-2018-14004 (An integer overflow vulnerability exists in the function transfer_toke ...) NOT-FOR-US: GlobeCoin (GLB) CVE-2018-14003 (An integer overflow vulnerability exists in the function batchTransfer ...) NOT-FOR-US: WeMediaChain (WMC) CVE-2018-14002 (An integer overflow vulnerability exists in the function distribute of ...) NOT-FOR-US: MP3 Coin (MP3) CVE-2018-14001 (An integer overflow vulnerability exists in the function batchTransfer ...) NOT-FOR-US: SHARKTECH (SKT) CVE-2018-14000 RESERVED CVE-2018-13999 (Catfish CMS v4.7.9 allows XSS via the admin/Index/write.html editorVal ...) NOT-FOR-US: Catfish CMS CVE-2018-13998 (ClipperCMS 1.3.3 has stored XSS via the Full Name field of (1) Securit ...) NOT-FOR-US: ClipperCMS CVE-2018-13997 (Genann through 2018-07-08 has a SEGV in genann_run in genann.c. ...) NOT-FOR-US: Genann CVE-2018-13996 (Genann through 2018-07-08 has a stack-based buffer over-read in genann ...) NOT-FOR-US: Genann CVE-2018-13995 RESERVED NOT-FOR-US: Phoenix Contact FL switch CVE-2018-13994 (The WebUI of PHOENIX CONTACT FL SWITCH 3xxx, 4xxx, 48xx versions 1.0 t ...) NOT-FOR-US: Phoenix Contact FL switch CVE-2018-13993 (The WebUI of PHOENIX CONTACT FL SWITCH 3xxx, 4xxx, 48xx versions 1.0 t ...) NOT-FOR-US: Phoenix Contact FL switch CVE-2018-13992 (The WebUI of PHOENIX CONTACT FL SWITCH 3xxx, 4xxx, 48xx versions 1.0 t ...) NOT-FOR-US: Phoenix Contact FL switch CVE-2018-13991 (The WebUI of PHOENIX CONTACT FL SWITCH 3xxx, 4xxx, 48xx versions 1.0 t ...) NOT-FOR-US: Phoenix Contact FL switch CVE-2018-13990 (The WebUI of PHOENIX CONTACT FL SWITCH 3xxx, 4xxx, 48xx versions prior ...) NOT-FOR-US: Phoenix Contact FL switch CVE-2018-13989 (Grundig Smart Inter@ctive TV 3.0 devices allow CSRF attacks via a POST ...) NOT-FOR-US: Grundig Smart Inter@ctive TV 3.0 devices CVE-2018-13988 (Poppler through 0.62 contains an out of bounds read vulnerability due ...) {DLA-1562-1} - poppler 0.69.0-2 (low; bug #904922) [stretch] - poppler (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1602838 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=004e3c10df0abda214f0c293f9e269fdd979c5ee (poppler-0.67.0) CVE-2018-13987 RESERVED CVE-2018-13986 RESERVED CVE-2018-13985 RESERVED CVE-2018-13984 RESERVED CVE-2018-13983 (ImpressCMS 1.3.10 has XSS via the PATH_INFO to htdocs/install/index.ph ...) NOT-FOR-US: ImpressCMS CVE-2018-13982 (Smarty_Security::isTrustedResourceDir() in Smarty before 3.1.33 is pro ...) - smarty3 3.1.33+20180830.1.3a78a21f+selfpack1-1 [stretch] - smarty3 (Minor issue; can be fixed via point release) [jessie] - smarty3 (vulnerable code not present) NOTE: https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe NOTE: https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8 NOTE: https://github.com/smarty-php/smarty/commit/2e081a51b1effddb23f87952959139ac62654d50 NOTE: https://github.com/smarty-php/smarty/commit/c9dbe1d08c081912d02bd851d1d1b6388f6133d1 NOTE: https://www.openwall.com/lists/oss-security/2018/09/17/4 NOTE: https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180420-01_Smarty_Path_Traversal NOTE: CVE is about the fetch tag as an attack vector. NOTE: vulnerable code introduced in realpath() rewrite (c09b05cbe) released in 3.1.28 CVE-2018-13981 (The websites that were built from Zeta Producer Desktop CMS before 14. ...) NOT-FOR-US: Zeta Producer Desktop CMS CVE-2018-13980 (The websites that were built from Zeta Producer Desktop CMS before 14. ...) NOT-FOR-US: Zeta Producer Desktop CMS CVE-2018-13979 RESERVED CVE-2018-13978 RESERVED CVE-2018-13977 RESERVED CVE-2018-13976 RESERVED CVE-2018-13975 RESERVED CVE-2018-13974 RESERVED CVE-2018-13973 RESERVED CVE-2018-13972 RESERVED CVE-2018-13971 RESERVED CVE-2018-13970 RESERVED CVE-2018-13969 RESERVED CVE-2018-13968 RESERVED CVE-2018-13967 RESERVED CVE-2018-13966 RESERVED CVE-2018-13965 RESERVED CVE-2018-13964 RESERVED CVE-2018-13963 RESERVED CVE-2018-13962 RESERVED CVE-2018-13961 RESERVED CVE-2018-13960 RESERVED CVE-2018-13959 RESERVED CVE-2018-13958 RESERVED CVE-2018-13957 RESERVED CVE-2018-13956 RESERVED CVE-2018-13955 RESERVED CVE-2018-13954 RESERVED CVE-2018-13953 RESERVED CVE-2018-13952 RESERVED CVE-2018-13951 RESERVED CVE-2018-13950 RESERVED CVE-2018-13949 RESERVED CVE-2018-13948 RESERVED CVE-2018-13947 RESERVED CVE-2018-13946 RESERVED CVE-2018-13945 RESERVED CVE-2018-13944 RESERVED CVE-2018-13943 RESERVED CVE-2018-13942 RESERVED CVE-2018-13941 RESERVED CVE-2018-13940 RESERVED CVE-2018-13939 RESERVED CVE-2018-13938 RESERVED CVE-2018-13937 RESERVED CVE-2018-13936 RESERVED CVE-2018-13935 RESERVED CVE-2018-13934 RESERVED CVE-2018-13933 RESERVED CVE-2018-13932 RESERVED CVE-2018-13931 RESERVED CVE-2018-13930 RESERVED CVE-2018-13929 RESERVED CVE-2018-13928 RESERVED CVE-2018-13927 (Debug policy with invalid signature can be loaded when the debug polic ...) NOT-FOR-US: Snapdragon CVE-2018-13926 RESERVED CVE-2018-13925 (Error in parsing PMT table frees the memory allocated for the map sect ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-13924 (Lack of check to prevent the buffer length taking negative values can ...) NOT-FOR-US: Snapdragon CVE-2018-13923 RESERVED CVE-2018-13922 RESERVED CVE-2018-13921 RESERVED CVE-2018-13920 (Use-after-free condition due to Improper handling of hrtimers when the ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-13919 (Use-after-free vulnerability will occur if reset of the routing table ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-13918 (kernel could return a received message length higher than expected, wh ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-13917 RESERVED NOT-FOR-US: Qualcomm components for Android CVE-2018-13916 (Out-of-bounds memory access in Qurt kernel function when using the ide ...) NOT-FOR-US: Snapdragon CVE-2018-13915 RESERVED CVE-2018-13914 (Lack of input validation for data received from user space can lead to ...) NOT-FOR-US: CodeAurora components for Android CVE-2018-13913 (Improper validation of array index can lead to unauthorized access whi ...) NOT-FOR-US: CodeAurora components for Android CVE-2018-13912 (Arbitrary write issue can occur when user provides kernel address in c ...) NOT-FOR-US: CodeAurora components for Android CVE-2018-13911 (Out of bounds memory read and access may lead to unexpected behavior i ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-13910 (Out-of-Bounds access in TZ due to invalid index calculated to check ag ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-13909 (Metadata verification and partial hash system calls by bootloader may ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-13908 (Truncated access authentication token leads to weakened access control ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-13907 (While deserializing any key blob during key operations, buffer overflo ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-13906 (The HMAC authenticating the message from QSEE is vulnerable to timing ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-13905 (KGSL syncsource lock not handled properly during syncsource cleanup ca ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-13904 (Improper input validation in SCM handler to access storage in TZ can l ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-13903 RESERVED CVE-2018-13902 (Out of bounds memory read and access due to improper array index valid ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-13901 (Due to missing permissions in Android Manifest file, Sensitive informa ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-13900 (Use-after-free vulnerability will occur as there is no protection for ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-13899 (Processing messages after error may result in user after free memory f ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-13898 (Out-of-Bounds write due to incorrect array index check in PMIC in Snap ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-13897 (Clients hostname gets added to DNS record on device which is running d ...) NOT-FOR-US: Snapdragon CVE-2018-13896 (XBL_SEC image authentication and other crypto related validations are ...) NOT-FOR-US: Snapdragon CVE-2018-13895 (Due to the missing permissions on several content providers of the RCS ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-13894 RESERVED CVE-2018-13893 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: CodeAurora components for Android CVE-2018-13892 RESERVED CVE-2018-13891 RESERVED CVE-2018-13890 RESERVED CVE-2018-13889 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: CodeAurora components for Android CVE-2018-13888 (There is potential for memory corruption in the RIL daemon due to de r ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-13887 (Untrusted header fields in GNSS XTRA3 function can lead to integer ove ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-13886 (Unchecked OTA field in GNSS XTRA3 lead to integer overflow and then bu ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-13885 (Possible memory overread may be lead to access of sensitive data in Sn ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-13884 REJECTED CVE-2018-13883 RESERVED CVE-2018-13882 RESERVED CVE-2018-13881 RESERVED CVE-2018-13880 RESERVED CVE-2018-13879 (A reflected XSS issue was discovered in the registration form in Rocke ...) NOT-FOR-US: Rocket.Chat CVE-2018-13878 (An XSS issue was discovered in packages/rocketchat-mentions/Mentions.j ...) NOT-FOR-US: Rocket.Chat CVE-2018-13877 (The doPayouts() function of the smart contract implementation for Mega ...) NOT-FOR-US: MegaCryptoPolis CVE-2018-13876 (An issue was discovered in the HDF HDF5 1.8.20 library. There is a sta ...) - hdf5 NOTE: https://github.com/TeamSeri0us/pocs/tree/master/hdf5 CVE-2018-13875 (An issue was discovered in the HDF HDF5 1.8.20 library. There is an ou ...) - hdf5 NOTE: https://github.com/TeamSeri0us/pocs/tree/master/hdf5 CVE-2018-13874 (An issue was discovered in the HDF HDF5 1.8.20 library. There is a sta ...) - hdf5 NOTE: https://github.com/TeamSeri0us/pocs/tree/master/hdf5 CVE-2018-13873 (An issue was discovered in the HDF HDF5 1.8.20 library. There is a buf ...) - hdf5 NOTE: https://github.com/TeamSeri0us/pocs/tree/master/hdf5 CVE-2018-13872 (An issue was discovered in the HDF HDF5 1.8.20 library. There is a hea ...) - hdf5 NOTE: https://github.com/TeamSeri0us/pocs/tree/master/hdf5 CVE-2018-13871 (An issue was discovered in the HDF HDF5 1.8.20 library. There is a hea ...) - hdf5 NOTE: https://github.com/TeamSeri0us/pocs/tree/master/hdf5 CVE-2018-13870 (An issue was discovered in the HDF HDF5 1.8.20 library. There is a hea ...) - hdf5 NOTE: https://github.com/TeamSeri0us/pocs/tree/master/hdf5 CVE-2018-13869 (An issue was discovered in the HDF HDF5 1.8.20 library. There is a mem ...) - hdf5 NOTE: https://github.com/TeamSeri0us/pocs/tree/master/hdf5 CVE-2018-13868 (An issue was discovered in the HDF HDF5 1.8.20 library. There is a hea ...) - hdf5 NOTE: https://github.com/TeamSeri0us/pocs/tree/master/hdf5 CVE-2018-13867 (An issue was discovered in the HDF HDF5 1.8.20 library. There is an ou ...) - hdf5 NOTE: https://github.com/TeamSeri0us/pocs/tree/master/hdf5 CVE-2018-13866 (An issue was discovered in the HDF HDF5 1.8.20 library. There is a sta ...) - hdf5 NOTE: https://github.com/TeamSeri0us/pocs/tree/master/hdf5 CVE-2018-13865 (An issue was discovered in idreamsoft iCMS 7.0.9. XSS exists via the c ...) NOT-FOR-US: idreamsoft iCMS CVE-2018-13864 (A directory traversal vulnerability has been found in the Assets contr ...) NOT-FOR-US: Play Framework CVE-2018-13862 (Touchpad / Trivum WebTouch Setup V9 V2.53 build 13163 of Apr 6 2018 09 ...) NOT-FOR-US: Touchpad / Trivum WebTouch Setup CVE-2018-13861 (Touchpad / Trivum WebTouch Setup V9 V2.53 build 13163 of Apr 6 2018 09 ...) NOT-FOR-US: Touchpad / Trivum WebTouch Setup CVE-2018-13860 (MusicCenter / Trivum Multiroom Setup Tool V8.76 - SNR 8604.26 - C4 Pro ...) NOT-FOR-US: MusicCenter / Trivum Multiroom Setup CVE-2018-13859 (MusicCenter / Trivum Multiroom Setup Tool V8.76 - SNR 8604.26 - C4 Pro ...) NOT-FOR-US: MusicCenter / Trivum Multiroom Setup CVE-2018-13858 (MusicCenter / Trivum Multiroom Setup Tool V8.76 - SNR 8604.26 - C4 Pro ...) NOT-FOR-US: MusicCenter / Trivum Multiroom Setup CVE-2018-13863 (The MongoDB bson JavaScript module (also known as js-bson) versions 0. ...) - node-mongodb 3.1.10+~3.1.9-1 NOTE: https://github.com/mongodb/js-bson/commit/bd61c45157c53a1698ff23770160cf4783e9ea4a (1.0.5) CVE-2018-13857 RESERVED CVE-2018-13856 RESERVED CVE-2018-13855 RESERVED CVE-2018-13854 RESERVED CVE-2018-13853 RESERVED CVE-2018-13852 RESERVED CVE-2018-13851 RESERVED CVE-2018-13850 (The "Firebase Cloud Messaging (FCM) + Advance Admin Panel" component s ...) NOT-FOR-US: Firebase Cloud Messaging CVE-2018-13849 (edit_requests.php in yTakkar Instagram-clone through 2018-04-23 has XS ...) NOT-FOR-US: yTakkar Instagram-clone CVE-2018-13848 (An issue has been found in Bento4 1.5.1-624. It is a SEGV in AP4_StszA ...) NOT-FOR-US: Bento4 CVE-2018-13847 (An issue has been found in Bento4 1.5.1-624. It is a SEGV in AP4_StcoA ...) NOT-FOR-US: Bento4 CVE-2018-13846 (An issue has been found in Bento4 1.5.1-624. AP4_Mpeg2TsVideoSampleStr ...) NOT-FOR-US: Bento4 CVE-2018-13845 (An issue has been found in HTSlib 1.8. It is a buffer over-read in sam ...) - htslib 1.9-2 (low) [stretch] - htslib (Minor issue) [jessie] - htslib (Minor issue) NOTE: https://github.com/samtools/htslib/issues/731#issuecomment-403681105 CVE-2018-13844 (An issue has been found in HTSlib 1.8. It is a memory leak in fai_read ...) - htslib 1.9-2 (low) [stretch] - htslib (Minor issue) [jessie] - htslib (Minor issue) NOTE: https://github.com/samtools/htslib/issues/731#issuecomment-403675330 CVE-2018-13843 (** DISPUTED ** An issue has been found in HTSlib 1.8. It is a memory l ...) - htslib 1.9-2 (low) [stretch] - htslib (Minor issue) [jessie] - htslib (Minor issue) NOTE: https://github.com/samtools/htslib/issues/731#issue-339662537 CVE-2018-13842 RESERVED CVE-2018-13841 RESERVED CVE-2018-13840 RESERVED CVE-2018-13839 RESERVED CVE-2018-13838 RESERVED CVE-2018-13837 RESERVED CVE-2018-13836 (An integer overflow vulnerability exists in the function multiTransfer ...) NOT-FOR-US: Rocket Coin (XRC) CVE-2018-13835 RESERVED CVE-2018-13834 RESERVED CVE-2018-13833 (An issue was discovered in cmft through 2017-09-24. The cmft::rwReadFi ...) NOT-FOR-US: cmft CVE-2018-13832 (Multiple Persistent cross-site scripting (XSS) issues in the Techotron ...) NOT-FOR-US: Techotronic all-in-one-favicon (aka All In One Favicon) plugin for WordPress CVE-2018-13831 RESERVED CVE-2018-13830 RESERVED CVE-2018-13829 REJECTED CVE-2018-13828 REJECTED CVE-2018-13827 REJECTED CVE-2018-13826 (An XML external entity vulnerability in the XOG functionality, in CA P ...) NOT-FOR-US: CA PPM CVE-2018-13825 (Insufficient input validation in the gridExcelExport functionality, in ...) NOT-FOR-US: CA PPM CVE-2018-13824 (Insufficient input sanitization of two parameters in CA PPM 14.3 and b ...) NOT-FOR-US: CA PPM CVE-2018-13823 (An XML external entity vulnerability in the XOG functionality, in CA P ...) NOT-FOR-US: CA PPM CVE-2018-13822 (Unprotected storage of credentials in CA PPM 14.3 and below, 14.4, 15. ...) NOT-FOR-US: CA PPM CVE-2018-13821 (A lack of authentication, in CA Unified Infrastructure Management 8.5. ...) NOT-FOR-US: CA Unified Infrastructure Management CVE-2018-13820 (A hardcoded passphrase, in CA Unified Infrastructure Management 8.5.1, ...) NOT-FOR-US: CA Unified Infrastructure Management CVE-2018-13819 (A hardcoded secret key, in CA Unified Infrastructure Management 8.5.1, ...) NOT-FOR-US: CA Unified Infrastructure Management CVE-2018-13818 (** DISPUTED ** Twig before 2.4.4 allows Server-Side Template Injection ...) - twig 2.4.4-2 (unimportant) NOTE: Fixed upstream in 2.4.4 NOTE: Vendor of Twig disputes issue as Twig itself is not a web application and NOTE: it is the repsonsibility of the web applications using Twig to properly wrap NOTE: input to it. CVE-2018-13817 REJECTED CVE-2018-13816 (A vulnerability has been identified in TIM 1531 IRC (All version < ...) NOT-FOR-US: Siemens TIM 1531 IRC Modules CVE-2018-13815 (A vulnerability has been identified in SIMATIC S7-1200 (All versions), ...) NOT-FOR-US: Siemens CVE-2018-13814 (A vulnerability has been identified in SIMATIC HMI Comfort Panels 4" - ...) NOT-FOR-US: Siemens CVE-2018-13813 (A vulnerability has been identified in SIMATIC HMI Comfort Panels 4" - ...) NOT-FOR-US: Siemens CVE-2018-13812 (A vulnerability has been identified in SIMATIC HMI Comfort Panels 4" - ...) NOT-FOR-US: Siemens CVE-2018-13811 (A vulnerability has been identified in SIMATIC STEP 7 (TIA Portal) (Al ...) NOT-FOR-US: Siemens CVE-2018-13810 (A vulnerability has been identified in CP 1604 (All versions), CP 1616 ...) NOT-FOR-US: Siemens CVE-2018-13809 (A vulnerability has been identified in CP 1604 (All versions), CP 1616 ...) NOT-FOR-US: Siemens CVE-2018-13808 (A vulnerability has been identified in CP 1604 (All versions), CP 1616 ...) NOT-FOR-US: Siemens CVE-2018-13807 (A vulnerability has been identified in SCALANCE X300 (All versions < ...) NOT-FOR-US: Siemens CVE-2018-13806 (A vulnerability has been identified in SIEMENS TD Keypad Designer (All ...) NOT-FOR-US: Siemens CVE-2018-13805 (A vulnerability has been identified in SIMATIC ET 200SP Open Controlle ...) NOT-FOR-US: SIMATIC CVE-2018-13804 (A vulnerability has been identified in SIMATIC IT LMS (All versions), ...) NOT-FOR-US: Siemens CVE-2018-13803 REJECTED CVE-2018-13802 (A vulnerability has been identified in ROX II (All versions < V2.12 ...) NOT-FOR-US: Siemens / ROX II CVE-2018-13801 (A vulnerability has been identified in ROX II (All versions < V2.12 ...) NOT-FOR-US: Siemens / ROX II CVE-2018-13800 (A vulnerability has been identified in SIMATIC S7-1200 CPU family vers ...) NOT-FOR-US: SIMATIC CVE-2018-13799 (A vulnerability has been identified in SIMATIC WinCC OA V3.14 and prio ...) NOT-FOR-US: SIMATIC CVE-2018-13798 (A vulnerability has been identified in SICAM A8000 CP-8000 (All versio ...) NOT-FOR-US: Siemens CVE-2018-13796 (An issue was discovered in GNU Mailman before 2.1.28. A crafted URL ca ...) {DLA-1442-1} - mailman 1:2.1.27-1.1 (bug #903674) [stretch] - mailman 1:2.1.23-1+deb9u4 NOTE: Fixed in 2.1.28; Regression fix in 2.1.29 NOTE: https://mail.python.org/pipermail/mailman-users/2018-July/083536.html NOTE: https://bugs.launchpad.net/mailman/+bug/1780874 NOTE: https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1796 NOTE: Needs as well a further regression fix as per NOTE: https://bugs.launchpad.net/mailman/+bug/1783417 NOTE: https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1798 CVE-2016-10726 (The XMLUI feature in DSpace before 3.6, 4.x before 4.5, and 5.x before ...) NOT-FOR-US: DSpave CVE-2018-13797 (The macaddress module before 0.2.9 for Node.js is prone to an arbitrar ...) - node-macaddress 0.2.9-1 (unimportant) NOTE: https://github.com/scravy/node-macaddress/pull/20 NOTE: nodejs not covered by security support CVE-2018-13795 (Gravity before 0.5.1 does not support a maximum recursion depth. ...) NOT-FOR-US: Gravity CVE-2018-13794 (A heap-based buffer overflow exists in stbi__bmp_load_cont in stb_imag ...) - catimg 2.5.0-1 (bug #903711) NOTE: https://github.com/posva/catimg/issues/34 NOTE: Upstream fixed the issue by updating the stb_image copy to v2.19. NOTE: https://github.com/posva/catimg/pull/41 CVE-2018-13793 (Multiple Cross Site Request Forgery (CSRF) vulnerabilities in the HTTP ...) NOT-FOR-US: ABBYY FlexiCapture CVE-2018-13792 (Multiple SQL injection vulnerabilities in the monitoring feature in th ...) NOT-FOR-US: ABBYY FlexiCapture CVE-2018-13791 (The HTTP API in ABBYY FlexiCapture before 12 Release 1 Update 7 allows ...) NOT-FOR-US: ABBYY FlexiCapture CVE-2018-13790 (A Server Side Request Forgery (SSRF) vulnerability in tools/files/impo ...) NOT-FOR-US: concrete5 CVE-2018-13789 (An issue was discovered in Descor Infocad FM before 3.1.0.0. An unauth ...) NOT-FOR-US: Descor Infocad FM CVE-2018-13788 RESERVED CVE-2018-1000623 (JFrog JFrog Artifactory version Prior to version 6.0.3, since version ...) NOT-FOR-US: JFrog JFrog Artifactory CVE-2018-1000621 (Mycroft AI mycroft-core version 18.2.8b and earlier contains a Incorre ...) NOT-FOR-US: Mycroft AI mycroft-core CVE-2018-1000620 (Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insuff ...) NOT-FOR-US: Eran Hammer cryptiles CVE-2018-1000619 (Ovidentia version 8.4.3 and earlier contains a Unsanitized User Input ...) NOT-FOR-US: Ovidentia CVE-2018-1000618 (EOSIO/eos eos version after commit f1545dd0ae2b77580c2236fdb70ae7138d2 ...) NOT-FOR-US: EOSIO/eos CVE-2018-1000617 (Atlassian Floodlight Atlassian Floodlight Controller version 1.2 and e ...) NOT-FOR-US: Atlassian Floodlight Atlassian Floodlight Controller CVE-2018-1000616 (ONOS ONOS controller version 1.13.1 and earlier contains a XML Externa ...) NOT-FOR-US: ONOS CVE-2018-1000615 (ONOS ONOS Controller version 1.13.1 and earlier contains a Denial of S ...) NOT-FOR-US: ONOS CVE-2018-1000614 (ONOS ONOS Controller version 1.13.1 and earlier contains a XML Externa ...) NOT-FOR-US: ONOS CVE-2018-1000613 (Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptogra ...) - bouncycastle 1.60-1 (low) [stretch] - bouncycastle (XMSS/XMSS^MT algorithms were first introduced in BC >= 1.57) [jessie] - bouncycastle (XMSS/XMSS^MT algorithms were first introduced in BC >= 1.57) NOTE: https://github.com/bcgit/bc-java/commit/4092ede58da51af9a21e4825fbad0d9a3ef5a223#diff-2c06e2edef41db889ee14899e12bd574 NOTE: https://github.com/bcgit/bc-java/commit/cd98322b171b15b3f88c5ec871175147893c31e6#diff-148a6c098af0199192d6aede960f45dc CVE-2018-1000611 (SURFnet OpenConext EngineBlock version 5.7.0 to 5.7.3 contains a Cross ...) NOT-FOR-US: SURFnet OpenConext EngineBlock CVE-2018-1000622 (The Rust Programming Language rustdoc version Between 0.8 and 1.27.0 c ...) - rustc 1.27.1+dfsg1-1~exp1 [stretch] - rustc (Minor issue, can be fixed along in future rustc update for ESR69) [jessie] - rustc (Minor issue) NOTE: https://groups.google.com/forum/#!topic/rustlang-security-announcements/4ybxYLTtXuM CVE-2018-13787 (Certain Supermicro X11S, X10, X9, X8SI, K1SP, C9X299, C7, B1, A2, and ...) NOT-FOR-US: Supermicro CVE-2018-13786 RESERVED CVE-2018-13785 (In libpng 1.6.34, a wrong calculation of row_factor in the png_check_c ...) - libpng1.6 1.6.34-2 (bug #903430) [stretch] - libpng1.6 (Issue with wrong calculation of row_factor introduced after 1.6.32beta08) NOTE: https://github.com/glennrp/libpng/commit/8a05766cb74af05c04c53e6c9d60c13fc4d59bf2 NOTE: https://sourceforge.net/p/libpng/bugs/278/ CVE-2018-13784 (PrestaShop before 1.6.1.20 and 1.7.x before 1.7.3.4 mishandles cookie ...) NOT-FOR-US: PrestaShop CVE-2018-1000612 REJECTED CVE-2018-13783 (The mintToken function of a smart contract implementation for JiucaiTo ...) NOT-FOR-US: smart contract implementation for JiucaiToken CVE-2018-13782 (The mintToken function of a smart contract implementation for ENTER (E ...) NOT-FOR-US: smart contract implementation for ENTER (ENTR) (Contract Name: EnterCoin) CVE-2018-13781 (The mintToken function of a smart contract implementation for MyYLC, a ...) NOT-FOR-US: smart contract implementation for MyYLC CVE-2018-13780 (The mintToken function of a smart contract implementation for ESH, an ...) NOT-FOR-US: smart contract implementation for ESH CVE-2018-13779 (The mintToken function of a smart contract implementation for YLCToken ...) NOT-FOR-US: smart contract implementation for YLCToken CVE-2018-13778 (The mintToken function of a smart contract implementation for CGCToken ...) NOT-FOR-US: smart contract implementation for CGCToken CVE-2018-13777 (The mintToken function of a smart contract implementation for RRToken, ...) NOT-FOR-US: smart contract implementation for RRToken CVE-2018-13776 (The mintToken function of a smart contract implementation for AppleTok ...) NOT-FOR-US: smart contract implementation for AppleToken CVE-2018-13775 (The mintToken function of a smart contract implementation for RCKT_Coi ...) NOT-FOR-US: smart contract implementation for RCKT_Coin CVE-2018-13774 (The mintToken function of a smart contract implementation for Bitstart ...) NOT-FOR-US: smart contract implementation for Bitstarti CVE-2018-13773 (The mintToken function of a smart contract implementation for Enterpri ...) NOT-FOR-US: smart contract implementation for Enterprise Token Ecosystem (ETE) (Contract Name: NetkillerToken) CVE-2018-13772 (The mintToken function of a smart contract implementation for TheFlash ...) NOT-FOR-US: smart contract implementation for TheFlashToken CVE-2018-13771 (The mintToken function of a smart contract implementation for ExacoreC ...) NOT-FOR-US: smart contract implementation for ExacoreContract CVE-2018-13770 (The mintToken function of a smart contract implementation for Ultimate ...) NOT-FOR-US: smart contract implementation for UltimateCoin CVE-2018-13769 (The mintToken function of a smart contract implementation for JeansTok ...) NOT-FOR-US: smart contract implementation for JeansToken CVE-2018-13768 (The mintToken function of a smart contract implementation for ZToken, ...) NOT-FOR-US: smart contract implementation for ZToken CVE-2018-13767 (The mintToken function of a smart contract implementation for Cornerst ...) NOT-FOR-US: smart contract implementation for Cornerstone CVE-2018-13766 (The mintToken function of a smart contract implementation for Easticoi ...) NOT-FOR-US: smart contract implementation for Easticoin CVE-2018-13765 (The mintToken function of a smart contract implementation for LandCoin ...) NOT-FOR-US: smart contract implementation for LandCoin CVE-2018-13764 (The mintToken function of a smart contract implementation for BiquToke ...) NOT-FOR-US: smart contract implementation for BiquToken CVE-2018-13763 (The mintToken function of a smart contract implementation for Ublasti, ...) NOT-FOR-US: smart contract implementation for Ublasti CVE-2018-13762 (The mintToken function of a smart contract implementation for Yumerium ...) NOT-FOR-US: smart contract implementation for Yumerium CVE-2018-13761 (The mintToken function of a smart contract implementation for Netkille ...) NOT-FOR-US: smart contract implementation for NetkillerAdvancedTokenAirDrop CVE-2018-13760 (The mintToken function of a smart contract implementation for MoneyCha ...) NOT-FOR-US: smart contract implementation for MoneyChainNet (MCN) CVE-2018-13759 (The mintToken function of a smart contract implementation for BIGCAdva ...) NOT-FOR-US: smart contract implementation for BIGCAdvancedToken CVE-2018-13758 (The mintToken function of a smart contract implementation for LoliCoin ...) NOT-FOR-US: smart contract implementation for LoliCoin CVE-2018-13757 (The mintToken function of a smart contract implementation for Coinquer ...) NOT-FOR-US: smart contract implementation for Coinquer CVE-2018-13756 (The mintToken function of a smart contract implementation for CherryCo ...) NOT-FOR-US: smart contract implementation for CherryCoinFoundation CVE-2018-13755 (The mintToken function of a smart contract implementation for OTAKUTok ...) NOT-FOR-US: smart contract implementation for OTAKUToken CVE-2018-13754 (The mintToken function of a smart contract implementation for Cryptosi ...) NOT-FOR-US: smart contract implementation for CryptosisToken CVE-2018-13753 (The mintToken function of a smart contract implementation for DeWeiSec ...) NOT-FOR-US: smart contract implementation for DeWeiSecurityServiceToken CVE-2018-13752 (The mintToken function of a smart contract implementation for Thread, ...) NOT-FOR-US: smart contract implementation for Thread CVE-2018-13751 (The mintToken function of a smart contract implementation for JustWall ...) NOT-FOR-US: smart contract implementation for JustWallet CVE-2018-13750 (The mintToken function of a smart contract implementation for RichiumT ...) NOT-FOR-US: smart contract implementation for RichiumToken CVE-2018-13749 (The mintToken function of a smart contract implementation for FinalTok ...) NOT-FOR-US: smart contract implementation for FinalToken CVE-2018-13748 (The mintToken function of a smart contract implementation for CarToken ...) NOT-FOR-US: smart contract implementation for CarToken CVE-2018-13747 (The mintToken function of a smart contract implementation for VanMinhC ...) NOT-FOR-US: smart contract implementation for VanMinhCoin CVE-2018-13746 (The mintToken function of a smart contract implementation for kBit, an ...) NOT-FOR-US: smart contract implementation for kBit CVE-2018-13745 (The mintToken function of a smart contract implementation for STCToken ...) NOT-FOR-US: smart contract implementation for STCToken CVE-2018-13744 (The mintToken function of a smart contract implementation for Crowdnex ...) NOT-FOR-US: smart contract implementation for Crowdnext (CNX) CVE-2018-13743 (The mintToken function of a smart contract implementation for SuperEne ...) NOT-FOR-US: smart contract implementation for SuperEnergy (SEC) CVE-2018-13742 (The mintToken function of a smart contract implementation for tickets ...) NOT-FOR-US: smart contract implementation for tickets (TKT) CVE-2018-13741 (The mintToken function of a smart contract implementation for ABLGenes ...) NOT-FOR-US: smart contract implementation for ABLGenesisToken CVE-2018-13740 (The mintToken function of a smart contract implementation for OneChain ...) NOT-FOR-US: smart contract implementation for OneChain CVE-2018-13739 (The mintToken function of a smart contract implementation for dopnetwo ...) NOT-FOR-US: smart contract implementation for dopnetwork CVE-2018-13738 (The mintToken function of a smart contract implementation for PELOCoin ...) NOT-FOR-US: smart contract implementation for PELOCoinToken CVE-2018-13737 (The mintToken function of a smart contract implementation for AnovaBac ...) NOT-FOR-US: smart contract implementation for AnovaBace CVE-2018-13736 (The mintToken function of a smart contract implementation for ELearnin ...) NOT-FOR-US: smart contract implementation for ELearningCoinERC CVE-2018-13735 (The mintToken function of a smart contract implementation for ENTER (E ...) NOT-FOR-US: smart contract implementation for ENTER (ENTR) (Contract Name: EnterToken) CVE-2018-13734 (The mintToken function of a smart contract implementation for AZTToken ...) NOT-FOR-US: smart contract implementation for AZTToken CVE-2018-13733 (The mintToken function of a smart contract implementation for ProjectJ ...) NOT-FOR-US: smart contract implementation for ProjectJ CVE-2018-13732 (The mintToken function of a smart contract implementation for RiptideC ...) NOT-FOR-US: smart contract implementation for RiptideCoin (RIPT) CVE-2018-13731 (The mintToken function of a smart contract implementation for TokenMAC ...) NOT-FOR-US: smart contract implementation for TokenMACHU CVE-2018-13730 (The mintToken function of a smart contract implementation for HEY, an ...) NOT-FOR-US: smart contract implementation for HEY CVE-2018-13729 (The mintToken function of a smart contract implementation for JPMD100B ...) NOT-FOR-US: smart contract implementation for JPMD100B CVE-2018-13728 (The mintToken function of a smart contract implementation for JixoCoin ...) NOT-FOR-US: smart contract implementation for JixoCoin CVE-2018-13727 (The mintToken function of a smart contract implementation for Eastcoin ...) NOT-FOR-US: smart contract implementation for Eastcoin CVE-2018-13726 (The mintToken function of a smart contract implementation for ISeeVoic ...) NOT-FOR-US: smart contract implementation for ISeeVoiceToken CVE-2018-13725 (The mintToken function of a smart contract implementation for GlobalSu ...) NOT-FOR-US: smart contract implementation for GlobalSuperGameToken CVE-2018-13724 (The mint function of a smart contract implementation for HYIPCrowdsale ...) NOT-FOR-US: smart contract implementation for HYIPCrowdsale1 CVE-2018-13723 (The mintToken function of a smart contract implementation for SERVVIZI ...) NOT-FOR-US: smart contract implementation for SERVVIZIOToken CVE-2018-13722 (The mint function of a smart contract implementation for HYIPToken, an ...) NOT-FOR-US: smart contract implementation for HYIPToken CVE-2018-13721 (The mintToken function of a smart contract implementation for GoMineWo ...) NOT-FOR-US: smart contract implementation for GoMineWorld CVE-2018-13720 (The mintToken function of a smart contract implementation for Antoken, ...) NOT-FOR-US: smart contract implementation for Antoken CVE-2018-13719 (The mintToken function of a smart contract implementation for BiteduTo ...) NOT-FOR-US: smart contract implementation for BiteduToken CVE-2018-13718 (The mintToken function of a smart contract implementation for FuturXe, ...) NOT-FOR-US: smart contract implementation for FuturXe CVE-2018-13717 (The mintToken function of a smart contract implementation for Hormitec ...) NOT-FOR-US: smart contract implementation for HormitechToken CVE-2018-13716 (The mintToken function of a smart contract implementation for sexhdsol ...) NOT-FOR-US: smart contract implementation for sexhdsolo CVE-2018-13715 (The mintToken function of a smart contract implementation for BpsToken ...) NOT-FOR-US: smart contract implementation for BpsToken CVE-2018-13714 (The mintToken function of a smart contract implementation for CM, an E ...) NOT-FOR-US: smart contract implementation for CM CVE-2018-13713 (The mintToken function of a smart contract implementation for Tradesma ...) NOT-FOR-US: smart contract implementation for Tradesman CVE-2018-13712 (The mintToken function of a smart contract implementation for PMET, an ...) NOT-FOR-US: smart contract implementation for PMET CVE-2018-13711 (The mintToken function of a smart contract implementation for Databits ...) NOT-FOR-US: smart contract implementation for Databits CVE-2018-13710 (The mintToken function of a smart contract implementation for Mjolnir, ...) NOT-FOR-US: smart contract implementation for Mjolnir CVE-2018-13709 (The mintToken function of a smart contract implementation for Tube, an ...) NOT-FOR-US: smart contract implementation for Tube CVE-2018-13708 (The mintToken function of a smart contract implementation for Order (E ...) NOT-FOR-US: smart contract implementation for Order (ETH) (Contract Name: BuyToken) CVE-2018-13707 (The mintToken function of a smart contract implementation for YSS, an ...) NOT-FOR-US: smart contract implementation for YSS CVE-2018-13706 (The mintToken function of a smart contract implementation for IdeaCoin ...) NOT-FOR-US: smart contract implementation for IdeaCoin CVE-2018-13705 (The mintToken function of a smart contract implementation for PMHToken ...) NOT-FOR-US: smart contract implementation for PMHToken CVE-2018-13704 (The mintToken function of a smart contract implementation for eddToken ...) NOT-FOR-US: smart contract implementation for eddToken CVE-2018-13703 (The mintToken function of a smart contract implementation for CERB_Coi ...) NOT-FOR-US: smart contract implementation for CERB_Coin CVE-2018-13702 (The mintToken function of a smart contract implementation for Essence, ...) NOT-FOR-US: smart contract implementation for Essence CVE-2018-13701 (The mintToken function of a smart contract implementation for KissMe, ...) NOT-FOR-US: smart contract implementation for KissMe CVE-2018-13700 (The mintToken function of a smart contract implementation for IPMCoin, ...) NOT-FOR-US: smart contract implementation for IPMCoin CVE-2018-13699 (The mintToken function of a smart contract implementation for DestiNee ...) NOT-FOR-US: smart contract implementation for DestiNeed (DSN) CVE-2018-13698 (The mintTokens function of a smart contract implementation for Play2Li ...) NOT-FOR-US: smart contract implementation for Play2LivePromo CVE-2018-13697 (The mintToken function of a smart contract implementation for RobotBTC ...) NOT-FOR-US: smart contract implementation for RobotBTC CVE-2018-13696 (The mintToken function of a smart contract implementation for RedTicke ...) NOT-FOR-US: smart contract implementation for RedTicket CVE-2018-13695 (The mint function of a smart contract implementation for CTest7, an Et ...) NOT-FOR-US: smart contract implementation for CTest7 CVE-2018-13694 (The mintToken function of a smart contract implementation for GMile, a ...) NOT-FOR-US: smart contract implementation for GMile CVE-2018-13693 (The mintToken function of a smart contract implementation for GreenEne ...) NOT-FOR-US: smart contract implementation for GreenEnergyToken CVE-2018-13692 (The mintToken function of a smart contract implementation for MehdiTAZ ...) NOT-FOR-US: smart contract implementation for MehdiTAZIToken CVE-2018-13691 (The mintToken function of a smart contract implementation for R Time T ...) NOT-FOR-US: smart contract implementation for R Time Token v3 (RS) (Contract Name: RTokenMain) CVE-2018-13690 (The mintToken function of a smart contract implementation for Instacoc ...) NOT-FOR-US: smart contract implementation for Instacocoa CVE-2018-13689 (The mintToken function of a smart contract implementation for CJXToken ...) NOT-FOR-US: smart contract implementation for CJXToken CVE-2018-13688 (The mintToken function of a smart contract implementation for MallToke ...) NOT-FOR-US: smart contract implementation for MallToken CVE-2018-13687 (The mintToken function of a smart contract implementation for normikai ...) NOT-FOR-US: smart contract implementation for normikaivo CVE-2018-13686 (The mintToken function of a smart contract implementation for ICO Doll ...) NOT-FOR-US: smart contract implementation for ICO Dollar (ICOD) CVE-2018-13685 (The mintToken function of a smart contract implementation for Vornox ( ...) NOT-FOR-US: smart contract implementation for Vornox (VRX) (Contract Name: VornoxCoinToken) CVE-2018-13684 (The mintToken function of a smart contract implementation for ZIP, an ...) NOT-FOR-US: smart contract implementation for ZIP CVE-2018-13683 (The mintToken function of a smart contract implementation for exsulcoi ...) NOT-FOR-US: smart contract implementation for exsulcoin CVE-2018-13682 (The mintToken function of a smart contract implementation for ViteMone ...) NOT-FOR-US: smart contract implementation for ViteMoneyCoin CVE-2018-13681 (The mintToken function of a smart contract implementation for SOSCoin, ...) NOT-FOR-US: smart contract implementation for SOSCoin CVE-2018-13680 (The mintToken function of a smart contract implementation for LexitTok ...) NOT-FOR-US: smart contract implementation for LexitToken CVE-2018-13679 (The mintToken function of a smart contract implementation for ZPEcoin, ...) NOT-FOR-US: smart contract implementation for ZPEcoin CVE-2018-13678 (The mintToken function of a smart contract implementation for Lottery, ...) NOT-FOR-US: smart contract implementation for Lottery CVE-2018-13677 (The mintToken function of a smart contract implementation for Goochain ...) NOT-FOR-US: smart contract implementation for Goochain CVE-2018-13676 (The mintToken function of a smart contract implementation for Orderboo ...) NOT-FOR-US: smart contract implementation for Orderbook Presale Token (OBP) CVE-2018-13675 (The mintToken function of a smart contract implementation for YAMBYO, ...) NOT-FOR-US: smart contract implementation for YAMBYO CVE-2018-13674 (The mintToken function of a smart contract implementation for ComBillA ...) NOT-FOR-US: smart contract implementation for ComBillAdvancedToken CVE-2018-13673 (The mintToken function of a smart contract implementation for GoldToke ...) NOT-FOR-US: smart contract implementation for GoldTokenERC20 CVE-2018-13672 (The mintToken function of a smart contract implementation for OBTCoin, ...) NOT-FOR-US: smart contract implementation for OBTCoin CVE-2018-13671 (The mintToken function of a smart contract implementation for Dinstein ...) NOT-FOR-US: smart contract implementation for DinsteinCoin CVE-2018-13670 (The mintToken function of a smart contract implementation for GFCB, an ...) NOT-FOR-US: smart contract implementation for GFCB CVE-2018-13669 (The mintToken function of a smart contract implementation for NCU, an ...) NOT-FOR-US: smart contract implementation for NCU CVE-2018-13668 (The mintToken function of a smart contract implementation for BTPCoin, ...) NOT-FOR-US: smart contract implementation for BTPCoin CVE-2018-13667 (The mintToken function of a smart contract implementation for UTBToken ...) NOT-FOR-US: smart contract implementation for UTBTokenTest CVE-2018-13666 (The mintToken function of a smart contract implementation for Eristica ...) NOT-FOR-US: smart contract implementation for EristicaICO CVE-2018-13665 (The mintToken function of a smart contract implementation for BCaaS, a ...) NOT-FOR-US: smart contract implementation for BCaaS CVE-2018-13664 (The mintToken function of a smart contract implementation for CWS, an ...) NOT-FOR-US: smart contract implementation for CWS CVE-2018-13663 (The mintToken function of a smart contract implementation for BSCToken ...) NOT-FOR-US: smart contract implementation for BSCToken CVE-2018-13662 (The mintToken function of a smart contract implementation for WorldOpc ...) NOT-FOR-US: smart contract implementation for WorldOpctionChain CVE-2018-13661 (The mintToken function of a smart contract implementation for APP, an ...) NOT-FOR-US: smart contract implementation for APP CVE-2018-13660 (The mint function of a smart contract implementation for BillionReward ...) NOT-FOR-US: smart contract implementation for BillionRewardsToken CVE-2018-13659 (The mintToken function of a smart contract implementation for BrianCoi ...) NOT-FOR-US: smart contract implementation for BrianCoin CVE-2018-13658 (The mintToken function of a smart contract implementation for TheGoDgi ...) NOT-FOR-US: smart contract implementation for TheGoDgital CVE-2018-13657 (The mintToken function of a smart contract implementation for Rice, an ...) NOT-FOR-US: smart contract implementation for Rice CVE-2018-13656 (The mintToken function of a smart contract implementation for Sample T ...) NOT-FOR-US: smart contract implementation for Sample Token (STK) (Contract Name: cashBackMintable) CVE-2018-13655 (The mintToken function of a smart contract implementation for GFC, an ...) NOT-FOR-US: smart contract implementation for GFC CVE-2018-13654 (The mintToken function of a smart contract implementation for ESTSToke ...) NOT-FOR-US: smart contract implementation for ESTSToken CVE-2018-13653 (The mintToken function of a smart contract implementation for ipshoots ...) NOT-FOR-US: smart contract implementation for ipshoots CVE-2018-13652 (The mintToken function of a smart contract implementation for TheGoDig ...) NOT-FOR-US: smart contract implementation for TheGoDigital CVE-2018-13651 (The mintToken function of a smart contract implementation for MicoinNe ...) NOT-FOR-US: smart contract implementation for MicoinNetworkToken CVE-2018-13650 (The mintToken function of a smart contract implementation for Bitmaxer ...) NOT-FOR-US: smart contract implementation for BitmaxerToken CVE-2018-13649 (The mintToken function of a smart contract implementation for Deploy, ...) NOT-FOR-US: smart contract implementation for Deploy CVE-2018-13648 (The mintToken function of a smart contract implementation for BGC, an ...) NOT-FOR-US: smart contract implementation for BGC CVE-2018-13647 (The mintToken function of a smart contract implementation for TrueGold ...) NOT-FOR-US: smart contract implementation for TrueGoldCoinToken CVE-2018-13646 (The mintToken function of a smart contract implementation for Datiac, ...) NOT-FOR-US: smart contract implementation for Datiac CVE-2018-13645 (The mintToken function of a smart contract implementation for Fiocoin, ...) NOT-FOR-US: smart contract implementation for Fiocoin CVE-2018-13644 (The mintToken function of a smart contract implementation for RoyalCla ...) NOT-FOR-US: smart contract implementation for RoyalClassicCoin CVE-2018-13643 (The mintToken function of a smart contract implementation for GCRToken ...) NOT-FOR-US: smart contract implementation for GCRTokenERC20 CVE-2018-13642 (The mintToken function of a smart contract implementation for SECoin, ...) NOT-FOR-US: smart contract implementation for SECoin CVE-2018-13641 (The mintToken function of a smart contract implementation for MVGcoin, ...) NOT-FOR-US: smart contract implementation for MVGcoin CVE-2018-13640 (The mintToken function of a smart contract implementation for Ethereum ...) NOT-FOR-US: smart contract implementation for EthereumSmart CVE-2018-13639 (The mintToken function of a smart contract implementation for Virtual ...) NOT-FOR-US: smart contract implementation for Virtual Energy Units (VEU) (Contract Name: VEU_TokenERC20) CVE-2018-13638 (The mintToken function of a smart contract implementation for Bitpark, ...) NOT-FOR-US: smart contract implementation for Bitpark CVE-2018-13637 (The mintToken function of a smart contract implementation for CikkaCoi ...) NOT-FOR-US: smart contract implementation for CikkaCoin CVE-2018-13636 (The mintToken function of a smart contract implementation for TurdCoin ...) NOT-FOR-US: smart contract implementation for TurdCoin CVE-2018-13635 (The mintToken function of a smart contract implementation for HBCM, an ...) NOT-FOR-US: smart contract implementation for HBCM CVE-2018-13634 (The mintToken function of a smart contract implementation for MediaCub ...) NOT-FOR-US: smart contract implementation for MediaCubeToken CVE-2018-13633 (The mintToken function of a smart contract implementation for Martcoin ...) NOT-FOR-US: smart contract implementation for Martcoin CVE-2018-13632 (The mintToken function of a smart contract implementation for NEXPARA, ...) NOT-FOR-US: smart contract implementation for NEXPARA CVE-2018-13631 (The mintToken function of a smart contract implementation for doccoin, ...) NOT-FOR-US: smart contract implementation for doccoin CVE-2018-13630 (The mintToken function of a smart contract implementation for DoccoinP ...) NOT-FOR-US: smart contract implementation for DoccoinPreICO CVE-2018-13629 (The mintToken function of a smart contract implementation for CrimsonS ...) NOT-FOR-US: smart contract implementation for CrimsonShilling CVE-2018-13628 (The mintToken function of a smart contract implementation for Momentum ...) NOT-FOR-US: smart contract implementation for MomentumToken CVE-2018-13627 (The mintToken function of a smart contract implementation for MyOffer, ...) NOT-FOR-US: smart contract implementation for MyOffer CVE-2018-13626 (The mintToken function of a smart contract implementation for SemainTo ...) NOT-FOR-US: smart contract implementation for SemainToken CVE-2018-13625 (The mintlvlToken function of a smart contract implementation for Krown ...) NOT-FOR-US: smart contract implementation for Krown CVE-2018-13624 (The mintToken function of a smart contract implementation for WXSLToke ...) NOT-FOR-US: smart contract implementation for WXSLToken CVE-2018-13623 (The mintToken function of a smart contract implementation for Airdropp ...) NOT-FOR-US: smart contract implementation for AirdropperCryptics CVE-2018-13622 (The mintToken function of a smart contract implementation for ObjectTo ...) NOT-FOR-US: smart contract implementation for ObjectToken (OBJ) CVE-2018-13621 (The mintToken function of a smart contract implementation for SoundTri ...) NOT-FOR-US: smart contract implementation for SoundTribeToken CVE-2018-13620 (The mintToken function of a smart contract implementation for TripCash ...) NOT-FOR-US: smart contract implementation for TripCash CVE-2018-13619 (The mintToken function of a smart contract implementation for MicoinTo ...) NOT-FOR-US: smart contract implementation for MicoinToken CVE-2018-13618 (The mintToken function of a smart contract implementation for VICETOKE ...) NOT-FOR-US: smart contract implementation for VICETOKEN_ICO_IS_A_SCAM CVE-2018-13617 (The mintToken function of a smart contract implementation for CAPTOZ, ...) NOT-FOR-US: smart contract implementation for CAPTOZ CVE-2018-13616 (The mintToken function of a smart contract implementation for IOCT_Coi ...) NOT-FOR-US: smart contract implementation for IOCT_Coin CVE-2018-13615 (The mintToken function of a smart contract implementation for MJCToken ...) NOT-FOR-US: smart contract implementation for MJCToken CVE-2018-13614 (The mintToken function of a smart contract implementation for MAVCash, ...) NOT-FOR-US: smart contract implementation for MAVCash CVE-2018-13613 (The mintToken function of a smart contract implementation for CON0217, ...) NOT-FOR-US: smart contract implementation for CON0217 CVE-2018-13612 (The mintToken function of a smart contract implementation for Robincoi ...) NOT-FOR-US: smart contract implementation for Robincoin CVE-2018-13611 (The mintToken function of a smart contract implementation for CDcurren ...) NOT-FOR-US: smart contract implementation for CDcurrency CVE-2018-13610 (The mintToken function of a smart contract implementation for Medicayu ...) NOT-FOR-US: smart contract implementation for MedicayunLink CVE-2018-13609 (The mintToken function of a smart contract implementation for CSAToken ...) NOT-FOR-US: smart contract implementation for CSAToken CVE-2018-13608 (The mintToken function of a smart contract implementation for archerco ...) NOT-FOR-US: smart contract implementation for archercoin CVE-2018-13607 (The mintToken function of a smart contract implementation for Residual ...) NOT-FOR-US: smart contract implementation for ResidualShare CVE-2018-13606 (The mintToken function of a smart contract implementation for ARChain, ...) NOT-FOR-US: smart contract implementation for ARChain CVE-2018-13605 (The mintToken function of a smart contract implementation for Extreme ...) NOT-FOR-US: smart contract implementation for Extreme Coin (XT) (Contract Name: ExtremeToken) CVE-2018-13604 (The mintToken function of a smart contract implementation for wellieat ...) NOT-FOR-US: smart contract implementation for wellieat CVE-2018-13603 (The mintToken function of a smart contract implementation for Briant2T ...) NOT-FOR-US: smart contract implementation for Briant2Token CVE-2018-13602 (The mint function of a smart contract implementation for MiningToken, ...) NOT-FOR-US: smart contract implementation for MiningToken CVE-2018-13601 (The mintToken function of a smart contract implementation for Galactic ...) NOT-FOR-US: smart contract implementation for GalacticX CVE-2018-13600 (The mintToken function of a smart contract implementation for AMToken, ...) NOT-FOR-US: smart contract implementation for AMToken CVE-2018-13599 (The mintToken function of a smart contract implementation for Residual ...) NOT-FOR-US: smart contract implementation for ResidualValue CVE-2018-13598 (The mintToken function of a smart contract implementation for SendMe, ...) NOT-FOR-US: smart contract implementation for SendMe CVE-2018-13597 (The mintToken function of a smart contract implementation for testcoin ...) NOT-FOR-US: smart contract implementation for testcoin CVE-2018-13596 (The mintToken function of a smart contract implementation for TESTAhih ...) NOT-FOR-US: smart contract implementation for TESTAhihi CVE-2018-13595 (The mintToken function of a smart contract implementation for BitStore ...) NOT-FOR-US: smart contract implementation for BitStore CVE-2018-13594 (The mintToken function of a smart contract implementation for CardFact ...) NOT-FOR-US: smart contract implementation for CardFactory CVE-2018-13593 (The mintToken function of a smart contract implementation for CardToke ...) NOT-FOR-US: smart contract implementation for CardToken CVE-2018-13592 (The mintToken function of a smart contract implementation for RajTest, ...) NOT-FOR-US: smart contract implementation for RajTest CVE-2018-13591 (The mintToken function of a smart contract implementation for KAPcoin, ...) NOT-FOR-US: smart contract implementation for KAPcoin CVE-2018-13590 (The mintToken function of a smart contract implementation for SIPCOIN, ...) NOT-FOR-US: smart contract implementation for SIPCOIN CVE-2018-13589 (The mintToken function of a smart contract implementation for MooAdvTo ...) NOT-FOR-US: smart contract implementation for MooAdvToken CVE-2018-13588 (The mintToken function of a smart contract implementation for Code47 ( ...) NOT-FOR-US: smart contract implementation for Code47 (C47) CVE-2018-13587 (The mintToken function of a smart contract implementation for DECToken ...) NOT-FOR-US: smart contract implementation for DECToken CVE-2018-13586 (The mintToken function of a smart contract implementation for Nectar ( ...) NOT-FOR-US: smart contract implementation for Nectar (NCTR) CVE-2018-13585 (The mintToken function of a smart contract implementation for CHERRYCO ...) NOT-FOR-US: smart contract implementation for CHERRYCOIN CVE-2018-13584 (The mintToken function of a smart contract implementation for yasudem, ...) NOT-FOR-US: smart contract implementation for yasudem CVE-2018-13583 (The mintToken function of a smart contract implementation for Shmoo, a ...) NOT-FOR-US: smart contract implementation for Shmoo CVE-2018-13582 (The mintToken function of a smart contract implementation for My2Token ...) NOT-FOR-US: smart contract implementation for My2Token CVE-2018-13581 (The mintToken function of a smart contract implementation for TravelCo ...) NOT-FOR-US: smart contract implementation for TravelCoin (TRV) CVE-2018-13580 (The mintToken function of a smart contract implementation for Providen ...) NOT-FOR-US: smart contract implementation for ProvidenceCasino (PVE) CVE-2018-13579 (The mintToken function of a smart contract implementation for ForeverC ...) NOT-FOR-US: smart contract implementation for ForeverCoin CVE-2018-13578 (The mintToken function of a smart contract implementation for GalaxyCo ...) NOT-FOR-US: smart contract implementation for GalaxyCoin CVE-2018-13577 (The mintToken function of a smart contract implementation for ShitCoin ...) NOT-FOR-US: smart contract implementation for ShitCoin (SHITC) (Contract Name: AdvancedShit) CVE-2018-13576 (The mintToken function of a smart contract implementation for Escut (E ...) NOT-FOR-US: smart contract implementation for Escut (ESCT) (Contract Name: JuntsPerCreixer) CVE-2018-13575 (The mintToken function of a smart contract implementation for YESToken ...) NOT-FOR-US: smart contract implementation for YESToken CVE-2018-13574 (The mintToken function of a smart contract implementation for DataShie ...) NOT-FOR-US: smart contract implementation for DataShieldCoin CVE-2018-13573 (The mintToken function of a smart contract implementation for TripPay, ...) NOT-FOR-US: smart contract implementation for TripPay CVE-2018-13572 (The mintToken function of a smart contract implementation for PGM_Coin ...) NOT-FOR-US: smart contract implementation for PGM_Coin CVE-2018-13571 (The mintToken function of a smart contract implementation for GoramCoi ...) NOT-FOR-US: smart contract implementation for GoramCoin CVE-2018-13570 (The mint function of a smart contract implementation for kkTestCoin1 ( ...) NOT-FOR-US: smart contract implementation for kkTestCoin1 (KTC1) CVE-2018-13569 (The mintToken function of a smart contract implementation for HitToken ...) NOT-FOR-US: smart contract implementation for HitToken CVE-2018-13568 (The mintToken function of a smart contract implementation for MktCoin, ...) NOT-FOR-US: smart contract implementation for MktCoin CVE-2018-13567 (The mintToken function of a smart contract implementation for SDR, an ...) NOT-FOR-US: smart contract implementation for SDR CVE-2018-13566 (The mintToken function of a smart contract implementation for RETNToke ...) NOT-FOR-US: smart contract implementation for RETNToken CVE-2018-13565 (The mintToken function of a smart contract implementation for Co2Bit, ...) NOT-FOR-US: smart contract implementation for Co2Bit CVE-2018-13564 (The mintToken function of a smart contract implementation for GATcoin, ...) NOT-FOR-US: smart contract implementation for GATcoin CVE-2018-13563 (The mintToken function of a smart contract implementation for UPayToke ...) NOT-FOR-US: smart contract implementation for UPayToken CVE-2018-13562 (The mintToken function of a smart contract implementation for BMVCoin, ...) NOT-FOR-US: smart contract implementation for BMVCoin CVE-2018-13561 (The mintToken function of a smart contract implementation for YourCoin ...) NOT-FOR-US: smart contract implementation for YourCoin (ICO) (Contract Name: ETH033) CVE-2018-13560 (The mintToken function of a smart contract implementation for KelvinTo ...) NOT-FOR-US: smart contract implementation for KelvinToken CVE-2018-13559 (The mintToken function of a smart contract implementation for UTCT, an ...) NOT-FOR-US: smart contract implementation for UTCT CVE-2018-13558 (The mintToken function of a smart contract implementation for rhovit, ...) NOT-FOR-US: smart contract implementation for rhovit CVE-2018-13557 (The mintToken function of a smart contract implementation for Trabet_C ...) NOT-FOR-US: smart contract implementation for Trabet_Coin CVE-2018-13556 (The mintToken function of a smart contract implementation for COSMOTok ...) NOT-FOR-US: smart contract implementation for COSMOTokenERC20 CVE-2018-13555 (The mintToken function of a smart contract implementation for JaxBox, ...) NOT-FOR-US: smart contract implementation for JaxBox CVE-2018-13554 (The mintToken function of a smart contract implementation for MoneyTre ...) NOT-FOR-US: smart contract implementation for MoneyTree (TREE) CVE-2018-13553 (The mintToken function of a smart contract implementation for Micro BT ...) NOT-FOR-US: smart contract implementation for Micro BTC (MBTC) CVE-2018-13552 (The mintToken function of a smart contract implementation for Trabet_C ...) NOT-FOR-US: smart contract implementation for Trabet_Coin_PreICO CVE-2018-13551 (The mintToken function of a smart contract implementation for Bgamecoi ...) NOT-FOR-US: smart contract implementation for Bgamecoin CVE-2018-13550 (The mintToken function of a smart contract implementation for Coquinho ...) NOT-FOR-US: smart contract implementation for Coquinho Coin (CQNC) (Contract Name: CoquinhoERC20) CVE-2018-13549 (The mintToken function of a smart contract implementation for NeuroTok ...) NOT-FOR-US: smart contract implementation for NeuroToken CVE-2018-13548 (The mintToken function of a smart contract implementation for Mimicoin ...) NOT-FOR-US: smart contract implementation for Mimicoin CVE-2018-13547 (The mintToken function of a smart contract implementation for Providen ...) NOT-FOR-US: smart contract implementation for Providence Crypto Casino (PVE) (Contract Name: ProvidenceCasinoToken) CVE-2018-13546 (The mintToken function of a smart contract implementation for CCASH, a ...) NOT-FOR-US: smart contract implementation for CCASH CVE-2018-13545 (The mintToken function of a smart contract implementation for HashShie ...) NOT-FOR-US: smart contract implementation for HashShield CVE-2018-13544 (The mintToken function of a smart contract implementation for Numisma, ...) NOT-FOR-US: smart contract implementation for Numisma CVE-2018-13543 (The mintToken function of a smart contract implementation for Gemstone ...) NOT-FOR-US: smart contract implementation for GemstoneToken CVE-2018-13542 (The mintToken function of a smart contract implementation for ZIBToken ...) NOT-FOR-US: smart contract implementation for ZIBToken CVE-2018-13541 (The mintToken function of a smart contract implementation for CryptoLe ...) NOT-FOR-US: smart contract implementation for CryptoLeu CVE-2018-13540 (The mintToken function of a smart contract implementation for GSI, an ...) NOT-FOR-US: smart contract implementation for GSI CVE-2018-13539 (The mintToken function of a smart contract implementation for Bcxss, a ...) NOT-FOR-US: smart contract implementation for Bcxss CVE-2018-13538 (The mintToken function of a smart contract implementation for SIPCToke ...) NOT-FOR-US: smart contract implementation for SIPCToken CVE-2018-13537 (The mintToken function of a smart contract implementation for Ethereum ...) NOT-FOR-US: smart contract implementation for EthereumLegit CVE-2018-13536 (The mintToken function of a smart contract implementation for ERC20_IC ...) NOT-FOR-US: smart contract implementation for ERC20_ICO CVE-2018-13535 (The mintToken function of a smart contract implementation for PACCOIN, ...) NOT-FOR-US: smart contract implementation for PACCOIN CVE-2018-13534 (The mintToken function of a smart contract implementation for SpeedCas ...) NOT-FOR-US: smart contract implementation for SpeedCashLite (SCSL) CVE-2018-13533 (The mintToken function of a smart contract implementation for ALUXToke ...) NOT-FOR-US: smart contract implementation for ALUXToken CVE-2018-13532 (The mintToken function of a smart contract implementation for Mindexco ...) NOT-FOR-US: smart contract implementation for Mindexcoin CVE-2018-13531 (The mintToken function of a smart contract implementation for MaxHouse ...) NOT-FOR-US: smart contract implementation for MaxHouse CVE-2018-13530 (The mintToken function of a smart contract implementation for HunterCo ...) NOT-FOR-US: smart contract implementation for HunterCoin CVE-2018-13529 (The mintToken function of a smart contract implementation for BetterTh ...) NOT-FOR-US: smart contract implementation for BetterThanAdrien CVE-2018-13528 (The mintToken function of a smart contract implementation for DhaCoin, ...) NOT-FOR-US: smart contract implementation for DhaCoin CVE-2018-13527 (The mintToken function of a smart contract implementation for ElevateC ...) NOT-FOR-US: smart contract implementation for ElevateCoin CVE-2018-13526 (The mintToken function of a smart contract implementation for WangWang ...) NOT-FOR-US: smart contract implementation for WangWangToken CVE-2018-13525 (The mintToken function of a smart contract implementation for Flow, an ...) NOT-FOR-US: smart contract implementation for Flow CVE-2018-13524 (The mintToken function of a smart contract implementation for PornCoin ...) NOT-FOR-US: smart contract implementation for PornCoin (PRNC) CVE-2018-13523 (The mintToken function of a smart contract implementation for SmartPay ...) NOT-FOR-US: smart contract implementation for SmartPayment CVE-2018-13522 (The mintToken function of a smart contract implementation for EXGROUP, ...) NOT-FOR-US: smart contract implementation for EXGROUP CVE-2018-13521 (The mintToken function of a smart contract implementation for PinkyTok ...) NOT-FOR-US: smart contract implementation for PinkyToken CVE-2018-13520 (The mintToken function of a smart contract implementation for Topscoin ...) NOT-FOR-US: smart contract implementation for TopscoinAdvanced CVE-2018-13519 (The mint function of a smart contract implementation for DigitalCloudT ...) NOT-FOR-US: smart contract implementation for DigitalCloudToken CVE-2018-13518 (The mintToken function of a smart contract implementation for TCash, a ...) NOT-FOR-US: smart contract implementation for TCash CVE-2018-13517 (The mintToken function of a smart contract implementation for C3 Token ...) NOT-FOR-US: smart contract implementation for C3 Token (C3) CVE-2018-13516 (The mintToken function of a smart contract implementation for Super Co ...) NOT-FOR-US: smart contract implementation for Super Cool Awesome Money (SCAM) CVE-2018-13515 (The mintToken function of a smart contract implementation for aman, an ...) NOT-FOR-US: smart contract implementation for aman CVE-2018-13514 (The mintToken function of a smart contract implementation for esportz, ...) NOT-FOR-US: smart contract implementation for esportz CVE-2018-13513 (The mintToken function of a smart contract implementation for Ubiou, a ...) NOT-FOR-US: smart contract implementation for Ubiou CVE-2018-13512 (The mintToken function of a smart contract implementation for SmartHom ...) NOT-FOR-US: smart contract implementation for SmartHomeCoin CVE-2018-13511 (The mintToken function of a smart contract implementation for CorelliC ...) NOT-FOR-US: smart contract implementation for CorelliCoin CVE-2018-13510 (The mintToken function of a smart contract implementation for Welfare ...) NOT-FOR-US: smart contract implementation for Welfare Token Fund (WTF) CVE-2018-13509 (The mintToken function of a smart contract implementation for IamRich, ...) NOT-FOR-US: smart contract implementation for IamRich CVE-2018-13508 (The mintToken function of a smart contract implementation for VITToken ...) NOT-FOR-US: smart contract implementation for VITToken CVE-2018-13507 (The mintToken function of a smart contract implementation for SLCAdvan ...) NOT-FOR-US: smart contract implementation for SLCAdvancedToken CVE-2018-13506 (The mintToken function of a smart contract implementation for SDR22, a ...) NOT-FOR-US: smart contract implementation for SDR22 CVE-2018-13505 (The mintToken function of a smart contract implementation for ecogreen ...) NOT-FOR-US: smart contract implementation for ecogreenhouse CVE-2018-13504 (The mintToken function of a smart contract implementation for MMCoin, ...) NOT-FOR-US: smart contract implementation for MMCoin CVE-2018-13503 (The mintToken function of a smart contract implementation for South Pa ...) NOT-FOR-US: smart contract implementation for South Park Token Token (SPTKN) CVE-2018-13502 (The mintToken function of a smart contract implementation for HeliumNe ...) NOT-FOR-US: smart contract implementation for HeliumNetwork CVE-2018-13501 (The mintToken function of a smart contract implementation for HRWtoken ...) NOT-FOR-US: smart contract implementation for HRWtoken CVE-2018-13500 (The mintToken function of a smart contract implementation for MSXAdvan ...) NOT-FOR-US: smart contract implementation for MSXAdvanced CVE-2018-13499 (The mintToken function of a smart contract implementation for Crowdsal ...) NOT-FOR-US: smart contract implementation for Crowdsale CVE-2018-13498 (The mintToken function of a smart contract implementation for KAPAYcoi ...) NOT-FOR-US: smart contract implementation for KAPAYcoin CVE-2018-13497 (The mintToken function of a smart contract implementation for COBToken ...) NOT-FOR-US: smart contract implementation for COBToken CVE-2018-13496 (The mintToken function of a smart contract implementation for RajTestI ...) NOT-FOR-US: smart contract implementation for RajTestICO CVE-2018-13495 (The mintToken function of a smart contract implementation for KMCToken ...) NOT-FOR-US: smart contract implementation for KMCToken CVE-2018-13494 (The mintToken function of a smart contract implementation for SusanTok ...) NOT-FOR-US: smart contract implementation for SusanTokenERC20 CVE-2018-13493 (The mintToken function of a smart contract implementation for DaddyTok ...) NOT-FOR-US: smart contract implementation for DaddyToken CVE-2018-13492 (The mintToken function of a smart contract implementation for naga, an ...) NOT-FOR-US: smart contract implementation for naga CVE-2018-13491 (The mintToken function of a smart contract implementation for Carrot, ...) NOT-FOR-US: smart contract implementation for Carrot CVE-2018-13490 (The mintToken function of a smart contract implementation for FILM, an ...) NOT-FOR-US: smart contract implementation for FILM CVE-2018-13489 (The mintToken function of a smart contract implementation for OllisCoi ...) NOT-FOR-US: smart contract implementation for OllisCoin CVE-2018-13488 (The mintToken function of a smart contract implementation for Crypto A ...) NOT-FOR-US: smart contract implementation for Crypto Alley Shares (CAST) CVE-2018-13487 (The mintToken function of a smart contract implementation for PlatoTok ...) NOT-FOR-US: smart contract implementation for PlatoToken CVE-2018-13486 (The mintToken function of a smart contract implementation for HELP, an ...) NOT-FOR-US: smart contract implementation for HELP CVE-2018-13485 (The mintToken function of a smart contract implementation for BitcoinA ...) NOT-FOR-US: smart contract implementation for BitcoinAgileToken CVE-2018-13484 (The mintToken function of a smart contract implementation for CBRToken ...) NOT-FOR-US: smart contract implementation for CBRToken CVE-2018-13483 (The mintToken function of a smart contract implementation for mkethTok ...) NOT-FOR-US: smart contract implementation for mkethToken CVE-2018-13482 (The mintToken function of a smart contract implementation for ETHERCAS ...) NOT-FOR-US: smart contract implementation for ETHERCASH (ETC) CVE-2018-13481 (The mintToken function of a smart contract implementation for TRIUM, a ...) NOT-FOR-US: smart contract implementation for TRIUM CVE-2018-13480 (The mintToken function of a smart contract implementation for QRG, an ...) NOT-FOR-US: smart contract implementation for QRG CVE-2018-13479 (The mintToken function of a smart contract implementation for Slidebit ...) NOT-FOR-US: smart contract implementation for SlidebitsToken CVE-2018-13478 (The mintToken function of a smart contract implementation for DMPToken ...) NOT-FOR-US: smart contract implementation for DMPToken CVE-2018-13477 (The mintToken function of a smart contract implementation for CTESale, ...) NOT-FOR-US: smart contract implementation for CTESale CVE-2018-13476 (The mintToken function of a smart contract implementation for PhilCoin ...) NOT-FOR-US: smart contract implementation for PhilCoin CVE-2018-13475 (The mintToken function of a smart contract implementation for VSCToken ...) NOT-FOR-US: smart contract implementation for VSCToken CVE-2018-13474 (The mintToken function of a smart contract implementation for FansChai ...) NOT-FOR-US: smart contract implementation for FansChainToken CVE-2018-13473 (The mintToken function of a smart contract implementation for ohni_2 ( ...) NOT-FOR-US: smart contract implementation for ohni_2 (OHNI) CVE-2018-13472 (The mint function of a smart contract implementation for CloutToken, a ...) NOT-FOR-US: smart contract implementation for CloutToken CVE-2018-13471 (The mintToken function of a smart contract implementation for BeyondCa ...) NOT-FOR-US: smart contract implementation for BeyondCashToken CVE-2018-13470 (The mintToken function of a smart contract implementation for BuyerTok ...) NOT-FOR-US: smart contract implementation for BuyerToken CVE-2018-13469 (The mintToken function of a smart contract implementation for IcoContr ...) NOT-FOR-US: smart contract implementation for IcoContract CVE-2018-13468 (The mintToken function of a smart contract implementation for Cavecoin ...) NOT-FOR-US: smart contract implementation for Cavecoin CVE-2018-13467 (The mintToken function of a smart contract implementation for Epiphany ...) NOT-FOR-US: smart contract implementation for EpiphanyCoin CVE-2018-13466 (The mintToken function of a smart contract implementation for Crystals ...) NOT-FOR-US: smart contract implementation for Crystals CVE-2018-13465 (The mintToken function of a smart contract implementation for PaulyCoi ...) NOT-FOR-US: smart contract implementation for PaulyCoin CVE-2018-13464 (The mintToken function of a smart contract implementation for t_swap, ...) NOT-FOR-US: smart contract implementation for t_swap CVE-2018-13463 (The mintToken function of a smart contract implementation for T-Swap-T ...) NOT-FOR-US: smart contract implementation for T-Swap-Token (T-S-T) CVE-2018-13462 (The mintToken function of a smart contract implementation for MoonToke ...) NOT-FOR-US: smart contract implementation for MoonToken CVE-2018-13461 RESERVED CVE-2018-13460 RESERVED CVE-2018-13459 RESERVED CVE-2018-13458 (qh_core in Nagios Core 4.4.1 and earlier is prone to a NULL pointer de ...) - nagios4 4.3.4-3 (low; bug #917160) NOTE: https://gist.github.com/fakhrizulkifli/40f3daf52950cca6de28ebec2498ff6e NOTE: https://github.com/NagiosEnterprises/nagioscore/commit/b1a92a3b52d292ccb601e77a0b29cb1e67ac9d76 CVE-2018-13457 (qh_echo in Nagios Core 4.4.1 and earlier is prone to a NULL pointer de ...) - nagios4 4.3.4-3 (low; bug #917160) NOTE: https://gist.github.com/fakhrizulkifli/87cf1c1ad403b4d40a86d90c9c9bf7ab NOTE: https://github.com/NagiosEnterprises/nagioscore/commit/b1a92a3b52d292ccb601e77a0b29cb1e67ac9d76 CVE-2018-13456 RESERVED CVE-2018-13455 RESERVED CVE-2018-13454 RESERVED CVE-2018-13453 RESERVED CVE-2018-13452 RESERVED CVE-2018-13451 RESERVED CVE-2018-13450 (SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM ve ...) - dolibarr NOTE: https://github.com/Dolibarr/dolibarr/commit/36402c22eef49d60edd73a2f312f8e28fe0bd1cb CVE-2018-13449 (SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM ve ...) - dolibarr NOTE: https://github.com/Dolibarr/dolibarr/commit/36402c22eef49d60edd73a2f312f8e28fe0bd1cb CVE-2018-13448 (SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM ve ...) - dolibarr NOTE: https://github.com/Dolibarr/dolibarr/commit/36402c22eef49d60edd73a2f312f8e28fe0bd1cb CVE-2018-13447 (SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM ve ...) - dolibarr NOTE: https://github.com/Dolibarr/dolibarr/commit/36402c22eef49d60edd73a2f312f8e28fe0bd1cb CVE-2018-13446 (** DISPUTED ** An issue was discovered in the LINE jp.naver.line appli ...) NOT-FOR-US: LINE jp.naver.line application for Android CVE-2018-13445 (An issue was discovered in SeaCMS 6.61. There is a CSRF vulnerability ...) NOT-FOR-US: SeaCMS CVE-2018-13444 (An issue was discovered in SeaCMS 6.61. There is a CSRF vulnerability ...) NOT-FOR-US: SeaCMS CVE-2018-13443 (EOS.IO jit-wasm 4.1 has a heap-based buffer overflow via a crafted was ...) NOT-FOR-US: EOS.IO jit-wasm CVE-2018-13442 (SolarWinds Network Performance Monitor 12.3 allows SQL Injection via t ...) NOT-FOR-US: SolarWinds Network Performance Monitor CVE-2018-13441 (qh_help in Nagios Core version 4.4.1 and earlier is prone to a NULL po ...) - nagios4 4.3.4-3 (low; bug #917160) NOTE: https://gist.github.com/fakhrizulkifli/8df4a174158df69ebd765f824bd736b8 NOTE: https://github.com/NagiosEnterprises/nagioscore/commit/b1a92a3b52d292ccb601e77a0b29cb1e67ac9d76 CVE-2018-13440 (The audiofile Audio File Library 0.3.6 has a NULL pointer dereference ...) - audiofile 0.3.6-5 (low; bug #903499) [stretch] - audiofile 0.3.6-4+deb9u1 [jessie] - audiofile (Minor issue) NOTE: https://github.com/mpruett/audiofile/issues/49 CVE-2018-13439 (WXPayUtil in WeChat Pay Java SDK allows XXE attacks involving a mercha ...) NOT-FOR-US: WeChat Pay Java SDK CVE-2018-13438 RESERVED CVE-2018-13437 RESERVED CVE-2018-13436 RESERVED CVE-2018-13435 (** DISPUTED ** An issue was discovered in the LINE jp.naver.line appli ...) NOT-FOR-US: LINE jp.naver.line application for iOS CVE-2018-13434 (** DISPUTED ** An issue was discovered in the LINE jp.naver.line appli ...) NOT-FOR-US: LINE jp.naver.line application for iOS CVE-2018-13433 (Boostnote v0.11.7 allows XSS during highlighting of Markdown text, as ...) NOT-FOR-US: Boostnote CVE-2018-13432 RESERVED CVE-2018-13431 RESERVED CVE-2018-13430 RESERVED CVE-2018-13429 RESERVED CVE-2018-13428 RESERVED CVE-2018-13427 RESERVED CVE-2018-13426 RESERVED CVE-2018-13425 RESERVED CVE-2018-13424 RESERVED CVE-2018-13423 (admin/themes/default/items/tag-form.php in Omeka before 2.6.1 allows X ...) NOT-FOR-US: Omeka CVE-2018-13422 (TCExam before 14.1.2 has XSS via an ff_ or xl_ field. ...) NOT-FOR-US: TCExam CVE-2018-13421 (Fast C++ CSV Parser (aka fast-cpp-csv-parser) before 2018-07-06 has a ...) - fast-cpp-csv-parser 0.0+git20160525~9bf299c-2 (low; bug #903247) [stretch] - fast-cpp-csv-parser (Minor issue) [jessie] - fast-cpp-csv-parser (Minor issue) NOTE: https://github.com/ben-strasser/fast-cpp-csv-parser/issues/67 NOTE: https://github.com/ben-strasser/fast-cpp-csv-parser/commit/8cf591aa7397f4372778cc927e184d28ee591093 CVE-2018-13420 (** DISPUTED ** Google gperftools 2.7 has a memory leak in malloc_exten ...) - google-perftools (unimportant; bug #903248) NOTE: https://github.com/gperftools/gperftools/issues/1013 CVE-2018-13419 (** DISPUTED ** An issue has been found in libsndfile 1.0.28. There is ...) NOTE: Misreport, not reprodiucible by upstream and no test file was provided NOTE: https://github.com/erikd/libsndfile/issues/398 CVE-2018-13418 (System command injection in ajaxdata.php in TerraMaster TOS 3.1.03 all ...) NOT-FOR-US: TerraMaster TOS CVE-2018-13417 (In Vuze Bittorrent Client 5.7.6.0, the XML parsing engine for SSDP/UPn ...) - azureus CVE-2018-13416 (In Universal Media Server (UMS) 7.1.0, the XML parsing engine for SSDP ...) NOT-FOR-US: Universal Media Server CVE-2018-13415 (In Plex Media Server 1.13.2.5154, the XML parsing engine for SSDP/UPnP ...) NOT-FOR-US: Plex Media Server CVE-2018-13414 RESERVED CVE-2018-13413 RESERVED CVE-2018-13412 (An issue was discovered in the Self Service Portal in Zoho ManageEngin ...) NOT-FOR-US: Zoho ManageEngine Desktop Central CVE-2018-13411 (An issue was discovered in Zoho ManageEngine Desktop Central before 10 ...) NOT-FOR-US: Zoho ManageEngine Desktop Central CVE-2018-13410 (** DISPUTED ** Info-ZIP Zip 3.0, when the -T and -TT command-line opti ...) - zip (unimportant; bug #903196) NOTE: http://seclists.org/fulldisclosure/2018/Jul/24 NOTE: Negligible security impact, would involve that a untrusted party controls NOTE: the -TT value. CVE-2018-13409 (An issue was discovered in Jirafeau before 3.4.1. The "search file by ...) NOT-FOR-US: Jirafeau CVE-2018-13408 (An issue was discovered in Jirafeau before 3.4.1. The "search file by ...) NOT-FOR-US: Jirafeau CVE-2018-13407 (A CSRF issue was discovered in Jirafeau before 3.4.1. The "delete file ...) NOT-FOR-US: Jirafeau CVE-2018-13406 (An integer overflow in the uvesafb_setcmap function in drivers/video/f ...) {DLA-1715-1 DLA-1529-1} - linux 4.17.6-1 [stretch] - linux 4.9.130-1 NOTE: https://git.kernel.org/linus/9f645bcc566a1e9f921bdae7528a01ced5bc3713 CVE-2018-13405 (The inode_init_owner function in fs/inode.c in the Linux kernel throug ...) {DSA-4266-1 DLA-1529-1 DLA-1466-1} - linux 4.17.6-1 NOTE: https://git.kernel.org/linus/0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7 NOTE: http://www.openwall.com/lists/oss-security/2018/07/13/2 CVE-2018-13404 (The VerifyPopServerConnection resource in Atlassian Jira before versio ...) NOT-FOR-US: Atlassian CVE-2018-13403 (The two-dimensional filter statistics gadget in Atlassian Jira before ...) NOT-FOR-US: Atlassian CVE-2018-13402 (Many resources in Atlassian Jira before version 7.6.9, from version 7. ...) NOT-FOR-US: Atlassian CVE-2018-13401 (The XsrfErrorAction resource in Atlassian Jira before version 7.6.9, f ...) NOT-FOR-US: Atlassian CVE-2018-13400 (Several administrative resources in Atlassian Jira before version 7.6. ...) NOT-FOR-US: Atlassian CVE-2018-13399 (The Microsoft Windows Installer for Atlassian Fisheye and Crucible bef ...) NOT-FOR-US: Atlassian CVE-2018-13398 (The administrative smart-commits resource in Atlassian Fisheye and Cru ...) NOT-FOR-US: Atlassian Fisheye and Crucible CVE-2018-13397 (There was an argument injection vulnerability in Sourcetree for Window ...) NOT-FOR-US: Atlassian Sourcetree CVE-2018-13396 (There was an argument injection vulnerability in Sourcetree for macOS ...) NOT-FOR-US: Atlassian Sourcetree CVE-2018-13395 (Various resources in Atlassian Jira before version 7.6.8, from version ...) NOT-FOR-US: Atlassian Jira CVE-2018-13394 (The acceptAnswer resource in Atlassian Confluence Questions before ver ...) NOT-FOR-US: Atlassian Confluence Questions CVE-2018-13393 (The convertCommentToAnswer resource in Atlassian Confluence Questions ...) NOT-FOR-US: Atlassian Confluence Questions CVE-2018-13392 (Several resources in Atlassian Fisheye and Crucible before version 4.6 ...) NOT-FOR-US: Atlassian CVE-2018-13391 (The ProfileLinkUserFormat component of Jira Server before version 7.6. ...) NOT-FOR-US: Atlassian Jira Server CVE-2018-13390 (Unauthenticated access to cloudtoken daemon on Linux via network from ...) NOT-FOR-US: Atlassian CVE-2018-13389 (The attachment resource in Atlassian Confluence before version 6.6.1 a ...) NOT-FOR-US: Atlassian Confluence CVE-2018-13388 (The review attachment resource in Atlassian Fisheye and Crucible befor ...) NOT-FOR-US: Atlassian Fisheye and Crucible CVE-2018-13387 (The IncomingMailServers resource in Atlassian JIRA Server before versi ...) NOT-FOR-US: Atlassian CVE-2018-13386 (There was an argument injection vulnerability in Sourcetree for Window ...) NOT-FOR-US: Atlassian Sourcetree CVE-2018-13385 (There was an argument injection vulnerability in Sourcetree for macOS ...) NOT-FOR-US: Atlassian Sourcetree CVE-2018-13384 (A Host Header Redirection vulnerability in Fortinet FortiOS all versio ...) NOT-FOR-US: Fortinet FortiOS CVE-2018-13383 (A heap buffer overflow in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5. ...) NOT-FOR-US: Fortinet FortiOS CVE-2018-13382 (An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6 ...) NOT-FOR-US: Fortinet FortiOS CVE-2018-13381 (A buffer overflow vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5. ...) NOT-FOR-US: Fortinet FortiOS CVE-2018-13380 (A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 t ...) NOT-FOR-US: Fortinet FortiOS CVE-2018-13379 (An Improper Limitation of a Pathname to a Restricted Directory ("Path ...) NOT-FOR-US: Fortinet FortiOS CVE-2018-13378 (An information disclosure vulnerability in Fortinet FortiSIEM 5.2.0 an ...) NOT-FOR-US: Fortinet FortiSIEM CVE-2018-13377 RESERVED CVE-2018-13376 (An uninitialized memory buffer leak exists in Fortinet FortiOS 5.6.1 t ...) NOT-FOR-US: Fortinet FortiOS CVE-2018-13375 (An Improper Neutralization of Script-Related HTML Tags in Fortinet For ...) NOT-FOR-US: FortiAnalyzer and FortiManager CVE-2018-13374 (A Improper Access Control in Fortinet FortiOS allows attacker to obtai ...) NOT-FOR-US: Fortinet FortiOS CVE-2018-13373 RESERVED CVE-2018-13372 RESERVED CVE-2018-13371 (An external control of system vulnerability in FortiOS may allow an au ...) NOT-FOR-US: Fortiguard CVE-2018-13370 RESERVED CVE-2018-13369 RESERVED CVE-2018-13368 (A local privilege escalation in Fortinet FortiClient for Windows 6.0.4 ...) NOT-FOR-US: Fortinet FortiClient CVE-2018-13367 (An information exposure vulnerability in FortiOS 6.2.3, 6.2.0 and belo ...) NOT-FOR-US: FortiOS CVE-2018-13366 (An information disclosure vulnerability in Fortinet FortiOS 6.0.1, 5.6 ...) NOT-FOR-US: Fortinet FortiOS CVE-2018-13365 (An Information Exposure vulnerability in Fortinet FortiOS 6.0.1, 5.6.5 ...) NOT-FOR-US: Fortinet FortiOS CVE-2018-13364 RESERVED CVE-2018-13363 RESERVED CVE-2018-13362 RESERVED CVE-2018-13361 (User enumeration in usertable.php in TerraMaster TOS version 3.1.03 al ...) NOT-FOR-US: TerraMaster TOS CVE-2018-13360 (Cross-site scripting in Text Editor in TerraMaster TOS version 3.1.03 ...) NOT-FOR-US: TerraMaster TOS CVE-2018-13359 (Cross-site scripting in usertable.php in TerraMaster TOS version 3.1.0 ...) NOT-FOR-US: TerraMaster TOS CVE-2018-13358 (System command injection in ajaxdata.php in TerraMaster TOS version 3. ...) NOT-FOR-US: TerraMaster TOS CVE-2018-13357 (Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.0 ...) NOT-FOR-US: TerraMaster TOS CVE-2018-13356 (Incorrect access control on ajaxdata.php in TerraMaster TOS version 3. ...) NOT-FOR-US: TerraMaster TOS CVE-2018-13355 (Incorrect access controls in ajaxdata.php in TerraMaster TOS version 3 ...) NOT-FOR-US: TerraMaster TOS CVE-2018-13354 (System command injection in logtable.php in TerraMaster TOS version 3. ...) NOT-FOR-US: TerraMaster TOS CVE-2018-13353 (System command injection in ajaxdata.php in TerraMaster TOS version 3. ...) NOT-FOR-US: TerraMaster TOS CVE-2018-13352 (Session Exposure in the web application for TerraMaster TOS version 3. ...) NOT-FOR-US: TerraMaster TOS CVE-2018-13351 (Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.0 ...) NOT-FOR-US: TerraMaster TOS CVE-2018-13350 (SQL injection in logtable.php in TerraMaster TOS version 3.1.03 allows ...) NOT-FOR-US: TerraMaster TOS CVE-2018-13349 (Cross-site scripting in the web application taskbar in TerraMaster TOS ...) NOT-FOR-US: TerraMaster TOS CVE-2018-13345 RESERVED CVE-2018-13344 RESERVED CVE-2018-13343 RESERVED CVE-2018-13342 (The server API in the Anda app relies on hardcoded credentials. ...) NOT-FOR-US: Anda app CVE-2018-13341 (Crestron TSW-X60 all versions prior to 2.001.0037.001 and MC3 all vers ...) NOT-FOR-US: Creston CVE-2018-13340 (Gleez CMS 1.2.0 has CSRF, as demonstrated by a /page/add request. ...) NOT-FOR-US: Gleez CMS CVE-2018-13339 (Imperavi Redactor 3 in Angular Redactor 1.1.6, when HTML content mode ...) NOT-FOR-US: Imperavi Redactor CVE-2018-13338 (System command injection in ajaxdata.php in TerraMaster TOS version 3. ...) NOT-FOR-US: TerraMaster TOS CVE-2018-13337 (Session Fixation in the web application for TerraMaster TOS version 3. ...) NOT-FOR-US: TerraMaster TOS CVE-2018-13336 (System command injection in ajaxdata.php in TerraMaster TOS version 3. ...) NOT-FOR-US: TerraMaster TOS CVE-2018-13335 (Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.0 ...) NOT-FOR-US: TerraMaster TOS CVE-2018-13334 (Cross-site scripting in handle.php in TerraMaster TOS version 3.1.03 a ...) NOT-FOR-US: TerraMaster TOS CVE-2018-13333 (Cross-site scripting in File Manager in TerraMaster TOS version 3.1.03 ...) NOT-FOR-US: TerraMaster TOS CVE-2018-13332 (Directory Traversal in the explorer application in TerraMaster TOS ver ...) NOT-FOR-US: TerraMaster TOS CVE-2018-13331 (Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.0 ...) NOT-FOR-US: TerraMaster TOS CVE-2018-13330 (System command injection in ajaxdata.php in TerraMaster TOS version 3. ...) NOT-FOR-US: TerraMaster TOS CVE-2018-13329 (Cross-site scripting in ajaxdata.php in TerraMaster TOS version 3.1.03 ...) NOT-FOR-US: TerraMaster TOS CVE-2018-13328 (The transfer, transferFrom, and mint functions of a smart contract imp ...) NOT-FOR-US: smart contract CVE-2018-13327 (The transfer and transferFrom functions of a smart contract implementa ...) NOT-FOR-US: smart contract CVE-2018-13326 (The transfer and transferFrom functions of a smart contract implementa ...) NOT-FOR-US: smart contract CVE-2018-13325 (The _sell function of a smart contract implementation for GROWCHAIN (G ...) NOT-FOR-US: smart contract CVE-2018-13324 (Incorrect access control in nasapi in Buffalo TS5600D1206 version 3.61 ...) NOT-FOR-US: Buffalo CVE-2018-13323 (Cross-site scripting in detail.html in Buffalo TS5600D1206 version 3.6 ...) NOT-FOR-US: Buffalo CVE-2018-13322 (Directory traversal in list_folders method in Buffalo TS5600D1206 vers ...) NOT-FOR-US: Buffalo CVE-2018-13321 (Incorrect access controls in nasapi in Buffalo TS5600D1206 version 3.6 ...) NOT-FOR-US: Buffalo CVE-2018-13320 (System Command Injection in network.set_auth_settings in Buffalo TS560 ...) NOT-FOR-US: Buffalo CVE-2018-13319 (Incorrect access control in get_portal_info in Buffalo TS5600D1206 ver ...) NOT-FOR-US: Buffalo CVE-2018-13318 (System command injection in User.create method in Buffalo TS5600D1206 ...) NOT-FOR-US: Buffalo CVE-2018-13317 (Password disclosure in password.htm in TOTOLINK A3002RU version 1.0.8 ...) NOT-FOR-US: TOTOLINK CVE-2018-13316 (System command injection in formAliasIp in TOTOLINK A3002RU version 1. ...) NOT-FOR-US: TOTOLINK CVE-2018-13315 (Incorrect access control in formPasswordSetup in TOTOLINK A3002RU vers ...) NOT-FOR-US: TOTOLINK CVE-2018-13314 (System command injection in formAliasIp in TOTOLINK A3002RU version 1. ...) NOT-FOR-US: TOTOLINK CVE-2018-13313 (In TOTOLINK A3002RU 1.0.8, the router provides a page that allows the ...) NOT-FOR-US: TOTOLINK CVE-2018-13312 (Cross-site scripting in notice_gen.htm in TOTOLINK A3002RU version 1.0 ...) NOT-FOR-US: TOTOLINK CVE-2018-13311 (System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 ...) NOT-FOR-US: TOTOLINK CVE-2018-13310 (Cross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 ...) NOT-FOR-US: TOTOLINK CVE-2018-13309 (Cross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 ...) NOT-FOR-US: TOTOLINK CVE-2018-13308 (Cross-site scripting in notice_gen.htm in TOTOLINK A3002RU version 1.0 ...) NOT-FOR-US: TOTOLINK CVE-2018-13307 (System command injection in fromNtp in TOTOLINK A3002RU version 1.0.8 ...) NOT-FOR-US: TOTOLINK CVE-2018-13306 (System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 ...) NOT-FOR-US: TOTOLINK CVE-2018-13305 (In FFmpeg 4.0.1, due to a missing check for negative values of the mqu ...) - ffmpeg (Vulnerable code not present) - libav [jessie] - libav (vulnerable code is not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/d08d4a8c7387e758d439b0592782e4cfa2b4d6a4 NOTE: https://github.com/FFmpeg/FFmpeg/commit/d08d4a8c7387e758d439b0592782e4cfa2b4d6a4#commitcomment-30094223 CVE-2018-13304 (In libavcodec in FFmpeg 4.0.1, improper maintenance of the consistency ...) - ffmpeg 7:4.0.2-1 [stretch] - ffmpeg (Vulnerable code not present) - libav [jessie] - libav (vulnerable code is not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/bd27a9364ca274ca97f1df6d984e88a0700fb235 CVE-2018-13303 (In FFmpeg 4.0.1, a missing check for failure of a call to init_get_bit ...) - ffmpeg 7:4.0.2-1 [stretch] - ffmpeg (Vulnerable code not present) - libav [jessie] - libav (vulnerable code is not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/00e8181bd97c834fe60751b0c511d4bb97875f78 CVE-2018-13302 (In FFmpeg 4.0.1, improper handling of frame types (other than EAC3_FRA ...) {DSA-4249-1} - ffmpeg 7:3.4.3-1 - libav [jessie] - libav (vulnerable code is not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/ed22dc22216f74c75ee7901f82649e1ff725ba50 NOTE: Fixed in 3.2.11 CVE-2018-13301 (In FFmpeg 4.0.1, due to a missing check of a profile value before sett ...) - ffmpeg 7:4.0.2-1 (low) [stretch] - ffmpeg (3.2.x not affected) - libav [jessie] - libav (Vulnerable code path not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/2aa9047486dbff12d9e040f917e5f799ed2fd78b NOTE: It looks like Jessie is not affected but we need the reproducer to confirm this assumption. CVE-2018-13300 (In FFmpeg 4.0.1, an improper argument (AVCodecParameters) passed to th ...) {DSA-4249-1} - ffmpeg 7:3.4.3-1 - libav [jessie] - libav (vulnerable code is not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/95556e27e2c1d56d9e18f5db34d6f756f3011148 NOTE: Fixed in 3.2.11 CVE-2018-13299 (Relative path traversal vulnerability in Attachment Uploader in Synolo ...) NOT-FOR-US: Synology CVE-2018-13298 (Channel accessible by non-endpoint vulnerability in privacy page in Sy ...) NOT-FOR-US: Synology CVE-2018-13297 (Information exposure vulnerability in SYNO.SynologyDrive.Files in Syno ...) NOT-FOR-US: Synology CVE-2018-13296 (Uncontrolled resource consumption vulnerability in TLS configuration i ...) NOT-FOR-US: Synology CVE-2018-13295 (Information exposure vulnerability in SYNO.Personal.Application.Info i ...) NOT-FOR-US: Synology CVE-2018-13294 (Information exposure vulnerability in SYNO.Personal.Profile in Synolog ...) NOT-FOR-US: Synology CVE-2018-13293 (Cross-site scripting (XSS) vulnerability in Control Panel SSO Settings ...) NOT-FOR-US: Synology CVE-2018-13292 (Information exposure vulnerability in /usr/syno/etc/mount.conf in Syno ...) NOT-FOR-US: Synology CVE-2018-13291 (Information exposure vulnerability in /usr/syno/etc/mount.conf in Syno ...) NOT-FOR-US: Synology CVE-2018-13290 (Information exposure vulnerability in SYNO.Core.ACL in Synology Router ...) NOT-FOR-US: Synology CVE-2018-13289 (Information exposure vulnerability in SYNO.FolderSharing.List in Synol ...) NOT-FOR-US: Synology CVE-2018-13288 (Information exposure vulnerability in SYNO.FolderSharing.List in Synol ...) NOT-FOR-US: Synology CVE-2018-13287 (Incorrect default permissions vulnerability in synouser.conf in Synolo ...) NOT-FOR-US: Synology CVE-2018-13286 (Incorrect default permissions vulnerability in synouser.conf in Synolo ...) NOT-FOR-US: Synology CVE-2018-13285 (Command injection vulnerability in ftpd in Synology Router Manager (SR ...) NOT-FOR-US: Synology CVE-2018-13284 (Command injection vulnerability in ftpd in Synology Diskstation Manage ...) NOT-FOR-US: Synology CVE-2018-13283 (Lack of administrator control over security vulnerability in client.cg ...) NOT-FOR-US: Synology CVE-2018-13282 (Session fixation vulnerability in SYNO.PhotoStation.Auth in Synology P ...) NOT-FOR-US: Synology Photo Station CVE-2018-13281 (Information exposure vulnerability in SYNO.Core.ACL in Synology DiskSt ...) NOT-FOR-US: Synology DiskStation Manager CVE-2018-13280 (Use of insufficiently random values vulnerability in SYNO.Encryption.G ...) NOT-FOR-US: Synology CVE-2018-13279 RESERVED CVE-2018-13278 RESERVED CVE-2018-13277 REJECTED CVE-2018-13276 REJECTED CVE-2018-13275 REJECTED CVE-2018-13274 REJECTED CVE-2018-13273 REJECTED CVE-2018-13272 REJECTED CVE-2018-13271 REJECTED CVE-2018-13270 REJECTED CVE-2018-13269 REJECTED CVE-2018-13268 REJECTED CVE-2018-13267 REJECTED CVE-2018-13266 REJECTED CVE-2018-13265 REJECTED CVE-2018-13264 REJECTED CVE-2018-13263 REJECTED CVE-2018-13262 REJECTED CVE-2018-13261 REJECTED CVE-2018-13260 REJECTED CVE-2018-13259 (An issue was discovered in zsh before 5.6. Shebang lines exceeding 64 ...) - zsh 5.6-1 (bug #908000) [stretch] - zsh (Minor issue) [jessie] - zsh (Minor issue) NOTE: https://www.zsh.org/mla/zsh-announce/136 NOTE: https://sourceforge.net/p/zsh/code/ci/1c4c7b6a4d17294df028322b70c53803a402233d CVE-2018-13258 (Mediawiki 1.31 before 1.31.1 misses .htaccess files in the provided ta ...) - mediawiki (Affected upstream tarball was never used) NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2018-September/090849.html NOTE: https://phabricator.wikimedia.org/T199029 CVE-2018-13257 (The bb-auth-provider-cas authentication module within Blackboard Learn ...) NOT-FOR-US: Blackboard Learn CVE-2018-13256 (PHP Scripts Mall Auditor Website 2.0.1 has XSS via the lastname or fir ...) NOT-FOR-US: PHP Scripts Mall Auditor Website CVE-2018-13255 RESERVED CVE-2018-13254 RESERVED CVE-2018-13253 RESERVED CVE-2018-13252 (Entrust Datacard Syntera CS 5.x has XSS via the name field of "Domain ...) NOT-FOR-US: Entrust Datacard Syntera CS CVE-2018-13251 (In libming 0.4.8, there is an excessive memory allocation attempt in t ...) - ming NOTE: https://github.com/libming/libming/issues/149 CVE-2018-13250 (libming 0.4.8 has a NULL pointer dereference in the getString function ...) - ming NOTE: https://github.com/libming/libming/issues/147 CVE-2018-13249 RESERVED CVE-2018-13248 RESERVED CVE-2018-13247 RESERVED CVE-2018-13246 RESERVED CVE-2018-13245 RESERVED CVE-2018-13244 RESERVED CVE-2018-13243 RESERVED CVE-2018-13242 RESERVED CVE-2018-13241 RESERVED CVE-2018-13240 RESERVED CVE-2018-13239 RESERVED CVE-2018-13238 RESERVED CVE-2018-13237 RESERVED CVE-2018-13236 RESERVED CVE-2018-13235 RESERVED CVE-2018-13234 RESERVED CVE-2018-13233 (The sell function of a smart contract implementation for GSI, an Ether ...) NOT-FOR-US: smart contract implementation for GSI CVE-2018-13232 (The sell function of a smart contract implementation for ENTER (ENTR) ...) NOT-FOR-US: smart contract implementation for ENTER (ENTR) CVE-2018-13231 (The sell function of a smart contract implementation for ENTER (ENTR) ...) NOT-FOR-US: smart contract implementation for ENTER (ENTR) CVE-2018-13230 (The sell function of a smart contract implementation for DestiNeed (DS ...) NOT-FOR-US: smart contract implementation for DestiNeed (DSN) CVE-2018-13229 (The sell function of a smart contract implementation for RiptideCoin ( ...) NOT-FOR-US: smart contract implementation for RiptideCoin (RIPT) CVE-2018-13228 (The sell function of a smart contract implementation for Crowdnext (CN ...) NOT-FOR-US: smart contract implementation for Crowdnext (CNX) CVE-2018-13227 (The sell function of a smart contract implementation for MoneyChainNet ...) NOT-FOR-US: smart contract implementation for MoneyChainNet (MCN) CVE-2018-13226 (The sell function of a smart contract implementation for YLCToken, an ...) NOT-FOR-US: smart contract implementation for YLCToken CVE-2018-13225 (The sell function of a smart contract implementation for MyYLC, an Eth ...) NOT-FOR-US: smart contract implementation for MyYLC CVE-2018-13224 (The sell function of a smart contract implementation for Virtual Energ ...) NOT-FOR-US: smart contract implementation for Virtual Energy Units (VEU) CVE-2018-13223 (The sell function of a smart contract implementation for R Time Token ...) NOT-FOR-US: smart contract implementation for R Time Token v3 (RS) CVE-2018-13222 (The sell function of a smart contract implementation for ObjectToken ( ...) NOT-FOR-US: smart contract implementation for ObjectToken (OBJ) CVE-2018-13221 (The sell function of a smart contract implementation for Extreme Coin ...) NOT-FOR-US: smart contract implementation for Extreme Coin (XT) CVE-2018-13220 (The sell function of a smart contract implementation for MAVCash, an E ...) NOT-FOR-US: smart contract implementation for MAVCash CVE-2018-13219 (The sell function of a smart contract implementation for YourCoin (ICO ...) NOT-FOR-US: smart contract implementation for YourCoin (ICO) CVE-2018-13218 (The sell function of a smart contract implementation for ICO Dollar (I ...) NOT-FOR-US: smart contract implementation for ICO Dollar (ICOD) CVE-2018-13217 (The sell function of a smart contract implementation for CoinToken, an ...) NOT-FOR-US: smart contract implementation for CoinToken CVE-2018-13216 (The sell function of a smart contract implementation for GreenMed (GRM ...) NOT-FOR-US: smart contract implementation for GreenMed (GRMD) CVE-2018-13215 (The sell function of a smart contract implementation for Sample Token ...) NOT-FOR-US: smart contract implementation for Sample Token (STK) CVE-2018-13214 (The sell function of a smart contract implementation for GMile, an Eth ...) NOT-FOR-US: smart contract implementation for GMile CVE-2018-13213 (The sell function of a smart contract implementation for TravelCoin (T ...) NOT-FOR-US: smart contract implementation for TravelCoin CVE-2018-13212 (The sell function of a smart contract implementation for EthereumLegit ...) NOT-FOR-US: smart contract implementation for EthereumLegit CVE-2018-13211 (The sell function of a smart contract implementation for MyToken, an E ...) NOT-FOR-US: smart contract implementation for MyToken CVE-2018-13210 (The sell function of a smart contract implementation for Providence Cr ...) NOT-FOR-US: smart contract implementation for Providence Crypto Casion (PVE) CVE-2018-13209 (The sell function of a smart contract implementation for Nectar (NCTR) ...) NOT-FOR-US: smart contract implementation for Nectar (NCTR) CVE-2018-13208 (The sell function of a smart contract implementation for MoneyTree (TR ...) NOT-FOR-US: smart contract implementation for MoneyTree (TREE) CVE-2018-13207 (The sell function of a smart contract implementation for PornCoin (PRN ...) NOT-FOR-US: smart contract implementation for PornCoin CVE-2018-13206 (The sell function of a smart contract implementation for ProvidenceCas ...) NOT-FOR-US: smart contract implementation for ProvidenceCasino (PVE) CVE-2018-13205 (The sell function of a smart contract implementation for ohni_2 (OHNI) ...) NOT-FOR-US: smart contract implementation for ohni_2 (OHNI) CVE-2018-13204 (The sell function of a smart contract implementation for ETHERCASH (ET ...) NOT-FOR-US: smart contract implementation for ETHERCASH CVE-2018-13203 (The sellBuyerTokens function of a smart contract implementation for Sw ...) NOT-FOR-US: smart contract implementation for SwapToken CVE-2018-13202 (The sell function of a smart contract implementation for MyBO, an Ethe ...) NOT-FOR-US: smart contract implementation for MyBO CVE-2018-13201 (The sell function of a smart contract implementation for TiTok - Ticke ...) NOT-FOR-US: smart contract implementation for TiTok - Ticket Token CVE-2018-13200 (The sell function of a smart contract implementation for DateMe (DMX) ...) NOT-FOR-US: smart contract implementation for DateMe (DMX) CVE-2018-13199 (The sell function of a smart contract implementation for ETHEREUMBLACK ...) NOT-FOR-US: smart contract implementation for ETHEREUMBLACK CVE-2018-13198 (The sell function of a smart contract implementation for STeX Exchange ...) NOT-FOR-US: smart contract implementation for STeX Exchange ICO (STE) CVE-2018-13197 (The sell function of a smart contract implementation for Welfare Token ...) NOT-FOR-US: smart contract implementation for Welfare Token Fund (WTF) CVE-2018-13196 (The sell function of a smart contract implementation for T-Swap-Token ...) NOT-FOR-US: smart contract implementation for T-Swap-Token CVE-2018-13195 (The mintToken function of a smart contract implementation for Cranoo ( ...) NOT-FOR-US: smart contract implementation for Cranoo CVE-2018-13194 (The mintToken function of a smart contract implementation for TongTong ...) NOT-FOR-US: smart contract implementation for TongTong Coin CVE-2018-13193 (The mintToken function of a smart contract implementation for hentaiso ...) NOT-FOR-US: smart contract implementation for hentaisolo CVE-2018-13192 (The mintToken function of a smart contract implementation for Jobscoin ...) NOT-FOR-US: smart contract implementation for Jobscoin CVE-2018-13191 (The mintToken function of a smart contract implementation for Super Ca ...) NOT-FOR-US: smart contract implementation for Super Carbon Coin CVE-2018-13190 (The mintToken function of a smart contract implementation for DVChain, ...) NOT-FOR-US: smart contract implementation for DVChain CVE-2018-13189 (The mint function of a smart contract implementation for Unolabo (UNLB ...) NOT-FOR-US: smart contract implementation for Unolabo CVE-2018-13188 (The mintToken function of a smart contract implementation for MyBO, an ...) NOT-FOR-US: smart contract implementation for MyBO CVE-2018-13187 (The mintToken function of a smart contract implementation for CIBN Liv ...) NOT-FOR-US: smart contract implementation for CIBN Live Token CVE-2018-13186 (The mintToken function of a smart contract implementation for MMTCoin ...) NOT-FOR-US: smart contract implementation for MMTCoin CVE-2018-13185 (The mintToken function of a smart contract implementation for appcoins ...) NOT-FOR-US: smart contract implementation for appcoins CVE-2018-13184 (The mintToken function of a smart contract implementation for TravelZe ...) NOT-FOR-US: smart contract implementation for TravelZedi Token CVE-2018-13183 (The mintToken function of a smart contract implementation for JWC, an ...) NOT-FOR-US: smart contract implementation for JWC CVE-2018-13182 (The mintToken function of a smart contract implementation for loncoin ...) NOT-FOR-US: smart contract implementation for loncoin CVE-2018-13181 (The mintToken function of a smart contract implementation for Troo, an ...) NOT-FOR-US: smart contract implementation for Troo CVE-2018-13180 (The mintToken function of a smart contract implementation for IMM Coin ...) NOT-FOR-US: smart contract implementation for IMM Coin CVE-2018-13179 (The mintToken function of a smart contract implementation for Air-Cont ...) NOT-FOR-US: smart contract implementation for Air-Contact Token CVE-2018-13178 (The mintToken function of a smart contract implementation for ECToints ...) NOT-FOR-US: smart contract implementation for ECToints CVE-2018-13177 (The mintToken function of a smart contract implementation for MiningRi ...) NOT-FOR-US: smart contract implementation for MiningRigRentals Token CVE-2018-13176 (The mintToken function of a smart contract implementation for Trust Ze ...) NOT-FOR-US: smart contract implementation for Trust Zen Token CVE-2018-13175 (The mintToken function of a smart contract implementation for AIChain, ...) NOT-FOR-US: smart contract implementation for AIChain CVE-2018-13174 (The mintToken function of a smart contract implementation for CryptoAB ...) NOT-FOR-US: smart contract implementation for CryptoABS CVE-2018-13173 (The mintToken function of a smart contract implementation for EliteShi ...) NOT-FOR-US: smart contract implementation for EliteShipperToken CVE-2018-13172 (The mintToken function of a smart contract implementation for bzxcoin ...) NOT-FOR-US: smart contract implementation for bzxcoin CVE-2018-13171 (The mintToken function of a smart contract implementation for LadaToke ...) NOT-FOR-US: smart contract implementation for LadaToken CVE-2018-13170 (The mintToken function of a smart contract implementation for Snoqualm ...) NOT-FOR-US: smart contract implementation for Snoqualmie Coin CVE-2018-13169 (The mintToken function of a smart contract implementation for Ethereum ...) NOT-FOR-US: smart contract implementation for Ethereum Cash Pro CVE-2018-13168 (The mintToken function of a smart contract implementation for Yu Gi Oh ...) NOT-FOR-US: smart contract implementation for Yu Gi Oh CVE-2018-13167 (The mintToken function of a smart contract implementation for Yu Gi Oh ...) NOT-FOR-US: smart contract implementation for Yu Gi Oh CVE-2018-13166 (The mintToken function of a smart contract implementation for AthletiC ...) NOT-FOR-US: smart contract implementation for AthletiCoin CVE-2018-13165 (The mintToken function of a smart contract implementation for JustDCoi ...) NOT-FOR-US: smart contract implementation for JustDCoin CVE-2018-13164 (The mintToken function of a smart contract implementation for EPPCOIN ...) NOT-FOR-US: smart contract implementation for EPPCOIN CVE-2018-13163 (The mintToken function of a smart contract implementation for Ethernet ...) NOT-FOR-US: smart contract implementation for Ethernet Cash CVE-2018-13162 (The mintToken function of a smart contract implementation for ALEX, an ...) NOT-FOR-US: smart contract implementation for ALEX CVE-2018-13161 (The mintToken function of a smart contract implementation for MultiGam ...) NOT-FOR-US: smart contract implementation for MultiGames CVE-2018-13160 (The mintToken function of a smart contract implementation for etktoken ...) NOT-FOR-US: smart contract implementation for etktokens CVE-2018-13159 (The mintToken function of a smart contract implementation for bankcoin ...) NOT-FOR-US: smart contract implementation for bankcoin CVE-2018-13158 (The mintToken function of a smart contract implementation for AssetTok ...) NOT-FOR-US: smart contract implementation for AssetToken CVE-2018-13157 (The mintToken function of a smart contract implementation for Cryptoni ...) NOT-FOR-US: smart contract implementation for CryptonitexCoin CVE-2018-13156 (The mintToken function of a smart contract implementation for bonusTok ...) NOT-FOR-US: smart contract implementation for bonusToken CVE-2018-13155 (The mintToken function of a smart contract implementation for GEMCHAIN ...) NOT-FOR-US: smart contract implementation for GEMCHAIN CVE-2018-13154 RESERVED CVE-2018-13153 (In ImageMagick 7.0.8-4, there is a memory leak in the XMagickCommand f ...) - imagemagick 8:6.9.10.8+dfsg-1 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1195 NOTE: https://github.com/ImageMagick/ImageMagick/commit/4ab4849d667e26df0e63ece9d63ae23bc7ab0fa1 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/6ce6d25b47caf9b6b2979a510b6202ce0f3dd2d4 CVE-2018-13152 RESERVED CVE-2018-13151 RESERVED CVE-2018-13150 RESERVED CVE-2018-13149 RESERVED CVE-2018-13148 RESERVED CVE-2018-13147 RESERVED CVE-2018-13146 (The mintToken, buy, and sell functions of a smart contract implementat ...) NOT-FOR-US: smart contract CVE-2018-13145 (The mintToken function of a smart contract implementation for JavaSwap ...) NOT-FOR-US: smart contract CVE-2018-13144 (The transfer and transferFrom functions of a smart contract implementa ...) NOT-FOR-US: smart contract CVE-2018-13143 RESERVED CVE-2018-13142 RESERVED CVE-2018-13141 RESERVED CVE-2018-13140 (Druide Antidote through 9.5.1 on Windows and Linux allows remote code ...) NOT-FOR-US: Druide Antidote CVE-2018-13139 (A stack-based buffer overflow in psf_memset in common.c in libsndfile ...) {DLA-1618-1} - libsndfile 1.0.28-5 (unimportant) NOTE: https://github.com/erikd/libsndfile/issues/397 NOTE: https://github.com/erikd/libsndfile/commit/aaea680337267bfb6d2544da878890ee7f1c5077 NOTE: Missing channel number check in sndfile-deinterleave program, not a NOTE: security issue in the library. CVE-2018-13138 RESERVED CVE-2018-13137 (The Events Manager plugin 5.9.4 for WordPress has XSS via the dbem_eve ...) NOT-FOR-US: Events Manager plugin for WordPress CVE-2018-13136 (The Ultimate Member (aka ultimatemember) plugin before 2.0.18 for Word ...) NOT-FOR-US: Wordpress plugin CVE-2018-13135 RESERVED CVE-2018-13134 (TP-Link Archer C1200 1.13 Build 2018/01/24 rel.52299 EU devices have X ...) NOT-FOR-US: TP-Link CVE-2018-13133 (Golden Frog VyprVPN before 2018-06-21 has a vulnerability associated w ...) NOT-FOR-US: Golden Frog VyprVPN CVE-2015-9260 (An issue was discovered in BEdita before 3.7.0. A cross-site scripting ...) NOT-FOR-US: BEdita CVE-2018-13132 (Spadeico is a smart contract running on Ethereum. The mint function ha ...) NOT-FOR-US: Spadeico CVE-2018-13131 (SpadePreSale is a smart contract running on Ethereum. The mint functio ...) NOT-FOR-US: SpadePreSale CVE-2018-13130 (Bitotal (TFUND) is a smart contract running on Ethereum. The mintToken ...) NOT-FOR-US: Bitotal (TFUND) CVE-2018-13129 (SP8DE Token (SPX) is a smart contract running on Ethereum. The mint fu ...) NOT-FOR-US: SP8DE Token (SPX) CVE-2018-13128 (Etherty Token (ETY) is a smart contract running on Ethereum. The mint ...) NOT-FOR-US: Etherty Token (ETY) CVE-2018-13127 (SP8DE PreSale Token (DSPX) is a smart contract running on Ethereum. Th ...) NOT-FOR-US: SP8DE PreSale Token (DSPX) CVE-2018-13126 (MoxyOnePresale is a smart contract running on Ethereum. The mint funct ...) NOT-FOR-US: MoxyOnePresale CVE-2018-13125 RESERVED CVE-2018-13124 RESERVED CVE-2018-13123 (onefilecms.php in OneFileCMS through 2017-10-08 might allow attackers ...) NOT-FOR-US: OneFileCMS CVE-2018-13122 (onefilecms.php in OneFileCMS through 2017-10-08 might allow attackers ...) NOT-FOR-US: OneFileCMS CVE-2018-13121 (RealOne Player 2.0 Build 6.0.11.872 allows remote attackers to cause a ...) NOT-FOR-US: RealOne Player CVE-2018-13120 RESERVED CVE-2018-13119 RESERVED CVE-2018-13118 RESERVED CVE-2018-13117 RESERVED CVE-2018-13116 (/user/del.php in zzcms 8.3 allows SQL injection via the tablename para ...) NOT-FOR-US: zzcms CVE-2018-13115 (Lack of an authentication mechanism in KERUI Wifi Endoscope Camera (YP ...) NOT-FOR-US: KERUI Wifi Endoscope Camera CVE-2018-13114 (Missing authentication and improper input validation in KERUI Wifi End ...) NOT-FOR-US: KERUI Wifi Endoscope Camera CVE-2018-13113 (The transfer and transferFrom functions of a smart contract implementa ...) NOT-FOR-US: smart contract implementation for Easy Trading Token and Ethereum token CVE-2018-13112 (get_l2len in common/get.c in Tcpreplay 4.3.0 beta1 allows remote attac ...) - tcpreplay 4.3.1-1 (low; bug #902952) [stretch] - tcpreplay (Minor issue) [jessie] - tcpreplay (Minor issue) NOTE: https://github.com/appneta/tcpreplay/issues/477 NOTE: https://github.com/appneta/tcpreplay/issues/408 NOTE: https://github.com/appneta/tcpreplay/commit/0253c4707446b9500804101122a72dde2763ed8f CVE-2018-13111 (There exists a partial Denial of Service vulnerability in Wanscam HW00 ...) NOT-FOR-US: Wanscam CVE-2018-13110 (All ADB broadband gateways / routers based on the Epicentro platform a ...) NOT-FOR-US: ADB broadband gateways / routers CVE-2018-13109 (All ADB broadband gateways / routers based on the Epicentro platform a ...) NOT-FOR-US: ADB broadband gateways / routers CVE-2018-13108 (All ADB broadband gateways / routers based on the Epicentro platform a ...) NOT-FOR-US: ADB broadband gateways / routers CVE-2018-13107 RESERVED CVE-2018-13106 (ClipperCMS 1.3.3 has stored XSS via the "Tools -> Configuration" sc ...) NOT-FOR-US: ClipperCMS CVE-2018-13105 RESERVED CVE-2018-13104 (OX App Suite 7.8.4 and earlier allows XSS. Internal reference: 58742 ( ...) NOT-FOR-US: Open-Xchange App Suite CVE-2018-13103 (OX App Suite 7.8.4 and earlier allows SSRF. ...) NOT-FOR-US: Open-Xchange App Suite CVE-2018-13102 (AnyDesk before "12.06.2018 - 4.1.3" on Windows 7 SP1 has a DLL preload ...) NOT-FOR-US: AnyDesk CVE-2018-13101 (KioskSimpleService.exe in RedSwimmer KioskSimple 1.4.7.0 suffers from ...) NOT-FOR-US: RedSwimmer KioskSimple CVE-2018-13100 (An issue was discovered in fs/f2fs/super.c in the Linux kernel through ...) {DLA-1715-1} - linux 4.18.10-1 [stretch] - linux 4.9.144-1 [jessie] - linux (Hard to backport and low priority outside of Android) NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=200183 NOTE: https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git/commit/?h=f2fs-dev&id=977f9bb558cb4a95d53b10301f5c739ed8867d4d CVE-2018-13099 (An issue was discovered in fs/f2fs/inline.c in the Linux kernel throug ...) {DSA-4308-1 DLA-1531-1} - linux 4.18.10-1 [jessie] - linux (Hard to backport and low priority outside of Android) - linux-4.9 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=200179 NOTE: https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git/commit/?h=f2fs-dev&id=cc60e90f9bfab8d6a7fb826937e824333c3bf94a NOTE: https://sourceforge.net/p/linux-f2fs/mailman/message/36356878/ CVE-2018-13098 (An issue was discovered in fs/f2fs/inode.c in the Linux kernel through ...) - linux 4.18.10-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=200173 NOTE: https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git/commit/?h=f2fs-dev&id=346886775c5fa6a541c0148bbecc0554ab9d6dad CVE-2018-13097 (An issue was discovered in fs/f2fs/super.c in the Linux kernel through ...) {DLA-1715-1} - linux 4.19.9-1 [stretch] - linux 4.9.144-1 [jessie] - linux (Hard to backport and low priority outside of Android) NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=200171 NOTE: https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git/commit/?h=f2fs-dev&id=78bbd741456e31e0acb983283a8d3993ba859c15 CVE-2018-13096 (An issue was discovered in fs/f2fs/super.c in the Linux kernel through ...) {DLA-1715-1} - linux 4.19.9-1 [stretch] - linux 4.9.144-1 [jessie] - linux (Hard to backport and low priority outside of Android) - linux-4.9 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=200167 NOTE: https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git/commit/?h=f2fs-dev&id=e335cc683fd13882b9152937b06ff3c16c28aa34 CVE-2018-13095 (An issue was discovered in fs/xfs/libxfs/xfs_inode_buf.c in the Linux ...) - linux 4.18.6-1 [jessie] - linux (Too risky to backport) NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199915 NOTE: https://git.kernel.org/pub/scm/fs/xfs/xfs-linux.git/commit/?h=for-next&id=23fcb3340d033d9f081e21e6c12c2db7eaa541d3 CVE-2018-13094 (An issue was discovered in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux ...) {DLA-2114-1 DLA-1529-1} - linux 4.17.14-1 [stretch] - linux 4.9.210-1 - linux-4.9 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199969 NOTE: https://git.kernel.org/pub/scm/fs/xfs/xfs-linux.git/commit/?h=for-next&id=bb3d48dcf86a97dc25fe9fc2c11938e19cb4399a CVE-2018-13093 (An issue was discovered in fs/xfs/xfs_icache.c in the Linux kernel thr ...) {DLA-2114-1 DLA-1529-1} - linux 4.17.14-1 [stretch] - linux 4.9.210-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199367 NOTE: https://git.kernel.org/pub/scm/fs/xfs/xfs-linux.git/commit/?h=for-next&id=afca6c5b2595fc44383919fba740c194b0b76aff CVE-2018-13092 (The mintToken function of a smart contract implementation for Reimburs ...) NOT-FOR-US: smart contract implementation CVE-2018-13091 (The mintToken function of a smart contract implementation for sumocoin ...) NOT-FOR-US: smart contract implementation CVE-2018-13090 (The mintToken function of a smart contract implementation for YiTongCo ...) NOT-FOR-US: smart contract implementation CVE-2018-13089 (The mintToken function of a smart contract implementation for Universa ...) NOT-FOR-US: smart contract implementation CVE-2018-13088 (The mintToken function of a smart contract implementation for Futures ...) NOT-FOR-US: smart contract implementation CVE-2018-13087 (The mintToken function of a smart contract implementation for Coinstar ...) NOT-FOR-US: smart contract implementation CVE-2018-13086 (The mintToken function of a smart contract implementation for IADOWR C ...) NOT-FOR-US: smart contract implementation CVE-2018-13085 (The mintToken function of a smart contract implementation for FreeCoin ...) NOT-FOR-US: smart contract implementation CVE-2018-13084 (The mintToken function of a smart contract implementation for Good Tim ...) NOT-FOR-US: smart contract implementation CVE-2018-13083 (The mintToken function of a smart contract implementation for Plaza To ...) NOT-FOR-US: smart contract implementation CVE-2018-13082 (The mintToken function of a smart contract implementation for MODI Tok ...) NOT-FOR-US: smart contract implementation CVE-2018-13081 (The mintToken function of a smart contract implementation for GZS Toke ...) NOT-FOR-US: smart contract implementation CVE-2018-13080 (The mintToken function of a smart contract implementation for Goutex ( ...) NOT-FOR-US: smart contract implementation CVE-2018-13079 (The mintToken function of a smart contract implementation for GoodTo ( ...) NOT-FOR-US: smart contract implementation CVE-2018-13078 (The mintToken function of a smart contract implementation for Jitech ( ...) NOT-FOR-US: smart contract implementation CVE-2018-13077 (The mintToken function of a smart contract implementation for CTB, an ...) NOT-FOR-US: smart contract implementation CVE-2018-13076 (The mintToken function of a smart contract implementation for Betcash ...) NOT-FOR-US: smart contract implementation CVE-2018-13075 (The mintToken function of a smart contract implementation for Carbon E ...) NOT-FOR-US: smart contract implementation CVE-2018-13074 (The mintToken function of a smart contract implementation for FIBToken ...) NOT-FOR-US: smart contract implementation CVE-2018-13073 (The mintToken function of a smart contract implementation for ETHEREUM ...) NOT-FOR-US: smart contract implementation CVE-2018-13072 (The mintToken function of a smart contract implementation for Coffeeco ...) NOT-FOR-US: smart contract implementation CVE-2018-13071 (The mintToken function of a smart contract implementation for CCindex1 ...) NOT-FOR-US: smart contract implementation CVE-2018-13070 (The mintToken function of a smart contract implementation for Encrypte ...) NOT-FOR-US: smart contract implementation CVE-2018-13069 (The mintToken function of a smart contract implementation for DYchain ...) NOT-FOR-US: smart contract implementation CVE-2018-13068 (The mintToken function of a smart contract implementation for AzurionT ...) NOT-FOR-US: smart contract implementation CVE-2018-13067 (/upload/catalog/controller/account/password.php in OpenCart through 3. ...) NOT-FOR-US: OpenCart CVE-2018-13066 (There is a memory leak in util/parser.c in libming 0.4.8, which will l ...) - ming NOTE: https://github.com/libming/libming/issues/146 CVE-2018-13065 (** DISPUTED ** ModSecurity 3.0.0 has XSS via an onerror attribute of a ...) NOT-FOR-US: Bogus claim for ModSecurity, to be revoked CVE-2018-13064 RESERVED CVE-2018-13063 (Easy!Appointments 1.3.0 has a Missing Authorization issue allowing ret ...) NOT-FOR-US: Easy!Appointments CVE-2018-13062 RESERVED CVE-2018-13061 RESERVED CVE-2018-13060 (Easy!Appointments 1.3.0 has a Guessable CAPTCHA issue. ...) NOT-FOR-US: Easy!Appointments CVE-2018-13059 RESERVED CVE-2018-13058 RESERVED CVE-2018-13057 RESERVED CVE-2018-13056 (An issue was discovered on zzcms 8.3. There is a vulnerability at /use ...) NOT-FOR-US: zzcms CVE-2018-13055 (A cross-site scripting (XSS) vulnerability in the View Filters page (v ...) - mantis NOTE: http://github.com/mantisbt/mantisbt/commit/4efac90ed89a5c009108b641e2e95683791a165a NOTE: https://mantisbt.org/blog/archives/mantisbt/602 NOTE: https://mantisbt.org/bugs/view.php?id=24580 CVE-2018-13053 (The alarm_timer_nsleep function in kernel/time/alarmtimer.c in the Lin ...) {DLA-1731-1 DLA-1715-1} - linux 4.18.20-1 [stretch] - linux 4.9.135-1 - linux-4.9 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=200303 NOTE: https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=5f936e19cc0ef97dbe3a56e9498922ad5ba1edef CVE-2018-13052 (In CyberArk Endpoint Privilege Manager (formerly Viewfinity), Privileg ...) NOT-FOR-US: CyberArk Endpoint Privilege Manager CVE-2018-13051 RESERVED CVE-2018-13050 (A SQL Injection vulnerability exists in Zoho ManageEngine Applications ...) NOT-FOR-US: Zoho CVE-2018-13048 RESERVED CVE-2018-13047 RESERVED CVE-2018-13046 RESERVED CVE-2018-13045 (SQL injection vulnerability in the "Bazar" page in Yeswiki Cercopitheq ...) NOT-FOR-US: Yeswiki CVE-2018-13054 (An issue was discovered in Cinnamon 1.9.2 through 3.8.6. The cinnamon- ...) {DLA-1420-1} - cinnamon 3.8.8-1 (bug #903201) [stretch] - cinnamon (Minor issue) NOTE: https://github.com/linuxmint/Cinnamon/pull/7683 NOTE: https://github.com/linuxmint/Cinnamon/commit/66e54f43f179fdf041a3e5232178a9910963cfb5 (3.8.7) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1083067 CVE-2018-13049 (The constructSQL function in inc/search.class.php in GLPI 9.2.x throug ...) - glpi (unimportant) NOTE: https://github.com/glpi-project/glpi/issues/4270 NOTE: https://github.com/trasher/glpi/commit/5c58d4c57be7b1e0c1de925b97f22d4468291d41 NOTE: Only supported behind an authenticated HTTP zone CVE-2018-13044 RESERVED CVE-2018-13042 (The 1Password application 6.8 for Android is affected by a Denial Of S ...) NOT-FOR-US: 1Password CVE-2018-13041 (The mint function of a smart contract implementation for Link Platform ...) NOT-FOR-US: Link Platform CVE-2018-13040 (OpenSID 18.06-pasca has a CSRF vulnerability. This vulnerability can a ...) NOT-FOR-US: OpenSID CVE-2018-13039 (OpenSID 18.06-pasca has reflected Cross Site Scripting (XSS) via the c ...) NOT-FOR-US: OpenSID CVE-2018-13038 (OpenSID 18.06-pasca has an Unrestricted File Upload vulnerability via ...) NOT-FOR-US: OpenSID CVE-2018-13037 (An issue was discovered in jpeg-compressor 0.1. The bmp_load function ...) NOT-FOR-US: jpeg-compressor CVE-2018-13036 RESERVED CVE-2018-13035 RESERVED CVE-2018-13034 (Directory traversal in Jester web framework 0.2.0 allows remote attack ...) NOT-FOR-US: Jester web framework CVE-2018-13033 (The Binary File Descriptor (BFD) library (aka libbfd), as distributed ...) - binutils 2.30.90.20180627-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23361 NOTE: binutils not covered by security support CVE-2018-13032 (ECESSA ShieldLink SL175EHQ 10.7.4 devices have CSRF to add superuser a ...) NOT-FOR-US: ECESSA ShieldLink CVE-2018-13031 (DamiCMS v6.0.0 allows CSRF via admin.php?s=/Admin/doadd to add an admi ...) NOT-FOR-US: DamiCMS CVE-2018-13030 (An issue was discovered in jpeg-compressor 0.1. The build_huffman func ...) NOT-FOR-US: jpeg-compressor CVE-2018-13029 RESERVED CVE-2018-13028 RESERVED CVE-2018-13027 RESERVED CVE-2018-13026 (An issue was discovered in gpmf-parser 1.1.2. There is a heap-based bu ...) NOT-FOR-US: gpmf-parser CVE-2018-13025 (protected/apps/admin/controller/photoController.php in YXcms 1.4.7 all ...) NOT-FOR-US: YXcms CVE-2018-13024 (Metinfo v6.0.0 allows remote attackers to write code into a .php file, ...) NOT-FOR-US: Metinfo CVE-2018-13023 (System command injection vulnerability in wifi_access in Xiaomi Mi Rou ...) NOT-FOR-US: Xiaomi Mi Router CVE-2018-13022 (Cross-site scripting vulnerability in the API 404 page on Xiaomi Mi Ro ...) NOT-FOR-US: Xiaomi Mi Router CVE-2018-13021 (An issue was discovered in HongCMS 3.0.0. There is an Arbitrary Script ...) NOT-FOR-US: HongCMS CVE-2018-13020 RESERVED CVE-2018-13019 RESERVED CVE-2018-13018 RESERVED CVE-2018-13017 RESERVED CVE-2018-13016 RESERVED CVE-2018-13015 RESERVED CVE-2018-13014 (Storing password in recoverable format in safensec.com (SysWatch servi ...) NOT-FOR-US: SysWatch CVE-2018-13013 (Improper check of unusual conditions when launching msiexec.exe in saf ...) NOT-FOR-US: SysWatch CVE-2018-13012 (Download of code with improper integrity check in snsupd.exe and upd.e ...) NOT-FOR-US: SysWatch CVE-2018-13011 (An issue was discovered in gpmf-parser 1.1.2. There is a heap-based bu ...) NOT-FOR-US: gpmf-parser CVE-2018-13010 (WSTMall v1.9.1_170316 has CSRF via the index.php?m=Admin&c=Users&a ...) NOT-FOR-US: WSTMall CVE-2018-13009 (An issue was discovered in gpmf-parser 1.1.2. There is a heap-based bu ...) NOT-FOR-US: gpmf-parser CVE-2018-13008 (An issue was discovered in gpmf-parser 1.1.2. There is a heap-based bu ...) NOT-FOR-US: gpmf-parser CVE-2018-13007 (An issue was discovered in gpmf-parser 1.1.2. There is a heap-based bu ...) NOT-FOR-US: gpmf-parser CVE-2018-13006 (An issue was discovered in MP4Box in GPAC 0.7.1. There is a heap-based ...) {DLA-1432-1} - gpac 0.5.2-426-gc5ad4e4+dfsg5-4.1 (bug #902782) [stretch] - gpac 0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1 NOTE: https://github.com/gpac/gpac/commit/bceb03fd2be95097a7b409ea59914f332fb6bc86 CVE-2018-13005 (An issue was discovered in MP4Box in GPAC 0.7.1. The function urn_Read ...) {DLA-1432-1} - gpac 0.5.2-426-gc5ad4e4+dfsg5-4.1 (bug #902782) [stretch] - gpac 0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1 NOTE: https://github.com/gpac/gpac/issues/1088 NOTE: https://github.com/gpac/gpac/commit/bceb03fd2be95097a7b409ea59914f332fb6bc86 CVE-2018-13004 RESERVED CVE-2018-13003 (An issue was discovered in OpenTSDB 2.3.0. There is XSS in parameter ' ...) NOT-FOR-US: OpenTSDB CVE-2018-13002 (An XSS issue was discovered in Inhaltsprojekte in Weblication CMS Core ...) NOT-FOR-US: Weblication CMS CVE-2018-13001 (An XSS issue was discovered in Sandoba CP:Shop v2016.1. The vulnerabil ...) NOT-FOR-US: Sandoba CP:Shop CVE-2018-13000 (An XSS issue was discovered in Advanced Electron Forum (AEF) v1.0.9. A ...) NOT-FOR-US: Advanced Electron Forum CVE-2018-12999 (Incorrect Access Control in AgentTrayIconServlet in Zoho ManageEngine ...) NOT-FOR-US: Zoho CVE-2018-12998 (A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEng ...) NOT-FOR-US: Zoho CVE-2018-12997 (Incorrect Access Control in FailOverHelperServlet in Zoho ManageEngine ...) NOT-FOR-US: Zoho CVE-2018-12996 (A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEng ...) NOT-FOR-US: Zoho CVE-2018-12995 (onefilecms.php in OneFileCMS through 2012-04-14 might allow attackers ...) NOT-FOR-US: OneFileCMS CVE-2018-12994 (onefilecms.php in OneFileCMS through 2012-04-14 might allow attackers ...) NOT-FOR-US: OneFileCMS CVE-2018-12993 (onefilecms.php in OneFileCMS through 2012-04-14 might allow attackers ...) NOT-FOR-US: OneFileCMS CVE-2018-12992 (An issue was discovered CMS MaeloStore V.1.5.0. There is stored XSS in ...) NOT-FOR-US: CMS MaeloStore CVE-2018-12991 RESERVED CVE-2018-12990 (phpwcms 1.8.9 allows remote attackers to discover the installation pat ...) NOT-FOR-US: phpwcms CVE-2018-12989 (The report-viewing feature in Pearson VUE Certiport Console 8 and IQSy ...) NOT-FOR-US: Pearson VUE Certiport Console 8 and IQSystem 7 CVE-2018-12988 (GreenCMS 2.3.0603 has an arbitrary file download vulnerability via an ...) NOT-FOR-US: GreenCMS CVE-2018-12987 RESERVED CVE-2018-12986 RESERVED CVE-2018-12985 RESERVED CVE-2018-12984 (Hycus CMS 1.0.4 allows Authentication Bypass via "'=' 'OR'" credential ...) NOT-FOR-US: Hycus CMS CVE-2018-12983 (A stack-based buffer over-read in the PdfEncryptMD5Base::ComputeEncryp ...) - libpodofo (low; bug #916580) [buster] - libpodofo (Minor issue) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1595693 NOTE: https://sourceforge.net/p/podofo/tickets/23 CVE-2018-12982 (Invalid memory read in the PoDoFo::PdfVariant::DelayedLoad() function ...) - libpodofo 0.9.6+dfsg-4 (low; bug #916581) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1595689 NOTE: https://sourceforge.net/p/podofo/tickets/22 NOTE: https://sourceforge.net/p/podofo/code/1948 CVE-2018-12981 (An issue was discovered on WAGO e!DISPLAY 762-3000 through 762-3003 de ...) NOT-FOR-US: WAGO e!DISPLAY devices CVE-2018-12980 (An issue was discovered on WAGO e!DISPLAY 762-3000 through 762-3003 de ...) NOT-FOR-US: WAGO e!DISPLAY devices CVE-2018-12979 (An issue was discovered on WAGO e!DISPLAY 762-3000 through 762-3003 de ...) NOT-FOR-US: WAGO e!DISPLAY devices CVE-2018-12978 RESERVED CVE-2018-12977 (A SQL injection vulnerability in the SoftExpert (SE) Excellence Suite ...) NOT-FOR-US: SoftExpert (SE) Excellence Suite CVE-2018-12976 (In Go Doc Dot Org (gddo) through 2018-06-27, an attacker could use spe ...) NOT-FOR-US: Go Doc Dot Org CVE-2018-12975 (The random() function of the smart contract implementation for CryptoS ...) NOT-FOR-US: CryptoSaga CVE-2018-12974 RESERVED CVE-2018-12973 (An issue was discovered in OpenTSDB 2.3.0. There is XSS in parameter ' ...) NOT-FOR-US: OpenTSDB CVE-2018-12972 (An issue was discovered in OpenTSDB 2.3.0. Many parameters to the /q U ...) NOT-FOR-US: OpenTSDB CVE-2018-12971 (EasyCMS 1.3 has CSRF via the index.php?s=/admin/user/delAll URI to del ...) NOT-FOR-US: EasyCMS CVE-2018-12970 RESERVED CVE-2018-12969 RESERVED CVE-2018-12968 RESERVED CVE-2018-12967 RESERVED CVE-2018-12966 RESERVED CVE-2018-12965 RESERVED CVE-2018-12964 RESERVED CVE-2018-12963 RESERVED CVE-2018-12962 RESERVED CVE-2018-12961 RESERVED CVE-2018-12960 RESERVED CVE-2018-12959 (The approveAndCall function of a smart contract implementation for Adi ...) NOT-FOR-US: smart contract implementation for Aditus (ADI) CVE-2018-12958 RESERVED CVE-2018-12957 RESERVED CVE-2018-12956 RESERVED CVE-2018-12955 RESERVED CVE-2018-12954 RESERVED CVE-2018-12953 RESERVED CVE-2018-12952 RESERVED CVE-2018-12951 RESERVED CVE-2018-12950 RESERVED CVE-2018-12949 RESERVED CVE-2018-12948 RESERVED CVE-2018-12947 RESERVED CVE-2018-12946 RESERVED CVE-2018-12945 RESERVED CVE-2018-12944 (Persistent Cross-Site Scripting (XSS) vulnerability in the "Categories ...) NOT-FOR-US: SeedDMS CVE-2018-12943 (Cross-Site Scripting (XSS) vulnerability in every page that includes t ...) NOT-FOR-US: SeedDMS CVE-2018-12942 (SQL injection vulnerability in the "Users management" functionality in ...) NOT-FOR-US: SeedDMS CVE-2018-12941 (This vulnerability allows remote attackers to execute arbitrary code i ...) NOT-FOR-US: SeedDMS CVE-2018-12940 (Unrestricted file upload vulnerability in "op/op.UploadChunks.php" in ...) NOT-FOR-US: SeedDMS CVE-2018-12939 (A directory traversal flaw in SeedDMS (formerly LetoDMS and MyDMS) bef ...) NOT-FOR-US: SeedDMS CVE-2018-12937 RESERVED CVE-2018-12938 REJECTED CVE-2018-12936 RESERVED CVE-2018-12935 RESERVED CVE-2018-12934 (remember_Ktype in cplus-dem.c in GNU libiberty, as distributed in GNU ...) - binutils (unimportant) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85453 NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84950 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23059 NOTE: binutils not covered by security support CVE-2018-12933 (PlayEnhMetaFileRecord in enhmetafile.c in Wine 3.7 allows attackers to ...) - wine 4.0~rc1-1 (low) [stretch] - wine (Minor issue) [jessie] - wine (Minor issue) - wine-development 3.8-1 (low) [stretch] - wine-development (Minor issue) [jessie] - wine-development (Minor issue) NOTE: https://bugs.winehq.org/show_bug.cgi?id=45106 NOTE: https://bugs.winehq.org/attachment.cgi?id=61285 NOTE: https://source.winehq.org/git/wine.git/commit/8d2676fd14f130f9e8f06744743423168bf8d18d NOTE: https://source.winehq.org/git/wine.git/commit/b6da3547d8990c3c3affc3a5865aefd2a0946949 CVE-2018-12932 (PlayEnhMetaFileRecord in enhmetafile.c in Wine 3.7 allows attackers to ...) - wine 4.0~rc1-1 (low) [stretch] - wine (Minor issue) [jessie] - wine (Minor issue) - wine-development 3.8-1 (low) [stretch] - wine-development (Minor issue) [jessie] - wine-development (Minor issue) NOTE: https://bugs.winehq.org/show_bug.cgi?id=45105 NOTE: https://bugs.winehq.org/attachment.cgi?id=61284 NOTE: https://source.winehq.org/git/wine.git/commit/8d2676fd14f130f9e8f06744743423168bf8d18d NOTE: https://source.winehq.org/git/wine.git/commit/b6da3547d8990c3c3affc3a5865aefd2a0946949 CVE-2018-12931 (ntfs_attr_find in the ntfs.ko filesystem driver in the Linux kernel 4. ...) - linux 4.19.37-1 [jessie] - linux (ntfs is not supportable) CVE-2018-12930 (ntfs_end_buffer_async_read in the ntfs.ko filesystem driver in the Lin ...) - linux 4.19.37-1 [jessie] - linux (ntfs is not supportable) CVE-2018-12929 (ntfs_read_locked_inode in the ntfs.ko filesystem driver in the Linux k ...) - linux 4.19.37-1 [jessie] - linux (ntfs is not supportable) CVE-2018-12928 (In the Linux kernel 4.15.0, a NULL pointer dereference was discovered ...) - linux (low) [buster] - linux (Minor issue) [stretch] - linux (Minor issue) - linux-4.9 NOTE: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1763384 NOTE: https://marc.info/?l=linux-fsdevel&m=152407263325766&w=2 CVE-2018-12927 (Northern Electric & Power (NEP) inverter devices allow remote atta ...) NOT-FOR-US: Northern Electric CVE-2018-12926 (Pharos Controls devices allow remote attackers to obtain potentially s ...) NOT-FOR-US: Pharos Controls CVE-2018-12925 (Baseon Lantronix MSS devices do not require a password for TELNET acce ...) NOT-FOR-US: Baseon Lantronix CVE-2018-12924 (Sollae Serial-Ethernet-Module and Remote-I/O-Device-Server devices hav ...) NOT-FOR-US: Sollae CVE-2018-12923 (BWS Systems HA-Bridge devices allow remote attackers to obtain potenti ...) NOT-FOR-US: BWS Systems CVE-2018-12922 (Emerson Liebert IntelliSlot Web Card devices allow remote attackers to ...) NOT-FOR-US: Emerson Liebert CVE-2018-12921 (Electro Industries GaugeTech Nexus devices allow remote attackers to o ...) NOT-FOR-US: Electro Industries GaugeTech CVE-2018-12920 (Brickstream 2300 devices allow remote attackers to obtain potentially ...) NOT-FOR-US: Brickstream CVE-2018-12919 (In CraftedWeb through 2013-09-24, aasp_includes/pages/notice.php allow ...) NOT-FOR-US: CraftedWeb CVE-2018-12918 (In libpbc.a in PBC through 2017-03-02, there is a Segmentation fault i ...) NOT-FOR-US: PBC CVE-2018-12917 (In libpbc.a in PBC through 2017-03-02, there is a heap-based buffer ov ...) NOT-FOR-US: PBC CVE-2018-12916 (In libpbc.a in PBC through 2017-03-02, there is a Segmentation fault i ...) NOT-FOR-US: PBC CVE-2018-12915 (In libpbc.a in PBC through 2017-03-02, there is a buffer over-read in ...) NOT-FOR-US: PBC CVE-2018-12914 (A remote code execution issue was discovered in PublicCMS V4.0.2018021 ...) NOT-FOR-US: PublicCMS CVE-2018-12913 (In Miniz 2.0.7, tinfl_decompress in miniz_tinfl.c has an infinite loop ...) NOT-FOR-US: Miniz CVE-2018-12912 (An issue wan discovered in admin\controllers\database.php in HongCMS 3 ...) NOT-FOR-US: HongCMS CVE-2018-12911 (WebKitGTK+ 2.20.3 has an off-by-one error, with a resultant out-of-bou ...) - webkit2gtk 2.20.4-1 (unimportant) NOTE: https://trac.webkit.org/changeset/233404/webkit NOTE: Not covered by security support NOTE: https://webkitgtk.org/security/WSA-2018-0006.html CVE-2018-12910 (The get_cookies function in soup-cookie-jar.c in libsoup 2.63.2 allows ...) {DSA-4241-1 DLA-1416-1} - libsoup2.4 2.62.2-2 NOTE: https://gitlab.gnome.org/GNOME/libsoup/commit/db2b0d5809d5f8226d47312b40992cadbcde439f CVE-2018-12909 (** DISPUTED ** Webgrind 1.5 relies on user input to display a file, wh ...) NOT-FOR-US: Webgrind CVE-2018-12908 (Brynamics "Online Trade - Online trading and cryptocurrency investment ...) NOT-FOR-US: Brynamics CVE-2018-12907 (In Rclone 1.42, use of "rclone sync" to migrate data between two Googl ...) NOT-FOR-US: Rclone CVE-2018-12906 RESERVED CVE-2018-12905 (joyplus-cms 1.6.0 has XSS in admin_player.php, related to manager/inde ...) NOT-FOR-US: joyplus-cms CVE-2017-18342 (In PyYAML before 5.1, the yaml.load() API could execute arbitrary code ...) - pyyaml 5.1.2-1 (unimportant; bug #902878) NOTE: This is a well-known design deficiency in pyyaml, various CVE IDs have been assigned NOTE: to applications misusing the API over the years. The CVE ID was assigned to raise NOTE: awareness (and 5.1 now fixes the default behaviour as well) NOTE: https://github.com/yaml/pyyaml/pull/74 CVE-2018-12904 (In arch/x86/kvm/vmx.c in the Linux kernel before 4.17.2, when nested v ...) - linux 4.16.16-1 [stretch] - linux (Vulnerability introduced later) [jessie] - linux (Vulnerability introduced later) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1589 NOTE: https://git.kernel.org/linus/727ba748e110b4de50d142edca9d6a9b7e6111d8 CVE-2018-12903 (In CyberArk Endpoint Privilege Manager (formerly Viewfinity) 10.2.1.60 ...) NOT-FOR-US: CyberArk Endpoint Privilege Manager CVE-2018-12902 (In Easy Magazine through 2012-10-26, there is XSS in the search bar of ...) NOT-FOR-US: Easy Magazine CVE-2018-12901 (A vulnerability in the conferencing component of Mitel ST 14.2, versio ...) NOT-FOR-US: Mitel CVE-2018-12900 (Heap-based buffer overflow in the cpSeparateBufToContigBuf function in ...) {DSA-4670-1 DLA-2009-1} - tiff 4.0.10-4 (bug #902718) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2798 NOTE: https://gitlab.com/libtiff/libtiff/merge_requests/60 NOTE: https://gitlab.com/libtiff/libtiff/commit/27124e9148b2056d0e0bf4033b4924d5d2a38d01 CVE-2018-12899 RESERVED CVE-2018-12898 RESERVED CVE-2018-12897 (SolarWinds DameWare Mini Remote Control before 12.1 has a Buffer Overf ...) NOT-FOR-US: SolarWinds DameWare Mini Remote Control CVE-2018-12896 (An issue was discovered in the Linux kernel through 4.17.3. An Integer ...) {DLA-1731-1 DLA-1715-1} - linux 4.18.20-1 [stretch] - linux 4.9.144-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=200189 NOTE: https://github.com/lcytxw/bug_repro/tree/master/bug_200189 NOTE: https://github.com/torvalds/linux/commit/78c9c4dfbf8c04883941445a195276bb4bb92c76 CVE-2018-12895 (WordPress through 4.9.6 allows Author users to execute arbitrary code ...) {DSA-4250-1 DLA-1452-1} - wordpress 4.9.7+dfsg1-1 (bug #902876) NOTE: https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/ NOTE: https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd CVE-2018-12894 RESERVED CVE-2018-12893 (An issue was discovered in Xen through 4.10.x. One of the fixes in XSA ...) {DSA-4236-1 DLA-1577-1} - xen 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u9 NOTE: https://xenbits.xen.org/xsa/advisory-265.html CVE-2018-12892 (An issue was discovered in Xen 4.7 through 4.10.x. libxl fails to pass ...) {DSA-4236-1} - xen 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u9 [jessie] - xen (Issue introduced in 4.7) NOTE: https://xenbits.xen.org/xsa/advisory-266.html CVE-2018-12891 (An issue was discovered in Xen through 4.10.x. Certain PV MMU operatio ...) {DSA-4236-1 DLA-1577-1} - xen 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u9 NOTE: https://xenbits.xen.org/xsa/advisory-264.html CVE-2018-12890 RESERVED CVE-2018-12889 (An issue was discovered in CCN-lite 2.0.1. There is a heap-based buffe ...) NOT-FOR-US: CCN-lite CVE-2018-12888 RESERVED CVE-2018-12887 RESERVED CVE-2018-12886 (stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in fu ...) - gcc-snapshot - gcc-8 [buster] - gcc-8 (Too intrusive to backport) - gcc-7 [buster] - gcc-7 (Too intrusive to backport) - gcc-6 [stretch] - gcc-6 (Too intrusive to backport) - gcc-4.9 [jessie] - gcc-4.9 (Too intrusive to backport) - gcc-4.8 [jessie] - gcc-4.8 (Too intrusive to backport) NOTE: https://gcc.gnu.org/viewcvs/gcc/trunk/gcc/config/arm/arm-protos.h?revision=266379&view=markup CVE-2018-12885 (The randMod() function of the smart contract implementation for MyCryp ...) NOT-FOR-US: MyCryptoChamp CVE-2018-12884 (In Octopus Deploy 3.0 onwards (before 2018.6.7), an authenticated user ...) NOT-FOR-US: Octopus Deploy CVE-2018-1000205 (U-Boot contains a CWE-20: Improper Input Validation vulnerability in V ...) - u-boot (unimportant) NOTE: No security impact as supported/packaged in Debian CVE-2018-13043 (scripts/grep-excuses.pl in Debian devscripts through 2.18.3 allows cod ...) - devscripts 2.18.4 (low; bug #902409) [stretch] - devscripts (Vulnerable code introduced in 2.17.7) [jessie] - devscripts (Vulnerable code introduced in 2.17.7) CVE-2018-1000610 (A exposure of sensitive information vulnerability exists in Jenkins Co ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000609 (A exposure of sensitive information vulnerability exists in Jenkins Co ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000608 (A exposure of sensitive information vulnerability exists in Jenkins z/ ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000607 (A arbitrary file write vulnerability exists in Jenkins Fortify CloudSc ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000606 (A server-side request forgery vulnerability exists in Jenkins URLTrigg ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000605 (A man in the middle vulnerability exists in Jenkins CollabNet Plugin 2 ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000604 (A persisted cross-site scripting vulnerability exists in Jenkins Badge ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000603 (A exposure of sensitive information vulnerability exists in Jenkins Op ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000602 (A session fixation vulnerability exists in Jenkins SAML Plugin 1.0.6 a ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000601 (A arbitrary file read vulnerability exists in Jenkins SSH Credentials ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000600 (A exposure of sensitive information vulnerability exists in Jenkins Gi ...) NOT-FOR-US: Jenkins plugin CVE-2018-12883 RESERVED CVE-2018-12882 (exif_read_from_impl in ext/exif/exif.c in PHP 7.2.x through 7.2.7 allo ...) - php7.2 7.2.8-1 - php7.1 (Specific to 7.2.x) - php7.0 (Specific to 7.2.x) - php5 (Specific to 7.2.x) NOTE: PHP Bug: https://bugs.php.net/bug.php?id=76409 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=3fdde65617e9f954e2c964768aac8831005497e5 CVE-2018-12881 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12880 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12879 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12878 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12877 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12876 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12875 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12874 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12873 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12872 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12871 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12870 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12869 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12868 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12867 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12866 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12865 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12864 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12863 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12862 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12861 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12860 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12859 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12858 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12857 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12856 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12855 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12854 REJECTED CVE-2018-12853 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12852 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12851 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12850 (Adobe Acrobat and Reader versions 2018.011.20058 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12849 (Adobe Acrobat and Reader versions 2018.011.20058 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12848 (Adobe Acrobat and Reader versions 2018.011.20058 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12847 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12846 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12845 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12844 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12843 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12842 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12841 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12840 (Adobe Acrobat and Reader versions 2018.011.20058 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12839 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12838 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12837 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12836 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12835 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12834 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12833 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12832 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12831 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12830 (Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008 ...) NOT-FOR-US: Adobe CVE-2018-12829 (Adobe Creative Cloud Desktop Application before 4.6.1 has an improper ...) NOT-FOR-US: Adobe CVE-2018-12828 (Adobe Flash Player 30.0.0.134 and earlier have a "use of a component w ...) NOT-FOR-US: Adobe CVE-2018-12827 (Adobe Flash Player 30.0.0.134 and earlier have an out-of-bounds read v ...) NOT-FOR-US: Adobe CVE-2018-12826 (Adobe Flash Player 30.0.0.134 and earlier have an out-of-bounds read v ...) NOT-FOR-US: Adobe CVE-2018-12825 (Adobe Flash Player 30.0.0.134 and earlier have a security bypass vulne ...) NOT-FOR-US: Adobe CVE-2018-12824 (Adobe Flash Player 30.0.0.134 and earlier have an out-of-bounds read v ...) NOT-FOR-US: Adobe CVE-2018-12823 (Adobe Digital Editions versions 4.5.8 and below have a heap overflow v ...) NOT-FOR-US: Adobe CVE-2018-12822 (Adobe Digital Editions versions 4.5.8 and below have an use after free ...) NOT-FOR-US: Adobe CVE-2018-12821 (Adobe Digital Editions versions 4.5.8 and below have an out of bounds ...) NOT-FOR-US: Adobe CVE-2018-12820 (Adobe Digital Editions versions 4.5.8 and below have an out of bounds ...) NOT-FOR-US: Adobe CVE-2018-12819 (Adobe Digital Editions versions 4.5.8 and below have an out of bounds ...) NOT-FOR-US: Adobe CVE-2018-12818 (Adobe Digital Editions versions 4.5.8 and below have an out of bounds ...) NOT-FOR-US: Adobe CVE-2018-12817 (Adobe Digital Editions versions 4.5.9 and below have an out of bounds ...) NOT-FOR-US: Adobe CVE-2018-12816 (Adobe Digital Editions versions 4.5.8 and below have an out of bounds ...) NOT-FOR-US: Adobe CVE-2018-12815 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12814 (Adobe Digital Editions versions 4.5.8 and below have a heap overflow v ...) NOT-FOR-US: Adobe CVE-2018-12813 (Adobe Digital Editions versions 4.5.8 and below have a heap overflow v ...) NOT-FOR-US: Adobe CVE-2018-12812 (Adobe Acrobat and Reader 2018.011.20038 and earlier, 2017.011.30079 an ...) NOT-FOR-US: Adobe CVE-2018-12811 (Adobe Photoshop CC 2018 before 19.1.6 and Photoshop CC 2017 before 18. ...) NOT-FOR-US: Adobe CVE-2018-12810 (Adobe Photoshop CC 2018 before 19.1.6 and Photoshop CC 2017 before 18. ...) NOT-FOR-US: Adobe CVE-2018-12809 (Adobe Experience Manager versions 6.4 and earlier have a Server-Side R ...) NOT-FOR-US: Adobe CVE-2018-12808 (Adobe Acrobat and Reader versions 2018.011.20055 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12807 (Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have an ...) NOT-FOR-US: Adobe CVE-2018-12806 (Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a r ...) NOT-FOR-US: Adobe CVE-2018-12805 (Adobe Connect versions 9.7.5 and earlier have an Insecure Library Load ...) NOT-FOR-US: Adobe CVE-2018-12804 (Adobe Connect versions 9.7.5 and earlier have an Authentication Bypass ...) NOT-FOR-US: Adobe CVE-2018-12803 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12802 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12801 (Adobe Acrobat and Reader versions 2018.011.20058 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12800 REJECTED CVE-2018-12799 (Adobe Acrobat and Reader versions 2018.011.20055 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12798 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12797 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12796 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12795 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12794 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12793 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12792 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12791 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12790 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12789 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12788 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12787 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12786 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12785 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12784 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12783 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12782 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12781 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12780 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12779 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12778 (Adobe Acrobat and Reader versions 2018.011.20058 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12777 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12776 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12775 (Adobe Acrobat and Reader versions 2018.011.20058 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12774 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12773 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12772 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12771 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12770 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12769 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12768 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12767 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12766 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12765 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12764 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12763 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12762 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12761 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12760 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12759 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-12758 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12757 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12756 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12755 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12754 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-12753 RESERVED CVE-2018-12752 RESERVED CVE-2018-12751 RESERVED CVE-2018-12750 RESERVED CVE-2018-12749 RESERVED CVE-2018-12748 RESERVED CVE-2018-12747 RESERVED CVE-2018-12746 RESERVED CVE-2018-12745 RESERVED CVE-2018-12744 RESERVED CVE-2018-12743 RESERVED CVE-2018-12742 RESERVED CVE-2018-12741 RESERVED CVE-2018-12740 RESERVED CVE-2018-12739 (In BEESCMS 4.0, CSRF allows administrators to be added arbitrarily, a ...) NOT-FOR-US: BEESCMS CVE-2018-12738 RESERVED CVE-2018-12737 RESERVED CVE-2018-12736 RESERVED CVE-2018-12735 (SAJ Solar Inverter allows remote attackers to obtain potentially sensi ...) NOT-FOR-US: SAJ Solar Inverter CVE-2018-12734 RESERVED CVE-2018-12733 RESERVED CVE-2016-10725 (In Bitcoin Core before v0.13.0, a non-final alert is able to block the ...) - bitcoin 0.13.0-0.1 CVE-2018-12732 RESERVED CVE-2018-12731 RESERVED CVE-2018-12730 RESERVED CVE-2018-12729 RESERVED CVE-2018-12728 RESERVED CVE-2018-12727 RESERVED CVE-2018-12726 RESERVED CVE-2018-12725 RESERVED CVE-2018-12724 RESERVED CVE-2018-12723 RESERVED CVE-2018-12722 RESERVED CVE-2018-12721 RESERVED CVE-2018-12720 RESERVED CVE-2018-12719 RESERVED CVE-2018-12718 RESERVED CVE-2018-12717 RESERVED CVE-2018-12716 (The API service on Google Home and Chromecast devices before mid-July ...) NOT-FOR-US: Google services CVE-2018-12715 (DIGISOL DG-HR3400 devices have XSS via a modified SSID when the apssid ...) NOT-FOR-US: DIGISOL DG-HR3400 devices CVE-2018-12714 (An issue was discovered in the Linux kernel through 4.17.2. The filter ...) - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/70303420b5721c38998cf987e6b7d30cc62d4ff1 CVE-2018-12713 (GIMP through 2.10.2 makes g_get_tmp_dir calls to establish temporary f ...) - gimp (unimportant) NOTE: https://github.com/GNOME/gimp/commit/c21eff4b031acb04fb4dfce8bd5fdfecc2b6524f NOTE: https://gitlab.gnome.org/GNOME/gimp/issues/1689 NOTE: No security impact CVE-2018-12712 (An issue was discovered in Joomla! 2.5.0 through 3.8.8 before 3.8.9. T ...) NOT-FOR-US: Joomla! CVE-2018-12711 (An XSS issue was discovered in the language switcher module in Joomla! ...) NOT-FOR-US: Joomla! CVE-2018-12710 (An issue was discovered on D-Link DIR-601 2.02NA devices. Being local ...) NOT-FOR-US: D-Link DIR-601 2.02NA devices CVE-2016-10724 (Bitcoin Core before v0.13.0 allows denial of service (memory exhaustio ...) - bitcoin 0.13.0-0.1 CVE-2018-12709 RESERVED CVE-2018-12708 RESERVED CVE-2018-12707 RESERVED CVE-2018-12706 (DIGISOL DG-BR4000NG devices have a Buffer Overflow via a long Authoriz ...) NOT-FOR-US: DIGISOL CVE-2018-12705 (DIGISOL DG-BR4000NG devices have XSS via the SSID (it is validated onl ...) NOT-FOR-US: DIGISOL CVE-2018-12704 RESERVED CVE-2018-12703 (The approveAndCallcode function of a smart contract implementation for ...) NOT-FOR-US: Block 18 CVE-2018-12702 (The approveAndCallcode function of a smart contract implementation for ...) NOT-FOR-US: Globalvillage ecosystem CVE-2018-12701 RESERVED CVE-2018-12700 (A Stack Exhaustion issue was discovered in debug_write_type in debug.c ...) - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23057 NOTE: Fixed by: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=03e51746ed98d9106803f6009ebd71ea670ad3b9 NOTE: binutils not covered by security support CVE-2018-12699 (finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause ...) - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23057 NOTE: Fixed by: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=03e51746ed98d9106803f6009ebd71ea670ad3b9 NOTE: binutils not covered by security support CVE-2018-12698 (demangle_template in cplus-dem.c in GNU libiberty, as distributed in G ...) - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23057 NOTE: Fixed by: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=03e51746ed98d9106803f6009ebd71ea670ad3b9 NOTE: binutils not covered by security support CVE-2018-12697 (A NULL pointer dereference (aka SEGV on unknown address 0x000000000000 ...) - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23057 NOTE: Fixed by: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=03e51746ed98d9106803f6009ebd71ea670ad3b9 NOTE: binutils not covered by security support CVE-2018-12696 (mao10cms 6 allows XSS via the article page. ...) NOT-FOR-US: mao10cms CVE-2018-12695 (mao10cms 6 allows XSS via the m=bbs&a=index page. ...) NOT-FOR-US: mao10cms CVE-2018-12694 (TP-Link TL-WA850RE Wi-Fi Range Extender with hardware version 5 allows ...) NOT-FOR-US: TP-Link CVE-2018-12693 (Stack-based buffer overflow in TP-Link TL-WA850RE Wi-Fi Range Extender ...) NOT-FOR-US: TP-Link CVE-2018-12692 (TP-Link TL-WA850RE Wi-Fi Range Extender with hardware version 5 allows ...) NOT-FOR-US: TP-Link CVE-2018-12691 (Time-of-check to time-of-use (TOCTOU) race condition in org.onosprojec ...) NOT-FOR-US: ONOS CVE-2018-12690 RESERVED CVE-2018-12689 (phpLDAPadmin 1.2.2 allows LDAP injection via a crafted server_id param ...) - phpldapadmin (unimportant; bug #902186) NOTE: https://www.exploit-db.com/exploits/44926/ NOTE: Non-security issue as demostrated in https://bugs.debian.org/902186 NOTE: and disputed as security issue. Should be properly rejected by MITRE. CVE-2018-12688 (tinyexr 0.9.5 has a segmentation fault in the wav2Decode function. ...) NOT-FOR-US: tinyexr CVE-2018-12687 (tinyexr 0.9.5 has an assertion failure in DecodePixelData in tinyexr.h ...) NOT-FOR-US: tinyexr CVE-2018-12686 RESERVED CVE-2018-12685 RESERVED CVE-2018-12684 (Out-of-bounds Read in the send_ssi_file function in civetweb.c in Cive ...) NOT-FOR-US: CivetWeb CVE-2018-12683 RESERVED CVE-2018-12682 RESERVED CVE-2018-12681 RESERVED CVE-2018-12680 (The Serialize.deserialize() method in CoAPthon 3.1, 4.0.0, 4.0.1, and ...) NOT-FOR-US: CoAPthon CVE-2018-12679 (The Serialize.deserialize() method in CoAPthon3 1.0 and 1.0.1 mishandl ...) NOT-FOR-US: CoAPthon CVE-2018-12678 (Portainer before 1.18.0 supports unauthenticated requests to the webso ...) NOT-FOR-US: Portainer CVE-2018-12677 RESERVED CVE-2018-12676 RESERVED CVE-2018-12675 (The SV3C HD Camera (L-SERIES V2.3.4.2103-S50-NTD-B20170508B and V2.3.4 ...) NOT-FOR-US: SV3C CVE-2018-12674 (The SV3C HD Camera (L-SERIES V2.3.4.2103-S50-NTD-B20170508B and V2.3.4 ...) NOT-FOR-US: SV3C CVE-2018-12673 (An attacker with remote access to the SV3C HD Camera (L-SERIES V2.3.4. ...) NOT-FOR-US: SV3C CVE-2018-12672 (The SV3C HD Camera (L-SERIES V2.3.4.2103-S50-NTD-B20170508B) does not ...) NOT-FOR-US: SV3C CVE-2018-12671 (An attacker with remote access to the SV3C HD Camera (L-SERIES V2.3.4. ...) NOT-FOR-US: SV3C CVE-2018-12670 (SV3C L-SERIES HD CAMERA V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103 ...) NOT-FOR-US: SV3C CVE-2018-12669 (SV3C L-SERIES HD CAMERA V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103 ...) NOT-FOR-US: SV3C CVE-2018-12668 (SV3C L-SERIES HD CAMERA V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103 ...) NOT-FOR-US: SV3C CVE-2018-12667 (The SV3C HD Camera (L-SERIES V2.3.4.2103-S50-NTD-B20170508B and V2.3.4 ...) NOT-FOR-US: SV3C CVE-2018-12666 (SV3C L-SERIES HD CAMERA V2.3.4.2103-S50-NTD-B20170508B devices imprope ...) NOT-FOR-US: SV3C CVE-2018-12665 RESERVED CVE-2018-12664 RESERVED CVE-2018-12663 RESERVED CVE-2018-12662 RESERVED CVE-2018-12661 RESERVED CVE-2018-12660 RESERVED CVE-2018-12659 (SLiMS 8 Akasia 8.3.1 allows remote attackers to bypass the CSRF protec ...) NOT-FOR-US: SLiMS 8 Akasia CVE-2018-12658 (Reflected Cross-Site Scripting (XSS) exists in the Stock Take module i ...) NOT-FOR-US: SLiMS 8 Akasia CVE-2018-12657 (Reflected Cross-Site Scripting (XSS) exists in the Master File module ...) NOT-FOR-US: SLiMS 8 Akasia CVE-2018-12656 (Reflected Cross-Site Scripting (XSS) exists in the Membership module i ...) NOT-FOR-US: SLiMS 8 Akasia CVE-2018-12655 (Reflected Cross-Site Scripting (XSS) exists in the Circulation module ...) NOT-FOR-US: SLiMS 8 Akasia CVE-2018-12654 (Reflected Cross-Site Scripting (XSS) exists in the Bibliography module ...) NOT-FOR-US: SLiMS 8 Akasia CVE-2018-12653 (A Reflected Cross Site Scripting (XSS) vulnerability exists in Adrenal ...) NOT-FOR-US: Adrenalin HRMS Software CVE-2018-12652 (A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in ...) NOT-FOR-US: Adrenalin HRMS Software CVE-2018-12651 (A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in ...) NOT-FOR-US: Adrenalin HRMS CVE-2018-12650 (Adrenalin HRMS version 5.4.0 contains a Reflected Cross Site Scripting ...) NOT-FOR-US: Adrenalin HRMS CVE-2018-12649 (An issue was discovered in app/Controller/UsersController.php in MISP ...) NOT-FOR-US: MISP CVE-2018-12648 (The WEBP::GetLE32 function in XMPFiles/source/FormatSupport/WEBP_Suppo ...) [experimental] - exempi 2.5.0-1 - exempi 2.5.0-2 (low; bug #902175) [stretch] - exempi (Minor issue) [jessie] - exempi (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=106981 NOTE: https://gitlab.freedesktop.org/libopenraw/exempi/issues/9 NOTE: https://gitlab.freedesktop.org/libopenraw/exempi/commit/8ed2f034705fd2d032c81383eee8208fd4eee0ac CVE-2018-12647 RESERVED CVE-2018-12646 RESERVED CVE-2018-12645 RESERVED CVE-2018-12644 RESERVED CVE-2018-12643 RESERVED CVE-2018-12642 (Froxlor through 0.9.39.5 has Incorrect Access Control for tickets not ...) NOT-FOR-US: Floxlor CVE-2018-12641 (An issue was discovered in arm_pt in cplus-dem.c in GNU libiberty, as ...) NOTE: harmless crashes exposed by binutils, but underlying issue is in libiberty from GCC NOTE: https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763099 NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85452 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23058 NOTE: Fixed by: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=03e51746ed98d9106803f6009ebd71ea670ad3b9 NOTE: binutils not covered by security support CVE-2018-12640 (The webService binary on Insteon HD IP Camera White 2864-222 devices h ...) NOT-FOR-US: Insteon CVE-2018-12639 RESERVED CVE-2018-12638 (An issue was discovered in the Bose Soundtouch app 18.1.4 for iOS. The ...) NOT-FOR-US: Bose CVE-2018-1000559 (qutebrowser version introduced in v0.11.0 (1179ee7a937fb31414d77d9970b ...) - qutebrowser 1.3.3-1 NOTE: https://github.com/qutebrowser/qutebrowser/commit/4c9360237f186681b1e3f2a0f30c45161cf405c7 NOTE: https://github.com/qutebrowser/qutebrowser/commit/5a7869f2feaa346853d2a85413d6527c87ef0d9f NOTE: https://github.com/qutebrowser/qutebrowser/issues/4011 CVE-2018-1000558 (OCS Inventory NG ocsreports 2.4 and ocsreports 2.3.1 version 2.4 and 2 ...) - ocsinventory-server 2.4.1+dfsg-1 (unimportant) NOTE: Authentication is needed, only supported in trusted environments, see debtags CVE-2018-1000557 (OCS Inventory OCS Inventory NG version ocsreports 2.4 contains a Cross ...) - ocsinventory-server 2.4.1+dfsg-1 (unimportant) NOTE: Authentication is needed, only supported in trusted environments, see debtags CVE-2018-1000556 (WordPress version 4.8 + contains a Cross Site Scripting (XSS) vulnerab ...) NOT-FOR-US: WP Statistics plugin NOTE: The CVE description is misleading, this is about a plugin, not Wordpress itself CVE-2018-1000555 REJECTED CVE-2018-1000554 (Trovebox version <= 4.0.0-rc6 contains a Unsafe password reset toke ...) NOT-FOR-US: Trovebox CVE-2018-1000553 (Trovebox version <= 4.0.0-rc6 contains a Server-Side request forger ...) NOT-FOR-US: Trovebox CVE-2018-1000552 (Trovebox version <= 4.0.0-rc6 contains a SQL Injection vulnerabilit ...) NOT-FOR-US: Trovebox CVE-2018-1000551 (Trovebox version <= 4.0.0-rc6 contains a PHP Type juggling vulnerab ...) NOT-FOR-US: Trovebox CVE-2018-1000550 (The Sympa Community Sympa version prior to version 6.2.32 contains a D ...) {DSA-4285-1 DLA-1441-1} - sympa 6.2.32~dfsg-1 NOTE: https://sympa-community.github.io/security/2018-001.html CVE-2018-1000549 (Wekan version 1.04.0 contains a Email / Username Enumeration vulnerabi ...) NOT-FOR-US: Wekan CVE-2018-1000548 (Umlet version < 14.3 contains a XML External Entity (XXE) vulnerabi ...) NOT-FOR-US: Umlet CVE-2018-1000547 (coreBOS version 7.0 and earlier contains a Incorrect Access Control vu ...) NOT-FOR-US: CoreBOS CVE-2018-1000546 (Triplea version <= 1.9.0.0.10291 contains a XML External Entity (XX ...) - triplea (unimportant; bug #902719) NOTE: https://0dd.zone/2018/05/31/TripleA-XXE/ NOTE: https://github.com/triplea-game/triplea/issues/3442 NOTE: https://github.com/triplea-game/triplea/pull/4516 NOTE: Per https://github.com/triplea-game/triplea/issues/3442#issuecomment-451654646 no security impact CVE-2018-1000545 REJECTED CVE-2018-1000544 (rubyzip gem rubyzip version 1.2.1 and earlier contains a Directory Tra ...) {DLA-1467-1} - ruby-zip 1.2.2-1 (bug #902720) NOTE: https://github.com/rubyzip/rubyzip/issues/369 NOTE: Part of fixes: NOTE: https://github.com/rubyzip/rubyzip/commit/6e0d23178a39f1b9ee0debc4fffb6d90994c6955 NOTE: https://github.com/rubyzip/rubyzip/commit/8e78311d670ba70476fb46062c988849a82d1e02 NOTE: And further followup fixes: NOTE: https://github.com/rubyzip/rubyzip/pull/376 CVE-2018-1000543 (Akiee version 0.0.3 contains a XSS leading to code execution due to th ...) NOT-FOR-US: Akiee CVE-2018-1000542 (netbeans-mmd-plugin version <= 1.4.3 contains a XML External Entity ...) NOT-FOR-US: netbeans-mmd-plugin CVE-2018-1000541 REJECTED CVE-2018-1000540 (LoboEvolution version < 9b75694cedfa4825d4a2330abf2719d470c654cd co ...) NOT-FOR-US: LoboEvolution CVE-2018-1000539 (Nov json-jwt version >= 0.5.0 && < 1.9.4 contains a CWE- ...) {DSA-4283-1} - ruby-json-jwt 1.9.4-1 (bug #902721) NOTE: https://github.com/nov/json-jwt/pull/62 NOTE: https://github.com/nov/json-jwt/commit/3393f394f271c87bd42ec23c300727b4437d1638 CVE-2018-1000538 (Minio Inc. Minio S3 server version prior to RELEASE.2018-05-16T23-35-3 ...) NOT-FOR-US: Minion CVE-2018-1000537 (Marlin Firmware Marlin version 1.1.x and earlier contains a Buffer Ove ...) NOT-FOR-US: Marlin CVE-2018-1000536 (Medis version 0.6.1 and earlier contains a XSS vulnerability evolving ...) NOT-FOR-US: Media CVE-2018-1000535 (lms version <= LMS_011123 contains a Local File Disclosure vulnerab ...) NOT-FOR-US: lms CVE-2018-1000534 (Joplin version prior to 1.0.90 contains a XSS evolving into code execu ...) NOT-FOR-US: Joplin CVE-2018-1000533 (klaussilveira GitList version <= 0.6 contains a Passing incorrectly ...) NOT-FOR-US: klaussilveira GitList CVE-2018-1000532 (beep version 1.3 and up contains a External Control of File Name or Pa ...) - beep 1.4.3-1 (low; bug #902722) [stretch] - beep (Minor issue) [jessie] - beep (Minor issue) NOTE: https://github.com/johnath/beep/issues/11#issuecomment-379514298 CVE-2018-1000531 (inversoft prime-jwt version prior to commit abb0d479389a2509f939452a67 ...) NOT-FOR-US: prime-jwt CVE-2018-1000530 REJECTED CVE-2018-1000529 (Grails Fields plugin version 2.2.7 contains a Cross Site Scripting (XS ...) NOT-FOR-US: Grails Fields plugin CVE-2018-1000528 (GONICUS GOsa version before commit 56070d6289d47ba3f5918885954dcceb756 ...) {DSA-4239-1 DLA-1436-1} - gosa 2.7.4+reloaded3-5 (low; bug #902723) NOTE: https://github.com/gosa-project/gosa-core/commit/56070d6289d47ba3f5918885954dcceb75606001 NOTE: https://github.com/gosa-project/gosa-core/issues/14 CVE-2018-1000527 (Froxlor version <= 0.9.39.5 contains a PHP Object Injection vulnera ...) NOT-FOR-US: Froxlor CVE-2018-1000526 (Openpsa contains a XML Injection vulnerability in RSS file upload feat ...) NOT-FOR-US: openpsa CVE-2018-1000525 (openpsa contains a PHP Object Injection vulnerability in Form data pas ...) NOT-FOR-US: openpsa CVE-2018-1000524 (miniSphere version 5.2.9 and earlier contains a Integer Overflow vulne ...) NOT-FOR-US: miniSphere CVE-2018-1000523 (topydo contains a CWE-20: Improper Input Validation vulnerability in L ...) NOT-FOR-US: topydo CVE-2018-1000522 REJECTED CVE-2018-1000521 (BigTree-CMS contains a Cross Site Scripting (XSS) vulnerability in /us ...) NOT-FOR-US: BigTree-CMS CVE-2018-1000520 (ARM mbedTLS version 2.7.0 and earlier contains a Ciphersuite Allows In ...) - mbedtls (unimportant) - polarssl (unimportant) NOTE: https://github.com/ARMmbed/mbedtls/issues/1561 NOTE: No security impact CVE-2018-1000519 (aio-libs aiohttp-session contains a Session Fixation vulnerability in ...) NOT-FOR-US: aio-libs aiohttp-session CVE-2018-1000518 (aaugustin websockets version 4 contains a CWE-409: Improper Handling o ...) NOT-FOR-US: aaugustin websockets CVE-2018-1000517 (BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c ...) {DLA-1445-1} - busybox 1:1.27.2-3 (low; bug #902724) [stretch] - busybox (Minor issue; can be fixed via point release) NOTE: https://git.busybox.net/busybox/commit/?id=8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e CVE-2018-1000516 (The Galaxy Project Galaxy version v14.10 contains a CWE-79: Improper N ...) NOT-FOR-US: Galaxy Project Galaxy CVE-2018-1000515 (ventrian News-Articles version NewsArticles.00.09.11 contains a XML Ex ...) NOT-FOR-US: News-Articles CVE-2018-1000514 (LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request For ...) - limesurvey (bug #472802) CVE-2018-1000513 (LimeSurvey version 3.0.0-beta.3+17110 contains a Cross Site Scripting ...) - limesurvey (bug #472802) CVE-2018-1000512 (Tooltipy Tooltipy (tooltips for WP) version 5 contains a Cross Site Sc ...) NOT-FOR-US: Wordpress plugin CVE-2018-1000511 (WP ULike version 2.8.1, 3.1 contains a Incorrect Access Control vulner ...) NOT-FOR-US: Wordpress plugin CVE-2018-1000510 (WP Image Zoom version 1.23 contains a Incorrect Access Control vulnera ...) NOT-FOR-US: Wordpress plugin CVE-2018-1000509 (Redirection version 2.7.1 contains a Serialisation vulnerability possi ...) NOT-FOR-US: Redirection CVE-2018-1000508 (WP ULike version 2.8.1, 3.1 contains a Cross Site Scripting (XSS) vuln ...) NOT-FOR-US: Wordpress plugin CVE-2018-1000507 (WP User Groups version 2.0.0 contains a Cross ite Request Forgery (CSR ...) NOT-FOR-US: Wordpress plugin CVE-2018-1000506 (Metronet Tag Manager version 1.2.7 contains a Cross ite Request Forger ...) NOT-FOR-US: Metronet Tag Manager CVE-2018-1000505 (Tooltipy (tooltips for WP) version 5 contains a Cross ite Request Forg ...) NOT-FOR-US: Wordpress plugin CVE-2018-1000504 (Redirection version 2.7.3 contains a ACE via file inclusion vulnerabil ...) NOT-FOR-US: Redirection CVE-2018-1000503 (MyBB Group MyBB contains a Incorrect Access Control vulnerability in P ...) NOT-FOR-US: MyBB Group MyBB CVE-2018-1000502 (MyBB Group MyBB contains a File Inclusion vulnerability in Admin panel ...) NOT-FOR-US: MyBB Group MyBB CVE-2018-1000501 (Instant Update CMS contains a Password Reset Vulnerability vulnerabili ...) NOT-FOR-US: Instante Update CMS CVE-2018-1000500 (Busybox contains a Missing SSL certificate validation vulnerability in ...) - busybox (unimportant) NOTE: Intentional design decision: NOTE: https://git.busybox.net/busybox/tree/networking/wget.c?id=8bc418f07eab79a9c8d26594629799f6157a9466#n74 NOTE: https://git.busybox.net/busybox/commit/networking/wget.c?id=0972c7f7a570c38edb68e1c60a45614b7a7c7d55 NOTE: Starting with 1:1.27.2-3 in unstable wget emmits a message that certificate NOTE: verification is not implemented. CVE-2018-1000404 (Jenkins project Jenkins AWS CodeBuild Plugin version 0.26 and earlier ...) NOT-FOR-US: Jenkins plugin CVE-2018-12637 RESERVED CVE-2018-12636 (The iThemes Security (better-wp-security) plugin before 7.0.3 for Word ...) NOT-FOR-US: Wordpress plugin CVE-2018-12635 (CirCarLife Scada v4.2.4 allows unauthorized upgrades via requests to t ...) NOT-FOR-US: CirCarLife Scada CVE-2018-12634 (CirCarLife Scada before 4.3 allows remote attackers to obtain sensitiv ...) NOT-FOR-US: CirCarLife Scada CVE-2018-12633 (An issue was discovered in the Linux kernel through 4.17.2. vbg_misc_d ...) - linux 4.17.3-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/bd23a7269834dc7c1f93e83535d16ebc44b75eba (4.18-rc1) NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=200131 CVE-2018-12632 (Redatam7 (formerly Redatam WebServer) allows remote attackers to disco ...) NOT-FOR-US: Redatam7 CVE-2018-12631 (Redatam7 (formerly Redatam WebServer) allows remote attackers to read ...) NOT-FOR-US: Redatam7 CVE-2018-12630 (NEWMARK (aka New Mark) NMCMS 2.1 allows SQL Injection via the sect_id ...) NOT-FOR-US: NEWMARK (aka New Mark) NMCMS 2.1 CVE-2018-12629 RESERVED CVE-2018-12628 (An issue was discovered in Eventum 3.5.0. CSRF in htdocs/manage/users. ...) NOT-FOR-US: Eventum CVE-2018-12627 (An issue was discovered in Eventum 3.5.0. /htdocs/list.php has XSS via ...) NOT-FOR-US: Eventum CVE-2018-12626 (An issue was discovered in Eventum 3.5.0. /htdocs/popup.php has XSS vi ...) NOT-FOR-US: Eventum CVE-2018-12625 (An issue was discovered in Eventum 3.5.0. /htdocs/validate.php has XSS ...) NOT-FOR-US: Eventum CVE-2018-12624 (An issue was discovered in Eventum 3.5.0. /htdocs/post_note.php has XS ...) NOT-FOR-US: Eventum CVE-2018-12623 (An issue was discovered in Eventum 3.5.0. htdocs/switch.php has XSS vi ...) NOT-FOR-US: Eventum CVE-2018-12622 (An issue was discovered in Eventum 3.5.0. htdocs/ajax/update.php has X ...) NOT-FOR-US: Eventum CVE-2018-12621 (An issue was discovered in Eventum 3.5.0. /htdocs/switch.php has an Op ...) NOT-FOR-US: Eventum CVE-2018-12620 RESERVED CVE-2018-12619 RESERVED CVE-2018-12618 RESERVED CVE-2018-12617 (qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c i ...) {DSA-4454-1 DLA-1694-1} - qemu 1:3.1+dfsg-1 (low; bug #902725) NOTE: https://gist.github.com/fakhrizulkifli/c7740d28efa07dafee66d4da5d857ef6 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg03385.html NOTE: Fixed by: https://git.qemu.org/?p=qemu.git;a=commit;h=141b197408ab398c4f474ac1a728ab316e921f2b CVE-2018-12616 RESERVED CVE-2018-12615 (An issue was discovered in switchGroup() in agent/ExecHelper/ExecHelpe ...) - passenger (Vulnerable code not present) - ruby-passenger (Vulnerable code not present) NOTE: https://github.com/phusion/passenger/commit/4e97fdb86d0a0141ec9a052c6e691fcd07bb45c8 CVE-2018-12614 RESERVED CVE-2018-12613 (An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an ...) - phpmyadmin (Affects 4.8.x) NOTE: https://www.phpmyadmin.net/security/PMASA-2018-4/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/7662d02939fb3cf6f0d9ec32ac664401dcfe7490 CVE-2018-12612 RESERVED CVE-2018-12611 (OX App Suite 7.8.4 and earlier allows Directory Traversal. ...) NOT-FOR-US: OX App Suite CVE-2018-12610 (OX App Suite 7.8.4 and earlier allows Information Exposure. ...) NOT-FOR-US: OX App Suite CVE-2018-12609 (OX App Suite 7.8.4 and earlier allows Server-Side Request Forgery. ...) NOT-FOR-US: OX App Suite CVE-2018-12608 (An issue was discovered in Docker Moby before 17.06.0. The Docker engi ...) - docker.io 18.03.1+dfsg1-2 NOTE: https://github.com/moby/moby/pull/33182 CVE-2018-1000403 (Jenkins project Jenkins AWS CodeDeploy Plugin version 1.19 and earlier ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000402 (Jenkins project Jenkins AWS CodeDeploy Plugin version 1.19 and earlier ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000401 (Jenkins project Jenkins AWS CodePipeline Plugin version 0.36 and earli ...) NOT-FOR-US: Jenkins plugin CVE-2018-12607 (An issue was discovered in GitLab Community Edition and Enterprise Edi ...) - gitlab 10.7.7+dfsg-2 (bug #902726) [stretch] - gitlab (Only affects >= 10.5) NOTE: https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released/ CVE-2018-XXXX [gitlab: Activity feed publicly displaying internal project names] - gitlab 10.7.7+dfsg-2 (bug #902726) [stretch] - gitlab (Only affects >= 10.7) NOTE: https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released/ CVE-2018-XXXX [gitlab: Content injection via username] - gitlab 10.7.7+dfsg-2 (bug #902726) NOTE: https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released/ CVE-2018-12606 (An issue was discovered in GitLab Community Edition and Enterprise Edi ...) - gitlab 10.7.7+dfsg-2 (bug #902726) NOTE: https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released/ CVE-2018-12605 (An issue was discovered in GitLab Community Edition and Enterprise Edi ...) - gitlab 10.7.7+dfsg-2 (bug #902726) [stretch] - gitlab (Only affects 10.7) NOTE: https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released/ CVE-2018-12604 (GreenCMS 2.3.0603 allows remote attackers to obtain sensitive informat ...) NOT-FOR-US: GreenCMS CVE-2018-12603 (Cross-site request forgery (CSRF) vulnerability in admin.php in LFCMS ...) NOT-FOR-US: LFCMS CVE-2018-12602 (A CSRF vulnerability exists in LFCMS 3.7.0: users can be added arbitra ...) NOT-FOR-US: LFCMS CVE-2018-12601 (There is a heap-based buffer overflow in ReadImage in input-tga.ci in ...) {DLA-1463-1} - sam2p NOTE: https://github.com/pts/sam2p/issues/41 NOTE: https://github.com/pts/sam2p/commit/8b2b7151991e07ef262857c2325e95c3b2867f80 CVE-2018-12600 (In ImageMagick 7.0.8-3 Q16, ReadDIBImage and WriteDIBImage in coders/d ...) {DSA-4245-1 DLA-1394-1} [experimental] - imagemagick 8:6.9.10.2+dfsg-1 - imagemagick 8:6.9.10.2+dfsg-2 (bug #902728) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1178 NOTE: https://github.com/ImageMagick/ImageMagick/commit/921f208c2ea3cc45847f380257f270ff424adfff NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/ae71c12bbaa34d942e036824ff389c22b7dacade CVE-2018-12599 (In ImageMagick 7.0.8-3 Q16, ReadBMPImage and WriteBMPImage in coders/b ...) {DSA-4245-1 DLA-1394-1} [experimental] - imagemagick 8:6.9.10.2+dfsg-1 - imagemagick 8:6.9.10.2+dfsg-2 (bug #902727) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1177 NOTE: https://github.com/ImageMagick/ImageMagick/commit/ae04fa4be910255e5d363edebd77adeee99a525d NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/081f518eb9cb38e683b8b9ccb9e4ab5c52f82c2f CVE-2018-12598 RESERVED CVE-2018-12597 RESERVED CVE-2018-12596 (Episerver Ektron CMS before 9.0 SP3 Site CU 31, 9.1 before SP3 Site CU ...) NOT-FOR-US: Episerver Ektron CMS CVE-2018-12595 RESERVED CVE-2018-12594 (Reliable Controls MACH-ProWebCom 7.80 devices allow remote attackers t ...) NOT-FOR-US: Reliable Controls MACH-ProWebCom devices CVE-2018-12593 RESERVED CVE-2018-12592 (Polycom RealPresence Web Suite before 2.2.0 does not block a user's vi ...) NOT-FOR-US: Polycom RealPresence Web Suite CVE-2018-12591 (Ubiquiti Networks EdgeSwitch version 1.7.3 and prior suffer from an im ...) NOT-FOR-US: Ubiquiti Networks EdgeSwitch CVE-2018-12590 (Ubiquiti Networks EdgeSwitch version 1.7.3 and prior suffer from an ex ...) NOT-FOR-US: Ubiquiti Networks EdgeSwitch CVE-2018-12589 (Polaris Office 2017 8.1 allows attackers to execute arbitrary code via ...) NOT-FOR-US: Polaris Office CVE-2018-12588 (Cross-site scripting (XSS) vulnerability in templates/frontend/pages/s ...) NOT-FOR-US: Public Knowledge Project (PKP) Open Monograph Press (OMP) CVE-2018-12587 (A cross-site scripting (XSS) vulnerability was found in valeuraddons G ...) NOT-FOR-US: valeuraddons German Spelling Dictionary CVE-2018-12586 RESERVED CVE-2018-12585 (An XXE vulnerability in the OPC UA Java and .NET Legacy Stack can allo ...) NOT-FOR-US: OPC UA Java and .NET Legacy Stack CVE-2018-12584 (The ConnectionBase::preparseNewBytes function in resip/stack/Connectio ...) {DLA-1439-1} - resiprocate (bug #905495) [stretch] - resiprocate (Minor issue) NOTE: http://joachimdezutter.webredirect.org/advisory.html NOTE: https://github.com/resiprocate/resiprocate/commit/2cb291191c93c7c4e371e22cb89805a5b31d6608 CVE-2018-12583 (An issue was discovered in AKCMS 6.1. CSRF can delete an article via a ...) NOT-FOR-US: AKCMS CVE-2018-12582 (An issue was discovered in AKCMS 6.1. CSRF can add an admin account vi ...) NOT-FOR-US: AKCMS CVE-2018-12581 (An issue was discovered in js/designer/move.js in phpMyAdmin before 4. ...) - phpmyadmin 4:4.9.1+dfsg1-2 (low) [stretch] - phpmyadmin (Vulnerable code not present) [jessie] - phpmyadmin (vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2018-3/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/6943fff87324bd54c3a37a5160a5fb77498c355e CVE-2018-12580 (library/DBTech/Security/Action/Sessions.php in DragonByte vBSecurity 3 ...) NOT-FOR-US: DragonByte vBSecurity for vBulletin CVE-2018-12579 (An issue was discovered in OXID eShop Enterprise Edition before 5.3.8, ...) NOT-FOR-US: OXID eShop CVE-2018-12578 (There is a heap-based buffer overflow in bmp_compress1_row in appliers ...) {DLA-1463-1} - sam2p NOTE: https://github.com/pts/sam2p/issues/39 NOTE: https://github.com/pts/sam2p/commit/22e7a17e70e5f5eedf466b0b1855c8c954061a51 CVE-2018-12577 (The Ping and Traceroute features on TP-Link TL-WR841N v13 00000001 0.9 ...) NOT-FOR-US: TP-Link CVE-2018-12576 (TP-Link TL-WR841N v13 00000001 0.9.1 4.16 v0001.0 Build 180119 Rel.652 ...) NOT-FOR-US: TP-Link CVE-2018-12575 (On TP-Link TL-WR841N v13 00000001 0.9.1 4.16 v0001.0 Build 171019 Rel. ...) NOT-FOR-US: TP-Link CVE-2018-12574 (CSRF exists for all actions in the web interface on TP-Link TL-WR841N ...) NOT-FOR-US: TP-Link CVE-2018-12573 RESERVED CVE-2018-12572 (Avast Free Antivirus prior to 19.1.2360 stores user credentials in mem ...) NOT-FOR-US: Avast CVE-2018-12571 (uniquesig0/InternalSite/InitParams.aspx in Microsoft Forefront Unified ...) NOT-FOR-US: Microsoft CVE-2018-12570 RESERVED CVE-2018-12569 RESERVED CVE-2018-12568 RESERVED CVE-2018-12567 RESERVED CVE-2018-12566 RESERVED CVE-2018-12565 (An issue was discovered in Linaro LAVA before 2018.5.post1. Because of ...) {DSA-4234-1} - lava 2018.5.post1-1 - lava-server [jessie] - lava-server (vulnerable code not present) NOTE: https://git.linaro.org/lava/lava.git/commit/?id=583666c84ea2f12797a3eb71392bcb05782f5b14 CVE-2018-12564 (An issue was discovered in Linaro LAVA before 2018.5.post1. Because of ...) {DSA-4234-1 DLA-1404-1} - lava 2018.5.post1-1 - lava-server NOTE: https://git.linaro.org/lava/lava.git/commit/?id=95a9a77b144ced24d7425d6544ab03ca7f6c75d3 CVE-2018-12563 (An issue was discovered in Linaro LAVA before 2018.5.post1. Because of ...) - lava 2018.5.post1-1 - lava-server [stretch] - lava-server (Vulnerable code introduced in 2017.6) [jessie] - lava-server (vulnerable code not present) NOTE: https://git.linaro.org/lava/lava.git/commit/?id=e24ec39599bc07562ad8bc2a581144b8448cb214 CVE-2018-12562 (An issue was discovered in the cantata-mounter D-Bus service in Cantat ...) - cantata 2.3.0.ds1-2 (bug #901798; unimportant) NOTE: http://www.openwall.com/lists/oss-security/2018/06/18/1 NOTE: The daemon code is part of cantata since version 2.0.0 and it is built NOTE: by default in versions 2.3.0 and 2.3.1. Before 2.3.0 it was only built NOTE: if `-DENABLE_REMOTE_DEVICES=ON` was passed to the cmake invocation. NOTE: 2.3.0.ds1-2 disables the cantata-mounter. NOTE: https://github.com/CDrummond/cantata/commit/afc4f8315d3e96574925fb530a7004cc9e6ce3d3 CVE-2018-12561 (An issue was discovered in the cantata-mounter D-Bus service in Cantat ...) - cantata 2.3.0.ds1-2 (bug #901798; unimportant) NOTE: http://www.openwall.com/lists/oss-security/2018/06/18/1 NOTE: The daemon code is part of cantata since version 2.0.0 and it is built NOTE: by default in versions 2.3.0 and 2.3.1. Before 2.3.0 it was only built NOTE: if `-DENABLE_REMOTE_DEVICES=ON` was passed to the cmake invocation. NOTE: 2.3.0.ds1-2 disables the cantata-mounter. NOTE: https://github.com/CDrummond/cantata/commit/afc4f8315d3e96574925fb530a7004cc9e6ce3d3 CVE-2018-12560 (An issue was discovered in the cantata-mounter D-Bus service in Cantat ...) - cantata 2.3.0.ds1-2 (bug #901798; unimportant) NOTE: http://www.openwall.com/lists/oss-security/2018/06/18/1 NOTE: The daemon code is part of cantata since version 2.0.0 and it is built NOTE: by default in versions 2.3.0 and 2.3.1. Before 2.3.0 it was only built NOTE: if `-DENABLE_REMOTE_DEVICES=ON` was passed to the cmake invocation. NOTE: 2.3.0.ds1-2 disables the cantata-mounter. CVE-2018-12559 (An issue was discovered in the cantata-mounter D-Bus service in Cantat ...) - cantata 2.3.0.ds1-2 (bug #901798; unimportant) NOTE: http://www.openwall.com/lists/oss-security/2018/06/18/1 NOTE: The daemon code is part of cantata since version 2.0.0 and it is built NOTE: by default in versions 2.3.0 and 2.3.1. Before 2.3.0 it was only built NOTE: if `-DENABLE_REMOTE_DEVICES=ON` was passed to the cmake invocation. NOTE: 2.3.0.ds1-2 disables the cantata-mounter. NOTE: https://github.com/CDrummond/cantata/commit/afc4f8315d3e96574925fb530a7004cc9e6ce3d3 CVE-2018-12558 (The parse() method in the Email::Address module through 1.909 for Perl ...) - libemail-address-perl 1.912-1 (unimportant; bug #901873) [stretch] - libemail-address-perl 1.908-1+deb9u1 NOTE: Possibility of DoS vs. usability issue for Email::Address NOTE: https://github.com/Perl-Email-Project/Email-Address/issues/19 NOTE: Mitigation: https://github.com/Perl-Email-Project/Email-Address/commit/aeaf0d7f1b0897b54cb246b8ac15d3ef177e5cae CVE-2018-12557 (An issue was discovered in Zuul 3.x before 3.1.0. If nodes become offl ...) - zuul (bug #705844) CVE-2018-12556 (The signature verification routine in install.sh in yarnpkg/website th ...) NOT-FOR-US: yarnpkg CVE-2018-12555 REJECTED CVE-2018-12554 REJECTED CVE-2018-12553 REJECTED CVE-2018-12552 REJECTED CVE-2018-12551 (When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured ...) {DSA-4388-1 DLA-1972-1} - mosquitto 1.5.6-1 (bug #921976) NOTE: https://mosquitto.org/blog/2019/02/version-1-5-6-released/ NOTE: https://mosquitto.org/files/cve/2018-12551 CVE-2018-12550 (When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured ...) {DSA-4388-1 DLA-1972-1} - mosquitto 1.5.6-1 (bug #921976) NOTE: https://mosquitto.org/blog/2019/02/version-1-5-6-released/ NOTE: https://mosquitto.org/files/cve/2018-12550 CVE-2018-12549 (In Eclipse OpenJ9 version 0.11.0, the OpenJ9 JIT compiler may incorrec ...) NOT-FOR-US: OpenJDK + Eclipse OpenJ9 CVE-2018-12548 (In OpenJDK + Eclipse OpenJ9 version 0.11.0 builds, the public jdk.cryp ...) NOT-FOR-US: OpenJDK + Eclipse OpenJ9 CVE-2018-12547 (In Eclipse OpenJ9, prior to the 0.12.0 release, the jio_snprintf() and ...) NOT-FOR-US: OpenJDK + Eclipse OpenJ9 CVE-2018-12546 (In Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) when a client pu ...) {DSA-4388-1} - mosquitto 1.5.6-1 (bug #921976) [jessie] - mosquitto (Minor issue) NOTE: https://mosquitto.org/blog/2019/02/version-1-5-6-released/ NOTE: https://mosquitto.org/files/cve/2018-12546 CVE-2018-12545 (In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to ...) - jetty9 (Vulnerable code never present in Debian released version) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=538096 NOTE: Issue is not present in 9.2.x as there is no HTTP/2 support. Fixed upstream NOTE: in 9.4.12. Debian package moved directly to 9.4.14-1 containing the fix and NOTE: thus never including in unstable a vulnerable version. NOTE: Cf. https://bugs.eclipse.org/bugs/show_bug.cgi?id=538096#c7 CVE-2018-12544 (In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML ...) NOT-FOR-US: Eclipse Vert.x CVE-2018-12543 (In Eclipse Mosquitto versions 1.5 to 1.5.2 inclusive, if a message is ...) - mosquitto (Vulnerable code introduced in 1.5) NOTE: http://mosquitto.org/blog/2018/09/security-advisory-cve-2018-12543/ NOTE: https://mosquitto.org/files/cve/2018-12543/ CVE-2018-12542 (In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the StaticHandler us ...) NOT-FOR-US: Eclipse Vert.x CVE-2018-12541 (In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the WebSocket HTTP u ...) NOT-FOR-US: Eclipse Vert.x CVE-2018-12540 (In version from 3.0.0 to 3.5.2 of Eclipse Vert.x, the CSRFHandler do n ...) NOT-FOR-US: Eclipse Vertx CVE-2018-12539 (In Eclipse OpenJ9 version 0.8, users other than the process owner may ...) NOT-FOR-US: Eclipse OpenJ9 CVE-2018-12538 (In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional ...) - jetty9 (Only affects 9.4.x) - jetty8 (Only affects 9.4.x) - jetty (Only affects 9.4.x) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=536018 CVE-2018-12537 (In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response header ...) NOT-FOR-US: Eclipse Vertx CVE-2018-12536 (In Eclipse Jetty Server, all 9.x versions, on webapps deployed using d ...) - jetty9 9.2.25-1 (low; bug #902774) [stretch] - jetty9 (Harmless information leak) - jetty8 [jessie] - jetty8 (Harmless information leak) - jetty [jessie] - jetty (Harmless information leak) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535670 CVE-2018-12535 RESERVED CVE-2018-12534 (A SQL injection issue was discovered in the Quick Chat plugin before 4 ...) NOT-FOR-US: Quick Chat plugin for WordPress CVE-2018-12533 (JBoss RichFaces 3.1.0 through 3.3.4 allows unauthenticated remote atta ...) NOT-FOR-US: RichFaces CVE-2018-12532 (JBoss RichFaces 4.5.3 through 4.5.17 allows unauthenticated remote att ...) NOT-FOR-US: RichFaces CVE-2018-12531 (An issue was discovered in MetInfo 6.0.0. install\index.php allows rem ...) NOT-FOR-US: MetInfo CVE-2018-12530 (An issue was discovered in MetInfo 6.0.0. admin/app/batch/csvup.php al ...) NOT-FOR-US: MetInfo CVE-2018-12529 (An issue was discovered on Intex N150 devices. The router firmware suf ...) NOT-FOR-US: Intex CVE-2018-12528 (An issue was discovered on Intex N150 devices. The backup/restore opti ...) NOT-FOR-US: Intex CVE-2018-12527 RESERVED CVE-2018-12526 (Telesquare SDT-CS3B1 and SDT-CW3B1 devices through 1.2.0 have a defaul ...) NOT-FOR-US: Telesquare CVE-2018-12525 (An issue was discovered in perfSONAR Monitoring and Debugging Dashboar ...) NOT-FOR-US: perfSONAR Monitoring and Debugging Dashboard (MaDDash) CVE-2018-12524 (An issue was discovered in perfSONAR Monitoring and Debugging Dashboar ...) NOT-FOR-US: perfSONAR Monitoring and Debugging Dashboard (MaDDash) CVE-2018-12523 (An issue was discovered in perfSONAR Monitoring and Debugging Dashboar ...) NOT-FOR-US: perfSONAR Monitoring and Debugging Dashboard (MaDDash) CVE-2018-12522 (An issue was discovered in perfSONAR Monitoring and Debugging Dashboar ...) NOT-FOR-US: perfSONAR Monitoring and Debugging Dashboard (MaDDash) CVE-2018-12521 RESERVED CVE-2018-12520 (An issue was discovered in ntopng 3.4 before 3.4.180617. The PRNG invo ...) - ntopng 3.8+dfsg1-1 (bug #903154) [stretch] - ntopng (Minor issue) [jessie] - ntopng (Minor issue) NOTE: http://seclists.org/fulldisclosure/2018/Jul/14 NOTE: https://gist.github.com/Psychotropos/3e8c047cada9b1fb716e6a014a428b7f NOTE: https://github.com/ntop/ntopng/commit/30610bda60cbfc058f90a1c0a17d0e8f4516221a CVE-2018-12519 (An issue was discovered in ShopNx through 2017-11-17. The vulnerabilit ...) NOT-FOR-US: ShopNx CVE-2018-12518 RESERVED CVE-2018-12517 RESERVED CVE-2018-12516 RESERVED CVE-2018-12515 RESERVED CVE-2018-12514 RESERVED CVE-2018-12513 RESERVED CVE-2018-12512 RESERVED CVE-2018-12511 (In the mintToken function of a smart contract implementation for Subst ...) NOT-FOR-US: Substratum CVE-2018-12510 RESERVED CVE-2018-12509 RESERVED CVE-2018-12508 RESERVED CVE-2018-12507 RESERVED CVE-2018-12506 RESERVED CVE-2018-12505 RESERVED CVE-2018-12504 (tinyexr 0.9.5 has an assertion failure in ComputeChannelLayout in tiny ...) NOT-FOR-US: tinyexr CVE-2018-12503 (tinyexr 0.9.5 has a heap-based buffer over-read in LoadEXRImageFromMem ...) NOT-FOR-US: tinyexr CVE-2018-12502 RESERVED CVE-2018-12501 (Nagios Fusion before 4.1.4 has XSS, aka TPS#13332-13335. ...) NOT-FOR-US: Nagios Fusion CVE-2018-12500 RESERVED CVE-2018-12499 (The Motorola MBP853 firmware does not correctly validate server certif ...) NOT-FOR-US: Motoral CVE-2018-12498 (spider.admincp.php in iCMS v7.0.8 has SQL Injection via the id paramet ...) NOT-FOR-US: iCMS CVE-2018-12497 RESERVED CVE-2018-12496 RESERVED CVE-2018-12495 (The quoteblock function in markdown.c in libmarkdown.a in DISCOUNT 2.2 ...) {DSA-4293-1 DLA-1499-1} - discount 2.2.4-1 (bug #901912) NOTE: https://github.com/Orc/discount/issues/189#issuecomment-397541501 NOTE: Fixed by https://github.com/Orc/discount/commit/b002a5a4db31e42dfb45451c059bc56941c17974 CVE-2018-12494 (An issue was discovered in PublicCMS V4.0.20180210. There is a "Direct ...) NOT-FOR-US: PublicCMS CVE-2018-12493 (An issue was discovered in PublicCMS V4.0.20180210. There is a "Direct ...) NOT-FOR-US: PublicCMS CVE-2018-12492 (PHPOK 4.9.032 has an arbitrary file deletion vulnerability in the delf ...) NOT-FOR-US: PHPOK CVE-2018-12491 (PHPOK 4.9.032 has an arbitrary file upload vulnerability in the import ...) NOT-FOR-US: PHPOK CVE-2018-12490 RESERVED CVE-2018-12489 RESERVED CVE-2018-12488 RESERVED CVE-2018-12487 RESERVED CVE-2018-12486 RESERVED CVE-2018-12485 RESERVED CVE-2018-12484 RESERVED CVE-2018-12483 (OCS Inventory 2.4.1 is prone to a remote command-execution vulnerabili ...) - ocsinventory-server 2.5+dfsg-1 (unimportant; bug #905396) NOTE: Authentication is needed, only supported in trusted environments, see debtags CVE-2018-12482 (OCS Inventory 2.4.1 contains multiple SQL injections in the search eng ...) - ocsinventory-server 2.5+dfsg-1 (unimportant; bug #905396) NOTE: Authentication is needed, only supported in trusted environments, see debtags CVE-2018-12481 (The Olive Tree Ftp Server application 1.32 for Android has a "Sensitiv ...) NOT-FOR-US: Olive Tree Ftp Server application for Android CVE-2018-12480 (Mitigates an XSS issue in NetIQ Access Manager versions prior to 4.4 S ...) NOT-FOR-US: NetIQ Access Manager CVE-2018-12479 (A Improper Input Validation vulnerability in Open Build Service allows ...) - open-build-service 2.9.4-1 (bug #911797) [stretch] - open-build-service (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1108435 NOTE: https://github.com/openSUSE/open-build-service/pull/5880 NOTE: https://github.com/openSUSE/open-build-service/commit/01b015ca2a320afc4fae823465d1e72da8bd60df CVE-2018-12478 (A Improper Input Validation vulnerability in Open Build Service allows ...) NOT-FOR-US: obs-service replace_using_package_version NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1108280 CVE-2018-12477 (A Improper Neutralization of CRLF Sequences vulnerability in Open Buil ...) NOT-FOR-US: obs-service refresh_patches NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1108189 NOTE: https://github.com/openSUSE/obs-service-refresh_patches/commit/d6244245dda5367767efc989446fe4b5e4609cce CVE-2018-12476 (Relative Path Traversal vulnerability in obs-service-tar_scm of SUSE L ...) NOT-FOR-US: obs-service-tar_scm CVE-2018-12475 RESERVED CVE-2018-12474 (Improper input validation in obs-service-tar_scm of Open Build Service ...) NOT-FOR-US: obs-service-tar_scm of Open Build Service CVE-2018-12473 (A path traversal traversal vulnerability in obs-service-tar_scm of Ope ...) NOT-FOR-US: obs-service-tar_scm of Open Build Service CVE-2018-12472 (A improper authentication using the HOST header in SUSE Linux SMT allo ...) NOT-FOR-US: SUSE Linux SMT CVE-2018-12471 (A External Entity Reference ('XXE') vulnerability in SUSE Linux SMT al ...) NOT-FOR-US: SUSE Linux SMT CVE-2018-12470 (A SQL Injection in the RegistrationSharing module of SUSE Linux SMT al ...) NOT-FOR-US: SUSE Linux SMT CVE-2018-12469 (Incorrect handling of an invalid value for an HTTP request parameter b ...) NOT-FOR-US: Micro Focus CVE-2018-12468 (A vulnerability in the administration console of Micro Focus GroupWise ...) NOT-FOR-US: Micro Focus CVE-2018-12467 (Authorized users of the openbuildservice before 2.9.4 could delete pac ...) - open-build-service 2.9.4-1 (bug #911797) [stretch] - open-build-service (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1100217 NOTE: Fixed by: https://github.com/openSUSE/open-build-service/commit/f57b660f49f830006766a8d4abc3b4af6e178063 NOTE: Introduced by: https://github.com/openSUSE/open-build-service/commit/990ef7cccef6f38fc1d1a1bb22a08e174dcba43b CVE-2018-12466 (openSUSE openbuildservice before 9.2.4 allowed authenticated users to ...) - open-build-service (bug #911797) [stretch] - open-build-service (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1098934 NOTE: Fixed by: https://github.com/openSUSE/open-build-service/commit/f57b660f49f830006766a8d4abc3b4af6e178063 NOTE: Introduced by: https://github.com/openSUSE/open-build-service/commit/990ef7cccef6f38fc1d1a1bb22a08e174dcba43b CVE-2018-12465 (An OS command injection vulnerability in the web administration compon ...) NOT-FOR-US: Micro Focus CVE-2018-12464 (A SQL injection vulnerability in the web administration and quarantine ...) NOT-FOR-US: Micro Focus CVE-2018-12463 (An XML external entity (XXE) vulnerability in Fortify Software Securit ...) NOT-FOR-US: Fortify CVE-2018-12462 (NetIQ iManager 3.1.1 addresses potential XSS vulnerabilities. ...) NOT-FOR-US: NetIQ iManager CVE-2018-12461 (Fixed issues with NetIQ eDirectory prior to 9.1.1 when checking certif ...) NOT-FOR-US: NetIQ eDirectory CVE-2018-12460 (libavcodec in FFmpeg 4.0 may trigger a NULL pointer dereference if the ...) [experimental] - ffmpeg 7:4.0.1-1 (low) - ffmpeg (Introduced after 3.4) NOTE: https://github.com/FFmpeg/FFmpeg/commit/b3332a182f8ba33a34542e4a0370f38b914ccf7d CVE-2018-12459 (An inconsistent bits-per-sample value in the ff_mpeg4_decode_picture_h ...) [experimental] - ffmpeg 7:4.0.1-1 (low) - ffmpeg 7:4.0.1-2 (low) [stretch] - ffmpeg (Studio profile not yet supported) NOTE: https://github.com/FFmpeg/FFmpeg/commit/2fc108f60f98cd00813418a8754a46476b404a3c CVE-2018-12458 (An improper integer type in the mpeg4_encode_gop_header function in li ...) {DSA-4249-1} [experimental] - ffmpeg 7:4.0.1-1 (low) - ffmpeg 7:3.4.3-1 (low) NOTE: https://github.com/FFmpeg/FFmpeg/commit/e1182fac1afba92a4975917823a5f644bee7e6e8 NOTE: Fixed in 3.2.11 CVE-2018-12457 (expressCart before 1.1.6 allows remote attackers to create an admin us ...) NOT-FOR-US: expressCart CVE-2018-12456 (Intelbras NPLUG 1.0.0.14 wireless repeater devices have no CSRF token ...) NOT-FOR-US: Intelbras NPLUG 1.0.0.14 wireless repeater devices CVE-2018-12455 (Intelbras NPLUG 1.0.0.14 wireless repeater devices have a critical vul ...) NOT-FOR-US: Intelbras NPLUG 1.0.0.14 wireless repeater devices CVE-2018-12454 (The _addguess function of a simplelottery smart contract implementatio ...) NOT-FOR-US: simplelottery CVE-2018-12453 (Type confusion in the xgroupCommand function in t_stream.c in redis-se ...) - redis (Vulnerable code introduced in 5.0-rc1) NOTE: https://gist.github.com/fakhrizulkifli/34a56d575030682f6c564553c53b82b5 NOTE: https://github.com/antirez/redis/commit/c04082cf138f1f51cedf05ee9ad36fb6763cafc6 CVE-2018-12452 RESERVED CVE-2018-12451 RESERVED CVE-2018-12450 RESERVED CVE-2018-12449 (The Whale browser installer 0.4.3.0 and earlier versions allows DLL hi ...) NOT-FOR-US: Whale browser installer CVE-2018-12448 (Whale Browser before 1.3.48.4 displays no URL information but only a t ...) NOT-FOR-US: Whale Browser CVE-2018-12447 (The restore_tqb_pixels function in hevc_filter.c in libavcodec, as use ...) NOT-FOR-US: libbpg CVE-2018-12446 (** DISPUTED ** An issue was discovered in the com.dropbox.android appl ...) NOT-FOR-US: com.dropbox.android application for Android CVE-2018-12445 (** DISPUTED ** An issue was discovered in the com.dropbox.android appl ...) NOT-FOR-US: com.dropbox.android application for Android CVE-2018-12444 RESERVED CVE-2018-12443 RESERVED CVE-2018-12442 RESERVED CVE-2018-12441 (The CorsairService Service in Corsair Utility Engine is installed with ...) NOT-FOR-US: Corsair CVE-2017-18341 REJECTED CVE-2017-18340 REJECTED CVE-2017-18339 REJECTED CVE-2017-18338 REJECTED CVE-2017-18337 REJECTED CVE-2017-18336 REJECTED CVE-2017-18335 REJECTED CVE-2017-18334 REJECTED CVE-2017-18333 REJECTED CVE-2017-18332 (Security keys are logged when any WCDMA call is configured or reconfig ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18331 (Improper access control on secure display buffers in snapdragon automo ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18330 (Buffer overflow in AES-CCM and AES-GCM encryption via initialization v ...) NOT-FOR-US: snapdragon CVE-2017-18329 (Possible Buffer overflow when transmitting an RTP packet in snapdragon ...) NOT-FOR-US: snapdragon CVE-2017-18328 (Use after free in QSH client rule processing in snapdragon mobile and ...) NOT-FOR-US: snapdragon CVE-2017-18327 (Security keys are logged when any WCDMA call is configured or reconfig ...) NOT-FOR-US: snapdragon CVE-2017-18326 (Cryptographic keys are printed in modem debug messages in snapdragon m ...) NOT-FOR-US: snapdragon CVE-2017-18325 REJECTED CVE-2017-18324 (Cryptographic key material leaked in debug messages - GERAN in snapdra ...) NOT-FOR-US: snapdragon CVE-2017-18323 (Cryptographic key material leaked in TDSCDMA RRC debug messages in sna ...) NOT-FOR-US: snapdragon CVE-2017-18322 (Cryptographic key material leaked in WCDMA debug messages in snapdrago ...) NOT-FOR-US: snapdragon CVE-2017-18321 (Security keys used by the terminal and NW for a session could be leake ...) NOT-FOR-US: snapdragon CVE-2017-18320 (QSEE unload attempt on a 3rd party TEE without previously loading resu ...) NOT-FOR-US: snapdragon CVE-2017-18319 (Information leak in UIM API debug messages in snapdragon mobile and sn ...) NOT-FOR-US: snapdragon CVE-2017-18318 (Missing validation check on CRL issuer name in Snapdragon Automobile, ...) NOT-FOR-US: Snapdragon CVE-2017-18317 (Restrictions related to the modem (sim lock, sim kill) can be bypassed ...) NOT-FOR-US: Snapdragon CVE-2017-18316 (Secure application can access QSEE kernel memory through Ontario kerne ...) NOT-FOR-US: Snapdragon CVE-2017-18315 (Buffer over-read vulnerabilities in an older version of ASN.1 parser i ...) NOT-FOR-US: Snapdragon CVE-2017-18314 (In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18313 (Under certain mode of operations, HLOS may be able get direct or indir ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18312 (While accessing SafeSwitch services, third party can manipulate a give ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18311 (XPU Master privilege escalation is possible due to improper access con ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18310 (ClientEnv exposes services 0-32 to HLOS in Snapdragon Automobile, Snap ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18309 (A micro-core of QMP transportation may cause a macro-core to read from ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18308 (Modem segments are unlocked after authentication, leaving modem segmen ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18307 RESERVED CVE-2017-18306 RESERVED CVE-2017-18305 (XBL sec mem dump system call allows complete control of EL3 by unlocki ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18304 (Insufficient memory allocation in boot due to incorrect size being pas ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18303 (While processing the sensors registry configuration file, if inputs ar ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18302 (In Snapdragon (Automobile ,Mobile) in version MSM8996AU, SD 425, SD 42 ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18301 (In Small Cell SoC and Snapdragon (Automobile, Mobile, Wear) in version ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18300 (Secure display content could be accessed by third party trusted applic ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18299 (Improper translation table consolidation logic leads to resource exhau ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18298 (Lack of Input Validation in SDMX API can lead to NULL pointer access i ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18297 (Double memory free while closing TEE SE API Session management in Snap ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18296 (Access control on applications is not applied while accessing SafeSwit ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18295 (Possible buffer overflow if input is not null terminated in DSP Servic ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18294 (While reading file class type from ELF header, a buffer overread may h ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18293 (When a particular GPIO is protected by blocking access to the correspo ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18292 (Secure app running in non secure space can restart TZ by calling Widev ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-12440 (BoringSSL through 2018-06-14 allows a memory-cache side-channel attack ...) - boringssl (bug #823933) CVE-2018-12439 (MatrixSSL through 3.9.5 Open allows a memory-cache side-channel attack ...) - matrixssl CVE-2018-12438 (The Elliptic Curve Cryptography library (aka sunec or libsunec) allows ...) - openjdk-7 (Didn't include/build sunec, see #750400) - openjdk-8 - openjdk-11 CVE-2018-12437 (LibTomCrypt through 1.18.1 allows a memory-cache side-channel attack o ...) - libtomcrypt 1.18.2-1 (low; bug #901626) [stretch] - libtomcrypt (Minor issue) [jessie] - libtomcrypt (Minor issue) NOTE: https://github.com/libtom/libtomcrypt/issues/407 NOTE: https://github.com/libtom/libtomcrypt/pull/408 CVE-2018-12436 (wolfcrypt/src/ecc.c in wolfSSL before 3.15.1.patch allows a memory-cac ...) - wolfssl 3.15.3+dfsg-1 (bug #901627) NOTE: https://github.com/wolfSSL/wolfssl/commit/9b9568d500f31f964af26ba8d01e542e1f27e5ca NOTE: https://www.wolfssl.com/wolfssh-and-rohnp/ CVE-2018-12435 (Botan 2.5.0 through 2.6.0 before 2.7.0 allows a memory-cache side-chan ...) - botan 2.6.0-3 (bug #901619) - botan1.10 (Issue introduced in 2.5.0) NOTE: https://github.com/randombit/botan/pull/1604 NOTE: https://github.com/randombit/botan/commit/48fc8df51d99f9d8ba251219367b3d629cc848e3 CVE-2018-12434 (LibreSSL before 2.6.5 and 2.7.x before 2.7.4 allows a memory-cache sid ...) - libressl (bug #754513) CVE-2018-12433 (** DISPUTED ** cryptlib through 3.4.4 allows a memory-cache side-chann ...) NOT-FOR-US: cryptlib CVE-2018-12432 (JavaMelody through 1.60.0 has XSS via the counter parameter in a clear ...) NOT-FOR-US: JavaMelody CVE-2018-12431 (SeaCMS V6.61 has XSS via the site name parameter on an adm1n/admin_con ...) NOT-FOR-US: SeaCMS CVE-2018-12430 REJECTED CVE-2018-12429 (JEESNS through 1.2.1 allows XSS attacks by ordinary users who publish ...) NOT-FOR-US: JEESNS CVE-2018-12428 RESERVED CVE-2018-12427 RESERVED CVE-2018-12426 (The WP Live Chat Support Pro plugin before 8.0.07 for WordPress is vul ...) NOT-FOR-US: WP Live Chat Support Pro plugin for WordPress CVE-2018-12425 RESERVED CVE-2018-12424 RESERVED CVE-2018-12422 (** DISPUTED ** addressbook/backends/ldap/e-book-backend-ldap.c in Evol ...) - evolution-data-server 3.28.5-1 (unimportant; bug #901665) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=796174 NOTE: https://gitlab.gnome.org/GNOME/evolution-data-server/commit/34bad6173 NOTE: non-issue, to be rejected CVE-2018-12421 (LTB (aka LDAP Tool Box) Self Service Password before 1.3 allows a chan ...) NOT-FOR-US: LTB Self Service Password CVE-2018-12420 (IceHrm before 23.0.1.OS has a risky usage of a hashed password in a re ...) NOT-FOR-US: IceHrm CVE-2018-12419 RESERVED CVE-2018-12418 (Archive.java in Junrar before 1.0.1, as used in Apache Tika and other ...) NOT-FOR-US: Junrar CVE-2018-12417 REJECTED CVE-2018-12416 (The GridServer Broker and GridServer Director components of TIBCO Soft ...) NOT-FOR-US: TIBCO CVE-2018-12415 (The Central Administration server (emsca) component of TIBCO Software ...) NOT-FOR-US: TIBCO CVE-2018-12414 (The Rendezvous Routing Daemon (rvrd), Rendezvous Secure Routing Daemon ...) NOT-FOR-US: TIBCO CVE-2018-12413 (The Schema repository server (tibschemad) component of TIBCO Software ...) NOT-FOR-US: TIBCO CVE-2018-12412 (The realm server (tibrealmserver) component of TIBCO Software Inc. TIB ...) NOT-FOR-US: TIBCO CVE-2018-12411 (The administrative daemon (tibdgadmind) of TIBCO Software Inc.'s TIBCO ...) NOT-FOR-US: TIBCO CVE-2018-12410 (The web server component of TIBCO Software Inc's Spotfire Statistics S ...) NOT-FOR-US: TIBCO CVE-2018-12409 (The SOAP Admin API component of TIBCO Software Inc.'s TIBCO Silver Fab ...) NOT-FOR-US: TIBCO CVE-2018-12408 (The BusinessWorks engine component of TIBCO Software Inc.'s TIBCO Acti ...) NOT-FOR-US: TIBCO CVE-2018-12407 (A buffer overflow occurs when drawing and validating elements with the ...) - firefox 64.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/#CVE-2018-12407 CVE-2018-12406 (Mozilla developers and community members reported memory safety bugs p ...) - firefox 64.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/#CVE-2018-12406 CVE-2018-12405 (Mozilla developers and community members reported memory safety bugs p ...) {DSA-4362-1 DSA-4354-1 DLA-1624-1 DLA-1605-1} - firefox 64.0-1 - firefox-esr 60.4.0esr-1 - thunderbird 1:60.4.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/#CVE-2018-12405 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-30/#CVE-2018-12405 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-31/#CVE-2018-12405 CVE-2018-12404 (A cached side channel attack during handshakes using RSA encryption co ...) {DLA-1704-1} - nss 2:3.41-1 NOTE: http://cat.eyalro.net/ NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1485864 (not public) NOTE: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.36.6_release_notes NOTE: Fixed in 3.36.6, 3.40.1 CVE-2018-12403 (If a site is loaded over a HTTPS connection but loads a favicon resour ...) - firefox 63.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-26/#CVE-2018-12403 CVE-2018-12402 (The internal WebBrowserPersist code does not use correct origin contex ...) - firefox 63.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-26/#CVE-2018-12402 CVE-2018-12401 (Some special resource URIs will cause a non-exploitable crash if loade ...) - firefox 63.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-26/#CVE-2018-12401 CVE-2018-12400 (In private browsing mode on Firefox for Android, favicons are cached i ...) - firefox (Android-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-26/#CVE-2018-12400 CVE-2018-12399 (When a new protocol handler is registered, the API accepts a title arg ...) - firefox 63.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-26/#CVE-2018-12399 CVE-2018-12398 (By using the reflected URL in some special resource URIs, such as chro ...) - firefox 63.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-26/#CVE-2018-12398 CVE-2018-12397 (A WebExtension can request access to local files without the warning p ...) {DSA-4324-1 DLA-1571-1} - firefox-esr 60.3.0esr-1 - firefox 63.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-27/#CVE-2018-12397 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-26/#CVE-2018-12397 CVE-2018-12396 (A vulnerability where a WebExtension can run content scripts in disall ...) {DSA-4324-1 DLA-1571-1} - firefox-esr 60.3.0esr-1 - firefox 63.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-27/#CVE-2018-12396 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-26/#CVE-2018-12396 CVE-2018-12395 (By rewriting the Host: request headers using the webRequest API, a Web ...) {DSA-4324-1 DLA-1571-1} - firefox-esr 60.3.0esr-1 - firefox 63.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-27/#CVE-2018-12395 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-26/#CVE-2018-12395 CVE-2018-12394 RESERVED CVE-2018-12393 (A potential vulnerability was found in 32-bit builds where an integer ...) {DSA-4337-1 DSA-4324-1 DLA-1575-1 DLA-1571-1} - firefox-esr 60.3.0esr-1 - firefox 63.0-1 - thunderbird 1:60.3.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-27/#CVE-2018-12393 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-26/#CVE-2018-12393 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-28/#CVE-2018-12393 CVE-2018-12392 (When manipulating user events in nested loops while opening a document ...) {DSA-4337-1 DSA-4324-1 DLA-1575-1 DLA-1571-1} - firefox-esr 60.3.0esr-1 - firefox 63.0-1 - thunderbird 1:60.3.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-27/#CVE-2018-12392 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-26/#CVE-2018-12392 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-28/#CVE-2018-12392 CVE-2018-12391 (During HTTP Live Stream playback on Firefox for Android, audio data ca ...) - firefox-esr (Android-specific) - firefox (Android-specific) - thunderbird (Android-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-27/#CVE-2018-12391 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-26/#CVE-2018-12391 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-28/#CVE-2018-12391 CVE-2018-12390 (Mozilla developers and community members reported memory safety bugs p ...) {DSA-4337-1 DSA-4324-1 DLA-1575-1 DLA-1571-1} - firefox-esr 60.3.0esr-1 - firefox 63.0-1 - thunderbird 1:60.3.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-27/#CVE-2018-12390 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-26/#CVE-2018-12390 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-28/#CVE-2018-12390 CVE-2018-12389 (Mozilla developers and community members reported memory safety bugs p ...) {DSA-4337-1 DSA-4324-1 DLA-1575-1 DLA-1571-1} - firefox-esr 60.3.0esr-1 - thunderbird 1:60.3.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-27/#CVE-2018-12389 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-28/#CVE-2018-12389 CVE-2018-12388 (Mozilla developers and community members reported memory safety bugs p ...) - firefox 63.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-26/#CVE-2018-12388 CVE-2018-12387 (A vulnerability where the JavaScript JIT compiler inlines Array.protot ...) {DSA-4310-1} - firefox 62.0.3-1 - firefox-esr 60.2.2esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-24/#CVE-2018-12387 CVE-2018-12386 (A vulnerability in register allocation in JavaScript can lead to type ...) {DSA-4310-1} - firefox 62.0.3-1 - firefox-esr 60.2.2esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-24/#CVE-2018-12386 CVE-2018-12385 (A potentially exploitable crash in TransportSecurityInfo used for SSL ...) {DSA-4327-1 DSA-4304-1 DLA-1575-1} - firefox 62.0.2-1 - firefox-esr 60.2.1esr-1 - thunderbird 1:60.2.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-22/#CVE-2018-12385 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-23/#CVE-2018-12385 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-25/#CVE-2018-12385 CVE-2018-12384 (When handling a SSLv2-compatible ClientHello request, the server doesn ...) - nss 2:3.39-1 (low; bug #908332) [stretch] - nss (Minor issue, can be fixed along in future DSA) [jessie] - nss (Minor issue, can be fixed along in future DSA) NOTE: https://hg.mozilla.org/projects/nss/rev/2ed9f6afd84e (NSS_3_39_BRANCH) NOTE: https://hg.mozilla.org/projects/nss/rev/46f9a1f40c3d (NSS_3_36_BRANCH) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1483128 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1622089 CVE-2018-12383 (If a user saved passwords before Firefox 58 and then later set a maste ...) {DSA-4327-1 DSA-4304-1 DLA-1575-1} - firefox 62.0-1 - firefox-esr 60.2.1esr-1 - thunderbird 1:60.2.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-20/#CVE-2018-12383 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-23/#CVE-2018-12383 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-25/#CVE-2018-12383 CVE-2018-12382 (The displayed addressbar URL can be spoofed on Firefox for Android usi ...) - firefox (Android-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-20/#CVE-2018-12382 CVE-2018-12381 (Manually dragging and dropping an Outlook email message into the brows ...) - firefox (Windows-specific) - firefox-esr (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-20/#CVE-2018-12381 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-21/#CVE-2018-12381 CVE-2018-12380 REJECTED CVE-2018-12379 (When the Mozilla Updater opens a MAR format file which contains a very ...) {DSA-4327-1 DLA-1575-1} - firefox 62.0-1 (unimportant) - firefox-esr 60.2.0esr-1 (unimportant) [stretch] - firefox-esr 60.2.0esr-1~deb9u2 - thunderbird 1:60.2.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-20/#CVE-2018-12379 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-21/#CVE-2018-12379 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-25/#CVE-2018-12379 CVE-2018-12378 (A use-after-free vulnerability can occur when an IndexedDB index is de ...) {DSA-4327-1 DSA-4287-1 DLA-1575-1} - firefox 62.0-1 - firefox-esr 60.2.0esr-1 - thunderbird 1:60.2.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-20/#CVE-2018-12378 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-21/#CVE-2018-12378 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-25/#CVE-2018-12378 CVE-2018-12377 (A use-after-free vulnerability can occur when refresh driver timers ar ...) {DSA-4327-1 DSA-4287-1 DLA-1575-1} - firefox 62.0-1 - firefox-esr 60.2.0esr-1 - thunderbird 1:60.2.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-20/#CVE-2018-12377 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-21/#CVE-2018-12377 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-25/#CVE-2018-12377 CVE-2018-12376 (Memory safety bugs present in Firefox 61 and Firefox ESR 60.1. Some of ...) {DSA-4327-1 DSA-4287-1 DLA-1575-1} - firefox 62.0-1 - firefox-esr 60.2.0esr-1 - thunderbird 1:60.2.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-20/#CVE-2018-12376 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-21/#CVE-2018-12376 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-25/#CVE-2018-12376 CVE-2018-12375 (Memory safety bugs present in Firefox 61. Some of these bugs showed ev ...) - firefox 62.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-20/#CVE-2018-12375 CVE-2018-12374 (Plaintext of decrypted emails can leak through by user submitting an e ...) {DSA-4244-1 DLA-1425-1} - thunderbird 1:52.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-18/#CVE-2018-12374 CVE-2018-12373 (dDecrypted S/MIME parts hidden with CSS or the plaintext HTML tag can ...) {DSA-4244-1 DLA-1425-1} - thunderbird 1:52.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-18/#CVE-2018-12373 CVE-2018-12372 (Decrypted S/MIME parts, when included in HTML crafted for an attack, c ...) {DSA-4244-1 DLA-1425-1} - thunderbird 1:52.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-18/#CVE-2018-12372 CVE-2018-12371 RESERVED {DSA-4295-1 DLA-1575-1} - firefox 61.0-1 - thunderbird 1:60.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-12371 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-19/#CVE-2018-12371 CVE-2018-12370 (In Reader View SameSite cookie protections are not checked on exiting. ...) - firefox 61.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-12370 CVE-2018-12369 (WebExtensions bundled with embedded experiments were not correctly che ...) - firefox 61.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-12369 CVE-2018-12368 (Windows 10 does not warn users before opening executable files with th ...) - firefox-esr (Windows-specific) - firefox (Windows-specific) - thunderbird (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-12368 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-17/#CVE-2018-12368 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-18/#CVE-2018-12368 CVE-2018-12367 (In the previous mitigations for Spectre, the resolution or precision o ...) {DSA-4295-1 DLA-1575-1} - firefox 61.0-1 - thunderbird 1:60.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-12367 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-19/#CVE-2018-12367 CVE-2018-12366 (An invalid grid size during QCMS (color profile) transformations can r ...) {DSA-4244-1 DSA-4235-1 DLA-1425-1 DLA-1406-1} - firefox-esr 52.9.0esr-1 - firefox 61.0-1 - thunderbird 1:52.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-12366 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-17/#CVE-2018-12366 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-18/#CVE-2018-12366 CVE-2018-12365 (A compromised IPC child process can escape the content sandbox and lis ...) {DSA-4244-1 DSA-4235-1 DLA-1425-1 DLA-1406-1} - firefox-esr 52.9.0esr-1 - firefox 61.0-1 - thunderbird 1:52.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-12365 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-17/#CVE-2018-12365 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-18/#CVE-2018-12365 CVE-2018-12364 (NPAPI plugins, such as Adobe Flash, can send non-simple cross-origin r ...) {DSA-4244-1 DSA-4235-1 DLA-1425-1 DLA-1406-1} - firefox-esr 52.9.0esr-1 - firefox 61.0-1 - thunderbird 1:52.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-12364 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-17/#CVE-2018-12364 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-18/#CVE-2018-12364 CVE-2018-12363 (A use-after-free vulnerability can occur when script uses mutation eve ...) {DSA-4244-1 DSA-4235-1 DLA-1425-1 DLA-1406-1} - firefox-esr 52.9.0esr-1 - firefox 61.0-1 - thunderbird 1:52.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-12363 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-17/#CVE-2018-12363 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-18/#CVE-2018-12363 CVE-2018-12362 (An integer overflow can occur during graphics operations done by the S ...) {DSA-4244-1 DSA-4235-1 DLA-1425-1 DLA-1406-1} - firefox-esr 52.9.0esr-1 - firefox 61.0-1 - thunderbird 1:52.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-12362 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-17/#CVE-2018-12362 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-18/#CVE-2018-12362 CVE-2018-12361 (An integer overflow can occur in the SwizzleData code while calculatin ...) {DSA-4295-1 DLA-1575-1} - firefox 61.0-1 - thunderbird 1:60.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-12361 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-19/#CVE-2018-12361 CVE-2018-12360 (A use-after-free vulnerability can occur when deleting an input elemen ...) {DSA-4244-1 DSA-4235-1 DLA-1425-1 DLA-1406-1} - firefox-esr 52.9.0esr-1 - firefox 61.0-1 - thunderbird 1:52.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-12360 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-17/#CVE-2018-12360 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-18/#CVE-2018-12360 CVE-2018-12359 (A buffer overflow can occur when rendering canvas content while adjust ...) {DSA-4244-1 DSA-4235-1 DLA-1425-1 DLA-1406-1} - firefox-esr 52.9.0esr-1 - firefox 61.0-1 - thunderbird 1:52.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-12359 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-17/#CVE-2018-12359 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-18/#CVE-2018-12359 CVE-2018-12358 (Service workers can use redirection to avoid the tainting of cross-ori ...) - firefox 61.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-12358 CVE-2018-12423 (In Synapse before 0.31.2, unauthorised users can hijack rooms when the ...) - matrix-synapse 0.31.2+dfsg-1 (bug #901549) NOTE: https://github.com/matrix-org/synapse/pull/3397 CVE-2018-12357 (Arista CloudVision Portal through 2018.1.1 has Incorrect Permissions. ...) NOT-FOR-US: Arista CloudVision Portal CVE-2018-12356 (An issue was discovered in password-store.sh in pass in Simple Passwor ...) - password-store 1.7.2-1 (bug #901574) [stretch] - password-store (Signature verification support added in 1.7) [jessie] - password-store (Signature verification support added in 1.7) NOTE: https://lists.zx2c4.com/pipermail/password-store/2018-June/003308.html NOTE: Introduced in: https://git.zx2c4.com/password-store/commit/?id=ff62f87f41557ab7267defab662324927301485a NOTE: Fixed by: https://git.zx2c4.com/password-store/commit/?id=8683403b77f59c56fcb1f05c61ab33b9fd61a30d NOTE: https://neopg.io/blog/pass-signature-spoof/ NOTE: http://www.openwall.com/lists/oss-security/2018/06/14/3 CVE-2018-12355 (Knowage (formerly SpagoBI) 6.1.1 allows XSS via the name or descriptio ...) NOT-FOR-US: Knowage / SpagoBI CVE-2018-12354 (Knowage (formerly SpagoBI) 6.1.1 allows CSRF via every form, as demons ...) NOT-FOR-US: Knowage / SpagoBI CVE-2018-12353 (Knowage (formerly SpagoBI) 6.1.1 allows XSS via the name field to the ...) NOT-FOR-US: Knowage / SpagoBI CVE-2018-12352 RESERVED CVE-2018-12351 RESERVED CVE-2018-12350 RESERVED CVE-2018-12349 RESERVED CVE-2018-12348 RESERVED CVE-2018-12347 RESERVED CVE-2018-12346 RESERVED CVE-2018-12345 RESERVED CVE-2018-12344 RESERVED CVE-2018-12343 RESERVED CVE-2018-12342 RESERVED CVE-2018-12341 RESERVED CVE-2018-12340 RESERVED CVE-2018-12339 (ArticleCMS through 2017-02-19 has XSS via an "add an article" action. ...) NOT-FOR-US: ArticleCMS CVE-2018-12338 (Undocumented Factory Backdoor in ECOS System Management Appliance (aka ...) NOT-FOR-US: ECOS System Management Appliance CVE-2018-12337 (Reliance on Security Through Obscurity vulnerability in ECOS Secure Bo ...) NOT-FOR-US: ECOS Secure Boot Stick CVE-2018-12336 (Undocumented Factory Backdoor in ECOS Secure Boot Stick (aka SBS) 5.6. ...) NOT-FOR-US: ECOS Secure Boot Stick CVE-2018-12335 (Incorrect access control in ECOS System Management Appliance (aka SMA) ...) NOT-FOR-US: ECOS System Management Appliance CVE-2018-12334 (Protection Mechanism Failure in ECOS Secure Boot Stick (aka SBS) 5.6.5 ...) NOT-FOR-US: ECOS Secure Boot Stick CVE-2018-12333 (Insufficient Verification of Data Authenticity vulnerability in ECOS S ...) NOT-FOR-US: ECOS Secure Boot Stick CVE-2018-12332 (Incomplete Cleanup vulnerability in ECOS Secure Boot Stick (aka SBS) 5 ...) NOT-FOR-US: ECOS Secure Boot Stick CVE-2018-12331 (Authentication Bypass by Spoofing vulnerability in ECOS System Managem ...) NOT-FOR-US: ECOS System Management Appliance CVE-2018-12330 (Protection Mechanism Failure in ECOS Secure Boot Stick (aka SBS) 5.6.5 ...) NOT-FOR-US: ECOS Secure Boot Stick CVE-2018-12329 (Protection Mechanism Failure in ECOS Secure Boot Stick (aka SBS) 5.6.5 ...) NOT-FOR-US: ECOS Secure Boot Stick CVE-2018-12328 RESERVED CVE-2018-12327 (Stack-based buffer overflow in ntpq and ntpdc of NTP version 4.2.8p11 ...) - ntp (unimportant) NOTE: https://gist.github.com/fakhrizulkifli/9b58ed8e0354e8deee50b0eebd1c011f NOTE: Negligible security impact CVE-2018-12326 (Buffer overflow in redis-cli of Redis before 4.0.10 and 5.x before 5.0 ...) {DSA-4230-1 DLA-1396-1} - redis 5:4.0.10-1 (bug #902410) NOTE: https://gist.github.com/fakhrizulkifli/f831f40ec6cde4f744c552503d8698f0 NOTE: https://github.com/antirez/redis/commit/9fdcc15962f9ff4baebe6fdd947816f43f730d50 CVE-2018-12325 RESERVED CVE-2018-12324 RESERVED CVE-2018-12323 (An issue was discovered on Momentum Axel 720P 5.1.8 devices. A passwor ...) NOT-FOR-US: Momentum Axel 720P 5.1.8 devices CVE-2018-12322 (There is a heap out of bounds read in radare2 2.6.0 in _6502_op() in l ...) - radare2 2.7.0+dfsg-1 (low; bug #901628) [jessie] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/commit/bbb4af56003c1afdad67af0c4339267ca38b1017 NOTE: https://github.com/radare/radare2/issues/10294 CVE-2018-12321 (There is a heap out of bounds read in radare2 2.6.0 in java_switch_op( ...) - radare2 2.7.0+dfsg-1 (low; bug #901629) [jessie] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/commit/224e6bc13fa353dd3b7f7a2334588f1c4229e58d NOTE: https://github.com/radare/radare2/issues/10296 CVE-2018-12320 (There is a use after free in radare2 2.6.0 in r_anal_bb_free() in libr ...) - radare2 2.7.0+dfsg-1 (low; bug #901630) [jessie] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/commit/90b71c017a7fa9732fe45fd21b245ee051b1f548 NOTE: https://github.com/radare/radare2/issues/10293 CVE-2018-12319 (Denial-of-service in the login page of ASUSTOR ADM 3.1.1 allows attack ...) NOT-FOR-US: ASUSTOR ADM CVE-2018-12318 (Information disclosure in the SNMP settings page in ASUSTOR ADM versio ...) NOT-FOR-US: ASUSTOR ADM CVE-2018-12317 (OS command injection in group.cgi in ASUSTOR ADM version 3.1.1 allows ...) NOT-FOR-US: ASUSTOR ADM CVE-2018-12316 (OS Command Injection in upload.cgi in ASUSTOR ADM version 3.1.1 allows ...) NOT-FOR-US: ASUSTOR ADM CVE-2018-12315 (Missing verification of a password in ASUSTOR ADM version 3.1.1 allows ...) NOT-FOR-US: ASUSTOR ADM CVE-2018-12314 (Directory Traversal in downloadwallpaper.cgi in ASUSTOR ADM version 3. ...) NOT-FOR-US: ASUSTOR ADM CVE-2018-12313 (OS command injection in snmp.cgi in ASUSTOR ADM version 3.1.1 allows a ...) NOT-FOR-US: ASUSTOR ADM CVE-2018-12312 (OS command injection in user.cgi in ASUSTOR ADM version 3.1.1 allows a ...) NOT-FOR-US: ASUSTOR ADM CVE-2018-12311 (Cross-site scripting vulnerability in File Explorer in ASUSTOR ADM ver ...) NOT-FOR-US: ASUSTOR ADM CVE-2018-12310 (Cross-site scripting in the Login page in ASUSTOR ADM version 3.1.1 al ...) NOT-FOR-US: ASUSTOR ADM CVE-2018-12309 (Directory Traversal in upload.cgi in ASUSTOR ADM version 3.1.1 allows ...) NOT-FOR-US: ASUSTOR ADM CVE-2018-12308 (Encryption key disclosure in share.cgi in ASUSTOR ADM version 3.1.1 al ...) NOT-FOR-US: ASUSTOR ADM CVE-2018-12307 (OS command injection in user.cgi in ASUSTOR ADM version 3.1.1 allows a ...) NOT-FOR-US: ASUSTOR ADM CVE-2018-12306 (Directory Traversal in File Explorer in ASUSTOR ADM version 3.1.1 allo ...) NOT-FOR-US: ASUSTOR ADM CVE-2018-12305 (Cross-site scripting in File Explorer in ASUSTOR ADM version 3.1.1 all ...) NOT-FOR-US: ASUSTOR ADM CVE-2018-12304 (Cross-site scripting in Application Manager in Seagate NAS OS version ...) NOT-FOR-US: Seagate NAS OS CVE-2018-12303 (Cross-site scripting in filebrowser in Seagate NAS OS version 4.3.15.1 ...) NOT-FOR-US: Seagate NAS OS CVE-2018-12302 (Missing HTTPOnly flag on session cookies in the Seagate NAS OS version ...) NOT-FOR-US: Seagate NAS OS CVE-2018-12301 (Unvalidated URL in Download Manager in Seagate NAS OS version 4.3.15.1 ...) NOT-FOR-US: Seagate NAS OS CVE-2018-12300 (Arbitrary Redirect in echo-server.html in Seagate NAS OS version 4.3.1 ...) NOT-FOR-US: Seagate NAS OS CVE-2018-12299 (Cross-site scripting in filebrowser in Seagate NAS OS version 4.3.15.1 ...) NOT-FOR-US: Seagate NAS OS CVE-2018-12298 (Directory Traversal in filebrowser in Seagate NAS OS 4.3.15.1 allows a ...) NOT-FOR-US: Seagate NAS OS CVE-2018-12297 (Cross-site scripting in API error pages in Seagate NAS OS version 4.3. ...) NOT-FOR-US: Seagate NAS OS CVE-2018-12296 (Insufficient access control in /api/external/7.0/system.System.get_inf ...) NOT-FOR-US: Seagate NAS OS CVE-2018-12295 (SQL injection in folderViewSpecific.psp in Seagate NAS OS version 4.3. ...) NOT-FOR-US: Seagate NAS OS CVE-2018-12294 (WebCore/platform/graphics/texmap/TextureMapperLayer.cpp in WebKit, as ...) - webkit2gtk 2.20.2-1 (unimportant) NOTE: Not covered by security support NOTE: https://webkitgtk.org/security/WSA-2018-0005.html CVE-2018-12293 (The getImageData function in the ImageBufferCairo class in WebCore/pla ...) - webkit2gtk 2.20.3-1 (unimportant) NOTE: Not covered by security support NOTE: https://webkitgtk.org/security/WSA-2018-0005.html CVE-2018-12292 (A use-after-free vulnerability exists in DOMProxyHandler::EnsureExpand ...) NOT-FOR-US: Pale Moon CVE-2018-12290 (The Yii2-StateMachine extension v2.x.x for Yii2 has XSS. ...) NOT-FOR-US: Yii2-StateMachine extension for Yii2 CVE-2018-12289 RESERVED CVE-2018-12288 RESERVED CVE-2018-12287 RESERVED CVE-2018-12286 RESERVED CVE-2018-12285 RESERVED CVE-2018-12284 RESERVED CVE-2018-12283 RESERVED CVE-2018-12282 RESERVED CVE-2018-12281 RESERVED CVE-2018-12280 RESERVED CVE-2018-12279 RESERVED CVE-2018-12278 RESERVED CVE-2018-12277 RESERVED CVE-2018-12276 RESERVED CVE-2018-12275 RESERVED CVE-2018-12274 RESERVED CVE-2018-12273 (The /edit URI in the DMS component in Ximdex 4.0 has XSS via the Ciuda ...) NOT-FOR-US: Ximdex CVE-2018-12272 (xowl/request.php in Ximdex 4.0 has XSS via the content parameter. ...) NOT-FOR-US: Ximdex CVE-2018-12271 (** DISPUTED ** An issue was discovered in the com.getdropbox.Dropbox a ...) NOT-FOR-US: com.getdropbox.Dropbox app for IOS CVE-2018-12270 (In Valve Steam 1528829181 BETA, it is possible to perform a homograph ...) NOT-FOR-US: Valve Steam NOTE: Debian ships an installer as src:steam, but it auto-updates whenever Steam NOTE: is started, so nothing really to be updated there CVE-2018-12269 RESERVED CVE-2018-12268 (acccheck.pl in acccheck 0.2.1 allows Command Injection via shell metac ...) - acccheck (bug #901572) [stretch] - acccheck (Non-free not supported) CVE-2018-12267 RESERVED CVE-2018-12266 (system\errors\404.php in HongCMS 3.0.0 has XSS via crafted input that ...) NOT-FOR-US: HongCMS CVE-2018-12265 (Exiv2 0.26 has an integer overflow in the LoaderExifJpeg class in prev ...) {DSA-4238-1 DLA-1402-1} - exiv2 0.25-4 (bug #901706) NOTE: https://github.com/Exiv2/exiv2/issues/365 NOTE: https://github.com/Exiv2/exiv2/commit/937a1a2bd067b8b3b787f3757089d972f3a39853 CVE-2018-12264 (Exiv2 0.26 has integer overflows in LoaderTiff::getData() in preview.c ...) {DSA-4238-1 DLA-1402-1} - exiv2 0.25-4 (bug #901707) NOTE: https://github.com/Exiv2/exiv2/issues/366 NOTE: https://github.com/Exiv2/exiv2/commit/fe70939f54476e99046245ca69ff27012401f759 CVE-2018-12263 (portfolioCMS 1.0.5 allows upload of arbitrary .php files via the admin ...) NOT-FOR-US: portfolioCMS CVE-2018-12262 REJECTED CVE-2018-12261 (An issue was discovered on Momentum Axel 720P 5.1.8 devices. All proce ...) NOT-FOR-US: Momentum Axel 720P 5.1.8 devices CVE-2018-12260 (An issue was discovered on Momentum Axel 720P 5.1.8 devices. The root ...) NOT-FOR-US: Momentum Axel 720P 5.1.8 devices CVE-2018-12259 (An issue was discovered on Momentum Axel 720P 5.1.8 devices. Root acce ...) NOT-FOR-US: Momentum Axel 720P 5.1.8 devices CVE-2018-12258 (An issue was discovered on Momentum Axel 720P 5.1.8 devices. Custom Fi ...) NOT-FOR-US: Momentum Axel 720P 5.1.8 devices CVE-2018-12257 (An issue was discovered on Momentum Axel 720P 5.1.8 devices. There is ...) NOT-FOR-US: Momentum Axel 720P 5.1.8 devices CVE-2018-12256 (admin/vqmods.app/vqmods.inc.php in LiteCart before 2.1.3 allows remote ...) NOT-FOR-US: LiteCart CVE-2018-12255 (An XSS issue was discovered in InvoicePlane 1.5.10 via the "Quote PDF ...) NOT-FOR-US: InvoicePlane CVE-2018-12254 (router.php in the Harmis Ek rishta (aka ek-rishta) 2.10 component for ...) NOT-FOR-US: Harmis Ek rishta component for Joomla! CVE-2018-12253 RESERVED CVE-2018-12252 RESERVED CVE-2018-12251 RESERVED CVE-2018-12250 (An issue was discovered in Elite CMS Pro 2.01. In /admin/add_sidebar.p ...) NOT-FOR-US: Elite CMS CVE-2018-12249 (An issue was discovered in mruby 1.4.1. There is a NULL pointer derefe ...) - mruby 1.4.1+20180622+git640fca32-1 (bug #901652) [stretch] - mruby (Minor issue) [jessie] - mruby (Minor issue) NOTE: https://github.com/mruby/mruby/commit/faa4eaf6803bd11669bc324b4c34e7162286bfa3 NOTE: https://github.com/mruby/mruby/issues/4037 CVE-2018-12248 (An issue was discovered in mruby 1.4.1. There is a heap-based buffer o ...) - mruby 1.4.1+20180622+git640fca32-1 (bug #901653) [stretch] - mruby (Minor issue) [jessie] - mruby (Minor issue) NOTE: https://github.com/mruby/mruby/commit/778500563a9f7ceba996937dc886bd8cde29b42b NOTE: https://github.com/mruby/mruby/issues/4038 CVE-2018-12247 (An issue was discovered in mruby 1.4.1. There is a NULL pointer derefe ...) - mruby (Vulnerable code introduced later) NOTE: Introduced by: https://github.com/mruby/mruby/commit/f408143c289b8017883294f13d36d43b50c8bc5d NOTE: Fixed by: https://github.com/mruby/mruby/commit/55edae0226409de25e59922807cb09acb45731a2 NOTE: https://github.com/mruby/mruby/issues/4036 CVE-2018-12246 (Symantec Web Isolation (WI) 1.11 prior to 1.11.21 is susceptible to a ...) NOT-FOR-US: Symantec CVE-2018-12245 (Symantec Endpoint Protection prior to 14.2 MP1 may be susceptible to a ...) NOT-FOR-US: Symantec Endpoint Protection CVE-2018-12244 (SEP (Mac client) prior to and including 12.1 RU6 MP9 and prior to 14.2 ...) NOT-FOR-US: SEP CVE-2018-12243 (The Symantec Messaging Gateway product prior to 10.6.6 may be suscepti ...) NOT-FOR-US: Symantec CVE-2018-12242 (The Symantec Messaging Gateway product prior to 10.6.6 may be suscepti ...) NOT-FOR-US: Symantec CVE-2018-12241 (The Symantec Security Analytics (SA) 7.x prior to 7.3.4 Web UI is susc ...) NOT-FOR-US: Symantec CVE-2018-12240 (The Norton Identity Safe product prior to 5.3.0.976 may be susceptible ...) NOT-FOR-US: Norton CVE-2018-12239 (Norton prior to 22.15; Symantec Endpoint Protection (SEP) prior to 12. ...) NOT-FOR-US: Norton CVE-2018-12238 (Norton prior to 22.15; Symantec Endpoint Protection (SEP) prior to 12. ...) NOT-FOR-US: Norton CVE-2018-12237 (The Symantec Reporter CLI 10.1 prior to 10.1.5.6 and 10.2 prior to 10. ...) NOT-FOR-US: Symantec Reporter CLI CVE-2018-12236 RESERVED CVE-2018-12235 RESERVED CVE-2018-12234 (A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in ...) NOT-FOR-US: Adrenalin HRMS Software CVE-2018-12231 RESERVED CVE-2018-12230 (An wrong logical check identified in the transferFrom function of a sm ...) NOT-FOR-US: smart contract implementation for RemiCoin (RMC) CVE-2018-12229 (Cross-site scripting (XSS) vulnerability in Public Knowledge Project ( ...) NOT-FOR-US: Public Knowledge Project (PKP) Open Journal System (OJS) CVE-2017-18291 (An issue was discovered in PvPGN Stats 2.4.6. SQL Injection exists in ...) NOT-FOR-US: PvPGN Stats (relates to pvpgn, but the PHP utilities allowing integration with a PvPGN game server) CVE-2017-18290 (An issue was discovered in PvPGN Stats 2.4.6. SQL Injection exists in ...) NOT-FOR-US: PvPGN Stats (relates to pvpgn, but the PHP utilities allowing integration with a PvPGN game server) CVE-2017-18289 (An issue was discovered in PvPGN Stats 2.4.6. SQL Injection exist in l ...) NOT-FOR-US: PvPGN Stats (relates to pvpgn, but the PHP utilities allowing integration with a PvPGN game server) CVE-2017-18288 (An issue was discovered in PvPGN Stats 2.4.6. SQL Injection exists in ...) NOT-FOR-US: PvPGN Stats (relates to pvpgn, but the PHP utilities allowing integration with a PvPGN game server) CVE-2017-18287 (An issue was discovered in PvPGN Stats 2.4.6. SQL Injection exists in ...) NOT-FOR-US: PvPGN Stats (relates to pvpgn, but the PHP utilities allowing integration with a PvPGN game server) CVE-2018-12233 (In the ea_get function in fs/jfs/xattr.c in the Linux kernel through 4 ...) {DLA-1423-1 DLA-1422-1} - linux 4.17.3-1 [stretch] - linux 4.9.110-1 NOTE: https://lkml.org/lkml/2018/6/2/2 CVE-2018-12232 (In net/socket.c in the Linux kernel through 4.17.1, there is a race co ...) - linux 4.17.3-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/6d8c50dcb029872b298eea68cc6209c866fd3e14 CVE-2018-12228 (An issue was discovered in Asterisk Open Source 15.x before 15.4.1. Wh ...) - asterisk (Only affects 15.x) NOTE: http://downloads.asterisk.org/pub/security/AST-2018-007.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27807 CVE-2018-12227 (An issue was discovered in Asterisk Open Source 13.x before 13.21.1, 1 ...) {DSA-4320-1} - asterisk 1:13.22.0~dfsg-1 (bug #902954) [jessie] - asterisk (vulnerable code not present) NOTE: http://downloads.asterisk.org/pub/security/AST-2018-008.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27818 CVE-2018-12226 RESERVED CVE-2018-12225 RESERVED CVE-2018-12224 (Buffer leakage in igdkm64.sys in Intel(R) Graphics Driver for Windows* ...) NOT-FOR-US: Intel CVE-2018-12223 (Insufficient access control in User Mode Driver in Intel(R) Graphics D ...) NOT-FOR-US: Intel CVE-2018-12222 (Insufficient input validation in Kernel Mode Driver in Intel(R) Graphi ...) NOT-FOR-US: Intel CVE-2018-12221 (Insufficient input validation in Kernel Mode Driver in Intel(R) Graphi ...) NOT-FOR-US: Intel CVE-2018-12220 (Logic bug in Kernel Mode Driver in Intel(R) Graphics Driver for Window ...) NOT-FOR-US: Intel CVE-2018-12219 (Insufficient input validation in Kernel Mode Driver in Intel(R) Graphi ...) NOT-FOR-US: Intel CVE-2018-12218 (Unhandled exception in User Mode Driver in Intel(R) Graphics Driver fo ...) NOT-FOR-US: Intel CVE-2018-12217 (Insufficient access control in Kernel Mode Driver in Intel(R) Graphics ...) NOT-FOR-US: Intel CVE-2018-12216 (Insufficient input validation in Kernel Mode Driver in Intel(R) Graphi ...) NOT-FOR-US: Intel CVE-2018-12215 (Insufficient input validation in Kernel Mode Driver in Intel(R) Graphi ...) NOT-FOR-US: Intel CVE-2018-12214 (Potential memory corruption in Kernel Mode Driver in Intel(R) Graphics ...) NOT-FOR-US: Intel CVE-2018-12213 (Potential memory corruption in Kernel Mode Driver in Intel(R) Graphics ...) NOT-FOR-US: Intel CVE-2018-12212 (Buffer overflow in User Mode Driver in Intel(R) Graphics Driver for Wi ...) NOT-FOR-US: Intel CVE-2018-12211 (Insufficient input validation in User Mode Driver in Intel(R) Graphics ...) NOT-FOR-US: Intel CVE-2018-12210 (Multiple pointer dereferences in User Mode Driver in Intel(R) Graphics ...) NOT-FOR-US: Intel CVE-2018-12209 (Insufficient access control in User Mode Driver in Intel(R) Graphics D ...) NOT-FOR-US: Intel CVE-2018-12208 (Buffer overflow in HECI subsystem in Intel(R) CSME before versions 11. ...) NOT-FOR-US: Intel CVE-2018-12207 (Improper invalidation for page table updates by a virtual guest operat ...) {DSA-4602-1 DSA-4564-1 DLA-1990-1} - linux 5.3.9-2 [jessie] - linux (Untrusted guests are no longer supportable) - xen 4.11.3+24-g14b62ab3e5-1 (bug #947944) [jessie] - xen (Not supported in jessie LTS) NOTE: https://software.intel.com/security-software-guidance/insights/deep-dive-machine-check-error-avoidance-page-size-change-0 NOTE: https://xenbits.xen.org/xsa/advisory-304.html CVE-2018-12206 (Improper configuration of hardware access in Intel QuickAssist Technol ...) NOT-FOR-US: Intel QuickAssist Technology for Linux CVE-2018-12205 (Improper certificate validation in Platform Sample/ Silicon Reference ...) NOT-FOR-US: Intel CVE-2018-12204 (Improper memory initialization in Platform Sample/Silicon Reference fi ...) NOT-FOR-US: Intel CVE-2018-12203 (Denial of service vulnerability in Platform Sample/ Silicon Reference ...) NOT-FOR-US: Intel CVE-2018-12202 (Privilege escalation vulnerability in Platform Sample/ Silicon Referen ...) NOT-FOR-US: Intel CVE-2018-12201 (Buffer overflow vulnerability in Platform Sample / Silicon Reference f ...) NOT-FOR-US: Intel CVE-2018-12200 (Insufficient access control in Intel(R) Capability Licensing Service b ...) NOT-FOR-US: Intel CVE-2018-12199 (Buffer overflow in an OS component in Intel CSME before versions 11.8. ...) NOT-FOR-US: Intel CVE-2018-12198 (Insufficient input validation in Intel(R) Server Platform Services HEC ...) NOT-FOR-US: Intel CVE-2018-12197 RESERVED CVE-2018-12196 (Insufficient input validation in Intel(R) AMT in Intel(R) CSME before ...) NOT-FOR-US: Intel CVE-2018-12195 RESERVED CVE-2018-12194 RESERVED CVE-2018-12193 (Insufficient access control in driver stack for Intel QuickAssist Tech ...) NOT-FOR-US: Intel CVE-2018-12192 (Logic bug in Kernel subsystem in Intel CSME before version 11.8.60, 11 ...) NOT-FOR-US: Intel CVE-2018-12191 (Bounds check in Kernel subsystem in Intel CSME before version 11.8.60, ...) NOT-FOR-US: Intel CVE-2018-12190 (Insufficient input validation in Intel(r) CSME subsystem before versio ...) NOT-FOR-US: Intel CVE-2018-12189 (Unhandled exception in Content Protection subsystem in Intel CSME befo ...) NOT-FOR-US: Intel CVE-2018-12188 (Insufficient input validation in Intel CSME before versions 11.8.60, 1 ...) NOT-FOR-US: Intel CVE-2018-12187 (Insufficient input validation in Intel(R) Active Management Technology ...) NOT-FOR-US: Intel CVE-2018-12186 RESERVED CVE-2018-12185 (Insufficient input validation in Intel(R) AMT in Intel(R) CSME before ...) NOT-FOR-US: Intel CVE-2018-12184 RESERVED CVE-2018-12183 (Stack overflow in DxeCore for EDK II may allow an unauthenticated user ...) - edk2 0~20181115.85588389-1 [buster] - edk2 (Minor issue) [stretch] - edk2 (Minor issue) [jessie] - edk2 (non-free) NOTE: https://github.com/tianocore/edk2/commit/0a0d5296e448fc350de1594c49b9c0deff7fad60 CVE-2018-12182 (Insufficient memory write check in SMM service for EDK II may allow an ...) - edk2 (See https://bugzilla.tianocore.org/show_bug.cgi?id=1136#c13) NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1136 CVE-2018-12181 (Stack overflow in corrupted bmp for EDK II may allow unprivileged user ...) - edk2 0~20181115.85588389-3 (bug #924615) [stretch] - edk2 0~20161202.7bbe0b3e-1+deb9u1 [jessie] - edk2 (non-free is not supported) NOTE: https://lists.01.org/pipermail/edk2-devel/2019-March/037626.html CVE-2018-12180 (Buffer overflow in BlockIo service for EDK II may allow an unauthentic ...) - edk2 0~20181115.85588389-3 (bug #924615) [stretch] - edk2 0~20161202.7bbe0b3e-1+deb9u1 [jessie] - edk2 (non-free is not supported) NOTE: https://lists.01.org/pipermail/edk2-devel/2019-February/037248.html NOTE: https://lists.01.org/pipermail/edk2-devel/2019-February/037249.html NOTE: https://lists.01.org/pipermail/edk2-devel/2019-February/037250.html NOTE: https://github.com/tianocore/edk2/commit/38c9fbdcaa0219eb86fe82d90e3f8cfb5a54be9f NOTE: https://github.com/tianocore/edk2/commit/fccdb88022c1f6d85c773fce506b10c879063f1d CVE-2018-12179 (Improper configuration in system firmware for EDK II may allow unauthe ...) - edk2 0~20190606.20d2e5a1-2 (unimportant; bug #927484) NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1133 NOTE: OpalPassword code is not enabled in Debian images CVE-2018-12178 (Buffer overflow in network stack for EDK II may allow unprivileged use ...) - edk2 0~20181115.85588389-3 (bug #924615) [stretch] - edk2 0~20161202.7bbe0b3e-1+deb9u1 [jessie] - edk2 (non-free is not supported) NOTE: https://lists.01.org/pipermail/edk2-devel/2019-February/037251.html NOTE: https://github.com/tianocore/edk2/commit/84110bbe4bb3a346514b9bb12eadb7586bca7dfd CVE-2018-12177 (Improper directory permissions in the ZeroConfig service in Intel(R) P ...) NOT-FOR-US: Intel PROSet/Wireless WiFi Software CVE-2018-12176 (Improper input validation in firmware for Intel NUC Kits may allow a p ...) NOT-FOR-US: Intel CVE-2018-12175 (Default install directory permissions in Intel Distribution for Python ...) NOT-FOR-US: Intel Distribution for Python CVE-2018-12174 (Heap overflow in Intel Trace Analyzer 2018 in Intel Parallel Studio XE ...) NOT-FOR-US: Intel CVE-2018-12173 (Insufficient access protection in firmware in Intel Server Board, Inte ...) NOT-FOR-US: Intel CVE-2018-12172 (Improper password hashing in firmware in Intel Server Board (S7200AP,S ...) NOT-FOR-US: Intel CVE-2018-12171 (Privilege escalation in Intel Baseboard Management Controller (BMC) fi ...) NOT-FOR-US: Intel Baseboard Management Controller firmware CVE-2018-12170 RESERVED CVE-2018-12169 (Platform sample code firmware in 4th Generation Intel Core Processor, ...) NOT-FOR-US: Intel NOTE: https://edk2-docs.gitbooks.io/security-advisory/content/unauthenticated-firmware-chain-of-trust-bypass.html CVE-2018-12168 (Privilege escalation in file permissions in Intel Computing Improvemen ...) NOT-FOR-US: Intel CVE-2018-12167 (Firmware update routine in bootloader for Intel(R) Optane(TM) SSD DC P ...) NOT-FOR-US: Intel CVE-2018-12166 (Insufficient write protection in firmware for Intel(R) Optane(TM) SSD ...) NOT-FOR-US: Intel CVE-2018-12165 RESERVED CVE-2018-12164 RESERVED CVE-2018-12163 (A DLL injection vulnerability in the Intel IoT Developers Kit 4.0 inst ...) NOT-FOR-US: Intel IoT Developers Kit CVE-2018-12162 (Directory permissions in the Intel OpenVINO Toolkit for Windows before ...) NOT-FOR-US: Intel OpenVINO Toolkit for Windows CVE-2018-12161 (Insufficient session validation in the webserver component of the Inte ...) NOT-FOR-US: Intel Rapid Web Server CVE-2018-12160 (DLL injection vulnerability in software installer for Intel Data Cente ...) NOT-FOR-US: Intel CVE-2018-12159 (Buffer overflow in the command-line interface for Intel(R) PROSet Wire ...) NOT-FOR-US: Intel CVE-2018-12158 (Insufficient input validation in BIOS update utility in Intel NUC FW k ...) NOT-FOR-US: Intel CVE-2018-12157 RESERVED CVE-2018-12156 RESERVED CVE-2018-12155 (Data leakage in cryptographic libraries for Intel IPP before 2019 upda ...) NOT-FOR-US: Intel CVE-2018-12154 (Denial of Service in Unified Shader Compiler in Intel Graphics Drivers ...) NOT-FOR-US: Intel CVE-2018-12153 (Denial of Service in Unified Shader Compiler in Intel Graphics Drivers ...) NOT-FOR-US: Intel CVE-2018-12152 (Pointer corruption in Unified Shader Compiler in Intel Graphics Driver ...) NOT-FOR-US: Intel CVE-2018-12151 (Buffer overflow in installer for Intel Extreme Tuning Utility before 6 ...) NOT-FOR-US: Intel CVE-2018-12150 (Escalation of privilege in Installer for Intel Extreme Tuning Utility ...) NOT-FOR-US: Intel CVE-2018-12149 (Buffer overflow in input handling in Intel Extreme Tuning Utility befo ...) NOT-FOR-US: Intel CVE-2018-12148 (Privilege escalation in file permissions in Intel Driver and Support A ...) NOT-FOR-US: Intel CVE-2018-12147 (Insufficient input validation in HECI subsystem in Intel(R) CSME befor ...) NOT-FOR-US: Intel CVE-2018-12146 RESERVED CVE-2018-12145 RESERVED CVE-2018-12144 RESERVED CVE-2018-12143 RESERVED CVE-2018-12142 RESERVED CVE-2018-12141 RESERVED CVE-2018-12140 RESERVED CVE-2018-12139 RESERVED CVE-2018-12138 RESERVED CVE-2018-12137 RESERVED CVE-2018-12136 RESERVED CVE-2018-12135 RESERVED CVE-2018-12134 RESERVED CVE-2018-12133 RESERVED CVE-2018-12132 RESERVED CVE-2018-12131 (Permissions in the driver pack installers for Intel NVMe before versio ...) NOT-FOR-US: Intel CVE-2018-12130 (Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill buffers on ...) {DSA-4447-1 DSA-4444-1 DLA-1789-2 DLA-1799-1 DLA-1789-1 DLA-1787-1} - intel-microcode 3.20190514.1 - linux 4.19.37-2 - xen 4.11.1+92-g6c33308a8d-1 (bug #929129) [stretch] - xen 4.8.5.final+shim4.10.4-1+deb9u12 [jessie] - xen (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) NOTE: https://git.kernel.org/linus/fa4bff165070dc40a3de35b78e4f8da8e8d85ec5 NOTE: https://software.intel.com/security-software-guidance/software-guidance/microarchitectural-data-sampling NOTE: https://xenbits.xen.org/xsa/advisory-297.html NOTE: libvirt support for md-clear CPUID bit: NOTE: https://libvirt.org/git/?p=libvirt.git;a=commit;h=538d873571d7a682852dc1d70e5f4478f4d64e85 NOTE: qemu and libvirt need updates to passthrough md-clear, see #929067 for qemu and #929154 for libvirt CVE-2018-12129 RESERVED CVE-2018-12128 RESERVED CVE-2018-12127 (Microarchitectural Load Port Data Sampling (MLPDS): Load ports on some ...) {DSA-4447-1 DSA-4444-1 DLA-1789-2 DLA-1799-1 DLA-1789-1 DLA-1787-1} - intel-microcode 3.20190514.1 - linux 4.19.37-2 - xen 4.11.1+92-g6c33308a8d-1 (bug #929129) [stretch] - xen 4.8.5.final+shim4.10.4-1+deb9u12 [jessie] - xen (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) NOTE: https://git.kernel.org/linus/fa4bff165070dc40a3de35b78e4f8da8e8d85ec5 NOTE: https://software.intel.com/security-software-guidance/software-guidance/microarchitectural-data-sampling NOTE: https://xenbits.xen.org/xsa/advisory-297.html NOTE: libvirt support for md-clear CPUID bit: NOTE: https://libvirt.org/git/?p=libvirt.git;a=commit;h=538d873571d7a682852dc1d70e5f4478f4d64e85 NOTE: qemu and libvirt need updates to passthrough md-clear, see #929067 for qemu and #929154 for libvirt CVE-2018-12126 (Microarchitectural Store Buffer Data Sampling (MSBDS): Store buffers o ...) {DSA-4447-1 DSA-4444-1 DLA-1789-2 DLA-1799-1 DLA-1789-1 DLA-1787-1} - intel-microcode 3.20190514.1 - linux 4.19.37-2 - xen 4.11.1+92-g6c33308a8d-1 (bug #929129) [stretch] - xen 4.8.5.final+shim4.10.4-1+deb9u12 [jessie] - xen (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) NOTE: https://git.kernel.org/linus/fa4bff165070dc40a3de35b78e4f8da8e8d85ec5 NOTE: https://software.intel.com/security-software-guidance/software-guidance/microarchitectural-data-sampling NOTE: https://xenbits.xen.org/xsa/advisory-297.html NOTE: libvirt support for md-clear CPUID bit: NOTE: https://libvirt.org/git/?p=libvirt.git;a=commit;h=538d873571d7a682852dc1d70e5f4478f4d64e85 NOTE: qemu and libvirt need updates to passthrough md-clear, see #929067 for qemu and #929154 for libvirt CVE-2018-12125 RESERVED CVE-2018-12124 RESERVED CVE-2018-12123 (Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11. ...) - nodejs 10.15.0~dfsg-6 (unimportant) NOTE: https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ NOTE: Nodejs not covered by security support NOTE: Patch (v8): https://github.com/nodejs/node/commit/53a6e4eb2002efc66eb9aefe24529fb63715094e CVE-2018-12122 (Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11. ...) - nodejs 10.15.0~dfsg-6 (unimportant) NOTE: https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ NOTE: Nodejs not covered by security support NOTE: Patch (v8): https://github.com/nodejs/node/commit/696f063c5e9157fd10859515da00fd8bd190d76d CVE-2018-12121 (Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11. ...) - nodejs 10.15.0~dfsg-6 (unimportant) NOTE: https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ NOTE: Nodejs not covered by security support NOTE: Patch (v8): https://github.com/nodejs/node/commit/93dba83fb0fb46ee2ea87163f435392490b4d59b CVE-2018-12120 (Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 list ...) - nodejs 8.9.3~dfsg-5 (unimportant) NOTE: https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ NOTE: Nodejs not covered by security support NOTE: Code got removed in 8.x, so marking first 8.x version in sid as fixed NOTE: Patch (v6): https://github.com/nodejs/node/commit/a9791c9090927b41a8bbfad254a2279204508059 CVE-2018-12119 RESERVED CVE-2018-12118 RESERVED CVE-2018-12117 RESERVED CVE-2018-12116 (Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request ...) - nodejs 10.15.0~dfsg-6 (unimportant) NOTE: https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ NOTE: Nodejs not covered by security support NOTE: Patch (v8): https://github.com/nodejs/node/commit/513e9747a22386bc9c93a12f9698561827a1e631 NOTE: Only affects 6.x and 8.x, marking first 10.x release as fixed CVE-2018-12115 (In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when use ...) - nodejs 10.15.0~dfsg-6 (unimportant) NOTE: https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/ NOTE: Nodejs not covered by security support NOTE: https://github.com/nodejs/node/commit/fc14d812b7 CVE-2018-12114 (Maccms 10 allows CSRF via admin.php/admin/admin/info.html to add user ...) NOT-FOR-US: Maccms CVE-2018-12113 (Core FTP LE version 2.2 Build 1921 is prone to a buffer overflow vulne ...) NOT-FOR-US: Core FTP LE CVE-2018-12112 (md_build_attribute in md4c.c in md4c 0.2.6 allows remote attackers to ...) NOT-FOR-US: md4c CVE-2018-12111 (Cross-site scripting (XSS) vulnerability in the Canon PrintMe EFI webi ...) NOT-FOR-US: Canon PrintMe EFI webinterface CVE-2018-12110 (portfolioCMS 1.0.5 has SQL Injection via the admin/portfolio.php previ ...) NOT-FOR-US: portfolioCMS CVE-2018-12109 (An issue was discovered in Free Lossless Image Format (FLIF) 0.3. The ...) - flif (bug #902196) NOTE: https://github.com/FLIF-hub/FLIF/issues/513 CVE-2018-12108 (An issue was discovered in Dropbox Lepton 1.2.1. The validateAndCompre ...) - lepton (bug #905494) NOTE: https://github.com/dropbox/lepton/issues/107 CVE-2018-12107 RESERVED CVE-2018-12106 RESERVED CVE-2018-12105 RESERVED CVE-2018-12104 (Cross-site scripting (XSS) vulnerability in Airbnb Knowledge Repo 0.7. ...) NOT-FOR-US: Airbnb Knowledge Repo CVE-2018-12103 (An issue was discovered on D-Link DIR-890L with firmware 1.21B02beta01 ...) NOT-FOR-US: D-Link CVE-2018-12102 (md4c 0.2.6 has a NULL pointer dereference in the function md_process_l ...) NOT-FOR-US: md4c CVE-2018-12101 (CMS Clipper 1.3.3 has XSS in the Security tab search, User Groups, Res ...) NOT-FOR-US: CMS Clipper CVE-2018-12100 (Sonatype Nexus Repository Manager versions 3.x before 3.12.0 has XSS i ...) NOT-FOR-US: Sonatype Nexus Repository Manager CVE-2018-12099 (Grafana before 5.2.0-beta1 has XSS vulnerabilities in dashboard links. ...) - grafana (Vulnerable code introduced later) NOTE: https://github.com/grafana/grafana/pull/11813 CVE-2018-12098 (** DISPUTED ** The liblnk_data_block_read function in liblnk_data_bloc ...) - liblnk 20180626-1 (unimportant; bug #901962) NOTE: http://seclists.org/fulldisclosure/2018/Jun/33 NOTE: https://github.com/libyal/liblnk/commit/cb7fe0c66a5a01c19f1953fc7814c4fedfdc5785 NOTE: https://github.com/libyal/liblnk/issues/32 NOTE: https://github.com/libyal/liblnk/issues/33 NOTE: Questionable/negligabe security impact CVE-2018-12097 (** DISPUTED ** The liblnk_location_information_read_data function in l ...) - liblnk (unimportant; bug #901962) NOTE: http://seclists.org/fulldisclosure/2018/Jun/33 NOTE: https://github.com/libyal/liblnk/commit/cb7fe0c66a5a01c19f1953fc7814c4fedfdc5785 NOTE: https://github.com/libyal/liblnk/issues/32 NOTE: https://github.com/libyal/liblnk/issues/33 NOTE: Questionable/negligabe security impact CVE-2018-12096 (** DISPUTED ** The liblnk_data_string_get_utf8_string_size function in ...) - liblnk (unimportant; bug #901962) NOTE: http://seclists.org/fulldisclosure/2018/Jun/33 NOTE: https://github.com/libyal/liblnk/issues/32 NOTE: https://github.com/libyal/liblnk/issues/33 NOTE: Questionable/negligabe security impact CVE-2018-12095 (A Reflected Cross-Site Scripting web vulnerability has been discovered ...) NOT-FOR-US: OEcms CVE-2018-12094 (Cross-site scripting (XSS) vulnerability in news.php in Dimofinf CMS V ...) NOT-FOR-US: Dimofinf CMS CVE-2018-12093 (tinyexr 0.9.5 has a memory leak in ParseEXRHeaderFromMemory in tinyexr ...) NOT-FOR-US: tinyexr CVE-2018-12092 (tinyexr 0.9.5 has a heap-based buffer over-read in tinyexr::DecodePixe ...) NOT-FOR-US: tinyexr CVE-2018-12091 RESERVED CVE-2018-12090 (There is unauthenticated reflected cross-site scripting (XSS) in LAMS ...) NOT-FOR-US: LAMS CVE-2018-12089 (In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View ...) NOT-FOR-US: Octopus Deploy CVE-2018-12291 (The on_get_missing_events function in handlers/federation.py in Matrix ...) - matrix-synapse 0.31.1+dfsg-1 (bug #901293) NOTE: https://github.com/matrix-org/synapse/pull/3371 NOTE: https://github.com/matrix-org/synapse/commit/0834b49c6a9b6c597a154d4b2dfcf8fff90699ec NOTE: https://matrix.org/blog/2018/06/08/synapse-0-31-1-released/ CVE-2018-12088 (S3QL before 2.27 mishandles checksumming, and consequently allows repl ...) - s3ql 2.27.1+dfsg-1 (low) [stretch] - s3ql (Minor issue, backports would change the file system revision rendering it unable to read older file systems) [jessie] - s3ql (Minor issue, backports would change the file system revision rendering it unable to read older file systems) NOTE: https://groups.google.com/forum/#!topic/s3ql/4TzCVIMkA4o NOTE: https://bitbucket.org/nikratio/s3ql/commits/85aba5c2d5c81453a73a50ed638adaeef0521020 CVE-2018-12087 (Failure to validate certificates in OPC Foundation UA Client Applicati ...) NOT-FOR-US: OPC UA CVE-2018-12086 (Buffer overflow in OPC UA applications allows remote attackers to trig ...) {DSA-4359-1} - wireshark 2.6.4-1 [jessie] - wireshark (changes are too intrusive to backport) NOTE: https://www.wireshark.org/security/wnpa-sec-2018-50.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=28a7a79cac425d1b1ecf06e73add41edd2241e49 CVE-2018-12085 (Liblouis 3.6.0 has a stack-based Buffer Overflow in the function parse ...) - liblouis 3.5.0-4 (bug #901202) [stretch] - liblouis 3.0.0-3+deb9u4 [jessie] - liblouis (Minor issue) NOTE: https://github.com/liblouis/liblouis/issues/595 NOTE: https://github.com/liblouis/liblouis/commit/dbfa58bb128cae86729578ac596056b3385817ef CVE-2018-12084 (The mintToken function of a smart contract implementation for BitAsean ...) NOT-FOR-US: BitAsean CVE-2018-12083 (The mintToken function of a smart contract implementation for GOAL Bon ...) NOT-FOR-US: GOAL CVE-2018-12082 (The mintToken function of a smart contract implementation for Fujinto ...) NOT-FOR-US: Fujinto CVE-2018-12081 (The mintToken function of a smart contract implementation for Target C ...) NOT-FOR-US: Target Coin CVE-2018-12080 (The mintToken function of a smart contract implementation for Internet ...) NOT-FOR-US: Internet Node Token CVE-2018-12079 (The mintToken function of a smart contract implementation for Substrat ...) NOT-FOR-US: Substratum CVE-2018-12078 (The mintToken function of a smart contract implementation for PolyAI ( ...) NOT-FOR-US: PolyAI CVE-2018-12077 RESERVED CVE-2018-12076 (A vulnerability in the UPC bar code of the Avanti Markets MarketCard c ...) NOT-FOR-US: Avanti Markets MarketCard CVE-2018-12075 RESERVED CVE-2018-12074 RESERVED CVE-2018-12073 (An issue was discovered on Eminent EM4544 9.10 devices. The device doe ...) NOT-FOR-US: Eminent EM4544 9.10 devices CVE-2018-12072 (An issue was discovered in Cloud Media Popcorn A-200 03-05-130708-21-P ...) NOT-FOR-US: Cloud Media Popcorn A-200 03-05-130708-21-POP-411-000 firmware CVE-2018-12071 (A Session Fixation issue exists in CodeIgniter before 3.1.9 because se ...) - codeigniter (bug #471583) CVE-2018-12070 (The sell function of a smart contract implementation for SEC, a tradab ...) NOT-FOR-US: SEC CVE-2018-12069 RESERVED CVE-2018-12068 (The sell function of a smart contract implementation for Target Coin ( ...) NOT-FOR-US: Target Coin CVE-2018-12067 (The sell function of a smart contract implementation for Substratum (S ...) NOT-FOR-US: Substratum CVE-2018-12065 (A Local File Inclusion vulnerability in /system/WCore/WHelper.php in C ...) NOT-FOR-US: wityCMS CVE-2018-12064 (tinyexr 0.9.5 has a heap-based buffer over-read via tinyexr::ReadChann ...) NOT-FOR-US: tinyexr CVE-2018-12063 (The sell function of a smart contract implementation for Internet Node ...) NOT-FOR-US: Internet Node Token CVE-2018-12062 (The sell function of a smart contract implementation for SwftCoin (SWF ...) NOT-FOR-US: SwfCoin CVE-2018-12061 RESERVED CVE-2018-12060 RESERVED CVE-2018-12059 RESERVED CVE-2018-12058 RESERVED CVE-2018-12057 RESERVED CVE-2018-12056 (The maxRandom function of a smart contract implementation for All For ...) NOT-FOR-US: smart contract implementation for All For One CVE-2018-12055 (Multiple SQL Injections exist in PHP Scripts Mall Schools Alert Manage ...) NOT-FOR-US: PHP Scripts Mall Schools Alert Management Script CVE-2018-12054 (Arbitrary File Read exists in PHP Scripts Mall Schools Alert Managemen ...) NOT-FOR-US: PHP Scripts Mall Schools Alert Management Script CVE-2018-12053 (Arbitrary File Deletion exists in PHP Scripts Mall Schools Alert Manag ...) NOT-FOR-US: PHP Scripts Mall Schools Alert Management Script CVE-2018-12052 (SQL Injection exists in PHP Scripts Mall Schools Alert Management Scri ...) NOT-FOR-US: PHP Scripts Mall Schools Alert Management Script CVE-2018-12051 (Arbitrary File Upload and Remote Code Execution exist in PHP Scripts M ...) NOT-FOR-US: PHP Scripts Mall Schools Alert Management Script CVE-2018-12050 RESERVED CVE-2018-13346 (The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorr ...) {DLA-1414-1} - mercurial 4.6.1-1 (bug #901050) NOTE: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29 NOTE: https://www.mercurial-scm.org/repo/hg/rev/faa924469635 CVE-2018-13347 (mpatch.c in Mercurial before 4.6.1 mishandles integer addition and sub ...) {DLA-1414-1} - mercurial 4.6.1-1 (bug #901050) NOTE: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29 NOTE: https://www.mercurial-scm.org/repo/hg/rev/1acfc35d478c NOTE: there are actually 6 more patches required to completely fix bug #901050, NOTE: see https://www.mercurial-scm.org/repo/hg-committed/log?rev=modifies%28%22mercurial%2Fmpatch.c%22%29+and+4.5%3A%3A NOTE: upstream proposes we use OVE-20180430-0002 to cover all undefined behavior NOTE: cases which the 6 patches fix CVE-2018-13348 (The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 misha ...) {DLA-1414-1} - mercurial 4.6.1-1 (bug #901050) NOTE: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29 NOTE: https://www.mercurial-scm.org/repo/hg/rev/90a274965de7 CVE-2018-12049 (** DISPUTED ** A remote attacker can bypass the System Manager Mode on ...) NOT-FOR-US: Canon CVE-2018-12048 (** DISPUTED ** A remote attacker can bypass the Management Mode on the ...) NOT-FOR-US: Canon CVE-2018-12047 (xfind/search in Ximdex 4.0 has XSS via the filter[n][value] parameters ...) NOT-FOR-US: Ximdex CVE-2018-12046 (DedeCMS through 5.7SP2 allows arbitrary file write in dede/file_manage ...) NOT-FOR-US: DedeCMS CVE-2018-12045 (DedeCMS through V5.7SP2 allows arbitrary file upload in dede/file_mana ...) NOT-FOR-US: DedeCMS CVE-2018-12044 RESERVED CVE-2018-12043 (content/content.blueprintspages.php in Symphony 2.7.6 has XSS via the ...) NOT-FOR-US: Symphony CMS CVE-2018-12042 (Roxy Fileman through v1.4.5 has Directory traversal via the php/downlo ...) NOT-FOR-US: Roxy Fileman CVE-2018-12041 (An issue was discovered on the MediaTek AWUS036NH wireless USB adapter ...) NOT-FOR-US: MediaTek CVE-2018-12040 (** DISPUTED ** Reflected Cross-site scripting (XSS) vulnerability in t ...) - symfony 3.4.12+dfsg-1 (unimportant) NOTE: https://github.com/symfony/symfony/issues/28002 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1590702 CVE-2018-12039 (joyplus-cms 1.6.0 allows Remote Code Execution because of an Arbitrary ...) NOT-FOR-US: joyplus-cms CVE-2018-12038 (An issue was discovered on Samsung 840 EVO devices. Vendor-specific co ...) NOT-FOR-US: Samsung 840 EVO devices CVE-2018-12037 (An issue was discovered on Samsung 840 EVO and 850 EVO devices (only i ...) NOT-FOR-US: Samsung CVE-2018-12036 (OWASP Dependency-Check before 3.2.0 allows attackers to write to arbit ...) NOT-FOR-US: OWASP Dependency-Check CVE-2018-12035 (In YARA 3.7.1 and prior, parsing a specially crafted compiled rule fil ...) - yara 3.7.1-3 (low) [stretch] - yara (Minor issue) [jessie] - yara (Minor issue) NOTE: https://github.com/VirusTotal/yara/issues/891 CVE-2018-12034 (In YARA 3.7.1 and prior, parsing a specially crafted compiled rule fil ...) - yara 3.7.1-3 (low) [stretch] - yara (Minor issue) [jessie] - yara (Minor issue) NOTE: https://github.com/VirusTotal/yara/issues/891 CVE-2018-12033 RESERVED CVE-2018-12032 RESERVED CVE-2018-12031 (Local file inclusion in Eaton Intelligent Power Manager v1.6 allows an ...) NOT-FOR-US: Eaton Intelligent Power Manager CVE-2018-12030 (Chevereto Free before 1.0.13 has XSS. ...) NOT-FOR-US: Chevereto Free CVE-2018-12029 (A race condition in the nginx module in Phusion Passenger 3.x through ...) {DLA-1399-1} - passenger 5.0.30-1.1 (bug #921767; unimportant) [stretch] - passenger 5.0.30-1+deb9u1 - ruby-passenger (unimportant) NOTE: https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes/ NOTE: https://github.com/phusion/passenger/commit/207870f5b7f5cc240587ab0977d6046782ae1d86 (release-5.3.2) NOTE: unimportant as nginx module not built. NOTE: Related hardening commits: NOTE: https://github.com/phusion/passenger/commit/9ed61bb4641ba1f5158fca3840d4e4088805b5af (release-5.3.2) NOTE: https://github.com/phusion/passenger/commit/4f663c8246f529e32575d50196d11cde12a6dfda (release-5.3.3) NOTE: https://pulsesecurity.co.nz/advisories/phusion-passenger-priv-esc CVE-2018-12028 (An Incorrect Access Control vulnerability in SpawningKit in Phusion Pa ...) - passenger (Introduced in 5.3.0 with major refactoring of SpawningKit) - ruby-passenger (Introduced in 5.3.0 with major refactoring of SpawningKit) NOTE: https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes/ CVE-2018-12027 (An Insecure Permissions vulnerability in SpawningKit in Phusion Passen ...) - passenger (Introduced in 5.3.0 with major refactoring of SpawningKit) - ruby-passenger (Introduced in 5.3.0 with major refactoring of SpawningKit) NOTE: https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes/ CVE-2018-12026 (During the spawning of a malicious Passenger-managed application, Spaw ...) - passenger (Introduced in 5.3.0 with major refactoring of SpawningKit) - ruby-passenger (Introduced in 5.3.0 with major refactoring of SpawningKit) NOTE: https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes/ CVE-2018-12025 (The transferFrom function of a smart contract implementation for Futur ...) NOT-FOR-US: FuturXE CVE-2018-12024 RESERVED CVE-2018-12023 (An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4 ...) {DSA-4452-1 DLA-1703-1} - jackson-databind 2.9.8-1 NOTE: https://github.com/FasterXML/jackson-databind/issues/2058 NOTE: https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a1 CVE-2018-12022 (An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4 ...) {DSA-4452-1 DLA-1703-1} - jackson-databind 2.9.8-1 NOTE: https://github.com/FasterXML/jackson-databind/issues/2052 NOTE: https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a1 CVE-2018-12021 (Singularity 2.3.0 through 2.5.1 is affected by an incorrect access con ...) - singularity-container 2.5.2-1 NOTE: https://github.com/singularityware/singularity/releases/tag/2.5.2 CVE-2018-12020 (mainproc.c in GnuPG before 2.2.8 mishandles the original filename duri ...) {DSA-4224-1 DSA-4223-1 DSA-4222-1} - enigmail 2:2.0.7-1 [jessie] - enigmail (see https://lists.debian.org/debian-lts-announce/2019/02/msg00002.html) - gnupg2 2.2.8-1 - gnupg1 1.4.22-5 (bug #901088) - gnupg NOTE: https://dev.gnupg.org/T4012 NOTE: https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=210e402acd3e284b32db1901e43bf1470e659e49 (STABLE-BRANCH-2-2) NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2326851c60793653069494379b16d84e4c10a0ac (STABLE-BRANCH-1-4) NOTE: http://www.openwall.com/lists/oss-security/2018/06/13/10 NOTE: https://neopg.io/blog/gpg-signature-spoof/ CVE-2018-12019 (The signature verification routine in Enigmail before 2.0.7 interprets ...) - enigmail 2:2.0.7-1 [jessie] - enigmail (see https://lists.debian.org/debian-lts-announce/2019/02/msg00002.html) NOTE: http://www.openwall.com/lists/oss-security/2018/06/13/10 NOTE: https://neopg.io/blog/enigmail-signature-spoof/ CVE-2018-12018 (The GetBlockHeadersMsg handler in the LES protocol implementation in G ...) NOT-FOR-US: Go Ethereum CVE-2018-12017 RESERVED CVE-2018-12016 (libephymain.so in GNOME Web (aka Epiphany) through 3.28.2.1 allows rem ...) - epiphany-browser 3.28.3.1-1 (unimportant; bug #901018) NOTE: webkit not covered by security support CVE-2018-12014 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: CodeAurora components for Android CVE-2018-12013 (Improper authentication in locked memory region can lead to unprivilge ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-12012 (While updating blacklisting region shared buffered memory region is no ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-12011 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: CodeAurora components for Android CVE-2018-12010 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: CodeAurora components for Android CVE-2018-12009 RESERVED CVE-2018-12008 RESERVED CVE-2018-12007 RESERVED CVE-2018-12006 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: CodeAurora components for Android CVE-2018-12005 (An unprivileged user can issue a binder call and cause a system halt i ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-12004 (Secure keypad is unlocked with secure display still intact in Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-12003 RESERVED CVE-2018-12002 RESERVED CVE-2018-12001 RESERVED CVE-2018-12000 RESERVED CVE-2018-11999 (Improper input validation in trustzone can lead to denial of service i ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11998 (While processing a packet decode request in MQTT, Race condition can o ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11997 RESERVED CVE-2018-11996 (When a malformed command is sent to the device programmer, an out-of-b ...) NOT-FOR-US: Snapdragon CVE-2018-11995 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11994 (SMMU secure camera logic allows secure camera controllers to access HL ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11993 (Improper check while accessing the local memory stack on MQTT connecti ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11992 RESERVED CVE-2018-11991 RESERVED CVE-2018-11990 RESERVED CVE-2018-11989 REJECTED CVE-2018-11988 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: CodeAurora components for Android CVE-2018-11987 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) - linux (Vulnerable code path not present) NOTE: https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=5e9ffcfa152ecb2832990c42fcd8a0f2e63c2c04 NOTE: https://www.codeaurora.org/security-bulletin/2018/12/03/december-2018-code-aurora-security-bulletin#_CVE-2018-11987 NOTE: ion not enabled in Debian build and in staging anyway CVE-2018-11986 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: CodeAurora components for Android CVE-2018-11985 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: CodeAurora components for Android CVE-2018-11984 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: CodeAurora components for Android CVE-2018-11983 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: CodeAurora components for Android CVE-2018-11982 (In Snapdragon (Mobile, Wear) in version MDM9206, MDM9607, MDM9635M, MD ...) NOT-FOR-US: Snapdragon CVE-2018-11981 RESERVED CVE-2018-11980 (When a fake broadcast/multicast 11w rmf without mmie received, since n ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11979 RESERVED CVE-2018-11978 REJECTED CVE-2018-11977 REJECTED CVE-2018-11976 (ECDSA signature code leaks private keys from secure world to non-secur ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11975 REJECTED CVE-2018-11974 REJECTED CVE-2018-11973 REJECTED CVE-2018-11972 REJECTED CVE-2018-11971 (Interrupt exit code flow may undermine access control policy set forth ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11970 (TZ App dynamic allocations not protected from XBL loader in Snapdragon ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11969 REJECTED CVE-2018-11968 (Improper check before assigning value can lead to integer overflow in ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11967 (Signature verification of the skel library could potentially be disabl ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11966 (Undefined behavior in UE while processing unknown IEI in OTA message i ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11965 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: CodeAurora components for Android CVE-2018-11964 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: CodeAurora components for Android CVE-2018-11963 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: CodeAurora components for Android CVE-2018-11962 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: CodeAurora components for Android CVE-2018-11961 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: CodeAurora components for Android CVE-2018-11960 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: CodeAurora components for Android CVE-2018-11959 REJECTED CVE-2018-11958 (Insufficient protection of keys in keypad can lead HLOS to gain access ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11957 RESERVED CVE-2018-11956 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Android CVE-2018-11955 (Lack of check on length of reason-code fetched from payload may lead d ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11954 RESERVED CVE-2018-11953 (While processing ssid IE length from remote AP, possible out-of-bounds ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11952 RESERVED NOT-FOR-US: Qualcomm components for Android CVE-2018-11951 (Improper access control in core module lead XBL_LOADER performs the ZI ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11950 (Unapproved TrustZone applications can be loaded and executed in Snapdr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11949 (Failure to initialize the extra buffer can lead to an out of buffer ac ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11948 (Exceeding the limit of usage entries are not tracked and the informati ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11947 (The txrx stats req might be double freed in the pdev detach when the h ...) NOT-FOR-US: Snapdragon CVE-2018-11946 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11945 (Improper input validation in wireless service messaging module for dat ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11944 RESERVED CVE-2018-11943 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11942 (Failure to initialize the reserved memory which is sent to the firmwar ...) NOT-FOR-US: Snapdragon CVE-2018-11941 REJECTED CVE-2018-11940 (Lack of check in length before using memcpy in WLAN function can lead ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11939 (Use after issue in WLAN function due to multiple ACS scan requests at ...) NOT-FOR-US: Snapdragon CVE-2018-11938 (Improper input validation for argument received from HLOS can lead to ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11937 (Lack of input validation before copying can lead to a buffer over read ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11936 (Index of array is processed in a wrong way inside a while loop and res ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11935 (Improper input validation might result in incorrect app id returned to ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11934 (Possible out of bounds write due to improper input validation while pr ...) NOT-FOR-US: Snapdragon CVE-2018-11933 REJECTED CVE-2018-11932 (Improper input validation can lead RW access to secure subsystem from ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11931 (Improper access to HLOS is possible while transferring memory to CPZ i ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11930 (Improper input validation on input data which is used to locate and co ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11929 (Lack of input validation in WLAN function can lead to potential heap o ...) NOT-FOR-US: Snapdragon CVE-2018-11928 (Lack of check on length parameter may cause buffer overflow while proc ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11927 (Improper input validation on input which is used as an array index wil ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11926 RESERVED CVE-2018-11925 (Data length received from firmware is not validated against the max al ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11924 (Improper buffer length validation in WLAN function can lead to a poten ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11923 (Improper buffer length check before copying can lead to integer overfl ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11922 RESERVED CVE-2018-11921 (Failure condition is not handled properly and the correct error code i ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11920 RESERVED CVE-2018-11919 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11918 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11917 RESERVED CVE-2018-11916 RESERVED CVE-2018-11915 RESERVED CVE-2018-11914 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11913 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11912 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11911 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11910 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11909 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11908 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11907 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11906 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11905 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11904 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11903 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11902 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11901 RESERVED CVE-2018-11900 RESERVED CVE-2018-11899 (While processing radio connection status change events, Radio index is ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11898 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11897 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11896 RESERVED CVE-2018-11895 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11894 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11893 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11892 REJECTED CVE-2018-11891 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11890 RESERVED CVE-2018-11889 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11888 (Unauthorized access may be allowed by the SCP11 Crypto Services TA wil ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11887 RESERVED CVE-2018-11886 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11885 RESERVED CVE-2018-11884 (Improper input validation leads to buffer overflow while processing ne ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11883 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11882 (Incorrect bound check can lead to potential buffer overwrite in WLAN c ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11881 RESERVED CVE-2018-11880 (Incorrect bound check can lead to potential buffer overwrite in WLAN f ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11879 (When the buffer length passed is very large, bounds check could be byp ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11878 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11877 (When the buffer length passed is very large in WLAN, bounds check coul ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11876 (Lack of input validation while copying to buffer in WLAN will lead to ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11875 (Lack of check of buffer size before copying in a WLAN function can lea ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11874 (Buffer overflow if the length of passphrase is more than 32 when setti ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11873 (Improper input validation leads to buffer overwrite in the WLAN functi ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11872 (Improper input validation leads to buffer overwrite in the WLAN functi ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11871 (Buffer overwrite can happen in WLAN function while processing set pdev ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11870 (Buffer overwrite can occur when the legacy rates count received from t ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11869 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11868 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11867 (Lack of buffer length check before copying in WLAN function while proc ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11866 (Integer overflow may happen in WLAN when calculating an internal struc ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11865 (Integer overflow may happen when calculating an internal structure siz ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11864 (Bytes can be written to fuses from Secure region which can be read lat ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11863 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11862 (Buffer overflow can happen in WLAN module due to lack of validation of ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11861 (Buffer overflow can happen in WLAN function due to lack of validation ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11860 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11859 (Buffer overwrite can happen in WLAN due to lack of validation of the i ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11858 (When processing IE set command, buffer overwrite may occur due to lack ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11857 (Improper input validation in WLAN encrypt/decrypt module can lead to a ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11856 (Improper input validation leads to buffer overwrite in the WLAN functi ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11855 (If an end user makes use of SCP11 sample OCE code without modification ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11854 (Lack of check of valid length of input parameter may cause buffer over ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11853 (Lack of check on out of range for channels When processing channel lis ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11852 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11851 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11850 (Lack of check on remaining length parameter When processing scan start ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11849 (Lack of check on out of range of bssid parameter When processing scan ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11848 RESERVED CVE-2018-11847 (Malicious TA can tag QSEE kernel memory and map to EL0, there by corru ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11846 (The use of a non-time-constant memory comparison operation can lead to ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11845 (Usage of non-time-constant comparison functions can lead to informatio ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11844 RESERVED CVE-2018-11843 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11842 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11841 RESERVED CVE-2018-11840 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11839 RESERVED CVE-2018-11838 (Possible double free issue in WLAN due to lack of checking memory free ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11837 RESERVED CVE-2018-11836 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11835 RESERVED CVE-2018-11834 RESERVED CVE-2018-11833 RESERVED CVE-2018-11832 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Android kernel, code not in mainline CVE-2018-11831 RESERVED CVE-2018-11830 (Improper input validation in QCPE create function may lead to integer ...) NOT-FOR-US: Snapdragon CVE-2018-11829 RESERVED CVE-2018-11828 (When FW tries to get random mac address generated from new SW RNG and ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11827 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11826 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11825 REJECTED CVE-2018-11824 (A stack-based buffer overflow can occur in a firmware routine in Snapd ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11823 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Android kernel, code not in mainline CVE-2018-11822 (A possible integer overflow may happen in WLAN during memory allocatio ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11821 (Possible integer overflow may happen in WLAN during memory allocation ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11820 (Use of non-time constant memcmp function creates side channel that lea ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11819 (Use after issue in WLAN function due to multiple ACS scan requests at ...) NOT-FOR-US: Snapdragon CVE-2018-11818 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11817 RESERVED NOT-FOR-US: Qualcomm components for Android CVE-2018-11816 RESERVED NOT-FOR-US: Qualcomm components for Android CVE-2018-11815 RESERVED CVE-2018-12066 (BIRD Internet Routing Daemon before 1.6.4 allows local users to cause ...) - bird 1.6.4-1 (low; bug #900967) [stretch] - bird (Minor issue) [jessie] - bird (Minor issue) NOTE: https://gitlab.labs.nic.cz/labs/bird/blob/v1.6.4/NEWS#L11 NOTE: Fixed by: https://gitlab.labs.nic.cz/labs/bird/commit/e8bc64e308586b6502090da2775af84cd760ed0d CVE-2018-1002209 (QuaZIP before 0.7.6 is vulnerable to directory traversal, allowing att ...) - libquazip 0.7.6-1 (bug #902786) [stretch] - libquazip (Minor issue) [jessie] - libquazip (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1593011 CVE-2018-1002204 (adm-zip npm library before 0.4.9 is vulnerable to directory traversal, ...) NOT-FOR-US: adm-zip nodejs module CVE-2018-1002202 (zip4j before 1.3.3 is vulnerable to directory traversal, allowing atta ...) - zip4j (Fixed before initial upload to the archive) CVE-2018-1002201 (zt-zip before 1.13 is vulnerable to directory traversal, allowing atta ...) NOT-FOR-US: zt-zip CVE-2018-1002200 (plexus-archiver before 3.6.0 is vulnerable to directory traversal, all ...) {DSA-4227-1} - plexus-archiver 3.6.0-1 (bug #900953) NOTE: https://github.com/codehaus-plexus/plexus-archiver/pull/87 NOTE: https://github.com/codehaus-plexus/plexus-archiver/commit/58bc24e465c0842981692adbf6d75680298989de CVE-2018-1000204 (** DISPUTED ** Linux Kernel version 3.18 to 4.16 incorrectly handles a ...) {DLA-1423-1 DLA-1422-1} - linux 4.16.12-1 [stretch] - linux 4.9.107-1 NOTE: Fixed by: https://git.kernel.org/linus/a45b599ad808c3c982fdcdc12b0b8611c2f92824 CVE-2018-1000203 (Soar Labs Soar Coin version up to and including git commit 4a2aa71ee21 ...) NOT-FOR-US: Soar Labs Soar Coin CVE-2018-11814 RESERVED CVE-2018-11813 (libjpeg 9c has a large loop because read_pixel in rdtarga.c mishandles ...) - libjpeg9 1:9d-1 (unimportant; bug #904719) - libjpeg-turbo (unimportant) NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/909a8cfc7bca9b2e6707425bdb74da997e8fa499 NOTE: Infinite loop in CLI tool, no security impact CVE-2018-11812 RESERVED CVE-2018-11811 RESERVED CVE-2018-11810 RESERVED CVE-2018-11809 RESERVED CVE-2018-11808 (Incorrect Access Control in CustomFieldsFeedServlet in Zoho ManageEngi ...) NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2018-11807 RESERVED CVE-2018-11806 (m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via inc ...) {DSA-4454-1 DLA-1781-1} - qemu 1:3.1+dfsg-1 (bug #901017) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=864036e251f54c99d31df124aad7f34f01f5344c CVE-2018-1000202 (A persisted cross-site scripting vulnerability exists in Jenkins Groov ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000198 (A XML external entity processing vulnerability exists in Jenkins Black ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000197 (An improper authorization vulnerability exists in Jenkins Black Duck H ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000196 (A exposure of sensitive information vulnerability exists in Jenkins Gi ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000195 (A server-side request forgery vulnerability exists in Jenkins 2.120 an ...) NOT-FOR-US: Jenkins CVE-2018-1000194 (A path traversal vulnerability exists in Jenkins 2.120 and older, LTS ...) NOT-FOR-US: Jenkins CVE-2018-1000193 (A improper neutralization of control sequences vulnerability exists in ...) NOT-FOR-US: Jenkins CVE-2018-12015 (In Perl through 5.26.2, the Archive::Tar module allows remote attacker ...) {DSA-4226-1} - perl 5.26.2-6 (bug #900834) NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=125523 NOTE: https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5 CVE-2018-1000192 (A information exposure vulnerability exists in Jenkins 2.120 and older ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000191 (A exposure of sensitive information vulnerability exists in Jenkins Bl ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000190 (A exposure of sensitive information vulnerability exists in Jenkins Bl ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000189 (A command execution vulnerability exists in Jenkins Absint Astree Plug ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000188 (A server-side request forgery vulnerability exists in Jenkins CAS Plug ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000187 (A exposure of sensitive information vulnerability exists in Jenkins Ku ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000186 (A exposure of sensitive information vulnerability exists in Jenkins Gi ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000185 (A server-side request forgery vulnerability exists in Jenkins GitHub B ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000184 (A server-side request forgery vulnerability exists in Jenkins GitHub P ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000183 (A exposure of sensitive information vulnerability exists in Jenkins Gi ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000182 (A server-side request forgery vulnerability exists in Jenkins Git Plug ...) NOT-FOR-US: Jenkins plugin CVE-2019-19920 (sa-exim 4.2.1 allows attackers to execute arbitrary code if they can w ...) {DLA-2062-1} - sa-exim 4.2.1-19 (bug #947198) [buster] - sa-exim (Minor issue; can be fixed via point release) [stretch] - sa-exim (Minor issue; can be fixed via point release) NOTE: https://bugs.debian.org/946829#24 NOTE: https://marc.info/?l=spamassassin-users&m=157668107325768&w=2 NOTE: https://marc.info/?l=spamassassin-users&m=157668305026635&w=2 NOTE: The issue is "effectively" mitigating due to the CVE-2018-11805 fix in NOTE: spamassassin, making the Greylisting.pm non-functional (and so a functional NOTE: regression as well as tracked in #946829). The security implications are NOTE: as well documented in /usr/share/doc/sa-exim/README.greylisting.gz CVE-2018-11805 (In Apache SpamAssassin before 3.4.3, nefarious CF files can be configu ...) {DSA-4584-1 DLA-2037-1} - spamassassin 3.4.3~rc6-1 (bug #946652) NOTE: https://www.openwall.com/lists/oss-security/2019/12/12/1 NOTE: https://markmail.org/message/pyp425yrulfxyhrn NOTE: https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7648 (not public) CVE-2018-11804 (Spark's Apache Maven-based build includes a convenience script, 'build ...) - apache-spark (bug #802194) CVE-2018-11803 (Subversion's mod_dav_svn Apache HTTPD module versions 1.11.0 and 1.10. ...) - subversion 1.10.4-1 [stretch] - subversion (Vulnerable code introduced in 1.10.0) [jessie] - subversion (Vulnerable code introduced in 1.10.0) NOTE: https://subversion.apache.org/security/CVE-2018-11803-advisory.txt NOTE: https://www.openwall.com/lists/oss-security/2019/01/23/1 CVE-2018-11802 (In Apache Solr, the cluster can be partitioned into multiple collectio ...) - lucene-solr (Vulnerable code is not present) NOTE: https://issues.apache.org/jira/browse/SOLR-12514 NOTE: Issue introduced around: https://github.com/apache/lucene-solr/commit/56e88400aefbeb7f1821cbd10a2997cde018df97 (4.2.0) NOTE: Fixed by: https://github.com/apache/lucene-solr/commit/add003f217806afb4e1604f697cdb0a5a7115895 (releases/lucene-solr/6.6.6) CVE-2018-11801 (SQL injection vulnerability in Apache Fineract before 1.3.0 allows att ...) NOT-FOR-US: Apache Fineract CVE-2018-11800 (SQL injection vulnerability in Apache Fineract before 1.3.0 allows att ...) NOT-FOR-US: Apache Fineract CVE-2018-11799 (Vulnerability allows a user of Apache Oozie 3.1.3-incubating to 5.0.0 ...) NOT-FOR-US: Apache Oozie CVE-2018-11798 (The Apache Thrift Node.js static web server in versions 0.9.2 through ...) - thrift 0.11.0-4 (unimportant; bug #918734) NOTE: https://issues.apache.org/jira/browse/THRIFT-4647 NOTE: https://github.com/apache/thrift/commit/2a2b72f6c8aef200ecee4984f011e06052288ff2 NOTE: src:thrift in Debian configured with --without-nodejs CVE-2018-11797 (In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully c ...) {DLA-1547-1} - libpdfbox-java 1:1.8.16-1 (bug #910390) [stretch] - libpdfbox-java (Minor issue) - libpdfbox2-java 2.0.12-1 (bug #910391) NOTE: https://www.openwall.com/lists/oss-security/2018/10/05/4 NOTE: https://svn.apache.org/r1842131 (branch 2.0) NOTE: https://svn.apache.org/r1842278 (branch 1.8) CVE-2018-11796 (In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion lim ...) - tika (Incomplete fix for CVE-2018-11761 not applied) NOTE: https://lists.apache.org/thread.html/88de8350cda9b184888ec294c813c5bd8a2081de8fd3666f8904bc05@%3Cdev.tika.apache.org%3E NOTE: https://issues.apache.org/jira/projects/TIKA/issues/TIKA-2727 NOTE: https://github.com/apache/tika/commit/86d4ba1e CVE-2018-11795 REJECTED CVE-2018-11794 REJECTED CVE-2018-11793 (When parsing a JSON payload with deeply nested JSON structures, the pa ...) - apache-mesos (bug #760315) CVE-2018-11792 (In Apache Impala before 3.0.1, ALTER TABLE/VIEW RENAME required ALTER ...) NOT-FOR-US: Apache Impala CVE-2018-11791 REJECTED CVE-2018-11790 (When loading a document with Apache Open Office 4.1.5 and earlier with ...) - libreoffice 1:4.0.3-1 NOTE: https://www.openwall.com/lists/oss-security/2019/01/16/2 NOTE: https://github.com/LibreOffice/core/commit/bbc94edb9a91b27910d43610db9994df10dd99e1 CVE-2018-11789 (When accessing the heron-ui webpage, people can modify the file paths ...) NOT-FOR-US: Apache Heron CVE-2018-11788 (Apache Karaf provides a features deployer, which allows users to "hot ...) - apache-karaf (bug #881297) CVE-2018-11787 (In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the webcons ...) - apache-karaf (bug #881297) CVE-2018-11786 (In Apache Karaf prior to 4.2.0 release, if the sshd service in Karaf i ...) - apache-karaf (bug #881297) CVE-2018-11785 (Missing authorization check in Apache Impala before 3.0.1 allows a Ker ...) NOT-FOR-US: Apache Impala CVE-2018-11784 (When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, ...) {DSA-4596-1 DLA-1545-1 DLA-1544-1} - tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.5.34-1 - tomcat8.0 (unimportant) NOTE: tomcat8.0 builds only tomcat8.0-user and libtomcat8.0-java - tomcat7 7.0.72-3 NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API NOTE: Fixed upstream in 9.0.12, 8.5.34, 7.0.91 NOTE: https://lists.apache.org/thread.html/23134c9b5a23892a205dc140cdd8c9c0add233600f76b313dda6bd75@%3Cannounce.tomcat.apache.org%3E NOTE: https://svn.apache.org/r1840055 (9.0.x) NOTE: https://svn.apache.org/r1840056 (8.5.x) NOTE: https://svn.apache.org/r1840057 (7.0.x) CVE-2018-11783 (sslheaders plugin extracts information from the client certificate and ...) - trafficserver 8.0.2+ds-1 NOTE: https://github.com/apache/trafficserver/pull/4701 NOTE: https://www.openwall.com/lists/oss-security/2019/02/13/6 CVE-2018-11782 (In Apache Subversion versions up to and including 1.9.10, 1.10.4, 1.12 ...) {DSA-4490-1 DLA-1903-1} - subversion 1.10.6-1 NOTE: https://subversion.apache.org/security/CVE-2018-11782-advisory.txt CVE-2018-11781 (Apache SpamAssassin 3.4.2 fixes a local user code injection in the met ...) {DLA-1578-1} - spamassassin 3.4.2-1 (bug #908971) [stretch] - spamassassin 3.4.2-1~deb9u1 NOTE: https://www.openwall.com/lists/oss-security/2018/09/16/1 CVE-2018-11780 (A potential Remote Code Execution bug exists with the PDFInfo plugin i ...) {DLA-1578-1} - spamassassin 3.4.2-1 (bug #908970) [stretch] - spamassassin 3.4.2-1~deb9u1 NOTE: https://www.openwall.com/lists/oss-security/2018/09/16/1 CVE-2018-11779 (In Apache Storm versions 1.1.0 to 1.2.2, when the user is using the st ...) NOT-FOR-US: Apache Storm CVE-2018-11778 (UnixAuthenticationService in Apache Ranger 1.2.0 was updated to correc ...) NOT-FOR-US: Apache Ranger CVE-2018-11777 (In Apache Hive 2.3.3, 3.1.0 and earlier, local resources on HiveServer ...) NOT-FOR-US: Apache Hive CVE-2018-11776 (Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from pos ...) - libstruts1.2-java (Specific to 2.x) NOTE: https://cwiki.apache.org/confluence/display/WW/S2-057 CVE-2018-11775 (TLS hostname verification when using the Apache ActiveMQ Client before ...) - activemq 5.15.6-1 (low; bug #908950) [stretch] - activemq (Minor issue) [jessie] - activemq (Minor issue) NOTE: http://activemq.apache.org/security-advisories.data/CVE-2018-11775-announcement.txt NOTE: https://git-wip-us.apache.org/repos/asf?p=activemq.git;a=commit;h=bde7097fb8173cf871827df7811b3865679b963d NOTE: https://git-wip-us.apache.org/repos/asf?p=activemq.git;a=commit;h=02971a40e281713a8397d3a1809c164b594abfbb NOTE: Fixed in 5.15.6 CVE-2018-11774 (Apache VCL versions 2.1 through 2.5 do not properly validate form inpu ...) NOT-FOR-US: Apache VCL CVE-2018-11773 (Apache VCL versions 2.1 through 2.5 do not properly validate form inpu ...) NOT-FOR-US: Apache VCL CVE-2018-11772 (Apache VCL versions 2.1 through 2.5 do not properly validate cookie in ...) NOT-FOR-US: Apache VCL CVE-2018-11771 (When reading a specially crafted ZIP archive, the read method of Apach ...) - libcommons-compress-java 1.18-1 (bug #906301) [stretch] - libcommons-compress-java (Minor issue) [jessie] - libcommons-compress-java (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2018/08/16/2 CVE-2018-11770 (From version 1.3.0 onward, Apache Spark's standalone master exposes a ...) - apache-spark (bug #802194) CVE-2018-11769 (CouchDB administrative users before 2.2.0 can configure the database s ...) - couchdb NOTE: http://www.openwall.com/lists/oss-security/2018/08/08/2 CVE-2018-11768 (In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1 ...) - hadoop (bug #793644) CVE-2018-11767 (In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS b ...) - hadoop (bug #793644) CVE-2018-11766 (In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is ...) - hadoop (bug #793644) CVE-2018-11765 RESERVED CVE-2018-11764 RESERVED CVE-2018-11763 (In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large S ...) - apache2 2.4.35-1 (bug #909591) [stretch] - apache2 2.4.25-3+deb9u6 [jessie] - apache2 (Vulnerable code not present) NOTE: HTTP/2 support introduced in 2.4.17 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-11763 CVE-2018-11762 (In Apache Tika 0.9 to 1.18, in a rare edge case where a user does not ...) - tika 1.20-1 [jessie] - tika (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2018/09/19/5 CVE-2018-11761 (In Apache Tika 0.1 to 1.18, the XML parsers were not configured to lim ...) - tika 1.20-1 [jessie] - tika (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2018/09/19/4 NOTE: When fixing this issue the fix needs to be made complete to not open NOTE: CVE-2018-11796. The full fix is only in 1.19.1 onwards. CVE-2018-11760 (When using PySpark , it's possible for a different local user to conne ...) - apache-spark (bug #802194) CVE-2018-11759 (The Apache Web Server (httpd) specific code that normalised the reques ...) {DSA-4357-1 DLA-1609-1} - libapache-mod-jk 1:1.2.46-1 NOTE: https://tomcat.apache.org/security-jk.html#Fixed_in_Apache_Tomcat_JK_Connector_1.2.46 NOTE: https://www.immunit.ch/blog/2018/11/01/cve-2018-11759-apache-mod_jk-access-bypass/ CVE-2018-11758 (This affects Apache Cayenne 4.1.M1, 3.2.M1, 4.0.M2 to 4.0.M5, 4.0.B1, ...) NOT-FOR-US: Apache Cayenne CVE-2018-11757 (In Docker Skeleton Runtime for Apache OpenWhisk, a Docker action inher ...) NOT-FOR-US: Docker Skeleton Runtime for Apache OpenWhisk CVE-2018-11756 (In PHP Runtime for Apache OpenWhisk, a Docker action inheriting one of ...) NOT-FOR-US: PHP Runtime for Apache OpenWhisk CVE-2018-11755 RESERVED CVE-2018-11754 RESERVED CVE-2018-11753 RESERVED CVE-2018-11752 (Previous releases of the Puppet cisco_ios module output SSH session de ...) NOT-FOR-US: cisco_ios Puppet module CVE-2018-11751 (Previous versions of Puppet Agent didn't verify the peer in the SSL co ...) - puppet (bug #952925) [buster] - puppet (Minor issue) [stretch] - puppet (Minor issue) [jessie] - puppet (Patch too invasive to backport, minor issue) NOTE: https://puppet.com/security/cve/CVE-2018-11751/ NOTE: https://tickets.puppetlabs.com/browse/PUP-9459 NOTE: https://github.com/puppetlabs/puppet/commit/b49c11b6425738441d6f33285d2630fa434a123e CVE-2018-11750 (Previous releases of the Puppet cisco_ios module did not validate a ho ...) NOT-FOR-US: cisco_ios Puppet module CVE-2018-11749 (When users are configured to use startTLS with RBAC LDAP, at login tim ...) - puppet (RBAC is specific to Puppet Enterprise) CVE-2018-11748 (Previous releases of the Puppet device_manager module creates configur ...) NOT-FOR-US: Puppet device_manager module CVE-2018-11747 (Previously, Puppet Discovery was shipped with a default generated TLS ...) NOT-FOR-US: Puppet Discovery CVE-2018-11746 (In Puppet Discovery prior to 1.2.0, when running Discovery against Win ...) NOT-FOR-US: Puppet Discovery CVE-2018-11745 RESERVED CVE-2018-11744 (Cloudera Manager through 5.15 has Incorrect Access Control. ...) NOT-FOR-US: Cloudera CVE-2018-11743 (The init_copy function in kernel.c in mruby 1.4.1 makes initialize_cop ...) - mruby 1.4.1+20180622+git640fca32-1 (bug #900845) [stretch] - mruby (Minor issue) [jessie] - mruby (Minor issue) NOTE: https://github.com/mruby/mruby/commit/b64ce17852b180dfeea81cf458660be41a78974d NOTE: https://github.com/mruby/mruby/issues/4027 CVE-2018-11742 (NEC Univerge Sv9100 WebPro 6.00.00 devices have Cleartext Password Sto ...) NOT-FOR-US: NEC Univerge Sv9100 WebPro devices CVE-2018-11741 (NEC Univerge Sv9100 WebPro 6.00.00 devices have Predictable Session ID ...) NOT-FOR-US: NEC Univerge Sv9100 WebPro devices CVE-2018-11740 (An issue was discovered in libtskbase.a in The Sleuth Kit (TSK) from r ...) - sleuthkit (low; bug #902187) [buster] - sleuthkit (Minor issue) [stretch] - sleuthkit (Minor issue) [jessie] - sleuthkit (Minor issue) NOTE: https://github.com/sleuthkit/sleuthkit/issues/1264 CVE-2018-11739 (An issue was discovered in libtskimg.a in The Sleuth Kit (TSK) from re ...) - sleuthkit (low; bug #902187) [buster] - sleuthkit (Minor issue) [stretch] - sleuthkit (Minor issue) [jessie] - sleuthkit (Minor issue) NOTE: https://github.com/sleuthkit/sleuthkit/issues/1267 CVE-2018-11738 (An issue was discovered in libtskfs.a in The Sleuth Kit (TSK) from rel ...) - sleuthkit (low; bug #902187) [buster] - sleuthkit (Minor issue) [stretch] - sleuthkit (Minor issue) [jessie] - sleuthkit (Minor issue) NOTE: https://github.com/sleuthkit/sleuthkit/issues/1265 CVE-2018-11737 (An issue was discovered in libtskfs.a in The Sleuth Kit (TSK) from rel ...) - sleuthkit (low; bug #902187) [buster] - sleuthkit (Minor issue) [stretch] - sleuthkit (Minor issue) [jessie] - sleuthkit (Minor issue) NOTE: https://github.com/sleuthkit/sleuthkit/issues/1266 CVE-2018-1000201 (ruby-ffi version 1.9.23 and earlier has a DLL loading issue which can ...) - ruby-ffi (Windows-specific) CVE-2018-11736 (An issue was discovered in Pluck before 4.7.7-dev2. /data/inc/images.p ...) NOT-FOR-US: Pluck CMS CVE-2018-11735 (index.php?action=createaccount in Ximdex 4.0 has XSS via the sname or ...) NOT-FOR-US: Ximdex CVE-2018-11734 (In e107 v2.1.7, output without filtering results in XSS. ...) NOT-FOR-US: e107 CVE-2018-11733 RESERVED CVE-2018-11732 RESERVED CVE-2018-11731 (** DISPUTED ** The libfsntfs_mft_entry_read_attributes function in lib ...) - libfsntfs 20190104-1 (unimportant) NOTE: http://seclists.org/fulldisclosure/2018/Jun/17 NOTE: https://github.com/libyal/libfsntfs/issues/8 NOTE: https://github.com/libyal/libfsntfs/issues/9 NOTE: https://github.com/libyal/libfsntfs/commit/7a17c43be39919227b4fe24684a8a29a90ee54ad NOTE: Negligable/questionable security impact CVE-2018-11730 (** DISPUTED ** The libfsntfs_security_descriptor_values_free function ...) - libfsntfs 20190104-1 (unimportant) NOTE: http://seclists.org/fulldisclosure/2018/Jun/17 NOTE: https://github.com/libyal/libfsntfs/issues/8 NOTE: https://github.com/libyal/libfsntfs/issues/9 NOTE: https://github.com/libyal/libfsntfs/commit/7a17c43be39919227b4fe24684a8a29a90ee54ad NOTE: Negligable/questionable security impact CVE-2018-11729 (** DISPUTED ** The libfsntfs_mft_entry_read_header function in libfsnt ...) - libfsntfs 20190104-1 (unimportant) NOTE: http://seclists.org/fulldisclosure/2018/Jun/17 NOTE: https://github.com/libyal/libfsntfs/issues/8 NOTE: https://github.com/libyal/libfsntfs/issues/9 NOTE: https://github.com/libyal/libfsntfs/commit/7a17c43be39919227b4fe24684a8a29a90ee54ad NOTE: Negligable/questionable security impact CVE-2018-11728 (** DISPUTED ** The libfsntfs_reparse_point_values_read_data function i ...) - libfsntfs 20190104-1 (unimportant) NOTE: http://seclists.org/fulldisclosure/2018/Jun/17 NOTE: https://github.com/libyal/libfsntfs/issues/8 NOTE: https://github.com/libyal/libfsntfs/issues/9 NOTE: https://github.com/libyal/libfsntfs/commit/7a17c43be39919227b4fe24684a8a29a90ee54ad NOTE: Negligable/questionable security impact CVE-2018-11727 (** DISPUTED ** The libfsntfs_attribute_read_from_mft function in libfs ...) - libfsntfs 20190104-1 (unimportant) NOTE: http://seclists.org/fulldisclosure/2018/Jun/17 NOTE: https://github.com/libyal/libfsntfs/issues/8 NOTE: https://github.com/libyal/libfsntfs/issues/9 NOTE: https://github.com/libyal/libfsntfs/commit/7a17c43be39919227b4fe24684a8a29a90ee54ad NOTE: Negligable/questionable security impact CVE-2018-11726 (The mobi_decode_font_resource function in util.c in Libmobi 0.3 allows ...) NOT-FOR-US: Libmobi CVE-2018-11725 (The mobi_parse_index_entry function in index.c in Libmobi 0.3 allows r ...) NOT-FOR-US: Libmobi CVE-2018-11724 (The mobi_pk1_decrypt function in encryption.c in Libmobi 0.3 allows re ...) NOT-FOR-US: Libmobi CVE-2018-11723 (** DISPUTED ** The libpff_name_to_id_map_entry_read function in libpff ...) - libpff 20180714-1 (low; bug #901967) [stretch] - libpff (Minor issue) [jessie] - libpff (Minor issue) NOTE: http://seclists.org/fulldisclosure/2018/Jun/15 NOTE: https://github.com/libyal/libpff/issues/64 NOTE: https://github.com/libyal/libpff/commit/7b92bcace7e743cc9417e3cc3e4eee29abb70cf5 CVE-2018-11722 (WUZHI CMS 4.1.0 has a SQL Injection in api/uc.php via the 'code' param ...) NOT-FOR-US: WUZHI CMS CVE-2018-11721 RESERVED CVE-2018-11720 (Xovis PC2, PC2R, and PC3 devices through 3.6.0 allow Directory Travers ...) NOT-FOR-US: Xovis CVE-2018-11719 (Xovis PC2, PC2R, and PC3 devices through 3.6.0 allow XXE. ...) NOT-FOR-US: Xovis CVE-2018-11718 (Xovis PC2, PC2R, and PC3 devices through 3.6.0 allow CSRF. ...) NOT-FOR-US: Xovis CVE-2017-18286 (nZEDb v0.7.3.3 has XSS in the 404 error page. ...) NOT-FOR-US: nZEDb CVE-2016-1000352 (In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES i ...) - bouncycastle 1.56-1 [jessie] - bouncycastle (Intrusive changes, can be mitigated by using a different mode than ECB) NOTE: https://github.com/bcgit/bc-java/commit/9385b0ebd277724b167fe1d1456e3c112112be1f CVE-2016-1000346 (In the Bouncy Castle JCE Provider version 1.55 and earlier the other p ...) {DLA-1418-1} - bouncycastle 1.56-1 NOTE: https://github.com/bcgit/bc-java/commit/1127131c89021612c6eefa26dbe5714c194e7495#diff-d525a20b8acaed791ae2f0f770eb5937 CVE-2016-1000345 (In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/E ...) {DLA-1418-1} - bouncycastle 1.56-1 NOTE: https://github.com/bcgit/bc-java/commit/21dcb3d9744c83dcf2ff8fcee06dbca7bfa4ef35#diff-4439ce586bf9a13bfec05c0d113b8098 CVE-2016-1000344 (In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES i ...) - bouncycastle 1.56-1 [jessie] - bouncycastle (Intrusive changes, can be mitigated by using a different mode than ECB) NOTE: https://github.com/bcgit/bc-java/commit/9385b0ebd277724b167fe1d1456e3c112112be1f CVE-2018-11717 (An issue was discovered in Zoho ManageEngine Desktop Central before 10 ...) NOT-FOR-US: Zoho ManageEngine Desktop Central CVE-2018-11716 (An issue was discovered in Zoho ManageEngine Desktop Central before 10 ...) NOT-FOR-US: Zoho ManageEngine Desktop Central CVE-2018-11715 (The Recent Threads plugin before 1.1 for MyBB allows XSS via a thread ...) NOT-FOR-US: Recent Threads plugin for MyBB CVE-2018-11714 (An issue was discovered on TP-Link TL-WR840N v5 00000005 0.9.1 3.16 v0 ...) NOT-FOR-US: TP-Link CVE-2018-11713 (WebCore/platform/network/soup/SocketStreamHandleImplSoup.cpp in the li ...) - webkit2gtk 2.20.0-2 (unimportant) NOTE: https://bugs.webkit.org/show_bug.cgi?id=126384 NOTE: https://trac.webkit.org/changeset/228088/webkit NOTE: Not covered by security support NOTE: https://webkitgtk.org/security/WSA-2018-0005.html CVE-2018-11712 (WebCore/platform/network/soup/SocketStreamHandleImplSoup.cpp in the li ...) - webkit2gtk 2.20.2-1 (unimportant) NOTE: https://bugs.webkit.org/show_bug.cgi?id=184804 NOTE: https://trac.webkit.org/changeset/230886/webkit NOTE: Not covered by security support NOTE: https://webkitgtk.org/security/WSA-2018-0005.html CVE-2018-11711 (** DISPUTED ** A remote attacker can bypass the System Manager Mode on ...) NOT-FOR-US: Canon MF210 and MF220 web interface CVE-2018-11710 (soundlib/pattern.h in libopenmpt before 0.3.9 allows remote attackers ...) - libopenmpt 0.3.9-1 [stretch] - libopenmpt (Minor issue) NOTE: https://lib.openmpt.org/libopenmpt/2018/04/29/security-updates-0.3.9-0.2-beta32-0.2.7561-beta20.5-p9-0.2.7386-beta20.3-p12/ NOTE: https://source.openmpt.org/browse/openmpt/trunk/?op=revision&rev=10149&peg=10150 CVE-2018-11709 (wpforo_get_request_uri in wpf-includes/functions.php in the wpForo For ...) NOT-FOR-US: wpForo Forum plugin for WordPress CVE-2018-11708 RESERVED CVE-2018-1002101 (In Kubernetes versions 1.9.0-1.9.9, 1.10.0-1.10.5, and 1.11.0-1.11.1, ...) - kubernetes (Vulnerable code introduced later; Windows specific) NOTE: https://github.com/kubernetes/kubernetes/issues/65750 CVE-2016-1000343 (In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key ...) {DLA-1418-1} - bouncycastle 1.56-1 NOTE: https://github.com/bcgit/bc-java/commit/50a53068c094d6cff37659da33c9b4505becd389#diff-5578e61500abb2b87b300d3114bdfd7d CVE-2016-1000342 (In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does ...) {DLA-1418-1} - bouncycastle 1.56-1 NOTE: https://github.com/bcgit/bc-java/commit/843c2e60f67d71faf81d236f448ebbe56c62c647#diff-25c3c78db788365f36839b3f2d3016b9 CVE-2016-1000341 (In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signatu ...) {DLA-1418-1} - bouncycastle 1.56-1 NOTE: https://github.com/bcgit/bc-java/commit/acaac81f96fec91ab45bd0412beaf9c3acd8defa#diff-e75226a9ca49217a7276b29242ec59ce CVE-2016-1000340 (In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propa ...) - bouncycastle 1.56-1 [jessie] - bouncycastle (Vulnerable code introduced later) NOTE: https://github.com/bcgit/bc-java/commit/790642084c4e0cadd47352054f868cc8397e2c00#diff-e5934feac8203ca0104ab291a3560a31 CVE-2016-1000339 (In the Bouncy Castle JCE Provider version 1.55 and earlier the primary ...) {DLA-1418-1} - bouncycastle 1.56-1 NOTE: https://github.com/bcgit/bc-java/commit/413b42f4d770456508585c830cfcde95f9b0e93b#diff-54656f860db94b867ba7542430cd2ef0 NOTE: https://github.com/bcgit/bc-java/commit/8a73f08931450c17c749af067b6a8185abdfd2c0#diff-494fb066bed02aeb76b6c005632943f2 CVE-2018-11707 (FastStone Image Viewer 6.2 has a User Mode Read and Execute AV at 0x00 ...) NOT-FOR-US: FastStone Image Viewer CVE-2018-11706 (FastStone Image Viewer 6.2 has a User Mode Write AV at 0x00578dd8, tri ...) NOT-FOR-US: FastStone Image Viewer CVE-2018-11705 (FastStone Image Viewer 6.2 has a User Mode Write AV at 0x00578cc4, tri ...) NOT-FOR-US: FastStone Image Viewer CVE-2018-11704 (FastStone Image Viewer 6.2 has a User Mode Write AV at 0x00402d7d, tri ...) NOT-FOR-US: FastStone Image Viewer CVE-2018-11703 (FastStone Image Viewer 6.2 has a User Mode Write AV at 0x00402d6a, tri ...) NOT-FOR-US: FastStone Image Viewer CVE-2018-11702 (FastStone Image Viewer 6.2 has a User Mode Write AV at 0x00578cb3, tri ...) NOT-FOR-US: FastStone Image Viewer CVE-2018-11701 (FastStone Image Viewer 6.2 has a User Mode Write AV at 0x005cb509, tri ...) NOT-FOR-US: FastStone Image Viewer CVE-2018-11700 RESERVED CVE-2018-11699 RESERVED CVE-2018-11698 (An issue was discovered in LibSass through 3.5.4. An out-of-bounds rea ...) - libsass [buster] - libsass (Minor issue) [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/2662 CVE-2018-11697 (An issue was discovered in LibSass through 3.5.4. An out-of-bounds rea ...) - libsass [buster] - libsass (Minor issue) [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/2656 NOTE: https://github.com/sass/libsass/commit/eb15533b07773c30dc03c9d742865604f47120ef CVE-2018-11696 (An issue was discovered in LibSass through 3.5.4. A NULL pointer deref ...) - libsass 3.5.5-1 [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/2665 NOTE: https://github.com/sass/libsass/commit/38f4c3699d06b64128bebc7cf1e8b3125be74dc4 CVE-2018-11695 (An issue was discovered in LibSass through 3.5.2. A NULL pointer deref ...) - libsass 3.5.4-1 (low) [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/2664 NOTE: https://github.com/sass/libsass/commit/0bc35e3d26922229d5a3e3308860cf0fcee5d1cf (master) NOTE: https://github.com/sass/libsass/commit/e3512120403dc7863a38bf2f122e7523593718ad (3.5.3) CVE-2018-11694 (An issue was discovered in LibSass through 3.5.4. A NULL pointer deref ...) - libsass (low) [buster] - libsass (Minor issue) [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/2663 NOTE: https://github.com/sass/libsass/commit/280ffd8c692cc24199b678f38fc796825d7df4a1 NOTE: https://github.com/sass/libsass/commit/c93f0581c6b7794d8c1d5637c5c4dabd591b1d57 CVE-2018-11693 (An issue was discovered in LibSass through 3.5.4. An out-of-bounds rea ...) - libsass 3.5.4+20180621~c0a6cf3-1 (low) [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/2661 NOTE: https://github.com/sass/libsass/commit/c0a6cf39dea9b2522a08d61b731bc72dfb362584 (3.5.5) NOTE: https://github.com/sass/libsass/commit/b3374e3fd1a0c3658644d2bad24e4a0ff2e0dcea (master) CVE-2018-11692 (** DISPUTED ** An issue was discovered on Canon LBP6650, LBP3370, LBP3 ...) NOT-FOR-US: Canon devices CVE-2018-11691 (Emerson DeltaV Smart Switch Command Center application, available in v ...) NOT-FOR-US: Emerson devices CVE-2018-11690 (The Balbooa Gridbox extension version 2.4.0 and previous versions for ...) NOT-FOR-US: Balbooa Gridbox extension for Joomla! CVE-2018-11689 (Smart Viewer in Samsung Web Viewer for Samsung DVR is vulnerable to cr ...) NOT-FOR-US: Smart Viewer in Samsung Web Viewer for Samsung DVR CVE-2018-11688 (Ignite Realtime Openfire before 3.9.2 is vulnerable to cross-site scri ...) NOT-FOR-US: Ignite Realtime Openfire CVE-2018-11687 (An integer overflow in the distributeBTR function of a smart contract ...) NOT-FOR-US: smart contract implementation for Bitcoin Red (BTCR) CVE-2018-11686 (The Publish Service in FlexPaper (later renamed FlowPaper) 2.3.6 allow ...) NOT-FOR-US: FlexPaper (later renamed FlowPaper) CVE-2018-11685 (Liblouis 3.5.0 has a stack-based Buffer Overflow in the function compi ...) - liblouis 3.5.0-3 [stretch] - liblouis 3.0.0-3+deb9u4 [jessie] - liblouis (Minor issue) NOTE: https://github.com/liblouis/liblouis/issues/593 NOTE: https://github.com/liblouis/liblouis/commit/b5049cb17ae3d15b2b26890de0e24d0fecc080f5 CVE-2018-11684 (Liblouis 3.5.0 has a stack-based Buffer Overflow in the function inclu ...) - liblouis 3.5.0-3 [stretch] - liblouis 3.0.0-3+deb9u4 [jessie] - liblouis (Minor issue) NOTE: https://github.com/liblouis/liblouis/issues/592 NOTE: https://github.com/liblouis/liblouis/commit/fb2bfce4ed49ac4656a8f7e5b5526e4838da1dde CVE-2018-11683 (Liblouis 3.5.0 has a stack-based Buffer Overflow in the function parse ...) - liblouis 3.5.0-3 [stretch] - liblouis 3.0.0-3+deb9u4 [jessie] - liblouis (Minor issue) NOTE: https://github.com/liblouis/liblouis/issues/591 NOTE: https://github.com/liblouis/liblouis/commit/e7eee2b7926668360a0d8e2abee6c35a00ebce3c NOTE: https://github.com/liblouis/liblouis/commit/d4fc803687e38a5355fb686bf98cc082951f3043 CVE-2017-18285 (The Gentoo app-backup/burp package before 2.1.32 has incorrect group o ...) - burp (/etc/burp is owned by root:root in Debian) CVE-2017-18284 (The Gentoo app-backup/burp package before 2.1.32 sets the ownership of ...) - burp (Debian package uses /var/run for the PID file) CVE-2018-11682 (** DISPUTED ** Default and unremovable support credentials allow attac ...) NOT-FOR-US: products using the Stanza Lutron integration protocol CVE-2018-11681 (** DISPUTED ** Default and unremovable support credentials (user:nwk p ...) NOT-FOR-US: products using the RadioRA 2 Lutron integration protocol CVE-2018-11680 (An issue was discovered in CmsEasy 6.1_20180508. There is a CSRF vulne ...) NOT-FOR-US: CmsEasy CVE-2018-11679 (An issue was discovered in CmsEasy 6.1_20180508. There is a CSRF vulne ...) NOT-FOR-US: CmsEasy CVE-2018-11678 (plugins/box/users/users.plugin.php in Monstra CMS 3.0.4 allows Login R ...) NOT-FOR-US: Monstra CMS CVE-2018-11677 RESERVED CVE-2018-11676 RESERVED CVE-2018-11675 REJECTED CVE-2018-11674 RESERVED CVE-2018-11673 RESERVED CVE-2018-11672 RESERVED CVE-2018-11671 (An issue was discovered in GreenCMS v2.3.0603. There is a CSRF vulnera ...) NOT-FOR-US: GreenCMS CVE-2018-11670 (An issue was discovered in GreenCMS v2.3.0603. There is a CSRF vulnera ...) NOT-FOR-US: GreenCMS CVE-2018-11669 RESERVED CVE-2018-11668 RESERVED CVE-2018-11667 RESERVED CVE-2018-11666 RESERVED CVE-2018-11665 RESERVED CVE-2018-11664 RESERVED CVE-2018-11663 RESERVED CVE-2018-11662 RESERVED CVE-2018-11661 RESERVED CVE-2018-11660 RESERVED CVE-2018-11659 RESERVED CVE-2018-11658 RESERVED CVE-2018-11657 (ngiflib.c in MiniUPnP ngiflib 0.4 has an infinite loop in DecodeGifImg ...) NOT-FOR-US: ngiflib CVE-2018-11656 (In ImageMagick 7.0.7-20 Q16 x86_64, a memory leak vulnerability was fo ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/931 NOTE: https://github.com/ImageMagick/ImageMagick/commit/4da2cd650532ffd18fa11578fc2ec7c2467727bb CVE-2018-11655 (In ImageMagick 7.0.7-20 Q16 x86_64, a memory leak vulnerability was fo ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/930 NOTE: https://github.com/ImageMagick/ImageMagick/commit/a7414b7322201a9c8a5cacf563f08468c329b4b1 CVE-2018-11654 (Information disclosure in Netwave IP camera at get_status.cgi (via HTT ...) NOT-FOR-US: Netwave IP camera CVE-2018-11653 (Information disclosure in Netwave IP camera at //etc/RT2870STA.dat (vi ...) NOT-FOR-US: Netwave IP camera CVE-2018-11652 (CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote a ...) - nikto 1:2.1.5-3 (bug #900608) [stretch] - nikto (non-free not supported) [jessie] - nikto (non-free not supported) NOTE: https://github.com/sullo/nikto/commit/e759b3300aace5314fe3d30800c8bd83c81c29f7 CVE-2018-11651 (Graylog before v2.4.4 has an XSS security issue with unescaped text in ...) - graylog2 (bug #652273) CVE-2018-11650 (Graylog before v2.4.4 has an XSS security issue with unescaped text in ...) - graylog2 (bug #652273) CVE-2018-11649 (Hue 3.12 has XSS via the /pig/save/ name and script parameters. ...) NOT-FOR-US: Hue CVE-2018-11648 RESERVED CVE-2018-11647 (index.js in oauth2orize-fprm before 0.2.1 has XSS via a crafted URL. ...) NOT-FOR-US: oauth2orize-fprm CVE-2018-11646 (webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIco ...) - webkit2gtk 2.20.3-1 (unimportant) NOTE: https://bugs.webkit.org/show_bug.cgi?id=186164 NOTE: Was found while investigting CVE-2018-11396 in epiphany, cf. NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=795740 but is a NOTE: different issue. NOTE: Not covered by security support NOTE: https://webkitgtk.org/security/WSA-2018-0005.html CVE-2018-11645 (psi/zfile.c in Artifex Ghostscript before 9.21rc1 permits the status c ...) {DSA-4336-1 DLA-1504-1} - ghostscript 9.21~dfsg-1 (low) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697193 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b60d50b7567369ad856cebe1efb6cd7dd2284219 (9.21rc1) CVE-2018-11644 RESERVED CVE-2018-11643 (SQL injection vulnerability in the administrative console in Dialogic ...) NOT-FOR-US: Dialogic CVE-2018-11642 (Incorrect Permission Assignment on the /var/www/xms/cleanzip.sh shell ...) NOT-FOR-US: Dialogic CVE-2018-11641 (Use of Hard-coded Credentials in /var/www/xms/application/controllers/ ...) NOT-FOR-US: Dialogic CVE-2018-11640 (XML External Entity (XXE) vulnerability in the web service in Dialogic ...) NOT-FOR-US: Dialogic CVE-2018-11639 (Plaintext Storage of Passwords within Cookies in /var/www/xms/applicat ...) NOT-FOR-US: Dialogic CVE-2018-11638 (Unrestricted Upload of a File with a Dangerous Type in the administrat ...) NOT-FOR-US: Dialogic CVE-2018-11637 (Information leakage vulnerability in the administrative console in Dia ...) NOT-FOR-US: Dialogic CVE-2018-11636 (Cross-site request forgery (CSRF) vulnerability in the administrative ...) NOT-FOR-US: Dialogic CVE-2018-11635 (Use of a Hard-coded Cryptographic Key used to protect cookie session d ...) NOT-FOR-US: Dialogic CVE-2018-11634 (Plaintext Storage of Passwords in the administrative console in Dialog ...) NOT-FOR-US: Dialogic CVE-2018-11633 (An issue was discovered in the MULTIDOTS Woo Checkout for Digital Good ...) NOT-FOR-US: MULTIDOTS Woo Checkout for Digital Goods plugin for WordPress CVE-2018-11632 (An issue was discovered in the MULTIDOTS Add Social Share Messenger Bu ...) NOT-FOR-US: MULTIDOTS Add Social Share Messenger Buttons Whatsapp and Viber plugin for WordPress CVE-2018-11631 (Rondaful M1 Wristband Smart Band 1 devices allow remote attackers to s ...) NOT-FOR-US: Rondaful M1 Wristband Smart Band 1 devices CVE-2018-11630 RESERVED CVE-2018-11629 (** DISPUTED ** Default and unremovable support credentials (user:lutro ...) NOT-FOR-US: products using the HomeWorks QS Lutron integration protocol CVE-2018-11628 (Data input into EMS Master Calendar before 8.0.0.201805210 via URL par ...) NOT-FOR-US: EMS Master Calendar CVE-2018-11627 (Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs ...) - ruby-sinatra (Vulnerable code not present) NOTE: https://github.com/sinatra/sinatra/issues/1428 NOTE: Introduced by: https://github.com/sinatra/sinatra/commit/8f8df53ff29938ace79b31097c27d9cdac803b44 NOTE: Fixed by: https://github.com/sinatra/sinatra/commit/12786867d6faaceaec62c7c2cb5b0e2dc074d71a CVE-2018-11626 (SELA (aka SimplE Lossless Audio) v0.1.2-alpha has a stack-based buffer ...) NOT-FOR-US: SELA CVE-2018-11625 (In ImageMagick 7.0.7-37 Q16, SetGrayscaleImage in the quantize.c file ...) [experimental] - imagemagick 8:6.9.10.2+dfsg-1 - imagemagick 8:6.9.10.2+dfsg-2 [stretch] - imagemagick (Vulnerable code not present) [jessie] - imagemagick (Vulnerable code not present) NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/5294966898532a6bd54699fbf04edf18902513ac NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/406ebfe09b62858b17ab3ee11f67171d43d9a76e NOTE: https://github.com/ImageMagick/ImageMagick/issues/1156 CVE-2018-11624 (In ImageMagick 7.0.7-36 Q16, the ReadMATImage function in coders/mat.c ...) [experimental] - imagemagick 8:6.9.10.2+dfsg-1 - imagemagick 8:6.9.10.2+dfsg-2 [stretch] - imagemagick (Vulnerable code not present) [jessie] - imagemagick (Vulnerable code not present) NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/172d82afe89d3499ef0cab06dc58d380cc1ab946 NOTE: https://github.com/ImageMagick/ImageMagick/issues/1149 CVE-2018-11623 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-11622 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-11621 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-11620 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-11619 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-11618 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-11617 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-11616 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Tencent Foxmail CVE-2018-11615 (This vulnerability allows remote attackers to deny service on vulnerab ...) NOT-FOR-US: mosca CVE-2018-11614 (This vulnerability allows remote attackers to escalate privileges on v ...) NOT-FOR-US: Samsung Members Fixed CVE-2018-11613 RESERVED CVE-2018-11612 RESERVED CVE-2018-11611 RESERVED CVE-2018-11610 RESERVED CVE-2018-11609 RESERVED CVE-2018-11608 RESERVED CVE-2018-11607 RESERVED CVE-2018-11606 RESERVED CVE-2018-11605 RESERVED CVE-2018-11604 RESERVED CVE-2018-11603 RESERVED CVE-2018-11602 RESERVED CVE-2018-11601 RESERVED CVE-2018-11600 RESERVED CVE-2018-11599 RESERVED CVE-2018-11598 (Espruino before 1.99 allows attackers to cause a denial of service (ap ...) NOT-FOR-US: Espruino CVE-2018-11597 (Espruino before 1.99 allows attackers to cause a denial of service (ap ...) NOT-FOR-US: Espruino CVE-2018-11596 (Espruino before 1.99 allows attackers to cause a denial of service (ap ...) NOT-FOR-US: Espruino CVE-2018-11595 (Espruino before 1.99 allows attackers to cause a denial of service (ap ...) NOT-FOR-US: Espruino CVE-2018-11594 (Espruino before 1.99 allows attackers to cause a denial of service (ap ...) NOT-FOR-US: Espruino CVE-2018-11593 (Espruino before 1.99 allows attackers to cause a denial of service (ap ...) NOT-FOR-US: Espruino CVE-2018-11592 (Espruino before 1.98 allows attackers to cause a denial of service (ap ...) NOT-FOR-US: Espruino CVE-2018-11591 (Espruino before 1.98 allows attackers to cause a denial of service (ap ...) NOT-FOR-US: Espruino CVE-2018-11590 (Espruino before 1.99 allows attackers to cause a denial of service (ap ...) NOT-FOR-US: Espruino CVE-2018-11589 (Multiple SQL injection vulnerabilities in Centreon 3.4.6 including Cen ...) - centreon-web (bug #913903) CVE-2018-11588 (Centreon 3.4.6 including Centreon Web 2.8.23 is vulnerable to an authe ...) - centreon-web (bug #913903) CVE-2018-11587 (There is Remote Code Execution in Centreon 3.4.6 including Centreon We ...) - centreon-web (bug #913903) CVE-2018-11586 (XML external entity (XXE) vulnerability in api/rest/status in SearchBl ...) NOT-FOR-US: SearchBlox CVE-2018-11585 RESERVED CVE-2018-11584 RESERVED CVE-2018-11583 (SeaCMS 6.61 has stored XSS in admin_collect.php via the siteurl parame ...) NOT-FOR-US: SeaCMS CVE-2018-11582 RESERVED CVE-2018-11581 (Cross-site scripting (XSS) vulnerability on Brother HL series printers ...) NOT-FOR-US: Brother HL-L2340D and HL-L2380DW series printers CVE-2018-11580 (An issue was discovered in mass-pages-posts-creator.php in the MULTIDO ...) NOT-FOR-US: MULTIDOTS Mass Pages/Posts Creator plugin for WordPress CVE-2018-11579 (class-woo-banner-management.php in the MULTIDOTS WooCommerce Category ...) NOT-FOR-US: MULTIDOTS WooCommerce Category Banner Management plugin for WordPress CVE-2018-11578 (GifIndexToTrueColor in ngiflib.c in MiniUPnP ngiflib 0.4 has a Segment ...) NOT-FOR-US: ngiflib CVE-2018-11577 (Liblouis 3.5.0 has a Segmentation fault in lou_logPrint in logging.c. ...) - liblouis 3.5.0-3 (bug #900607) [stretch] - liblouis 3.0.0-3+deb9u4 [jessie] - liblouis (Minor issue) NOTE: https://github.com/liblouis/liblouis/issues/582 CVE-2018-11576 (ngiflib.c in MiniUPnP ngiflib 0.4 has a heap-based buffer over-read in ...) NOT-FOR-US: ngiflib CVE-2018-11575 (ngiflib.c in MiniUPnP ngiflib 0.4 has a stack-based buffer overflow in ...) NOT-FOR-US: ngiflib CVE-2018-11574 (Improper input validation together with an integer overflow in the EAP ...) - ppp 2.4.7-2+3 [stretch] - ppp (Vulnerable code introduced later) [jessie] - ppp (Vulnerable code introduced later) [wheezy] - ppp (Vulnerable code introduced later) NOTE: http://www.openwall.com/lists/oss-security/2018/06/11/1 NOTE: https://www.nikhef.nl/~janjust/ppp/ppp-2.4.7-eaptls-mppe-1.101.patch CVE-2018-11573 RESERVED CVE-2018-11572 (ClipperCMS 1.3.3 has XSS in the "Module name" field in a "Modules -> ...) NOT-FOR-US: ClipperCMS CVE-2018-11571 (ClipperCMS 1.3.3 allows Session Fixation. ...) NOT-FOR-US: ClipperCMS CVE-2018-11570 RESERVED CVE-2018-11569 (Controller/ListController.php in Eventum 3.5.0 is vulnerable to Deseri ...) NOT-FOR-US: Eventum CVE-2018-11568 (Reflected XSS is possible in the GamePlan theme through 1.5.13.2 for W ...) NOT-FOR-US: GamePlan theme for WordPress CVE-2018-11567 (** DISPUTED ** Prior to 2018-04-27, the reprompt feature in Amazon Ech ...) NOT-FOR-US: Amazon Echo devices CVE-2018-11566 RESERVED CVE-2018-11565 (Mahara 17.04 before 17.04.8 and 17.10 before 17.10.5 and 18.04 before ...) - mahara NOTE: https://bugs.launchpad.net/mahara/+bug/1772774 CVE-2018-11564 (Stored XSS in YOOtheme Pagekit 1.0.13 and earlier allows a user to upl ...) NOT-FOR-US: Pagekit CMS CVE-2018-11563 (An issue was discovered in Open Ticket Request System (OTRS) 6.0.x thr ...) {DLA-1877-1} - otrs2 6.0.8-1 [stretch] - otrs2 (Non-free not supported) NOTE: https://community.otrs.com/security-advisory-2018-02-security-update-for-otrs-framework/ NOTE: https://github.com/OTRS/otrs/commit/50861a2a1183a07daf99cc2e71395e79f022338f CVE-2018-11562 (An issue was discovered in MISP 2.4.91. A vulnerability in app/View/El ...) NOT-FOR-US: MISP CVE-2018-11561 (An integer overflow in the unprotected distributeToken function of a s ...) NOT-FOR-US: smart contract implementation for EETHER (EETHER) CVE-2018-11560 (The webService binary on Insteon HD IP Camera White 2864-222 devices h ...) NOT-FOR-US: Insteon CVE-2018-11559 (DomainMod 4.10.0 has Stored XSS in the "/settings/profile/index.php" n ...) NOT-FOR-US: DomainMod CVE-2018-11558 (DomainMod 4.10.0 has Stored XSS in the "/settings/profile/index.php" n ...) NOT-FOR-US: DomainMod CVE-2018-11557 (YIBAN Easy class education platform 2.0 has XSS via the articlelist.ph ...) NOT-FOR-US: YIBAN Easy CVE-2018-11556 (tificc in Little CMS 2.9 has an out-of-bounds write in the cmsPipeline ...) NOT-FOR-US: Little CMS CVE-2018-11555 (tificc in Little CMS 2.9 has an out-of-bounds write in the Precalculat ...) NOT-FOR-US: Little CMS CVE-2018-11554 (The forgotten-password feature in index.php/member/reset/reset_email.h ...) NOT-FOR-US: YzmCMS CVE-2018-11553 (SGIN.CN xiangyun platform V9.4.10 has XSS via the login_url parameter ...) NOT-FOR-US: SGIN.CN xiangyun platform CVE-2018-11552 (There is a reflected XSS vulnerability in AXON PBX 2.02 via the "AXON- ...) NOT-FOR-US: AXON PBX CVE-2018-11551 (AXON PBX 2.02 contains a DLL hijacking vulnerability that could allow ...) NOT-FOR-US: AXON PBX CVE-2018-11550 REJECTED CVE-2018-11549 (An issue was discovered in WUZHI CMS 4.1.0 There is a Stored XSS Vulne ...) NOT-FOR-US: WUZHI CMS CVE-2018-11548 (An issue was discovered in EOS.IO DAWN 4.2. plugins/net_plugin/net_plu ...) NOT-FOR-US: EOS.IO DAWN CVE-2018-11547 (md_is_link_reference_definition_helper in md4c 0.2.5 has a heap-based ...) NOT-FOR-US: md4c CVE-2018-11546 (md4c 0.2.5 has a heap-based buffer over-read because md_is_named_entit ...) NOT-FOR-US: md4c CVE-2018-11545 (md4c 0.2.5 has a heap-based buffer overflow in md_merge_lines because ...) NOT-FOR-US: md4c CVE-2018-11544 (The Olive Tree Ftp Server application 1.32 for Android has Insecure Da ...) NOT-FOR-US: Olive Tree Ftp Server application CVE-2018-11543 (A Local File Inclusion (LFI) vulnerability in the Sonus SBC 1000 / SBC ...) NOT-FOR-US: Sonus SBC 1000 / SBC 2000 / SBC SWe Lite web interface CVE-2018-11542 (A Remote Command Execution (RCE) vulnerability in the Sonus SBC 1000 / ...) NOT-FOR-US: Sonus SBC 1000 / SBC 2000 / SBC SWe Lite web interface CVE-2018-11541 (A root privilege escalation vulnerability in the Sonus SBC 1000 / SBC ...) NOT-FOR-US: Sonus SBC 1000 / SBC 2000 / SBC SWe Lite web interface CVE-2018-XXXX [gitlab: Removing public deploy keys regression] [experimental] - gitlab 10.7.5+dfsg-1 - gitlab 10.7.7+dfsg-2 (bug #900522) [stretch] - gitlab (Introduced in 10.1.6) NOTE: https://about.gitlab.com/2018/05/29/security-release-gitlab-10-dot-8-dot-2-released/ CVE-2017-0921 (GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10 ...) [experimental] - gitlab 10.7.5+dfsg-1 - gitlab 10.7.7+dfsg-2 (bug #900522) NOTE: https://about.gitlab.com/2018/05/29/security-release-gitlab-10-dot-8-dot-2-released/ CVE-2018-XXXX [gitlab: Persistent XSS - Selecting users as allowed merge request approvers] [experimental] - gitlab 10.7.5+dfsg-1 - gitlab 10.7.7+dfsg-2 (bug #900522) [stretch] - gitlab (Introduced in 9.1) NOTE: https://about.gitlab.com/2018/05/29/security-release-gitlab-10-dot-8-dot-2-released/ CVE-2018-XXXX [gitlab: Persistent XSS - Multiple locations of user selection drop downs] [experimental] - gitlab 10.7.5+dfsg-1 - gitlab 10.7.7+dfsg-2 (bug #900522) [stretch] - gitlab (Introduced in 9.1) NOTE: https://about.gitlab.com/2018/05/29/security-release-gitlab-10-dot-8-dot-2-released/ CVE-2018-XXXX [gitlab: include directive in .gitlab-ci.yml allows SSRF requests] [experimental] - gitlab 10.7.5+dfsg-1 - gitlab 10.7.7+dfsg-2 (bug #900522) [stretch] - gitlab (Introduced in 10.5) NOTE: https://about.gitlab.com/2018/05/29/security-release-gitlab-10-dot-8-dot-2-released/ CVE-2018-XXXX [gitlab: Permissions issue in Merge Requests Create Service] [experimental] - gitlab 10.7.5+dfsg-1 - gitlab 10.7.7+dfsg-2 (bug #900522) [stretch] - gitlab (Introduced in 10.6) NOTE: https://about.gitlab.com/2018/05/29/security-release-gitlab-10-dot-8-dot-2-released/ CVE-2018-XXXX [gitlab: Arbitrary assignment of project fields using Import project] [experimental] - gitlab 10.7.5+dfsg-1 - gitlab 10.7.7+dfsg-2 (bug #900522) [stretch] - gitlab (Introduced in 10.4) NOTE: https://about.gitlab.com/2018/05/29/security-release-gitlab-10-dot-8-dot-2-released/ CVE-2018-11540 RESERVED CVE-2018-11539 RESERVED CVE-2018-11538 (servlet/UserServlet in SearchBlox 8.6.6 has CSRF via the u_name, u_pas ...) NOT-FOR-US: SearchBlox CVE-2018-11537 (Auth0 angular-jwt before 0.1.10 treats whiteListedDomains entries as r ...) NOT-FOR-US: angular-jwt CVE-2018-11536 (md4c before 0.2.5 has a heap-based buffer overflow because md_split_si ...) NOT-FOR-US: md4c CVE-2018-11535 (An issue was discovered in SITEMAKIN SLAC (Site Login and Access Contr ...) NOT-FOR-US: SITEMAKIN SLAC CVE-2018-11534 RESERVED CVE-2018-11533 RESERVED CVE-2018-11532 (An issue was discovered in the ChangUonDyU Advanced Statistics plugin ...) NOT-FOR-US: MyBB plugin CVE-2018-11531 (Exiv2 0.26 has a heap-based buffer overflow in getData in preview.cpp. ...) {DSA-4238-1 DLA-1402-1} - exiv2 0.25-4 NOTE: https://github.com/Exiv2/exiv2/issues/283 NOTE: https://github.com/Exiv2/exiv2/commit/ed874703ad553338f973d537b8159d0eb4375cc4 NOTE: https://github.com/Exiv2/exiv2/commit/863aaebc92ff0b0ee3d302b7b5291002c043bc7b NOTE: https://github.com/Exiv2/exiv2/commit/67a5a741153c876a6f1c189abb874721d1725c48 CVE-2018-11530 RESERVED CVE-2018-11529 (VideoLAN VLC media player 2.2.x is prone to a use after free vulnerabi ...) {DSA-4251-1} - vlc 3.0.3-1-1 [jessie] - vlc (See https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: https://github.com/videolan/vlc-3.0/commit/c472668ff873cfe29281822b4548715fb7bb0368 NOTE: https://github.com/videolan/vlc-3.0/commit/d2dadb37e7acc25ae08df71e563855d6e17b5b42 CVE-2018-11528 (WUZHI CMS 4.1.0 has SQL Injection via an api/sms_check.php?param= URI. ...) NOT-FOR-US: WUZHI CMS CVE-2018-11527 (An issue was discovered in CScms v4.1. A Cross-site request forgery (C ...) NOT-FOR-US: CScms CVE-2018-11526 (The plugin "WordPress Comments Import & Export" for WordPress (v2. ...) NOT-FOR-US: "WordPress Comments Import & Export" plugin for WordPress CVE-2018-11525 (The plugin "Advanced Order Export For WooCommerce" for WordPress (v1.5 ...) NOT-FOR-US: "Advanced Order Export For WooCommerce" plugin for WordPress CVE-2018-11524 RESERVED CVE-2018-11523 (upload.php on NUUO NVRmini 2 devices allows Arbitrary File Upload, suc ...) NOT-FOR-US: NUUO NVRmini CVE-2018-11522 (Yosoro 1.0.4 has stored XSS. ...) NOT-FOR-US: Yosoro CVE-2018-11521 RESERVED CVE-2018-11520 RESERVED CVE-2018-11519 RESERVED CVE-2018-11518 (A vulnerability allows a phreaking attack on HCL legacy IVR systems th ...) NOT-FOR-US: HCL legacy IVR systems CVE-2018-11517 (mySCADA myPRO 7 allows remote attackers to discover all ProjectIDs in ...) NOT-FOR-US: mySCADA myPRO CVE-2018-11516 (The vlc_demux_chained_Delete function in input/demux_chained.c in Vide ...) - vlc 3.0.2-1 [stretch] - vlc 3.0.2-0+deb9u1 [jessie] - vlc (Only affects 3.x) NOTE: http://git.videolan.org/?p=vlc.git;a=commit;h=33dcfcf41340c27b6f8183fdb35b129282a79bd8 NOTE: http://www.videolan.org/security/sa1801.html CVE-2018-11515 (The wpForo plugin through 2018-02-05 for WordPress has SQL Injection v ...) NOT-FOR-US: wpForo plugin for WordPress CVE-2018-11514 (PHP Scripts Mall Naukri Clone Script through 3.0.3 allows Unrestricted ...) NOT-FOR-US: PHP Scripts Mall Naukri Clone Script CVE-2018-11513 RESERVED CVE-2018-11512 (Stored cross-site scripting (XSS) vulnerability in the "Website's name ...) NOT-FOR-US: wityCMS CVE-2018-11511 (The tree list functionality in the photo gallery application in ASUSTO ...) NOT-FOR-US: ASUSTOR ADM CVE-2018-11510 (The ASUSTOR ADM 3.1.0.RFQ3 NAS portal suffers from an unauthenticated ...) NOT-FOR-US: ASUSTOR CVE-2018-11509 (ASUSTOR ADM 3.1.0.RFQ3 uses the same default root:admin username and p ...) NOT-FOR-US: ASUSTOR ADM CVE-2018-11508 (The compat_get_timex function in kernel/compat.c in the Linux kernel b ...) - linux 4.16.12-1 [stretch] - linux (Vulnerable code introduced later) [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1574 NOTE: Fixed by: https://git.kernel.org/linus/0a0b98734479aa5b3c671d5190e86273372cab95 CVE-2018-11507 (An issue was discovered in Free Lossless Image Format (FLIF) 0.3. An a ...) - flif (bug #902188) NOTE: https://github.com/FLIF-hub/FLIF/issues/509 CVE-2018-11506 (The sr_do_ioctl function in drivers/scsi/sr_ioctl.c in the Linux kerne ...) {DLA-1423-1 DLA-1422-1} - linux 4.16.16-1 [stretch] - linux 4.9.110-1 NOTE: Fixed by: https://git.kernel.org/linus/f7068114d45ec55996b9040e98111afa56e010fe CVE-2018-11505 (The Werewolf Online application 0.8.8 for Android allows attackers to ...) NOT-FOR-US: Werewolf Online application for Android CVE-2018-11504 (The islist function in markdown.c in libmarkdown.a in DISCOUNT 2.2.3a ...) {DSA-4293-1 DLA-1499-1} - discount 2.2.4-1 (bug #901912) NOTE: https://github.com/Orc/discount/issues/189#issuecomment-392247798 NOTE: POC: https://github.com/fCorleone/fuzz_programs/blob/master/discount/issue3_testcase NOTE: Fixed by https://github.com/Orc/discount/commit/b002a5a4db31e42dfb45451c059bc56941c17974 CVE-2018-11503 (The isfootnote function in markdown.c in libmarkdown.a in DISCOUNT 2.2 ...) {DSA-4293-1 DLA-1499-1} - discount 2.2.4-1 (bug #901912) NOTE: https://github.com/Orc/discount/issues/189#issuecomment-392247798 NOTE: POC: https://github.com/fCorleone/fuzz_programs/blob/master/discount/issue2_testcase NOTE: Fixed by https://github.com/Orc/discount/commit/b002a5a4db31e42dfb45451c059bc56941c17974 CVE-2018-11502 (An issue was discovered in the Moderator Log Notes plugin 1.1 for MyBB ...) NOT-FOR-US: MyBB plugin CVE-2018-11501 (PHP Scripts Mall Website Seller Script 2.0.3 has CSRF via user_submit. ...) NOT-FOR-US: PHP Scripts Mall Website Seller Script CVE-2018-11500 (An issue was discovered in PublicCMS V4.0.20180210. There is a CSRF vu ...) NOT-FOR-US: PublicCMS CVE-2018-11499 (A use-after-free vulnerability exists in handle_error() in sass_contex ...) - libsass 3.5.5-3 (bug #900182) [stretch] - libsass (Vulnerability introduced in 3.4.7 upstream) NOTE: https://github.com/sass/libsass/issues/2643 NOTE: https://github.com/sass/libsass/commit/84eaca254ca726531def3569c990089b3154e640 CVE-2018-11498 (In Lizard v1.0 and LZ5 v2.0 (the prior release, before the product was ...) NOT-FOR-US: Lizard CVE-2018-11497 RESERVED CVE-2018-11496 (In Long Range Zip (aka lrzip) 0.631, there is a use-after-free in read ...) - lrzip 0.631+git180528-1 [stretch] - lrzip (Minor issue) [jessie] - lrzip (Minor issue) NOTE: https://github.com/ckolivas/lrzip/issues/96 NOTE: https://github.com/ckolivas/lrzip/commit/907b66b8cb4ba7384abf8d82f09204b127d328bd NOTE: https://github.com/ckolivas/lrzip/commit/a81248e47d276cf59b8c7e22558e2b5035e87b33 CVE-2018-11495 (OpenCart through 3.0.2.0 allows directory traversal in the editDownloa ...) NOT-FOR-US: OpenCart CVE-2018-11494 (The "program extension upload" feature in OpenCart through 3.0.2.0 has ...) NOT-FOR-US: OpenCart CVE-2018-11493 (An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerabil ...) NOT-FOR-US: WUZHI CMS CVE-2018-11492 (ASUS HG100 devices allow denial of service via an IPv4 packet flood. ...) NOT-FOR-US: ASUS HG100 devices CVE-2018-11491 (ASUS HG100 devices with firmware before 1.05.12 allow unauthenticated ...) NOT-FOR-US: ASUS HG100 devices CVE-2018-11490 (The DGifDecompressLine function in dgif_lib.c in GIFLIB (possibly vers ...) [experimental] - giflib 5.1.7-1 - giflib 5.1.9-1 (bug #904114) [buster] - giflib (Minor issue) [stretch] - giflib (Minor issue) [jessie] - giflib (Minor issue) NOTE: https://github.com/pts/sam2p/issues/38 NOTE: https://sourceforge.net/p/giflib/bugs/113/ NOTE: https://sourceforge.net/p/giflib/code/ci/08438a5098f3bb1de23a29334af55eba663f75bd/ NOTE: Issue was reported against sam2p but issue is in dgif_lib.c from giflib. CVE-2018-11489 (The DGifDecompressLine function in dgif_lib.c in GIFLIB (possibly vers ...) - giflib (bug #904113) [buster] - giflib (Minor issue) [stretch] - giflib (Minor issue) [jessie] - giflib (Minor issue) NOTE: https://github.com/pts/sam2p/issues/37 NOTE: https://sourceforge.net/p/giflib/bugs/112/ NOTE: Issue was reported against sam2p but issue is in dgif_lib.c from giflib. CVE-2018-11488 (A stack exhaustion vulnerability in the search function of dtSearch 7. ...) NOT-FOR-US: dtSearch CVE-2018-11487 (PHPMyWind 5.5 has XSS via the cid parameter to newsshow.php, or the qu ...) NOT-FOR-US: PHPMyWind CVE-2018-11486 (An issue was discovered in the MULTIDOTS Advance Search for WooCommerc ...) NOT-FOR-US: MULTIDOTS Advance Search for WooCommerce plugin for WordPress CVE-2018-11485 (The MULTIDOTS WooCommerce Quick Reports plugin 1.0.6 and earlier for W ...) NOT-FOR-US: MULTIDOTS WooCommerce Quick Reports plugin for WordPress CVE-2018-11484 RESERVED CVE-2018-11483 RESERVED CVE-2018-11482 (/usr/lib/lua/luci/websys.lua on TP-LINK IPC TL-IPC223(P)-6, TL-IPC323K ...) NOT-FOR-US: TP-LINK CVE-2018-11481 (TP-LINK IPC TL-IPC223(P)-6, TL-IPC323K-D, TL-IPC325(KP)-*, and TL-IPC4 ...) NOT-FOR-US: TP-LINK CVE-2018-11480 RESERVED CVE-2018-11479 (The VPN component in Windscribe 1.81 uses the OpenVPN client for conne ...) NOT-FOR-US: VPN component in Windscribe CVE-2018-11478 (An issue was discovered on Vgate iCar 2 Wi-Fi OBD2 Dongle devices. The ...) NOT-FOR-US: Vgate iCar 2 Wi-Fi OBD2 Dongle devices CVE-2018-11477 (An issue was discovered on Vgate iCar 2 Wi-Fi OBD2 Dongle devices. The ...) NOT-FOR-US: Vgate iCar 2 Wi-Fi OBD2 Dongle devices CVE-2018-11476 (An issue was discovered on Vgate iCar 2 Wi-Fi OBD2 Dongle devices. The ...) NOT-FOR-US: Vgate iCar 2 Wi-Fi OBD2 Dongle devices CVE-2018-11475 (Monstra CMS 3.0.4 has a Session Management Issue in the Users tab. A p ...) NOT-FOR-US: Monstra CMS CVE-2018-11474 (Monstra CMS 3.0.4 has a Session Management Issue in the Administration ...) NOT-FOR-US: Monstra CMS CVE-2018-11473 (Monstra CMS 3.0.4 has XSS in the registration Form (i.e., the login pa ...) NOT-FOR-US: Monstra CMS CVE-2018-11472 (Monstra CMS 3.0.4 has Reflected XSS during Login (i.e., the login para ...) NOT-FOR-US: Monstra CMS CVE-2018-11471 (Cockpit 0.5.5 has XSS via a collection, form, or region. ...) NOT-FOR-US: Cockpit CMS (different from src:cockpit) CVE-2018-11470 (iScripts eSwap v2.4 has SQL injection via the "search.php" 'Told' para ...) NOT-FOR-US: iScripts eSwap CVE-2018-11469 (Incorrect caching of responses to requests including an Authorization ...) - haproxy 1.8.9-2 (bug #900084) [stretch] - haproxy (Issue introduced in 1.8.0) [jessie] - haproxy (Issue introduced in 1.8.0) NOTE: https://git.haproxy.org/?p=haproxy-1.8.git;a=commit;h=17514045e5d934dede62116216c1b016fe23dd06 CVE-2018-11468 (The __mkd_trim_line function in mkdio.c in libmarkdown.a in DISCOUNT 2 ...) {DSA-4293-1 DLA-1499-1} - discount 2.2.4-1 (bug #901912) NOTE: https://github.com/Orc/discount/issues/189 NOTE: POC: https://github.com/fCorleone/fuzz_programs/blob/master/discount/issue1_testcase NOTE: Fixed by https://github.com/Orc/discount/commit/b002a5a4db31e42dfb45451c059bc56941c17974 CVE-2018-11467 RESERVED CVE-2018-11466 (A vulnerability has been identified in SINUMERIK 808D V4.7 (All versio ...) NOT-FOR-US: Siemens CVE-2018-11465 (A vulnerability has been identified in SINUMERIK 808D V4.7 (All versio ...) NOT-FOR-US: Siemens CVE-2018-11464 (A vulnerability has been identified in SINUMERIK 828D V4.7 (All versio ...) NOT-FOR-US: Siemens CVE-2018-11463 (A vulnerability has been identified in SINUMERIK 808D V4.7 (All versio ...) NOT-FOR-US: Siemens CVE-2018-11462 (A vulnerability has been identified in SINUMERIK 808D V4.7 (All versio ...) NOT-FOR-US: Siemens CVE-2018-11461 (A vulnerability has been identified in SINUMERIK 808D V4.7 (All versio ...) NOT-FOR-US: Siemens CVE-2018-11460 (A vulnerability has been identified in SINUMERIK 808D V4.7 (All versio ...) NOT-FOR-US: Siemens CVE-2018-11459 (A vulnerability has been identified in SINUMERIK 808D V4.7 (All versio ...) NOT-FOR-US: Siemens CVE-2018-11458 (A vulnerability has been identified in SINUMERIK 828D V4.7 (All versio ...) NOT-FOR-US: Siemens CVE-2018-11457 (A vulnerability has been identified in SINUMERIK 828D V4.7 (All versio ...) NOT-FOR-US: Siemens CVE-2018-11456 (A vulnerability has been identified in Automation License Manager 5 (A ...) NOT-FOR-US: Automation License Manager CVE-2018-11455 (A vulnerability has been identified in Automation License Manager 5 (A ...) NOT-FOR-US: Automation License Manager CVE-2018-11454 (A vulnerability has been identified in SIMATIC STEP 7 (TIA Portal) and ...) NOT-FOR-US: SIMATIC CVE-2018-11453 (A vulnerability has been identified in SIMATIC STEP 7 (TIA Portal) and ...) NOT-FOR-US: SIMATIC CVE-2018-11452 (A vulnerability has been identified in Firmware variant IEC 61850 for ...) NOT-FOR-US: Siemens CVE-2018-11451 (A vulnerability has been identified in Firmware variant IEC 61850 for ...) NOT-FOR-US: Siemens CVE-2018-11450 (A reflected Cross-Site-Scripting (XSS) vulnerability has been identifi ...) NOT-FOR-US: Siemens PLM Software TEAMCENTER CVE-2018-11449 (A vulnerability has been identified in SCALANCE M875 (All versions). A ...) NOT-FOR-US: SCALANCE CVE-2018-11448 (A vulnerability has been identified in SCALANCE M875 (All versions). T ...) NOT-FOR-US: SCALANCE CVE-2018-11447 (A vulnerability has been identified in SCALANCE M875 (All versions). T ...) NOT-FOR-US: SCALANCE CVE-2018-11446 (The buy function of a smart contract implementation for Gold Reward (G ...) NOT-FOR-US: Gold Reward CVE-2018-11445 (A CSRF issue was discovered on the User Add/System Settings Page (syst ...) NOT-FOR-US: EasyService Billing CVE-2018-11444 (A SQL Injection issue was observed in the parameter "q" in jobcard-ong ...) NOT-FOR-US: EasyService Billing CVE-2018-11443 (The parameter q is affected by Cross-site Scripting in jobcard-ongoing ...) NOT-FOR-US: EasyService Billing CVE-2018-11442 (A CSRF issue was discovered in EasyService Billing 1.0, which was trig ...) NOT-FOR-US: EasyService Billing CVE-2018-11441 RESERVED CVE-2018-11440 (Liblouis 3.5.0 has a stack-based Buffer Overflow in the function parse ...) - liblouis 3.5.0-3 (bug #900085) [stretch] - liblouis 3.0.0-3+deb9u4 [jessie] - liblouis (Minor issue) NOTE: https://github.com/liblouis/liblouis/issues/575 NOTE: https://github.com/liblouis/liblouis/commit/4417bad83df4481ed58419b28c5c91b9649e2a86 CVE-2018-11439 (The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in TagLi ...) {DLA-1430-1} - taglib 1.11.1+dfsg.1-0.3 (bug #903847) [stretch] - taglib (Minor issue) NOTE: PoC: http://seclists.org/fulldisclosure/2018/May/49 NOTE: Upstream issue: https://github.com/taglib/taglib/issues/868 NOTE: Pull request: https://github.com/taglib/taglib/pull/869 NOTE: Upstream fix: https://github.com/taglib/taglib/commit/2c4ae870ec086f2ddd21a47861a3709c36faac45 CVE-2018-11438 (The mobi_decompress_lz77 function in compression.c in Libmobi 0.3 allo ...) NOT-FOR-US: Libmobi CVE-2018-11437 (The mobi_reconstruct_parts function in parse_rawml.c in Libmobi 0.3 al ...) NOT-FOR-US: Libmobi CVE-2018-11436 (The buffer_addraw function in buffer.c in Libmobi 0.3 allows remote at ...) NOT-FOR-US: Libmobi CVE-2018-11435 (The mobi_decompress_huffman_internal function in compression.c in Libm ...) NOT-FOR-US: Libmobi CVE-2018-11434 (The buffer_fill64 function in compression.c in Libmobi 0.3 allows remo ...) NOT-FOR-US: Libmobi CVE-2018-11433 (The mobi_get_kf8boundary_seqnumber function in util.c in Libmobi 0.3 a ...) NOT-FOR-US: Libmobi CVE-2018-11432 (The mobi_parse_mobiheader function in read.c in Libmobi 0.3 allows rem ...) NOT-FOR-US: Libmobi CVE-2018-11431 RESERVED CVE-2018-11430 (An issue was discovered in the Moderator Log Notes plugin 1.1 for MyBB ...) NOT-FOR-US: Moderator Log Notes plugin for MyBB CVE-2018-11429 (ATLANT (ATL) is a smart contract running on Ethereum. The mint functio ...) NOT-FOR-US: smart contract CVE-2018-11428 RESERVED CVE-2018-11427 (CSRF tokens are not used in the web application of Moxa OnCell G3100-H ...) NOT-FOR-US: Moxa CVE-2018-11426 (A weak Cookie parameter is used in the web application of Moxa OnCell ...) NOT-FOR-US: Moxa CVE-2018-11425 (Memory corruption issue was discovered in Moxa OnCell G3470A-LTE Serie ...) NOT-FOR-US: Moxa CVE-2018-11424 (There is Memory corruption in the web interface of Moxa OnCell G3470A- ...) NOT-FOR-US: Moxa CVE-2018-11423 (There is Memory corruption in the web interface Moxa OnCell G3100-HSPA ...) NOT-FOR-US: Moxa CVE-2018-11422 (Moxa OnCell G3100-HSPA Series version 1.6 Build 17100315 and prior use ...) NOT-FOR-US: Moxa CVE-2018-11421 (Moxa OnCell G3100-HSPA Series version 1.6 Build 17100315 and prior use ...) NOT-FOR-US: Moxa CVE-2018-11420 (There is Memory corruption in the web interface of Moxa OnCell G3100-H ...) NOT-FOR-US: Moxa CVE-2018-11419 (An issue was discovered in JerryScript 1.0. There is a heap-based buff ...) NOT-FOR-US: JerryScript CVE-2018-11418 (An issue was discovered in JerryScript 1.0. There is a heap-based buff ...) NOT-FOR-US: JerryScript CVE-2018-11417 RESERVED CVE-2018-11416 (jpegoptim.c in jpegoptim 1.4.5 (fixed in 1.4.6) has an invalid use of ...) - jpegoptim (Introduced in 1.4.5) NOTE: https://github.com/tjko/jpegoptim/issues/57 CVE-2018-11415 (SAP Internet Transaction Server (ITS) 6200.X.X has Reflected Cross Sit ...) NOT-FOR-US: SAP Internet Transaction Server CVE-2018-11414 (An issue was discovered in BearAdmin 0.5. There is admin/admin_log/ind ...) NOT-FOR-US: BearAdmin CVE-2018-11413 (An issue was discovered in BearAdmin 0.5. Remote attackers can downloa ...) NOT-FOR-US: BearAdmin CVE-2018-11412 (In the Linux kernel 4.13 through 4.16.11, ext4_read_inline_data() in f ...) - linux 4.17.3-1 [stretch] - linux (Introduced in e50e5129f384 in 4.13) [jessie] - linux (Introduced in e50e5129f384 in 4.13) [wheezy] - linux (Introduced in e50e5129f384 in 4.13) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1580 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199803 NOTE: Fixed by: https://git.kernel.org/linus/117166efb1ee8f13c38f9e96b258f16d4923f888 CVE-2018-11411 (The transferFrom function of a smart contract implementation for Dimon ...) NOT-FOR-US: DimonCoin CVE-2018-11410 (An issue was discovered in Liblouis 3.5.0. A invalid free in the compi ...) - liblouis 3.5.0-2 (bug #899999) [stretch] - liblouis 3.0.0-3+deb9u2 [jessie] - liblouis (Code did not even exist at the time) [wheezy] - liblouis (Code did not even exist at the time) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1582024 NOTE: https://github.com/liblouis/liblouis/issues/573 CVE-2018-11409 (Splunk through 7.0.1 allows information disclosure by appending __raw/ ...) NOT-FOR-US: Splunk CVE-2018-11408 (The security handlers in the Security component in Symfony in 2.7.x be ...) {DLA-1707-1} - symfony 3.4.12+dfsg-1 [stretch] - symfony (Incomplete fix for CVE-2017-16652 wasn't backported) NOTE: https://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on-security-handlers CVE-2018-11407 (An issue was discovered in the Ldap component in Symfony 2.8.x before ...) - symfony 3.4.12+dfsg-1 [stretch] - symfony (Incomplete fix for CVE-2016-2403 not applied) [jessie] - symfony (Incomplete fix for CVE-2016-2403 not applied) NOTE: https://symfony.com/blog/cve-2018-11407-unauthorized-access-on-a-misconfigured-ldap-server-when-using-an-empty-password CVE-2018-11406 (An issue was discovered in the Security component in Symfony 2.7.x bef ...) {DSA-4262-1} - symfony 3.4.12+dfsg-1 [jessie] - symfony (vulnerable code not present in branch 2.3) NOTE: https://symfony.com/blog/cve-2018-11406-csrf-token-fixation CVE-2018-11405 (Kliqqi 2.0.2 has CSRF in admin/admin_users.php. ...) NOT-FOR-US: Kliqqi CVE-2018-11404 (DomainMod v4.09.03 has XSS via the assets/edit/ssl-provider-account.ph ...) NOT-FOR-US: DomainMod CVE-2018-11403 (DomainMod v4.09.03 has XSS via the assets/edit/account-owner.php oid p ...) NOT-FOR-US: DomainMod CVE-2018-11402 (SimpliSafe Original has Unencrypted Keypad Transmissions, which allows ...) NOT-FOR-US: SimpliSafe Original CVE-2018-11401 (In SimpliSafe Original, RF Interference (e.g., an extremely strong 433 ...) NOT-FOR-US: SimpliSafe Original CVE-2018-11400 (In SimpliSafe Original, the Base Station fails to detect tamper attemp ...) NOT-FOR-US: SimpliSafe Original CVE-2018-11399 (SimpliSafe Original has Unencrypted Sensor Transmissions, which allows ...) NOT-FOR-US: SimpliSafe Original CVE-2018-11398 RESERVED CVE-2018-11397 RESERVED CVE-2018-11396 (ephy-session.c in libephymain.so in GNOME Web (aka Epiphany) through 3 ...) - epiphany-browser 3.28.2.1-1 (unimportant; bug #899409) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=795740 NOTE: webkit not covered by security support CVE-2018-11395 RESERVED CVE-2018-11394 RESERVED CVE-2018-11393 RESERVED CVE-2018-11392 (An arbitrary file upload vulnerability in /classes/profile.class.php i ...) NOT-FOR-US: Jigowatt CVE-2018-11391 RESERVED CVE-2018-11390 RESERVED CVE-2018-11389 RESERVED CVE-2018-11388 RESERVED CVE-2018-11387 RESERVED CVE-2018-11386 (An issue was discovered in the HttpFoundation component in Symfony 2.7 ...) {DSA-4262-1} - symfony 3.4.12+dfsg-1 [jessie] - symfony (vulnerable code no present, no rollback mechanism in this version) NOTE: https://symfony.com/blog/cve-2018-11386-denial-of-service-when-using-pdosessionhandler CVE-2018-11385 (An issue was discovered in the Security component in Symfony 2.7.x bef ...) {DSA-4262-1 DLA-1707-1} - symfony 3.4.12+dfsg-1 NOTE: https://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-guard-authentication CVE-2018-11384 (The sh_op() function in radare2 2.5.0 allows remote attackers to cause ...) - radare2 2.6.0+dfsg-1 (low) [jessie] - radare2 (Minor issue) [wheezy] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/commit/77c47cf873dd55b396da60baa2ca83bbd39e4add NOTE: https://github.com/radare/radare2/issues/9903 CVE-2018-11383 (The r_strbuf_fini() function in radare2 2.5.0 allows remote attackers ...) - radare2 2.6.0+dfsg-1 (low) [jessie] - radare2 (Minor issue) [wheezy] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/commit/9d348bcc2c4bbd3805e7eec97b594be9febbdf9a NOTE: https://github.com/radare/radare2/issues/9943 CVE-2018-11382 (The _inst__sts() function in radare2 2.5.0 allows remote attackers to ...) - radare2 (Vulnerable code not yet present) NOTE: https://github.com/radare/radare2/commit/d04c78773f6959bcb427453f8e5b9824d5ba9eff NOTE: https://github.com/radare/radare2/issues/10091 CVE-2018-11381 (The string_scan_range() function in radare2 2.5.0 allows remote attack ...) - radare2 2.6.0+dfsg-1 (low) [jessie] - radare2 (Minor issue) [wheezy] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/commit/3fcf41ed96ffa25b38029449520c8d0a198745f3 NOTE: https://github.com/radare/radare2/issues/9902 CVE-2018-11380 (The parse_import_ptr() function in radare2 2.5.0 allows remote attacke ...) - radare2 2.6.0+dfsg-1 (low) [jessie] - radare2 (Minor issue) [wheezy] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/commit/60208765887f5f008b3b9a883f3addc8bdb9c134 NOTE: https://github.com/radare/radare2/issues/9970 CVE-2018-11379 (The get_debug_info() function in radare2 2.5.0 allows remote attackers ...) - radare2 2.6.0+dfsg-1 (low) [jessie] - radare2 (Minor issue) [wheezy] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/commit/4e1cf0d3e6f6fe2552a269def0af1cd2403e266c NOTE: https://github.com/radare/radare2/issues/9926 CVE-2018-11378 (The wasm_dis() function in libr/asm/arch/wasm/wasm.c in or possibly ha ...) - radare2 2.6.0+dfsg-1 (low) [jessie] - radare2 (Vulnerable code not present) [wheezy] - radare2 (Vulnerable code not present) NOTE: https://github.com/radare/radare2/commit/bd276ef2fd8ac3401e65be7c126a43175ccfbcd7 NOTE: https://github.com/radare/radare2/issues/9969 CVE-2018-11377 (The avr_op_analyze() function in radare2 2.5.0 allows remote attackers ...) - radare2 2.6.0+dfsg-1 (low) [jessie] - radare2 (Minor issue) [wheezy] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/commit/25a3703ef2e015bbe1d1f16f6b2f63bb10dd34f4 NOTE: https://github.com/radare/radare2/commit/b35530fa0681b27eba084de5527037ebfb397422 NOTE: https://github.com/radare/radare2/issues/9901 CVE-2018-11376 (The r_read_le32() function in radare2 2.5.0 allows remote attackers to ...) - radare2 2.6.0+dfsg-1 (low) [jessie] - radare2 (Minor issue) [wheezy] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/commit/1f37c04f2a762500222dda2459e6a04646feeedf NOTE: https://github.com/radare/radare2/issues/9904 CVE-2018-11375 (The _inst__lds() function in radare2 2.5.0 allows remote attackers to ...) - radare2 (Vulnerable code not yet present) NOTE: https://github.com/radare/radare2/commit/041e53cab7ca33481ae45ecd65ad596976d78e68 NOTE: https://github.com/radare/radare2/issues/9928 CVE-2018-11374 RESERVED CVE-2018-11373 (iScripts eSwap v2.4 has SQL injection via the "salelistdetailed.php" U ...) NOT-FOR-US: iScripts eSwap CVE-2018-11372 (iScripts eSwap v2.4 has SQL injection via the wishlistdetailed.php Use ...) NOT-FOR-US: iScripts eSwap CVE-2018-11371 (SkyCaiji 1.2 allows CSRF to add an Administrator user. ...) NOT-FOR-US: SkyCaiji CVE-2018-11370 RESERVED CVE-2018-11369 (An issue was discovered in PbootCMS v1.0.9. There is a SQL Injection t ...) NOT-FOR-US: PbootCMS CVE-2018-11368 RESERVED CVE-2018-11367 (An issue was discovered in CppCMS before 1.2.1. There is a denial of s ...) NOT-FOR-US: CppCMS CVE-2018-11366 (init.php in the Loginizer plugin 1.3.8 through 1.3.9 for WordPress has ...) NOT-FOR-US: Wordpress plugin CVE-2018-11365 (sas/readstat_sas7bcat_read.c in libreadstat.a in ReadStat 0.1.1 has an ...) - r-cran-haven 1.1.1-2 (low; bug #899335) CVE-2018-11364 (sav_parse_machine_integer_info_record in spss/readstat_sav_read.c in l ...) - r-cran-haven 1.1.1-2 (low; bug #899335) CVE-2018-11363 (jpeg_size in pdfgen.c in PDFGen before 2018-04-09 has a heap-based buf ...) NOT-FOR-US: PDFGen CVE-2018-11362 (In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the LDSS diss ...) {DSA-4217-1 DLA-1388-1} - wireshark 2.6.1-1 (bug #900708) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14615 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f177008b04a530640de835ca878892e58b826d58 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-25.html CVE-2018-11361 (In Wireshark 2.6.0, the IEEE 802.11 protocol dissector could crash. Th ...) - wireshark 2.6.1-1 (bug #900708) [jessie] - wireshark (vulnerable code not present (TDLS support added in version 2.1.0)) [wheezy] - wireshark (vulnerable code not present (TDLS support added in version 2.1.0)) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14686 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=1b52f9929238ce3948ec924ae4f9456b5e9df558 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-32.html CVE-2018-11360 (In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the GSM A DTA ...) - wireshark 2.6.1-1 (bug #900708) [stretch] - wireshark 2.2.6+g32dac6a-2+deb9u3 [jessie] - wireshark (vulnerable code not present (uses static a_bigbuf instead)) [wheezy] - wireshark (vulnerable code not present (uses static a_bigbuf instead)) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14688 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=a55b36c51f83a7b9680824e8ee3a6ce8429ab24b NOTE: https://www.wireshark.org/security/wnpa-sec-2018-30.html CVE-2018-11359 (In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the RRC disse ...) {DLA-1634-1} - wireshark 2.6.1-1 (bug #900708) [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14703 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=beaebe91b14564fb9f86f0726bab09927872721b NOTE: https://www.wireshark.org/security/wnpa-sec-2018-33.html CVE-2018-11358 (In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the Q.931 dis ...) {DSA-4217-1 DLA-1388-1} - wireshark 2.6.1-1 (bug #900708) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14689 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=ccb1ac3c8cec47fbbbf2e80ced80644005c65252 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-31.html CVE-2018-11357 (In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the LTP disse ...) {DLA-1634-1} - wireshark 2.6.1-1 (bug #900708) [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14678 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=ab8a33ef083b9732c89117747a83a905a676faf6 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-28.html CVE-2018-11356 (In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the DNS disse ...) {DLA-1634-1} - wireshark 2.6.1-1 (bug #900708) [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14681 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=4425716ddba99374749bd033d9bc0f4add2fb973 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-29.html CVE-2018-11355 (In Wireshark 2.6.0, the RTCP dissector could crash. This was addressed ...) - wireshark (Vulnerable code, new RTCP dissector for transport-cc, introduced later) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14673 NOTE: Introduced by: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=a584eab239d55e441433ead40c993e08a24c59fe (v2.5.0) NOTE: Fixed by: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=99d27a5fd2c540f837154aca3b3647f5ccfa0c33 (v2.6.1) NOTE: https://www.wireshark.org/security/wnpa-sec-2018-27.html CVE-2018-11354 (In Wireshark 2.6.0, the IEEE 1905.1a dissector could crash. This was a ...) - wireshark (Vulnerable code, IEEE 1905.1a dissector, introduced in v2.5.0~1187) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14647 NOTE: Introduced by: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=05b1d35586aee37dad7d84fa27531fc9794a41c9 (v2.5.0) NOTE: Fixed by: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=cb517a4a434387e74a2f75ebb106ee3c3893251c (v2.6.1) NOTE: https://www.wireshark.org/security/wnpa-sec-2018-26.html CVE-2018-11353 RESERVED CVE-2018-11352 (The Wallabag application 2.2.3 to 2.3.2 is affected by one cross-site ...) NOT-FOR-US: Wallabag CVE-2018-11351 (script.php in Jirafeau before 3.4.1 is affected by two stored Cross-Si ...) NOT-FOR-US: Jirafeau CVE-2018-11350 (An issue was discovered in Jirafeau before 3.4.1. The file "search by ...) NOT-FOR-US: Jirafeau CVE-2018-11349 (The administration panel of Jirafeau before 3.4.1 is vulnerable to thr ...) NOT-FOR-US: Jirafeau CVE-2018-11348 (Two XSS vulnerabilities are located in the profile edition page of the ...) NOT-FOR-US: Yunihost CVE-2018-11347 (The YunoHost 2.7.2 through 2.7.14 web application is affected by one H ...) NOT-FOR-US: Yunihost CVE-2018-11346 (An insecure direct object reference vulnerability in download.cgi in A ...) NOT-FOR-US: ASUSTOR CVE-2018-11345 (An unrestricted file upload vulnerability in upload.cgi in ASUSTOR AS6 ...) NOT-FOR-US: ASUSTOR CVE-2018-11344 (A path traversal vulnerability in download.cgi in ASUSTOR AS6202T ADM ...) NOT-FOR-US: ASUSTOR CVE-2018-11343 (A persistent cross site scripting vulnerability in playlistmanger.cgi ...) NOT-FOR-US: ASUSTOR CVE-2018-11342 (A path traversal vulnerability in fileExplorer.cgi in ASUSTOR AS6202T ...) NOT-FOR-US: ASUSTOR CVE-2018-11341 (Directory traversal in importuser.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ ...) NOT-FOR-US: ASUSTOR CVE-2018-11340 (An unrestricted file upload vulnerability in importuser.cgi in ASUSTOR ...) NOT-FOR-US: ASUSTOR CVE-2018-11339 (An XSS issue was discovered in Frappe ERPNext v11.x.x-develop b1036e5 ...) NOT-FOR-US: Frappe ERPNext CVE-2018-11338 (Intuit Lacerte 2017 for Windows in a client/server environment transfe ...) NOT-FOR-US: Intuit Lacerte CVE-2018-11337 RESERVED CVE-2018-11336 RESERVED CVE-2018-11335 (GVToken Genesis Vision (GVT) is a smart contract running on Ethereum. ...) NOT-FOR-US: smart contract CVE-2018-11334 (Windscribe 1.81 creates a named pipe with a NULL DACL that allows Ever ...) NOT-FOR-US: Windscribe CVE-2018-11333 RESERVED CVE-2018-11332 (Stored cross-site scripting (XSS) vulnerability in the "Site Name" fie ...) NOT-FOR-US: ClipperCMS CVE-2018-11331 (An issue was discovered in Pluck before 4.7.6. Remote PHP code executi ...) NOT-FOR-US: Pluck CMS CVE-2018-11330 (An issue was discovered in Pluck before 4.7.6. There is authenticated ...) NOT-FOR-US: Pluck CMS CVE-2018-11329 (The DrugDealer function of a smart contract implementation for Ether C ...) NOT-FOR-US: DrugDealer smart contractz CVE-2018-11328 (An issue was discovered in Joomla! Core before 3.8.8. Under specific c ...) NOT-FOR-US: Joomla! CVE-2018-11327 (An issue was discovered in Joomla! Core before 3.8.8. Inadequate check ...) NOT-FOR-US: Joomla! CVE-2018-11326 (An issue was discovered in Joomla! Core before 3.8.8. Inadequate input ...) NOT-FOR-US: Joomla! CVE-2018-11325 (An issue was discovered in Joomla! Core before 3.8.8. The web install ...) NOT-FOR-US: Joomla! CVE-2018-11324 (An issue was discovered in Joomla! Core before 3.8.8. A long running b ...) NOT-FOR-US: Joomla! CVE-2018-11323 (An issue was discovered in Joomla! Core before 3.8.8. Inadequate check ...) NOT-FOR-US: Joomla! CVE-2018-11322 (An issue was discovered in Joomla! Core before 3.8.8. Depending on the ...) NOT-FOR-US: Joomla! CVE-2018-11321 (An issue was discovered in com_fields in Joomla! Core before 3.8.8. In ...) NOT-FOR-US: Joomla! CVE-2018-11320 (In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that ar ...) NOT-FOR-US: Octopus Deploy CVE-2018-1000181 (Kitura 2.3.0 and earlier have an unintended read access to unauthorise ...) NOT-FOR-US: Kitura CVE-2018-1000180 (Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier h ...) {DSA-4233-1} - bouncycastle 1.59-2 (bug #900843) [jessie] - bouncycastle (Issue introduced in 1.54) NOTE: Fixed by: https://github.com/bcgit/bc-java/commit/22467b6e8fe19717ecdf201c0cf91bacf04a55ad NOTE: Fixed by: https://github.com/bcgit/bc-java/commit/73780ac522b7795fc165630aba8d5f5729acc839 NOTE: Introduced by: https://github.com/bcgit/bc-java/commit/a47c9eff26101f2969bb2a9627ca721b135c9d47 NOTE: https://www.bouncycastle.org/jira/browse/BJA-694 CVE-2018-11318 RESERVED CVE-2018-11317 (Subrion CMS before 4.1.4 has XSS. ...) NOT-FOR-US: Subrion CMS CVE-2018-11316 (The UPnP HTTP server on Sonos wireless speaker products allow unauthor ...) NOT-FOR-US: Sonos CVE-2018-11315 (The Local HTTP API in Radio Thermostat CT50 and CT80 1.04.84 and below ...) NOT-FOR-US: Radio Thermostat CT50 and CT80 CVE-2018-11314 (The External Control API in Roku and Roku TV products allow unauthoriz ...) NOT-FOR-US: Roku CVE-2018-11313 RESERVED CVE-2018-11312 RESERVED CVE-2018-11311 (A hardcoded FTP username of myscada and password of Vikuk63 in 'myscad ...) NOT-FOR-US: mySCADA CVE-2018-11310 RESERVED CVE-2018-11309 (Blind SQL injection in coupon_code in the MemberMouse plugin 2.2.8 and ...) NOT-FOR-US: MemberMouse plugin for WordPress CVE-2018-11308 RESERVED CVE-2018-11307 (An issue was discovered in FasterXML jackson-databind 2.0.0 through 2. ...) {DSA-4452-1 DLA-1703-1} - jackson-databind 2.9.8-1 NOTE: https://github.com/FasterXML/jackson-databind/issues/2032 NOTE: https://github.com/FasterXML/jackson-databind/commit/27b4defc270454dea6842bd9279f17387eceb737 CVE-2018-11306 RESERVED CVE-2018-11305 (When a series of FDAL messages are sent to the modem, a Use After Free ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11304 (Possible buffer overflow in msm_adsp_stream_callback_put due to lack o ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11303 RESERVED CVE-2018-11302 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11301 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11300 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11299 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11298 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11297 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11296 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11295 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11294 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11293 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11292 (In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11291 (In Snapdragon (Automobile, Mobile, Wear) in version IPQ8074, MDM9206, ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11290 (In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11289 (Data truncation during higher to lower type conversion which causes le ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11288 (Possible undefined behavior due to lack of size check in function for ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11287 (In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11286 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11285 (In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11284 (Spoofed SMS can be used to send a large number of messages to the devi ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11283 RESERVED CVE-2018-11282 RESERVED CVE-2018-11281 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11280 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11279 (Lack of check of input size can make device memory get corrupted becau ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11278 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11277 (In Snapdragon (Automobile, Mobile, Wear) in version MSM8909W, MSM8996A ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11276 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11275 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11274 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11273 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11272 RESERVED CVE-2018-11271 (Improper authentication can happen on Remote command handling due to i ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11270 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11269 (In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11268 (In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11267 (In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11266 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Android kernel, code not in mainline CVE-2018-11265 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11264 (Possible buffer overflow in Ontario fingerprint code due to lack of in ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11263 (In all Android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11262 (In Android for MSM, Firefox OS for MSM, and QRD Android with all Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11261 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11260 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11259 (Due to Improper Access Control of NAND-based EFS in Snapdragon Automob ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11258 (In ADSP RPC in Snapdragon Automobile, Snapdragon Mobile and Snapdragon ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11257 (Permissions, Privileges, and Access Controls in TA in Snapdragon Mobil ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18283 (Possible memory corruption when Read Val Blob Req is received with inv ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18282 (Non-secure SW can cause SDCC to generate secure bus accesses, which ma ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18281 (A bool variable in Video function, which gets typecasted to int before ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18280 (In Snapdragon (Automobile, Mobile, Wear) in version MDM9607, MSM8909W, ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18279 (Lack of check of buffer length before copying can lead to buffer overf ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18278 (An integer underflow may occur due to lack of check when received data ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18277 (When dynamic memory allocation fails, currently the process sleeps for ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18276 (Secure camera logic allows display/secure camera controllers to access ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18275 (A new account can be inserted into simContacts service using Android c ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18274 (While iterating through the models contained in a fixed-size array in ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11256 (An issue was discovered in PoDoFo 0.9.5. The function PdfDocument::App ...) - libpodofo 0.9.6+dfsg-4 (low; bug #916583) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1575851 NOTE: https://sourceforge.net/p/podofo/tickets/21 NOTE: https://sourceforge.net/p/podofo/code/1938 CVE-2018-11255 (An issue was discovered in PoDoFo 0.9.5. The function PdfPage::GetPage ...) - libpodofo (low; bug #916584) [buster] - libpodofo (Minor issue) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1575502 NOTE: https://sourceforge.net/p/podofo/tickets/20 NOTE: https://sourceforge.net/p/podofo/code/1952 (this commit doesn't fix the crash) CVE-2018-11254 (An issue was discovered in PoDoFo 0.9.5. There is an Excessive Recursi ...) - libpodofo 0.9.6+dfsg-4 (low; bug #916585) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1576174 NOTE: https://sourceforge.net/p/podofo/tickets/19 NOTE: https://sourceforge.net/p/podofo/code/1941 CVE-2018-11253 RESERVED CVE-2018-11252 RESERVED CVE-2018-11251 (In ImageMagick 7.0.7-23 Q16 x86_64 2018-01-24, there is a heap-based b ...) {DSA-4245-1 DLA-1394-1 DLA-1381-1} - imagemagick 8:6.9.9.39+dfsg-1 NOTE: https://github.com/ImageMagick/ImageMagick/issues/956 NOTE: https://github.com/ImageMagick/ImageMagick/commit/73fbc6a557b4f63af18b2debe83f817859ef7481 CVE-2018-11250 RESERVED CVE-2018-11249 RESERVED CVE-2018-11248 (util/FileDownloadUtils.java in FileDownloader 1.7.3 does not check an ...) NOT-FOR-US: FileDownloader CVE-2018-11247 (The JMX/RMI interface in Nasdaq BWise 5.0 does not require authenticat ...) NOT-FOR-US: SAP CVE-2018-11246 RESERVED CVE-2018-11245 (app/webroot/js/misp.js in MISP 2.4.91 has a DOM based XSS with cortex ...) NOT-FOR-US: MISP CVE-2018-11244 (The BBE theme before 1.53 for WordPress allows a direct launch of an H ...) NOT-FOR-US: WordPress theme CVE-2018-11243 (PackLinuxElf64::unpack in p_lx_elf.cpp in UPX 3.95 allows remote attac ...) - upx-ucl 1.03+repack-5 (unimportant; bug #899190; bug #907426) NOTE: https://github.com/upx/upx/issues/206 NOTE: https://github.com/upx/upx/issues/207 CVE-2018-11242 (An issue was discovered in the MakeMyTrip application 7.2.4 for Androi ...) NOT-FOR-US: MakeMyTrip application for Android CVE-2018-11241 (An issue was discovered on SoftCase T-Router build 20112017 devices. A ...) NOT-FOR-US: SoftCase T-Router devices CVE-2018-11240 (An issue was discovered on SoftCase T-Router build 20112017 devices. T ...) NOT-FOR-US: SoftCase T-Router devices CVE-2018-11239 (An integer overflow in the _transfer function of a smart contract impl ...) NOT-FOR-US: Hexagon (HXG) CVE-2018-11238 RESERVED CVE-2018-11237 (An AVX-512-optimized implementation of the mempcpy function in the GNU ...) - glibc 2.27-4 (low; bug #899070) [stretch] - glibc 2.24-11+deb9u4 [jessie] - glibc (Minor issue, can be fixed along in future DSA or point update) - eglibc NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23196 CVE-2018-11236 (stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 a ...) - glibc 2.27-4 (low; bug #899071) [stretch] - glibc 2.24-11+deb9u4 [jessie] - glibc (Minor issue, can be fixed along in future DSA or point update) - eglibc NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22786 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5460617d1567657621107d895ee2dd83bc1f88f2 CVE-2018-11235 (In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16 ...) {DSA-4212-1} - git 1:2.17.1-1 NOTE: https://lkml.org/lkml/2018/5/29/889 CVE-2018-11234 RESERVED CVE-2018-11233 (In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16 ...) - git 1:2.17.1-1 (unimportant) [stretch] - git 1:2.11.0-3+deb9u3 [jessie] - git 1:2.1.4-2.1+deb8u6 NOTE: Only an issue when running on an NTFS filesystem. NOTE: https://lkml.org/lkml/2018/5/29/889 CVE-2018-1000400 (Kubernetes CRI-O version prior to 1.9 contains a Privilege Context Swi ...) NOT-FOR-US: Kubernetes CRI-O CVE-2017-18273 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulner ...) {DLA-1785-1 DLA-1381-1} - imagemagick 8:6.9.9.34+dfsg-3 (low) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/910 NOTE: https://github.com/ImageMagick/ImageMagick/commit/b8fcb59e9e1d1189caf2e0f5e39346944dcd6b9d CVE-2017-18272 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-25, there is a use-after-fr ...) - imagemagick 8:6.9.9.34+dfsg-3 [stretch] - imagemagick (Vulnerable code not present) [jessie] - imagemagick (Vulnerable code not present) [wheezy] - imagemagick (vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/918 NOTE: https://github.com/ImageMagick/ImageMagick/commit/93d029b70ac766ce0b5d7261a2dd334535f48038 CVE-2017-18271 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulner ...) {DLA-1785-1 DLA-1381-1} - imagemagick 8:6.9.9.34+dfsg-3 (low) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/911 NOTE: https://github.com/ImageMagick/ImageMagick/commit/7523250e2664028aa1d8f02d2d7ae49c769a851e CVE-2017-18269 (An SSE2-optimized memmove implementation for i386 in sysdeps/i386/i686 ...) - glibc 2.27-3 [stretch] - glibc 2.24-11+deb9u4 [jessie] - glibc (Vulnerable code not present) - eglibc (Vulnerable code not present) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22644 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=cd66c0e584c6d692bc8347b5e72723d02b8a8ada CVE-2018-11232 (The etm_setup_aux function in drivers/hwtracing/coresight/coresight-et ...) - linux (Vulnerable code never present in unstable) NOTE: Fixed by: https://git.kernel.org/linus/f09444639099584bc4784dfcd85ada67c6f33e0f CVE-2018-11231 (In the Divido plugin for OpenCart, there is SQL injection. Attackers c ...) NOT-FOR-US: OpenCart plugin CVE-2018-11230 (jbig2_add_page in jbig2enc.cc in libjbig2enc.a in jbig2enc 0.29 allows ...) NOT-FOR-US: jbig2enc CVE-2018-11229 (Crestron TSW-1060, TSW-760, TSW-560, TSW-1060-NC, TSW-760-NC, and TSW- ...) NOT-FOR-US: Crestron devices CVE-2018-11228 (Crestron TSW-1060, TSW-760, TSW-560, TSW-1060-NC, TSW-760-NC, and TSW- ...) NOT-FOR-US: Crestron devices CVE-2018-11227 (Monstra CMS 3.0.4 and earlier has XSS via index.php. ...) NOT-FOR-US: Monstra CMS CVE-2018-11226 (The getString function in decompile.c in libming through 0.4.8 mishand ...) - ming NOTE: https://github.com/libming/libming/issues/144 CVE-2018-11225 (The dcputs function in decompile.c in libming through 0.4.8 mishandles ...) - ming NOTE: https://github.com/libming/libming/issues/143 CVE-2018-11224 (An issue was discovered in Libav 12.3. A read access violation in the ...) - libav (low) [jessie] - libav (Minor issue, oob read, no patch) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1129 NOTE: ffmpeg PoC crash fixed but different vector: NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/7248e735599bad765e1ef39c3ea9a6d469d74049 CVE-2018-11223 (XSS in Artica Pandora FMS before 7.0 NG 723 allows an attacker to exec ...) NOT-FOR-US: Pandora FMS CVE-2018-11222 (Local File Inclusion (LFI) in Artica Pandora FMS through version 7.23 ...) NOT-FOR-US: Pandora FMS CVE-2018-11221 (Unauthenticated untrusted file upload in Artica Pandora FMS through ve ...) NOT-FOR-US: Pandora FMS CVE-2018-11220 (Bitmain Antminer D3, L3+, and S9 devices allow Remote Command Executio ...) NOT-FOR-US: Bitmain Antminer D3, L3+, and S9 devices CVE-2018-11219 (An Integer Overflow issue was discovered in the struct library in the ...) {DSA-4230-1 DLA-1396-1} - redis 5:4.0.10-1 (bug #901495) NOTE: https://github.com/antirez/redis/issues/5017 NOTE: http://antirez.com/news/119 CVE-2018-11218 (Memory Corruption was discovered in the cmsgpack library in the Lua su ...) {DSA-4230-1 DLA-1396-1} - redis 5:4.0.10-1 (bug #901495) NOTE: https://github.com/antirez/redis/issues/5017 NOTE: http://antirez.com/news/119 CVE-2018-11217 RESERVED CVE-2018-11216 RESERVED CVE-2018-11215 (Remote code execution is possible in Cloudera Data Science Workbench v ...) NOT-FOR-US: Cloudera CVE-2018-11214 (An issue was discovered in libjpeg 9a. The get_text_rgb_row function i ...) {DLA-1638-1} - libjpeg9 1:9c-1 (low; bug #902176) - libjpeg-turbo 1:1.4.2-1 NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/6709e4a0cfa44d4f54ee8ad05753d4aa9260cb91 (1.4.2) CVE-2018-11213 (An issue was discovered in libjpeg 9a. The get_text_gray_row function ...) {DLA-1638-1} - libjpeg9 1:9c-1 (low; bug #902176) - libjpeg-turbo 1:1.4.2-1 NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/6709e4a0cfa44d4f54ee8ad05753d4aa9260cb91 (1.4.2) CVE-2018-11212 (An issue was discovered in libjpeg 9a. The alloc_sarray function in jm ...) {DLA-1638-1} - libjpeg9 1:9c-1 (low; bug #902176) - libjpeg-turbo 1:1.4.2-1 NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/82923eb93a2eacf4a593e00e3e672bbb86a8a3a0 (1.4.2) CVE-2018-11211 RESERVED CVE-2018-11210 (** DISPUTED ** TinyXML2 6.2.0 has a heap-based buffer over-read in the ...) - tinyxml2 (bug #899063; unimportant) NOTE: https://github.com/leethomason/tinyxml2/issues/675 NOTE: Non-real issue, missuse of API CVE-2018-11209 (** DISPUTED ** An issue was discovered in Z-BlogPHP 2.0.0. zb_system/c ...) NOT-FOR-US: Z-BlogPHP CVE-2018-11208 (** DISPUTED ** An issue was discovered in Z-BlogPHP 2.0.0. There is a ...) NOT-FOR-US: Z-BlogPHP CVE-2018-11207 (A division by zero was discovered in H5D__chunk_init in H5Dchunk.c in ...) - hdf5 1.10.4+repack-1 (low) [stretch] - hdf5 (Minor issue) [jessie] - hdf5 (Minor issue) [wheezy] - hdf5 (Minor issue) NOTE: https://jira.hdfgroup.org/browse/HDFFV-10481 NOTE: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/d0362ce438aef8ad690d5b084d929403c9877107 CVE-2018-11206 (An out of bounds read was discovered in H5O_fill_new_decode and H5O_fi ...) - hdf5 1.10.4+repack-1 (low) [stretch] - hdf5 (Minor issue) [jessie] - hdf5 (Minor issue) [wheezy] - hdf5 (Minor issue) NOTE: https://jira.hdfgroup.org/browse/HDFFV-10480 NOTE: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/992a199f90fec31e0ad72ed76ed279a3ccea59e4 CVE-2018-11205 (A out of bounds read was discovered in H5VM_memcpyvv in H5VM.c in the ...) - hdf5 NOTE: https://jira.hdfgroup.org/browse/HDFFV-10479 CVE-2018-11204 (A NULL pointer dereference was discovered in H5O__chunk_deserialize in ...) - hdf5 1.10.4+repack-1 (low) [stretch] - hdf5 (Minor issue) [jessie] - hdf5 (Minor issue) [wheezy] - hdf5 (Minor issue) NOTE: https://jira.hdfgroup.org/browse/HDFFV-10478 NOTE: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/992a199f90fec31e0ad72ed76ed279a3ccea59e4 CVE-2018-11203 (A division by zero was discovered in H5D__btree_decode_key in H5Dbtree ...) - hdf5 1.10.4+repack-1 (low) [stretch] - hdf5 (Minor issue) [jessie] - hdf5 (Minor issue) [wheezy] - hdf5 (Minor issue) NOTE: https://jira.hdfgroup.org/browse/HDFFV-10477 NOTE: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/d0362ce438aef8ad690d5b084d929403c9877107 CVE-2018-11202 (A NULL pointer dereference was discovered in H5S_hyper_make_spans in H ...) - hdf5 1.10.4+repack-1 (low) [stretch] - hdf5 (Minor issue) [jessie] - hdf5 (Minor issue) [wheezy] - hdf5 (Minor issue) NOTE: https://jira.hdfgroup.org/browse/HDFFV-10476 NOTE: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/992a199f90fec31e0ad72ed76ed279a3ccea59e4 CVE-2018-11201 RESERVED CVE-2018-11200 (An issue was discovered in Mautic 2.13.1. It has Stored XSS via the co ...) NOT-FOR-US: Mautic CVE-2018-11199 RESERVED CVE-2018-11198 (An issue was discovered in Mautic 2.13.1. There is Stored XSS via the ...) NOT-FOR-US: Mautic CVE-2018-11197 RESERVED CVE-2018-11196 (Mahara 17.04 before 17.04.8 and 17.10 before 17.10.5 and 18.04 before ...) - mahara NOTE: https://bugs.launchpad.net/bugs/1770535 NOTE: https://mahara.org/interaction/forum/topic.php?id=8270 CVE-2018-11195 (Mahara 17.04 before 17.04.8 and 17.10 before 17.10.5 and 18.04 before ...) - mahara NOTE: https://bugs.launchpad.net/mahara/+bug/1770561 NOTE: https://mahara.org/interaction/forum/topic.php?id=8269 CVE-2018-11194 (Quest DR Series Disk Backup software version before 4.0.3.1 allows pri ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11193 (Quest DR Series Disk Backup software version before 4.0.3.1 allows pri ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11192 (Quest DR Series Disk Backup software version before 4.0.3.1 allows pri ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11191 (Quest DR Series Disk Backup software version before 4.0.3.1 allows pri ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11190 (Quest DR Series Disk Backup software version before 4.0.3.1 allows pri ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11189 (Quest DR Series Disk Backup software version before 4.0.3.1 allows pri ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11188 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11187 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11186 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11185 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11184 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11183 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11182 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11181 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11180 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11179 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11178 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11177 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11176 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11175 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11174 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11173 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11172 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11171 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11170 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11169 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11168 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11167 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11166 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11165 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11164 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11163 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11162 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11161 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11160 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11159 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11158 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11157 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11156 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11155 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11154 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11153 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11152 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11151 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11150 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11149 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11148 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11147 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11146 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11145 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11144 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11143 (Quest DR Series Disk Backup software version before 4.0.3.1 allows com ...) NOT-FOR-US: Quest DR Series Disk Backup software CVE-2018-11142 (The 'systemui/settings_network.php' and 'systemui/settings_patching.ph ...) NOT-FOR-US: Quest KACE System Management Appliance CVE-2018-11141 (The 'IMAGES_JSON' and 'attachments_to_remove[]' parameters of the '/ad ...) NOT-FOR-US: Quest KACE System Management Virtual Appliance CVE-2018-11140 (The 'reportID' parameter received by the '/common/run_report.php' scri ...) NOT-FOR-US: Quest KACE System Management Appliance CVE-2018-11139 (The '/common/ajax_email_connection_test.php' script in the Quest KACE ...) NOT-FOR-US: Quest KACE System Management Appliance CVE-2018-11138 (The '/common/download_agent_installer.php' script in the Quest KACE Sy ...) NOT-FOR-US: Quest KACE System Management Appliance CVE-2018-11137 (The 'checksum' parameter of the '/common/download_attachment.php' scri ...) NOT-FOR-US: Quest KACE System Management Appliance CVE-2018-11136 (The 'orgID' parameter received by the '/common/download_agent_installe ...) NOT-FOR-US: Quest KACE System Management Appliance CVE-2018-11135 (The script '/adminui/error_details.php' in the Quest KACE System Manag ...) NOT-FOR-US: Quest KACE System Management Appliance CVE-2018-11134 (In order to perform actions that requires higher privileges, the Quest ...) NOT-FOR-US: Quest KACE System Management Appliance CVE-2018-11133 (The 'fmt' parameter of the '/common/run_cross_report.php' script in th ...) NOT-FOR-US: Quest KACE System Management Appliance CVE-2018-11132 (In order to perform actions that require higher privileges, the Quest ...) NOT-FOR-US: Quest KACE System Management Appliance CVE-2018-11131 RESERVED CVE-2018-11130 (The header::add_FORMAT_descriptor function in header.cpp in VCFtools 0 ...) {DLA-1807-1} - vcftools 0.1.16-1 (low; bug #902190) [stretch] - vcftools 0.1.14+dfsg-4+deb9u1 [wheezy] - vcftools (Minor issue) NOTE: http://seclists.org/fulldisclosure/2018/May/43 NOTE: https://github.com/vcftools/vcftools/issues/109 CVE-2018-11129 (The header::add_INFO_descriptor function in header.cpp in VCFtools 0.1 ...) {DLA-1807-1} - vcftools 0.1.16-1 (low; bug #902190) [stretch] - vcftools 0.1.14+dfsg-4+deb9u1 [wheezy] - vcftools (Minor issue) NOTE: http://seclists.org/fulldisclosure/2018/May/43 NOTE: https://github.com/vcftools/vcftools/issues/109 CVE-2018-11128 (The ObjReader::ReadObj() function in ObjReader.cpp in vincent0629 PDFP ...) NOT-FOR-US: vincent0629 PDFParser CVE-2018-11127 (e107 2.1.7 has CSRF resulting in arbitrary user deletion. ...) NOT-FOR-US: e107 CVE-2018-11126 (dg-user/?controller=users&action=add in doorGets 7.0 has CSRF that ...) NOT-FOR-US: doorGets CVE-2018-11125 REJECTED CVE-2018-11124 (Cross-site scripting (XSS) vulnerability in Attributes functionality i ...) NOT-FOR-US: Open-AudIT Community CVE-2018-11123 RESERVED CVE-2018-11122 RESERVED CVE-2018-11121 RESERVED CVE-2018-11120 (Services/COPage/classes/class.ilPCSourceCode.php in ILIAS 5.1.x, 5.2.x ...) NOT-FOR-US: ILIAS CVE-2018-11119 (ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 redirects a logged-in user ...) NOT-FOR-US: ILIAS CVE-2018-11118 (The RSS subsystem in ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 has XS ...) NOT-FOR-US: ILIAS CVE-2018-11117 (Services/Feeds/classes/class.ilExternalFeedItem.php in ILIAS 5.1.x, 5. ...) NOT-FOR-US: ILIAS CVE-2018-11116 (** DISPUTED ** OpenWrt mishandles access control in /etc/config/rpcd a ...) NOT-FOR-US: OpenWrt CVE-2018-11115 RESERVED CVE-2018-11114 RESERVED CVE-2018-11113 RESERVED CVE-2018-11112 RESERVED CVE-2018-11111 RESERVED CVE-2018-11110 RESERVED CVE-2018-11109 RESERVED CVE-2018-11108 RESERVED CVE-2018-11107 RESERVED CVE-2018-11106 (NETGEAR has released fixes for a pre-authentication command injection ...) NOT-FOR-US: Netgear CVE-2018-11105 (There is stored cross site scripting in the wp-live-chat-support plugi ...) NOT-FOR-US: Wordpress plugin CVE-2018-11104 RESERVED CVE-2018-11103 RESERVED CVE-2018-11102 (An issue was discovered in Libav 12.3. A read access violation in the ...) {DLA-1907-1} - libav (low) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1128 CVE-2018-11101 (Open Whisper Signal (aka Signal-Desktop) through 1.10.1 allows XSS via ...) - signal-desktop (bug #842943) CVE-2018-11100 (The decompileSETTARGET function in decompile.c in libming through 0.4. ...) - ming NOTE: https://github.com/libming/libming/issues/142 CVE-2018-11099 (The header::add_INFO_descriptor function in header.cpp in VCFtools 0.1 ...) {DLA-1807-1} - vcftools 0.1.16-1 (low; bug #902190) [stretch] - vcftools 0.1.14+dfsg-4+deb9u1 [wheezy] - vcftools (Minor issue) NOTE: http://seclists.org/fulldisclosure/2018/May/43 NOTE: https://github.com/vcftools/vcftools/issues/109 CVE-2018-11098 (An issue was discovered in Frog CMS 0.9.5. There is a file upload vuln ...) NOT-FOR-US: Frog CMS CVE-2018-11097 (An issue was discovered in cloudwu/cstring through 2016-11-09. There i ...) NOT-FOR-US: cloudwu CVE-2018-11096 (Horse Market Sell & Rent Portal Script 1.5.7 has a CSRF vulnerabil ...) NOT-FOR-US: Horse Market Sell & Rent Portal Script CVE-2018-11095 (The decompileJUMP function in decompile.c in libming through 0.4.8 mis ...) - ming NOTE: https://github.com/libming/libming/issues/141 CVE-2018-11094 (An issue was discovered on Intelbras NCLOUD 300 1.0 devices. /cgi-bin/ ...) NOT-FOR-US: Intelbras NCLOUD CVE-2018-11093 (Cross-site scripting (XSS) vulnerability in the Link package for CKEdi ...) NOT-FOR-US: CKeditor addon CVE-2018-11092 (An issue was discovered in the Admin Notes plugin 1.1 for MyBB. CSRF a ...) NOT-FOR-US: Admin Notes plugin for MyBB CVE-2018-11091 (An issue was discovered in MyBiz MyProcureNet 5.0.0. A malicious file ...) NOT-FOR-US: MyBiz MyProcureNet CVE-2018-11090 (An XSS issue was discovered in MyBiz MyProcureNet 5.0.0. This vulnerab ...) NOT-FOR-US: MyBiz MyProcureNet CVE-2018-11089 RESERVED CVE-2018-11088 (Pivotal Applications Manager in Pivotal Application Service, versions ...) NOT-FOR-US: Pivotal CVE-2018-11087 (Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions pri ...) NOT-FOR-US: Spring AMQP CVE-2018-11086 (Pivotal Usage Service in Pivotal Application Service, versions 2.0 pri ...) NOT-FOR-US: Pivotal CVE-2018-11085 REJECTED CVE-2018-11084 (Cloud Foundry Garden-runC release, versions prior to 1.16.1, prevents ...) NOT-FOR-US: Cloud Foundry CVE-2018-11083 (Cloud Foundry BOSH, versions v264 prior to v264.14.0 and v265 prior to ...) NOT-FOR-US: Cloud Foundry CVE-2018-11082 (Cloud Foundry UAA, all versions prior to 4.20.0 and Cloud Foundry UAA ...) NOT-FOR-US: Cloud Foundry CVE-2018-11081 (Pivotal Operations Manager, versions 2.2.x prior to 2.2.1, 2.1.x prior ...) NOT-FOR-US: Pivotal CVE-2018-11080 (Dell EMC Secure Remote Services, versions prior to 3.32.00.08, contain ...) NOT-FOR-US: EMC Secure Remote Services CVE-2018-11079 (Dell EMC Secure Remote Services, versions prior to 3.32.00.08, contain ...) NOT-FOR-US: EMC Secure Remote Services CVE-2018-11078 (Dell EMC VPlex GeoSynchrony, versions prior to 6.1, contains an Insecu ...) NOT-FOR-US: EMC VPlex GeoSynchrony CVE-2018-11077 ('getlogs' utility in Dell EMC Avamar Server versions 7.2.0, 7.2.1, 7.3 ...) NOT-FOR-US: EMC CVE-2018-11076 (Dell EMC Avamar Server versions 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0 and ...) NOT-FOR-US: EMC CVE-2018-11075 (RSA Authentication Manager versions prior to 8.3 P3 contain a reflecte ...) NOT-FOR-US: RSA Authentication Manager CVE-2018-11074 (RSA Authentication Manager versions prior to 8.3 P3 are affected by a ...) NOT-FOR-US: RSA Authentication Manager CVE-2018-11073 (RSA Authentication Manager versions prior to 8.3 P3 contain a stored c ...) NOT-FOR-US: RSA Authentication Manager CVE-2018-11072 (Dell Digital Delivery versions prior to 3.5.1 contain a DLL Injection ...) NOT-FOR-US: Dell Digital Delivery CVE-2018-11071 (Dell EMC Isilon OneFS versions 7.1.1.x, 7.2.1.x, 8.0.0.x, 8.0.1.x, 8.1 ...) NOT-FOR-US: EMC Isilon OneFS CVE-2018-11070 (RSA BSAFE Crypto-J versions prior to 6.2.4 and RSA BSAFE SSL-J version ...) NOT-FOR-US: RSA BSAFE Crypto-J CVE-2018-11069 (RSA BSAFE SSL-J versions prior to 6.2.4 contain a Covert Timing Channe ...) NOT-FOR-US: RSA BSAFE SSL-J CVE-2018-11068 (RSA BSAFE SSL-J versions prior to 6.2.4 contain a Heap Inspection vuln ...) NOT-FOR-US: RSA BSAFE SSL-J CVE-2018-11067 (Dell EMC Avamar Client Manager in Dell EMC Avamar Server versions 7.2. ...) NOT-FOR-US: EMC CVE-2018-11066 (Dell EMC Avamar Client Manager in Dell EMC Avamar Server versions 7.2. ...) NOT-FOR-US: EMC CVE-2018-11065 (The WorkPoint component, which is embedded in all RSA Archer, versions ...) NOT-FOR-US: RSA CVE-2018-11064 (Dell EMC Unity OE versions 4.3.0.x and 4.3.1.x and UnityVSA OE version ...) NOT-FOR-US: Dell CVE-2018-11063 (Dell WMS versions 1.1 and prior are impacted by multiple unquoted serv ...) NOT-FOR-US: Dell WMS CVE-2018-11062 (Integrated Data Protection Appliance versions 2.0, 2.1, and 2.2 contai ...) NOT-FOR-US: Integrated Data Protection Appliance CVE-2018-11061 (RSA NetWitness Platform versions prior to 11.1.0.2 and RSA Security An ...) NOT-FOR-US: RSA CVE-2018-11060 (RSA Archer, versions prior to 6.4.0.1, contain an authorization bypass ...) NOT-FOR-US: RSA Archer CVE-2018-11059 (RSA Archer, versions prior to 6.4.0.1, contain a stored cross-site scr ...) NOT-FOR-US: RSA Archer CVE-2018-11058 (RSA BSAFE Micro Edition Suite, versions prior to 4.0.11 (in 4.0.x) and ...) NOT-FOR-US: RSA BSAFE Micro Edition Suite CVE-2018-11057 (RSA BSAFE Micro Edition Suite, versions prior to 4.0.11 (in 4.0.x) and ...) NOT-FOR-US: RSA BSAFE Micro Edition Suite CVE-2018-11056 (RSA BSAFE Micro Edition Suite, prior to 4.1.6.1 (in 4.1.x), and RSA BS ...) NOT-FOR-US: RSA BSAFE Micro Edition Suite CVE-2018-11055 (RSA BSAFE Micro Edition Suite, versions prior to 4.0.11 (in 4.0.x) and ...) NOT-FOR-US: RSA BSAFE Micro Edition Suite CVE-2018-11054 (RSA BSAFE Micro Edition Suite, version 4.1.6, contains an integer over ...) NOT-FOR-US: RSA BSAFE Micro Edition Suite CVE-2018-11053 (Dell EMC iDRAC Service Module for all supported Linux and XenServer ve ...) NOT-FOR-US: Dell CVE-2018-11052 (Dell EMC ECS versions 3.2.0.0 and 3.2.0.1 contain an authentication by ...) NOT-FOR-US: EMC CVE-2018-11051 (RSA Certificate Manager Versions 6.9 build 560 through 6.9 build 564 c ...) NOT-FOR-US: RSA Certificate Manager CVE-2018-11050 (Dell EMC NetWorker versions between 9.0 and 9.1.1.8 through 9.2.1.3, a ...) NOT-FOR-US: EMC CVE-2018-11049 (RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governanc ...) NOT-FOR-US: RSA CVE-2018-11048 (Dell EMC Data Protection Advisor, versions 6.2, 6,3, 6.4, 6.5 and Dell ...) NOT-FOR-US: Dell CVE-2018-11047 (Cloud Foundry UAA, versions 4.19 prior to 4.19.2 and 4.12 prior to 4.1 ...) NOT-FOR-US: Cloud Foundry CVE-2018-11046 (Pivotal Operations Manager, versions 2.1.x prior to 2.1.6 and version ...) NOT-FOR-US: Pivotal CVE-2018-11045 (Pivotal Operations Manager, versions 2.1 prior to 2.1.6 and 2.0 prior ...) NOT-FOR-US: Pivotal CVE-2018-11044 (Pivotal Apps Manager included in Pivotal Application Service, versions ...) NOT-FOR-US: Pivotal CVE-2018-11043 REJECTED CVE-2018-11042 REJECTED CVE-2018-11041 (Cloud Foundry UAA, versions later than 4.6.0 and prior to 4.19.0 excep ...) NOT-FOR-US: Cloud Foundry CVE-2018-11040 (Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3 ...) - libspring-java 4.3.19-1 [stretch] - libspring-java (Minor issue) [jessie] - libspring-java (unable to find relevant commits) NOTE: https://pivotal.io/security/cve-2018-11040 CVE-2018-11039 (Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior ...) - libspring-java 4.3.19-1 [stretch] - libspring-java (Minor issue) [jessie] - libspring-java (Minor issue) NOTE: https://pivotal.io/security/cve-2018-11039 CVE-2017-18270 (In the Linux kernel before 4.13.5, a local user could create keyrings ...) - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.56-1 [wheezy] - linux 3.2.101-1 NOTE: Fixed by: https://git.kernel.org/linus/237bbd29f7a049d310d907f4b2716a7feef9abf3 (4.14-rc3) CVE-2017-18268 (Symantec IntelligenceCenter 3.3 is vulnerable to the Return of the Ble ...) NOT-FOR-US: Symantec CVE-2018-11038 RESERVED CVE-2018-11037 (In Exiv2 0.26, the Exiv2::PngImage::printStructure function in pngimag ...) - exiv2 0.27.2-6 (low) [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) [jessie] - exiv2 (Jessie doesn't have '-pS', not reproducible, closed upstream) NOTE: https://github.com/Exiv2/exiv2/issues/307 CVE-2018-11036 (Ruckus SmartZone (formerly Virtual SmartCell Gateway or vSCG) 3.5.0, 3 ...) NOT-FOR-US: Ruckus devices CVE-2018-11035 (In 2345 Security Guard 3.7, the driver file (2345NsProtect.sys, X64 ve ...) NOT-FOR-US: 2345 Security Guard CVE-2018-11034 (In 2345 Security Guard 3.7, the driver file (2345NsProtect.sys, X64 ve ...) NOT-FOR-US: 2345 Security Guard CVE-2018-11033 (The DCTStream::readHuffSym function in Stream.cc in the DCT decoder in ...) - xpdf (unimportant) NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=40842 CVE-2018-11032 (PHPRAP 1.0.4 through 1.0.8 has SQL Injection via the application/home/ ...) NOT-FOR-US: PHPRAP CVE-2018-11031 (application/home/controller/debug.php in PHPRAP 1.0.4 through 1.0.8 ha ...) NOT-FOR-US: PHPRAP CVE-2018-11030 RESERVED CVE-2018-11029 RESERVED CVE-2018-11028 RESERVED CVE-2018-11027 (A reflected XSS vulnerability on Ruckus ICX7450-48 devices allows remo ...) NOT-FOR-US: Ruckus CVE-2018-11026 RESERVED CVE-2018-11025 (kernel/omap/drivers/mfd/twl6030-gpadc.c in the kernel component in Ama ...) NOT-FOR-US: kernel component on Amazon Fire CVE-2018-11024 (kernel/omap/drivers/misc/gcx/gcioctl/gcif.c in the kernel component in ...) NOT-FOR-US: kernel component on Amazon Fire CVE-2018-11023 (kernel/omap/drivers/misc/gcx/gcioctl/gcif.c in the kernel component in ...) NOT-FOR-US: kernel component on Amazon Fire CVE-2018-11022 (kernel/omap/drivers/misc/gcx/gcioctl/gcif.c in the kernel component in ...) NOT-FOR-US: kernel component on Amazon Fire CVE-2018-11021 (kernel/omap/drivers/video/omap2/dsscomp/device.c in the kernel compone ...) NOT-FOR-US: kernel component on Amazon Fire CVE-2018-11020 (kernel/omap/drivers/rpmsg/rpmsg_omx.c in the kernel component in Amazo ...) NOT-FOR-US: kernel component on Amazon Fire CVE-2018-11019 (kernel/omap/drivers/misc/gcx/gcioctl/gcif.c in the kernel component in ...) NOT-FOR-US: kernel component on Amazon Fire CVE-2018-11018 (An issue was discovered in PbootCMS v1.0.7. Cross-site request forgery ...) NOT-FOR-US: PbootCMS CVE-2018-11017 (The newVar_N function in decompile.c in libming through 0.4.8 mishandl ...) - ming CVE-2018-11016 RESERVED CVE-2018-11015 RESERVED CVE-2018-11014 RESERVED CVE-2018-11013 (Stack-based buffer overflow in the websRedirect function in GoAhead on ...) NOT-FOR-US: D-Link CVE-2018-11012 (ruibaby Halo 0.0.2 has stored XSS via the loginName and loginPwd param ...) NOT-FOR-US: ruibaby Halo CVE-2018-11011 (ruibaby Halo 0.0.2 has stored XSS via the commentAuthor field to Front ...) NOT-FOR-US: ruibaby Halo CVE-2018-11010 RESERVED CVE-2018-11009 RESERVED CVE-2018-11008 RESERVED CVE-2018-11007 RESERVED CVE-2018-11006 RESERVED CVE-2018-11005 RESERVED CVE-2018-11004 (An issue was discovered in SDcms v1.5. Cross-site request forgery (CSR ...) NOT-FOR-US: SDcms CVE-2018-11003 (An issue was discovered in YXcms 1.4.7. Cross-site request forgery (CS ...) NOT-FOR-US: YXcms CVE-2018-11002 (Pulse Secure Desktop Client 5.3 up to and including R6.0 build 1769 on ...) NOT-FOR-US: Pulse Secure Desktop Client CVE-2018-11001 RESERVED CVE-2018-11000 RESERVED CVE-2018-10999 (An issue was discovered in Exiv2 0.26. The Exiv2::Internal::PngChunk:: ...) {DSA-4238-1 DLA-1551-1 DLA-1402-1} - exiv2 0.25-4 NOTE: https://github.com/Exiv2/exiv2/issues/306 NOTE: https://github.com/Exiv2/exiv2/commit/2fb00c8a16ce93756cddd70536e361a49369ba88 NOTE: https://github.com/Exiv2/exiv2/commit/3ad0050469e6ea63b4081f2a88c264ce8ab55c51 CVE-2018-10998 (An issue was discovered in Exiv2 0.26. readMetadata in jp2image.cpp al ...) {DSA-4238-1 DLA-1402-1} - exiv2 0.25-4 NOTE: https://github.com/Exiv2/exiv2/issues/303 NOTE: https://github.com/Exiv2/exiv2/commit/f4e8ed2fd48d012467b99552f0d6378302a23c75 CVE-2018-10997 (Etere EtereWeb before 28.1.20 has a pre-authentication blind SQL injec ...) NOT-FOR-US: Etere EtereWeb CVE-2018-10996 (The weblogin_log function in /htdocs/cgibin on D-Link DIR-629-B1 devic ...) NOT-FOR-US: D-Link CVE-2018-10995 (SchedMD Slurm before 17.02.11 and 17.1x.x before 17.11.7 mishandles us ...) {DSA-4254-1 DLA-1437-1} - slurm-llnl 17.11.7-1 (bug #900548) NOTE: https://www.schedmd.com/news.php?id=203 NOTE: https://lists.schedmd.com/pipermail/slurm-announce/2018/000008.html NOTE: https://github.com/SchedMD/slurm/commit/033dc0d1d28b8d2ba1a5187f564a01c15187eb4e NOTE: https://github.com/SchedMD/slurm/commit/df545955e4f119974c278bff0c47155257d5afc7 CVE-2018-10994 (js/views/message_view.js in Open Whisper Signal (aka Signal-Desktop) b ...) - signal-desktop (bug #842943) CVE-2018-10993 RESERVED CVE-2018-10991 REJECTED CVE-2018-10990 (On Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 devices, a log ...) NOT-FOR-US: Arris Touchstone Telephony Gateway CVE-2018-10989 (Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 devices are distr ...) NOT-FOR-US: Arris Touchstone Telephony Gateway CVE-2018-10988 (An issue was discovered on Diqee Diqee360 devices. A firmware update p ...) NOT-FOR-US: Diqee CVE-2018-10987 (An issue was discovered on Dongguan Diqee Diqee360 devices. The affect ...) NOT-FOR-US: Diqee CVE-2018-10986 (OX Guard 2.8.0 has CSRF. ...) NOT-FOR-US: Open-Xchange OX Guard CVE-2018-10985 RESERVED CVE-2018-10984 RESERVED CVE-2018-10983 RESERVED CVE-2009-5152 (Absolute Computrace Agent, as distributed on certain Dell Inspiron sys ...) NOT-FOR-US: Absolute Computrace Agent CVE-2009-5151 (The stub component of Absolute Computrace Agent V70.785 executes code ...) NOT-FOR-US: Absolute Computrace Agent CVE-2009-5150 (Absolute Computrace Agent V80.845 and V80.866 does not have a digital ...) NOT-FOR-US: Absolute Computrace Agent CVE-2018-10992 (lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings b ...) - lilypond 2.18.2-13 (bug #898373) [jessie] - lilypond (Incomplete fix not applied) [wheezy] - lilypond (Incomplete fix not applied) CVE-2018-10982 (An issue was discovered in Xen through 4.10.x allowing x86 HVM guest O ...) {DSA-4201-1 DLA-1549-1 DLA-1383-1} - xen 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u6 NOTE: https://xenbits.xen.org/xsa/advisory-261.html CVE-2018-10981 (An issue was discovered in Xen through 4.10.x allowing x86 HVM guest O ...) {DSA-4201-1 DLA-1559-1 DLA-1383-1} - xen 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u6 NOTE: https://xenbits.xen.org/xsa/advisory-262.html CVE-2018-10980 RESERVED CVE-2018-10979 RESERVED CVE-2018-10978 RESERVED CVE-2018-10977 (In 2345 Security Guard 3.7, the driver file (2345BdPcSafe.sys, X64 ver ...) NOT-FOR-US: 2345 Security Guard CVE-2018-10976 (In 2345 Security Guard 3.7, the driver file (2345BdPcSafe.sys, X64 ver ...) NOT-FOR-US: 2345 Security Guard CVE-2018-10975 (In 2345 Security Guard 3.7, the driver file (2345BdPcSafe.sys, X64 ver ...) NOT-FOR-US: 2345 Security Guard CVE-2018-10974 (In 2345 Security Guard 3.7, the driver file (2345BdPcSafe.sys, X64 ver ...) NOT-FOR-US: 2345 Security Guard CVE-2018-10973 (An integer overflow in the transferMulti function of a smart contract ...) NOT-FOR-US: KoreaShow CVE-2018-10972 (An issue was discovered in Free Lossless Image Format (FLIF) 0.3. The ...) - flif (bug #898407) NOTE: https://github.com/FLIF-hub/FLIF/issues/503 CVE-2018-10971 (An issue was discovered in Free Lossless Image Format (FLIF) 0.3. The ...) - flif (bug #898406) NOTE: https://github.com/FLIF-hub/FLIF/issues/501 CVE-2018-10970 RESERVED CVE-2018-10969 (SQL injection vulnerability in the Pie Register plugin before 3.0.10 f ...) NOT-FOR-US: Pie Register plugin for WordPress CVE-2018-10968 (On D-Link DIR-550A and DIR-604M devices through v2.10KR, a malicious u ...) NOT-FOR-US: D-Link CVE-2018-10967 (On D-Link DIR-550A and DIR-604M devices through v2.10KR, a malicious u ...) NOT-FOR-US: D-Link CVE-2018-10966 (An issue was discovered in GamerPolls 0.4.6, related to config/environ ...) NOT-FOR-US: GamerPolls CVE-2018-10965 RESERVED CVE-2018-10964 RESERVED CVE-2018-10963 (The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF thro ...) {DSA-4349-1 DLA-1411-1} - tiff 4.0.9-6 (bug #898348) [stretch] - tiff (Minor issue) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2795 NOTE: https://gitlab.com/libtiff/libtiff/commit/de144fd228e4be8aa484c3caf3d814b6fa88c6d9 CVE-2018-10962 (An issue was discovered in Shanghai 2345 Security Guard 3.7.0. 2345MPC ...) NOT-FOR-US: Shanghai 2345 Security Guard CVE-2018-10961 RESERVED CVE-2018-10960 RESERVED CVE-2018-10959 (Avecto Defendpoint 4 prior to 4.4 SR6 and 5 prior to 5.1 SR1 has an Un ...) NOT-FOR-US: Avecto Defendpoint CVE-2018-10958 (In types.cpp in Exiv2 0.26, a large size value may lead to a SIGABRT d ...) {DSA-4238-1 DLA-1551-1 DLA-1402-1} - exiv2 0.25-4 NOTE: https://github.com/Exiv2/exiv2/issues/302 NOTE: https://github.com/Exiv2/exiv2/commit/2fb00c8a16ce93756cddd70536e361a49369ba88 NOTE: https://github.com/Exiv2/exiv2/commit/3ad0050469e6ea63b4081f2a88c264ce8ab55c51 CVE-2018-10957 (CSRF exists on D-Link DIR-868L devices, leading to (for example) a cha ...) NOT-FOR-US: D-Link CVE-2018-10956 (IPConfigure Orchid Core VMS 2.0.5 allows Directory Traversal. ...) NOT-FOR-US: IPConfigure Orchid Core VMS CVE-2018-10955 (In 2345 Security Guard 3.7, the driver file (2345BdPcSafe.sys, X64 ver ...) NOT-FOR-US: 2345 Security Guard CVE-2018-10954 (In 2345 Security Guard 3.7, the driver file (2345BdPcSafe.sys, X64 ver ...) NOT-FOR-US: 2345 Security Guard CVE-2018-10953 (In 2345 Security Guard 3.7, the driver file (2345BdPcSafe.sys, X64 ver ...) NOT-FOR-US: 2345 Security Guard CVE-2018-10952 (In 2345 Security Guard 3.7, the driver file (2345BdPcSafe.sys, X64 ver ...) NOT-FOR-US: 2345 Security Guard CVE-2018-10951 (mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8. ...) NOT-FOR-US: Zimbra CVE-2018-10950 (mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8. ...) NOT-FOR-US: Zimbra CVE-2018-10949 (mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8. ...) NOT-FOR-US: Zimbra CVE-2018-10948 (Synacor Zimbra Admin UI in Zimbra Collaboration Suite before 8.8.0 bet ...) NOT-FOR-US: Zimbra CVE-2018-10947 (An issue was discovered in versions earlier than 1.3.2 for Polycom Rea ...) NOT-FOR-US: Polycom CVE-2018-10946 (An issue was discovered in versions earlier than 1.3.0-66872 for Polyc ...) NOT-FOR-US: Polycom CVE-2017-18267 (The FoFiType1C::cvtGlyph function in fofi/FoFiType1C.cc in Poppler thr ...) {DLA-1562-1} [experimental] - poppler 0.65.0-1 - poppler 0.69.0-2 (bug #898357) [stretch] - poppler (Minor issue) [wheezy] - poppler (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=104942 NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=103238 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=60b4fe65bc9dc9b82bbadf0be2e3781be796a13d CVE-2017-18266 (The open_envvar function in xdg-open in xdg-utils before 1.1.3 does no ...) {DSA-4211-1 DLA-1384-1} - xdg-utils 1.1.3-1 (bug #898317) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=103807 NOTE: Upstream bug discussed possible other approach to fix the issue. NOTE: Fixed by: https://cgit.freedesktop.org/xdg/xdg-utils/commit/?id=ce802d71c3466d1dbb24f2fe9b6db82a1f899bcb CVE-2018-10945 (The mg_handle_cgi function in mongoose.c in Mongoose 6.11 allows remot ...) - smplayer 18.5.0~ds1-1 [stretch] - smplayer (Vulnerable code not present) [jessie] - smplayer (Vulnerable code not present) [wheezy] - smplayer (Vulnerable code not present) NOTE: 18.5.0~ds1-1 isn't fixed on the source level, but no longer builds the Chromecast support CVE-2018-10944 (The request_dividend function of a smart contract implementation for R ...) NOT-FOR-US: Rasputin Online Coin CVE-2018-10943 (An issue was discovered on Barco ClickShare CSE-200 and CS-100 Base Un ...) NOT-FOR-US: Barco ClickShare CSE-200 and CS-100 Base Units CVE-2018-10942 (modules/attributewizardpro/file_upload.php in the Attribute Wizard add ...) NOT-FOR-US: Attribute Wizard addon for PrestaShop CVE-2018-10941 RESERVED CVE-2018-10940 (The cdrom_ioctl_media_changed function in drivers/cdrom/cdrom.c in the ...) {DLA-1423-1 DLA-1422-1 DLA-1392-1} - linux 4.16.12-1 [stretch] - linux 4.9.107-1 NOTE: Fixed by: https://git.kernel.org/linus/9de4ee40547fd315d4a0ed1dd15a2fa3559ad707 CVE-2018-10939 (Zimbra Web Client (ZWC) in Zimbra Collaboration Suite 8.8 before 8.8.8 ...) NOT-FOR-US: Zimbra Web Client CVE-2018-10938 (A flaw was found in the Linux kernel present since v4.0-rc1 and throug ...) {DSA-4308-1 DLA-1531-1} - linux 4.13.4-1 (unimportant) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/40413955ee265a5e42f710940ec78f5450d49149 (4.13-rc5) NOTE: http://www.openwall.com/lists/oss-security/2018/08/27/1 CVE-2018-10937 (A cross site scripting flaw exists in the tetonic-console component of ...) NOT-FOR-US: OpenShift CVE-2018-10936 (A weakness was found in postgresql-jdbc before version 42.2.5. It was ...) - libpgjava 42.2.5-1 [stretch] - libpgjava (Minor issue) [jessie] - libpgjava (Minor issue) NOTE: https://github.com/pgjdbc/pgjdbc/commit/cdeeaca47dc3bc6f727c79a582c9e412309 CVE-2018-10935 (A flaw was found in the 389 Directory Server that allows users to caus ...) {DLA-1483-1} - 389-ds-base 1.4.0.15-1 (bug #906985) [stretch] - 389-ds-base (Minor issue) NOTE: https://pagure.io/389-ds-base/issue/49890 CVE-2018-10934 (A cross-site scripting (XSS) vulnerability was found in the JBoss Mana ...) - wildfly (bug #752018) CVE-2018-10933 (A vulnerability was found in libssh's server-side state machine before ...) {DSA-4322-1 DLA-1548-1} - libssh 0.8.4-1 (bug #911149) NOTE: https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/ NOTE: https://bugs.libssh.org/T101 NOTE: https://www.libssh.org/security/advisories/CVE-2018-10933.txt NOTE: POC: https://www.openwall.com/lists/oss-security/2018/10/17/5 NOTE: https://git.libssh.org/projects/libssh.git/commit/?id=2bddafeb709eacc80ad31fec40479f9b628a8bd7 (master) NOTE: https://git.libssh.org/projects/libssh.git/commit/?id=825f4ba96407abe8cebb046a7503fa2bf5de9df6 (master) NOTE: https://git.libssh.org/projects/libssh.git/commit/?id=20981bf2296202e95d7919394d4610ae3a876cfa (master) NOTE: https://git.libssh.org/projects/libssh.git/commit/?id=5d7414467d6dac100a93df761b06de5cd07fc69a (master) NOTE: https://git.libssh.org/projects/libssh.git/commit/?id=459868c4a57d2d11cf7835655a8d1a5cf034ccb4 (master) NOTE: https://git.libssh.org/projects/libssh.git/commit/?id=68b0c7a93448123cc0d6a04d3df40d92a3fd0a67 (master) NOTE: https://git.libssh.org/projects/libssh.git/commit/?id=75be012b4a14f4550ce6ad3f126e559f44dbde76 (master) NOTE: https://git.libssh.org/projects/libssh.git/commit/?id=e1548a71bdac73da084174ab1d6d2713edd93f6e (master) NOTE: Fixed in 0.7.6, 0.8.4 upstream CVE-2018-10932 (lldptool version 1.0.1 and older can print a raw, unsanitized attacker ...) - lldpad 1.0.1+git20180808.4e642bd-1 (unimportant; bug #905901) NOTE: https://github.com/intel/openlldp/pull/7 NOTE: https://github.com/intel/openlldp/commit/41feb359a9d0082b0bcf68b1f2b37227f02af4f1 NOTE: Terminal emulators need to perform proper escaping CVE-2018-10931 (It was found that cobbler 2.6.x exposed all functions from its Cobbler ...) - cobbler NOTE: http://www.openwall.com/lists/oss-security/2018/08/09/9 CVE-2018-10930 (A flaw was found in RPC request using gfs3_rename_req in glusterfs ser ...) {DLA-1510-1} - glusterfs 4.1.4-1 (bug #909215) [stretch] - glusterfs (Minor issue; can be fixed via point release) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1612664 NOTE: https://github.com/gluster/glusterfs/commit/9ae986f18c0f251cba6bbc23eae2150a8ce0417e NOTE: When fixing this issue make sure to be complete an not open CVE-2018-14651 CVE-2018-10929 (A flaw was found in RPC request using gfs2_create_req in glusterfs ser ...) {DLA-1510-1} - glusterfs 4.1.4-1 (bug #909215) [stretch] - glusterfs (Minor issue; can be fixed via point release) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1612660 NOTE: https://github.com/gluster/glusterfs/commit/9ae986f18c0f251cba6bbc23eae2150a8ce0417e NOTE: When fixing this issue make sure to be complete an not open CVE-2018-14651 CVE-2018-10928 (A flaw was found in RPC request using gfs3_symlink_req in glusterfs se ...) {DLA-1510-1} - glusterfs 4.1.4-1 (bug #909215) [stretch] - glusterfs (Minor issue; can be fixed via point release) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1612659 NOTE: https://github.com/gluster/glusterfs/commit/9ae986f18c0f251cba6bbc23eae2150a8ce0417e NOTE: When fixing this issue make sure to be complete an not open CVE-2018-14651 CVE-2018-10927 (A flaw was found in RPC request using gfs3_lookup_req in glusterfs ser ...) {DLA-1510-1} - glusterfs 4.1.4-1 (bug #909215) [stretch] - glusterfs (Minor issue; can be fixed via point release) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1612658 NOTE: https://github.com/gluster/glusterfs/commit/9ae986f18c0f251cba6bbc23eae2150a8ce0417e NOTE: When fixing this issue make sure to be complete an not open CVE-2018-14651 CVE-2018-10926 (A flaw was found in RPC request using gfs3_mknod_req supported by glus ...) {DLA-1510-1} - glusterfs 4.1.4-1 (bug #909215) [stretch] - glusterfs (Minor issue; can be fixed via point release) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1613143 NOTE: https://github.com/gluster/glusterfs/commit/9ae986f18c0f251cba6bbc23eae2150a8ce0417e NOTE: When fixing this issue make sure to be complete an not open CVE-2018-14651 CVE-2018-10925 (It was discovered that PostgreSQL versions before 10.5, 9.6.10, 9.5.14 ...) {DSA-4269-1} - postgresql-10 10.5-1 - postgresql-9.6 - postgresql-9.5 - postgresql-9.5 (Only affects PostgreSQL 9.5 onwards) - postgresql-9.4 (Only affects PostgreSQL 9.5 onwards) - postgresql-9.1 (Only affects PostgreSQL 9.5 onwards) NOTE: Fixed in 9.5.14, 9.6.10, 10.5 NOTE: https://www.postgresql.org/about/news/1878/ CVE-2018-10924 (It was discovered that fsync(2) system call in glusterfs client code l ...) - glusterfs 4.0.1-1 [stretch] - glusterfs (Issue introduced in 3.13.2 and backported to 3.12 series) [jessie] - glusterfs (Issue introduced in 3.13.2 and backported to 3.12 series) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1611785 NOTE: Introduced by: http://git.gluster.org/cgit/glusterfs.git/commit/?id=51dfc9c789b8405f595a337eade938aedcb449c4 NOTE: https://review.gluster.org/20723 CVE-2018-10923 (It was found that the "mknod" call derived from mknod(2) can create fi ...) {DLA-1510-1} - glusterfs 4.1.4-1 (bug #909215) [stretch] - glusterfs (Minor issue; can be fixed via point release) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1610659 NOTE: https://github.com/gluster/glusterfs/commit/4bafcc97e812acc854dfc436ade35df0308d5a3e CVE-2018-10922 (An input validation flaw exists in ttembed. With a crafted input file, ...) NOT-FOR-US: ttembed CVE-2018-10921 (Certain input files may trigger an integer overflow in ttembed input f ...) NOT-FOR-US: ttembed CVE-2018-10920 (Improper input validation bug in DNS resolver component of Knot Resolv ...) - knot-resolver 2.4.1-1 (bug #905325) NOTE: https://www.knot-resolver.cz/2018-08-02-knot-resolver-2.4.1.html NOTE: http://www.openwall.com/lists/oss-security/2018/08/09/2 (including patch) CVE-2018-10919 (The Samba Active Directory LDAP server was vulnerable to an informatio ...) {DSA-4271-1 DLA-1539-1} - samba 2:4.8.4+dfsg-1 NOTE: https://www.samba.org/samba/security/CVE-2018-10919.html CVE-2018-10918 (A null pointer dereference flaw was found in the way samba checked dat ...) - samba 2:4.8.4+dfsg-1 [stretch] - samba (Only affects Samba 4.7.0 onwards) [jessie] - samba (Only affects Samba 4.7.0 onwards) NOTE: https://www.samba.org/samba/security/CVE-2018-10918.html CVE-2018-10917 (pulp 2.16.x and possibly older is vulnerable to an improper path parsi ...) NOT-FOR-US: Pulp (Red Hat) CVE-2018-10916 (It has been discovered that lftp up to and including version 4.8.3 doe ...) - lftp 4.8.4-1 (bug #905163) [stretch] - lftp (Minor issue) [jessie] - lftp (Minor issue) NOTE: https://github.com/lavv17/lftp/issues/452 NOTE: https://github.com/lavv17/lftp/commit/a27e07d90a4608ceaf928b1babb27d4d803e1992 CVE-2018-10915 (A vulnerability was found in libpq, the default PostgreSQL client libr ...) {DSA-4269-1 DLA-1464-1} - postgresql-10 10.5-1 - postgresql-9.6 - postgresql-9.5 - postgresql-9.4 - postgresql-9.1 [jessie] - postgresql-9.1 (package only serves as a means for upgrading to Stretch) NOTE: Fixed in 9.3.24, 9.4.19, 9.5.14, 9.6.10, 10.5 NOTE: https://www.postgresql.org/about/news/1878/ CVE-2018-10914 (It was found that an attacker could issue a xattr request via glusterf ...) {DLA-1510-1} - glusterfs 4.1.4-1 (bug #909215) [stretch] - glusterfs (Minor issue; can be fixed via point release) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1607617 NOTE: https://github.com/gluster/glusterfs/commit/13298d2b3893edb5d147ea3bcb9902ee5be4b3ad CVE-2018-10913 (An information disclosure vulnerability was discovered in glusterfs se ...) {DLA-1510-1} - glusterfs 4.1.4-1 (bug #909215) [stretch] - glusterfs (Minor issue; can be fixed via point release) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1607618 NOTE: https://github.com/gluster/glusterfs/commit/13298d2b3893edb5d147ea3bcb9902ee5be4b3ad CVE-2018-10912 (keycloak before version 4.0.0.final is vulnerable to a infinite loop i ...) NOT-FOR-US: Keycloak CVE-2018-10911 (A flaw was found in the way dic_unserialize function of glusterfs does ...) {DLA-1510-1} - glusterfs 4.1.4-1 (bug #909215) [stretch] - glusterfs (Minor issue; can be fixed via point release) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1601657 NOTE: https://github.com/gluster/glusterfs/commit/cc3271ebf3aacdbbc77fdd527375af78ab12ea8d CVE-2018-10910 (A bug in Bluez may allow for the Bluetooth Discoverable state being se ...) - bluez (low; bug #925369) [buster] - bluez (Minor issue) [stretch] - bluez (Minor issue, does not affected Gnome Bluetooth in stretch) [jessie] - bluez (Minor issue because in gnome-bluetooth <= 3.26 the D-Bus calls were synchronous and thus the issue in bluez will have no actual affect) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1606203 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1602985 NOTE: Bug in src:bluez itself and would need fixing there, but it is workaroundable in NOTE: gnome-bluetooth: https://gitlab.gnome.org/GNOME/gnome-bluetooth/commit/6b5086d42ea64d46277f3c93b43984f331d12f89 NOTE: workaround in gnome-bluetooth landed in 3.28.2, BlueZ fixed in 5.51 CVE-2018-10909 RESERVED CVE-2018-10908 (It was found that vdsm before version 4.20.37 invokes qemu-img on untr ...) - vdsm (bug #668538) CVE-2018-10907 (It was found that glusterfs server is vulnerable to multiple stack bas ...) {DLA-1510-1} - glusterfs 4.1.4-1 (bug #909215) [stretch] - glusterfs (Minor issue; can be fixed via point release) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1601642 NOTE: https://github.com/gluster/glusterfs/commit/35f86ce46240c4f9c216bbc29164ce441cfca1e7 CVE-2018-10906 (In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount is vuln ...) {DSA-4257-1 DLA-1468-1} - fuse3 3.2.6-1 (bug #911343) - fuse 2.9.8-1 (bug #904439) NOTE: https://github.com/libfuse/libfuse/pull/268 NOTE: https://sourceforge.net/p/fuse/mailman/message/36374753/ CVE-2018-10905 (CloudForms Management Engine (cfme) is vulnerable to an improper secur ...) NOT-FOR-US: Red Hat CloudForms Management Engine CVE-2018-10904 (It was found that glusterfs server does not properly sanitize file pat ...) {DLA-1510-1} - glusterfs 4.1.4-1 (bug #909215) [stretch] - glusterfs (Minor issue; can be fixed via point release) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1601298 NOTE: https://github.com/gluster/glusterfs/commit/9716ce88b3a1faf135a6badc02d94249898059dd CVE-2018-10903 (A flaw was found in python-cryptography versions between >=1.9.0 an ...) - python-cryptography 2.3-1 (bug #904072) [stretch] - python-cryptography (Vulnerable code introduced later) [jessie] - python-cryptography (Vulnerable code introduced later) NOTE: https://github.com//pyca/cryptography/pull/4342 NOTE: https://github.com/pyca/cryptography/pull/4342/commits/688e0f673bfbf43fa898994326c6877f00ab19ef CVE-2018-10902 (It was found that the raw midi kernel driver does not protect against ...) {DSA-4308-1 DLA-1531-1 DLA-1529-1} - linux 4.17.15-1 NOTE: https://git.kernel.org/linus/39675f7a7c7e7702f7d5341f1e0d01db746543a0 (4.18-rc6) CVE-2018-10901 (A flaw was found in Linux kernel's KVM virtualization subsystem. The V ...) - linux (Fixed before src:linux-2.6 -> src:linux rename) NOTE: https://git.kernel.org/linus/3444d7da1839b851eefedd372978d8a982316c36 (2.6.36-rc1) CVE-2018-10900 (Network Manager VPNC plugin (aka networkmanager-vpnc) before version 1 ...) {DSA-4253-1 DLA-1454-1} - network-manager-vpnc 1.2.6-1 (bug #904255) NOTE: http://www.openwall.com/lists/oss-security/2018/07/20/3 NOTE: https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/07ac18a32b4e361a27ef48ac757d36cbb46e8e12 CVE-2018-10899 (A flaw was found in Jolokia versions from 1.2 to before 1.6.1. Affecte ...) NOT-FOR-US: Jolokia CVE-2018-10898 (A vulnerability was found in openstack-tripleo-heat-templates before v ...) - tripleo-heat-templates CVE-2018-10897 (A directory traversal issue was found in reposync, a part of yum-utils ...) - yum-utils 1.1.31-2.2 (bug #921131) [stretch] - yum-utils (Minor issue) [jessie] - yum-utils (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1600221 NOTE: https://github.com/rpm-software-management/yum-utils/commit/7554c0133eb830a71dc01846037cc047d0acbc2c NOTE: https://github.com/rpm-software-management/yum-utils/commit/6a8de061f8fdc885e74ebe8c94625bf53643b71c NOTE: https://github.com/rpm-software-management/yum-utils/pull/43 CVE-2018-10896 (The default cloud-init configuration, in cloud-init 0.6.2 and newer, i ...) NOT-FOR-US: Red Hat-specific packaging flaw of cloud-init default config CVE-2018-10895 (qutebrowser before version 1.4.1 is vulnerable to a cross-site request ...) - qutebrowser 1.4.1-1 NOTE: http://www.openwall.com/lists/oss-security/2018/07/11/7 NOTE: https://github.com/qutebrowser/qutebrowser/issues/4060 NOTE: Introduced in: https://github.com/qutebrowser/qutebrowser/commit/ffc29ee (v1.0.0) NOTE: Fixed in: https://github.com/qutebrowser/qutebrowser/commit/43e58ac865ff862c2008c510fc5f7627e10b4660 (v1.4.1) CVE-2018-10894 (It was found that SAML authentication in Keycloak 3.4.3.Final incorrec ...) NOT-FOR-US: Keycloak CVE-2018-10893 (Multiple integer overflow and buffer overflow issues were discovered i ...) - spice-gtk (bug #904161) [buster] - spice-gtk (Minor issue) [stretch] - spice-gtk (Minor issue) [jessie] - spice-gtk (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1598234 NOTE: Ongoing patch review: https://lists.freedesktop.org/archives/spice-devel/2018-July/044489.html CVE-2018-10892 (The default OCI linux spec in oci/defaults{_linux}.go in Docker/Moby f ...) [experimental] - docker.io 18.06.0+dfsg1-1 - docker.io 18.06.1+dfsg1-1 (bug #908057) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1598581 NOTE: https://github.com/moby/moby/pull/37404 CVE-2018-10891 (A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7, 3.1.13 ...) - moodle CVE-2018-10890 (A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7, 3.1.13 ...) - moodle CVE-2018-10889 (A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7. No opt ...) - moodle CVE-2018-10888 (A flaw was found in libgit2 before version 0.27.3. A missing check in ...) {DLA-1477-1} - libgit2 0.27.4+dfsg.1-0.1 (low; bug #903508) [stretch] - libgit2 (Minor issue) NOTE: https://github.com/libgit2/libgit2/commit/9844d38bed10e9ff17174434b3421b227ae710f3 CVE-2018-10887 (A flaw was found in libgit2 before version 0.27.3. It has been discove ...) {DLA-1477-1} - libgit2 0.27.4+dfsg.1-0.1 (low; bug #903509) [stretch] - libgit2 (Minor issue) NOTE: https://github.com/libgit2/libgit2/commit/3f461902dc1072acb8b7607ee65d0a0458ffac2a NOTE: https://github.com/libgit2/libgit2/commit/c1577110467b701dcbcf9439ac225ea851b47d22 CVE-2018-XXXX [Incomplete fix for CVE-2018-10886] - ant 1.10.5-1 (bug #904191) [stretch] - ant (Incomplete fix for CVE-2018-10886 not applied) [jessie] - ant 1.9.4-3+deb8u2 NOTE: Workaround entry for DLA-1457-1 (as no CVE will be assigned by its CNA) NOTE: https://github.com/apache/ant/commit/6a41d62cb9ab4e640b72cb4de42a6c211dea645d NOTE: https://github.com/apache/ant/commit/5a8c37b271677587046bfd0fea18c1675d5a6300 NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=62502 CVE-2018-10886 REJECTED {DSA-4255-1 DLA-1431-1} - ant 1.10.4-1 NOTE: Fixed upstream in 1.9.12 and 1.10.4 NOTE: https://github.com/apache/ant/commit/e56e54565804991c62ec76dad385d2bdda8972a7 NOTE: https://github.com/apache/ant/commit/1a2b1e37e3616991588f21efa89c474dd6ff83ff NOTE: https://github.com/apache/ant/commit/f72406d53cfb3b3425cc9d000eea421a0e05d8fe NOTE: https://github.com/apache/ant/commit/857095da5153fd18504b46f276d84f1e76a66970 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1584407 NOTE: The CVE will be rejected, as it was assigned by Red Hat's CNA but is out of NOTE: scope of the assigning CNA. CVE-2018-10885 (In atomic-openshift before version 3.10.9 a malicious network-policy c ...) NOT-FOR-US: atomic-openshift CVE-2018-10884 (Ansible Tower before versions 3.1.8 and 3.2.6 is vulnerable to cross-s ...) NOT-FOR-US: Ansible Tower CVE-2018-10883 (A flaw was found in the Linux kernel's ext4 filesystem. A local user c ...) {DLA-1529-1 DLA-1423-1} - linux 4.17.3-1 [stretch] - linux 4.9.110-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=200071 CVE-2018-10882 (A flaw was found in the Linux kernel's ext4 filesystem. A local user c ...) {DLA-1529-1 DLA-1423-1} - linux 4.17.3-1 [stretch] - linux 4.9.110-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=200069 CVE-2018-10881 (A flaw was found in the Linux kernel's ext4 filesystem. A local user c ...) {DLA-1529-1 DLA-1423-1} - linux 4.17.3-1 [stretch] - linux 4.9.110-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=200015 CVE-2018-10880 (Linux kernel is vulnerable to a stack-out-of-bounds write in the ext4 ...) {DLA-1529-1 DLA-1423-1} - linux 4.17.3-1 [stretch] - linux 4.9.110-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=200005 CVE-2018-10879 (A flaw was found in the Linux kernel's ext4 filesystem. A local user c ...) {DLA-1529-1 DLA-1423-1} - linux 4.17.3-1 [stretch] - linux 4.9.110-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1596806 CVE-2018-10878 (A flaw was found in the Linux kernel's ext4 filesystem. A local user c ...) {DLA-1529-1 DLA-1423-1} - linux 4.17.3-1 [stretch] - linux 4.9.110-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199865 CVE-2018-10877 (Linux kernel ext4 filesystem is vulnerable to an out-of-bound access i ...) {DLA-1529-1 DLA-1423-1} - linux 4.17.3-1 [stretch] - linux 4.9.110-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199417 CVE-2018-10876 (A flaw was found in Linux kernel in the ext4 filesystem code. A use-af ...) {DLA-1529-1 DLA-1423-1} - linux 4.17.3-1 [stretch] - linux 4.9.110-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199403 CVE-2018-10875 (A flaw was found in ansible. ansible.cfg is read from the current work ...) {DSA-4396-1 DLA-1923-1} - ansible 2.6.1+dfsg-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1596533 NOTE: https://github.com/ansible/ansible/pull/42070 NOTE: https://github.com/ansible/ansible/commit/4cecbe81adbc655d7ab734165d3ac539f8ba5981 CVE-2018-10874 (In ansible it was found that inventory variables are loaded from curre ...) - ansible 2.6.1+dfsg-1 [stretch] - ansible (Vulnerable code not present) [jessie] - ansible (vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1596528 NOTE: https://github.com/ansible/ansible/pull/42067 NOTE: https://github.com/ansible/ansible/commit/1f80949f964a946773f9d3ac1899535bd2cc2b8e CVE-2018-10873 (A vulnerability was discovered in SPICE before version 0.14.1 where th ...) {DSA-4319-1 DLA-1489-1 DLA-1486-1} - spice 0.14.0-1.1 (bug #906315) - spice-gtk 0.35-1 (bug #906316) [stretch] - spice-gtk (Minor issue) NOTE: https://gitlab.freedesktop.org/spice/spice-common/commit/bb15d4815ab586b4c4a20f4a565970a44824c42c CVE-2018-10872 (A flaw was found in the way the Linux kernel handled exceptions delive ...) - linux (Red Hat specific CVE-2018-8897 regression in RHEL 6.10) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1596094 CVE-2018-10871 (389-ds-base before versions 1.3.8.5, 1.4.0.12 is vulnerable to a Clear ...) {DLA-1483-1} [experimental] - 389-ds-base 1.4.0.13-1 - 389-ds-base 1.4.0.15-1 [stretch] - 389-ds-base (Minor issue) NOTE: https://pagure.io/389-ds-base/issue/49789 CVE-2018-10870 (redhat-certification does not properly sanitize paths in rhcertStore.p ...) NOT-FOR-US: Red Hat Certification CVE-2018-10869 (redhat-certification does not properly restrict files that can be down ...) NOT-FOR-US: Red Hat Certification CVE-2018-10868 RESERVED NOT-FOR-US: Red Hat Certification CVE-2018-10867 RESERVED NOT-FOR-US: Red Hat Certification CVE-2018-10866 RESERVED NOT-FOR-US: Red Hat Certification CVE-2018-10865 RESERVED NOT-FOR-US: Red Hat Certification CVE-2018-10864 (An uncontrolled resource consumption flaw has been discovered in redha ...) NOT-FOR-US: Red Hat Certification CVE-2018-10863 RESERVED NOT-FOR-US: Red Hat Certification CVE-2018-10862 (WildFly Core before version 6.0.0.Alpha3 does not properly validate fi ...) - wildfly (bug #752018) CVE-2018-10861 (A flaw was found in the way ceph mon handles user requests. Any authen ...) {DSA-4339-1} - ceph 12.2.8+dfsg1-1 (bug #913470) [jessie] - ceph (Intrusive changes) NOTE: http://tracker.ceph.com/issues/24838 NOTE: https://github.com/ceph/ceph/commit/975528f632f73fbffa3f1fee304e3bbe3296cffc CVE-2018-10860 (perl-archive-zip is vulnerable to a directory traversal in Archive::Zi ...) {DSA-4300-1 DLA-1440-1} - libarchive-zip-perl 1.62-1 (bug #902882) NOTE: https://github.com/redhotpenguin/perl-Archive-Zip/pull/33 NOTE: https://github.com/redhotpenguin/perl-Archive-Zip/commit/95e1df86327 CVE-2018-10859 (git-annex is vulnerable to an Information Exposure when decrypting fil ...) {DLA-1495-1} - git-annex 6.20180626-1 [stretch] - git-annex 6.20170101-1+deb9u2 NOTE: http://www.openwall.com/lists/oss-security/2018/06/26/4 NOTE: https://git-annex.branchable.com/security/CVE-2018-10857_and_CVE-2018-10859/ CVE-2018-10858 (A heap-buffer overflow was found in the way samba clients processed ex ...) {DSA-4271-1 DLA-1539-1} - samba 2:4.8.4+dfsg-1 NOTE: https://www.samba.org/samba/security/CVE-2018-10858.html CVE-2018-10857 (git-annex is vulnerable to a private data exposure and exfiltration at ...) {DLA-1495-1} - git-annex 6.20180626-1 [stretch] - git-annex 6.20170101-1+deb9u2 NOTE: http://www.openwall.com/lists/oss-security/2018/06/26/4 NOTE: https://git-annex.branchable.com/security/CVE-2018-10857_and_CVE-2018-10859/ CVE-2018-10856 (It has been discovered that podman before version 0.6.1 does not drop ...) - libpod (Fixed before initial upload) CVE-2018-10855 (Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the n ...) {DSA-4396-1} - ansible 2.5.5+dfsg-1 (low) [jessie] - ansible (vulnerable code not present) NOTE: https://github.com/ansible/ansible/pull/41414 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1588855 CVE-2018-10854 (cloudforms version, cloudforms 5.8 and cloudforms 5.9, is vulnerable t ...) NOT-FOR-US: Red Hat CloudForms CVE-2018-10853 (A flaw was found in the way Linux kernel KVM hypervisor before 4.18 em ...) {DLA-1423-1 DLA-1422-1} - linux 4.16.16-1 [stretch] - linux 4.9.110-1 NOTE: Fixed by: https://git.kernel.org/linus/3c9fa24ca7c9c47605672916491f79e8ccacb9e6 CVE-2018-10852 (The UNIX pipe which sudo uses to contact SSSD and read the available s ...) {DLA-1429-1} - sssd 1.16.3-1 (bug #902860) [stretch] - sssd (Minor issue) NOTE: https://pagure.io/SSSD/sssd/issue/3766 NOTE: https://pagure.io/SSSD/sssd/c/ed90a20a0f0e936eb00d268080716c0384ffb01d (master, ssd-1_16_3) CVE-2018-10851 (PowerDNS Authoritative Server 3.3.0 up to 4.1.4 excluding 4.1.5 and 4. ...) - pdns 4.1.5-1 (bug #913163) [stretch] - pdns 4.0.3-1+deb9u3 [jessie] - pdns (Minor issue) - pdns-recursor 4.1.7-1 (bug #913162) [stretch] - pdns-recursor 4.0.4-1+deb9u4 [jessie] - pdns-recursor (Minor issue) NOTE: https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html NOTE: https://downloads.powerdns.com/patches/2018-03/ NOTE: https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-04.html NOTE: https://downloads.powerdns.com/patches/2018-04/ CVE-2018-10850 (389-ds-base before versions 1.4.0.10, 1.3.8.3 is vulnerable to a race ...) {DLA-1428-1} [experimental] - 389-ds-base 1.4.0.13-1 - 389-ds-base 1.4.0.15-1 (bug #903501) [stretch] - 389-ds-base (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1588056 NOTE: https://pagure.io/389-ds-base/c/8f04487f99a NOTE: https://pagure.io/389-ds-base/issue/49768 CVE-2018-10849 REJECTED CVE-2018-10848 REJECTED CVE-2018-10847 (prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authenticat ...) {DSA-4216-1} - prosody 0.10.2-1 (bug #900524) NOTE: https://issues.prosody.im/1147 NOTE: https://blog.prosody.im/prosody-0-10-2-security-release/ NOTE: https://prosody.im/security/advisory_20180531/issue1147-0.10.1.patch (0.10.1) NOTE: https://prosody.im/security/advisory_20180531/issue1147-0.9.patch (0.9.x) CVE-2018-10846 (A cache-based side channel in GnuTLS implementation that leads to plai ...) {DLA-1560-1} [experimental] - gnutls28 3.6.3-1 - gnutls28 3.5.19-1 [stretch] - gnutls28 3.5.8-5+deb9u4 - gnutls26 NOTE: https://gitlab.com/gnutls/gnutls/merge_requests/657 NOTE: https://gitlab.com/gnutls/gnutls/commit/ce671a6db9e47006cff152d485091141b1569f39 (master) NOTE: The proposed fix is to introduce a new option to force encrypt-then-mac NOTE: instead of correcting the issue. NOTE: https://eprint.iacr.org/2018/747 NOTE: Backport of the MR657 to 3.5.x: https://gitlab.com/gnutls/gnutls/merge_requests/663 CVE-2018-10845 (It was found that the GnuTLS implementation of HMAC-SHA-384 was vulner ...) {DLA-1560-1} - gnutls28 3.5.19-1 [stretch] - gnutls28 3.5.8-5+deb9u4 - gnutls26 NOTE: https://gitlab.com/gnutls/gnutls/issues/455 NOTE: https://gitlab.com/gnutls/gnutls/commit/cc14ec5ece856cb083d64e6a5a8657323da661cb (master) NOTE: https://gitlab.com/gnutls/gnutls/commit/e14d85eb8b1987d86f7b1d101a0e7795675d20d4 (gnutls_3_5_19) NOTE: https://gitlab.com/gnutls/gnutls/merge_requests/657 NOTE: https://eprint.iacr.org/2018/747 CVE-2018-10844 (It was found that the GnuTLS implementation of HMAC-SHA-256 was vulner ...) {DLA-1560-1} - gnutls28 3.5.19-1 [stretch] - gnutls28 3.5.8-5+deb9u4 - gnutls26 NOTE: https://gitlab.com/gnutls/gnutls/issues/456 NOTE: https://gitlab.com/gnutls/gnutls/commit/29ffa2a1fa4cc396c5d1563a3e5cdca0174de28b (master) NOTE: https://gitlab.com/gnutls/gnutls/commit/c32a8690f9f9b05994078fe9d2e7a41b18da5b09 (master) NOTE: https://gitlab.com/gnutls/gnutls/commit/c433cdf92349afae66c703bdacedf987f423605e (gnutls_3_5_19) NOTE: https://gitlab.com/gnutls/gnutls/commit/c2e094acd68f7159025b2e2556d6fb4427b41dd7 (gnutls_3_5_19) NOTE: https://gitlab.com/gnutls/gnutls/merge_requests/657 NOTE: https://eprint.iacr.org/2018/747 CVE-2018-10843 (source-to-image component of Openshift Container Platform before versi ...) NOT-FOR-US: source-to-image in OpenShift CVE-2018-10842 REJECTED CVE-2018-10841 (glusterfs is vulnerable to privilege escalation on gluster server node ...) - glusterfs 4.1.2-1 (bug #901968) [stretch] - glusterfs (Minor issue; can be fixed via point release) [jessie] - glusterfs (vulnerable code not present) NOTE: https://review.gluster.org/#/c/20328/ NOTE: http://git.gluster.org/cgit/glusterfs.git/commit/?id=e8d928e34680079e42be6947ffacc4ddd7defca2 CVE-2018-10840 (Linux kernel is vulnerable to a heap-based buffer overflow in the fs/e ...) - linux 4.17.3-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199347 NOTE: Fixed by: https://git.kernel.org/linus/8a2b307c21d4b290e3cbe33f768f194286d07c23 CVE-2018-10839 (Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support ...) {DSA-4338-1 DLA-1599-1} - qemu 1:3.1+dfsg-1 (bug #910431) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03273.html NOTE: https://www.openwall.com/lists/oss-security/2018/10/08/1 NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=fdc89e90fac40c5ca2686733df17b6423fb8d8fb CVE-2018-10838 RESERVED CVE-2018-10837 RESERVED CVE-2018-10836 RESERVED CVE-2018-10835 RESERVED CVE-2018-10834 RESERVED CVE-2018-10833 RESERVED CVE-2018-10832 (ModbusPal 1.6b is vulnerable to an XML External Entity (XXE) attack. P ...) NOT-FOR-US: ModbusPal CVE-2018-10831 (Z-NOMP before 2018-04-05 has an incorrect Equihash solution verifier t ...) NOT-FOR-US: Z-NOMP CVE-2018-10830 (In 2345 Security Guard 3.7, the driver file (2345BdPcSafe.sys, X64 ver ...) NOT-FOR-US: 2345 Security Guard CVE-2018-10829 RESERVED CVE-2018-10828 (An issue was discovered in Alps Pointing-device Driver 10.1.101.207. A ...) NOT-FOR-US: Alps Pointing-device Driver CVE-2018-10827 (LiteCart before 2.1.2 allows remote attackers to cause a denial of ser ...) NOT-FOR-US: LiteCart CVE-2018-10826 RESERVED CVE-2018-10825 (Mimo Baby 2 devices do not use authentication or encryption for the Bl ...) NOT-FOR-US: Mimo Baby 2 CVE-2018-10824 (An issue was discovered on D-Link DWR-116 through 1.06, DIR-140L throu ...) NOT-FOR-US: D-Link CVE-2018-10823 (An issue was discovered on D-Link DWR-116 through 1.06, DWR-512 throug ...) NOT-FOR-US: D-Link CVE-2018-10822 (Directory traversal vulnerability in the web interface on D-Link DWR-1 ...) NOT-FOR-US: D-Link CVE-2018-10821 (Cross-site scripting (XSS) vulnerability in backend/pages/modify.php i ...) NOT-FOR-US: BlackCatCMS CVE-2018-10820 RESERVED CVE-2018-10819 RESERVED CVE-2018-10818 RESERVED CVE-2018-10817 (Severalnines ClusterControl before 1.6.0-4699 allows XSS. ...) NOT-FOR-US: Severalnines ClusterControl CVE-2018-10816 RESERVED CVE-2018-10815 (An issue was discovered in Cloudera Manager before 5.13.4, 5.14.x befo ...) NOT-FOR-US: Cloudera Manager CVE-2018-10814 (Synametrics SynaMan 4.0 build 1488 uses cleartext password storage for ...) NOT-FOR-US: Synametrics SynaMan CVE-2018-10813 (In Dedos-web 1.0, the cookie and session secrets used in the Express.j ...) NOT-FOR-US: Dedos-web CVE-2018-10812 (The Bitpie application through 3.2.4 for Android and iOS uses cleartex ...) NOT-FOR-US: Bitpie application for Android and iOS CVE-2018-10811 (strongSwan 5.6.0 and older allows Remote Denial of Service because of ...) {DSA-4229-1} - strongswan 5.6.3-1 NOTE: https://www.strongswan.org/blog/2018/05/28/strongswan-5.6.3-released.html NOTE: https://www.strongswan.org/blog/2018/05/28/strongswan-vulnerability-(cve-2018-10811).html CVE-2018-10810 (chat/mobile/index.php in LiveZilla Live Chat 7.0.9.5 and prior is affe ...) NOT-FOR-US: LiveZilla Live Chat CVE-2018-10809 (In 2345 Security Guard 3.7, the driver file (2345NetFirewall.sys) allo ...) NOT-FOR-US: 2345 Security Guard CVE-2018-10808 RESERVED CVE-2018-10807 RESERVED CVE-2018-10806 (An issue was discovered in Frog CMS 0.9.5. There is a reflected Cross ...) NOT-FOR-US: Frog CMS CVE-2018-10805 (ImageMagick version 7.0.7-28 contains a memory leak in ReadYCBCRImage ...) [experimental] - imagemagick 8:6.9.10.2+dfsg-1 - imagemagick 8:6.9.10.2+dfsg-2 (unimportant; bug #898218) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1054 CVE-2018-10804 (ImageMagick version 7.0.7-28 contains a memory leak in WriteTIFFImage ...) [experimental] - imagemagick 8:6.9.10.2+dfsg-1 - imagemagick 8:6.9.10.2+dfsg-2 (unimportant; bug #898217) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1053 NOTE: https://github.com/ImageMagick/ImageMagick/commit/052f6c22d3a2b2aae9dfa24aff9ccdf8b72ace91 CVE-2018-10803 (Cross-site scripting (XSS) vulnerability in the add credentials functi ...) NOT-FOR-US: Zoho ManageEngine NetFlow Analyzer CVE-2018-1000301 (curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-1 ...) {DSA-4202-1 DLA-1379-1} - curl 7.60.0-1 (bug #898856) NOTE: https://curl.haxx.se/docs/adv_2018-b138.html CVE-2018-1000300 (curl version curl 7.54.1 to and including curl 7.59.0 contains a CWE-1 ...) - curl 7.60.0-1 [stretch] - curl (Vulnerable code introduced in 7.54.1) [jessie] - curl (Vulnerable code introduced in 7.54.1) [wheezy] - curl (Vulnerable code introduced in 7.54.1) NOTE: https://curl.haxx.se/docs/adv_2018-82c2.html CVE-2018-1000177 (A cross-site scripting vulnerability exists in Jenkins S3 Plugin 0.10. ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000176 (An exposure of sensitive information vulnerability exists in Jenkins E ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000175 (A path traversal vulnerability exists in Jenkins HTML Publisher Plugin ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000174 (An open redirect vulnerability exists in Jenkins Google Login Plugin 1 ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000173 (A session fixaction vulnerability exists in Jenkins Google Login Plugi ...) NOT-FOR-US: Jenkins plugin CVE-2018-10802 RESERVED CVE-2018-10801 (TIFFClientOpen in tif_unix.c in LibTIFF 3.8.2 has memory leaks, as dem ...) - tiff 4.0.6-3 [jessie] - tiff 4.0.3-12.3+deb8u2 - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2790 NOTE: Utility bmp2tiff has been removed from upstream LibTIFF NOTE: bmp2tiff was removed in 4.0.6-3 and DSA 3762, marking as fixed although NOTE: technically still present in the source package CVE-2018-10800 RESERVED CVE-2018-10799 (A hang issue was discovered in Brave before 0.14.0 (on, for example, L ...) - brave-browser (bug #864795) CVE-2018-10798 (A hang issue was discovered in Brave before 0.14.0 (on, for example, L ...) - brave-browser (bug #864795) CVE-2018-10797 RESERVED CVE-2018-10796 (In 2345 Security Guard 3.7, the driver file (2345NetFirewall.sys) allo ...) NOT-FOR-US: 2345 Security Guard CVE-2018-10795 (** DISPUTED ** Liferay 6.2.x and before has an FCKeditor configuration ...) NOT-FOR-US: Liferay CVE-2017-18265 (Prosody before 0.10.0 allows remote attackers to cause a denial of ser ...) {DSA-4198-1} - prosody 0.10.0-1 (bug #875829) [jessie] - prosody (Only exploitable with a LuaSocket version not in jessie) [wheezy] - prosody (Vulnerable code not present) NOTE: https://prosody.im/issues/issue/987 CVE-2018-10794 RESERVED CVE-2018-10793 RESERVED CVE-2018-10792 RESERVED CVE-2018-10791 RESERVED CVE-2018-10790 RESERVED CVE-2018-10789 RESERVED CVE-2018-10788 RESERVED CVE-2018-10787 RESERVED CVE-2018-10786 RESERVED CVE-2018-10785 RESERVED CVE-2018-10784 RESERVED CVE-2018-10783 RESERVED CVE-2018-10782 RESERVED CVE-2018-10781 RESERVED CVE-2018-10780 (Exiv2::Image::byteSwap2 in image.cpp in Exiv2 0.26 has a heap-based bu ...) - exiv2 (Vulnerable code introduced later; only affected experimental) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1575201 NOTE: Commit https://github.com/Exiv2/exiv2/commit/74cb5bab132ed76adf15df172c5e8b58cddaa96c NOTE: adresses an overflow, but not solving the invalid write of size 1 via NOTE: Exiv2::Image::printIFDStructure. NOTE: Commit https://github.com/Exiv2/exiv2/commit/8ff26931e31bb25d66c69846f47f3f5b6d9a32f1 NOTE: avoids using Image::printStructure() when reading images. CVE-2018-10779 (TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a heap-based buf ...) - tiff 4.0.6-3 (bug #898359) [jessie] - tiff 4.0.3-12.3+deb8u2 - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2788 NOTE: Utility bmp2tiff has been removed from upstream LibTIFF NOTE: bmp2tiff was removed in 4.0.6-3 and DSA 3762, marking as fixed although NOTE: technically still present in the source package CVE-2018-10778 (Read access violation in the III_dequantize_sample function in mpglibD ...) - mp3gain [wheezy] - mp3gain (Not supported in Wheezy) CVE-2018-10777 (Buffer overflow in the WriteMP3GainAPETag function in apetag.c in mp3g ...) - mp3gain [wheezy] - mp3gain (Not supported in Wheezy) CVE-2018-10776 (The getbits function in mpglibDBL/common.c in mp3gain through 1.5.2-r2 ...) - mp3gain [wheezy] - mp3gain (Not supported in Wheezy) CVE-2018-10775 (NULL pointer dereference in the _fields_add function in fields.c in li ...) - bibutils (unimportant; bug #898135) NOTE: Crash in CLI tool, no security impact CVE-2018-10774 (Read access violation in the isiin_keyword function in isiin.c in libb ...) - bibutils (unimportant; bug #898135) NOTE: Crash in CLI tool, no security impact CVE-2018-10773 (NULL pointer deference in the addsn function in serialno.c in libbibco ...) - bibutils (unimportant; bug #898135) NOTE: Crash in CLI tool, no security impact CVE-2018-10772 (The tEXtToDataBuf function in pngimage.cpp in Exiv2 through 0.26 allow ...) [experimental] - exiv2 - exiv2 (Vulnerable code introduced after 0.25) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1566260 CVE-2018-10771 (Stack-based buffer overflow in the get_key function in parse.c in abcm ...) - abcm2ps 8.14.2-0.1 (unimportant; bug #898130) NOTE: https://github.com/leesavide/abcm2ps/issues/17 NOTE: https://github.com/leesavide/abcm2ps/commit/dc0372993674d0b50fedfbf7b9fad1239b8efc5f NOTE: Crash in CLI tool (neutralised by toolchain hardening), no security impact CVE-2018-10770 (download.rsp on ShenZhen Anni "5 in 1 XVR" devices allows remote attac ...) NOT-FOR-US: ShenZhen Anni "5 in 1 XVR" devices CVE-2018-10769 (The transferProxy and approveProxy functions of a smart contract imple ...) NOT-FOR-US: smart contract CVE-2018-10768 (There is a NULL pointer dereference in the AnnotPath::getCoordsLength ...) {DLA-1562-1} - poppler 0.38.0-2 [wheezy] - poppler (Vulnerable code is not present) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=106408 NOTE: Fixed by: https://cgit.freedesktop.org/poppler/poppler/commit/?id=942adfc25e7a00ac3cf032ced2d8949e99099f70 (poppler-0.37) CVE-2018-10767 (There is a stack-based buffer over-read in calling GLib in the functio ...) - libgxps 0.3.0-3 (bug #898133) [stretch] - libgxps (Minor issue) [jessie] - libgxps (Minor issue) [wheezy] - libgxps (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1575188 CVE-2018-10766 RESERVED CVE-2018-10765 RESERVED CVE-2018-10764 RESERVED CVE-2018-10763 (Multiple cross-site scripting (XSS) vulnerabilities in Synametrics Syn ...) NOT-FOR-US: Synametrics SynaMan CVE-2018-10762 REJECTED CVE-2018-10761 REJECTED CVE-2018-10760 (Unrestricted file upload vulnerability in the Files plugin in ProjectP ...) NOT-FOR-US: Files plugin in ProjectPier CVE-2018-10759 (PHP remote file inclusion vulnerability in public/patch/patch.php in P ...) NOT-FOR-US: Project Pier CVE-2018-11319 (Syntastic (aka vim-syntastic) through 3.9.0 does not properly handle s ...) {DSA-4261-1 DLA-1444-1} - vim-syntastic 3.9.0-1 (bug #894736) NOTE: https://github.com/vim-syntastic/syntastic/issues/2170 NOTE: https://github.com/vim-syntastic/syntastic/commit/6d7c0b394e001233dd09ec473fbea2002c72632f CVE-2018-10758 (The edit/ URI in Datenstrom Yellow 0.7.3 has CSRF via a delete action ...) NOT-FOR-US: Datenstrom Yellow CVE-2018-10757 (CSP MySQL User Manager 2.3.1 allows SQL injection, and resultant Authe ...) NOT-FOR-US: CSP MySQL User Manager CVE-2018-10756 (Use-after-free in libtransmission/variant.c in Transmission before 3.0 ...) {DLA-2218-1} - transmission 3.00-1 (bug #961461) NOTE: https://github.com/transmission/transmission/commit/2123adf8e5e1c2b48791f9d22fc8c747e974180e (3.00) NOTE: https://tomrichards.net/2020/05/cve-2018-10756-transmission/ CVE-2018-10755 REJECTED CVE-2018-10754 REJECTED CVE-2018-10753 (Stack-based buffer overflow in the delayed_output function in music.c ...) - abcm2ps 8.14.2-0.1 (unimportant; bug #897966) NOTE: https://github.com/leesavide/abcm2ps/issues/16 NOTE: https://github.com/leesavide/abcm2ps/commit/fd956e19f88ee32f8ec4aece5901400b06e80bcc NOTE: Crash in CLI tool, no security impact CVE-2018-10752 (The Tagregator plugin 0.6 for WordPress has stored XSS via the title f ...) NOT-FOR-US: Tagregator plugin for WordPress CVE-2018-10751 (A malformed OMACP WAP push message can cause memory corruption on a Sa ...) NOT-FOR-US: Samsung CVE-2018-10750 (An issue was discovered on D-Link DSL-3782 EU 1.01 devices. An authent ...) NOT-FOR-US: D-Link CVE-2018-10749 (An issue was discovered on D-Link DSL-3782 EU 1.01 devices. An authent ...) NOT-FOR-US: D-Link CVE-2018-10748 (An issue was discovered on D-Link DSL-3782 EU 1.01 devices. An authent ...) NOT-FOR-US: D-Link CVE-2018-10747 (An issue was discovered on D-Link DSL-3782 EU 1.01 devices. An authent ...) NOT-FOR-US: D-Link CVE-2018-10746 (An issue was discovered on D-Link DSL-3782 EU 1.01 devices. An authent ...) NOT-FOR-US: D-Link CVE-2018-10745 RESERVED CVE-2018-10744 RESERVED CVE-2018-10743 RESERVED CVE-2018-10742 RESERVED CVE-2018-10741 RESERVED CVE-2018-10740 (Axublog 1.1.0 allows remote Code Execution as demonstrated by injectio ...) NOT-FOR-US: Axublog CVE-2018-10739 (An issue was discovered in Shanghai 2345 Security Guard 3.7.0. 2345MPC ...) NOT-FOR-US: Shanghai 2345 Security Guard CVE-2018-10738 (A SQL injection issue was discovered in Nagios XI before 5.4.13 via th ...) NOT-FOR-US: Nagios XI CVE-2018-10737 (A SQL injection issue was discovered in Nagios XI before 5.4.13 via th ...) NOT-FOR-US: Nagios XI CVE-2018-10736 (A SQL injection issue was discovered in Nagios XI before 5.4.13 via th ...) NOT-FOR-US: Nagios XI CVE-2018-10735 (A SQL injection issue was discovered in Nagios XI before 5.4.13 via th ...) NOT-FOR-US: Nagios XI CVE-2018-10734 (KONGTOP DVR devices A303, A403, D303, D305, and D403 contain a backdoo ...) NOT-FOR-US: KONGTOP DVR devices CVE-2018-10733 (There is a heap-based buffer over-read in the function ft_font_face_ha ...) - libgxps 0.3.0-3 (low; bug #897954) [stretch] - libgxps (Minor issue) [jessie] - libgxps (Minor issue) [wheezy] - libgxps (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1574844 NOTE: https://git.gnome.org/browse/libgxps/commit/?id=b458226e162fe1ffe7acb4230c114a52ada5131b NOTE: https://git.gnome.org/browse/libgxps/commit/?id=133fe2a96e020d4ca65c6f64fb28a404050ebbfd CVE-2018-10732 (The REST API in Dataiku DSS before 4.2.3 allows remote attackers to ob ...) NOT-FOR-US: Dataiku DSS CVE-2018-10731 (All Phoenix Contact managed FL SWITCH 3xxx, 4xxx, 48xx products runnin ...) NOT-FOR-US: Phoenix Contact managed FL SWITCH 3xxx, 4xxx, 48xx products CVE-2018-10730 (All Phoenix Contact managed FL SWITCH 3xxx, 4xxx, 48xx products runnin ...) NOT-FOR-US: Phoenix Contact managed FL SWITCH 3xxx, 4xxx, 48xx products CVE-2018-10729 (All Phoenix Contact managed FL SWITCH 3xxx, 4xxx, 48xx products runnin ...) NOT-FOR-US: Phoenix Contact managed FL SWITCH 3xxx, 4xxx, 48xx products CVE-2018-10728 (All Phoenix Contact managed FL SWITCH 3xxx, 4xxx, 48xx products runnin ...) NOT-FOR-US: Phoenix Contact managed FL SWITCH 3xxx, 4xxx, 48xx products CVE-2018-10727 (Reflected Cross-Site Scripting (XSS) vulnerability in the fabrik_refer ...) NOT-FOR-US: Joomla extension CVE-2018-10726 (** DISPUTED ** A stored XSS vulnerability was found in Datenstrom Yell ...) NOT-FOR-US: Datenstrom Yellow CVE-2018-10725 RESERVED CVE-2018-10724 RESERVED CVE-2018-10723 (Directus 6.4.9 has a hardcoded admin password for the Admin account be ...) NOT-FOR-US: Directus CVE-2018-10722 (In Cylance CylancePROTECT before 1470, an unprivileged local user can ...) NOT-FOR-US: Cylance CylancePROTECT CVE-2018-10721 RESERVED CVE-2018-10720 RESERVED CVE-2018-10719 RESERVED CVE-2018-10718 (Stack-based buffer overflow in Activision Infinity Ward Call of Duty M ...) NOT-FOR-US: Activision CVE-2018-10717 (The DecodeGifImg function in ngiflib.c in MiniUPnP ngiflib 0.4 does no ...) NOT-FOR-US: ngiflib CVE-2018-10716 (An issue was discovered in Shanghai 2345 Security Guard 3.7.0. 2345MPC ...) NOT-FOR-US: Shanghai 2345 Security Guard CVE-2018-10715 RESERVED CVE-2018-10714 RESERVED CVE-2018-10713 (An issue was discovered on D-Link DSL-3782 EU 1.01 devices. An authent ...) NOT-FOR-US: D-Link CVE-2018-10712 (The AsrDrv101.sys and AsrDrv102.sys low-level drivers in ASRock RGBLED ...) NOT-FOR-US: ASRock CVE-2018-10711 (The AsrDrv101.sys and AsrDrv102.sys low-level drivers in ASRock RGBLED ...) NOT-FOR-US: ASRock CVE-2018-10710 (The AsrDrv101.sys and AsrDrv102.sys low-level drivers in ASRock RGBLED ...) NOT-FOR-US: ASRock CVE-2018-10709 (The AsrDrv101.sys and AsrDrv102.sys low-level drivers in ASRock RGBLED ...) NOT-FOR-US: ASRock CVE-2018-10708 RESERVED CVE-2018-10707 RESERVED CVE-2018-10706 (An integer overflow in the transferMulti function of a smart contract ...) NOT-FOR-US: Social Chain CVE-2018-10705 (The Owned smart contract implementation for Aurora DAO (AURA), an Ethe ...) NOT-FOR-US: Aurora DAD CVE-2018-10704 (yidashi yii2cmf 2.0 has XSS via the /search q parameter. ...) NOT-FOR-US: yidashi yii2cmf CVE-2018-10703 (An issue was discovered on Moxa AWK-3121 1.14 devices. It provides fun ...) NOT-FOR-US: Moxa CVE-2018-10702 (An issue was discovered on Moxa AWK-3121 1.14 devices. It provides fun ...) NOT-FOR-US: Moxa CVE-2018-10701 (An issue was discovered on Moxa AWK-3121 1.14 devices. It provides fun ...) NOT-FOR-US: Moxa CVE-2018-10700 (An issue was discovered on Moxa AWK-3121 1.19 devices. It provides fun ...) NOT-FOR-US: Moxa CVE-2018-10699 (An issue was discovered on Moxa AWK-3121 1.14 devices. The Moxa AWK 31 ...) NOT-FOR-US: Moxa CVE-2018-10698 (An issue was discovered on Moxa AWK-3121 1.14 devices. The device enab ...) NOT-FOR-US: Moxa CVE-2018-10697 (An issue was discovered on Moxa AWK-3121 1.14 devices. The Moxa AWK 31 ...) NOT-FOR-US: Moxa CVE-2018-10696 (An issue was discovered on Moxa AWK-3121 1.14 devices. The device prov ...) NOT-FOR-US: Moxa CVE-2018-10695 (An issue was discovered on Moxa AWK-3121 1.14 devices. It provides ale ...) NOT-FOR-US: Moxa CVE-2018-10694 (An issue was discovered on Moxa AWK-3121 1.14 devices. The device prov ...) NOT-FOR-US: Moxa CVE-2018-10693 (An issue was discovered on Moxa AWK-3121 1.14 devices. It provides pin ...) NOT-FOR-US: Moxa CVE-2018-10692 (An issue was discovered on Moxa AWK-3121 1.14 devices. The session coo ...) NOT-FOR-US: Moxa CVE-2018-10691 (An issue was discovered on Moxa AWK-3121 1.14 devices. It is intended ...) NOT-FOR-US: Moxa CVE-2018-10690 (An issue was discovered on Moxa AWK-3121 1.14 devices. The device by d ...) NOT-FOR-US: Moxa CVE-2018-10689 (blktrace (aka Block IO Tracing) 1.2.0, as used with the Linux kernel a ...) - blktrace 1.2.0-1 (low; bug #897695) [stretch] - blktrace 1.1.0-2+deb9u1 [jessie] - blktrace 1.0.5-1+deb8u1 [wheezy] - blktrace (Minor issue) NOTE: https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaac5b7 NOTE: https://www.spinics.net/lists/linux-btrace/msg00847.html CVE-2018-10688 RESERVED CVE-2018-10687 RESERVED CVE-2018-10686 (An issue was discovered in Vesta Control Panel 0.9.8-20. There is Refl ...) NOT-FOR-US: Vesta Control Panel CVE-2018-10685 (In Long Range Zip (aka lrzip) 0.631, there is a use-after-free in the ...) - lrzip 0.631+git180517-1 (low; bug #897645) [stretch] - lrzip (Minor issue) [jessie] - lrzip (Minor issue) [wheezy] - lrzip (Minor issue) NOTE: https://github.com/ckolivas/lrzip/issues/95 CVE-2018-10684 RESERVED CVE-2018-10683 (** DISPUTED ** An issue was discovered in WildFly 10.1.2.Final. In the ...) - wildfly (bug #752018) CVE-2018-10682 (** DISPUTED ** An issue was discovered in WildFly 10.1.2.Final. It is ...) - wildfly (bug #752018) CVE-2016-10723 (** DISPUTED ** An issue was discovered in the Linux kernel through 4.1 ...) - linux - linux-4.9 NOTE: https://patchwork.kernel.org/patch/10395909/ CVE-2016-10722 (partclone.fat in Partclone before 0.2.88 is prone to a heap-based buff ...) - partclone 0.2.88-1 [jessie] - partclone (Minor issue) [wheezy] - partclone (Minor issue) NOTE: https://david.gnedt.at/blog/2016/11/14/advisory-partclone-fat-bitmap-heap-overflow/ NOTE: https://github.com/Thomas-Tsai/partclone/issues/71 CVE-2016-10721 (partclone.restore in Partclone 0.2.87 is prone to a heap-based buffer ...) - partclone 0.2.88-1 [jessie] - partclone (Minor issue) [wheezy] - partclone (Minor issue) NOTE: https://github.com/Thomas-Tsai/partclone/issues/82 CVE-2018-10681 RESERVED CVE-2018-10680 (** DISPUTED ** Z-BlogPHP 1.5.2 has a stored Cross Site Scripting Vulne ...) NOT-FOR-US: Z-BlogPHP CVE-2018-10679 RESERVED CVE-2018-10678 (MyBB 1.8.15, when accessed with Microsoft Edge, mishandles 'target="_b ...) NOT-FOR-US: MyBB CVE-2018-10677 (The DecodeGifImg function in ngiflib.c in MiniUPnP ngiflib 0.4 lacks c ...) NOT-FOR-US: ngiflib CVE-2018-10676 (CeNova, Night OWL, Novo, Pulnix, QSee, Securus, and TBK Vision DVR dev ...) NOT-FOR-US: CeNova, Night OWL, Novo, Pulnix, QSee, Securus, and TBK Vision DVR devices CVE-2018-10674 RESERVED CVE-2018-10673 RESERVED CVE-2018-10672 RESERVED CVE-2018-10671 RESERVED CVE-2018-10670 RESERVED CVE-2018-10669 RESERVED CVE-2018-10668 RESERVED CVE-2018-10667 RESERVED CVE-2018-10666 (The Owned smart contract implementation for Aurora IDEX Membership (ID ...) NOT-FOR-US: Aurora IDEX CVE-2018-10665 (ILIAS 5.3.4 has XSS through unsanitized output of PHP_SELF, related to ...) NOT-FOR-US: ILIAS CVE-2018-10664 (An issue was discovered in the httpd process in multiple models of Axi ...) NOT-FOR-US: Axis CVE-2018-10663 (An issue was discovered in multiple models of Axis IP Cameras. There i ...) NOT-FOR-US: Axis CVE-2018-10662 (An issue was discovered in multiple models of Axis IP Cameras. There i ...) NOT-FOR-US: Axis CVE-2018-10661 (An issue was discovered in multiple models of Axis IP Cameras. There i ...) NOT-FOR-US: Axis CVE-2018-10660 (An issue was discovered in multiple models of Axis IP Cameras. There i ...) NOT-FOR-US: Axis CVE-2018-10659 (There was a Memory Corruption issue discovered in multiple models of A ...) NOT-FOR-US: Axis CVE-2018-10658 (There was a Memory Corruption issue discovered in multiple models of A ...) NOT-FOR-US: Axis CVE-2018-10675 (The do_get_mempolicy function in mm/mempolicy.c in the Linux kernel be ...) - linux 4.12.12-1 [stretch] - linux 4.9.47-1 [jessie] - linux 3.16.51-1 [wheezy] - linux 3.2.96-1 NOTE: https://git.kernel.org/linus/73223e4e2e3867ebf033a5a8eb2e5df0158ccc99 (4.13-rc6) CVE-2018-10657 (Matrix Synapse before 0.28.1 is prone to a denial of service flaw wher ...) - matrix-synapse 0.28.1+dfsg-1 NOTE: https://github.com/matrix-org/synapse/commit/33f469ba19586bbafa0cf2c7d7c35463bdab87eb NOTE: https://matrix.org/blog/2018/05/01/security-update-synapse-0-28-1/ CVE-2018-10656 RESERVED CVE-2018-10655 (DLPnpAuditor.exe in DeviceLock Plug and Play Auditor (freeware) 5.72 h ...) NOT-FOR-US: DeviceLock Plug and Play Auditor CVE-2018-10654 (There is a Hazelcast Library Java Deserialization Vulnerability in Cit ...) NOT-FOR-US: Citrix CVE-2018-10653 (There is an XML External Entity (XXE) Processing Vulnerability in Citr ...) NOT-FOR-US: Citrix CVE-2018-10652 (There is a Sensitive Data Leakage issue in Citrix XenMobile Server 10. ...) NOT-FOR-US: Citrix CVE-2018-10651 (There are Open Redirect Vulnerabilities in Citrix XenMobile Server 10. ...) NOT-FOR-US: Citrix CVE-2018-10650 (There is an Insufficient Path Validation Vulnerability in Citrix XenMo ...) NOT-FOR-US: Citrix CVE-2018-10649 (There is a Cross-Site Scripting Vulnerability in Citrix XenMobile Serv ...) NOT-FOR-US: Citrix CVE-2018-10648 (There are Unauthenticated File Upload Vulnerabilities in Citrix XenMob ...) NOT-FOR-US: Citrix CVE-2018-10647 (SaferVPN 4.2.5 for Windows suffers from a SYSTEM privilege escalation ...) NOT-FOR-US: SaferVPN CVE-2018-10646 (CyberGhost 6.5.0.3180 for Windows suffers from a SYSTEM privilege esca ...) NOT-FOR-US: CyberGhost CVE-2018-10645 (Golden Frog VyprVPN 2.12.1.8015 for Windows suffers from a SYSTEM priv ...) NOT-FOR-US: Golden Frog VyprVPN CVE-2018-10644 RESERVED CVE-2018-10643 RESERVED CVE-2018-10642 (Command injection vulnerability in Combodo iTop 2.4.1 allows remote au ...) NOT-FOR-US: Combodo iTop CVE-2018-10641 (D-Link DIR-601 A1 1.02NA devices do not require the old password for a ...) NOT-FOR-US: D-Link CVE-2018-10640 RESERVED CVE-2018-10639 RESERVED CVE-2018-10638 RESERVED CVE-2018-10637 (A maliciously crafted project file may cause a buffer overflow, which ...) NOT-FOR-US: Fuji CVE-2018-10636 (CNCSoft Version 1.00.83 and prior with ScreenEditor Version 1.00.54 ha ...) NOT-FOR-US: CNCSoft CVE-2018-10635 (In Universal Robots Robot Controllers Version CB 3.1, SW Version 3.4.5 ...) NOT-FOR-US: Universal Robots CVE-2018-10634 (Medtronic MMT 508 MiniMed insulin pump, 522 / MMT - 722 Paradigm REAL- ...) NOT-FOR-US: Medtronic CVE-2018-10633 (Universal Robots Robot Controllers Version CB 3.1, SW Version 3.4.5-10 ...) NOT-FOR-US: Universal Robots CVE-2018-10632 (In Moxa NPort 5210, 5230, and 5232 versions 2.9 build 17030709 and pri ...) NOT-FOR-US: Moxa CVE-2018-10631 (Medtronic N'Vision Clinician Programmer 8840 N'Vision Clinician Progra ...) NOT-FOR-US: Medtronic CVE-2018-10630 (For Crestron TSW-X60 version prior to 2.001.0037.001 and MC3 version p ...) NOT-FOR-US: Creston CVE-2018-10629 RESERVED CVE-2018-10628 (AVEVA InTouch 2014 R2 SP1 and prior, InTouch 2017, InTouch 2017 Update ...) NOT-FOR-US: AVEVA CVE-2018-10627 (Echelon SmartServer 1 all versions, SmartServer 2 all versions prior t ...) NOT-FOR-US: Echelon CVE-2018-10626 (A vulnerability was discovered in all versions of Medtronic MyCareLink ...) NOT-FOR-US: Medtronic CVE-2018-10625 RESERVED CVE-2018-10624 (In Johnson Controls Metasys System Versions 8.0 and prior and BCPro (B ...) NOT-FOR-US: Johnson Controls Metasys System CVE-2018-10623 (Delta Electronics Delta Industrial Automation DOPSoft version 4.00.04 ...) NOT-FOR-US: Delta Electronics Delta Industrial Automation DOPSoft CVE-2018-10622 (A vulnerability was discovered in all versions of Medtronic MyCareLink ...) NOT-FOR-US: Medtronic CVE-2018-10621 (Delta Electronics Delta Industrial Automation DOPSoft version 4.00.04 ...) NOT-FOR-US: Delta Electronics Delta Industrial Automation DOPSoft CVE-2018-10620 (AVEVA InduSoft Web Studio v8.1 and v8.1SP1, and InTouch Machine Editio ...) NOT-FOR-US: AVEVA CVE-2018-10619 (An unquoted search path or element in RSLinx Classic Versions 3.90.01 ...) NOT-FOR-US: RSLinx CVE-2018-10618 (Davolink DVW-3200N all version prior to Version 1.00.06. The device ge ...) NOT-FOR-US: Davolink DVW-3200N CVE-2018-10617 (Delta Electronics Delta Industrial Automation DOPSoft version 4.00.04 ...) NOT-FOR-US: Delta Electronics Delta Industrial Automation DOPSoft CVE-2018-10616 (ABB Panel Builder 800 all versions has an improper input validation vu ...) NOT-FOR-US: ABB Panel Builder 800 CVE-2018-10615 (Directory traversal may lead to files being exfiltrated or deleted on ...) NOT-FOR-US: GE MDS PulseNET and MDS PulseNET Enterprise CVE-2018-10614 (An XXE vulnerability in LeviStudioU, Versions 1.8.29 and 1.8.44 can be ...) NOT-FOR-US: LeviStudioU CVE-2018-10613 (Multiple variants of XML External Entity (XXE) attacks may be used to ...) NOT-FOR-US: GE MDS PulseNET and MDS PulseNET Enterprise CVE-2018-10612 (In 3S-Smart Software Solutions GmbH CODESYS Control V3 products prior ...) NOT-FOR-US: 3S-Smart Software Solutions GmbH CODESYS Control V3 Products CVE-2018-10611 (Java remote method invocation (RMI) input port in GE MDS PulseNET and ...) NOT-FOR-US: GE MDS PulseNET and MDS PulseNET Enterprise CVE-2018-10610 (An out-of-bounds vulnerability in LeviStudioU, Versions 1.8.29 and 1.8 ...) NOT-FOR-US: LeviStudioU CVE-2018-10609 (Martem TELEM GW6 and GWM devices with firmware 2018.04.18-linux_4-01-6 ...) NOT-FOR-US: Martem TELEM GW6 and GWM devices CVE-2018-10608 (SEL AcSELerator Architect version 2.2.24.0 and prior can be exploited ...) NOT-FOR-US: SEL AcSELerator Architect CVE-2018-10607 (Martem TELEM GW6 and GWM devices with firmware 2018.04.18-linux_4-01-6 ...) NOT-FOR-US: Martem TELEM GW6 and GWM devices CVE-2018-10606 (WECON LeviStudio Versions 1.8.29 and 1.8.44 have multiple heap-based b ...) NOT-FOR-US: WECON LeviStudio CVE-2018-10605 (Martem TELEM GW6/GWM versions prior to 2.0.87-4018403-k4 may allow unp ...) NOT-FOR-US: Martem TELEM GW6/GWM CVE-2018-10604 (SEL Compass version 3.0.5.1 and prior allows all users full access to ...) NOT-FOR-US: SEL Compass CVE-2018-10603 (Martem TELEM GW6 and GWM devices with firmware 2018.04.18-linux_4-01-6 ...) NOT-FOR-US: Martem TELEM GW6 and GWM devices CVE-2018-10602 (WECON LeviStudio Versions 1.8.29 and 1.8.44 have multiple stack-based ...) NOT-FOR-US: WECON LeviStudio CVE-2018-10601 (IntelliVue Patient Monitors MP Series (including MP2/X2/MP30/MP50/MP70 ...) NOT-FOR-US: Philips CVE-2018-10600 (SEL AcSELerator Architect version 2.2.24.0 and prior allows unsanitize ...) NOT-FOR-US: SEL AcSELerator Architect CVE-2018-10599 (IntelliVue Patient Monitors MP Series (including MP2/X2/MP30/MP50/MP70 ...) NOT-FOR-US: Philips CVE-2018-10598 (CNCSoft Version 1.00.83 and prior with ScreenEditor Version 1.00.54 ha ...) NOT-FOR-US: CNCSoft CVE-2018-10597 (IntelliVue Patient Monitors MP Series (including MP2/X2/MP30/MP50/MP70 ...) NOT-FOR-US: Philips CVE-2018-10596 (Medtronic 2090 CareLink Programmer all versions The affected product u ...) NOT-FOR-US: Medtronic CVE-2018-10595 (A vulnerability in ReadA version 1.1.0.2 and previous allows an author ...) NOT-FOR-US: BD Kiestra and InoqulA systems CVE-2018-10594 (Delta Industrial Automation COMMGR from Delta Electronics versions 1.0 ...) NOT-FOR-US: Delta CVE-2018-10593 (A vulnerability in DB Manager version 3.0.1.0 and previous and Perform ...) NOT-FOR-US: BD Kiestra and InoqulA systems CVE-2018-10592 (Yokogawa STARDOM FCJ controllers R4.02 and prior, FCN-100 controllers ...) NOT-FOR-US: Yokogawa CVE-2018-10591 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ver ...) NOT-FOR-US: Advantech CVE-2018-10590 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ver ...) NOT-FOR-US: Advantech CVE-2018-10589 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ver ...) NOT-FOR-US: Advantech CVE-2018-10588 RESERVED CVE-2018-10587 (NetGain Enterprise Manager (EM) is affected by OS Command Injection vu ...) NOT-FOR-US: NetGain Enterprise Manager CVE-2018-10586 (NetGain Enterprise Manager (EM) is affected by multiple Stored Cross-S ...) NOT-FOR-US: NetGain Enterprise Manager CVE-2018-10585 RESERVED CVE-2018-10584 RESERVED CVE-2018-10583 (An information disclosure vulnerability occurs when LibreOffice 6.0.3 ...) - libreoffice (unimportant) NOTE: http://secureyourit.co.uk/wp/2018/05/01/creating-malicious-odt-files/ NOTE: This is the generic behaviour of accessing remote SMB shares and not limited to NOTE: Libreoffice. This can e.g. be addressed by rejecting outgoing SMB connections NOTE: from the local network NOTE: The following commit adds this class of access to the list of trusted locations: NOTE: https://cgit.freedesktop.org/libreoffice/core/commit/?id=0b7f4a4f57117fde33d0b1df96134aa6ccce023e CVE-2018-10582 RESERVED CVE-2018-10581 (In Octopus Deploy 3.4.x before 2018.4.7, an authenticated user is able ...) NOT-FOR-US: Octopus Deploy CVE-2018-10580 (The "Latest Posts on Profile" plugin 1.1 for MyBB has XSS because ther ...) NOT-FOR-US: "Latest Posts on Profile" plugin for MyBB CVE-2018-10579 RESERVED CVE-2018-10578 (An issue was discovered on WatchGuard AP100, AP102, and AP200 devices ...) NOT-FOR-US: WatchGuard AP100, AP102, and AP200 devices CVE-2018-10577 (An issue was discovered on WatchGuard AP100, AP102, and AP200 devices ...) NOT-FOR-US: WatchGuard AP100, AP102, and AP200 devices CVE-2018-10576 (An issue was discovered on WatchGuard AP100, AP102, and AP200 devices ...) NOT-FOR-US: WatchGuard devices CVE-2018-10575 (An issue was discovered on WatchGuard AP100, AP102, and AP200 devices ...) NOT-FOR-US: WatchGuard devices CVE-2018-10574 (site/index.php/admin/trees/add/ in BigTree 4.2.22 and earlier allows r ...) NOT-FOR-US: BigTree CMS CVE-2018-1000172 (Imagely NextGEN Gallery version 2.2.30 and earlier contains a Cross Si ...) NOT-FOR-US: Imagely NextGEN Gallery CVE-2018-10573 (interface/fax/fax_dispatch.php in OpenEMR before 5.0.1 allows remote a ...) NOT-FOR-US: OpenEMR CVE-2018-10572 (interface/patient_file/letter.php in OpenEMR before 5.0.1 allows remot ...) NOT-FOR-US: OpenEMR CVE-2018-10571 (Multiple reflected cross-site scripting (XSS) vulnerabilities in OpenE ...) NOT-FOR-US: OpenEMR CVE-2018-10570 (Frog CMS 0.9.5 has XSS in /install/index.php via the ['config']['admin ...) NOT-FOR-US: Frog CMS CVE-2018-10569 (An issue was discovered in Edimax EW-7438RPn Mini v2 before version 1. ...) NOT-FOR-US: Edimax EW-7438RPn Mini v2 CVE-2018-10568 (XSS exists in Flexense DiskSorter Enterprise from v9.5.12 to v10.7. ...) NOT-FOR-US: Flexense DiskSorter Enterprise CVE-2018-10567 (XSS exists in Flexense VX Search Enterprise from v10.1.12 to v10.7. ...) NOT-FOR-US: Flexense VX Search Enterprise CVE-2018-10566 (XSS exists in Flexense DupScout Enterprise from v10.0.18 to v10.7. ...) NOT-FOR-US: Flexense DupScout Enterprise CVE-2018-10565 (XSS exists in Flexense DiskSavvy Enterprise from v10.4 to v10.7. ...) NOT-FOR-US: Flexense DiskSavvy Enterprise CVE-2018-10564 (XSS exists in Flexense DiskPulse Enterprise from v10.4 to v10.7. ...) NOT-FOR-US: Flexense DiskPulse Enterprise CVE-2018-10563 (An XSS in Flexense SyncBreeze affects all versions (tested from SyncBr ...) NOT-FOR-US: Flexense SyncBreeze CVE-2018-10562 (An issue was discovered on Dasan GPON home routers. Command Injection ...) NOT-FOR-US: Dasan GPON home routers CVE-2018-10561 (An issue was discovered on Dasan GPON home routers. It is possible to ...) NOT-FOR-US: Dasan GPON home routers CVE-2018-10560 RESERVED CVE-2018-10559 RESERVED CVE-2018-10558 RESERVED CVE-2018-10557 RESERVED CVE-2018-10556 RESERVED CVE-2018-10555 RESERVED CVE-2018-10554 (An issue was discovered in Nagios XI 5.4.13. There is XSS exploitable ...) NOT-FOR-US: Nagios XI CVE-2018-10553 (An issue was discovered in Nagios XI 5.4.13. A registered user is able ...) NOT-FOR-US: Nagios XI CVE-2018-10552 RESERVED CVE-2018-10551 RESERVED CVE-2018-10550 (In Octopus Deploy before 2018.4.7, target and tenant tag variable scop ...) NOT-FOR-US: Octopus Deploy CVE-2018-10549 (An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1 ...) {DSA-4240-1 DLA-1397-1} - php7.2 7.2.8-1 - php7.1 7.1.19-1 - php7.0 7.0.30-1 - php5 [wheezy] - php5 (vulnerable code is not present) NOTE: Fixed in 5.6.36, 7.0.30, 7.1.17, 7.2.5 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=76130 CVE-2018-10548 (An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1 ...) {DSA-4240-1 DLA-1397-1 DLA-1373-1} - php7.2 7.2.8-1 - php7.1 7.1.19-1 - php7.0 7.0.30-1 - php5 NOTE: Fixed in 5.6.36, 7.0.30, 7.1.17, 7.2.5 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=76248 CVE-2018-10547 (An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36 ...) {DSA-4240-1 DLA-1397-1 DLA-1373-1} - php7.2 7.2.8-1 - php7.1 7.1.19-1 - php7.0 7.0.30-1 - php5 NOTE: Fixed in 5.6.36, 7.0.30, 7.1.17, 7.2.5 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=76129 CVE-2018-10546 (An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1 ...) {DSA-4240-1 DLA-1397-1} - php7.2 7.2.8-1 - php7.1 7.1.19-1 - php7.0 7.0.30-1 - php5 [wheezy] - php5 (does not cause an infinite loop) NOTE: Fixed in 5.6.36, 7.0.30, 7.1.17, 7.2.5 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=76249 CVE-2018-10545 (An issue was discovered in PHP before 5.6.35, 7.0.x before 7.0.29, 7.1 ...) {DSA-4240-1 DLA-1397-1 DLA-1373-1} - php7.2 7.2.4-1 - php7.1 7.1.16-1 - php7.0 7.0.29-1 - php5 NOTE: Fixed in 5.6.35, 7.0.29, 7.1.16, 7.2.4 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=75605 CVE-2018-10544 (Meross MSS110 devices through 1.1.24 contain an unauthenticated admin. ...) NOT-FOR-US: Meross MSS110 CVE-2018-10543 RESERVED CVE-2018-10542 RESERVED CVE-2018-10541 RESERVED CVE-2018-10540 (An issue was discovered in WavPack 5.1.0 and earlier for W64 input. Ou ...) {DSA-4197-1} - wavpack 5.1.0-3 (bug #897271) [jessie] - wavpack (Vulnerable code not present, introduced in 5.0.0) [wheezy] - wavpack (Vulnerable code not present, introduced in 5.0.0) NOTE: https://github.com/dbry/WavPack/commit/6f8bb34c2993a48ab9afbe353e6d0cff7c8d821d NOTE: https://github.com/dbry/WavPack/issues/33 CVE-2018-10539 (An issue was discovered in WavPack 5.1.0 and earlier for DSDiff input. ...) {DSA-4197-1} - wavpack 5.1.0-3 (bug #897271) [jessie] - wavpack (Vulnerable code not present, introduced in 5.0.0) [wheezy] - wavpack (Vulnerable code not present, introduced in 5.0.0) NOTE: https://github.com/dbry/WavPack/commit/6f8bb34c2993a48ab9afbe353e6d0cff7c8d821d NOTE: https://github.com/dbry/WavPack/issues/33 CVE-2018-10538 (An issue was discovered in WavPack 5.1.0 and earlier for WAV input. Ou ...) {DSA-4197-1} - wavpack 5.1.0-3 (bug #897271) [jessie] - wavpack (Vulnerable code not present, introduced in 5.0.0) [wheezy] - wavpack (Vulnerable code not present, introduced in 5.0.0) NOTE: https://github.com/dbry/WavPack/commit/6f8bb34c2993a48ab9afbe353e6d0cff7c8d821d NOTE: https://github.com/dbry/WavPack/issues/33 CVE-2018-10537 (An issue was discovered in WavPack 5.1.0 and earlier. The W64 parser c ...) {DSA-4197-1} - wavpack 5.1.0-3 (bug #897271) [jessie] - wavpack (Vulnerable code not present, introduced in 5.0.0) [wheezy] - wavpack (Vulnerable code not present, introduced in 5.0.0) NOTE: https://github.com/dbry/WavPack/commit/26cb47f99d481ad9b93eeff80d26e6b63bbd7e15 NOTE: https://github.com/dbry/WavPack/issues/30 NOTE: https://github.com/dbry/WavPack/issues/31 NOTE: https://github.com/dbry/WavPack/issues/32 CVE-2018-10536 (An issue was discovered in WavPack 5.1.0 and earlier. The WAV parser c ...) {DSA-4197-1} - wavpack 5.1.0-3 (bug #897271) [jessie] - wavpack (Vulnerable code not present, introduced in 5.0.0) [wheezy] - wavpack (Vulnerable code not present, introduced in 5.0.0) NOTE: https://github.com/dbry/WavPack/commit/26cb47f99d481ad9b93eeff80d26e6b63bbd7e15 NOTE: https://github.com/dbry/WavPack/issues/30 NOTE: https://github.com/dbry/WavPack/issues/31 NOTE: https://github.com/dbry/WavPack/issues/32 CVE-2018-10535 (The ignore_section_sym function in elf.c in the Binary File Descriptor ...) - binutils 2.30.90.20180627-1 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23113 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=db0c309f4011ca94a4abc8458e27f3734dab92ac CVE-2018-10534 (The _bfd_XX_bfd_copy_private_bfd_data_common function in peXXigen.c in ...) - binutils 2.30.90.20180627-1 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23110 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aa4a8c2a2a67545e90c877162c53cc9de42dc8b4 CVE-2018-10533 RESERVED CVE-2018-10532 (An issue was discovered on EE 4GEE HH70VB-2BE8GB3 HH70_E1_02.00_19 dev ...) NOT-FOR-US: EE 4GEE HH70VB-2BE8GB3s CVE-2018-10531 (An issue was discovered in the America's Army Proving Grounds platform ...) NOT-FOR-US: America's Army Proving Grounds CVE-2018-10530 RESERVED CVE-2018-10529 (An issue was discovered in LibRaw 0.18.9. There is an out-of-bounds re ...) - libraw 0.18.11-1 (low; bug #897186) [stretch] - libraw (Minor issue) [jessie] - libraw (Minor issue) [wheezy] - libraw (Minor issue) NOTE: https://github.com/LibRaw/LibRaw/commit/f0c505a3e5d47989a5f69be2d0d4f250af6b1a6c NOTE: https://github.com/LibRaw/LibRaw/issues/144 CVE-2018-10528 (An issue was discovered in LibRaw 0.18.9. There is a stack-based buffe ...) - libraw 0.18.11-1 (low; bug #897185) [stretch] - libraw (Minor issue) [jessie] - libraw (Minor issue) [wheezy] - libraw (Minor issue) NOTE: https://github.com/LibRaw/LibRaw/commit/895529fc2f2eb8bc633edd6b04b5b237eb4db564 NOTE: https://github.com/LibRaw/LibRaw/issues/144 CVE-2018-10527 (EasyCMS 1.3 is prone to Stored XSS when posting an article; four field ...) NOT-FOR-US: EasyCMS CVE-2018-10526 RESERVED CVE-2018-10525 RESERVED CVE-2017-18264 (An issue was discovered in libraries/common.inc.php in phpMyAdmin 4.0 ...) {DLA-1415-1} - phpmyadmin 4:4.6.6-2 NOTE: https://www.phpmyadmin.net/security/PMASA-2017-8/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/7232271a379396ca1d4b083af051262057003c41 (4.7-branch) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/b6ca92cc75c8a16001425be7881e73430bcc35b8 (4.0-branch) NOTE: If the issue is triggerable depends as well on the used PHP version. CVE-2017-18263 (Seagate Media Server in Seagate Personal Cloud before 4.3.18.4 has dir ...) NOT-FOR-US: Seagate CVE-2018-10524 RESERVED CVE-2018-10523 (CMS Made Simple (CMSMS) through 2.2.7 contains a physical path leakage ...) NOT-FOR-US: CMS Made Simple CVE-2018-10522 (In CMS Made Simple (CMSMS) through 2.2.7, the "file view" operation in ...) NOT-FOR-US: CMS Made Simple CVE-2018-10521 (In CMS Made Simple (CMSMS) through 2.2.7, the "file move" operation in ...) NOT-FOR-US: CMS Made Simple CVE-2018-10520 (In CMS Made Simple (CMSMS) through 2.2.7, the "module remove" operatio ...) NOT-FOR-US: CMS Made Simple CVE-2018-10519 (CMS Made Simple (CMSMS) 2.2.7 contains a privilege escalation vulnerab ...) NOT-FOR-US: CMS Made Simple CVE-2018-10518 (In CMS Made Simple (CMSMS) through 2.2.7, the "file delete" operation ...) NOT-FOR-US: CMS Made Simple CVE-2018-10517 (In CMS Made Simple (CMSMS) through 2.2.7, the "module import" operatio ...) NOT-FOR-US: CMS Made Simple CVE-2018-10516 (In CMS Made Simple (CMSMS) through 2.2.7, the "file rename" operation ...) NOT-FOR-US: CMS Made Simple CVE-2018-10515 (In CMS Made Simple (CMSMS) through 2.2.7, the "file unpack" operation ...) NOT-FOR-US: CMS Made Simple CVE-2018-10514 (A Missing Impersonation Privilege Escalation vulnerability in Trend Mi ...) NOT-FOR-US: Trend Micro CVE-2018-10513 (A Deserialization of Untrusted Data Privilege Escalation vulnerability ...) NOT-FOR-US: Trend Micro CVE-2018-10512 (A vulnerability in Trend Micro Control Manager (versions 6.0 and 7.0) ...) NOT-FOR-US: Trend Micro CVE-2018-10511 (A vulnerability in Trend Micro Control Manager (versions 6.0 and 7.0) ...) NOT-FOR-US: Trend Micro CVE-2018-10510 (A Directory Traversal Remote Code Execution vulnerability in Trend Mic ...) NOT-FOR-US: Trend Micro CVE-2018-10509 (A vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG could allow ...) NOT-FOR-US: Trend Micro CVE-2018-10508 (A vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG could allow ...) NOT-FOR-US: Trend Micro CVE-2018-10507 (A vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG could allow ...) NOT-FOR-US: Trend Micro CVE-2018-10506 (A out-of-bounds read information disclosure vulnerability in Trend Mic ...) NOT-FOR-US: Trend Micro CVE-2018-10505 (A pool corruption privilege escalation vulnerability in Trend Micro Of ...) NOT-FOR-US: Trend Micro CVE-2018-10504 (The WebDorado "Form Maker by WD" plugin before 1.12.24 for WordPress a ...) NOT-FOR-US: Wordpress plugin CVE-2018-10503 (An issue was discovered in index.php in baijiacms V4 v4_1_4_20170105. ...) NOT-FOR-US: baijiacms CVE-2018-10502 (This vulnerability allows local attackers to escalate privileges on vu ...) NOT-FOR-US: Samsung Galaxy Apps Fixed CVE-2018-10501 (This vulnerability allows local attackers to escalate privileges on vu ...) NOT-FOR-US: Samsung Notes Fixed CVE-2018-10500 (This vulnerability allows local attackers to escalate privileges on vu ...) NOT-FOR-US: Samsung Galaxy Apps CVE-2018-10499 (This vulnerability allows local attackers to execute arbitrary code on ...) NOT-FOR-US: Samsung Galaxy Apps CVE-2018-10498 (This vulnerability allows local attackers to disclose sensitive inform ...) NOT-FOR-US: Samsung Email Fixed CVE-2018-10497 (This vulnerability allows local attackers to escalate privileges on vu ...) NOT-FOR-US: Samsung Email Fixed CVE-2018-10496 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Samsung Internet Browser Fixed CVE-2018-10495 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-10494 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-10493 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-10492 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-10491 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-10490 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-10489 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-10488 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-10487 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-10486 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-10485 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-10484 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-10483 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-10482 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-10481 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-10480 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-10479 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-10478 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-10477 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-10476 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-10475 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-10474 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-10473 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-10470 (Little Snitch versions 4.0 to 4.0.6 use the SecStaticCodeCheckValidity ...) NOT-FOR-US: Little Snitch CVE-2018-10469 (b3log Symphony (aka Sym) 2.6.0 allows remote attackers to upload and e ...) NOT-FOR-US: b3log Symphony (aka Sym) CVE-2018-10468 (The transferFrom function of a smart contract implementation for Usele ...) NOT-FOR-US: Ethereum CVE-2018-10467 RESERVED CVE-2018-10466 (Zoho ManageEngine ADAudit Plus before 5.0.0 build 5100 allows blind SQ ...) NOT-FOR-US: Zoho CVE-2018-10465 (Jamf Pro 10.x before 10.3.0 has Incorrect Access Control. Jamf Pro use ...) NOT-FOR-US: Jamf Pro CVE-2018-10464 RESERVED CVE-2018-10463 RESERVED CVE-2018-10462 RESERVED CVE-2018-10461 RESERVED CVE-2018-10460 RESERVED CVE-2018-10459 RESERVED CVE-2018-10458 RESERVED CVE-2018-10457 RESERVED CVE-2018-10456 RESERVED CVE-2018-10455 RESERVED CVE-2018-10454 RESERVED CVE-2018-10453 RESERVED CVE-2018-10452 RESERVED CVE-2018-10451 RESERVED CVE-2018-10450 RESERVED CVE-2018-10449 RESERVED CVE-2018-10448 RESERVED CVE-2018-10447 RESERVED CVE-2018-10446 RESERVED CVE-2018-10445 RESERVED CVE-2018-10444 RESERVED CVE-2018-10443 RESERVED CVE-2018-10442 RESERVED CVE-2018-10441 RESERVED CVE-2018-10440 RESERVED CVE-2018-10439 RESERVED CVE-2018-10438 RESERVED CVE-2018-10437 RESERVED CVE-2018-10436 RESERVED CVE-2018-10435 RESERVED CVE-2018-10434 RESERVED CVE-2018-10433 RESERVED CVE-2017-18262 (Blackboard Learn (Since at least 17th of October 2017) has allowed Unv ...) NOT-FOR-US: Blackboard Learn CVE-2018-10471 (An issue was discovered in Xen through 4.10.x allowing x86 PV guest OS ...) {DSA-4201-1 DLA-1549-1} - xen 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u6 [wheezy] - xen (Regression for XSA-254 which was not applied in wheezy) NOTE: https://xenbits.xen.org/xsa/advisory-259.html CVE-2018-10472 (An issue was discovered in Xen through 4.10.x allowing x86 HVM guest O ...) {DSA-4201-1 DLA-1559-1} - xen 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u6 [wheezy] - xen (No QMP support in wheezy) NOTE: https://xenbits.xen.org/xsa/advisory-258.html CVE-2018-10432 RESERVED CVE-2018-10431 (D-Link DIR-615 2.5.17 devices allow Remote Code Execution via shell me ...) NOT-FOR-US: D-Link CVE-2018-10430 (An issue was discovered in DiliCMS (aka DiligentCMS) 2.4.0. There is a ...) NOT-FOR-US: DiliCMS CVE-2018-10429 (Cosmo 1.0.0Beta6 allows attackers to execute arbitrary PHP code via th ...) NOT-FOR-US: Cosmo CVE-2018-10428 (ILIAS before 5.1.26, 5.2.x before 5.2.15, and 5.3.x before 5.3.4, due ...) NOT-FOR-US: ILIAS CVE-2018-10427 RESERVED CVE-2018-10426 RESERVED CVE-2018-10425 (An issue was discovered in Shanghai 2345 Security Guard 3.7.0. 2345MPC ...) NOT-FOR-US: Shanghai 2345 Security Guard CVE-2018-10424 (mc-admin/post-edit.php in MiniCMS 1.10 allows full path disclosure via ...) NOT-FOR-US: MiniCMS CVE-2018-10423 (mc-admin/post.php in MiniCMS 1.10 allows remote attackers to obtain a ...) NOT-FOR-US: MiniCMS CVE-2018-10422 (An issue was discovered in HongCMS 3.0.0. The post news feature has St ...) NOT-FOR-US: HongCMS CVE-2018-10421 RESERVED CVE-2018-10420 RESERVED CVE-2018-10419 RESERVED CVE-2018-10418 RESERVED CVE-2018-10417 RESERVED CVE-2018-10416 RESERVED CVE-2018-10415 RESERVED CVE-2018-10414 RESERVED CVE-2018-10413 RESERVED CVE-2018-10412 RESERVED CVE-2018-10411 RESERVED CVE-2018-10410 RESERVED CVE-2018-10409 RESERVED CVE-2018-10408 (An issue was discovered in VirusTotal. A maliciously crafted Universal ...) NOT-FOR-US: VirusTotal CVE-2018-10407 (An issue was discovered in Carbon Black Cb Response. A maliciously cra ...) NOT-FOR-US: Carbon Black Cb Response CVE-2018-10406 (An issue was discovered in Yelp OSXCollector. A maliciously crafted Un ...) NOT-FOR-US: Yelp OSXCollector CVE-2018-10405 (An issue was discovered in Google Santa and molcodesignchecker. A mali ...) NOT-FOR-US: Google Santa and molcodesignchecker CVE-2018-10404 (An issue was discovered in Objective-See KnockKnock, LuLu, TaskExplore ...) NOT-FOR-US: Objective-See KnockKnock, LuLu, TaskExplorer, WhatsYourSign, and procInfo CVE-2018-10403 (An issue was discovered in F-Secure XFENCE and Little Flocker. A malic ...) NOT-FOR-US: F-Secure XFENCE and Little Flocker CVE-2018-10402 RESERVED CVE-2018-10401 RESERVED CVE-2018-10400 RESERVED CVE-2018-10399 RESERVED CVE-2018-10398 RESERVED CVE-2018-10397 RESERVED CVE-2018-10396 RESERVED CVE-2018-10395 RESERVED CVE-2018-10394 RESERVED CVE-2018-10393 (bark_noise_hybridmp in psy.c in Xiph.Org libvorbis 1.3.6 has a stack-b ...) {DLA-2013-1} - libvorbis 1.3.6-2 (bug #876780) [stretch] - libvorbis (Minor issue) [wheezy] - libvorbis (Minor issue) NOTE: https://gitlab.xiph.org/xiph/vorbis/issues/2334 NOTE: Fixed by: https://gitlab.xiph.org/xiph/vorbis/commit/018ca26dece618457dd13585cad52941193c4a25 NOTE: Same patch as for CVE-2017-14160 CVE-2018-10392 (mapping0_forward in mapping0.c in Xiph.Org libvorbis 1.3.6 does not va ...) {DLA-2013-1} - libvorbis 1.3.6-2 (bug #876780) [stretch] - libvorbis (Minor issue) [wheezy] - libvorbis (Minor issue) NOTE: https://gitlab.xiph.org/xiph/vorbis/issues/2335 NOTE: Fixed by: https://gitlab.xiph.org/xiph/vorbis/commit/112d3bd0aaacad51305e1464d4b381dabad0e88b CVE-2018-10391 (An issue was discovered in WUZHI CMS 4.1.0. There is XSS via the email ...) NOT-FOR-US: WUZHI CMS CVE-2018-10390 RESERVED CVE-2018-10389 (Format string vulnerability in the logMess function in TFTP Server MT ...) NOT-FOR-US: TFTP Server SP CVE-2018-10388 (Format string vulnerability in the logMess function in TFTP Server SP ...) NOT-FOR-US: TFTP Server SP CVE-2018-10387 (Heap-based overflow vulnerability in TFTP Server SP 1.66 and earlier a ...) NOT-FOR-US: TFTP Server SP CVE-2018-10386 RESERVED CVE-2018-10385 RESERVED CVE-2018-10384 RESERVED CVE-2018-10383 (Lantronix SecureLinx Spider (SLS) 2.2+ devices have XSS in the auth.as ...) NOT-FOR-US: Lantronix SecureLinx Spider CVE-2018-10382 (MODX Revolution 2.6.3 has XSS. ...) NOT-FOR-US: MODX Revolution CVE-2018-10381 (TunnelBear 3.2.0.6 for Windows suffers from a SYSTEM privilege escalat ...) NOT-FOR-US: TunnelBear for Windows CVE-2018-10380 (kwallet-pam in KDE KWallet before 5.12.6 allows local users to obtain ...) {DSA-4200-1} - kwallet-pam 5.12.1-2 NOTE: https://www.kde.org/info/security/advisory-20180503-1.txt NOTE: https://commits.kde.org/kwallet-pam/2134dec85ce19d6378d03cddfae9e5e464cb24c0 (Plasma 5.12) NOTE: https://commits.kde.org/kwallet-pam/01d4143fda5bddb6dca37b23304dc239a5fb38b5 (Plasma 5.12) NOTE: https://commits.kde.org/kwallet-pam/99abc7fde21f40cc6da5feb6ee766cc46fcca1f8 (Plasma 5.8) NOTE: https://commits.kde.org/kwallet-pam/802f305d81f8771c4f4a8bd7fd0e368ffc6f9b3b (Plasma 5.8) CVE-2018-10379 (An issue was discovered in GitLab Community Edition (CE) and Enterpris ...) - gitlab 10.6.5+dfsg-1 [stretch] - gitlab (Vulnerable code introduced in 9.5) NOTE: https://about.gitlab.com/2018/04/30/security-release-gitlab-10-dot-7-dot-2-released/ CVE-2018-10378 RESERVED CVE-2018-10377 (PortSwigger Burp Suite before 1.7.34 has Improper Certificate Validati ...) NOT-FOR-US: PortSwigger Burp Suite CVE-2018-10376 (An integer overflow in the transferProxy function of a smart contract ...) NOT-FOR-US: SmartMesh token CVE-2018-10375 (A file uploading vulnerability exists in /include/helpers/upload.helpe ...) NOT-FOR-US: DedeCMS CVE-2018-10374 (EasyCMS 1.3 has XSS via the s POST parameter (aka a search box value) ...) NOT-FOR-US: EasyCMS CVE-2018-10373 (concat_filename in dwarf2.c in the Binary File Descriptor (BFD) librar ...) - binutils 2.30.90.20180627-1 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23065 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6327533b1fd29fa86f6bf34e61c332c010e3c689 CVE-2018-10372 (process_cu_tu_index in dwarf.c in GNU Binutils 2.30 allows remote atta ...) - binutils 2.30.90.20180627-1 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23064 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6aea08d9f3e3d6475a65454da488a0c51f5dc97d CVE-2018-10371 (An issue was discovered in the wunderfarm WF Cookie Consent plugin 1.1 ...) NOT-FOR-US: wunderfarm WF Cookie Consent plugin for WordPress CVE-2018-1000178 (A heap corruption of type CWE-120 exists in quassel version 0.12.4 in ...) {DSA-4189-1 DLA-1370-1} - quassel 1:0.12.5-1 (bug #896914) NOTE: https://github.com/quassel/quassel/commit/2b777e99fc9f74d4ed21491710260664a1721d1f (master) NOTE: https://github.com/quassel/quassel/commit/18389a713a6810f57ab237b945e8ee03df857b8b (0.12) NOTE: http://www.openwall.com/lists/oss-security/2018/04/27/1 CVE-2018-1000179 (A NULL Pointer Dereference of CWE-476 exists in quassel version 0.12.4 ...) {DSA-4189-1} - quassel 1:0.12.5-1 (bug #896915) [wheezy] - quassel (Minor issue) NOTE: https://github.com/quassel/quassel/commit/e17fca767d60c06ca02bc5898ced04f06d3670bd (master) NOTE: https://github.com/quassel/quassel/commit/08bace4e9ecf08273f094c0c6aa8b3363d38ac3e (0.12) NOTE: http://www.openwall.com/lists/oss-security/2018/04/27/1 CVE-2018-10370 RESERVED CVE-2018-10369 (A Cross-site scripting (XSS) vulnerability was discovered on Intelbras ...) NOT-FOR-US: Intelbras Win devices CVE-2018-10368 (An issue was discovered in WUZHI CMS 4.1.0. The "Extension Module -> ...) NOT-FOR-US: WUZHI CMS CVE-2018-10367 (An issue was discovered in WUZHI CMS 4.1.0. The content-management fea ...) NOT-FOR-US: WUZHI CMS CVE-2018-10366 (An issue was discovered in the Users (aka Front-end user management) p ...) NOT-FOR-US: Users (aka Front-end user management) plugin for October CMS CVE-2018-10365 (An XSS issue was discovered in the Threads to Link plugin 1.3 for MyBB ...) NOT-FOR-US: Threads to Link plugin for MyBB CVE-2018-10364 (BigTree before 4.2.22 has XSS in the Users management page via the nam ...) NOT-FOR-US: BigTree CMS CVE-2018-10363 (An issue was discovered in the WpDevArt "Booking calendar, Appointment ...) NOT-FOR-US: WpDevArt "Booking calendar, Appointment Booking System" plugin for WordPress CVE-2018-10360 (The do_core_note function in readelf.c in libmagic.a in file 5.33 allo ...) - file 1:5.33-3 (bug #901351) [stretch] - file 1:5.30-1+deb9u2 [jessie] - file 1:5.22+15-2+deb8u4 NOTE: https://github.com/file/file/commit/a642587a9c9e2dd7feacdf513c3643ce26ad3c22 CVE-2018-10359 (A pool corruption privilege escalation vulnerability in Trend Micro Of ...) NOT-FOR-US: Trend Micro CVE-2018-10358 (A pool corruption privilege escalation vulnerability in Trend Micro Of ...) NOT-FOR-US: Trend Micro CVE-2018-10357 (A directory traversal vulnerability in Trend Micro Endpoint Applicatio ...) NOT-FOR-US: Trend Micro CVE-2018-10356 (A SQL injection remote code execution vulnerability in Trend Micro Ema ...) NOT-FOR-US: Trend Micro CVE-2018-10355 (An authentication weakness vulnerability in Trend Micro Email Encrypti ...) NOT-FOR-US: Trend Micro CVE-2018-10354 (A command injection remote command execution vulnerability in Trend Mi ...) NOT-FOR-US: Trend Micro CVE-2018-10353 (A SQL injection information disclosure vulnerability in Trend Micro Em ...) NOT-FOR-US: Trend Micro CVE-2018-10352 (A vulnerability in Trend Micro Email Encryption Gateway 5.5 could allo ...) NOT-FOR-US: Trend Micro CVE-2018-10351 (A vulnerability in Trend Micro Email Encryption Gateway 5.5 could allo ...) NOT-FOR-US: Trend Micro CVE-2018-10350 (A SQL injection remote code execution vulnerability in Trend Micro Sma ...) NOT-FOR-US: Trend Micro CVE-2018-10349 RESERVED CVE-2018-10348 RESERVED CVE-2018-10347 RESERVED CVE-2018-10346 RESERVED CVE-2018-10345 RESERVED CVE-2018-10344 RESERVED CVE-2018-10343 RESERVED CVE-2018-10342 RESERVED CVE-2018-10341 RESERVED CVE-2018-10340 RESERVED CVE-2018-10339 RESERVED CVE-2018-10338 RESERVED CVE-2018-10337 RESERVED CVE-2018-10336 RESERVED CVE-2018-10335 RESERVED CVE-2018-10334 RESERVED CVE-2018-10333 RESERVED CVE-2018-10332 RESERVED CVE-2018-10331 RESERVED CVE-2018-10330 RESERVED CVE-2018-10361 (An issue was discovered in KTextEditor 5.34.0 through 5.45.0. Insecure ...) - ktexteditor 5.47.0-1 (bug #896836) [stretch] - ktexteditor (Introduced in 5.34.0) NOTE: http://www.openwall.com/lists/oss-security/2018/04/24/1 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1033055 NOTE: https://phabricator.kde.org/R39:c81af5aa1d4f6e0f8c44b2e85ca007ba2a1e4590 CVE-2018-10329 (app/tools/mac-lookup/index.php in phpIPAM 1.3.1 has Reflected XSS on / ...) - phpipam (bug #731713) NOTE: https://github.com/phpipam/phpipam/issues/1903 CVE-2018-10328 (Momentum Axel 720P 5.1.8 devices have a hardcoded password of streamin ...) NOT-FOR-US: Momentum Axel 720P 5.1.8 devices CVE-2018-10327 (PrinterOn Enterprise 4.1.3 stores the Active Directory bind credential ...) NOT-FOR-US: PrinterOn Enterprise CVE-2018-10326 (PrinterOn Enterprise 4.1.3 suffers from multiple authenticated stored ...) NOT-FOR-US: PrinterOn Enterprise CVE-2018-10325 RESERVED CVE-2018-10324 RESERVED CVE-2018-10323 (The xfs_bmap_extents_to_btree function in fs/xfs/libxfs/xfs_bmap.c in ...) {DSA-4188-1 DLA-1529-1} - linux 4.16.5-1 [wheezy] - linux (Too much work to backport) NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199423 CVE-2018-10322 (The xfs_dinode_verify function in fs/xfs/libxfs/xfs_inode_buf.c in the ...) - linux 4.16.5-1 [jessie] - linux (dinode verifier not implemented) [wheezy] - linux (dinode verifier not implemented) - linux-4.9 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199377 CVE-2018-10321 (Frog CMS 0.9.5 has a stored Cross Site Scripting Vulnerability via "Ad ...) NOT-FOR-US: Frog CMS CVE-2018-10320 (Frog CMS 0.9.5 has XSS via the admin/?/layout/edit layout[name] parame ...) NOT-FOR-US: Frog CMS CVE-2018-10319 (Frog CMS 0.9.5 has XSS via the admin/?/snippet/edit snippet[name] para ...) NOT-FOR-US: Frog CMS CVE-2018-10318 (Frog CMS 0.9.5 has XSS via the admin/?/page/edit page[keywords] parame ...) NOT-FOR-US: Frog CMS CVE-2018-10317 RESERVED CVE-2018-10316 (Netwide Assembler (NASM) 2.14rc0 has an endless while loop in the asse ...) - nasm 2.14-1 (unimportant) NOTE: No security impact NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392474 NOTE: https://github.com/netwide-assembler/nasm/commit/f0ceb1e122dc3523123dd8dfd6113f2e68451452 CVE-2018-10315 RESERVED CVE-2018-10314 (Cross-site scripting (XSS) vulnerability in Open-AudIT Community 2.2.0 ...) NOT-FOR-US: Open-AudIT Community CVE-2018-10313 (WUZHI CMS 4.1.0 allows persistent XSS via the form%5Bqq_10%5D paramete ...) NOT-FOR-US: WUZHI CMS CVE-2018-10312 (index.php?m=member&v=pw_reset in WUZHI CMS 4.1.0 allows CSRF to ch ...) NOT-FOR-US: WUZHI CMS CVE-2018-10311 (A vulnerability was discovered in WUZHI CMS 4.1.0. There is persistent ...) NOT-FOR-US: WUZHI CMS CVE-2018-10310 (A persistent cross-site scripting vulnerability has been identified in ...) NOT-FOR-US: web interface of the Catapult UK Cookie Consent plugin for WordPress CVE-2018-10309 (The Responsive Cookie Consent plugin before 1.8 for WordPress mishandl ...) NOT-FOR-US: Responsive Cookie Consent plugin for WordPress CVE-2018-10308 RESERVED CVE-2018-10307 (error.php in ILIAS 5.2.x through 5.3.x before 5.3.4 allows XSS via the ...) NOT-FOR-US: ILIAS CVE-2018-10306 (Services/Form/classes/class.ilDateDurationInputGUI.php and Services/Fo ...) NOT-FOR-US: ILIAS CVE-2018-10305 (The MessageSearch2 function in PersonalMessage.php in Simple Machines ...) NOT-FOR-US: Simple Machines Forum CVE-2018-10304 RESERVED CVE-2018-10303 (A use-after-free in Foxit Reader before 9.1 and PhantomPDF before 9.1 ...) NOT-FOR-US: Foxit Reader CVE-2018-10302 (A use-after-free in Foxit Reader before 9.1 and PhantomPDF before 9.1 ...) NOT-FOR-US: Foxit Reader CVE-2018-10362 (An issue was discovered in phpLiteAdmin 1.9.5 through 1.9.7.1. Due to ...) - phpliteadmin 1.9.7.1-2 (bug #896682) NOTE: https://github.com/phpLiteAdmin/pla/issues/11 NOTE: Fixed by: https://github.com/phpLiteAdmin/pla/commit/41545fe058e674a983f557bff13787df53167274 CVE-2018-10301 (Cross-site scripting (XSS) vulnerability in the Web-Dorado Instagram F ...) NOT-FOR-US: Web-Dorado Instagram Feed WD plugin Premium for WordPress CVE-2018-10300 (Cross-site scripting (XSS) vulnerability in the Web-Dorado Instagram F ...) NOT-FOR-US: Web-Dorado Instagram Feed WD plugin for WordPress CVE-2018-10299 (An integer overflow in the batchTransfer function of a smart contract ...) NOT-FOR-US: Beauty Chain CVE-2018-10298 (Discuz! DiscuzX through X3.4 has reflected XSS via forum.php?mod=post& ...) NOT-FOR-US: DiscuzX CVE-2018-10297 (Discuz! DiscuzX through X3.4 has stored XSS via the portal.php?mod=por ...) NOT-FOR-US: DiscuzX CVE-2018-10296 (MiniCMS V1.10 has XSS via the mc-admin/post-edit.php title parameter. ...) NOT-FOR-US: MiniCMS CVE-2018-10295 (ChemCMS v1.0.6 has CSRF by using public/admin/user/addpost.html to add ...) NOT-FOR-US: ChemCMS CVE-2018-10294 (Flexense DiskBoss Enterprise v7.4.28 to v9.1.16 has XSS. ...) NOT-FOR-US: Flexense DiskBoss Enterprise CVE-2018-10293 RESERVED CVE-2018-10292 RESERVED CVE-2018-10291 RESERVED CVE-2018-10290 RESERVED CVE-2018-10289 (In MuPDF 1.13.0, there is an infinite loop in the fz_skip_space functi ...) - mupdf 1.13.0+ds1-3 (unimportant; bug #896545) [jessie] - mupdf (Vulnerable code introduced later) [wheezy] - mupdf (Vulnerable code introduced later) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699271 NOTE: Introduced in http://git.ghostscript.com/?p=mupdf.git;a=commit;h=1acaaf2b40614401378aa697de47093be9f390fe (1.8) CVE-2018-10288 RESERVED CVE-2018-10287 RESERVED CVE-2018-10286 (The Ericsson-LG iPECS NMS A.1Ac web application discloses sensitive in ...) NOT-FOR-US: Ericsson-LG iPECS NMS A.1Ac web application CVE-2018-10285 (The Ericsson-LG iPECS NMS A.1Ac web application uses incorrect access ...) NOT-FOR-US: Ericsson-LG iPECS NMS A.1Ac web application CVE-2018-10284 (Adaltech G-Ticket v70 EME104 has SQL Injection via the mobile-loja/men ...) NOT-FOR-US: Adaltech G-Ticket v70 EME104 CVE-2018-10283 (CliqueMania loja virtual 14 has SQL Injection via the patch/remote.php ...) NOT-FOR-US: CliqueMania loja virtual CVE-2018-10282 RESERVED CVE-2018-10281 RESERVED CVE-2018-10280 RESERVED CVE-2018-10279 RESERVED CVE-2018-10278 RESERVED CVE-2018-10277 RESERVED CVE-2018-10276 RESERVED CVE-2018-10275 RESERVED CVE-2018-10274 RESERVED CVE-2018-10273 RESERVED CVE-2018-10272 RESERVED CVE-2018-10271 RESERVED CVE-2018-10270 RESERVED CVE-2018-10269 RESERVED CVE-2018-10268 (An issue was discovered in FastAdmin V1.0.0.20180417_beta. There is XS ...) NOT-FOR-US: FastAdmin CVE-2018-10267 (WTCMS 1.0 has a CSRF vulnerability to add an administrator account via ...) NOT-FOR-US: WTCMS CVE-2018-10266 (BEESCMS 4.0 has a CSRF vulnerability to add an administrator account v ...) NOT-FOR-US: BEESCMS CVE-2018-10265 (An issue was discovered in HongCMS v3.0.0. There is a CSRF vulnerabili ...) NOT-FOR-US: HongCMS CVE-2018-10264 RESERVED CVE-2018-10263 RESERVED CVE-2018-10262 RESERVED CVE-2018-10261 RESERVED CVE-2018-10260 (A Local File Inclusion vulnerability was found in HRSALE The Ultimate ...) NOT-FOR-US: HRSALE CVE-2018-10259 (An Authenticated Stored XSS vulnerability was found in HRSALE The Ulti ...) NOT-FOR-US: HRSALE CVE-2018-10258 (A CSV Injection vulnerability was discovered in Shopy Point of Sale v1 ...) NOT-FOR-US: Shopy CVE-2018-10257 (A CSV Injection vulnerability was discovered in HRSALE The Ultimate HR ...) NOT-FOR-US: HRSALE CVE-2018-10256 (A SQL Injection vulnerability was discovered in HRSALE The Ultimate HR ...) NOT-FOR-US: HRSALE CVE-2018-10255 (A CSV Injection vulnerability was discovered in clustercoding Blog Mas ...) NOT-FOR-US: clustercoding CVE-2018-10254 (Netwide Assembler (NASM) 2.13 has a stack-based buffer over-read in th ...) - nasm 2.14-1 (bug #896523) [stretch] - nasm (Minor issue) [jessie] - nasm (Minor issue) [wheezy] - nasm (Minor issue) NOTE: https://sourceforge.net/p/nasm/bugs/561/ NOTE: https://github.com/netwide-assembler/nasm/commit/55d09bbf6f7087339277b1e3b17c134b2afb2510 CVE-2018-10253 (Paessler PRTG Network Monitor before 18.1.39.1648 mishandles stack mem ...) NOT-FOR-US: Paessler PRTG Network Monitor CVE-2018-10252 (An issue was discovered on Actiontec WCB6200Q before 1.1.10.20a device ...) NOT-FOR-US: Actiontec WCB6200Q CVE-2018-10251 (A vulnerability in Sierra Wireless AirLink GX400, GX440, ES440, and LS ...) NOT-FOR-US: Sierra Wireless AirLink routers CVE-2018-10250 (iCMS V7.0.8 has XSS via the admincp.php keywords parameter in a weixin ...) NOT-FOR-US: iCMS CVE-2018-10249 (baijiacms V3 has CSRF via index.php?mod=site&op=edituser&name= ...) NOT-FOR-US: baijiacms CVE-2018-10248 (An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerabil ...) NOT-FOR-US: WUZHI CMS CVE-2018-10247 RESERVED CVE-2018-10246 RESERVED CVE-2018-10245 (A Full Path Disclosure vulnerability in AWStats through 7.6 allows rem ...) - awstats (unimportant) NOTE: Path disclosure for awstats negligible within Debian CVE-2018-10244 (Suricata version 4.0.4 incorrectly handles the parsing of an EtherNet/ ...) - suricata 1:4.0.5-1 [stretch] - suricata (Minor issue) [jessie] - suricata (EtherNet/IP and CIP support introduced in 3.2beta1) NOTE: https://redmine.openinfosecfoundation.org/issues/2545 NOTE: https://redmine.openinfosecfoundation.org/issues/2543 NOTE: https://github.com/OISF/suricata/commit/f68bf3301ad4d25f0a5ecb13405f4e26316cdf8d NOTE: https://suricata-ids.org/2018/07/18/suricata-4-0-5-available/ CVE-2018-10243 (htp_parse_authorization_digest in htp_parsers.c in LibHTP 0.5.26 allow ...) {DLA-1751-1} - libhtp 1:0.5.28-1 - suricata 1:4.0.0-1 [stretch] - suricata (Minor issue) NOTE: suricata used the embedded copy of libhtp up to before 1:4.0.0-1. NOTE: https://github.com/OISF/libhtp/issues/169 NOTE: https://github.com/OISF/libhtp/commit/eefd4b7d2be663f6067362f29c81e6edf909145a NOTE: https://suricata-ids.org/2018/07/18/suricata-4-0-5-available/ CVE-2018-10242 (Suricata version 4.0.4 incorrectly handles the parsing of the SSH bann ...) {DLA-1751-1} - suricata 1:4.0.5-1 [stretch] - suricata (Minor issue) NOTE: https://redmine.openinfosecfoundation.org/issues/2544 NOTE: https://redmine.openinfosecfoundation.org/issues/2542 NOTE: https://github.com/OISF/suricata/commit/9ba89a31efc89ec5cb72326dbcb9166b098f3ea0 NOTE: https://suricata-ids.org/2018/07/18/suricata-4-0-5-available/ CVE-2014-10073 (The create_response function in server/server.c in Psensor before 1.1. ...) {DLA-1361-1} - psensor 1.1.5-1 (low; bug #896195) [jessie] - psensor 1.1.3-2+deb8u1 NOTE: http://git.wpitchoune.net/gitweb/?p=psensor.git;a=commitdiff;h=8b10426dcc0246c1712a99460dd470dcb1cc4d9c CVE-2018-10241 (A denial of service vulnerability in SolarWinds Serv-U before 15.1.6 H ...) NOT-FOR-US: SolarWinds Serv-U CVE-2018-10240 (SolarWinds Serv-U MFT before 15.1.6 HFv1 assigns authenticated users a ...) NOT-FOR-US: SolarWinds Serv-U CVE-2018-10239 (A privilege escalation vulnerability in the "support access" feature o ...) NOT-FOR-US: Infoblox NIOS CVE-2018-10238 (bvlc.c in skarg BACnet Protocol Stack bacserv 0.9.1 and 0.8.5 is affec ...) NOT-FOR-US: skarg BACnet Protocol Stack CVE-2018-10237 (Unbounded memory allocation in Google Guava 11.0 through 24.x before 2 ...) NOT-FOR-US: Google Guava CVE-2018-10236 (POSCMS 3.2.18 allows remote attackers to execute arbitrary PHP code vi ...) NOT-FOR-US: POSCMS CVE-2018-10235 (POSCMS 3.2.10 allows remote attackers to execute arbitrary PHP code vi ...) NOT-FOR-US: POSCMS CVE-2018-10234 (Authenticated Cross site Scripting exists in the User Profile & Me ...) NOT-FOR-US: User Profile & Membership plugin for WordPress CVE-2018-10233 (The User Profile & Membership plugin before 2.0.7 for WordPress ha ...) NOT-FOR-US: User Profile & Membership plugin for WordPress CVE-2018-10232 (Cross-site request forgery (CSRF) vulnerability in TOPdesk before 8.05 ...) NOT-FOR-US: TOPdesk CVE-2018-10231 (Cross-site scripting (XSS) vulnerability in TOPdesk before 8.05.017 (J ...) NOT-FOR-US: TOPdesk CVE-2018-10230 (Zend Debugger in Zend Server before 9.1.3 has XSS, aka ZSR-2455. ...) NOT-FOR-US: Zend Server CVE-2018-10229 (A hardware vulnerability in GPU memory modules allows attackers to acc ...) NOT-FOR-US: GPU memory hardware issue CVE-2018-10228 RESERVED CVE-2018-10227 (MiniCMS v1.10 has XSS via the mc-admin/conf.php site_link parameter. ...) NOT-FOR-US: MiniCMS CVE-2018-10226 RESERVED CVE-2018-10225 (thinkphp 3.1.3 has SQL Injection via the index.php s parameter. ...) NOT-FOR-US: thinkphp CVE-2018-10224 (An issue was discovered in YzmCMS 3.8. There is a CSRF vulnerability t ...) NOT-FOR-US: YzmCMS CVE-2018-10223 (An issue was discovered in YzmCMS 3.8. There is a CSRF vulnerability t ...) NOT-FOR-US: YzmCMS CVE-2018-10222 (An issue was discovered in idreamsoft iCMS V7.0. There is a CSRF vulne ...) NOT-FOR-US: idreamsoft iCMS CVE-2018-10221 (An issue was discovered in WUZHI CMS V4.1.0. There is a persistent XSS ...) NOT-FOR-US: WUZHI CMS CVE-2018-10220 (** DISPUTED ** Glastopf 3.1.3-dev has SSRF, as demonstrated by the abc ...) NOT-FOR-US: Glastopf CVE-2018-10219 (baijiacms V3 has physical path leakage via an index.php?mod=mobile& ...) NOT-FOR-US: baijiacms CVE-2018-10218 RESERVED CVE-2018-10217 RESERVED CVE-2018-10216 RESERVED CVE-2018-10215 RESERVED CVE-2018-10214 RESERVED CVE-2018-10213 (An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. ...) NOT-FOR-US: Vaultize Enterprise File Sharing CVE-2018-10212 (An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. ...) NOT-FOR-US: Vaultize Enterprise File Sharing CVE-2018-10211 (An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. ...) NOT-FOR-US: Vaultize Enterprise File Sharing CVE-2018-10210 (An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. ...) NOT-FOR-US: Vaultize Enterprise File Sharing CVE-2018-10209 (An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. ...) NOT-FOR-US: Vaultize Enterprise File Sharing CVE-2018-10208 (An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. ...) NOT-FOR-US: Vaultize Enterprise File Sharing CVE-2018-10207 (An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. ...) NOT-FOR-US: Vaultize Enterprise File Sharing CVE-2018-10206 (An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. ...) NOT-FOR-US: Vaultize Enterprise File Sharing CVE-2018-10205 (hyperstart 1.0.0 in HyperHQ Hyper has memory leaks in the container_se ...) NOT-FOR-US: HyperHQ Hyper CVE-2018-10204 (PureVPN 6.0.1 for Windows suffers from a SYSTEM privilege escalation v ...) NOT-FOR-US: PureVPN CVE-2018-10203 RESERVED CVE-2018-10202 RESERVED CVE-2018-10201 (An issue was discovered in NcMonitorServer.exe in NC Monitor Server in ...) NOT-FOR-US: NC Monitor Server CVE-2017-18261 (The arch_timer_reg_read_stable macro in arch/arm64/include/asm/arch_ti ...) - linux 4.13.4-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/adb4f11e0a8f4e29900adb2b7af28b6bbd5c1fa4 (4.13-rc6) CVE-2018-10200 RESERVED CVE-2018-10198 (An issue was discovered in OTRS 6.0.x before 6.0.7. An attacker who is ...) - otrs2 6.0.7-1 [stretch] - otrs2 (Specific to OTRS 6) [jessie] - otrs2 (Specific to OTRS 6) NOTE: https://github.com/OTRS/otrs/commit/9f5f09e4eef283c2f38c003ba0685b77234750d1 NOTE: https://community.otrs.com/security-advisory-2018-01-security-update-for-otrs-framework CVE-2018-10197 (There is a time-based blind SQL injection vulnerability in the Access ...) NOT-FOR-US: ELO CVE-2018-10196 (NULL pointer dereference vulnerability in the rebuild_vlists function ...) - graphviz 2.40.1-6 (low; bug #898841) [stretch] - graphviz (Minor issue) [jessie] - graphviz (Minor issue) [wheezy] - graphviz (Minor issue) NOTE: https://gitlab.com/graphviz/graphviz/issues/1367 NOTE: https://issuetracker.google.com/issues/77810342 CVE-2018-10195 [rzsz: sz can leak data to receiving side] RESERVED - lrzsz 0.12.21-10 (low; bug #897010) [stretch] - lrzsz (Minor issue) [jessie] - lrzsz (Minor issue) [wheezy] - lrzsz (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1090051 NOTE: Fedora patch: https://src.fedoraproject.org/cgit/rpms/lrzsz.git/tree/lrzsz-0.12.20.patch CVE-2018-10194 (The set_text_distance function in devices/vector/gdevpdts.c in the pdf ...) {DLA-1363-1} - ghostscript 9.22~dfsg-2.1 (bug #896069) [stretch] - ghostscript 9.20~dfsg-3.2+deb9u2 [jessie] - ghostscript 9.06~dfsg-2+deb8u7 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32e96764c88797714879 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699255 (not yet public) CVE-2018-1000200 (The Linux Kernel versions 4.14, 4.15, and 4.16 has a null pointer dere ...) - linux 4.16.12-1 [stretch] - linux (Vulnerable code introduced later) [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/27ae357fa82be5ab73b2ef8d39dcb8ca2563483a CVE-2018-1000167 (OISF suricata-update version 1.0.0a1 contains an Insecure Deserializat ...) NOT-FOR-US: suricata-update (different from suricata) CVE-2018-1000166 REJECTED CVE-2018-1000165 (LightSAML version prior to 1.3.5 contains a Incorrect Access Control v ...) NOT-FOR-US: LightSAML CVE-2018-1000163 (Floodlight version 1.2 and earlier contains a Cross Site Scripting (XS ...) NOT-FOR-US: Floodlight CVE-2018-1000162 (Parsedown version prior to 1.7.0 contains a Cross Site Scripting (XSS) ...) NOT-FOR-US: Parsedown CVE-2018-1000160 (RisingStack protect version 1.2.0 and earlier contains a Cross Site Sc ...) NOT-FOR-US: RisingStack CVE-2018-1000158 (cmsmadesimple version 2.2.7 contains a Incorrect Access Control vulner ...) NOT-FOR-US: CMS Made Simple CVE-2018-10199 (In versions of mruby up to and including 1.4.0, a use-after-free vulne ...) - mruby 1.4.0+20180418+git54905e98-1 (bug #896021) [stretch] - mruby (Vulnerable code introduced later) [jessie] - mruby (Vulnerable code introduced later) NOTE: https://github.com/mruby/mruby/issues/4001 NOTE: https://github.com/mruby/mruby/commit/b51b21fc63c9805862322551387d9036f2b63433 CVE-2018-10193 (LogMeIn LastPass through 4.15.0 allows remote attackers to cause a den ...) NOT-FOR-US: LogMeIn LastPass CVE-2018-10192 (IPVanish 3.0.11 for macOS suffers from a root privilege escalation vul ...) NOT-FOR-US: IPVanish for macOS CVE-2018-10191 (In versions of mruby up to and including 1.4.0, an integer overflow ex ...) - mruby 1.4.0+20180418+git54905e98-1 (bug #896020) [stretch] - mruby (Minor issue) [jessie] - mruby (Minor issue) NOTE: https://github.com/mruby/mruby/issues/3995 NOTE: https://github.com/mruby/mruby/commit/1905091634a6a2925c911484434448e568330626 CVE-2018-10190 (A vulnerability in London Trust Media Private Internet Access (PIA) VP ...) NOT-FOR-US: London Trust Media Private Internet Access (PIA) VPN Client for Windows CVE-2018-10189 (An issue was discovered in Mautic 1.x and 2.x before 2.13.0. It is pos ...) NOT-FOR-US: Mautic CVE-2018-10188 (phpMyAdmin 4.8.0 before 4.8.0-1 has CSRF, allowing an attacker to exec ...) - phpmyadmin 4:4.9.1+dfsg1-2 (bug #896490) [stretch] - phpmyadmin (Only affects 4.8.x) [jessie] - phpmyadmin (vulnerable code not present) [wheezy] - phpmyadmin (vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2018-2/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/c6dd6b56e236a3aff953cee4135ecaa67130e641 CVE-2018-10187 (In radare2 2.5.0, there is a heap-based buffer over-read in the dalvik ...) - radare2 2.6.0+dfsg-1 (low; bug #897305) [jessie] - radare2 (Minor issue) [wheezy] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/issues/9913 NOTE: https://github.com/radare/radare2/commit/cdb278059b7b0aaaaa2315b82d0fa6ad50433db0 CVE-2018-10186 (In radare2 2.5.0, there is a heap-based buffer over-read in the r_hex_ ...) - radare2 2.6.0+dfsg-1 (low; bug #897305) [jessie] - radare2 (Minor issue) [wheezy] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/issues/9915 NOTE: https://github.com/radare/radare2/commit/a0348bb1b512ef27301dd7cdfb327ef5e14813fc NOTE: Before applying the fix for CVE-2018-8808 the issue is covered/differently visible CVE-2018-10185 (An issue was discovered in TuziCMS v2.0.6. There is a CSRF vulnerabili ...) NOT-FOR-US: TuziCMS CVE-2018-10184 (An issue was discovered in HAProxy before 1.8.8. The incoming H2 frame ...) - haproxy 1.8.8-1 [stretch] - haproxy (Vulnerable code introduced later with HTTP/2 support) [jessie] - haproxy (Vulnerable code introduced later with HTTP/2 support) [wheezy] - haproxy (Vulnerable code introduced later with HTTP/2 support) NOTE: http://git.haproxy.org/?p=haproxy.git;a=commit;h=3f0e1ec70173593f4c2b3681b26c04a4ed5fc588 NOTE: http://git.haproxy.org/?p=haproxy-1.8.git;a=commit;h=cd117685f0cff4f2f5577ef6a21eaae96ebd9f28 CVE-2018-10183 (An issue was discovered in BigTree 4.2.22. There is cross-site scripti ...) NOT-FOR-US: BigTree CMS CVE-2018-10182 RESERVED CVE-2018-1000199 (The Linux Kernel version 3.18 contains a dangerous feature vulnerabili ...) {DSA-4188-1 DSA-4187-1 DLA-1369-1} - linux 4.15.17-1 NOTE: Fixed by: https://git.kernel.org/linus/f67b15037a7a50c57f72e69a6d59941ad90a0f0f CVE-2018-10181 RESERVED CVE-2018-10180 RESERVED CVE-2018-10179 RESERVED CVE-2018-10178 (The FromDocToPDF extension before 13.611.13.2303 for Chrome allows rem ...) NOT-FOR-US: FromDocToPDF extension for Ghrome CVE-2018-10177 (In ImageMagick 7.0.7-28, there is an infinite loop in the ReadOneMNGIm ...) [experimental] - imagemagick 8:6.9.10.2+dfsg-1 - imagemagick 8:6.9.10.2+dfsg-2 (bug #896018) [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (Minor issue) [wheezy] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1095 NOTE: https://github.com/ImageMagick/ImageMagick/commit/9fdda6391e38aaad3bfd6a30bd6a72bd31aeee02 CVE-2018-10176 (Digital Guardian Management Console 7.1.2.0015 has a Directory Travers ...) NOT-FOR-US: Digital Guardian Management Console CVE-2018-10175 (Digital Guardian Management Console 7.1.2.0015 has an XXE issue. ...) NOT-FOR-US: Digital Guardian Management Console CVE-2018-10174 (Digital Guardian Management Console 7.1.2.0015 has an SSRF issue that ...) NOT-FOR-US: Digital Guardian Management Console CVE-2018-10173 (Digital Guardian Management Console 7.1.2.0015 allows authenticated re ...) NOT-FOR-US: Digital Guardian Management Console CVE-2018-10172 (7-Zip through 18.01 on Windows implements the "Large memory pages" opt ...) NOT-FOR-US: 7-Zip CVE-2018-10171 (Kromtech MacKeeper 3.20.4 suffers from a root privilege escalation vul ...) NOT-FOR-US: Kromtech MacKeeper CVE-2018-10170 (NordVPN 6.12.7.0 for Windows suffers from a SYSTEM privilege escalatio ...) NOT-FOR-US: NordVPN for Windows CVE-2018-10169 (ProtonVPN 1.3.3 for Windows suffers from a SYSTEM privilege escalation ...) NOT-FOR-US: ProtonVPN for Windows CVE-2018-10168 (TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6 ...) NOT-FOR-US: TP-Link CVE-2018-10167 (The web application backup file in the TP-Link EAP Controller and Omad ...) NOT-FOR-US: TP-Link CVE-2018-10166 (The web management interface in the TP-Link EAP Controller and Omada C ...) NOT-FOR-US: TP-Link CVE-2018-10165 (Stored Cross-site scripting (XSS) vulnerability in the TP-Link EAP Con ...) NOT-FOR-US: TP-Link CVE-2018-10164 (Stored Cross-site scripting (XSS) vulnerability in the TP-Link EAP Con ...) NOT-FOR-US: TP-Link CVE-2018-10163 REJECTED CVE-2018-10162 REJECTED CVE-2018-10161 REJECTED CVE-2018-10160 REJECTED CVE-2018-10159 REJECTED CVE-2018-10158 REJECTED CVE-2018-10157 REJECTED CVE-2018-10156 REJECTED CVE-2018-10155 REJECTED CVE-2018-10154 REJECTED CVE-2018-10153 REJECTED CVE-2018-10152 REJECTED CVE-2018-10151 REJECTED CVE-2018-10150 REJECTED CVE-2018-10149 REJECTED CVE-2018-10148 REJECTED CVE-2018-10147 REJECTED CVE-2018-10146 REJECTED CVE-2018-10145 REJECTED CVE-2018-10144 REJECTED CVE-2018-10143 (The Palo Alto Networks Expedition Migration tool 1.0.107 and earlier m ...) NOT-FOR-US: Palo Alto Networks Expedition Migration tool CVE-2018-10142 (The Expedition Migration tool 1.0.106 and earlier may allow an unauthe ...) NOT-FOR-US: Expedition Migration CVE-2018-10141 (GlobalProtect Portal Login page in Palo Alto Networks PAN-OS before 8. ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2018-10140 (The PAN-OS Management Web Interface in Palo Alto Networks PAN-OS 8.1.2 ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2018-10139 (The PAN-OS response for GlobalProtect Gateway in Palo Alto Networks PA ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2018-10138 (The CATALooK.netStore module through 7.2.8 for DNN (formerly DotNetNuk ...) NOT-FOR-US: DNN CVE-2018-10137 (iScripts UberforX 2.2 has CSRF in the "manage_settings" section of the ...) NOT-FOR-US: iScripts UberforX CVE-2018-10136 (iScripts UberforX 2.2 has Stored XSS in the "manage_settings" section ...) NOT-FOR-US: iScripts UberforX CVE-2018-10135 (iScripts eSwap v2.4 has Reflected XSS via the "catwiseproducts.php" ca ...) NOT-FOR-US: iScripts eSwap CVE-2018-10134 RESERVED CVE-2018-10133 (PbootCMS v0.9.8 allows PHP code injection via an IF label in index.php ...) NOT-FOR-US: PbootCMS CVE-2018-10132 (PbootCMS v0.9.8 has CSRF via an admin.php/Message/mod/id/19.html?backu ...) NOT-FOR-US: PbootCMS CVE-2018-10131 RESERVED CVE-2018-10130 RESERVED CVE-2018-10129 RESERVED CVE-2018-10128 (An issue was discovered in XYHCMS 3.5. It has XSS via the test paramet ...) NOT-FOR-US: XYHCMS CVE-2018-10127 (An issue was discovered in XYHCMS 3.5. It has CSRF via an index.php?g= ...) NOT-FOR-US: XYHCMS CVE-2018-10126 (LibTIFF 4.0.9 has a NULL pointer dereference in the jpeg_fdct_16x16 fu ...) - tiff (unimportant) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2786 NOTE: Crash in CLI tool, no security impact CVE-2018-10125 (Contao before 4.5.7 has XSS in the system log. ...) NOT-FOR-US: Contao CVE-2018-10123 (p910nd on Inteno IOPSYS 2.0 through 4.2.0 allows remote attackers to r ...) NOT-FOR-US: p910nd on Inteno IOPSYS CVE-2018-10122 (QingDao Nature Easy Soft Chanzhi Enterprise Portal System (aka chanzhi ...) NOT-FOR-US: QingDao Nature Easy Soft Chanzhi Enterprise Portal System CVE-2018-10121 (plugins/box/pages/pages.admin.php in Monstra CMS 3.0.4 has a stored XS ...) NOT-FOR-US: Monstra CMS CVE-2018-10120 (The SwCTBWrapper::Read function in sw/source/filter/ww8/ww8toolbar.cxx ...) {DSA-4178-1 DLA-1356-1} - libreoffice 1:6.0.2-1 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6173 NOTE: https://gerrit.libreoffice.org/#/c/49486/ NOTE: https://gerrit.libreoffice.org/#/c/49499/ NOTE: https://gerrit.libreoffice.org/#/c/49500/ NOTE: https://gerrit.libreoffice.org/gitweb?p=core.git;a=commit;h=017fcc2fcd00af17a97bd5463d89662404f57667 NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2018-10120/ CVE-2018-10119 (sot/source/sdstor/stgstrms.cxx in LibreOffice before 5.4.5.1 and 6.x b ...) {DSA-4178-1 DLA-1356-1} - libreoffice 1:6.0.1-1 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5747 NOTE: https://gerrit.libreoffice.org/#/c/48751/ NOTE: https://gerrit.libreoffice.org/#/c/48756/ NOTE: https://gerrit.libreoffice.org/#/c/48757/ NOTE: https://gerrit.libreoffice.org/#/c/48758/ NOTE: https://gerrit.libreoffice.org/gitweb?p=core.git;a=commit;h=fdd41c995d1f719e92c6f083e780226114762f05 NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2018-10119/ CVE-2018-10118 (Monstra CMS 3.0.4 has Stored XSS via the Name field on the Create New ...) NOT-FOR-US: Monstra CMS CVE-2018-10117 (An issue was discovered in idreamsoft iCMS V7.0.7. There is a CSRF vul ...) NOT-FOR-US: idreamsoft iCMS CVE-2018-10116 RESERVED CVE-2018-10115 (Incorrect initialization logic of RAR decoder objects in 7-Zip 18.03 a ...) - p7zip-rar 16.02-3 (bug #897674) [stretch] - p7zip-rar (Non-free not supported) [jessie] - p7zip-rar (Non-free not supported) [wheezy] - p7zip-rar (Non-free not supported) NOTE: https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution/ NOTE: https://sourceforge.net/p/sevenzip/discussion/45797/thread/adc65bfa/ CVE-2018-10114 (An issue was discovered in GEGL through 0.3.32. The gegl_buffer_iterat ...) - gegl 0.3.34-1 (low) [stretch] - gegl (Minor issue) [jessie] - gegl (Minor issue) [wheezy] - gegl (Minor issue) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=795248 NOTE: https://git.gnome.org/browse/gegl/commit/?id=c83b05d565a1e3392c9606a4ecaa560eb9a4ee29 NOTE: POC https://github.com/xiaoqx/pocs/tree/master/gegl#1-gegl-outbound-write-1 CVE-2018-10113 (An issue was discovered in GEGL through 0.3.32. The process function i ...) - gegl 0.3.34-1 (low) [stretch] - gegl (Minor issue) [jessie] - gegl (Minor issue) [wheezy] - gegl (Minor issue) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=795248 NOTE: https://gitlab.gnome.org/GNOME/gegl/commit/c83b05d565a1e3392c9606a4ecaa560eb9a4ee29 CVE-2018-10112 (An issue was discovered in GEGL through 0.3.32. The gegl_tile_backend_ ...) - gegl (low) [buster] - gegl (Minor issue, architectual limitation) [stretch] - gegl (Minor issue, architectual limitation) [jessie] - gegl (Minor issue) [wheezy] - gegl (Minor issue) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=795249 NOTE: https://gitlab.gnome.org/GNOME/gegl/issues/65 NOTE: https://github.com/xiaoqx/pocs/tree/master/gegl#4-gegl-outbound-write-2 CVE-2018-10111 (An issue was discovered in GEGL through 0.3.32. The render_rectangle f ...) - gegl (low) [buster] - gegl (Minor issue, architectual limitation) [stretch] - gegl (Minor issue, architectual limitation) [jessie] - gegl (Minor issue) [wheezy] - gegl (Minor issue) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=795249 NOTE: https://gitlab.gnome.org/GNOME/gegl/issues/65 NOTE: POC https://github.com/xiaoqx/pocs/tree/master/gegl#2-gegl-dos-1 CVE-2018-10110 (D-Link DIR-615 T1 devices allow XSS via the Add User feature. ...) NOT-FOR-US: D-Link CVE-2018-10109 (Monstra CMS 3.0.4 has a stored XSS vulnerability when an attacker has ...) NOT-FOR-US: Monstra CMS CVE-2018-10108 (D-Link DIR-815 REV. B (with firmware through DIR-815_REVB_FIRMWARE_PAT ...) NOT-FOR-US: D-Link CVE-2018-10107 (D-Link DIR-815 REV. B (with firmware through DIR-815_REVB_FIRMWARE_PAT ...) NOT-FOR-US: D-Link CVE-2018-10106 (D-Link DIR-815 REV. B (with firmware through DIR-815_REVB_FIRMWARE_PAT ...) NOT-FOR-US: D-Link CVE-2018-10105 (tcpdump before 4.9.3 mishandles the printing of SMB data (issue 2 of 2 ...) {DSA-4547-1 DLA-1955-1} - tcpdump 4.9.3-1 (bug #941698) NOTE: "Fixed" by disabling SMB printing CVE-2018-10104 RESERVED CVE-2018-10103 (tcpdump before 4.9.3 mishandles the printing of SMB data (issue 1 of 2 ...) {DSA-4547-1 DLA-1955-1} - tcpdump 4.9.3-1 (bug #941698) NOTE: "Fixed" by disabling SMB printing CVE-2018-10099 (Google Monorail before 2018-04-04 has a Cross-Site Search (XS-Search) ...) NOT-FOR-US: Google Monorail CVE-2018-10098 (In MicroWorld eScan Internet Security Suite (ISS) for Business 14.0.14 ...) NOT-FOR-US: MicroWorld eScan CVE-2018-10097 (XSS exists in Domain Trader 2.5.3 via the recoverlogin.php email_addre ...) NOT-FOR-US: Domain Trader CVE-2018-1000171 REJECTED CVE-2018-1002100 (In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to versio ...) - kubernetes 1.17.4-1 (bug #929225) NOTE: https://github.com/kubernetes/kubernetes/issues/61297 NOTE: https://github.com/kubernetes/kubernetes/commit/f180c969ccd47b9d00dbaf5cbd5b37eb8b49ae08 (1.9.x) CVE-2018-1000170 (A cross-site scripting vulnerability exists in Jenkins 2.115 and older ...) - jenkins CVE-2018-1000169 (An exposure of sensitive information vulnerability exists in Jenkins 2 ...) - jenkins CVE-2018-10096 (joyplus-cms 1.6.0 has XSS via the device_name parameter in a manager/a ...) NOT-FOR-US: joyplus-cms CVE-2018-10095 (Cross-site scripting (XSS) vulnerability in Dolibarr before 7.0.2 allo ...) - dolibarr CVE-2018-10094 (SQL injection vulnerability in Dolibarr before 7.0.2 allows remote att ...) - dolibarr CVE-2018-10093 (AudioCodes IP phone 420HD devices using firmware version 2.2.12.126 al ...) NOT-FOR-US: AudioCodes IP phone CVE-2018-10092 (The admin panel in Dolibarr before 7.0.2 might allow remote attackers ...) - dolibarr CVE-2018-10091 (AudioCodes IP phone 420HD devices using firmware version 2.2.12.126 al ...) NOT-FOR-US: AudioCodes IP phone CVE-2018-10090 RESERVED CVE-2018-10089 RESERVED CVE-2018-10088 (Buffer overflow in XiongMai uc-httpd 1.0.0 has unspecified impact and ...) NOT-FOR-US: XiongMai uc-httpd CVE-2018-10124 (The kill_something_info function in kernel/signal.c in the Linux kerne ...) {DLA-1423-1} - linux 4.13.4-1 [stretch] - linux 4.9.107-1 [jessie] - linux (Minor issue) [wheezy] - linux (Minor issue) NOTE: Fixed by: https://git.kernel.org/linus/4ea77014af0d6205b05503d1c7aac6eace11d473 (4.13-rc1) CVE-2018-10087 (The kernel_wait4 function in kernel/exit.c in the Linux kernel before ...) {DLA-1423-1} - linux 4.13.4-1 [stretch] - linux 4.9.107-1 [jessie] - linux (Minor issue) [wheezy] - linux (Minor issue) NOTE: Fixed by: https://git.kernel.org/linus/dd83c161fbcc5d8be637ab159c0de015cbff5ba4 (4.13-rc1) CVE-2018-10086 (CMS Made Simple (CMSMS) through 2.2.7 contains an arbitrary code execu ...) NOT-FOR-US: CMS Made Simple CVE-2018-10085 (CMS Made Simple (CMSMS) through 2.2.6 allows PHP object injection beca ...) NOT-FOR-US: CMS Made Simple CVE-2018-10084 (CMS Made Simple (CMSMS) through 2.2.6 contains a privilege escalation ...) NOT-FOR-US: CMS Made Simple CVE-2018-10083 (CMS Made Simple (CMSMS) through 2.2.7 contains an arbitrary file delet ...) NOT-FOR-US: CMS Made Simple CVE-2018-10082 (CMS Made Simple (CMSMS) through 2.2.7 allows physical path leakage via ...) NOT-FOR-US: CMS Made Simple CVE-2018-10081 (CMS Made Simple (CMSMS) through 2.2.6 contains an admin password reset ...) NOT-FOR-US: CMS Made Simple CVE-2018-10080 (Secutech RiS-11, RiS-22, and RiS-33 devices with firmware V5.07.52_es_ ...) NOT-FOR-US: Secutech RiS-11, RiS-22, and RiS-33 devices CVE-2018-10079 (Geist WatchDog Console 3.2.2 uses a weak ACL for the C:\ProgramData\Wa ...) NOT-FOR-US: Geist WatchDog Console CVE-2018-10078 (Cross-site scripting (XSS) vulnerability in Geist WatchDog Console 3.2 ...) NOT-FOR-US: Geist WatchDog Console CVE-2018-10077 (XML external entity (XXE) vulnerability in Geist WatchDog Console 3.2. ...) NOT-FOR-US: Geist WatchDog Console CVE-2018-10076 (An issue was discovered in Zoho ManageEngine EventLog Analyzer 11.12. ...) NOT-FOR-US: Zoho CVE-2018-10075 (Cross-site scripting (XSS) vulnerability in Zoho ManageEngine EventLog ...) NOT-FOR-US: Zoho CVE-2018-10073 (joyplus-cms 1.6.0 has XSS in manager/admin_vod.php via the keyword par ...) NOT-FOR-US: joyplus-cms CVE-2018-10072 (windrvr1260.sys in Jungo DriverWizard WinDriver 12.6.0 allows attacker ...) NOT-FOR-US: WinDriver CVE-2018-10071 (windrvr1260.sys in Jungo DriverWizard WinDriver 12.6.0 allows attacker ...) NOT-FOR-US: WinDriver CVE-2018-10070 (A vulnerability in MikroTik Version 6.41.4 could allow an unauthentica ...) NOT-FOR-US: MikroTik CVE-2018-10069 RESERVED CVE-2018-10068 (The jDownloads extension before 3.2.59 for Joomla! has XSS. ...) NOT-FOR-US: jDownloads extension for Joomla! CVE-2018-10067 RESERVED CVE-2018-10066 (An issue was discovered in MikroTik RouterOS 6.41.4. Missing OpenVPN s ...) NOT-FOR-US: MikroTik RouterOS CVE-2018-10065 RESERVED CVE-2018-10064 RESERVED CVE-2018-10063 (The Convert Forms extension before 2.0.4 for Joomla! is vulnerable to ...) NOT-FOR-US: Convert Forms extension for Joomla! CVE-2018-10062 RESERVED CVE-2018-10074 (The hi3660_stub_clk_probe function in drivers/clk/hisilicon/clk-hi3660 ...) - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/9903e41ae1f5d50c93f268ca3304d4d7c64b9311 (4.16-rc7) CVE-2018-10061 (Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars ...) - cacti 1.1.37+ds1-1 (low) [stretch] - cacti (Minor issue) [jessie] - cacti (Minor issue) [wheezy] - cacti (Minor issue) NOTE: https://github.com/Cacti/cacti/issues/1457 CVE-2018-10060 (Cacti before 1.1.37 has XSS because it does not properly reject uninte ...) - cacti 1.1.37+ds1-1 (low) [stretch] - cacti (Minor issue) [jessie] - cacti (Minor issue) [wheezy] - cacti (Minor issue) NOTE: https://github.com/Cacti/cacti/issues/1457 CVE-2018-10059 (Cacti before 1.1.37 has XSS because the get_current_page function in l ...) - cacti 1.1.37+ds1-1 [stretch] - cacti (Issue introduced later) [jessie] - cacti (Issue introduced later) [wheezy] - cacti (Issue introduced later) NOTE: https://github.com/Cacti/cacti/issues/1457 NOTE: get_current_page was added in the 1.x series CVE-2018-10058 (The remote management interface of cgminer 4.10.0 and bfgminer 5.5.0 a ...) - cgminer (bug #900929) [stretch] - cgminer (Minor issue) [jessie] - cgminer (Minor issue) - bfgminer (bug #900930) [jessie] - bfgminer (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2018/06/03/1 NOTE: Mitigated by toolchain hardening to plain crash CVE-2018-10057 (The remote management interface of cgminer 4.10.0 and bfgminer 5.5.0 a ...) - cgminer (bug #900929) [stretch] - cgminer (Minor issue) [jessie] - cgminer (Minor issue) - bfgminer (bug #900930) [jessie] - bfgminer (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2018/06/03/1 CVE-2018-10056 RESERVED CVE-2018-10055 (Invalid memory access and/or a heap buffer overflow in the TensorFlow ...) - tensorflow (bug #804612) CVE-2018-10054 (H2 1.4.197, as used in Datomic before 0.9.5697 and other products, all ...) NOT-FOR-US: H2 (different from src:python-h2) CVE-2018-10053 RESERVED CVE-2018-10052 (iScripts SupportDesk v4.3 has XSS via the admin/inteligentsearchresult ...) NOT-FOR-US: iScripts SupportDesk CVE-2018-10051 (iScripts SupportDesk v4.3 has XSS via the staff/inteligentsearchresult ...) NOT-FOR-US: iScripts SupportDesk CVE-2018-10050 (iScripts eSwap v2.4 has SQL injection via the "registration_settings.p ...) NOT-FOR-US: iScripts eSwap CVE-2018-10049 (iScripts eSwap v2.4 has XSS via the "registration_settings.php" txtDat ...) NOT-FOR-US: iScripts eSwap CVE-2018-10048 (iScripts eSwap v2.4 has CSRF via "registration_settings.php" in the Ad ...) NOT-FOR-US: iScripts eSwap CVE-2018-10047 RESERVED CVE-2018-10046 RESERVED CVE-2018-10045 RESERVED CVE-2018-10044 RESERVED CVE-2018-10043 RESERVED CVE-2018-10042 RESERVED CVE-2018-10041 RESERVED CVE-2018-10040 RESERVED CVE-2018-10039 RESERVED CVE-2018-10038 RESERVED CVE-2018-10037 RESERVED CVE-2018-10036 RESERVED CVE-2018-10035 RESERVED CVE-2018-10034 RESERVED CVE-2018-10033 (CMS Made Simple (aka CMSMS) 2.2.7 has Stored XSS in admin/siteprefs.ph ...) NOT-FOR-US: CMS Made Simple CVE-2018-10032 (CMS Made Simple (aka CMSMS) 2.2.7 has Reflected XSS in admin/moduleint ...) NOT-FOR-US: CMS Made Simple CVE-2018-10031 (CMS Made Simple (aka CMSMS) 2.2.7 has CSRF in admin/moduleinterface.ph ...) NOT-FOR-US: CMS Made Simple CVE-2018-10030 (CMS Made Simple (aka CMSMS) 2.2.7 has CSRF in admin/siteprefs.php. ...) NOT-FOR-US: CMS Made Simple CVE-2018-10029 (CMS Made Simple (aka CMSMS) 2.2.7 has Reflected XSS in admin/moduleint ...) NOT-FOR-US: CMS Made Simple CVE-2018-10028 (joyplus-cms 1.6.0 allows remote attackers to obtain sensitive informat ...) NOT-FOR-US: joyplus-cms CVE-2018-10027 (ESTsoft ALZip before 10.76 allows local users to execute arbitrary cod ...) NOT-FOR-US: ESTsoft ALZip CVE-2018-10026 (The WeChat module in YzmCMS 3.7.1 has reflected XSS via the admin/modu ...) NOT-FOR-US: WeChat module in YzmCMS CVE-2018-10025 RESERVED CVE-2018-10024 (ubiQuoss Switch VP5208A creates a bcm_password file at /cgi-bin/ with ...) NOT-FOR-US: ubiQuoss Switch VP5208A CVE-2018-10023 (Catfish CMS V4.7.21 allows XSS via the pinglun parameter to cat/index/ ...) NOT-FOR-US: Catfish CMS CVE-2018-10022 RESERVED CVE-2018-10021 (** DISPUTED ** drivers/scsi/libsas/sas_scsi_host.c in the Linux kernel ...) {DLA-1529-1 DLA-1423-1} - linux 4.15.17-1 [stretch] - linux 4.9.107-1 [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/318aaf34f1179b39fa9c30fa0f3288b645beee39 (4.16-rc7) NOTE: Low security impact, failure can only occur for physically NOTE: proximate attackers who unplug SAS Host Bus Adapter cables. CVE-2018-10020 RESERVED CVE-2018-10019 RESERVED CVE-2018-9999 (In Zulip Server versions before 1.7.2, there was an XSS issue with use ...) - zulip-server (bug #800052) CVE-2018-9998 (Open-Xchange OX App Suite before 7.6.3-rev37, 7.8.x before 7.8.2-rev40 ...) NOT-FOR-US: Open-Xchange CVE-2018-9997 (Cross-site scripting (XSS) vulnerability in mail compose in Open-Xchan ...) NOT-FOR-US: Open-Xchange CVE-2018-9996 (An issue was discovered in cplus-dem.c in GNU libiberty, as distribute ...) - binutils (unimportant) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85304 NOTE: binutils not covered by security support CVE-2018-9995 (TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix ...) NOT-FOR-US: TBK DVR4104 and DVR4216 devices CVE-2018-9994 REJECTED CVE-2018-9993 (YUNUCMS 1.0.7 has XSS via the content title on an admin/content/addcon ...) NOT-FOR-US: YUNUCMS CVE-2018-9992 (Frog CMS 0.9.5 has XSS via the name field of a new "File" or "Director ...) NOT-FOR-US: Frog CMS CVE-2018-9991 (Frog CMS 0.9.5 has XSS via the /admin/?/user/add Name or Username para ...) NOT-FOR-US: Frog CMS CVE-2018-9990 (In Zulip Server versions before 1.7.2, there was an XSS issue with str ...) - zulip-server (bug #800052) CVE-2018-10018 (The GDASPAMLib.AntiSpam ActiveX control ASK\GDASpam.dll in G DATA Tota ...) NOT-FOR-US: GDASPAMLib.AntiSpam ActiveX control CVE-2018-10017 (soundlib/Snd_fx.cpp in OpenMPT before 1.27.07.00 and libopenmpt before ...) - libopenmpt 0.3.8-1 (bug #895406) [stretch] - libopenmpt 0.2.7386~beta20.3-3+deb9u3 NOTE: https://github.com/OpenMPT/openmpt/commit/492022c7297ede682161d9c0ec2de15526424e76 CVE-2018-10016 (Netwide Assembler (NASM) 2.14rc0 has a division-by-zero vulnerability ...) - nasm 2.14-1 (bug #895408) [stretch] - nasm (Minor issue) [jessie] - nasm (Minor issue) [wheezy] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392473 NOTE: https://github.com/netwide-assembler/nasm/commit/ceec0d818798aeaa75ed4907e6135b0247ed46b2 CVE-2018-10015 RESERVED CVE-2018-10014 RESERVED CVE-2018-10013 RESERVED CVE-2018-10012 RESERVED CVE-2018-10011 RESERVED CVE-2018-10010 RESERVED CVE-2018-10009 RESERVED CVE-2018-10008 RESERVED CVE-2018-10007 RESERVED CVE-2018-10006 RESERVED CVE-2018-10005 RESERVED CVE-2018-10004 RESERVED CVE-2018-10003 RESERVED CVE-2018-10002 RESERVED CVE-2018-10001 (The decode_init function in libavcodec/utvideodec.c in FFmpeg through ...) {DSA-4249-1} - ffmpeg 7:3.4.3-1 (low) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=47b7c68ae54560e2308bdb6be4fb076c73b93081 - libav [jessie] - libav (Vulnerable code not present) NOTE: Fixed in 3.2.11 CVE-2018-10000 (The Video Downloader professional extension before 2018-04-05 for Chro ...) NOT-FOR-US: The Video Downloader professional extension for Chrome CVE-2017-18260 (Dolibarr ERP/CRM is affected by multiple SQL injection vulnerabilities ...) - dolibarr CVE-2017-18259 (Dolibarr ERP/CRM is affected by stored Cross-Site Scripting (XSS) in v ...) - dolibarr CVE-2018-9989 (ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffe ...) {DLA-1518-1} - mbedtls 2.8.0-1 [stretch] - mbedtls (Minor issue) - polarssl [wheezy] - polarssl (Minor issue) NOTE: https://github.com/ARMmbed/mbedtls/commit/5224a7544c95552553e2e6be0b4a789956a6464e NOTE: https://github.com/ARMmbed/mbedtls/commit/740b218386083dc708ce98ccc94a63a95cd5629e NOTE: https://tls.mbed.org/tech-updates/releases/mbedtls-2.8.0-2.7.2-and-2.1.11-released CVE-2018-9988 (ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffe ...) {DLA-1518-1} - mbedtls 2.8.0-1 [stretch] - mbedtls (Minor issue) - polarssl [wheezy] - polarssl (Minor issue) NOTE: https://github.com/ARMmbed/mbedtls/commit/027f84c69f4ef30c0693832a6c396ef19e563ca1 NOTE: https://github.com/ARMmbed/mbedtls/commit/a1098f81c252b317ad34ea978aea2bc47760b215 NOTE: https://tls.mbed.org/tech-updates/releases/mbedtls-2.8.0-2.7.2-and-2.1.11-released CVE-2018-9987 (In Zulip Server versions 1.5.x, 1.6.x, and 1.7.x before 1.7.2, there w ...) - zulip-server (bug #800052) CVE-2018-9986 (In Zulip Server versions before 1.7.2, there were XSS issues with the ...) - zulip-server (bug #800052) CVE-2018-9985 (The front page of MetInfo 6.0 allows XSS by sending a feedback message ...) NOT-FOR-US: MetInfo CVE-2018-9984 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-9983 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-9982 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9981 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9980 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-9979 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-9978 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-9977 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9976 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-9975 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9974 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9973 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-9972 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-9971 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-9970 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9969 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9968 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9967 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9966 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9965 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9964 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9963 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-9962 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9961 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9960 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9959 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9958 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9957 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9956 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9955 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9954 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9953 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9952 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9951 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9950 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-9949 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9948 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-9947 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9946 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-9945 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9944 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9943 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9942 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9941 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9940 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9939 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9938 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9937 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9936 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9935 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-9934 (The reset-password feature in MetInfo 6.0 allows remote attackers to c ...) NOT-FOR-US: MetInfo CVE-2018-9933 RESERVED CVE-2018-9932 RESERVED CVE-2018-9931 RESERVED CVE-2018-9930 RESERVED CVE-2018-9929 RESERVED CVE-2018-9928 (Cross-site scripting (XSS) vulnerability in save.php in MetInfo 6.0 al ...) NOT-FOR-US: MetInfo CVE-2018-9927 (An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerabil ...) NOT-FOR-US: WUZHI CMS CVE-2018-9926 (An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerabil ...) NOT-FOR-US: WUZHI CMS CVE-2018-9925 (An issue was discovered in idreamsoft iCMS through 7.0.7. XSS exists v ...) NOT-FOR-US: idreamsoft iCMS CVE-2018-9924 (An issue was discovered in idreamsoft iCMS through 7.0.7. SQL injectio ...) NOT-FOR-US: idreamsoft iCMS CVE-2018-9923 (An issue was discovered in idreamsoft iCMS through 7.0.7. CSRF exists ...) NOT-FOR-US: idreamsoft iCMS CVE-2018-9922 (An issue was discovered in idreamsoft iCMS through 7.0.7. Physical pat ...) NOT-FOR-US: idreamsoft iCMS CVE-2018-9921 (In CMS Made Simple 2.2.7, a Directory Traversal issue makes it possibl ...) NOT-FOR-US: CMS Made Simple CVE-2018-9920 (Server side request forgery exists in the runtime application in K2 sm ...) NOT-FOR-US: K2 CVE-2018-9919 (A web-accessible backdoor, with resultant SSRF, exists in Tp-shop 2.0. ...) NOT-FOR-US: Tp-shop CVE-2018-9918 (libqpdf.a in QPDF through 8.0.2 mishandles certain "expected dictionar ...) - qpdf 8.0.2-3 (bug #895443) [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) [wheezy] - qpdf (Minor issue) NOTE: https://github.com/qpdf/qpdf/issues/202 CVE-2018-9917 RESERVED CVE-2018-9916 RESERVED CVE-2018-9915 RESERVED CVE-2018-9914 RESERVED CVE-2018-9913 RESERVED CVE-2018-9912 RESERVED CVE-2018-9911 RESERVED CVE-2018-9910 RESERVED CVE-2018-9909 RESERVED CVE-2018-9908 RESERVED CVE-2018-9907 RESERVED CVE-2018-9906 RESERVED CVE-2018-9905 RESERVED CVE-2018-9904 RESERVED CVE-2018-9903 RESERVED CVE-2018-9902 RESERVED CVE-2018-9901 RESERVED CVE-2018-9900 RESERVED CVE-2018-9899 RESERVED CVE-2018-9898 RESERVED CVE-2018-9897 RESERVED CVE-2018-9896 RESERVED CVE-2018-9895 RESERVED CVE-2018-9894 RESERVED CVE-2018-9893 RESERVED CVE-2018-9892 RESERVED CVE-2018-9891 RESERVED CVE-2018-9890 RESERVED CVE-2018-9889 RESERVED CVE-2018-9888 RESERVED CVE-2018-9887 RESERVED CVE-2018-9886 RESERVED CVE-2018-9885 RESERVED CVE-2018-9884 RESERVED CVE-2018-9883 RESERVED CVE-2018-9882 RESERVED CVE-2018-9881 RESERVED CVE-2018-9880 RESERVED CVE-2018-9879 RESERVED CVE-2018-9878 RESERVED CVE-2018-9877 RESERVED CVE-2018-9876 RESERVED CVE-2018-9875 RESERVED CVE-2018-9874 RESERVED CVE-2018-9873 RESERVED CVE-2018-9872 RESERVED CVE-2018-9871 RESERVED CVE-2018-9870 RESERVED CVE-2018-9869 RESERVED CVE-2018-9868 RESERVED CVE-2018-9867 (In SonicWall SonicOS, administrators without full permissions can down ...) NOT-FOR-US: SonicWall CVE-2018-9866 (A vulnerability in lack of validation of user-supplied parameters pass ...) NOT-FOR-US: SonicWall CVE-2018-9865 RESERVED CVE-2018-9864 (The WP Live Chat Support plugin before 8.0.06 for WordPress has stored ...) NOT-FOR-US: WP Live Chat Support plugin for WordPress CVE-2018-9863 RESERVED CVE-2018-9862 (util.c in runV 1.0.0 for Docker mishandles a numeric username, which a ...) NOT-FOR-US: runV for Docker CVE-2018-9861 (Cross-site scripting (XSS) vulnerability in the Enhanced Image (aka im ...) NOT-FOR-US: ckeditor plugin CVE-2018-9860 (An issue was discovered in Botan 1.11.32 through 2.x before 2.6.0. An ...) - botan 2.4.0-6 - botan1.10 (Issue introduced in 1.11.32) NOTE: https://github.com/randombit/botan/commit/ec222c99719c396a1f4756b2ca345dbbfbeb5ed5 NOTE: Bug introduced in 1.11.32, fixed in 2.6.0 CVE-2018-9859 (The path of Whale update service was unquoted in NAVER Whale before 1. ...) NOT-FOR-US: Whale CVE-2018-1000168 (nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Imp ...) - nghttp2 1.31.1-1 (low; bug #895566) [stretch] - nghttp2 (Minor issue) [jessie] - nghttp2 (Issue introduced in 1.10.0) NOTE: Affected versions: nghttp2 >= 1.10.0 and nghttp2 <= v1.31.0 NOTE: Fixed by: https://github.com/nghttp2/nghttp2/commit/b1bd6035e884b3d83748914a3b5f2a8e52a78a2f NOTE: http://www.openwall.com/lists/oss-security/2018/04/12/4 CVE-2018-9858 RESERVED CVE-2018-9857 (PHP Scripts Mall Match Clone Script 1.0.4 has XSS via the search field ...) NOT-FOR-US: PHP Scripts Mall Match Clone Script CVE-2018-9856 (Kotti before 1.3.2 and 2.x before 2.0.0b2 has CSRF in the local roles ...) NOT-FOR-US: Kotti CVE-2018-9855 RESERVED CVE-2018-9854 RESERVED CVE-2018-9853 (Insecure access control in freeSSHd version 1.3.1 allows attackers to ...) NOT-FOR-US: freeSSHd CVE-2018-9852 (In Gxlcms QY v1.0.0713, Lib\Lib\Action\Home\HitsAction.class.php allow ...) NOT-FOR-US: Gxlcms QY CVE-2018-9851 (In Gxlcms QY v1.0.0713, Lib\Lib\Action\Admin\TplAction.class.php allow ...) NOT-FOR-US: Gxlcms QY CVE-2018-9850 (In Gxlcms QY v1.0.0713, Lib\Lib\Action\Admin\DataAction.class.php allo ...) NOT-FOR-US: Gxlcms QY CVE-2018-9849 (Pulse Secure Pulse Connect Secure 8.1.x before 8.1R14, 8.2.x before 8. ...) NOT-FOR-US: Pulse Secure Pulse Connect Secure CVE-2018-9848 (In Gxlcms QY v1.0.0713, the upload function in Lib\Lib\Action\Admin\Up ...) NOT-FOR-US: Gxlcms QY CVE-2018-9847 (In Gxlcms QY v1.0.0713, the update function in Lib\Lib\Action\Admin\Tp ...) NOT-FOR-US: Gxlcms QY CVE-2018-9846 (In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin ena ...) {DSA-4181-1} - roundcube 1.3.6+dfsg.1-1 (bug #895184) [wheezy] - roundcube (Vulnerable code not present in archive.php) NOTE: https://github.com/roundcube/roundcubemail/issues/6238 NOTE: https://github.com/roundcube/roundcubemail/commit/e3dd5b66d236867572e68fcb80281e9268a0cfb0 (release-1.3) NOTE: https://github.com/roundcube/roundcubemail/commit/cdeb6234a2e029c499898c3432fdf5b2cf093640 (release-1.2) NOTE: https://github.com/roundcube/roundcubemail/commit/5b7e9a2c960eb4fd2364921297020a5dcd2d7dbc (release-1.2) NOTE: https://github.com/roundcube/roundcubemail/commit/c69b851b8a704f6483ec9d1cae7cd1ecd33c3343 (release-1.2) NOTE: https://github.com/roundcube/roundcubemail/commit/7901047474729a7f466eb8c59c92a36fc7cf0e70 (release-1.2) CVE-2018-9845 (Etherpad Lite before 1.6.4 is exploitable for admin access. ...) - etherpad-lite (bug #576998) CVE-2018-9844 (The Iptanus WordPress File Upload plugin before 4.3.4 for WordPress mi ...) NOT-FOR-US: Iptanus WordPress File Upload plugin for WordPress CVE-2018-9843 (The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10 ...) NOT-FOR-US: CyberArk Password Vault Web Access CVE-2018-9842 (CyberArk Password Vault before 9.7 allows remote attackers to obtain s ...) NOT-FOR-US: CyberArk Password Vault CVE-2018-9841 (The export function in libavfilter/vf_signature.c in FFmpeg through 3. ...) - ffmpeg 7:3.4.3-1 (low) [stretch] - ffmpeg (Vulnerable code not present) - libav (Vulnerable code not present) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=35eeff30caf34df835206f1c12bcf4b7c2bd6758 CVE-2018-9840 (The Open Whisper Signal app before 2.23.2 for iOS allows physically pr ...) NOT-FOR-US: Open Whisper Signal app for iOS CVE-2018-9839 (An issue was discovered in MantisBT through 1.3.14, and 2.0.0. Using a ...) - mantis NOTE: https://github.com/mantisbt/mantisbt/commit/1fbcd9bca2f2c77cb61624d36ddee4b3802c38ea NOTE: https://mantisbt.org/bugs/view.php?id=24221 CVE-2018-1000164 (gunicorn version 19.4.5 contains a CWE-113: Improper Neutralization of ...) {DSA-4186-1 DLA-1357-1} - gunicorn 19.5.0-1 (bug #896548) NOTE: https://epadillas.github.io/2018/04/02/http-header-splitting-in-gunicorn-19.4.5 NOTE: https://github.com/benoitc/gunicorn/issues/1227 NOTE: https://github.com/benoitc/gunicorn/commit/5263a4ef2a63c62216680876f3813959839608ff CVE-2018-1000161 (nmap version 6.49BETA6 through 7.60, up to and including SVN revision ...) - nmap 7.70+dfsg1-1 [stretch] - nmap (Minor issue) [jessie] - nmap (Vulnerable code not present) [wheezy] - nmap (Vulnerable code not present) NOTE: Fixed by: https://github.com/nmap/nmap/commit/098e32713650f54732472f31245b7eca936b2bd8 NOTE: Fixed by: https://github.com/nmap/nmap/commit/da0c861299ae1ce6268e9591838f7a1144b327d7 NOTE: Fixed by: https://github.com/nmap/nmap/commit/88631b50676c38824e01d30819f46258a8497b0a NOTE: Fixed by: https://github.com/nmap/nmap/commit/80e1977308e51b1b7aa038a38f8837a7e90b3849 NOTE: Introduced in https://github.com/nmap/nmap/commit/88381c2e685297a4fafe7182a06877b27da34e1e NOTE: Script added in 6.49BETA6 (cf. https://bugzilla.suse.com/show_bug.cgi?id=1088608#c1) CVE-2018-1000159 (tlslite-ng version 0.7.3 and earlier, since commit d7b288316bca7bcdd08 ...) - tlslite-ng 0.7.4-1 (low; bug #895728) [stretch] - tlslite-ng 0.6.0-1+deb9u1 NOTE: https://github.com/tomato42/tlslite-ng/pull/234 NOTE: https://github.com/tomato42/tlslite-ng/pull/234/commits/3674815d1b0f7484454995e2737a352e0a6a93d8 (v0.8.0-alpha3) NOTE: https://github.com/tomato42/tlslite-ng/pull/235 NOTE: https://github.com/tomato42/tlslite-ng/pull/235/commits/e5e9145558f4c1a81071c61c947aa55a52542585 (backport for tslite-ng-0.7) CVE-2018-1000157 REJECTED CVE-2018-9838 (The caml_ba_deserialize function in byterun/bigarray.c in the standard ...) - ocaml 4.05.0-11 (bug #895472) [stretch] - ocaml (Minor issue) [jessie] - ocaml (Minor issue) [wheezy] - ocaml (Minor issue) NOTE: https://caml.inria.fr/mantis/view.php?id=7765 NOTE: https://github.com/ocaml/ocaml/pull/1718 NOTE: https://github.com/ocaml/ocaml/commit/9664c7ee807c2dfa802f53cabd405ff58e219c47 NOTE: Before 4.06.0+beta1 the code is present in otherlibs/bigarray/bigarray_stubs.c CVE-2018-10101 (Before WordPress 4.9.5, the URL validator assumed URLs with the hostna ...) - wordpress 4.9.5+dfsg1-1 (bug #895034) [stretch] - wordpress 4.7.5+dfsg-2+deb9u3 [jessie] - wordpress (vulnerable code is not present) [wheezy] - wordpress (vulnerable code is not present) NOTE: https://core.trac.wordpress.org/changeset/42894 NOTE: https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216 NOTE: Introduced via https://github.com/WordPress/WordPress/commit/c73a812109e1a64ecf21b6a198f949c58d1f2674 (4.5) CVE-2018-10100 (Before WordPress 4.9.5, the redirection URL for the login page was not ...) {DSA-4193-1 DLA-1366-1} - wordpress 4.9.5+dfsg1-1 (bug #895034) NOTE: https://core.trac.wordpress.org/changeset/42892 NOTE: https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e CVE-2018-10102 (Before WordPress 4.9.5, the version string was not escaped in the get_ ...) {DSA-4193-1 DLA-1366-1} - wordpress 4.9.5+dfsg1-1 (bug #895034) NOTE: https://core.trac.wordpress.org/changeset/42893 NOTE: https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d CVE-2018-9837 RESERVED CVE-2018-9836 RESERVED CVE-2018-9835 RESERVED CVE-2018-9834 RESERVED CVE-2018-9833 RESERVED CVE-2018-9832 RESERVED CVE-2018-9831 RESERVED CVE-2018-9830 RESERVED CVE-2018-9829 RESERVED CVE-2018-9828 RESERVED CVE-2018-9827 RESERVED CVE-2018-9826 RESERVED CVE-2018-9825 RESERVED CVE-2018-9824 RESERVED CVE-2018-9823 RESERVED CVE-2018-9822 RESERVED CVE-2018-9821 RESERVED CVE-2018-9820 RESERVED CVE-2018-9819 RESERVED CVE-2018-9818 RESERVED CVE-2018-9817 RESERVED CVE-2018-9816 RESERVED CVE-2018-9815 RESERVED CVE-2018-9814 RESERVED CVE-2018-9813 RESERVED CVE-2018-9812 RESERVED CVE-2018-9811 RESERVED CVE-2018-9810 RESERVED CVE-2018-9809 RESERVED CVE-2018-9808 RESERVED CVE-2018-9807 RESERVED CVE-2018-9806 RESERVED CVE-2018-9805 RESERVED CVE-2018-9804 RESERVED CVE-2018-9803 RESERVED CVE-2018-9802 RESERVED CVE-2018-9801 RESERVED CVE-2018-9800 RESERVED CVE-2018-9799 RESERVED CVE-2018-9798 RESERVED CVE-2018-9797 RESERVED CVE-2018-9796 RESERVED CVE-2018-9795 RESERVED CVE-2018-9794 RESERVED CVE-2018-9793 RESERVED CVE-2018-9792 RESERVED CVE-2018-9791 RESERVED CVE-2018-9790 RESERVED CVE-2018-9789 RESERVED CVE-2018-9788 RESERVED CVE-2018-9787 RESERVED CVE-2018-9786 RESERVED CVE-2018-9785 RESERVED CVE-2018-9784 RESERVED CVE-2018-9783 RESERVED CVE-2018-9782 RESERVED CVE-2018-9781 RESERVED CVE-2018-9780 RESERVED CVE-2018-9779 RESERVED CVE-2018-9778 RESERVED CVE-2018-9777 RESERVED CVE-2018-9776 RESERVED CVE-2018-9775 RESERVED CVE-2018-9774 RESERVED CVE-2018-9773 RESERVED CVE-2018-9772 RESERVED CVE-2018-9771 RESERVED CVE-2018-9770 RESERVED CVE-2018-9769 RESERVED CVE-2018-9768 RESERVED CVE-2018-9767 RESERVED CVE-2018-9766 RESERVED CVE-2018-9765 RESERVED CVE-2018-9764 RESERVED CVE-2018-9763 RESERVED CVE-2018-9762 RESERVED CVE-2018-9761 RESERVED CVE-2018-9760 RESERVED CVE-2018-9759 RESERVED CVE-2018-9758 RESERVED CVE-2018-9757 RESERVED CVE-2018-9756 RESERVED CVE-2018-9755 RESERVED CVE-2018-9754 RESERVED CVE-2018-9753 RESERVED CVE-2018-9752 RESERVED CVE-2018-9751 RESERVED CVE-2018-9750 RESERVED CVE-2018-9749 RESERVED CVE-2018-9748 RESERVED CVE-2018-9747 RESERVED CVE-2018-9746 RESERVED CVE-2018-9745 RESERVED CVE-2018-9744 RESERVED CVE-2018-9743 RESERVED CVE-2018-9742 RESERVED CVE-2018-9741 RESERVED CVE-2018-9740 RESERVED CVE-2018-9739 RESERVED CVE-2018-9738 RESERVED CVE-2018-9737 RESERVED CVE-2018-9736 RESERVED CVE-2018-9735 RESERVED CVE-2018-9734 RESERVED CVE-2018-9733 RESERVED CVE-2018-9732 RESERVED CVE-2018-9731 RESERVED CVE-2018-9730 RESERVED CVE-2018-9729 RESERVED CVE-2018-9728 RESERVED CVE-2018-9727 RESERVED CVE-2018-9726 RESERVED CVE-2018-9725 RESERVED CVE-2018-9724 RESERVED CVE-2018-9723 RESERVED CVE-2018-9722 RESERVED CVE-2018-9721 RESERVED CVE-2018-9720 RESERVED CVE-2018-9719 RESERVED CVE-2018-9718 RESERVED CVE-2018-9717 RESERVED CVE-2018-9716 RESERVED CVE-2018-9715 RESERVED CVE-2018-9714 RESERVED CVE-2018-9713 RESERVED CVE-2018-9712 RESERVED CVE-2018-9711 RESERVED CVE-2018-9710 RESERVED CVE-2018-9709 RESERVED CVE-2018-9708 RESERVED CVE-2018-9707 RESERVED CVE-2018-9706 RESERVED CVE-2018-9705 RESERVED CVE-2018-9704 RESERVED CVE-2018-9703 RESERVED CVE-2018-9702 RESERVED CVE-2018-9701 RESERVED CVE-2018-9700 RESERVED CVE-2018-9699 RESERVED CVE-2018-9698 RESERVED CVE-2018-9697 RESERVED CVE-2018-9696 RESERVED CVE-2018-9695 RESERVED CVE-2018-9694 RESERVED CVE-2018-9693 RESERVED CVE-2018-9692 RESERVED CVE-2018-9691 RESERVED CVE-2018-9690 RESERVED CVE-2018-9689 RESERVED CVE-2018-9688 RESERVED CVE-2018-9687 RESERVED CVE-2018-9686 RESERVED CVE-2018-9685 RESERVED CVE-2018-9684 RESERVED CVE-2018-9683 RESERVED CVE-2018-9682 RESERVED CVE-2018-9681 RESERVED CVE-2018-9680 RESERVED CVE-2018-9679 RESERVED CVE-2018-9678 RESERVED CVE-2018-9677 RESERVED CVE-2018-9676 RESERVED CVE-2018-9675 RESERVED CVE-2018-9674 RESERVED CVE-2018-9673 RESERVED CVE-2018-9672 RESERVED CVE-2018-9671 RESERVED CVE-2018-9670 RESERVED CVE-2018-9669 RESERVED CVE-2018-9668 RESERVED CVE-2018-9667 RESERVED CVE-2018-9666 RESERVED CVE-2018-9665 RESERVED CVE-2018-9664 RESERVED CVE-2018-9663 RESERVED CVE-2018-9662 RESERVED CVE-2018-9661 RESERVED CVE-2018-9660 RESERVED CVE-2018-9659 RESERVED CVE-2018-9658 RESERVED CVE-2018-9657 RESERVED CVE-2018-9656 RESERVED CVE-2018-9655 RESERVED CVE-2018-9654 RESERVED CVE-2018-9653 RESERVED CVE-2018-9652 RESERVED CVE-2018-9651 RESERVED CVE-2018-9650 RESERVED CVE-2018-9649 RESERVED CVE-2018-9648 RESERVED CVE-2018-9647 RESERVED CVE-2018-9646 RESERVED CVE-2018-9645 RESERVED CVE-2018-9644 RESERVED CVE-2018-9643 RESERVED CVE-2018-9642 RESERVED CVE-2018-9641 RESERVED CVE-2018-9640 RESERVED CVE-2018-9639 RESERVED CVE-2018-9638 RESERVED CVE-2018-9637 RESERVED CVE-2018-9636 RESERVED CVE-2018-9635 RESERVED CVE-2018-9634 RESERVED CVE-2018-9633 RESERVED CVE-2018-9632 RESERVED CVE-2018-9631 RESERVED CVE-2018-9630 RESERVED CVE-2018-9629 RESERVED CVE-2018-9628 RESERVED CVE-2018-9627 RESERVED CVE-2018-9626 RESERVED CVE-2018-9625 RESERVED CVE-2018-9624 RESERVED CVE-2018-9623 RESERVED CVE-2018-9622 RESERVED CVE-2018-9621 RESERVED CVE-2018-9620 RESERVED CVE-2018-9619 RESERVED CVE-2018-9618 RESERVED CVE-2018-9617 RESERVED CVE-2018-9616 RESERVED CVE-2018-9615 RESERVED CVE-2018-9614 RESERVED CVE-2018-9613 RESERVED CVE-2018-9612 RESERVED CVE-2018-9611 RESERVED CVE-2018-9610 RESERVED CVE-2018-9609 RESERVED CVE-2018-9608 RESERVED CVE-2018-9607 RESERVED CVE-2018-9606 RESERVED CVE-2018-9605 RESERVED CVE-2018-9604 RESERVED CVE-2018-9603 RESERVED CVE-2018-9602 RESERVED CVE-2018-9601 RESERVED CVE-2018-9600 RESERVED CVE-2018-9599 RESERVED CVE-2018-9598 RESERVED CVE-2018-9597 RESERVED CVE-2018-9596 RESERVED CVE-2018-9595 RESERVED CVE-2018-9594 (In llcp_link_proc_agf_pdu of llcp_link.cc in Android-7.0, Android-7.1. ...) NOT-FOR-US: Android CVE-2018-9593 (In llcp_dlc_proc_i_pdu of llcp_dlc.cc in Android-7.0, Android-7.1.1, A ...) NOT-FOR-US: Android CVE-2018-9592 (In mca_ccb_hdl_rsp of mca_cact.cc in Android-7.0, Android-7.1.1, Andro ...) NOT-FOR-US: Android CVE-2018-9591 (In bta_hh_ctrl_dat_act of bta_hh_act.cc in Android-7.0, Android-7.1.1, ...) NOT-FOR-US: Android CVE-2018-9590 (In add_attr of sdp_discovery.c in Android-7.0, Android-7.1.1, Android- ...) NOT-FOR-US: Android CVE-2018-9589 (In ieee802_11_rx_wnmsleep_req of wnm_ap.c in Android-7.0, Android-7.1. ...) NOT-FOR-US: Android CVE-2018-9588 (In avdt_scb_hdl_report of avdt_scb_act.cc in Android-7.0, Android-7.1. ...) NOT-FOR-US: Android CVE-2018-9587 (In savePhotoFromUriToUri of ContactPhotoUtils.java in Android-7.0, And ...) NOT-FOR-US: Android CVE-2018-9586 (In run of InstallPackageTask.java in Android-7.0, Android-7.1.1, Andro ...) NOT-FOR-US: Android CVE-2018-9585 (In nfc_ncif_proc_get_routing of nfc_ncif.cc in Android-7.0, Android-7. ...) NOT-FOR-US: Android CVE-2018-9584 (In nfc_ncif_set_config_status of nfc_ncif.cc in Android-7.0, Android-7 ...) NOT-FOR-US: Android CVE-2018-9583 (In bta_ag_parse_cmer of bta_ag_cmd.cc in Android-7.0, Android-7.1.1, A ...) NOT-FOR-US: Android CVE-2018-9582 (In package installer in Android-8.0, Android-8.1 and Android-9, there ...) NOT-FOR-US: Android CVE-2018-9581 (In WiFi, the RSSI value and SSID information is broadcast as part of a ...) NOT-FOR-US: Android CVE-2018-9580 (A Elevation of privilege vulnerability in the HTC bootloader. Product: ...) NOT-FOR-US: HTC CVE-2018-9579 RESERVED CVE-2018-9578 (In ixheaacd_adts_crc_start_reg of ixheaacd_adts_crc_check.c, there is ...) NOT-FOR-US: Android libxaac CVE-2018-9577 (In impd_parametric_drc_parse_gain_set_params of impd_drc_static_payloa ...) NOT-FOR-US: Android libxaac CVE-2018-9576 (In impd_parse_parametric_drc_instructions of impd_drc_static_payload.c ...) NOT-FOR-US: Android libxaac CVE-2018-9575 (In impd_parse_dwnmix_instructions of impd_drc_static_payload.c there i ...) NOT-FOR-US: Android libxaac CVE-2018-9574 (In impd_parse_split_drc_characteristic of impd_drc_static_payload.c th ...) NOT-FOR-US: Android libxaac CVE-2018-9573 (In impd_parse_filt_block of impd_drc_dynamic_payload.c there is a poss ...) NOT-FOR-US: Android libxaac CVE-2018-9572 (In impd_drc_parse_coeff of impd_drc_static_payload.c there is a possib ...) NOT-FOR-US: Android libxaac CVE-2018-9571 (In impd_parse_loud_eq_instructions of impd_drc_dynamic_payload.c there ...) NOT-FOR-US: Android libxaac CVE-2018-9570 (In impd_parse_drc_ext_v1 of impd_drc_dynamic_payload.c there is a poss ...) NOT-FOR-US: Android libxaac CVE-2018-9569 (In impd_init_drc_decode_post_config of impd_drc_gain_decoder.c there i ...) NOT-FOR-US: Android libxaac CVE-2018-9568 (In sk_clone_lock of sock.c, there is a possible memory corruption due ...) - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.59-1 NOTE: Fixed by: https://git.kernel.org/linus/9d538fa60bad4f7b23193c89e843797a1cf71ef3 CVE-2018-9567 (On Pixel devices there is a bug causing verified boot to show the same ...) NOT-FOR-US: Android CVE-2018-9566 (In process_service_search_rsp of sdp_discovery.c, there is a possible ...) NOT-FOR-US: Android CVE-2018-9565 (In readBytes of xltdecwbxml.c, there is a possible out of bounds read ...) NOT-FOR-US: Android CVE-2018-9564 (In llcp_util_parse_link_params of llcp_util.cc, there is a possible ou ...) NOT-FOR-US: Android CVE-2018-9563 (In llcp_util_parse_cc of llcp_util.cc, there is a possible out-of-boun ...) NOT-FOR-US: Android CVE-2018-9562 (In bta_ag_do_disc of bta_ag_sdp.cc, there is a possible out-of-bound r ...) NOT-FOR-US: Android CVE-2018-9561 (In llcp_util_parse_connect of llcp_util.cc, there is a possible out-of ...) NOT-FOR-US: Android CVE-2018-9560 (In HID_DevAddRecord of hidd_api.cc, there is a possible out-of-bounds ...) NOT-FOR-US: Android CVE-2018-9559 (In persist_set_key and other functions of cryptfs.cpp, there is a poss ...) NOT-FOR-US: Android CVE-2018-9558 (In rw_t2t_handle_tlv_detect of rw_t2t_ndef.cc, there is a possible out ...) NOT-FOR-US: Android CVE-2018-9557 (In really_install_package of install.cpp, there is a possible free of ...) NOT-FOR-US: Android CVE-2018-9556 (In ParsePayloadHeader of payload_metadata.cc, there is a possible out ...) NOT-FOR-US: Android CVE-2018-9555 (In l2c_lcc_proc_pdu of l2c_fcr.cc, there is a possible out of bounds w ...) NOT-FOR-US: Android CVE-2018-9554 (In dumpExtractors of IMediaExtractor.cp, there is a possible disclosur ...) NOT-FOR-US: Android Media Framework CVE-2018-9553 (In MasteringMetadata::Parse of mkvparser.cc there is a possible double ...) NOT-FOR-US: Android Media Framework CVE-2018-9552 (In ihevcd_sao_shift_ctb of ihevcd_sao.c there is a possible out of bou ...) NOT-FOR-US: Android Media Framework CVE-2018-9551 (In CAacDecoder_Init of aacdecoder.cpp, there is a possible out-of-boun ...) NOT-FOR-US: Android Media Framework CVE-2018-9550 (In CAacDecoder_Init of aacdecoder.cpp, there is a possible out of boun ...) NOT-FOR-US: Android Media Framework CVE-2018-9549 (In lppTransposer of lpp_tran.cpp there is a possible out of bounds wri ...) NOT-FOR-US: Android Media Framework CVE-2018-9548 (In multiple functions of ContentProvider.java, there is a possible per ...) NOT-FOR-US: Android CVE-2018-9547 (In unflatten of GraphicBuffer.cpp, there is a possible bad fd close du ...) NOT-FOR-US: Android CVE-2018-9546 RESERVED CVE-2018-9545 (In BTA_HdRegisterApp of bta_hd_api.cc, there is a possible out-of-boun ...) NOT-FOR-US: Android CVE-2018-9544 (In register_app of btif_hd.cc, there is a possible out-of-bounds read ...) NOT-FOR-US: Android CVE-2018-9543 (In trim_device of f2fs_format_utils.c, it is possible that the data pa ...) NOT-FOR-US: Android CVE-2018-9542 (In avrc_pars_vendor_rsp of avrc_pars_ct.cc, there is a possible out of ...) NOT-FOR-US: Android CVE-2018-9541 (In avrc_pars_vendor_rsp of avcr_pars_ct.cc, there is a possible out-of ...) NOT-FOR-US: Android CVE-2018-9540 (In avrc_ctrl_pars_vendor_rsp of avrc_pars_ct.c, there is a possible ou ...) NOT-FOR-US: Android CVE-2018-9539 (In the ClearKey CAS descrambler, there is a possible use after free du ...) NOT-FOR-US: Android Media Framework CVE-2018-9538 (In V4L2SliceVideoDecodeAccelerator::Dequeue of v4l2_slice_video_decode ...) NOT-FOR-US: Android Media Framework CVE-2018-9537 (In CAacDecoder_DecodeFrame of aacdecode.cpp, there is a possible out-o ...) NOT-FOR-US: Android Media Framework CVE-2018-9536 (In numerous functions of libFDK, there are possible out of bounds writ ...) NOT-FOR-US: Android Media Framework CVE-2018-9535 (In ixheaacd_reset_acelp_data_fix of ixheaacd_lpc.c there is a possible ...) NOT-FOR-US: Android libxaac CVE-2018-9534 (In ixheaacd_mps_getstridemap of ixheaacd_mps_parse.c there is a possib ...) NOT-FOR-US: Android libxaac CVE-2018-9533 (In ixheaacd_dec_data_init of ixheaacd_create.c there is a possible out ...) NOT-FOR-US: Android libxaac CVE-2018-9532 (In ixheaacd_extract_frame_info_ld of ixheaacd_env_extr.c there is a po ...) NOT-FOR-US: Android libxaac CVE-2018-9531 (In AudioSpecificConfig_Parse of tpdec_asc.cpp, there is a possible out ...) NOT-FOR-US: Android Media Framework CVE-2018-9530 (In ixheaacd_tns_ar_filter_dec of ixheaacd_aac_tns.c there is a possibl ...) NOT-FOR-US: Android libxaac CVE-2018-9529 (In ixheaacd_individual_ch_stream of ixheaacd_channel.c there is a poss ...) NOT-FOR-US: Android libxaac CVE-2018-9528 (In ixheaacd_over_lap_add1_armv8 of ixheaacd_overlap_add1.s there is a ...) NOT-FOR-US: Android libxaac CVE-2018-9527 (In vorbis_book_decodev_set of codebook.c there is a possible out of bo ...) NOT-FOR-US: Android Media Framework CVE-2018-9526 (In device configuration data, there is an improperly configured settin ...) NOT-FOR-US: Android CVE-2018-9525 (In the AndroidManifest.xml file defining the SliceBroadcastReceiver ha ...) NOT-FOR-US: Android CVE-2018-9524 (In functionality implemented in System UI, there are insufficient prot ...) NOT-FOR-US: Android CVE-2018-9523 (In Parcel.writeMapInternal of Parcel.java, there is a possible parcel ...) NOT-FOR-US: Android CVE-2018-9522 (In the serialization functions of StatsLogEventWrapper.java, there is ...) NOT-FOR-US: Android CVE-2018-9521 (In parseMPEGCCData of NuPlayer2CCDecoder.cpp, there is a possible out ...) NOT-FOR-US: Android Media Framework CVE-2018-9520 RESERVED CVE-2018-9519 (In easelcomm_hw_build_scatterlist, there is a possible out of bounds w ...) NOT-FOR-US: Android kernel CVE-2018-9518 (In nfc_llcp_build_sdreq_tlv of llcp_commands.c, there is a possible ou ...) - linux 4.16.5-1 [stretch] - linux 4.9.107-1 [jessie] - linux 3.16.57-1 NOTE: Fixed by: https://git.kernel.org/linus/fe9c842695e26d8116b61b80bfb905356f07834b (4.16-rc3) CVE-2018-9517 (In pppol2tp_connect, there is possible memory corruption due to a use ...) - linux 4.14.2-1 [jessie] - linux 3.16.51-1 NOTE: https://git.kernel.org/linus/f026bc29a8e093edfbb2a77700454b285c97e8ad NOTE: https://source.android.com/security/bulletin/pixel/2018-09-01 CVE-2018-9516 (In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possib ...) {DSA-4308-1 DLA-1531-1 DLA-1529-1} - linux 4.17.6-1 NOTE: https://git.kernel.org/linus/717adfdaf14704fd3ec7fa2c04520c0723247eac NOTE: https://source.android.com/security/bulletin/pixel/2018-09-01 CVE-2018-9515 (In sdcardfs_create and sdcardfs_mkdir of inode.c, there is a possible ...) NOT-FOR-US: Android kernel (apparently not in mainline) CVE-2018-9514 (In sdcardfs_open of file.c, there is a possible Use After Free due to ...) NOT-FOR-US: Android kernel (apparently not in mainline) CVE-2018-9513 (In copy_process of fork.c, there is possible memory corruption due to ...) NOT-FOR-US: Android kernel (apparently not in mainline) CVE-2018-9512 RESERVED CVE-2018-9511 (In ipSecSetEncapSocketOwner of XfrmController.cpp, there is a possible ...) NOT-FOR-US: Android CVE-2018-9510 (In smp_proc_enc_info of smp_act.cc, there is a possible out of bounds ...) NOT-FOR-US: Android CVE-2018-9509 (In smp_proc_master_id of smp_act.cc, there is a possible out of bounds ...) NOT-FOR-US: Android CVE-2018-9508 (In smp_process_keypress_notification of smp_act.cc, there is a possibl ...) NOT-FOR-US: Android CVE-2018-9507 (In bta_av_proc_meta_cmd of bta_av_act.cc, there is a possible out of b ...) NOT-FOR-US: Android CVE-2018-9506 (In avrc_msg_cback of avrc_api.cc, there is a possible out-of-bound rea ...) NOT-FOR-US: Android CVE-2018-9505 (In mca_ccb_hdl_req of mca_cact.cc, there is a possible out of bounds r ...) NOT-FOR-US: Android CVE-2018-9504 (In sdp_copy_raw_data of sdp_discovery.cc, there is a possible out of b ...) NOT-FOR-US: Android CVE-2018-9503 (In rfc_process_mx_message of rfc_ts_frames.cc, there is a possible out ...) NOT-FOR-US: Android CVE-2018-9502 (In rfc_process_mx_message of rfc_ts_frames.cc, there is a possible out ...) NOT-FOR-US: Android CVE-2018-9501 (In the SetupWizard, there is a possible Factory Reset Protection bypas ...) NOT-FOR-US: Android CVE-2018-9500 RESERVED CVE-2018-9499 (In readVector of iCrypto.cpp, there is a possible invalid read due to ...) NOT-FOR-US: Android Media Framework CVE-2018-9498 (In SkSampler::Fill of SkSampler.cpp, there is a possible out of bounds ...) NOT-FOR-US: Android Media Framework CVE-2018-9497 (In impeg2_fmt_conv_yuv420p_to_yuv420sp_uv_av8 of impeg2_format_conv.s ...) NOT-FOR-US: Android Media Framework CVE-2018-9496 (In ixheaacd_real_synth_fft_p3 of ixheaacd_esbr_fft.c there is a possib ...) NOT-FOR-US: Android Media Framework CVE-2018-9495 RESERVED CVE-2018-9494 RESERVED CVE-2018-9493 (In the content provider of the download manager, there is a possible S ...) NOT-FOR-US: Android CVE-2018-9492 (In checkGrantUriPermissionLocked of ActivityManagerService.java, there ...) NOT-FOR-US: Android CVE-2018-9491 (In AMediaCodecCryptoInfo_new of NdkMediaCodec.cpp, there is a possible ...) NOT-FOR-US: Android CVE-2018-9490 (In CollectValuesOrEntriesImpl of elements.cc, there is possible remote ...) NOT-FOR-US: Android CVE-2018-9489 (When wifi is switched, function sendNetworkStateChangeBroadcast of Wif ...) NOT-FOR-US: Android CVE-2018-9488 (In the SELinux permissions of crash_dump.te, there is a permissions by ...) NOT-FOR-US: Android CVE-2018-9487 RESERVED NOT-FOR-US: Android CVE-2018-9486 RESERVED NOT-FOR-US: Android CVE-2018-9485 RESERVED NOT-FOR-US: Android CVE-2018-9484 RESERVED NOT-FOR-US: Android CVE-2018-9483 RESERVED NOT-FOR-US: Android CVE-2018-9482 RESERVED NOT-FOR-US: Android CVE-2018-9481 RESERVED NOT-FOR-US: Android CVE-2018-9480 RESERVED NOT-FOR-US: Android CVE-2018-9479 RESERVED NOT-FOR-US: Android CVE-2018-9478 RESERVED NOT-FOR-US: Android CVE-2018-9477 RESERVED NOT-FOR-US: Android CVE-2018-9476 (In avrc_pars_browsing_cmd of avrc_pars_tg.cc, there is a possible use- ...) NOT-FOR-US: Android CVE-2018-9475 RESERVED NOT-FOR-US: Android CVE-2018-9474 RESERVED CVE-2018-9473 (In ihevcd_parse_sei_payload of ihevcd_parse_headers.c, there is a poss ...) NOT-FOR-US: Android Media Framework CVE-2018-9472 RESERVED NOT-FOR-US: Android CVE-2018-9471 RESERVED NOT-FOR-US: Android CVE-2018-9470 RESERVED NOT-FOR-US: Android CVE-2018-9469 RESERVED NOT-FOR-US: Android CVE-2018-9468 RESERVED NOT-FOR-US: Android CVE-2018-9467 RESERVED NOT-FOR-US: Android CVE-2018-9466 RESERVED NOT-FOR-US: Android CVE-2018-9465 (In task_get_unused_fd_flags of binder.c, there is a possible memory co ...) - linux 4.14.12-1 (unimportant) [stretch] - linux 4.9.144-1 NOTE: Android drivers from staging not enabled in any released suite NOTE: https://git.kernel.org/linus/7f3dc0088b98533f17128058fac73cd8b2752ef1 CVE-2018-9464 RESERVED CVE-2018-9463 RESERVED CVE-2018-9462 RESERVED CVE-2018-9461 RESERVED CVE-2018-9460 RESERVED CVE-2018-9459 (In Attachment of Attachment.java and getFilePath of EmlAttachmentProvi ...) NOT-FOR-US: Android CVE-2018-9458 (In computeFocusedWindow of RootWindowContainer.java, and related funct ...) NOT-FOR-US: Android CVE-2018-9457 (In onCheckedChanged of BluetoothPairingController.java, there is a pos ...) NOT-FOR-US: Android CVE-2018-9456 RESERVED NOT-FOR-US: Android CVE-2018-9455 (In sdpu_extract_attr_seq of sdp_utils.cc, there is a possible out of b ...) NOT-FOR-US: Android CVE-2018-9454 (In bnep_data_ind of bnep_main.cc, there is a possible out of bounds re ...) NOT-FOR-US: Android CVE-2018-9453 (In avdt_msg_prs_cfg of avdt_msg.cc, there is a possible out of bounds ...) NOT-FOR-US: Android CVE-2018-9452 (In getOffsetForHorizontal of Layout.java, there is a possible applicat ...) NOT-FOR-US: Android CVE-2018-9451 (In DynamicRefTable::load of ResourceTypes.cpp, there is a possible out ...) NOT-FOR-US: Android CVE-2018-9450 (In avrc_proc_vendor_command of avrc_api.cc, there is a possible out of ...) NOT-FOR-US: Android CVE-2018-9449 RESERVED CVE-2018-9448 (In avct_bcb_msg_ind of avct_bcb_act.cc, there is a possible out of bou ...) NOT-FOR-US: Android CVE-2018-9447 RESERVED CVE-2018-9446 (In smp_br_state_machine_event of smp_br_main.cc, there is a possible o ...) NOT-FOR-US: Android CVE-2018-9445 (In readMetadata of Utils.cpp, there is a possible path traversal bug d ...) NOT-FOR-US: Android CVE-2018-9444 (In ih264d_video_decode of ih264d_api.c there is a possible resource ex ...) NOT-FOR-US: Android Media Framework CVE-2018-9443 RESERVED CVE-2018-9442 RESERVED CVE-2018-9441 RESERVED CVE-2018-9440 RESERVED NOT-FOR-US: Android Media Framework CVE-2018-9439 RESERVED CVE-2018-9438 (When a device connects only over WiFi VPN, the device may not receive ...) NOT-FOR-US: Android CVE-2018-9437 (In getstring of ID3.cpp there is a possible out-of-bounds read due to ...) NOT-FOR-US: Android Media Framework CVE-2018-9436 (In bnep_data_ind of bnep_main.cc, there is a possible out of bounds re ...) NOT-FOR-US: Android CVE-2018-9435 RESERVED CVE-2018-9434 RESERVED NOT-FOR-US: Android CVE-2018-9433 RESERVED NOT-FOR-US: Android CVE-2018-9432 RESERVED NOT-FOR-US: Android CVE-2018-9431 RESERVED NOT-FOR-US: Android CVE-2018-9430 RESERVED NOT-FOR-US: Android CVE-2018-9429 RESERVED NOT-FOR-US: Android Media Framework CVE-2018-9428 RESERVED NOT-FOR-US: Android Media Framework CVE-2018-9427 (In CopyToOMX of OMXNodeInstance.cpp there is a possible out-of-bounds ...) NOT-FOR-US: Android Media Framework CVE-2018-9426 RESERVED NOT-FOR-US: Android CVE-2018-9425 (In Platform, there is a possible bypass of user interaction requiremen ...) NOT-FOR-US: Android CVE-2018-9424 RESERVED NOT-FOR-US: Android Media Framework CVE-2018-9423 RESERVED NOT-FOR-US: Android Media Framework CVE-2018-9422 (In get_futex_key of futex.c, there is a use-after-free due to improper ...) {DLA-1422-1} - linux 4.6.1-1 NOTE: https://git.kernel.org/linus/65d8fc777f6dcfee12785c057a6b57f679641c90 CVE-2018-9421 RESERVED NOT-FOR-US: Android Media Framework CVE-2018-9420 RESERVED NOT-FOR-US: Android CVE-2018-9419 RESERVED NOT-FOR-US: Android CVE-2018-9418 RESERVED NOT-FOR-US: Android CVE-2018-9417 RESERVED NOT-FOR-US: Android kernel (no source release, so not from upstream kernel) CVE-2018-9416 RESERVED NOT-FOR-US: Android kernel (no source release, so not from upstream kernel) CVE-2018-9415 (In driver_override_store and driver_override_show of bus.c, there is a ...) - linux 4.16.12-1 [stretch] - linux 4.9.107-1 [jessie] - linux (Vulnerable code not present) NOTE: https://source.android.com/security/bulletin/pixel/2018-07-01 NOTE: https://patchwork.kernel.org/patch/10175615/ CVE-2018-9414 RESERVED NOT-FOR-US: Android CVE-2018-9413 RESERVED NOT-FOR-US: Android CVE-2018-9412 RESERVED NOT-FOR-US: Android Media Framework CVE-2018-9411 RESERVED NOT-FOR-US: Android Media Framework CVE-2018-9410 RESERVED NOT-FOR-US: Android CVE-2018-9409 RESERVED CVE-2018-9408 RESERVED CVE-2018-9407 RESERVED CVE-2018-9406 RESERVED CVE-2018-9405 RESERVED CVE-2018-9404 RESERVED CVE-2018-9403 RESERVED CVE-2018-9402 RESERVED CVE-2018-9401 RESERVED CVE-2018-9400 RESERVED CVE-2018-9399 RESERVED CVE-2018-9398 RESERVED CVE-2018-9397 RESERVED CVE-2018-9396 RESERVED CVE-2018-9395 RESERVED CVE-2018-9394 RESERVED CVE-2018-9393 RESERVED CVE-2018-9392 RESERVED CVE-2018-9391 RESERVED CVE-2018-9390 RESERVED CVE-2018-9389 RESERVED CVE-2018-9388 RESERVED CVE-2018-9387 RESERVED CVE-2018-9386 RESERVED CVE-2018-9385 (In driver_override_store of bus.c, there is a possible out of bounds w ...) - linux 4.16.12-1 [stretch] - linux 4.9.107-1 [jessie] - linux (Vulnerable code not present) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1100491 NOTE: Related, but not the same as CVE-2018-9415 CVE-2018-9384 RESERVED CVE-2018-9383 RESERVED CVE-2018-9382 RESERVED CVE-2018-9381 RESERVED CVE-2018-9380 RESERVED CVE-2018-9379 RESERVED CVE-2018-9378 RESERVED CVE-2018-9377 RESERVED CVE-2018-9376 RESERVED NOT-FOR-US: Android CVE-2018-9375 RESERVED CVE-2018-9374 RESERVED CVE-2018-9373 RESERVED CVE-2018-9372 RESERVED CVE-2018-9371 RESERVED CVE-2018-9370 RESERVED CVE-2018-9369 RESERVED CVE-2018-9368 RESERVED CVE-2018-9367 RESERVED CVE-2018-9366 RESERVED CVE-2018-9365 RESERVED NOT-FOR-US: Android CVE-2018-9364 RESERVED CVE-2018-9363 (In the hidp_process_report in bluetooth, there is an integer overflow. ...) {DSA-4308-1 DLA-1531-1 DLA-1529-1} - linux 4.17.15-1 CVE-2018-9362 (In processMessagePart of InboundSmsHandler.java, there is a possible r ...) NOT-FOR-US: Android CVE-2018-9361 (In process_l2cap_cmd of l2c_main.cc, there is a possible out of bounds ...) NOT-FOR-US: Android CVE-2018-9360 (In process_l2cap_cmd of l2c_main.cc, there is a possible out of bounds ...) NOT-FOR-US: Android CVE-2018-9359 (In process_l2cap_cmd of l2c_main.cc, there is a possible out of bounds ...) NOT-FOR-US: Android CVE-2018-9358 (In gatts_process_attribute_req of gatt_sc.cc, there is a possible read ...) NOT-FOR-US: Android CVE-2018-9357 (In BNEP_Write of bnep_api.cc, there is a possible out of bounds write ...) NOT-FOR-US: Android CVE-2018-9356 (In bnep_data_ind of bnep_main.c, there is a possible remote code execu ...) NOT-FOR-US: Android CVE-2018-9355 (In bta_dm_sdp_result of bta_dm_act.cc, there is a possible out of boun ...) NOT-FOR-US: Android CVE-2018-9354 RESERVED CVE-2018-9353 RESERVED CVE-2018-9352 RESERVED CVE-2018-9351 RESERVED CVE-2018-9350 RESERVED CVE-2018-9349 RESERVED CVE-2018-9348 RESERVED NOT-FOR-US: Android Media Framework CVE-2018-9347 (In function SMF_ParseMetaEvent of file eas_smf.c there is incorrect in ...) NOT-FOR-US: Android Media Framework CVE-2018-9346 RESERVED NOT-FOR-US: Android Media Framework CVE-2018-9345 RESERVED NOT-FOR-US: Android Media Framework CVE-2018-9344 RESERVED NOT-FOR-US: Android Media Framework CVE-2018-9343 RESERVED CVE-2018-9342 RESERVED CVE-2018-9341 RESERVED NOT-FOR-US: Android Media Framework CVE-2018-9340 RESERVED NOT-FOR-US: Android CVE-2018-9339 RESERVED NOT-FOR-US: Android CVE-2018-9338 RESERVED NOT-FOR-US: Android CVE-2018-9337 (The PAN-OS web interface administration page in PAN-OS 6.1.20 and earl ...) NOT-FOR-US: PAN-OS CVE-2018-9336 (openvpnserv.exe (aka the interactive service helper) in OpenVPN 2.4.x ...) - openvpn (Windows specific issue) NOTE: https://github.com/OpenVPN/openvpn/commit/1394192b210cb3c6624a7419bcf3ff966742e79b CVE-2018-9335 (The PAN-OS session browser in PAN-OS 6.1.20 and earlier, PAN-OS 7.1.16 ...) NOT-FOR-US: PAN-OS CVE-2018-9334 (The PAN-OS management web interface page in PAN-OS 6.1.20 and earlier, ...) NOT-FOR-US: PAN-OS CVE-2018-9333 RESERVED CVE-2018-9332 RESERVED CVE-2018-9331 (An issue was discovered in zzcms 8.2. user/adv.php allows remote attac ...) NOT-FOR-US: zzcms CVE-2016-10720 RESERVED CVE-2016-10719 (TP-Link Archer CR-700 1.0.6 devices have an XSS vulnerability that can ...) NOT-FOR-US: TP-Link CVE-2018-9330 (register.jsp in Coremail XT3.0 allows stored XSS, as demonstrated by t ...) NOT-FOR-US: Coremail XT3.0 CVE-2018-9329 REJECTED CVE-2018-9328 (PHP Scripts Mall Redbus Clone Script 3.0.6 has XSS via the ter_from or ...) NOT-FOR-US: PHP Scripts Mall Redbus Clone Script CVE-2018-9327 (Etherpad 1.5.x and 1.6.x before 1.6.4 allows an attacker to execute ar ...) - etherpad-lite (bug #576998) CVE-2018-9326 (Etherpad 1.6.3 before 1.6.4 allows an attacker to execute arbitrary co ...) - etherpad-lite (bug #576998) CVE-2018-9325 (Etherpad 1.5.x and 1.6.x before 1.6.4 allows an attacker to export all ...) - etherpad-lite (bug #576998) CVE-2018-9324 REJECTED CVE-2018-9323 REJECTED CVE-2018-9322 (The Head Unit HU_NBT (aka Infotainment) component on BMW i Series, BMW ...) NOT-FOR-US: Head Unit HU_NBT (aka Infotainment) component on BMW vehicles CVE-2018-9321 REJECTED CVE-2018-9320 (The Head Unit HU_NBT (aka Infotainment) component on BMW i Series, BMW ...) NOT-FOR-US: BMW (Head Unit HU_NBT component) on BMW vehicles CVE-2018-9319 REJECTED CVE-2018-9318 (The Telematics Control Unit (aka Telematic Communication Box or TCB), ...) NOT-FOR-US: Telematics Control Unit (aka Telematic Communication Box or TCB) on BMW vehicles CVE-2018-9317 REJECTED CVE-2018-9316 REJECTED CVE-2018-9315 REJECTED CVE-2018-9314 (The Head Unit HU_NBT (aka Infotainment) component on BMW i Series, BMW ...) NOT-FOR-US: Head Unit HU_NBT (aka Infotainment) component on BMW vehicles CVE-2018-9313 (The Head Unit HU_NBT (aka Infotainment) component on BMW i Series, BMW ...) NOT-FOR-US: Head Unit HU_NBT (aka Infotainment) component on BMW vehicles CVE-2018-9312 (The Head Unit HU_NBT (aka Infotainment) component on BMW i Series, BMW ...) NOT-FOR-US: Head Unit HU_NBT (aka Infotainment) component on BMW vehicles CVE-2018-9311 (The Telematics Control Unit (aka Telematic Communication Box or TCB), ...) NOT-FOR-US: Telematics Control Unit (aka Telematic Communication Box or TCB) on BMW vehicles CVE-2018-1000155 (OpenFlow version 1.0 onwards contains a Denial of Service and Improper ...) NOT-FOR-US: Flaw in the OpenFlow protocol CVE-2018-1000154 (Zammad GmbH Zammad version 2.3.0 and earlier contains a Improper Neutr ...) - zammad (bug #841355) CVE-2018-1000142 (An exposure of sensitive information vulnerability exists in Jenkins G ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000143 (An exposure of sensitive information vulnerability exists in Jenkins G ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000144 (A cross site scripting vulnerability exists in Jenkins Cucumber Living ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000145 (An exposure of sensitive information vulnerability exists in Jenkins P ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000146 (An arbitrary code execution vulnerability exists in Liquibase Runner P ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000147 (An exposure of sensitive information vulnerability exists in Jenkins P ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000148 (An exposure of sensitive information vulnerability exists in Jenkins C ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000149 (A man in the middle vulnerability exists in Jenkins Ansible Plugin 0.8 ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000150 (An exposure of sensitive information vulnerability exists in Jenkins R ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000151 (A man in the middle vulnerability exists in Jenkins vSphere Plugin 2.1 ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000152 (An improper authorization vulnerability exists in Jenkins vSphere Plug ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000153 (A cross-site request forgery vulnerability exists in Jenkins vSphere P ...) NOT-FOR-US: Jenkins plugin CVE-2018-9310 (An issue was discovered in MagniComp SysInfo before 10-H82 if setuid r ...) NOT-FOR-US: MagniComp SysInfo CVE-2018-9309 (An issue was discovered in zzcms 8.2. It allows SQL injection via the ...) NOT-FOR-US: zzcms CVE-2018-9308 RESERVED CVE-2018-9307 (dsmall v20180320 allows XSS via the pdr_sn parameter to public/index.p ...) NOT-FOR-US: dsmall CVE-2018-9306 REJECTED CVE-2018-9305 (In Exiv2 0.26, an out-of-bounds read in IptcData::printStructure in ip ...) - exiv2 (Vulnerable code introduced after 0.25; only affected experimental) NOTE: https://github.com/Exiv2/exiv2/issues/263 CVE-2018-9304 (In Exiv2 0.26, a divide by zero in BigTiffImage::printIFD in bigtiffim ...) - exiv2 (Vulnerable code introduced after 0.26; only affected experimental) NOTE: https://github.com/Exiv2/exiv2/issues/262 CVE-2018-9303 (In Exiv2 0.26, an assertion failure in BigTiffImage::readData in bigti ...) - exiv2 (Vulnerable code introduced after 0.26; only affected experimental) NOTE: https://github.com/Exiv2/exiv2/issues/262 CVE-2018-9302 (SSRF (Server Side Request Forgery) in /assets/lib/fuc.js.php in Cockpi ...) NOT-FOR-US: Cockpit CMS (different from src:cockpit) CVE-2018-9301 RESERVED CVE-2018-9300 RESERVED CVE-2018-9299 RESERVED CVE-2018-9298 RESERVED CVE-2018-9297 RESERVED CVE-2018-9296 RESERVED CVE-2018-9295 RESERVED CVE-2018-9294 RESERVED CVE-2018-9293 RESERVED CVE-2018-9292 RESERVED CVE-2018-9291 RESERVED CVE-2018-9290 RESERVED CVE-2018-9289 RESERVED CVE-2018-9288 RESERVED CVE-2018-9287 RESERVED CVE-2018-9286 RESERVED CVE-2018-9243 (GitLab Community and Enterprise Editions version 8.4 up to 10.4 are vu ...) - gitlab 10.6.3+dfsg-1 (bug #894869) NOTE: https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/ CVE-2018-9244 (GitLab Community and Enterprise Editions version 9.2 up to 10.4 are vu ...) - gitlab 10.6.3+dfsg-1 (bug #894868) [stretch] - gitlab (Vulnerable code introduced in 9.2) NOTE: https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/ CVE-2018-XXXX [Confidential issue comments in Slack, Mattermost, and webhook integrations] - gitlab 10.6.3+dfsg-1 (bug #894867) NOTE: https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/ CVE-2018-9285 (Main_Analysis_Content.asp in /apply.cgi on ASUS RT-AC66U, RT-AC68U, RT ...) NOT-FOR-US: ASUS CVE-2018-9284 (authentication.cgi on D-Link DIR-868L devices with Singapore StarHub f ...) NOT-FOR-US: D-Link CVE-2018-9283 (An XSS issue was discovered in CremeCRM 1.6.12. It is affected by 10 s ...) NOT-FOR-US: Creme CRM CVE-2018-9282 (An XSS issue was discovered in Subsonic Media Server 6.1.1. The podcas ...) NOT-FOR-US: Subsonic Media Server CVE-2018-9281 (An issue was discovered on Eaton UPS 9PX 8000 SP devices. The administ ...) NOT-FOR-US: Eaton CVE-2018-9280 (An issue was discovered on Eaton UPS 9PX 8000 SP devices. The applianc ...) NOT-FOR-US: Eaton CVE-2018-9279 (An issue was discovered on Eaton UPS 9PX 8000 SP devices. The applianc ...) NOT-FOR-US: Eaton CVE-2018-9278 RESERVED CVE-2018-9277 RESERVED CVE-2018-9276 (An issue was discovered in PRTG Network Monitor before 18.2.39. An att ...) NOT-FOR-US: PRTG Network Monitor CVE-2018-9275 (In check_user_token in util.c in the Yubico PAM module (aka pam_yubico ...) - yubico-pam 2.26-1 (bug #896491) [stretch] - yubico-pam (Minor issue) [jessie] - yubico-pam (Vulnerable code introduced later) [wheezy] - yubico-pam (Vulnerable code introduced later) NOTE: https://bugzilla.opensuse.org/show_bug.cgi?id=1088027 NOTE: Fixed by: https://github.com/Yubico/yubico-pam/commit/0f6ceabab0a8849b47f67d727aa526c2656089ba NOTE: Introduced in: https://github.com/Yubico/yubico-pam/commit/d9780eacd9e61c5062cdabdce21c224de1884583 (2.18) NOTE: https://github.com/Yubico/yubico-pam/issues/136 CVE-2017-18257 (The __get_data_block function in fs/f2fs/data.c in the Linux kernel be ...) {DSA-4188-1} - linux 4.11.6-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/b86e33075ed1909d8002745b56ecf73b833db143 CVE-2018-1002150 (Koji version 1.12, 1.13, 1.14 and 1.15 contain an incorrect access con ...) - koji (Issue introduced in 1.12.0, cf. #894832) NOTE: http://www.openwall.com/lists/oss-security/2018/04/04/1 NOTE: https://docs.pagure.org/koji/CVE-2018-1002150/ NOTE: https://pagure.io/koji/issue/850 NOTE: Fixed by: https://pagure.io/koji/c/ab1ade7 CVE-2018-9274 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, ui/failure_message.c ...) - wireshark 2.4.6-1 [stretch] - wireshark (Vulnerable code not present) [jessie] - wireshark (Vulnerable code not present) [wheezy] - wireshark (Vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14489 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=211845aba4794720ae265c782cdffddae54a3e7a NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f38e895dfc0d97bce64f73ce99df706911d9aa07 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-24.html CVE-2018-9273 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/dissectors/packe ...) - wireshark 2.4.6-1 [stretch] - wireshark 2.2.6+g32dac6a-2+deb9u3 [jessie] - wireshark (Vulnerable code not present) [wheezy] - wireshark (Vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14488 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=1f8f1456f1e73b6c09e50a64749e43413ac12df7 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-24.html CVE-2018-9272 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/dissectors/packe ...) - wireshark 2.4.6-1 (low) [jessie] - wireshark (Minor issue) [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14487 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=6e3b90824a82724f445a0374e99f0b76e4cf5e8b NOTE: https://www.wireshark.org/security/wnpa-sec-2018-24.html NOTE: Applying patch for versions 1.12 and older requires introduction of a new NOTE: memory management system (wmem). CVE-2018-9271 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/dissectors/packe ...) - wireshark 2.4.6-1 (low) [jessie] - wireshark (Minor issue) [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14486 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=5b0228945dc74ee82d2ab4a4e7af2bdfe7b75910 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-24.html CVE-2018-9270 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/oids.c has a mem ...) {DLA-1634-1 DLA-1388-1} - wireshark 2.4.6-1 (low) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14485 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=0fbc50f9b9219be54d6db47f04b65af19696a7c7 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-24.html CVE-2018-9269 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/dissectors/packe ...) {DLA-1634-1 DLA-1388-1} - wireshark 2.4.6-1 (low) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14484 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=e19aba33026212cbe000ece633adf14d109489fa NOTE: https://www.wireshark.org/security/wnpa-sec-2018-24.html CVE-2018-9268 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/dissectors/packe ...) {DLA-1634-1 DLA-1388-1} - wireshark 2.4.6-1 (low) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14483 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=c69d710d2bf39fe633800db65efddf55701131b6 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-24.html CVE-2018-9267 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/dissectors/packe ...) - wireshark 2.4.6-1 (low) [jessie] - wireshark (Minor issue) [wheezy] - wireshark (Minor issue) NOTE: applying patch in jessie/wheezy requires introduction of a new memory management system (wmem) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14482 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=8ed057f7faa709dbde34b91f0715a957837f74d9 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-24.html CVE-2018-9266 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/dissectors/packe ...) - wireshark 2.4.6-1 [jessie] - wireshark (Vulnerable code not present) [wheezy] - wireshark (Vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14481 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=9d3714e767cb104dcfa1647935fa5960b16bb8e1 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-24.html CVE-2018-9265 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/dissectors/packe ...) - wireshark 2.4.6-1 (low) [jessie] - wireshark (Minor issue) [wheezy] - wireshark (Minor issue) NOTE: applying patch in jessie/wheezy requires introduction of a new memory management system (wmem) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14480 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=b12cc581cd4878d74b6116ca02c7dbe650c1f242 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-24.html CVE-2018-9264 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the ADB dissector cou ...) - wireshark 2.4.6-1 [stretch] - wireshark 2.2.6+g32dac6a-2+deb9u3 [jessie] - wireshark (Vulnerable code not present (only adb_cs available)) [wheezy] - wireshark (Vulnerable code not present (only adb_cs available)) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14460 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=0290a62be0fca8da9bb190f59dc1fe26c1d65024 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-16.html CVE-2018-9263 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the Kerberos dissecto ...) {DLA-1634-1 DLA-1388-1} - wireshark 2.4.6-1 (low) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14576 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=4fe65168fd0de81306710330aa414f10f53cbdf0 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-23.html CVE-2018-9262 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the VLAN dissector co ...) {DLA-1634-1} - wireshark 2.4.6-1 (low) [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14469 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f05c3b91f9571210b86576ee6284e71a3306109d NOTE: https://www.wireshark.org/security/wnpa-sec-2018-19.html CVE-2018-9261 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the NBAP dissector co ...) {DSA-4217-1 DLA-1388-1} - wireshark 2.4.6-1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14471 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=66bc372716e04d6a8afdf6712583c9b5d11fee55 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-18.html CVE-2018-9260 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the IEEE 802.15.4 dis ...) {DLA-1634-1 DLA-1388-1} - wireshark 2.4.6-1 (low) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14468 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=14d6f717d8ea27688af48532edb1d29f502ea8f0 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-17.html CVE-2018-9259 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the MP4 dissector cou ...) {DLA-1634-1} - wireshark 2.4.6-1 (low) [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13777 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2113179835b37549f245ac7c05ff2b96276893e4 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-15.html CVE-2018-9258 (In Wireshark 2.4.0 to 2.4.5, the TCP dissector could crash. This was a ...) {DLA-1634-1 DLA-1388-1} - wireshark 2.4.6-1 (low) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14472 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2d4695de1477df60b0188fd581c0c279db601978 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-21.html CVE-2018-9257 (In Wireshark 2.4.0 to 2.4.5, the CQL dissector could go into an infini ...) - wireshark 2.4.6-1 (low) [jessie] - wireshark (Vulnerable code not present) [wheezy] - wireshark (Vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14530 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=d7a9501b0439a5dbf24016a95b4896170d789dc2 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-22.html CVE-2018-9256 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the LWAPP dissector c ...) {DLA-1634-1} - wireshark 2.4.6-1 (low) [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14467 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=dac48f148538c706c446e5105d84ebcb54587528 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-20.html CVE-2018-9255 RESERVED CVE-2018-9254 RESERVED CVE-2018-9253 RESERVED CVE-2018-9252 (JasPer 2.0.14 allows denial of service via a reachable assertion in th ...) - jasper (unimportant) NOTE: https://github.com/mdadams/jasper/issues/173 NOTE: Negligible impact CVE-2018-9251 (The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma is ...) - libxml2 (Fix for CVE-2017-18258 not applied, cf. bug #895195) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=794914 NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74 NOTE: Before upstream commit https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb NOTE: the memlimit argument to lzma_auto_decoder was set to UINT64_MAX, possibly NOTE: allowing a malicious LZMA compressed files to consume large amounts of memory NOTE: when decompressed. Setting memlimit to UINT64_MAX the limiter is effectively NOTE: disabled and "lzma_auto_decoder(&state->strm, UINT64_MAX, 0)" can never result NOTE: in LZMA_MEMLIMIT_ERROR outcome because there is no way to exceed UINT64_MAX. NOTE: Thus CVE-2018-9251 is only affecting libxml2 if e2a9122b8dde53d320750451e9907a7dcb2ca8bb NOTE: is applied. CVE-2017-18258 (The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote ...) {DLA-1524-1} [experimental] - libxml2 2.9.7+dfsg-1 - libxml2 2.9.10+dfsg-2 (low; bug #895245) [buster] - libxml2 (Minor issue) [stretch] - libxml2 (Minor issue; wait for upstream fix for upstream bug 794914) [wheezy] - libxml2 (Minor issue; wait for upstream fix for upstream bug 794914) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=786696 NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb NOTE: When fixing this issue make sure to not open CVE-2018-9251 and apply NOTE: the fix for CVE-2018-9251 / https://bugzilla.gnome.org/show_bug.cgi?id=794914 CVE-2018-9250 (interface\super\edit_list.php in OpenEMR before v5_0_1_1 allows remote ...) NOT-FOR-US: OpenEMR CVE-2018-9249 (FiberHome VDSL2 Modem HG 150-UB devices allow authentication bypass by ...) NOT-FOR-US: FiberHome VDSL2 Modem HG 150-UB devices CVE-2018-9248 (FiberHome VDSL2 Modem HG 150-UB devices allow authentication bypass vi ...) NOT-FOR-US: FiberHome VDSL2 Modem HG 150-UB devices CVE-2018-9247 (The upsql function in \Lib\Lib\Action\Admin\DataAction.class.php in Gx ...) NOT-FOR-US: Gxlcms QY CVE-2018-9246 (The PGObject::Util::DBAdmin module before 0.120.0 for Perl, as used in ...) - libpgobject-util-dbadmin-perl 0.130.1-1 (bug #900942) [stretch] - libpgobject-util-dbadmin-perl (Minor issue) NOTE: https://github.com/ledgersmb/PGObject-Util-DBAdmin/commit/2c25c3dbc8b832a657247d3ea63ae80f3c5df6b1 NOTE: https://github.com/ledgersmb/PGObject-Util-DBAdmin/commit/f4e684008ca9e182833a70793ae91288d2c80218 NOTE: https://github.com/ledgersmb/PGObject-Util-DBAdmin/commit/dc48d0e1af0dbf861779b2c781e0f4c612c22cfb NOTE: https://archive.ledgersmb.org/ledger-smb-announce/msg00280.html CVE-2018-9245 (The Ericsson-LG iPECS NMS A.1Ac login portal has a SQL injection vulne ...) NOT-FOR-US: Ericsson-LG iPECS NMS A.1Ac login portal CVE-2018-9242 (The PAN-OS management web interface page in PAN-OS 6.1.20 and earlier, ...) NOT-FOR-US: PAN-OS CVE-2018-9241 RESERVED CVE-2018-9239 RESERVED CVE-2018-9238 (proberv.php in Yahei-PHP Proberv 0.4.7 has XSS via the funName paramet ...) NOT-FOR-US: Yahei-PHP Proberv CVE-2018-9237 (iScripts EasyCreate 3.2.1 has Stored Cross-Site Scripting in the "Site ...) NOT-FOR-US: iScripts EasyCreate CVE-2018-9236 (iScripts EasyCreate 3.2.1 has Stored Cross-Site Scripting in the "Site ...) NOT-FOR-US: iScripts EasyCreate CVE-2018-9235 (iScripts SonicBB 1.0 has Reflected Cross-Site Scripting via the query ...) NOT-FOR-US: iScripts SonicBB CVE-2017-18256 (Brave Browser before 0.13.0 allows remote attackers to cause a denial ...) - brave-browser (bug #864795) CVE-2016-10718 (Brave Browser before 0.13.0 allows a tab to close itself even if the t ...) - brave-browser (bug #864795) CVE-2018-9234 (GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key ce ...) - gnupg2 2.2.7-1 (low; bug #894983) [stretch] - gnupg2 (Minor issue) [jessie] - gnupg2 (Minor issue) [wheezy] - gnupg2 (Minor issue) NOTE: https://dev.gnupg.org/T3844 NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=a17d2d1f690ebe5d005b4589a5fe378b6487c657 CVE-2018-9240 (ncmpc through 0.29 is prone to a NULL pointer dereference flaw. If a u ...) {DLA-2186-1} - ncmpc 0.33-1 (low; bug #894724) [stretch] - ncmpc 0.25-0.1+deb9u1 [wheezy] - ncmpc (Minor issue) CVE-2018-9233 (Sophos Endpoint Protection 10.7 uses an unsalted SHA-1 hash for passwo ...) NOT-FOR-US: Sophos CVE-2018-9232 (Due to the lack of firmware authentication in the upgrade process of T ...) NOT-FOR-US: T&W WIFI Repeater BE126 devices CVE-2018-9231 RESERVED CVE-2018-9230 (** DISPUTED ** In OpenResty through 1.13.6.1, URI parameters are obtai ...) NOT-FOR-US: OpenResty CVE-2018-9229 RESERVED CVE-2018-9228 RESERVED CVE-2018-9227 RESERVED CVE-2018-9226 RESERVED CVE-2018-9225 RESERVED CVE-2018-9224 RESERVED CVE-2018-9223 RESERVED CVE-2018-9222 RESERVED CVE-2018-9221 RESERVED CVE-2018-9220 RESERVED CVE-2018-9219 RESERVED CVE-2018-9218 RESERVED CVE-2018-9217 RESERVED CVE-2018-9216 RESERVED CVE-2018-9215 RESERVED CVE-2018-9214 RESERVED CVE-2018-9213 RESERVED CVE-2018-9212 RESERVED CVE-2018-9211 RESERVED CVE-2018-9210 RESERVED CVE-2018-9209 (Unauthenticated arbitrary file upload vulnerability in FineUploader ph ...) NOT-FOR-US: FineUploader CVE-2018-9208 (Unauthenticated arbitrary file upload vulnerability in jQuery Picture ...) NOT-FOR-US: jQuery Picture CVE-2018-9207 (Arbitrary file upload in jQuery Upload File <= 4.0.2 ...) NOT-FOR-US: jQuery Upload File (different from src:libjs-jquery-file-upload) CVE-2018-9206 (Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery- ...) - libjs-jquery-file-upload 9.25.0-1 NOTE: https://github.com/blueimp/jQuery-File-Upload/pull/3514 NOTE: http://www.vapidlabs.com/advisory.php?v=204 CVE-2018-9205 (Vulnerability in avatar_uploader v7.x-1.0-beta8 , The code in view.php ...) NOT-FOR-US: avatar_uploader CVE-2018-9204 RESERVED CVE-2018-9203 RESERVED CVE-2018-9202 RESERVED CVE-2018-9201 RESERVED CVE-2018-9200 RESERVED CVE-2018-9199 RESERVED CVE-2018-9198 RESERVED CVE-2018-9197 RESERVED CVE-2018-9196 RESERVED CVE-2018-9195 (Use of a hardcoded cryptographic key in the FortiGuard services commun ...) NOT-FOR-US: FortiGuard CVE-2018-9194 (A plaintext recovery of encrypted messages or a Man-in-the-middle (MiT ...) NOT-FOR-US: Fortinet FortiOS CVE-2018-9193 (A local privilege escalation in Fortinet FortiClient for Windows 6.0.4 ...) NOT-FOR-US: Fortinet FortiClient CVE-2018-9192 (A plaintext recovery of encrypted messages or a Man-in-the-middle (MiT ...) NOT-FOR-US: Fortinet FortiOS CVE-2018-9191 (A local privilege escalation in Fortinet FortiClient for Windows 6.0.4 ...) NOT-FOR-US: Fortinet FortiClient CVE-2018-9190 (A null pointer dereference vulnerability in Fortinet FortiClientWindow ...) NOT-FOR-US: Fortinet CVE-2018-9189 RESERVED CVE-2018-9188 RESERVED CVE-2018-9187 RESERVED CVE-2018-9186 (A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthentica ...) NOT-FOR-US: Fortinet CVE-2018-9185 (An information disclosure vulnerability in Fortinet FortiOS 6.0.0 and ...) NOT-FOR-US: Fortinet CVE-2018-9184 RESERVED CVE-2018-9183 (The Joom Sky JS Jobs extension before 1.2.1 for Joomla! has XSS. ...) NOT-FOR-US: Joomla addon CVE-2018-9182 (Twonky Server before 8.5.1 has XSS via a modified "language" parameter ...) NOT-FOR-US: Twonky Server CVE-2018-9181 RESERVED CVE-2018-9180 RESERVED CVE-2018-9179 RESERVED CVE-2018-9178 RESERVED CVE-2018-9177 (Twonky Server before 8.5.1 has XSS via a folder name on the Shared Fol ...) NOT-FOR-US: Twonky Server CVE-2018-9176 RESERVED CVE-2018-9175 (DedeCMS 5.7 allows remote attackers to execute arbitrary PHP code via ...) NOT-FOR-US: DedeCMS CVE-2018-9174 (sys_verifies.php in DedeCMS 5.7 allows remote attackers to execute arb ...) NOT-FOR-US: DedeCMS CVE-2018-9173 (Cross-site scripting (XSS) vulnerability in admin/template/js/uploadif ...) NOT-FOR-US: GetSimple CMS CVE-2018-9172 (The Iptanus WordPress File Upload plugin before 4.3.3 for WordPress mi ...) NOT-FOR-US: Wordpress plugin CVE-2018-9171 RESERVED CVE-2018-9170 RESERVED CVE-2018-9169 (Z-BlogPHP 1.5.1 has XSS via the zb_users/plugin/AppCentre/plugin_edit. ...) NOT-FOR-US: Z-BlogPHP CVE-2018-9168 RESERVED CVE-2018-9167 RESERVED CVE-2018-9166 RESERVED CVE-2018-9165 (The pushdup function in util/decompile.c in libming through 0.4.8 does ...) {DLA-1343-1} - ming NOTE: https://github.com/libming/libming/issues/121 CVE-2018-9164 RESERVED CVE-2018-9163 (A stored Cross-site scripting (XSS) vulnerability in Zoho ManageEngine ...) NOT-FOR-US: Zoho CVE-2018-9162 (Contec Smart Home 4.15 devices do not require authentication for new_u ...) NOT-FOR-US: Contec Smart Home CVE-2018-9161 (Prisma Industriale Checkweigher PrismaWEB 1.21 allows remote attackers ...) NOT-FOR-US: Prisma Industriale Checkweigher PrismaWEB CVE-2018-9160 (SickRage before v2018.03.09-1 includes cleartext credentials in HTTP r ...) NOT-FOR-US: SickRage CVE-2018-9159 (In Spark before 2.7.2, a remote attacker can read unintended static fi ...) NOT-FOR-US: Spark Java framework (unrelated to src:spark) CVE-2018-9158 (An issue was discovered on AXIS M1033-W (IP camera) Firmware version 5 ...) NOT-FOR-US: AXIS CVE-2018-9157 (** DISPUTED ** An issue was discovered on AXIS M1033-W (IP camera) Fir ...) NOT-FOR-US: AXIS CVE-2018-9156 (** DISPUTED ** An issue was discovered on AXIS P1354 (IP camera) Firmw ...) NOT-FOR-US: AXIS CVE-2018-9155 (Cross-site scripting (XSS) vulnerability in Open-AudIT Professional 2. ...) NOT-FOR-US: Open-AudIT Professional CVE-2018-9154 (There is a reachable abort in the function jpc_dec_process_sot in libj ...) - jasper (unimportant) CVE-2018-9153 (The plugin upload component in Z-BlogPHP 1.5.1 allows remote attackers ...) NOT-FOR-US: Z-BlogPHP CVE-2017-18255 (The perf_cpu_time_max_percent_handler function in kernel/events/core.c ...) {DLA-1423-1} - linux 4.11.6-1 (unimportant) [stretch] - linux 4.9.107-1 NOTE: https://git.kernel.org/linus/1572e45a924f254d9570093abde46430c3172e3d CVE-2015-9259 (In Docker Notary before 0.1, the checkRoot function in gotuf/client/cl ...) - notary 0.1~ds1-1 CVE-2015-9258 (In Docker Notary before 0.1, gotuf/signed/verify.go has a Signature Al ...) - notary 0.1~ds1-1 CVE-2018-9152 RESERVED CVE-2018-9151 (A NULL pointer dereference bug in the function ObReferenceObjectByHand ...) NOT-FOR-US: Kingsoft Internet Security CVE-2018-9150 RESERVED CVE-2018-9149 (The Zyxel Multy X (AC3000 Tri-Band WiFi System) device doesn't use a s ...) NOT-FOR-US: Zyxel CVE-2018-9148 (Western Digital WD My Cloud v04.05.00-320 devices embed the session to ...) NOT-FOR-US: Western Digital WD My Cloud CVE-2018-9147 (Cross-site scripting (XSS) vulnerabilities in version 7.5.7 of Gespage ...) NOT-FOR-US: Gespage CVE-2018-9146 REJECTED CVE-2018-9145 (In the DataBuf class in include/exiv2/types.hpp in Exiv2 0.26, an issu ...) - exiv2 (Vulnerable code introduced later; only affected experimental; bug #910909) NOTE: https://github.com/xiaoqx/pocs/tree/master/exiv2 NOTE: https://github.com/Exiv2/exiv2/pull/470 NOTE: Fixed with: https://github.com/Exiv2/exiv2/commit/c03f73268f65c73f9d3d7b670f13e48e92692750 NOTE: Issue introduced after https://github.com/Exiv2/exiv2/commit/163f3ce7f17a143f58d857a5cba3cb7b24436a2a CVE-2018-9144 (In Exiv2 0.26, there is an out-of-bounds read in Exiv2::Internal::bina ...) - exiv2 0.27.2-6 (low) [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) [jessie] - exiv2 (Minor issue) [wheezy] - exiv2 (Vulnerable code not present) NOTE: https://github.com/Exiv2/exiv2/issues/254 NOTE: https://github.com/xiaoqx/pocs/tree/master/exiv2 NOTE: https://github.com/Exiv2/exiv2/pull/180 intends to fix this CVE-2018-9143 (On Samsung mobile devices with M(6.0) and N(7.x) software, a heap over ...) NOT-FOR-US: Samsung CVE-2018-9142 (On Samsung mobile devices with N(7.x) software, attackers can install ...) NOT-FOR-US: Samsung CVE-2018-9141 (On Samsung mobile devices with L(5.x), M(6.0), and N(7.x) software, Ga ...) NOT-FOR-US: Samsung CVE-2018-9140 (On Samsung mobile devices with M(6.0) software, the Email application ...) NOT-FOR-US: Samsung CVE-2018-9139 (On Samsung mobile devices with N(7.x) software, a buffer overflow in t ...) NOT-FOR-US: Samsung CVE-2018-9138 (An issue was discovered in cplus-dem.c in GNU libiberty, as distribute ...) - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23008 NOTE: binutils not covered by security support CVE-2018-9137 (Open-AudIT before 2.2 has CSV Injection. ...) NOT-FOR-US: Open-AudIT CVE-2018-9136 (windrvr1260.sys in Jungo DriverWizard WinDriver 12.6.0 allows attacker ...) NOT-FOR-US: Jungo CVE-2018-9135 (In ImageMagick 7.0.7-24 Q16, there is a heap-based buffer over-read in ...) - imagemagick 8:6.9.10.8+dfsg-1 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1009 NOTE: https://github.com/ImageMagick/ImageMagick/commit/361ed689cc8e56fd125f9d0d6508e9eb303bdca6 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/4f7196b0b7539b113f2580b6a77aa496813d8899 NOTE: webp support not enabled, see #806425 CVE-2018-9134 (file_manage_control.php in DedeCMS 5.7 has CSRF in an fmdo=rename acti ...) NOT-FOR-US: DedeCMS CVE-2018-9133 (ImageMagick 7.0.7-26 Q16 has excessive iteration in the DecodeLabImage ...) [experimental] - imagemagick 8:6.9.10.2+dfsg-1 - imagemagick 8:6.9.10.2+dfsg-2 (low; bug #894848) [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (Minor issue) [wheezy] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1072 NOTE: IM6: https://github.com/ImageMagick/ImageMagick/commit/089fca04e0130549fa15f48ace3f56e30a06049a NOTE: IM7: https://github.com/ImageMagick/ImageMagick/commit/19b96ba61431914e2ac316b72c0789965f2b7c09 CVE-2018-9132 (libming 0.4.8 has a NULL pointer dereference in the getInt function of ...) {DLA-1386-1} - ming NOTE: https://github.com/libming/libming/issues/133 CVE-2018-9131 REJECTED CVE-2018-9130 (IBOS 4.4.3 has XSS via a company full name. ...) NOT-FOR-US: IBOS CVE-2018-9129 (ZyXEL ZyWALL/USG series devices have a Bleichenbacher vulnerability in ...) NOT-FOR-US: ZyXEL ZyWALL/USG series devices CVE-2018-9128 (DVD X Player Standard 5.5.3.9 has a Buffer Overflow via a crafted .plf ...) NOT-FOR-US: DVD X Player Standard CVE-2018-9127 (Botan 2.2.0 - 2.4.0 (fixed in 2.5.0) improperly handled wildcard certi ...) - botan 2.4.0-5 (bug #894648) CVE-2018-9126 (The DNNArticle module 11 for DNN (formerly DotNetNuke) allows remote a ...) NOT-FOR-US: DNN CVE-2018-9125 RESERVED CVE-2018-9124 RESERVED CVE-2018-9123 (In Crea8social 2018.2, there is Stored Cross-Site Scripting via a User ...) NOT-FOR-US: Crea8social CVE-2018-9122 (In Crea8social 2018.2, there is Reflected Cross-Site Scripting via the ...) NOT-FOR-US: Crea8social CVE-2018-9121 (In Crea8social 2018.2, there is Stored Cross-Site Scripting via a post ...) NOT-FOR-US: Crea8social CVE-2018-9120 (In Crea8social 2018.2, there is Stored Cross-Site Scripting via a post ...) NOT-FOR-US: Crea8social CVE-2018-9119 (An attacker with physical access to a BrilliantTS FUZE card (MCU firmw ...) NOT-FOR-US: BrilliantTS FUZE card CVE-2018-9118 (exports/download.php in the 99 Robots WP Background Takeover Advertise ...) NOT-FOR-US: 99 Robots WP Background Takeover Advertisements plugin for WordPress CVE-2018-9117 (WireMock before 2.16.0 contains a vulnerability that allows a remote u ...) NOT-FOR-US: WireMock CVE-2018-9116 (An XXE vulnerability within WireMock before 2.16.0 allows a remote una ...) NOT-FOR-US: WireMock CVE-2018-9115 (Systematic SitaWare 6.4 SP2 does not validate input from other sources ...) NOT-FOR-US: Systematic SitaWare CVE-2018-9114 RESERVED CVE-2018-9113 (Centers for Disease Control and Prevention MicrobeTRACE 0.1.12 allows ...) NOT-FOR-US: Centers for Disease Control and Prevention MicrobeTRACE CVE-2018-9112 (A low privileged admin account with a weak default password of admin e ...) NOT-FOR-US: Foxconn FEMTO AP-FC4064-T AP_GT_B38_5.8.3lb15-W47 LTE CVE-2018-9111 (Cross Site Scripting (XSS) exists on the Foxconn FEMTO AP-FC4064-T AP_ ...) NOT-FOR-US: Foxconn FEMTO AP-FC4064-T AP_GT_B38_5.8.3lb15-W47 LTE CVE-2018-9110 (Studio 42 elFinder before 2.1.37 has a directory traversal vulnerabili ...) NOT-FOR-US: Studio 42 elFinder CVE-2018-9109 (Studio 42 elFinder before 2.1.36 has a directory traversal vulnerabili ...) NOT-FOR-US: Studio 42 elFinder CVE-2018-9108 (CSRF in /admin/user/manage/add in QuickAppsCMS 2.0.0-beta2 allows an u ...) NOT-FOR-US: QuickAppsCMS CVE-2018-9107 (CSV Injection (aka Excel Macro Injection or Formula Injection) exists ...) NOT-FOR-US: Acyba AcyMailing extension for Joomla! CVE-2018-9106 (CSV Injection (aka Excel Macro Injection or Formula Injection) exists ...) NOT-FOR-US: Acyba AcyMailing extension for Joomla! CVE-2018-9105 (NordVPN 3.3.10 for macOS suffers from a root privilege escalation vuln ...) NOT-FOR-US: NordVPN CVE-2018-9104 (A vulnerability in the conferencing component of Mitel MiVoice Connect ...) NOT-FOR-US: Mitel CVE-2018-9103 (A vulnerability in the conferencing component of Mitel MiVoice Connect ...) NOT-FOR-US: Mitel CVE-2018-9102 (A vulnerability in the conferencing component of Mitel MiVoice Connect ...) NOT-FOR-US: Mitel CVE-2018-9101 (A vulnerability in the conferencing component of Mitel MiVoice Connect ...) NOT-FOR-US: Mitel CVE-2018-9100 RESERVED CVE-2018-9099 RESERVED CVE-2018-9098 RESERVED CVE-2018-9097 RESERVED CVE-2018-9096 RESERVED CVE-2018-9095 RESERVED CVE-2018-9094 RESERVED CVE-2018-9093 RESERVED CVE-2018-9092 (There is a CSRF vulnerability in mc-admin/conf.php in MiniCMS 1.10 tha ...) NOT-FOR-US: MiniCMS CVE-2018-9091 (A critical vulnerability in the KEMP LoadMaster Operating System (LMOS ...) NOT-FOR-US: KEMP LoadMaster Operating System CVE-2018-9090 (CoreOS Tectonic 1.7.x and 1.8.x before 1.8.7-tectonic.2 deploys the Gr ...) NOT-FOR-US: CoreOS Tectonic CVE-2018-9089 RESERVED CVE-2018-9088 RESERVED CVE-2018-9087 RESERVED CVE-2018-9086 (In some Lenovo ThinkServer-branded servers, a command injection vulner ...) NOT-FOR-US: Lenovo CVE-2018-9085 (A write protection lock bit was left unset after boot on an older gene ...) NOT-FOR-US: IBM CVE-2018-9084 (In System Management Module (SMM) versions prior to 1.06, if an attack ...) NOT-FOR-US: Lenovo / System Management Module (SMM) CVE-2018-9083 (In System Management Module (SMM) versions prior to 1.06, the SMM cont ...) NOT-FOR-US: Lenovo / System Management Module (SMM) CVE-2018-9082 (For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 ...) NOT-FOR-US: Lenovo CVE-2018-9081 (For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 ...) NOT-FOR-US: Lenovo CVE-2018-9080 (For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 ...) NOT-FOR-US: Lenovo CVE-2018-9079 (For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 ...) NOT-FOR-US: Lenovo CVE-2018-9078 (For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 ...) NOT-FOR-US: Lenovo CVE-2018-9077 (For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 ...) NOT-FOR-US: Lenovo CVE-2018-9076 (For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 ...) NOT-FOR-US: Lenovo CVE-2018-9075 (For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 ...) NOT-FOR-US: Lenovo CVE-2018-9074 (For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 ...) NOT-FOR-US: Lenovo CVE-2018-9073 (Lenovo Chassis Management Module (CMM) prior to version 2.0.0 utilizes ...) NOT-FOR-US: Lenovo Chassis Management Module CVE-2018-9072 (In versions prior to 5.5, LXCI for VMware allows an authenticated user ...) NOT-FOR-US: LXCI (Lenovo XClarity Integrator) CVE-2018-9071 (Lenovo Chassis Management Module (CMM) prior to version 2.0.0 allows u ...) NOT-FOR-US: Lenovo Chassis Management Module CVE-2018-9070 (For the Lenovo Smart Assistant Android app versions earlier than 12.1. ...) NOT-FOR-US: Lenovo CVE-2018-9069 (In some Lenovo IdeaPad consumer notebook models, a race condition in t ...) NOT-FOR-US: Lenovo CVE-2018-9068 (The IMM2 First Failure Data Capture function collects management modul ...) NOT-FOR-US: IBM CVE-2018-9067 (The Lenovo Help Android app versions earlier than 6.1.2.0327 had insuf ...) NOT-FOR-US: Lenovo CVE-2018-9066 (In Lenovo xClarity Administrator versions earlier than 2.1.0, an authe ...) NOT-FOR-US: Lenovo xClarity Administrator CVE-2018-9065 (In Lenovo xClarity Administrator versions earlier than 2.1.0, an attac ...) NOT-FOR-US: Lenovo xClarity Administrator CVE-2018-9064 (In Lenovo xClarity Administrator versions earlier than 2.1.0, an authe ...) NOT-FOR-US: Lenovo xClarity Administrator CVE-2018-9063 (MapDrv (C:\Program Files\Lenovo\System Update\mapdrv.exe) In Lenovo Sy ...) NOT-FOR-US: Lenovo CVE-2018-9062 (In some Lenovo ThinkPad products, one BIOS region is not properly incl ...) NOT-FOR-US: Lenovo CVE-2018-9061 RESERVED CVE-2018-9060 REJECTED CVE-2018-9059 (Stack-based buffer overflow in Easy File Sharing (EFS) Web Server 7.2 ...) NOT-FOR-US: Easy File Sharing (EFS) CVE-2018-9058 (In Long Range Zip (aka lrzip) 0.631, there is an infinite loop in the ...) - lrzip 0.631+git180517-1 (unimportant) NOTE: https://github.com/ckolivas/lrzip/issues/93 NOTE: No security impact CVE-2018-7600 (Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x be ...) {DSA-4156-1 DLA-1325-1} - drupal7 7.58-1 (bug #894259) NOTE: https://www.drupal.org/sa-core-2018-002 NOTE: https://groups.drupal.org/security/faq-2018-002 NOTE: https://www.drupal.org/psa-2018-001 NOTE: Drupal 7.x Patch: https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5 CVE-2018-9057 (aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform ...) NOT-FOR-US: HashiCorp Terraform Amazon Web Services CVE-2018-9056 (Systems with microprocessors utilizing speculative execution may allow ...) NOTE: Hardware side channel attack NOTE: http://www.cs.ucr.edu/~nael/pubs/asplos18.pdf CVE-2018-9055 (JasPer 2.0.14 allows denial of service via a reachable assertion in th ...) - jasper (unimportant) NOTE: https://github.com/mdadams/jasper/issues/172 NOTE: Negligible impact CVE-2018-9054 (In Windows Master (aka Windows Optimization Master) 7.99.13.604, the d ...) NOT-FOR-US: Windows Master (aka Windows Optimization Master) CVE-2018-9053 (In Windows Master (aka Windows Optimization Master) 7.99.13.604, the d ...) NOT-FOR-US: Windows Master (aka Windows Optimization Master) CVE-2018-9052 (In Windows Master (aka Windows Optimization Master) 7.99.13.604, the d ...) NOT-FOR-US: Windows Master (aka Windows Optimization Master) CVE-2018-9051 (In Windows Master (aka Windows Optimization Master) 7.99.13.604, the d ...) NOT-FOR-US: Windows Master (aka Windows Optimization Master) CVE-2018-9050 (In Windows Master (aka Windows Optimization Master) 7.99.13.604, the d ...) NOT-FOR-US: Windows Master (aka Windows Optimization Master) CVE-2018-9049 (In Windows Master (aka Windows Optimization Master) 7.99.13.604, the d ...) NOT-FOR-US: Windows Master (aka Windows Optimization Master) CVE-2018-9048 (In Windows Master (aka Windows Optimization Master) 7.99.13.604, the d ...) NOT-FOR-US: Windows Master (aka Windows Optimization Master) CVE-2018-9047 (In Windows Master (aka Windows Optimization Master) 7.99.13.604, the d ...) NOT-FOR-US: Windows Master (aka Windows Optimization Master) CVE-2018-9046 (In Windows Master (aka Windows Optimization Master) 7.99.13.604, the d ...) NOT-FOR-US: Windows Master (aka Windows Optimization Master) CVE-2018-9045 (In Windows Master (aka Windows Optimization Master) 7.99.13.604, the d ...) NOT-FOR-US: Windows Master (aka Windows Optimization Master) CVE-2018-9044 (In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_wi ...) NOT-FOR-US: Advanced SystemCare Ultimate CVE-2018-9043 (In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_wi ...) NOT-FOR-US: Advanced SystemCare Ultimate CVE-2018-9042 (In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_wi ...) NOT-FOR-US: Advanced SystemCare Ultimate CVE-2018-9041 (In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_wi ...) NOT-FOR-US: Advanced SystemCare Ultimate CVE-2018-9040 (In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_wi ...) NOT-FOR-US: Advanced SystemCare Ultimate CVE-2018-9039 (In Octopus Deploy 2.0 and later before 2018.3.7, an authenticated user ...) NOT-FOR-US: Octopus Deploy CVE-2018-9038 (Monstra CMS 3.0.4 allows remote attackers to delete files via an admin ...) NOT-FOR-US: Monstra CMS CVE-2018-9037 (Monstra CMS 3.0.4 allows remote code execution via an upload_file requ ...) NOT-FOR-US: Monstra CMS CVE-2018-9036 (CheckSec Canopy 3.x before 3.0.7 has stored XSS via the Login Page Dis ...) NOT-FOR-US: CheckSec Canopy CVE-2018-9035 (CSV Injection vulnerability in ExportToCsvUtf8.php of the Contact Form ...) NOT-FOR-US: Wordpress plugin CVE-2018-9034 (Cross-site scripting (XSS) vulnerability in lib/interface.php of the R ...) NOT-FOR-US: Wordpress plugin CVE-2018-9033 RESERVED CVE-2018-9032 (An authentication bypass vulnerability on D-Link DIR-850L Wireless AC1 ...) NOT-FOR-US: D-Link CVE-2018-9031 (The login interface on TNLSoftSolutions Sentry Vision 3.x devices prov ...) NOT-FOR-US: TNLSoftSolutions Sentry Vision 3.x devices CVE-2018-9030 RESERVED CVE-2018-9029 (An improper input validation vulnerability in CA Privileged Access Man ...) NOT-FOR-US: CA Privileged Access Manager CVE-2018-9028 (Weak cryptography used for passwords in CA Privileged Access Manager 2 ...) NOT-FOR-US: CA Privileged Access Manager CVE-2018-9027 (A reflected cross-site scripting vulnerability in CA Privileged Access ...) NOT-FOR-US: CA Privileged Access Manager CVE-2018-9026 (A session fixation vulnerability in CA Privileged Access Manager 2.x a ...) NOT-FOR-US: CA Privileged Access Manager CVE-2018-9025 (An input validation vulnerability in CA Privileged Access Manager 2.x ...) NOT-FOR-US: CA Privileged Access Manager CVE-2018-9024 (An improper authentication vulnerability in CA Privileged Access Manag ...) NOT-FOR-US: CA Privileged Access Manager CVE-2018-9023 (An input validation vulnerability in CA Privileged Access Manager 2.x ...) NOT-FOR-US: CA Privileged Access Manager CVE-2018-9022 (An authentication bypass vulnerability in CA Privileged Access Manager ...) NOT-FOR-US: CA Privileged Access Manager CVE-2018-9021 (An authentication bypass vulnerability in CA Privileged Access Manager ...) NOT-FOR-US: CA Privileged Access Manager CVE-2017-18254 (An issue was discovered in ImageMagick 7.0.7. A memory leak vulnerabil ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/commit/24d5699753170c141b46816284430516c2d48fed NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/53ea13989003cdb4955024f95b4a0158a2e871c6 NOTE: https://github.com/ImageMagick/ImageMagick/issues/808 CVE-2017-18253 (An issue was discovered in ImageMagick 7.0.7. A NULL pointer dereferen ...) - imagemagick (Vulnerable code introduced later) NOTE: https://github.com/ImageMagick/ImageMagick/issues/794 NOTE: https://github.com/ImageMagick/ImageMagick/commit/de5deab202c340162b65f65bafbbe17b1eda2c1a CVE-2017-18252 (An issue was discovered in ImageMagick 7.0.7. The MogrifyImageList fun ...) - imagemagick 8:6.9.9.34+dfsg-3 (low) [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (Minor issue) [wheezy] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/802 NOTE: https://github.com/ImageMagick/ImageMagick/commit/12f34b60564de1cbec08e23e2413dab5b64daeb7 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/bb04ccb34fd45e9c3020786857fb79b09f44d7db CVE-2017-18251 (An issue was discovered in ImageMagick 7.0.7. A memory leak vulnerabil ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/809 NOTE: https://github.com/ImageMagick/ImageMagick/commit/12a43437fec6f9245327636dc2730863bb9fdd8b NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/99718b41102f26f802311045e882aa947ef2941b CVE-2017-18250 (An issue was discovered in ImageMagick 7.0.7. A NULL pointer dereferen ...) - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/793 NOTE: https://github.com/ImageMagick/ImageMagick/commit/2f368e74a51ec7541b6595af712d17d6d1376534 CVE-2017-18249 (The add_free_nid function in fs/f2fs/node.c in the Linux kernel before ...) {DLA-1715-1} - linux 4.12.6-1 [stretch] - linux 4.9.144-1 [jessie] - linux (Hard to backport and low priority outside of Android) [wheezy] - linux (Vulnerable code not present) - linux-4.9 NOTE: Fixed by: https://git.kernel.org/linus/30a61ddf8117c26ac5b295e1233eaa9629a94ca3 CVE-2017-18248 (The add_job function in scheduler/ipp.c in CUPS before 2.2.6, when D-B ...) {DLA-1412-1 DLA-1387-1} - cups 2.2.6-1 [stretch] - cups 2.2.1-8+deb9u3 NOTE: https://github.com/apple/cups/commit/49fa4983f25b64ec29d548ffa3b9782426007df3 NOTE: https://github.com/apple/cups/issues/5143 CVE-2018-9020 (The Events Manager plugin before 5.8.1.2 for WordPress allows XSS via ...) NOT-FOR-US: Wordpress plugin CVE-2018-9019 (SQL Injection vulnerability in Dolibarr before version 7.0.2 allows re ...) - dolibarr NOTE: https://github.com/Dolibarr/dolibarr/commit/83b762b681c6dfdceb809d26ce95f3667b614739 CVE-2018-9018 (In GraphicsMagick 1.3.28, there is a divide-by-zero in the ReadMNGImag ...) {DSA-4321-1 DLA-1456-1 DLA-1322-1} - graphicsmagick 1.3.28-2 (bug #894396) NOTE: https://sourceforge.net/p/graphicsmagick/bugs/554/ NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/84040fada1ee CVE-2018-9017 (dsmall v20180320 allows XSS via the member search box at the public/in ...) NOT-FOR-US: dsmall CVE-2018-9016 (dsmall v20180320 allows XSS via the main page search box at the public ...) NOT-FOR-US: dsmall CVE-2018-9015 (dsmall v20180320 allows XSS via the public/index.php/home/predeposit/i ...) NOT-FOR-US: dsmall CVE-2018-9014 (dsmall v20180320 allows physical path leakage via a public/index.php/h ...) NOT-FOR-US: dsmall CVE-2018-9013 RESERVED CVE-2018-9012 RESERVED CVE-2018-9011 RESERVED CVE-2018-9010 (Intelbras TELEFONE IP TIP200/200 LITE 60.0.75.29 devices allow remote ...) NOT-FOR-US: Intelbras CVE-2018-9009 (In libming 0.4.8, there is a use-after-free in the decompileJUMP funct ...) {DLA-1386-1} - ming NOTE: https://github.com/libming/libming/issues/131 CVE-2018-9008 RESERVED CVE-2018-9007 (In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_x8 ...) NOT-FOR-US: Advanced SystemCare Ultimate CVE-2018-9006 (In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_wi ...) NOT-FOR-US: Advanced SystemCare Ultimate CVE-2018-9005 (In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_wi ...) NOT-FOR-US: Advanced SystemCare Ultimate CVE-2018-9004 (In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_x8 ...) NOT-FOR-US: Advanced SystemCare Ultimate CVE-2018-9003 (In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_x8 ...) NOT-FOR-US: Advanced SystemCare Ultimate CVE-2018-9002 (In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_wi ...) NOT-FOR-US: Advanced SystemCare Ultimate CVE-2018-9001 (In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_wi ...) NOT-FOR-US: Advanced SystemCare Ultimate CVE-2018-9000 (In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_x8 ...) NOT-FOR-US: Advanced SystemCare Ultimate CVE-2018-8999 (In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_wi ...) NOT-FOR-US: Advanced SystemCare Ultimate CVE-2018-8998 (In Advanced SystemCare Ultimate 11.0.1.58, the driver file (Monitor_x8 ...) NOT-FOR-US: Advanced SystemCare Ultimate CVE-2018-8997 (In Windows Master (aka Windows Optimization Master) 7.99.13.604, the d ...) NOT-FOR-US: Windows Master (aka Windows Optimization Master) CVE-2018-8996 (In Windows Master (aka Windows Optimization Master) 7.99.13.604, the d ...) NOT-FOR-US: Windows Master (aka Windows Optimization Master) CVE-2018-8995 (In Windows Master (aka Windows Optimization Master) 7.99.13.604, the d ...) NOT-FOR-US: Windows Master (aka Windows Optimization Master) CVE-2018-8994 (In Windows Master (aka Windows Optimization Master) 7.99.13.604, the d ...) NOT-FOR-US: Windows Master (aka Windows Optimization Master) CVE-2018-8993 (In Windows Master (aka Windows Optimization Master) 7.99.13.604, the d ...) NOT-FOR-US: Windows Master (aka Windows Optimization Master) CVE-2018-8992 (In Windows Master (aka Windows Optimization Master) 7.99.13.604, the d ...) NOT-FOR-US: Windows Master (aka Windows Optimization Master) CVE-2018-8991 (In Windows Master (aka Windows Optimization Master) 7.99.13.604, the d ...) NOT-FOR-US: Windows Master (aka Windows Optimization Master) CVE-2018-8990 (In Windows Master (aka Windows Optimization Master) 7.99.13.604, the d ...) NOT-FOR-US: Windows Master (aka Windows Optimization Master) CVE-2018-8989 (In Windows Master (aka Windows Optimization Master) 7.99.13.604, the d ...) NOT-FOR-US: Windows Master (aka Windows Optimization Master) CVE-2018-8988 (In Windows Master (aka Windows Optimization Master) 7.99.13.604, the d ...) NOT-FOR-US: Windows Master (aka Windows Optimization Master) CVE-2018-8987 RESERVED CVE-2018-8986 RESERVED CVE-2018-8985 RESERVED CVE-2018-8984 RESERVED CVE-2018-8983 RESERVED CVE-2018-8982 RESERVED CVE-2018-8981 RESERVED CVE-2018-8980 RESERVED CVE-2018-8979 (Open-AudIT Professional 2.1 has CSRF, as demonstrated by modifying a u ...) NOT-FOR-US: Open-AudIT Professional CVE-2018-8978 (Open-AudIT Professional 2.1 has XSS via a crafted src attribute of an ...) NOT-FOR-US: Open-AudIT Professional CVE-2018-8977 (In Exiv2 0.26, the Exiv2::Internal::printCsLensFFFF function in canonm ...) - exiv2 (Vulnerable code introduced after 0.25; only affected experimental, bug #894179) NOTE: https://github.com/Exiv2/exiv2/issues/247 CVE-2018-8976 (In Exiv2 0.26, jpgimage.cpp allows remote attackers to cause a denial ...) - exiv2 0.27.2-6 (low; bug #903813) [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) [jessie] - exiv2 (Minor issue) [wheezy] - exiv2 (Vulnerable code not present) NOTE: https://github.com/Exiv2/exiv2/issues/246 NOTE: https://github.com/Exiv2/exiv2/pull/256 CVE-2018-8975 (The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through ...) - netpbm-free (Vulnerable code not present) NOTE: Debian uses an unaffected fork CVE-2018-8974 (Centers for Disease Control and Prevention MicrobeTRACE 0.1.11 allows ...) NOT-FOR-US: Centers for Disease Control and Prevention MicrobeTRACE CVE-2018-8973 (OTCMS 3.20 allows XSS by adding a keyword or link to an article, as de ...) NOT-FOR-US: OTCMS CVE-2018-8972 (Creditwest Bank CMS Project (aka CWCMS) through 2017-07-28 has CSRF in ...) NOT-FOR-US: Creditwest Bank CMS Project (aka CWCMS) CVE-2018-8970 (The int_x509_param_set_hosts function in lib/libcrypto/x509/x509_vpm.c ...) - libressl (bug #754513) CVE-2018-8969 (An issue was discovered in zzcms 8.2. user/licence_save.php allows rem ...) NOT-FOR-US: zzcms CVE-2018-8968 (An issue was discovered in zzcms 8.2. user/manage.php allows remote at ...) NOT-FOR-US: zzcms CVE-2018-8967 (An issue was discovered in zzcms 8.2. It allows SQL injection via the ...) NOT-FOR-US: zzcms CVE-2018-8966 (An issue was discovered in zzcms 8.2. It allows PHP code injection via ...) NOT-FOR-US: zzcms CVE-2018-8965 (An issue was discovered in zzcms 8.2. user/ppsave.php allows remote at ...) NOT-FOR-US: zzcms CVE-2015-9257 (BMC Remedy Action Request (AR) System 9.0 before 9.0.00 Service Pack 2 ...) NOT-FOR-US: BMC Remedy Action Request (AR) System CVE-2018-8964 (In libming 0.4.8, the decompileDELETE function of decompile.c has a us ...) - ming [wheezy] - ming 1:0.4.4-1.1+deb7u8 NOTE: https://github.com/libming/libming/issues/130 CVE-2018-8963 (In libming 0.4.8, the decompileGETVARIABLE function of decompile.c has ...) - ming [wheezy] - ming 1:0.4.4-1.1+deb7u8 NOTE: https://github.com/libming/libming/issues/130 CVE-2018-8962 (In libming 0.4.8, the decompileSingleArgBuiltInFunctionCall function o ...) - ming [wheezy] - ming 1:0.4.4-1.1+deb7u8 NOTE: https://github.com/libming/libming/issues/130 CVE-2018-8961 (In libming 0.4.8, the decompilePUSHPARAM function of decompile.c has a ...) - ming [wheezy] - ming 1:0.4.4-1.1+deb7u8 NOTE: https://github.com/libming/libming/issues/130 CVE-2018-8960 (The ReadTIFFImage function in coders/tiff.c in ImageMagick 7.0.7-26 Q1 ...) - imagemagick 8:6.9.9.39+dfsg-1 (low) [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (Minor issue) [wheezy] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1020 NOTE: https://github.com/ImageMagick/ImageMagick/commit/23f6beef78cfe806cabc090a015e73557d60788e NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/7c0b29f621ebcce1a35c0e6c1992c9043b3bb1bd CVE-2018-8959 RESERVED CVE-2018-8958 RESERVED CVE-2018-8957 (CoverCMS v1.1.6 has XSS via the fourth input box to index.php, related ...) NOT-FOR-US: CoverCMS CVE-2018-8956 (ntpd in ntp 4.2.8p10, 4.2.8p11, 4.2.8p12 and 4.2.8p13 allow remote att ...) - ntp (low) [buster] - ntp (Minor issue) [stretch] - ntp (Minor issue) [jessie] - ntp (Minor issue, requires being part of same broadcast network, no patch) - ntpsec (Broadcast mode not present, see #961748) NOTE: https://arxiv.org/abs/2005.01783 NOTE: https://nikhiltripathi.in/NTP_attack.pdf NOTE: https://tools.ietf.org/html/rfc5905 CVE-2018-8955 (The installer for BitDefender GravityZone relies on an encoded string ...) NOT-FOR-US: BitDefender GravityZone CVE-2018-8954 (CA Workload Control Center before r11.4 SP6 allows remote attackers to ...) NOT-FOR-US: CA Workload Control Center CVE-2018-8953 (CA Workload Automation AE before r11.3.6 SP7 allows remote attackers t ...) NOT-FOR-US: CA Workload Automation AE CVE-2018-8952 RESERVED CVE-2018-8951 RESERVED CVE-2018-8950 RESERVED CVE-2018-8949 (An issue was discovered in app/Model/Attribute.php in MISP before 2.4. ...) NOT-FOR-US: MISP CVE-2018-8948 (In MISP before 2.4.89, app/View/Events/resolved_attributes.ctp has mul ...) NOT-FOR-US: MISP CVE-2018-8947 (rap2hpoutre Laravel Log Viewer before v0.13.0 relies on Base64 encodin ...) NOT-FOR-US: rap2hpoutre Laravel Log Viewer CVE-2018-1000141 (I, Librarian version 4.9 and earlier contains an Incorrect Access Cont ...) - i-librarian (bug #649291) NOTE: https://github.com/mkucej/i-librarian/issues/124 CVE-2018-1000140 (rsyslog librelp version 1.2.14 and earlier contains a Buffer Overflow ...) {DSA-4151-1} - librelp 1.2.15-1 [wheezy] - librelp (vulnerable code not present) NOTE: https://www.rsyslog.com/cve-2018-1000140/ NOTE: Fixed by: https://github.com/rsyslog/librelp/commit/2cfe657672636aa5d7d2a14cfcb0a6ab9d1f00cf CVE-2018-1000139 (I, Librarian version 4.8 and earlier contains a Cross Site Scripting ( ...) - i-librarian (bug #649291) NOTE: https://github.com/mkucej/i-librarian/issues/119 CVE-2018-1000138 (I, Librarian version 4.8 and earlier contains a SSRF vulnerability in ...) - i-librarian (bug #649291) NOTE: https://github.com/mkucej/i-librarian/issues/120 CVE-2018-1000137 (I, Librarian version 4.8 and earlier contains a Cross site Request For ...) - i-librarian (bug #649291) NOTE: https://github.com/mkucej/i-librarian/issues/121 CVE-2017-18247 (The av_audio_fifo_size function in libavutil/audio_fifo.c in Libav 12. ...) - libav (low) [jessie] - libav (Minor issue, clean crash, not reproducible with 11.12) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1089 NOTE: referenced patch 27085d1b should protect direct ./avconv vectors but situation is unclear for library vectors CVE-2017-18246 (The pcm_encode_frame function in libavcodec/pcm.c in Libav 12.2 allows ...) - libav (low) [jessie] - libav (Minor issue, oob read, not reproducible with 11.12, no patch) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1095 CVE-2017-18245 (The mpc8_probe function in libavformat/mpc8.c in Libav 12.2 allows rem ...) {DLA-2021-1} - libav NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1094 NOTE: new 2019 PoC crash with non-null, non-asan segfault, 32-bit only CVE-2018-8971 (The Auth0 integration in GitLab before 10.3.9, 10.4.x before 10.4.6, a ...) {DSA-4206-1} - gitlab 10.5.6+dfsg-1 (bug #893905) NOTE: https://about.gitlab.com/2018/03/20/critical-security-release-gitlab-10-dot-5-dot-6-released/ CVE-2018-8946 RESERVED CVE-2018-8945 (The bfd_section_from_shdr function in elf.c in the Binary File Descrip ...) - binutils 2.30.90.20180627-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22809 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=95a6d23566165208853a68d9cd3c6eedca840ec6 CVE-2018-8944 (PHPOK 4.8.338 has an arbitrary file upload vulnerability. ...) NOT-FOR-US: PHPOK CVE-2018-8943 (There is a SQL injection in the PHPSHE 1.6 userbank parameter. ...) NOT-FOR-US: PHPSE CVE-2018-8942 (Xiuno BBS 4.0.0 has XSS in the adminpage sitename parameter. ...) NOT-FOR-US: Xiuno BBS CVE-2017-18244 (The stereo_processing function in libavcodec/aacps.c in Libav 12.2 all ...) - libav (low) [jessie] - libav (not reproducible with 11.12, no patch) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1105 CVE-2017-18243 (The unpack_parse_unit function in libavcodec/dirac_parser.c in Libav 1 ...) - libav (low) [jessie] - libav (not reproducible with 11.12, 32-bit only, no patch) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1088 CVE-2017-18242 (The apply_dependent_coupling function in libavcodec/aacdec.c in Libav ...) - libav (low) [jessie] - libav (not reproducible with 11.12, no patch) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1093 CVE-2018-8941 (Diagnostics functionality on D-Link DSL-3782 devices with firmware EU ...) NOT-FOR-US: D-Link CVE-2018-8940 (ClientServiceConfigController.cs in Enghouse Cloud Contact Center Plat ...) NOT-FOR-US: Enghouse Cloud Contact Center Platform CVE-2018-8939 (An SSRF issue was discovered in NmAPI.exe in Ipswitch WhatsUp Gold bef ...) NOT-FOR-US: Ipswitch CVE-2018-8938 (A Code Injection issue was discovered in DlgSelectMibFile.asp in Ipswi ...) NOT-FOR-US: Ipswitch CVE-2018-8937 (An issue was discovered in Open-AudIT Professional 2.1. It is possible ...) NOT-FOR-US: Open-AudIT Professional CVE-2018-8936 (The AMD EPYC Server, Ryzen, Ryzen Pro, and Ryzen Mobile processor chip ...) NOT-FOR-US: AMD CVE-2018-8935 (The Promontory chipset, as used in AMD Ryzen and Ryzen Pro platforms, ...) NOT-FOR-US: AMD CVE-2018-8934 (The Promontory chipset, as used in AMD Ryzen and Ryzen Pro platforms, ...) NOT-FOR-US: AMD CVE-2018-8933 (The AMD EPYC Server processor chips have insufficient access control f ...) NOT-FOR-US: AMD CVE-2018-8932 (The AMD Ryzen and Ryzen Pro processor chips have insufficient access c ...) NOT-FOR-US: AMD CVE-2018-8931 (The AMD Ryzen, Ryzen Pro, and Ryzen Mobile processor chips have insuff ...) NOT-FOR-US: AMD CVE-2018-8930 (The AMD EPYC Server, Ryzen, Ryzen Pro, and Ryzen Mobile processor chip ...) NOT-FOR-US: AMD CVE-2018-8929 (Improper restriction of communication channel to intended endpoints vu ...) NOT-FOR-US: Synology CVE-2018-8928 (Cross-site scripting (XSS) vulnerability in Address Book Editor in Syn ...) NOT-FOR-US: Synology CVE-2018-8927 (Improper authorization vulnerability in SYNO.Cal.Event in Calendar bef ...) NOT-FOR-US: Synology CVE-2018-8926 (Permissive regular expression vulnerability in synophoto_dsm_user in S ...) NOT-FOR-US: Synology CVE-2018-8925 (Cross-site request forgery (CSRF) vulnerability in admin/user.php in S ...) NOT-FOR-US: Synology CVE-2018-8924 (Cross-site scripting (XSS) vulnerability in Title Tootip in Synology O ...) NOT-FOR-US: Synology CVE-2018-8923 (Cross-site scripting (XSS) vulnerability in Attachment Preview in Syno ...) NOT-FOR-US: Synology CVE-2018-8922 (Improper access control vulnerability in Synology Drive before 1.0.2-1 ...) NOT-FOR-US: Synology Drive CVE-2018-8921 (Cross-site scripting (XSS) vulnerability in File Sharing Notify Toast ...) NOT-FOR-US: Synology Drive CVE-2018-8920 (Improper neutralization of escape vulnerability in Log Exporter in Syn ...) NOT-FOR-US: Synology DiskStation Manager CVE-2018-8919 (Information exposure vulnerability in SYNO.Core.Desktop.SessionData in ...) NOT-FOR-US: Synology DiskStation Manager CVE-2018-8918 (Cross-site scripting (XSS) vulnerability in info.cgi in Synology Route ...) NOT-FOR-US: Synology Router Manager CVE-2018-8917 (Cross-site scripting (XSS) vulnerability in info.cgi in Synology DiskS ...) NOT-FOR-US: Synology DiskStation Manager CVE-2018-8916 (Unverified password change vulnerability in Change Password in Synolog ...) NOT-FOR-US: Synology CVE-2018-8915 (Cross-site scripting (XSS) vulnerability in Notification Center in Syn ...) NOT-FOR-US: Synology CVE-2018-8914 (SQL injection vulnerability in UPnP DMA in Synology Media Server befor ...) NOT-FOR-US: Synology Media Server CVE-2018-8913 (Missing custom error page vulnerability in Synology Web Station before ...) NOT-FOR-US: Synology CVE-2018-8912 (Cross-site scripting (XSS) vulnerability in SYNO.NoteStation.Note in S ...) NOT-FOR-US: Synology Note Station CVE-2018-8911 (Cross-site scripting (XSS) vulnerability in Attachment Preview in Syno ...) NOT-FOR-US: Synology Note Station CVE-2018-8910 (Cross-site scripting (XSS) vulnerability in Attachment Preview in Syno ...) NOT-FOR-US: Synology CVE-2018-8909 (The Wire application before 2018-03-07 for Android allows attackers to ...) NOT-FOR-US: Wire application for Android CVE-2018-8908 (An issue was discovered in /admin/?/user/add in Frog CMS 0.9.5. The ap ...) NOT-FOR-US: Frog CMS CVE-2018-8907 RESERVED CVE-2018-8906 (dsmall v20180320 has XSS via a crafted street address to public/index. ...) NOT-FOR-US: dsmall CVE-2018-8905 (In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function ...) {DSA-4349-1 DLA-1411-1 DLA-1378-1 DLA-1377-1} - tiff 4.0.9-6 (bug #893806) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2780 NOTE: https://gitlab.com/libtiff/libtiff/commit/58a898cb4459055bb488ca815c23b880c242a27d CVE-2018-8904 (In Windows Master (aka Windows Optimization Master) 7.99.13.604, the d ...) NOT-FOR-US: Windows Optimization Master CVE-2018-8903 (Open-AudIT Professional 2.1 allows XSS via the Name or Description fie ...) NOT-FOR-US: Open-AudIT Professional CVE-2018-8902 (An issue was discovered in Ivanti Avalanche for all versions between 5 ...) NOT-FOR-US: Ivanti CVE-2018-8901 (An issue was discovered in Ivanti Avalanche for all versions between 5 ...) NOT-FOR-US: Ivanti CVE-2018-8900 (The License Manager service of HASP SRM, Sentinel HASP and Sentinel LD ...) NOT-FOR-US: HASP SRM CVE-2018-8899 (IdentityServer IdentityServer4 1.x before 1.5.3 and 2.x before 2.1.3 d ...) NOT-FOR-US: IdentityServer CVE-2018-8898 (A flaw in the authentication mechanism in the Login Panel of router D- ...) NOT-FOR-US: D-Link CVE-2018-8897 (A statement in the System Programming Guide of the Intel 64 and IA-32 ...) {DSA-4201-1 DSA-4196-1 DLA-1577-1 DLA-1392-1 DLA-1383-1} - linux 4.15.17-1 NOTE: Fixed by: https://git.kernel.org/linus/d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9 (4.16-rc7) - xen 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u6 NOTE: https://xenbits.xen.org/xsa/advisory-260.html NOTE: http://www.openwall.com/lists/oss-security/2018/05/08/4 CVE-2018-8896 (In 2345 Security Guard 3.6, the driver file (2345DumpBlock.sys) allows ...) NOT-FOR-US: 2345 Security Guard CVE-2018-8895 (In 2345 Security Guard 3.6, the driver file (2345DumpBlock.sys) allows ...) NOT-FOR-US: 2345 Security Guard CVE-2018-8894 (In 2345 Security Guard 3.6, the driver file (2345BdPcSafe.sys) allows ...) NOT-FOR-US: 2345 Security Guard CVE-2018-8893 (Z-BlogPHP 1.5.1 Zero has CSRF in plugin_edit.php, resulting in the abi ...) NOT-FOR-US: Z-BlogPHP CVE-2018-8892 (A cross-site request forgery (CSRF) vulnerability in the Management Co ...) NOT-FOR-US: Management Console of BlackBerry UEM CVE-2018-8891 (Multiple stored cross-site scripting (XSS) vulnerabilities in the Mana ...) NOT-FOR-US: Management Console of BlackBerry UEM CVE-2018-8890 (An information disclosure vulnerability in the Management Console of B ...) NOT-FOR-US: BlackBerry CVE-2018-8889 (A directory traversal vulnerability in the Connect Service of the Blac ...) NOT-FOR-US: BlackBerry CVE-2018-8888 (A stored cross-site scripting (XSS) vulnerability in the Management Co ...) NOT-FOR-US: Management Console of BlackBerry UEM CVE-2018-8887 RESERVED CVE-2018-8886 RESERVED CVE-2018-8885 (screenresolution-mechanism in screen-resolution-extra 0.17.2 does not ...) NOT-FOR-US: screen-resolution-extra CVE-2018-1000136 (Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0 ...) - electron (bug #842420) CVE-2017-18241 (fs/f2fs/segment.c in the Linux kernel before 4.13 allows local users t ...) {DSA-4188-1 DSA-4187-1} - linux 4.13.4-1 [wheezy] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/d4fdf8ba0e5808ba9ad6b44337783bd9935e0982 CVE-2016-10717 (A vulnerability in the encryption and permission implementation of Mal ...) NOT-FOR-US: Malwarebytes Anti-Malware CVE-2018-8884 RESERVED CVE-2018-8883 (Netwide Assembler (NASM) 2.13.02rc2 has a buffer over-read in the pars ...) - nasm 2.14-1 (low; bug #894847) [stretch] - nasm (Minor issue) [jessie] - nasm (Minor issue) [wheezy] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392447 NOTE: https://github.com/netwide-assembler/nasm/commit/3c755dac88039b718d52ef56e8f74b5f65f3b55b CVE-2018-8882 (Netwide Assembler (NASM) 2.13.02rc2 has a stack-based buffer under-rea ...) - nasm 2.14-1 (low; bug #894846) [stretch] - nasm (Minor issue) [jessie] - nasm (Minor issue) [wheezy] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392445 NOTE: https://github.com/netwide-assembler/nasm/commit/c7c28357c85fb0bf4105419195bc204aea0fef35 CVE-2018-8881 (Netwide Assembler (NASM) 2.13.02rc2 has a heap-based buffer over-read ...) - nasm 2.13.02-0.1 (low) [stretch] - nasm (Minor issue) [jessie] - nasm (Minor issue) [wheezy] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392446 NOTE: http://repo.or.cz/nasm.git/commit/3144e84add8b152cc7a71e44617ce6f21daa4ba3 (nasm-2.13.02rc3) CVE-2018-8880 (Lutron Quantum BACnet Integration 2.0 (firmware 3.2.243) doesn't check ...) NOT-FOR-US: Lutron Quantum BACnet Integration CVE-2018-8879 (Stack-based buffer overflow in Asuswrt-Merlin firmware for ASUS device ...) NOT-FOR-US: ASUS CVE-2018-8878 (Information disclosure in Asuswrt-Merlin firmware for ASUS devices old ...) NOT-FOR-US: ASUS CVE-2018-8877 (Information disclosure in Asuswrt-Merlin firmware for ASUS devices old ...) NOT-FOR-US: ASUS CVE-2018-8876 (In 2345 Security Guard 3.6, the driver file (2345Wrath.sys) allows loc ...) NOT-FOR-US: 2345 Security Guard CVE-2018-8875 (In 2345 Security Guard 3.6, the driver file (2345Wrath.sys) allows loc ...) NOT-FOR-US: 2345 Security Guard CVE-2018-8874 (In 2345 Security Guard 3.6, the driver file (2345Wrath.sys) allows loc ...) NOT-FOR-US: 2345 Security Guard CVE-2018-8873 (In 2345 Security Guard 3.6, the driver file (2345NetFirewall.sys) allo ...) NOT-FOR-US: 2345 Security Guard CVE-2018-8872 (In Schneider Electric Triconex Tricon MP model 3008 firmware versions ...) NOT-FOR-US: Schneider CVE-2018-8871 (In Delta Electronics Automation TPEditor version 1.89 or prior, parsin ...) NOT-FOR-US: Delta Electronics Automation TPEditor CVE-2018-8870 (Medtronic MyCareLink Patient Monitor, 24950 MyCareLink Monitor, all ve ...) NOT-FOR-US: Medtronic CVE-2018-8869 (In Lantech IDS 2102 2.0 and prior, nearly all input fields allow for a ...) NOT-FOR-US: Lantech CVE-2018-8868 (Medtronic MyCareLink Patient Monitor, 24950 MyCareLink Monitor, all ve ...) NOT-FOR-US: Medtronic CVE-2018-8867 (In GE PACSystems RX3i CPE305/310 version 9.20 and prior, RX3i CPE330 v ...) NOT-FOR-US: GE PACSystems CVE-2018-8866 (In Vecna VGo Robot versions prior to 3.0.3.52164, an attacker on an ad ...) NOT-FOR-US: Vecna VGo Robot CVE-2018-8865 (In Lantech IDS 2102 2.0 and prior, a stack-based buffer overflow vulne ...) NOT-FOR-US: Lantech CVE-2018-8864 (In ATI Systems Emergency Mass Notification Systems (HPSS16, HPSS32, MH ...) NOT-FOR-US: ATI Systems Emergency Mass Notification Systems devices CVE-2018-8863 RESERVED CVE-2018-8862 (In ATI Systems Emergency Mass Notification Systems (HPSS16, HPSS32, MH ...) NOT-FOR-US: ATI Systems Emergency Mass Notification Systems devices CVE-2018-8861 (Vulnerabilities within the Philips Brilliance CT kiosk environment (Br ...) NOT-FOR-US: Philips Brilliance CVE-2018-8860 (In Vecna VGo Robot versions prior to 3.0.3.52164, an attacker may be a ...) NOT-FOR-US: Vecna VGo Robot CVE-2018-8859 (Echelon SmartServer 1 all versions, SmartServer 2 all versions prior t ...) NOT-FOR-US: Echelon CVE-2018-8858 (If an attacker has access to the firmware from the VGo Robot (Versions ...) NOT-FOR-US: VGo Robot CVE-2018-8857 (Philips Brilliance CT software (Brilliance 64 version 2.6.2 and prior, ...) NOT-FOR-US: Philips Brilliance CVE-2018-8856 (Philips e-Alert Unit (non-medical device), Version R2.1 and prior. The ...) NOT-FOR-US: Philips CVE-2018-8855 (Echelon SmartServer 1 all versions, SmartServer 2 all versions prior t ...) NOT-FOR-US: Echelon CVE-2018-8854 (Philips e-Alert Unit (non-medical device), Version R2.1 and prior. The ...) NOT-FOR-US: Philips CVE-2018-8853 (Philips Brilliance CT devices operate user functions from within a con ...) NOT-FOR-US: Philips Brilliance CVE-2018-8852 (Philips e-Alert Unit (non-medical device), Version R2.1 and prior. Whe ...) NOT-FOR-US: Philips CVE-2018-8851 (Echelon SmartServer 1 all versions, SmartServer 2 all versions prior t ...) NOT-FOR-US: Echelon CVE-2018-8850 (Philips e-Alert Unit (non-medical device), Version R2.1 and prior. The ...) NOT-FOR-US: Philips CVE-2018-8849 (Medtronic N'Vision Clinician Programmer 8840 N'Vision Clinician Progra ...) NOT-FOR-US: Medtronic CVE-2018-8848 (Philips e-Alert Unit (non-medical device), Version R2.1 and prior. The ...) NOT-FOR-US: Philips CVE-2018-8847 (Eaton 9000X DriveA versions 2.0.29 and prior has a stack-based buffer ...) NOT-FOR-US: Eaton CVE-2018-8846 (Philips e-Alert Unit (non-medical device), Version R2.1 and prior. The ...) NOT-FOR-US: Philips CVE-2018-8845 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ver ...) NOT-FOR-US: Advantech CVE-2018-8844 (Philips e-Alert Unit (non-medical device), Version R2.1 and prior. The ...) NOT-FOR-US: Philips CVE-2018-8843 (Rockwell Automation Arena versions 15.10.00 and prior contains a use a ...) NOT-FOR-US: Rockwell CVE-2018-8842 (Philips e-Alert Unit (non-medical device), Version R2.1 and prior. The ...) NOT-FOR-US: Philips CVE-2018-8841 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ver ...) NOT-FOR-US: Advantech CVE-2018-8840 (A remote attacker could send a carefully crafted packet in InduSoft We ...) NOT-FOR-US: InduSoft CVE-2018-8839 (Delta PMSoft versions 2.10 and prior have multiple stack-based buffer ...) NOT-FOR-US: Delta PMSoft CVE-2018-8838 (A weakness in access controls in CENTUM CS 1000 all versions, CENTUM C ...) NOT-FOR-US: CENTUM CVE-2018-8837 (Processing specially crafted .pm3 files in Advantech WebAccess HMI Des ...) NOT-FOR-US: Advantech CVE-2018-8836 (Wago 750 Series PLCs with firmware version 10 and prior include a remo ...) NOT-FOR-US: Wago 750 Series PLCs CVE-2018-8835 (Double free vulnerabilities in Advantech WebAccess HMI Designer 2.1.7. ...) NOT-FOR-US: Advantech CVE-2018-8834 (Parsing malformed project files in Omron CX-One versions 4.42 and prio ...) NOT-FOR-US: Omron CVE-2018-8833 (Heap-based buffer overflow vulnerabilities in Advantech WebAccess HMI ...) NOT-FOR-US: Advantech CVE-2018-8832 (enhavo 0.4.0 has XSS via a user-group that contains executable JavaScr ...) NOT-FOR-US: enhavo CVE-2018-8831 (A Persistent XSS vulnerability exists in Kodi (formerly XBMC) through ...) - kodi (low) [buster] - kodi (Minor issue) [stretch] - kodi (Minor issue) - xbmc [jessie] - xbmc (Minor issue) [wheezy] - xbmc (Minor issue) NOTE: http://seclists.org/fulldisclosure/2018/Apr/36 NOTE: https://trac.kodi.tv/ticket/17814 NOTE: Fixed in v18 CVE-2018-8830 RESERVED CVE-2018-8829 RESERVED CVE-2018-8828 (A Buffer Overflow issue was discovered in Kamailio before 4.4.7, 5.0.x ...) {DSA-4148-1} - kamailio 5.1.2-1 NOTE: https://github.com/EnableSecurity/advisories/tree/master/ES2018-05-kamailio-heap-overflow NOTE: https://github.com/kamailio/kamailio/commit/e1d8008a09d9390ebaf698abe8909e10dfec4097 CVE-2018-8827 (The admin web interface on Technicolor MediaAccess TG789vac v2 HP devi ...) NOT-FOR-US: Technicolor CVE-2018-8826 (ASUS RT-AC51U, RT-AC58U, RT-AC66U, RT-AC1750, RT-ACRH13, and RT-N12 D1 ...) NOT-FOR-US: ASUS routers CVE-2018-8825 (Google TensorFlow 1.7 and below is affected by: Buffer Overflow. The i ...) - tensorflow (bug #804612) CVE-2018-8824 (modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horiz ...) NOT-FOR-US: Responsive Mega Menu Pro module for PrestaShop CVE-2018-8823 (modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horiz ...) NOT-FOR-US: Responsive Mega Menu Pro module for PrestaShop CVE-2018-8822 (Incorrect buffer length handling in the ncp_read_kernel function in fs ...) {DSA-4188-1 DSA-4187-1 DLA-1369-1} - linux 4.15.17-1 CVE-2018-1000135 (GNOME NetworkManager version 1.10.2 and earlier contains a Information ...) [experimental] - network-manager 1.11.4-1 - network-manager 1.12.0-2 (bug #895658) [stretch] - network-manager (Minor issue) [jessie] - network-manager (Minor issue) [wheezy] - network-manager (Minor issue) NOTE: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1754671 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=746422 NOTE: https://cgit.freedesktop.org/NetworkManager/NetworkManager/log/?h=bg/dns-bgo746422 NOTE: Merge: https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=d9782589248e61c0cb5aec90e3eb62612891116b NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1553634 CVE-2018-8821 (windrvr1260.sys in Jungo DriverWizard WinDriver 12.6.0 allows attacker ...) NOT-FOR-US: windrvr1260.sys in Jungo DriverWizard WinDriver CVE-2018-8820 (An issue was discovered in Square 9 GlobalForms 6.2.x. A Time Based SQ ...) NOT-FOR-US: Square 9 CVE-2018-8819 (An XXE issue was discovered in Automated Logic Corporation (ALC) WebCT ...) NOT-FOR-US: Automated Logic Corporation (ALC) WebCTRL CVE-2018-8818 RESERVED CVE-2018-8817 (Wampserver before 3.1.3 has CSRF in add_vhost.php. ...) NOT-FOR-US: Wampserver CVE-2018-8816 RESERVED CVE-2018-8815 (Cross-site scripting (XSS) vulnerability in the gallery function in Al ...) NOT-FOR-US: Alkacon OpenCMS CVE-2018-8814 (Cross-site request forgery (CSRF) vulnerability in WolfCMS 0.8.3.1 all ...) NOT-FOR-US: WolfCMS CVE-2018-8813 (Open redirect vulnerability in the login[redirect] parameter login fun ...) NOT-FOR-US: WolfCMS CVE-2018-8812 REJECTED CVE-2018-8811 (** DISPUTED ** Cross-site request forgery (CSRF) vulnerability in syst ...) NOT-FOR-US: OpenCMS CVE-2018-8810 (In radare2 2.4.0, there is a heap-based buffer over-read in the get_iv ...) - radare2 2.6.0+dfsg-1 (bug #895749) [jessie] - radare2 (Minor issue) [wheezy] - radare2 (vulnerable code not present) NOTE: https://github.com/radare/radare2/issues/9727 NOTE: https://github.com/radare/radare2/commit/06c9903be9a1ca46b74571d49027bee2168fbd69 CVE-2018-8809 (In radare2 2.4.0, there is a heap-based buffer over-read in the dalvik ...) - radare2 2.6.0+dfsg-1 (low; bug #895751) [jessie] - radare2 (Minor issue) [wheezy] - radare2 (minor issue, likely not even affected) NOTE: https://github.com/radare/radare2/issues/9726 NOTE: https://github.com/radare/radare2/commit/24282de142000d2ed2c19783b40a1351872dfc54 CVE-2018-8808 (In radare2 2.4.0, there is a heap-based buffer over-read in the r_asm_ ...) - radare2 2.6.0+dfsg-1 (low; bug #895752) [jessie] - radare2 (Minor issue) [wheezy] - radare2 (minor issue, likely not even affected) NOTE: https://github.com/radare/radare2/issues/9725 NOTE: https://github.com/radare/radare2/commit/a88069940950999d5e2fd16cd7d16c7e956bf516 CVE-2018-8807 (In libming 0.4.8, these is a use-after-free in the function decompileC ...) - ming [wheezy] - ming 1:0.4.4-1.1+deb7u8 NOTE: https://github.com/libming/libming/issues/129 CVE-2018-8806 (In libming 0.4.8, there is a use-after-free in the decompileArithmetic ...) - ming [wheezy] - ming 1:0.4.4-1.1+deb7u8 NOTE: https://github.com/libming/libming/issues/128 CVE-2018-8805 (Yxcms building system (compatible cell phone) v1.4.7 has XSS via the c ...) NOT-FOR-US: Yxcms CVE-2018-8804 (WriteEPTImage in coders/ept.c in ImageMagick 7.0.7-25 Q16 allows remot ...) - imagemagick 8:6.9.9.39+dfsg-1 (low) [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (Minor issue) [wheezy] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/commit/f55d3a622d234e940fb99325b92c6d3df578fa9b NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/6355db269e03f879c516cf9d592c72e157bc75d6 NOTE: https://github.com/ImageMagick/ImageMagick/issues/1025 CVE-2018-8803 RESERVED CVE-2018-8802 (SQL injection vulnerability in the management interface in ePortal Ma ...) NOT-FOR-US: ePortal Manager in Unisys ClearPath MCP OS systems CVE-2018-8801 (GitLab Community and Enterprise Editions version 8.3 up to 10.x before ...) - gitlab 10.5.6+dfsg-1 (bug #893905) NOTE: https://about.gitlab.com/2018/03/20/critical-security-release-gitlab-10-dot-5-dot-6-released/ CVE-2018-8800 (rdesktop versions up to and including v1.8.3 contain a Heap-Based Buff ...) {DSA-4394-1 DLA-1683-1} - rdesktop 1.8.4-1 NOTE: https://github.com/rdesktop/rdesktop/commit/766ebcf6f23ccfe8323ac10242ae6e127d4505d2 (v1.8.4) CVE-2018-8799 (rdesktop versions up to and including v1.8.3 contain an Out-Of-Bounds ...) {DSA-4394-1 DLA-1683-1} - rdesktop 1.8.4-1 NOTE: https://github.com/rdesktop/rdesktop/commit/766ebcf6f23ccfe8323ac10242ae6e127d4505d2 (v1.8.4) CVE-2018-8798 (rdesktop versions up to and including v1.8.3 contain an Out-Of-Bounds ...) {DSA-4394-1 DLA-1683-1} - rdesktop 1.8.4-1 NOTE: https://github.com/rdesktop/rdesktop/commit/766ebcf6f23ccfe8323ac10242ae6e127d4505d2 (v1.8.4) CVE-2018-8797 (rdesktop versions up to and including v1.8.3 contain a Heap-Based Buff ...) {DSA-4394-1 DLA-1683-1} - rdesktop 1.8.4-1 NOTE: https://github.com/rdesktop/rdesktop/commit/766ebcf6f23ccfe8323ac10242ae6e127d4505d2 (v1.8.4) CVE-2018-8796 (rdesktop versions up to and including v1.8.3 contain an Out-Of-Bounds ...) {DSA-4394-1 DLA-1683-1} - rdesktop 1.8.4-1 NOTE: https://github.com/rdesktop/rdesktop/commit/766ebcf6f23ccfe8323ac10242ae6e127d4505d2 (v1.8.4) CVE-2018-8795 (rdesktop versions up to and including v1.8.3 contain an Integer Overfl ...) {DSA-4394-1 DLA-1683-1} - rdesktop 1.8.4-1 NOTE: https://github.com/rdesktop/rdesktop/commit/766ebcf6f23ccfe8323ac10242ae6e127d4505d2 (v1.8.4) CVE-2018-8794 (rdesktop versions up to and including v1.8.3 contain an Integer Overfl ...) {DSA-4394-1 DLA-1683-1} - rdesktop 1.8.4-1 NOTE: https://github.com/rdesktop/rdesktop/commit/766ebcf6f23ccfe8323ac10242ae6e127d4505d2 (v1.8.4) CVE-2018-8793 (rdesktop versions up to and including v1.8.3 contain a Heap-Based Buff ...) {DSA-4394-1 DLA-1683-1} - rdesktop 1.8.4-1 NOTE: https://github.com/rdesktop/rdesktop/commit/766ebcf6f23ccfe8323ac10242ae6e127d4505d2 (v1.8.4) CVE-2018-8792 (rdesktop versions up to and including v1.8.3 contain an Out-Of-Bounds ...) {DSA-4394-1 DLA-1683-1} - rdesktop 1.8.4-1 NOTE: https://github.com/rdesktop/rdesktop/commit/766ebcf6f23ccfe8323ac10242ae6e127d4505d2 (v1.8.4) CVE-2018-8791 (rdesktop versions up to and including v1.8.3 contain an Out-Of-Bounds ...) {DSA-4394-1 DLA-1683-1} - rdesktop 1.8.4-1 NOTE: https://github.com/rdesktop/rdesktop/commit/766ebcf6f23ccfe8323ac10242ae6e127d4505d2 (v1.8.4) CVE-2018-8790 (Check Point ZoneAlarm version 15.3.064.17729 and below expose a WCF se ...) NOT-FOR-US: Check Point ZoneAlarm CVE-2018-8789 (FreeRDP prior to version 2.0.0-rc4 contains several Out-Of-Bounds Read ...) {DLA-1666-1} - freerdp2 2.0.0~git20181120.1.e21b72c95+dfsg1-1 - freerdp [stretch] - freerdp 1.1.0~git20140921.1.440916e+dfsg1-13+deb9u3 NOTE: https://github.com/FreeRDP/FreeRDP/commit/2ee663f39dc8dac3d9988e847db19b2d7e3ac8c6 CVE-2018-8788 (FreeRDP prior to version 2.0.0-rc4 contains an Out-Of-Bounds Write of ...) {DLA-1666-1} - freerdp2 2.0.0~git20181120.1.e21b72c95+dfsg1-1 - freerdp [stretch] - freerdp 1.1.0~git20140921.1.440916e+dfsg1-13+deb9u3 NOTE: https://github.com/FreeRDP/FreeRDP/commit/d1112c279bd1a327e8e4d0b5f371458bf2579659 CVE-2018-8787 (FreeRDP prior to version 2.0.0-rc4 contains an Integer Overflow that l ...) {DLA-1666-1} - freerdp2 2.0.0~git20181120.1.e21b72c95+dfsg1-1 - freerdp [stretch] - freerdp 1.1.0~git20140921.1.440916e+dfsg1-13+deb9u3 NOTE: https://github.com/FreeRDP/FreeRDP/commit/09b9d4f1994a674c4ec85b4947aa656eda1aed8a CVE-2018-8786 (FreeRDP prior to version 2.0.0-rc4 contains an Integer Truncation that ...) {DLA-1666-1} - freerdp2 2.0.0~git20181120.1.e21b72c95+dfsg1-1 - freerdp [stretch] - freerdp 1.1.0~git20140921.1.440916e+dfsg1-13+deb9u3 NOTE: https://github.com/FreeRDP/FreeRDP/commit/445a5a42c500ceb80f8fa7f2c11f3682538033f3 CVE-2018-8785 (FreeRDP prior to version 2.0.0-rc4 contains a Heap-Based Buffer Overfl ...) - freerdp2 2.0.0~git20181120.1.e21b72c95+dfsg1-1 - freerdp [stretch] - freerdp (Vulnerable code not present, zgfx not yet supported) [jessie] - freerdp (Vulnerable code not present, zgfx not yet supported) NOTE: https://github.com/FreeRDP/FreeRDP/commit/602f4a2e14b41703b5f431de3154cd46a5750a2d CVE-2018-8784 (FreeRDP prior to version 2.0.0-rc4 contains a Heap-Based Buffer Overfl ...) - freerdp2 2.0.0~git20181120.1.e21b72c95+dfsg1-1 - freerdp [stretch] - freerdp (Vulnerable code not present, zgfx not yet supported) [jessie] - freerdp (Vulnerable code not present, zgfx not yet supported) NOTE: https://github.com/FreeRDP/FreeRDP/commit/17c363a5162fd4dc77b1df54e48d7bd9bf6b3be7 CVE-2018-8783 RESERVED CVE-2018-8782 RESERVED CVE-2018-8781 (The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c at the Linux ...) {DSA-4188-1 DSA-4187-1 DLA-1369-1} - linux 4.15.17-1 NOTE: https://patchwork.freedesktop.org/patch/211845/ NOTE: Fixed by: https://git.kernel.org/linus/3b82a4db8eaccce735dffd50b4d4e1578099b8e8 CVE-2018-8780 (In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x b ...) {DSA-4259-1 DLA-1421-1 DLA-1359-1 DLA-1358-1} - ruby2.5 2.5.1-1 - ruby2.3 - ruby2.1 - ruby1.9.1 - ruby1.8 NOTE: https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/ NOTE: https://hackerone.com/reports/302338 NOTE: Fixed by: https://github.com/ruby/ruby/commit/bd5661a3cbb38a8c3a3ea10cd76c88bbef7871b8 NOTE: Fixed by: https://github.com/ruby/ruby/commit/143eb22f1877815dd802f7928959c5f93d4c7bb3 (2.2.10) CVE-2018-8779 (In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x b ...) {DSA-4259-1 DLA-1421-1 DLA-1359-1 DLA-1358-1} - ruby2.5 2.5.1-1 - ruby2.3 - ruby2.1 - ruby1.9.1 - ruby1.8 NOTE: https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/ NOTE: https://hackerone.com/reports/302997 NOTE: Fixed by: https://github.com/ruby/ruby/commit/8794dec6a5f11adc5cdd19a5ee91ea6b0816763f NOTE: Fixed by: https://github.com/ruby/ruby/commit/47165eed264d357e78e27371cfef20d5c2bde5d9 (2.2.10) NOTE: ruby1.8: test examples from hackerone doesn't work. ext/socket/socket.c:init_unixsock() uses SafeStringValue(path) though. CVE-2018-8778 (In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x b ...) {DSA-4259-1 DLA-1421-1 DLA-1359-1 DLA-1358-1} - ruby2.5 2.5.1-1 - ruby2.3 - ruby2.1 - ruby1.9.1 - ruby1.8 NOTE: https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/ NOTE: https://hackerone.com/reports/298246 NOTE: Fixed by: https://github.com/ruby/ruby/commit/d02b7bd864706fc2a40d83fb6014772ad3cc3b80 NOTE: Fixed by: https://github.com/ruby/ruby/commit/4cd92d7b13002161a3452a0fe278b877901a8859 (2.2.10) CVE-2018-8777 (In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x b ...) {DSA-4259-1 DLA-1421-1 DLA-1359-1 DLA-1358-1} - ruby2.5 2.5.1-1 - ruby2.3 - ruby2.1 - ruby1.9.1 - ruby1.8 NOTE: https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/ CVE-2018-XXXX [Multiple vulnerabilities in CiviCRM] - civicrm 4.7.30+dfsg-1 (bug #887330) NOTE: https://civicrm.org/blog/dev-team/security-release-civicrm-4726-and-4633-monthly-release-4727 CVE-2017-18240 (The Gentoo app-admin/collectd package before 5.7.2-r1 sets the ownersh ...) - collectd (Init scripts shipped by Debian are not affected) CVE-2018-8776 RESERVED CVE-2018-8775 RESERVED CVE-2018-8774 RESERVED CVE-2018-8773 RESERVED CVE-2018-8772 (Coship RT3052 4.0.0.48 devices allow XSS via a crafted SSID field on t ...) NOT-FOR-US: Coship RT3052 4.0.0.48 devices CVE-2018-8771 RESERVED CVE-2018-8770 (Physical path Leakage exists in Western Bridge Cobub Razor 0.8.0 via g ...) NOT-FOR-US: Western Bridge Cobub Razor CVE-2018-8769 (elfutils 0.170 has a buffer over-read in the ebl_dynamic_tag_name func ...) - elfutils (Issue introduced later) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22976 NOTE: https://sourceware.org/ml/elfutils-devel/2018-q1/msg00078.html NOTE: Issue introduced with a merge/update of elf.h from glibc in NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=88f3d2daa107b09fdba376a82bce7ed534c93645 NOTE: when SYMTAB_SHNDX was introduced, but not yet handled in the NOTE: ebl_dynamic_tag_name function. CVE-2018-8767 (joyplus-cms 1.6.0 has XSS in manager/admin_ajax.php?action=save&ta ...) NOT-FOR-US: joyplus-cms CVE-2018-8766 (joyplus-cms 1.6.0 allows Remote Code Execution because of an Arbitrary ...) NOT-FOR-US: joyplus-cms CVE-2018-8765 (In 2345 Security Guard 3.6, the driver file (2345NetFirewall.sys) allo ...) NOT-FOR-US: 2345 Security Guard CVE-2018-8764 (Roland Gruber Softwareentwicklung LDAP Account Manager before 6.3 plac ...) - ldap-account-manager 6.3-1 [stretch] - ldap-account-manager 5.5-1+deb9u1 [jessie] - ldap-account-manager (Issue introduced later) [wheezy] - ldap-account-manager (Issue introduced later) NOTE: https://www.ldap-account-manager.org/lamcms/node/354 NOTE: https://github.com/LDAPAccountManager/lam/commit/993751c7ff0faa07b7c028295152cf9c20349688 CVE-2018-8763 (Roland Gruber Softwareentwicklung LDAP Account Manager before 6.3 has ...) {DSA-4165-1 DLA-1342-1} - ldap-account-manager 6.3-1 NOTE: https://github.com/LDAPAccountManager/lam/commit/f1d7aec5fc4aaf516e1d8a6f0eb3082050553302 NOTE: https://github.com/LDAPAccountManager/lam/commit/16fc7f7e8603c5cb7c129cfbf97fc572b9b8740c NOTE: https://github.com/LDAPAccountManager/lam/commit/d4f0d6db966af4dd7d83c978125635f03895b81a NOTE: https://www.ldap-account-manager.org/lamcms/node/354 CVE-2018-8762 RESERVED CVE-2018-8761 (protected\apps\member\controller\shopcarController.php in Yxcms buildi ...) NOT-FOR-US: Yxcms CVE-2018-8760 RESERVED CVE-2018-8759 RESERVED CVE-2018-8758 RESERVED CVE-2018-8757 RESERVED CVE-2018-8756 (Eval injection in yzmphp/core/function/global.func.php in YzmCMS v3.7. ...) NOT-FOR-US: YzmCMS CVE-2018-8755 (NuCom WR644GACV devices before STA006 allow an attacker to download th ...) NOT-FOR-US: NuCom CVE-2018-8754 (** DISPUTED ** The libevt_record_values_read_event() function in libev ...) {DSA-4160-1} - libevt 20180317-1 (bug #893431) NOTE: https://github.com/libyal/libevt/commit/444ca3ce7853538c577e0ec3f6146d2d65780734 NOTE: Impact limited to OOB read, not write CVE-2018-8753 (The IKEv1 implementation in Clavister cOS Core before 11.00.11, 11.20. ...) NOT-FOR-US: Clavister cOS Core CVE-2018-8752 RESERVED CVE-2018-8751 RESERVED CVE-2018-8750 RESERVED CVE-2018-8749 RESERVED CVE-2018-8748 RESERVED CVE-2018-8747 RESERVED CVE-2018-8746 RESERVED CVE-2018-8745 RESERVED CVE-2018-8744 RESERVED CVE-2018-8743 RESERVED CVE-2018-8742 RESERVED CVE-2017-18239 (A time-sensitive equality check on the JWT signature in the JsonWebTok ...) NOT-FOR-US: authentikat-jwt CVE-2018-8768 (In Jupyter Notebook before 5.4.1, a maliciously forged notebook file c ...) - jupyter-notebook 5.4.1-1 (bug #893436) [stretch] - jupyter-notebook (Minor issue) - ipython 5.1.0-2 [jessie] - ipython (Minor issue) [wheezy] - ipython (Too invasive to fix) NOTE: After the reupload of ipython to Debian as 4.1.2-1 via experimental NOTE: src:ipython does not provide anymore the Notebook NOTE: http://www.openwall.com/lists/oss-security/2018/03/15/2 NOTE: Fixed by: https://github.com/jupyter/notebook/commit/4e79ebb49acac722b37b03f1fe811e67590d3831 NOTE: Ipython in Wheezy lacks sanitization of untrusted HTML completely NOTE: which means in theory this CVE does not apply. However due to the absence of NOTE: sanitization it is recommended not to use Ipython's notebook with untrusted NOTE: content. This issue is no-dsa because it cannot be determined if Ipython NOTE: in Wheezy is still affected, a fix appears to be to intrusive though. We recommend to NOTE: upgrade to a newer version instead. CVE-2018-8741 (A directory traversal flaw in SquirrelMail 1.4.22 allows an authentica ...) {DSA-4168-1 DLA-1344-1} - squirrelmail (bug #893202) NOTE: http://www.openwall.com/lists/oss-security/2018/03/17/2 NOTE: https://sourceforge.net/p/squirrelmail/bugs/2846/ NOTE: https://sourceforge.net/p/squirrelmail/code/14751/ CVE-2018-8740 (In SQLite through 3.22.0, databases whose schema is corrupted using a ...) {DLA-1633-1} - sqlite3 3.22.0-2 (bug #893195) [stretch] - sqlite3 (Minor issue) [wheezy] - sqlite3 (Minor issue) NOTE: https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1756349 NOTE: https://www.sqlite.org/cgi/src/vdiff?from=1774f1c3baf0bc3d&to=d75e67654aa9620b NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6964 CVE-2018-8739 (VPN Unlimited 4.2.0 for macOS suffers from a root privilege escalation ...) NOT-FOR-US: VPN Unlimited CVE-2018-1000134 (UnboundID LDAP SDK version from commit 801111d8b5c732266a5dbd4b3bb0b6c ...) NOT-FOR-US: UnboundID LDAP SDK CVE-2018-1000133 (Pitchfork version 1.4.6 RC1 contains an Improper Privilege Management ...) NOT-FOR-US: Pitchfork CVE-2016-10716 (The Mail.ru Calendar plugin before 2.5.0.61 for Atlassian Jira has XSS ...) NOT-FOR-US: Atlassian Jira plugin CVE-2016-10715 (The Artezio Kanban Board plugin 1.4 revision 1914 for Atlassian Jira h ...) NOT-FOR-US: Atlassian Jira plugin CVE-2018-8738 (Airties 5444 1.0.0.18 and 5444TT 1.0.0.18 devices allow XSS. ...) NOT-FOR-US: Airties CVE-2018-8737 (Bookme Control Panel 2.0 Application is vulnerable to stored XSS withi ...) NOT-FOR-US: Bookme Control Panel Application CVE-2018-8736 (A privilege escalation vulnerability in Nagios XI 5.2.x through 5.4.x ...) NOT-FOR-US: Nagios XI CVE-2018-8735 (Remote command execution (RCE) vulnerability in Nagios XI 5.2.x throug ...) NOT-FOR-US: Nagios XI CVE-2018-8734 (SQL injection vulnerability in the core config manager in Nagios XI 5. ...) NOT-FOR-US: Nagios XI CVE-2018-8733 (Authentication bypass vulnerability in the core config manager in Nagi ...) NOT-FOR-US: Nagios XI CVE-2018-8732 (Cross-site scripting (XSS) vulnerability in WampServer 3.1.1 allows re ...) NOT-FOR-US: WampServer CVE-2018-8731 RESERVED CVE-2018-8730 RESERVED CVE-2018-8729 (Multiple cross-site scripting (XSS) vulnerabilities in the Activity Lo ...) NOT-FOR-US: Activity Log plugin for WordPress CVE-2018-8728 (server/app/views/static/code.html in Kontena before 1.5.0 allows XSS i ...) NOT-FOR-US: Kontena CVE-2018-8727 (Path Traversal in Gateway in Mirasys DVMS Workstation 5.12.6 and earli ...) NOT-FOR-US: Path Traversal in Gateway in Mirasys DVMS Workstation CVE-2017-18238 (An issue was discovered in Exempi before 2.4.4. The TradQT_Manager::Pa ...) {DLA-1310-1} - exempi 2.4.4-1 (low) [stretch] - exempi (Minor issue) [jessie] - exempi (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102483 NOTE: https://cgit.freedesktop.org/exempi/commit/?id=886cd1d2314755adb1f4cdb99c16ff00830f0331 CVE-2017-18237 (An issue was discovered in Exempi before 2.4.3. The PostScript_Support ...) - exempi 2.4.3-1 (low) [stretch] - exempi (Minor issue) [jessie] - exempi (Minor issue) [wheezy] - exempi (vulnerable code not present) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=101914 NOTE: https://cgit.freedesktop.org/exempi/commit/?id=f19d0107fbae1fb41836cd110d4425e407e64048 CVE-2017-18236 (An issue was discovered in Exempi before 2.4.4. The ASF_Support::ReadH ...) {DLA-1310-1} - exempi 2.4.4-1 (low) [stretch] - exempi (Minor issue) [jessie] - exempi (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102484 NOTE: https://cgit.freedesktop.org/exempi/commit/?id=fe59605d3520bf2ca4e0a963d194f10e9fee5806 CVE-2017-18235 (An issue was discovered in Exempi before 2.4.3. The VPXChunk class in ...) - exempi 2.4.3-1 (low) [stretch] - exempi (Minor issue) [jessie] - exempi (Minor issue) [wheezy] - exempi (vulnerable code not present) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=101913 NOTE: https://cgit.freedesktop.org/exempi/commit/?id=9e76a7782a54a242f18d609e7ba32bf1c430a5e4 CVE-2017-18234 (An issue was discovered in Exempi before 2.4.3. It allows remote attac ...) {DLA-1310-1} - exempi 2.4.3-1 (low) [stretch] - exempi (Minor issue) [jessie] - exempi (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=100397 NOTE: https://cgit.freedesktop.org/exempi/commit/?id=c26d5beb60a5a85f76259f50ed3e08c8169b0a0c CVE-2017-18233 (An issue was discovered in Exempi before 2.4.4. Integer overflow in th ...) {DLA-1310-1} - exempi 2.4.4-1 (low) [stretch] - exempi (Minor issue) [jessie] - exempi (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102151 NOTE: https://cgit.freedesktop.org/exempi/commit/?id=65a8492832b7335ffabd01f5f64d89dec757c260 CVE-2018-8726 RESERVED CVE-2018-8725 RESERVED CVE-2018-8724 RESERVED CVE-2018-8723 RESERVED CVE-2018-8722 (Zoho ManageEngine Desktop Central version 9.1.0 build 91099 has multip ...) NOT-FOR-US: Zoho CVE-2018-8721 (Zoho ManageEngine EventLog Analyzer version 11.0 build 11000 has Store ...) NOT-FOR-US: Zoho CVE-2018-8720 (ServiceNow ITSM 2016-06-02 has XSS via the First Name or Last Name fie ...) NOT-FOR-US: ServiceNow ITSM CVE-2018-8719 (An issue was discovered in the WP Security Audit Log plugin 3.1.1 for ...) NOT-FOR-US: WP Security Audit Log plugin for WordPress CVE-2018-8718 (Cross-site request forgery (CSRF) vulnerability in the Mailer Plugin 1 ...) - jenkins-mailer-plugin CVE-2017-18232 (The Serial Attached SCSI (SAS) implementation in the Linux kernel thro ...) {DSA-4187-1} - linux 4.15.17-1 [stretch] - linux (Minor issue) [jessie] - linux (Minor issue) [wheezy] - linux (Vulnerability introduced later) - linux-4.9 NOTE: Fixed by: https://git.kernel.org/linus/0558f33c06bb910e2879e355192227a8e8f0219d CVE-2018-8717 (joyplus-cms 1.6.0 has CSRF, as demonstrated by adding an administrator ...) NOT-FOR-US: joyplus-cms CVE-2018-8716 (WSO2 Identity Server before 5.5.0 has XSS via the dashboard, allowing ...) NOT-FOR-US: WSO2 Identity Server CVE-2018-8715 (The Embedthis HTTP library, and Appweb versions before 7.0.3, have a l ...) NOT-FOR-US: Embedthis HTTP library / Appweb CVE-2018-8714 (Honeywell MatrikonOPC OPC Controller before 5.1.0.0 allows local users ...) NOT-FOR-US: Honeywell MatrikonOPC OPC Controller CVE-2018-8713 RESERVED CVE-2018-8712 (An issue was discovered in Webmin 1.840 and 1.880 when the default Yes ...) - webmin CVE-2018-8711 (A local file inclusion issue was discovered in the WooCommerce Product ...) NOT-FOR-US: WooCommerce Products Filter (aka WOOF) plugin for WordPress CVE-2018-8710 (A remote code execution issue was discovered in the WooCommerce Produc ...) NOT-FOR-US: WooCommerce Products Filter (aka WOOF) plugin for WordPress CVE-2018-8709 RESERVED CVE-2018-8708 RESERVED CVE-2018-8707 RESERVED CVE-2018-8706 RESERVED CVE-2018-8705 RESERVED CVE-2018-8704 RESERVED CVE-2018-8703 RESERVED CVE-2018-8702 RESERVED CVE-2018-8701 RESERVED CVE-2018-8700 RESERVED CVE-2018-8699 RESERVED CVE-2018-8698 RESERVED CVE-2018-8697 RESERVED CVE-2018-8696 RESERVED CVE-2018-8695 RESERVED CVE-2018-8694 RESERVED CVE-2018-8693 RESERVED CVE-2018-8692 RESERVED CVE-2018-8691 RESERVED CVE-2018-8690 RESERVED CVE-2018-8689 RESERVED CVE-2018-8688 RESERVED CVE-2018-8687 RESERVED CVE-2018-8686 RESERVED CVE-2018-8685 RESERVED CVE-2018-8684 RESERVED CVE-2018-8683 RESERVED CVE-2018-8682 RESERVED CVE-2018-8681 RESERVED CVE-2018-8680 RESERVED CVE-2018-8679 RESERVED CVE-2018-8678 RESERVED CVE-2018-8677 RESERVED CVE-2018-8676 RESERVED CVE-2018-8675 RESERVED CVE-2018-8674 RESERVED CVE-2018-8673 RESERVED CVE-2018-8672 RESERVED CVE-2018-8671 RESERVED CVE-2018-8670 RESERVED CVE-2018-8669 RESERVED CVE-2018-8668 RESERVED CVE-2018-8667 RESERVED CVE-2018-8666 RESERVED CVE-2018-8665 RESERVED CVE-2018-8664 RESERVED CVE-2018-8663 RESERVED CVE-2018-8662 RESERVED CVE-2018-8661 RESERVED CVE-2018-8660 RESERVED CVE-2018-8659 RESERVED CVE-2018-8658 RESERVED CVE-2018-8657 RESERVED CVE-2018-8656 RESERVED CVE-2018-8655 RESERVED CVE-2018-8654 (An elevation of privilege vulnerability exists in Microsoft Dynamics 3 ...) NOT-FOR-US: Microsoft CVE-2018-8653 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2018-8652 (A Cross-site Scripting (XSS) vulnerability exists when Windows Azure P ...) NOT-FOR-US: Windows Azure Pack Rollup CVE-2018-8651 (A cross site scripting vulnerability exists when Microsoft Dynamics NA ...) NOT-FOR-US: Microsoft Dynamics NAV CVE-2018-8650 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2018-8649 (A denial of service vulnerability exists when Windows improperly handl ...) NOT-FOR-US: Microsoft Windows CVE-2018-8648 RESERVED CVE-2018-8647 RESERVED CVE-2018-8646 RESERVED CVE-2018-8645 RESERVED CVE-2018-8644 RESERVED CVE-2018-8643 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2018-8642 RESERVED CVE-2018-8641 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft Windows CVE-2018-8640 RESERVED CVE-2018-8639 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft Windows CVE-2018-8638 (An information disclosure vulnerability exists when DirectX improperly ...) NOT-FOR-US: Microsoft Windows CVE-2018-8637 (An information disclosure vulnerability exists in Windows kernel that ...) NOT-FOR-US: Microsoft Windows CVE-2018-8636 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2018-8635 (An elevation of privilege vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2018-8634 (A remote code execution vulnerability exists in Windows where Microsof ...) NOT-FOR-US: Microsoft Windows CVE-2018-8633 RESERVED CVE-2018-8632 RESERVED CVE-2018-8631 (A remote code execution vulnerability exists when Internet Explorer im ...) NOT-FOR-US: Microsoft CVE-2018-8630 RESERVED CVE-2018-8629 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8628 (A remote code execution vulnerability exists in Microsoft PowerPoint s ...) NOT-FOR-US: Microsoft CVE-2018-8627 (An information disclosure vulnerability exists when Microsoft Excel so ...) NOT-FOR-US: Microsoft CVE-2018-8626 (A remote code execution vulnerability exists in Windows Domain Name Sy ...) NOT-FOR-US: Microsoft Windows CVE-2018-8625 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2018-8624 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8623 RESERVED CVE-2018-8622 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft Windows CVE-2018-8621 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft Windows CVE-2018-8620 RESERVED CVE-2018-8619 (A remote code execution vulnerability exists when the Internet Explore ...) NOT-FOR-US: Microsoft CVE-2018-8618 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8617 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8616 RESERVED CVE-2018-8615 RESERVED CVE-2018-8614 RESERVED CVE-2018-8613 RESERVED CVE-2018-8612 (A Denial Of Service vulnerability exists when Connected User Experienc ...) NOT-FOR-US: Microsoft Windows CVE-2018-8611 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft Windows CVE-2018-8610 RESERVED CVE-2018-8609 (A remote code execution vulnerability exists in Microsoft Dynamics 365 ...) NOT-FOR-US: Microsoft CVE-2018-8608 (A cross site scripting vulnerability exists when Microsoft Dynamics 36 ...) NOT-FOR-US: Microsoft CVE-2018-8607 (A cross site scripting vulnerability exists when Microsoft Dynamics 36 ...) NOT-FOR-US: Microsoft CVE-2018-8606 (A cross site scripting vulnerability exists when Microsoft Dynamics 36 ...) NOT-FOR-US: Microsoft CVE-2018-8605 (A cross site scripting vulnerability exists when Microsoft Dynamics 36 ...) NOT-FOR-US: Microsoft CVE-2018-8604 (A tampering vulnerability exists when Microsoft Exchange Server fails ...) NOT-FOR-US: Microsoft CVE-2018-8603 RESERVED CVE-2018-8602 (A Cross-site Scripting (XSS) vulnerability exists when Team Foundation ...) NOT-FOR-US: Microsoft CVE-2018-8601 RESERVED CVE-2018-8600 (A Cross-site Scripting (XSS) vulnerability exists when Azure App Servi ...) NOT-FOR-US: Microsoft CVE-2018-8599 (An elevation of privilege vulnerability exists when the Diagnostics Hu ...) NOT-FOR-US: Microsoft Windows CVE-2018-8598 (An information disclosure vulnerability exists when Microsoft Excel im ...) NOT-FOR-US: Microsoft CVE-2018-8597 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2018-8596 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft Windows CVE-2018-8595 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft Windows CVE-2018-8594 RESERVED CVE-2018-8593 RESERVED CVE-2018-8592 (An elevation of privilege vulnerability exists in Windows 10 version 1 ...) NOT-FOR-US: Microsoft CVE-2018-8591 RESERVED CVE-2018-8590 RESERVED CVE-2018-8589 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2018-8588 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8587 (A remote code execution vulnerability exists in Microsoft Outlook soft ...) NOT-FOR-US: Microsoft CVE-2018-8586 RESERVED CVE-2018-8585 RESERVED CVE-2018-8584 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2018-8583 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8582 (A remote code execution vulnerability exists in the way that Microsoft ...) NOT-FOR-US: Microsoft CVE-2018-8581 (An elevation of privilege vulnerability exists in Microsoft Exchange S ...) NOT-FOR-US: Microsoft CVE-2018-8580 (An information disclosure vulnerability exists where certain modes of ...) NOT-FOR-US: Microsoft CVE-2018-8579 (An information disclosure vulnerability exists when attaching files to ...) NOT-FOR-US: Microsoft CVE-2018-8578 (An information disclosure vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2018-8577 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2018-8576 (A remote code execution vulnerability exists in Microsoft Outlook soft ...) NOT-FOR-US: Microsoft CVE-2018-8575 (A remote code execution vulnerability exists in Microsoft Project soft ...) NOT-FOR-US: Microsoft CVE-2018-8574 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2018-8573 (A remote code execution vulnerability exists in Microsoft Word softwar ...) NOT-FOR-US: Microsoft CVE-2018-8572 (An elevation of privilege vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2018-8571 RESERVED CVE-2018-8570 (A remote code execution vulnerability exists when Internet Explorer im ...) NOT-FOR-US: Microsoft CVE-2018-8569 (A remote code execution vulnerability exists in the Yammer desktop app ...) NOT-FOR-US: Yammer CVE-2018-8568 (An elevation of privilege vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2018-8567 (An elevation of privilege vulnerability exists when Microsoft Edge doe ...) NOT-FOR-US: Microsoft CVE-2018-8566 (A security feature bypass vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2018-8565 (An information disclosure vulnerability exists when the win32k compone ...) NOT-FOR-US: Microsoft CVE-2018-8564 (A spoofing vulnerability exists when Microsoft Edge improperly handles ...) NOT-FOR-US: Microsoft CVE-2018-8563 (An information disclosure vulnerability exists when DirectX improperly ...) NOT-FOR-US: Microsoft CVE-2018-8562 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2018-8561 (An elevation of privilege vulnerability exists when DirectX improperly ...) NOT-FOR-US: Microsoft CVE-2018-8560 RESERVED CVE-2018-8559 RESERVED CVE-2018-8558 (An information disclosure vulnerability exists when Microsoft Outlook ...) NOT-FOR-US: Microsoft CVE-2018-8557 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8556 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8555 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8554 (An elevation of privilege vulnerability exists when DirectX improperly ...) NOT-FOR-US: Microsoft CVE-2018-8553 (A remote code execution vulnerability exists in the way that Microsoft ...) NOT-FOR-US: Microsoft CVE-2018-8552 (An information disclosure vulnerability exists when VBScript improperl ...) NOT-FOR-US: Microsoft CVE-2018-8551 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8550 (An elevation of privilege exists in Windows COM Aggregate Marshaler, a ...) NOT-FOR-US: Microsoft CVE-2018-8549 (A security feature bypass exists when Windows incorrectly validates ke ...) NOT-FOR-US: Microsoft CVE-2018-8548 RESERVED CVE-2018-8547 (A cross-site-scripting (XSS) vulnerability exists when an open source ...) NOT-FOR-US: Microsoft CVE-2018-8546 (A denial of service vulnerability exists in Skype for Business, aka "M ...) NOT-FOR-US: Microsoft CVE-2018-8545 (An information disclosure vulnerability exists in the way that Microso ...) NOT-FOR-US: Microsoft CVE-2018-8544 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2018-8543 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8542 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8541 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8540 (A remote code execution vulnerability exists when the Microsoft .NET F ...) NOT-FOR-US: Microsoft .NET CVE-2018-8539 (A remote code execution vulnerability exists in Microsoft Word softwar ...) NOT-FOR-US: Microsoft CVE-2018-8538 RESERVED CVE-2018-8537 RESERVED CVE-2018-8536 RESERVED CVE-2018-8535 RESERVED CVE-2018-8534 RESERVED CVE-2018-8533 (An information disclosure vulnerability exists in Microsoft SQL Server ...) NOT-FOR-US: Microsoft CVE-2018-8532 (An information disclosure vulnerability exists in Microsoft SQL Server ...) NOT-FOR-US: Microsoft CVE-2018-8531 (A remote code execution vulnerability exists in the way that Azure IoT ...) NOT-FOR-US: Microsoft CVE-2018-8530 (A security feature bypass vulnerability exists when Microsoft Edge imp ...) NOT-FOR-US: Microsoft CVE-2018-8529 (A remote code execution vulnerability exists when Team Foundation Serv ...) NOT-FOR-US: Microsoft CVE-2018-8528 RESERVED CVE-2018-8527 (An information disclosure vulnerability exists in Microsoft SQL Server ...) NOT-FOR-US: Microsoft CVE-2018-8526 RESERVED CVE-2018-8525 RESERVED CVE-2018-8524 (A remote code execution vulnerability exists in Microsoft Outlook soft ...) NOT-FOR-US: Microsoft CVE-2018-8523 RESERVED CVE-2018-8522 (A remote code execution vulnerability exists in Microsoft Outlook soft ...) NOT-FOR-US: Microsoft CVE-2018-8521 RESERVED CVE-2018-8520 RESERVED CVE-2018-8519 RESERVED CVE-2018-8518 (An elevation of privilege vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2018-8517 (A denial of service vulnerability exists when .NET Framework improperl ...) NOT-FOR-US: Microsoft .NET CVE-2018-8516 RESERVED CVE-2018-8515 RESERVED CVE-2018-8514 (An information disclosure vulnerability exists when Remote Procedure C ...) NOT-FOR-US: Microsoft Windows CVE-2018-8513 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8512 (A security feature bypass vulnerability exists in Microsoft Edge when ...) NOT-FOR-US: Microsoft CVE-2018-8511 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8510 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8509 (A remote code execution vulnerability exists when Microsoft Edge impro ...) NOT-FOR-US: Microsoft CVE-2018-8508 RESERVED CVE-2018-8507 RESERVED CVE-2018-8506 (An Information Disclosure vulnerability exists in the way that Microso ...) NOT-FOR-US: Microsoft CVE-2018-8505 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8504 (A remote code execution vulnerability exists in Microsoft Word softwar ...) NOT-FOR-US: Microsoft CVE-2018-8503 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8502 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2018-8501 (A remote code execution vulnerability exists in Microsoft PowerPoint s ...) NOT-FOR-US: Microsoft CVE-2018-8500 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8499 RESERVED CVE-2018-8498 (An elevation of privilege vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2018-8497 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2018-8496 RESERVED CVE-2018-8495 (A remote code execution vulnerability exists when Windows Shell improp ...) NOT-FOR-US: Microsoft CVE-2018-8494 (A remote code execution vulnerability exists when the Microsoft XML Co ...) NOT-FOR-US: Microsoft CVE-2018-8493 (An information disclosure vulnerability exists when the Windows TCP/IP ...) NOT-FOR-US: Microsoft CVE-2018-8492 (A security feature bypass vulnerability exists in Device Guard that co ...) NOT-FOR-US: Microsoft CVE-2018-8491 (A remote code execution vulnerability exists when Internet Explorer im ...) NOT-FOR-US: Microsoft CVE-2018-8490 (A remote code execution vulnerability exists when Windows Hyper-V on a ...) NOT-FOR-US: Microsoft CVE-2018-8489 (A remote code execution vulnerability exists when Windows Hyper-V on a ...) NOT-FOR-US: Microsoft CVE-2018-8488 (An elevation of privilege vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2018-8487 RESERVED CVE-2018-8486 (An information disclosure vulnerability exists when DirectX improperly ...) NOT-FOR-US: Microsoft CVE-2018-8485 (An elevation of privilege vulnerability exists when DirectX improperly ...) NOT-FOR-US: Microsoft CVE-2018-8484 (An elevation of privilege vulnerability exists when the DirectX Graphi ...) NOT-FOR-US: Microsoft CVE-2018-8483 RESERVED CVE-2018-8482 (An information disclosure vulnerability exists when Windows Media Play ...) NOT-FOR-US: Microsoft CVE-2018-8481 (An information disclosure vulnerability exists when Windows Media Play ...) NOT-FOR-US: Microsoft CVE-2018-8480 (An elevation of privilege vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2018-8479 (A spoofing vulnerability exists for the Azure IoT Device Provisioning ...) NOT-FOR-US: Azure CVE-2018-8478 RESERVED CVE-2018-8477 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft Windows CVE-2018-8476 (A remote code execution vulnerability exists in the way that Windows D ...) NOT-FOR-US: Microsoft CVE-2018-8475 (A remote code execution vulnerability exists when Windows does not pro ...) NOT-FOR-US: Microsoft CVE-2018-8474 (A security feature bypass vulnerability exists when Lync for Mac 2011 ...) NOT-FOR-US: Microsoft CVE-2018-8473 (A remote code execution vulnerability exists when Microsoft Edge impro ...) NOT-FOR-US: Microsoft CVE-2018-8472 (An information disclosure vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2018-8471 (An elevation of privilege vulnerability exists in the way that the Mic ...) NOT-FOR-US: Microsoft CVE-2018-8470 (A security feature bypass vulnerability exists in Internet Explorer du ...) NOT-FOR-US: Microsoft CVE-2018-8469 (An elevation of privilege vulnerability exists in Microsoft Edge that ...) NOT-FOR-US: Microsoft CVE-2018-8468 (An elevation of privilege vulnerability exists when Windows, allowing ...) NOT-FOR-US: Microsoft CVE-2018-8467 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8466 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8465 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8464 (An remote code execution vulnerability exists when Microsoft Edge PDF ...) NOT-FOR-US: Microsoft CVE-2018-8463 (An elevation of privilege vulnerability exists in Microsoft Edge that ...) NOT-FOR-US: Microsoft CVE-2018-8462 (An elevation of privilege vulnerability exists when the DirectX Graphi ...) NOT-FOR-US: Microsoft CVE-2018-8461 (A remote code execution vulnerability exists when Internet Explorer im ...) NOT-FOR-US: Microsoft CVE-2018-8460 (A remote code execution vulnerability exists when Internet Explorer im ...) NOT-FOR-US: Microsoft CVE-2018-8459 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8458 RESERVED CVE-2018-8457 (A remote code execution vulnerability exists in the way the scripting ...) NOT-FOR-US: Microsoft CVE-2018-8456 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8455 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2018-8454 (An information disclosure vulnerability exists when Windows Audio Serv ...) NOT-FOR-US: Microsoft CVE-2018-8453 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2018-8452 (An information disclosure vulnerability exists when the scripting engi ...) NOT-FOR-US: Microsoft CVE-2018-8451 RESERVED CVE-2018-8450 (A remote code execution vulnerability exists when Windows Search handl ...) NOT-FOR-US: Microsoft CVE-2018-8449 (A security feature bypass exists when Device Guard incorrectly validat ...) NOT-FOR-US: Microsoft CVE-2018-8448 (An elevation of privilege vulnerability exists when Microsoft Exchange ...) NOT-FOR-US: Microsoft CVE-2018-8447 (A remote code execution vulnerability exists when Internet Explorer im ...) NOT-FOR-US: Microsoft CVE-2018-8446 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2018-8445 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2018-8444 (An information disclosure vulnerability exists in the way that the Mic ...) NOT-FOR-US: Microsoft CVE-2018-8443 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2018-8442 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2018-8441 (An elevation of privilege vulnerability exists due to an integer overf ...) NOT-FOR-US: Microsoft CVE-2018-8440 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2018-8439 (A remote code execution vulnerability exists when Windows Hyper-V on a ...) NOT-FOR-US: Microsoft CVE-2018-8438 (A denial of service vulnerability exists when Microsoft Hyper-V Networ ...) NOT-FOR-US: Microsoft CVE-2018-8437 (A denial of service vulnerability exists when Microsoft Hyper-V Networ ...) NOT-FOR-US: Microsoft CVE-2018-8436 (A denial of service vulnerability exists when Microsoft Hyper-V Networ ...) NOT-FOR-US: Microsoft CVE-2018-8435 (A security feature bypass vulnerability exists when Windows Hyper-V BI ...) NOT-FOR-US: Microsoft CVE-2018-8434 (An information disclosure vulnerability exists when Windows Hyper-V on ...) NOT-FOR-US: Microsoft CVE-2018-8433 (An information disclosure vulnerability exists when the Windows Graphi ...) NOT-FOR-US: Microsoft CVE-2018-8432 (A remote code execution vulnerability exists in the way that Microsoft ...) NOT-FOR-US: Microsoft CVE-2018-8431 (An elevation of privilege vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2018-8430 (A remote code execution vulnerability exists in Microsoft Word if a us ...) NOT-FOR-US: Microsoft CVE-2018-8429 (An information disclosure vulnerability exists when Microsoft Excel im ...) NOT-FOR-US: Microsoft CVE-2018-8428 (An elevation of privilege vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2018-8427 (An information disclosure vulnerability exists in the way that Microso ...) NOT-FOR-US: Microsoft CVE-2018-8426 (A cross-site-scripting (XSS) vulnerability exists when Microsoft Share ...) NOT-FOR-US: Microsoft CVE-2018-8425 (A spoofing vulnerability exists when Microsoft Edge improperly handles ...) NOT-FOR-US: Microsoft CVE-2018-8424 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2018-8423 (A remote code execution vulnerability exists in the Microsoft JET Data ...) NOT-FOR-US: Microsoft CVE-2018-8422 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2018-8421 (A remote code execution vulnerability exists when Microsoft .NET Frame ...) NOT-FOR-US: Microsoft CVE-2018-8420 (A remote code execution vulnerability exists when the Microsoft XML Co ...) NOT-FOR-US: Microsoft CVE-2018-8419 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2018-8418 RESERVED CVE-2018-8417 (A security feature bypass vulnerability exists in Microsoft JScript th ...) NOT-FOR-US: Microsoft CVE-2018-8416 (A tampering vulnerability exists when .NET Core improperly handles spe ...) NOT-FOR-US: .dotnet CoreFX CVE-2018-8415 (A tampering vulnerability exists in PowerShell that could allow an att ...) NOT-FOR-US: Microsoft CVE-2018-8414 (A remote code execution vulnerability exists when the Windows Shell do ...) NOT-FOR-US: Microsoft CVE-2018-8413 (A remote code execution vulnerability exists when "Windows Theme API" ...) NOT-FOR-US: Microsoft CVE-2018-8412 (An elevation of privilege vulnerability exists when the Microsoft Auto ...) NOT-FOR-US: Microsoft CVE-2018-8411 (An elevation of privilege vulnerability exists when NTFS improperly ch ...) NOT-FOR-US: Microsoft CVE-2018-8410 (An elevation of privilege vulnerability exists when the Windows Kernel ...) NOT-FOR-US: Microsoft CVE-2018-8409 (A denial of service vulnerability exists when System.IO.Pipelines impr ...) NOT-FOR-US: Microsoft CVE-2018-8408 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2018-8407 (An information disclosure vulnerability exists when "Kernel Remote Pro ...) NOT-FOR-US: Microsoft CVE-2018-8406 (An elevation of privilege vulnerability exists when the DirectX Graphi ...) NOT-FOR-US: Microsoft CVE-2018-8405 (An elevation of privilege vulnerability exists when the DirectX Graphi ...) NOT-FOR-US: Microsoft CVE-2018-8404 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2018-8403 (A remote code execution vulnerability exists in the way that Microsoft ...) NOT-FOR-US: Microsoft CVE-2018-8402 RESERVED CVE-2018-8401 (An elevation of privilege vulnerability exists when the DirectX Graphi ...) NOT-FOR-US: Microsoft CVE-2018-8400 (An elevation of privilege vulnerability exists when the DirectX Graphi ...) NOT-FOR-US: Microsoft CVE-2018-8399 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2018-8398 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2018-8397 (A remote code execution vulnerability exists in the way that the Windo ...) NOT-FOR-US: Microsoft CVE-2018-8396 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2018-8395 RESERVED CVE-2018-8394 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2018-8393 (A buffer overflow vulnerability exists in the Microsoft JET Database E ...) NOT-FOR-US: Microsoft CVE-2018-8392 (A buffer overflow vulnerability exists in the Microsoft JET Database E ...) NOT-FOR-US: Microsoft CVE-2018-8391 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8390 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8389 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2018-8388 (A spoofing vulnerability exists when Microsoft Edge improperly handles ...) NOT-FOR-US: Microsoft CVE-2018-8387 (A remote code execution vulnerability exists when Microsoft Edge impro ...) NOT-FOR-US: Microsoft CVE-2018-8386 RESERVED CVE-2018-8385 (A remote code execution vulnerability exists in the way the scripting ...) NOT-FOR-US: Microsoft CVE-2018-8384 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8383 (A spoofing vulnerability exists when Microsoft Edge does not properly ...) NOT-FOR-US: Microsoft CVE-2018-8382 (An information disclosure vulnerability exists when Microsoft Excel im ...) NOT-FOR-US: Microsoft CVE-2018-8381 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8380 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8379 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2018-8378 (An information disclosure vulnerability exists when Microsoft Office s ...) NOT-FOR-US: Microsoft CVE-2018-8377 (A remote code execution vulnerability exists when Microsoft Edge impro ...) NOT-FOR-US: Microsoft CVE-2018-8376 (A remote code execution vulnerability exists in Microsoft PowerPoint s ...) NOT-FOR-US: Microsoft CVE-2018-8375 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2018-8374 (A tampering vulnerability exists when Microsoft Exchange Server fails ...) NOT-FOR-US: Microsoft CVE-2018-8373 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2018-8372 (A remote code execution vulnerability exists in the way the scripting ...) NOT-FOR-US: Microsoft CVE-2018-8371 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2018-8370 (A information disclosure vulnerability exists when WebAudio Library im ...) NOT-FOR-US: Microsoft CVE-2018-8369 RESERVED CVE-2018-8368 RESERVED CVE-2018-8367 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8366 (An information disclosure vulnerability exists when the Microsoft Edge ...) NOT-FOR-US: Microsoft CVE-2018-8365 RESERVED CVE-2018-8364 RESERVED CVE-2018-8363 RESERVED CVE-2018-8362 RESERVED CVE-2018-8361 RESERVED CVE-2018-8360 (An information disclosure vulnerability exists in Microsoft .NET Frame ...) NOT-FOR-US: Microsoft CVE-2018-8359 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8358 (A security feature bypass vulnerability exists when Microsoft Edge imp ...) NOT-FOR-US: Microsoft CVE-2018-8357 (An elevation of privilege vulnerability exists in Microsoft browsers a ...) NOT-FOR-US: Microsoft CVE-2018-8356 (A security feature bypass vulnerability exists when Microsoft .NET Fra ...) NOT-FOR-US: Microsoft .NET, doesn't affect src:mono CVE-2018-8355 (A remote code execution vulnerability exists in the way the scripting ...) NOT-FOR-US: Microsoft CVE-2018-8354 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2018-8353 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2018-8352 RESERVED CVE-2018-8351 (An information disclosure vulnerability exists when affected Microsoft ...) NOT-FOR-US: Microsoft CVE-2018-8350 (A remote code execution vulnerability exists when Microsoft Windows PD ...) NOT-FOR-US: Microsoft CVE-2018-8349 (A remote code execution vulnerability exists in "Microsoft COM for Win ...) NOT-FOR-US: Microsoft CVE-2018-8348 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2018-8347 (An elevation of privilege vulnerability exists in Microsoft Windows wh ...) NOT-FOR-US: Microsoft CVE-2018-8346 (A remote code execution vulnerability exists in Microsoft Windows that ...) NOT-FOR-US: Microsoft CVE-2018-8345 (A remote code execution vulnerability exists in Microsoft Windows that ...) NOT-FOR-US: Microsoft CVE-2018-8344 (A remote code execution vulnerability exists when the Windows font lib ...) NOT-FOR-US: Microsoft CVE-2018-8343 (An elevation of privilege vulnerability exists in the Network Driver I ...) NOT-FOR-US: Microsoft CVE-2018-8342 (An elevation of privilege vulnerability exists in the Network Driver I ...) NOT-FOR-US: Microsoft CVE-2018-8341 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2018-8340 (A security feature bypass vulnerability exists when Active Directory F ...) NOT-FOR-US: Microsoft CVE-2018-8339 (An elevation of privilege vulnerability exists in the Windows Installe ...) NOT-FOR-US: Microsoft CVE-2018-8338 RESERVED CVE-2018-8337 (A security feature bypass vulnerability exists when Windows Subsystem ...) NOT-FOR-US: Microsoft CVE-2018-8336 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2018-8335 (A denial of service vulnerability exists in the Microsoft Server Block ...) NOT-FOR-US: Microsoft CVE-2018-8334 RESERVED CVE-2018-8333 (An Elevation of Privilege vulnerability exists in Filter Manager when ...) NOT-FOR-US: Microsoft CVE-2018-8332 (A remote code execution vulnerability exists when the Windows font lib ...) NOT-FOR-US: Microsoft CVE-2018-8331 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2018-8330 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2018-8329 (An Elevation of Privilege vulnerability exists in Windows Subsystem fo ...) NOT-FOR-US: Microsoft CVE-2018-8328 RESERVED CVE-2018-8327 (A remote code execution vulnerability exists in PowerShell Editor Serv ...) NOT-FOR-US: Microsoft CVE-2018-8326 (A cross-site-scripting (XSS) vulnerability exists when an open source ...) NOT-FOR-US: Microsoft CVE-2018-8325 (An information disclosure vulnerability exists when Microsoft Edge imp ...) NOT-FOR-US: Microsoft CVE-2018-8324 (An information disclosure vulnerability exists when Microsoft Edge imp ...) NOT-FOR-US: Microsoft CVE-2018-8323 (An elevation of privilege vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2018-8322 RESERVED CVE-2018-8321 RESERVED CVE-2018-8320 (A security feature bypass vulnerability exists in DNS Global Blocklist ...) NOT-FOR-US: Microsoft CVE-2018-8319 (A Security Feature Bypass vulnerability exists in MSR JavaScript Crypt ...) NOT-FOR-US: Microsoft CVE-2018-8318 RESERVED CVE-2018-8317 RESERVED CVE-2018-8316 (A remote code execution vulnerability exists when Internet Explorer im ...) NOT-FOR-US: Microsoft CVE-2018-8315 (An information disclosure vulnerability exists when the browser script ...) NOT-FOR-US: Microsoft CVE-2018-8314 (An elevation of privilege vulnerability exists when Windows fails a ch ...) NOT-FOR-US: Microsoft CVE-2018-8313 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2018-8312 (A remote code execution vulnerability exists when Microsoft Access fai ...) NOT-FOR-US: Microsoft CVE-2018-8311 (A remote code execution vulnerability exists when Skype for Business a ...) NOT-FOR-US: Microsoft CVE-2018-8310 (A tampering vulnerability exists when Microsoft Outlook does not prope ...) NOT-FOR-US: Microsoft CVE-2018-8309 (A denial of service vulnerability exists when Windows improperly handl ...) NOT-FOR-US: Microsoft CVE-2018-8308 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2018-8307 (A security feature bypass vulnerability exists when Microsoft WordPad ...) NOT-FOR-US: Microsoft CVE-2018-8306 (A command injection vulnerability exists in the Microsoft Wireless Dis ...) NOT-FOR-US: Microsoft CVE-2018-8305 (An information disclosure vulnerability exists in Windows Mail Client ...) NOT-FOR-US: Microsoft CVE-2018-8304 (A denial of service vulnerability exists in Windows Domain Name System ...) NOT-FOR-US: Microsoft CVE-2018-8303 RESERVED CVE-2018-8302 (A remote code execution vulnerability exists in Microsoft Exchange sof ...) NOT-FOR-US: Microsoft CVE-2018-8301 (A remote code execution vulnerability exists when Microsoft Edge impro ...) NOT-FOR-US: Microsoft CVE-2018-8300 (A remote code execution vulnerability exists in Microsoft SharePoint w ...) NOT-FOR-US: Microsoft CVE-2018-8299 (An elevation of privilege vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2018-8298 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8297 (An information disclosure vulnerability exists when Microsoft Edge imp ...) NOT-FOR-US: Microsoft CVE-2018-8296 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2018-8295 RESERVED CVE-2018-8294 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8293 RESERVED CVE-2018-8292 (An information disclosure vulnerability exists in .NET Core when authe ...) NOT-FOR-US: .dotnet CoreFX NOTE: https://github.com/dotnet/corefx/commit/56aae8a7076f283e334b88f642ef6bb7c59e02c3 CVE-2018-8291 (A remote code execution vulnerability exists in the way the scripting ...) NOT-FOR-US: Microsoft CVE-2018-8290 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8289 (An information disclosure vulnerability exists when Microsoft Edge imp ...) NOT-FOR-US: Microsoft CVE-2018-8288 (A remote code execution vulnerability exists in the way the scripting ...) NOT-FOR-US: Microsoft CVE-2018-8287 (A remote code execution vulnerability exists in the way the scripting ...) NOT-FOR-US: Microsoft CVE-2018-8286 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8285 RESERVED CVE-2018-8284 (A remote code execution vulnerability exists when the Microsoft .NET F ...) NOT-FOR-US: Microsoft CVE-2018-8283 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8282 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2018-8281 (A remote code execution vulnerability exists in Microsoft Office softw ...) NOT-FOR-US: Microsoft CVE-2018-8280 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8279 (A remote code execution vulnerability exists when Microsoft Edge impro ...) NOT-FOR-US: Microsoft CVE-2018-8278 (A spoofing vulnerability exists when Microsoft Edge improperly handles ...) NOT-FOR-US: Microsoft CVE-2018-8277 RESERVED CVE-2018-8276 (A security feature bypass vulnerability exists in the Microsoft Chakra ...) NOT-FOR-US: Microsoft CVE-2018-8275 (A remote code execution vulnerability exists when Microsoft Edge impro ...) NOT-FOR-US: Microsoft CVE-2018-8274 (A remote code execution vulnerability exists when Microsoft Edge impro ...) NOT-FOR-US: Microsoft CVE-2018-8273 (A buffer overflow vulnerability exists in the Microsoft SQL Server tha ...) NOT-FOR-US: Microsoft CVE-2018-8272 RESERVED CVE-2018-8271 (An information disclosure vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2018-8270 RESERVED CVE-2018-8269 (A denial of service vulnerability exists when OData Library improperly ...) NOT-FOR-US: Microsoft CVE-2018-8268 RESERVED CVE-2018-8267 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2018-8266 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8265 (A remote code execution vulnerability exists in the way Microsoft Exch ...) NOT-FOR-US: Microsoft CVE-2018-8264 RESERVED CVE-2018-8263 RESERVED CVE-2018-8262 (A remote code execution vulnerability exists when Microsoft Edge impro ...) NOT-FOR-US: Microsoft CVE-2018-8261 REJECTED CVE-2018-8260 (A Remote Code Execution vulnerability exists in .NET software when the ...) NOT-FOR-US: Microsoft CVE-2018-8259 RESERVED CVE-2018-8258 RESERVED CVE-2018-8257 RESERVED CVE-2018-8256 (A remote code execution vulnerability exists when PowerShell improperl ...) NOT-FOR-US: Microsoft CVE-2018-8255 RESERVED CVE-2018-8254 (An elevation of privilege vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2018-8253 (An elevation of privilege vulnerability exists when Microsoft Cortana ...) NOT-FOR-US: Microsoft CVE-2018-8252 (An elevation of privilege vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2018-8251 (A memory corruption vulnerability exists when Windows Media Foundation ...) NOT-FOR-US: Microsoft CVE-2018-8250 RESERVED CVE-2018-8249 (A remote code execution vulnerability exists when Internet Explorer im ...) NOT-FOR-US: Microsoft CVE-2018-8248 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2018-8247 (An elevation of privilege vulnerability exists when Office Web Apps Se ...) NOT-FOR-US: Microsoft CVE-2018-8246 (An information disclosure vulnerability exists when Microsoft Excel im ...) NOT-FOR-US: Microsoft CVE-2018-8245 (A remote code execution vulnerability exists when Microsoft Publisher ...) NOT-FOR-US: Microsoft CVE-2018-8244 (An elevation of privilege vulnerability exists when Microsoft Outlook ...) NOT-FOR-US: Microsoft CVE-2018-8243 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8242 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2018-8241 RESERVED CVE-2018-8240 RESERVED CVE-2018-8239 (An information disclosure vulnerability exists when the Windows GDI co ...) NOT-FOR-US: Microsoft CVE-2018-8238 (A security feature bypass vulnerability exists when Skype for Business ...) NOT-FOR-US: Microsoft CVE-2018-8237 RESERVED CVE-2018-8236 (A remote code execution vulnerability exists when Microsoft Edge impro ...) NOT-FOR-US: Microsoft CVE-2018-8235 (A security feature bypass vulnerability exists when Microsoft Edge imp ...) NOT-FOR-US: Microsoft CVE-2018-8234 (An information disclosure vulnerability exists when Microsoft Edge imp ...) NOT-FOR-US: Microsoft CVE-2018-8233 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2018-8232 (A Tampering vulnerability exists when Microsoft Macro Assembler improp ...) NOT-FOR-US: Microsoft CVE-2018-8231 (A remote code execution vulnerability exists when HTTP Protocol Stack ...) NOT-FOR-US: Microsoft CVE-2018-8230 RESERVED CVE-2018-8229 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8228 RESERVED CVE-2018-8227 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8226 (A denial of service vulnerability exists in the HTTP 2.0 protocol stac ...) NOT-FOR-US: Microsoft CVE-2018-8225 (A remote code execution vulnerability exists in Windows Domain Name Sy ...) NOT-FOR-US: Microsoft CVE-2018-8224 (An elevation of privilege vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2018-8223 RESERVED CVE-2018-8222 (A security feature bypass vulnerability exists in Device Guard that co ...) NOT-FOR-US: Microsoft CVE-2018-8221 (A security feature bypass vulnerability exists in Device Guard that co ...) NOT-FOR-US: Microsoft CVE-2018-8220 RESERVED CVE-2018-8219 (An elevation of privilege vulnerability exists when Windows Hyper-V in ...) NOT-FOR-US: Microsoft CVE-2018-8218 (A denial of service vulnerability exists when Microsoft Hyper-V Networ ...) NOT-FOR-US: Microsoft CVE-2018-8217 (A security feature bypass vulnerability exists in Device Guard that co ...) NOT-FOR-US: Microsoft CVE-2018-8216 (A security feature bypass vulnerability exists in Device Guard that co ...) NOT-FOR-US: Microsoft CVE-2018-8215 (A security feature bypass vulnerability exists in Device Guard that co ...) NOT-FOR-US: Microsoft CVE-2018-8214 (An elevation of privilege vulnerability exists in Windows when Desktop ...) NOT-FOR-US: Microsoft CVE-2018-8213 (A remote code execution vulnerability exists when Windows improperly h ...) NOT-FOR-US: Microsoft CVE-2018-8212 (A security feature bypass vulnerability exists in Device Guard that co ...) NOT-FOR-US: Microsoft CVE-2018-8211 (A security feature bypass vulnerability exists in Device Guard that co ...) NOT-FOR-US: Microsoft CVE-2018-8210 (A remote code execution vulnerability exists when Windows improperly h ...) NOT-FOR-US: Microsoft CVE-2018-8209 (An information disclosure vulnerability exists when Windows allows a n ...) NOT-FOR-US: Microsoft CVE-2018-8208 (An elevation of privilege vulnerability exists in Windows when Desktop ...) NOT-FOR-US: Microsoft CVE-2018-8207 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2018-8206 (A denial of service vulnerability exists when Windows improperly handl ...) NOT-FOR-US: Microsoft CVE-2018-8205 (A denial of service vulnerability exists when Windows improperly handl ...) NOT-FOR-US: Microsoft CVE-2018-8204 (A security feature bypass vulnerability exists in Device Guard that co ...) NOT-FOR-US: Microsoft CVE-2018-8203 RESERVED CVE-2018-8202 (An elevation of privilege vulnerability exists in .NET Framework which ...) NOT-FOR-US: Microsoft CVE-2018-8201 (A security feature bypass vulnerability exists in Device Guard that co ...) NOT-FOR-US: Microsoft CVE-2018-8200 (A security feature bypass vulnerability exists in Device Guard that co ...) NOT-FOR-US: Microsoft CVE-2018-8199 RESERVED CVE-2018-8198 RESERVED CVE-2018-8197 RESERVED CVE-2018-8196 RESERVED CVE-2018-8195 RESERVED CVE-2018-8194 RESERVED CVE-2018-8193 RESERVED CVE-2018-8192 RESERVED CVE-2018-8191 RESERVED CVE-2018-8190 RESERVED CVE-2018-8189 RESERVED CVE-2018-8188 RESERVED CVE-2018-8187 RESERVED CVE-2018-8186 RESERVED CVE-2018-8185 RESERVED CVE-2018-8184 RESERVED CVE-2018-8183 RESERVED CVE-2018-8182 RESERVED CVE-2018-8181 RESERVED CVE-2018-8180 RESERVED CVE-2018-8179 (A remote code execution vulnerability exists when Microsoft Edge impro ...) NOT-FOR-US: Microsoft CVE-2018-8178 (A remote code execution vulnerability exists in the way that Microsoft ...) NOT-FOR-US: Microsoft CVE-2018-8177 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8176 (A remote code execution vulnerability exists in Microsoft PowerPoint s ...) NOT-FOR-US: Microsoft CVE-2018-8175 (An denial of service vulnerability exists when Windows NT WEBDAV Minir ...) NOT-FOR-US: Microsoft CVE-2018-8174 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2018-8173 (A remote code execution vulnerability exists in Microsoft InfoPath whe ...) NOT-FOR-US: Microsoft CVE-2018-8172 (A remote code execution vulnerability exists in Visual Studio software ...) NOT-FOR-US: Microsoft CVE-2018-8171 (A Security Feature Bypass vulnerability exists in ASP.NET when the num ...) NOT-FOR-US: Microsoft CVE-2018-8170 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2018-8169 (An elevation of privilege vulnerability exists when the (Human Interfa ...) NOT-FOR-US: Microsoft CVE-2018-8168 (An elevation of privilege vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2018-8167 (An elevation of privilege vulnerability exists when the Windows Common ...) NOT-FOR-US: Microsoft CVE-2018-8166 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2018-8165 (An elevation of privilege vulnerability exists when the DirectX Graphi ...) NOT-FOR-US: Microsoft CVE-2018-8164 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2018-8163 (An information disclosure vulnerability exists when Microsoft Excel im ...) NOT-FOR-US: Microsoft CVE-2018-8162 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2018-8161 (A remote code execution vulnerability exists in Microsoft Office softw ...) NOT-FOR-US: Microsoft CVE-2018-8160 (An information disclosure vulnerability exists in Outlook when a messa ...) NOT-FOR-US: Microsoft CVE-2018-8159 (An elevation of privilege vulnerability exists when Microsoft Exchange ...) NOT-FOR-US: Microsoft CVE-2018-8158 (A remote code execution vulnerability exists in Microsoft Office softw ...) NOT-FOR-US: Microsoft CVE-2018-8157 (A remote code execution vulnerability exists in Microsoft Office softw ...) NOT-FOR-US: Microsoft CVE-2018-8156 (An elevation of privilege vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2018-8155 (An elevation of privilege vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2018-8154 (A remote code execution vulnerability exists in Microsoft Exchange sof ...) NOT-FOR-US: Microsoft CVE-2018-8153 (A spoofing vulnerability exists in Microsoft Exchange Server when Outl ...) NOT-FOR-US: Microsoft CVE-2018-8152 (An elevation of privilege vulnerability exists when Microsoft Exchange ...) NOT-FOR-US: Microsoft CVE-2018-8151 (An information disclosure vulnerability exists when Microsoft Exchange ...) NOT-FOR-US: Microsoft CVE-2018-8150 (A security feature bypass vulnerability exists when the Microsoft Outl ...) NOT-FOR-US: Microsoft CVE-2018-8149 (An elevation of privilege vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2018-8148 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2018-8147 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2018-8146 RESERVED CVE-2018-8145 (An information disclosure vulnerability exists when Chakra improperly ...) NOT-FOR-US: Microsoft CVE-2018-8144 RESERVED CVE-2018-8143 RESERVED CVE-2018-8142 (A security feature bypass exists when Windows incorrectly validates ke ...) NOT-FOR-US: Microsoft CVE-2018-8141 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2018-8140 (An Elevation of Privilege vulnerability exists when Cortana retrieves ...) NOT-FOR-US: Microsoft CVE-2018-8139 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2018-8138 RESERVED CVE-2018-8137 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2018-8136 (A remote code execution vulnerability exists in the way that Windows h ...) NOT-FOR-US: Microsoft CVE-2018-8135 RESERVED CVE-2018-8134 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2018-8133 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8132 (A security feature bypass vulnerability exists in Windows which could ...) NOT-FOR-US: Microsoft CVE-2018-8131 RESERVED CVE-2018-8130 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-8129 (A security feature bypass vulnerability exists in Windows which could ...) NOT-FOR-US: Microsoft CVE-2018-8128 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2018-8127 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2018-8126 (A security feature bypass vulnerability exists when Internet Explorer ...) NOT-FOR-US: Microsoft CVE-2018-8125 (A remote code execution vulnerability exists when Microsoft Edge impro ...) NOT-FOR-US: Microsoft CVE-2018-8124 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2018-8123 (An information disclosure vulnerability exists when Microsoft Edge imp ...) NOT-FOR-US: Microsoft CVE-2018-8122 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2018-8121 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2018-8120 (An elevation of privilege vulnerability exists in Windows when the Win ...) NOT-FOR-US: Microsoft CVE-2018-8119 (A spoofing vulnerability exists when the Azure IoT Device Provisioning ...) NOT-FOR-US: Microsoft CVE-2018-8118 (A remote code execution vulnerability exists when Internet Explorer im ...) NOT-FOR-US: Microsoft CVE-2018-8117 (A security feature bypass vulnerability exists in the Microsoft Wirele ...) NOT-FOR-US: Microsoft CVE-2018-8116 (A denial of service vulnerability exists in the way that Windows handl ...) NOT-FOR-US: Microsoft CVE-2018-8115 (A remote code execution vulnerability exists when the Windows Host Com ...) NOT-FOR-US: Microsoft CVE-2018-8114 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2018-8113 (A security feature bypass vulnerability exists in Internet Explorer th ...) NOT-FOR-US: Microsoft CVE-2018-8112 (A security feature bypass vulnerability exists when Microsoft Edge imp ...) NOT-FOR-US: Microsoft CVE-2018-8111 (A remote code execution vulnerability exists when Microsoft Edge impro ...) NOT-FOR-US: Microsoft CVE-2018-8110 (A remote code execution vulnerability exists when Microsoft Edge impro ...) NOT-FOR-US: Microsoft CVE-2018-1000132 (Mercurial version 4.5 and earlier contains a Incorrect Access Control ...) {DLA-1414-1 DLA-1331-1} - mercurial 4.5.2-1 (bug #892964) NOTE: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.5.1_.2F_4.5.2_.282018-03-06.29 NOTE: https://www.mercurial-scm.org/repo/hg/rev/2ecb0fc535b1 (4.5.2) NOTE: Backports for older branches in https://hg.mozilla.org/users/gszorc_mozilla.com/hg NOTE: 4.4: 4843835c835::7cf827e5f8af NOTE: 4.3: db527ae12671::86f9a022ccb8 CVE-2018-1000131 (Pradeep Makone wordpress Support Plus Responsive Ticket System version ...) NOT-FOR-US: Pradeep Makone wordpress Support Plus Responsive Ticket System CVE-2018-1000130 (A JNDI Injection vulnerability exists in Jolokia agent version 1.3.7 i ...) NOT-FOR-US: Jolokia CVE-2018-1000129 (An XSS vulnerability exists in the Jolokia agent version 1.3.7 in the ...) NOT-FOR-US: Jolokia CVE-2018-8109 RESERVED CVE-2018-8108 (The select component in bui through 2018-03-13 has XSS because it perf ...) NOT-FOR-US: bui CVE-2018-8107 (The JPXStream::close function in JPXStream.cc in xpdf 4.00 allows atta ...) - xpdf (unimportant) NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=654&p=819#p819 NOTE: src:xpdf switched to use system poppler libary in 3.02-3 NOTE: Reproducer correctly detected as broken with jessie's poppler build CVE-2018-8106 (The JPXStream::readTilePartData function in JPXStream.cc in xpdf 4.00 ...) - xpdf (unimportant) NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=654&p=819#p819 NOTE: src:xpdf switched to use system poppler libary in 3.02-3 NOTE: Reproducer correctly detected as broken with jessie's poppler build CVE-2018-8105 (The JPXStream::fillReadBuf function in JPXStream.cc in xpdf 4.00 allow ...) - xpdf (unimportant) NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=654&p=819#p819 NOTE: src:xpdf switched to use system poppler libary in 3.02-3 NOTE: Reproducer correctly detected as broken with jessie's poppler build CVE-2018-8104 (The BufStream::lookChar function in Stream.cc in xpdf 4.00 allows atta ...) - xpdf (unimportant) NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=654&p=819#p819 NOTE: src:xpdf switched to use system poppler libary in 3.02-3 NOTE: Reproducer correctly detected as broken with jessie's poppler build CVE-2018-8103 (The JBIG2Stream::readGenericBitmap function in JBIG2Stream.cc in xpdf ...) - xpdf (unimportant) NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=654&p=819#p819 NOTE: src:xpdf switched to use system poppler libary in 3.02-3 NOTE: Reproducer correctly detected as broken with jessie's poppler build CVE-2018-8102 (The JBIG2MMRDecoder::getBlackCode function in JBIG2Stream.cc in xpdf 4 ...) - xpdf (unimportant) NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=654&p=819#p819 NOTE: src:xpdf switched to use system poppler libary in 3.02-3 NOTE: Reproducer correctly detected as broken with jessie's poppler build CVE-2018-8101 (The JPXStream::inverseTransformLevel function in JPXStream.cc in xpdf ...) - xpdf (unimportant) NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=654&p=819#p819 NOTE: src:xpdf switched to use system poppler libary in 3.02-3 NOTE: Reproducer correctly detected as broken with jessie's poppler build CVE-2018-8100 (The JPXStream::readTilePart function in JPXStream.cc in xpdf 4.00 allo ...) - xpdf (unimportant) NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=654&p=819#p819 NOTE: src:xpdf switched to use system poppler libary in 3.02-3 NOTE: Reproducer correctly detected as broken with jessie's poppler build CVE-2018-8099 (Incorrect returning of an error code in the index.c:read_entry() funct ...) [experimental] - libgit2 0.27.0+dfsg.1-0.1 - libgit2 0.27.0+dfsg.1-0.6 (low; bug #892962) [stretch] - libgit2 (Minor issue) [jessie] - libgit2 (Minor issue) NOTE: https://github.com/libgit2/libgit2/commit/58a6fe94cb851f71214dbefac3f9bffee437d6fe CVE-2018-8098 (Integer overflow in the index.c:read_entry() function while decompress ...) [experimental] - libgit2 0.27.0+dfsg.1-0.1 - libgit2 0.27.0+dfsg.1-0.6 (low; bug #892961) [stretch] - libgit2 (Minor issue) [jessie] - libgit2 (Minor issue) NOTE: https://github.com/libgit2/libgit2/commit/3207ddb0103543da8ad2139ec6539f590f9900c1 NOTE: https://github.com/libgit2/libgit2/commit/3db1af1f370295ad5355b8f64b865a2a357bcac0 CVE-2018-8097 (io/mongo/parser.py in Eve (aka pyeve) before 0.7.5 allows remote attac ...) NOT-FOR-US: pyeve CVE-2018-8096 (Datalust Seq before 4.2.605 is vulnerable to Authentication Bypass (wi ...) NOT-FOR-US: Datalust Seq CVE-2018-8095 RESERVED CVE-2018-1000128 REJECTED CVE-2018-1000127 (memcached version prior to 1.4.37 contains an Integer Overflow vulnera ...) {DSA-4218-1 DLA-1329-1} - memcached 1.5.0-1 (bug #894404) NOTE: https://github.com/memcached/memcached/commit/a8c4a82787b8b6c256d61bd5c42fb7f92d1bae00 NOTE: https://github.com/memcached/memcached/issues/271 CVE-2018-1000126 (Ajenti version 2 contains an Information Disclosure vulnerability in L ...) - ajenti (bug #792019) CVE-2018-1000125 (inversoft prime-jwt version prior to version 1.3.0 or prior to commit ...) NOT-FOR-US: inversoft prime-jwt CVE-2018-1000124 (I Librarian I-librarian version 4.8 and earlier contains a XML Externa ...) - i-librarian (bug #649291) CVE-2018-1000123 (Ionic Team Cordova plugin iOS Keychain version before commit 18233ca25 ...) NOT-FOR-US: Ionic Team Cordova plugin iOS Keychain CVE-2017-18231 (An issue was discovered in GraphicsMagick 1.3.26. A NULL pointer deref ...) {DSA-4321-1 DLA-1456-1 DLA-1322-1} - graphicsmagick 1.3.27-1 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/ea074081678b NOTE: https://sourceforge.net/p/graphicsmagick/bugs/475/ CVE-2017-18230 (An issue was discovered in GraphicsMagick 1.3.26. A NULL pointer deref ...) {DSA-4321-1 DLA-1456-1 DLA-1322-1} - graphicsmagick 1.3.27-1 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/53a4d841e90f NOTE: https://sourceforge.net/p/graphicsmagick/bugs/473/ CVE-2017-18229 (An issue was discovered in GraphicsMagick 1.3.26. An allocation failur ...) {DSA-4321-1 DLA-1456-1 DLA-1322-1} - graphicsmagick 1.3.27-1 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/752c0b41fa32 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/461/ CVE-2018-8094 RESERVED CVE-2018-8093 RESERVED CVE-2018-8092 (Mautic before 2.13.0 allows CSV injection. ...) NOT-FOR-US: Mautic CVE-2018-8091 RESERVED CVE-2018-8090 (Quick Heal Total Security 64 bit 17.00 (QHTS64.exe), (QHTSFT64.exe) - ...) NOT-FOR-US: Quick Heal CVE-2018-8089 RESERVED CVE-2018-8088 (org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before ...) - libslf4j-java 1.7.25-3 (bug #893684; unimportant) NOTE: slf4j-ext module is not built by default NOTE: https://github.com/qos-ch/slf4j/commit/d2b27fba88e983f921558da27fc29b5f5d269405 NOTE: https://jira.qos.ch/browse/SLF4J-430 NOTE: https://jira.qos.ch/browse/SLF4J-431 CVE-2018-8087 (Memory leak in the hwsim_new_radio_nl function in drivers/net/wireless ...) {DSA-4188-1} - linux 4.15.11-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/0ddcff49b672239dda94d70d0fcf50317a9f4b51 CVE-2018-8086 REJECTED CVE-2018-8085 RESERVED CVE-2018-1000097 (Sharutils sharutils (unshar command) version 4.15.2 contains a Buffer ...) {DSA-4167-1} - sharutils 1:4.15.2-3 (bug #893525) [wheezy] - sharutils (Vulnerable code not present) NOTE: http://seclists.org/bugtraq/2018/Feb/54 CVE-2018-1000096 (brianleroux tiny-json-http version all versions since commit 9b8e74a23 ...) NOT-FOR-US: tiny-json-http CVE-2018-1000095 (oVirt version 4.2.0 to 4.2.2 contains a Cross Site Scripting (XSS) vul ...) NOT-FOR-US: ovirt-engine CVE-2018-1000094 (CMS Made Simple version 2.2.5 contains a Remote Code Execution vulnera ...) NOT-FOR-US: CMS Made Simple CVE-2017-18228 (Remedy Mid Tier in BMC Remedy AR System 9.1 allows XSS via the ATTKey ...) NOT-FOR-US: Remedy Mid Tier in BMC Remedy AR System CVE-2018-8084 RESERVED CVE-2018-8083 RESERVED CVE-2018-8082 RESERVED CVE-2018-8081 RESERVED CVE-2018-8080 RESERVED CVE-2018-8079 RESERVED CVE-2018-8078 (YzmCMS 3.7 has Stored XSS via the title parameter to advertisement/adv ...) NOT-FOR-US: YzmCMS CVE-2018-8077 RESERVED CVE-2018-8076 (ZenMate 1.5.4 for macOS suffers from a type confusion vulnerability wi ...) NOT-FOR-US: ZenMate CVE-2018-8075 RESERVED CVE-2018-8074 (Yii 2.x before 2.0.15 allows remote attackers to inject unintended sea ...) - yii (bug #597899) CVE-2018-8073 (Yii 2.x before 2.0.15 allows remote attackers to execute arbitrary LUA ...) - yii (bug #597899) CVE-2018-8072 (An issue was discovered on EDIMAX IC-3140W through 3.06, IC-5150W thro ...) NOT-FOR-US: EDIMAX CVE-2018-8071 (Mautic before v2.13.0 has stored XSS via a theme config file. ...) NOT-FOR-US: Mautic CVE-2018-8070 (QCMS version 3.0 has XSS via the title parameter to the /guest/index.h ...) NOT-FOR-US: QCMS CVE-2018-8069 (QCMS version 3.0 has XSS via the webname parameter to the /backend/sys ...) NOT-FOR-US: QCMS CVE-2018-8068 RESERVED CVE-2018-8067 RESERVED CVE-2018-8066 RESERVED CVE-2018-8065 (An issue was discovered in the web server in Flexense SyncBreeze Enter ...) NOT-FOR-US: Flexense SyncBreeze Enterprise CVE-2017-18227 (TitanHQ WebTitan Gateway has incorrect certificate validation for the ...) NOT-FOR-US: TitanHQ WebTitan Gateway CVE-2017-18226 (The Gentoo net-im/jabberd2 package through 2.6.1 sets the ownership of ...) - jabberd2 (low; bug #902783) [buster] - jabberd2 (Minor issue, default init system not affected) [stretch] - jabberd2 (Minor issue, default init system not affected) NOTE: https://bugs.gentoo.org/631068 CVE-2017-18225 (The Gentoo net-im/jabberd2 package through 2.6.1 installs jabberd, jab ...) - jabberd2 (Installed with correct permissions in Debian) NOTE: https://bugs.gentoo.org/629412 CVE-2017-18224 (In the Linux kernel before 4.15, fs/ocfs2/aops.c omits use of a semaph ...) {DSA-4188-1} - linux 4.15.4-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/3e4c56d41eef5595035872a2ec5a483f42e8917f CVE-2018-8064 RESERVED CVE-2018-8063 RESERVED CVE-2018-8062 RESERVED CVE-2018-8061 (HWiNFO AMD64 Kernel driver version 8.98 and lower allows an unprivileg ...) NOT-FOR-US: HWiNFO AMD64 Kernel driver CVE-2018-8060 (HWiNFO AMD64 Kernel driver version 8.98 and lower allows an unprivileg ...) NOT-FOR-US: HWiNFO AMD64 Kernel driver CVE-2018-8059 (The Djelibeybi configuration examples for use of NGINX in SUSE Portus ...) NOT-FOR-US: Portus CVE-2018-8058 (CMS Made Simple (CMSMS) 2.2.6 has XSS in admin/moduleinterface.php via ...) NOT-FOR-US: CMS Made Simple CVE-2018-8057 (A SQL Injection vulnerability exists in Western Bridge Cobub Razor 0.8 ...) NOT-FOR-US: Western Bridge Cobub Razor CVE-2018-8056 (Physical path Leakage exists in Western Bridge Cobub Razor 0.8.0 via a ...) NOT-FOR-US: Western Bridge Cobub Razor CVE-2018-8055 RESERVED CVE-2018-8054 RESERVED CVE-2018-8053 RESERVED CVE-2018-8052 RESERVED CVE-2018-8051 RESERVED CVE-2018-8050 (The af_get_page() function in lib/afflib_pages.cpp in AFFLIB (aka AFFL ...) - afflib 3.7.16-3 (unimportant; bug #892599) NOTE: https://github.com/sshock/AFFLIBv3/commit/435a2ca802358a3debb6d164d2c33049131df81c NOTE: Negligible security impact CVE-2018-8049 (The Stealth endpoint in Unisys Stealth SVG 2.8.x, 3.0.x before 3.0.199 ...) NOT-FOR-US: Unisys Stealth SVG CVE-2018-8048 (In the Loofah gem through 2.2.0 for Ruby, non-whitelisted HTML attribu ...) {DSA-4171-1} - ruby-loofah 2.2.1-1 (bug #893596) NOTE: https://github.com/flavorjones/loofah/issues/144 NOTE: https://github.com/flavorjones/loofah/commit/4a08c25a603654f2fc505a7d2bf0c35a39870ad7 NOTE: https://github.com/flavorjones/loofah/commit/56e95a6696b1e17a242eb8ebbbab64d613c4f1fe CVE-2018-8047 (vtiger CRM 7.0.1 is affected by one reflected Cross-Site Scripting (XS ...) NOT-FOR-US: vtiger CRM CVE-2018-8046 (The getTip() method of Action Columns of Sencha Ext JS 4 to 6 before 6 ...) NOT-FOR-US: Sencha CVE-2018-8045 (In Joomla! 3.5.0 through 3.8.5, the lack of type casting of a variable ...) NOT-FOR-US: Joomla! CVE-2018-8044 RESERVED CVE-2017-18223 (BMC Remedy AR System before 9.1 SP3, when Remedy AR Authentication is ...) NOT-FOR-US: BMC Remedy AR System CVE-2018-8043 (The unimac_mdio_probe function in drivers/net/phy/mdio-bcm-unimac.c in ...) - linux (unimportant) [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/297a6961ffb8ff4dc66c9fbf53b924bd1dda05d5 NOTE: Negligible security impact, only enabled on armhf CVE-2018-8042 (Apache Ambari, version 2.5.0 to 2.6.2, passwords for Hadoop credential ...) NOT-FOR-US: Apache Ambari CVE-2018-8041 (Apache Camel's Mail 2.20.0 through 2.20.3, 2.21.0 through 2.21.1 and 2 ...) NOT-FOR-US: Apache Camel Mail component CVE-2018-8040 (Pages that are rendered using the ESI plugin can have access to the co ...) {DSA-4282-1} - trafficserver 7.1.4+ds-1 NOTE: http://www.openwall.com/lists/oss-security/2018/08/29/2 NOTE: https://github.com/apache/trafficserver/pull/3926 NOTE: https://github.com/apache/trafficserver/commit/cea07c03274807c1588dbdf03baa1537d958c92f CVE-2018-8039 (It is possible to configure Apache CXF to use the com.sun.net.ssl impl ...) NOT-FOR-US: Apache CXF CVE-2018-8038 (Versions of Apache CXF Fediz prior to 1.4.4 do not fully disable Docum ...) NOT-FOR-US: Apache CXF CVE-2018-8037 (If an async request was completed by the application at the same time ...) {DSA-4281-1} - tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.5.32-1 [jessie] - tomcat8 (vulnerable code only present in 8.5.5 to 8.5.31 in 8.x series) - tomcat8.0 (Vulnerable code only present in 8.5.5 to 8.5.31 in 8.x series) NOTE: https://svn.apache.org/r1833906 (9.0.x) NOTE: https://svn.apache.org/r1833907 (8.5.x) CVE-2018-8036 (In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully c ...) - libpdfbox-java 1:1.8.15-1 (low; bug #902776) - libpdfbox2-java 2.0.11-1 (low) [stretch] - libpdfbox-java (Minor issue) [jessie] - libpdfbox-java (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2018/06/29/2 CVE-2018-8035 (This vulnerability relates to the user's browser processing of DUCC we ...) NOT-FOR-US: UIMA DUCC (subproject of Apache UIMA) NOTE: https://uima.apache.org/security_report#CVE-2018-8035 CVE-2018-8034 (The host name verification when using TLS with the WebSocket client wa ...) {DSA-4281-1 DLA-1491-1 DLA-1453-1} - tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.5.32-1 - tomcat8.0 (unimportant) NOTE: tomcat8.0 builds only tomcat8.0-user and libtomcat8.0-java - tomcat7 7.0.72-3 NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API NOTE: https://svn.apache.org/r1833757 (9.0.x) NOTE: https://svn.apache.org/r1833758 (8.5.x) NOTE: https://svn.apache.org/r1833759 (8.0.x) NOTE: https://svn.apache.org/r1833760 (7.0.x) CVE-2018-8033 (In Apache OFBiz 16.11.01 to 16.11.04, the OFBiz HTTP engine (org.apach ...) NOT-FOR-US: Apache OFBiz CVE-2018-8032 (Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site ...) - axis 1.4-28 (bug #905328) [stretch] - axis (Minor issue) [jessie] - axis (Minor issue) NOTE: https://issues.apache.org/jira/browse/AXIS-2924 NOTE: https://svn.apache.org/r1831943 CVE-2018-8031 (The Apache TomEE console (tomee-webapp) has a XSS vulnerability which ...) NOT-FOR-US: Apache TomEE CVE-2018-8030 (A Denial of Service vulnerability was found in Apache Qpid Broker-J ve ...) - qpid-java (bug #840131) CVE-2018-8029 (In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2 ...) - hadoop (bug #793644) CVE-2018-8028 (An authenticated user can execute ALTER TABLE EXCHANGE PARTITIONS with ...) NOT-FOR-US: Apache Sentry CVE-2018-8027 (Apache Camel 2.20.0 to 2.20.3 and 2.21.0 Core is vulnerable to XXE in ...) NOT-FOR-US: Apache Camel CVE-2018-8026 (This vulnerability in Apache Solr 6.0.0 to 6.6.4 and 7.0.0 to 7.3.1 re ...) - lucene-solr (Do not allow to upload configsets via the API) NOTE: Versions 5.x and earlier are not affected by the vulnerability, since NOTE: those versions do not allow to upload configsets via the API. NOTE: https://issues.apache.org/jira/browse/SOLR-12450 CVE-2018-8025 (CVE-2018-8025 describes an issue in Apache HBase that affects the opti ...) NOT-FOR-US: Apache HBase CVE-2018-8024 (In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possib ...) - apache-spark (bug #802194) CVE-2018-8023 (Apache Mesos can be configured to require authentication to call the E ...) - apache-mesos (bug #760315) CVE-2018-8022 (A carefully crafted invalid TLS handshake can cause Apache Traffic Ser ...) - trafficserver 7.0.0-1 NOTE: http://www.openwall.com/lists/oss-security/2018/08/29/1 NOTE: Only affects 6.x, marking 7.0 as the fixed version NOTE: https://github.com/apache/trafficserver/pull/2147 CVE-2018-8021 (Versions of Superset prior to 0.23 used an unsafe load method from the ...) NOT-FOR-US: Apache Superset CVE-2018-8020 (Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 has a flaw t ...) {DLA-1475-1} - tomcat-native 1.2.17-1 [stretch] - tomcat-native 1.2.12-2+deb9u2 NOTE: https://svn.apache.org/r1832863 CVE-2018-8019 (When using an OCSP responder Apache Tomcat Native 1.2.0 to 1.2.16 and ...) {DLA-1475-1} - tomcat-native 1.2.17-1 [stretch] - tomcat-native 1.2.12-2+deb9u2 NOTE: https://svn.apache.org/r1832832 CVE-2018-8018 (In Apache Ignite before 2.4.8 and 2.5.x before 2.5.3, the serializatio ...) NOT-FOR-US: Apache Ignite CVE-2018-8017 (In Apache Tika 1.2 to 1.18, a carefully crafted file can trigger an in ...) - tika 1.20-1 (bug #914643) [jessie] - tika (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2018/09/19/6 CVE-2018-8016 (The default configuration in Apache Cassandra 3.8 through 3.11.1 binds ...) - cassandra (bug #585905) CVE-2018-8015 (In Apache ORC 1.0.0 to 1.4.3 a malformed ORC file can trigger an endle ...) NOT-FOR-US: Apache ORC CVE-2018-8014 (The defaults settings for the CORS filter provided in Apache Tomcat 9. ...) {DSA-4596-1 DLA-1883-1 DLA-1400-1} - tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.5.32-1 (bug #898935) - tomcat8.0 (unimportant) NOTE: tomcat8.0 builds only tomcat8.0-user and libtomcat8.0-java - tomcat7 7.0.72-3 [wheezy] - tomcat7 (vulnerable code not present) NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API NOTE: https://svn.apache.org/r1831728 (8.5.x) NOTE: https://svn.apache.org/r1831729 (8.0.x) NOTE: https://svn.apache.org/r1831730 (7.0.x) NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=62343 NOTE: It is expected that users of the CORS filter will have configured it appropriately NOTE: for their einvironment rather than using it in the default configuration CVE-2018-8013 (In Apache Batik 1.x before 1.10, when deserializing subclass of `Abstr ...) {DSA-4215-1 DLA-1385-1} - batik 1.10-1 (bug #899374) NOTE: https://issues.apache.org/jira/browse/BATIK-1222 NOTE: https://svn.apache.org/r1831241 NOTE: https://marc.info/?l=oss-security&m=152707788503264&w=2 CVE-2018-8012 (No authentication/authorization is enforced when a server attempts to ...) {DSA-4214-1} - zookeeper 3.4.10-2 (bug #899332) [wheezy] - zookeeper (changes are too intrusive to backport) NOTE: https://issues.apache.org/jira/browse/ZOOKEEPER-1045 NOTE: http://www.openwall.com/lists/oss-security/2018/05/21/6 NOTE: https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication NOTE: https://issues.apache.org/jira/secure/attachment/12840904/ZOOKEEPER-1045-br-3-4.patch CVE-2018-8011 (By specially crafting HTTP requests, the mod_md challenge handler woul ...) - apache2 2.4.34-1 (bug #904107) [stretch] - apache2 (Vulnerable code not present; mod_md module) [jessie] - apache2 (Vulnerable code not present; mod_md module) NOTE: http://www.openwall.com/lists/oss-security/2018/07/18/2 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-8011 CVE-2018-8010 (This vulnerability in Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0 relat ...) - lucene-solr (Do not allow to upload configsets via the API) NOTE: Versions 5.x and earlier are not affected by the vulnerability, since NOTE: those versions do not allow to upload configsets via the API. NOTE: https://issues.apache.org/jira/browse/SOLR-12316 CVE-2018-8009 (Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2. ...) - hadoop (bug #793644) CVE-2018-8008 (Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version ...) NOT-FOR-US: Apache Storm CVE-2018-8007 (Apache CouchDB administrative users can configure the database server ...) - couchdb NOTE: https://blog.couchdb.org/2018/07/10/cve-2018-8007/ CVE-2018-8006 (An instance of a cross-site scripting vulnerability was identified to ...) - activemq 5.15.6-1 (unimportant) NOTE: https://issues.apache.org/jira/browse/AMQ-6954 NOTE: https://git-wip-us.apache.org/repos/asf?p=activemq.git;h=d25de5d NOTE: https://git-wip-us.apache.org/repos/asf?p=activemq.git;h=d8c80a9 NOTE: Admin console not enabled in the Debian package, see #702670) NOTE: Fixed in 5.15.6, 5.16.0 CVE-2018-8005 (When there are multiple ranges in a range request, Apache Traffic Serv ...) {DSA-4282-1} - trafficserver 7.1.4+ds-1 NOTE: http://www.openwall.com/lists/oss-security/2018/08/29/4 NOTE: https://github.com/apache/trafficserver/pull/3106 NOTE: https://github.com/apache/trafficserver/pull/3124 NOTE: https://github.com/apache/trafficserver/commit/bbcbb7cf7f25ebfe3a97d792e889de618e41a6a4 CVE-2018-8004 (There are multiple HTTP smuggling and cache poisoning issues when clie ...) {DSA-4282-1} - trafficserver 7.1.4+ds-1 NOTE: http://www.openwall.com/lists/oss-security/2018/08/29/5 NOTE: https://github.com/apache/trafficserver/pull/3192 NOTE: https://github.com/apache/trafficserver/pull/3201 NOTE: https://github.com/apache/trafficserver/pull/3231 NOTE: https://github.com/apache/trafficserver/pull/3251 NOTE: https://github.com/apache/trafficserver/commit/05d734c773900dd589480ff07572c0d7db7c3d44 NOTE: https://github.com/apache/trafficserver/commit/9659d12a21cf1870c2790fdd5acab712ed87f16e NOTE: https://github.com/apache/trafficserver/commit/2616e580de7d66b9098c464d503a049c7814e35a NOTE: https://github.com/apache/trafficserver/commit/3d2fdab8b0606bc8b35006f7aeb73729d364b333 CVE-2018-8003 (Apache Ambari, versions 1.4.0 to 2.6.1, is susceptible to a directory ...) NOT-FOR-US: Apache Ambari CVE-2018-8002 (In PoDoFo 0.9.5, there exists an infinite loop vulnerability in PdfPar ...) - libpodofo (low; bug #892557) [buster] - libpodofo (Minor issue) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: PoC https://bugzilla.redhat.com/show_bug.cgi?id=1548930 NOTE: Upstream bug: https://sourceforge.net/p/podofo/tickets/15/ CVE-2018-8001 (In PoDoFo 0.9.5, there exists a heap-based buffer over-read vulnerabil ...) - libpodofo 0.9.6+dfsg-3 (low; bug #892556) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: PoC https://bugzilla.redhat.com/show_bug.cgi?id=1549469 NOTE: Upstream bug: https://sourceforge.net/p/podofo/tickets/14/ NOTE: Upstream commit: http://sourceforge.net/p/podofo/code/1909 CVE-2018-8000 (In PoDoFo 0.9.5, there exists a heap-based buffer overflow vulnerabili ...) NOTE: PoC https://bugzilla.redhat.com/show_bug.cgi?id=1548918 NOTE: Upstream bug: https://sourceforge.net/p/podofo/tickets/13/ NOTE: Upstream tracked this down as a of CVE-2017-5886 CVE-2018-7999 (In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference vulner ...) - graphite2 1.3.11-2 (bug #892590) [stretch] - graphite2 (Minor issue) [jessie] - graphite2 (Minor issue) [wheezy] - graphite2 (Minor issue) NOTE: https://github.com/silnrsi/graphite/commit/db132b4731a9b4c9534144ba3a18e65b390e9ff6 NOTE: https://github.com/silnrsi/graphite/issues/22 CVE-2018-7998 (In libvips before 8.6.3, a NULL function pointer dereference vulnerabi ...) {DLA-1306-1} - vips 8.4.5-2 (low; bug #892589) [stretch] - vips 8.4.5-1+deb9u1 [jessie] - vips (Minor issue) NOTE: https://github.com/jcupitt/libvips/commit/20d840e6da15c1574b3ed998bc92f91d1e36c2a5 NOTE: https://github.com/jcupitt/libvips/issues/893 CVE-2018-7997 (Eramba e1.0.6.033 has Reflected XSS on the Error page of the CSV file ...) NOT-FOR-US: Eramba CVE-2018-7996 (Eramba e1.0.6.033 has Stored XSS on the tooltip box via the /programSc ...) NOT-FOR-US: Eramba CVE-2018-7994 (Some Huawei products IPS Module V500R001C50; NGFW Module V500R001C50; ...) NOT-FOR-US: Huawei CVE-2018-7993 (HUAWEI Mate 10 smartphones with versions earlier than ALP-AL00 8.1.0.3 ...) NOT-FOR-US: Huawei CVE-2018-7992 (Mdapt Driver of Huawei MediaPad M3 BTV-W09C128B353CUSTC128D001; Mate 9 ...) NOT-FOR-US: Huawei CVE-2018-7991 (Huawei smartphones Mate10 with versions earlier before ALP-AL00B 8.0.0 ...) NOT-FOR-US: Huawei CVE-2018-7990 (Mate10 Pro Huawei smart phones with the versions before 8.1.0.326(C00) ...) NOT-FOR-US: Huawei CVE-2018-7989 (Huawei Mate 10 pro smartphones with the versions before BLA-AL00B 8.1. ...) NOT-FOR-US: Huawei CVE-2018-7988 (There is a Factory Reset Protection (FRP) bypass vulnerability on seve ...) NOT-FOR-US: Huawei CVE-2018-7987 (There is an out-of-bounds write vulnerability on Huawei P20 smartphone ...) NOT-FOR-US: Huawei CVE-2018-7986 REJECTED CVE-2018-7985 REJECTED CVE-2018-7984 REJECTED CVE-2018-7983 REJECTED CVE-2018-7982 REJECTED CVE-2018-7981 REJECTED CVE-2018-7980 REJECTED CVE-2018-7979 REJECTED CVE-2018-7978 REJECTED CVE-2018-7977 (There is an information leakage vulnerability on several Huawei produc ...) NOT-FOR-US: Huawei CVE-2018-7976 (There is a stored cross-site scripting (XSS) vulnerability in Huawei e ...) NOT-FOR-US: Huawei CVE-2018-7975 REJECTED CVE-2018-7974 REJECTED CVE-2018-7973 REJECTED CVE-2018-7972 REJECTED CVE-2018-7971 REJECTED CVE-2018-7970 REJECTED CVE-2018-7969 REJECTED CVE-2018-7968 REJECTED CVE-2018-7967 REJECTED CVE-2018-7966 REJECTED CVE-2018-7965 REJECTED CVE-2018-7964 REJECTED CVE-2018-7963 REJECTED CVE-2018-7962 RESERVED CVE-2018-7961 (There is a smart SMS verification code vulnerability in some Huawei sm ...) NOT-FOR-US: Huawei CVE-2018-7960 (There is a SRTP icon display vulnerability in Huawei eSpace product. A ...) NOT-FOR-US: Huawei CVE-2018-7959 (There is a short key vulnerability in Huawei eSpace product. An unauth ...) NOT-FOR-US: Huawei CVE-2018-7958 (There is an anonymous TLS cipher suites supported vulnerability in Hua ...) NOT-FOR-US: Huawei CVE-2018-7957 (Huawei smartphones with software Victoria-AL00 8.0.0.336a(C00) have an ...) NOT-FOR-US: Huawei CVE-2018-7956 (Huawei VIP App is a mobile app for Malaysia customers that purchased P ...) NOT-FOR-US: Huawei CVE-2018-7955 REJECTED CVE-2018-7954 RESERVED CVE-2018-7953 RESERVED CVE-2018-7952 RESERVED CVE-2018-7951 (The iBMC (Intelligent Baseboard Management Controller) of some Huawei ...) NOT-FOR-US: Huawei CVE-2018-7950 (The iBMC (Intelligent Baseboard Management Controller) of some Huawei ...) NOT-FOR-US: Huawei CVE-2018-7949 (The iBMC (Intelligent Baseboard Management Controller) of some Huawei ...) NOT-FOR-US: Huawei CVE-2018-7948 REJECTED CVE-2018-7947 (Huawei mobile phones with versions earlier before Emily-AL00A 8.1.0.15 ...) NOT-FOR-US: Huawei CVE-2018-7946 (There is an information leak vulnerability in some Huawei smartphones. ...) NOT-FOR-US: Huawei CVE-2018-7945 REJECTED CVE-2018-7944 (Huawei smart phones Emily-AL00A with software 8.1.0.106(SP2C00) and 8. ...) NOT-FOR-US: Huawei CVE-2018-7943 (There is an authentication bypass vulnerability in some Huawei servers ...) NOT-FOR-US: Huawei CVE-2018-7942 (The iBMC (Intelligent Baseboard Management Controller) of some Huawei ...) NOT-FOR-US: Huawei CVE-2018-7941 (Huawei iBMC V200R002C60 have an authentication bypass vulnerability. A ...) NOT-FOR-US: Huawei CVE-2018-7940 (Huawei smart phones Mate 10 and Mate 10 Pro with earlier versions than ...) NOT-FOR-US: Huawei CVE-2018-7939 (Huawei smart phones G9 Lite, Honor 5A, Honor 6X, Honor 8 with the vers ...) NOT-FOR-US: Huawei CVE-2018-7938 (P10 Huawei smartphones with the versions before Victoria-AL00AC00B217 ...) NOT-FOR-US: Huawei CVE-2018-7937 (In Huawei HiRouter-CD20-10 with the versions before 1.9.6 and WS5200-1 ...) NOT-FOR-US: Huawei CVE-2018-7936 (Mate 10 Pro Huawei smart phones with the versions before BLA-L29 8.0.0 ...) NOT-FOR-US: Huawei CVE-2018-7935 RESERVED CVE-2018-7934 (Some Huawei mobile phone with the versions before BLA-L29 8.0.0.145(C4 ...) NOT-FOR-US: Huawei CVE-2018-7933 (Huawei home gateway products HiRouter-CD20 and WS5200 with the version ...) NOT-FOR-US: Huawei CVE-2018-7932 (Huawei AppGallery versions before 8.0.4.301 has an arbitrary Javascrip ...) NOT-FOR-US: Huawei CVE-2018-7931 (Huawei AppGallery versions before 8.0.4.301 has a whitelist mechanism ...) NOT-FOR-US: Huawei CVE-2018-7930 (The Near Field Communication (NFC) module in Mate 9 Huawei mobile phon ...) NOT-FOR-US: Mate 9 Huawei mobile phones CVE-2018-7929 (Huawei Mate RS smartphones with the versions before NEO-AL00D 8.1.0.16 ...) NOT-FOR-US: Huawei CVE-2018-7928 (There is a security vulnerability which could lead to Factory Reset Pr ...) NOT-FOR-US: Huawei CVE-2018-7927 REJECTED CVE-2018-7926 (Huawei Watch 2 with versions and earlier than OWDD.180707.001.E1 have ...) NOT-FOR-US: Huawei CVE-2018-7925 (The radio module of some Huawei smartphones Emily-AL00A The versions b ...) NOT-FOR-US: Huawei CVE-2018-7924 (Anne-AL00 Huawei phones with versions earlier than 8.0.0.151(C00) have ...) NOT-FOR-US: Huawei CVE-2018-7923 (Huawei ALP-L09 smart phones with versions earlier than ALP-L09 8.0.0.1 ...) NOT-FOR-US: Huawei CVE-2018-7922 (Huawei ALP-L09 smart phones with versions earlier than ALP-L09 8.0.0.1 ...) NOT-FOR-US: Huawei CVE-2018-7921 (Huawei B315s-22 products with software of 21.318.01.00.26 have an info ...) NOT-FOR-US: Huawei CVE-2018-7920 (Huawei AR1200 V200R006C10SPC300, AR160 V200R006C10SPC300, AR200 V200R0 ...) NOT-FOR-US: Huawei CVE-2018-7919 RESERVED CVE-2018-7918 RESERVED CVE-2018-7917 RESERVED CVE-2018-7916 REJECTED CVE-2018-7915 REJECTED CVE-2018-7914 REJECTED CVE-2018-7913 REJECTED CVE-2018-7912 REJECTED CVE-2018-7911 (Some Huawei smart phones ALP-AL00B 8.0.0.106(C00), 8.0.0.113(SP2C00), ...) NOT-FOR-US: Huawei CVE-2018-7910 (Some Huawei smartphones ALP-AL00B 8.0.0.118D(C00), ALP-TL00B 8.0.0.118 ...) NOT-FOR-US: Huawei CVE-2018-7909 REJECTED CVE-2018-7908 REJECTED CVE-2018-7907 (Some Huawei products Agassi-L09 AGS-L09C100B257CUSTC100D001, AGS-L09C1 ...) NOT-FOR-US: Huawei CVE-2018-7906 (Some Huawei smart phones with software of Leland-AL00 8.0.0.114(C636), ...) NOT-FOR-US: Huawei CVE-2018-7905 REJECTED CVE-2018-7904 (Huawei 1288H V5 and 288H V5 with software of V100R005C00 have a JSON i ...) NOT-FOR-US: Huawei CVE-2018-7903 (Huawei 1288H V5 and 288H V5 with software of V100R005C00 have a JSON i ...) NOT-FOR-US: Huawei CVE-2018-7902 (Huawei 1288H V5 and 288H V5 with software of V100R005C00 have a JSON i ...) NOT-FOR-US: Huawei CVE-2018-7901 (RCS module in Huawei ALP-AL00B smart phones with software versions ear ...) NOT-FOR-US: Huawei CVE-2018-7900 (There is an information leak vulnerability in some Huawei HG products. ...) NOT-FOR-US: Huawei CVE-2018-7899 (The Mali Driver of Huawei Berkeley-AL20 and Berkeley-BD smart phones w ...) NOT-FOR-US: Mali Driver of Huawei Berkeley-AL20 and Berkeley-BD smart phones CVE-2018-7898 RESERVED CVE-2018-7897 RESERVED CVE-2018-7896 RESERVED CVE-2018-7895 RESERVED CVE-2018-7894 (Eramba e1.0.6.033 has Reflected XSS in reviews/filterIndex/ThirdPartyR ...) NOT-FOR-US: Eramba CVE-2018-7893 (CMS Made Simple (CMSMS) 2.2.6 has stored XSS in admin/moduleinterface. ...) NOT-FOR-US: CMS Made Simple CVE-2018-7892 RESERVED CVE-2018-7891 (The Milestone XProtect Video Management Software (Corporate, Expert, P ...) NOT-FOR-US: Milestone XProtect Video Management Software CVE-2018-7995 (** DISPUTED ** Race condition in the store_int_with_restart() function ...) {DSA-4188-1 DSA-4187-1 DLA-1369-1} - linux 4.15.11-1 NOTE: https://lkml.org/lkml/2018/3/2/970 CVE-2018-7890 (A remote code execution issue was discovered in Zoho ManageEngine Appl ...) NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2018-7889 (gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on i ...) - calibre 3.19.0+dfsg-1 (bug #892242) [stretch] - calibre (Minor issue) [jessie] - calibre (Minor issue) [wheezy] - calibre (Minor issue) NOTE: https://bugs.launchpad.net/calibre/+bug/1753870 NOTE: deserialization fix https://github.com/kovidgoyal/calibre/commit/aeb5b036a0bf657951756688b3c72bd68b6e4a7d NOTE: insufficient as import also loads configuration files, which are python executables, NOTE: see https://lists.debian.org/87muy0usv1.fsf@curie.anarc.at NOTE: The CVE assignment is specific to the issue fixed by upstream commit NOTE: aeb5b036a0bf657951756688b3c72bd68b6e4a7d. CVE-2018-1000122 (A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 ...) {DSA-4136-1 DLA-1309-1} - curl 7.60.0-1 (bug #893546) NOTE: https://curl.haxx.se/docs/adv_2018-b047.html NOTE: https://curl.haxx.se/CVE-2018-1000122.patch CVE-2018-1000121 (A NULL pointer dereference exists in curl 7.21.0 to and including curl ...) {DSA-4136-1 DLA-1309-1} - curl 7.60.0-1 (bug #893546) NOTE: https://curl.haxx.se/docs/adv_2018-97a2.html NOTE: https://curl.haxx.se/CVE-2018-1000121.patch CVE-2018-1000120 (A buffer overflow exists in curl 7.12.3 to and including curl 7.58.0 i ...) {DSA-4136-1 DLA-1309-1} - curl 7.60.0-1 (bug #893546) NOTE: https://curl.haxx.se/docs/adv_2018-9cd6.html NOTE: https://curl.haxx.se/CVE-2018-1000120.patch CVE-2018-7888 RESERVED CVE-2018-7887 RESERVED CVE-2018-7886 (An issue was discovered in CloudMe 1.11.0. An unauthenticated local at ...) NOT-FOR-US: CloudMe CVE-2018-7885 RESERVED CVE-2018-7884 (An issue was discovered in DisplayLink Core Software Cleaner Applicati ...) NOT-FOR-US: DisplayLink Core Software Cleaner Application CVE-2018-7883 RESERVED CVE-2018-7882 RESERVED CVE-2018-7881 RESERVED CVE-2018-7880 RESERVED CVE-2018-7879 RESERVED CVE-2018-7878 RESERVED CVE-2018-7877 (There is a heap-based buffer overflow in the getString function of uti ...) - ming [wheezy] - ming 1:0.4.4-1.1+deb7u8 NOTE: https://github.com/libming/libming/issues/110 CVE-2018-7876 (In libming 0.4.8, a memory exhaustion vulnerability was found in the f ...) {DLA-1386-1} - ming NOTE: https://github.com/libming/libming/issues/109 CVE-2018-7875 (There is a heap-based buffer over-read in the getString function of ut ...) {DLA-1343-1} - ming NOTE: https://github.com/libming/libming/issues/112 CVE-2018-7874 (An invalid memory address dereference was discovered in strlenext in u ...) - ming [wheezy] - ming 1:0.4.4-1.1+deb7u8 NOTE: https://github.com/libming/libming/issues/115 CVE-2018-7873 (There is a heap-based buffer overflow in the getString function of uti ...) {DLA-1386-1} - ming NOTE: https://github.com/libming/libming/issues/111 CVE-2018-7872 (An invalid memory address dereference was discovered in the function g ...) {DLA-1343-1} - ming NOTE: https://github.com/libming/libming/issues/114 CVE-2018-7871 (There is a heap-based buffer over-read in the getName function of util ...) {DLA-1343-1} - ming NOTE: https://github.com/libming/libming/issues/120 CVE-2018-7870 (An invalid memory address dereference was discovered in getString in u ...) {DLA-1343-1} - ming NOTE: https://github.com/libming/libming/issues/117 CVE-2018-7869 (There is a memory leak triggered in the function dcinit of util/decomp ...) - ming [wheezy] - ming (Minor issue present everywhere in the source code, hard to fix) NOTE: https://github.com/libming/libming/issues/119 CVE-2018-7868 (There is a heap-based buffer over-read in the getName function of util ...) {DLA-1343-1} - ming NOTE: https://github.com/libming/libming/issues/113 CVE-2018-7867 (There is a heap-based buffer overflow in the getString function of uti ...) {DLA-1343-1} - ming NOTE: https://github.com/libming/libming/issues/116 CVE-2018-7866 (A NULL pointer dereference was discovered in newVar3 in util/decompile ...) {DLA-1386-1} - ming NOTE: https://github.com/libming/libming/issues/118 CVE-2018-7865 REJECTED CVE-2018-7864 REJECTED CVE-2018-7863 REJECTED CVE-2018-7862 REJECTED CVE-2018-7861 REJECTED CVE-2018-7860 RESERVED CVE-2018-7859 (A security vulnerability in D-Link DGS-1510-series switches with firmw ...) NOT-FOR-US: D-Link CVE-2018-7858 (Quick Emulator (aka QEMU), when built with the Cirrus CLGD 54xx VGA Em ...) - qemu 1:2.12~rc3+dfsg-1 (bug #892497) [stretch] - qemu (Vulnerable code not present) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code not present) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2018-03/msg02174.html CVE-2018-7857 (A CWE-248: Uncaught Exception vulnerability exists in all versions of ...) NOT-FOR-US: Schneider Electric CVE-2018-7856 (A CWE-248: Uncaught Exception vulnerability exists in all versions of ...) NOT-FOR-US: Schneider Electric CVE-2018-7855 (A CWE-248 Uncaught Exception vulnerability exists in all versions of t ...) NOT-FOR-US: Schneider Electric CVE-2018-7854 (A CWE-248 Uncaught Exception vulnerability exists in all versions of t ...) NOT-FOR-US: Schneider Electric CVE-2018-7853 (A CWE-248: Uncaught Exception vulnerability exists in all versions of ...) NOT-FOR-US: Schneider Electric CVE-2018-7852 (A CWE-248: Uncaught Exception vulnerability exists in all versions of ...) NOT-FOR-US: Schneider Electric CVE-2018-7851 (CWE-119: Buffer errors vulnerability exists in Modicon M580 with firmw ...) NOT-FOR-US: Schneider Electric CVE-2018-7850 (A CWE-807: Reliance on Untrusted Inputs in a Security Decision vulnera ...) NOT-FOR-US: Schneider Electric CVE-2018-7849 (A CWE-248: Uncaught Exception vulnerability exists in all versions of ...) NOT-FOR-US: Schneider Electric CVE-2018-7848 (A CWE-200: Information Exposure vulnerability exists in all versions o ...) NOT-FOR-US: Schneider Electric CVE-2018-7847 (A CWE-284: Improper Access Control vulnerability exists in all version ...) NOT-FOR-US: Schneider Electric CVE-2018-7846 (A CWE-501: Trust Boundary Violation vulnerability on connection to the ...) NOT-FOR-US: Schneider Electric CVE-2018-7845 (A CWE-125: Out-of-bounds Read vulnerability exists in all versions of ...) NOT-FOR-US: Schneider Electric CVE-2018-7844 (A CWE-200: Information Exposure vulnerability exists in all versions o ...) NOT-FOR-US: Schneider Electric CVE-2018-7843 (A CWE-248: Uncaught Exception vulnerability exists in all versions of ...) NOT-FOR-US: Schneider Electric CVE-2018-7842 (A CWE-290: Authentication Bypass by Spoofing vulnerability exists in a ...) NOT-FOR-US: Schneider Electric CVE-2018-7841 (A SQL Injection (CWE-89) vulnerability exists in U.motion Builder soft ...) NOT-FOR-US: Schneider Electric CVE-2018-7840 (A Uncontrolled Search Path Element (CWE-427) vulnerability exists in V ...) NOT-FOR-US: Schneider Electric CVE-2018-7839 (A Cryptographic Issue (CWE-310) vulnerability exists in IIoT Monitor 3 ...) NOT-FOR-US: Schneider CVE-2018-7838 (A CWE-119 Buffer Errors vulnerability exists in Modicon M580 CPU - BME ...) NOT-FOR-US: Modicon CVE-2018-7837 (An Improper Restriction of XML External Entity Reference ('XXE') vulne ...) NOT-FOR-US: IIoT Monitor (Schneider Electric) CVE-2018-7836 (An unrestricted Upload of File with Dangerous Type vulnerability exist ...) NOT-FOR-US: IIoT Monitor (Schneider Electric) CVE-2018-7835 (An Improper Limitation of a Pathname to a Restricted Directory ('Path ...) NOT-FOR-US: IIoT Monitor (Schneider Electric) CVE-2018-7834 (A CWE-79 Cross-Site Scripting vulnerability exists in all versions of ...) NOT-FOR-US: Schneider Electric CVE-2018-7833 (An Improper Check for Unusual or Exceptional Conditions vulnerability ...) NOT-FOR-US: Schneider Electric CVE-2018-7832 (An Improper Input Validation vulnerability exists in Pro-Face GP-Pro E ...) NOT-FOR-US: Schneider Electric CVE-2018-7831 (An Improper Neutralization of Script-Related HTML Tags in a Web Page ( ...) NOT-FOR-US: Modicon (Schneider Electric) CVE-2018-7830 (Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Respo ...) NOT-FOR-US: Modicon (Schneider Electric) CVE-2018-7829 (An Improper Neutralization of Special Elements in Query vulnerability ...) NOT-FOR-US: Schneider Electric CVE-2018-7828 (A Cross-Site Request Forgery (CSRF) vulnerability exists in the 1st Ge ...) NOT-FOR-US: Schneider Electric CVE-2018-7827 (A Cross-Site Scripting (XSS) vulnerability exists in the 1st Gen. Pelc ...) NOT-FOR-US: Schneider Electric CVE-2018-7826 (A Command Injection vulnerability exists in the web-based GUI of the 1 ...) NOT-FOR-US: Schneider Electric CVE-2018-7825 (A Command Injection vulnerability exists in the web-based GUI of the 1 ...) NOT-FOR-US: Schneider Electric CVE-2018-7824 (An Externally Controlled Reference to a Resource (CWE-610) vulnerabili ...) NOT-FOR-US: Schneider Electric CVE-2018-7823 (A Environment (CWE-2) vulnerability exists in SoMachine Basic, all ver ...) NOT-FOR-US: Schneider Electric CVE-2018-7822 (An Incorrect Default Permissions (CWE-276) vulnerability exists in SoM ...) NOT-FOR-US: Schneider Electric CVE-2018-7821 (An Environment (CWE-2) vulnerability exists in SoMachine Basic, all ve ...) NOT-FOR-US: Schneider Electric CVE-2018-7820 (A Credentials Management CWE-255 vulnerability exists in the APC UPS N ...) NOT-FOR-US: APC CVE-2018-7819 RESERVED CVE-2018-7818 RESERVED CVE-2018-7817 (A Use After Free (CWE-416) vulnerability exists in Zelio Soft 2 v5.1 a ...) NOT-FOR-US: Zolio CVE-2018-7816 (A Permissions, Privileges, and Access Control vulnerability exists in ...) NOT-FOR-US: Schneider Electric CVE-2018-7815 (A Type Confusion (CWE-843) vulnerability exists in Eurotherm by Schnei ...) NOT-FOR-US: Schneider Electric CVE-2018-7814 (A Stack-based Buffer Overflow (CWE-121) vulnerability exists in Euroth ...) NOT-FOR-US: Schneider Electric CVE-2018-7813 (A Type Confusion (CWE-843) vulnerability exists in Eurotherm by Schnei ...) NOT-FOR-US: Schneider Electric CVE-2018-7812 (An Information Exposure through Discrepancy vulnerability exists in th ...) NOT-FOR-US: Schneider Electric CVE-2018-7811 (An Unverified Password Change vulnerability exists in the embedded web ...) NOT-FOR-US: Modicon (Schneider Electric) CVE-2018-7810 (An Improper Neutralization of Input During Web Page Generation ('Cross ...) NOT-FOR-US: Modicon (Schneider Electric) CVE-2018-7809 (An Unverified Password Change vulnerability exists in the embedded web ...) NOT-FOR-US: Modicon (Schneider Electric) CVE-2018-7808 RESERVED CVE-2018-7807 (Data Center Expert, versions 7.5.0 and earlier, allows for the upload ...) NOT-FOR-US: Data Center Expert CVE-2018-7806 (Data Center Operation allows for the upload of a zip file from its use ...) NOT-FOR-US: Data Center Operation CVE-2018-7805 RESERVED CVE-2018-7804 (A URL Redirection to Untrusted Site vulnerability exists in the embedd ...) NOT-FOR-US: Schneider Electric CVE-2018-7803 (A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnera ...) NOT-FOR-US: Schneider Electric CVE-2018-7802 (A SQL Injection vulnerability exists in EVLink Parking, v3.2.0-12_v1 a ...) NOT-FOR-US: Schneider Electric CVE-2018-7801 (A Code Injection vulnerability exists in EVLink Parking, v3.2.0-12_v1 ...) NOT-FOR-US: Schneider Electric CVE-2018-7800 (A Hard-coded Credentials vulnerability exists in EVLink Parking, v3.2. ...) NOT-FOR-US: Schneider Electric CVE-2018-7799 (A DLL hijacking vulnerability exists in Schneider Electric Software Up ...) NOT-FOR-US: Schneider Electric CVE-2018-7798 (A Insufficient Verification of Data Authenticity (CWE-345) vulnerabili ...) NOT-FOR-US: Schneider CVE-2018-7797 (A URL redirection vulnerability exists in Power Monitoring Expert, Ene ...) NOT-FOR-US: Schneider Electric CVE-2018-7796 (A Buffer Error vulnerability exists in PowerSuite 2, all released vers ...) NOT-FOR-US: Schneider Electric CVE-2018-7795 (A Cross Protocol Injection vulnerability exists in Schneider Electric' ...) NOT-FOR-US: Schneider CVE-2018-7794 (A CWE-754: Improper Check for Unusual or Exceptional Conditions vulner ...) NOT-FOR-US: Modicon CVE-2018-7793 (A Credential Management vulnerability exists in FoxView HMI SCADA (All ...) NOT-FOR-US: Schneider Electric CVE-2018-7792 (A Permissions, Privileges, and Access Control vulnerability exists in ...) NOT-FOR-US: Schneider CVE-2018-7791 (A Permissions, Privileges, and Access Control vulnerability exists in ...) NOT-FOR-US: Schneider CVE-2018-7790 (An Information Management Error vulnerability exists in Schneider Elec ...) NOT-FOR-US: Schneider CVE-2018-7789 (An Improper Check for Unusual or Exceptional Conditions vulnerability ...) NOT-FOR-US: Schneider CVE-2018-7788 (A CWE-255 Credentials Management vulnerability exists in Modicon Quant ...) NOT-FOR-US: Schneider Electric CVE-2018-7787 (In Schneider Electric U.motion Builder software versions prior to v1.3 ...) NOT-FOR-US: Schneider CVE-2018-7786 (In Schneider Electric U.motion Builder software versions prior to v1.3 ...) NOT-FOR-US: Schneider CVE-2018-7785 (In Schneider Electric U.motion Builder software versions prior to v1.3 ...) NOT-FOR-US: Schneider CVE-2018-7784 (In Schneider Electric U.motion Builder software versions prior to v1.3 ...) NOT-FOR-US: Schneider CVE-2018-7783 (Schneider Electric SoMachine Basic prior to v1.6 SP1 suffers from an X ...) NOT-FOR-US: Schneider CVE-2018-7782 (In Schneider Electric Pelco Sarix Professional 1st generation cameras ...) NOT-FOR-US: Schneider CVE-2018-7781 (In Schneider Electric Pelco Sarix Professional 1st generation cameras ...) NOT-FOR-US: Schneider CVE-2018-7780 (In Schneider Electric Pelco Sarix Professional 1st generation cameras ...) NOT-FOR-US: Schneider CVE-2018-7779 (In Schneider Electric Wiser for KNX V2.1.0 and prior, homeLYnk V2.0.1 ...) NOT-FOR-US: Schneider CVE-2018-7778 (In Schneider Electric Evlink Charging Station versions prior to v3.2.0 ...) NOT-FOR-US: Schneider CVE-2018-7777 (The vulnerability is due to insufficient handling of update_file reque ...) NOT-FOR-US: Schneider CVE-2018-7776 (The vulnerability exists within error.php in Schneider Electric U.moti ...) NOT-FOR-US: Schneider CVE-2018-7775 REJECTED CVE-2018-7774 (The vulnerability exists within processing of localize.php in Schneide ...) NOT-FOR-US: Schneider CVE-2018-7773 (The vulnerability exists within processing of nfcserver.php in Schneid ...) NOT-FOR-US: Schneider CVE-2018-7772 (The vulnerability exists within processing of applets which are expose ...) NOT-FOR-US: Schneider CVE-2018-7771 (The vulnerability exists within processing of editscript.php in Schnei ...) NOT-FOR-US: Schneider CVE-2018-7770 (The vulnerability exists within processing of sendmail.php in Schneide ...) NOT-FOR-US: Schneider CVE-2018-7769 (The vulnerability exists within processing of xmlserver.php in Schneid ...) NOT-FOR-US: Schneider CVE-2018-7768 (The vulnerability exists within processing of loadtemplate.php in Schn ...) NOT-FOR-US: Schneider CVE-2018-7767 (The vulnerability exists within processing of editobject.php in Schnei ...) NOT-FOR-US: Schneider CVE-2018-7766 (The vulnerability exists within processing of track_getdata.php in Sch ...) NOT-FOR-US: Schneider CVE-2018-7765 (The vulnerability exists within processing of track_import_export.php ...) NOT-FOR-US: Schneider CVE-2018-7764 (The vulnerability exists within runscript.php applet in Schneider Elec ...) NOT-FOR-US: Schneider CVE-2018-7763 (The vulnerability exists within css.inc.php in Schneider Electric U.mo ...) NOT-FOR-US: Schneider CVE-2018-7762 (A vulnerability exists in the web services to process SOAP requests in ...) NOT-FOR-US: Schneider CVE-2018-7761 (A vulnerability exists in the HTTP request parser in Schneider Electri ...) NOT-FOR-US: Schneider CVE-2018-7760 (An authorization bypass vulnerability exists in Schneider Electric's M ...) NOT-FOR-US: Schneider CVE-2018-7759 (A buffer overflow vulnerability exists in Schneider Electric's Modicon ...) NOT-FOR-US: Schneider CVE-2018-7758 (A denial of service vulnerability exists in Schneider Electric's MiCOM ...) NOT-FOR-US: Schneider CVE-2018-7757 (Memory leak in the sas_smp_get_phy_events function in drivers/scsi/lib ...) {DSA-4188-1 DSA-4187-1 DLA-1369-1} - linux 4.15.17-1 NOTE: Fixed by: https://git.kernel.org/linus/4a491b1ab11ca0556d2fda1ff1301e862a2d44c4 (4.16-rc1) CVE-2017-18222 (In the Linux kernel before 4.12, Hisilicon Network Subsystem (HNS) doe ...) {DSA-4188-1} - linux 4.15.17-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) CVE-2018-7756 (RunExeFile.exe in the installer for DEWESoft X3 SP1 (64-bit) devices d ...) NOT-FOR-US: RunExeFile.exe in the installer for DEWESoft X3 SP1 devices CVE-2018-7755 (An issue was discovered in the fd_locked_ioctl function in drivers/blo ...) {DSA-4308-1 DLA-1531-1 DLA-1529-1} - linux 4.18.10-1 - linux-4.9 NOTE: https://lkml.org/lkml/2018/5/29/495 CVE-2018-7754 (The aoedisk_debugfs_show function in drivers/block/aoe/aoeblk.c in the ...) - linux 4.15.4-1 [stretch] - linux (debugfs restricted to root by default) [jessie] - linux (debugfs restricted to root by default) NOTE: https://git.kernel.org/linus/ad67b74d2469d9b82aaa572d76474c95bc484d57 CVE-2018-7751 (The svg_probe function in libavformat/img2dec.c in FFmpeg through 3.4. ...) - ffmpeg 7:3.4.3-1 [stretch] - ffmpeg (Vulnerable code not present) - libav (Vulnerable code not present) NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/a6cba062051f345e8ebfdff34aba071ed73d923f CVE-2018-7750 (transport.py in the SSH server implementation of Paramiko before 1.17. ...) {DLA-1556-1} - paramiko 2.4.2-0.1 (bug #892859) [stretch] - paramiko (Minor issue) [wheezy] - paramiko (Minor issue) NOTE: https://github.com/paramiko/paramiko/issues/1175 NOTE: https://github.com/paramiko/paramiko/commit/fa29bd8446c8eab237f5187d28787727b4610516 CVE-2018-7749 (The SSH server implementation of AsyncSSH before 1.12.1 does not prope ...) - python-asyncssh 1.12.1-1 (bug #892787) NOTE: https://github.com/ronf/asyncssh/commit/16e6ebfa893167c7d9d3f6dc7a2c0d197e47f43a CVE-2018-7748 (report_viewer.do in ServiceNow Release Jakarta Patch 8 and earlier all ...) NOT-FOR-US: ServiceNow CVE-2018-7747 (Multiple cross-site scripting (XSS) vulnerabilities in the Caldera For ...) NOT-FOR-US: Caldera Forms plugin for WordPress CVE-2018-7746 (An issue was discovered in Western Bridge Cobub Razor 0.7.2. Authentic ...) NOT-FOR-US: Western Bridge Cobub Razor CVE-2018-7745 (An issue was discovered in Western Bridge Cobub Razor 0.7.2. Authentic ...) NOT-FOR-US: Western Bridge Cobub Razor CVE-2018-7744 RESERVED CVE-2018-7743 RESERVED CVE-2018-7742 RESERVED CVE-2018-7741 (Eramba e1.0.6.033 has Reflected XSS in the Date Filter via the created ...) NOT-FOR-US: Eramba CVE-2018-1000118 (Github Electron version Electron 1.8.2-beta.4 and earlier contains a C ...) - electron (bug #842420) CVE-2018-1000116 (NET-SNMP version 5.7.2 contains a heap corruption vulnerability in the ...) {DSA-4154-1 DLA-1317-1} - net-snmp 5.7.3+dfsg-1.1 (bug #894110) NOTE: https://sourceforge.net/p/net-snmp/bugs/2821/ NOTE: https://sourceforge.net/p/net-snmp/code/ci/f23bcd3ac6ddee5d0a48f9703007ccc738914791/ NOTE: Same patch/commit as #788964 (as used for fixing CVE-2015-5621) NOTE: adresses CVE-2018-1000116 as well. CVE-2018-7753 (An issue was discovered in Bleach 2.1.x before 2.1.3. Attributes that ...) - python-bleach 2.1.3-1 (bug #892252) [stretch] - python-bleach (Vulnerable code introduced later) [jessie] - python-bleach (Vulnerable code introduced later) NOTE: https://github.com/mozilla/bleach/pull/356 NOTE: https://github.com/mozilla/bleach/commit/c5df5789ec3471a31311f42c2d19fc2cf21b35ef CVE-2018-1000117 (Python Software Foundation CPython version From 3.2 until 3.6.4 on Win ...) - python3.7 (Windows-specific) - python3.6 (Windows-specific) - python3.5 (Windows-specific) - python3.4 (Windows-specific) NOTE: http://hg.python.org/lookup/6921e73e33edc3c61bc2d78ed558eaa22a89a564 NOTE: https://bugs.python.org/issue33001 CVE-2018-7740 (The resv_map_release function in mm/hugetlb.c in the Linux kernel thro ...) {DSA-4188-1 DSA-4187-1 DLA-1369-1} - linux 4.15.17-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199037 CVE-2018-7739 (antsle antman before 0.9.1a allows remote attackers to bypass authenti ...) NOT-FOR-US: antsle antman CVE-2018-7737 (** DISPUTED ** In Z-BlogPHP 1.5.1.1740, there is Web Site physical pat ...) NOT-FOR-US: Z-BlogPHP CVE-2018-7736 (** DISPUTED ** In Z-BlogPHP 1.5.1.1740, cmd.php has XSS via the ZC_BLO ...) NOT-FOR-US: Z-BlogPHP CVE-2017-18221 (The __munlock_pagevec function in mm/mlock.c in the Linux kernel befor ...) - linux 4.11.6-1 [stretch] - linux 4.9.47-1 [jessie] - linux 3.16.48-1 [wheezy] - linux (Vulnerable code introduce later) CVE-2018-7735 (Afian FileRun (before 2018.02.13) suffers from a remote SQL injection ...) NOT-FOR-US: Afian FileRun CVE-2018-7734 (Afian FileRun (before 2018.02.13) suffers from a remote SQL injection ...) NOT-FOR-US: Afian FileRun CVE-2018-7733 (An issue was discovered in YxtCMF 3.1. RbacController.class.php has CS ...) NOT-FOR-US: YxtCMF CVE-2018-7732 (An issue was discovered in YxtCMF 3.1. SQL Injection exists in ShitiCo ...) NOT-FOR-US: YxtCMF CVE-2018-7731 (An issue was discovered in Exempi through 2.4.4. XMPFiles/source/Forma ...) - exempi 2.4.5-1 (low; bug #892782) [stretch] - exempi (Minor issue) [jessie] - exempi (Vulnerable code introduced later) [wheezy] - exempi (Vulnerable code introduced later) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=105247 NOTE: https://cgit.freedesktop.org/exempi/commit/?id=aabedb5e749dd59112a3fe1e8e08f2d934f56666 CVE-2018-7730 (An issue was discovered in Exempi through 2.4.4. A certain case of a 0 ...) {DLA-1310-1} - exempi 2.4.5-1 (low; bug #892782) [stretch] - exempi (Minor issue) [jessie] - exempi (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=105204 NOTE: https://cgit.freedesktop.org/exempi/commit/?id=6cbd34025e5fd3ba47b29b602096e456507ce83b CVE-2018-7729 (An issue was discovered in Exempi through 2.4.4. There is a stack-base ...) - exempi 2.4.5-1 (low; bug #892782) [stretch] - exempi (Minor issue) [jessie] - exempi (Minor issue) [wheezy] - exempi (vulnerable code not present) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=105206 NOTE: https://cgit.freedesktop.org/exempi/commit/?id=baa4b8a02c1ffab9645d13f0bfb1c0d10d311a0c CVE-2018-7728 (An issue was discovered in Exempi through 2.4.4. XMPFiles/source/FileH ...) {DLA-1310-1} - exempi 2.4.5-1 (low; bug #892782) [stretch] - exempi (Minor issue) [jessie] - exempi (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=105205 NOTE: https://cgit.freedesktop.org/exempi/commit/?id=e163667a06a9b656a047b0ec660b871f29a83c9f CVE-2018-7727 (An issue was discovered in ZZIPlib 0.13.68. There is a memory leak tri ...) - zziplib (unimportant) NOTE: https://github.com/gdraheim/zziplib/issues/40 NOTE: https://github.com/gdraheim/zziplib/commit/83a2da55922f67e07f22048ac9671a44cc0d35c4 (v0.13.69) NOTE: unzzipcat-mem and unzzipdir-mem not installed into binary packages. CVE-2018-7726 (An issue was discovered in ZZIPlib 0.13.68. There is a bus error cause ...) {DLA-2258-1} - zziplib 0.13.62-3.2 (low; bug #913165) [stretch] - zziplib 0.13.62-3.2~deb9u1 [wheezy] - zziplib (Minor issue) NOTE: https://github.com/gdraheim/zziplib/issues/27 NOTE: https://github.com/gdraheim/zziplib/issues/41 NOTE: https://github.com/gdraheim/zziplib/commit/8f48323c181e20b7e527b8be7229d6eb1148ec5f (v0.13.69) NOTE: https://github.com/gdraheim/zziplib/commit/19c9e4dc6c5cf92a38d0d23dbccac6993f9c41be (v0.13.69) NOTE: https://github.com/gdraheim/zziplib/commit/feae4da1a5c92100c44ebfcbaaa895959cc0829b (v0.13.69) CVE-2018-7725 (An issue was discovered in ZZIPlib 0.13.68. An invalid memory address ...) {DLA-2258-1} - zziplib 0.13.62-3.2 (low; bug #913165) [stretch] - zziplib 0.13.62-3.2~deb9u1 [wheezy] - zziplib (Minor issue) NOTE: https://github.com/gdraheim/zziplib/issues/39 NOTE: https://github.com/gdraheim/zziplib/commit/1ba660b3300d67b8ce9f6b96bbae0b36fa2d6b06 (v0.13.69) CVE-2018-7724 (The management panel in Piwigo 2.9.3 has stored XSS via the name param ...) - piwigo NOTE: https://github.com/Piwigo/Piwigo/issues/872 NOTE: https://github.com/Piwigo/Piwigo/commit/55a9754b111309d7a85c6dd86efe47954e984072 CVE-2018-7723 (The management panel in Piwigo 2.9.3 has stored XSS via the virtual_na ...) - piwigo CVE-2018-7722 (The management panel in Piwigo 2.9.3 has stored XSS via the name param ...) - piwigo NOTE: https://github.com/Piwigo/Piwigo/issues/871 NOTE: https://github.com/Piwigo/Piwigo/commit/0ec289769ee1fc314dbc7d90fdc480389e786942 CVE-2018-7721 (Cross Site Scripting (XSS) exists in MetInfo 6.0.0 via /feedback/index ...) NOT-FOR-US: MetInfo CVE-2018-7720 (A cross-site request forgery (CSRF) vulnerability exists in Western Br ...) NOT-FOR-US: Western Bridge Cobub Razor CVE-2018-7719 (Acrolinx Server before 5.2.5 on Windows allows Directory Traversal. ...) NOT-FOR-US: Acrolinx Server CVE-2018-7752 (GPAC through 0.7.1 has a Buffer Overflow in the gf_media_avc_read_sps ...) {DLA-1693-1} - gpac 0.5.2-426-gc5ad4e4+dfsg5-4.1 (bug #892526) [stretch] - gpac 0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1 [wheezy] - gpac (vulnerable code not present) NOTE: https://github.com/gpac/gpac/issues/997 NOTE: https://github.com/gpac/gpac/commit/90dc7f853d31b0a4e9441cba97feccf36d8b69a4 NOTE: CVE is for the issue in av_parsers.c and fixed in same commit as NOTE: CVE-2018-1000100 CVE-2018-1000100 (GPAC MP4Box version 0.7.1 and earlier contains a Buffer Overflow vulne ...) - gpac (Vulnerable code not present) NOTE: https://github.com/gpac/gpac/issues/994 NOTE: https://github.com/gpac/gpac/commit/90dc7f853d31b0a4e9441cba97feccf36d8b69a4 CVE-2018-7738 (In util-linux before 2.32-rc1, bash-completion/umount allows local use ...) {DSA-4134-1} - bash-completion (unimportant) - util-linux 2.31.1-0.5 (bug #892179) [jessie] - util-linux (umount completion added later) [wheezy] - util-linux (umount completion added later) NOTE: Fix in bash-completion's from util-linux: NOTE: https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55#diff-a47601b5dbce9dc06c3af1deb02758c7 NOTE: src:util-linux/2.28-1 takes over the umount completion from NOTE: src:bash-completion (which in turn starting from 1:2.1-4.3 NOTE: does not provide the umount completion in the binary packaage) CVE-2018-7718 (An issue was discovered in Telexy QPath 5.4.462. A low privileged auth ...) NOT-FOR-US: Telexy QPath CVE-2018-7717 (The htmlImageAddTitleAttribute function in sige.php in the Kubik-Rubik ...) NOT-FOR-US: Kubik-Rubik Simple Image Gallery Extended (SIGE) extension for Joomla! CVE-2018-7716 (PrivateVPN 2.0.31 for macOS suffers from a root privilege escalation v ...) NOT-FOR-US: PrivateVPN for macOS CVE-2018-7715 (PrivateVPN 2.0.31 for macOS suffers from a root privilege escalation v ...) NOT-FOR-US: PrivateVPN for macOS CVE-2018-7714 (** DISPUTED ** The validateInputImageSize function in modules/imgcodec ...) NOTE: Non-issue, needs to be handled within applications using opencv NOTE: https://github.com/opencv/opencv/issues/10998 CVE-2018-7713 (** DISPUTED ** The validateInputImageSize function in modules/imgcodec ...) NOTE: Non-issue, needs to be handled within applications using opencv NOTE: https://github.com/opencv/opencv/issues/10998 CVE-2018-7712 (** DISPUTED ** The validateInputImageSize function in modules/imgcodec ...) NOTE: Non-issue, needs to be handled within applications using opencv NOTE: https://github.com/opencv/opencv/issues/10998 CVE-2018-7710 RESERVED CVE-2018-7709 RESERVED CVE-2018-7708 RESERVED CVE-2018-7707 (Cross-site scripting (XSS) vulnerability in SecurEnvoy SecurMail befor ...) NOT-FOR-US: SecurEnvoy SecurMail CVE-2018-7706 (Directory traversal vulnerability in SecurEnvoy SecurMail before 9.2.5 ...) NOT-FOR-US: SecurEnvoy SecurMail CVE-2018-7705 (Directory traversal vulnerability in SecurEnvoy SecurMail before 9.2.5 ...) NOT-FOR-US: SecurEnvoy SecurMail CVE-2018-7704 (SecurEnvoy SecurMail before 9.2.501 allows remote authenticated users ...) NOT-FOR-US: SecurEnvoy SecurMail CVE-2018-7703 (Cross-site scripting (XSS) vulnerability in SecurEnvoy SecurMail befor ...) NOT-FOR-US: SecurEnvoy SecurMail CVE-2018-7702 (SecurEnvoy SecurMail before 9.2.501 allows remote attackers to spoof t ...) NOT-FOR-US: SecurEnvoy SecurMail CVE-2018-7701 (Multiple cross-site request forgery (CSRF) vulnerabilities in SecurEnv ...) NOT-FOR-US: SecurEnvoy SecurMail CVE-2017-18220 (The ReadOneJNGImage and ReadJNGImage functions in coders/png.c in Grap ...) {DSA-4321-1 DLA-1456-1 DLA-1322-1} - graphicsmagick 1.3.26-8 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/98721124e51f NOTE: https://sourceforge.net/p/graphicsmagick/bugs/438/ NOTE: Issue is related to CVE-2017-11403 but not the same issue. CVE-2017-18219 (An issue was discovered in GraphicsMagick 1.3.26. An allocation failur ...) {DSA-4321-1 DLA-1456-1 DLA-1322-1} - graphicsmagick 1.3.27-1 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/cadd4b0522fa NOTE: https://sourceforge.net/p/graphicsmagick/bugs/459/ CVE-2018-7700 (DedeCMS 5.7 has CSRF with an impact of arbitrary code execution, becau ...) NOT-FOR-US: DedeCMS CVE-2018-7699 RESERVED CVE-2018-7698 (An issue was discovered in D-Link mydlink+ 3.8.5 build 259 for DCS-933 ...) NOT-FOR-US: D-Link CVE-2018-7697 RESERVED CVE-2018-7696 RESERVED CVE-2018-7695 RESERVED CVE-2018-7694 RESERVED CVE-2018-7693 RESERVED CVE-2018-7692 (Unvalidated redirect vulnerability in in NetIQ eDirectory before 9.1.1 ...) NOT-FOR-US: NetIQ eDirectory CVE-2018-7691 (A potential Remote Unauthorized Access in Micro Focus Fortify Software ...) NOT-FOR-US: Micro Focus CVE-2018-7690 (A potential Remote Unauthorized Access in Micro Focus Fortify Software ...) NOT-FOR-US: Micro Focus CVE-2018-7689 (Lack of permission checks in the InitializeDevelPackage function in op ...) - open-build-service 2.9.4-1 (low; bug #903797) [stretch] - open-build-service (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1094819 NOTE: https://github.com/openSUSE/open-build-service/commit/990ef7cccef6f38fc1d1a1bb22a08e174dcba43b CVE-2018-7688 (A missing permission check in the review handling of openSUSE Open Bui ...) - open-build-service 2.9.4-1 (low; bug #903796) [stretch] - open-build-service (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1094820 NOTE: https://github.com/openSUSE/open-build-service/commit/b15cf19e9e01115f653c76ffdc8f54cd97566553 CVE-2018-7687 (The Micro Focus Client for OES before version 2 SP4 IR8a has a vulnera ...) NOT-FOR-US: Micro Focus Client for OES CVE-2018-7686 (Information leakage vulnerability in NetIQ eDirectory before 9.1.1 HF1 ...) NOT-FOR-US: NetIQ eDirectory CVE-2018-7685 (The decoupled download and installation steps in libzypp before 17.5.0 ...) - libzypp 17.6.1-1 [jessie] - libzypp (Minor issue, very low popcon) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1091624 NOTE: https://github.com/openSUSE/libzypp/commit/5186110992f29c5e3b1b5bfe9e1ca899a155399c CVE-2018-7684 RESERVED CVE-2018-7683 (Micro Focus Solutions Business Manager versions prior to 11.4 might re ...) NOT-FOR-US: Micro Focus Solutions Business Manager CVE-2018-7682 (Micro Focus Solutions Business Manager versions prior to 11.4 allows a ...) NOT-FOR-US: Micro Focus Solutions Business Manager CVE-2018-7681 (Micro Focus Solutions Business Manager versions prior to 11.4 allows J ...) NOT-FOR-US: Micro Focus Solutions Business Manager CVE-2018-7680 (Micro Focus Solutions Business Manager versions prior to 11.4 can refl ...) NOT-FOR-US: Micro Focus Solutions Business Manager CVE-2018-7679 (Micro Focus Solutions Business Manager versions prior to 11.4 when ASP ...) NOT-FOR-US: Micro Focus Solutions Business Manager CVE-2018-7678 (A cross site scripting vulnerability exist in the Administration Conso ...) NOT-FOR-US: NetIQ Access Manager CVE-2018-7677 (A CSRF exposure exists in NetIQ Access Manager (NAM) 4.4 Identity Serv ...) NOT-FOR-US: NetIQ Access Manager CVE-2018-7676 (The NetIQ Identity Manager, in versions prior to 4.7, userapp with log ...) NOT-FOR-US: NetIQ Identity Manager CVE-2018-7675 (In NetIQ Sentinel before 8.1.x, a Sentinel user is logged into the Sen ...) NOT-FOR-US: NetIQ Sentinel CVE-2018-7674 (The NetIQ Identity Manager user console, in versions prior to 4.7, is ...) NOT-FOR-US: NetIQ Identity Manager CVE-2018-7673 (The NetIQ Identity Manager communication channel, in versions prior to ...) NOT-FOR-US: NetIQ Identity Manager CVE-2017-18218 (In drivers/net/ethernet/hisilicon/hns/hns_enet.c in the Linux kernel b ...) {DSA-4188-1} - linux 4.13.4-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/27463ad99f738ed93c7c8b3e2e5bc8c4853a2ff2 CVE-2017-18217 (An issue was discovered in InvoicePlane before 1.5.5. It was observed ...) NOT-FOR-US: InvoicePlane CVE-2017-18216 (In fs/ocfs2/cluster/nodemanager.c in the Linux kernel before 4.15, loc ...) {DSA-4188-1 DSA-4187-1 DLA-1369-1} - linux 4.15.4-1 NOTE: Fixed by: https://git.kernel.org/linus/853bc26a7ea39e354b9f8889ae7ad1492ffa28d2 CVE-2017-18215 (xvpng.c in xv 3.10a has memory corruption (out-of-bounds write) when d ...) - xv CVE-2018-7672 RESERVED CVE-2018-7671 RESERVED CVE-2018-7670 RESERVED CVE-2018-7669 (An issue was discovered in Sitecore Sitecore.NET 8.1 rev. 151207 Hotfi ...) NOT-FOR-US: Sitecore CVE-2018-7668 (TestLink through 1.9.16 allows remote attackers to read arbitrary atta ...) NOT-FOR-US: TestLink CVE-2018-7667 (Adminer through 4.3.1 has SSRF via the server parameter. ...) {DLA-1311-1} - adminer 4.5.0-1 (bug #893668) [stretch] - adminer 4.2.5-3+deb9u1 [jessie] - adminer 3.3.3-1+deb8u1 NOTE: http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt NOTE: https://github.com/vrana/adminer/commit/0fae40fb611b5c8167fa2b8d40bf576a8935a380 NOTE: adminer 4.4.0 disallows connecting to privileged ports, and thus not "enumerating" NOTE: services on (another) host for ports < 1024. NOTE: Additionally 4.4.0 rate-limits password-less login attempts from the same NOTE: IP address: NOTE: https://github.com/vrana/adminer/commit/0e5df34ea87ad34c1bc0ceac162eb86175d611a3 CVE-2018-7666 (An issue was discovered in ClipBucket before 4.0.0 Release 4902. SQL i ...) NOT-FOR-US: ClipBucket CVE-2018-7665 (An issue was discovered in ClipBucket before 4.0.0 Release 4902. A mal ...) NOT-FOR-US: ClipBucket CVE-2018-7664 (An issue was discovered in ClipBucket before 4.0.0 Release 4902. Any O ...) NOT-FOR-US: ClipBucket CVE-2018-7663 (An issue was discovered in resources/views/layouts/app.blade.php in Vo ...) NOT-FOR-US: Voten.co CVE-2018-7662 (Couch through 2.0 allows remote attackers to discover the full path vi ...) NOT-FOR-US: CouchCMS CVE-2018-7661 (Papenmeier WiFi Baby Monitor Free & Lite before 2.02.2 allows remo ...) NOT-FOR-US: Papenmeier WiFi Baby Monitor Free & Lite CVE-2018-7660 (In OpenText Documentum D2 Webtop v4.6.0030 build 059, a Reflected Cros ...) NOT-FOR-US: OpenText Documentum D2 Webtop CVE-2018-7659 (In OpenText Documentum D2 Webtop v4.6.0030 build 059, a Stored Cross-S ...) NOT-FOR-US: OpenText Documentum D2 Webtop CVE-2018-7711 (HTTPRedirect.php in the saml2 library in SimpleSAMLphp before 1.15.4 h ...) {DLA-1314-1} - simplesamlphp 1.15.4-1 [stretch] - simplesamlphp (Minor issue) [jessie] - simplesamlphp (Minor issue) NOTE: failure mode hard to trigger for an attacker, signing of redirect binding in many cases not that important NOTE: https://simplesamlphp.org/security/201803-01 NOTE: https://github.com/simplesamlphp/saml2/commit/4f6af7f69f29df8555a18b9bb7b646906b45924d CVE-2018-7658 (NTSServerSvc.exe in the server in Softros Network Time System 2.3.4 al ...) NOT-FOR-US: Softros Network Time System CVE-2018-7657 RESERVED CVE-2018-7656 RESERVED CVE-2018-7655 RESERVED CVE-2018-7654 (On 3CX 15.5.6354.2 devices, the parameter "file" in the request "/api/ ...) NOT-FOR-US: 3CX 15.5.6354.2 devices CVE-2018-7653 (In YzmCMS 3.6, index.php has XSS via the a, c, or m parameter. ...) NOT-FOR-US: YzmCMS CVE-2018-7652 (lib/Zonemaster/GUI/Dancer/Export.pm in Zonemaster Web GUI before 1.0.1 ...) NOT-FOR-US: Zonemaster Web GUI NOTE: The source (1.0.7) is in Salsa, but never uploaded: https://salsa.debian.org/perl-team/modules/packages/zonemaster-gui CVE-2017-18213 (In Exponent CMS before 2.4.1 Patch #6, certain admin users can elevate ...) NOT-FOR-US: Exponent CMS CVE-2017-18214 (The moment module before 2.19.3 for Node.js is prone to a regular expr ...) - node-moment 2.19.3+ds-1 (unimportant) NOTE: fixed in 2.19.3 upstream NOTE: https://github.com/moment/moment/commit/69ed9d44957fa6ab12b73d2ae29d286a857b80eb NOTE: https://github.com/moment/moment/pull/4326 NOTE: https://github.com/moment/moment/issues/4163 NOTE: https://nodesecurity.io/advisories/532 NOTE: nodejs not covered by security support CVE-2018-7651 (index.js in the ssri module before 5.2.2 for Node.js is prone to a reg ...) - node-ssri 5.2.4-1 (unimportant; bug #891980) NOTE: fixed in 5.2.2 NOTE: https://github.com/zkat/ssri/commit/d0ebcdc22cb5c8f47f89716d08b3518b2485d65d NOTE: https://github.com/zkat/ssri/issues/10 NOTE: https://nodesecurity.io/advisories/565 NOTE: nodejs not covered by security support CVE-2018-1000119 (Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier conta ...) {DSA-4247-1} - ruby-rack-protection 1.5.3-2.1 (bug #892250) [jessie] - ruby-rack-protection (Low prio package and low prio vulnerability according to RedHat) [wheezy] - ruby-rack-protection (Low prio package and low prio vulnerability according to RedHat) NOTE: https://snyk.io/vuln/SNYK-RUBY-SINATRA-20470 NOTE: https://snyk.io/vuln/SNYK-RUBY-RACKPROTECTION-20395 NOTE: https://github.com/sinatra/sinatra/commit/8aa6c42ef724f93ae309fb7c5668e19ad547eceb CVE-2018-1000115 (Memcached version 1.5.5 contains an Insufficient Control of Network Me ...) {DSA-4218-1} - memcached 1.5.6-1 [wheezy] - memcached (Minor issue; Debian defaults to listen only on localhost) NOTE: Upstream 1.5.6 disables by default the UDP protocol NOTE: https://github.com/memcached/memcached/commit/dbb7a8af90054bf4ef51f5814ef7ceb17d83d974 NOTE: Documentation in memcached's config files clearly mentions the NOTE: issues: "Specify which IP address to listen on. The default NOTE: (upstream) is to listen on all IP addresses. [...] so make sure NOTE: it's listening on a firewalled interface." CVE-2018-7650 (PHP Scripts Mall Hot Scripts Clone:Script Classified Version 3.1 Appli ...) NOT-FOR-US: PHP Scripts Mall Hot Scripts Clone:Script Classified Application CVE-2018-7649 (Monitorix before 3.10.1 allows XSS via CGI variables. ...) NOT-FOR-US: Monitorix CVE-2018-7648 (An issue was discovered in mj2/opj_mj2_extract.c in OpenJPEG 2.3.0. Th ...) - openjpeg2 2.3.1-1 (unimportant) NOTE: https://github.com/uclouvain/openjpeg/commit/cc3824767bde397fedb8a1ae4786a222ba860c8d NOTE: https://github.com/uclouvain/openjpeg/issues/1088 NOTE: The Debian package is built with -DBUILD_MJ2:BOOL=OFF CVE-2018-7647 RESERVED CVE-2018-7646 RESERVED CVE-2018-7645 RESERVED CVE-2018-7643 (The display_debug_ranges function in dwarf.c in GNU Binutils 2.30 allo ...) - binutils 2.30-6 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22905 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d11ae95ea3403559f052903ab053f43ad7821e37 CVE-2018-7642 (The swap_std_reloc_in function in aoutx.h in the Binary File Descripto ...) - binutils 2.30-6 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22887 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=116acb2c268c89c89186673a7c92620d21825b25 CVE-2018-7641 (An issue was discovered in CImg v.220. A heap-based buffer over-read i ...) {DLA-1934-1} - cimg 2.3.6+dfsg-1 (low; bug #892780) [stretch] - cimg (Minor issue) [wheezy] - cimg (Minor issue) NOTE: https://github.com/dtschump/CImg/issues/185 NOTE: https://github.com/dtschump/CImg/commit/10af1e8c1ad2a58a0a3342a856bae63e8f257abb CVE-2018-7640 (An issue was discovered in CImg v.220. A heap-based buffer over-read i ...) {DLA-1934-1} - cimg 2.3.6+dfsg-1 (low; bug #892780) [stretch] - cimg (Minor issue) [wheezy] - cimg (Minor issue) NOTE: https://github.com/dtschump/CImg/issues/185 NOTE: https://github.com/dtschump/CImg/commit/10af1e8c1ad2a58a0a3342a856bae63e8f257abb CVE-2018-7639 (An issue was discovered in CImg v.220. A heap-based buffer over-read i ...) {DLA-1934-1} - cimg 2.3.6+dfsg-1 (low; bug #892780) [stretch] - cimg (Minor issue) [wheezy] - cimg (Minor issue) NOTE: https://github.com/dtschump/CImg/issues/185 NOTE: https://github.com/dtschump/CImg/commit/10af1e8c1ad2a58a0a3342a856bae63e8f257abb CVE-2018-7638 (An issue was discovered in CImg v.220. A heap-based buffer over-read i ...) {DLA-1934-1} - cimg 2.3.6+dfsg-1 (low; bug #892780) [stretch] - cimg (Minor issue) [wheezy] - cimg (Minor issue) NOTE: https://github.com/dtschump/CImg/issues/185 NOTE: https://github.com/dtschump/CImg/commit/10af1e8c1ad2a58a0a3342a856bae63e8f257abb CVE-2018-7637 (An issue was discovered in CImg v.220. A heap-based buffer over-read i ...) {DLA-1934-1} - cimg 2.3.6+dfsg-1 (low; bug #892780) [stretch] - cimg (Minor issue) [wheezy] - cimg (Minor issue) NOTE: https://github.com/dtschump/CImg/issues/185 NOTE: https://github.com/dtschump/CImg/commit/10af1e8c1ad2a58a0a3342a856bae63e8f257abb CVE-2018-7636 (The URL filtering "continue page" hosted by PAN-OS 8.0.10 and earlier ...) NOT-FOR-US: PAN-OS CVE-2018-7635 (Whale Browser before 1.0.41.8 displays no URL information but only a t ...) NOT-FOR-US: Whale Browser CVE-2018-7634 (An issue was discovered in Enalean Tuleap 9.17. Lack of CSRF attack mi ...) NOT-FOR-US: Enalean Tuleap CVE-2018-7633 (Code injection in the /ui/login form Language parameter in Epicentro E ...) NOT-FOR-US: Epicentro CVE-2018-7632 (Buffer Overflow in httpd in EpiCentro E_7.3.2+ allows attackers to cau ...) NOT-FOR-US: Epicentro CVE-2018-7631 (Buffer Overflow in httpd in EpiCentro E_7.3.2+ allows attackers to exe ...) NOT-FOR-US: Epicentro CVE-2018-7630 RESERVED CVE-2018-7629 RESERVED CVE-2018-7628 RESERVED CVE-2018-7627 RESERVED CVE-2018-7626 RESERVED CVE-2018-7625 RESERVED CVE-2018-7624 RESERVED CVE-2018-7623 RESERVED CVE-2018-7622 RESERVED CVE-2018-7621 RESERVED CVE-2018-7620 RESERVED CVE-2018-7619 RESERVED CVE-2018-7618 RESERVED CVE-2018-7617 RESERVED CVE-2018-7616 RESERVED CVE-2018-7615 RESERVED CVE-2018-7614 RESERVED CVE-2018-7613 RESERVED CVE-2018-7612 RESERVED CVE-2018-7611 RESERVED CVE-2018-7610 RESERVED CVE-2018-7609 RESERVED CVE-2018-7608 RESERVED CVE-2018-7607 RESERVED CVE-2018-7606 RESERVED CVE-2018-7605 RESERVED CVE-2018-7604 RESERVED CVE-2018-7603 (In Drupal's 3rd party module search auto complete prior to versions 7. ...) NOT-FOR-US: Drupal addon CVE-2018-7602 (A remote code execution vulnerability exists within multiple subsystem ...) {DSA-4180-1 DLA-1365-1} - drupal7 (bug #896701) NOTE: https://www.drupal.org/psa-2018-003 NOTE: https://www.drupal.org/sa-core-2018-004 NOTE: https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=080daa38f265ea28444c540832509a48861587d0 CVE-2018-7601 RESERVED CVE-2018-7599 RESERVED CVE-2018-7598 RESERVED CVE-2018-7597 RESERVED CVE-2018-7596 RESERVED CVE-2018-7595 RESERVED CVE-2018-7594 RESERVED CVE-2018-7593 RESERVED CVE-2018-7592 RESERVED CVE-2018-7591 RESERVED CVE-2018-7590 (CSRF exists in Hoosk 1.7.0 via /admin/users/new/add, resulting in acco ...) NOT-FOR-US: Hoosk CVE-2018-7589 (An issue was discovered in CImg v.220. A double free in load_bmp in CI ...) {DLA-1934-1} - cimg 2.3.6+dfsg-1 (low; bug #892780) [stretch] - cimg (Minor issue) [wheezy] - cimg (Minor issue) NOTE: https://github.com/dtschump/CImg/issues/184 NOTE: https://github.com/dtschump/CImg/commit/8447076ef22322a14a0ce130837e44c5ba8095f4 CVE-2018-7588 (An issue was discovered in CImg v.220. A heap-based buffer over-read i ...) {DLA-1934-1} - cimg 2.3.6+dfsg-1 (low; bug #892780) [stretch] - cimg (Minor issue) [wheezy] - cimg (Minor issue) NOTE: https://github.com/dtschump/CImg/issues/183 NOTE: https://github.com/dtschump/CImg/commit/8447076ef22322a14a0ce130837e44c5ba8095f4 CVE-2018-7587 (An issue was discovered in CImg v.220. DoS occurs when loading a craft ...) - cimg (low; bug #892780; bug #940951) [buster] - cimg (Minor issue) [stretch] - cimg (Minor issue) [jessie] - cimg (Minor issue) [wheezy] - cimg (Minor issue) CVE-2018-7586 (In the nextgen-gallery plugin before 2.2.50 for WordPress, gallery pat ...) NOT-FOR-US: nextgen-gallery plugin for WordPress CVE-2017-18212 (An issue was discovered in JerryScript 1.0. There is a heap-based buff ...) NOT-FOR-US: JerryScript CVE-2018-7585 RESERVED CVE-2018-7584 (In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and ...) {DSA-4240-1 DLA-1397-1 DLA-1326-1} - php7.2 7.2.3-1 - php7.1 7.1.15-1 - php7.0 7.0.28-1 - php5 NOTE: Fixed in 5.6.34, 7.0.28, 7.1.15, 7.2.3 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=75981 NOTE: https://github.com/php/php-src/commit/523f230c831d7b33353203fa34aee4e92ac12bba CVE-2018-7583 (Proxy.exe in DualDesk 20 allows Remote Denial Of Service (daemon crash ...) NOT-FOR-US: Proxy.exe in DualDesk 20 CVE-2018-7582 (WebLog Expert Web Server Enterprise 9.4 allows Remote Denial Of Servic ...) NOT-FOR-US: WebLog Expert Web Server Enterprise CVE-2018-7581 (\ProgramData\WebLog Expert\WebServer\WebServer.cfg in WebLog Expert We ...) NOT-FOR-US: WebLog Expert Web Server Enterprise CVE-2018-7580 RESERVED CVE-2017-18211 (In ImageMagick 7.0.7, a NULL pointer dereference vulnerability was fou ...) - imagemagick 8:6.9.9.34+dfsg-3 (low) [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (vulnerable code not present) [wheezy] - imagemagick (vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/792 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/96c2fab85e1699c87080271254c5a01387805564 NOTE: https://github.com/ImageMagick/ImageMagick/commit/22eec833cd72b5abab2627fcacc27d2dfb6aa6e7 CVE-2017-18210 (In ImageMagick 7.0.7, a NULL pointer dereference vulnerability was fou ...) - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/791 NOTE: https://github.com/ImageMagick/ImageMagick/commit/d2b87b403059af21db3002db95f4603f32b492ef NOTE: The commit referenced the wrong issue in the upstream issue tracker, but NOTE: as noted in https://github.com/ImageMagick/ImageMagick/issues/791#issuecomment-334050314 CVE-2017-18209 (In the GetOpenCLCachedFilesDirectory function in magick/opencl.c in Im ...) - imagemagick 8:6.9.9.34+dfsg-3 (low) [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (vulnerable code not present) [wheezy] - imagemagick (vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/790 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/6ac2858a87df6d645813e43928b4f01a3169ad3f NOTE: https://github.com/ImageMagick/ImageMagick/commit/cca91aa1861818342e3d072bb0fad7dc4ffac24a CVE-2018-7579 (\application\admin\controller\update_urls.class.php in YzmCMS 3.6 has ...) NOT-FOR-US: YzmCMS CVE-2018-7578 RESERVED CVE-2018-7577 (Memcpy parameter overlap in Google Snappy library 1.1.4, as used in Go ...) - snappy NOTE: https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2018-005.md NOTE: There are no useful details, could just as well be a misuse of snappy by Tensorflow CVE-2018-7576 (Google TensorFlow 1.6.x and earlier is affected by: Null Pointer Deref ...) - tensorflow (bug #804612) CVE-2018-7575 (Google TensorFlow 1.7.x and earlier is affected by a Buffer Overflow v ...) - tensorflow (bug #804612) CVE-2018-7574 REJECTED CVE-2018-7573 (An issue was discovered in FTPShell Client 6.7. A remote FTP server ca ...) NOT-FOR-US: FTPShell Client CVE-2018-7572 (Pulse Secure Client 9.0R1 and 5.3RX before 5.3R5, when configured to a ...) NOT-FOR-US: Pulse Secure Client CVE-2018-7571 RESERVED CVE-2018-7570 (The assign_file_positions_for_non_load_sections function in elf.c in t ...) - binutils 2.30-6 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22881 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=01f7e10cf2dcf403462b2feed06c43135651556d CVE-2018-7569 (dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as ...) - binutils 2.30-6 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22895 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=12c963421d045a127c413a0722062b9932c50aa9 CVE-2018-7568 (The parse_die function in dwarf1.c in the Binary File Descriptor (BFD) ...) - binutils 2.30-6 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22894 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=eef104664efb52965d85a28bc3fc7c77e52e48e2 CVE-2017-18208 (The madvise_willneed function in mm/madvise.c in the Linux kernel befo ...) - linux 4.14.7-1 [stretch] - linux 4.9.80-1 [jessie] - linux 3.16.57-1 [wheezy] - linux (Only affects ARM with XIP enabled) NOTE: Fixed by: https://git.kernel.org/linus/6ea8d958a2c95a1d514015d4e29ba21a8c0a1a91 CVE-2017-18207 (** DISPUTED ** The Wave_read._read_fmt_chunk function in Lib/wave.py i ...) NOTE: Nonsense report for Python CVE-2018-1000103 REJECTED CVE-2018-1000102 REJECTED CVE-2018-1000114 (An improper authorization vulnerability exists in Jenkins Promoted Bui ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000113 (A cross-site scripting vulnerability exists in Jenkins TestLink Plugin ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000112 (An improper authorization vulnerability exists in Jenkins Mercurial Pl ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000111 (An improper authorization vulnerability exists in Jenkins Subversion P ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000110 (An improper authorization vulnerability exists in Jenkins Git Plugin v ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000109 (An improper authorization vulnerability exists in Jenkins Google Play ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000108 (A cross-site scripting vulnerability exists in Jenkins CppNCSS Plugin ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000107 (An improper authorization vulnerability exists in Jenkins Job and Node ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000106 (An improper authorization vulnerability exists in Jenkins Gerrit Trigg ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000105 (An improper authorization vulnerability exists in Jenkins Gerrit Trigg ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000104 (A plaintext storage of a password vulnerability exists in Jenkins Cove ...) NOT-FOR-US: Jenkins plugin CVE-2018-7567 (** DISPUTED ** In the Admin Package Manager in Open Ticket Request Sys ...) - otrs2 (unimportant) NOTE: PoC https://0day.today/exploit/29938 NOTE: Admin Package Manager works as designed and warns if a package is beeing NOTE: installed which is not verified by the OTRS Group. Responsiblity of the NOTE: respective admin to check packages before installation. CVE-2018-7566 (The Linux kernel 4.15 has a Buffer Overflow via an SNDRV_SEQ_IOCTL_SET ...) {DSA-4188-1 DSA-4187-1 DLA-1369-1} - linux 4.15.11-1 NOTE: Fixed by: https://git.kernel.org/linus/d15d662e89fc667b90cd294b0eb45694e33144da CVE-2018-7565 (CSRF exists on Polycom QDX 6000 devices. ...) NOT-FOR-US: Polycom QDX 6000 devices CVE-2018-7564 (Stored XSS exists on Polycom QDX 6000 devices. ...) NOT-FOR-US: Polycom QDX 6000 devices CVE-2018-7563 (An issue was discovered in GLPI through 9.2.1. The application is affe ...) - glpi (unimportant) NOTE: Only supported behind an authenticated HTTP zone CVE-2018-7562 (A remote code execution issue was discovered in GLPI through 9.2.1. Th ...) - glpi (unimportant) NOTE: Only supported behind an authenticated HTTP zone CVE-2018-7561 (Stack-based Buffer Overflow in httpd on Tenda AC9 devices V15.03.05.14 ...) NOT-FOR-US: Tenda AC9 devices CVE-2018-7560 (index.js in the Anton Myshenin aws-lambda-multipart-parser NPM package ...) NOT-FOR-US: aws-lambda-multipart-parser NPM package CVE-2018-7559 (An issue was discovered in OPC UA .NET Standard Stack and Sample Code ...) NOT-FOR-US: OPC UA .NET CVE-2018-7558 RESERVED CVE-2018-7557 (The decode_init function in libavcodec/utvideodec.c in FFmpeg through ...) {DSA-4249-1 DLA-1630-1} - ffmpeg 7:3.4.3-1 - libav NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/7414d0bda7763f9bd69c26c068e482ab297c1c96 NOTE: Fixed in 3.2.11 CVE-2018-7556 (LimeSurvey 2.6.x before 2.6.7, 2.7x.x before 2.73.1, and 3.x before 3. ...) - limesurvey (bug #472802) CVE-2018-7555 RESERVED CVE-2018-7554 (There is an invalid free in ReadImage in input-bmp.ci that leads to a ...) {DLA-1340-1} - sam2p [jessie] - sam2p 0.49.2-3+deb8u2 NOTE: https://github.com/pts/sam2p/issues/29 NOTE: https://github.com/pts/sam2p/commit/a6621e996f976912252018be8a8836ee6a966ee3 NOTE: https://github.com/pts/sam2p/commit/118cb8102b767df4100d8a14184e44b33a822861 NOTE: https://github.com/pts/sam2p/commit/1e43ec5fe34b009cb43f90a9d562442ca347cd75 NOTE: https://github.com/pts/sam2p/commit/beea3bd8dd05a731fddfa447ff0bad19fe32c973 NOTE: https://github.com/pts/sam2p/commit/47378716ab03d6b39ee959c949df551c643942f1 CVE-2018-7553 (There is a heap-based buffer overflow in the pcxLoadRaster function of ...) {DLA-1340-1} - sam2p [jessie] - sam2p 0.49.2-3+deb8u2 NOTE: https://github.com/pts/sam2p/issues/32 CVE-2018-7552 (There is an invalid free in Mapping::DoubleHash::clear in mapping.cpp ...) {DLA-1340-1} - sam2p [jessie] - sam2p 0.49.2-3+deb8u2 NOTE: https://github.com/pts/sam2p/issues/30 NOTE: CVE-2018-7554 patches will address this issue too. CVE-2018-7551 (There is an invalid free in MiniPS::delete0 in minips.cpp that leads t ...) {DLA-1340-1} - sam2p [jessie] - sam2p 0.49.2-3+deb8u2 NOTE: https://github.com/pts/sam2p/issues/28 CVE-2018-7550 (The load_multiboot function in hw/i386/multiboot.c in Quick Emulator ( ...) {DSA-4213-1 DLA-1497-1 DLA-1351-1 DLA-1350-1} - qemu 1:2.12~rc3+dfsg-1 (bug #892041) - qemu-kvm NOTE: https://git.qemu.org/?p=qemu.git;a=patch;h=2a8fcd119eb7c6bb3837fc3669eb1b2dfb31daf8 CVE-2018-7549 (In params.c in zsh through 5.4.2, there is a crash during a copy of an ...) - zsh 5.5-1 (unimportant) NOTE: https://sourceforge.net/p/zsh/code/ci/c2cc8b0fbefc9868fa83537f5b6d90fc1ec438dd NOTE: no security impact CVE-2018-7548 (In subst.c in zsh through 5.4.2, there is a NULL pointer dereference w ...) - zsh 5.5-1 (unimportant) NOTE: https://sourceforge.net/p/zsh/code/ci/110b13e1090bc31ac1352b28adc2d02b6d25a102 NOTE: no security impact CVE-2018-7547 (lyadmin 1.x has XSS via the config[WEB_SITE_TITLE] parameter to the /a ...) NOT-FOR-US: lyadmin CVE-2018-7546 (wpsmain.dll in Kingsoft WPS Office 2016 and Jinshan PDF 10.1.0.6621 al ...) NOT-FOR-US: Kingsoft WPS Office 2016 and Jinshan PDF CVE-2018-7545 RESERVED CVE-2017-18206 (In utils.c in zsh before 5.4, symlink expansion had a buffer overflow. ...) {DLA-1304-1} - zsh 5.4.1-1 [stretch] - zsh (Minor issue) [jessie] - zsh (Minor issue) NOTE: https://sourceforge.net/p/zsh/code/ci/c7a9cf465dd620ef48d586026944d9bd7a0d5d6d CVE-2017-18205 (In builtin.c in zsh before 5.4, when sh compatibility mode is used, th ...) - zsh 5.4.1-1 (unimportant) NOTE: https://sourceforge.net/p/zsh/code/ci/eb783754bdb74377f3cea4ceca9c23a02ea1bf58 NOTE: no security impact CVE-2016-10714 (In zsh before 5.3, an off-by-one error resulted in undersized buffers ...) {DLA-1304-1} - zsh 5.3-1 [jessie] - zsh (Minor issue) NOTE: https://sourceforge.net/p/zsh/code/ci/a62e1640bcafbb82d86ea8d8ce057a83c4683d60 CVE-2014-10072 (In utils.c in zsh before 5.0.6, there is a buffer overflow when scanni ...) {DLA-1304-1} - zsh 5.0.6-1 NOTE: https://sourceforge.net/p/zsh/code/ci/3e06aeabd8a9e8384ebaa8b08996cd1f64737210 CVE-2014-10071 (In exec.c in zsh before 5.0.7, there is a buffer overflow for very lon ...) {DLA-1304-1} - zsh 5.0.7-3 NOTE: https://sourceforge.net/p/zsh/code/ci/49a3086bb67575435251c70ee598e2fd406ef055 NOTE: Debian needed to add cherry-pick-9982ab6f-missing-changelog-entry CVE-2014-10070 (zsh before 5.0.7 allows evaluation of the initial values of integer va ...) {DLA-1304-1} - zsh 5.0.7-3 NOTE: https://sourceforge.net/p/zsh/code/ci/546203a770cec329e73781c3c8ab1078390aee72 CVE-2018-7544 (** DISPUTED ** A cross-protocol scripting issue was discovered in the ...) - openvpn (unimportant) NOTE: Not a security issue per se, later versions might explicitly warn in NOTE: affected problematic configurations in both the documentation and with NOTE: a runtime warning. CVE-2018-7543 (Cross-site scripting (XSS) vulnerability in installer/build/view.step4 ...) NOT-FOR-US: Wordpress plugin CVE-2018-7539 (On Appear TV XC5000 and XC5100 devices with firmware 3.26.217, it is p ...) NOT-FOR-US: Appear TV XC5000 and XC5100 devices CVE-2018-7538 (A SQL injection vulnerability in the tracker functionality of Enalean ...) NOT-FOR-US: Enalean Tuleap CVE-2018-7542 (An issue was discovered in Xen 4.8.x through 4.10.x allowing x86 PVH g ...) {DSA-4131-1} - xen 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5 [jessie] - xen (Vulnerable code introduced later) [wheezy] - xen (Vulnerable code introduced later) NOTE: https://xenbits.xen.org/xsa/advisory-256.html CVE-2018-7541 (An issue was discovered in Xen through 4.10.x allowing guest OS users ...) {DSA-4131-1 DLA-1577-1 DLA-1300-1} - xen 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5 NOTE: https://xenbits.xen.org/xsa/advisory-255.html CVE-2018-7540 (An issue was discovered in Xen through 4.10.x allowing x86 PV guest OS ...) {DSA-4131-1 DLA-1577-1 DLA-1300-1} - xen 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5 NOTE: https://xenbits.xen.org/xsa/advisory-252.html CVE-2018-7644 (The XmlSecLibs library as used in the saml2 library in SimpleSAMLphp b ...) {DSA-4127-1 DLA-1298-1} - simplesamlphp 1.15.3-1 NOTE: https://simplesamlphp.org/security/201802-01 NOTE: Fixed by: https://github.com/simplesamlphp/saml2/commit/88a9ae848c4b310b1c53b5700893d890999dd930 CVE-2018-7537 (An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.1 ...) {DSA-4161-1 DLA-1303-1} - python-django 1:1.11.11-1 NOTE: https://www.djangoproject.com/weblog/2018/mar/06/security-releases/ NOTE: Patch https://github.com/django/django/commit/a91436360b79a6ff995c3e5018bcc666dfaf1539 CVE-2018-7536 (An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.1 ...) {DSA-4161-1 DLA-1303-1} - python-django 1:1.11.11-1 NOTE: https://www.djangoproject.com/weblog/2018/mar/06/security-releases/ NOTE: Patch https://github.com/django/django/commit/abf89d729f210c692a50e0ad3f75fb6bec6fae16 CVE-2018-7535 (An issue was discovered in TotalAV v4.1.7. An unprivileged user could ...) NOT-FOR-US: TotalAV CVE-2018-7534 (In Stealth Authorization Server before 3.3.017.0 in Unisys Stealth Sol ...) NOT-FOR-US: Stealth Authorization Server CVE-2018-7533 (An Incorrect Default Permissions issue was discovered in OSIsoft PI Da ...) NOT-FOR-US: OSIsoft PI CVE-2018-7532 (Unauthentication vulnerabilities have been identified in Geutebruck G- ...) NOT-FOR-US: IP Geutebruck and Topline IP cameras CVE-2018-7531 (An Improper Input Validation issue was discovered in OSIsoft PI Data A ...) NOT-FOR-US: OSIsoft PI CVE-2018-7530 (Parsing malformed project files in Omron CX-One versions 4.42 and prio ...) NOT-FOR-US: Omron CVE-2018-7529 (A Deserialization of Untrusted Data issue was discovered in OSIsoft PI ...) NOT-FOR-US: OSIsoft PI CVE-2018-7528 (An SQL injection vulnerability has been identified in Geutebruck G-Cam ...) NOT-FOR-US: IP Geutebruck and Topline IP cameras CVE-2018-7527 (A buffer overflow can be triggered in LeviStudio HMI Editor, Version 1 ...) NOT-FOR-US: LeviStudio HMI Editor CVE-2018-7526 (In TotalAlert Web Application in BeaconMedaes Scroll Medical Air Syste ...) NOT-FOR-US: TotalAlert Web Application CVE-2018-7525 (In Omron CX-Supervisor Versions 3.30 and prior, processing a malformed ...) NOT-FOR-US: Omron CX-Supervisor CVE-2018-7524 (A cross-site request forgery vulnerability has been identified in Geut ...) NOT-FOR-US: IP Geutebruck and Topline IP cameras CVE-2018-7523 (In Omron CX-Supervisor Versions 3.30 and prior, parsing malformed proj ...) NOT-FOR-US: Omron CX-Supervisor CVE-2018-7522 (In Schneider Electric Triconex Tricon MP model 3008 firmware versions ...) NOT-FOR-US: Schneider CVE-2018-7521 (In Omron CX-Supervisor Versions 3.30 and prior, use after free vulnera ...) NOT-FOR-US: Omron CX-Supervisor CVE-2018-7520 (An improper access control vulnerability has been identified in Geuteb ...) NOT-FOR-US: IP Geutebruck and Topline IP cameras CVE-2018-7519 (In Omron CX-Supervisor Versions 3.30 and prior, parsing malformed proj ...) NOT-FOR-US: Omron CX-Supervisor CVE-2018-7518 (In TotalAlert Web Application in BeaconMedaes Scroll Medical Air Syste ...) NOT-FOR-US: TotalAlert Web Application CVE-2018-7517 (In Omron CX-Supervisor Versions 3.30 and prior, parsing malformed proj ...) NOT-FOR-US: Omron CX-Supervisor CVE-2018-7516 (A server-side request forgery vulnerability has been identified in Geu ...) NOT-FOR-US: IP Geutebruck and Topline IP cameras CVE-2018-7515 (In Omron CX-Supervisor Versions 3.30 and prior, access of uninitialize ...) NOT-FOR-US: Omron CX-Supervisor CVE-2018-7514 (Parsing malformed project files in Omron CX-One versions 4.42 and prio ...) NOT-FOR-US: Omron CVE-2018-7513 (In Omron CX-Supervisor Versions 3.30 and prior, parsing malformed proj ...) NOT-FOR-US: Omron CX-Supervisor CVE-2018-7512 (A cross-site scripting vulnerability has been identified in Geutebruck ...) NOT-FOR-US: IP Geutebruck and Topline IP cameras CVE-2018-7511 (In Eaton ELCSoft versions 2.04.02 and prior, there are multiple cases ...) NOT-FOR-US: Eaton ELCSoft CVE-2018-7510 (In the web application in BeaconMedaes TotalAlert Scroll Medical Air S ...) NOT-FOR-US: BeaconMedaes TotalAlert CVE-2018-7509 (WPLSoft in Delta Electronics versions 2.45.0 and prior writes data fro ...) NOT-FOR-US: Delta Electronics CVE-2018-7508 (A Cross-site Scripting issue was discovered in OSIsoft PI Web API vers ...) NOT-FOR-US: OSIsoft PI CVE-2018-7507 (WPLSoft in Delta Electronics versions 2.45.0 and prior utilizes a fixe ...) NOT-FOR-US: Delta Electronics CVE-2018-7506 (The private key of the web server in Moxa MXview versions 2.8 and prio ...) NOT-FOR-US: Moxa CVE-2018-7505 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ver ...) NOT-FOR-US: Advantech CVE-2018-7504 (A Protection Mechanism Failure issue was discovered in OSIsoft PI Visi ...) NOT-FOR-US: OSIsoft PI CVE-2018-7503 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ver ...) NOT-FOR-US: Advantech CVE-2018-7502 (Kernel drivers in Beckhoff TwinCAT 3.1 Build 4022.4, TwinCAT 2.11 R3 2 ...) NOT-FOR-US: Beckhoff TwinCAT CVE-2018-7501 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ver ...) NOT-FOR-US: Advantech CVE-2018-7500 (A Permissions, Privileges, and Access Controls issue was discovered in ...) NOT-FOR-US: OSIsoft PI CVE-2018-7499 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ver ...) NOT-FOR-US: Advantech CVE-2018-7498 (In Philips Alice 6 System version R8.0.2 or prior, the lack of proper ...) NOT-FOR-US: Philips Alice 6 System CVE-2018-7497 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ver ...) NOT-FOR-US: Advantech CVE-2018-7496 (An Information Exposure issue was discovered in OSIsoft PI Vision vers ...) NOT-FOR-US: OSIsoft PI CVE-2018-7495 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ver ...) NOT-FOR-US: Advantech CVE-2018-7494 (WPLSoft in Delta Electronics versions 2.45.0 and prior utilizes a fixe ...) NOT-FOR-US: Delta Electronics CVE-2018-7493 (CactusVPN through 6.0 for macOS suffers from a root privilege escalati ...) NOT-FOR-US: CactusVPN for macOS CVE-2017-18204 (The ocfs2_setattr function in fs/ocfs2/file.c in the Linux kernel befo ...) - linux 4.14.2-1 [stretch] - linux 4.9.65-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/28f5a8a7c033cbf3e32277f4cc9c6afd74f05300 CVE-2017-18203 (The dm_get_from_kobject function in drivers/md/dm.c in the Linux kerne ...) {DSA-4187-1 DLA-1369-1} - linux 4.14.7-1 [stretch] - linux 4.9.80-1 NOTE: Fixed by: https://git.kernel.org/linus/b9a41d21dceadf8104812626ef85dc56ee8a60ed CVE-2017-18202 (The __oom_reap_task_mm function in mm/oom_kill.c in the Linux kernel b ...) - linux 4.14.7-1 [stretch] - linux 4.9.80-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/687cb0884a714ff484d038e9190edc874edcf146 CVE-2018-7492 (A NULL pointer dereference was found in the net/rds/rdma.c __rds_rdma_ ...) {DSA-4187-1 DLA-1369-1} - linux 4.14.7-1 [stretch] - linux 4.9.80-1 NOTE: Fixed by: https://git.kernel.org/linus/f3069c6d33f6ae63a1668737bc78aaaa51bff7ca CVE-2018-7491 (In PrestaShop through 1.7.2.5, a UI-Redressing/Clickjacking vulnerabil ...) NOT-FOR-US: PrestaShop CVE-2018-7490 (uWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the ...) {DSA-4142-1} - uwsgi 2.0.15-10.4 (bug #891639) [wheezy] - uwsgi (plugin package introduced in jessie) NOTE: Fixed in 2.0.17 upstream NOTE: https://github.com/unbit/uwsgi/commit/0a480f435ea6feb63deb410ad2bf376ed3f05f8a NOTE: https://blog.runesec.com/2018/03/01/uwsgi-path-traversal/ CVE-2018-7489 (FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2 ...) {DSA-4190-1} - jackson-databind 2.9.5-1 (bug #891614) NOTE: https://github.com/FasterXML/jackson-databind/issues/1931 NOTE: https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2 CVE-2018-7488 RESERVED CVE-2018-7487 (There is a heap-based buffer overflow in the LoadPCX function of in_pc ...) {DLA-1340-1} - sam2p [jessie] - sam2p 0.49.2-3+deb8u2 NOTE: https://github.com/pts/sam2p/issues/18 CVE-2018-7486 (Blue River Mura CMS before v7.0.7029 supports inline function calls wi ...) NOT-FOR-US: Blue River Mura CMS CVE-2018-7485 (The SQLWriteFileDSN function in odbcinst/SQLWriteFileDSN.c in unixODBC ...) - unixodbc (Vulnerable code introduced later) NOTE: https://github.com/lurcher/unixODBC/commit/45ef78e037f578b15fc58938a3a3251655e71d6f#diff-d52750c7ba4e594410438569d8e2963aL24 NOTE: Issue introduced with https://github.com/lurcher/unixODBC/commit/4f9f77fb4204659ec9b7be8745d9e05a539c80b9 NOTE: when actually fixing another potential (security) issue, "Buffer NOTE: overflows and missing null checks in SQLConfigDataSource, NOTE: SQLInstallDriverEx, and SQLWriteFileDSN" CVE-2017-18201 (An issue was discovered in GNU libcdio before 2.0.0. There is a double ...) - libcdio 2.0.0-2 (bug #891638) [stretch] - libcdio (Vulnerable code introduced post 0.92) [jessie] - libcdio (Vulnerable code introduced post 0.92) [wheezy] - libcdio (Vulnerable code introduced post 0.92) NOTE: Fixed by https://git.savannah.gnu.org/cgit/libcdio.git/commit/?id=f6f9c48fb40b8a1e8218799724b0b61a7161eb1d NOTE: with https://git.savannah.gnu.org/cgit/libcdio.git/commit/?id=dec2f876c2d7162da213429bce1a7140cdbdd734 CVE-2018-7484 (An issue was discovered in PureVPN through 5.19.4.0 on Windows. The cl ...) NOT-FOR-US: PureVPN on Windows CVE-2018-7483 RESERVED CVE-2018-7482 (** DISPUTED ** The K2 component 2.8.0 for Joomla! has Incorrect Access ...) NOT-FOR-US: K2 component for Joomla! CVE-2017-18200 (The f2fs implementation in the Linux kernel before 4.14 mishandles ref ...) - linux (Vulnerable code not present) CVE-2018-1000099 (Teluu PJSIP version 2.7.1 and earlier contains a Access of Null/Uninit ...) {DSA-4170-1} - pjproject 2.7.2~dfsg-1 [jessie] - pjproject (Minor issue) NOTE: http://downloads.asterisk.org/pub/security/AST-2018-003.html NOTE: https://trac.pjsip.org/repos/ticket/2092 NOTE: In jessie Asterisk doesn't use pjproject for SIP (only for ICE, STUN and TURN) CVE-2018-1000098 (Teluu PJSIP version 2.7.1 and earlier contains a Integer Overflow vuln ...) {DSA-4170-1} - pjproject 2.7.2~dfsg-1 [jessie] - pjproject (Minor issue) NOTE: http://downloads.asterisk.org/pub/security/AST-2018-002.html NOTE: https://trac.pjsip.org/repos/ticket/2093 NOTE: In jessie Asterisk doesn't use pjproject for SIP (only for ICE, STUN and TURN) CVE-2018-1000101 (Mingw-w64 version 5.0.3 and earlier contains an Improper Null Terminat ...) - mingw-w64 (low; bug #897196) [buster] - mingw-w64 (Minor issue) [stretch] - mingw-w64 (Minor issue) [jessie] - mingw-w64 (Minor issue) [wheezy] - mingw-w64 (Minor issue) NOTE: https://sourceforge.net/p/mingw-w64/bugs/709/ CVE-2018-7481 RESERVED CVE-2018-7480 (The blkcg_init_queue function in block/blk-cgroup.c in the Linux kerne ...) {DSA-4188-1} - linux 4.11.6-1 [jessie] - linux (Issue introduced later) [wheezy] - linux (Issue introduced later) NOTE: Fixed by: https://git.kernel.org/linus/9b54d816e00425c3a517514e0d677bb3cec49258 CVE-2018-7479 (YzmCMS 3.6 allows remote attackers to discover the full path via a dir ...) NOT-FOR-US: YzmCMS CVE-2018-7478 RESERVED CVE-2018-7477 (SQL Injection exists in PHP Scripts Mall School Management Script 3.0. ...) NOT-FOR-US: PHP Scripts Mall School Management Script CVE-2018-7476 (controllers/admin/Linkage.php in dayrui FineCms 5.3.0 has Cross Site S ...) NOT-FOR-US: FineCms CVE-2018-7475 (Cross-site scripting (XSS) vulnerability for webdav/ticket/ URIs in Ic ...) NOT-FOR-US: IceWarp CVE-2018-7474 (An issue was discovered in Textpattern CMS 4.6.2 and earlier. It is po ...) - textpattern CVE-2018-7473 (Open redirect vulnerability in the SO Connect SO WIFI hotspot web inte ...) NOT-FOR-US: SO Connect SO WIFI CVE-2018-7472 (INVT Studio 1.2 allows remote attackers to cause a denial of service d ...) NOT-FOR-US: INVT Studio CVE-2018-7471 (KingView 7.5SP1 has an integer overflow during stgopenstorage API read ...) NOT-FOR-US: KingView CVE-2018-7470 (An issue was discovered in ImageMagick 7.0.7-22 Q16. The IsWEBPImageLo ...) - imagemagick 8:6.9.9.39+dfsg-1 (unimportant; bug #891420) NOTE: https://github.com/ImageMagick/ImageMagick/issues/998 NOTE: https://github.com/ImageMagick/ImageMagick/commit/9e80713e5132a3bd26702ee0a833306f7e801469 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/8130e12eb30685ef958f4e62fe624da393920be7 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/7305dacfcdf5e51c4f8d0ba9f77fa97792f8acf7 NOTE: webp support not enabled, see #806425 CVE-2018-7469 (PHP Scripts Mall Entrepreneur Job Portal Script 2.0.9 has XSS via the ...) NOT-FOR-US: PHP Scripts Mall Entrepreneur Job Portal Script CVE-2018-7468 RESERVED CVE-2018-7467 (AxxonSoft Axxon Next has Directory Traversal via an initial /css//..%2 ...) NOT-FOR-US: AxxonSoft Axxon Next CVE-2018-7466 (install/installNewDB.php in TestLink through 1.9.16 allows remote atta ...) NOT-FOR-US: TestLink CVE-2018-7465 (An XSS issue was discovered in VirtueMart before 3.2.14. All the texta ...) NOT-FOR-US: VirtueMart CVE-2018-7464 RESERVED CVE-2018-7463 (SQL injection vulnerability in files.php in the "files" component in A ...) NOT-FOR-US: ASANHAMAYESH CMS CVE-2018-7462 RESERVED CVE-2018-7461 RESERVED CVE-2018-7460 RESERVED CVE-2018-7459 RESERVED CVE-2018-7458 RESERVED CVE-2018-7457 RESERVED CVE-2018-7456 (A NULL Pointer Dereference occurs in the function TIFFPrintDirectory i ...) {DSA-4349-1 DLA-1411-1 DLA-1347-1 DLA-1346-1} - tiff 4.0.9-5 (bug #891288) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2778 NOTE: https://gitlab.com/libtiff/libtiff/commit/be4c85b16e8801a16eec25e80eb9f3dd6a96731b CVE-2018-7455 (An out-of-bounds read in JPXStream::readTilePart in JPXStream.cc in xp ...) - xpdf (unimportant) NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=654&p=819#p819 NOTE: src:xpdf switched to use system poppler libary in 3.02-3 NOTE: Reproducer correctly detected as broken with jessie's poppler build CVE-2018-7454 (A NULL pointer dereference in XFAForm::scanFields in XFAForm.cc in xpd ...) - xpdf (unimportant) NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=613 NOTE: src:xpdf switched to use system poppler libary in 3.02-3 NOTE: Reproducer correctly detected as broken with jessie's poppler build CVE-2018-7453 (Infinite recursion in AcroForm::scanField in AcroForm.cc in xpdf 4.00 ...) - xpdf (unimportant) NOTE: https://forum.xpdfreader.com/viewtopic.php?p=814#p814 NOTE: src:xpdf switched to use system poppler libary in 3.02-3 NOTE: Reproducer correctly detected as broken with jessie's poppler build CVE-2018-7452 (A NULL pointer dereference in JPXStream::fillReadBuf in JPXStream.cc i ...) - xpdf (unimportant) NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=613 NOTE: src:xpdf switched to use system poppler libary in 3.02-3 NOTE: Reproducer correctly detected as broken with jessie's poppler build CVE-2018-7451 RESERVED CVE-2018-7450 RESERVED CVE-2018-7449 (SEGGER FTP Server for Windows before 3.22a allows remote attackers to ...) NOT-FOR-US: SEGGER embOS/IP FTP Server CVE-2018-7448 (Remote code execution vulnerability in /cmsms-2.1.6-install.php/index. ...) NOT-FOR-US: CMS Made Simple CVE-2018-7447 (** DISPUTED ** mojoPortal through 2.6.0.0 is prone to multiple persist ...) NOT-FOR-US: mojoPortal CVE-2018-7446 RESERVED CVE-2018-7445 (A buffer overflow was found in the MikroTik RouterOS SMB service when ...) NOT-FOR-US: MikroTik RouterOS CVE-2018-7444 RESERVED CVE-2017-18199 (realloc_symlink in rock.c in GNU libcdio before 1.0.0 allows remote at ...) - libcdio 1.0.0-1 (low) [stretch] - libcdio (Minor issue) [jessie] - libcdio (Minor issue) [wheezy] - libcdio (Minor issue) NOTE: https://savannah.gnu.org/bugs/?52264 CVE-2017-18198 (print_iso9660_recurse in iso-info.c in GNU libcdio before 1.0.0 allows ...) - libcdio 1.0.0-1 (low) [stretch] - libcdio (Minor issue) [jessie] - libcdio (Minor issue) [wheezy] - libcdio (Minor issue) NOTE: https://savannah.gnu.org/bugs/?52265 CVE-2017-18197 (In mxGraphViewImageReader.java in mxGraph before 3.7.6, the SAXParserF ...) {DLA-1299-1} - libjgraphx-java 2.1.0.7-2 (low; bug #891796) [stretch] - libjgraphx-java (Minor issue) [jessie] - libjgraphx-java (Minor issue) NOTE: https://github.com/jgraph/mxgraph/issues/124 NOTE: https://bitbucket.org/jgraph/mxgraph2/commits/7d159ca3259b961cbb1c51b4ea42cb408c624ff1 CVE-2018-7443 (The ReadTIFFImage function in coders/tiff.c in ImageMagick 7.0.7-23 Q1 ...) {DLA-1293-1} - imagemagick 8:6.9.9.39+dfsg-1 (low; bug #891291) [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/999 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/1f7c6b153882896e7a569a6e8a362ce2a11a8b1f NOTE: https://github.com/ImageMagick/ImageMagick/commit/5c0e1a31bc44829b1024ce599097f43285a05a42 CVE-2018-7434 (zzcms 8.2 allows remote attackers to discover the full path via a dire ...) NOT-FOR-US: zzcms CVE-2018-7433 (The iThemes Security plugin before 6.9.1 for WordPress does not proper ...) NOT-FOR-US: iThemes Security plugin for WordPress CVE-2018-7432 (Splunk Enterprise 6.2.x before 6.2.14, 6.3.x before 6.3.10, 6.4.x befo ...) NOT-FOR-US: Splunk CVE-2018-7431 (Directory traversal vulnerability in the Splunk Django App in Splunk E ...) NOT-FOR-US: Splunk CVE-2018-7430 RESERVED CVE-2018-7429 (Splunkd in Splunk Enterprise 6.2.x before 6.2.14 6.3.x before 6.3.11, ...) NOT-FOR-US: Splunk CVE-2018-7428 RESERVED CVE-2018-7427 (Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enter ...) NOT-FOR-US: Splunk CVE-2018-7426 RESERVED CVE-2018-7425 RESERVED CVE-2018-7424 RESERVED CVE-2018-7423 RESERVED CVE-2017-18195 (An issue was discovered in tools/conversations/view_ajax.php in Concre ...) NOT-FOR-US: Concrete5 CVE-2012-6709 (ELinks 0.12 and Twibright Links 2.3 have Missing SSL Certificate Valid ...) [experimental] - elinks 0.13~20190125-1 - elinks 0.13~20190125-3 (low; bug #891575) [stretch] - elinks (Minor issue) [jessie] - elinks (Minor issue) [wheezy] - elinks (Minor issue) - links2 2.6-1 (bug #694658; bug #510417) NOTE: Patch proposed upstream (when using): http://lists.linuxfromscratch.org/pipermail/elinks-dev/2015-June/002099.html NOTE: tested links2 against badssl.com, no apparent issue back in wheezy NOTE: src:links2/2.6-1 adds verify-ssl-certs-510417.diff to verify SSL certs. NOTE: src:links2 upstream in 2.11 adds support for verifying SSL certificates. CVE-2018-7422 (A Local File Inclusion vulnerability in the Site Editor plugin through ...) NOT-FOR-US: Site Editor plugin for WordPress CVE-2018-7421 (In Wireshark 2.2.0 to 2.2.12 and 2.4.0 to 2.4.4, the DMP dissector cou ...) - wireshark 2.4.5-1 (low) [jessie] - wireshark (Vulnerable code introduced later) [wheezy] - wireshark (Vulnerable code introduced later) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14408 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=656812ee1f2a8ddfd383b02a066e888f5919e17a NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=e8be5adae469ba563acfad2c2b98673e1afaf901 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-06.html CVE-2018-7420 (In Wireshark 2.2.0 to 2.2.12 and 2.4.0 to 2.4.4, the pcapng file parse ...) {DLA-1634-1 DLA-1353-1} - wireshark 2.4.5-1 (low) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14403 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=129e41f9f63885ad8224ef413c2860788fb9e849 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-11.html CVE-2018-7419 (In Wireshark 2.2.0 to 2.2.12 and 2.4.0 to 2.4.4, the NBAP dissector co ...) {DSA-4217-1 DLA-1353-1} - wireshark 2.4.5-1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14443 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=bebd3a1f50b0a27738d8d3da5b33c1b392eb7273 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-14.html CVE-2018-7418 (In Wireshark 2.2.0 to 2.2.12 and 2.4.0 to 2.4.4, the SIGCOMP dissector ...) {DLA-1634-1 DLA-1353-1} - wireshark 2.4.5-1 (low) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14410 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=29d920b8309905dda11ad397596fe8aafc9b4bf7 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-13.html CVE-2018-7417 (In Wireshark 2.2.0 to 2.2.12 and 2.4.0 to 2.4.4, the IPMI dissector co ...) {DLA-1634-1 DLA-1353-1} - wireshark 2.4.5-1 (low) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14409 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=81216a176b25dd8a616e11808a951e141a467009 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-12.html CVE-2018-7416 RESERVED CVE-2018-7439 (An issue was discovered in FreeXL before 1.0.5. There is a heap-based ...) {DSA-4129-1 DLA-1297-1} - freexl 1.0.5-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1547892 CVE-2018-7438 (An issue was discovered in FreeXL before 1.0.5. There is a heap-based ...) {DSA-4129-1 DLA-1297-1} - freexl 1.0.5-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1547889 CVE-2018-7437 (An issue was discovered in FreeXL before 1.0.5. There is a heap-based ...) {DSA-4129-1 DLA-1297-1} - freexl 1.0.5-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1547885 CVE-2018-7436 (An issue was discovered in FreeXL before 1.0.5. There is a heap-based ...) {DSA-4129-1 DLA-1297-1} - freexl 1.0.5-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1547883 CVE-2018-7435 (An issue was discovered in FreeXL before 1.0.5. There is a heap-based ...) {DSA-4129-1 DLA-1297-1} - freexl 1.0.5-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1547879 CVE-2018-7415 RESERVED CVE-2018-7414 RESERVED CVE-2018-7413 RESERVED CVE-2018-7412 RESERVED CVE-2018-7411 RESERVED CVE-2018-7410 RESERVED CVE-2018-7409 (In unixODBC before 2.3.5, there is a buffer overflow in the unicode_to ...) - unixodbc 2.3.6-0.1 (bug #891596) [stretch] - unixodbc (Minor issue) [jessie] - unixodbc (Minor issue) [wheezy] - unixodbc (Minor issue) NOTE: Fixed by: https://sourceforge.net/p/unixodbc/code/136/ NOTE: https://github.com/lurcher/unixODBC/commit/4f9f77fb4204659ec9b7be8745d9e05a539c80b9 CVE-2018-7408 (An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked ...) - npm (Vulnerable code introduced later) CVE-2018-7407 (An issue was discovered in Foxit Reader before 9.1 and PhantomPDF befo ...) NOT-FOR-US: Foxit CVE-2018-7406 (An issue was discovered in Foxit Reader before 9.1 and PhantomPDF befo ...) NOT-FOR-US: Foxit CVE-2018-7405 (Cross-site scripting (XSS) in Zoho ManageEngine EventLog Analyzer befo ...) NOT-FOR-US: Zoho ManageEngine EventLog Analyzer CVE-2018-7404 RESERVED CVE-2018-7403 RESERVED CVE-2018-7402 RESERVED CVE-2018-7401 RESERVED CVE-2018-7400 RESERVED CVE-2018-7399 RESERVED CVE-2018-7398 RESERVED CVE-2018-7397 RESERVED CVE-2018-7396 RESERVED CVE-2018-7395 RESERVED CVE-2018-7394 RESERVED CVE-2018-7393 RESERVED CVE-2018-7392 RESERVED CVE-2018-7391 RESERVED CVE-2018-7390 RESERVED CVE-2018-7389 RESERVED CVE-2018-7388 RESERVED CVE-2018-7387 RESERVED CVE-2018-7386 RESERVED CVE-2018-7385 RESERVED CVE-2018-7384 RESERVED CVE-2018-7383 RESERVED CVE-2018-7382 RESERVED CVE-2018-7381 RESERVED CVE-2018-7380 RESERVED CVE-2018-7379 RESERVED CVE-2018-7378 RESERVED CVE-2018-7377 RESERVED CVE-2018-7376 RESERVED CVE-2018-7375 RESERVED CVE-2018-7374 RESERVED CVE-2018-7373 RESERVED CVE-2018-7372 RESERVED CVE-2018-7371 RESERVED CVE-2018-7370 RESERVED CVE-2018-7369 RESERVED CVE-2018-7368 REJECTED CVE-2018-7367 REJECTED CVE-2018-7366 (ZTE ZXV10 B860AV2.1 product ChinaMobile branch with the ICNT versions ...) NOT-FOR-US: ZTE CVE-2018-7365 (All versions up to ZXCLOUD iRAI V5.01.05 of the ZTE uSmartView product ...) NOT-FOR-US: ZTE CVE-2018-7364 (All versions up to ZXINOS-RESV1.01.43 of the ZTE ZXIN10 product Europe ...) NOT-FOR-US: ZTE CVE-2018-7363 (All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted ...) NOT-FOR-US: ZTE CVE-2018-7362 (All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted ...) NOT-FOR-US: ZTE CVE-2018-7361 (All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted ...) NOT-FOR-US: ZTE CVE-2018-7360 (All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted ...) NOT-FOR-US: ZTE CVE-2018-7359 (All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted ...) NOT-FOR-US: ZTE CVE-2018-7358 (ZTE ZXHN H168N product with versions V2.2.0_PK1.2T5, V2.2.0_PK1.2T2, V ...) NOT-FOR-US: ZTE ZXHN H168N product CVE-2018-7357 (ZTE ZXHN H168N product with versions V2.2.0_PK1.2T5, V2.2.0_PK1.2T2, V ...) NOT-FOR-US: ZTE ZXHN H168N product CVE-2018-7356 (All versions up to V3.03.10.B23P2 of ZTE ZXR10 8905E product are impac ...) NOT-FOR-US: ZTE ZXR10 8905E CVE-2018-7355 (All versions up to V1.0.0B05 of ZTE MF65 and all versions up to V1.0.0 ...) NOT-FOR-US: ZTE CVE-2018-7354 RESERVED CVE-2018-7353 RESERVED CVE-2018-7352 RESERVED CVE-2018-7351 RESERVED CVE-2018-7350 RESERVED CVE-2018-7349 RESERVED CVE-2018-7348 RESERVED CVE-2018-7347 RESERVED CVE-2018-7346 RESERVED CVE-2018-7345 RESERVED CVE-2018-7344 RESERVED CVE-2018-7343 RESERVED CVE-2018-7342 RESERVED CVE-2018-7341 RESERVED CVE-2018-7340 (Duo Network Gateway 1.2.9 and earlier may incorrectly utilize the resu ...) NOT-FOR-US: Duo Network Gateway CVE-2018-7339 (The MP4Atom class in mp4atom.cpp in MP4v2 through 2.0.0 mishandles Ent ...) - mp4v2 (low; bug #893544) [stretch] - mp4v2 (Minor issue) [jessie] - mp4v2 (Minor issue) [wheezy] - mp4v2 (Minor issue) NOTE: https://github.com/pingsuewim/libmp4_bof CVE-2017-18194 (SQL injection vulnerability in users/signup.php in the "signup" compon ...) NOT-FOR-US: HamayeshNegar CMS CVE-2017-18193 (fs/f2fs/extent_cache.c in the Linux kernel before 4.13 mishandles exte ...) {DSA-4188-1} - linux 4.13.4-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/dad48e73127ba10279ea33e6dbc8d3905c4d31c0 CVE-2017-6932 (Drupal core 7.x versions before 7.57 has an external link injection vu ...) {DSA-4123-1 DLA-1295-1} - drupal7 7.57-1 (bug #891154) NOTE: https://www.drupal.org/sa-core-2018-001 CVE-2017-6929 (A jQuery cross site scripting vulnerability is present when making Aja ...) {DSA-4123-1 DLA-1295-1} - drupal7 7.57-1 (bug #891153) NOTE: https://www.drupal.org/sa-core-2018-001 CVE-2017-6928 (Drupal core 7.x versions before 7.57 when using Drupal's private file ...) {DSA-4123-1 DLA-1295-1} - drupal7 7.57-1 (bug #891152) NOTE: https://www.drupal.org/sa-core-2018-001 CVE-2017-6927 (Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 ...) {DSA-4123-1 DLA-1295-1} - drupal8 (bug #756305) - drupal7 7.57-1 (bug #891150) NOTE: https://www.drupal.org/sa-core-2018-001 CVE-2018-7338 RESERVED NOT-FOR-US: Duo Network Gateway NOTE: https://duo.com/labs/psa/duo-psa-2017-003 NOTE: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations NOTE: https://www.kb.cert.org/vuls/id/475445 CVE-2018-7337 (In Wireshark 2.4.0 to 2.4.4, the DOCSIS protocol dissector could crash ...) {DLA-1353-1} - wireshark 2.4.5-1 (low) [jessie] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14446 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=511a8b0b546d25413e289dc5a7d3a455a33994c2 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-08.html CVE-2018-7336 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, the FCP protocol diss ...) {DLA-1634-1 DLA-1353-1} - wireshark 2.4.5-1 (low) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14374 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=b56f598f1bc04f5d00f13b38c713763928cedb7c NOTE: https://www.wireshark.org/security/wnpa-sec-2018-09.html CVE-2018-7335 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, the IEEE 802.11 disse ...) {DSA-4217-1 DLA-1353-1} - wireshark 2.4.5-1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14442 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=a2901dcf45c9f1b07abfbf2a0b0cd654371d72a4 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-05.html CVE-2018-7334 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, the UMTS MAC dissecto ...) {DSA-4217-1 DLA-1353-1} - wireshark 2.4.5-1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14339 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=8ed705e1227d3d582e3f0de435bba606d053d686 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-07.html CVE-2018-7333 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packe ...) - wireshark 2.4.5-1 (low) [jessie] - wireshark (vulnerable code introduced later in v1.99.7) [wheezy] - wireshark (vulnerable code introduced later in v1.99.7) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14449 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=bd6313181317bfe83842b27650b65f3c2b8d5dc9 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-06.html CVE-2018-7332 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packe ...) {DLA-1634-1 DLA-1353-1} - wireshark 2.4.5-1 (low) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14445 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=1ab0585098c7ce20f3afceb6730427cc2a1e98ea NOTE: https://www.wireshark.org/security/wnpa-sec-2018-06.html CVE-2018-7331 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packe ...) {DLA-1634-1} - wireshark 2.4.5-1 (low) [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14444 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=157712b2f5f89b19ef2497ea89c5938eb29529da NOTE: https://www.wireshark.org/security/wnpa-sec-2018-06.html CVE-2018-7330 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packe ...) - wireshark 2.4.5-1 (low) [stretch] - wireshark (vulnerable code introduced later in v2.4.0) [jessie] - wireshark (vulnerable code introduced later in v2.4.0) [wheezy] - wireshark (vulnerable code introduced later in v2.4.0) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14428 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=8ad0c5b3683a17d9e2e16bbf25869140fd5c1c66 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-06.html CVE-2018-7329 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packe ...) - wireshark 2.4.5-1 (low) [jessie] - wireshark (vulnerable code introduced later in v1.99.0) [wheezy] - wireshark (vulnerable code introduced later in v1.99.0) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14423 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=d8a0cbc4f2979e0b1cadbe79f0b8b4ecb92477be NOTE: https://www.wireshark.org/security/wnpa-sec-2018-06.html CVE-2018-7328 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packe ...) - wireshark 2.4.5-1 (low) [stretch] - wireshark (vulnerable code introduced later in v2.4.0) [jessie] - wireshark (vulnerable code introduced later in v2.4.0) [wheezy] - wireshark (vulnerable code introduced later in v2.4.0) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14421 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=69d09028c956f6e049145485ce9b3e2858789b2b NOTE: https://www.wireshark.org/security/wnpa-sec-2018-06.html CVE-2018-7327 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packe ...) - wireshark 2.4.5-1 (low) [stretch] - wireshark (vulnerable code introduced later in v2.4.0) [jessie] - wireshark (vulnerable code introduced later in v2.4.0) [wheezy] - wireshark (vulnerable code introduced later in v2.4.0) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14420 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=563989f888e51258edb9a27db56124bdc33c9afe NOTE: https://www.wireshark.org/security/wnpa-sec-2018-06.html CVE-2018-7326 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packe ...) - wireshark 2.4.5-1 (low) [jessie] - wireshark (vulnerable code introduced later in v1.99.0) [wheezy] - wireshark (vulnerable code introduced later in v1.99.0) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14419 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=293b999425e998d6cde0d9149648e421ea7687d0 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-06.html CVE-2018-7325 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packe ...) {DLA-1634-1} - wireshark 2.4.5-1 (low) [wheezy] - wireshark (vulnerable code introduced later) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14414 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=7be234d06ea39ab6a88115ae41d71060f1f15e3c NOTE: https://www.wireshark.org/security/wnpa-sec-2018-06.html CVE-2018-7324 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packe ...) {DLA-1634-1 DLA-1353-1} - wireshark 2.4.5-1 (low) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14413 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=9e7695bbee18525eaa6d12b32230313ae8a36a81 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-06.html CVE-2018-7323 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packe ...) {DLA-1634-1 DLA-1353-1} - wireshark 2.4.5-1 (low) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14412 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=4f9199ea8cff56c6704e9828c3d80360b27c4565 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=5d45b69b590cabc5127282d1ade3bca1598e5f5c NOTE: https://www.wireshark.org/security/wnpa-sec-2018-06.html CVE-2018-7322 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packe ...) {DLA-1634-1 DLA-1353-1} - wireshark 2.4.5-1 (low) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14411 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=afc780e2c796e971bb7d164103f4f0d10d3c25b5 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-06.html CVE-2018-7321 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packe ...) - wireshark 2.4.5-1 (low) [jessie] - wireshark (vulnerable code introduced later in v1.99.6) [wheezy] - wireshark (vulnerable code introduced later in v1.99.6) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14379 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=c784d551ad50864de1035ce54e72837301cf6aca NOTE: https://www.wireshark.org/security/wnpa-sec-2018-06.html CVE-2018-7320 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, the SIGCOMP protocol ...) - wireshark 2.4.5-1 [stretch] - wireshark 2.2.6+g32dac6a-2+deb9u3 [jessie] - wireshark (Vulnerable code introduced later) [wheezy] - wireshark (Vulnerable code introduced later) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14398 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=015e3399390b8b5cfbfcfcda30589983ab6cc129 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-10.html CVE-2018-7319 (SQL Injection exists in the OS Property Real Estate 3.12.7 component f ...) NOT-FOR-US: OS Property Real Estate component for Joomla! CVE-2018-7318 (SQL Injection exists in the CheckList 1.1.1 component for Joomla! via ...) NOT-FOR-US: CheckList component for Joomla! CVE-2018-7317 (Backup Download exists in the Proclaim 9.1.1 component for Joomla! via ...) NOT-FOR-US: Proclaim component for Joomla! CVE-2018-7316 (Arbitrary File Upload exists in the Proclaim 9.1.1 component for Jooml ...) NOT-FOR-US: Proclaim component for Joomla! CVE-2018-7315 (SQL Injection exists in the Ek Rishta 2.9 component for Joomla! via th ...) NOT-FOR-US: Ek Rishta component for Joomla! CVE-2018-7314 (SQL Injection exists in the PrayerCenter 3.0.2 component for Joomla! v ...) NOT-FOR-US: PrayerCenter component for Joomla! CVE-2018-7313 (SQL Injection exists in the CW Tags 2.0.6 component for Joomla! via th ...) NOT-FOR-US: CW Tags component for Joomla! CVE-2018-7312 (SQL Injection exists in the Alexandria Book Library 3.1.2 component fo ...) NOT-FOR-US: Alexandria Book Library component for Joomla! CVE-2018-7311 (** DISPUTED ** PrivateVPN 2.0.31 for macOS suffers from a root privile ...) NOT-FOR-US: PrivateVPN for macOS CVE-2018-7310 RESERVED CVE-2018-7309 RESERVED CVE-2018-7308 (A CSRF issue was found in var/www/html/files.php in DanWin hosting thr ...) NOT-FOR-US: DanWin hosting CVE-2018-7307 (The Auth0 Auth0.js library before 9.3 has CSRF because it mishandles t ...) NOT-FOR-US: Auth0 Auth0.js library CVE-2018-7306 RESERVED CVE-2018-7305 (MyBB 1.8.14 is not checking for a valid CSRF token, leading to arbitra ...) NOT-FOR-US: MyBB CVE-2018-7304 (Tiki 17.1 does not validate user input for special characters; consequ ...) NOT-FOR-US: Tiki CVE-2018-7303 (The Calendar component in Tiki 17.1 allows HTML injection. ...) NOT-FOR-US: Tiki CVE-2018-7302 (Tiki 17.1 allows upload of a .PNG file that actually has SVG content, ...) NOT-FOR-US: Tiki CVE-2018-7301 (eQ-3 AG HomeMatic CCU2 2.29.22 devices have an open XML-RPC port witho ...) NOT-FOR-US: eQ-3 AG HomeMatic CCU2 2.29.22 devices CVE-2018-7300 (Directory Traversal / Arbitrary File Write / Remote Code Execution in ...) NOT-FOR-US: eQ-3 AG Homematic CCU2 CVE-2018-7299 (Remote Code Execution in the addon installation process in eQ-3 AG Hom ...) NOT-FOR-US: eQ-3 AG Homematic CCU2 CVE-2018-7298 (In /usr/local/etc/config/addons/mh/loopupd.sh on eQ-3 AG HomeMatic CCU ...) NOT-FOR-US: eQ-3 AG Homematic CCU2 CVE-2018-7297 (Remote Code Execution in the TCL script interpreter in eQ-3 AG Homemat ...) NOT-FOR-US: eQ-3 AG Homematic CCU2 CVE-2018-7296 (Directory Traversal / Arbitrary File Read in User.getLanguage method i ...) NOT-FOR-US: eQ-3 AG Homematic CCU2 CVE-2018-7295 (ffxivlauncher.exe in Square Enix Final Fantasy XIV 4.21 and 4.25 on Wi ...) NOT-FOR-US: Final Fantasy CVE-2018-7294 RESERVED CVE-2018-7293 RESERVED CVE-2018-7292 RESERVED CVE-2018-7291 RESERVED CVE-2018-7290 (Cross Site Scripting (XSS) exists in Tiki before 12.13, 15.6, 17.2, an ...) NOT-FOR-US: Tiki CVE-2018-7289 (An issue was discovered in armadito-windows-driver/src/communication.c ...) NOT-FOR-US: Armadito CVE-2018-7288 RESERVED CVE-2018-7287 (An issue was discovered in res_http_websocket.c in Asterisk 15.x throu ...) - asterisk (Only affects Asterisk 15.x) NOTE: downloads.digium.com/pub/security/AST-2018-006.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27658 CVE-2018-7286 (An issue was discovered in Asterisk through 13.19.1, 14.x through 14.7 ...) {DSA-4320-1} - asterisk 1:13.20.0~dfsg-1 (bug #891228) [jessie] - asterisk (Vulnerable code not present) [wheezy] - asterisk (Vulnerable code not present) NOTE: http://downloads.asterisk.org/pub/security/AST-2018-005.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27618 NOTE: http://downloads.asterisk.org/pub/security/AST-2018-005-13.diff CVE-2018-7285 (A NULL pointer access issue was discovered in Asterisk 15.x through 15 ...) - asterisk (Only affects Asterisk 15.x) NOTE: http://downloads.asterisk.org/pub/security/AST-2018-001.html CVE-2018-7284 (A Buffer Overflow issue was discovered in Asterisk through 13.19.1, 14 ...) {DSA-4320-1} - asterisk 1:13.20.0~dfsg-1 (bug #891227) [jessie] - asterisk (Vulnerable code not present) [wheezy] - asterisk (Vulnerable code not present) NOTE: http://downloads.asterisk.org/pub/security/AST-2018-004.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27640 NOTE: http://downloads.asterisk.org/pub/security/AST-2018-004-13.diff CVE-2018-7283 RESERVED CVE-2018-7282 (The username parameter of the TITool PrintMonitor solution during the ...) NOT-FOR-US: TITool CVE-2018-7281 (CactusVPN 5.3.6 for macOS contains a root privilege escalation vulnera ...) NOT-FOR-US: CactusVPN for macOS CVE-2018-7280 (The Ninja Forms plugin before 3.2.14 for WordPress has XSS. ...) NOT-FOR-US: Ninja Forms plugin for WordPress CVE-2018-1000093 (CryptoNote version version 0.8.9 and possibly later contain a local RP ...) NOT-FOR-US: CryptoNote CVE-2018-1000092 (CMS Made Simple version versions 2.2.5 contains a Cross ite Request Fo ...) NOT-FOR-US: CMS Made Simple CVE-2018-1000091 (KadNode version version 2.2.0 contains a Buffer Overflow vulnerability ...) NOT-FOR-US: KadNode CVE-2018-1000090 (textpattern version version 4.6.2 contains a XML Injection vulnerabili ...) - textpattern CVE-2018-1000089 (Anymail django-anymail version version 0.2 through 1.3 contains a CWE- ...) - django-anymail 1.4-1 (bug #890097) [stretch] - django-anymail (Minor issue; non-free/contrib not security supported) NOTE: https://github.com/anymail/django-anymail/commit/1a6086f2b58478d71f89bf27eb034ed81aefe5ef CVE-2018-1000088 (Doorkeeper version 2.1.0 through 4.2.5 contains a Cross Site Scripting ...) - ruby-doorkeeper 4.3.1-1 (bug #891069) [stretch] - ruby-doorkeeper (Minor issue) NOTE: https://github.com/doorkeeper-gem/doorkeeper/issues/969 NOTE: https://github.com/doorkeeper-gem/doorkeeper/pull/970 CVE-2018-1000087 (WolfCMS version version 0.8.3.1 contains a Reflected Cross Site Script ...) NOT-FOR-US: WolfCMS CVE-2018-1000086 (NPR Visuals Team Pym.js version versions 0.4.2 up to 1.3.1 contains a ...) NOT-FOR-US: pym.js CVE-2018-1000085 (ClamAV version version 0.99.3 contains a Out of bounds heap memory rea ...) {DLA-1307-1} - clamav 0.99.3~beta1+dfsg-1 [stretch] - clamav 0.99.4+dfsg-1+deb9u1 NOTE: https://github.com/Cisco-Talos/clamav-devel/commit/d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6 NOTE: http://www.openwall.com/lists/oss-security/2017/09/29/4 CVE-2018-1000084 (WOlfCMS WolfCMS version version 0.8.3.1 contains a Stored Cross-Site S ...) NOT-FOR-US: WolfCMS CVE-2018-1000083 (Ajenti version version 2 contains a Improper Error Handling vulnerabil ...) - ajenti (bug #792019) CVE-2018-1000082 (Ajenti version version 2 contains a Cross ite Request Forgery (CSRF) v ...) - ajenti (bug #792019) CVE-2018-1000081 (Ajenti version version 2 contains a Input Validation vulnerability in ...) - ajenti (bug #792019) CVE-2018-1000080 (Ajenti version version 2 contains a Insecure Permissions vulnerability ...) - ajenti (bug #792019) CVE-2018-1000079 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: ...) {DSA-4259-1 DSA-4219-1 DLA-1421-1} - ruby2.5 2.5.0-5 - ruby2.3 - ruby2.1 - ruby1.9.1 [wheezy] - ruby1.9.1 (Minor issue, too intrusive to backport) - rubygems [wheezy] - rubygems (Vulnerable code not present) - jruby 9.1.17.0-1 (bug #895778) [jessie] - jruby (Vulnerable code not present) [wheezy] - jruby (Vulnerable code not present) NOTE: https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759 NOTE: https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099 NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/ CVE-2018-1000078 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: ...) {DSA-4259-1 DSA-4219-1 DLA-1796-1 DLA-1421-1 DLA-1358-1 DLA-1337-1 DLA-1336-1} - ruby2.5 2.5.0-5 - ruby2.3 - ruby2.1 - ruby1.9.1 - rubygems - jruby 9.1.17.0-1 (bug #895778) NOTE: https://github.com/rubygems/rubygems/commit/66a28b9275551384fdab45f3591a82d6b59952cb NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/ CVE-2018-1000077 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: ...) {DSA-4259-1 DSA-4219-1 DLA-1796-1 DLA-1421-1 DLA-1358-1 DLA-1337-1 DLA-1336-1} - ruby2.5 2.5.0-5 - ruby2.3 - ruby2.1 - ruby1.9.1 - rubygems - jruby 9.1.17.0-1 (bug #895778) NOTE: https://github.com/rubygems/rubygems/commit/feadefc2d351dcb95d6492f5ad17ebca546eb964 NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/ CVE-2018-1000076 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: ...) {DSA-4259-1 DSA-4219-1 DLA-1796-1 DLA-1421-1 DLA-1358-1 DLA-1337-1 DLA-1336-1} - ruby2.5 2.5.0-5 - ruby2.3 - ruby2.1 - ruby1.9.1 - rubygems - jruby 9.1.17.0-1 (bug #895778) NOTE: https://github.com/rubygems/rubygems/commit/f5042b879259b1f1ce95a0c5082622c646376693 NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/ CVE-2018-1000075 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: ...) {DSA-4259-1 DSA-4219-1 DLA-1796-1 DLA-1421-1 DLA-1358-1 DLA-1337-1 DLA-1336-1} - ruby2.5 2.5.0-5 - ruby2.3 - ruby2.1 - ruby1.9.1 - rubygems - jruby 9.1.17.0-1 (bug #895778) NOTE: https://github.com/rubygems/rubygems/commit/92e98bf8f810bd812f919120d4832df51bc25d83 NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/ CVE-2018-1000074 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: ...) {DSA-4259-1 DSA-4219-1 DLA-1796-1 DLA-1480-1 DLA-1352-1} - ruby2.5 2.5.0-5 - ruby2.3 - ruby2.1 - ruby1.9.1 [wheezy] - ruby1.9.1 (Minor issue, too intrusive to backport) - rubygems [wheezy] - rubygems (Minor issue) - jruby 9.1.17.0-1 (bug #895778) NOTE: https://github.com/rubygems/rubygems/commit/254e3d0ee873c008c0b74e8b8abcbdab4caa0a6d NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/ CVE-2018-1000073 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: ...) {DSA-4259-1 DSA-4219-1 DLA-1480-1} - ruby2.5 2.5.0-5 - ruby2.3 - ruby2.1 - ruby1.9.1 [wheezy] - ruby1.9.1 (Vulnerable code not present) - rubygems [wheezy] - rubygems (Vulnerable code not present) - jruby 9.1.17.0-2.1 (bug #895778; bug #925986) [jessie] - jruby (Vulnerable code not present) [wheezy] - jruby (Vulnerable code not present) NOTE: https://github.com/rubygems/rubygems/commit/1b931fc03b819b9a0214be3eaca844ef534175e2 NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/ CVE-2018-1000072 (iRedMail version prior to commit f04b8ef contains a Insecure Permissio ...) NOT-FOR-US: iRedMail CVE-2018-1000071 (roundcube version 1.3.4 and earlier contains an Insecure Permissions v ...) - roundcube 1.3.10+dfsg.1-1 (unimportant; bug #897014) [buster] - roundcube 1.3.10+dfsg.1-1~deb10u1 [stretch] - roundcube 1.2.3+dfsg.1-4+deb9u2 NOTE: https://github.com/roundcube/roundcubemail/issues/6173 NOTE: https://github.com/roundcube/roundcubemail/commit/48417c5fc9f6eb4b90500c09596606d489c700b5 NOTE: https://www.legacysecuritygroup.com/cve/references/02122018-roundcube-enigma.txt NOTE: That plugin is not functional in stretch due to a missing package dependency, setting it NOTE: up would require several additional manual changes on the admin's side NOTE: Can be mitigated by moving home folder outside the scope of the webserver CVE-2018-1000070 (Bitmessage PyBitmessage version v0.6.2 (and introduced in or after com ...) NOT-FOR-US: PyBitmessage CVE-2018-1000069 (FreePlane version 1.5.9 and earlier contains a XML External Entity (XX ...) {DSA-4175-1 DLA-1316-1} - freeplane 1.6.6-1 (bug #893663) NOTE: https://www.freeplane.org/wiki/index.php/XML_External_Entity_vulnerability_in_map_parser NOTE: https://github.com/freeplane/freeplane/commit/a5dce7f9f CVE-2018-7279 (A remote code execution issue was discovered in AlienVault USM and OSS ...) NOT-FOR-US: AlienVault CVE-2018-7278 (An issue was discovered on RLE Protocol Converter FDS-PC / FDS-PC-DP 2 ...) NOT-FOR-US: RLE Protocol Converter FDS-PC / FDS-PC-DP devices CVE-2018-7277 (An issue was discovered on RLE Wi-MGR/FDS-Wi 6.2 devices. Persistent X ...) NOT-FOR-US: RLE Wi-MGR/FDS-Wi 6.2 devices CVE-2018-7276 (An issue was discovered on Lutron Quantum BACnet Integration 2.0 (firm ...) NOT-FOR-US: Lutron Quantum BACnet Integration 2.0 devices CVE-2018-7275 RESERVED CVE-2018-7274 (Yab Quarx through 2.4.3 is prone to multiple persistent cross-site scr ...) NOT-FOR-US: Yab Quarx CVE-2018-7273 (In the Linux kernel through 4.15.4, the floppy driver reveals the addr ...) - linux 4.15.4-1 [stretch] - linux (Minor issue) [jessie] - linux (Minor issue) [wheezy] - linux (Minor issue) - linux-4.9 NOTE: https://lkml.org/lkml/2018/2/20/669 CVE-2018-7272 (The REST APIs in ForgeRock AM before 5.5.0 include SSOToken IDs as par ...) NOT-FOR-US: ForgeRock AM CVE-2018-7271 (An issue was discovered in MetInfo 6.0.0. In install/install.php in th ...) NOT-FOR-US: MetInfo CVE-2018-7270 RESERVED CVE-2018-7269 (The findByCondition function in framework/db/ActiveRecord.php in Yii 2 ...) - yii (bug #597899) CVE-2018-7268 (MagniComp SysInfo before 10-H81, as shipped with BMC BladeLogic Automa ...) NOT-FOR-US: MagniComp CVE-2018-7267 RESERVED CVE-2018-7266 RESERVED CVE-2018-7265 (Shimmie 2 2.6.0 allows an attacker to upload a crafted SVG file that e ...) NOT-FOR-US: Shimmie CVE-2018-7264 (The Pictview image processing library embedded in the ActivePDF toolki ...) NOT-FOR-US: ActivePDF CVE-2004-2779 (id3_utf16_deserialize() in utf16.c in libid3tag through 0.15.1b mispar ...) - libid3tag 0.15.1b-5 (bug #304913) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=162647 NOTE: https://sources.debian.org/patches/libid3tag/0.15.1b-13/10_utf16.dpatch/ CVE-2018-7263 (The mad_decoder_run() function in decoder.c in Underbit libmad through ...) NOTE: Seems like a duplicate of CVE-2017-11552 relates to the issue raised in NOTE: https://bugs.debian.org/870608 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1081784 NOTE: MITRE stated, that "[...] However, if there are two different code NOTE: paths by which libmad is used incorrectly, and both code paths result NOTE: in "double free or corruption" errors, then we would represent this NOTE: with two CVEs." CVE-2018-7262 (In Ceph before 12.2.3 and 13.x through 13.0.1, the rgw_civetweb.cc RGW ...) - ceph (Issue introduced later) NOTE: See details in https://bugs.debian.org/891963#15 . Ceph as present in NOTE: Debian up to 10.2.5-7.2 is not vulnerable as they contain an older NOTE: version of the embedded webserver in RADOS gateway which does not return NOTE: null strings on malformed HTTP requests. NOTE: Original pull request: https://github.com/ceph/ceph/pull/20403 NOTE: Superseeded by: https://github.com/ceph/ceph/pull/20488 CVE-2018-7261 (There are multiple Persistent XSS vulnerabilities in Radiant CMS 1.1.4 ...) NOT-FOR-US: Radiant CMS CVE-2018-7260 (Cross-site scripting (XSS) vulnerability in db_central_columns.php in ...) - phpmyadmin 4:4.9.1+dfsg1-2 (bug #893539) [stretch] - phpmyadmin (Minor issue) [jessie] - phpmyadmin (Vulnerable code not present) [wheezy] - phpmyadmin (Vulnerable code not present) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/d2886a3e8745e8845633ae8a0054b5ee4d8babd5 NOTE: https://www.phpmyadmin.net/security/PMASA-2018-1/ CVE-2018-7259 (The FSX / P3Dv4 installer 2.0.1.231 for Flight Sim Labs A320-X sends a ...) NOT-FOR-US: Flight Sim Labs CVE-2018-7258 RESERVED CVE-2018-7257 RESERVED CVE-2018-7256 RESERVED CVE-2018-7255 RESERVED CVE-2018-7252 RESERVED CVE-2018-7251 (An issue was discovered in config/error.php in Anchor 0.12.3. The erro ...) NOT-FOR-US: Anchor CMS CVE-2018-7250 (An issue was discovered in secdrv.sys as shipped in Microsoft Windows ...) NOT-FOR-US: Microsoft CVE-2018-7249 (An issue was discovered in secdrv.sys as shipped in Microsoft Windows ...) NOT-FOR-US: Microsoft CVE-2017-18192 (smart/calculator/gallerylock/CalculatorActivity.java in the "Photo,Vid ...) NOT-FOR-US: "Photo,Video Locker-Calculator" application for Android CVE-2015-9256 (Datto ALTO and SIRIS devices allow remote attackers to obtain sensitiv ...) NOT-FOR-US: Datto ALTO and SIRIS devices CVE-2015-9255 (Datto ALTO and SIRIS devices allow remote attackers to obtain sensitiv ...) NOT-FOR-US: Datto ALTO and SIRIS devices CVE-2015-9254 (Datto ALTO and SIRIS devices have a default VNC password. ...) NOT-FOR-US: Datto ALTO and SIRIS devices CVE-2018-7254 (The ParseCaffHeaderConfig function of the cli/caff.c file of WavPack 5 ...) {DSA-4125-1} - wavpack 5.1.0-3 (bug #889274) [jessie] - wavpack (Vulnerable code not present) [wheezy] - wavpack (Vulnerable code not present) NOTE: https://github.com/dbry/WavPack/issues/26 NOTE: https://github.com/dbry/WavPack/commit/8e3fe45a7bac31d9a3b558ae0079e2d92a04799e CVE-2018-7253 (The ParseDsdiffHeaderConfig function of the cli/dsdiff.c file of WavPa ...) {DSA-4125-1} - wavpack 5.1.0-3 (bug #889559) [jessie] - wavpack (Vulnerable code not present) [wheezy] - wavpack (Vulnerable code not present) NOTE: https://github.com/dbry/WavPack/issues/28 NOTE: https://github.com/dbry/WavPack/commit/36a24c7881427d2e1e4dc1cef58f19eee0d13aec CVE-2018-7248 (An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Buil ...) NOT-FOR-US: Zoho ManageEngine ServiceDesk Plus CVE-2018-7247 (An issue was discovered in pixHtmlViewer in prog/htmlviewer.c in Lepto ...) - leptonlib 1.76.0-1 (unimportant) NOTE: https://github.com/DanBloomberg/leptonica/commit/c1079bb8e77cdd426759e466729917ca37a3ed9f CVE-2018-7246 (A cleartext transmission of sensitive information vulnerability exists ...) NOT-FOR-US: Schneider CVE-2018-7245 (An improper authorization vulnerability exists In Schneider Electric's ...) NOT-FOR-US: Schneider CVE-2018-7244 (An information disclosure vulnerability exists In Schneider Electric's ...) NOT-FOR-US: Schneider CVE-2018-7243 (An authorization bypass vulnerability exists In Schneider Electric's 6 ...) NOT-FOR-US: Schneider CVE-2018-7242 (Vulnerable hash algorithms exists in Schneider Electric's Modicon Prem ...) NOT-FOR-US: Schneider CVE-2018-7241 (Hard coded accounts exist in Schneider Electric's Modicon Premium, Mod ...) NOT-FOR-US: Schneider CVE-2018-7240 (A vulnerability exists in Schneider Electric's Modicon Quantum in all ...) NOT-FOR-US: Schneider CVE-2018-7239 (A DLL hijacking vulnerability exists in Schneider Electric's SoMove So ...) NOT-FOR-US: Schneider Electric CVE-2018-7238 (A buffer overflow vulnerability exist in the web-based GUI of Schneide ...) NOT-FOR-US: Schneider Electric CVE-2018-7237 (A vulnerability exists in Schneider Electric's Pelco Sarix Professiona ...) NOT-FOR-US: Schneider Electric CVE-2018-7236 (A vulnerability exists in Schneider Electric's Pelco Sarix Professiona ...) NOT-FOR-US: Schneider Electric CVE-2018-7235 (A vulnerability exists in Schneider Electric's Pelco Sarix Professiona ...) NOT-FOR-US: Schneider Electric CVE-2018-7234 (A vulnerability exists in Schneider Electric's Pelco Sarix Professiona ...) NOT-FOR-US: Schneider Electric CVE-2018-7233 (A vulnerability exists in Schneider Electric's Pelco Sarix Professiona ...) NOT-FOR-US: Schneider Electric CVE-2018-7232 (A vulnerability exists in Schneider Electric's Pelco Sarix Professiona ...) NOT-FOR-US: Schneider Electric CVE-2018-7231 (A vulnerability exists in Schneider Electric's Pelco Sarix Professiona ...) NOT-FOR-US: Schneider Electric CVE-2018-7230 (A XML external entity (XXE) vulnerability exists in the import.cgi of ...) NOT-FOR-US: Schneider Electric CVE-2018-7229 (A vulnerability exists in Schneider Electric's Pelco Sarix Professiona ...) NOT-FOR-US: Schneider Electric CVE-2018-7228 (A vulnerability exists in Schneider Electric's Pelco Sarix Professiona ...) NOT-FOR-US: Schneider Electric CVE-2018-7227 (A vulnerability exists in Schneider Electric's Pelco Sarix Professiona ...) NOT-FOR-US: Schneider Electric CVE-2017-18191 (An issue was discovered in OpenStack Nova 15.x through 15.1.0 and 16.x ...) - nova 2:17.0.0-1 [stretch] - nova (Minor issue) [jessie] - nova (Minor issue) [wheezy] - nova (Not supported in Wheezy) NOTE: https://launchpad.net/bugs/1739593 NOTE: https://review.openstack.org/539893 CVE-2015-9253 (An issue was discovered in PHP 7.3.x before 7.3.0alpha3, 7.2.x before ...) - php7.3 (Fixed with initial upload to unstable) - php7.2 7.2.8-1 (unimportant) - php7.1 7.1.20-1 (unimportant) - php7.0 (unimportant) - php5 (unimportant) NOTE: https://bugs.php.net/bug.php?id=73342 NOTE: https://bugs.php.net/bug.php?id=70185 NOTE: https://bugs.php.net/bug.php?id=75968 NOTE: Only exploitable with malicious script CVE-2018-7226 (An issue was discovered in vcSetXCutTextProc() in VNConsole.c in Linux ...) - vncterm (low; bug #898453) [stretch] - vncterm (Minor issue) NOTE: https://github.com/LibVNC/vncterm/issues/6 CVE-2018-7225 (An issue was discovered in LibVNCServer through 0.9.11. rfbProcessClie ...) {DSA-4221-1 DLA-2045-1 DLA-2014-1 DLA-1979-1 DLA-1332-1} - libvncserver 0.9.11+dfsg-1.1 (bug #894045) - italc [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1 - tightvnc 1:1.3.9-9.1 [buster] - tightvnc 1:1.3.9-9deb10u1 [stretch] - tightvnc 1:1.3.9-9+deb9u1 - vino 3.22.0-6 (bug #945784) [buster] - vino (Minor issue) [stretch] - vino (Minor issue) NOTE: https://github.com/LibVNC/libvncserver/issues/218 NOTE: https://github.com/LibVNC/libvncserver/commit/b0c77391e6bd0a2305bbc9b37a2499af74ddd9ee CVE-2018-7224 RESERVED CVE-2018-7223 RESERVED CVE-2018-7222 RESERVED CVE-2018-7221 RESERVED CVE-2018-7220 RESERVED CVE-2018-7219 (application/admin/controller/Admin.php in NoneCms 1.3.0 has CSRF, as d ...) NOT-FOR-US: NoneCms CVE-2018-7218 (The AppFirewall functionality in Citrix NetScaler Application Delivery ...) NOT-FOR-US: Citrix CVE-2018-7217 (In Bravo Tejari Procurement Portal, uploaded files are not properly va ...) NOT-FOR-US: Bravo Tejari Procurement Portal CVE-2018-7216 (Cross-site request forgery (CSRF) vulnerability in esop/toolkit/profil ...) NOT-FOR-US: Bravo Tejari Procurement Portal CVE-2018-7215 RESERVED CVE-2018-7214 RESERVED CVE-2018-7213 (The Password Manager Extension in Abine Blur 7.8.242* before 7.8.2428 ...) NOT-FOR-US: Password Manager Extension in Abine Blur CVE-2018-7212 (An issue was discovered in rack-protection/lib/rack/protection/path_tr ...) NOT-FOR-US: Sinatra CVE-2018-7211 (An issue was discovered in iDashboards 9.6b. The SSO implementation is ...) NOT-FOR-US: iDashboards CVE-2018-7210 (An issue was discovered in iDashboards 9.6b. It allows remote attacker ...) NOT-FOR-US: iDashboards CVE-2018-7209 (An issue was discovered in iDashboards 9.6b. It allows remote attacker ...) NOT-FOR-US: iDashboards CVE-2018-7208 (In the coff_pointerize_aux function in coffgen.c in the Binary File De ...) - binutils 2.30-6 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22741 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=eb77f6a4621795367a39cdd30957903af9dbb815 CVE-2018-7207 REJECTED CVE-2018-7206 (An issue was discovered in Project Jupyter JupyterHub OAuthenticator 0 ...) NOT-FOR-US: JupyterHub CVE-2018-7205 (** DISPUTED ** Reflected Cross-Site Scripting vulnerability in "Design ...) NOT-FOR-US: Kentico CVE-2018-7204 (inc/logger.php in the Giribaz File Manager plugin before 5.0.2 for Wor ...) NOT-FOR-US: Wordpress plugin CVE-2018-7203 (Cross-site scripting (XSS) vulnerability in Twonky Server 7.0.11 throu ...) NOT-FOR-US: Twonky Server CVE-2018-7202 (An issue was discovered in ProjectSend before r1053. XSS exists in the ...) NOT-FOR-US: ProjectSend CVE-2018-7201 (CSV Injection was discovered in ProjectSend before r1053, affecting vi ...) NOT-FOR-US: ProjectSend CVE-2018-7200 RESERVED CVE-2018-7199 RESERVED CVE-2018-7198 (October CMS through 1.0.431 allows XSS by entering HTML on the Add Pos ...) NOT-FOR-US: October CMS CVE-2018-7197 (An issue was discovered in Pluck through 4.7.4. A stored cross-site sc ...) NOT-FOR-US: Pluck CMS CVE-2018-7196 (Cross-site scripting (XSS) vulnerability in /scp/index.php in Enhances ...) NOT-FOR-US: osTicket CVE-2018-7195 (Enhancesoft osTicket before 1.10.2 allows remote attackers to reset ar ...) NOT-FOR-US: osTicket CVE-2018-7194 (Integer format vulnerability in the ticket number generator in Enhance ...) NOT-FOR-US: osTicket CVE-2018-7193 (Cross-site scripting (XSS) vulnerability in /scp/directory.php in Enha ...) NOT-FOR-US: osTicket CVE-2018-7192 (Cross-site scripting (XSS) vulnerability in /ajax.php/form/help-topic ...) NOT-FOR-US: osTicket CVE-2018-7191 (In the tun subsystem in the Linux kernel before 4.13.14, dev_get_valid ...) - linux 4.14.2-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.56-1+deb8u1 NOTE: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1743792 NOTE: https://git.kernel.org/linus/0ad646c81b2182f7fa67ec0c8c825e0ee165696d NOTE: https://git.kernel.org/linus/5c25f65fd1e42685f7ccd80e0621829c105785d9 CVE-2018-7190 RESERVED CVE-2018-7189 RESERVED CVE-2018-7188 (An XSS vulnerability (via an SVG image) in Tiki before 18 allows an au ...) NOT-FOR-US: Tiki CVE-2018-7187 (The "go get" implementation in Go 1.9.4, when the -insecure command-li ...) {DSA-4380-1 DSA-4379-1 DLA-1294-1} - golang-1.10 1.10.1-1 - golang-1.9 (bug #895663) - golang-1.8 (bug #895664) - golang-1.7 (bug #895665) - golang [jessie] - golang (Minor issue) NOTE: https://github.com/golang/go/issues/23867 NOTE: https://github.com/golang/go/commit/c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc CVE-2018-7185 (The protocol engine in ntp 4.2.6 before 4.2.8p11 allows a remote attac ...) - ntp 1:4.2.8p11+dfsg-1 (low) [stretch] - ntp (Minor issue) [jessie] - ntp (Minor issue) [wheezy] - ntp (Minor issue) - ntpsec (Issue not present) NOTE: http://www.kb.cert.org/vuls/id/961909 NOTE: http://support.ntp.org/bin/view/Main/NtpBug3454 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S CVE-2018-7184 (ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating ...) - ntp 1:4.2.8p11+dfsg-1 (low) [stretch] - ntp (Minor issue) [jessie] - ntp (Minor issue) [wheezy] - ntp (Minor issue) - ntpsec (Issue not present) NOTE: http://www.kb.cert.org/vuls/id/961909 NOTE: http://support.ntp.org/bin/view/Main/NtpBug3453 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S NOTE: http://bk.ntp.org/ntp-stable/?PAGE=cset&REV=5a76f46bK1M87GD1tJounOczC-5Zow CVE-2018-7183 (Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 throu ...) - ntp 1:4.2.8p11+dfsg-1 (low) [stretch] - ntp (Minor issue) [jessie] - ntp (Minor issue) [wheezy] - ntp (Minor issue) - ntpsec (Issue not present) NOTE: http://www.kb.cert.org/vuls/id/961909 NOTE: http://support.ntp.org/bin/view/Main/NtpBug3414 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S CVE-2018-7182 (The ctl_getitem method in ntpd in ntp-4.2.8p6 before 4.2.8p11 allows r ...) - ntp 1:4.2.8p11+dfsg-1 [stretch] - ntp (Can be fixed along in a future update) [jessie] - ntp (Can be fixed along in a future update) [wheezy] - ntp (Issue not present) - ntpsec 1.0.0+dfsg1-5 NOTE: http://www.kb.cert.org/vuls/id/961909 NOTE: http://support.ntp.org/bin/view/Main/NtpBug3412 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S NOTE: Fixed by (ntpsec): https://gitlab.com/NTPsec/ntpsec/commit/6d6aa6da0fe685011f5a9633c3618409af8349d7 NOTE: https://lists.ntpsec.org/pipermail/devel/2018-March/006008.html CVE-2018-7181 RESERVED CVE-2017-18190 (A localhost.localdomain whitelist entry in valid_host() in scheduler/c ...) {DLA-1412-1 DLA-1288-1} - cups 2.2.3-2 [stretch] - cups 2.2.1-8+deb9u1 NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1048 NOTE: https://github.com/apple/cups/commit/afa80cb2b457bf8d64f775bed307588610476c41 (v2.2.2) CVE-2018-7186 (Leptonica before 1.75.3 does not limit the number of characters in a % ...) {DLA-1302-1} - leptonlib 1.75.3-2 (low; bug #890548) [stretch] - leptonlib (Minor issue) [jessie] - leptonlib (Minor issue) NOTE: https://github.com/DanBloomberg/leptonica/commit/ee301cb2029db8a6289c5295daa42bba7715e99a CVE-2018-7180 (SQL Injection exists in the Saxum Astro 4.0.14 component for Joomla! v ...) NOT-FOR-US: Saxum Astro component for Joomla! CVE-2018-7179 (SQL Injection exists in the SquadManagement 1.0.3 component for Joomla ...) NOT-FOR-US: SquadManagement component for Joomla! CVE-2018-7178 (SQL Injection exists in the Saxum Picker 3.2.10 component for Joomla! ...) NOT-FOR-US: Saxum Picker component for Joomla! CVE-2018-7177 (SQL Injection exists in the Saxum Numerology 3.0.4 component for Jooml ...) NOT-FOR-US: Saxum Numerology component for Joomla! CVE-2018-7176 (FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding ...) - frontaccounting (bug #890604) [wheezy] - frontaccounting (unsupported in wheezy, already vulnerable to SQL injection in CVE-2014-3973) NOTE: https://securitywarrior9.blogspot.ca/2018/02/cross-site-request-forgery-front.html CVE-2018-7175 (An issue was discovered in xpdf 4.00. A NULL pointer dereference in re ...) - xpdf (unimportant) NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=613 NOTE: src:xpdf switched to use system poppler libary in 3.02-3 CVE-2018-7174 (An issue was discovered in xpdf 4.00. An infinite loop in XRef::Xref a ...) - xpdf (unimportant) NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=605 NOTE: src:xpdf switched to use system poppler libary in 3.02-3 CVE-2018-7173 (A large loop in JBIG2Stream::readSymbolDictSeg in xpdf 4.00 allows an ...) - xpdf (unimportant) NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=607 NOTE: src:xpdf switched to use system poppler libary in 3.02-3 CVE-2018-1000068 (An improper input validation vulnerability exists in Jenkins versions ...) - jenkins CVE-2018-1000067 (An improper authorization vulnerability exists in Jenkins versions 2.1 ...) - jenkins CVE-2018-7172 (In index.php in WonderCMS before 2.4.1, remote attackers can delete ar ...) NOT-FOR-US: WonderCMS CVE-2018-7171 (Directory traversal vulnerability in Twonky Server 7.0.11 through 8.5 ...) NOT-FOR-US: Twonky Server CVE-2018-7170 (ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authen ...) - ntp 1:4.2.8p11+dfsg-1 [stretch] - ntp (Minor issue) [jessie] - ntp (Minor issue) [wheezy] - ntp (Minor issue) - ntpsec (Issue not present) NOTE: http://www.kb.cert.org/vuls/id/961909 NOTE: http://support.ntp.org/bin/view/Main/NtpBug3415 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S CVE-2018-7169 (An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is ...) - shadow 1:4.7-1 (low; bug #890557) [buster] - shadow (Minor issue) [stretch] - shadow (Minor issue) [jessie] - shadow (Minor issue) [wheezy] - shadow (Minor issue) NOTE: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357 NOTE: https://github.com/shadow-maint/shadow/pull/97 CVE-2018-7168 RESERVED CVE-2018-7167 (Calling Buffer.fill() or Buffer.alloc() with some parameters can lead ...) - nodejs 10.15.0~dfsg-6 (unimportant) NOTE: https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/#calls-to-buffer-fill-and-or-buffer-alloc-may-hang-cve-2018-7167 NOTE: Doesn't affect 10.x, marking first 10.x upload to sid as fixed CVE-2018-7166 (In all versions of Node.js 10 prior to 10.9.0, an argument processing ...) - nodejs (Only affects 10.x and later) NOTE: https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/ NOTE: https://github.com/nodejs/node/commit/40a7beeddac9b9ec9ef5b49157daaf8470648b08 CVE-2018-7165 RESERVED CVE-2018-7164 (Node.js versions 9.7.0 and later and 10.x are vulnerable and the sever ...) - nodejs 10.15.0~dfsg-6 (unimportant) [stretch] - nodejs (Only affects >= 9.x) [jessie] - nodejs (Only affects >= 9.x) NOTE: https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/#memory-exhaustion-dos-on-v9-x-cve-2018-7164 NOTE: https://github.com/nodejs/node/commit/3217e8e66fa81e CVE-2018-7163 RESERVED CVE-2018-7162 (All versions of Node.js 9.x and 10.x are vulnerable and the severity i ...) - nodejs 10.15.0~dfsg-6 (unimportant) [stretch] - nodejs (Only affects >= 8.x) [jessie] - nodejs (Only affects >= 8.x) NOTE: https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/#denial-of-service-vulnerability-in-tls-cve-2018-7162 NOTE: https://github.com/nodejs/node/commit/0cb3325f1 CVE-2018-7161 (All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the seve ...) - nodejs 10.15.0~dfsg-6 (unimportant) [stretch] - nodejs (Only affects >= 8.x) [jessie] - nodejs (Only affects >= 8.x) NOTE: https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/#denial-of-service-vulnerability-in-http-2-cve-2018-7161 NOTE: https://github.com/nodejs/node/commit/8bf213dbdc7e CVE-2018-7160 (The Node.js inspector, in 6.x and later is vulnerable to a DNS rebindi ...) - nodejs 8.11.1~dfsg-2 (unimportant) [stretch] - nodejs (Vulnerable code not present) [jessie] - nodejs (Vulnerable code not present) [wheezy] - nodejs (Vulnerable code not present) CVE-2018-7159 (The HTTP parser in all current versions of Node.js ignores spaces in t ...) - nodejs 8.11.1~dfsg-2 (unimportant) CVE-2018-7158 (The `'path'` module in the Node.js 4.x release line contains a potenti ...) - nodejs 6.0.0~dfsg-1 (unimportant) CVE-2018-7157 RESERVED CVE-2018-7156 RESERVED CVE-2018-7155 RESERVED CVE-2018-7154 RESERVED CVE-2018-7153 RESERVED CVE-2018-7152 RESERVED CVE-2018-7151 RESERVED CVE-2018-7150 RESERVED CVE-2018-7149 RESERVED CVE-2018-7148 RESERVED CVE-2018-7147 RESERVED CVE-2018-7146 RESERVED CVE-2018-7145 RESERVED CVE-2018-7144 RESERVED CVE-2018-7143 RESERVED CVE-2018-7142 RESERVED CVE-2018-7141 RESERVED CVE-2018-7140 RESERVED CVE-2018-7139 RESERVED CVE-2018-7138 RESERVED CVE-2018-7137 RESERVED CVE-2018-7136 RESERVED CVE-2018-7135 RESERVED CVE-2018-7134 RESERVED CVE-2018-7133 RESERVED CVE-2018-7132 RESERVED CVE-2018-7131 RESERVED CVE-2018-7130 RESERVED CVE-2018-7129 RESERVED CVE-2018-7128 RESERVED CVE-2018-7127 RESERVED CVE-2018-7126 RESERVED CVE-2018-7125 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2018-7124 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2018-7123 (A remote denial of service vulnerability was identified in HPE Intelli ...) NOT-FOR-US: HPE CVE-2018-7122 (A remote disclosure of information vulnerability was identified in HPE ...) NOT-FOR-US: HPE CVE-2018-7121 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2018-7120 (A security vulnerability in the HPE Virtual Connect SE 16Gb Fibre Chan ...) NOT-FOR-US: HPE CVE-2018-7119 (A Local Disclosure of Sensitive Information vulnerability was identifi ...) NOT-FOR-US: HPE CVE-2018-7118 (A local access restriction bypass vulnerability was identified in HPE ...) NOT-FOR-US: HPE Service Pack for ProLiant (SPP) Bundled Software CVE-2018-7117 (A remote Cross-Site Scripting in HPE iLO 5 Web User Interface vulnerab ...) NOT-FOR-US: HPE CVE-2018-7116 (HPE Intelligent Management Center (IMC) prior to IMC PLAT 7.3 (E0605P0 ...) NOT-FOR-US: HPE CVE-2018-7115 (HPE Intelligent Management Center (IMC) prior to IMC PLAT 7.3 (E0605P0 ...) NOT-FOR-US: HPE CVE-2018-7114 (HPE Intelligent Management Center (IMC) prior to IMC PLAT 7.3 (E0605P0 ...) NOT-FOR-US: HPE CVE-2018-7113 (A security vulnerability in HPE Integrated Lights-Out 5 (iLO 5) prior ...) NOT-FOR-US: HPE CVE-2018-7112 (The HPE-provided Windows firmware installer for certain Gen9, Gen8, G7 ...) NOT-FOR-US: HPE CVE-2018-7111 (A remote unauthorized access vulnerability was identified in HPE UIoT ...) NOT-FOR-US: HPE CVE-2018-7110 (A remote unauthorized disclosure of information vulnerability was iden ...) NOT-FOR-US: HPE CVE-2018-7109 (HPE has addressed a remote arbitrary file modification vulnerability i ...) NOT-FOR-US: HPE CVE-2018-7108 (HPE StorageWorks XP7 Automation Director (AutoDir) version 8.5.2-02 to ...) NOT-FOR-US: HPE CVE-2018-7107 (A potential security vulnerability has been identified in HPE Device E ...) NOT-FOR-US: HPE CVE-2018-7106 REJECTED CVE-2018-7105 (A security vulnerability in HPE Integrated Lights-Out 5 (iLO 5) for HP ...) NOT-FOR-US: HPE CVE-2018-7104 (A Remote Code Execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2018-7103 (A Remote Code Execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2018-7102 (A security vulnerability in HPE Intelligent Management Center (iMC) PL ...) NOT-FOR-US: HPE CVE-2018-7101 (A potential remote denial of service security vulnerability has been i ...) NOT-FOR-US: HPE CVE-2018-7100 (A potential security vulnerability has been identified in HPE OfficeCo ...) NOT-FOR-US: HPE OfficeConnect 1810 Switch Series CVE-2018-7099 (A security vulnerability was identified in 3PAR Service Processor (SP) ...) NOT-FOR-US: 3PAR CVE-2018-7098 (A security vulnerability was identified in 3PAR Service Processor (SP) ...) NOT-FOR-US: 3PAR CVE-2018-7097 (A security vulnerability was identified in 3PAR Service Processor (SP) ...) NOT-FOR-US: 3PAR CVE-2018-7096 (A security vulnerability was identified in 3PAR Service Processor (SP) ...) NOT-FOR-US: 3PAR CVE-2018-7095 (A security vulnerability was identified in 3PAR Service Processor (SP) ...) NOT-FOR-US: 3PAR CVE-2018-7094 (A security vulnerability was identified in 3PAR Service Processor (SP) ...) NOT-FOR-US: 3PAR CVE-2018-7093 (A security vulnerability in HPE Integrated Lights-Out 3 prior to v1.90 ...) NOT-FOR-US: HPE CVE-2018-7092 (A potential security vulnerability has been identified in HPE Intellig ...) NOT-FOR-US: HPE CVE-2018-7091 (HPE XP P9000 Command View Advanced Edition Software (CVAE) has open UR ...) NOT-FOR-US: HPE CVE-2018-7090 (HPE XP P9000 Command View Advanced Edition Software (CVAE) has local a ...) NOT-FOR-US: HPE CVE-2018-7089 RESERVED CVE-2018-7088 RESERVED CVE-2018-7087 RESERVED CVE-2018-7086 RESERVED CVE-2018-7085 RESERVED CVE-2018-7084 (A command injection vulnerability is present that permits an unauthent ...) NOT-FOR-US: Aruba CVE-2018-7083 (If a process running within Aruba Instant crashes, it may leave behind ...) NOT-FOR-US: Aruba CVE-2018-7082 (A command injection vulnerability is present in Aruba Instant that per ...) NOT-FOR-US: Aruba CVE-2018-7081 (A remote code execution vulnerability is present in network-listening ...) NOT-FOR-US: Aruba CVE-2018-7080 (A vulnerability exists in the firmware of embedded BLE radios that are ...) NOT-FOR-US: Aruba CVE-2018-7079 (Aruba ClearPass Policy Manager guest authorization failure. Certain ad ...) NOT-FOR-US: Aruba CVE-2018-7078 (A remote code execution was identified in HPE Integrated Lights-Out 4 ...) NOT-FOR-US: HPE CVE-2018-7077 (A security vulnerability in HPE XP P9000 Command View Advanced Edition ...) NOT-FOR-US: HPE CVE-2018-7076 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2018-7075 (A remote cross-site scripting (XSS) vulnerability was identified in HP ...) NOT-FOR-US: HPE CVE-2018-7074 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2018-7073 (A local arbitrary file modification vulnerability was identified in HP ...) NOT-FOR-US: HPE CVE-2018-7072 (A remote bypass of security restrictions vulnerability was identified ...) NOT-FOR-US: HPE CVE-2018-7071 (HPE has identified a remote access to sensitive information vulnerabil ...) NOT-FOR-US: HPE CVE-2018-7070 (HPE has identified a remote disclosure of information vulnerability in ...) NOT-FOR-US: HPE CVE-2018-7069 (HPE has identified a remote unauthenticated access to files vulnerabil ...) NOT-FOR-US: HPE CVE-2018-7068 (HPE has identified a remote HOST header attack vulnerability in HPE Ce ...) NOT-FOR-US: HPE CVE-2018-7067 (A Remote Authentication bypass in Aruba ClearPass Policy Manager leads ...) NOT-FOR-US: Aruba CVE-2018-7066 (An unauthenticated remote command execution exists in Aruba ClearPass ...) NOT-FOR-US: Aruba CVE-2018-7065 (An authenticated SQL injection vulnerability in Aruba ClearPass Policy ...) NOT-FOR-US: Aruba CVE-2018-7064 (A reflected cross-site scripting (XSS) vulnerability is present in an ...) NOT-FOR-US: Aruba CVE-2018-7063 (In Aruba ClearPass, disabled API admins can still perform read/write o ...) NOT-FOR-US: Aruba CVE-2018-7062 RESERVED CVE-2018-7061 RESERVED CVE-2018-7060 (Aruba ClearPass 6.6.x prior to 6.6.9 and 6.7.x prior to 6.7.1 is vulne ...) NOT-FOR-US: Aruba ClearPass CVE-2018-7059 (Aruba ClearPass prior to 6.6.9 has a vulnerability in the API that hel ...) NOT-FOR-US: Aruba ClearPass CVE-2018-7058 (Aruba ClearPass, all versions of 6.6.x prior to 6.6.9 are affected by ...) NOT-FOR-US: Aruba ClearPass CVE-2018-7057 (RoomWizard before 4.4.x allows XSS via the HelpAction.action pageName ...) NOT-FOR-US: RoomWizard CVE-2018-7056 (RoomWizard before 4.4.x allows remote attackers to obtain potentially ...) NOT-FOR-US: RoomWizard CVE-2018-7055 (GroupViewProxyServlet in RoomWizard before 4.4.x allows SSRF via the u ...) NOT-FOR-US: RoomWizard CVE-2018-7054 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. ...) {DSA-4162-1} - irssi 1.0.7-1 (bug #890674) [jessie] - irssi (Vulnerable netsplit code introduced in 1.0.0) [wheezy] - irssi (Vulnerable netsplit code introduced in 1.0.0) NOTE: https://irssi.org/security/irssi_sa_2018_02.txt NOTE: Some netsplit related changes as introduced in 1.0.0 were reverted: NOTE: https://github.com/irssi/irssi/commit/7605f67f95b6ee1ac26dd8fb7f3121f319497943 NOTE: https://github.com/irssi/irssi/commit/fa8508404f4c4a02749cae5148662e2322c2abf0 NOTE: https://github.com/irssi/irssi/commit/a4f99ae746efb121185fe76c392a64d743a9eb92 NOTE: But the CVE is specifically for the use-after-free issue. CVE-2018-7053 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. ...) {DSA-4162-1} - irssi 1.0.7-1 (bug #890674) [jessie] - irssi (Vulnerable code introduced in 0.8.18) [wheezy] - irssi (Vulnerable code introduced in 0.8.18) NOTE: https://irssi.org/security/irssi_sa_2018_02.txt NOTE: Fixed by: https://github.com/irssi/irssi/commit/84f03e01467b90a4251987b32b2813ee976b357c CVE-2018-7052 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. ...) {DSA-4162-1 DLA-1289-1} - irssi 1.0.7-1 (bug #890676) [jessie] - irssi (Minor issue) NOTE: https://irssi.org/security/irssi_sa_2018_02.txt NOTE: Fixed by: https://github.com/irssi/irssi/commit/5b5bfef03596d95079c728f65f523570dd7b03aa CVE-2018-7051 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. ...) {DSA-4162-1 DLA-1318-1} - irssi 1.0.7-1 (bug #890677) [jessie] - irssi (Minor issue) NOTE: https://irssi.org/security/irssi_sa_2018_02.txt NOTE: Fixed by: https://github.com/irssi/irssi/commit/e32e9d63c67ab95ef0576154680a6c52334b97af CVE-2018-7050 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. ...) {DSA-4162-1 DLA-1289-1} - irssi 1.0.7-1 (bug #890678) [jessie] - irssi (Minor issue) NOTE: https://irssi.org/security/irssi_sa_2018_02.txt NOTE: Fixed by: https://github.com/irssi/irssi/commit/e91da9e4098e449dc36eaa15354aff67650e7703 CVE-2017-18189 (In the startread function in xa.c in Sound eXchange (SoX) through 14.4 ...) {DLA-1695-1 DLA-1197-1} - sox 14.4.2-2 (bug #881121) [stretch] - sox 14.4.1-5+deb9u2 NOTE: https://github.com/mansr/sox/commit/7a8ceb86212b28243bbb6d0de636f0dfbe833e53 CVE-2018-7049 (An issue was discovered in Wowza Streaming Engine before 4.7.1. There ...) NOT-FOR-US: Wowza Streaming Engine CVE-2018-7048 (An issue was discovered in Wowza Streaming Engine before 4.7.1. There ...) NOT-FOR-US: Wowza Streaming Engine CVE-2018-7047 (An issue was discovered in the MBeans Server in Wowza Streaming Engine ...) NOT-FOR-US: Wowza Streaming Engine CVE-2018-7046 (** DISPUTED ** Arbitrary code execution vulnerability in Kentico 9 thr ...) NOT-FOR-US: Kentico CVE-2018-7045 RESERVED CVE-2018-7044 RESERVED CVE-2018-7043 RESERVED CVE-2018-7042 RESERVED CVE-2018-7041 RESERVED CVE-2018-7040 RESERVED CVE-2018-7039 (CCN-lite 2.0.0 Beta allows remote attackers to cause a denial of servi ...) NOT-FOR-US: CCN-lite 2 CVE-2018-7038 RESERVED CVE-2018-7037 RESERVED CVE-2018-7036 RESERVED CVE-2018-7035 (Cross-site scripting (XSS) vulnerability in Gleez CMS 1.2.0 and 2.0 mi ...) NOT-FOR-US: Gleez CMS CVE-2018-7034 (TRENDnet TEW-751DR v1.03B03, TEW-752DRU v1.03B01, and TEW733GR v1.03B0 ...) NOT-FOR-US: TRENDnet devices CVE-2018-7033 (SchedMD Slurm before 17.02.10 and 17.11.x before 17.11.5 allows SQL In ...) {DSA-4254-1 DLA-1437-1 DLA-1367-1} - slurm-llnl 17.11.5-1 (bug #893044) NOTE: https://bugs.schedmd.com/show_bug.cgi?id=4792 (not yet public) NOTE: https://github.com/SchedMD/slurm/commit/db468895240ad6817628d07054fe54e71273b2fe NOTE: https://github.com/SchedMD/slurm/commit/2f5e924bf6e018dbcef24bcda9683d6b3662f6d4 CVE-2018-7031 REJECTED CVE-2018-7030 REJECTED CVE-2018-7029 REJECTED CVE-2018-7028 REJECTED CVE-2018-7027 REJECTED CVE-2018-7026 REJECTED CVE-2018-7025 REJECTED CVE-2018-7024 REJECTED CVE-2018-7023 REJECTED CVE-2018-7022 REJECTED CVE-2018-7021 REJECTED CVE-2018-7020 REJECTED CVE-2018-7019 REJECTED CVE-2018-7018 REJECTED CVE-2018-7017 REJECTED CVE-2018-7016 REJECTED CVE-2018-7015 REJECTED CVE-2018-7014 REJECTED CVE-2018-7013 REJECTED CVE-2018-7012 REJECTED CVE-2018-7011 REJECTED CVE-2018-7010 REJECTED CVE-2018-7009 REJECTED CVE-2018-7008 REJECTED CVE-2018-7007 REJECTED CVE-2018-7006 REJECTED CVE-2018-7005 REJECTED CVE-2018-7004 REJECTED CVE-2018-7003 REJECTED CVE-2018-7002 REJECTED CVE-2018-7001 REJECTED CVE-2018-7000 REJECTED CVE-2018-6999 REJECTED CVE-2018-6998 REJECTED CVE-2018-6997 REJECTED CVE-2018-6996 REJECTED CVE-2018-6995 REJECTED CVE-2018-6994 REJECTED CVE-2018-6993 REJECTED CVE-2018-6992 REJECTED CVE-2018-6991 REJECTED CVE-2018-6990 REJECTED CVE-2018-6989 REJECTED CVE-2018-6988 REJECTED CVE-2018-6987 REJECTED CVE-2018-6986 REJECTED CVE-2018-6985 REJECTED CVE-2018-6984 RESERVED CVE-2018-6983 (VMware Workstation (15.x before 15.0.2 and 14.x before 14.1.5) and Fus ...) NOT-FOR-US: VMware CVE-2018-6982 (VMware ESXi 6.7 without ESXi670-201811401-BG and VMware ESXi 6.5 witho ...) NOT-FOR-US: VMware NOTE: https://seclists.org/bugtraq/2018/Nov/12 CVE-2018-6981 (VMware ESXi 6.7 without ESXi670-201811401-BG and VMware ESXi 6.5 witho ...) NOT-FOR-US: VMware NOTE: https://seclists.org/bugtraq/2018/Nov/12 CVE-2018-6980 (VMware vRealize Log Insight (4.7.x before 4.7.1 and 4.6.x before 4.6.2 ...) NOT-FOR-US: VMware CVE-2018-6979 (The VMware Workspace ONE Unified Endpoint Management Console (A/W Cons ...) NOT-FOR-US: VMware CVE-2018-6978 (vRealize Operations (7.x before 7.0.0.11287810, 6.7.x before 6.7.0.112 ...) NOT-FOR-US: VMware CVE-2018-6977 (VMware ESXi (6.7, 6.5, 6.0), Workstation (15.x and 14.x) and Fusion (1 ...) NOT-FOR-US: VMware CVE-2018-6976 (The VMware Content Locker for iOS prior to 4.14 contains a data protec ...) NOT-FOR-US: VMware CVE-2018-6975 (The AirWatch Agent for iOS prior to 5.8.1 contains a data protection v ...) NOT-FOR-US: AirWatch Agent for iOS CVE-2018-6974 (VMware ESXi (6.7 before ESXi670-201810101-SG, 6.5 before ESXi650-20180 ...) NOT-FOR-US: VMware CVE-2018-6973 (VMware Workstation (14.x before 14.1.3) and Fusion (10.x before 10.1.3 ...) NOT-FOR-US: VMware CVE-2018-6972 (VMware ESXi (6.7 before ESXi670-201806401-BG, 6.5 before ESXi650-20180 ...) NOT-FOR-US: VMware CVE-2018-6971 (VMware Horizon View Agents (7.x.x before 7.5.1) contain a local inform ...) NOT-FOR-US: VMware CVE-2018-6970 (VMware Horizon 6 (6.x.x before 6.2.7), Horizon 7 (7.x.x before 7.5.1), ...) NOT-FOR-US: VMware CVE-2018-6969 (VMware Tools (10.x and prior before 10.3.0) contains an out-of-bounds ...) NOT-FOR-US: VMware CVE-2018-6968 (The VMware AirWatch Agent for Android prior to 8.2 and AirWatch Agent ...) NOT-FOR-US: VMware AirWatch Agent CVE-2018-6967 (VMware ESXi (6.7 before ESXi670-201806401-BG), Workstation (14.x befor ...) NOT-FOR-US: VMware CVE-2018-6966 (VMware ESXi (6.7 before ESXi670-201806401-BG), Workstation (14.x befor ...) NOT-FOR-US: VMware CVE-2018-6965 (VMware ESXi (6.7 before ESXi670-201806401-BG), Workstation (14.x befor ...) NOT-FOR-US: VMware CVE-2018-6964 (VMware Horizon Client for Linux (4.x before 4.8.0 and prior) contains ...) NOT-FOR-US: VMware CVE-2018-6963 (VMware Workstation (14.x before 14.1.2) and Fusion (10.x before 10.1.2 ...) NOT-FOR-US: VMware CVE-2018-6962 (VMware Fusion (10.x before 10.1.2) contains a signature bypass vulnera ...) NOT-FOR-US: VMware CVE-2018-6961 (VMware NSX SD-WAN Edge by VeloCloud prior to version 3.1.0 contains a ...) NOT-FOR-US: VMware NSX SD-WAN Edge by VeloCloud CVE-2018-6960 (VMware Horizon DaaS (7.x before 8.0.0) contains a broken authenticatio ...) NOT-FOR-US: VMware Horizon DaaS CVE-2018-6959 (VMware vRealize Automation (vRA) prior to 7.4.0 contains a vulnerabili ...) NOT-FOR-US: VMware vRealize Automation CVE-2018-6958 (VMware vRealize Automation (vRA) prior to 7.3.1 contains a vulnerabili ...) NOT-FOR-US: VMware vRealize Automation CVE-2018-6957 (VMware Workstation (14.x before 14.1.1, 12.x) and Fusion (10.x before ...) NOT-FOR-US: VMware CVE-2017-18188 (OpenRC opentmpfiles through 0.1.3, when the fs.protected_hardlinks sys ...) NOT-FOR-US: opentmpfiles CVE-2017-18187 (In ARM mbed TLS before 2.7.0, there is a bounds-check bypass through a ...) {DSA-4147-1 DSA-4138-1} - mbedtls 2.7.0-2 - polarssl [wheezy] - polarssl (vulnerable code not present) NOTE: https://github.com/ARMmbed/mbedtls/commit/83c9f495ffe70c7dd280b41fdfd4881485a3bc28 CVE-2018-7032 (webcheckout in myrepos through 1.20171231 does not sanitize URLs that ...) - myrepos 1.20180726 (bug #840014) [stretch] - myrepos (Minor issue) [jessie] - myrepos (Minor issue) - mr 1.16 [wheezy] - mr (Minor issue) NOTE: 1.16 was made a source-based transitional package to myrepos not containg NOTE: in particular webcheckout anymore. NOTE: http://source.myrepos.branchable.com/?p=source.git;a=commitdiff;h=40a3df21c73f1bb1b6915cc6fa503f50814664c8 CVE-2018-6956 RESERVED CVE-2018-6955 RESERVED CVE-2018-6954 (systemd-tmpfiles in systemd through 237 mishandles symlinks present in ...) - systemd 238-1 (low; bug #890779) [stretch] - systemd (Minor issue, too intrusive to backport) [jessie] - systemd (Minor issue, revisit if/when fixed upstream) [wheezy] - systemd (/etc/tmpfiles.d not supported in Wheezy) NOTE: https://github.com/systemd/systemd/issues/7986 NOTE: https://github.com/systemd/systemd/pull/8822 NOTE: https://www.openwall.com/lists/oss-security/2018/12/22/1 CVE-2018-6953 (In CCN-lite 2, the Parser of NDNTLV does not verify whether a certain ...) NOT-FOR-US: CCN-lite 2 CVE-2018-6952 (A double free exists in the another_hunk function in pch.c in GNU patc ...) - patch (unimportant) NOTE: https://savannah.gnu.org/bugs/index.php?53133 NOTE: https://git.savannah.gnu.org/cgit/patch.git/commit/?id=9c986353e420ead6e706262bf204d6e03322c300 NOTE: When fixing this issue make sure to not apply only the incomplete fix, NOTE: and opening CVE-2019-20633, cf. https://savannah.gnu.org/bugs/index.php?56683 NOTE: Crash in CLI tool, no security impact CVE-2018-6951 (An issue was discovered in GNU patch through 2.7.6. There is a segment ...) - patch (unimportant) NOTE: https://git.savannah.gnu.org/cgit/patch.git/commit/?id=f290f48a621867084884bfff87f8093c15195e6a NOTE: https://savannah.gnu.org/bugs/index.php?53132 NOTE: Crash in CLI tool, no security impact CVE-2018-6950 RESERVED CVE-2018-6949 RESERVED CVE-2018-6948 (In CCN-lite 2, the function ccnl_prefix_to_str_detailed can cause a bu ...) NOT-FOR-US: CCN-lite 2 CVE-2018-6947 (An uninitialised stack variable in the nxfuse component that is part o ...) NOT-FOR-US: DokanFS CVE-2018-6946 RESERVED CVE-2018-6945 RESERVED CVE-2018-6944 (core/lib/upload/um-file-upload.php in the UltimateMember plugin 2.0 fo ...) NOT-FOR-US: UltimateMember plugin for WordPress CVE-2018-6943 (core/lib/upload/um-image-upload.php in the UltimateMember plugin 2.0 f ...) NOT-FOR-US: UltimateMember plugin for WordPress CVE-2018-6942 (An issue was discovered in FreeType 2 through 2.9. A NULL pointer dere ...) - freetype 2.9.1-3 (bug #890450) [stretch] - freetype (Vulnerable code introduced later) [jessie] - freetype (Vulnerable code introduced later) [wheezy] - freetype (Vulnerable code introduced later) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5736 NOTE: https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=29c759284e305ec428703c9a5831d0b1fc3497ef CVE-2018-6941 (A /shell?cmd= CSRF issue exists in the HTTPD component of NAT32 v2.2 B ...) NOT-FOR-US: NAT32 devices CVE-2018-6940 (A /shell?cmd= XSS issue exists in the HTTPD component of NAT32 v2.2 Bu ...) NOT-FOR-US: NAT32 devices CVE-2018-6939 RESERVED CVE-2018-6938 RESERVED CVE-2018-6937 RESERVED CVE-2018-6936 (Cross Site Scripting (XSS) exists on the D-Link DIR-600M C1 3.01 via t ...) NOT-FOR-US: D-Link CVE-2018-6935 (PHP Scripts Mall Student Profile Management System Script v2.0.6 has X ...) NOT-FOR-US: PHP Scripts Mall Student Profile Management System Script CVE-2018-6934 (CSRF exists in student/personal-info in PHP Scripts Mall Online Tutori ...) NOT-FOR-US: PHP Scripts Mall Online Tutoring Script CVE-2018-6933 RESERVED CVE-2018-6932 RESERVED CVE-2018-6931 RESERVED CVE-2018-6930 (A stack-based buffer over-read in the ComputeResizeImage function in t ...) - imagemagick (Vulnerable code introduced later) NOTE: https://github.com/ImageMagick/ImageMagick/issues/967 CVE-2018-6929 RESERVED CVE-2018-6928 (PHP Scripts Mall News Website Script 2.0.4 has SQL Injection via a sea ...) NOT-FOR-US: PHP Scripts Mall News Website Script CVE-2018-1000066 REJECTED CVE-2018-1000065 REJECTED CVE-2018-1000064 REJECTED CVE-2017-18186 (An issue was discovered in QPDF before 7.0.0. There is an infinite loo ...) - qpdf 7.0.0-1 [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) [wheezy] - qpdf (Minor issue) NOTE: https://github.com/qpdf/qpdf/commit/85f05cc57ffa0a863d9d9b23e73acea9410b2937 NOTE: https://github.com/qpdf/qpdf/issues/149 CVE-2017-18185 (An issue was discovered in QPDF before 7.0.0. There is a large heap-ba ...) - qpdf 7.0.0-1 [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) [wheezy] - qpdf (Minor issue) NOTE: https://github.com/qpdf/qpdf/commit/ec7d74a386c0b2f38990079c3b0d2a2b30be0e71 NOTE: https://github.com/qpdf/qpdf/issues/150 CVE-2017-18184 (An issue was discovered in QPDF before 7.0.0. There is a stack-based o ...) - qpdf 7.0.0-1 [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) [wheezy] - qpdf (Minor issue) NOTE: https://github.com/qpdf/qpdf/commit/dea704f0ab7f625e1e7b3f9a1110b45b63157317 NOTE: https://github.com/qpdf/qpdf/issues/147 CVE-2017-18183 (An issue was discovered in QPDF before 7.0.0. There is an infinite loo ...) - qpdf 7.0.0-1 [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) [wheezy] - qpdf (Minor issue) NOTE: https://github.com/qpdf/qpdf/commit/8249a26d69f72b9cda584c14cc3f12769985e481 NOTE: https://github.com/qpdf/qpdf/issues/143 CVE-2017-18182 RESERVED CVE-2017-18181 RESERVED CVE-2017-18180 RESERVED CVE-2016-10713 (An issue was discovered in GNU patch before 2.7.6. Out-of-bounds acces ...) - patch 2.7.6-1 (unimportant) NOTE: https://git.savannah.gnu.org/cgit/patch.git/commit/src/pch.c?id=a0d7fe4589651c64bd16ddaaa634030bb0455866 NOTE: Crash in CLI tool, no security impact CVE-2015-9252 (An issue was discovered in QPDF before 7.0.0. Endless recursion causes ...) - qpdf 7.0.0-1 [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) [wheezy] - qpdf (Minor issue) NOTE: https://github.com/qpdf/qpdf/commit/701b518d5c56a1449825a3a37a716c58e05e1c3e NOTE: https://github.com/qpdf/qpdf/issues/51 CVE-2018-6927 (The futex_requeue function in kernel/futex.c in the Linux kernel befor ...) {DSA-4187-1 DLA-1369-1} - linux 4.14.17-1 [stretch] - linux 4.9.80-1 NOTE: Fixed by: https://git.kernel.org/linus/fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a CVE-2018-6926 (In app/Controller/ServersController.php in MISP 2.4.87, a server setti ...) NOT-FOR-US: MISP CVE-2018-6925 (In FreeBSD before 11.2-STABLE(r338986), 11.2-RELEASE-p4, 11.1-RELEASE- ...) - kfreebsd-10 (unimportant) NOTE: https://security.FreeBSD.org/advisories/FreeBSD-EN-18:11.listen.asc NOTE: kfreebsd not covered by security support CVE-2018-6924 (In FreeBSD before 11.1-STABLE, 11.2-RELEASE-p3, 11.1-RELEASE-p14, 10.4 ...) - kfreebsd-10 (unimportant) NOTE: https://security.freebsd.org/advisories/FreeBSD-SA-18:12.elf.asc NOTE: kfreebsd not covered by security support CVE-2018-6923 (In FreeBSD before 11.1-STABLE, 11.2-RELEASE-p2, 11.1-RELEASE-p13, ip f ...) - kfreebsd-10 (unimportant) NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-18:10.ip.asc NOTE: kfreebsd not covered by security support CVE-2018-6922 (One of the data structures that holds TCP segments in all versions of ...) - kfreebsd-10 (unimportant) NOTE: https://www.kb.cert.org/vuls/id/962459 NOTE: kfreebsd not covered by security support CVE-2018-6921 (In FreeBSD before 11.1-STABLE(r332066) and 11.1-RELEASE-p10, due to in ...) - kfreebsd-10 (unimportant) NOTE: https://security.FreeBSD.org/advisories/FreeBSD-EN-18:05.mem.asc NOTE: kfreebsd not covered by security support CVE-2018-6920 (In FreeBSD before 11.1-STABLE(r332303), 11.1-RELEASE-p10, 10.4-STABLE( ...) - kfreebsd-10 (unimportant) NOTE: https://security.FreeBSD.org/advisories/FreeBSD-EN-18:05.mem.asc NOTE: kfreebsd not covered by security support CVE-2018-6919 (In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p9, 10.4-STABLE, 10.4-RELE ...) - kfreebsd-10 (unimportant) NOTE: https://security.FreeBSD.org/advisories/FreeBSD-EN-18:04.mem.asc NOTE: kfreebsd not covered by security support CVE-2018-6918 (In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p9, 10.4-STABLE, 10.4-RELE ...) - kfreebsd-10 (unimportant) NOTE: https://security.FreeBSD.org/advisories/FreeBSD-SA-18:05.ipsec.asc NOTE: kfreebsd not covered by security support CVE-2018-6917 (In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p9, 10.4-STABLE, 10.4-RELE ...) - kfreebsd-10 (unimportant) NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-18:04.vt.asc NOTE: kfreebsd not covered by security support CVE-2018-6916 (In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p7, 10.4-STABLE, 10.4-RELE ...) - kfreebsd-10 (unimportant) NOTE: https://www.freebsd.org/security/patches/SA-18:01/ipsec-10.patch NOTE: kfreebsd not covered by security support CVE-2018-6915 RESERVED CVE-2018-6914 (Directory traversal vulnerability in the Dir.mktmpdir method in the tm ...) {DSA-4259-1 DLA-1421-1 DLA-1359-1 DLA-1358-1} - ruby2.5 2.5.1-1 - ruby2.3 - ruby2.1 - ruby1.9.1 - ruby1.8 NOTE: https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/ NOTE: https://hackerone.com/reports/302298 NOTE: Fixed by: https://github.com/ruby/ruby/commit/10b96900b90914b0cc1dba36f9736c038db2859d NOTE: Fixed by: https://github.com/ruby/ruby/commit/e9ddf2ba41a0bffe1047e33576affd48808c5d0b (2.2.10) CVE-2018-1000063 REJECTED CVE-2017-18179 (Progress Sitefinity 9.1 uses wrap_access_token as a non-expiring authe ...) NOT-FOR-US: Progress Sitefinity CVE-2017-18178 (Authenticate/SWT in Progress Sitefinity 9.1 has an open redirect issue ...) NOT-FOR-US: Progress Sitefinity CVE-2017-18177 (Progress Sitefinity 9.1 has XSS via the Last name, First name, and Abo ...) NOT-FOR-US: Progress Sitefinity CVE-2017-18176 (Progress Sitefinity 9.1 has XSS via file upload, because JavaScript co ...) NOT-FOR-US: Progress Sitefinity CVE-2017-18175 (Progress Sitefinity 9.1 has XSS via the Content Management Template Co ...) NOT-FOR-US: Progress Sitefinity CVE-2018-6913 (Heap-based buffer overflow in the pack function in Perl before 5.26.2 ...) {DSA-4172-1 DLA-1345-1} - perl 5.26.1-6 NOTE: https://rt.perl.org/Public/Bug/Display.html?id=131844 NOTE: maint-5.26: https://perl5.git.perl.org/perl.git/commitdiff/0fcf83230df5f8c52602ae22fde57c7ea885534d NOTE: maint-5.24: https://perl5.git.perl.org/perl.git/commitdiff/a9d5c6e11891b48be06d4e06eeed18642bc98527 CVE-2018-6912 (The decode_plane function in libavcodec/utvideodec.c in FFmpeg through ...) - ffmpeg 7:4.0.1-2 (low) [stretch] - ffmpeg (Code in 3.2 is different/not affected) - libav [jessie] - libav (vulnerable code is not present) NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/76cc0f0f673353cd4746cd3b83838ae335e5d9ed CVE-2018-6911 (The VBWinExec function in Node\AspVBObj.dll in Advantech WebAccess 8.3 ...) NOT-FOR-US: Advantech WebAccess CVE-2018-6910 (DedeCMS 5.7 allows remote attackers to discover the full path via a di ...) NOT-FOR-US: DedeCMS CVE-2018-6909 (A missing X-Frame-Options header in the Green Electronics RainMachine ...) NOT-FOR-US: Green Electronics CVE-2018-6908 (An authentication bypass vulnerability exists in the Green Electronics ...) NOT-FOR-US: Green Electronics CVE-2018-6907 (A Cross Site Request Forgery (CSRF) vulnerability in the Green Electro ...) NOT-FOR-US: Green Electronics CVE-2018-6906 (A persistent Cross Site Scripting (XSS) vulnerability in the Green Ele ...) NOT-FOR-US: Green Electronics CVE-2018-6905 (The page module in TYPO3 before 8.7.11, and 9.1.0, has XSS via $GLOBAL ...) - typo3-src [wheezy] - typo3-src CVE-2018-6904 (PHP Scripts Mall Car Rental Script 2.0.8 has XSS via the User Name fie ...) NOT-FOR-US: PHP Scripts Mall Car Rental Script CVE-2018-6903 (PHP Scripts Mall Hot Scripts Clone Script Classified v3.1 uses the cli ...) NOT-FOR-US: PHP Scripts Mall Hot Scripts Clone Script Classified CVE-2018-6902 (PHP Scripts Mall Image Sharing Script 1.3.3 has XSS via the Full Name ...) NOT-FOR-US: PHP Scripts Mall Image Sharing Script CVE-2018-6901 RESERVED CVE-2018-6900 (PHP Scripts Mall Website Broker Script 3.0.6 has XSS via the Last Name ...) NOT-FOR-US: PHP Scripts Mall Website Broker Script CVE-2018-6899 RESERVED CVE-2018-6898 RESERVED CVE-2018-6897 RESERVED CVE-2018-6896 RESERVED CVE-2018-6895 RESERVED CVE-2018-6894 RESERVED CVE-2018-6893 (controllers/member/Api.php in dayrui FineCms 5.2.0 has SQL Injection: ...) NOT-FOR-US: FineCms CVE-2018-6892 (An issue was discovered in CloudMe before 1.11.0. An unauthenticated r ...) NOT-FOR-US: CloudMe CVE-2018-6891 (Bookly #1 WordPress Booking Plugin Lite before 14.5 has XSS via a jQue ...) NOT-FOR-US: Bookly #1 WordPress Booking Plugin Lite CVE-2018-6890 (Cross-site scripting (XSS) vulnerability in Wolf CMS 0.8.3.1 via the p ...) NOT-FOR-US: Wolf CMS CVE-2018-6889 (An issue was discovered in Typesetter 5.1. It suffers from a Host head ...) NOT-FOR-US: Typesetter CMS CVE-2018-6888 (An issue was discovered in Typesetter 5.1. The User Permissions page ( ...) NOT-FOR-US: Typesetter CMS CVE-2018-6887 RESERVED CVE-2018-6886 RESERVED CVE-2018-6885 (An issue was discovered in MicroStrategy Web Services (the Microsoft O ...) NOT-FOR-US: MicroStrategy Web Services CVE-2018-6884 RESERVED CVE-2018-6883 (Piwigo before 2.9.3 has SQL injection in admin/tags.php in the adminis ...) - piwigo CVE-2018-6882 (Cross-site scripting (XSS) vulnerability in the ZmMailMsgView.getAttac ...) NOT-FOR-US: Zimbra CVE-2018-1000062 (WonderCMS version 2.4.0 contains a Stored Cross-Site Scripting on File ...) NOT-FOR-US: WonderCMS CVE-2018-1000061 REJECTED CVE-2018-1000060 (Sensu, Inc. Sensu Core version Before 1.2.0 & before commit 46ff10 ...) - sensu (bug #838484) CVE-2018-1000059 (ValidFormBuilder version 4.5.4 contains a PHP Object Injection vulnera ...) NOT-FOR-US: ValidFormBuilder CVE-2018-6881 (EmpireCMS 6.6 allows remote attackers to discover the full path via an ...) NOT-FOR-US: EmpireCMS CVE-2018-6880 (EmpireCMS 6.6 through 7.2 allows remote attackers to discover the full ...) NOT-FOR-US: EmpireCMS CVE-2018-6879 (PHP Scripts Mall Website Seller Script 2.0.3 uses the client side to e ...) NOT-FOR-US: PHP Scripts Mall Website Seller Script CVE-2018-6878 (Cross Site Scripting (XSS) exists in the review section in PHP Scripts ...) NOT-FOR-US: PHP Scripts Mall Hot Scripts Clone Script Classified CVE-2018-6877 RESERVED CVE-2018-6876 (The OLEProperty class in ole/oleprop.cpp in libfpx 1.3.1-10, as used i ...) NOT-FOR-US: libfpx CVE-2018-6875 (Format String vulnerability in KeepKey version 4.0.0 allows attackers ...) NOT-FOR-US: KeepKey CVE-2018-6874 (CSRF exists in the Auth0 authentication service through 14591 if the L ...) NOT-FOR-US: Auth0 CVE-2018-6873 (The Auth0 authentication service before 2017-10-15 allows privilege es ...) NOT-FOR-US: Auth0 CVE-2018-6872 (The elf_parse_notes function in elf.c in the Binary File Descriptor (B ...) - binutils 2.30-4 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22788 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=ef135d4314fd4c2d7da66b9d7b59af4a85b0f7e6 CVE-2018-6871 (LibreOffice before 5.4.5 and 6.x before 6.0.1 allows remote attackers ...) {DSA-4111-2 DSA-4111-1} - libreoffice 1:6.0.1-1 [wheezy] - libreoffice (Vulnerable code not present) NOTE: https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure CVE-2018-6870 (Reflected XSS exists in PHP Scripts Mall Website Seller Script 2.0.3 v ...) NOT-FOR-US: PHP Scripts Mall Website Seller Script CVE-2018-6869 (In ZZIPlib 0.13.68, there is an uncontrolled memory allocation and a c ...) {DLA-2258-1 DLA-1287-1} - zziplib 0.13.62-3.2 (bug #889089) [stretch] - zziplib 0.13.62-3.2~deb9u1 NOTE: https://github.com/gdraheim/zziplib/issues/22 NOTE: https://github.com/gdraheim/zziplib/commit/0c0c9256b0903f664bca25dd8d924211f81e01d3 (v0.13.68) CVE-2018-6868 (Cross Site Scripting (XSS) exists in PHP Scripts Mall Slickdeals / Dea ...) NOT-FOR-US: PHP Scripts Mall Slickdeals / DealNews / Groupon Clone Script CVE-2018-6867 (Cross Site Scripting (XSS) exists in PHP Scripts Mall Alibaba Clone Sc ...) NOT-FOR-US: PHP Scripts Mall Alibaba Clone Script CVE-2018-6866 (Cross Site Scripting (XSS) exists in PHP Scripts Mall Learning and Exa ...) NOT-FOR-US: PHP Scripts Mall Learning and Examination Management System Script CVE-2018-6865 RESERVED CVE-2018-6864 (Cross Site Scripting (XSS) exists in PHP Scripts Mall Multi religion R ...) NOT-FOR-US: PHP Scripts Mall Multi religion Responsive Matrimonial CVE-2018-6863 (SQL Injection exists in PHP Scripts Mall Select Your College Script 2. ...) NOT-FOR-US: PHP Scripts Mall Select Your College Script CVE-2018-6862 (Cross Site Scripting (XSS) exists in PHP Scripts Mall Bitcoin MLM Soft ...) NOT-FOR-US: PHP Scripts Mall Bitcoin MLM Software CVE-2018-6861 (Cross Site Scripting (XSS) exists in PHP Scripts Mall Lawyer Search Sc ...) NOT-FOR-US: PHP Scripts Mall Lawyer Search Script CVE-2018-6860 (Arbitrary File Upload and Remote Code Execution exist in PHP Scripts M ...) NOT-FOR-US: PHP Scripts Mall Schools Alert Management Script CVE-2018-6859 (SQL Injection exists in PHP Scripts Mall Schools Alert Management Scri ...) NOT-FOR-US: PHP Scripts Mall Schools Alert Management Script CVE-2018-6858 (Cross Site Scripting (XSS) exists in PHP Scripts Mall Facebook Clone S ...) NOT-FOR-US: PHP Scripts Mall Facebook Clone Script CVE-2018-6857 (Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00. ...) NOT-FOR-US: Sophos CVE-2018-6856 (Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00. ...) NOT-FOR-US: Sophos CVE-2018-6855 (Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00. ...) NOT-FOR-US: Sophos CVE-2018-6854 (Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00. ...) NOT-FOR-US: Sophos CVE-2018-6853 (Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00. ...) NOT-FOR-US: Sophos CVE-2018-6852 (Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00. ...) NOT-FOR-US: Sophos CVE-2018-6851 (Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00. ...) NOT-FOR-US: Sophos CVE-2018-6850 RESERVED CVE-2018-6849 (In the WebRTC component in DuckDuckGo 4.2.0, after visiting a web site ...) NOT-FOR-US: DuckDuckGo CVE-2018-6848 RESERVED CVE-2018-6847 RESERVED CVE-2018-6846 (Z-BlogPHP 1.5.1 allows remote attackers to discover the full path via ...) NOT-FOR-US: Z-BlogPHP CVE-2018-6845 (PHP Scripts Mall Multi Language Olx Clone Script 2.0.6 has XSS via the ...) NOT-FOR-US: PHP Scripts Mall Multi Language Olx Clone Script CVE-2018-6844 (MyBB 1.8.14 has XSS via the Title or Description field on the Edit For ...) NOT-FOR-US: MyBB CVE-2018-6843 (Kentico 10 before 10.0.50 and 11 before 11.0.3 has SQL injection in th ...) NOT-FOR-US: Kentico CMS CVE-2018-6842 (Kentico 10 before 10.0.50 and 11 before 11.0.3 has XSS in which a craf ...) NOT-FOR-US: Kentico CMS CVE-2018-6841 RESERVED CVE-2018-6840 RESERVED CVE-2018-6839 RESERVED CVE-2018-6838 RESERVED CVE-2018-6837 RESERVED CVE-2018-6836 (The netmonrec_comment_destroy function in wiretap/netmon.c in Wireshar ...) - wireshark (Vulnerable code introduced in v2.5.0) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14397 NOTE: Introduced by: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=52823805b29a44a83eacd0e5b415b11227ec313b NOTE: Fixed by: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=28960d79cca262ac6b974f339697b299a1e28fef CVE-2018-6835 (node/hooks/express/apicalls.js in Etherpad Lite before v1.6.3 mishandl ...) - etherpad-lite (bug #576998) CVE-2018-6834 (static/js/pad_utils.js in Etherpad Lite before v1.6.3 has XSS via wind ...) - etherpad-lite (bug #576998) CVE-2018-6833 RESERVED CVE-2018-6832 (Stack-based buffer overflow in the getSWFlag function in Foscam Camera ...) NOT-FOR-US: Foscam Cameras CVE-2018-6831 (The setSystemTime function in Foscam Cameras C1 Lite V3, and C1 V3 wit ...) NOT-FOR-US: Foscam Cameras CVE-2018-6830 (Directory traversal vulnerability in Foscam Cameras C1 Lite V3, and C1 ...) NOT-FOR-US: Foscam Cameras CVE-2018-6829 (cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt mess ...) - libgcrypt20 (unimportant) - libgcrypt11 (unimportant) - gnupg1 (unimportant) - gnupg (unimportant) NOTE: https://github.com/weikengchen/attack-on-libgcrypt-elgamal NOTE: https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki NOTE: https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html NOTE: GnuPG uses ElGamal in hybrid mode only. NOTE: This is not a vulnerability in libgcrypt, but in an application using NOTE: it in an insecure manner, see also NOTE: https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004401.html CVE-2018-6828 RESERVED CVE-2018-6827 (VOBOT CLOCK before 0.99.30 devices do not verify X.509 certificates fr ...) NOT-FOR-US: VOBOT CLOCK CVE-2018-6826 (An issue was discovered on VOBOT CLOCK before 0.99.30 devices. Clearte ...) NOT-FOR-US: VOBOT CLOCK CVE-2018-6825 (An issue was discovered on VOBOT CLOCK before 0.99.30 devices. An SSH ...) NOT-FOR-US: VOBOT CLOCK CVE-2018-6824 (Cozy version 2 has XSS allowing remote attackers to obtain administrat ...) NOT-FOR-US: Cozy CVE-2018-6823 (In the VPN client in Mailbutler Shimo before 4.1.5.1 on macOS, the com ...) NOT-FOR-US: Mailbutler Shimo CVE-2018-6822 (In PureVPN 6.0.1 on macOS, HelperTool LaunchDaemon implements an unpro ...) NOT-FOR-US: PureVPN CVE-2018-6821 REJECTED CVE-2018-6820 REJECTED CVE-2018-6819 REJECTED CVE-2018-6818 REJECTED CVE-2018-6817 REJECTED CVE-2018-6816 RESERVED CVE-2018-6815 RESERVED CVE-2018-6814 RESERVED CVE-2018-6813 RESERVED CVE-2018-6812 RESERVED CVE-2018-6811 (Multiple cross-site scripting (XSS) vulnerabilities in Citrix NetScale ...) NOT-FOR-US: Citrix CVE-2018-6810 (Directory traversal vulnerability in NetScaler ADC 10.5, 11.0, 11.1, a ...) NOT-FOR-US: Citrix CVE-2018-6809 (NetScaler ADC 10.5, 11.0, 11.1, and 12.0, and NetScaler Gateway 10.5, ...) NOT-FOR-US: Citrix CVE-2018-6808 (NetScaler ADC 10.5, 11.0, 11.1, and 12.0, and NetScaler Gateway 10.5, ...) NOT-FOR-US: Citrix CVE-2018-6807 RESERVED CVE-2018-6806 (Marked 2 through 2.5.11 allows remote attackers to read arbitrary file ...) NOT-FOR-US: Marked 2 CVE-2018-6805 RESERVED CVE-2018-6804 RESERVED CVE-2018-6803 RESERVED CVE-2018-6802 RESERVED CVE-2018-6801 RESERVED CVE-2018-6800 RESERVED CVE-2018-6799 (The AcquireCacheNexus function in magick/pixel_cache.c in GraphicsMagi ...) {DSA-4321-1 DLA-1456-1 DLA-1282-1} - graphicsmagick 1.3.28-1 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/531/ NOTE: https://sourceforge.net/p/graphicsmagick/bugs/532/ NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/b41e2efce6d3 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/d30ed06e9b87 CVE-2018-6798 (An issue was discovered in Perl 5.22 through 5.26. Matching a crafted ...) - perl 5.26.1-6 [stretch] - perl 5.24.1-3+deb9u3 [jessie] - perl (Issue introduced later) [wheezy] - perl (Issue introduced later) NOTE: https://rt.perl.org/Public/Bug/Display.html?id=132063 NOTE: maint-5.26: https://perl5.git.perl.org/perl.git/commitdiff/8e6f44c90c7fa1f63c19a44c45482b09a407e15b NOTE: maint-5.26: https://perl5.git.perl.org/perl.git/commitdiff/8b80ce67ff257aaa36e47eaf4194d27a51595524 NOTE: maint-5.24: https://perl5.git.perl.org/perl.git/commitdiff/0abf1e8d89aecd32dbdabda5da4d52a2d57a7cff NOTE: maint-5.24: https://perl5.git.perl.org/perl.git/commitdiff/f65da1ca2eee74696d9c120e9d69af37b4fa1920 CVE-2018-6797 (An issue was discovered in Perl 5.18 through 5.26. A crafted regular e ...) - perl 5.26.1-6 [stretch] - perl 5.24.1-3+deb9u3 [jessie] - perl (Backport of fixes too intrusive and risky for regressions) [wheezy] - perl (Backport of fixes too intrusive and risky for regressions) NOTE: https://rt.perl.org/Public/Bug/Display.html?id=132227 NOTE: maint-5.26: https://perl5.git.perl.org/perl.git/commitdiff/abe1e6c568b96bcb382dfa4f61c56d1ab001ea51 NOTE: maint-5.24: https://perl5.git.perl.org/perl.git/commitdiff/510cc261d965ccfa427900ebb368fc4d337442d2 CVE-2018-6796 (PHP Scripts Mall Multilanguage Real Estate MLM Script 3.0 has Stored X ...) NOT-FOR-US: PHP Scripts Mall Multilanguage Real Estate MLM Script CVE-2018-6795 (PHP Scripts Mall Naukri Clone Script 3.0.3 has Stored XSS via every pr ...) NOT-FOR-US: PHP Scripts Mall Naukri Clone Script CVE-2018-6794 (Suricata before 4.0.4 is prone to an HTTP detection bypass vulnerabili ...) {DLA-1603-1} - suricata 1:4.0.4-1 (bug #889842) [stretch] - suricata (Minor issue) [wheezy] - suricata (Minor issue) NOTE: https://redmine.openinfosecfoundation.org/issues/2427 NOTE: https://github.com/OISF/suricata/pull/3202/commits/e1ef57c848bbe4e567d5d4b66d346a742e3f77a1 CVE-2018-6793 RESERVED CVE-2018-6792 (Multiple SQL injection vulnerabilities in Saifor CVMS HUB 1.3.1 allow ...) NOT-FOR-US: Saifor CVMS HUB CVE-2018-6791 (An issue was discovered in soliduiserver/deviceserviceaction.cpp in KD ...) {DSA-4116-1} - plasma-workspace 4:5.12.0-2 - kde-runtime (Performs correct escaping) NOTE: https://bugs.kde.org/show_bug.cgi?id=389815 NOTE: https://commits.kde.org/plasma-workspace/f32002ce50edc3891f1fa41173132c820b917d57 (Plasma/5.12) NOTE: https://commits.kde.org/plasma-workspace/9db872df82c258315c6ebad800af59e81ffb9212 (Plasma/5.8) CVE-2018-6790 (An issue was discovered in KDE Plasma Workspace before 5.12.0. dataeng ...) - plasma-workspace 4:5.12.0-2 [stretch] - plasma-workspace (Minor issue, too intrusive to backport) NOTE: https://phabricator.kde.org/D10188 NOTE: https://cgit.kde.org/plasma-workspace.git/commit/?id=5bc696b5abcdb460c1017592e80b2d7f6ed3107c NOTE: https://cgit.kde.org/plasma-workspace.git/commit/?id=8164beac15ea34ec0d1564f0557fe3e742bdd938 CVE-2018-6789 (An issue was discovered in the base64d function in the SMTP listener i ...) {DSA-4110-1 DLA-1274-1} - exim4 4.90.1-1 (bug #890000) NOTE: http://www.openwall.com/lists/oss-security/2018/02/07/2 NOTE: https://exim.org/static/doc/security/CVE-2018-6789.txt NOTE: https://bugs.exim.org/show_bug.cgi?id=2235 NOTE: https://git.exim.org/exim.git/commit/062990cc1b2f9e5d82a413b53c8f0569075de700 CVE-2018-6788 (In Jiangmin Antivirus 16.0.0.100, the driver file (KVFG.sys) allows lo ...) NOT-FOR-US: Jiangmin Antivirus CVE-2018-6787 (In Jiangmin Antivirus 16.0.0.100, the driver file (KVFG.sys) allows lo ...) NOT-FOR-US: Jiangmin Antivirus CVE-2018-6786 (In Jiangmin Antivirus 16.0.0.100, the driver file (KVFG.sys) allows lo ...) NOT-FOR-US: Jiangmin Antivirus CVE-2018-6785 (In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allow ...) NOT-FOR-US: Jiangmin Antivirus CVE-2018-6784 (In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allow ...) NOT-FOR-US: Jiangmin Antivirus CVE-2018-6783 (In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allow ...) NOT-FOR-US: Jiangmin Antivirus CVE-2018-6782 (In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allow ...) NOT-FOR-US: Jiangmin Antivirus CVE-2018-6781 (In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allow ...) NOT-FOR-US: Jiangmin Antivirus CVE-2018-6780 (In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allow ...) NOT-FOR-US: Jiangmin Antivirus CVE-2018-6779 (In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allow ...) NOT-FOR-US: Jiangmin Antivirus CVE-2018-6778 (In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allow ...) NOT-FOR-US: Jiangmin Antivirus CVE-2018-6777 (In Jiangmin Antivirus 16.0.0.100, the driver file (KVFG.sys) allows lo ...) NOT-FOR-US: Jiangmin Antivirus CVE-2018-6776 (In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allow ...) NOT-FOR-US: Jiangmin Antivirus CVE-2018-6775 (In Jiangmin Antivirus 16.0.0.100, the driver file (KrnlCall.sys) allow ...) NOT-FOR-US: Jiangmin Antivirus CVE-2018-6774 (In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allow ...) NOT-FOR-US: Jiangmin Antivirus CVE-2018-6773 (In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allow ...) NOT-FOR-US: Jiangmin Antivirus CVE-2018-6772 (In Jiangmin Antivirus 16.0.0.100, the driver file (KrnlCall.sys) allow ...) NOT-FOR-US: Jiangmin Antivirus CVE-2018-6771 (In Jiangmin Antivirus 16.0.0.100, the driver file (KrnlCall.sys) allow ...) NOT-FOR-US: Jiangmin Antivirus CVE-2018-6770 (In Jiangmin Antivirus 16.0.0.100, the driver file (KrnlCall.sys) allow ...) NOT-FOR-US: Jiangmin Antivirus CVE-2018-6769 (In Jiangmin Antivirus 16.0.0.100, the driver file (KrnlCall.sys) allow ...) NOT-FOR-US: Jiangmin Antivirus CVE-2018-6768 (In Jiangmin Antivirus 16.0.0.100, the driver file (KSysCall.sys) allow ...) NOT-FOR-US: Jiangmin Antivirus CVE-2018-6766 (Swisscom TVMediaHelper 1.1.0.50 contains a vulnerability that could al ...) NOT-FOR-US: Swisscom TVMediaHelper CVE-2018-6765 (Swisscom MySwisscomAssistant 2.17.1.1065 contains a vulnerability that ...) NOT-FOR-US: Swisscom MySwisscomAssistant CVE-2018-6763 RESERVED CVE-2018-6762 RESERVED CVE-2018-6761 RESERVED CVE-2018-6760 RESERVED CVE-2018-6767 (A stack-based buffer over-read in the ParseRiffHeaderConfig function o ...) {DSA-4125-1} - wavpack 5.1.0-3 (bug #889276) [jessie] - wavpack (Vulnerable code introduced later in 4.80.0) [wheezy] - wavpack (Vulnerable code introduced later in 4.80.0) NOTE: https://github.com/dbry/WavPack/issues/27 NOTE: https://github.com/dbry/WavPack/commit/d5bf76b5a88d044a1be1d5656698e3ba737167e5 CVE-2018-6764 (util/virlog.c in libvirt does not properly determine the hostname on L ...) - libvirt 4.0.0-2 (bug #889839) [stretch] - libvirt 3.0.0-4+deb9u3 [jessie] - libvirt (Vulnerable code introduced later in 1.3.1) [wheezy] - libvirt (Vulnerable code introduced later in 1.3.1) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1541444 NOTE: introduced-by https://libvirt.org/git/?p=libvirt.git;a=commit;h=759b4d1b0fe5f4d84d98b99153dfa7ac289dd167 CVE-2018-6759 (The bfd_get_debug_link_info_1 function in opncls.c in the Binary File ...) - binutils 2.30-3 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22794 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=64e234d417d5685a4aec0edc618114d9991c031b CVE-2018-6757 (Privilege Escalation vulnerability in Microsoft Windows client in McAf ...) NOT-FOR-US: McAfee True Key CVE-2018-6756 (Authentication Abuse vulnerability in Microsoft Windows client in McAf ...) NOT-FOR-US: McAfee True Key CVE-2018-6755 (Weak Directory Permission Vulnerability in Microsoft Windows client in ...) NOT-FOR-US: McAfee True Key CVE-2018-6754 RESERVED CVE-2018-6753 RESERVED CVE-2018-6752 RESERVED CVE-2018-6751 RESERVED CVE-2018-6750 RESERVED CVE-2018-6749 RESERVED CVE-2018-6748 RESERVED CVE-2018-6747 RESERVED CVE-2018-6746 RESERVED CVE-2018-6745 RESERVED CVE-2018-6744 RESERVED CVE-2018-6743 RESERVED CVE-2018-6742 RESERVED CVE-2018-6741 RESERVED CVE-2018-6740 RESERVED CVE-2018-6739 RESERVED CVE-2018-6738 RESERVED CVE-2018-6737 RESERVED CVE-2018-6736 RESERVED CVE-2018-6735 RESERVED CVE-2018-6734 RESERVED CVE-2018-6733 RESERVED CVE-2018-6732 RESERVED CVE-2018-6731 RESERVED CVE-2018-6730 RESERVED CVE-2018-6729 RESERVED CVE-2018-6728 RESERVED CVE-2018-6727 RESERVED CVE-2018-6726 RESERVED CVE-2018-6725 RESERVED CVE-2018-6724 RESERVED CVE-2018-6723 RESERVED CVE-2018-6722 RESERVED CVE-2018-6721 RESERVED CVE-2018-6720 RESERVED CVE-2018-6719 RESERVED CVE-2018-6718 RESERVED CVE-2018-6717 RESERVED CVE-2018-6716 RESERVED CVE-2018-6715 RESERVED CVE-2018-6714 RESERVED CVE-2018-6713 RESERVED CVE-2018-6712 RESERVED CVE-2018-6711 RESERVED CVE-2018-6710 RESERVED CVE-2018-6709 RESERVED CVE-2018-6708 RESERVED CVE-2018-6707 (Denial of Service through Resource Depletion vulnerability in the agen ...) NOT-FOR-US: McAfee CVE-2018-6706 (Insecure handling of temporary files in non-Windows McAfee Agent 5.0.0 ...) NOT-FOR-US: McAfee CVE-2018-6705 (Privilege escalation vulnerability in McAfee Agent (MA) for Linux 5.0. ...) NOT-FOR-US: McAfee CVE-2018-6704 (Privilege escalation vulnerability in McAfee Agent (MA) for Linux 5.0. ...) NOT-FOR-US: McAfee CVE-2018-6703 (Use After Free in Remote logging (which is disabled by default) in McA ...) NOT-FOR-US: McAfee CVE-2018-6702 RESERVED CVE-2018-6701 RESERVED CVE-2018-6700 (DLL Search Order Hijacking vulnerability in Microsoft Windows Client i ...) NOT-FOR-US: McAfee CVE-2018-6699 RESERVED CVE-2018-6698 RESERVED CVE-2018-6697 RESERVED CVE-2018-6696 RESERVED CVE-2018-6695 (SSH host keys generation vulnerability in the server in McAfee Threat ...) NOT-FOR-US: McAfee CVE-2018-6694 RESERVED CVE-2018-6693 (An unprivileged user can delete arbitrary files on a Linux system runn ...) NOT-FOR-US: McAfee CVE-2018-6692 (Stack-based Buffer Overflow vulnerability in libUPnPHndlr.so in Belkin ...) NOT-FOR-US: Belkin Wemo Insight Smart Plug CVE-2018-6691 RESERVED CVE-2018-6690 (Accessing, modifying, or executing executable files vulnerability in M ...) NOT-FOR-US: McAfee CVE-2018-6689 (Authentication Bypass vulnerability in McAfee Data Loss Prevention End ...) NOT-FOR-US: McAfee CVE-2018-6688 RESERVED CVE-2018-6687 (Loop with Unreachable Exit Condition ('Infinite Loop') in McAfee GetSu ...) NOT-FOR-US: McAfee CVE-2018-6686 (Authentication Bypass vulnerability in TPM autoboot in McAfee Drive En ...) NOT-FOR-US: McAfee CVE-2018-6685 RESERVED CVE-2018-6684 RESERVED CVE-2018-6683 (Exploiting Incorrectly Configured Access Control Security Levels vulne ...) NOT-FOR-US: McAfee CVE-2018-6682 (Cross Site Scripting Exposure in McAfee True Key (TK) 4.0.0.0 and earl ...) NOT-FOR-US: McAfee CVE-2018-6681 (Abuse of Functionality vulnerability in the web interface in McAfee Ne ...) NOT-FOR-US: McAfee CVE-2018-6680 RESERVED CVE-2018-6679 RESERVED CVE-2018-6678 (Configuration/Environment manipulation vulnerability in the administra ...) NOT-FOR-US: McAfee CVE-2018-6677 (Directory Traversal vulnerability in the administrative user interface ...) NOT-FOR-US: McAfee CVE-2018-6676 RESERVED CVE-2018-6675 RESERVED CVE-2018-6674 (Privilege Escalation vulnerability in Microsoft Windows client (McTray ...) NOT-FOR-US: McAfee CVE-2018-6673 RESERVED CVE-2018-6672 (Information disclosure vulnerability in McAfee ePolicy Orchestrator (e ...) NOT-FOR-US: McAfee CVE-2018-6671 (Application Protection Bypass vulnerability in McAfee ePolicy Orchestr ...) NOT-FOR-US: McAfee CVE-2018-6670 (External Entity Attack vulnerability in the ePO extension in McAfee Co ...) NOT-FOR-US: McAfee CVE-2018-6669 (A whitelist bypass vulnerability in McAfee Application Control / Chang ...) NOT-FOR-US: McAfee CVE-2018-6668 (A whitelist bypass vulnerability in McAfee Application Control / Chang ...) NOT-FOR-US: McAfee CVE-2018-6667 (Authentication Bypass vulnerability in the administrative user interfa ...) NOT-FOR-US: McAfee CVE-2018-6666 RESERVED CVE-2018-6665 RESERVED CVE-2018-6664 (Application Protections Bypass vulnerability in Microsoft Windows in M ...) NOT-FOR-US: McAfee CVE-2018-6663 RESERVED CVE-2018-6662 (Privilege Escalation vulnerability in McAfee Management of Native Encr ...) NOT-FOR-US: McAfee CVE-2018-6661 (DLL Side-Loading vulnerability in Microsoft Windows Client in McAfee T ...) NOT-FOR-US: McAfee CVE-2018-6660 (Directory Traversal vulnerability in McAfee ePolicy Orchestrator (ePO) ...) NOT-FOR-US: McAfee CVE-2018-6659 (Reflected Cross-Site Scripting vulnerability in McAfee ePolicy Orchest ...) NOT-FOR-US: McAfee CVE-2018-6658 RESERVED CVE-2018-6758 (The uwsgi_expand_path function in core/utils.c in Unbit uWSGI through ...) {DLA-1275-1} - uwsgi 2.0.15-10.2 (bug #889753) [stretch] - uwsgi 2.0.14+20161117-3+deb9u1 [jessie] - uwsgi 2.0.7-1+deb8u2 NOTE: http://lists.unbit.it/pipermail/uwsgi/2018-February/008835.html NOTE: https://github.com/unbit/uwsgi/commit/cb4636f7c0af2e97a4eef7a3cdcbd85a71247bfe CVE-2018-6657 RESERVED CVE-2018-6656 (Z-BlogPHP 1.5.1 has CSRF via zb_users/plugin/AppCentre/app_del.php, as ...) NOT-FOR-US: Z-BlogPHP CVE-2018-6655 (PHP Scripts Mall Doctor Search Script 1.0.2 has Stored XSS via an arbi ...) NOT-FOR-US: PHP Scripts Mall Doctor Search Script CVE-2018-6654 (The Grammarly extension before 2018-02-02 for Chrome allows remote att ...) NOT-FOR-US: Grammarly extension for Chrome CVE-2018-6653 (comforte SWAP 1049 through 1069 and 20.0.0 through 21.5.3 (as used in ...) NOT-FOR-US: comforte SWAP CVE-2018-6652 RESERVED CVE-2018-6651 (In the uncurl_ws_accept function in uncurl.c in uncurl before 0.07, as ...) NOT-FOR-US: uncurl CVE-2018-6650 RESERVED CVE-2018-6649 RESERVED CVE-2018-6648 RESERVED CVE-2018-6647 RESERVED CVE-2018-6646 RESERVED CVE-2018-6645 RESERVED CVE-2018-6644 (SBLIM Small Footprint CIM Broker (SFCB) 1.4.9 has a null pointer (DoS) ...) - sblim-sfcb (bug #754493) CVE-2018-6643 (Infoblox NetMRI 7.1.1 has Reflected Cross-Site Scripting via the /api/ ...) NOT-FOR-US: Infoblox NetMRI CVE-2018-6642 RESERVED CVE-2018-6641 (An Arbitrary Free (Remote Code Execution) issue was discovered in Desi ...) NOT-FOR-US: Design Science MathType CVE-2018-6640 (A Heap Overflow (Remote Code Execution) issue was discovered in Design ...) NOT-FOR-US: Design Science MathType CVE-2018-6639 (An out-of-bounds write (Remote Code Execution) issue was discovered in ...) NOT-FOR-US: Design Science MathType CVE-2018-6638 (A stack-based buffer overflow (Remote Code Execution) issue was discov ...) NOT-FOR-US: Design Science MathType CVE-2018-6637 RESERVED CVE-2018-6636 RESERVED CVE-2018-6635 (System Manager in Avaya Aura before 7.1.2 does not properly use SSL in ...) NOT-FOR-US: System Manager in Avaya Aura CVE-2018-6634 (A vulnerability in Parsec Windows 142-0 and Parsec 'Linux Ubuntu 16.04 ...) NOT-FOR-US: Parsec CVE-2018-6633 (In Micropoint proactive defense software 2.0.20266.0146, the driver fi ...) NOT-FOR-US: Micropoint proactive defense software CVE-2018-6632 (In Micropoint proactive defense software 2.0.20266.0146, the driver fi ...) NOT-FOR-US: Micropoint proactive defense software CVE-2018-6631 (In Micropoint proactive defense software 2.0.20266.0146, the driver fi ...) NOT-FOR-US: Micropoint proactive defense software CVE-2018-6630 (In Micropoint proactive defense software 2.0.20266.0146, the driver fi ...) NOT-FOR-US: Micropoint proactive defense software CVE-2018-6629 (In Micropoint proactive defense software 2.0.20266.0146, the driver fi ...) NOT-FOR-US: Micropoint proactive defense software CVE-2018-6628 (In Micropoint proactive defense software 2.0.20266.0146, the driver fi ...) NOT-FOR-US: Micropoint proactive defense software CVE-2018-6627 (In WatchDog Anti-Malware 2.74.186.150, the driver file (ZAMGUARD32.SYS ...) NOT-FOR-US: WatchDog Anti-Malware CVE-2018-6626 (In Micropoint proactive defense software 2.0.20266.0146, the driver fi ...) NOT-FOR-US: Micropoint proactive defense software CVE-2018-6625 (In WatchDog Anti-Malware 2.74.186.150, the driver file (ZAMGUARD32.SYS ...) NOT-FOR-US: WatchDog Anti-Malware CVE-2018-6624 (OMRON NS devices 1.1 through 1.3 allow remote attackers to bypass auth ...) NOT-FOR-US: OMRON NS devices CVE-2018-6623 (An issue was discovered in Hola 1.79.859. An unprivileged user could m ...) NOT-FOR-US: Hola CVE-2018-1000058 (Jenkins Pipeline: Supporting APIs Plugin 2.17 and earlier have an arbi ...) NOT-FOR-US: jenkins-plugin-workflow-support CVE-2018-1000057 (Jenkins Credentials Binding Plugin 1.14 and earlier masks passwords it ...) NOT-FOR-US: jenkins-plugin-credentials-binding CVE-2018-1000056 (Jenkins JUnit Plugin 1.23 and earlier processes XML external entities ...) NOT-FOR-US: jenkins-plugin-junit CVE-2018-1000055 (Jenkins Android Lint Plugin 2.5 and earlier processes XML external ent ...) NOT-FOR-US: Jenkins Android Lint Plugin CVE-2018-1000054 (Jenkins CCM Plugin 3.1 and earlier processes XML external entities in ...) NOT-FOR-US: Jenkins CCM Plugin CVE-2018-1000053 (LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request For ...) - limesurvey (bug #472802) CVE-2018-1000052 (fmtlib version prior to version 4.1.0 (before commit 0555cea5fc0bf890a ...) - fmtlib 5.2.1+ds-1 (unimportant; bug #890033) NOTE: https://github.com/fmtlib/fmt/issues/642 NOTE: https://github.com/fmtlib/fmt/commit/8cf30aa2be256eba07bb1cefb998c52326e846e7 NOTE: This looks bogus, how would that come from untrusted input CVE-2018-1000051 (Artifex Mupdf version 1.12.0 contains a Use After Free vulnerability i ...) {DSA-4152-1} - mupdf 1.12.0+ds1-1 (bug #891245) [wheezy] - mupdf (Vulnerable code not present, introduced in version 1.3) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698825 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698873 NOTE: Fixed by: http://www.ghostscript.com/cgi-bin/findgit.cgi?321ba1de287016b0036bf4a56ce774ad11763384 CVE-2018-1000050 (Sean Barrett stb_vorbis version 1.12 and earlier contains a Buffer Ove ...) - libstb (Fixed before initial upload to Debian) NOTE: https://github.com/nothings/stb/commit/dfff6f5e7cd412876fe6282f157c1928b99d1de9 NOTE: Potentially affects liblivemedia, retroarch, godot, yquake2, pax-britannica, libxmp, faudio CVE-2018-1000049 (Nanopool Claymore Dual Miner version 7.3 and earlier contains a remote ...) NOT-FOR-US: nanopool Claymore Dual Miner CVE-2018-1000048 (NASA RtRetrievalFramework version v1.0 contains a CWE-502 vulnerabilit ...) NOT-FOR-US: NASA RtRetrievalFramework CVE-2018-1000047 (NASA Kodiak version v1.0 contains a CWE-502 vulnerability in Kodiak li ...) NOT-FOR-US: NASA Kodiak CVE-2018-1000046 (NASA Pyblock version v1.0 - v1.3 contains a CWE-502 vulnerability in R ...) NOT-FOR-US: NASA Pyblock CVE-2018-1000045 (NASA Singledop version v1.0 contains a CWE-502 vulnerability in NASA S ...) NOT-FOR-US: NASA Singledop CVE-2018-1000044 (Security Onion Solutions Squert version 1.1.1 through 1.6.7 contains a ...) NOT-FOR-US: Security Onion Solutions Squert CVE-2018-1000043 (Security Onion Solutions Squert version 1.0.1 through 1.6.7 contains a ...) NOT-FOR-US: Security Onion Solutions Squert CVE-2018-1000042 (Security Onion Solutions Squert version 1.3.0 through 1.6.7 contains a ...) NOT-FOR-US: Security Onion Solutions Squert CVE-2018-1000041 (GNOME librsvg version before commit c6ddf2ed4d768fd88adbea2b63f575cd52 ...) {DLA-1278-1} - librsvg (Specific to Windows) NOTE: Merge of changes: https://github.com/GNOME/librsvg/commit/c6ddf2ed4d768fd88adbea2b63f575cd523022ea NOTE: https://github.com/GNOME/librsvg/commit/4de19d9fdddf81773125b04a4defe1ffd0d3bfe0 CVE-2017-18174 (In the Linux kernel before 4.7, the amd_gpio_remove function in driver ...) - linux (Vulnerable code not present) NOTE: double-free introduced and fixed in the 4.11 release cycle CVE-2017-18173 (In case of using an invalid android verified boot signature with very ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18172 (In a device, with screen size 1440x2560, the check of contiguous buffe ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18171 (Improper input validation for GATT data packet received in Bluetooth C ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18170 (Improper input validation in Bluetooth Controller function can lead to ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18169 (User process can perform the kernel DOS in ashmem when doing cache mai ...) - linux (Android-specific) CVE-2017-18168 RESERVED CVE-2017-18167 RESERVED CVE-2017-18166 RESERVED CVE-2017-18165 RESERVED CVE-2017-18164 RESERVED CVE-2017-18163 RESERVED CVE-2017-18162 RESERVED CVE-2017-18161 RESERVED CVE-2017-18160 (AGPS session failure in GNSS module due to cyphersuites are hardcoded ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18159 (In Android releases from CAF using the linux kernel (Android for MSM, ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18158 (Possible buffer overflows and array out of bounds accesses in Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18157 (A Use After Free Condition can occur in Thermal Engine in Snapdragon A ...) NOT-FOR-US: Snapdragon CVE-2017-18156 (While processing camera buffers in camera driver, a use after free con ...) NOT-FOR-US: Snapdragon CVE-2017-18155 (While playing HEVC content using HD DMB in Snapdragon Automobile and S ...) NOT-FOR-US: Snapdragon CVE-2017-18154 (A crafted binder request can cause an arbitrary unmap in MediaServer i ...) NOT-FOR-US: Android Mediaserver CVE-2017-18153 RESERVED NOT-FOR-US: Qualcomm components for Android CVE-2017-18152 RESERVED CVE-2017-18151 RESERVED CVE-2017-18150 RESERVED CVE-2017-18149 RESERVED CVE-2017-18148 RESERVED CVE-2017-18147 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18146 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18145 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18144 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18143 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18142 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18141 (When a 3rd party TEE has been loaded it is possible for the non-secure ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18140 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18139 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18138 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18137 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18136 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18135 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18134 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18133 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18132 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18131 (In QTEE, an incorrect fuse value can be blown in Snapdragon Automobile ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18130 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18129 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18128 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18127 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18126 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18125 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18124 (During secure boot, addition is performed on uint8 ptrs which led to o ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-6622 (An issue was discovered that affects all producers of BIOS firmware wh ...) NOT-FOR-US: Generic TPM issue CVE-2018-6621 (The decode_frame function in libavcodec/utvideodec.c in FFmpeg through ...) {DSA-4249-1 DLA-1630-1} - ffmpeg 7:3.4.2-1 (low) - libav NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/118e1b0b3370dd1c0da442901b486689efd1654b NOTE: Fixed in 3.2.11 CVE-2018-6620 REJECTED CVE-2018-6619 (Easy Hosting Control Panel (EHCP) v0.37.12.b makes it easier for attac ...) NOT-FOR-US: Easy Hosting Control Panel (EHCP) CVE-2018-6618 (Easy Hosting Control Panel (EHCP) v0.37.12.b allows attackers to obtai ...) NOT-FOR-US: Easy Hosting Control Panel (EHCP) CVE-2018-6617 (Easy Hosting Control Panel (EHCP) v0.37.12.b, when using a local MySQL ...) NOT-FOR-US: Easy Hosting Control Panel (EHCP) CVE-2018-6616 (In OpenJPEG 2.3.0, there is excessive iteration in the opj_t1_encode_c ...) {DSA-4405-1 DLA-1614-1} - openjpeg2 2.3.0-2 (bug #889683) NOTE: https://github.com/uclouvain/openjpeg/issues/1059 NOTE: https://github.com/uclouvain/openjpeg/commit/8ee335227bbcaf1614124046aa25e53d67b11ec3 CVE-2018-6615 RESERVED CVE-2018-6614 RESERVED CVE-2018-6613 RESERVED CVE-2018-6612 (An integer underflow bug in the process_EXIF function of the exif.c fi ...) - jhead 1:3.00-6 (unimportant; bug #889272) NOTE: https://anonscm.debian.org/git/collab-maint/jhead.git/diff/debian/patches/0008-heap-buffer-overflow.patch?id=01f09ab772d0d341cdc1326490dd2aa5aa2a7784 NOTE: Crash in CLI tool, no security impact CVE-2018-6611 (soundlib/Load_stp.cpp in OpenMPT through 1.27.04.00, and libopenmpt be ...) - libopenmpt 0.3.6-1 (bug #889545) [stretch] - libopenmpt (Vulnerable code not present) NOTE: https://github.com/OpenMPT/openmpt/commit/61fc6d3030a4d4283105cb5fb46b27b42fa5575e CVE-2018-6610 (Information Leakage exists in the jLike 1.0 component for Joomla! via ...) NOT-FOR-US: jLike component for Joomla! CVE-2018-6609 (SQL Injection exists in the JSP Tickets 1.1 component for Joomla! via ...) NOT-FOR-US: JSP Tickets component for Joomla! CVE-2018-6608 (In the WebRTC component in Opera 51.0.2830.55, after visiting a web si ...) NOT-FOR-US: WebRTC component in Opera CVE-2018-6607 RESERVED CVE-2018-6606 (An issue was discovered in MalwareFox AntiMalware 2.74.0.150. Improper ...) NOT-FOR-US: MalwareFox AntiMalware CVE-2018-6605 (SQL Injection exists in the Zh BaiduMap 3.0.0.1 component for Joomla! ...) NOT-FOR-US: Zh BaiduMap component for Joomla! CVE-2018-6604 (SQL Injection exists in the Zh YandexMap 6.2.1.0 component for Joomla! ...) NOT-FOR-US: Zh YandexMap component for Joomla! CVE-2018-6603 (Promise Technology WebPam Pro-E devices allow remote attackers to cond ...) NOT-FOR-US: Promise Technology WebPam Pro-E devices CVE-2018-6602 RESERVED CVE-2018-6601 RESERVED CVE-2018-6600 RESERVED CVE-2018-6599 (An issue was discovered on Orbic Wonder Orbic/RC555L/RC555L:7.1.2/N2G4 ...) NOT-FOR-US: Orbic CVE-2018-6598 (An issue was discovered on Orbic Wonder Orbic/RC555L/RC555L:7.1.2/N2G4 ...) NOT-FOR-US: Orbic CVE-2018-6597 (The Alcatel A30 device with a build fingerprint of TCL/5046G/MICKEY6US ...) NOT-FOR-US: Alcatel A30 device CVE-2018-6596 (webhooks/base.py in Anymail (aka django-anymail) before 1.2.1 is prone ...) {DSA-4107-1} - django-anymail 1.3-1 (bug #889450) NOTE: https://github.com/anymail/django-anymail/commit/db586ede1fbb41dce21310ea28ae15a1cf1286c5 (v1.3) NOTE: https://github.com/anymail/django-anymail/commit/c07998304b4a31df4c61deddcb03d3607a04691b (v1.2.x-branch) CVE-2018-6595 RESERVED CVE-2018-6594 (lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 generates we ...) - pycryptodome 3.4.11-1 (bug #889998) - python-crypto 2.6.1-9 (bug #889999) [stretch] - python-crypto (Minor issue) [jessie] - python-crypto (Minor issue) [wheezy] - python-crypto (Minor issue) NOTE: PyCrypto: https://github.com/dlitz/pycrypto/issues/253 NOTE: The issue is found as well in pycryptodome (fork from python-crypto) NOTE: PyCryptodome: https://github.com/Legrandin/pycryptodome/issues/90 NOTE: PyCrytpodome: https://github.com/Legrandin/pycryptodome/commit/99c27a3b9e8a884bbde0e88c63234b669d4398d8 (3.4.10) NOTE: See further discussion as per https://github.com/Legrandin/pycryptodome/issues/90#issuecomment-362783537 NOTE: Upstream feels that this is not a vulnerability in pycryptodome/python-crypto, NOTE: but in an application using it in an insecure manner. CVE-2018-6593 (An issue was discovered in MalwareFox AntiMalware 2.74.0.150. Improper ...) NOT-FOR-US: MalwareFox AntiMalware CVE-2018-6592 (Unisys Stealth 3.3 Windows endpoints before 3.3.016.1 allow local user ...) NOT-FOR-US: Unisys Stealth Windows endpoints CVE-2018-6591 (Converse.js and Inverse.js through 3.3 allow remote attackers to obtai ...) NOT-FOR-US: Converse.js CVE-2018-6590 (CA API Developer Portal 4.x, prior to v4.2.5.3 and v4.2.7.1, has an un ...) NOT-FOR-US: CA API Developer Portal CVE-2018-6589 (CA Spectrum 10.1 prior to 10.01.02.PTF_10.1.239 and 10.2.x prior to 10 ...) NOT-FOR-US: CA Spectrum CVE-2018-6588 (CA API Developer Portal 3.5 up to and including 3.5 CR5 has a reflecte ...) NOT-FOR-US: CA API Developer Portal CVE-2018-6587 (CA API Developer Portal 3.5 up to and including 3.5 CR6 has a reflecte ...) NOT-FOR-US: CA API Developer Portal CVE-2018-6586 (CA API Developer Portal 3.5 up to and including 3.5 CR6 has a stored c ...) NOT-FOR-US: CA API Developer Portal CVE-2018-1000040 (In MuPDF 1.12.0 and earlier, multiple use of uninitialized value bugs ...) {DSA-4334-1} - mupdf 1.13.0+ds1-1 [jessie] - mupdf (vulnerable code not present) [wheezy] - mupdf (vulnerable code not present) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5596 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5600 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5603 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5609 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5610 NOTE: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=83d4dae44c71816c084a635550acc1a51529b881;hp=f597300439e62f5e921f0d7b1e880b5c1a1f1607 CVE-2018-1000039 (In MuPDF 1.12.0 and earlier, multiple heap use after free bugs in the ...) - mupdf 1.13.0+ds1-1 [jessie] - mupdf (vulnerable code not present) [wheezy] - mupdf (vulnerable code not present) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5492 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5513 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5521 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5604 NOTE: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=4dcc6affe04368461310a21238f7e1871a752a05;hp=8ec561d1bccc46e9db40a9f61310cd8b3763914e NOTE: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=71ceebcf56e682504da22c4035b39a2d451e8ffd;hp=7f82c01523505052615492f8e220f4348ba46995 NOTE: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=f597300439e62f5e921f0d7b1e880b5c1a1f1607;hp=093fc3b098dc5fadef5d8ad4b225db9fb124758b CVE-2018-1000038 (In MuPDF 1.12.0 and earlier, a stack buffer overflow in function pdf_l ...) - mupdf 1.13.0+ds1-1 [jessie] - mupdf (vulnerable code not present) [wheezy] - mupdf (vulnerable code not present) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5494 NOTE: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=71ceebcf56e682504da22c4035b39a2d451e8ffd;hp=7f82c01523505052615492f8e220f4348ba46995 NOTE: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=f597300439e62f5e921f0d7b1e880b5c1a1f1607;hp=093fc3b098dc5fadef5d8ad4b225db9fb124758b CVE-2018-1000037 (In MuPDF 1.12.0 and earlier, multiple reachable assertions in the PDF ...) {DSA-4334-1} - mupdf 1.13.0+ds1-1 [jessie] - mupdf (vulnerable code not present) [wheezy] - mupdf (vulnerable code not present) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5490 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5501 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5503 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5511 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5564 NOTE: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=71ceebcf56e682504da22c4035b39a2d451e8ffd;hp=7f82c01523505052615492f8e220f4348ba46995 NOTE: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=8a3257b01faa899dd9b5e35c6bb3403cd709c371;hp=de39f005f12a1afc6973c1f5cec362d6545f70cb NOTE: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=b2e7d38e845c7d4922d05e6e41f3a2dc1bc1b14a;hp=f51836b9732c38d945b87fda0770009a77ba680c CVE-2018-1000036 (In MuPDF 1.12.0 and earlier, multiple memory leaks in the PDF parser a ...) - mupdf 1.14.0+ds1-1 (unimportant; bug #900129) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5502 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699695 NOTE: http://git.ghostscript.com/?p=mupdf.git;h=985fdcfc117a3bd4bc097cdcae8347b3787fbab2 NOTE: negligible security impact, memory leak in CLI tool CVE-2018-1000035 (A heap-based buffer overflow exists in Info-Zip UnZip version <= 6. ...) {DLA-2082-1} - unzip 6.0-22 (bug #889838) [stretch] - unzip 6.0-21+deb9u1 [wheezy] - unzip (Harmless crash, builds with fortified source) NOTE: https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html NOTE: Patch used in openSUSE:Factory/unzip: https://bugzilla.suse.com/attachment.cgi?id=759406 CVE-2018-1000034 (An out-of-bounds read exists in Info-Zip UnZip version 6.10c22 that al ...) - unzip (Only affects 6.1c22) NOTE: https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html CVE-2018-1000033 (An out-of-bounds read exists in Info-Zip UnZip version 6.10c22 that al ...) - unzip (Only affects 6.1c22) NOTE: https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html CVE-2018-1000032 (A heap-based buffer overflow exists in Info-Zip UnZip version 6.10c22 ...) - unzip (Only affects 6.1c22) NOTE: https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html CVE-2018-1000031 (A heap-based buffer overflow exists in Info-Zip UnZip version 6.10c22 ...) - unzip (Only affects 6.1c22) NOTE: https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html CVE-2017-18123 (The call parameter of /lib/exe/ajax.php in DokuWiki through 2017-02-19 ...) {DLA-1413-1 DLA-1269-1} - dokuwiki 0.0.20160626.a-2.1 (bug #889281) NOTE: https://github.com/splitbrain/dokuwiki/issues/2029 NOTE: https://github.com/splitbrain/dokuwiki/commit/238b8e878ad48f370903465192b57c2072f65d86 CVE-2018-6585 (SQL Injection exists in the JTicketing 2.0.16 component for Joomla! vi ...) NOT-FOR-US: JTicketing component for Joomla! CVE-2018-6584 (SQL Injection exists in the DT Register 3.2.7 component for Joomla! vi ...) NOT-FOR-US: DT Register component for Joomla! CVE-2018-6583 (SQL Injection exists in the Timetable Responsive Schedule 1.5 componen ...) NOT-FOR-US: Timetable Responsive Schedule component for Joomla! CVE-2018-6582 (SQL Injection exists in the Zh GoogleMap 8.4.0.0 component for Joomla! ...) NOT-FOR-US: Zh GoogleMap component for Joomla! CVE-2018-6581 (SQL Injection exists in the JMS Music 1.1.1 component for Joomla! via ...) NOT-FOR-US: JMS Music component for Joomla! CVE-2018-6580 (Arbitrary file upload exists in the Jimtawl 2.1.6 and 2.2.5 component ...) NOT-FOR-US: Jimtawl component for Joomla! CVE-2018-6579 (SQL Injection exists in the JEXTN Reverse Auction 3.1.0 component for ...) NOT-FOR-US: JEXTN Reverse Auction component for Joomla! CVE-2018-6578 (SQL Injection exists in the JE PayperVideo 3.0.0 component for Joomla! ...) NOT-FOR-US: JE PayperVideo component for Joomla! CVE-2018-6577 (SQL Injection exists in the JEXTN Membership 3.1.0 component for Jooml ...) NOT-FOR-US: JEXTN Membership component for Joomla! CVE-2018-6576 (SQL Injection exists in Event Manager 1.0 via the event.php id paramet ...) NOT-FOR-US: Event Manager CVE-2018-6575 (SQL Injection exists in the JEXTN Classified 1.0.0 component for Jooml ...) NOT-FOR-US: JEXTN Membership component for Joomla! CVE-2018-6574 (Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases befor ...) {DSA-4380-1} - golang-1.10 1.10~rc2-1 - golang-1.9 1.9.4-1 - golang-1.8 - golang-1.7 [stretch] - golang-1.7 (Minor issue) - golang [jessie] - golang (Minor issue) [wheezy] - golang (Minor issue) NOTE: https://github.com/golang/go/issues/23672 NOTE: https://go.googlesource.com/go/+/44821583bc16ff2508664fab94360bb856e9e9d6 NOTE: https://go.googlesource.com/go/+/867fb18b6d5bc73266b68c9a695558a04e060a8a CVE-2018-6573 RESERVED CVE-2018-6572 RESERVED CVE-2018-6571 RESERVED CVE-2018-6570 RESERVED CVE-2018-6569 (West Wind Web Server 6.x does not require authentication for /ADMIN.AS ...) NOT-FOR-US: West Wind Web Server CVE-2018-6568 RESERVED CVE-2018-6567 RESERVED CVE-2018-6566 RESERVED CVE-2018-6565 RESERVED CVE-2018-6564 RESERVED CVE-2018-6563 (Multiple cross-site request forgery (CSRF) vulnerabilities in totemoma ...) NOT-FOR-US: totemomail Encryption Gateway CVE-2018-6562 (totemomail Encryption Gateway before 6.0_b567 allows remote attackers ...) NOT-FOR-US: totemomail Encryption Gateway CVE-2018-6561 (dijit.Editor in Dojo Toolkit 1.13 allows XSS via the onload attribute ...) - dojo 1.13.0+dfsg1-1 (bug #898944) [jessie] - dojo (Minor issue) [wheezy] - dojo (Minor issue) NOTE: https://github.com/imsebao/404team/blob/master/dijit_editor_xss.md CVE-2018-6560 (In dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 0.9.x and 0 ...) - flatpak 0.10.3-1 (bug #888842) [stretch] - flatpak 0.8.9-0+deb9u1 NOTE: https://github.com/flatpak/flatpak/commit/52346bf187b5a7f1c0fe9075b328b7ad6abe78f6 CVE-2018-6559 (The Linux kernel, as used in Ubuntu 18.04 LTS and Ubuntu 18.10, allows ...) - linux (Ubuntu-specific issue) NOTE: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1793458 CVE-2018-6558 (The pam_fscrypt module in fscrypt before 0.2.4 may incorrectly restore ...) - fscrypt 0.2.4-1 (bug #907074) NOTE: https://bugs.launchpad.net/ubuntu/+source/fscrypt/+bug/1787548 NOTE: https://github.com/google/fscrypt/issues/77 NOTE: https://github.com/google/fscrypt/pull/103 CVE-2018-6557 (The MOTD update script in the base-files package in Ubuntu 18.04 LTS b ...) - base-files (Ubuntu specific motd update code; vulnerable code not present) CVE-2018-6556 (lxc-user-nic when asked to delete a network interface will uncondition ...) - lxc 1:2.0.9-6.1 (bug #905586) [stretch] - lxc (Vulnerable code introduced later) [jessie] - lxc (Vulnerable code introduced later) NOTE: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1783591 NOTE: Prerequisite: https://github.com/lxc/lxc/commit/f96f5f3c1341e73ee51c8b49bef4ba571c562d8c NOTE: Fixed by: https://github.com/lxc/lxc/commit/5eb45428b312e978fb9e294dde16efb14dd9fa4d CVE-2018-6555 (The irda_setsockopt function in net/irda/af_irda.c and later in driver ...) {DSA-4308-1 DLA-1531-1 DLA-1529-1} - linux 4.17.3-1 NOTE: http://www.openwall.com/lists/oss-security/2018/09/04/2 CVE-2018-6554 (Memory leak in the irda_bind function in net/irda/af_irda.c and later ...) {DSA-4308-1 DLA-1715-1 DLA-1531-1 DLA-1529-1} - linux 4.17.3-1 NOTE: http://www.openwall.com/lists/oss-security/2018/09/04/2 CVE-2018-6553 (The CUPS AppArmor profile incorrectly confined the dnssd backend due t ...) {DSA-4243-1 DLA-1426-1} - cups 2.2.8-5 (bug #903605) CVE-2018-6552 (Apport does not properly handle crashes originating from a PID namespa ...) NOT-FOR-US: Apport CVE-2018-6551 (The malloc implementation in the GNU C Library (aka glibc or libc6), f ...) [experimental] - glibc 2.26.9000+20180127.7e23a7dd-0experimental0 - glibc 2.27-1 [stretch] - glibc (Minor issue) [jessie] - glibc (Issue introduced in 2.24, 2.26 only for i386) - eglibc (Issue introduced in 2.24 for powerpc, 2.26 only for i386) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22774 NOTE: Fixed by: https://sourceware.org/git/?p=glibc.git;a=commit;h=8e448310d74b283c5cd02b9ed7fb997b47bf9b22 CVE-2018-6550 (Monstra CMS through 3.0.4 has XSS in the title function in plugins/box ...) NOT-FOR-US: Monstra CMS CVE-2017-18122 (A signature-validation bypass issue was discovered in SimpleSAMLphp th ...) {DSA-4127-1 DLA-1273-1} - simplesamlphp 1.15.0-1 (bug #889286) NOTE: https://simplesamlphp.org/security/201710-01 NOTE: https://github.com/simplesamlphp/simplesamlphp/commit/e2d53086abbb253efb24ddcb49b116246eb0b6ca (v1.14.17) CVE-2017-18121 (The consentAdmin module in SimpleSAMLphp through 1.14.15 is vulnerable ...) {DSA-4127-1 DLA-1273-1} - simplesamlphp 1.15.0-1 (bug #889286) NOTE: https://simplesamlphp.org/security/201709-01 NOTE: https://github.com/simplesamlphp/simplesamlphp/commit/34e1bdb7660c0c9b627f8e5f0ca224a6afe641a8 (v1.14.16) CVE-2018-6549 RESERVED CVE-2018-6548 (A use-after-free issue was discovered in libwebm through 2018-02-02. I ...) - chromium-browser (unimportant) NOTE: Chromium is built with support for VP9 disabled in Debian NOTE: https://bugs.chromium.org/p/webm/issues/detail?id=1493 NOTE: https://github.com/dwfault/PoCs/blob/master/libwebm%20Vp9HeaderParser%20UAF%20by%20PrintVP9Info/libwebm%20Vp9HeaderParser%20UAF%20by%20PrintVP9Info.md CVE-2018-6547 (plays_service.exe in the plays.tv service before 1.27.7.0, as distribu ...) NOT-FOR-US: plays_service.exe in the plays.tv service CVE-2018-6546 (plays_service.exe in the plays.tv service before 1.27.7.0, as distribu ...) NOT-FOR-US: plays_service.exe in the plays.tv service CVE-2018-6545 (Ipswitch MoveIt v8.1 is vulnerable to a Stored Cross-Site Scripting (X ...) NOT-FOR-US: Ipswitch MoveIt CVE-2018-6544 (pdf_load_obj_stm in pdf/pdf-xref.c in Artifex MuPDF 1.12.0 could refer ...) {DSA-4152-1} - mupdf 1.12.0+ds1-1 (bug #891245) [wheezy] - mupdf (Most likely not affected, minor issue) NOTE: http://git.ghostscript.com/?p=mupdf.git;h=26527eef77b3e51c2258c8e40845bfbc015e405d NOTE: above patch is not needed in Jessie, as there is no fz_try() used in this version NOTE: http://git.ghostscript.com/?p=mupdf.git;h=b03def134988da8c800adac1a38a41a1f09a1d89 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698830 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698965 NOTE: https://lists.debian.org/debian-lts/2018/03/msg00043.html CVE-2018-6543 (In GNU Binutils 2.30, there's an integer overflow in the function load ...) - binutils 2.30-3 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22769 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f2023ce7e8d70b0155cc6206c901e185260918f0 CVE-2018-6542 (In ZZIPlib 0.13.67, there is a bus error (when handling a disk64_trail ...) - zziplib (unimportant) NOTE: https://github.com/gdraheim/zziplib/issues/17 NOTE: https://github.com/gdraheim/zziplib/commit/931f962ddfec0e00d6f486df2c56d9857b55944e (v0.13.68) NOTE: Negligible impact and unzzipcat utility not installed into binary packages CVE-2018-6541 (In ZZIPlib 0.13.67, there is a bus error caused by loading of a misali ...) {DLA-2258-1} - zziplib 0.13.62-3.2 (bug #889089) [stretch] - zziplib 0.13.62-3.2~deb9u1 [wheezy] - zziplib (Minor issue) NOTE: https://github.com/gdraheim/zziplib/issues/16 NOTE: https://github.com/gdraheim/zziplib/commit/0c0c9256b0903f664bca25dd8d924211f81e01d3 (v0.13.68) CVE-2018-6540 (In ZZIPlib 0.13.67, there is a bus error caused by loading of a misali ...) {DLA-2258-1} - zziplib 0.13.62-3.2 (bug #923659) [stretch] - zziplib 0.13.62-3.2~deb9u1 [wheezy] - zziplib (Minor issue) NOTE: https://github.com/gdraheim/zziplib/issues/15 NOTE: https://github.com/gdraheim/zziplib/commit/72ec933663f738d8e166979aa7fd5590b2104a07 (v0.13.68) CVE-2018-6539 RESERVED CVE-2018-6538 REJECTED CVE-2018-6537 (A buffer overflow vulnerability in the control protocol of Flexense Sy ...) NOT-FOR-US: Flexense SyncBreeze Enterprise CVE-2018-6536 (An issue was discovered in Icinga 2.x through 2.8.1. The daemon create ...) - icinga2 2.8.4-1 [stretch] - icinga2 (Minor issue) [jessie] - icinga2 (Minor issue) NOTE: https://github.com/Icinga/icinga2/issues/5991 CVE-2018-6535 (An issue was discovered in Icinga 2.x through 2.8.1. The lack of a con ...) - icinga2 2.8.4-1 (low; bug #897301) [stretch] - icinga2 (Minor issue) [jessie] - icinga2 (Minor issue) NOTE: https://github.com/Icinga/icinga2/issues/4920 NOTE: https://github.com/Icinga/icinga2/pull/5715 NOTE: http://www.openwall.com/lists/oss-security/2018/03/22/3 CVE-2018-6534 (An issue was discovered in Icinga 2.x through 2.8.1. By sending specia ...) - icinga2 2.8.4-1 (low; bug #897301) [stretch] - icinga2 (Minor issue) [jessie] - icinga2 (Minor issue) NOTE: https://github.com/Icinga/icinga2/pull/6104 NOTE: http://www.openwall.com/lists/oss-security/2018/03/22/3 CVE-2018-6533 (An issue was discovered in Icinga 2.x through 2.8.1. By editing the in ...) - icinga2 2.8.4-1 (low; bug #897301) [stretch] - icinga2 (Minor issue) [jessie] - icinga2 (Minor issue) NOTE: https://github.com/Icinga/icinga2/pull/5850 NOTE: CVE is related to CVE-2017-16933 but for "the issue in using NOTE: init.conf to support run-time reconfiguration of an account is NOTE: design flaw". CVE-2018-6533 larger issue than CVE-2017-16933. CVE-2018-6532 (An issue was discovered in Icinga 2.x through 2.8.1. By sending specia ...) - icinga2 2.8.4-1 (low) [stretch] - icinga2 (Minor issue) [jessie] - icinga2 (Minor issue) NOTE: https://github.com/Icinga/icinga2/pull/6103 NOTE: http://www.openwall.com/lists/oss-security/2018/03/22/3 CVE-2018-6531 RESERVED CVE-2018-6530 (OS command injection vulnerability in soap.cgi (soapcgi_main in cgibin ...) NOT-FOR-US: D-Link CVE-2018-6529 (XSS vulnerability in htdocs/webinc/js/bsc_sms_inbox.php in D-Link DIR- ...) NOT-FOR-US: D-Link CVE-2018-6528 (XSS vulnerability in htdocs/webinc/body/bsc_sms_send.php in D-Link DIR ...) NOT-FOR-US: D-Link CVE-2018-6527 (XSS vulnerability in htdocs/webinc/js/adv_parent_ctrl_map.php in D-Lin ...) NOT-FOR-US: D-Link CVE-2018-6526 (view_all_bug_page.php in MantisBT 2.10.0-development before 2018-02-02 ...) - mantis [wheezy] - mantis (Not supported in wheezy LTS) NOTE: https://mantisbt.org/bugs/view.php?id=23921 CVE-2018-6525 (In nProtect AVS V4.0 before 4.0.0.39, the driver file (TKFsAv.SYS) all ...) NOT-FOR-US: nProtect AVS CVE-2018-6524 (In nProtect AVS V4.0 before 4.0.0.39, the driver file (TKFsAv.SYS) all ...) NOT-FOR-US: nProtect AVS CVE-2018-6523 (In nProtect AVS V4.0 before 4.0.0.39, the driver file (TKFsAv.SYS) all ...) NOT-FOR-US: nProtect AVS CVE-2018-6522 (In nProtect AVS V4.0 before 4.0.0.39, the driver file (TKRgFtXp.SYS) a ...) NOT-FOR-US: nProtect AVS CVE-2017-18120 (A double-free bug in the read_gif function in gifread.c in gifsicle 1. ...) - gifsicle 1.91-1 (unimportant; bug #878739; bug #881120) NOTE: https://github.com/kohler/gifsicle/issues/117 NOTE: https://github.com/kohler/gifsicle/commit/118a46090c50829dc543179019e6140e1235f909 NOTE: Crash in CLI tool, no security impact CVE-2018-6521 (The sqlauth module in SimpleSAMLphp before 1.15.2 relies on the MySQL ...) {DSA-4127-1 DLA-1273-1} - simplesamlphp 1.15.2-1 NOTE: https://simplesamlphp.org/security/201801-03 CVE-2018-6520 (SimpleSAMLphp before 1.15.2 allows remote attackers to bypass an open ...) - simplesamlphp 1.15.2-1 [stretch] - simplesamlphp (Minor issue) [jessie] - simplesamlphp (Minor issue) [wheezy] - simplesamlphp (Vulnerable code introduced in 1.12) NOTE: https://simplesamlphp.org/security/201801-02 CVE-2018-6519 (The SAML2 library before 1.10.4, 2.x before 2.3.5, and 3.x before 3.1. ...) {DSA-4127-1} - simplesamlphp 1.15.2-1 [wheezy] - simplesamlphp (Vulnerable code not present) NOTE: minor issue NOTE: https://simplesamlphp.org/security/201801-01 NOTE: The issue lies in the simplesamlphp/saml2 part, which is NOTE: updated in 1.15.2 to the respective fixed version. NOTE: https://github.com/simplesamlphp/saml2/commit/726404bf7b4085a9eb9c9a869af1ecc146bd8f6d CVE-2018-6518 (Composr CMS 10.0.13 has XSS via the site_name parameter in a page=admi ...) NOT-FOR-US: Composr CMS CVE-2018-6517 (Prior to version 0.3.0, chloride's use of net-ssh resulted in host fin ...) NOT-FOR-US: chloride CVE-2018-6516 (On Windows only, with a specifically crafted configuration file an att ...) - puppet (Specific issue Windows only) CVE-2018-6515 (Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3. ...) - puppet (Specific issue Windows only) NOTE: https://puppet.com/security/cve/CVE-2018-6515 CVE-2018-6514 (In Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5 ...) - facter (Specific to Facter on Windows) NOTE: https://puppet.com/security/cve/CVE-2018-6514 CVE-2018-6513 (Puppet Enterprise 2016.4.x prior to 2016.4.12, Puppet Enterprise 2017. ...) - puppet (Windows-specific) NOTE: https://puppet.com/security/cve/CVE-2018-6513 CVE-2018-6512 (The previous version of Puppet Enterprise 2018.1 is vulnerable to unsa ...) - puppet (Specific to Puppet Enterprise) NOTE: https://puppet.com/security/cve/CVE-2018-6512 CVE-2018-6511 (A cross-site scripting vulnerability in Puppet Enterprise Console of P ...) - puppet (Specific to Puppet Enterprise) CVE-2018-6510 (A cross-site scripting vulnerability in Puppet Enterprise Console of P ...) - puppet (Specific to Puppet Enterprise) CVE-2018-6509 RESERVED CVE-2018-6508 (Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a remot ...) - puppet-module-puppetlabs-apt (unimportant) - puppet-module-puppetlabs-apache (unimportant) - puppet-module-puppetlabs-mysql (unimportant) NOTE: https://puppet.com/security/cve/CVE-2018-6508 NOTE: Issue in various puppet modules: facter_task, puppet_conf, apt, apache and mysql modules NOTE: https://github.com/puppetlabs/puppetlabs-facter_task/commit/dd37c72e78c8a37e671e20becb05d6ceafdbd81c NOTE: https://github.com/puppetlabs/puppetlabs-puppet_conf/commit/ba434605717e16d935cba45ab38ca5866780a36b NOTE: https://github.com/puppetlabs/puppetlabs-apt/commit/81879be960d5723016e3d0b4ff155ee704261bbc NOTE: https://github.com/puppetlabs/puppetlabs-apache/commit/81bc5119ceced1faa4bf261efa4b7cd3731ef3ef NOTE: https://github.com/puppetlabs/puppetlabs-mysql/commit/da3684c79d5fe6ece826e087e8693c75ac40414c NOTE: This is only exploitable with Puppet Tasks, which aren't packaged/available in Debian CVE-2018-6507 RESERVED CVE-2018-6506 (Cross-Site Scripting (XSS) exists in the Add Forum feature in the Admi ...) NOT-FOR-US: miniBB CVE-2018-6505 (A potential Unauthenticated File Download vulnerability has been ident ...) NOT-FOR-US: ArcSight Management Center (ArcMC) CVE-2018-6504 (A potential Cross-Site Request Forgery (CSRF) vulnerability has been i ...) NOT-FOR-US: ArcSight Management Center (ArcMC) CVE-2018-6503 (A potential Access Control vulnerability has been identified in ArcSig ...) NOT-FOR-US: ArcSight Management Center (ArcMC) CVE-2018-6502 (A potential Reflected Cross-Site Scripting (XSS) Security vulnerabilit ...) NOT-FOR-US: ArcSight Management Center (ArcMC) CVE-2018-6501 (Potential security vulnerability of Insufficient Access Controls has b ...) NOT-FOR-US: ArcSight Management Center (ArcMC) CVE-2018-6500 (A potential Directory Traversal Security vulnerability has been identi ...) NOT-FOR-US: ArcSight Management Center (ArcMC) CVE-2018-6499 (Remote Code Execution in the following products Hybrid Cloud Managemen ...) NOT-FOR-US: Hybrid Cloud Management Containerized Suite CVE-2018-6498 (Remote Code Execution in the following products Hybrid Cloud Managemen ...) NOT-FOR-US: Hybrid Cloud Management Containerized Suite CVE-2018-6497 (Remote Cross-site Request forgery (CSRF) potential has been identified ...) NOT-FOR-US: UCMDB Server CVE-2018-6496 (Remote Cross-site Request forgery (CSRF) potential has been identified ...) NOT-FOR-US: UCMBD Browser CVE-2018-6495 (Cross-Site Scripting (XSS) in Micro Focus Universal CMDB, version 10.2 ...) NOT-FOR-US: Micro Focus CVE-2018-6494 (Remote SQL Injection against the HP Service Manager Software Web Tier, ...) NOT-FOR-US: HP CVE-2018-6493 (SQL Injection in HP Network Operations Management Ultimate, version 20 ...) NOT-FOR-US: HP CVE-2018-6492 (Persistent Cross-Site Scripting, and non-persistent HTML Injection in ...) NOT-FOR-US: HP CVE-2018-6491 (Local Escalation of Privilege vulnerability to Micro Focus Universal C ...) NOT-FOR-US: Micro Focus Universal CMDB CVE-2018-6490 (Denial of Service vulnerability in Micro Focus Operations Orchestratio ...) NOT-FOR-US: Micro Focus Operations Orchestration Software CVE-2018-6489 (XML External Entity (XXE) vulnerability in Micro Focus Project and Por ...) NOT-FOR-US: Micro Focus Project and Portfolio Management Center CVE-2018-6488 (Arbitrary Code Execution vulnerability in Micro Focus Universal CMDB, ...) NOT-FOR-US: Micro Focus Universal CMDB CVE-2018-6487 (Remote Disclosure of Information in Micro Focus Universal CMDB Foundat ...) NOT-FOR-US: Micro Focus Universal CMDB Foundation Software CVE-2018-6486 (XML External Entity (XXE) vulnerability in Micro Focus Fortify Audit W ...) NOT-FOR-US: Micro Focus Fortify Audit Workbench CVE-2017-18119 RESERVED CVE-2017-18118 RESERVED CVE-2017-18117 RESERVED CVE-2017-18116 RESERVED CVE-2017-18115 RESERVED CVE-2017-18114 RESERVED CVE-2017-18113 RESERVED CVE-2017-18112 RESERVED CVE-2017-18111 (The OAuthHelper in Atlassian Application Links before version 5.0.10, ...) NOT-FOR-US: Atlassian Application Links CVE-2017-18110 (The administration backup restore resource in Atlassian Crowd before v ...) NOT-FOR-US: Atlassian Crowd CVE-2017-18109 (The login resource of CrowdId in Atlassian Crowd before version 3.0.2 ...) NOT-FOR-US: Atlassian Crowd CVE-2017-18108 (The administration SMTP configuration resource in Atlassian Crowd befo ...) NOT-FOR-US: Atlassian Crowd CVE-2017-18107 (Various resources in the Crowd Demo application of Atlassian Crowd bef ...) NOT-FOR-US: Atlassian CVE-2017-18106 (The identifier_hash for a session token in Atlassian Crowd before vers ...) NOT-FOR-US: Atlassian Crowd CVE-2017-18105 (The console login resource in Atlassian Crowd before version 3.0.2 and ...) NOT-FOR-US: Atlassian Crowd CVE-2017-18104 (The Webhooks component of Atlassian Jira before version 7.6.7 and from ...) NOT-FOR-US: Atlassian Jira CVE-2017-18103 (The atlassian-http library, as used in various Atlassian products, bef ...) NOT-FOR-US: Atlassian CVE-2017-18102 (The wiki markup component of atlassian-renderer from version 8.0.0 bef ...) NOT-FOR-US: wiki markup component of atlassian-renderer CVE-2017-18101 (Various administrative external system import resources in Atlassian J ...) NOT-FOR-US: Atlassian CVE-2017-18100 (The agile wallboard gadget in Atlassian Jira before version 7.8.1 allo ...) NOT-FOR-US: Atlassian CVE-2017-18099 RESERVED CVE-2017-18098 (The searchrequest-xml resource in Atlassian Jira before version 7.6.1 ...) NOT-FOR-US: Atlassian CVE-2017-18097 (The Trello board importer resource in Atlassian Jira before version 7. ...) NOT-FOR-US: Atlassian CVE-2017-18096 (The OAuth status rest resource in Atlassian Application Links before v ...) NOT-FOR-US: Atlassian Application Links CVE-2017-18095 (The SnippetRPCServiceImpl class in Atlassian Crucible before version 4 ...) NOT-FOR-US: Atlassian Crucible CVE-2017-18094 (Various resources in Atlassian Fisheye and Crucible before version 4.4 ...) NOT-FOR-US: Atlassian Fisheye and Crucible CVE-2017-18093 (Various resources in Atlassian Fisheye and Crucible before version 4.4 ...) NOT-FOR-US: Atlassian Fisheye and Crucible CVE-2017-18092 (The print snippet resource in Atlassian Crucible before version 4.4.3 ...) NOT-FOR-US: Atlassian Crucible CVE-2017-18091 (The admin backupprogress action in Atlassian Fisheye and Crucible befo ...) NOT-FOR-US: Atlassian Fisheye and Crucible CVE-2017-18090 (Various resources in Atlassian Fisheye before version 4.5.1 (the fixed ...) NOT-FOR-US: Atlassian Fisheye CVE-2017-18089 (The view review history resource in Atlassian Crucible before version ...) NOT-FOR-US: Atlassian Crucible CVE-2017-18088 (Various plugin servlet resources in Atlassian Bitbucket Server before ...) NOT-FOR-US: Atlassian Bitbucket Server CVE-2017-18087 (The download commit resource in Atlassian Bitbucket Server from versio ...) NOT-FOR-US: Atlassian Bitbucket Server CVE-2017-18086 (Various resources in Atlassian Confluence Server before version 6.4.2 ...) NOT-FOR-US: Atlassian Confluence CVE-2017-18085 (The viewdefaultdecorator resource in Atlassian Confluence Server befor ...) NOT-FOR-US: Atlassian Confluence CVE-2017-18084 (The usermacros resource in Atlassian Confluence Server before version ...) NOT-FOR-US: Atlassian Confluence CVE-2017-18083 (The editinword resource in Atlassian Confluence Server before version ...) NOT-FOR-US: Atlassian Confluence CVE-2017-18082 (The plan configure branches resource in Atlassian Bamboo before versio ...) NOT-FOR-US: Atlassian Bamboo CVE-2017-18081 (The signupUser resource in Atlassian Bamboo before version 6.3.1 allow ...) NOT-FOR-US: Atlassian Bamboo CVE-2017-18080 (The saveConfigureSecurity resource in Atlassian Bamboo before version ...) NOT-FOR-US: Atlassian Bamboo CVE-2018-6485 (An integer overflow in the implementation of the posix_memalign in mem ...) [experimental] - glibc 2.26.9000+20180127.7e23a7dd-0experimental0 - glibc 2.27-1 (bug #878159) [stretch] - glibc (Minor issue) [jessie] - glibc (Minor issue) - eglibc [wheezy] - eglibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22343 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8e448310d74b283c5cd02b9ed7fb997b47bf9b22 CVE-2018-6484 (In ZZIPlib 0.13.67, there is a memory alignment error and bus error in ...) {DLA-2258-1} - zziplib 0.13.62-3.2 (bug #889089) [stretch] - zziplib 0.13.62-3.2~deb9u1 [wheezy] - zziplib (Minor issue) NOTE: https://github.com/gdraheim/zziplib/issues/14 NOTE: https://github.com/gdraheim/zziplib/commit/0c0c9256b0903f664bca25dd8d924211f81e01d3 (v0.13.68) CVE-2018-6483 RESERVED CVE-2018-6482 RESERVED CVE-2018-6481 (A buffer overflow vulnerability in the control protocol of Disk Savvy ...) NOT-FOR-US: Disk Savvy Enterprise CVE-2018-6480 (A type confusion issue was discovered in CCN-lite 2, leading to a memo ...) NOT-FOR-US: CCN-lite 2 CVE-2018-6479 (An issue was discovered on Netwave IP Camera devices. An unauthenticat ...) NOT-FOR-US: Netwave IP Camera devices CVE-2018-6478 RESERVED CVE-2018-6477 RESERVED CVE-2018-6476 (In SUPERAntiSpyware Professional Trial 6.0.1254, the SASKUTIL.SYS driv ...) NOT-FOR-US: SUPERAntiSpyware Professional Trial CVE-2018-6475 (In SUPERAntiSpyware Professional Trial 6.0.1254, SUPERAntiSpyware.exe ...) NOT-FOR-US: SUPERAntiSpyware Professional Trial CVE-2018-6474 (In SUPERAntiSpyware Professional Trial 6.0.1254, the driver file (SASK ...) NOT-FOR-US: SUPERAntiSpyware Professional Trial CVE-2018-6473 (In SUPERAntiSpyware Professional Trial 6.0.1254, the driver file (SASK ...) NOT-FOR-US: SUPERAntiSpyware Professional Trial CVE-2018-6472 (In SUPERAntiSpyware Professional Trial 6.0.1254, the driver file (SASK ...) NOT-FOR-US: SUPERAntiSpyware Professional Trial CVE-2018-6471 (In SUPERAntiSpyware Professional Trial 6.0.1254, the driver file (SASK ...) NOT-FOR-US: SUPERAntiSpyware Professional Trial CVE-2018-6470 (Nibbleblog 4.0.5 on macOS defaults to having .DS_Store in each directo ...) NOT-FOR-US: Nibbleblog on macOS CVE-2018-6469 (A cross-site scripting (XSS) vulnerability in flickrRSS.php in the fli ...) NOT-FOR-US: flickrRSS plugin for WordPress CVE-2018-6468 (A cross-site scripting (XSS) vulnerability in flickrRSS.php in the fli ...) NOT-FOR-US: flickrRSS plugin for WordPress CVE-2018-6467 (The flickrRSS plugin 5.3.1 for WordPress has CSRF via wp-admin/options ...) NOT-FOR-US: flickrRSS plugin for WordPress CVE-2018-6466 (A cross-site scripting (XSS) vulnerability in flickrRSS.php in the fli ...) NOT-FOR-US: flickrRSS plugin for WordPress CVE-2018-6465 (The PropertyHive plugin before 1.4.15 for WordPress has XSS via the bo ...) NOT-FOR-US: PropertyHive plugin for WordPress CVE-2018-6464 (Simditor v2.3.11 allows XSS via crafted use of svg/onload=alert in a T ...) NOT-FOR-US: Simditor CVE-2018-6463 RESERVED CVE-2018-6462 (Tracker PDF-XChange Viewer and Viewer AX SDK before 2.5.322.8 mishandl ...) NOT-FOR-US: Tracker PDF-XChange Viewer and Viewer AX SDK CVE-2018-6461 (March Hare WINCVS before 2.8.01 build 6610, and CVS Suite before 2009R ...) NOT-FOR-US: March Hare CVE-2018-6460 (Hotspot Shield runs a webserver with a static IP address 127.0.0.1 and ...) NOT-FOR-US: Hotspot Shield CVE-2018-6459 (The rsa_pss_params_parse function in libstrongswan/credentials/keys/si ...) - strongswan 5.6.2-1 [stretch] - strongswan (Vulnerable code introduced later) [jessie] - strongswan (Vulnerable code introduced later) [wheezy] - strongswan (Vulnerable code introduced later) NOTE: https://www.strongswan.org/blog/2018/02/19/strongswan-vulnerability-(cve-2018-6459).html CVE-2018-6458 (Easy Hosting Control Panel (EHCP) v0.37.12.b allows remote attackers t ...) NOT-FOR-US: Easy Hosting Control Panel (EHCP) CVE-2018-6457 RESERVED CVE-2018-6456 RESERVED CVE-2018-6455 RESERVED CVE-2018-6454 RESERVED CVE-2018-6453 RESERVED CVE-2018-6452 RESERVED CVE-2018-6451 RESERVED CVE-2018-6450 RESERVED CVE-2018-6449 RESERVED CVE-2018-6448 RESERVED CVE-2018-6447 RESERVED CVE-2018-6446 (A vulnerability in Brocade Network Advisor Version Before 14.3.1 could ...) TODO: check CVE-2018-6445 (A Vulnerability in Brocade Network Advisor versions before 14.0.3 coul ...) NOT-FOR-US: Brocade CVE-2018-6444 (A Vulnerability in Brocade Network Advisor versions before 14.1.0 coul ...) NOT-FOR-US: Brocade CVE-2018-6443 (A vulnerability in Brocade Network Advisor Versions before 14.3.1 coul ...) NOT-FOR-US: Brocade CVE-2018-6442 (A vulnerability in the Brocade Webtools firmware update section of Bro ...) NOT-FOR-US: Brocade CVE-2018-6441 (A vulnerability in Secure Shell implementation of Brocade Fabric OS ve ...) NOT-FOR-US: Brocade CVE-2018-6440 (A vulnerability in the proxy service of Brocade Fabric OS versions bef ...) NOT-FOR-US: Brocade CVE-2018-6439 (A Vulnerability in the configdownload command of Brocade Fabric OS com ...) NOT-FOR-US: Brocade CVE-2018-6438 (A Vulnerability in the supportsave command of Brocade Fabric OS comman ...) NOT-FOR-US: Brocade CVE-2018-6437 (A Vulnerability in the help command of Brocade Fabric OS command line ...) NOT-FOR-US: Brocade CVE-2018-6436 (A Vulnerability in the firmwaredownload command of Brocade Fabric OS c ...) NOT-FOR-US: Brocade CVE-2018-6435 (A Vulnerability in the secryptocfg command of Brocade Fabric OS comman ...) NOT-FOR-US: Brocade CVE-2018-6434 (A vulnerability in the web management interface of Brocade Fabric OS v ...) NOT-FOR-US: Brocade CVE-2018-6433 (A vulnerability in the secryptocfg export command of Brocade Fabric OS ...) NOT-FOR-US: Brocade CVE-2018-6432 RESERVED CVE-2018-6431 RESERVED CVE-2018-6430 RESERVED CVE-2018-6429 RESERVED CVE-2018-6428 RESERVED CVE-2018-6427 RESERVED CVE-2018-6426 RESERVED CVE-2018-6425 RESERVED CVE-2018-6424 RESERVED CVE-2018-6423 RESERVED CVE-2018-6422 RESERVED CVE-2018-6421 RESERVED CVE-2018-6420 RESERVED CVE-2018-6419 RESERVED CVE-2018-6418 RESERVED CVE-2018-6417 RESERVED CVE-2018-6416 RESERVED CVE-2018-6415 RESERVED CVE-2018-6414 (A buffer overflow vulnerability in the web server of some Hikvision IP ...) NOT-FOR-US: Hikvision IP Cameras CVE-2018-6413 (There is a buffer overflow in the Hikvision Camera DS-2CD9111-S of V4. ...) NOT-FOR-US: Hikvision Camera DS-2CD9111-S CVE-2018-6412 (In the function sbusfb_ioctl_helper() in drivers/video/fbdev/sbuslib.c ...) {DLA-1423-1} - linux 4.16.5-1 (unimportant) [stretch] - linux 4.9.107-1 [jessie] - linux 3.16.57-1 [wheezy] - linux 3.2.102-1 NOTE: https://marc.info/?l=linux-fbdev&m=151734425901499&w=2 NOTE: The issue only affects SPARC systems. CVE-2018-6411 (An issue was discovered in Appnitro MachForm before 4.2.3. When the fo ...) NOT-FOR-US: Appnitro MachForm CVE-2018-6410 (An issue was discovered in Appnitro MachForm before 4.2.3. There is a ...) NOT-FOR-US: Appnitro MachForm CVE-2018-6409 (An issue was discovered in Appnitro MachForm before 4.2.3. The module ...) NOT-FOR-US: Appnitro MachForm CVE-2018-6408 (An issue was discovered on Conceptronic CIPCAMPTIWL V3 0.61.30.21 devi ...) NOT-FOR-US: CIPCAMPTIWL devices CVE-2018-6407 (An issue was discovered on Conceptronic CIPCAMPTIWL V3 0.61.30.21 devi ...) NOT-FOR-US: CIPCAMPTIWL devices CVE-2018-6406 (The function ParseVP9SuperFrameIndex in common/libwebm_util.cc in libw ...) - chromium-browser (unimportant) NOTE: Chromium is built with support for VP9 disabled in Debian NOTE: https://bugs.chromium.org/p/webm/issues/detail?id=1492 NOTE: https://github.com/dwfault/PoCs/blob/master/libwebm%20ParseVP9SuperFrameIndex%20memory%20corruption/libwebm%20ParseVP9SuperFrameIndex%20OOB%20read.md CVE-2018-6405 (In the ReadDCMImage function in coders/dcm.c in ImageMagick before 7.0 ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/964 NOTE: https://github.com/ImageMagick/ImageMagick/commit/1fbed78912c830ccd82eecdb8a1db4882abb8276 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/1fbed78912c830ccd82eecdb8a1db4882abb8276 CVE-2018-6404 RESERVED CVE-2018-6403 RESERVED CVE-2018-6402 (Ecobee Ecobee4 4.2.0.171 devices can be forced to deauthenticate and c ...) NOT-FOR-US: Ecobee Ecobee4 4.2.0.171 devices CVE-2018-6401 (Meross MSS110 devices before 1.1.24 contain a TELNET listener providin ...) NOT-FOR-US: Meross CVE-2018-6400 (Kingsoft WPS Office Free 10.2.0.5978 allows local users to gain privil ...) NOT-FOR-US: Kingsoft WPS Office Free CVE-2018-6399 RESERVED CVE-2018-6398 (SQL Injection exists in the CP Event Calendar 3.0.1 component for Joom ...) NOT-FOR-US: CP Event Calendar component for Joomla! CVE-2018-6397 (Directory Traversal exists in the Picture Calendar 3.1.4 component for ...) NOT-FOR-US: Picture Calendar component for Joomla! CVE-2018-6396 (SQL Injection exists in the Google Map Landkarten through 4.2.3 compon ...) NOT-FOR-US: Google Map Landkarten component for Joomla! CVE-2018-6395 (SQL Injection exists in the Visual Calendar 3.1.3 component for Joomla ...) NOT-FOR-US: Visual Calendar component for Joomla! CVE-2018-6394 (SQL Injection exists in the InviteX 3.0.5 component for Joomla! via th ...) NOT-FOR-US: InviteX component for Joomla! CVE-2018-6393 (** DISPUTED ** FreePBX 10.13.66-32bit and 14.0.1.24 (SNG7-PBX-64bit-17 ...) NOT-FOR-US: FreePBX CVE-2018-6392 (The filter_slice function in libavfilter/vf_transpose.c in FFmpeg thro ...) {DSA-4249-1 DLA-1740-1} - ffmpeg 7:3.4.2-1 - libav NOTE: Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/3f621455d62e46745453568d915badd5b1e5bcd5 NOTE: Needs as well: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/c6939f65a116b1ffed345d29d8621ee4ffb32235 NOTE: fixing a (functional) regression introduced by the original fix. NOTE: Fixed in 3.2.11, the commit in the 3.2 branch (c4ba170cad2ccdd896ea6fd3a890980008606541) NOTE: has the regression fix squashed in NOTE: The vulnerable function is filter_frame in libav. CVE-2018-6391 (A cross-site request forgery web vulnerability has been discovered on ...) NOT-FOR-US: Netis WF2419 V2.2.36123 devices CVE-2018-6390 (The WStr::assign function in kso.dll in Kingsoft WPS Office 10.1.0.710 ...) NOT-FOR-US: Kingsoft WPS Office CVE-2018-6389 (In WordPress through 4.9.2, unauthenticated attackers can cause a deni ...) - wordpress (unimportant) NOTE: https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html NOTE: https://thehackernews.com/2018/02/wordpress-dos-exploit.html NOTE: https://wpvulndb.com/vulnerabilities/9021 NOTE: disputed by upstream as best fixed at the server level NOTE: patch in progress in https://core.trac.wordpress.org/ticket/43308 NOTE: Architectual limitation, marginal impact CVE-2018-6388 (iBall iB-WRA150N 1.2.6 build 110401 Rel.47776n devices allow remote au ...) NOT-FOR-US: iBall iB-WRA150N 1.2.6 build 110401 Rel.47776n devices CVE-2018-6387 (iBall iB-WRA150N 1.2.6 build 110401 Rel.47776n devices have a hardcode ...) NOT-FOR-US: iBall iB-WRA150N 1.2.6 build 110401 Rel.47776n devices CVE-2018-6386 RESERVED CVE-2018-6385 RESERVED CVE-2018-6384 (Unquoted Windows search path vulnerability in NSClient++ before 0.4.1. ...) NOT-FOR-US: NSClient++ CVE-2018-6383 (Monstra CMS through 3.0.4 has an incomplete "forbidden types" list tha ...) NOT-FOR-US: Monstra CMS CVE-2018-6382 (** DISPUTED ** MantisBT 2.10.0 allows local users to conduct SQL Injec ...) - mantis [wheezy] - mantis (Not supported in Wheezy) NOTE: https://mantisbt.org/bugs/view.php?id=23908 CVE-2018-6381 (In ZZIPlib 0.13.67, there is a segmentation fault caused by invalid me ...) {DLA-2258-1} - zziplib 0.13.62-3.2 (bug #889096) [stretch] - zziplib 0.13.62-3.2~deb9u1 [wheezy] - zziplib (Minor issue) NOTE: https://github.com/gdraheim/zziplib/issues/12 NOTE: https://github.com/gdraheim/zziplib/commit/a803559fa9194be895422ba3684cf6309b6bb598 (v0.13.68) CVE-2018-6380 (In Joomla! before 3.8.4, lack of escaping in the module chromes leads ...) NOT-FOR-US: Joomla! CVE-2018-6379 (In Joomla! before 3.8.4, inadequate input filtering in the Uri class ( ...) NOT-FOR-US: Joomla! CVE-2018-6378 (In Joomla! Core before 3.8.8, inadequate filtering of file and folder ...) NOT-FOR-US: Joomla! CVE-2018-6377 (In Joomla! before 3.8.4, inadequate input filtering in com_fields lead ...) NOT-FOR-US: Joomla! CVE-2018-6376 (In Joomla! before 3.8.4, the lack of type casting of a variable in a S ...) NOT-FOR-US: Joomla! CVE-2018-1000030 (Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Hea ...) - python3.7 (Reading ahead of file objects implemented differently) - python3.6 (Reading ahead of file objects implemented differently) - python3.5 (Reading ahead of file objects implemented differently) - python3.4 (Reading ahead of file objects implemented differently) - python3.2 (Reading ahead of file objects implemented differently) - python2.7 2.7.14-5 (unimportant) - python2.6 (unimportant) NOTE: Original report: https://bugs.python.org/issue31530 NOTE: https://bugs.python.org/file47157/0001-stop-crashes-when-iterating-over-a-file-on-multiple-.patch NOTE: which was followed by a pull request to fix the issue: NOTE: https://github.com/python/cpython/pull/3670 NOTE: https://github.com/python/cpython/pull/3672 NOTE: https://github.com/python/cpython/commit/6401e5671781eb217ee1afb4603cc0d1b0367ae6 NOTE: The original approach caused a regression leading to NOTE: https://github.com/python/cpython/pull/5060 NOTE: https://bugs.python.org/msg309265 NOTE: where the 6401e56 commit was mostly reverted again. NOTE: Needed: https://github.com/python/cpython/commit/dbf52e02f18dac6f5f0a64f78932f3dc6efc056b NOTE: No practical security impact, why DWF assigned a CVE ID is hard to tell CVE-2018-1000029 (mcholste Enterprise Log Search and Archive (ELSA) version revision 120 ...) NOT-FOR-US: mcholste Enterprise Log Search and Archive CVE-2018-1000026 (Linux Linux kernel version at least v4.8 onwards, probably well before ...) {DLA-1771-1} - linux 4.16.5-1 [stretch] - linux 4.9.161-1 [jessie] - linux (Minor issue, requires core networking changes) - linux-4.9 NOTE: https://patchwork.ozlabs.org/patch/859410/ NOTE: http://lists.openwall.net/netdev/2018/01/16/40 NOTE: http://lists.openwall.net/netdev/2018/01/18/96 NOTE: https://git.kernel.org/linus/8914a595110a6eca69a5e275b323f5d09e18f4f9 NOTE: https://git.kernel.org/linus/2b16f048729bf35e6c28a40cbfad07239f9dcd90 CVE-2018-1000025 (Jerome Gamez Firebase Admin SDK for PHP version from 3.2.0 to 3.8.0 co ...) NOT-FOR-US: Jerome Gamez Firebase Admin SDK for PHP CVE-2018-1000023 (Bitpay/insight-api Insight-api version 5.0.0 and earlier contains a CW ...) NOT-FOR-US: Bitpay/insight-api Insight-api CVE-2018-1000021 (GIT version 2.15.1 and earlier contains a Input Validation Error vulne ...) - git (unimportant; bug #889680) NOTE: http://www.batterystapl.es/2018/01/security-implications-of-ansi-escape.html NOTE: Terminal emulators need to perform proper escaping CVE-2018-1000020 (OpenEMR version 5.0.0 contains a Cross Site Scripting (XSS) vulnerabil ...) NOT-FOR-US: OpenEMR CVE-2018-1000019 (OpenEMR version 5.0.0 contains a OS Command Injection vulnerability in ...) NOT-FOR-US: OpenEMR CVE-2017-1000510 (Croogo version 2.3.1-17-g6f82e6c contains a Cross Site Scripting (XSS) ...) NOT-FOR-US: Croogo CVE-2017-1000509 (Dolibarr version 6.0.2 contains a Cross Site Scripting (XSS) vulnerabi ...) - dolibarr NOTE: https://github.com/Dolibarr/dolibarr/issues/7727 CVE-2017-1000508 (Invoice Plane version 1.5.4 and earlier contains a Cross Site Scriptin ...) NOT-FOR-US: Invoice Plane CVE-2017-1000507 (Canvs Canvas version 3.4.2 contains a Cross Site Scripting (XSS) vulne ...) NOT-FOR-US: Canvs Canvas CVE-2017-1000506 (Mautic version 2.11.0 and earlier contains a Cross Site Scripting (XSS ...) NOT-FOR-US: Mautic CVE-2016-10711 (Apsis Pound before 2.8a allows request smuggling via crafted headers, ...) {DLA-2196-1 DLA-1280-1} [experimental] - pound 2.8-1+patrodyne20190113 - pound 2.8-2 (bug #888786) [stretch] - pound 2.7-1.3+deb9u1 NOTE: http://www.apsis.ch/pound/pound_list/archive/2016/2016-10/1477235279000 NOTE: https://www.suse.com/de-de/security/cve/CVE-2016-10711/ NOTE: Fixed by https://build.opensuse.org/request/show/571084 NOTE: Confirmed that the SUSE patch is the security relevant diff between NOTE: version 2.7 and 2.8a NOTE: an additional fix of the fix is needed to avoid that pound uses 100% CPU NOTE: https://github.com/graygnuorg/pound/commit/c5a95780e2233a05ab3fb8b4eb8a9550f0c3b53c CVE-2018-6375 RESERVED CVE-2018-6374 (The GUI component (aka PulseUI) in Pulse Secure Desktop Linux clients ...) NOT-FOR-US: PulseUI in Pulse Secure Desktop Linux clients CVE-2018-6373 (SQL Injection exists in the Fastball 2.5 component for Joomla! via the ...) NOT-FOR-US: Fastball component for Joomla! CVE-2018-6372 (SQL Injection exists in the JB Bus 2.3 component for Joomla! via the o ...) NOT-FOR-US: JB Bus component for Joomla! CVE-2018-6371 RESERVED CVE-2018-6370 (SQL Injection exists in the NeoRecruit 4.1 component for Joomla! via t ...) NOT-FOR-US: NeoRecruit component for Joomla! CVE-2018-6369 RESERVED CVE-2018-6368 (SQL Injection exists in the JomEstate PRO through 3.7 component for Jo ...) NOT-FOR-US: JomEstate PRO component for Joomla! CVE-2018-6367 (SQL Injection exists in Vastal I-Tech Buddy Zone Facebook Clone 2.9.9 ...) NOT-FOR-US: Vastal I-Tech Buddy Zone Facebook Clone CVE-2018-6366 RESERVED CVE-2018-6365 (SQL Injection exists in TSiteBuilder 1.0 via the id parameter to /site ...) NOT-FOR-US: TSiteBuilder CVE-2018-6364 (SQL Injection exists in Multilanguage Real Estate MLM Script through 3 ...) NOT-FOR-US: Multilanguage Real Estate MLM Script CVE-2018-6363 (SQL Injection exists in Task Rabbit Clone 1.0 via the single_blog.php ...) NOT-FOR-US: Task Rabbit Clone CVE-2017-18079 (drivers/input/serio/i8042.c in the Linux kernel before 4.12.4 allows a ...) - linux 4.12.6-1 [stretch] - linux 4.9.47-1 [jessie] - linux 3.16.51-1 [wheezy] - linux 3.2.96-1 NOTE: Fixed by: https://git.kernel.org/linus/340d394a789518018f834ff70f7534fc463d3226 CVE-2017-18078 (systemd-tmpfiles in systemd before 237 attempts to support ownership/p ...) {DLA-1762-1} - systemd 237-1 (unimportant) NOTE: https://github.com/systemd/systemd/issues/7736 NOTE: https://github.com/systemd/systemd/commit/5579f85663d10269e7ac7464be6548c99cea4ada (v237) NOTE: Neutralised by kernel hardening CVE-2018-6362 (Easy Hosting Control Panel (EHCP) v0.37.12.b has XSS via the domainop ...) NOT-FOR-US: Easy Hosting Control Panel (EHCP) CVE-2018-6361 (Easy Hosting Control Panel (EHCP) v0.37.12.b has XSS via the op parame ...) NOT-FOR-US: Easy Hosting Control Panel (EHCP) CVE-2018-6360 (mpv through 0.28.0 allows remote attackers to execute arbitrary code v ...) {DSA-4105-1} - mpv 0.27.0-3 (bug #888654) [jessie] - mpv (Vulnerable code not present, youtube-dl hook script added in 0.7.0) NOTE: https://github.com/mpv-player/mpv/issues/5456 NOTE: https://github.com/mpv-player/mpv/commit/e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43 CVE-2018-6359 (The decompileIF function (util/decompile.c) in libming through 0.4.8 i ...) {DLA-1305-1} - ming NOTE: https://github.com/libming/libming/issues/105 CVE-2018-6358 (The printDefineFont2 function (util/listfdb.c) in libming through 0.4. ...) {DLA-1343-1} - ming NOTE: https://github.com/libming/libming/issues/104 CVE-2018-6357 (The acx_asmw_saveorder_callback function in function.php in the acurax ...) NOT-FOR-US: acurax-social-media-widget plugin for WordPress CVE-2018-6356 (Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly pr ...) - jenkins CVE-2018-6355 (/goform/setLang on iBall 300M devices with "iB-WRB302N_1.0.1-Sep 8 201 ...) NOT-FOR-US: iBall 300M devices CVE-2018-6354 (templates/forms/thanks.html in Formspree before 2018-01-23 allows XSS ...) NOT-FOR-US: Formspree CVE-2018-6353 (The Python console in Electrum through 2.9.4 and 3.x through 3.0.5 sup ...) - electrum (bug #890003; unimportant) NOTE: https://github.com/spesmilo/electrum/issues/3678 NOTE: https://github.com/spesmilo/electrum/pull/3700 CVE-2018-6352 (In PoDoFo 0.9.5, there is an Excessive Iteration in the PdfParser::Rea ...) - libpodofo 0.9.6+dfsg-3 [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1539237 NOTE: https://sourceforge.net/p/podofo/tickets/3/ CVE-2018-6351 RESERVED CVE-2018-6350 (An out-of-bounds read was possible in WhatsApp due to incorrect parsin ...) NOT-FOR-US: WhatsApp CVE-2018-6349 (When receiving calls using WhatsApp for Android, a missing size check ...) NOT-FOR-US: WhatsApp CVE-2018-6348 RESERVED CVE-2018-6347 (An issue in the Proxygen handling of HTTP2 parsing of headers/trailers ...) NOT-FOR-US: Facebook Proxygen CVE-2018-6346 (A potential denial-of-service issue in the Proxygen handling of invali ...) NOT-FOR-US: Facebook Proxygen CVE-2018-6345 (The function number_format is vulnerable to a heap overflow issue when ...) - hhvm CVE-2018-6344 (A heap corruption in WhatsApp can be caused by a malformed RTP packet ...) NOT-FOR-US: Whatsapp CVE-2018-6343 (Proxygen fails to validate that a secondary auth manager is set before ...) NOT-FOR-US: Facebook Proxygen CVE-2018-6342 (react-dev-utils on Windows allows developers to run a local webserver ...) NOT-FOR-US: react-dev-utils CVE-2018-6341 (React applications which rendered to HTML using the ReactDOMServer API ...) NOT-FOR-US: React CVE-2018-6340 (The Memcache::getextendedstats function can be used to trigger an out- ...) - hhvm CVE-2018-6339 (When receiving calls using WhatsApp on Android, a stack allocation fai ...) NOT-FOR-US: WhatsApp CVE-2018-6338 RESERVED CVE-2018-6337 (folly::secureRandom will re-use a buffer between parent and child proc ...) - hhvm (Only affects 3.26) NOTE: https://github.com/facebook/hhvm/commit/e2d10a1e32d01f71aaadd81169bcb9ae86c5d6b8 NOTE: https://hhvm.com/blog/2018/05/24/hhvm-3.26.3.html CVE-2018-6336 (An issue was discovered in osquery. A maliciously crafted Universal/fa ...) NOT-FOR-US: osquery CVE-2018-6335 (A Malformed h2 frame can cause 'std::out_of_range' exception when pars ...) - hhvm 3.24.7+dfsg-1 NOTE: https://github.com/facebook/hhvm/commit/4cb57dd753a339654ca464c139db9871fe961d56 NOTE: https://hhvm.com/blog/2018/05/04/hhvm-3.25.3.html CVE-2018-6334 (Multipart-file uploads call variables to be improperly registered in t ...) - hhvm 3.24.7+dfsg-1 (bug #895194) NOTE: https://hhvm.com/blog/2018/03/30/hhvm-3.25.2.html NOTE: https://github.com/facebook/hhvm/commit/6937de5544c3eead3466b75020d8382080ed0cff CVE-2018-6333 (The hhvm-attach deep link handler in Nuclide did not properly sanitize ...) NOT-FOR-US: Nuclide CVE-2018-6332 (A potential denial-of-service issue in the Proxygen handling of invali ...) - hhvm 3.24.7+dfsg-1 (bug #895194) NOTE: https://hhvm.com/blog/2018/03/15/hhvm-3.25.html CVE-2018-6331 (Buck parser-cache command loads/saves state using Java serialized obje ...) NOT-FOR-US: Buck parser-cache CVE-2018-6330 (Laravel 5.4.15 is vulnerable to Error based SQL injection in save.php ...) NOT-FOR-US: Laravel Framework CVE-2018-6329 (It was discovered that the Unitrends Backup (UB) before 10.1.0 libbpex ...) NOT-FOR-US: Unitrends Backup CVE-2018-6328 (It was discovered that the Unitrends Backup (UB) before 10.1.0 user in ...) NOT-FOR-US: Unitrends Backup CVE-2018-6327 RESERVED CVE-2018-6326 RESERVED CVE-2018-6325 RESERVED CVE-2017-18077 (index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expr ...) - node-brace-expansion 1.1.8-1 (unimportant; bug #862712) [stretch] - node-brace-expansion 1.1.6-1+deb9u1 NOTE: https://nodesecurity.io/advisories/338 NOTE: https://github.com/juliangruber/brace-expansion/issues/33 NOTE: https://github.com/juliangruber/brace-expansion/pull/35/commits/b13381281cead487cbdbfd6a69fb097ea5e456c3 NOTE: nodejs not covered by security support CVE-2017-18076 (In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value ...) {DSA-4109-1} [experimental] - ruby-omniauth 1.6.1-1 - ruby-omniauth 1.3.1-2 (bug #888523) NOTE: https://github.com/omniauth/omniauth/pull/867 CVE-2018-6324 (F-Secure Radar (on-premises) before 2018-02-15 has an Unvalidated Redi ...) NOT-FOR-US: F-Secure Radar CVE-2018-6323 (The elf_object_p function in elfcode.h in the Binary File Descriptor ( ...) - binutils 2.30-3 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22746 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=38e64b0ecc7f4ee64a02514b8d532782ac057fa2 CVE-2018-6322 (Panda Global Protection 17.0.1 allows local users to gain privileges o ...) NOT-FOR-US: Panda Global Protection CVE-2018-6321 (Unquoted Windows search path vulnerability in the panda_url_filtering ...) NOT-FOR-US: Panda Global Protection CVE-2018-6320 (A vulnerability has been discovered in login.cgi in Pulse Secure Pulse ...) NOT-FOR-US: Pulse Secure CVE-2018-6319 (In Sophos Tester Tool 3.2.0.7 Beta, the driver accepts a special Devic ...) NOT-FOR-US: Sophos Tester Tool CVE-2018-6318 (In Sophos Tester Tool 3.2.0.7 Beta, the driver loads (in the context o ...) NOT-FOR-US: Sophos Tester Tool CVE-2018-6317 (The remote management interface in Claymore Dual Miner 10.5 and earlie ...) NOT-FOR-US: Claymore's Dual Ethereum CVE-2018-6316 (Ivanti Endpoint Security (formerly HEAT Endpoint Management and Securi ...) NOT-FOR-US: Ivanti Endpoint Security CVE-2018-6315 (The outputSWF_TEXT_RECORD function (util/outputscript.c) in libming th ...) {DLA-1305-1} - ming NOTE: https://github.com/libming/libming/issues/101 CVE-2018-6314 RESERVED CVE-2018-6313 (Cross-site scripting (XSS) in WBCE CMS 1.3.1 allows remote authenticat ...) NOT-FOR-US: WBCE CMS CVE-2016-10710 (Biscom Secure File Transfer (SFT) 5.0.1000 through 5.0.1048 does not v ...) NOT-FOR-US: Biscom Secure File Transfer CVE-2017-1000505 (In Jenkins Script Security Plugin version 1.36 and earlier, users with ...) NOT-FOR-US: Jenkins Script Security Plugin CVE-2017-1000468 REJECTED CVE-2017-1000464 REJECTED CVE-2017-1000414 (ImpulseAdventure JPEGsnoop version 1.7.5 is vulnerable to a division b ...) NOT-FOR-US: ImpulseAdventure JPEGsnoop CVE-2018-6312 (A privileged account with a weak default password on the Foxconn femto ...) NOT-FOR-US: Foxconn femtocell FEMTO AP-FC4064-T CVE-2018-6311 (One can gain root access on the Foxconn femtocell FEMTO AP-FC4064-T ve ...) NOT-FOR-US: Foxconn femtocell FEMTO AP-FC4064-T CVE-2018-6310 RESERVED CVE-2018-6309 RESERVED CVE-2018-6308 (Multiple SQL injections exist in SugarCRM Community Edition 6.5.26 and ...) NOT-FOR-US: SugarCRM CVE-2018-6307 (LibVNC before commit ca2a5ac02fbbadd0a21fabba779c1ea69173d10b contains ...) {DSA-4383-1 DLA-1979-1 DLA-1617-1} - libvncserver 0.9.11+dfsg-1.2 (bug #916941) - italc [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1 NOTE: https://github.com/LibVNC/libvncserver/issues/241 NOTE: https://github.com/LibVNC/libvncserver/commit/ca2a5ac02fbbadd0a21fabba779c1ea69173d10b NOTE: https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-026-libvnc-heap-use-after-free/ CVE-2018-6306 (Unauthorized code execution from specific DLL and is known as DLL Hija ...) NOT-FOR-US: Kaspersky Password Manager CVE-2018-6305 (Denial of service in Gemalto's Sentinel LDK RTE version before 7.65 ...) NOT-FOR-US: Gemalto CVE-2018-6304 (Stack overflow in custom XML-parser in Gemalto's Sentinel LDK RTE vers ...) NOT-FOR-US: Gemalto CVE-2018-6303 (Denial of service by uploading malformed firmware in Hanwha Techwin Sm ...) NOT-FOR-US: Hanwha Techwin Smartcams CVE-2018-6302 (Denial of service by blocking of new camera registration on the cloud ...) NOT-FOR-US: Hanwha Techwin Smartcams CVE-2018-6301 (Arbitrary camera access and monitoring via cloud in Hanwha Techwin Sma ...) NOT-FOR-US: Hanwha Techwin Smartcams CVE-2018-6300 (Remote password change in Hanwha Techwin Smartcams ...) NOT-FOR-US: Hanwha Techwin Smartcams CVE-2018-6299 (Authentication bypass in Hanwha Techwin Smartcams ...) NOT-FOR-US: Hanwha Techwin Smartcams CVE-2018-6298 (Remote code execution in Hanwha Techwin Smartcams ...) NOT-FOR-US: Hanwha Techwin Smartcams CVE-2018-6297 (Buffer overflow in Hanwha Techwin Smartcams ...) NOT-FOR-US: Hanwha Techwin Smartcams CVE-2018-6296 (An undocumented (hidden) capability for switching the web interface in ...) NOT-FOR-US: Hanwha Techwin Smartcams CVE-2018-6295 (Unencrypted way of remote control and communications in Hanwha Techwin ...) NOT-FOR-US: Hanwha Techwin Smartcams CVE-2018-6294 (Unsecured way of firmware update in Hanwha Techwin Smartcams ...) NOT-FOR-US: Hanwha Techwin Smartcams CVE-2018-6293 (Arbitrary File Read in Saperion Web Client version 7.5.2 83166. ...) NOT-FOR-US: Saperion Web Client CVE-2018-6292 (Remote Code Execution in Saperion Web Client version 7.5.2 83166. ...) NOT-FOR-US: Saperion Web Client CVE-2018-6291 (WebConsole Cross-Site Scripting in Kaspersky Secure Mail Gateway versi ...) NOT-FOR-US: Kaspersky Secure Mail Gateway CVE-2018-6290 (Local Privilege Escalation in Kaspersky Secure Mail Gateway version 1. ...) NOT-FOR-US: Kaspersky Secure Mail Gateway CVE-2018-6289 (Configuration file injection leading to Code Execution as Root in Kasp ...) NOT-FOR-US: Kaspersky Secure Mail Gateway CVE-2018-6288 (Cross-site Request Forgery leading to Administrative account takeover ...) NOT-FOR-US: Kaspersky Secure Mail Gateway CVE-2018-6287 RESERVED CVE-2018-6286 RESERVED NOT-FOR-US: NVIDIA component for Android CVE-2018-6285 RESERVED CVE-2018-6284 RESERVED NOT-FOR-US: NVIDIA component for Android CVE-2018-6283 RESERVED CVE-2018-6282 RESERVED CVE-2018-6281 RESERVED NOT-FOR-US: NVIDIA component for Android CVE-2018-6280 RESERVED CVE-2018-6279 RESERVED CVE-2018-6278 RESERVED CVE-2018-6277 RESERVED CVE-2018-6276 RESERVED CVE-2018-6275 RESERVED CVE-2018-6274 RESERVED CVE-2018-6273 RESERVED CVE-2018-6272 RESERVED CVE-2018-6271 (NVIDIA Tegra OpenMax driver (libnvomx) contains a vulnerability in whi ...) NOT-FOR-US: NVIDIA component for Android CVE-2018-6270 RESERVED CVE-2018-6269 (NVIDIA Jetson TX2 contains a vulnerability in the kernel driver where ...) NOT-FOR-US: NVIDIA CVE-2018-6268 (NVIDIA Tegra library contains a vulnerability in libnvmmlite_video.so, ...) NOT-FOR-US: NVIDIA component for Android CVE-2018-6267 (NVIDIA Tegra OpenMax driver (libnvomx) contains a vulnerability in whi ...) NOT-FOR-US: NVIDIA component for Android CVE-2018-6266 (NVIDIA GeForce Experience contains a vulnerability in all versions pri ...) NOT-FOR-US: NVIDIA GeForce Experience CVE-2018-6265 (NVIDIA GeForce Experience contains a vulnerability in all versions pri ...) NOT-FOR-US: NVIDIA GeForce Experience CVE-2018-6264 RESERVED CVE-2018-6263 (NVIDIA GeForce Experience contains a vulnerability in all versions pri ...) NOT-FOR-US: NVIDIA GeForce Experience CVE-2018-6262 (NVIDIA GeForce Experience prior to 3.15 contains a vulnerability when ...) NOT-FOR-US: NVIDIA GeForce Experience CVE-2018-6261 (NVIDIA GeForce Experience prior to 3.15 contains a vulnerability when ...) NOT-FOR-US: NVIDIA GeForce Experience CVE-2018-6260 (NVIDIA graphics driver contains a vulnerability that may allow access ...) [experimental] - nvidia-graphics-drivers 418.43-1 - nvidia-graphics-drivers 410.104-1 (bug #913467) [stretch] - nvidia-graphics-drivers 390.116-1 [jessie] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-390xx 390.116-1 [buster] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx [buster] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported) [stretch] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported) - nvidia-graphics-drivers-legacy-304xx [stretch] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) [jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/4738 NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/4772 CVE-2018-6259 (NVIDIA GeForce Experience all versions prior to 3.14.1 contains a pote ...) NOT-FOR-US: NVIDIA GeForce Experience CVE-2018-6258 (NVIDIA GeForce Experience all versions prior to 3.14.1 contains a pote ...) NOT-FOR-US: NVIDIA GeForce Experience CVE-2018-6257 (NVIDIA GeForce Experience all versions prior to 3.14.1 contains a pote ...) NOT-FOR-US: NVIDIA GeForce Experience CVE-2018-6256 RESERVED CVE-2018-6255 RESERVED CVE-2018-6254 (In Android before the 2018-05-05 security patch level, NVIDIA Media Se ...) NOT-FOR-US: NVIDIA components for Android CVE-2018-6253 (NVIDIA GPU Display Driver contains a vulnerability in the DirectX and ...) - nvidia-graphics-drivers 390.48-1 (bug #894338) [stretch] - nvidia-graphics-drivers 384.130-1 [jessie] - nvidia-graphics-drivers (Non-free not supported) [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx [buster] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported, no updates provided by Nvidia for 340) [stretch] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported) - nvidia-graphics-drivers-legacy-304xx [stretch] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) [jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/4649 CVE-2018-6252 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: NVIDIA Windows driver CVE-2018-6251 (NVIDIA Windows GPU Display Driver contains a vulnerability in the Dire ...) NOT-FOR-US: NVIDIA Windows driver CVE-2018-6250 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: NVIDIA Windows driver CVE-2018-6249 (NVIDIA GPU Display Driver contains a vulnerability in kernel mode laye ...) - nvidia-graphics-drivers 390.48-1 (bug #894338) [stretch] - nvidia-graphics-drivers 384.130-1 [jessie] - nvidia-graphics-drivers (Non-free not supported) [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx [buster] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported, no updates provided by Nvidia for 340) [stretch] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported) - nvidia-graphics-drivers-legacy-304xx [stretch] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) [jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/4649 CVE-2018-6248 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: NVIDIA Windows driver CVE-2018-6247 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: NVIDIA Windows driver CVE-2018-6246 (In Android before the 2018-05-05 security patch level, NVIDIA Widevine ...) NOT-FOR-US: NVIDIA components for Android CVE-2018-6245 RESERVED CVE-2018-6244 RESERVED CVE-2018-6243 (NVIDIA Tegra TLK Widevine Trust Application contains a vulnerability i ...) NOT-FOR-US: NVIDIA CVE-2018-6242 (Some NVIDIA Tegra mobile processors released prior to 2016 contain a b ...) NOT-FOR-US: NVIDIA CVE-2018-6241 (NVIDIA Tegra Gralloc module contains a vulnerability in driver in whic ...) NOT-FOR-US: NVIDIA CVE-2018-6240 (NVIDIA Tegra contains a vulnerability in BootRom where a user with ker ...) NOT-FOR-US: NVIDIA CVE-2018-6239 (NVIDIA Jetson TX2 contains a vulnerability by means of speculative exe ...) NOT-FOR-US: NVIDIA CVE-2018-6238 RESERVED CVE-2018-6237 (A vulnerability in Trend Micro Smart Protection Server (Standalone) 3. ...) NOT-FOR-US: Trend Micro CVE-2018-6236 (A Time-of-Check Time-of-Use privilege escalation vulnerability in Tren ...) NOT-FOR-US: Trend Micro CVE-2018-6235 (An Out-of-Bounds write privilege escalation vulnerability in Trend Mic ...) NOT-FOR-US: Trend Micro CVE-2018-6234 (An Out-of-Bounds Read Information Disclosure vulnerability in Trend Mi ...) NOT-FOR-US: Trend Micro CVE-2018-6233 (A buffer overflow privilege escalation vulnerability in Trend Micro Ma ...) NOT-FOR-US: Trend Micro CVE-2018-6232 (A buffer overflow privilege escalation vulnerability in Trend Micro Ma ...) NOT-FOR-US: Trend Micro CVE-2018-6231 (A server auth command injection authentication bypass vulnerability in ...) NOT-FOR-US: Trend Micro CVE-2018-6230 (A SQL injection vulnerability in an Trend Micro Email Encryption Gatew ...) NOT-FOR-US: Trend Micro CVE-2018-6229 (A SQL injection vulnerability in an Trend Micro Email Encryption Gatew ...) NOT-FOR-US: Trend Micro CVE-2018-6228 (A SQL injection vulnerability in a Trend Micro Email Encryption Gatewa ...) NOT-FOR-US: Trend Micro CVE-2018-6227 (A stored cross-site scripting (XSS) vulnerability in Trend Micro Email ...) NOT-FOR-US: Trend Micro CVE-2018-6226 (Reflected cross-site scripting (XSS) vulnerabilities in two Trend Micr ...) NOT-FOR-US: Trend Micro CVE-2018-6225 (An XML external entity injection (XXE) vulnerability in Trend Micro Em ...) NOT-FOR-US: Trend Micro CVE-2018-6224 (A lack of cross-site request forgery (CSRF) protection vulnerability i ...) NOT-FOR-US: Trend Micro CVE-2018-6223 (A missing authentication for appliance registration vulnerability in T ...) NOT-FOR-US: Trend Micro CVE-2018-6222 (Arbitrary logs location in Trend Micro Email Encryption Gateway 5.5 co ...) NOT-FOR-US: Trend Micro CVE-2018-6221 (An unvalidated software update vulnerability in Trend Micro Email Encr ...) NOT-FOR-US: Trend Micro CVE-2018-6220 (An arbitrary file write vulnerability in Trend Micro Email Encryption ...) NOT-FOR-US: Trend Micro CVE-2018-6219 (An Insecure Update via HTTP vulnerability in Trend Micro Email Encrypt ...) NOT-FOR-US: Trend Micro CVE-2018-6218 (A DLL Hijacking vulnerability in Trend Micro's User-Mode Hooking Modul ...) NOT-FOR-US: Trend Micro CVE-2018-6217 (The WStr::_alloc_iostr_data() function in kso.dll in Kingsoft WPS Offi ...) NOT-FOR-US: Kingsoft WPS Office CVE-2018-6216 RESERVED CVE-2018-6215 RESERVED CVE-2018-6214 RESERVED CVE-2018-6213 (In the web server on D-Link DIR-620 devices with a certain customized ...) NOT-FOR-US: D-Link CVE-2018-6212 (On D-Link DIR-620 devices with a certain customized (by ISP) variant o ...) NOT-FOR-US: D-Link CVE-2018-6211 (On D-Link DIR-620 devices with a certain customized (by ISP) variant o ...) NOT-FOR-US: D-Link CVE-2018-6210 (D-Link DIR-620 devices, with a certain Rostelekom variant of firmware ...) NOT-FOR-US: D-Link CVE-2018-6209 (In Max Secure Anti Virus 19.0.3.019,, the driver file (MaxCryptMon.sys ...) NOT-FOR-US: Max Secure Anti Virus CVE-2018-6208 (In Max Secure Anti Virus 19.0.3.019,, the driver file (MaxProtector32. ...) NOT-FOR-US: Max Secure Anti Virus CVE-2018-6207 (In Max Secure Anti Virus 19.0.3.019,, the driver file (MaxProtector32. ...) NOT-FOR-US: Max Secure Anti Virus CVE-2018-6206 (In Max Secure Anti Virus 19.0.3.019,, the driver file (MaxProtector32. ...) NOT-FOR-US: Max Secure Anti Virus CVE-2018-6205 (In Max Secure Anti Virus 19.0.3.019,, the driver file (MaxProtector32. ...) NOT-FOR-US: Max Secure Anti Virus CVE-2018-6204 (In Max Secure Anti Virus 19.0.3.019,, the driver file (SDActMon.sys) a ...) NOT-FOR-US: Max Secure Anti Virus CVE-2018-6203 (In eScan Antivirus 14.0.1400.2029, the driver file (econceal.sys) allo ...) NOT-FOR-US: eScan Antivirus CVE-2018-6202 (In eScan Antivirus 14.0.1400.2029, the driver file (econceal.sys) allo ...) NOT-FOR-US: eScan Antivirus CVE-2018-6201 (In eScan Antivirus 14.0.1400.2029, the driver file (econceal.sys) allo ...) NOT-FOR-US: eScan Antivirus CVE-2018-6200 (vBulletin 3.x.x and 4.2.x through 4.2.5 has an open redirect via the r ...) NOT-FOR-US: vBulletin CVE-2018-6199 RESERVED CVE-2018-6195 (admin/partials/wp-splashing-admin-main.php in the Splashing Images plu ...) NOT-FOR-US: WordPress plugin wp-splashing-images CVE-2018-6194 (A cross-site scripting (XSS) vulnerability in admin/partials/wp-splash ...) NOT-FOR-US: WordPress plugin wp-splashing-images CVE-2018-6193 (A Cross-Site Scripting (XSS) vulnerability was found in Routers2 2.24, ...) NOT-FOR-US: Routers2 CVE-2018-6192 (In Artifex MuPDF 1.12.0, the pdf_read_new_xref function in pdf/pdf-xre ...) {DSA-4334-1 DLA-1838-1} - mupdf 1.13.0+ds1-1 (bug #888487) [wheezy] - mupdf (Minor issue) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698916 NOTE: Fixed by: http://www.ghostscript.com/cgi-bin/findgit.cgi?5e411a99604ff6be5db9e273ee84737204113299 CVE-2018-6191 (The js_strtod function in jsdtoa.c in Artifex MuJS through 1.0.2 has a ...) NOT-FOR-US: MuJS CVE-2018-6190 (Netis WF2419 V3.2.41381 devices allow XSS via the Description field on ...) NOT-FOR-US: Netis WF2419 V3.2.41381 devices CVE-2017-1000504 (A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier s ...) - jenkins CVE-2017-1000503 (A race condition during Jenkins 2.81 through 2.94 (inclusive); 2.89.1 ...) - jenkins CVE-2017-1000502 (Users with permission to create or configure agents in Jenkins 1.37 an ...) - jenkins CVE-2017-1000474 (Soyket Chowdhury Vehicle Sales Management System version 2017-07-30 is ...) NOT-FOR-US: Soyket Chowdhury Vehicle Sales Management System CVE-2018-6198 (w3m through 0.5.3 does not properly handle temporary files when the ~/ ...) - w3m 0.5.3-36 (bug #888097; unimportant) [stretch] - w3m 0.5.3-34+deb9u1 NOTE: https://github.com/tats/w3m/commit/18dcbadf2771cdb0c18509b14e4e73505b242753 NOTE: Neutralised by kernel hardening CVE-2018-6197 (w3m through 0.5.3 is prone to a NULL pointer dereference flaw in formU ...) {DLA-2195-1} - w3m 0.5.3-36 (low) [stretch] - w3m 0.5.3-34+deb9u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/89 NOTE: https://github.com/tats/w3m/commit/7fdc83b0364005a0b5ed869230dd81752ba022e8 CVE-2018-6196 (w3m through 0.5.3 is prone to an infinite recursion flaw in HTMLlinepr ...) {DLA-2195-1} - w3m 0.5.3-36 (low) [stretch] - w3m 0.5.3-34+deb9u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/88 NOTE: https://github.com/tats/w3m/commit/8354763b90490d4105695df52674d0fcef823e92 CVE-2018-6189 (F-Secure Radar (on-premises) before 2018-02-15 has XSS via vectors inv ...) NOT-FOR-US: F-Secure Radar CVE-2018-6188 (django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0. ...) - python-django 1:1.11.10-1 [stretch] - python-django (Issue introduced in 1.11.8 and 2.0) [jessie] - python-django (Issue introduced in 1.11.8 and 2.0) [wheezy] - python-django (Issue introduced in 1.11.8 and 2.0) NOTE: https://www.djangoproject.com/weblog/2018/feb/01/security-releases/ CVE-2018-6187 (In Artifex MuPDF 1.12.0, there is a heap-based buffer overflow vulnera ...) {DSA-4334-1} - mupdf 1.13.0+ds1-1 (bug #888464) [jessie] - mupdf (Minor issue) [wheezy] - mupdf (Most likely not affected, minor issue) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698908 NOTE: https://lists.debian.org/debian-lts/2018/03/msg00041.html NOTE: Fixed by: http://www.ghostscript.com/cgi-bin/findgit.cgi?3e30fbb7bf5efd88df431e366492356e7eb969ec NOTE: issued covered by: http://www.ghostscript.com/cgi-bin/findgit.cgi?fa9cd085533f68367c299e058ab3fbb7ad8a2dc6 CVE-2018-6186 (Citrix NetScaler VPX through NS12.0 53.13.nc allows an SSRF attack via ...) NOT-FOR-US: Citrix NetScaler VPX CVE-2018-6185 (In Cloudera Navigator Key Trustee KMS 5.12 and 5.13, incorrect default ...) NOT-FOR-US: Cloudera Navigator Key Trustee KMS CVE-2018-6184 (ZEIT Next.js 4 before 4.2.3 has Directory Traversal under the /_next r ...) NOT-FOR-US: ZEIT Next.js CVE-2018-6183 (BitDefender Total Security 2018 allows local users to gain privileges ...) NOT-FOR-US: BitDefender Total Security CVE-2018-6182 (Mahara 16.10 before 16.10.9 and 17.04 before 17.04.7 and 17.10 before ...) - mahara CVE-2018-6181 RESERVED CVE-2018-6180 (A flaw in the profile section of Online Voting System 1.0 allows an un ...) NOT-FOR-US: Online Voting System CVE-2018-1000017 REJECTED CVE-2017-1000475 (FreeSSHd 1.3.1 version is vulnerable to an Unquoted Path Service allow ...) NOT-FOR-US: FreeSSHd CVE-2017-18075 (crypto/pcrypt.c in the Linux kernel before 4.14.13 mishandles freeing ...) - linux 4.14.13-1 [stretch] - linux 4.9.80-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/d76c68109f37cb85b243a1cf0f40313afd2bae68 CVE-2018-1000018 (An information disclosure in ovirt-hosted-engine-setup prior to 2.2.7 ...) NOT-FOR-US: ovirt-engine CVE-2018-6179 (Insufficient enforcement of file access permission in the activeTab ca ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6178 (Eliding from the wrong side in an infobar in DevTools in Google Chrome ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6177 (Information leak in media engine in Google Chrome prior to 68.0.3440.7 ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6176 (Insufficient file type enforcement in Extensions API in Google Chrome ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6175 (Incorrect handling of confusable characters in URL Formatter in Google ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6174 (Integer overflows in Swiftshader in Google Chrome prior to 68.0.3440.7 ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6173 (Incorrect handling of confusable characters in URL Formatter in Google ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6172 (Incorrect handling of confusable characters in URL Formatter in Google ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6171 (Use after free in Bluetooth in Google Chrome prior to 68.0.3440.75 all ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6170 (A bad cast in PDFium in Google Chrome prior to 68.0.3440.75 allowed a ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6169 (Lack of timeout on extension install prompt in Extensions in Google Ch ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6168 (Information leak in media engine in Google Chrome prior to 68.0.3440.7 ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6167 (Incorrect handling of confusable characters in URL Formatter in Google ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6166 (Incorrect handling of confusable characters in URL Formatter in Google ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6165 (Incorrect handling of reloads in Navigation in Google Chrome prior to ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6164 (Insufficient origin checks for CSS content in Blink in Google Chrome p ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6163 (Incorrect handling of confusable characters in URL Formatter in Google ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6162 (Improper deserialization in WebGL in Google Chrome on Mac prior to 68. ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6161 (Insufficient policy enforcement in Blink in Google Chrome prior to 68. ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6160 (JavaScript alert handling in Prompts in Google Chrome prior to 68.0.34 ...) - chromium-browser (Only affects Chrome on iOS) CVE-2018-6159 (Insufficient policy enforcement in ServiceWorker in Google Chrome prio ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6158 (A race condition in Oilpan in Google Chrome prior to 68.0.3440.75 allo ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6157 (Type confusion in WebRTC in Google Chrome prior to 68.0.3440.75 allowe ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6156 (Incorect derivation of a packet length in WebRTC in Google Chrome prio ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) - firefox 70.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/#CVE-2018-6156 CVE-2018-6155 (Incorrect handling of frames in the VP8 parser in Google Chrome prior ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6154 (Insufficient data validation in WebGL in Google Chrome prior to 68.0.3 ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6153 (A precision error in Skia in Google Chrome prior to 68.0.3440.75 allow ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6152 (The implementation of the Page.downloadBehavior backend unconditionall ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6151 (Bad cast in DevTools in Google Chrome on Win, Linux, Mac, Chrome OS pr ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6150 (Incorrect handling of CORS in ServiceWorker in Google Chrome prior to ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6149 (Type confusion in JavaScript in Google Chrome prior to 67.0.3396.87 al ...) {DSA-4237-1} - chromium-browser 67.0.3396.87-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6148 (Incorrect implementation in Content Security Policy in Google Chrome p ...) {DSA-4237-1} - chromium-browser 67.0.3396.79-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6147 (Lack of secure text entry mode in Browser UI in Google Chrome on Mac p ...) {DSA-4237-1} - chromium-browser 67.0.3396.62-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6146 RESERVED CVE-2018-6145 (Insufficient data validation in HTML parser in Google Chrome prior to ...) {DSA-4237-1} - chromium-browser 67.0.3396.62-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6144 (Off-by-one error in PDFium in Google Chrome prior to 67.0.3396.62 allo ...) {DSA-4237-1} - chromium-browser 67.0.3396.62-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6143 (Insufficient validation in V8 in Google Chrome prior to 67.0.3396.62 a ...) {DSA-4237-1} - chromium-browser 67.0.3396.62-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6142 (Array bounds check failure in V8 in Google Chrome prior to 67.0.3396.6 ...) {DSA-4237-1} - chromium-browser 67.0.3396.62-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6141 (Insufficient validation of an image filter in Skia in Google Chrome pr ...) {DSA-4237-1} - chromium-browser 67.0.3396.62-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6140 (Allowing the chrome.debugger API to attach to Web UI pages in DevTools ...) {DSA-4237-1} - chromium-browser 67.0.3396.62-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6139 (Insufficient target checks on the chrome.debugger API in DevTools in G ...) {DSA-4237-1} - chromium-browser 67.0.3396.62-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6138 (Insufficient policy enforcement in Extensions API in Google Chrome pri ...) {DSA-4237-1} - chromium-browser 67.0.3396.62-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6137 (CSS Paint API in Blink in Google Chrome prior to 67.0.3396.62 allowed ...) {DSA-4237-1} - chromium-browser 67.0.3396.62-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6136 (Missing type check in V8 in Google Chrome prior to 67.0.3396.62 allowe ...) {DSA-4237-1} - chromium-browser 67.0.3396.62-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6135 (Lack of clearing the previous site before loading alerts from a new on ...) {DSA-4237-1} - chromium-browser 67.0.3396.62-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6134 (Information leak in Blink in Google Chrome prior to 67.0.3396.62 allow ...) {DSA-4237-1} - chromium-browser 67.0.3396.62-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6133 (Incorrect handling of confusable characters in URL Formatter in Google ...) {DSA-4237-1} - chromium-browser 67.0.3396.62-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6132 (Uninitialized data in WebRTC in Google Chrome prior to 67.0.3396.62 al ...) {DSA-4237-1} - chromium-browser 67.0.3396.62-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6131 (Object lifecycle issue in WebAssembly in Google Chrome prior to 67.0.3 ...) {DSA-4237-1} - chromium-browser 67.0.3396.62-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6130 (Incorrect handling of object lifetimes in WebRTC in Google Chrome prio ...) {DSA-4237-1} - chromium-browser 67.0.3396.62-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6129 (Out of bounds array access in WebRTC in Google Chrome prior to 67.0.33 ...) {DSA-4237-1} - chromium-browser 67.0.3396.62-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6128 (Incorrect URL parsing in WebKit in Google Chrome on iOS prior to 67.0. ...) - chromium-browser (ios specific) CVE-2018-6127 (Early free of object in use in IndexDB in Google Chrome prior to 67.0. ...) {DSA-4237-1} - chromium-browser 67.0.3396.62-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6126 (A precision error in Skia in Google Chrome prior to 67.0.3396.62 allow ...) {DSA-4237-1 DSA-4220-1} - chromium-browser 67.0.3396.62-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) - firefox 60.0.2-1 - firefox-esr 52.8.1esr-1 - skia (bug #818180) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-14/ CVE-2018-6125 RESERVED {DSA-4237-1} - chromium-browser 67.0.3396.62-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6124 (Type confusion in ReadableStreams in Blink in Google Chrome prior to 6 ...) {DSA-4237-1} - chromium-browser 67.0.3396.62-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6123 (A use after free in Blink in Google Chrome prior to 67.0.3396.62 allow ...) {DSA-4237-1} - chromium-browser 67.0.3396.62-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6122 RESERVED {DSA-4237-1} - chromium-browser 66.0.3359.181-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6121 (Insufficient validation of input in Blink in Google Chrome prior to 66 ...) {DSA-4237-1} - chromium-browser 66.0.3359.181-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6120 (An integer overflow that could lead to an attacker-controlled heap out ...) {DSA-4237-1} - chromium-browser 66.0.3359.181-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6119 (Incorrect security UI in Omnibox in Google Chrome prior to 64.0.3282.1 ...) {DSA-4103-1} - chromium-browser 64.0.3282.119-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6118 (A double-eviction in the Incognito mode cache that lead to a user-afte ...) {DSA-4237-1} - chromium-browser 66.0.3359.139-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6117 (Confusing settings in Autofill in Google Chrome prior to 66.0.3359.117 ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6116 (A nullptr dereference in WebAssembly in Google Chrome prior to 66.0.33 ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6115 (Inappropriate setting of the SEE_MASK_FLAG_NO_UI flag in file download ...) - chromium-browser (windows specific) CVE-2018-6114 (Incorrect enforcement of CSP for <object> tags in Blink in Googl ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6113 (Improper handling of pending navigation entries in Navigation in Googl ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6112 (Making URLs clickable and allowing them to be styled in DevTools in Go ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6111 (An object lifetime issue in the developer tools network handler in Goo ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6110 (Parsing documents as HTML in Downloads in Google Chrome prior to 66.0. ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6109 (readAsText() can indefinitely read the file picked by the user, rather ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6108 (Incorrect handling of confusable characters in URL Formatter in Google ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6107 (Incorrect handling of confusable characters in URL Formatter in Google ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6106 (An asynchronous generator may return an incorrect state in V8 in Googl ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6105 (Incorrect handling of confusable characters in Omnibox in Google Chrom ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6104 (Incorrect handling of confusable characters in URL Formatter in Google ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6103 (A stagnant permission prompt in Prompts in Google Chrome prior to 66.0 ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6102 (Missing confusable characters in Internationalization in Google Chrome ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6101 (A lack of host validation in DevTools in Google Chrome prior to 66.0.3 ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6100 (Incorrect handling of confusable characters in URL Formatter in Google ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6099 (A lack of CORS checks in Blink in Google Chrome prior to 66.0.3359.117 ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6098 (Incorrect handling of confusable characters in URL Formatter in Google ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6097 (Incorrect handling of asynchronous methods in Fullscreen in Google Chr ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6096 (A JavaScript focused window could overlap the fullscreen notification ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6095 (Inappropriate dismissal of file picker on keyboard events in Blink in ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6094 (Inline metadata in GarbageCollection in Google Chrome prior to 66.0.33 ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6093 (Insufficient origin checks in Blink in Google Chrome prior to 66.0.335 ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6092 (An integer overflow on 32-bit systems in WebAssembly in Google Chrome ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6091 (Service Workers can intercept any request made by an <embed> or ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6090 (An integer overflow that lead to a heap buffer-overflow in Skia in Goo ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6089 (A lack of CORS checks, after a Service Worker redirected to a cross-or ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6088 (An iterator-invalidation bug in PDFium in Google Chrome prior to 66.0. ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6087 (A use-after-free in WebAssembly in Google Chrome prior to 66.0.3359.11 ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6086 (A double-eviction in the Incognito mode cache that lead to a user-afte ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6085 (Re-entry of a destructor in Networking Disk Cache in Google Chrome pri ...) {DSA-4182-1} - chromium-browser 66.0.3359.117-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6084 (Insufficiently sanitized distributed objects in Updater in Google Chro ...) - chromium-browser (Specific to MacOS) CVE-2018-6083 (Failure to disallow PWA installation from CSP sandboxed pages in AppMa ...) {DSA-4182-1} - chromium-browser 65.0.3325.146-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6082 (Including port 22 in the list of allowed FTP ports in Networking in Go ...) {DSA-4182-1} - chromium-browser 65.0.3325.146-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6081 (XSS vulnerabilities in Interstitials in Google Chrome prior to 65.0.33 ...) {DSA-4182-1} - chromium-browser 65.0.3325.146-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6080 (Lack of access control checks in Instrumentation in Google Chrome prio ...) {DSA-4182-1} - chromium-browser 65.0.3325.146-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6079 (Inappropriate sharing of TEXTURE_2D_ARRAY/TEXTURE_3D data between tabs ...) {DSA-4182-1} - chromium-browser 65.0.3325.146-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6078 (Incorrect handling of confusable characters in Omnibox in Google Chrom ...) {DSA-4182-1} - chromium-browser 65.0.3325.146-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6077 (Displacement map filters being applied to cross-origin images in Blink ...) {DSA-4182-1} - chromium-browser 65.0.3325.146-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6076 (Insufficient encoding of URL fragment identifiers in Blink in Google C ...) {DSA-4182-1} - chromium-browser 65.0.3325.146-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6075 (Incorrect handling of specified filenames in file downloads in Google ...) {DSA-4182-1} - chromium-browser 65.0.3325.146-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6074 (Failure to apply Mark-of-the-Web in Downloads in Google Chrome prior t ...) {DSA-4182-1} - chromium-browser 65.0.3325.146-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6073 (A heap buffer overflow in WebGL in Google Chrome prior to 65.0.3325.14 ...) {DSA-4182-1} - chromium-browser 65.0.3325.146-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6072 (An integer overflow leading to use after free in PDFium in Google Chro ...) {DSA-4182-1} - chromium-browser 65.0.3325.146-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6071 (An integer overflow in Skia in Google Chrome prior to 65.0.3325.146 al ...) {DSA-4182-1} - chromium-browser 65.0.3325.146-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6070 (Lack of CSP enforcement on WebUI pages in Bink in Google Chrome prior ...) {DSA-4182-1} - chromium-browser 65.0.3325.146-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6069 (Stack buffer overflow in Skia in Google Chrome prior to 65.0.3325.146 ...) {DSA-4182-1} - chromium-browser 65.0.3325.146-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6068 (Object lifecycle issue in Chrome Custom Tab in Google Chrome prior to ...) {DSA-4182-1} - chromium-browser 65.0.3325.146-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6067 (Incorrect IPC serialization in Skia in Google Chrome prior to 65.0.332 ...) {DSA-4182-1} - chromium-browser 65.0.3325.146-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6066 (Lack of CORS checking by ResourceFetcher/ResourceLoader in Blink in Go ...) {DSA-4182-1} - chromium-browser 65.0.3325.146-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6065 (Integer overflow in computing the required allocation size when instan ...) {DSA-4182-1} - chromium-browser 65.0.3325.146-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2018-6064 (Type Confusion in the implementation of __defineGetter__ in V8 in Goog ...) {DSA-4182-1} - chromium-browser 65.0.3325.146-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2018-6063 (Incorrect use of mojo::WrapSharedMemoryHandle in Mojo in Google Chrome ...) {DSA-4182-1} - chromium-browser 65.0.3325.146-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6062 (Heap overflow write in Skia in Google Chrome prior to 65.0.3325.146 al ...) {DSA-4182-1} - chromium-browser 65.0.3325.146-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6061 (A race in the handling of SharedArrayBuffers in WebAssembly in Google ...) {DSA-4182-1} - chromium-browser 65.0.3325.146-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2018-6060 (Use after free in WebAudio in Google Chrome prior to 65.0.3325.146 all ...) {DSA-4182-1} - chromium-browser 65.0.3325.146-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6059 RESERVED - chromium-browser (Chromium doesn't bundle Flash) CVE-2018-6058 RESERVED - chromium-browser (Chromium doesn't bundle Flash) CVE-2018-6057 (Lack of special casing of Android ashmem in Google Chrome prior to 65. ...) {DSA-4182-1} - chromium-browser 65.0.3325.146-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6056 (Type confusion could lead to a heap out-of-bounds write in V8 in Googl ...) {DSA-4182-1} [experimental] - chromium-browser 65.0.3325.73-1 - chromium-browser 65.0.3325.146-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2018-6055 (Insufficient policy enforcement in Catalog Service in Google Chrome pr ...) {DSA-4103-1} - chromium-browser 64.0.3282.119-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6054 (Use after free in WebUI in Google Chrome prior to 64.0.3282.119 allowe ...) {DSA-4103-1} - chromium-browser 64.0.3282.119-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6053 (Inappropriate implementation in New Tab Page in Google Chrome prior to ...) {DSA-4103-1} - chromium-browser 64.0.3282.119-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6052 (Lack of support for a non standard no-referrer policy value in Blink i ...) {DSA-4103-1} - chromium-browser 64.0.3282.119-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6051 (XSS Auditor in Google Chrome prior to 64.0.3282.119, did not ensure th ...) {DSA-4103-1} - chromium-browser 64.0.3282.119-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6050 (Incorrect security UI in Omnibox in Google Chrome prior to 64.0.3282.1 ...) {DSA-4103-1} - chromium-browser 64.0.3282.119-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6049 (Incorrect security UI in permissions prompt in Google Chrome prior to ...) {DSA-4103-1} - chromium-browser 64.0.3282.119-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6048 (Insufficient policy enforcement in Blink in Google Chrome prior to 64. ...) {DSA-4103-1} - chromium-browser 64.0.3282.119-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6047 (Insufficient policy enforcement in WebGL in Google Chrome prior to 64. ...) {DSA-4103-1} - chromium-browser 64.0.3282.119-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6046 (Insufficient data validation in DevTools in Google Chrome prior to 64. ...) {DSA-4103-1} - chromium-browser 64.0.3282.119-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6045 (Insufficient policy enforcement in DevTools in Google Chrome prior to ...) {DSA-4103-1} - chromium-browser 64.0.3282.119-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6044 RESERVED {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-6043 (Insufficient data validation in External Protocol Handler in Google Ch ...) {DSA-4103-1} - chromium-browser 64.0.3282.119-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6042 (Incorrect security UI in Omnibox in Google Chrome prior to 64.0.3282.1 ...) {DSA-4103-1} - chromium-browser 64.0.3282.119-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6041 (Incorrect security UI in navigation in Google Chrome prior to 64.0.328 ...) {DSA-4103-1} - chromium-browser 64.0.3282.119-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6040 (Insufficient policy enforcement in Blink in Google Chrome prior to 64. ...) {DSA-4103-1} - chromium-browser 64.0.3282.119-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6039 (Insufficient data validation in DevTools in Google Chrome prior to 64. ...) {DSA-4103-1} - chromium-browser 64.0.3282.119-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6038 (Heap buffer overflow in WebGL in Google Chrome prior to 64.0.3282.119 ...) {DSA-4103-1} - chromium-browser 64.0.3282.119-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6037 (Inappropriate implementation in autofill in Google Chrome prior to 64. ...) {DSA-4103-1} - chromium-browser 64.0.3282.119-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6036 (Insufficient data validation in V8 in Google Chrome prior to 64.0.3282 ...) {DSA-4103-1} - chromium-browser 64.0.3282.119-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6035 (Insufficient policy enforcement in DevTools in Google Chrome prior to ...) {DSA-4103-1} - chromium-browser 64.0.3282.119-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6034 (Insufficient data validation in WebGL in Google Chrome prior to 64.0.3 ...) {DSA-4103-1} - chromium-browser 64.0.3282.119-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6033 (Insufficient data validation in Downloads in Google Chrome prior to 64 ...) {DSA-4103-1} - chromium-browser 64.0.3282.119-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6032 (Insufficient policy enforcement in Blink in Google Chrome prior to 64. ...) {DSA-4103-1} - chromium-browser 64.0.3282.119-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6031 (Use after free in PDFium in Google Chrome prior to 64.0.3282.119 allow ...) {DSA-4103-1} - chromium-browser 64.0.3282.119-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6030 RESERVED CVE-2018-1000016 REJECTED CVE-2018-1000015 (On Jenkins instances with Authorize Project plugin, the authentication ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000014 (Jenkins Translation Assistance Plugin 1.15 and earlier did not require ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000013 (Jenkins Release Plugin 2.9 and earlier did not require form submission ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000012 (Jenkins Warnings Plugin 4.64 and earlier processes XML external entiti ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000011 (Jenkins FindBugs Plugin 4.71 and earlier processes XML external entiti ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000010 (Jenkins DRY Plugin 2.49 and earlier processes XML external entities in ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000009 (Jenkins Checkstyle Plugin 3.49 and earlier processes XML external enti ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000008 (Jenkins PMD Plugin 3.49 and earlier processes XML external entities in ...) NOT-FOR-US: Jenkins plugin CVE-2015-1142857 (On multiple SR-IOV cars it is possible for VF's assigned to guests to ...) NOT-FOR-US: SR-IOV cars CVE-2018-6029 (The copy function in application/admin/controller/Article.php in NoneC ...) NOT-FOR-US: NoneCms CVE-2018-6028 RESERVED CVE-2018-6027 RESERVED CVE-2018-6026 RESERVED CVE-2018-6025 RESERVED CVE-2018-6024 (SQL Injection exists in the Project Log 1.5.3 component for Joomla! vi ...) NOT-FOR-US: Project Log component for Joomla! CVE-2018-6023 (Fastweb FASTgate 0.00.47 devices are vulnerable to CSRF, with impacts ...) NOT-FOR-US: Fastweb FASTgate CVE-2018-6022 (Directory traversal vulnerability in application/admin/controller/Main ...) NOT-FOR-US: NoneCms CVE-2018-6021 (Silex SD-320AN version 2.01 and prior and GE MobileLink(GEH-SD-320AN) ...) NOT-FOR-US: Silex Technology products CVE-2018-6020 (In Silex SX-500 all versions and GE MobileLink(GEH-500) version 1.54 a ...) NOT-FOR-US: Silex Technology products CVE-2018-6019 (Samsung Display Solutions App before 3.02 for Android allows man-in-th ...) NOT-FOR-US: Samsung Display Solutions App for Android CVE-2018-6018 (Fixed sizes of HTTPS responses in Tinder iOS app and Tinder Android ap ...) NOT-FOR-US: Tinder CVE-2018-6017 (Unencrypted transmission of images in Tinder iOS app and Tinder Androi ...) NOT-FOR-US: Tinder CVE-2018-6016 (Unquoted Windows search path vulnerability in the srvInventoryWebServe ...) NOT-FOR-US: 10-Strike Network Monitor CVE-2018-6015 (An issue was discovered in the "Email Subscribers & Newsletters" p ...) NOT-FOR-US: "Email Subscribers & Newsletters" plugin for WordPress CVE-2018-6014 (Subsonic v6.1.3 has an insecure allow-access-from domain="*" Flash cro ...) NOT-FOR-US: Subsonic CVE-2018-6013 (Cross-site scripting (XSS) in BigTree 4.2.19 allows any remote users t ...) NOT-FOR-US: BigTree CMS CVE-2018-6012 (The 'Weather Service' feature of the Green Electronics RainMachine Min ...) NOT-FOR-US: Green Electronics CVE-2018-6011 (The time-based one-time-password (TOTP) function in the application lo ...) NOT-FOR-US: Green Electronics CVE-2018-6010 (In Yii Framework 2.x before 2.0.14, remote attackers could obtain pote ...) - yii (bug #597899) CVE-2018-6009 (In Yii Framework 2.x before 2.0.14, the switchIdentity function in web ...) - yii (bug #597899) CVE-2018-6008 (Arbitrary File Download exists in the Jtag Members Directory 5.3.7 com ...) NOT-FOR-US: Jtag Members Directory component for Joomla! CVE-2018-6007 (CSRF exists in the JS Support Ticket 1.1.0 component for Joomla! and a ...) NOT-FOR-US: Support Ticket component for Joomla! CVE-2018-6006 (SQL Injection exists in the JS Autoz 1.0.9 component for Joomla! via t ...) NOT-FOR-US: JS Autoz component for Joomla! CVE-2018-6005 (SQL Injection exists in the Realpin through 1.5.04 component for Jooml ...) NOT-FOR-US: Realpin component for Joomla! CVE-2018-6004 (SQL Injection exists in the File Download Tracker 3.0 component for Jo ...) NOT-FOR-US: File Download Tracker component for Joomla! CVE-2017-18074 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-18073 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-18072 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-18071 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-18070 (In wma_ndp_end_response_event_handler(), the variable len_end_rsp is a ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18069 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-18068 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18067 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18066 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18065 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18064 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18063 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18062 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18061 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18060 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18059 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18058 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18057 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18056 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18055 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18054 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18053 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18052 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18051 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18050 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18049 (In the CSV export feature of SilverStripe before 3.5.6, 3.6.x before 3 ...) NOT-FOR-US: SilverStripe CVE-2017-18048 (Monstra CMS 3.0.4 allows users to upload arbitrary files, which leads ...) NOT-FOR-US: Monstra CMS CVE-2017-1000417 (MatrixSSL version 3.7.2 adopts a collision-prone OID comparison logic ...) - matrixssl [wheezy] - matrixssl (not supported in Wheezy) CVE-2017-1000416 (axTLS version 1.5.3 has a coding error in the ASN.1 parser resulting i ...) - axtls (Fixed with initial upload to Debian) CVE-2018-6003 (An issue was discovered in the _asn1_decode_simple_ber function in dec ...) {DSA-4106-1} - libtasn1-6 4.13-2 [jessie] - libtasn1-6 (Vulnerable code introduced in 4.3) - libtasn1-3 (Vulnerable code introduced in 4.3) NOTE: https://lists.gnu.org/archive/html/help-libtasn1/2018-01/msg00000.html NOTE: Affected function introduced in: http://git.savannah.nongnu.org/cgit/libtasn1.git/commit/lib/decoding.c?id=b12bfa8932f44d1d1c25b4a2e385387a62dfbcc9 (libtasn1_4_3) NOTE: Fixed by: https://gitlab.com/gnutls/libtasn1/commit/c593ae84cfcde8fea45787e53950e0ac71e9ca97 (libtasn1_4_13) CVE-2018-6002 (The Soundy Background Music plugin 3.9 and below for WordPress has Cro ...) NOT-FOR-US: Soundy Background Music plugin for WordPress CVE-2018-6001 (The Soundy Audio Playlist plugin 4.6 and below for WordPress has Cross ...) NOT-FOR-US: Soundy Audio Playlist plugin for WordPress CVE-2018-6000 (An issue was discovered in AsusWRT before 3.0.0.4.384_10007. The do_vp ...) NOT-FOR-US: AsusWRT CVE-2018-5999 (An issue was discovered in AsusWRT before 3.0.0.4.384_10007. In the ha ...) NOT-FOR-US: AsusWRT CVE-2018-5998 RESERVED CVE-2018-5997 (An issue was discovered in the HTTP Server in RAVPower Filehub 2.000.0 ...) NOT-FOR-US: RAVPower Filehub CVE-2018-1000007 (libcurl 7.1 through 7.57.0 might accidentally leak authentication data ...) {DSA-4098-1 DLA-1263-1} - curl 7.58.0-1 NOTE: https://curl.haxx.se/docs/adv_2018-b3bf.html NOTE: Patch: https://github.com/curl/curl/commit/af32cd3859336ab.patch CVE-2018-5996 (Insufficient exception handling in the method NCompress::NRar3::CDecod ...) - p7zip-rar 16.02-2 (bug #888314) [stretch] - p7zip-rar (Non-free not supported) [jessie] - p7zip-rar (Non-free not supported) [wheezy] - p7zip-rar (Non-free not supported) NOTE: https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/ CVE-2018-5995 (The pcpu_embed_first_chunk function in mm/percpu.c in the Linux kernel ...) {DSA-4497-1 DLA-1885-1 DLA-1799-1} - linux 4.15.4-1 CVE-2018-5994 (SQL Injection exists in the JS Jobs 1.1.9 component for Joomla! via th ...) NOT-FOR-US: JS Jobs component for Joomla! CVE-2018-5993 (SQL Injection exists in the Aist through 2.0 component for Joomla! via ...) NOT-FOR-US: Aist component for Joomla! CVE-2018-5992 (SQL Injection exists in the Staff Master through 1.0 RC 1 component fo ...) NOT-FOR-US: Staff Master component for Joomla! CVE-2018-5991 (SQL Injection exists in the Form Maker 3.6.12 component for Joomla! vi ...) NOT-FOR-US: Form Maker component for Joomla! CVE-2018-5990 (SQL Injection exists in the AllVideos Reloaded 1.2.x component for Joo ...) NOT-FOR-US: AllVideos Reloaded component for Joomla! CVE-2018-5989 (SQL Injection exists in the ccNewsletter 2.x component for Joomla! via ...) NOT-FOR-US: ccNewsletter component for Joomla! CVE-2018-5988 (SQL Injection exists in Flexible Poll 1.2 via the id parameter to mobi ...) NOT-FOR-US: Flexible Poll CVE-2018-5987 (SQL Injection exists in the Pinterest Clone Social Pinboard 2.0 compon ...) NOT-FOR-US: Pinterest Clone Social Pinboard component for Joomla! CVE-2018-5986 (SQL Injection exists in Easy Car Script 2014 via the s_order or s_row ...) NOT-FOR-US: Easy Car Script CVE-2018-5985 (SQL Injection exists in the LiveCRM SaaS Cloud 1.0 component for Jooml ...) NOT-FOR-US: LiveCRM SaaS Cloud CVE-2018-5984 (SQL Injection exists in the Tumder (An Arcade Games Platform) 2.1 comp ...) NOT-FOR-US: Tumder CVE-2018-5983 (SQL Injection exists in the JquickContact 1.3.2.2.1 component for Joom ...) NOT-FOR-US: JquickContact component for Joomla! CVE-2018-5982 (SQL Injection exists in the Advertisement Board 3.1.0 component for Jo ...) NOT-FOR-US: Advertisement Board component for Joomla! CVE-2018-5981 (SQL Injection exists in the Gallery WD 1.3.6 component for Joomla! via ...) NOT-FOR-US: Gallery WD component for Joomla! CVE-2018-5980 (SQL Injection exists in the Solidres 2.5.1 component for Joomla! via t ...) NOT-FOR-US: Solidres component for Joomla! CVE-2018-5979 (SQL Injection exists in Wchat Fully Responsive PHP AJAX Chat Script 1. ...) NOT-FOR-US: Wchat Fully Responsive PHP AJAX Chat Script CVE-2018-5978 (SQL Injection exists in Facebook Style Php Ajax Chat Zechat 1.5 via th ...) NOT-FOR-US: Facebook Style Php Ajax Chat Zechat CVE-2018-5977 (SQL Injection exists in Affiligator Affiliate Webshop Management Syste ...) NOT-FOR-US: Affiligator Affiliate Webshop Management System CVE-2018-5976 (Cross Site Request Forgery (CSRF) exists in RSVP Invitation Online 1.0 ...) NOT-FOR-US: RSVP Invitation Online CVE-2018-5975 (SQL Injection exists in the Smart Shoutbox 3.0.0 component for Joomla! ...) NOT-FOR-US: Smart Shoutbox component for Joomla! CVE-2018-5974 (SQL Injection exists in the SimpleCalendar 3.1.9 component for Joomla! ...) NOT-FOR-US: SimpleCalendar component for Joomla! CVE-2018-5973 (SQL Injection exists in Professional Local Directory Script 1.0 via th ...) NOT-FOR-US: Professional Local Directory Script CVE-2018-5972 (SQL Injection exists in Classified Ads CMS Quickad 4.0 via the keyword ...) NOT-FOR-US: Classified Ads CMS Quickad CVE-2018-5971 (SQL Injection exists in the MediaLibrary Free 4.0.12 component for Joo ...) NOT-FOR-US: MediaLibrary Free component for Joomla! CVE-2018-5970 (SQL Injection exists in the JGive 2.0.9 component for Joomla! via the ...) NOT-FOR-US: JGive component for Joomla! CVE-2018-5969 (Cross Site Request Forgery (CSRF) exists in Photography CMS 1.0 via cl ...) NOT-FOR-US: Photography CMS CVE-2018-5968 (FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allo ...) {DSA-4114-1} - jackson-databind 2.9.4-1 (bug #888316) NOTE: https://github.com/FasterXML/jackson-databind/issues/1899 NOTE: https://github.com/FasterXML/jackson-databind/commit/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05 CVE-2018-5967 (Netis WF2419 V2.2.36123 devices allow XSS via the Description paramete ...) NOT-FOR-US: Netis WF2419 V2.2.36123 devices CVE-2018-5966 RESERVED CVE-2018-5965 (CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/moduleinterface.php via ...) NOT-FOR-US: CMS Made Simple CVE-2018-5964 (CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/moduleinterface.php via ...) NOT-FOR-US: CMS Made Simple CVE-2018-5963 (CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/addbookmark.php via the ...) NOT-FOR-US: CMS Made Simple CVE-2018-5962 (index.php in CentOS-WebPanel.com (aka CWP) CentOS Web Panel through v0 ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2018-5961 (CentOS-WebPanel.com (aka CWP) CentOS Web Panel through v0.9.8.12 has X ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2018-5960 (Zenario v7.1 - v7.6 has SQL injection via the `Name` input field of or ...) NOT-FOR-US: Zenario CVE-2018-5959 RESERVED CVE-2018-5958 (In Zillya! Antivirus 3.0.2230.0, the driver file (zef.sys) allows loca ...) NOT-FOR-US: Zillya! Antivirus CVE-2018-5957 (In Zillya! Antivirus 3.0.2230.0, the driver file (zef.sys) allows loca ...) NOT-FOR-US: Zillya! Antivirus CVE-2018-5956 (In Zillya! Antivirus 3.0.2230.0, the driver file (zef.sys) allows loca ...) NOT-FOR-US: Zillya! Antivirus CVE-2018-5955 (An issue was discovered in GitStack through 2.3.10. User controlled in ...) NOT-FOR-US: GitStack CVE-2017-18047 (Buffer Overflow in the FTP client in LabF nfsAxe 3.7 allows remote FTP ...) NOT-FOR-US: LabF nfsAxe CVE-2017-18046 (Buffer overflow on Dasan GPON ONT WiFi Router H640X 12.02-01121 2.77p1 ...) NOT-FOR-US: Dasan GPON ONT WiFi Router devices CVE-2016-10709 (pfSense before 2.3 allows remote authenticated users to execute arbitr ...) NOT-FOR-US: pfSense CVE-2016-10708 (sshd in OpenSSH before 7.4 allows remote attackers to cause a denial o ...) {DLA-1500-1 DLA-1257-1} - openssh 1:7.4p1-1 NOTE: https://anongit.mindrot.org/openssh.git/commit/?id=28652bca29046f62c7045e933e6b931de1d16737 NOTE: http://blog.swiecki.net/2018/01/fuzzing-tcp-servers.html NOTE: Flaw is not crashing the whole sshd daemon, rather the privsep process CVE-2018-5954 (phpFreeChat 1.7 and earlier allows remote attackers to cause a denial ...) NOT-FOR-US: phpFreeChat CVE-2018-5953 (The swiotlb_print_info function in lib/swiotlb.c in the Linux kernel t ...) {DLA-1731-1} - linux 4.15.4-1 [stretch] - linux 4.9.161-1 CVE-2018-5952 RESERVED CVE-2018-5951 (An issue was discovered in Mikrotik RouterOS. Crafting a packet that h ...) NOT-FOR-US: Mikrotik RouterOS CVE-2017-18045 (JBMC DirectAdmin before 1.52, when the email_ftp_password_change setti ...) NOT-FOR-US: JBMC DirectAdmin CVE-2018-5950 (Cross-site scripting (XSS) vulnerability in the web UI in Mailman befo ...) {DSA-4108-1 DLA-1272-1} - mailman 1:2.1.26-1 (bug #888201) NOTE: https://mail.python.org/pipermail/mailman-users/2018-February/083011.html NOTE: Patch: https://launchpadlibrarian.net/355686141/options.patch NOTE: https://bugs.launchpad.net/mailman/+bug/1747209 CVE-2018-5949 RESERVED CVE-2018-5948 RESERVED CVE-2018-5947 RESERVED CVE-2018-5946 RESERVED CVE-2018-5945 RESERVED CVE-2018-5944 RESERVED CVE-2018-5943 RESERVED CVE-2018-5942 RESERVED CVE-2018-5941 RESERVED CVE-2018-5940 RESERVED CVE-2018-5939 RESERVED CVE-2018-5938 RESERVED CVE-2018-5937 RESERVED CVE-2018-5936 RESERVED CVE-2018-5935 RESERVED CVE-2018-5934 RESERVED CVE-2018-5933 RESERVED CVE-2018-5932 RESERVED CVE-2018-5931 RESERVED CVE-2018-5930 RESERVED CVE-2018-5929 RESERVED CVE-2018-5928 RESERVED CVE-2018-5927 (HP Support Assistant before 8.7.50.3 allows an unauthorized person wit ...) NOT-FOR-US: HP Support Assistant CVE-2018-5926 (A potential vulnerability has been identified in HP Remote Graphics So ...) NOT-FOR-US: HP CVE-2018-5925 (A security vulnerability has been identified with certain HP Inkjet pr ...) NOT-FOR-US: HP Inkjet printers CVE-2018-5924 (A security vulnerability has been identified with certain HP Inkjet pr ...) NOT-FOR-US: HP Inkjet printers CVE-2018-5923 (In HP LaserJet Enterprise, HP PageWide Enterprise, HP LaserJet Managed ...) NOT-FOR-US: HP CVE-2018-5922 RESERVED CVE-2018-5921 (A potential security vulnerability has been identified with certain HP ...) NOT-FOR-US: HP printers CVE-2018-5920 RESERVED CVE-2018-5919 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Android CVE-2018-5918 (Possible buffer overflow in DRM Trusted application due to lack of che ...) NOT-FOR-US: Snapdragon CVE-2018-5917 (Possible buffer overflow in OEM crypto function due to improper input ...) NOT-FOR-US: Snapdragon CVE-2018-5916 (Buffer overread while decoding PDP modify request or network initiated ...) NOT-FOR-US: Snapdragon CVE-2018-5915 (Exception in Modem IP stack while processing IPv6 packet in snapdragon ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5914 (Improper input validation in TZ led to array out of bound in TZ functi ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5913 (A non-time constant function memcmp is used which creates a side chann ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5912 (Potential buffer overflow in Video due to lack of input validation in ...) NOT-FOR-US: Snapdragon CVE-2018-5911 (Buffer overflow in WLAN function due to improper check of buffer size ...) NOT-FOR-US: Snapdragon CVE-2018-5910 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5909 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5908 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5907 (Possible buffer overflow in msm_adsp_stream_callback_put due to lack o ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5906 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5905 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5904 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5903 (Out of bounds read occurs due to improper validation of array while pr ...) NOT-FOR-US: Snapdragon CVE-2018-5902 RESERVED CVE-2018-5901 RESERVED CVE-2018-5900 RESERVED CVE-2018-5899 (In Android releases from CAF using the linux kernel (Android for MSM, ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5898 (Integer overflow can occur in msm_pcm_adsp_stream_cmd_put() function i ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5897 (While reading the data from buffer in dci_process_ctrl_status() there ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5896 (In Android releases from CAF using the linux kernel (Android for MSM, ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5895 (Buffer over-read may happen in wma_process_utf_event() due to improper ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5894 (Improper Validation of Array Index in Multimedia While parsing an mp4 ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5893 (While processing a message from firmware in htt_t2h_msg_handler_fast() ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5892 (The Touch Pal application can collect user behavior data without aware ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5891 (While processing modem SSR after IMS is registered, the IMS data daemo ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5890 (If the fdt_totalsize is reported as 0 for the current device tree, it ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5889 (While processing a compressed kernel image, a buffer overflow can occu ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5888 (While processing the system path, an out of bounds access can occur in ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5887 (While processing the USB StrSerialDescriptor array, an array index out ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5886 (A pointer in an ADSPRPC command is not properly validated in all Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5885 (While loading dynamic fonts, a buffer overflow may occur if the number ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5884 (Improper Access Control in Multimedia in Snapdragon Mobile and Snapdra ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5883 (Buffer overflow in WLAN driver event handlers due to improper validati ...) NOT-FOR-US: Snapdragon CVE-2018-5882 (While parsing a Flac file with a corrupted comment block, a buffer ove ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5881 (Improper validation of buffer length checks in the lwm2m device manage ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5880 (Improper data length check while processing an event report indication ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5879 (Improper length check while processing an MQTT message can lead to hea ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5878 (While sending the response to a RIL_REQUEST_GET_SMSC_ADDRESS message, ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5877 (In the device programmer target-side code for firehose, a string may n ...) NOT-FOR-US: Snapdragon CVE-2018-5876 (While parsing an mp4 file, a buffer overflow can occur in Snapdragon A ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5875 (While parsing an mp4 file, an integer overflow leading to a buffer ove ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5874 (While parsing an mp4 file, a stack-based buffer overflow can occur in ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5873 (An issue was discovered in the __ns_get_path function in fs/nsfs.c in ...) - linux 4.11.6-1 [stretch] - linux 4.9.82-1+deb9u1 [jessie] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/073c516ff73557a8f7315066856c04b50383ac34 CVE-2018-5872 (While parsing over-the-air information elements in all Android release ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5871 (In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5870 (While loading a service image, an untrusted pointer dereference can oc ...) NOT-FOR-US: Snapdragon CVE-2018-5869 (Improper input validation in the QTEE keymaster app can lead to invali ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5868 (Lack of checking input size can lead to buffer overflow In WideVine in ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5867 (Lack of checking input size can lead to buffer overflow In WideVine in ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5866 (While processing logs, data is copied into a buffer pointed to by an u ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5865 (While processing a debug log event from firmware in all Android releas ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5864 (While processing a WMI_APFIND event in all Android releases from CAF u ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5863 (If userspace provides a too-large WPA RSN IE length in wlan_hdd_cfg802 ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5862 (In __wlan_hdd_cfg80211_vendor_scan() in all Android releases from CAF ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5861 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5860 (In the MDSS driver in all Android releases(Android for MSM, Firefox OS ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5859 (Due to a race condition in the MDSS MDP driver in all Android releases ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5858 (In the audio debugfs in all Android releases from CAF using the Linux ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5857 (In the WCD CPE codec, a Use After Free condition can occur in all Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5856 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5855 (While padding or shrinking a nested wmi packet in all Android releases ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5854 (A stack-based buffer overflow can occur in fastboot from all Android r ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5853 (A race condition exists in a driver in all Android releases from CAF u ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5852 RESERVED CVE-2018-5851 (Buffer over flow can occur while processing a HTT_T2H_MSG_TYPE_TX_COMP ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5850 (In the function csr_update_fils_params_rso(), insufficient validation ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5849 (Due to a race condition in the QTEECOM driver in all Android releases ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5848 (In the function wmi_set_ie(), the length validation code does not hand ...) {DLA-1731-1 DLA-1715-1} - linux 4.16.5-1 [stretch] - linux 4.9.144-1 NOTE: Fixed by: https://git.kernel.org/linus/b5a8ffcae4103a9d823ea3aa3a761f65779fbe2a (4.16-rc1) CVE-2018-5847 (Early or late retirement of rotation requests can result in a Use Afte ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5846 (A Use After Free condition can occur in the IPA driver whenever the IP ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5845 (A race condition in drm_atomic_nonblocking_commit() in the display dri ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5844 (In the video driver function set_output_buffers(), binfo can be access ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5843 (In the function wma_pdev_div_info_evt_handler() in all Android release ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5842 (An arbitrary address write can occur if a compromised WLAN firmware se ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5841 (dcc_curr_list is initialized with a default invalid value that is expe ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5840 (Buffer Copy without Checking Size of Input can occur during the DRM SD ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5839 (Improperly configured memory protection allows read/write access to mo ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5838 (Improper Validation of Array Index In the adreno OpenGL driver in Snap ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5837 (In Snapdragon (Automobile, Mobile, Wear) in version IPQ8074, MDM9206, ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5836 (In wma_nan_rsp_event_handler() in Android releases from CAF using the ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5835 (If the seq_len is greater then CSR_MAX_RSC_LEN, a buffer overflow in _ ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5834 (In __wlan_hdd_cfg80211_vendor_scan(), a buffer overwrite can potential ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5833 RESERVED CVE-2018-5832 (Due to a race condition in a camera driver ioctl handler in Android re ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5831 (In the KGSL driver in Android releases from CAF using the linux kernel ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5830 (While processing the HTT_T2H_MSG_TYPE_MGMT_TX_COMPL_IND message, a buf ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5829 (In wlan_hdd_cfg80211_set_privacy_ibss() in Android releases from CAF u ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5828 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5827 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5826 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5825 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5824 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5823 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5822 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5821 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5820 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5819 (An error within the "parse_sinar_ia()" function (internal/dcraw_common ...) {DLA-1734-1} - libraw 0.19.1-1 [stretch] - libraw (Minor issue) NOTE: https://www.flexera.com/company/secunia-research/advisories/SR-2018-27.html NOTE: https://github.com/LibRaw/LibRaw/commit/9eb76dc153f5acf42ec7325a33fe7ccdcadaf8d6 CVE-2018-5818 (An error within the "parse_rollei()" function (internal/dcraw_common.c ...) {DLA-1734-1} - libraw 0.19.1-1 [stretch] - libraw (Minor issue) NOTE: https://www.flexera.com/company/secunia-research/advisories/SR-2018-27.html NOTE: https://github.com/LibRaw/LibRaw/commit/9eb76dc153f5acf42ec7325a33fe7ccdcadaf8d6 CVE-2018-5817 (A type confusion error within the "unpacked_load_raw()" function withi ...) {DLA-1734-1} - libraw 0.19.1-1 [stretch] - libraw (Minor issue) NOTE: https://www.flexera.com/company/secunia-research/advisories/SR-2018-27.html NOTE: https://github.com/LibRaw/LibRaw/commit/9eb76dc153f5acf42ec7325a33fe7ccdcadaf8d6 CVE-2018-5816 (An integer overflow error within the "identify()" function (internal/d ...) - libraw 0.18.13-1 (low) [stretch] - libraw (Fix for CVE-2018-5804 not released in stretch) [jessie] - libraw (Fix for CVE-2018-5804 not in jessie LTS) NOTE: http://seclists.org/bugtraq/2018/Jul/58 NOTE: Issue caused by an incomplete fix for CVE-2018-5804 CVE-2018-5815 (An integer overflow error within the "parse_qt()" function (internal/d ...) - libraw 0.18.13-1 (low) [stretch] - libraw (Minor issue) [jessie] - libraw (Minor issue) NOTE: http://seclists.org/bugtraq/2018/Jul/58 CVE-2018-5814 (In the Linux Kernel before version 4.16.11, 4.14.43, 4.9.102, and 4.4. ...) {DLA-1423-1 DLA-1422-1} - linux 4.16.12-1 [stretch] - linux 4.9.107-1 NOTE: https://git.kernel.org/linus/22076557b07c12086eeb16b8ce2b0b735f7a27e7 NOTE: https://git.kernel.org/linus/c171654caa875919be3c533d3518da8be5be966e CVE-2018-5813 (An error within the "parse_minolta()" function (dcraw/dcraw.c) in LibR ...) - libraw 0.18.11-1 (low) [stretch] - libraw (Minor issue) [jessie] - libraw (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-13/ CVE-2018-5812 (An error within the "nikon_coolscan_load_raw()" function (internal/dcr ...) - libraw 0.18.11-1 [stretch] - libraw (Minor issue) [jessie] - libraw (Vulnerable code not present) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-10/ CVE-2018-5811 (An error within the "nikon_coolscan_load_raw()" function (internal/dcr ...) - libraw 0.18.11-1 [stretch] - libraw (Minor issue) [jessie] - libraw (Vulnerable code not present) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-10/ CVE-2018-5810 (An error within the "rollei_load_raw()" function (internal/dcraw_commo ...) - libraw 0.18.11-1 [stretch] - libraw (Minor issue) [jessie] - libraw (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-10/ CVE-2018-5809 (An error within the "LibRaw::parse_exif()" function (internal/dcraw_co ...) - libraw 0.18.11-1 [stretch] - libraw (Minor issue) [jessie] - libraw (Vulnerable code not present) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-9/ NOTE: https://github.com/LibRaw/LibRaw/commit/fd6330292501983ac75fe4162275794b18445bd9 CVE-2018-5808 (An error within the "find_green()" function (internal/dcraw_common.cpp ...) {DLA-1734-1} - libraw 0.18.11-1 [stretch] - libraw (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-9/ NOTE: https://github.com/LibRaw/LibRaw/commit/fd6330292501983ac75fe4162275794b18445bd9 CVE-2018-5807 (An error within the "samsung_load_raw()" function (internal/dcraw_comm ...) - libraw 0.18.11-1 [stretch] - libraw (Minor issue) [jessie] - libraw (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-10/ CVE-2018-5806 (An error within the "leaf_hdr_load_raw()" function (internal/dcraw_com ...) - libraw 0.18.8-1 (low) [stretch] - libraw (Minor issue) [jessie] - libraw (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-03 CVE-2018-5805 (A boundary error within the "quicktake_100_load_raw()" function (inter ...) - libraw 0.18.8-1 (low) [stretch] - libraw (Minor issue) [jessie] - libraw (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-03 CVE-2018-5804 (A type confusion error within the "identify()" function (internal/dcra ...) - libraw 0.18.8-1 (low) [stretch] - libraw (Minor issue) [jessie] - libraw (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-03 CVE-2018-5803 (In the Linux Kernel before version 4.15.8, 4.14.25, 4.9.87, 4.4.121, 4 ...) {DSA-4188-1 DSA-4187-1 DLA-1369-1} - linux 4.15.11-1 NOTE: Fixed by: https://git.kernel.org/linus/07f2c7ab6f8d0a7e7c5764c4e6cc9c52951b9d9c CVE-2018-5802 (An error within the "kodak_radc_load_raw()" function (internal/dcraw_c ...) {DLA-1734-1} - libraw 0.18.7-1 [stretch] - libraw (Minor issue) [wheezy] - libraw (Minor issue) NOTE: https://packetstormsecurity.com/files/146172/secunia-libraw.txt NOTE: https://github.com/LibRaw/LibRaw/commit/8682ad204392b914ab1cc6ebcca9c27c19c1a4b4 CVE-2018-5801 (An error within the "LibRaw::unpack()" function (src/libraw_cxx.cpp) i ...) {DLA-1734-1} - libraw 0.18.7-1 [stretch] - libraw (Minor issue) [wheezy] - libraw (Minor issue) NOTE: https://packetstormsecurity.com/files/146172/secunia-libraw.txt NOTE: https://github.com/LibRaw/LibRaw/commit/8682ad204392b914ab1cc6ebcca9c27c19c1a4b4 CVE-2018-5800 (An off-by-one error within the "LibRaw::kodak_ycbcr_load_raw()" functi ...) {DLA-1734-1} - libraw 0.18.7-1 [stretch] - libraw (Minor issue) [wheezy] - libraw (Minor issue) NOTE: https://packetstormsecurity.com/files/146172/secunia-libraw.txt NOTE: https://github.com/LibRaw/LibRaw/commit/8682ad204392b914ab1cc6ebcca9c27c19c1a4b4 CVE-2018-1000006 (GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, ...) - electron (bug #842420) NOTE: Linux is not affected NOTE: https://electronjs.org/blog/protocol-handler-fix NOTE: https://nodesecurity.io/advisories/563 CVE-2018-5799 (In Zoho ManageEngine ServiceDesk Plus before 9403, an XSS issue allows ...) NOT-FOR-US: Zoho CVE-2018-5798 (This CVE relates to an unspecified cross site scripting vulnerability ...) NOT-FOR-US: Cloudera Manager CVE-2018-5797 (An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x b ...) NOT-FOR-US: Extreme Networks ExtremeWireless WiNG CVE-2018-5796 (An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x b ...) NOT-FOR-US: Extreme Networks ExtremeWireless WiNG CVE-2018-5795 (An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x b ...) NOT-FOR-US: Extreme Networks ExtremeWireless WiNG CVE-2018-5794 (An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x b ...) NOT-FOR-US: Extreme Networks ExtremeWireless WiNG CVE-2018-5793 (An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x b ...) NOT-FOR-US: Extreme Networks ExtremeWireless WiNG CVE-2018-5792 (An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x b ...) NOT-FOR-US: Extreme Networks ExtremeWireless WiNG CVE-2018-5791 (An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x b ...) NOT-FOR-US: Extreme Networks ExtremeWireless WiNG CVE-2018-5790 (An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x b ...) NOT-FOR-US: Extreme Networks ExtremeWireless WiNG CVE-2018-5789 (An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x b ...) NOT-FOR-US: Extreme Networks ExtremeWireless WiNG CVE-2018-5788 (An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x b ...) NOT-FOR-US: Extreme Networks ExtremeWireless WiNG CVE-2018-5787 (An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x b ...) NOT-FOR-US: Extreme Networks ExtremeWireless WiNG CVE-2017-18044 (A Command Injection issue was discovered in ContentStore/Base/CVDataPi ...) NOT-FOR-US: Commvault CVE-2018-5786 (In Long Range Zip (aka lrzip) 0.631, there is an infinite loop and app ...) - lrzip 0.631+git180517-1 (bug #888506) [stretch] - lrzip (Minor issue) [jessie] - lrzip (Minor issue) [wheezy] - lrzip (Minor issue) NOTE: https://github.com/ckolivas/lrzip/issues/91 CVE-2018-5785 (In OpenJPEG 2.3.0, there is an integer overflow caused by an out-of-bo ...) {DSA-4405-1} - openjpeg2 2.3.0-2 (low; bug #888533) [jessie] - openjpeg2 (Vulnerable code introduced later) NOTE: https://github.com/uclouvain/openjpeg/issues/1057 NOTE: https://github.com/uclouvain/openjpeg/commit/ca16fe55014c57090dd97369256c7657aeb25975 NOTE: vulnerable code introduced in NOTE: https://github.com/uclouvain/openjpeg/commit/33a0e66eb129c4e91b555a6b8dd9eab512fbfeb8 CVE-2018-5784 (In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the ...) {DSA-4349-1 DLA-1411-1 DLA-1391-1} - tiff 4.0.9-4 (bug #890441) - tiff3 [wheezy] - tiff3 (Minor issue, revisit once fixed upstream) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2772 NOTE: Fixed by: https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef CVE-2018-5783 (In PoDoFo 0.9.5, there is an uncontrolled memory allocation in the PoD ...) - libpodofo 0.9.6+dfsg-4 (bug #916142) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: https://sourceforge.net/p/podofo/tickets/4/ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1536179 NOTE: https://sourceforge.net/p/podofo/code/1949 CVE-2018-5782 (A vulnerability in the conferencing component of Mitel Connect ONSITE, ...) NOT-FOR-US: Mitel CVE-2018-5781 (A vulnerability in the conferencing component of Mitel Connect ONSITE, ...) NOT-FOR-US: Mitel CVE-2018-5780 (A vulnerability in the conferencing component of Mitel Connect ONSITE, ...) NOT-FOR-US: Mitel CVE-2018-5779 (A vulnerability in the conferencing component of Mitel Connect ONSITE, ...) NOT-FOR-US: Mitel CVE-2018-5778 (An issue was discovered in Ipswitch WhatsUp Gold before 2017 Plus SP1 ...) NOT-FOR-US: Ipswitch WhatsUp Gold CVE-2018-5777 (An issue was discovered in Ipswitch WhatsUp Gold before 2017 Plus SP1 ...) NOT-FOR-US: Ipswitch WhatsUp Gold CVE-2018-5775 RESERVED CVE-2018-5774 RESERVED CVE-2018-5773 (An issue was discovered in markdown2 (aka python-markdown2) through 2. ...) NOT-FOR-US: python-markdown2 (not our markdown, different code base) CVE-2017-18043 (Integer overflow in the macro ROUND_UP (n, d) in Quick Emulator (Qemu) ...) {DSA-4213-1 DLA-1497-1} - qemu 1:2.10.0+dfsg-2 [wheezy] - qemu (vulnerable code not present) - qemu-kvm [wheezy] - qemu-kvm (vulnerable code not present) NOTE: Fixed by: https://git.qemu.org/?p=qemu.git;a=commit;h=2098b073f398cd628c09c5a78537a6854 NOTE: Broken since: https://git.qemu.org/?p=qemu.git;a=object;h=292c8e50 (v1.5.0) NOTE: Fix included in 1:2.10.0+dfsg-2 via debian/patches/qemu-2.10.1.diff patch CVE-2016-10707 (jQuery 3.0.0-rc.1 is vulnerable to Denial of Service (DoS) due to remo ...) - jquery (Vulnerable code never in unstable; only experimental) NOTE: https://github.com/jquery/jquery/issues/3133 NOTE: https://github.com/jquery/jquery/pull/3134 NOTE: https://snyk.io/vuln/npm:jquery:20160529 NOTE: Only 3.0.0-rc1 affected: https://github.com/jquery/jquery/issues/3133#issuecomment-358978489 CVE-2015-9251 (jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attack ...) - jquery 3.1.1-1 [jessie] - jquery (Too intrusive to backport) [wheezy] - jquery (Too invasive to fix) NOTE: https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc NOTE: https://github.com/jquery/jquery/issues/2432 NOTE: https://github.com/jquery/jquery/pull/2588 NOTE: https://snyk.io/vuln/npm:jquery:20150627 NOTE: only 3.0 was fixed upstream, because fix considered too invasive: https://github.com/jquery/jquery/issues/2432#issuecomment-290983196 CVE-2012-6708 (jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attack ...) - jquery 1.11.3+dfsg-1 [jessie] - jquery (Too intrusive to backport) [wheezy] - jquery (Too invasive to fix) NOTE: https://bugs.jquery.com/ticket/11290 NOTE: https://github.com/jquery/jquery/commit/05531fc4080ae24070930d15ae0cea7ae056457d NOTE: https://snyk.io/vuln/npm:jquery:20120206 NOTE: 1.9 release introduced backwards incompatible changes to fix this, so may be too invasive to fix CVE-2018-5776 (WordPress before 4.9.2 has XSS in the Flash fallback files in MediaEle ...) - wordpress 4.9.2+dfsg-1 (bug #887596) [stretch] - wordpress (Vulnerable files have been removed before) [jessie] - wordpress (Vulnerable files have been removed before) [wheezy] - wordpress (Vulnerable files have been removed before) NOTE: For jessie and stretch version the files silverlightmediaelement.xap and NOTE: flashmediaelement.swf have been removed with the 4.1+dfsg-1 version. NOTE: sid in version 4.9.1+dfsg-1 did as well *not* have the files but track here the NOTE: final wordpress version 4.9.2 which finally removed the mediaelement files. NOTE: https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/ NOTE: https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850 CVE-2018-5772 (In Exiv2 0.26, there is a segmentation fault caused by uncontrolled re ...) - exiv2 (Vulnerable code introduced after 0.25; only affected experimental; bug #888862) NOTE: https://github.com/Exiv2/exiv2/issues/216 CVE-2018-5771 RESERVED CVE-2018-5770 (An issue was discovered on Tenda AC15 devices. A remote, unauthenticat ...) NOT-FOR-US: Tenda AC15 devices CVE-2018-5769 RESERVED CVE-2018-5768 (A remote, unauthenticated attacker can gain remote code execution on t ...) NOT-FOR-US: Tenda AC15 router CVE-2018-5767 (An issue was discovered on Tenda AC15 V15.03.1.16_multi devices. A rem ...) NOT-FOR-US: Tenda AC15 V15.03.1.16_multi devices CVE-2018-5766 (In Libav through 12.2, there is an invalid memcpy in the av_packet_ref ...) {DLA-1907-1} - libav [wheezy] - libav (Minor issue) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1112 CVE-2018-5765 RESERVED CVE-2018-5764 (The parse_arguments function in options.c in rsyncd in rsync before 3. ...) {DLA-1725-1 DLA-1247-1} - rsync 3.1.2-2.2 (bug #887588) [stretch] - rsync (Minor issue) NOTE: https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=7706303828fcde524222babb2833864a4bd09e07 CVE-2018-5763 (An issue was discovered in OXID eShop Enterprise Edition before 5.3.7 ...) NOT-FOR-US: OXID eShop Enterprise Edition CVE-2018-5762 (The TLS implementation in the TCP/IP networking module in Unisys Clear ...) NOT-FOR-US: Unisys ClearPath MCP systems CVE-2018-5761 (A man-in-the-middle vulnerability related to vCenter access was found ...) NOT-FOR-US: Rubrik CDM CVE-2018-5760 RESERVED CVE-2018-5759 (jsparse.c in Artifex MuJS through 1.0.2 does not properly maintain the ...) NOT-FOR-US: MuJS CVE-2018-5758 (The Upload File functionality in upload.jspa in Aurea Jive Jive-n 9.0. ...) NOT-FOR-US: Aurea Jive Jive-n CVE-2018-5757 (An issue was discovered on AudioCodes 450HD IP Phone devices with firm ...) NOT-FOR-US: AudioCodes 450HD IP Phone devices CVE-2018-5756 (The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, ...) NOT-FOR-US: Open-Xchange CVE-2018-5755 (Absolute path traversal vulnerability in the readerengine component in ...) NOT-FOR-US: Open-Xchange CVE-2018-5754 (Cross-site scripting (XSS) vulnerability in the office-web component i ...) NOT-FOR-US: Open-Xchange CVE-2018-5753 (The frontend component in Open-Xchange OX App Suite before 7.6.3-rev31 ...) NOT-FOR-US: Open-Xchange CVE-2018-5752 (The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, ...) NOT-FOR-US: Open-Xchange CVE-2018-5751 (The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, ...) NOT-FOR-US: Open-Xchange CVE-2017-18042 (The update user administration resource in Atlassian Bamboo before ver ...) NOT-FOR-US: Atlassian Bamboo CVE-2017-18041 (The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo ...) NOT-FOR-US: Atlassian Bamboo CVE-2017-18040 (The viewDeploymentVersionCommits resource in Atlassian Bamboo before v ...) NOT-FOR-US: Atlassian Bamboo CVE-2017-18039 (The IncomingMailServers resource in Atlassian Jira from version 6.2.1 ...) NOT-FOR-US: Atlassian Jira CVE-2017-18038 (The repository settings resource in Atlassian Bitbucket Server before ...) NOT-FOR-US: Atlassian Bitbucket CVE-2017-18037 (The git repository tag rest resource in Atlassian Bitbucket Server fro ...) NOT-FOR-US: Atlassian Bitbucket CVE-2017-18036 (The Github repository importer in Atlassian Bitbucket Server before ve ...) NOT-FOR-US: Atlassian Bitbucket CVE-2017-18035 (The /rest/review-coverage-chart/1.0/data/<repository_name>/.json ...) NOT-FOR-US: Atlassian Fisheye and Crucible CVE-2017-18034 (The source browse resource in Atlassian FishEye and Crucible before ve ...) NOT-FOR-US: Atlassian Fisheye and Crucible CVE-2017-18033 (The Jira-importers-plugin in Atlassian Jira before version 7.6.1 allow ...) NOT-FOR-US: Jira-importers-plugin in Atlassian Jira CVE-2018-5750 (The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux ke ...) {DSA-4187-1 DSA-4120-1 DLA-1369-1} - linux 4.15.4-1 NOTE: https://patchwork.kernel.org/patch/10174835/ CVE-2018-5749 (install.php in Minecraft Servers List Lite before commit c1cd164 and P ...) NOT-FOR-US: Minecraft Servers List Lite CVE-2018-5748 (qemu/qemu_monitor.c in libvirt allows attackers to cause a denial of s ...) {DLA-1315-1} - libvirt 4.0.0-1 (bug #887700) [stretch] - libvirt 3.0.0-4+deb9u2 [jessie] - libvirt 1.2.9-9+deb8u5 NOTE: https://www.redhat.com/archives/libvir-list/2017-December/msg00749.html NOTE: https://libvirt.org/git/?p=libvirt.git;a=commit;h=bc251ea91bcfddd2622fce6bce701a438b2e7276 CVE-2018-5747 (In Long Range Zip (aka lrzip) 0.631, there is a use-after-free in the ...) - lrzip 0.631+git180517-1 (bug #898451) [stretch] - lrzip (Minor issue) [jessie] - lrzip (Minor issue) [wheezy] - lrzip (Minor issue) NOTE: https://github.com/ckolivas/lrzip/issues/90 CVE-2018-5746 REJECTED CVE-2018-5745 ("managed-keys" is a feature which allows a BIND resolver to automatica ...) {DSA-4440-1 DLA-1697-1} - bind9 1:9.11.5.P4+dfsg-1 (low; bug #922954) NOTE: https://kb.isc.org/docs/cve-2018-5745 NOTE: https://gitlab.isc.org/isc-projects/bind9/commit/235a64a5a4c0143b183bd55f6ed756741d4d7880 NOTE: https://gitlab.isc.org/isc-projects/bind9/commit/38c2bdba0a5b785ef9f2da2329838b931754b3e4 (test) NOTE: https://gitlab.isc.org/isc-projects/bind9/commit/f09352d20a9d360e50683cd1d2fc52ccedcd77a0 NOTE: https://gitlab.isc.org/isc-projects/bind9/commit/3022633d795bc9f04103ac9a354c026ce9b4eea3 (test) CVE-2018-5744 (A failure to free memory can occur when processing messages having a s ...) - bind9 1:9.11.5.P4+dfsg-1 (bug #922953) [stretch] - bind9 (Vulnerable code introduced later; in .9.10 branch in 9.10.7 only) [jessie] - bind9 (Vulnerable code introduced later) NOTE: https://kb.isc.org/docs/cve-2018-5744 NOTE: https://gitlab.isc.org/isc-projects/bind9/commit/35025b6e88b726ae89caacbb312d1b40e5c20b4d NOTE: Test: https://gitlab.isc.org/isc-projects/bind9/commit/fe4810f1f8f75a4d5a96542fc6085109c94a3ee5 CVE-2018-5743 (By design, BIND is intended to limit the number of TCP clients that ca ...) {DSA-4440-1 DLA-1859-1} - bind9 1:9.11.5.P4+dfsg-4 (bug #927932) NOTE: https://kb.isc.org/docs/cve-2018-5743 NOTE: https://gitlab.isc.org/isc-projects/bind9/commit/9689ffc485df8f971f0ad81ab8ab1f5389493776 NOTE: https://gitlab.isc.org/isc-projects/bind9/commit/55a7a458e30e47874d34bdf1079eb863a0512396 NOTE: https://gitlab.isc.org/isc-projects/bind9/commit/9446629b730c59c4215f08d37fbaf810282fbccb NOTE: https://gitlab.isc.org/isc-projects/bind9/commit/87d431161450777ea093821212abfb52d51b36e3 NOTE: https://gitlab.isc.org/isc-projects/bind9/commit/13f7c918b8720d890408f678bd73c20e634539d9 NOTE: https://gitlab.isc.org/isc-projects/bind9/commit/d01023aaac35543daffbdf48464e320150235d41 NOTE: Additionally: https://lists.isc.org/pipermail/bind-users/2019-April/101673.html NOTE: https://gitlab.isc.org/isc-projects/bind9/merge_requests/1864.patch CVE-2018-5742 (While backporting a feature for a newer branch of BIND9, RedHat introd ...) - bind9 (Introduced via RedHat specific backport of Negative Trust Anchor (NTA) feature) NOTE: https://www.openwall.com/lists/oss-security/2018/12/19/6 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1655844 NOTE: https://bugs.centos.org/view.php?id=15528 NOTE: Introduced by https://bugzilla.redhat.com/show_bug.cgi?id=1452091 CVE-2018-5741 (To provide fine-grained controls over the ability to use Dynamic DNS ( ...) - bind9 1:9.11.5+dfsg-1 (unimportant; bug #908595) NOTE: https://kb.isc.org/docs/cve-2018-5741 NOTE: No code fix provided; Incorrect documentation of krb5-subdomain and ms-subdomain update policies. NOTE: Will be adressed in 9.11.5, 9.12.3 CVE-2018-5740 ("deny-answer-aliases" is a little-used feature intended to help recurs ...) {DLA-1485-1} - bind9 1:9.11.4.P1+dfsg-1 (bug #905743) [stretch] - bind9 (Can be fixed along in the next DSA) NOTE: https://kb.isc.org/article/AA-01639/74/CVE-2018-5740 NOTE: https://gitlab.isc.org/isc-projects/bind9/merge_requests/607/commits CVE-2018-5739 (An extension to hooks capabilities which debuted in Kea 1.4.0 introduc ...) - isc-kea (Vulnerable code introduced in Kea 1.4.0) NOTE: https://kb.isc.org/article/AA-01626 NOTE: 1.4.0-1 was uploaded to experimental as https://tracker.debian.org/news/973011 NOTE: Tracking bug as #903729 with RC severity so this version does NOTE: not enter unstable without fix. CVE-2018-5738 (Change #4777 (introduced in October 2017) introduced an unforeseen iss ...) - bind9 1:9.11.3+dfsg-2 (bug #901483) [stretch] - bind9 (Vulnerable code introduced later) [jessie] - bind9 (Vulnerable code introduced later) NOTE: Introduced by upstream change #4777 NOTE: Introduced by: https://gitlab.isc.org/isc-projects/bind9/commit/89636d8f305956ad42e95a988502c7345e85ffe1 NOTE: https://kb.isc.org/article/AA-01616/0/CVE-2018-5738 CVE-2018-5737 (A problem with the implementation of the new serve-stale feature in BI ...) - bind9 (only affects 9.12, not yet packaged) NOTE: https://kb.isc.org/article/AA-01606 CVE-2018-5736 (An error in zone database reference counting can lead to an assertion ...) - bind9 (only affects 9.12, not yet packaged) NOTE: https://kb.isc.org/article/AA-01602 CVE-2018-5735 (The Debian backport of the fix for CVE-2017-3137 leads to assertion fa ...) {DLA-1285-1} - bind9 1:9.9.3.dfsg.P2-1 (bug #889285) NOTE: Issue similar/closely related to the CVE-2017-3139 issue in Red Hat. NOTE: Mark as fixed version the 1:9.9.3.dfsg.P2-1 as the related code was NOTE: added upstream in 9.9.3b1. The issue though does not affect bind9 upstream NOTE: and is only triggered as described in #889285. CVE-2018-5734 (While handling a particular type of malformed packet BIND erroneously ...) - bind9 (Only affects Supported Preview Edition/Subscription Edition) NOTE: https://kb.isc.org/article/AA-01562/74/CVE-2018-5734 CVE-2018-5733 (A malicious client which is allowed to send very large amounts of traf ...) {DSA-4133-1 DLA-1313-1} - isc-dhcp 4.3.5-3.1 (bug #891785) NOTE: https://kb.isc.org/article/AA-01567/75/CVE-2018-5733 NOTE: https://bugs.isc.org/Public/Bug/Display.html?id=47140 NOTE: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=197b26f25309f947b97a83b8fdfc414b767798f8 (4.4.1) NOTE: Fixes for 4.3.6p1: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=99a25aedea02d9c259cb8fabf4be700fb32571a3 CVE-2018-5732 (Failure to properly bounds-check a buffer used for processing DHCP opt ...) {DSA-4133-1 DLA-1313-1} - isc-dhcp 4.3.5-3.1 (bug #891786) NOTE: https://kb.isc.org/article/AA-01565/75/CVE-2018-5732 NOTE: https://bugs.isc.org/Public/Bug/Display.html?id=47139 NOTE: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=c5931725b48b121d232df4ba9e45bc41e0ba114d (4.4.1) NOTE: Fixes for 4.3.6p1: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=99a25aedea02d9c259cb8fabf4be700fb32571a3 CVE-2018-1000005 (libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in ...) - curl 7.58.0-1 [stretch] - curl 7.52.1-5+deb9u4 [jessie] - curl (Vulnerable code introduce later) [wheezy] - curl (Vulnerable code introduce later) NOTE: https://github.com/curl/curl/pull/2231 NOTE: https://curl.haxx.se/docs/adv_2018-824a.html NOTE: Introduced by: https://github.com/curl/curl/commit/0761a51ee0551ad9e5 NOTE: Patch: https://github.com/curl/curl/commit/fa3dbb9a147488a294.patch CVE-2018-5731 (An issue was discovered in Heimdal PRO 2.2.190. As part of the scannin ...) NOT-FOR-US: Heimdal PRO CVE-2018-5730 (MIT krb5 1.6 or later allows an authenticated kadmin with permission t ...) {DLA-1643-1} - krb5 1.16.1-1 (bug #891869) [stretch] - krb5 (Minor issue) [wheezy] - krb5 (Minor issue) NOTE: Fixed by: https://github.com/krb5/krb5/commit/e1caf6fb74981da62039846931ebdffed71309d1 CVE-2018-5729 (MIT krb5 1.6 or later allows an authenticated kadmin with permission t ...) {DLA-1643-1} - krb5 1.16.1-1 (bug #891869) [stretch] - krb5 (Minor issue) [wheezy] - krb5 (Minor issue) NOTE: Fixed by: https://github.com/krb5/krb5/commit/e1caf6fb74981da62039846931ebdffed71309d1 CVE-2018-5728 (Cobham Sea Tel 121 build 222701 devices allow remote attackers to obta ...) NOT-FOR-US: Cobham Sea Tel 121 build 222701 devices CVE-2018-5727 (In OpenJPEG 2.3.0, there is an integer overflow vulnerability in the o ...) - openjpeg2 2.3.1-1 (unimportant; bug #888532) NOTE: https://github.com/uclouvain/openjpeg/issues/1053 NOTE: https://github.com/rouault/openjpeg/commit/a1d32a596a94280178c44a55d7e NOTE: ubsan error (integer overflow), no security impact per se and unlikely NOTE: to trigger any security relevant issue CVE-2018-5726 (MASTER IPCAMERA01 3.3.4.2103 devices allow remote attackers to obtain ...) NOT-FOR-US: MASTER IPCAMERA01 3.3.4.2103 devices CVE-2018-5725 (MASTER IPCAMERA01 3.3.4.2103 devices allow Unauthenticated Configurati ...) NOT-FOR-US: MASTER IPCAMERA01 3.3.4.2103 devices CVE-2018-5724 (MASTER IPCAMERA01 3.3.4.2103 devices allow Unauthenticated Configurati ...) NOT-FOR-US: MASTER IPCAMERA01 3.3.4.2103 devices CVE-2018-5723 (MASTER IPCAMERA01 3.3.4.2103 devices have a hardcoded password of cat1 ...) NOT-FOR-US: MASTER IPCAMERA01 3.3.4.2103 devices CVE-2018-5722 RESERVED CVE-2018-5721 (Stack-based buffer overflow in the ej_update_variables function in rou ...) NOT-FOR-US: ASUS routers CVE-2018-5720 (An issue was discovered on DODOCOOL DC38 3-in-1 N300 Mini Wireless Ran ...) NOT-FOR-US: DODOCOOL DC38 3-in-1 N300 Mini Wireless Range Extend RTN2-AW.GD.R3465.1.20161103 devices CVE-2018-5719 RESERVED CVE-2018-5718 (Improper restriction of write operations within the bounds of a memory ...) NOT-FOR-US: SoftControl CVE-2018-5717 (Memory write mechanism in NCR S2 Dispenser controller before firmware ...) NOT-FOR-US: NCR S2 Dispenser controller CVE-2018-5716 (An issue was discovered in Reprise License Manager 11.0. This vulnerab ...) NOT-FOR-US: Reprise License Manager CVE-2018-5715 (phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the quer ...) NOT-FOR-US: SugarCRM CVE-2018-5714 (In Malwarefox Anti-Malware 2.72.169, the driver file (zam64.sys) allow ...) NOT-FOR-US: Malwarefox Anti-Malware CVE-2018-5713 (In Malwarefox Anti-Malware 2.72.169, the driver file (zam64.sys) allow ...) NOT-FOR-US: Malwarefox Anti-Malware CVE-2018-5712 (An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1 ...) {DSA-4081-1 DSA-4080-1 DLA-1251-1} - php7.1 7.1.13-1 - php7.0 7.0.27-1 - php5 NOTE: Fixed in 5.6.33, 7.0.27, 7.1.13, 7.2.1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=74782 CVE-2018-5711 (gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP bef ...) {DSA-4081-1 DSA-4080-1 DLA-1651-1 DLA-1248-1} - php7.1 7.1.13-1 (unimportant) - php7.0 7.0.27-1 (unimportant) - php5 (unimportant) - hhvm 3.24.7+dfsg-1 NOTE: Fixed in 5.6.33, 7.0.27, 7.1.13, 7.2.1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=75571 NOTE: https://hhvm.com/blog/2018/05/04/hhvm-3.25.3.html - libgd2 2.2.5-4.1 (bug #887485) [stretch] - libgd2 2.2.4-2+deb9u3 NOTE: https://github.com/libgd/libgd/issues/420 NOTE: https://github.com/libgd/libgd/commit/a11f47475e6443b7f32d21f2271f28f417e2ac04 CVE-2018-5710 (An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. The ...) - krb5 1.16.1-1 (bug #889685) [stretch] - krb5 (Minor issue) [jessie] - krb5 (Minor issue) [wheezy] - krb5 (all strlen() parameters are checked for NULL) NOTE: https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Denial%20Of%20Service(DoS) NOTE: The CVE is a duplicate of the #891869 issue(s) due to reporter not NOTE: having coordinated with upstream and the CVE assignment ist sill for NOTE: slight different coverage. Thus keep it distinct (for now) and mark NOTE: CVE-2018-5710 issue as well as fixed once #891869 is adressed. CVE-2018-5709 (An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. The ...) - krb5 (unimportant; bug #889684) NOTE: https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow NOTE: non-issue, codepath is only run on trusted input, potential integer NOTE: overflow is non-issue CVE-2018-5708 (An issue was discovered on D-Link DIR-601 B1 2.02NA devices. Being on ...) NOT-FOR-US: D-Link CVE-2018-5707 RESERVED CVE-2018-5706 (An issue was discovered in Octopus Deploy before 4.1.9. Any user with ...) NOT-FOR-US: Octopus Deploy CVE-2018-5705 (Reservo Image Hosting 1.6 is vulnerable to XSS attacks. The affected f ...) NOT-FOR-US: Reservo Image Hosting CVE-2018-1000003 (Improper input validation bugs in DNSSEC validators components in Powe ...) - pdns-recursor 4.1.1-1 [stretch] - pdns-recursor (Only affects 4.1) [jessie] - pdns-recursor (Only affects 4.1) [wheezy] - pdns-recursor (Only affects 4.1) NOTE: https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-01.html CVE-2018-1000002 (Improper input validation bugs in DNSSEC validators components in Knot ...) - knot-resolver 1.5.2-1 NOTE: https://www.knot-resolver.cz/2018-01-22-knot-resolver-1.5.2.html NOTE: prior to 1.5.1 memcached module was called kmemcached CVE-2018-5704 (Open On-Chip Debugger (OpenOCD) 0.10.0 does not block attempts to use ...) {DSA-4093-1 DLA-1253-1} - openocd 0.10.0-4 (bug #887488) NOTE: https://sourceforge.net/p/openocd/mailman/message/36188041/ NOTE: http://openocd.zylin.com/4330 NOTE: http://openocd.zylin.com/4331 NOTE: http://openocd.zylin.com/4335 CVE-2018-5703 (The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux ...) - linux 4.15.11-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: https://lkml.org/lkml/2018/1/16/53 CVE-2017-18032 (The download-manager plugin before 2.9.52 for WordPress has XSS via th ...) NOT-FOR-US: download-manager plugin for WordPress CVE-2018-5701 (In Iolo System Shield AntiVirus and AntiSpyware 5.0.0.136, the amp.sys ...) NOT-FOR-US: Iolo System Shield AntiVirus and AntiSpyware CVE-2018-5700 (Winmail Server through 6.2 allows remote code execution by authenticat ...) NOT-FOR-US: Winmail Server CVE-2018-5699 RESERVED CVE-2017-18031 RESERVED CVE-2018-5698 (libreadstat.a in WizardMac ReadStat 0.1.1 has a heap-based buffer over ...) - r-cran-haven 1.1.1-1 NOTE: https://github.com/WizardMac/ReadStat/issues/108 NOTE: https://github.com/WizardMac/ReadStat/commit/79793dba3b665ff037ca60140441a6679a8971cf CVE-2018-5697 (Icy Phoenix 2.2.0.105 allows SQL injection via an unapprove request to ...) NOT-FOR-US: Icy Phoenix CVE-2018-5696 (The iJoomla com_adagency plugin 6.0.9 for Joomla! allows SQL injection ...) NOT-FOR-US: iJoomla com_adagency plugin for Joomla! CVE-2018-5695 (The WpJobBoard plugin 4.4.4 for WordPress allows SQL injection via the ...) NOT-FOR-US: WpJobBoard plugin for WordPress CVE-2018-5694 (The callforward module in User Control Panel (UCP) in Nicolas Gudino ( ...) NOT-FOR-US: Nicolas Gudino (aka Asternic) Flash Operator Panel CVE-2018-5693 (The LinuxMagic MagicSpam extension before 2.0.14-1 for Plesk allows lo ...) NOT-FOR-US: LinuxMagic MagicSpam extension for Plesk CVE-2018-5692 (Piwigo v2.8.2 has XSS via the `tab`, `to`, `section`, `mode`, `install ...) - piwigo NOTE: https://github.com/Piwigo/Piwigo/issues/847 NOTE: https://github.com/Piwigo/Piwigo/commit/18e4b861992e8412fd70a3a7e0b2bf9b676c42ed CVE-2018-5691 (SonicWall Global Management System (GMS) 8.1 has XSS via the `newName` ...) NOT-FOR-US: SonicWall Global Management System CVE-2018-5690 (Cross-site scripting (XSS) vulnerability in admin/users.php in Dotclea ...) - dotclear CVE-2018-5689 (Cross-site scripting (XSS) vulnerability in admin/auth.php in Dotclear ...) - dotclear CVE-2018-5688 (ILIAS before 5.2.4 has XSS via the cmd parameter to the displayHeader ...) NOT-FOR-US: ILIAS CVE-2018-5687 (NewsBee allows XSS via the Company Name field in the Settings under ad ...) NOT-FOR-US: NewsBee CMS CVE-2018-5686 (In MuPDF 1.12.0, there is an infinite loop vulnerability and applicati ...) {DSA-4334-1 DLA-1838-1} - mupdf 1.13.0+ds1-1 (bug #887130) [wheezy] - mupdf (Minor issue) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698860 NOTE: pdf_parse_array function in source/pdf/pdf-parse.c does not consider NOTE: EOF. NOTE: Fixed by: http://git.ghostscript.com/?p=mupdf.git;h=b70eb93f6936c03d8af52040bbca4d4a7db39079 CVE-2018-5685 (In GraphicsMagick 1.3.27, there is an infinite loop and application ha ...) {DSA-4321-1 DLA-1456-1 DLA-1245-1} - graphicsmagick 1.3.27-4 (bug #887158) NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/52a91ddb1aa6 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/541/ NOTE: Before 1.3.27, the problem only affects 32-bit architectures (i.e., 4-byte long) it NOTE: expanded to 64-bit architectures with upstream commit be5e89e6032d CVE-2018-5684 (In Libav through 12.2, there is an invalid memcpy call in the ff_mov_r ...) - libav [jessie] - libav (vulnerable code is not present) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1110 CVE-2018-5683 (The vga_draw_text function in Qemu allows local OS guest privileged us ...) {DSA-4213-1 DLA-1497-1} - qemu 1:2.12~rc3+dfsg-1 (bug #887392) [wheezy] - qemu (Minor issue, can be fixed along in next DLA) - qemu-kvm [wheezy] - qemu-kvm (Minor issue, can be fixed along in next DLA) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-01/msg02131.html CVE-2017-18030 (The cirrus_invalidate_region function in hw/display/cirrus_vga.c in Qe ...) {DLA-1497-1} - qemu 1:2.8+dfsg-4 [wheezy] - qemu 1.1.2+dfsg-6+deb7u22 - qemu-kvm [wheezy] - qemu-kvm 1.1.2+dfsg-6+deb7u21 NOTE: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=f153b563f8cf121aebf5a2fff5f0110faf58ccb3 CVE-2018-5682 (PrestaShop 1.7.2.4 allows user enumeration via the Reset Password feat ...) NOT-FOR-US: PrestaShop CVE-2018-5681 (PrestaShop 1.7.2.4 has XSS via source-code editing on the "Pages > ...) NOT-FOR-US: PrestaShop CVE-2018-5680 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit CVE-2018-5679 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit CVE-2018-5678 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit CVE-2018-5677 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit CVE-2018-5676 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit CVE-2018-5675 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit CVE-2018-5674 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit CVE-2018-5673 (An issue was discovered in the booking-calendar plugin 2.1.7 for WordP ...) NOT-FOR-US: booking-calendar plugin for WordPress CVE-2018-5672 (An issue was discovered in the booking-calendar plugin 2.1.7 for WordP ...) NOT-FOR-US: booking-calendar plugin for WordPress CVE-2018-5671 (An issue was discovered in the booking-calendar plugin 2.1.7 for WordP ...) NOT-FOR-US: booking-calendar plugin for WordPress CVE-2018-5670 (An issue was discovered in the booking-calendar plugin 2.1.7 for WordP ...) NOT-FOR-US: booking-calendar plugin for WordPress CVE-2018-5669 (An issue was discovered in the read-and-understood plugin 2.1 for Word ...) NOT-FOR-US: read-and-understood plugin for WordPress CVE-2018-5668 (An issue was discovered in the read-and-understood plugin 2.1 for Word ...) NOT-FOR-US: read-and-understood plugin for WordPress CVE-2018-5667 (An issue was discovered in the read-and-understood plugin 2.1 for Word ...) NOT-FOR-US: read-and-understood plugin for WordPress CVE-2018-5666 (An issue was discovered in the responsive-coming-soon-page plugin 1.1. ...) NOT-FOR-US: responsive-coming-soon-page plugin for WordPress CVE-2018-5665 (An issue was discovered in the responsive-coming-soon-page plugin 1.1. ...) NOT-FOR-US: responsive-coming-soon-page plugin for WordPress CVE-2018-5664 (An issue was discovered in the responsive-coming-soon-page plugin 1.1. ...) NOT-FOR-US: responsive-coming-soon-page plugin for WordPress CVE-2018-5663 (An issue was discovered in the responsive-coming-soon-page plugin 1.1. ...) NOT-FOR-US: responsive-coming-soon-page plugin for WordPress CVE-2018-5662 (An issue was discovered in the responsive-coming-soon-page plugin 1.1. ...) NOT-FOR-US: responsive-coming-soon-page plugin for WordPress CVE-2018-5661 (An issue was discovered in the responsive-coming-soon-page plugin 1.1. ...) NOT-FOR-US: responsive-coming-soon-page plugin for WordPress CVE-2018-5660 (An issue was discovered in the responsive-coming-soon-page plugin 1.1. ...) NOT-FOR-US: responsive-coming-soon-page plugin for WordPress CVE-2018-5659 (An issue was discovered in the responsive-coming-soon-page plugin 1.1. ...) NOT-FOR-US: responsive-coming-soon-page plugin for WordPress CVE-2018-5658 (An issue was discovered in the responsive-coming-soon-page plugin 1.1. ...) NOT-FOR-US: responsive-coming-soon-page plugin for WordPress CVE-2018-5657 (An issue was discovered in the responsive-coming-soon-page plugin 1.1. ...) NOT-FOR-US: responsive-coming-soon-page plugin for WordPress CVE-2018-5656 (An issue was discovered in the weblizar-pinterest-feeds plugin 1.1.1 f ...) NOT-FOR-US: weblizar-pinterest-feeds plugin for WordPress CVE-2018-5655 (An issue was discovered in the weblizar-pinterest-feeds plugin 1.1.1 f ...) NOT-FOR-US: weblizar-pinterest-feeds plugin for WordPress CVE-2018-5654 (An issue was discovered in the weblizar-pinterest-feeds plugin 1.1.1 f ...) NOT-FOR-US: weblizar-pinterest-feeds plugin for WordPress CVE-2018-5653 (An issue was discovered in the weblizar-pinterest-feeds plugin 1.1.1 f ...) NOT-FOR-US: weblizar-pinterest-feeds plugin for WordPress CVE-2018-5652 (An issue was discovered in the dark-mode plugin 1.6 for WordPress. XSS ...) NOT-FOR-US: dark-mode plugin for WordPress CVE-2018-5651 (An issue was discovered in the dark-mode plugin 1.6 for WordPress. XSS ...) NOT-FOR-US: dark-mode plugin for WordPress CVE-2018-5650 (In Long Range Zip (aka lrzip) 0.631, there is an infinite loop and app ...) - lrzip 0.631+git180517-1 (bug #887065) [stretch] - lrzip (Minor issue) [jessie] - lrzip (Minor issue) [wheezy] - lrzip (Minor issue) NOTE: https://github.com/ckolivas/lrzip/issues/88 NOTE: https://github.com/ckolivas/lrzip/commit/50cfb3b9f68c7458822795e8b87a07dc06b39816 CVE-2018-5649 RESERVED CVE-2018-5648 RESERVED CVE-2018-5647 RESERVED CVE-2018-5646 RESERVED CVE-2018-5645 RESERVED CVE-2018-5644 RESERVED CVE-2018-5643 RESERVED CVE-2018-5642 RESERVED CVE-2018-5641 RESERVED CVE-2018-5640 RESERVED CVE-2018-5639 RESERVED CVE-2018-5638 RESERVED CVE-2018-5637 RESERVED CVE-2018-5636 RESERVED CVE-2018-5635 RESERVED CVE-2018-5634 RESERVED CVE-2018-5633 RESERVED CVE-2018-5632 RESERVED CVE-2018-5631 RESERVED CVE-2018-5630 RESERVED CVE-2018-5629 RESERVED CVE-2018-5628 RESERVED CVE-2018-5627 RESERVED CVE-2018-5626 RESERVED CVE-2018-5625 RESERVED CVE-2018-5624 RESERVED CVE-2018-5623 RESERVED CVE-2018-5622 RESERVED CVE-2018-5621 RESERVED CVE-2018-5620 RESERVED CVE-2018-5619 RESERVED CVE-2018-5618 RESERVED CVE-2018-5617 RESERVED CVE-2018-5616 RESERVED CVE-2018-5615 RESERVED CVE-2018-5614 RESERVED CVE-2018-5613 RESERVED CVE-2018-5612 RESERVED CVE-2018-5611 RESERVED CVE-2018-5610 RESERVED CVE-2018-5609 RESERVED CVE-2018-5608 RESERVED CVE-2018-5607 RESERVED CVE-2018-5606 RESERVED CVE-2018-5605 RESERVED CVE-2018-5604 RESERVED CVE-2018-5603 RESERVED CVE-2018-5602 RESERVED CVE-2018-5601 RESERVED CVE-2018-5600 RESERVED CVE-2018-5599 RESERVED CVE-2018-5598 RESERVED CVE-2018-5597 RESERVED CVE-2018-5596 RESERVED CVE-2018-5595 RESERVED CVE-2018-5594 RESERVED CVE-2018-5593 RESERVED CVE-2018-5592 RESERVED CVE-2018-5591 RESERVED CVE-2018-5590 RESERVED CVE-2018-5589 RESERVED CVE-2018-5588 RESERVED CVE-2018-5587 RESERVED CVE-2018-5586 RESERVED CVE-2018-5585 RESERVED CVE-2018-5584 RESERVED CVE-2018-5583 RESERVED CVE-2018-5582 RESERVED CVE-2018-5581 RESERVED CVE-2018-5580 RESERVED CVE-2018-5579 RESERVED CVE-2018-5578 RESERVED CVE-2018-5577 RESERVED CVE-2018-5576 RESERVED CVE-2018-5575 RESERVED CVE-2018-5574 RESERVED CVE-2018-5573 RESERVED CVE-2018-5572 RESERVED CVE-2018-5571 RESERVED CVE-2018-5570 RESERVED CVE-2018-5569 RESERVED CVE-2018-5568 RESERVED CVE-2018-5567 RESERVED CVE-2018-5566 RESERVED CVE-2018-5565 RESERVED CVE-2018-5564 RESERVED CVE-2018-5563 RESERVED CVE-2018-5562 RESERVED CVE-2018-5561 RESERVED CVE-2018-5560 (A reliance on a static, hard-coded credential in the design of the clo ...) NOT-FOR-US: Guardzilla CVE-2018-5559 (In Rapid7 Komand version 0.41.0 and prior, certain endpoints that are ...) NOT-FOR-US: Rapid7 Komand CVE-2018-5558 RESERVED CVE-2018-5557 RESERVED CVE-2018-5556 RESERVED CVE-2018-5555 RESERVED CVE-2018-5554 RESERVED CVE-2018-5553 (The Crestron Console service running on DGE-100, DM-DGE-200-C, and TS- ...) NOT-FOR-US: Crestron Console service running on DGE-100, DM-DGE-200-C, and TS-1542-C devices CVE-2018-5552 (Versions of DocuTrac QuicDoc and Office Therapy that ship with DTISQLI ...) NOT-FOR-US: DocuTrac QuicDoc and Office Therapy CVE-2018-5551 (Versions of DocuTrac QuicDoc and Office Therapy that ship with DTISQLI ...) NOT-FOR-US: DocuTrac QuicDoc and Office Therapy CVE-2018-5550 (Versions of Epson AirPrint released prior to January 19, 2018 contain ...) NOT-FOR-US: Epson AirPrint CVE-2015-9250 (An issue was discovered in Skybox Platform before 7.5.201. Directory T ...) NOT-FOR-US: Skybox Platform CVE-2015-9249 (An issue was discovered in Skybox Platform before 7.5.201. SQL Injecti ...) NOT-FOR-US: Skybox Platform CVE-2015-9248 (An issue was discovered in Skybox Platform before 7.5.201. Stored cros ...) NOT-FOR-US: Skybox Platform CVE-2015-9247 (An issue was discovered in Skybox Platform before 7.5.401. Reflected c ...) NOT-FOR-US: Skybox Platform CVE-2015-9246 (An issue was discovered in Skybox Platform before 7.5.201. Remote Unau ...) NOT-FOR-US: Skybox Platform CVE-2018-5549 (On BIG-IP APM 11.6.0-11.6.3.1, 12.1.0-12.1.3.3, 13.0.0, and 13.1.0-13. ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5548 (On BIG-IP APM 11.6.0-11.6.3, an insecure AES ECB mode is used for orig ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5547 (Windows Logon Integration feature of F5 BIG-IP APM client prior to ver ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5546 (The svpn and policyserver components of the F5 BIG-IP APM client prior ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5545 (On F5 WebSafe Alert Server 1.0.0-4.2.6, a malicious, authenticated use ...) NOT-FOR-US: F5 WebSafe Alert Server CVE-2018-5544 (When the F5 BIG-IP APM 13.0.0-13.1.1 or 12.1.0-12.1.3 renders certain ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5543 (The F5 BIG-IP Controller for Kubernetes 1.0.0-1.5.0 (k8s-bigip-crtl) p ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5542 (F5 BIG-IP 13.0.0-13.0.1, 12.1.0-12.1.3.6, or 11.2.1-11.6.3.2 HTTPS hea ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5541 (When F5 BIG-IP ASM 13.0.0-13.1.0.1, 12.1.0-12.1.3.5, 11.6.0-11.6.3.1, ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5540 (On F5 BIG-IP 13.0.0-13.0.1, 12.1.0-12.1.3.3, 11.6.0-11.6.3.1, or 11.5. ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5539 (Under certain conditions, on F5 BIG-IP ASM 13.0.0-13.1.0.7, 12.1.0-12. ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5538 (On F5 BIG-IP DNS 13.1.0-13.1.0.7, 12.1.3-12.1.3.5, DNS Express / DNS Z ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5537 (A remote attacker may be able to disrupt services on F5 BIG-IP 13.0.0- ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5536 (A remote attacker via undisclosed measures, may be able to exploit an ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5535 (On F5 BIG-IP 14.0.0, 13.0.0-13.1.0, 12.1.0-12.1.3, or 11.5.1-11.6.3 sp ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5534 (Under certain conditions on F5 BIG-IP 13.1.0-13.1.0.5, 13.0.0, 12.1.0- ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5533 (Under certain conditions on F5 BIG-IP 13.0.0, 12.1.0-12.1.2, 11.6.0-11 ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5532 (On F5 BIG-IP 13.0.0, 12.1.0-12.1.2, 11.6.0-11.6.3.1, or 11.2.1-11.5.6 ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5531 (Through undisclosed methods, on F5 BIG-IP 13.0.0-13.1.0.7, 12.1.0-12.1 ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5530 (F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.5, or 11.6.0-11.6.3.1 virtual ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5529 (The svpn component of the F5 BIG-IP APM client prior to version 7.1.7 ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5528 (Under certain conditions, TMM may restart and produce a core file whil ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5527 (On BIG-IP 13.1.0-13.1.0.7, a remote attacker using undisclosed methods ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5526 (Under certain conditions, on F5 BIG-IP ASM 13.1.0-13.1.0.5, Behavioral ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5525 (A local file vulnerability exists in the F5 BIG-IP Configuration utili ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5524 (Under certain conditions, on F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3. ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5523 (On F5 BIG-IP 13.1.0-13.1.0.3, 13.0.0, 12.1.0-12.1.3.1, 11.6.1-11.6.3.1 ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5522 (On F5 BIG-IP 13.0.0, 12.0.0-12.1.2, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5521 (On F5 BIG-IP 12.1.0-12.1.3.1, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2. ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5520 (On an F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.1, or 11.2.1-11.6.3.1 s ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5519 (On F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.3, or 11.2.1-11.6.3.1, adm ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5518 (On F5 BIG-IP 13.0.0-13.1.0.5 or 12.0.0-12.1.3.3, malicious root users ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5517 (On F5 BIG-IP 13.1.0-13.1.0.5, malformed TCP packets sent to a self IP ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5516 (On F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.2, or 11.2.1-11.6.3.1, Enter ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5515 (On F5 BIG-IP 13.0.0-13.1.0.5, using RADIUS authentication responses fr ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5514 (On F5 BIG-IP 13.1.0-13.1.0.5, maliciously crafted HTTP/2 request frame ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5513 (On F5 BIG-IP 13.1.0-13.1.0.3, 13.0.0, 12.1.0-12.1.3.3, 11.6.1-11.6.3.1 ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5512 (On F5 BIG-IP 13.1.0-13.1.0.5, when Large Receive Offload (LRO) and SYN ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5511 (On F5 BIG-IP 13.1.0-13.1.0.3 or 13.0.0, when authenticated administrat ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5510 (On F5 BIG-IP 11.5.4 HF4-11.5.5, the Traffic Management Microkernel (TM ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5509 (On F5 BIG-IP versions 13.0.0 or 12.1.0 - 12.1.3.1, when a specifically ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5508 (On F5 BIG-IP PEM versions 13.0.0, 12.0.0-12.1.3.1, 11.6.0-11.6.2, 11.5 ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5507 (On F5 BIG-IP versions 13.0.0, 12.1.0-12.1.3.1, 11.6.1-11.6.2, or 11.5. ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5506 (In F5 BIG-IP 13.0.0, 12.1.0-12.1.2, 11.6.1, 11.5.1-11.5.5, or 11.2.1 t ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5505 (On F5 BIG-IP versions 13.1.0 - 13.1.0.3, when ASM and AVR are both pro ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5504 (In some circumstances, the Traffic Management Microkernel (TMM) does n ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5503 (On F5 BIG-IP versions 13.0.0 - 13.1.0.3 or 12.0.0 - 12.1.3.1, TMM may ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5502 (On F5 BIG-IP versions 13.0.0 - 13.1.0.3, attackers may be able to disr ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5501 (In some circumstances, on F5 BIG-IP systems running 13.0.0, 12.1.0 - 1 ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5500 (On F5 BIG-IP systems running 13.0.0, 12.1.0 - 12.1.3.1, or 11.6.1 - 11 ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5499 (ATTO FibreBridge 7500N firmware version 2.95 is susceptible to a vulne ...) NOT-FOR-US: ATTO FibreBridge 7500N firmware CVE-2018-5498 (Clustered Data ONTAP versions 9.0 through 9.4 are susceptible to a vul ...) NOT-FOR-US: Clustered Data ONTAP CVE-2018-5497 (Clustered Data ONTAP versions prior to 9.1P16, 9.3P10 and 9.4P5 are su ...) NOT-FOR-US: Clustered Data ONTAP CVE-2018-5496 (Data ONTAP operating in 7-Mode versions prior to 8.2.5P2 are susceptib ...) NOT-FOR-US: Data ONTAP CVE-2018-5495 (All StorageGRID Webscale versions are susceptible to a vulnerability w ...) NOT-FOR-US: NetApp CVE-2018-5494 RESERVED CVE-2018-5493 (ATTO FibreBridge 7500N firmware versions prior to 2.90 are susceptible ...) NOT-FOR-US: ATTO CVE-2018-5492 (NetApp E-Series SANtricity OS Controller Software 11.30 and later vers ...) NOT-FOR-US: NetApp CVE-2018-5491 REJECTED CVE-2018-5490 (Read-Only export policy rules are not correctly enforced in Clustered ...) NOT-FOR-US: NetApp Data ONTAP CVE-2018-5489 (NetApp 7-Mode Transition Tool allows users with valid credentials to a ...) NOT-FOR-US: NetApp CVE-2018-5488 (NetApp SANtricity Web Services Proxy versions 1.10.x000.0002 through 2 ...) NOT-FOR-US: NetApp SANtricity Web Services Proxy CVE-2018-5487 (NetApp OnCommand Unified Manager for Linux versions 7.2 through 7.3 sh ...) NOT-FOR-US: NetApp OnCommand Unified Manager for Linux CVE-2018-5486 (NetApp OnCommand Unified Manager for Linux versions 7.2 though 7.3 shi ...) NOT-FOR-US: NetApp OnCommand Unified Manager for Linux CVE-2018-5485 (NetApp OnCommand Unified Manager for Windows versions 7.2 through 7.3 ...) NOT-FOR-US: NetApp OnCommand Unified Manager for Windows CVE-2018-5484 REJECTED CVE-2018-5483 RESERVED CVE-2018-5482 (NetApp SnapCenter Server prior to 4.1 does not set the secure flag for ...) NOT-FOR-US: NetApp SnapCenter Server CVE-2018-5481 (OnCommand Unified Manager for 7-Mode (core package) prior to 5.2.4 use ...) NOT-FOR-US: OnCommand Unified Manager CVE-2018-5480 REJECTED CVE-2018-5479 (FoxSash ImgHosting 1.5 (according to footer information) is vulnerable ...) NOT-FOR-US: FoxSash ImgHosting CVE-2018-5478 RESERVED CVE-2018-5477 (An Information Exposure issue was discovered in ABB netCADOPS Web Appl ...) NOT-FOR-US: ABB netCADOPS Web Application CVE-2018-5476 (A Stack-based Buffer Overflow issue was discovered in Delta Electronic ...) NOT-FOR-US: Delta Electronics Delta Industrial Automation DOPSoft CVE-2018-5475 (A Stack-based Buffer Overflow issue was discovered in GE D60 Line Dist ...) NOT-FOR-US: GE D60 Line Distance Relay devices CVE-2018-5474 (Philips Intellispace Portal all versions 7.0.x and 8.0.x have an input ...) NOT-FOR-US: Philips Intellispace Portal CVE-2018-5473 (An Improper Restriction of Operations within the Bounds of a Memory Bu ...) NOT-FOR-US: GE D60 Line Distance Relay devices CVE-2018-5472 (Philips Intellispace Portal all versions 7.0.x and 8.0.x have an insec ...) NOT-FOR-US: Philips Intellispace Portal CVE-2018-5471 (A Cleartext Transmission of Sensitive Information issue was discovered ...) NOT-FOR-US: Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic Platform Switches CVE-2018-5470 (Philips IntelliSpace Portal all versions of 8.0.x, and 7.0.x have an u ...) NOT-FOR-US: Philips Intellispace Portal CVE-2018-5469 (An Improper Restriction of Excessive Authentication Attempts issue was ...) NOT-FOR-US: Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic Platform Switches CVE-2018-5468 (Philips Intellispace Portal all versions 7.0.x and 8.0.x have a remote ...) NOT-FOR-US: Philips Intellispace Portal CVE-2018-5467 (An Information Exposure Through Query Strings in GET Request issue was ...) NOT-FOR-US: Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic Platform Switches CVE-2018-5466 (Philips IntelliSpace Portal all versions of 8.0.x, and 7.0.x have a se ...) NOT-FOR-US: Philips Intellispace Portal CVE-2018-5465 (A Session Fixation issue was discovered in Belden Hirschmann RS, RSR, ...) NOT-FOR-US: Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic Platform Switches CVE-2018-5464 (Philips IntelliSpace Portal all versions of 8.0.x, and 7.0.x have an u ...) NOT-FOR-US: Philips Intellispace Portal CVE-2018-5463 (A structured exception handler overflow vulnerability in Leao Consulto ...) NOT-FOR-US: Leao Consultoria e Desenvolvimento de Sistemas (LCDS) LTDA ME LAquis SCADA CVE-2018-5462 (Philips IntelliSpace Portal all versions of 8.0.x, and 7.0.x have an S ...) NOT-FOR-US: Philips Intellispace Portal CVE-2018-5461 (An Inadequate Encryption Strength issue was discovered in Belden Hirsc ...) NOT-FOR-US: Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic Platform Switches CVE-2018-5460 RESERVED CVE-2018-5459 (An Improper Authentication issue was discovered in WAGO PFC200 Series ...) NOT-FOR-US: WAGO PFC200 CVE-2018-5458 (Philips IntelliSpace Portal all versions of 8.0.x, and 7.0.x have a vu ...) NOT-FOR-US: Philips Intellispace Portal CVE-2018-5457 (A uncontrolled search path element issue was discovered in Vyaire Medi ...) NOT-FOR-US: Vyaire Medical CareFusion Upgrade Utility CVE-2018-5456 RESERVED CVE-2018-5455 (A Reliance on Cookies without Validation and Integrity Checking issue ...) NOT-FOR-US: Moxa CVE-2018-5454 (Philips IntelliSpace Portal all versions of 8.0.x, and 7.0.x have a vu ...) NOT-FOR-US: Philips Intellispace Portal CVE-2018-5453 (An Improper Handling of Length Parameter Inconsistency issue was disco ...) NOT-FOR-US: Moxa CVE-2018-5452 (A Stack-based Buffer Overflow issue was discovered in Emerson Process ...) NOT-FOR-US: Emerson Process Management ControlWave Micro Process Automation Controller CVE-2018-5451 (In Philips Alice 6 System version R8.0.2 or prior, when an actor claim ...) NOT-FOR-US: Philips Alice 6 System CVE-2018-5450 RESERVED CVE-2018-5449 (A NULL Pointer Dereference issue was discovered in Moxa OnCell G3100-H ...) NOT-FOR-US: Moxa CVE-2018-5448 (All versions of the Medtronic 2090 Carelink Programmer are affected by ...) NOT-FOR-US: Medtronic CVE-2018-5447 (An Improper Input Validation issue was discovered in Nari PCS-9611 rel ...) NOT-FOR-US: Nari PCS-9611 relay CVE-2018-5446 (All versions of the Medtronic 2090 Carelink Programmer are affected by ...) NOT-FOR-US: Medtronic CVE-2018-5445 (A Path Traversal issue was discovered in Advantech WebAccess/SCADA ver ...) NOT-FOR-US: Advantech WebAccess/SCADA CVE-2018-5444 RESERVED CVE-2018-5443 (A SQL Injection issue was discovered in Advantech WebAccess/SCADA vers ...) NOT-FOR-US: Advantech WebAccess/SCADA CVE-2018-5442 (A Stack-based Buffer Overflow issue was discovered in Fuji Electric V- ...) NOT-FOR-US: Fuji Electric V-Server VPR CVE-2018-5441 (An Improper Validation of Integrity Check Value issue was discovered i ...) NOT-FOR-US: PHOENIX CONTACT mGuard firmware CVE-2018-5440 (A Stack-based Buffer Overflow issue was discovered in 3S-Smart CODESYS ...) NOT-FOR-US: 3S-Smart CVE-2018-5439 (A Command Injection issue was discovered in Nortek Linear eMerge E3 se ...) NOT-FOR-US: Nortek Linear eMerge E3 series CVE-2018-5438 (Philips ISCV application prior to version 2.3.0 has an insufficient se ...) NOT-FOR-US: Philips ISCV application CVE-2018-5437 (The TIBCO Spotfire Client and TIBCO Spotfire Web Player Client compone ...) NOT-FOR-US: TIBCO Spotfire CVE-2018-5436 (The Spotfire server component of TIBCO Software Inc.'s TIBCO Spotfire ...) NOT-FOR-US: TIBCO Spotfire CVE-2018-5435 (The TIBCO Spotfire Client and TIBCO Spotfire Web Player Client compone ...) NOT-FOR-US: TIBCO Spotfire CVE-2018-5434 (The TIBCO Designer component of TIBCO Software Inc.'s TIBCO Runtime Ag ...) NOT-FOR-US: TIBCO Runtime Agent CVE-2018-5433 (The TIBCO Administrator server component of TIBCO Software Inc.'s TIBC ...) NOT-FOR-US: TIBCO Administrator CVE-2018-5432 (The TIBCO Administrator server component of of TIBCO Software Inc.'s T ...) NOT-FOR-US: TIBCO Administrator CVE-2018-5431 (The domain designer component of TIBCO Software Inc.'s TIBCO JasperRep ...) - jasperreports [jessie] - jasperreports (not supported in Jessie) [wheezy] - jasperreports (not supported in Wheezy) NOTE: https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5431 CVE-2018-5430 (The Spring web flows of TIBCO Software Inc.'s TIBCO JasperReports Serv ...) - jasperreports [jessie] - jasperreports (not supported in Jessie) [wheezy] - jasperreports (not supported in Wheezy) NOTE: https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5430 CVE-2018-5429 (A vulnerability in the report scripting component of TIBCO Software In ...) - jasperreports [jessie] - jasperreports (not supported in Jessie) [wheezy] - jasperreports (not supported in Wheezy) NOTE: https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5429 CVE-2018-5428 (The version control adapters component of TIBCO Data Virtualization (f ...) NOT-FOR-US: TIBCO Data Virtualization CVE-2018-5427 REJECTED CVE-2018-5426 REJECTED CVE-2018-5425 REJECTED CVE-2018-5424 REJECTED CVE-2018-5423 REJECTED CVE-2018-5422 REJECTED CVE-2018-5421 REJECTED CVE-2018-5420 REJECTED CVE-2018-5419 REJECTED CVE-2018-5418 REJECTED CVE-2018-5417 REJECTED CVE-2018-5416 REJECTED CVE-2018-5415 REJECTED CVE-2018-5414 REJECTED CVE-2018-5413 (Imperva SecureSphere running v13.0, v12.0, or v11.5 allows low privile ...) NOT-FOR-US: Imperva SecureSphere CVE-2018-5412 (Imperva SecureSphere running v12.0.0.50 is vulnerable to local arbitra ...) NOT-FOR-US: Imperva SecureSphere CVE-2018-5411 (Pixar's Tractor software, versions 2.2 and earlier, contain a stored c ...) NOT-FOR-US: Pixar Tractor CVE-2018-5410 (Dokan, versions between 1.0.0.5000 and 1.2.0.1000, are vulnerable to a ...) NOT-FOR-US: Dokan CVE-2018-5409 (The PrinterLogic Print Management software, versions up to and includi ...) NOT-FOR-US: PrinterLogic Print Management software CVE-2018-5408 (The PrinterLogic Print Management software, versions up to and includi ...) NOT-FOR-US: PrinterLogic Print Management software CVE-2018-5407 (Simultaneous Multi-threading (SMT) in processors can enable local user ...) {DSA-4355-1 DSA-4348-1 DLA-1586-1} - openssl 1.1.1~~pre9-1 - openssl1.0 1.0.2q-1 NOTE: https://www.openssl.org/news/secadv/20181112.txt NOTE: OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=b18162a7c9bbfb57112459a4d6631fa258fd8c0c NOTE: https://www.openwall.com/lists/oss-security/2018/11/01/4 NOTE: https://github.com/bbbrumley/portsmash NOTE: This is not an issue in software but in a hardware issue. Issue can be NOTE: mitigated e.g. for OpenSSL. CVE-2018-5406 (The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows a re ...) NOT-FOR-US: Quest Kace K1000 Appliance CVE-2018-5405 (The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an a ...) NOT-FOR-US: Quest Kace K1000 Appliance CVE-2018-5404 (The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an a ...) NOT-FOR-US: Quest Kace K1000 Appliance CVE-2018-5403 (Imperva SecureSphere gateway (GW) running v13, for both pre-First Time ...) NOT-FOR-US: Imperva SecureSphere CVE-2018-5402 (The Auto-Maskin DCU 210E, RP-210E, and Marine Pro Observer Android App ...) NOT-FOR-US: Auto-Maskin CVE-2018-5401 (The Auto-Maskin DCU 210E, RP-210E, and Marine Pro Observer Android App ...) NOT-FOR-US: Auto-Maskin CVE-2018-5400 (The Auto-Maskin products utilize an undocumented custom protocol to se ...) NOT-FOR-US: Auto-Maskin CVE-2018-5399 (The Auto-Maskin DCU 210E firmware contains an undocumented Dropbear SS ...) NOT-FOR-US: Auto-Maskin CVE-2018-5398 RESERVED CVE-2018-5397 RESERVED CVE-2018-5396 RESERVED CVE-2018-5395 RESERVED CVE-2018-5394 RESERVED CVE-2018-5393 (The TP-LINK EAP Controller is TP-LINK's software for remotely controll ...) NOT-FOR-US: TP-LINK CVE-2018-5392 (mingw-w64 version 5.0.4 by default produces executables that opt in to ...) - mingw-w64 (unimportant) NOTE: https://sourceforge.net/p/mingw-w64/mailman/message/31034877/ NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=17321 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=19011 NOTE: https://www.kb.cert.org/vuls/id/307144 (describes workaround) CVE-2018-5391 (The Linux kernel, versions 3.9+, is vulnerable to a denial of service ...) {DSA-4272-1 DLA-1715-1 DLA-1529-1 DLA-1466-1} - linux 4.17.15-1 NOTE: Mitigation: Change the default values of net.ipv4.ipfrag_high_thresh and NOTE: net.ipv4.ipfrag_low_thresh back to 256kB and 192 kB (respectively) or NOTE: below. CVE-2018-5390 (Linux kernel versions 4.9+ can be forced to make very expensive calls ...) {DSA-4266-1 DLA-1466-1} - linux 4.17.14-1 (bug #905751) [jessie] - linux (Vulnerable code introduced later) NOTE: https://www.kb.cert.org/vuls/id/962459 CVE-2018-5389 (The Internet Key Exchange v1 main mode is vulnerable to offline dictio ...) - strongswan (unimportant) - libreswan (unimportant) - ipsec-tools (unimportant) - isakmpd (unimportant) NOTE: https://www.usenix.org/conference/usenixsecurity18/presentation/felsch NOTE: https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-felsch.pdf NOTE: https://www.usenix.org/sites/default/files/conference/protected-files/security18_slides_felsch.pdf NOTE: vulnerability in IKEv1 protocol, not fixable in implementation; use strong passphrase or public-key cryptography CVE-2018-5388 (In stroke_socket.c in strongSwan before 5.6.3, a missing packet length ...) {DSA-4229-1} - strongswan 5.6.3-1 [stretch] - strongswan (needs root priv for access to the stroke socket) [jessie] - strongswan (needs root priv for access to the stroke socket) [wheezy] - strongswan (needs root priv for access to the stroke socket) NOTE: https://www.kb.cert.org/vuls/id/338343 NOTE: https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=0acd1ab4 NOTE: https://www.strongswan.org/blog/2018/05/28/strongswan-5.6.3-released.html NOTE: https://www.strongswan.org/blog/2018/05/28/strongswan-vulnerability-(cve-2018-5388).html CVE-2018-5387 (Wizkunde SAMLBase may incorrectly utilize the results of XML DOM trave ...) NOT-FOR-US: Wizkunde SAMLBase CVE-2018-5386 (Some Navarino Infinity functions, up to version 2.2, placed in the URL ...) NOT-FOR-US: Navarino Infinity CVE-2018-5385 (Navarino Infinity is prone to session fixation attacks. The server acc ...) NOT-FOR-US: Navarino Infinity CVE-2018-5384 (Navarino Infinity web interface up to version 2.2 exposes an unauthent ...) NOT-FOR-US: Navarino Infinity CVE-2018-5383 (Bluetooth firmware or operating system software drivers in macOS versi ...) {DLA-1747-1} - firmware-nonfree 20190114-1 [stretch] - firmware-nonfree 20161130-5 NOTE: http://www.cs.technion.ac.il/~biham/BT/ CVE-2018-5382 (Bouncy Castle BKS version 1 keystore (BKS-V1) files use an HMAC that i ...) - bouncycastle 1.48+dfsg-2 [wheezy] - bouncycastle (this only affects the integrity verification and not the content of the BKS keystore) NOTE: https://insights.sei.cmu.edu/cert/2018/03/the-curious-case-of-the-bouncy-castle-bks-passwords.html NOTE: https://www.kb.cert.org/vuls/id/306792 NOTE: Issue fixed in 1.47 upstream. The default MAC for a BKS key store was NOTE: 2 bytes before and has been upgraded to 20 bytes. CVE-2018-5381 (The Quagga BGP daemon (bgpd) prior to version 1.2.3 has a bug in its p ...) {DSA-4115-1 DLA-1286-1} - quagga 1.2.4-1 (bug #890563) NOTE: https://www.quagga.net/security/Quagga-2018-1975.txt NOTE: https://git.savannah.gnu.org/cgit/quagga.git/commit/?id=ce07207c50a3d1f05d6dd49b5294282e59749787 CVE-2018-5380 (The Quagga BGP daemon (bgpd) prior to version 1.2.3 can overrun intern ...) {DSA-4115-1 DLA-1286-1} - quagga 1.2.4-1 (bug #890563) NOTE: https://www.quagga.net/security/Quagga-2018-1550.txt NOTE: https://git.savannah.gnu.org/cgit/quagga.git/commit/?id=9e5251151894aefdf8e9392a2371615222119ad8 CVE-2018-5379 (The Quagga BGP daemon (bgpd) prior to version 1.2.3 can double-free me ...) {DSA-4115-1 DLA-1286-1} - quagga 1.2.4-1 (bug #890563) NOTE: https://www.quagga.net/security/Quagga-2018-1114.txt NOTE: https://git.savannah.gnu.org/cgit/quagga.git/commit/?id=e69b535f92eafb599329bf725d9b4c6fd5d7fded CVE-2018-5378 (The Quagga BGP daemon (bgpd) prior to version 1.2.3 does not properly ...) - quagga 1.2.4-1 (bug #890563) [stretch] - quagga 1.1.1-3+deb9u2 [jessie] - quagga (Vulnerable code not present) [wheezy] - quagga (Vulnerable code not present) NOTE: https://www.quagga.net/security/Quagga-2018-0543.txt NOTE: https://git.savannah.gnu.org/cgit/quagga.git/commit/?id=cc2e6770697e343f4af534114ab7e633d5beabec CVE-2018-5377 (Discuz! DiscuzX X3.4 allows remote attackers to bypass intended access ...) NOT-FOR-US: Discuz! DiscuzX CVE-2018-5376 (Discuz! DiscuzX X3.4 has XSS via the include\spacecp\spacecp_upload.ph ...) NOT-FOR-US: Discuz! DiscuzX CVE-2018-5375 (Discuz! DiscuzX X3.4 has XSS via the include\spacecp\spacecp_space.php ...) NOT-FOR-US: Discuz! DiscuzX CVE-2017-18029 (In ImageMagick 7.0.6-10 Q16, a memory leak vulnerability was found in ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/691 NOTE: https://github.com/ImageMagick/ImageMagick/commit/d3144a8be81aed6e635de68f0d8e97881638a398 CVE-2017-18028 (In ImageMagick 7.0.7-1 Q16, a memory exhaustion vulnerability was foun ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/736 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/740985d9bd3f1c50d622c3496bb2e75d44b65a91 NOTE: https://github.com/ImageMagick/ImageMagick/commit/32a3eeb9e0da083cbc05909e4935efdbf9846df9 CVE-2017-18027 (In ImageMagick 7.0.7-1 Q16, a memory leak vulnerability was found in t ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/734 NOTE: https://github.com/ImageMagick/ImageMagick/commit/a43f4155ee916fbed080acd534232a9d2396b5b5 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/6a88a234cbb88a06fcb7e7ebe6668267b72fa787 CVE-2016-10706 (The Jetpack plugin before 4.0.3 for WordPress has XSS via a crafted Vi ...) NOT-FOR-US: WordPress plugin jetpack CVE-2016-10705 (The Jetpack plugin before 4.0.4 for WordPress has XSS via the Likes mo ...) NOT-FOR-US: WordPress plugin jetpack CVE-2018-5702 (Transmission through 2.92 relies on X-Transmission-Session-Id (which i ...) {DSA-4087-1 DLA-1246-1} - transmission 2.92-3 (bug #886990) NOTE: http://www.openwall.com/lists/oss-security/2018/01/12/1 NOTE: https://github.com/transmission/transmission/pull/468 NOTE: Proposed patch: https://patch-diff.githubusercontent.com/raw/transmission/transmission/pull/468.diff NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1447 CVE-2018-5374 (The Dbox 3D Slider Lite plugin through 1.2.2 for WordPress has SQL Inj ...) NOT-FOR-US: Dbox 3D Slider Lite plugin for WordPress CVE-2018-5373 (The Smooth Slider plugin through 2.8.6 for WordPress has SQL Injection ...) NOT-FOR-US: Smooth Slider plugin for WordPress CVE-2018-5372 (The Testimonial Slider plugin through 1.2.4 for WordPress has SQL Inje ...) NOT-FOR-US: Testimonial Slider plugin for WordPress CVE-2018-5371 (diag_ping.cmd on D-Link DSL-2640U devices with firmware IM_1.00 and ME ...) NOT-FOR-US: D-Link CVE-2018-5370 (BizLogic xnami 1.0 has XSS via the comment parameter in an addComment ...) NOT-FOR-US: BizLogic xnami CVE-2018-5369 (The SrbTransLatin plugin 1.46 for WordPress has XSS via an srbtranslat ...) NOT-FOR-US: SrbTransLatin plugin for WordPress CVE-2018-5368 (The SrbTransLatin plugin 1.46 for WordPress has CSRF via an srbtransla ...) NOT-FOR-US: SrbTransLatin plugin for WordPress CVE-2018-5367 (The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_optio ...) NOT-FOR-US: WPGlobus plugin for WordPress CVE-2018-5366 (The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_optio ...) NOT-FOR-US: WPGlobus plugin for WordPress CVE-2018-5365 (The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_optio ...) NOT-FOR-US: WPGlobus plugin for WordPress CVE-2018-5364 (The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_optio ...) NOT-FOR-US: WPGlobus plugin for WordPress CVE-2018-5363 (The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_optio ...) NOT-FOR-US: WPGlobus plugin for WordPress CVE-2018-5362 (The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_optio ...) NOT-FOR-US: WPGlobus plugin for WordPress CVE-2018-5361 (The WPGlobus plugin 1.9.6 for WordPress has CSRF via wp-admin/options. ...) NOT-FOR-US: WPGlobus plugin for WordPress CVE-2018-5360 (LibTIFF before 4.0.6 mishandles the reading of TIFF files, as demonstr ...) - tiff 4.0.6-3 [jessie] - tiff (Minor issue, duplicate of CVE-2014-8127) - tiff3 [wheezy] - tiff3 (Minor issue, revisit once fixed upstream) NOTE: Issue demostrated in tiff via a vector through graphicsmagick, cf. NOTE: https://sourceforge.net/p/graphicsmagick/bugs/540/ NOTE: Same issue as http://bugzilla.maptools.org/show_bug.cgi?id=2500 (CVE-2014-8127) NOTE: fixed as per 2016-10-25 (first release to ship the patch seems to be 4.0.7) NOTE: https://gitlab.com/libtiff/libtiff/commit/739dcd28a061738b317c1e9f91029d9cbc157159 CVE-2018-5359 (The server in Flexense SysGauge 3.6.18 operating on port 9221 can be e ...) NOT-FOR-US: Flexense SysGauge CVE-2018-5358 (ImageMagick 7.0.7-22 Q16 has memory leaks in the EncodeImageAttributes ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/939 NOTE: https://github.com/ImageMagick/ImageMagick/commit/4e72d445220287727d7886a5f17a10caf944a802 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/ed80c93e4cbf2727ead75fd8bd5e5d9ecbe762f9 CVE-2018-5357 (ImageMagick 7.0.7-22 Q16 has memory leaks in the ReadDCMImage function ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/941 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/4b60459202805cb4c9a96cdeeb70db594b1d3c72 NOTE: Imagemagick-6: https://github.com/ImageMagick/ImageMagick/commit/152d81b91fc83d72da1989518685b1d70fc5e60a NOTE: https://github.com/ImageMagick/ImageMagick/commit/fcce81295235f39aace870e1ed4785eec40790c1 CVE-2018-5356 RESERVED CVE-2018-5355 RESERVED CVE-2018-5354 RESERVED CVE-2018-5353 RESERVED CVE-2018-5352 RESERVED CVE-2018-5351 RESERVED CVE-2018-5350 RESERVED CVE-2018-5349 (A vulnerability has been found in Heimdal PRO v2.2.190, but it is most ...) NOT-FOR-US: Heimdal PRO CVE-2018-5348 RESERVED CVE-2018-5347 (Seagate Media Server in Seagate Personal Cloud has unauthenticated com ...) NOT-FOR-US: Seagate Media Server in Seagate Personal Cloud CVE-2018-5346 RESERVED CVE-2018-1000004 (In the Linux kernel 4.12, 3.10, 2.6 and possibly earlier versions a ra ...) {DSA-4187-1 DLA-1369-1} - linux 4.14.17-1 [stretch] - linux 4.9.80-1 CVE-2018-1000001 (In glibc 2.26 and earlier there is confusion in the usage of getcwd() ...) - glibc 2.26-4 (bug #887001) [stretch] - glibc (Minor issue, can be fixed along in next DSA or preferably point release) [jessie] - glibc (Minor issue, can be fixed along in next DSA or preferably point release) - eglibc [wheezy] - eglibc (Minor issue, can be fixed along in next DSA) NOTE: http://www.openwall.com/lists/oss-security/2018/01/11/5 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22679 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94 CVE-2018-5345 (A stack-based buffer overflow within GNOME gcab through 0.7.4 can be e ...) {DSA-4095-1} - gcab 0.7-7 (bug #887776) NOTE: https://git.gnome.org/browse/gcab/commit/?id=bd2abee5f0a9b5cbe3a1ab1f338c4fb8f6ca797b CVE-2018-5344 (In the Linux kernel through 4.14.13, drivers/block/loop.c mishandles l ...) - linux 4.14.17-1 [stretch] - linux 4.9.80-1 [jessie] - linux (Vulnerability introduced later) [wheezy] - linux (Vulnerability introduced later) NOTE: Fixed by: https://git.kernel.org/linus/ae6650163c66a7eff1acd6eb8b0f752dcfa8eba5 CVE-2018-5343 RESERVED CVE-2018-5342 (An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 ...) NOT-FOR-US: Zoho ManageEngine Desktop Central CVE-2018-5341 (An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 ...) NOT-FOR-US: Zoho ManageEngine Desktop Central CVE-2018-5340 (An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 ...) NOT-FOR-US: Zoho ManageEngine Desktop Central CVE-2018-5339 (An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 ...) NOT-FOR-US: Zoho ManageEngine Desktop Central CVE-2018-5338 (An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 ...) NOT-FOR-US: Zoho ManageEngine Desktop Central CVE-2018-5337 (An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 ...) NOT-FOR-US: Zoho ManageEngine Desktop Central CVE-2018-5336 (In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the JSON, XML, NTP, X ...) {DSA-4101-1 DLA-1258-1} - wireshark 2.4.4-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-01.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14253 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=4f4c95cf46ba6adbd10b09747e10742801bc706b NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f6702e49a9720d173246668495eece6d77eca5b0 CVE-2018-5335 (In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the WCP dissector cou ...) {DSA-4101-1 DLA-1258-1} - wireshark 2.4.4-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-04.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14251 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=086b87376b988c555484349aa115d6e08ac6db07 CVE-2018-5334 (In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the IxVeriWave file p ...) {DSA-4101-1 DLA-1258-1} - wireshark 2.4.4-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-03.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14297 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=dc308c05ba0673460fe80873b22d296880ee996d CVE-2018-5333 (In the Linux kernel through 4.14.13, the rds_cmsg_atomic function in n ...) {DSA-4187-1 DLA-1369-1} - linux 4.14.17-1 [stretch] - linux 4.9.80-1 NOTE: Fixed by: https://git.kernel.org/linus/7d11f77f84b27cef452cee332f4e469503084737 CVE-2018-5332 (In the Linux kernel through 4.14.13, the rds_message_alloc_sgs() funct ...) {DSA-4187-1 DLA-1369-1} - linux 4.14.17-1 [stretch] - linux 4.9.80-1 NOTE: Fixed by: https://git.kernel.org/linus/c095508770aebf1b9218e77026e48345d719b17c CVE-2017-1000441 REJECTED CVE-2017-1000439 REJECTED CVE-2018-5331 (Discuz! DiscuzX X3.4 has XSS via the view parameter to include/space/s ...) NOT-FOR-US: Discuz! CVE-2018-5330 (ZyXEL P-660HW v3 devices allow remote attackers to cause a denial of s ...) NOT-FOR-US: ZyXEL CVE-2018-5329 (ZUUSE BEIMS ContractorWeb .NET 5.18.0.0 is vulnerable to Cross-Site Re ...) NOT-FOR-US: ZUUSE BEIMS ContractorWeb .NET CVE-2018-5328 (ZUUSE BEIMS ContractorWeb .NET 5.18.0.0 allows access to various /User ...) NOT-FOR-US: ZUUSE BEIMS ContractorWeb .NET CVE-2018-5327 (Cheetah Mobile Armorfly Browser & Downloader 1.1.05.0010, when ins ...) NOT-FOR-US: Cheetah Mobile Armorfly Browser & Downloader CVE-2018-5326 (Cheetah Mobile CM Browser 5.22.06.0012, when installed on unspecified ...) NOT-FOR-US: Cheetah Mobile CM Browser CVE-2018-5325 RESERVED CVE-2018-5324 RESERVED CVE-2018-5323 RESERVED CVE-2018-5322 RESERVED CVE-2018-5321 RESERVED CVE-2018-5320 RESERVED CVE-2018-5319 (RAVPower FileHub 2.000.056 allows remote users to steal sensitive info ...) NOT-FOR-US: RAVPower FileHub CVE-2018-5318 RESERVED CVE-2018-5317 RESERVED CVE-2018-5316 (The "SagePay Server Gateway for WooCommerce" plugin before 1.0.9 for W ...) NOT-FOR-US: "SagePay Server Gateway for WooCommerce" plugin for WordPress CVE-2018-5315 (The Wachipi WP Events Calendar plugin 1.0 for WordPress has SQL Inject ...) NOT-FOR-US: Wachipi WP Events Calendar plugin for WordPress CVE-2018-5314 (Command injection vulnerability in Citrix NetScaler ADC and NetScaler ...) NOT-FOR-US: Citrix CVE-2017-1000465 (Sulu-standard version 1.6.6 is vulnerable to stored cross-site scripti ...) NOT-FOR-US: Sulu-standard CVE-2017-1000429 (rui Li finecms 5.0.10 is vulnerable to a reflected XSS in the file Wei ...) NOT-FOR-US: rui Li finecms CVE-2017-1000428 (flatCore-CMS 1.4.6 is vulnerable to reflected XSS in user_management.p ...) NOT-FOR-US: flatCore-CMS CVE-2017-18026 (Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does ...) {DSA-4191-1} - redmine 3.4.4-1 (bug #887307) [jessie] - redmine (Not supported in Jessie-LTS) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/issues/27516 (private) NOTE: https://github.com/redmine/redmine/commit/ca87bf766cdc70179cb2dce03015d78ec9c13ebd NOTE: https://github.com/redmine/redmine/commit/58ed8655136ff2fe5ff7796859bf6a399c76c678 NOTE: https://github.com/redmine/redmine/commit/9d797400eaec5f9fa7ba9507c82d9c18cb91d02e NOTE: upstream fixed in 3.2.9, 3.3.6 and 3.4.4 CVE-2018-5313 (A vulnerability allows local attackers to escalate privilege on Rapid ...) NOT-FOR-US: Rapid Scada CVE-2017-1000415 (MatrixSSL version 3.7.2 has an incorrect UTCTime date range validation ...) - matrixssl [wheezy] - matrixssl (not supported in Wheezy) CVE-2018-5312 (The tabs-responsive plugin 1.8.0 for WordPress has XSS via the post_ti ...) NOT-FOR-US: tabs-responsive plugin for WordPress CVE-2018-5311 (The Easy Custom Auto Excerpt plugin 2.4.6 for WordPress has XSS via th ...) NOT-FOR-US: Easy Custom Auto Excerpt plugin for WordPress CVE-2018-5310 (In the "Media from FTP" plugin before 9.85 for WordPress, Directory Tr ...) NOT-FOR-US: "Media from FTP" plugin for WordPress CVE-2018-5309 (In PoDoFo 0.9.5, there is an integer overflow in the PdfObjectStreamPa ...) - libpodofo 0.9.6+dfsg-3 (low) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: https://sourceforge.net/p/podofo/tickets/5/ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1532381 NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1907 CVE-2018-5308 (PoDoFo 0.9.5 does not properly validate memcpy arguments in the PdfMem ...) - libpodofo 0.9.5-9 (low; bug #854602) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1532390 NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1870 NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1876 NOTE: duplicate CVE: CVE-2017-5854 CVE-2018-5307 (Multiple cross-site scripting (XSS) vulnerabilities in Sonatype Nexus ...) NOT-FOR-US: Sonatype Nexus Repository Manager CVE-2018-5306 (Multiple cross-site scripting (XSS) vulnerabilities in Sonatype Nexus ...) NOT-FOR-US: Sonatype Nexus Repository Manager CVE-2018-5305 RESERVED CVE-2018-5304 (An issue was discovered on the Impinj Speedway Connect R420 RFID Reade ...) NOT-FOR-US: Impinj Speedway Connect R420 RFID Reader CVE-2018-5303 (An issue was discovered on the Impinj Speedway Connect R420 RFID Reade ...) NOT-FOR-US: Impinj Speedway Connect R420 RFID Reader CVE-2018-5302 RESERVED CVE-2018-5301 (Magento Community Edition and Enterprise Edition before 2.0.10 and 2.1 ...) NOT-FOR-US: Magento CVE-2017-18025 (cgi-bin/drknow.cgi in Innotube ITGuard-Manager 0.0.0.1 allows remote a ...) NOT-FOR-US: Innotube ITGuard-Manager CVE-2017-18024 (AvantFAX 3.3.3 has XSS via an arbitrary parameter name to the default ...) NOT-FOR-US: AvantFAX CVE-2017-18023 (Office Tracker 11.2.5 has XSS via the logincount parameter to the /otw ...) NOT-FOR-US: Office Tracker CVE-2018-1000028 (Linux kernel version after commit bdcf0a423ea1 - 4.15-rc4+, 4.14.8+, 4 ...) - linux 4.14.17-1 [stretch] - linux (Vulnerable code introduced later) [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/1995266727fa8143897e89b55f5d3c79aa828420 NOTE: Introducing commit backported to 4.14.8 and 4.9.76. But Debian stretch NOTE: did never contain the vulnerable code alone without the fix. CVE-2018-1000027 (The Squid Software Foundation Squid HTTP Caching Proxy version prior t ...) {DSA-4122-1 DLA-1267-1 DLA-1266-1} [experimental] - squid 4.0.23-1~exp8 - squid 4.1-1 - squid3 3.5.27-1 (bug #888720) NOTE: src:squid as source package reintroduced for 4.x in experimental NOTE: Squid 3.5: http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2018_2.patch NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/SQUID-2018_2.patch NOTE: http://www.squid-cache.org/Advisories/SQUID-2018_2.txt CVE-2018-1000024 (The Squid Software Foundation Squid HTTP Caching Proxy version 3.0 to ...) {DSA-4122-1 DLA-1266-1} [experimental] - squid 4.0.23-1~exp8 - squid 4.1-1 [wheezy] - squid (Not affected according to upstream advisory) - squid3 3.5.27-1 (bug #888719) NOTE: src:squid as source package reintroduced for 4.x in experimental NOTE: Squid 3.5: http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2018_1.patch NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/SQUID-2018_1.patch NOTE: http://www.squid-cache.org/Advisories/SQUID-2018_1.txt NOTE: Squid3 in Debian builds to use the libxml2 or libexpat XML parsers. CVE-2018-1000022 (Electrum Technologies GmbH Electrum Bitcoin Wallet version prior to ve ...) - electrum 3.0.5-1 (bug #886683) [jessie] - electrum (Only affects >= 2.6) NOTE: https://github.com/spesmilo/electrum/issues/3374 NOTE: http://www.openwall.com/lists/oss-security/2018/01/10/4 CVE-2018-5300 RESERVED CVE-2018-5299 (A stack-based Buffer Overflow Vulnerability exists in the web server i ...) NOT-FOR-US: Pulse Secure Pulse Connect Secure CVE-2018-5298 (In the Procter & Gamble "Oral-B App" (aka com.pg.oralb.oralbapp) a ...) NOT-FOR-US: Procter & Gamble "Oral-B App" for Android CVE-2018-5297 RESERVED CVE-2018-5296 (In PoDoFo 0.9.5, there is an uncontrolled memory allocation in the Pdf ...) - libpodofo 0.9.6+dfsg-3 (low) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: https://sourceforge.net/p/podofo/tickets/6/ NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1925 CVE-2018-5295 (In PoDoFo 0.9.5, there is an integer overflow in the PdfXRefStreamPars ...) - libpodofo 0.9.5-9 (low; bug #889511) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: upstream thread: https://sourceforge.net/p/podofo/mailman/message/36180168/ NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1889 CVE-2018-5294 (In libming 0.4.8, there is an integer overflow (caused by an out-of-ra ...) {DLA-1305-1} - ming NOTE: https://github.com/libming/libming/issues/98 CVE-2018-5293 (The GD Rating System plugin 2.3 for WordPress has XSS via the wp-admin ...) NOT-FOR-US: GD Rating System plugin for WordPress CVE-2018-5292 (The GD Rating System plugin 2.3 for WordPress has XSS via the wp-admin ...) NOT-FOR-US: GD Rating System plugin for WordPress CVE-2018-5291 (The GD Rating System plugin 2.3 for WordPress has Directory Traversal ...) NOT-FOR-US: GD Rating System plugin for WordPress CVE-2018-5290 (The GD Rating System plugin 2.3 for WordPress has Directory Traversal ...) NOT-FOR-US: GD Rating System plugin for WordPress CVE-2018-5289 (The GD Rating System plugin 2.3 for WordPress has Directory Traversal ...) NOT-FOR-US: GD Rating System plugin for WordPress CVE-2018-5288 (The GD Rating System plugin 2.3 for WordPress has XSS via the wp-admin ...) NOT-FOR-US: GD Rating System plugin for WordPress CVE-2018-5287 (The GD Rating System plugin 2.3 for WordPress has Directory Traversal ...) NOT-FOR-US: GD Rating System plugin for WordPress CVE-2018-5286 (The GD Rating System plugin 2.3 for WordPress has XSS via the wp-admin ...) NOT-FOR-US: GD Rating System plugin for WordPress CVE-2018-5285 (The ImageInject plugin 1.15 for WordPress has CSRF via wp-admin/option ...) NOT-FOR-US: ImageInject plugin for WordPress CVE-2018-5284 (The ImageInject plugin 1.15 for WordPress has XSS via the flickr_appid ...) NOT-FOR-US: ImageInject plugin for WordPress CVE-2018-5283 (The Photos in Wifi application 1.0.1 for iOS has directory traversal v ...) NOT-FOR-US: Photos in Wifi application for iOS CVE-2018-5282 (** DISPUTED ** Kentico 9.0 through 11.0 has a stack-based buffer overf ...) NOT-FOR-US: Kentico CVE-2018-5281 (SonicWall SonicOS on Network Security Appliance (NSA) 2017 Q4 devices ...) NOT-FOR-US: SonicWall SonicOS CVE-2018-5280 (SonicWall SonicOS on Network Security Appliance (NSA) 2016 Q4 devices ...) NOT-FOR-US: SonicWall SonicOS CVE-2018-5279 (** DISPUTED ** In Malwarebytes Premium 3.3.1.2183, the driver file (FA ...) NOT-FOR-US: Malwarebytes Premium CVE-2018-5278 (** DISPUTED ** In Malwarebytes Premium 3.3.1.2183, the driver file (FA ...) NOT-FOR-US: Malwarebytes Premium CVE-2018-5277 (** DISPUTED ** In Malwarebytes Premium 3.3.1.2183, the driver file (FA ...) NOT-FOR-US: Malwarebytes Premium CVE-2018-5276 (** DISPUTED ** In Malwarebytes Premium 3.3.1.2183, the driver file (FA ...) NOT-FOR-US: Malwarebytes Premium CVE-2018-5275 (** DISPUTED ** In Malwarebytes Premium 3.3.1.2183, the driver file (FA ...) NOT-FOR-US: Malwarebytes Premium CVE-2018-5274 (** DISPUTED ** In Malwarebytes Premium 3.3.1.2183, the driver file (FA ...) NOT-FOR-US: Malwarebytes Premium CVE-2018-5273 (** DISPUTED ** In Malwarebytes Premium 3.3.1.2183, the driver file (FA ...) NOT-FOR-US: Malwarebytes Premium CVE-2018-5272 (** DISPUTED ** In Malwarebytes Premium 3.3.1.2183, the driver file (FA ...) NOT-FOR-US: Malwarebytes Premium CVE-2018-5271 (** DISPUTED ** In Malwarebytes Premium 3.3.1.2183, the driver file (FA ...) NOT-FOR-US: Malwarebytes Premium CVE-2018-5270 (** DISPUTED ** In Malwarebytes Premium 3.3.1.2183, the driver file (FA ...) NOT-FOR-US: Malwarebytes Premium CVE-2018-5269 (In OpenCV 3.3.1, an assertion failure happens in cv::RBaseStream::setP ...) {DLA-1438-1 DLA-1354-1} [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #886675) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/10540 NOTE: 2.4 backport: https://patch-diff.githubusercontent.com/raw/opencv/opencv/pull/10901.patch CVE-2018-5268 (In OpenCV 3.3.1, a heap-based buffer overflow happens in cv::Jpeg2KDec ...) {DLA-1438-1 DLA-1354-1} [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #886674) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/10541 NOTE: 2.4 backport: https://patch-diff.githubusercontent.com/raw/opencv/opencv/pull/10901.patch CVE-2018-5267 (Cobham Sea Tel 121 build 222701 devices allow remote attackers to bypa ...) NOT-FOR-US: Cobham Sea Tel 121 build 222701 devices CVE-2018-5266 (Cobham Sea Tel 121 build 222701 devices allow remote attackers to obta ...) NOT-FOR-US: Cobham Sea Tel 121 build 222701 devices CVE-2018-5265 (Ubiquiti EdgeOS 1.9.1 on EdgeRouter Lite devices allows remote attacke ...) NOT-FOR-US: Ubiquiti EdgeOS CVE-2018-5264 (Ubiquiti UniFi 52 devices, when Hotspot mode is used, allow remote att ...) NOT-FOR-US: Ubiquiti UniFi 52 devices CVE-2018-5263 (The StackIdeas EasyDiscuss (aka com_easydiscuss) extension before 4.0. ...) NOT-FOR-US: The StackIdeas EasyDiscuss extension for Joomla! CVE-2018-5262 (A stack-based buffer overflow in Flexense DiskBoss 8.8.16 and earlier ...) NOT-FOR-US: Flexense DiskBoss CVE-2018-5261 (An issue was discovered in Flexense DiskBoss 8.8.16 and earlier. Due t ...) NOT-FOR-US: Flexense DiskBoss CVE-2018-5260 RESERVED CVE-2018-5259 (Discuz! DiscuzX X3.4 allows remote authenticated users to bypass inten ...) NOT-FOR-US: Discuz! DiscuzX CVE-2018-5258 (The Neon app 1.6.14 iOS does not verify X.509 certificates from SSL se ...) NOT-FOR-US: Neon app CVE-2018-5257 RESERVED CVE-2018-5256 (CoreOS Tectonic 1.7.x before 1.7.9-tectonic.4 and 1.8.x before 1.8.4-t ...) NOT-FOR-US: CoreOS Tectonic CVE-2014-10069 (Hitron CVE-30360 devices use a 578A958E3DD933FC DES key that is shared ...) NOT-FOR-US: Hitron CVE-30360 devices CVE-2018-5255 (The Mlag agent in Arista EOS 4.19 before 4.19.4M and 4.20 before 4.20. ...) NOT-FOR-US: Arista CVE-2018-5254 (Arista EOS before 4.20.2F allows remote BGP peers to cause a denial of ...) NOT-FOR-US: Arista EOS CVE-2018-5253 (The AP4_FtypAtom class in Core/Ap4FtypAtom.cpp in Bento4 1.5.1.0 has a ...) NOT-FOR-US: Bento4 CVE-2018-5252 (libimageworsener.a in ImageWorsener 1.3.2, when libjpeg 8d is used, ha ...) NOT-FOR-US: ImageWorsener CVE-2018-5251 (In libming 0.4.8, there is an integer signedness error vulnerability ( ...) {DLA-1305-1} - ming NOTE: https://github.com/libming/libming/issues/97 CVE-2018-5250 RESERVED CVE-2018-5249 (Cross-site scripting (XSS) vulnerability in Shaarli before 0.8.5 and 0 ...) - shaarli (bug #864559) CVE-2018-5248 (In ImageMagick 7.0.7-17 Q16, there is a heap-based buffer over-read in ...) {DSA-4245-1 DSA-4204-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #886588) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/927 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/c76434c16b5ac8861ee0c5d5c3ab8974fae3d624 NOTE: https://github.com/ImageMagick/ImageMagick/commit/0272305f91763b5ce119a2c7a0e0084d8241a58d CVE-2018-5247 (In ImageMagick 7.0.7-17 Q16, there are memory leaks in ReadRLAImage in ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/928 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/0ecb22aa909e52d86b4545aa7a51f7a0922147e6 NOTE: https://github.com/ImageMagick/ImageMagick/commit/d85c34f8bd699c31b94118babc6c0445eecc9920 CVE-2018-5246 (In ImageMagick 7.0.7-17 Q16, there are memory leaks in ReadPATTERNImag ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/929 NOTE: https://github.com/ImageMagick/ImageMagick/commit/1c3dd700bbb17837ee6f540aff3eafc76262accf NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/e59dc85e6ce58fd7618c3680b2a8def62050582f CVE-2018-5245 RESERVED CVE-2018-5243 (The Symantec Encryption Management Server (SEMS) product, prior to ver ...) NOT-FOR-US: Symantec CVE-2018-5242 (Norton App Lock prior to version 1.3.0.329 can be susceptible to a byp ...) NOT-FOR-US: Norton App Lock CVE-2018-5241 (Symantec Advanced Secure Gateway (ASG) 6.6 and 6.7, and ProxySG 6.5, 6 ...) NOT-FOR-US: Symantec CVE-2018-5240 (The Inventory Plugin for Symantec Management Agent prior to 7.6 POST H ...) NOT-FOR-US: Inventory Plugin for Symantec Management Agent CVE-2018-5239 (Norton App Lock prior to v1.3.0.332 can be susceptible to a bypass exp ...) NOT-FOR-US: Norton CVE-2018-5238 (Norton Power Eraser (prior to 5.3.0.24) and SymDiag (prior to 2.1.242) ...) NOT-FOR-US: Norton CVE-2018-5237 (Symantec Endpoint Protection prior to 14 RU1 MP1 or 12.1 RU6 MP10 coul ...) NOT-FOR-US: Symantec CVE-2018-5236 (Symantec Endpoint Protection prior to 14 RU1 MP1 or 12.1 RU6 MP10 may ...) NOT-FOR-US: Symantec CVE-2018-5235 (Norton Utilities (prior to 16.0.3.44) may be susceptible to a DLL Prel ...) NOT-FOR-US: Norton CVE-2018-5234 (The Norton Core router prior to v237 may be susceptible to a command i ...) NOT-FOR-US: Norton Core router CVE-2017-18022 (In ImageMagick 7.0.7-12 Q16, there are memory leaks in MontageImageCom ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/904 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/8cf0676455929a067257400e8020dea6ca94c1a4 NOTE: https://github.com/ImageMagick/ImageMagick/commit/e7649e96a7730dd116afb629b372c5772be0b900 CVE-2018-5244 (In Xen 4.10, new infrastructure was introduced as part of an overhaul ...) - xen (Only affects Xen 4.10 onwards) NOTE: https://xenbits.xen.org/xsa/advisory-253.html CVE-2018-5233 (Cross-site scripting (XSS) vulnerability in system/src/Grav/Common/Twi ...) NOT-FOR-US: Grav CMS admin plugin CVE-2018-5232 (The EditIssue.jspa resource in Atlassian Jira before version 7.6.7 and ...) NOT-FOR-US: Atlassian Jira CVE-2018-5231 (The ForgotLoginDetails resource in Atlassian Jira before version 7.6.6 ...) NOT-FOR-US: Atlassian CVE-2018-5230 (The issue collector in Atlassian Jira before version 7.6.6, from versi ...) NOT-FOR-US: Atlassian CVE-2018-5229 (The NotificationRepresentationFactoryImpl class in Atlassian Universal ...) NOT-FOR-US: Atlassian CVE-2018-5228 (The /browse/~raw resource in Atlassian Fisheye and Crucible before ver ...) NOT-FOR-US: Atlassian CVE-2018-5227 (Various administrative application link resources in Atlassian Applica ...) NOT-FOR-US: Atlassian CVE-2018-5226 (There was an argument injection vulnerability in Sourcetree for Window ...) NOT-FOR-US: Atlassian CVE-2018-5225 (In browser editing in Atlassian Bitbucket Server from version 4.13.0 b ...) NOT-FOR-US: Atlassian Bitbucket Server CVE-2018-5224 (Bamboo did not correctly check if a configured Mercurial repository UR ...) NOT-FOR-US: Atlassian CVE-2018-5223 (Fisheye and Crucible did not correctly check if a configured Mercurial ...) NOT-FOR-US: Atlassian CVE-2018-5222 RESERVED CVE-2018-5221 (Multiple buffer overflows in BarCodeWiz BarCode before 6.7 ActiveX con ...) NOT-FOR-US: BarCodeWiz BarCode CVE-2018-5220 (In K7 Antivirus 15.1.0306, the driver file (K7Sentry.sys) allows local ...) NOT-FOR-US: K7 Antivirus CVE-2018-5219 (In K7 Antivirus 15.1.0306, the driver file (K7FWHlpr.sys) allows local ...) NOT-FOR-US: K7 Antivirus CVE-2018-5218 (In K7 Antivirus 15.1.0306, the driver file (K7Sentry.sys) allows local ...) NOT-FOR-US: K7 Antivirus CVE-2018-5217 (In K7 Antivirus 15.1.0306, the driver file (K7Sentry.sys) allows local ...) NOT-FOR-US: K7 Antivirus CVE-2018-5216 (Radiant CMS 1.1.4 has XSS via crafted Markdown input in the part_body_ ...) NOT-FOR-US: Radiant CMS CVE-2018-5215 (Fork CMS 5.0.7 has XSS in /private/en/pages/edit via the title paramet ...) NOT-FOR-US: Fork CMS CVE-2018-5214 (The "Add Link to Facebook" plugin through 2.3 for WordPress has XSS vi ...) NOT-FOR-US: "Add Link to Facebook" plugin for WordPress CVE-2018-5213 (The Simple Download Monitor plugin before 3.5.4 for WordPress has XSS ...) NOT-FOR-US: Simple Download Monitor plugin for WordPress CVE-2018-5212 (The Simple Download Monitor plugin before 3.5.4 for WordPress has XSS ...) NOT-FOR-US: Simple Download Monitor plugin for WordPress CVE-2018-5211 (PHP Melody version 2.7.1 suffer from SQL Injection Time-based attack o ...) NOT-FOR-US: PHP Melody CVE-2018-5210 (On Samsung mobile devices with N(7.x) software and Exynos chipsets, at ...) NOT-FOR-US: Samsung mobile devices CVE-2018-5209 RESERVED CVE-2018-5208 (In Irssi before 1.0.6, a calculation error in the completion code coul ...) {DSA-4162-1} - irssi 1.0.7-1 (bug #886475) [jessie] - irssi (Minor issue) [wheezy] - irssi (Minor issue) NOTE: https://irssi.org/security/irssi_sa_2018_01.txt NOTE: https://github.com/irssi/irssi/releases/download/1.0.6/irssi-1.0.5_1.0.6.diff CVE-2018-5207 (When using an incomplete variable argument, Irssi before 1.0.6 may acc ...) {DSA-4162-1} - irssi 1.0.7-1 (bug #886475) [jessie] - irssi (Minor issue) [wheezy] - irssi (Minor issue) NOTE: https://irssi.org/security/irssi_sa_2018_01.txt NOTE: https://github.com/irssi/irssi/releases/download/1.0.6/irssi-1.0.5_1.0.6.diff CVE-2018-5206 (When the channel topic is set without specifying a sender, Irssi befor ...) {DSA-4162-1} - irssi 1.0.7-1 (bug #886475) [jessie] - irssi (Minor issue) [wheezy] - irssi (Minor issue) NOTE: https://irssi.org/security/irssi_sa_2018_01.txt NOTE: https://github.com/irssi/irssi/releases/download/1.0.6/irssi-1.0.5_1.0.6.diff CVE-2018-5205 (When using incomplete escape codes, Irssi before 1.0.6 may access data ...) {DSA-4162-1} - irssi 1.0.7-1 (bug #886475) [jessie] - irssi (Minor issue) [wheezy] - irssi (Minor issue) NOTE: https://irssi.org/security/irssi_sa_2018_01.txt NOTE: https://github.com/irssi/irssi/releases/download/1.0.6/irssi-1.0.5_1.0.6.diff CVE-2018-5204 (ML Report version Between 2.00.000.0000 and 2.18.628.5980 contains a v ...) NOT-FOR-US: ML Report CVE-2018-5203 (DEXTUploadX5 version Between 1.0.0.0 and 2.2.0.0 contains a vulnerabil ...) NOT-FOR-US: DEXTUploadX5 CVE-2018-5202 (SKCertService 2.5.5 and earlier contains a vulnerability that could al ...) NOT-FOR-US: SKCertService CVE-2018-5201 (Hancom Office 2018 10.0.0.8214 and earlier, Hancom Office NEO 9.6.1.10 ...) NOT-FOR-US: Hancom Office CVE-2018-5200 (KMPlayer 4.2.2.15 and earlier have a Heap Based Buffer Overflow Vulner ...) NOT-FOR-US: KMPlayer (different from src:kmplayer) CVE-2018-5199 (In Veraport G3 ALL on MacOS, due to insufficient domain validation, It ...) NOT-FOR-US: Veraport G3 ALL CVE-2018-5198 (In Veraport G3 ALL on MacOS, a race condition when calling the Verapor ...) NOT-FOR-US: Veraport G3 ALL CVE-2018-5197 (A vulnerability in the ExtCommon.dll user extension module version 9.2 ...) NOT-FOR-US: Xplatform ActiveX CVE-2018-5196 (Alzip 10.76.0.0 and earlier is vulnerable to a stack overflow caused b ...) NOT-FOR-US: ALZip CVE-2018-5195 (Hancom NEO versions 9.6.1.5183 and earlier have a buffer Overflow vuln ...) NOT-FOR-US: Hancom NEO CVE-2018-5194 RESERVED CVE-2018-5193 RESERVED CVE-2018-5192 RESERVED CVE-2018-5191 REJECTED CVE-2018-5190 (PicturesPro Photo Cart 6 and 7 before Security-Patch-2018-B allows rem ...) NOT-FOR-US: PicturesPro Photo Cart CVE-2018-5189 (Race condition in Jungo Windriver 12.5.1 allows local users to cause a ...) NOT-FOR-US: Jungo Windriver CVE-2018-5188 (Memory safety bugs present in Firefox 60, Firefox ESR 60, and Firefox ...) {DSA-4244-1 DSA-4235-1 DLA-1425-1 DLA-1406-1} - firefox-esr 52.9.0esr-1 - firefox 61.0-1 - thunderbird 1:52.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-5188 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-17/#CVE-2018-5188 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-18/#CVE-2018-5188 CVE-2018-5187 (Memory safety bugs present in Firefox 60 and Firefox ESR 60. Some of t ...) {DSA-4295-1 DLA-1575-1} - firefox 61.0-1 - thunderbird 1:60.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-5187 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-19/#CVE-2018-5187 CVE-2018-5186 (Memory safety bugs present in Firefox 60. Some of these bugs showed ev ...) - firefox 61.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-5186 CVE-2018-5185 (Plaintext of decrypted emails can leak through by user submitting an e ...) {DSA-4209-1 DLA-1382-1} - thunderbird 1:52.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/#CVE-2018-5185 CVE-2018-5184 (Using remote content in encrypted messages can lead to the disclosure ...) {DSA-4209-1 DLA-1382-1} - thunderbird 1:52.8.0-1 (bug #898631) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/#CVE-2018-5184 CVE-2018-5183 (Mozilla developers backported selected changes in the Skia library. Th ...) {DSA-4209-1 DSA-4199-1 DLA-1382-1 DLA-1376-1} - firefox-esr 52.8.0esr-1 - thunderbird 1:52.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-12/#CVE-2018-5183 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/#CVE-2018-5183 CVE-2018-5182 (If a text string that happens to be a filename in the operating system ...) - firefox 60.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5182 CVE-2018-5181 (If a URL using the "file:" protocol is dragged and dropped onto an ope ...) - firefox 60.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5181 CVE-2018-5180 (A use-after-free vulnerability can occur during WebGL operations. Whil ...) - firefox 60.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5180 CVE-2018-5179 (A service worker can send the activate event on itself periodically wh ...) {DSA-4330-1} - chromium-browser 70.0.3538.67-1 [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-5178 (A buffer overflow was found during UTF8 to Unicode string conversion w ...) {DSA-4209-1 DSA-4199-1 DLA-1382-1 DLA-1376-1} - firefox-esr 52.8.0esr-1 - thunderbird 1:52.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-12/#CVE-2018-5178 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/#CVE-2018-5178 CVE-2018-5177 (A vulnerability exists in XSLT during number formatting where a negati ...) - firefox 60.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5177 CVE-2018-5176 (The JSON Viewer displays clickable hyperlinks for strings that are par ...) - firefox 60.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5176 CVE-2018-5175 (A mechanism to bypass Content Security Policy (CSP) protections on sit ...) - firefox 60.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5175 CVE-2018-5174 (In the Windows 10 April 2018 Update, Windows Defender SmartScreen hono ...) - firefox (Windows-specific) - firefox-esr (Windows-specific) - thunderbird (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5174 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-12/#CVE-2018-5174 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/#CVE-2018-5174 CVE-2018-5173 (The filename appearing in the "Downloads" panel improperly renders som ...) - firefox 60.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5173 CVE-2018-5172 (The Live Bookmarks page and the PDF viewer can run injected script con ...) - firefox 60.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5172 CVE-2018-5171 RESERVED CVE-2018-5170 (It is possible to spoof the filename of an attachment and display an a ...) {DSA-4209-1 DLA-1382-1} - thunderbird 1:52.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/#CVE-2018-5170 CVE-2018-5169 (If manipulated hyperlinked text with "chrome:" URL contained in it is ...) - firefox 60.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5169 CVE-2018-5168 (Sites can bypass security checks on permissions to install lightweight ...) {DSA-4209-1 DSA-4199-1 DLA-1382-1 DLA-1376-1} - firefox 60.0-1 - firefox-esr 52.8.0esr-1 - thunderbird 1:52.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5168 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-12/#CVE-2018-5168 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/#CVE-2018-5168 CVE-2018-5167 (The web console and JavaScript debugger do not sanitize all output tha ...) - firefox 60.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5167 CVE-2018-5166 (WebExtensions can use request redirection and a "filterReponseData" fi ...) - firefox 60.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5166 CVE-2018-5165 (In 32-bit versions of Firefox, the Adobe Flash plugin setting for "Ena ...) - firefox 60.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5165 CVE-2018-5164 (Content Security Policy (CSP) is not applied correctly to all parts of ...) - firefox 60.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5164 CVE-2018-5163 (If a malicious attacker has used another vulnerability to gain full co ...) - firefox 60.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5163 CVE-2018-5162 (Plaintext of decrypted emails can leak through the src attribute of re ...) {DSA-4209-1 DLA-1382-1} - thunderbird 1:52.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/#CVE-2018-5162 CVE-2018-5161 (Crafted message headers can cause a Thunderbird process to hang on rec ...) {DSA-4209-1 DLA-1382-1} - thunderbird 1:52.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/#CVE-2018-5161 CVE-2018-5160 (WebRTC can use a "WrappedI420Buffer" pixel buffer but the owning image ...) - firefox 60.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5160 CVE-2018-5159 (An integer overflow can occur in the Skia library due to 32-bit intege ...) {DSA-4209-1 DSA-4199-1 DLA-1382-1 DLA-1376-1} - firefox 60.0-1 - firefox-esr 52.8.0esr-1 - thunderbird 1:52.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5159 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-12/#CVE-2018-5159 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/#CVE-2018-5159 CVE-2018-5158 (The PDF viewer does not sufficiently sanitize PostScript calculator fu ...) {DSA-4199-1 DLA-1376-1} - firefox 60.0-1 - firefox-esr 52.8.0esr-1 - gitlab 11.8.6+dfsg-1 (bug #926482) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5158 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-12/#CVE-2018-5158 NOTE: https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/ CVE-2018-5157 (Same-origin protections for the PDF viewer can be bypassed, allowing a ...) {DSA-4199-1 DLA-1376-1} - firefox 60.0-1 - firefox-esr 52.8.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5157 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-12/#CVE-2018-5157 CVE-2018-5156 (A vulnerability can occur when capturing a media stream when the media ...) {DSA-4295-1 DSA-4235-1 DLA-1575-1 DLA-1406-1} - firefox-esr 52.9.0esr-1 - firefox 61.0-1 - thunderbird 1:60.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-5156 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-17/#CVE-2018-5156 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-19/#CVE-2018-5156 CVE-2018-5155 (A use-after-free vulnerability can occur while adjusting layout during ...) {DSA-4209-1 DSA-4199-1 DLA-1382-1 DLA-1376-1} - firefox 60.0-1 - firefox-esr 52.8.0esr-1 - thunderbird 1:52.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5155 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-12/#CVE-2018-5155 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/#CVE-2018-5155 CVE-2018-5154 (A use-after-free vulnerability can occur while enumerating attributes ...) {DSA-4209-1 DSA-4199-1 DLA-1382-1 DLA-1376-1} - firefox 60.0-1 - firefox-esr 52.8.0esr-1 - thunderbird 1:52.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5154 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-12/#CVE-2018-5154 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/#CVE-2018-5154 CVE-2018-5153 (If websocket data is sent with mixed text and binary in a single messa ...) - firefox 60.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5153 CVE-2018-5152 (WebExtensions with the appropriate permissions can attach content scri ...) - firefox 60.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5152 CVE-2018-5151 (Memory safety bugs were reported in Firefox 59. Some of these bugs sho ...) - firefox 60.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5151 CVE-2018-5150 (Memory safety bugs were reported in Firefox 59, Firefox ESR 52.7, and ...) {DSA-4209-1 DSA-4199-1 DLA-1382-1 DLA-1376-1} - firefox 60.0-1 - firefox-esr 52.8.0esr-1 - thunderbird 1:52.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5150 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-12/#CVE-2018-5150 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/#CVE-2018-5150 CVE-2018-5149 RESERVED CVE-2018-5148 (A use-after-free vulnerability can occur in the compositor during cert ...) {DSA-4153-1 DLA-1321-1} - firefox 59.0.2-1 - firefox-esr 52.7.3esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-10/ CVE-2018-5147 (The libtremor library has the same flaw as CVE-2018-5146. This library ...) {DSA-4143-1 DSA-4141-1 DLA-1319-1 DLA-1312-1} - firefox 59.0.1-1 - firefox-esr 52.7.2esr-1 - libvorbisidec 1.2.1+git20180316-1 (bug #893132) NOTE: https://git.xiph.org/?p=tremor.git;a=commit;h=562307a4a7082e24553f3d2c55dab397a17c4b4f NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/ CVE-2018-5146 (An out of bounds memory write while processing Vorbis audio data was r ...) {DSA-4155-1 DSA-4143-1 DSA-4140-1 DLA-1368-1 DLA-1327-1 DLA-1319-1} - firefox 59.0.1-1 - firefox-esr 52.7.2esr-1 - thunderbird 1:52.7.0-1 - libvorbis 1.3.5-4.2 (bug #893130) NOTE: https://git.xiph.org/?p=vorbis.git;a=commit;h=667ceb4aab60c1f74060143bb24e5f427b3cce5f NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-09/ CVE-2018-5145 (Memory safety bugs were reported in Firefox ESR 52.6. These bugs showe ...) {DSA-4155-1 DSA-4139-1 DLA-1327-1 DLA-1308-1} - firefox-esr 52.7.0esr-1 - thunderbird 1:52.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-07/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-09/ CVE-2018-5144 (An integer overflow can occur during conversion of text to some Unicod ...) {DSA-4155-1 DSA-4139-1 DLA-1327-1 DLA-1308-1} - firefox-esr 52.7.0esr-1 - thunderbird 1:52.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-07/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-09/ CVE-2018-5143 (URLs using "javascript:" have the protocol removed when pasted into th ...) - firefox 59.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-06/ CVE-2018-5142 (If Media Capture and Streams API permission is requested from document ...) - firefox 59.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-06/ CVE-2018-5141 (A vulnerability in the notifications Push API where notifications can ...) - firefox 59.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-06/ CVE-2018-5140 (Image for moz-icons can be accessed through the "moz-icon:" protocol t ...) - firefox 59.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-06/ CVE-2018-5139 RESERVED CVE-2018-5138 (A spoofing vulnerability can occur when a malicious site with an extre ...) - firefox (Android-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-06/ CVE-2018-5137 (A legacy extension's non-contentaccessible, defined resources can be l ...) - firefox 59.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-06/ CVE-2018-5136 (A shared worker created from a "data:" URL in one tab can be shared by ...) - firefox 59.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-06/ CVE-2018-5135 (WebExtensions can bypass normal restrictions in some circumstances and ...) - firefox 59.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-06/ CVE-2018-5134 (WebExtensions may use "view-source:" URLs to view local "file:" URL co ...) - firefox 59.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-06/ CVE-2018-5133 (If the "app.support.baseURL" preference is changed by a malicious loca ...) - firefox 59.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-06/ CVE-2018-5132 (The Find API for WebExtensions can search some privileged pages, such ...) - firefox 59.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-06/ CVE-2018-5131 (Under certain circumstances the "fetch()" API can return transient loc ...) {DSA-4139-1 DLA-1308-1} - firefox 59.0-1 - firefox-esr 52.7.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-07/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-06/ CVE-2018-5130 (When packets with a mismatched RTP payload type are sent in WebRTC con ...) {DSA-4139-1 DLA-1308-1} - firefox 59.0-1 - firefox-esr 52.7.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-07/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-06/ CVE-2018-5129 (A lack of parameter validation on IPC messages results in a potential ...) {DSA-4155-1 DSA-4139-1 DLA-1327-1 DLA-1308-1} - firefox 59.0-1 - firefox-esr 52.7.0esr-1 - thunderbird 1:52.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-07/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-06/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-09/ CVE-2018-5128 (A use-after-free vulnerability can occur when manipulating elements, e ...) - firefox 59.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-06/ CVE-2018-5127 (A buffer overflow can occur when manipulating the SVG "animatedPathSeg ...) {DSA-4155-1 DSA-4139-1 DLA-1327-1 DLA-1308-1} - firefox 59.0-1 - firefox-esr 52.7.0esr-1 - thunderbird 1:52.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-07/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-06/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-09/ CVE-2018-5126 (Memory safety bugs were reported in Firefox 58. Some of these bugs sho ...) - firefox 59.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-06/ CVE-2018-5125 (Memory safety bugs were reported in Firefox 58 and Firefox ESR 52.6. S ...) {DSA-4155-1 DSA-4139-1 DLA-1327-1 DLA-1308-1} - firefox 59.0-1 - firefox-esr 52.7.0esr-1 - thunderbird 1:52.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-07/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-06/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-09/ CVE-2018-5124 (Unsanitized output in the browser UI leaves HTML tags in place and can ...) - firefox 58.0.1-1 - firefox-esr (Vulnerable code introduced later than 52) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-05/ CVE-2018-5123 (A third party website can access information available to a user with ...) - bugzilla4 (bug #669643) - bugzilla CVE-2018-5122 (A potential integer overflow in the "DoCrypt" function of WebCrypto wa ...) - firefox 58.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5122 CVE-2018-5121 (Low descenders on some Tibetan characters in several fonts on OS X are ...) - firefox (Only affects Firefox on Mac OS X) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5121 CVE-2018-5120 RESERVED CVE-2018-5119 (The reader view will display cross-origin content when CORS headers ar ...) - firefox 58.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5119 CVE-2018-5118 (The screenshot images displayed in the Activity Stream page displayed ...) - firefox 58.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5118 CVE-2018-5117 (If right-to-left text is used in the addressbar with left-to-right ali ...) {DSA-4102-1 DSA-4096-1 DLA-1262-1 DLA-1256-1} - firefox 58.0-1 - firefox-esr 52.6.0esr-1 - thunderbird 1:52.6.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5117 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5117 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-04/#CVE-2018-5117 CVE-2018-5116 (WebExtensions with the "ActiveTab" permission are able to access frame ...) - firefox 58.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5116 CVE-2018-5115 (If an HTTP authentication prompt is triggered by a background network ...) - firefox 58.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5115 CVE-2018-5114 (If an existing cookie is changed to be "HttpOnly" while a document is ...) - firefox 58.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5114 CVE-2018-5113 (The "browser.identity.launchWebAuthFlow" function of WebExtensions is ...) - firefox 58.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5113 CVE-2018-5112 (Development Tools panels of an extension are required to load URLs for ...) - firefox 58.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5112 CVE-2018-5111 (When the text of a specially formatted URL is dragged to the addressba ...) - firefox 58.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5111 CVE-2018-5110 (If cursor visibility is toggled by script using from 'none' to an imag ...) - firefox (Only affects Firefox on Mac OS X) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5110 CVE-2018-5109 (An audio capture session can started under an incorrect origin from th ...) - firefox 58.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5109 CVE-2018-5108 (A Blob URL can violate origin attribute segregation, allowing it to be ...) - firefox 58.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5108 CVE-2018-5107 (The printing process can bypass local access protections to read files ...) - firefox 58.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5107 CVE-2018-5106 (Style editor traffic in the Developer Tools can be routed through a se ...) - firefox 58.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5106 CVE-2018-5105 (WebExtensions can bypass user prompts to first save and then open an a ...) - firefox 58.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5105 CVE-2018-5104 (A use-after-free vulnerability can occur during font face manipulation ...) {DSA-4102-1 DSA-4096-1 DLA-1262-1 DLA-1256-1} - firefox 58.0-1 - firefox-esr 52.6.0esr-1 - thunderbird 1:52.6.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5104 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5104 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-04/#CVE-2018-5104 CVE-2018-5103 (A use-after-free vulnerability can occur during mouse event handling d ...) {DSA-4102-1 DSA-4096-1 DLA-1262-1 DLA-1256-1} - firefox 58.0-1 - firefox-esr 52.6.0esr-1 - thunderbird 1:52.6.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5103 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5103 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-04/#CVE-2018-5103 CVE-2018-5102 (A use-after-free vulnerability can occur when manipulating HTML media ...) {DSA-4102-1 DSA-4096-1 DLA-1262-1 DLA-1256-1} - firefox 58.0-1 - firefox-esr 52.6.0esr-1 - thunderbird 1:52.6.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5102 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5102 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-04/#CVE-2018-5102 CVE-2018-5101 (A use-after-free vulnerability can occur when manipulating floating "f ...) - firefox 58.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5101 CVE-2018-5100 (A use-after-free vulnerability can occur when arguments passed to the ...) - firefox 58.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5100 CVE-2018-5099 (A use-after-free vulnerability can occur when the widget listener is h ...) {DSA-4102-1 DSA-4096-1 DLA-1262-1 DLA-1256-1} - firefox 58.0-1 - firefox-esr 52.6.0esr-1 - thunderbird 1:52.6.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5099 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5099 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-04/#CVE-2018-5099 CVE-2018-5098 (A use-after-free vulnerability can occur when form input elements, foc ...) {DSA-4102-1 DSA-4096-1 DLA-1262-1 DLA-1256-1} - firefox 58.0-1 - firefox-esr 52.6.0esr-1 - thunderbird 1:52.6.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5098 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5098 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-04/#CVE-2018-5098 CVE-2018-5097 (A use-after-free vulnerability can occur during XSL transformations wh ...) {DSA-4102-1 DSA-4096-1 DLA-1262-1 DLA-1256-1} - firefox 58.0-1 - firefox-esr 52.6.0esr-1 - thunderbird 1:52.6.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5097 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5097 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-04/#CVE-2018-5097 CVE-2018-5096 (A use-after-free vulnerability can occur while editing events in form ...) {DSA-4102-1 DSA-4096-1 DLA-1262-1 DLA-1256-1} - firefox-esr 52.6.0esr-1 - thunderbird 1:52.6.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5096 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-04/#CVE-2018-5096 CVE-2018-5095 (An integer overflow vulnerability in the Skia library when allocating ...) {DSA-4102-1 DSA-4096-1 DLA-1262-1 DLA-1256-1} - firefox 58.0-1 - firefox-esr 52.6.0esr-1 - skia (bug #818180) - thunderbird 1:52.6.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5095 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5095 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-04/#CVE-2018-5095 CVE-2018-5094 (A heap buffer overflow vulnerability may occur in WebAssembly when "sh ...) - firefox 58.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5094 CVE-2018-5093 (A heap buffer overflow vulnerability may occur in WebAssembly during M ...) - firefox 58.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5093 CVE-2018-5092 (A use-after-free vulnerability can occur when the thread for a Web Wor ...) - firefox 58.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5092 CVE-2018-5091 (A use-after-free vulnerability can occur during WebRTC connections whe ...) {DSA-4102-1 DSA-4096-1 DLA-1256-1} - firefox 58.0-1 - firefox-esr 52.6.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5091 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5091 CVE-2018-5090 (Memory safety bugs were reported in Firefox 57. Some of these bugs sho ...) - firefox 58.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5090 CVE-2018-5089 (Memory safety bugs were reported in Firefox 57 and Firefox ESR 52.5. S ...) {DSA-4102-1 DSA-4096-1 DLA-1262-1 DLA-1256-1} - firefox 58.0-1 - firefox-esr 52.6.0esr-1 - thunderbird 1:52.6.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5089 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5089 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-04/#CVE-2018-5089 CVE-2018-5088 (In K7 AntiVirus 15.1.0306, the driver file (K7FWHlpr.sys) allows local ...) NOT-FOR-US: K7 AntiVirus CVE-2018-5087 (In K7 AntiVirus 15.1.0306, the driver file (K7FWHlpr.sys) allows local ...) NOT-FOR-US: K7 AntiVirus CVE-2018-5086 (In K7 AntiVirus 15.1.0306, the driver file (K7FWHlpr.sys) allows local ...) NOT-FOR-US: K7 AntiVirus CVE-2018-5085 (In K7 AntiVirus 15.1.0306, the driver file (K7FWHlpr.sys) allows local ...) NOT-FOR-US: K7 AntiVirus CVE-2018-5084 (In K7 AntiVirus 15.1.0306, the driver file (K7FWHlpr.sys) allows local ...) NOT-FOR-US: K7 AntiVirus CVE-2018-5083 (In K7 AntiVirus 15.1.0306, the driver file (K7FWHlpr.sys) allows local ...) NOT-FOR-US: K7 AntiVirus CVE-2018-5082 (In K7 AntiVirus 15.1.0306, the driver file (K7FWHlpr.sys) allows local ...) NOT-FOR-US: K7 AntiVirus CVE-2018-5081 (In K7 AntiVirus 15.1.0306, the driver file (K7FWHlpr.sys) allows local ...) NOT-FOR-US: K7 AntiVirus CVE-2018-5080 (In K7 AntiVirus 15.1.0306, the driver file (K7FWHlpr.sys) allows local ...) NOT-FOR-US: K7 AntiVirus CVE-2018-5079 (In K7 AntiVirus 15.1.0306, the driver file (K7FWHlpr.sys) allows local ...) NOT-FOR-US: K7 AntiVirus CVE-2017-18021 (It was discovered that QtPass before 1.2.1, when using the built-in pa ...) - qtpass 1.2.1-1 [stretch] - qtpass 1.1.6-1+deb9u1 NOTE: https://lists.zx2c4.com/pipermail/password-store/2018-January/003165.html NOTE: https://github.com/IJHack/QtPass/issues/338 CVE-2017-18020 (On Samsung mobile devices with L(5.x), M(6.x), and N(7.x) software and ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18019 (In K7 Total Security before 15.1.0.305, user-controlled input to the K ...) NOT-FOR-US: K7 Total Security CVE-2017-18018 (In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does no ...) - coreutils (unimportant) NOTE: http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html NOTE: http://www.openwall.com/lists/oss-security/2018/01/04/3 NOTE: Documentation patches proposed: NOTE: https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html NOTE: https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html NOTE: Neutralised by kernel hardening CVE-2018-5078 (Online Ticket Booking has XSS via the admin/eventlist.php cast paramet ...) NOT-FOR-US: Online Ticket Booking CVE-2018-5077 (Online Ticket Booking has XSS via the admin/movieedit.php moviename pa ...) NOT-FOR-US: Online Ticket Booking CVE-2018-5076 (Online Ticket Booking has XSS via the admin/newsedit.php newstitle par ...) NOT-FOR-US: Online Ticket Booking CVE-2018-5075 (Online Ticket Booking has XSS via the admin/snacks_edit.php snacks_nam ...) NOT-FOR-US: Online Ticket Booking CVE-2018-5074 (Online Ticket Booking has XSS via the admin/manageownerlist.php contac ...) NOT-FOR-US: Online Ticket Booking CVE-2018-5073 (Online Ticket Booking has CSRF via admin/movieedit.php. ...) NOT-FOR-US: Online Ticket Booking CVE-2018-5072 (Online Ticket Booking has XSS via the admin/sitesettings.php keyword p ...) NOT-FOR-US: Online Ticket Booking CVE-2018-5071 (Persistent XSS exists in the web server on Cobham Sea Tel 116 build 22 ...) NOT-FOR-US: Cobham Sea Tel 116 build 222429 satellite communication system devices CVE-2018-5070 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5069 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5068 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5067 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5066 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5065 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5064 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5063 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5062 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5061 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5060 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5059 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5058 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5057 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5056 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5055 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5054 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5053 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5052 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5051 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5050 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5049 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5048 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5047 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5046 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5045 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5044 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5043 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5042 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5041 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5040 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5039 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5038 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5037 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5036 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5035 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5034 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5033 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5032 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5031 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5030 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5029 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5028 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5027 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5026 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5025 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5024 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5023 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5022 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5021 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5020 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5019 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5018 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5017 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5016 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5015 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5014 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5013 REJECTED CVE-2018-5012 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5011 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5010 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5009 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 an ...) NOT-FOR-US: Adobe CVE-2018-5008 (Adobe Flash Player 30.0.0.113 and earlier versions have an Out-of-boun ...) NOT-FOR-US: Adobe CVE-2018-5007 (Adobe Flash Player 30.0.0.113 and earlier versions have a Type Confusi ...) NOT-FOR-US: Adobe CVE-2018-5006 (Adobe Experience Manager versions 6.4 and earlier have a Server-Side R ...) NOT-FOR-US: Adobe CVE-2018-5005 (Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a C ...) NOT-FOR-US: Adobe Experience Manager CVE-2018-5004 (Adobe Experience Manager versions 6.2 and 6.3 have a Server-Side Reque ...) NOT-FOR-US: Adobe CVE-2018-5003 (Adobe Creative Cloud Desktop Application before 4.5.5.342 (installer) ...) NOT-FOR-US: Adobe CVE-2018-5002 (Adobe Flash Player versions 29.0.0.171 and earlier have a Stack-based ...) NOT-FOR-US: Adobe CVE-2018-5001 (Adobe Flash Player versions 29.0.0.171 and earlier have an Out-of-boun ...) NOT-FOR-US: Adobe CVE-2018-5000 (Adobe Flash Player versions 29.0.0.171 and earlier have an Integer Ove ...) NOT-FOR-US: Adobe CVE-2018-4999 (Adobe Acrobat and Reader versions 2018.009.20050 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4998 (Adobe Acrobat and Reader versions 2018.009.20050 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4997 (Adobe Acrobat and Reader versions 2018.009.20050 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4996 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4995 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4994 (Adobe Connect versions 9.7.5 and earlier have an exploitable Authentic ...) NOT-FOR-US: Adobe CVE-2018-4993 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4992 (Adobe Creative Cloud Desktop Application versions 4.4.1.298 and earlie ...) NOT-FOR-US: Adobe CVE-2018-4991 (Adobe Creative Cloud Desktop Application versions 4.4.1.298 and earlie ...) NOT-FOR-US: Adobe CVE-2018-4990 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4989 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4988 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4987 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4986 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4985 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4984 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4983 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4982 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4981 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4980 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4979 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4978 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4977 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4976 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4975 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4974 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4973 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4972 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4971 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4970 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4969 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4968 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4967 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4966 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4965 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4964 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4963 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4962 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4961 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4960 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4959 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4958 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4957 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4956 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4955 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4954 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4953 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4952 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: VMware Xenon CVE-2018-4951 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4950 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4949 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4948 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4947 (Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011 ...) NOT-FOR-US: VMware Xenon CVE-2018-4946 (Adobe Photoshop CC versions 19.1.3 and earlier, 18.1.3 and earlier, an ...) NOT-FOR-US: Adobe CVE-2018-4945 (Adobe Flash Player versions 29.0.0.171 and earlier have a Type Confusi ...) NOT-FOR-US: Adobe CVE-2018-4944 (Adobe Flash Player versions 29.0.0.140 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2018-4943 (Adobe PhoneGap Push Plugin versions 1.8.0 and earlier have an exploita ...) NOT-FOR-US: Adobe CVE-2018-4942 (Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 1 ...) NOT-FOR-US: Adobe CVE-2018-4941 (Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 1 ...) NOT-FOR-US: Adobe CVE-2018-4940 (Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 1 ...) NOT-FOR-US: Adobe CVE-2018-4939 (Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 1 ...) NOT-FOR-US: Adobe CVE-2018-4938 (Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 1 ...) NOT-FOR-US: Adobe CVE-2018-4937 (Adobe Flash Player versions 29.0.0.113 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2018-4936 (Adobe Flash Player versions 29.0.0.113 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2018-4935 (Adobe Flash Player versions 29.0.0.113 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2018-4934 (Adobe Flash Player versions 29.0.0.113 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2018-4933 (Adobe Flash Player versions 29.0.0.113 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2018-4932 (Adobe Flash Player versions 29.0.0.113 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2018-4931 (Adobe Experience Manager versions 6.1 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2018-4930 (Adobe Experience Manager versions 6.3 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2018-4929 (Adobe Experience Manager versions 6.2 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2018-4928 (Adobe InDesign versions 13.0 and below have an exploitable Memory corr ...) NOT-FOR-US: Adobe CVE-2018-4927 (Adobe InDesign versions 13.0 and below have an exploitable Untrusted S ...) NOT-FOR-US: Adobe CVE-2018-4926 (Adobe Digital Editions versions 4.5.7 and below have an exploitable St ...) NOT-FOR-US: Adobe CVE-2018-4925 (Adobe Digital Editions versions 4.5.7 and below have an exploitable Ou ...) NOT-FOR-US: Adobe CVE-2018-4924 (Adobe Dreamweaver CC versions 18.0 and earlier have an OS Command Inje ...) NOT-FOR-US: Adobe CVE-2018-4923 (Adobe Connect versions 9.7 and earlier have an exploitable OS Command ...) NOT-FOR-US: Adobe CVE-2018-4922 REJECTED CVE-2018-4921 (Adobe Connect versions 9.7 and earlier have an exploitable unrestricte ...) NOT-FOR-US: Adobe CVE-2018-4920 (Adobe Flash Player versions 28.0.0.161 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2018-4919 (Adobe Flash Player versions 28.0.0.161 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2018-4918 (Adobe Acrobat and Reader versions 2018.009.20050 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4917 (Adobe Acrobat and Reader versions 2018.009.20050 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2018-4916 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4915 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4914 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4913 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4912 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4911 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4910 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4909 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4908 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4907 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4906 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4905 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4904 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4903 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4902 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4901 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4900 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4899 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4898 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4897 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4896 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4895 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4894 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4893 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4892 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4891 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4890 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4889 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4888 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4887 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4886 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4885 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4884 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4883 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4882 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4881 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4880 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4879 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4878 (A use-after-free vulnerability was discovered in Adobe Flash Player be ...) NOT-FOR-US: Adobe Flash Player CVE-2018-4877 (A use-after-free vulnerability was discovered in Adobe Flash Player be ...) NOT-FOR-US: Adobe Flash Player CVE-2018-4876 (Adobe Experience Manager versions 6.3, 6.2, and 6.1 are vulnerable to ...) NOT-FOR-US: Adobe Experience Manager CVE-2018-4875 (Adobe Experience Manager versions 6.1 and 6.0 are vulnerable to a refl ...) NOT-FOR-US: Adobe Experience Manager CVE-2018-4874 REJECTED CVE-2018-4873 (Adobe Creative Cloud Desktop Application versions 4.4.1.298 and earlie ...) NOT-FOR-US: Adobe CVE-2018-4872 (An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and ear ...) NOT-FOR-US: Adobe CVE-2018-4871 (An Out-of-bounds Read issue was discovered in Adobe Flash Player befor ...) NOT-FOR-US: Adobe Flash Player CVE-2018-4870 RESERVED CVE-2018-4869 RESERVED CVE-2018-4868 (The Exiv2::Jp2Image::readMetadata function in jp2image.cpp in Exiv2 0. ...) - exiv2 (Vulnerable code introduced in 0.26) NOTE: https://github.com/Exiv2/exiv2/issues/202 CVE-2017-1000500 REJECTED CVE-2017-1000499 (phpMyAdmin versions 4.7.x (prior to 4.7.6.1/4.7.7) are vulnerable to a ...) - phpmyadmin (Only affects phpMyAdmin starting from 4.7.0) NOTE: https://www.phpmyadmin.net/security/PMASA-2017-9/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/edd929216ade9f7c150a262ba3db44db0fed0e1b (4.7-branch) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/72f109a99c82b14c07dcb19946ba9b76efc32a1b (4.8-branch) CVE-2017-1000498 (AndroidSVG version 1.2.2 is vulnerable to XXE attacks in the SVG parsi ...) NOT-FOR-US: AndroidSVG CVE-2017-1000497 (Pepperminty-Wiki version 0.15 is vulnerable to XXE attacks in the gets ...) NOT-FOR-US: Pepperminty-Wiki CVE-2017-1000496 (Commsy version 9.0.0 is vulnerable to XXE attacks in the configuration ...) NOT-FOR-US: Commsy CVE-2017-1000495 (QuickApps CMS version 2.0.0 is vulnerable to Stored Cross-site Scripti ...) NOT-FOR-US: QuickApps CMS CVE-2017-1000494 (Uninitialized stack variable vulnerability in NameValueParserEndElt (u ...) {DLA-1811-1} - miniupnpd 2.0.20171212-1 (bug #887129) [stretch] - miniupnpd 1.8.20140523-4.1+deb9u1 - miniupnpc 2.0.20171212-3 (unimportant) NOTE: https://github.com/miniupnp/miniupnp/issues/268 NOTE: https://github.com/miniupnp/miniupnp/commit/7aeb624b44f86d335841242ff427433190e7168a NOTE: https://github.com/miniupnp/miniupnp/commit/a0573e251817ec090a8c9f9f41b56d720c835a6c CVE-2017-1000490 (Mautic versions 1.0.0 - 2.11.0 are vulnerable to allowing any authoriz ...) NOT-FOR-US: Mautic CVE-2017-1000489 (Mautic versions 2.0.0 - 2.11.0 with a SSO plugin installed could allow ...) NOT-FOR-US: Mautic CVE-2017-1000488 (Mautic version 2.1.0 - 2.11.0 is vulnerable to an inline JS XSS attack ...) NOT-FOR-US: Mautic CVE-2017-1000487 (Plexus-utils before 3.0.16 is vulnerable to command injection because ...) {DSA-4149-1 DSA-4146-1 DLA-1237-1 DLA-1236-1} - plexus-utils 1:1.5.15-5 - plexus-utils2 3.0.22-1 NOTE: https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31522 NOTE: https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41 CVE-2017-1000486 (Primetek Primefaces 5.x is vulnerable to a weak encryption flaw result ...) NOT-FOR-US: Primetek Primefaces CVE-2017-1000485 (Nylas Mail Lives 2.2.2 uses 0755 permissions for $HOME/.nylas-mail, wh ...) NOT-FOR-US: Nylas Mail Lives CVE-2017-1000484 (By linking to a specific url in Plone 2.5-5.1rc1 with a parameter, an ...) NOT-FOR-US: Plone CVE-2017-1000483 (Accessing private content via str.format in through-the-web templates ...) NOT-FOR-US: Plone CVE-2017-1000482 (A member of the Plone 2.5-5.1rc1 site could set javascript in the home ...) NOT-FOR-US: Plone CVE-2017-1000481 (When you visit a page where you need to login, Plone 2.5-5.1rc1 sends ...) NOT-FOR-US: Plone CVE-2017-1000480 (Smarty 3 before 3.1.32 is vulnerable to a PHP code injection when call ...) {DSA-4094-1 DLA-1249-1} - smarty - smarty3 3.1.31+20161214.1.c7d42e4+selfpack1-3 (bug #886460) NOTE: https://github.com/smarty-php/smarty/commit/614ad1f8b9b00086efc123e49b7bb8efbfa81b61 CVE-2017-1000479 (pfSense versions 2.4.1 and lower are vulnerable to clickjacking attack ...) NOT-FOR-US: pfSense CVE-2017-1000478 (ELabftw version 1.7.8 is vulnerable to stored cross-site scripting in ...) NOT-FOR-US: ELabftw CVE-2017-1000477 (XMLBundle version 0.1.7 is vulnerable to XXE attacks which can result ...) NOT-FOR-US: XMLBundle CVE-2017-1000476 (ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in ...) {DLA-1785-1 DLA-1229-1} - imagemagick 8:6.9.9.34+dfsg-3 [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/867 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/e5dae180b9236bccd73ce93bfce81e99232a8533 CVE-2017-1000473 (Linux Dash up to version v2 is vulnerable to multiple command injectio ...) NOT-FOR-US: Linux Dash CVE-2017-1000472 (The ZipCommon::isValidPath() function in Zip/src/ZipCommon.cpp in POCO ...) {DSA-4083-1 DLA-1239-1} - poco 1.8.0-2 NOTE: https://github.com/pocoproject/poco/issues/1968 CVE-2017-1000471 (EmbedThis GoAhead Webserver version 4.0.0 is vulnerable to a NULL poin ...) NOT-FOR-US: EmbedThis GoAhead Webserver CVE-2017-1000470 (EmbedThis GoAhead Webserver versions 4.0.0 and earlier is vulnerable t ...) NOT-FOR-US: EmbedThis GoAhead Webserver CVE-2017-1000469 (Cobbler version up to 2.8.2 is vulnerable to a command injection vulne ...) - cobbler (bug #886480) NOTE: https://github.com/cobbler/cobbler/issues/1845 CVE-2017-1000467 (LavaLite version 5.2.4 is vulnerable to stored cross-site scripting vu ...) NOT-FOR-US: LavaLite CVE-2017-1000462 (BookStack version 0.18.4 is vulnerable to stored cross-site scripting, ...) NOT-FOR-US: BookStack CVE-2017-1000461 (Brave Software's Brave Browser, version 0.19.73 (and earlier) is vulne ...) - brave-browser (bug #864795) CVE-2017-1000460 (In line libavcodec/h264dec.c:500 in libav(v13_dev0), ffmpeg(n3.4), chr ...) {DLA-1740-1} - libav - ffmpeg 7:3.1.1-1 NOTE: https://bugzilla.libav.org/show_bug.cgi?id=952 NOTE: https://lists.ffmpeg.org/pipermail/ffmpeg-cvslog/2017-January/104221.html CVE-2018-4867 RESERVED CVE-2018-4866 RESERVED CVE-2018-4865 RESERVED CVE-2018-4864 RESERVED CVE-2018-4863 (Sophos Endpoint Protection 10.7 allows local users to bypass an intend ...) NOT-FOR-US: Sophos CVE-2018-4862 (In Octopus Deploy versions 3.2.11 - 4.1.5 (fixed in 4.1.6), an authent ...) NOT-FOR-US: Octopus Deploy CVE-2018-4861 (A vulnerability has been identified in SCALANCE M875 (All versions). A ...) NOT-FOR-US: SCALANCE CVE-2018-4860 (A vulnerability has been identified in SCALANCE M875 (All versions). A ...) NOT-FOR-US: SCALANCE CVE-2018-4859 (A vulnerability has been identified in SCALANCE M875 (All versions). A ...) NOT-FOR-US: SCALANCE CVE-2018-4858 (A vulnerability has been identified in IEC 61850 system configurator ( ...) NOT-FOR-US: IEC CVE-2018-4857 REJECTED CVE-2018-4856 (A vulnerability has been identified in SICLOCK TC100 (All versions) an ...) NOT-FOR-US: SICLOCK TC100 CVE-2018-4855 (A vulnerability has been identified in SICLOCK TC100 (All versions) an ...) NOT-FOR-US: SICLOCK TC100 CVE-2018-4854 (A vulnerability has been identified in SICLOCK TC100 (All versions) an ...) NOT-FOR-US: SICLOCK TC100 CVE-2018-4853 (A vulnerability has been identified in SICLOCK TC100 (All versions) an ...) NOT-FOR-US: SICLOCK TC100 CVE-2018-4852 (A vulnerability has been identified in SICLOCK TC100 (All versions) an ...) NOT-FOR-US: SICLOCK TC100 CVE-2018-4851 (A vulnerability has been identified in SICLOCK TC100 (All versions) an ...) NOT-FOR-US: SICLOCK TC100 CVE-2018-4850 (A vulnerability has been identified in SIMATIC S7-400 (incl. F) CPU ha ...) NOT-FOR-US: SIMATIC CVE-2018-4849 (A vulnerability has been identified in Siveillance VMS Video for Andro ...) NOT-FOR-US: Siveillance VMS Video CVE-2018-4848 (A vulnerability has been identified in SCALANCE X-200 switch family (i ...) NOT-FOR-US: Siemens SCALANCE X switches CVE-2018-4847 (A vulnerability has been identified in SIMATIC WinCC OA Operator iOS A ...) NOT-FOR-US: SIMATIC WinCC OA Operator iOS App CVE-2018-4846 (A vulnerability has been identified in RAPIDLab 1200 systems / RAPIDPo ...) NOT-FOR-US: RAPIDLab CVE-2018-4845 (A vulnerability has been identified in RAPIDLab 1200 systems / RAPIDPo ...) NOT-FOR-US: RAPIDLab CVE-2018-4844 (A vulnerability has been identified in SIMATIC WinCC OA UI for Android ...) NOT-FOR-US: SIMATIC CVE-2018-4843 (A vulnerability has been identified in SIMATIC CP 343-1 Advanced (All ...) NOT-FOR-US: SIMATIC CVE-2018-4842 (A vulnerability has been identified in SCALANCE X-200IRT switch family ...) NOT-FOR-US: Siemens SCALANCE X switches CVE-2018-4841 (A vulnerability has been identified in TIM 1531 IRC (All versions < ...) NOT-FOR-US: TIM CVE-2018-4840 (A vulnerability has been identified in Siemens DIGSI 4 (All versions & ...) NOT-FOR-US: Siemens CVE-2018-4839 (A vulnerability has been identified in Siemens DIGSI 4 (All versions & ...) NOT-FOR-US: Siemens CVE-2018-4838 (A vulnerability has been identified in EN100 Ethernet module IEC 61850 ...) NOT-FOR-US: Siemens CVE-2018-4837 (A vulnerability has been identified in TeleControl Server Basic < V ...) NOT-FOR-US: Siemens / TeleControl Server Basic CVE-2018-4836 (A vulnerability has been identified in TeleControl Server Basic < V ...) NOT-FOR-US: Siemens / TeleControl Server Basic CVE-2018-4835 (A vulnerability has been identified in TeleControl Server Basic < V ...) NOT-FOR-US: Siemens / TeleControl Server Basic CVE-2018-4834 (A vulnerability has been identified in Desigo Automation Controllers P ...) NOT-FOR-US: Desigo CVE-2018-4833 (A vulnerability has been identified in RFID 181-EIP (All versions), RU ...) NOT-FOR-US: Siemens CVE-2018-4832 (A vulnerability has been identified in OpenPCS 7 V7.1 and earlier (All ...) NOT-FOR-US: Siemens CVE-2018-4831 RESERVED CVE-2018-4830 RESERVED CVE-2018-4829 RESERVED CVE-2018-4828 RESERVED CVE-2018-4827 RESERVED CVE-2018-4826 RESERVED CVE-2018-4825 RESERVED CVE-2018-4824 RESERVED CVE-2018-4823 RESERVED CVE-2018-4822 RESERVED CVE-2018-4821 RESERVED CVE-2018-4820 RESERVED CVE-2018-4819 RESERVED CVE-2018-4818 RESERVED CVE-2018-4817 RESERVED CVE-2018-4816 RESERVED CVE-2018-4815 RESERVED CVE-2018-4814 RESERVED CVE-2018-4813 RESERVED CVE-2018-4812 RESERVED CVE-2018-4811 RESERVED CVE-2018-4810 RESERVED CVE-2018-4809 RESERVED CVE-2018-4808 RESERVED CVE-2018-4807 RESERVED CVE-2018-4806 RESERVED CVE-2018-4805 RESERVED CVE-2018-4804 RESERVED CVE-2018-4803 RESERVED CVE-2018-4802 RESERVED CVE-2018-4801 RESERVED CVE-2018-4800 RESERVED CVE-2018-4799 RESERVED CVE-2018-4798 RESERVED CVE-2018-4797 RESERVED CVE-2018-4796 RESERVED CVE-2018-4795 RESERVED CVE-2018-4794 RESERVED CVE-2018-4793 RESERVED CVE-2018-4792 RESERVED CVE-2018-4791 RESERVED CVE-2018-4790 RESERVED CVE-2018-4789 RESERVED CVE-2018-4788 RESERVED CVE-2018-4787 RESERVED CVE-2018-4786 RESERVED CVE-2018-4785 RESERVED CVE-2018-4784 RESERVED CVE-2018-4783 RESERVED CVE-2018-4782 RESERVED CVE-2018-4781 RESERVED CVE-2018-4780 RESERVED CVE-2018-4779 RESERVED CVE-2018-4778 RESERVED CVE-2018-4777 RESERVED CVE-2018-4776 RESERVED CVE-2018-4775 RESERVED CVE-2018-4774 RESERVED CVE-2018-4773 RESERVED CVE-2018-4772 RESERVED CVE-2018-4771 RESERVED CVE-2018-4770 RESERVED CVE-2018-4769 RESERVED CVE-2018-4768 RESERVED CVE-2018-4767 RESERVED CVE-2018-4766 RESERVED CVE-2018-4765 RESERVED CVE-2018-4764 RESERVED CVE-2018-4763 RESERVED CVE-2018-4762 RESERVED CVE-2018-4761 RESERVED CVE-2018-4760 RESERVED CVE-2018-4759 RESERVED CVE-2018-4758 RESERVED CVE-2018-4757 RESERVED CVE-2018-4756 RESERVED CVE-2018-4755 RESERVED CVE-2018-4754 RESERVED CVE-2018-4753 RESERVED CVE-2018-4752 RESERVED CVE-2018-4751 RESERVED CVE-2018-4750 RESERVED CVE-2018-4749 RESERVED CVE-2018-4748 RESERVED CVE-2018-4747 RESERVED CVE-2018-4746 RESERVED CVE-2018-4745 RESERVED CVE-2018-4744 RESERVED CVE-2018-4743 RESERVED CVE-2018-4742 RESERVED CVE-2018-4741 RESERVED CVE-2018-4740 RESERVED CVE-2018-4739 RESERVED CVE-2018-4738 RESERVED CVE-2018-4737 RESERVED CVE-2018-4736 RESERVED CVE-2018-4735 RESERVED CVE-2018-4734 RESERVED CVE-2018-4733 RESERVED CVE-2018-4732 RESERVED CVE-2018-4731 RESERVED CVE-2018-4730 RESERVED CVE-2018-4729 RESERVED CVE-2018-4728 RESERVED CVE-2018-4727 RESERVED CVE-2018-4726 RESERVED CVE-2018-4725 RESERVED CVE-2018-4724 RESERVED CVE-2018-4723 RESERVED CVE-2018-4722 RESERVED CVE-2018-4721 RESERVED CVE-2018-4720 RESERVED CVE-2018-4719 RESERVED CVE-2018-4718 RESERVED CVE-2018-4717 RESERVED CVE-2018-4716 RESERVED CVE-2018-4715 RESERVED CVE-2018-4714 RESERVED CVE-2018-4713 RESERVED CVE-2018-4712 RESERVED CVE-2018-4711 RESERVED CVE-2018-4710 RESERVED CVE-2018-4709 RESERVED CVE-2018-4708 RESERVED CVE-2018-4707 RESERVED CVE-2018-4706 RESERVED CVE-2018-4705 RESERVED CVE-2018-4704 RESERVED CVE-2018-4703 RESERVED CVE-2018-4702 RESERVED CVE-2018-4701 RESERVED CVE-2018-4700 REJECTED CVE-2018-4699 RESERVED CVE-2018-4698 RESERVED CVE-2018-4697 RESERVED CVE-2018-4696 RESERVED CVE-2018-4695 RESERVED CVE-2018-4694 RESERVED CVE-2018-4693 RESERVED CVE-2018-4692 RESERVED CVE-2018-4691 RESERVED CVE-2018-4690 RESERVED CVE-2018-4689 RESERVED CVE-2018-4688 RESERVED CVE-2018-4687 RESERVED CVE-2018-4686 RESERVED CVE-2018-4685 RESERVED CVE-2018-4684 RESERVED CVE-2018-4683 RESERVED CVE-2018-4682 RESERVED CVE-2018-4681 RESERVED CVE-2018-4680 RESERVED CVE-2018-4679 RESERVED CVE-2018-4678 RESERVED CVE-2018-4677 RESERVED CVE-2018-4676 RESERVED CVE-2018-4675 RESERVED CVE-2018-4674 RESERVED CVE-2018-4673 RESERVED CVE-2018-4672 RESERVED CVE-2018-4671 RESERVED CVE-2018-4670 RESERVED CVE-2018-4669 RESERVED CVE-2018-4668 RESERVED CVE-2018-4667 RESERVED CVE-2018-4666 RESERVED CVE-2018-4665 RESERVED CVE-2018-4664 RESERVED CVE-2018-4663 RESERVED CVE-2018-4662 RESERVED CVE-2018-4661 RESERVED CVE-2018-4660 RESERVED CVE-2018-4659 RESERVED CVE-2018-4658 RESERVED CVE-2018-4657 RESERVED CVE-2018-4656 RESERVED CVE-2018-4655 RESERVED CVE-2018-4654 RESERVED CVE-2018-4653 RESERVED CVE-2018-4652 RESERVED CVE-2018-4651 RESERVED CVE-2018-4650 RESERVED CVE-2018-4649 RESERVED CVE-2018-4648 RESERVED CVE-2018-4647 RESERVED CVE-2018-4646 RESERVED CVE-2018-4645 RESERVED CVE-2018-4644 RESERVED CVE-2018-4643 RESERVED CVE-2018-4642 RESERVED CVE-2018-4641 RESERVED CVE-2018-4640 RESERVED CVE-2018-4639 RESERVED CVE-2018-4638 RESERVED CVE-2018-4637 RESERVED CVE-2018-4636 RESERVED CVE-2018-4635 RESERVED CVE-2018-4634 RESERVED CVE-2018-4633 RESERVED CVE-2018-4632 RESERVED CVE-2018-4631 RESERVED CVE-2018-4630 RESERVED CVE-2018-4629 RESERVED CVE-2018-4628 RESERVED CVE-2018-4627 RESERVED CVE-2018-4626 RESERVED CVE-2018-4625 RESERVED CVE-2018-4624 RESERVED CVE-2018-4623 RESERVED CVE-2018-4622 RESERVED CVE-2018-4621 RESERVED CVE-2018-4620 RESERVED CVE-2018-4619 RESERVED CVE-2018-4618 RESERVED CVE-2018-4617 RESERVED CVE-2018-4616 RESERVED CVE-2018-4615 RESERVED CVE-2018-4614 RESERVED CVE-2018-4613 RESERVED CVE-2018-4612 RESERVED CVE-2018-4611 RESERVED CVE-2018-4610 RESERVED CVE-2018-4609 RESERVED CVE-2018-4608 RESERVED CVE-2018-4607 RESERVED CVE-2018-4606 RESERVED CVE-2018-4605 RESERVED CVE-2018-4604 RESERVED CVE-2018-4603 RESERVED CVE-2018-4602 RESERVED CVE-2018-4601 RESERVED CVE-2018-4600 RESERVED CVE-2018-4599 RESERVED CVE-2018-4598 RESERVED CVE-2018-4597 RESERVED CVE-2018-4596 RESERVED CVE-2018-4595 RESERVED CVE-2018-4594 RESERVED CVE-2018-4593 RESERVED CVE-2018-4592 RESERVED CVE-2018-4591 RESERVED CVE-2018-4590 RESERVED CVE-2018-4589 RESERVED CVE-2018-4588 RESERVED CVE-2018-4587 RESERVED CVE-2018-4586 RESERVED CVE-2018-4585 RESERVED CVE-2018-4584 RESERVED CVE-2018-4583 RESERVED CVE-2018-4582 RESERVED CVE-2018-4581 RESERVED CVE-2018-4580 RESERVED CVE-2018-4579 RESERVED CVE-2018-4578 RESERVED CVE-2018-4577 RESERVED CVE-2018-4576 RESERVED CVE-2018-4575 RESERVED CVE-2018-4574 RESERVED CVE-2018-4573 RESERVED CVE-2018-4572 RESERVED CVE-2018-4571 RESERVED CVE-2018-4570 RESERVED CVE-2018-4569 RESERVED CVE-2018-4568 RESERVED CVE-2018-4567 RESERVED CVE-2018-4566 RESERVED CVE-2018-4565 RESERVED CVE-2018-4564 RESERVED CVE-2018-4563 RESERVED CVE-2018-4562 RESERVED CVE-2018-4561 RESERVED CVE-2018-4560 RESERVED CVE-2018-4559 RESERVED CVE-2018-4558 RESERVED CVE-2018-4557 RESERVED CVE-2018-4556 RESERVED CVE-2018-4555 RESERVED CVE-2018-4554 RESERVED CVE-2018-4553 RESERVED CVE-2018-4552 RESERVED CVE-2018-4551 RESERVED CVE-2018-4550 RESERVED CVE-2018-4549 RESERVED CVE-2018-4548 RESERVED CVE-2018-4547 RESERVED CVE-2018-4546 RESERVED CVE-2018-4545 RESERVED CVE-2018-4544 RESERVED CVE-2018-4543 RESERVED CVE-2018-4542 RESERVED CVE-2018-4541 RESERVED CVE-2018-4540 RESERVED CVE-2018-4539 RESERVED CVE-2018-4538 RESERVED CVE-2018-4537 RESERVED CVE-2018-4536 RESERVED CVE-2018-4535 RESERVED CVE-2018-4534 RESERVED CVE-2018-4533 RESERVED CVE-2018-4532 RESERVED CVE-2018-4531 RESERVED CVE-2018-4530 RESERVED CVE-2018-4529 RESERVED CVE-2018-4528 RESERVED CVE-2018-4527 RESERVED CVE-2018-4526 RESERVED CVE-2018-4525 RESERVED CVE-2018-4524 RESERVED CVE-2018-4523 RESERVED CVE-2018-4522 RESERVED CVE-2018-4521 RESERVED CVE-2018-4520 RESERVED CVE-2018-4519 RESERVED CVE-2018-4518 RESERVED CVE-2018-4517 RESERVED CVE-2018-4516 RESERVED CVE-2018-4515 RESERVED CVE-2018-4514 RESERVED CVE-2018-4513 RESERVED CVE-2018-4512 RESERVED CVE-2018-4511 RESERVED CVE-2018-4510 RESERVED CVE-2018-4509 RESERVED CVE-2018-4508 RESERVED CVE-2018-4507 RESERVED CVE-2018-4506 RESERVED CVE-2018-4505 RESERVED CVE-2018-4504 RESERVED CVE-2018-4503 RESERVED CVE-2018-4502 RESERVED CVE-2018-4501 RESERVED CVE-2018-4500 RESERVED CVE-2018-4499 RESERVED CVE-2018-4498 RESERVED CVE-2018-4497 RESERVED CVE-2018-4496 RESERVED CVE-2018-4495 RESERVED CVE-2018-4494 RESERVED CVE-2018-4493 RESERVED CVE-2018-4492 RESERVED CVE-2018-4491 RESERVED CVE-2018-4490 RESERVED CVE-2018-4489 RESERVED CVE-2018-4488 RESERVED CVE-2018-4487 RESERVED CVE-2018-4486 RESERVED CVE-2018-4485 RESERVED CVE-2018-4484 RESERVED CVE-2018-4483 RESERVED CVE-2018-4482 RESERVED CVE-2018-4481 RESERVED CVE-2018-4480 RESERVED CVE-2018-4479 RESERVED CVE-2018-4478 RESERVED CVE-2018-4477 RESERVED CVE-2018-4476 RESERVED CVE-2018-4475 RESERVED CVE-2018-4474 RESERVED CVE-2018-4473 RESERVED CVE-2018-4472 RESERVED CVE-2018-4471 RESERVED CVE-2018-4470 (A privacy issue in the handling of Open Directory records was addresse ...) NOT-FOR-US: Apple CVE-2018-4469 RESERVED CVE-2018-4468 RESERVED CVE-2018-4467 RESERVED CVE-2018-4466 RESERVED CVE-2018-4465 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4464 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.22.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0009.html NOTE: Not covered by security support CVE-2018-4463 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4462 (A validation issue was addressed with improved input sanitization. Thi ...) NOT-FOR-US: Apple CVE-2018-4461 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2018-4460 (A denial of service issue was addressed by removing the vulnerable cod ...) NOT-FOR-US: Apple CVE-2018-4459 RESERVED CVE-2018-4458 RESERVED CVE-2018-4457 RESERVED CVE-2018-4456 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2018-4455 RESERVED CVE-2018-4454 RESERVED CVE-2018-4453 RESERVED CVE-2018-4452 RESERVED CVE-2018-4451 RESERVED CVE-2018-4450 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4449 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4448 RESERVED CVE-2018-4447 (A memory corruption issue was addressed with improved state management ...) NOT-FOR-US: Apple CVE-2018-4446 (This issue was addressed with improved entitlements. This issue affect ...) NOT-FOR-US: Apple CVE-2018-4445 ("Clear History and Website Data" did not clear the history. The issue ...) NOT-FOR-US: Apple CVE-2018-4444 RESERVED CVE-2018-4443 (A memory corruption issue was addressed with improved memory handling. ...) - webkit2gtk 2.22.3-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0009.html NOTE: Not covered by security support CVE-2018-4442 (A memory corruption issue was addressed with improved memory handling. ...) - webkit2gtk 2.22.3-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0009.html NOTE: Not covered by security support CVE-2018-4441 (A memory corruption issue was addressed with improved memory handling. ...) - webkit2gtk 2.22.3-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0009.html NOTE: Not covered by security support CVE-2018-4440 (A logic issue was addressed with improved state management. This issue ...) NOT-FOR-US: Apple CVE-2018-4439 (A logic issue was addressed with improved validation. This issue affec ...) NOT-FOR-US: Apple CVE-2018-4438 (A logic issue existed resulting in memory corruption. This was address ...) - webkit2gtk 2.22.3-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0009.html NOTE: Not covered by security support CVE-2018-4437 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.22.5-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0009.html NOTE: Not covered by security support CVE-2018-4436 (A certificate validation issue existed in configuration profiles. This ...) NOT-FOR-US: Apple CVE-2018-4435 (A logic issue was addressed with improved restrictions. This issue aff ...) NOT-FOR-US: Apple CVE-2018-4434 (An out-of-bounds read was addressed with improved input validation. Th ...) NOT-FOR-US: Apple CVE-2018-4433 RESERVED CVE-2018-4432 RESERVED CVE-2018-4431 (A memory initialization issue was addressed with improved memory handl ...) NOT-FOR-US: Apple CVE-2018-4430 (A lock screen issue allowed access to contacts on a locked device. Thi ...) NOT-FOR-US: Apple CVE-2018-4429 (A spoofing issue existed in the handling of URLs. This issue was addre ...) NOT-FOR-US: Apple CVE-2018-4428 RESERVED CVE-2018-4427 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4426 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4425 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4424 (A buffer overflow was addressed with improved size validation. This is ...) NOT-FOR-US: Apple CVE-2018-4423 (A logic issue was addressed with improved validation. This issue affec ...) NOT-FOR-US: Apple CVE-2018-4422 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4421 (A memory initialization issue was addressed with improved memory handl ...) NOT-FOR-US: Apple CVE-2018-4420 (A memory corruption issue was addressed by removing the vulnerable cod ...) NOT-FOR-US: Apple CVE-2018-4419 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4418 (A validation issue was addressed with improved input sanitization. Thi ...) NOT-FOR-US: Apple CVE-2018-4417 (A validation issue was addressed with improved input sanitization. Thi ...) NOT-FOR-US: Apple CVE-2018-4416 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.22.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0008.html NOTE: Not covered by security support CVE-2018-4415 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4414 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2018-4413 (A memory initialization issue was addressed with improved memory handl ...) NOT-FOR-US: Apple CVE-2018-4412 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2018-4411 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2018-4410 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2018-4409 (A resource exhaustion issue was addressed with improved input validati ...) NOT-FOR-US: Apple CVE-2018-4408 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2018-4407 (A memory corruption issue was addressed with improved validation. This ...) NOT-FOR-US: Apple CVE-2018-4406 (A denial of service issue was addressed with improved validation. This ...) NOT-FOR-US: Apple CVE-2018-4405 RESERVED CVE-2018-4404 (In iOS before 11.4 and macOS High Sierra before 10.13.5, a memory corr ...) NOT-FOR-US: Apple CVE-2018-4403 (This issue was addressed by removing additional entitlements. This iss ...) NOT-FOR-US: Apple CVE-2018-4402 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4401 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4400 (A validation issue was addressed with improved logic. This issue affec ...) NOT-FOR-US: Apple CVE-2018-4399 (An access issue existed with privileged API calls. This issue was addr ...) NOT-FOR-US: Apple CVE-2018-4398 (An issue existed in the method for determining prime numbers. This iss ...) NOT-FOR-US: Apple CVE-2018-4397 (Analytics data was sent using HTTP rather than HTTPS. This was address ...) NOT-FOR-US: Apple CVE-2018-4396 (A validation issue was addressed with improved input sanitization. Thi ...) NOT-FOR-US: Apple CVE-2018-4395 (This issue was addressed with improved checks. This issue affected ver ...) NOT-FOR-US: Apple CVE-2018-4394 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2018-4393 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4392 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.22.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0008.html NOTE: Not covered by security support CVE-2018-4391 RESERVED CVE-2018-4390 RESERVED CVE-2018-4389 (An inconsistent user interface issue was addressed with improved state ...) NOT-FOR-US: Apple CVE-2018-4388 (A lock screen issue allowed access to the share function on a locked d ...) NOT-FOR-US: Apple CVE-2018-4387 (A lock screen issue allowed access to photos via Reply With Message on ...) NOT-FOR-US: Apple CVE-2018-4386 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.22.3-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0008.html NOTE: Not covered by security support CVE-2018-4385 (A logic issue was addressed with improved state management. This issue ...) NOT-FOR-US: Apple CVE-2018-4384 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2018-4383 (A memory corruption issue was addressed with improved state management ...) NOT-FOR-US: Apple CVE-2018-4382 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.22.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0008.html NOTE: Not covered by security support CVE-2018-4381 RESERVED CVE-2018-4380 (A lock screen issue allowed access to photos and contacts on a locked ...) NOT-FOR-US: Apple CVE-2018-4379 (A lock screen issue allowed access to the share function on a locked d ...) NOT-FOR-US: Apple CVE-2018-4378 (A memory corruption issue was addressed with improved validation. This ...) - webkit2gtk 2.22.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0008.html NOTE: Not covered by security support CVE-2018-4377 (A cross-site scripting issue existed in Safari. This issue was address ...) NOT-FOR-US: Apple CVE-2018-4376 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.22.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0008.html NOTE: Not covered by security support CVE-2018-4375 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.22.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0008.html NOTE: Not covered by security support CVE-2018-4374 (A logic issue was addressed with improved validation. This issue affec ...) NOT-FOR-US: Apple CVE-2018-4373 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.22.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0008.html NOTE: Not covered by security support CVE-2018-4372 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.22.4-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0008.html NOTE: Not covered by security support CVE-2018-4371 (An out-of-bounds read was addressed with improved input validation. Th ...) NOT-FOR-US: Apple CVE-2018-4370 RESERVED CVE-2018-4369 (A logic issue was addressed with improved state management. This issue ...) NOT-FOR-US: Apple CVE-2018-4368 (A denial of service issue was addressed with improved validation. This ...) NOT-FOR-US: Apple CVE-2018-4367 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2018-4366 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2018-4365 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) NOT-FOR-US: Apple CVE-2018-4364 RESERVED CVE-2018-4363 (An input validation issue existed in the kernel. This issue was addres ...) NOT-FOR-US: Apple CVE-2018-4362 (An inconsistent user interface issue was addressed with improved state ...) NOT-FOR-US: Apple CVE-2018-4361 (A memory consumption issue was addressed with improved memory handling ...) - webkit2gtk 2.22.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0007.html NOTE: Not covered by security support CVE-2018-4360 (Multiple memory corruption issues were addressed with improved memory ...) NOT-FOR-US: Apple CVE-2018-4359 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.22.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0007.html NOTE: Not covered by security support CVE-2018-4358 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.22.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0007.html NOTE: Not covered by security support CVE-2018-4357 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple Xcode CVE-2018-4356 (A permissions issue existed. This issue was addressed with improved pe ...) NOT-FOR-US: Apple CVE-2018-4355 (A configuration issue was addressed with additional restrictions. This ...) NOT-FOR-US: Apple CVE-2018-4354 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4353 (A configuration issue was addressed with additional restrictions. This ...) NOT-FOR-US: Apple CVE-2018-4352 (A consistency issue existed in the handling of application snapshots. ...) NOT-FOR-US: Apple CVE-2018-4351 (A memory initialization issue was addressed with improved memory handl ...) NOT-FOR-US: Apple CVE-2018-4350 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2018-4349 RESERVED CVE-2018-4348 (A validation issue was addressed with improved logic. This issue affec ...) NOT-FOR-US: Apple CVE-2018-4347 (A use after free issue was addressed with improved memory management. ...) NOT-FOR-US: Apple CVE-2018-4346 (A validation issue existed which allowed local file access. This was a ...) NOT-FOR-US: Apple CVE-2018-4345 (A cross-site scripting issue existed in Safari. This issue was address ...) - webkit2gtk 2.22.3-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0008.html NOTE: Not covered by security support CVE-2018-4344 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4343 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4342 (A configuration issue was addressed with additional restrictions. This ...) NOT-FOR-US: Apple CVE-2018-4341 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4340 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4339 RESERVED CVE-2018-4338 (A validation issue was addressed with improved input sanitization. Thi ...) NOT-FOR-US: Apple CVE-2018-4337 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4336 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4335 (A validation issue was addressed with improved input sanitization. Thi ...) NOT-FOR-US: Apple CVE-2018-4334 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4333 (A validation issue was addressed with improved input sanitization. Thi ...) NOT-FOR-US: Apple CVE-2018-4332 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4331 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4330 (In iOS before 11.4, a memory corruption issue exists and was addressed ...) NOT-FOR-US: Apple CVE-2018-4329 (Clearing a history item may not clear visits with redirect chains. The ...) NOT-FOR-US: Apple CVE-2018-4328 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.22.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0007.html NOTE: Not covered by security support CVE-2018-4327 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4326 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4325 (A logic issue was addressed with improved restrictions. This issue aff ...) NOT-FOR-US: Apple CVE-2018-4324 (A permissions issue existed in the handling of the Apple ID. This issu ...) NOT-FOR-US: Apple CVE-2018-4323 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.22.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0007.html NOTE: Not covered by security support CVE-2018-4322 (This issue was addressed with improved entitlements. This issue affect ...) NOT-FOR-US: Apple CVE-2018-4321 (A validation issue existed in the entitlement verification. This issue ...) NOT-FOR-US: Apple CVE-2018-4320 RESERVED CVE-2018-4319 (A cross-origin issue existed with "iframe" elements. This was addresse ...) - webkit2gtk 2.22.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0007.html NOTE: Not covered by security support CVE-2018-4318 (A use after free issue was addressed with improved memory management. ...) - webkit2gtk 2.22.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0007.html NOTE: Not covered by security support CVE-2018-4317 (A use after free issue was addressed with improved memory management. ...) - webkit2gtk 2.22.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0007.html NOTE: Not covered by security support CVE-2018-4316 (A memory corruption issue was addressed with improved state management ...) - webkit2gtk 2.22.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0007.html NOTE: Not covered by security support CVE-2018-4315 (A use after free issue was addressed with improved memory management. ...) - webkit2gtk 2.22.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0007.html NOTE: Not covered by security support CVE-2018-4314 (A use after free issue was addressed with improved memory management. ...) - webkit2gtk 2.22.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0007.html NOTE: Not covered by security support CVE-2018-4313 (A consistency issue existed in the handling of application snapshots. ...) NOT-FOR-US: Apple CVE-2018-4312 (A use after free issue was addressed with improved memory management. ...) - webkit2gtk 2.22.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0007.html NOTE: Not covered by security support CVE-2018-4311 (The issue was addressed by removing origin information. This issue aff ...) - webkit2gtk 2.22.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0007.html NOTE: Not covered by security support CVE-2018-4310 (An access issue was addressed with additional sandbox restrictions. Th ...) NOT-FOR-US: Apple CVE-2018-4309 (A cross-site scripting issue existed in Safari. This issue was address ...) - webkit2gtk 2.22.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0007.html NOTE: Not covered by security support CVE-2018-4308 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) NOT-FOR-US: Apple CVE-2018-4307 (A logic issue was addressed with improved state management. This issue ...) NOT-FOR-US: Apple CVE-2018-4306 (A use after free issue was addressed with improved memory management. ...) - webkit2gtk 2.22.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0007.html NOTE: Not covered by security support CVE-2018-4305 (An input validation issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2018-4304 (A denial of service issue was addressed with improved validation. This ...) NOT-FOR-US: Apple CVE-2018-4303 (An input validation issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2018-4302 RESERVED CVE-2018-4301 RESERVED NOT-FOR-US: Apple CVE-2018-4300 (The session cookie generated by the CUPS web interface was easy to gue ...) {DLA-1936-1} - cups 2.2.10-1 (bug #915909) [stretch] - cups 2.2.1-8+deb9u3 NOTE: https://github.com/apple/cups/commit/feb4c62b211bfbd78dc10d737d873439ccdfa58c (2.2.10) NOTE: https://github.com/apple/cups/commit/b9ff93ce913ff633a3f667317e5a81fa7fe0d5d3 (2.3b6) NOTE: Clarification about typo for CVE id: https://github.com/apple/cups/issues/5561 CVE-2018-4299 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.22.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0007.html NOTE: Not covered by security support CVE-2018-4298 (In macOS High Sierra before 10.13.3, Security Update 2018-001 Sierra, ...) NOT-FOR-US: Apple CVE-2018-4297 RESERVED CVE-2018-4296 RESERVED CVE-2018-4295 (An input validation issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2018-4294 RESERVED CVE-2018-4293 (A cookie management issue was addressed with improved checks. This iss ...) NOT-FOR-US: Apple CVE-2018-4292 RESERVED CVE-2018-4291 (Multiple memory corruption issues were addressed with improved memory ...) NOT-FOR-US: Apple CVE-2018-4290 (A denial of service issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4289 (An information disclosure issue was addressed by removing the vulnerab ...) NOT-FOR-US: Apple CVE-2018-4288 (Multiple memory corruption issues were addressed with improved memory ...) NOT-FOR-US: Apple CVE-2018-4287 (Multiple memory corruption issues were addressed with improved memory ...) NOT-FOR-US: Apple CVE-2018-4286 (Multiple memory corruption issues were addressed with improved memory ...) NOT-FOR-US: Apple CVE-2018-4285 (A type confusion issue was addressed with improved memory handling. Th ...) NOT-FOR-US: Apple CVE-2018-4284 (A type confusion issue was addressed with improved memory handling. Th ...) - webkit2gtk 2.20.4-1 (unimportant) NOTE: Not covered by security support NOTE: https://webkitgtk.org/security/WSA-2018-0006.html CVE-2018-4283 (An out-of-bounds read issue existed that led to the disclosure of kern ...) NOT-FOR-US: Apple CVE-2018-4282 (An out-of-bounds read issue existed that led to the disclosure of kern ...) NOT-FOR-US: Apple CVE-2018-4281 (In SwiftNIO before 1.8.0, a buffer overflow was addressed with improve ...) NOT-FOR-US: Apple CVE-2018-4280 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4279 (An inconsistent user interface issue was addressed with improved state ...) NOT-FOR-US: Apple Safari CVE-2018-4278 (In Safari before 11.1.2, iTunes before 12.8 for Windows, iOS before 11 ...) - webkit2gtk 2.20.4-1 (unimportant) NOTE: Not covered by security support NOTE: https://webkitgtk.org/security/WSA-2018-0006.html CVE-2018-4277 (In iOS before 11.4.1, watchOS before 4.3.2, tvOS before 11.4.1, Safari ...) NOT-FOR-US: Apple CVE-2018-4276 (A null pointer dereference was addressed with improved validation. Thi ...) NOT-FOR-US: Apple CVE-2018-4275 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4274 (A spoofing issue existed in the handling of URLs. This issue was addre ...) NOT-FOR-US: Apple CVE-2018-4273 (Multiple memory corruption issues were addressed with improved input v ...) - webkit2gtk 2.20.4-1 (unimportant) NOTE: Not covered by security support NOTE: https://webkitgtk.org/security/WSA-2018-0006.html CVE-2018-4272 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.20.4-1 (unimportant) NOTE: Not covered by security support NOTE: https://webkitgtk.org/security/WSA-2018-0006.html CVE-2018-4271 (Multiple memory corruption issues were addressed with improved input v ...) - webkit2gtk 2.20.2-1 (unimportant) NOTE: Not covered by security support NOTE: https://webkitgtk.org/security/WSA-2018-0006.html CVE-2018-4270 (A memory corruption issue was addressed with improved memory handling. ...) - webkit2gtk 2.20.4-1 (unimportant) NOTE: Not covered by security support NOTE: https://webkitgtk.org/security/WSA-2018-0006.html CVE-2018-4269 (A memory corruption issue was addressed with improved input validation ...) NOT-FOR-US: Apple CVE-2018-4268 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4267 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.20.4-1 (unimportant) NOTE: Not covered by security support NOTE: https://webkitgtk.org/security/WSA-2018-0006.html CVE-2018-4266 (A race condition was addressed with additional validation. This issue ...) - webkit2gtk 2.20.4-1 (unimportant) NOTE: Not covered by security support NOTE: https://webkitgtk.org/security/WSA-2018-0006.html CVE-2018-4265 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.20.4-1 (unimportant) NOTE: Not covered by security support NOTE: https://webkitgtk.org/security/WSA-2018-0006.html CVE-2018-4264 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.20.4-1 (unimportant) NOTE: Not covered by security support NOTE: https://webkitgtk.org/security/WSA-2018-0006.html CVE-2018-4263 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.20.4-1 (unimportant) NOTE: Not covered by security support NOTE: https://webkitgtk.org/security/WSA-2018-0006.html CVE-2018-4262 (In Safari before 11.1.2, iTunes before 12.8 for Windows, iOS before 11 ...) - webkit2gtk 2.20.4-1 (unimportant) NOTE: Not covered by security support NOTE: https://webkitgtk.org/security/WSA-2018-0006.html CVE-2018-4261 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.20.4-1 (unimportant) NOTE: Not covered by security support NOTE: https://webkitgtk.org/security/WSA-2018-0006.html CVE-2018-4260 (An inconsistent user interface issue was addressed with improved state ...) NOT-FOR-US: Apple CVE-2018-4259 (Multiple memory corruption issues were addressed with improved memory ...) NOT-FOR-US: Apple CVE-2018-4258 (In macOS High Sierra before 10.13.5, a buffer overflow was addressed w ...) NOT-FOR-US: Apple CVE-2018-4257 (In macOS High Sierra before 10.13.5, a buffer overflow was addressed w ...) NOT-FOR-US: Apple CVE-2018-4256 (In macOS High Sierra before 10.13.5, an out-of-bounds read was address ...) NOT-FOR-US: Apple CVE-2018-4255 (In macOS High Sierra before 10.13.5, an out-of-bounds read was address ...) NOT-FOR-US: Apple CVE-2018-4254 (In macOS High Sierra before 10.13.5, an input validation issue existed ...) NOT-FOR-US: Apple CVE-2018-4253 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4252 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) NOT-FOR-US: Apple CVE-2018-4251 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4250 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) NOT-FOR-US: Apple CVE-2018-4249 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) NOT-FOR-US: Apple CVE-2018-4248 (An out-of-bounds read was addressed with improved input validation. Th ...) NOT-FOR-US: Apple CVE-2018-4247 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) NOT-FOR-US: Apple CVE-2018-4246 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) - webkit2gtk 2.20.4-1 (unimportant) NOTE: Not covered by security support NOTE: https://webkitgtk.org/security/WSA-2018-0006.html CVE-2018-4245 RESERVED CVE-2018-4244 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) NOT-FOR-US: Apple CVE-2018-4243 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) NOT-FOR-US: Apple CVE-2018-4242 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4241 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) NOT-FOR-US: Apple CVE-2018-4240 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) NOT-FOR-US: Apple CVE-2018-4239 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) NOT-FOR-US: Apple CVE-2018-4238 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) NOT-FOR-US: Apple CVE-2018-4237 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) NOT-FOR-US: Apple CVE-2018-4236 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4235 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) NOT-FOR-US: Apple CVE-2018-4234 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4233 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) - webkit2gtk 2.20.3-1 (unimportant) NOTE: Not covered by security support NOTE: https://webkitgtk.org/security/WSA-2018-0005.html CVE-2018-4232 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) - webkit2gtk 2.20.3-1 (unimportant) NOTE: Not covered by security support NOTE: https://webkitgtk.org/security/WSA-2018-0005.html CVE-2018-4231 RESERVED CVE-2018-4230 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4229 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4228 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4227 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) NOT-FOR-US: Apple CVE-2018-4226 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) NOT-FOR-US: Apple CVE-2018-4225 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) NOT-FOR-US: Apple CVE-2018-4224 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) NOT-FOR-US: Apple CVE-2018-4223 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) NOT-FOR-US: Apple CVE-2018-4222 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) - webkit2gtk 2.20.3-1 (unimportant) NOTE: Not covered by security support NOTE: https://webkitgtk.org/security/WSA-2018-0005.html CVE-2018-4221 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) NOT-FOR-US: Apple CVE-2018-4220 (An issue was discovered in certain Apple products. Swift before 4.1.1 ...) NOT-FOR-US: Apple CVE-2018-4219 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4218 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) - webkit2gtk 2.20.3-1 (unimportant) NOTE: Not covered by security support NOTE: https://webkitgtk.org/security/WSA-2018-0005.html CVE-2018-4217 (In macOS High Sierra before 10.13.5, a privacy issue in the handling o ...) NOT-FOR-US: Apple CVE-2018-4216 (A logic issue existed in the handling of call URLs. This issue was add ...) NOT-FOR-US: Apple CVE-2018-4215 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) NOT-FOR-US: Apple CVE-2018-4214 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) - webkit2gtk 2.20.0-2 (unimportant) NOTE: Not covered by security support NOTE: https://webkitgtk.org/security/WSA-2018-0005.html CVE-2018-4213 (In iOS before 11.3, Safari before 11.1, iCloud for Windows before 7.4, ...) - webkit2gtk 2.22.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0007.html NOTE: Not covered by security support CVE-2018-4212 (In iOS before 11.3, Safari before 11.1, iCloud for Windows before 7.4, ...) - webkit2gtk 2.22.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0007.html NOTE: Not covered by security support CVE-2018-4211 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) NOT-FOR-US: Apple CVE-2018-4210 (In iOS before 11.3, Safari before 11.1, tvOS before 11.3, watchOS befo ...) - webkit2gtk 2.22.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0007.html NOTE: Not covered by security support CVE-2018-4209 (In iOS before 11.3, Safari before 11.1, iCloud for Windows before 7.4, ...) - webkit2gtk 2.22.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0007.html NOTE: Not covered by security support CVE-2018-4208 (In iOS before 11.3, Safari before 11.1, iCloud for Windows before 7.4, ...) - webkit2gtk 2.22.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0007.html NOTE: Not covered by security support CVE-2018-4207 (In iOS before 11.3, Safari before 11.1, iCloud for Windows before 7.4, ...) - webkit2gtk 2.22.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0007.html NOTE: Not covered by security support CVE-2018-4206 (An issue was discovered in certain Apple products. iOS before 11.3.1 i ...) NOT-FOR-US: Apple CVE-2018-4205 (An issue was discovered in certain Apple products. Safari before 11.1. ...) NOT-FOR-US: Apple CVE-2018-4204 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) - webkit2gtk 2.20.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0004.html NOTE: Not covered by security support CVE-2018-4203 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) NOT-FOR-US: Apple CVE-2018-4202 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) NOT-FOR-US: Apple (iBooks component) CVE-2018-4201 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) - webkit2gtk 2.20.1-2 (unimportant) NOTE: Not covered by security support NOTE: https://webkitgtk.org/security/WSA-2018-0005.html CVE-2018-4200 (An issue was discovered in certain Apple products. iOS before 11.3.1 i ...) - webkit2gtk 2.20.2-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0004.html NOTE: Not covered by security support CVE-2018-4199 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) - webkit2gtk 2.20.3-1 (unimportant) NOTE: Not covered by security support NOTE: https://webkitgtk.org/security/WSA-2018-0005.html CVE-2018-4198 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) NOT-FOR-US: Apple (UIKit component) CVE-2018-4197 (A use after free issue was addressed with improved memory management. ...) - webkit2gtk 2.22.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0007.html NOTE: Not covered by security support CVE-2018-4196 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple (Accessibility Framework component) CVE-2018-4195 (An inconsistent user interface issue was addressed with improved state ...) NOT-FOR-US: Apple CVE-2018-4194 (In iOS before 11.4, iCloud for Windows before 7.5, watchOS before 4.3. ...) NOT-FOR-US: Apple CVE-2018-4193 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple (Windows Server component) CVE-2018-4192 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) - webkit2gtk 2.20.1-1 (unimportant) NOTE: Not covered by security support NOTE: https://webkitgtk.org/security/WSA-2018-0005.html CVE-2018-4191 (A memory corruption issue was addressed with improved validation. This ...) - webkit2gtk 2.22.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0007.html NOTE: Not covered by security support CVE-2018-4190 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) - webkit2gtk 2.20.3-1 (unimportant) NOTE: Not covered by security support NOTE: https://webkitgtk.org/security/WSA-2018-0005.html CVE-2018-4189 (In iOS before 11.2.5, macOS High Sierra before 10.13.3, Security Updat ...) NOT-FOR-US: Apple CVE-2018-4188 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) NOT-FOR-US: Safari CVE-2018-4187 (An issue was discovered in certain Apple products. iOS before 11.3.1 i ...) NOT-FOR-US: Apple (LinkPresentation component) CVE-2018-4186 (In Safari before 11.1, an information leakage issue existed in the han ...) NOT-FOR-US: Apple CVE-2018-4185 (In iOS before 11.3, tvOS before 11.3, watchOS before 4.3, and macOS be ...) NOT-FOR-US: Apple CVE-2018-4184 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple (Speech component) CVE-2018-4183 (In macOS High Sierra before 10.13.5, an access issue was addressed wit ...) - cups (MacOS X specific issue) NOTE: Fixed by: https://github.com/apple/cups/commit/d47f6aec436e0e9df6554436e391471097686ecc CVE-2018-4182 (In macOS High Sierra before 10.13.5, an access issue was addressed wit ...) - cups (MacOS X specific issue) NOTE: Fixed by: https://github.com/apple/cups/commit/d47f6aec436e0e9df6554436e391471097686ecc CVE-2018-4181 (In macOS High Sierra before 10.13.5, an issue existed in CUPS. This is ...) {DSA-4243-1 DLA-1426-1} - cups 2.2.8-2 NOTE: Fixed by: https://github.com/apple/cups/commit/d47f6aec436e0e9df6554436e391471097686ecc CVE-2018-4180 (In macOS High Sierra before 10.13.5, an issue existed in CUPS. This is ...) {DSA-4243-1 DLA-1426-1} - cups 2.2.8-2 NOTE: Fixed by: https://github.com/apple/cups/commit/d47f6aec436e0e9df6554436e391471097686ecc CVE-2018-4179 (In macOS High Sierra before 10.13.4, there was an issue with the handl ...) NOT-FOR-US: Apple CVE-2018-4178 (A permissions issue existed in which execute permission was incorrectl ...) NOT-FOR-US: Apple CVE-2018-4177 RESERVED CVE-2018-4176 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4175 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4174 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4173 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4172 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4171 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4170 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4169 (In macOS High Sierra before 10.13.3, Security Update 2018-001 Sierra, ...) NOT-FOR-US: Apple CVE-2018-4168 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4167 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4166 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4165 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - webkit2gtk 2.20.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0003.html NOTE: Not covered by security support CVE-2018-4164 (An issue was discovered in certain Apple products. Xcode before 9.3 is ...) NOT-FOR-US: Apple CVE-2018-4163 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - webkit2gtk 2.20.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0003.html NOTE: Not covered by security support CVE-2018-4162 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - webkit2gtk 2.20.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0003.html NOTE: Not covered by security support CVE-2018-4161 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - webkit2gtk 2.20.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0003.html NOTE: Not covered by security support CVE-2018-4160 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4159 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4158 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4157 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4156 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4155 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4154 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4153 (An injection issue was addressed with improved validation. This issue ...) NOT-FOR-US: Apple CVE-2018-4152 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4151 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4150 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4149 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4148 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4147 (In iCloud for Windows before 7.3, Safari before 11.0.3, iTunes before ...) NOT-FOR-US: Apple CVE-2018-4146 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - webkit2gtk 2.20.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0003.html NOTE: Not covered by security support CVE-2018-4145 (Multiple memory corruption issues were addressed with improved memory ...) NOT-FOR-US: Apple CVE-2018-4144 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4143 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4142 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4141 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4140 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4139 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4138 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: NVIDIA graphics driver for MacOS CVE-2018-4137 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4136 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4135 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4134 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4133 (An issue was discovered in certain Apple products. Safari before 11.1 ...) - webkit2gtk 2.20.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0003.html NOTE: Not covered by security support CVE-2018-4132 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Intel graphics driver for MacOS CVE-2018-4131 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4130 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4129 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - webkit2gtk 2.20.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0003.html NOTE: Not covered by security support CVE-2018-4128 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - webkit2gtk 2.20.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0003.html NOTE: Not covered by security support CVE-2018-4127 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - webkit2gtk 2.20.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0003.html NOTE: Not covered by security support CVE-2018-4126 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2018-4125 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - webkit2gtk 2.20.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0003.html NOTE: Not covered by security support CVE-2018-4124 (An issue was discovered in certain Apple products. iOS before 11.2.6 i ...) NOT-FOR-US: Apple CVE-2018-4123 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4122 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - webkit2gtk 2.20.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0003.html NOTE: Not covered by security support CVE-2018-4121 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - webkit2gtk 2.20.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0004.html NOTE: Not covered by security support CVE-2018-4120 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - webkit2gtk 2.20.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0003.html NOTE: Not covered by security support CVE-2018-4119 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - webkit2gtk 2.20.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0003.html NOTE: Not covered by security support CVE-2018-4118 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - webkit2gtk 2.20.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0003.html NOTE: Not covered by security support CVE-2018-4117 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) {DSA-4256-1} - chromium-browser 68.0.3440.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) - webkit2gtk 2.20.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0003.html NOTE: Not covered by security support CVE-2018-4116 (An issue was discovered in certain Apple products. Safari before 11.1 ...) NOT-FOR-US: Apple CVE-2018-4115 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4114 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - webkit2gtk 2.20.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0003.html NOTE: Not covered by security support CVE-2018-4113 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - webkit2gtk 2.20.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0003.html NOTE: Not covered by security support CVE-2018-4112 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4111 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4110 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4109 (An issue was discovered in certain Apple products. iOS before 11.2.5 i ...) NOT-FOR-US: Apple CVE-2018-4108 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4107 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4106 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4105 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4104 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4103 RESERVED CVE-2018-4102 (An issue was discovered in certain Apple products. Safari before 11.1 ...) NOT-FOR-US: Apple CVE-2018-4101 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - webkit2gtk 2.20.0-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0003.html NOTE: Not covered by security support CVE-2018-4100 (An issue was discovered in certain Apple products. iOS before 11.2.5 i ...) NOT-FOR-US: Apple CVE-2018-4099 RESERVED CVE-2018-4098 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4097 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4096 (An issue was discovered in certain Apple products. iOS before 11.2.5 i ...) - webkit2gtk 2.18.6-1 (unimportant) [stretch] - webkit2gtk 2.18.6-1~deb9u1 NOTE: https://webkitgtk.org/security/WSA-2018-0002.html NOTE: Not covered by security support CVE-2018-4095 (An issue was discovered in certain Apple products. iOS before 11.2.5 i ...) NOT-FOR-US: Apple bluetoothd NOTE: https://blog.zimperium.com/cve-2018-4087-poc-escaping-sandbox-misleading-bluetoothd/ CVE-2018-4094 (An issue was discovered in certain Apple products. iOS before 11.2.5 i ...) NOT-FOR-US: Apple CVE-2018-4093 (An issue was discovered in certain Apple products. iOS before 11.2.5 i ...) NOT-FOR-US: Apple CVE-2018-4092 (An issue was discovered in certain Apple products. iOS before 11.2.5 i ...) NOT-FOR-US: Apple CVE-2018-4091 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4090 (An issue was discovered in certain Apple products. iOS before 11.2.5 i ...) NOT-FOR-US: Apple CVE-2018-4089 (An issue was discovered in certain Apple products. iOS before 11.2.5 i ...) - webkit2gtk 2.18.6-1 (unimportant) [stretch] - webkit2gtk 2.18.6-1~deb9u1 NOTE: https://webkitgtk.org/security/WSA-2018-0002.html NOTE: Not covered by security support CVE-2018-4088 (An issue was discovered in certain Apple products. iOS before 11.2.5 i ...) - webkit2gtk 2.18.6-1 (unimportant) [stretch] - webkit2gtk 2.18.6-1~deb9u1 NOTE: https://webkitgtk.org/security/WSA-2018-0002.html NOTE: Not covered by security support CVE-2018-4087 (An issue was discovered in certain Apple products. iOS before 11.2.5 i ...) NOT-FOR-US: Apple bluetoothd NOTE: https://blog.zimperium.com/cve-2018-4087-poc-escaping-sandbox-misleading-bluetoothd/ CVE-2018-4086 (An issue was discovered in certain Apple products. iOS before 11.2.5 i ...) NOT-FOR-US: Apple CVE-2018-4085 (An issue was discovered in certain Apple products. iOS before 11.2.5 i ...) NOT-FOR-US: Apple CVE-2018-4084 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4083 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2018-4082 (An issue was discovered in certain Apple products. iOS before 11.2.5 i ...) NOT-FOR-US: Apple CVE-2018-4081 RESERVED CVE-2018-4080 REJECTED CVE-2018-4079 REJECTED CVE-2018-4078 REJECTED CVE-2018-4077 REJECTED CVE-2018-4076 REJECTED CVE-2018-4075 REJECTED CVE-2018-4074 REJECTED CVE-2018-4073 (An exploitable Permission Assignment vulnerability exists in the ACEMa ...) NOT-FOR-US: Sierra Wireless AirLink ES450 firmware CVE-2018-4072 (An exploitable Permission Assignment vulnerability exists in the ACEMa ...) NOT-FOR-US: Sierra Wireless AirLink ES450 firmware CVE-2018-4071 (An exploitable Information Disclosure vulnerability exists in the ACEM ...) NOT-FOR-US: Sierra Wireless AirLink ES450 firmware CVE-2018-4070 (An exploitable Information Disclosure vulnerability exists in the ACEM ...) NOT-FOR-US: Sierra Wireless AirLink ES450 firmware CVE-2018-4069 (An information disclosure vulnerability exists in the ACEManager authe ...) NOT-FOR-US: Sierra Wireless AirLink ES450 firmware CVE-2018-4068 (An exploitable information disclosure vulnerability exists in the ACEM ...) NOT-FOR-US: Sierra Wireless AirLink ES450 firmware CVE-2018-4067 (An exploitable information disclosure vulnerability exists in the ACEM ...) NOT-FOR-US: Sierra Wireless AirLink ES450 firmware CVE-2018-4066 (An exploitable cross-site request forgery vulnerability exists in the ...) NOT-FOR-US: Sierra Wireless AirLink ES450 firmware CVE-2018-4065 (An exploitable cross-site scripting vulnerability exists in the ACEMan ...) NOT-FOR-US: Sierra Wireless AirLink ES450 firmware CVE-2018-4064 (An exploitable unverified password change vulnerability exists in the ...) NOT-FOR-US: Sierra Wireless AirLink ES250 firmware CVE-2018-4063 (An exploitable remote code execution vulnerability exists in the uploa ...) NOT-FOR-US: Sierra Wireless AirLink ES450 firmware CVE-2018-4062 (A hard-coded credentials vulnerability exists in the snmpd function of ...) NOT-FOR-US: Sierra Wireless AirLink ES450 firmware CVE-2018-4061 (An exploitable command injection vulnerability exists in the ACEManage ...) NOT-FOR-US: Sierra Wireless AirLink ES450 firmware CVE-2018-4060 REJECTED CVE-2018-4059 (An exploitable unsafe default configuration vulnerability exists in th ...) {DSA-4373-1 DLA-1671-1} - coturn 4.5.1.0-1 CVE-2018-4058 (An exploitable unsafe default configuration vulnerability exists in th ...) {DSA-4373-1 DLA-1671-1} - coturn 4.5.1.0-1 CVE-2018-4057 REJECTED CVE-2018-4056 (An exploitable SQL injection vulnerability exists in the administrator ...) {DSA-4373-1 DLA-1671-1} - coturn 4.5.1.0-1 CVE-2018-4055 (A local privilege escalation vulnerability exists in the install helpe ...) NOT-FOR-US: Renderman CVE-2018-4054 (A local privilege escalation vulnerability exists in the install helpe ...) NOT-FOR-US: Renderman CVE-2018-4053 (An exploitable local denial-of-service vulnerability exists in the pri ...) NOT-FOR-US: GOG Galaxy's Games for MacOS CVE-2018-4052 (An exploitable local information leak vulnerability exists in the priv ...) NOT-FOR-US: GOG Galaxy's Games for MacOS CVE-2018-4051 (An exploitable local privilege escalation vulnerability exists in the ...) NOT-FOR-US: GOG Galaxy's Games for MacOS CVE-2018-4050 (An exploitable local privilege escalation vulnerability exists in the ...) NOT-FOR-US: GOG Galaxy's Games for MacOS CVE-2018-4049 (An exploitable local privilege elevation vulnerability exists in the f ...) NOT-FOR-US: GOG Galaxy's Games for Windows CVE-2018-4048 (An exploitable local privilege elevation vulnerability exists in the f ...) NOT-FOR-US: GOG Galaxy CVE-2018-4047 (An exploitable privilege escalation vulnerability exists in the helper ...) NOT-FOR-US: Clean My Mac X CVE-2018-4046 (An exploitable denial-of-service vulnerability exists in the helper se ...) NOT-FOR-US: Clean My Mac X CVE-2018-4045 (An exploitable privilege escalation vulnerability exists in the helper ...) NOT-FOR-US: Clean My Mac X CVE-2018-4044 (An exploitable privilege escalation vulnerability exists in the helper ...) NOT-FOR-US: Clean My Mac X CVE-2018-4043 (An exploitable privilege escalation vulnerability exists in the Clean ...) NOT-FOR-US: Clean My Mac X CVE-2018-4042 (An exploitable privilege escalation vulnerability exists in the helper ...) NOT-FOR-US: Clean My Mac X CVE-2018-4041 (An exploitable privilege escalation vulnerability exists in the helper ...) NOT-FOR-US: Clean My Mac X CVE-2018-4040 (An exploitable uninitialized pointer vulnerability exists in the rich ...) NOT-FOR-US: Atlantis Word Processor CVE-2018-4039 (An exploitable out-of-bounds write vulnerability exists in the PNG imp ...) NOT-FOR-US: Atlantis Word Processor CVE-2018-4038 (An exploitable arbitrary write vulnerability exists in the open docume ...) NOT-FOR-US: Atlantis Word Processor CVE-2018-4037 (The CleanMyMac X software contains an exploitable privilege escalation ...) NOT-FOR-US: Clean My Mac X CVE-2018-4036 (The CleanMyMac X software contains an exploitable privilege escalation ...) NOT-FOR-US: Clean My Mac X CVE-2018-4035 (The CleanMyMac X software contains an exploitable privilege escalation ...) NOT-FOR-US: Clean My Mac X CVE-2018-4034 (The CleanMyMac X software contains an exploitable privilege escalation ...) NOT-FOR-US: Clean My Mac X CVE-2018-4033 (The CleanMyMac X software contains an exploitable privilege escalation ...) NOT-FOR-US: Clean My Mac X CVE-2018-4032 (An exploitable privilege escalation vulnerability exists in the way th ...) NOT-FOR-US: Clean My Mac X CVE-2018-4031 (An exploitable vulnerability exists in the safe browsing function of t ...) NOT-FOR-US: CUJO Smart Firewall CVE-2018-4030 (An exploitable vulnerability exists the safe browsing function of the ...) NOT-FOR-US: CUJO Smart Firewall CVE-2018-4029 (An exploitable code execution vulnerability exists in the HTTP request ...) NOT-FOR-US: NT9665X Chipset firmwareNT9665X Chipset firmware on Anker Roav A1 Dashcam CVE-2018-4028 (An exploitable firmware update vulnerability exists in the NT9665X Chi ...) NOT-FOR-US: NT9665X Chipset firmwareNT9665X Chipset firmware on Anker Roav A1 Dashcam CVE-2018-4027 (An exploitable denial-of-service vulnerability exists in the XML_Uploa ...) NOT-FOR-US: NT9665X Chipset firmwareNT9665X Chipset firmware on Anker Roav A1 Dashcam CVE-2018-4026 (An exploitable denial-of-service vulnerability exists in the XML_GetSc ...) NOT-FOR-US: NT9665X Chipset firmwareNT9665X Chipset firmware on Anker Roav A1 Dashcam CVE-2018-4025 (An exploitable denial-of-service vulnerability exists in the XML_GetRa ...) NOT-FOR-US: NT9665X Chipset firmwareNT9665X Chipset firmware on Anker Roav A1 Dashcam CVE-2018-4024 (An exploitable denial-of-service vulnerability exists in the thumbnail ...) NOT-FOR-US: NT9665X Chipset firmwareNT9665X Chipset firmware on Anker Roav A1 Dashcam CVE-2018-4023 (An exploitable code execution vulnerability exists in the XML_UploadFi ...) NOT-FOR-US: NT9665X Chipset firmwareNT9665X Chipset firmware on Anker Roav A1 Dashcam CVE-2018-4022 (A use-after-free vulnerability exists in the way MKVToolNix MKVINFO v2 ...) - mkvtoolnix 28.2.0-1 [stretch] - mkvtoolnix (Vulnerable code introduced later) [jessie] - mkvtoolnix (vulnerable code is not present) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2018-0694 NOTE: https://gitlab.com/mbunkus/mkvtoolnix/commit/43021d16c7bcd3f9f70214827755a5163782b633 CVE-2018-4021 (An exploitable command injection vulnerability exists in the way Netga ...) NOT-FOR-US: pfSense CVE-2018-4020 (An exploitable command injection vulnerability exists in the way Netga ...) NOT-FOR-US: pfSense CVE-2018-4019 (An exploitable command injection vulnerability exists in the way Netga ...) NOT-FOR-US: pfSense CVE-2018-4018 (An exploitable firmware update vulnerability exists in the NT9665X Chi ...) NOT-FOR-US: NT9665X Chipset firmwareNT9665X Chipset firmware on Anker Roav A1 Dashcam CVE-2018-4017 (An exploitable vulnerability exists in the Wi-Fi Access Point feature ...) NOT-FOR-US: Roav A1 Dashcam CVE-2018-4016 (An exploitable code execution vulnerability exists in the URL-parsing ...) NOT-FOR-US: Roav A1 Dashcam CVE-2018-4015 (An exploitable vulnerability exists in the HTTP client functionality o ...) NOT-FOR-US: Webroot BrightCloud SDK CVE-2018-4014 (An exploitable code execution vulnerability exists in Wi-Fi Command 99 ...) NOT-FOR-US: Roav A1 Dashcam CVE-2018-4013 (An exploitable code execution vulnerability exists in the HTTP packet- ...) {DSA-4343-1 DLA-1582-1} - liblivemedia 2018.10.17-1 NOTE: http://lists.live555.com/pipermail/live-devel/2018-October/021071.html NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2018-0684 CVE-2018-4012 (An exploitable buffer overflow vulnerability exists in the HTTP header ...) NOT-FOR-US: Webroot BrightCloud SDK CVE-2018-4011 (An exploitable integer underflow vulnerability exists in the mdnscap b ...) NOT-FOR-US: CUJO Smart Firewall CVE-2018-4010 (An exploitable code execution vulnerability exists in the connect func ...) NOT-FOR-US: ProtonVPN client CVE-2018-4009 (An exploitable privilege escalation vulnerability exists in the Shimo ...) NOT-FOR-US: Shimo VPN CVE-2018-4008 (An exploitable privilege escalation vulnerability exists in the Shimo ...) NOT-FOR-US: Shimo VPN CVE-2018-4007 (An exploitable privilege escalation vulnerability exists in the Shimo ...) NOT-FOR-US: Shimo VPN CVE-2018-4006 (An exploitable privilege escalation vulnerability exists in the Shimo ...) NOT-FOR-US: Shimo VPN CVE-2018-4005 (An exploitable privilege escalation vulnerability exists in the Shimo ...) NOT-FOR-US: Shimo VPN CVE-2018-4004 (An exploitable privilege escalation vulnerability exists in the Shimo ...) NOT-FOR-US: Shimo VPN CVE-2018-4003 (An exploitable heap overflow vulnerability exists in the mdnscap binar ...) NOT-FOR-US: CUJO Smart Firewall CVE-2018-4002 (An exploitable denial-of-service vulnerability exists in the mdnscap b ...) NOT-FOR-US: CUJO Smart Firewall CVE-2018-4001 (An exploitable uninitialized pointer vulnerability exists in the Offic ...) NOT-FOR-US: Atlantis Word Processor CVE-2018-4000 (An exploitable double-free vulnerability exists in the Office Open XML ...) NOT-FOR-US: Atlantis Word Processor CVE-2018-3999 (An exploitable stack-based buffer overflow vulnerability exists in the ...) NOT-FOR-US: Atlantis Word Processor CVE-2018-3998 (An exploitable heap-based buffer overflow vulnerability exists in the ...) NOT-FOR-US: Atlantis Word Processor CVE-2018-3997 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit PDF Reader CVE-2018-3996 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit Software's PDF Reader CVE-2018-3995 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit Software's PDF Reader CVE-2018-3994 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit Software's PDF Reader CVE-2018-3993 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit Software's PDF Reader CVE-2018-3992 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit Software's PDF Reader CVE-2018-3991 (An exploitable heap overflow vulnerability exists in the WkbProgramLow ...) NOT-FOR-US: WibuKey CVE-2018-3990 (An exploitable pool corruption vulnerability exists in the 0x8200E804 ...) NOT-FOR-US: WibuKey CVE-2018-3989 (An exploitable kernel memory disclosure vulnerability exists in the 0x ...) NOT-FOR-US: WibuKey CVE-2018-3988 (Signal Messenger for Android 4.24.8 may expose private information whe ...) NOT-FOR-US: Signal Messenger CVE-2018-3987 (An exploitable information disclosure vulnerability exists in the 'Sec ...) NOT-FOR-US: Rakuten Viber on Android CVE-2018-3986 (An exploitable information disclosure vulnerability exists in the "Sec ...) NOT-FOR-US: Telegram Android CVE-2018-3985 (An exploitable double free vulnerability exists in the mdnscap binary ...) NOT-FOR-US: CUJO Smart Firewall CVE-2018-3984 (An exploitable uninitialized length vulnerability exists within the Wo ...) NOT-FOR-US: Atlantis Word Processor CVE-2018-3983 (An exploitable uninitialized pointer vulnerability exists in the Word ...) NOT-FOR-US: Atlantis Word Processor CVE-2018-3982 (An exploitable arbitrary write vulnerability exists in the Word docume ...) NOT-FOR-US: Atlantis Word Processor CVE-2018-3981 (An exploitable out-of-bounds write exists in the TIFF-parsing function ...) NOT-FOR-US: Atlantis Word Processor CVE-2018-3980 (An exploitable out-of-bounds write exists in the TIFF-parsing function ...) NOT-FOR-US: Canvas Draw CVE-2018-3979 (A remote denial-of-service vulnerability exists in the way the Nouveau ...) - xserver-xorg-video-nouveau (low) [buster] - xserver-xorg-video-nouveau (Minor issue) [stretch] - xserver-xorg-video-nouveau (Minor issue) [jessie] - xserver-xorg-video-nouveau (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2018-0647 CVE-2018-3978 (An exploitable out-of-bounds write vulnerability exists in the Word Do ...) NOT-FOR-US: Atlantis Word Processor CVE-2018-3977 (An exploitable code execution vulnerability exists in the XCF image re ...) {DLA-1865-1 DLA-1861-1} - libsdl2-image 2.0.3+dfsg1-3 (bug #912617) [stretch] - libsdl2-image 2.0.1+dfsg-2+deb9u2 - sdl-image1.2 1.2.12-10 (bug #912618) [stretch] - sdl-image1.2 1.2.12-5+deb9u2 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2018-0645 NOTE: https://hg.libsdl.org/SDL_image/rev/170d7d32e4a8 NOTE: follow-up fix (TALOS-2019-0842): https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10 NOTE: which got a separate CVE assigned as CVE-2019-5058. CVE-2018-3976 (An exploitable out-of-bounds write exists in the CALS Raster file form ...) NOT-FOR-US: Canvas Draw CVE-2018-3975 (An exploitable uninitialized variable vulnerability exists in the RTF- ...) NOT-FOR-US: Atlantis Word Processor CVE-2018-3974 (An exploitable local privilege elevation vulnerability exists in the f ...) NOT-FOR-US: GOG Galaxy's CVE-2018-3973 (An exploitable out of bounds write exists in the CAL parsing functiona ...) NOT-FOR-US: Canvas Draw CVE-2018-3972 (An exploitable code execution vulnerability exists in the Levin deseri ...) NOT-FOR-US: Epee library CVE-2018-3971 (An exploitable arbitrary write vulnerability exists in the 0x2222CC IO ...) NOT-FOR-US: Sophos CVE-2018-3970 (An exploitable memory disclosure vulnerability exists in the 0x222000 ...) NOT-FOR-US: Sophos CVE-2018-3969 (An exploitable vulnerability exists in the verified boot protection of ...) NOT-FOR-US: CUJO Smart Firewall CVE-2018-3968 (An exploitable vulnerability exists in the verified boot protection of ...) - u-boot 2014.07+dfsg1-1 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2018-0633 CVE-2018-3967 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit Software's Foxit PDF Reader CVE-2018-3966 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit Software's Foxit PDF Reader CVE-2018-3965 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit Software's Foxit PDF Reader CVE-2018-3964 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit Software's Foxit PDF Reader CVE-2018-3963 (An exploitable command injection vulnerability exists in the DHCP daem ...) NOT-FOR-US: CUJO Smart Firewall CVE-2018-3962 (A use-after-free vulnerability exists in the JavaScript engine of Foxi ...) NOT-FOR-US: Foxit Software's Foxit PDF Reader CVE-2018-3961 (A use-after-free vulnerability exists in the JavaScript engine of Foxi ...) NOT-FOR-US: Foxit Software's Foxit PDF Reader CVE-2018-3960 (A use-after-free vulnerability exists in the JavaScript engine of Foxi ...) NOT-FOR-US: Foxit Software's Foxit PDF Reader CVE-2018-3959 (A use-after-free vulnerability exists in the JavaScript engine of Foxi ...) NOT-FOR-US: Foxit Software's Foxit PDF Reader CVE-2018-3958 (A use-after-free vulnerability exists in the JavaScript engine of Foxi ...) NOT-FOR-US: Foxit Software's Foxit PDF Reader CVE-2018-3957 (A use-after-free vulnerability exists in the JavaScript engine of Foxi ...) NOT-FOR-US: Foxit Software's Foxit PDF Reader CVE-2018-3956 (An exploitable out-of-bounds read vulnerability exists in the handling ...) NOT-FOR-US: Foxit CVE-2018-3955 (An exploitable operating system command injection exists in the Linksy ...) NOT-FOR-US: Linksys CVE-2018-3954 (Devices in the Linksys ESeries line of routers (Linksys E1200 Firmware ...) NOT-FOR-US: Linksys CVE-2018-3953 (Devices in the Linksys ESeries line of routers (Linksys E1200 Firmware ...) NOT-FOR-US: Linksys CVE-2018-3952 (An exploitable code execution vulnerability exists in the connect func ...) NOT-FOR-US: NordVPN CVE-2018-3951 (An exploitable remote code execution vulnerability exists in the HTTP ...) NOT-FOR-US: TP-Link CVE-2018-3950 (An exploitable remote code execution vulnerability exists in the ping ...) NOT-FOR-US: TP-Link CVE-2018-3949 (An exploitable information disclosure vulnerability exists in the HTTP ...) NOT-FOR-US: TP-Link CVE-2018-3948 (An exploitable denial-of-service vulnerability exists in the URI-parsi ...) NOT-FOR-US: TP-Link CVE-2018-3947 (An exploitable information disclosure vulnerability exists in the phon ...) NOT-FOR-US: Yi Home Camera CVE-2018-3946 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit Software's Foxit PDF Reader CVE-2018-3945 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit Software's Foxit PDF Reader CVE-2018-3944 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit Software's Foxit PDF Reader CVE-2018-3943 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit Software's Foxit PDF Reader CVE-2018-3942 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit Software's Foxit PDF Reader CVE-2018-3941 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit Software's Foxit PDF Reader CVE-2018-3940 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit Software's Foxit PDF Reader CVE-2018-3939 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit CVE-2018-3938 (An exploitable stack-based buffer overflow vulnerability exists in the ...) NOT-FOR-US: Sony CVE-2018-3937 (An exploitable command injection vulnerability exists in the measureme ...) NOT-FOR-US: Sony CVE-2018-3936 (In Antenna House Office Server Document Converter version V6.1 Pro MR2 ...) NOT-FOR-US: Antenna House Office Server Document Converter CVE-2018-3935 (An exploitable code execution vulnerability exists in the UDP network ...) NOT-FOR-US: Yi Home Camera CVE-2018-3934 (An exploitable code execution vulnerability exists in the firmware upd ...) NOT-FOR-US: Yi Home Camera CVE-2018-3933 (An exploitable out-of-bounds write exists in the Microsoft Word docume ...) NOT-FOR-US: Microsoft CVE-2018-3932 (An exploitable stack-based buffer overflow exists in the Microsoft Wor ...) NOT-FOR-US: Microsoft CVE-2018-3931 (In Antenna House Office Server Document Converter version V6.1 Pro MR2 ...) NOT-FOR-US: Microsoft CVE-2018-3930 (In Antenna House Office Server Document Converter version V6.1 Pro MR2 ...) NOT-FOR-US: Microsoft CVE-2018-3929 (An exploitable heap corruption exists in the PowerPoint document conve ...) NOT-FOR-US: Microsoft CVE-2018-3928 (An exploitable code execution vulnerability exists in the firmware upd ...) NOT-FOR-US: Yi Home Camera CVE-2018-3927 (An exploitable information disclosure vulnerability exists in the cras ...) NOT-FOR-US: Samsung SmartThings Hub STH-ETH-250 devices CVE-2018-3926 (An exploitable integer underflow vulnerability exists in the ZigBee fi ...) NOT-FOR-US: Samsung CVE-2018-3925 (An exploitable buffer overflow vulnerability exists in the remote vide ...) NOT-FOR-US: Samsung SmartThings Hub STH-ETH-250 devices CVE-2018-3924 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit PDF Reader CVE-2018-3923 (A memory corruption vulnerability exists in the PCX-parsing functional ...) NOT-FOR-US: Computerinsel Photoline CVE-2018-3922 (A memory corruption vulnerability exists in the ANI-parsing functional ...) NOT-FOR-US: Computerinsel Photoline CVE-2018-3921 (A memory corruption vulnerability exists in the PSD-parsing functional ...) NOT-FOR-US: Computerinsel Photoline CVE-2018-3920 (An exploitable code execution vulnerability exists in the firmware upd ...) NOT-FOR-US: Yi Home Camera CVE-2018-3919 (An exploitable stack-based buffer overflow vulnerability exists in the ...) NOT-FOR-US: Samsung SmartThings Hub STH-ETH-250 devices CVE-2018-3918 (An exploitable vulnerability exists in the remote servers of Samsung S ...) NOT-FOR-US: Samsung SmartThings Hub STH-ETH-250 devices CVE-2018-3917 (On Samsung SmartThings Hub STH-ETH-250 devices with firmware version 0 ...) NOT-FOR-US: Samsung SmartThings Hub STH-ETH-250 devices CVE-2018-3916 (An exploitable stack-based buffer overflow vulnerability exists in the ...) NOT-FOR-US: Samsung CVE-2018-3915 (An exploitable stack-based buffer overflow vulnerability exists in the ...) NOT-FOR-US: Samsung CVE-2018-3914 (An exploitable stack-based buffer overflow vulnerability exists in the ...) NOT-FOR-US: Samsung CVE-2018-3913 (An exploitable stack-based buffer overflow vulnerability exists in the ...) NOT-FOR-US: Samsung CVE-2018-3912 (On Samsung SmartThings Hub STH-ETH-250 devices with firmware version 0 ...) NOT-FOR-US: Samsung SmartThings Hub STH-ETH-250 devices CVE-2018-3911 (An exploitable HTTP header injection vulnerability exists in the remot ...) NOT-FOR-US: Samsung SmartThings Hub STH-ETH-250 devices CVE-2018-3910 (An exploitable code execution vulnerability exists in the cloud OTA se ...) NOT-FOR-US: Yi Home Camera CVE-2018-3909 (An exploitable vulnerability exists in the REST parser of video-core's ...) NOT-FOR-US: Samsung SmartThings Hub STH-ETH-250 devices CVE-2018-3908 (An exploitable vulnerability exists in the REST parser of video-core's ...) NOT-FOR-US: Samsung SmartThings Hub STH-ETH-250-Firmware CVE-2018-3907 (An exploitable vulnerability exists in the REST parser of video-core's ...) NOT-FOR-US: Samsung SmartThings Hub STH-ETH-250 devices CVE-2018-3906 (An exploitable stack-based buffer overflow vulnerability exists in the ...) NOT-FOR-US: Samsung CVE-2018-3905 (An exploitable buffer overflow vulnerability exists in the camera "cre ...) NOT-FOR-US: Samsung SmartThings Hub STH-ETH-250 devices CVE-2018-3904 (An exploitable buffer overflow vulnerability exists in the camera 'upd ...) NOT-FOR-US: Samsung SmartThings Hub STH-ETH-250 devices CVE-2018-3903 (On Samsung SmartThings Hub STH-ETH-250 devices with firmware version 0 ...) NOT-FOR-US: Samsung SmartThings Hub STH-ETH-250 devices CVE-2018-3902 (An exploitable buffer overflow vulnerability exists in the camera "rep ...) NOT-FOR-US: Samsung SmartThings Hub STH-ETH-250 devices CVE-2018-3901 RESERVED CVE-2018-3900 (An exploitable code execution vulnerability exists in the QR code scan ...) NOT-FOR-US: Yi Home Camera CVE-2018-3899 (An exploitable code execution vulnerability exists in the QR code scan ...) NOT-FOR-US: Yi Home Camera CVE-2018-3898 (An exploitable code execution vulnerability exists in the QR code scan ...) NOT-FOR-US: Yi Home Camera CVE-2018-3897 (An exploitable buffer overflow vulnerabilities exist in the /cameras/X ...) NOT-FOR-US: Samsung CVE-2018-3896 (An exploitable buffer overflow vulnerabilities exist in the /cameras/X ...) NOT-FOR-US: Samsung CVE-2018-3895 (An exploitable buffer overflow vulnerability exists in the /cameras/XX ...) NOT-FOR-US: Samsung SmartThings Hub STH-ETH-250 Firmware CVE-2018-3894 (An exploitable buffer overflow vulnerability exists in the /cameras/XX ...) NOT-FOR-US: Samsung CVE-2018-3893 (An exploitable buffer overflow vulnerability exists in the /cameras/XX ...) NOT-FOR-US: Samsung SmartThings Hub STH-ETH-250 devices CVE-2018-3892 (An exploitable firmware downgrade vulnerability exists in the time syn ...) NOT-FOR-US: Yi Home Camera CVE-2018-3891 (An exploitable firmware downgrade vulnerability exists in the firmware ...) NOT-FOR-US: Yi Home Camera CVE-2018-3890 (An exploitable code execution vulnerability exists in the firmware upd ...) NOT-FOR-US: Yi Home Camera CVE-2018-3889 (A specially crafted PCX image processed via the application can lead t ...) NOT-FOR-US: Computerinsel Photoline CVE-2018-3888 (A memory corruption vulnerability exists in the PCX-parsing functional ...) NOT-FOR-US: Computerinsel Photoline CVE-2018-3887 (A memory corruption vulnerability exists in the PCX-parsing functional ...) NOT-FOR-US: Computerinsel Photoline CVE-2018-3886 (A memory corruption vulnerability exists in the PCX-parsing functional ...) NOT-FOR-US: Computerinsel Photoline CVE-2018-3885 (An exploitable SQL injection vulnerability exists in the authenticated ...) NOT-FOR-US: ERPNext CVE-2018-3884 (An exploitable SQL injection vulnerability exists in the authenticated ...) NOT-FOR-US: ERPNext CVE-2018-3883 (An exploitable SQL injection vulnerability exists in the authenticated ...) NOT-FOR-US: ERPNext CVE-2018-3882 (An exploitable SQL injection vulnerability exists in the authenticated ...) NOT-FOR-US: ERPNext CVE-2018-3881 (An exploitable unauthenticated XML external injection vulnerability wa ...) NOT-FOR-US: FocalScope CVE-2018-3880 (An exploitable stack-based buffer overflow vulnerability exists in the ...) NOT-FOR-US: Samsung SmartThings Hub STH-ETH-250 devices CVE-2018-3879 (An exploitable JSON injection vulnerability exists in the credentials ...) NOT-FOR-US: Samsung SmartThings Hub STH-ETH-250 devices CVE-2018-3878 (Multiple exploitable buffer overflow vulnerabilities exist in the cred ...) NOT-FOR-US: Samsung SmartThings Hub STH-ETH-250 devices CVE-2018-3877 (An exploitable buffer overflow vulnerability exists in the credentials ...) NOT-FOR-US: Samsung CVE-2018-3876 (An exploitable buffer overflow vulnerability exists in the credentials ...) NOT-FOR-US: Samsung CVE-2018-3875 (An exploitable buffer overflow vulnerability exists in the credentials ...) NOT-FOR-US: Samsung CVE-2018-3874 (An exploitable buffer overflow vulnerability exists in the credentials ...) NOT-FOR-US: Samsung CVE-2018-3873 (An exploitable buffer overflow vulnerability exists in the credentials ...) NOT-FOR-US: Samsung CVE-2018-3872 (An exploitable buffer overflow vulnerability exists in the credentials ...) NOT-FOR-US: Samsung SmartThings Hub STH-ETH-250 devices CVE-2018-3871 (An exploitable out-of-bounds write exists in the PCX parsing functiona ...) NOT-FOR-US: Canvas Draw CVE-2018-3870 (An exploitable out-of-bounds write exists in the PCX parsing functiona ...) NOT-FOR-US: Canvas Draw CVE-2018-3869 REJECTED CVE-2018-3868 (A specially crafted TIFF image processed via the application can lead ...) NOT-FOR-US: Computerinsel Photoline CVE-2018-3867 (An exploitable stack-based buffer overflow vulnerability exists in the ...) NOT-FOR-US: Samsung SmartThings Hub STH-ETH-250 devices CVE-2018-3866 (An exploitable buffer overflow vulnerability exists in the samsungWifi ...) NOT-FOR-US: Samsung SmartThings Hub STH-ETH-250 devices CVE-2018-3865 (An exploitable buffer overflow vulnerability exists in the Samsung Wif ...) NOT-FOR-US: Samsung CVE-2018-3864 (An exploitable buffer overflow vulnerability exists in the Samsung Wif ...) NOT-FOR-US: Samsung CVE-2018-3863 (On Samsung SmartThings Hub STH-ETH-250 devices with firmware version 0 ...) NOT-FOR-US: Samsung SmartThings Hub STH-ETH-250 devices CVE-2018-3862 (A specially crafted TIFF image processed via the application can lead ...) NOT-FOR-US: Computerinsel Photoline CVE-2018-3861 (A specially crafted TIFF image processed via the application can lead ...) NOT-FOR-US: Computerinsel Photoline CVE-2018-3860 (An exploitable out-of-bounds write exists in the TIFF parsing function ...) NOT-FOR-US: Canvas Draw CVE-2018-3859 (An exploitable out-of-bounds write exists in the TIFF parsing function ...) NOT-FOR-US: Canvas Draw CVE-2018-3858 (An exploitable heap overflow exists in the TIFF parsing functionality ...) NOT-FOR-US: Canvas Draw CVE-2018-3857 (An exploitable heap overflow exists in the TIFF parsing functionality ...) NOT-FOR-US: Canvas Draw CVE-2018-3856 (An exploitable vulnerability exists in the smart cameras RTSP configur ...) NOT-FOR-US: Samsung SmartThings Hub STH-ETH-250 devices CVE-2018-3855 (In Hyland Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Li ...) NOT-FOR-US: Hyland Perceptive Document Filters CVE-2018-3854 (An exploitable information disclosure vulnerability exists in the pass ...) NOT-FOR-US: Quicken CVE-2018-3853 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit PDF Reader CVE-2018-3852 (An exploitable denial of service vulnerability exists in the Ocularis ...) NOT-FOR-US: Ocularis Recorder CVE-2018-3851 (In Hyland Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Li ...) NOT-FOR-US: Hyland Perceptive Document Filters CVE-2018-3850 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit PDF Reader CVE-2018-3849 (In the ffghtb function in NASA CFITSIO 3.42, specially crafted images ...) - cfitsio 3.430-1 (low; bug #892458) [stretch] - cfitsio (Minor issue) [jessie] - cfitsio (Minor issue) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0531 NOTE: Mitigated to a crash due to hardened build flags CVE-2018-3848 (In the ffghbn function in NASA CFITSIO 3.42, specially crafted images ...) - cfitsio 3.430-1 (low; bug #892458) [stretch] - cfitsio (Minor issue) [jessie] - cfitsio (Minor issue) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0531 NOTE: Mitigated to a crash due to hardened build flags CVE-2018-3847 (Multiple exploitable buffer overflow vulnerabilities exist in image pa ...) - cfitsio 3.430-1 (low; bug #892458) [stretch] - cfitsio (Minor issue) [jessie] - cfitsio (Minor issue) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0530 CVE-2018-3846 (In the ffgphd and ffgtkn functions in NASA CFITSIO 3.42, specially cra ...) - cfitsio 3.430-1 (low; bug #892458) [stretch] - cfitsio (Minor issue) [jessie] - cfitsio (Minor issue) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0529 NOTE: Mitigated to a crash due to hardened build flags CVE-2018-3845 (In Hyland Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Li ...) NOT-FOR-US: Hyland Perceptive Document Filters CVE-2018-3844 (In Hyland Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Li ...) NOT-FOR-US: Hyland Perceptive Document Filters CVE-2018-3843 (An exploitable type confusion vulnerability exists in the way Foxit PD ...) NOT-FOR-US: Foxit PDF Reader CVE-2018-3842 (An exploitable use of an uninitialized pointer vulnerability exists in ...) NOT-FOR-US: Foxit PDF Reader CVE-2018-3841 (A denial-of-service vulnerability exists in the Pixar Renderman IT Dis ...) NOT-FOR-US: Renderman CVE-2018-3840 (A denial-of-service vulnerability exists in the Pixar Renderman IT Dis ...) NOT-FOR-US: Renderman CVE-2018-3839 (An exploitable code execution vulnerability exists in the XCF image re ...) {DSA-4184-1 DSA-4177-1 DLA-1341-1} - libsdl2-image 2.0.3+dfsg1-1 - sdl-image1.2 1.2.12-8 NOTE: https://hg.libsdl.org/SDL_image/rev/fb643e371806910f1973abfdfe7f981e8dba60f5 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0521 CVE-2018-3838 (An exploitable information vulnerability exists in the XCF image rende ...) {DSA-4184-1 DSA-4177-1 DLA-1341-1} - libsdl2-image 2.0.3+dfsg1-1 - sdl-image1.2 1.2.12-8 NOTE: https://hg.libsdl.org/SDL_image/rev/c5f9cbb5d2bbcb2150ba0596ea56b49efeed660d NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0520 CVE-2018-3837 (An exploitable information disclosure vulnerability exists in the PCX ...) {DSA-4184-1 DSA-4177-1 DLA-1341-1} - libsdl2-image 2.0.3+dfsg1-1 - sdl-image1.2 1.2.12-8 NOTE: https://hg.libsdl.org/SDL_image/rev/2938fc80591abeae74b971cbdf966eff3213297e NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0519 CVE-2018-7442 (An issue was discovered in Leptonica through 1.75.3. The gplotMakeOutp ...) - leptonlib 1.76.0-1 (bug #898439) [stretch] - leptonlib (Minor issue) [jessie] - leptonlib (Minor issue) [wheezy] - leptonlib (Minor issue) NOTE: https://lists.debian.org/debian-lts/2018/02/msg00086.html CVE-2018-7441 (Leptonica through 1.75.3 uses hardcoded /tmp pathnames, which might al ...) - leptonlib 1.76.0-1 (unimportant) NOTE: https://lists.debian.org/debian-lts/2018/02/msg00054.html NOTE: Neutralised by kernel hardening CVE-2017-18196 (Leptonica 1.74.4 constructs unintended pathnames (containing duplicate ...) - leptonlib 1.74.4-2 (low; bug #885704) [stretch] - leptonlib (Minor issue) [jessie] - leptonlib (Vulnerable code not present) [wheezy] - leptonlib (Vulnerable code not present) CVE-2018-7440 (An issue was discovered in Leptonica through 1.75.3. The gplotMakeOutp ...) {DLA-1302-1} - leptonlib 1.75.3-3 (bug #891932) [stretch] - leptonlib (Incomplete fix for CVE-2018-3836 not applied) [jessie] - leptonlib (Incomplete fix for CVE-2018-3836 not applied) NOTE: https://github.com/DanBloomberg/leptonica/issues/303#issuecomment-366472212 NOTE: https://github.com/DanBloomberg/leptonica/pull/313/commits/49ecb6c2dfd6ed5078c62f4a8eeff03e3beced3b CVE-2018-3836 (An exploitable command injection vulnerability exists in the gplotMake ...) {DLA-1284-1} - leptonlib 1.75.3-1 (bug #889759) [stretch] - leptonlib (Minor issue) [jessie] - leptonlib (Minor issue) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0516 NOTE: https://github.com/DanBloomberg/leptonica/issues/303 NOTE: When fixing this issue make sure the fix is complete and includes as well NOTE: https://github.com/DanBloomberg/leptonica/pull/313/commits/49ecb6c2dfd6ed5078c62f4a8eeff03e3beced3b NOTE: to not open CVE-2018-7440. CVE-2018-3835 (An exploitable out of bounds write vulnerability exists in version 2.2 ...) NOT-FOR-US: Per Face Texture (PTEX) CVE-2018-3834 (An exploitable permanent denial of service vulnerability exists in Ins ...) NOT-FOR-US: Insteon Hub CVE-2018-3833 (An exploitable firmware downgrade vulnerability exists in Insteon Hub ...) NOT-FOR-US: Insteon Hub CVE-2018-3832 (An exploitable firmware update vulnerability exists in Insteon Hub run ...) NOT-FOR-US: Insteon Hub CVE-2018-3831 (Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6. ...) - elasticsearch CVE-2018-3830 (Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulner ...) - kibana (bug #700337) CVE-2018-3829 (In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 it was disco ...) NOT-FOR-US: Elastic Cloud Enterprise CVE-2018-3828 (Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 contain an info ...) NOT-FOR-US: Elastic Cloud Enterprise CVE-2018-3827 (A sensitive data disclosure flaw was found in the Elasticsearch reposi ...) NOT-FOR-US: Elasticsearch repository-azure CVE-2018-3826 (In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was f ...) - elasticsearch CVE-2018-3825 (In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default ma ...) NOT-FOR-US: Elastic Cloud Enterprise CVE-2018-3824 (X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-si ...) NOT-FOR-US: Elastic X-Pack Machine Learning CVE-2018-3823 (X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-si ...) NOT-FOR-US: Elastic X-Pack Machine Learning CVE-2018-3822 (X-Pack Security versions 6.2.0, 6.2.1, and 6.2.2 are vulnerable to a u ...) NOT-FOR-US: Elastic X-Pack Security CVE-2018-3821 (Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-sit ...) - kibana (bug #700337) CVE-2018-3820 (Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scriptin ...) - kibana (bug #700337) CVE-2018-3819 (The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security ...) - kibana (bug #700337) CVE-2018-3818 (Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (X ...) - kibana (bug #700337) CVE-2018-3817 (When logging warnings regarding deprecated settings, Logstash before 5 ...) - logstash (bug #664841) CVE-2017-18017 (The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the ...) {DSA-4187-1 DLA-1369-1} - linux 4.11.6-1 [stretch] - linux 4.9.47-1 NOTE: Fixed by: https://git.kernel.org/linus/2638fd0f92d4397884fd991d8f4925cb3f081901 CVE-2017-18016 (Parity Browser 1.6.10 and earlier allows remote attackers to bypass th ...) NOT-FOR-US: Paritytech Parity Ethereum CVE-2017-1000493 (Rocket.Chat Server version 0.59 and prior is vulnerable to a NoSQL inj ...) NOT-FOR-US: Rocket.Chat Server CVE-2017-1000492 (Leanote-desktop version v2.5 is vulnerable to a XSS which leads to cod ...) NOT-FOR-US: Leanote-desktop CVE-2017-1000491 (Shiba markdown live preview app version 1.1.0 is vulnerable to XSS whi ...) NOT-FOR-US: Shiba markdown live preview app CVE-2017-1000466 (Invoice Ninja version 3.8.1 is vulnerable to stored cross-site scripti ...) NOT-FOR-US: Invoice Ninja CVE-2017-1000463 (Leafpub version 1.2.0-beta6 is vulnerable to stored cross-site scripti ...) NOT-FOR-US: Leafpub CVE-2017-1000459 (Leanote version <= 2.5 is vulnerable to XSS due to not sanitized in ...) NOT-FOR-US: Leanote CVE-2017-1000438 (In OMERO 5.3.3 or earlier a user could create an OriginalFile and adju ...) NOT-FOR-US: OMERO CVE-2017-1000437 (Creolabs Gravity 1.0 contains a stack based buffer overflow in the ope ...) NOT-FOR-US: Creolabs Gravity CVE-2017-1000434 (Wordpress plugin Furikake version 0.1.0 is vulnerable to an Open Redir ...) NOT-FOR-US: Wordpress plugin Furikake CVE-2017-1000433 (pysaml2 version 4.4.0 and older accept any password when run with pyth ...) {DLA-1410-1} - python-pysaml2 4.5.0-2 (bug #886423) [stretch] - python-pysaml2 (Minor issue) NOTE: https://github.com/rohe/pysaml2/issues/451 NOTE: Fixed by: https://github.com/rohe/pysaml2/commit/6312a41e037954850867f29d329e5007df1424a5 CVE-2017-1000432 (Vanilla Forums below 2.1.5 are affected by CSRF leading to Deleting to ...) NOT-FOR-US: Vanilla Forums CVE-2017-1000427 (marked version 0.3.6 and earlier is vulnerable to an XSS attack in the ...) - node-marked 0.3.9+dfsg-1 (unimportant; bug #886451) NOTE: https://github.com/chjj/marked/commit/cd2f6f5b7091154c5526e79b5f3bfb4d15995a51 NOTE: nodejs not covered by security support CVE-2017-1000426 (MapProxy version 1.10.3 and older is vulnerable to a Cross Site Script ...) - mapproxy 1.10.4-1 (low) [stretch] - mapproxy 1.9.0-3+deb9u1 NOTE: https://github.com/mapproxy/mapproxy/issues/322 NOTE: https://github.com/mapproxy/mapproxy/commit/2e102843203c11b02c002daa08ca59d05d5eff5a (master) NOTE: https://github.com/mapproxy/mapproxy/commit/87faa667007b00ef11ee09b16707aa9ad2e8da28 (1.10.x) CVE-2017-1000425 (Cross-site scripting (XSS) vulnerability in the /html/portal/flash.jsp ...) NOT-FOR-US: Liferay Portal CE CVE-2017-1000458 (Bro before Bro v2.5.2 is vulnerable to an out of bounds write in the C ...) - bro 2.5.2-1 [stretch] - bro (Minor issue) NOTE: https://bro-tracker.atlassian.net/browse/BIT-1856 NOTE: https://github.com/bro/bro/commit/6c0f101a62489b1c5927b4ed63b0e1d37db40282 CVE-2017-1000457 (Cross-site scripting (XSS) vulnerability in Help.aspx in mojoPortal ve ...) NOT-FOR-US: mojoPortal CVE-2017-1000456 (freedesktop.org libpoppler 0.60.1 fails to validate boundaries in Text ...) {DSA-4097-1 DLA-1228-1} - poppler 0.61.1-2 NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=103116 NOTE: Fixed by: https://cgit.freedesktop.org/poppler/poppler/commit/?id=7ee9dadef37b20bca707a6b1e858e17d191e368b CVE-2017-1000455 (GuixSD prior to Git commit 5e66574a128937e7f2fcf146d146225703ccfd5d us ...) - guix (bug #850644) NOTE: https://lists.gnu.org/archive/html/guix-devel/2017-10/msg00090.html CVE-2017-1000454 (CMS Made Simple 2.1.6, 2.2, 2.2.1 are vulnerable to Smarty Template In ...) NOT-FOR-US: CMS Made Simple CVE-2017-1000453 (CMS Made Simple version 2.1.6 and 2.2 are vulnerable to Smarty templat ...) NOT-FOR-US: CMS Made Simple CVE-2017-1000452 (An XML Signature Wrapping vulnerability exists in Samlify 2.2.0 and ea ...) NOT-FOR-US: Samlify CVE-2017-1000451 (fs-git is a file system like api for git repository. The fs-git versio ...) NOT-FOR-US: fs-git CVE-2017-1000450 (In opencv/modules/imgcodecs/src/utils.cpp, functions FillUniColor and ...) {DLA-1438-1 DLA-1235-1} [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #886282) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9723 NOTE: https://github.com/blendin/pocs/blob/master/opencv/0.OOB_Write_FillUniColor NOTE: https://github.com/opencv/opencv/pull/9726 CVE-2017-1000449 REJECTED CVE-2017-1000448 (Structured Data Linter versions 2.4.1 and older are vulnerable to a di ...) NOT-FOR-US: Structured Data Linter CVE-2017-1000445 (ImageMagick 7.0.7-1 and older version are vulnerable to null pointer d ...) {DLA-1785-1 DLA-1229-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #886281) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/775 NOTE: https://github.com/ImageMagick/ImageMagick/commit/441fde32557eb3cec573b0f877ac324173feed7f NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/839a14e43d0c88db7b3fffe8aa4ec57d80c93623 CVE-2017-1000444 (Eleix Openhacker version 0.1.47 is vulnerable to an SQL injection in t ...) NOT-FOR-US: Eleix Openhacker CVE-2017-1000443 (Eleix Openhacker version 0.1.47 is vulnerable to a XSS vulnerability i ...) NOT-FOR-US: Eleix Openhacker CVE-2017-1000442 (Passbolt API version 1.6.4 and older are vulnerable to a XSS in the ur ...) NOT-FOR-US: Passbolt API CVE-2017-1000431 (eZ Systems eZ Publish version 5.4.0 to 5.4.9, and 5.3.12 and older, is ...) NOT-FOR-US: eZ Systems eZ Publish CVE-2017-1000430 (rust-base64 version <= 0.5.1 is vulnerable to a buffer overflow whe ...) NOTE: https://github.com/RustSec/advisory-db/blob/master/crates/base64/RUSTSEC-2017-0004.toml NOT-FOR-US: rust-base64 CVE-2017-1000424 (Github Electron version 1.6.4 - 1.6.11 and 1.7.0 - 1.7.5 is vulnerable ...) - electron (bug #842420) CVE-2017-1000423 (b2evolution version 6.6.0 - 6.8.10 is vulnerable to input validation ( ...) - b2evolution CVE-2017-1000422 (Gnome gdk-pixbuf 2.36.8 and older is vulnerable to several integer ove ...) {DSA-4088-1 DLA-1234-1} - gdk-pixbuf 2.36.11-1 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=785973 NOTE: Fixed by: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=0012e066ba37439d402ce46afbc1311530a4ec61 CVE-2017-1000421 (Gifsicle gifview 1.89 and older is vulnerable to a use-after-free in t ...) {DSA-4084-1 DLA-1233-1} - gifsicle 1.90-1 NOTE: https://github.com/kohler/gifsicle/issues/114 NOTE: https://github.com/kohler/gifsicle/commit/81fd7823f6d9c85ab598bc850e40382068361185 CVE-2017-1000420 (Syncthing version 0.14.33 and older is vulnerable to symlink traversal ...) - syncthing 0.14.36+ds1-1 [stretch] - syncthing (Minor issue) NOTE: https://github.com/syncthing/syncthing/commit/1f09488a0f1fdca07076b007b9789f23a6df1060 (v0.14.34) NOTE: https://github.com/syncthing/syncthing/commit/a0f771c221f6ef18fcc496e736670d85f36b8dec NOTE: https://github.com/syncthing/syncthing/issues/4286 CVE-2017-1000419 (phpBB version 3.2.0 is vulnerable to SSRF in the Remote Avatar functio ...) - phpbb3 [jessie] - phpbb3 (Vulnerable code not present) [wheezy] - phpbb3 (Vulnerable code not present) CVE-2017-1000418 (The WildMidi_Open function in WildMIDI since commit d8a466829c67cacbb1 ...) - wildmidi 0.4.2-1 (bug #886503) [stretch] - wildmidi (Minor issue) [jessie] - wildmidi (Vulnerable code introduced later) [wheezy] - wildmidi (Vulnerable code introduced later) NOTE: https://github.com/Mindwerks/wildmidi/issues/178 NOTE: https://github.com/Mindwerks/wildmidi/commit/814f31d8eceda8401eb812fc2e94ed143fdad0ab CVE-2017-1000413 (Linaro's open source TEE solution called OP-TEE, version 2.4.0 (and ol ...) NOT-FOR-US: OP-TEE CVE-2017-1000412 (Linaro's open source TEE solution called OP-TEE, version 2.4.0 (and ol ...) NOT-FOR-US: OP-TEE CVE-2018-3816 RESERVED CVE-2018-3815 (The "XML Interface to Messaging, Scheduling, and Signaling" (XIMSS) pr ...) NOT-FOR-US: CommuniGate Pro CVE-2017-18015 (The ILLID Share This Image plugin before 1.04 for WordPress has XSS vi ...) NOT-FOR-US: ILLID Share This Image plugin for WordPress CVE-2017-18014 (An NC-25986 issue was discovered in the Logging subsystem of Sophos XG ...) NOT-FOR-US: Sophos CVE-2018-3814 (Craft CMS 2.6.3000 allows remote attackers to execute arbitrary PHP co ...) NOT-FOR-US: Craft CMS CVE-2018-3813 (getConfigExportFile.cgi on FLIR Brickstream 2300 devices 2.0 4.1.53.16 ...) NOT-FOR-US: FLIR Brickstream 2300 devices CVE-2018-3812 RESERVED CVE-2018-3811 (SQL Injection vulnerability in the Oturia Smart Google Code Inserter p ...) NOT-FOR-US: Oturia Smart Google Code Inserter plugin for WordPress CVE-2018-3810 (Authentication Bypass vulnerability in the Oturia Smart Google Code In ...) NOT-FOR-US: Oturia Smart Google Code Inserter plugin for WordPress CVE-2017-18013 (In LibTIFF 4.0.9, there is a Null-Pointer Dereference in the tif_print ...) {DSA-4100-1 DLA-1260-1 DLA-1259-1} - tiff 4.0.9-3 (bug #885985) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2770 NOTE: https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01 CVE-2017-18012 (The Z-URL Preview plugin 1.6.1 for WordPress has XSS via the class.zli ...) NOT-FOR-US: Z-URL Preview plugin for WordPress CVE-2017-18011 (The MyCBGenie Affiliate Ads for Clickbank Products plugin through 1.6 ...) NOT-FOR-US: MyCBGenie Affiliate Ads for Clickbank Products plugin WordPress CVE-2017-18010 (The E-goi Smart Marketing SMS and Newsletters Forms plugin before 2.0. ...) NOT-FOR-US: E-goi Smart Marketing SMS and Newsletters Forms plugin for WordPress CVE-2017-18009 (In OpenCV 3.3.1, a heap-based buffer over-read exists in the function ...) [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 4.1.2+dfsg-3 (low; bug #924884) [buster] - opencv (Minor issue) [stretch] - opencv (Vulnerable code introduced later) [jessie] - opencv (Vulnerable code introduced later) [wheezy] - opencv (Vulnerable code introduced later) NOTE: https://github.com/opencv/opencv/issues/10479 NOTE: Introduced after: https://github.com/opencv/opencv/commit/7469c935f3ec8e9fe4f56b7eed07b284b7b7b5df NOTE: Fixed: https://github.com/opencv/opencv/commit/4ca89db22dea962690f31c1781bce5937ee91837 CVE-2017-18008 (In ImageMagick 7.0.7-17 Q16, there is a Memory Leak in ReadPWPImage in ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/921 NOTE: https://github.com/ImageMagick/ImageMagick/commit/1a5f95fc018a5667de5a9448aee9d7251b2eb952 CVE-2017-18007 RESERVED CVE-2017-18006 (netpub/server.np in Extensis Portfolio NetPublish has XSS in the quick ...) NOT-FOR-US: Extensis Portfolio NetPublish CVE-2017-18005 (Exiv2 0.26 has a Null Pointer Dereference in the Exiv2::DataValue::toL ...) - exiv2 0.27.2-6 (low; bug #885981) [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) [jessie] - exiv2 (Minor issue) [wheezy] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/issues/168 NOTE: Fixed via: https://github.com/Exiv2/exiv2/pull/199 CVE-2017-18004 (Zurmo 3.2.3 allows XSS via the latitude or longitude parameter to maps ...) NOT-FOR-US: Zurmo CVE-2017-18003 RESERVED CVE-2017-18002 RESERVED CVE-2017-18001 (Trustwave Secure Web Gateway (SWG) through 11.8.0.27 allows remote att ...) NOT-FOR-US: Trustwave Secure Web Gateway CVE-2016-10704 (Magento Community Edition and Enterprise Edition before 2.0.10 and 2.1 ...) NOT-FOR-US: Magento CVE-2017-18000 RESERVED CVE-2017-17999 (SQL injection vulnerability in RISE Ultimate Project Manager 1.9 allow ...) NOT-FOR-US: RISE Ultimate Project Manager CVE-2017-17998 RESERVED CVE-2017-17997 (In Wireshark before 2.2.12, the MRDISC dissector misuses a NULL pointe ...) {DLA-1634-1} - wireshark 2.4.0-1 [wheezy] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2018-02.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14299 NOTE: https://code.wireshark.org/review/#/c/25063/ NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=80a695869c9aef2fb473d9361da068022be7cb50 CVE-2017-17996 (A buffer overflow vulnerability in "Add command" functionality exists ...) NOT-FOR-US: Flexense SyncBreeze Enterprise CVE-2017-17995 (Biometric Shift Employee Management System has XSS via the Last_Name p ...) NOT-FOR-US: Biometric Shift Employee Management System CVE-2017-17994 (Biometric Shift Employee Management System has XSS via the criteria pa ...) NOT-FOR-US: Biometric Shift Employee Management System CVE-2017-17993 (Biometric Shift Employee Management System has XSS via the amount para ...) NOT-FOR-US: Biometric Shift Employee Management System CVE-2017-17992 (Biometric Shift Employee Management System allows Arbitrary File Downl ...) NOT-FOR-US: Biometric Shift Employee Management System CVE-2017-17991 (Biometric Shift Employee Management System has XSS via the expense_nam ...) NOT-FOR-US: Biometric Shift Employee Management System CVE-2017-17990 (Biometric Shift Employee Management System has CSRF via index.php in a ...) NOT-FOR-US: Biometric Shift Employee Management System CVE-2017-17989 (Biometric Shift Employee Management System has XSS via the index.php h ...) NOT-FOR-US: Biometric Shift Employee Management System CVE-2017-17988 (PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/event ...) NOT-FOR-US: PHP Scripts Mall Muslim Matrimonial Script CVE-2017-17987 (PHP Scripts Mall Muslim Matrimonial Script allows arbitrary file uploa ...) NOT-FOR-US: PHP Scripts Mall Muslim Matrimonial Script CVE-2017-17986 (PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/caste ...) NOT-FOR-US: PHP Scripts Mall Muslim Matrimonial Script CVE-2017-17985 (PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/state ...) NOT-FOR-US: PHP Scripts Mall Muslim Matrimonial Script CVE-2017-17984 (PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/event ...) NOT-FOR-US: PHP Scripts Mall Muslim Matrimonial Script CVE-2017-17983 (PHP Scripts Mall Muslim Matrimonial Script has SQL injection via the v ...) NOT-FOR-US: PHP Scripts Mall Muslim Matrimonial Script CVE-2017-17982 (PHP Scripts Mall Muslim Matrimonial Script has CSRF via admin/subadmin ...) NOT-FOR-US: PHP Scripts Mall Muslim Matrimonial Script CVE-2017-17981 (PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/slide ...) NOT-FOR-US: PHP Scripts Mall Muslim Matrimonial Script CVE-2017-17980 RESERVED CVE-2017-17979 RESERVED CVE-2017-17978 RESERVED CVE-2017-17977 RESERVED CVE-2017-17976 (In Utilities.php in Perfex CRM 1.9.7, Unrestricted file upload can lea ...) NOT-FOR-US: Perfex CRM CVE-2017-17975 (Use-after-free in the usbtv_probe function in drivers/media/usb/usbtv/ ...) {DSA-4188-1} - linux 4.15.17-1 [jessie] - linux (Vulnerable code path not present) [wheezy] - linux (Vulnerable code path not present) CVE-2017-17974 (BA SYSTEMS BAS Web on BAS920 devices (with Firmware 01.01.00*, HTTPser ...) NOT-FOR-US: BA SYSTEMS BAS Web on BAS920 devices CVE-2017-17973 (** DISPUTED ** In LibTIFF 4.0.8, there is a heap-based use-after-free ...) - tiff (unimportant) - tiff3 (unimportant) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2769 NOTE: Details on the issue are not confirmed by the reporter after several attempts NOTE: and this does like a non-issue. More reprodicibly reports are from SUSE in NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1074318#c5 claiming this might be NOTE: a duplicate of CVE-2017-9935. Unless the reporter provides more details on NOTE: upstream report go and consider this as non-issue. CVE-2017-1000447 REJECTED CVE-2017-1000446 REJECTED CVE-2017-1000440 REJECTED CVE-2017-1000436 REJECTED CVE-2017-1000435 REJECTED CVE-2017-1000501 (Awstats version 7.6 and earlier is vulnerable to a path traversal flaw ...) {DSA-4092-1 DLA-1238-1} - awstats 7.6+dfsg-2 (bug #885835) NOTE: https://github.com/eldy/awstats/commit/cf219843a74c951bf5986f3a7fffa3dcf99c3899 NOTE: https://github.com/eldy/awstats/commit/06c0ab29c1e5059d9e0279c6b64d573d619e1651 CVE-2017-17972 (packages/subjects/pub/subjects.php in Archon 3.21 rev-1 has XSS in the ...) NOT-FOR-US: Archon CVE-2017-17971 (The test_sql_and_script_inject function in htdocs/main.inc.php in Doli ...) - dolibarr (bug #885828) NOTE: https://github.com/Dolibarr/dolibarr/issues/8000 CVE-2018-3809 (Information exposure through directory listings in serve 6.5.3 allows ...) NOT-FOR-US: serve nodejs module CVE-2018-3808 RESERVED CVE-2018-3807 RESERVED CVE-2018-3806 RESERVED CVE-2018-3805 RESERVED CVE-2018-3804 RESERVED CVE-2018-3803 RESERVED CVE-2018-3802 RESERVED CVE-2018-3801 RESERVED CVE-2018-3800 RESERVED CVE-2018-3799 RESERVED CVE-2018-3798 RESERVED CVE-2018-3797 RESERVED CVE-2018-3796 RESERVED CVE-2018-3795 RESERVED CVE-2018-3794 RESERVED CVE-2018-3793 RESERVED CVE-2018-3792 RESERVED CVE-2018-3791 RESERVED CVE-2018-3790 RESERVED CVE-2018-3789 RESERVED CVE-2018-3788 RESERVED CVE-2018-3787 (Path traversal in simplehttpserver <v0.2.1 allows listing any file ...) NOT-FOR-US: simplehttpserver node module CVE-2018-3786 (A command injection vulnerability in egg-scripts <v2.8.1 allows arb ...) NOT-FOR-US: egg-scripts CVE-2018-3785 (A command injection in git-dummy-commit v1.3.0 allows os level command ...) NOT-FOR-US: Node.js third-party module git-dummy-commit CVE-2018-3784 (A code injection in cryo 0.0.6 allows an attacker to arbitrarily execu ...) NOT-FOR-US: cryo CVE-2018-3783 (A privilege escalation detected in flintcms versions <= 1.1.9 allow ...) NOT-FOR-US: flintcms CVE-2018-3782 REJECTED CVE-2018-3781 (A missing sanitization of search results for an autocomplete field in ...) NOT-FOR-US: NextCloud Talk CVE-2018-3780 (A missing sanitization of search results for an autocomplete field in ...) - nextcloud (bug #835086) CVE-2018-3779 (active-support ruby gem 5.2.0 could allow a remote attacker to execute ...) NOT-FOR-US: Trojaned gem release CVE-2018-3778 (Improper authorization in aedes version <0.35.0 will publish a LWT ...) NOT-FOR-US: aedes CVE-2018-3777 (Insufficient URI encoding in restforce before 3.0.0 allows attacker to ...) NOT-FOR-US: restforce CVE-2018-3776 (Improper input validator in Nextcloud Server prior to 12.0.3 and 11.0. ...) - nextcloud (bug #835086) CVE-2018-3775 (Improper Authentication in Nextcloud Server prior to version 12.0.3 wo ...) - nextcloud (bug #835086) CVE-2018-3774 (Incorrect parsing in url-parse <1.4.3 returns wrong hostname which ...) - node-url-parse 1.2.0-2 (bug #906058) [stretch] - node-url-parse (Nodejs in stretch not covered by security support) NOTE: https://hackerone.com/reports/384029 NOTE: https://github.com/unshiftio/url-parse/commit/53b1794e54d0711ceb52505e0f74145270570d5a NOTE: https://github.com/unshiftio/url-parse/commit/d7b582ec1243e8024e60ac0b62d2569c939ef5de CVE-2018-3773 (There is a stored Cross-Site Scripting vulnerability in Open Graph met ...) NOT-FOR-US: metascrape nodejs module CVE-2018-3772 (Concatenating unsanitized user input in the `whereis` npm module < ...) NOT-FOR-US: whereis nodejs module CVE-2018-3771 (An XSS in statics-server <= 0.0.9 can be used via injected iframe i ...) NOT-FOR-US: statics-server nodejs module CVE-2018-3770 (A path traversal exists in markdown-pdf version <9.0.0 that allows ...) NOT-FOR-US: markdown-pdf nodejs module CVE-2018-3769 (ruby-grape ruby gem suffers from a cross-site scripting (XSS) vulnerab ...) - ruby-grape 1.1.0-1 (bug #903086) [stretch] - ruby-grape (Minor issue) NOTE: https://github.com/ruby-grape/grape/commit/6876b71efc7b03f7ce1be3f075eaa4e7e6de19af NOTE: https://github.com/ruby-grape/grape/issues/1762 NOTE: https://github.com/ruby-grape/grape/pull/1763 CVE-2018-3768 REJECTED CVE-2018-3767 (`memjs` versions <= 1.1.0 allocates and stores buffers on typed inp ...) NOT-FOR-US: memjs node module CVE-2018-3766 (Path traversal in buttle module versions <= 0.2.0 allows to read an ...) NOT-FOR-US: buttle node module CVE-2018-3765 RESERVED CVE-2018-3764 (In Nextcloud Contacts before 2.1.2, a missing sanitization of search r ...) NOT-FOR-US: Nextcloud Contacts CVE-2018-3763 (In Nextcloud Calendar before 1.5.8 and 1.6.1, a missing sanitization o ...) NOT-FOR-US: Nextcloud Contacts CVE-2018-3762 (Nextcloud Server before 12.0.8 and 13.0.3 suffers from improper checks ...) - nextcloud (bug #835086) CVE-2018-3761 (Nextcloud Server before 12.0.8 and 13.0.3 suffer from improper authent ...) - nextcloud (bug #835086) CVE-2018-3760 (There is an information leak vulnerability in Sprockets. Versions Affe ...) {DSA-4242-1 DLA-1419-1} - ruby-sprockets 3.7.0-1.1 (bug #901913) NOTE: http://www.openwall.com/lists/oss-security/2018/06/19/2 NOTE: https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5f (master) NOTE: https://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441 (3.x) NOTE: https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5 (2.x) CVE-2018-3759 (private_address_check ruby gem before 0.5.0 is vulnerable to a time-of ...) NOT-FOR-US: private_address_check CVE-2018-3758 (Unrestricted file upload (RCE) in express-cart module before 1.1.7 all ...) NOT-FOR-US: express-cart CVE-2018-3757 (Command injection exists in pdf-image v2.0.0 due to an unescaped strin ...) NOT-FOR-US: node pdf-image CVE-2018-3756 (Hyperledger Iroha versions v1.0_beta and v1.0.0_beta-1 are vulnerable ...) NOT-FOR-US: Hyperledger Iroha CVE-2018-3755 (XSS in sexstatic <=0.6.2 causes HTML injection in directory name(s) ...) NOT-FOR-US: sexstatic CVE-2018-3754 (Node.js third-party module query-mysql versions 0.0.0, 0.0.1, and 0.0. ...) NOT-FOR-US: query-mysql CVE-2018-3753 (The utilities function in all versions <= 1.0.0 of the merge-object ...) NOT-FOR-US: merge-objects CVE-2018-3752 (The utilities function in all versions <= 1.0.0 of the merge-option ...) NOT-FOR-US: merge-options CVE-2018-3751 (The utilities function in all versions <= 0.3.0 of the merge-recurs ...) NOT-FOR-US: merge-recursive CVE-2018-3750 (The utilities function in all versions <= 0.5.0 of the deep-extend ...) - node-deep-extend 0.4.1-2 (unimportant; bug #926616) NOTE: https://nodesecurity.io/advisories/612 NOTE: nodejs not covered by security support CVE-2018-3749 (The utilities function in all versions < 1.0.1 of the deap node mod ...) NOT-FOR-US: deap CVE-2018-3748 (There is a Stored XSS vulnerability in the glance node module versions ...) NOT-FOR-US: glance node module (different from src:glance) CVE-2018-3747 (The public node module versions <= 1.0.3 allows to embed HTML in fi ...) NOT-FOR-US: public node module versions CVE-2018-3746 (The pdfinfojs NPM module versions <= 0.3.6 has a command injection ...) NOT-FOR-US: pdfinfojs nodejs module CVE-2018-3745 (atob 2.0.3 and earlier allocates uninitialized Buffers when number is ...) NOT-FOR-US: nodejs atob module CVE-2018-3744 (The html-pages node module contains a path traversal vulnerabilities t ...) NOT-FOR-US: html-pages nodejs module CVE-2018-3743 (Open redirect in hekto <=0.2.3 when target domain name is used as h ...) NOT-FOR-US: hekto nodejs module CVE-2018-3742 REJECTED CVE-2018-3741 (There is a possible XSS vulnerability in all rails-html-sanitizer gem ...) - ruby-rails-html-sanitizer 1.0.4-1 (bug #893994) [stretch] - ruby-rails-html-sanitizer (Minor issue; can be fixed via point release) NOTE: https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae CVE-2018-3740 (A specially crafted HTML fragment can cause Sanitize gem for Ruby to a ...) {DSA-4358-1} [experimental] - ruby-sanitize 4.6.5-1 - ruby-sanitize 4.6.6-1 (bug #893610) [jessie] - ruby-sanitize (Only occurs with libxml2 >= 2.9.2, jessie has 2.9.1) NOTE: https://github.com/rgrove/sanitize/issues/176 NOTE: https://github.com/rgrove/sanitize/commit/01629a162e448a83d901456d0ba8b65f3b03d46e (v4.6.3) NOTE: Fixes for 2.1.x: https://github.com/rgrove/sanitize/compare/v2.1.0...v2.1.1 NOTE: Only an issue in combination with libxml2 >= 2.9.2 NOTE: The 'fragment' method was renamed from 'clean' method in earlier version NOTE: in v3.0.0 CVE-2018-3739 (https-proxy-agent before 2.1.1 passes auth option to the Buffer constr ...) NOT-FOR-US: https-proxy-agent CVE-2018-3738 (protobufjs is vulnerable to ReDoS when parsing crafted invalid .proto ...) NOT-FOR-US: protobufjs CVE-2018-3737 (sshpk is vulnerable to ReDoS when parsing crafted invalid public keys. ...) - node-sshpk 1.13.1+dfsg-2 (bug #901093) NOTE: https://github.com/joyent/node-sshpk/issues/44 NOTE: https://github.com/joyent/node-sshpk/commit/46065d38a5e6d1bccf86d3efb2fb83c14e3f9957 CVE-2018-3736 REJECTED CVE-2018-3735 (bracket-template suffers from reflected XSS possible when variable pas ...) NOT-FOR-US: bracket-template nodejs module CVE-2018-3734 (stattic node module suffers from a Path Traversal vulnerability due to ...) NOT-FOR-US: stattic nodejs module CVE-2018-3733 (crud-file-server node module before 0.9.0 suffers from a Path Traversa ...) NOT-FOR-US: crud-file-server nodejs module CVE-2018-3732 (resolve-path node module before 1.4.0 suffers from a Path Traversal vu ...) NOT-FOR-US: resolve-path nodejs module CVE-2018-3731 (public node module suffers from a Path Traversal vulnerability due to ...) NOT-FOR-US: public nodejs module CVE-2018-3730 (mcstatic node module suffers from a Path Traversal vulnerability due t ...) NOT-FOR-US: mcstatic nodejs module CVE-2018-3729 (localhost-now node module suffers from a Path Traversal vulnerability ...) NOT-FOR-US: localhost-now nodejs module CVE-2018-3728 (hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Mo ...) - node-hoek 5.0.3-1 (unimportant) NOTE: fixed in 4.2.1 NOTE: https://github.com/hapijs/hoek/issues/230 NOTE: https://hackerone.com/reports/310439 NOTE: https://snyk.io/vuln/npm:hoek:20180212 NOTE: https://nodesecurity.io/advisories/566 NOTE: nodejs not covered by security support CVE-2018-3727 (626 node module suffers from a Path Traversal vulnerability due to lac ...) NOT-FOR-US: 626 node module CVE-2018-3726 (crud-file-server node module before 0.8.0 suffers from a Cross-Site Sc ...) NOT-FOR-US: crud-file-server nodejs module CVE-2018-3725 (hekto node module suffers from a Path Traversal vulnerability due to l ...) NOT-FOR-US: hekto nodejs module CVE-2018-3724 (general-file-server node module suffers from a Path Traversal vulnerab ...) NOT-FOR-US: general-file-server node module CVE-2018-3723 (defaults-deep node module before 0.2.4 suffers from a Modification of ...) NOT-FOR-US: defaults-deep node module CVE-2018-3722 (merge-deep node module before 3.0.1 suffers from a Modification of Ass ...) NOT-FOR-US: merge-deep node module CVE-2018-3721 (lodash node module before 4.17.5 suffers from a Modification of Assume ...) - node-lodash 4.17.11+dfsg-1 (unimportant; bug #890575) NOTE: https://snyk.io/vuln/npm:lodash:20180130 NOTE: https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a NOTE: nodejs not covered by security support CVE-2018-3720 (assign-deep node module before 0.4.7 suffers from a Modification of As ...) NOT-FOR-US: assign-deep node module CVE-2018-3719 (mixin-deep node module before 1.3.1 suffers from a Modification of Ass ...) - node-mixin-deep 1.1.3-2 (bug #898315) [stretch] - node-mixin-deep 1.1.3-1+deb9u1 NOTE: https://nodesecurity.io/advisories/578 CVE-2018-3718 (serve node module suffers from Improper Handling of URL Encoding by pe ...) NOT-FOR-US: serve node module CVE-2018-3717 (connect node module before 2.14.0 suffers from a Cross-Site Scripting ...) - node-connect 3.0.0-1 NOTE: https://github.com/senchalabs/connect/commit/6d5dd30075d2bc4ee97afdbbe3d9d98d8d52d74b CVE-2018-3716 (simplehttpserver node module suffers from a Cross-Site Scripting vulne ...) NOT-FOR-US: simplehttpserver node module CVE-2018-3715 (glance node module before 3.0.4 suffers from a Path Traversal vulnerab ...) NOT-FOR-US: glance node module CVE-2018-3714 (node-srv node module suffers from a Path Traversal vulnerability due t ...) NOT-FOR-US: node-srv node module CVE-2018-3713 (angular-http-server node module suffers from a Path Traversal vulnerab ...) NOT-FOR-US: angular-http-server node module CVE-2018-3712 (serve node module before 6.4.9 suffers from a Path Traversal vulnerabi ...) NOT-FOR-US: npm serve NOTE: fixed in 6.4.9 upstream NOTE: https://github.com/zeit/serve/commit/6adad6881c61991da61ebc857857c53409544575 NOTE: https://github.com/zeit/serve/pull/316 NOTE: https://hackerone.com/reports/307666 NOTE: https://nodesecurity.io/advisories/561 CVE-2018-3711 (Fastify node module before 0.38.0 is vulnerable to a denial-of-service ...) NOT-FOR-US: Fastify NOTE: fixed in 0.38.0 upstream NOTE: https://github.com/fastify/fastify/commit/fabd2a011f2ffbb877394abe699f549513ffbd76 NOTE: https://hackerone.com/reports/303632 NOTE: https://nodesecurity.io/advisories/564 CVE-2018-3710 (Gitlab Community and Enterprise Editions version 10.3.3 is vulnerable ...) {DSA-4145-1} - gitlab 10.5.5+dfsg-1 (bug #888508) NOTE: https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ CVE-2017-17970 (Multiple SQL injection vulnerabilities in Muviko 1.1 allow remote atta ...) NOT-FOR-US: Muviko CVE-2017-17969 (Heap-based buffer overflow in the NCompress::NShrink::CDecoder::CodeRe ...) {DSA-4104-1 DLA-1268-1} - p7zip 16.02+dfsg-5 (bug #888297) NOTE: https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/ NOTE: Fixed in upstream 18.00-beta. CVE-2018-3709 RESERVED CVE-2018-3708 RESERVED CVE-2018-3707 RESERVED CVE-2018-3706 RESERVED CVE-2018-3705 (Improper directory permissions in the installer for the Intel(R) Syste ...) NOT-FOR-US: Intel System Defense Utility CVE-2018-3704 (Improper directory permissions in the installer for the Intel Parallel ...) NOT-FOR-US: Intel Parallel Studio CVE-2018-3703 (Improper directory permissions in the installer for the Intel(R) SSD D ...) NOT-FOR-US: Intel CVE-2018-3702 (Improper permissions in the installer for the ITE Tech* Consumer Infra ...) NOT-FOR-US: ITE Tech* Consumer Infrared Driver for Windows 10 CVE-2018-3701 (Improper directory permissions in the installer for Intel(R) PROSet/Wi ...) NOT-FOR-US: Intel CVE-2018-3700 (Code injection vulnerability in the installer for Intel(R) USB 3.0 eXt ...) NOT-FOR-US: Intel CVE-2018-3699 (Cross-site scripting in the Intel RAID Web Console v3 for Windows may ...) NOT-FOR-US: Intel RAID Web Console CVE-2018-3698 (Improper file permissions in the installer for the Intel Ready Mode Te ...) NOT-FOR-US: Intel CVE-2018-3697 (Improper directory permissions in the installer for the Intel Media Se ...) NOT-FOR-US: Intel CVE-2018-3696 (Authentication bypass in the Intel RAID Web Console 3 for Windows befo ...) NOT-FOR-US: Intel RAID Web Console CVE-2018-3695 RESERVED CVE-2018-3694 RESERVED CVE-2018-3693 (Systems with microprocessors utilizing speculative execution and branc ...) - linux NOTE: https://access.redhat.com/solutions/3523601 NOTE: https://01.org/security/advisories/intel-oss-10002 NOTE: Speculative Bounds Checks Bypass with Store (BCBS) CVE-2018-3692 RESERVED CVE-2018-3691 (Some implementations in Intel Integrated Performance Primitives Crypto ...) NOT-FOR-US: Intel CVE-2018-3690 REJECTED CVE-2018-3689 (AESM daemon in Intel Software Guard Extensions Platform Software Compo ...) NOT-FOR-US: Intel CVE-2018-3688 (Unquoted service paths in Intel Quartus Prime Programmer and Tools in ...) NOT-FOR-US: Intel CVE-2018-3687 (Unquoted service paths in Intel Quartus II Programmer and Tools in ver ...) NOT-FOR-US: Intel CVE-2018-3686 (Code injection vulnerability in INTEL-SA-00086 Detection Tool before v ...) NOT-FOR-US: Intel CVE-2018-3685 RESERVED CVE-2018-3684 (Unquoted service paths in Intel Quartus II in versions 11.0 - 15.0 all ...) NOT-FOR-US: Intel CVE-2018-3683 (Unquoted service paths in Intel Quartus Prime in versions 15.1 - 18.0 ...) NOT-FOR-US: Intel CVE-2018-3682 (BMC Firmware in Intel server boards, compute modules, and systems pote ...) NOT-FOR-US: Intel CVE-2018-3681 RESERVED CVE-2018-3680 RESERVED CVE-2018-3679 (Escalation of privilege in Reference UI in Intel Data Center Manager S ...) NOT-FOR-US: Intel CVE-2018-3678 RESERVED CVE-2018-3677 RESERVED CVE-2018-3676 RESERVED CVE-2018-3675 RESERVED CVE-2018-3674 RESERVED CVE-2018-3673 RESERVED CVE-2018-3672 (Driver module in Intel Smart Sound Technology before version 9.21.00.3 ...) NOT-FOR-US: Driver module in Intel Smart Sound Technology CVE-2018-3671 (Escalation of privilege in Intel Saffron admin application before 11.4 ...) NOT-FOR-US: Intel Saffron admin application CVE-2018-3670 (Driver module in Intel Smart Sound Technology before version 9.21.00.3 ...) NOT-FOR-US: Driver module in Intel Smart Sound Technology CVE-2018-3669 (A STOP error (BSoD) in the ibtfltcoex.sys driver for Intel Centrino Wi ...) NOT-FOR-US: Intel CVE-2018-3668 (Unquoted service paths in Intel Processor Diagnostic Tool (IPDT) befor ...) NOT-FOR-US: Intel CVE-2018-3667 (Installation tool IPDT (Intel Processor Diagnostic Tool) 4.1.0.24 sets ...) NOT-FOR-US: Intel CVE-2018-3666 (Driver module in Intel Smart Sound Technology before version 9.21.00.3 ...) NOT-FOR-US: Driver module in Intel Smart Sound Technology CVE-2018-3665 (System software utilizing Lazy FP state restore technique on systems u ...) {DSA-4232-1 DLA-1422-1} - linux 4.6.1-1 - xen 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u8 [jessie] - xen (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) NOTE: https://xenbits.xen.org/xsa/advisory-267.html NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html NOTE: Default eagerfpu=on on all CPUs: https://git.kernel.org/linus/58122bf1d856a4ea9581d62a07c557d997d46a19 NOTE: Hard-disable lazy FPU mode: https://git.kernel.org/linus/ca6938a1cd8a1c5e861a99b67f84ac166fc2b9e7 CVE-2018-3664 RESERVED CVE-2018-3663 (Escalation of privilege in Intel Saffron MemoryBase before 11.4 allows ...) NOT-FOR-US: Intel Saffron MemoryBase CVE-2018-3662 (Escalation of privilege in Intel Saffron MemoryBase before version 11. ...) NOT-FOR-US: Intel Saffron MemoryBase CVE-2018-3661 (Buffer overflow in Intel system Configuration utilities selview.exe an ...) NOT-FOR-US: Intel CVE-2018-3660 RESERVED CVE-2018-3659 (A vulnerability in Intel PTT module in Intel CSME firmware before vers ...) NOT-FOR-US: Intel CVE-2018-3658 (Multiple memory leaks in Intel AMT in Intel CSME firmware versions bef ...) NOT-FOR-US: Intel CVE-2018-3657 (Multiple buffer overflows in Intel AMT in Intel CSME firmware versions ...) NOT-FOR-US: Intel CVE-2018-3656 RESERVED CVE-2018-3655 (A vulnerability in a subsystem in Intel CSME before version 11.21.55, ...) NOT-FOR-US: Intel CVE-2018-3654 RESERVED CVE-2018-3653 RESERVED CVE-2018-3652 (Existing UEFI setting restrictions for DCI (Direct Connect Interface) ...) NOT-FOR-US: Intel CVE-2018-3651 RESERVED CVE-2018-3650 (Insufficient Input Validation in Bleach module in INTEL Distribution f ...) NOT-FOR-US: Intel CVE-2018-3649 (DLL injection vulnerability in the installation executables (Autorun.e ...) NOT-FOR-US: Intel CVE-2018-3648 RESERVED CVE-2018-3647 RESERVED CVE-2018-3646 (Systems with microprocessors utilizing speculative execution and addre ...) {DSA-4279-1 DSA-4274-1 DLA-1481-1} - linux 4.17.15-1 [jessie] - linux (Too invasive and risky to apply) - xen 4.11.1~pre.20180911.5acdd26fdc+dfsg-2 [jessie] - xen (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) - intel-microcode 3.20180703.1 NOTE: https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault NOTE: https://foreshadowattack.eu/ NOTE: https://git.kernel.org/linus/958f338e96f874a0d29442396d6adf9c1e17aa2d NOTE: https://xenbits.xen.org/xsa/advisory-273.html NOTE: Updates were already shipped with 20180703 release, but only disclosed later, see #906158 NOTE: The 3.20180703.1 release for intel-microcode was the first batch of updates which targeted NOTE: most server type CPUs, additional models were supported in the 3.20180807a.1 release CVE-2018-3645 (Escalation of privilege in all versions of the Intel Remote Keyboard a ...) NOT-FOR-US: Intel CVE-2018-3644 RESERVED CVE-2018-3643 (A vulnerability in Power Management Controller firmware in systems usi ...) NOT-FOR-US: Intel CVE-2018-3642 RESERVED CVE-2018-3641 (Escalation of privilege in all versions of the Intel Remote Keyboard a ...) NOT-FOR-US: Intel CVE-2018-3640 (Systems with microprocessors utilizing speculative execution and that ...) {DSA-4273-2 DSA-4273-1 DLA-1446-1} - intel-microcode 3.20180703.1 NOTE: https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability NOTE: No software mitigations planned to be implemented in src:linux NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html NOTE: The 3.20180703.1 release for intel-microcode was the first batch of updates which targeted NOTE: most server type CPUs, additional models were supported in the 3.20180807a.1 release CVE-2018-3639 (Systems with microprocessors utilizing speculative execution and specu ...) {DSA-4273-2 DSA-4273-1 DSA-4210-1 DLA-1731-1 DLA-1715-1 DLA-1529-1 DLA-1446-1 DLA-1423-1} - intel-microcode 3.20180703.1 - linux 4.16.12-1 [stretch] - linux 4.9.107-1 [wheezy] - linux (Too much work to backport) - xen 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u7 [jessie] - xen (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) NOTE: https://xenbits.xen.org/xsa/advisory-263.html NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1528 NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html NOTE: The 3.20180703.1 release for intel-microcode was the first batch of updates which targeted NOTE: most server type CPUs, additional models were supported in the 3.20180807a.1 release NOTE: Qemu part of the mitigations for the speculative store buffer bypass NOTE: vulnerabilities on x86 are needed: #908682 NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=d19d1f965904a533998739698020ff4ee8a103da NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=cfeea0c021db6234c154dbc723730e81553924ff NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=403503b162ffc33fb64cfefdf7b880acf41772cd CVE-2018-3638 (Escalation of privilege in all versions of the Intel Remote Keyboard a ...) NOT-FOR-US: Intel CVE-2018-3637 RESERVED CVE-2018-3636 RESERVED CVE-2018-3635 (Insufficient input validation in installer in Intel Rapid Store Techno ...) NOT-FOR-US: Intel CVE-2018-3634 (Parameter corruption in NDIS filter driver in Intel Online Connect Acc ...) NOT-FOR-US: Intel CVE-2018-3633 RESERVED CVE-2018-3632 (Memory corruption in Intel Active Management Technology in Intel Conve ...) NOT-FOR-US: Intel CVE-2018-3631 RESERVED CVE-2018-3630 REJECTED CVE-2018-3629 (Buffer overflow in event handler in Intel Active Management Technology ...) NOT-FOR-US: Intel CVE-2018-3628 (Buffer overflow in HTTP handler in Intel Active Management Technology ...) NOT-FOR-US: Intel CVE-2018-3627 (Logic bug in Intel Converged Security Management Engine 11.x may allow ...) NOT-FOR-US: Intel CVE-2018-3626 (Edger8r tool in the Intel SGX SDK before version 2.1.2 (Linux) and 1.9 ...) NOT-FOR-US: Intel CVE-2018-3625 RESERVED CVE-2018-3624 (Buffer overflow in ETWS processing module Intel XMM71xx, XMM72xx, XMM7 ...) NOT-FOR-US: Intel CVE-2018-3623 RESERVED CVE-2018-3622 RESERVED CVE-2018-3621 (Insufficient input validation in the Intel Driver & Support Assist ...) NOT-FOR-US: Intel CVE-2018-3620 (Systems with microprocessors utilizing speculative execution and addre ...) {DSA-4279-1 DSA-4274-1 DLA-1529-1 DLA-1481-1} - linux 4.17.15-1 - xen 4.11.1~pre.20180911.5acdd26fdc+dfsg-2 [jessie] - xen (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) - intel-microcode 3.20180703.1 NOTE: Updates were already shipped with 20180703 release, but only disclosed later, see #906158 NOTE: https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault NOTE: https://foreshadowattack.eu/ NOTE: https://git.kernel.org/linus/958f338e96f874a0d29442396d6adf9c1e17aa2d NOTE: https://xenbits.xen.org/xsa/advisory-273.html NOTE: The 3.20180703.1 release for intel-microcode was the first batch of updates which targeted NOTE: most server type CPUs, additional models were supported in the 3.20180807a.1 release CVE-2018-3619 (Information disclosure vulnerability in storage media in systems with ...) NOT-FOR-US: Intel CVE-2018-3618 RESERVED CVE-2018-3617 REJECTED CVE-2018-3616 (Bleichenbacher-style side channel vulnerability in TLS implementation ...) NOT-FOR-US: Intel CVE-2018-3615 (Systems with microprocessors utilizing speculative execution and Intel ...) - intel-microcode 3.20180703.1 NOTE: https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault NOTE: https://foreshadowattack.eu/ NOTE: The 3.20180703.1 release for intel-microcode was the first batch of updates which targeted NOTE: most server type CPUs, additional models were supported in the 3.20180807a.1 release CVE-2018-3614 RESERVED NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=751 NOTE: https://edk2-docs.gitbooks.io/security-advisory/content/untested-memory-not-covered-by-smm-page-protection.html CVE-2018-3613 (Logic issue in variable service module for EDK II/UDK2018/UDK2017/UDK2 ...) NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=415 NOTE: https://bugzilla.tianocore.org/attachment.cgi?id=44 NOTE: https://edk2-docs.gitbooks.io/security-advisory/content/edk-ii-authenticated-variable-bypass.html CVE-2018-3612 (Intel NUC kits with insufficient input validation in system firmware, ...) NOT-FOR-US: Intel CVE-2018-3611 (Bounds check vulnerability in User Mode Driver in Intel Graphics Drive ...) NOT-FOR-US: Intel CVE-2018-3610 (SEMA driver in Intel Driver and Support Assistant before version 3.1.1 ...) NOT-FOR-US: Intel CVE-2017-17968 (A buffer overflow vulnerability in NetTransport.exe in NetTransport Do ...) NOT-FOR-US: NetTransport Download Manager CVE-2017-17967 (pptreader.dll in Kingsoft WPS Office 10.1.0.6930 allows remote attacke ...) NOT-FOR-US: Kingsoft WPS Office CVE-2017-17966 RESERVED CVE-2017-17965 RESERVED CVE-2017-17964 RESERVED CVE-2017-17963 RESERVED CVE-2017-17962 RESERVED CVE-2017-17961 RESERVED CVE-2017-17960 (PHP Scripts Mall PHP Multivendor Ecommerce has CSRF via admin/sellerup ...) NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce CVE-2017-17959 (PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the s ...) NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce CVE-2017-17958 (PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the my_wishlist ...) NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce CVE-2017-17957 (PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the m ...) NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce CVE-2017-17956 (PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the admin/selle ...) NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce CVE-2017-17955 (PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the shopping-ca ...) NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce CVE-2017-17954 (PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the seller-view ...) NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce CVE-2017-17953 (PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the category.ph ...) NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce CVE-2017-17952 (PHP Scripts Mall PHP Multivendor Ecommerce has a predicable registrati ...) NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce CVE-2017-17951 (PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the s ...) NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce CVE-2017-17950 (Cells Blog 3.5 has SQL Injection via the pub_readpost.php ptid paramet ...) NOT-FOR-US: Cells Blog CVE-2017-17949 (Cells Blog 3.5 has XSS via the pub_readpost.php fmid parameter. ...) NOT-FOR-US: Cells Blog CVE-2017-17948 (Cells Blog 3.5 has XSS via the jfdname parameter in an act=showpic req ...) NOT-FOR-US: Cells Blog CVE-2017-17947 (A cross site scripting issue has been found in custompage.cgi in Pulse ...) NOT-FOR-US: Pulse Secure Pulse Connect Secure CVE-2017-1000411 (OpenFlow Plugin and OpenDayLight Controller versions Nitrogen, Carbon, ...) NOT-FOR-US: OpenDayLight CVE-2017-17946 (A buffer overflow in Handy Password 4.9.3 allows remote attackers to e ...) NOT-FOR-US: Handy Password CVE-2017-17945 (The ASUS HiVivo aspplication before 5.6.27 for ASUS Watch has Missing ...) NOT-FOR-US: ASUS HiVivo CVE-2017-17944 (The ASUS Vivobaby application before 1.1.09 for Android has Missing SS ...) NOT-FOR-US: ASUS Vivobaby application CVE-2017-17943 RESERVED CVE-2017-17942 (In LibTIFF 4.0.9, there is a heap-based buffer over-read in the functi ...) - tiff 4.0.6-3 (unimportant; bug #885579) [jessie] - tiff 4.0.3-12.3+deb8u2 - tiff3 (unimportant) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2767 NOTE: https://gitlab.com/libtiff/libtiff/issues/120 NOTE: No patch available. Marked as wontfix by upstream. NOTE: bmp2tiff was removed in 4.0.6-3 and DSA 3762, marking as fixed NOTE: although technically still present in the source package. CVE-2017-17941 (PHP Scripts Mall Single Theater Booking has SQL Injection via the admi ...) NOT-FOR-US: PHP Scripts Mall Single Theater Booking CVE-2017-17940 (PHP Scripts Mall Single Theater Booking has XSS via the title paramete ...) NOT-FOR-US: PHP Scripts Mall Single Theater Booking CVE-2017-17939 (PHP Scripts Mall Single Theater Booking has CSRF via admin/sitesetting ...) NOT-FOR-US: PHP Scripts Mall Single Theater Booking CVE-2017-17938 (PHP Scripts Mall Single Theater Booking has XSS via the admin/viewthea ...) NOT-FOR-US: PHP Scripts Mall Single Theater Booking CVE-2017-17937 (Vanguard Marketplace Digital Products PHP has XSS via the phps_query p ...) NOT-FOR-US: Vanguard Marketplace Digital Products PHP CVE-2017-17936 (Vanguard Marketplace Digital Products PHP has CSRF via /search. ...) NOT-FOR-US: Vanguard Marketplace Digital Products PHP CVE-2018-3609 (A vulnerability in the Trend Micro InterScan Messaging Security Virtua ...) NOT-FOR-US: Trend Micro CVE-2018-3608 (A vulnerability in Trend Micro Maximum Security's (Consumer) 2018 (ver ...) NOT-FOR-US: Trend Micro CVE-2018-3607 (XXXTreeNode method SQL injection remote code execution (RCE) vulnerabi ...) NOT-FOR-US: Trend Micro CVE-2018-3606 (XXXStatusXXX, XXXSummary, TemplateXXX and XXXCompliance method SQL inj ...) NOT-FOR-US: Trend Micro CVE-2018-3605 (TopXXX, ViolationXXX, and IncidentXXX method SQL injection remote code ...) NOT-FOR-US: Trend Micro CVE-2018-3604 (GetXXX method SQL injection remote code execution (RCE) vulnerabilitie ...) NOT-FOR-US: Trend Micro CVE-2018-3603 (A CGGIServlet SQL injection remote code execution (RCE) vulnerability ...) NOT-FOR-US: Trend Micro CVE-2018-3602 (An AdHocQuery_Processor SQL injection remote code execution (RCE) vuln ...) NOT-FOR-US: Trend Micro CVE-2018-3601 (A password hash usage authentication bypass vulnerability in Trend Mic ...) NOT-FOR-US: Trend Micro CVE-2018-3600 (A external entity processing information disclosure (XXE) vulnerabilit ...) NOT-FOR-US: Trend Micro CVE-2017-17935 (The File_read_line function in epan/wslua/wslua_file.c in Wireshark th ...) {DLA-1634-1} - wireshark 2.4.4-1 (bug #885831) [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14295 NOTE: https://code.wireshark.org/review/#/c/24997/ NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=137ab7d5681486c6d6cc8faac4300b7cd4ec0cf1 CVE-2017-17934 (ImageMagick 7.0.7-17 Q16 x86_64 has memory leaks in coders/msl.c, rela ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/920 NOTE: https://github.com/ImageMagick/ImageMagick/commit/3755d2289b032919c065f6ab11ef570063f7f828 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/08278c7cf1c0b4f1da4cdcfaa857ff6b2373a1b2 CVE-2017-17933 (cgi/surgeftpmgr.cgi (aka the Web Manager interface on TCP port 7021 or ...) NOT-FOR-US: NetWin SurgeFTP CVE-2017-17932 (A buffer overflow vulnerability exists in MediaServer.exe in ALLPlayer ...) NOT-FOR-US: ALLPlayer CVE-2017-17931 (PHP Scripts Mall Resume Clone Script has SQL Injection via the forget. ...) NOT-FOR-US: PHP Scripts Mall Resume Clone Script CVE-2017-17930 (PHP Scripts Mall Professional Service Script has CSRF via admin/genera ...) NOT-FOR-US: PHP Scripts Mall Professional Service Script CVE-2017-17929 (PHP Scripts Mall Professional Service Script has XSS via the admin/ban ...) NOT-FOR-US: PHP Scripts Mall Professional Service Script CVE-2017-17928 (PHP Scripts Mall Professional Service Script has SQL injection via the ...) NOT-FOR-US: PHP Scripts Mall Professional Service Script CVE-2017-17927 (PHP Scripts Mall Professional Service Script allows remote attackers t ...) NOT-FOR-US: PHP Scripts Mall Professional Service Script CVE-2017-17926 (PHP Scripts Mall Professional Service Script has a predicable registra ...) NOT-FOR-US: PHP Scripts Mall Professional Service Script CVE-2017-17925 (PHP Scripts Mall Professional Service Script has XSS via the admin/gen ...) NOT-FOR-US: PHP Scripts Mall Professional Service Script CVE-2017-17924 (PHP Scripts Mall Professional Service Script allows remote attackers t ...) NOT-FOR-US: PHP Scripts Mall Professional Service Script CVE-2017-17923 RESERVED CVE-2017-17922 RESERVED CVE-2017-17921 RESERVED CVE-2017-17920 (** DISPUTED ** SQL injection vulnerability in the 'reorder' method in ...) - rails (unimportant) NOTE: https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/ NOTE: All of those methods accept arbitrary SQL by design. CVE-2017-17919 (** DISPUTED ** SQL injection vulnerability in the 'order' method in Ru ...) - rails (unimportant) NOTE: https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/ NOTE: All of those methods accept arbitrary SQL by design. CVE-2017-17918 RESERVED CVE-2017-17917 (** DISPUTED ** SQL injection vulnerability in the 'where' method in Ru ...) - rails (unimportant) NOTE: https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/ NOTE: All of those methods accept arbitrary SQL by design. CVE-2017-17916 (** DISPUTED ** SQL injection vulnerability in the 'find_by' method in ...) - rails (unimportant) NOTE: https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/ NOTE: All of those methods accept arbitrary SQL by design. CVE-2017-17915 (In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a heap-based buff ...) {DSA-4321-1 DLA-1401-1 DLA-1231-1} - graphicsmagick 1.3.27-3 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/1721f1b7e67a NOTE: https://sourceforge.net/p/graphicsmagick/bugs/535/ CVE-2017-17914 (In ImageMagick 7.0.7-16 Q16, a vulnerability was found in the function ...) {DLA-1785-1 DLA-1227-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #886584) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/908 NOTE: https://github.com/ImageMagick/ImageMagick/commit/650ec57d84b7b1dce66435b8cd3b58f7ae66db1b NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/42781eeebadf111a2e01559735ea504a78192046 CVE-2017-17913 (In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a stack-based buf ...) {DSA-4321-1} - graphicsmagick 1.3.27-3 [jessie] - graphicsmagick (webp feature was not compiled in) [wheezy] - graphicsmagick (webp feature has not been implemented) NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/88313ebe379c NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/6dda3c33f35f NOTE: https://sourceforge.net/p/graphicsmagick/bugs/536/ CVE-2017-17912 (In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a heap-based buff ...) {DSA-4321-1 DLA-1401-1 DLA-1231-1} - graphicsmagick 1.3.27-3 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/0d871e813a4f NOTE: https://sourceforge.net/p/graphicsmagick/bugs/533/ CVE-2017-17911 (packages/core/contact.php in Archon 3.21 rev-1 has XSS in the referer ...) NOT-FOR-US: Archon CVE-2017-17910 (On Hoermann BiSecur devices before 2018, a vulnerability can be exploi ...) NOT-FOR-US: Hoermann BiSecur CVE-2017-17909 (PHP Scripts Mall Responsive Realestate Script has XSS via the admin/ge ...) NOT-FOR-US: PHP Scripts Mall Responsive Realestate Script CVE-2017-17908 (PHP Scripts Mall Responsive Realestate Script has CSRF via admin/gener ...) NOT-FOR-US: PHP Scripts Mall Responsive Realestate Script CVE-2017-17907 (PHP Scripts Mall Car Rental Script has XSS via the admin/areaedit.php ...) NOT-FOR-US: PHP Scripts Mall Car Rental Script CVE-2017-17906 (PHP Scripts Mall Car Rental Script has SQL Injection via the admin/car ...) NOT-FOR-US: PHP Scripts Mall Car Rental Script CVE-2017-17905 (PHP Scripts Mall Car Rental Script has CSRF via admin/sitesettings.php ...) NOT-FOR-US: PHP Scripts Mall Car Rental Script CVE-2017-17904 (FS Lynda Clone has XSS via the keywords parameter to tutorial/ or the ...) NOT-FOR-US: FS Lynda Clone CVE-2017-17903 (FS Lynda Clone has CSRF via user/edit_profile, as demonstrated by addi ...) NOT-FOR-US: FS Lynda Clone CVE-2017-17902 (SQL Injection exists in Kliqqi CMS 3.5.2 via the randkey parameter of ...) NOT-FOR-US: Kliqqi CMS CVE-2017-17901 (ZyXEL P-660HW v3 devices allow remote attackers to cause a denial of s ...) NOT-FOR-US: ZyXEL CVE-2017-17900 (SQL injection vulnerability in fourn/index.php in Dolibarr ERP/CRM ver ...) - dolibarr (bug #885321) NOTE: https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c CVE-2017-17899 (SQL injection vulnerability in adherents/subscription/info.php in Doli ...) - dolibarr (bug #885321) NOTE: https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c CVE-2017-17898 (Dolibarr ERP/CRM version 6.0.4 does not block direct requests to *.tpl ...) - dolibarr (bug #885321) NOTE: https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c NOTE: https://github.com/Dolibarr/dolibarr/commit/6a62e139604dbbd5729e57df2433b37a5950c35c CVE-2017-17897 (SQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM ...) - dolibarr (bug #885321) NOTE: https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c CVE-2017-17896 (Readymade Job Site Script has XSS via the keyword parameter to the /jo ...) NOT-FOR-US: Readymade Job Site Script CVE-2017-17895 (Readymade Job Site Script has SQL Injection via the location_name arra ...) NOT-FOR-US: Readymade Job Site Script CVE-2017-17894 (Readymade Job Site Script has CSRF via the /job URI. ...) NOT-FOR-US: Readymade Job Site Script CVE-2017-17893 (Readymade Video Sharing Script has XSS via the search_video.php search ...) NOT-FOR-US: Readymade Video Sharing Script CVE-2017-17892 (Readymade Video Sharing Script has SQL Injection via the viewsubs.php ...) NOT-FOR-US: Readymade Video Sharing Script CVE-2017-17891 (Readymade Video Sharing Script has CSRF via user-profile-edit.php. ...) NOT-FOR-US: Readymade Video Sharing Script CVE-2017-17890 RESERVED CVE-2017-17889 (Kliqqi CMS 3.5.2 has XSS via a crafted group name in pligg/groups.php, ...) NOT-FOR-US: Kliqqi CMS CVE-2017-17888 (cgi-bin/write.cgi in Anti-Web through 3.8.7, as used on NetBiter / HMS ...) NOT-FOR-US: Anti-Web CVE-2017-17887 (In ImageMagick 7.0.7-16 Q16, a memory leak vulnerability was found in ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/903 NOTE: https://github.com/ImageMagick/ImageMagick/commit/7a42f63927e7f2e26846b7ed4560e9cb4984af7b NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/dddce3e790b5b0f5dad91a7960de67af5bdea789 CVE-2017-17886 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/874 NOTE: https://github.com/ImageMagick/ImageMagick/commit/8204599ef0e85324876459e5d45db00660920482 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/4a71d71f4ae289b6672102efaef6543643e8efb8 CVE-2017-17885 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/879 NOTE: https://github.com/ImageMagick/ImageMagick/commit/2ba085736fd49ad89c1937d1ee2b80ae4e11ab97 NOTE: Imagemagick-6: https://github.com/ImageMagick/ImageMagick/commit/5e863ae629010110772321fd181bac34c4b57345 CVE-2017-17884 (In ImageMagick 7.0.7-16 Q16, a memory leak vulnerability was found in ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/902 NOTE: https://github.com/ImageMagick/ImageMagick/commit/4d6accd355119d54429a86a1859b8329f0130f30 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/82f20a898107a9c1ef6ad2024c4b191719b294ea CVE-2017-17883 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/877 NOTE: https://github.com/ImageMagick/ImageMagick/commit/b0a7241df0f889cc3158ba82774ff21fa1da87ec NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/2a1ec7d97f356e9fb6dbc328da17d93ab7a8167c CVE-2017-17882 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/880 NOTE: https://github.com/ImageMagick/ImageMagick/commit/903f14eb94521aa6dca9d9ac55d3d9a6c7676a63 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/92fbef516b94ed96fa2a672831acd5dafb242ac5 CVE-2017-17881 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/878 NOTE: https://github.com/ImageMagick/ImageMagick/commit/ece953bbe14e8514afc23e05e4030eea872e29da NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/aa601d79a630f6de0694fadbeee31456a357fa73 CVE-2017-17880 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a stack-based ...) - imagemagick 8:6.9.9.39+dfsg-1 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/907 NOTE: https://github.com/ImageMagick/ImageMagick/commit/4b5d1edb02c432040e3ff894d0c461bcce6fd2c9 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/663b3b432c202cd2aeda7ea7e82b74cce51ab1cf NOTE: webp support not enabled, see #806425 CVE-2017-17879 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a heap-based b ...) {DSA-4204-1 DSA-4074-1 DLA-1227-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #885125) NOTE: https://github.com/ImageMagick/ImageMagick/issues/906 NOTE: https://github.com/ImageMagick/ImageMagick/commit/72b3994a948a8a90dc664f3e7f72464878a31fbf NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/e41f18ecccbdd1c38e1382057718e91e8f8d6d80 CVE-2017-17878 (An issue was discovered in Valve Steam Link build 643. Root passwords ...) NOT-FOR-US: Valve Steam Link CVE-2017-17877 (An issue was discovered in Valve Steam Link build 643. When the SSH da ...) NOT-FOR-US: Valve Steam Link CVE-2017-17876 (Biometric Shift Employee Management System 3.0 allows remote attackers ...) NOT-FOR-US: Biometric Shift Employee Management System CVE-2017-17875 (The JEXTN FAQ Pro extension 4.0.0 for Joomla! has SQL Injection via th ...) NOT-FOR-US: JEXTN FAQ Pro extension for Joomla! CVE-2017-17874 (Vanguard Marketplace Digital Products PHP 1.4 allows arbitrary file up ...) NOT-FOR-US: Vanguard Marketplace Digital Products PHP CVE-2017-17873 (Vanguard Marketplace Digital Products PHP 1.4 has SQL Injection via th ...) NOT-FOR-US: Vanguard Marketplace Digital Products PHP CVE-2017-17872 (The JEXTN Video Gallery extension 3.0.5 for Joomla! has SQL Injection ...) NOT-FOR-US: JEXTN Video Gallery extension for Joomla! CVE-2017-17871 (The "JEXTN Question And Answer" extension 3.1.0 for Joomla! has SQL In ...) NOT-FOR-US: "JEXTN Question And Answer" extension for Joomla! CVE-2017-17870 (The JBuildozer extension 1.4.1 for Joomla! has SQL Injection via the a ...) NOT-FOR-US: JBuildozer extension for Joomla! CVE-2017-17869 (The mgl-instagram-gallery plugin for WordPress has XSS via the single- ...) NOT-FOR-US: mgl-instagram-gallery plugin for WordPress CVE-2017-17868 (In Liferay Portal 6.1.0, the tags section has XSS via a Public Render ...) NOT-FOR-US: Liferay Portal CVE-2017-17867 (Inteno iopsys 2.0-3.14 and 4.0 devices allow remote authenticated user ...) NOT-FOR-US: Inteno iopsys CVE-2017-17866 (pdf/pdf-write.c in Artifex MuPDF before 1.12.0 mishandles certain leng ...) {DSA-4334-1} - mupdf 1.12.0+ds1-1 (bug #885120) [jessie] - mupdf (Minor issue) [wheezy] - mupdf (Minor issue) NOTE: Fixed by: http://git.ghostscript.com/?p=mupdf.git;h=520cc26d18c9ee245b56e9e91f9d4fcae02be5f0 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698699 (not public) CVE-2017-17865 RESERVED CVE-2017-17864 (kernel/bpf/verifier.c in the Linux kernel through 4.14.8 mishandles st ...) {DSA-4073-1} - linux 4.14.7-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) CVE-2017-17863 (kernel/bpf/verifier.c in the Linux kernel 4.9.x through 4.9.71 does no ...) {DSA-4073-1} - linux 4.14.7-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: https://www.spinics.net/lists/stable/msg206985.html CVE-2017-17862 (kernel/bpf/verifier.c in the Linux kernel through 4.14.8 ignores unrea ...) {DSA-4073-1} - linux 4.14.7-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/c131187db2d3fa2f8bf32fdf4e9a4ef805168467 NOTE: https://www.spinics.net/lists/stable/msg206984.html CVE-2017-17861 RESERVED CVE-2017-17860 (In Samsung Gear products, Bluetooth link key is updated to the differe ...) NOT-FOR-US: Samsung CVE-2017-17859 (Samsung Internet Browser 6.2.01.12 allows remote attackers to bypass t ...) NOT-FOR-US: Samsung Internet Browser CVE-2017-17858 (Heap-based buffer overflow in the ensure_solid_xref function in pdf/pd ...) - mupdf (Vulnerable code introduced in 1.11.1) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698819 (not public) NOTE: Fixed by: http://git.ghostscript.com/?p=mupdf.git;a=commit;h=55c3f68d638ac1263a386e0aaa004bb6e8bde731 NOTE: Commit http://git.ghostscript.com/?p=mupdf.git;a=commit;h=f595e889b91a674eb94db7ca4d832da54f5194cd NOTE: switches to use int64_t for public file API offsets and introduced the flaw. NOTE: https://github.com/mzet-/Security-Advisories/blob/master/mzet-adv-2017-01.md CVE-2017-17851 RESERVED CVE-2017-17850 (An issue was discovered in Asterisk 13.18.4 and older, 14.7.4 and olde ...) - asterisk 1:13.18.5~dfsg-1 (bug #885072) [stretch] - asterisk (Vulnerable code introduced after 13.15.0) [jessie] - asterisk (Vulnerable code introduced after 13.15.0) [wheezy] - asterisk (Vulnerable code introduced after 13.15.0) NOTE: http://downloads.asterisk.org/pub/security/AST-2017-014.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27480 CVE-2017-17849 (A buffer overflow vulnerability in GetGo Download Manager 5.3.0.2712 a ...) NOT-FOR-US: GetGo Download Manager CVE-2017-17857 (The check_stack_boundary function in kernel/bpf/verifier.c in the Linu ...) - linux 4.14.7-1 [stretch] - linux (Vulnerable code introdued later) [jessie] - linux (Vulnerable code introdued later) [wheezy] - linux (Vulnerable code introdued later) NOTE: Fixed by: https://git.kernel.org/linus/ea25f914dc164c8d56b36147ecc86bc65f83c469 CVE-2017-17856 (kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local ...) - linux 4.14.7-1 [stretch] - linux (Vulnerable code introdued later) [jessie] - linux (Vulnerable code introdued later) [wheezy] - linux (Vulnerable code introdued later) NOTE: Fixed by: https://git.kernel.org/linus/a5ec6ae161d72f01411169a938fa5f8baea16e8f CVE-2017-17855 (kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local ...) - linux 4.14.7-1 [stretch] - linux (Vulnerable code introdued later) [jessie] - linux (Vulnerable code introdued later) [wheezy] - linux (Vulnerable code introdued later) NOTE: Fixed by: https://git.kernel.org/linus/179d1c5602997fef5a940c6ddcf31212cbfebd14 CVE-2017-17854 (kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local ...) - linux 4.14.7-1 [stretch] - linux (Vulnerable code introdued later) [jessie] - linux (Vulnerable code introdued later) [wheezy] - linux (Vulnerable code introdued later) NOTE: Fixed by: https://git.kernel.org/linus/bb7f0f989ca7de1153bd128a40a71709e339fa03 CVE-2017-17853 (kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local ...) - linux 4.14.7-1 [stretch] - linux (Vulnerable code introdued later) [jessie] - linux (Vulnerable code introdued later) [wheezy] - linux (Vulnerable code introdued later) NOTE: Fixed by: https://git.kernel.org/linus/4374f256ce8182019353c0c639bb8d0695b4c941 CVE-2017-17852 (kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local ...) - linux 4.14.7-1 [stretch] - linux (Vulnerable code introdued later) [jessie] - linux (Vulnerable code introdued later) [wheezy] - linux (Vulnerable code introdued later) NOTE: Fixed by: https://git.kernel.org/linus/468f6eafa6c44cb2c5d8aad35e12f06c240a812a CVE-2017-17842 RESERVED CVE-2017-17841 (Palo Alto Networks PAN-OS 6.1, 7.1, and 8.0.x before 8.0.7, when an in ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-17840 (An issue was discovered in Open-iSCSI through 2.0.875. A local attacke ...) - open-iscsi 2.0.874-5 (bug #885021) [stretch] - open-iscsi (Minor issue) [jessie] - open-iscsi (Minor issue, iscsiuio not built in this version, source affected) [wheezy] - open-iscsi (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2017/12/13/2 NOTE: https://bugzilla.opensuse.org/show_bug.cgi?id=1072312 NOTE: Specfic CVE fixed by https://github.com/open-iscsi/open-iscsi/pull/72/commits/b9c33683bdc0aed28ffe31c3f3d50bf5cdf519ea NOTE: But all of the commits in https://github.com/open-iscsi/open-iscsi/pull/72 NOTE: should be applied. NOTE: Not marking the issue as unimportant, since vulnerable source is present, but NOTE: not in all suites iscsiuio is built. CVE-2017-17839 REJECTED CVE-2017-17838 REJECTED CVE-2017-17837 (The Apache DeltaSpike-JSF 1.8.0 module has a XSS injection leak in the ...) NOT-FOR-US: Apache DeltaSpike-JSF module CVE-2017-17836 (In Apache Airflow 1.8.2 and earlier, an experimental Airflow feature d ...) - airflow (bug #819700) CVE-2017-17835 (In Apache Airflow 1.8.2 and earlier, a CSRF vulnerability allowed for ...) - airflow (bug #819700) CVE-2017-17834 REJECTED CVE-2017-17833 (OpenSLP releases in the 1.0.2 and 1.1.0 code streams have a heap-relat ...) {DLA-2025-1 DLA-1364-1} - openslp-dfsg (low) NOTE: https://sourceforge.net/p/openslp/mercurial/ci/151f07745901cbdba6e00e4889561b4083250da1/ CVE-2017-17832 (ServersCheck Monitoring Software before 14.2.3 is prone to a cross-sit ...) NOT-FOR-US: ServersCheck Monitoring Software CVE-2017-17843 (An issue was discovered in Enigmail before 1.9.9 that allows remote at ...) {DSA-4070-1 DLA-1219-1} - enigmail 2:1.9.9-1 NOTE: https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf CVE-2017-17844 (An issue was discovered in Enigmail before 1.9.9. A remote attacker ca ...) {DSA-4070-1 DLA-1219-1} - enigmail 2:1.9.9-1 NOTE: https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf CVE-2017-17845 (An issue was discovered in Enigmail before 1.9.9. Improper Random Secr ...) {DSA-4070-1 DLA-1219-1} - enigmail 2:1.9.9-1 NOTE: https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf CVE-2017-17846 (An issue was discovered in Enigmail before 1.9.9. Regular expressions ...) {DSA-4070-1 DLA-1219-1} - enigmail 2:1.9.9-1 NOTE: https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf CVE-2017-17847 (An issue was discovered in Enigmail before 1.9.9. Signature spoofing i ...) {DSA-4070-1 DLA-1219-1} - enigmail 2:1.9.9-1 NOTE: https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf CVE-2017-17848 (An issue was discovered in Enigmail before 1.9.9. In a variant of CVE- ...) {DSA-4070-1 DLA-1219-1} - enigmail 2:1.9.9-1 NOTE: https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf CVE-2017-17831 (GitHub Git LFS before 2.1.1 allows remote attackers to execute arbitra ...) - git-lfs (Fixed before initial upload to Debian) NOTE: https://github.com/git-lfs/git-lfs/pull/2242 NOTE: https://github.com/git-lfs/git-lfs/releases/tag/v2.1.1 CVE-2017-17830 (Bus Booking Script has CSRF via admin/new_master.php. ...) NOT-FOR-US: Bus Booking Script CVE-2017-17829 (Bus Booking Script has SQL Injection via the admin/view_seatseller.php ...) NOT-FOR-US: Bus Booking Script CVE-2017-17828 (Bus Booking Script has XSS via the results.php datepicker parameter or ...) NOT-FOR-US: Bus Booking Script CVE-2017-17827 (Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.ph ...) - piwigo NOTE: https://github.com/Piwigo/Piwigo/issues/822 NOTE: https://github.com/Piwigo/Piwigo/commit/c3b4c6f7f0ddeaea492080fb8211d7b4cfedaf6f NOTE: https://github.com/Piwigo/Piwigo/commit/77f02bfd76ed13dd14044d04cdd8d28213e1848d CVE-2017-17826 (The Configuration component of Piwigo 2.9.2 is vulnerable to Persisten ...) - piwigo CVE-2017-17825 (The Batch Manager component of Piwigo 2.9.2 is vulnerable to Persisten ...) - piwigo CVE-2017-17824 (The Batch Manager component of Piwigo 2.9.2 is vulnerable to SQL Injec ...) - piwigo CVE-2017-17823 (The Configuration component of Piwigo 2.9.2 is vulnerable to SQL Injec ...) - piwigo CVE-2017-17822 (The List Users API of Piwigo 2.9.2 is vulnerable to SQL Injection via ...) - piwigo CVE-2017-17821 (WTF/wtf/FastBitVector.h in WebKit, as distributed in Safari Technology ...) - webkit2gtk 2.22.0-2 (unimportant) NOTE: https://bugs.webkit.org/show_bug.cgi?id=181020 (not public) NOTE: Not covered by security support CVE-2017-17820 (In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free in pp_l ...) - nasm 2.13.02-0.1 [stretch] - nasm (Minor issue) [jessie] - nasm (Minor issue) [wheezy] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392433 CVE-2017-17819 (In Netwide Assembler (NASM) 2.14rc0, there is an illegal address acces ...) - nasm 2.13.02-0.1 [stretch] - nasm (Minor issue) [jessie] - nasm (Minor issue) [wheezy] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392435 NOTE: http://repo.or.cz/nasm.git/commit/7524cfd91492e6e3719b959498be584a9ced13af (nasm-2.13.02rc3) CVE-2017-17818 (In Netwide Assembler (NASM) 2.14rc0, there is a heap-based buffer over ...) - nasm 2.13.02-0.1 [stretch] - nasm (Minor issue) [jessie] - nasm (Minor issue) [wheezy] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392428 CVE-2017-17817 (In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free in pp_v ...) - nasm 2.13.02-0.1 [stretch] - nasm (Minor issue) [jessie] - nasm (Minor issue) [wheezy] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392427 CVE-2017-17816 (In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free in pp_g ...) - nasm 2.13.02-0.1 [stretch] - nasm (Minor issue) [jessie] - nasm (Minor issue) [wheezy] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392426 CVE-2017-17815 (In Netwide Assembler (NASM) 2.14rc0, there is an illegal address acces ...) - nasm 2.13.02-0.1 [stretch] - nasm (Minor issue) [jessie] - nasm (Minor issue) [wheezy] - nasm (Minor issue) NOTE: http://repo.or.cz/nasm.git/commit/c9244eaadd05b27637cde06021bac3fa1d920aa3 (nasm-2.13.02rc3) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392436 CVE-2017-17814 (In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free in do_d ...) - nasm 2.13.02-0.1 [stretch] - nasm (Minor issue) [jessie] - nasm (Minor issue) [wheezy] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392430 CVE-2017-17813 (In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free in the ...) - nasm 2.13.02-0.1 [stretch] - nasm (Minor issue) [jessie] - nasm (Minor issue) [wheezy] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392429 CVE-2017-17812 (In Netwide Assembler (NASM) 2.14rc0, there is a heap-based buffer over ...) - nasm 2.13.02-0.1 [stretch] - nasm (Minor issue) [jessie] - nasm (Minor issue) [wheezy] - nasm (Minor issue) NOTE: http://repo.or.cz/nasm.git/commit/9b7ee09abfd426b99aa1ea81d19a3b2818eeabf9 (nasm-2.13.02rc3) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392424 CVE-2017-17811 (In Netwide Assembler (NASM) 2.14rc0, there is a heap-based buffer over ...) - nasm 2.13.02-0.1 [stretch] - nasm (Minor issue) [jessie] - nasm (Minor issue) [wheezy] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392432 CVE-2017-17810 (In Netwide Assembler (NASM) 2.14rc0, there is a "SEGV on unknown addre ...) - nasm 2.13.02-0.1 [stretch] - nasm (Minor issue) [jessie] - nasm (Minor issue) [wheezy] - nasm (Minor issue) NOTE: http://repo.or.cz/nasm.git/commit/59ce1c67b16967c652765e62aa130b7e43f21dd4 (nasm-2.13.02rc3) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392431 CVE-2017-17809 (In Golden Frog VyprVPN before 2.15.0.5828 for macOS, the vyprvpnservic ...) NOT-FOR-US: Golden Frog VyprVPN CVE-2017-17808 RESERVED CVE-2018-3599 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3598 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3597 (In the ADSP RPC driver in Android releases from CAF using the linux ke ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3596 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3595 (Anti-rollback can be bypassed in replay scenario during app loading du ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3594 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3593 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3592 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3591 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3590 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3589 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3588 (There is improper access control of the SSC and GPU mapped regions whi ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3587 (In a firmware memory dump feature in all Android releases from CAF usi ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3586 (An integer overflow to buffer overflow vulnerability exists in the ADS ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3585 RESERVED CVE-2018-3584 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3583 (A buffer overflow can occur while processing an extscan hotlist event ...) NOT-FOR-US: Snapdragon CVE-2018-3582 (Buffer overflow can occur due to improper input validation in multiple ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3581 (In the WLAN driver in all Android releases from CAF (Android for MSM, ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3580 (Stack-based buffer overflow can occur In the WLAN driver if the pmkid_ ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3579 (In the WLAN driver in all Android releases from CAF (Android for MSM, ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3578 (Type mismatch for ie_len can cause the WLAN driver to allocate less me ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3577 (While processing fragments, when the fragment count becomes very large ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3576 (improper validation of array index in WiFi driver function sapInterfer ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3575 RESERVED CVE-2018-3574 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) - linux (Qualcomm specific changes) CVE-2018-3573 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3572 (While processing a DSP buffer in an audio driver's event handler, an i ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3571 (In the KGSL driver in all Android releases from CAF (Android for MSM, ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3570 (In the cpuidle driver in all Android releases(Android for MSM, Firefox ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3569 (A buffer over-read can occur during a fast initial link setup (FILS) c ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3568 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3567 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3566 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3565 (While sending a probe request indication in lim_send_sme_probe_req_ind ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3564 (In the FastRPC driver in Android releases from CAF using the linux ker ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3563 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3562 (Buffer over -read can occur while processing a FILS authentication fra ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3561 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-3560 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-17807 (The KEYS subsystem in the Linux kernel before 4.14.6 omitted an access ...) {DSA-4082-1 DSA-4073-1 DLA-1232-1} - linux 4.14.7-1 NOTE: Fixed by: https://git.kernel.org/linus/4dca6ea1d9432052afb06baf2e3ae78188a4410b (v4.15-rc3) CVE-2017-17806 (The HMAC implementation (crypto/hmac.c) in the Linux kernel before 4.1 ...) {DSA-4082-1 DSA-4073-1 DLA-1232-1} - linux 4.14.7-1 NOTE: Fixed by: https://git.kernel.org/linus/af3ff8045bbf3e32f1a448542e73abb4c8ceb6f1 (v4.15-rc4) CVE-2017-17805 (The Salsa20 encryption algorithm in the Linux kernel before 4.14.8 doe ...) {DSA-4082-1 DSA-4073-1 DLA-1232-1} - linux 4.14.7-1 NOTE: Fixed by: https://git.kernel.org/linus/ecaaab5649781c5a0effdaf298a925063020500e (4.15-rc4) CVE-2017-17804 (In IKARUS anti.virus 2.16.20, the driver file (ntguard.SYS) allows loc ...) NOT-FOR-US: IKARUS anti.virus CVE-2017-17803 (In TG Soft Vir.IT eXplorer Lite 8.5.65, the driver file (VIRAGTLT.SYS) ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17802 (In TG Soft Vir.IT eXplorer Lite 8.5.65, the driver file (VIRAGTLT.SYS) ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17801 (In TG Soft Vir.IT eXplorer Lite 8.5.65, the driver file (VIRAGTLT.SYS) ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17800 (In TG Soft Vir.IT eXplorer Lite 8.5.65, the driver file (VIRAGTLT.SYS) ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17799 (In TG Soft Vir.IT eXplorer Lite 8.5.65, the driver file (VIRAGTLT.SYS) ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17798 (In TG Soft Vir.IT eXplorer Lite 8.5.42, the driver file (VIRAGTLT.SYS) ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17797 (In IKARUS anti.virus 2.16.20, the driver file (ntguard.SYS) allows loc ...) NOT-FOR-US: IKARUS anti.virus CVE-2017-17796 (In TG Soft Vir.IT eXplorer Lite 8.5.65, the driver file (VIRAGTLT.SYS) ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17795 (In IKARUS anti.virus 2.16.20, the driver file (ntguard.SYS) allows loc ...) NOT-FOR-US: IKARUS anti.virus CVE-2017-17794 (validate_form_preferences in admin/preferences.php in BlogoText throug ...) NOT-FOR-US: BlogoText CVE-2017-17793 (Information Disclosure vulnerability in creer_fichier_zip in admin/mai ...) NOT-FOR-US: BlogoText CVE-2017-17792 (Cross site scripting (XSS) vulnerability in the markup_clean_href func ...) NOT-FOR-US: BlogoText CVE-2017-17791 RESERVED CVE-2017-17790 (The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 us ...) {DSA-4259-1 DLA-1421-1 DLA-1222-1 DLA-1221-1} - ruby2.5 2.5.0-1 (bug #884878) - ruby2.3 (bug #884879) - ruby2.1 - ruby1.9.1 - ruby1.8 NOTE: https://github.com/ruby/ruby/pull/1777 NOTE: Fixed by: https://github.com/ruby/ruby/commit/e7464561b5151501beb356fc750d5dd1a88014f7 CVE-2017-17783 (In GraphicsMagick 1.3.27a, there is a buffer over-read in ReadPALMImag ...) {DSA-4321-1} - graphicsmagick 1.3.27-2 (bug #884904) [jessie] - graphicsmagick (Minor issue) [wheezy] - graphicsmagick (vulnerable code not present, unreproducible with ASAN) NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=60932931559a NOTE: https://sourceforge.net/p/graphicsmagick/bugs/529/ CVE-2017-17782 (In GraphicsMagick 1.3.27a, there is a heap-based buffer over-read in R ...) {DSA-4321-1 DLA-1401-1 DLA-1231-1} - graphicsmagick 1.3.27-2 (bug #884905) NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=8e3d2264109c NOTE: https://sourceforge.net/p/graphicsmagick/bugs/530/ CVE-2017-17781 REJECTED CVE-2017-17780 (The Clockwork SMS clockwork-test-message.php component has XSS via a c ...) NOT-FOR-US: Clockwork SMS plugins for WordPress CVE-2017-17779 (Paid To Read Script 2.0.5 has SQL injection via the referrals.php id p ...) NOT-FOR-US: Paid To Read Script CVE-2017-17778 (Paid To Read Script 2.0.5 has XSS via the referrals.php tier parameter ...) NOT-FOR-US: Paid To Read Script CVE-2017-17777 (Paid To Read Script 2.0.5 has authentication bypass in the admin panel ...) NOT-FOR-US: Paid To Read Script CVE-2017-17776 (Paid To Read Script 2.0.5 has full path disclosure via an invalid admi ...) NOT-FOR-US: Paid To Read Script CVE-2017-17775 (Piwigo 2.9.2 has XSS via the name parameter in an admin.php?page=album ...) - piwigo CVE-2017-17774 (admin/configuration.php in Piwigo 2.9.2 has CSRF. ...) - piwigo CVE-2017-17773 (In Snapdragon Automobile, Snapdragon Wearable and Snapdragon Mobile MD ...) NOT-FOR-US: Android Qualcomm closed-source components CVE-2017-17772 RESERVED NOT-FOR-US: Qualcomm component for Android CVE-2017-17771 (In msm_isp_prepare_v4l2_buf in Android for MSM, Firefox OS for MSM, an ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-17770 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Android Linux component (source code not availalable, so probably Android-specific) CVE-2017-17769 (Information leakage in Android for MSM, Firefox OS for MSM, and QRD An ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-17768 RESERVED CVE-2017-17767 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-17766 (In wma_peer_info_event_handler() in Android for MSM, Firefox OS for MS ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-17765 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-17764 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-17763 (SuperBeam through 4.1.3, when using the LAN or WiFi Direct Share featu ...) NOT-FOR-US: SuperBeam CVE-2017-17762 (XML external entity (XXE) vulnerability in Episerver 7 patch 4 and ear ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-17761 (An issue was discovered on Ichano AtHome IP Camera devices. The device ...) NOT-FOR-US: Ichano AtHome IP Camera CVE-2017-17476 (Open Ticket Request System (OTRS) 4.0.x before 4.0.28, 5.0.x before 5. ...) {DSA-4069-1 DLA-1215-1} - otrs2 6.0.3-1 (bug #884801) NOTE: https://www.otrs.com/security-advisory-2017-10-security-update-otrs-framework/ NOTE: OTRS-6: https://github.com/OTRS/otrs/commit/36e3be99cfe8a9e09afa1b75fdc39f3e28f561fc NOTE: OTRS-5: https://github.com/OTRS/otrs/commit/720c73fbf53e476ca7dfdf2ae1d4d3d2aad2b953 NOTE: OTRS-4: https://github.com/OTRS/otrs/commit/26707eaaa791648e6c7ad6aeaa27efd70e7c66eb CVE-2017-17785 (In GIMP 2.8.22, there is a heap-based buffer overflow in the fli_read_ ...) {DSA-4077-1 DLA-1220-1} - gimp 2.8.20-1.1 (bug #884836) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=739133 NOTE: https://git.gnome.org/browse/gimp/commit/?id=edb251a7ef1602d20a5afcbf23f24afb163de63b (master) NOTE: https://git.gnome.org/browse/gimp/commit/?id=1882bac996a20ab5c15c42b0c5e8f49033a1af54 (gimp-2-8) NOTE: Can be reproduced (at least in wheezy) with "valgrind --trace-children=yes gimp " CVE-2017-17786 (In GIMP 2.8.22, there is a heap-based buffer over-read in ReadImage in ...) {DSA-4077-1 DLA-1220-1} - gimp 2.8.20-1.1 (unimportant; bug #884862) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=739134 NOTE: https://git.gnome.org/browse/gimp/commit/?id=674b62ad45b6579ec6d7923dc3cb1ef4e8b5498b (master) NOTE: https://git.gnome.org/browse/gimp/commit/?id=8ea316667c8a3296bce2832b3986b58d0fdfc077 (master) NOTE: https://git.gnome.org/browse/gimp/commit/?h=gimp-2-8&id=ef9c821fff8b637a2178eab1c78cae6764c50e12 (gimp-2-8) NOTE: https://git.gnome.org/browse/gimp/commit/?h=gimp-2-8&id=22e2571c25425f225abdb11a566cc281fca6f366 (gimp-2-8) NOTE: Crash in desktop tool, no/negligible security impact CVE-2017-17788 (In GIMP 2.8.22, there is a stack-based buffer over-read in xcf_load_st ...) {DSA-4077-1 DLA-1220-1} - gimp 2.8.20-1.1 (unimportant; bug #885347) NOTE: https://git.gnome.org/browse/gimp/commit/?id=702c4227e8b6169f781e4bb5ae4b5733f51ab126 (master) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=790783 NOTE: Crash in desktop tool, no/negligible security impact CVE-2017-17784 (In GIMP 2.8.22, there is a heap-based buffer over-read in load_image i ...) {DSA-4077-1 DLA-1220-1} - gimp 2.8.20-1.1 (unimportant; bug #884925) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=790784 NOTE: https://git.gnome.org/browse/gimp/commit/?id=06d24a79af94837d615d0024916bb95a01bf3c59 (master) NOTE: https://git.gnome.org/browse/gimp/commit/?id=c57f9dcf1934a9ab0cd67650f2dea18cb0902270 (gimp-2-8) NOTE: Crash in desktop tool, no/negligible security impact CVE-2017-17789 (In GIMP 2.8.22, there is a heap-based buffer overflow in read_channel_ ...) {DSA-4077-1 DLA-1220-1} - gimp 2.8.20-1.1 (bug #884837) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=790849 NOTE: https://git.gnome.org/browse/GIMP/commit/?id=28e95fbeb5720e6005a088fa811f5bf3c1af48b8 (master) NOTE: https://git.gnome.org/browse/GIMP/commit/?id=01898f10f87a094665a7fdcf7153990f4e511d3f (gimp-2-8) NOTE: Cannot be reproduced in wheezy with "valgrind --trace-children=yes gimp " NOTE: Some OOB read/write can be reproduced in sid with "valgrind --trace-children=yes gimp " CVE-2017-17787 (In GIMP 2.8.22, there is a heap-based buffer over-read in read_creator ...) {DSA-4077-1 DLA-1220-1} - gimp 2.8.20-1.1 (unimportant; bug #884927) NOTE: https://git.gnome.org/browse/GIMP/commit/?id=eb2980683e6472aff35a3117587c4f814515c74d (master) NOTE: https://git.gnome.org/browse/GIMP/commit/?id=87ba505fff85989af795f4ab6a047713f4d9381d (gimp-2-8) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=790853 NOTE: Crash in desktop tool, no/negligible security impact CVE-2017-17760 (OpenCV 3.3.1 has a Buffer Overflow in the cv::PxMDecoder::readData fun ...) {DLA-1438-1 DLA-1235-1} [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #885843) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/10351 NOTE: https://github.com/opencv/opencv/pull/10369/commits/7bbe1a53cfc097b82b1589f7915a2120de39274c CVE-2017-17759 (Conarc iChannel allows remote attackers to obtain sensitive informatio ...) NOT-FOR-US: Conarc iChannel CVE-2017-17758 (TP-Link TL-WVR and TL-WAR devices allow remote authenticated users to ...) NOT-FOR-US: TP-Link CVE-2017-17757 (TP-Link TL-WVR and TL-WAR devices allow remote authenticated users to ...) NOT-FOR-US: TP-Link CVE-2017-17756 RESERVED CVE-2017-17755 RESERVED CVE-2017-17754 RESERVED CVE-2017-17753 (Multiple cross-site scripting (XSS) vulnerabilities in the esb-csv-imp ...) NOT-FOR-US: esb-csv-import-export plugin for WordPress CVE-2017-17752 (Ability Mail Server 3.3.2 has Cross Site Scripting (XSS) via the body ...) NOT-FOR-US: Ability Mail Server CVE-2017-17751 (Bose SoundTouch devices allows remote attackers to achieve remote cont ...) NOT-FOR-US: Bose SoundTouch devices CVE-2017-17750 (Bose SoundTouch devices allow XSS via a crafted public playlist from S ...) NOT-FOR-US: Bose SoundTouch devices CVE-2017-17749 (Bose SoundTouch devices allow XSS via crafted song data from a music s ...) NOT-FOR-US: Bose SoundTouch devices CVE-2017-17748 RESERVED CVE-2017-17747 (Weak access controls in the Device Logout functionality on the TP-Link ...) NOT-FOR-US: TP-Link CVE-2017-17746 (Weak access control methods on the TP-Link TL-SG108E 1.0.0 allow any u ...) NOT-FOR-US: TP-Link CVE-2017-17745 (Cross-site scripting (XSS) vulnerability in system_name_set.cgi in TP- ...) NOT-FOR-US: TP-Link CVE-2017-17744 (A cross-site scripting (XSS) vulnerability in the custom-map plugin th ...) NOT-FOR-US: custom-map plugin for WordPress CVE-2017-17743 (Improper input sanitization within the restricted administration shell ...) NOT-FOR-US: UCOPIA Wireless Appliance CVE-2017-17742 (Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x befo ...) {DSA-4259-1 DLA-2027-1 DLA-1421-1 DLA-1359-1 DLA-1358-1} - ruby2.5 2.5.1-1 - ruby2.3 - ruby2.1 - ruby1.9.1 - ruby1.8 NOTE: https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/ CVE-2017-17741 (The KVM implementation in the Linux kernel through 4.14.7 allows attac ...) {DSA-4082-1 DSA-4073-1 DLA-1232-1} - linux 4.14.7-1 NOTE: https://www.spinics.net/lists/kvm/msg160796.html CVE-2017-17740 (contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when bot ...) - openldap (unimportant) NOTE: http://www.openldap.org/its/index.cgi/Incoming?id=8759 NOTE: nops slapd-module not built CVE-2017-17739 (The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and bel ...) NOT-FOR-US: BrightSign Digital Signage CVE-2017-17738 (The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and bel ...) NOT-FOR-US: BrightSign Digital Signage CVE-2017-17737 (The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and bel ...) NOT-FOR-US: BrightSign Digital Signage CVE-2017-17736 (Kentico 9.0 before 9.0.51 and 10.0 before 10.0.48 allows remote attack ...) NOT-FOR-US: Kentico CVE-2017-17735 (CMS Made Simple (CMSMS) before 2.2.5 does not properly cache login inf ...) NOT-FOR-US: CMS Made Simple (CMSMS) CVE-2017-17734 (CMS Made Simple (CMSMS) before 2.2.5 does not properly cache login inf ...) NOT-FOR-US: CMS Made Simple (CMSMS) CVE-2017-17733 (Maccms 8.x allows remote command execution via the wd parameter in an ...) NOT-FOR-US: Maccms CVE-2017-17732 RESERVED CVE-2017-17731 (DedeCMS through 5.7 has SQL Injection via the $_FILES superglobal to p ...) NOT-FOR-US: DedeCMS CVE-2017-17730 (DedeCMS through 5.7 has SQL Injection via the logo parameter to plus/f ...) NOT-FOR-US: DedeCMS CVE-2017-17729 RESERVED CVE-2017-17728 RESERVED CVE-2017-17727 (DedeCMS through 5.6 allows arbitrary file upload and PHP code executio ...) NOT-FOR-US: DedeCMS CVE-2017-17726 RESERVED CVE-2017-17725 (In Exiv2 0.26, there is an integer overflow leading to a heap-based bu ...) - exiv2 (Introduced in 0.26; only affected experimental) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1525055 NOTE: https://github.com/Exiv2/exiv2/issues/188 NOTE: https://github.com/Exiv2/exiv2/pull/193 CVE-2017-17724 (In Exiv2 0.26, there is a heap-based buffer over-read in the Exiv2::Ip ...) - exiv2 (Introduced in 0.26; only affected experimental; bug #891783) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1524107 NOTE: https://github.com/Exiv2/exiv2/issues/210 NOTE: https://github.com/Exiv2/exiv2/commit/962962a8e9885ccbca28f624492f1427152a0695 CVE-2017-17723 (In Exiv2 0.26, there is a heap-based buffer over-read in the Exiv2::Im ...) - exiv2 (Introduced in 0.26; only affected experimental) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1524104 NOTE: https://github.com/Exiv2/exiv2/issues/229 NOTE: https://github.com/Exiv2/exiv2/commit/36df4bc997d74ecc447e4541e2fc3fda10586103 CVE-2017-17722 (In Exiv2 0.26, there is a reachable assertion in the readHeader functi ...) - exiv2 (Vulnerable code introduced in 0.26; only affected experimental; bug #891044) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1524116 NOTE: https://github.com/Exiv2/exiv2/issues/208 NOTE: https://github.com/Exiv2/exiv2/issues/228 (duplicate) NOTE: https://github.com/Kicer86/exiv2/commit/1647908e00a4df7246d76678e59587e62c690dcd CVE-2017-17721 (CWEBNET/WOSummary/List in ZUUSE BEIMS ContractorWeb .NET 5.18.0.0 allo ...) NOT-FOR-US: ZUUSE BEIMS ContractorWeb .NET CVE-2017-17720 RESERVED CVE-2017-17719 (A cross-site scripting (XSS) vulnerability in the wp-concours plugin t ...) NOT-FOR-US: wp-concours plugin for WordPress CVE-2017-17718 (The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SS ...) - ruby-net-ldap 0.16.1-1 (bug #884693) [stretch] - ruby-net-ldap (Minor issue) [jessie] - ruby-net-ldap (Documentation already states that there is no validation) [wheezy] - ruby-net-ldap (Doc always said that there is no validation) NOTE: https://github.com/ruby-ldap/ruby-net-ldap/issues/258 NOTE: Versions < 0.10 properly acknowledge in their documentation the lack of any SSL NOTE: validation, see https://sources.debian.org/src/ruby-net-ldap/0.8.0-1/lib/net/ldap.rb/#L476 NOTE: In wheezy/jessie, only reverse dependencies are redmine (which is unsupported in wheezy) NOTE: and ruby-omniauth-ldap (which has no reverse dep either). CVE-2017-17717 (Sonatype Nexus Repository Manager through 2.14.5 has weak password enc ...) NOT-FOR-US: Sonatype Nexus CVE-2017-17716 (GitLab 9.4.x before 9.4.2 does not support LDAP SSL certificate verifi ...) - gitlab (vulnerable version never uploaded to the archive) CVE-2017-17715 (The saveFile method in MediaController.java in the Telegram Messenger ...) NOT-FOR-US: Telegram Messenger for Android CVE-2017-17714 (Trape before 2017-11-05 has XSS via the /nr red parameter, the /nr vId ...) NOT-FOR-US: Trape CVE-2017-17713 (Trape before 2017-11-05 has SQL injection via the /nr red parameter, t ...) NOT-FOR-US: Trape CVE-2017-17712 (The raw_sendmsg() function in net/ipv4/raw.c in the Linux kernel throu ...) {DSA-4073-1} - linux 4.14.7-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/8f659a03a0ba9289b9aeb9b4470e6fb263d6f483 CVE-2017-17711 RESERVED CVE-2017-17710 RESERVED CVE-2017-17709 RESERVED CVE-2017-17708 (Because of insufficient authorization checks it is possible for any au ...) NOT-FOR-US: Pleasant Password Server CVE-2017-17707 (Due to missing authorization checks, any authenticated user is able to ...) NOT-FOR-US: Pleasant Password Server CVE-2017-17706 RESERVED CVE-2017-17705 RESERVED CVE-2017-17704 (A door-unlocking issue was discovered on Software House iStar Ultra de ...) NOT-FOR-US: Software House iStar Ultra devices CVE-2017-17703 (Synacor Zimbra Collaboration Suite (ZCS) before 8.8.3 has Persistent X ...) NOT-FOR-US: Zimbra CVE-2017-17702 RESERVED CVE-2018-3559 RESERVED CVE-2018-3558 RESERVED CVE-2018-3557 RESERVED CVE-2018-3556 RESERVED CVE-2018-3555 RESERVED CVE-2018-3554 RESERVED CVE-2018-3553 RESERVED CVE-2018-3552 RESERVED CVE-2018-3551 RESERVED CVE-2018-3550 RESERVED CVE-2018-3549 RESERVED CVE-2018-3548 RESERVED CVE-2018-3547 RESERVED CVE-2018-3546 RESERVED CVE-2018-3545 RESERVED CVE-2018-3544 RESERVED CVE-2018-3543 RESERVED CVE-2018-3542 RESERVED CVE-2018-3541 RESERVED CVE-2018-3540 RESERVED CVE-2018-3539 RESERVED CVE-2018-3538 RESERVED CVE-2018-3537 RESERVED CVE-2018-3536 RESERVED CVE-2018-3535 RESERVED CVE-2018-3534 RESERVED CVE-2018-3533 RESERVED CVE-2018-3532 RESERVED CVE-2018-3531 RESERVED CVE-2018-3530 RESERVED CVE-2018-3529 RESERVED CVE-2018-3528 RESERVED CVE-2018-3527 RESERVED CVE-2018-3526 RESERVED CVE-2018-3525 RESERVED CVE-2018-3524 RESERVED CVE-2018-3523 RESERVED CVE-2018-3522 RESERVED CVE-2018-3521 RESERVED CVE-2018-3520 RESERVED CVE-2018-3519 RESERVED CVE-2018-3518 RESERVED CVE-2018-3517 RESERVED CVE-2018-3516 RESERVED CVE-2018-3515 RESERVED CVE-2018-3514 RESERVED CVE-2018-3513 RESERVED CVE-2018-3512 RESERVED CVE-2018-3511 RESERVED CVE-2018-3510 RESERVED CVE-2018-3509 RESERVED CVE-2018-3508 RESERVED CVE-2018-3507 RESERVED CVE-2018-3506 RESERVED CVE-2018-3505 RESERVED CVE-2018-3504 RESERVED CVE-2018-3503 RESERVED CVE-2018-3502 RESERVED CVE-2018-3501 RESERVED CVE-2018-3500 RESERVED CVE-2018-3499 RESERVED CVE-2018-3498 RESERVED CVE-2018-3497 RESERVED CVE-2018-3496 RESERVED CVE-2018-3495 RESERVED CVE-2018-3494 RESERVED CVE-2018-3493 RESERVED CVE-2018-3492 RESERVED CVE-2018-3491 RESERVED CVE-2018-3490 RESERVED CVE-2018-3489 RESERVED CVE-2018-3488 RESERVED CVE-2018-3487 RESERVED CVE-2018-3486 RESERVED CVE-2018-3485 RESERVED CVE-2018-3484 RESERVED CVE-2018-3483 RESERVED CVE-2018-3482 RESERVED CVE-2018-3481 RESERVED CVE-2018-3480 RESERVED CVE-2018-3479 RESERVED CVE-2018-3478 RESERVED CVE-2018-3477 RESERVED CVE-2018-3476 RESERVED CVE-2018-3475 RESERVED CVE-2018-3474 RESERVED CVE-2018-3473 RESERVED CVE-2018-3472 RESERVED CVE-2018-3471 RESERVED CVE-2018-3470 RESERVED CVE-2018-3469 RESERVED CVE-2018-3468 RESERVED CVE-2018-3467 RESERVED CVE-2018-3466 RESERVED CVE-2018-3465 RESERVED CVE-2018-3464 RESERVED CVE-2018-3463 RESERVED CVE-2018-3462 RESERVED CVE-2018-3461 RESERVED CVE-2018-3460 RESERVED CVE-2018-3459 RESERVED CVE-2018-3458 RESERVED CVE-2018-3457 RESERVED CVE-2018-3456 RESERVED CVE-2018-3455 RESERVED CVE-2018-3454 RESERVED CVE-2018-3453 RESERVED CVE-2018-3452 RESERVED CVE-2018-3451 RESERVED CVE-2018-3450 RESERVED CVE-2018-3449 RESERVED CVE-2018-3448 RESERVED CVE-2018-3447 RESERVED CVE-2018-3446 RESERVED CVE-2018-3445 RESERVED CVE-2018-3444 RESERVED CVE-2018-3443 RESERVED CVE-2018-3442 RESERVED CVE-2018-3441 RESERVED CVE-2018-3440 RESERVED CVE-2018-3439 RESERVED CVE-2018-3438 RESERVED CVE-2018-3437 RESERVED CVE-2018-3436 RESERVED CVE-2018-3435 RESERVED CVE-2018-3434 RESERVED CVE-2018-3433 RESERVED CVE-2018-3432 RESERVED CVE-2018-3431 RESERVED CVE-2018-3430 RESERVED CVE-2018-3429 RESERVED CVE-2018-3428 RESERVED CVE-2018-3427 RESERVED CVE-2018-3426 RESERVED CVE-2018-3425 RESERVED CVE-2018-3424 RESERVED CVE-2018-3423 RESERVED CVE-2018-3422 RESERVED CVE-2018-3421 RESERVED CVE-2018-3420 RESERVED CVE-2018-3419 RESERVED CVE-2018-3418 RESERVED CVE-2018-3417 RESERVED CVE-2018-3416 RESERVED CVE-2018-3415 RESERVED CVE-2018-3414 RESERVED CVE-2018-3413 RESERVED CVE-2018-3412 RESERVED CVE-2018-3411 RESERVED CVE-2018-3410 RESERVED CVE-2018-3409 RESERVED CVE-2018-3408 RESERVED CVE-2018-3407 RESERVED CVE-2018-3406 RESERVED CVE-2018-3405 RESERVED CVE-2018-3404 RESERVED CVE-2018-3403 RESERVED CVE-2018-3402 RESERVED CVE-2018-3401 RESERVED CVE-2018-3400 RESERVED CVE-2018-3399 RESERVED CVE-2018-3398 RESERVED CVE-2018-3397 RESERVED CVE-2018-3396 RESERVED CVE-2018-3395 RESERVED CVE-2018-3394 RESERVED CVE-2018-3393 RESERVED CVE-2018-3392 RESERVED CVE-2018-3391 RESERVED CVE-2018-3390 RESERVED CVE-2018-3389 RESERVED CVE-2018-3388 RESERVED CVE-2018-3387 RESERVED CVE-2018-3386 RESERVED CVE-2018-3385 RESERVED CVE-2018-3384 RESERVED CVE-2018-3383 RESERVED CVE-2018-3382 RESERVED CVE-2018-3381 RESERVED CVE-2018-3380 RESERVED CVE-2018-3379 RESERVED CVE-2018-3378 RESERVED CVE-2018-3377 RESERVED CVE-2018-3376 RESERVED CVE-2018-3375 RESERVED CVE-2018-3374 RESERVED CVE-2018-3373 RESERVED CVE-2018-3372 RESERVED CVE-2018-3371 RESERVED CVE-2018-3370 RESERVED CVE-2018-3369 RESERVED CVE-2018-3368 RESERVED CVE-2018-3367 RESERVED CVE-2018-3366 RESERVED CVE-2018-3365 RESERVED CVE-2018-3364 RESERVED CVE-2018-3363 RESERVED CVE-2018-3362 RESERVED CVE-2018-3361 RESERVED CVE-2018-3360 RESERVED CVE-2018-3359 RESERVED CVE-2018-3358 RESERVED CVE-2018-3357 RESERVED CVE-2018-3356 RESERVED CVE-2018-3355 RESERVED CVE-2018-3354 RESERVED CVE-2018-3353 RESERVED CVE-2018-3352 RESERVED CVE-2018-3351 RESERVED CVE-2018-3350 RESERVED CVE-2018-3349 RESERVED CVE-2018-3348 RESERVED CVE-2018-3347 RESERVED CVE-2018-3346 RESERVED CVE-2018-3345 RESERVED CVE-2018-3344 RESERVED CVE-2018-3343 RESERVED CVE-2018-3342 RESERVED CVE-2018-3341 RESERVED CVE-2018-3340 RESERVED CVE-2018-3339 RESERVED CVE-2018-3338 RESERVED CVE-2018-3337 RESERVED CVE-2018-3336 RESERVED CVE-2018-3335 RESERVED CVE-2018-3334 RESERVED CVE-2018-3333 RESERVED CVE-2018-3332 RESERVED CVE-2018-3331 RESERVED CVE-2018-3330 RESERVED CVE-2018-3329 RESERVED CVE-2018-3328 RESERVED CVE-2018-3327 RESERVED CVE-2018-3326 RESERVED CVE-2018-3325 RESERVED CVE-2018-3324 RESERVED CVE-2018-3323 RESERVED CVE-2018-3322 RESERVED CVE-2018-3321 RESERVED CVE-2018-3320 RESERVED CVE-2018-3319 RESERVED CVE-2018-3318 RESERVED CVE-2018-3317 RESERVED CVE-2018-3316 (Vulnerability in the Oracle Retail Customer Management and Segmentatio ...) NOT-FOR-US: Oracle CVE-2018-3315 (Vulnerability in the Oracle Retail Customer Management and Segmentatio ...) NOT-FOR-US: Oracle CVE-2018-3314 (Vulnerability in the MICROS Relate CRM Software component of Oracle Re ...) NOT-FOR-US: Oracle CVE-2018-3313 RESERVED CVE-2018-3312 (Vulnerability in the Oracle Retail Customer Engagement component of Or ...) NOT-FOR-US: Oracle CVE-2018-3311 (Vulnerability in the Oracle Retail Xstore Payment component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3310 RESERVED CVE-2018-3309 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.22-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2018-3308 RESERVED CVE-2018-3307 RESERVED CVE-2018-3306 RESERVED CVE-2018-3305 (Vulnerability in the Oracle Application Testing Suite component of Ora ...) NOT-FOR-US: Oracle CVE-2018-3304 (Vulnerability in the Oracle Application Testing Suite component of Ora ...) NOT-FOR-US: Oracle CVE-2018-3303 (Vulnerability in the Enterprise Manager Base Platform component of Ora ...) NOT-FOR-US: Oracle CVE-2018-3302 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3301 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-3300 (Vulnerability in the Oracle Retail Xstore Office product of Oracle Ret ...) NOT-FOR-US: Oracle CVE-2018-3299 (Vulnerability in the Oracle Text component of Oracle Database Server. ...) NOT-FOR-US: Oracle CVE-2018-3298 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.20-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2018-3297 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.20-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2018-3296 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.20-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2018-3295 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.20-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2018-3294 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.20-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2018-3293 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.20-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2018-3292 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.20-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2018-3291 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.20-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2018-3290 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.20-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2018-3289 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.20-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2018-3288 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.20-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2018-3287 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.20-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2018-3286 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) - mysql-5.5 (Only affects MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL CVE-2018-3285 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) - mysql-5.5 (Only affects MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL CVE-2018-3284 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.24-1 (bug #911221) - mysql-5.5 (Only affects MySQL 5.7 and MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL CVE-2018-3283 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.24-1 (bug #911221) - mysql-5.5 (Only affects MySQL 5.7 and MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL CVE-2018-3282 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DLA-1570-1 DLA-1566-1} - mariadb-10.1 1:10.1.37-1 (bug #912848) - mariadb-10.0 - mysql-5.7 5.7.24-1 (bug #911221) - mysql-5.5 NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL NOTE: Fixed in MariaDB: 10.1.37, 10.0.37 CVE-2018-3281 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle CVE-2018-3280 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) - mysql-5.5 (Only affects MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL CVE-2018-3279 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) - mysql-5.5 (Only affects MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL CVE-2018-3278 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.24-1 (bug #911221) - mysql-5.5 (Only affects MySQL 5.6, MySQL 5.7 and MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL CVE-2018-3277 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.24-1 (bug #911221) - mysql-5.5 (Only affects MySQL 5.6, MySQL 5.7 and MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL CVE-2018-3276 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.24-1 (bug #911221) - mysql-5.5 (Only affects MySQL 5.6, MySQL 5.7 and MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL CVE-2018-3275 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-3274 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-3273 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-3272 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-3271 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-3270 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-3269 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-3268 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-3267 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-3266 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-3265 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-3264 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-3263 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-3262 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-3261 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-3260 RESERVED CVE-2018-3259 (Vulnerability in the Java VM component of Oracle Database Server. Supp ...) NOT-FOR-US: Oracle CVE-2018-3258 (Vulnerability in the MySQL Connectors component of Oracle MySQL (subco ...) - mysql-connector-java (Only affects 8.x, bug #912916) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html CVE-2018-3257 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-3256 (Vulnerability in the Oracle Email Center component of Oracle E-Busines ...) NOT-FOR-US: Oracle CVE-2018-3255 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-3254 (Vulnerability in the Oracle WebCenter Portal component of Oracle Fusio ...) NOT-FOR-US: Oracle CVE-2018-3253 (Vulnerability in the Oracle Virtual Directory component of Oracle Fusi ...) NOT-FOR-US: Oracle CVE-2018-3252 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2018-3251 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DLA-1570-1} - mariadb-10.1 1:10.1.37-1 (bug #912848) - mariadb-10.0 - mysql-5.7 5.7.24-1 (bug #911221) - mysql-5.5 (Only affects MySQL 5.6, MySQL 5.7 and MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL NOTE: Fixed in MariaDB 10.1.37, 10.0.37 CVE-2018-3250 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2018-3249 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2018-3248 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2018-3247 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.24-1 (bug #911221) - mysql-5.5 (Only affects MySQL 5.6, MySQL 5.7 and MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL CVE-2018-3246 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2018-3245 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2018-3244 (Vulnerability in the Oracle Application Object Library component of Or ...) NOT-FOR-US: Oracle CVE-2018-3243 (Vulnerability in the Oracle Applications Framework component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3242 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2018-3241 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle CVE-2018-3240 RESERVED CVE-2018-3239 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-3238 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2018-3237 (Vulnerability in the Oracle Applications Manager component of Oracle E ...) NOT-FOR-US: Oracle CVE-2018-3236 (Vulnerability in the Oracle User Management component of Oracle E-Busi ...) NOT-FOR-US: Oracle CVE-2018-3235 (Vulnerability in the Oracle Applications Manager component of Oracle E ...) NOT-FOR-US: Oracle CVE-2018-3234 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3233 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3232 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3231 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3230 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3229 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3228 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3227 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3226 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3225 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3224 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3223 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3222 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3221 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3220 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3219 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3218 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3217 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3216 RESERVED CVE-2018-3215 (Vulnerability in the Oracle Endeca Information Discovery Integrator co ...) NOT-FOR-US: Oracle CVE-2018-3214 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-4326-1 DLA-1590-1} - openjdk-7 - openjdk-8 8u181-b13-2 CVE-2018-3213 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2018-3212 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) - mysql-5.5 (Only affects MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL CVE-2018-3211 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) - openjdk-8 (Specific to Oracle Java) CVE-2018-3210 (Vulnerability in the Oracle GlassFish Server component of Oracle Fusio ...) NOT-FOR-US: Oracle CVE-2018-3209 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjfx 11+26-1 [stretch] - openjfx (Specific details withheld by Oracle, impossible to fix) NOTE: CPU marks this as only affecting 8.x, so marking first 11 upload as fixed CVE-2018-3208 (Vulnerability in the Hyperion Data Relationship Management component o ...) NOT-FOR-US: Oracle CVE-2018-3207 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-3206 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-3205 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-3204 (Vulnerability in the Oracle Business Intelligence Enterprise Edition c ...) NOT-FOR-US: Oracle CVE-2018-3203 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) - mysql-5.5 (Only affects MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL CVE-2018-3202 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-3201 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2018-3200 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.24-1 (bug #911221) - mysql-5.5 (Only affects MySQL 5.7 and MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL CVE-2018-3199 RESERVED CVE-2018-3198 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-3197 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2018-3196 (Vulnerability in the Oracle Partner Management component of Oracle E-B ...) NOT-FOR-US: Oracle CVE-2018-3195 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) - mysql-5.5 (Only affects MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL CVE-2018-3194 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-3193 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-3192 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-3191 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2018-3190 (Vulnerability in the Oracle E-Business Intelligence component of Oracl ...) NOT-FOR-US: Oracle CVE-2018-3189 (Vulnerability in the Oracle Customer Interaction History component of ...) NOT-FOR-US: Oracle CVE-2018-3188 (Vulnerability in the Oracle iStore component of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2018-3187 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.24-1 (bug #911221) - mysql-5.5 (Only affects MySQL 5.7 and MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL CVE-2018-3186 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) - mysql-5.5 (Only affects MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL CVE-2018-3185 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.24-1 (bug #911221) - mysql-5.5 (Only affects MySQL 5.7 and MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL CVE-2018-3184 (Vulnerability in the Hyperion BI+ component of Oracle Hyperion (subcom ...) NOT-FOR-US: Oracle CVE-2018-3183 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-4326-1} - openjdk-8 8u181-b13-2 - openjdk-10 10.0.2+13-2 CVE-2018-3182 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) - mysql-5.5 (Only affects MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL CVE-2018-3181 (Vulnerability in the Oracle Hospitality Cruise Shipboard Property Mana ...) NOT-FOR-US: Oracle CVE-2018-3180 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-4326-1 DLA-1590-1} - openjdk-7 - openjdk-8 8u181-b13-2 - openjdk-10 10.0.2+13-2 - openjdk-11 11.0.1+13-1 CVE-2018-3179 (Vulnerability in the Oracle Identity Manager component of Oracle Fusio ...) NOT-FOR-US: Oracle CVE-2018-3178 (Vulnerability in the Hyperion Common Events component of Oracle Hyperi ...) NOT-FOR-US: Oracle CVE-2018-3177 (Vulnerability in the Hyperion Common Events component of Oracle Hyperi ...) NOT-FOR-US: Oracle CVE-2018-3176 (Vulnerability in the Hyperion Common Events component of Oracle Hyperi ...) NOT-FOR-US: Oracle CVE-2018-3175 (Vulnerability in the Hyperion Common Events component of Oracle Hyperi ...) NOT-FOR-US: Oracle CVE-2018-3174 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DLA-1570-1 DLA-1566-1} - mariadb-10.1 1:10.1.37-1 (bug #912848) - mariadb-10.0 - mysql-5.7 5.7.24-1 (bug #911221) - mysql-5.5 NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL NOTE: Fixed in MariaDB 10.1.37, 10.0.37 CVE-2018-3173 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.24-1 (bug #911221) - mysql-5.5 (Only affects MySQL 5.7 and MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL CVE-2018-3172 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-3171 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.24-1 (bug #911221) - mysql-5.5 (Only affects MySQL 5.7 and MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL CVE-2018-3170 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) - mysql-5.5 (Only affects MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL CVE-2018-3169 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-4326-1 DLA-1590-1} - openjdk-7 - openjdk-8 8u181-b13-2 - openjdk-10 10.0.2+13-2 - openjdk-11 11.0.1+13-1 CVE-2018-3168 (Vulnerability in the Oracle Identity Analytics component of Oracle Fus ...) NOT-FOR-US: Oracle CVE-2018-3167 (Vulnerability in the Application Management Pack for Oracle E-Business ...) NOT-FOR-US: Oracle CVE-2018-3166 (Vulnerability in the Oracle Hospitality Cruise Fleet Management compon ...) NOT-FOR-US: Oracle CVE-2018-3165 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-3164 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-3163 (Vulnerability in the Oracle Hospitality Cruise Fleet Management compon ...) NOT-FOR-US: Oracle CVE-2018-3162 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.24-1 (bug #911221) - mysql-5.5 (Only affects MySQL 5.7 and MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL CVE-2018-3161 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.24-1 (bug #911221) - mysql-5.5 (Only affects MySQL 5.7 and MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL CVE-2018-3160 (Vulnerability in the Oracle Hospitality Cruise Shipboard Property Mana ...) NOT-FOR-US: Oracle CVE-2018-3159 (Vulnerability in the Oracle Hospitality Cruise Fleet Management compon ...) NOT-FOR-US: Oracle CVE-2018-3158 (Vulnerability in the Oracle Hospitality Cruise Fleet Management compon ...) NOT-FOR-US: Oracle CVE-2018-3157 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-11 11.0.1+13-1 CVE-2018-3156 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DLA-1570-1} - mariadb-10.1 1:10.1.37-1 (bug #912848) - mariadb-10.0 - mysql-5.7 5.7.24-1 (bug #911221) - mysql-5.5 (Only affects MySQL 5.6, MySQL 5.7 and MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL NOTE: Fixed in MariaDB 10.1.37, 10.0.37 CVE-2018-3155 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.24-1 (bug #911221) - mysql-5.5 (Only affects MySQL 5.7 and MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL CVE-2018-3154 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-3153 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-3152 (Vulnerability in the Oracle GlassFish Server component of Oracle Fusio ...) NOT-FOR-US: Oracle CVE-2018-3151 (Vulnerability in the Oracle iProcurement component of Oracle E-Busines ...) NOT-FOR-US: Oracle CVE-2018-3150 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-10 10.0.2+13-2 - openjdk-11 11.0.1+13-1 CVE-2018-3149 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-4326-1 DLA-1590-1} - openjdk-7 - openjdk-8 8u181-b13-2 - openjdk-10 10.0.2+13-2 - openjdk-11 11.0.1+13-1 CVE-2018-3148 (Vulnerability in the Primavera Unifier component of Oracle Constructio ...) NOT-FOR-US: Oracle CVE-2018-3147 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3146 (Vulnerability in the Oracle iLearning component of Oracle iLearning (s ...) NOT-FOR-US: Oracle CVE-2018-3145 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) - mysql-5.5 (Only affects MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL CVE-2018-3144 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.24-1 (bug #911221) - mysql-5.5 (Only affects MySQL 5.7 and MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL CVE-2018-3143 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DLA-1570-1} - mariadb-10.1 1:10.1.37-1 (bug #912848) - mariadb-10.0 - mysql-5.7 5.7.24-1 (bug #911221) - mysql-5.5 (Only affects MySQL 5.6, MySQL 5.7 and MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL NOTE: Fixed in MariaDB 10.1.37, 10.0.37 CVE-2018-3142 (Vulnerability in the Hyperion Essbase Administration Services componen ...) NOT-FOR-US: Oracle CVE-2018-3141 (Vulnerability in the Hyperion Essbase Administration Services componen ...) NOT-FOR-US: Oracle CVE-2018-3140 (Vulnerability in the Hyperion Essbase Administration Services componen ...) NOT-FOR-US: Oracle CVE-2018-3139 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-4326-1 DLA-1590-1} - openjdk-7 - openjdk-8 8u181-b13-2 - openjdk-10 10.0.2+13-2 - openjdk-11 11.0.1+13-1 CVE-2018-3138 (Vulnerability in the Oracle Application Object Library component of Or ...) NOT-FOR-US: Oracle CVE-2018-3137 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 8) - mysql-5.5 (Only affects MySQL 8) NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL CVE-2018-3136 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-4326-1 DLA-1590-1} - openjdk-7 - openjdk-8 8u181-b13-2 - openjdk-10 10.0.2+13-2 - openjdk-11 11.0.1+13-1 CVE-2018-3135 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-3134 (Vulnerability in the Oracle Agile Product Lifecycle Management for Pro ...) NOT-FOR-US: Oracle CVE-2018-3133 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DLA-1566-1} - mysql-5.7 5.7.24-1 (bug #911221) - mysql-5.5 NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixMSQL CVE-2018-3132 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-3131 (Vulnerability in the Oracle Hospitality Gift and Loyalty component of ...) NOT-FOR-US: Oracle CVE-2018-3130 (Vulnerability in the PeopleSoft Enterprise Interaction Hub component o ...) NOT-FOR-US: Oracle CVE-2018-3129 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-3128 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...) NOT-FOR-US: Oracle CVE-2018-3127 (Vulnerability in the Oracle Demantra Demand Management component of Or ...) NOT-FOR-US: Oracle CVE-2018-3126 (Vulnerability in the Oracle Retail Xstore Point of Service component o ...) NOT-FOR-US: Oracle CVE-2018-3125 (Vulnerability in the Oracle Retail Merchandising System component of O ...) NOT-FOR-US: Oracle CVE-2018-3124 RESERVED CVE-2018-3123 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.25-1 CVE-2018-3122 (Vulnerability in the Oracle Retail Open Commerce Platform component of ...) NOT-FOR-US: Oracle CVE-2018-3121 RESERVED CVE-2018-3120 (Vulnerability in the MICROS Lucas component of Oracle Retail Applicati ...) NOT-FOR-US: Oracle CVE-2018-3119 RESERVED CVE-2018-3118 RESERVED CVE-2018-3117 RESERVED CVE-2018-3116 RESERVED CVE-2018-3115 (Vulnerability in the Oracle Retail Sales Audit component of Oracle Ret ...) NOT-FOR-US: Oracle CVE-2018-3114 RESERVED CVE-2018-3113 RESERVED CVE-2018-3112 RESERVED CVE-2018-3111 (Vulnerability in the Oracle Retail Xstore Office component of Oracle R ...) NOT-FOR-US: Oracle CVE-2018-3110 (A vulnerability was discovered in the Java VM component of Oracle Data ...) NOT-FOR-US: Oracle CVE-2018-3109 (Vulnerability in the Oracle Fusion Middleware MapViewer component of O ...) NOT-FOR-US: Oracle CVE-2018-3108 (Vulnerability in the Oracle Fusion Middleware component of Oracle Fusi ...) NOT-FOR-US: Oracle CVE-2018-3107 RESERVED CVE-2018-3106 RESERVED CVE-2018-3105 (Vulnerability in the Oracle SOA Suite component of Oracle Fusion Middl ...) NOT-FOR-US: Oracle CVE-2018-3104 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3103 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3102 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3101 (Vulnerability in the Oracle WebCenter Portal component of Oracle Fusio ...) NOT-FOR-US: Oracle CVE-2018-3100 (Vulnerability in the Oracle Business Process Management Suite componen ...) NOT-FOR-US: Oracle CVE-2018-3099 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3098 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3097 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3096 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3095 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3094 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3093 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3092 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3091 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.16-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2018-3090 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.16-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2018-3089 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.16-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2018-3088 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.16-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2018-3087 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.16-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2018-3086 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.16-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2018-3085 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.16-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2018-3084 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) NOT-FOR-US: Oracle MySQL 8 CVE-2018-3083 RESERVED CVE-2018-3082 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) NOT-FOR-US: Oracle MySQL 8 CVE-2018-3081 (Vulnerability in the MySQL Client component of Oracle MySQL (subcompon ...) {DSA-4341-1 DLA-1566-1 DLA-1407-1} - mariadb-10.1 1:10.1.34-1 - mariadb-10.0 - mysql-5.7 5.7.23-1 (bug #904121) - mysql-5.5 NOTE: Fixed in MariaDB: 10.2.15, 10.1.33, 10.0.35 CVE-2018-3080 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) NOT-FOR-US: Oracle MySQL 8 CVE-2018-3079 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) NOT-FOR-US: Oracle MySQL 8 CVE-2018-3078 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) NOT-FOR-US: Oracle MySQL 8 CVE-2018-3077 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.23-1 (bug #904121) CVE-2018-3076 (Vulnerability in the PeopleSoft Enterprise CS Financial Aid component ...) NOT-FOR-US: Oracle CVE-2018-3075 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) NOT-FOR-US: Oracle MySQL 8 CVE-2018-3074 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) NOT-FOR-US: Oracle MySQL 8 CVE-2018-3073 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) NOT-FOR-US: Oracle MySQL 8 CVE-2018-3072 (Vulnerability in the PeopleSoft HRMS component of Oracle PeopleSoft Pr ...) NOT-FOR-US: Oracle CVE-2018-3071 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.23-1 (bug #904121) CVE-2018-3070 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DLA-1566-1} - mysql-5.7 5.7.23-1 (bug #904121) - mysql-5.5 CVE-2018-3069 (Vulnerability in the Oracle Agile Product Lifecycle Management for Pro ...) NOT-FOR-US: Oracle CVE-2018-3068 (Vulnerability in the PeopleSoft Enterprise HCM Human Resources compone ...) NOT-FOR-US: Oracle CVE-2018-3067 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) NOT-FOR-US: Oracle MySQL 8 CVE-2018-3066 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DLA-1566-1 DLA-1488-1} - mariadb-10.1 1:10.1.35-1 - mariadb-10.0 - mysql-5.7 5.7.23-1 (bug #904121) - mysql-5.5 NOTE: MariaDB fixed in 10.0.36, 10.1.35 CVE-2018-3065 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.23-1 (bug #904121) CVE-2018-3064 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DLA-1488-1} - mariadb-10.1 1:10.1.35-1 - mariadb-10.0 - mysql-5.7 5.7.23-1 (bug #904121) NOTE: MariaDB: Fixed in 10.0.36, 10.1.35 CVE-2018-3063 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DLA-1566-1 DLA-1488-1} - mariadb-10.1 1:10.1.35-1 - mariadb-10.0 - mysql-5.5 NOTE: MariaDB: Fixed in 10.0.36, 10.1.35 CVE-2018-3062 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.23-1 (bug #904121) CVE-2018-3061 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.23-1 (bug #904121) CVE-2018-3060 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.23-1 (bug #904121) CVE-2018-3059 (Vulnerability in the Siebel UI Framework component of Oracle Siebel CR ...) NOT-FOR-US: Oracle CVE-2018-3058 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DLA-1566-1 DLA-1488-1} - mariadb-10.1 1:10.1.35-1 - mariadb-10.0 - mysql-5.7 5.7.23-1 (bug #904121) - mysql-5.5 NOTE: MariaDB fixed in 10.0.36, 10.1.35 CVE-2018-3057 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Oracle CVE-2018-3056 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.23-1 (bug #904121) CVE-2018-3055 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.16-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2018-3054 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.23-1 (bug #904121) CVE-2018-3053 (Vulnerability in the Oracle Retail Customer Management and Segmentatio ...) NOT-FOR-US: Oracle CVE-2018-3052 (Vulnerability in the MICROS Relate CRM Software component of Oracle Re ...) NOT-FOR-US: Oracle CVE-2018-3051 (Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral ...) NOT-FOR-US: Oracle CVE-2018-3050 (Vulnerability in the Oracle Banking Corporate Lending component of Ora ...) NOT-FOR-US: Oracle CVE-2018-3049 (Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral ...) NOT-FOR-US: Oracle CVE-2018-3048 (Vulnerability in the Oracle Banking Corporate Lending component of Ora ...) NOT-FOR-US: Oracle CVE-2018-3047 (Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral ...) NOT-FOR-US: Oracle CVE-2018-3046 (Vulnerability in the Oracle Banking Corporate Lending component of Ora ...) NOT-FOR-US: Oracle CVE-2018-3045 (Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral ...) NOT-FOR-US: Oracle CVE-2018-3044 (Vulnerability in the Oracle Banking Corporate Lending component of Ora ...) NOT-FOR-US: Oracle CVE-2018-3043 (Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral ...) NOT-FOR-US: Oracle CVE-2018-3042 (Vulnerability in the Oracle Banking Corporate Lending component of Ora ...) NOT-FOR-US: Oracle CVE-2018-3041 (Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral ...) NOT-FOR-US: Oracle CVE-2018-3040 (Vulnerability in the Oracle Banking Corporate Lending component of Ora ...) NOT-FOR-US: Oracle CVE-2018-3039 (Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral ...) NOT-FOR-US: Oracle CVE-2018-3038 (Vulnerability in the Oracle Banking Corporate Lending component of Ora ...) NOT-FOR-US: Oracle CVE-2018-3037 (Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral ...) NOT-FOR-US: Oracle CVE-2018-3036 (Vulnerability in the Oracle Banking Corporate Lending component of Ora ...) NOT-FOR-US: Oracle CVE-2018-3035 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) NOT-FOR-US: Oracle CVE-2018-3034 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) NOT-FOR-US: Oracle CVE-2018-3033 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) NOT-FOR-US: Oracle CVE-2018-3032 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) NOT-FOR-US: Oracle CVE-2018-3031 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) NOT-FOR-US: Oracle CVE-2018-3030 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) NOT-FOR-US: Oracle CVE-2018-3029 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) NOT-FOR-US: Oracle CVE-2018-3028 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) NOT-FOR-US: Oracle CVE-2018-3027 (Vulnerability in the Oracle Banking Payments component of Oracle Finan ...) NOT-FOR-US: Oracle CVE-2018-3026 (Vulnerability in the Oracle Banking Payments component of Oracle Finan ...) NOT-FOR-US: Oracle CVE-2018-3025 (Vulnerability in the Oracle Banking Payments component of Oracle Finan ...) NOT-FOR-US: Oracle CVE-2018-3024 (Vulnerability in the Oracle Banking Payments component of Oracle Finan ...) NOT-FOR-US: Oracle CVE-2018-3023 (Vulnerability in the Oracle Banking Payments component of Oracle Finan ...) NOT-FOR-US: Oracle CVE-2018-3022 (Vulnerability in the Oracle Banking Payments component of Oracle Finan ...) NOT-FOR-US: Oracle CVE-2018-3021 (Vulnerability in the Oracle Banking Payments component of Oracle Finan ...) NOT-FOR-US: Oracle CVE-2018-3020 (Vulnerability in the Oracle Banking Payments component of Oracle Finan ...) NOT-FOR-US: Oracle CVE-2018-3019 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2018-3018 (Vulnerability in the Oracle iStore component of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2018-3017 (Vulnerability in the Oracle CRM Technical Foundation component of Orac ...) NOT-FOR-US: Oracle CVE-2018-3016 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-3015 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2018-3014 (Vulnerability in the Oracle Hospitality OPERA 5 Property Services comp ...) NOT-FOR-US: Oracle CVE-2018-3013 (Vulnerability in the Oracle Hospitality OPERA 5 Property Services comp ...) NOT-FOR-US: Oracle CVE-2018-3012 (Vulnerability in the Oracle Trade Management component of Oracle E-Bus ...) NOT-FOR-US: Oracle CVE-2018-3011 (Vulnerability in the Oracle Trade Management component of Oracle E-Bus ...) NOT-FOR-US: Oracle CVE-2018-3010 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3009 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3008 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2018-3007 (Vulnerability in the Oracle Tuxedo component of Oracle Fusion Middlewa ...) NOT-FOR-US: Oracle CVE-2018-3006 (Vulnerability in the JD Edwards EnterpriseOne Tools component of Oracl ...) NOT-FOR-US: Oracle CVE-2018-3005 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.16-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2018-3004 (Vulnerability in the Java VM component of Oracle Database Server. Supp ...) NOT-FOR-US: Oracle CVE-2018-3003 (Vulnerability in the Oracle Hospitality Cruise Fleet Management System ...) NOT-FOR-US: Oracle CVE-2018-3002 (Vulnerability in the Oracle Hospitality Cruise Fleet Management System ...) NOT-FOR-US: Oracle CVE-2018-3001 (Vulnerability in the Oracle Hospitality Cruise Shipboard Property Mana ...) NOT-FOR-US: Oracle CVE-2018-3000 (Vulnerability in the Oracle Hospitality Cruise Shipboard Property Mana ...) NOT-FOR-US: Oracle CVE-2018-2999 (Vulnerability in the JD Edwards EnterpriseOne Tools component of Oracl ...) NOT-FOR-US: Oracle CVE-2018-2998 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2018-2997 (Vulnerability in the Oracle Scripting component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2018-2996 (Vulnerability in the Oracle Applications Manager component of Oracle E ...) NOT-FOR-US: Oracle CVE-2018-2995 (Vulnerability in the Oracle iStore component of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2018-2994 (Vulnerability in the Oracle iStore component of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2018-2993 (Vulnerability in the Oracle CRM Technical Foundation component of Orac ...) NOT-FOR-US: Oracle CVE-2018-2992 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-2991 (Vulnerability in the Oracle Trade Management component of Oracle E-Bus ...) NOT-FOR-US: Oracle CVE-2018-2990 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-2989 (Vulnerability in the Oracle iLearning component of Oracle iLearning (s ...) NOT-FOR-US: Oracle CVE-2018-2988 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2018-2987 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2018-2986 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-2985 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-2984 (Vulnerability in the Oracle Hospitality Cruise Fleet Management System ...) NOT-FOR-US: Oracle CVE-2018-2983 RESERVED CVE-2018-2982 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2018-2981 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2018-2980 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2018-2979 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2018-2978 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...) NOT-FOR-US: Oracle CVE-2018-2977 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-2976 (Vulnerability in the Enterprise Manager Ops Center component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-2975 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2018-2974 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2018-2973 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) - openjdk-7 (Apparently specific to Oracle Java) - openjdk-8 (Apparently specific to Oracle Java) - openjdk-10 (Apparently specific to Oracle Java) CVE-2018-2972 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-10 10.0.2+13-1 CVE-2018-2971 (Vulnerability in the Oracle Applications Framework component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-2970 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-2969 (Vulnerability in the Primavera Unifier component of Oracle Constructio ...) NOT-FOR-US: Oracle CVE-2018-2968 (Vulnerability in the Primavera Unifier component of Oracle Constructio ...) NOT-FOR-US: Oracle CVE-2018-2967 (Vulnerability in the Primavera Unifier component of Oracle Constructio ...) NOT-FOR-US: Oracle CVE-2018-2966 (Vulnerability in the Primavera Unifier component of Oracle Constructio ...) NOT-FOR-US: Oracle CVE-2018-2965 (Vulnerability in the Primavera Unifier component of Oracle Constructio ...) NOT-FOR-US: Oracle CVE-2018-2964 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-10 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2018-2963 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle CVE-2018-2962 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle CVE-2018-2961 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle CVE-2018-2960 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle CVE-2018-2959 (Vulnerability in the Siebel UI Framework component of Oracle Siebel CR ...) NOT-FOR-US: Oracle CVE-2018-2958 (Vulnerability in the BI Publisher component of Oracle Fusion Middlewar ...) NOT-FOR-US: Oracle CVE-2018-2957 (Vulnerability in the Oracle Hospitality OPERA 5 Property Services comp ...) NOT-FOR-US: Oracle CVE-2018-2956 (Vulnerability in the Oracle Hospitality OPERA 5 Property Services comp ...) NOT-FOR-US: Oracle CVE-2018-2955 (Vulnerability in the Oracle Hospitality OPERA 5 Property Services comp ...) NOT-FOR-US: Oracle CVE-2018-2954 (Vulnerability in the Oracle Order Management component of Oracle E-Bus ...) NOT-FOR-US: Oracle CVE-2018-2953 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-2952 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-4268-1 DLA-1590-1} - openjdk-7 - openjdk-8 8u181-b13-1 - openjdk-10 10.0.2+13-1 NOTE: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/baac18e216fb CVE-2018-2951 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-2950 (Vulnerability in the JD Edwards EnterpriseOne Tools component of Oracl ...) NOT-FOR-US: Oracle CVE-2018-2949 (Vulnerability in the JD Edwards EnterpriseOne Tools component of Oracl ...) NOT-FOR-US: Oracle CVE-2018-2948 (Vulnerability in the JD Edwards EnterpriseOne Tools component of Oracl ...) NOT-FOR-US: Oracle CVE-2018-2947 (Vulnerability in the JD Edwards EnterpriseOne Tools component of Oracl ...) NOT-FOR-US: Oracle CVE-2018-2946 (Vulnerability in the JD Edwards EnterpriseOne Tools component of Oracl ...) NOT-FOR-US: Oracle CVE-2018-2945 (Vulnerability in the JD Edwards EnterpriseOne Tools component of Oracl ...) NOT-FOR-US: Oracle CVE-2018-2944 (Vulnerability in the JD Edwards EnterpriseOne Tools component of Oracl ...) NOT-FOR-US: Oracle CVE-2018-2943 (Vulnerability in the Oracle Fusion Middleware MapViewer component of O ...) NOT-FOR-US: Oracle CVE-2018-2942 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-7 (Windows-specific) - openjdk-8 (Windows-specific) CVE-2018-2941 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjfx 11+26-1 (bug #905215) [stretch] - openjfx (Specific details withheld by Oracle, impossible to fix) CVE-2018-2940 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) - openjdk-7 (Apparently specific to Oracle Java) - openjdk-8 (Apparently specific to Oracle Java) - openjdk-10 (Apparently specific to Oracle Java) CVE-2018-2939 (Vulnerability in the Core RDBMS component of Oracle Database Server. S ...) NOT-FOR-US: Oracle CVE-2018-2938 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-7 (Specific to Oracle Java, OpenJDK doesn't bundle Derby) - openjdk-8 (Specific to Oracle Java, OpenJDK doesn't bundle Derby) CVE-2018-2937 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Oracle CVE-2018-2936 (Vulnerability in the Oracle Communications Messaging Server component ...) NOT-FOR-US: Oracle CVE-2018-2935 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2018-2934 (Vulnerability in the Oracle Application Object Library component of Or ...) NOT-FOR-US: Oracle CVE-2018-2933 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2018-2932 (Vulnerability in the Oracle SuperCluster Specific Software component o ...) NOT-FOR-US: Oracle CVE-2018-2931 RESERVED CVE-2018-2930 (Vulnerability in the Solaris Cluster component of Oracle Sun Systems P ...) NOT-FOR-US: Oracle CVE-2018-2929 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-2928 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-2927 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Oracle CVE-2018-2926 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-2925 (Vulnerability in the BI Publisher component of Oracle Fusion Middlewar ...) NOT-FOR-US: Oracle CVE-2018-2924 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Oracle CVE-2018-2923 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Oracle CVE-2018-2922 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-2921 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Oracle CVE-2018-2920 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Oracle CVE-2018-2919 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-2918 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Oracle CVE-2018-2917 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Oracle CVE-2018-2916 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Oracle CVE-2018-2915 (Vulnerability in the Hyperion Data Relationship Management component o ...) NOT-FOR-US: Oracle CVE-2018-2914 (Vulnerability in the Oracle GoldenGate component of Oracle GoldenGate ...) NOT-FOR-US: Oracle CVE-2018-2913 (Vulnerability in the Oracle GoldenGate component of Oracle GoldenGate ...) NOT-FOR-US: Oracle CVE-2018-2912 (Vulnerability in the Oracle GoldenGate component of Oracle GoldenGate ...) NOT-FOR-US: Oracle CVE-2018-2911 (Vulnerability in the Oracle GlassFish Server component of Oracle Fusio ...) NOT-FOR-US: Oracle CVE-2018-2910 RESERVED CVE-2018-2909 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.20-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2018-2908 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-2907 (Vulnerability in the Hyperion Financial Reporting component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-2906 (Vulnerability in the Hardware Management Pack component of Oracle Sun ...) NOT-FOR-US: Oracle CVE-2018-2905 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Oracle CVE-2018-2904 (Vulnerability in the Oracle Communications EAGLE LNP Application Proce ...) NOT-FOR-US: Oracle CVE-2018-2903 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-2902 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2018-2901 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-2900 (Vulnerability in the BI Publisher component of Oracle Fusion Middlewar ...) NOT-FOR-US: Oracle CVE-2018-2899 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2018-2898 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) NOT-FOR-US: Oracle CVE-2018-2897 (Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral ...) NOT-FOR-US: Oracle CVE-2018-2896 (Vulnerability in the Oracle Banking Payments component of Oracle Finan ...) NOT-FOR-US: Oracle CVE-2018-2895 (Vulnerability in the Oracle Banking Corporate Lending component of Ora ...) NOT-FOR-US: Oracle CVE-2018-2894 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2018-2893 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2018-2892 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-2891 (Vulnerability in the Oracle Retail Bulk Data Integration component of ...) NOT-FOR-US: Oracle CVE-2018-2890 RESERVED CVE-2018-2889 (Vulnerability in the MICROS Retail-J component of Oracle Retail Applic ...) NOT-FOR-US: Oracle CVE-2018-2888 (Vulnerability in the MICROS Retail-J component of Oracle Retail Applic ...) NOT-FOR-US: Oracle CVE-2018-2887 (Vulnerability in the MICROS Retail-J component of Oracle Retail Applic ...) NOT-FOR-US: Oracle CVE-2018-2886 RESERVED CVE-2018-2885 RESERVED CVE-2018-2884 RESERVED CVE-2018-2883 (Vulnerability in the Oracle Retail Xstore Office component of Oracle R ...) NOT-FOR-US: Oracle CVE-2018-2882 (Vulnerability in the MICROS Retail-J component of Oracle Retail Applic ...) NOT-FOR-US: Oracle CVE-2018-2881 (Vulnerability in the MICROS Retail-J component of Oracle Retail Applic ...) NOT-FOR-US: Oracle CVE-2018-2880 (Vulnerability in the MICROS Retail-J component of Oracle Retail Applic ...) NOT-FOR-US: Oracle CVE-2018-2879 (Vulnerability in the Oracle Access Manager component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2018-2878 (Vulnerability in the PeopleSoft Enterprise HCM Shared Components compo ...) NOT-FOR-US: Oracle CVE-2018-2877 (Vulnerability in the MySQL Cluster component of Oracle MySQL (subcompo ...) - mysql-cluster (bug #833356) CVE-2018-2876 (Vulnerability in the Oracle Retail Integration Bus component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-2875 (Vulnerability in the Core RDBMS component of Oracle Database Server. S ...) NOT-FOR-US: Oracle CVE-2018-2874 (Vulnerability in the Oracle Application Object Library component of Or ...) NOT-FOR-US: Oracle CVE-2018-2873 (Vulnerability in the Oracle General Ledger component of Oracle E-Busin ...) NOT-FOR-US: Oracle CVE-2018-2872 (Vulnerability in the Oracle General Ledger component of Oracle E-Busin ...) NOT-FOR-US: Oracle CVE-2018-2871 (Vulnerability in the Oracle Human Resources component of Oracle E-Busi ...) NOT-FOR-US: Oracle CVE-2018-2870 (Vulnerability in the Oracle Human Resources component of Oracle E-Busi ...) NOT-FOR-US: Oracle CVE-2018-2869 (Vulnerability in the Oracle Human Resources component of Oracle E-Busi ...) NOT-FOR-US: Oracle CVE-2018-2868 (Vulnerability in the Oracle Human Resources component of Oracle E-Busi ...) NOT-FOR-US: Oracle CVE-2018-2867 (Vulnerability in the Oracle Application Object Library component of Or ...) NOT-FOR-US: Oracle CVE-2018-2866 (Vulnerability in the Oracle General Ledger component of Oracle E-Busin ...) NOT-FOR-US: Oracle CVE-2018-2865 (Vulnerability in the Oracle General Ledger component of Oracle E-Busin ...) NOT-FOR-US: Oracle CVE-2018-2864 (Vulnerability in the Oracle Application Object Library component of Or ...) NOT-FOR-US: Oracle CVE-2018-2863 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Oracle CVE-2018-2862 (Vulnerability in the Oracle Retail Point-of-Service component of Oracl ...) NOT-FOR-US: Oracle CVE-2018-2861 (Vulnerability in the Oracle Retail Back Office component of Oracle Ret ...) NOT-FOR-US: Oracle CVE-2018-2860 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.10-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2018-2859 (Vulnerability in the Oracle Financial Services Basel Regulatory Capita ...) NOT-FOR-US: Oracle CVE-2018-2858 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Oracle CVE-2018-2857 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Oracle CVE-2018-2856 (Vulnerability in the Oracle Financial Services Basel Regulatory Capita ...) NOT-FOR-US: Oracle CVE-2018-2855 (Vulnerability in the Oracle Financial Services Basel Regulatory Capita ...) NOT-FOR-US: Oracle CVE-2018-2854 (Vulnerability in the Oracle Financial Services Basel Regulatory Capita ...) NOT-FOR-US: Oracle CVE-2018-2853 (Vulnerability in the Oracle Hospitality Simphony First Edition compone ...) NOT-FOR-US: Oracle CVE-2018-2852 (Vulnerability in the Oracle Hospitality Guest Access component of Orac ...) NOT-FOR-US: Oracle CVE-2018-2851 (Vulnerability in the Oracle Hospitality Simphony First Edition compone ...) NOT-FOR-US: Oracle CVE-2018-2850 (Vulnerability in the Oracle Hospitality Cruise Fleet Management System ...) NOT-FOR-US: Oracle CVE-2018-2849 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle CVE-2018-2848 (Vulnerability in the Oracle Hospitality Simphony First Edition compone ...) NOT-FOR-US: Oracle CVE-2018-2847 (Vulnerability in the Oracle Hospitality Simphony First Edition compone ...) NOT-FOR-US: Oracle CVE-2018-2846 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.22-1 (bug #895997) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2845 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.10-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2018-2844 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.10-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) NOTE: https://www.voidsecurity.in/2018/08/from-compiler-optimization-to-code.html CVE-2018-2843 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.10-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2018-2842 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.10-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2018-2841 (Vulnerability in the Java VM component of Oracle Database Server. Supp ...) NOT-FOR-US: Oracle CVE-2018-2840 (Vulnerability in the Oracle Retail Xstore Point of Service component o ...) NOT-FOR-US: Oracle CVE-2018-2839 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.22-1 (bug #895997) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2838 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub compon ...) NOT-FOR-US: Oracle CVE-2018-2837 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.10-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2018-2836 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.10-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2018-2835 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.10-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2018-2834 (Vulnerability in the Oracle Data Visualization Desktop component of Or ...) NOT-FOR-US: Oracle CVE-2018-2833 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...) NOT-FOR-US: Oracle CVE-2018-2832 (Vulnerability in the Oracle GoldenGate component of Oracle GoldenGate. ...) NOT-FOR-US: Oracle CVE-2018-2831 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.10-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2018-2830 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.10-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2018-2829 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...) NOT-FOR-US: Oracle CVE-2018-2828 (Vulnerability in the Oracle WebCenter Content component of Oracle Fusi ...) NOT-FOR-US: Oracle CVE-2018-2827 (Vulnerability in the Oracle Hospitality Suite8 component of Oracle Hos ...) NOT-FOR-US: Oracle CVE-2018-2826 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-10 10.0.2+13-1 CVE-2018-2825 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-10 10.0.2+13-1 CVE-2018-2824 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...) NOT-FOR-US: Oracle CVE-2018-2823 (Vulnerability in the Oracle Transportation Management component of Ora ...) NOT-FOR-US: Oracle CVE-2018-2822 (Vulnerability in the Solaris Cluster component of Oracle Sun Systems P ...) NOT-FOR-US: Oracle CVE-2018-2821 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-2820 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-2819 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DSA-4176-1 DLA-1407-1 DLA-1355-1} - mariadb-10.1 1:10.1.34-1 (bug #898445) - mariadb-10.0 - mysql-5.7 5.7.22-1 (bug #895997) - mysql-5.5 NOTE: Fixed in MariaDB 10.0.35, 10.1.33 NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2818 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4176-1 DLA-1355-1} - mysql-5.7 5.7.22-1 (bug #895997) - mysql-5.5 NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2817 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DSA-4176-1 DLA-1407-1 DLA-1355-1} - mariadb-10.1 1:10.1.34-1 (bug #898445) - mariadb-10.0 - mysql-5.7 5.7.22-1 (bug #895997) - mysql-5.5 NOTE: Fixed in MariaDB 10.0.35, 10.1.33 NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2816 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.22-1 (bug #895997) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2815 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-4225-1 DSA-4185-1} - openjdk-10 10.0.1+10-4 - openjdk-8 8u171-b11-1 [experimental] - openjdk-7 7u181-2.6.14-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2018-2814 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-4225-1 DSA-4185-1} - openjdk-10 10.0.1+10-4 - openjdk-8 8u171-b11-1 [experimental] - openjdk-7 7u181-2.6.14-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2018-2813 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DSA-4176-1 DLA-1407-1 DLA-1355-1} - mariadb-10.1 1:10.1.34-1 (bug #898445) - mariadb-10.0 - mysql-5.7 5.7.22-1 (bug #895997) - mysql-5.5 NOTE: Fixed in MariaDB 10.0.35, 10.1.33 NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2812 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.22-1 (bug #895997) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2811 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-8 (Specific to Oracle Java, our installation procedure are obviously different) CVE-2018-2810 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.22-1 (bug #895997) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2809 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-2808 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-2807 (Vulnerability in the Oracle FLEXCUBE Core Banking component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-2806 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-2805 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects GIS Extension in Oracle MySQL 5.6) - mysql-5.5 (Only affects GIS Extension in Oracle MySQL 5.6) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2804 (Vulnerability in the Oracle Application Object Library component of Or ...) NOT-FOR-US: Oracle CVE-2018-2803 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...) NOT-FOR-US: Oracle CVE-2018-2802 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...) NOT-FOR-US: Oracle CVE-2018-2801 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-2800 (Vulnerability in the Java SE, JRockit component of Oracle Java SE (sub ...) {DSA-4225-1 DSA-4185-1} - openjdk-10 10.0.1+10-4 - openjdk-8 8u171-b11-1 [experimental] - openjdk-7 7u181-2.6.14-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2018-2799 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-4225-1 DSA-4185-1} - openjdk-10 10.0.1+10-4 - openjdk-8 8u171-b11-1 [experimental] - openjdk-7 7u181-2.6.14-1 - openjdk-7 CVE-2018-2798 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-4225-1 DSA-4185-1} - openjdk-10 10.0.1+10-4 - openjdk-8 8u171-b11-1 [experimental] - openjdk-7 7u181-2.6.14-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2018-2797 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-4225-1 DSA-4185-1} - openjdk-10 10.0.1+10-4 - openjdk-8 8u171-b11-1 [experimental] - openjdk-7 7u181-2.6.14-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2018-2796 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-4225-1 DSA-4185-1} - openjdk-10 10.0.1+10-4 - openjdk-8 8u171-b11-1 [experimental] - openjdk-7 7u181-2.6.14-1 - openjdk-7 CVE-2018-2795 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-4225-1 DSA-4185-1} - openjdk-10 10.0.1+10-4 - openjdk-8 8u171-b11-1 [experimental] - openjdk-7 7u181-2.6.14-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2018-2794 (Vulnerability in the Java SE, JRockit component of Oracle Java SE (sub ...) {DSA-4225-1 DSA-4185-1} - openjdk-10 10.0.1+10-4 - openjdk-8 8u171-b11-1 [experimental] - openjdk-7 7u181-2.6.14-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2018-2793 (Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of ...) NOT-FOR-US: Oracle CVE-2018-2792 (Vulnerability in the Hardware Management Pack component of Oracle Sun ...) NOT-FOR-US: Oracle CVE-2018-2791 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2018-2790 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-4225-1 DSA-4185-1} - openjdk-10 10.0.1+10-4 - openjdk-8 8u171-b11-1 [experimental] - openjdk-7 7u181-2.6.14-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2018-2789 (Vulnerability in the Siebel Core - Server Framework component of Oracl ...) NOT-FOR-US: Oracle CVE-2018-2788 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-2787 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DLA-1407-1} - mariadb-10.1 1:10.1.34-1 (bug #898445) - mariadb-10.0 - mysql-5.7 5.7.22-1 (bug #895997) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: Fixed in MariaDB 10.0.35, 10.1.33 NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2786 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.22-1 (bug #895997) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2785 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-2784 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DLA-1407-1} - mariadb-10.1 1:10.1.34-1 (bug #898445) - mariadb-10.0 - mysql-5.7 5.7.22-1 (bug #895997) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: Fixed in MariaDB 10.0.35, 10.1.33 NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2783 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) - openjdk-10 (Apparently specific to Oracle Java) - openjdk-8 (Apparently specific to Oracle Java) - openjdk-7 (Apparently specific to Oracle Java) - openjdk-6 (Apparently specific to Oracle Java) CVE-2018-2782 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DLA-1407-1} - mariadb-10.1 1:10.1.34-1 (bug #898445) - mariadb-10.0 - mysql-5.7 5.7.22-1 (bug #895997) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: Fixed in MariaDB 10.0.35, 10.1.33 NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2781 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DSA-4176-1 DLA-1407-1 DLA-1355-1} - mariadb-10.1 1:10.1.34-1 (bug #898445) - mariadb-10.0 - mysql-5.7 5.7.22-1 (bug #895997) - mysql-5.5 NOTE: Fixed in MariaDB 10.0.35, 10.1.33 NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2780 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.22-1 (bug #895997) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2779 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.22-1 (bug #895997) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2778 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.22-1 (bug #895997) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2777 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.22-1 (bug #895997) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2776 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.22-1 (bug #895997) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2775 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.22-1 (bug #895997) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2774 (Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of ...) NOT-FOR-US: Oracle CVE-2018-2773 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4176-1 DLA-1355-1} - mysql-5.7 5.7.22-1 (bug #895997) - mysql-5.5 NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2772 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-2771 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DSA-4176-1 DLA-1407-1 DLA-1355-1} - mariadb-10.1 1:10.1.34-1 (bug #898445) - mariadb-10.0 - mysql-5.7 5.7.22-1 (bug #895997) - mysql-5.5 NOTE: Fixed in MariaDB 10.0.35, 10.1.33 NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2770 (Vulnerability in the Oracle Adaptive Access Manager component of Oracl ...) NOT-FOR-US: Oracle CVE-2018-2769 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.22-1 (bug #895997) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2768 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-2767 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DLA-1566-1 DLA-1407-1} - mariadb-10.2 - mariadb-10.1 1:10.1.34-1 - mariadb-10.0 - mysql-5.7 5.7.23-1 (bug #904121) - mysql-5.5 [wheezy] - mysql-5.5 (Wait for next upstream security/bugfix release) NOTE: http://www.openwall.com/lists/oss-security/2018/04/08/2 NOTE: Result from an incomplete fix for CVE-2015-3152 and related CVE for NOTE: Oracle products. NOTE: For MariaDB: if one connects to the remote server using the embedded library NOTE: (libmysqld), then SSL is not enforced. NOTE: Fixed in MariaDB: 5.5.60, 10.0.35, 10.1.33, 10.2.15, and 10.3.7 NOTE: https://github.com/MariaDB/server/commit/f5369faf5bbf NOTE: For Oracle: https://github.com/mysql/mysql-server/commit/bbc2e37fe4e NOTE: fixed in 5.5.61, 5.6.41, 5.7.23 NOTE: Strictly speaking though the CVE would be only for Oracle MySQL, for practical NOTE: reasons still tracking as well MariaDB here. CVE-2018-2766 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DLA-1407-1} - mariadb-10.1 1:10.1.34-1 (bug #898445) - mariadb-10.0 - mysql-5.7 5.7.22-1 (bug #895997) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: Fixed in MariaDB 10.0.35, 10.1.33 NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2765 (Vulnerability in the Oracle Security Service component of Oracle Fusio ...) NOT-FOR-US: Oracle CVE-2018-2764 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-2763 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-2762 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.22-1 (bug #895997) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2761 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DSA-4176-1 DLA-1407-1 DLA-1355-1} - mariadb-10.1 1:10.1.34-1 (bug #898445) - mariadb-10.0 - mysql-5.7 5.7.22-1 (bug #895997) - mysql-5.5 NOTE: Fixed in MariaDB 10.0.35, 10.1.33 NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2760 (Vulnerability in the Oracle HTTP Server component of Oracle Fusion Mid ...) NOT-FOR-US: Oracle CVE-2018-2759 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.22-1 (bug #895997) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2758 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.22-1 (bug #895997) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2757 RESERVED CVE-2018-2756 (Vulnerability in the Oracle Communications Order and Service Managemen ...) NOT-FOR-US: Oracle CVE-2018-2755 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DSA-4176-1 DLA-1407-1 DLA-1355-1} - mariadb-10.1 1:10.1.34-1 (bug #898445) - mariadb-10.0 - mysql-5.7 5.7.22-1 (bug #895997) - mysql-5.5 NOTE: Fixed in MariaDB 10.0.35, 10.1.33 NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2754 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-2753 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-2752 (Vulnerability in the PeopleSoft Enterprise HCM component of Oracle Peo ...) NOT-FOR-US: Oracle CVE-2018-2751 RESERVED CVE-2018-2750 (Vulnerability in the Enterprise Manager Base Platform component of Ora ...) NOT-FOR-US: Oracle CVE-2018-2749 (Vulnerability in the Oracle Banking Corporate Lending component of Ora ...) NOT-FOR-US: Oracle CVE-2018-2748 (Vulnerability in the Oracle Banking Corporate Lending component of Ora ...) NOT-FOR-US: Oracle CVE-2018-2747 (Vulnerability in the Oracle Banking Corporate Lending component of Ora ...) NOT-FOR-US: Oracle CVE-2018-2746 (Vulnerability in the Oracle Banking Corporate Lending component of Ora ...) NOT-FOR-US: Oracle CVE-2018-2745 RESERVED CVE-2018-2744 RESERVED CVE-2018-2743 RESERVED CVE-2018-2742 (Vulnerability in the Enterprise Manager Ops Center component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-2741 RESERVED CVE-2018-2740 RESERVED CVE-2018-2739 (Vulnerability in the Oracle Access Manager component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2018-2738 (Vulnerability in the Oracle Retail Central Office component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-2737 (Vulnerability in the Oracle Retail Returns Management component of Ora ...) NOT-FOR-US: Oracle CVE-2018-2736 RESERVED CVE-2018-2735 RESERVED CVE-2018-2734 RESERVED CVE-2018-2733 (Vulnerability in the Oracle Hyperion Planning component of Oracle Hype ...) NOT-FOR-US: Oracle CVE-2018-2732 (Vulnerability in the Oracle Financial Services Analytical Applications ...) NOT-FOR-US: Oracle CVE-2018-2731 (Vulnerability in the PeopleSoft Enterprise SCM eProcurement component ...) NOT-FOR-US: Oracle CVE-2018-2730 (Vulnerability in the Oracle Retail Merchandising System component of O ...) NOT-FOR-US: Oracle CVE-2018-2729 (Vulnerability in the Oracle Financial Services Funds Transfer Pricing ...) NOT-FOR-US: Oracle CVE-2018-2728 (Vulnerability in the Oracle Financial Services Funds Transfer Pricing ...) NOT-FOR-US: Oracle CVE-2018-2727 (Vulnerability in the Oracle Financial Services Market Risk Measurement ...) NOT-FOR-US: Oracle CVE-2018-2726 (Vulnerability in the Oracle Financial Services Market Risk component o ...) NOT-FOR-US: Oracle CVE-2018-2725 (Vulnerability in the Oracle Financial Services Hedge Management and IF ...) NOT-FOR-US: Oracle CVE-2018-2724 (Vulnerability in the Oracle Financial Services Loan Loss Forecasting a ...) NOT-FOR-US: Oracle CVE-2018-2723 (Vulnerability in the Oracle Financial Services Asset Liability Managem ...) NOT-FOR-US: Oracle CVE-2018-2722 (Vulnerability in the Oracle Financial Services Price Creation and Disc ...) NOT-FOR-US: Oracle CVE-2018-2721 (Vulnerability in the Oracle Financial Services Price Creation and Disc ...) NOT-FOR-US: Oracle CVE-2018-2720 (Vulnerability in the Oracle Financial Services Liquidity Risk Manageme ...) NOT-FOR-US: Oracle CVE-2018-2719 (Vulnerability in the Oracle Financial Services Hedge Management and IF ...) NOT-FOR-US: Oracle CVE-2018-2718 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-2717 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-2716 (Vulnerability in the Oracle Financial Services Market Risk Measurement ...) NOT-FOR-US: Oracle CVE-2018-2715 (Vulnerability in the Oracle Business Intelligence Enterprise Edition c ...) NOT-FOR-US: Oracle CVE-2018-2714 (Vulnerability in the Oracle Financial Services Market Risk component o ...) NOT-FOR-US: Oracle CVE-2018-2713 (Vulnerability in the Oracle WebCenter Portal component of Oracle Fusio ...) NOT-FOR-US: Oracle CVE-2018-2712 (Vulnerability in the Oracle Financial Services Loan Loss Forecasting a ...) NOT-FOR-US: Oracle CVE-2018-2711 (Vulnerability in the Oracle JDeveloper component of Oracle Fusion Midd ...) NOT-FOR-US: Oracle CVE-2018-2710 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-2709 (Vulnerability in the Oracle Banking Corporate Lending component of Ora ...) NOT-FOR-US: Oracle CVE-2018-2708 (Vulnerability in the Oracle Banking Payments component of Oracle Finan ...) NOT-FOR-US: Oracle CVE-2018-2707 (Vulnerability in the Oracle Banking Corporate Lending component of Ora ...) NOT-FOR-US: Oracle CVE-2018-2706 (Vulnerability in the Oracle Banking Corporate Lending component of Ora ...) NOT-FOR-US: Oracle CVE-2018-2705 (Vulnerability in the Oracle Banking Payments component of Oracle Finan ...) NOT-FOR-US: Oracle CVE-2018-2704 (Vulnerability in the Oracle Banking Payments component of Oracle Finan ...) NOT-FOR-US: Oracle CVE-2018-2703 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.21-1 (bug #887477) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL CVE-2018-2702 (Vulnerability in the PeopleSoft Enterprise FSCM component of Oracle Pe ...) NOT-FOR-US: Oracle CVE-2018-2701 (Vulnerability in the Oracle Hospitality Cruise Fleet Management compon ...) NOT-FOR-US: Oracle CVE-2018-2700 (Vulnerability in the Oracle Hospitality Cruise Fleet Management compon ...) NOT-FOR-US: Oracle CVE-2018-2699 (Vulnerability in the Application Express component of Oracle Database ...) NOT-FOR-US: Oracle CVE-2018-2698 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2018-2697 (Vulnerability in the Oracle Hospitality Cruise Fleet Management compon ...) NOT-FOR-US: Oracle CVE-2018-2696 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.21-1 (bug #887477) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL CVE-2018-2695 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-2694 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2018-2693 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox-guest-additions-iso 5.2.6-1 [jessie] - virtualbox-guest-additions-iso (Non-free not supported) [wheezy] - virtualbox-guest-additions-iso (Non-free not supported) NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html CVE-2018-2692 (Vulnerability in the Oracle Financial Services Asset Liability Managem ...) NOT-FOR-US: Oracle CVE-2018-2691 (Vulnerability in the Oracle User Management component of Oracle E-Busi ...) NOT-FOR-US: Oracle CVE-2018-2690 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2018-2689 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2018-2688 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2018-2687 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2018-2686 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2018-2685 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2018-2684 (Vulnerability in the Oracle User Management component of Oracle E-Busi ...) NOT-FOR-US: Oracle CVE-2018-2683 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...) NOT-FOR-US: Oracle CVE-2018-2682 (Vulnerability in the Oracle Financial Services Liquidity Risk Manageme ...) NOT-FOR-US: Oracle CVE-2018-2681 (Vulnerability in the PeopleSoft Enterprise HCM Human Resources compone ...) NOT-FOR-US: Oracle CVE-2018-2680 (Vulnerability in the Java VM component of Oracle Database Server. Supp ...) NOT-FOR-US: Oracle CVE-2018-2679 (Vulnerability in the Oracle Financial Services Profitability Managemen ...) NOT-FOR-US: Oracle Financial Services Applications CVE-2018-2678 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-4166-1 DSA-4144-1 DLA-1339-1} - openjdk-9 9.0.4+12-1 - openjdk-8 8u162-b12-1 [experimental] - openjdk-7 7u171-2.6.13-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2018-2677 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-4166-1 DSA-4144-1 DLA-1339-1} - openjdk-9 9.0.4+12-1 - openjdk-8 8u162-b12-1 [experimental] - openjdk-7 7u171-2.6.13-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2018-2676 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.2.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2018-2675 (Vulnerability in the Java Advanced Management Console component of Ora ...) NOT-FOR-US: Java Advanced Management Console CVE-2018-2674 (Vulnerability in the Oracle FLEXCUBE Direct Banking component of Oracl ...) NOT-FOR-US: Oracle CVE-2018-2673 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...) NOT-FOR-US: Oracle CVE-2018-2672 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...) NOT-FOR-US: Oracle CVE-2018-2671 (Vulnerability in the PeopleSoft Enterprise SCM Purchasing component of ...) NOT-FOR-US: Oracle CVE-2018-2670 (Vulnerability in the Oracle Financial Services Profitability Managemen ...) NOT-FOR-US: Oracle CVE-2018-2669 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...) NOT-FOR-US: Oracle CVE-2018-2668 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DSA-4091-1 DLA-1407-1 DLA-1250-1} - mariadb-10.1 1:10.1.34-1 (bug #898444) - mariadb-10.0 - mysql-5.7 5.7.21-1 (bug #887477) - mysql-5.5 NOTE: Fixed in MariaDB 10.0.34, 10.1.31 NOTE: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL CVE-2018-2667 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.21-1 (bug #887477) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL CVE-2018-2666 (Vulnerability in the Oracle Hospitality Labor Management component of ...) NOT-FOR-US: Oracle CVE-2018-2665 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DSA-4091-1 DLA-1407-1 DLA-1250-1} - mariadb-10.1 1:10.1.34-1 (bug #898444) - mariadb-10.0 - mysql-5.7 5.7.21-1 (bug #887477) - mysql-5.5 NOTE: Fixed in MariaDB 10.0.34, 10.1.31 NOTE: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL CVE-2018-2664 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Oracle CVE-2018-2663 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-4166-1 DSA-4144-1 DLA-1339-1} - openjdk-9 9.0.4+12-1 - openjdk-8 8u162-b12-1 [experimental] - openjdk-7 7u171-2.6.13-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2018-2662 (Vulnerability in the Oracle Transportation Management component of Ora ...) NOT-FOR-US: Oracle CVE-2018-2661 (Vulnerability in the Oracle Financial Services Analytical Applications ...) NOT-FOR-US: Oracle CVE-2018-2660 (Vulnerability in the Oracle Financial Services Analytical Applications ...) NOT-FOR-US: Oracle CVE-2018-2659 (Vulnerability in the JD Edwards EnterpriseOne Tools component of Oracl ...) NOT-FOR-US: Oracle CVE-2018-2658 (Vulnerability in the JD Edwards EnterpriseOne Tools component of Oracl ...) NOT-FOR-US: Oracle CVE-2018-2657 (Vulnerability in the Java SE, JRockit component of Oracle Java SE (sub ...) - openjdk-9 (Seems to be specific to Oracle Java) - openjdk-8 (Seems to be specific to Oracle Java) - openjdk-7 (Seems to be specific to Oracle Java) - openjdk-6 (Seems to be specific to Oracle Java) CVE-2018-2656 (Vulnerability in the Oracle General Ledger component of Oracle E-Busin ...) NOT-FOR-US: Oracle CVE-2018-2655 (Vulnerability in the Oracle Work in Process component of Oracle E-Busi ...) NOT-FOR-US: Oracle CVE-2018-2654 (Vulnerability in the PeopleSoft Enterprise HCM Human Resources compone ...) NOT-FOR-US: Oracle CVE-2018-2653 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-2652 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-2651 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-2650 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...) NOT-FOR-US: Oracle CVE-2018-2649 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2018-2648 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2018-2647 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.21-1 (bug #887477) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL CVE-2018-2646 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.21-1 (bug #887477) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL CVE-2018-2645 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.21-1 (bug #887477) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL CVE-2018-2644 (Vulnerability in the Oracle Argus Safety component of Oracle Health Sc ...) NOT-FOR-US: Oracle CVE-2018-2643 (Vulnerability in the Oracle Argus Safety component of Oracle Health Sc ...) NOT-FOR-US: Oracle CVE-2018-2642 (Vulnerability in the Oracle Argus Safety component of Oracle Health Sc ...) NOT-FOR-US: Oracle CVE-2018-2641 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-4166-1 DSA-4144-1 DLA-1339-1} [experimental] - openjdk-7 7u171-2.6.13-1 - openjdk-9 9.0.4+12-1 - openjdk-8 8u162-b12-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2018-2640 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DSA-4091-1 DLA-1407-1 DLA-1250-1} - mariadb-10.1 1:10.1.34-1 (bug #898444) - mariadb-10.0 - mysql-5.7 5.7.21-1 (bug #887477) - mysql-5.5 NOTE: Fixed in MariaDB 10.0.34, 10.1.33 NOTE: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL CVE-2018-2639 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-9 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2018-2638 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-9 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2018-2637 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-4166-1 DSA-4144-1 DLA-1339-1} - openjdk-9 9.0.4+12-1 - openjdk-8 8u162-b12-1 [experimental] - openjdk-7 7u171-2.6.13-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2018-2636 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...) NOT-FOR-US: Oracle CVE-2018-2635 (Vulnerability in the Oracle Application Object Library component of Or ...) NOT-FOR-US: Oracle CVE-2018-2634 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-4166-1 DSA-4144-1 DLA-1339-1} - openjdk-9 9.0.4+12-1 - openjdk-8 8u162-b12-1 [experimental] - openjdk-7 7u171-2.6.13-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2018-2633 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-4166-1 DSA-4144-1 DLA-1339-1} - openjdk-9 9.0.4+12-1 - openjdk-8 8u162-b12-1 [experimental] - openjdk-7 7u171-2.6.13-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2018-2632 (Vulnerability in the Siebel Engineering - Installer and Deployment com ...) NOT-FOR-US: Oracle CVE-2018-2631 (Vulnerability in the Oracle Transportation Management component of Ora ...) NOT-FOR-US: Oracle CVE-2018-2630 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2018-2629 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-4166-1 DSA-4144-1 DLA-1339-1} - openjdk-9 9.0.4+12-1 - openjdk-8 8u162-b12-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2018-2628 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2018-2627 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-9 (Specific to installer for Windows) - openjdk-8 (Specific to installer for Windows) CVE-2018-2626 (Vulnerability in the Oracle Financial Services Balance Sheet Planning ...) NOT-FOR-US: Oracle CVE-2018-2625 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2018-2624 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Oracle CVE-2018-2623 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Oracle CVE-2018-2622 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DSA-4091-1 DLA-1407-1 DLA-1250-1} - mariadb-10.1 1:10.1.34-1 (bug #898444) - mariadb-10.0 - mysql-5.7 5.7.21-1 (bug #887477) - mysql-5.5 NOTE: Fixed in MariaDB 10.0.34, 10.1.31 NOTE: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL CVE-2018-2621 (Vulnerability in the Oracle Hospitality Cruise Shipboard Property Mana ...) NOT-FOR-US: Oracle CVE-2018-2620 (Vulnerability in the Primavera Unifier component of Oracle Constructio ...) NOT-FOR-US: Oracle CVE-2018-2619 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...) NOT-FOR-US: Oracle CVE-2018-2618 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-4166-1 DSA-4144-1 DLA-1339-1} - openjdk-9 9.0.4+12-1 - openjdk-8 8u162-b12-1 [experimental] - openjdk-7 7u171-2.6.13-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2018-2617 (Vulnerability in the OSS Support Tools component of Oracle Support Too ...) NOT-FOR-US: Oracle CVE-2018-2616 (Vulnerability in the OSS Support Tools component of Oracle Support Too ...) NOT-FOR-US: Oracle CVE-2018-2615 (Vulnerability in the OSS Support Tools component of Oracle Support Too ...) NOT-FOR-US: Oracle CVE-2018-2614 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2018-2613 (Vulnerability in the Oracle Argus Safety component of Oracle Health Sc ...) NOT-FOR-US: Oracle CVE-2018-2612 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DLA-1407-1} - mariadb-10.1 1:10.1.34-1 (bug #898444) - mariadb-10.0 - mysql-5.7 5.7.21-1 (bug #887477) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: Fixed in MariaDB 10.0.34, 10.1.31 NOTE: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL CVE-2018-2611 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Oracle CVE-2018-2610 (Vulnerability in the Hyperion Data Relationship Management component o ...) NOT-FOR-US: Oracle CVE-2018-2609 (Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain ...) NOT-FOR-US: Oracle CVE-2018-2608 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...) NOT-FOR-US: Oracle CVE-2018-2607 (Vulnerability in the Oracle Hospitality Guest Access component of Orac ...) NOT-FOR-US: Oracle CVE-2018-2606 (Vulnerability in the Oracle Hospitality Guest Access component of Orac ...) NOT-FOR-US: Oracle CVE-2018-2605 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-2604 (Vulnerability in the Oracle Hospitality Guest Access component of Orac ...) NOT-FOR-US: Oracle CVE-2018-2603 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-4166-1 DSA-4144-1 DLA-1339-1} - openjdk-9 9.0.4+12-1 - openjdk-8 8u162-b12-1 [experimental] - openjdk-7 7u171-2.6.13-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2018-2602 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-4166-1 DSA-4144-1 DLA-1339-1} - openjdk-9 9.0.4+12-1 - openjdk-8 8u162-b12-1 [experimental] - openjdk-7 7u171-2.6.13-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2018-2601 (Vulnerability in the Oracle Internet Directory component of Oracle Fus ...) NOT-FOR-US: Oracle CVE-2018-2600 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.21-1 (bug #887477) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL CVE-2018-2599 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-4166-1 DSA-4144-1 DLA-1339-1} - openjdk-9 9.0.4+12-1 - openjdk-8 8u162-b12-1 [experimental] - openjdk-7 7u171-2.6.13-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2018-2598 (Vulnerability in the MySQL Workbench component of Oracle MySQL (subcom ...) - mysql-workbench 8.0.17+dfsg-1 (bug #904112) [stretch] - mysql-workbench (Exact details undisclosed, but marginal CVSS score) [jessie] - mysql-workbench (Exact details undisclosed, but marginal CVSS score) CVE-2018-2597 (Vulnerability in the Oracle Hospitality Cruise Dining Room Management ...) NOT-FOR-US: Oracle CVE-2018-2596 (Vulnerability in the Oracle WebCenter Content component of Oracle Fusi ...) NOT-FOR-US: Oracle CVE-2018-2595 (Vulnerability in the Hyperion BI+ component of Oracle Hyperion (subcom ...) NOT-FOR-US: Oracle CVE-2018-2594 (Vulnerability in the Hyperion BI+ component of Oracle Hyperion (subcom ...) NOT-FOR-US: Oracle CVE-2018-2593 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2018-2592 (Vulnerability in the Oracle Financial Services Balance Sheet Planning ...) NOT-FOR-US: Oracle CVE-2018-2591 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL CVE-2018-2590 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.21-1 (bug #887477) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL CVE-2018-2589 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...) NOT-FOR-US: Oracle CVE-2018-2588 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-4166-1 DSA-4144-1 DLA-1339-1} - openjdk-9 9.0.4+12-1 - openjdk-8 8u162-b12-1 [experimental] - openjdk-7 7u171-2.6.13-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2018-2587 (Vulnerability in the Oracle Access Manager component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2018-2586 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.21-1 (bug #887477) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL CVE-2018-2585 (Vulnerability in the MySQL Connectors component of Oracle MySQL (subco ...) - mysql-connector-net (bug #887751) [stretch] - mysql-connector-net (Minor issue) [jessie] - mysql-connector-net (Minor issue) [wheezy] - mysql-connector-net (Minor issue) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL CVE-2018-2584 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2018-2583 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.21-1 (bug #887477) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL CVE-2018-2582 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-4144-1} - openjdk-9 9.0.4+12-1 - openjdk-8 8u162-b12-1 CVE-2018-2581 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjfx 8u161-b12-1 (bug #888530) [stretch] - openjfx (Specific details withheld by Oracle, impossible to fix) CVE-2018-2580 (Vulnerability in the Oracle Applications DBA component of Oracle E-Bus ...) NOT-FOR-US: Oracle CVE-2018-2579 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-4166-1 DSA-4144-1 DLA-1339-1} - openjdk-9 9.0.4+12-1 - openjdk-8 8u162-b12-1 [experimental] - openjdk-7 7u171-2.6.13-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2018-2578 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-2577 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-2576 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.21-1 (bug #887477) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL CVE-2018-2575 (Vulnerability in the Core RDBMS component of Oracle Database Server. S ...) NOT-FOR-US: Oracle CVE-2018-2574 (Vulnerability in the Siebel CRM Desktop component of Oracle Siebel CRM ...) NOT-FOR-US: Oracle CVE-2018-2573 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.21-1 (bug #887477) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL CVE-2018-2572 (Vulnerability in the Oracle Agile Product Lifecycle Management for Pro ...) NOT-FOR-US: Oracle CVE-2018-2571 (Vulnerability in the Oracle Communications Unified Inventory Managemen ...) NOT-FOR-US: Oracle CVE-2018-2570 (Vulnerability in the Oracle Communications Unified Inventory Managemen ...) NOT-FOR-US: Oracle CVE-2018-2569 (Vulnerability in the Java ME SDK component of Oracle Java Micro Editio ...) NOT-FOR-US: Oracle CVE-2018-2568 (Vulnerability in the Integrated Lights Out Manager (ILOM) component of ...) NOT-FOR-US: Oracle CVE-2018-2567 (Vulnerability in the Oracle Communications Order and Service Managemen ...) NOT-FOR-US: Oracle CVE-2018-2566 (Vulnerability in the Integrated Lights Out Manager (ILOM) component of ...) NOT-FOR-US: Oracle CVE-2018-2565 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.21-1 (bug #887477) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL CVE-2018-2564 (Vulnerability in the Oracle WebCenter Content component of Oracle Fusi ...) NOT-FOR-US: Oracle CVE-2018-2563 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-2562 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DSA-4091-1 DLA-1407-1 DLA-1250-1} - mariadb-10.1 1:10.1.34-1 (bug #898444) - mariadb-10.0 - mysql-5.7 5.7.20-1 - mysql-5.5 NOTE: Fixed in MariaDB 10.0.34, 10.1.31 NOTE: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL CVE-2018-2561 (Vulnerability in the Oracle HTTP Server component of Oracle Fusion Mid ...) NOT-FOR-US: Oracle CVE-2018-2560 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2018-2559 RESERVED CVE-2018-2558 RESERVED CVE-2018-2557 RESERVED CVE-2018-2556 RESERVED CVE-2018-2555 RESERVED CVE-2018-2554 RESERVED CVE-2018-2553 RESERVED CVE-2018-2552 RESERVED CVE-2018-2551 RESERVED CVE-2018-2550 RESERVED CVE-2018-2549 RESERVED CVE-2018-2548 RESERVED CVE-2018-2547 RESERVED CVE-2018-2546 RESERVED CVE-2018-2545 RESERVED CVE-2018-2544 RESERVED CVE-2018-2543 RESERVED CVE-2018-2542 RESERVED CVE-2018-2541 RESERVED CVE-2018-2540 RESERVED CVE-2018-2539 RESERVED CVE-2018-2538 RESERVED CVE-2018-2537 RESERVED CVE-2018-2536 RESERVED CVE-2018-2535 RESERVED CVE-2018-2534 RESERVED CVE-2018-2533 RESERVED CVE-2018-2532 RESERVED CVE-2018-2531 RESERVED CVE-2018-2530 RESERVED CVE-2018-2529 RESERVED CVE-2018-2528 RESERVED CVE-2018-2527 RESERVED CVE-2018-2526 RESERVED CVE-2018-2525 RESERVED CVE-2018-2524 RESERVED CVE-2018-2523 RESERVED CVE-2018-2522 RESERVED CVE-2018-2521 RESERVED CVE-2018-2520 RESERVED CVE-2018-2519 RESERVED CVE-2018-2518 RESERVED CVE-2018-2517 RESERVED CVE-2018-2516 RESERVED CVE-2018-2515 REJECTED CVE-2018-2514 RESERVED CVE-2018-2513 RESERVED CVE-2018-2512 RESERVED CVE-2018-2511 RESERVED CVE-2018-2510 RESERVED CVE-2018-2509 RESERVED CVE-2018-2508 RESERVED CVE-2018-2507 RESERVED CVE-2018-2506 RESERVED CVE-2018-2505 (SAP Commerce does not sufficiently validate user-controlled inputs, re ...) NOT-FOR-US: SAP CVE-2018-2504 (SAP NetWeaver AS Java Web Container service does not validate against ...) NOT-FOR-US: SAP CVE-2018-2503 (By default, the SAP NetWeaver AS Java keystore service does not suffic ...) NOT-FOR-US: SAP CVE-2018-2502 (TRACE method is enabled in SAP Business One Service Layer . Attacker c ...) NOT-FOR-US: SAP CVE-2018-2501 RESERVED CVE-2018-2500 (Under certain conditions SAP Mobile Secure Android client (before vers ...) NOT-FOR-US: SAP CVE-2018-2499 (A security weakness in SAP Financial Consolidation Cube Designer (BOBJ ...) NOT-FOR-US: SAP CVE-2018-2498 RESERVED CVE-2018-2497 (The security audit log of SAP HANA, versions 1.0 and 2.0, does not log ...) NOT-FOR-US: SAP CVE-2018-2496 RESERVED CVE-2018-2495 RESERVED CVE-2018-2494 (Necessary authorization checks for an authenticated user, resulting in ...) NOT-FOR-US: SAP CVE-2018-2493 RESERVED CVE-2018-2492 (SAML 2.0 functionality in SAP NetWeaver AS Java, does not sufficiently ...) NOT-FOR-US: SAP CVE-2018-2491 (When opening a deep link URL in SAP Fiori Client with log level set to ...) NOT-FOR-US: SAP CVE-2018-2490 (The broadcast messages received by SAP Fiori Client are not protected ...) NOT-FOR-US: SAP CVE-2018-2489 (Locally, without any permission, an arbitrary android application coul ...) NOT-FOR-US: SAP CVE-2018-2488 (It is possible for a malware application installed on an Android devic ...) NOT-FOR-US: SAP CVE-2018-2487 (SAP Disclosure Management 10.x allows an attacker to exploit through a ...) NOT-FOR-US: SAP CVE-2018-2486 (SAP Marketing (UICUAN (1.20, 1.30, 1.40), SAPSCORE (1.13, 1.14)) does ...) NOT-FOR-US: SAP CVE-2018-2485 (It is possible for a malicious application or malware to execute JavaS ...) NOT-FOR-US: SAP CVE-2018-2484 (SAP Enterprise Financial Services (fixed in SAPSCORE 1.13, 1.14, 1.15; ...) NOT-FOR-US: SAP CVE-2018-2483 (HTTP Verb Tampering is possible in SAP BusinessObjects Business Intell ...) NOT-FOR-US: SAP CVE-2018-2482 (SAP Mobile Secure Android Application, Mobile-secure.apk Android clien ...) NOT-FOR-US: SAP CVE-2018-2481 (In some SAP standard roles, in SAP_ABA versions, 7.00 to 7.02, 7.10 to ...) NOT-FOR-US: SAP CVE-2018-2480 RESERVED CVE-2018-2479 (SAP BusinessObjects Business Intelligence Platform (BIWorkspace), vers ...) NOT-FOR-US: SAP CVE-2018-2478 (An attacker can use specially crafted inputs to execute commands on th ...) NOT-FOR-US: SAP CVE-2018-2477 (Knowledge Management (XMLForms) in SAP NetWeaver, versions 7.30, 7.31, ...) NOT-FOR-US: SAP CVE-2018-2476 (Due to insufficient URL Validation in forums in SAP NetWeaver versions ...) NOT-FOR-US: SAP CVE-2018-2475 (Following the Gardener architecture, the Kubernetes apiserver of a Gar ...) NOT-FOR-US: SAP CVE-2018-2474 (SAP Fiori 1.0 for SAP ERP HCM (Approve Leave Request, version 2) appli ...) NOT-FOR-US: SAP CVE-2018-2473 (SAP BusinessObjects Business Intelligence Platform Server, versions 4. ...) NOT-FOR-US: SAP CVE-2018-2472 (SAP BusinessObjects Business Intelligence Platform 4.10 and 4.20 (Web ...) NOT-FOR-US: SAP CVE-2018-2471 (Under certain conditions SAP BusinessObjects Business Intelligence Pla ...) NOT-FOR-US: SAP CVE-2018-2470 (In SAP NetWeaver Application Server for ABAP, from 7.0 to 7.02, 7.30, ...) NOT-FOR-US: SAP CVE-2018-2469 (Under certain conditions SAP Adaptive Server Enterprise (ASE), version ...) NOT-FOR-US: SAP CVE-2018-2468 (Under certain conditions the backup server in SAP Adaptive Server Ente ...) NOT-FOR-US: SAP CVE-2018-2467 (In the Software Development Kit in SAP BusinessObjects BI Platform Ser ...) NOT-FOR-US: SAP CVE-2018-2466 (In Impact and Lineage Analysis in SAP Data Services, version 4.2, the ...) NOT-FOR-US: SAP CVE-2018-2465 (SAP HANA (versions 1.0 and 2.0) Extended Application Services classic ...) NOT-FOR-US: SAP CVE-2018-2464 (SAP WebDynpro Java, versions 7.20, 7.30, 7.31, 7.40, 7.50, does not su ...) NOT-FOR-US: SAP CVE-2018-2463 (The Omni Commerce Connect API (OCC) of SAP Hybris Commerce, versions 6 ...) NOT-FOR-US: SAP CVE-2018-2462 (In certain cases, BEx Web Java Runtime Export Web Service in SAP NetWe ...) NOT-FOR-US: SAP CVE-2018-2461 (Missing authorization check in SAP HCM Fiori "People Profile" (GBX01 H ...) NOT-FOR-US: SAP CVE-2018-2460 (SAP Business One Android application, version 1.2, does not verify the ...) NOT-FOR-US: SAP CVE-2018-2459 (Users of an SAP Mobile Platform (version 3.0) Offline OData applicatio ...) NOT-FOR-US: SAP CVE-2018-2458 (Under certain conditions, Crystal Report using SAP Business One, versi ...) NOT-FOR-US: SAP CVE-2018-2457 (Under certain conditions SAP Adaptive Server Enterprise, version 16.0, ...) NOT-FOR-US: SAP CVE-2018-2456 RESERVED CVE-2018-2455 (SAP Enterprise Financial Services, versions 6.05, 6.06, 6.16, 6.17, 6. ...) NOT-FOR-US: SAP CVE-2018-2454 (SAP Enterprise Financial Services, versions 6.05, 6.06, 6.16, 6.17, 6. ...) NOT-FOR-US: SAP CVE-2018-2453 RESERVED CVE-2018-2452 (The logon application of SAP NetWeaver AS Java 7.10 to 7.11, 7.20, 7.3 ...) NOT-FOR-US: SAP CVE-2018-2451 (XS Command-Line Interface (CLI) user sessions with the SAP HANA Extend ...) NOT-FOR-US: SAP HANA Extended Application Services CVE-2018-2450 (SAP MaxDB (liveCache), versions 7.8 and 7.9, allows an attacker who ge ...) NOT-FOR-US: SAP MaxDB CVE-2018-2449 (SAP SRM MDM Catalog versions 3.73, 7.31, 7.32 in (SAP NetWeaver 7.3) - ...) NOT-FOR-US: SAP SRM MDM Catalog CVE-2018-2448 (Under certain conditions SAP SRM-MDM (CATALOG versions 3.0, 7.01, 7.02 ...) NOT-FOR-US: SAP BusinessObjects Business Intelligence Platform CVE-2018-2447 (SAP BusinessObjects Business Intelligence (Launchpad Web Intelligence) ...) NOT-FOR-US: SAP BusinessObjects Business Intelligence CVE-2018-2446 (Admin tools in SAP BusinessObjects Business Intelligence, versions 4.1 ...) NOT-FOR-US: SAP BusinessObjects Business Intelligence CVE-2018-2445 (AdminTools in SAP BusinessObjects Business Intelligence, versions 4.1, ...) NOT-FOR-US: SAP BusinessObjects Business Intelligence CVE-2018-2444 (SAP BusinessObjects Financial Consolidation, versions 10.0, 10.1, does ...) NOT-FOR-US: SAP BusinessObjects Financial Consolidation CVE-2018-2443 RESERVED CVE-2018-2442 (In SAP BusinessObjects Business Intelligence, versions 4.0, 4.1 and 4. ...) NOT-FOR-US: SAP BusinessObjects Business Intelligence CVE-2018-2441 (Under certain conditions the SAP Change and Transport System (ABAP), S ...) NOT-FOR-US: SAP Change and Transport System CVE-2018-2440 (Under certain circumstances SAP Dynamic Authorization Management (DAM) ...) NOT-FOR-US: SAP CVE-2018-2439 (The SAP Internet Graphics Server (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.5 ...) NOT-FOR-US: SAP CVE-2018-2438 (The SAP Internet Graphics Server (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.5 ...) NOT-FOR-US: SAP CVE-2018-2437 (The SAP Internet Graphics Service (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7. ...) NOT-FOR-US: SAP CVE-2018-2436 (Executing transaction WRCK in SAP R/3 Enterprise Retail (EHP6) does no ...) NOT-FOR-US: SAP CVE-2018-2435 (SAP NetWeaver Enterprise Portal from 7.0 to 7.02, 7.11, 7.20, 7.30, 7. ...) NOT-FOR-US: SAP CVE-2018-2434 (A content spoofing vulnerability in the following components allows to ...) NOT-FOR-US: SAP CVE-2018-2433 (SAP Gateway (SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 N ...) NOT-FOR-US: SAP CVE-2018-2432 (SAP BusinessObjects Business Intelligence (BI Launchpad and Central Ma ...) NOT-FOR-US: SAP CVE-2018-2431 (SAP BusinessObjects Business Intelligence Suite, versions 4.10 and 4.2 ...) NOT-FOR-US: SAP CVE-2018-2430 RESERVED CVE-2018-2429 RESERVED CVE-2018-2428 (Under certain conditions SAP UI5 Handler allows an attacker to access ...) NOT-FOR-US: SAP CVE-2018-2427 (SAP BusinessObjects Business Intelligence Suite, versions 4.10 and 4.2 ...) NOT-FOR-US: SAP CVE-2018-2426 RESERVED CVE-2018-2425 (Under certain conditions, SAP Business One, 9.2, 9.3, for SAP HANA bac ...) NOT-FOR-US: SAP CVE-2018-2424 (SAP UI5 did not validate user input before adding it to the DOM struct ...) NOT-FOR-US: SAP CVE-2018-2423 (SAP Internet Graphics Server (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53, H ...) NOT-FOR-US: SAP Internet Graphics Server CVE-2018-2422 (SAP Internet Graphics Server (IGS) Portwatcher, 7.20, 7.20EXT, 7.45, 7 ...) NOT-FOR-US: SAP Internet Graphics Server CVE-2018-2421 (SAP Internet Graphics Server (IGS) Portwatcher, 7.20, 7.20EXT, 7.45, 7 ...) NOT-FOR-US: SAP Internet Graphics Server CVE-2018-2420 (SAP Internet Graphics Server (IGS), 7.20, 7.20EXT, 7.45, 7.49, 7.53, a ...) NOT-FOR-US: SAP Internet Graphics Server CVE-2018-2419 (SAP Enterprise Financial Services (SAPSCORE 1.11, 1.12; S4CORE 1.01, 1 ...) NOT-FOR-US: SAP Enterprise Financial Services CVE-2018-2418 (SAP MaxDB ODBC driver (all versions before 7.9.09.07) allows an attack ...) NOT-FOR-US: SAP MaxDB ODBC driver CVE-2018-2417 (Under certain conditions, the SAP Identity Management 8.0 (pass of typ ...) NOT-FOR-US: SAP Identity Management CVE-2018-2416 (SAP Identity Management 7.2 and 8.0 do not sufficiently validate an XM ...) NOT-FOR-US: SAP Identity Management CVE-2018-2415 (SAP NetWeaver Application Server Java Web Container and HTTP Service ( ...) NOT-FOR-US: SAP NetWeaver Application Server Java Web Container and HTTP Service CVE-2018-2414 RESERVED CVE-2018-2413 (SAP Disclosure Management 10.1 does not perform necessary authorizatio ...) NOT-FOR-US: SAP CVE-2018-2412 (SAP Disclosure Management 10.1 does not perform necessary authorizatio ...) NOT-FOR-US: SAP CVE-2018-2411 RESERVED CVE-2018-2410 (SAP Business One, 9.2, 9.3, browser access does not sufficiently encod ...) NOT-FOR-US: SAP CVE-2018-2409 (Improper session management when using SAP Cloud Platform 2.0 (Connect ...) NOT-FOR-US: SAP CVE-2018-2408 (Improper Session Management in SAP Business Objects, 4.0, from 4.10, f ...) NOT-FOR-US: SAP CVE-2018-2407 RESERVED CVE-2018-2406 (Unquoted windows search path (directory/path traversal) vulnerability ...) NOT-FOR-US: Crystal Reports Server CVE-2018-2405 (SAP Solution Manager, 7.10, 7.20, Incident Management Work Center allo ...) NOT-FOR-US: SAP CVE-2018-2404 (SAP Disclosure Management 10.1 allows an attacker to upload any file w ...) NOT-FOR-US: SAP CVE-2018-2403 (Under certain conditions, SAP Disclosure Management 10.1 allows an att ...) NOT-FOR-US: SAP CVE-2018-2402 (In systems using the optional capture & replay functionality of SA ...) NOT-FOR-US: SAP CVE-2018-2401 (SAP Business Process Automation (BPA) By Redwood does not sufficiently ...) NOT-FOR-US: SAP CVE-2018-2400 (Under certain conditions SAP Business Process Automation (BPA) By Redw ...) NOT-FOR-US: SAP CVE-2018-2399 (Cross-Site Scripting in Process Monitoring Infrastructure, from 7.10 t ...) NOT-FOR-US: SAP CVE-2018-2398 (Under certain conditions SAP Business Client 6.5 allows an attacker to ...) NOT-FOR-US: SAP CVE-2018-2397 (In SAP Business Objects Business Intelligence Platform, 4.00, 4.10, 4. ...) NOT-FOR-US: SAP CVE-2018-2396 (Under certain conditions a malicious user can prevent legitimate users ...) NOT-FOR-US: SAP Internet Graphics Server CVE-2018-2395 (Under certain conditions a malicious user may retrieve information on ...) NOT-FOR-US: SAP Internet Graphic Server CVE-2018-2394 (Under certain conditions an unauthenticated malicious user can prevent ...) NOT-FOR-US: SAP Internet Graphics Server CVE-2018-2393 (Under certain conditions SAP Internet Graphics Server (IGS) 7.20, 7.20 ...) NOT-FOR-US: SAP Internet Graphics Server CVE-2018-2392 (Under certain conditions SAP Internet Graphics Server (IGS) 7.20, 7.20 ...) NOT-FOR-US: SAP Internet Graphics Server CVE-2018-2391 (Under certain conditions a malicious user can prevent legitimate users ...) NOT-FOR-US: SAP Internet Graphics Server CVE-2018-2390 (Under certain conditions a malicious user can prevent legitimate users ...) NOT-FOR-US: SAP Internet Graphics Server CVE-2018-2389 (Under certain conditions a malicious user can inject log files of SAP ...) NOT-FOR-US: SAP Internet Graphics Server CVE-2018-2388 (Stored cross-site scripting vulnerability in SAP internet Graphics Ser ...) NOT-FOR-US: SAP internet Graphics Server CVE-2018-2387 (A vulnerability in the SAP internet Graphics Server, 7.20, 7.20EXT, 7. ...) NOT-FOR-US: SAP internet Graphics Server CVE-2018-2386 (Under certain conditions a malicious user provoking an out of bounds b ...) NOT-FOR-US: SAP Internet Graphics Server CVE-2018-2385 (Under certain conditions a malicious user provoking a divide by zero c ...) NOT-FOR-US: SAP Internet Graphics Server CVE-2018-2384 (Under certain conditions a malicious user provoking a Null Pointer der ...) NOT-FOR-US: SAP Internet Graphics Server CVE-2018-2383 (Reflected cross-site scripting vulnerability in SAP internet Graphics ...) NOT-FOR-US: SAP Internet Graphics Server CVE-2018-2382 (A vulnerability in the SAP internet Graphics Server, 7.20, 7.20EXT, 7. ...) NOT-FOR-US: SAP internet Graphics Server CVE-2018-2381 (SAP ERP Financials Information System (SAP_APPL 6.00, 6.02, 6.03, 6.04 ...) NOT-FOR-US: SAP ERP Financials Information System CVE-2018-2380 (SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to expl ...) NOT-FOR-US: SAP CRM CVE-2018-2379 (In SAP HANA Extended Application Services, 1.0, an unauthenticated use ...) NOT-FOR-US: SAP HANA Extended Application Services CVE-2018-2378 (In SAP HANA Extended Application Services, 1.0, unauthorized users can ...) NOT-FOR-US: SAP HANA Extended Application Services CVE-2018-2377 (In SAP HANA Extended Application Services, 1.0, some general server st ...) NOT-FOR-US: SAP HANA Extended Application Services CVE-2018-2376 (In SAP HANA Extended Application Services, 1.0, a controller user who ...) NOT-FOR-US: SAP HANA Extended Application Services CVE-2018-2375 (In SAP HANA Extended Application Services, 1.0, a controller user who ...) NOT-FOR-US: SAP HANA Extended Application Services CVE-2018-2374 (In SAP HANA Extended Application Services, 1.0, a controller user who ...) NOT-FOR-US: SAP HANA Extended Application Services CVE-2018-2373 (Under certain circumstances, a specific endpoint of the Controller's A ...) NOT-FOR-US: SAP HANA Extended Application Services CVE-2018-2372 (A plain keystore password is written to a system log file in SAP HANA ...) NOT-FOR-US: SAP HANA Extended Application Services CVE-2018-2371 (The SAML 2.0 service provider of SAP Netweaver AS Java Web Application ...) NOT-FOR-US: SAP Netweaver AS Java Web Application CVE-2018-2370 (Server Side Request Forgery (SSRF) vulnerability in SAP Central Manage ...) NOT-FOR-US: SAP Central Management Console CVE-2018-2369 (Under certain conditions SAP HANA, 1.00, 2.00, allows an unauthenticat ...) NOT-FOR-US: SAP HANA CVE-2018-2368 (SAP NetWeaver System Landscape Directory, LM-CORE 7.10, 7.20, 7.30, 7. ...) NOT-FOR-US: SAP NetWeaver System Landscape Directory CVE-2018-2367 (ABAP File Interface in, SAP BASIS, from 7.00 to 7.02, from 7.10 to 7.1 ...) NOT-FOR-US: SAP BASIS CVE-2018-2366 (SAP Business Process Automation (BPA) By Redwood, 9.0, 9.1, allows an ...) NOT-FOR-US: SAP CVE-2018-2365 (SAP NetWeaver Portal, WebDynpro Java, 7.30, 7.31, 7.40, 7.50, does not ...) NOT-FOR-US: SAP NetWeaver Portal CVE-2018-2364 (SAP CRM WebClient UI 7.01, 7.31, 7.46, 7.47, 7.48, 8.00, 8.01, S4FND 1 ...) NOT-FOR-US: SAP CVE-2018-2363 (SAP NetWeaver, SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7 ...) NOT-FOR-US: SAP NetWeaver CVE-2018-2362 (A remote unauthenticated attacker, SAP HANA 1.00 and 2.00, could send ...) NOT-FOR-US: SAP HANA CVE-2018-2361 (In SAP Solution Manager 7.20, the role SAP_BPO_CONFIG gives the Busine ...) NOT-FOR-US: SAP Solution Manager CVE-2018-2360 (SAP Startup Service, SAP KERNEL 7.45, 7.49, and 7.52, is missing an au ...) NOT-FOR-US: SAP Startup Service CVE-2017-17701 (K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL pointer de ...) NOT-FOR-US: K7 Antivirus CVE-2017-17700 (K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL pointer de ...) NOT-FOR-US: K7 Antivirus CVE-2017-17699 (K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL pointer de ...) NOT-FOR-US: K7 Antivirus CVE-2017-17698 (Zoho ManageEngine Password Manager Pro 9 before 9.4 (9400) has reflect ...) NOT-FOR-US: Zoho ManageEngine Password Manager Pro CVE-2017-17697 (The Ping() function in ui/api/target.go in Harbor through 1.3.0-rc4 ha ...) NOT-FOR-US: Harbor CVE-2017-17696 (Techno - Portfolio Management Panel through 2017-11-16 allows full pat ...) NOT-FOR-US: Techno - Portfolio Management Panel CVE-2017-17695 (Techno - Portfolio Management Panel through 2017-11-16 allows SQL Inje ...) NOT-FOR-US: Techno - Portfolio Management Panel CVE-2017-17694 (Techno - Portfolio Management Panel through 2017-11-16 allows XSS via ...) NOT-FOR-US: Techno - Portfolio Management Panel CVE-2017-17693 (Techno - Portfolio Management Panel through 2017-11-16 does not check ...) NOT-FOR-US: Techno - Portfolio Management Panel CVE-2017-17692 (Samsung Internet Browser 5.4.02.3 allows remote attackers to bypass th ...) NOT-FOR-US: Samsung Internet Browser CVE-2017-17691 (Homeputer CL Studio fur HomeMatic 4.0 Rel 160808 and earlier uses clea ...) NOT-FOR-US: Homeputer CL Studio fur HomeMatic CVE-2017-17690 RESERVED CVE-2017-17689 (The S/MIME specification allows a Cipher Block Chaining (CBC) malleabi ...) - evolution (bug #898633; unimportant) - kf5-messagelib 4:18.08.1-1 (bug #899127) [stretch] - kf5-messagelib (Defaults to secure handling, change to disable it entirely can be fixed via spu) - kdepim (bug #899128) [stretch] - kdepim (Defaults to secure handling, change to disable it entirely can be fixed via spu) [jessie] - kdepim (Defaults to secure handling, change to disable it entirely can be fixed via spu) NOTE: https://efail.de NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=796135 NOTE: https://dot.kde.org/2018/05/15/efail-and-kmail NOTE: protocol vulnerability can't be fixed in implementations but they can prevent exploitation by disabling loading of remote content NOTE: kmail bug is #898634, but src:kmail is not affected, the code in question is in kf5-messagelib NOTE: kf5-messagelib: https://phabricator.kde.org/D12391 (v18.04.1) NOTE: kf5-messagelib: https://phabricator.kde.org/D12393 (v18.04.1) NOTE: kmail: https://phabricator.kde.org/D12394 CVE-2017-17688 (** DISPUTED ** The OpenPGP specification allows a Cipher Feedback Mode ...) - enigmail 2:2.0.6.1-4 (bug #898630) [jessie] - enigmail (see https://lists.debian.org/debian-lts-announce/2019/02/msg00002.html) NOTE: vulnerability is in the clients handling, not in OpenPGP NOTE: https://efail.de NOTE: possibly https://sourceforge.net/p/enigmail/source/ci/f6c111 and https://sourceforge.net/p/enigmail/source/ci/d2a83a NOTE: Marking the first 2.x version which reached unstable as fixed, see discussion in #898630 CVE-2017-17687 RESERVED CVE-2017-17686 RESERVED CVE-2017-17685 RESERVED CVE-2016-10703 (A regular expression Denial of Service (DoS) vulnerability in the file ...) NOT-FOR-US: ecstatic npm CVE-2018-2359 REJECTED CVE-2018-2358 REJECTED CVE-2018-2357 REJECTED CVE-2018-2356 REJECTED CVE-2018-2355 REJECTED CVE-2018-2354 REJECTED CVE-2018-2353 REJECTED CVE-2018-2352 REJECTED CVE-2018-2351 REJECTED CVE-2018-2350 REJECTED CVE-2018-2349 REJECTED CVE-2018-2348 REJECTED CVE-2018-2347 REJECTED CVE-2018-2346 REJECTED CVE-2018-2345 REJECTED CVE-2018-2344 REJECTED CVE-2018-2343 REJECTED CVE-2018-2342 REJECTED CVE-2018-2341 REJECTED CVE-2018-2340 REJECTED CVE-2018-2339 REJECTED CVE-2018-2338 REJECTED CVE-2018-2337 REJECTED CVE-2018-2336 REJECTED CVE-2018-2335 REJECTED CVE-2018-2334 REJECTED CVE-2018-2333 REJECTED CVE-2018-2332 REJECTED CVE-2018-2331 REJECTED CVE-2018-2330 REJECTED CVE-2018-2329 REJECTED CVE-2018-2328 REJECTED CVE-2018-2327 REJECTED CVE-2018-2326 REJECTED CVE-2018-2325 REJECTED CVE-2018-2324 REJECTED CVE-2018-2323 REJECTED CVE-2018-2322 REJECTED CVE-2018-2321 REJECTED CVE-2018-2320 REJECTED CVE-2018-2319 REJECTED CVE-2018-2318 REJECTED CVE-2018-2317 REJECTED CVE-2018-2316 REJECTED CVE-2018-2315 REJECTED CVE-2018-2314 REJECTED CVE-2018-2313 REJECTED CVE-2018-2312 REJECTED CVE-2018-2311 REJECTED CVE-2018-2310 REJECTED CVE-2018-2309 REJECTED CVE-2018-2308 REJECTED CVE-2018-2307 REJECTED CVE-2018-2306 REJECTED CVE-2018-2305 REJECTED CVE-2018-2304 REJECTED CVE-2018-2303 REJECTED CVE-2018-2302 REJECTED CVE-2018-2301 REJECTED CVE-2018-2300 REJECTED CVE-2018-2299 REJECTED CVE-2018-2298 REJECTED CVE-2018-2297 REJECTED CVE-2018-2296 REJECTED CVE-2018-2295 REJECTED CVE-2018-2294 REJECTED CVE-2018-2293 REJECTED CVE-2018-2292 REJECTED CVE-2018-2291 REJECTED CVE-2018-2290 REJECTED CVE-2018-2289 REJECTED CVE-2018-2288 REJECTED CVE-2018-2287 REJECTED CVE-2018-2286 REJECTED CVE-2018-2285 REJECTED CVE-2018-2284 REJECTED CVE-2018-2283 REJECTED CVE-2018-2282 REJECTED CVE-2018-2281 REJECTED CVE-2018-2280 REJECTED CVE-2018-2279 REJECTED CVE-2018-2278 REJECTED CVE-2018-2277 REJECTED CVE-2018-2276 REJECTED CVE-2018-2275 REJECTED CVE-2018-2274 REJECTED CVE-2018-2273 REJECTED CVE-2018-2272 REJECTED CVE-2018-2271 REJECTED CVE-2018-2270 REJECTED CVE-2018-2269 REJECTED CVE-2018-2268 REJECTED CVE-2018-2267 REJECTED CVE-2018-2266 REJECTED CVE-2018-2265 REJECTED CVE-2018-2264 REJECTED CVE-2018-2263 REJECTED CVE-2018-2262 REJECTED CVE-2018-2261 REJECTED CVE-2018-2260 REJECTED CVE-2018-2259 REJECTED CVE-2018-2258 REJECTED CVE-2018-2257 REJECTED CVE-2018-2256 REJECTED CVE-2018-2255 REJECTED CVE-2018-2254 REJECTED CVE-2018-2253 REJECTED CVE-2018-2252 REJECTED CVE-2018-2251 REJECTED CVE-2018-2250 REJECTED CVE-2018-2249 REJECTED CVE-2018-2248 REJECTED CVE-2018-2247 REJECTED CVE-2018-2246 REJECTED CVE-2018-2245 REJECTED CVE-2018-2244 REJECTED CVE-2018-2243 REJECTED CVE-2018-2242 REJECTED CVE-2018-2241 REJECTED CVE-2018-2240 REJECTED CVE-2018-2239 REJECTED CVE-2018-2238 REJECTED CVE-2018-2237 REJECTED CVE-2018-2236 REJECTED CVE-2018-2235 REJECTED CVE-2018-2234 REJECTED CVE-2018-2233 REJECTED CVE-2018-2232 REJECTED CVE-2018-2231 REJECTED CVE-2018-2230 REJECTED CVE-2018-2229 REJECTED CVE-2018-2228 REJECTED CVE-2018-2227 REJECTED CVE-2018-2226 REJECTED CVE-2018-2225 REJECTED CVE-2018-2224 REJECTED CVE-2018-2223 REJECTED CVE-2018-2222 REJECTED CVE-2018-2221 REJECTED CVE-2018-2220 REJECTED CVE-2018-2219 REJECTED CVE-2018-2218 REJECTED CVE-2018-2217 REJECTED CVE-2018-2216 REJECTED CVE-2018-2215 REJECTED CVE-2018-2214 REJECTED CVE-2018-2213 REJECTED CVE-2018-2212 REJECTED CVE-2018-2211 REJECTED CVE-2018-2210 REJECTED CVE-2018-2209 REJECTED CVE-2018-2208 REJECTED CVE-2018-2207 REJECTED CVE-2018-2206 REJECTED CVE-2018-2205 REJECTED CVE-2018-2204 REJECTED CVE-2018-2203 REJECTED CVE-2018-2202 REJECTED CVE-2018-2201 REJECTED CVE-2018-2200 REJECTED CVE-2018-2199 REJECTED CVE-2018-2198 REJECTED CVE-2018-2197 REJECTED CVE-2018-2196 REJECTED CVE-2018-2195 REJECTED CVE-2018-2194 REJECTED CVE-2018-2193 REJECTED CVE-2018-2192 REJECTED CVE-2018-2191 REJECTED CVE-2018-2190 REJECTED CVE-2018-2189 REJECTED CVE-2018-2188 REJECTED CVE-2018-2187 REJECTED CVE-2018-2186 REJECTED CVE-2018-2185 REJECTED CVE-2018-2184 REJECTED CVE-2018-2183 REJECTED CVE-2018-2182 REJECTED CVE-2018-2181 REJECTED CVE-2018-2180 REJECTED CVE-2018-2179 REJECTED CVE-2018-2178 REJECTED CVE-2018-2177 REJECTED CVE-2018-2176 REJECTED CVE-2018-2175 REJECTED CVE-2018-2174 REJECTED CVE-2018-2173 REJECTED CVE-2018-2172 REJECTED CVE-2018-2171 REJECTED CVE-2018-2170 REJECTED CVE-2018-2169 REJECTED CVE-2018-2168 REJECTED CVE-2018-2167 REJECTED CVE-2018-2166 REJECTED CVE-2018-2165 REJECTED CVE-2018-2164 REJECTED CVE-2018-2163 REJECTED CVE-2018-2162 REJECTED CVE-2018-2161 REJECTED CVE-2018-2160 REJECTED CVE-2018-2159 REJECTED CVE-2018-2158 REJECTED CVE-2018-2157 REJECTED CVE-2018-2156 REJECTED CVE-2018-2155 REJECTED CVE-2018-2154 REJECTED CVE-2018-2153 REJECTED CVE-2018-2152 REJECTED CVE-2018-2151 REJECTED CVE-2018-2150 REJECTED CVE-2018-2149 REJECTED CVE-2018-2148 REJECTED CVE-2018-2147 REJECTED CVE-2018-2146 REJECTED CVE-2018-2145 REJECTED CVE-2018-2144 REJECTED CVE-2018-2143 REJECTED CVE-2018-2142 REJECTED CVE-2018-2141 REJECTED CVE-2018-2140 REJECTED CVE-2018-2139 REJECTED CVE-2018-2138 REJECTED CVE-2018-2137 REJECTED CVE-2018-2136 REJECTED CVE-2018-2135 REJECTED CVE-2018-2134 REJECTED CVE-2018-2133 REJECTED CVE-2018-2132 REJECTED CVE-2018-2131 REJECTED CVE-2018-2130 REJECTED CVE-2018-2129 REJECTED CVE-2018-2128 REJECTED CVE-2018-2127 REJECTED CVE-2018-2126 REJECTED CVE-2018-2125 REJECTED CVE-2018-2124 REJECTED CVE-2018-2123 REJECTED CVE-2018-2122 REJECTED CVE-2018-2121 REJECTED CVE-2018-2120 REJECTED CVE-2018-2119 REJECTED CVE-2018-2118 REJECTED CVE-2018-2117 REJECTED CVE-2018-2116 REJECTED CVE-2018-2115 REJECTED CVE-2018-2114 REJECTED CVE-2018-2113 REJECTED CVE-2018-2112 REJECTED CVE-2018-2111 REJECTED CVE-2018-2110 REJECTED CVE-2018-2109 REJECTED CVE-2018-2108 REJECTED CVE-2018-2107 REJECTED CVE-2018-2106 REJECTED CVE-2018-2105 REJECTED CVE-2018-2104 REJECTED CVE-2018-2103 REJECTED CVE-2018-2102 REJECTED CVE-2018-2101 REJECTED CVE-2018-2100 REJECTED CVE-2018-2099 REJECTED CVE-2018-2098 REJECTED CVE-2018-2097 REJECTED CVE-2018-2096 REJECTED CVE-2018-2095 REJECTED CVE-2018-2094 REJECTED CVE-2018-2093 REJECTED CVE-2018-2092 REJECTED CVE-2018-2091 REJECTED CVE-2018-2090 REJECTED CVE-2018-2089 REJECTED CVE-2018-2088 REJECTED CVE-2018-2087 REJECTED CVE-2018-2086 REJECTED CVE-2018-2085 REJECTED CVE-2018-2084 REJECTED CVE-2018-2083 REJECTED CVE-2018-2082 REJECTED CVE-2018-2081 REJECTED CVE-2018-2080 REJECTED CVE-2018-2079 REJECTED CVE-2018-2078 REJECTED CVE-2018-2077 REJECTED CVE-2018-2076 REJECTED CVE-2018-2075 REJECTED CVE-2018-2074 REJECTED CVE-2018-2073 REJECTED CVE-2018-2072 REJECTED CVE-2018-2071 REJECTED CVE-2018-2070 REJECTED CVE-2018-2069 REJECTED CVE-2018-2068 REJECTED CVE-2018-2067 REJECTED CVE-2018-2066 REJECTED CVE-2018-2065 REJECTED CVE-2018-2064 REJECTED CVE-2018-2063 REJECTED CVE-2018-2062 REJECTED CVE-2018-2061 REJECTED CVE-2018-2060 REJECTED CVE-2018-2059 REJECTED CVE-2018-2058 REJECTED CVE-2018-2057 REJECTED CVE-2018-2056 REJECTED CVE-2018-2055 REJECTED CVE-2018-2054 REJECTED CVE-2018-2053 REJECTED CVE-2018-2052 REJECTED CVE-2018-2051 REJECTED CVE-2018-2050 REJECTED CVE-2018-2049 REJECTED CVE-2018-2048 REJECTED CVE-2018-2047 REJECTED CVE-2018-2046 REJECTED CVE-2018-2045 REJECTED CVE-2018-2044 REJECTED CVE-2018-2043 REJECTED CVE-2018-2042 REJECTED CVE-2018-2041 REJECTED CVE-2018-2040 REJECTED CVE-2018-2039 REJECTED CVE-2018-2038 REJECTED CVE-2018-2037 REJECTED CVE-2018-2036 REJECTED CVE-2018-2035 REJECTED CVE-2018-2034 REJECTED CVE-2018-2033 REJECTED CVE-2018-2032 REJECTED CVE-2018-2031 REJECTED CVE-2018-2030 RESERVED CVE-2018-2029 RESERVED CVE-2018-2028 (IBM Maximo Asset Management 7.6 could allow a an authenticated user to ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2018-2027 RESERVED CVE-2018-2026 (IBM Financial Transaction Manager 3.2.1 for Digital Payments could all ...) NOT-FOR-US: IBM CVE-2018-2025 (IBM Spectrum Protect Backup-Archive Client and IBM Spectrum Protect fo ...) NOT-FOR-US: IBM CVE-2018-2024 (IBM QRadar SIEM 7.2 and 7.3 specifies permissions for a security-criti ...) NOT-FOR-US: IBM CVE-2018-2023 RESERVED CVE-2018-2022 (IBM QRadar SIEM 7.2 and 7.3 discloses sensitive information to unautho ...) NOT-FOR-US: IBM CVE-2018-2021 (IBM QRadar SIEM 7.2 and 7.3 is vulnerable to cross-site scripting. Thi ...) NOT-FOR-US: IBM CVE-2018-2020 RESERVED CVE-2018-2019 (IBM Security Identity Manager 6.0.0 Virtual Appliance is vulnerable to ...) NOT-FOR-US: IBM CVE-2018-2018 RESERVED CVE-2018-2017 RESERVED CVE-2018-2016 RESERVED CVE-2018-2015 (IBM API Connect 2018.1 and 2018.4.1.4 could allow a remote attacker to ...) NOT-FOR-US: IBM CVE-2018-2014 RESERVED CVE-2018-2013 (IBM API Connect 2018.1 through 2018.4.1.5 could disclose sensitive inf ...) NOT-FOR-US: IBM CVE-2018-2012 RESERVED CVE-2018-2011 (IBM API Connect 2018.1 through 2018.4.1.5 could allow an attacker to o ...) NOT-FOR-US: IBM CVE-2018-2010 RESERVED CVE-2018-2009 (IBM API Connect v2018.1 and 2018.4.1 is affected by an information dis ...) NOT-FOR-US: IBM CVE-2018-2008 (IBM TRIRIGA Application Platform 3.5.3 and 3.6.0 could disclose sensit ...) NOT-FOR-US: IBM CVE-2018-2007 (IBM API Connect 2018.1 and 2018.4.1.2 uses weaker than expected crypto ...) NOT-FOR-US: IBM CVE-2018-2006 (IBM Robotic Process Automation with Automation Anywhere 11 could allow ...) NOT-FOR-US: IBM CVE-2018-2005 (IBM BigFix Platform 9.2 and 9.5 stores potentially sensitive informati ...) NOT-FOR-US: IBM CVE-2018-2004 (IBM Jazz Reporting Service (JRS) 6.0 through 6.0.6 is vulnerable to cr ...) NOT-FOR-US: IBM CVE-2018-2003 RESERVED CVE-2018-2002 RESERVED CVE-2018-2001 (IBM Cram Social Program Management 6.1.1, 6.2.0, 7.0.4, and 7.0.5 is v ...) NOT-FOR-US: IBM CVE-2018-2000 (IBM Business Automation Workflow 18.0.0.0 and 18.0.0.1 is vulnerable t ...) NOT-FOR-US: IBM CVE-2018-1999 (IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, and 18.0.0.2 coul ...) NOT-FOR-US: IBM CVE-2018-1998 (IBM WebSphere MQ 8.0.0.0 through 9.1.1 could allow a local user to inj ...) NOT-FOR-US: IBM CVE-2018-1997 (IBM Business Automation Workflow and Business Process Manager 18.0.0.0 ...) NOT-FOR-US: IBM CVE-2018-1996 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could provide ...) NOT-FOR-US: IBM CVE-2018-1995 RESERVED CVE-2018-1994 (IBM InfoSphere Information Server 11.5 and 11.7 is vulnerable to SQL i ...) NOT-FOR-US: IBM CVE-2018-1993 (IBM Spectrum Scale (GPFS) 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.2.3, and 5.0.0 ...) NOT-FOR-US: IBM CVE-2018-1992 (The IBM Power 9 OP910, OP920, and FW910 boot firmware's bootloader is ...) NOT-FOR-US: IBM CVE-2018-1991 (IBM API Connect 5.0.0.0, and 5.0.8.6 could could return sensitive info ...) NOT-FOR-US: IBM CVE-2018-1990 (IBM Cloud App Management V2018.2.0, V2018.4.0, and V2018.4.1 could all ...) NOT-FOR-US: IBM CVE-2018-1989 RESERVED CVE-2018-1988 RESERVED CVE-2018-1987 (IBM Spectrum Protect for Enterprise Resource Planning 7.1 and 8.1, if ...) NOT-FOR-US: IBM CVE-2018-1986 RESERVED CVE-2018-1985 RESERVED CVE-2018-1984 (IBM Rational Team Concert 5.0 through 6.0.6 is vulnerable to cross-sit ...) NOT-FOR-US: IBM CVE-2018-1983 (IBM Rational Team Concert 5.0 through 6.0.6 is vulnerable to cross-sit ...) NOT-FOR-US: IBM CVE-2018-1982 (IBM Rational Team Concert 5.0 through 6.0.6 is vulnerable to cross-sit ...) NOT-FOR-US: IBM CVE-2018-1981 RESERVED CVE-2018-1980 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2018-1979 RESERVED CVE-2018-1978 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2018-1977 (IBM DB2 for Linux, UNIX and Windows 11.1 (includes DB2 Connect Server) ...) NOT-FOR-US: IBM CVE-2018-1976 (IBM API Connect 5.0.0.0 through 5.0.8.4 is impacted by sensitive infor ...) NOT-FOR-US: IBM CVE-2018-1975 (IBM Rational DOORS Web Access 9.5.1 through 9.5.2.9, and 9.6 through 9 ...) NOT-FOR-US: IBM CVE-2018-1974 (IBM WebSphere 8.0.0.0 through 9.1.1 could allow an authenticated attac ...) NOT-FOR-US: IBM CVE-2018-1973 (IBM API Connect 5.0.0.0 through 5.0.8.4 allows a user with limited 'AP ...) NOT-FOR-US: IBM CVE-2018-1972 RESERVED CVE-2018-1971 RESERVED CVE-2018-1970 (IBM Security Identity Manager 7.0.1 is vulnerable to a XML External En ...) NOT-FOR-US: IBM CVE-2018-1969 (IBM Security Identity Manager 6.0.0 allows the attacker to upload or t ...) NOT-FOR-US: IBM CVE-2018-1968 (IBM Security Identity Manager 7.0.1 discloses sensitive information to ...) NOT-FOR-US: IBM CVE-2018-1967 (IBM Security Identity Manager 6.0.0 is vulnerable to cross-site script ...) NOT-FOR-US: IBM CVE-2018-1966 RESERVED CVE-2018-1965 RESERVED CVE-2018-1964 RESERVED CVE-2018-1963 RESERVED CVE-2018-1962 (IBM Security Identity Manager 7.0.1 Virtual Appliance does not invalid ...) NOT-FOR-US: IBM CVE-2018-1961 (IBM Emptoris Contract Management 10.0.0 and 10.1.3.0 could disclose se ...) NOT-FOR-US: IBM CVE-2018-1960 RESERVED CVE-2018-1959 (IBM Security Identity Manager 7.0.1 Virtual Appliance contains hard-co ...) NOT-FOR-US: IBM CVE-2018-1958 RESERVED CVE-2018-1957 (IBM WebSphere Application Server 9 could allow sensitive information t ...) NOT-FOR-US: IBM CVE-2018-1956 (IBM Security Identity Manager 6.0.0 does not require that users should ...) NOT-FOR-US: IBM CVE-2018-1955 RESERVED CVE-2018-1954 RESERVED CVE-2018-1953 RESERVED CVE-2018-1952 (IBM Jazz Foundation (IBM Rational Engineering Lifecycle Manager 5.0 th ...) NOT-FOR-US: IBM CVE-2018-1951 (IBM Publishing Engine 2.1.2, 6.0.5, and 6.0.6 is vulnerable to cross-s ...) NOT-FOR-US: IBM CVE-2018-1950 (IBM Security Identity Governance and Intelligence 5.2 through 5.2.4.1 ...) NOT-FOR-US: IBM CVE-2018-1949 (IBM Security Identity Governance and Intelligence 5.2 through 5.2.4.1 ...) NOT-FOR-US: IBM CVE-2018-1948 (IBM Security Identity Governance and Intelligence 5.2 through 5.2.4.1 ...) NOT-FOR-US: IBM CVE-2018-1947 (IBM Security Identity Governance and Intelligence 5.2 through 5.2.4.1 ...) NOT-FOR-US: IBM CVE-2018-1946 (IBM Security Identity Governance and Intelligence 5.2 through 5.2.4.1 ...) NOT-FOR-US: IBM CVE-2018-1945 (IBM Security Identity Governance and Intelligence 5.2 through 5.2.4.1 ...) NOT-FOR-US: IBM CVE-2018-1944 (IBM Security Identity Governance and Intelligence 5.2 through 5.2.4.1 ...) NOT-FOR-US: IBM CVE-2018-1943 (IBM Cloud Private 3.1.0 and 3.1.1 is vulnerable to HTTP HOST header in ...) NOT-FOR-US: IBM CVE-2018-1942 RESERVED CVE-2018-1941 (IBM Campaign 9.1.0 and 9.1.2 could allow a local user to obtain admini ...) NOT-FOR-US: IBM CVE-2018-1940 RESERVED CVE-2018-1939 (IBM Cloud Private 3.1.1 could allow a remote attacker to conduct phish ...) NOT-FOR-US: IBM CVE-2018-1938 (IBM Cloud Private 3.1.1 could alllow a local user with administrator p ...) NOT-FOR-US: IBM CVE-2018-1937 (IBM Cloud Private 3.1.1 could alllow a local user with administrator p ...) NOT-FOR-US: IBM CVE-2018-1936 (IBM DB2 9.7, 10.1, 10.5, and 11.1 libdb2e.so.1 is vulnerable to a stac ...) NOT-FOR-US: IBM CVE-2018-1935 (IBM Connections 5.0, 5.5, and 6.0 could allow an authenticated user to ...) NOT-FOR-US: IBM CVE-2018-1934 (IBM Cognos Business Intelligence 10.2.2 is vulnerable to cross-site re ...) NOT-FOR-US: IBM CVE-2018-1933 (IBM Planning Analytics 2.0 through 2.0.6 is vulnerable to cross-site s ...) NOT-FOR-US: IBM CVE-2018-1932 (IBM API Connect 5.0.0.0 through 5.0.8.4 is affected by a vulnerability ...) NOT-FOR-US: IBM CVE-2018-1931 RESERVED CVE-2018-1930 RESERVED CVE-2018-1929 (IBM Rational Engineering Lifecycle Manager 5.0 through 6.0.6 could all ...) NOT-FOR-US: IBM CVE-2018-1928 (IBM StoredIQ 7.6.0 does not implement proper authorization of user rol ...) NOT-FOR-US: IBM CVE-2018-1927 (IBM StoredIQ 7.6 is vulnerable to cross-site request forgery which cou ...) NOT-FOR-US: IBM CVE-2018-1926 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Admin Console ...) NOT-FOR-US: IBM CVE-2018-1925 (IBM WebShere MQ 9.1.0.0, 9.1.0.1, 9.1.1 uses weaker than expected cryp ...) NOT-FOR-US: IBM CVE-2018-1924 RESERVED CVE-2018-1923 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2018-1922 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2018-1921 (IBM Campaign 9.1.0, 9.1.2, 10.1, and 11.0 is vulnerable to cross-site ...) NOT-FOR-US: IBM CVE-2018-1920 (IBM Marketing Platform 9.1.0, 9.1.2 and 10.1 is vulnerable to a XML Ex ...) NOT-FOR-US: IBM CVE-2018-1919 RESERVED CVE-2018-1918 (IBM Jazz Reporting Service (JRS) 6.0.3, 6.0.4, 6.0.5, and 6.0.6 is vul ...) NOT-FOR-US: IBM CVE-2018-1917 (IBM InfoSphere Information Server 11.3, 11.5, and 11.7 could allow an ...) NOT-FOR-US: IBM CVE-2018-1916 (IBM Jazz Foundation (IBM Rational Engineering Lifecycle Manager 5.0 th ...) NOT-FOR-US: IBM CVE-2018-1915 RESERVED CVE-2018-1914 (IBM Rational Engineering Lifecycle Manager 5.0 through 6.0.6 is vulner ...) NOT-FOR-US: IBM CVE-2018-1913 (IBM DOORS Next Generation (DNG/RRC) 5.0 through 5.0.3 and 6.0 through ...) NOT-FOR-US: IBM CVE-2018-1912 (IBM DOORS Next Generation (DNG/RRC) 6.0.2 through 6.0.6 is vulnerable ...) NOT-FOR-US: IBM CVE-2018-1911 (IBM DOORS Next Generation (DNG/RRC) 5.0 through 5.0.2 and 6.0 through ...) NOT-FOR-US: IBM CVE-2018-1910 (IBM Rational Engineering Lifecycle Manager 5.0 through 6.0.6 is vulner ...) NOT-FOR-US: IBM CVE-2018-1909 RESERVED CVE-2018-1908 (IBM Robotic Process Automation with Automation Anywhere 11 is vulnerab ...) NOT-FOR-US: IBM CVE-2018-1907 RESERVED CVE-2018-1906 (IBM InfoSphere Information Server 11.3, 11.5, and 11.7could allow an a ...) NOT-FOR-US: IBM CVE-2018-1905 (IBM WebSphere Application Server 9.0.0.0 through 9.0.0.9 is vulnerable ...) NOT-FOR-US: IBM CVE-2018-1904 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow re ...) NOT-FOR-US: IBM CVE-2018-1903 (IBM Sterling Connect:Direct for UNIX 4.2.0, 4.3.0, and 6.0.0 could all ...) NOT-FOR-US: IBM CVE-2018-1902 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a ...) NOT-FOR-US: IBM CVE-2018-1901 (IBM WebSphere Application Server 8.5 and 9.0 could allow a remote atta ...) NOT-FOR-US: IBM CVE-2018-1900 (IBM Curam Social Program Management 6.0.5, 6.1.1, 6.2.0, 7.0.1, and 7. ...) NOT-FOR-US: IBM CVE-2018-1899 (IBM InfoSphere Information Server 11.3, 11.5, and 11.7 could allow an ...) NOT-FOR-US: IBM CVE-2018-1898 RESERVED CVE-2018-1897 (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5., and 11.1 db2pdcf ...) NOT-FOR-US: IBM CVE-2018-1896 (IBM Connections 5.0, 5.5, and 6.0 is vulnerable to possible host heade ...) NOT-FOR-US: IBM CVE-2018-1895 (IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable t ...) NOT-FOR-US: IBM CVE-2018-1894 RESERVED CVE-2018-1893 (IBM Rational Collaborative Lifecycle Management 6.0 through 6.0.6.1 is ...) NOT-FOR-US: IBM CVE-2018-1892 (IBM Rational Collaborative Lifecycle Management 6.0 through 6.0.6.1 is ...) NOT-FOR-US: IBM CVE-2018-1891 (IBM Security Guardium 10 and 10.5 is vulnerable to cross-site scriptin ...) NOT-FOR-US: IBM CVE-2018-1890 (IBM SDK, Java Technology Edition Version 8 on the AIX platform uses ab ...) NOT-FOR-US: IBM Java on AIX CVE-2018-1889 (IBM Security Guardium 10.0 and 10.5 is vulnerable to cross-site script ...) NOT-FOR-US: IBM CVE-2018-1888 (An untrusted search path vulnerability in IBM i Access for Windows ver ...) NOT-FOR-US: IBM CVE-2018-1887 (IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4 ...) NOT-FOR-US: IBM CVE-2018-1886 (IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4 ...) NOT-FOR-US: IBM CVE-2018-1885 (IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, and 18.0.0.2 coul ...) NOT-FOR-US: IBM CVE-2018-1884 (IBM Case Manager 5.2.0.0, 5.2.0.4, 5.2.1.0, 5.2.1.7, 5.3.0.0, and 5.3. ...) NOT-FOR-US: IBM Case Manager CVE-2018-1883 (A problem within the IBM MQ 9.0.2, 9.0.3, 9.0.4, 9.0.5, and 9.1.0.0 Co ...) NOT-FOR-US: IBM CVE-2018-1882 (In a certain atypical IBM Spectrum Protect 7.1 and 8.1 configurations, ...) NOT-FOR-US: IBM CVE-2018-1881 RESERVED CVE-2018-1880 RESERVED CVE-2018-1879 RESERVED CVE-2018-1878 (IBM Robotic Process Automation with Automation Anywhere 11 could discl ...) NOT-FOR-US: IBM CVE-2018-1877 (IBM Robotic Process Automation with Automation Anywhere 11 could store ...) NOT-FOR-US: IBM CVE-2018-1876 (IBM Robotic Process Automation with Automation Anywhere 11 could under ...) NOT-FOR-US: IBM CVE-2018-1875 (IBM InfoSphere Information Governance Catalog 11.3, 11.5, and 11.7 cou ...) NOT-FOR-US: IBM CVE-2018-1874 (IBM API Connect 5.0.0.0 through 5.0.8.5 could display highly sensitive ...) NOT-FOR-US: IBM CVE-2018-1873 RESERVED CVE-2018-1872 (IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. ...) NOT-FOR-US: IBM CVE-2018-1871 (IBM Financial Transaction Manager for Digital Payments for Multi-Platf ...) NOT-FOR-US: IBM CVE-2018-1870 RESERVED CVE-2018-1869 RESERVED CVE-2018-1868 RESERVED CVE-2018-1867 RESERVED CVE-2018-1866 RESERVED CVE-2018-1865 RESERVED CVE-2018-1864 RESERVED CVE-2018-1863 RESERVED CVE-2018-1862 RESERVED CVE-2018-1861 RESERVED CVE-2018-1860 RESERVED CVE-2018-1859 (IBM API Connect 5.0.0.0 through 5.0.8.4 could allow a user authenticat ...) NOT-FOR-US: IBM CVE-2018-1858 (IBM API Connect 5.0.0.0 through 5.0.8.6 is vulnerable to cross-site re ...) NOT-FOR-US: IBM CVE-2018-1857 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1 ...) NOT-FOR-US: IBM CVE-2018-1856 RESERVED CVE-2018-1855 RESERVED CVE-2018-1854 RESERVED CVE-2018-1853 (IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) could al ...) NOT-FOR-US: IBM CVE-2018-1852 RESERVED CVE-2018-1851 (IBM WebSphere Application Server Liberty OpenID Connect could allow a ...) NOT-FOR-US: IBM CVE-2018-1850 (IBM Security Access Manager Appliance 9.0.3.1, 9.0.4.0 and 9.0.5.0 cou ...) NOT-FOR-US: IBM CVE-2018-1849 RESERVED CVE-2018-1848 (IBM Business Automation Workflow 18.0.0.0 and 18.0.0.1 is vulnerable t ...) NOT-FOR-US: IBM CVE-2018-1847 (IBM Financial Transaction Manager (FTM) for Multi-Platform (MP) v2.0.0 ...) NOT-FOR-US: IBM CVE-2018-1846 (IBM Rational Engineering Lifecycle Manager 5.0 through 5.0.2 and 6.0 t ...) NOT-FOR-US: IBM CVE-2018-1845 (IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable t ...) NOT-FOR-US: IBM CVE-2018-1844 (IBM FileNet Content Manager 5.2.1 and 5.5.0 is vulnerable to a XML Ext ...) NOT-FOR-US: IBM CVE-2018-1843 (The Identity and Access Management (IAM) services (IBM Cloud Private 3 ...) NOT-FOR-US: IBM CVE-2018-1842 (IBM Cognos Analytics 11 Configuration tool, under certain circumstance ...) NOT-FOR-US: IBM CVE-2018-1841 (IBM Cloud Private 2.1.0 could allow a local user to obtain the CA Priv ...) NOT-FOR-US: IBM CVE-2018-1840 (IBM WebSphere Application Server 8.5 and 9.0 could allow a remote atta ...) NOT-FOR-US: IBM CVE-2018-1839 RESERVED CVE-2018-1838 (IBM WebSphere Application Server 8.5 and 9.0 in IBM Cloud could allow ...) NOT-FOR-US: IBM CVE-2018-1837 RESERVED CVE-2018-1836 (IBM WebSphere MQ 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.1.0.0, and 9.1.0.1 cons ...) NOT-FOR-US: IBM CVE-2018-1835 (IBM Daeja ViewONE Professional, Standard & Virtual 5 is vulnerable ...) NOT-FOR-US: IBM CVE-2018-1834 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2018-1833 (IBM Event Streams 2018.3.0 could allow a remote attacker to submit an ...) NOT-FOR-US: IBM Event Streams CVE-2018-1832 RESERVED CVE-2018-1831 RESERVED CVE-2018-1830 RESERVED CVE-2018-1829 (IBM Rational Quality Manager 5.0 through 6.0.6 is vulnerable to cross- ...) NOT-FOR-US: IBM CVE-2018-1828 (IBM Rational Collaborative Lifecycle Management 6.0 through 6.0.6.1 is ...) NOT-FOR-US: IBM CVE-2018-1827 (IBM Rational Collaborative Lifecycle Management 6.0 through 6.0.6.1 is ...) NOT-FOR-US: IBM CVE-2018-1826 (IBM Rational Collaborative Lifecycle Management 6.0 through 6.0.6.1 is ...) NOT-FOR-US: IBM CVE-2018-1825 (IBM Rational Quality Manager 5.0 through 6.0.6 is vulnerable to cross- ...) NOT-FOR-US: IBM CVE-2018-1824 (IBM Rational Quality Manager 5.0 through 6.0.6 is vulnerable to cross- ...) NOT-FOR-US: IBM CVE-2018-1823 (IBM Rational Quality Manager 5.0 through 6.0.6 is vulnerable to cross- ...) NOT-FOR-US: IBM CVE-2018-1822 (IBM FlashSystem 900 product GUI allows a specially crafted attack to b ...) NOT-FOR-US: IBM CVE-2018-1821 (IBM Operational Decision Management 8.5, 8.6, 8.7, 8.8, and 8.9 is vul ...) NOT-FOR-US: IBM CVE-2018-1820 (IBM WebSphere Portal 8.0, 8.5, and 9.0 is vulnerable to cross-site scr ...) NOT-FOR-US: IBM CVE-2018-1819 (IBM Financial Transaction Manager for Digital Payments for Multi-Platf ...) NOT-FOR-US: IBM CVE-2018-1818 (IBM Security Guardium 10 and 10.5 contains hard-coded credentials, suc ...) NOT-FOR-US: IBM CVE-2018-1817 (IBM Security Guardium 10 and 10.5 is vulnerable to cross-site scriptin ...) NOT-FOR-US: IBM CVE-2018-1816 RESERVED CVE-2018-1815 (IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4 ...) NOT-FOR-US: IBM CVE-2018-1814 (IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4 ...) NOT-FOR-US: IBM CVE-2018-1813 (IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4 ...) NOT-FOR-US: IBM CVE-2018-1812 (IBM Robotic Process Automation with Automation Anywhere Enterprise 10 ...) NOT-FOR-US: IBM CVE-2018-1811 RESERVED CVE-2018-1810 RESERVED CVE-2018-1809 RESERVED CVE-2018-1808 (IBM WebSphere Commerce 9.0.0.0 through 9.0.0.6 could allow some server ...) NOT-FOR-US: IBM CVE-2018-1807 RESERVED CVE-2018-1806 RESERVED CVE-2018-1805 (IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4 ...) NOT-FOR-US: IBM CVE-2018-1804 (IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4 ...) NOT-FOR-US: IBM CVE-2018-1803 (IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4 ...) NOT-FOR-US: IBM CVE-2018-1802 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2018-1801 (IBM App Connect V11.0.0.0 through V11.0.0.1, IBM Integration Bus V10.0 ...) NOT-FOR-US: IBM CVE-2018-1800 (IBM Sterling B2B Integrator Standard Edition 5.2.6.0 and 6.2.6.1 could ...) NOT-FOR-US: IBM CVE-2018-1799 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2018-1798 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2018-1797 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 using Enterpri ...) NOT-FOR-US: IBM CVE-2018-1796 (IBM Informix Dynamic Server Enterprise Edition 12.1 could allow a loca ...) NOT-FOR-US: IBM CVE-2018-1795 (IBM Robotic Process Automation with Automation Anywhere Enterprise 10 ...) NOT-FOR-US: IBM CVE-2018-1794 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 using OAuth ea ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2018-1793 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 using SAML ear ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2018-1792 (IBM WebSphere MQ 8.0.0.0 through 8.0.0.10, 9.0.0.0 through 9.0.0.5, 9. ...) NOT-FOR-US: IBM CVE-2018-1791 (IBM Connections 5.0, 5.5, and 6.0 is vulnerable to an External Service ...) NOT-FOR-US: IBM CVE-2018-1790 (IBM Financial Transaction Manager for Digital Payments for Multi-Platf ...) NOT-FOR-US: IBM CVE-2018-1789 (IBM API Connect v2018.1.0 through v2018.3.4 could allow an attacker to ...) NOT-FOR-US: IBM CVE-2018-1788 (IBM Spectrum Protect Server 7.1 and 8.1 could disclose highly sensitiv ...) NOT-FOR-US: IBM CVE-2018-1787 (IBM Spectrum Protect 7.1 and 8.1 is affected by a password exposure vu ...) NOT-FOR-US: IBM CVE-2018-1786 (IBM Spectrum Protect 7.1 and 8.1 dsmc and dsmcad processes incorrectly ...) NOT-FOR-US: IBM Spectrum Protect CVE-2018-1785 (IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) uses wea ...) NOT-FOR-US: IBM CVE-2018-1784 (IBM API Connect 5.0.0.0 and 5.0.8.4 is affected by a NoSQL Injection i ...) NOT-FOR-US: IBM CVE-2018-1783 (IBM GPFS (IBM Spectrum Scale 4.1.1.0, 4.1.1.20, 4.2.0.0, 4.2.3.10, 5.0 ...) NOT-FOR-US: IBM CVE-2018-1782 (IBM GPFS (IBM Spectrum Scale 5.0.1.0 and 5.0.1.1) allows a local, unpr ...) NOT-FOR-US: IBM CVE-2018-1781 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2018-1780 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2018-1779 (IBM API Connect 2018.1 through 2018.3.7 could allow an unauthenticated ...) NOT-FOR-US: IBM CVE-2018-1778 (IBM LoopBack (IBM API Connect 2018.1, 2018.4.1, 5.0.8.0, and 5.0.8.4) ...) NOT-FOR-US: IBM CVE-2018-1777 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable ...) NOT-FOR-US: IBM CVE-2018-1776 RESERVED CVE-2018-1775 (IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and I ...) NOT-FOR-US: IBM CVE-2018-1774 (IBM API Connect 5.0.0.0, 5.0.8.4, 2018.1 and 2018.3.6 is vulnerable to ...) NOT-FOR-US: IBM CVE-2018-1773 (IBM Datacap Fastdoc Capture 9.1.1, 9.1.3, and 9.1.4 could allow an aut ...) NOT-FOR-US: IBM CVE-2018-1772 (IBM SPSS Analytic Server 3.1.1.1 is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM CVE-2018-1771 (IBM Domino 9.0 and 9.0.1 could allow an attacker to execute commands o ...) NOT-FOR-US: IBM CVE-2018-1770 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a ...) NOT-FOR-US: IBM CVE-2018-1769 RESERVED CVE-2018-1768 (IBM Spectrum Protect Plus 10.1.0 and 10.1.1 could disclose sensitive i ...) NOT-FOR-US: IBM CVE-2018-1767 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Cachemonitor i ...) NOT-FOR-US: IBM CVE-2018-1766 (IBM Team Concert (RTC) 5.0 through 5.0.2 and 6.0 through 6.0.5 are vul ...) NOT-FOR-US: IBM CVE-2018-1765 RESERVED CVE-2018-1764 (IBM Rational Quality Manager 5.0 through 6.0.6 is vulnerable to cross- ...) NOT-FOR-US: IBM CVE-2018-1763 (IBM Rational Quality Manager 5.0 through 6.0.6 is vulnerable to cross- ...) NOT-FOR-US: IBM CVE-2018-1762 (IBM Rational Collaborative Lifecycle Management 5.0 through 5.0.2 and ...) NOT-FOR-US: IBM CVE-2018-1761 (IBM Rational Team Concert 5.0 through 6.0.6 is vulnerable to cross-sit ...) NOT-FOR-US: IBM CVE-2018-1760 (IBM Rational Collaborative Lifecycle Management 6.0 through 6.0.6.1 is ...) NOT-FOR-US: IBM CVE-2018-1759 (IBM Rational Quality Manager 5.0 through 6.0.6 is vulnerable to cross- ...) NOT-FOR-US: IBM CVE-2018-1758 (IBM Rational Collaborative Lifecycle Management 6.0 through 6.0.6.1 is ...) NOT-FOR-US: IBM CVE-2018-1757 (IBM Security Identity Governance and Intelligence 5.2.3.2 and 5.2.4 co ...) NOT-FOR-US: IBM CVE-2018-1756 (IBM Security Identity Governance and Intelligence 5.2.3.2 and 5.2.4 is ...) NOT-FOR-US: IBM CVE-2018-1755 (IBM WebSphere Application Server Liberty could allow a remote attacker ...) NOT-FOR-US: IBM CVE-2018-1754 RESERVED CVE-2018-1753 (IBM Tivoli Key Lifecycle Manager 2.6, 2.7, and 3.0 generates an error ...) NOT-FOR-US: IBM CVE-2018-1752 RESERVED CVE-2018-1751 (IBM Security Key Lifecycle Manager 3.0 through 3.0.0.2 uses weaker tha ...) NOT-FOR-US: IBM CVE-2018-1750 (IBM Security Key Lifecycle Manager 3.0 specifies permissions for a sec ...) NOT-FOR-US: IBM CVE-2018-1749 (IBM Tivoli Key Lifecycle Manager 2.6, 2.7, and 3.0 uses incomplete bla ...) NOT-FOR-US: IBM CVE-2018-1748 RESERVED CVE-2018-1747 (IBM Security Key Lifecycle Manager 2.5, 2.6, 2.7, and 3.0 is vulnerabl ...) NOT-FOR-US: IBM CVE-2018-1746 RESERVED CVE-2018-1745 (IBM Security Key Lifecycle Manager 2.7 and 3.0 could allow an unauthen ...) NOT-FOR-US: IBM CVE-2018-1744 (IBM Security Key Lifecycle Manager 2.5, 2.6, 2.7, and 3.0 could allow ...) NOT-FOR-US: IBM CVE-2018-1743 (IBM Tivoli Key Lifecycle Manager 2.6, 2.7, and 3.0 discloses sensitive ...) NOT-FOR-US: IBM CVE-2018-1742 (IBM Tivoli Key Lifecycle Manager 2.6, 2.7, and 3.0 contains hard-coded ...) NOT-FOR-US: IBM CVE-2018-1741 (IBM Tivoli Key Lifecycle Manager 2.6, 2.7, and 3.0 does not properly l ...) NOT-FOR-US: IBM CVE-2018-1740 (IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4 ...) NOT-FOR-US: IBM CVE-2018-1739 RESERVED CVE-2018-1738 (IBM Security Key Lifecycle Manager 2.6, 2.7, 3.0 could allow an authen ...) NOT-FOR-US: IBM CVE-2018-1737 RESERVED CVE-2018-1736 (IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 could allow a remote attac ...) NOT-FOR-US: IBM CVE-2018-1735 RESERVED CVE-2018-1734 (IBM Rational Collaborative Lifecycle Management 6.0 through 6.0.6.1 di ...) NOT-FOR-US: IBM CVE-2018-1733 (IBM QRadar SIEM 7.2 and 7.3 fails to adequately filter user-controlled ...) NOT-FOR-US: IBM CVE-2018-1732 (IBM QRadar Advisor with Watson 1.14.0 discloses sensitive information ...) NOT-FOR-US: IBM CVE-2018-1731 (IBM DOORS Next Generation (DNG/RRC) 5.0 through 5.0.3 and 6.0 through ...) NOT-FOR-US: IBM CVE-2018-1730 (IBM QRadar SIEM 7.2 and 7.3 is vulnerable to a XML External Entity Inj ...) NOT-FOR-US: IBM CVE-2018-1729 (IBM QRadar SIEM 7.3 discloses sensitive information to unauthorized us ...) NOT-FOR-US: IBM CVE-2018-1728 (IBM QRadar SIEM 7.2 and 7.3 is vulnerable to cross-site scripting. Thi ...) NOT-FOR-US: IBM CVE-2018-1727 (IBM InfoSphere Information Server 9.1, 11.3, 11.5, and 11.7 is vulnera ...) NOT-FOR-US: IBM CVE-2018-1726 RESERVED CVE-2018-1725 RESERVED CVE-2018-1724 (IBM Spectrum LSF 9.1.1 9.1.2, 9.1.3, and 10.1 could allow a local user ...) NOT-FOR-US: IBM CVE-2018-1723 (IBM Spectrum Scale 4.1.1.0, 4.1.1.20, 4.2.0.0, 4.2.3.10, 5.0.0 and 5.0 ...) NOT-FOR-US: IBM CVE-2018-1722 (IBM Security Access Manager Appliance 9.0.4.0 and 9.0.5.0 could allow ...) NOT-FOR-US: IBM CVE-2018-1721 (IBM Cognos Analytics 11.0 and 11.1 is vulnerable to a XML External Ent ...) NOT-FOR-US: IBM CVE-2018-1720 (IBM Sterling B2B Integrator Standard Edition 5.2.0.1, 5.2.6.3_6, 6.0.0 ...) NOT-FOR-US: IBM CVE-2018-1719 (IBM WebSphere Application Server 8.5 and 9.0 could provide weaker than ...) NOT-FOR-US: IBM CVE-2018-1718 (IBM Sterling B2B Integrator Standard Edition 5.2.0.1 - 5.2.6.3 is vuln ...) NOT-FOR-US: IBM CVE-2018-1717 RESERVED CVE-2018-1716 (IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-sit ...) NOT-FOR-US: IBM CVE-2018-1715 (IBM Maximo Asset Management 7.6 through 7.6.3 is vulnerable to cross-s ...) NOT-FOR-US: IBM CVE-2018-1714 RESERVED CVE-2018-1713 RESERVED CVE-2018-1712 (IBM API Connect's Developer Portal 5.0.0.0 through 5.0.8.3 is vulnerab ...) NOT-FOR-US: IBM CVE-2018-1711 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2018-1710 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 10.1 ...) NOT-FOR-US: IBM CVE-2018-1709 RESERVED CVE-2018-1708 (IBM Spectrum Symphony 7.1.2 and 7.2.0.2 could allow an authenticated u ...) NOT-FOR-US: IBM CVE-2018-1707 RESERVED CVE-2018-1706 (IBM Spectrum Symphony 7.2.0.2 is vulnerable to cross-site scripting. T ...) NOT-FOR-US: IBM CVE-2018-1705 (IBM Platform Symphony 7.1 Fix Pack 1 and 7.1.1 and IBM Spectrum Sympho ...) NOT-FOR-US: IBM Platform Symphony CVE-2018-1704 (IBM Platform Symphony 7.1 Fix Pack 1 and 7.1.1 and IBM Spectrum Sympho ...) NOT-FOR-US: IBM CVE-2018-1703 RESERVED CVE-2018-1702 (IBM Platform Symphony 7.1 Fix Pack 1 and 7.1.1 and IBM Spectrum Sympho ...) NOT-FOR-US: IBM CVE-2018-1701 (IBM InfoSphere Information Server 11.7 could allow an authenciated use ...) NOT-FOR-US: IBM CVE-2018-1700 RESERVED CVE-2018-1699 (IBM Maximo Asset Management 7.6 through 7.6.3 is vulnerable to SQL inj ...) NOT-FOR-US: IBM CVE-2018-1698 (IBM Maximo Asset Management 7.6 through 7.6.3 could allow an unauthent ...) NOT-FOR-US: IBM CVE-2018-1697 (IBM Maximo Asset Management 7.6 could allow an authenticated user to e ...) NOT-FOR-US: IBM CVE-2018-1696 RESERVED CVE-2018-1695 (IBM WebSphere Application Server 7.0, 8.0, and 8.5.5 installations usi ...) NOT-FOR-US: IBM CVE-2018-1694 (IBM Jazz applications (IBM Rational Collaborative Lifecycle Management ...) NOT-FOR-US: IBM CVE-2018-1693 RESERVED CVE-2018-1692 (IBM Rational Quality Manager (RQM) 5.0 through 5.02 and 6.0 through 6. ...) NOT-FOR-US: IBM CVE-2018-1691 (IBM Rational Quality Manager (RQM) 5.0 through 5.02 and 6.0 through 6. ...) NOT-FOR-US: IBM CVE-2018-1690 (IBM Rhapsody Model Manager 6.0.6 is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM Rhapsody Model Manager CVE-2018-1689 RESERVED CVE-2018-1688 (IBM Jazz Foundation (IBM Rational Collaborative Lifecycle Management 5 ...) NOT-FOR-US: IBM CVE-2018-1687 RESERVED CVE-2018-1686 (IBM Maximo Asset Management 7.6 through 7.6.3 is vulnerable to cross-s ...) NOT-FOR-US: IBM CVE-2018-1685 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2018-1684 (IBM WebSphere MQ 8.0 through 9.1 is vulnerable to a error with MQTT to ...) NOT-FOR-US: IBM CVE-2018-1683 (IBM WebSphere Application Server Liberty could allow a remote attacker ...) NOT-FOR-US: IBM CVE-2018-1682 (IBM Watson Studio Local 1.2.3 could disclose sensitive information ove ...) NOT-FOR-US: IBM CVE-2018-1681 RESERVED CVE-2018-1680 (IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 does ...) NOT-FOR-US: IBM CVE-2018-1679 (IBM Sterling B2B Integrator Standard Edition 5.2 through 5.2.6 could a ...) NOT-FOR-US: IBM CVE-2018-1678 RESERVED CVE-2018-1677 (IBM DataPower Gateways 7.1, 7.2, 7.5, 7.5.1, 7.5.2, 7.6, and 7.7 and I ...) NOT-FOR-US: IBM CVE-2018-1676 (IBM Planning Analytics 2.0.0 through 2.0.4 is vulnerable to cross-site ...) NOT-FOR-US: IBM Planning Analytics CVE-2018-1675 (IBM Tivoli Application Dependency Discovery Manager 7.2.2 and 7.3 coul ...) NOT-FOR-US: IBM CVE-2018-1674 (IBM Business Process Manager 8.5 through 8.6 and 18.0.0.0 through 18.0 ...) NOT-FOR-US: IBM CVE-2018-1673 (IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-sit ...) NOT-FOR-US: IBM CVE-2018-1672 (IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 may fail to set the correc ...) NOT-FOR-US: IBM CVE-2018-1671 (IBM Curam Social Program Management 7.0.3 is vulnerable to HTML inject ...) NOT-FOR-US: IBM CVE-2018-1670 (IBM Financial Transaction Manager for ACH Services for Multi-Platform ...) NOT-FOR-US: IBM CVE-2018-1669 (IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 ...) NOT-FOR-US: IBM CVE-2018-1668 (IBM DataPower Gateway 7.5.0.0 through 7.5.0.19, 7.5.1.0 through 7.5.1. ...) NOT-FOR-US: IBM CVE-2018-1667 (IBM DataPower Gateway 7.6.0.0 through 7.6.0.10, 7.5.2.0 through 7.5.2. ...) NOT-FOR-US: IBM CVE-2018-1666 (IBM DataPower Gateway 2018.4.1.0, 7.6.0.0 through 7.6.0.11, 7.5.2.0 th ...) NOT-FOR-US: IBM CVE-2018-1665 (IBM DataPower Gateway 7.6.0.0 through 7.6.0.10, 7.5.2.0 through 7.5.2. ...) NOT-FOR-US: IBM CVE-2018-1664 (IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 ...) NOT-FOR-US: IBM CVE-2018-1663 (IBM DataPower Gateways 7.5, 7.5.1, 7.5.2, 7.6, and 2018.4 could allow ...) NOT-FOR-US: IBM CVE-2018-1662 RESERVED CVE-2018-1661 (IBM DataPower Gateways 7.5, 7.5.1, 7.5.2, and 7.6 is vulnerable to cro ...) NOT-FOR-US: IBM CVE-2018-1660 (IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-sit ...) NOT-FOR-US: IBM CVE-2018-1659 (IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 th ...) NOT-FOR-US: IBM CVE-2018-1658 (IBM Jazz Foundation (IBM Rational Collaborative Lifecycle Management 5 ...) NOT-FOR-US: IBM CVE-2018-1657 (IBM Publishing Engine 2.1.2, 6.0.5, and 6.0.6 is vulnerable to cross-s ...) NOT-FOR-US: IBM CVE-2018-1656 (The IBM Java Runtime Environment's Diagnostic Tooling Framework for Ja ...) NOT-FOR-US: IBM JDK CVE-2018-1655 (IBM AIX 5.3, 6.1, 7.1, and 7.2 contains a vulnerability in the rmsock ...) NOT-FOR-US: IBM AIX CVE-2018-1654 (IBM Curam Social Program Management 6.0.5, 6.1.1, 6.2.0, 7.0.1, and 7. ...) NOT-FOR-US: IBM CVE-2018-1653 (IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4 ...) NOT-FOR-US: IBM CVE-2018-1652 (IBM DataPower Gateway 7.1.0.0 through 7.1.0.19, 7.2.0.0 through 7.2.0. ...) NOT-FOR-US: IBM CVE-2018-1651 RESERVED CVE-2018-1650 (IBM QRadar SIEM 7.2 and 7.3 uses hard-coded credentials which could al ...) NOT-FOR-US: IBM CVE-2018-1649 (IBM QRadar Incident Forensics 7.2 and 7.3 could allow a remote attacke ...) NOT-FOR-US: IBM CVE-2018-1648 (IBM QRadar SIEM 7.2 and 7.3 uses weaker than expected cryptographic al ...) NOT-FOR-US: IBM CVE-2018-1647 (IBM QRadar Incident Forensics 7.2 and 7.3 does not properly restrict t ...) NOT-FOR-US: IBM CVE-2018-1646 RESERVED CVE-2018-1645 RESERVED CVE-2018-1644 (IBM WebSphere Commerce Enterprise, Professional, Express, and Develope ...) NOT-FOR-US: IBM CVE-2018-1643 (The Installation Verification Tool of IBM WebSphere Application Server ...) NOT-FOR-US: IBM CVE-2018-1642 RESERVED CVE-2018-1641 RESERVED CVE-2018-1640 (IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 could ...) NOT-FOR-US: IBM CVE-2018-1639 (The Report Builder of Jazz Reporting Service 5.0 through 5.0.2 and 6.0 ...) NOT-FOR-US: IBM CVE-2018-1638 (IBM API Connect 5.0.0.0-5.0.8.3 Developer Portal does not enforce Two ...) NOT-FOR-US: IBM CVE-2018-1637 RESERVED CVE-2018-1636 (Stack-based buffer overflow in oninit in IBM Informix Dynamic Server E ...) NOT-FOR-US: IBM CVE-2018-1635 (Stack-based buffer overflow in oninit in IBM Informix Dynamic Server E ...) NOT-FOR-US: IBM CVE-2018-1634 (IBM Informix Dynamic Server Enterprise Edition 12.1 could allow a loca ...) NOT-FOR-US: IBM CVE-2018-1633 (IBM Informix Dynamic Server Enterprise Edition 12.1 could allow a loca ...) NOT-FOR-US: IBM CVE-2018-1632 (IBM Informix Dynamic Server Enterprise Edition 12.1 could allow a loca ...) NOT-FOR-US: IBM CVE-2018-1631 (IBM Informix Dynamic Server Enterprise Edition 12.1 could allow a loca ...) NOT-FOR-US: IBM CVE-2018-1630 (IBM Informix Dynamic Server Enterprise Edition 12.1 could allow a loca ...) NOT-FOR-US: IBM CVE-2018-1629 RESERVED CVE-2018-1628 RESERVED CVE-2018-1627 RESERVED CVE-2018-1626 (IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 does ...) NOT-FOR-US: IBM CVE-2018-1625 (IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 gener ...) NOT-FOR-US: IBM CVE-2018-1624 RESERVED CVE-2018-1623 (IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 allow ...) NOT-FOR-US: IBM CVE-2018-1622 (IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 is vu ...) NOT-FOR-US: IBM CVE-2018-1621 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2018-1620 RESERVED CVE-2018-1619 RESERVED CVE-2018-1618 (IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 could ...) NOT-FOR-US: IBM CVE-2018-1617 RESERVED CVE-2018-1616 RESERVED CVE-2018-1615 RESERVED CVE-2018-1614 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 using malforme ...) NOT-FOR-US: IBM CVE-2018-1613 RESERVED CVE-2018-1612 (IBM QRadar Incident Forensics (IBM QRadar SIEM 7.2, and 7.3) could all ...) NOT-FOR-US: IBM CVE-2018-1611 RESERVED CVE-2018-1610 (IBM Rational DOORS Next Generation 5.0 through 5.0.2 and 6.0 through 6 ...) NOT-FOR-US: IBM CVE-2018-1609 RESERVED CVE-2018-1608 (IBM Rational Engineering Lifecycle Manager 6.0 through 6.0.6 uses weak ...) NOT-FOR-US: IBM CVE-2018-1607 (IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 th ...) NOT-FOR-US: IBM CVE-2018-1606 (IBM Jazz based applications (IBM Rational Collaborative Lifecycle Mana ...) NOT-FOR-US: IBM CVE-2018-1605 (IBM Rational Quality Manager (RQM) 5.0 through 5.02 and 6.0 through 6. ...) NOT-FOR-US: IBM CVE-2018-1604 (IBM Rational Quality Manager (RQM) 5.0 through 5.02 and 6.0 through 6. ...) NOT-FOR-US: IBM CVE-2018-1603 (IBM Rational Quality Manager (RQM) 5.0 through 5.02 and 6.0 through 6. ...) NOT-FOR-US: IBM CVE-2018-1602 (IBM Rational Quality Manager (RQM) 5.0 through 5.02 and 6.0 through 6. ...) NOT-FOR-US: IBM CVE-2018-1601 (IBM Rational Quality Manager (RQM) 5.0 through 5.02 and 6.0 through 6. ...) NOT-FOR-US: IBM CVE-2018-1600 (IBM BigFix Platform 9.2 and 9.5 transmits sensitive or security-critic ...) NOT-FOR-US: IBM CVE-2018-1599 (IBM API Connect 5.0.0.0 through 5.0.8.3 could allow a remote attacker ...) NOT-FOR-US: IBM CVE-2018-1598 RESERVED CVE-2018-1597 RESERVED CVE-2018-1596 RESERVED CVE-2018-1595 (IBM Spectrum Symphony and Platform Symphony 7.1.2 and 7.2.0.2 could al ...) NOT-FOR-US: IBM CVE-2018-1594 RESERVED CVE-2018-1593 (IBM Multi-Cloud Data Encryption (MDE) 2.1 could allow an unauthorized ...) NOT-FOR-US: IBM CVE-2018-1592 RESERVED CVE-2018-1591 RESERVED CVE-2018-1590 RESERVED CVE-2018-1589 RESERVED CVE-2018-1588 (IBM Jazz Foundation (IBM Rational Engineering Lifecycle Manager 5.0 th ...) NOT-FOR-US: IBM CVE-2018-1587 (IBM Rational Rhapsody Design Manager 5.0 through 5.0.2 and 6.0 through ...) NOT-FOR-US: IBM Rational Rhapsody Design Manager CVE-2018-1586 RESERVED CVE-2018-1585 (IBM Rational Rhapsody Design Manager 5.0 through 5.0.2 and 6.0 through ...) NOT-FOR-US: IBM Rational Rhapsody Design Manager CVE-2018-1584 (IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. ...) NOT-FOR-US: IBM CVE-2018-1583 (IBM StoredIQ 7.6 could allow an authenticated attacker to bypass certa ...) NOT-FOR-US: IBM CVE-2018-1582 RESERVED CVE-2018-1581 RESERVED CVE-2018-1580 RESERVED CVE-2018-1579 RESERVED CVE-2018-1578 RESERVED CVE-2018-1577 RESERVED CVE-2018-1576 RESERVED CVE-2018-1575 RESERVED CVE-2018-1574 RESERVED CVE-2018-1573 RESERVED CVE-2018-1572 RESERVED CVE-2018-1571 (IBM QRadar 7.2 and 7.3 could allow a remote authenticated attacker to ...) NOT-FOR-US: IBM CVE-2018-1570 RESERVED CVE-2018-1569 RESERVED CVE-2018-1568 (IBM QRadar SIEM 7.2 and 7.3 allows web pages to be stored locally whic ...) NOT-FOR-US: IBM CVE-2018-1567 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow re ...) NOT-FOR-US: IBM CVE-2018-1566 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2018-1565 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2018-1564 (IBM Sterling B2B Integrator Standard Edition 5.2 through 5.2.6 could a ...) NOT-FOR-US: IBM CVE-2018-1563 (IBM Sterling B2B Integrator Standard Edition (IBM Sterling File Gatewa ...) NOT-FOR-US: IBM CVE-2018-1562 RESERVED CVE-2018-1561 RESERVED CVE-2018-1560 (IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 th ...) NOT-FOR-US: IBM CVE-2018-1559 RESERVED CVE-2018-1558 (IBM Rational Collaborative Lifecycle Management 5.0 through 5.02 and 6 ...) NOT-FOR-US: IBM CVE-2018-1557 (IBM Rational Quality Manager (RQM) 5.0 through 5.02 and 6.0 through 6. ...) NOT-FOR-US: IBM CVE-2018-1556 (IBM FileNet Content Manager 5.2.1 and 5.5.0 is vulnerable to cross-sit ...) NOT-FOR-US: IBM FileNet Content Manager CVE-2018-1555 (IBM FileNet Content Manager 5.2.1 and 5.5.0 is vulnerable to cross-sit ...) NOT-FOR-US: IBM FileNet Content Manager CVE-2018-1554 (IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. ...) NOT-FOR-US: IBM CVE-2018-1553 (IBM WebSphere Application Server Liberty prior to 18.0.0.2 could allow ...) NOT-FOR-US: IBM CVE-2018-1552 (IBM Robotic Process Automation with Automation Anywhere 10.0 and 11.0 ...) NOT-FOR-US: IBM CVE-2018-1551 (IBM WebSphere MQ 8.0.0.2 through 8.0.0.8 and 9.0.0.0 through 9.0.0.3 c ...) NOT-FOR-US: IBM CVE-2018-1550 (IBM Spectrum Protect 7.1 and 8.1 could allow a local user to corrupt o ...) NOT-FOR-US: IBM CVE-2018-1549 (IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 a ...) NOT-FOR-US: IBM CVE-2018-1548 (IBM API Connect 2018.1.0.0, 2018.2.1, 2018.2.2, 2018.2.3, and 2018.2.4 ...) NOT-FOR-US: IBM CVE-2018-1547 (IBM Robotic Process Automation with Automation Anywhere 10.0 could all ...) NOT-FOR-US: IBM CVE-2018-1546 (IBM API Connect 5.0.0.0 through 5.0.8.3 could allow a remote attacker ...) NOT-FOR-US: IBM API Connect CVE-2018-1545 (IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) uses wea ...) NOT-FOR-US: IBM CVE-2018-1544 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2018-1543 (IBM WebSphere MQ 8.0 and 9.0 could allow a remote attacker to obtain s ...) NOT-FOR-US: IBM CVE-2018-1542 (IBM FileNet Content Manager, IBM Content Foundation, and IBM Case Foun ...) NOT-FOR-US: IBM CVE-2018-1541 (IBM WebSphere Commerce Enterprise V7, V8, and V9 is vulnerable to cros ...) NOT-FOR-US: IBM CVE-2018-1540 RESERVED CVE-2018-1539 (IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 th ...) NOT-FOR-US: IBM CVE-2018-1538 RESERVED CVE-2018-1537 RESERVED CVE-2018-1536 (IBM Rational Rhapsody Design Manager 5.0 through 5.0.2 and 6.0 through ...) NOT-FOR-US: IBM Rational Rhapsody Design Manager CVE-2018-1535 (IBM Rational Rhapsody Design Manager 5.0 through 5.0.2 and 6.0 through ...) NOT-FOR-US: IBM Rational Rhapsody Design Manager CVE-2018-1534 (IBM Rational Publishing Engine 6.0.5 and 6.0.6 is vulnerable to cross- ...) NOT-FOR-US: IBM CVE-2018-1533 (IBM Rational Publishing Engine 6.0.5 and 6.0.6 is vulnerable to cross- ...) NOT-FOR-US: IBM CVE-2018-1532 (IBM API Connect 5.0.0.0 through 5.0.8.2 does not properly update the S ...) NOT-FOR-US: IBM API Connect CVE-2018-1531 RESERVED CVE-2018-1530 RESERVED CVE-2018-1529 (IBM Rational DOORS Next Generation 5.0 through 5.0.2, 6.0 through 6.0. ...) NOT-FOR-US: IBM Rational DOORS Next Generation CVE-2018-1528 (IBM Maximo Asset Management 7.6 through 7.6.3 could allow an authentic ...) NOT-FOR-US: IBM CVE-2018-1527 RESERVED CVE-2018-1526 RESERVED CVE-2018-1525 (IBM i2 Enterprise Insight Analysis 2.1.7 could allow a remote attacker ...) NOT-FOR-US: IBM CVE-2018-1524 (IBM Maximo Asset Management 7.6 through 7.6.3 installs with a default ...) NOT-FOR-US: IBM CVE-2018-1523 (IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 a ...) NOT-FOR-US: IBM CVE-2018-1522 (IBM Rational Quality Manager (RQM) 5.0 through 5.02 and 6.0 through 6. ...) NOT-FOR-US: IBM CVE-2018-1521 (IBM Rational Team Concert 5.0 through 5.0.2 and 6.0 through 6.0.5 are ...) NOT-FOR-US: IBM CVE-2018-1520 RESERVED CVE-2018-1519 RESERVED CVE-2018-1518 (IBM InfoSphere Information Server 11.7 is affected by a weak password ...) NOT-FOR-US: IBM CVE-2018-1517 (A flaw in the java.math component in IBM SDK, Java Technology Edition ...) NOT-FOR-US: IBM JDK CVE-2018-1516 RESERVED CVE-2018-1515 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 10.5 ...) NOT-FOR-US: IBM CVE-2018-1514 (IBM Robotic Process Automation with Automation Anywhere 10.0 is vulner ...) NOT-FOR-US: IBM CVE-2018-1513 (IBM Sterling B2B Integrator Standard Edition 5.2.0 through 5.2.6 is vu ...) NOT-FOR-US: IBM CVE-2018-1512 RESERVED CVE-2018-1511 RESERVED CVE-2018-1510 RESERVED CVE-2018-1509 (IBM Security Guardium EcoSystem 10.5 does not validate, or incorrectly ...) NOT-FOR-US: IBM CVE-2018-1508 RESERVED CVE-2018-1507 (IBM DOORS Next Generation (DNG/RRC) 6.0.5 is vulnerable to cross-site ...) NOT-FOR-US: IBM CVE-2018-1506 RESERVED CVE-2018-1505 (IBM i2 Enterprise Insight Analysis 2.1.7 allows web pages to be stored ...) NOT-FOR-US: IBM CVE-2018-1504 (IBM i2 Enterprise Insight Analysis 2.1.7 could allow a remote attacker ...) NOT-FOR-US: IBM CVE-2018-1503 (IBM WebSphere MQ 7.5, 8.0, and 9.0 could allow a remotely authenticate ...) NOT-FOR-US: IBM CVE-2018-1502 (IBM Content Manager Enterprise Edition Resource Manager 8.4.3 and 9.5 ...) NOT-FOR-US: IBM CVE-2018-1501 RESERVED CVE-2018-1500 RESERVED CVE-2018-1499 RESERVED CVE-2018-1498 (IBM Security Guardium EcoSystem 10.5 stores user credentials in plain ...) NOT-FOR-US: IBM CVE-2018-1497 RESERVED CVE-2018-1496 (IBM Content Navigator 2.0.3, 3.0.0, 3.0.1, 3.0.2, and 3.0.3 is vulnera ...) NOT-FOR-US: IBM Content Navigator CVE-2018-1495 (IBM FlashSystem V840 and V900 products could allow an authenticated at ...) NOT-FOR-US: IBM CVE-2018-1494 (IBM DOORS Next Generation (DNG/RRC) 5.0 through 5.0.2 and 6.0 through ...) NOT-FOR-US: IBM CVE-2018-1493 RESERVED CVE-2018-1492 (IBM Jazz Foundation products could allow a user with physical access t ...) NOT-FOR-US: IBM CVE-2018-1491 RESERVED CVE-2018-1490 RESERVED CVE-2018-1489 RESERVED CVE-2018-1488 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 10.5 ...) NOT-FOR-US: IBM CVE-2018-1487 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2018-1486 RESERVED CVE-2018-1485 (IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 does no ...) NOT-FOR-US: IBM CVE-2018-1484 (IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 does no ...) NOT-FOR-US: IBM CVE-2018-1483 (IBM WebSphere Portal 8.5 and 9.0 is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM WebSphere Portal CVE-2018-1482 RESERVED CVE-2018-1481 (IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 stores ...) NOT-FOR-US: IBM CVE-2018-1480 (IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 does no ...) NOT-FOR-US: IBM CVE-2018-1479 (IBM BigFix Platform 9.2 and 9.5 is vulnerable to cross-site request fo ...) NOT-FOR-US: IBM CVE-2018-1478 (IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 could a ...) NOT-FOR-US: IBM CVE-2018-1477 RESERVED CVE-2018-1476 (IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 disclos ...) NOT-FOR-US: IBM CVE-2018-1475 (IBM BigFix Platform 9.2 and 9.5 uses an inadequate account lockout set ...) NOT-FOR-US: IBM CVE-2018-1474 (IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 is vuln ...) NOT-FOR-US: IBM CVE-2018-1473 (IBM BigFix Platform 9.2 and 9.5 is vulnerable to cross-site scripting. ...) NOT-FOR-US: IBM CVE-2018-1472 RESERVED CVE-2018-1471 REJECTED CVE-2018-1470 (IBM Sterling File Gateway 2.2.0 through 2.2.6 could allow a remote aut ...) NOT-FOR-US: IBM CVE-2018-1469 (IBM API Connect Developer Portal 5.0.0.0 through 5.0.8.2 could allow a ...) NOT-FOR-US: IBM API Connect Developer Portal CVE-2018-1468 (IBM API Connect 5.0.8.1 and 5.0.8.2 could allow a user to get access t ...) NOT-FOR-US: IBM API Connect CVE-2018-1467 (The IBM Storwize V7000 Unified management Web interface 1.6 exposes in ...) NOT-FOR-US: IBM CVE-2018-1466 (IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and I ...) NOT-FOR-US: IBM CVE-2018-1465 (IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and I ...) NOT-FOR-US: IBM CVE-2018-1464 (IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and I ...) NOT-FOR-US: IBM CVE-2018-1463 (IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and I ...) NOT-FOR-US: IBM CVE-2018-1462 (IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and I ...) NOT-FOR-US: IBM CVE-2018-1461 (IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and I ...) NOT-FOR-US: IBM CVE-2018-1460 (IBM Netezza Platform Software (IBM PureData System for Analytics 1.0.0 ...) NOT-FOR-US: IBM CVE-2018-1459 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2018-1458 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2018-1457 (An undisclosed vulnerability in IBM Rational DOORS 9.5.1 through 9.6.1 ...) NOT-FOR-US: IBM CVE-2018-1456 (IBM Rhapsody DM 5.0 through 5.0.2 and 6.0 through 6.0.5 is vulnerable ...) NOT-FOR-US: IBM CVE-2018-1455 (IBM Tivoli Application Dependency Discovery Manager 7.2.2 and 7.3 is v ...) NOT-FOR-US: IBM CVE-2018-1454 (IBM InfoSphere Information Server 11.3, 11.5, and 11.7 could allow a r ...) NOT-FOR-US: IBM InfoSphere Information Server CVE-2018-1453 (IBM Security Identity Manager Virtual Appliance 7.0 allows an authenti ...) NOT-FOR-US: IBM CVE-2018-1452 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2018-1451 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2018-1450 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2018-1449 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2018-1448 (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1 (include ...) NOT-FOR-US: IBM CVE-2018-1447 (The GSKit (IBM Spectrum Protect 7.1 and 7.2) and (IBM Spectrum Protect ...) NOT-FOR-US: IBM Spectrum Protect CVE-2018-1446 RESERVED CVE-2018-1445 (IBM WebSphere Portal 8.0.0 through 8.0.0.1, 8.5, and 9.0 is vulnerable ...) NOT-FOR-US: IBM WebSphere Portal CVE-2018-1444 (IBM WebSphere Portal 8.5 and 9.0 is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM CVE-2018-1443 (An XML parsing vulnerability affects IBM SAML-based single sign-on (SS ...) NOT-FOR-US: IBM CVE-2018-1442 (IBM Application Performance Management - Response Time Monitoring Agen ...) NOT-FOR-US: IBM CVE-2018-1441 (IBM Application Performance Management - Response Time Monitoring Agen ...) NOT-FOR-US: IBM CVE-2018-1440 (IBM Rational Quality Manager (RQM) 5.0 through 5.02 and 6.0 through 6. ...) NOT-FOR-US: IBM CVE-2018-1439 (IBM Rational Quality Manager (RQM) 5.0 through 5.02 and 6.0 through 6. ...) NOT-FOR-US: IBM CVE-2018-1438 (IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and I ...) NOT-FOR-US: IBM CVE-2018-1437 (IBM Notes 8.5 and 9.0 could allow an attacker to execute arbitrary cod ...) NOT-FOR-US: IBM CVE-2018-1436 RESERVED CVE-2018-1435 (IBM Notes 8.5 and 9.0 is vulnerable to a DLL hijacking attack. A remot ...) NOT-FOR-US: IBM CVE-2018-1434 (IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and I ...) NOT-FOR-US: IBM CVE-2018-1433 (IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and I ...) NOT-FOR-US: IBM CVE-2018-1432 (IBM InfoSphere Information Server 9.1, 11.3, 11.5, and 11.7 is vulnera ...) NOT-FOR-US: IBM InfoSphere Information Server CVE-2018-1431 (A vulnerability in GSKit affects IBM Spectrum Scale 4.1.1, 4.2.0, 4.2. ...) NOT-FOR-US: IBM CVE-2018-1430 (IBM API Connect 5.0.0.0 through 5.0.8.2 is vulnerable to cross-site sc ...) NOT-FOR-US: IBM API Connect CVE-2018-1429 (IBM MQ Appliance 9.0.1, 9.0.2, 9.0.3, amd 9.0.4 is vulnerable to cross ...) NOT-FOR-US: IBM CVE-2018-1428 (IBM GSKit (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11 ...) NOT-FOR-US: IBM CVE-2018-1427 (IBM GSKit (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11 ...) NOT-FOR-US: IBM CVE-2018-1426 (IBM GSKit (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11 ...) NOT-FOR-US: IBM CVE-2018-1425 (IBM Security Guardium Big Data Intelligence (SonarG) 3.1 uses weaker t ...) NOT-FOR-US: IBM Security Guardium Big Data Intelligence CVE-2018-1424 (IBM Marketing Platform 9.1.0, 9.1.2, and 10.1 is vulnerable to a XML E ...) NOT-FOR-US: IBM CVE-2018-1423 (IBM Jazz Foundation products could disclose sensitive information to a ...) NOT-FOR-US: IBM CVE-2018-1422 (IBM Jazz Foundation products (IBM Rational DOORS Next Generation 5.0 t ...) NOT-FOR-US: IBM CVE-2018-1421 (IBM WebSphere DataPower Appliances 7.1, 7.2, 7.5, 7.5.1, 7.5.2, and 7. ...) NOT-FOR-US: IBM WebSphere DataPower Appliances CVE-2018-1420 (IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 resets access control sett ...) NOT-FOR-US: IBM CVE-2018-1419 (IBM WebSphere MQ 8.0 and 9.0, when configured to use a PAM module for ...) NOT-FOR-US: IBM CVE-2018-1418 (IBM Security QRadar SIEM 7.2 and 7.3 could allow a user to bypass auth ...) NOT-FOR-US: IBM CVE-2018-1417 (Under certain circumstances, a flaw in the J9 JVM (IBM SDK, Java Techn ...) NOT-FOR-US: IBM Runtimes for Java Technology CVE-2018-1416 (IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-sit ...) NOT-FOR-US: IBM WebSphere Portal CVE-2018-1415 (IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2018-1414 (IBM Maximo Asset Management 7.5 and 7.6 is vulnerable to SQL injection ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2018-1413 (IBM Cognos Analytics 11.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM Cognos Analytics CVE-2018-1412 RESERVED CVE-2018-1411 (IBM Notes Diagnostics (IBM Client Application Access and IBM Notes) co ...) NOT-FOR-US: IBM Notes Diagnostics CVE-2018-1410 (IBM Notes Diagnostics (IBM Client Application Access and IBM Notes) co ...) NOT-FOR-US: IBM Notes Diagnostics CVE-2018-1409 (IBM Notes Diagnostics (IBM Client Application Access and IBM Notes) co ...) NOT-FOR-US: IBM Notes Diagnostics CVE-2018-1408 (IBM Rational Team Concert 5.0 through 5.0.2 and 6.0 through 6.0.5 are ...) NOT-FOR-US: IBM CVE-2018-1407 (IBM Rational Team Concert 5.0 through 5.0.2 and 6.0 through 6.0.5 are ...) NOT-FOR-US: IBM CVE-2018-1406 RESERVED CVE-2018-1405 (IBM Rational Quality Manager (RQM) 5.0 through 5.02 and 6.0 through 6. ...) NOT-FOR-US: IBM CVE-2018-1404 (IBM Rational Quality Manager (RQM) 5.0 through 5.02 and 6.0 through 6. ...) NOT-FOR-US: IBM CVE-2018-1403 (IBM Rational Quality Manager (RQM) 5.0 through 5.02 and 6.0 through 6. ...) NOT-FOR-US: IBM CVE-2018-1402 RESERVED CVE-2018-1401 (IBM WebSphere Portal 8.0, 8.5, and 9.0 is vulnerable to cross-site scr ...) NOT-FOR-US: IBM WebSphere Portal CVE-2018-1400 RESERVED CVE-2018-1399 (IBM Daeja ViewONE Professional, Standard & Virtual 4.1.5 and 5.0 i ...) NOT-FOR-US: IBM Daeja ViewONE Professional CVE-2018-1398 (IBM Sterling File Gateway 2.2.0 through 2.2.6 could allow a remote att ...) NOT-FOR-US: IBM CVE-2018-1397 RESERVED CVE-2018-1396 (IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 a ...) NOT-FOR-US: IBM CVE-2018-1395 (IBM Rational Quality Manager (RQM) 5.0 through 5.02 and 6.0 through 6. ...) NOT-FOR-US: IBM CVE-2018-1394 (Multiple IBM Rational products are vulnerable to cross-site scripting. ...) NOT-FOR-US: IBM CVE-2018-1393 (IBM Financial Transaction Manager for ACH Services for Multi-Platform ...) NOT-FOR-US: IBM CVE-2018-1392 (IBM Financial Transaction Manager 3.0.4 and 3.1.0 for ACH Services for ...) NOT-FOR-US: IBM Financial Transaction Manager CVE-2018-1391 (IBM Financial Transaction Manager 3.0.4 and 3.1.0 for ACH Services for ...) NOT-FOR-US: IBM Financial Transaction Manager CVE-2018-1390 (IBM Financial Transaction Manager for Check Services for Multi-Platfor ...) NOT-FOR-US: IBM CVE-2018-1389 (IBM API Connect 5.0.0.0 through 5.0.8.2 is impacted by generated LoopB ...) NOT-FOR-US: IBM API Connect CVE-2018-1388 (GSKit V7 may disclose side channel information via discrepancies betwe ...) NOT-FOR-US: IBM WebSphere MQ CVE-2018-1387 (IBM Application Performance Management for Monitoring & Diagnostic ...) NOT-FOR-US: IBM CVE-2018-1386 (IBM Tivoli Workload Automation for AIX (IBM Workload Scheduler 8.6, 9. ...) NOT-FOR-US: IBM CVE-2018-1385 RESERVED CVE-2018-1384 (IBM Business Process Manager 8.6 is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM CVE-2018-1383 (A software logic bug creates a vulnerability in an AIX 6.1, 7.1, and 7 ...) NOT-FOR-US: AIX CVE-2018-1382 (IBM API Connect 5.0.0.0 is vulnerable to cross-site scripting. This vu ...) NOT-FOR-US: IBM API Connect CVE-2018-1381 RESERVED CVE-2018-1380 (IBM InfoSphere Master Data Management Collaboration Server 11.4, 11.5, ...) NOT-FOR-US: IBM CVE-2018-1379 RESERVED CVE-2018-1378 RESERVED CVE-2018-1377 (IBM Security Guardium Big Data Intelligence (SonarG) 3.1 stores user c ...) NOT-FOR-US: IBM Security Guardium Big Data Intelligence CVE-2018-1376 (IBM Security Guardium Big Data Intelligence (SonarG) 3.1 is vulnerable ...) NOT-FOR-US: IBM CVE-2018-1375 (IBM Security Guardium Big Data Intelligence (SonarG) 3.1 does not rene ...) NOT-FOR-US: IBM CVE-2018-1374 (An IBM WebSphere MQ (Maintenance levels 7.1.0.0 - 7.1.0.9, 7.5.0.0 - 7 ...) NOT-FOR-US: IBM CVE-2018-1373 (IBM Security Guardium Big Data Intelligence (SonarG) 3.1 uses an inade ...) NOT-FOR-US: IBM Security Guardium Big Data Intelligence CVE-2018-1372 (IBM Security Guardium Big Data Intelligence (SonarG) 3.1 does not requ ...) NOT-FOR-US: IBM Security Guardium Big Data Intelligence CVE-2018-1371 (An IBM WebSphere MQ 8.0.0.8, 9.0.0.2, and 9.0.4 Client connecting to a ...) NOT-FOR-US: IBM WebSphere MQ CVE-2018-1370 (IBM Security Guardium Big Data Intelligence (SonarG) 3.1 specifies per ...) NOT-FOR-US: IBM CVE-2018-1369 (IBM Security Guardium Big Data Intelligence (SonarG) 3.1 stores sensit ...) NOT-FOR-US: IBM CVE-2018-1368 (IBM Security Guardium Database Activity Monitor 9.0, 9.1, and 9.5 coul ...) NOT-FOR-US: IBM Security Guardium Database Activity Monitor CVE-2018-1367 RESERVED CVE-2018-1366 (IBM Content Navigator 2.0 and 3.0 is vulnerable to Comma Separated Val ...) NOT-FOR-US: IBM Content Navigator CVE-2018-1365 RESERVED CVE-2018-1364 (IBM Content Navigator 2.0 and 3.0 is vulnerable to a XML External Enti ...) NOT-FOR-US: IBM Content Navigator CVE-2018-1363 (IBM Jazz Reporting Service (JRS) 5.0 through 5.0.2 and 6.0 through 6.0 ...) NOT-FOR-US: IBM Jazz Reporting Service CVE-2018-1362 (IBM Curam Social Program Management 6.0.5, 6.1.1, 6.2.0, and 7.0.1 wit ...) NOT-FOR-US: IBM Curam Social Program Management CVE-2018-1361 (IBM WebSphere Portal 8.5 and 9.0 is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM WebSphere Portal CVE-2017-17684 (Panda Global Protection 17.0.1 allows a system crash via a 0xb3702c04 ...) NOT-FOR-US: Panda Global Protection CVE-2017-17683 (Panda Global Protection 17.0.1 allows a system crash via a 0xb3702c44 ...) NOT-FOR-US: Panda Global Protection CVE-2017-17682 (In ImageMagick 7.0.7-12 Q16, a large loop vulnerability was found in t ...) {DLA-1785-1 DLA-1227-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #885942) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/870 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/da649f031e36753c69268c5c027e695b8ae45e9a NOTE: https://github.com/ImageMagick/ImageMagick/commit/06c8dd4de59e48d282d4f224faa64ab9012a711a CVE-2017-17681 (In ImageMagick 7.0.7-12 Q16, an infinite loop vulnerability was found ...) - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #885941) [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (Minor issue) [wheezy] - imagemagick (vulnerable code not present, unreproducible) NOTE: https://github.com/ImageMagick/ImageMagick/issues/869 NOTE: https://github.com/ImageMagick/ImageMagick/commit/f6ca1441a5260165dabc627d26f60c32af1d5678 NOTE: different fix: https://github.com/ImageMagick/ImageMagick/commit/73d59a74e0b0a864c1a9581b8a4bdbee427125e2 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/edf1b9408492b97cd08111a0a9cb123f6391dc5b NOTE: different fix for IM-6: https://github.com/ImageMagick/ImageMagick/commit/cae42160e5ab6de4b2a9433267e143ce295ae957 NOTE: The fix involves all done changes on the relevant part of coders/psd.c between NOTE: (and including) edf1b9408492b97cd08111a0a9cb123f6391dc5b and cae42160e5ab6de4b2a9433267e143ce295ae957 . CVE-2017-17680 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/873 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/69601843684dd038a8397e1a12dd15777d2513bf NOTE: https://github.com/ImageMagick/ImageMagick/commit/7b97357e7f8d6ae848a4c699fe17db6fcf4bd7a9 CVE-2017-17679 RESERVED CVE-2017-17678 RESERVED CVE-2017-17677 RESERVED CVE-2017-17676 RESERVED CVE-2017-17675 RESERVED CVE-2017-17674 RESERVED CVE-2017-17673 RESERVED CVE-2017-17672 (In vBulletin through 5.3.x, there is an unauthenticated deserializatio ...) NOT-FOR-US: vBulletin CVE-2017-17671 (vBulletin through 5.3.x on Windows allows remote PHP code execution be ...) NOT-FOR-US: vBulletin CVE-2017-17670 (In VideoLAN VLC media player through 2.2.8, there is a type conversion ...) {DSA-4203-1} - vlc 3.0.0~rc2-1 [jessie] - vlc (See DSA-4203-1) [wheezy] - vlc (Not supported in wheezy LTS) NOTE: http://www.openwall.com/lists/oss-security/2017/12/15/1 NOTE: POC: https://gist.github.com/dyntopia/194d912287656f66dd502158b0cd2e68 CVE-2017-17669 (There is a heap-based buffer over-read in the Exiv2::Internal::PngChun ...) - exiv2 0.27.2-6 (bug #886006) [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) [jessie] - exiv2 (Minor issue) [wheezy] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/issues/187 CVE-2017-17668 (Memory write mechanism in NCR S1 Dispenser controller before firmware ...) NOT-FOR-US: NCR S1 Dispenser controller CVE-2017-17667 RESERVED CVE-2017-17666 RESERVED CVE-2017-17665 (In Octopus Deploy before 4.1.3, the machine update process doesn't che ...) NOT-FOR-US: Octopus Deploy CVE-2017-17664 (A Remote Crash issue was discovered in Asterisk Open Source 13.x befor ...) - asterisk 1:13.18.5~dfsg-1 (bug #884345) [stretch] - asterisk 1:13.14.1~dfsg-2+deb9u3 [jessie] - asterisk (Vulnerable code introduced later) [wheezy] - asterisk (Vulnerable code introduced later) NOTE: http://downloads.digium.com/pub/security/AST-2017-012.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27382 NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27429 CVE-2017-17663 (The htpasswd implementation of mini_httpd before v1.28 and of thttpd b ...) - mini-httpd (unimportant) - thttpd (unimportant) NOTE: http://acme.com/updates/archive/199.html CVE-2017-17662 (Directory traversal in the HTTP server on Yawcam 0.2.6 through 0.6.0 d ...) NOT-FOR-US: Yawcam CVE-2017-17661 RESERVED CVE-2017-17660 RESERVED CVE-2017-17659 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17658 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17657 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17656 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17655 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17654 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17653 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17652 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17651 (Paid To Read Script 2.0.5 has SQL Injection via the admin/userview.php ...) NOT-FOR-US: Paid To Read Script CVE-2017-17650 RESERVED CVE-2017-17649 (Readymade Video Sharing Script 3.2 has HTML Injection via the single-v ...) NOT-FOR-US: Readymade Video Sharing Script CVE-2017-17648 (Entrepreneur Dating Script 2.0.1 has SQL Injection via the search_resu ...) NOT-FOR-US: Entrepreneur Dating Script CVE-2017-17647 RESERVED CVE-2017-17646 RESERVED CVE-2017-17645 (Bus Booking Script 1.0 has SQL Injection via the txtname parameter to ...) NOT-FOR-US: Bus Booking Script CVE-2017-17644 RESERVED CVE-2017-17643 (FS Lynda Clone 1.0 has SQL Injection via the keywords parameter to tut ...) NOT-FOR-US: FS Lynda Clone CVE-2017-17642 (Basic Job Site Script 2.0.5 has SQL Injection via the keyword paramete ...) NOT-FOR-US: Basic Job Site Script CVE-2017-17641 (Resume Clone Script 2.0.5 has SQL Injection via the preview.php id par ...) NOT-FOR-US: Resume Clone Script CVE-2017-17640 (Advanced World Database 2.0.5 has SQL Injection via the city.php count ...) NOT-FOR-US: Advanced World Database CVE-2017-17639 (Muslim Matrimonial Script 3.02 has SQL Injection via the success-story ...) NOT-FOR-US: Muslim Matrimonial Script CVE-2017-17638 (Groupon Clone Script 3.01 has SQL Injection via the city_ajax.php stat ...) NOT-FOR-US: Groupon Clone Script CVE-2017-17637 (Car Rental Script 2.0.4 has SQL Injection via the countrycode1.php val ...) NOT-FOR-US: Car Rental Script CVE-2017-17636 (MLM Forced Matrix 2.0.9 has SQL Injection via the news-detail.php newi ...) NOT-FOR-US: MLM Forced Matrix CVE-2017-17635 (MLM Forex Market Plan Script 2.0.4 has SQL Injection via the news_deta ...) NOT-FOR-US: MLM Forex Market Plan Script CVE-2017-17634 (Single Theater Booking Script 3.2.1 has SQL Injection via the findcity ...) NOT-FOR-US: Single Theater Booking Script CVE-2017-17633 (Multiplex Movie Theater Booking Script 3.1.5 has SQL Injection via the ...) NOT-FOR-US: Multiplex Movie Theater Booking Script CVE-2017-17632 (Responsive Events And Movie Ticket Booking Script 3.2.1 has SQL Inject ...) NOT-FOR-US: Responsive Events And Movie Ticket Booking Script CVE-2017-17631 (Multireligion Responsive Matrimonial 4.7.2 has SQL Injection via the s ...) NOT-FOR-US: Multireligion Responsive Matrimonial CVE-2017-17630 (Yoga Class Script 1.0 has SQL Injection via the /list city parameter. ...) NOT-FOR-US: Yoga Class Script CVE-2017-17629 (Secure E-commerce Script 2.0.1 has SQL Injection via the category.php ...) NOT-FOR-US: Secure E-commerce Script CVE-2017-17628 (Responsive Realestate Script 3.2 has SQL Injection via the property-li ...) NOT-FOR-US: Responsive Realestate Script CVE-2017-17627 (Readymade Video Sharing Script 3.2 has SQL Injection via the single-vi ...) NOT-FOR-US: Readymade Video Sharing Script CVE-2017-17626 (Readymade PHP Classified Script 3.3 has SQL Injection via the /categor ...) NOT-FOR-US: Readymade PHP Classified Script CVE-2017-17625 (Professional Service Script 1.0 has SQL Injection via the service-list ...) NOT-FOR-US: Professional Service Script CVE-2017-17624 (PHP Multivendor Ecommerce 1.0 has SQL Injection via the single_detail. ...) NOT-FOR-US: PHP Multivendor Ecommerce CVE-2017-17623 (Opensource Classified Ads Script 3.2 has SQL Injection via the advance ...) NOT-FOR-US: Opensource Classified Ads Script CVE-2017-17622 (Online Exam Test Application Script 1.6 has SQL Injection via the exam ...) NOT-FOR-US: Online Exam Test Application Script CVE-2017-17621 (Multivendor Penny Auction Clone Script 1.0 has SQL Injection via the P ...) NOT-FOR-US: Multivendor Penny Auction Clone Script CVE-2017-17620 (Lawyer Search Script 1.1 has SQL Injection via the /lawyer-list city p ...) NOT-FOR-US: Lawyer Search Script CVE-2017-17619 (Laundry Booking Script 1.0 has SQL Injection via the /list city parame ...) NOT-FOR-US: Laundry Booking Script CVE-2017-17618 (Kickstarter Clone Script 2.0 has SQL Injection via the investcalc.php ...) NOT-FOR-US: Kickstarter Clone Script CVE-2017-17617 (Foodspotting Clone Script 1.0 has SQL Injection via the quicksearch.ph ...) NOT-FOR-US: Foodspotting Clone Script CVE-2017-17616 (Event Search Script 1.0 has SQL Injection via the /event-list city par ...) NOT-FOR-US: Event Search Script CVE-2017-17615 (Facebook Clone Script 1.0 has SQL Injection via the friend-profile.php ...) NOT-FOR-US: Facebook Clone Script CVE-2017-17614 (Food Order Script 1.0 has SQL Injection via the /list city parameter. ...) NOT-FOR-US: Food Order Script CVE-2017-17613 (Freelance Website Script 2.0.6 has SQL Injection via the jobdetails.ph ...) NOT-FOR-US: Freelance Website Script CVE-2017-17612 (Hot Scripts Clone 3.1 has SQL Injection via the /categories subctid or ...) NOT-FOR-US: Hot Scripts Clone CVE-2017-17611 (Doctor Search Script 1.0 has SQL Injection via the /list city paramete ...) NOT-FOR-US: Doctor Search Script CVE-2017-17610 (E-commerce MLM Software 1.0 has SQL Injection via the service_detail.p ...) NOT-FOR-US: E-commerce MLM Software CVE-2017-17609 (Chartered Accountant Booking Script 1.0 has SQL Injection via the /ser ...) NOT-FOR-US: Chartered Accountant Booking Script CVE-2017-17608 (Child Care Script 1.0 has SQL Injection via the /list city parameter. ...) NOT-FOR-US: Child Care Script CVE-2017-17607 (CMS Auditor Website 1.0 has SQL Injection via the PATH_INFO to /news-d ...) NOT-FOR-US: CMS Auditor Website CVE-2017-17606 (Co-work Space Search Script 1.0 has SQL Injection via the /list city p ...) NOT-FOR-US: Co-work Space Search Script CVE-2017-17605 (Consumer Complaints Clone Script 1.0 has SQL Injection via the other-u ...) NOT-FOR-US: Consumer Complaints Clone Script CVE-2017-17604 (Entrepreneur Bus Booking Script 3.0.4 has SQL Injection via the booker ...) NOT-FOR-US: Entrepreneur Bus Booking Script CVE-2017-17603 (Advanced Real Estate Script 4.0.7 has SQL Injection via the search-res ...) NOT-FOR-US: Advanced Real Estate Script CVE-2017-17602 (Advance B2B Script 2.1.3 has SQL Injection via the tradeshow-list-deta ...) NOT-FOR-US: Advance B2B Script CVE-2017-17601 (Cab Booking Script 1.0 has SQL Injection via the /service-list city pa ...) NOT-FOR-US: Cab Booking Script CVE-2017-17600 (Basic B2B Script 2.0.8 has SQL Injection via the product_details.php i ...) NOT-FOR-US: Basic B2B Script CVE-2017-17599 (Advance Online Learning Management Script 3.1 has SQL Injection via th ...) NOT-FOR-US: Advance Online Learning Management Script CVE-2017-17598 (Affiliate MLM Script 1.0 has SQL Injection via the product-category.ph ...) NOT-FOR-US: Affiliate MLM Script CVE-2017-17597 (Nearbuy Clone Script 3.2 has SQL Injection via the category_list.php s ...) NOT-FOR-US: Nearbuy Clone Script CVE-2017-17596 (Entrepreneur Job Portal Script 2.0.6 has SQL Injection via the jobsear ...) NOT-FOR-US: Entrepreneur Job Portal Script CVE-2017-17595 (Beauty Parlour Booking Script 1.0 has SQL Injection via the /list gend ...) NOT-FOR-US: Beauty Parlour Booking Script CVE-2017-17594 (DomainSale PHP Script 1.0 has SQL Injection via the domain.php id para ...) NOT-FOR-US: DomainSale PHP Script CVE-2017-17593 (Simple Chatting System 1.0 allows Arbitrary File Upload via view/my_pr ...) NOT-FOR-US: Simple Chatting System CVE-2017-17592 (Website Auction Marketplace 2.0.5 has SQL Injection via the search.php ...) NOT-FOR-US: Website Auction Marketplace CVE-2017-17591 (Realestate Crowdfunding Script 2.7.2 has SQL Injection via the single- ...) NOT-FOR-US: Realestate Crowdfunding Script CVE-2017-17590 (FS Stackoverflow Clone 1.0 has SQL Injection via the /question keyword ...) NOT-FOR-US: FS Stackoverflow Clone CVE-2017-17589 (FS Thumbtack Clone 1.0 has SQL Injection via the browse-category.php c ...) NOT-FOR-US: FS Thumbtack Clone CVE-2017-17588 (FS IMDB Clone 1.0 has SQL Injection via the movie.php f parameter, tvs ...) NOT-FOR-US: FS IMDB Clone CVE-2017-17587 (FS Indiamart Clone 1.0 has SQL Injection via the catcompany.php token ...) NOT-FOR-US: FS Indiamart Clone CVE-2017-17586 (FS Olx Clone 1.0 has SQL Injection via the subpage.php scat parameter ...) NOT-FOR-US: FS Olx Clone CVE-2017-17585 (FS Monster Clone 1.0 has SQL Injection via the Employer_Details.php id ...) NOT-FOR-US: FS Monster Clone CVE-2017-17584 (FS Makemytrip Clone 1.0 has SQL Injection via the show-flight-result.p ...) NOT-FOR-US: FS Makemytrip Clone CVE-2017-17583 (FS Shutterstock Clone 1.0 has SQL Injection via the /Category keywords ...) NOT-FOR-US: FS Shutterstock Clone CVE-2017-17582 (FS Grubhub Clone 1.0 has SQL Injection via the /food keywords paramete ...) NOT-FOR-US: FS Grubhub Clone CVE-2017-17581 (FS Quibids Clone 1.0 has SQL Injection via the itechd.php productid pa ...) NOT-FOR-US: FS Quibids Clone CVE-2017-17580 (FS Linkedin Clone 1.0 has SQL Injection via the group.php grid paramet ...) NOT-FOR-US: FS Linkedin Clone CVE-2017-17579 (FS Freelancer Clone 1.0 has SQL Injection via the profile.php u parame ...) NOT-FOR-US: FS Freelancer Clone CVE-2017-17578 (FS Crowdfunding Script 1.0 has SQL Injection via the latest_news_detai ...) NOT-FOR-US: FS Crowdfunding Script CVE-2017-17577 (FS Trademe Clone 1.0 has SQL Injection via the search_item.php search ...) NOT-FOR-US: FS Trademe Clone CVE-2017-17576 (FS Gigs Script 1.0 has SQL Injection via the browse-category.php cat p ...) NOT-FOR-US: FS Gigs Script CVE-2017-17575 (FS Groupon Clone 1.0 has SQL Injection via the item_details.php id par ...) NOT-FOR-US: FS Groupon Clone CVE-2017-17574 (FS Care Clone 1.0 has SQL Injection via the searchJob.php jobType or j ...) NOT-FOR-US: FS Care Clone CVE-2017-17573 (FS Ebay Clone 1.0 has SQL Injection via the product.php id parameter, ...) NOT-FOR-US: FS Ebay Clone CVE-2017-17572 (FS Amazon Clone 1.0 has SQL Injection via the PATH_INFO to /VerAyari. ...) NOT-FOR-US: FS Amazon Clone CVE-2017-17571 (FS Foodpanda Clone 1.0 has SQL Injection via the /food keywords parame ...) NOT-FOR-US: FS Foodpanda Clone CVE-2017-17570 (FS Expedia Clone 1.0 has SQL Injection via the pages.php or content.ph ...) NOT-FOR-US: FS Expedia Clone CVE-2017-17569 (Scubez Posty Readymade Classifieds has XSS via the admin/user_activate ...) NOT-FOR-US: Scubez Posty Readymade Classifieds CVE-2017-17568 (Scubez Posty Readymade Classifieds has Incorrect Access Control for vi ...) NOT-FOR-US: Scubez Posty Readymade Classifieds CVE-2017-17567 (Scubez Posty Readymade Classifieds has SQL Injection via the admin/use ...) NOT-FOR-US: Scubez Posty Readymade Classifieds CVE-2017-17562 (Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is ...) NOT-FOR-US: Embedthis GoAhead CVE-2017-17561 (SeaCMS 6.56 allows remote authenticated administrators to execute arbi ...) NOT-FOR-US: SeaCMS CVE-2017-17560 (An issue was discovered on Western Digital MyCloud PR4100 2.30.172 dev ...) NOT-FOR-US: Western Digital MyCloud CVE-2017-17559 RESERVED CVE-2017-17565 (An issue was discovered in Xen through 4.9.x allowing PV guest OS user ...) {DSA-4112-1 DLA-1549-1 DLA-1230-1} - xen 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5 NOTE: https://xenbits.xen.org/xsa/advisory-251.html CVE-2017-17564 (An issue was discovered in Xen through 4.9.x allowing guest OS users t ...) {DSA-4112-1 DLA-1549-1 DLA-1230-1} - xen 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5 NOTE: https://xenbits.xen.org/xsa/advisory-250.html CVE-2017-17563 (An issue was discovered in Xen through 4.9.x allowing guest OS users t ...) {DSA-4112-1 DLA-1549-1 DLA-1230-1} - xen 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5 NOTE: https://xenbits.xen.org/xsa/advisory-249.html CVE-2017-17566 (An issue was discovered in Xen through 4.9.x allowing PV guest OS user ...) {DSA-4112-1 DLA-1549-1 DLA-1230-1} - xen 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5 NOTE: https://xenbits.xen.org/xsa/advisory-248.html CVE-2017-17558 (The usb_destroy_configuration function in drivers/usb/core/config.c in ...) {DSA-4082-1 DSA-4073-1 DLA-1232-1} - linux 4.14.7-1 NOTE: https://www.spinics.net/lists/linux-usb/msg163644.html NOTE: Fixed by: https://git.kernel.org/linus/48a4ff1c7bb5a32d2e396b03132d20d552c0eca7 CVE-2017-17557 (In Foxit Reader before 9.1 and Foxit PhantomPDF before 9.1, a flaw exi ...) NOT-FOR-US: Foxit Reader CVE-2017-17556 (A debug tool in Synaptics TouchPad drivers allows local users with adm ...) NOT-FOR-US: debug tool in Synaptics TouchPad drivers CVE-2017-17555 (The swri_audio_convert function in audioconvert.c in FFmpeg libswresam ...) - aubio 0.4.6-1 (low; bug #884232) [stretch] - aubio (Minor issue) [jessie] - aubio (Minor issue) [wheezy] - aubio (Minor issue) NOTE: Fixed by: https://github.com/aubio/aubio/commit/265fe9a2ca606f8b9ae4a110390f26c139c01ad7 NOTE: https://github.com/IvanCql/vulnerability/blob/master/An%20NULL%20pointer%20dereference(DoS)%20Vulnerability%20was%20found%20in%20function%20swri_audio_convert%20of%20ffmpeg%20libswresample.md NOTE: aubio initializes libswresample with 2 channels and then passes data NOTE: that contains just one channel. Not an issue in src:ffmpeg. NOTE: https://github.com/aubio/aubio/issues/137 CVE-2017-17554 (A NULL pointer dereference (DoS) Vulnerability was found in the functi ...) - aubio 0.4.6-1 (low; bug #884237) [stretch] - aubio (Minor issue) [jessie] - aubio (Minor issue) [wheezy] - aubio (Minor issue) NOTE: Fixed by: https://github.com/aubio/aubio/commit/a81b12a3b4174953b3bc7ef4c37103f4d5636740 NOTE: https://github.com/IvanCql/vulnerability/blob/master/An%20NULL%20pointer%20dereference(DoS)%20Vulnerability%20was%20found%20in%20function%20%20aubio_source_avcodec_readframe%20of%20aubio.md NOTE: https://github.com/aubio/aubio/issues/137 CVE-2017-17553 (The Dolphin Browser for Android 12.0.2 suffers from an insecure parsin ...) NOT-FOR-US: Dolphin Browser for Android CVE-2017-17552 (/LoadFrame in Zoho ManageEngine AD Manager Plus build 6590 - 6613 allo ...) NOT-FOR-US: Zoho ManageEngine AD Manager Plus CVE-2018-1360 (A cleartext transmission of sensitive information vulnerability in For ...) NOT-FOR-US: Fortinet CVE-2018-1359 RESERVED CVE-2018-1358 RESERVED CVE-2018-1357 RESERVED CVE-2018-1356 (A reflected Cross-Site-Scripting (XSS) vulnerability in Fortinet Forti ...) NOT-FOR-US: Fortinet FortiSandbox CVE-2018-1355 (An open redirect vulnerability in Fortinet FortiManager 6.0.0, 5.6.5 a ...) NOT-FOR-US: Fortinet CVE-2018-1354 (An improper access control vulnerability in Fortinet FortiManager 6.0. ...) NOT-FOR-US: Fortinet CVE-2018-1353 (An information disclosure vulnerability in Fortinet FortiManager 6.0.1 ...) NOT-FOR-US: Fortinet FortiManager CVE-2018-1352 (A format string vulnerability in Fortinet FortiOS 5.6.0 allows attacke ...) NOT-FOR-US: Fortinet CVE-2018-1351 (A Cross-site Scripting (XSS) vulnerability in Fortinet FortiManager 6. ...) NOT-FOR-US: Fortinet CVE-2017-17551 (The Backup and Restore feature in Mobotap Dolphin Browser for Android ...) NOT-FOR-US: Dolphin Browser for Android CVE-2017-17550 (ZyXEL ZyWALL USG 2.12 AQQ.2 and 3.30 AQQ.7 devices are affected by a C ...) NOT-FOR-US: ZyXEL CVE-2017-17549 (Citrix NetScaler Application Delivery Controller (ADC) and NetScaler G ...) NOT-FOR-US: Citrix NetScaler Application Delivery Controller CVE-2017-17548 RESERVED CVE-2017-17547 RESERVED CVE-2017-17546 RESERVED CVE-2017-17545 RESERVED CVE-2017-17544 (A privilege escalation vulnerability in Fortinet FortiOS 6.0.0 to 6.0. ...) NOT-FOR-US: Fortinet FortiOS CVE-2017-17543 (Users' VPN authentication credentials are unsafely encrypted in Fortin ...) NOT-FOR-US: Fortinet FortiClient CVE-2017-17542 RESERVED CVE-2017-17541 (A Cross-site Scripting (XSS) vulnerability in Fortinet FortiManager 6. ...) NOT-FOR-US: Fortinet CVE-2017-17540 (The presence of a hardcoded account in Fortinet FortiWLC 8.3.3 allows ...) NOT-FOR-US: Fortinet FortiWLC CVE-2017-17539 (The presence of a hardcoded account in Fortinet FortiWLC 7.0.11 and ea ...) NOT-FOR-US: Fortinet FortiWLC CVE-2017-17538 (MikroTik v6.40.5 devices allow remote attackers to cause a denial of s ...) NOT-FOR-US: MikroTik CVE-2017-17537 (MikroTik RouterBOARD v6.39.2 and v6.40.5 allows an unauthenticated rem ...) NOT-FOR-US: MikroTik CVE-2018-1350 (The NetIQ Identity Manager driver log file, in versions prior to 4.7, ...) NOT-FOR-US: NetIQ Identity Manager CVE-2018-1349 (The NetIQ Identity Manager driver log file, in versions prior to 4.7, ...) NOT-FOR-US: NetIQ Identity Manager CVE-2018-1348 (NetIQ Identity Manager driver, in versions prior to 4.7, allows for an ...) NOT-FOR-US: NetIQ Identity Manager CVE-2018-1347 (The administrative web interface in NetIQ iManager, versions prior to ...) NOT-FOR-US: NetIQ CVE-2018-1346 (Addresses denial of service attack to eDirectory versions prior to 9.1 ...) NOT-FOR-US: NetIQ CVE-2018-1345 (NetIQ iManager, versions prior to 3.1, under some circumstances could ...) NOT-FOR-US: NetIQ CVE-2018-1344 (Addresses potential communication downgrade attack in NetIQ iManager v ...) NOT-FOR-US: NetIQ CVE-2018-1343 (PAM exposure enabling unauthenticated access to remote host ...) NOT-FOR-US: NetIQ CVE-2018-1342 (A Vulnerability exists on Admin Console where an attacker can upload f ...) NOT-FOR-US: NetIQ Access Manager CVE-2018-1341 RESERVED CVE-2017-17536 (Phabricator before 2017-11-10 does not block the --config and --debugg ...) - phabricator (unimportant) NOTE: Fixed by: https://github.com/phacility/phabricator/commit/a7921a4448093d00defa8bd18f35b8c8f8bf3314 NOTE: Starting with 0~git20160726-3 the Phabricator package is not built NOTE: The issue is unfixed in the source up to 0~git20170812-1 NOTE: Fixed in 0~git20171202-1 (not yet accepted from NEW) CVE-2017-17535 (lib/gui.py in Bob Hepple gjots2 2.4.1 does not validate strings before ...) - gjots2 (unimportant) NOTE: https://sources.debian.org/src/gjots2/2.4.1-2/lib/gui.py/?hl=2188#L2188 CVE-2017-17534 (uiutil.c in Mensis 0.0.080507 does not validate strings before launchi ...) - mensis (unimportant) NOTE: https://sources.debian.org/src/mensis/0.0.080507-4/uiutil.c/?hl=293#L428 CVE-2017-17533 (** DISPUTED ** default.tcl in Tkabber 1.1 does not validate strings be ...) NOTE: Originally assigned for src:tkabber NOTE: https://sources.debian.org/src/tkabber/1.1-1/default.tcl/?hl=118#L118 NOTE: TCL's exec call does not involve the shell. It does its own argument parsing NOTE: which safely forwards the content of any variable. No command injection is NOTE: thus possible. See https://tcl.tk/man/tcl/TclCmd/exec.htm NOTE: MITRE only considers this as DISPUTED rather than fully REJECT The CVE. CVE-2017-17532 (examples/framework/news/news3.py in Kiwi 1.9.22 does not validate stri ...) - kiwi (unimportant) NOTE: https://sources.debian.org/src/kiwi/1.9.22-4/examples/framework/news/news3.py/?hl=88#L88 NOTE: Only in examples code, negligible impact CVE-2017-17531 (gozilla.c in GNU GLOBAL 4.8.6 does not validate strings before launchi ...) - global 6.6.1-1 (unimportant; bug #884912) [stretch] - global 6.5.6-2+deb9u1 NOTE: https://sources.debian.org/src/global/4.8.6-2/gozilla/gozilla.c/#L269 CVE-2017-17530 (common/help.c in Geomview 1.9.5 does not validate strings before launc ...) - geomview (unimportant) NOTE: https://sources.debian.org/src/geomview/1.9.5-1/src/bin/geomview/common/help.c/?hl=51#L83 CVE-2017-17529 (af/util/xp/ut_go_file.cpp in AbiWord 3.0.2-2 does not validate strings ...) - abiword (unimportant; bug #884923) NOTE: Non-issue, nothing exploitable, should be rejected CVE-2017-17528 (backends/platform/sdl/posix/posix.cpp in ScummVM 1.9.0 does not valida ...) - scummvm (unimportant) [wheezy] - scummvm (Vulnerable code not there) NOTE: https://sources.debian.org/src/scummvm/1.9.0+dfsg-2/backends/platform/sdl/posix/posix.cpp/?hl=274#L274 CVE-2017-17527 (** DISPUTED ** delphi_gui/WWWBrowserRunnerDM.pas in PasDoc 0.14 does n ...) - pasdoc 0.15.0-1 (unimportant) NOTE: https://sources.debian.org/src/pasdoc/0.14.0-1/source/delphi_gui/WWWBrowserRunnerDM.pas/?hl=63#L63 NOTE: Marked as unimportant since issue in unused code. MITRE marks CVE as NOTE: disputed. CVE-2017-17526 (Input.cc in Bernard Parisse Giac 1.2.3.57 does not validate strings be ...) - giac (unimportant) NOTE: https://sources.debian.org/src/giac/1.2.3.57+dfsg1-2/src/Input.cc/?hl=68#L77 CVE-2017-17525 (guiclient/guiclient.cpp in xTuple PostBooks 4.7.0 does not validate st ...) - postbooks (unimportant) NOTE: https://sources.debian.org/src/postbooks/4.7.0-3/guiclient/guiclient.cpp/?hl=1610#L1610 CVE-2017-17524 (library/www_browser.pl in SWI-Prolog 7.2.3 does not validate strings b ...) - swi-prolog (unimportant) NOTE: https://sources.debian.org/src/swi-prolog/7.2.3+dfsg-1/library/www_browser.pl/?hl=68#L68 NOTE: In wheezy it is technically possible to trigger an argument injection NOTE: vulnerability however it is quoted in an unusual way which makes it highly NOTE: unlikely that it going to be. CVE-2017-17523 (lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings b ...) - lilypond 2.18.2-12 (bug #884136) [jessie] - lilypond (Minor issue) [wheezy] - lilypond (Minor issue) NOTE: https://sourceforge.net/p/testlilyissues/issues/5243/ CVE-2017-17522 (** DISPUTED ** Lib/webbrowser.py in Python through 3.6.3 does not vali ...) - jython (unimportant) [wheezy] - jython (Vulnerable code is not provided in the binary package) - python2.6 (unimportant) - python2.7 (unimportant) - python3.2 (unimportant) - python3.4 (unimportant) - python3.5 (unimportant) - python3.6 (unimportant) - python3.7 (unimportant) NOTE: Lib/webbrowser.py does not validate strings before launching the program NOTE: specified by the BROWSER environment variable. NOTE: https://bugs.python.org/issue32367 NOTE: Hardly an issue with security impact, as the problematic code further relies NOTE: on subprocess.Popen with the default shell=False. CVE-2017-17521 (uiutil.c in FontForge through 20170731 does not validate strings befor ...) - fontforge (unimportant) NOTE: https://sources.debian.org/src/fontforge/1:20170731%7Edfsg-1/fontforgeexe/uiutil.c/#L285 CVE-2017-17520 (** DISPUTED ** tools/url_handler.pl in TIN 2.4.1 does not validate str ...) - tin (unimportant) NOTE: https://sources.debian.org/src/tin/1:2.4.1-1/tools/url_handler.pl/?hl=120#L120 NOTE: Documentation has a clear SECURITY section mentioning that [...] url_handler NOTE: does not try hard to shell escape its input nor does it convert relative URLs NOTE: into abosulte ones. If you use url_handler.pl from other applications be sure to NOTE: at least shell escaped its input. CVE-2017-17519 (batteriesConfig.mlp in OCaml Batteries Included (aka ocaml-batteries) ...) - ocaml-batteries (unimportant) NOTE: https://sources.debian.org/src/ocaml-batteries/2.6.0-1/src/batteriesConfig.mlp/?hl=23#L23 CVE-2017-17518 (** DISPUTED ** swt/motif/browser.c in White_dune (aka whitedune) 0.30. ...) - whitedune (unimportant) NOTE: https://sources.debian.org/src/whitedune/0.30.10-2.1/src/swt/motif/browser.c/?hl=159#L214 CVE-2017-17517 (libsylph/utils.c in Sylpheed through 3.6 does not validate strings bef ...) - sylpheed (unimportant) NOTE: https://sources.debian.org/src/sylpheed/3.5.1-1/libsylph/utils.c/?hl=4292#L4292 CVE-2017-17516 (scripts/inspect_webbrowser.py in Reddit Terminal Viewer (RTV) 1.19.0 d ...) - rtv (unimportant) NOTE: https://sources.debian.org/src/rtv/1.20.0+dfsg-1/scripts/inspect_webbrowser.py/ CVE-2017-17515 (** DISPUTED ** etc/ObjectList in Metview 4.7.3 does not validate strin ...) - metview (unimportant) NOTE: https://sources.debian.org/src/metview/4.7.2-3/share/metview/etc/ObjectList/?hl=2857#L2857 CVE-2017-17514 (** DISPUTED ** boxes.c in nip2 8.4.0 does not validate strings before ...) - nip2 (unimportant) NOTE: https://sources.debian.org/src/nip2/8.4.0-1/src/boxes.c/?hl=727#L727 CVE-2017-17513 (TeX Live through 20170524 does not validate strings before launching t ...) - texlive-base (unimportant) [wheezy] - texlive-base (Vulnerable code do not exist) - texlive-bin (unimportant) [wheezy] - texlive-bin (Vulnerable code do not exist) - context (unimportant) [wheezy] - context (Vulnerable code do not exist) NOTE: https://sources.debian.org/src/texlive-base/2017.20171128-1/texmf-dist/tex/luatex/lualibs/lualibs-os.lua/#L153 NOTE: https://sources.debian.org/src/texlive-bin/2016.20160513.41080.dfsg-2/texk/texlive/linked_scripts/context/stubs/unix/mtxrun/#L3004 NOTE: https://sources.debian.org/src/context/2017.05.15.20170613-2/texmf-dist/scripts/context/stubs/mswin/mtxrun.lua/?hl=3424#L3424 CVE-2017-17512 (sensible-browser in sensible-utils before 0.0.11 does not validate str ...) {DSA-4071-1 DLA-1209-1} - sensible-utils 0.0.11 (bug #881767) NOTE: https://anonscm.debian.org/git/collab-maint/sensible-utils.git/commit/?id=e16c937c43126df7f08d355277f99dd94cc21ce5 CVE-2017-17511 (KildClient 3.1.0 does not validate strings before launching the progra ...) {DLA-1210-1} - kildclient 3.2.0-1 (bug #885007) [stretch] - kildclient 3.1.0-1+deb9u1 [jessie] - kildclient (Minor issue) NOTE: https://sources.debian.org/src/kildclient/3.1.0-1/src/worldgui.c/?hl=1159#L1159 NOTE: https://sources.debian.org/src/kildclient/3.1.0-1/src/prefs.c/?hl=324#L324 CVE-2017-17510 RESERVED CVE-2017-17509 (In HDF5 1.10.1, there is an out of bounds write vulnerability in the f ...) - hdf5 1.10.4+repack-1 (bug #884365) [stretch] - hdf5 (Minor issue) [jessie] - hdf5 (Minor issue) [wheezy] - hdf5 (Minor issue) NOTE: POC: https://github.com/xiaoqx/pocs/blob/master/hdf5/5-hdf5-heap-overflow-H5G__ent_decode_vec NOTE: https://github.com/xiaoqx/pocs/blob/master/hdf5/readme.md NOTE: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/2636f401ba236e99adda4cc50fb89bebbe0b73fd CVE-2017-17508 (In HDF5 1.10.1, there is a divide-by-zero vulnerability in the functio ...) - hdf5 1.10.4+repack-1 (bug #884365) [stretch] - hdf5 (Minor issue) [jessie] - hdf5 (Minor issue) [wheezy] - hdf5 (Minor issue) NOTE: POC: https://github.com/xiaoqx/pocs/blob/master/hdf5/1-hdf5-divbyzero-H5T_set_loc NOTE: https://github.com/xiaoqx/pocs/blob/master/hdf5/readme.md NOTE: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/0a7128c0d5bd035288be7b02ca9cf9bba321aadd CVE-2017-17507 (In HDF5 1.10.1, there is an out of bounds read vulnerability in the fu ...) - hdf5 (low; bug #915807) [buster] - hdf5 (Minor issue, requires ABI change) [stretch] - hdf5 (Minor issue) [jessie] - hdf5 (Minor issue) [wheezy] - hdf5 (Minor issue) NOTE: POC: https://github.com/xiaoqx/pocs/blob/master/hdf5/3-hdf5-outbound-read-H5T_conv_struct_opt NOTE: https://github.com/xiaoqx/pocs/blob/master/hdf5/readme.md NOTE: Fixing the bug requires an ABI changes thus upstream will only include a fix NOTE: on a major version bump. CVE-2017-17506 (In HDF5 1.10.1, there is an out of bounds read vulnerability in the fu ...) - hdf5 1.10.4+repack-1 (bug #884365) [stretch] - hdf5 (Minor issue) [jessie] - hdf5 (Minor issue) [wheezy] - hdf5 (Minor issue) NOTE: POC: https://github.com/xiaoqx/pocs/blob/master/hdf5/4-hdf5-outbound-read-H5Opline_pline_decode NOTE: https://github.com/xiaoqx/pocs/blob/master/hdf5/readme.md NOTE: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/b1a6873b1021c967b661727edae9de87d194f744 CVE-2017-17505 (In HDF5 1.10.1, there is a NULL pointer dereference in the function H5 ...) - hdf5 1.10.4+repack-1 (bug #884365) [stretch] - hdf5 (Minor issue) [jessie] - hdf5 (Minor issue) [wheezy] - hdf5 (Minor issue) NOTE: POC: https://github.com/xiaoqx/pocs/blob/master/hdf5/2-hdf5-null-pointer-H5O_pline_decode NOTE: https://github.com/xiaoqx/pocs/blob/master/hdf5/readme.md NOTE: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/7e3f95679677db07a5cc606f5edfb723ea56d04e CVE-2017-17504 (ImageMagick before 7.0.7-12 has a coders/png.c Magick_png_read_raw_pro ...) {DSA-4204-1 DSA-4074-1 DLA-1227-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #885340) NOTE: https://github.com/ImageMagick/ImageMagick/issues/872 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/ce3a586a43a7d13442587eb7f28d129557b6a135 NOTE: ImageMagick-7: https://github.com/ImageMagick/ImageMagick/commit/59c49559e302e06bfba46cb6feb4e39adbe675b6 NOTE: ImageMagick-7: https://github.com/ImageMagick/ImageMagick/commit/fb89192c4ca1600741af79dd22166a7d91e76924 CVE-2017-17503 (ReadGRAYImage in coders/gray.c in GraphicsMagick 1.3.26 has a magick/i ...) {DSA-4321-1 DLA-1401-1 DLA-1231-1} - graphicsmagick 1.3.27-1 NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/460ef5e858ad NOTE: https://sourceforge.net/p/graphicsmagick/bugs/522/ CVE-2017-17502 (ReadCMYKImage in coders/cmyk.c in GraphicsMagick 1.3.26 has a magick/i ...) {DSA-4321-1 DLA-1401-1 DLA-1231-1} - graphicsmagick 1.3.27-1 NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/a9c425688397 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/521/ CVE-2017-17501 (WriteOnePNGImage in coders/png.c in GraphicsMagick 1.3.26 has a heap-b ...) {DSA-4321-1 DLA-1401-1 DLA-1231-1} - graphicsmagick 1.3.27-1 NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/5b8414c0d0c4 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/526/ CVE-2017-17500 (ReadRGBImage in coders/rgb.c in GraphicsMagick 1.3.26 has a magick/imp ...) {DSA-4321-1 DLA-1401-1 DLA-1231-1} - graphicsmagick 1.3.27-1 NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/1366f2dd9931 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/523/ CVE-2017-17499 (ImageMagick before 6.9.9-24 and 7.x before 7.0.7-12 has a use-after-fr ...) {DSA-4074-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #885339) [jessie] - imagemagick (Vulnerable code not present) [wheezy] - imagemagick (vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/commit/8c35502217c1879cb8257c617007282eee3fe1cc NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/dd96d671e4d5ae22c6894c302e8996c13f24c45a NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=33078&sid=5fbb164c3830293138917f9b14264ed1 CVE-2017-17498 (WritePNMImage in coders/pnm.c in GraphicsMagick 1.3.26 allows remote a ...) {DSA-4321-1 DLA-1401-1 DLA-1231-1} - graphicsmagick 1.3.27-1 NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/f1c418ef0260 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/525/ CVE-2017-17497 (In Tidy 5.7.0, the prvTidyTidyMetaCharset function in clean.c allows a ...) - tidy-html5 2:5.6.0-3 [stretch] - tidy-html5 (Vulnerable code introduced after 5.6.0) - tidy (Vulnerable code not present) NOTE: https://github.com/htacg/tidy-html5/issues/656 NOTE: https://github.com/htacg/tidy-html5/commit/a111d7a9691953f903ffa1fdbc3762dec22fc215 NOTE: Issue originally never in DEbian because teh vulnerable code was NOTE: introduced in 5.6.0. But with the 2:5.6.0-1 upload the package got NOTE: vulnerable and needed a targeted fix via 2:5.6.0-3 upload. CVE-2017-17496 REJECTED CVE-2017-17495 RESERVED CVE-2017-17494 RESERVED CVE-2017-17493 RESERVED CVE-2017-17492 RESERVED CVE-2017-17491 RESERVED CVE-2017-17490 RESERVED CVE-2017-17489 RESERVED CVE-2017-17488 RESERVED CVE-2017-17487 RESERVED CVE-2017-17486 RESERVED CVE-2017-17485 (FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allo ...) {DSA-4114-1} - jackson-databind 2.9.4-1 (bug #888318) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1528565#c0 NOTE: https://github.com/FasterXML/jackson-databind/issues/1855 CVE-2017-17484 (The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Compone ...) - icu (Vulnerable code not present, only experimental was ever affected and fixed in 60.2-1) NOTE: https://ssl.icu-project.org/trac/ticket/13510 NOTE: https://ssl.icu-project.org/trac/ticket/13490 NOTE: Fixed by: https://ssl.icu-project.org/trac/changeset/40714 NOTE: Testcase: https://ssl.icu-project.org/trac/changeset/40715 NOTE: POC: https://ssl.icu-project.org/trac/attachment/ticket/13490/poc.2.cpp NOTE: Introduced by https://ssl.icu-project.org/trac/changeset/40455/ CVE-2017-17483 RESERVED CVE-2017-17482 (An issue was discovered in OpenVMS through V8.4-2L2 on Alpha and throu ...) NOT-FOR-US: OpenVMS CVE-2017-17481 RESERVED CVE-2017-17480 (In OpenJPEG 2.3.0, a stack-based buffer overflow was discovered in the ...) {DSA-4405-1 DLA-1579-1} - openjpeg2 2.3.0-2 (bug #884738) NOTE: https://github.com/uclouvain/openjpeg/issues/1044 NOTE: https://github.com/uclouvain/openjpeg/commit/0bc90e4062a5f9258c91eca018c019b179066c62 CVE-2017-17479 (In OpenJPEG 2.3.0, a stack-based buffer overflow was discovered in the ...) - openjpeg2 (unimportant) NOTE: https://github.com/uclouvain/openjpeg/issues/1044 NOTE: Debian packaging does not build JPWL, has BUILD_JPWL:BOOL=OFF CVE-2017-17478 (An XSS issue was discovered in Designer Studio in Pegasystems Pega Pla ...) NOT-FOR-US: Pegasystems Pega Platform CVE-2017-17477 RESERVED CVE-2017-17475 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a deni ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17474 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a deni ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17473 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a deni ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17472 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a deni ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17471 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a deni ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17470 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a deni ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17469 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a deni ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17468 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to gain privile ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17467 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a deni ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17466 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to gain privile ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17465 (K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL pointer de ...) NOT-FOR-US: K7 Antivirus CVE-2017-17464 (K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL pointer de ...) NOT-FOR-US: K7 Antivirus CVE-2017-17463 (Vivo modems allow remote attackers to obtain sensitive information by ...) NOT-FOR-US: Vivo modems CVE-2017-17462 RESERVED CVE-2017-17461 REJECTED CVE-2017-17460 RESERVED CVE-2018-1340 (Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage ...) - guacamole-client (bug #920796) [stretch] - guacamole-client (Minor issue) [jessie] - guacamole-client (Vulnerable code not present) - guacamole NOTE: https://www.openwall.com/lists/oss-security/2019/01/24/2 NOTE: https://issues.apache.org/jira/browse/GUACAMOLE-549 NOTE: https://github.com/apache/guacamole-client/pull/273 NOTE: https://www.openwall.com/lists/oss-security/2019/02/02/1 CVE-2018-1339 (A carefully crafted (or fuzzed) file can trigger an infinite loop in A ...) - tika 1.18-1 (low; bug #900000) [jessie] - tika (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2018/04/25/7 CVE-2018-1338 (A carefully crafted (or fuzzed) file can trigger an infinite loop in A ...) - tika 1.18-1 [jessie] - tika (BGP parser introduced in 1.7) NOTE: http://www.openwall.com/lists/oss-security/2018/04/25/6 CVE-2018-1337 (In Apache Directory LDAP API before 1.0.2, a bug in the way the SSL Fi ...) NOT-FOR-US: Apache LDAP API CVE-2018-1336 (An improper handing of overflow in the UTF-8 decoder with supplementar ...) {DSA-4281-1 DLA-1491-1} - tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.5.31-1 - tomcat8.0 (unimportant) NOTE: tomcat8.0 builds only tomcat8.0-user and libtomcat8.0-java - tomcat7 7.0.72-3 [jessie] - tomcat7 7.0.56-3+really7.0.88-1 NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API NOTE: https://svn.apache.org/r1830373 (9.0.x) NOTE: https://svn.apache.org/r1830374 (8.5.x) NOTE: https://svn.apache.org/r1830375 (8.0.x) NOTE: https://svn.apache.org/r1830376 (7.0.x) CVE-2018-1335 (From Apache Tika versions 1.7 to 1.17, clients could send carefully cr ...) - tika 1.18-1 [jessie] - tika (Server functionality not present) NOTE: http://www.openwall.com/lists/oss-security/2018/04/25/8 CVE-2018-1334 (In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using ...) - apache-spark (bug #802194) CVE-2018-1333 (By specially crafting HTTP/2 requests, workers would be allocated 60 s ...) - apache2 2.4.34-1 (bug #904106) [stretch] - apache2 2.4.25-3+deb9u6 [jessie] - apache2 (Vulnerable code not present) NOTE: Affects 2.4.18-2.4.33 NOTE: HTTP/2 support introduced in 2.4.17 NOTE: http://www.openwall.com/lists/oss-security/2018/07/18/1 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-1333 CVE-2018-1332 (Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version ...) NOT-FOR-US: Apache Storm CVE-2018-1331 (In Apache Storm 0.10.0 through 0.10.2, 1.0.0 through 1.0.6, 1.1.0 thro ...) NOT-FOR-US: Apache Storm CVE-2018-1330 (When parsing a malformed JSON payload, libprocess in Apache Mesos vers ...) - apache-mesos (bug #760315) CVE-2018-1329 REJECTED CVE-2018-1328 (Apache Zeppelin prior to 0.8.0 had a stored XSS issue via Note permiss ...) NOT-FOR-US: Apache Zeppelin CVE-2018-1327 (The Apache Struts REST Plugin is using XStream library which is vulner ...) - libstruts1.2-java (Specific to 2.x) NOTE: https://cwiki.apache.org/confluence/display/WW/S2-056 CVE-2018-1326 REJECTED CVE-2018-1325 (In Apache wicket-jquery-ui <= 6.29.0, <= 7.10.1, <= 8.0.0-M9. ...) NOT-FOR-US: Wicket jQuery UI CVE-2018-1324 (A specially crafted ZIP archive can be used to cause an infinite loop ...) - libcommons-compress-java 1.13-2 (bug #893174) [stretch] - libcommons-compress-java (Minor issue) [jessie] - libcommons-compress-java (Vulnerable code introduced later) [wheezy] - libcommons-compress-java (Vulnerable code introduced later) NOTE: Fixed by: https://git-wip-us.apache.org/repos/asf?p=commons-compress.git;a=blobdiff;f=src/main/java/org/apache/commons/compress/archivers/zip/X0017_StrongEncryptionHeader.java;h=acc3b22346b49845e85b5ef27a5814b69e834139;hp=0feb9c98cc622cde1defa3bbd268ef82b4ae5c18;hb=2a2f1dc48e22a34ddb72321a4db211da91aa933b;hpb=dcb0486fb4cb2b6592c04d6ec2edbd3f690df5f2 NOTE: https://issues.apache.org/jira/browse/COMPRESS-432 CVE-2018-1323 (The IIS/ISAPI specific code in the Apache Tomcat JK ISAPI Connector 1. ...) - libapache-mod-jk (Windows/IIS vhost handling specific issue) NOTE: http://tomcat.apache.org/security-jk.html#Fixed_in_Apache_Tomcat_JK_Connector_1.2.43 NOTE: Fixed by: http://svn.apache.org/r1825658 CVE-2018-1322 (An administrator with user search entitlements in Apache Syncope 1.2.x ...) NOT-FOR-US: Apache Syncope CVE-2018-1321 (An administrator with report and template entitlements in Apache Synco ...) NOT-FOR-US: Apache Syncope CVE-2018-1320 (Apache Thrift Java client library versions 0.5.0 through 0.11.0 can by ...) {DLA-1662-1} - libthrift-java 0.9.1-2.1 (bug #918736) [stretch] - libthrift-java 0.9.1-2.1~deb9u1 NOTE: https://issues.apache.org/jira/browse/THRIFT-4506 NOTE: https://github.com/apache/thrift/commit/d973409661f820d80d72c0034d06a12348c8705e CVE-2018-1319 (In Apache Allura prior to 1.8.1, attackers may craft URLs that cause H ...) NOT-FOR-US: Apache Allura CVE-2018-1318 (Adding method ACLs in remap.config can cause a segfault when the user ...) {DSA-4282-1} - trafficserver 7.1.4+ds-1 NOTE: http://www.openwall.com/lists/oss-security/2018/08/29/3 NOTE: https://github.com/apache/trafficserver/pull/3195 NOTE: https://github.com/apache/trafficserver/commit/e6dfda305acf85250861ecfa14a7bd6bb2fad5c3 CVE-2018-1317 (In Apache Zeppelin prior to 0.8.0 the cron scheduler was enabled by de ...) NOT-FOR-US: Apache Zeppelin CVE-2018-1316 (The ODE process deployment web service was sensible to deployment mess ...) NOT-FOR-US: Apache ODE CVE-2018-1315 (In Apache Hive 2.1.0 to 2.3.2, when 'COPY FROM FTP' statement is run u ...) NOT-FOR-US: Apache Hive CVE-2018-1314 (In Apache Hive 2.3.3, 3.1.0 and earlier, Hive "EXPLAIN" operation does ...) NOT-FOR-US: Apache Hive CVE-2018-1313 (In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network pac ...) - derby 10.14.2.0-1 [jessie] - derby (Minor issue) [stretch] - derby (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2018/05/05/1 CVE-2018-1312 (In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authen ...) {DSA-4164-1 DLA-1389-1} - apache2 2.4.33-1 NOTE: http://www.openwall.com/lists/oss-security/2018/03/24/7 CVE-2018-1311 (The Apache Xerces-C 3.0.0 to 3.2.2 XML parser contains a use-after-fre ...) - xerces-c (bug #947431) [jessie] - xerces-c (slow upstream interest, proper fix likely to break ABI compatibility) NOTE: http://xerces.apache.org/xerces-c/secadv/CVE-2018-1311.txt NOTE: https://issues.apache.org/jira/browse/XERCESC-2188 NOTE: http://vault.centos.org/7.7.1908/updates/Source/SPackages/xerces-c-3.1.1-10.el7_7.src.rpm (fix with memory leak) NOTE: Mitigation by setting the XERCES_DISABLE_DTD environment variable CVE-2018-1310 (Apache NiFi JMS Deserialization issue because of ActiveMQ client vulne ...) NOT-FOR-US: Apache NiFi CVE-2018-1309 (Apache NiFi External XML Entity issue in SplitXML processor. Malicious ...) NOT-FOR-US: Apache NiFi CVE-2018-1308 (This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 rela ...) {DSA-4194-1 DLA-1360-1} - lucene-solr 3.6.2+dfsg-12 (bug #896604) NOTE: http://www.openwall.com/lists/oss-security/2018/04/08/3 NOTE: https://issues.apache.org/jira/browse/SOLR-11971 NOTE: master: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/02c693f3 NOTE: branch_7x: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/739a7933 NOTE: branch_6_6: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/dd3be31f CVE-2018-1307 (In Apache jUDDI 3.2 through 3.3.4, if using the WADL2Java or WSDL2Java ...) NOT-FOR-US: Apache juddi-client CVE-2018-1306 (The PortletV3AnnotatedDemo Multipart Portlet war file code provided in ...) NOT-FOR-US: Apache Portals Pluto CVE-2018-1305 (Security constraints defined by annotations of Servlets in Apache Tomc ...) {DSA-4281-1 DLA-1450-1 DLA-1400-1 DLA-1301-1} - tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.5.28-1 - tomcat8.0 (unimportant) NOTE: tomcat8.0 builds only tomcat8.0-user and libtomcat8.0-java - tomcat7 7.0.72-3 NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API NOTE: https://svn.apache.org/r1823314 (8.5.x) NOTE: https://svn.apache.org/r1824358 (8.5.x) NOTE: https://svn.apache.org/r1823319 (8.0.x) NOTE: https://svn.apache.org/r1824359 (8.0.x) NOTE: https://svn.apache.org/r1823322 (7.0.x) NOTE: https://svn.apache.org/r1824360 (7.0.x) CVE-2018-1304 (The URL pattern of "" (the empty string) which exactly maps to the con ...) {DSA-4281-1 DLA-1450-1 DLA-1400-1 DLA-1301-1} - tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.5.28-1 - tomcat8.0 (unimportant) NOTE: tomcat8.0 builds only tomcat8.0-user and libtomcat8.0-java - tomcat7 7.0.72-3 NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API NOTE: https://svn.apache.org/r1823307 (8.5.x) NOTE: https://svn.apache.org/r1823308 (8.0.x) NOTE: https://svn.apache.org/r1823309 (7.0.x) NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=62067 CVE-2018-1303 (A specially crafted HTTP request header could have crashed the Apache ...) {DSA-4164-1} - apache2 2.4.33-1 [wheezy] - apache2 (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2018/03/24/3 CVE-2018-1302 (When an HTTP/2 stream was destroyed after being handled, the Apache HT ...) - apache2 2.4.33-1 [stretch] - apache2 2.4.25-3+deb9u5 [jessie] - apache2 (Vulnerable code not present) [wheezy] - apache2 (Vulnerable code not present) NOTE: HTTP/2 support introduced in 2.4.17 NOTE: http://www.openwall.com/lists/oss-security/2018/03/24/5 CVE-2018-1301 (A specially crafted request could have crashed the Apache HTTP Server ...) {DSA-4164-1 DLA-1389-1} - apache2 2.4.33-1 NOTE: http://www.openwall.com/lists/oss-security/2018/03/24/2 CVE-2018-1300 REJECTED CVE-2018-1299 (In Apache Allura before 1.8.0, unauthenticated attackers may retrieve ...) NOT-FOR-US: Apache Allura CVE-2018-1298 (A Denial of Service vulnerability was found in Apache Qpid Broker-J 7. ...) - qpid-java (bug #840131) NOTE: https://issues.apache.org/jira/browse/QPID-8046 NOTE: https://git-wip-us.apache.org/repos/asf?p=qpid-broker-j.git;h=de509dd NOTE: https://git-wip-us.apache.org/repos/asf?p=qpid-broker-j.git;h=30ca170 NOTE: https://git-wip-us.apache.org/repos/asf?p=qpid-broker-j.git;h=4b9fb37 CVE-2018-1297 (When using Distributed Test only (RMI based), Apache JMeter 2.x and 3. ...) - jakarta-jmeter (low; bug #897259) [buster] - jakarta-jmeter (Minor issue, too intrusive to backport) [stretch] - jakarta-jmeter (Minor issue, too intrusive to backport) [jessie] - jakarta-jmeter (Minor issue, too intrusive to backport) [wheezy] - jakarta-jmeter (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2018/02/11/1 NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=62039 CVE-2018-1296 (In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5 ...) - hadoop (bug #793644) CVE-2018-1295 (In Apache Ignite 2.3 or earlier, the serialization mechanism does not ...) NOT-FOR-US: Apache Ignite CVE-2018-1294 (If a user of Apache Commons Email (typically an application programmer ...) - commons-email (Fixed with first upload to Debian) NOTE: https://marc.info/?i=CAF8HOZ+J3NkaywfbHuQpHxK9ZXeT4=4Vs9rOwCDiUdnt1QA1Yw@mail.gmail.com NOTE: Fixed by: https://svn.apache.org/r1777030 CVE-2018-1293 REJECTED CVE-2018-1292 (Within the 'getReportType' method in Apache Fineract 1.0.0, 0.6.0-incu ...) NOT-FOR-US: Apache Fineract CVE-2018-1291 (Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incub ...) NOT-FOR-US: Apache Fineract CVE-2018-1290 (In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, ...) NOT-FOR-US: Apache Fineract CVE-2018-1289 (In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, ...) NOT-FOR-US: Apache Fineract CVE-2018-1288 (In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to ...) - kafka (bug #786460) CVE-2018-1287 (In Apache JMeter 2.X and 3.X, when using Distributed Test only (RMI ba ...) - jakarta-jmeter (low) [buster] - jakarta-jmeter (Minor issue) [stretch] - jakarta-jmeter (Minor issue) [jessie] - jakarta-jmeter (Minor issue) [wheezy] - jakarta-jmeter (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2018/02/11/2 NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=62039 CVE-2018-1286 (In Apache OpenMeetings 3.0.0 - 4.0.1, CRUD operations on privileged us ...) NOT-FOR-US: Apache OpenMeetings CVE-2018-1285 (Apache log4net before 2.0.8 does not disable XML external entities whe ...) {DLA-2211-1} - log4net (low) [buster] - log4net (Minor issue) NOTE: https://issues.apache.org/jira/browse/LOG4NET-575 NOTE: https://github.com/apache/logging-log4net/commit/d0b4b0157d4af36b23c24a23739c47925c3bd8d7 CVE-2018-1284 (In Apache Hive 0.6.0 to 2.3.2, malicious user might use any xpath UDFs ...) NOT-FOR-US: Apache Hive CVE-2018-1283 (In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to for ...) {DSA-4164-1} - apache2 2.4.33-1 [wheezy] - apache2 (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2018/03/24/4 CVE-2018-1282 (This vulnerability in Apache Hive JDBC driver 0.7.1 to 2.3.2 allows ca ...) NOT-FOR-US: Apache Hive CVE-2018-1281 (The clustered setup of Apache MXNet allows users to specify which IP a ...) NOT-FOR-US: Apache MXNet CVE-2017-17459 (http_transport.c in Fossil before 2.4, when the SSH sync protocol is u ...) - fossil 1:2.4-1 [stretch] - fossil (Minor issue) [jessie] - fossil (Minor issue) [wheezy] - fossil (Minor issue) NOTE: https://www.fossil-scm.org/xfer/info/1f63db591c77108c CVE-2017-17458 (In Mercurial before 4.4.1, it is possible that a specially malformed r ...) {DLA-1414-2 DLA-1414-1 DLA-1224-1} - mercurial 4.4.1-1 NOTE: https://bz.mercurial-scm.org/show_bug.cgi?id=5730 NOTE: https://www.mercurial-scm.org/pipermail/mercurial-devel/2017-November/107333.html NOTE: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.4.1_.282017-11-07.29 NOTE: Fixed by: https://mercurial-scm.org/repo/hg/rev/071cbeba4212 NOTE: Alternative workaround/additionally needed: https://mercurial-scm.org/repo/hg/rev/5e27afeddaee CVE-2017-1002102 (In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to version ...) - kubernetes 1.7.16+dfsg-1 (bug #894051) NOTE: https://github.com/kubernetes/kubernetes/issues/60814 CVE-2017-1002101 (In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to version ...) - kubernetes 1.7.16+dfsg-1 (bug #892801) NOTE: https://github.com/kubernetes/kubernetes/issues/60813 CVE-2017-17457 REJECTED CVE-2017-17456 REJECTED CVE-2017-17455 (Mahara 16.10 before 16.10.7, 17.04 before 17.04.5, and 17.10 before 17 ...) - mahara CVE-2017-17454 (Mahara 16.10 before 16.10.7 and 17.04 before 17.04.5 and 17.10 before ...) - mahara CVE-2017-17453 RESERVED CVE-2017-17452 RESERVED CVE-2017-17451 (The WP Mailster plugin before 1.5.5 for WordPress has XSS in the unsub ...) NOT-FOR-US: Wordpress plugin CVE-2017-17450 (net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not req ...) {DSA-4082-1 DSA-4073-1} - linux 4.14.7-1 [wheezy] - linux (User namespaces not supported) NOTE: https://lkml.org/lkml/2017/12/5/982 CVE-2017-17449 (The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in ...) {DSA-4082-1 DSA-4073-1} - linux 4.14.7-1 [wheezy] - linux (Vulnerable code not present) NOTE: https://lkml.org/lkml/2017/12/5/950 CVE-2017-17448 (net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4 ...) {DSA-4082-1 DSA-4073-1} - linux 4.14.7-1 [wheezy] - linux (User namespaces not supported) NOTE: https://patchwork.kernel.org/patch/10089373/ CVE-2018-1280 (Pivotal Greenplum Command Center versions 2.x prior to 2.5.1 contains ...) NOT-FOR-US: Pivotal CVE-2018-1279 (Pivotal RabbitMQ for PCF, all versions, uses a deterministically gener ...) - rabbitmq-server (Specific to RabbitMQ setup in Pivotal, see bug #924768) NOTE: https://pivotal.io/security/cve-2018-1279 CVE-2018-1278 (Apps Manager included in Pivotal Application Service, versions 1.12.x ...) NOT-FOR-US: Pivotal CVE-2018-1277 (Cloud Foundry Garden-runC, versions prior to 1.13.0, does not correctl ...) NOT-FOR-US: Cloud Foundry CVE-2018-1276 (Windows 2012R2 stemcells, versions prior to 1200.17, contain an inform ...) NOT-FOR-US: Cloud Foundry CVE-2018-1275 (Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior t ...) - libspring-java (Partial fix for CVE-2018-1270 not applied) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1565307 CVE-2018-1274 (Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older ...) NOT-FOR-US: Spring Data Commons CVE-2018-1273 (Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, ...) NOT-FOR-US: Spring Data Commons CVE-2018-1272 (Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior t ...) - libspring-java 4.3.19-1 (bug #895114) [stretch] - libspring-java (Minor issue) [jessie] - libspring-java (vulnerable code not found) [wheezy] - libspring-java (Vulnerable broker code introduced in various commits re. https://github.com/spring-projects/spring-framework/blame/0009806debb578e884f6dc98bd1f2dc668020021/spring-messaging/src/main/java/org/springframework/messaging/simp/broker/DefaultSubscriptionRegistry.java) NOTE: https://pivotal.io/security/cve-2018-1272 CVE-2018-1271 (Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior t ...) - libspring-java (Issue specific when served from a file system on Windows) NOTE: https://pivotal.io/security/cve-2018-1271 CVE-2018-1270 (Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior t ...) - libspring-java 4.3.19-1 (bug #895114) [stretch] - libspring-java (Minor issue) [jessie] - libspring-java (vulnerable code not found) [wheezy] - libspring-java (Vulnerable broker code introduced in various commits re. https://github.com/spring-projects/spring-framework/blame/0009806debb578e884f6dc98bd1f2dc668020021/spring-messaging/src/main/java/org/springframework/messaging/simp/broker/DefaultSubscriptionRegistry.java) NOTE: https://pivotal.io/security/cve-2018-1270 NOTE: when addressing this issue make sure to not only apply a partial fix but NOTE: make it complete, cf. https://bugzilla.redhat.com/show_bug.cgi?id=1565307 CVE-2018-1269 (Cloud Foundry Loggregator, versions 89.x prior to 89.5 or 96.x prior t ...) NOT-FOR-US: Cloud Foundry CVE-2018-1268 (Cloud Foundry Loggregator, versions 89.x prior to 89.5 or 96.x prior t ...) NOT-FOR-US: Cloud Foundry CVE-2018-1267 (Cloud Foundry Silk CNI plugin, versions prior to 0.2.0, contains an im ...) NOT-FOR-US: Cloud Foundry CVE-2018-1266 (Cloud Foundry Cloud Controller, versions prior to 1.52.0, contains inf ...) NOT-FOR-US: Cloud Foundry CVE-2018-1265 (Cloud Foundry Diego, release versions prior to 2.8.0, does not properl ...) NOT-FOR-US: Cloud Foundry CVE-2018-1264 (Cloud Foundry Log Cache, versions prior to 1.1.1, logs its UAA client ...) NOT-FOR-US: Cloud Foundry CVE-2018-1263 (Addresses partial fix in CVE-2018-1261. Pivotal spring-integration-zip ...) NOT-FOR-US: Spring-integration-zip CVE-2018-1262 (Cloud Foundry Foundation UAA, versions 4.12.X and 4.13.X, introduced a ...) NOT-FOR-US: Cloud Foundry Foundation UAA CVE-2018-1261 (Spring-integration-zip versions prior to 1.0.1 exposes an arbitrary fi ...) NOT-FOR-US: Spring-integration-zip CVE-2018-1260 (Spring Security OAuth, versions 2.3 prior to 2.3.3, 2.2 prior to 2.2.2 ...) NOT-FOR-US: Spring Security OAuth CVE-2018-1259 (Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2 ...) NOT-FOR-US: Spring Data Commons CVE-2018-1258 (Spring Framework version 5.0.5 when used in combination with any versi ...) - libspring-security-2.0-java [jessie] - libspring-security-2.0-java (Affected version not in jessie) NOTE: https://pivotal.io/security/cve-2018-1258 CVE-2018-1257 (Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior ...) - libspring-java 4.3.19-1 [stretch] - libspring-java (Minor issue) [jessie] - libspring-java (hard to find upstream commits regarding this) NOTE: https://pivotal.io/security/cve-2018-1257 CVE-2018-1256 (Spring Cloud SSO Connector, version 2.1.2, contains a regression which ...) NOT-FOR-US: Spring Cloud SSO Connector CVE-2018-1255 (RSA Identity Lifecycle and Governance versions 7.0.1, 7.0.2 and 7.1.0 ...) NOT-FOR-US: RSA CVE-2018-1254 (RSA Authentication Manager Security Console, versions 8.3 P1 and earli ...) NOT-FOR-US: RSA Authentication Manager Security Console CVE-2018-1253 (RSA Authentication Manager Operation Console, versions 8.3 P1 and earl ...) NOT-FOR-US: RSA Authentication Manager Operation Console CVE-2018-1252 (RSA Web Threat Detection versions prior to 6.4, contain an SQL injecti ...) NOT-FOR-US: RSA Web Threat Detection CVE-2018-1251 (Dell EMC Unity and UnityVSA versions prior to 4.3.1.1525703027 contain ...) NOT-FOR-US: EMC Unity and UnityVSA CVE-2018-1250 (Dell EMC Unity and UnityVSA versions prior to 4.3.1.1525703027 contain ...) NOT-FOR-US: EMC Unity and UnityVSA CVE-2018-1249 (Dell EMC iDRAC9 versions prior to 3.21.21.21 did not enforce the use o ...) NOT-FOR-US: EMC CVE-2018-1248 (RSA Authentication Manager Security Console, Operation Console and Sel ...) NOT-FOR-US: RSA Authentication Mamager CVE-2018-1247 (RSA Authentication Manager Security Console, version 8.3 and earlier, ...) NOT-FOR-US: RSA Authentication Manager CVE-2018-1246 (Dell EMC Unity and UnityVSA contains reflected cross-site scripting vu ...) NOT-FOR-US: EMC Unity and UnityVSA CVE-2018-1245 (RSA Identity Lifecycle and Governance versions 7.0.1, 7.0.2 and 7.1.0 ...) NOT-FOR-US: RSA CVE-2018-1244 (Dell EMC iDRAC7/iDRAC8, versions prior to 2.60.60.60, and iDRAC9 versi ...) NOT-FOR-US: EMC CVE-2018-1243 (Dell EMC iDRAC6, versions prior to 2.91, iDRAC7/iDRAC8, versions prior ...) NOT-FOR-US: EMC CVE-2018-1242 (Dell EMC RecoverPoint versions prior to 5.1.2 and RecoverPoint for VMs ...) NOT-FOR-US: Dell CVE-2018-1241 (Dell EMC RecoverPoint versions prior to 5.1.2 and RecoverPoint for VMs ...) NOT-FOR-US: Dell CVE-2018-1240 (Dell EMC ViPR Controller, versions after 3.0.0.38, contain an informat ...) NOT-FOR-US: EMC ViPR Controller CVE-2018-1239 (Dell EMC Unity Operating Environment (OE) versions prior to 4.3.0.1522 ...) NOT-FOR-US: EMC Unity Operating Environment CVE-2018-1238 (Dell EMC ScaleIO versions prior to 2.5, contain a command injection vu ...) NOT-FOR-US: EMC ScaleIO CVE-2018-1237 (Dell EMC ScaleIO versions prior to 2.5, contain improper restriction o ...) NOT-FOR-US: EMC ScaleIO CVE-2018-1236 REJECTED CVE-2018-1235 (Dell EMC RecoverPoint versions prior to 5.1.2 and RecoverPoint for VMs ...) NOT-FOR-US: Dell CVE-2018-1234 (RSA Authentication Agent version 8.0.1 and earlier for Web for IIS is ...) NOT-FOR-US: RSA Authentication Agent CVE-2018-1233 (RSA Authentication Agent version 8.0.1 and earlier for Web for both II ...) NOT-FOR-US: RSA Authentication Agent CVE-2018-1232 (RSA Authentication Agent version 8.0.1 and earlier for Web for both II ...) NOT-FOR-US: RSA Authentication Agent CVE-2018-1231 (Cloud Foundry BOSH CLI, versions prior to v3.0.1, contains an improper ...) NOT-FOR-US: Cloud Foundry CVE-2018-1230 (Pivotal Spring Batch Admin, all versions, does not contain cross site ...) NOT-FOR-US: Pivotal CVE-2018-1229 (Pivotal Spring Batch Admin, all versions, contains a stored XSS vulner ...) NOT-FOR-US: Pivotal CVE-2018-1228 REJECTED CVE-2018-1227 (Pivotal Concourse after 2018-03-05 might allow remote attackers to hav ...) NOT-FOR-US: Pivotal CVE-2018-1226 REJECTED CVE-2018-1225 REJECTED CVE-2018-1224 REJECTED CVE-2018-1223 (Cloud Foundry Container Runtime (kubo-release), versions prior to 0.14 ...) NOT-FOR-US: Cloud Foundry CVE-2018-1222 REJECTED CVE-2018-1221 (In cf-deployment before 1.14.0 and routing-release before 0.172.0, the ...) NOT-FOR-US: Cloud Foundry CVE-2018-1220 (EMC RSA Archer, versions prior to 6.2.0.8, contains a redirect vulnera ...) NOT-FOR-US: EMC RSA Archer CVE-2018-1219 (EMC RSA Archer, versions prior to 6.2.0.8, contains an improper access ...) NOT-FOR-US: EMC RSA Archer CVE-2018-1218 (In Dell EMC NetWorker versions prior to 9.2.1.1, versions prior to 9.1 ...) NOT-FOR-US: EMC NetWorker CVE-2018-1217 (Avamar Installation Manager in Dell EMC Avamar Server 7.3.1, 7.4.1, an ...) NOT-FOR-US: EMC Avamar Server CVE-2018-1216 (A hard-coded password vulnerability was discovered in vApp Manager whi ...) NOT-FOR-US: EMC CVE-2018-1215 (An arbitrary file upload vulnerability was discovered in vApp Manager ...) NOT-FOR-US: EMC CVE-2018-1214 (Dell EMC SupportAssist Enterprise version 1.1 creates a local Windows ...) NOT-FOR-US: EMC CVE-2018-1213 (Dell EMC Isilon OneFS versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8. ...) NOT-FOR-US: Dell CVE-2018-1212 (The web-based diagnostics console in Dell EMC iDRAC6 (Monolithic versi ...) NOT-FOR-US: EMC CVE-2018-1211 (Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain a path t ...) NOT-FOR-US: Dell EMC iDRAC7/iDRAC8 CVE-2018-1210 REJECTED CVE-2018-1209 REJECTED CVE-2018-1208 REJECTED CVE-2018-1207 (Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain CGI inje ...) NOT-FOR-US: Dell EMC iDRAC7/iDRAC8 CVE-2018-1206 (Dell EMC Data Protection Advisor versions prior to 6.3 Patch 159 and D ...) NOT-FOR-US: EMC Data Protection Advisor CVE-2018-1205 (Dell EMC ScaleIO, versions prior to 2.5, do not properly handle some p ...) NOT-FOR-US: EMC ScaleIO CVE-2018-1204 (Dell EMC Isilon OneFS versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8. ...) NOT-FOR-US: Dell CVE-2018-1203 (In Dell EMC Isilon OneFS, the compadmin is able to run tcpdump binary ...) NOT-FOR-US: Dell CVE-2018-1202 (Dell EMC Isilon versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, ...) NOT-FOR-US: Dell CVE-2018-1201 (Dell EMC Isilon versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, ...) NOT-FOR-US: Dell CVE-2018-1200 (Apps Manager for PCF (Pivotal Application Service 1.11.x before 1.11.2 ...) NOT-FOR-US: Pivotal CVE-2018-1199 (Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2. ...) - libspring-java 4.3.14-1 (bug #890001) [stretch] - libspring-java (Minor issue) [wheezy] - libspring-java (Too intrusive to fix by upgrade) [jessie] - libspring-java (fix for spring-security available but not for springframework) - libspring-security-java (bug #582181) NOTE: https://pivotal.io/security/cve-2018-1199 CVE-2018-1198 (Pivotal Cloud Cache, versions prior to 1.3.1, prints a superuser passw ...) NOT-FOR-US: Pivotal Cloud Cache CVE-2018-1197 (In Windows Stemcells versions prior to 1200.14, apps running inside co ...) NOT-FOR-US: Windows Stemcells CVE-2018-1196 (Spring Boot supports an embedded launch script that can be used to eas ...) NOT-FOR-US: Spring Boot CVE-2018-1195 (In Cloud Controller versions prior to 1.46.0, cf-deployment versions p ...) NOT-FOR-US: Cloud Foundry CVE-2018-1194 REJECTED CVE-2018-1193 (Cloud Foundry routing-release, versions prior to 0.175.0, lacks saniti ...) NOT-FOR-US: Cloud Foundry CVE-2018-1192 (In Cloud Foundry Foundation cf-release versions prior to v285; cf-depl ...) NOT-FOR-US: Cloud Foundry CVE-2018-1191 (Cloud Foundry Garden-runC, versions prior to 1.11.0, contains an infor ...) NOT-FOR-US: Cloud Foundry CVE-2018-1190 (An issue was discovered in these Pivotal Cloud Foundry products: all v ...) NOT-FOR-US: Pivotal CVE-2018-1189 (Dell EMC Isilon versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, ...) NOT-FOR-US: Dell CVE-2018-1188 (Dell EMC Isilon versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, ...) NOT-FOR-US: Dell CVE-2018-1187 (Dell EMC Isilon versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, ...) NOT-FOR-US: Dell CVE-2018-1186 (Dell EMC Isilon versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, ...) NOT-FOR-US: Dell CVE-2018-1185 (An issue was discovered in EMC RecoverPoint for Virtual Machines versi ...) NOT-FOR-US: EMC CVE-2018-1184 (An issue was discovered in EMC RecoverPoint for Virtual Machines versi ...) NOT-FOR-US: EMC CVE-2018-1183 (In Dell EMC Unisphere for VMAX Virtual Appliance versions prior to 8.4 ...) NOT-FOR-US: EMC CVE-2018-1182 (An issue was discovered in EMC RSA Identity Governance and Lifecycle v ...) NOT-FOR-US: EMC CVE-2018-1181 REJECTED CVE-2017-17447 RESERVED CVE-2017-17445 RESERVED CVE-2017-17444 RESERVED CVE-2017-17443 (OPC Foundation Local Discovery Server (LDS) 1.03.370 required a securi ...) NOT-FOR-US: OPC Foundation Local Discovery Server CVE-2017-17442 (In BlackBerry UEM Management Console version 12.7.1 and earlier, a ref ...) NOT-FOR-US: BlackBerry CVE-2017-17441 RESERVED CVE-2017-17446 (The Mem_File_Reader::read_avail function in Data_Reader.cpp in the Gam ...) - game-music-emu 0.6.2-1 (bug #883691) [stretch] - game-music-emu (Minor issue) [jessie] - game-music-emu (Minor issue) [wheezy] - game-music-emu (Minor issue) NOTE: https://bitbucket.org/mpyne/game-music-emu/issues/14/addresssanitizer-negative-size-param-size NOTE: Patch: https://bitbucket.org/mpyne/game-music-emu/commits/205290614cdc057541b26adeea05a9d45993f860 NOTE: Additional hardening: https://bitbucket.org/mpyne/game-music-emu/commits/4a441e94cba14268bc4e983d4dfd6ed112084d00 CVE-2017-17440 (GNU Libextractor 1.6 allows remote attackers to cause a denial of serv ...) - libextractor 1:1.6-2 (bug #883528) [stretch] - libextractor 1:1.3-4+deb9u1 [jessie] - libextractor 1:1.3-2+deb8u1 [wheezy] - libextractor (Minor issue) NOTE: Fixed by: https://git.gnunet.org/libextractor.git/commit/?id=7cc63b001ceaf81143795321379c835486d0c92e CVE-2017-17439 (In Heimdal through 7.4, remote unauthenticated attackers are able to c ...) {DSA-4055-1} - heimdal 7.5.0+dfsg-1 (bug #878144) [jessie] - heimdal (Vulnerability introduced in 7.0) [wheezy] - heimdal (Vulnerability introduced in 7.0) NOTE: https://github.com/heimdal/heimdal/issues/353 NOTE: Fixed by: https://github.com/heimdal/heimdal/commit/749d377fa357351a7bbba51f8aae72cdf0629592 (7.1) NOTE: Fixed by: https://github.com/heimdal/heimdal/commit/1a6a6e462dc2ac6111f9e02c6852ddec4849b887 (master) CVE-2017-17438 RESERVED CVE-2017-17437 RESERVED CVE-2017-17436 (An issue was discovered in the software on Vaultek Gun Safe VT20i prod ...) NOT-FOR-US: Vaultek Gun Safe CVE-2017-17435 (An issue was discovered in the software on Vaultek Gun Safe VT20i prod ...) NOT-FOR-US: Vaultek Gun Safe CVE-2017-17434 (The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, do ...) {DSA-4068-1 DLA-1218-1} - rsync 3.1.2-2.1 (bug #883665) NOTE: https://git.samba.org/?p=rsync.git;a=commit;h=5509597decdbd7b91994210f700329d8a35e70a1 NOTE: https://git.samba.org/?p=rsync.git;a=commit;h=70aeb5fddd1b2f8e143276f8d5a085db16c593b9 CVE-2017-17433 (The recv_files function in receiver.c in the daemon in rsync 3.1.2, an ...) {DSA-4068-1 DLA-1218-1} - rsync 3.1.2-2.1 (bug #883667) NOTE: https://git.samba.org/?p=rsync.git;a=commit;h=3e06d40029cfdce9d0f73d87cfd4edaf54be9c51 CVE-2017-17431 (GeniXCMS 1.1.5 has XSS via the from, id, lang, menuid, mod, q, status, ...) NOT-FOR-US: GeniXCMS CVE-2017-17430 (Sangoma NetBorder / Vega Session Controller before 2.3.12-80-GA allows ...) NOT-FOR-US: Sangoma NetBorder / Vega Session Controller CVE-2017-17429 (In K7 Antivirus Premium before 15.1.0.53, user-controlled input to the ...) NOT-FOR-US: K7 Antivirus CVE-2017-17428 (Cavium Nitrox SSL, Nitrox V SSL, and TurboSSL software development kit ...) NOT-FOR-US: Cisco ACE NOTE: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171212-bleichenbacher NOTE: https://robotattack.org/ CVE-2017-17427 (Radware Alteon devices with a firmware version between 31.0.0.0-31.0.3 ...) NOT-FOR-US: Radware NOTE: https://portals.radware.com/getattachment/21be0b7b-fa1c-4cbc-8bd2-c19946aee270/Security-Advisory-Adaptive-chosen-ciphertext-atta/ NOTE: https://robotattack.org/ CVE-2017-17426 (The malloc function in the GNU C Library (aka glibc or libc6) 2.26 cou ...) - glibc (Issue introduced in glibc-2.26 with addition of per-thread cache to malloc) - eglibc (Issue introduced in glibc-2.26 with addition of per-thread cache to malloc) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22375 NOTE: Introduced by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d5c3fafc4307c9b7a4c7d5cb381fcdbfad340bcc NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=34697694e8a93b325b18f25f7dcded55d6baeaf6 NOTE: The upload of 2.26-0experimental2 to experimental fixed the issue (cf. #883729). CVE-2017-1000410 (The Linux kernel version 3.3-rc1 and later is affected by a vulnerabil ...) {DSA-4082-1 DSA-4073-1} - linux 4.14.7-1 [wheezy] - linux (Vulnerable code introduced in 3.3) NOTE: http://www.openwall.com/lists/oss-security/2017/12/06/3 CVE-2017-1000409 (A buffer overflow in glibc 2.5 (released on September 29, 2006) and ca ...) - glibc 2.25-5 (bug #884133) [stretch] - glibc 2.24-11+deb9u4 [jessie] - glibc (Minor issue) - eglibc [wheezy] - eglibc (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/12/11/4 CVE-2017-1000408 (A memory leak in glibc 2.1.1 (released on May 24, 1999) can be reached ...) - glibc 2.25-5 (bug #884132) [stretch] - glibc 2.24-11+deb9u4 [jessie] - glibc (Minor issue) - eglibc [wheezy] - eglibc (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/12/11/4 CVE-2017-17432 (OpenAFS 1.x before 1.6.22 does not properly validate Rx ack packets, w ...) {DSA-4067-1 DLA-1213-1} - openafs 1.6.22-1 (bug #883602) NOTE: https://www.openafs.org/pages/security/OPENAFS-SA-2017-001.txt CVE-2018-1180 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-1179 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-1178 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-1177 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-1176 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-1175 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-1174 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2018-1173 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2018-1172 (This vulnerability allows remote attackers to deny service on vulnerab ...) [experimental] - squid 4.0.21-1~exp5 (unimportant) - squid 4.1-1 (unimportant) [wheezy] - squid (Vunerable code introduced in 3.1) - squid3 (unimportant) NOTE: src:squid as source package reintroduced for 4.x in experimental NOTE: http://www.squid-cache.org/Advisories/SQUID-2018_3.txt NOTE: Squid 3.5 patch: http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2018_3.patch NOTE: Only affects custom builds with OpenSSL support enabled CVE-2018-1171 (This vulnerability allows local attackers to escalate privileges on vu ...) NOT-FOR-US: Joyent SmartOS CVE-2018-1170 (This vulnerability allows adjacent attackers to inject arbitrary Contr ...) NOT-FOR-US: Volkswagen Customer-Link App and HTC Customer-Link Bridge CVE-2018-1169 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Amazon Music Player CVE-2018-1168 (This vulnerability allows local attackers to escalate privileges on vu ...) NOT-FOR-US: ABB MicroSCADA CVE-2018-1167 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Spotify Music Player CVE-2018-1166 (This vulnerability allows local attackers to escalate privileges on vu ...) NOT-FOR-US: Joyent SmartOS CVE-2018-1165 (This vulnerability allows local attackers to escalate privileges on vu ...) NOT-FOR-US: Joyent SmartOS CVE-2018-1164 (This vulnerability allows remote attackers to cause a denial-of-servic ...) NOT-FOR-US: ZyXEL CVE-2018-1163 (This vulnerability allows remote attackers to bypass authentication on ...) NOT-FOR-US: Quest NetVault Backup CVE-2018-1162 (This vulnerability allows remote attackers to create a denial-of-servi ...) NOT-FOR-US: Quest NetVault Backup CVE-2018-1161 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2018-1160 (Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_ ...) {DSA-4356-1} - netatalk 2.2.6-2 (bug #916930) NOTE: https://bugzilla.samba.org/show_bug.cgi?id=13711 CVE-2018-1159 (Mikrotik RouterOS before 6.42.7 and 6.40.9 is vulnerable to a memory c ...) NOT-FOR-US: Mikrotik RouterOS CVE-2018-1158 (Mikrotik RouterOS before 6.42.7 and 6.40.9 is vulnerable to a stack ex ...) NOT-FOR-US: Mikrotik RouterOS CVE-2018-1157 (Mikrotik RouterOS before 6.42.7 and 6.40.9 is vulnerable to a memory e ...) NOT-FOR-US: Mikrotik RouterOS CVE-2018-1156 (Mikrotik RouterOS before 6.42.7 and 6.40.9 is vulnerable to stack buff ...) NOT-FOR-US: Mikrotik RouterOS CVE-2018-1155 (In SecurityCenter versions prior to 5.7.0, a cross-site scripting (XSS ...) NOT-FOR-US: SecurityCenter CVE-2018-1154 (In SecurityCenter versions prior to 5.7.0, a username enumeration issu ...) NOT-FOR-US: SecurityCenter CVE-2018-1153 (Burp Suite Community Edition 1.7.32 and 1.7.33 fail to validate the se ...) NOT-FOR-US: Burp Suite (different from src:burp) CVE-2018-1152 (libjpeg-turbo 1.5.90 is vulnerable to a denial of service vulnerabilit ...) {DLA-1638-1} [experimental] - libjpeg-turbo 1:2.0.2-1~exp1 - libjpeg-turbo (low; bug #902950) [buster] - libjpeg-turbo (Minor issue) [stretch] - libjpeg-turbo (Minor issue) NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/43e84cff1bb2bd8293066f6ac4eb0df61ddddbc6 CVE-2018-1151 (The web server on Western Digital TV Media Player 1.03.07 and TV Live ...) NOT-FOR-US: web server on Western Digital TV Media Player and TV Live Hub CVE-2018-1150 (NUUO's NVRMini2 3.8.0 and below contains a backdoor that would allow a ...) NOT-FOR-US: NUUO CVE-2018-1149 (cgi_system in NUUO's NVRMini2 3.8.0 and below allows remote attackers ...) NOT-FOR-US: NUUO CVE-2018-1148 (In Nessus before 7.1.0, Session Fixation exists due to insufficient se ...) NOT-FOR-US: Nessus CVE-2018-1147 (In Nessus before 7.1.0, a XSS vulnerability exists due to improper inp ...) NOT-FOR-US: Nessus CVE-2018-1146 (A remote unauthenticated user can enable telnet on the Belkin N750 usi ...) NOT-FOR-US: Belkin CVE-2018-1145 (A remote unauthenticated user can overflow a stack buffer in the Belki ...) NOT-FOR-US: Belkin CVE-2018-1144 (A remote unauthenticated user can execute commands as root in the Belk ...) NOT-FOR-US: Belkin CVE-2018-1143 (A remote unauthenticated user can execute commands as root in the Belk ...) NOT-FOR-US: Belkin CVE-2018-1142 (Tenable Appliance versions 4.6.1 and earlier have been found to contai ...) NOT-FOR-US: Tenable CVE-2018-1141 (When installing Nessus to a directory outside of the default location, ...) NOT-FOR-US: Nessus CVE-2017-17425 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17424 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17423 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17422 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17421 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17420 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17419 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17418 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17417 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17416 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17415 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17414 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17413 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17412 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17411 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: web management portal of Linksys WVBR0 WVBR0 CVE-2017-17410 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Bitdefender Internet Security 2018 CVE-2017-17409 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Bitdefender Internet Security 2018 CVE-2017-17408 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Bitdefender Internet Security 2018 CVE-2017-17407 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: NetGain CVE-2017-17406 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: NetGain CVE-2017-17405 (Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, get ...) {DSA-4259-1 DLA-1421-1 DLA-1222-1 DLA-1221-1} - ruby2.5 2.5.0~rc1-1 (bug #884437) - ruby2.3 2.3.6-1 (bug #884438) - ruby2.1 - ruby1.9.1 - ruby1.8 NOTE: https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/ NOTE: https://github.com/ruby/ruby/commit/6d3f72e5be2312be312f2acbf3465b05293c1431 NOTE: ruby2.3: https://github.com/ruby/ruby/commit/1cfe43fd85c66a9e2b5068480b3e043c31e6b8ca NOTE: ruby2.3: https://github.com/ruby/ruby/commit/3ec034c597e6d40543bb844dc8f96645bef4bed2 CVE-2017-17404 RESERVED CVE-2017-17403 RESERVED CVE-2017-17402 RESERVED CVE-2017-17401 RESERVED CVE-2017-17400 RESERVED CVE-2017-17399 RESERVED CVE-2017-17398 RESERVED CVE-2017-17397 RESERVED CVE-2017-17396 RESERVED CVE-2017-17395 RESERVED CVE-2017-17394 RESERVED CVE-2017-17393 RESERVED CVE-2017-17392 RESERVED CVE-2017-17391 RESERVED CVE-2017-17390 RESERVED CVE-2017-17389 RESERVED CVE-2017-17388 RESERVED CVE-2017-17387 RESERVED CVE-2017-17386 RESERVED CVE-2017-17385 RESERVED CVE-2017-17384 (ISPConfig 3.x before 3.1.9 allows remote authenticated users to obtain ...) NOT-FOR-US: ISPConfig CVE-2017-17383 (Jenkins through 2.93 allows remote authenticated administrators to con ...) - jenkins CVE-2017-17382 (Citrix NetScaler Application Delivery Controller (ADC) and NetScaler G ...) NOT-FOR-US: Citrix NOTE: https://support.citrix.com/article/CTX230238 NOTE: https://robotattack.org/ CVE-2017-17381 (The Virtio Vring implementation in QEMU allows local OS guest users to ...) {DSA-4213-1} - qemu 1:2.11+dfsg-1 (bug #883625) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Can be fixed along in later update) - qemu-kvm [wheezy] - qemu-kvm (Can be fixed along in later update) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-12/msg00166.html CVE-2018-1140 (A missing input sanitization flaw was found in the implementation of L ...) - samba 2:4.8.4+dfsg-1 [stretch] - samba (Only affects Samba 4.8.0 onwards) [jessie] - samba (Only affects Samba 4.8.0 onwards) NOTE: https://www.samba.org/samba/security/CVE-2018-1140.html CVE-2018-1139 (A flaw was found in the way samba before 4.7.9 and 4.8.4 allowed the u ...) - samba 2:4.8.4+dfsg-1 [stretch] - samba (Issue introduced in 4.7.0) [jessie] - samba (Issue introduced in 4.7.0) NOTE: https://www.samba.org/samba/security/CVE-2018-1139.html CVE-2018-1138 RESERVED CVE-2018-1137 (An issue was discovered in Moodle 3.x. By substituting URLs in portfol ...) - moodle CVE-2018-1136 (An issue was discovered in Moodle 3.x. An authenticated user is allowe ...) - moodle CVE-2018-1135 (An issue was discovered in Moodle 3.x. Students who posted on forums a ...) - moodle CVE-2018-1134 (An issue was discovered in Moodle 3.x. Students who submitted assignme ...) - moodle CVE-2018-1133 (An issue was discovered in Moodle 3.x. A Teacher creating a Calculated ...) - moodle CVE-2018-1132 (A flaw was found in Opendaylight's SDNInterfaceapp (SDNI). Attackers c ...) NOT-FOR-US: OpenDaylight CVE-2018-1131 (Infinispan permits improper deserialization of trusted data via XML an ...) NOT-FOR-US: infinispan CVE-2018-1130 (Linux kernel before version 4.16-rc7 is vulnerable to a null pointer d ...) {DLA-1423-1 DLA-1422-1 DLA-1392-1} - linux 4.15.17-1 [stretch] - linux 4.9.107-1 NOTE: Fixed by: https://git.kernel.org/linus/67f93df79aeefc3add4e4b31a752600f834236e2 CVE-2018-1129 (A flaw was found in the way signature calculation was handled by cephx ...) {DSA-4339-1 DLA-1715-1} - linux 4.19.9-1 [stretch] - linux 4.9.144-1 [jessie] - linux (Message signatures not implemented) NOTE: https://git.kernel.org/linus/cc255c76c70f7a87d97939621eae04b600d9f4a1 - ceph 12.2.8+dfsg1-1 (bug #913472) [jessie] - ceph (Intrusive changes) NOTE: http://tracker.ceph.com/issues/24837 NOTE: https://github.com/ceph/ceph/commit/8f396cf35a3826044b089141667a196454c0a587 CVE-2018-1128 (It was found that cephx authentication protocol did not verify ceph cl ...) {DSA-4339-1 DLA-1715-1} - linux 4.19.9-1 [stretch] - linux 4.9.144-1 [jessie] - linux (Protocol change is too difficult) NOTE: https://git.kernel.org/linus/6daca13d2e72bedaaacfc08f873114c9307d5aea - ceph 12.2.8+dfsg1-1 (bug #913471) [jessie] - ceph (Intrusive changes) NOTE: http://tracker.ceph.com/issues/24836 NOTE: https://github.com/ceph/ceph/commit/5ead97120e07054d80623dada90a5cc764c28468 CVE-2018-1127 (Tendrl API in Red Hat Gluster Storage before 3.4.0 does not immediatel ...) NOT-FOR-US: tendrl-api CVE-2018-1126 (procps-ng before version 3.3.15 is vulnerable to an incorrect integer ...) {DSA-4208-1 DLA-1390-1} - procps 2:3.3.15-1 (bug #899170) NOTE: http://www.openwall.com/lists/oss-security/2018/05/17/1 NOTE: https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt NOTE: Patch: 0035-proc-alloc.-Use-size_t-not-unsigned-int.patch NOTE: https://gitlab.com/procps-ng/procps/commit/f1077b7a558a5545837aae068422e58f1f9b1d33 CVE-2018-1125 (procps-ng before version 3.3.15 is vulnerable to a stack buffer overfl ...) {DSA-4208-1 DLA-1390-1} - procps 2:3.3.15-1 (bug #899170) NOTE: http://www.openwall.com/lists/oss-security/2018/05/17/1 NOTE: https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt NOTE: Patch: 0008-pgrep-Prevent-a-potential-stack-based-buffer-overflo.patch NOTE: https://gitlab.com/procps-ng/procps/commit/b51ca2a1f8ca779f7632ade6a0a259ed882fa584 CVE-2018-1124 (procps-ng before version 3.3.15 is vulnerable to multiple integer over ...) {DSA-4208-1 DLA-1390-1} - procps 2:3.3.15-1 (bug #899170) NOTE: http://www.openwall.com/lists/oss-security/2018/05/17/1 NOTE: https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt NOTE: Patch: 0074-proc-readproc.c-Fix-bugs-and-overflows-in-file2strve.patch NOTE: https://gitlab.com/procps-ng/procps/commit/36c350f07c75aabf747fb833f52a234ae5781b20 CVE-2018-1123 (procps-ng before version 3.3.15 is vulnerable to a denial of service i ...) {DSA-4208-1 DLA-1390-1} - procps 2:3.3.15-1 (bug #899170) NOTE: http://www.openwall.com/lists/oss-security/2018/05/17/1 NOTE: https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt NOTE: Patch: 0054-ps-output.c-Fix-outbuf-overflows-in-pr_args-etc.patch NOTE: https://gitlab.com/procps-ng/procps/commit/136e3724952827bbae8887a42d9d2b6f658a48ab CVE-2018-1122 (procps-ng before version 3.3.15 is vulnerable to a local privilege esc ...) {DSA-4208-1 DLA-1390-1} - procps 2:3.3.15-1 (bug #899170) NOTE: http://www.openwall.com/lists/oss-security/2018/05/17/1 NOTE: https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt NOTE: Patch: 0097-top-Do-not-default-to-the-cwd-in-configs_read.patch NOTE: https://gitlab.com/procps-ng/procps/commit/b45c4803dd176f4e3f9d3d47421ddec9bbbe66cd CVE-2018-1121 (procps-ng, procps is vulnerable to a process hiding through race condi ...) - linux (unimportant) NOTE: http://www.openwall.com/lists/oss-security/2018/05/17/1 NOTE: https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt CVE-2018-1120 (A flaw was found affecting the Linux kernel before version 4.17. By mm ...) {DLA-1423-1} - linux 4.16.12-1 [stretch] - linux 4.9.107-1 [jessie] - linux (Too risky to backport) NOTE: http://www.openwall.com/lists/oss-security/2018/05/17/1 NOTE: https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt NOTE: Fixed by: https://git.kernel.org/linus/7f7ccc2ccc2e70c6054685f5e3522efa81556830 CVE-2018-1119 REJECTED CVE-2018-1118 (Linux kernel vhost since version 4.8 does not properly initialize memo ...) {DLA-1423-1} - linux 4.17.3-1 [stretch] - linux 4.9.110-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: https://lkml.org/lkml/2018/4/27/833 NOTE: Fixed by: https://git.kernel.org/linus/670ae9caaca467ea1bfd325cb2a5c98ba87f94ad CVE-2018-1117 (ovirt-ansible-roles before version 1.0.6 has a vulnerability due to a ...) NOT-FOR-US: ovirt-ansible-roles CVE-2018-1116 (A flaw was found in polkit before version 0.116. The implementation of ...) {DLA-1448-1} - policykit-1 0.105-21 (bug #903563) [stretch] - policykit-1 (Minor issue; can be fixed via point release) NOTE: https://cgit.freedesktop.org/polkit/commit/?id=bc7ffad53643a9c80231fc41f5582d6a8931c32c NOTE: https://lists.freedesktop.org/archives/polkit-devel/2018-July/000583.html NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1099031 CVE-2018-1115 (postgresql before versions 10.4, 9.6.9 is vulnerable in the adminpack ...) - postgresql-10 10.4-1 - postgresql-9.6 [stretch] - postgresql-9.6 9.6.9-0+deb9u1 - postgresql-9.4 [jessie] - postgresql-9.4 (Code not present) - postgresql-9.1 [jessie] - postgresql-9.1 (Code not present) [wheezy] - postgresql-9.1 (Code not present) CVE-2018-1114 (It was found that URLResource.getLastModified() in Undertow closes the ...) - undertow 1.4.25-1 (bug #897247) NOTE: https://issues.jboss.org/browse/UNDERTOW-1338 NOTE: https://github.com/undertow-io/undertow/commit/882d5884f2614944a0c2ae69bafd9d13bfc5b64a NOTE: https://bugs.openjdk.java.net/browse/JDK-6956385 CVE-2018-1113 (setup before version 2.11.4-1.fc28 in Fedora and Red Hat Enterprise Li ...) NOT-FOR-US: Red Hat specific CVE assignment for Red Hat / Fedora setups (nologin listed in /etc/shells violates security expectations) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1571094 CVE-2018-1112 (glusterfs server before versions 3.10.12, 4.0.2 is vulnerable when usi ...) - glusterfs (Fix for CVE-2018-1088 was not applied/ incomplete fix not applied) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1570891 CVE-2018-1111 (DHCP packages in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earl ...) NOT-FOR-US: Red Hat Specific script NOTE: https://access.redhat.com/security/vulnerabilities/3442151 CVE-2018-1110 [Improper Input Validation] RESERVED - knot-resolver 2.3.0-1 (bug #896681) NOTE: http://www.openwall.com/lists/oss-security/2018/04/23/2 CVE-2018-1109 RESERVED - node-braces (Vulnerable code introduced in 2.2.0) NOTE: https://snyk.io/vuln/npm:braces:20180219 NOTE: Introduced by: https://github.com/micromatch/braces/commit/dcc1acab4de9a43e86ab4be4acde209ff1dca113 (2.2.0) NOTE: Fixed by: https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451 (2.3.1) NOTE: Cf. analysis in https://bugs.debian.org/927716#38 CVE-2018-1108 (kernel drivers before version 4.17-rc1 are vulnerable to a weakness in ...) - linux 4.16.5-1 [stretch] - linux (Can't be fixed without many user-space changes) [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/43838a23a05fbd13e47d750d3dfd77001536dd33 NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1559 CVE-2018-1107 RESERVED NOT-FOR-US: is-my-json-valid package for Node.js CVE-2018-1106 (An authentication bypass flaw has been found in PackageKit before 1.1. ...) {DSA-4207-1} - packagekit 1.1.10-1 (bug #896703) [jessie] - packagekit (Issue introduced later) [wheezy] - packagekit (Issue introduced later) NOTE: http://www.openwall.com/lists/oss-security/2018/04/23/3 NOTE: Fixed by: https://github.com/hughsie/PackageKit/commit/7e8a7905ea9abbd1f384f05f36a4458682cd4697 (PACKAGEKIT_1_1_10) NOTE: Introduced by: https://github.com/hughsie/PackageKit/commit/f176976e24e8c17b80eff222572275517c16bdad NOTE: Resulting affected (upstream) versions: >= 1.0.10 up until current 1.1.9 CVE-2018-1105 RESERVED CVE-2018-1104 (Ansible Tower through version 3.2.3 has a vulnerability that allows us ...) NOT-FOR-US: Ansible Tower CVE-2018-1103 (Openshift Enterprise source-to-image before version 1.1.10 is vulnerab ...) NOT-FOR-US: source-to-image in OpenShift CVE-2018-1102 (A flaw was found in source-to-image function as shipped with Openshift ...) NOT-FOR-US: source-to-image in OpenShift CVE-2018-1101 (Ansible Tower before version 3.2.4 has a flaw in the management of sys ...) NOT-FOR-US: Ansible Tower CVE-2018-1100 (zsh through version 5.4.2 is vulnerable to a stack-based buffer overfl ...) - zsh 5.5-1 (bug #895225) [stretch] - zsh (Minor issue) [jessie] - zsh (Minor issue) [wheezy] - zsh (Minor issue) NOTE: https://www.zsh.org/cgi-bin/mla/redirect?WORKERNUMBER=42607 NOTE: https://sourceforge.net/p/zsh/code/ci/31f72205630687c1cef89347863aab355296a27f/ CVE-2018-1099 (DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attack ...) - etcd (low; bug #921156) [buster] - etcd (Minor issue) NOTE: https://github.com/coreos/etcd/issues/9353 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1552717 CVE-2018-1098 (A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. ...) - etcd (low; bug #921156) [buster] - etcd (Minor issue) NOTE: https://github.com/coreos/etcd/issues/9353 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1552714 CVE-2018-1097 (A flaw was found in foreman before 1.16.1. The issue allows users with ...) - foreman (bug #663101) NOTE: https://projects.theforeman.org/issues/22546 NOTE: https://github.com/theforeman/foreman/pull/5369 CVE-2018-1096 (An input sanitization flaw was found in the id field in the dashboard ...) - foreman (bug #663101) NOTE: http://projects.theforeman.org/issues/23028 NOTE: https://github.com/theforeman/foreman/pull/5363 CVE-2018-1095 (The ext4_xattr_check_entries function in fs/ext4/xattr.c in the Linux ...) - linux 4.16.5-1 [stretch] - linux (Vulnerable code introduced later) [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199185 CVE-2018-1094 (The ext4_fill_super function in fs/ext4/super.c in the Linux kernel th ...) - linux 4.15.17-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code introduced later) NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199183 CVE-2018-1093 (The ext4_valid_block_bitmap function in fs/ext4/balloc.c in the Linux ...) {DSA-4188-1 DLA-1422-1 DLA-1392-1} - linux 4.15.17-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199181 CVE-2018-1092 (The ext4_iget function in fs/ext4/inode.c in the Linux kernel through ...) {DSA-4188-1 DSA-4187-1 DLA-1369-1} - linux 4.15.17-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199179 NOTE: Fixed by: https://git.kernel.org/linus/8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44 CVE-2018-1091 (In the flush_tmregs_to_thread function in arch/powerpc/kernel/ptrace.c ...) - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux (Hardware not supported; POWER9 support missing) [wheezy] - linux (Hardware not supported) NOTE: Fixed by: https://git.kernel.org/linus/c1fa0768a8713b135848f78fd43ffc208d8ded70 CVE-2018-1090 (In Pulp before version 2.16.2, secrets are passed into override_config ...) NOT-FOR-US: Pulp (Red Hat) CVE-2018-1089 (389-ds-base before versions 1.4.0.9, 1.3.8.1, 1.3.6.15 did not properl ...) {DLA-1428-1} - 389-ds-base 1.3.8.2-1 (bug #898138) [stretch] - 389-ds-base (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2018/05/07/2 CVE-2018-1088 (A privilege escalation flaw was found in gluster 3.x snapshot schedule ...) - glusterfs 4.0.2-1 (bug #896128) [stretch] - glusterfs (Minor issue; can be fixed via point release) [jessie] - glusterfs (vulnerable code not present) [wheezy] - glusterfs (vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1558721 NOTE: https://review.gluster.org/#/c/19899/ NOTE: https://review.gluster.org/#/c/19898/ NOTE: When fixing the issue it's important to not apply the incomplete fix and open NOTE: CVE-2018-1112 causing that auth.allow allows all clients to mount volumes. NOTE: Cf. https://bugzilla.redhat.com/show_bug.cgi?id=1570891 NOTE: Needs: https://review.gluster.org/#/c/19899/1..2 CVE-2018-1087 (kernel KVM before versions kernel 4.16, kernel 4.16-rc7, kernel 4.17-r ...) {DSA-4196-1} - linux 4.15.17-1 [wheezy] - linux (Issue introduced in 3.16) NOTE: Fixed by: https://git.kernel.org/linus/32d43cd391bacb5f0814c2624399a5dad3501d09 (4.16-rc7) NOTE: http://www.openwall.com/lists/oss-security/2018/05/08/5 CVE-2018-1086 (pcs before versions 0.9.164 and 0.10 is vulnerable to a debug paramete ...) {DSA-4169-1} - pcs 0.9.164-1 (bug #895313) NOTE: http://www.openwall.com/lists/oss-security/2018/04/09/2 CVE-2018-1085 (openshift-ansible before versions 3.9.23, 3.7.46 deploys a misconfigur ...) NOT-FOR-US: openshift-ansible CVE-2018-1084 (corosync before version 2.4.4 is vulnerable to an integer overflow in ...) {DSA-4174-1} - corosync 2.4.4-1 (bug #895653) [jessie] - corosync (Vulnerable code introduced later) [wheezy] - corosync (Vulnerable code introduced later) NOTE: http://www.openwall.com/lists/oss-security/2018/04/12/2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1552830 NOTE: Fixed by: https://github.com/corosync/corosync/commit/fc1d5418533c1faf21616b282c2559bed7d361c4 NOTE: https://oss.clusterlabs.org/pipermail/users/2018-April/014856.html CVE-2018-1083 (Zsh before version 5.4.2-test-1 is vulnerable to a buffer overflow in ...) {DLA-1335-1} - zsh 5.4.2-4 (low; bug #894043) [stretch] - zsh (Minor issue) [jessie] - zsh (Minor issue) NOTE: https://sourceforge.net/p/zsh/code/ci/259ac472eac291c8c103c7a0d8a4eaf3c2942ed7 CVE-2018-1082 (A flaw was found in Moodle 3.4 to 3.4.1, and 3.3 to 3.3.4. If a user a ...) - moodle CVE-2018-1081 (A flaw was found in Moodle 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3 ...) - moodle CVE-2018-1080 (Dogtag PKI, through version 10.6.1, has a vulnerability in AAclAuthz.j ...) [experimental] - dogtag-pki 10.6.0-2 - dogtag-pki 10.6.6-1 (bug #893690) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1556657 NOTE: https://pagure.io/freeipa/issue/7453 NOTE: https://review.gerrithub.io/#/c/404435/ CVE-2018-1079 (pcs before version 0.9.164 and 0.10 is vulnerable to a privilege escal ...) - pcs 0.9.164-1 (bug #895314) [stretch] - pcs (Vulnerable code introduced in 0.9.157) NOTE: http://www.openwall.com/lists/oss-security/2018/04/09/2 CVE-2018-1078 (OpenDayLight version Carbon SR3 and earlier contain a vulnerability du ...) NOT-FOR-US: OpenDayLight CVE-2018-1077 (Spacewalk 2.6 contains an API which has an XXE flaw allowing for the d ...) NOT-FOR-US: NOT-FOR-US: Red Hat Satellite / Spacewalk CVE-2018-1076 RESERVED CVE-2018-1075 (ovirt-engine up to version 4.2.3 is vulnerable to an unfiltered passwo ...) NOT-FOR-US: ovirt-engine CVE-2018-1074 (ovirt-engine API and administration web portal before versions 4.2.2.5 ...) NOT-FOR-US: ovirt-engine CVE-2018-1073 (The web console login form in ovirt-engine before version 4.2.3 return ...) NOT-FOR-US: ovirt-engine CVE-2018-1072 (ovirt-engine before version ovirt 4.2.2 is vulnerable to an informatio ...) NOT-FOR-US: ovirt-engine CVE-2018-1071 (zsh through version 5.4.2 is vulnerable to a stack-based buffer overfl ...) {DLA-1335-1} - zsh 5.4.2-4 (low; bug #894044) [stretch] - zsh (Minor issue) [jessie] - zsh (Minor issue) NOTE: https://sourceforge.net/p/zsh/code/ci/679b71ec4d852037fe5f73d35bf557b0f406c8d4 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1553531 CVE-2018-1070 (routing before version 3.10 is vulnerable to an improper input validat ...) NOT-FOR-US: OpenShift (Routing configuration) CVE-2018-1069 (Red Hat OpenShift Enterprise version 3.7 is vulnerable to access contr ...) NOT-FOR-US: OpenShift CVE-2018-1068 (A flaw was found in the Linux 4.x kernel's implementation of 32-bit sy ...) {DSA-4188-1 DSA-4187-1 DLA-1369-1} - linux 4.15.11-1 NOTE: https://git.kernel.org/linus/b71812168571fa55e44cdd0254471331b9c4c4c6 NOTE: Unprivileged user namespaces are disabled in Debian, this only affects NOTE: non-standard setups CVE-2018-1067 (In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the ...) - undertow 1.4.25-1 (bug #900323) NOTE: https://issues.jboss.org/browse/UNDERTOW-1302 NOTE: Issue is incomplete fix for CVE-2016-4993 NOTE: Fixed by https://github.com/undertow-io/undertow/commit/85d4478e598105fe94ac152d3e11e388374e8b86 (1.4.25.Final) CVE-2018-1066 (The Linux kernel before version 4.11 is vulnerable to a NULL pointer d ...) {DSA-4188-1 DSA-4187-1 DLA-1422-1} - linux 4.11.6-1 [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/cabfb3680f78981d26c078a26e5c748531257ebb CVE-2018-1065 (The netfilter subsystem in the Linux kernel through 4.15.7 mishandles ...) {DSA-4188-1} - linux 4.15.11-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/57ebd808a97d7c5b1e1afb937c2db22beba3c1f8 CVE-2018-1064 (libvirt version before 4.2.0-rc1 is vulnerable to a resource exhaustio ...) {DSA-4137-1 DLA-1315-1} - libvirt 4.1.0-1 NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=fbf31e1a4cd19d6f6e33e0937a009775cd7d9513 CVE-2018-1063 (Context relabeling of filesystems is vulnerable to symbolic link attac ...) - policycoreutils 2.7-1 [stretch] - policycoreutils (Minor issue) [jessie] - policycoreutils (Minor issue) [wheezy] - policycoreutils (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1550122 NOTE: Mitigation by removing any symbolic link in /tmp and /var/tmp directories NOTE: before relabeling the file system. Futhtermore only triggerable at NOTE: relabeling time. NOTE: https://github.com/SELinuxProject/selinux/commit/2608b4d6660af0fb8ad93f2cc144bdaab3c2afa8 CVE-2018-1062 (A vulnerability was discovered in oVirt 4.1.x before 4.1.9, where the ...) NOT-FOR-US: ovirt-engine CVE-2018-1061 (python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is ...) {DSA-4307-1 DSA-4306-1 DLA-1520-1 DLA-1519-1} - python3.7 3.7.0~b3-1 (low) - python3.6 3.6.5~rc1-1 (low) - python3.5 3.5.6-1 (low) - python3.4 (low) - python3.2 (low) [wheezy] - python3.2 (Minor issue) - python2.7 2.7.14-7 (low) [wheezy] - python2.7 (Minor issue) - python2.6 (low) [wheezy] - python2.6 (Minor issue) NOTE: https://bugs.python.org/issue32981 NOTE: https://github.com/python/cpython/commit/0e6c8ee2358a2e23117501826c008842acb835ac (master) NOTE: https://github.com/python/cpython/commit/0902a2d6b2d1d9dbde36aeaaccf1788ceaa97143 (3.7) NOTE: https://github.com/python/cpython/commit/c9516754067d71fd7429a25ccfcb2141fc583523 (3.6) NOTE: https://github.com/python/cpython/commit/937ac1fe069a4dc8471dff205f553d82e724015b (3.5) NOTE: https://github.com/python/cpython/commit/942cc04ae44825ea120e3a19a80c9b348b8194d0 (3.4) NOTE: https://github.com/python/cpython/commit/e052d40cea15f582b50947f7d906b39744dc62a2 (2.7) CVE-2018-1060 (python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is ...) {DSA-4307-1 DSA-4306-1 DLA-1520-1 DLA-1519-1} - python3.7 3.7.0~b3-1 (low) - python3.6 3.6.5~rc1-1 (low) - python3.5 3.5.6-1 (low) - python3.4 (low) - python3.2 (low) [wheezy] - python3.2 (Minor issue) - python2.7 2.7.14-7 (low) [wheezy] - python2.7 (Minor issue) - python2.6 (low) [wheezy] - python2.6 (Minor issue) NOTE: https://bugs.python.org/issue32981 NOTE: https://github.com/python/cpython/commit/0e6c8ee2358a2e23117501826c008842acb835ac (master) NOTE: https://github.com/python/cpython/commit/0902a2d6b2d1d9dbde36aeaaccf1788ceaa97143 (3.7) NOTE: https://github.com/python/cpython/commit/c9516754067d71fd7429a25ccfcb2141fc583523 (3.6) NOTE: https://github.com/python/cpython/commit/937ac1fe069a4dc8471dff205f553d82e724015b (3.5) NOTE: https://github.com/python/cpython/commit/942cc04ae44825ea120e3a19a80c9b348b8194d0 (3.4) NOTE: https://github.com/python/cpython/commit/e052d40cea15f582b50947f7d906b39744dc62a2 (2.7) CVE-2018-1059 (The DPDK vhost-user interface does not check to verify that all the re ...) - dpdk 17.11.2-1 (bug #896688) [stretch] - dpdk 16.11.6-1+deb9u1 CVE-2018-1058 (A flaw was found in the way Postgresql allowed a user to modify the be ...) - postgresql-10 10.3-1 - postgresql-9.6 [stretch] - postgresql-9.6 9.6.8-0+deb9u1 - postgresql-9.4 [jessie] - postgresql-9.4 (Minor issue; documentation update for recommendations) - postgresql-9.1 [jessie] - postgresql-9.1 (postgresql-9.1 in jessie is PL/Perl only) [wheezy] - postgresql-9.1 (Minor issue) NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=3d2aed664ee8271fd6c721ed0aa10168cda112ea NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=582edc369cdbd348d68441fc50fa26a84afd0c1a NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=5770172cb0c9df9e6ce27c507b449557e5b45124 CVE-2018-1057 (On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 ...) {DSA-4135-1 DLA-1754-1} - samba 2:4.7.4+dfsg-2 [wheezy] - samba (Vulnerable code introduced later in 4.0.0alpha13) NOTE: https://www.samba.org/samba/security/CVE-2018-1057.html NOTE: https://wiki.samba.org/index.php/CVE-2018-1057 CVE-2018-1056 (An out-of-bounds heap buffer read flaw was found in the way advancecom ...) {DLA-1702-1 DLA-1281-1} - advancecomp 2.1-1 (bug #889270) [stretch] - advancecomp (Minor issue, can be fixed via point release) NOTE: https://sourceforge.net/p/advancemame/bugs/259/ NOTE: https://github.com/amadvance/advancecomp/commit/7deeafc02b29cc51d51079e66f4f43f986ff9cc5 CVE-2018-1055 REJECTED CVE-2018-1054 (An out-of-bounds memory read flaw was found in the way 389-ds-base han ...) {DLA-1428-1} - 389-ds-base 1.3.7.10-1 (bug #892124) [stretch] - 389-ds-base (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1537314 NOTE: https://pagure.io/389-ds-base/issue/49545 NOTE: https://pagure.io/389-ds-base/c/14ce2fe0dfa67405dae0ae2e7fde13f6a1360d30?branch=master CVE-2018-1053 (In postgresql 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9 ...) {DLA-1271-1} - postgresql-10 10.2-1 - postgresql-9.6 [stretch] - postgresql-9.6 9.6.7-0+deb9u1 - postgresql-9.4 [jessie] - postgresql-9.4 (Minor issue) - postgresql-9.1 [jessie] - postgresql-9.1 (postgresql-9.1 in jessie is PL/Perl only) NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=6ba52aeb24e62586b51e77723d87627c18a844ca CVE-2018-1052 (Memory disclosure vulnerability in table partitioning was found in pos ...) - postgresql-10 10.2-1 - postgresql-9.6 (code introduced in 10) - postgresql-9.4 (code introduced in 10) - postgresql-9.1 (code introduced in 10) CVE-2018-1051 (It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1 ...) - resteasy [jessie] - resteasy (Incomplete fix for CVE-2016-9606 wasn't backported) - resteasy3.0 (Incomplete fix for CVE-2016-9606 not applied) NOTE: Removing deprecated YamlProvider was done in 4.0.0.Beta4 CVE-2018-1050 (All versions of Samba from 4.0.0 onwards are vulnerable to a denial of ...) {DSA-4135-1 DLA-1754-1 DLA-1320-1} - samba 2:4.7.4+dfsg-2 NOTE: https://www.samba.org/samba/security/CVE-2018-1050.html CVE-2018-1049 (In systemd prior to 234 a race condition exists between .mount and .au ...) {DLA-1580-1} - systemd 234-1 [stretch] - systemd 232-25+deb9u10 [wheezy] - systemd (Minor issue, can be fixed along in next DLA) NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1709649 NOTE: https://github.com/systemd/systemd/pull/5916 NOTE: https://github.com/systemd/systemd/commit/e7d54bf58789545a9eb0b3964233defa0b007318 CVE-2018-1048 (It was found that the AJP connector in undertow, as shipped in Jboss E ...) - undertow 1.4.22-1 (bug #891928) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1534343 NOTE: https://issues.jboss.org/browse/UNDERTOW-1245 NOTE: Fixed by https://github.com/undertow-io/undertow/commit/1bc0c275aadf5835abfbd3835d5d78095c2f1cf5 CVE-2018-1047 (A flaw was found in Wildfly 9.x. A path traversal vulnerability throug ...) - wildfly (bug #752018) NOTE: https://issues.jboss.org/browse/WFLY-9620 NOTE: https://developer.jboss.org/thread/276826 NOTE: Fixed by https://github.com/wildfly/wildfly/pull/10748 CVE-2018-1046 (pdns before version 4.1.2 is vulnerable to a buffer overflow in dnsrep ...) - pdns 4.1.2-1 (bug #898255) [stretch] - pdns 4.0.3-1+deb9u3 [jessie] - pdns (Vulnerable code not present) [wheezy] - pdns (Vulnerable code not present) NOTE: https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-02.html NOTE: Fixed by https://github.com/PowerDNS/pdns/commit/f9c57c98da1b1007a51680629b667d57d9b702b8 CVE-2018-1045 (In Moodle 3.x, there is XSS via a calendar event name. ...) - moodle CVE-2018-1044 (In Moodle 3.x, quiz web services allow students to see quiz results wh ...) - moodle CVE-2018-1043 (In Moodle 3.x, the setting for blocked hosts list can be bypassed with ...) - moodle CVE-2018-1042 (Moodle 3.x has Server Side Request Forgery in the filepicker. ...) - moodle CVE-2018-1041 (A vulnerability was found in the way RemoteMessageChannel, introduced ...) - libjboss-remoting-java [wheezy] - libjboss-remoting-java (unimportant leaf package) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1530457 CVE-2017-17380 RESERVED CVE-2017-17379 RESERVED CVE-2017-17378 RESERVED CVE-2017-17377 RESERVED CVE-2017-17376 RESERVED CVE-2017-17375 RESERVED CVE-2017-17374 RESERVED CVE-2017-17373 RESERVED CVE-2017-17372 RESERVED CVE-2017-17371 RESERVED CVE-2017-17370 RESERVED CVE-2017-17369 RESERVED CVE-2017-17368 RESERVED CVE-2017-17367 RESERVED CVE-2017-17366 RESERVED CVE-2017-17365 RESERVED CVE-2017-17364 RESERVED CVE-2017-17363 RESERVED CVE-2017-17362 RESERVED CVE-2017-17361 RESERVED CVE-2017-17360 RESERVED CVE-2017-17359 RESERVED CVE-2017-17358 RESERVED CVE-2017-17357 RESERVED CVE-2017-17356 RESERVED CVE-2017-17355 RESERVED CVE-2017-17354 RESERVED CVE-2017-17353 RESERVED CVE-2017-17352 RESERVED CVE-2017-17351 RESERVED CVE-2017-17350 RESERVED CVE-2017-17349 RESERVED CVE-2017-17348 RESERVED CVE-2017-17347 RESERVED CVE-2017-17346 RESERVED CVE-2017-17345 RESERVED CVE-2017-17344 RESERVED CVE-2017-17343 RESERVED CVE-2017-17342 RESERVED CVE-2017-17341 RESERVED CVE-2017-17340 RESERVED CVE-2017-17339 RESERVED CVE-2017-17338 RESERVED CVE-2017-17337 RESERVED CVE-2017-17336 RESERVED CVE-2017-17335 RESERVED CVE-2017-17334 RESERVED CVE-2017-17333 RESERVED CVE-2017-17332 RESERVED CVE-2017-17331 RESERVED CVE-2017-17330 (Huawei AR3200 V200R005C32; V200R006C10; V200R006C11; V200R007C00; V200 ...) NOT-FOR-US: Huawei CVE-2017-17329 (Huawei ViewPoint 8660 V100R008C03 have a memory leak vulnerability. Th ...) NOT-FOR-US: Huawei CVE-2017-17328 (Huawei smartphones with software of MHA-AL00AC00B125 have an integer o ...) NOT-FOR-US: Huawei CVE-2017-17327 (Huawei smartphones with software of MHA-AL00AC00B125 have an improper ...) NOT-FOR-US: Huawei CVE-2017-17326 (Huawei Mate 9 Pro Smartphones with software of LON-AL00BC00B139D; LON- ...) NOT-FOR-US: Huawei CVE-2017-17325 (Huawei video applications HiCinema with software of 8.0.3.308; 8.0.4.3 ...) NOT-FOR-US: Huawei CVE-2017-17324 (Huawei Mate 9 Pro smartphones with software LON-AL00BC00B139D; LON-AL0 ...) NOT-FOR-US: Huawei CVE-2017-17323 (Huawei iBMC V200R002C10; V200R002C20; V200R002C30 have an improper aut ...) NOT-FOR-US: Huawei CVE-2017-17322 (Huawei Honor Smart Scale Application with software of 1.1.1 has an inf ...) NOT-FOR-US: Huawei CVE-2017-17321 (Huawei eNSP software with software of versions earlier than V100R002C0 ...) NOT-FOR-US: Huawei CVE-2017-17320 (Huawei Mate 9 Pro smartphones with software of LON-AL00BC00B139D, LON- ...) NOT-FOR-US: Huawei CVE-2017-17319 (Huawei P9 smartphones with the versions before EVA-AL10C00B399SP02 hav ...) NOT-FOR-US: Huawei CVE-2017-17318 (Huawei MBB (Mobile Broadband) products E5771h-937 with the versions be ...) NOT-FOR-US: Huawei CVE-2017-17317 (Common Open Policy Service Protocol (COPS) module in Huawei USG6300 V1 ...) NOT-FOR-US: Huawei CVE-2017-17316 (Huawei DP300 V500R002C00; RP200 V500R002C00; V600R006C00; TE30 V100R00 ...) NOT-FOR-US: Huawei CVE-2017-17315 (Huawei DP300 V500R002C00; RP200 V600R006C00; TE30 V100R001C10; V500R00 ...) NOT-FOR-US: Huawei CVE-2017-17314 (Huawei DP300 V500R002C00, RP200 V600R006C00, TE30 V100R001C10, V500R00 ...) NOT-FOR-US: Huawei CVE-2017-17313 (The inputhub driver of HUAWEI P9 Lite mobile phones with Versions earl ...) NOT-FOR-US: inputhub driver of HUAWEI P9 Lite mobile phones CVE-2017-17312 (Some Huawei Firewall products USG2205BSR V300R001C10SPC600; USG2220BSR ...) NOT-FOR-US: Huawei CVE-2017-17311 (Some Huawei Firewall products USG2205BSR V300R001C10SPC600; USG2220BSR ...) NOT-FOR-US: Huawei CVE-2017-17310 (Electronic Numbers to URI Mapping (ENUM) module in some Huawei product ...) NOT-FOR-US: Huawei CVE-2017-17309 (Huawei HG255s-10 V100R001C163B025SP02 has a path traversal vulnerabili ...) NOT-FOR-US: Huawei CVE-2017-17308 (SCCPX module in Huawei DP300 V500R002C00, RP200 V500R002C00, V600R006C ...) NOT-FOR-US: Huawei CVE-2017-17307 (Some Huawei Smartphones with software of VNS-L21AUTC555B141 have an ou ...) NOT-FOR-US: Huawei CVE-2017-17306 (Some Huawei Smartphones with software of VNS-L21AUTC555B141, VNS-L21C1 ...) NOT-FOR-US: Huawei CVE-2017-17305 (Some Huawei Firewall products USG2205BSR V300R001C10SPC600; USG2220BSR ...) NOT-FOR-US: Huawei CVE-2017-17304 (The CIDAM Protocol on some Huawei Products has multiple input validati ...) NOT-FOR-US: Huawei CVE-2017-17303 (Huawei DP300 V500R002C00; V500R002C00B010; V500R002C00B011; V500R002C0 ...) NOT-FOR-US: Huawei CVE-2017-17302 (Huawei DP300 V500R002C00, RP200 V600R006C00, TE30 V100R001C10, V500R00 ...) NOT-FOR-US: Huawei CVE-2017-17301 (Huawei AR120-S V200R005C32, V200R006C10, V200R007C00, V200R008C20, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17300 (Huawei S12700 V200R008C00, V200R009C00, S5700 V200R007C00, V200R008C00 ...) NOT-FOR-US: Huawei CVE-2017-17299 (Huawei AR120-S V200R006C10, V200R007C00, AR1200 V200R006C10, V200R006C ...) NOT-FOR-US: Huawei CVE-2017-17298 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17297 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17296 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17295 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17294 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17293 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17292 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17291 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17290 (The Light Directory Access Protocol (LDAP) clients of Huawei TE60 with ...) NOT-FOR-US: Huawei CVE-2017-17289 (Huawei DP300 V500R002C00, RP200 V500R002C00, V600R006C00, TE30 V100R00 ...) NOT-FOR-US: Huawei CVE-2017-17288 (Huawei DP300 V500R002C00, RP200 V500R002C00, V600R006C00, TE30 V100R00 ...) NOT-FOR-US: Huawei CVE-2017-17287 (Huawei AR120-S V200R005C32, V200R006C10, V200R007C00, V200R008C20, V20 ...) NOT-FOR-US: Huawei CVE-2017-17286 (Huawei AR120-S V200R005C32, V200R006C10, V200R007C00, V200R008C20, V20 ...) NOT-FOR-US: Huawei CVE-2017-17285 (Bluetooth module in some Huawei mobile phones with software LON-AL00BC ...) NOT-FOR-US: Huawei CVE-2017-17284 (Huawei DP300 V500R002C00, RP200 V500R002C00, V600R006C00, TE30 V100R00 ...) NOT-FOR-US: Huawei CVE-2017-17283 (Huawei DP300 V500R002C00, RP200 V500R002C00, V600R006C00, TE30 V100R00 ...) NOT-FOR-US: Huawei CVE-2017-17282 (SCCP (Signalling Connection Control Part) module in Huawei DP300 V500R ...) NOT-FOR-US: Huawei CVE-2017-17281 (SFTP module in Huawei DP300 V500R002C00; RP200 V600R006C00; TE30 V100R ...) NOT-FOR-US: Huawei CVE-2017-17280 (NFC (Near Field Communication) module in Huawei mobile phones with sof ...) NOT-FOR-US: Huawei CVE-2017-17279 (The soundtrigger module in Huawei Mate 9 Pro smart phones with softwar ...) NOT-FOR-US: Huawei CVE-2017-17278 REJECTED CVE-2017-17277 REJECTED CVE-2017-17276 REJECTED CVE-2017-17275 REJECTED CVE-2017-17274 REJECTED CVE-2017-17273 REJECTED CVE-2017-17272 REJECTED CVE-2017-17271 REJECTED CVE-2017-17270 REJECTED CVE-2017-17269 REJECTED CVE-2017-17268 REJECTED CVE-2017-17267 REJECTED CVE-2017-17266 REJECTED CVE-2017-17265 REJECTED CVE-2017-17264 REJECTED CVE-2017-17263 REJECTED CVE-2017-17262 REJECTED CVE-2017-17261 REJECTED CVE-2017-17260 REJECTED CVE-2017-17259 REJECTED CVE-2017-17258 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17257 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17256 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17255 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17254 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17253 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17252 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17251 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17250 (Huawei AR120-S V200R005C32; AR1200 V200R005C32; AR1200-S V200R005C32; ...) NOT-FOR-US: Huawei CVE-2017-17249 REJECTED CVE-2017-17248 REJECTED CVE-2017-17247 REJECTED CVE-2017-17246 REJECTED CVE-2017-17245 REJECTED CVE-2017-17244 REJECTED CVE-2017-17243 REJECTED CVE-2017-17242 REJECTED CVE-2017-17241 REJECTED CVE-2017-17240 REJECTED CVE-2017-17239 REJECTED CVE-2017-17238 REJECTED CVE-2017-17237 REJECTED CVE-2017-17236 REJECTED CVE-2017-17235 REJECTED CVE-2017-17234 REJECTED CVE-2017-17233 REJECTED CVE-2017-17232 REJECTED CVE-2017-17231 REJECTED CVE-2017-17230 REJECTED CVE-2017-17229 REJECTED CVE-2017-17228 REJECTED CVE-2017-17227 (GPU driver in Huawei Mate 10 smart phones with the versions before ALP ...) NOT-FOR-US: Huawei CVE-2017-17226 (The TripAdvisor app with the versions before TAMobileApp-24.6.4 pre-in ...) NOT-FOR-US: The TripAdvisor app on Huawei CVE-2017-17225 (The Near Field Communication (NFC) module in Huawei Mate 9 Pro mobile ...) NOT-FOR-US: Huawei CVE-2017-17224 (Some Huawei smart phones with versions earlier than Harry-AL00C 9.1.0. ...) NOT-FOR-US: Huawei smart phones CVE-2017-17223 (Huawei eSpace 7910 V200R003C30; eSpace 7950 V200R003C30; eSpace 8950 V ...) NOT-FOR-US: Huawei CVE-2017-17222 (Import Language Package function in Huawei eSpace 7950 V200R003C30; eS ...) NOT-FOR-US: Huawei CVE-2017-17221 (Import Signal Tone function in Huawei eSpace 7950 V200R003C30; eSpace ...) NOT-FOR-US: Huawei CVE-2017-17220 (SCCPX module in Huawei DP300 V500R002C00; RP200 V500R002C00; V600R006C ...) NOT-FOR-US: Huawei CVE-2017-17219 (SCCPX module in Huawei DP300 V500R002C00; RP200 V500R002C00; V600R006C ...) NOT-FOR-US: Huawei CVE-2017-17218 (SCCPX module in Huawei DP300 V500R002C00; RP200 V500R002C00; V600R006C ...) NOT-FOR-US: Huawei CVE-2017-17217 (Media Gateway Control Protocol (MGCP) in Huawei DP300 V500R002C00; RP2 ...) NOT-FOR-US: Huawei CVE-2017-17216 (Media Gateway Control Protocol (MGCP) in Huawei DP300 V500R002C00; RP2 ...) NOT-FOR-US: Huawei CVE-2017-17215 (Huawei HG532 with some customized versions has a remote code execution ...) NOT-FOR-US: Huawei CVE-2017-17214 REJECTED CVE-2017-17213 REJECTED CVE-2017-17212 REJECTED CVE-2017-17211 REJECTED CVE-2017-17210 REJECTED CVE-2017-17209 REJECTED CVE-2017-17208 REJECTED CVE-2017-17207 REJECTED CVE-2017-17206 REJECTED CVE-2017-17205 REJECTED CVE-2017-17204 REJECTED CVE-2017-17203 REJECTED CVE-2017-17202 (Huawei AR120-S V200R005C32, V200R006C10, V200R007C00, V200R008C20, V20 ...) NOT-FOR-US: Huawei CVE-2017-17201 (Some huawei smartphones with software BTV-DL09C233B350, Berlin-L21HNC4 ...) NOT-FOR-US: Huawei CVE-2017-17200 (Huawei DP300 V500R002C00; RP200 V500R002C00; V600R006C00; TE30 V100R00 ...) NOT-FOR-US: Huawei CVE-2017-17199 (Huawei DP300 V500R002C00; RP200 V500R002C00; V600R006C00; TE30 V100R00 ...) NOT-FOR-US: Huawei CVE-2017-17198 REJECTED CVE-2017-17197 REJECTED CVE-2017-17196 REJECTED CVE-2017-17195 REJECTED CVE-2017-17194 REJECTED CVE-2017-17193 REJECTED CVE-2017-17192 REJECTED CVE-2017-17191 REJECTED CVE-2017-17190 REJECTED CVE-2017-17189 REJECTED CVE-2017-17188 REJECTED CVE-2017-17187 (Huawei DP300 V500R002C00, RP200 V500R002C00, V600R006C00, TE30 V100R00 ...) NOT-FOR-US: Huawei CVE-2017-17186 (Huawei DP300 V500R002C00, RP200 V500R002C00, V600R006C00, TE30 V100R00 ...) NOT-FOR-US: Huawei CVE-2017-17185 (Huawei DP300 V500R002C00, RP200 V500R002C00, V600R006C00, TE30 V100R00 ...) NOT-FOR-US: Huawei CVE-2017-17184 (Huawei DP300 V500R002C00, RP200 V500R002C00, V600R006C00, TE30 V100R00 ...) NOT-FOR-US: Huawei CVE-2017-17183 (Huawei DP300 V500R002C00, RP200 V500R002C00, V600R006C00, TE30 V100R00 ...) NOT-FOR-US: Huawei CVE-2017-17182 (Huawei DP300 V500R002C00, RP200 V500R002C00, V600R006C00, TE30 V100R00 ...) NOT-FOR-US: Huawei CVE-2017-17181 REJECTED CVE-2017-17180 REJECTED CVE-2017-17179 REJECTED CVE-2017-17178 REJECTED CVE-2017-17177 REJECTED CVE-2017-17176 (The hardware security module of Mate 9 and Mate 9 Pro Huawei smart pho ...) NOT-FOR-US: Huawei CVE-2017-17175 (Short Message Service (SMS) module of Mate 9 Pro Huawei smart phones w ...) NOT-FOR-US: Huawei CVE-2017-17174 (Some Huawei products RSE6500 V500R002C00; SoftCo V200R003C20SPCb00; VP ...) NOT-FOR-US: Huawei CVE-2017-17173 (Due to insufficient parameters verification GPU driver of Mate 9 Pro H ...) NOT-FOR-US: Huawei CVE-2017-17172 (Huawei smart phones LYO-L21 with software LYO-L21C479B107, LYO-L21C479 ...) NOT-FOR-US: Huawei CVE-2017-17171 (Some Huawei smart phones have the denial of service (DoS) vulnerabilit ...) NOT-FOR-US: Huawei CVE-2017-17170 (The CIDAM Protocol on some Huawei Products has multiple input validati ...) NOT-FOR-US: Huawei CVE-2017-17169 (The CIDAM Protocol on some Huawei Products has multiple input validati ...) NOT-FOR-US: Huawei CVE-2017-17168 (The CIDAM Protocol on some Huawei Products has multiple input validati ...) NOT-FOR-US: Huawei CVE-2017-17167 (Huawei DP300 V500R002C00; TP3206 V100R002C00; ViewPoint 9030 V100R011C ...) NOT-FOR-US: Huawei CVE-2017-17166 (Huawei DP300 V500R002C00, Secospace USG6300 V500R001C00, V500R001C20, ...) NOT-FOR-US: Huawei CVE-2017-17165 (IPv6 function in Huawei Quidway S2700 V200R003C00SPC300, Quidway S5300 ...) NOT-FOR-US: Huawei CVE-2017-17164 (Huawei Secospace AntiDDoS8000 V500R001C20SPC500 have a memory leak vul ...) NOT-FOR-US: Huawei CVE-2017-17163 (Huawei Secospace USG6600 V500R001C30SPC100 has an Out-of-Bounds memory ...) NOT-FOR-US: Huawei CVE-2017-17162 (Huawei Secospace USG6600 V500R001C30SPC100, Secospace USG6600 V500R001 ...) NOT-FOR-US: Huawei CVE-2017-17161 (The 'Find Phone' function in some Huawei smart phones with software ea ...) NOT-FOR-US: Huawei CVE-2017-17160 (Huawei AR120-S V200R006C10, V200R007C00, AR1200 V200R006C10, V200R006C ...) NOT-FOR-US: Huawei CVE-2017-17159 (Some Huawei smart phones with software of NXT-AL10C00B386, NXT-CL00C92 ...) NOT-FOR-US: Huawei CVE-2017-17158 (Some Huawei smart phones with the versions before Berlin-L21HNC185B381 ...) NOT-FOR-US: Huawei CVE-2017-17157 (IKEv2 in Huawei IPS Module V500R001C00, V500R001C00SPC200, V500R001C00 ...) NOT-FOR-US: Huawei CVE-2017-17156 (IKEv2 in Huawei IPS Module V500R001C00, V500R001C00SPC200, V500R001C00 ...) NOT-FOR-US: Huawei CVE-2017-17155 (IKEv2 in Huawei IPS Module V500R001C00, V500R001C00SPC200, V500R001C00 ...) NOT-FOR-US: Huawei CVE-2017-17154 (IKEv2 in Huawei IPS Module V500R001C00, V500R001C00SPC200, V500R001C00 ...) NOT-FOR-US: Huawei CVE-2017-17153 (IKEv2 in Huawei IPS Module V500R001C00, V500R001C00SPC200, V500R001C00 ...) NOT-FOR-US: Huawei CVE-2017-17152 (IKEv2 in Huawei IPS Module V500R001C00, V500R001C00SPC200, V500R001C00 ...) NOT-FOR-US: Huawei CVE-2017-17151 (Huawei AR100, AR100-S, AR110-S, AR120, AR120-S, AR1200, AR1200-S, AR15 ...) NOT-FOR-US: Huawei CVE-2017-17150 (Timergrp module in Huawei DP300 V500R002C00; RP200 V500R002C00; V600R0 ...) NOT-FOR-US: Huawei CVE-2017-17149 (Huawei HiWallet App with the versions before 8.0.4 has an arbitrary lo ...) NOT-FOR-US: Huawei CVE-2017-17148 (Huawei DP300 V500R002C00 have a DoS vulnerability due to the lack of v ...) NOT-FOR-US: Huawei CVE-2017-17147 (Huawei DP300 V500R002C00 have an integer overflow vulnerability due to ...) NOT-FOR-US: Huawei CVE-2017-17146 (Huawei DP300 V500R002C00 have a buffer overflow vulnerability due to t ...) NOT-FOR-US: Huawei CVE-2017-17145 (Huawei Honor V9 Play smart phones with the versions before Jimmy-AL00A ...) NOT-FOR-US: Huawei CVE-2017-17144 (Backup feature of SIP module in Huawei DP300 V500R002C00; V500R002C00S ...) NOT-FOR-US: Huawei CVE-2017-17143 (SIP module in Huawei DP300 V500R002C00; V500R002C00SPC100; V500R002C00 ...) NOT-FOR-US: Huawei CVE-2017-17142 (SIP module in Huawei DP300 V500R002C00; V500R002C00SPC100; V500R002C00 ...) NOT-FOR-US: Huawei CVE-2017-17141 (Huawei S12700 V200R005C00; V200R006C00; V200R007C00; V200R007C01; V200 ...) NOT-FOR-US: Huawei CVE-2017-17140 (Huawei Enjoy 5s and Y6 Pro smartphones with software the versions befo ...) NOT-FOR-US: Huawei CVE-2017-17139 (Huawei Mate 9 and Mate 9 pro smart phones with software the versions b ...) NOT-FOR-US: Huawei CVE-2017-17138 (PEM module of DP300 V500R002C00; IPS Module V500R001C00; V500R001C30; ...) NOT-FOR-US: Huawei CVE-2017-17137 (PEM module of Huawei DP300 V500R002C00; IPS Module V500R001C00; V500R0 ...) NOT-FOR-US: Huawei CVE-2017-17136 (PEM module of Huawei DP300 V500R002C00; IPS Module V500R001C00; V500R0 ...) NOT-FOR-US: Huawei CVE-2017-17135 (PEM module of Huawei DP300 V500R002C00; IPS Module V500R001C00; V500R0 ...) NOT-FOR-US: Huawei CVE-2017-17134 (XML parser in Huawei DP300 V500R002C00; RP200 V500R002C00SPC200; V600R ...) NOT-FOR-US: Huawei CVE-2017-17133 (Huawei VP9660 V500R002C10 has a null pointer reference vulnerability i ...) NOT-FOR-US: Huawei CVE-2017-17132 (Huawei VP9660 V500R002C10 has a uncontrolled format string vulnerabili ...) NOT-FOR-US: Huawei CVE-2017-17131 (Huawei DP300 V500R002C00; RP200 V500R002C00; V600R006C00; TE30 V100R00 ...) NOT-FOR-US: Huawei CVE-2017-17130 (The ff_free_picture_tables function in libavcodec/mpegpicture.c in Lib ...) {DLA-1630-1} - libav NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1100 CVE-2017-17129 (The ff_vc1_mc_4mv_chroma4 function in libavcodec/vc1_mc.c in Libav 12. ...) - libav (Vulnerable code introduced in 12.x) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1101 CVE-2017-17128 (The h264_slice_init function in libavcodec/h264_slice.c in Libav 12.2 ...) - libav [jessie] - libav (Unable to reproduce on i386 and amd64 with current version and upstream Git; upstream bug also closed WORKSFORME) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1104 CVE-2017-17127 (The vc1_decode_frame function in libavcodec/vc1dec.c in Libav 12.2 all ...) {DLA-2021-1} - libav [wheezy] - libav (Minor issue) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1099 NOTE: Duplicate of CVE-2018-19130 CVE-2017-17126 (The load_debug_section function in readelf.c in GNU Binutils 2.29.1 al ...) [experimental] - binutils 2.29.51.20171208-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22510 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f425ec6600b69e39eb605f3128806ff688137ea8 CVE-2017-17125 (nm.c and objdump.c in GNU Binutils 2.29.1 mishandle certain global sym ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22443 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=160b1a618ad94988410dc81fce9189fcda5b7ff4 CVE-2017-17124 (The _bfd_coff_read_string_table function in coffgen.c in the Binary Fi ...) [experimental] - binutils 2.29.51.20171208-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22507 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b0029dce6867de1a2828293177b0e030d2f0f03c CVE-2017-17123 (The coff_slurp_reloc_table function in coffcode.h in the Binary File D ...) [experimental] - binutils 2.29.51.20171208-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22509 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4581a1c7d304ce14e714b27522ebf3d0188d6543 CVE-2017-17122 (The dump_relocs_in_section function in objdump.c in GNU Binutils 2.29. ...) [experimental] - binutils 2.29.51.20171208-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22508 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d785b7d4b877ed465d04072e17ca19d0f47d840f CVE-2017-17121 (The Binary File Descriptor (BFD) library (aka libbfd), as distributed ...) [experimental] - binutils 2.29.51.20171208-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22506 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b23dc97fe237a1d9e850d7cbeee066183a00630b CVE-2017-17120 RESERVED CVE-2017-17119 RESERVED CVE-2017-17118 RESERVED CVE-2017-17117 RESERVED CVE-2017-17116 RESERVED CVE-2017-17115 RESERVED CVE-2017-17114 (ntguard.sys and ntguard_x64.sys 0.18780.0.0 in IKARUS anti.virus 2.16. ...) NOT-FOR-US: IKARUS CVE-2017-17113 (ntguard_x64.sys 0.18780.0.0 in IKARUS anti.virus 2.16.15 has a NULL po ...) NOT-FOR-US: IKARUS CVE-2017-17112 (ntguard_x64.sys 0.18780.0.0 in IKARUS anti.virus 2.16.15 has a Pool Co ...) NOT-FOR-US: IKARUS CVE-2017-17111 (Posty Readymade Classifieds Script 1.0 allows an attacker to inject SQ ...) NOT-FOR-US: Posty Readymade Classifieds Script CVE-2017-17110 (Techno Portfolio Management Panel 1.0 allows an attacker to inject SQL ...) NOT-FOR-US: Techno Portfolio Management Panel CVE-2017-17109 RESERVED CVE-2017-17108 (Path traversal vulnerability in the administrative panel in KonaKart e ...) NOT-FOR-US: KonaKart eCommerce Platform CVE-2017-17107 (Zivif PR115-204-P-RS V2.3.4.2103 web cameras contain a hard-coded cat1 ...) NOT-FOR-US: Zivif web cameras CVE-2017-17106 (Credentials for Zivif PR115-204-P-RS V2.3.4.2103 Webcams can be obtain ...) NOT-FOR-US: Zivif web cameras CVE-2017-17105 (Zivif PR115-204-P-RS V2.3.4.2103 and V4.7.4.2121 (and possibly in-betw ...) NOT-FOR-US: Zivif web cameras CVE-2017-17104 (Fiyo CMS 2.0.7 has an arbitrary file read vulnerability in dapur/apps/ ...) NOT-FOR-US: Fiyo CMS CVE-2017-17103 (Fiyo CMS 2.0.7 has SQL injection in /apps/app_user/sys_user.php via $_ ...) NOT-FOR-US: Fiyo CMS CVE-2017-17102 (Fiyo CMS 2.0.7 has SQL injection in /system/site.php via $_REQUEST['li ...) NOT-FOR-US: Fiyo CMS CVE-2017-17101 (An issue was discovered in Apexis APM-H803-MPC software, as used with ...) NOT-FOR-US: Apexis CVE-2017-17100 RESERVED CVE-2017-17099 (There exists an unauthenticated SEH based Buffer Overflow vulnerabilit ...) NOT-FOR-US: Flexense SyncBreeze Enterprise CVE-2017-17098 (The writeLog function in fn_common.php in gps-server.net GPS Tracking ...) NOT-FOR-US: gps-server.net GPS Tracking Software CVE-2017-17097 (gps-server.net GPS Tracking Software (self hosted) 2.x has a password ...) NOT-FOR-US: gps-server.net GPS Tracking Software CVE-2017-17096 (Cross-site scripting (XSS) vulnerability in the Content Cards plugin b ...) NOT-FOR-US: Wordpress plugin CVE-2017-17090 (An issue was discovered in chan_skinny.c in Asterisk Open Source 13.18 ...) {DSA-4076-1 DLA-1225-1} - asterisk 1:13.18.3~dfsg-1 (bug #883342) NOTE: http://downloads.digium.com/pub/security/AST-2017-013.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27452 CVE-2018-1040 (A denial of service vulnerability exists in the way that the Windows C ...) NOT-FOR-US: Microsoft CVE-2018-1039 (A security feature bypass vulnerability exists in .Net Framework which ...) NOT-FOR-US: Microsoft CVE-2018-1038 (The Windows kernel in Windows 7 SP1 and Windows Server 2008 R2 SP1 all ...) NOT-FOR-US: Microsoft CVE-2018-1037 (An information disclosure vulnerability exists when Visual Studio impr ...) NOT-FOR-US: Microsoft CVE-2018-1036 (An elevation of privilege vulnerability exists when NTFS improperly ch ...) NOT-FOR-US: Microsoft CVE-2018-1035 (A security feature bypass vulnerability exists in Windows which could ...) NOT-FOR-US: Microsoft CVE-2018-1034 (An elevation of privilege vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2018-1033 RESERVED CVE-2018-1032 (An elevation of privilege vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2018-1031 RESERVED CVE-2018-1030 (A remote code execution vulnerability exists in Microsoft Office softw ...) NOT-FOR-US: Microsoft CVE-2018-1029 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2018-1028 (A remote code execution vulnerability exists when the Office graphics ...) NOT-FOR-US: Microsoft CVE-2018-1027 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2018-1026 (A remote code execution vulnerability exists in Microsoft Office softw ...) NOT-FOR-US: Microsoft CVE-2018-1025 (An information disclosure vulnerability exists when affected Microsoft ...) NOT-FOR-US: Microsoft CVE-2018-1024 RESERVED CVE-2018-1023 (A remote code execution vulnerability exists in the way that Microsoft ...) NOT-FOR-US: Microsoft CVE-2018-1022 (A remote code execution vulnerability exists in the way the scripting ...) NOT-FOR-US: Microsoft CVE-2018-1021 (An information disclosure vulnerability exists when Microsoft Edge imp ...) NOT-FOR-US: Microsoft CVE-2018-1020 (A remote code execution vulnerability exists when Internet Explorer im ...) NOT-FOR-US: Microsoft CVE-2018-1019 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-1018 (A remote code execution vulnerability exists when Internet Explorer im ...) NOT-FOR-US: Microsoft CVE-2018-1017 RESERVED CVE-2018-1016 (A remote code execution vulnerability exists when the Windows font lib ...) NOT-FOR-US: Microsoft CVE-2018-1015 (A remote code execution vulnerability exists when the Windows font lib ...) NOT-FOR-US: Microsoft CVE-2018-1014 (An elevation of privilege vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2018-1013 (A remote code execution vulnerability exists when the Windows font lib ...) NOT-FOR-US: Microsoft CVE-2018-1012 (A remote code execution vulnerability exists when the Windows font lib ...) NOT-FOR-US: Microsoft CVE-2018-1011 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2018-1010 (A remote code execution vulnerability exists when the Windows font lib ...) NOT-FOR-US: Microsoft CVE-2018-1009 (An elevation of privilege vulnerability exists when Windows improperly ...) NOT-FOR-US: Microsoft CVE-2018-1008 (An elevation of privilege vulnerability exists in Windows Adobe Type M ...) NOT-FOR-US: Microsoft CVE-2018-1007 (An information disclosure vulnerability exists when Microsoft Office i ...) NOT-FOR-US: Microsoft CVE-2018-1006 RESERVED CVE-2018-1005 (An elevation of privilege vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2018-1004 (A remote code execution vulnerability exists in the way that the VBScr ...) NOT-FOR-US: Microsoft CVE-2018-1003 (A buffer overflow vulnerability exists in the Microsoft JET Database E ...) NOT-FOR-US: Microsoft CVE-2018-1002 RESERVED CVE-2018-1001 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2018-1000 (An information disclosure vulnerability exists in the way that the scr ...) NOT-FOR-US: Microsoft CVE-2018-0999 RESERVED CVE-2018-0998 (An information disclosure vulnerability exists when Microsoft Edge PDF ...) NOT-FOR-US: Microsoft CVE-2018-0997 (A remote code execution vulnerability exists when Internet Explorer im ...) NOT-FOR-US: Microsoft CVE-2018-0996 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2018-0995 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-0994 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-0993 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-0992 RESERVED CVE-2018-0991 (A remote code execution vulnerability exists when Internet Explorer im ...) NOT-FOR-US: Microsoft CVE-2018-0990 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-0989 (An information disclosure vulnerability exists in the way that the scr ...) NOT-FOR-US: Microsoft CVE-2018-0988 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2018-0987 (An information disclosure vulnerability exists when the scripting engi ...) NOT-FOR-US: Microsoft CVE-2018-0986 (A remote code execution vulnerability exists when the Microsoft Malwar ...) NOT-FOR-US: Microsoft CVE-2018-0985 RESERVED CVE-2018-0984 RESERVED CVE-2018-0983 (Windows Storage Services in Windows 10 versions 1511, 1607, 1703 and 1 ...) NOT-FOR-US: Microsoft CVE-2018-0982 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2018-0981 (An information disclosure vulnerability exists in the way that the scr ...) NOT-FOR-US: Microsoft CVE-2018-0980 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-0979 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-0978 (A remote code execution vulnerability exists when Internet Explorer im ...) NOT-FOR-US: Microsoft CVE-2018-0977 (The Windows kernel mode driver in Windows 10 Gold, 1511, 1607, 1703, a ...) NOT-FOR-US: Microsoft CVE-2018-0976 (A denial of service vulnerability exists in Remote Desktop Protocol (R ...) NOT-FOR-US: Microsoft CVE-2018-0975 (An information disclosure vulnerability exists in the Windows kernel t ...) NOT-FOR-US: Microsoft CVE-2018-0974 (An information disclosure vulnerability exists in the Windows kernel t ...) NOT-FOR-US: Microsoft CVE-2018-0973 (An information disclosure vulnerability exists in the Windows kernel t ...) NOT-FOR-US: Microsoft CVE-2018-0972 (An information disclosure vulnerability exists in the Windows kernel t ...) NOT-FOR-US: Microsoft CVE-2018-0971 (An information disclosure vulnerability exists in the Windows kernel t ...) NOT-FOR-US: Microsoft CVE-2018-0970 (An information disclosure vulnerability exists in the Windows kernel t ...) NOT-FOR-US: Microsoft CVE-2018-0969 (An information disclosure vulnerability exists in the Windows kernel t ...) NOT-FOR-US: Microsoft CVE-2018-0968 (An information disclosure vulnerability exists in the Windows kernel t ...) NOT-FOR-US: Microsoft CVE-2018-0967 (A denial of service vulnerability exists in the way that Windows SNMP ...) NOT-FOR-US: Microsoft CVE-2018-0966 (A security feature bypass exists when Device Guard incorrectly validat ...) NOT-FOR-US: Microsoft CVE-2018-0965 (A remote code execution vulnerability exists when Windows Hyper-V on a ...) NOT-FOR-US: Microsoft CVE-2018-0964 (An information disclosure vulnerability exists when Windows Hyper-V on ...) NOT-FOR-US: Microsoft CVE-2018-0963 (An elevation of privilege vulnerability exists in the way that the Win ...) NOT-FOR-US: Microsoft CVE-2018-0962 RESERVED CVE-2018-0961 (A remote code execution vulnerability exists when Windows Hyper-V on a ...) NOT-FOR-US: Microsoft CVE-2018-0960 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2018-0959 (A remote code execution vulnerability exists when Windows Hyper-V on a ...) NOT-FOR-US: Microsoft CVE-2018-0958 (A security feature bypass vulnerability exists in Windows which could ...) NOT-FOR-US: Microsoft CVE-2018-0957 (An information disclosure vulnerability exists when Windows Hyper-V on ...) NOT-FOR-US: Microsoft CVE-2018-0956 (A denial of service vulnerability exists in the HTTP 2.0 protocol stac ...) NOT-FOR-US: Microsoft CVE-2018-0955 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2018-0954 (A remote code execution vulnerability exists in the way the scripting ...) NOT-FOR-US: Microsoft CVE-2018-0953 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2018-0952 (An Elevation of Privilege vulnerability exists when Diagnostics Hub St ...) NOT-FOR-US: Microsoft CVE-2018-0951 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2018-0950 (An information disclosure vulnerability exists when Office renders Ric ...) NOT-FOR-US: Microsoft CVE-2018-0949 (A security feature bypass vulnerability exists when Microsoft Internet ...) NOT-FOR-US: Microsoft CVE-2018-0948 RESERVED CVE-2018-0947 (Microsoft SharePoint Foundation 2013 SP1 and Microsoft SharePoint Ente ...) NOT-FOR-US: Microsoft CVE-2018-0946 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2018-0945 (A remote code execution vulnerability exists in the way that the scrip ...) NOT-FOR-US: Microsoft CVE-2018-0944 (Microsoft Project Server 2013 SP1 and Microsoft SharePoint Enterprise ...) NOT-FOR-US: Microsoft CVE-2018-0943 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2018-0942 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2018-0941 (Microsoft Exchange Server 2016 Cumulative Update 7 and Microsoft Excha ...) NOT-FOR-US: Microsoft CVE-2018-0940 (Microsoft Exchange Outlook Web Access (OWA) in Microsoft Exchange Serv ...) NOT-FOR-US: Microsoft CVE-2018-0939 (ChakraCore and Microsoft Edge in Windows 10 1703 and 1709 allow inform ...) NOT-FOR-US: Microsoft CVE-2018-0938 RESERVED CVE-2018-0937 (ChakraCore and Microsoft Windows 10 1703 and 1709 allow remote code ex ...) NOT-FOR-US: Microsoft CVE-2018-0936 (ChakraCore and Microsoft Windows 10 1709 allow remote code execution, ...) NOT-FOR-US: Microsoft CVE-2018-0935 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and ...) NOT-FOR-US: Microsoft CVE-2018-0934 (ChakraCore and Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and ...) NOT-FOR-US: Microsoft CVE-2018-0933 (ChakraCore and Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and ...) NOT-FOR-US: Microsoft CVE-2018-0932 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 S ...) NOT-FOR-US: Microsoft CVE-2018-0931 (ChakraCore and Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and ...) NOT-FOR-US: Microsoft CVE-2018-0930 (ChakraCore and Microsoft Edge in Microsoft Windows 10 1709 allows remo ...) NOT-FOR-US: Microsoft CVE-2018-0929 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2018-0928 RESERVED CVE-2018-0927 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 S ...) NOT-FOR-US: Microsoft CVE-2018-0926 (The Windows kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Wi ...) NOT-FOR-US: Microsoft CVE-2018-0925 (ChakraCore allows remote code execution, due to how the ChakraCore scr ...) NOT-FOR-US: Microsoft CVE-2018-0924 (Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 20, Micros ...) NOT-FOR-US: Microsoft CVE-2018-0923 (Microsoft SharePoint Enterprise Server 2016 allows an elevation of pri ...) NOT-FOR-US: Microsoft CVE-2018-0922 (Microsoft Office 2010 SP2, 2013 SP1, and 2016, Microsoft Office 2016 C ...) NOT-FOR-US: Microsoft CVE-2018-0921 (Microsoft SharePoint Enterprise Server 2016 allows an elevation of pri ...) NOT-FOR-US: Microsoft CVE-2018-0920 (A remote code execution vulnerability exists in Microsoft Excel softwa ...) NOT-FOR-US: Microsoft CVE-2018-0919 (Microsoft Office 2010 SP2, 2013 SP1, and 2016, Microsoft Office 2016 C ...) NOT-FOR-US: Microsoft CVE-2018-0918 RESERVED CVE-2018-0917 (Microsoft SharePoint Enterprise Server 2016 allows an elevation of pri ...) NOT-FOR-US: Microsoft CVE-2018-0916 (Microsoft Project Server 2013 SP1 and Microsoft SharePoint Enterprise ...) NOT-FOR-US: Microsoft CVE-2018-0915 (Microsoft Project Server 2013 SP1 and Microsoft SharePoint Enterprise ...) NOT-FOR-US: Microsoft CVE-2018-0914 (Microsoft Project Server 2013 SP1 and Microsoft SharePoint Enterprise ...) NOT-FOR-US: Microsoft CVE-2018-0913 (Microsoft Project Server 2013 SP1 and Microsoft SharePoint Enterprise ...) NOT-FOR-US: Microsoft CVE-2018-0912 (Microsoft Project Server 2013 SP1 and Microsoft SharePoint Enterprise ...) NOT-FOR-US: Microsoft CVE-2018-0911 (Microsoft Project Server 2013 SP1 and Microsoft SharePoint Enterprise ...) NOT-FOR-US: Microsoft CVE-2018-0910 (Microsoft Project Server 2013 SP1 and Microsoft SharePoint Enterprise ...) NOT-FOR-US: Microsoft CVE-2018-0909 (Microsoft Project Server 2013 SP1 and Microsoft SharePoint Enterprise ...) NOT-FOR-US: Microsoft CVE-2018-0908 (Microsoft Identity Manager 2016 SP1 allows an attacker to gain elevate ...) NOT-FOR-US: Microsoft CVE-2018-0907 (Microsoft Excel 2007 SP3, Microsoft Excel 2010 SP2, Microsoft Excel 20 ...) NOT-FOR-US: Microsoft CVE-2018-0906 RESERVED CVE-2018-0905 RESERVED CVE-2018-0904 (The Windows kernel in Microsoft Windows Server 2008 R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2018-0903 (Microsoft Access 2010 SP2, Microsoft Access 2013 SP1, Microsoft Access ...) NOT-FOR-US: Microsoft CVE-2018-0902 (The Cryptography Next Generation (CNG) kernel-mode driver (cng.sys) in ...) NOT-FOR-US: Microsoft CVE-2018-0901 (The Windows kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Wi ...) NOT-FOR-US: Microsoft CVE-2018-0900 (The Windows kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Wi ...) NOT-FOR-US: Microsoft CVE-2018-0899 (The Windows kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Wi ...) NOT-FOR-US: Microsoft CVE-2018-0898 (The Windows kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Wi ...) NOT-FOR-US: Microsoft CVE-2018-0897 (The Windows kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Wi ...) NOT-FOR-US: Microsoft CVE-2018-0896 (The Windows kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Wi ...) NOT-FOR-US: Microsoft CVE-2018-0895 (The Windows kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Wi ...) NOT-FOR-US: Microsoft CVE-2018-0894 (The Windows kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Wi ...) NOT-FOR-US: Microsoft CVE-2018-0893 (Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows ...) NOT-FOR-US: Microsoft CVE-2018-0892 (An information disclosure vulnerability exists when Microsoft Edge imp ...) NOT-FOR-US: Microsoft CVE-2018-0891 (ChakraCore, and Internet Explorer in Microsoft Windows 7 SP1, Windows ...) NOT-FOR-US: Microsoft CVE-2018-0890 (A security feature bypass vulnerability exists when Active Directory i ...) NOT-FOR-US: Microsoft CVE-2018-0889 (Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows ...) NOT-FOR-US: Microsoft CVE-2018-0888 (The Microsoft Hyper-V Network Switch in 64-bit versions of Microsoft W ...) NOT-FOR-US: Microsoft CVE-2018-0887 (An information disclosure vulnerability exists when the Windows kernel ...) NOT-FOR-US: Microsoft CVE-2018-0886 (The Credential Security Support Provider protocol (CredSSP) in Microso ...) NOT-FOR-US: Microsoft CVE-2018-0885 (The Microsoft Hyper-V Network Switch in 64-bit versions of Microsoft W ...) NOT-FOR-US: Microsoft CVE-2018-0884 (Windows Scripting Host (WSH) in Windows 10 Gold, 1511, 1607, 1703 and ...) NOT-FOR-US: Microsoft CVE-2018-0883 (Windows Shell in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows ...) NOT-FOR-US: Microsoft CVE-2018-0882 (The Desktop Bridge in Windows 10 1607, 1703, and 1709, Windows Server ...) NOT-FOR-US: Microsoft CVE-2018-0881 (The Microsoft Video Control in Microsoft Windows Server 2008 R2 SP1, W ...) NOT-FOR-US: Microsoft CVE-2018-0880 (The Desktop Bridge in Windows 10 1607, 1703, and 1709, Windows Server ...) NOT-FOR-US: Microsoft CVE-2018-0879 (Microsoft Edge in Windows 10 1709 allows information disclosure, due t ...) NOT-FOR-US: Microsoft CVE-2018-0878 (Windows Remote Assistance in Microsoft Windows Server 2008 SP2 and R2 ...) NOT-FOR-US: Microsoft CVE-2018-0877 (The Desktop Bridge Virtual File System (VFS) in Windows 10 1607, 1703, ...) NOT-FOR-US: Microsoft CVE-2018-0876 (Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows ...) NOT-FOR-US: Microsoft CVE-2018-0875 (.NET Core 1.0, .NET Core 1.1, NET Core 2.0 and PowerShell Core 6.0.0 a ...) NOT-FOR-US: Microsoft CVE-2018-0874 (ChakraCore and Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607 ...) NOT-FOR-US: Microsoft CVE-2018-0873 (ChakraCore and Microsoft Edge in Microsoft Windows 10 1511, 1607, 1703 ...) NOT-FOR-US: Microsoft CVE-2018-0872 (ChakraCore and Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607 ...) NOT-FOR-US: Microsoft CVE-2018-0871 (An information disclosure vulnerability exists when Edge improperly ma ...) NOT-FOR-US: Microsoft CVE-2018-0870 (A remote code execution vulnerability exists when Internet Explorer im ...) NOT-FOR-US: Microsoft CVE-2018-0869 (SharePoint Server 2016 allows an elevation of privilege vulnerability ...) NOT-FOR-US: Microsoft CVE-2018-0868 (Windows Installer in Microsoft Windows Server 2008 SP2 and R2 SP1, Win ...) NOT-FOR-US: Microsoft CVE-2018-0867 RESERVED CVE-2018-0866 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and ...) NOT-FOR-US: Microsoft CVE-2018-0865 RESERVED CVE-2018-0864 (SharePoint Project Server 2013 and SharePoint Enterprise Server 2016 a ...) NOT-FOR-US: Microsoft CVE-2018-0863 RESERVED CVE-2018-0862 (Equation Editor in Microsoft Office 2003, Microsoft Office 2007, Micro ...) NOT-FOR-US: Microsoft CVE-2018-0861 (Microsoft Edge in Microsoft Windows 10 1607, 1703, and Windows Server ...) NOT-FOR-US: Microsoft CVE-2018-0860 (Microsoft Edge and ChakraCore in Microsoft Windows 10 Gold, 1511, 1607 ...) NOT-FOR-US: Microsoft CVE-2018-0859 (Microsoft Edge and ChakraCore in Microsoft Windows 10 Gold, 1511, 1607 ...) NOT-FOR-US: Microsoft CVE-2018-0858 (ChakraCore allows remote code execution, due to how the ChakraCore scr ...) NOT-FOR-US: Microsoft CVE-2018-0857 (Microsoft Edge and ChakraCore in Microsoft Windows 10 Gold, 1511, 1607 ...) NOT-FOR-US: Microsoft CVE-2018-0856 (Microsoft Edge and ChakraCore in Microsoft Windows 10 1703 and 1709 al ...) NOT-FOR-US: Microsoft CVE-2018-0855 (The Microsoft Windows Embedded OpenType (EOT) font engine in Microsoft ...) NOT-FOR-US: Microsoft CVE-2018-0854 (A security feature bypass vulnerability exists in Windows Scripting Ho ...) NOT-FOR-US: Microsoft CVE-2018-0853 (Microsoft Office 2010 SP2, Microsoft Office 2013 SP1 and RT SP1, Micro ...) NOT-FOR-US: Microsoft CVE-2018-0852 (Microsoft Outlook 2007 SP3, Microsoft Outlook 2010 SP2, Microsoft Outl ...) NOT-FOR-US: Microsoft CVE-2018-0851 (Microsoft Office 2007 SP2, Microsoft Office Word Viewer, Microsoft Off ...) NOT-FOR-US: Microsoft CVE-2018-0850 (Microsoft Outlook 2007, Microsoft Outlook 2010, Microsoft Outlook 2013 ...) NOT-FOR-US: Microsoft CVE-2018-0849 (Equation Editor in Microsoft Office 2003, Microsoft Office 2007, Micro ...) NOT-FOR-US: Microsoft CVE-2018-0848 (Equation Editor in Microsoft Office 2003, Microsoft Office 2007, Micro ...) NOT-FOR-US: Microsoft CVE-2018-0847 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 S ...) NOT-FOR-US: Microsoft CVE-2018-0846 (The Windows Common Log File System (CLFS) driver in Windows 7 SP1, Win ...) NOT-FOR-US: Microsoft CVE-2018-0845 (Equation Editor in Microsoft Office 2003, Microsoft Office 2007, Micro ...) NOT-FOR-US: Microsoft CVE-2018-0844 (The Windows Common Log File System (CLFS) driver in Windows 7 SP1, Win ...) NOT-FOR-US: Microsoft CVE-2018-0843 (The Windows kernel in Windows 10 version 1709 and Windows Server, vers ...) NOT-FOR-US: Microsoft CVE-2018-0842 (Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2008 SP2 and R2 ...) NOT-FOR-US: Microsoft CVE-2018-0841 (Microsoft Office 2016 Click-to-Run allows a remote code execution vuln ...) NOT-FOR-US: Microsoft CVE-2018-0840 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 S ...) NOT-FOR-US: Microsoft CVE-2018-0839 (Microsoft Edge in Microsoft Windows 10 1703 allows information disclos ...) NOT-FOR-US: Microsoft CVE-2018-0838 (Microsoft Edge and ChakraCore in Microsoft Windows 10 Gold, 1511, 1607 ...) NOT-FOR-US: Microsoft CVE-2018-0837 (Microsoft Edge and ChakraCore in Microsoft Windows 10 Gold, 1511, 1607 ...) NOT-FOR-US: Microsoft CVE-2018-0836 (Microsoft Edge and ChakraCore in Microsoft Windows 10 1703 and 1709 al ...) NOT-FOR-US: Microsoft CVE-2018-0835 (Microsoft Edge and ChakraCore in Microsoft Windows 10 Gold, 1511, 1607 ...) NOT-FOR-US: Microsoft CVE-2018-0834 (Microsoft Edge and ChakraCore in Microsoft Windows 10 Gold, 1511, 1607 ...) NOT-FOR-US: Microsoft CVE-2018-0833 (The Microsoft Server Message Block 2.0 and 3.0 (SMBv2/SMBv3) client in ...) NOT-FOR-US: Microsoft CVE-2018-0832 (The Windows kernel in Windows 8.1 and RT 8.1, Windows Server 2012 R2, ...) NOT-FOR-US: Microsoft CVE-2018-0831 (The Windows kernel in Windows 10 versions 1607, 1703 and 1709, Windows ...) NOT-FOR-US: Microsoft CVE-2018-0830 (The Windows kernel in Windows 7 SP1, Windows 8.1 and RT 8.1, Windows S ...) NOT-FOR-US: Microsoft CVE-2018-0829 (The Windows kernel in Windows 7 SP1, Windows 8.1 and RT 8.1, Windows S ...) NOT-FOR-US: Microsoft CVE-2018-0828 (Windows 10 version 1607 and Windows Server 2016 allow an elevation of ...) NOT-FOR-US: Microsoft CVE-2018-0827 (Windows Scripting Host (WSH) in Windows 10 versions 1703 and 1709 and ...) NOT-FOR-US: Microsoft CVE-2018-0826 (Windows Storage Services in Windows 10 versions 1511, 1607, 1703 and 1 ...) NOT-FOR-US: Microsoft CVE-2018-0825 (StructuredQuery in Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Serv ...) NOT-FOR-US: Microsoft CVE-2018-0824 (A remote code execution vulnerability exists in "Microsoft COM for Win ...) NOT-FOR-US: Microsoft CVE-2018-0823 (The Named Pipe File System in Windows 10 version 1709 and Windows Serv ...) NOT-FOR-US: Microsoft CVE-2018-0822 (NTFS in Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Server 201 ...) NOT-FOR-US: Microsoft CVE-2018-0821 (AppContainer in Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Se ...) NOT-FOR-US: Microsoft CVE-2018-0820 (The Windows kernel in Windows 7 SP1, Windows 8.1 and RT 8.1, Windows S ...) NOT-FOR-US: Microsoft CVE-2018-0819 (Microsoft Office 2016 for Mac allows an attacker to send a specially c ...) NOT-FOR-US: Microsoft CVE-2018-0818 (Microsoft ChakraCore allows an attacker to bypass Control Flow Guard ( ...) NOT-FOR-US: Microsoft CVE-2018-0817 (The Windows Graphics Device Interface (GDI) in Microsoft Windows Serve ...) NOT-FOR-US: Microsoft CVE-2018-0816 (The Windows Graphics Device Interface (GDI) in Microsoft Windows Serve ...) NOT-FOR-US: Microsoft CVE-2018-0815 (The Windows Graphics Device Interface (GDI) in Microsoft Windows Serve ...) NOT-FOR-US: Microsoft CVE-2018-0814 (The Windows kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Wi ...) NOT-FOR-US: Microsoft CVE-2018-0813 (The Windows kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Wi ...) NOT-FOR-US: Microsoft CVE-2018-0812 (Equation Editor in Microsoft Office 2003, Microsoft Office 2007, Micro ...) NOT-FOR-US: Microsoft CVE-2018-0811 (The Windows kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Wi ...) NOT-FOR-US: Microsoft CVE-2018-0810 (The Windows kernel in Windows 7 SP1, Windows Server 2008 SP2 and R2, a ...) NOT-FOR-US: Microsoft CVE-2018-0809 (The Windows kernel in Windows 10, versions 1703 and 1709, and Windows ...) NOT-FOR-US: Microsoft CVE-2018-0808 (ASP.NET Core 1.0. 1.1, and 2.0 allow an elevation of privilege vulnera ...) NOT-FOR-US: Microsoft CVE-2018-0807 (Equation Editor in Microsoft Office 2003, Microsoft Office 2007, Micro ...) NOT-FOR-US: Microsoft CVE-2018-0806 (Equation Editor in Microsoft Office 2003, Microsoft Office 2007, Micro ...) NOT-FOR-US: Microsoft CVE-2018-0805 (Equation Editor in Microsoft Office 2003, Microsoft Office 2007, Micro ...) NOT-FOR-US: Microsoft CVE-2018-0804 (Equation Editor in Microsoft Office 2003, Microsoft Office 2007, Micro ...) NOT-FOR-US: Microsoft CVE-2018-0803 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, a ...) NOT-FOR-US: Microsoft CVE-2018-0802 (Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Micro ...) NOT-FOR-US: Microsoft CVE-2018-0801 (Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Micro ...) NOT-FOR-US: Microsoft CVE-2018-0800 (Microsoft Edge in Microsoft Windows 10 1709 allows an attacker to obta ...) NOT-FOR-US: Microsoft CVE-2018-0799 (Microsoft Access in Microsoft SharePoint Enterprise Server 2013 and Mi ...) NOT-FOR-US: Microsoft CVE-2018-0798 (Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Micro ...) NOT-FOR-US: Microsoft CVE-2018-0797 (Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 201 ...) NOT-FOR-US: Microsoft CVE-2018-0796 (Microsoft Excel in Microsoft Office 2007, Microsoft Office 2010, Micro ...) NOT-FOR-US: Microsoft CVE-2018-0795 (Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 201 ...) NOT-FOR-US: Microsoft CVE-2018-0794 (Microsoft Word in Microsoft Office 2007, Microsoft Office 2010, Micros ...) NOT-FOR-US: Microsoft CVE-2018-0793 (Microsoft Outlook 2007, Microsoft Outlook 2010 and Microsoft Outlook 2 ...) NOT-FOR-US: Microsoft CVE-2018-0792 (Microsoft Word 2016 in Microsoft Office 2016 allows a remote code exec ...) NOT-FOR-US: Microsoft CVE-2018-0791 (Microsoft Outlook 2007, Microsoft Outlook 2010, Microsoft Outlook 2013 ...) NOT-FOR-US: Microsoft CVE-2018-0790 (Microsoft SharePoint Foundation 2010, Microsoft SharePoint Server 2013 ...) NOT-FOR-US: Microsoft CVE-2018-0789 (Microsoft SharePoint Foundation 2010, Microsoft SharePoint Server 2013 ...) NOT-FOR-US: Microsoft CVE-2018-0788 (The Windows Adobe Type Manager Font Driver (Atmfd.dll) in Windows 7 SP ...) NOT-FOR-US: Microsoft CVE-2018-0787 (ASP.NET Core 1.0. 1.1, and 2.0 allow an elevation of privilege vulnera ...) NOT-FOR-US: Microsoft CVE-2018-0786 (Microsoft .NET Framework 2.0 SP2, 3.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6, 4.6 ...) NOT-FOR-US: Microsoft CVE-2018-0785 (ASP.NET Core 1.0. 1.1, and 2.0 allow a cross site request forgery vuln ...) NOT-FOR-US: Microsoft CVE-2018-0784 (ASP.NET Core 1.0. 1.1, and 2.0 allow an elevation of privilege vulnera ...) NOT-FOR-US: Microsoft CVE-2018-0783 RESERVED CVE-2018-0782 RESERVED CVE-2018-0781 (Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows ...) NOT-FOR-US: Microsoft CVE-2018-0780 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, a ...) NOT-FOR-US: Microsoft CVE-2018-0779 RESERVED CVE-2018-0778 (Microsoft Edge in Windows 10 1709 allows an attacker to execute arbitr ...) NOT-FOR-US: Microsoft CVE-2018-0777 (Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows ...) NOT-FOR-US: Microsoft CVE-2018-0776 (Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows ...) NOT-FOR-US: Microsoft CVE-2018-0775 (Microsoft Edge in Windows 10 1709 allows an attacker to execute arbitr ...) NOT-FOR-US: Microsoft CVE-2018-0774 (Microsoft Edge in Windows 10 1709 allows an attacker to execute arbitr ...) NOT-FOR-US: Microsoft CVE-2018-0773 (Microsoft Edge in Windows 10 1709 allows an attacker to execute arbitr ...) NOT-FOR-US: Microsoft CVE-2018-0772 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and ...) NOT-FOR-US: Microsoft CVE-2018-0771 (Microsoft Edge in Microsoft Windows 10 1607, 1703, and Windows Server ...) NOT-FOR-US: Microsoft CVE-2018-0770 (Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows ...) NOT-FOR-US: Microsoft CVE-2018-0769 (Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows ...) NOT-FOR-US: Microsoft CVE-2018-0768 (Microsoft Edge in Windows 10 1709 allows an attacker to execute arbitr ...) NOT-FOR-US: Microsoft CVE-2018-0767 (Microsoft Edge in Microsoft Windows 10 1511, 1607, 1703, 1709, and Win ...) NOT-FOR-US: Microsoft CVE-2018-0766 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, a ...) NOT-FOR-US: Microsoft CVE-2018-0765 (A denial of service vulnerability exists when .NET and .NET Core impro ...) NOT-FOR-US: .dotnet CoreFX NOTE: https://github.com/dotnet/announcements/issues/67 NOTE: https://github.com/dotnet/corefx/issues/29578 CVE-2018-0764 (Microsoft .NET Framework 1.1, 2.0, 3.0, 3.5, 3.5.1, 4, 4.5, 4.5.1, 4.5 ...) NOT-FOR-US: Microsoft CVE-2018-0763 (Microsoft Edge in Microsoft Windows 10 1703 and 1709 allows informatio ...) NOT-FOR-US: Microsoft CVE-2018-0762 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and ...) NOT-FOR-US: Microsoft CVE-2018-0761 (The Microsoft Windows Embedded OpenType (EOT) font engine in Microsoft ...) NOT-FOR-US: Microsoft CVE-2018-0760 (The Microsoft Windows Embedded OpenType (EOT) font engine in Microsoft ...) NOT-FOR-US: Microsoft CVE-2018-0759 RESERVED CVE-2018-0758 (Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows ...) NOT-FOR-US: Microsoft CVE-2018-0757 (The Windows kernel in Windows 7 SP1, Windows 8.1 and RT 8.1, Windows S ...) NOT-FOR-US: Microsoft CVE-2018-0756 (The Windows kernel in Windows 10 Gold, 1511, 1607, 1703 and 1709, Wind ...) NOT-FOR-US: Microsoft CVE-2018-0755 (The Microsoft Windows Embedded OpenType (EOT) font engine in Microsoft ...) NOT-FOR-US: Microsoft CVE-2018-0754 (The Windows Adobe Type Manager Font Driver (Atmfd.dll) in Windows 7 SP ...) NOT-FOR-US: Microsoft CVE-2018-0753 (Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1 ...) NOT-FOR-US: Microsoft CVE-2018-0752 (The Windows Kernel API in Windows 8.1 and RT 8.1, Windows Server 2012 ...) NOT-FOR-US: Microsoft CVE-2018-0751 (The Windows Kernel API in Windows 8.1 and RT 8.1, Windows Server 2012 ...) NOT-FOR-US: Microsoft CVE-2018-0750 (The Windows GDI component in Windows 7 SP1 and Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2018-0749 (The Microsoft Server Message Block (SMB) Server in Windows 7 SP1, Wind ...) NOT-FOR-US: Microsoft CVE-2018-0748 (The Windows kernel in Windows 7 SP1, Windows 8.1 and RT 8.1, Windows S ...) NOT-FOR-US: Microsoft CVE-2018-0747 (The Windows kernel in Windows 7 SP1, Windows 8.1 and RT 8.1, Windows S ...) NOT-FOR-US: Microsoft CVE-2018-0746 (The Windows kernel in Windows 8.1 and RT 8.1, Windows Server 2012 and ...) NOT-FOR-US: Microsoft CVE-2018-0745 (The Windows kernel in Windows 10 version 1703. Windows 10 version 1709 ...) NOT-FOR-US: Microsoft CVE-2018-0744 (The Windows kernel in Windows 8.1 and RT 8.1, Windows Server 2012 and ...) NOT-FOR-US: Microsoft CVE-2018-0743 (Windows Subsystem for Linux in Windows 10 version 1703, Windows 10 ver ...) NOT-FOR-US: Microsoft CVE-2018-0742 (The Windows kernel in Windows 7 SP1, Windows 8.1 and RT 8.1, Windows S ...) NOT-FOR-US: Microsoft CVE-2018-0741 (The Color Management Module (Icm32.dll) in Windows 7 SP1 and Windows S ...) NOT-FOR-US: Microsoft CVE-2017-17089 (custom/run.cgi in Webmin before 1.870 allows remote authenticated admi ...) - webmin CVE-2017-17091 (wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser k ...) {DSA-4090-1 DLA-1216-1} - wordpress 4.9.1+dfsg-1 (bug #883314) NOTE: https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c NOTE: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/ CVE-2017-17093 (wp-includes/general-template.php in WordPress before 4.9.1 does not pr ...) {DSA-4090-1 DLA-1216-1} - wordpress 4.9.1+dfsg-1 (bug #883314) NOTE: https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a NOTE: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/ CVE-2017-17094 (wp-includes/feed.php in WordPress before 4.9.1 does not properly restr ...) {DSA-4090-1 DLA-1216-1} - wordpress 4.9.1+dfsg-1 (bug #883314) NOTE: https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de NOTE: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/ CVE-2017-17092 (wp-includes/functions.php in WordPress before 4.9.1 does not require t ...) {DSA-4090-1 DLA-1216-1} - wordpress 4.9.1+dfsg-1 (bug #883314) NOTE: https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509 NOTE: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/ CVE-2017-17095 (tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows remote attackers to ...) {DSA-4349-1 DLA-2009-1} - tiff 4.0.9-5 (unimportant; bug #883320) - tiff3 (unimportant) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2750 NOTE: Crash in CLI tool not treated as a security issue NOTE: https://gitlab.com/libtiff/libtiff/commit/9171da596c88e6a2dadcab4a3a89dddd6e1b4655 CVE-2017-17088 (The Enterprise version of SyncBreeze 10.2.12 and earlier is affected b ...) NOT-FOR-US: SyncBreeze CVE-2017-17087 (fileio.c in Vim prior to 8.0.1263 sets the group ownership of a .swp f ...) {DLA-1871-1} - vim 2:8.0.1401-1 [stretch] - vim (Minor issue) [wheezy] - vim (Minor issue) NOTE: https://github.com/vim/vim/commit/5a73e0ca54c77e067c3b12ea6f35e3e8681e8cf8 (8.0.1263) CVE-2017-17086 (Indeo Otter through 1.7.4 mishandles a "</script>" substring in ...) NOT-FOR-US: Indeo Otter CVE-2017-17085 (In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the CIP Safety dissec ...) {DSA-4060-1 DLA-1226-1} - wireshark 2.4.3-1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14250 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f5939debe96e3c3953c6020818f1fbb80eb83ce8 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-49.html CVE-2017-17084 (In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the IWARP_MPA dissect ...) {DSA-4060-1 DLA-1226-1} - wireshark 2.4.3-1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14236 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=8502fe94ef9e431860921507e1a351c5e3f5c634 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-47.html CVE-2017-17083 (In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the NetBIOS dissector ...) {DSA-4060-1 DLA-1226-1} - wireshark 2.4.3-1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14249 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=79768d63d14fbce6bf7fb4d4a1c86be0c5205eb3 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-48.html CVE-2017-17082 REJECTED CVE-2017-17081 (The gmc_mmx function in libavcodec/x86/mpegvideodsp.c in FFmpeg 3.4 do ...) {DSA-4099-1} - ffmpeg 7:3.4.1-1 NOTE: https://github.com/FFmpeg/FFmpeg/commit/58cf31cee7a456057f337b3102a03206d833d5e8 CVE-2017-17080 (elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as dis ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22421 CVE-2018-0740 REJECTED CVE-2018-0739 (Constructed ASN.1 types with a recursive definition (such as can be fo ...) {DSA-4158-1 DSA-4157-1 DLA-1330-1} - openssl 1.1.0h-1 - openssl1.0 1.0.2o-1 - libtomcrypt 1.18.2-1 (low) [stretch] - libtomcrypt (Minor issue) [jessie] - libtomcrypt (Minor issue) NOTE: https://www.openssl.org/news/secadv/20180327.txt NOTE: OpenSSL_1_1_0-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=2ac4c6f7b2b2af20c0e2b0ba05367e454cd11b33 NOTE: OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=9310d45087ae546e27e61ddf8f6367f29848220d NOTE: https://github.com/libtom/libtomcrypt/pull/373 CVE-2018-0738 REJECTED CVE-2018-0737 (The OpenSSL RSA Key generation algorithm has been shown to be vulnerab ...) {DSA-4355-1 DSA-4348-1 DLA-1449-1} - openssl 1.1.0h-3 (low; bug #895844) [wheezy] - openssl (Can wait for next update) - openssl1.0 1.0.2q-1 (low; bug #895845) NOTE: https://www.openssl.org/news/secadv/20180416.txt NOTE: OpenSSL_1_1_0-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=6939eab03a6e23d2bd2c3f5e34fe1d48e542e787 NOTE: OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=349a41da1ad88ad87825414752a8ff5fdd6a6c3f NOTE: https://eprint.iacr.org/2018/367 CVE-2018-0736 REJECTED CVE-2018-0735 (The OpenSSL ECDSA signature algorithm has been shown to be vulnerable ...) {DSA-4348-1 DLA-1586-1} - openssl 1.1.1a-1 - openssl1.0 (Vulnerable code never present in 1.0.2 series) NOTE: https://www.openssl.org/news/secadv/20181029.txt NOTE: OpenSSL_1_1_1-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4 NOTE: OpenSSL_1_1_0-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=56fb454d281a023b3f950d969693553d3f3ceea1 CVE-2018-0734 (The OpenSSL DSA signature algorithm has been shown to be vulnerable to ...) {DSA-4355-1 DSA-4348-1} - openssl 1.1.1a-1 [jessie] - openssl (vulnerable code not present, but see note below) - openssl1.0 1.0.2q-1 NOTE: https://www.openssl.org/news/secadv/20181030.txt NOTE: OpenSSL_1_1_1-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=8abfe72e8c1de1b95f50aa0d9134803b4d00070f NOTE: OpenSSL_1_1_0-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=ef11e19d1365eea2b1851e6f540a0bf365d303e7 NOTE: OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=43e6a58d4991a451daf4891ff05a48735df871ac NOTE: Actually the version in Jessie is not vulnerable. Nevertheless there is a bug fix which NOTE: futher reduces the amount of leaked timing information. It got no CVE on its own and NOTE: introduced this vulnerability. In order to not forget this issue and probably get more NOTE: information about it later, it is marked as instead of NOTE: https://git.openssl.org/?p=openssl.git;a=commitdiff;h=b96bebacfe814deb99fb64a3ed2296d95c573600 CVE-2018-0733 (Because of an implementation bug the PA-RISC CRYPTO_memcmp function is ...) - openssl 1.1.0h-1 (unimportant) [stretch] - openssl 1.1.0f-3+deb9u2 [jessie] - openssl (vulnerable code not present) [wheezy] - openssl (vulnerable code not present) - openssl1.0 (Only affects OpenSSL 1.1.0) NOTE: Issue specific to HP-UX NOTE: https://www.openssl.org/news/secadv/20180327.txt CVE-2018-0732 (During key agreement in a TLS handshake using a DH(E) based ciphersuit ...) {DSA-4355-1 DSA-4348-1 DLA-1449-1} - openssl 1.1.1-1 (low) - openssl1.0 1.0.2q-1 (low) NOTE: OpenSSL_1_1_0-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=ea7abeeabf92b7aca160bdd0208636d4da69f4f4 NOTE: OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=3984ef0b72831da8b3ece4745cac4f8575b19098 NOTE: https://www.openssl.org/news/secadv/20180612.txt CVE-2018-0731 REJECTED CVE-2017-17079 REJECTED CVE-2017-17078 REJECTED CVE-2017-17077 REJECTED CVE-2017-17076 REJECTED CVE-2017-17075 REJECTED CVE-2017-17074 REJECTED CVE-2017-17073 REJECTED CVE-2017-17072 REJECTED CVE-2017-17071 REJECTED CVE-2017-17070 REJECTED CVE-2017-17069 (ActiveSetupN.exe in Amazon Audible for Windows before November 2017 al ...) NOT-FOR-US: ActiveSetupN.exe in Amazon Audible for Windows CVE-2017-17068 (A cross-origin vulnerability has been discovered in the Auth0 auth0.js ...) NOT-FOR-US: Auth0 auth0.js library CVE-2017-17067 (Splunk Web in Splunk Enterprise 7.0.x before 7.0.0.1, 6.6.x before 6.6 ...) NOT-FOR-US: Splunk Web CVE-2017-17066 (The (1) i2pd before 2.17 and (2) kovri pre-alpha implementations of th ...) - i2pd (Fixed before/with the initial upload to Debian) NOTE: Issue fixed with 2.17.0 upstream CVE-2017-17065 (An issue was discovered on D-Link DIR-605L Model B before FW2.11betaB0 ...) NOT-FOR-US: D-Link CVE-2017-17064 RESERVED CVE-2017-17063 RESERVED CVE-2017-17062 (The backend component in Open-Xchange OX App Suite before 7.6.3-rev35, ...) NOT-FOR-US: Open-Xchange CVE-2017-17061 (OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Cross ...) NOT-FOR-US: OX Software GmbH OX App Suite CVE-2017-17060 (OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Insecu ...) NOT-FOR-US: OX Software GmbH OX App Suite CVE-2017-17059 (XSS exists in the amtyThumb amty-thumb-recent-post (aka amtyThumb post ...) NOT-FOR-US: WordPress plugin wp-thumb-post CVE-2017-1000385 (The Erlang otp TLS server answers with different TLS alerts to differe ...) {DSA-4057-1 DLA-1207-1} - erlang 1:20.1.7+dfsg-1 NOTE: https://groups.google.com/forum/#!topic/erlang-programming/J0LH-j6fRlM NOTE: https://github.com/erlang/otp/commit/38b07caa2a1c6cd3537eadd36770afa54f067562 (OTP-20.1.7) NOTE: https://github.com/erlang/otp/commit/3b4386dd19b7e669f557c95ace8d7ba228291927 (OTP-19.3.6.4) NOTE: https://github.com/erlang/otp/commit/de3b9cdb8521d7edd524b4e17d1e3f883f832ec0 (OTP-18.3.4.7) NOTE: https://robotattack.org/ CVE-2017-17058 (** DISPUTED ** The WooCommerce plugin through 3.x for WordPress has a ...) NOT-FOR-US: WooCommerce plugin for WordPress CVE-2017-17057 (There is a reflected XSS vulnerability in ZKTime Web 2.0.1.12280. The ...) NOT-FOR-US: ZKTeco ZKTime Web Software CVE-2017-17056 (The ZKTime Web Software 2.0.1.12280 allows the Administrator to elevat ...) NOT-FOR-US: ZKTeco ZKTime Web Software CVE-2017-17055 (Artica Web Proxy before 3.06.112911 allows remote attackers to execute ...) NOT-FOR-US: Artica Web Proxy CVE-2017-17054 (In aubio 0.4.6, a divide-by-zero error exists in the function new_aubi ...) - aubio 0.4.6-1 (bug #883355) [stretch] - aubio (Minor issue) [jessie] - aubio (Vulnerability introduced in 0.4.3) [wheezy] - aubio (Vulnerability introduced in 0.4.3) NOTE: https://github.com/aubio/aubio/issues/148 CVE-2017-17050 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a deni ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17049 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a deni ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17048 RESERVED CVE-2017-17047 RESERVED CVE-2017-17043 (The Emag Marketplace Connector plugin 1.0.0 for WordPress has reflecte ...) NOT-FOR-US: Emag Marketplace Connector for WordPress CVE-2017-17053 (The init_new_context function in arch/x86/include/asm/mmu_context.h in ...) - linux 4.12.12-1 [stretch] - linux 4.9.47-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/ccd5b3235180eef3cfec337df1c8554ab151b5cc CVE-2017-17052 (The mm_init function in kernel/fork.c in the Linux kernel before 4.12. ...) - linux 4.12.12-1 [stretch] - linux 4.9.47-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/2b7e8665b4ff51c034c55df3cff76518d1a9ee3a CVE-2018-0730 (This command injection vulnerability in File Station allows attackers ...) NOT-FOR-US: QNAP CVE-2018-0729 (This command injection vulnerability in Music Station allows attackers ...) NOT-FOR-US: QNAP CVE-2018-0728 (This improper access control vulnerability in Helpdesk allows attacker ...) NOT-FOR-US: QNAP CVE-2018-0727 RESERVED CVE-2018-0726 RESERVED CVE-2018-0725 RESERVED CVE-2018-0724 (Cross-site scripting (XSS) vulnerability in Q'center Virtual Appliance ...) NOT-FOR-US: Q'center Virtual Appliance CVE-2018-0723 (Cross-site scripting (XSS) vulnerability in Q'center Virtual Appliance ...) NOT-FOR-US: Q'center Virtual Appliance CVE-2018-0722 (Path Traversal vulnerability in Photo Station versions: 5.7.2 and earl ...) NOT-FOR-US: QNAP CVE-2018-0721 (Buffer Overflow vulnerability in NAS devices. QTS allows attackers to ...) NOT-FOR-US: QNAP QTS CVE-2018-0720 RESERVED CVE-2018-0719 (Cross-site Scripting (XSS) vulnerability in NAS devices of QNAP System ...) NOT-FOR-US: QNAP QTS CVE-2018-0718 (Command injection vulnerability in Music Station 5.1.2 and earlier ver ...) NOT-FOR-US: Music Station CVE-2018-0717 RESERVED CVE-2018-0716 (Cross-site scripting vulnerability in QTS 4.2.6 build 20180711, QTS 4. ...) NOT-FOR-US: QNAP CVE-2018-0715 (Cross-site scripting vulnerability in QNAP Photo Station versions 5.7. ...) NOT-FOR-US: QNAP Photo Station CVE-2018-0714 (Command injection vulnerability in Helpdesk versions 1.1.21 and earlie ...) NOT-FOR-US: Helpdesk CVE-2018-0713 RESERVED CVE-2018-0712 (Command injection vulnerability in LDAP Server in QNAP QTS 4.2.6 build ...) NOT-FOR-US: QNAP CVE-2018-0711 (Cross-site scripting (XSS) vulnerability in QNAP QTS 4.3.3 build 20180 ...) NOT-FOR-US: QNAP CVE-2018-0710 (Command injection vulnerability in SSH of QNAP Q'center Virtual Applia ...) NOT-FOR-US: QNAP CVE-2018-0709 (Command injection vulnerability in date of QNAP Q'center Virtual Appli ...) NOT-FOR-US: QNAP CVE-2018-0708 (Command injection vulnerability in networking of QNAP Q'center Virtual ...) NOT-FOR-US: QNAP CVE-2018-0707 (Command injection vulnerability in change password of QNAP Q'center Vi ...) NOT-FOR-US: QNAP CVE-2018-0706 (Exposure of Private Information in QNAP Q'center Virtual Appliance ver ...) NOT-FOR-US: QNAP CVE-2017-17042 (lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not ...) - yard 0.9.12-1 [stretch] - yard (Minor issue) [jessie] - yard (Minor issue) [wheezy] - yard (Minor issue) NOTE: Fixed by: https://github.com/lsegal/yard/commit/b0217b3e30dc53d057b1682506333335975e62b4 (0.9.11) CVE-2017-17041 RESERVED CVE-2017-17040 RESERVED CVE-2017-17039 RESERVED CVE-2017-17038 RESERVED CVE-2017-17037 RESERVED CVE-2017-17036 RESERVED CVE-2017-17035 RESERVED CVE-2017-17034 RESERVED CVE-2017-17033 (A buffer overflow vulnerability in password function in QNAP QTS versi ...) NOT-FOR-US: QNAP QTS CVE-2017-17032 (A buffer overflow vulnerability in password function in QNAP QTS versi ...) NOT-FOR-US: QNAP QTS CVE-2017-17031 (A buffer overflow vulnerability in password function in QNAP QTS versi ...) NOT-FOR-US: QNAP QTS CVE-2017-17030 (A buffer overflow vulnerability in login function in QNAP QTS version ...) NOT-FOR-US: QNAP QTS CVE-2017-17029 (A buffer overflow vulnerability in login function in QNAP QTS version ...) NOT-FOR-US: QNAP QTS CVE-2017-17028 (A buffer overflow vulnerability in external device function in QNAP QT ...) NOT-FOR-US: QNAP QTS CVE-2017-17027 (A buffer overflow vulnerability in FTP service in QNAP QTS version 4.2 ...) NOT-FOR-US: QNAP QTS CVE-2017-17045 (An issue was discovered in Xen through 4.9.x allowing HVM guest OS use ...) {DSA-4050-1 DLA-1559-1 DLA-1230-1} - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-247.html CVE-2017-17044 (An issue was discovered in Xen through 4.9.x allowing HVM guest OS use ...) {DSA-4050-1 DLA-1559-1 DLA-1230-1} - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-246.html CVE-2017-17046 (An issue was discovered in Xen through 4.9.x on the ARM platform allow ...) {DSA-4050-1 DLA-1549-1} - xen 4.8.2+xsa245-0+deb9u1 [wheezy] - xen (arm not supported) NOTE: https://xenbits.xen.org/xsa/advisory-245.html CVE-2018-0705 (Directory traversal vulnerability in Cybozu Dezie 8.0.2 to 8.1.2 allow ...) NOT-FOR-US: Cybozu CVE-2018-0704 (Directory traversal vulnerability in Cybozu Office 10.0.0 to 10.8.1 al ...) NOT-FOR-US: Cybozu CVE-2018-0703 (Directory traversal vulnerability in Cybozu Office 10.0.0 to 10.8.1 al ...) NOT-FOR-US: Cybozu CVE-2018-0702 (Directory traversal vulnerability in Cybozu Mailwise 5.0.0 to 5.4.5 al ...) NOT-FOR-US: Cybozu CVE-2018-0701 (BlueStacks App Player (BlueStacks App Player for Windows 3.0.0 to 4.31 ...) NOT-FOR-US: BlueStacks App Player CVE-2018-0700 (YukiWiki 2.1.3 and earlier does not process a particular request prope ...) NOT-FOR-US: YukiWiki CVE-2018-0699 (Cross-site scripting vulnerability in YukiWiki 2.1.3 and earlier allow ...) NOT-FOR-US: YukiWiki CVE-2018-0698 (Cross-site scripting vulnerability in GROWI v3.2.3 and earlier allows ...) NOT-FOR-US: GROWI CVE-2018-0697 (Cross-site scripting vulnerability in Metabase version 0.29.3 and earl ...) NOT-FOR-US: Metabase CVE-2018-0696 (OpenAM (Open Source Edition) 13.0 and later does not properly manage s ...) NOT-FOR-US: OpenAM (different from src:openam) CVE-2018-0695 (Cross-site scripting vulnerability in User-friendly SVN (USVN) Version ...) NOT-FOR-US: User-friendly SVN CVE-2018-0694 (FileZen V3.0.0 to V4.2.1 allows remote attackers to execute arbitrary ...) NOT-FOR-US: FileZen CVE-2018-0693 (Directory traversal vulnerability in FileZen V3.0.0 to V4.2.1 allows r ...) NOT-FOR-US: FileZen CVE-2018-0692 (Untrusted search path vulnerability in Baidu Browser Version 43.23.100 ...) NOT-FOR-US: Baidu CVE-2018-0691 (Multiple +Message Apps (Softbank +Message App for Android prior to ver ...) NOT-FOR-US: Softbank +Message App for Android CVE-2018-0690 (An unvalidated software update vulnerability in Music Center for PC ve ...) NOT-FOR-US: Music Center for PC CVE-2018-0689 (HTTP header injection vulnerability in SEIKO EPSON printers and scanne ...) NOT-FOR-US: SEIKO CVE-2018-0688 (Open redirect vulnerability in SEIKO EPSON printers and scanners (DS-5 ...) NOT-FOR-US: SEIKO CVE-2018-0687 (Cross-site scripting vulnerability in Denbun by NEOJAPAN Inc. (Denbun ...) NOT-FOR-US: NEOJAPAN CVE-2018-0686 (Denbun by NEOJAPAN Inc. (Denbun POP version V3.3P R4.0 and earlier, De ...) NOT-FOR-US: NEOJAPAN CVE-2018-0685 (SQL injection vulnerability in the Denbun POP version V3.3P R4.0 and e ...) NOT-FOR-US: NEOJAPAN CVE-2018-0684 (Buffer overflow in Denbun by NEOJAPAN Inc. (Denbun POP version V3.3P R ...) NOT-FOR-US: NEOJAPAN CVE-2018-0683 (Buffer overflow in Denbun by NEOJAPAN Inc. (Denbun POP version V3.3P R ...) NOT-FOR-US: NEOJAPAN CVE-2018-0682 (Denbun by NEOJAPAN Inc. (Denbun POP version V3.3P R4.0 and earlier, De ...) NOT-FOR-US: NEOJAPAN CVE-2018-0681 (Denbun by NEOJAPAN Inc. (Denbun POP version V3.3P R4.0 and earlier, De ...) NOT-FOR-US: NEOJAPAN CVE-2018-0680 (Denbun by NEOJAPAN Inc. (Denbun POP version V3.3P R4.0 and earlier, De ...) NOT-FOR-US: NEOJAPAN CVE-2018-0679 (Cross-site scripting vulnerability in multiple FXC Inc. network device ...) NOT-FOR-US: FXC CVE-2018-0678 (Buffer overflow in BN-SDWBP3 firmware version 1.0.9 and earlier allows ...) NOT-FOR-US: BN-SDWBP3 CVE-2018-0677 (BN-SDWBP3 firmware version 1.0.9 and earlier allows attacker with admi ...) NOT-FOR-US: BN-SDWBP3 CVE-2018-0676 (BN-SDWBP3 firmware version 1.0.9 and earlier allows an attacker on the ...) NOT-FOR-US: BN-SDWBP3 CVE-2018-0675 (AttacheCase ver.3.3.0.0 and earlier allows an arbitrary script executi ...) NOT-FOR-US: AttacheCase CVE-2018-0674 (AttacheCase ver.2.8.4.0 and earlier allows an arbitrary script executi ...) NOT-FOR-US: AttacheCase CVE-2018-0673 (Directory traversal vulnerability in Cybozu Garoon 3.5.0 to 4.6.3 allo ...) NOT-FOR-US: Cybozu Garoon CVE-2018-0672 (Cross-site scripting vulnerability in Movable Type versions prior to V ...) - movabletype-opensource CVE-2018-0671 (Privilege escalation vulnerability in INplc-RT 3.08 and earlier allows ...) NOT-FOR-US: INplc-RT CVE-2018-0670 (INplc-RT 3.08 and earlier allows remote attackers to bypass authentica ...) NOT-FOR-US: INplc-RT CVE-2018-0669 (INplc-RT 3.08 and earlier allows remote attackers to bypass authentica ...) NOT-FOR-US: INplc-RT CVE-2018-0668 (Buffer overflow in INplc-RT 3.08 and earlier allows remote attackers t ...) NOT-FOR-US: INplc-RT CVE-2018-0667 (Untrusted search path vulnerability in Installer of INplc SDK Express ...) NOT-FOR-US: INplc CVE-2018-0666 (Yamaha routers RT57i Rev.8.00.95 and earlier, RT58i Rev.9.01.51 and ea ...) NOT-FOR-US: Yamaha CVE-2018-0665 (Yamaha routers RT57i Rev.8.00.95 and earlier, RT58i Rev.9.01.51 and ea ...) NOT-FOR-US: Yamaha CVE-2018-0664 (A vulnerability in NoMachine App for Android 5.0.63 and earlier allows ...) NOT-FOR-US: NoMachine App for Android CVE-2018-0663 (Multiple I-O DATA network camera products (TS-WRLP firmware Ver.1.09.0 ...) NOT-FOR-US: I-O DATA network camera products CVE-2018-0662 (Multiple I-O DATA network camera products (TS-WRLP firmware Ver.1.09.0 ...) NOT-FOR-US: I-O DATA network camera products CVE-2018-0661 (Multiple I-O DATA network camera products (TS-WRLP firmware Ver.1.09.0 ...) NOT-FOR-US: I-O DATA network camera products CVE-2018-0660 (Directory traversal vulnerability in ver.2.8.4.0 and earlier and ver.3 ...) NOT-FOR-US: AttacheCase CVE-2018-0659 (Directory traversal vulnerability in ver.2.8.4.0 and earlier and ver.3 ...) NOT-FOR-US: AttacheCase CVE-2018-0658 (Input validation issue in EC-CUBE Payment Module (2.12) version 3.5.23 ...) NOT-FOR-US: EC-CUBE CVE-2018-0657 (Cross-site scripting vulnerability in EC-CUBE Payment Module and GMO-P ...) NOT-FOR-US: EC-CUBE CVE-2018-0656 (Untrusted search path vulnerability in The installer of Digital Paper ...) NOT-FOR-US: Digital Paper App CVE-2018-0655 (Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allow ...) NOT-FOR-US: GROWI CVE-2018-0654 (Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allow ...) NOT-FOR-US: GROWI CVE-2018-0653 (Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allow ...) NOT-FOR-US: GROWI CVE-2018-0652 (Cross-site scripting vulnerability in GROWI v.3.1.11 and earlier allow ...) NOT-FOR-US: GROWI CVE-2018-0651 (Buffer overflow in the license management function of YOKOGAWA product ...) NOT-FOR-US: YOKOGAWA CVE-2018-0650 (The LINE MUSIC for Android version 3.1.0 to versions prior to 3.6.5 do ...) NOT-FOR-US: LINE MUSIC for Android CVE-2018-0649 (Untrusted search path vulnerability in the installers of multiple Cano ...) NOT-FOR-US: CANON CVE-2018-0648 (Untrusted search path vulnerability in installer of ChatWork Desktop A ...) NOT-FOR-US: installer of ChatWork Desktop App for Windows CVE-2018-0647 (Cross-site request forgery (CSRF) vulnerability in WL-330NUL Firmware ...) NOT-FOR-US: WL-330NUL Firmware CVE-2018-0646 (Directory traversal vulnerability in Explzh v.7.58 and earlier allows ...) NOT-FOR-US: Explzh CVE-2018-0645 (MTAppjQuery 1.8.1 and earlier allows remote PHP code execution via uns ...) NOT-FOR-US: MTAppjQuery CVE-2018-0644 (Buffer overflow in Ubuntu14.04 ORCA (Online Receipt Computer Advantage ...) NOT-FOR-US: ORCA (Online Receipt Computer Advantage) CVE-2018-0643 (Ubuntu14.04 ORCA (Online Receipt Computer Advantage) 4.8.0 (panda-serv ...) NOT-FOR-US: ORCA (Online Receipt Computer Advantage) CVE-2018-0642 (Cross-site scripting vulnerability in FV Flowplayer Video Player 6.1.2 ...) NOT-FOR-US: FV Flowplayer Video Player CVE-2018-0641 (Buffer overflow in Aterm HC100RC Ver1.0.1 and earlier allows attacker ...) NOT-FOR-US: Aterm CVE-2018-0640 (Buffer overflow in Aterm HC100RC Ver1.0.1 and earlier allows attacker ...) NOT-FOR-US: Aterm CVE-2018-0639 (Aterm HC100RC Ver1.0.1 and earlier allows attacker with administrator ...) NOT-FOR-US: Aterm CVE-2018-0638 (Aterm HC100RC Ver1.0.1 and earlier allows attacker with administrator ...) NOT-FOR-US: Aterm CVE-2018-0637 (Aterm HC100RC Ver1.0.1 and earlier allows attacker with administrator ...) NOT-FOR-US: Aterm CVE-2018-0636 (Aterm HC100RC Ver1.0.1 and earlier allows attacker with administrator ...) NOT-FOR-US: Aterm CVE-2018-0635 (Aterm HC100RC Ver1.0.1 and earlier allows attacker with administrator ...) NOT-FOR-US: Aterm CVE-2018-0634 (Aterm HC100RC Ver1.0.1 and earlier allows attacker with administrator ...) NOT-FOR-US: Aterm CVE-2018-0633 (Buffer overflow in Aterm W300P Ver1.0.13 and earlier allows attacker w ...) NOT-FOR-US: Aterm CVE-2018-0632 (Buffer overflow in Aterm W300P Ver1.0.13 and earlier allows attacker w ...) NOT-FOR-US: Aterm CVE-2018-0631 (Aterm W300P Ver1.0.13 and earlier allows attacker with administrator r ...) NOT-FOR-US: Aterm CVE-2018-0630 (Aterm W300P Ver1.0.13 and earlier allows attacker with administrator r ...) NOT-FOR-US: Aterm CVE-2018-0629 (Aterm W300P Ver1.0.13 and earlier allows attacker with administrator r ...) NOT-FOR-US: Aterm CVE-2018-0628 (Aterm WG1200HP firmware Ver1.0.31 and earlier allows attacker with adm ...) NOT-FOR-US: Aterm CVE-2018-0627 (Aterm WG1200HP firmware Ver1.0.31 and earlier allows attacker with adm ...) NOT-FOR-US: Aterm CVE-2018-0626 (Aterm WG1200HP firmware Ver1.0.31 and earlier allows attacker with adm ...) NOT-FOR-US: Aterm CVE-2018-0625 (Aterm WG1200HP firmware Ver1.0.31 and earlier allows attacker with adm ...) NOT-FOR-US: Aterm CVE-2018-0624 (Untrusted search path vulnerability in Multiple Yayoi 17 Series produc ...) NOT-FOR-US: Yayoi CVE-2018-0623 (Untrusted search path vulnerability in Multiple Yayoi 17 Series produc ...) NOT-FOR-US: Yayoi CVE-2018-0622 (The DHC Online Shop App for Android version 3.2.0 and earlier does not ...) NOT-FOR-US: DHC Online Shop App for Android CVE-2018-0621 (Untrusted search path vulnerability in LOGICOOL CONNECTION UTILITY SOF ...) NOT-FOR-US: LOGICOOL CVE-2018-0620 (Untrusted search path vulnerability in LOGICOOL Game Software versions ...) NOT-FOR-US: LOGICOOL CVE-2018-0619 (Untrusted search path vulnerability in the installer of Glarysoft Glar ...) NOT-FOR-US: Glarysoft CVE-2018-0618 (Cross-site scripting vulnerability in Mailman 2.1.26 and earlier allow ...) {DSA-4246-1 DLA-1442-1} - mailman 1:2.1.27-1 NOTE: https://mail.python.org/pipermail/mailman-announce/2018-June/000236.html NOTE: https://launchpad.net/mailman/+milestone/2.1.27 NOTE: https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1747 NOTE: https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1754 NOTE: https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1783 NOTE: https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1785 CVE-2018-0617 (Directory traversal vulnerability in ChamaNet MemoCGI v2.1800 to v2.22 ...) NOT-FOR-US: ChamaNet MemoCGI CVE-2018-0616 RESERVED CVE-2018-0615 RESERVED CVE-2018-0614 (Cross-site scripting vulnerability in NEC Platforms Calsos CSDX and CS ...) NOT-FOR-US: NEC CVE-2018-0613 (NEC Platforms Calsos CSDX and CSDJ series products (CSDX 1.37210411 an ...) NOT-FOR-US: NEC CVE-2018-0612 (Cross-site scripting vulnerability in 5000 trillion yen converter v1.0 ...) NOT-FOR-US: 5000 trillion yen converter CVE-2018-0611 (The ANA App for iOS version 4.0.22 and earlier does not verify X.509 c ...) NOT-FOR-US: ANA App CVE-2018-0610 (Local file inclusion vulnerability in Zenphoto 1.4.14 and earlier allo ...) NOT-FOR-US: Zenphoto CVE-2018-0609 (Untrusted search path vulnerability in LINE for Windows versions befor ...) NOT-FOR-US: LINE CVE-2018-0608 (Buffer overflow in H2O version 2.2.4 and earlier allows remote attacke ...) - h2o 2.2.5+dfsg1-1 NOTE: https://github.com/h2o/h2o/issues/1775 CVE-2018-0607 (SQL injection vulnerability in the Notifications application in the Cy ...) NOT-FOR-US: Cybozu Garoon CVE-2018-0606 (SQL injection vulnerability in the Pixelpost v1.7.3 and earlier allows ...) NOT-FOR-US: Pixelpost CVE-2018-0605 (Cross-site scripting vulnerability in Pixelpost v1.7.3 and earlier all ...) NOT-FOR-US: Pixelpost CVE-2018-0604 (Pixelpost v1.7.3 and earlier allows remote code execution via unspecif ...) NOT-FOR-US: Pixelpost CVE-2018-0603 (Cross-site scripting vulnerability in Site Reviews versions prior to 2 ...) NOT-FOR-US: Site Reviews CVE-2018-0602 (Cross-site scripting vulnerability in Email Subscribers & Newslett ...) NOT-FOR-US: Email Subscribers & Newsletters CVE-2018-0601 (Untrusted search path vulnerability in axpdfium v0.01 allows an attack ...) NOT-FOR-US: axpdfium CVE-2018-0600 (Untrusted search path vulnerability in the installer of PlayMemories H ...) NOT-FOR-US: PlayMemories CVE-2018-0599 (Untrusted search path vulnerability in the installer of Visual C++ Red ...) NOT-FOR-US: Visual C++ CVE-2018-0598 (Untrusted search path vulnerability in Self-extracting archive files c ...) NOT-FOR-US: IExpress CVE-2018-0597 (Untrusted search path vulnerability in the installer of Visual Studio ...) NOT-FOR-US: Visual Studio CVE-2018-0596 (Untrusted search path vulnerability in the installer of Visual Studio ...) NOT-FOR-US: Visual Studio CVE-2018-0595 (Untrusted search path vulnerability in the installer of Skype for Wind ...) NOT-FOR-US: Skype CVE-2018-0594 (Untrusted search path vulnerability in Skype for Windows allows an att ...) NOT-FOR-US: Skype CVE-2018-0593 (Untrusted search path vulnerability in the installer of Microsoft OneD ...) NOT-FOR-US: OneDrive CVE-2018-0592 (Untrusted search path vulnerability in Microsoft OneDrive allows an at ...) NOT-FOR-US: OneDrive CVE-2018-0591 (The KINEPASS App for Android Ver 3.1.1 and earlier, and for iOS Ver 3. ...) NOT-FOR-US: KINEPASS CVE-2018-0590 (Ultimate Member plugin prior to version 2.0.4 for WordPress allows rem ...) NOT-FOR-US: WordPress plugin ultimate-member CVE-2018-0589 (Ultimate Member plugin prior to version 2.0.4 for WordPress allows rem ...) NOT-FOR-US: WordPress plugin ultimate-member CVE-2018-0588 (Directory traversal vulnerability in the AJAX function of Ultimate Mem ...) NOT-FOR-US: WordPress plugin ultimate-member CVE-2018-0587 (Unrestricted file upload vulnerability in Ultimate Member plugin prior ...) NOT-FOR-US: WordPress plugin ultimate-member CVE-2018-0586 (Directory traversal vulnerability in the shortcodes function of Ultima ...) NOT-FOR-US: WordPress plugin ultimate-member CVE-2018-0585 (Cross-site scripting vulnerability in Ultimate Member plugin prior to ...) NOT-FOR-US: WordPress plugin ultimate-member CVE-2018-0584 (IIJ SmartKey App for Android version 2.1.0 and earlier allows remote a ...) NOT-FOR-US: IIJ SmartKey CVE-2018-0583 (Cross-site scripting vulnerability in ASUS RT-AC1200HP Firmware versio ...) NOT-FOR-US: ASUS CVE-2018-0582 (Cross-site scripting vulnerability in ASUS RT-AC68U Firmware version p ...) NOT-FOR-US: ASUS CVE-2018-0581 (Cross-site scripting vulnerability in ASUS RT-AC87U Firmware version p ...) NOT-FOR-US: ASUS CVE-2018-0580 (Untrusted search path vulnerability in CELSYS, Inc CLIP STUDIO series ...) NOT-FOR-US: CELSYS CVE-2018-0579 (Cross-site scripting vulnerability in Open Graph for Facebook, Google+ ...) NOT-FOR-US: WordPress plugin wonderm00ns-simple-facebook-open-graph-tags CVE-2018-0578 (Cross-site scripting vulnerability in PixelYourSite plugin prior to ve ...) NOT-FOR-US: WordPress plugin pixelyoursite CVE-2018-0577 (Cross-site scripting vulnerability in WP Google Map Plugin prior to ve ...) NOT-FOR-US: WordPress plugin wp-google-map-plugin CVE-2018-0576 (Cross-site scripting vulnerability in Events Manager plugin prior to v ...) NOT-FOR-US: WordPress plugin events-manager CVE-2018-0575 (baserCMS (baserCMS 4.1.0.1 and earlier versions, baserCMS 3.0.15 and e ...) NOT-FOR-US: baserCMS CVE-2018-0574 (Cross-site scripting vulnerability in baserCMS (baserCMS 4.1.0.1 and e ...) NOT-FOR-US: baserCMS CVE-2018-0573 (baserCMS (baserCMS 4.1.0.1 and earlier versions, baserCMS 3.0.15 and e ...) NOT-FOR-US: baserCMS CVE-2018-0572 (baserCMS (baserCMS 4.1.0.1 and earlier versions, baserCMS 3.0.15 and e ...) NOT-FOR-US: baserCMS CVE-2018-0571 (baserCMS (baserCMS 4.1.0.1 and earlier versions, baserCMS 3.0.15 and e ...) NOT-FOR-US: baserCMS CVE-2018-0570 (Cross-site scripting vulnerability in baserCMS (baserCMS 4.1.0.1 and e ...) NOT-FOR-US: baserCMS CVE-2018-0569 (baserCMS (baserCMS 4.1.0.1 and earlier versions, baserCMS 3.0.15 and e ...) NOT-FOR-US: baserCMS CVE-2018-0568 (Unrestricted file upload vulnerability in SiteBridge Inc. Joruri Gw Ve ...) NOT-FOR-US: Joruri Gw CVE-2018-0567 (Cybozu Office 10.0.0 to 10.8.0 allows authenticated attackers to bypas ...) NOT-FOR-US: Cybozu Office CVE-2018-0566 (Cybozu Office 10.0.0 to 10.8.0 allows authenticated attackers to bypas ...) NOT-FOR-US: Cybozu Office CVE-2018-0565 (Cross-site scripting vulnerability in Cybozu Office 10.0.0 to 10.8.0 a ...) NOT-FOR-US: Cybozu Office CVE-2018-0564 (Session fixation vulnerability in EC-CUBE (EC-CUBE 3.0.0, EC-CUBE 3.0. ...) NOT-FOR-US: EC-CUBE CVE-2018-0563 (Untrusted search path vulnerability in the installer of FLET'S VIRUS C ...) NOT-FOR-US: FLET CVE-2018-0562 (Untrusted search path vulnerability in Installer of SoundEngine Free v ...) NOT-FOR-US: Installer of SoundEngine Free CVE-2018-0561 (Untrusted search path vulnerability in The installer of PhishWall Clie ...) NOT-FOR-US: Installer of PhishWall Client Internet Explorer CVE-2018-0560 (Hatena Bookmark App for iOS Version 3.0 to 3.70 allows remote attacker ...) NOT-FOR-US: Hatena Bookmark App for iOS CVE-2018-0559 (Cross-site scripting vulnerability in Cybozu Mailwise 5.0.0 to 5.4.1 a ...) NOT-FOR-US: Cybozu Mailwise CVE-2018-0558 (Reflected cross-site scripting vulnerability in Cybozu Mailwise 5.0.0 ...) NOT-FOR-US: Cybozu Mailwise CVE-2018-0557 (Stored cross-site scripting vulnerability in Cybozu Mailwise 5.0.0 to ...) NOT-FOR-US: Cybozu Mailwise CVE-2018-0556 (Buffalo WZR-1750DHP2 Ver.2.30 and earlier allows an attacker to execut ...) NOT-FOR-US: Buffalo WZR-1750DHP2 CVE-2018-0555 (Buffer overflow in Buffalo WZR-1750DHP2 Ver.2.30 and earlier allows an ...) NOT-FOR-US: Buffalo WZR-1750DHP2 CVE-2018-0554 (Buffalo WZR-1750DHP2 Ver.2.30 and earlier allows an attacker to bypass ...) NOT-FOR-US: Buffalo WZR-1750DHP2 CVE-2018-0553 (The iRemoconWiFi App for Android version 4.1.7 and earlier does not ve ...) NOT-FOR-US: iRemoconWiFi App for Android CVE-2018-0552 (Untrusted search path vulnerability in The installer of PhishWall Clie ...) NOT-FOR-US: installer of PhishWall Client (Firefox and Chrome edition for Windows) CVE-2018-0551 (Cross-site scripting vulnerability in Cybozu Garoon 3.0.0 to 4.6.1 all ...) NOT-FOR-US: Cybozu Garoon CVE-2018-0550 (Cybozu Garoon 3.5.0 to 4.6.1 allows remote authenticated attackers to ...) NOT-FOR-US: Cybozu Garoon CVE-2018-0549 (Cross-site scripting vulnerability in Cybozu Garoon 3.0.0 to 4.6.0 all ...) NOT-FOR-US: Cybozu Garoon CVE-2018-0548 (Cybozu Garoon 4.0.0 to 4.6.0 allows remote authenticated attackers to ...) NOT-FOR-US: Cybozu Garoon CVE-2018-0547 (Cross-site scripting vulnerability in WP All Import plugin prior to ve ...) NOT-FOR-US: WP All Import plugin for WordPress CVE-2018-0546 (Cross-site scripting vulnerability in WP All Import plugin prior to ve ...) NOT-FOR-US: WP All Import plugin for WordPress CVE-2018-0545 (LXR version 1.0.0 to 2.3.0 allows remote attackers to execute arbitrar ...) NOT-FOR-US: LXR CVE-2018-0544 (Untrusted search path vulnerability in WinShot 1.53a and earlier (Inst ...) NOT-FOR-US: WinShot CVE-2018-0543 (Untrusted search path vulnerability in Jtrim 1.53c and earlier (Instal ...) NOT-FOR-US: Jtrim installer CVE-2018-0542 (Directory traversal vulnerability in WebProxy version 1.7.8 allows an ...) NOT-FOR-US: WebProxy (some software released by LunarLight) CVE-2018-0541 (Buffer overflow in Tiny FTP Daemon Ver0.52d allows an attacker to caus ...) NOT-FOR-US: Tiny FTP Daemon CVE-2018-0540 (Untrusted search path vulnerability in ViX version 2.21.148.0 allows a ...) NOT-FOR-US: ViX CVE-2018-0539 (QQQ SYSTEMS version 2.24 allows an attacker to execute arbitrary comma ...) NOT-FOR-US: QQQ SYSTEMS CVE-2018-0538 (Cross-site scripting vulnerability in QQQ SYSTEMS ver2.24 allows an at ...) NOT-FOR-US: QQQ SYSTEMS CVE-2018-0537 (Cross-site scripting vulnerability in QQQ SYSTEMS ver2.24 allows an at ...) NOT-FOR-US: QQQ SYSTEMS CVE-2018-0536 (Cross-site scripting vulnerability in QQQ SYSTEMS ver2.24 allows an at ...) NOT-FOR-US: QQQ SYSTEMS CVE-2018-0535 (Cross-site scripting vulnerability in PHP 2chBBS version bbs18c allows ...) NOT-FOR-US: PHP 2chBBS CVE-2018-0534 (Cross-site scripting vulnerability in ArsenoL Version 0.5 allows an at ...) NOT-FOR-US: ArsenoL CVE-2018-0533 (Cybozu Garoon 3.0.0 to 4.2.6 allows remote authenticated attackers to ...) NOT-FOR-US: Cybozu Garoon CVE-2018-0532 (Cybozu Garoon 3.0.0 to 4.2.6 allows remote authenticated attackers to ...) NOT-FOR-US: Cybozu Garoon CVE-2018-0531 (Cybozu Garoon 3.0.0 to 4.2.6 allows remote authenticated attackers to ...) NOT-FOR-US: Cybozu Garoon CVE-2018-0530 (SQL injection vulnerability in the Cybozu Garoon 3.5.0 to 4.2.6 allows ...) NOT-FOR-US: Cybozu Garoon CVE-2018-0529 (Cybozu Office 10.0.0 to 10.7.0 allows remote attackers to cause a deni ...) NOT-FOR-US: Cybozu Office CVE-2018-0528 (Cybozu Office 10.0.0 to 10.7.0 allows authenticated attackers to bypas ...) NOT-FOR-US: Cybozu Office CVE-2018-0527 (Cross-site scripting vulnerability in Cybozu Office 10.0.0 to 10.7.0 a ...) NOT-FOR-US: Cybozu Office CVE-2018-0526 (Cybozu Office 10.0.0 to 10.7.0 allow remote attackers to display an im ...) NOT-FOR-US: Cybozu Office CVE-2018-0525 (Directory traversal vulnerability in Jubatus 1.0.2 and earlier allows ...) - jubatus (bug #704100) CVE-2018-0524 (Jubatus 1.0.2 and earlier allows remote code execution via unspecified ...) - jubatus (bug #704100) CVE-2018-0523 (Buffalo WXR-1900DHP2 firmware Ver.2.48 and earlier allows an attacker ...) NOT-FOR-US: Buffalo CVE-2018-0522 (Buffer overflow in Buffalo WXR-1900DHP2 firmware Ver.2.48 and earlier ...) NOT-FOR-US: Buffalo CVE-2018-0521 (Buffalo WXR-1900DHP2 firmware Ver.2.48 and earlier allows an attacker ...) NOT-FOR-US: Buffalo CVE-2018-0520 (Cross-site request forgery (CSRF) vulnerability in FS010W firmware FS0 ...) NOT-FOR-US: FS010W firmware CVE-2018-0519 (Cross-site scripting vulnerability in FS010W firmware FS010W_00_V1.3.0 ...) NOT-FOR-US: FS010W firmware CVE-2018-0518 (LINE for iOS version 7.1.3 to 7.1.5 does not verify X.509 certificates ...) NOT-FOR-US: LINE for iOS CVE-2018-0517 (Untrusted search path vulnerability in Anshin net security for Windows ...) NOT-FOR-US: Anshin net security for Windows CVE-2018-0516 (Untrusted search path vulnerability in FLET'S v4 / v6 address selectio ...) NOT-FOR-US: FLET'S v4 / v6 address selection tool CVE-2018-0515 (Untrusted search path vulnerability in "FLET'S Azukeru Backup Tool" ve ...) NOT-FOR-US: FLET'S Azukeru Backup Tool CVE-2018-0514 (MP Form Mail CGI eCommerce Edition Ver 2.0.13 and earlier allows remot ...) NOT-FOR-US: MP Form Mail CGI eCommerce Edition CVE-2018-0513 (Cross-site scripting vulnerability in MTS Simple Booking C, MTS Simple ...) NOT-FOR-US: MTS Simple Booking CVE-2018-0512 (Devices with IP address setting tool "MagicalFinder" provided by I-O D ...) NOT-FOR-US: IP address setting tool "MagicalFinder" provided by I-O DATA DEVICE, INC. CVE-2018-0511 (Cross-site scripting vulnerability in WP Retina 2x prior to version 5. ...) NOT-FOR-US: WP Retina CVE-2018-0510 (Buffer overflow in epg search result viewer (kkcald) 0.7.19 and earlie ...) NOT-FOR-US: kkcal CVE-2018-0509 (Cross-site request forgery (CSRF) vulnerability in epg search result v ...) NOT-FOR-US: kkcal CVE-2018-0508 (Cross-site scripting vulnerability in epg search result viewer (kkcald ...) NOT-FOR-US: kkcal CVE-2018-0507 (Untrusted search path vulnerability in FLET'S VIRUS CLEAR Easy Setup & ...) NOT-FOR-US: FLET'S VIRUS CLEAR CVE-2018-0506 (Nootka 1.4.4 and earlier allows remote attackers to execute arbitrary ...) NOT-FOR-US: Nootka CVE-2018-0505 (Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a fla ...) {DSA-4301-1} - mediawiki 1:1.31.1-1 NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2018-September/090849.html NOTE: https://phabricator.wikimedia.org/T194605 CVE-2018-0504 (Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains an in ...) {DSA-4301-1} - mediawiki 1:1.31.1-1 NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2018-September/090849.html NOTE: https://phabricator.wikimedia.org/T187638 CVE-2018-0503 (Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a fla ...) {DSA-4301-1} - mediawiki 1:1.31.1-1 NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2018-September/090849.html NOTE: https://phabricator.wikimedia.org/T169545 CVE-2018-0502 (An issue was discovered in zsh before 5.6. The beginning of a #! scrip ...) - zsh 5.6-1 (bug #908000) [stretch] - zsh (Minor issue) [jessie] - zsh (Minor issue) NOTE: https://www.zsh.org/mla/zsh-announce/136 NOTE: https://sourceforge.net/p/zsh/code/ci/1c4c7b6a4d17294df028322b70c53803a402233d CVE-2018-0501 (The mirror:// method implementation in Advanced Package Tool (APT) 1.6 ...) - apt 1.6.4 [stretch] - apt (Vulnerable code introduced in 1.6~alpha6) [jessie] - apt (Vulnerable code introduced in 1.6~alpha6) NOTE: https://mirror.fail/ CVE-2018-0500 (Curl_smtp_escape_eob in lib/smtp.c in curl 7.54.1 to and including cur ...) - curl 7.61.0-1 (bug #903546) [stretch] - curl (Only affects 7.54.1 to 7.60.0) [jessie] - curl (Only affects 7.54.1 to 7.60.0) NOTE: https://curl.haxx.se/docs/adv_2018-70a2.html CVE-2018-0499 (A cross-site scripting vulnerability in queryparser/termgenerator_inte ...) - xapian-core 1.4.6-1 (bug #902886) [stretch] - xapian-core 1.4.3-2+deb9u1 [jessie] - xapian-core (vulnerable code not present) NOTE: https://lists.xapian.org/pipermail/xapian-discuss/2018-July/009652.html CVE-2018-0498 (ARM mbed TLS before 2.12.0, before 2.7.5, and before 2.1.14 allows loc ...) {DSA-4296-1 DLA-1518-1} - mbedtls 2.12.0-1 (bug #904821) - polarssl NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-02 CVE-2018-0497 (ARM mbed TLS before 2.12.0, before 2.7.5, and before 2.1.14 allows rem ...) {DSA-4296-1 DLA-1518-1} - mbedtls 2.12.0-1 (bug #904821) - polarssl NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-02 CVE-2018-0496 (Directory traversal issues in the D-Mod extractor in DFArc and DFArc2 ...) {DLA-1686-1} - freedink-dfarc 3.14-1 [stretch] - freedink-dfarc 3.12-1+deb9u1 NOTE: https://savannah.gnu.org/forum/forum.php?forum_id=9169 NOTE: https://git.savannah.gnu.org/cgit/freedink/dfarc.git/commit/?id=40cc957f52e772f45125126439ba9333cf2d2998 CVE-2018-0495 (Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache s ...) {DSA-4231-1 DLA-1405-1} - libgcrypt20 1.8.3-1 NOTE: https://dev.gnupg.org/T4011 NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965 CVE-2018-0494 (GNU Wget before 1.19.5 is prone to a cookie injection vulnerability in ...) {DSA-4195-1 DLA-1375-1} - wget 1.19.5-1 (bug #898076) NOTE: https://lists.gnu.org/archive/html/bug-wget/2018-05/msg00020.html NOTE: https://savannah.gnu.org/bugs/?53763 NOTE: https://git.savannah.gnu.org/cgit/wget.git/commit/?id=1fc9c95ec144499e69dc8ec76dbe07799d7d82cd NOTE: https://sintonen.fi/advisories/gnu-wget-cookie-injection.txt CVE-2018-0493 (remctld in remctl before 3.14, when an attacker is authorized to execu ...) {DSA-4159-1} - remctl 3.14-1 [jessie] - remctl (Affected code introduced in 3.12) [wheezy] - remctl (Affected code introduced in 3.12) NOTE: https://www.eyrie.org/~eagle/software/remctl/security/2018-04-01.html NOTE: https://git.eyrie.org/?p=kerberos/remctl.git;a=commitdiff;h=e2b34e086f199b39f8ea36dd621684003835d172 CVE-2018-0492 (Johnathan Nightingale beep through 1.3.4, if setuid, has a race condit ...) {DSA-4163-1 DLA-1338-1} - beep 1.3-5 (bug #894667) NOTE: https://github.com/johnath/beep/issues/11 CVE-2018-0491 (A use-after-free issue was discovered in Tor 0.3.2.x before 0.3.2.10. ...) - tor 0.3.2.10-1 [stretch] - tor (Only affects tor 0.3.2.x series and later) [jessie] - tor (Only affects tor 0.3.2.x series and later) [wheezy] - tor (Only affects tor 0.3.2.x series and later) NOTE: https://trac.torproject.org/projects/tor/ticket/25117 NOTE: https://trac.torproject.org/projects/tor/ticket/24700 NOTE: https://blog.torproject.org/new-stable-tor-releases-security-fixes-and-dos-prevention-03210-03110-02915 NOTE: https://gitweb.torproject.org/tor.git/commit/?id=adaf3e9b89f62d68ab631b8f672d9bff996689b9 CVE-2018-0490 (An issue was discovered in Tor before 0.2.9.15, 0.3.1.x before 0.3.1.1 ...) {DSA-4183-1} - tor 0.3.2.10-1 [jessie] - tor (Vulnerable code introduced after tor-0.2.9.4-alpha) [wheezy] - tor (Vulnerable code introduced after tor-0.2.9.4-alpha) NOTE: https://trac.torproject.org/projects/tor/ticket/25074 NOTE: https://blog.torproject.org/new-stable-tor-releases-security-fixes-and-dos-prevention-03210-03110-02915 NOTE: https://gitweb.torproject.org/tor.git/commit/?id=65f2eec694f18a64291cc85317b9f22dacc1d8e4 CVE-2018-0489 (Shibboleth XMLTooling-C before 1.6.4, as used in Shibboleth Service Pr ...) {DSA-4126-1 DLA-1296-1} - xmltooling 1.6.4-1 NOTE: https://shibboleth.net/community/advisories/secadv_20180227.txt NOTE: https://issues.shibboleth.net/jira/browse/CPPXT-128 NOTE: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations NOTE: https://www.kb.cert.org/vuls/id/475445 CVE-2018-0488 (ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0, when the ...) {DSA-4147-1 DSA-4138-1} - mbedtls 2.7.0-2 (bug #890287) - polarssl [wheezy] - polarssl (according to the upstream advisory < 1.2.19 not affected) NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01 NOTE: https://github.com/ARMmbed/mbedtls/commit/992b6872f3ca717282ae367749a47f006d337a87 NOTE: https://github.com/ARMmbed/mbedtls/commit/464147cadc694379b7717afb7b517fe05cdb323f CVE-2018-0487 (ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0 allows rem ...) {DSA-4147-1 DSA-4138-1} - mbedtls 2.7.0-2 (bug #890288) - polarssl [wheezy] - polarssl (according to the upstream advisory < 1.3.7 not affected) NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01 NOTE: https://github.com/ARMmbed/mbedtls/commit/28a0c727957990ac655cbe40c7eb20b7ef01167d CVE-2018-0486 (Shibboleth XMLTooling-C before 1.6.3, as used in Shibboleth Service Pr ...) {DSA-4085-1 DLA-1242-1} - xmltooling 1.6.3-1 [stretch] - xmltooling 1.6.0-4+deb9u1 NOTE: https://shibboleth.net/community/advisories/secadv_20180112.txt NOTE: Fixed upstream in 1.6.3 to workaround bug independent of if parser already NOTE: disallow DTD use. NOTE: https://issues.shibboleth.net/jira/browse/CPPXT-127 NOTE: https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commit;h=a02314e96d6746d29c5697b504d37f2e04a6e6cd CVE-2017-17026 RESERVED CVE-2017-17025 RESERVED CVE-2017-17024 RESERVED CVE-2017-17023 (The Sophos UTM VPN endpoint interacts with client software provided by ...) NOT-FOR-US: Sophos IPSec Client and NCP "Secure Entry Client" CVE-2017-17022 RESERVED CVE-2017-17021 RESERVED CVE-2017-17020 (On D-Link DCS-5009 devices with firmware 1.08.11 and earlier, DCS-5010 ...) NOT-FOR-US: D-Link CVE-2017-17019 RESERVED CVE-2017-17018 RESERVED CVE-2017-17017 RESERVED CVE-2017-17016 RESERVED CVE-2017-17015 RESERVED CVE-2017-17014 RESERVED CVE-2017-17013 RESERVED CVE-2017-17012 RESERVED CVE-2017-17011 RESERVED CVE-2017-17010 (Untrusted search path vulnerability in Content Manager Assistant for P ...) NOT-FOR-US: Content Manager Assistant for PlayStation CVE-2017-17009 REJECTED CVE-2017-17008 REJECTED CVE-2017-17007 REJECTED CVE-2017-17006 REJECTED CVE-2017-17005 REJECTED CVE-2017-17004 REJECTED CVE-2017-17003 REJECTED CVE-2017-17002 REJECTED CVE-2017-17001 REJECTED CVE-2017-17000 REJECTED CVE-2017-16999 REJECTED CVE-2017-16998 REJECTED CVE-2017-16997 (elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2 ...) - glibc 2.25-6 (bug #884615) [stretch] - glibc 2.24-11+deb9u4 [jessie] - glibc (Minor issue) - eglibc [wheezy] - eglibc (Minor issue) NOTE: Upstream bug: https://sourceware.org/bugzilla/show_bug.cgi?id=22625 NOTE: Proposed patch: https://sourceware.org/ml/libc-alpha/2017-12/msg00528.html CVE-2017-16996 (kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local ...) - linux 4.14.7-1 [stretch] - linux (Vulnerable code introduced later) [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/0c17d1d2c61936401f4702e1846e2c19b200f958 CVE-2017-16995 (The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel ...) {DSA-4073-1} - linux 4.14.7-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/95a762e2c8c942780948091f8f2a4f32fce1ac6f CVE-2016-10702 (Pebble Smartwatch devices through 4.3 mishandle UUID storage, which al ...) NOT-FOR-US: Pebble CVE-2016-10701 (In Hitachi Vantara Pentaho BA Platform through 8.0, a CSRF issue exist ...) NOT-FOR-US: Hitachi Vantara Pentaho BA Platform CVE-2017-1001004 (typed-function before 0.10.6 had an arbitrary code execution in the Ja ...) NOT-FOR-US: typed-function CVE-2017-1001003 (math.js before 3.17.0 had an issue where private properties such as a ...) NOT-FOR-US: math.js CVE-2017-1001002 (math.js before 3.17.0 had an arbitrary code execution in the JavaScrip ...) NOT-FOR-US: math.js CVE-2017-1000214 (GitPHP by xiphux is vulnerable to OS Command Injections ...) NOT-FOR-US: GitPHP CVE-2017-1000207 (A vulnerability in Swagger-Parser's version <= 1.0.30 and Swagger c ...) NOT-FOR-US: Swagger-Parser CVE-2017-1000159 (Command injection in evince via filename when printing to PDF. This af ...) {DSA-4624-1 DLA-1882-1 DLA-1881-1 DLA-1204-1} - atril 1.20.0-1 (low) [stretch] - atril (Minor issue) - evince 3.25.92-1 (low) [stretch] - evince (Minor issue) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=784947 NOTE: Introduced by: https://git.gnome.org/browse/evince/commit/?id=1fcca0b8041de0d6074d7e17fba174da36c65f99 (EVINCE_0_9_1) NOTE: Fixed by: https://git.gnome.org/browse/evince/commit/?id=350404c76dc8601e2cdd2636490e2afc83d3090e (3.25.91) CVE-2018-0485 (A vulnerability in the SM-1T3/E3 firmware on Cisco Second Generation I ...) NOT-FOR-US: Cisco CVE-2018-0484 (A vulnerability in the access control logic of the Secure Shell (SSH) ...) NOT-FOR-US: Cisco CVE-2018-0483 (A vulnerability in Cisco Jabber Client Framework (JCF) could allow an ...) NOT-FOR-US: Cisco CVE-2018-0482 (A vulnerability in the web-based management interface of Cisco Prime N ...) NOT-FOR-US: Cisco CVE-2018-0481 (A vulnerability in the CLI parser of Cisco IOS XE Software could allow ...) NOT-FOR-US: Cisco CVE-2018-0480 (A vulnerability in the errdisable per VLAN feature of Cisco IOS XE Sof ...) NOT-FOR-US: Cisco CVE-2018-0479 RESERVED CVE-2018-0478 RESERVED CVE-2018-0477 (A vulnerability in the CLI parser of Cisco IOS XE Software could allow ...) NOT-FOR-US: Cisco CVE-2018-0476 (A vulnerability in the Network Address Translation (NAT) Session Initi ...) NOT-FOR-US: Cisco CVE-2018-0475 (A vulnerability in the implementation of the cluster feature of Cisco ...) NOT-FOR-US: Cisco CVE-2018-0474 (A vulnerability in the web-based management interface of Cisco Unified ...) NOT-FOR-US: Cisco CVE-2018-0473 (A vulnerability in the Precision Time Protocol (PTP) subsystem of Cisc ...) NOT-FOR-US: Cisco CVE-2018-0472 (A vulnerability in the IPsec driver code of multiple Cisco IOS XE Soft ...) NOT-FOR-US: Cisco CVE-2018-0471 (A vulnerability in the Cisco Discovery Protocol (CDP) module of Cisco ...) NOT-FOR-US: Cisco CVE-2018-0470 (A vulnerability in the web framework of Cisco IOS XE Software could al ...) NOT-FOR-US: Cisco CVE-2018-0469 (A vulnerability in the web user interface of Cisco IOS XE Software cou ...) NOT-FOR-US: Cisco CVE-2018-0468 (A vulnerability in the configuration of a local database installed as ...) NOT-FOR-US: Cisco CVE-2018-0467 (A vulnerability in the IPv6 processing code of Cisco IOS and IOS XE So ...) NOT-FOR-US: Cisco CVE-2018-0466 (A vulnerability in the Open Shortest Path First version 3 (OSPFv3) imp ...) NOT-FOR-US: Cisco CVE-2018-0465 (A vulnerability in the web-based management interface of Cisco Small B ...) NOT-FOR-US: Cisco CVE-2018-0464 (A vulnerability in Cisco Data Center Network Manager software could al ...) NOT-FOR-US: Cisco CVE-2018-0463 (A vulnerability in the Cisco Network Plug and Play server component of ...) NOT-FOR-US: Cisco CVE-2018-0462 (A vulnerability in the user management functionality of Cisco Enterpri ...) NOT-FOR-US: Cisco CVE-2018-0461 (A vulnerability in the Cisco IP Phone 8800 Series Software could allow ...) NOT-FOR-US: Cisco CVE-2018-0460 (A vulnerability in the REST API of Cisco Enterprise NFV Infrastructure ...) NOT-FOR-US: Cisco CVE-2018-0459 (A vulnerability in the web-based management interface of Cisco Enterpr ...) NOT-FOR-US: Cisco CVE-2018-0458 (A vulnerability in the web-based management interface of Cisco Prime C ...) NOT-FOR-US: Cisco CVE-2018-0457 (A vulnerability in the Cisco Webex Player for Webex Recording Format ( ...) NOT-FOR-US: Cisco CVE-2018-0456 (A vulnerability in the Simple Network Management Protocol (SNMP) input ...) NOT-FOR-US: Cisco CVE-2018-0455 (A vulnerability in the Server Message Block Version 2 (SMBv2) and Vers ...) NOT-FOR-US: Cisco CVE-2018-0454 (A vulnerability in the web-based management interface of Cisco Cloud S ...) NOT-FOR-US: Cisco CVE-2018-0453 (A vulnerability in the Sourcefire tunnel control channel protocol in C ...) NOT-FOR-US: Cisco CVE-2018-0452 (A vulnerability in the web-based management interface of Cisco Tetrati ...) NOT-FOR-US: Cisco CVE-2018-0451 (A vulnerability in the web-based management interface of Cisco Tetrati ...) NOT-FOR-US: Cisco CVE-2018-0450 (A vulnerability in the web-based management interface of Cisco Data Ce ...) NOT-FOR-US: Cisco CVE-2018-0449 (A vulnerability in the Cisco Jabber Client Framework (JCF) software, i ...) NOT-FOR-US: Cisco CVE-2018-0448 (A vulnerability in the identity management service of Cisco Digital Ne ...) NOT-FOR-US: Cisco CVE-2018-0447 (A vulnerability in the anti-spam protection mechanisms of Cisco AsyncO ...) NOT-FOR-US: Cisco CVE-2018-0446 (A vulnerability in the web-based management interface of Cisco Industr ...) NOT-FOR-US: Cisco CVE-2018-0445 (A vulnerability in the web-based management interface of Cisco Package ...) NOT-FOR-US: Cisco CVE-2018-0444 (A vulnerability in the web-based management interface of Cisco Package ...) NOT-FOR-US: Cisco CVE-2018-0443 (A vulnerability in the Control and Provisioning of Wireless Access Poi ...) NOT-FOR-US: Cisco CVE-2018-0442 (A vulnerability in the Control and Provisioning of Wireless Access Poi ...) NOT-FOR-US: Cisco CVE-2018-0441 (A vulnerability in the 802.11r Fast Transition feature set of Cisco IO ...) NOT-FOR-US: Cisco CVE-2018-0440 (A vulnerability in the web interface of Cisco Data Center Network Mana ...) NOT-FOR-US: Cisco CVE-2018-0439 (A vulnerability in the web-based management interface of Cisco Meeting ...) NOT-FOR-US: Cisco CVE-2018-0438 (A vulnerability in the Cisco Umbrella Enterprise Roaming Client (ERC) ...) NOT-FOR-US: Cisco CVE-2018-0437 (A vulnerability in the Cisco Umbrella Enterprise Roaming Client (ERC) ...) NOT-FOR-US: Cisco CVE-2018-0436 (A vulnerability in Cisco Webex Teams, formerly Cisco Spark, could allo ...) NOT-FOR-US: Cisco CVE-2018-0435 (A vulnerability in the Cisco Umbrella API could allow an authenticated ...) NOT-FOR-US: Cisco CVE-2018-0434 (A vulnerability in the Zero Touch Provisioning feature of the Cisco SD ...) NOT-FOR-US: Cisco CVE-2018-0433 (A vulnerability in the command-line interface (CLI) in the Cisco SD-WA ...) NOT-FOR-US: Cisco CVE-2018-0432 (A vulnerability in the error reporting feature of the Cisco SD-WAN Sol ...) NOT-FOR-US: Cisco CVE-2018-0431 (A vulnerability in the web-based management interface of Cisco Integra ...) NOT-FOR-US: Cisco CVE-2018-0430 (A vulnerability in the web-based management interface of Cisco Integra ...) NOT-FOR-US: Cisco CVE-2018-0429 (Stack-based buffer overflow in the Cisco Thor decoder before commit 18 ...) NOT-FOR-US: Cisco CVE-2018-0428 (A vulnerability in the account management subsystem of Cisco Web Secur ...) NOT-FOR-US: Cisco CVE-2018-0427 (A vulnerability in the CronJob scheduler API of Cisco Digital Network ...) NOT-FOR-US: Cisco CVE-2018-0426 (A vulnerability in the web-based management interface of the Cisco RV1 ...) NOT-FOR-US: Cisco CVE-2018-0425 (A vulnerability in the web-based management interface of the Cisco RV1 ...) NOT-FOR-US: Cisco CVE-2018-0424 (A vulnerability in the web-based management interface of the Cisco RV1 ...) NOT-FOR-US: Cisco CVE-2018-0423 (A vulnerability in the web-based management interface of the Cisco RV1 ...) NOT-FOR-US: Cisco CVE-2018-0422 (A vulnerability in the folder permissions of Cisco Webex Meetings clie ...) NOT-FOR-US: Cisco CVE-2018-0421 (A vulnerability in TCP connection management in Cisco Prime Access Reg ...) NOT-FOR-US: Cisco CVE-2018-0420 (A vulnerability in the web-based interface of Cisco Wireless LAN Contr ...) NOT-FOR-US: Cisco CVE-2018-0419 (A vulnerability in certain attachment detection mechanisms of Cisco Em ...) NOT-FOR-US: Cisco CVE-2018-0418 (A vulnerability in the Local Packet Transport Services (LPTS) feature ...) NOT-FOR-US: Cisco CVE-2018-0417 (A vulnerability in TACACS authentication with Cisco Wireless LAN Contr ...) NOT-FOR-US: Cisco CVE-2018-0416 (A vulnerability in the web-based interface of Cisco Wireless LAN Contr ...) NOT-FOR-US: Cisco CVE-2018-0415 (A vulnerability in the implementation of Extensible Authentication Pro ...) NOT-FOR-US: Cisco CVE-2018-0414 (A vulnerability in the web-based UI of Cisco Secure Access Control Ser ...) NOT-FOR-US: Cisco CVE-2018-0413 (A vulnerability in the web-based management interface of Cisco Identit ...) NOT-FOR-US: Cisco CVE-2018-0412 (A vulnerability in the implementation of Extensible Authentication Pro ...) NOT-FOR-US: Cisco CVE-2018-0411 (A vulnerability in the web-based management interface of Cisco Unified ...) NOT-FOR-US: Cisco CVE-2018-0410 (A vulnerability in the web proxy functionality of Cisco AsyncOS Softwa ...) NOT-FOR-US: Cisco CVE-2018-0409 (A vulnerability in the XCP Router service of the Cisco Unified Communi ...) NOT-FOR-US: Cisco CVE-2018-0408 (A vulnerability in the web-based management interface of Cisco Small B ...) NOT-FOR-US: Cisco CVE-2018-0407 (A vulnerability in the web-based management interface of Cisco Small B ...) NOT-FOR-US: Cisco CVE-2018-0406 (A vulnerability in the web-based management interface of Cisco Web Sec ...) NOT-FOR-US: Cisco CVE-2018-0405 (A vulnerability in the web framework code for Cisco RV180W Wireless-N ...) NOT-FOR-US: Cisco CVE-2018-0404 (A vulnerability in the web framework code for Cisco RV180W Wireless-N ...) NOT-FOR-US: Cisco CVE-2018-0403 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2018-0402 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2018-0401 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2018-0400 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2018-0399 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2018-0398 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2018-0397 (A vulnerability in Cisco AMP for Endpoints Mac Connector Software inst ...) NOT-FOR-US: Cisco CVE-2018-0396 (A vulnerability in the web framework of the Cisco Unified Communicatio ...) NOT-FOR-US: Cisco CVE-2018-0395 (A vulnerability in the Link Layer Discovery Protocol (LLDP) implementa ...) NOT-FOR-US: Cisco CVE-2018-0394 (A vulnerability in the web upload function of Cisco Cloud Services Pla ...) NOT-FOR-US: Cisco CVE-2018-0393 (A Read-Only User Effect Change vulnerability in the Policy Builder int ...) NOT-FOR-US: Cisco CVE-2018-0392 (A vulnerability in the CLI of Cisco Policy Suite could allow an authen ...) NOT-FOR-US: Cisco CVE-2018-0391 (A vulnerability in the password change function of Cisco Prime Collabo ...) NOT-FOR-US: Cisco CVE-2018-0390 (A vulnerability in the web framework of Cisco Webex could allow an una ...) NOT-FOR-US: Cisco CVE-2018-0389 (A vulnerability in the implementation of Session Initiation Protocol ( ...) NOT-FOR-US: Cisco CVE-2018-0388 (A vulnerability in the web-based interface of Cisco Wireless LAN Contr ...) NOT-FOR-US: Cisco CVE-2018-0387 (A vulnerability in Cisco Webex Teams (for Windows and macOS) could all ...) NOT-FOR-US: Cisco CVE-2018-0386 (A vulnerability in Cisco Unified Communications Domain Manager Softwar ...) NOT-FOR-US: Cisco CVE-2018-0385 (A vulnerability in the detection engine parsing of Security Socket Lay ...) NOT-FOR-US: Cisco CVE-2018-0384 (A vulnerability in the detection engine of Cisco FireSIGHT System Soft ...) NOT-FOR-US: Cisco CVE-2018-0383 (A vulnerability in the detection engine of Cisco FireSIGHT System Soft ...) NOT-FOR-US: Cisco CVE-2018-0382 (A vulnerability in the session identification management functionality ...) NOT-FOR-US: Cisco CVE-2018-0381 (A vulnerability in the Cisco Aironet Series Access Points (APs) softwa ...) NOT-FOR-US: Cisco CVE-2018-0380 (Multiple vulnerabilities exist in the Cisco Webex Network Recording Pl ...) NOT-FOR-US: Cisco CVE-2018-0379 (Multiple vulnerabilities exist in the Cisco Webex Network Recording Pl ...) NOT-FOR-US: Cisco CVE-2018-0378 (A vulnerability in the Precision Time Protocol (PTP) feature of Cisco ...) NOT-FOR-US: Cisco CVE-2018-0377 (A vulnerability in the Open Systems Gateway initiative (OSGi) interfac ...) NOT-FOR-US: Cisco CVE-2018-0376 (A vulnerability in the Policy Builder interface of Cisco Policy Suite ...) NOT-FOR-US: Cisco CVE-2018-0375 (A vulnerability in the Cluster Manager of Cisco Policy Suite before 18 ...) NOT-FOR-US: Cisco CVE-2018-0374 (A vulnerability in the Policy Builder database of Cisco Policy Suite b ...) NOT-FOR-US: Cisco CVE-2018-0373 (A vulnerability in vpnva-6.sys for 32-bit Windows and vpnva64-6.sys fo ...) NOT-FOR-US: Cisco CVE-2018-0372 (A vulnerability in the DHCPv6 feature of the Cisco Nexus 9000 Series F ...) NOT-FOR-US: Cisco CVE-2018-0371 (A vulnerability in the Web Admin Interface of Cisco Meeting Server cou ...) NOT-FOR-US: Cisco CVE-2018-0370 (A vulnerability in the detection engine of Cisco Firepower System Soft ...) NOT-FOR-US: Cisco CVE-2018-0369 (A vulnerability in the reassembly logic for fragmented IPv4 packets of ...) NOT-FOR-US: Cisco CVE-2018-0368 (A vulnerability in Cisco Digital Network Architecture (DNA) Center cou ...) NOT-FOR-US: Cisco CVE-2018-0367 (A vulnerability in the web-based management interface of the Cisco Reg ...) NOT-FOR-US: Cisco CVE-2018-0366 (A vulnerability in the web-based management interface of Cisco Web Sec ...) NOT-FOR-US: Cisco CVE-2018-0365 (A vulnerability in the web-based management interface of Cisco Firepow ...) NOT-FOR-US: Cisco CVE-2018-0364 (A vulnerability in the web-based management interface of Cisco Unified ...) NOT-FOR-US: Cisco CVE-2018-0363 (A vulnerability in the web-based management interface of Cisco Unified ...) NOT-FOR-US: Cisco CVE-2018-0362 (A vulnerability in BIOS authentication management of Cisco 5000 Series ...) NOT-FOR-US: Cisco CVE-2018-0361 (ClamAV before 0.100.1 lacks a PDF object length check, resulting in an ...) {DLA-1461-1} - clamav 0.100.1+dfsg-1 [stretch] - clamav 0.100.1+dfsg-0+deb9u1 NOTE: https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html CVE-2018-0360 (ClamAV before 0.100.1 has an HWP integer overflow with a resultant inf ...) {DLA-1461-1} - clamav 0.100.1+dfsg-1 [stretch] - clamav 0.100.1+dfsg-0+deb9u1 NOTE: https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html CVE-2018-0359 (A vulnerability in the session identification management functionality ...) NOT-FOR-US: Cisco CVE-2018-0358 (A vulnerability in the file descriptor handling of Cisco TelePresence ...) NOT-FOR-US: Cisco CVE-2018-0357 (A vulnerability in the web framework of Cisco WebEx could allow an una ...) NOT-FOR-US: Cisco CVE-2018-0356 (A vulnerability in the web framework of Cisco WebEx could allow an una ...) NOT-FOR-US: Cisco CVE-2018-0355 (A vulnerability in the web UI of Cisco Unified Communications Manager ...) NOT-FOR-US: Cisco CVE-2018-0354 (A vulnerability in the web framework of Cisco Unity Connection could a ...) NOT-FOR-US: Cisco CVE-2018-0353 (A vulnerability in traffic-monitoring functions in Cisco Web Security ...) NOT-FOR-US: Cisco CVE-2018-0352 (A vulnerability in the Disk Check Tool (disk-check.sh) for Cisco Wide ...) NOT-FOR-US: Cisco CVE-2018-0351 (A vulnerability in the command-line tcpdump utility in the Cisco SD-WA ...) NOT-FOR-US: Cisco (tcpdump utility in Cisco SD-WAN Solution, but CVE is Cisco specific assigned) CVE-2018-0350 (A vulnerability in the VPN subsystem configuration in the Cisco SD-WAN ...) NOT-FOR-US: Cisco CVE-2018-0349 (A vulnerability in the Cisco SD-WAN Solution could allow an authentica ...) NOT-FOR-US: Cisco CVE-2018-0348 (A vulnerability in the CLI of the Cisco SD-WAN Solution could allow an ...) NOT-FOR-US: Cisco CVE-2018-0347 (A vulnerability in the Zero Touch Provisioning (ZTP) subsystem of the ...) NOT-FOR-US: Cisco CVE-2018-0346 (A vulnerability in the Zero Touch Provisioning service of the Cisco SD ...) NOT-FOR-US: Cisco CVE-2018-0345 (A vulnerability in the configuration and management database of the Ci ...) NOT-FOR-US: Cisco CVE-2018-0344 (A vulnerability in the vManage dashboard for the configuration and man ...) NOT-FOR-US: Cisco CVE-2018-0343 (A vulnerability in the configuration and management service of the Cis ...) NOT-FOR-US: Cisco CVE-2018-0342 (A vulnerability in the configuration and monitoring service of the Cis ...) NOT-FOR-US: Cisco CVE-2018-0341 (A vulnerability in the web-based UI of Cisco IP Phone 6800, 7800, and ...) NOT-FOR-US: Cisco CVE-2018-0340 (A vulnerability in the web framework of the Cisco Unified Communicatio ...) NOT-FOR-US: Cisco CVE-2018-0339 (A vulnerability in the web-based management interface of Cisco Identit ...) NOT-FOR-US: Cisco CVE-2018-0338 (A vulnerability in the role-based access-checking mechanisms of Cisco ...) NOT-FOR-US: Cisco CVE-2018-0337 (A vulnerability in the role-based access-checking mechanisms of Cisco ...) NOT-FOR-US: Cisco CVE-2018-0336 (A vulnerability in the batch provisioning feature of Cisco Prime Colla ...) NOT-FOR-US: Cisco CVE-2018-0335 (A vulnerability in the web portal authentication process of Cisco Prim ...) NOT-FOR-US: Cisco CVE-2018-0334 (A vulnerability in the certificate management subsystem of Cisco AnyCo ...) NOT-FOR-US: Cisco CVE-2018-0333 (A vulnerability in the VPN configuration management of Cisco FireSIGHT ...) NOT-FOR-US: Cisco CVE-2018-0332 (A vulnerability in the Session Initiation Protocol (SIP) ingress packe ...) NOT-FOR-US: Cisco CVE-2018-0331 (A vulnerability in the Cisco Discovery Protocol (formerly known as CDP ...) NOT-FOR-US: Cisco CVE-2018-0330 (A vulnerability in the NX-API management application programming inter ...) NOT-FOR-US: Cisco CVE-2018-0329 (A vulnerability in the default configuration of the Simple Network Man ...) NOT-FOR-US: Cisco CVE-2018-0328 (A vulnerability in the web framework of Cisco Unified Communications M ...) NOT-FOR-US: Cisco CVE-2018-0327 (A vulnerability in the web framework of Cisco Identity Services Engine ...) NOT-FOR-US: Cisco CVE-2018-0326 (A vulnerability in the web UI of Cisco TelePresence Server Software co ...) NOT-FOR-US: Cisco CVE-2018-0325 (A vulnerability in the Session Initiation Protocol (SIP) call-handling ...) NOT-FOR-US: Cisco CVE-2018-0324 (A vulnerability in the CLI of Cisco Enterprise NFV Infrastructure Soft ...) NOT-FOR-US: Cisco CVE-2018-0323 (A vulnerability in the web management interface of Cisco Enterprise NF ...) NOT-FOR-US: Cisco CVE-2018-0322 (A vulnerability in the web management interface of Cisco Prime Collabo ...) NOT-FOR-US: Cisco CVE-2018-0321 (A vulnerability in Cisco Prime Collaboration Provisioning (PCP) could ...) NOT-FOR-US: Cisco CVE-2018-0320 (A vulnerability in the web framework code of Cisco Prime Collaboration ...) NOT-FOR-US: Cisco CVE-2018-0319 (A vulnerability in the password recovery function of Cisco Prime Colla ...) NOT-FOR-US: Cisco CVE-2018-0318 (A vulnerability in the password reset function of Cisco Prime Collabor ...) NOT-FOR-US: Cisco CVE-2018-0317 (A vulnerability in the web interface of Cisco Prime Collaboration Prov ...) NOT-FOR-US: Cisco CVE-2018-0316 (A vulnerability in the Session Initiation Protocol (SIP) call-handling ...) NOT-FOR-US: Cisco CVE-2018-0315 (A vulnerability in the authentication, authorization, and accounting ( ...) NOT-FOR-US: Cisco CVE-2018-0314 (A vulnerability in the Cisco Fabric Services (CFS) component of Cisco ...) NOT-FOR-US: Cisco CVE-2018-0313 (A vulnerability in the NX-API feature of Cisco NX-OS Software could al ...) NOT-FOR-US: Cisco CVE-2018-0312 (A vulnerability in the Cisco Fabric Services component of Cisco FXOS S ...) NOT-FOR-US: Cisco CVE-2018-0311 (A vulnerability in the Cisco Fabric Services component of Cisco FXOS S ...) NOT-FOR-US: Cisco CVE-2018-0310 (A vulnerability in the Cisco Fabric Services component of Cisco FXOS S ...) NOT-FOR-US: Cisco CVE-2018-0309 (A vulnerability in the implementation of a specific CLI command and th ...) NOT-FOR-US: Cisco CVE-2018-0308 (A vulnerability in the Cisco Fabric Services component of Cisco FXOS S ...) NOT-FOR-US: Cisco CVE-2018-0307 (A vulnerability in the CLI of Cisco NX-OS Software could allow an auth ...) NOT-FOR-US: Cisco CVE-2018-0306 (A vulnerability in the CLI parser of Cisco NX-OS Software could allow ...) NOT-FOR-US: Cisco CVE-2018-0305 (A vulnerability in the Cisco Fabric Services component of Cisco FXOS S ...) NOT-FOR-US: Cisco CVE-2018-0304 (A vulnerability in the Cisco Fabric Services component of Cisco FXOS S ...) NOT-FOR-US: Cisco CVE-2018-0303 (A vulnerability in the Cisco Discovery Protocol component of Cisco FXO ...) NOT-FOR-US: Cisco CVE-2018-0302 (A vulnerability in the CLI parser of Cisco FXOS Software and Cisco UCS ...) NOT-FOR-US: Cisco CVE-2018-0301 (A vulnerability in the NX-API feature of Cisco NX-OS Software could al ...) NOT-FOR-US: Cisco CVE-2018-0300 (A vulnerability in the process of uploading new application images to ...) NOT-FOR-US: Cisco CVE-2018-0299 (A vulnerability in the Simple Network Management Protocol (SNMP) featu ...) NOT-FOR-US: Cisco CVE-2018-0298 (A vulnerability in the web UI of Cisco FXOS and Cisco UCS Fabric Inter ...) NOT-FOR-US: Cisco CVE-2018-0297 (A vulnerability in the detection engine of Cisco Firepower Threat Defe ...) NOT-FOR-US: Cisco CVE-2018-0296 (A vulnerability in the web interface of the Cisco Adaptive Security Ap ...) NOT-FOR-US: Cisco CVE-2018-0295 (A vulnerability in the Border Gateway Protocol (BGP) implementation of ...) NOT-FOR-US: Cisco CVE-2018-0294 (A vulnerability in the write-erase feature of Cisco FXOS Software and ...) NOT-FOR-US: Cisco CVE-2018-0293 (A vulnerability in role-based access control (RBAC) for Cisco NX-OS So ...) NOT-FOR-US: Cisco CVE-2018-0292 (A vulnerability in the Internet Group Management Protocol (IGMP) Snoop ...) NOT-FOR-US: Cisco CVE-2018-0291 (A vulnerability in the Simple Network Management Protocol (SNMP) input ...) NOT-FOR-US: Cisco CVE-2018-0290 (A vulnerability in the TCP stack of Cisco SocialMiner could allow an u ...) NOT-FOR-US: Cisco CVE-2018-0289 (A vulnerability in the logs component of Cisco Identity Services Engin ...) NOT-FOR-US: Cisco CVE-2018-0288 (A vulnerability in Cisco WebEx Recording Format (WRF) Player could all ...) NOT-FOR-US: Cisco CVE-2018-0287 (A vulnerability in the Cisco WebEx Network Recording Player for Advanc ...) NOT-FOR-US: Cisco CVE-2018-0286 (A vulnerability in the netconf interface of Cisco IOS XR Software coul ...) NOT-FOR-US: Cisco CVE-2018-0285 (A vulnerability in service logging for Cisco Prime Service Catalog cou ...) NOT-FOR-US: Cisco CVE-2018-0284 (A vulnerability in the local status page functionality of the Cisco Me ...) NOT-FOR-US: Cisco CVE-2018-0283 (A vulnerability in the detection engine of Cisco Firepower System Soft ...) NOT-FOR-US: Cisco CVE-2018-0282 (A vulnerability in the TCP socket code of Cisco IOS and IOS XE Softwar ...) NOT-FOR-US: Cisco CVE-2018-0281 (A vulnerability in the detection engine of Cisco Firepower System Soft ...) NOT-FOR-US: Cisco CVE-2018-0280 (A vulnerability in the Real-Time Transport Protocol (RTP) bitstream pr ...) NOT-FOR-US: Cisco CVE-2018-0279 (A vulnerability in the Secure Copy Protocol (SCP) server of Cisco Ente ...) NOT-FOR-US: Cisco CVE-2018-0278 (A vulnerability in the management console of Cisco Firepower System So ...) NOT-FOR-US: Cisco CVE-2018-0277 (A vulnerability in the Extensible Authentication Protocol-Transport La ...) NOT-FOR-US: Cisco CVE-2018-0276 (A vulnerability in Cisco WebEx Connect IM could allow an unauthenticat ...) NOT-FOR-US: Cisco CVE-2018-0275 (A vulnerability in the support tunnel feature of Cisco Identity Servic ...) NOT-FOR-US: Cisco CVE-2018-0274 (A vulnerability in the CLI parser of Cisco Network Services Orchestrat ...) NOT-FOR-US: Cisco CVE-2018-0273 (A vulnerability in the IPsec Manager of Cisco StarOS for Cisco Aggrega ...) NOT-FOR-US: Cisco CVE-2018-0272 (A vulnerability in the Secure Sockets Layer (SSL) Engine of Cisco Fire ...) NOT-FOR-US: Cisco CVE-2018-0271 (A vulnerability in the API gateway of the Cisco Digital Network Archit ...) NOT-FOR-US: Cisco CVE-2018-0270 (A vulnerability in the web-based management interface of Cisco IoT Fie ...) NOT-FOR-US: Cisco CVE-2018-0269 (A vulnerability in the web framework of the Cisco Digital Network Arch ...) NOT-FOR-US: Cisco CVE-2018-0268 (A vulnerability in the container management subsystem of Cisco Digital ...) NOT-FOR-US: Cisco CVE-2018-0267 (A vulnerability in the web framework of Cisco Unified Communications M ...) NOT-FOR-US: Cisco CVE-2018-0266 (A vulnerability in the web framework of Cisco Unified Communications M ...) NOT-FOR-US: Cisco CVE-2018-0265 REJECTED CVE-2018-0264 (A vulnerability in the Cisco WebEx Network Recording Player for Advanc ...) NOT-FOR-US: Cisco CVE-2018-0263 (A vulnerability in Cisco Meeting Server (CMS) could allow an unauthent ...) NOT-FOR-US: Cisco CVE-2018-0262 (A vulnerability in Cisco Meeting Server could allow an unauthenticated ...) NOT-FOR-US: Cisco CVE-2018-0261 RESERVED CVE-2018-0260 (A vulnerability in the web interface of Cisco MATE Live could allow an ...) NOT-FOR-US: Cisco CVE-2018-0259 (A vulnerability in the web-based management interface of Cisco MATE Co ...) NOT-FOR-US: Cisco CVE-2018-0258 (A vulnerability in the Cisco Prime File Upload servlet affecting multi ...) NOT-FOR-US: Cisco CVE-2018-0257 (A vulnerability in Cisco IOS XE Software running on Cisco cBR Series C ...) NOT-FOR-US: Cisco CVE-2018-0256 (A vulnerability in the peer-to-peer message processing functionality o ...) NOT-FOR-US: Cisco CVE-2018-0255 (A vulnerability in the device manager web interface of Cisco Industria ...) NOT-FOR-US: Cisco CVE-2018-0254 (A vulnerability in the detection engine of Cisco Firepower System Soft ...) NOT-FOR-US: Cisco CVE-2018-0253 (A vulnerability in the ACS Report component of Cisco Secure Access Con ...) NOT-FOR-US: Cisco CVE-2018-0252 (A vulnerability in the IP Version 4 (IPv4) fragment reassembly functio ...) NOT-FOR-US: Cisco CVE-2018-0251 (A vulnerability in the Web Server Authentication Required screen of th ...) NOT-FOR-US: Cisco CVE-2018-0250 (A vulnerability in Central Web Authentication (CWA) with FlexConnect A ...) NOT-FOR-US: Cisco CVE-2018-0249 (A vulnerability when handling incoming 802.11 Association Requests for ...) NOT-FOR-US: Cisco CVE-2018-0248 (A vulnerability in the administrative GUI configuration feature of Cis ...) NOT-FOR-US: Cisco CVE-2018-0247 (A vulnerability in Web Authentication (WebAuth) clients for the Cisco ...) NOT-FOR-US: Cisco CVE-2018-0246 REJECTED CVE-2018-0245 (A vulnerability in the REST API of Cisco 5500 and 8500 Series Wireless ...) NOT-FOR-US: Cisco CVE-2018-0244 (A vulnerability in the detection engine of Cisco Firepower System Soft ...) NOT-FOR-US: Cisco CVE-2018-0243 (A vulnerability in the detection engine of Cisco Firepower System Soft ...) NOT-FOR-US: Cisco CVE-2018-0242 (A vulnerability in the WebVPN web-based management interface of Cisco ...) NOT-FOR-US: Cisco CVE-2018-0241 (A vulnerability in the UDP broadcast forwarding function of Cisco IOS ...) NOT-FOR-US: Cisco CVE-2018-0240 (Multiple vulnerabilities in the Application Layer Protocol Inspection ...) NOT-FOR-US: Cisco CVE-2018-0239 (A vulnerability in the egress packet processing functionality of the C ...) NOT-FOR-US: Cisco CVE-2018-0238 (A vulnerability in the role-based resource checking functionality of t ...) NOT-FOR-US: Cisco CVE-2018-0237 (A vulnerability in the file type detection mechanism of the Cisco Adva ...) NOT-FOR-US: Cisco CVE-2018-0236 REJECTED CVE-2018-0235 (A vulnerability in the 802.11 frame validation functionality of the Ci ...) NOT-FOR-US: Cisco CVE-2018-0234 (A vulnerability in the implementation of Point-to-Point Tunneling Prot ...) NOT-FOR-US: Cisco CVE-2018-0233 (A vulnerability in the Secure Sockets Layer (SSL) packet reassembly fu ...) NOT-FOR-US: Cisco CVE-2018-0232 RESERVED CVE-2018-0231 (A vulnerability in the Transport Layer Security (TLS) library of Cisco ...) NOT-FOR-US: Cisco CVE-2018-0230 (A vulnerability in the internal packet-processing functionality of Cis ...) NOT-FOR-US: Cisco CVE-2018-0229 (A vulnerability in the implementation of Security Assertion Markup Lan ...) NOT-FOR-US: Cisco CVE-2018-0228 (A vulnerability in the ingress flow creation functionality of Cisco Ad ...) NOT-FOR-US: Cisco CVE-2018-0227 (A vulnerability in the Secure Sockets Layer (SSL) Virtual Private Netw ...) NOT-FOR-US: Cisco CVE-2018-0226 (A vulnerability in the assignment and management of default user accou ...) NOT-FOR-US: Cisco CVE-2018-0225 (The Enterprise Console in Cisco AppDynamics App iQ Platform before 4.4 ...) NOT-FOR-US: Cisco CVE-2018-0224 (A vulnerability in the CLI of the Cisco StarOS operating system for Ci ...) NOT-FOR-US: Cisco CVE-2018-0223 (A vulnerability in DesktopServlet in the web-based management interfac ...) NOT-FOR-US: Cisco CVE-2018-0222 (A vulnerability in Cisco Digital Network Architecture (DNA) Center cou ...) NOT-FOR-US: Cisco CVE-2018-0221 (A vulnerability in specific CLI commands for the Cisco Identity Servic ...) NOT-FOR-US: Cisco CVE-2018-0220 (A vulnerability in the web-based management interface of Cisco Videosc ...) NOT-FOR-US: Cisco CVE-2018-0219 (A vulnerability in the web-based management interface of Cisco Unified ...) NOT-FOR-US: Cisco CVE-2018-0218 (A vulnerability in the web-based user interface of the Cisco Secure Ac ...) NOT-FOR-US: Cisco CVE-2018-0217 (A vulnerability in the CLI of the Cisco StarOS operating system for Ci ...) NOT-FOR-US: Cisco CVE-2018-0216 (A vulnerability in the web-based management interface of Cisco Identit ...) NOT-FOR-US: Cisco CVE-2018-0215 (A vulnerability in the web-based management interface of Cisco Identit ...) NOT-FOR-US: Cisco CVE-2018-0214 (A vulnerability in certain CLI commands of Cisco Identity Services Eng ...) NOT-FOR-US: Cisco CVE-2018-0213 (A vulnerability in the credential reset functionality for Cisco Identi ...) NOT-FOR-US: Cisco CVE-2018-0212 (A vulnerability in the web-based management interface of Cisco Identit ...) NOT-FOR-US: Cisco CVE-2018-0211 (A vulnerability in specific CLI commands for the Cisco Identity Servic ...) NOT-FOR-US: Cisco CVE-2018-0210 (A vulnerability in the web-based management interface of Cisco Data Ce ...) NOT-FOR-US: Cisco CVE-2018-0209 (A vulnerability in the Simple Network Management Protocol (SNMP) subsy ...) NOT-FOR-US: Cisco CVE-2018-0208 (A vulnerability in the web-based management interface of the (cloud ba ...) NOT-FOR-US: Cisco CVE-2018-0207 (A vulnerability in the web-based user interface of the Cisco Secure Ac ...) NOT-FOR-US: Cisco CVE-2018-0206 (A vulnerability in the web-based management interface of Cisco Unified ...) NOT-FOR-US: Cisco CVE-2018-0205 (A vulnerability in the User Provisioning tab in the Cisco Prime Collab ...) NOT-FOR-US: Cisco CVE-2018-0204 (A vulnerability in the web portal of the Cisco Prime Collaboration Pro ...) NOT-FOR-US: Cisco CVE-2018-0203 (A vulnerability in the SMTP relay of Cisco Unity Connection could allo ...) NOT-FOR-US: Cisco CVE-2018-0202 (clamscan in ClamAV before 0.99.4 contains a vulnerability that could a ...) {DLA-1307-1} - clamav 0.100.0~beta+dfsg-2 [stretch] - clamav 0.99.4+dfsg-1+deb9u1 NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11973 NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11980 NOTE: https://github.com/Cisco-Talos/clamav-devel/commit/87aaa10b29476958f5bf54b6119a133069f944fc NOTE: https://github.com/Cisco-Talos/clamav-devel/commit/700ed96af56077cb1a9bff7b91d21db112f6465d NOTE: https://github.com/Cisco-Talos/clamav-devel/commit/0df2fedf2805e574512c486b32a0fff4ed394560 NOTE: https://github.com/Cisco-Talos/clamav-devel/commit/495fce917445063d519f14b0009cee025f817bc3 NOTE: https://github.com/Cisco-Talos/clamav-devel/commit/99eadf7a9ad351210165312362d1f32b77c6f857 CVE-2018-0201 (A vulnerability in Cisco Jabber Client Framework (JCF) could allow an ...) NOT-FOR-US: Cisco CVE-2018-0200 (A vulnerability in the web-based interface of Cisco Prime Service Cata ...) NOT-FOR-US: Cisco CVE-2018-0199 (A vulnerability in Cisco Jabber Client Framework (JCF) could allow an ...) NOT-FOR-US: Cisco CVE-2018-0198 (A vulnerability in the web framework of Cisco Unified Communications M ...) NOT-FOR-US: Cisco CVE-2018-0197 (A vulnerability in the VLAN Trunking Protocol (VTP) subsystem of Cisco ...) NOT-FOR-US: Cisco CVE-2018-0196 (A vulnerability in the web-based user interface (web UI) of Cisco IOS ...) NOT-FOR-US: Cisco CVE-2018-0195 (A vulnerability in the Cisco IOS XE Software REST API could allow an a ...) NOT-FOR-US: Cisco CVE-2018-0194 (Multiple vulnerabilities in the CLI parser of Cisco IOS XE Software co ...) NOT-FOR-US: Cisco CVE-2018-0193 (Multiple vulnerabilities in the CLI parser of Cisco IOS XE Software co ...) NOT-FOR-US: Cisco CVE-2018-0192 RESERVED CVE-2018-0191 REJECTED CVE-2018-0190 (Multiple vulnerabilities in the web-based user interface (web UI) of C ...) NOT-FOR-US: Cisco CVE-2018-0189 (A vulnerability in the Forwarding Information Base (FIB) code of Cisco ...) NOT-FOR-US: Cisco CVE-2018-0188 (Multiple vulnerabilities in the web-based user interface (web UI) of C ...) NOT-FOR-US: Cisco CVE-2018-0187 (A vulnerability in the Admin portal of Cisco Identity Services Engine ...) NOT-FOR-US: Cisco CVE-2018-0186 (Multiple vulnerabilities in the web-based user interface (web UI) of C ...) NOT-FOR-US: Cisco CVE-2018-0185 (Multiple vulnerabilities in the CLI parser of Cisco IOS XE Software co ...) NOT-FOR-US: Cisco CVE-2018-0184 (A vulnerability in the CLI parser of Cisco IOS XE Software could allow ...) NOT-FOR-US: Cisco CVE-2018-0183 (A vulnerability in the CLI parser of Cisco IOS XE Software could allow ...) NOT-FOR-US: Cisco CVE-2018-0182 (Multiple vulnerabilities in the CLI parser of Cisco IOS XE Software co ...) NOT-FOR-US: Cisco CVE-2018-0181 (A vulnerability in the Redis implementation used by the Cisco Policy S ...) NOT-FOR-US: Cisco CVE-2018-0180 (Multiple vulnerabilities in the Login Enhancements (Login Block) featu ...) NOT-FOR-US: Cisco CVE-2018-0179 (Multiple vulnerabilities in the Login Enhancements (Login Block) featu ...) NOT-FOR-US: Cisco CVE-2018-0178 REJECTED CVE-2018-0177 (A vulnerability in the IP Version 4 (IPv4) processing code of Cisco IO ...) NOT-FOR-US: Cisco CVE-2018-0176 (Multiple vulnerabilities in the CLI parser of Cisco IOS XE Software co ...) NOT-FOR-US: Cisco CVE-2018-0175 (Format String vulnerability in the Link Layer Discovery Protocol (LLDP ...) NOT-FOR-US: Cisco CVE-2018-0174 (A vulnerability in the DHCP option 82 encapsulation functionality of C ...) NOT-FOR-US: Cisco CVE-2018-0173 (A vulnerability in the Cisco IOS Software and Cisco IOS XE Software fu ...) NOT-FOR-US: Cisco CVE-2018-0172 (A vulnerability in the DHCP option 82 encapsulation functionality of C ...) NOT-FOR-US: Cisco CVE-2018-0171 (A vulnerability in the Smart Install feature of Cisco IOS Software and ...) NOT-FOR-US: Cisco CVE-2018-0170 (A vulnerability in the Cisco Umbrella Integration feature of Cisco IOS ...) NOT-FOR-US: Cisco CVE-2018-0169 (Multiple vulnerabilities in the CLI parser of Cisco IOS XE Software co ...) NOT-FOR-US: Cisco CVE-2018-0168 RESERVED CVE-2018-0167 (Multiple Buffer Overflow vulnerabilities in the Link Layer Discovery P ...) NOT-FOR-US: Cisco CVE-2018-0166 RESERVED CVE-2018-0165 (A vulnerability in the Internet Group Management Protocol (IGMP) packe ...) NOT-FOR-US: Cisco CVE-2018-0164 (A vulnerability in the Switch Integrated Security Features of Cisco IO ...) NOT-FOR-US: Cisco CVE-2018-0163 (A vulnerability in the 802.1x multiple-authentication (multi-auth) fea ...) NOT-FOR-US: Cisco CVE-2018-0162 RESERVED CVE-2018-0161 (A vulnerability in the Simple Network Management Protocol (SNMP) subsy ...) NOT-FOR-US: Cisco CVE-2018-0160 (A vulnerability in Simple Network Management Protocol (SNMP) subsystem ...) NOT-FOR-US: Cisco CVE-2018-0159 (A vulnerability in the implementation of Internet Key Exchange Version ...) NOT-FOR-US: Cisco CVE-2018-0158 (A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module ...) NOT-FOR-US: Cisco CVE-2018-0157 (A vulnerability in the Zone-Based Firewall code of Cisco IOS XE Softwa ...) NOT-FOR-US: Cisco CVE-2018-0156 (A vulnerability in the Smart Install feature of Cisco IOS Software and ...) NOT-FOR-US: Cisco CVE-2018-0155 (A vulnerability in the Bidirectional Forwarding Detection (BFD) offloa ...) NOT-FOR-US: Cisco CVE-2018-0154 (A vulnerability in the crypto engine of the Cisco Integrated Services ...) NOT-FOR-US: Cisco CVE-2018-0153 REJECTED CVE-2018-0152 (A vulnerability in the web-based user interface (web UI) of Cisco IOS ...) NOT-FOR-US: Cisco CVE-2018-0151 (A vulnerability in the quality of service (QoS) subsystem of Cisco IOS ...) NOT-FOR-US: Cisco CVE-2018-0150 (A vulnerability in Cisco IOS XE Software could allow an unauthenticate ...) NOT-FOR-US: Cisco CVE-2018-0149 (A vulnerability in the web-based management interface of Cisco Integra ...) NOT-FOR-US: Cisco CVE-2018-0148 (A vulnerability in the web-based management interface of Cisco UCS Dir ...) NOT-FOR-US: Cisco CVE-2018-0147 (A vulnerability in Java deserialization used by Cisco Secure Access Co ...) NOT-FOR-US: Cisco CVE-2018-0146 (A vulnerability in the Cisco Data Center Analytics Framework applicati ...) NOT-FOR-US: Cisco CVE-2018-0145 (A vulnerability in the web-based management interface of the Cisco Dat ...) NOT-FOR-US: Cisco CVE-2018-0144 (A vulnerability in the web-based management interface of Cisco Prime D ...) NOT-FOR-US: Cisco CVE-2018-0143 REJECTED CVE-2018-0142 RESERVED CVE-2018-0141 (A vulnerability in Cisco Prime Collaboration Provisioning (PCP) Softwa ...) NOT-FOR-US: Cisco CVE-2018-0140 (A vulnerability in the spam quarantine of Cisco Email Security Applian ...) NOT-FOR-US: Cisco CVE-2018-0139 (A vulnerability in the Interactive Voice Response (IVR) management con ...) NOT-FOR-US: Cisco CVE-2018-0138 (A vulnerability in the detection engine of Cisco Firepower System Soft ...) NOT-FOR-US: Cisco CVE-2018-0137 (A vulnerability in the TCP throttling process of Cisco Prime Network c ...) NOT-FOR-US: Cisco CVE-2018-0136 (A vulnerability in the IPv6 subsystem of Cisco IOS XR Software Release ...) NOT-FOR-US: Cisco CVE-2018-0135 (A vulnerability in Cisco Unified Communications Manager could allow an ...) NOT-FOR-US: Cisco CVE-2018-0134 (A vulnerability in the RADIUS authentication module of Cisco Policy Su ...) NOT-FOR-US: Cisco CVE-2018-0133 RESERVED CVE-2018-0132 (A vulnerability in the forwarding information base (FIB) code of Cisco ...) NOT-FOR-US: Cisco CVE-2018-0131 (A vulnerability in the implementation of RSA-encrypted nonces in Cisco ...) NOT-FOR-US: Cisco CVE-2018-0130 (A vulnerability in the use of JSON web tokens by the web-based service ...) NOT-FOR-US: Cisco CVE-2018-0129 (A vulnerability in the web-based management interface of Cisco Data Ce ...) NOT-FOR-US: Cisco CVE-2018-0128 (A vulnerability in the web-based management interface of Cisco Data Ce ...) NOT-FOR-US: Cisco CVE-2018-0127 (A vulnerability in the web interface of Cisco RV132W ADSL2+ Wireless-N ...) NOT-FOR-US: Cisco CVE-2018-0126 RESERVED CVE-2018-0125 (A vulnerability in the web interface of the Cisco RV132W ADSL2+ Wirele ...) NOT-FOR-US: Cisco CVE-2018-0124 (A vulnerability in Cisco Unified Communications Domain Manager could a ...) NOT-FOR-US: Cisco CVE-2018-0123 (A Path Traversal vulnerability in the diagnostic shell for Cisco IOS a ...) NOT-FOR-US: Cisco CVE-2018-0122 (A vulnerability in the CLI of the Cisco StarOS operating system for Ci ...) NOT-FOR-US: Cisco CVE-2018-0121 (A vulnerability in the authentication functionality of the web-based s ...) NOT-FOR-US: Cisco CVE-2018-0120 (A vulnerability in the web framework of Cisco Unified Communications M ...) NOT-FOR-US: Cisco CVE-2018-0119 (A vulnerability in certain authentication controls in the account serv ...) NOT-FOR-US: Cisco CVE-2018-0118 (A vulnerability in the web-based management interface of Cisco Unified ...) NOT-FOR-US: Cisco CVE-2018-0117 (A vulnerability in the ingress packet processing functionality of the ...) NOT-FOR-US: Cisco CVE-2018-0116 (A vulnerability in the RADIUS authentication module of Cisco Policy Su ...) NOT-FOR-US: Cisco CVE-2018-0115 (A vulnerability in the CLI of the Cisco StarOS operating system for Ci ...) NOT-FOR-US: Cisco CVE-2018-0114 (A vulnerability in the Cisco node-jose open source library before 0.11 ...) NOT-FOR-US: Cisco node-jose CVE-2018-0113 (A vulnerability in an operations script of Cisco UCS Central could all ...) NOT-FOR-US: Cisco CVE-2018-0112 (A vulnerability in Cisco WebEx Business Suite clients, Cisco WebEx Mee ...) NOT-FOR-US: Cisco CVE-2018-0111 (A vulnerability in Cisco WebEx Meetings Server could allow an unauthen ...) NOT-FOR-US: Cisco CVE-2018-0110 (A vulnerability in Cisco WebEx Meetings Server could allow an authenti ...) NOT-FOR-US: Cisco CVE-2018-0109 (A vulnerability in Cisco WebEx Meetings Server could allow an authenti ...) NOT-FOR-US: Cisco CVE-2018-0108 (A vulnerability in Cisco WebEx Meetings Server could allow an unauthen ...) NOT-FOR-US: Cisco CVE-2018-0107 (A vulnerability in the web framework of Cisco Prime Service Catalog co ...) NOT-FOR-US: Cisco CVE-2018-0106 (A vulnerability in the ConfD server of the Cisco Elastic Services Cont ...) NOT-FOR-US: Cisco CVE-2018-0105 (A vulnerability in the web framework of Cisco Unified Communications M ...) NOT-FOR-US: Cisco CVE-2018-0104 (A vulnerability in Cisco WebEx Network Recording Player for Advanced R ...) NOT-FOR-US: Cisco CVE-2018-0103 (A Buffer Overflow vulnerability in Cisco WebEx Network Recording Playe ...) NOT-FOR-US: Cisco CVE-2018-0102 (A vulnerability in the Pong tool of Cisco NX-OS Software could allow a ...) NOT-FOR-US: Cisco CVE-2018-0101 (A vulnerability in the Secure Sockets Layer (SSL) VPN functionality of ...) NOT-FOR-US: Cisco CVE-2018-0100 (A vulnerability in the Profile Editor of the Cisco AnyConnect Secure M ...) NOT-FOR-US: Cisco CVE-2018-0099 (A vulnerability in the web management GUI of the Cisco D9800 Network T ...) NOT-FOR-US: Cisco CVE-2018-0098 (A vulnerability in the web-based management interface of Cisco WAP150 ...) NOT-FOR-US: Cisco CVE-2018-0097 (A vulnerability in the web interface of Cisco Prime Infrastructure cou ...) NOT-FOR-US: Cisco CVE-2018-0096 (A vulnerability in the role-based access control (RBAC) functionality ...) NOT-FOR-US: Cisco CVE-2018-0095 (A vulnerability in the administrative shell of Cisco AsyncOS on Cisco ...) NOT-FOR-US: Cisco CVE-2018-0094 (A vulnerability in IPv6 ingress packet processing for Cisco UCS Centra ...) NOT-FOR-US: Cisco CVE-2018-0093 (A vulnerability in the web-based management interface of Cisco Web Sec ...) NOT-FOR-US: Cisco CVE-2018-0092 (A vulnerability in the network-operator user role implementation for C ...) NOT-FOR-US: Cisco CVE-2018-0091 (A vulnerability in the web-based management interface of Cisco Identit ...) NOT-FOR-US: Cisco CVE-2018-0090 (A vulnerability in management interface access control list (ACL) conf ...) NOT-FOR-US: Cisco CVE-2018-0089 (A vulnerability in the Policy and Charging Rules Function (PCRF) of th ...) NOT-FOR-US: Cisco CVE-2018-0088 (A vulnerability in one of the diagnostic test CLI commands on Cisco In ...) NOT-FOR-US: Cisco CVE-2018-0087 (A vulnerability in the FTP server of the Cisco Web Security Appliance ...) NOT-FOR-US: Cisco CVE-2018-0086 (A vulnerability in the application server of the Cisco Unified Custome ...) NOT-FOR-US: Cisco CVE-2017-16994 (The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel b ...) - linux 4.14.2-1 [stretch] - linux 4.9.65-1 [jessie] - linux (Vulnerable code introduced in 4.0) [wheezy] - linux (Vulnerable code introduced in 4.0) NOTE: Fixed by: https://git.kernel.org/linus/373c4557d2aa362702c4c2d41288fb1e54990b7c (4.15-rc1) CVE-2017-16993 REJECTED CVE-2017-16992 REJECTED CVE-2017-16991 REJECTED CVE-2017-16990 REJECTED CVE-2017-16989 REJECTED CVE-2017-16988 REJECTED CVE-2017-16987 REJECTED CVE-2017-16986 REJECTED CVE-2017-16985 REJECTED CVE-2017-16984 REJECTED CVE-2017-16983 REJECTED CVE-2017-16982 REJECTED CVE-2017-16981 REJECTED CVE-2017-16980 REJECTED CVE-2017-16979 REJECTED CVE-2017-16978 REJECTED CVE-2017-16977 REJECTED CVE-2017-16976 REJECTED CVE-2017-16975 REJECTED CVE-2017-16974 REJECTED CVE-2017-16973 REJECTED CVE-2017-16972 REJECTED CVE-2017-16971 REJECTED CVE-2017-16970 REJECTED CVE-2017-16969 REJECTED CVE-2017-16968 REJECTED CVE-2017-16967 REJECTED CVE-2017-16966 REJECTED CVE-2017-16965 REJECTED CVE-2017-16964 REJECTED CVE-2017-16963 RESERVED CVE-2017-16962 (The WebMail components (Crystal, pronto, and pronto4) in CommuniGate P ...) NOT-FOR-US: CommuniGate Pro CVE-2017-16961 (A SQL injection vulnerability in core/inc/auto-modules.php in BigTree ...) NOT-FOR-US: BigTree CMS CVE-2017-16960 (TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allow remote authentic ...) NOT-FOR-US: TP-Link CVE-2017-16959 (The locale feature in cgi-bin/luci on TP-Link TL-WVR, TL-WAR, TL-ER, a ...) NOT-FOR-US: TP-Link CVE-2017-16958 (TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allow remote authentic ...) NOT-FOR-US: TP-Link CVE-2017-16957 (TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allow remote authentic ...) NOT-FOR-US: TP-Link CVE-2017-16956 (b3log Symphony (aka Sym) 2.2.0 allows an XSS attack by sending a priva ...) NOT-FOR-US: b3log Symphony CVE-2017-16955 (SQL injection vulnerability in the InLinks plugin through 1.1 for Word ...) NOT-FOR-US: InLinks plugin for WordPress CVE-2017-16954 RESERVED CVE-2017-16953 (connoppp.cgi on ZTE ZXDSL 831CII devices does not require HTTP Basic A ...) NOT-FOR-US: ZTE CVE-2017-16952 (KMPlayer 4.2.2.4 allows remote attackers to cause a denial of service ...) NOT-FOR-US: K-Multimedia Player CVE-2017-16951 (Winamp Pro 5.66 Build 3512 allows remote attackers to cause a denial o ...) NOT-FOR-US: Winamp CVE-2017-16950 (Cross - site scripting (XSS) vulnerability in UrBackup Server before 2 ...) - urbackup-server (bug #697325) CVE-2017-16949 (An issue was discovered in the AccessKeys AccessPress Anonymous Post P ...) NOT-FOR-US: AccessKeys AccessPress Anonymous Post Pro plugin for WordPress CVE-2017-16948 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a deni ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-16947 RESERVED CVE-2017-16946 (The admin_edit function in app/Controller/UsersController.php in MISP ...) NOT-FOR-US: MISP CVE-2017-16945 (The standardrestorer binary in Arq 5.10 and earlier for Mac allows loc ...) NOT-FOR-US: standardrestorer binary in Arq CVE-2017-16942 (In libsndfile 1.0.25 (fixed in 1.0.26), a divide-by-zero error exists ...) - libsndfile 1.0.27-1 [jessie] - libsndfile (Minor issue) [wheezy] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/341 CVE-2017-16944 (The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 ...) {DSA-4053-1} - exim4 4.89-13 (bug #882671) [jessie] - exim4 (ESMTP CHUNKING extension introduced in 4.88) [wheezy] - exim4 (ESMTP CHUNKING extension introduced in 4.88) NOTE: https://bugs.exim.org/show_bug.cgi?id=2201 NOTE: https://git.exim.org/exim.git/commitdiff/178ecb70987f024f0e775d87c2f8b2cf587dd542 NOTE: https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html NOTE: 4.89-10 adds a workaround which disables the affected code by default CVE-2017-16943 (The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 ...) {DSA-4053-1} - exim4 4.89-12 (bug #882648) [jessie] - exim4 (ESMTP CHUNKING extension introduced in 4.88) [wheezy] - exim4 (ESMTP CHUNKING extension introduced in 4.88) NOTE: https://bugs.exim.org/show_bug.cgi?id=2199 NOTE: https://git.exim.org/exim.git/commitdiff/4e6ae6235c68de243b1c2419027472d7659aa2b4 NOTE: https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html NOTE: https://twitter.com/philpennock/status/934270613811875840 NOTE: 4.89-10 adds a workaround which disables the affected code by default CVE-2017-16941 (** DISPUTED ** October CMS through 1.0.428 does not prevent use of .ht ...) NOT-FOR-US: October CMS CVE-2017-16940 RESERVED CVE-2017-16939 (The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Lin ...) {DSA-4082-1 DLA-1200-1} - linux 4.13.13-1 [stretch] - linux 4.9.65-1 NOTE: Fixed by: https://git.kernel.org/linus/1137b5e2529a8f5ca8ee709288ecba3e68044df2 CVE-2017-16938 (A global buffer overflow in OptiPNG 0.7.6 allows remote attackers to c ...) {DSA-4058-1 DLA-1196-1} - optipng 0.7.6-1.1 (bug #878839) NOTE: https://sourceforge.net/p/optipng/bugs/69/ CVE-2017-16937 RESERVED CVE-2017-16936 (Directory Traversal vulnerability in app_data_center on Shenzhen Tenda ...) NOT-FOR-US: Shenzhen Tenda CVE-2017-16935 (Ametys before 4.0.3 requires authentication only for URIs containing a ...) NOT-FOR-US: Ametys CMS CVE-2017-16934 (The web server on DBL DBLTek devices allows remote attackers to execut ...) NOT-FOR-US: DBL DBLTek devices CVE-2017-16933 (etc/initsystem/prepare-dirs in Icinga 2.x through 2.8.1 has a chown ca ...) - icinga2 2.8.4-1 (low; bug #883247) [stretch] - icinga2 (Minor issue) [jessie] - icinga2 (Minor issue) NOTE: https://github.com/Icinga/icinga2/issues/5793 NOTE: CVE is for the unsafe use of chown(1) CVE-2016-10700 (auth_login.php in Cacti before 1.0.0 allows remote authenticated users ...) - cacti 0.8.8h+ds1-5 (bug #833420) [jessie] - cacti 0.8.8b+dfsg-8+deb8u6 [wheezy] - cacti 0.8.8a+dfsg-5+deb7u9 NOTE: https://web.archive.org/web/20160817090458/http://bugs.cacti.net/view.php?id=2697 NOTE: https://github.com/Cacti/cacti/commit/69983495cd41bf0903fe02baeef84b1fa85f2846 NOTE: Fix for the incomplete fix for CVE-2016-2313 CVE-2017-16932 (parser.c in libxml2 before 2.9.5 does not prevent infinite recursion i ...) {DLA-1194-1} [experimental] - libxml2 2.9.7+dfsg-1 - libxml2 2.9.10+dfsg-2 (bug #882613) [buster] - libxml2 (Minor issue; too intrusive to backport) [stretch] - libxml2 (Minor issue; too intrusive to backport) [jessie] - libxml2 (Minor issue; too intrusive to backport) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=759579 NOTE: https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961 NOTE: Applying only 899a5d9f0ed13b8e32449a08a361e0de127dd961 does not completely NOTE: fix the issue, see https://bugs.debian.org/882613#12 for discussion. CVE-2017-16931 (parser.c in libxml2 before 2.9.5 mishandles parameter-entity reference ...) {DLA-1194-1} - libxml2 2.9.4+dfsg1-3.1 [stretch] - libxml2 2.9.4+dfsg1-2.2+deb9u1 [jessie] - libxml2 2.9.1+dfsg1-5+deb8u5 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=766956 NOTE: https://github.com/GNOME/libxml2/commit/e26630548e7d138d2c560844c43820b6767251e3 NOTE: Not a duplicate but a variant of the issue of CVE-2017-9049 and CVE-2017-9050 CVE-2017-16930 (The remote management interface on the Claymore Dual GPU miner 10.1 al ...) NOT-FOR-US: Claymore's Dual Ethereum+Decred AMD+NVIDIA GPU Miner CVE-2017-16929 (The remote management interface on the Claymore Dual GPU miner 10.1 is ...) NOT-FOR-US: Claymore's Dual Ethereum+Decred AMD+NVIDIA GPU Miner CVE-2017-16928 (The arq_updater binary in Arq 5.10 and earlier for Mac allows local us ...) NOT-FOR-US: arq_updater binary in Arq CVE-2017-16927 (The scp_v0s_accept function in sesman/libscp/libscp_v0.c in the sessio ...) {DLA-1203-1} - xrdp 0.9.4-3 (bug #882463) [stretch] - xrdp 0.9.1-9+deb9u2 [jessie] - xrdp (Minor issue) NOTE: Proposed pull request: https://github.com/neutrinolabs/xrdp/pull/958 NOTE: https://groups.google.com/forum/#!topic/xrdp-devel/PmVfMuy_xBA NOTE: Originally fixed with upstream patch in 0.9.4-2 but which caused regression NOTE: thus marking it only as fixed in the followup version, cf. #884702 CVE-2017-16926 (Ohcount 3.0.0 is prone to a command injection via specially crafted fi ...) - ohcount 3.1.0-1 (bug #882372) [stretch] - ohcount (Minor issue) [jessie] - ohcount (Minor issue) [wheezy] - ohcount (Minor issue) NOTE: https://github.com/blackducksoftware/ohcount/commit/6bed45d6fb7c080ae5c163c12b4eb8749a3492ac (v3.1.0) CVE-2017-16925 RESERVED CVE-2017-16924 (Remote Information Disclosure and Escalation of Privileges in ManageEn ...) NOT-FOR-US: ManageEngine Desktop Central CVE-2017-16923 (Command Injection vulnerability in app_data_center on Shenzhen Tenda A ...) NOT-FOR-US: Shenzhen Tenda CVE-2017-16922 (In com.wowza.wms.timedtext.http.HTTPProviderCaptionFile in Wowza Strea ...) NOT-FOR-US: Wowza CVE-2017-16921 (In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and includin ...) {DSA-4066-1 DLA-1212-1} - otrs2 6.0.2-1 (bug #883774) NOTE: https://www.otrs.com/security-advisory-2017-09-security-update-otrs-framework/ NOTE: https://bugs.otrs.org/show_bug.cgi?id=13357 NOTE: OTRS-6: https://github.com/OTRS/otrs/commit/d12797bf1efa6722c2ba9af6d8238446c2903cd1 NOTE: OTRS-5: https://github.com/OTRS/otrs/commit/d433518d7bd8e9e079af67ef9ea7079cd2f59646 NOTE: OTRS-4: https://github.com/OTRS/otrs/commit/368bc37f137e6344f4db014ee2e03c38e2fc62d2 NOTE: OTRS-4: https://github.com/OTRS/otrs/commit/4043ebb2580cd8f87e7758e95bf0d77eea5c82ae CVE-2017-16920 (v5/config/system.php in dayrui FineCms 5.2.0 has a default SYS_KEY val ...) NOT-FOR-US: dayrui FineCms CVE-2017-16919 (MapOS 3.1.11 and earlier has a Stored Cross-site Scripting (XSS) vulne ...) NOT-FOR-US: MapOS CVE-2017-16918 RESERVED CVE-2017-16917 RESERVED CVE-2017-16916 RESERVED CVE-2017-16915 RESERVED CVE-2017-16914 (The "stub_send_ret_submit()" function (drivers/usb/usbip/stub_tx.c) in ...) {DSA-4187-1 DLA-1369-1} - linux 4.14.12-1 [stretch] - linux 4.9.80-1 NOTE: Fixed by: https://git.kernel.org/linus/be6123df1ea8f01ee2f896a16c2b7be3e4557a5a CVE-2017-16913 (The "stub_recv_cmd_submit()" function (drivers/usb/usbip/stub_rx.c) in ...) {DSA-4187-1 DLA-1369-1} - linux 4.14.12-1 [stretch] - linux 4.9.80-1 NOTE: Fixed by: https://git.kernel.org/linus/c6688ef9f29762e65bce325ef4acd6c675806366 CVE-2017-16912 (The "get_pipe()" function (drivers/usb/usbip/stub_rx.c) in the Linux K ...) {DSA-4187-1 DLA-1369-1} - linux 4.14.12-1 [stretch] - linux 4.9.80-1 NOTE: Fixed by: https://git.kernel.org/linus/635f545a7e8be7596b9b2b6a43cab6bbd5a88e43 CVE-2017-16911 (The vhci_hcd driver in the Linux Kernel before version 4.14.8 and 4.4. ...) {DSA-4187-1 DLA-1369-1} - linux 4.14.12-1 [stretch] - linux 4.9.80-1 NOTE: Fixed by: https://git.kernel.org/linus/2f2d0088eb93db5c649d2a5e34a3800a8a935fc5 CVE-2017-16910 (An error within the "LibRaw::xtrans_interpolate()" function (internal/ ...) - libraw 0.18.6-1 [stretch] - libraw (Minor issue) [jessie] - libraw (Minor issue) [wheezy] - libraw (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2017-19 NOTE: https://github.com/LibRaw/LibRaw/commit/2f59bac59dbcbf6bbcf01a9f3eed74307e96ca7e CVE-2017-16909 (An error related to the "LibRaw::panasonic_load_raw()" function (dcraw ...) - libraw 0.18.6-1 [stretch] - libraw (Minor issue) [jessie] - libraw (Minor issue) [wheezy] - libraw (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2017-19 NOTE: https://github.com/LibRaw/LibRaw/commit/2f59bac59dbcbf6bbcf01a9f3eed74307e96ca7e CVE-2017-16908 (In Horde Groupware 5.2.19, there is XSS via the Name field during crea ...) - php-horde-kronolith 4.2.24-1 (bug #909738) [stretch] - php-horde-kronolith (Minor issue) [jessie] - php-horde-kronolith (vulnerable code not present) NOTE: http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html NOTE: https://bugs.horde.org/ticket/14857 NOTE: https://github.com/horde/kronolith/commit/39f740068ad21618f6f70b6e37855c61cadbd716 CVE-2017-16907 (In Horde Groupware 5.2.19 and 5.2.21, there is XSS via the Color field ...) {DLA-1536-1 DLA-1535-1} - php-horde 5.2.18+debian0-1 (bug #909739) [stretch] - php-horde (Minor issue) - php-horde-core 2.31.3+debian0-1 (bug #909800) [stretch] - php-horde-core (Minor issue) NOTE: http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html NOTE: https://bugs.horde.org/ticket/14857 NOTE: php-horde: https://github.com/horde/base/commit/fb2113bbcd04bd4a28c46aad0889fb0a3979a230 NOTE: php-horde-core: https://github.com/horde/Core/commit/ecea6ea740419e19122a50579ba2903c1cb71d7a CVE-2017-16906 (In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a ...) {DLA-1537-1} - php-horde-kronolith 4.2.24-1 (bug #909737) [stretch] - php-horde-kronolith (Minor issue) NOTE: http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html NOTE: https://bugs.horde.org/ticket/14857 NOTE: https://github.com/horde/kronolith/commit/09d90141292f9ec516a7a2007bf828ce2bbdf60d CVE-2017-16905 (The DuoLingo TinyCards application before 1.0 for Android has one use ...) NOT-FOR-US: DuoLingo TinyCards application CVE-2017-16904 (The Public tologin feature in admin.php in LvyeCMS through 3.1 allows ...) NOT-FOR-US: LvyeCMS CVE-2017-16903 (LvyeCMS through 3.1 allows remote attackers to upload and execute arbi ...) NOT-FOR-US: LvyeCMS CVE-2017-16902 (On the Vonage VDV-23 115 3.2.11-0.9.40 home router, sending a long str ...) NOT-FOR-US: Vonage VDV-23 115 3.2.11-0.9.40 home router CVE-2017-16901 RESERVED CVE-2017-16900 (Incorrect Access Control in Hunesion i-oneNet 3.0.6042.1200 allows the ...) NOT-FOR-US: Hunesion i-oneNet CVE-2017-16899 (An array index error in the fig2dev program in Xfig 3.2.6a allows remo ...) - fig2dev 1:3.2.6a-5 (bug #881143) [stretch] - fig2dev 1:3.2.6a-2+deb9u1 - transfig [jessie] - transfig 1:3.2.5.e-4+deb8u1 [wheezy] - transfig (Minor issue) CVE-2017-16898 (The printMP3Headers function in util/listmp3.c in libming v0.4.8 or ea ...) {DLA-1240-1} - ming NOTE: https://github.com/libming/libming/issues/75 CVE-2017-16897 (A vulnerability has been discovered in the Auth0 passport-wsfed-saml2 ...) NOT-FOR-US: Auth0 passport-wsfed-saml2 library CVE-2017-16896 (A SQL injection in classes/handler/public.php in the forgotpass compon ...) - tt-rss 17.4+git20180312+dfsg-1 (bug #882543) NOTE: https://discourse.tt-rss.org/t/sql-injection-in-forgotpass-fixed/669 NOTE: https://git.tt-rss.org/git/tt-rss/commit/2352c320c2ed34ec7df1ad22f0c55a1b26489815 CVE-2017-16895 (The (1) arq_updater, (2) arqcommitter, (3) standardrestorer, (4) arqgl ...) NOT-FOR-US: Arq CVE-2017-16894 (In Laravel framework through 5.5.21, remote attackers can obtain sensi ...) NOT-FOR-US: Laravel framework CVE-2017-16893 (The application Piwigo is affected by an SQL injection vulnerability i ...) - piwigo CVE-2017-16892 (In Bftpd before 4.7, there is a memory leak in the file rename functio ...) - bftpd (bug #640469) NOTE: http://bftpd.sourceforge.net/news.html#032390 CVE-2017-16891 RESERVED CVE-2017-16890 (SWFTools 0.9.2 has a divide-by-zero error in the wav_convert2mono func ...) - swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/57 NOTE: Crash in CLI tool, no security impact CVE-2017-16889 RESERVED CVE-2017-16888 RESERVED CVE-2017-16887 (The portal on FiberHome Mobile WIFI Device Model LM53Q1 VH519R05C01S38 ...) NOT-FOR-US: FiberHome Mobile WIFI Device Model LM53Q1 VH519R05C01S38 CVE-2017-16886 (The portal on FiberHome Mobile WIFI Device Model LM53Q1 VH519R05C01S38 ...) NOT-FOR-US: FiberHome Mobile WIFI Device Model LM53Q1 VH519R05C01S38 CVE-2017-16885 (Improper Permissions Handling in the Portal on FiberHome LM53Q1 VH519R ...) NOT-FOR-US: FiberHome LM53Q1 VH519R05C01S38 devices CVE-2017-1000407 (The Linux Kernel 2.6.32 and later are affected by a denial of service, ...) {DSA-4082-1 DSA-4073-1 DLA-1200-1} - linux 4.14.7-1 NOTE: https://www.spinics.net/lists/kvm/msg159809.html CVE-2017-1000406 (OpenDaylight Karaf 0.6.1-Carbon fails to clear the cache after a passw ...) NOT-FOR-US: OpenDayLight CVE-2017-1000405 (The Linux Kernel versions 2.6.38 through 4.14 have a problematic use o ...) - linux 4.14.2-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 [wheezy] - linux (vulnerable code not present, cf. kernel-sec information) NOTE: Fixed by: https://git.kernel.org/linus/a8f97366452ed491d13cf1e44241bc0b5740b1f0 NOTE: http://www.openwall.com/lists/oss-security/2017/11/30/1 NOTE: https://github.com/bindecy/HugeDirtyCowPOC CVE-2017-1000404 (The Jenkins Delivery Pipeline Plugin version 1.0.7 and earlier used th ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000403 (Jenkins Speaks! Plugin, all current versions, allows users with Job/Co ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000402 (Jenkins Swarm Plugin Client 3.4 and earlier bundled a version of the c ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000401 (The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control ...) NOT-FOR-US: Jenkins CVE-2017-1000400 (The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /job/(j ...) NOT-FOR-US: Jenkins CVE-2017-1000399 (The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/ ...) NOT-FOR-US: Jenkins CVE-2017-1000398 (The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /com ...) NOT-FOR-US: Jenkins CVE-2017-1000397 (Jenkins Maven Plugin 2.17 and earlier bundled a version of the commons ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000396 (Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the ...) NOT-FOR-US: Jenkins CVE-2017-1000395 (Jenkins 2.73.1 and earlier, 2.83 and earlier provides information abou ...) NOT-FOR-US: Jenkins CVE-2017-1000394 (Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the ...) NOT-FOR-US: Jenkins CVE-2017-1000393 (Jenkins 2.73.1 and earlier, 2.83 and earlier users with permission to ...) NOT-FOR-US: Jenkins CVE-2017-1000392 (Jenkins 2.88 and earlier; 2.73.2 and earlier Autocompletion suggestion ...) NOT-FOR-US: Jenkins CVE-2017-1000391 (Jenkins versions 2.88 and earlier and 2.73.2 and earlier stores metada ...) NOT-FOR-US: Jenkins CVE-2017-1000390 (Jenkins Multijob plugin version 1.25 and earlier did not check permiss ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000389 (Some URLs provided by Jenkins global-build-stats plugin version 1.4 an ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000388 (Jenkins Dependency Graph Viewer plugin 0.12 and earlier did not perfor ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000387 (Jenkins Build-Publisher plugin version 1.21 and earlier stores credent ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000386 (Jenkins Active Choices plugin version 1.5.3 and earlier allowed users ...) NOT-FOR-US: Jenkins plugin CVE-2017-16884 (Cross-site scripting (XSS) vulnerability in MistServer before 2.13 all ...) NOT-FOR-US: MistServer CVE-2017-16883 (The outputSWF_TEXT_RECORD function in util/outputscript.c in libming & ...) {DLA-1240-1} - ming NOTE: https://github.com/libming/libming/issues/77 CVE-2017-16882 (Icinga Core through 1.14.0 initially executes bin/icinga as root but s ...) - icinga (Doesn't affect Icinga 1.x as packaged in Debian) NOTE: https://github.com/Icinga/icinga-core/issues/1601 NOTE: State is not fully correct, since "affected" source would be there, NOTE: But Debian does not install the binaries nor configuration files as NOTE: respective icinga user. CVE-2017-16881 (b3log Symphony (aka Sym) 2.2.0 does not properly address XSS in JSON o ...) NOT-FOR-US: b3log Symphony CVE-2017-16880 (The dump function in Util/TemplateHelper.php in filp whoops before 2.1 ...) NOT-FOR-US: filp whoops CVE-2017-1000230 (The Snap7 Server version 1.4.1 can be crashed when the ItemCount field ...) NOT-FOR-US: Snap7 Server CVE-2017-1000227 (Stored XSS in Salutation Responsive WordPress + BuddyPress Theme versi ...) NOT-FOR-US: Wordpress plugin CVE-2017-1000221 (In Opencast 2.2.3 and older if user names overlap, the Opencast search ...) NOT-FOR-US: Opencast CVE-2017-1000217 (Opencast 2.3.2 and older versions are vulnerable to script injections ...) NOT-FOR-US: Opencast CVE-2017-1000190 (SimpleXML (latest version 2.7.1) is vulnerable to an XXE vulnerability ...) - simple-xml 2.7.1-3 (low; bug #888547) [stretch] - simple-xml (Minor issue) [jessie] - simple-xml (Minor issue) [wheezy] - simple-xml (Minor issue) NOTE: https://github.com/ngallagher/simplexml/issues/18 NOTE: Fixing commit in a new fork of the library (which is renamed simple-xml-safe): NOTE: https://github.com/dweiss/simplexml/commit/c8d4b4310549bfaf6dc0a20abea7fbcca6e51edd CVE-2017-1000163 (The Phoenix Framework versions 1.0.0 through 1.0.4, 1.1.0 through 1.1. ...) NOT-FOR-US: Phoenix Framework CVE-2017-1000128 (Exiv2 0.26 contains a stack out of bounds read in JPEG2000 parser ...) - exiv2 (Vulnerable code introduced in 0.26; only affected experimental) NOTE: http://www.openwall.com/lists/oss-security/2017/06/30/1 NOTE: https://github.com/Exiv2/exiv2/issues/177 CVE-2017-1000127 (Exiv2 0.26 contains a heap buffer overflow in tiff parser ...) - exiv2 (Vulnerable code introduced after 0.25; only affected experimental; bug #888863) NOTE: http://www.openwall.com/lists/oss-security/2017/06/30/1 NOTE: https://github.com/Exiv2/exiv2/issues/176 CVE-2017-1000126 (exiv2 0.26 contains a Stack out of bounds read in webp parser ...) - exiv2 (WebP support introduced in 0.26; only affected experimental; bug #888864) NOTE: http://www.openwall.com/lists/oss-security/2017/06/30/1 NOTE: https://github.com/Exiv2/exiv2/issues/175 CVE-2017-16879 (Stack-based buffer overflow in the _nc_write_entry function in tinfo/w ...) - ncurses 6.0+20171125-1 (bug #882620) [stretch] - ncurses 6.0+20161126-1+deb9u2 [jessie] - ncurses 5.9+20140913-1+deb8u3 [wheezy] - ncurses (Minor issue) NOTE: PoC https://packetstormsecurity.com/files/download/145045/tic-overflow.tgz NOTE: http://invisible-island.net/ncurses/NEWS.html#t20171125 CVE-2017-16878 (Cross-site scripting (XSS) vulnerability in the Captive Portal functio ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-16877 (ZEIT Next.js before 2.4.1 has directory traversal under the /_next and ...) NOT-FOR-US: ZEIT Next.js CVE-2017-16876 (Cross-site scripting (XSS) vulnerability in the _keyify function in mi ...) - mistune 0.8.1-1 [stretch] - mistune (Minor issue) NOTE: https://github.com/lepture/mistune/commit/5f06d724bc05580e7f203db2d4a4905fc1127f98 CVE-2017-16875 (An issue was discovered in Teluu pjproject (pjlib and pjlib-util) in P ...) {DSA-4170-1} - pjproject 2.7.1~dfsg-1 [jessie] - pjproject (Minor issue) NOTE: https://trac.pjsip.org/repos/ticket/2055 NOTE: https://trac.pjsip.org/repos/changeset/5680 NOTE: In jessie Asterisk doesn't use pjproject for SIP (only for ICE, STUN and TURN) CVE-2017-16874 RESERVED CVE-2017-16873 (It is possible to exploit an unsanitized PATH in the suid binary that ...) NOT-FOR-US: vagrant-vmware-fusion CVE-2017-1000233 REJECTED CVE-2017-1000222 REJECTED CVE-2017-1000215 (ROOT xrootd version 4.6.0 and below is vulnerable to an unauthenticate ...) - xrootd (bug #687222) CVE-2017-1000212 (Elixir's vim plugin, alchemist.vim is vulnerable to remote code execut ...) NOT-FOR-US: Elixir's vim plugin CVE-2017-1000211 (Lynx before 2.8.9dev.16 is vulnerable to a use after free in the HTML ...) {DLA-1175-1} - lynx 2.8.9dev16-1 [stretch] - lynx (Minor issue) - lynx-cur [jessie] - lynx-cur (Minor issue) NOTE: https://github.com/ThomasDickey/lynx-snapshots/commit/280a61b300a1614f6037efc0902ff7ecf17146e9 CVE-2017-1000206 (samtools htslib library version 1.4.0 and earlier is vulnerable to buf ...) - htslib 1.4.1-1 [stretch] - htslib (Minor issue) [jessie] - htslib (Minor issue) CVE-2017-1000204 REJECTED CVE-2017-1000203 (ROOT version 6.9.03 and below is vulnerable to an authenticated shell ...) - root-system [jessie] - root-system (Minor issue) [wheezy] - root-system (Minor issue as it's restricted to authenticated users) NOTE: https://github.com/root-project/root/commit/88ccff152604e0f1012653a596d802ff7ede3145#diff-6cd6f6c31bac70116b7ca7abdc8e517e CVE-2017-1000192 (Cygnux sysPass version 2.1.7 and older is vulnerable to a Local File I ...) NOT-FOR-US: Cygnux sysPass CVE-2017-1000191 (Jool 3.5.0-3.5.1 is vulnerable to a kernel crashing packet resulting i ...) NOT-FOR-US: Jool CVE-2017-1000170 (jqueryFileTree 2.1.5 and older Directory Traversal ...) NOT-FOR-US: jqueryFileTree CVE-2017-1000169 (QuickerBB version <= 0.7.2 is vulnerable to arbitrary file writes w ...) NOT-FOR-US: QuickerBB CVE-2017-1000168 (sodiumoxide 0.0.13 and older scalarmult() vulnerable to degenerate pub ...) NOT-FOR-US: sodiumoxide CVE-2017-1000161 REJECTED CVE-2017-16872 (An issue was discovered in Teluu pjproject (pjlib and pjlib-util) in P ...) {DSA-4170-1} - pjproject 2.7.1~dfsg-1 [jessie] - pjproject (Minor issue) NOTE: https://trac.pjsip.org/repos/ticket/2056 NOTE: https://trac.pjsip.org/repos/changeset/5682 NOTE: In jessie Asterisk doesn't use pjproject for SIP (only for ICE, STUN and TURN) CVE-2017-16871 (** DISPUTED ** The UpdraftPlus plugin through 1.13.12 for WordPress al ...) NOT-FOR-US: UpdraftPlus plugin for WordPress CVE-2017-16870 (** DISPUTED ** The UpdraftPlus plugin through 1.13.12 for WordPress ha ...) NOT-FOR-US: UpdraftPlus plugin for WordPress CVE-2017-16869 (** DISPUTED ** p_mach.cpp in UPX 3.94 allows remote attackers to cause ...) - upx-ucl 3.94-4 (bug #882041; unimportant) NOTE: https://github.com/upx/upx/issues/146 NOTE: crash in CLI tool, no security impact CVE-2017-16868 (In SWFTools 0.9.2, the wav_convert2mono function in lib/wav.c does not ...) - swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/52 NOTE: Crash in CLI tool, no security impact CVE-2017-16867 (Amazon Key through 2017-11-16 mishandles Cloud Cam 802.11 deauthentica ...) NOT-FOR-US: Amazon Key CVE-2017-1000248 (Redis-store <=v1.3.0 allows unsafe objects to be loaded from redis ...) - ruby-redis-store 1.1.6-2 (bug #882034) [stretch] - ruby-redis-store 1.1.6-1+deb9u1 NOTE: https://github.com/redis-store/redis-store/commit/e0c1398d54a9661c8c70267c3a925ba6b192142e CVE-2017-1000247 (British Columbia Institute of Technology CodeIgniter 3.1.3 is vulnerab ...) - codeigniter (bug #471583) CVE-2017-1000246 (Python package pysaml2 version 4.4.0 and earlier reuses the initializa ...) - python-pysaml2 4.5.0-4 (bug #882012) [stretch] - python-pysaml2 (Minor issue) [jessie] - python-pysaml2 (Minor issue) NOTE: https://github.com/rohe/pysaml2/issues/417 NOTE: https://github.com/c00kiemon5ter/pysaml2/commit/7323f5c20efb59424d853c822e7a26d1aa3e84aa CVE-2017-1000241 (The application OpenEMR version 5.0.0, 5.0.1-dev and prior is affected ...) NOT-FOR-US: OpenEMR CVE-2017-1000240 (The application OpenEMR is affected by multiple reflected & stored ...) NOT-FOR-US: OpenEMR CVE-2017-1000239 (InvoicePlane version 1.4.10 is vulnerable to a Stored Cross Site Scrip ...) NOT-FOR-US: InvoicePlane CVE-2017-1000238 (InvoicePlane version 1.4.10 is vulnerable to a Arbitrary File Upload r ...) NOT-FOR-US: InvoicePlane CVE-2017-1000237 (I, Librarian version <=4.6 & 4.7 is vulnerable to Server-Side R ...) - i-librarian (bug #649291) CVE-2017-1000236 (I, Librarian version <=4.6 & 4.7 is vulnerable to Reflected Cro ...) - i-librarian (bug #649291) CVE-2017-1000235 (I, Librarian version <=4.6 & 4.7 is vulnerable to OS Command In ...) - i-librarian (bug #649291) CVE-2017-1000234 (I, Librarian version <=4.6 & 4.7 is vulnerable to Directory Enu ...) - i-librarian (bug #649291) CVE-2017-1000232 (A double-free vulnerability in str2host.c in ldns 1.7.0 have unspecifi ...) - ldns 1.7.0-4 (bug #882014) [stretch] - ldns (Minor issue) [jessie] - ldns (Minor issue) [wheezy] - ldns (Vulnerable code not present) NOTE: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1257 NOTE: https://git.nlnetlabs.nl/ldns/commit/?id=3bdeed02505c9bbacb3b64a97ddcb1de967153b7 CVE-2017-1000231 (A double-free vulnerability in parse.c in ldns 1.7.0 have unspecified ...) {DLA-1182-1} - ldns 1.7.0-4 (bug #882015) [stretch] - ldns (Minor issue) [jessie] - ldns (Minor issue) NOTE: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1256 NOTE: https://git.nlnetlabs.nl/ldns/commit/?id=c8391790c96d4c8a2c10f9ab1460fda83b509fc2 CVE-2017-1000229 (Integer overflow bug in function minitiff_read_info() of optipng 0.7.6 ...) {DSA-4058-1 DLA-1184-1} - optipng 0.7.6-1.1 (bug #882032) NOTE: https://sourceforge.net/p/optipng/bugs/65/ NOTE: Proposed patch: https://sourceforge.net/p/optipng/bugs/_discuss/thread/2a56b3aa/f6bb/attachment/0001-Prevent-integer-overflow-bug-65-CVE-2017-1000229.patch CVE-2017-1000228 (nodejs ejs versions older than 2.5.3 is vulnerable to remote code exec ...) NOT-FOR-US: nodejs ejs CVE-2017-1000226 (Stop User Enumeration 1.3.8 allows user enumeration via the REST API ...) NOT-FOR-US: Wordpress plugin CVE-2017-1000225 (Reflected XSS in Relevanssi Premium version 1.14.8 when using relevans ...) NOT-FOR-US: Relevanssi CVE-2017-1000224 (CSRF in YouTube (WordPress plugin) could allow unauthenticated attacke ...) NOT-FOR-US: Wordpress plugin CVE-2017-1000223 (A stored web content injection vulnerability (WCI, a.k.a XSS) is prese ...) NOT-FOR-US: MODX Revolution CVE-2017-1000220 (soyuka/pidusage <=1.1.4 is vulnerable to command injection in the m ...) NOT-FOR-US: soyuka/pidusage CVE-2017-1000219 (npm/KyleRoss windows-cpu all versions vulnerable to command injection ...) NOT-FOR-US: npm/KyleRoss windows-cpu CVE-2017-1000218 (LightFTP version 1.1 is vulnerable to a buffer overflow in the "writel ...) NOT-FOR-US: LightFTP CVE-2017-1000213 (WBCE v1.1.11 is vulnerable to reflected XSS via the "begriff" POST par ...) NOT-FOR-US: WBCE CVE-2017-1000210 (picoTCP (versions 1.7.0 - 1.5.0) is vulnerable to stack buffer overflo ...) NOT-FOR-US: picoTCP CVE-2017-1000209 (The Java WebSocket client nv-websocket-client does not verify that the ...) NOT-FOR-US: Java WebSocket client nv-websocket-client CVE-2017-1000208 (A vulnerability in Swagger-Parser's (version <= 1.0.30) yaml parsin ...) NOT-FOR-US: Swagger-Parser CVE-2017-1000197 (October CMS build 412 is vulnerable to file path modification in asset ...) NOT-FOR-US: October CMS CVE-2017-1000196 (October CMS build 412 is vulnerable to PHP code execution in the asset ...) NOT-FOR-US: October CMS CVE-2017-1000195 (October CMS build 412 is vulnerable to PHP object injection in asset m ...) NOT-FOR-US: October CMS CVE-2017-1000194 (October CMS build 412 is vulnerable to Apache configuration modificati ...) NOT-FOR-US: October CMS CVE-2017-1000193 (October CMS build 412 is vulnerable to stored WCI (a.k.a XSS) in brand ...) NOT-FOR-US: October CMS CVE-2017-1000189 (nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-servi ...) NOT-FOR-US: nodejs ejs CVE-2017-1000188 (nodejs ejs version older than 2.5.5 is vulnerable to a Cross-site-scri ...) NOT-FOR-US: nodejs ejs CVE-2017-1000187 (In SWFTools, an address access exception was found in pdf2swf. FoFiTru ...) - swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/36 NOTE: Crash in CLI tool, no security implications CVE-2017-1000186 (In SWFTools, a stack overflow was found in pdf2swf. ...) - swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/34 NOTE: Crash in CLI tool, no security implications CVE-2017-1000185 (In SWFTools, a memcpy buffer overflow was found in gif2swf. ...) - swftools [stretch] - swftools (Minor issue) [jessie] - swftools (Minor issue) [wheezy] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/33 CVE-2017-1000182 (In SWFTools, a memory leak was found in wav2swf. ...) - swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/30 NOTE: Crash in CLI tool, no security implications CVE-2017-1000176 (In SWFTools, a memcpy buffer overflow was found in swfc. ...) - swftools [stretch] - swftools (Minor issue) [jessie] - swftools (Minor issue) [wheezy] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/23 CVE-2017-1000174 (In SWFTools, an address access exception was found in swfdump swf_GetB ...) - swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/21 NOTE: Crash in CLI tool, no security implications CVE-2017-1000173 (Creolabs Gravity Version: 1.0 Heap Overflow Potential Code Execution. ...) NOT-FOR-US: Creolabs Gravity CVE-2017-1000172 (Creolabs Gravity Version: 1.0 Use-After-Free Possible code execution. ...) NOT-FOR-US: Creolabs Gravity CVE-2017-1000164 (Tine 2.0 version 2017.02.4 is vulnerable to XSS in the Addressbook res ...) NOT-FOR-US: Tine groupware CVE-2017-1000160 (EllisLab ExpressionEngine 3.4.2 is vulnerable to cross-site scripting ...) NOT-FOR-US: EllisLab ExpressionEngine CVE-2017-1000158 (CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow ...) {DSA-4307-1 DLA-1520-1 DLA-1519-1 DLA-1190-1 DLA-1189-1} - python3.5 3.5.5-1 - python3.4 - python2.7 2.7.13-4 [stretch] - python2.7 2.7.13-2+deb9u2 - python2.6 NOTE: https://bugs.python.org/issue30657 NOTE: 2.7 https://github.com/python/cpython/commit/c3c9db89273fabc62ea1b48389d9a3000c1c03ae (v2.7.14rc1) NOTE: 3.4 https://github.com/python/cpython/commit/6c004b40f9d51872d848981ef1a18bb08c2dfc42 (v3.4.8rc1) NOTE: 3.5 https://github.com/python/cpython/commit/fd8614c5c5466a14a945db5b059c10c0fb8f76d9 (v3.5.5rc1) NOTE: The 2.7.13-4 upload included the commit in debian/patches/git-updates.diff CVE-2017-1000129 (Serendipity 2.0.3 is vulnerable to a SQL injection in the blog compone ...) - serendipity CVE-2017-1000125 (Codiad(full version) is vulnerable to write anything to configure file ...) NOT-FOR-US: Codiad CVE-2018-0085 RESERVED CVE-2018-0084 RESERVED CVE-2018-0083 RESERVED CVE-2018-0082 RESERVED CVE-2018-0081 RESERVED CVE-2018-0080 RESERVED CVE-2018-0079 RESERVED CVE-2018-0078 RESERVED CVE-2018-0077 RESERVED CVE-2018-0076 RESERVED CVE-2018-0075 RESERVED CVE-2018-0074 RESERVED CVE-2018-0073 RESERVED CVE-2018-0072 RESERVED CVE-2018-0071 RESERVED CVE-2018-0070 RESERVED CVE-2018-0069 RESERVED CVE-2018-0068 RESERVED CVE-2018-0067 RESERVED CVE-2018-0066 RESERVED CVE-2018-0065 RESERVED CVE-2018-0064 RESERVED CVE-2018-0063 (A vulnerability in the IP next-hop index database in Junos OS 17.3R3 m ...) NOT-FOR-US: Juniper CVE-2018-0062 (A Denial of Service vulnerability in J-Web service may allow a remote ...) NOT-FOR-US: Juniper CVE-2018-0061 (A denial of service vulnerability in the telnetd service on Junos OS a ...) NOT-FOR-US: Juniper CVE-2018-0060 (An improper input validation weakness in the device control daemon pro ...) NOT-FOR-US: Juniper CVE-2018-0059 (A persistent cross-site scripting vulnerability in the graphical user ...) NOT-FOR-US: Juniper CVE-2018-0058 (Receipt of a specially crafted IPv6 exception packet may be able to tr ...) NOT-FOR-US: Juniper CVE-2018-0057 (On MX Series and M120/M320 platforms configured in a Broadband Edge (B ...) NOT-FOR-US: Juniper CVE-2018-0056 (If a duplicate MAC address is learned by two different interfaces on a ...) NOT-FOR-US: Juniper CVE-2018-0055 (Receipt of a specially crafted DHCPv6 message destined to a Junos OS d ...) NOT-FOR-US: Juniper CVE-2018-0054 (On QFX5000 Series and EX4600 switches, a high rate of Ethernet pause f ...) NOT-FOR-US: Juniper CVE-2018-0053 (An authentication bypass vulnerability in the initial boot sequence of ...) NOT-FOR-US: Juniper CVE-2018-0052 (If RSH service is enabled on Junos OS and if the PAM authentication is ...) NOT-FOR-US: Juniper CVE-2018-0051 (A Denial of Service vulnerability in the SIP application layer gateway ...) NOT-FOR-US: Juniper CVE-2018-0050 (An error handling vulnerability in Routing Protocols Daemon (RPD) of J ...) NOT-FOR-US: Juniper CVE-2018-0049 (A NULL Pointer Dereference vulnerability in Juniper Networks Junos OS ...) NOT-FOR-US: Juniper CVE-2018-0048 (A vulnerability in the Routing Protocols Daemon (RPD) with Juniper Ext ...) NOT-FOR-US: Juniper CVE-2018-0047 (A persistent cross-site scripting vulnerability in the UI framework us ...) NOT-FOR-US: Juniper CVE-2018-0046 (A reflected cross-site scripting vulnerability in OpenNMS included wit ...) NOT-FOR-US: Juniper CVE-2018-0045 (Receipt of a specific Draft-Rosen MVPN control packet may cause the ro ...) NOT-FOR-US: Juniper CVE-2018-0044 (An insecure SSHD configuration in Juniper Device Manager (JDM) and hos ...) NOT-FOR-US: Juniper CVE-2018-0043 (Receipt of a specific MPLS packet may cause the routing protocol daemo ...) NOT-FOR-US: Juniper CVE-2018-0042 (Juniper Networks CSO versions prior to 4.0.0 may log passwords in log ...) NOT-FOR-US: Juniper Networks CSO CVE-2018-0041 (Juniper Networks Contrail Service Orchestration releases prior to 3.3. ...) NOT-FOR-US: Juniper CVE-2018-0040 (Juniper Networks Contrail Service Orchestrator versions prior to 4.0.0 ...) NOT-FOR-US: Juniper CVE-2018-0039 (Juniper Networks Contrail Service Orchestration releases prior to 4.0. ...) NOT-FOR-US: Juniper CVE-2018-0038 (Juniper Networks Contrail Service Orchestration releases prior to 3.3. ...) NOT-FOR-US: Juniper CVE-2018-0037 (Junos OS routing protocol daemon (RPD) process may crash and restart o ...) NOT-FOR-US: Junos OS CVE-2018-0036 RESERVED CVE-2018-0035 (QFX5200 and QFX10002 devices that have been shipped with Junos OS 15.1 ...) NOT-FOR-US: Junos OS CVE-2018-0034 (A Denial of Service vulnerability exists in the Juniper Networks Junos ...) NOT-FOR-US: Juniper CVE-2018-0033 RESERVED CVE-2018-0032 (The receipt of a crafted BGP UPDATE can lead to a routing process daem ...) NOT-FOR-US: Juniper CVE-2018-0031 (Receipt of specially crafted UDP/IP packets over MPLS may be able to b ...) NOT-FOR-US: Juniper CVE-2018-0030 (Receipt of a specific MPLS packet may cause MPC7/8/9, PTX-FPC3 (FPC-P1 ...) NOT-FOR-US: Juniper CVE-2018-0029 (While experiencing a broadcast storm, placing the fxp0 interface into ...) NOT-FOR-US: Juniper CVE-2018-0028 RESERVED CVE-2018-0027 (Receipt of a crafted or malformed RSVP PATH message may cause the rout ...) NOT-FOR-US: Juniper CVE-2018-0026 (After Junos OS device reboot or upgrade, the stateless firewall filter ...) NOT-FOR-US: Juniper CVE-2018-0025 (When an SRX Series device is configured to use HTTP/HTTPS pass-through ...) NOT-FOR-US: Juniper CVE-2018-0024 (An Improper Privilege Management vulnerability in a shell session of J ...) NOT-FOR-US: Juniper CVE-2018-0023 (JSNAPy is an open source python version of Junos Snapshot Administrato ...) NOT-FOR-US: JSNAPy CVE-2018-0022 (A Junos device with VPLS routing-instances configured on one or more i ...) NOT-FOR-US: Juniper CVE-2018-0021 (If all 64 digits of the connectivity association name (CKN) key or all ...) NOT-FOR-US: Juniper CVE-2018-0020 (Junos OS may be impacted by the receipt of a malformed BGP UPDATE whic ...) NOT-FOR-US: Juniper CVE-2018-0019 (A vulnerability in Junos OS SNMP MIB-II subagent daemon (mib2d) may al ...) NOT-FOR-US: Juniper CVE-2018-0018 (On SRX Series devices during compilation of IDP policies, an attacker ...) NOT-FOR-US: Juniper CVE-2018-0017 (A vulnerability in the Network Address Translation - Protocol Translat ...) NOT-FOR-US: Juniper CVE-2018-0016 (Receipt of a specially crafted Connectionless Network Protocol (CLNP) ...) NOT-FOR-US: Juniper CVE-2018-0015 (A malicious user with unrestricted access to the AppFormix application ...) NOT-FOR-US: AppFormix CVE-2018-0014 (Juniper Networks ScreenOS devices do not pad Ethernet packets with zer ...) NOT-FOR-US: Juniper CVE-2018-0013 (A local file inclusion vulnerability in Juniper Networks Junos Space N ...) NOT-FOR-US: Juniper CVE-2018-0012 (Junos Space is affected by a privilege escalation vulnerability that m ...) NOT-FOR-US: Juniper CVE-2018-0011 (A reflected cross site scripting (XSS) vulnerability in Junos Space ma ...) NOT-FOR-US: Juniper CVE-2018-0010 (A vulnerability in the Juniper Networks Junos Space Security Director ...) NOT-FOR-US: Juniper CVE-2018-0009 (On Juniper Networks SRX series devices, firewall rules configured to m ...) NOT-FOR-US: Juniper CVE-2018-0008 (An unauthenticated root login may allow upon reboot when a commit scri ...) NOT-FOR-US: Juniper CVE-2018-0007 (An unauthenticated network-based attacker able to send a maliciously c ...) NOT-FOR-US: Juniper CVE-2018-0006 (A high rate of VLAN authentication attempts sent from an adjacent host ...) NOT-FOR-US: Juniper CVE-2018-0005 (QFX and EX Series switches configured to drop traffic when the MAC mov ...) NOT-FOR-US: Juniper CVE-2018-0004 (A sustained sequence of different types of normal transit traffic can ...) NOT-FOR-US: Juniper CVE-2018-0003 (A specially crafted MPLS packet received or processed by the system, o ...) NOT-FOR-US: Juniper CVE-2018-0002 (On SRX Series and MX Series devices with a Service PIC with any ALG en ...) NOT-FOR-US: Juniper CVE-2018-0001 (A remote, unauthenticated attacker may be able to execute code by expl ...) NOT-FOR-US: Juniper CVE-2017-16866 (dayrui FineCms 5.2.0 before 2017.11.16 has Cross Site Scripting (XSS) ...) NOT-FOR-US: dayrui FineCms CVE-2017-16865 (The Trello importer in Atlassian Jira before version 7.6.1 allows remo ...) NOT-FOR-US: Atlassian Jira CVE-2017-16864 (The issue search resource in Atlassian Jira before version 7.4.2 allow ...) NOT-FOR-US: Atlassian Jira CVE-2017-16863 (The PieChart gadget in Atlassian Jira before version 7.5.3 allows remo ...) NOT-FOR-US: PieChart gadget in Atlassian Jira CVE-2017-16862 (The IncomingMailServers resource in Atlassian Jira before version 7.6. ...) NOT-FOR-US: Atlassian Jira CVE-2017-16861 (It was possible for double OGNL evaluation in certain redirect action ...) NOT-FOR-US: Atlassian Fisheye and Crucible CVE-2017-16860 (The invalidRedirectUrl template in Atlassian Application Links before ...) NOT-FOR-US: Atlassian CVE-2017-16859 (The review attachment resource in Atlassian Fisheye and Crucible befor ...) NOT-FOR-US: Atlassian CVE-2017-16858 (The 'crowd-application' plugin module (notably used by the Google Apps ...) NOT-FOR-US: 'crowd-application' plugin module in Atlassian Crowd CVE-2017-16857 (It is possible to bypass the bitbucket auto-unapprove plugin via minim ...) NOT-FOR-US: Atlassian CVE-2017-16856 (The RSS Feed macro in Atlassian Confluence before version 6.5.2 allows ...) NOT-FOR-US: Atlassian Confluence CVE-2017-16855 REJECTED CVE-2017-16854 (In Open Ticket Request System (OTRS) through 3.3.20, 4 through 4.0.26, ...) {DSA-4066-1 DLA-1212-1} - otrs2 6.0.2-1 NOTE: https://www.otrs.com/security-advisory-2017-08-security-update-otrs-framework/ NOTE: https://bugs.otrs.org/show_bug.cgi?id=13347 NOTE: OTRS-6: https://github.com/OTRS/otrs/commit/867aba14900f17caacb0285a08b6981bbdbbe016 NOTE: OTRS-5: https://github.com/OTRS/otrs/commit/8748d040058695fda5c9cfcb2a78d8947ed4188d NOTE: OTRS-4: https://github.com/OTRS/otrs/commit/e0deab303e3d0f7c860bba291410512734f4d6b0 CVE-2017-16851 (Zoho ManageEngine Applications Manager 13 before build 13530 allows SQ ...) NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2017-16850 (Zoho ManageEngine Applications Manager 13 before build 13530 allows SQ ...) NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2017-16849 (Zoho ManageEngine Applications Manager 13 before build 13530 allows SQ ...) NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2017-16848 (Zoho ManageEngine Applications Manager 13 allows SQL injection via the ...) NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2017-16847 (Zoho ManageEngine Applications Manager 13 before build 13530 allows SQ ...) NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2017-16846 (Zoho ManageEngine Applications Manager 13 before build 13530 allows SQ ...) NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2017-16845 (hw/input/ps2.c in Qemu does not validate 'rptr' and 'count' values dur ...) {DSA-4213-1 DLA-1497-1} - qemu 1:2.12~rc3+dfsg-1 (bug #882136) [wheezy] - qemu (Can be fixed along in a future update) - qemu-kvm [wheezy] - qemu-kvm (Can be fixed along in a future update) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg02982.html NOTE: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=802cbcb73002b92e6ddc8464d39b668a71b78d74 CVE-2017-16844 (Heap-based buffer overflow in the loadbuf function in formisc.c in for ...) {DSA-4041-1 DLA-1173-1} - procmail 3.22-26 (bug #876511) CVE-2017-16843 (Vonage VDV-23 115 3.2.11-0.9.40 devices have stored XSS via the NewKey ...) NOT-FOR-US: Vonage VDV-23 CVE-2017-16842 (Cross-site scripting (XSS) vulnerability in admin/google_search_consol ...) NOT-FOR-US: Yoast SEO plugin for WordPress CVE-2017-16841 (LanSweeper 6.0.100.75 has XSS via the description parameter to /Calend ...) NOT-FOR-US: LanSweeper CVE-2017-16840 (The VC-2 Video Compression encoder in FFmpeg 3.4 allows remote attacke ...) {DSA-4049-1} - ffmpeg 7:3.4.1-1 NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=a94cb36ab2ad99d3a1331c9f91831ef593d94f74 CVE-2017-16839 (Hashicorp vagrant-vmware-fusion 5.0.4 allows local users to steal root ...) NOT-FOR-US: vagrant-vmware-fusion CVE-2017-16838 RESERVED CVE-2017-16837 (Certain function pointers in Trusted Boot (tboot) through 1.9.6 are no ...) - tboot (bug #803180) CVE-2017-16836 (Arris TG1682G devices with Comcast TG1682_2.0s7_PRODse 10.0.59.SIP.PC2 ...) NOT-FOR-US: Arris TG1682G devices CVE-2017-16835 (The "Photo,Video Locker-Calculator" application 12.0 for Android has a ...) NOT-FOR-US: Photo Video Locker-Calculator application for Android CVE-2017-16834 (PNP4Nagios through 0.6.26 has /usr/bin/npcd and npcd.cfg owned by an u ...) - pnp4nagios (/etc/pnp4nagios and its content is installed as root by the Debian package) NOTE: https://github.com/lingej/pnp4nagios/issues/140 CVE-2017-16833 (Stored cross-site scripting (XSS) vulnerability in Gemirro before 0.16 ...) NOT-FOR-US: Gemirro CVE-2017-16853 (The DynamicMetadataProvider class in saml/saml2/metadata/impl/DynamicM ...) {DSA-4039-1 DLA-1178-1} - opensaml2 2.6.1-1 (bug #881856) NOTE: https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=commit;h=6182b0acf2df670e75423c2ed7afe6950ef11c9d NOTE: https://shibboleth.net/community/advisories/secadv_20171115.txt CVE-2017-16852 (shibsp/metadata/DynamicMetadataProvider.cpp in the Dynamic MetadataPro ...) {DSA-4038-1 DLA-1179-1} - shibboleth-sp2 2.6.1+dfsg1-1 (bug #881857) NOTE: https://git.shibboleth.net/view/?p=cpp-sp.git;a=commit;h=b66cceb0e992c351ad5e2c665229ede82f261b16 NOTE: https://shibboleth.net/community/advisories/secadv_20171115.txt CVE-2017-16832 (The pe_bfd_read_buildid function in peicode.h in the Binary File Descr ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22373 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0bb6961f18b8e832d88b490d421ca56cea16c45b CVE-2017-16831 (coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22385 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6cee897971d4d7cd37d2a686bb6d2aa3e759c8ca CVE-2017-16830 (The print_gnu_property_note function in readelf.c in GNU Binutils 2.29 ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22384 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6ab2c4ed51f9c4243691755e1b1d2149c6a426f4 CVE-2017-16829 (The _bfd_elf_parse_gnu_properties function in elf-properties.c in the ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22307 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cf54ebff3b7361989712fd9c0128a9b255578163 CVE-2017-16828 (The display_debug_frames function in dwarf.c in GNU Binutils 2.29.1 al ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22386 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bf59c5d5f4f5b8b4da1f5f605cfa546f8029b43d CVE-2017-16827 (The aout_get_external_symbols function in aoutx.h in the Binary File D ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22306 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0301ce1486b1450f219202677f30d0fa97335419 CVE-2017-16826 (The coff_slurp_line_table function in coffcode.h in the Binary File De ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22376 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a67d66eb97e7613a38ffe6622d837303b3ecd31d CVE-2017-16825 RESERVED CVE-2017-16824 RESERVED CVE-2017-16823 RESERVED CVE-2017-16822 RESERVED CVE-2017-16821 (b3log Symphony (aka Sym) 2.2.0 has XSS in processor/AdminProcessor.jav ...) NOT-FOR-US: b3log Symphony CVE-2017-16819 (A stored cross-site scripting vulnerability in the Icon Time Systems R ...) NOT-FOR-US: Icon Time Systems RTC-1000 CVE-2017-16818 (RADOS Gateway in Ceph 12.1.0 through 12.2.1 allows remote authenticate ...) - ceph (Vulnerable code introduced after 12.1.0) NOTE: https://github.com/ceph/ceph/commit/b3118cabb8060a8cc6a01c4e8264cb18e7b1745a CVE-2017-16817 RESERVED CVE-2017-16816 (The condor_schedd component in HTCondor before 8.6.8 and 8.7.x before ...) - condor 8.6.8~dfsg.1-1 [stretch] - condor (VOMS support disabled) [jessie] - condor (Minor issue) [wheezy] - condor (Minor issue) NOTE: http://research.cs.wisc.edu/htcondor//security/vulnerabilities/HTCONDOR-2017-0001.html CVE-2017-16815 (installer.php in the Snap Creek Duplicator (WordPress Site Migration & ...) NOT-FOR-US: Snap Creek Duplicator (WordPress Site Migration & Backup) plugin for WordPress CVE-2017-16820 (The csnmp_read_table function in snmp.c in the SNMP plugin in collectd ...) - collectd 5.8.0-1 (bug #881757) [stretch] - collectd (Minor issue) [jessie] - collectd (Minor issue) [wheezy] - collectd (Vulnerable code not present) NOTE: https://github.com/collectd/collectd/issues/2291 CVE-2017-16814 (A Directory Traversal issue was discovered in the Foxit MobilePDF app ...) NOT-FOR-US: Foxit CVE-2017-16813 (A denial-of-service issue was discovered in the Foxit MobilePDF app be ...) NOT-FOR-US: Foxit CVE-2017-16812 RESERVED CVE-2017-16811 RESERVED CVE-2017-16810 (Cross-site scripting (XSS) vulnerability in the All Variables tab in O ...) NOT-FOR-US: Octopus Deploy CVE-2017-16809 RESERVED CVE-2017-16808 (tcpdump before 4.9.3 has a heap-based buffer over-read related to aoe_ ...) - tcpdump 4.9.3~git20190901-1 (unimportant; bug #881862) NOTE: https://github.com/the-tcpdump-group/tcpdump/issues/645 NOTE: Crash in CLI tool, no security impact CVE-2017-16807 (A cross-site Scripting (XSS) vulnerability in Kirby Panel before 2.3.3 ...) NOT-FOR-US: Kirby Panel CVE-2017-16806 (The Process function in RemoteTaskServer/WebServer/HttpServer.cs in Ul ...) NOT-FOR-US: Ulterius CVE-2017-16805 (In radare2 2.0.1, libr/bin/dwarf.c allows remote attackers to cause a ...) - radare2 2.1.0+dfsg-1 (bug #882134) [jessie] - radare2 (Minor issue) [wheezy] - radare2 (Vulnerable code does not exist; no dwarf support) NOTE: https://github.com/radare/radare2/commit/2ca9ab45891b6ae8e32b6c28c81eebca059cbe5d NOTE: https://github.com/radare/radare2/issues/8813 CVE-2017-16803 (In Libav through 11.11 and 12.x through 12.1, the smacker_decode_tree ...) {DSA-4119-1} - libav (low) - ffmpeg 7:2.2.1-1 NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1098 NOTE: https://github.com/libav/libav/commit/cd4663dc80323ba64989d0c103d51ad3ee0e9c2f NOTE: ffmpeg: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/cd4663dc80323ba64989d0c103d51ad3ee0e9c2f NOTE: ffmpeg originally fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/b829da363985cb2f80130bba304cc29a632f6446 CVE-2017-16802 (In the sharingGroupPopulateOrganisations function in app/webroot/js/mi ...) NOT-FOR-US: MISP CVE-2017-16804 (In Redmine before 3.2.7 and 3.3.x before 3.3.4, the reminders function ...) {DSA-4191-1} - redmine 3.4.2-1 [jessie] - redmine (Not supported in Jessie-LTS) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/issues/25713 (private) NOTE: upstream fixed in 3.2.7, 3.3.4 and 3.4.0 NOTE: https://github.com/redmine/redmine/commit/0f09f161f64f4190a52166675ff380a15b72a8bc CVE-2017-16801 (Cross-site scripting (XSS) vulnerability in Octopus Deploy 3.7.0-3.17. ...) NOT-FOR-US: Octopus Deploy CVE-2017-16800 RESERVED CVE-2017-16799 (In CMS Made Simple 2.2.3.1, in modules/New/action.addcategory.php, sto ...) NOT-FOR-US: CMS Made Simple CVE-2017-16798 (In CMS Made Simple 2.2.3.1, the is_file_acceptable function in modules ...) NOT-FOR-US: CMS Made Simple CVE-2017-16797 (In SWFTools 0.9.2, the png_load function in lib/png.c does not properl ...) - swftools [stretch] - swftools (Minor issue) [jessie] - swftools (Minor issue) [wheezy] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/51 CVE-2017-16796 (In SWFTools 0.9.2, the png_load function in lib/png.c does not check t ...) - swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/51 NOTE: Crash in CLI tool, no security implications CVE-2017-16795 RESERVED CVE-2017-16794 (The png_load function in lib/png.c in SWFTools 0.9.2 does not properly ...) - swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/50 NOTE: Crash in CLI tool, no security implications CVE-2017-16793 (The wav_convert2mono function in lib/wav.c in SWFTools 0.9.2 does not ...) - swftools [stretch] - swftools (Minor issue) [jessie] - swftools (Minor issue) [wheezy] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/47 CVE-2017-16792 (Stored cross-site scripting (XSS) vulnerability in "geminabox" (Gem in ...) NOT-FOR-US: geminabox CVE-2017-16791 RESERVED CVE-2017-16790 (An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3. ...) {DSA-4262-1} - symfony 3.4.0+dfsg-1 [jessie] - symfony (vulnerable code introduced in 2.4.*) NOTE: https://symfony.com/blog/cve-2017-16790-ensure-that-submitted-data-are-uploaded-files NOTE: https://github.com/symfony/symfony/pull/24993 CVE-2017-16789 (Cross-site scripting (XSS) vulnerability in Integration Matters nJAMS ...) NOT-FOR-US: TIBCO CVE-2017-16788 (Directory traversal vulnerability in the "Upload Groupkey" functionali ...) NOT-FOR-US: Meinberg LANTIME CVE-2017-16787 (The Web Configuration Utility in Meinberg LANTIME devices with firmwar ...) NOT-FOR-US: Meinberg LANTIME CVE-2017-16786 (The Web Configuration Utility in Meinberg LANTIME devices with firmwar ...) NOT-FOR-US: Meinberg LANTIME CVE-2017-16784 (In CMS Made Simple 2.2.2, there is Reflected XSS via the cntnt01detail ...) NOT-FOR-US: CMS Made Simple CVE-2017-16783 (In CMS Made Simple 2.1.6, there is Server-Side Template Injection via ...) NOT-FOR-US: CMS Made Simple CVE-2017-16782 (In Home Assistant before 0.57, it is possible to inject JavaScript cod ...) NOT-FOR-US: Home Assistant CVE-2017-16781 (The installer in MyBB before 1.8.13 has XSS. ...) NOT-FOR-US: MyBB CVE-2017-16780 (The installer in MyBB before 1.8.13 allows remote attackers to execute ...) NOT-FOR-US: MyBB CVE-2017-16785 (Cacti 1.1.27 has reflected XSS via the PATH_INFO to host.php. ...) - cacti 1.1.27+ds1-3 [stretch] - cacti (Vulnerable code does not exist) [jessie] - cacti (Vulnerable code does not exist) [wheezy] - cacti (Vulnerable code does not exist) NOTE: https://github.com/Cacti/cacti/issues/1071 NOTE: this is more or less a dublicate of CVE-2017-16641 NOTE: one of the applied patches reopened the vulnerability CVE-2017-16779 RESERVED CVE-2017-16778 (An access control weakness in the DTMF tone receiver of Fermax Outdoor ...) NOT-FOR-US: Fermax Outdoor Panel CVE-2017-16777 (If HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) ...) NOT-FOR-US: HashiCorp Vagrant VMware Fusion plugin CVE-2017-16776 (Security researchers discovered an authentication bypass vulnerability ...) NOT-FOR-US: Conserus Workflow Intelligence CVE-2017-16775 (Improper restriction of rendered UI layers or frames vulnerability in ...) NOT-FOR-US: Synology CVE-2017-16774 (Cross-site scripting (XSS) vulnerability in SYNO.Core.PersonalNotifica ...) NOT-FOR-US: Synology CVE-2017-16773 (Improper authorization vulnerability in Highlight Preview in Synology ...) NOT-FOR-US: Synology CVE-2017-16772 (Improper input validation vulnerability in SYNOPHOTO_Flickr_MultiUploa ...) NOT-FOR-US: Synology Photo Station CVE-2017-16771 (Cross-site scripting (XSS) vulnerability in Log Viewer in Synology Pho ...) NOT-FOR-US: Synology Photo Station CVE-2017-16770 (File and directory information exposure vulnerability in SYNO.Surveill ...) NOT-FOR-US: Synology Surveillance Station CVE-2017-16769 (Exposure of private information vulnerability in Photo Viewer in Synol ...) NOT-FOR-US: Synology Photo Station CVE-2017-16768 (Cross-site scripting (XSS) vulnerability in User Policy editor in Syno ...) NOT-FOR-US: Synology MailPlus Server CVE-2017-16767 (Cross-site scripting (XSS) vulnerability in User Profile in Synology S ...) NOT-FOR-US: Synology Surveillance Station CVE-2017-16766 (An improper access control vulnerability in synodsmnotify in Synology ...) NOT-FOR-US: Synology DiskStation Manager CVE-2017-16765 (XSS exists on D-Link DWR-933 1.00(WW)B17 devices via cgi-bin/gui.cgi. ...) NOT-FOR-US: D-Link CVE-2017-16764 (An exploitable vulnerability exists in the YAML parsing functionality ...) NOT-FOR-US: django_make_app CVE-2017-16763 (An exploitable vulnerability exists in the YAML parsing functionality ...) NOT-FOR-US: Confire CVE-2017-16762 (Sanic before 0.5.1 allows reading arbitrary files with directory trave ...) NOT-FOR-US: Sanic CVE-2017-16761 (An Open Redirect vulnerability in Inedo BuildMaster before 5.8.2 allow ...) NOT-FOR-US: Inedo BuildMaster CVE-2017-16760 (Inedo BuildMaster before 5.8.2 has XSS. ...) NOT-FOR-US: Inedo BuildMaster CVE-2017-16759 (The installation process in LibreNMS before 2017-08-18 allows remote a ...) NOT-FOR-US: LibreNMS CVE-2017-16758 (Cross-site scripting (XSS) vulnerability in admin/partials/uif-access- ...) NOT-FOR-US: Wordpress plugin CVE-2017-16757 (Hola VPN 1.34 has weak permissions (Everyone:F) under %PROGRAMFILES%, ...) NOT-FOR-US: Hola VPN CVE-2017-16756 (An issue was discovered in Userscape HelpSpot before 4.7.2. A cross-si ...) NOT-FOR-US: Userscape HelpSpot CVE-2017-16755 (An issue was discovered in Userscape HelpSpot before 4.7.2. A reflecte ...) NOT-FOR-US: Userscape HelpSpot CVE-2017-16754 (Bolt before 3.3.6 does not properly restrict access to _profiler route ...) NOT-FOR-US: Bolt CMS CVE-2017-16753 (An Improper Input Validation issue was discovered in Advantech WebAcce ...) NOT-FOR-US: Advantech WebAccess CVE-2017-16752 RESERVED CVE-2017-16751 (A Stack-based Buffer Overflow issue was discovered in Delta Electronic ...) NOT-FOR-US: Delta Electronics Delta Industrial Automation Screen Editor CVE-2017-16750 RESERVED CVE-2017-16749 (A Use-after-Free issue was discovered in Delta Electronics Delta Indus ...) NOT-FOR-US: Delta Electronics Delta Industrial Automation Screen Editor CVE-2017-16748 (An attacker can log into the local Niagara platform (Niagara AX Framew ...) NOT-FOR-US: Niagara AX CVE-2017-16747 (An Out-of-bounds Write issue was discovered in Delta Electronics Delta ...) NOT-FOR-US: Delta Electronics Delta Industrial Automation Screen Editor CVE-2017-16746 RESERVED CVE-2017-16745 (A Type Confusion issue was discovered in Delta Electronics Delta Indus ...) NOT-FOR-US: Delta Electronics Delta Industrial Automation Screen Editor CVE-2017-16744 (A path traversal vulnerability in Tridium Niagara AX Versions 3.8 and ...) NOT-FOR-US: Niagara AX CVE-2017-16743 (An Improper Authorization issue was discovered in PHOENIX CONTACT FL S ...) NOT-FOR-US: PHOENIX CONTACT FL SWITCH CVE-2017-16742 RESERVED CVE-2017-16741 (An Information Exposure issue was discovered in PHOENIX CONTACT FL SWI ...) NOT-FOR-US: PHOENIX CONTACT FL SWITCH CVE-2017-16740 (A Buffer Overflow issue was discovered in Rockwell Automation Allen-Br ...) NOT-FOR-US: Rockwell Automation Allen-Bradley MicroLogix 1400 Controllers CVE-2017-16739 (An issue was discovered in WECON Technology LEVI Studio HMI Editor v1. ...) NOT-FOR-US: WECON Technology LEVI Studio HMI Editor CVE-2017-16738 RESERVED CVE-2017-16737 (An issue was discovered in WECON Technology LEVI Studio HMI Editor v1. ...) NOT-FOR-US: WECON Technology LEVI Studio HMI Editor CVE-2017-16736 (An Unrestricted Upload Of File With Dangerous Type issue was discovere ...) NOT-FOR-US: Advantech WebAccess CVE-2017-16735 (A SQL Injection issue was discovered in Ecava IntegraXor v 6.1.1030.1 ...) NOT-FOR-US: Ecava IntegraXor CVE-2017-16734 RESERVED CVE-2017-16733 (A SQL Injection issue was discovered in Ecava IntegraXor v 6.1.1030.1 ...) NOT-FOR-US: Ecava IntegraXor CVE-2017-16732 (A use-after-free issue was discovered in Advantech WebAccess versions ...) NOT-FOR-US: Advantech WebAccess CVE-2017-16731 (An Unprotected Transport of Credentials issue was discovered in ABB El ...) NOT-FOR-US: Ellipse CVE-2017-16730 RESERVED CVE-2017-16729 RESERVED CVE-2017-16728 (An Untrusted Pointer Dereference issue was discovered in Advantech Web ...) NOT-FOR-US: Advantech WebAccess CVE-2017-16727 (A Credentials Management issue was discovered in Moxa NPort W2150A ver ...) NOT-FOR-US: Moxa CVE-2017-16726 (Beckhoff TwinCAT supports communication over ADS. ADS is a protocol fo ...) NOT-FOR-US: Beckhoff TwinCAT CVE-2017-16725 (A Stack-based Buffer Overflow issue was discovered in Xiongmai Technol ...) NOT-FOR-US: Xiongmai Technology IP Cameras and DVRs CVE-2017-16724 (A Stack-based Buffer Overflow issue was discovered in Advantech WebAcc ...) NOT-FOR-US: Advantech WebAccess CVE-2017-16723 (A Cross-site Scripting issue was discovered in PHOENIX CONTACT FL COMS ...) NOT-FOR-US: PHOENIX CVE-2017-16722 RESERVED CVE-2017-16721 (A Cross-site Scripting issue was discovered in Geovap Reliance SCADA V ...) NOT-FOR-US: Geovap Reliance SCADA CVE-2017-16720 (A Path Traversal issue was discovered in WebAccess versions 8.3.2 and ...) NOT-FOR-US: Advantech WebAccess CVE-2017-16719 (An Injection issue was discovered in Moxa NPort 5110 Version 2.2, NPor ...) NOT-FOR-US: Moxa CVE-2017-16718 (Beckhoff TwinCAT 3 supports communication over ADS. ADS is a protocol ...) NOT-FOR-US: Beckhoff TwinCAT CVE-2017-16717 (A Heap-based Buffer Overflow issue was discovered in WECON LeviStudio ...) NOT-FOR-US: WECON LeviStudio HMI CVE-2017-16716 (A SQL Injection issue was discovered in WebAccess versions prior to 8. ...) NOT-FOR-US: Advantech WebAccess CVE-2017-16715 (An Information Exposure issue was discovered in Moxa NPort 5110 Versio ...) NOT-FOR-US: Moxa CVE-2017-16714 (In Ice Qube Thermal Management Center versions prior to version 4.13, ...) NOT-FOR-US: Ice Qube Thermal Management Center CVE-2017-16713 RESERVED CVE-2017-16712 RESERVED CVE-2017-16711 (The swf_DefineLosslessBitsTagToImage function in lib/modules/swfbits.c ...) - swftools (unimportant; bug #881390) NOTE: https://github.com/matthiaskramm/swftools/issues/46 NOTE: Crash in CLI tool, no security implications CVE-2017-16710 (Cross-site scripting (XSS) vulnerability in Crestron Airmedia AM-100 d ...) NOT-FOR-US: Creston CVE-2017-16709 (Crestron Airmedia AM-100 devices with firmware before 1.6.0 and AM-101 ...) NOT-FOR-US: Creston CVE-2017-16708 RESERVED CVE-2017-16707 RESERVED CVE-2017-16706 RESERVED CVE-2017-16705 RESERVED CVE-2017-16704 RESERVED CVE-2017-16703 RESERVED CVE-2017-16702 RESERVED CVE-2017-16701 RESERVED CVE-2017-16700 RESERVED CVE-2017-16699 RESERVED CVE-2017-16698 RESERVED CVE-2017-16697 RESERVED CVE-2017-16696 RESERVED CVE-2017-16695 RESERVED CVE-2017-16694 RESERVED CVE-2017-16693 RESERVED CVE-2017-16692 RESERVED CVE-2017-16691 (SAP Note Assistant tool (SAP BASIS from 7.00 to 7.02, from 7.10 to 7.1 ...) NOT-FOR-US: SAP Note Assistant CVE-2017-16690 (A malicious DLL preload attack possible on NwSapSetup and Installation ...) NOT-FOR-US: SAP Plant Connectivity CVE-2017-16689 (A Trusted RFC connection in SAP KERNEL 32NUC, SAP KERNEL 32Unicode, SA ...) NOT-FOR-US: SAP KERNEL CVE-2017-16688 RESERVED CVE-2017-16687 (The user self-service tools of SAP HANA extended application services, ...) NOT-FOR-US: SAP HANA CVE-2017-16686 RESERVED CVE-2017-16685 (Cross-Site scripting (XSS) in SAP Business Warehouse Universal Data In ...) NOT-FOR-US: SAP Business Warehouse Universal Data Integration CVE-2017-16684 (SAP Business Intelligence Promotion Management Application, Enterprise ...) NOT-FOR-US: SAP Business Intelligence Promotion Management Application CVE-2017-16683 (Denial of Service (DOS) in SAP Business Objects Platform, Enterprise 4 ...) NOT-FOR-US: SAP Business Objects Platform CVE-2017-16682 (SAP NetWeaver Internet Transaction Server (ITS), SAP Basis from 7.00 t ...) NOT-FOR-US: SAP NetWeaver Internet Transaction Server CVE-2017-16681 (Cross-Site Scripting (XSS) vulnerability in SAP Business Intelligence ...) NOT-FOR-US: SAP Business Intelligence Promotion Management Application CVE-2017-16680 (Two potential audit log injections in SAP HANA extended application se ...) NOT-FOR-US: SAP HANA extended application services CVE-2017-16679 (URL redirection vulnerability in SAP's Startup Service, SAP KERNEL 32 ...) NOT-FOR-US: SAP's Startup Service CVE-2017-16678 (Server Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Know ...) NOT-FOR-US: SAP NetWeaver Knowledge Management Configuration Service CVE-2017-16677 RESERVED CVE-2017-16676 RESERVED CVE-2017-16675 RESERVED CVE-2017-16674 (Datto Windows Agent allows unauthenticated remote command execution vi ...) NOT-FOR-US: Datto Windows Agent CVE-2017-16673 (Datto Backup Agent 1.0.6.0 and earlier does not authenticate incoming ...) NOT-FOR-US: Datto Backup Agent CVE-2017-16672 (An issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 ...) - asterisk 1:13.18.1~dfsg-1 (bug #881256) [stretch] - asterisk 1:13.14.1~dfsg-2+deb9u3 [jessie] - asterisk (Vulnerable code not present) [wheezy] - asterisk (Vulnerable code not present) NOTE: http://downloads.digium.com/pub/security/AST-2017-011.html NOTE: http://downloads.asterisk.org/pub/security/AST-2017-011-13.diff NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27345 CVE-2017-16671 (A Buffer Overflow issue was discovered in Asterisk Open Source 13 befo ...) - asterisk 1:13.18.1~dfsg-1 (bug #881257) [stretch] - asterisk 1:13.14.1~dfsg-2+deb9u3 [jessie] - asterisk (Vulnerable code do not exist) [wheezy] - asterisk (Vulnerable code do not exist) NOTE: http://downloads.digium.com/pub/security/AST-2017-010.html NOTE: http://downloads.asterisk.org/pub/security/AST-2017-010-13.diff NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27337 CVE-2017-16670 (The project import functionality in SoapUI 5.3.0 allows remote attacke ...) NOT-FOR-US: SoapUI CVE-2017-16669 (coders/wpg.c in GraphicsMagick 1.3.26 allows remote attackers to cause ...) {DSA-4321-1 DLA-1401-1 DLA-1168-1} - graphicsmagick 1.3.26-19 (bug #881391) NOTE: https://sourceforge.net/p/graphicsmagick/bugs/450/ NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/135bdcb88b8d NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/1b9e64a8901e NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/2a21cda3145b NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/2b7c826d36af NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/3dc7b4e3779d NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/75245a215fff NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/e8086faa52d0 NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/fcd3ed3394f6 CVE-2017-16668 RESERVED CVE-2017-16666 (Xplico before 1.2.1 allows remote authenticated users to execute arbit ...) NOT-FOR-US: Xplico CVE-2017-16665 (RemObjects Remoting SDK 9 1.0.0.0 for Delphi is vulnerable to a reflec ...) NOT-FOR-US: RemObjects Remoting SDK CVE-2017-16664 (Code injection exists in Kernel/System/Spelling.pm in Open Ticket Requ ...) {DSA-4047-1 DLA-1212-1} - otrs2 5.0.24-1 (bug #882370) NOTE: https://www.otrs.com/security-advisory-2017-07-security-update-otrs-framework/ NOTE: OTRS 5: https://github.com/OTRS/otrs/commit/4c36932d0c42343f21246a107e17a2ebbd9c2c7d NOTE: OTRS 3.3: https://github.com/OTRS/otrs/commit/2e58a4bbd99b2477d72c3b2d9fef009537ab19ce CVE-2017-16667 (backintime (aka Back in Time) before 1.1.24 did improper escaping/quot ...) - backintime 1.1.24-0.1 (bug #881205) [stretch] - backintime (Minor issue) [jessie] - backintime (Minor issue) [wheezy] - backintime (Vulnerable code does not exist) NOTE: https://github.com/bit-team/backintime/issues/834 NOTE: https://github.com/bit-team/backintime/commit/cef81d0da93ff601252607df3db1a48f7f6f01b3 CVE-2017-16663 (In sam2p 0.49.4, there are integer overflows (with resultant heap-base ...) {DLA-1185-1} - sam2p [jessie] - sam2p 0.49.2-3+deb8u1 NOTE: https://github.com/pts/sam2p/issues/16 CVE-2017-16662 RESERVED CVE-2017-16659 (The Gentoo mail-filter/assp package 1.9.8.13030 and earlier allows loc ...) NOT-FOR-US: assp as packaged by Gentoo CVE-2017-16658 RESERVED CVE-2017-16657 RESERVED CVE-2017-16656 RESERVED CVE-2017-16655 RESERVED CVE-2017-16654 (An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3. ...) {DSA-4262-1 DLA-1707-1} - symfony 3.4.0+dfsg-1 NOTE: https://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths NOTE: https://github.com/symfony/symfony/pull/24994 CVE-2017-16653 (An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3. ...) {DSA-4262-1} - symfony 3.4.0+dfsg-1 [jessie] - symfony (vulnerable code not present in branch 2.3) NOTE: https://symfony.com/blog/cve-2017-16653-csrf-protection-does-not-use-different-tokens-for-http-and-https NOTE: https://github.com/symfony/symfony/pull/24992 CVE-2017-16652 (An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2 ...) {DSA-4262-1 DLA-1707-1} - symfony 3.4.0+dfsg-1 NOTE: https://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers NOTE: https://github.com/symfony/symfony/pull/24995 NOTE: See CVE-2018-11408 to address original incomplete fix for CVE-2017-16652 CVE-2017-16651 (Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before ...) {DSA-4030-1 DLA-1193-1} - roundcube 1.3.3+dfsg.1-1 NOTE: master: https://github.com/roundcube/roundcubemail/commit/2a32f51c91d5e9c7b1a9d931846dd44c008ff36d NOTE: release-1.3: https://github.com/roundcube/roundcubemail/commit/c90ad5a97784fb32683b8e3c21d6c95baab6d806 NOTE: release-1.2: https://github.com/roundcube/roundcubemail/commit/9be2224c779d7abc7b29eea2b83a8a3671c543e0 NOTE: release-1.1: https://github.com/roundcube/roundcubemail/commit/e757cc410145d043c30889d28fa0b5f67a5cf2fd NOTE: release-1.0: https://github.com/roundcube/roundcubemail/commit/8d87bb34f3c6103ab81e5342d8b3d297832d178a NOTE: https://github.com/roundcube/roundcubemail/issues/6026 CVE-2017-16650 (The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux ...) - linux 4.13.13-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 [wheezy] - linux (Vulnerable code not present) CVE-2017-16649 (The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in ...) {DLA-1200-1} - linux 4.13.13-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 CVE-2017-16648 (The dvb_frontend_free function in drivers/media/dvb-core/dvb_frontend. ...) - linux (Vulnerable code not present) CVE-2017-16647 (drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 all ...) - linux 4.13.13-1 [stretch] - linux 4.9.65-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) CVE-2017-16646 (drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel throug ...) - linux 4.13.13-1 [stretch] - linux 4.9.65-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) CVE-2017-16645 (The ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu. ...) - linux 4.14.2-1 (unimportant) [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.56-1 [wheezy] - linux (Vulnerable code not present) NOTE: CONFIG_INPUT_IMS_PCU is not set in Debian config CVE-2017-16644 (The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c in th ...) {DSA-4073-1} - linux 4.14.7-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) CVE-2017-16643 (The parse_hid_report_descriptor function in drivers/input/tablet/gtco. ...) {DLA-1200-1} - linux 4.13.13-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 CVE-2017-16642 (In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an e ...) {DSA-4081-1 DSA-4080-1} - php7.1 7.1.11-1 - php7.0 7.0.25-1 - php5 [wheezy] - php5 (Vulnerable code not present; proof of concept produces expected non-buggy output; upstream patch also appears overly intrusive) NOTE: Fixed in: 5.6.32, 7.0.25, 7.1.11 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=75055 NOTE: https://github.com/derickr/timelib/commit/aa9156006e88565e1f1a5f7cc088b18322d57536 NOTE: https://github.com/php/php-src/commit/5c0455bf2c8cd3c25401407f158e820aa3b239e1 CVE-2017-16661 (Cacti 1.1.27 allows remote authenticated administrators to read arbitr ...) - cacti 1.1.27+ds1-3 [stretch] - cacti (Vulnerable code does not exist) [jessie] - cacti (Vulnerable code does not exist) [wheezy] - cacti (Vulnerable code does not exist) NOTE: https://github.com/Cacti/cacti/issues/1066 NOTE: affected code was introduced in the 1.x release CVE-2017-16660 (Cacti 1.1.27 allows remote authenticated administrators to conduct Rem ...) - cacti 1.1.27+ds1-3 [stretch] - cacti (Vulnerable code does not exist) [jessie] - cacti (Vulnerable code does not exist) [wheezy] - cacti (Vulnerable code does not exist) NOTE: https://github.com/Cacti/cacti/issues/1066 NOTE: affected code was introduced in the 1.x release CVE-2017-16641 (lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators ...) - cacti 1.1.27+ds1-3 (bug #881110) [stretch] - cacti (Minor issue, due to CVE-2009-4112 does not make sense to isolately fix unless CVE-2009-4112 adressed upstream) [jessie] - cacti (Minor issue, due to CVE-2009-4112 does not make sense to isolately fix unless CVE-2009-4112 adressed upstream) [wheezy] - cacti (Minor issue, due to CVE-2009-4112 does not make sense to isolately fix unless CVE-2009-4112 adressed upstream) NOTE: https://github.com/Cacti/cacti/issues/1057 NOTE: https://github.com/Cacti/cacti/commit/e8088bb6593e6a49d000c342d17402f01db8740e CVE-2017-16640 RESERVED CVE-2017-16639 (Tor Browser on Windows before 8.0 allows remote attackers to bypass th ...) NOT-FOR-US: Tor Browser on Windows CVE-2008-7319 (The Net::Ping::External extension through 0.15 for Perl does not prope ...) - libnet-ping-external-perl (bug #881097) [wheezy] - libnet-ping-external-perl (Package may be removed from Wheezy, see #881102) NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=33230 NOTE: Proposed patch: http://matthias.sdfeu.org/devel/net-ping-external-cmd-injection.patch CVE-2017-16638 (The Gentoo net-misc/vde package before version 2.3.2-r4 may allow memb ...) NOT-FOR-US: Gentoo net-misc/vde packaging issue CVE-2017-16637 (In Vectura Perfect Privacy VPN Manager v1.10.10 and v1.10.11, when res ...) NOT-FOR-US: Vectura Perfect Privacy VPN Manager CVE-2017-16636 (In Bludit v1.5.2 and v2.0.1, an XSS vulnerability is located in the ne ...) NOT-FOR-US: Bludit CVE-2017-16635 (In TinyWebGallery v2.4, an XSS vulnerability is located in the `mkname ...) NOT-FOR-US: TinyWebGallery CVE-2017-16634 (In Joomla! before 3.8.2, a bug allowed third parties to bypass a user' ...) NOT-FOR-US: Joomla! CVE-2017-16633 (In Joomla! before 3.8.2, a logic bug in com_fields exposed read-only i ...) NOT-FOR-US: Joomla! CVE-2017-16632 RESERVED CVE-2017-16631 RESERVED CVE-2017-16630 RESERVED CVE-2017-16629 RESERVED CVE-2017-16628 RESERVED CVE-2017-16627 RESERVED CVE-2017-16626 RESERVED CVE-2017-16625 RESERVED CVE-2017-16624 RESERVED CVE-2017-16623 RESERVED CVE-2017-16622 RESERVED CVE-2017-16621 RESERVED CVE-2017-16620 RESERVED CVE-2017-16619 RESERVED CVE-2017-16618 (An exploitable vulnerability exists in the YAML loading functionality ...) NOT-FOR-US: OwlMixin CVE-2017-16617 RESERVED CVE-2017-16616 (An exploitable vulnerability exists in the YAML parsing functionality ...) NOT-FOR-US: pyanyapi CVE-2017-16615 (An exploitable vulnerability exists in the YAML parsing functionality ...) NOT-FOR-US: MLAlchemy CVE-2017-16614 (SSRF (Server Side Request Forgery) in tpshop 2.0.5 and 2.0.6 allows re ...) NOT-FOR-US: tpshop CVE-2017-16613 (An issue was discovered in middleware.py in OpenStack Swauth through 1 ...) {DSA-4044-1} - swauth 1.2.0-4 (bug #882314) NOTE: https://bugs.launchpad.net/swift/+bug/1655781 CVE-2017-16612 (libXcursor before 1.1.15 has various integer overflows that could lead ...) {DSA-4059-1 DLA-1201-1} - libxcursor 1:1.1.14-3.1 (bug #883792) - wayland 1.14.0-2 (bug #889681) [stretch] - wayland 1.12.0-1+deb9u1 [jessie] - wayland (Minor issue) [wheezy] - wayland (vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2017/11/28/6 NOTE: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8 NOTE: https://marc.info/?l=freedesktop-xorg-announce&m=151188036018262&w=2 NOTE: Wayland: https://bugs.freedesktop.org/show_bug.cgi?id=103961 NOTE: Wayland: https://cgit.freedesktop.org/wayland/wayland/commit/?id=5d201df72f3d4f4cb8b8f75f980169b03507da38 NOTE: For src:wayland originally fixed in 1.14.0-2 but the 1.15.0-1 upload NOTE: did not merge in the 1.14.0-2 upload. CVE-2017-16611 (In libXfont before 1.5.4 and libXfont2 before 2.0.3, a local attacker ...) - libxfont 1:2.0.3-1 (low; bug #883929) [stretch] - libxfont (Minor issue) [jessie] - libxfont (Minor issue) [wheezy] - libxfont (Minor issue) - libxfont1 (unimportant) NOTE: http://www.openwall.com/lists/oss-security/2017/11/28/7 NOTE: https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=7b377456f95d2ec3ead40f4fb74ea620191f88c8 NOTE: (for 1.5.x): https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?h=libXfont-1.5-branch&id=5ed8ac0e4f063825b8ecda48e9a111d3ce92e825 NOTE: https://marc.info/?l=freedesktop-xorg-announce&m=151188049718337&w=2 NOTE: https://marc.info/?l=freedesktop-xorg-announce&m=151188044218304&w=2 CVE-2017-16610 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Netgain CVE-2017-16609 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Netgain CVE-2017-16608 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Netgain CVE-2017-16607 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Netgain CVE-2017-16606 (This vulnerability allows remote attackers to execute code by creating ...) NOT-FOR-US: Netgain CVE-2017-16605 (This vulnerability allows remote attackers to overwrite arbitrary file ...) NOT-FOR-US: Netgain CVE-2017-16604 (This vulnerability allows remote attackers to overwrite arbitrary file ...) NOT-FOR-US: Netgain CVE-2017-16603 (This vulnerability allows remote attackers to execute code by creating ...) NOT-FOR-US: Netgain CVE-2017-16602 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Netgain CVE-2017-16601 (This vulnerability allows remote attackers to overwrite arbitrary file ...) NOT-FOR-US: Netgain CVE-2017-16600 (This vulnerability allows remote attackers to overwrite files on vulne ...) NOT-FOR-US: Netgain CVE-2017-16599 (This vulnerability allows remote attackers to delete arbitrary files o ...) NOT-FOR-US: Netgain CVE-2017-16598 (This vulnerability allows remote attackers to execute code by overwrit ...) NOT-FOR-US: Netgain CVE-2017-16597 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Netgain CVE-2017-16596 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Netgain CVE-2017-16595 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Netgain CVE-2017-16594 (This vulnerability allows remote attackers to create arbitrary files o ...) NOT-FOR-US: Netgain CVE-2017-16593 (This vulnerability allows remote attackers to delete arbitrary files o ...) NOT-FOR-US: Netgain CVE-2017-16592 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Netgain CVE-2017-16591 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Netgain CVE-2017-16590 (This vulnerability allows remote attackers to bypass authentication on ...) NOT-FOR-US: Netgain CVE-2017-16589 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2017-16588 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2017-16587 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-16586 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-16585 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-16584 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2017-16583 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-16582 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-16581 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-16580 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2017-16579 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2017-16578 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-16577 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-16576 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-16575 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-16574 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2017-16573 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2017-16572 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-16571 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-16570 (KeystoneJS before 4.0.0-beta.7 allows application-wide CSRF bypass by ...) NOT-FOR-US: KeystoneJS CVE-2017-16569 (An Open URL Redirect issue exists in Zurmo 3.2.1.57987acc3018 via an h ...) NOT-FOR-US: Zurmo CVE-2017-16568 (Cross-site scripting (XSS) vulnerability in Logitech Media Server 7.9. ...) NOT-FOR-US: Logitech Media Server CVE-2017-16567 (Cross-site scripting (XSS) vulnerability in Logitech Media Server 7.9. ...) NOT-FOR-US: Logitech Media Server CVE-2017-16566 (On Jooan IP Camera A5 2.3.36 devices, an insecure FTP server does not ...) NOT-FOR-US: Jooan IP Camera A5 2.3.36 devices CVE-2017-16565 (Cross-Site Request Forgery (CSRF) in /cgi-bin/login on Vonage (Grandst ...) NOT-FOR-US: Vonage CVE-2017-16564 (Stored Cross-site scripting (XSS) vulnerability in /cgi-bin/config2 on ...) NOT-FOR-US: Vonage CVE-2017-16563 (Cross-Site Request Forgery (CSRF) in the Basic Settings screen on Vona ...) NOT-FOR-US: Vonage CVE-2017-16562 (The UserPro plugin before 4.9.17.1 for WordPress, when used on a site ...) NOT-FOR-US: WordPress plugin userpro CVE-2017-16561 (/view/friend_profile.php in Ingenious School Management System 2.3.0 i ...) NOT-FOR-US: Ingenious School Management System CVE-2017-16560 (SanDisk Secure Access 3.01 vault decrypts and copies encrypted files t ...) NOT-FOR-US: SanDisk Secure Access CVE-2017-16559 RESERVED CVE-2017-16558 (Contao 3.0.0 to 3.5.30 and 4.0.0 to 4.4.7 contains an SQL injection vu ...) NOT-FOR-US: Contao CVE-2017-16557 (K7 Antivirus Premium before 15.1.0.53 allows local users to gain privi ...) NOT-FOR-US: K7 Antivirus CVE-2017-16556 (In K7 Antivirus Premium before 15.1.0.53, user-controlled input can be ...) NOT-FOR-US: K7 Antivirus CVE-2017-16555 (K7 Antivirus Premium before 15.1.0.53 allows local users to gain privi ...) NOT-FOR-US: K7 Antivirus CVE-2017-16554 (K7 Antivirus Premium before 15.1.0.53 allows local users to write to a ...) NOT-FOR-US: K7 Antivirus CVE-2017-16553 (K7 Antivirus Premium before 15.1.0.53 allows local users to gain privi ...) NOT-FOR-US: K7 Antivirus CVE-2017-16552 (K7 Antivirus Premium before 15.1.0.53 allows local users to write to a ...) NOT-FOR-US: K7 Antivirus CVE-2017-16551 (K7 Antivirus Premium before 15.1.0.53 allows local users to gain privi ...) NOT-FOR-US: K7 Antivirus CVE-2017-16550 (K7 Antivirus Premium before 15.1.0.53 allows local users to write to a ...) NOT-FOR-US: K7 Antivirus CVE-2017-16549 (K7 Antivirus Premium before 15.1.0.53 allows local users to write to a ...) NOT-FOR-US: K7 Antivirus CVE-2017-16548 (The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-develo ...) {DSA-4068-1 DLA-1218-1} - rsync 3.1.2-2.1 (bug #880954) NOTE: https://bugzilla.samba.org/show_bug.cgi?id=13112 NOTE: https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1 CVE-2017-16547 (The DrawImage function in magick/render.c in GraphicsMagick 1.3.26 doe ...) {DSA-4321-1 DLA-1456-1 DLA-1170-1} - graphicsmagick 1.3.26-18 NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/785758bbbfcc NOTE: https://sourceforge.net/p/graphicsmagick/bugs/517/ CVE-2017-16546 (The ReadWPGImage function in coders/wpg.c in ImageMagick 7.0.7-9 does ...) {DSA-4074-1 DSA-4040-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #881392) [wheezy] - imagemagick (Vulnerable code not present; PoC from GitHub issue results in memory allocation exception thrown at coders/wpg.c:1109 and valgrind does not report any issues) NOTE: https://github.com/ImageMagick/ImageMagick/commit/2130bf6f89ded32ef0c88a11694f107c52566c53 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/e04cf3e9524f50ca336253513d977224e083b816 NOTE: https://github.com/ImageMagick/ImageMagick/issues/851 CVE-2017-16545 (The ReadWPGImage function in coders/wpg.c in GraphicsMagick 1.3.26 doe ...) {DSA-4321-1} - graphicsmagick 1.3.26-18 [jessie] - graphicsmagick 1.3.20-3+deb8u3 [wheezy] - graphicsmagick (Not possible to trigger with presented test case) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/e8086faa52d0 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/519/ NOTE: The wheezy version gives an assert before the vulnerability can be triggered. Due to this NOTE: the severity of the wheezy version is low even though the vulnerable code is still present. NOTE: The patch is trivial so it may be worth fixing in combination with some other fix. CVE-2017-16544 (In the add_match function in libbb/lineedit.c in BusyBox through 1.27. ...) {DLA-1445-1} - busybox 1:1.27.2-2 (bug #882258) [stretch] - busybox (Minor issue, can be fixed via point release) [wheezy] - busybox (Minor issue) NOTE: https://www.twistlock.com/2017/11/20/cve-2017-16544-busybox-autocompletion-vulnerability/ NOTE: https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8 CVE-2017-16543 (Zoho ManageEngine Applications Manager 13 before build 13500 allows SQ ...) NOT-FOR-US: Zoho CVE-2017-16542 (Zoho ManageEngine Applications Manager 13 before build 13500 allows Po ...) NOT-FOR-US: Zoho CVE-2017-16541 (Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to ...) {DSA-4327-1 DLA-1575-1} - firefox 62.0-1 (unimportant) - firefox-esr 60.2.0esr-1 (unimportant) [stretch] - firefox-esr 60.2.0esr-1~deb9u2 - thunderbird 1:60.2.1-1 NOTE: https://trac.torproject.org/projects/tor/ticket/24052 NOTE: https://blog.torproject.org/tor-browser-709-released NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-20/#CVE-2017-16541 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-21/#CVE-2017-16541 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-25/#CVE-2017-16541 CVE-2017-16540 (OpenEMR before 5.0.0 Patch 5 allows unauthenticated remote database co ...) NOT-FOR-US: OpenEMR CVE-2017-16539 (The DefaultLinuxSpec function in oci/defaults.go in Docker Moby throug ...) - docker.io 1.13.1~ds3-1 (bug #900140) NOTE: https://github.com/moby/moby/pull/35399 NOTE: https://github.com/moby/moby/pull/35399/commits/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1 CVE-2017-16538 (drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux kernel through 4.1 ...) {DSA-4082-1 DSA-4073-1} - linux 4.14.7-1 [wheezy] - linux (Vulnerable code not present) CVE-2017-16537 (The imon_probe function in drivers/media/rc/imon.c in the Linux kernel ...) {DLA-1200-1} - linux 4.13.13-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 CVE-2017-16536 (The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-ca ...) {DLA-1200-1} - linux 4.13.13-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 CVE-2017-16535 (The usb_get_bos_descriptor function in drivers/usb/core/config.c in th ...) {DLA-1200-1} - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 NOTE: Fixed by: https://git.kernel.org/linus/1c0edc3633b56000e18d82fc241e3995ca18a69e CVE-2017-16534 (The cdc_parse_cdc_header function in drivers/usb/core/message.c in the ...) - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/2e1c42391ff2556387b3cb6308b24f6f65619feb CVE-2017-16533 (The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the Linu ...) {DLA-1200-1} - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 NOTE: Fixed by: https://git.kernel.org/linus/f043bfc98c193c284e2cd768fefabe18ac2fed9b CVE-2017-16532 (The get_endpoints function in drivers/usb/misc/usbtest.c in the Linux ...) {DLA-1200-1} - linux 4.13.13-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 NOTE: Fixed by: https://git.kernel.org/linus/7c80f9e4a588f1925b07134bb2e3689335f6c6d8 CVE-2017-16531 (drivers/usb/core/config.c in the Linux kernel before 4.13.6 allows loc ...) {DLA-1200-1} - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 NOTE: Fixed by: https://git.kernel.org/linus/bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb CVE-2017-16530 (The uas driver in the Linux kernel before 4.13.6 allows local users to ...) - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/786de92b3cb26012d3d0f00ee37adf14527f35c4 CVE-2017-16529 (The snd_usb_create_streams function in sound/usb/card.c in the Linux k ...) {DLA-1200-1} - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 NOTE: Fixed by: https://git.kernel.org/linus/bfc81a8bc18e3c4ba0cbaa7666ff76be2f998991 CVE-2017-16528 (sound/core/seq_device.c in the Linux kernel before 4.13.4 allows local ...) - linux 4.13.4-1 [stretch] - linux 4.9.65-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/fc27fe7e8deef2f37cba3f2be2d52b6ca5eb9d57 CVE-2017-16527 (sound/usb/mixer.c in the Linux kernel before 4.13.8 allows local users ...) {DLA-1200-1} - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 NOTE: Fixed by: https://git.kernel.org/linus/124751d5e63c823092060074bd0abaae61aaa9c4 CVE-2017-16526 (drivers/uwb/uwbd.c in the Linux kernel before 4.13.6 allows local user ...) {DSA-4187-1 DLA-1369-1} - linux 4.13.10-1 [stretch] - linux 4.9.65-1 NOTE: Fixed by: https://git.kernel.org/linus/bbf26183b7a6236ba602f4d6a2f7cade35bba043 CVE-2017-16525 (The usb_serial_console_disconnect function in drivers/usb/serial/conso ...) {DLA-1200-1} - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 CVE-2017-16524 (Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from an Unre ...) NOT-FOR-US: Samsung SRN-1670D devices CVE-2017-16523 (MitraStar GPT-2541GNAC (HGU) 1.00(VNJ0)b1 and DSL-100HN-T1 ES_113WJY0b ...) NOT-FOR-US: MitraStar CVE-2017-16522 (MitraStar GPT-2541GNAC (HGU) 1.00(VNJ0)b1 and DSL-100HN-T1 ES_113WJY0b ...) NOT-FOR-US: MitraStar CVE-2017-16521 (In Inedo BuildMaster before 5.8.2, XslTransform was used where XslComp ...) NOT-FOR-US: Inedo BuildMaster CVE-2017-16520 (Inedo BuildMaster before 5.8.2 does not properly restrict creation of ...) NOT-FOR-US: Inedo BuildMaster CVE-2017-16519 RESERVED CVE-2017-16518 RESERVED CVE-2017-16517 RESERVED CVE-2017-16516 (In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is suppl ...) {DLA-1167-1} - ruby-yajl 1.2.0-3.1 (low; bug #880691) [stretch] - ruby-yajl (Minor issue) [jessie] - ruby-yajl (Minor issue) NOTE: https://github.com/brianmario/yajl-ruby/issues/176 NOTE: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce CVE-2017-16515 RESERVED CVE-2017-16514 (Multiple persistent stored Cross-Site-Scripting (XSS) vulnerabilities ...) NOT-FOR-US: WebsiteBaker CVE-2017-16513 (Ipswitch WS_FTP Professional before 12.6.0.3 has buffer overflows in t ...) NOT-FOR-US: Ipswitch WS_FTP Professional CVE-2017-16512 (The vagrant update process in Hashicorp vagrant-vmware-fusion 5.0.2 th ...) NOT-FOR-US: vagrant-vmware-fusion CVE-2017-16511 RESERVED CVE-2017-1000171 (Mahara Mobile before 1.2.1 is vulnerable to passwords being sent to th ...) - mahara CVE-2017-1000157 (Mahara 15.04 before 15.04.13 and 16.04 before 16.04.7 and 16.10 before ...) - mahara CVE-2017-1000156 (Mahara 15.04 before 15.04.9 and 15.10 before 15.10.5 and 16.04 before ...) - mahara CVE-2017-1000155 (Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before ...) - mahara CVE-2017-1000154 (Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before ...) - mahara CVE-2017-1000153 (Mahara 15.04 before 15.04.10 and 15.10 before 15.10.6 and 16.04 before ...) - mahara CVE-2017-1000152 (Mahara 15.04 before 15.04.7 and 15.10 before 15.10.3 running PHP 5.3 a ...) - mahara CVE-2017-1000151 (Mahara 15.04 before 15.04.9 and 15.10 before 15.10.5 and 16.04 before ...) - mahara CVE-2017-1000150 (Mahara 15.04 before 15.04.7 and 15.10 before 15.10.3 are vulnerable to ...) - mahara CVE-2017-1000149 (Mahara 1.10 before 1.10.9 and 15.04 before 15.04.6 and 15.10 before 15 ...) - mahara CVE-2017-1000148 (Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before ...) - mahara CVE-2017-1000147 (Mahara 1.9 before 1.9.8 and 1.10 before 1.10.6 and 15.04 before 15.04. ...) - mahara CVE-2017-1000146 (Mahara 1.9 before 1.9.7 and 1.10 before 1.10.5 and 15.04 before 15.04. ...) - mahara CVE-2017-1000145 (Mahara 1.9 before 1.9.7 and 1.10 before 1.10.5 and 15.04 before 15.04. ...) - mahara CVE-2017-1000144 (Mahara 1.9 before 1.9.6 and 1.10 before 1.10.4 and 15.04 before 15.04. ...) - mahara CVE-2017-1000143 (Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 an ...) - mahara CVE-2017-1000142 (Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 an ...) - mahara CVE-2017-1000141 (An issue was discovered in Mahara before 18.10.0. It mishandled user r ...) - mahara NOTE: https://bugs.launchpad.net/mahara/+bug/1422492 CVE-2017-1000140 (Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 an ...) - mahara CVE-2017-1000139 (Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 an ...) - mahara CVE-2017-1000138 (Mahara 1.10 before 1.10.0 and 15.04 before 15.04.0 are vulnerable to p ...) - mahara CVE-2017-1000137 (Mahara 1.10 before 1.10.0 and 15.04 before 15.04.0 are vulnerable to p ...) - mahara CVE-2017-1000136 (Mahara 1.8 before 1.8.6 and 1.9 before 1.9.4 and 1.10 before 1.10.1 an ...) - mahara CVE-2017-1000135 (Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 an ...) - mahara CVE-2017-1000134 (Mahara 1.8 before 1.8.6 and 1.9 before 1.9.4 and 1.10 before 1.10.1 an ...) - mahara CVE-2017-1000133 (Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before ...) - mahara CVE-2017-1000132 (Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 an ...) - mahara CVE-2017-1000131 (Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before ...) - mahara CVE-2017-16510 (WordPress before 4.8.3 is affected by an issue where $wpdb->prepare ...) {DSA-4090-1 DLA-1160-1} - wordpress 4.8.3+dfsg-1 (bug #880528) NOTE: https://wpvulndb.com/vulnerabilities/8941 NOTE: https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d NOTE: https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html CVE-2017-16509 REJECTED CVE-2017-16508 REJECTED CVE-2017-16507 REJECTED CVE-2017-16506 REJECTED CVE-2017-16505 REJECTED CVE-2017-16504 REJECTED CVE-2017-16503 REJECTED CVE-2017-16502 REJECTED CVE-2017-16501 REJECTED CVE-2017-16500 REJECTED CVE-2017-16499 REJECTED CVE-2017-16498 REJECTED CVE-2017-16497 REJECTED CVE-2017-16496 REJECTED CVE-2017-16495 REJECTED CVE-2017-16494 REJECTED CVE-2017-16493 REJECTED CVE-2017-16492 REJECTED CVE-2017-16491 REJECTED CVE-2017-16490 REJECTED CVE-2017-16489 REJECTED CVE-2017-16488 REJECTED CVE-2017-16487 REJECTED CVE-2017-16486 REJECTED CVE-2017-16485 REJECTED CVE-2017-16484 REJECTED CVE-2017-16483 REJECTED CVE-2017-16482 REJECTED CVE-2017-16481 REJECTED CVE-2017-16480 REJECTED CVE-2017-16479 REJECTED CVE-2017-16478 REJECTED CVE-2017-16477 REJECTED CVE-2017-16476 REJECTED CVE-2017-16475 REJECTED CVE-2017-16474 REJECTED CVE-2017-16473 REJECTED CVE-2017-16472 REJECTED CVE-2017-16471 REJECTED CVE-2017-16470 REJECTED CVE-2017-16469 REJECTED CVE-2017-16468 REJECTED CVE-2017-16467 REJECTED CVE-2017-16466 REJECTED CVE-2017-16465 REJECTED CVE-2017-16464 REJECTED CVE-2017-16463 REJECTED CVE-2017-16462 REJECTED CVE-2017-16461 REJECTED CVE-2017-16460 REJECTED CVE-2017-16459 REJECTED CVE-2017-16458 REJECTED CVE-2017-16457 REJECTED CVE-2017-16456 REJECTED CVE-2017-16455 REJECTED CVE-2017-16454 REJECTED CVE-2017-16453 REJECTED CVE-2017-16452 REJECTED CVE-2017-16451 REJECTED CVE-2017-16450 REJECTED CVE-2017-16449 REJECTED CVE-2017-16448 REJECTED CVE-2017-16447 REJECTED CVE-2017-16446 REJECTED CVE-2017-16445 REJECTED CVE-2017-16444 REJECTED CVE-2017-16443 REJECTED CVE-2017-16442 REJECTED CVE-2017-16441 REJECTED CVE-2017-16440 REJECTED CVE-2017-16439 REJECTED CVE-2017-16438 REJECTED CVE-2017-16437 REJECTED CVE-2017-16436 REJECTED CVE-2017-16435 REJECTED CVE-2017-16434 REJECTED CVE-2017-16433 REJECTED CVE-2017-16432 REJECTED CVE-2017-16431 REJECTED CVE-2017-16430 REJECTED CVE-2017-16429 REJECTED CVE-2017-16428 REJECTED CVE-2017-16427 REJECTED CVE-2017-16426 REJECTED CVE-2017-16425 REJECTED CVE-2017-16424 REJECTED CVE-2017-16423 REJECTED CVE-2017-16422 REJECTED CVE-2017-16421 REJECTED CVE-2017-16420 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16419 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16418 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16417 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16416 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16415 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16414 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16413 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16412 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16411 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16410 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16409 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16408 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16407 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16406 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16405 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16404 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16403 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16402 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16401 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16400 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16399 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16398 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16397 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16396 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16395 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16394 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16393 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16392 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16391 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16390 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16389 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16388 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16387 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16386 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16385 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16384 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16383 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16382 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16381 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16380 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16379 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16378 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16377 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16376 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16375 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16374 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16373 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16372 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16371 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16370 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16369 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16368 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16367 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16366 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16365 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16364 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16363 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16362 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16361 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16360 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16359 (In radare 2.0.1, a pointer wraparound vulnerability exists in store_ve ...) - radare2 2.1.0+dfsg-1 (bug #880616) [jessie] - radare2 (Vulnerable code introduced later) [wheezy] - radare2 (Vulnerable code introduced later) NOTE: https://github.com/radare/radare2/commit/62e39f34b2705131a2d08aff0c2e542c6a52cf0e NOTE: https://github.com/radare/radare2/commit/d21e91f075a7a7a8ed23baa5c1bb1fac48313882 NOTE: https://github.com/radare/radare2/commit/fbaf24bce7ea4211e4608b3ab6c1b45702cb243d NOTE: https://github.com/radare/radare2/issues/8764 CVE-2017-16358 (In radare 2.0.1, an out-of-bounds read vulnerability exists in string_ ...) - radare2 2.1.0+dfsg-1 (bug #880619) [jessie] - radare2 (Vulnerable code introduced later) [wheezy] - radare2 (Vulnerable code introduced later) NOTE: https://github.com/radare/radare2/commit/d31c4d3cbdbe01ea3ded16a584de94149ecd31d9 NOTE: https://github.com/radare/radare2/issues/8748 CVE-2017-16357 (In radare 2.0.1, a memory corruption vulnerability exists in store_ver ...) - radare2 2.1.0+dfsg-1 (bug #880620) [jessie] - radare2 (Vulnerable code introduced later) [wheezy] - radare2 (Vulnerable code introduced later) NOTE: https://github.com/radare/radare2/commit/0b973e28166636e0ff1fad80baa0385c9c09c53a NOTE: https://github.com/radare/radare2/issues/8742 CVE-2017-16356 (Reflected XSS in Kubik-Rubik SIGE (aka Simple Image Gallery Extended) ...) NOT-FOR-US: Kubik-Rubik SIGE CVE-2017-16355 (In agent/Core/SpawningKit/Spawner.h in Phusion Passenger 5.1.10 (fixed ...) {DSA-4415-1} - passenger 5.0.30-1.1 (bug #884463) - ruby-passenger [jessie] - ruby-passenger (Minor issue) [wheezy] - ruby-passenger (Vulnerable code introduced later) NOTE: https://blog.phusion.nl/2017/10/13/passenger-security-advisory-5-1-11/ NOTE: https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf NOTE: http://www.openwall.com/lists/oss-security/2017/11/21/2 and following. NOTE: Problem mitigated in versions prior to 5.0.10 where root privileges were required to NOTE: get the status information. CVE-2017-16354 RESERVED CVE-2017-16353 (GraphicsMagick 1.3.26 is vulnerable to a memory information disclosure ...) {DSA-4321-1 DLA-1401-1 DLA-1159-1} - graphicsmagick 1.3.26-17 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=e4e1c2a581d8 NOTE: https://blogs.securiteam.com/index.php/archives/3494 CVE-2017-16352 (GraphicsMagick 1.3.26 is vulnerable to a heap-based buffer overflow vu ...) {DSA-4321-1 DLA-1456-1 DLA-1159-1} - graphicsmagick 1.3.26-17 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=7292230dd185 NOTE: https://blogs.securiteam.com/index.php/archives/3494 CVE-2017-1001001 (PluXml version 5.6 is vulnerable to stored cross-site scripting vulner ...) - pluxml 5.6-1 (bug #881796) [stretch] - pluxml (Minor issue) [jessie] - pluxml (Minor issue) NOTE: https://github.com/pluxml/PluXml/issues/253 CVE-2017-1000244 (Jenkins Favorite Plugin version 2.2.0 and older is vulnerable to CSRF ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000243 (Jenkins Favorite Plugin 2.1.4 and older does not perform permission ch ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000242 (Jenkins Git Client Plugin 2.4.2 and earlier creates temporary file wit ...) NOT-FOR-US: Jenkins plugin CVE-2017-16351 REJECTED CVE-2017-16350 REJECTED CVE-2017-16349 (An exploitable XML external entity vulnerability exists in the reporti ...) NOT-FOR-US: SAP CVE-2017-16348 (An exploitable denial of service vulnerability exists in Insteon Hub r ...) NOT-FOR-US: Insteon Hub CVE-2017-16347 (An attacker could send an authenticated HTTP request to trigger this v ...) NOT-FOR-US: Insteon Hub CVE-2017-16346 (An attacker could send an authenticated HTTP request to trigger this v ...) NOT-FOR-US: Insteon Hub CVE-2017-16345 (An attacker could send an authenticated HTTP request to trigger this v ...) NOT-FOR-US: Insteon Hub CVE-2017-16344 (An attacker could send an authenticated HTTP request to trigger this v ...) NOT-FOR-US: Insteon Hub CVE-2017-16343 (An attacker could send an authenticated HTTP request to trigger this v ...) NOT-FOR-US: Insteon Hub CVE-2017-16342 (An attacker could send an authenticated HTTP request to trigger this v ...) NOT-FOR-US: Insteon Hub CVE-2017-16341 (An attacker could send an authenticated HTTP request to trigger this v ...) NOT-FOR-US: Insteon Hub CVE-2017-16340 (An attacker could send an authenticated HTTP request to trigger this v ...) NOT-FOR-US: Insteon Hub CVE-2017-16339 (An attacker could send an authenticated HTTP request to trigger this v ...) NOT-FOR-US: Insteon Hub CVE-2017-16338 (An attacker could send an authenticated HTTP request to trigger this v ...) NOT-FOR-US: Insteon Hub CVE-2017-16337 (On Insteon Hub 2245-222 devices with firmware version 1012, specially ...) NOT-FOR-US: Insteon Hub CVE-2017-16336 RESERVED CVE-2017-16335 RESERVED CVE-2017-16334 RESERVED CVE-2017-16333 RESERVED CVE-2017-16332 RESERVED CVE-2017-16331 RESERVED CVE-2017-16330 RESERVED CVE-2017-16329 RESERVED CVE-2017-16328 RESERVED CVE-2017-16327 RESERVED CVE-2017-16326 RESERVED CVE-2017-16325 RESERVED CVE-2017-16324 RESERVED CVE-2017-16323 RESERVED CVE-2017-16322 RESERVED CVE-2017-16321 RESERVED CVE-2017-16320 RESERVED CVE-2017-16319 RESERVED CVE-2017-16318 RESERVED CVE-2017-16317 RESERVED CVE-2017-16316 RESERVED CVE-2017-16315 RESERVED CVE-2017-16314 RESERVED CVE-2017-16313 RESERVED CVE-2017-16312 RESERVED CVE-2017-16311 RESERVED CVE-2017-16310 RESERVED CVE-2017-16309 RESERVED CVE-2017-16308 RESERVED CVE-2017-16307 RESERVED CVE-2017-16306 RESERVED CVE-2017-16305 RESERVED CVE-2017-16304 RESERVED CVE-2017-16303 RESERVED CVE-2017-16302 RESERVED CVE-2017-16301 RESERVED CVE-2017-16300 RESERVED CVE-2017-16299 RESERVED CVE-2017-16298 RESERVED CVE-2017-16297 RESERVED CVE-2017-16296 RESERVED CVE-2017-16295 RESERVED CVE-2017-16294 RESERVED CVE-2017-16293 RESERVED CVE-2017-16292 RESERVED CVE-2017-16291 RESERVED CVE-2017-16290 RESERVED CVE-2017-16289 RESERVED CVE-2017-16288 RESERVED CVE-2017-16287 RESERVED CVE-2017-16286 RESERVED CVE-2017-16285 RESERVED CVE-2017-16284 RESERVED CVE-2017-16283 RESERVED CVE-2017-16282 RESERVED CVE-2017-16281 RESERVED CVE-2017-16280 RESERVED CVE-2017-16279 RESERVED CVE-2017-16278 RESERVED CVE-2017-16277 RESERVED CVE-2017-16276 RESERVED CVE-2017-16275 RESERVED CVE-2017-16274 RESERVED CVE-2017-16273 RESERVED CVE-2017-16272 RESERVED CVE-2017-16271 RESERVED CVE-2017-16270 RESERVED CVE-2017-16269 RESERVED CVE-2017-16268 RESERVED CVE-2017-16267 RESERVED CVE-2017-16266 RESERVED CVE-2017-16265 RESERVED CVE-2017-16264 RESERVED CVE-2017-16263 RESERVED CVE-2017-16262 RESERVED CVE-2017-16261 RESERVED CVE-2017-16260 RESERVED CVE-2017-16259 RESERVED CVE-2017-16258 RESERVED CVE-2017-16257 RESERVED CVE-2017-16256 RESERVED CVE-2017-16255 (An exploitable buffer overflow vulnerability exists in the PubNub mess ...) NOT-FOR-US: Insteon Hub CVE-2017-16254 (An exploitable buffer overflow vulnerability exists in the PubNub mess ...) NOT-FOR-US: Insteon Hub CVE-2017-16253 (An exploitable buffer overflow vulnerability exists in the PubNub mess ...) NOT-FOR-US: Insteon Hub CVE-2017-16252 (Specially crafted commands sent through the PubNub service in Insteon ...) NOT-FOR-US: Insteon Hub CVE-2017-16251 (A vulnerability in the conferencing component of Mitel ST 14.2, releas ...) NOT-FOR-US: Mitel CVE-2017-16250 (A vulnerability in Mitel ST 14.2, release GA28 and earlier, could allo ...) NOT-FOR-US: Mitel CVE-2017-16249 (The Debut embedded http server contains a remotely exploitable denial ...) NOT-FOR-US: Debut embedded http server CVE-2017-16247 RESERVED CVE-2017-16246 RESERVED CVE-2017-16245 RESERVED CVE-2017-16244 (Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426 ...) NOT-FOR-US: OctoberCMS CVE-2017-16243 RESERVED CVE-2017-16242 (An issue was discovered on MECO USB Memory Stick with Fingerprint MECO ...) NOT-FOR-US: MECO CVE-2017-1000384 REJECTED CVE-2017-1000383 (GNU Emacs version 25.3.1 (and other versions most likely) ignores umas ...) NOTE: This CVE assignment is nonsense, GNU emacs reuses the umask of the original NOTE: file when creating a backup file. That's hardly incorrect behaviour NOTE: Upstream report: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=29182 CVE-2017-1000382 (VIM version 8.0.1187 (and other versions most likely) ignores umask wh ...) - vim (unimportant) NOTE: http://www.openwall.com/lists/oss-security/2017/10/31/15 NOTE: Cf. http://www.openwall.com/lists/oss-security/2017/11/01/4 NOTE: vim creates the .swp file according to the permissions of the file being NOTE: edited, admitely ignoring the umask, so in the reporters case the .swp NOTE: file is readable by others. But that seem to be the intended behaviour. CVE-2017-16248 (The Catalyst-Plugin-Static-Simple module before 0.34 for Perl allows r ...) - libcatalyst-plugin-static-simple-perl 0.34-1 (bug #880458) [stretch] - libcatalyst-plugin-static-simple-perl (Minor issue) [jessie] - libcatalyst-plugin-static-simple-perl (Minor issue) NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=120558 CVE-2017-16241 (Incorrect access control in AMAG Symmetry Door Edge Network Controller ...) NOT-FOR-US: AMAG Symmetry Door Edge Network Controllers CVE-2017-16240 RESERVED CVE-2017-17051 (An issue was discovered in the default FilterScheduler in OpenStack No ...) - nova 2:16.0.3-6 (bug #883621) [stretch] - nova (Fix for CVE-2017-16239 not applied and not affecting 14.x.y) [jessie] - nova (Vulnerable code not present) [wheezy] - nova (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2017/12/05/5 NOTE: https://launchpad.net/bugs/1732976 CVE-2017-16239 (In OpenStack Nova through 14.0.9, 15.x through 15.0.7, and 16.x throug ...) {DSA-4056-1} - nova 2:16.0.3-1 (bug #882009) [jessie] - nova (Vulnerble code introduced later) [wheezy] - nova (Vulnerble code introduced later) NOTE: https://launchpad.net/bugs/1664931 NOTE: https://security.openstack.org/ossa/OSSA-2017-005.html NOTE: Regression fix: http://www.openwall.com/lists/oss-security/2017/12/05/4 CVE-2017-16238 RESERVED CVE-2017-16237 (In Vir.IT eXplorer Anti-Virus before 8.5.42, the driver file (VIAGLT64 ...) NOT-FOR-US: Vir.IT eXplorer Anti-Virus CVE-2017-16236 RESERVED CVE-2017-16235 RESERVED CVE-2017-16234 RESERVED CVE-2017-16233 RESERVED CVE-2016-10699 (D-Link DSL-2740E 1.00_BG_20150720 devices are prone to persistent XSS ...) NOT-FOR-US: D-Link devices CVE-2015-9245 (Insecure default configuration in Progress Software OpenEdge 10.2x and ...) NOT-FOR-US: Progress Software OpenEdge CVE-2017-16232 (** DISPUTED ** LibTIFF 4.0.8 has multiple memory leak vulnerabilities, ...) - tiff (unimportant) NOTE: http://seclists.org/oss-sec/2017/q4/168 NOTE: Related commit: https://gitlab.com/libtiff/libtiff/commit/25f9ffa56548c1846c4a1f19308b7f561f7b1ab0 NOTE: This is actually only a partial fix, but upstream will not fix it completely. NOTE: The related commit is included in 4.0.9. The underlying memory-based DOS NOTE: would still be present. CVE-2017-16231 (** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC ...) - pcre3 (unimportant) CVE-2017-16230 (In admin/write-post.php in Typecho through 1.1, one can log in to the ...) NOT-FOR-US: Typecho CVE-2017-16229 (In the Ox gem 2.8.1 for Ruby, the process crashes with a stack-based b ...) - ruby-ox 2.8.2-1 [stretch] - ruby-ox (Minor issue) [jessie] - ruby-ox (Minor issue) NOTE: https://github.com/ohler55/ox/issues/195 NOTE: https://github.com/ohler55/ox/pull/196 NOTE: https://github.com/ohler55/ox/commit/0708ae44faf2ffc3d9330daf6ae023859a8b168b CVE-2017-16228 (Dulwich before 0.18.5, when an SSH subprocess is used, allows remote a ...) - dulwich 0.18.5-1 [stretch] - dulwich (Minor issue) [jessie] - dulwich (Minor issue) [wheezy] - dulwich (Minor issue) NOTE: https://www.dulwich.io/code/dulwich/commit/7116a0cbbda571f7dac863f4b1c00b6e16d6d8d6/ NOTE: This is similar class of issue as for CVE-2017-1000117/git NOTE: But needs a separate CVE since different codebasis. CVE-2017-16227 (The aspath_put function in bgpd/bgp_aspath.c in Quagga before 1.2.2 al ...) {DSA-4011-1 DLA-1152-1} - quagga 1.2.2-1 (bug #879474) NOTE: https://lists.quagga.net/pipermail/quagga-dev/2017-September/033284.html NOTE: http://git.savannah.gnu.org/cgit/quagga.git/commit/?id=7a42b78be9a4108d98833069a88e6fddb9285008 CVE-2017-16226 (The static-eval module is intended to evaluate statically-analyzable e ...) NOT-FOR-US: static-eval module CVE-2017-16225 (aegir is a module to help automate JavaScript project management. Vers ...) NOT-FOR-US: aegir CVE-2017-16224 (st is a module for serving static files. An attacker is able to craft ...) NOT-FOR-US: st CVE-2017-16223 (nodeaaaaa is a static file server. nodeaaaaa is vulnerable to a direct ...) NOT-FOR-US: nodeaaaaa CVE-2017-16222 (elding is a simple web server. elding is vulnerable to a directory tra ...) NOT-FOR-US: elding CVE-2017-16221 (yzt is a simple file server. yzt is vulnerable to a directory traversa ...) NOT-FOR-US: yzt CVE-2017-16220 (wind-mvc is an mvc framework. wind-mvc is vulnerable to a directory tr ...) NOT-FOR-US: wind-mvc CVE-2017-16219 (yttivy is a static file server. yttivy is vulnerable to a directory tr ...) NOT-FOR-US: yttivy CVE-2017-16218 (dgard8.lab6 is a static file server. dgard8.lab6 is vulnerable to a di ...) NOT-FOR-US: dgard8.lab6 CVE-2017-16217 (fbr-client sends files through sockets via socket.io and webRTC. fbr-c ...) NOT-FOR-US: fbr-client CVE-2017-16216 (tencent-server is a simple web server. tencent-server is vulnerable to ...) NOT-FOR-US: tencent-server CVE-2017-16215 (sgqserve is a simple file server. sgqserve is vulnerable to a director ...) NOT-FOR-US: sgqserve CVE-2017-16214 (peiserver is a static file server. peiserver is vulnerable to a direct ...) NOT-FOR-US: peiserver CVE-2017-16213 (mfrserver is a simple file server. mfrserver is vulnerable to a direct ...) NOT-FOR-US: mfrserver CVE-2017-16212 (ltt is a static file server. ltt is vulnerable to a directory traversa ...) NOT-FOR-US: ltt CVE-2017-16211 (lessindex is a static file server. lessindex is vulnerable to a direct ...) NOT-FOR-US: lessindex CVE-2017-16210 (jn_jj_server is a static file server. jn_jj_server is vulnerable to a ...) NOT-FOR-US: jn_jj_server CVE-2017-16209 (enserver is a simple web server. enserver is vulnerable to a directory ...) NOT-FOR-US: enserver CVE-2017-16208 (dmmcquay.lab6 is a REST server. dmmcquay.lab6 is vulnerable to a direc ...) NOT-FOR-US: dmmcquay.lab6 CVE-2017-16207 (discordi.js is a malicious module based on the discord.js library that ...) NOT-FOR-US: discordi.js CVE-2017-16206 (The cofee-script module exfiltrates sensitive data such as a user's pr ...) NOT-FOR-US: cofee-script CVE-2017-16205 (The coffescript module exfiltrates sensitive data such as a user's pri ...) NOT-FOR-US: coffescript CVE-2017-16204 (The jquey module exfiltrates sensitive data such as a user's private S ...) NOT-FOR-US: jquey CVE-2017-16203 (The coffe-script module exfiltrates sensitive data such as a user's pr ...) NOT-FOR-US: coffe-script CVE-2017-16202 (The cofeescript module exfiltrates sensitive data such as a user's pri ...) NOT-FOR-US: cofeescript CVE-2017-16201 (zjjserver is a static file server. zjjserver is vulnerable to a direct ...) NOT-FOR-US: zjjserver CVE-2017-16200 (uv-tj-demo is a static file server. uv-tj-demo is vulnerable to a dire ...) NOT-FOR-US: uv-tj-demo CVE-2017-16199 (susu-sum is a static file server. susu-sum is vulnerable to a director ...) NOT-FOR-US: sus-sum CVE-2017-16198 (ritp is a static web server. ritp is vulnerable to a directory travers ...) NOT-FOR-US: ritp CVE-2017-16197 (qinserve is a static file server. qinserve is vulnerable to a director ...) NOT-FOR-US: sinserve CVE-2017-16196 (quickserver is a simple static file server. quickserver is vulnerable ...) NOT-FOR-US: quickserver CVE-2017-16195 (pytservce is a static file server. pytservce is vulnerable to a direct ...) NOT-FOR-US: pytservce CVE-2017-16194 (picard is a micro framework. picard is vulnerable to a directory trave ...) NOT-FOR-US: picard CVE-2017-16193 (mfrs is a static file server. mfrs is vulnerable to a directory traver ...) NOT-FOR-US: mfrs CVE-2017-16192 (getcityapi.yoehoehne is a web server. getcityapi.yoehoehne is vulnerab ...) NOT-FOR-US: getcityapi.yoehoehne CVE-2017-16191 (cypserver is a static file server. cypserver is vulnerable to a direct ...) NOT-FOR-US: cypserver CVE-2017-16190 (dcdcdcdcdc is a static file server. dcdcdcdcdc is vulnerable to a dire ...) NOT-FOR-US: dcdcdcdcdc CVE-2017-16189 (sly07 is an API for censoring text. sly07 is vulnerable to a directory ...) NOT-FOR-US: sly07 CVE-2017-16188 (reecerver is a web server. reecerver is vulnerable to a directory trav ...) NOT-FOR-US: reecerver CVE-2017-16187 (open-device creates a web interface for any device. open-device is vul ...) NOT-FOR-US: open-device CVE-2017-16186 (360class.jansenhm is a static file server. 360class.jansenhm is vulner ...) NOT-FOR-US: 360class.jansenhm CVE-2017-16185 (uekw1511server is a static file server. uekw1511server is vulnerable t ...) NOT-FOR-US: uekw1511server CVE-2017-16184 (scott-blanch-weather-app is a sample Node.js app using Express 4. scot ...) NOT-FOR-US: scott-blanch-weather-app CVE-2017-16183 (iter-server is a static file server. iter-server is vulnerable to a di ...) NOT-FOR-US: iter-server CVE-2017-16182 (serverxxx is a static file server. serverxxx is vulnerable to a direct ...) NOT-FOR-US: serverxxx CVE-2017-16181 (wintiwebdev is a static file server. wintiwebdev is vulnerable to a di ...) NOT-FOR-US: wintiwebdev CVE-2017-16180 (serverabc is a static file server. serverabc is vulnerable to a direct ...) NOT-FOR-US: serverabc CVE-2017-16179 (dasafio is a web server. dasafio is vulnerable to a directory traversa ...) NOT-FOR-US: dasafio CVE-2017-16178 (intsol-package is a file server. intsol-package is vulnerable to a dir ...) NOT-FOR-US: intsol-package CVE-2017-16177 (chatbyvista is a file server. chatbyvista is vulnerable to a directory ...) NOT-FOR-US: chatbyvista CVE-2017-16176 (jansenstuffpleasework is a file server. jansenstuffpleasework is vulne ...) NOT-FOR-US: jansenstuffpleasework CVE-2017-16175 (ewgaddis.lab6 is a file server. ewgaddis.lab6 is vulnerable to a direc ...) NOT-FOR-US: ewgaddis.lab6 CVE-2017-16174 (whispercast is a file server. whispercast is vulnerable to a directory ...) NOT-FOR-US: whispercast CVE-2017-16173 (utahcityfinder constructs lists of Utah cities with a certain prefix. ...) NOT-FOR-US: utahcityfinder CVE-2017-16172 (section2.madisonjbrooks12 is a simple web server. section2.madisonjbro ...) NOT-FOR-US: section2.madisonjbrooks12 CVE-2017-16171 (hcbserver is a static file server. hcbserver is vulnerable to a direct ...) NOT-FOR-US: hcbserver CVE-2017-16170 (liuyaserver is a static file server. liuyaserver is vulnerable to a di ...) NOT-FOR-US: liuyaserver CVE-2017-16169 (looppake is a simple http server. looppake is vulnerable to a director ...) NOT-FOR-US: looppake CVE-2017-16168 (wffserve is vulnerable to a directory traversal issue, giving an attac ...) NOT-FOR-US: wffserve CVE-2017-16167 (yyooopack is a simple file server. yyooopack is vulnerable to a direct ...) NOT-FOR-US: yyooopack CVE-2017-16166 (byucslabsix is an http server. byucslabsix is vulnerable to a director ...) NOT-FOR-US: byucslabsix CVE-2017-16165 (calmquist.static-server is a static file server. calmquist.static-serv ...) NOT-FOR-US: calmquist.static-server CVE-2017-16164 (desafio is a simple web server. desafio is vulnerable to a directory t ...) NOT-FOR-US: desafio CVE-2017-16163 (dylmomo is a simple file server. dylmomo is vulnerable to a directory ...) NOT-FOR-US: dylmomo CVE-2017-16162 (22lixian is a simple file server. 22lixian is vulnerable to a director ...) NOT-FOR-US: 22lixian CVE-2017-16161 (shenliru is a simple file server. shenliru is vulnerable to a director ...) NOT-FOR-US: shenliru CVE-2017-16160 (11xiaoli is a simple file server. 11xiaoli is vulnerable to a director ...) NOT-FOR-US: 11xiaoli CVE-2017-16159 (caolilinode is a simple file server. caolilinode is vulnerable to a di ...) NOT-FOR-US: caolilinode CVE-2017-16158 (dcserver is a static file server. dcserver is vulnerable to a director ...) NOT-FOR-US: dcserver CVE-2017-16157 (censorify.tanisjr is a simple web server and API RESTful service. cens ...) NOT-FOR-US: censorify.tanisjr CVE-2017-16156 (myprolyz is a static file server. myprolyz is vulnerable to a director ...) NOT-FOR-US: myprolyz CVE-2017-16155 (fast-http-cli is the command line interface for fast-http, a simple we ...) NOT-FOR-US: fast-http-cli CVE-2017-16154 (earlybird is a web server module for early development. earlybird is v ...) NOT-FOR-US: earlybird CVE-2017-16153 (gaoxuyan is vulnerable to a directory traversal issue, giving an attac ...) NOT-FOR-US: gaoxuyan CVE-2017-16152 (static-html-server is a static file server. static-html-server is vuln ...) NOT-FOR-US: static-html-server CVE-2017-16151 (Based on details posted by the ElectronJS team; A remote code executio ...) NOT-FOR-US: Electron CVE-2017-16150 (wanggoujing123 is a simple webserver. wanggoujing123 is vulnerable to ...) NOT-FOR-US: wanggoujing123 CVE-2017-16149 (zwserver is a weather web server. zwserver is vulnerable to a director ...) NOT-FOR-US: zwserver CVE-2017-16148 (serve46 is a static file server. serve46 is vulnerable to a directory ...) NOT-FOR-US: serve46 CVE-2017-16147 (shit-server is a file server. shit-server is vulnerable to a directory ...) NOT-FOR-US: shit-server CVE-2017-16146 (mockserve is a file server. mockserve is vulnerable to a directory tra ...) NOT-FOR-US: mockserve CVE-2017-16145 (sspa is a server dedicated to single-page apps. sspa is vulnerable to ...) NOT-FOR-US: sspa CVE-2017-16144 (myserver.alexcthomas18 is a file server. myserver.alexcthomas18 is vul ...) NOT-FOR-US: myserver.alexcthomas18 CVE-2017-16143 (commentapp.stetsonwood is an http server. commentapp.stetsonwood is vu ...) NOT-FOR-US: commentapp.stetsonwood CVE-2017-16142 (infraserver is a RESTful server. infraserver is vulnerable to a direct ...) NOT-FOR-US: infraserver CVE-2017-16141 (lab6drewfusbyu is an http server. lab6drewfusbyu is vulnerable to a di ...) NOT-FOR-US: lab6drewfusbyu CVE-2017-16140 (lab6.brit95 is a file server. lab6.brit95 is vulnerable to a directory ...) NOT-FOR-US: lab6.brit95 CVE-2017-16139 (jikes is a file server. jikes is vulnerable to a directory traversal i ...) NOT-FOR-US: jikes CVE-2017-16138 (The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expr ...) - node-mime 2.3.1-1 (unimportant; bug #901277) NOTE: https://github.com/broofa/node-mime/issues/167 NOTE: https://nodesecurity.io/advisories/535 NOTE: https://github.com/broofa/node-mime/commit/855d0c4b8b22e4a80b9401a81f2872058eae274d (1.x) NOTE: https://github.com/broofa/node-mime/commit/1df903fdeb9ae7eaa048795b8d580ce2c98f40b0 (2.x) NOTE: nodejs not covered by security support CVE-2017-16137 (The debug module is vulnerable to regular expression denial of service ...) - node-debug 3.1.0-1 (unimportant) NOTE: https://nodesecurity.io/advisories/534 NOTE: nodejs not covered by security support CVE-2017-16136 (method-override is a module used by the Express.js framework to let yo ...) NOT-FOR-US: method-override nodejs module CVE-2017-16135 (serverzyy is a static file server. serverzyy is vulnerable to a direct ...) NOT-FOR-US: serverzyy CVE-2017-16134 (http_static_simple is an http server. http_static_simple is vulnerable ...) NOT-FOR-US: http_static_simple CVE-2017-16133 (goserv is an http server. goserv is vulnerable to a directory traversa ...) NOT-FOR-US: goserv CVE-2017-16132 (simple-npm-registry is a local npm package cache. simple-npm-registry ...) NOT-FOR-US: simple-npm-registry CVE-2017-16131 (unicorn-list is a web framework. unicorn-list is vulnerable to a direc ...) NOT-FOR-US: unicorn-list CVE-2017-16130 (exxxxxxxxxxx is an Http eX Frame Google Style JavaScript Guide. exxxxx ...) NOT-FOR-US: exxxxxxxxxxx CVE-2017-16129 (The HTTP client module superagent is vulnerable to ZIP bomb attacks. I ...) - node-superagent 0.20.0+dfsg-2 [stretch] - node-superagent 0.20.0+dfsg-1+deb9u2 [jessie] - node-superagent (Nodejs in jessie not covered by security support) NOTE: https://github.com/visionmedia/superagent/issues/1259 NOTE: https://nodesecurity.io/advisories/479 CVE-2017-16128 (The module npm-script-demo opened a connection to a command and contro ...) NOT-FOR-US: npm-script-demo CVE-2017-16127 (The module pandora-doomsday infects other modules. It's since been unp ...) NOT-FOR-US: pandora-doomsday CVE-2017-16126 (The module botbait is a tool to be used to track bot and automated too ...) NOT-FOR-US: botbait CVE-2017-16125 (rtcmulticonnection-client is a signaling implementation for RTCMultiCo ...) NOT-FOR-US: rtcmulticonnection-client CVE-2017-16124 (node-server-forfront is a simple static file server. node-server-forfr ...) NOT-FOR-US: node-server-forfront CVE-2017-16123 (welcomyzt is a simple file server. welcomyzt is vulnerable to a direct ...) NOT-FOR-US: welcomyzt CVE-2017-16122 (cuciuci is a simple fileserver. cuciuci is vulnerable to a directory t ...) NOT-FOR-US: cuciuci CVE-2017-16121 (datachannel-client is a signaling implementation for DataChannel.js. d ...) NOT-FOR-US: datachannel-client CVE-2017-16120 (liyujing is a static file server. liyujing is vulnerable to a director ...) NOT-FOR-US: liyujing CVE-2017-16119 (Fresh is a module used by the Express.js framework for HTTP response f ...) - node-fresh 0.2.0-2 (bug #927715) [stretch] - node-fresh (Nodejs in stretch not covered by security support) [jessie] - node-fresh (Nodejs in jessie not covered by security support) NOTE: https://nodesecurity.io/advisories/526 CVE-2017-16118 (The forwarded module is used by the Express.js framework to handle the ...) NOT-FOR-US: forwarded nodejs module CVE-2017-16117 (slug is a module to slugify strings, even if they contain unicode. slu ...) NOT-FOR-US: slug node module CVE-2017-16116 (The string module is a module that provides extra string operations. T ...) NOT-FOR-US: string node module CVE-2017-16115 (The timespan module is vulnerable to regular expression denial of serv ...) NOT-FOR-US: timespane node module CVE-2017-16114 (The marked module is vulnerable to a regular expression denial of serv ...) - node-marked 0.3.9+dfsg-1 (unimportant) NOTE: https://nodesecurity.io/advisories/531 CVE-2017-16113 (The parsejson module is vulnerable to regular expression denial of ser ...) NOT-FOR-US: parsejson node module CVE-2017-16112 REJECTED CVE-2017-16111 (The content module is a module to parse HTTP Content-* headers. It is ...) NOT-FOR-US: node content CVE-2017-16110 (weather.swlyons is a simple web server for weather updates. weather.sw ...) NOT-FOR-US: weather.swlyons CVE-2017-16109 (easyquick is a simple web server. easyquick is vulnerable to a directo ...) NOT-FOR-US: easyquick CVE-2017-16108 (gaoxiaotingtingting is an HTTP server. gaoxiaotingtingting is vulnerab ...) NOT-FOR-US: gaoxiaotingtingting CVE-2017-16107 (pooledwebsocket is vulnerable to a directory traversal issue, giving a ...) NOT-FOR-US: pooledwebsocket CVE-2017-16106 (tmock is a static file server. tmock is vulnerable to a directory trav ...) NOT-FOR-US: tmock CVE-2017-16105 (serverwzl is a simple http server. serverwzl is vulnerable to a direct ...) NOT-FOR-US: serverwzl CVE-2017-16104 (citypredict.whauwiller is vulnerable to a directory traversal issue, g ...) NOT-FOR-US: citypredict.whauwiller CVE-2017-16103 (serveryztyzt is a simple http server. serveryztyzt is vulnerable to a ...) NOT-FOR-US: serveryztyzt CVE-2017-16102 (serverhuwenhui is a simple http server. serverhuwenhui is vulnerable t ...) NOT-FOR-US: serverhuwenhui CVE-2017-16101 (serverwg is a simple http server. serverwg is vulnerable to a director ...) NOT-FOR-US: serverwg CVE-2017-16100 (dns-sync is a sync/blocking dns resolver. If untrusted user input is a ...) NOT-FOR-US: dns-sync CVE-2017-16099 (The no-case module is vulnerable to regular expression denial of servi ...) NOT-FOR-US: no-case CVE-2017-16098 (charset 1.0.0 and below are vulnerable to regular expression denial of ...) NOT-FOR-US: charset CVE-2017-16097 (tiny-http is a simple http server. tiny-http is vulnerable to a direct ...) NOT-FOR-US: tiny-http CVE-2017-16096 (serveryaozeyan is a simple HTTP server. serveryaozeyan is vulnerable t ...) NOT-FOR-US: serveryaozeyan CVE-2017-16095 (serverliujiayi1 is a simple http server. serverliujiayi1 is vulnerable ...) NOT-FOR-US: serverliujiayi1 CVE-2017-16094 (iter-http is a server for static files. iter-http is vulnerable to a d ...) NOT-FOR-US: iter-http CVE-2017-16093 (cyber-js is a simple http server. A cyberjs server is vulnerable to a ...) NOT-FOR-US: cyber-js CVE-2017-16092 (Sencisho is a simple http server for local development. Sencisho is vu ...) NOT-FOR-US: Sencisho CVE-2017-16091 (xtalk helps your browser talk to nodex, a simple web framework. xtalk ...) NOT-FOR-US: xtalk (not the chat client) CVE-2017-16090 (fsk-server is a simple http server. fsk-server is vulnerable to a dire ...) NOT-FOR-US: fsk-server CVE-2017-16089 (serverlyr is a simple http server. serverlyr is vulnerable to a direct ...) NOT-FOR-US: serverlyr CVE-2017-16088 (The safe-eval module describes itself as a safer version of eval. By a ...) NOT-FOR-US: safe-eval CVE-2017-16087 RESERVED CVE-2017-16086 (ua-parser is a port of Browserscope's user agent parser. ua-parser is ...) NOT-FOR-US: ua-parser CVE-2017-16085 (tinyserver2 is a webserver for static files. tinyserver2 is vulnerable ...) NOT-FOR-US: tinyserver2 CVE-2017-16084 (list-n-stream is a server for static files to list and stream local vi ...) NOT-FOR-US: list-n-stream CVE-2017-16083 (node-simple-router is a minimalistic router for Node. node-simple-rout ...) NOT-FOR-US: node-simple-router CVE-2017-16082 (A remote code execution vulnerability was found within the pg module w ...) - node-postgres 7.7.1-1 (unimportant) NOTE: https://nodesecurity.io/advisories/521 NOTE: nodejs not covered by security support CVE-2017-16081 (cross-env.js was a malicious module published with the intent to hijac ...) NOT-FOR-US: malicious node module CVE-2017-16080 (nodesass was a malicious module published with the intent to hijack en ...) NOT-FOR-US: malicious node module CVE-2017-16079 (smb was a malicious module published with the intent to hijack environ ...) NOT-FOR-US: malicious node module CVE-2017-16078 (shadowsock was a malicious module published with the intent to hijack ...) NOT-FOR-US: malicious node module CVE-2017-16077 (mongose was a malicious module published with the intent to hijack env ...) NOT-FOR-US: malicious node module CVE-2017-16076 (proxy.js was a malicious module published with the intent to hijack en ...) NOT-FOR-US: malicious node module CVE-2017-16075 (http-proxy.js was a malicious module published with the intent to hija ...) NOT-FOR-US: malicious node module CVE-2017-16074 (crossenv was a malicious module published with the intent to hijack en ...) NOT-FOR-US: malicious node module CVE-2017-16073 (noderequest was a malicious module published with the intent to hijack ...) NOT-FOR-US: malicious node module CVE-2017-16072 (nodemailer.js was a malicious module published with the intent to hija ...) NOT-FOR-US: malicious node module CVE-2017-16071 (nodemailer-js was a malicious module published with the intent to hija ...) NOT-FOR-US: malicious node module CVE-2017-16070 (nodecaffe was a malicious module published with the intent to hijack e ...) NOT-FOR-US: malicious node module CVE-2017-16069 (nodeffmpeg was a malicious module published with the intent to hijack ...) NOT-FOR-US: malicious node module CVE-2017-16068 (ffmepg was a malicious module published with the intent to hijack envi ...) NOT-FOR-US: malicious node module CVE-2017-16067 (node-opencv was a malicious module published with the intent to hijack ...) NOT-FOR-US: malicious node module CVE-2017-16066 (opencv.js was a malicious module published with the intent to hijack e ...) NOT-FOR-US: malicious node module CVE-2017-16065 (openssl.js was a malicious module published with the intent to hijack ...) NOT-FOR-US: malicious node module CVE-2017-16064 (node-openssl was a malicious module published with the intent to hijac ...) NOT-FOR-US: malicious node module CVE-2017-16063 (node-opensl was a malicious module published with the intent to hijack ...) NOT-FOR-US: malicious node module CVE-2017-16062 (node-tkinter was a malicious module published with the intent to hijac ...) NOT-FOR-US: malicious node module CVE-2017-16061 (tkinter was a malicious module published with the intent to hijack env ...) NOT-FOR-US: malicious node module CVE-2017-16060 (babelcli was a malicious module published with the intent to hijack en ...) NOT-FOR-US: malicious node module CVE-2017-16059 (mssql-node was a malicious module published with the intent to hijack ...) NOT-FOR-US: malicious node module CVE-2017-16058 (gruntcli was a malicious module published with the intent to hijack en ...) NOT-FOR-US: malicious node module CVE-2017-16057 (nodemssql was a malicious module published with the intent to hijack e ...) NOT-FOR-US: malicious node module CVE-2017-16056 (mssql.js was a malicious module published with the intent to hijack en ...) NOT-FOR-US: malicious node module CVE-2017-16055 (`sqlserver` was a malicious module published with the intent to hijack ...) NOT-FOR-US: malicious node module CVE-2017-16054 (`nodefabric` was a malicious module published with the intent to hijac ...) NOT-FOR-US: malicious node module CVE-2017-16053 (`fabric-js` was a malicious module published with the intent to hijack ...) NOT-FOR-US: malicious node module CVE-2017-16052 (`node-fabric` was a malicious module published with the intent to hija ...) NOT-FOR-US: malicious node module CVE-2017-16051 (`sqliter` was a malicious module published with the intent to hijack e ...) NOT-FOR-US: malicious node module CVE-2017-16050 (`sqlite.js` was a malicious module published with the intent to hijack ...) NOT-FOR-US: malicious node module CVE-2017-16049 (`nodesqlite` was a malicious module published with the intent to hijac ...) NOT-FOR-US: malicious node module CVE-2017-16048 (`node-sqlite` was a malicious module published with the intent to hija ...) NOT-FOR-US: malicious node module CVE-2017-16047 (mysqljs was a malicious module published with the intent to hijack env ...) NOT-FOR-US: malicious node module CVE-2017-16046 (`mariadb` was a malicious module published with the intent to hijack e ...) NOT-FOR-US: malicious node module CVE-2017-16045 (`jquery.js` was a malicious module published with the intent to hijack ...) NOT-FOR-US: malicious node module CVE-2017-16044 (`d3.js` was a malicious module published with the intent to hijack env ...) NOT-FOR-US: malicious node module CVE-2017-16043 (Shout is an IRC client. Because the `/topic` command in messages is un ...) NOT-FOR-US: Shout CVE-2017-16042 (Growl adds growl notification support to nodejs. Growl before 1.10.2 d ...) - node-growl 1.10.5-1 (unimportant; bug #900868) [stretch] - node-growl 1.7.0-1+deb9u1 NOTE: Issue: https://github.com/tj/node-growl/issues/60 NOTE: https://github.com/tj/node-growl/pull/61 NOTE: https://nodesecurity.io/advisories/146 NOTE: nodejs not covered by security support CVE-2017-16041 (ikst versions before 1.1.2 download resources over HTTP, which leaves ...) NOT-FOR-US: ikst CVE-2017-16040 (gfe-sass is a library for promises (CommonJS/Promises/A,B,D) gfe-sass ...) NOT-FOR-US: gfe-sass CVE-2017-16039 (`hftp` is a static http or ftp server `hftp` is vulnerable to a direct ...) NOT-FOR-US: hftp CVE-2017-16038 (`f2e-server` 1.12.11 and earlier is vulnerable to a directory traversa ...) NOT-FOR-US: f2e-server CVE-2017-16037 (`gomeplus-h5-proxy` is vulnerable to a directory traversal issue, allo ...) NOT-FOR-US: gomeplus-h5-proxy CVE-2017-16036 (`badjs-sourcemap-server` receives files sent by `badjs-sourcemap`. `ba ...) NOT-FOR-US: badjs-sourcemap-server CVE-2017-16035 (The hubl-server module is a wrapper for the HubL Development Server. D ...) NOT-FOR-US: hubl-server CVE-2017-16034 RESERVED CVE-2017-16033 RESERVED CVE-2017-16032 RESERVED CVE-2017-16031 (Socket.io is a realtime application framework that provides communicat ...) NOT-FOR-US: Socket.io CVE-2017-16030 (Useragent is used to parse useragent headers. It uses several regular ...) NOT-FOR-US: useragent nodejs module CVE-2017-16029 (hostr is a simple web server that serves up the contents of the curren ...) NOT-FOR-US: hostr CVE-2017-16028 (react-native-meteor-oauth is a library for Oauth2 login to a Meteor se ...) NOT-FOR-US: react-native-meteor-oauth CVE-2017-16027 RESERVED CVE-2017-16026 (Request is an http client. If a request is made using ```multipart```, ...) - node-request 2.88.1-1 (bug #901708) [stretch] - node-request (Nodejs in stretch not covered by security support) [jessie] - node-request (Nodejs in jessie not covered by security support) NOTE: https://github.com/request/request/issues/1904 NOTE: https://nodesecurity.io/advisories/309 NOTE: https://github.com/request/request/pull/2018 CVE-2017-16025 (Nes is a websocket extension library for hapi. Hapi is a webserver fra ...) NOT-FOR-US: Nes CVE-2017-16024 (The sync-exec module is used to simulate child_process.execSync in nod ...) NOT-FOR-US: sync-exec CVE-2017-16023 (Decamelize is used to convert a dash/dot/underscore/space separated st ...) - node-decamelize (Fixed before initial upload to Debian) NOTE: https://github.com/sindresorhus/decamelize/issues/5 NOTE: https://github.com/sindresorhus/decamelize/commit/76d47d8de360afb574da2e34db87430ce11094e0 NOTE: nodejs not covered by security support CVE-2017-16022 (Morris.js creates an svg graph, with labels that appear when hovering ...) NOT-FOR-US: Morris.js CVE-2017-16021 (uri-js is a module that tries to fully implement RFC 3986. One of thes ...) NOT-FOR-US: uri-js nodejs module CVE-2017-16020 (Summit is a node web framework. When using the PouchDB driver in the m ...) NOT-FOR-US: Summit CVE-2017-16019 (GitBook is a command line tool (and Node.js library) for building beau ...) NOT-FOR-US: GitBook CVE-2017-16018 (Restify is a framework for building REST APIs. Restify >=2.0.0 < ...) NOT-FOR-US: Restify CVE-2017-16017 (sanitize-html is a library for scrubbing html input for malicious valu ...) NOT-FOR-US: sanitize-html CVE-2017-16016 (Sanitize-html is a library for scrubbing html input of malicious value ...) NOT-FOR-US: sanitize-html CVE-2017-16015 (Forms is a library for easily creating HTML forms. Versions before 1.3 ...) NOT-FOR-US: Forms CVE-2017-16014 (Http-proxy is a proxying library. Because of the way errors are handle ...) - node-http-proxy (bug #896978) NOTE: https://nodesecurity.io/advisories/323 NOTE: https://github.com/nodejitsu/node-http-proxy/pull/101 CVE-2017-16013 (hapi is a web and services application framework. When hapi >= 15.0 ...) NOT-FOR-US: hapi CVE-2017-16012 REJECTED CVE-2017-16011 REJECTED CVE-2017-16010 (i18next is a language translation framework. When using the .init meth ...) - libjs-i18next (unimportant) NOTE: https://github.com/i18next/i18next/pull/826 NOTE: https://nodesecurity.io/advisories/326 NOTE: nodejs not covered by security support CVE-2017-16009 (ag-grid is an advanced data grid that is library agnostic. ag-grid is ...) NOT-FOR-US: ag-grid CVE-2017-16008 (i18next is a language translation framework. Because of how the interp ...) NOT-FOR-US: i18next CVE-2017-16007 (node-jose is a JavaScript implementation of the JSON Object Signing an ...) NOT-FOR-US: node-jose CVE-2017-16006 (Remarkable is a markdown parser. In versions 1.6.2 and lower, remarkab ...) NOT-FOR-US: Remarkable CVE-2017-16005 (Http-signature is a "Reference implementation of Joyent's HTTP Signatu ...) - node-http-signature (Fixed before initial upload to Debian) NOTE: https://github.com/joyent/node-http-signature/issues/10 NOTE: https://nodesecurity.io/advisories/318 NOTE: nodejs not covered by security support CVE-2017-16004 RESERVED CVE-2017-16003 (windows-build-tools is a module for installing C++ Build Tools for Win ...) NOT-FOR-US: windows-build-tools CVE-2017-16002 RESERVED CVE-2017-16001 (In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) ...) NOT-FOR-US: VMware CVE-2017-16000 (SQL injection vulnerability in the EyesOfNetwork web interface (aka eo ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-15999 (In the "NQ Contacts Backup & Restore" application 1.1 for Android, ...) NOT-FOR-US: Contacts Backup & Restore CVE-2017-15998 (In the "NQ Contacts Backup & Restore" application 1.1 for Android, ...) NOT-FOR-US: Contacts Backup & Restore CVE-2017-15997 (In the "NQ Contacts Backup & Restore" application 1.1 for Android, ...) NOT-FOR-US: Contacts Backup & Restore CVE-2017-15996 (elfcomm.c in readelf in GNU Binutils 2.29 allows remote attackers to c ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22361 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d91f0b20e561e326ee91a09a76206257bde8438b CVE-2017-15995 RESERVED CVE-2016-10698 (mystem-fix is a node.js wrapper for MyStem morphology text analyzer by ...) NOT-FOR-US: mystem-fix CVE-2016-10697 (react-native-baidu-voice-synthesizer is a baidu voice speech synthesiz ...) NOT-FOR-US: react-native-baidu-voice-synthesizer CVE-2016-10696 (windows-latestchromedriver downloads the latest version of chromedrive ...) NOT-FOR-US: windows-latestchromedriver CVE-2016-10695 (The npm-test-sqlite3-trunk module provides asynchronous, non-blocking ...) NOT-FOR-US: npm-test-sqlite3-trunk CVE-2016-10694 (alto-saxophone is a module to install and launch Chromedriver for Mac, ...) NOT-FOR-US: alto-saxophone CVE-2016-10693 (pm2-kafka is a PM2 module that installs and runs a kafka server pm2-ka ...) NOT-FOR-US: pm2-kafka CVE-2016-10692 (haxeshim haxe shim to deal with coexisting versions. haxeshim download ...) NOT-FOR-US: haxeshim CVE-2016-10691 (windows-seleniumjar is a module that downloads the Selenium Jar file w ...) NOT-FOR-US: windows-seleniumjar CVE-2016-10690 (openframe-ascii-image module is an openframe plugin which adds support ...) NOT-FOR-US: openframe-ascii-image CVE-2016-10689 (The windows-iedriver module downloads fixed version of iedriverserver. ...) NOT-FOR-US: The windows-iedriver CVE-2016-10688 (Haxe 3 : The Cross-Platform Toolkit (a fork from David Mouton's damoeb ...) NOT-FOR-US: Haxe node module, different from src:haxe CVE-2016-10687 (windows-selenium-chromedriver is a module that downloads the Selenium ...) NOT-FOR-US: windows-selenium-chromedriver CVE-2016-10686 (fis-sass-all is another libsass wrapper for node. fis-sass-all downloa ...) NOT-FOR-US: fis-sass-all CVE-2016-10685 (pk-app-wonderbox is an integration with wonderbox pk-app-wonderbox dow ...) NOT-FOR-US: pk-app-wonderbox CVE-2016-10684 (healthcenter - IBM Monitoring and Diagnostic Tools health Center agent ...) NOT-FOR-US: IBM CVE-2016-10683 (arcanist downloads resources over HTTP, which leaves it vulnerable to ...) NOT-FOR-US: arcanist node module, different from src:arcanist CVE-2016-10682 (massif is a Phantomjs fork massif downloads resources over HTTP, which ...) NOT-FOR-US: massif CVE-2016-10681 (roslib-socketio - The standard ROS Javascript Library fork for add sup ...) NOT-FOR-US: roslib-socketio CVE-2016-10680 (adamvr-geoip-lite is a light weight native JavaScript implementation o ...) NOT-FOR-US: adamvr-geoip-lite CVE-2016-10679 (selenium-standalone-painful installs a start-selenium command line to ...) NOT-FOR-US: selenium-standalone-painful CVE-2016-10678 (serc.js is a Selenium RC process wrapper serc.js downloads binary reso ...) NOT-FOR-US: serc.js CVE-2016-10677 (google-closure-tools-latest is a Node.js module wrapper for downloadin ...) NOT-FOR-US: google-closure-tools-latest CVE-2016-10676 (rs-brightcove is a wrapper around brightcove's web api rs-brightcove d ...) NOT-FOR-US: rs-brightcove CVE-2016-10675 (libsbmlsim is a module that installs linux binaries for libsbmlsim lib ...) NOT-FOR-US: libsbmlsim CVE-2016-10674 (limbus-buildgen is a "build anywhere" build system. limbus-buildgen ve ...) NOT-FOR-US: limbus-buildgen CVE-2016-10673 (ipip-coffee queries geolocation information from IP ipip-coffee downlo ...) NOT-FOR-US: ipip-coffee CVE-2016-10672 (cloudpub-redis is a module for CloudPub: Redis Backend cloudpub-redis ...) NOT-FOR-US: cloudpub-redis CVE-2016-10671 (mystem-wrapper is a Yandex mystem app wrapper module. mystem-wrapper d ...) NOT-FOR-US: mystem-wrapper CVE-2016-10670 (windows-seleniumjar-mirror downloads the Selenium Jar file windows-sel ...) NOT-FOR-US: windows-seleniumjar-mirror CVE-2016-10669 (soci downloads binary resources over HTTP, which leaves it vulnerable ...) NOT-FOR-US: soci CVE-2016-10668 (libsbml is a module that installs Linux binaries for libSBML libsbml d ...) NOT-FOR-US: libsbml node integration, different from src:libsml CVE-2016-10667 (selenium-portal is a Selenium Testing Framework selenium-portal downlo ...) NOT-FOR-US: selenium-portal CVE-2016-10666 (tomita-parser is a Node wrapper for Yandex Tomita Parser tomita-parser ...) NOT-FOR-US: tomita-parser CVE-2016-10665 (herbivore is a packet sniffing and crafting library. Built on libtins ...) NOT-FOR-US: herbivore CVE-2016-10664 (mystem is a Node.js wrapper for MyStem morphology text analyzer by Yan ...) NOT-FOR-US: mystem CVE-2016-10663 (wixtoolset is a Node module wrapper around the wixtoolset binaries wix ...) NOT-FOR-US: wixtoolset CVE-2016-10662 (tomita is a node wrapper for Yandex Tomita Parser tomita downloads bin ...) NOT-FOR-US: tomita CVE-2016-10661 (phantomjs-cheniu is a Headless WebKit with JS API phantomjs-cheniu dow ...) NOT-FOR-US: phantomjs-cheniu CVE-2016-10660 (fis-parser-sass-bin a plugin for fis to compile sass using node-sass-b ...) NOT-FOR-US: fis-parser-sass-bin CVE-2016-10659 (poco - The POCO libraries, downloads source file resources used for co ...) NOT-FOR-US: nodejs poco module CVE-2016-10658 (native-opencv is the OpenCV library installed via npm native-opencv do ...) NOT-FOR-US: native-opencv binding for node, different from src:opencv CVE-2016-10657 (co-cli-installer downloads the co-cli module as part of the install pr ...) NOT-FOR-US: co-cli-installer CVE-2016-10656 (qbs is a build tool that helps simplify the build process for developi ...) NOT-FOR-US: npm qbs (different from src:qbs) CVE-2016-10655 (The clang-extra module installs LLVM's clang-extra tools. clang-extra ...) NOT-FOR-US: npm clang-extra CVE-2016-10654 (sfml downloads resources over HTTP, which leaves it vulnerable to MITM ...) NOT-FOR-US: node-sfml CVE-2016-10653 (xd-testing is a testing library for cross-device (XD) web applications ...) NOT-FOR-US: node xp-testing CVE-2016-10652 (prebuild-lwip is a module for comprehensive, fast, and simple image pr ...) NOT-FOR-US: node prebuild-lwip CVE-2016-10651 (webdriver-launcher is a Node.js Selenium Webdriver Launcher. webdriver ...) NOT-FOR-US: webdriver-launcher CVE-2016-10650 (ntfserver is a Network Testing Framework Server. ntfserver downloads b ...) NOT-FOR-US: ntfserver CVE-2016-10649 (frames-compiler downloads binary resources over HTTP, which leaves it ...) NOT-FOR-US: frames-compiler CVE-2016-10648 (marionette-socket-host is a marionette-js-runner host for sending acti ...) NOT-FOR-US: marionette-socket-host CVE-2016-10647 (node-air-sdk is an AIR SDK for nodejs. node-air-sdk downloads binary r ...) NOT-FOR-US: node-air-sdk CVE-2016-10646 (resourcehacker is a Node wrapper of Resource Hacker (windows executabl ...) NOT-FOR-US: resourcehacker CVE-2016-10645 (grunt-images is a grunt plugin for processing images. grunt-images dow ...) NOT-FOR-US: grunt-images CVE-2016-10644 (slimerjs-edge is a npm wrapper for installing the bleeding edge versio ...) NOT-FOR-US: slimerjs-edge CVE-2016-10643 (jstestdriver is a wrapper for Google's jstestdriver. jstestdriver down ...) NOT-FOR-US: jstestdriver CVE-2016-10642 (cmake installs the cmake x86 linux binaries. cmake downloads binary re ...) NOT-FOR-US: cmake node intregration CVE-2016-10641 (node-bsdiff-android downloads resources over HTTP, which leaves it vul ...) NOT-FOR-US: node-bsdiff-android CVE-2016-10640 (node-thulac is a node binding for thulac. node-thulac downloads binary ...) NOT-FOR-US: node-thulac CVE-2016-10639 (redis-srvr is a npm wrapper for redis-server. redis-srvr downloads bin ...) NOT-FOR-US: redis-srvr CVE-2016-10638 (js-given is a JavaScript frontend to jgiven. js-given downloads binary ...) NOT-FOR-US: js-given CVE-2016-10637 (haxe-dev is a cross-platform toolkit. haxe-dev downloads binary resour ...) NOT-FOR-US: haxe-dev, different from src:haxe CVE-2016-10636 (grunt-ccompiler is a Closure Compiler Grunt Plugin. grunt-ccompiler do ...) NOT-FOR-US: grunt-ccompiler CVE-2016-10635 (broccoli-closure is a Closure compiler plugin for Broccoli. broccoli-c ...) NOT-FOR-US: broccoli-closure CVE-2016-10634 (scala-standalone-bin is a Binary wrapper for ScalaJS. scala-standalone ...) NOT-FOR-US: scala-standalone-bin CVE-2016-10633 (dwebp-bin is a dwebp node.js wrapper that convert WebP into PNG. dwebp ...) NOT-FOR-US: dwebp-bin CVE-2016-10632 (apk-parser2 is a module which extracts Android Manifest info from an A ...) NOT-FOR-US: apk-parser2 CVE-2016-10631 (jvminstall is a module for downloading and unpacking jvm to local syst ...) NOT-FOR-US: jvminstall CVE-2016-10630 (install-g-test downloads resources over HTTP, which leaves it vulnerab ...) NOT-FOR-US: install-g-test CVE-2016-10629 (nw-with-arm is a NW Installer including ARM-Build. nw-with-arm downloa ...) NOT-FOR-US: nw-with-arm CVE-2016-10628 (selenium-wrapper is a selenium server wrapper, including installation ...) NOT-FOR-US: selenium-wrapper CVE-2016-10627 (scala-bin is a binary wrapper for Scala. scala-bin downloads binary re ...) NOT-FOR-US: scala-bin CVE-2016-10626 (mystem3 is a NodeJS wrapper for the Yandex MyStem 3. mystem3 downloads ...) NOT-FOR-US: mystem3 CVE-2016-10625 (headless-browser-lite is a minimal npm installer for phantomjs and sli ...) NOT-FOR-US: headless-browser-lite CVE-2016-10624 (selenium-chromedriver is a simple utility for downloading the Selenium ...) NOT-FOR-US: selenium-chromedriver CVE-2016-10623 (macaca-chromedriver-zxa is a Node.js wrapper for the selenium chromedr ...) NOT-FOR-US: macaca-chromedriver-zxa CVE-2016-10622 (nodeschnaps is a NodeJS compatibility layer for Java (Rhino). nodeschn ...) NOT-FOR-US: nodeschnaps CVE-2016-10621 (fibjs is a runtime for javascript applictions built on google v8 JS. f ...) NOT-FOR-US: fibjs CVE-2016-10620 (atom-node-module-installer installs node modules for atom-shell applic ...) NOT-FOR-US: atom-node-module-installer CVE-2016-10619 (pennyworth is a natural language templating engine. pennyworth downloa ...) NOT-FOR-US: pennyworth CVE-2016-10618 (node-browser is a wrapper webdriver by nodejs. node-browser downloads ...) NOT-FOR-US: node-browser CVE-2016-10617 (box2d-native downloads binary resources over HTTP, which leaves it vul ...) NOT-FOR-US: box2d-native (different from src:box2d) CVE-2016-10616 (openframe-image is an Openframe extension which adds support for image ...) NOT-FOR-US: openframe-image CVE-2016-10615 (curses is bindings for the native curses library, a full featured cons ...) NOT-FOR-US: curses node module CVE-2016-10614 (httpsync is a port of libcurl to node.js. httpsync downloads binary re ...) NOT-FOR-US: httpsync node module CVE-2016-10613 (bionode-sra is a Node.js wrapper for SRA Toolkit. bionode-sra download ...) NOT-FOR-US: bionode-sra CVE-2016-10612 (dalek-browser-ie-canary is Internet Explorer bindings for DalekJS. dal ...) NOT-FOR-US: dalek-browser-ie-canary CVE-2016-10611 (strider-sauce is Sauce Labs / Selenium support for Strider. strider-sa ...) NOT-FOR-US: strider-sauce CVE-2016-10610 (unicode-json is a unicode lookup table. unicode-json before 2.0.0 down ...) NOT-FOR-US: unicode-json CVE-2016-10609 (chromedriver126 is chromedriver version 1.26 for linux OS. chromedrive ...) NOT-FOR-US: chromedriver126 CVE-2016-10608 (robot-js is a module for native system automation for node.js. robot-j ...) NOT-FOR-US: robot-js CVE-2016-10607 (openframe-glsviewer is a Openframe extension which adds support for sh ...) NOT-FOR-US: openframe-glsviewer CVE-2016-10606 (grunt-webdriver-qunit is a grunt plugin to run qunit with webdriver in ...) NOT-FOR-US: grunt-webdriver-qunit CVE-2016-10605 (dalek-browser-ie is Internet Explorer bindings for DalekJS. dalek-brow ...) NOT-FOR-US: dalek-browser-ie CVE-2016-10604 (dalek-browser-chrome is Google Chrome bindings for DalekJS. dalek-brow ...) NOT-FOR-US: dalek-browser-chrome CVE-2016-10603 (air-sdk is a NPM wrapper for the Adobe AIR SDK. air-sdk downloads bina ...) NOT-FOR-US: air-sdk CVE-2016-10602 (haxe is a cross-platform toolkit haxe downloads zipped resources over ...) NOT-FOR-US: Haxe node module, different from src:haxe CVE-2016-10601 (webdrvr is a npm wrapper for Selenium Webdriver including Chromedriver ...) NOT-FOR-US: webdrvr CVE-2016-10600 (webrtc-native uses WebRTC from chromium project. webrtc-native downloa ...) NOT-FOR-US: webrtc-native CVE-2016-10599 (sauce-connect is a Node.js wrapper over the SauceLabs SauceConnect.jar ...) NOT-FOR-US: sauce-connect CVE-2016-10598 (arrayfire-js is a module for ArrayFire for the Node.js platform. array ...) NOT-FOR-US: arrayfire-js CVE-2016-10597 (cobalt-cli downloads resources over HTTP, which leaves it vulnerable t ...) NOT-FOR-US: cobalt-cli CVE-2016-10596 (imageoptim is a Node.js wrapper for some images compression algorithms ...) NOT-FOR-US: imageoptim CVE-2016-10595 (jdf-sass is a fork from node-sass, jdf use only. jdf-sass downloads ex ...) NOT-FOR-US: jdf-sass CVE-2016-10594 (ipip is a Node.js module to query geolocation information for an IP or ...) NOT-FOR-US: ibip CVE-2016-10593 (ibapi is an Interactive Brokers API addon for NodeJS. ibapi downloads ...) NOT-FOR-US: ibapi CVE-2016-10592 (jser-stat is a JSer.info stat library. jser-stat downloads data resour ...) NOT-FOR-US: jser-stat CVE-2016-10591 (Prince is a Node API for executing XML/HTML to PDF renderer PrinceXML ...) NOT-FOR-US: Prince Node API CVE-2016-10590 (cue-sdk-node is a Corsair Cue SDK wrapper for node.js. cue-sdk-node do ...) NOT-FOR-US: cue-sdk-node CVE-2016-10589 (selenium-binaries downloads Selenium related binaries for your OS. sel ...) NOT-FOR-US: selenium-binaries CVE-2016-10588 (nw is an installer for nw.js. nw downloads zipped resources over HTTP, ...) NOT-FOR-US: nw CVE-2016-10587 (wasdk is a toolkit for creating WebAssembly modules. wasdk downloads b ...) NOT-FOR-US: wasdk CVE-2016-10586 (macaca-chromedriver is a Node.js wrapper for the selenium chromedriver ...) NOT-FOR-US: macaca-chromedriver CVE-2016-10585 (libxl provides Node bindings for the libxl library for reading and wri ...) NOT-FOR-US: libxl node bindings CVE-2016-10584 (dalek-browser-chrome-canary provides Google Chrome bindings for DalekJ ...) NOT-FOR-US: dalek-browser-chrome-canary CVE-2016-10583 (closure-utils is Utilities for Closure Library based projects. closure ...) NOT-FOR-US: closure-utils CVE-2016-10582 (closurecompiler is a Closure Compiler for node.js. closurecompiler dow ...) NOT-FOR-US: closurecompiler CVE-2016-10581 (Steroids is PhoneGap on Steroids, providing native UI elements, multip ...) NOT-FOR-US: PhoneGap on Steroids CVE-2016-10580 (nodewebkit is an installer for node-webkit. nodewebkit downloads zippe ...) NOT-FOR-US: nodewebkit CVE-2016-10579 (Chromedriver is an NPM wrapper for selenium ChromeDriver. Chromedriver ...) NOT-FOR-US: Chromedriver CVE-2016-10578 (unicode loads unicode data downloaded from unicode.org into nodejs. Un ...) NOT-FOR-US: nodejs unicode module CVE-2016-10577 (ibm_db is an asynchronous/synchronous interface for node.js to IBM DB2 ...) NOT-FOR-US: ibm_db node.js module CVE-2016-10576 (Fuseki server wrapper and management API in fuseki before 1.0.1 downlo ...) NOT-FOR-US: Fuseki CVE-2016-10575 (Kindlegen is a simple Node.js wrapper of the official kindlegen progra ...) NOT-FOR-US: Kindlegen CVE-2016-10574 (apk-parser3 is a module to extract Android Manifest info from an APK f ...) NOT-FOR-US: apk-parser3 CVE-2016-10573 (baryton-saxophone is a module to install and launch Selenium Server fo ...) NOT-FOR-US: baryton-saxophone CVE-2016-10572 (mongodb-instance before 0.0.3 installs mongodb locally. mongodb-instan ...) NOT-FOR-US: mongodb-instance CVE-2016-10571 (bkjs-wand is imagemagick wand support for node.js and backendjs bkjs-w ...) NOT-FOR-US: bkjs-wand CVE-2016-10570 (pngcrush-installer is an installer for Pngcrush. pngcrush-installer ve ...) NOT-FOR-US: pngcrush-installer CVE-2016-10569 (embedza is a module to create HTML snippets/embeds from URLs using inf ...) NOT-FOR-US: embedza CVE-2016-10568 (geoip-lite-country is a stripped down version of geoip-lite, supportin ...) NOT-FOR-US: geoip-lite-country CVE-2016-10567 (product-monitor is a HTML/JavaScript template for monitoring a product ...) NOT-FOR-US: product-monitor CVE-2016-10566 (install-nw is a module which quickly and robustly installs and caches ...) NOT-FOR-US: install-nw CVE-2016-10565 (operadriver is a Opera Driver for Selenium. operadriver versions below ...) NOT-FOR-US: operadriver CVE-2016-10564 (apk-parser is a tool to extract Android Manifest info from an APK file ...) NOT-FOR-US: apk-parser CVE-2016-10563 (During the installation process, the go-ipfs-deps module before 0.4.4 ...) NOT-FOR-US: go-ipfs-deps CVE-2016-10562 (iedriver is an NPM wrapper for Selenium IEDriver. iedriver versions be ...) NOT-FOR-US: iedriver CVE-2016-10561 (Bitty is a development web server tool that functions similar to `pyth ...) NOT-FOR-US: Bitty CVE-2016-10560 (galenframework-cli is the node wrapper for the Galen Framework. galenf ...) NOT-FOR-US: galenframework-cli CVE-2016-10559 (selenium-download downloads the latest versions of the selenium standa ...) NOT-FOR-US: selenium-download CVE-2016-10558 (aerospike is an Aerospike add-on module for Node.js. aerospike version ...) NOT-FOR-US: aerospike CVE-2016-10557 (appium-chromedriver is a Node.js wrapper around Chromedriver. Versions ...) NOT-FOR-US: appium-chromedriver CVE-2016-10556 (sequelize is an Object-relational mapping, or a middleman to convert t ...) NOT-FOR-US: sequelize CVE-2016-10555 (Since "algorithm" isn't enforced in jwt.decode()in jwt-simple 0.3.0 an ...) NOT-FOR-US: nodejs-jwt-simple CVE-2016-10554 (sequelize is an Object-relational mapping, or a middleman to convert t ...) NOT-FOR-US: sequelize CVE-2016-10553 (sequelize is an Object-relational mapping, or a middleman to convert t ...) NOT-FOR-US: sequelize CVE-2016-10552 (igniteui 0.0.5 and earlier downloads JavaScript and CSS resources over ...) NOT-FOR-US: igniteui CVE-2016-10551 (waterline-sequel is a module that helps generate SQL statements for Wa ...) NOT-FOR-US: waterline-sequel CVE-2016-10550 (sequelize is an Object-relational mapping, or a middleman to convert t ...) NOT-FOR-US: sequelize CVE-2016-10549 (Sails is an MVC style framework for building realtime web applications ...) NOT-FOR-US: Sails CVE-2016-10548 (Arbitrary code execution is possible in reduce-css-calc node module &l ...) NOT-FOR-US: reduce-css-calc CVE-2016-10547 (Nunjucks is a full featured templating engine for JavaScript. Versions ...) NOT-FOR-US: Nunjucks CVE-2016-10546 (An arbitrary code injection vector was found in PouchDB 6.0.4 and less ...) NOT-FOR-US: PouchDB CVE-2016-10545 REJECTED CVE-2016-10544 (uws is a WebSocket server library. By sending a 256mb websocket messag ...) NOT-FOR-US: uws CVE-2016-10543 (call is an HTTP router that is primarily used by the hapi framework. T ...) NOT-FOR-US: call HTTP router CVE-2016-10542 (ws is a "simple to use, blazing fast and thoroughly tested websocket c ...) - node-ws 1.1.0+ds1.e6ddaae4-5 (bug #927671) [stretch] - node-ws 1.1.0+ds1.e6ddaae4-3+deb9u1 [jessie] - node-ws (Nodejs in jessie not covered by security support) NOTE: https://nodesecurity.io/advisories/120 NOTE: https://github.com/nodejs/node/issues/7388 CVE-2016-10541 (The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape ...) - node-shell-quote (Fixed before initial upload to Debian) NOTE: https://nodesecurity.io/advisories/117 NOTE: nodejs not covered by security support CVE-2016-10540 (Minimatch is a minimal matching utility that works by converting glob ...) - node-minimatch 3.0.3-1 (unimportant) NOTE: https://nodesecurity.io/advisories/118 NOTE: https://github.com/isaacs/minimatch/commit/6944abf9e0694bd22fd9dad293faa40c2bc8a955 NOTE: libv8 is not covered by security support CVE-2016-10539 (negotiator is an HTTP content negotiator for Node.js and is used by ma ...) - node-negotiator 0.6.1-1 (unimportant) NOTE: https://nodesecurity.io/advisories/106 NOTE: nodejs not covered by security support CVE-2016-10538 (The package `node-cli` before 1.0.0 insecurely uses the lock_file and ...) - node-cli (unimportant; bug #809252) NOTE: https://github.com/node-js-libs/cli/issues/81 NOTE: https://nodesecurity.io/advisories/95 CVE-2016-10537 (backbone is a module that adds in structure to a JavaScript heavy appl ...) - backbone 0.5.3-1 NOTE: https://nodesecurity.io/advisories/108 CVE-2016-10536 (engine.io-client is the client for engine.io, the implementation of a ...) NOT-FOR-US: engine.io-client CVE-2016-10535 (csrf-lite is a cross-site request forgery protection library for frame ...) NOT-FOR-US: csrf-lite CVE-2016-10534 (electron-packager is a command line tool that packages Electron source ...) NOT-FOR-US: electron-packager CVE-2016-10533 (express-restify-mongoose is a module to easily create a flexible REST ...) NOT-FOR-US: express-restify-mongoose CVE-2016-10532 (console-io is a module that allows users to implement a web console in ...) NOT-FOR-US: console-io CVE-2016-10531 (marked is an application that is meant to parse and compile markdown. ...) - node-marked 0.3.6+dfsg-1 (unimportant) NOTE: https://nodesecurity.io/advisories/101 NOTE: nodejs not covered by security support CVE-2016-10530 (The airbrake module 0.3.8 and earlier defaults to sending environment ...) NOT-FOR-US: airbrake CVE-2016-10529 (Droppy versions <3.5.0 does not perform any verification for cross- ...) NOT-FOR-US: Droppy CVE-2016-10528 (restafary is a REpresentful State Transfer API for Creating, Reading, ...) NOT-FOR-US: restafary CVE-2016-10527 (The riot-compiler version version 2.3.21 has an issue in a regex (Cata ...) NOT-FOR-US: riot-compiler CVE-2016-10526 (A common setup to deploy to gh-pages on every commit via a CI system i ...) NOT-FOR-US: gh-pages CVE-2016-10525 (When attempting to allow authentication mode `try` in hapi, hapi-auth- ...) NOT-FOR-US: hapi CVE-2016-10524 (i18n-node-angular is a module used to interact between i18n and angula ...) NOT-FOR-US: i18n-node-angular CVE-2016-10523 (MQTT before 3.4.6 and 4.0.x before 4.0.5 allows specifically crafted M ...) - node-mqtt-packet (Fixed before initial upload to the archive) NOTE: https://nodesecurity.io/advisories/75 CVE-2016-10522 (rails_admin ruby gem <v1.1.1 is vulnerable to cross-site request fo ...) - ruby-rails-admin (bug #903855) [stretch] - ruby-rails-admin (Minor issue; has regression potential) NOTE: https://github.com/sferik/rails_admin/commit/b13e879eb93b661204e9fb5e55f7afa4f397537a NOTE: Regression: https://github.com/sferik/rails_admin/issues/2830 CVE-2016-10521 (jshamcrest is vulnerable to regular expression denial of service (ReDo ...) NOT-FOR-US: jshamcrest CVE-2016-10520 (jadedown is vulnerable to regular expression denial of service (ReDoS) ...) NOT-FOR-US: jadedown CVE-2016-10519 (A security issue was found in bittorrent-dht before 5.1.3 that allows ...) NOT-FOR-US: bittorrent-dht CVE-2016-10518 (A vulnerability was found in the ping functionality of the ws module b ...) - node-ws 1.0.1+ds1.e6ddaae4-1 (unimportant) NOTE: https://nodesecurity.io/advisories/67 NOTE: Nodefs not covered by security support CVE-2015-9243 (When server level, connection level or route level CORS configurations ...) NOT-FOR-US: hapi CVE-2015-9242 (Certain input strings when passed to new Date() or Date.parse() in ecs ...) NOT-FOR-US: ecstatic CVE-2015-9241 (Certain input passed into the If-Modified-Since or Last-Modified heade ...) NOT-FOR-US: hapi CVE-2015-9240 (Due to a bug in the the default sign in functionality in the keystone ...) NOT-FOR-US: keystone node module CVE-2015-9239 (ansi2html is vulnerable to regular expression denial of service (ReDoS ...) NOT-FOR-US: ansi2html CVE-2015-9238 (secure-compare 3.0.0 and below do not actually compare two strings pro ...) NOT-FOR-US: secure-compare node module CVE-2015-9237 RESERVED CVE-2015-9236 (Hapi versions less than 11.0.0 implement CORS incorrectly and allowed ...) NOT-FOR-US: hapi CVE-2015-9235 (In jsonwebtoken node module before 4.2.2 it is possible for an attacke ...) NOT-FOR-US: jsonwebtoken node module CVE-2014-10068 (The inert directory handler in inert node module before 1.1.1 always a ...) NOT-FOR-US: inert CVE-2014-10067 (paypal-ipn before 3.0.0 uses the `test_ipn` parameter (which is set by ...) NOT-FOR-US: paypal-ipn CVE-2014-10066 (Versions less than 0.1.4 of the static file server module fancy-server ...) NOT-FOR-US: fancy-server CVE-2014-10065 (Certain input when passed into remarkable before 1.4.1 will bypass the ...) NOT-FOR-US: remarkable CVE-2014-10064 (The qs module before 1.0.0 does not have an option or default for spec ...) - node-qs 2.2.4-1 (unimportant) NOTE: https://nodesecurity.io/advisories/28 NOTE: nodejs not security by security support CVE-2017-15994 (rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums ...) - rsync (Problematic code to allow checksum choice only introduced after 3.1.2 release) NOTE: https://git.samba.org/?p=rsync.git;a=commit;h=7b8a4ecd6ff9cdf4e5d3850ebf822f1e989255b3 NOTE: https://git.samba.org/?p=rsync.git;a=commit;h=9a480deec4d20277d8e20bc55515ef0640ca1e55 NOTE: https://git.samba.org/?p=rsync.git;a=commit;h=c252546ceeb0925eb8a4061315e3ff0a8c55b48b NOTE: And possibly the following two commits on top: NOTE: https://git.samba.org/?p=rsync.git;a=commit;h=bc112b0e7feece62ce98708092306639a8a53cce NOTE: https://git.samba.org/?p=rsync.git;a=commit;h=416e719bea4f5466c8dd2b34cac0059b6ff84ff3 NOTE: The following commit introduced special handling of archaic versions / handling of NOTE: --checksum-choice option to choose the checksum algorithms: NOTE: https://git.samba.org/?p=rsync.git;a=commit;h=a5a7d3a297b836387b0ac677383bdddaf2ac3598 CVE-2017-15993 (Zomato Clone Script allows SQL Injection via the restaurant-menu.php r ...) NOT-FOR-US: Zomato Clone Script CVE-2017-15992 (Website Broker Script allows SQL Injection via the 'status_id' Paramet ...) NOT-FOR-US: Website Broker Script CVE-2017-15991 (Vastal I-Tech Agent Zone (aka The Real Estate Script) allows SQL Injec ...) NOT-FOR-US: Vastal I-Tech Agent Zone CVE-2017-15990 (Php Inventory & Invoice Management System allows Arbitrary File Up ...) NOT-FOR-US: Php Inventory & Invoice Management System CVE-2017-15989 (Online Exam Test Application allows SQL Injection via the resources.ph ...) NOT-FOR-US: Online Exam Test Application CVE-2017-15988 (Nice PHP FAQ Script allows SQL Injection via the index.php nice_theme ...) NOT-FOR-US: PHP FAQ Script CVE-2017-15987 (Fake Magazine Cover Script allows SQL Injection via the rate.php value ...) NOT-FOR-US: Fake Magazine Cover Script CVE-2017-15986 (CPA Lead Reward Script allows SQL Injection via the username parameter ...) NOT-FOR-US: CPA Lead Reward Script CVE-2017-15985 (Basic B2B Script allows SQL Injection via the product_view1.php pid or ...) NOT-FOR-US: Basic B2B Script CVE-2017-15984 (Creative Management System (CMS) Lite 1.4 allows SQL Injection via the ...) NOT-FOR-US: Creative Management System (CMS) Lite CVE-2017-15983 (MyMagazine Magazine & Blog CMS 1.0 allows SQL Injection via the id ...) NOT-FOR-US: MyMagazine Magazine & Blog CMS CVE-2017-15982 (Dynamic News Magazine & Blog CMS 1.0 allows SQL Injection via the ...) NOT-FOR-US: Dynamic News Magazine & Blog CMS CVE-2017-15981 (Responsive Newspaper Magazine & Blog CMS 1.0 allows SQL Injection ...) NOT-FOR-US: Responsive Newspaper Magazine & Blog CMS CVE-2017-15980 (US Zip Codes Database Script 1.0 allows SQL Injection via the state pa ...) NOT-FOR-US: US Zip Codes Database Script CVE-2017-15979 (Shareet - Photo Sharing Social Network 1.0 allows SQL Injection via th ...) NOT-FOR-US: Shareet - Photo Sharing Social Network CVE-2017-15978 (AROX School ERP PHP Script 1.0 allows SQL Injection via the office_adm ...) NOT-FOR-US: AROX School ERP PHP Script CVE-2017-15977 (Protected Links - Expiring Download Links 1.0 allows SQL Injection via ...) NOT-FOR-US: Protected Links - Expiring Download Links CVE-2017-15976 (ZeeBuddy 2x allows SQL Injection via the admin/editadgroup.php groupid ...) NOT-FOR-US: ZeeBuddy CVE-2017-15975 (Vastal I-Tech Dating Zone 0.9.9 allows SQL Injection via the 'product_ ...) NOT-FOR-US: Vastal I-Tech Dating Zone CVE-2017-15974 (tPanel 2009 allows SQL injection for Authentication Bypass via 'or 1=1 ...) NOT-FOR-US: tPanel CVE-2017-15973 (Sokial Social Network Script 1.0 allows SQL Injection via the id param ...) NOT-FOR-US: Sokial Social Network Script CVE-2017-15972 (SoftDatepro Dating Social Network 1.3 allows SQL Injection via the vie ...) NOT-FOR-US: SoftDatepro Dating Social Network CVE-2017-15971 (Same Sex Dating Software Pro 1.0 allows SQL Injection via the viewprof ...) NOT-FOR-US: Same Sex Dating Software Pro CVE-2017-15970 (PHP CityPortal 2.0 allows SQL Injection via the nid parameter to index ...) NOT-FOR-US: PHP CityPortal CVE-2017-15969 (PG All Share Video 1.0 allows SQL Injection via the PATH_INFO to searc ...) NOT-FOR-US: PG All Share Video CVE-2017-15968 (MyBuilder Clone 1.0 allows SQL Injection via the phpsqlsearch_genxml.p ...) NOT-FOR-US: MyBuilder Clone CVE-2017-15967 (Mailing List Manager Pro 3.0 allows SQL Injection via the edit paramet ...) NOT-FOR-US: Mailing List Manager Pro CVE-2017-15966 (The Zh YandexMap (aka com_zhyandexmap) component 6.1.1.0 for Joomla! a ...) NOT-FOR-US: Zh YandexMap CVE-2017-15965 (The NS Download Shop (aka com_ns_downloadshop) component 2.2.6 for Joo ...) NOT-FOR-US: NS Download Shop CVE-2017-15964 (Job Board Script Software allows SQL Injection via the PATH_INFO to a ...) NOT-FOR-US: Job Board Script Software CVE-2017-15963 (iTech Gigs Script 1.21 allows SQL Injection via the browse-scategory.p ...) NOT-FOR-US: iTech Gigs Script CVE-2017-15962 (iStock Management System 1.0 allows Arbitrary File Upload via user/pro ...) NOT-FOR-US: iStock Management System CVE-2017-15961 (iProject Management System 1.0 allows SQL Injection via the ID paramet ...) NOT-FOR-US: iProject Management System CVE-2017-15960 (Article Directory Script 3.0 allows SQL Injection via the id parameter ...) NOT-FOR-US: Article Directory Scrip CVE-2017-15959 (Adult Script Pro 2.2.4 allows SQL Injection via the PATH_INFO to a /do ...) NOT-FOR-US: Adult Script Pro CVE-2017-15958 (D-Park Pro Domain Parking Script 1.0 allows SQL Injection via the user ...) NOT-FOR-US: D-Park Pro Domain Parking Script CVE-2017-15957 (my_profile.php in Ingenious School Management System 2.3.0 allows a st ...) NOT-FOR-US: Ingenious School Management System CVE-2017-15956 (ConverTo Video Downloader & Converter 1.4.1 allows Arbitrary File ...) NOT-FOR-US: ConverTo Video Downloader CVE-2017-15955 (bchunk (related to BinChunker) 1.2.0 and 1.2.1 is vulnerable to an "Ac ...) {DSA-4026-1 DLA-1158-1} - bchunk 1.2.0-12.1 (bug #880116) NOTE: https://github.com/extramaster/bchunk/issues/4 CVE-2017-15954 (bchunk (related to BinChunker) 1.2.0 and 1.2.1 is vulnerable to a heap ...) {DSA-4026-1 DLA-1158-1} - bchunk 1.2.0-12.1 (bug #880116) NOTE: https://github.com/extramaster/bchunk/issues/3 CVE-2017-15953 (bchunk (related to BinChunker) 1.2.0 and 1.2.1 is vulnerable to a heap ...) {DSA-4026-1 DLA-1158-1} - bchunk 1.2.0-12.1 (bug #880116) NOTE: https://github.com/extramaster/bchunk/issues/2 CVE-2017-15952 RESERVED CVE-2017-15951 (The KEYS subsystem in the Linux kernel before 4.13.10 does not correct ...) - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/363b02dab09b3226f3bd1420dad9c72b79a42a76 (v4.14-rc6) CVE-2017-15950 (Flexense SyncBreeze Enterprise version 10.1.16 is vulnerable to a buff ...) NOT-FOR-US: Flexense SyncBreeze CVE-2017-15949 (Xavier PHP Management Panel 2.4 allows SQL injection via the usertoedi ...) NOT-FOR-US: Xavier PHP Management Panel CVE-2017-15948 (Perch Content Management System 3.0.3 allows unrestricted file upload ...) NOT-FOR-US: Perch Content Management System CVE-2017-15947 (Simple ASC Content Management System v1.2 has XSS in the location fiel ...) NOT-FOR-US: Simple ASC Content Management CVE-2017-15946 (In the com_tag component 1.7.6 for Joomla!, a SQL injection vulnerabil ...) NOT-FOR-US: Joomla addon CVE-2017-15945 (The installation scripts in the Gentoo dev-db/mysql, dev-db/mariadb, d ...) NOT-FOR-US: Gentoo installation scripts CVE-2017-15944 (Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x be ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-15943 (The configuration file import for applications, spyware and vulnerabil ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-15942 (Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x be ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-15941 (Cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-15940 (The web interface packet capture management component in Palo Alto Net ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-15939 (dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as ...) - binutils (Incomplete fix not applied) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22205 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a54018b72d75abf2e74bf36016702da06399c1d9 NOTE: https://blogs.gentoo.org/ago/2017/10/24/binutils-null-pointer-dereference-in-concat_filename-dwarf2-c-incomplete-fix-for-cve-2017-15023/ CVE-2017-15938 (dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22209 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1b86808a86077722ee4f42ff97f836b12420bb2a NOTE: https://blogs.gentoo.org/ago/2017/10/24/binutils-invalid-memory-read-in-find_abstract_instance_name-dwarf2-c/ CVE-2017-15937 (Artica Pandora FMS version 7.0 leaks a full installation pathname via ...) NOT-FOR-US: Artica Pandora FMS CVE-2017-15936 (In Artica Pandora FMS version 7.0, an Attacker with write Permission c ...) NOT-FOR-US: Artica Pandora FMS CVE-2017-15935 (Artica Pandora FMS version 7.0 is vulnerable to remote PHP code execut ...) NOT-FOR-US: Artica Pandora FMS CVE-2017-15934 (Artica Pandora FMS version 7.0 is vulnerable to stored Cross-Site Scri ...) NOT-FOR-US: Artica Pandora FMS CVE-2017-15933 (SQL injection vulnerability vulnerability in the EyesOfNetwork web int ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-15932 (In radare2 2.0.1, an integer exception (negative number leading to an ...) - radare2 2.1.0+dfsg-1 (bug #880024) [jessie] - radare2 (Vulnerable code introduced in 0.10.2) [wheezy] - radare2 (Vulnerable code introduced in 0.10.2) NOTE: https://github.com/radare/radare2/commit/44ded3ff35b8264f54b5a900cab32ec489d9e5b9 NOTE: https://github.com/radare/radare2/issues/8743 CVE-2017-15931 (In radare2 2.0.1, an integer exception (negative number leading to an ...) - radare2 2.1.0+dfsg-1 (bug #880025) [jessie] - radare2 (Vulnerable code introduced in 0.10.2) [wheezy] - radare2 (Vulnerable code introduced in 0.10.2) NOTE: https://github.com/radare/radare2/commit/c6d0076c924891ad9948a62d89d0bcdaf965f0cd NOTE: https://github.com/radare/radare2/issues/8731 CVE-2017-15930 (In ReadOneJNGImage in coders/png.c in GraphicsMagick 1.3.26, a Null Po ...) {DSA-4321-1 DLA-1456-1 DLA-1154-1} - graphicsmagick 1.3.26-16 (bug #879999) NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=6fc54b6d2be8 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=da135eaedc3b NOTE: https://sourceforge.net/p/graphicsmagick/bugs/518/ CVE-2017-15929 RESERVED CVE-2017-15928 (In the Ox gem 2.8.0 for Ruby, the process crashes with a segmentation ...) - ruby-ox 2.8.2-1 (bug #881445) [stretch] - ruby-ox 2.1.1-2+deb9u1 [jessie] - ruby-ox 2.1.1-2+deb8u1 NOTE: https://github.com/ohler55/ox/issues/194 NOTE: https://github.com/ohler55/ox/commit/e4565dbc167f0d38c3f93243d7a4fcfc391cbfc8 CVE-2017-15927 RESERVED CVE-2017-15926 RESERVED CVE-2017-15925 RESERVED CVE-2017-15923 (Konversation 1.4.x, 1.5.x, 1.6.x, and 1.7.x before 1.7.3 allow remote ...) {DSA-4033-1 DLA-1174-1} - konversation 1.7.3-1 (bug #881586) NOTE: https://cgit.kde.org/konversation.git/commit/?h=1.7&id=6a7f59ee1b9dbc6e5cf9e5f3b306504d02b73ef0 CVE-2017-15922 (In GNU Libextractor 1.4, there is an out-of-bounds read in the EXTRACT ...) {DLA-1198-1} - libextractor 1:1.6-2 (low; bug #880016) [stretch] - libextractor 1:1.3-4+deb9u1 [jessie] - libextractor 1:1.3-2+deb8u1 NOTE: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00008.html NOTE: Fixed by: https://git.gnunet.org/libextractor.git/commit/?id=d4d488b0e5ab13dda241d688d87a07816368f117 CVE-2017-15921 (In Watchdog Anti-Malware 2.74.186.150 and Online Security Pro 2.74.186 ...) NOT-FOR-US: Watchdog Anti-Malware CVE-2017-15920 (In Watchdog Anti-Malware 2.74.186.150 and Online Security Pro 2.74.186 ...) NOT-FOR-US: Watchdog Anti-Malware CVE-2017-15918 (Sera 1.2 stores the user's login password in plain text in their home ...) NOT-FOR-US: Sera CVE-2017-15917 (In Paessler PRTG Network Monitor 17.3.33.2830, it's possible to create ...) NOT-FOR-US: Paessler PRTG Network Monitor CVE-2017-15908 (In systemd 223 through 235, a remote DNS server can respond with a cus ...) - systemd 235-3 (bug #880026) [stretch] - systemd 232-25+deb9u2 [jessie] - systemd (Vulnerable code introduced later) [wheezy] - systemd (Vulnerable code introduced later) NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1725351 NOTE: https://github.com/systemd/systemd/pull/7184 NOTE: Fix: https://github.com/systemd/systemd/commit/9f939335a07085aa9a9663efd1dca06ef6405d62 CVE-2017-15919 (The ultimate-form-builder-lite plugin before 1.3.7 for WordPress has S ...) NOT-FOR-US: WordPress plugin ultimate-form-builder-lite CVE-2017-15916 RESERVED CVE-2017-15915 RESERVED CVE-2017-15914 (Incorrect implementation of access controls allows remote users to ove ...) - borgbackup 1.1.3-1 [stretch] - borgbackup (Only affects 1.1.0, 1.1.1 and 1.1.2 releases) NOTE: https://borgbackup.readthedocs.io/en/stable/changes.html#version-1-1-3-2017-11-27 CVE-2017-15913 (The Installer in Whale allows DLL hijacking. ...) NOT-FOR-US: Installer in Whale CVE-2017-15912 RESERVED CVE-2017-15911 (The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allo ...) NOT-FOR-US: Ignite Realtime Openfire Server CVE-2017-15910 RESERVED CVE-2017-15909 (D-Link DGS-1500 Ax devices before 2.51B021 have a hardcoded password, ...) NOT-FOR-US: D-Link CVE-2017-15907 (SQL injection vulnerability in phpCollab 2.5.1 and earlier allows remo ...) NOT-FOR-US: phpCollab CVE-2017-15906 (The process_open function in sftp-server.c in OpenSSH before 7.6 does ...) {DLA-1500-1} - openssh 1:7.6p1-1 (low) [stretch] - openssh 1:7.4p1-10+deb9u3 [wheezy] - openssh (Minor issue) NOTE: https://github.com/openbsd/src/commit/a6981567e8e215acc1ef690c8dbb30f2d9b00a19 CVE-2017-15905 RESERVED CVE-2017-15904 RESERVED CVE-2017-15903 RESERVED CVE-2017-15902 RESERVED CVE-2017-15901 RESERVED CVE-2017-15900 RESERVED CVE-2017-15899 RESERVED CVE-2017-15898 RESERVED CVE-2017-15897 (Node.js had a bug in versions 8.X and 9.X which caused buffers to not ...) - nodejs (Only affects 8.x and 9.x) CVE-2017-15896 (Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards ...) - nodejs (HTTP2 module only in 8.x and 9.x and Debian package uses the system copy of OpenSSL) CVE-2017-15895 (Directory traversal vulnerability in the SYNO.FileStation.Extract in S ...) NOT-FOR-US: Synology Router Manager CVE-2017-15894 (Directory traversal vulnerability in the SYNO.FileStation.Extract in S ...) NOT-FOR-US: Synology DiskStation Manager CVE-2017-15893 (Directory traversal vulnerability in the SYNO.FileStation.Extract in S ...) NOT-FOR-US: Synology File Station CVE-2017-15892 (Multiple cross-site scripting (XSS) vulnerabilities in Slash Command C ...) NOT-FOR-US: Synology Chat CVE-2017-15891 (Improper access control vulnerability in SYNO.Cal.EventBase in Synolog ...) NOT-FOR-US: Synology Calendar CVE-2017-15890 (Cross-site scripting (XSS) vulnerability in Disclaimer in Synology Mai ...) NOT-FOR-US: Synology CVE-2017-15889 (Command injection vulnerability in smart.cgi in Synology DiskStation M ...) NOT-FOR-US: Synology DiskStation Manager CVE-2017-15888 (Cross-site scripting (XSS) vulnerability in Custom Internet Radio List ...) NOT-FOR-US: Synology CVE-2017-15887 (An improper restriction of excessive authentication attempts vulnerabi ...) NOT-FOR-US: Synology CVE-2017-15886 (Server-side request forgery (SSRF) vulnerability in Link Preview in Sy ...) NOT-FOR-US: Synology Chat CVE-2017-15885 (Reflected XSS in the web administration portal on the Axis 2100 Networ ...) NOT-FOR-US: Axis CVE-2017-15884 (In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) ...) NOT-FOR-US: HashiCorp Vagrant VMware Fusion plugin CVE-2017-15883 (Sitefinity 5.1, 5.2, 5.3, 5.4, 6.x, 7.x, 8.x, 9.x, and 10.x allow remo ...) NOT-FOR-US: Sitefinity CVE-2017-15882 (The London Trust Media Private Internet Access (PIA) application befor ...) NOT-FOR-US: London Trust Media Private Internet Access (PIA) application CVE-2017-15881 (Cross-Site Scripting vulnerability in KeystoneJS before 4.0.0-beta.7 a ...) NOT-FOR-US: KeystoneJS CVE-2017-15880 (SQL injection vulnerability vulnerability in the EyesOfNetwork web int ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-15879 (CSV Injection (aka Excel Macro Injection or Formula Injection) exists ...) NOT-FOR-US: KeystoneJS CVE-2017-15878 (A cross-site scripting (XSS) vulnerability exists in fields/types/mark ...) NOT-FOR-US: KeystoneJS CVE-2017-15877 (Insecure Permissions vulnerability in db.php file in GPWeb 8.4.61 allo ...) NOT-FOR-US: GPWeb CVE-2017-15876 (Unrestricted File Upload vulnerability in GPWeb 8.4.61 allows remote a ...) NOT-FOR-US: GPWeb CVE-2017-15875 (SQL injection vulnerability in Password Recovery in GPWeb 8.4.61 allow ...) NOT-FOR-US: GPWeb CVE-2017-15874 (archival/libarchive/decompress_unlzma.c in BusyBox 1.27.2 has an Integ ...) - busybox 1:1.27.2-2 (bug #879732) [stretch] - busybox (Vulnerable code not present) [jessie] - busybox (Vulnerable code not present) [wheezy] - busybox (Vulnerable code not present) NOTE: https://bugs.busybox.net/show_bug.cgi?id=10436 NOTE: Introduced in: https://git.busybox.net/busybox/commit/?id=3989e5adf454a3ab98412b249c2c9bd2a3175ae0 NOTE: Fixed by: https://git.busybox.net/busybox/commit/?id=9ac42c500586fa5f10a1f6d22c3f797df11b1f6b CVE-2017-15873 (The get_next_block function in archival/libarchive/decompress_bunzip2. ...) {DLA-1445-1} - busybox 1:1.27.2-2 (bug #879732) [stretch] - busybox (Minor issue) [wheezy] - busybox (Minor issue) NOTE: Fixed by: https://git.busybox.net/busybox/commit/?id=0402cb32df015d9372578e3db27db47b33d5c7b0 NOTE: https://bugs.busybox.net/show_bug.cgi?id=10431 CVE-2017-15872 (phpwcms 1.8.9 has XSS in include/inc_tmpl/admin.edituser.tmpl.php and ...) NOT-FOR-US: phpwcms CVE-2017-15871 (** DISPUTED ** The deserialize function in serialize-to-js through 1.1 ...) NOT-FOR-US: Disputed serialize-to-js issue CVE-2017-15870 (Palo Alto Networks GlobalProtect Agent before 4.0.3 allows attackers w ...) NOT-FOR-US: Palo Alto Networks GlobalProtect Agent CVE-2017-15869 (Cross-site scripting (XSS) vulnerability in knowledgebase.php in LiveZ ...) NOT-FOR-US: LiveZilla CVE-2017-15868 (The bnep_add_connection function in net/bluetooth/bnep/core.c in the L ...) {DSA-4082-1 DLA-1200-1} - linux 4.0.2-1 NOTE: Fixed by: https://git.kernel.org/linus/71bb99a02b32b4cc4265118e85f6035ca72923f0 (v3.19-rc3) CVE-2017-15867 (Multiple cross-site scripting (XSS) vulnerabilities in the user-login- ...) NOT-FOR-US: user-login-history plugin for WordPress CVE-2017-15866 RESERVED CVE-2017-15865 (bgpd in FRRouting (FRR) before 2.0.2 and 3.x before 3.0.2, as used in ...) - frr (Fixed before initial upload) CVE-2017-15864 (In the Agent Frontend in Open Ticket Request System (OTRS) 3.3.x throu ...) {DLA-1212-1} - otrs2 4.0.7-2 [jessie] - otrs2 3.3.18-1+deb8u2 NOTE: https://www.otrs.com/security-advisory-2017-06-security-update-otrs-3-3/ NOTE: https://github.com/OTRS/otrs/compare/3bc58ebeb9bdbe8107251a03cf7b9b8cfc515f53...80a0a9a138278d63a2621d146eb3c29e982aa2d5 NOTE: Root cause for the issue is the recursive parsing handling in the old NOTE: DTL template engine that OTRS used up to OTRS 3.3. Starting with OTRS 4 NOTE: OTRS switched to a new Template::Toolkit based engine which does not perform NOTE: recursive parsing and not affected by this issue. CVE-2016-10517 (networking.c in Redis before 3.2.7 allows "Cross Protocol Scripting" b ...) {DLA-1161-1} - redis 3:3.2.7-1 [stretch] - redis (Minor issue) [jessie] - redis (Minor issue) NOTE: https://github.com/antirez/redis/commit/874804da0c014a7d704b3d285aa500098a931f50 CVE-2017-15863 (Cross Site Scripting (XSS) exists in the wp-noexternallinks plugin bef ...) NOT-FOR-US: WordPress plugin wp-noexternallinks CVE-2017-15862 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15861 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15860 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15859 (While processing the QCA_NL80211_VENDOR_SUBCMD_SET_TXPOWER_SCALE_DECR_ ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-15858 RESERVED CVE-2017-15857 (In the camera driver, an out-of-bounds access can occur due to an erro ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15856 (Due to a race condition while processing the power stats debug file to ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15855 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15854 (The value of fix_param->num_chans is received from firmware and if ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15853 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15852 (Information leak of the ISPIF base address in Android for MSM, Firefox ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-15851 (Lack of copy_from_user and information leak in function "msm_ois_subde ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15850 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15849 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15848 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15847 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15846 (In the video_ioctl2() function in the camera driver in Android for MSM ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-15845 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15844 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15843 (Due to a race condition in a bus driver, a double free in msm_bus_floo ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15842 (Buffer might get used after it gets freed due to unlocking the mutex b ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15841 (When HOST sends a Special command ID packet, Controller triggers a RAM ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15840 REJECTED CVE-2017-15839 REJECTED CVE-2017-15838 REJECTED CVE-2017-15837 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15836 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15835 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15834 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15833 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15832 RESERVED NOT-FOR-US: Qualcomm components for Android CVE-2017-15831 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15830 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15829 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-15828 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-15827 RESERVED CVE-2017-15826 (Due to a race condition in MDSS rotator in Android for MSM, Firefox OS ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-15825 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-15824 (In Android releases from CAF using the linux kernel (Android for MSM, ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-15823 (In spectral_create_samp_msg() in Android for MSM, Firefox OS for MSM, ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-15822 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-15821 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15820 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-15819 RESERVED CVE-2017-15818 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-15817 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-15816 REJECTED CVE-2017-15815 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15814 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15813 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm closed-source components on Android CVE-2017-15812 (The Easy Appointments plugin before 1.12.0 for WordPress has XSS via a ...) NOT-FOR-US: Wordpress plugin CVE-2017-15811 (The Pootle Button plugin before 1.2.0 for WordPress has XSS via the as ...) NOT-FOR-US: Wordpress plugin CVE-2017-15810 (The PopCash.Net Code Integration Tool plugin before 1.1 for WordPress ...) NOT-FOR-US: Wordpress plugin CVE-2017-15809 (In phpMyFaq before 2.9.9, there is XSS in admin/tags.main.php via a cr ...) NOT-FOR-US: phpMyFaq CVE-2017-15808 (In phpMyFaq before 2.9.9, there is CSRF in admin/ajax.config.php. ...) NOT-FOR-US: phpMyFaq CVE-2017-15807 RESERVED CVE-2017-15806 (The send function in the ezcMailMtaTransport class in Zeta Components ...) NOT-FOR-US: Zeta Components Mail CVE-2016-10516 (Cross-site scripting (XSS) vulnerability in the render_full function i ...) {DLA-1191-1} - python-werkzeug 0.11.11+dfsg1-1 [jessie] - python-werkzeug (Minor issue) NOTE: http://blog.neargle.com/2016/09/21/flask-src-review-get-a-xss-from-debuger/ NOTE: https://github.com/pallets/werkzeug/pull/1001 NOTE: https://github.com/pallets/werkzeug/commit/1034edc7f901dd645ec6e462754111b39002bd65 CVE-2017-15805 (Cisco Small Business SA520 and SA540 devices with firmware 2.1.71 and ...) NOT-FOR-US: Cisco CVE-2017-15804 (The glob function in glob.c in the GNU C Library (aka glibc or libc6) ...) - glibc 2.25-3 (low; bug #879955) [stretch] - glibc 2.24-11+deb9u4 [jessie] - glibc (Minor issue) - eglibc (low) [wheezy] - eglibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22332 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a159b53fa059947cc2548e3b0d5bdcf7b9630ba8 CVE-2017-15803 (XnView Classic for Windows Version 2.43 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-15802 (XnView Classic for Windows Version 2.43 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-15801 (XnView Classic for Windows Version 2.43 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-15800 REJECTED CVE-2017-15799 REJECTED CVE-2017-15798 REJECTED CVE-2017-15797 REJECTED CVE-2017-15796 REJECTED CVE-2017-15795 REJECTED CVE-2017-15794 REJECTED CVE-2017-15793 REJECTED CVE-2017-15792 REJECTED CVE-2017-15791 REJECTED CVE-2017-15790 REJECTED CVE-2017-15789 (XnView Classic for Windows Version 2.43 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-15788 (XnView Classic for Windows Version 2.43 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-15787 (XnView Classic for Windows Version 2.43 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-15786 (XnView Classic for Windows Version 2.43 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-15785 (XnView Classic for Windows Version 2.43 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-15784 (XnView Classic for Windows Version 2.43 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-15783 (XnView Classic for Windows Version 2.43 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-15782 (XnView Classic for Windows Version 2.43 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-15781 (XnView Classic for Windows Version 2.43 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-15780 (XnView Classic for Windows Version 2.43 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-15779 (XnView Classic for Windows Version 2.43 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-15778 (XnView Classic for Windows Version 2.43 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-15777 (XnView Classic for Windows Version 2.43 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-15776 (XnView Classic for Windows Version 2.43 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-15775 (XnView Classic for Windows Version 2.43 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-15774 (XnView Classic for Windows Version 2.43 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-15773 (XnView Classic for Windows Version 2.43 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-15772 (XnView Classic for Windows Version 2.43 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-15771 REJECTED CVE-2017-15770 REJECTED CVE-2017-15769 (IrfanView 4.50 - 64bit allows attackers to cause a denial of service o ...) NOT-FOR-US: IrfanView CVE-2017-15768 (IrfanView version 4.50 - 64bit allows attackers to cause a denial of s ...) NOT-FOR-US: IrfanView CVE-2017-15767 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15766 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15765 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15764 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15763 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15762 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15761 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15760 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15759 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15758 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15757 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15756 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15755 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15754 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15753 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15752 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15751 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15750 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15749 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15748 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15747 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15746 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15745 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15744 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15743 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15742 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15741 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15740 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15739 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15738 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15737 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15736 (Cross-site scripting (XSS) vulnerability (stored) in SPIP before 3.1.7 ...) {DSA-4228-1} - spip 3.1.4-4 (bug #879954) [wheezy] - spip (vulnerable code not present) NOTE: https://core.spip.net/projects/spip/repository/revisions/23701 CVE-2017-15735 (In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) f ...) NOT-FOR-US: phpMyFAQ CVE-2017-15734 (In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) i ...) NOT-FOR-US: phpMyFAQ CVE-2017-15733 (In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) i ...) NOT-FOR-US: phpMyFAQ CVE-2017-15732 (In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) i ...) NOT-FOR-US: phpMyFAQ CVE-2017-15731 (In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) i ...) NOT-FOR-US: phpMyFAQ CVE-2017-15730 (In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) i ...) NOT-FOR-US: phpMyFAQ CVE-2017-15729 (In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) f ...) NOT-FOR-US: phpMyFAQ CVE-2017-15728 (In phpMyFAQ before 2.9.9, there is Stored Cross-site Scripting (XSS) v ...) NOT-FOR-US: phpMyFAQ CVE-2017-15727 (In phpMyFAQ before 2.9.9, there is Stored Cross-site Scripting (XSS) v ...) NOT-FOR-US: phpMyFAQ CVE-2017-15726 RESERVED CVE-2017-15725 (An XML External Entity Injection vulnerability exists in Dzone AnswerH ...) NOT-FOR-US: Dzone AnswerHub CVE-2017-15724 RESERVED CVE-2017-15723 (In Irssi before 1.0.5, overlong nicks or targets may result in a NULL ...) {DSA-4016-1} - irssi 1.0.5-1 (bug #879521) [wheezy] - irssi (Vulnerable code introduced in 0.8.17) NOTE: https://irssi.org/security/irssi_sa_2017_10.txt NOTE: https://github.com/irssi/irssi/commit/43e44d553d44e313003cee87e6ea5e24d68b84a1 CVE-2017-15722 (In certain cases, Irssi before 1.0.5 may fail to verify that a Safe ch ...) {DSA-4016-1 DLA-1217-1} - irssi 1.0.5-1 (bug #879521) NOTE: https://irssi.org/security/irssi_sa_2017_10.txt NOTE: https://github.com/irssi/irssi/commit/43e44d553d44e313003cee87e6ea5e24d68b84a1 CVE-2017-15721 (In Irssi before 1.0.5, certain incorrectly formatted DCC CTCP messages ...) {DSA-4016-1 DLA-1217-1} - irssi 1.0.5-1 (bug #879521) NOTE: https://irssi.org/security/irssi_sa_2017_10.txt NOTE: https://github.com/irssi/irssi/commit/43e44d553d44e313003cee87e6ea5e24d68b84a1 CVE-2017-15720 (In Apache Airflow 1.8.2 and earlier, an authenticated user can execute ...) - airflow (bug #819700) CVE-2017-15719 (In Wicket jQuery UI 6.28.0 and earlier, 7.9.1 and earlier, and 8.0.0-M ...) NOT-FOR-US: Wicket jQuery UI CVE-2017-15718 (The YARN NodeManager in Apache Hadoop 2.7.3 and 2.7.4 can leak the pas ...) - hadoop (bug #793644) CVE-2017-15717 (A flaw in the way URLs are escaped and encoded in the org.apache.sling ...) NOT-FOR-US: Apache Sling CVE-2017-15716 REJECTED CVE-2017-15715 (In Apache httpd 2.4.0 to 2.4.29, the expression specified in <Files ...) {DSA-4164-1} - apache2 2.4.33-1 [wheezy] - apache2 (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2018/03/24/6 CVE-2017-15714 (The BIRT plugin in Apache OFBiz 16.11.01 to 16.11.03 does not escape u ...) NOT-FOR-US: BIRT plugin in Apache OFBiz CVE-2017-15713 (Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before ...) - hadoop (bug #793644) CVE-2017-15712 (Vulnerability allows a user of Apache Oozie 3.1.3-incubating to 4.3.0 ...) NOT-FOR-US: Apache Oozie CVE-2017-15711 REJECTED CVE-2017-15710 (In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29 ...) {DSA-4164-1 DLA-1389-1} - apache2 2.4.33-1 NOTE: http://www.openwall.com/lists/oss-security/2018/03/24/8 CVE-2017-15709 (When using the OpenWire protocol in ActiveMQ versions 5.14.0 to 5.15.2 ...) - activemq 5.15.3-1 (bug #890352) [stretch] - activemq (Minor issue) [jessie] - activemq (Issue introduced with OpenWire protocol support) [wheezy] - activemq (Issue introduced with OpenWire protocol support) CVE-2017-15708 (In Apache Synapse, by default no authentication is required for Java R ...) NOT-FOR-US: Apache Synapse CVE-2017-15707 (In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated J ...) - libstruts1.2-java (Specific to 2.x) CVE-2017-15706 (As part of the fix for bug 61201, the documentation for Apache Tomcat ...) - tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.5.24-1 [stretch] - tomcat8 (Issue introduced later) [jessie] - tomcat8 (Issue introduced later) - tomcat8.0 (unimportant) NOTE: tomcat8.0 builds only tomcat8.0-user and libtomcat8.0-java - tomcat7 (Only affects 7.0.79 to 7.0.82, Upstream bugzilla entry bz#61201 not addressed) NOTE: https://svn.apache.org/r1814828 (7.0.x) NOTE: https://svn.apache.org/r1814827 (8.0.x) NOTE: https://svn.apache.org/r1814826 (8.5.x) NOTE: Introduced by fix for https://bz.apache.org/bugzilla/show_bug.cgi?id=61201 NOTE: https://lists.apache.org/thread.html/e1ef853fc0079cdb55befbd2dac042934e49288b476d5f6a649e5da2@%3Cannounce.tomcat.apache.org%3E CVE-2017-15705 (A denial of service vulnerability was identified that exists in Apache ...) {DLA-1578-1} - spamassassin 3.4.2-1 (bug #908969) [stretch] - spamassassin 3.4.2-1~deb9u1 NOTE: https://www.openwall.com/lists/oss-security/2018/09/16/1 CVE-2017-15704 REJECTED CVE-2017-15703 (Any authenticated user (valid client certificate but without ACL permi ...) NOT-FOR-US: Apache NiFi CVE-2017-15702 (In Apache Qpid Broker-J 0.18 through 0.32, if the broker is configured ...) - qpid-java (bug #840131) CVE-2017-15701 (In Apache Qpid Broker-J versions 6.1.0 through 6.1.4 (inclusive) the b ...) - qpid-java (bug #840131) CVE-2017-15700 (A flaw in the org.apache.sling.auth.core.AuthUtil#isRedirectValid meth ...) NOT-FOR-US: Apache Sling Authentication Service CVE-2017-15699 (A Denial of Service vulnerability was found in Apache Qpid Dispatch Ro ...) - qpid-dispatch (bug #737776) NOTE: http://www.openwall.com/lists/oss-security/2018/02/13/5 CVE-2017-15698 (When parsing the AIA-Extension field of a client certificate, Apache T ...) {DSA-4118-1 DLA-1276-1} - tomcat-native 1.2.16-1 NOTE: https://lists.apache.org/thread.html/6eb0a53e5827d97db1a05c736d01101fec21202a5b8fc77bb0eaaed8@%3Cannounce.tomcat.apache.org%3E NOTE: http://svn.apache.org/r1815200 NOTE: http://svn.apache.org/r1815218 NOTE: Affects: 1.2.0 to 1.2.14 and 1.1.23 to 1.1.34 CVE-2017-15697 (A malicious X-ProxyContextPath or X-Forwarded-Context header containin ...) NOT-FOR-US: Apache NiFi CVE-2017-15696 (When an Apache Geode cluster before v1.4.0 is operating in secure mode ...) NOT-FOR-US: Apache Geode CVE-2017-15695 (When an Apache Geode server versions 1.0.0 to 1.4.0 is configured with ...) NOT-FOR-US: Apache Geode CVE-2017-15694 (When an Apache Geode server versions 1.0.0 to 1.8.0 is operating in se ...) NOT-FOR-US: Apache Geode CVE-2017-15693 (In Apache Geode before v1.4.0, the Geode server stores application obj ...) NOT-FOR-US: Apache Geode CVE-2017-15692 (In Apache Geode before v1.4.0, the TcpServer within the Geode locator ...) NOT-FOR-US: Apache Geode CVE-2017-15691 (In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0 ...) - uimaj 2.10.2-1 (bug #897009) [stretch] - uimaj (Minor issue) [jessie] - uimaj (Minor issue) [wheezy] - uimaj (Minor issue) NOTE: https://uima.apache.org/security_report#CVE-2017-15691 CVE-2017-15924 (In manager.c in ss-manager in shadowsocks-libev 3.1.0, improper parsin ...) {DSA-4009-1} - shadowsocks-libev 3.1.0+ds-2 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-010-shadowsocks-libev/ NOTE: https://github.com/shadowsocks/shadowsocks-libev/issues/1734 NOTE: https://github.com/shadowsocks/shadowsocks-libev/commit/c67d275 CVE-2017-15690 RESERVED CVE-2017-15689 RESERVED CVE-2017-15688 RESERVED CVE-2017-15687 (DOM Based Cross Site Scripting (XSS) exists in Logitech Media Server 7 ...) NOT-FOR-US: Logitech CVE-2017-15686 RESERVED CVE-2017-15685 RESERVED CVE-2017-15684 RESERVED CVE-2017-15683 RESERVED CVE-2017-15682 RESERVED CVE-2017-15681 RESERVED CVE-2017-15680 RESERVED CVE-2017-15679 RESERVED CVE-2017-15678 RESERVED CVE-2017-15677 RESERVED CVE-2017-15676 RESERVED CVE-2017-15675 RESERVED CVE-2017-15674 RESERVED CVE-2017-15673 (The files function in the administration section in CS-Cart 4.6.2 and ...) NOT-FOR-US: CS-Cart CVE-2017-15672 (The read_header function in libavcodec/ffv1dec.c in FFmpeg 3.3.4 and e ...) {DSA-4049-1 DLA-1630-1} - ffmpeg 7:3.4-1 - libav NOTE: Fixed by: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=c20f4fcb74da2d0432c7b54499bb98f48236b904 CVE-2017-15671 (The glob function in glob.c in the GNU C Library (aka glibc or libc6) ...) [experimental] - glibc 2.26-0experimental0 - glibc 2.25-3 (low; bug #879500) [stretch] - glibc 2.24-11+deb9u4 [jessie] - glibc (Minor issue) - eglibc (low) [wheezy] - eglibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22325 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c66c908230169c1bab1f83b071eb585baa214b9f CVE-2017-15670 (The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by- ...) [experimental] - glibc 2.26-0experimental0 - glibc 2.25-3 (low; bug #879501) [stretch] - glibc 2.24-11+deb9u4 [jessie] - glibc (Minor issue) - eglibc (low) [wheezy] - eglibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22320 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c369d66e5426a30e4725b100d5cd28e372754f90 (master) NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a76376df7c07e577a9515c3faa5dbd50bda5da07 (release/2.26/master) CVE-2017-15669 RESERVED CVE-2017-15668 RESERVED CVE-2017-15667 (In Flexense SysGauge Server 3.6.18, the Control Protocol suffers from ...) NOT-FOR-US: Flexense SysGauge Server CVE-2017-15666 RESERVED CVE-2017-15665 (In Flexense DiskBoss Enterprise 8.5.12, the Control Protocol suffers f ...) NOT-FOR-US: Flexense DiskBoss Enterprise CVE-2017-15664 (In Flexense Sync Breeze Enterprise v10.1.16, the Control Protocol suff ...) NOT-FOR-US: Flexense Sync Breeze Enterprise CVE-2017-15663 (In Flexense Disk Pulse Enterprise v10.1.18, the Control Protocol suffe ...) NOT-FOR-US: Flexense Disk Pulse Enterprise CVE-2017-15662 (In Flexense VX Search Enterprise v10.1.12, the Control Protocol suffer ...) NOT-FOR-US: Flexense VX Search Enterprise CVE-2017-15661 RESERVED CVE-2017-15660 RESERVED CVE-2017-15659 RESERVED CVE-2017-15658 RESERVED CVE-2017-15657 RESERVED CVE-2017-15656 (Password are stored in plaintext in nvram in the HTTPd server in all c ...) NOT-FOR-US: HTTPd server in Asus asuswrt CVE-2017-15655 (Multiple buffer overflow vulnerabilities exist in the HTTPd server in ...) NOT-FOR-US: HTTPd server in Asus asuswrt CVE-2017-15654 (Highly predictable session tokens in the HTTPd server in all current v ...) NOT-FOR-US: HTTPd server in Asus asuswrt CVE-2017-15653 (Improper administrator IP validation after his login in the HTTPd serv ...) NOT-FOR-US: HTTPd server in Asus asuswrt CVE-2017-15652 (Artifex Ghostscript 9.22 is affected by: Obtain Information. The impac ...) - ghostscript 9.25~dfsg-1 [stretch] - ghostscript 9.25~dfsg-0+deb9u1 [jessie] - ghostscript 9.26a~dfsg-0+deb8u1 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2fc463d0e (ghostpdl-9.23rc1) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698676 CVE-2017-15651 (PRTG Network Monitor 17.3.33.2830 allows remote authenticated administ ...) NOT-FOR-US: PRTG Network Monitor CVE-2017-15649 (net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local ...) {DLA-1200-1} - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 NOTE: Fixed by: https://git.kernel.org/linus/008ba2a13f2d04c947adc536d19debb8fe66f110 NOTE: Fixed by: https://git.kernel.org/linus/4971613c1639d8e5f102c4e797c3bf8f83a5a69e CVE-2017-15648 (In PHPSUGAR PHP Melody before 2.7.3, page_manager.php has XSS via the ...) NOT-FOR-US: PHPSUGAR PHP Melody CVE-2017-15647 (On FiberHome routers, Directory Traversal exists in /cgi-bin/webproc v ...) NOT-FOR-US: On FiberHome CVE-2017-15646 (Webmin before 1.860 has XSS with resultant remote code execution. Unde ...) - webmin CVE-2017-15645 (CSRF exists in Webmin 1.850. By sending a GET request to at/create_job ...) - webmin CVE-2017-15644 (SSRF exists in Webmin 1.850 via the PATH_INFO to tunnel/link.cgi, as d ...) - webmin CVE-2017-15643 (An active network attacker (MiTM) can achieve remote code execution on ...) NOT-FOR-US: IKARUS Anti Virus CVE-2017-15650 (musl libc before 1.1.17 has a buffer overflow via crafted DNS replies ...) - musl 1.1.17-1 [stretch] - musl (Minor issue) [jessie] - musl (Minor issue) NOTE: https://git.musl-libc.org/cgit/musl/patch/?id=45ca5d3fcb6f874bf5ba55d0e9651cef68515395 CVE-2017-15642 (In lsx_aiffstartread in aiff.c in Sound eXchange (SoX) 14.4.2, there i ...) {DLA-1695-1 DLA-1197-1} - sox 14.4.2-2 (bug #882144) [stretch] - sox 14.4.1-5+deb9u2 NOTE: https://sourceforge.net/p/sox/bugs/298/ NOTE: https://github.com/mansr/sox/commit/0be259eaa9ce3f3fa587a3ef0cf2c0b9c73167a2 CVE-2017-15641 RESERVED CVE-2017-15640 (app/sections/user-menu.php in phpIPAM before 1.3.1 has XSS via the ip ...) NOT-FOR-US: phpIPAM CVE-2017-15639 (tasks/feed/readRSS.cfm in Mura CMS before 6.2 allows attackers to bypa ...) NOT-FOR-US: Mura CMS CVE-2017-15638 (The SuSEfirewall2 package before 3.6.312-2.13.1 in SUSE Linux Enterpri ...) NOT-FOR-US: SuSEfirewall2 in SUSE CVE-2012-6707 (WordPress through 4.8.2 uses a weak MD5-based password hashing algorit ...) - wordpress (bug #880868) [buster] - wordpress (Minor issue, can be revisited with upstream has picked a new hashing solution) [stretch] - wordpress (Minor issue, can be revisited with upstream has picked a new hashing solution) [jessie] - wordpress (Minor issue, can be revisited with upstream has picked a new hashing solution) [wheezy] - wordpress (Minor issue, can be revisited with upstream has picked a new hashing solution) NOTE: https://core.trac.wordpress.org/ticket/21022 NOTE: Proposed patch (but not merged): https://core.trac.wordpress.org/attachment/ticket/21022/21022.3.diff NOTE: Cf. https://core.trac.wordpress.org/ticket/21022#comment:80 and following. CVE-2017-15637 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15636 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15635 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15634 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15633 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15632 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15631 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15630 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15629 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15628 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15627 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15626 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15625 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15624 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15623 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15622 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15621 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15620 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15619 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15618 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15617 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15616 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15615 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15614 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15613 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15612 (mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline (such ...) - mistune 0.8-1 (bug #879098) [stretch] - mistune (Minor issue) NOTE: https://github.com/lepture/mistune/pull/140 NOTE: https://github.com/lepture/mistune/commit/d6f0b6402299bf5a380e7b4e77bd80e8736630fe CVE-2017-15611 (In Octopus before 3.17.7, an authenticated user who was explicitly gra ...) NOT-FOR-US: Octopus Deploy CVE-2017-15610 (An issue was discovered in Octopus before 3.17.7. When the special Gue ...) NOT-FOR-US: Octopus Deploy CVE-2017-15609 (Octopus before 3.17.7 allows attackers to obtain sensitive cleartext i ...) NOT-FOR-US: Octopus Deploy CVE-2017-15608 (Inedo ProGet before 5.0 Beta5 has CSRF, allowing an attacker to change ...) NOT-FOR-US: Inedo ProGet CVE-2017-15607 (Inedo Otter before 1.7.4 has directory traversal in filesystem-based r ...) NOT-FOR-US: Inedo Otter CVE-2017-15606 RESERVED CVE-2017-15605 RESERVED CVE-2017-15604 RESERVED CVE-2017-15603 RESERVED CVE-2017-15602 (In GNU Libextractor 1.4, there is an integer signedness error for the ...) {DLA-1198-1} - libextractor 1:1.6-1 (low) [stretch] - libextractor 1:1.3-4+deb9u1 [jessie] - libextractor 1:1.3-2+deb8u1 NOTE: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00005.html NOTE: Fixed by https://git.gnunet.org/libextractor.git/commit/?id=ffab889c1710c7646af9ed360c796a2a0a619efc CVE-2017-15601 (In GNU Libextractor 1.4, there is a heap-based buffer overflow in the ...) {DLA-1198-1} - libextractor 1:1.6-1 (low) [stretch] - libextractor 1:1.3-4+deb9u1 [jessie] - libextractor 1:1.3-2+deb8u1 NOTE: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00006.html NOTE: Fixed by https://git.gnunet.org/libextractor.git/commit/?id=f813535dad4ad860b989952a46266a1469801091 CVE-2017-15600 (In GNU Libextractor 1.4, there is a NULL Pointer Dereference in the EX ...) {DLA-1198-1} - libextractor 1:1.6-1 (low) [stretch] - libextractor 1:1.3-4+deb9u1 [jessie] - libextractor 1:1.3-2+deb8u1 NOTE: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00004.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1501695 NOTE: Fixed by https://git.gnunet.org/libextractor.git/commit/?id=38e8933539ee9d044057b18a971c2eae3c21aba7 CVE-2017-15599 RESERVED CVE-2017-15598 RESERVED CVE-2017-15597 (An issue was discovered in Xen through 4.9.x. Grant copying code made ...) {DSA-4050-1 DLA-1549-1} - xen 4.8.2+xsa245-0+deb9u1 [wheezy] - xen (Vulnerable code not present) NOTE: https://xenbits.xen.org/xsa/advisory-236.html CVE-2017-15586 RESERVED CVE-2017-15585 RESERVED CVE-2017-15584 RESERVED CVE-2017-15583 (The embedded web server on ABB Fox515T 1.0 devices is vulnerable to Lo ...) NOT-FOR-US: ABB Fox515T 1.0 devices CVE-2017-15582 (In net.MCrypt in the "Diary with lock" (aka WriteDiary) application 4. ...) NOT-FOR-US: Diary with lock CVE-2017-15581 (In the "Diary with lock" (aka WriteDiary) application 4.72 for Android ...) NOT-FOR-US: Diary with lock CVE-2017-15580 (osTicket 1.10.1 provides a functionality to upload 'html' files with a ...) NOT-FOR-US: osTicket CVE-2017-15579 (In PHPSUGAR PHP Melody before 2.7.3, SQL Injection exists via an aa_pa ...) NOT-FOR-US: PHPSUGAR PHP Melody CVE-2017-15578 (In PHPSUGAR PHP Melody before 2.7.3, SQL Injection exists via the imag ...) NOT-FOR-US: PHPSUGAR PHP Melody CVE-2017-15567 (** DISPUTED ** The certificate import component in IDEMIA (formerly Mo ...) NOT-FOR-US: IDEMIA CVE-2017-15566 (Insecure SPANK environment variable handling exists in SchedMD Slurm b ...) {DSA-4023-1} - slurm-llnl 17.02.9-1 (bug #880530) [jessie] - slurm-llnl (Vulnerable code introduced later) [wheezy] - slurm-llnl (Vulnerable code introduced later) NOTE: https://bugs.schedmd.com/show_bug.cgi?id=4228 (not public) NOTE: Fixed by: https://github.com/SchedMD/slurm/commit/b30e9e9ee2ade6951bfaf28e15ef77325a206971 CVE-2017-15565 (In Poppler 0.59.0, a NULL Pointer Dereference exists in the GfxImageCo ...) {DSA-4079-1 DLA-1177-1} - poppler 0.61.1-2 (bug #879066) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=103016 NOTE: Fixed by: https://cgit.freedesktop.org/poppler/poppler/commit/?id=19ebd40547186a8ea6da08c8d8e2a6d6b7e84f5d CVE-2017-15564 REJECTED CVE-2017-15563 REJECTED CVE-2017-15562 REJECTED CVE-2017-15561 REJECTED CVE-2017-15560 REJECTED CVE-2017-15559 REJECTED CVE-2017-15558 REJECTED CVE-2017-15557 REJECTED CVE-2017-15556 REJECTED CVE-2017-15555 REJECTED CVE-2017-15554 REJECTED CVE-2017-15553 REJECTED CVE-2017-15552 REJECTED CVE-2017-15551 REJECTED CVE-2017-15550 (An issue was discovered in EMC Avamar Server 7.1.x, 7.2.x, 7.3.x, 7.4. ...) NOT-FOR-US: EMC Avamar Server CVE-2017-15549 (An issue was discovered in EMC Avamar Server 7.1.x, 7.2.x, 7.3.x, 7.4. ...) NOT-FOR-US: EMC Avamar Server CVE-2017-15548 (An issue was discovered in EMC Avamar Server 7.1.x, 7.2.x, 7.3.x, 7.4. ...) NOT-FOR-US: EMC Avamar Server CVE-2017-15547 REJECTED CVE-2017-15546 (The Security Console in EMC RSA Authentication Manager 8.2 SP1 P6 and ...) NOT-FOR-US: EMC RSA Authentication Manager CVE-2017-15545 REJECTED CVE-2017-15544 REJECTED CVE-2017-15543 REJECTED CVE-2017-15542 REJECTED CVE-2017-15541 REJECTED CVE-2017-15540 REJECTED CVE-2017-15539 (SQL Injection exists in zorovavi/blog through 2017-10-17 via the id pa ...) NOT-FOR-US: zorovavi/blog CVE-2017-15587 (An integer overflow was discovered in pdf_read_new_xref_section in pdf ...) {DSA-4006-2 DSA-4006-1 DLA-1164-1} - mupdf 1.11+ds1-2 (bug #879055) NOTE: http://git.ghostscript.com/?p=mupdf.git;h=82df2631d7d0446b206ea6b434ea609b6c28b0e8 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698605 (not public) NOTE: https://nandynarwhals.org/CVE-2017-15587/ CVE-2017-15538 (Stored XSS vulnerability in the Media Objects component of ILIAS befor ...) NOT-FOR-US: ILIAS CVE-2017-15536 (An issue was discovered in Cloudera Data Science Workbench (CDSW) 1.x ...) NOT-FOR-US: Cloudera Data Science Workbench CVE-2017-15535 (MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by- ...) - mongodb (wire protocol compression introduced in 3.4.x and disabled by default) NOTE: https://jira.mongodb.org/browse/SERVER-31273 CVE-2017-15534 (The Norton App Lock prior to version 1.3.0.13 can be susceptible to an ...) NOT-FOR-US: Noron App Lock CVE-2017-15533 (Symantec SSL Visibility (SSLV) 3.8.4FC, 3.10 prior to 3.10.4.1, 3.11, ...) NOT-FOR-US: Symantec CVE-2017-15532 (Prior to 10.6.4, Symantec Messaging Gateway may be susceptible to a pa ...) NOT-FOR-US: Symantec CVE-2017-15531 (Symantec Reporter 9.5 prior to 9.5.4.1 and 10.1 prior to 10.1.5.5 does ...) NOT-FOR-US: Symantec CVE-2017-15530 (Prior to 4.4.1.10, the Norton Family Android App can be susceptible to ...) NOT-FOR-US: Norton CVE-2017-15529 (Prior to 4.4.1.10, the Norton Family Android App can be susceptible to ...) NOT-FOR-US: Norton CVE-2017-15528 (Prior to v 7.6, the Install Norton Security (INS) product can be susce ...) NOT-FOR-US: Install Norton Security CVE-2017-15527 (Prior to ITMS 8.1 RU4, the Symantec Management Console can be suscepti ...) NOT-FOR-US: Symantec CVE-2017-15526 (Prior to SEE v11.1.3MP1, Symantec Endpoint Encryption can be susceptib ...) NOT-FOR-US: Symantec CVE-2017-15525 (Prior to SEE v11.1.3MP1, Symantec Endpoint Encryption can be susceptib ...) NOT-FOR-US: Symantec CVE-2017-15524 (The Application Firewall Pack (AFP, aka Web Application Firewall) comp ...) NOT-FOR-US: Kemp Load Balancer CVE-2017-15523 REJECTED CVE-2017-15522 REJECTED CVE-2017-15521 REJECTED CVE-2017-15520 REJECTED CVE-2017-15519 (Versions of SnapCenter 2.0 through 3.0.1 allow unauthenticated remote ...) NOT-FOR-US: SnapCenter CVE-2017-15518 (All versions of OnCommand API Services prior to 2.1 and NetApp Service ...) NOT-FOR-US: NetApp CVE-2017-15517 (AltaVault OST Plug-in versions prior to 1.2.2 may allow attackers to o ...) NOT-FOR-US: AltaVault OST Plug-in CVE-2017-15516 (NetApp SnapCenter Server versions 1.1 through 2.x are susceptible to a ...) NOT-FOR-US: NetApp CVE-2017-15515 (NetApp SnapCenter Server prior to 4.0 is susceptible to cross site scr ...) NOT-FOR-US: NetApp SnapCenter Server CVE-2017-15514 REJECTED CVE-2017-15568 (In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, X ...) {DSA-4191-1} - redmine 3.4.4-1 (bug #882544) [jessie] - redmine (Not supported in Jessie-LTS) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://www.redmine.org/issues/27186 (private) NOTE: upstream fixed in 3.2.8, 3.3.5 and 3.4.3 NOTE: https://github.com/redmine/redmine/commit/94f7cfbf990028348b9262578acbc53a94fce448 CVE-2017-15569 (In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, X ...) {DSA-4191-1} - redmine 3.4.4-1 (bug #882545) [jessie] - redmine (Not supported in Jessie-LTS) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://www.redmine.org/issues/27186 (private) NOTE: https://github.com/redmine/redmine/commit/56c8ee0440d8555aa7822d947ba9091c8a791508 CVE-2017-15570 (In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, X ...) {DSA-4191-1} - redmine 3.4.4-1 (bug #882547) [jessie] - redmine (Not supported in Jessie-LTS) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://www.redmine.org/issues/27186 (private) NOTE: https://github.com/redmine/redmine/commit/1a0976417975a128b0a932ba1552c37e9414953b CVE-2017-15571 (In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, X ...) {DSA-4191-1} - redmine 3.4.4-1 (bug #882548) [jessie] - redmine (Not supported in Jessie-LTS) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://www.redmine.org/issues/27186 (private) NOTE: https://github.com/redmine/redmine/commit/273dd9cb3bcfb1e0a0b90570b3b34eafa07d67aa CVE-2017-15573 (In Redmine before 3.2.6 and 3.3.x before 3.3.3, XSS exists because mar ...) {DSA-4191-1} - redmine 3.4.2-1 [jessie] - redmine (Not supported in Jessie-LTS) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://www.redmine.org/issues/25503 (private) NOTE: upstream fixed in 3.2.6 and 3.3.3 CVE-2017-15572 (In Redmine before 3.2.6 and 3.3.x before 3.3.3, remote attackers can o ...) {DSA-4191-1} - redmine 3.4.2-1 [jessie] - redmine (Not supported in Jessie-LTS) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://www.redmine.org/issues/24416 (private) NOTE: upstream fixed in 3.2.6 and 3.3.3 CVE-2017-15575 (In Redmine before 3.2.6 and 3.3.x before 3.3.3, Redmine.pm lacks a che ...) {DSA-4191-1} - redmine 3.4.2-1 [jessie] - redmine (Not supported in Jessie-LTS) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://www.redmine.org/issues/24307 (private) NOTE: upstream fixed in 3.2.6 and 3.3.3 CVE-2017-15574 (In Redmine before 3.2.6 and 3.3.x before 3.3.3, stored XSS is possible ...) {DSA-4191-1} - redmine 3.4.2-1 [jessie] - redmine (Not supported in Jessie-LTS) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://www.redmine.org/issues/24199 (private) NOTE: upstream fixed in 3.2.6 and 3.3.3 CVE-2017-15576 (Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles Time Entry rend ...) {DSA-4191-1} - redmine 3.4.2-1 [jessie] - redmine (Not supported in Jessie-LTS) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://www.redmine.org/issues/23803 (private) NOTE: upstream fixed in 3.2.6 and 3.3.3 CVE-2017-15577 (Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles the rendering o ...) {DSA-4191-1} - redmine 3.4.2-1 [jessie] - redmine (Not supported in Jessie-LTS) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://www.redmine.org/issues/23793 (private) NOTE: upstream fixed in 3.2.6 and 3.3.3 CVE-2016-10515 (In Redmine before 3.2.3, there are stored XSS vulnerabilities affectin ...) - redmine 3.2.3-1 [jessie] - redmine (Not supported in Jessie-LTS) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: upstream fixed in 3.2.3 CVE-2017-15537 (The x86/fpu (Floating Point Unit) subsystem in the Linux kernel before ...) - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/814fb7bb7db5433757d76f4c4502c96fc53b0b5e (v4.14-rc3) CVE-2017-15513 REJECTED CVE-2017-15512 REJECTED CVE-2017-15511 REJECTED CVE-2017-15510 REJECTED CVE-2017-15509 REJECTED CVE-2017-15508 REJECTED CVE-2017-15507 REJECTED CVE-2017-15506 REJECTED CVE-2017-15505 REJECTED CVE-2017-15504 REJECTED CVE-2017-15503 REJECTED CVE-2017-15502 REJECTED CVE-2017-15501 REJECTED CVE-2017-15500 REJECTED CVE-2017-15499 REJECTED CVE-2017-15498 REJECTED CVE-2017-15497 REJECTED CVE-2017-15496 REJECTED CVE-2017-15495 REJECTED CVE-2017-15494 REJECTED CVE-2017-15493 REJECTED CVE-2017-15492 REJECTED CVE-2017-15491 REJECTED CVE-2017-15490 REJECTED CVE-2017-15489 REJECTED CVE-2017-15488 REJECTED CVE-2017-15487 REJECTED CVE-2017-15486 REJECTED CVE-2017-15485 REJECTED CVE-2017-15484 REJECTED CVE-2017-15483 REJECTED CVE-2017-15482 REJECTED CVE-2017-15481 REJECTED CVE-2017-15480 REJECTED CVE-2017-15479 REJECTED CVE-2017-15478 REJECTED CVE-2017-15477 REJECTED CVE-2017-15476 REJECTED CVE-2017-15475 REJECTED CVE-2017-15474 REJECTED CVE-2017-15473 REJECTED CVE-2017-15472 REJECTED CVE-2017-15471 REJECTED CVE-2017-15470 REJECTED CVE-2017-15469 REJECTED CVE-2017-15468 REJECTED CVE-2017-15467 REJECTED CVE-2017-15466 REJECTED CVE-2017-15465 REJECTED CVE-2017-15464 REJECTED CVE-2017-15463 REJECTED CVE-2017-15462 REJECTED CVE-2017-15461 REJECTED CVE-2017-15460 REJECTED CVE-2017-15459 REJECTED CVE-2017-15458 REJECTED CVE-2017-15457 REJECTED CVE-2017-15456 REJECTED CVE-2017-15455 REJECTED CVE-2017-15454 REJECTED CVE-2017-15453 REJECTED CVE-2017-15452 REJECTED CVE-2017-15451 REJECTED CVE-2017-15450 REJECTED CVE-2017-15449 REJECTED CVE-2017-15448 REJECTED CVE-2017-15447 REJECTED CVE-2017-15446 REJECTED CVE-2017-15445 REJECTED CVE-2017-15444 REJECTED CVE-2017-15443 REJECTED CVE-2017-15442 REJECTED CVE-2017-15441 REJECTED CVE-2017-15440 REJECTED CVE-2017-15439 REJECTED CVE-2017-15438 REJECTED CVE-2017-15437 REJECTED CVE-2017-15436 REJECTED CVE-2017-15435 REJECTED CVE-2017-15434 REJECTED CVE-2017-15433 REJECTED CVE-2017-15432 REJECTED CVE-2017-15431 RESERVED CVE-2017-15430 (Insufficient data validation in Chromecast plugin in Google Chrome pri ...) - chromium-browser (Plugin specific to Chrome) CVE-2017-15429 (Inappropriate implementation in V8 WebAssembly JS bindings in Google C ...) {DSA-4103-1} - chromium-browser 64.0.3282.119-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-15428 (Insufficient data validation in V8 builtins string generator could lea ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15427 (Insufficient policy enforcement in Omnibox in Google Chrome prior to 6 ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15426 (Insufficient policy enforcement in Omnibox in Google Chrome prior to 6 ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15425 (Insufficient policy enforcement in Omnibox in Google Chrome prior to 6 ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15424 (Insufficient policy enforcement in Omnibox in Google Chrome prior to 6 ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15423 (Inappropriate implementation in BoringSSL SPAKE2 in Google Chrome prio ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15422 (Integer overflow in international date handling in International Compo ...) {DSA-4150-1} - icu 57.1-9 (bug #892766) [wheezy] - icu (Vulnerable code not present) NOTE: https://code.google.com/p/chromium/issues/detail?id=774382 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1523136 NOTE: Issue fixed in: https://ssl.icu-project.org/trac/changeset/40654 CVE-2017-15421 RESERVED CVE-2017-15420 (Incorrect handling of back navigations in error pages in Navigation in ...) {DSA-4103-1 DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15419 (Insufficient policy enforcement in Resource Timing API in Google Chrom ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15418 (Use of uninitialized memory in Skia in Google Chrome prior to 63.0.323 ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15417 (Inappropriate implementation in Skia canvas composite operations in Go ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15416 (Heap buffer overflow in Blob API in Google Chrome prior to 63.0.3239.8 ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15415 (Incorrect serialization in IPC in Google Chrome prior to 63.0.3239.84 ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15414 RESERVED CVE-2017-15413 (Type confusion in WebAssembly in V8 in Google Chrome prior to 63.0.323 ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15412 (Use after free in libxml2 before 2.9.5, as used in Google Chrome prior ...) {DSA-4086-1 DLA-1211-1} - libxml2 2.9.4+dfsg1-5.2 (bug #883790) NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=727039 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=783160 (not public) NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=0f3b843b3534784ef57a4f9b874238aa1fda5a73 CVE-2017-15411 (Use after free in PDFium in Google Chrome prior to 63.0.3239.84 allowe ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15410 (Use after free in PDFium in Google Chrome prior to 63.0.3239.84 allowe ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15409 (Heap buffer overflow in Skia in Google Chrome prior to 63.0.3239.84 al ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15408 (Heap buffer overflow in Omnibox in Google Chrome prior to 63.0.3239.84 ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15407 (Out-of-bounds Write in the QUIC networking stack in Google Chrome prio ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15406 (A stack buffer overflow in V8 in Google Chrome prior to 62.0.3202.75 a ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-15405 (Inappropriate symlink handling and a race condition in the stateful re ...) NOT-FOR-US: Chrome OS CVE-2017-15404 (An ability to process crash dumps under root privileges and inappropri ...) NOT-FOR-US: Chrome OS CVE-2017-15403 (Insufficient data validation in crosh could lead to a command injectio ...) NOT-FOR-US: Chrome OS CVE-2017-15402 (Using an ID that can be controlled by a compromised renderer which all ...) NOT-FOR-US: Chrome OS CVE-2017-15401 (A memory corruption bug in WebAssembly could lead to out of bounds rea ...) NOT-FOR-US: Chrome OS CVE-2017-15400 (Insufficient restriction of IPP filters in CUPS in Google Chrome OS pr ...) {DSA-4243-1} - cups 2.2.3-2 [jessie] - cups (Vulnerable code not present, ppdCreateFromIPP() introduced in v2.2.0) [wheezy] - cups (Vulnerable code not present) NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=777215 NOTE: Patches from upstream to restrict what filters will be accpeted NOTE: https://github.com/apple/cups/commit/07428f6a640ff93aa0b4cc69ca372e2cf8490e41 (v2.2.2) NOTE: https://github.com/apple/cups/commit/1add23375658e9163e5493ee19de7c9f7a9b483b (v2.2.2) CVE-2017-15399 (A use after free in V8 in Google Chrome prior to 62.0.3202.89 allowed ...) {DSA-4024-1} - chromium-browser 62.0.3202.89-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-15398 (A stack buffer overflow in the QUIC networking stack in Google Chrome ...) {DSA-4024-1} - chromium-browser 62.0.3202.89-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15397 (Inappropriate implementation in ChromeVox in Google Chrome OS prior to ...) NOT-FOR-US: ChromeVox in Google Chrome OS CVE-2017-15396 (A stack buffer overflow in NumberingSystem in International Components ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-15395 (A use after free in Blink in Google Chrome prior to 62.0.3202.62 allow ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15394 (Insufficient Policy Enforcement in Extensions in Google Chrome prior t ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15393 (Insufficient Policy Enforcement in Devtools remote debugging in Google ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15392 (Insufficient data validation in V8 in Google Chrome prior to 62.0.3202 ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15391 (Insufficient Policy Enforcement in Extensions in Google Chrome prior t ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15390 (Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 6 ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15389 (An insufficient watchdog timer in navigation in Google Chrome prior to ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15388 (Iteration through non-finite points in Skia in Google Chrome prior to ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15387 (Insufficient enforcement of Content Security Policy in Blink in Google ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15386 (Incorrect implementation in Blink in Google Chrome prior to 62.0.3202. ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15385 (The store_versioninfo_gnu_verdef function in libr/bin/format/elf/elf.c ...) - radare2 2.1.0+dfsg-1 (bug #879119) [jessie] - radare2 (Vulnerable code introduced in 0.10.2) [wheezy] - radare2 (Vulnerable code introduced in 0.10.2) NOTE: https://github.com/radare/radare2/issues/8685 NOTE: https://github.com/radare/radare2/commit/21a6f570ba33fa9f52f1bba87f07acc4e8c178f4 CVE-2017-15384 (rate-me.php in Rate Me 1.0 has XSS via the id field in a rate action. ...) NOT-FOR-US: Rate Me CVE-2017-15383 (Nero 7.10.1.0 has an unquoted BINARY_PATH_NAME for NBService, exploita ...) NOT-FOR-US: Nero CVE-2017-15382 RESERVED CVE-2017-15381 (SQL Injection exists in E-Sic 1.0 via the f parameter to esiclivre/res ...) NOT-FOR-US: E-Sic CVE-2017-15380 (XSS exists in the E-Sic 1.0 /cadastro/index.php URI (aka the requester ...) NOT-FOR-US: E-Sic CVE-2017-15379 (An authentication bypass exists in the E-Sic 1.0 /index (aka login) UR ...) NOT-FOR-US: E-Sic CVE-2017-15378 (SQL Injection exists in the E-Sic 1.0 password reset parameter (aka th ...) NOT-FOR-US: E-Sic CVE-2017-15377 (In Suricata before 4.x, it was possible to trigger lots of redundant c ...) {DLA-1603-1} - suricata 1:4.0.0-1 (low) [stretch] - suricata (Minor issue) [wheezy] - suricata (Vulnerable code introduced later) NOTE: https://github.com/OISF/suricata/pull/2680/commits/47afc577ff763150f9b47f10331f5ef9eb847a57 NOTE: https://redmine.openinfosecfoundation.org/issues/2231 NOTE: introduced in https://github.com/OISF/suricata/commit/35f1f7e8d944a3 CVE-2017-15376 (The TELNET service in Mobatek MobaXterm 10.4 does not require authenti ...) NOT-FOR-US: Mobatek MobaXterm CVE-2017-15375 (Multiple client-side cross site scripting vulnerabilities have been di ...) NOT-FOR-US: WpJobBoard CVE-2017-15374 (Shopware v5.2.5 - v5.3 is vulnerable to cross site scripting in the cu ...) NOT-FOR-US: Shopware CVE-2017-15373 (E-Sic 1.0 allows SQL injection via the q parameter to esiclivre/restri ...) NOT-FOR-US: E-Sic CVE-2017-15372 (There is a stack-based buffer overflow in the lsx_ms_adpcm_block_expan ...) {DLA-1695-1 DLA-1197-1} - sox 14.4.2-2 (bug #878808) [stretch] - sox 14.4.1-5+deb9u2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1500553 NOTE: https://github.com/mansr/sox/commit/001c337552912d286ba68086ac378f6fdc1e8b50 CVE-2017-15371 (There is a reachable assertion abort in the function sox_append_commen ...) {DLA-1705-1 DLA-1197-1} - sox 14.4.2-2 (bug #878809) [stretch] - sox 14.4.1-5+deb9u2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1500570 NOTE: https://github.com/mansr/sox/commit/818bdd0ccc1e5b6cae742c740c17fd414935cf39 CVE-2017-15370 (There is a heap-based buffer overflow in the ImaExpandS function of im ...) {DLA-1695-1 DLA-1197-1} - sox 14.4.2-2 (bug #878810) [stretch] - sox 14.4.1-5+deb9u2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1500554 NOTE: https://github.com/mansr/sox/commit/ef3d8be0f80cbb650e4766b545d61e10d7a24c9e CVE-2017-15369 (The build_filter_chain function in pdf/pdf-stream.c in Artifex MuPDF b ...) - mupdf (Vulnerable code introduced later) NOTE: Fixed by: http://git.ghostscript.com/?p=mupdf.git;h=c2663e51238ec8256da7fc61ad580db891d9fe9a NOTE: Introduced by: http://git.ghostscript.com/?p=mupdf.git;h=2707fa9e8e6d17d794330e719dec1b08161fb045 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698592 CVE-2017-15368 (The wasm_dis function in libr/asm/arch/wasm/wasm.c in radare2 2.0.0 al ...) - radare2 2.1.0+dfsg-1 (bug #878767) [jessie] - radare2 (Vulnerable code introduced in 2.0.0) [wheezy] - radare2 (Vulnerable code introduced in 2.0.0) NOTE: https://github.com/radare/radare2/issues/8673 NOTE: https://github.com/radare/radare2/commit/52b1526443c1f433087928291d1c3d37a5600515 CVE-2017-15367 (Bacula-web before 8.0.0-rc2 is affected by multiple SQL Injection vuln ...) NOT-FOR-US: Bacula-Web CVE-2017-15366 (Before Thornberry NDoc version 8.0, laptop clients and the server have ...) NOT-FOR-US: Thornberry NDoc CVE-2017-15365 (sql/event_data_objects.cc in MariaDB before 10.1.30 and 10.2.x before ...) {DSA-4341-1} - mariadb-10.2 (bug #884065) - mariadb-10.1 1:10.1.34-1 (bug #885345) - mariadb-10.0 [jessie] - mariadb-10.0 (vulnerable code not present) - percona-xtrabackup [jessie] - percona-xtrabackup (vulnerable code not present) - mysql-5.7 - mysql-5.5 (Vulnerable code not present) NOTE: MariaDB: Fixed in 10.2.10, 10.1.30 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1524234 NOTE: https://www.percona.com/doc/percona-xtradb-cluster/LATEST/release-notes/Percona-XtraDB-Cluster-5.7.19-29.22-3.html NOTE: Likely (unconfirmed) fix: https://github.com/MariaDB/server/commit/0b5a5258abbeaf8a0c3a18c7e753699787fdf46e?diff=unified NOTE: Possibly only introduced with https://github.com/MariaDB/server/commit/df4dd593f29aec8e2116aec1775ad4b8833d8c93 (mariadb-10.1.1) NOTE: starting to be present in mariadb-10.1.1. CVE-2017-15364 (The foreach function in ext/ccsv.c in Ccsv 1.1.0 allows remote attacke ...) NOT-FOR-US: ccsv CVE-2017-15363 (Directory traversal vulnerability in public/examples/resources/getsour ...) NOT-FOR-US: Luracast Restler CVE-2017-15362 (osTicket 1.10.1 allows arbitrary client-side JavaScript code execution ...) NOT-FOR-US: osTicket CVE-2017-15361 (The Infineon RSA library 1.02.013 in Infineon Trusted Platform Module ...) NOT-FOR-US: Infineon RSA library CVE-2017-15360 (PRTG Network Monitor version 17.3.33.2830 is vulnerable to stored Cros ...) NOT-FOR-US: PRTG Network Monitor CVE-2017-15359 (In the 3CX Phone System 15.5.3554.1, the Management Console typically ...) NOT-FOR-US: 3CX Phone System CVE-2017-15358 (Race condition in the Charles Proxy Settings suid binary in Charles Pr ...) NOT-FOR-US: Charles Proxy CVE-2017-15357 (The setpermissions function in the auto-updater in Arq before 5.9.7 fo ...) NOT-FOR-US: Arq CVE-2017-15356 (Huawei DP300, V500R002C00, RP200, V600R006C00, TE30, V100R001C10, V500 ...) NOT-FOR-US: Huawei CVE-2017-15355 (Huawei DP300, V500R002C00, RP200, V600R006C00, TE30, V100R001C10, V500 ...) NOT-FOR-US: Huawei CVE-2017-15354 (Huawei DP300, V500R002C00, RP200, V600R006C00, TE30, V100R001C10, V500 ...) NOT-FOR-US: Huawei CVE-2017-15353 (Huawei DP300, V500R002C00, RP200, V500R002C00, V600R006C00, RSE6500, V ...) NOT-FOR-US: Huawei CVE-2017-15352 (Huawei OceanStor 2800 V3, V300R003C00, V300R003C20, OceanStor 5300 V3, ...) NOT-FOR-US: Huawei CVE-2017-15351 (The 'Find Phone' function in Huawei Honor V9 play smart phones with ve ...) NOT-FOR-US: Huawei CVE-2017-15350 (The Common Open Policy Service Protocol (COPS) module in Huawei DP300 ...) NOT-FOR-US: Huawei CVE-2017-15349 (Huawei CloudEngine 12800 V100R003C00, V100R005C00, V100R005C10, V100R0 ...) NOT-FOR-US: Huawei CVE-2017-15348 (Huawei IPS Module V500R001C00, NGFW Module V500R001C00, NIP6300 V500R0 ...) NOT-FOR-US: Huawei CVE-2017-15347 (Huawei Mate 9 Pro mobile phones with software of versions earlier than ...) NOT-FOR-US: Huawei CVE-2017-15346 (XML parser in Huawei S12700 V200R005C00,S1700 V200R009C00, V200R010C00 ...) NOT-FOR-US: Huawei CVE-2017-15345 (Huawei Smartphones with software LON-L29DC721B186 have a denial of ser ...) NOT-FOR-US: Huawei CVE-2017-15344 (Huawei AR3200 with software V200R006C10, V200R006C11, V200R007C00, V20 ...) NOT-FOR-US: Huawei CVE-2017-15343 (Huawei AR3200 with software V200R006C10, V200R006C11, V200R007C00, V20 ...) NOT-FOR-US: Huawei CVE-2017-15342 (Huawei DP300 V500R002C00, TE60 V600R006C00, TP3106 V100R002C00, eSpace ...) NOT-FOR-US: Huawei CVE-2017-15341 (Huawei AR3200 V200R008C20, V200R008C30, TE40 V600R006C00, TE50 V600R00 ...) NOT-FOR-US: Huawei CVE-2017-15340 (Huawei smartphones with software of TAG-AL00C92B168 have an informatio ...) NOT-FOR-US: Huawei CVE-2017-15339 (The SIP module in Huawei DP300 V500R002C00, IPS Module V100R001C10, V1 ...) NOT-FOR-US: Huawei CVE-2017-15338 (The SIP module in Huawei DP300 V500R002C00, IPS Module V100R001C10, V1 ...) NOT-FOR-US: Huawei CVE-2017-15337 (The SIP module in Huawei DP300 V500R002C00, IPS Module V100R001C10, V1 ...) NOT-FOR-US: Huawei CVE-2017-15336 (The SIP backup feature in Huawei DP300 V500R002C00, IPS Module V100R00 ...) NOT-FOR-US: Huawei CVE-2017-15335 (The SIP backup feature in Huawei DP300 V500R002C00, IPS Module V100R00 ...) NOT-FOR-US: Huawei CVE-2017-15334 (The SIP backup feature in Huawei DP300 V500R002C00, IPS Module V100R00 ...) NOT-FOR-US: Huawei CVE-2017-15333 (XML parser in Huawei S12700 V200R005C00,S1700 V200R009C00, V200R010C00 ...) NOT-FOR-US: Huawei CVE-2017-15332 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-15331 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-15330 (The Flp Driver in some Huawei smartphones of the software Vicky-AL00AC ...) NOT-FOR-US: Huawei CVE-2017-15329 (Huawei UMA V200R001C00 has a SQL injection vulnerability in the operat ...) NOT-FOR-US: Huawei CVE-2017-15328 (Huawei HG8245H version earlier than V300R018C00SPC110 has an authentic ...) NOT-FOR-US: Huawei CVE-2017-15327 (S12700 V200R005C00, V200R006C00, V200R006C01, V200R007C00, V200R007C01 ...) NOT-FOR-US: Huawei CVE-2017-15326 (DBS3900 TDD LTE V100R003C00, V100R004C10 have a weak encryption algori ...) NOT-FOR-US: Huawei CVE-2017-15325 (The Bdat driver of Prague smart phones with software versions earlier ...) NOT-FOR-US: Bdat driver of Prague smart phones CVE-2017-15324 (Huawei S5700 and S6700 with software of V200R005C00 have a DoS vulnera ...) NOT-FOR-US: Huawei CVE-2017-15323 (Huawei DP300 V500R002C00, NIP6600 V500R001C00, V500R001C20, V500R001C3 ...) NOT-FOR-US: Huawei CVE-2017-15322 (Some Huawei smartphones with software of BGO-L03C158B003CUSTC158D001 a ...) NOT-FOR-US: Huawei CVE-2017-15321 (Huawei FusionSphere OpenStack V100R006C000SPC102 (NFV) has an informat ...) NOT-FOR-US: Huawei CVE-2017-15320 (RP200 V500R002C00, V600R006C00; TE30 V100R001C10, V500R002C00, V600R00 ...) NOT-FOR-US: Huawei CVE-2017-15319 (RP200 V500R002C00, V600R006C00; TE30 V100R001C10, V500R002C00, V600R00 ...) NOT-FOR-US: Huawei CVE-2017-15318 (RP200 V500R002C00, V600R006C00; TE30 V100R001C10, V500R002C00, V600R00 ...) NOT-FOR-US: Huawei CVE-2017-15317 (AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30; AR1200 V20 ...) NOT-FOR-US: Huawei CVE-2017-15316 (The GPU driver of Mate 9 Huawei smart phones with software before MHA- ...) NOT-FOR-US: Huawei CVE-2017-15315 (Patch module of Huawei NIP6300 V500R001C20SPC100, V500R001C20SPC200, N ...) NOT-FOR-US: Huawei CVE-2017-15314 (Huawei DP300 V500R002C00, RP200 V500R002C00SPC200, V600R006C00, TE30 V ...) NOT-FOR-US: Huawei CVE-2017-15313 (Huawei SmartCare V200R003C10 has a CSV injection vulnerability. An rem ...) NOT-FOR-US: Huawei CVE-2017-15312 (Huawei SmartCare V200R003C10 has a stored XSS (cross-site scripting) v ...) NOT-FOR-US: Huawei CVE-2017-15311 (The baseband modules of Mate 10, Mate 10 Pro, Mate 9, Mate 9 Pro Huawe ...) NOT-FOR-US: Huawei CVE-2017-15310 (Huawei iReader app before 8.0.2.301 has an arbitrary file deletion vul ...) NOT-FOR-US: Huawei CVE-2017-15309 (Huawei iReader app before 8.0.2.301 has a path traversal vulnerability ...) NOT-FOR-US: Huawei CVE-2017-15308 (Huawei iReader app before 8.0.2.301 has an input validation vulnerabil ...) NOT-FOR-US: Huawei CVE-2017-15307 (Huawei Honor 8 smartphone with software versions earlier than FRD-L04C ...) NOT-FOR-US: Huawei CVE-2017-15306 (The kvm_vm_ioctl_check_extension function in arch/powerpc/kvm/powerpc. ...) - linux 4.13.13-1 [stretch] - linux 4.9.65-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/ac64115a66c18c01745bbd3c47a36b124e5fd8c0 (4.14-rc7) CVE-2017-15305 (XSS exists in NexusPHP 1.5 via the keyword parameter to messages.php. ...) NOT-FOR-US: NexusPHP CVE-2017-15304 (/bin/login.php in the Web Panel on the Airtame HDMI dongle with firmwa ...) NOT-FOR-US: Airtame HDMI dongle CVE-2017-15303 (In CPUID CPU-Z before 1.43, there is an arbitrary memory write that re ...) NOT-FOR-US: CPUID CPU-Z CVE-2017-15302 (In CPUID CPU-Z through 1.81, there are improper access rights to a ker ...) NOT-FOR-US: CPUID CPU-Z CVE-2017-15301 RESERVED CVE-2017-15300 (The miner statistics HTTP API in EWBF Cuda Zcash Miner Version 0.3.4b ...) NOT-FOR-US: EWBF Cuda Zcash Miner CVE-2017-15299 (The KEYS subsystem in the Linux kernel through 4.13.7 mishandles use o ...) {DLA-1200-1} - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 NOTE: Fixed by: https://git.kernel.org/linus/60ff5b2f547af3828aebafd54daded44cfb0807a (4.14-rc6) CVE-2017-15298 (Git through 2.14.2 mishandles layers of tree objects, which allows rem ...) - git 1:2.16.1-1 (unimportant) NOTE: https://kate.io/blog/git-bomb/ NOTE: https://github.com/Katee/git-bomb NOTE: https://git.kernel.org/pub/scm/git/git.git/commit/?id=a937b37e766479c8e780b17cce9c4b252fd97e40 NOTE: No practical security implications CVE-2017-15297 (SAP Hostcontrol does not require authentication for the SOAP SAPContro ...) NOT-FOR-US: SAP CVE-2017-15296 (The Java component in SAP CRM has CSRF. This is SAP Security Note 2478 ...) NOT-FOR-US: SAP CVE-2017-15295 (Xpress Server in SAP POS does not require authentication for read/writ ...) NOT-FOR-US: SAP CVE-2017-15294 (The Java administration console in SAP CRM has XSS. This is SAP Securi ...) NOT-FOR-US: SAP CVE-2017-15293 (Xpress Server in SAP POS does not require authentication for file read ...) NOT-FOR-US: SAP CVE-2017-15292 RESERVED CVE-2017-15291 (Cross-site scripting (XSS) vulnerability in the Wireless MAC Filtering ...) NOT-FOR-US: TP-LINK TL-MR3220 wireless routers CVE-2017-15290 (Mirasys Video Management System (VMS) 6.x before 6.4.6, 7.x before 7.5 ...) NOT-FOR-US: Mirasys Video Management System CVE-2017-15594 (An issue was discovered in Xen through 4.9.x allowing x86 SVM PV guest ...) {DSA-4050-1 DLA-1559-1} - xen 4.8.2+xsa245-0+deb9u1 [wheezy] - xen (minor issue) NOTE: https://xenbits.xen.org/xsa/advisory-244.html CVE-2017-15592 (An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS ...) {DSA-4050-1 DLA-1559-1 DLA-1181-1} - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-243.html CVE-2017-15593 (An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS ...) {DSA-4050-1 DLA-1559-1 DLA-1181-1} - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-242.html CVE-2017-15588 (An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS ...) {DSA-4050-1 DLA-1549-1 DLA-1181-1} - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-241.html CVE-2017-15595 (An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS ...) {DSA-4050-1 DLA-1559-1 DLA-1181-1} - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-240.html CVE-2017-15589 (An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS ...) {DSA-4050-1 DLA-1549-1 DLA-1181-1} - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-239.html CVE-2017-15591 (An issue was discovered in Xen 4.5.x through 4.9.x allowing attackers ...) {DSA-4050-1} - xen 4.8.2+xsa245-0+deb9u1 [jessie] - xen (Only affects 4.5 and later) [wheezy] - xen (Only affects 4.5 and later) NOTE: https://xenbits.xen.org/xsa/advisory-238.html CVE-2017-15590 (An issue was discovered in Xen through 4.9.x allowing x86 guest OS use ...) {DSA-4050-1 DLA-1549-1} - xen 4.8.2+xsa245-0+deb9u1 [wheezy] - xen (Patches too intrusive to backport) NOTE: https://xenbits.xen.org/xsa/advisory-237.html CVE-2017-15289 (The mode4and5 write functions in hw/display/cirrus_vga.c in Qemu allow ...) {DSA-4213-1 DLA-1497-1} - qemu 1:2.11+dfsg-1 (bug #880832) [wheezy] - qemu (Can be fixed along in a future update) - qemu-kvm [wheezy] - qemu-kvm (Can be fixed along in a future update) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-10/msg02557.html NOTE: Fixed by: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=eb38e1bc3740725ca29a535351de94107ec58d51 CVE-2017-15288 (The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, ...) - scala 2.11.12-1 (unimportant) NOTE: http://scala-lang.org/news/security-update-nov17.html NOTE: For 2.11.x: https://github.com/scala/scala/pull/6108 NOTE: For 2.12.x: https://github.com/scala/scala/pull/6120 NOTE: For 2.10.x: https://github.com/scala/scala/pull/6128 NOTE: Neutralised by kernel hardening CVE-2017-15287 (There is XSS in the BouquetEditor WebPlugin for Dream Multimedia Dream ...) NOT-FOR-US: BouquetEditor WebPlugin CVE-2017-15286 (SQLite 3.20.1 has a NULL pointer dereference in tableColumnList in she ...) - sqlite3 3.20.1-2 (low; bug #878680) [stretch] - sqlite3 (Vulnerable code introduced later) [jessie] - sqlite3 (Vulnerable code introduced later) [wheezy] - sqlite3 (Vulnerable code not present) NOTE: https://github.com/Ha0Team/crash-of-sqlite3/blob/master/poc.md NOTE: https://www.sqlite.org/src/info/5d0ceb8dcdef92cd CVE-2017-15285 (X-Cart 5.2.23, 5.3.1.9, 5.3.2.13, and 5.3.3 is vulnerable to Remote Co ...) NOT-FOR-US: X-Cart CVE-2017-15284 (Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), all ...) NOT-FOR-US: OctoberCMS CVE-2017-15283 RESERVED CVE-2017-15282 RESERVED CVE-2017-15281 (ReadPSDImage in coders/psd.c in ImageMagick 7.0.7-6 allows remote atta ...) {DLA-1785-1 DLA-1139-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #878579) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/832 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/e9d1c2adae866861a291535997b2263f26becb1e NOTE: https://github.com/ImageMagick/ImageMagick/commit/32cbfceeee57962321b2ead627129c9d9ffbfcdb CVE-2017-15280 (XML external entity (XXE) vulnerability in Umbraco CMS before 7.7.3 al ...) NOT-FOR-US: Umbraco CMS CVE-2017-15279 (Cross-site scripting (XSS) vulnerability in Umbraco CMS before 7.7.3 a ...) NOT-FOR-US: Umbraco CMS CVE-2017-15278 (Cross-Site Scripting (XSS) was discovered in TeamPass before 2.1.27.9. ...) - teampass (bug #730180) CVE-2017-15277 (ReadGIFImage in coders/gif.c in ImageMagick 7.0.6-1 and GraphicsMagick ...) {DSA-4321-1 DSA-4040-1 DSA-4032-1 DLA-1456-1 DLA-1140-1 DLA-1139-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #878578) - graphicsmagick 1.3.26-14 NOTE: IM6: https://github.com/ImageMagick/ImageMagick/commit/10aae21bf9dac47e16d8fcde7eba7f7f9d1e52f8 NOTE: https://github.com/ImageMagick/ImageMagick/issues/592 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/923c4a525c99 NOTE: https://github.com/neex/gifoeb CVE-2017-15276 (OpenText Documentum Content Server (formerly EMC Documentum Content Se ...) NOT-FOR-US: OpenText Documentum Content Server CVE-2017-15275 (Samba before 4.7.3 might allow remote attackers to obtain sensitive in ...) {DSA-4043-1 DLA-1183-1} - samba 2:4.7.1+dfsg-2 NOTE: https://www.samba.org/samba/security/CVE-2017-15275.html CVE-2017-15274 (security/keys/keyctl.c in the Linux kernel before 4.11.5 does not cons ...) - linux 4.11.6-1 [stretch] - linux 4.9.47-1 [jessie] - linux 3.16.48-1 [wheezy] - linux 3.2.93-1 NOTE: Fixed by: https://git.kernel.org/linus/5649645d725c73df4302428ee4e02c869248b4c5 (4.12-rc5) CVE-2017-15273 (Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before 16.10 ...) - mahara NOTE: https://mahara.org/interaction/forum/topic.php?id=8081 CVE-2017-15272 (The PSFTPd 10.0.4 Build 729 server stores its configuration inside PSF ...) NOT-FOR-US: PSFTPd CVE-2017-15271 (A use-after-free issue could be triggered remotely in the SFTP compone ...) NOT-FOR-US: PSFTPd CVE-2017-15270 (The PSFTPd 10.0.4 Build 729 server does not properly escape data befor ...) NOT-FOR-US: PSFTPd CVE-2017-15269 (The PSFTPd 10.0.4 Build 729 server does not prevent FTP bounce scans b ...) NOT-FOR-US: PSFTPd CVE-2017-15268 (Qemu through 2.10.0 allows remote attackers to cause a memory leak by ...) {DSA-4213-1} - qemu 1:2.11+dfsg-1 (bug #880836) [jessie] - qemu (I/O channels driver websockets introduced later) [wheezy] - qemu (I/O channels driver websockets introduced later) - qemu-kvm (I/O channels driver websockets introduced later) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-10/msg02278.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1496879 NOTE: https://bugs.launchpad.net/bugs/1718964 NOTE: Fixed by: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=a7b20a8efa28e5f22c26c06cd06c2f12bc863493 CVE-2017-15267 (In GNU Libextractor 1.4, there is a NULL Pointer Dereference in flac_m ...) {DLA-1198-1} - libextractor 1:1.6-1 (bug #878314) [stretch] - libextractor 1:1.3-4+deb9u1 [jessie] - libextractor 1:1.3-2+deb8u1 NOTE: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00003.html NOTE: http://openwall.com/lists/oss-security/2017/10/11/1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1499600 NOTE: Fixed by: https://git.gnunet.org/libextractor.git/commit/?id=6095d7132b57fc7368fc7a40bab2a71b735724d2 CVE-2017-15266 (In GNU Libextractor 1.4, there is a Divide-By-Zero in EXTRACTOR_wav_ex ...) {DLA-1198-1} - libextractor 1:1.6-1 (bug #878314) [stretch] - libextractor 1:1.3-4+deb9u1 [jessie] - libextractor 1:1.3-2+deb8u1 NOTE: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00002.html NOTE: http://openwall.com/lists/oss-security/2017/10/11/1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1499599 NOTE: Fixed by: https://git.gnunet.org/libextractor.git/commit/?id=b577d5452c5c4ee9d552da62a24b95f461551fe2 CVE-2017-15265 (Race condition in the ALSA subsystem in the Linux kernel before 4.13.8 ...) {DLA-1200-1} - linux 4.13.4-2 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1062520 NOTE: http://mailman.alsa-project.org/pipermail/alsa-devel/2017-October/126292.html CVE-2017-15264 (IrfanView version 4.44 (32bit) allows attackers to cause a denial of s ...) NOT-FOR-US: IrfanView CVE-2017-15263 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15262 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15261 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15260 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15259 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15258 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15257 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15256 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15255 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15254 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15253 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15252 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15251 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15250 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15249 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15248 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15247 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15246 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15245 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15244 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15243 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15242 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15241 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15240 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15239 (IrfanView 4.44 - 32bit with PDF plugin version 4.43 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-15238 (ReadOneJNGImage in coders/png.c in GraphicsMagick 1.3.26 has a use-aft ...) {DSA-4321-1} - graphicsmagick 1.3.26-14 [jessie] - graphicsmagick (Vulnerable code not present) [wheezy] - graphicsmagick (Vulnerable code do not exist) NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=93bdb9b30076 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=df946910910d NOTE: https://sourceforge.net/p/graphicsmagick/bugs/469/ CVE-2017-15237 RESERVED CVE-2017-15236 (Tiandy IP cameras 5.56.17.120 do not properly restrict a certain propr ...) NOT-FOR-US: Tiandy IP cameras CVE-2017-15235 (The File Manager (gollem) module 3.0.11 in Horde Groupware 5.2.21 allo ...) - php-horde-gollem 3.0.12-1 [stretch] - php-horde-gollem (Minor issue) [jessie] - php-horde-gollem (Minor issue) NOTE: https://blogs.securiteam.com/index.php/archives/3454 NOTE: https://lists.horde.org/archives/announce/2017/001260.html NOTE: https://github.com/horde/gollem/commit/416249efa0fb9e98b596783565258806542a2c51 CVE-2017-15234 RESERVED CVE-2017-15233 RESERVED CVE-2017-15232 (libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in jdpostct.c and j ...) [experimental] - libjpeg-turbo 1:2.0.2-1~exp1 - libjpeg-turbo (unimportant; bug #878567) - libjpeg6b (Vulnerable code not present) - libjpeg8 (Vulnerable code not present) - libjpeg9 (Vulnerable code not present) NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/pull/182 NOTE: https://github.com/mozilla/mozjpeg/issues/268 NOTE: IJG libjpeg releases not affected, see https://lists.debian.org/debian-lts/2017/10/msg00061.html NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/073b0e88a192adebbb479ee2456beb089d8b5de7 NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/5bc43c7821df982f65aa1c738f67fbf7cba8bd69 NOTE: Crash in CLI tools, no security impact CVE-2017-15231 RESERVED CVE-2017-15230 RESERVED CVE-2017-15229 RESERVED CVE-2017-15228 (Irssi before 1.0.5, when installing themes with unterminated colour fo ...) {DSA-4016-1 DLA-1217-1} - irssi 1.0.5-1 (bug #879521) NOTE: https://irssi.org/security/irssi_sa_2017_10.txt NOTE: https://github.com/irssi/irssi/commit/43e44d553d44e313003cee87e6ea5e24d68b84a1 CVE-2017-15227 (Irssi before 1.0.5, while waiting for the channel synchronisation, may ...) {DSA-4016-1 DLA-1217-1} - irssi 1.0.5-1 (bug #879521) NOTE: https://irssi.org/security/irssi_sa_2017_10.txt NOTE: https://github.com/irssi/irssi/commit/43e44d553d44e313003cee87e6ea5e24d68b84a1 CVE-2017-15226 (Zyxel NBG6716 V1.00(AAKG.9)C0 devices allow command injection in the o ...) NOT-FOR-US: Zyxel CVE-2017-15225 (_bfd_dwarf2_cleanup_debug_info in dwarf2.c in the Binary File Descript ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22212 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b55ec8b676ed05d93ee49d6c79ae0403616c4fb0 CVE-2017-15224 RESERVED CVE-2017-15223 (Denial-of-service vulnerability in ArGoSoft Mini Mail Server 1.0.0.2 a ...) NOT-FOR-US: ArGoSoft Mini Mail Server CVE-2017-15222 (Buffer Overflow vulnerability in Ayukov NFTPD 2.0 and earlier allows r ...) NOT-FOR-US: Ayukov NFTPD CVE-2017-15221 (ASX to MP3 converter 3.1.3.7.2010.11.05 has a buffer overflow via a cr ...) NOT-FOR-US: ASX to MP3 converter CVE-2017-15220 (Flexense VX Search Enterprise 10.1.12 is vulnerable to a buffer overfl ...) NOT-FOR-US: Flexense VX Search Enterprise CVE-2017-15219 (The dotCMS 4.1.1 application is vulnerable to Stored Cross-Site Script ...) NOT-FOR-US: dotCMS CVE-2017-15218 (ImageMagick 7.0.7-2 has a memory leak in ReadOneJNGImage in coders/png ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/760 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/698c09d05a749664288281012f319cd51da664ee NOTE: https://github.com/ImageMagick/ImageMagick/commit/6387479aa974709d5c329c8efbde38175f386844 CVE-2017-15217 (ImageMagick 7.0.7-2 has a memory leak in ReadSGIImage in coders/sgi.c. ...) [experimental] - imagemagick 8:6.9.9.34+dfsg-1 - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/759 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/9bad9cd6752bf8dc5825f555fd1117855bd2fc47 NOTE: https://github.com/ImageMagick/ImageMagick/commit/8fa3c10977f668c92688272a4802f4477df61076 CVE-2016-10514 (url_check_format in include/functions.inc.php in Piwigo before 2.8.3 a ...) - piwigo CVE-2016-10513 (Cross Site Scripting (XSS) exists in Piwigo before 2.8.3 via a crafted ...) - piwigo CVE-2017-15216 (MISP before 2.4.81 has a potential reflected XSS in a quickDelete acti ...) NOT-FOR-US: MISP CVE-2017-15215 (Reflected XSS vulnerability in Shaarli v0.9.1 allows an unauthenticate ...) - shaarli (bug #864559) CVE-2017-15214 (Stored XSS vulnerability in Flyspray 1.0-rc4 before 1.0-rc6 allows an ...) NOT-FOR-US: Flyspray CVE-2017-15213 (Stored XSS vulnerability in Flyspray before 1.0-rc6 allows an authenti ...) NOT-FOR-US: Flyspray CVE-2017-15212 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15211 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15210 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15209 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15208 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15207 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15206 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15205 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15204 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15203 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15202 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15201 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15200 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15199 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15198 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15197 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15196 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15195 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15193 (In Wireshark 2.4.0 to 2.4.1 and 2.2.0 to 2.2.9, the MBIM dissector cou ...) - wireshark 2.4.2-1 (low) [jessie] - wireshark (Vulnerable code not present) [wheezy] - wireshark (Vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14056 NOTE: https://code.wireshark.org/review/23537 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=afb9ff7982971aba6e42472de0db4c1bedfc641b NOTE: https://www.wireshark.org/security/wnpa-sec-2017-43.html CVE-2017-15192 (In Wireshark 2.4.0 to 2.4.1 and 2.2.0 to 2.2.9, the BT ATT dissector c ...) - wireshark 2.4.2-1 (low) [jessie] - wireshark (Vulnerable code introduced in version 1.99) [wheezy] - wireshark (Vulnerable code introduced in version 1.99) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14049 NOTE: https://code.wireshark.org/review/23470 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=3689dc1db36037436b1616715f9a3f888fc9a0f6 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-42.html CVE-2017-15191 (In Wireshark 2.4.0 to 2.4.1, 2.2.0 to 2.2.9, and 2.0.0 to 2.0.15, the ...) {DLA-1634-1} - wireshark 2.4.2-1 (low) [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14068 NOTE: https://code.wireshark.org/review/23591 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=8dbb21dfde14221dab09b6b9c7719b9067c1f06e NOTE: https://www.wireshark.org/security/wnpa-sec-2017-44.html CVE-2017-15190 (In Wireshark 2.4.0 to 2.4.1, the RTSP dissector could crash. This was ...) - wireshark 2.4.2-1 (low) [stretch] - wireshark (Only affects 2.4) [jessie] - wireshark (Only affects 2.4) [wheezy] - wireshark (Only affects 2.4) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14077 NOTE: https://code.wireshark.org/review/23635 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=e27870eaa6efa1c2dac08aa41a67fe9f0839e6e0 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-45.html CVE-2017-15189 (In Wireshark 2.4.0 to 2.4.1, the DOCSIS dissector could go into an inf ...) - wireshark 2.4.2-1 (low) [jessie] - wireshark (vulnerable code not present) [wheezy] - wireshark (vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14080 NOTE: https://code.wireshark.org/review/23663 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=625bab309d9dd21db2d8ae2aa3511810d32842a8 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-46.html NOTE: vulnerable introduced in https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=3e1828e35188e1 CVE-2017-15188 (A persistent (stored) XSS vulnerability in the EyesOfNetwork web inter ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-15187 RESERVED CVE-2017-15194 (include/global_session.php in Cacti 1.1.25 has XSS related to (1) the ...) - cacti 1.1.25+ds1-1 (bug #878304) [stretch] - cacti (Vulnerable code introduced in 1.0.0) [jessie] - cacti (Vulnerable code introduced in 1.0.0) [wheezy] - cacti (Vulnerable code introduced in 1.0.0) NOTE: https://github.com/Cacti/cacti/issues/1010 NOTE: https://github.com/Cacti/cacti/commit/93f661d8adcfa6618b11522cdab30e97bada33fd NOTE: https://github.com/Cacti/cacti/commit/4f87256e63859117f81d2a2bd40c9c730e39b65d CVE-2017-15186 (Double free vulnerability in FFmpeg 3.3.4 and earlier allows remote at ...) {DSA-4049-1} - ffmpeg 7:3.4-1 - libav [jessie] - libav (vulnerable code was introduced later) NOTE: http://www.openwall.com/lists/oss-security/2017/10/20/4 NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/df62b70de8aaa285168e72fe8f6e740843ca91fa CVE-2017-15185 (plugins/ogg.c in Libmp3splt 0.9.2 calls the libvorbis vorbis_block_cle ...) - mp3splt 2.6.2+20170630-2 [jessie] - mp3splt (Vulnerable code not present) [wheezy] - mp3splt (Vulnerable code does not exist) - libmp3splt [stretch] - libmp3splt (Minor issue) [jessie] - libmp3splt (Minor issue) [wheezy] - libmp3splt (Minor issue) NOTE: https://anonscm.debian.org/cgit/users/ron/mp3splt.git/commit/?id=18f018cd774cb931116ce06a520dc0c5f9443932 CVE-2017-15184 RESERVED CVE-2017-15183 RESERVED CVE-2017-15182 RESERVED CVE-2017-15181 RESERVED CVE-2017-15180 RESERVED CVE-2017-15179 RESERVED CVE-2017-15178 RESERVED CVE-2017-15177 RESERVED CVE-2017-15176 RESERVED CVE-2017-15175 RESERVED CVE-2017-15174 RESERVED CVE-2017-15173 RESERVED CVE-2017-15172 RESERVED CVE-2017-15171 RESERVED CVE-2017-15170 RESERVED CVE-2017-15169 RESERVED CVE-2017-15168 RESERVED CVE-2017-15167 RESERVED CVE-2017-15166 RESERVED CVE-2017-15165 RESERVED CVE-2017-15164 RESERVED CVE-2017-15163 RESERVED CVE-2017-15162 RESERVED CVE-2017-15161 RESERVED CVE-2017-15160 RESERVED CVE-2017-15159 RESERVED CVE-2017-15158 RESERVED CVE-2017-15157 RESERVED CVE-2017-15156 RESERVED CVE-2017-15155 RESERVED CVE-2017-15154 RESERVED CVE-2017-15153 RESERVED CVE-2017-15152 RESERVED CVE-2017-15151 RESERVED CVE-2017-15150 RESERVED CVE-2017-15149 RESERVED CVE-2017-15148 RESERVED CVE-2017-15147 RESERVED CVE-2017-15146 RESERVED CVE-2017-15145 RESERVED CVE-2017-15144 RESERVED CVE-2017-15143 RESERVED CVE-2017-15142 RESERVED CVE-2017-15141 RESERVED CVE-2017-15140 RESERVED CVE-2017-15139 (A vulnerability was found in openstack-cinder releases up to and inclu ...) [experimental] - cinder 2:13.0.0-1 - cinder 2:13.0.0-2 [stretch] - cinder (Minor issue) [jessie] - cinder (ScaleIO Driver support does not exist) NOTE: https://wiki.openstack.org/wiki/OSSN/OSSN-0084 NOTE: https://bugs.launchpad.net/ossn/+bug/1699573 CVE-2017-15138 (The OpenShift Enterprise cluster-read can access webhook tokens which ...) NOT-FOR-US: atomic-openshift CVE-2017-15137 (The OpenShift image import whitelist failed to enforce restrictions co ...) NOT-FOR-US: atomic-openshift CVE-2017-15136 (When registering and activating a new system with Red Hat Satellite 6 ...) NOT-FOR-US: Red Hat Satellite 6 CVE-2017-15135 (It was found that 389-ds-base since 1.3.6.1 up to and including 1.4.0. ...) - 389-ds-base 1.3.7.9-1 (bug #888451) [stretch] - 389-ds-base (Affected code was never backported) [jessie] - 389-ds-base (vulnerable code (patch for CVE-2016-5405) not applied) CVE-2017-15134 (A stack buffer overflow flaw was found in the way 389-ds-base 1.3.6.x ...) {DLA-1428-1} - 389-ds-base 1.3.7.9-1 (bug #888452) [stretch] - 389-ds-base (Minor issue) NOTE: Fixed by: https://pagure.io/389-ds-base/c/6aa2acdc3cad9 CVE-2017-15133 (A denial of service flaw was found in miekg-dns before 1.0.4. A remote ...) - golang-github-miekg-dns 0.0~git20170501.0.f282f80-3 (bug #888777) [stretch] - golang-github-miekg-dns (Minor issue) NOTE: https://github.com/miekg/dns/issues/627 NOTE: https://github.com/miekg/dns/pull/631 CVE-2017-15132 (A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SA ...) {DSA-4130-1 DLA-1333-1} - dovecot 1:2.2.34-1 (bug #888432) NOTE: Fixed by: https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch NOTE: Regression fix needed on top: https://github.com/dovecot/core/commit/a9b135760aea6d1790d447d351c56b78889dac22 CVE-2017-15131 (It was found that system umask policy is not being honored when creati ...) - xdg-user-dirs (unimportant) NOTE: The CVE relates that created directories by xdg-user-dirs might not NOTE: respect a system policy for user created files by setting a umask NOTE: system-wide in e.g. /etc/profile due to xdg-user-dirs beeing invoked NOTE: from Xsession scripts. This can be mitigated by e.g. using pam_umask NOTE: on session start and having it when xdg-user-dirs is executed. NOTE: In Debian xdg-user-dirs starting from 0.15-3 replaces the use of NOTE: /etc/X11/Xsession.d/*xdg-user-dirs-update with an autostart .desktop NOTE: file for user-dirs-update primarly to work as well with Wayland NOTE: sessions. NOTE: Enforcements can be achieved e.g. by using pam_umask. NOTE: http://bugs.freedesktop.org/show_bug.cgi?id=102303 CVE-2017-15130 (A denial of service flaw was found in dovecot before 2.2.34. An attack ...) {DSA-4130-1 DLA-1333-1} - dovecot 1:2.2.34-1 (bug #891820) NOTE: https://www.dovecot.org/list/dovecot-news/2018-February/000370.html NOTE: https://github.com/dovecot/core/commit/22311315b9f780211329c1522eb5aaa4faaa9391 NOTE: https://github.com/dovecot/core/commit/f3504763c27c2661716c0d1dbd3e0fc662107a21 NOTE: https://github.com/dovecot/core/commit/02da33a59fddd51cc3b8d95989de95574b7332f1 NOTE: https://github.com/dovecot/core/commit/390592e6af07e02064ebdbb1bbcf06528887370f NOTE: https://github.com/dovecot/core/commit/bc27538d084e01a7a1aca3330e27aebfc0e311eb NOTE: https://github.com/dovecot/core/commit/00016646cc32a3fa1cf54c22ed7388ed06bbc0f1 CVE-2017-15129 (A use-after-free vulnerability was found in network namespaces code af ...) - linux 4.14.12-1 [stretch] - linux 4.9.80-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/21b5944350052d2583e82dd59b19a9ba94a007f0 CVE-2017-15128 (A flaw was found in the hugetlb_mcopy_atomic_pte function in mm/hugetl ...) - linux 4.13.13-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: http://post-office.corp.redhat.com/archives/rhkernel-list/2017-October/msg09574.html CVE-2017-15127 (A flaw was found in the hugetlb_mcopy_atomic_pte function in mm/hugetl ...) - linux 3.13.4-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/5af10dfd0afc559bb4b0f7e3e8227a1578333995 CVE-2017-15126 (A use-after-free flaw was found in fs/userfaultfd.c in the Linux kerne ...) - linux 4.13.10-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/384632e67e0829deb8015ee6ad916b180049d252 CVE-2017-15125 (A flaw was found in CloudForms before 5.9.0.22 in the self-service UI ...) NOT-FOR-US: Red Hat CloudForms CVE-2017-15124 (VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older wa ...) {DSA-4213-1} - qemu 1:2.12~rc3+dfsg-1 (bug #884806) [jessie] - qemu (invasive patch, also builds on 2.5 socket refactoring, tentative backport crashes, no other distro fix for 2.1) [wheezy] - qemu (Can be fixed along in later update) - qemu-kvm [wheezy] - qemu-kvm (Can be fixed along in later update) NOTE: http://www.openwall.com/lists/oss-security/2017/12/19/4 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-12/msg03705.html NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-02/msg00796.html CVE-2017-15123 (A flaw was found in the CloudForms web interface, versions 5.8 - 5.10, ...) NOT-FOR-US: CloudForms CVE-2017-15122 RESERVED CVE-2017-15121 (A non-privileged user is able to mount a fuse filesystem on RHEL 6 or ...) - linux 3.11.5-1 [wheezy] - linux (Too much work to backport) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1520893 NOTE: Fixed by: https://git.kernel.org/linus/5a7203947a1d9b6f3a00a39fda08c2466489555f (v3.11-rc1) CVE-2017-15120 (An issue has been found in the parsing of authoritative answers in Pow ...) {DSA-4063-1} - pdns-recursor 4.1.0-1 [jessie] - pdns-recursor (Vulnerable code introduced in 4.0.0) [wheezy] - pdns-recursor (Vulnerable code introduced in 4.0.0) NOTE: Patch: https://downloads.powerdns.com/patches/2017-08 NOTE: https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-08.html CVE-2017-15119 (The Network Block Device (NBD) server in Quick Emulator (QEMU) before ...) {DSA-4213-1} - qemu 1:2.11+dfsg-1 (bug #883399) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code introduced later) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg05044.html CVE-2017-15118 (A stack-based buffer overflow vulnerability was found in NBD server im ...) - qemu 1:2.11+dfsg-1 (bug #883406) [stretch] - qemu (Vulnerable code introduced in 2.10) [jessie] - qemu (Vulnerable code introduced in 2.10) [wheezy] - qemu (Vulnerable code introduced in 2.10) - qemu-kvm (Vulnerable code introduced in 2.10) NOTE: Introduced by: https://git.qemu.org/?p=qemu.git;a=commit;h=f37708f6b8 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg05045.html CVE-2017-15117 REJECTED CVE-2017-15116 (The rngapi_reset function in crypto/rng.c in the Linux kernel before 4 ...) - linux 4.2.1-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) CVE-2017-15115 (The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel ...) {DLA-1200-1} - linux 4.13.13-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 NOTE: https://git.kernel.org/linus/df80cd9b28b9ebaa284a41df611dbf3a2d05ca74 (v4.14-rc6) CVE-2017-15114 (When libvirtd is configured by OSP director (tripleo-heat-templates) t ...) - tripleo-heat-templates (Vulnerability introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1510015 NOTE: Bug: https://bugs.launchpad.net/tripleo/+bug/1730370 NOTE: TLS libvirt live migration disabled in: https://review.openstack.org/#/c/519015/ NOTE: TLS libvirt live migration introduced in: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=fa740c5e49994ffdd3a5aa1f43a0305c8e5a0b3a NOTE: Re-enabled libvirt TLS with SASL auth: NOTE: https://bugs.launchpad.net/tripleo/+bug/1732479 CVE-2017-15113 (ovirt-engine before version 4.1.7.6 with log level set to DEBUG includ ...) NOT-FOR-US: ovirt-engine CVE-2017-15112 (keycloak-httpd-client-install versions before 0.8 allow users to insec ...) NOT-FOR-US: Keycloak CVE-2017-15111 (keycloak-httpd-client-install versions before 0.8 insecurely creates t ...) NOT-FOR-US: Keycloak CVE-2017-15110 (In Moodle 3.x, students can find out email addresses of other students ...) - moodle CVE-2017-15109 RESERVED CVE-2017-15108 (spice-vdagent up to and including 0.17.0 does not properly escape save ...) - spice-vdagent 0.18.0-1 (bug #883238) [stretch] - spice-vdagent (Minor issue) [jessie] - spice-vdagent (Minor issue) [wheezy] - spice-vdagent (Vulnerable code not present) NOTE: Fixed by: https://cgit.freedesktop.org/spice/linux/vd_agent/commit/?id=8ba174816d245757e743e636df357910e1d5eb61 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1510864 CVE-2017-15107 (A vulnerability was found in the implementation of DNSSEC in Dnsmasq u ...) - dnsmasq 2.79-1 (bug #888200) [stretch] - dnsmasq (Minor issue) [jessie] - dnsmasq (Minor issue) [wheezy] - dnsmasq (Minor issue) NOTE: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2018q1/011896.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=4fe6744a220eddd3f1749b40cac3dfc510787de6 NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=cd7df612b14ec1bf831a966ccaf076be0dae7404 NOTE: https://medium.com/nlnetlabs/the-peculiar-case-of-nsec-processing-using-expanded-wildcard-records-ae8285f236be CVE-2017-15106 RESERVED CVE-2017-15105 (A flaw was found in the way unbound before 1.6.8 validated wildcard-sy ...) {DLA-1676-1 DLA-1264-1} - unbound 1.7.1-1 (bug #887733) [stretch] - unbound 1.6.0-3+deb9u2 NOTE: https://unbound.net/downloads/CVE-2017-15105.txt NOTE: https://unbound.net/downloads/patch_cve_2017_15105.diff NOTE: https://medium.com/nlnetlabs/the-peculiar-case-of-nsec-processing-using-expanded-wildcard-records-ae8285f236be CVE-2017-15104 (An access flaw was found in Heketi 5, where the heketi.json configurat ...) - heketi (bug #903384) CVE-2017-15103 (A security-check flaw was found in the way the Heketi 5 server API han ...) - heketi (bug #903384) CVE-2017-15102 (The tower_probe function in drivers/usb/misc/legousbtower.c in the Lin ...) - linux 4.7.8-1 [jessie] - linux 3.16.43-1 [wheezy] - linux 3.2.86-1 NOTE: Fixed by: https://git.kernel.org/linus/2fae9e5a7babada041e2e161699ade2447a01989 (4.9-rc1) CVE-2017-15101 (A missing patch for a stack-based buffer overflow in findTable() was f ...) - liblouis (Incomplete fix not applied in Debian) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1492701#c12 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1511023 CVE-2017-15100 (An attacker submitting facts to the Foreman server containing HTML can ...) - foreman (bug #663101) CVE-2017-15099 (INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10 ...) {DSA-4028-1} - postgresql-10 10.1-1 - postgresql-9.6 - postgresql-9.4 (ON CONFLICT DO UPDATE and RLS introduced in 9.5) - postgresql-9.1 (ON CONFLICT DO UPDATE and RLS introduced in 9.5) CVE-2017-15098 (Invalid json_populate_recordset or jsonb_populate_recordset function c ...) {DSA-4028-1 DSA-4027-1} - postgresql-10 10.1-1 - postgresql-9.6 - postgresql-9.4 - postgresql-9.1 [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) [wheezy] - postgresql-9.1 (Vulnerable code does not exist) CVE-2017-15097 (Privilege escalation flaws were found in the Red Hat initialization sc ...) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1508985 NOTE: Similar issues as CVE-2016-1255 in Debian NOT-FOR-US: Red Hat specific provides scripts for starting the database server during system boot and for initializing the database CVE-2017-15096 (A flaw was found in GlusterFS in versions prior to 3.10. A null pointe ...) - glusterfs 3.12.2-2 (bug #880017) [stretch] - glusterfs (Vulnerable code introduced later) [jessie] - glusterfs (Vulnerable code introduced later) [wheezy] - glusterfs (Vulnerable code introduced later) NOTE: https://review.gluster.org/18538 (master) NOTE: https://review.gluster.org/18539 (release-3.10) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1502928 NOTE: Fixed by: http://git.gluster.org/cgit/glusterfs.git/commit/?id=1f48d17fee0cac95648ec34d13f038b27ef5c6ac CVE-2017-15095 (A deserialization flaw was discovered in the jackson-databind in versi ...) {DSA-4037-1 DLA-2091-1} - jackson-databind 2.9.1-1 - libjackson-json-java NOTE: The Debian upload for stretch (2.8.6-1+deb9u1) and jessie (2.4.2-2+deb8u1) NOTE: misses the further sets of blacklists, in particular as well NOTE: https://github.com/FasterXML/jackson-databind/commit/3bfbb835 NOTE: which was already for CVE-2017-7525 but then the further tickets and patches NOTE: to block more dangerous types (at leas they are): NOTE: https://github.com/FasterXML/jackson-databind/issues/1680 NOTE: https://github.com/FasterXML/jackson-databind/issues/1723 NOTE: https://github.com/FasterXML/jackson-databind/issues/1737 NOTE: https://github.com/FasterXML/jackson-databind/commit/e8f043d1 NOTE: https://github.com/FasterXML/jackson-databind/commit/ddfddfba NOTE: This CVE-2017-15095 should be considered to include everything in NOTE: NO_DESER_CLASS_NAMES as of: NOTE: https://github.com/FasterXML/jackson-databind/blob/7093008aa2afe8068e120df850189ae072dfa1b2/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java#L43 NOTE: Details: http://www.openwall.com/lists/oss-security/2017/11/02/3 NOTE: For libjackson-json-java: NOTE: https://github.com/FasterXML/jackson-1/commit/9ac68db819bce7b9546bc4bf1c44f82ca910fa31 CVE-2017-15094 (An issue has been found in the DNSSEC parsing code of PowerDNS Recurso ...) - pdns-recursor 4.0.7-1 [stretch] - pdns-recursor 4.0.4-1+deb9u2 [jessie] - pdns-recursor (Issue introduced in 4.0.0) [wheezy] - pdns-recursor (Issue introduced in 4.0.0) NOTE: https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-07.html NOTE: https://downloads.powerdns.com/patches/2017-07/ CVE-2017-15093 (When api-config-dir is set to a non-empty value, which is not the case ...) - pdns-recursor 4.0.7-1 [stretch] - pdns-recursor 4.0.4-1+deb9u2 [jessie] - pdns-recursor 3.6.2-2+deb8u4 [wheezy] - pdns-recursor (Vulnerable code introduced later) NOTE: https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html NOTE: https://downloads.powerdns.com/patches/2017-06/ CVE-2017-15092 (A cross-site scripting issue has been found in the web interface of Po ...) - pdns-recursor 4.0.7-1 [stretch] - pdns-recursor 4.0.4-1+deb9u2 [jessie] - pdns-recursor (Issue introduced in 4.0.0) [wheezy] - pdns-recursor (Issue introduced in 4.0.0) NOTE: https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-05.html NOTE: https://downloads.powerdns.com/patches/2017-05/ CVE-2017-15091 (An issue has been found in the API component of PowerDNS Authoritative ...) - pdns 4.0.5-1 [stretch] - pdns 4.0.3-1+deb9u2 [jessie] - pdns 3.4.1-4+deb8u8 [wheezy] - pdns (Vulnerable code not present) NOTE: https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.html NOTE: https://downloads.powerdns.com/patches/2017-04/ CVE-2017-15090 (An issue has been found in the DNSSEC validation component of PowerDNS ...) - pdns-recursor 4.0.7-1 [stretch] - pdns-recursor 4.0.4-1+deb9u2 [jessie] - pdns-recursor (Issue introduced in 4.0.0) [wheezy] - pdns-recursor (Issue introduced in 4.0.0) NOTE: https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-03.html NOTE: https://downloads.powerdns.com/patches/2017-03/ CVE-2017-15089 (It was found that the Hotrod client in Infinispan before 9.2.0.CR1 wou ...) NOT-FOR-US: infinispan CVE-2017-15088 (plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka ...) - krb5 1.15.2-2 (unimportant; bug #871698) NOTE: https://github.com/krb5/krb5/pull/707 NOTE: Fixed by: https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4 NOTE: Red Hat eanbled the code in question in the KDC and thus having it NOTE: exposed as network-facing issue. For Debian and upstream the code only NOTE: runs on client systems, and only with a certificate that is explicitly NOTE: configured locally, leading to a local kinit crash if passed a crafted NOTE: local certificate. This is hardly has any harmful security implication. CVE-2017-15087 (It was discovered that the fix for CVE-2017-12163 was not properly shi ...) - samba (Incomplete Red Hat backport for CVE-2017-12163) CVE-2017-15086 (It was discovered that the fix for CVE-2017-12151 was not properly shi ...) - samba (Incomplete Red Hat backport for CVE-2017-12151) CVE-2017-15085 (It was discovered that the fix for CVE-2017-12150 was not properly shi ...) - samba (Incomplete Red Hat backport for CVE-2017-12150) CVE-2017-15084 (The web UI in Rapid7 Metasploit before 4.14.1-20170828 allows logout C ...) NOT-FOR-US: Metasploit Framework CVE-2017-15083 REJECTED CVE-2017-15082 RESERVED CVE-2017-15081 (In PHPSUGAR PHP Melody CMS 2.6.1, SQL Injection exists via the playlis ...) NOT-FOR-US: PHPSUGAR PHP Melody CMS CVE-2017-15080 RESERVED CVE-2017-15079 (The Smush Image Compression and Optimization plugin before 2.7.6 for W ...) NOT-FOR-US: Smush Image Compression and Optimization plugin for WordPress CVE-2017-15078 REJECTED CVE-2017-15077 REJECTED CVE-2017-15076 REJECTED CVE-2017-15075 REJECTED CVE-2017-15074 REJECTED CVE-2017-15073 REJECTED CVE-2017-15072 REJECTED CVE-2017-15071 REJECTED CVE-2017-15070 REJECTED CVE-2017-15069 REJECTED CVE-2017-15068 REJECTED CVE-2017-15067 REJECTED CVE-2017-15066 REJECTED CVE-2017-15065 REJECTED CVE-2017-15064 REJECTED CVE-2017-1002153 (Koji 1.13.0 does not properly validate SCM paths, allowing an attacker ...) - koji 1.16.0-1 (bug #877921) [stretch] - koji 1.10.0-1+deb9u1 NOTE: https://pagure.io/koji/issue/563 NOTE: https://pagure.io/koji/c/ba7b5a3cbed11ade11c3af5e834c9a6de4f6d7c3 CVE-2017-1000257 (An IMAP FETCH response line indicates the size of the returned data, i ...) {DSA-4007-1 DLA-1143-1} - curl 7.56.1-1 NOTE: https://curl.haxx.se/docs/adv_20171023.html CVE-2017-1000256 (libvirt version 2.3.0 and later is vulnerable to a bad default configu ...) {DSA-4003-1} - libvirt 3.8.0-3 (bug #878799) [jessie] - libvirt (Vulnerable code introduced later) [wheezy] - libvirt (Vulnerable code introduced later) NOTE: https://www.redhat.com/archives/libvirt-announce/2017-October/msg00001.html NOTE: https://security.libvirt.org/2017/0002.html NOTE: Broken by: http://libvirt.org/git/?p=libvirt.git;a=commit;h=ce61c16450d4992612d1fc6f39a39e79bfccead5 (master) NOTE: Fixed by: http://libvirt.org/git/?p=libvirt.git;a=commit;h=441d3eb6d1be940a67ce45a286602a967601b157 (master) CVE-2017-1000255 (On Linux running on PowerPC hardware (Power8 or later) a user process ...) - linux 4.13.4-2 [stretch] - linux 4.9.65-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/265e60a170d0a0ecfc2d20490134ed2c48dd45ab CVE-2017-15063 (There are CSRF vulnerabilities in Subrion CMS 4.1.x through 4.1.5, and ...) NOT-FOR-US: Subrion CMS CVE-2017-15062 RESERVED CVE-2017-15061 RESERVED CVE-2017-15060 RESERVED CVE-2017-15059 RESERVED CVE-2017-15058 RESERVED CVE-2017-15057 RESERVED CVE-2017-15056 (p_lx_elf.cpp in UPX 3.94 mishandles ELF headers, which allows remote a ...) - upx-ucl 3.94-4 (unimportant) NOTE: https://github.com/upx/upx/issues/128 NOTE: https://github.com/upx/upx/commit/ef336dbcc6dc8344482f8cf6c909ae96c3286317 NOTE: crash in CLI tool, no security impact CVE-2017-15055 (TeamPass before 2.1.27.9 does not properly enforce item access control ...) - teampass (bug #730180) CVE-2017-15054 (An arbitrary file upload vulnerability, present in TeamPass before 2.1 ...) - teampass (bug #730180) CVE-2017-15053 (TeamPass before 2.1.27.9 does not properly enforce manager access cont ...) - teampass (bug #730180) CVE-2017-15052 (TeamPass before 2.1.27.9 does not properly enforce manager access cont ...) - teampass (bug #730180) CVE-2017-15051 (Multiple stored cross-site scripting (XSS) vulnerabilities in TeamPass ...) - teampass (bug #730180) CVE-2017-15050 RESERVED CVE-2017-15049 (The ZoomLauncher binary in the Zoom client for Linux before 2.0.115900 ...) NOT-FOR-US: Zoom CVE-2017-15048 (Stack-based buffer overflow in the ZoomLauncher binary in the Zoom cli ...) NOT-FOR-US: Zoom CVE-2017-15047 (The clusterLoadConfig function in cluster.c in Redis 4.0.2 allows atta ...) - redis 4:4.0.2-5 (bug #878076; unimportant) [jessie] - redis (Vulnerable code introduced later) [wheezy] - redis (Vulnerable code introduced later) NOTE: https://github.com/antirez/redis/issues/4278 NOTE: Pull request: https://github.com/antirez/redis/pull/4365 CVE-2017-15046 (LAME 3.99.5 has a stack-based buffer overflow in unpack_read_samples i ...) - lame 3.99.5+repack1-8 [jessie] - lame 3.99.5+repack1-7+deb8u2 NOTE: https://sourceforge.net/p/lame/bugs/479/ NOTE: Starting with 3.99.5+repack1-8 libsndfile is used to read the input file, marking that as the fixed NOTE: version, although the internal lame code was only fixed in 3.100 (strictly speaking that would be NOTE: severity:unimportant for stretch onwards, but we don't have suite-specific severity annotations CVE-2017-15045 (LAME 3.99.5 has a heap-based buffer over-read in fill_buffer in libmp3 ...) - lame 3.99.5+repack1-8 [jessie] - lame 3.99.5+repack1-7+deb8u2 NOTE: https://sourceforge.net/p/lame/bugs/478/ NOTE: Starting with 3.99.5+repack1-8 libsndfile is used to read the input file, marking that as the fixed NOTE: version, although the internal lame code was only fixed in 3.100 (strictly speaking that would be NOTE: severity:unimportant for stretch onwards, but we don't have suite-specific severity annotations CVE-2017-15044 (The default installation of DocuWare Fulltext Search server through 6. ...) NOT-FOR-US: DocuWare Fulltext Search server CVE-2017-15043 (A vulnerability in Sierra Wireless AirLink GX400, GX440, ES440, and LS ...) NOT-FOR-US: Sierra Wireless AirLink routers CVE-2017-15042 (An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x befo ...) - golang-1.9 1.9.1-1 - golang-1.8 1.8.4-1 [stretch] - golang-1.8 (Minor issue, would require builds of all go packages in stable) - golang-1.7 [stretch] - golang-1.7 (Minor issue, would require builds of all go packages in stable) - golang [jessie] - golang (Minor issue, would require builds of all go packages in stable) [wheezy] - golang (Vulnerable code introduced later in version 1.1) NOTE: https://github.com/golang/go/issues/22134 NOTE: https://golang.org/cl/68023 NOTE: https://golang.org/cl/68210 NOTE: https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ CVE-2017-15041 (Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command ...) {DLA-1148-1} - golang-1.9 1.9.1-1 - golang-1.8 1.8.4-1 [stretch] - golang-1.8 (Minor issue) - golang-1.7 [stretch] - golang-1.7 (Minor issue) - golang [jessie] - golang (Minor issue) NOTE: https://go.googlesource.com/go/+/a4544a0f8af001d1fb6df0e70750f570ec49ccf9%5E%21/ NOTE: https://github.com/golang/go/issues/22125 NOTE: https://golang.org/cl/68022 NOTE: https://golang.org/cl/68190 NOTE: https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ CVE-2017-15040 RESERVED CVE-2017-15039 (Cross-site scripting (XSS) exists in Zurmo 3.2.1.57987acc3018 via a da ...) NOT-FOR-US: Zurmo CVE-2017-15038 (Race condition in the v9fs_xattrwalk function in hw/9pfs/9p.c in QEMU ...) {DSA-4213-1 DLA-1497-1 DLA-1129-1 DLA-1128-1} - qemu 1:2.10.0+dfsg-2 (bug #877890) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-10/msg00729.html CVE-2017-15037 (In FreeBSD through 11.1, the smb_strdupin function in sys/netsmb/smb_s ...) - kfreebsd-10 (unimportant; bug #877903) NOTE: kfreebsd not covered by security support CVE-2017-15036 RESERVED CVE-2017-15035 (EmTec PyroBatchFTP before 3.18 allows remote servers to cause a denial ...) NOT-FOR-US: EmTec PyroBatchFTP CVE-2017-15034 RESERVED CVE-2017-15033 (ImageMagick version 7.0.7-2 contains a memory leak in ReadYUVImage in ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/pull/756 NOTE: https://github.com/ImageMagick/ImageMagick/commit/ef8f40689ac452398026c07da41656a7c87e4683 CVE-2017-15032 (ImageMagick version 7.0.7-2 contains a memory leak in ReadYCBCRImage i ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/pull/752 NOTE: https://github.com/ImageMagick/ImageMagick/commit/241988ca28139ad970c1d9717c419f41e360ddb0 CVE-2017-15031 (In all versions of ARM Trusted Firmware up to and including v1.4, not ...) NOT-FOR-US: ARM Trusted Firmware CVE-2017-15030 (Open-Xchange GmbH OX App Suite 7.8.4 and earlier is affected by: Cross ...) NOT-FOR-US: Open-Xchange GmbH OX App Suite CVE-2017-15029 (Open-Xchange GmbH OX App Suite 7.8.4 and earlier is affected by: SSRF. ...) NOT-FOR-US: Open-Xchange GmbH OX App Suite CVE-2017-15028 RESERVED CVE-2017-15027 RESERVED CVE-2017-15026 RESERVED CVE-2017-15025 (decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) libra ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/10/03/binutils-divide-by-zero-in-decode_line_info-dwarf2-c/ NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22186 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d8010d3e75ec7194a4703774090b27486b742d48 CVE-2017-15024 (find_abstract_instance_name in dwarf2.c in the Binary File Descriptor ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/10/03/binutils-infinite-loop-in-find_abstract_instance_name-dwarf2-c/ NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22187 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=52a93b95ec0771c97e26f0bb28630a271a667bd2 CVE-2017-15023 (read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/10/03/binutils-null-pointer-dereference-in-concat_filename-dwarf2-c/ NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22200 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c361faae8d964db951b7100cada4dcdc983df1bf NOTE: When this issue is fixed it is to make sure to not open CVE-2017-15939, i.e. NOTE: not to apply the incomplete fix. See notes on CVE-2017-15939 CVE-2017-15022 (dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/10/03/binutils-null-pointer-dereference-in-bfd_hash_hash-hash-c/ NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22201 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=11855d8a1f11b102a702ab76e95b22082cccf2f8 CVE-2017-15021 (bfd_get_debug_link_info_1 in opncls.c in the Binary File Descriptor (B ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/10/03/binutils-heap-based-buffer-overflow-in-bfd_getl32-opncls-c/ NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22197 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=52b36c51e5bf6d7600fdc6ba115b170b0e78e31d CVE-2017-15020 (dwarf1.c in the Binary File Descriptor (BFD) library (aka libbfd), as ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/10/03/binutils-heap-based-buffer-overflow-in-parse_die-dwarf1-c/ NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22202 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1da5c9a485f3dcac4c45e96ef4b7dae5948314b5 CVE-2017-15019 (LAME 3.99.5 has a NULL Pointer Dereference in the hip_decode_init func ...) - lame 3.100-1 [stretch] - lame (Minor issue) [jessie] - lame (Minor issue) NOTE: https://sourceforge.net/p/lame/bugs/477/ CVE-2017-15018 (LAME 3.99.5 has a heap-based buffer over-read when handling a malforme ...) - lame 3.99.5+repack1-8 [jessie] - lame 3.99.5+repack1-7+deb8u2 NOTE: https://sourceforge.net/p/lame/bugs/480/ NOTE: Starting with 3.99.5+repack1-8 libsndfile is used to read the input file, marking that as the fixed NOTE: version, although the internal lame code was only fixed in 3.100 (strictly speaking that would be NOTE: severity:unimportant for stretch onwards, but we don't have suite-specific severity annotations CVE-2017-15017 (ImageMagick 7.0.7-0 Q16 has a NULL pointer dereference vulnerability i ...) {DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #878554) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/723 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/5a1006a249516a875558c3d642e719b1eac8f820 NOTE: https://github.com/ImageMagick/ImageMagick/commit/0cff8bac0a47f8693cfe57f026fcd752689ff375 CVE-2017-15016 (ImageMagick 7.0.7-0 Q16 has a NULL pointer dereference vulnerability i ...) {DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/725 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/8254d24b86a62803231773ecf54c707aef4a1457 NOTE: https://github.com/ImageMagick/ImageMagick/commit/27f8ba82ddd665ab41cef6588128f680cbd69905 NOTE: emf.c not compiled under Debian CVE-2017-15015 (ImageMagick 7.0.7-0 Q16 has a NULL pointer dereference vulnerability i ...) {DLA-1785-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #878555) [stretch] - imagemagick (Minor issue) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/724 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/0cbb3b3b02e7af493a9aafa8f7e7d23fc70644e4 NOTE: https://github.com/ImageMagick/ImageMagick/commit/a0cef9db632ef8e1b9de4c463700c6a24d4f96ca CVE-2017-15014 (OpenText Documentum Content Server (formerly EMC Documentum Content Se ...) NOT-FOR-US: OpenText Documentum Content Server CVE-2017-15013 (OpenText Documentum Content Server (formerly EMC Documentum Content Se ...) NOT-FOR-US: OpenText Documentum Content Server CVE-2017-15012 (OpenText Documentum Content Server (formerly EMC Documentum Content Se ...) NOT-FOR-US: OpenText Documentum Content Server CVE-2017-1000120 ([ERPNext][Frappe Version <= 7.1.27] SQL injection vulnerability in ...) NOT-FOR-US: ERPNext Frappe framework CVE-2017-1000119 (October CMS build 412 is vulnerable to PHP code execution in the file ...) NOT-FOR-US: October CMS CVE-2017-1000118 (Akka HTTP versions <= 10.0.5 Illegal Media Range in Accept Header C ...) NOT-FOR-US: Akka HTTP CVE-2017-1000114 (The Datadog Plugin stores an API key to access the Datadog service in ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000113 (The Deploy to container Plugin stored passwords unencrypted as part of ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000110 (Blue Ocean allows the creation of GitHub organization folders that are ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000109 (The custom Details view of the Static Analysis Utilities based OWASP D ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000106 (Blue Ocean allows the creation of GitHub organization folders that are ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000105 (The optional Run/Artifacts permission can be enabled by setting a Java ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000104 (The Config File Provider Plugin is used to centrally manage configurat ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000103 (The custom Details view of the Static Analysis Utilities based DRY Plu ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000102 (The Details view of some Static Analysis Utilities based plugins, was ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000098 (The net/http package's Request.ParseMultipartForm method starts writin ...) {DLA-1123-1} - golang-1.9 (Fixed before initial release to Debian) - golang-1.8 (Fixed before initial release to Debian) - golang-1.7 1.7.4-1 - golang [jessie] - golang (Minor issue) NOTE: https://groups.google.com/forum/#!msg/golang-dev/4NdLzS8sls8/uIz8QlnIBQAJ NOTE: https://golang.org/cl/30410 NOTE: https://golang.org/issue/17965 CVE-2017-1000097 (On Darwin, user's trust preferences for root certificates were not hon ...) - golang (OS X specific issue) - golang-1.7 (OS X specific issue) - golang-1.8 (OS X specific issue) - golang-1.9 (OS X specific issue) NOTE: https://github.com/golang/go/issues/18141 CVE-2017-15011 (The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and S ...) - qbittorrent (Only affects Windows) CVE-2017-15010 (A ReDoS (regular expression denial of service) flaw was found in the t ...) - node-tough-cookie 2.3.4+dfsg-1 (bug #877660) NOTE: https://github.com/salesforce/tough-cookie/issues/92 NOTE: https://nodesecurity.io/advisories/525 CVE-2017-15009 (PRTG Network Monitor version 17.3.33.2830 is vulnerable to reflected C ...) NOT-FOR-US: PRTG Network Monitor CVE-2017-15008 (PRTG Network Monitor version 17.3.33.2830 is vulnerable to stored Cros ...) NOT-FOR-US: PRTG Network Monitor CVE-2017-15007 RESERVED CVE-2017-15006 RESERVED CVE-2017-15005 RESERVED CVE-2017-15004 RESERVED CVE-2017-15003 RESERVED CVE-2017-15002 RESERVED CVE-2017-15001 RESERVED CVE-2017-15000 RESERVED CVE-2017-14999 RESERVED CVE-2017-14998 RESERVED CVE-2017-14997 (GraphicsMagick 1.3.26 allows remote attackers to cause a denial of ser ...) {DSA-4321-1 DLA-1456-1 DLA-1130-1} - graphicsmagick 1.3.26-13 NOTE: https://sourceforge.net/p/graphicsmagick/code/ci/0683f8724200495059606c03f04e0d589b33ebe8/ NOTE: https://sourceforge.net/p/graphicsmagick/bugs/511/ CVE-2017-14996 RESERVED CVE-2017-14995 (The Management Console in WSO2 Application Server 5.3.0, WSO2 Business ...) NOT-FOR-US: WSO2 Application Server CVE-2017-14994 (ReadDCMImage in coders/dcm.c in GraphicsMagick 1.3.26 allows remote at ...) {DSA-4321-1 DLA-1456-1 DLA-1130-1} - graphicsmagick 1.3.26-13 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=b3eca3eaa264 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/512/ CVE-2017-14993 (OXID eShop Community Edition before 6.0.0 RC3 (development), 4.10.x be ...) NOT-FOR-US: OXID eShop Community Edition CVE-2017-14992 (Lack of content verification in Docker-CE (Also known as Moby) version ...) - docker.io 18.03.1+dfsg1-2 (bug #908055) - golang-github-vbatts-tar-split 0.10.2-1 (bug #908056) [stretch] - golang-github-vbatts-tar-split (Minor issue) NOTE: Issue needs to be fixed in src:golang-github-vbatts-tar-split first NOTE: https://github.com/vbatts/tar-split/issues/41 NOTE: docker.io needs then a rebuild with a fixed golang-github-vbatts-tar-split NOTE: version. NOTE: 17.12.1+dfsg-1 was the first upload (to experimental) using the fixed version NOTE: golang-github-vbatts-tar-split. CVE-2017-14991 (The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel before ...) - linux 4.13.4-1 [stretch] - linux (Vulnerable code introduced later) [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/3e0097499839e0fe3af380410eababe5a47c4cf9 CVE-2017-14758 (OpenText Document Sciences xPression (formerly EMC Document Sciences x ...) NOT-FOR-US: EMC CVE-2017-14990 (WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but ...) {DSA-3997-1} - wordpress 4.8.2+dfsg-2 (bug #877629) [wheezy] - wordpress (Fix requires database upgrade which is too intrusive compared to the actual benefit.) NOTE: https://core.trac.wordpress.org/ticket/38474 CVE-2017-14989 (A use-after-free in RenderFreetype in MagickCore/annotate.c in ImageMa ...) {DSA-4040-1 DSA-4032-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #878562) NOTE: https://github.com/ImageMagick/ImageMagick/issues/781 NOTE: https://github.com/ImageMagick/ImageMagick/commit/97740ccc177ee264e79091fa573d994eb6b05628 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/28bad01242898d7f863deedbfa8502c348293093 CVE-2017-14988 (** DISPUTED ** Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2 ...) - openexr (bug #878551; unimportant) NOTE: https://github.com/openexr/openexr/issues/248 NOTE: Issue in the use of openexr via ImageMagick, no real security impact CVE-2017-14987 RESERVED CVE-2017-14986 RESERVED CVE-2017-14985 (Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web inte ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14984 (Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web inte ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14983 (Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web inte ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14982 RESERVED CVE-2017-14981 (Cross-Site Scripting (XSS) was discovered in ATutor before 2.2.3. The ...) NOT-FOR-US: ATutor CVE-2017-14980 (Buffer overflow in Sync Breeze Enterprise 10.0.28 allows remote attack ...) NOT-FOR-US: Sync Breeze Enterprise CVE-2017-14979 (Gxlcms uses an unsafe character-replacement approach in an attempt to ...) NOT-FOR-US: Gxlcms CVE-2017-14978 RESERVED CVE-2017-14977 (The FoFiTrueType::getCFFBlock function in FoFiTrueType.cc in Poppler 0 ...) {DSA-4079-1 DLA-1177-1} - poppler 0.61.1-2 (low; bug #877952) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=103045 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=19eedc6fb693a62f305e13079501e3105f869f3c CVE-2017-14976 (The FoFiType1C::convertToType0 function in FoFiType1C.cc in Poppler 0. ...) {DSA-4079-1 DLA-1177-1} - poppler 0.61.1-2 (low; bug #877954) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102724 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=da63c35549e8852a410946ab016a3f25ac701bdf CVE-2017-14975 (The FoFiType1C::convertToType0 function in FoFiType1C.cc in Poppler 0. ...) {DSA-4079-1 DLA-1177-1} - poppler 0.61.1-2 (low; bug #877957) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102653 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=a5e5649ecf16fa05770620dbbd4985935dc2bbff CVE-2017-14974 (The *_get_synthetic_symtab functions in the Binary File Descriptor (BF ...) - binutils 2.29.1-2 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: First version containing the fix was 2.29.1-2, which was quickly followed by NOTE: a fixed 2.29.1-3 for unrelated issues. NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22163 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e70c19e3a4c26e9c1ebf0c9170d105039b56d7cf CVE-2017-14973 (IDenticard Two-Reader Controller Configuration Manager 1.18.8 (396) is ...) NOT-FOR-US: IDenticard Two-Reader Controller Configuration Manager CVE-2017-14972 (InFocus Mondopad 2.2.08 is vulnerable to authentication bypass when ac ...) NOT-FOR-US: InFocus Mondopad CVE-2017-14971 (Infocus Mondopad 2.2.08 is vulnerable to a Hashed Credential Disclosur ...) NOT-FOR-US: InFocus Mondopad CVE-2017-14970 (In lib/ofp-util.c in Open vSwitch (OvS) before 2.8.1, there are multip ...) [experimental] - openvswitch 2.8.1+dfsg1-1 - openvswitch 2.8.1+dfsg1-2 (unimportant; bug #877543) NOTE: https://mail.openvswitch.org/pipermail/ovs-dev/2017-September/339085.html NOTE: https://mail.openvswitch.org/pipermail/ovs-dev/2017-September/339086.html NOTE: Not considered a security issue by upstream, see #877543 CVE-2017-14969 (In IKARUS anti.virus before 2.16.18, the ntguard.sys driver contains a ...) NOT-FOR-US: IKARUS anti.virus CVE-2017-14968 (In IKARUS anti.virus before 2.16.18, the ntguard.sys driver contains a ...) NOT-FOR-US: IKARUS anti.virus CVE-2017-14967 (In IKARUS anti.virus before 2.16.18, the ntguard.sys driver contains a ...) NOT-FOR-US: IKARUS anti.virus CVE-2017-14966 (In IKARUS anti.virus before 2.16.18, the ntguard.sys driver contains a ...) NOT-FOR-US: IKARUS anti.virus CVE-2017-14965 (In IKARUS anti.virus before 2.16.18, the ntguard.sys driver contains a ...) NOT-FOR-US: IKARUS anti.virus CVE-2017-14964 (In IKARUS anti.virus before 2.16.18, the ntguard.sys driver contains a ...) NOT-FOR-US: IKARUS anti.virus CVE-2017-14963 (In IKARUS anti.virus before 2.16.18, the ntguard.sys driver contains a ...) NOT-FOR-US: IKARUS anti.virus CVE-2017-14962 (In IKARUS anti.virus before 2.16.18, the ntguard.sys driver contains a ...) NOT-FOR-US: IKARUS anti.virus CVE-2017-14961 (In IKARUS anti.virus 2.16.7, the ntguard.sys driver contains an Arbitr ...) NOT-FOR-US: IKARUS anti.virus CVE-2017-14960 (xDashboard in OpenText Document Sciences xPression (formerly EMC Docum ...) NOT-FOR-US: EMC Document Sciences xPression CVE-2017-14959 RESERVED CVE-2017-14958 (lib.php in PivotX 2.3.11 does not properly block uploads of dangerous ...) NOT-FOR-US: PivotX CVE-2017-14957 (Stored XSS vulnerability via a comment in inc/conv.php in BlogoText be ...) NOT-FOR-US: BlogoText CVE-2017-14956 (AlienVault USM v5.4.2 and earlier offers authenticated users the funct ...) NOT-FOR-US: AlienVault CVE-2017-14955 (Check_MK before 1.2.8p26 mishandles certain errors within the failed-l ...) - check-mk 1.2.8p26-1 [wheezy] - check-mk (Vulnerable code not present) NOTE: http://mathias-kettner.com/check_mk_werks.php?edition_id=raw&branch=1.2.8 NOTE: https://mathias-kettner.de/check_mk_werks.php?werk_id=5208&HTML=yes NOTE: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=a4a2cc1f30ff6032899ca80eed29fa26b8898c54 CVE-2017-14954 (The waitid implementation in kernel/exit.c in the Linux kernel through ...) - linux (Vulnerable code introduced in v4.13-rc1) NOTE: Fixed by: https://git.kernel.org/linus/6c85501f2fabcfc4fc6ed976543d252c4eaf4be9 CVE-2017-14953 (** DISPUTED ** HikVision Wi-Fi IP cameras, when used in a wired config ...) NOT-FOR-US: HikVision CVE-2017-14952 (Double free in i18n/zonemeta.cpp in International Components for Unico ...) - icu 57.1-7 (bug #878840) [stretch] - icu 57.1-6+deb9u1 [jessie] - icu 52.1-8+deb8u6 [wheezy] - icu (Can be fixed in next update) NOTE: http://www.sourcebrella.com/blog/double-free-vulnerability-international-components-unicode-icu/ NOTE: http://bugs.icu-project.org/trac/changeset/40324/trunk/icu4c/source/i18n/zonemeta.cpp CVE-2017-14951 RESERVED CVE-2017-14950 RESERVED CVE-2015-9234 (The cp-contact-form-with-paypal (aka CP Contact Form with PayPal) plug ...) NOT-FOR-US: Wordpress plugin CVE-2015-9233 (The cp-contact-form-with-paypal (aka CP Contact Form with PayPal) plug ...) NOT-FOR-US: Wordpress plugin CVE-2017-14949 (Restlet Framework before 2.3.12 allows remote attackers to access arbi ...) - restlet (bug #596472) CVE-2017-14948 (Certain D-Link products are affected by: Buffer Overflow. This affects ...) NOT-FOR-US: D-Link CVE-2017-14947 (Artifex GSView 6.0 Beta on Windows allows attackers to execute arbitra ...) NOT-FOR-US: GSView (different from gv) CVE-2017-14946 (Artifex GSView 6.0 Beta on Windows allows attackers to cause a denial ...) NOT-FOR-US: GSView (different from gv) CVE-2017-14945 (Artifex GSView 6.0 Beta on Windows allows attackers to cause a denial ...) NOT-FOR-US: GSView (different from gv) CVE-2017-14944 (Inedo ProGet before 4.7.14 does not properly address dangerous package ...) NOT-FOR-US: Inedo ProGet CVE-2017-14943 (Trapeze TransitMaster is vulnerable to information disclosure (emails ...) NOT-FOR-US: Trapeze TransitMaster CVE-2017-14942 (Intelbras WRN 150 devices allow remote attackers to read the configura ...) NOT-FOR-US: Intelbras WRN 150 devices CVE-2017-14941 (Jaspersoft JasperReports 4.7 suffers from a saved credential disclosur ...) - jasperreports (bug #880467; bug #884131) [jessie] - jasperreports (no detailed information available, only needed as build-dependency for Spring) [wheezy] - jasperreports (cannot be supported due to lack of information) NOTE: https://github.com/binary1985/VulnerabilityDisclosure/blob/master/JasperSoft%20JasperReports%20-%204.7%20-%20CVE-2017-14941 CVE-2017-14940 (scan_unit_for_symbols in dwarf2.c in the Binary File Descriptor (BFD) ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22166 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0d76029f92182c3682d8be2c833d45bc9a2068fe NOTE: https://blogs.gentoo.org/ago/2017/09/26/binutils-null-pointer-dereference-in-scan_unit_for_symbols-dwarf2-c CVE-2017-14939 (decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) libra ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22169 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=515f23e63c0074ab531bc954f84ca40c6281a724 NOTE: https://blogs.gentoo.org/ago/2017/09/26/binutils-heap-based-buffer-overflow-in-read_1_byte-dwarf2-c CVE-2017-14938 (_bfd_elf_slurp_version_tables in elf.c in the Binary File Descriptor ( ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22166 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bd61e135492ecf624880e6b78e5fcde3c9716df6 NOTE: https://blogs.gentoo.org/ago/2017/09/26/binutils-memory-allocation-failure-in-_bfd_elf_slurp_version_tables-elf-c/ CVE-2017-14937 (The airbag detonation algorithm allows injury to passenger-car occupan ...) NOT-FOR-US: passenger-car CVE-2017-14936 RESERVED CVE-2016-10512 (MultiTech FaxFinder before 4.1.2 stores Passwords unencrypted for main ...) NOT-FOR-US: MultiTech FaxFinder CVE-2017-14935 (Pulse Secure Pulse One On-Premise 2.0.1649 and below does not properly ...) NOT-FOR-US: Pulse Secure CVE-2017-14934 (process_debug_info in dwarf.c in the Binary File Descriptor (BFD) libr ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22219 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=19485196044b2521af979f1e5c4a89bfb90fba0b CVE-2017-14933 (read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22210 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=30d0157a2ad64e64e5ff9fcc0dbe78a3e682f573 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=33e0a9a056bd23e923b929a4f2ab049ade0b1c32 CVE-2017-14932 (decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) libra ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22204 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e338894dc2e603683bed2172e8e9f25b29051005 CVE-2017-14931 (ExifImageFile::readDQT in ExifImageFileRead.cpp in OpenExif 2.1.4 allo ...) NOT-FOR-US: OpenExif CVE-2017-14930 (Memory leak in decode_line_info in dwarf2.c in the Binary File Descrip ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22191 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a26a013f22a19e2c16729e64f40ef8a7dfcc086e CVE-2017-14929 (In Poppler 0.59.0, memory corruption occurs in a call to Object::dictL ...) - poppler 0.61.1-2 (bug #877222) [stretch] - poppler 0.48.0-2+deb9u2 [jessie] - poppler (Minor impact, too intrusive to backport) [wheezy] - poppler (unreproducible, requires API change which appears to be too intrusive in this case.) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102969 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=2c92c7b6a828c9db8a38f079ea7a3d51c12a481d CVE-2017-14928 (In Poppler 0.59.0, a NULL Pointer Dereference exists in AnnotRichMedia ...) - poppler 0.61.1-2 (low; bug #877231) [stretch] - poppler (Minor issue) [jessie] - poppler (Problematic code introduced in 0.36) [wheezy] - poppler (Problematic code introduced in 0.36) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102607 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=1316c7a41f4dd7276f404f775ebb5fef2d24ab1c CVE-2017-14927 (In Poppler 0.59.0, a NULL Pointer Dereference exists in the SplashOutp ...) - poppler 0.61.1-2 (low; bug #877237) [stretch] - poppler (Vulnerable code introduced in 0.49) [jessie] - poppler (Vulnerable code introduced in 0.49) [wheezy] - poppler (Vulnerable code introduced in 0.49) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102604 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=6472d8493f7e82cc78b41da20a2bf19fcb4e0a7d CVE-2017-14926 (In Poppler 0.59.0, a NULL Pointer Dereference exists in AnnotRichMedia ...) - poppler 0.61.1-2 (low; bug #877239) [stretch] - poppler (Minor issue) [jessie] - poppler (Problematic code introduced in 0.36) [wheezy] - poppler (Problematic code introduced in 0.36) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102601 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=2532df6060092e9fab7f041ae9598aff9cdd94bb CVE-2017-14925 (Cross-Site Request Forgery (CSRF) vulnerability via IMG element in Tik ...) NOT-FOR-US: Tiki CVE-2017-14924 (Cross-Site Request Forgery (CSRF) vulnerability via IMG element in Tik ...) NOT-FOR-US: Tiki CVE-2017-14923 (Stored XSS vulnerability via IMG element at "Leadname" of CRM in Tine ...) NOT-FOR-US: Tine groupware CVE-2017-14922 (Stored XSS vulnerability via IMG element at "History" of Profile, Cale ...) NOT-FOR-US: Tine groupware CVE-2017-14921 (Stored XSS vulnerability via IMG element at "Filename" of Filemanager ...) NOT-FOR-US: Tine groupware CVE-2017-14920 (Stored XSS vulnerability in eGroupware Community Edition before 16.1.2 ...) NOT-FOR-US: eGroupware CVE-2017-14919 (Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows r ...) - nodejs (Debian didn't use an affected zlib version) NOTE: Debian doesn't use zlib 1.2.9 yet NOTE: https://nodejs.org/en/blog/vulnerability/oct-2017-dos/ CVE-2017-14918 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14917 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14916 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14915 (In Android before 2018-01-05 on Qualcomm Snapdragon Mobile SD 625, SD ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14914 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14913 (In Android before 2018-01-05 on Qualcomm Snapdragon IoT, Snapdragon Mo ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14912 (In Android before 2018-01-05 on Qualcomm Snapdragon IoT, Snapdragon Mo ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14911 (In Android before 2018-01-05 on Qualcomm Snapdragon IoT, Snapdragon Mo ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14910 (In Snapdragon Automobile, Snapdragon IoT and Snapdragon Mobile MDM9206 ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14909 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14908 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14907 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm closed-source components on Android CVE-2017-14906 (In Android before 2018-01-05 on Qualcomm Snapdragon IoT, Snapdragon Mo ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14905 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14904 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Android MediaServer CVE-2017-14903 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14902 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Android CVE-2017-14901 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14900 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14899 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14898 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14897 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Android CVE-2017-14896 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14895 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Android CVE-2017-14894 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14893 (While flashing meta image, a buffer over-read may potentially occur wh ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14892 (In the function msm_pcm_hw_params() in Android for MSM, Firefox OS for ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14891 (In the KGSL driver function _gpuobj_map_useraddr() in Android for MSM, ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14890 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14889 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14888 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14887 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14886 RESERVED CVE-2017-14885 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14884 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14883 (In the function wma_unified_power_debug_stats_event_handler() in Andro ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14882 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14881 (While calling the IPA IOCTL handler for IPA_IOC_ADD_HDR_PROC_CTX in An ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14880 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14879 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14878 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14877 (While the IPA driver in Android for MSM, Firefox OS for MSM, and QRD A ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14876 (In msm_ispif_config_stereo() in Android for MSM, Firefox OS for MSM, a ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14875 (In the handler for the ioctl command VIDIOC_MSM_ISP_DUAL_HW_LPM_MODE i ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14874 RESERVED CVE-2017-14873 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14872 (While flashing a meta image, a buffer over-read can potentially occur ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14871 RESERVED CVE-2017-14870 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14869 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14868 (Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows ...) - restlet (bug #596472) CVE-2017-14866 (There is a heap-based buffer overflow in the Exiv2::s2Data function of ...) - exiv2 (Versions prior to 0.26 don't parse ICC profiles yet; only affected experimental; bug #880015) NOTE: https://github.com/Exiv2/exiv2/issues/140 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494781 CVE-2017-14865 (There is a heap-based buffer overflow in the Exiv2::us2Data function o ...) - exiv2 (Vulnerable code introduced after 0.25; only affected experimental; bug #888865) NOTE: https://github.com/Exiv2/exiv2/issues/134 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494778 NOTE: Patch: https://github.com/Exiv2/exiv2/commit/d3c2b9938583440f87ce9115de5a7e8cd8f8db57 CVE-2017-14864 (An Invalid memory address dereference was discovered in Exiv2::getULon ...) {DLA-1147-1} - exiv2 0.27.2-6 (low) [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) [jessie] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/issues/73 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494467 NOTE: Patches here: https://github.com/Exiv2/exiv2/pull/110 NOTE: Depends on: https://github.com/Exiv2/exiv2/commit/65f45a350516bfde4941d7906f2d67462f48d1ca CVE-2017-14863 (A NULL pointer dereference was discovered in Exiv2::Image::printIFDStr ...) - exiv2 (Vulnerable code introduced after 0.25; only affected experimental; bug #888866) NOTE: https://github.com/Exiv2/exiv2/issues/132 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494443 CVE-2017-14862 (An Invalid memory address dereference was discovered in Exiv2::DataVal ...) {DLA-1147-1} - exiv2 0.27.2-6 (low) [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) [jessie] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/issues/75 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494786 NOTE: Patches here: https://github.com/Exiv2/exiv2/pull/110 NOTE: Depends on: https://github.com/Exiv2/exiv2/commit/65f45a350516bfde4941d7906f2d67462f48d1ca CVE-2017-14861 (There is a stack consumption vulnerability in the Exiv2::Internal::str ...) - exiv2 (printIFDStructure introduced in 0.26; only affected experimental; bug #880027) NOTE: https://github.com/Exiv2/exiv2/issues/139 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494787 CVE-2017-14860 (There is a heap-based buffer over-read in the Exiv2::Jp2Image::readMet ...) - exiv2 (Vulnerable code introduced after 0.25; only affected experimental; bug #888867) NOTE: https://github.com/Exiv2/exiv2/issues/71 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494776 NOTE: Patch: https://github.com/Exiv2/exiv2/pull/108 CVE-2017-14859 (An Invalid memory address dereference was discovered in Exiv2::StringV ...) {DLA-1147-1} - exiv2 0.27.2-6 (low) [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) [jessie] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/issues/74 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494780 NOTE: Patches here: https://github.com/Exiv2/exiv2/pull/110 NOTE: Depends on: https://github.com/Exiv2/exiv2/commit/65f45a350516bfde4941d7906f2d67462f48d1ca CVE-2017-14858 (There is a heap-based buffer overflow in the Exiv2::l2Data function of ...) - exiv2 (TIFF meta data handler doesn't parse ICC profiles; only affected experimental; bug #897134) NOTE: https://github.com/Exiv2/exiv2/issues/138 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494782 CVE-2017-14857 (In Exiv2 0.26, there is an invalid free in the Image class in image.cp ...) - exiv2 (Vulnerable code not present; only affected experimental; bug #888869) NOTE: https://github.com/Exiv2/exiv2/issues/76 NOTE: https://github.com/Exiv2/exiv2/issues/124 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1495043 CVE-2017-14856 RESERVED CVE-2017-14855 (Red Lion HMI panels allow remote attackers to cause a denial of servic ...) NOT-FOR-US: Red Lion HMI CVE-2017-14854 (A stack buffer overflow exists in one of the Orpak SiteOmat CGI compon ...) NOT-FOR-US: Orpak SiteOmat CVE-2017-14853 (The Orpak SiteOmat OrCU component is vulnerable to code injection, for ...) NOT-FOR-US: Orpak SiteOmat CVE-2017-14852 (An insecure communication was found between a user and the Orpak SiteO ...) NOT-FOR-US: Orpak SiteOmat CVE-2017-14851 (A SQL injection vulnerability exists in all Orpak SiteOmat versions pr ...) NOT-FOR-US: Orpak SiteOmat CVE-2017-14850 (All known versions of the Orpak SiteOmat web management console is vul ...) NOT-FOR-US: Orpak SiteOmat CVE-2017-14849 (Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintende ...) - nodejs (Vulnerable code introduced in 8.5.0) NOTE: https://nodejs.org/en/blog/vulnerability/september-2017-path-validation/ NOTE: https://twitter.com/nodejs/status/913131152868876288 CVE-2017-14848 (WPHRM Human Resource Management System for WordPress 1.0 allows SQL In ...) NOT-FOR-US: Wordpress plugin CVE-2017-14847 (Mojoomla WPAMS Apartment Management System for WordPress allows SQL In ...) NOT-FOR-US: Mojoomla WPAMS Apartment Management System for WordPress CVE-2017-14846 (Mojoomla Hospital Management System for WordPress allows SQL Injection ...) NOT-FOR-US: Mojoomla Hospital Management System for WordPress CVE-2017-14845 (Mojoomla WPCHURCH Church Management System for WordPress allows SQL In ...) NOT-FOR-US: Mojoomla WPCHURCH Church Management System for WordPress CVE-2017-14844 (Mojoomla WPGYM WordPress Gym Management System allows SQL Injection vi ...) NOT-FOR-US: Mojoomla WPGYM WordPress Gym Management System CVE-2017-14843 (Mojoomla School Management System for WordPress allows SQL Injection v ...) NOT-FOR-US: Mojoomla School Management System for WordPress CVE-2017-14842 (Mojoomla SMSmaster Multipurpose SMS Gateway for WordPress allows SQL I ...) NOT-FOR-US: Mojoomla SMSmaster Multipurpose SMS Gateway for WordPress CVE-2017-14841 (Mojoomla Annual Maintenance Contract (AMC) Management System allows Ar ...) NOT-FOR-US: Mojoomla Annual Maintenance Contract (AMC) Management System CVE-2017-14840 (TeamWork TicketPlus allows Arbitrary File Upload in updateProfile. ...) NOT-FOR-US: TeamWork TicketPlus CVE-2017-14839 (TeamWork Photo Fusion allows Arbitrary File Upload in changeAvatar and ...) NOT-FOR-US: TeamWork Photo Fusion CVE-2017-14838 (TeamWork Job Links allows Arbitrary File Upload in profileChange and c ...) NOT-FOR-US: TeamWork Job Links CVE-2017-14837 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-14836 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-14835 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-14834 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-14833 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-14832 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-14831 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-14830 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-14829 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-14828 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-14827 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-14826 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-14825 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-14824 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-14823 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-14822 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2017-14821 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2017-14820 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2017-14819 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2017-14818 (This vulnerability allows remote attackers to disclose sensitive on vu ...) NOT-FOR-US: Foxit Reader CVE-2017-14817 REJECTED CVE-2017-14816 REJECTED CVE-2017-14815 REJECTED CVE-2017-14814 REJECTED CVE-2017-14813 REJECTED CVE-2017-14812 REJECTED CVE-2017-14811 REJECTED CVE-2017-14810 REJECTED CVE-2017-14809 REJECTED CVE-2017-14808 REJECTED CVE-2017-14807 (An Improper Neutralization of Special Elements used in an SQL Command ...) NOT-FOR-US: SUSE Studio CVE-2017-14806 (A Improper Certificate Validation vulnerability in susestudio-common o ...) NOT-FOR-US: SUSE Studio CVE-2017-14805 RESERVED CVE-2017-14804 (The build package before 20171128 did not check directory names during ...) - obs-build 20180302-1 (bug #887306) [stretch] - obs-build 20160921-1+deb9u1 [jessie] - obs-build (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1069904 CVE-2017-14803 (In NetIQ Access Manager 4.3 and 4.4, a bug exists in Identity Server w ...) NOT-FOR-US: NetIQ Access Manager CVE-2017-14802 (Novell Access Manager Admin Console and IDP servers before 4.3.3 have ...) NOT-FOR-US: Novell Access Manager Admin Console CVE-2017-14801 (Reflected XSS in the NetIQ Access Manager before 4.3.3 allowed attacke ...) NOT-FOR-US: NetIQ CVE-2017-14800 (A reflected cross site scripting attack in the NetIQ Access Manager be ...) NOT-FOR-US: NetIQ CVE-2017-14799 (A cross site scripting attack in handling the ESP login parameter hand ...) NOT-FOR-US: NetIQ Access Manager CVE-2017-14798 (A race condition in the postgresql init script could be used by attack ...) NOT-FOR-US: SuSE-specific flaw in Postgres init script CVE-2017-14797 (Lack of Transport Encryption in the public API in Philips Hue Bridge B ...) NOT-FOR-US: Philips Hue CVE-2017-14796 (The hevc_write_frame function in libbpg.c in libbpg 0.9.7 allows remot ...) NOT-FOR-US: libbpg CVE-2017-14795 (The hevc_write_frame function in libbpg.c in libbpg 0.9.7 allows remot ...) NOT-FOR-US: libbpg CVE-2017-14794 REJECTED CVE-2017-14793 REJECTED CVE-2017-14792 REJECTED CVE-2017-14791 REJECTED CVE-2017-14790 REJECTED CVE-2017-14789 REJECTED CVE-2017-14788 REJECTED CVE-2017-14787 REJECTED CVE-2017-14786 REJECTED CVE-2017-14785 REJECTED CVE-2017-14784 REJECTED CVE-2017-14783 REJECTED CVE-2017-14782 REJECTED CVE-2017-14781 REJECTED CVE-2017-14780 REJECTED CVE-2017-14779 REJECTED CVE-2017-14778 REJECTED CVE-2017-14777 REJECTED CVE-2017-14776 REJECTED CVE-2017-14775 (Laravel before 5.5.10 mishandles the remember_me token verification pr ...) NOT-FOR-US: Laravel CVE-2017-14774 RESERVED CVE-2017-14773 (Skybox Manager Client Application prior to 8.5.501 is prone to an elev ...) NOT-FOR-US: Skybox Manager Client Application CVE-2017-14772 (Skybox Manager Client Application is prone to information disclosure v ...) NOT-FOR-US: Skybox Manager Client Application CVE-2017-14771 (Skybox Manager Client Application prior to 8.5.501 is prone to an arbi ...) NOT-FOR-US: Skybox Manager Client Application CVE-2017-14770 (Skybox Manager Client Application prior to 8.5.501 is prone to an info ...) NOT-FOR-US: Skybox Manager Client Application CVE-2017-14769 RESERVED CVE-2017-14768 RESERVED CVE-2017-14767 (The sdp_parse_fmtp_config_h264 function in libavformat/rtpdec_h264.c i ...) {DSA-3996-1 DLA-1630-1} - ffmpeg 7:3.3.4-1 - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/c42a1388a6d1bfd8001bf6a4241d8ca27e49326d NOTE: Fixed in 3.2.8 NOTE: The check is completely missing in Jessie. It should be added. CVE-2017-14766 (The Simple Student Result plugin before 1.6.4 for WordPress has an Aut ...) NOT-FOR-US: Wordpress plugin CVE-2017-14765 (In GeniXCMS 1.1.4, gxadmin/index.php has XSS via the Menu ID field in ...) NOT-FOR-US: GeniXCMS CVE-2017-14764 (In the Upload Modules page in GeniXCMS 1.1.4, remote authenticated use ...) NOT-FOR-US: GeniXCMS CVE-2017-14763 (In the Install Themes page in GeniXCMS 1.1.4, remote authenticated use ...) NOT-FOR-US: GeniXCMS CVE-2017-14762 (In GeniXCMS 1.1.4, /inc/lib/Control/Backend/menus.control.php has XSS ...) NOT-FOR-US: GeniXCMS CVE-2017-14761 (In GeniXCMS 1.1.4, /inc/lib/backend/menus.control.php has XSS via the ...) NOT-FOR-US: GeniXCMS CVE-2017-14760 (SQL Injection exists in /includes/event-management/index.php in the ev ...) NOT-FOR-US: Event Espresso Lite CVE-2017-14759 (OpenText Document Sciences xPression (formerly EMC Document Sciences x ...) NOT-FOR-US: OpenText Document Sciences xPression CVE-2017-14757 (OpenText Document Sciences xPression (formerly EMC Document Sciences x ...) NOT-FOR-US: OpenText Document Sciences xPression CVE-2017-14756 (OpenText Document Sciences xPression (formerly EMC Document Sciences x ...) NOT-FOR-US: OpenText Document Sciences xPression CVE-2017-14755 (OpenText Document Sciences xPression (formerly EMC Document Sciences x ...) NOT-FOR-US: OpenText Document Sciences xPression CVE-2017-14754 (OpenText Document Sciences xPression (formerly EMC Document Sciences x ...) NOT-FOR-US: OpenText Document Sciences xPression CVE-2017-14753 (Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web inte ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14752 (Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before 16.10 ...) - mahara NOTE: https://mahara.org/interaction/forum/topic.php?id=8083 CVE-2017-14751 (The Intense WP "WP Jobs" plugin 1.5 for WordPress has XSS, related to ...) NOT-FOR-US: Wordpress plugin CVE-2017-14750 RESERVED CVE-2017-14749 (JerryScript 1.0 allows remote attackers to cause a denial of service ( ...) NOT-FOR-US: JerryScript CVE-2017-14748 (Race condition in Blizzard Overwatch 1.15.0.2 allows remote authentica ...) NOT-FOR-US: Blizzard Overwatch CVE-2017-14747 RESERVED CVE-2017-14746 (Use-after-free vulnerability in Samba 4.x before 4.7.3 allows remote a ...) {DSA-4043-1} - samba 2:4.7.1+dfsg-2 [wheezy] - samba (Issue introduced in 4.0.0) NOTE: https://www.samba.org/samba/security/CVE-2017-14746.html CVE-2017-14745 (The *_get_synthetic_symtab functions in the Binary File Descriptor (BF ...) - binutils 2.29-11 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22148 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=94670f6cf11fc29cc6db6814b38c4305d9bcac96 (master) NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e6ff33ca50c1180725dde11c84ee93fcdb4235ef (binutils-2_29-branch) CVE-2017-14867 (Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x ...) {DSA-3984-1 DLA-1120-1} - git 1:2.14.2-1 (bug #876854) NOTE: http://www.openwall.com/lists/oss-security/2017/09/26/9 NOTE: https://public-inbox.org/git/xmqqy3p29ekj.fsf@gitster.mtv.corp.google.com/T/#u CVE-2017-14744 (UEditor 1.4.3.3 has XSS via the SRC attribute of an IFRAME element. ...) NOT-FOR-US: UEditor CVE-2017-14743 (Faleemi FSC-880 00.01.01.0048P2 devices allow unauthenticated SQL inje ...) NOT-FOR-US: Faleemi FSC-880 00.01.01.0048P2 devices CVE-2017-14742 (Buffer overflow in LabF nfsAxe FTP client 3.7 allows an attacker to ex ...) NOT-FOR-US: LabF nfsAxe CVE-2017-14741 (The ReadCAPTIONImage function in coders/caption.c in ImageMagick 7.0.7 ...) {DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #878548) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/771 NOTE: https://github.com/ImageMagick/ImageMagick/commit/7d8e14899c562157c7760a77fc91625a27cb596f NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/bb11d07139efe0f5e4ce0e4afda32abdbe82fa9d CVE-2017-14740 (Cross-site scripting (XSS) vulnerability in GeniXCMS 1.1.0 allows remo ...) NOT-FOR-US: GeniXCMS CVE-2017-14739 (The AcquireResampleFilterThreadSet function in magick/resample-private ...) {DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #878547) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/780 NOTE: https://github.com/ImageMagick/ImageMagick/commit/6017a80fe8327fefb77fa677d81154db2b857d1d NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/700fcf95b2c3f554dfbe75833b91f19dde208089 NOTE: Requires additional fixes: NOTE: https://github.com/ImageMagick/ImageMagick/commit/bbc582d5439a7f9338c6bdc8c34b1ae221ae5214 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/67a633df9386704f45d1ad24f7f5af8a5d11f4a3 CVE-2017-14738 (FileRun (version 2017.09.18 and below) suffers from a remote SQL injec ...) NOT-FOR-US: FileRun CVE-2017-14737 (A cryptographic cache-based side channel in the RSA implementation in ...) {DLA-1125-1} - botan1.10 1.10.17-0.1 (bug #877436) [stretch] - botan1.10 (Minor issue) [jessie] - botan1.10 (Minor issue) NOTE: https://github.com/randombit/botan/issues/1222 NOTE: https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/wang-shuai NOTE: for 1.10: https://github.com/randombit/botan/commit/aeb87170d1b9013b079c300c8858bad477d30bd4 NOTE: for 2.x: https://github.com/randombit/botan/commit/95df7f155570949837e8e28e733f3d59408092da CVE-2017-14736 RESERVED CVE-2017-14735 (OWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as demonstr ...) NOT-FOR-US: OWASP AntiSamy CVE-2017-14734 (The build_msps function in libbpg.c in libbpg 0.9.7 allows remote atta ...) NOT-FOR-US: libbpg CVE-2017-14733 (ReadRLEImage in coders/rle.c in GraphicsMagick 1.3.26 mishandles RLE h ...) {DSA-4321-1 DLA-1401-1 DLA-1130-1} - graphicsmagick 1.3.26-13 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=5381c71724e3 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/458/ CVE-2017-14732 RESERVED CVE-2017-14731 (ofx_proc_file in ofx_preproc.cpp in LibOFX 0.9.12 allows remote attack ...) {DLA-1192-1} - libofx 1:0.9.11-5 (bug #877442) [stretch] - libofx 1:0.9.10-2+deb9u1 [jessie] - libofx 1:0.9.10-1+deb8u1 NOTE: https://github.com/libofx/libofx/issues/10 NOTE: https://github.com/libofx/libofx/commit/fad8418f34094de42e1307113598e0e8bee0a2bd CVE-2017-14730 (The init script in the Gentoo app-admin/logstash-bin package before 5. ...) NOT-FOR-US: Gentoo packagin flaw for Logstash CVE-2017-14729 (The *_get_synthetic_symtab functions in the Binary File Descriptor (BF ...) - binutils 2.29.1-2 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: First version containing the fix was 2.29.1-2, which was quickly followed by NOTE: a fixed 2.29.1-3 for unrelated issues. NOTE: https://blogs.gentoo.org/ago/2017/09/25/binutils-heap-based-buffer-overflow-in-_bfd_x86_elf_get_synthetic_symtab-elfxx-x86-c/ NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22170 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=56933f9e3e90eebf1018ed7417d6c1184b91db6b NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=61e3bf5f83f7e505b6bc51ef65426e5b31e6e360 CVE-2017-14728 (An authentication bypass was found in an unknown area of the SiteOmat ...) NOT-FOR-US: Orpak SiteOmat CVE-2017-14726 (Before version 4.8.2, WordPress was vulnerable to a cross-site scripti ...) {DSA-3997-1} - wordpress 4.8.2+dfsg-1 (bug #876274) [wheezy] - wordpress (Vulnerable code not present) NOTE: https://core.trac.wordpress.org/changeset/41395 CVE-2017-14725 (Before version 4.8.2, WordPress was susceptible to an open redirect at ...) {DSA-3997-1 DLA-1151-1} - wordpress 4.8.2+dfsg-1 (bug #876274) NOTE: https://core.trac.wordpress.org/changeset/41398 CVE-2017-14724 (Before version 4.8.2, WordPress was vulnerable to cross-site scripting ...) - wordpress 4.8.2+dfsg-1 (bug #876274) [stretch] - wordpress 4.7.5+dfsg-2+deb9u1 [jessie] - wordpress (Vulnerable code not present) [wheezy] - wordpress (Vulnerable code not present) NOTE: https://core.trac.wordpress.org/changeset/41448 CVE-2017-14723 (Before version 4.8.2, WordPress mishandled % characters and additional ...) {DSA-3997-1 DLA-1151-1} - wordpress 4.8.2+dfsg-1 (bug #876274) NOTE: https://core.trac.wordpress.org/changeset/41470 NOTE: https://core.trac.wordpress.org/changeset/41496 NOTE: https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48 NOTE: https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec NOTE: https://medium.com/websec/wordpress-sqli-bbb2afcc8e94 NOTE: https://medium.com/websec/wordpress-sqli-poc-f1827c20bf8e CVE-2017-14722 (Before version 4.8.2, WordPress allowed a Directory Traversal attack i ...) {DSA-3997-1 DLA-1151-1} - wordpress 4.8.2+dfsg-1 (bug #876274) NOTE: https://core.trac.wordpress.org/changeset/41397 CVE-2017-14721 (Before version 4.8.2, WordPress allowed Cross-Site scripting in the pl ...) {DSA-3997-1 DLA-1151-1} - wordpress 4.8.2+dfsg-1 (bug #876274) NOTE: https://core.trac.wordpress.org/changeset/41412 CVE-2017-14720 (Before version 4.8.2, WordPress allowed a Cross-Site scripting attack ...) {DSA-3997-1 DLA-1151-1} - wordpress 4.8.2+dfsg-1 (bug #876274) NOTE: https://core.trac.wordpress.org/changeset/41412 CVE-2017-14719 (Before version 4.8.2, WordPress was vulnerable to a directory traversa ...) {DSA-3997-1 DLA-1151-1} - wordpress 4.8.2+dfsg-1 (bug #876274) NOTE: https://core.trac.wordpress.org/changeset/41457 CVE-2017-14718 (Before version 4.8.2, WordPress was susceptible to a Cross-Site Script ...) {DSA-3997-1 DLA-1151-1} - wordpress 4.8.2+dfsg-1 (bug #876274) NOTE: https://core.trac.wordpress.org/changeset/41393 CVE-2017-14727 (logger.c in the logger plugin in WeeChat before 1.9.1 allows a crash v ...) {DLA-1111-1} - weechat 1.9.1-1 (bug #876553) [stretch] - weechat 1.6-1+deb9u2 [jessie] - weechat 1.0.1-1+deb8u2 NOTE: Fixed by: https://github.com/weechat/weechat/commit/f105c6f0b56fb5687b2d2aedf37cb1d1b434d556 CVE-2017-14717 (In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Descripti ...) NOT-FOR-US: EPESI CVE-2017-14716 (In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Title par ...) NOT-FOR-US: EPESI CVE-2017-14715 (In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Alerts Ti ...) NOT-FOR-US: EPESI CVE-2017-14714 (In EPESI 1.8.2 rev20170830, there is Stored XSS in the Phonecalls Subj ...) NOT-FOR-US: EPESI CVE-2017-14713 (In EPESI 1.8.2 rev20170830, there is Stored XSS in the Phonecalls Desc ...) NOT-FOR-US: EPESI CVE-2017-14712 (In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Phonecall ...) NOT-FOR-US: EPESI CVE-2017-14711 (The Kickbase GmbH "Kickbase Bundesliga Manager" app before 2.2.1 -- ak ...) NOT-FOR-US: Kickbase GmbH "Kickbase Bundesliga Manager" CVE-2017-14710 (The Shein Group Ltd. "SHEIN - Fashion Shopping" app -- aka shein fashi ...) NOT-FOR-US: Fashion Shopping app CVE-2017-14709 (The komoot GmbH "Komoot - Cycling & Hiking Maps" app before 9.3.2 ...) NOT-FOR-US: Cycling & Hiking Maps app CVE-2017-14708 RESERVED CVE-2017-14707 RESERVED CVE-2017-14706 (DenyAll WAF before 6.4.1 allows unauthenticated remote attackers to ob ...) NOT-FOR-US: DenyAll WAF CVE-2017-14705 (DenyAll WAF before 6.4.1 allows unauthenticated remote command executi ...) NOT-FOR-US: DenyAll WAF CVE-2017-14704 (Multiple unrestricted file upload vulnerabilities in the (1) imageSubm ...) NOT-FOR-US: Claydip Laravel Airbnb Clone CVE-2017-14703 (SQL injection vulnerability in Cash Back Comparison Script 1.0 allows ...) NOT-FOR-US: Cash Back Comparison Script CVE-2017-14702 (ERS Data System 1.8.1.0 allows remote attackers to execute arbitrary c ...) NOT-FOR-US: ERS Data System CVE-2017-14701 RESERVED CVE-2017-14700 RESERVED CVE-2017-14699 (Multiple XML external entity (XXE) vulnerabilities in the AiCloud feat ...) NOT-FOR-US: ASUS routers CVE-2017-14698 (ASUS DSL-AC51, DSL-AC52U, DSL-AC55U, DSL-N55U C1, DSL-N55U D1, DSL-AC5 ...) NOT-FOR-US: ASUS routers CVE-2017-14697 RESERVED CVE-2017-14696 (SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7 ...) - salt 2016.11.8+dfsg1-1 (bug #879090) [stretch] - salt 2016.11.2+ds-1+deb9u1 [jessie] - salt (Minor issue) NOTE: Fixed by: https://github.com/saltstack/salt/commit/5f8b5e1a0f23fe0f2be5b3c3e04199b57a53db5b NOTE: Fixed by: https://github.com/saltstack/salt/commit/89e084bda356739de645c15e7d1968afebdcc56e (2016.11) CVE-2017-14695 (Directory traversal vulnerability in minion id validation in SaltStack ...) - salt 2016.11.8+dfsg1-1 (bug #879089) [stretch] - salt 2016.11.2+ds-1+deb9u1 [jessie] - salt (Minor issue) NOTE: Fixed by: https://github.com/saltstack/salt/commit/80d90307b07b3703428ecbb7c8bb468e28a9ae6d NOTE: Fixed by: https://github.com/saltstack/salt/commit/206ae23f15cb7ec95a07dee4cbe9802da84f9c42 (2016.11) CVE-2017-14694 (Foxit Reader 8.3.2.25013 and earlier and Foxit PhantomPDF 8.3.2.25013 ...) NOT-FOR-US: Foxit Reader CVE-2017-14693 (IrfanView 4.44 - 32bit allows attackers to cause a denial of service o ...) NOT-FOR-US: IrfanView CVE-2017-14692 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14691 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14690 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14689 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14688 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14687 (Artifex MuPDF 1.11 allows attackers to cause a denial of service or po ...) {DSA-4006-1 DLA-1164-1} - mupdf 1.11+ds1-1.1 (bug #877379) [jessie] - mupdf (Minor issue) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698558 NOTE: Fixed by: http://git.ghostscript.com/?p=mupdf.git;h=2b16dbd8f73269cb15ca61ece75cf8d2d196ed28 NOTE: Several fz_xml_tag && !strcmp idoms are used in older versions CVE-2017-14686 (Artifex MuPDF 1.11 allows attackers to execute arbitrary code or cause ...) {DSA-4006-1} - mupdf 1.11+ds1-1.1 (bug #877379) [jessie] - mupdf (vulnerable code not present, poc not effective) [wheezy] - mupdf (vulnerable code not present) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698540 NOTE: Fixed by: http://git.ghostscript.com/?p=mupdf.git;h=0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1 CVE-2017-14685 (Artifex MuPDF 1.11 allows attackers to cause a denial of service or po ...) {DSA-4006-1} - mupdf 1.11+ds1-1.1 (bug #877379) [jessie] - mupdf (vulnerable code not present, poc not effective) [wheezy] - mupdf (vulnerable code not present) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698539 NOTE: Fixed by: http://git.ghostscript.com/?p=mupdf.git;h=ab1a420613dec93c686acbee2c165274e922f82a CVE-2017-14684 (In ImageMagick 7.0.7-4 Q16, a memory leak vulnerability was found in t ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant; bug #876487) NOTE: https://github.com/ImageMagick/ImageMagick/issues/770 NOTE: https://github.com/ImageMagick/ImageMagick/commit/dd367e0c3c3f37fbf1c20fa107b67a668b22c6e2 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/a25142f284384a10306f14393d9bfd7af95ddfff CVE-2017-14683 (geminabox (aka Gem in a Box) before 0.13.7 has CSRF, as demonstrated b ...) NOT-FOR-US: geminabox CVE-2017-14682 (GetNextToken in MagickCore/token.c in ImageMagick 7.0.6 allows remote ...) {DSA-4040-1 DSA-4032-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #876488) NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=32726 NOTE: https://github.com/ImageMagick/ImageMagick/commit/3bee958ee63eb6ec62834d0c7b28b4b6835e6a00 CVE-2017-14681 (The daemon in P3Scan 3.0_rc1 and earlier creates a p3scan.pid file aft ...) - p3scan (bug #876674) [stretch] - p3scan (Minor issue) [jessie] - p3scan (Minor issue) [wheezy] - p3scan (Minor issue) NOTE: https://sourceforge.net/p/p3scan/bugs/33/ CVE-2017-14680 (ZKTeco ZKTime Web 2.0.1.12280 allows remote attackers to obtain sensit ...) NOT-FOR-US: ZKTeco ZKTime Web CVE-2017-14679 REJECTED CVE-2017-14678 REJECTED CVE-2017-14677 REJECTED CVE-2017-14676 REJECTED CVE-2017-14675 REJECTED CVE-2017-14674 REJECTED CVE-2017-14673 REJECTED CVE-2017-14672 REJECTED CVE-2017-14671 REJECTED CVE-2017-14670 REJECTED CVE-2017-14669 REJECTED CVE-2017-14668 REJECTED CVE-2017-14667 REJECTED CVE-2017-14666 REJECTED CVE-2017-14665 REJECTED CVE-2017-14664 REJECTED CVE-2017-14663 REJECTED CVE-2017-14662 REJECTED CVE-2017-14661 REJECTED CVE-2017-14660 REJECTED CVE-2017-14659 REJECTED CVE-2017-14658 REJECTED CVE-2017-14657 REJECTED CVE-2017-14656 REJECTED CVE-2017-14655 REJECTED CVE-2017-14654 RESERVED CVE-2017-14653 (member/Orderinfo.asp in ASP4CMS AspCMS 2.7.2 allows remote authenticat ...) NOT-FOR-US: ASP4CMS AspCMS CVE-2017-14652 (SQL Injection vulnerability in mobiquo/lib/classTTForum.php in the Tap ...) NOT-FOR-US: Tapatalk plugin for MyBB CVE-2017-14651 (WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_colle ...) NOT-FOR-US: WSO2 Data Analytics Server CVE-2017-14649 (ReadOneJNGImage in coders/png.c in GraphicsMagick version 1.3.26 does ...) - graphicsmagick 1.3.26-12 (unimportant; bug #876460) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/358608a46f0a NOTE: https://blogs.gentoo.org/ago/2017/09/19/graphicsmagick-assertion-failure-in-pixel_cache-c/ NOTE: https://sourceforge.net/p/graphicsmagick/bugs/439/ CVE-2017-14648 (A global buffer overflow was discovered in the iteration_loop function ...) NOT-FOR-US: BladeEnc CVE-2017-14647 (A heap-based buffer overflow was discovered in AP4_VisualSampleEntry:: ...) NOT-FOR-US: Bento4 CVE-2017-14646 (The AP4_AvccAtom and AP4_HvccAtom classes in Bento4 version 1.5.0-617 ...) NOT-FOR-US: Bento4 CVE-2017-14645 (A heap-based buffer over-read was discovered in AP4_BitStream::ReadByt ...) NOT-FOR-US: Bento4 CVE-2017-14644 (A heap-based buffer overflow was discovered in the AP4_HdlrAtom class ...) NOT-FOR-US: Bento4 CVE-2017-14643 (The AP4_HdlrAtom class in Core/Ap4HdlrAtom.cpp in Bento4 version 1.5.0 ...) NOT-FOR-US: Bento4 CVE-2017-14642 (A NULL pointer dereference was discovered in the AP4_HdlrAtom class in ...) NOT-FOR-US: Bento4 CVE-2017-14641 (A NULL pointer dereference was discovered in the AP4_DataAtom class in ...) NOT-FOR-US: Bento4 CVE-2017-14640 (A NULL pointer dereference was discovered in AP4_AtomSampleTable::GetS ...) NOT-FOR-US: Bento4 CVE-2017-14639 (AP4_VisualSampleEntry::ReadFields in Core/Ap4SampleEntry.cpp in Bento4 ...) NOT-FOR-US: Bento4 CVE-2017-14638 (AP4_AtomFactory::CreateAtomFromStream in Core/Ap4AtomFactory.cpp in Be ...) NOT-FOR-US: Bento4 CVE-2017-14637 (In sam2p 0.49.3, there is an invalid read of size 2 in the parse_rgb f ...) {DLA-1127-1} - sam2p (bug #876744) [jessie] - sam2p 0.49.2-3+deb8u1 NOTE: https://github.com/pts/sam2p/issues/14 (bug 5) CVE-2017-14636 (Because of an integer overflow in sam2p 0.49.3, a loop executes 0xffff ...) {DLA-1127-1} - sam2p (bug #876744) [jessie] - sam2p 0.49.2-3+deb8u1 NOTE: https://github.com/pts/sam2p/issues/14 (bug 4) CVE-2017-14635 (In Open Ticket Request System (OTRS) 3.3.x before 3.3.18, 4.x before 4 ...) {DSA-4021-1 DLA-1119-1} - otrs2 5.0.23-1 (bug #876462) NOTE: https://github.com/OTRS/otrs/commit/a4093dc404fcbd87b235b31c72913141672f2a85 (rel-5_0) NOTE: https://github.com/OTRS/otrs/commit/00bcc89dc2443b5d8b34a0908e224373926aa618 (rel-5_0) NOTE: https://github.com/OTRS/otrs/commit/b69c2533c951fa72bfe238f255ce76352f054897 (rel-5_0) NOTE: https://github.com/OTRS/otrs/commit/b92ec17196ac3e1fdcab40fbb16dbb602d5d52b5 (rel-5_0) NOTE: https://github.com/OTRS/otrs/commit/3ccc426ec220267d0cac8e3fdc39015a3db7d720 (rel-3_3) NOTE: https://github.com/OTRS/otrs/commit/f27dc65e4a937ba832d60e212ce6c9e3a28e406b (rel-3_3) NOTE: https://github.com/OTRS/otrs/commit/454c50116c2bf82dcd9dfee9146a7416be686875 (rel-3_3) NOTE: https://github.com/OTRS/otrs/commit/5468720cc8225a85699b1977ff230adbf9f8362d (rel-3_3) NOTE: https://github.com/OTRS/otrs/commit/0583dfda7bc9c7d76457aad68083f4b28a288ce5 (rel-3_3) NOTE: https://www.otrs.com/security-advisory-2017-04-security-update-otrs-versions/ CVE-2017-14650 (A Remote Code Execution vulnerability has been found in the Horde_Imag ...) {DSA-4276-1 DLA-1395-1} - php-horde-image 2.5.2-1 (bug #876400) NOTE: https://marc.info/?l=horde-announce&m=150600299528079&w=2 NOTE: https://github.com/horde/horde/commit/eb3afd14c22c77ae0d29e2848f5ac726ef6e7c5b CVE-2017-14634 (In libsndfile 1.0.28, a divide-by-zero error exists in the function do ...) {DLA-1618-1} - libsndfile 1.0.28-5 (bug #876783) [stretch] - libsndfile (Minor issue) [wheezy] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/318 NOTE: Fixed by: https://github.com/erikd/libsndfile/commit/85c877d5072866aadbe8ed0c3e0590fbb5e16788 CVE-2017-14633 (In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability ...) {DSA-4113-1 DLA-2039-1 DLA-1368-1} - libvorbis 1.3.5-4.1 (bug #876778) NOTE: https://gitlab.xiph.org/xiph/vorbis/issues/2329 NOTE: https://github.com/xiph/vorbis/pull/34 NOTE: https://gitlab.xiph.org/xiph/vorbis/commit/a79ec216cd119069c68b8f3542c6a425a74ab993 CVE-2017-14632 (Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon freeing uni ...) {DSA-4113-1 DLA-1368-1} - libvorbis 1.3.5-4.1 (bug #876779) [jessie] - libvorbis (Vulnerable code not present) [wheezy] - libvorbis (Vulnerable code not present) NOTE: https://gitlab.xiph.org/xiph/vorbis/issues/2328 NOTE: https://github.com/xiph/vorbis/issues/29 NOTE: https://github.com/xiph/vorbis/pull/34 CVE-2017-14631 (In sam2p 0.49.3, the pcxLoadRaster function in in_pcx.cpp has an integ ...) {DLA-1127-1} - sam2p (bug #876744) [jessie] - sam2p 0.49.2-3+deb8u1 NOTE: https://github.com/pts/sam2p/issues/14 (bug 1) CVE-2017-14630 (In sam2p 0.49.3, an integer overflow exists in the pcxLoadImage24 func ...) {DLA-1127-1} - sam2p (bug #876744) [jessie] - sam2p 0.49.2-3+deb8u1 NOTE: https://github.com/pts/sam2p/issues/14 (bug 6) CVE-2017-14629 (In sam2p 0.49.3, the in_xpm_reader function in in_xpm.cpp has an integ ...) {DLA-1127-1} - sam2p (bug #876744) [jessie] - sam2p 0.49.2-3+deb8u1 NOTE: https://github.com/pts/sam2p/issues/14 (bug 3) CVE-2017-14628 (In sam2p 0.49.3, a heap-based buffer overflow exists in the pcxLoadIma ...) {DLA-1127-1} - sam2p (bug #876744) [jessie] - sam2p 0.49.2-3+deb8u1 NOTE: https://github.com/pts/sam2p/issues/14 (bug 2) CVE-2017-14627 (Stack-based buffer overflows in CyberLink LabelPrint 2.5 allow remote ...) NOT-FOR-US: CyberLink LabelPrint CVE-2017-14626 (ImageMagick 7.0.7-0 Q16 has a NULL Pointer Dereference vulnerability i ...) {DLA-1785-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #878524) [stretch] - imagemagick (Minor issue) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/720 NOTE: https://github.com/ImageMagick/ImageMagick/issues/721 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/90b301db18434b2c2228776d06c2898b5fed74f0 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/cc797c296c30f3ec31cd02418b58a2c27549b0a9 CVE-2017-14625 (ImageMagick 7.0.7-0 Q16 has a NULL Pointer Dereference vulnerability i ...) {DLA-1785-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #877355) [stretch] - imagemagick (Minor issue) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/721 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/cc797c296c30f3ec31cd02418b58a2c27549b0a9 CVE-2017-14624 (ImageMagick 7.0.7-0 Q16 has a NULL Pointer Dereference vulnerability i ...) {DLA-1785-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #877354) [stretch] - imagemagick (Minor issue) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/722 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/9ff805077fd5297dc41dc989f9dba59877e12f97 CVE-2017-14623 (In the ldap.v2 (aka go-ldap) package through 2.5.0 for Go, an attacker ...) - golang-github-go-ldap-ldap 2.5.1-1 (low; bug #876404) [stretch] - golang-github-go-ldap-ldap 2.4.1-1+deb9u1 NOTE: https://github.com/go-ldap/ldap/pull/126 NOTE: https://github.com/go-ldap/ldap/commit/95ede1266b237bf8e9aa5dce0b3250e51bfefe66 CVE-2017-14622 (Multiple cross-site scripting (XSS) vulnerabilities in the 2kb Amazon ...) NOT-FOR-US: 2kb Amazon Affiliates Store plugin for WordPress CVE-2017-14621 (Portus 2.2.0 has XSS via the Team field, related to typeahead. ...) NOT-FOR-US: Portus CVE-2017-14620 (SmarterStats Version 11.3.6347 will Render the Referer Field of HTTP L ...) NOT-FOR-US: SmarterStats CVE-2017-14619 (Cross-site scripting (XSS) vulnerability in phpMyFAQ through 2.9.8 all ...) NOT-FOR-US: phpMyFAQ CVE-2017-14618 (Cross-site scripting (XSS) vulnerability in inc/PMF/Faq.php in phpMyFA ...) NOT-FOR-US: phpMyFAQ CVE-2017-14617 (In Poppler 0.59.0, a floating point exception occurs in the ImageStrea ...) {DLA-1116-1} - poppler 0.61.1-2 (bug #876385) [stretch] - poppler (Minor issue) [jessie] - poppler (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102854 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=939465c40902d72e0c05d4f3a27ee67e4a007ed7 NOTE: The patch applied in 0.48.0-2+deb9u1 (stretch) and 0.26.5-2+deb8u2 (jessie) NOTE: does not completely fix the issue thus still marked as unfixed even if the NOTE: CVE is recorded in debian/changelog. CVE-2015-9232 (The Good for Enterprise application 3.0.0.415 for Android does not use ...) NOT-FOR-US: Good for Enterprise application for Android CVE-2017-14616 (An FBX-5312 issue was discovered in WatchGuard Fireware before 12.0. I ...) NOT-FOR-US: WatchGuard Fireware CVE-2017-14615 (An FBX-5313 issue was discovered in WatchGuard Fireware before 12.0. W ...) NOT-FOR-US: WatchGuard Fireware CVE-2017-14614 (Directory traversal vulnerability in the Visor GUI Console in GridGain ...) NOT-FOR-US: GridGain CVE-2017-14613 RESERVED CVE-2017-14612 ("Shpock Boot Sale & Classifieds" app before 3.17.0 -- aka shpock-b ...) NOT-FOR-US: Book sale app CVE-2017-14611 (SSRF (Server Side Request Forgery) in Cockpit 0.13.0 allows remote att ...) NOT-FOR-US: Cockpit CMS (different from src:cockpit) CVE-2017-14610 (bareos-dir, bareos-fd, and bareos-sd in bareos-core in Bareos 16.2.6 a ...) - bareos (low; bug #877334) [buster] - bareos (Minor issue) [stretch] - bareos (Minor issue) [jessie] - bareos (Minor issue) NOTE: https://bugs.bareos.org/view.php?id=847 CVE-2017-14609 (The server daemons in Kannel 1.5.0 and earlier create a PID file after ...) - kannel (No real security issue in combination with start-stop-daemon from dpkg, see #877361) NOTE: https://redmine.kannel.org/issues/771 CVE-2017-14608 (In LibRaw through 0.18.4, an out of bounds read flaw related to kodak_ ...) {DLA-1109-1} - libraw 0.18.5-1 (low) [stretch] - libraw (Minor issue) [jessie] - libraw (Minor issue) NOTE: https://github.com/LibRaw/LibRaw/commit/d13e8f6d1e987b7491182040a188c16a395f1d21 NOTE: https://github.com/LibRaw/LibRaw/issues/101 CVE-2017-14607 (In ImageMagick 7.0.7-4 Q16, an out of bounds read flaw related to Read ...) {DSA-4040-1 DSA-4032-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #878527) NOTE: IM6 patch: https://github.com/ImageMagick/ImageMagick/commit/cd665c3d05b46d1579c738a72214175ff50aec74 NOTE: https://github.com/ImageMagick/ImageMagick/issues/765 CVE-2017-14606 RESERVED CVE-2017-14605 RESERVED CVE-2015-9231 (iTerm2 3.x before 3.1.1 allows remote attackers to discover passwords ...) NOT-FOR-US: iTerm2 CVE-2017-14604 (GNOME Nautilus before 3.23.90 allows attackers to spoof a file type by ...) {DSA-3994-1} - nautilus 3.25.90-1 (bug #860268) [jessie] - nautilus (Minor issue, issue mitigated because does not silently decompress tarballs) [wheezy] - nautilus (Minor issue, issue mitigated because does not silently decompress tarballs) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777991 NOTE: https://micahflee.com/2017/04/breaking-the-security-model-of-subgraph-os/ NOTE: https://github.com/freedomofpress/securedrop/issues/2238 NOTE: https://github.com/GNOME/nautilus/commit/1630f53481f445ada0a455e9979236d31a8d3bb0 CVE-2017-14603 (In Asterisk 11.x before 11.25.3, 13.x before 13.17.2, and 14.x before ...) {DSA-3990-1} - asterisk 1:13.17.2~dfsg-1 (bug #876328) [wheezy] - asterisk (strictrtp option is disabled by default. Too intrusive too backport) NOTE: http://downloads.asterisk.org/pub/security/AST-2017-008.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27274 NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27252 CVE-2017-14602 (A vulnerability has been identified in the management interface of Cit ...) NOT-FOR-US: Citrix CVE-2017-14601 (Pragyan CMS v3.0 is vulnerable to a Boolean-based SQL injection in cms ...) NOT-FOR-US: Pragyan CMS CVE-2017-14600 (Pragyan CMS v3.0 is vulnerable to an Error-Based SQL injection in cms/ ...) NOT-FOR-US: Pragyan CMS CVE-2017-14599 RESERVED CVE-2017-14598 RESERVED CVE-2017-14597 (AdminPanel in AfterLogic WebMail 7.7 and Aurora 7.7.5 has XSS via the ...) NOT-FOR-US: AfterLogic WebMail CVE-2017-14596 (In Joomla! before 3.8.0, inadequate escaping in the LDAP authenticatio ...) NOT-FOR-US: Joomla! CVE-2017-14595 (In Joomla! before 3.8.0, a logic bug in a SQL query could lead to the ...) NOT-FOR-US: Joomla! CVE-2017-14594 (The printable searchrequest issue resource in Atlassian Jira before ve ...) NOT-FOR-US: Atlassian Jira CVE-2017-14593 (Sourcetree for Windows had several argument and command injection bugs ...) NOT-FOR-US: Atlassian Sourcetree CVE-2017-14592 (Sourcetree for macOS had several argument and command injection bugs i ...) NOT-FOR-US: Atlassian Sourcetree CVE-2017-14591 (Atlassian Fisheye and Crucible versions less than 4.4.3 and version 4. ...) NOT-FOR-US: Atlassian CVE-2017-14590 (Bamboo did not check that the name of a branch in a Mercurial reposito ...) NOT-FOR-US: Atlassian Bamboo CVE-2017-14589 (It was possible for double OGNL evaluation in FreeMarker templates thr ...) NOT-FOR-US: Atlassian Bamboo CVE-2017-14588 (Various resources in Atlassian FishEye and Crucible before version 4.4 ...) NOT-FOR-US: Atlassian CVE-2017-14587 (The administration user deletion resource in Atlassian FishEye and Cru ...) NOT-FOR-US: Atlassian CVE-2017-14586 (The Hipchat for Mac desktop client is vulnerable to client-side remote ...) NOT-FOR-US: Atlassian CVE-2017-14585 (A Server Side Request Forgery (SSRF) vulnerability could lead to remot ...) NOT-FOR-US: Atlassian CVE-2017-14584 RESERVED CVE-2017-14583 (NetApp Clustered Data ONTAP versions 9.x prior to 9.1P10 and 9.2P2 are ...) NOT-FOR-US: NetApp Clustered Data ONTAP CVE-2017-14582 (The Zoho Site24x7 Mobile Network Poller application before 1.1.5 for A ...) NOT-FOR-US: Zoho CVE-2017-XXXX [pcb code injection by malicious layout file] - pcb-rnd 1.2.5-2 (bug #876540) [stretch] - pcb-rnd 1.1.4-2 CVE-2017-14581 (The Host Control web service in SAP NetWeaver AS JAVA 7.0 through 7.5 ...) NOT-FOR-US: SAP CVE-2017-14580 (XnView Classic for Windows Version 2.41 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-14579 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14578 (IrfanView 4.44 - 32bit allows attackers to cause a denial of service o ...) NOT-FOR-US: IrfanView CVE-2017-14577 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14576 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14575 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14574 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14573 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14572 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14571 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14570 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14569 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14568 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14567 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14566 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14565 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14564 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14563 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14562 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14561 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14560 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14559 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14558 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14557 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14556 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14555 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14554 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14553 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14552 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14551 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14550 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14549 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14548 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14547 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14546 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14545 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14544 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14543 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14542 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14541 (XnView Classic for Windows Version 2.40 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-14540 (IrfanView 4.44 - 32bit allows attackers to cause a denial of service o ...) NOT-FOR-US: IrfanView CVE-2017-14539 (IrfanView 4.44 - 32bit allows attackers to cause a denial of service o ...) NOT-FOR-US: IrfanView CVE-2017-14538 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-14537 (trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter t ...) NOT-FOR-US: trixbox CVE-2017-14536 (trixbox 2.8.0.4 has XSS via the PATH_INFO to /maint/index.php or /user ...) NOT-FOR-US: trixbox CVE-2017-14535 (trixbox 2.8.0.4 has OS command injection via shell metacharacters in t ...) NOT-FOR-US: trixbox CVE-2017-14534 (Cross Site Scripting (XSS) exists in NexusPHP 1.5.beta5.20120707 via t ...) NOT-FOR-US: NexusPHP CVE-2017-14533 (ImageMagick 7.0.6-6 has a memory leak in ReadMATImage in coders/mat.c. ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/648 NOTE: https://github.com/ImageMagick/ImageMagick/commit/f1f2089e79bcf5714cefba7cdc47049b4ac53c6b NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/bdfc5538051ad0d1c2083ba2a29180ff6abea907 CVE-2017-14532 (ImageMagick 7.0.7-0 has a NULL Pointer Dereference in TIFFIgnoreTags i ...) {DLA-1785-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #878541) [stretch] - imagemagick (Minor issue) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/719 NOTE: https://github.com/ImageMagick/ImageMagick/commit/1942317d9208ea17ee17d976a39768cd51d74160 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/c55fb18c3f78445d100a378ab8b3c0acd53c6590 CVE-2017-14531 (ImageMagick 7.0.7-0 has a memory exhaustion issue in ReadSUNImage in c ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/718 NOTE: https://github.com/ImageMagick/ImageMagick/commit/69967f4161bd14d8e03ea463d6545da442a6ea78 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/1385a09732c261f1f403a9af6700979ca56c76d3 CVE-2017-14530 (WP_Admin_UI in the Crony Cronjob Manager plugin before 0.4.7 for WordP ...) NOT-FOR-US: Crony Cronjob Manager plugin for WordPress CVE-2017-14529 (The pe_print_idata function in peXXigen.c in the Binary File Descripto ...) - binutils 2.29-10 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22113 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4d465c689a8fb27212ef358d0aee89d60dee69a6 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=dcaaca89e8618eba35193c27afcb1cfa54f74582 CVE-2017-14528 (The TIFFSetProfiles function in coders/tiff.c in ImageMagick 7.0.6 has ...) [experimental] - imagemagick 8:6.9.10.2+dfsg-1 - imagemagick 8:6.9.10.2+dfsg-2 (bug #878544) [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (Vulnerable code not present) [wheezy] - imagemagick (Can't reproduce crash with file) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2730 NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=32560 CVE-2017-14527 (Multiple XML external entity (XXE) vulnerabilities in the OpenText Doc ...) NOT-FOR-US: OpenText Documentum Webtop CVE-2017-14526 (Multiple XML external entity (XXE) vulnerabilities in the OpenText Doc ...) NOT-FOR-US: OpenText Documentum Administrator CVE-2017-14525 (Multiple open redirect vulnerabilities in OpenText Documentum Webtop 6 ...) NOT-FOR-US: OpenText Documentum Webtop CVE-2017-14524 (Multiple open redirect vulnerabilities in OpenText Documentum Administ ...) NOT-FOR-US: OpenText Documentum Administrator CVE-2017-14523 (** DISPUTED ** WonderCMS 2.3.1 is vulnerable to an HTTP Host header i ...) NOT-FOR-US: WonderCMS CVE-2017-14522 (** DISPUTED ** In WonderCMS 2.3.1, the application's input fields acc ...) NOT-FOR-US: WonderCMS CVE-2017-14521 (In WonderCMS 2.3.1, the upload functionality accepts random applicatio ...) NOT-FOR-US: WonderCMS CVE-2017-14520 (In Poppler 0.59.0, a floating point exception occurs in Splash::scaleI ...) {DSA-4079-1} - poppler 0.61.1-2 (low; bug #876081) [wheezy] - poppler (vulnerable code not present) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102719 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=504b3590182175390f474657a372e78fb1508262 CVE-2017-14519 (In Poppler 0.59.0, memory corruption occurs in a call to Object::strea ...) {DSA-4079-1 DLA-1116-1} - poppler 0.61.1-2 (bug #876086) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102701 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=aaf5327649e8f7371c9d3270e7813c43ddfd47ee CVE-2017-14518 (In Poppler 0.59.0, a floating point exception exists in the isImageInt ...) {DSA-4079-1} - poppler 0.61.1-2 (low; bug #876082) [wheezy] - poppler (vulnerable code not present) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102688 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=80f9819b6233f9f9b5fd44f0e4cad026e5d048c2 CVE-2017-14517 (In Poppler 0.59.0, a NULL Pointer Dereference exists in the XRef::pars ...) {DSA-4079-1 DLA-1116-1} - poppler 0.61.1-2 (low; bug #876079) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102687 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=476394e7a025e02e4897da2e765df2c895d0708f CVE-2017-14516 (Cross-Site Scripting (XSS) exists in SAP Business Objects Financial Co ...) NOT-FOR-US: SAP Business Objects Financial Consolidation CVE-2017-14515 (Heap-based Buffer Overflow on Tenda W15E devices before 15.11.0.14 all ...) NOT-FOR-US: Tenda W15E devices CVE-2017-14514 (Directory Traversal on Tenda W15E devices before 15.11.0.14 allows rem ...) NOT-FOR-US: Tenda W15E devices CVE-2017-14513 (Directory traversal vulnerability in MetInfo 5.3.17 allows remote atta ...) NOT-FOR-US: MetInfo CVE-2017-14512 (NexusPHP 1.5.beta5.20120707 has SQL Injection in forummanage.php via t ...) NOT-FOR-US: NexusPHP CVE-2017-14511 (An issue was discovered in SAP E-Recruiting (aka ERECRUIT) 605 through ...) NOT-FOR-US: SAP CVE-2017-14510 (An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2 ...) NOT-FOR-US: SugarCRM CVE-2017-14509 (An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2 ...) NOT-FOR-US: SugarCRM CVE-2017-14508 (An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2 ...) NOT-FOR-US: SugarCRM CVE-2016-10511 (The Twitter iOS client versions 6.62 and 6.62.1 fail to validate Twitt ...) NOT-FOR-US: Twitter iOS client CVE-2017-14507 (Multiple SQL injection vulnerabilities in the Content Timeline plugin ...) NOT-FOR-US: Content Timeline plugin for WordPress CVE-2017-14506 (geminabox (aka Gem in a Box) before 0.13.6 has XSS, as demonstrated by ...) NOT-FOR-US: geminabox CVE-2017-14505 (DrawGetStrokeDashArray in wand/drawing-wand.c in ImageMagick 7.0.7-1 m ...) {DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #878545) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/716 NOTE: https://github.com/ImageMagick/ImageMagick/commit/6ad5fc3c9b652eec27fc0b1a0817159f8547d5d9 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/f7b0cf098bc800c5b6181dc522a99997bfee8948 CVE-2017-14504 (ReadPNMImage in coders/pnm.c in GraphicsMagick 1.3.26 does not ensure ...) {DSA-4321-1 DLA-1456-1 DLA-1130-1} - graphicsmagick 1.3.26-11 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=fb09ca6dd22c NOTE: https://sourceforge.net/p/graphicsmagick/bugs/465/ NOTE: https://sourceforge.net/p/graphicsmagick/bugs/466/ CVE-2017-14503 (libarchive 3.3.2 suffers from an out-of-bounds read within lha_read_da ...) {DSA-4360-1 DLA-1600-1} - libarchive 3.2.2-4.1 (bug #875960) [wheezy] - libarchive (Minor issue) NOTE: https://github.com/libarchive/libarchive/issues/948 NOTE: https://github.com/libarchive/libarchive/commit/2c8c83b9731ff822fad6cc8c670ea5519c366a14 CVE-2017-14502 (read_header in archive_read_support_format_rar.c in libarchive 3.3.2 s ...) {DSA-4360-1 DLA-1600-1} - libarchive 3.2.2-4.1 (bug #875974) [wheezy] - libarchive (Minor issue) NOTE: https://github.com/libarchive/libarchive/commit/5562545b5562f6d12a4ef991fae158bf4ccf92b6 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=573 CVE-2017-14501 (An out-of-bounds read flaw exists in parse_file_info in archive_read_s ...) {DSA-4360-1 DLA-1600-1} - libarchive 3.2.2-4.2 (bug #875966) [wheezy] - libarchive (Minor issue) NOTE: https://github.com/libarchive/libarchive/issues/949 NOTE: https://github.com/libarchive/libarchive/commit/f9569c086ff29259c73790db9cbf39fe8fb9d862 CVE-2017-14500 (Improper Neutralization of Special Elements used in an OS Command in t ...) {DSA-3977-1 DLA-1104-1} - newsbeuter 2.9-7 (bug #876004) NOTE: http://openwall.com/lists/oss-security/2017/09/16/1 NOTE: newsbeuter-2.9.x: https://github.com/akrennmair/newsbeuter/commit/26f5a4350f3ab5507bb8727051c87bb04660f333 NOTE: master: https://github.com/akrennmair/newsbeuter/commit/c8fea2f60c18ed30bdd1bb6f798e994e51a58260 NOTE: https://github.com/akrennmair/newsbeuter/issues/598 CVE-2017-14499 RESERVED CVE-2017-14498 (SilverStripe CMS before 3.6.1 has XSS via an SVG document that is mish ...) NOT-FOR-US: SilverStripe CMS CVE-2017-14497 (The tpacket_rcv function in net/packet/af_packet.c in the Linux kernel ...) - linux 4.12.13-1 [stretch] - linux 4.9.30-2+deb9u5 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/edbd58be15a957f6a760c4a514cd475217eb97fd (v4.13) CVE-2017-14496 (Integer underflow in the add_pseudoheader function in dnsmasq before 2 ...) - dnsmasq 2.78-1 [stretch] - dnsmasq 2.76-5+deb9u1 [jessie] - dnsmasq (Vulnerable code introduced later) [wheezy] - dnsmasq (Vulnerable code introduced later) NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=897c113fda0886a28a986cc6ba17bb93bd6cb1c7 CVE-2017-14495 (Memory leak in dnsmasq before 2.78, when the --add-mac, --add-cpe-id o ...) - dnsmasq 2.78-1 [stretch] - dnsmasq 2.76-5+deb9u1 [jessie] - dnsmasq (Vulnerable code introduced later) [wheezy] - dnsmasq (Vulnerable code introduced later) NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=51eadb692a5123b9838e5a68ecace3ac579a3a45 CVE-2017-14494 (dnsmasq before 2.78, when configured as a relay, allows remote attacke ...) {DSA-3989-1 DLA-1124-1} - dnsmasq 2.78-1 NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=33e3f1029c9ec6c63e430ff51063a6301d4b2262 CVE-2017-14493 (Stack-based buffer overflow in dnsmasq before 2.78 allows remote attac ...) {DSA-3989-1} - dnsmasq 2.78-1 [wheezy] - dnsmasq (Vulnerable code introduced later) NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3d4ff1ba8419546490b464418223132529514033 CVE-2017-14492 (Heap-based buffer overflow in dnsmasq before 2.78 allows remote attack ...) {DSA-3989-1 DLA-1124-1} - dnsmasq 2.78-1 NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=24036ea507862c7b7898b68289c8130f85599c10 CVE-2017-14491 (Heap-based buffer overflow in dnsmasq before 2.78 allows remote attack ...) {DSA-3989-1 DLA-1124-1} - dnsmasq 2.78-1 NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=0549c73b7ea6b22a3c49beb4d432f185a81efcbc NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=62cb936cb7ad5f219715515ae7d32dd281a5aa1f CVE-2017-14490 RESERVED CVE-2017-14489 (The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the ...) {DSA-3981-1 DLA-1099-1} - linux 4.12.13-1 NOTE: https://patchwork.kernel.org/patch/9923803/ NOTE: Fixed by: https://git.kernel.org/linus/c88f0e6b06f4092995688211a631bb436125d77b CVE-2017-14488 RESERVED CVE-2017-14487 (The OhMiBod Remote app for Android and iOS allows remote attackers to ...) NOT-FOR-US: OhMiBod Remote app CVE-2017-14486 (The Vibease Wireless Remote Vibrator app for Android and the Vibease C ...) NOT-FOR-US: Vibease Wireless Remote Vibrator app CVE-2017-14485 RESERVED CVE-2017-14484 (The Gentoo sci-mathematics/gimps package before 28.10-r1 for Great Int ...) NOT-FOR-US: Gentoo packaging flaw in gimps CVE-2017-14483 (flower.initd in the Gentoo dev-python/flower package before 0.9.1-r1 f ...) - flower (Gentoo-specific issue, Debian doesn't provide an init script at all) CVE-2017-1002100 (Default access permissions for Persistent Volumes (PVs) created by the ...) - kubernetes (Vulnerable code not yet present) CVE-2017-1002028 (Vulnerability in wordpress plugin wordpress-gallery-transformation v1. ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002027 (Vulnerability in wordpress plugin rk-responsive-contact-form v1.0, The ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002026 (Vulnerability in wordpress plugin Event Expresso Free v3.1.37.11.L, Th ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002025 (Vulnerability in wordpress plugin add-edit-delete-listing-for-member-m ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002023 (Vulnerability in wordpress plugin Easy Team Manager v1.3.2, The code d ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002022 (Vulnerability in wordpress plugin surveys v1.01.8, The code in questio ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002021 (Vulnerability in wordpress plugin surveys v1.01.8, The code in individ ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002020 (Vulnerability in wordpress plugin surveys v1.01.8, The code in survey_ ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002019 (Vulnerability in wordpress plugin eventr v1.02.2, The edit.php form an ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002018 (Vulnerability in wordpress plugin eventr v1.02.2, The edit.php form an ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002017 (Vulnerability in wordpress plugin gift-certificate-creator v1.0, The c ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002016 (Vulnerability in wordpress plugin flickr-picture-backup v0.7, The code ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002015 (Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002014 (Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002013 (Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002012 (Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002011 (Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002010 (Vulnerability in wordpress plugin Membership Simplified v1.58, The cod ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002009 (Vulnerability in wordpress plugin Membership Simplified v1.58, The cod ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002008 (Vulnerability in wordpress plugin membership-simplified-for-oap-member ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002007 (Vulnerability in wordpress plugin DTracker v1.5, The code dtracker/sav ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002006 (Vulnerability in wordpress plugin DTracker v1.5, The code dtracker/sav ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002005 (Vulnerability in wordpress plugin DTracker v1.5, In file ./dtracker/de ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002004 (Vulnerability in wordpress plugin DTracker v1.5, In file ./dtracker/do ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002003 (Vulnerability in wordpress plugin wp2android-turn-wp-site-into-android ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002002 (Vulnerability in wordpress plugin webapp-builder v2.0, The plugin incl ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002001 (Vulnerability in wordpress plugin mobile-app-builder-by-wappress v1.05 ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002000 (Vulnerability in wordpress plugin mobile-friendly-app-builder-by-easyt ...) NOT-FOR-US: Wordpress plugin CVE-2017-14481 (In the MMM::Agent::Helpers::Network::send_arp function in MySQL Multi- ...) NOT-FOR-US: MySQL ulti-Master Replication Manager CVE-2017-14480 (In the MMM::Agent::Helpers::Network::clear_ip function in MySQL Multi- ...) NOT-FOR-US: MySQL ulti-Master Replication Manager CVE-2017-14479 (In the MMM::Agent::Helpers::Network::clear_ip function in MySQL Multi- ...) NOT-FOR-US: MySQL ulti-Master Replication Manager CVE-2017-14478 (In the MMM::Agent::Helpers::Network::clear_ip function in MySQL Multi- ...) NOT-FOR-US: MySQL ulti-Master Replication Manager CVE-2017-14477 (In the MMM::Agent::Helpers::Network::add_ip function in MySQL Multi-Ma ...) NOT-FOR-US: MySQL ulti-Master Replication Manager CVE-2017-14476 (In the MMM::Agent::Helpers::Network::add_ip function in MySQL Multi-Ma ...) NOT-FOR-US: MySQL ulti-Master Replication Manager CVE-2017-14475 (In the MMM::Agent::Helpers::Network::add_ip function in MySQL Multi-Ma ...) NOT-FOR-US: MySQL ulti-Master Replication Manager CVE-2017-14474 (In the MMM::Agent::Helpers::_execute function in MySQL Multi-Master Re ...) NOT-FOR-US: MySQL ulti-Master Replication Manager CVE-2017-14473 (An exploitable access control vulnerability exists in the data, progra ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14472 (An exploitable access control vulnerability exists in the data, progra ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14471 (An exploitable access control vulnerability exists in the data, progra ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14470 (An exploitable access control vulnerability exists in the data, progra ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14469 (An exploitable access control vulnerability exists in the data, progra ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14468 (An exploitable access control vulnerability exists in the data, progra ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14467 (An exploitable access control vulnerability exists in the data, progra ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14466 (An exploitable access control vulnerability exists in the data, progra ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14465 (An exploitable access control vulnerability exists in the data, progra ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14464 (An exploitable access control vulnerability exists in the data, progra ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14463 (An exploitable access control vulnerability exists in the data, progra ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14462 (An exploitable access control vulnerability exists in the data, progra ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14461 (A specially crafted email delivered over SMTP and passed on to Dovecot ...) {DSA-4130-1 DLA-1333-1} - dovecot 1:2.2.34-1 (bug #891819) NOTE: https://www.dovecot.org/list/dovecot-news/2018-February/000370.html NOTE: https://github.com/dovecot/core/commit/30dc856f7b97b75b0e0d69f5003d5d99a13249b4 NOTE: https://github.com/dovecot/core/commit/8d65e2345e1dbedb00b662ee0abd05be2e7e6b7e NOTE: https://github.com/dovecot/core/commit/b72d864b8c34cb21076214c0b28101baec530141 NOTE: https://github.com/dovecot/core/commit/e9b86842441a668b30796bff7d60828614570a1b NOTE: https://github.com/dovecot/core/commit/f5cd17a27f0b666567747f8c921ebe1026970f11 NOTE: https://github.com/dovecot/core/commit/18a7a161c8dae6f630770a3cbab7374a0c3dd732 NOTE: https://github.com/dovecot/core/commit/0ed696987e5e5d44e971da2a10f6275b276ece34 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0510 CVE-2017-14460 (An exploitable overly permissive cross-domain (CORS) whitelist vulnera ...) - parity (bug #890550) CVE-2017-14459 (An exploitable OS Command Injection vulnerability exists in the Telnet ...) NOT-FOR-US: Moxa CVE-2017-14458 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit PDF Reader CVE-2017-14457 (An exploitable information leak/denial of service vulnerability exists ...) - cpp-etherum (bug #860434) CVE-2017-14456 REJECTED CVE-2017-14455 (On Insteon Hub 2245-222 devices with firmware version 1012, specially ...) NOT-FOR-US: Insteon Hub CVE-2017-14454 RESERVED CVE-2017-14453 (On Insteon Hub 2245-222 devices with firmware version 1012, specially ...) NOT-FOR-US: Insteon Hub CVE-2017-14452 (An exploitable buffer overflow vulnerability exists in the PubNub mess ...) NOT-FOR-US: Insteon Hub CVE-2017-14451 RESERVED CVE-2017-14450 (A buffer overflow vulnerability exists in the GIF image parsing functi ...) {DSA-4184-1 DSA-4177-1 DLA-1341-1} - libsdl2-image 2.0.3+dfsg1-1 - sdl-image1.2 1.2.12-8 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0499 NOTE: https://hg.libsdl.org/SDL_image/rev/45e750f92c84 CVE-2017-14449 (A double-Free vulnerability exists in the XCF image rendering function ...) {DSA-4177-1} - libsdl2-image 2.0.3+dfsg1-1 - sdl-image1.2 (Vulnerable code not present) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0498 NOTE: https://hg.libsdl.org/SDL_image/rev/d0142861559c CVE-2017-14448 (An exploitable code execution vulnerability exists in the XCF image re ...) {DSA-4184-1 DSA-4177-1 DLA-1341-1} - libsdl2-image 2.0.3+dfsg1-1 - sdl-image1.2 1.2.12-8 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0497 NOTE: https://hg.libsdl.org/SDL_image/rev/7df1580f1695 CVE-2017-14447 (An exploitable buffer overflow vulnerability exists in the PubNub mess ...) NOT-FOR-US: Insteon Hub CVE-2017-14446 (An exploitable stack-based buffer overflow vulnerability exists in Ins ...) NOT-FOR-US: Insteon Hub CVE-2017-14445 (An exploitable buffer overflow vulnerability exists in Insteon Hub run ...) NOT-FOR-US: Insteon Hub CVE-2017-14444 (An exploitable buffer overflow vulnerability exists in Insteon Hub run ...) NOT-FOR-US: Insteon Hub CVE-2017-14443 (An exploitable information leak vulnerability exists in Insteon Hub ru ...) NOT-FOR-US: Insteon Hub CVE-2017-14442 (An exploitable code execution vulnerability exists in the BMP image re ...) {DSA-4184-1 DSA-4177-1 DLA-1341-1} - libsdl2-image 2.0.3+dfsg1-1 - sdl-image1.2 1.2.12-8 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0491 NOTE: https://hg.libsdl.org/SDL_image/rev/37445f6180a8 CVE-2017-14441 (An exploitable code execution vulnerability exists in the ICO image re ...) {DSA-4184-1 DSA-4177-1 DLA-1341-1} - libsdl2-image 2.0.3+dfsg1-1 - sdl-image1.2 1.2.12-8 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0490 NOTE: https://hg.libsdl.org/SDL_image/rev/a1e9b624ca10 CVE-2017-14440 (An exploitable code execution vulnerability exists in the ILBM image r ...) {DSA-4184-1 DSA-4177-1 DLA-1341-1} - libsdl2-image 2.0.3+dfsg1-1 - sdl-image1.2 1.2.12-8 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0489 NOTE: https://hg.libsdl.org/SDL_image/rev/bfa08dc02b3c CVE-2017-14439 (Exploitable denial of service vulnerabilities exists in the Service Ag ...) NOT-FOR-US: Moxa CVE-2017-14438 (Exploitable denial of service vulnerabilities exists in the Service Ag ...) NOT-FOR-US: Moxa CVE-2017-14437 (An exploitable denial of service vulnerability exists in the web serve ...) NOT-FOR-US: Moxa CVE-2017-14436 (An exploitable denial of service vulnerability exists in the web serve ...) NOT-FOR-US: Moxa CVE-2017-14435 (An exploitable denial of service vulnerability exists in the web serve ...) NOT-FOR-US: Moxa CVE-2017-14434 (An exploitable command injection vulnerability exists in the web serve ...) NOT-FOR-US: Moxa CVE-2017-14433 (An exploitable command injection vulnerability exists in the web serve ...) NOT-FOR-US: Moxa CVE-2017-14432 (An exploitable command injection vulnerability exists in the web serve ...) NOT-FOR-US: Moxa CVE-2017-14430 (D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) a ...) NOT-FOR-US: D-Link CVE-2017-14429 (The DHCP client on D-Link DIR-850L REV. A (with firmware through FW114 ...) NOT-FOR-US: D-Link CVE-2017-14428 (D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) a ...) NOT-FOR-US: D-Link CVE-2017-14427 (D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) a ...) NOT-FOR-US: D-Link CVE-2017-14426 (D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) a ...) NOT-FOR-US: D-Link CVE-2017-14425 (D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) a ...) NOT-FOR-US: D-Link CVE-2017-14424 (D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) a ...) NOT-FOR-US: D-Link CVE-2017-14423 (htdocs/parentalcontrols/bind.php on D-Link DIR-850L REV. A (with firmw ...) NOT-FOR-US: D-Link CVE-2017-14422 (D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) a ...) NOT-FOR-US: D-Link CVE-2017-14421 (D-Link DIR-850L REV. B (with firmware through FW208WWb02) devices have ...) NOT-FOR-US: D-Link CVE-2017-14420 (The D-Link NPAPI extension, as used on D-Link DIR-850L REV. A (with fi ...) NOT-FOR-US: D-Link CVE-2017-14419 (The D-Link NPAPI extension, as used on D-Link DIR-850L REV. A (with fi ...) NOT-FOR-US: D-Link CVE-2017-14418 (The D-Link NPAPI extension, as used in conjunction with D-Link DIR-850 ...) NOT-FOR-US: D-Link CVE-2017-14417 (register_send.php on D-Link DIR-850L REV. B (with firmware through FW2 ...) NOT-FOR-US: D-Link CVE-2017-14416 (D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) d ...) NOT-FOR-US: D-Link CVE-2017-14415 (D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) d ...) NOT-FOR-US: D-Link CVE-2017-14414 (D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) d ...) NOT-FOR-US: D-Link CVE-2017-14413 (D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) d ...) NOT-FOR-US: D-Link CVE-2017-14412 (An invalid memory write was discovered in copy_mp in interface.c in mp ...) - mp3gain [wheezy] - mp3gain NOTE: https://blogs.gentoo.org/ago/2017/09/08/mp3gain-invalid-memory-write-in-copy_mp-mpglibdblinterface-c/ CVE-2017-14411 (A stack-based buffer overflow was discovered in copy_mp in interface.c ...) - mp3gain [wheezy] - mp3gain NOTE: https://blogs.gentoo.org/ago/2017/09/08/mp3gain-stack-based-buffer-overflow-in-copy_mp-mpglibdblinterface-c/ CVE-2017-14410 (A buffer over-read was discovered in III_i_stereo in layer3.c in mpgli ...) - mp3gain [wheezy] - mp3gain NOTE: https://blogs.gentoo.org/ago/2017/09/08/mp3gain-global-buffer-overflow-in-iii_i_stereo-mpglibdbllayer3-c/ CVE-2017-14409 (A buffer overflow was discovered in III_dequantize_sample in layer3.c ...) - mp3gain [wheezy] - mp3gain NOTE: https://blogs.gentoo.org/ago/2017/09/08/mp3gain-global-buffer-overflow-in-iii_dequantize_sample-mpglibdbllayer3-c/ CVE-2017-14408 (A stack-based buffer over-read was discovered in dct36 in layer3.c in ...) - mp3gain [wheezy] - mp3gain NOTE: https://blogs.gentoo.org/ago/2017/09/08/mp3gain-stack-based-buffer-overflow-in-dct36-mpglibdbllayer3-c/ CVE-2017-14407 (A stack-based buffer over-read was discovered in filterYule in gain_an ...) - mp3gain [wheezy] - mp3gain NOTE: https://blogs.gentoo.org/ago/2017/09/08/mp3gain-stack-based-buffer-overflow-in-filteryule-gain_analysis-c/ CVE-2017-14406 (A NULL pointer dereference was discovered in sync_buffer in interface. ...) - mp3gain [wheezy] - mp3gain NOTE: https://blogs.gentoo.org/ago/2017/09/08/mp3gain-null-pointer-dereference-in-sync_buffer-mpglibdblinterface-c/ CVE-2017-14405 (The EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote comma ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14404 (The EyesOfNetwork web interface (aka eonweb) 5.1-0 allows local file i ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14403 (The EyesOfNetwork web interface (aka eonweb) 5.1-0 has SQL injection v ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14402 (The EyesOfNetwork web interface (aka eonweb) 5.1-0 has SQL injection v ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14401 (The EyesOfNetwork web interface (aka eonweb) 5.1-0 has SQL injection v ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14400 (In ImageMagick 7.0.7-1 Q16, the PersistPixelCache function in magick/c ...) {DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #878546) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/746 NOTE: im6 patch: https://github.com/ImageMagick/ImageMagick/commit/04b863f15effa4375e4ee42f413f0246062b48af NOTE: im6 patch: https://github.com/ImageMagick/ImageMagick/commit/44a55580ac8c01d8cff1e6e0063820af113f8591 CVE-2017-14399 (In BlackCat CMS 1.2.2, unrestricted file upload is possible in backend ...) NOT-FOR-US: BlackCat CMS CVE-2017-14398 (rzpnk.sys in Razer Synapse 2.20.15.1104 allows local users to read and ...) NOT-FOR-US: Razer Synapse CVE-2017-14397 (AnyDesk before 3.6.1 on Windows has a DLL injection vulnerability. ...) NOT-FOR-US: AnyDesk CVE-2017-14396 (In osTicket before 1.10.1, SQL injection is possible by constructing a ...) NOT-FOR-US: osTicket CVE-2017-14395 (Auth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) ...) NOT-FOR-US: OpenAM CVE-2017-14394 (OAuth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) ...) NOT-FOR-US: OpenAM CVE-2017-14393 REJECTED CVE-2017-14392 REJECTED CVE-2017-14391 REJECTED CVE-2017-14390 (In Cloud Foundry Foundation cf-deployment v0.35.0, a misconfiguration ...) NOT-FOR-US: Cloud Foundry CVE-2017-14389 (An issue was discovered in Cloud Foundry Foundation capi-release (all ...) NOT-FOR-US: Cloud Foundry CVE-2017-14388 (Cloud Foundry Foundation GrootFS release 0.3.x versions prior to 0.30. ...) NOT-FOR-US: Cloud Foundry Foundation GrootFS CVE-2017-14387 (The NFS service in EMC Isilon OneFS 8.1.0.0, 8.0.1.0 - 8.0.1.1, and 8. ...) NOT-FOR-US: EMC Isilon OneFS CVE-2017-14386 (The web user interface of Dell 2335dn and 2355dn Multifunction Laser P ...) NOT-FOR-US: Dell CVE-2017-14385 (An issue was discovered in EMC Data Domain DD OS 5.7 family, versions ...) NOT-FOR-US: EMC Data Domain DD OS CVE-2017-14384 (In Dell Storage Manager versions earlier than 16.3.20, the EMConfigMig ...) NOT-FOR-US: EMConfigMigration service CVE-2017-14383 (In Dell EMC VNX2 versions prior to Operating Environment for File 8.1. ...) NOT-FOR-US: EMC VNX CVE-2017-14382 REJECTED CVE-2017-14381 REJECTED CVE-2017-14380 (In EMC Isilon OneFS 8.1.0.0, 8.0.1.0 - 8.0.1.1, 8.0.0.0 - 8.0.0.4, 7.2 ...) NOT-FOR-US: EMC Isilon OneFS CVE-2017-14379 (EMC RSA Authentication Manager before 8.2 SP1 P6 has a cross-site scri ...) NOT-FOR-US: EMC RSA CVE-2017-14378 (EMC RSA Authentication Agent API 8.5 for C and RSA Authentication Agen ...) NOT-FOR-US: EMC RSA CVE-2017-14377 (EMC RSA Authentication Agent for Web: Apache Web Server version 8.0 an ...) NOT-FOR-US: EMC RSA CVE-2017-14376 (EMC AppSync Server prior to 3.5.0.1 contains database accounts with ha ...) NOT-FOR-US: EMC AppSync Server CVE-2017-14375 (EMC Unisphere for VMAX Virtual Appliance (vApp) versions prior to 8.4. ...) NOT-FOR-US: EMC CVE-2017-14374 (The SMI-S service in Dell Storage Manager versions earlier than 16.3.2 ...) NOT-FOR-US: Dell CVE-2017-14373 (EMC RSA Authentication Manager 8.2 SP1 P4 and earlier contains a refle ...) NOT-FOR-US: RSA Authentication Manager CVE-2017-14372 (RSA Archer GRC Platform prior to 6.2.0.5 is affected by reflected cros ...) NOT-FOR-US: RSA Archer GRC Platform CVE-2017-14371 (RSA Archer GRC Platform prior to 6.2.0.5 is affected by reflected cros ...) NOT-FOR-US: RSA Archer GRC Platform CVE-2017-14370 (RSA Archer GRC Platform prior to 6.2.0.5 is affected by stored cross-s ...) NOT-FOR-US: RSA Archer GRC Platform CVE-2017-14369 (RSA Archer GRC Platform prior to 6.2.0.5 is affected by a privilege es ...) NOT-FOR-US: RSA Archer GRC Platform CVE-2017-14368 RESERVED CVE-2017-14367 RESERVED CVE-2017-14366 RESERVED CVE-2017-14365 RESERVED CVE-2017-14364 RESERVED CVE-2017-14363 (Cross-Site Scripting (XSS) vulnerability has been identified in Micro ...) NOT-FOR-US: Micro Focus Operations Manager CVE-2017-14362 (Cross-Site Request Forgery vulnerability in Micro Focus Project and Po ...) NOT-FOR-US: Micro Focus Project and Portfolio Management Center CVE-2017-14361 (Man-In-The-Middle vulnerability in Micro Focus Project and Portfolio M ...) NOT-FOR-US: Micro Focus Project and Portfolio Management Center CVE-2017-14360 (A potential security vulnerability has been identified in HPE Content ...) NOT-FOR-US: HPE CVE-2017-14359 (A potential security vulnerability has been identified in HPE Performa ...) NOT-FOR-US: HPE Performance Center CVE-2017-14358 (A URL redirection to untrusted site vulnerability in HP ArcSight ESM a ...) NOT-FOR-US: HP ArcSight CVE-2017-14357 (A Reflected and Stored Cross-Site Scripting (XSS) vulnerability in HP ...) NOT-FOR-US: HP ArcSight CVE-2017-14356 (An SQL Injection vulnerability in HP ArcSight ESM and HP ArcSight ESM ...) NOT-FOR-US: HP ArcSight CVE-2017-14355 (A potential security vulnerability has been identified in HPE Connecte ...) NOT-FOR-US: HPE Connected Backup CVE-2017-14354 (A remote cross-site scripting vulnerability in HP UCMDB Foundation Sof ...) NOT-FOR-US: HP UCMDB Foundation CVE-2017-14353 (A remote code execution vulnerability in HP UCMDB Foundation Software ...) NOT-FOR-US: HP UCMDB Foundation CVE-2017-14352 (A potential security vulnerability has been identified in HP UCMDB Con ...) NOT-FOR-US: HP CVE-2017-14351 (A potential security vulnerability has been identified in HP UCMDB Con ...) NOT-FOR-US: HP CVE-2017-14350 (A potential security vulnerability has been identified in HPE Applicat ...) NOT-FOR-US: HP CVE-2017-14349 (An authentication vulnerability in HPE SiteScope product versions 11.2 ...) NOT-FOR-US: HP CVE-2015-9230 (In the admin/db-backup-security/db-backup-security.php page in the Bul ...) NOT-FOR-US: Wordpress plugin CVE-2015-9229 (In the nggallery-manage-gallery page in the Photocrati NextGEN Gallery ...) NOT-FOR-US: Photocrati NextGEN Gallery CVE-2017-14347 (NexusPHP 1.5.beta5.20120707 has XSS in the returnto parameter to fun.p ...) NOT-FOR-US: NexusPHP CVE-2017-14346 (upload.php in tianchoy/blog through 2017-09-12 allows unrestricted fil ...) NOT-FOR-US: tianchoy/blog CVE-2017-14345 (SQL Injection exists in tianchoy/blog through 2017-09-12 via the id pa ...) NOT-FOR-US: tianchoy/blog CVE-2017-14344 (This vulnerability allows local attackers to escalate privileges on Ju ...) NOT-FOR-US: Jungo WinDriver CVE-2017-14343 (ImageMagick 7.0.6-6 has a memory leak vulnerability in ReadXCFImage in ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/649 CVE-2017-14342 (ImageMagick 7.0.6-6 has a memory exhaustion vulnerability in ReadWPGIm ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/650 NOTE: https://github.com/ImageMagick/ImageMagick/commit/4e378ea8fb99e869768f34e900105e8c769adfcd NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/6d5b22baedd49ef8a35011789bd600762ce1ef21 CVE-2017-14341 (ImageMagick 7.0.6-6 has a large loop vulnerability in ReadWPGImage in ...) {DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #876105) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/654 NOTE: https://github.com/ImageMagick/ImageMagick/commit/7d63315a64267c565d1f34b9cb523a14616fed24 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/4eae304e773bad8a876c3c26fdffac24d4253ae4 CVE-2017-14348 (LibRaw before 0.18.4 has a heap-based Buffer Overflow in the processCa ...) - libraw 0.18.5-1 [stretch] - libraw (Minor issue) [jessie] - libraw (Vulnerable code not present) [wheezy] - libraw (Vulnerable code not present) NOTE: https://github.com/LibRaw/LibRaw/issues/100 NOTE: https://github.com/LibRaw/LibRaw/commit/8303e74b0567806dd5f16fc39aab70fe928de1a2 CVE-2017-14340 (The XFS_IS_REALTIME_INODE macro in fs/xfs/xfs_linux.h in the Linux ker ...) {DSA-3981-1 DLA-1099-1} - linux 4.12.13-1 NOTE: Fixed by: https://git.kernel.org/linus/b31ff3cdf540110da4572e3e29bd172087af65cc CVE-2017-14339 (The DNS packet parser in YADIFA before 2.2.6 does not check for the pr ...) {DSA-4001-1} - yadifa 2.2.6-1 (bug #876315) NOTE: https://www.tarlogic.com/blog/fuzzing-yadifa-dns/ NOTE: https://github.com/yadifa/yadifa/blob/v2.2.6/ChangeLog CVE-2017-14338 RESERVED CVE-2017-14337 (When MISP before 2.4.80 is configured with X.509 certificate authentic ...) NOT-FOR-US: MISP (Malware Information Sharing Platform and Threat Sharing) CVE-2017-14336 RESERVED CVE-2017-14335 (On Beijing Hanbang Hanbanggaoke devices, because user-controlled input ...) NOT-FOR-US: Beijing Hanbang Hanbanggaoke devices CVE-2017-14334 RESERVED CVE-2017-14333 (The process_version_sections function in readelf.c in GNU Binutils 2.2 ...) - binutils 2.29-9 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21990 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=452bf675ea772002aa86fb1d28f3474da70ee1de CVE-2017-14332 (Extreme EXOS 15.7, 16.x, 21.x, and 22.x allows remote attackers to hij ...) NOT-FOR-US: Extreme EXOS CVE-2017-14331 (Extreme EXOS 16.x, 21.x, and 22.x allows administrators to bypass the ...) NOT-FOR-US: Extreme EXOS CVE-2017-14330 (Extreme EXOS 16.x, 21.x, and 22.x allows administrators to obtain a ro ...) NOT-FOR-US: Extreme EXOS CVE-2017-14329 (Extreme EXOS 16.x, 21.x, and 22.x allows administrators to obtain a ro ...) NOT-FOR-US: Extreme EXOS CVE-2017-14328 (Extreme EXOS 15.7, 16.x, 21.x, and 22.x allows remote attackers to tri ...) NOT-FOR-US: Extreme EXOS CVE-2017-14327 (Extreme EXOS 16.x, 21.x, and 22.x allows administrators to read arbitr ...) NOT-FOR-US: Extreme EXOS CVE-2017-14326 (In ImageMagick 7.0.7-1 Q16, a memory leak vulnerability was found in t ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/740 NOTE: https://github.com/ImageMagick/ImageMagick/commit/dfefe8de5068a547ae4097c69456f02f93935164 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/a542c9f9a53327b623333150874d4e5a5b3bcbd0 CVE-2017-14325 (In ImageMagick 7.0.7-1 Q16, a memory leak vulnerability was found in t ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/741 CVE-2017-14324 (In ImageMagick 7.0.7-1 Q16, a memory leak vulnerability was found in t ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/739 NOTE: https://github.com/ImageMagick/ImageMagick/commit/399631650b38eaf21c2f3c306b8b74e66be6a0d2 CVE-2017-14323 (SSRF (Server Side Request Forgery) in getRemoteImage.php in Ueditor in ...) NOT-FOR-US: Onethink CVE-2017-14322 (The function in charge to check whether the user is already logged in ...) NOT-FOR-US: Interspire Email Marketer CVE-2017-14321 (Multiple cross-site scripting (XSS) vulnerabilities in the administrat ...) NOT-FOR-US: Mirasvit Helpdesk MX CVE-2017-14320 (Mirasvit Helpdesk MX before 1.5.3 might allow remote attackers to exec ...) NOT-FOR-US: Mirasvit Helpdesk MX CVE-2017-14319 (A grant unmapping issue was discovered in Xen through 4.9.x. When remo ...) {DSA-4050-1 DLA-1549-1 DLA-1132-1} - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-234.html CVE-2017-14318 (An issue was discovered in Xen 4.5.x through 4.9.x. The function `__gn ...) {DSA-4050-1 DLA-1132-1} - xen 4.8.2+xsa245-0+deb9u1 [jessie] - xen (Only affects 4.5 and later) NOTE: https://xenbits.xen.org/xsa/advisory-232.html NOTE: Wheezy will be affected with the upcoming grant table backport CVE-2017-14317 (A domain cleanup issue was discovered in the C xenstore daemon (aka cx ...) {DSA-4050-1 DLA-1549-1 DLA-1132-1} - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-233.html CVE-2017-14316 (A parameter verification issue was discovered in Xen through 4.9.x. Th ...) {DSA-4050-1 DLA-1549-1 DLA-1132-1} - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-231.html CVE-2017-14315 (In Apple iOS 7 through 9, due to a BlueBorne flaw in the implementatio ...) NOT-FOR-US: Apple CVE-2017-14314 (Off-by-one error in the DrawImage function in magick/render.c in Graph ...) {DSA-4321-1 DLA-1401-1 DLA-1130-1} - graphicsmagick 1.3.26-10 NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/2835184bfb78 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/448/ CVE-2017-14312 (Nagios Core through 4.3.4 initially executes /usr/sbin/nagios as root ...) - nagios3 (Doesn't affect Nagios as packaged in Debian) NOTE: https://github.com/NagiosEnterprises/nagioscore/issues/424 NOTE: State is not fully correct, since "affected" source would be there. CVE-2015-9228 (In post-new.php in the Photocrati NextGEN Gallery plugin 2.1.10 for Wo ...) NOT-FOR-US: Photocrati NextGEN Gallery plugin for WordPress CVE-2017-15596 (An issue was discovered in Xen 4.4.x through 4.9.x allowing ARM guest ...) {DSA-3969-1} - xen 4.8.1-1+deb9u3 [wheezy] - xen (No arm support in Wheezy) NOTE: https://xenbits.xen.org/xsa/advisory-235.html CVE-2017-14311 (The Winring0x32.sys driver in NetMechanica NetDecision 5.8.2 allows lo ...) NOT-FOR-US: NetMechanica NetDecision CVE-2017-14310 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14309 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14308 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14307 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14306 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14305 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14304 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14303 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14302 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14301 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14300 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14299 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14298 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14297 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14296 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14295 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14294 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14293 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14292 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14291 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14290 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14289 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14288 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14287 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14286 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14285 (XnView Classic for Windows Version 2.40 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-14284 (XnView Classic for Windows Version 2.40 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-14283 (XnView Classic for Windows Version 2.40 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-14282 (XnView Classic for Windows Version 2.40 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-14281 (XnView Classic for Windows Version 2.40 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-14280 (XnView Classic for Windows Version 2.40 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-14279 (XnView Classic for Windows Version 2.40 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-14278 (XnView Classic for Windows Version 2.40 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-14277 (XnView Classic for Windows Version 2.40 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-14276 (XnView Classic for Windows Version 2.40 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-14275 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-14274 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-14273 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-14272 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-14271 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-14270 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2015-9227 (PHP remote file inclusion vulnerability in the get_file function in up ...) NOT-FOR-US: AlegroCart CVE-2015-9226 (Multiple SQL injection vulnerabilities in AlegroCart 1.2.8 allow remot ...) NOT-FOR-US: AlegroCart CVE-2017-14482 (GNU Emacs before 25.3 allows remote attackers to execute arbitrary cod ...) {DSA-3975-1 DSA-3970-1 DLA-1101-1} - emacs25 25.2+1-6 (bug #875447) - emacs24 (bug #875448) - emacs23 (bug #875449) NOTE: http://www.openwall.com/lists/oss-security/2017/09/11/1 NOTE: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28350 NOTE: https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-25&id=9ad0fcc54442a9a01d41be19880250783426db70 CVE-2017-14313 (The shibboleth_login_form function in shibboleth.php in the Shibboleth ...) {DSA-3973-1 DLA-1096-1} - wordpress-shibboleth 1.8-1 (bug #874416) NOTE: https://github.com/michaelryanmcneill/shibboleth/commit/1d65ad6786282d23ba1865f56e2fd19188e7c26a NOTE: https://make.wordpress.org/plugins/2015/04/20/fixing-add_query_arg-and-remove_query_arg-usage/ CVE-2017-14269 (EE 4GEE WiFi MBB (before EE60_00_05.00_31) devices allow remote attack ...) NOT-FOR-US: EE 4GEE WiFi MBB CVE-2017-14268 (EE 4GEE WiFi MBB (before EE60_00_05.00_31) devices have XSS in the sms ...) NOT-FOR-US: EE 4GEE WiFi MBB CVE-2017-14267 (EE 4GEE WiFi MBB (before EE60_00_05.00_31) devices have CSRF, related ...) NOT-FOR-US: EE 4GEE WiFi MBB CVE-2017-14266 (tcprewrite in Tcpreplay 3.4.4 has a Heap-Based Buffer Overflow vulnera ...) - tcpreplay 3.4.4-3 [jessie] - tcpreplay 3.4.4-2+deb8u1 [wheezy] - tcpreplay 3.4.3-2+wheezy2 NOTE: Fixed by http://launchpadlibrarian.net/270778908/tcpreplay_3.4.4-2_3.4.4-3.diff.gz NOTE: Not a duplicate of CVE-2016-6160 the detailed MITRE description, but both issues NOTE: are addressed with the same patch: NOTE: Patch enforce-maxpacket.patch addresses the issue CVE-2017-14265 (A Stack-based Buffer Overflow was discovered in xtrans_interpolate in ...) - libraw 0.18.5-1 [stretch] - libraw (Minor issue) [jessie] - libraw (Minor issue) [wheezy] - libraw (Vulnerable code not present) NOTE: https://github.com/LibRaw/LibRaw/issues/99 NOTE: https://github.com/LibRaw/LibRaw/commit/82616eff4c7f7437e96bdeeed238c3ef3dc12d60 CVE-2017-14264 RESERVED CVE-2017-14263 (Honeywell NVR devices allow remote attackers to create a user account ...) NOT-FOR-US: Honeywell CVE-2017-14262 (On Samsung NVR devices, remote attackers can read the MD5 password has ...) NOT-FOR-US: Samsung CVE-2017-14261 (In the SDK in Bento4 1.5.0-616, the AP4_StszAtom class in Ap4StszAtom. ...) NOT-FOR-US: Bento4 CVE-2017-14260 (In the SDK in Bento4 1.5.0-616, the AP4_StssAtom class in Ap4StssAtom. ...) NOT-FOR-US: Bento4 CVE-2017-14259 (In the SDK in Bento4 1.5.0-616, the AP4_StscAtom class in Ap4StscAtom. ...) NOT-FOR-US: Bento4 CVE-2017-14258 (In the SDK in Bento4 1.5.0-616, SetItemCount in Core/Ap4StscAtom.h fil ...) NOT-FOR-US: Bento4 CVE-2017-14257 (In the SDK in Bento4 1.5.0-616, AP4_AtomSampleTable::GetSample in Core ...) NOT-FOR-US: Bento4 CVE-2017-14256 RESERVED CVE-2017-14255 RESERVED CVE-2017-14254 RESERVED CVE-2017-14253 RESERVED CVE-2017-14252 (SQL Injection exists in the EyesOfNetwork web interface (aka eonweb) 5 ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14251 (Unrestricted File Upload vulnerability in the fileDenyPattern in sysex ...) - typo3-src [wheezy] - typo3-src (Not supported in Wheezy LTS) CVE-2017-14250 (In TP-LINK TL-WR741N / TL-WR741ND 150M Wireless Lite N Router with Fir ...) NOT-FOR-US: TP-LINK Router CVE-2017-14249 (ImageMagick 7.0.6-8 Q16 mishandles EOF checks in ReadMPCImage in coder ...) {DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #876099) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/708 NOTE: https://github.com/ImageMagick/ImageMagick/commit/2071d67ebf729f76d73c33c1152df4816d1d79ac NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/66112b7a7b64f688efe6fec53a829874a74dea04 CVE-2017-14248 (A heap-based buffer over-read in SampleImage() in MagickCore/resize.c ...) - imagemagick (Vulnerable code introduced later) NOTE: https://github.com/ImageMagick/ImageMagick/issues/717 NOTE: https://github.com/ImageMagick/ImageMagick/commit/c5402b6e0fcf8b694ae2af6a6652ebb8ce0ccf46 CVE-2017-14247 (SQL Injection exists in the EyesOfNetwork web interface (aka eonweb) 5 ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14246 (An out of bounds read in the function d2ulaw_array() in ulaw.c of libs ...) {DLA-1618-1} - libsndfile 1.0.28-5 (low; bug #876682) [stretch] - libsndfile (Minor issue) [wheezy] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/317 NOTE: https://github.com/erikd/libsndfile/commit/8ddc442d539ca775d80cdbc7af17a718634a743f CVE-2017-14245 (An out of bounds read in the function d2alaw_array() in alaw.c of libs ...) {DLA-1618-1} - libsndfile 1.0.28-5 (low; bug #876682) [stretch] - libsndfile (Minor issue) [wheezy] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/317 NOTE: https://github.com/erikd/libsndfile/commit/8ddc442d539ca775d80cdbc7af17a718634a743f CVE-2017-14244 (An authentication bypass vulnerability on iBall Baton ADSL2+ Home Rout ...) NOT-FOR-US: iBall CVE-2017-14243 (An authentication bypass vulnerability on UTStar WA3002G4 ADSL Broadba ...) NOT-FOR-US: UTStar CVE-2017-14242 (SQL injection vulnerability in don/list.php in Dolibarr version 6.0.0 ...) - dolibarr (bug #885319) NOTE: https://github.com/Dolibarr/dolibarr/commit/33e2179b65331d9d9179b59d746817c5be1fecdb CVE-2017-14241 (Cross-site scripting (XSS) vulnerability in Dolibarr ERP/CRM 6.0.0 all ...) - dolibarr (bug #885320) NOTE: https://github.com/Dolibarr/dolibarr/commit/d26b2a694de30f95e46ea54ea72cc54f0d38e548 CVE-2017-14240 (There is a sensitive information disclosure vulnerability in document. ...) - dolibarr (bug #885320) NOTE: https://github.com/Dolibarr/dolibarr/commit/d26b2a694de30f95e46ea54ea72cc54f0d38e548 CVE-2017-14239 (Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CR ...) - dolibarr (bug #885320) NOTE: https://github.com/Dolibarr/dolibarr/commit/d26b2a694de30f95e46ea54ea72cc54f0d38e548 CVE-2017-14238 (SQL injection vulnerability in admin/menus/edit.php in Dolibarr ERP/CR ...) - dolibarr (bug #885320) NOTE: https://github.com/Dolibarr/dolibarr/commit/d26b2a694de30f95e46ea54ea72cc54f0d38e548 CVE-2017-14237 RESERVED CVE-2017-14236 RESERVED CVE-2017-14235 RESERVED CVE-2017-14234 RESERVED CVE-2017-14233 RESERVED CVE-2017-14232 (The read_chunk function in flif-dec.cpp in Free Lossless Image Format ...) - flif CVE-2017-14231 (GeniXCMS before 1.1.0 allows remote attackers to cause a denial of ser ...) NOT-FOR-US: GenixCMS CVE-2017-14230 (In the mboxlist_do_find function in imap/mboxlist.c in Cyrus IMAP befo ...) - cyrus-imapd (Vulnerable code introduced later) - cyrus-imapd-2.4 (Vulnerable code introduced later) NOTE: Fixed by: https://github.com/cyrusimap/cyrus-imapd/commit/6bd33275368edfa71ae117de895488584678ac79 NOTE: Introduced by: https://github.com/cyrusimap/cyrus-imapd/commit/1fe918087237f55e09a37fa414bf988873739021 (cyrus-imapd-3.0.0-beta1) NOTE: https://github.com/cyrusimap/cyrus-imapd/issues/2132 CVE-2017-14229 (There is an infinite loop in the jpc_dec_tileinit function in jpc/jpc_ ...) - jasper [jessie] - jasper (Minor issue) [wheezy] - jasper (Minor issue) NOTE: https://github.com/mdadams/jasper/issues/146 NOTE: Possible false-positive, cf. https://github.com/mdadams/jasper/issues/146#issuecomment-330674648 CVE-2017-14228 (In Netwide Assembler (NASM) 2.14rc0, there is an illegal address acces ...) - nasm 2.13.02-0.1 (unimportant; bug #874731) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392423 NOTE: Crash in CLI tool, no securiy impact CVE-2017-14227 (In MongoDB libbson 1.7.0, the bson_iter_codewscope function in bson-it ...) - libbson 1.8.0-1 (bug #874754) [stretch] - libbson (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1489355 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1489356 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1489362 NOTE: Latest https://github.com/mongodb/libbson/commit/0f501e7ed51a42d5502d319bce35b41f1a3aa112 (1.7.0-rc0) NOTE: uncovers the issue, which introduces UTF-8 validation during JSON encoding. NOTE: Only after that the utf8_len=4294967295 as shown with the POC is passed to NOTE: bson_utf8_validate via src/bson/bson-iter.c:2069 NOTE: Still the underlying issue in bson-iter.c when parsing BSON with a codewscope NOTE: type is present in earlier versions. NOTE: Upstream issue: https://jira.mongodb.org/browse/CDRIVER-2269 NOTE: Fixed by: https://github.com/mongodb/libbson/commit/42900956dc461dfe7fb91d93361d10737c1602b3 CVE-2017-14226 (WP1StylesListener.cpp, WP5StylesListener.cpp, and WP42StylesListener.c ...) - libwpd 0.10.2-1 (bug #876001) [stretch] - libwpd 0.10.1-5+deb9u1 [jessie] - libwpd 0.10.0-2+deb8u1 [wheezy] - libwpd (Vulnerable code do not exist) NOTE: https://bugs.documentfoundation.org/show_bug.cgi?id=112269 NOTE: https://sourceforge.net/p/libwpd/code/ci/0329a9c57f9b3b0efa0f09a5235dfd90236803a5/ NOTE: https://sourceforge.net/p/libwpd/code/ci/f40827b3eae260ce657c67d9fecc855b09dea3c3/ CVE-2017-14225 (The av_color_primaries_name function in libavutil/pixdesc.c in FFmpeg ...) {DSA-3996-1} - ffmpeg 7:3.3.4-1 (low) - libav [jessie] - libav (Vulnerable code not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/837cb4325b712ff1aab531bf41668933f61d75d2 CVE-2017-14224 (A heap-based buffer overflow in WritePCXImage in coders/pcx.c in Image ...) {DSA-4040-1 DSA-4032-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #876097) NOTE: https://github.com/ImageMagick/ImageMagick/issues/733 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/7f2d6fe34d695d3445e2d50937db5541a1b76bde NOTE: https://github.com/ImageMagick/ImageMagick/commit/c6409227c430f114b6425337e64b848535b62e0b CVE-2017-14223 (In libavformat/asfdec_f.c in FFmpeg 3.3.3, a DoS in asf_build_simple_i ...) {DSA-3996-1 DLA-1654-1} - ffmpeg 7:3.3.4-1 (low) - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/afc9c683ed9db01edb357bc8c19edad4282b3a97 CVE-2017-14222 (In libavformat/mov.c in FFmpeg 3.3.3, a DoS in read_tfra() due to lack ...) {DSA-3996-1} - ffmpeg 7:3.3.4-1 (low) - libav [jessie] - libav (vulnerable code not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/9cb4eb772839c5e1de2855d126bf74ff16d13382 CVE-2017-14221 RESERVED CVE-2017-14220 RESERVED CVE-2017-14219 (XSS (persistent) on the Intelbras Wireless N 150Mbps router with firmw ...) NOT-FOR-US: Intelbras Wireless N 150Mbps router CVE-2017-14218 RESERVED CVE-2017-14217 RESERVED CVE-2017-14216 RESERVED CVE-2017-14215 RESERVED CVE-2017-14214 RESERVED CVE-2017-14213 RESERVED CVE-2017-14212 RESERVED CVE-2017-14211 RESERVED CVE-2017-14210 RESERVED CVE-2017-14209 RESERVED CVE-2017-14208 REJECTED CVE-2017-14207 REJECTED CVE-2017-14206 REJECTED CVE-2017-14205 REJECTED CVE-2017-14204 REJECTED CVE-2017-14203 REJECTED CVE-2017-14202 (Improper Restriction of Operations within the Bounds of a Memory Buffe ...) NOT-FOR-US: Zephyr CVE-2017-14201 (Use After Free vulnerability in the Zephyr shell allows a serial or te ...) NOT-FOR-US: Zephyr CVE-2017-14200 REJECTED CVE-2017-14199 (A buffer overflow has been found in the Zephyr Project's getaddrinfo() ...) NOT-FOR-US: Zephyr OS CVE-2017-14198 (An issue was discovered in Squiz Matrix before 5.3.6.1 and 5.4.x befor ...) NOT-FOR-US: Squiz Matrix CVE-2017-14197 (An issue was discovered in Squiz Matrix before 5.3.6.1 and 5.4.x befor ...) NOT-FOR-US: Squiz Matrix CVE-2017-14196 (An issue was discovered in Squiz Matrix from 5.3 through to 5.3.6.1 an ...) NOT-FOR-US: Squiz Matrix CVE-2017-14195 (The call_msg function in controllers/Form.php in dayrui FineCms 5.0.11 ...) NOT-FOR-US: dayrui FineCms CVE-2017-14194 (The out function in controllers/member/Login.php in dayrui FineCms 5.0 ...) NOT-FOR-US: dayrui FineCms CVE-2017-14193 (The oauth function in controllers/member/api.php in dayrui FineCms 5.0 ...) NOT-FOR-US: dayrui FineCms CVE-2017-14192 (The checktitle function in controllers/member/api.php in dayrui FineCm ...) NOT-FOR-US: dayrui FineCms CVE-2017-14191 (An Improper Access Control vulnerability in Fortinet FortiWeb 5.6.0 up ...) NOT-FOR-US: Fortinet CVE-2017-14190 (A Cross-site Scripting vulnerability in Fortinet FortiOS 5.6.0 to 5.6. ...) NOT-FOR-US: Fortinet FortiOS CVE-2017-14189 (An improper access control vulnerability in Fortinet FortiWebManager 5 ...) NOT-FOR-US: Fortinet CVE-2017-14188 RESERVED CVE-2017-14187 (A local privilege escalation and local code execution vulnerability in ...) NOT-FOR-US: Fortinet CVE-2017-14186 (A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 t ...) NOT-FOR-US: Fortinet CVE-2017-14185 (An Information Disclosure vulnerability in Fortinet FortiOS 5.6.0 to 5 ...) NOT-FOR-US: Fortinet FortiOS CVE-2017-14184 (An Information Disclosure vulnerability in Fortinet FortiClient for Wi ...) NOT-FOR-US: Fortinet CVE-2017-14183 RESERVED CVE-2017-14182 (A Denial of Service (DoS) vulnerability in Fortinet FortiOS 5.4.0 to 5 ...) NOT-FOR-US: Fortinet CVE-2017-14180 (Apport 2.13 through 2.20.7 does not properly handle crashes originatin ...) NOT-FOR-US: Apport CVE-2017-14179 (Apport before 2.13 does not properly handle crashes originating from a ...) NOT-FOR-US: Apport CVE-2017-14178 (In snapd 2.27 through 2.29.2 the 'snap logs' command could be made to ...) - snapd 2.30-1 [stretch] - snapd (Issue introduced in 2.27) NOTE: https://launchpad.net/bugs/1730255 CVE-2017-14177 (Apport through 2.20.7 does not properly handle core dumps from setuid ...) NOT-FOR-US: Apport CVE-2017-14181 (DeleteBitBuffer in libbitbuf/bitbuffer.c in mp4tools aacplusenc 0.17.5 ...) NOT-FOR-US: aacplusenc CVE-2017-14175 (In coders/xbm.c in ImageMagick 7.0.6-1 Q16, a DoS in ReadXBMImage() du ...) {DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #875502) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/712 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/b8c63b156bf26b52e710b1a0643c846a6cd01e56 CVE-2017-14174 (In coders/psd.c in ImageMagick 7.0.7-0 Q16, a DoS in ReadPSDLayersInte ...) {DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #875503) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/714 NOTE: https://github.com/ImageMagick/ImageMagick/commit/04a567494786d5bb50894fc8bb8fea0cf496bea8 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/f68a98a9d385838a1c73ec960a14102949940a64 CVE-2017-14173 (In the function ReadTXTImage() in coders/txt.c in ImageMagick 7.0.6-10 ...) {DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #875504) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/713 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/48bcf7c39302cdf9b0d9202ad03bf1b95152c44d CVE-2017-14172 (In coders/ps.c in ImageMagick 7.0.7-0 Q16, a DoS in ReadPSImage() due ...) {DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #875506) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/715 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/8598a497e2d1f556a34458cf54b40ba40674734c CVE-2017-14171 (In libavformat/nsvdec.c in FFmpeg 3.3.3, a DoS in nsv_parse_NSVf_heade ...) {DSA-3996-1 DLA-1630-1} - ffmpeg 7:3.3.4-1 (low) - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/c24bcb553650b91e9eff15ef6e54ca73de2453b7 CVE-2017-14170 (In libavformat/mxfdec.c in FFmpeg 3.3.3, a DoS in mxf_read_index_entry ...) {DSA-3996-1 DLA-1630-1} - ffmpeg 7:3.3.4-1 (low) - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/900f39692ca0337a98a7cf047e4e2611071810c2 CVE-2017-14169 (In the mxf_read_primer_pack function in libavformat/mxfdec.c in FFmpeg ...) {DSA-3996-1 DLA-1654-1} - ffmpeg 7:3.3.4-1 (low) - libav NOTE: libav in Jessie uses a different guard for item_num. Check whether NOTE: the guard is necessary at all. NOTE: https://github.com/FFmpeg/FFmpeg/commit/9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad CVE-2017-14168 RESERVED CVE-2017-14167 (Integer overflow in the load_multiboot function in hw/i386/multiboot.c ...) {DSA-3991-1 DLA-1497-1 DLA-1129-1 DLA-1128-1} - qemu 1:2.10.0-1 (bug #874606) - qemu-kvm NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2017-09/msg01483.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1489375 CVE-2017-14163 (An issue was discovered in Mahara before 15.04.14, 16.x before 16.04.8 ...) - mahara CVE-2017-14162 RESERVED CVE-2017-14161 RESERVED CVE-2017-14166 (libarchive 3.3.2 allows remote attackers to cause a denial of service ...) {DSA-4360-1 DLA-1600-1 DLA-1092-1} - libarchive 3.2.2-3.1 (bug #874539) NOTE: http://www.openwall.com/lists/oss-security/2017/09/06/5 NOTE: https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71 NOTE: https://github.com/libarchive/libarchive/issues/935 CVE-2017-14165 (The ReadSUNImage function in coders/sun.c in GraphicsMagick 1.3.26 has ...) - graphicsmagick 1.3.26-9 (unimportant; bug #874724) NOTE: Fixed by: http://hg.code.sf.net/p/graphicsmagick/code/rev/493da54370aa NOTE: http://www.openwall.com/lists/oss-security/2017/09/06/4 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/442/ CVE-2017-14160 (The bark_noise_hybridmp function in psy.c in Xiph.Org libvorbis 1.3.5 ...) {DLA-2013-1} - libvorbis 1.3.6-2 (bug #876780) [stretch] - libvorbis (Minor issue) [wheezy] - libvorbis (Minor issue, can be revisited once fixed upstream) NOTE: http://www.openwall.com/lists/oss-security/2017/09/21/2 NOTE: http://www.openwall.com/lists/oss-security/2017/09/21/3 NOTE: https://gitlab.xiph.org/xiph/vorbis/issues/2330 NOTE: Upstream fix: https://gitlab.xiph.org/xiph/vorbis/commit/018ca26dece618457dd13585cad52941193c4a25 CVE-2017-14176 (Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attac ...) {DSA-4052-1 DLA-1107-1} - bzr 2.7.0+bzr6622-7 (bug #874429) - breezy 3.0.0~bzr6772-1 NOTE: https://bugs.launchpad.net/bzr/+bug/1710979 CVE-2017-14159 (slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping ...) - openldap (unimportant) NOTE: http://www.openldap.org/its/index.cgi?findid=8703 NOTE: Negligible security impact, but filed #877512 CVE-2017-14158 (Scrapy 1.4 allows remote attackers to cause a denial of service (memor ...) - python-scrapy (unimportant; bug #875947) NOTE: http://blog.csdn.net/wangtua/article/details/75228728 NOTE: https://github.com/scrapy/scrapy/issues/482 NOTE: Negligable security impact CVE-2017-14157 RESERVED CVE-2017-14156 (The atyfb_ioctl function in drivers/video/fbdev/aty/atyfb_base.c in th ...) {DSA-3981-1 DLA-1099-1} - linux 4.12.13-1 (low) CVE-2017-14155 RESERVED CVE-2017-14154 RESERVED CVE-2017-14153 (This vulnerability allows local attackers to escalate privileges on Ju ...) NOT-FOR-US: Jungo WinDriver CVE-2017-14164 (A size-validation issue was discovered in opj_j2k_write_sot in lib/ope ...) - openjpeg2 (Incomplete fix for CVE-2017-14152 not applied) CVE-2017-14152 (A mishandled zero case was discovered in opj_j2k_set_cinema_parameters ...) {DSA-4013-1} - openjpeg2 2.3.0-1 (bug #874431) NOTE: https://blogs.gentoo.org/ago/2017/08/16/openjpeg-heap-based-buffer-overflow-in-opj_write_bytes_le-cio-c/ NOTE: https://github.com/uclouvain/openjpeg/commit/4241ae6fbbf1de9658764a80944dc8108f2b4154 NOTE: https://github.com/uclouvain/openjpeg/issues/985 NOTE: When fixing this issue make sure to apply the complete fix including the following NOTE: commit: NOTE: https://github.com/uclouvain/openjpeg/commit/dcac91b8c72f743bda7dbfa9032356bc8110098a NOTE: to not make openjpeg2 vulnerable to CVE-2017-14164. CVE-2017-14151 (An off-by-one error was discovered in opj_tcd_code_block_enc_allocate_ ...) - openjpeg2 2.3.0-1 (bug #874430) [stretch] - openjpeg2 2.1.2-1.1+deb9u2 [jessie] - openjpeg2 (Vulnerable code introduced later, see #874430) NOTE: https://blogs.gentoo.org/ago/2017/08/16/openjpeg-heap-based-buffer-overflow-in-opj_mqc_flush-mqc-c/ NOTE: https://github.com/uclouvain/openjpeg/commit/afb308b9ccbe129608c9205cf3bb39bbefad90b9 NOTE: https://github.com/uclouvain/openjpeg/issues/982 CVE-2017-1000254 (libcurl may read outside of a heap allocated buffer when doing FTP. Wh ...) {DSA-3992-1 DLA-1121-1} - curl 7.56.1-1 (bug #877671) NOTE: https://curl.haxx.se/docs/adv_20171004.html NOTE: Patch: https://curl.haxx.se/CVE-2017-1000254.patch NOTE: Introduced by: https://github.com/curl/curl/commit/415d2e7cb7 NOTE: Upstream fix: https://github.com/curl/curl/commit/5ff2c5ff25750aba1a8f64fbcad8e5b891512584 CVE-2017-1000253 (Linux distributions that have not patched their long-term kernels with ...) - linux 4.0.2-1 [jessie] - linux 3.16.7-ckt11-1 [wheezy] - linux 3.2.71-1 CVE-2017-1000252 (The KVM subsystem in the Linux kernel through 4.13.3 allows guest OS u ...) - linux 4.12.13-1 [stretch] - linux 4.9.30-2+deb9u5 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb (v4.14-rc1) NOTE: https://marc.info/?l=kvm&m=150549145711115&w=2 NOTE: https://marc.info/?l=kvm&m=150549146311117&w=2 CVE-2017-1000251 (The native Bluetooth stack in the Linux Kernel (BlueZ), starting at th ...) {DSA-3981-1 DLA-1099-1} - linux 4.12.13-1 (bug #875881) NOTE: Fixed by: https://git.kernel.org/linus/e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3 NOTE: https://www.armis.com/blueborne/ NOTE: https://access.redhat.com/security/vulnerabilities/blueborne CVE-2017-1000250 (All versions of the SDP server in BlueZ 5.46 and earlier are vulnerabl ...) {DSA-3972-1 DLA-1103-1} - bluez 5.46-1 (bug #875633) NOTE: https://www.armis.com/blueborne/ NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=9e009647b14e810e06626dde7f1bb9ea3c375d09 CVE-2017-1000249 (An issue in file() was introduced in commit 9611f31313a93aa036389c5f3b ...) {DSA-3965-1} - file 1:5.32-1 [jessie] - file (Vulnerable code introduced later) [wheezy] - file (Vulnerable code introduced later) NOTE: Upstream fix: https://github.com/file/file/commit/35c94dc6acc418f1ad7f6241a6680e5327495793 NOTE: Introduced by: https://github.com/file/file/commit/9611f31313a93aa036389c5f3b15eea53510d4d1 CVE-2017-14150 RESERVED CVE-2017-14149 (GoAhead 3.4.0 through 3.6.5 has a NULL Pointer Dereference in the webs ...) NOT-FOR-US: GoAhead CVE-2017-14148 RESERVED CVE-2017-14147 (An issue was discovered on FiberHome User End Routers Bearing Model Nu ...) NOT-FOR-US: FiberHome CVE-2017-14146 (HelpDEZk 1.1.1 allows remote authenticated users to execute arbitrary ...) NOT-FOR-US: HelpDEZk CVE-2017-14145 (HelpDEZk 1.1.1 has SQL Injection in app\modules\admin\controllers\logi ...) NOT-FOR-US: HelpDEZk CVE-2017-14144 RESERVED CVE-2017-14143 (The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcod ...) NOT-FOR-US: Kaltura CVE-2017-14142 (Multiple cross-site scripting (XSS) vulnerabilities in Kaltura before ...) NOT-FOR-US: Kaltura CVE-2017-14141 (The wiki_decode Developer System Helper function in the admin panel in ...) NOT-FOR-US: Kaltura CVE-2017-14140 (The move_pages system call in mm/migrate.c in the Linux kernel before ...) {DSA-3981-1 DLA-1099-1} - linux 4.12.12-1 NOTE: Fixed by: https://git.kernel.org/linus/197e7e521384a23b9e585178f3f11c9fa08274b9 CVE-2017-14139 (ImageMagick 7.0.6-2 has a memory leak vulnerability in WriteMSLImage i ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/578 NOTE: https://github.com/ImageMagick/ImageMagick/commit/955bd1008a5371bbd1b8db0a1e41e333ebfc63ef NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/dbe0008c6fa225d01085ca86f3e425c306ee6240 NOTE: Requires: https://github.com/ImageMagick/ImageMagick/commit/d426a1dc84cfdafdac67bdb2a1ecc6e1798053e6 NOTE: Requires: https://github.com/ImageMagick/ImageMagick/commit/0dfce0579c881245e495aa2d8d114e63b96a860e CVE-2017-14138 (ImageMagick 7.0.6-5 has a memory leak vulnerability in ReadWEBPImage i ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/639 CVE-2017-14137 (ReadWEBPImage in coders/webp.c in ImageMagick 7.0.6-5 has an issue whe ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/641 NOTE: https://github.com/ImageMagick/ImageMagick/commit/cb63560ba25e4a6c51ab282538c24877fff7d471 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/cfc2bd4c87481d4cf60308cc6ffd3c61288ff004 NOTE: ImageMagick in Debian not compiled with webp support (--with-webp=yes) CVE-2017-14136 (OpenCV (Open Source Computer Vision Library) 3.3 has an out-of-bounds ...) - opencv (Incomplete patch never shipped) NOTE: https://github.com/opencv/opencv/issues/9443 NOTE: https://github.com/opencv/opencv/pull/9448 CVE-2017-14135 (enigma2-plugins/blob/master/webadmin/src/WebChilds/Script.py in the we ...) NOT-FOR-US: webadmin plugin for opendreambox CVE-2017-14134 (A Reflected XSS Vulnerability affects the forgotten password page of M ...) NOT-FOR-US: Maplesoft Maple CVE-2017-14133 RESERVED CVE-2017-14132 (JasPer 2.0.13 allows remote attackers to cause a denial of service (he ...) {DLA-1583-1} - jasper (low) [wheezy] - jasper (Minor issue) NOTE: https://github.com/mdadams/jasper/issues/147 NOTE: The suggested fix by thoger addresses the reported issue. CVE-2017-14131 RESERVED CVE-2017-14130 (The _bfd_elf_parse_attributes function in elf-attrs.c in the Binary Fi ...) - binutils 2.29-9 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22058 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=2a143b99fc4a5094a9cf128f3184d8e6818c8229 CVE-2017-14129 (The read_section function in dwarf2.c in the Binary File Descriptor (B ...) - binutils 2.29-10 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22047 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e4f2723003859dc6b33ca0dadbc4a7659ebf1643 CVE-2017-14128 (The decode_line_info function in dwarf2.c in the Binary File Descripto ...) - binutils 2.29-9 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22059 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7e8b60085eb3e6f2c41bc0c00c0d759fa7f72780 CVE-2017-14127 (Command Injection in the Ping Module in the Web Interface on Technicol ...) NOT-FOR-US: Technicolor CVE-2017-14126 (The Participants Database plugin before 1.7.5.10 for WordPress has XSS ...) NOT-FOR-US: Wordpress plugin CVE-2017-14125 (SQL injection vulnerability in the Responsive Image Gallery plugin bef ...) NOT-FOR-US: Responsive Image Gallery plugin for WordPress CVE-2017-14124 (In eLux RP 5.x before 5.5.1000 LTSR and 5.6.x before 5.6.2 CR when cla ...) NOT-FOR-US: eLux CVE-2017-14123 (Zoho ManageEngine Firewall Analyzer 12200 has an unrestricted File Upl ...) NOT-FOR-US: Zoho ManageEngine CVE-2017-14122 (unrar 0.0.1 (aka unrar-free or unrar-gpl) suffers from a stack-based b ...) - unrar-free 1:0.0.1+cvs20140707-4 (unimportant; bug #874060) NOTE: http://www.openwall.com/lists/oss-security/2017/08/20/1 NOTE: Crash in CLI tool, no security impact CVE-2017-14121 (The DecodeNumber function in unrarlib.c in unrar 0.0.1 (aka unrar-free ...) - unrar-free 1:0.0.1+cvs20140707-4 (unimportant; bug #874061) NOTE: http://www.openwall.com/lists/oss-security/2017/08/20/1 NOTE: Crash in CLI tool, no security impact CVE-2017-14120 (unrar 0.0.1 (aka unrar-free or unrar-gpl) suffers from a directory tra ...) {DLA-1091-1} - unrar-free 1:0.0.1+cvs20140707-2 (bug #874059) [stretch] - unrar-free (Minor issue) [jessie] - unrar-free (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/08/20/1 NOTE: Proposed patch: https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=874059;filename=874059.diff.txt;msg=29 CVE-2017-14119 (In the EyesOfNetwork web interface (aka eonweb) 5.1-0, module\tool_all ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14118 (In the EyesOfNetwork web interface (aka eonweb) 5.1-0, module\tool_all ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14117 (The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG589 and NVG5 ...) NOT-FOR-US: Arris CVE-2017-14116 (The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG599 device, ...) NOT-FOR-US: Arris CVE-2017-14115 (The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG589 and NVG5 ...) NOT-FOR-US: Arris CVE-2017-14114 (RTPproxy through 2.2.alpha.20160822 has a NAT feature that results in ...) - rtpproxy (unimportant; bug #874070) NOTE: https://rtpbleed.com/ NOTE: https://github.com/sippy/rtpproxy/issues/70 NOTE: Design limitation in RTP protocol CVE-2017-14113 REJECTED CVE-2017-14112 RESERVED CVE-2017-14111 (The workstation logging function in Philips IntelliSpace Cardiovascula ...) NOT-FOR-US: Philips IntelliSpace Cardiovascular and Xcelera CVE-2017-14110 RESERVED CVE-2017-1000201 (The tcmu-runner daemon in tcmu-runner version 1.0.5 to 1.2.0 is vulner ...) NOT-FOR-US: tcmu-runner CVE-2017-1000200 (tcmu-runner version 1.0.5 to 1.2.0 is vulnerable to a dbus triggered N ...) NOT-FOR-US: tcmu-runner CVE-2017-1000199 (tcmu-runner version 0.91 up to 1.20 is vulnerable to information discl ...) NOT-FOR-US: tcmu-runner CVE-2017-1000198 (tcmu-runner daemon version 0.9.0 to 1.2.0 is vulnerable to invalid mem ...) NOT-FOR-US: tcmu-runner CVE-2017-14109 RESERVED CVE-2017-14108 (libgedit.a in GNOME gedit through 3.22.1 allows remote attackers to ca ...) - gedit (unimportant; bug #875311) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=791037 NOTE: negligible security impact CVE-2017-14107 (The _zip_read_eocd64 function in zip_open.c in libzip before 1.3.0 mis ...) [experimental] - libzip 1.3.0+dfsg.1-1 - libzip 1.5.1-3 (low; bug #874010) [stretch] - libzip (Minor issue) [jessie] - libzip (Minor issue) [wheezy] - libzip (Minor issue) - php5 (unimportant) [jessie] - php5 5.6.33+dfsg-0+deb8u1 NOTE: https://blogs.gentoo.org/ago/2017/09/01/libzip-memory-allocation-failure-in-_zip_cdir_grow-zip_dirent-c/ NOTE: https://github.com/nih-at/libzip/commit/9b46957ec98d85a572e9ef98301247f39338a3b5 NOTE: PHP commit: https://github.com/php/php-src/commit/f6e8ce812174343b5c9fd1860f9e2e2864428567 NOTE: Marked as unimportant, php5 uses system libzip since 5.4.5-1 CVE-2017-14105 (HiveManager Classic through 8.1r1 allows arbitrary JSP code execution ...) NOT-FOR-US: HiveManager CVE-2017-14104 RESERVED CVE-2017-14106 (The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel befo ...) {DSA-3981-1 DLA-1099-1} - linux 4.12.6-1 NOTE: Fixed by: https://git.kernel.org/linus/499350a5a6e7512d9ed369ed63a4244b6536f4f8 (v4.12-rc3) CVE-2017-14103 (The ReadJNGImage and ReadOneJNGImage functions in coders/png.c in Grap ...) {DLA-1130-1} - graphicsmagick 1.3.26-8 [stretch] - graphicsmagick (Incomplete fix for CVE-2017-11403 not applied) [jessie] - graphicsmagick (Incomplete fix for CVE-2017-11403 not applied) NOTE: Fixed by: http://hg.code.sf.net/p/graphicsmagick/code/rev/98721124e51f NOTE: http://www.openwall.com/lists/oss-security/2017/09/01/6 NOTE: https://blogs.gentoo.org/ago/2017/07/12/graphicsmagick-use-after-free-in-closeblob-blob-c/ CVE-2017-14102 (MIMEDefang 2.80 and earlier creates a PID file after dropping privileg ...) - mimedefang 2.83-1 (bug #877363) [stretch] - mimedefang (Minor issue) [jessie] - mimedefang (Minor issue) [wheezy] - mimedefang (Minor issue only exploitable if daemon is compromised in some other way) NOTE: http://lists.roaringpenguin.com/pipermail/mimedefang/2017-August/038077.html NOTE: http://lists.roaringpenguin.com/pipermail/mimedefang/2017-August/038085.html CVE-2017-14101 (A security researcher found an XML External Entity (XXE) vulnerability ...) NOT-FOR-US: Conserus Image Repository CVE-2017-14097 (An improper access control vulnerability in Trend Micro Smart Protecti ...) NOT-FOR-US: Trend Micro CVE-2017-14096 (A stored cross site scripting (XSS) vulnerability in Trend Micro Smart ...) NOT-FOR-US: Trend Micro CVE-2017-14095 (A vulnerability in Trend Micro Smart Protection Server (Standalone) ve ...) NOT-FOR-US: Trend Micro CVE-2017-14094 (A vulnerability in Trend Micro Smart Protection Server (Standalone) ve ...) NOT-FOR-US: Trend Micro CVE-2017-14093 (The Log Query and Quarantine Query pages in Trend Micro ScanMail for E ...) NOT-FOR-US: Trend Micro ScanMail for Exchange CVE-2017-14092 (The absence of Anti-CSRF tokens in Trend Micro ScanMail for Exchange 1 ...) NOT-FOR-US: Trend Micro ScanMail for Exchange CVE-2017-14091 (A vulnerability in Trend Micro ScanMail for Exchange 12.0 exists in wh ...) NOT-FOR-US: Trend Micro ScanMail for Exchange CVE-2017-14090 (A vulnerability in Trend Micro ScanMail for Exchange 12.0 exists in wh ...) NOT-FOR-US: Trend Micro ScanMail for Exchange CVE-2017-14089 (An Unauthorized Memory Corruption vulnerability in Trend Micro OfficeS ...) NOT-FOR-US: Trend Micro CVE-2017-14088 (Memory Corruption Privilege Escalation vulnerabilities in Trend Micro ...) NOT-FOR-US: Trend Micro CVE-2017-14087 (A Host Header Injection vulnerability in Trend Micro OfficeScan XG (12 ...) NOT-FOR-US: Trend Micro CVE-2017-14086 (Pre-authorization Start Remote Process vulnerabilities in Trend Micro ...) NOT-FOR-US: Trend Micro CVE-2017-14085 (Information disclosure vulnerabilities in Trend Micro OfficeScan 11.0 ...) NOT-FOR-US: Trend Micro CVE-2017-14084 (A potential Man-in-the-Middle (MitM) attack vulnerability in Trend Mic ...) NOT-FOR-US: Trend Micro CVE-2017-14083 (A vulnerability in Trend Micro OfficeScan 11.0 and XG allows remote un ...) NOT-FOR-US: Trend Micro CVE-2017-14082 (An uninitialized pointer information disclosure vulnerability in Trend ...) NOT-FOR-US: Trend Micro CVE-2017-14081 (Proxy command injection vulnerabilities in Trend Micro Mobile Security ...) NOT-FOR-US: Trend Micro Mobile Security CVE-2017-14080 (Authentication bypass vulnerability in Trend Micro Mobile Security (En ...) NOT-FOR-US: Trend Micro Mobile Security CVE-2017-14079 (Unrestricted file uploads in Trend Micro Mobile Security (Enterprise) ...) NOT-FOR-US: Trend Micro Mobile Security CVE-2017-14078 (SQL Injection vulnerabilities in Trend Micro Mobile Security (Enterpri ...) NOT-FOR-US: Trend Micro Mobile Security CVE-2017-14098 (In the pjsip channel driver (res_pjsip) in Asterisk 13.x before 13.17. ...) - asterisk 1:13.17.1~dfsg-1 (bug #873909) [stretch] - asterisk (Vulnerable code not present; issue introduced in 13.15) [jessie] - asterisk (Vulnerable code not present; issue introduced in 13.15) [wheezy] - asterisk (Vulnerable code not present; issue introduced in 13.15) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27152 NOTE: Fix: https://gerrit.asterisk.org/#/q/topic:ASTERISK-27152 CVE-2017-14100 (In Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before ...) {DSA-3964-1 DLA-1122-1} - asterisk 1:13.17.1~dfsg-1 (bug #873908) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27103 NOTE: Fix: https://gerrit.asterisk.org/#/q/topic:ASTERISK-27103 CVE-2017-14099 (In res/res_rtp_asterisk.c in Asterisk 11.x before 11.25.2, 13.x before ...) {DSA-3964-1} - asterisk 1:13.17.1~dfsg-1 (bug #873907) [wheezy] - asterisk (strictrtp option is disabled by default. Too intrusive too backport) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27013 NOTE: Fix: https://gerrit.asterisk.org/#/q/topic:ASTERISK-27013 CVE-2017-14077 (HTML Injection in Securimage 3.6.4 and earlier allows remote attackers ...) NOT-FOR-US: Securimage CVE-2017-14076 (SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the id paramet ...) NOT-FOR-US: NexusPHP CVE-2017-14075 (This vulnerability allows local attackers to escalate privileges on Ju ...) NOT-FOR-US: Jungo WinDriver CVE-2017-14074 RESERVED CVE-2017-14073 RESERVED CVE-2017-14072 RESERVED CVE-2017-14071 RESERVED CVE-2017-14070 (Cross Site Scripting (XSS) exists in NexusPHP 1.5.beta5.20120707 via t ...) NOT-FOR-US: NexusPHP CVE-2017-14069 (SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the usernw arr ...) NOT-FOR-US: NexusPHP CVE-2017-14068 RESERVED CVE-2017-14067 RESERVED CVE-2017-14066 RESERVED CVE-2017-14065 RESERVED CVE-2017-14064 (Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can e ...) {DSA-3966-1 DLA-1421-1 DLA-1114-1} - ruby2.3 2.3.3-1+deb9u1 (bug #873906) - ruby2.1 - ruby1.9.1 NOTE: https://bugs.ruby-lang.org/issues/13853 NOTE: https://github.com/flori/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85 CVE-2017-14062 (Integer overflow in the decode_digit function in puny_decode.c in Libi ...) {DSA-3988-1 DLA-1447-1 DLA-1085-1 DLA-1084-1} - libidn2-0 2.0.2-4 (bug #873902) - libidn 1.33-2 (bug #873903) [stretch] - libidn 1.33-1+deb9u1 NOTE: https://gitlab.com/libidn/libidn2/commit/3284eb342cd0ed1a18786e3fcdf0cdd7e76676bd CVE-2017-14061 (Integer overflow in the _isBidi function in bidi.c in Libidn2 before 2 ...) - libidn2-0 2.0.2-4 (bug #873904) [stretch] - libidn2-0 (Vulnerable code not present) [jessie] - libidn2-0 (Vulnerable code not present) [wheezy] - libidn2-0 (Vulnerable code not present) - libidn (Vulnerable code not present) NOTE: https://gitlab.com/libidn/libidn2/commit/16853b6973a1e72fee2b7cccda85472cb9951305 CVE-2017-14060 (In ImageMagick 7.0.6-10, a NULL Pointer Dereference issue is present i ...) {DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #878506) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/710 NOTE: https://github.com/ImageMagick/ImageMagick/commit/c535e1f1a6b1faaa35e007df4fc535ec08daa97c NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/5bdfef29f5e6744f36f25ec04583c6b6f4a13b48 CVE-2017-14059 (In FFmpeg 3.3.3, a DoS in cine_read_header() due to lack of an EOF che ...) {DSA-3996-1} - ffmpeg 7:3.3.4-1 (low) - libav [jessie] - libav (vulnerable code is not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/7e80b63ecd259d69d383623e75b318bf2bd491f6 CVE-2017-14058 (In FFmpeg 3.3.3, the read_data function in libavformat/hls.c does not ...) {DSA-3996-1 DLA-1740-1} - ffmpeg 7:3.3.4-1 (low) - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/7ec414892ddcad88313848494b6fc5f437c9ca4a CVE-2017-14057 (In FFmpeg 3.3.3, a DoS in asf_read_marker() due to lack of an EOF (End ...) {DSA-3996-1 DLA-1630-1} - ffmpeg 7:3.3.4-1 (low) - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/7f9ec5593e04827249e7aeb466da06a98a0d7329 NOTE: libav: The vulnerable code is in asfdec.c. CVE-2017-14056 (In libavformat/rl2.c in FFmpeg 3.3.3, a DoS in rl2_read_header() due t ...) {DSA-3996-1 DLA-1630-1} - ffmpeg 7:3.3.4-1 (low) - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de CVE-2017-14055 (In libavformat/mvdec.c in FFmpeg 3.3.3, a DoS in mv_read_header() due ...) {DSA-3996-1 DLA-1630-1} - ffmpeg 7:3.3.4-1 (low) - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/4f05e2e2dc1a89f38cd9f0960a6561083d714f1e CVE-2017-14054 (In libavformat/rmdec.c in FFmpeg 3.3.3, a DoS in ivr_read_header() due ...) {DSA-3996-1} - ffmpeg 7:3.3.4-1 (low) - libav [jessie] - libav (vulnerable code is not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/124eb202e70678539544f6268efc98131f19fa49 CVE-2017-14053 (NetApp OnCommand Unified Manager for Clustered Data ONTAP before 7.2P1 ...) NOT-FOR-US: NetApp CVE-2017-14052 RESERVED CVE-2016-10510 (Cross-site scripting (XSS) vulnerability in the Security component of ...) {DLA-1241-1} - libkohana2-php [jessie] - libkohana2-php (Minor issue) NOTE: https://github.com/kohana/kohana/issues/107 NOTE: Fixed by https://github.com/kohana/core/pull/697 CVE-2016-10509 (SQL injection vulnerability in the updateAmazonOrderTracking function ...) NOT-FOR-US: OpenCart CVE-2016-10508 (Multiple cross-site scripting (XSS) vulnerabilities in phpThumb() befo ...) NOT-FOR-US: phpThumb CVE-2017-14063 (Async Http Client (aka async-http-client) before 2.0.35 can be tricked ...) - async-http-client (Vulnerable code introduced later after port to new Request API) NOTE: https://github.com/AsyncHttpClient/async-http-client/issues/1455 NOTE: https://github.com/AsyncHttpClient/async-http-client/commit/eb9e3347e45319be494db24d285a2aee4396f5d3 CVE-2017-14050 (In BlackCat CMS 1.2, backend/addons/install.php allows remote authenti ...) NOT-FOR-US: BlackCat CMS CVE-2017-14049 (In BlackCat CMS 1.2, backend/settings/ajax_save_settings.php allows re ...) NOT-FOR-US: BlackCat CMS CVE-2017-14048 (BlackCat CMS 1.2 allows remote authenticated users to inject arbitrary ...) NOT-FOR-US: BlackCat CMS CVE-2017-14047 RESERVED CVE-2017-14046 RESERVED CVE-2017-14045 RESERVED CVE-2017-14044 RESERVED CVE-2017-14043 RESERVED CVE-2017-14038 (CrushFTP before 7.8.0 and 8.x before 8.2.0 has a redirect vulnerabilit ...) NOT-FOR-US: CrushFTP CVE-2017-14037 (CrushFTP before 7.8.0 and 8.x before 8.2.0 has an HTTP header vulnerab ...) NOT-FOR-US: CrushFTP CVE-2017-14036 (CrushFTP before 7.8.0 and 8.x before 8.2.0 has XSS. ...) NOT-FOR-US: CrushFTP CVE-2017-14035 (CrushFTP 8.x before 8.2.0 has a serialization vulnerability. ...) NOT-FOR-US: CrushFTP CVE-2017-14051 (An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in ...) {DLA-1200-1} - linux 4.12.13-1 (unimportant) [stretch] - linux 4.9.30-2+deb9u5 [jessie] - linux 3.16.43-2+deb8u5 NOTE: Fixed by: https://git.kernel.org/linus/e6f77540c067b48dee10f1e33678415bfcc89017 NOTE: https://patchwork.kernel.org/patch/9929625/ NOTE: Non issue, only "exploitable" with root access CVE-2017-14034 (The restore_tqb_pixels function in hevc_filter.c in libavcodec, as use ...) NOT-FOR-US: libbpg NOTE: Issue 3 from https://github.com/ebel34/bpg-web-encoder/issues/1 CVE-2017-14033 (The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, 2. ...) {DSA-4031-1 DLA-1421-1 DLA-1114-1} - ruby2.3 2.3.5-1 (bug #875928) - ruby2.1 - ruby1.9.1 - ruby1.8 (vunlerable code not present) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1058757 NOTE: https://www.ruby-lang.org/en/news/2017/09/14/openssl-asn1-buffer-underrun-cve-2017-14033/ NOTE: https://github.com/ruby/openssl/commit/1648afef33c1d97fb203c82291b8a61269e85d3b CVE-2017-14031 (An Improper Access Control issue was discovered in Trihedral VTScada 1 ...) NOT-FOR-US: Trihedral VTScada CVE-2017-14030 (An issue was discovered in Moxa MXview v2.8 and prior. The unquoted se ...) NOT-FOR-US: Moxa MXview CVE-2017-14029 (An Uncontrolled Search Path Element issue was discovered in Trihedral ...) NOT-FOR-US: Trihedral VTScada CVE-2017-14028 (A Resource Exhaustion issue was discovered in Moxa NPort 5110 Version ...) NOT-FOR-US: Moxa CVE-2017-14027 (A Use of Hard-coded Credentials issue was discovered in Korenix JetNet ...) NOT-FOR-US: Korenix CVE-2017-14026 (In Ice Qube Thermal Management Center versions prior to version 4.13, ...) NOT-FOR-US: Ice Qube Thermal Management Center CVE-2017-14025 (An Improper Input Validation issue was discovered in ABB FOX515T relea ...) NOT-FOR-US: ABB FOX515T CVE-2017-14024 (A Stack-based Buffer Overflow issue was discovered in Schneider Electr ...) NOT-FOR-US: Schneider Electric CVE-2017-14023 (An Improper Input Validation issue was discovered in Siemens SIMATIC P ...) NOT-FOR-US: Siemens CVE-2017-14022 (An Improper Input Validation issue was discovered in Rockwell Automati ...) NOT-FOR-US: Rockwell Automation FactoryTalk Alarms and Events CVE-2017-14021 (A Use of Hard-coded Cryptographic Key issue was discovered in Korenix ...) NOT-FOR-US: Korenix CVE-2017-14020 (In AutomationDirect CLICK Programming Software (Part Number C0-PGMSW) ...) NOT-FOR-US: AutomationDirect CVE-2017-14019 (An Unquoted Search Path or Element issue was discovered in Progea Movi ...) NOT-FOR-US: Progea Movicon CVE-2017-14018 (An improper authentication issue was discovered in Johnson & Johns ...) NOT-FOR-US: Johnson & Johnson Ethicon Endo-Surgery Generator Gen11 CVE-2017-14017 (An Uncontrolled Search Path Element issue was discovered in Progea Mov ...) NOT-FOR-US: Progea Movicon CVE-2017-14016 (A Stack-based Buffer Overflow issue was discovered in Advantech WebAcc ...) NOT-FOR-US: Advantech CVE-2017-14015 RESERVED CVE-2017-14014 (Boston Scientific ZOOM LATITUDE PRM Model 3120 uses a hard-coded crypt ...) NOT-FOR-US: Boston Scientific ZOOM LATITUDE PRM Model 3120 CVE-2017-14013 (A Client-Side Enforcement of Server-Side Security issue was discovered ...) NOT-FOR-US: ProMinent MultiFLEX M10a Controller CVE-2017-14012 (Boston Scientific ZOOM LATITUDE PRM Model 3120 does not encrypt PHI at ...) NOT-FOR-US: Boston Scientific ZOOM LATITUDE PRM Model 3120 CVE-2017-14011 (A Cross-Site Request Forgery issue was discovered in ProMinent MultiFL ...) NOT-FOR-US: ProMinent MultiFLEX M10a Controller CVE-2017-14010 (In SpiderControl MicroBrowser Windows XP, Vista 7, 8 and 10, Versions ...) NOT-FOR-US: SpiderControl CVE-2017-14009 (An Information Exposure issue was discovered in ProMinent MultiFLEX M1 ...) NOT-FOR-US: ProMinent MultiFLEX M10a Controller CVE-2017-14008 (GE Centricity PACS RA1000, diagnostic image analysis, all current vers ...) NOT-FOR-US: GE Centricity PACS RA1000 CVE-2017-14007 (An Insufficient Session Expiration issue was discovered in ProMinent M ...) NOT-FOR-US: ProMinent MultiFLEX M10a Controller CVE-2017-14006 (GE Xeleris versions 1.0,1.1,2.1,3.0,3.1, medical imaging systems, all ...) NOT-FOR-US: GE Xeleris CVE-2017-14005 (An Unverified Password Change issue was discovered in ProMinent MultiF ...) NOT-FOR-US: ProMinent MultiFLEX M10a Controller CVE-2017-14004 (GE GEMNet License server (EchoServer) all current versions are affecte ...) NOT-FOR-US: GE GEMNet License server CVE-2017-14003 (An Authentication Bypass by Spoofing issue was discovered in LAVA Ethe ...) NOT-FOR-US: LAVA Ether-Serial Link CVE-2017-14002 (GE Infinia/Infinia with Hawkeye 4 medical imaging systems all current ...) NOT-FOR-US: GE Infinia/Infinia with Hawkeye 4 medical imaging systems CVE-2017-14001 (An Improper Neutralization of Special Elements used in an OS Command i ...) NOT-FOR-US: Asterisk GUI NOTE: Different from standard asterisk: https://wiki.asterisk.org/wiki/display/AST/Asterisk+GUI CVE-2017-14000 (An Improper Authentication issue was discovered in Ctek SkyRouter Seri ...) NOT-FOR-US: Ctek SkyRouter CVE-2017-13999 (A Stack-based Buffer Overflow issue was discovered in WECON LEVI Studi ...) NOT-FOR-US: WECON LEVI Studio HMI Editor CVE-2017-13998 (An Insufficiently Protected Credentials issue was discovered in LOYTEC ...) NOT-FOR-US: LOYTEC LVIS-3ME CVE-2017-13997 (A Missing Authentication for Critical Function issue was discovered in ...) NOT-FOR-US: Schneider CVE-2017-13996 (A Relative Path Traversal issue was discovered in LOYTEC LVIS-3ME vers ...) NOT-FOR-US: LOYTEC LVIS-3ME CVE-2017-13995 (An Improper Authentication issue was discovered in iniNet Solutions in ...) NOT-FOR-US: iniNet Solutions iniNet Webserver CVE-2017-13994 (A Cross-site Scripting issue was discovered in LOYTEC LVIS-3ME version ...) NOT-FOR-US: LOYTEC LVIS-3ME CVE-2017-13993 (An Uncontrolled Search Path or Element issue was discovered in i-SENS ...) NOT-FOR-US: i-SENS SmartLog Diabetes Management Software CVE-2017-13992 (An Insufficient Entropy issue was discovered in LOYTEC LVIS-3ME versio ...) NOT-FOR-US: LOYTEC LVIS-3ME CVE-2017-13991 (An information leakage vulnerability in ArcSight ESM and ArcSight ESM ...) NOT-FOR-US: ArcSight CVE-2017-13990 (An information leakage vulnerability in ArcSight ESM and ArcSight ESM ...) NOT-FOR-US: ArcSight CVE-2017-13989 (An improper access control vulnerability in ArcSight ESM and ArcSight ...) NOT-FOR-US: ArcSight CVE-2017-13988 (An improper access control vulnerability in ArcSight ESM and ArcSight ...) NOT-FOR-US: ArcSight CVE-2017-13987 (An insufficient access control vulnerability in ArcSight ESM and ArcSi ...) NOT-FOR-US: ArcSight CVE-2017-13986 (A reflected Cross-Site Scripting(XSS) vulnerability in ArcSight ESM an ...) NOT-FOR-US: ArcSight CVE-2017-13985 (An authentication vulnerability in HPE BSM Platform Application Perfor ...) NOT-FOR-US: HP CVE-2017-13984 (An authentication vulnerability in HPE BSM Platform Application Perfor ...) NOT-FOR-US: HP CVE-2017-13983 (An authentication vulnerability in HPE BSM Platform Application Perfor ...) NOT-FOR-US: HP CVE-2017-13982 (A directory traversal vulnerability in HPE BSM Platform Application Pe ...) NOT-FOR-US: HP CVE-2017-13981 RESERVED CVE-2017-13980 RESERVED CVE-2017-13979 RESERVED CVE-2017-13978 RESERVED CVE-2017-13977 RESERVED CVE-2017-13976 RESERVED CVE-2017-13975 RESERVED CVE-2017-13974 RESERVED CVE-2017-13973 RESERVED CVE-2017-13972 RESERVED CVE-2017-13971 RESERVED CVE-2017-13970 RESERVED CVE-2017-13969 RESERVED CVE-2017-13968 RESERVED CVE-2017-13967 RESERVED CVE-2017-13966 RESERVED CVE-2017-13965 RESERVED CVE-2017-13964 RESERVED CVE-2017-13963 RESERVED CVE-2017-13962 RESERVED CVE-2017-13961 RESERVED CVE-2017-13960 RESERVED CVE-2017-13959 RESERVED CVE-2017-13958 RESERVED CVE-2017-13957 RESERVED CVE-2017-13956 RESERVED CVE-2017-13955 RESERVED CVE-2017-13954 RESERVED CVE-2017-13953 RESERVED CVE-2017-13952 RESERVED CVE-2017-13951 RESERVED CVE-2017-13950 RESERVED CVE-2017-13949 RESERVED CVE-2017-13948 RESERVED CVE-2017-13947 RESERVED CVE-2017-13946 RESERVED CVE-2017-13945 RESERVED CVE-2017-13944 RESERVED CVE-2017-13943 RESERVED CVE-2017-13942 RESERVED CVE-2017-13941 RESERVED CVE-2017-13940 RESERVED CVE-2017-13939 RESERVED CVE-2017-13938 RESERVED CVE-2017-13937 RESERVED CVE-2017-13936 RESERVED CVE-2017-13935 RESERVED CVE-2017-13934 RESERVED CVE-2017-13933 RESERVED CVE-2017-13932 RESERVED CVE-2017-13931 RESERVED CVE-2017-13930 RESERVED CVE-2017-13929 RESERVED CVE-2017-13928 RESERVED CVE-2017-13927 RESERVED CVE-2017-13926 RESERVED CVE-2017-13925 RESERVED CVE-2017-13924 RESERVED CVE-2017-13923 RESERVED CVE-2017-13922 RESERVED CVE-2017-13921 RESERVED CVE-2017-13920 RESERVED CVE-2017-13919 RESERVED CVE-2017-13918 RESERVED CVE-2017-13917 RESERVED CVE-2017-13916 RESERVED CVE-2017-13915 RESERVED CVE-2017-13914 RESERVED CVE-2017-13913 RESERVED CVE-2017-13912 RESERVED CVE-2017-13911 (A configuration issue was addressed with additional restrictions. This ...) NOT-FOR-US: Apple CVE-2017-13910 RESERVED CVE-2017-13909 RESERVED CVE-2017-13908 RESERVED CVE-2017-13907 RESERVED CVE-2017-13906 RESERVED CVE-2017-13905 RESERVED CVE-2017-13904 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-13903 (An issue was discovered in certain Apple products. iOS before 11.2.1 i ...) NOT-FOR-US: Apple CVE-2017-13902 RESERVED CVE-2017-13901 RESERVED CVE-2017-13900 RESERVED CVE-2017-13899 RESERVED CVE-2017-13898 RESERVED CVE-2017-13897 RESERVED CVE-2017-13896 RESERVED CVE-2017-13895 RESERVED CVE-2017-13894 RESERVED CVE-2017-13893 RESERVED CVE-2017-13892 RESERVED CVE-2017-13891 (In iOS before 11.2, an inconsistent user interface issue was addressed ...) NOT-FOR-US: Apple CVE-2017-13890 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13889 (In macOS High Sierra before 10.13.3, Security Update 2018-001 Sierra, ...) NOT-FOR-US: Apple CVE-2017-13888 (In iOS before 11.2, a type confusion issue was addressed with improved ...) NOT-FOR-US: Apple CVE-2017-13887 (In macOS High Sierra before 10.13.2, a logic issue existed in APFS whe ...) NOT-FOR-US: Apple CVE-2017-13886 (In macOS High Sierra before 10.13.2, an access issue existed with priv ...) NOT-FOR-US: Apple CVE-2017-13885 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) - webkit2gtk 2.18.6-1 (unimportant) [stretch] - webkit2gtk 2.18.6-1~deb9u1 NOTE: https://webkitgtk.org/security/WSA-2018-0002.html NOTE: Not covered by security support CVE-2017-13884 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) - webkit2gtk 2.18.6-1 (unimportant) [stretch] - webkit2gtk 2.18.6-1~deb9u1 NOTE: https://webkitgtk.org/security/WSA-2018-0002.html NOTE: Not covered by security support CVE-2017-13883 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13882 RESERVED CVE-2017-13881 RESERVED CVE-2017-13880 RESERVED CVE-2017-13879 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-13878 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13877 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-13876 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-13875 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13874 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-13873 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-13872 (An issue was discovered in certain Apple products. macOS High Sierra b ...) NOT-FOR-US: Apple CVE-2017-13871 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13870 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) - webkit2gtk 2.18.4-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0010.html NOTE: Not covered by security support CVE-2017-13869 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-13868 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-13867 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-13866 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) - webkit2gtk 2.18.4-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0010.html NOTE: Not covered by security support CVE-2017-13865 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-13864 (An issue was discovered in certain Apple products. iCloud before 7.2 o ...) NOT-FOR-US: Apple CVE-2017-13863 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-13862 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-13861 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-13860 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-13859 RESERVED CVE-2017-13858 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13857 RESERVED CVE-2017-13856 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) - webkit2gtk 2.18.4-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0010.html NOTE: Not covered by security support CVE-2017-13855 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-13854 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-13853 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-13852 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) NOT-FOR-US: Apple CVE-2017-13851 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Apple CVE-2017-13850 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-13849 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) NOT-FOR-US: Apple CVE-2017-13848 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13847 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-13846 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Potentially src:pcre3, but Apple doesn't play by the rules CVE-2017-13845 RESERVED CVE-2017-13844 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) NOT-FOR-US: Apple CVE-2017-13843 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13842 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13841 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13840 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13839 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Apple CVE-2017-13838 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13837 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Apple CVE-2017-13836 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13835 RESERVED CVE-2017-13834 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13833 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13832 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13831 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13830 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13829 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13828 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13827 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Apple CVE-2017-13826 REJECTED CVE-2017-13825 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13824 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13823 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13822 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13821 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13820 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13819 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13818 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13817 (An out-of-bounds read issue was discovered in certain Apple products. ...) NOT-FOR-US: Apple CVE-2017-13816 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Potentially src:libarchive, but Apple doesn't play by the rules CVE-2017-13815 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Potentially src:file, but Apple doesn't play by the rules CVE-2017-13814 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13813 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Potentially src:libarchive, but Apple doesn't play by the rules CVE-2017-13812 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Potentially src:libarchive, but Apple doesn't play by the rules CVE-2017-13811 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13810 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13809 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13808 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13807 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13806 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-13805 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) NOT-FOR-US: Apple CVE-2017-13804 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) NOT-FOR-US: Apple CVE-2017-13803 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) - webkit2gtk 2.18.3-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0009.html NOTE: Not covered by security support CVE-2017-13802 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0009.html NOTE: Not covered by security support CVE-2017-13801 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13800 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13799 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) NOT-FOR-US: Apple CVE-2017-13798 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) - webkit2gtk 2.18.3-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0009.html NOTE: Not covered by security support CVE-2017-13797 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) NOT-FOR-US: Apple-specific Webkit change (since not mentioned in webkitgtk releases) CVE-2017-13796 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0009.html NOTE: Not covered by security support CVE-2017-13795 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0009.html NOTE: Not covered by security support CVE-2017-13794 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0009.html NOTE: Not covered by security support CVE-2017-13793 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0009.html NOTE: Not covered by security support CVE-2017-13792 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0009.html NOTE: Not covered by security support CVE-2017-13791 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0009.html NOTE: Not covered by security support CVE-2017-13790 (An issue was discovered in certain Apple products. Safari before 11.0. ...) NOT-FOR-US: Apple Safari CVE-2017-13789 (An issue was discovered in certain Apple products. Safari before 11.0. ...) NOT-FOR-US: Apple Safari CVE-2017-13788 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) - webkit2gtk 2.18.3-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0009.html NOTE: Not covered by security support CVE-2017-13787 RESERVED CVE-2017-13786 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13785 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0009.html NOTE: Not covered by security support CVE-2017-13784 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0009.html NOTE: Not covered by security support CVE-2017-13783 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0009.html NOTE: Not covered by security support CVE-2017-13782 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13781 RESERVED CVE-2017-13780 (The EyesOfNetwork web interface (aka eonweb) 5.1-0 allows directory tr ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14032 (ARM mbed TLS before 1.3.21 and 2.x before 2.1.9, if optional authentic ...) {DSA-3967-1} - mbedtls 2.6.0-1 (bug #873557) - polarssl [jessie] - polarssl (Vulnerable code not present) [wheezy] - polarssl (Vulnerable code not present) NOTE: Affected versions: all from version 1.3.10 up and including 2.1 and later releases NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02 NOTE: https://github.com/ARMmbed/mbedtls/commit/31458a18788b0cf0b722acda9bb2f2fe13a3fb32 NOTE: https://github.com/ARMmbed/mbedtls/commit/d15795acd5074e0b44e71f7ede8bdfe1b48591fc CVE-2017-13779 (GSTN_offline_tool in India Goods and Services Tax Network (GSTN) Offli ...) NOT-FOR-US: India Goods and Services Tax Network CVE-2017-13778 (Fiyo CMS 2.0.7 has XSS in dapur\apps\app_config\sys_config.php via the ...) NOT-FOR-US: Fiyo CMS CVE-2017-13777 (GraphicsMagick 1.3.26 has a denial of service issue in ReadXBMImage() ...) {DSA-4321-1 DLA-1456-1 DLA-1082-1} - graphicsmagick 1.3.26-8 (low) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/233a720bfd5e CVE-2017-13776 (GraphicsMagick 1.3.26 has a denial of service issue in ReadXBMImage() ...) {DSA-4321-1 DLA-1456-1 DLA-1082-1} - graphicsmagick 1.3.26-8 (low) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/233a720bfd5e CVE-2017-13775 (GraphicsMagick 1.3.26 has a denial of service issue in ReadJNXImage() ...) {DSA-4321-1 DLA-1456-1} - graphicsmagick 1.3.26-8 (low) [wheezy] - graphicsmagick (Vulnerable code not present) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/b037d79b6ccd CVE-2017-13774 (Hikvision iVMS-4200 devices before v2.6.2.7 allow local users to gener ...) NOT-FOR-US: Hikvision CVE-2017-13773 RESERVED CVE-2017-13772 (Multiple stack-based buffer overflows in TP-Link WR940N WiFi routers w ...) NOT-FOR-US: TP-Link CVE-2017-13771 (Lexmark Scan To Network (SNF) 3.2.9 and earlier stores network configu ...) NOT-FOR-US: Lexmark Scan To Network CVE-2017-13770 RESERVED CVE-2017-13769 (The WriteTHUMBNAILImage function in coders/thumbnail.c in ImageMagick ...) {DSA-4040-1 DSA-4032-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #878507) NOTE: https://github.com/ImageMagick/ImageMagick/issues/705 NOTE: https://github.com/ImageMagick/ImageMagick/commit/45d342155b5e9b83904c695411d20f33cf9b524c NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/457e63263de6f732785608504b6e607799ad3dd5 NOTE: Extra checks: NOTE: https://github.com/ImageMagick/ImageMagick/commit/5a3897693a8b4e97add649c0ca1d538bd90f59c9 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/abb9d1322317733b799e8b87b2e346b3038f3260 CVE-2017-13768 (Null Pointer Dereference in the IdentifyImage function in MagickCore/i ...) {DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #875352) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/706 NOTE: https://github.com/ImageMagick/ImageMagick/commit/152e510e2b7858efe5992ed95090d8e0049417f3 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/2c1b360d80e5f8f7c7108c0afedde64ab79318ff CVE-2017-13767 (In Wireshark 2.4.0, 2.2.0 to 2.2.8, and 2.0.0 to 2.0.14, the MSDP diss ...) - wireshark 2.4.1-1 [jessie] - wireshark (Minor issue) [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13933 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=6f18ace2a2683418a9368a8dfd92da6bd8213e15 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-38.html CVE-2017-13766 (In Wireshark 2.4.0 and 2.2.0 to 2.2.8, the Profinet I/O dissector coul ...) - wireshark 2.4.1-1 [stretch] - wireshark 2.2.6+g32dac6a-2+deb9u1 [jessie] - wireshark (Vulnerable code not present) [wheezy] - wireshark (Vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13847 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2096bc1e5078732543e0a3ee115a2ce520a72bbc NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=af7b093ca528516c14247acb545046199d30843e NOTE: https://www.wireshark.org/security/wnpa-sec-2017-39.html CVE-2017-13765 (In Wireshark 2.4.0, 2.2.0 to 2.2.8, and 2.0.0 to 2.0.14, the IrCOMM di ...) {DLA-1634-1} - wireshark 2.4.1-1 [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13929 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=94666d4357096fc45e3bcad3d9414a14f0831bc8 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-41.html CVE-2017-13764 (In Wireshark 2.4.0, the Modbus dissector could crash with a NULL point ...) - wireshark 2.4.1-1 [jessie] - wireshark (vulnerable request not implemented) [wheezy] - wireshark (vulnerable request not implemented) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13925 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=b87ffbd12bddf64582c0a6e082b462744474de94 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-40.html CVE-2017-13763 (ONOS versions 1.8.0, 1.9.0, and 1.10.0 do not restrict the amount of m ...) NOT-FOR-US: ONOS CVE-2017-13762 (ONOS versions 1.8.0, 1.9.0, and 1.10.0 are vulnerable to XSS. ...) NOT-FOR-US: ONOS CVE-2017-13761 (The Fastly CDN module before 1.2.26 for Magento2, when used with a thi ...) NOT-FOR-US: Fastly CDN module for Magento2 CVE-2017-13760 (In The Sleuth Kit (TSK) 4.4.2, fls hangs on a corrupt exfat image in t ...) - sleuthkit 4.4.2-3 (unimportant; bug #873724) NOTE: https://github.com/sleuthkit/sleuthkit/issues/906 NOTE: Negligible security impact CVE-2017-13759 RESERVED CVE-2017-13758 (In ImageMagick 7.0.6-10, there is a heap-based buffer overflow in the ...) {DSA-4040-1 DSA-4032-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #878508) NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=32583 NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/ef6cee1bcf144b7c9285787920361a53296e7907 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/57eced684ad0660fe580800d977ba94623ec67ac CVE-2017-13757 (The Binary File Descriptor (BFD) library (aka libbfd), as distributed ...) - binutils 2.29-10 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22018 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=90efb6422939ca031804266fba669f77c22a274a CVE-2017-13756 (In The Sleuth Kit (TSK) 4.4.2, opening a crafted disk image triggers i ...) - sleuthkit 4.4.2-3 (unimportant; bug #873725) NOTE: https://github.com/sleuthkit/sleuthkit/issues/914 NOTE: Negligible security impact CVE-2017-13755 (In The Sleuth Kit (TSK) 4.4.2, opening a crafted ISO 9660 image trigge ...) - sleuthkit 4.4.2-3 (unimportant; bug #873726) NOTE: https://github.com/sleuthkit/sleuthkit/issues/913 NOTE: Negligible security impact CVE-2017-13754 (Cross-site scripting (XSS) vulnerability in the "advanced settings - t ...) NOT-FOR-US: Wibu-Systems CVE-2016-10507 (Integer overflow vulnerability in the bmp24toimage function in convert ...) - openjpeg2 2.1.2-1 [jessie] - openjpeg2 (Vulnerable code introduced later) NOTE: Introduced by: https://github.com/uclouvain/openjpeg/commit/33a0e66eb129c4e91b555a6b8dd9eab512fbfeb8 (v2.1.1) NOTE: Fixed by: https://github.com/uclouvain/openjpeg/commit/da940424816e11d624362ce080bc026adffa26e8 (v2.1.2) NOTE: https://github.com/uclouvain/openjpeg/issues/833 CVE-2016-10506 (Division-by-zero vulnerabilities in the functions opj_pi_next_cprl, op ...) - openjpeg2 (unimportant) NOTE: https://github.com/uclouvain/openjpeg/commit/d27ccf01c68a31ad62b33d2dc1ba2bb1eeaafe7b NOTE: https://github.com/uclouvain/openjpeg/issues/731 NOTE: https://github.com/uclouvain/openjpeg/issues/732 NOTE: https://github.com/uclouvain/openjpeg/issues/777 NOTE: https://github.com/uclouvain/openjpeg/issues/778 NOTE: https://github.com/uclouvain/openjpeg/issues/779 NOTE: https://github.com/uclouvain/openjpeg/issues/780 CVE-2016-10505 (NULL pointer dereference vulnerabilities in the imagetopnm function in ...) - openjpeg2 (unimportant) NOTE: https://github.com/uclouvain/openjpeg/issues/776 NOTE: https://github.com/uclouvain/openjpeg/issues/784 NOTE: https://github.com/uclouvain/openjpeg/issues/785 NOTE: https://github.com/uclouvain/openjpeg/issues/792 CVE-2016-10504 (Heap-based buffer overflow vulnerability in the opj_mqc_byteout functi ...) - openjpeg2 2.2.0-1 (bug #874113) [stretch] - openjpeg2 2.1.2-1.1+deb9u2 [jessie] - openjpeg2 (Vulnerable code introduced later, see #874113) NOTE: https://github.com/uclouvain/openjpeg/commit/397f62c0a838e15d667ef50e27d5d011d2c79c04 NOTE: https://github.com/uclouvain/openjpeg/issues/835 CVE-2017-13753 REJECTED CVE-2017-13752 (There is a reachable assertion abort in the function jpc_dequantize() ...) - jasper (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1485276 CVE-2017-13751 (There is a reachable assertion abort in the function calcstepsizes() i ...) - jasper (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1485283 CVE-2017-13750 (There is a reachable assertion abort in the function jpc_dec_process_s ...) - jasper (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1485280 CVE-2017-13749 (There is a reachable assertion abort in the function jpc_pi_nextrpcl() ...) - jasper (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1485285 CVE-2017-13748 (There are lots of memory leaks in JasPer 2.0.12, triggered in the func ...) {DLA-1583-1} - jasper (low) [wheezy] - jasper (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1485287 NOTE: https://github.com/mdadams/jasper/issues/168 NOTE: Fixed by https://github.com/mdadams/jasper/pull/159 but still no upstream comment. CVE-2017-13747 (There is a reachable assertion abort in the function jpc_floorlog2() i ...) - jasper (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1485282 CVE-2017-13746 (There is a reachable assertion abort in the function jpc_dec_process_s ...) - jasper (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1485286 CVE-2017-13745 (There is a reachable assertion abort in the function jpc_dec_process_s ...) - jasper (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1485274 CVE-2017-13744 (There is an illegal address access in the function _lou_getALine() in ...) - liblouis 3.3.0-1 (low; bug #874302) [stretch] - liblouis 3.0.0-3+deb9u1 [jessie] - liblouis (Minor issue) [wheezy] - liblouis (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484338 NOTE: Proposed fix via pull request: https://github.com/liblouis/liblouis/pull/393/commits/edf8ee00197e5a9b062554bdca00fe1617d257a4 CVE-2017-13743 (There is a buffer overflow in Liblouis 3.2.0, triggered in the functio ...) - liblouis 3.3.0-1 (low; bug #874302) [stretch] - liblouis 3.0.0-3+deb9u1 [jessie] - liblouis (Minor issue) [wheezy] - liblouis (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484335 CVE-2017-13742 (There is a stack-based buffer overflow in Liblouis 3.2.0, triggered in ...) - liblouis 3.3.0-1 (low; bug #874302) [stretch] - liblouis 3.0.0-3+deb9u1 [jessie] - liblouis (Minor issue) [wheezy] - liblouis (vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484334 NOTE: Proposed fix via pull request: https://github.com/liblouis/liblouis/pull/393/commits/d8cfdf1ab64a4c9c6685efe45bc735f68dac618c CVE-2017-13741 (There is a use-after-free in the function compileBrailleIndicator() in ...) - liblouis 3.3.0-1 (low; bug #874302) [stretch] - liblouis 3.0.0-3+deb9u1 [jessie] - liblouis (Minor issue) [wheezy] - liblouis (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484332 NOTE: Proposed fix via pull request: https://github.com/liblouis/liblouis/pull/393/commits/af5791ea792acc0a9707738001aa1df3daff7a66 CVE-2017-13740 (There is a stack-based buffer overflow in Liblouis 3.2.0, triggered in ...) - liblouis 3.3.0-1 (low; bug #874302) [stretch] - liblouis 3.0.0-3+deb9u1 [jessie] - liblouis (Minor issue) [wheezy] - liblouis (vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484306 NOTE: Proposed fix via pull request: https://github.com/liblouis/liblouis/pull/393/commits/d8cfdf1ab64a4c9c6685efe45bc735f68dac618c CVE-2017-13739 (There is a heap-based buffer overflow that causes a more than two thou ...) - liblouis 3.3.0-1 (low; bug #874302) [stretch] - liblouis 3.0.0-3+deb9u1 [jessie] - liblouis (Minor issue) [wheezy] - liblouis (vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484299 NOTE: Proposed fix via pull request: https://github.com/liblouis/liblouis/pull/393/commits/d8cfdf1ab64a4c9c6685efe45bc735f68dac618c CVE-2017-13738 (There is an illegal address access in the _lou_getALine function in co ...) - liblouis 3.3.0-1 (low; bug #874302) [stretch] - liblouis 3.0.0-3+deb9u1 [jessie] - liblouis (Minor issue) [wheezy] - liblouis (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484297 NOTE: Proposed fix via pull request: https://github.com/liblouis/liblouis/pull/393/commits/edf8ee00197e5a9b062554bdca00fe1617d257a4 CVE-2017-13737 (There is an invalid free in the MagickFree function in magick/memory.c ...) {DSA-4321-1 DLA-1456-1 DLA-1140-1} - graphicsmagick 1.3.26-15 (low; bug #878511) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484196 NOTE: Fixed by: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/3db9449e3d6a/ CVE-2017-13736 (There are lots of memory leaks in the GMCommand function in magick/com ...) - graphicsmagick (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484192 CVE-2017-13735 (There is a floating point exception in the kodak_radc_load_raw functio ...) - libraw 0.18.5-1 (low; bug #874729) [stretch] - libraw (Minor issue) [jessie] - libraw (Minor issue) [wheezy] - libraw (Minor issue) NOTE: https://github.com/LibRaw/LibRaw/issues/96 NOTE: Isolated patch: https://github.com/LibRaw/LibRaw/files/1276421/radc_divbyzero.txt NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1483988 CVE-2017-13734 (There is an illegal address access in the _nc_safe_strcat function in ...) - ncurses 6.0+20170827-1 (bug #873723) [stretch] - ncurses 6.0+20161126-1+deb9u1 [jessie] - ncurses 5.9+20140913-1+deb8u1 [wheezy] - ncurses (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484291 CVE-2017-13733 (There is an illegal address access in the fmt_entry function in progs/ ...) - ncurses 6.0+20170902-1 (bug #873746) [stretch] - ncurses 6.0+20161126-1+deb9u1 [jessie] - ncurses 5.9+20140913-1+deb8u1 [wheezy] - ncurses (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484290 CVE-2017-13732 (There is an illegal address access in the function dump_uses() in prog ...) - ncurses 6.0+20170827-1 (bug #873723) [stretch] - ncurses 6.0+20161126-1+deb9u1 [jessie] - ncurses 5.9+20140913-1+deb8u1 [wheezy] - ncurses (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484287 CVE-2017-13731 (There is an illegal address access in the function postprocess_termcap ...) - ncurses 6.0+20170827-1 (bug #873723) [stretch] - ncurses 6.0+20161126-1+deb9u1 [jessie] - ncurses 5.9+20140913-1+deb8u1 [wheezy] - ncurses (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484285 CVE-2017-13730 (There is an illegal address access in the function _nc_read_entry_sour ...) - ncurses 6.0+20170827-1 (bug #873723) [stretch] - ncurses 6.0+20161126-1+deb9u1 [jessie] - ncurses 5.9+20140913-1+deb8u1 [wheezy] - ncurses (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484284 CVE-2017-13729 (There is an illegal address access in the _nc_save_str function in all ...) - ncurses 6.0+20170827-1 (bug #873723) [stretch] - ncurses 6.0+20161126-1+deb9u1 [jessie] - ncurses 5.9+20140913-1+deb8u1 [wheezy] - ncurses (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484276 CVE-2017-13728 (There is an infinite loop in the next_char function in comp_scan.c in ...) - ncurses 6.0+20170827-1 (bug #873723) [stretch] - ncurses 6.0+20161126-1+deb9u1 [jessie] - ncurses 5.9+20140913-1+deb8u1 [wheezy] - ncurses (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484274 CVE-2017-13727 (There is a reachable assertion abort in the function TIFFWriteDirector ...) {DSA-4100-1 DLA-1093-1} - tiff 4.0.8-5 (bug #873879) - tiff3 [wheezy] - tiff3 (Vulnerable code not present) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2728 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/b6af137bf9ef852f1a48a50a5afb88f9e9da01cc CVE-2017-13726 (There is a reachable assertion abort in the function TIFFWriteDirector ...) {DSA-4100-1 DLA-1093-1} - tiff 4.0.8-5 (bug #873880) - tiff3 [wheezy] - tiff3 (Vulnerable code not present) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2727 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/f91ca83a21a6a583050e5a5755ce1441b2bf1d7e CVE-2017-13725 (The IPv6 routing header parser in tcpdump before 4.9.2 has a buffer ov ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13724 (On the Axesstel MU553S MU55XS-V1.14, there is a Stored Cross Site Scri ...) NOT-FOR-US: Axesstel MU553S MU55XS-V1.14 CVE-2017-13723 (In X.Org Server (aka xserver and xorg-server) before 1.19.4, a local a ...) {DSA-4000-1 DLA-1186-1} - xorg-server 2:1.19.4-1 NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=94f11ca5cf011ef123bd222cabeaef6f424d76ac NOTE: This is in libxkbfile in wheezy CVE-2017-13722 (In the pcfGetProperties function in bitmap/pcfread.c in libXfont throu ...) {DSA-3995-1 DLA-1126-1} - libxfont 1:2.0.1-4 - libxfont1 (unimportant) NOTE: Fixed by: https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=672bb944311392e2415b39c0d63b1e1902905bcd NOTE: libxfont1 is only used by xfonts-utils, no security impact CVE-2017-13721 (In X.Org Server (aka xserver and xorg-server) before 1.19.4, an attack ...) {DSA-4000-1} - xorg-server 2:1.19.4-1 [wheezy] - xorg-server (Vulnerable code introduced later) NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=b95f25af141d33a65f6f821ea9c003f66a01e1f1 CVE-2017-13720 (In the PatternMatch function in fontfile/fontdir.c in libXfont through ...) {DSA-3995-1 DLA-1126-1} - libxfont 1:2.0.1-4 - libxfont1 (unimportant) NOTE: Fixed by: https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d1e670a4a8704b8708e493ab6155589bcd570608 NOTE: libxfont1 is only used by xfonts-utils, no security impact CVE-2017-13719 (The Amcrest IPM-721S Amcrest_IPC-AWXX_Eng_N_V2.420.AC00.17.R.20170322 ...) NOT-FOR-US: Amcrest CVE-2017-13718 (The HTTP API supported by Starry Station (aka Starry Router) allows br ...) NOT-FOR-US: Starry Station CVE-2017-13717 (Starry Station (aka Starry Router) sets the Access-Control-Allow-Origi ...) NOT-FOR-US: Starry Station CVE-2017-13716 (The C++ symbol demangler routine in cplus-dem.c in libiberty, as distr ...) - binutils (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22009 NOTE: Underlying bug is though in the C++ demangler part of libiberty, but MITRE NOTE: has assigned it specifically to the issue as raised within binutils. NOTE: binutils not covered by security support CVE-2016-10503 (IBM Sametime Meeting Server 8.5.2 and 9.0 could allow an authenticated ...) NOT-FOR-US: IBM CVE-2017-13715 (The __skb_flow_dissect function in net/core/flow_dissector.c in the Li ...) - linux 4.3.1-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/a6e544b0a88b53114bfa5a57e21b7be7a8dfc9d0 (4.3-rc1) NOTE: Introduced by: https://git.kernel.org/linus/b3baa0fbd02a1a9d493d8cb92ae4a4491b9e9d13 (4.2-rc1) CVE-2017-13714 RESERVED CVE-2017-13713 (T&W WIFI Repeater BE126 allows remote authenticated users to execu ...) NOT-FOR-US: T&W WIFI Repeater BE126 CVE-2017-13712 (NULL Pointer Dereference in the id3v2AddAudioDuration function in libm ...) - lame 3.100-1 (low) [stretch] - lame (Minor issue) [jessie] - lame (Minor issue) NOTE: https://sourceforge.net/p/lame/bugs/472/ CVE-2017-13711 (Use-after-free vulnerability in the sofree function in slirp/socket.c ...) {DSA-3991-1} - qemu 1:2.10.0-1 (bug #873875) [jessie] - qemu (Vulnerable code introduced later) [wheezy] - qemu (Vulnerable code introduced later) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code introduced later) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg05201.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1486400 CVE-2017-14041 (A stack-based buffer overflow was discovered in the pgxtoimage functio ...) {DSA-4013-1} - openjpeg2 2.3.0-1 (bug #874115) NOTE: Fixed by: https://github.com/uclouvain/openjpeg/commit/e5285319229a5d77bf316bb0d3a6cbd3cb8666d9 NOTE: Reproducer: https://blogs.gentoo.org/ago/2017/08/28/openjpeg-stack-based-buffer-overflow-write-in-pgxtoimage-convert-c/ NOTE: https://github.com/uclouvain/openjpeg/issues/997 CVE-2017-14040 (An invalid write access was discovered in bin/jp2/convert.c in OpenJPE ...) {DSA-4013-1} - openjpeg2 2.3.0-1 (bug #874117) NOTE: Fixed by: https://github.com/uclouvain/openjpeg/commit/2cd30c2b06ce332dede81cccad8b334cde997281 NOTE: Reproducer: https://blogs.gentoo.org/ago/2017/08/28/openjpeg-invalid-memory-write-in-tgatoimage-convert-c/ NOTE: https://github.com/uclouvain/openjpeg/issues/995 CVE-2017-14039 (A heap-based buffer overflow was discovered in the opj_t2_encode_packe ...) {DSA-4013-1} - openjpeg2 2.3.0-1 (bug #874118) NOTE: Fixed by: https://github.com/uclouvain/openjpeg/commit/c535531f03369623b9b833ef41952c62257b507e NOTE: Reproducer: https://blogs.gentoo.org/ago/2017/08/28/openjpeg-heap-based-buffer-overflow-in-opj_t2_encode_packet-t2-c/ NOTE: https://github.com/uclouvain/openjpeg/issues/992 NOTE: The issue is covered by https://github.com/uclouvain/openjpeg/commit/4241ae6fbbf1de9658764a80944dc8108f2b4154 CVE-2017-14042 (A memory allocation failure was discovered in the ReadPNMImage functio ...) - graphicsmagick 1.3.26-9 (unimportant; bug #873538) NOTE: Fixed by: http://hg.code.sf.net/p/graphicsmagick/code/rev/3bbf7a13643d NOTE: https://blogs.gentoo.org/ago/2017/08/28/graphicsmagick-memory-allocation-failure-in-magickrealloc-memory-c-2/ NOTE: https://sourceforge.net/p/graphicsmagick/bugs/441/ CVE-2017-13710 (The setup_group function in elf.c in the Binary File Descriptor (BFD) ...) - binutils 2.29-9 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0c54f69295208331faab9bc5e995111a35672f9b CVE-2017-13708 (Buffer overflow in the web server service in VX Search Enterprise 10.0 ...) NOT-FOR-US: VX Search Enterprise CVE-2017-13707 (Privilege escalation in Replibit Backup Manager earlier than version 2 ...) NOT-FOR-US: Replibit CVE-2017-13706 (XML external entity (XXE) vulnerability in the import package function ...) NOT-FOR-US: Lansweeper CVE-2017-13709 (In FlightGear before version 2017.3.1, Main/logger.cxx in the FGLogger ...) - flightgear 1:2017.2.1+dfsg-4 (low; bug #873439) [stretch] - flightgear 1:2016.4.4+dfsg-3+deb9u1 [jessie] - flightgear 3.0.0-5+deb8u3 NOTE: http://www.openwall.com/lists/oss-security/2017/08/27/1 CVE-2017-13705 RESERVED CVE-2017-13704 (In dnsmasq before 2.78, if the DNS packet size does not match the expe ...) - dnsmasq 2.78-1 (bug #877102) [stretch] - dnsmasq (Vulnerable code not present; Upstream: Regression introduced in 2.77) [jessie] - dnsmasq (Vulnerable code not present; Upstream: Regression introduced in 2.77) [wheezy] - dnsmasq (Vulnerable code not present; Upstream: Regression introduced in 2.77) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1495510 NOTE: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2017q3/011729.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=63437ffbb58837b214b4b92cb1c54bc5f3279928 CVE-2017-13703 (An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 devices. ...) NOT-FOR-US: Moxa CVE-2017-13702 (An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 devices. ...) NOT-FOR-US: Moxa CVE-2017-13701 (An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 devices. ...) NOT-FOR-US: Moxa CVE-2017-13700 (An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 devices. ...) NOT-FOR-US: Moxa CVE-2017-13699 (An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 devices. ...) NOT-FOR-US: MOXA CVE-2017-13698 (An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 devices. ...) NOT-FOR-US: MOXA CVE-2017-13697 (controllers/member/api.php in dayrui FineCms 5.0.11 has XSS related to ...) NOT-FOR-US: FineCMS CVE-2017-13696 (A buffer overflow vulnerability lies in the web server component of Du ...) NOT-FOR-US: Dup Scout Enterprise CVE-2017-1000122 (The UNIX IPC layer in WebKit, including WebKitGTK+ prior to 2.16.3, do ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0007.html NOTE: Not covered by security support CVE-2017-1000121 (The UNIX IPC layer in WebKit, including WebKitGTK+ prior to 2.16.3, do ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0007.html NOTE: Not covered by security support CVE-2017-13695 (The acpi_ns_evaluate() function in drivers/acpi/acpica/nseval.c in the ...) - acpica-unix 20180209-1 (unimportant) - linux 4.17.3-1 (unimportant) NOTE: https://patchwork.kernel.org/patch/9850567/ NOTE: non-issue/no relevant security impact CVE-2017-13694 (The acpi_ps_complete_final_op() function in drivers/acpi/acpica/psobje ...) - acpica-unix 20180209-1 (unimportant) - linux (unimportant) NOTE: https://patchwork.kernel.org/patch/9806085/ NOTE: non-issue/no relevant security impact CVE-2017-13693 (The acpi_ds_create_operands() function in drivers/acpi/acpica/dsutils. ...) - acpica-unix 20180209-1 (unimportant) - linux (unimportant) NOTE: https://patchwork.kernel.org/patch/9919053/ NOTE: non-issue/no relevant security impact CVE-2017-13692 (In Tidy 5.5.31, the IsURLCodePoint function in attrs.c allows attacker ...) - tidy-html5 (Vulnerable code introduced later) - tidy (Vulnerable code introduced later) NOTE: https://github.com/htacg/tidy-html5/issues/588 CVE-2017-13691 RESERVED CVE-2017-13690 (The IKEv2 parser in tcpdump before 4.9.2 has a buffer over-read in pri ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13689 (The IKEv1 parser in tcpdump before 4.9.2 has a buffer over-read in pri ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13688 (The OLSR parser in tcpdump before 4.9.2 has a buffer over-read in prin ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13687 (The Cisco HDLC parser in tcpdump before 4.9.2 has a buffer over-read i ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13686 (net/ipv4/route.c in the Linux kernel 4.13-rc1 through 4.13-rc6 is too ...) - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/bc3aae2bbac46dd894c89db5d5e98f7f0ef9e205 CVE-2016-1000245 RESERVED CVE-2017-13685 (The dump_callback function in SQLite 3.20.0 allows remote attackers to ...) - sqlite3 3.20.1-1 (unimportant; bug #873762) NOTE: https://sqlite.org/src/info/02f0f4c54f2819b3 NOTE: http://www.mail-archive.com/sqlite-users%40mailinglists.sqlite.org/msg105314.html NOTE: Crash in the command-line shell program, not the the core SQLite library. CVE-2017-13684 (Unisys Libra 64xx and 84xx and FS601 class systems with MCP-FIRMWARE b ...) NOT-FOR-US: Unisys Libra CVE-2017-13683 (In Symantec Endpoint Encryption before SEE 11.1.3HF3, a kernel memory ...) NOT-FOR-US: Symantec CVE-2017-13682 (In Symantec Encryption Desktop before SED 10.4.1 MP2HF1, a kernel memo ...) NOT-FOR-US: Symantec CVE-2017-13681 (Symantec Endpoint Protection prior to SEP 12.1 RU6 MP9 could be suscep ...) NOT-FOR-US: Symantec Endpoint Protection CVE-2017-13680 (Prior to SEP 12.1 RU6 MP9 & SEP 14 RU1 Symantec Endpoint Protectio ...) NOT-FOR-US: Symantec Endpoint Protection CVE-2017-13679 (A denial of service (DoS) attack in Symantec Encryption Desktop before ...) NOT-FOR-US: Symantec CVE-2017-13678 (Stored XSS vulnerability in the Symantec Advanced Secure Gateway (ASG) ...) NOT-FOR-US: Symantec CVE-2017-13677 (Denial-of-service (DoS) vulnerability in the Symantec Advanced Secure ...) NOT-FOR-US: Symantec CVE-2017-13676 (Norton Remove & Reinstall can be susceptible to a DLL preloading v ...) NOT-FOR-US: Symantec CVE-2017-13675 (A denial of service (DoS) attack in Symantec Endpoint Encryption befor ...) NOT-FOR-US: Symantec CVE-2017-13674 (Symantec ProxyClient 3.4 for Windows is susceptible to a privilege esc ...) NOT-FOR-US: Symantec ProxyClient CVE-2017-13673 (The vga display update in mis-calculated the region for the dirty bitm ...) - qemu 1:2.10.0+dfsg-2 [stretch] - qemu (Vulnerable code introduced later) [jessie] - qemu (Vulnerable code introduced later) [wheezy] - qemu (Vulnerable code introduced later) - qemu-kvm (Vulnerable code introduced later) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg04685.html NOTE: Fixed by: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=d6f7f3b0cf4b6c5e7cdff9dfa6d20545e1051375 (v2.10.1) NOTE: Introduced by: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=fec5e8c92becad223df9d972770522f64aafdb72 NOTE: In the unstable upload the fix is integrated in debian/patches/qemu-2.10.1.diff CVE-2017-13672 (QEMU (aka Quick Emulator), when built with the VGA display emulator su ...) {DSA-3991-1} - qemu 1:2.10.0-1 (low; bug #873851) [jessie] - qemu (Minor issue, root DoS, too complex to backport) [wheezy] - qemu (Can be fixed along in a future DSA) - qemu-kvm [wheezy] - qemu-kvm (Can be fixed along in a future DSA) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg04684.html NOTE: Fixed by https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=3d90c6254863693a6b13d918d2b8682e08bbc681 NOTE: CentOS7 has a backport/upgrade(?) for their frankenstein version NOTE: http://vault.centos.org/7.6.1810/updates/Source/SPackages/qemu-kvm-1.5.3-160.el7_6.3.src.rpm CVE-2017-13671 (app/View/Helper/CommandHelper.php in MISP before 2.4.79 has persistent ...) NOT-FOR-US: MISP (Malware Information Sharing Platform and Threat Sharing) CVE-2017-13670 (In BlackCat CMS 1.2, remote authenticated users can upload any file vi ...) NOT-FOR-US: BlackCat CMS CVE-2017-13669 (SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the setanswere ...) NOT-FOR-US: NexusPHP CVE-2017-13668 (OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Cross ...) NOT-FOR-US: OX Software GmbH OX App Suite CVE-2017-13667 (OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: SSRF. ...) NOT-FOR-US: OX Software GmbH OX App Suite CVE-2017-13666 (An integer underflow vulnerability exists in pixel-a.asm, the x86 asse ...) - x265 (Affected code is not enabled) CVE-2017-13665 RESERVED CVE-2017-13664 (Password file exposure in firmware in iSmartAlarm CubeOne version 2.2. ...) NOT-FOR-US: iSmartAlarm CubeOne CVE-2017-13663 (Encryption key exposure in firmware in iSmartAlarm CubeOne version 2.2 ...) NOT-FOR-US: iSmartAlarm CubeOne CVE-2017-13662 RESERVED CVE-2017-13661 RESERVED CVE-2017-13660 RESERVED CVE-2017-13659 RESERVED CVE-2017-13657 REJECTED CVE-2017-13656 REJECTED CVE-2017-13655 REJECTED CVE-2017-13654 REJECTED CVE-2017-13653 REJECTED CVE-2017-13652 (NetApp OnCommand Insight version 7.3.0 and versions prior to 7.2.0 are ...) NOT-FOR-US: NetApp CVE-2017-13651 REJECTED CVE-2017-13650 RESERVED CVE-2017-1002150 (python-fedora 0.8.0 and lower is vulnerable to an open redirect result ...) - python-fedora 0.9.0-1 [stretch] - python-fedora (Minor issue) [jessie] - python-fedora (Minor issue) NOTE: https://github.com/fedora-infra/python-fedora/commit/b27f38a67573f4c989710c9bfb726dd4c1eeb929.patch CVE-2017-13649 (UnrealIRCd 4.0.13 and earlier creates a PID file after dropping privil ...) - unrealircd (bug #515130) CVE-2017-13648 (In GraphicsMagick 1.3.26, a memory leak vulnerability was found in the ...) - graphicsmagick 1.3.27-1 (unimportant) NOTE: https://sourceforge.net/p/graphicsmagick/bugs/433/ CVE-2017-13647 RESERVED CVE-2017-13646 RESERVED CVE-2017-13645 RESERVED CVE-2017-13644 RESERVED CVE-2017-13643 RESERVED CVE-2017-13642 RESERVED CVE-2017-13641 RESERVED CVE-2017-13640 RESERVED CVE-2017-13639 RESERVED CVE-2017-13638 RESERVED CVE-2017-13637 RESERVED CVE-2017-13636 RESERVED CVE-2017-13635 RESERVED CVE-2017-13634 RESERVED CVE-2017-13633 RESERVED CVE-2017-13632 RESERVED CVE-2017-13631 RESERVED CVE-2017-13630 RESERVED CVE-2017-13629 RESERVED CVE-2017-13628 RESERVED CVE-2017-13627 RESERVED CVE-2017-13626 RESERVED CVE-2017-13625 RESERVED CVE-2017-13624 RESERVED CVE-2017-13623 RESERVED CVE-2017-13622 RESERVED CVE-2017-13621 RESERVED CVE-2017-13620 RESERVED CVE-2017-13619 RESERVED CVE-2017-13618 RESERVED CVE-2017-13617 RESERVED CVE-2017-13616 RESERVED CVE-2017-13615 RESERVED CVE-2017-13614 RESERVED CVE-2017-13613 RESERVED CVE-2017-13612 RESERVED CVE-2017-13611 RESERVED CVE-2017-13610 RESERVED CVE-2017-13609 RESERVED CVE-2017-13608 RESERVED CVE-2017-13607 RESERVED CVE-2017-13606 RESERVED CVE-2017-13605 RESERVED CVE-2017-13604 RESERVED CVE-2017-13603 RESERVED CVE-2017-13602 RESERVED CVE-2017-13601 RESERVED CVE-2017-13600 RESERVED CVE-2017-13599 RESERVED CVE-2017-13598 RESERVED CVE-2017-13597 RESERVED CVE-2017-13596 RESERVED CVE-2017-13595 RESERVED CVE-2017-13594 RESERVED CVE-2017-13593 RESERVED CVE-2017-13592 RESERVED CVE-2017-13591 RESERVED CVE-2017-13590 RESERVED CVE-2017-13589 RESERVED CVE-2017-13588 RESERVED CVE-2017-13587 RESERVED CVE-2017-13586 RESERVED CVE-2017-13585 RESERVED CVE-2017-13584 RESERVED CVE-2017-13583 RESERVED CVE-2017-13582 RESERVED CVE-2017-13581 RESERVED CVE-2017-13580 RESERVED CVE-2017-13579 RESERVED CVE-2017-13578 RESERVED CVE-2017-13577 RESERVED CVE-2017-13576 RESERVED CVE-2017-13575 RESERVED CVE-2017-13574 RESERVED CVE-2017-13573 RESERVED CVE-2017-13572 RESERVED CVE-2017-13571 RESERVED CVE-2017-13570 RESERVED CVE-2017-13569 RESERVED CVE-2017-13568 RESERVED CVE-2017-13567 RESERVED CVE-2017-13566 RESERVED CVE-2017-13565 RESERVED CVE-2017-13564 RESERVED CVE-2017-13563 RESERVED CVE-2017-13562 RESERVED CVE-2017-13561 RESERVED CVE-2017-13560 RESERVED CVE-2017-13559 RESERVED CVE-2017-13558 RESERVED CVE-2017-13557 RESERVED CVE-2017-13556 RESERVED CVE-2017-13555 RESERVED CVE-2017-13554 RESERVED CVE-2017-13553 RESERVED CVE-2017-13552 RESERVED CVE-2017-13551 RESERVED CVE-2017-13550 RESERVED CVE-2017-13549 RESERVED CVE-2017-13548 RESERVED CVE-2017-13547 RESERVED CVE-2017-13546 RESERVED CVE-2017-13545 RESERVED CVE-2017-13544 RESERVED CVE-2017-13543 RESERVED CVE-2017-13542 RESERVED CVE-2017-13541 RESERVED CVE-2017-13540 RESERVED CVE-2017-13539 RESERVED CVE-2017-13538 RESERVED CVE-2017-13537 RESERVED CVE-2017-13536 RESERVED CVE-2017-13535 RESERVED CVE-2017-13534 RESERVED CVE-2017-13533 RESERVED CVE-2017-13532 RESERVED CVE-2017-13531 RESERVED CVE-2017-13530 RESERVED CVE-2017-13529 RESERVED CVE-2017-13528 RESERVED CVE-2017-13527 RESERVED CVE-2017-13526 RESERVED CVE-2017-13525 RESERVED CVE-2017-13524 RESERVED CVE-2017-13523 RESERVED CVE-2017-13522 RESERVED CVE-2017-13521 RESERVED CVE-2017-13520 RESERVED CVE-2017-13519 RESERVED CVE-2017-13518 RESERVED CVE-2017-13517 RESERVED CVE-2017-13516 RESERVED CVE-2017-13515 RESERVED CVE-2017-13514 RESERVED CVE-2017-13513 RESERVED CVE-2017-13512 RESERVED CVE-2017-13511 RESERVED CVE-2017-13510 RESERVED CVE-2017-13509 RESERVED CVE-2017-13508 RESERVED CVE-2017-13507 RESERVED CVE-2017-13506 RESERVED CVE-2017-13505 RESERVED CVE-2017-13504 RESERVED CVE-2017-13503 RESERVED CVE-2017-13502 RESERVED CVE-2017-13501 RESERVED CVE-2017-13500 RESERVED CVE-2017-13499 RESERVED CVE-2017-13498 RESERVED CVE-2017-13497 RESERVED CVE-2017-13496 RESERVED CVE-2017-13495 RESERVED CVE-2017-13494 RESERVED CVE-2017-13493 RESERVED CVE-2017-13492 RESERVED CVE-2017-13491 RESERVED CVE-2017-13490 RESERVED CVE-2017-13489 RESERVED CVE-2017-13488 RESERVED CVE-2017-13487 RESERVED CVE-2017-13486 RESERVED CVE-2017-13485 RESERVED CVE-2017-13484 RESERVED CVE-2017-13483 RESERVED CVE-2017-13482 RESERVED CVE-2017-13481 RESERVED CVE-2017-13480 RESERVED CVE-2017-13479 RESERVED CVE-2017-13478 RESERVED CVE-2017-13477 RESERVED CVE-2017-13476 RESERVED CVE-2017-13475 RESERVED CVE-2017-13474 RESERVED CVE-2017-13473 RESERVED CVE-2017-13472 RESERVED CVE-2017-13471 RESERVED CVE-2017-13470 RESERVED CVE-2017-13469 RESERVED CVE-2017-13468 RESERVED CVE-2017-13467 RESERVED CVE-2017-13466 RESERVED CVE-2017-13465 RESERVED CVE-2017-13464 RESERVED CVE-2017-13463 RESERVED CVE-2017-13462 RESERVED CVE-2017-13461 RESERVED CVE-2017-13460 RESERVED CVE-2017-13459 RESERVED CVE-2017-13458 RESERVED CVE-2017-13457 RESERVED CVE-2017-13456 RESERVED CVE-2017-13455 RESERVED CVE-2017-13454 RESERVED CVE-2017-13453 RESERVED CVE-2017-13452 RESERVED CVE-2017-13451 RESERVED CVE-2017-13450 RESERVED CVE-2017-13449 RESERVED CVE-2017-13448 RESERVED CVE-2017-13447 RESERVED CVE-2017-13446 RESERVED CVE-2017-13445 RESERVED CVE-2017-13444 RESERVED CVE-2017-13443 RESERVED CVE-2017-13442 RESERVED CVE-2017-13441 RESERVED CVE-2017-13440 RESERVED CVE-2017-13439 RESERVED CVE-2017-13438 RESERVED CVE-2017-13437 RESERVED CVE-2017-13436 RESERVED CVE-2017-13435 RESERVED CVE-2017-13434 RESERVED CVE-2017-13433 RESERVED CVE-2017-13432 RESERVED CVE-2017-13431 RESERVED CVE-2017-13430 RESERVED CVE-2017-13429 RESERVED CVE-2017-13428 RESERVED CVE-2017-13427 RESERVED CVE-2017-13426 RESERVED CVE-2017-13425 RESERVED CVE-2017-13424 RESERVED CVE-2017-13423 RESERVED CVE-2017-13422 RESERVED CVE-2017-13421 RESERVED CVE-2017-13420 RESERVED CVE-2017-13419 RESERVED CVE-2017-13418 RESERVED CVE-2017-13417 RESERVED CVE-2017-13416 RESERVED CVE-2017-13415 RESERVED CVE-2017-13414 RESERVED CVE-2017-13413 RESERVED CVE-2017-13412 RESERVED CVE-2017-13411 RESERVED CVE-2017-13410 RESERVED CVE-2017-13409 RESERVED CVE-2017-13408 RESERVED CVE-2017-13407 RESERVED CVE-2017-13406 RESERVED CVE-2017-13405 RESERVED CVE-2017-13404 RESERVED CVE-2017-13403 RESERVED CVE-2017-13402 RESERVED CVE-2017-13401 RESERVED CVE-2017-13400 RESERVED CVE-2017-13399 RESERVED CVE-2017-13398 RESERVED CVE-2017-13397 RESERVED CVE-2017-13396 RESERVED CVE-2017-13395 RESERVED CVE-2017-13394 RESERVED CVE-2017-13393 RESERVED CVE-2017-13392 RESERVED CVE-2017-13391 RESERVED CVE-2017-13390 RESERVED CVE-2017-13389 RESERVED CVE-2017-13388 RESERVED CVE-2017-13387 RESERVED CVE-2017-13386 RESERVED CVE-2017-13385 RESERVED CVE-2017-13384 RESERVED CVE-2017-13383 RESERVED CVE-2017-13382 RESERVED CVE-2017-13381 RESERVED CVE-2017-13380 RESERVED CVE-2017-13379 RESERVED CVE-2017-13378 RESERVED CVE-2017-13377 RESERVED CVE-2017-13376 RESERVED CVE-2017-13375 RESERVED CVE-2017-13374 RESERVED CVE-2017-13373 RESERVED CVE-2017-13372 RESERVED CVE-2017-13371 RESERVED CVE-2017-13370 RESERVED CVE-2017-13369 RESERVED CVE-2017-13368 RESERVED CVE-2017-13367 RESERVED CVE-2017-13366 RESERVED CVE-2017-13365 RESERVED CVE-2017-13364 RESERVED CVE-2017-13363 RESERVED CVE-2017-13362 RESERVED CVE-2017-13361 RESERVED CVE-2017-13360 RESERVED CVE-2017-13359 RESERVED CVE-2017-13358 RESERVED CVE-2017-13357 RESERVED CVE-2017-13356 RESERVED CVE-2017-13355 RESERVED CVE-2017-13354 RESERVED CVE-2017-13353 RESERVED CVE-2017-13352 RESERVED CVE-2017-13351 RESERVED CVE-2017-13350 RESERVED CVE-2017-13349 RESERVED CVE-2017-13348 RESERVED CVE-2017-13347 RESERVED CVE-2017-13346 RESERVED CVE-2017-13345 RESERVED CVE-2017-13344 RESERVED CVE-2017-13343 RESERVED CVE-2017-13342 RESERVED CVE-2017-13341 RESERVED CVE-2017-13340 RESERVED CVE-2017-13339 RESERVED CVE-2017-13338 RESERVED CVE-2017-13337 RESERVED CVE-2017-13336 RESERVED CVE-2017-13335 RESERVED CVE-2017-13334 RESERVED CVE-2017-13333 RESERVED CVE-2017-13332 RESERVED CVE-2017-13331 RESERVED CVE-2017-13330 RESERVED CVE-2017-13329 RESERVED CVE-2017-13328 RESERVED CVE-2017-13327 RESERVED CVE-2017-13326 RESERVED CVE-2017-13325 RESERVED CVE-2017-13324 RESERVED CVE-2017-13323 RESERVED NOT-FOR-US: Android CVE-2017-13322 RESERVED NOT-FOR-US: Android CVE-2017-13321 RESERVED NOT-FOR-US: Android CVE-2017-13320 RESERVED NOT-FOR-US: Android Media Framework CVE-2017-13319 RESERVED NOT-FOR-US: Android Media Framework CVE-2017-13318 RESERVED NOT-FOR-US: Android Media Framework CVE-2017-13317 RESERVED NOT-FOR-US: Android Media Framework CVE-2017-13316 RESERVED NOT-FOR-US: Android CVE-2017-13315 RESERVED CVE-2017-13314 RESERVED CVE-2017-13313 RESERVED CVE-2017-13312 RESERVED CVE-2017-13311 RESERVED CVE-2017-13310 RESERVED CVE-2017-13309 RESERVED CVE-2017-13308 RESERVED CVE-2017-13307 (A elevation of privilege vulnerability in the Upstream kernel pci sysf ...) NOT-FOR-US: Android kernel (no source release, so apparently not in mainline) CVE-2017-13306 (A elevation of privilege vulnerability in the Upstream kernel mnh driv ...) NOT-FOR-US: Android kernel (no source release, so apparently not in mainline) CVE-2017-13305 (A information disclosure vulnerability in the Upstream kernel encrypte ...) {DLA-1731-1} - linux 4.12.6-1 [stretch] - linux 4.9.82-1+deb9u1 NOTE: Fixed by: https://git.kernel.org/linus/794b4bc292f5d31739d89c0202c54e7dc9bc3add CVE-2017-13304 (A information disclosure vulnerability in the Upstream kernel mnh_sm d ...) NOT-FOR-US: Android kernel (no source release, so apparently not in mainline) CVE-2017-13303 (A information disclosure vulnerability in the Broadcom bcmdhd driver. ...) NOT-FOR-US: Broadcom components for Android CVE-2017-13302 (A denial of service vulnerability in the Android system (system ui). P ...) NOT-FOR-US: Android CVE-2017-13301 (A denial of service vulnerability in the Android system (system ui). P ...) NOT-FOR-US: Android CVE-2017-13300 (A denial of service vulnerability in the Android media framework (libh ...) NOT-FOR-US: Android media framework CVE-2017-13299 (A other vulnerability in the Android media framework (libavc). Product ...) NOT-FOR-US: Android media framework CVE-2017-13298 (A information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-13297 (A information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-13296 (A information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-13295 (A denial of service vulnerability in the Android framework (package in ...) NOT-FOR-US: Android CVE-2017-13294 (A information disclosure vulnerability in the Android framework (aosp ...) NOT-FOR-US: Android framework (aosp email application) CVE-2017-13293 (In the nfc_hci_cmd_received() function of core.c, there is a possible ...) NOT-FOR-US: Android kernel (no source release, so apparently not in mainline) CVE-2017-13292 (In wl_get_assoc_ies of wl_cfg80211.c, there is a possible out of bound ...) NOT-FOR-US: Broadcom components for Android CVE-2017-13291 (In avrc_ctrl_pars_vendor_rsp of avrc_pars_ct.cc, there is a possible N ...) NOT-FOR-US: Android CVE-2017-13290 (In sdp_server_handle_client_req of sdp_server.cc, there is an out of b ...) NOT-FOR-US: Android CVE-2017-13289 (In writeToParcel and createFromParcel of RttManager.java, there is a p ...) NOT-FOR-US: Android CVE-2017-13288 (In writeToParcel and readFromParcel of PeriodicAdvertisingReport.java, ...) NOT-FOR-US: Android CVE-2017-13287 (In createFromParcel of VerifyCredentialResponse.java, there is a possi ...) NOT-FOR-US: Android CVE-2017-13286 (In writeToParcel and readFromParcel of OutputConfiguration.java, there ...) NOT-FOR-US: Android CVE-2017-13285 (In SvoxSsmlParser and startElement of svox_ssml_parser.cpp, there is a ...) NOT-FOR-US: Android CVE-2017-13284 (In config_set_string of config.cc, it is possible to pair a second BT ...) NOT-FOR-US: Android CVE-2017-13283 (In avrc_ctrl_pars_vendor_rsp of bluetooth avrcp_ctrl, there is a possi ...) NOT-FOR-US: Android CVE-2017-13282 (In avrc_ctrl_pars_vendor_rsp of avrc_pars_ct.cc, there is a possible s ...) NOT-FOR-US: Android CVE-2017-13281 (In avrc_pars_browsing_cmd of avrc_pars_tg.cc, there is a possible stac ...) NOT-FOR-US: Android CVE-2017-13280 (In the FrameSequence_gif::FrameSequence_gif function of libframesequen ...) NOT-FOR-US: Android media framework CVE-2017-13279 (In M3UParser::parse of M3UParser.cpp, there is a memory resource exhau ...) NOT-FOR-US: Android media framework CVE-2017-13278 (In MediaPlayerService::Client::notify of MediaPlayerService.cpp, there ...) NOT-FOR-US: Android media framework CVE-2017-13277 (In ihevcd_fmt_conv of ihevcd_fmt_conv.c, there is a possible out of bo ...) NOT-FOR-US: Android media framework CVE-2017-13276 (In CProgramConfig_ReadHeightExt of tpdec_asc.cpp, there is a possible ...) NOT-FOR-US: Android media framework CVE-2017-13275 (In getVSCoverage of CmapCoverage.cpp, there is a possible out of bound ...) NOT-FOR-US: Android CVE-2017-13274 (In the getHost() function of UriTest.java, there is the possibility of ...) NOT-FOR-US: Android CVE-2017-13273 (In xt_qtaguid.c, there is a race condition due to insufficient locking ...) NOT-FOR-US: Android CVE-2017-13272 (In alarm_ready_generic of alarm.cc, there is a possible out of bounds ...) NOT-FOR-US: Android CVE-2017-13271 (A elevation of privilege vulnerability in the upstream kernel mnh_sm d ...) NOT-FOR-US: Android kernel (no source release, so apparently not in mainline) CVE-2017-13270 (A elevation of privilege vulnerability in the upstream kernel mnh_sm d ...) NOT-FOR-US: Android kernel (no source release, so apparently not in mainline) CVE-2017-13269 (A information disclosure vulnerability in the Android system (bluetoot ...) NOT-FOR-US: Android CVE-2017-13268 (A information disclosure vulnerability in the Android system (bluetoot ...) NOT-FOR-US: Android CVE-2017-13267 (In avrc_pars_vendor_cmd of avrc_pars_tg.cc, there is a possible stack ...) NOT-FOR-US: Android CVE-2017-13266 (In avrc_pars_vendor_cmd of avrc_pars_tg.cc, there is a possible stack ...) NOT-FOR-US: Android CVE-2017-13265 (A elevation of privilege vulnerability in the Android system (OTA upda ...) NOT-FOR-US: Android CVE-2017-13264 (A other vulnerability in the Android media framework (Avcdec). Product ...) NOT-FOR-US: Android Media Framework CVE-2017-13263 (A elevation of privilege vulnerability in the Android framework. Produ ...) NOT-FOR-US: Android CVE-2017-13262 (In bnep_data_ind of bnep_main.cc, there is a possible out of bounds re ...) NOT-FOR-US: Android CVE-2017-13261 (In bnep_process_control_packet of bnep_utils.cc, there is a possible o ...) NOT-FOR-US: Android CVE-2017-13260 (In bnep_data_ind of bnep_main.cc, there is a possible out of bounds re ...) NOT-FOR-US: Android CVE-2017-13259 (In functionality implemented in sdp_discovery.cc, there are possible o ...) NOT-FOR-US: Android CVE-2017-13258 (In bnep_data_ind of bnep_main.cc, there is a possible out of bounds re ...) NOT-FOR-US: Android CVE-2017-13257 (In bta_pan_data_buf_ind_cback of bta_pan_act.cc there is a use after f ...) NOT-FOR-US: Android CVE-2017-13256 (In process_service_search_attr_req of sdp_server.cc, there is an out o ...) NOT-FOR-US: Android CVE-2017-13255 (In process_service_attr_req of sdp_server.c, there is an out of bounds ...) NOT-FOR-US: Android CVE-2017-13254 (A other vulnerability in the Android media framework (AACExtractor). P ...) NOT-FOR-US: Android Media Framework CVE-2017-13253 (In CryptoPlugin::decrypt of CryptoPlugin.cpp, there is a possible out ...) NOT-FOR-US: Android Media Framework CVE-2017-13252 (In CryptoHal::decrypt of CryptoHal.cpp, there is an out of bounds writ ...) NOT-FOR-US: Android Media Framework CVE-2017-13251 (In impeg2d_dec_pic_data_thread of impeg2d_dec_hdr.c, there is a possib ...) NOT-FOR-US: Android Media Framework CVE-2017-13250 (In ih264d_fmt_conv_420sp_to_420p of ih264d_utils.c, there is an out of ...) NOT-FOR-US: Android Media Framework CVE-2017-13249 (In impeg2d_api_set_display_frame of impeg2d_api_main.c, there is an ou ...) NOT-FOR-US: Android Media Framework CVE-2017-13248 (In impeg2_idct_recon_sse42() of impeg2_idct_recon_sse42_intr.c, there ...) NOT-FOR-US: Android Media Framework CVE-2017-13247 (In the Pixel 2 bootloader, there is a missing permission check which b ...) NOT-FOR-US: HTC Android components CVE-2017-13246 (A information disclosure vulnerability in the Upstream kernel network ...) NOT-FOR-US: Closed source network driver for Pixel phones CVE-2017-13245 (A elevation of privilege vulnerability in the Upstream kernel audio dr ...) NOT-FOR-US: Closed source audio driver for Pixel phones CVE-2017-13244 (A elevation of privilege vulnerability in the Upstream kernel easel. P ...) NOT-FOR-US: Easel driver for Pixel phones CVE-2017-13243 (A information disclosure vulnerability in the Android system (ui). Pro ...) NOT-FOR-US: Android CVE-2017-13242 (A information disclosure vulnerability in the Android system (bluetoot ...) NOT-FOR-US: Android CVE-2017-13241 (A information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android Media Framework CVE-2017-13240 (A information disclosure vulnerability in the Android framework (crypt ...) NOT-FOR-US: Android CVE-2017-13239 (A information disclosure vulnerability in the Android framework (ui fr ...) NOT-FOR-US: Android CVE-2017-13238 (In XBLRamDump mode, there is a debug feature that can be used to dump ...) NOT-FOR-US: HTC Android components CVE-2017-13237 RESERVED CVE-2017-13236 (In the KeyStore service, there is a permissions bypass that allows acc ...) NOT-FOR-US: Android CVE-2017-13235 (A other vulnerability in the Android media framework (n/a). Product: A ...) NOT-FOR-US: Android Media Framework CVE-2017-13234 (In DLSParser of the sonivox library, there is possible resource exhaus ...) NOT-FOR-US: Android Media Framework CVE-2017-13233 (In ihevcd_ctb_boundary_strength_pbslice of libhevc, there is possible ...) NOT-FOR-US: Android Media Framework CVE-2017-13232 (In audioserver, there is an out-of-bounds write due to a log statement ...) NOT-FOR-US: Android Media Framework CVE-2017-13231 (In libmediadrm, there is an out-of-bounds write due to improper input ...) NOT-FOR-US: Android Media Framework CVE-2017-13230 (In hevc codec, there is an out-of-bounds write due to an incorrect bou ...) NOT-FOR-US: Android Media Framework CVE-2017-13229 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android Media Framework CVE-2017-13228 (In function ih264d_ref_idx_reordering of libavc, there is an out-of-bo ...) NOT-FOR-US: Android Media Framework CVE-2017-13227 RESERVED NOT-FOR-US: Android CVE-2017-13226 (An elevation of privilege vulnerability in the MediaTek mtk. Product: ...) NOT-FOR-US: Mediatek components for Android CVE-2017-13225 (In libMtkOmxVdec.so there is a possible heap buffer overflow. This cou ...) NOT-FOR-US: Mediatek components for Android CVE-2017-13224 RESERVED CVE-2017-13223 RESERVED CVE-2017-13222 (An information disclosure vulnerability in the Upstream kernel kernel. ...) NOT-FOR-US: Android kernel component (no source release, no apparently not affecting mainline) CVE-2017-13221 (An elevation of privilege vulnerability in the Upstream kernel wifi dr ...) NOT-FOR-US: Android kernel component (no source release, no apparently not affecting mainline) CVE-2017-13220 (An elevation of privilege vulnerability in the Upstream kernel bluez. ...) {DSA-4187-1} - linux 4.0.2-1 [wheezy] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/51bda2bca53b265715ca1852528f38dc67429d9a CVE-2017-13219 (A denial of service vulnerability in the Upstream kernel synaptics tou ...) NOT-FOR-US: Android kernel component (no source release, no apparently not affecting mainline) CVE-2017-13218 (Access to CNTVCT_EL0 in Small Cell SoC, Snapdragon Automobile, Snapdra ...) NOT-FOR-US: Android kernel component (no source release, no apparently not affecting mainline) CVE-2017-13217 (In DisplayFtmItem in the bootloader, there is an out-of-bounds write d ...) NOT-FOR-US: Android kernel component (no source release, no apparently not affecting mainline) CVE-2017-13216 (In ashmem_ioctl of ashmem.c, there is an out-of-bounds write due to in ...) - linux 4.14.17-1 (unimportant) [stretch] - linux 4.9.80-1 [jessie] - linux 3.16.56-1 [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/443064cb0b1fb4569fe0a71209da7625129f CVE-2017-13215 (A elevation of privilege vulnerability in the Upstream kernel skcipher ...) - linux 4.4.2-1 [jessie] - linux 3.16.7-ckt25-1 [wheezy] - linux 3.2.78-1 CVE-2017-13214 (In the hardware HEVC decoder, some media files could cause a page faul ...) NOT-FOR-US: HTC components for Android CVE-2017-13213 (An elevation of privilege vulnerability in the Broadcom bcmdhd driver. ...) NOT-FOR-US: Broadcom component for Android CVE-2017-13212 (An elevation of privilege vulnerability in the Android system (systemu ...) NOT-FOR-US: Android CVE-2017-13211 (In bta_scan_results_cb_impl of btif_ble_scanner.cc, there is possible ...) NOT-FOR-US: Android CVE-2017-13210 (In CameraDeviceClient::submitRequestList of CameraDeviceClient.cpp, th ...) NOT-FOR-US: Android CVE-2017-13209 (In the ServiceManager::add function in the hardware service manager, t ...) NOT-FOR-US: Android CVE-2017-13208 (In receive_packet of libnetutils/packet.c, there is a possible out-of- ...) NOT-FOR-US: Android CVE-2017-13207 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-13206 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-13205 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-13204 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-13203 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-13202 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-13201 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-13200 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-13199 (In Bitmap.ccp if Bitmap.nativeCreate fails an out of memory exception ...) NOT-FOR-US: Android media framework CVE-2017-13198 (A vulnerability in the Android media framework (ex) related to composi ...) NOT-FOR-US: Android media framework CVE-2017-13197 (In the ihevcd_parse_slice.c function, slave threads are not joined if ...) NOT-FOR-US: Android media framework CVE-2017-13196 (In several places in ihevcd_decode.c, a dead loop could occur due to i ...) NOT-FOR-US: Android media framework CVE-2017-13195 (In the ihevcd_parse_sps function of ihevcd_parse_headers.c, several pa ...) NOT-FOR-US: Android media framework CVE-2017-13194 (A vulnerability in the Android media framework (libvpx) related to odd ...) {DSA-4132-1 DLA-1290-1} - libvpx 1.7.0-2 NOTE: Android patch: https://android.googlesource.com/platform/external/libvpx/+/55cd1dd7c8d0a3de907d22e0f12718733f4e41d9 CVE-2017-13193 (In ihevcd_decode.c there is a possible infinite loop due to bytes for ...) NOT-FOR-US: Android media framework CVE-2017-13192 (In the ihevcd_parse_slice_header function of ihevcd_parse_slice_header ...) NOT-FOR-US: Android media framework CVE-2017-13191 (In the ihevcd_decode function of ihevcd_decode.c, there is an infinite ...) NOT-FOR-US: Android media framework CVE-2017-13190 (A vulnerability in the Android media framework (libhevc) related to ha ...) NOT-FOR-US: Android media framework CVE-2017-13189 (A vulnerability in the Android media framework (libavc) related to han ...) NOT-FOR-US: Android media framework CVE-2017-13188 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-13187 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-13186 (A vulnerability in the Android media framework (libavc) related to inc ...) NOT-FOR-US: Android media framework CVE-2017-13185 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-13184 (In the enableVSyncInjections function of SurfaceFlinger, there is a po ...) NOT-FOR-US: Android media framework CVE-2017-13183 (In the OMXNodeInstance::useBuffer and IOMX::freeBuffer functions, ther ...) NOT-FOR-US: Android media framework CVE-2017-13182 (In the sendFormatChange function of ACodec, there is a possible intege ...) NOT-FOR-US: Android media framework CVE-2017-13181 (In the doGetThumb and getThumbnail functions of MtpServer, there is a ...) NOT-FOR-US: Android media framework CVE-2017-13180 (In the onQueueFilled function of SoftAVCDec, there is a possible out-o ...) NOT-FOR-US: Android media framework CVE-2017-13179 (In the ihevcd_allocate_static_bufs and ihevcd_create functions of Soft ...) NOT-FOR-US: Android media framework CVE-2017-13178 (In the initDecoder function of SoftAVCDec, there is a possible out-of- ...) NOT-FOR-US: Android media framework CVE-2017-13177 (In several functions of libhevc, NEON registers are not preserved. Thi ...) NOT-FOR-US: Android media framework CVE-2017-13176 (In the parseURL function of URLStreamHandler, there is improper input ...) NOT-FOR-US: Android CVE-2017-13175 (An information disclosure vulnerability in the NVIDIA libwilhelm. Prod ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-13174 (An elevation of privilege vulnerability in the kernel edl. Product: An ...) NOT-FOR-US: Android kernel components (no source release, so apparently not present in mainline) CVE-2017-13173 (An elevation of privilege vulnerability in the MediaTek system server. ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-13172 (An elevation of privilege vulnerability in the MediaTek bluetooth driv ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-13171 (An elevation of privilege vulnerability in the MediaTek performance se ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-13170 (An elevation of privilege vulnerability in the MediaTek display driver ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-13169 (An information disclosure vulnerability in the kernel camera server. P ...) NOT-FOR-US: Android kernel components (no source release, so apparently not present in mainline) CVE-2017-13168 (An elevation of privilege vulnerability in the kernel scsi driver. Pro ...) - linux 4.17.6-1 [stretch] - linux 4.9.130-1 NOTE: Fixed by: https://git.kernel.org/linus/26b5b874aff5659a7e26e5b1997e3df2c41fa7fd CVE-2017-13167 (An elevation of privilege vulnerability in the kernel sound timer. Pro ...) - linux 4.4.2-1 [jessie] - linux 3.16.7-ckt25-1 NOTE: Fixed by: https://git.kernel.org/linus/c3b1681375dc6e71d89a3ae00cc3ce9e775a8917 NOTE: Fixed by: https://git.kernel.org/linus/4dff5c7b7093b19c19d3a100f8a3ad87cb7cd9e7 CVE-2017-13166 (An elevation of privilege vulnerability in the kernel v4l2 video drive ...) {DSA-4187-1 DSA-4120-1 DLA-1369-1} - linux 4.15.4-1 NOTE: https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13166.html NOTE: https://git.kernel.org/linus/a1dfb4c48cc1e64eeb7800a27c66a6f7e88d075a CVE-2017-13165 (An elevation of privilege vulnerability in the kernel file system. Pro ...) NOT-FOR-US: Android kernel components (no source release, so apparently not present in mainline) CVE-2017-13164 (An information disclosure vulnerability in the kernel binder driver. P ...) NOT-FOR-US: Android kernel components (no source release, so apparently not present in mainline) CVE-2017-13163 (An elevation of privilege vulnerability in the kernel mtp usb driver. ...) NOT-FOR-US: Android kernel components (no source release, so apparently not present in mainline) CVE-2017-13162 (An elevation of privilege vulnerability in the kernel binder. Product: ...) NOT-FOR-US: Android kernel components (no source release, so apparently not present in mainline) CVE-2017-13161 (An elevation of privilege vulnerability in the Broadcom wireless drive ...) NOT-FOR-US: Broadcom components for Android CVE-2017-13160 (A remote code execution vulnerability in the Android system (bluetooth ...) NOT-FOR-US: Android CVE-2017-13159 (An information disclosure vulnerability in the Android system (activit ...) NOT-FOR-US: Android CVE-2017-13158 (An information disclosure vulnerability in the Android system (activit ...) NOT-FOR-US: Android CVE-2017-13157 (An information disclosure vulnerability in the Android system (activit ...) NOT-FOR-US: Android CVE-2017-13156 (An elevation of privilege vulnerability in the Android system (art). P ...) - android-platform-system-core (Not exploitable on Debian, see #890949) CVE-2017-13155 RESERVED CVE-2017-13154 (An elevation of privilege vulnerability in the Android media framework ...) NOT-FOR-US: Android Media Framework CVE-2017-13153 (An elevation of privilege vulnerability in the Android media framework ...) NOT-FOR-US: Android Media Framework CVE-2017-13152 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android Media Framework CVE-2017-13151 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android Media Framework CVE-2017-13150 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android Media Framework CVE-2017-13149 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android Media Framework CVE-2017-13148 (A denial of service vulnerability in the Android media framework (libm ...) NOT-FOR-US: Android Media Framework CVE-2017-13147 (In GraphicsMagick 1.3.26, an allocation failure vulnerability was foun ...) - graphicsmagick 1.3.27-1 (unimportant) NOTE: https://sourceforge.net/p/graphicsmagick/bugs/446/ CVE-2017-13146 (In ImageMagick before 6.9.8-5 and 7.x before 7.0.5-6, there is a memor ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-14 (unimportant; bug #870013) NOTE: https://github.com/ImageMagick/ImageMagick/commit/437a35e57db5ec078f4a3ccbf71f941276e88430 CVE-2017-13141 (In ImageMagick before 6.9.9-4 and 7.x before 7.0.6-4, a crafted file c ...) {DSA-4019-1} - imagemagick 8:6.9.7.4+dfsg-15 (unimportant; bug #870116) NOTE: https://github.com/ImageMagick/ImageMagick/issues/600 CVE-2017-13138 (DOM based Cross-site scripting (XSS) vulnerability in the Bridge theme ...) NOT-FOR-US: Wordpress theme CVE-2017-13137 (The FormCraft Basic plugin 1.0.5 for WordPress has SQL injection in th ...) NOT-FOR-US: Wordpress plugin CVE-2017-13136 (The image_alloc function in bpgenc.c in libbpg 0.9.7 has an integer ov ...) NOT-FOR-US: libbpg CVE-2017-13135 (A NULL Pointer Dereference exists in VideoLAN x265, as used in libbpg ...) - x265 2.6-3 (low) [stretch] - x265 (Minor issue) NOTE: https://github.com/ebel34/bpg-web-encoder/issues/1 NOTE: https://bitbucket.org/multicoreware/x265/issues/385/cve-2017-13135 NOTE: https://bitbucket.org/multicoreware/x265/commits/78c0f2c8ba087b38e291226a9555b4b4dab323a5/raw CVE-2017-13134 (In ImageMagick 7.0.6-6 and GraphicsMagick 1.3.26, a heap-based buffer ...) {DSA-4321-1 DSA-4040-1 DSA-4032-1 DLA-1401-1 DLA-1170-1 DLA-1081-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #873099) - graphicsmagick 1.3.26-19 (bug #881524) NOTE: https://github.com/ImageMagick/ImageMagick/issues/670 NOTE: https://github.com/ImageMagick/ImageMagick/commit/5304ae14655a67b9a3db00563fe44d9abd6de4f0 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/1b234b4fe2ec864b2d5af898a31c06c9736da904 NOTE: GraphicsMagick: http://hg.code.sf.net/p/graphicsmagick/code/rev/1b47e0078e05 CVE-2017-13133 (In ImageMagick 7.0.6-8, the load_level function in coders/xcf.c lacks ...) {DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #873100) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/679 NOTE: https://github.com/ImageMagick/ImageMagick/commit/19dbe11c5060f66abb393d1945107c5f54894fa8 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/fad03699658d2607562a8487c944c300d59a1ca5 CVE-2017-13132 (In ImageMagick 7.0.6-8, the WritePDFImage function in coders/pdf.c ope ...) - imagemagick (Vulnerable code not present, introduced in 7.0.1-0) NOTE: https://github.com/ImageMagick/ImageMagick/issues/674 CVE-2017-13131 (In ImageMagick 7.0.6-8, a memory leak vulnerability was found in the f ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/676 CVE-2017-13130 (mcmnm in BMC Patrol allows local users to gain privileges via a crafte ...) NOT-FOR-US: BMC Patrol CVE-2017-13129 (Cross-site request forgery (CSRF) vulnerability in ZKTeco ZKTime Web 2 ...) NOT-FOR-US: ZKTeco ZKTime Web CVE-2017-13128 RESERVED CVE-2017-13127 (The VIP.com application for IOS and Android allows remote attackers to ...) NOT-FOR-US: VIP.com app CVE-2017-13126 REJECTED CVE-2017-13125 REJECTED CVE-2017-13124 REJECTED CVE-2017-13123 REJECTED CVE-2017-13122 REJECTED CVE-2017-13121 REJECTED CVE-2017-13120 REJECTED CVE-2017-13119 REJECTED CVE-2017-13118 REJECTED CVE-2017-13117 REJECTED CVE-2017-13116 REJECTED CVE-2017-13115 REJECTED CVE-2017-13114 REJECTED CVE-2017-13113 REJECTED CVE-2017-13112 REJECTED CVE-2017-13111 REJECTED CVE-2017-13110 REJECTED CVE-2017-13109 REJECTED CVE-2017-13108 (DFNDR Security Antivirus, Anti-hacking & Cleaner, 5.0.9, 2017-11-0 ...) NOT-FOR-US: DFNDR Security Antivirus, Anti-hacking & Cleaner CVE-2017-13107 (Live.me - live stream video chat, 3.7.20, 2017-11-06, Android applicat ...) NOT-FOR-US: Live.me - live stream video chat Android application CVE-2017-13106 (Cheetahmobile CM Launcher 3D - Theme, wallpaper, Secure, Efficient, 5. ...) NOT-FOR-US: Cheetahmobile CM Launcher 3D - Theme, wallpaper, Secure, Efficient Android application CVE-2017-13105 (Hi Security Virus Cleaner - Antivirus, Booster, 3.7.1.1329, 2017-09-13 ...) NOT-FOR-US: Hi Security Virus Cleaner - Antivirus, Booster Android application CVE-2017-13104 (Uber Technologies, Inc. UberEATS: Uber for Food Delivery, 1.108.10001, ...) NOT-FOR-US: Uber Technologies, Inc. UberEATS: Uber for Food Delivery iOS application CVE-2017-13103 REJECTED CVE-2017-13102 (Gameloft Asphalt Xtreme: Offroad Rally Racing, 1.6.0, 2017-08-13, iOS ...) NOT-FOR-US: Gameloft Asphalt Xtreme: Offroad Rally Racing iOS application CVE-2017-13101 (Musical.ly Inc., musical.ly - your video social network, 6.1.6, 2017-1 ...) NOT-FOR-US: Musical.ly Inc., musical.ly - your video social network iOS application CVE-2017-13100 (DistinctDev, Inc., The Moron Test, 6.3.1, 2017-05-04, iOS application ...) NOT-FOR-US: DistinctDev, Inc., The Moron Test iOS application CVE-2017-13099 (wolfSSL prior to version 3.12.2 provides a weak Bleichenbacher oracle ...) - wolfssl 3.13.0+dfsg-1 (bug #884235) NOTE: https://github.com/wolfSSL/wolfssl/pull/1229 NOTE: https://robotattack.org/ CVE-2017-13098 (BouncyCastle TLS prior to version 1.0.3, when configured to use the JC ...) {DSA-4072-1} - bouncycastle 1.58-1 (bug #884241) [jessie] - bouncycastle (Vulnerable code introduced in 1.56 with tls API addition) [wheezy] - bouncycastle (Vulnerable code not present) NOTE: Introduced by: https://github.com/bcgit/bc-java/commit/9b53e60792e14c65cd1dbfad65e88ec5949ce4b3 NOTE: Fixed by: https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c NOTE: Fixed in 1.59 beta 9 NOTE: https://robotattack.org/ CVE-2017-13097 (The P1735 IEEE standard describes flawed methods for encrypting electr ...) NOT-FOR-US: P1735 IEEE standard CVE-2017-13096 (The P1735 IEEE standard describes flawed methods for encrypting electr ...) NOT-FOR-US: P1735 IEEE standard CVE-2017-13095 (The P1735 IEEE standard describes flawed methods for encrypting electr ...) NOT-FOR-US: P1735 IEEE standard CVE-2017-13094 (The P1735 IEEE standard describes flawed methods for encrypting electr ...) NOT-FOR-US: P1735 IEEE standard CVE-2017-13093 (The P1735 IEEE standard describes flawed methods for encrypting electr ...) NOT-FOR-US: P1735 IEEE standard CVE-2017-13092 (The P1735 IEEE standard describes flawed methods for encrypting electr ...) NOT-FOR-US: P1735 IEEE standard CVE-2017-13091 (The P1735 IEEE standard describes flawed methods for encrypting electr ...) NOT-FOR-US: P1735 IEEE standard CVE-2017-13090 (The retr.c:fd_read_body() function is called when processing OK respon ...) {DSA-4008-1 DLA-1149-1} - wget 1.19.2-1 (bug #879957) NOTE: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=ba6b44f6745b14dce414761a8e4b35d31b176bba CVE-2017-13089 (The http.c:skip_short_body() function is called in some circumstances, ...) {DSA-4008-1 DLA-1149-1} - wget 1.19.2-1 (bug #879957) NOTE: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=d892291fb8ace4c3b734ea5125770989c215df3f CVE-2017-13088 (Wi-Fi Protected Access (WPA and WPA2) that support 802.11v allows rein ...) {DSA-3999-1 DLA-1150-1} - wpa 2:2.4-1.1 NOTE: https://w1.fi/security/2017-1/ CVE-2017-13087 (Wi-Fi Protected Access (WPA and WPA2) that support 802.11v allows rein ...) {DSA-3999-1 DLA-1150-1} - wpa 2:2.4-1.1 NOTE: https://w1.fi/security/2017-1/ CVE-2017-13086 (Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Tun ...) {DSA-3999-1 DLA-1150-1} - wpa 2:2.4-1.1 NOTE: https://w1.fi/security/2017-1/ CVE-2017-13085 RESERVED CVE-2017-13084 (Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Sta ...) - wpa (unimportant) NOTE: From https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt NOTE: As far as the related CVE-2017-13084 (reinstallation of the STK key in NOTE: the PeerKey handshake) is concerned, it should be noted that PeerKey NOTE: implementation in wpa_supplicant is not fully functional and the actual NOTE: installation of the key into the driver does not work. As such, this NOTE: item is not applicable in practice. Furthermore, the PeerKey handshake NOTE: for IEEE 802.11e DLS is obsolete and not known to have been deployed. CVE-2017-13083 (Akeo Consulting Rufus prior to version 2.17.1187 does not adequately v ...) NOT-FOR-US: Akeo Consulting Rufus CVE-2017-13082 (Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11r allow ...) {DSA-3999-1 DLA-1150-1} - wpa 2:2.4-1.1 NOTE: https://w1.fi/security/2017-1/ CVE-2017-13081 (Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allow ...) {DSA-3999-1 DLA-1573-1 DLA-1150-1} - firmware-nonfree 20180825-1 [stretch] - firmware-nonfree 20161130-4 [jessie] - firmware-nonfree (non-free not supported) - wpa 2:2.4-1.1 NOTE: https://w1.fi/security/2017-1/ CVE-2017-13080 (Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Gro ...) {DSA-3999-1 DLA-1573-1 DLA-1200-1 DLA-1150-1} - firmware-nonfree 20180825-1 [stretch] - firmware-nonfree 20161130-4 [jessie] - firmware-nonfree (non-free not supported) - wpa 2:2.4-1.1 - linux 4.13.13-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 NOTE: https://w1.fi/security/2017-1/ NOTE: https://git.kernel.org/linus/fdf7cb4185b60c68e1a75e61691c4afdc15dea0e (v4.14-rc6) CVE-2017-13079 (Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allow ...) {DSA-3999-1 DLA-1573-1 DLA-1150-1} - firmware-nonfree 20180825-1 [stretch] - firmware-nonfree 20161130-4 [jessie] - firmware-nonfree (non-free not supported) - wpa 2:2.4-1.1 NOTE: https://w1.fi/security/2017-1/ CVE-2017-13078 (Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Gro ...) {DSA-3999-1 DLA-1573-1 DLA-1150-1} - firmware-nonfree 20180825-1 [stretch] - firmware-nonfree 20161130-4 [jessie] - firmware-nonfree (non-free not supported) - wpa 2:2.4-1.1 NOTE: https://w1.fi/security/2017-1/ CVE-2017-13077 (Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Pai ...) {DSA-3999-1 DLA-1573-1 DLA-1150-1} - firmware-nonfree 20180825-1 [stretch] - firmware-nonfree 20161130-4 [jessie] - firmware-nonfree (non-free not supported) - wpa 2:2.4-1.1 NOTE: https://w1.fi/security/2017-1/ CVE-2017-13076 RESERVED CVE-2017-13075 RESERVED CVE-2017-13074 RESERVED CVE-2017-13073 (Cross-site scripting (XSS) vulnerability in QNAP NAS application Photo ...) NOT-FOR-US: NAP NAS application Photo Station CVE-2017-13072 (Cross-site scripting (XSS) vulnerability in App Center in QNAP QTS 4.2 ...) NOT-FOR-US: QNAP CVE-2017-13071 (QNAP has already patched this vulnerability. This security concern all ...) NOT-FOR-US: QNAP CVE-2017-13070 (A DLL Hijacking vulnerability in QNAP Qsync for Windows (exe) version ...) NOT-FOR-US: QNAP CVE-2017-13069 (QNAP discovered a number of command injection vulnerabilities found in ...) NOT-FOR-US: QNAP CVE-2017-13068 (QNAP has already patched this vulnerability. This security concern all ...) NOT-FOR-US: QNAP CVE-2017-13067 (QNAP has patched a remote code execution vulnerability affecting the Q ...) NOT-FOR-US: QNAP CVE-2017-13066 (GraphicsMagick 1.3.26 has a memory leak vulnerability in the function ...) - graphicsmagick 1.3.27-1 (unimportant) NOTE: https://sourceforge.net/p/graphicsmagick/bugs/430/ CVE-2017-13065 (GraphicsMagick 1.3.26 has a NULL pointer dereference vulnerability in ...) {DSA-4321-1 DLA-1401-1 DLA-1082-1} - graphicsmagick 1.3.26-7 (bug #873119) NOTE: https://sourceforge.net/p/graphicsmagick/bugs/435/ NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/54f48ab2d52a CVE-2017-13064 (GraphicsMagick 1.3.26 has a heap-based buffer overflow vulnerability i ...) {DSA-4321-1 DLA-1401-1 DLA-1082-1} - graphicsmagick 1.3.26-7 (bug #873129) NOTE: https://sourceforge.net/p/graphicsmagick/bugs/436/ NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/54f48ab2d52a CVE-2017-13063 (GraphicsMagick 1.3.26 has a heap-based buffer overflow vulnerability i ...) {DSA-4321-1 DLA-1401-1 DLA-1082-1} - graphicsmagick 1.3.26-7 (bug #873130) NOTE: https://sourceforge.net/p/graphicsmagick/bugs/434/ NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/54f48ab2d52a CVE-2017-13062 (In ImageMagick 7.0.6-6, a memory leak vulnerability was found in the f ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/669 CVE-2017-13061 (In ImageMagick 7.0.6-5, a length-validation vulnerability was found in ...) - imagemagick 8:6.9.9.34+dfsg-3 (bug #873131) [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (Vulnerable code not present) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/645 NOTE: https://github.com/ImageMagick/ImageMagick/commit/90ed66889d6455a1d7f36e939977fa099e2d7ca7 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/90ed66889d6455a1d7f36e939977fa099e2d7ca7 CVE-2017-13060 (In ImageMagick 7.0.6-5, a memory leak vulnerability was found in the f ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/644 CVE-2017-13059 (In ImageMagick 7.0.6-6, a memory leak vulnerability was found in the f ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/667 CVE-2017-13058 (In ImageMagick 7.0.6-6, a memory leak vulnerability was found in the f ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/666 CVE-2017-13057 RESERVED CVE-2017-13056 (The launchURL function in PDF-XChange Viewer 2.5 (Build 314.0) might a ...) NOT-FOR-US: PDF-XChange Viewer CVE-2017-13055 (The ISO IS-IS parser in tcpdump before 4.9.2 has a buffer over-read in ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13054 (The LLDP parser in tcpdump before 4.9.2 has a buffer over-read in prin ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13053 (The BGP parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13052 (The CFM parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13051 (The RSVP parser in tcpdump before 4.9.2 has a buffer over-read in prin ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13050 (The RPKI-Router parser in tcpdump before 4.9.2 has a buffer over-read ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13049 (The Rx protocol parser in tcpdump before 4.9.2 has a buffer over-read ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13048 (The RSVP parser in tcpdump before 4.9.2 has a buffer over-read in prin ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13047 (The ISO ES-IS parser in tcpdump before 4.9.2 has a buffer over-read in ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13046 (The BGP parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13045 (The VQP parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13044 (The HNCP parser in tcpdump before 4.9.2 has a buffer over-read in prin ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13043 (The BGP parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13042 (The HNCP parser in tcpdump before 4.9.2 has a buffer over-read in prin ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13041 (The ICMPv6 parser in tcpdump before 4.9.2 has a buffer over-read in pr ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13040 (The MPTCP parser in tcpdump before 4.9.2 has a buffer over-read in pri ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13039 (The ISAKMP parser in tcpdump before 4.9.2 has a buffer over-read in pr ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13038 (The PPP parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13037 (The IP parser in tcpdump before 4.9.2 has a buffer over-read in print- ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13036 (The OSPFv3 parser in tcpdump before 4.9.2 has a buffer over-read in pr ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13035 (The ISO IS-IS parser in tcpdump before 4.9.2 has a buffer over-read in ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13034 (The PGM parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13033 (The VTP parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13032 (The RADIUS parser in tcpdump before 4.9.2 has a buffer over-read in pr ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13031 (The IPv6 fragmentation header parser in tcpdump before 4.9.2 has a buf ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13030 (The PIM parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13029 (The PPP parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13028 (The BOOTP parser in tcpdump before 4.9.2 has a buffer over-read in pri ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13027 (The LLDP parser in tcpdump before 4.9.2 has a buffer over-read in prin ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13026 (The ISO IS-IS parser in tcpdump before 4.9.2 has a buffer over-read in ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13025 (The IPv6 mobility parser in tcpdump before 4.9.2 has a buffer over-rea ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13024 (The IPv6 mobility parser in tcpdump before 4.9.2 has a buffer over-rea ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13023 (The IPv6 mobility parser in tcpdump before 4.9.2 has a buffer over-rea ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13022 (The IP parser in tcpdump before 4.9.2 has a buffer over-read in print- ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13021 (The ICMPv6 parser in tcpdump before 4.9.2 has a buffer over-read in pr ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13020 (The VTP parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13019 (The PGM parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13018 (The PGM parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13017 (The DHCPv6 parser in tcpdump before 4.9.2 has a buffer over-read in pr ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13016 (The ISO ES-IS parser in tcpdump before 4.9.2 has a buffer over-read in ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13015 (The EAP parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13014 (The White Board protocol parser in tcpdump before 4.9.2 has a buffer o ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13013 (The ARP parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13012 (The ICMP parser in tcpdump before 4.9.2 has a buffer over-read in prin ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13011 (Several protocol parsers in tcpdump before 4.9.2 could cause a buffer ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13010 (The BEEP parser in tcpdump before 4.9.2 has a buffer over-read in prin ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13009 (The IPv6 mobility parser in tcpdump before 4.9.2 has a buffer over-rea ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13008 (The IEEE 802.11 parser in tcpdump before 4.9.2 has a buffer over-read ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13007 (The Apple PKTAP parser in tcpdump before 4.9.2 has a buffer over-read ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13006 (The L2TP parser in tcpdump before 4.9.2 has a buffer over-read in prin ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13005 (The NFS parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13004 (The Juniper protocols parser in tcpdump before 4.9.2 has a buffer over ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13003 (The LMP parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13002 (The AODV parser in tcpdump before 4.9.2 has a buffer over-read in prin ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13001 (The NFS parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13000 (The IEEE 802.15.4 parser in tcpdump before 4.9.2 has a buffer over-rea ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12999 (The IS-IS parser in tcpdump before 4.9.2 has a buffer over-read in pri ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12998 (The IS-IS parser in tcpdump before 4.9.2 has a buffer over-read in pri ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12997 (The LLDP parser in tcpdump before 4.9.2 could enter an infinite loop d ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12996 (The PIMv2 parser in tcpdump before 4.9.2 has a buffer over-read in pri ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12995 (The DNS parser in tcpdump before 4.9.2 could enter an infinite loop du ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12994 (The BGP parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12993 (The Juniper protocols parser in tcpdump before 4.9.2 has a buffer over ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12992 (The RIPng parser in tcpdump before 4.9.2 has a buffer over-read in pri ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12991 (The BGP parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12990 (The ISAKMP parser in tcpdump before 4.9.2 could enter an infinite loop ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12989 (The RESP parser in tcpdump before 4.9.2 could enter an infinite loop d ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12988 (The telnet parser in tcpdump before 4.9.2 has a buffer over-read in pr ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12987 (The IEEE 802.11 parser in tcpdump before 4.9.2 has a buffer over-read ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12986 (The IPv6 routing header parser in tcpdump before 4.9.2 has a buffer ov ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12985 (The IPv6 parser in tcpdump before 4.9.2 has a buffer over-read in prin ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12984 (PHPMyWind 5.3 has XSS in shoppingcart.php, related to message.php, adm ...) NOT-FOR-US: PHPMyWind CVE-2017-12983 (Heap-based buffer overflow in the ReadSFWImage function in coders/sfw. ...) {DSA-4040-1 DSA-4032-1 DLA-1081-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #873134) NOTE: https://github.com/ImageMagick/ImageMagick/issues/682 NOTE: https://github.com/ImageMagick/ImageMagick/commit/d4145e664aea3752ca6d3bf1ee825352b595dab5 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/26078285f49c361ad8ddc8e14bd1d4aab7ed5682 CVE-2017-12981 (NexusPHP 1.5.beta5.20120707 has SQL Injection in forummanage.php via t ...) NOT-FOR-US: NexusPHP CVE-2017-12980 (DokuWiki through 2017-02-19c has stored XSS when rendering a malicious ...) - dokuwiki 0.0.20180422.a-1 (bug #872941) [jessie] - dokuwiki (Minor issue) [wheezy] - dokuwiki (Minor issue) NOTE: https://github.com/splitbrain/dokuwiki/issues/2081 NOTE: https://github.com/splitbrain/dokuwiki/commit/f883db117a4fdeae72071db41b3ef5932d6335da CVE-2017-12979 (DokuWiki through 2017-02-19c has stored XSS when rendering a malicious ...) - dokuwiki 0.0.20180422.a-1 (bug #872940) [jessie] - dokuwiki (Minor issue) [wheezy] - dokuwiki (Minor issue) NOTE: https://github.com/splitbrain/dokuwiki/issues/2080 NOTE: https://github.com/splitbrain/dokuwiki/commit/56bd9509ab2037512829392fda6427af7f390724 CVE-2017-12978 (lib/html.php in Cacti before 1.1.18 has XSS via the title field of an ...) - cacti 1.1.18+ds1-1 [stretch] - cacti (Vulnerable code, external link support, introduced later) [jessie] - cacti (Vulnerable code, external link support, introduced later) [wheezy] - cacti (Vulnerable code, external link support, introduced later) NOTE: https://github.com/Cacti/cacti/commit/9c610a7a4e29595dcaf7d7082134e4b89619ea24 NOTE: https://github.com/Cacti/cacti/issues/918 CVE-2017-12977 (The Web-Dorado "Photo Gallery by WD - Responsive Photo Gallery" plugin ...) NOT-FOR-US: Web-Dorado plugin for Wordpress CVE-2017-1000216 REJECTED CVE-2017-1000205 REJECTED CVE-2017-1000202 REJECTED CVE-2017-1000184 REJECTED CVE-2017-1000183 REJECTED CVE-2017-1000181 REJECTED CVE-2017-1000180 REJECTED CVE-2017-1000179 REJECTED CVE-2017-1000178 REJECTED CVE-2017-1000177 REJECTED CVE-2017-1000175 REJECTED CVE-2017-1000167 REJECTED CVE-2017-1000166 REJECTED CVE-2017-1000165 REJECTED CVE-2017-1000162 REJECTED CVE-2017-1000124 REJECTED CVE-2017-1000123 REJECTED CVE-2017-12982 (The bmp_read_info_header function in bin/jp2/convertbmp.c in OpenJPEG ...) - openjpeg2 2.3.0-1 (unimportant) NOTE: https://github.com/uclouvain/openjpeg/issues/983 NOTE: https://github.com/uclouvain/openjpeg/commit/baf0c1ad4572daa89caa3b12985bdd93530f0dd7 CVE-2017-12975 RESERVED CVE-2017-12974 (Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without e ...) NOT-FOR-US: Nimbus JOSE + JWT CVE-2017-12973 (Nimbus JOSE+JWT before 4.39 proceeds improperly after detection of an ...) NOT-FOR-US: Nimbus JOSE + JWT CVE-2017-12972 (In Nimbus JOSE+JWT before 4.39, there is no integer-overflow check whe ...) NOT-FOR-US: Nimbus JOSE + JWT CVE-2017-12976 (git-annex before 6.20170818 allows remote attackers to execute arbitra ...) {DSA-4010-1 DLA-1495-1 DLA-1144-1} - git-annex 6.20170818-1 (bug #873088) NOTE: http://source.git-annex.branchable.com/?p=source.git;a=commit;h=df11e54788b254efebb4898b474de11ae8d3b471 NOTE: http://source.git-annex.branchable.com/?p=source.git;a=commit;h=c24d0f0e8984576654e2be149005bc884fe0403a NOTE: http://source.git-annex.branchable.com/?p=source.git;a=blob;f=doc/bugs/dashed_ssh_hostname_security_hole.mdwn NOTE: jessie patch: https://gitlab.com/anarcat/git-annex/commit/58daf6cbe4c1ea1cf71f3a538a0e27b5075c7265 NOTE: stretch patch: https://gitlab.com/anarcat/git-annex/commit/115585df48dce16aa702663dab220de625b9de7d NOTE: This is similar class of issue as for CVE-2017-1000117/git CVE-2017-12971 (Cross-site scripting (XSS) vulnerability in Apache2Triad 1.5.4 allows ...) NOT-FOR-US: Apache2Triad CVE-2017-12970 (Cross-site request forgery (CSRF) vulnerability in Apache2Triad 1.5.4 ...) NOT-FOR-US: Apache2Triad CVE-2017-12969 (Buffer overflow in the ViewerCtrlLib.ViewerCtrl ActiveX control in Ava ...) NOT-FOR-US: Avaya IP Office Contact Center CVE-2017-12968 RESERVED CVE-2017-12967 (The getsym function in tekhex.c in the Binary File Descriptor (BFD) li ...) - binutils 2.29-5 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21962 CVE-2017-12966 (The asn1f_lookup_symbol_impl function in asn1fix_retrieve.c in libasn1 ...) - asn1c (unimportant) CVE-2017-12965 (Session fixation vulnerability in Apache2Triad 1.5.4 allows remote att ...) NOT-FOR-US: Apache2Triad CVE-2017-12964 (There is a stack consumption issue in LibSass 3.4.5 that is triggered ...) - libsass (low; bug #873034) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482397 CVE-2017-12963 (There is an illegal address access in Sass::Eval::operator() in eval.c ...) - libsass (low; bug #873034) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482335 NOTE: Similar issue to CVE-2017-11555 but for the issue which remains unfixed NOTE: with the upstream patch for CVE-2017-11555. CVE-2017-12962 (There are memory leaks in LibSass 3.4.5 triggered by deeply nested cod ...) - libsass (low; bug #873034) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482331 CVE-2017-12961 (There is an assertion abort in the function parse_attributes() in data ...) - pspp 1.0.1-1 (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482436 NOTE: Crash in CLI tool, no security impact CVE-2017-12960 (There is a reachable assertion abort in the function dict_rename_var() ...) - pspp 1.0.1-1 (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482433 NOTE: Crash in CLI tool, no security impact CVE-2017-12959 (There is a reachable assertion abort in the function dict_add_mrset() ...) - pspp 1.0.1-1 (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482432 NOTE: Crash in CLI tool, no security impact CVE-2017-12958 (There is an illegal address access in the function output_hex() in dat ...) - pspp 1.0.1-1 (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482429 NOTE: Crash in CLI tool, no security impact CVE-2017-12957 (There is a heap-based buffer over-read in libexiv2 in Exiv2 0.26 that ...) - exiv2 (Incorrect memory allocation introduced in 0.26) NOTE: https://github.com/Exiv2/exiv2/issues/60 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482423 NOTE: Experimental is affected, tracking as #876242 CVE-2017-12956 (There is an illegal address access in Exiv2::FileIo::path[abi:cxx11]() ...) - exiv2 (Vulnerable code introduced after 0.25; only affected experimental; bug #888872) NOTE: https://github.com/Exiv2/exiv2/issues/59 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482296 CVE-2017-12955 (There is a heap-based buffer overflow in basicio.cpp of Exiv2 0.26. Th ...) - exiv2 (Vulnerable code introduced after 0.25; only affected experimental; bug #888873) NOTE: https://github.com/Exiv2/exiv2/issues/58 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482295 CVE-2017-12954 (The gig::Region::GetSampleFromWavePool function in gig.cpp in libgig 4 ...) - libgig 4.0.0-5 (low; bug #877652) [stretch] - libgig (Minor issue) [jessie] - libgig (Minor issue) [wheezy] - libgig (Minor issue) NOTE: http://seclists.org/fulldisclosure/2017/Aug/39 (provides repoducer files) NOTE: http://svn.linuxsampler.org/cgi-bin/viewvc.cgi?view=revision&revision=3350 CVE-2017-12953 (The gig::Instrument::UpdateRegionKeyTable function in gig.cpp in libgi ...) - libgig 4.0.0-4 (low; bug #873718) [stretch] - libgig (Minor issue) [jessie] - libgig (Minor issue) [wheezy] - libgig (Minor issue) NOTE: http://seclists.org/fulldisclosure/2017/Aug/39 (provides repoducer files) NOTE: http://svn.linuxsampler.org/cgi-bin/viewvc.cgi?view=revision&revision=3348 CVE-2017-12952 (The LoadString function in helper.h in libgig 4.0.0 allows remote atta ...) - libgig 4.0.0-4 (low; bug #873718) [stretch] - libgig (Minor issue) [jessie] - libgig (Minor issue) [wheezy] - libgig (Minor issue) NOTE: http://seclists.org/fulldisclosure/2017/Aug/39 (provides repoducer files) NOTE: http://svn.linuxsampler.org/cgi-bin/viewvc.cgi?view=revision&revision=3348 CVE-2017-12951 (The gig::DimensionRegion::CreateVelocityTable function in gig.cpp in l ...) - libgig 4.0.0-5 (low; bug #877651) [stretch] - libgig (Minor issue) [jessie] - libgig (Minor issue) [wheezy] - libgig (Minor issue) NOTE: http://seclists.org/fulldisclosure/2017/Aug/39 (provides repoducer files) NOTE: http://svn.linuxsampler.org/cgi-bin/viewvc.cgi?view=revision&revision=3349 CVE-2017-12950 (The gig::Region::Region function in gig.cpp in libgig 4.0.0 allows rem ...) - libgig 4.0.0-4 (low; bug #873718) [stretch] - libgig (Minor issue) [jessie] - libgig (Minor issue) [wheezy] - libgig (Minor issue) NOTE: http://seclists.org/fulldisclosure/2017/Aug/39 (provides repoducer files) NOTE: http://svn.linuxsampler.org/cgi-bin/viewvc.cgi?view=revision&revision=3348 CVE-2017-12949 (lib\modules\contributors\contributor_list_table.php in the Podlove Pod ...) NOT-FOR-US: Podlove Podcast Publisher plugin for Wordpress CVE-2017-12948 (Core\Admin\PFTemplater.php in the PressForward plugin 4.3.0 and earlie ...) NOT-FOR-US: PressForward plugin for Wordpress CVE-2017-12947 (classes\controller\admin\modals.php in the Easy Modal plugin before 2. ...) NOT-FOR-US: Easy Modal plugin for WordPress CVE-2017-12946 (classes\controller\admin\modals.php in the Easy Modal plugin before 2. ...) NOT-FOR-US: Easy Modal plugin for WordPress CVE-2017-12945 (Insufficient validation of user-supplied input for the Solstice Pod be ...) NOT-FOR-US: Solstice Pod CVE-2017-12944 (The TIFFReadDirEntryArray function in tif_read.c in LibTIFF 4.0.8 mish ...) {DSA-4100-1 DLA-1093-1} - tiff 4.0.8-6 (bug #872607) - tiff3 [wheezy] - tiff3 (Vulnerable code not present) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2725 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/dc02f9050311a90b3c0655147cee09bfa7081cfc CVE-2017-12943 (D-Link DIR-600 Rev Bx devices with v2.x firmware allow remote attacker ...) NOT-FOR-US: D-Link DIR-600 Rev Bx devices CVE-2017-12939 (A Remote Code Execution vulnerability was identified in all Windows ve ...) NOT-FOR-US: Unity Editor CVE-2017-12942 (libunrar.a in UnRAR before 5.5.7 has a buffer overflow in the Unpack:: ...) - unrar-nonfree 1:5.5.8-1 [stretch] - unrar-nonfree (Non-free not supported) [jessie] - unrar-nonfree (Non-free not supported) [wheezy] - unrar-nonfree (Non-free not supported) NOTE: http://www.openwall.com/lists/oss-security/2017/08/18/6 CVE-2017-12941 (libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in the Unpa ...) - unrar-nonfree 1:5.5.8-1 [stretch] - unrar-nonfree (Non-free not supported) [jessie] - unrar-nonfree (Non-free not supported) [wheezy] - unrar-nonfree (Non-free not supported) NOTE: http://www.openwall.com/lists/oss-security/2017/08/18/6 CVE-2017-12940 (libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in the Enco ...) - unrar-nonfree 1:5.5.8-1 [stretch] - unrar-nonfree (Non-free not supported) [jessie] - unrar-nonfree (Non-free not supported) [wheezy] - unrar-nonfree (Non-free not supported) NOTE: http://www.openwall.com/lists/oss-security/2017/08/18/6 CVE-2017-12938 (UnRAR before 5.5.7 allows remote attackers to bypass a directory-trave ...) - unrar-nonfree 1:5.5.8-1 [stretch] - unrar-nonfree (Non-free not supported) [jessie] - unrar-nonfree (Non-free not supported) [wheezy] - unrar-nonfree (Non-free not supported) NOTE: http://www.openwall.com/lists/oss-security/2017/08/18/2 CVE-2017-12937 (The ReadSUNImage function in coders/sun.c in GraphicsMagick 1.3.26 has ...) {DSA-4321-1 DLA-1401-1 DLA-1082-1} - graphicsmagick 1.3.26-6 (bug #872574) NOTE: http://www.openwall.com/lists/oss-security/2017/08/18/5 NOTE: Fixed by: http://hg.code.sf.net/p/graphicsmagick/code/rev/95d00d55e978 CVE-2017-12936 (The ReadWMFImage function in coders/wmf.c in GraphicsMagick 1.3.26 has ...) {DSA-4321-1 DLA-1456-1 DLA-1082-1} - graphicsmagick 1.3.26-6 (bug #872575) NOTE: http://www.openwall.com/lists/oss-security/2017/08/18/3 NOTE: Fixed by: http://hg.code.sf.net/p/graphicsmagick/code/rev/be898b7c97bd CVE-2017-12935 (The ReadMNGImage function in coders/png.c in GraphicsMagick 1.3.26 mis ...) {DSA-4321-1 DLA-1456-1 DLA-1082-1} - graphicsmagick 1.3.26-6 (bug #872576) NOTE: http://www.openwall.com/lists/oss-security/2017/08/18/4 NOTE: Fixed by: http://hg.code.sf.net/p/graphicsmagick/code/rev/cd699a44f188 CVE-2017-12934 (ext/standard/var_unserializer.re in PHP 7.0.x before 7.0.21 and 7.1.x ...) {DSA-4080-1} - php7.1 7.1.8-1 - php7.0 7.0.22-1 NOTE: Fixed in 7.1.7, 7.0.21 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=74101 CVE-2017-12933 (The finish_nested_data function in ext/standard/var_unserializer.re in ...) {DSA-4081-1 DSA-4080-1 DLA-1076-1} - php7.1 7.1.8-1 - php7.0 7.0.22-1 - php5 NOTE: Fixed in 7.1.7, 7.0.21, 5.6.31 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=74111 CVE-2017-12932 (ext/standard/var_unserializer.re in PHP 7.0.x through 7.0.22 and 7.1.x ...) {DSA-4080-1} - php7.1 7.1.8-1 - php7.0 7.0.22-1 NOTE: Fixed in 7.1.8, 7.0.22 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=74103 NOTE: https://github.com/php/php-src/commit/1a23ebc1fff59bf480ca92963b36eba5c1b904c4 CVE-2017-12931 RESERVED CVE-2017-12930 (SQL Injection in the admin interface in TecnoVISION DLX Spot Player4 v ...) NOT-FOR-US: TecnoVISION DLX Spot Player4 CVE-2017-12929 (Arbitrary File Upload in resource.php of TecnoVISION DLX Spot Player4 ...) NOT-FOR-US: TecnoVISION DLX Spot Player4 CVE-2017-12928 (A hard-coded password of tecn0visi0n for the dlxuser account in TecnoV ...) NOT-FOR-US: TecnoVISION DLX Spot Player4 CVE-2017-12926 RESERVED CVE-2017-12918 RESERVED CVE-2017-12917 RESERVED CVE-2017-12916 RESERVED CVE-2017-12915 RESERVED CVE-2017-12914 RESERVED CVE-2017-12913 RESERVED CVE-2017-12912 (The "mpglibDBL/layer3.c" file in MP3Gain 1.5.2.r2 has a vulnerability ...) - mp3gain [wheezy] - mp3gain NOTE: https://drive.google.com/open?id=0B9DojFnTUSNGeS1hZlJkeGVkYlU CVE-2017-12911 (The "apetag.c" file in MP3Gain 1.5.2.r2 has a vulnerability which resu ...) - mp3gain [wheezy] - mp3gain NOTE: https://drive.google.com/open?id=0B9DojFnTUSNGeS1hZlJkeGVkYlU CVE-2017-12910 (SQL injection vulnerability in massmail.php in NexusPHP 1.5 allows rem ...) NOT-FOR-US: NexusPHP CVE-2017-12909 (SQL injection vulnerability in modtask.php in NexusPHP 1.5 allows remo ...) NOT-FOR-US: NexusPHP CVE-2017-12908 (SQL injection vulnerability in takeconfirm.php in NexusPHP 1.5 allows ...) NOT-FOR-US: NexusPHP CVE-2017-12907 (Cross-Site Scripting (XSS) exists in NexusPHP version v1.5 via the url ...) NOT-FOR-US: NexusPHP CVE-2017-12906 (Multiple cross-site scripting (XSS) vulnerabilities in NexusPHP allow ...) NOT-FOR-US: NexusPHP CVE-2017-12905 (Server Side Request Forgery vulnerability in Vebto Pixie Image Editor ...) NOT-FOR-US: Vebto Pixie Image Editor CVE-2017-12904 (Improper Neutralization of Special Elements used in an OS Command in b ...) {DSA-3947-1 DLA-1061-1} - newsbeuter 2.9-6 NOTE: https://github.com/akrennmair/newsbeuter/issues/591 NOTE: https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307 CVE-2017-12903 RESERVED CVE-2017-12902 (The Zephyr parser in tcpdump before 4.9.2 has a buffer over-read in pr ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12901 (The EIGRP parser in tcpdump before 4.9.2 has a buffer over-read in pri ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12900 (Several protocol parsers in tcpdump before 4.9.2 could cause a buffer ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12899 (The DECnet parser in tcpdump before 4.9.2 has a buffer over-read in pr ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12898 (The NFS parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12897 (The ISO CLNS parser in tcpdump before 4.9.2 has a buffer over-read in ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12896 (The ISAKMP parser in tcpdump before 4.9.2 has a buffer over-read in pr ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12895 (The ICMP parser in tcpdump before 4.9.2 has a buffer over-read in prin ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12894 (Several protocol parsers in tcpdump before 4.9.2 could cause a buffer ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12893 (The SMB/CIFS parser in tcpdump before 4.9.2 has a buffer over-read in ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12925 (Double free vulnerability in DfFromLB in docfile.cxx in libfpx 1.3.1_p ...) NOT-FOR-US: libfpx CVE-2017-12924 (CDirVector::GetTable in dirfunc.hxx in libfpx 1.3.1_p6 allows remote a ...) NOT-FOR-US: libfpx CVE-2017-12923 (OLEStream::WriteVT_LPSTR in olestrm.cpp in libfpx 1.3.1_p6 allows remo ...) NOT-FOR-US: libfpx CVE-2017-12922 (wchar.c in libfpx 1.3.1_p6 allows remote attackers to cause a denial o ...) NOT-FOR-US: libfpx CVE-2017-12921 (PFileFlashPixView::GetGlobalInfoProperty in f_fpxvw.cpp in libfpx 1.3. ...) NOT-FOR-US: libfpx CVE-2017-12920 (CDirectory::GetDirEntry in dir.cxx in libfpx 1.3.1_p6 allows remote at ...) NOT-FOR-US: libfpx CVE-2017-12919 (Heap-based buffer overflow in OLEStream::WriteVT_LPSTR in olestrm.cpp ...) NOT-FOR-US: libfpx CVE-2017-12927 (A cross-site scripting vulnerability exists in Cacti 1.1.17 in the met ...) - cacti 1.1.17+ds1-2 (bug #872478) [stretch] - cacti (Vulnerable code introduced later) [jessie] - cacti (Vulnerable code introduced later) [wheezy] - cacti (Vulnerable code introduced later) NOTE: https://github.com/Cacti/cacti/issues/907 NOTE: https://github.com/Cacti/cacti/commit/a032ce0be6a4ea47862c594e40a619ac8de1ef99 CVE-2017-1000108 (The Pipeline: Input Step Plugin by default allowed users with Item/Rea ...) NOT-FOR-US: Jenkins Input Step Plugin CVE-2017-1000107 (Script Security Plugin did not apply sandboxing restrictions to constr ...) NOT-FOR-US: Jenkins Script Security Plugin CVE-2017-12892 (Foxit PDF Compressor installers from versions from 7.0.0.183 to 7.7.2. ...) NOT-FOR-US: Foxit PDF Compressor CVE-2017-12891 RESERVED CVE-2017-12890 RESERVED CVE-2017-12889 RESERVED CVE-2017-12888 RESERVED CVE-2017-12887 RESERVED CVE-2017-12886 RESERVED CVE-2017-12885 (OX Software GmbH App Suite 7.8.4 and earlier is affected by: Cross Sit ...) NOT-FOR-US: OX Software GmbH App Suite CVE-2017-12884 (OX Software GmbH App Suite 7.8.4 and earlier is affected by: Informati ...) NOT-FOR-US: OX Software GmbH App Suite CVE-2017-12883 (Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 ...) {DSA-3982-1} - perl 5.26.0-8 (bug #875597) [wheezy] - perl (Vulnerable code introduced later) NOTE: https://rt.perl.org/Public/Bug/Display.html?id=131598 (not yet public) NOTE: https://perl5.git.perl.org/perl.git/commitdiff/2be4edede4ae226e2eebd4eff28cedd2041f300f NOTE: maint-5.26: https://perl5.git.perl.org/perl.git/commitdiff/2692dda97731c37082a0075eff50d741901c665f NOTE: maint-5.24: https://perl5.git.perl.org/perl.git/commitdiff/40b3cdad3649334585cee8f4630ec9a025e62be6 CVE-2017-12882 (Stored Cross-site scripting (XSS) vulnerability in Spring Batch Admin ...) NOT-FOR-US: Spring Batch Admin CVE-2017-12881 (Cross-site request forgery (CSRF) vulnerability in the Spring Batch Ad ...) NOT-FOR-US: Spring Batch Admin CVE-2017-12880 REJECTED CVE-2017-12879 (Cross-site scripting (XSS-STORED) vulnerability in the DEVICES OR SENS ...) NOT-FOR-US: Paessler PRTG Network Monitor CVE-2017-12878 RESERVED CVE-2016-10502 (While generating trusted application id, An integer overflow can occur ...) NOT-FOR-US: Snapdragon CVE-2016-10501 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10500 REJECTED CVE-2016-10499 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10498 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10497 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10496 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10495 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10494 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10493 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10492 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10491 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10490 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10489 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10488 REJECTED CVE-2016-10487 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10486 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10485 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10484 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10483 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10482 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10481 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10480 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10479 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10478 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10477 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10476 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10475 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10474 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10473 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10472 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10471 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10470 REJECTED CVE-2016-10469 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10468 REJECTED CVE-2016-10467 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10466 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10465 REJECTED CVE-2016-10464 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10463 REJECTED CVE-2016-10462 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10461 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10460 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10459 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10458 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10457 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10456 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10455 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10454 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10453 REJECTED CVE-2016-10452 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10451 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10450 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10449 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10448 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10447 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10446 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10445 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10444 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10443 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10442 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10441 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10440 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10439 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10438 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10437 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10436 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10435 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10434 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10433 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10432 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10431 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10430 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10429 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10428 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10427 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10426 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10425 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10424 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10423 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10422 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10421 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10420 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10419 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10418 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10417 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10416 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10415 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10414 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10413 REJECTED CVE-2016-10412 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10411 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10410 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10409 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10408 RESERVED NOT-FOR-US: Qualcomm components for Android CVE-2016-10407 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10406 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9225 RESERVED CVE-2015-9224 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9223 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9222 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9221 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9220 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9219 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9218 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9217 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9216 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9215 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9214 RESERVED CVE-2015-9213 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9212 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9211 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9210 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9209 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9208 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9207 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9206 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9205 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9204 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9203 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9202 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9201 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9200 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9199 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9198 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9197 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9196 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9195 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9194 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9193 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9192 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9191 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9190 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9189 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9188 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9187 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9186 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9185 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9184 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9183 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9182 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9181 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9180 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9179 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9178 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9177 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9176 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9175 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9174 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9173 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9172 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9171 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9170 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9169 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9168 RESERVED CVE-2015-9167 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9166 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9165 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9164 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9163 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9162 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9161 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9160 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9159 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9158 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9157 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9156 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9155 RESERVED CVE-2015-9154 RESERVED CVE-2015-9153 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9152 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9151 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9150 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9149 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9148 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9147 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9146 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9145 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9144 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9143 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9142 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9141 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9140 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9139 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9138 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9137 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9136 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9135 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9134 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9133 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9132 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9131 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9130 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9129 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9128 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9127 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9126 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9125 RESERVED CVE-2015-9124 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9123 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9122 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9121 RESERVED CVE-2015-9120 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9119 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9118 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9117 RESERVED CVE-2015-9116 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9115 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9114 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9113 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9112 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9111 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9110 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9109 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9108 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9998 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9997 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9996 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9995 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9994 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9993 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9992 REJECTED CVE-2014-9991 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9990 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9989 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9988 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9987 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9986 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9985 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-10063 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-10062 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-10061 REJECTED CVE-2014-10060 REJECTED CVE-2014-10059 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-10058 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-10057 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-10056 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-10055 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-10054 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-10053 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-10052 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-10051 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-10050 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-10049 REJECTED CVE-2014-10048 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-10047 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-10046 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-10045 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-10044 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-10043 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-10039 (In Android before 2018-04-05 or earlier security patch level on Qualco ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-12877 (Use-after-free vulnerability in the DestroyImage function in image.c i ...) {DSA-4074-1 DSA-4040-1 DLA-1081-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #872373) NOTE: https://github.com/ImageMagick/ImageMagick/issues/662 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/98dda239ec398dd56453460849b4c9057fc424e5 NOTE: ImageMagick-7: https://github.com/ImageMagick/ImageMagick/commit/04178de2247e353fc095846784b9a10fefdbf890 NOTE: This doesn't affect the base releases, but got introduced via security fixes, which got backported to older suites CVE-2017-12876 (Heap-based buffer overflow in enhance.c in ImageMagick before 7.0.6-6 ...) - imagemagick (Specific to Imagemagick 7, 6.x uses fixed pixel cache morphology) NOTE: https://github.com/ImageMagick/ImageMagick/issues/663 NOTE: https://github.com/ImageMagick/ImageMagick/commit/1cc6f0ccc92c20c7cab6c4a7335daf29c91f0d8e CVE-2017-12875 (The WritePixelCachePixels function in ImageMagick 7.0.6-6 allows remot ...) {DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #873871) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/659 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/6f95e543c80319721e22d623bb23712cd29afa9e NOTE: https://github.com/ImageMagick/ImageMagick/commit/d96b55ea41e71de43663818ccd17c6af3fa6c4fd CVE-2017-12866 RESERVED CVE-2017-12865 (Stack-based buffer overflow in "dnsproxy.c" in connman 1.34 and earlie ...) {DSA-3956-1 DLA-1078-1} - connman 1.35-1 (bug #872844) NOTE: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=5c281d182ecdd0a424b64f7698f32467f8f67b71 (1.35) CVE-2017-12864 (In opencv/modules/imgcodecs/src/grfmt_pxm.cpp, function ReadNumber did ...) {DLA-1438-1 DLA-1117-1} [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #875345) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9372 CVE-2017-12863 (In opencv/modules/imgcodecs/src/grfmt_pxm.cpp, function PxMDecoder::re ...) {DLA-1438-1 DLA-1117-1} [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #875344) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9371 CVE-2017-12862 (In modules/imgcodecs/src/grfmt_pxm.cpp, the length of buffer AutoBuffe ...) {DLA-1438-1 DLA-1117-1} [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #875342) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9370 CVE-2017-12861 (The Epson "EasyMP" software is designed to remotely stream a users com ...) NOT-FOR-US: Epson "EasyMP" CVE-2017-12860 (The Epson "EasyMP" software is designed to remotely stream a users com ...) NOT-FOR-US: Epson "EasyMP" CVE-2017-12859 (NetApp Data ONTAP before 8.2.5, when operating in 7-Mode in NFS enviro ...) NOT-FOR-US: NetApp CVE-2017-12858 (Double free vulnerability in the _zip_dirent_read function in zip_dire ...) - libzip (Vulnerable code introduced later) NOTE: Introduced after: https://github.com/nih-at/libzip/commit/796c5968ad679220db3fb65ec6f48c66e554e5d5 (rel-1-2-0) NOTE: Fixed by: https://github.com/nih-at/libzip/commit/2217022b7d1142738656d891e00b3d2d9179b796 CVE-2017-12857 (Polycom SoundStation IP, VVX, and RealPresence Trio that are running s ...) NOT-FOR-US: Polycom CVE-2017-12856 (Cross-site scripting (XSS) vulnerability in C.P.Sub 5.2 allows remote ...) NOT-FOR-US: C.P.Sub CVE-2017-12854 RESERVED CVE-2017-12874 (The InfoCard module 1.0 for SimpleSAMLphp allows attackers to spoof XM ...) {DSA-4127-1 DLA-1205-1} - simplesamlphp 1.14.11-1 NOTE: Issue lies in simplesamlphp/simplesamlphp-module-infocard and fixed NOTE: in 1.0.1. The module is embedded in src:simplesamlphp NOTE: https://simplesamlphp.org/security/201612-03 NOTE: Patch: https://github.com/simplesamlphp/simplesamlphp-module-infocard/commit/7353762acacd827a61378629f87de991451089da CVE-2017-12873 (SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain se ...) {DSA-4127-1 DLA-1205-1} - simplesamlphp 1.14.11-1 NOTE: https://simplesamlphp.org/security/201612-04 NOTE: Patches: https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953aa NOTE: https://github.com/simplesamlphp/simplesamlphp/commit/e2daf4ceb6e580815c3741384b3a09b85a5fc231 NOTE: https://github.com/simplesamlphp/simplesamlphp/commit/300d8aa48fe93706ade95be481c68e9cf2f32d1f CVE-2017-12872 (The (1) Htpasswd authentication source in the authcrypt module and (2) ...) {DLA-1408-1 DLA-1205-1} - simplesamlphp 1.14.15-1 [stretch] - simplesamlphp (Minor issue) NOTE: https://simplesamlphp.org/security/201703-01 NOTE: Patches: https://github.com/simplesamlphp/simplesamlphp/commit/ab7761d4a523a4ed00479fb1ddba688e7ca72439 NOTE: https://github.com/simplesamlphp/simplesamlphp/commit/caf764cc2c9b68ac29741070ebdf133a595443f1 CVE-2017-12871 (The aesEncrypt method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAML ...) - simplesamlphp 1.14.15-1 [stretch] - simplesamlphp (Minor issue mitigated by HTTPS usage, hard to backport) [jessie] - simplesamlphp (Vulnerable code not present) [wheezy] - simplesamlphp (Vulnerable code not present) NOTE: https://simplesamlphp.org/security/201703-02 CVE-2017-12870 (SimpleSAMLphp 1.14.12 and earlier make it easier for man-in-the-middle ...) - simplesamlphp 1.14.15-1 [stretch] - simplesamlphp (Minor issue mitigated by HTTPS usage, hard to backport) [jessie] - simplesamlphp (Minor issue mitigated by HTTPS usage, hard to backport) [wheezy] - simplesamlphp (Minor issue mitigated by HTTPS usage, hard to backport) NOTE: https://simplesamlphp.org/security/201704-01 CVE-2017-12869 (The multiauth module in SimpleSAMLphp 1.14.13 and earlier allows remot ...) {DSA-4127-1 DLA-1205-1} - simplesamlphp 1.14.15-1 NOTE: https://simplesamlphp.org/security/201704-02 NOTE: Patch: https://github.com/simplesamlphp/simplesamlphp/commit/f1e485284dd428ab3cd9500c62e19c7c7234be9a CVE-2017-12868 (The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleS ...) {DLA-1408-1 DLA-1205-1} - simplesamlphp 1.14.15-1 [stretch] - simplesamlphp (Only affects setups with old PHP versions not found in stable) NOTE: https://simplesamlphp.org/security/201705-01 NOTE: Patch: https://github.com/simplesamlphp/simplesamlphp/commit/caf764cc2c9b68ac29741070ebdf133a595443f1 CVE-2017-12867 (The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 1.14.14 an ...) {DSA-4127-1 DLA-1205-1} - simplesamlphp 1.14.15-1 NOTE: https://simplesamlphp.org/security/201708-01 NOTE: Patch: https://github.com/simplesamlphp/simplesamlphp/commit/608f24c2d5afd70c2af050785d2b12f878b33c68 CVE-2017-12855 (Xen maintains the _GTF_{read,writ}ing bits as appropriate, to inform t ...) {DSA-3969-1 DLA-1132-1} - xen 4.8.1-1+deb9u3 NOTE: https://xenbits.xen.org/xsa/advisory-230.html CVE-2017-12853 (The RealTime RWR-3G-100 Router Firmware Version : Ver1.0.56 is affecte ...) NOT-FOR-US: RealTime RWR-3G-100 Router Firmware CVE-2017-12852 (The numpy.pad function in Numpy 1.13.1 and older versions is missing i ...) - python-numpy 1:1.14.3-1 (unimportant; bug #872407) NOTE: https://github.com/numpy/numpy/issues/9560#issuecomment-322395292 NOTE: Negligible security impact CVE-2017-12851 (An authenticated standard user could reset the password of the admin b ...) - kanboard (bug #790814) CVE-2017-12850 (An authenticated standard user could reset the password of other users ...) - kanboard (bug #790814) NOTE: https://github.com/kanboard/kanboard/commit/88dd6abbf3f519897f2f6280e95c9eec9123a4ae CVE-2017-12849 (Response discrepancy in the login and password reset forms in SilverSt ...) NOT-FOR-US: SilverStripe CMS CVE-2017-12848 RESERVED CVE-2017-12847 (Nagios Core before 4.3.3 creates a nagios.lock PID file after dropping ...) - nagios3 [jessie] - nagios3 (Minor issue) [wheezy] - nagios3 (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/08/16/7 NOTE: https://github.com/NagiosEnterprises/nagioscore/issues/404 NOTE: https://github.com/NagiosEnterprises/nagioscore/commit/1b197346d490df2e2d3b1dcce5ac6134ad0c8752 NOTE: https://github.com/orlitzky/nagioscore/commit/3baffa78bafebbbdf9f448890ba5a952ea2d73cb CVE-2017-12846 RESERVED CVE-2017-12845 RESERVED CVE-2017-12844 (Cross-site scripting (XSS) vulnerability in the admin panel in IceWarp ...) NOT-FOR-US: IceWarp CVE-2017-12843 (Cyrus IMAP before 3.0.3 allows remote authenticated users to write to ...) - cyrus-imapd (Vulnerable code introduced later) - cyrus-imapd-2.4 (Vulnerable code introduced later) NOTE: https://github.com/cyrusimap/cyrus-imapd/commit/d734a23122155f3522a8cb6aef118223aa73cde0 CVE-2017-12842 (Bitcoin Core before 0.14 allows an attacker to create an ostensibly va ...) - bitcoin 0.14.2~dfsg-1~exp2 CVE-2017-12841 RESERVED CVE-2017-12840 (A kernel driver, namely DLMFENC.sys, bundled with the DESLock+ client ...) NOTE: DESLock+ CVE-2017-12839 (A heap-based buffer over-read in the getbits function in src/libmpg123 ...) - mpg123 1.25.6-1 [stretch] - mpg123 (Minor issue) [jessie] - mpg123 (Minor issue) NOTE: https://sourceforge.net/p/mpg123/bugs/255/ NOTE: https://www.mpg123.de/cgi-bin/scm/mpg123/trunk/src/libmpg123/getbits.h?r1=2024&r2=4323&sortby=date CVE-2017-12838 (Cross-site request forgery (CSRF) vulnerability in NexusPHP 1.5 allows ...) NOT-FOR-US: NexusPHP CVE-2017-12837 (Heap-based buffer overflow in the S_regatom function in regcomp.c in P ...) {DSA-3982-1} - perl 5.26.0-8 (bug #875596) [wheezy] - perl (Vulnerable code introduced after 5.14.4) NOTE: https://rt.perl.org/Public/Bug/Display.html?id=131582 (not yet public) NOTE: https://perl5.git.perl.org/perl.git/commitdiff/96c83ed78aeea1a0496dd2b2d935869a822dc8a5 NOTE: maint-5.26: https://perl5.git.perl.org/perl.git/commitdiff/66288bb3f44c8aa5122e5f40d8cfc0eada8b1695 NOTE: maint-5.24: https://perl5.git.perl.org/perl.git/commitdiff/f7e5417e7bffba03947b66e4d8622d7c220f2876 CVE-2017-12835 REJECTED CVE-2017-12834 REJECTED CVE-2017-12833 REJECTED CVE-2017-12832 REJECTED CVE-2017-12831 REJECTED CVE-2017-12830 REJECTED CVE-2017-12829 REJECTED CVE-2017-12828 REJECTED CVE-2017-12827 REJECTED CVE-2017-12826 REJECTED CVE-2017-12825 RESERVED CVE-2017-12824 (Special crafted InPage document leads to arbitrary code execution in I ...) NOT-FOR-US: InPage CVE-2017-12823 (Kernel pool memory corruption in one of drivers in Kaspersky Embedded ...) NOT-FOR-US: Kaspersky CVE-2017-12822 (Remote enabling and disabling admin interface in Gemalto's HASP SRM, S ...) NOT-FOR-US: Gemalto CVE-2017-12821 (Memory corruption in Gemalto's HASP SRM, Sentinel HASP and Sentinel LD ...) NOT-FOR-US: Gemalto CVE-2017-12820 (Arbitrary memory read from controlled memory pointer in Gemalto's HASP ...) NOT-FOR-US: Gemalto CVE-2017-12819 (Remote manipulations with language pack updater lead to NTLM-relay att ...) NOT-FOR-US: Gemalto CVE-2017-12818 (Stack overflow in custom XML-parser in Gemalto's HASP SRM, Sentinel HA ...) NOT-FOR-US: Gemalto CVE-2017-12817 (In Kaspersky Internet Security for Android 11.12.4.1622, some of the a ...) NOT-FOR-US: Kaspersky Internet Security for Android CVE-2017-12816 (In Kaspersky Internet Security for Android 11.12.4.1622, some of appli ...) NOT-FOR-US: Kaspersky Internet Security for Android CVE-2017-12815 (Analysis of the Bomgar Remote Support Portal JavaStart.jar Applet 5279 ...) NOT-FOR-US: Bomgar Remote Support Portal JavaStart Applet CVE-2017-12814 (Stack-based buffer overflow in the CPerlHost::Add method in win32/perl ...) - perl (Windows specific issue) NOTE: https://rt.perl.org/Public/Bug/Display.html?id=131665 (not yet public) CVE-2017-12813 (PHPJabbers File Sharing Script 1.0 has stored XSS in the comments sect ...) NOT-FOR-US: PHPJabbers File Sharing Script CVE-2017-12812 (PHPJabbers Night Club Booking Software has stored XSS in the name para ...) NOT-FOR-US: PHPJabbers Night Club Booking Software CVE-2017-12811 (PHPJabbers Star Rating Script 4.0 has stored XSS via a rating item. ...) NOT-FOR-US: PHPJabbers Star Rating Script CVE-2017-12810 (PHPJabbers PHP Newsletter Script 4.2 has stored XSS in lists in the ad ...) NOT-FOR-US: PHPJabbers PHP Newsletter Script CVE-2017-12809 (QEMU (aka Quick Emulator), when built with the IDE disk and CD/DVD-ROM ...) {DSA-3991-1} - qemu 1:2.10.0-1 (bug #873849) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Minor issue) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg01850.html CVE-2017-12808 RESERVED CVE-2017-12807 REJECTED CVE-2017-12806 (In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in ...) - imagemagick 8:6.9.9.34+dfsg-3 [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/660 CVE-2017-12805 (In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in ...) - imagemagick 8:6.9.9.34+dfsg-3 [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/664 CVE-2017-12804 (The iwgif_init_screen function in imagew-gif.c:510 in ImageWorsener 1. ...) NOT-FOR-US: ImageWorsener CVE-2017-12803 (The Node_ValidatePtr function in corec/corec/node/node.c in mkclean 0. ...) NOT-FOR-US: mkclean CVE-2017-12802 (The EBML_IntegerValue function in ebmlnumber.c in libebml2 through 201 ...) NOT-FOR-US: libembl2 (different codebase than src:libebml) CVE-2017-12801 (The UpdateDataSize function in ebmlmaster.c in libebml2 through 2012-0 ...) NOT-FOR-US: libembl2 (different codebase than src:libebml) CVE-2017-12800 (The EBML_FindNextElement function in ebmlmain.c in libebml2 through 20 ...) NOT-FOR-US: libembl2 (different codebase than src:libebml) CVE-2016-10405 (Session fixation vulnerability in D-Link DIR-600L routers (rev. Ax) wi ...) NOT-FOR-US: D-Link CVE-2017-12836 (CVS 1.12.x, when configured to use SSH for remote repositories, might ...) {DSA-3940-1 DLA-1056-1} - cvs 2:1.12.13+real-24 (bug #871810) NOTE: http://www.openwall.com/lists/oss-security/2017/08/11/1 CVE-2017-12799 (The elf_read_notesfunction in bfd/elf.c in GNU Binutils 2.29 allows re ...) - binutils 2.29-9 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21933 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=957e1fc1c5d0262e4b2f764cf031ad1458446498 CVE-2017-12798 (Cross-Site Scripting (XSS) exists in NexusPHP version v1.5 via the q p ...) NOT-FOR-US: NexusPHP CVE-2017-12797 (Integer overflow in the INT123_parse_new_id3 function in the ID3 parse ...) - mpg123 1.25.6-1 [stretch] - mpg123 (Minor issue) [jessie] - mpg123 (Minor issue) [wheezy] - mpg123 (Minor issue) NOTE: https://sourceforge.net/p/mpg123/bugs/254/ NOTE: https://sourceforge.net/p/mpg123/mailman/message/35987663/ CVE-2017-12796 (The Reporting Compatibility Add On before 2.0.4 for OpenMRS, as distri ...) NOT-FOR-US: OpenMRS addon CVE-2017-12795 (OpenMRS openmrs-module-htmlformentry 3.3.2 is affected by: (Improper I ...) NOT-FOR-US: OpenMRS CVE-2017-12794 (In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoesca ...) - python-django 1:1.11.5-1 (low; bug #874415) [stretch] - python-django 1:1.10.7-2+deb9u2 [jessie] - python-django (Vulnerable code do not exist) [wheezy] - python-django (Vulnerable code do not exist) NOTE: https://www.djangoproject.com/weblog/2017/sep/05/security-releases/ CVE-2017-12793 RESERVED CVE-2017-12792 (Multiple cross-site request forgery (CSRF) vulnerabilities in NexusPHP ...) NOT-FOR-US: NexusPHP CVE-2017-12791 (Directory traversal vulnerability in minion id validation in SaltStack ...) - salt 2016.11.8+dfsg1-1 (bug #872399) [stretch] - salt 2016.11.2+ds-1+deb9u1 [jessie] - salt (Minor issue) NOTE: https://github.com/saltstack/salt/pull/42944 NOTE: https://github.com/saltstack/salt/commit/6366e05d0d70bd709cc4233c3faf32a759d0173a NOTE: https://docs.saltstack.com/en/2016.11/topics/releases/2016.11.7.html CVE-2017-12790 (Metinfo 5.3.18 is affected by: Cross Site Request Forgery (CSRF). The ...) NOT-FOR-US: Metinfo CVE-2017-12789 (Metinfo 5.3.18 is affected by: Cross Site Request Forgery (CSRF). The ...) NOT-FOR-US: Metinfo CVE-2017-12788 (Multiple cross-site scripting (XSS) vulnerabilities in admin/index.php ...) NOT-FOR-US: Metinfo CVE-2017-12787 (A network interface of the novi_process_manager_daemon service, includ ...) NOT-FOR-US: NoviWare CVE-2017-12786 (Network interfaces of the cliengine and noviengine services, included ...) NOT-FOR-US: NoviWare CVE-2017-12785 (The novish command-line interface, included in the NoviWare software d ...) NOT-FOR-US: NoviWare CVE-2017-12784 (In Youngzsoft CCFile (aka CC File Transfer) 3.6, by sending a crafted ...) NOT-FOR-US: Youngzsoft CCFile CVE-2017-12783 (The ReadDataFloat function in ebmlnumber.c in libebml2 through 2012-08 ...) NOT-FOR-US: libembl2 (different codebase than src:libebml) CVE-2017-12782 (The ReadData function in ebmlmaster.c in libebml2 through 2012-08-26 a ...) NOT-FOR-US: libembl2 (different codebase than src:libebml) CVE-2017-12781 (The EBML_BufferToID function in ebmlelement.c in libebml2 through 2012 ...) NOT-FOR-US: libembl2 (different codebase than src:libebml) CVE-2017-12780 (The ReadData function in ebmlstring.c in libebml2 through 2012-08-26 a ...) NOT-FOR-US: libembl2 (different codebase than src:libebml) CVE-2017-12779 (The Node_GetData function in corec/corec/node/node.c in mkvalidator 0. ...) NOT-FOR-US: libembl2 (different codebase than src:libebml) CVE-2017-12778 (** DISPUTED ** The UI Lock feature in qBittorrent version 3.3.15 is vu ...) NOT-FOR-US: qBittorrent non issue CVE-2017-1000112 (Linux kernel: Exploitable memory corruption due to UFO to non-UFO path ...) {DSA-3981-1} - linux 4.12.6-1 (low) [wheezy] - linux (Low severity and difficult to backport) NOTE: Introduced by: https://git.kernel.org/linus/e89e9cf539a28df7d0eb1d0a545368e9920b34ac (2.6.15-rc1) NOTE: Fixed by: https://git.kernel.org/linus/85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa CVE-2017-1000111 (Linux kernel: heap out-of-bounds in AF_PACKET sockets. This new issue ...) {DSA-3981-1 DLA-1099-1} - linux 4.12.6-1 NOTE: Introduced by: https://git.kernel.org/linus/8913336a7e8d56e984109a3137d6c0e3362596a4 (2.6.27-rc1) NOTE: Fixed by: https://git.kernel.org/linus/c27927e372f0785f3303e8fad94b85945e2c97b7 NOTE: Non-privileged user namespaces disabled by default, only exploitable by arbitrary user if sysctl kernel.unprivileged_userns_clone=1 CVE-2017-1000117 (A malicious third-party can give a crafted "ssh://..." URL to an unsus ...) {DSA-3934-1 DLA-1068-1} - git 1:2.14.1-1 NOTE: https://public-inbox.org/git/xmqqh8xf482j.fsf@gitster.mtv.corp.google.com/T/#u CVE-2017-1000116 (Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ...) {DSA-3963-1 DLA-1072-1} - mercurial 4.3.1-1 (bug #871710) NOTE: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.282017-08-10.29 NOTE: 11 patches need to be applied, the following are for 4.2: NOTE: https://www.mercurial-scm.org/repo/hg/rev/53224b1ffbc2 NOTE: https://www.mercurial-scm.org/repo/hg/rev/e10745311406 NOTE: https://www.mercurial-scm.org/repo/hg/rev/f93975a5ebe8 NOTE: https://www.mercurial-scm.org/repo/hg/rev/f9134e96ed0f NOTE: https://www.mercurial-scm.org/repo/hg/rev/92b583e3e522 NOTE: https://www.mercurial-scm.org/repo/hg/rev/08cfc4baf3ba NOTE: https://www.mercurial-scm.org/repo/hg/rev/55681baf4cf9 NOTE: https://www.mercurial-scm.org/repo/hg/rev/173ecccb9ee7 NOTE: https://www.mercurial-scm.org/repo/hg/rev/ca398a50ca00 NOTE: https://www.mercurial-scm.org/repo/hg/rev/00a75672a9cb NOTE: https://www.mercurial-scm.org/repo/hg/rev/943c91326b23 NOTE: 3.7 and 4.1 backports also available at https://bitbucket.org/atlassian/mercurial/commits/branch/sec-3.7 NOTE: and https://bitbucket.org/octobus/mercurial-backport/branch/backport-4.1 CVE-2017-1000115 (Mercurial prior to version 4.3 is vulnerable to a missing symlink chec ...) {DSA-3963-1 DLA-1072-1} - mercurial 4.3.1-1 (bug #871709) NOTE: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.282017-08-10.29 NOTE: https://www.mercurial-scm.org/repo/hg/rev/47ea28293d30 (test) NOTE: https://www.mercurial-scm.org/repo/hg/rev/377e8ddaebef (fix) NOTE: 3.7 and 4.1 backports available at https://bitbucket.org/atlassian/mercurial/commits/branch/sec-3.7 NOTE: and https://bitbucket.org/octobus/mercurial-backport/branch/backport-4.1CVE-2017-12777 CVE-2017-12777 (Cross-Site Scripting (XSS) exists in NexusPHP version v1.5 via some pa ...) NOT-FOR-US: NexusPHP CVE-2017-12776 (SQL injection vulnerability in reports.php in NexusPHP 1.5 allows remo ...) NOT-FOR-US: NexusPHP CVE-2017-12775 (qa-include/qa-install.php in Question2Answer before 1.7.5 allows remot ...) NOT-FOR-US: question2answer CVE-2017-12774 (finecms in 1.9.5\controllers\member\ContentController.php allows remot ...) NOT-FOR-US: FineCMS CVE-2017-12773 RESERVED CVE-2017-12772 RESERVED CVE-2017-12771 RESERVED CVE-2017-12770 RESERVED CVE-2017-12769 RESERVED CVE-2017-12768 RESERVED CVE-2017-12767 RESERVED CVE-2017-12766 RESERVED CVE-2017-12765 RESERVED CVE-2017-12764 RESERVED CVE-2017-12763 (An unspecified server utility in NoMachine before 5.3.10 on Mac OS X a ...) NOT-FOR-US: NoMachine CVE-2017-12762 (In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is copied in ...) - linux 4.13.4-1 (unimportant) NOTE: Fixed by: https://git.kernel.org/linus/9f5af546e6acc30f075828cb58c7f09665033967 (v4.13-rc4) NOTE: Driver is disabled since squeeze and unmaintained for a long time CVE-2017-12761 (http://codecanyon.net/user/Endober WebFile Explorer 1.0 is affected by ...) NOT-FOR-US: Endober WebFile Explorer CVE-2017-12760 (Ynet Interactive - http://demo.ynetinteractive.com/mobiketa/ Mobiketa ...) NOT-FOR-US: Ynet Interactive CVE-2017-12759 (Ynet Interactive - http://demo.ynetinteractive.com/soa/ SOA School Man ...) NOT-FOR-US: Ynet Interactive CVE-2017-12758 (https://www.joomlaextensions.co.in/ Joomla! Component Appointment 1.1 ...) NOT-FOR-US: Joomla! Component Appointment CVE-2017-12757 (Certain Ambit Technologies Pvt. Ltd products are affected by: SQL Inje ...) NOT-FOR-US: Ambit CVE-2017-12756 (Command inject in transfer from another server in extplorer 2.1.9 and ...) {DLA-1063-1} - extplorer NOTE: http://extplorer.net/news/21 CVE-2017-12755 RESERVED CVE-2017-12754 (Stack buffer overflow in httpd in Asuswrt-Merlin firmware 380.67_0RT-A ...) NOT-FOR-US: Asuswrt-Merlin firmware CVE-2017-12753 RESERVED CVE-2017-12752 RESERVED CVE-2017-12751 RESERVED CVE-2017-12750 RESERVED CVE-2017-12749 RESERVED CVE-2017-12748 RESERVED CVE-2017-12747 RESERVED CVE-2017-12746 RESERVED CVE-2017-12745 RESERVED CVE-2017-12744 RESERVED CVE-2017-12743 RESERVED CVE-2017-12742 RESERVED CVE-2017-12741 (A vulnerability has been identified in SIMATIC S7-200 Smart (All versi ...) NOT-FOR-US: Siemens CVE-2017-12740 (Siemens LOGO! Soft Comfort (All versions before V8.2) lacks integrity ...) NOT-FOR-US: Siemens CVE-2017-12739 (An issue was discovered on Siemens SICAM RTUs SM-2556 COM Modules with ...) NOT-FOR-US: Siemens CVE-2017-12738 (An issue was discovered on Siemens SICAM RTUs SM-2556 COM Modules with ...) NOT-FOR-US: Siemens CVE-2017-12737 (An issue was discovered on Siemens SICAM RTUs SM-2556 COM Modules with ...) NOT-FOR-US: Siemens CVE-2017-12736 (A vulnerability has been identified in RUGGEDCOM ROS for RSL910 device ...) NOT-FOR-US: Siemens CVE-2017-12735 (A vulnerability has been identified in Siemens LOGO! devices. An attac ...) NOT-FOR-US: Siemens CVE-2017-12734 (A vulnerability has been identified in Siemens LOGO! devices before V1 ...) NOT-FOR-US: Siemens CVE-2017-12733 (A Missing Authentication for Critical Function issue was discovered in ...) NOT-FOR-US: SiteSentinel CVE-2017-12732 (A Stack-based Buffer Overflow issue was discovered in GE CIMPLICITY Ve ...) NOT-FOR-US: GE CIMPLICITY CVE-2017-12731 (A SQL Injection issue was discovered in OPW Fuel Management Systems Si ...) NOT-FOR-US: SiteSentinel CVE-2017-12730 (An Unquoted Search Path issue was discovered in mySCADA myPRO Versions ...) NOT-FOR-US: mySCADA myPRO CVE-2017-12729 (A SQL Injection issue was discovered in Moxa SoftCMS Live Viewer throu ...) NOT-FOR-US: Moxa SoftCMS Live Viewer CVE-2017-12728 (An Improper Privilege Management issue was discovered in SpiderControl ...) NOT-FOR-US: SpiderControl SCADA Web Server CVE-2017-12727 RESERVED CVE-2017-12726 (A Use of Hard-coded Password issue was discovered in Smiths Medical Me ...) NOT-FOR-US: Smiths Medical Medfusion CVE-2017-12725 (A Use of Hard-coded Credentials issue was discovered in Smiths Medical ...) NOT-FOR-US: Smiths Medical Medfusion CVE-2017-12724 (A Use of Hard-coded Credentials issue was discovered in Smiths Medical ...) NOT-FOR-US: Smiths Medical Medfusion CVE-2017-12723 (A Password in Configuration File issue was discovered in Smiths Medica ...) NOT-FOR-US: Smiths Medical Medfusion CVE-2017-12722 (An Out-of-bounds Read issue was discovered in Smiths Medical Medfusion ...) NOT-FOR-US: Smiths Medical Medfusion CVE-2017-12721 (An Improper Certificate Validation issue was discovered in Smiths Medi ...) NOT-FOR-US: Smiths Medical Medfusion CVE-2017-12720 (An Improper Access Control issue was discovered in Smiths Medical Medf ...) NOT-FOR-US: Smiths Medical Medfusion CVE-2017-12719 (An Untrusted Pointer Dereference issue was discovered in Advantech Web ...) NOT-FOR-US: Advantech CVE-2017-12718 (A Classic Buffer Overflow issue was discovered in Smiths Medical Medfu ...) NOT-FOR-US: Smiths Medical Medfusion CVE-2017-12717 (An Uncontrolled Search Path Element issue was discovered in Advantech ...) NOT-FOR-US: Advantech WebAccess CVE-2017-12716 (Abbott Laboratories Accent and Anthem pacemakers manufactured prior to ...) NOT-FOR-US: Abbott Laboratories Accent and Anthem pacemakers CVE-2017-12715 RESERVED CVE-2017-12714 (Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017 do n ...) NOT-FOR-US: Abbott Laboratories pacemakers CVE-2017-12713 (An Incorrect Permission Assignment for Critical Resource issue was dis ...) NOT-FOR-US: Advantech WebAccess CVE-2017-12712 (The authentication algorithm in Abbott Laboratories pacemakers manufac ...) NOT-FOR-US: Abbott Laboratories pacemakers CVE-2017-12711 (An Incorrect Privilege Assignment issue was discovered in Advantech We ...) NOT-FOR-US: Advantech WebAccess CVE-2017-12710 (A SQL Injection issue was discovered in Advantech WebAccess versions p ...) NOT-FOR-US: Advantech WebAccess CVE-2017-12709 (A Use of Hard-Coded Credentials issue was discovered in MRD-305-DIN ve ...) NOT-FOR-US: Westermo devices CVE-2017-12708 (An Improper Restriction Of Operations Within The Bounds Of A Memory Bu ...) NOT-FOR-US: Advantech WebAccess CVE-2017-12707 (A Stack-based Buffer Overflow issue was discovered in SpiderControl SC ...) NOT-FOR-US: SpiderControl SCADA MicroBrowser CVE-2017-12706 (A stack-based buffer overflow issue was discovered in Advantech WebAcc ...) NOT-FOR-US: Advantech WebAccess CVE-2017-12705 (A Heap-Based Buffer Overflow issue was discovered in Advantech WebOP. ...) NOT-FOR-US: Advantech CVE-2017-12704 (A heap-based buffer overflow issue was discovered in Advantech WebAcce ...) NOT-FOR-US: Advantech WebAccess CVE-2017-12703 (A Cross-Site Request Forgery (CSRF) issue was discovered in Westermo M ...) NOT-FOR-US: Westermo CVE-2017-12702 (An Externally Controlled Format String issue was discovered in Advante ...) NOT-FOR-US: Advantech WebAccess CVE-2017-12701 (BMC Medical Luna CPAP Machines released prior to July 1, 2017, contain ...) NOT-FOR-US: BMC Medical Luna CPAP Machines CVE-2017-12700 RESERVED CVE-2017-12699 (An Incorrect Default Permissions issue was discovered in AzeoTech DAQF ...) NOT-FOR-US: AzeoTech DAQFactory CVE-2017-12698 (An Improper Authentication issue was discovered in Advantech WebAccess ...) NOT-FOR-US: Advantech WebAccess CVE-2017-12697 (A Man-in-the-Middle issue was discovered in General Motors (GM) and Sh ...) NOT-FOR-US: General Motors (GM) and Shanghai OnStar (SOS) SOS iOS Client CVE-2017-12696 RESERVED CVE-2017-12695 (An Improper Authentication issue was discovered in General Motors (GM) ...) NOT-FOR-US: General Motors (GM) and Shanghai OnStar (SOS) SOS iOS Client CVE-2017-12694 (A Directory Traversal issue was discovered in SpiderControl SCADA Web ...) NOT-FOR-US: SpiderControl SCADA Web Server CVE-2017-1000101 (curl supports "globbing" of URLs, in which a user can pass a numerical ...) {DSA-3992-1} - curl 7.55.0-1 (bug #871554) [wheezy] - curl (Vulnerable code not present, introduced later in 7.34.0) NOTE: https://curl.haxx.se/docs/adv_20170809A.html NOTE: https://curl.haxx.se/CVE-2017-1000101.patch CVE-2017-1000100 (When doing a TFTP transfer and curl/libcurl is given a URL that contai ...) {DSA-3992-1 DLA-1062-1} - curl 7.55.0-1 (bug #871555) NOTE: https://curl.haxx.se/docs/adv_20170809B.html NOTE: https://curl.haxx.se/CVE-2017-1000100.patch CVE-2017-1000099 (When asking to get a file from a file:// URL, libcurl provides a featu ...) - curl (Only affects 7.54.1, no affected version ever in the archive) NOTE: https://curl.haxx.se/docs/adv_20170809C.html NOTE: https://curl.haxx.se/CVE-2017-1000099.patch NOTE: Introduced by: https://github.com/curl/curl/commit/7c312f84ea930d8 CVE-2017-12693 (The ReadBMPImage function in coders/bmp.c in ImageMagick 7.0.6-6 allow ...) {DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #875341) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/652 NOTE: https://github.com/ImageMagick/ImageMagick/commit/75fcbf5d649bba046c6a0db650a518f7bfc0fb3f NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/6709bd585b9609a9cf98a7042089f3e725886d5e CVE-2017-12692 (The ReadVIFFImage function in coders/viff.c in ImageMagick 7.0.6-6 all ...) {DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #875339) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/653 NOTE: https://github.com/ImageMagick/ImageMagick/commit/4a25fe5447bfb3a1918a2e9d595928e853b09d2e NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/5919dc606bc1d6022d3d2d205a91fdbe98de9e15 CVE-2017-12691 (The ReadOneLayer function in coders/xcf.c in ImageMagick 7.0.6-6 allow ...) {DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #875338) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/656 NOTE: https://github.com/ImageMagick/ImageMagick/commit/f1ea048a3a34df293764502401d966aeacf9179d NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/68bbe7b8b226ed79e339296793f68f1b2bebc519 CVE-2017-12690 RESERVED CVE-2017-12689 RESERVED CVE-2017-12688 RESERVED CVE-2017-12687 RESERVED CVE-2017-12686 RESERVED CVE-2017-12685 RESERVED CVE-2017-12684 RESERVED CVE-2017-12683 RESERVED CVE-2017-12682 RESERVED CVE-2017-12681 RESERVED CVE-2017-12680 (Cross-Site Scripting (XSS) exists in NexusPHP 1.5 via the type paramet ...) NOT-FOR-US: NexusPHP CVE-2017-12679 (SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the delcheater ...) NOT-FOR-US: NexusPHP CVE-2017-12678 (In TagLib 1.11.1, the rebuildAggregateFrames function in id3v2framefac ...) - taglib 1.11.1+dfsg.1-0.2 (bug #871511) [stretch] - taglib (Minor issue) [jessie] - taglib (Vulnerable code not present) [wheezy] - taglib (Vulnerable code not present) - silverjuke (Vulnerable code not present, based on older taglib version) NOTE: https://github.com/taglib/taglib/issues/829 NOTE: https://github.com/taglib/taglib/pull/831/commits/eb9ded1206f18f2c319157337edea2533a40bea6#diff-37f706c8696a7c1ca939b169c0a04d97 CVE-2017-12677 (IdentityServer3 2.4.x, 2.5.x, and 2.6.x before 2.6.1 has XSS in an Ang ...) NOT-FOR-US: IdentityServer CVE-2017-12676 (In ImageMagick 7.0.6-3, a memory leak vulnerability was found in the f ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-15 (unimportant; bug #870118) NOTE: https://github.com/ImageMagick/ImageMagick/issues/618 NOTE: https://github.com/ImageMagick/ImageMagick/commit/387adbe4b05a545b9f3972e862602480c850303c NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/7287f50888c26b133ee173816332fcaec4e8cb62 CVE-2017-12675 (In ImageMagick 7.0.6-3, a missing check for multidimensional data was ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-14 (unimportant; bug #870022) NOTE: https://github.com/ImageMagick/ImageMagick/issues/616 NOTE: https://github.com/ImageMagick/ImageMagick/commit/7a020acbcfea6e53eff6766c87ea175eac9dcd18 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/e33a39a6a168cdd800fd160e8f93f0059432bdf7 CVE-2017-12674 (In ImageMagick 7.0.6-2, a CPU exhaustion vulnerability was found in th ...) {DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #872609) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/604 NOTE: https://github.com/ImageMagick/ImageMagick/commit/91651bd482b6637cf650700ffd7b3b63de1cb049 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/5a91708c6b70bd4e3d2b931465307e0aeababb3c CVE-2017-12673 (In ImageMagick 7.0.6-3, a memory leak vulnerability was found in the f ...) - imagemagick 8:6.9.7.4+dfsg-15 (unimportant; bug #870117) NOTE: https://github.com/ImageMagick/ImageMagick/issues/619 CVE-2017-12672 (In ImageMagick 7.0.6-3, a memory leak vulnerability was found in the f ...) - imagemagick 8:6.9.7.4+dfsg-14 (unimportant; bug #870021) NOTE: https://github.com/ImageMagick/ImageMagick/issues/617 CVE-2017-12671 (In ImageMagick 7.0.6-3, a missing NULL assignment was found in coders/ ...) {DSA-4019-1} - imagemagick 8:6.9.7.4+dfsg-15 (unimportant; bug #870119) NOTE: https://github.com/ImageMagick/ImageMagick/issues/621 CVE-2017-12669 (ImageMagick 7.0.6-2 has a memory leak vulnerability in WriteCALSImage ...) - imagemagick 8:6.9.7.4+dfsg-16 (unimportant; bug #870475) NOTE: https://github.com/ImageMagick/ImageMagick/issues/571 CVE-2017-12668 (ImageMagick 7.0.6-2 has a memory leak vulnerability in WritePCXImage i ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-16 (unimportant; bug #870489) NOTE: https://github.com/ImageMagick/ImageMagick/issues/575 NOTE: https://github.com/ImageMagick/ImageMagick/commit/2ba8f335fa06daf1165e0878462686028e633a74 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/560e6e512961008938aa1d1b9aab06347b1c8f9b CVE-2017-12667 (ImageMagick 7.0.6-1 has a memory leak vulnerability in ReadMATImage in ...) - imagemagick 8:6.9.7.4+dfsg-14 (unimportant; bug #870015) NOTE: https://github.com/ImageMagick/ImageMagick/issues/553 CVE-2017-12666 (ImageMagick 7.0.6-2 has a memory leak vulnerability in WriteINLINEImag ...) - imagemagick 8:6.9.7.4+dfsg-16 (unimportant; bug #870482) [jessie] - imagemagick (Vulnerable code not present) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/572 NOTE: https://github.com/ImageMagick/ImageMagick/commit/d5559407ce29f4371e5df9c1cbde65455fe5854c NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/45aeda5da9eb328689afc221fa3b7dfa5cdea54d CVE-2017-12665 (ImageMagick 7.0.6-2 has a memory leak vulnerability in WritePICTImage ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-16 (unimportant; bug #870501) NOTE: https://github.com/ImageMagick/ImageMagick/issues/577 NOTE: https://github.com/ImageMagick/ImageMagick/commit/c1b09bbec148f6ae11d0b686fdb89ac6dc0ab14e NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/859084b4fd966ac007965c3d85caabccd8aee9b4 CVE-2017-12663 (ImageMagick 7.0.6-2 has a memory leak vulnerability in WriteMAPImage i ...) - imagemagick 8:6.9.7.4+dfsg-16 (unimportant; bug #870483) NOTE: https://github.com/ImageMagick/ImageMagick/issues/573 CVE-2017-12662 (ImageMagick 7.0.6-2 has a memory leak vulnerability in WritePDFImage i ...) - imagemagick 8:6.9.7.4+dfsg-16 (unimportant; bug #870492) NOTE: https://github.com/ImageMagick/ImageMagick/issues/576 CVE-2017-12661 RESERVED CVE-2017-12660 RESERVED CVE-2017-12659 RESERVED CVE-2017-12658 RESERVED CVE-2017-12657 RESERVED CVE-2017-12656 RESERVED CVE-2017-12655 (Cross-Site Scripting (XSS) exists in NexusPHP version v1.5 via the que ...) NOT-FOR-US: NexusPHP CVE-2017-12654 (The ReadPICTImage function in coders/pict.c in ImageMagick 7.0.6-3 all ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-16 (unimportant; bug #870502) NOTE: https://github.com/ImageMagick/ImageMagick/issues/620 NOTE: https://github.com/ImageMagick/ImageMagick/commit/ffcb8f8e2248fde38a2cb30aeb48403d2b3471cc NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/f2c26fa4db84e92d754c7f8b269db2883cf7f32c CVE-2017-12653 (360 Total Security 9.0.0.1202 before 2017-07-07 allows Privilege Escal ...) NOT-FOR-US: 360 Total Security CVE-2017-12652 (libpng before 1.6.32 does not properly check the length of chunks agai ...) - libpng1.6 1.6.32-1 [stretch] - libpng1.6 (Minor issue) NOTE: https://github.com/glennrp/libpng/commit/347538efbdc21b8df684ebd92d37400b3ce85d55 NOTE: https://github.com/glennrp/libpng/commit/a1fe2c98489519d415b72bc0026f0c86d82278b7 NOTE: https://github.com/glennrp/libpng/commit/095b4ce16bb46acb259ea1a4ca6562a623e58d93 NOTE: https://github.com/glennrp/libpng/commit/2dbef2f2a9e759a80d2decb6862518acf4919c59 NOTE: https://github.com/glennrp/libpng/commit/2dca15686fadb1b8951cb29b02bad4cae73448da NOTE: https://github.com/glennrp/libpng/commit/fcd1bb93124d76059abef98216d8390f520c577b NOTE: https://github.com/glennrp/libpng/commit/13bc0b6b1f8f2f2491fcc9f0c1c939ff06e13c15 CVE-2017-12651 (Cross Site Request Forgery (CSRF) exists in the Blacklist and Whitelis ...) NOT-FOR-US: Loginizer plugin for WordPress CVE-2017-12650 (SQL Injection exists in the Loginizer plugin before 1.3.6 for WordPres ...) NOT-FOR-US: Loginizer plugin for WordPress CVE-2017-12649 (XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted title or ...) NOT-FOR-US: Liferay Portal CVE-2017-12648 (XSS exists in Liferay Portal before 7.0 CE GA4 via a bookmark URL. ...) NOT-FOR-US: Liferay Portal CVE-2017-12647 (XSS exists in Liferay Portal before 7.0 CE GA4 via a Knowledge Base ar ...) NOT-FOR-US: Liferay Portal CVE-2017-12646 (XSS exists in Liferay Portal before 7.0 CE GA4 via a login name, passw ...) NOT-FOR-US: Liferay Portal CVE-2017-12645 (XSS exists in Liferay Portal before 7.0 CE GA4 via an invalid portletI ...) NOT-FOR-US: Liferay Portal CVE-2017-12644 (ImageMagick 7.0.6-1 has a memory leak vulnerability in ReadDCMImage in ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/551 NOTE: https://github.com/ImageMagick/ImageMagick/commit/a33f7498f9052b50e8fe8c8422a11ba84474cb42 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/9f375e7080a2c1044cd546854d0548b4bfb429d0 CVE-2017-12642 (ImageMagick 7.0.6-1 has a memory leak vulnerability in ReadMPCImage in ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-13 (unimportant; bug #869796) NOTE: https://github.com/ImageMagick/ImageMagick/issues/552 CVE-2017-12641 (ImageMagick 7.0.6-1 has a memory leak vulnerability in ReadOneJNGImage ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-15 (unimportant; bug #870108) NOTE: https://github.com/ImageMagick/ImageMagick/issues/550 NOTE: https://github.com/ImageMagick/ImageMagick/commit/3320955045e5a2a22c13a04fa9422bb809e75eda CVE-2017-12640 (ImageMagick 7.0.6-1 has an out-of-bounds read vulnerability in ReadOne ...) {DSA-4040-1 DSA-4019-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-15 (bug #870106) NOTE: https://github.com/ImageMagick/ImageMagick/issues/542 NOTE: https://github.com/ImageMagick/ImageMagick/commit/78d4c5db50fbab0b4beb69c46c6167f2c6513dec CVE-2017-12639 (Stack based buffer overflow in Ipswitch IMail server up to and includi ...) NOT-FOR-US: Ipswitch IMail CVE-2017-12638 (Stack based buffer overflow in Ipswitch IMail server up to and includi ...) NOT-FOR-US: Ipswitch IMail CVE-2017-12637 (Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/ ...) NOT-FOR-US: SAP CVE-2017-12636 (CouchDB administrative users can configure the database server via HTT ...) {DLA-1252-1} - couchdb NOTE: http://www.openwall.com/lists/oss-security/2017/11/14/6 NOTE: Likely patch for 1.2.x: https://github.com/apache/couchdb/commit/9a28df7e9703a1a3420e7616c4d33a523ee06354 NOTE: Possibly needs more updates: https://github.com/apache/couchdb/commit/bf6b6a1c84321baee2c4ad354059a45e0b8fdec7 CVE-2017-12635 (Due to differences in the Erlang-based JSON parser and JavaScript-base ...) {DLA-1252-1} - couchdb NOTE: http://www.openwall.com/lists/oss-security/2017/11/14/6 NOTE: Likely patch for 1.2.x: https://github.com/apache/couchdb/commit/3706a77c13a78672e5a3fbde06e7bffd3665f73b CVE-2017-12634 (The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20. ...) NOT-FOR-US: Apache Camel CVE-2017-12633 (The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20 ...) NOT-FOR-US: Apache Camel CVE-2017-12632 (A malicious host header in an incoming HTTP request could cause NiFi t ...) NOT-FOR-US: Apache NiFi CVE-2017-12631 (Apache CXF Fediz ships with a number of container-specific plugins to ...) NOT-FOR-US: Apache CXF CVE-2017-12630 (In Apache Drill 1.11.0 and earlier when submitting form from Query pag ...) NOT-FOR-US: Apache Drill CVE-2017-12629 (Remote code execution occurs in Apache Solr before 7.1 with Apache Luc ...) {DSA-4124-1 DLA-1254-1} - lucene-solr 3.6.2+dfsg-11 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1501529 NOTE: http://lucene.472066.n3.nabble.com/Re-Several-critical-vulnerabilities-discovered-in-Apache-Solr-XXE-amp-RCE-td4358308.html NOTE: http://lucene.472066.n3.nabble.com/Re-Several-critical-vulnerabilities-discovered-in-Apache-Solr-XXE-amp-RCE-tt4358355.html NOTE: Patch removing RunExecutableListener: https://github.com/apache/lucene-solr/commit/7b313bb597a6d1f78773dc9c00f484c078a46c25 NOTE: Patch disallowing XXE: https://github.com/apache/lucene-solr/commit/926cc4d65b6d2cc40ff07f76d50ddeda947e3cc4 CVE-2017-12628 (The JMX server embedded in Apache James, also used by the command line ...) NOT-FOR-US: Apache James CVE-2017-12627 (In Apache Xerces-C XML Parser library before 3.2.1, processing of exte ...) {DLA-1328-1} - xerces-c 3.2.1+debian-1 (bug #894050) [stretch] - xerces-c 3.1.4+debian-2+deb9u1 [jessie] - xerces-c 3.1.1-5.1+deb8u4 NOTE: https://svn.apache.org/r1819998 NOTE: https://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt CVE-2017-12626 (Apache POI in versions prior to release 3.17 are vulnerable to Denial ...) - libapache-poi-java 3.17-1 (bug #888651) [stretch] - libapache-poi-java (Minor issue) [jessie] - libapache-poi-java (Minor issue) [wheezy] - libapache-poi-java (Minor issue) NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=61338 NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=61294 NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=52372 NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=61295 CVE-2017-12625 (Apache Hive 2.1.x before 2.1.2, 2.2.x before 2.2.1, and 2.3.x before 2 ...) NOT-FOR-US: Apache Hive CVE-2017-12624 (Apache CXF supports sending and receiving attachments via either the J ...) NOT-FOR-US: Apache CXF CVE-2017-12623 (An authorized user could upload a template which contained malicious c ...) NOT-FOR-US: Apache NiFi CVE-2017-12622 (When an Apache Geode cluster before v1.3.0 is operating in secure mode ...) NOT-FOR-US: Apache Geode CVE-2017-12621 (During Jelly (xml) file parsing with Apache Xerces, if a custom doctyp ...) - jenkins-commons-jelly [jessie] - jenkins-commons-jelly (Minor issue, only used by Jenkins which got removed) [wheezy] - jenkins-commons-jelly (Minor issue, only used by Jenkins which got removed) NOTE: http://www.openwall.com/lists/oss-security/2017/09/27/6 CVE-2017-12620 (When loading models or dictionaries that contain XML it is possible to ...) NOT-FOR-US: Apache OpenNLP CVE-2017-12619 (Apache Zeppelin prior to 0.7.3 was vulnerable to session fixation whic ...) NOT-FOR-US: Apache Zeppelin CVE-2017-12618 (Apache Portable Runtime Utility (APR-util) 1.6.0 and prior fail to val ...) {DLA-1163-1} - apr-util 1.6.1-1 (low; bug #879996) [stretch] - apr-util (Minor issue) [jessie] - apr-util (Minor issue) NOTE: mail-archives.apache.org/mod_mbox/apr-dev/201710.mbox/%3CCACsi252POs4toeJJciwg09_eu2cO3XFg%3DUqsPjXsfjDoeC3-UQ%40mail.gmail.com%3E NOTE: https://github.com/apache/apr/commit/f672b565c825c34de9ee298b5bdc62c01cdd6147 CVE-2017-12617 (When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22 ...) {DLA-1166-1} - tomcat8 (Specific to running Tomcat on Windows) - tomcat8.0 (Specific to running Tomcat on Windows) - tomcat7 (Specific to running Tomcat on Windows) NOTE: https://svn.apache.org/r1809673 (8.5.x) NOTE: https://svn.apache.org/r1809675 (8.5.x) NOTE: https://svn.apache.org/r1809896 (8.5.x) NOTE: https://svn.apache.org/r1809921 (8.0.x) NOTE: https://svn.apache.org/r1809978 (7.0.x) NOTE: https://svn.apache.org/r1809992 (7.0.x) NOTE: https://svn.apache.org/r1810014 (7.0.x) NOTE: https://svn.apache.org/r1810026 (7.0.x) NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=61542 CVE-2017-12616 (When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it w ...) {DLA-1400-1 DLA-1108-1} - tomcat7 7.0.72-3 NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API NOTE: https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81 NOTE: https://svn.apache.org/r1804729 CVE-2017-12615 (When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs e ...) - tomcat7 (Windows-specific) CVE-2017-12614 (It was noticed an XSS in certain 404 pages that could be exploited to ...) - airflow (bug #819700) CVE-2017-12613 (When apr_time_exp*() or apr_os_exp_time*() functions are invoked with ...) {DLA-1162-1} - apr 1.6.3-1 (low; bug #879708) [stretch] - apr (Minor issue) [jessie] - apr (Minor issue) NOTE: mail-archives.apache.org/mod_mbox/apr-dev/201710.mbox/%3CCACsi252POs4toeJJciwg09_eu2cO3XFg%3DUqsPjXsfjDoeC3-UQ%40mail.gmail.com%3E NOTE: Fixed by: https://github.com/apache/apr/commit/ad958385a4180d7a83d90589689fcd36e3bbc57a CVE-2017-12612 (In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe de ...) - apache-spark (bug #802194) CVE-2017-12611 (In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using ...) - libstruts1.2-java [wheezy] - libstruts1.2-java (Minor issue) NOTE: Only a problem if the application programmer has made a security mistake. NOTE: https://struts.apache.org/docs/s2-053.html CVE-2017-12610 (In Apache Kafka 0.10.0.0 to 0.10.2.1 and 0.11.0.0 to 0.11.0.1, authent ...) - kafka (bug #786460) CVE-2017-12609 REJECTED CVE-2017-12608 (A vulnerability in Apache OpenOffice Writer DOC file parser before 4.1 ...) {DSA-4022-1 DLA-1214-1} - libreoffice 1:5.0.2-1 NOTE: https://www.talosintelligence.com/reports/TALOS-2017-0301 NOTE: https://www.libreoffice.org/about-us/security/advisories/CVE-2017-12608 NOTE: https://gerrit.libreoffice.org/gitweb?p=core.git;a=commitdiff_plain;h=42a709d1ef647aab9a1c9422b4e25ecaee857aba CVE-2017-12607 (A vulnerability in OpenOffice's PPT file parser before 4.1.4, and spec ...) {DSA-4022-1 DLA-1214-1} - libreoffice 1:5.0.2-1 NOTE: https://www.talosintelligence.com/reports/TALOS-2017-0300 NOTE: https://www.libreoffice.org/about-us/security/advisories/CVE-2017-12607 NOTE: https://cgit.freedesktop.org/libreoffice/core/commit/?id=334dba623dfb0c4fb2b5292c2d03741b7b33aef1 CVE-2016-10404 (XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted redirect ...) NOT-FOR-US: Liferay Portal CVE-2017-12606 (OpenCV (Open Source Computer Vision Library) through 3.3 has an out-of ...) {DLA-1438-1 DLA-1117-1} [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #872044) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9309 CVE-2017-12605 (OpenCV (Open Source Computer Vision Library) through 3.3 has an out-of ...) {DLA-1438-1 DLA-1117-1} [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #872044) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9309 CVE-2017-12604 (OpenCV (Open Source Computer Vision Library) through 3.3 has an out-of ...) {DLA-1438-1 DLA-1117-1} [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #872044) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9309 CVE-2017-12603 (OpenCV (Open Source Computer Vision Library) through 3.3 has an invali ...) {DLA-1438-1 DLA-1117-1} [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #872044) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9309 CVE-2017-12602 (OpenCV (Open Source Computer Vision Library) through 3.3 has a denial ...) [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #872045) [stretch] - opencv (Minor issue) [jessie] - opencv (Minor issue) [wheezy] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9311 CVE-2017-12601 (OpenCV (Open Source Computer Vision Library) through 3.3 has a buffer ...) {DLA-1438-1 DLA-1117-1} [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #872044) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9309 CVE-2017-12600 (OpenCV (Open Source Computer Vision Library) through 3.3 has a denial ...) [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #872045) [stretch] - opencv (Minor issue) [jessie] - opencv (Minor issue) [wheezy] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9311 CVE-2017-12599 (OpenCV (Open Source Computer Vision Library) through 3.3 has an out-of ...) {DLA-1438-1 DLA-1117-1} [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #872044) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9309 CVE-2017-12598 (OpenCV (Open Source Computer Vision Library) through 3.3 has an out-of ...) {DLA-1438-1 DLA-1117-1} [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #872044) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9309 CVE-2017-12597 (OpenCV (Open Source Computer Vision Library) through 3.3 has an out-of ...) {DLA-1438-1 DLA-1117-1} [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #872044) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9309 CVE-2017-12596 (In OpenEXR 2.2.0, a crafted image causes a heap-based buffer over-read ...) - openexr 2.2.0-11.1 (bug #877352) [stretch] - openexr (Minor issue) [jessie] - openexr (Minor issue) [wheezy] - openexr 1.6.1-6+deb7u1 NOTE: https://github.com/openexr/openexr/issues/238 NOTE: Upstream fix https://github.com/openexr/openexr/commit/f09f5f26c1924c4f7e183428ca79c9881afaf53c CVE-2017-12595 (The tokenizer in QPDF 6.0.0 and 7.0.b1 is recursive for arrays and dic ...) - qpdf 7.0.0-1 [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) [wheezy] - qpdf (Minor issue) NOTE: https://github.com/qpdf/qpdf/issues/146 NOTE: Fixed by: https://github.com/qpdf/qpdf/commit/ad527a64f93dca12f6aabab2ca99ae5eb352ab4b CVE-2017-12594 RESERVED CVE-2017-12593 (ASUS DSL-N10S V2.1.16_APAC devices allow CSRF. ...) NOT-FOR-US: ASUS DSL-N10S V2.1.16_APAC devices CVE-2017-12592 (ASUS DSL-N10S V2.1.16_APAC devices have a privilege escalation vulnera ...) NOT-FOR-US: ASUS DSL-N10S V2.1.16_APAC devices CVE-2017-12591 (ASUS DSL-N10S V2.1.16_APAC devices have reflected and stored cross sit ...) NOT-FOR-US: ASUS DSL-N10S V2.1.16_APAC devices CVE-2017-12590 (ASUS RT-N14UHP devices before 3.0.0.4.380.8015 have a reflected XSS vu ...) NOT-FOR-US: ASUS RT-N14UHP devices CVE-2017-12589 (ToMAX R60G R60GV2-V2.0-v.2.6.3-170330 devices do not have any protecti ...) NOT-FOR-US: ToMAX R60G R60GV2-V2.0-v.2.6.3-170330 devices CVE-2017-12588 (The zmq3 input and output modules in rsyslog before 8.28.0 interpreted ...) - rsyslog 8.28.0-1 (unimportant) NOTE: https://github.com/rsyslog/rsyslog/commit/062d0c671a29f7c6f7dff4a2f1f35df375bbb30b NOTE: https://github.com/rsyslog/rsyslog/pull/1565 NOTE: The zmq3 input and output modules are not enabled and built in Debian CVE-2017-12587 (ImageMagick 7.0.6-1 has a large loop vulnerability in the ReadPWPImage ...) {DSA-4019-1 DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-16 (bug #870526) NOTE: https://github.com/ImageMagick/ImageMagick/issues/535 NOTE: https://github.com/ImageMagick/ImageMagick/commit/bb5b16c512977e8134701063e0adb05a4a342add NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/d4192df5eb03892089806d52a317cc3101856726 CVE-2017-12586 (SLiMS 8 Akasia through 8.3.1 has an arbitrary file reading issue becau ...) NOT-FOR-US: SLiMS 8 Akasia CVE-2017-12585 (SLiMS 8 Akasia through 8.3.1 has SQL injection in admin/AJAX_lookup_ha ...) NOT-FOR-US: SLiMS 8 Akasia CVE-2017-12584 (There is no CSRF mitigation in SLiMS 8 Akasia through 8.3.1. Also, an ...) NOT-FOR-US: SLiMS 8 Akasia CVE-2017-12583 (DokuWiki through 2017-02-19b has XSS in the at parameter (aka the DATE ...) - dokuwiki 0.0.20180422.a-1 (bug #870903) [jessie] - dokuwiki (Vulnerable code not present) [wheezy] - dokuwiki (Vulnerable code not present) NOTE: https://github.com/splitbrain/dokuwiki/issues/2061 CVE-2017-12582 (Unprivileged user can access all functions in the Surveillance Station ...) NOT-FOR-US: QNAP CVE-2017-12581 (GitHub Electron before 1.6.8 allows remote command execution because o ...) - electron (bug #842420) CVE-2017-12580 (An issue was discovered in IDM UltraEdit through 24.10.0.32. To exploi ...) NOT-FOR-US: IDM UltraEdit CVE-2017-12579 (An insecure suid wrapper binary in the HashiCorp Vagrant VMware Fusion ...) NOT-FOR-US: HashiCorp Vagrant VMware Fusion plugin CVE-2017-12578 RESERVED CVE-2017-12577 (An issue was discovered on the PLANEX CS-QR20 1.30. A hardcoded accoun ...) NOT-FOR-US: PLANEX CVE-2017-12576 (An issue was discovered on the PLANEX CS-QR20 1.30. A hidden and undoc ...) NOT-FOR-US: PLANEX CVE-2017-12575 (An issue was discovered on the NEC Aterm WG2600HP2 1.0.2. The router h ...) NOT-FOR-US: NEC CVE-2017-12574 (An issue was discovered on PLANEX CS-W50HD devices with firmware befor ...) NOT-FOR-US: PLANEX CVE-2017-12573 (An issue was discovered on PLANEX CS-W50HD devices with firmware befor ...) NOT-FOR-US: PLANEX CVE-2017-12572 (Persistent Cross Site Scripting (XSS) exists in Splunk Enterprise 6.5. ...) NOT-FOR-US: Splunk CVE-2017-12571 RESERVED CVE-2017-12570 RESERVED CVE-2017-12569 RESERVED CVE-2017-12568 (Denial of Service vulnerability in Debut embedded httpd 1.20 in Brothe ...) NOT-FOR-US: Brother CVE-2017-12567 (SQL injection exists in Quest KACE Asset Management Appliance 6.4.1208 ...) NOT-FOR-US: Quest KACE Asset Management Appliance CVE-2017-12566 (In ImageMagick 7.0.6-2, a memory leak vulnerability was found in the f ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-16 (unimportant; bug #870503) NOTE: https://github.com/ImageMagick/ImageMagick/issues/603 NOTE: https://github.com/ImageMagick/ImageMagick/commit/2477eacf09d3a26efe814590a5dbbe1efd16764f NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/27b3b9ca5cfb7b8935852cf315abc005ea7c1e16 CVE-2017-12565 (In ImageMagick 7.0.6-2, a memory leak vulnerability was found in the f ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-15 (unimportant; bug #870115) NOTE: https://github.com/ImageMagick/ImageMagick/issues/602 NOTE: https://github.com/ImageMagick/ImageMagick/commit/e0e544bb173213df00f82a810d66321e1bb4f3c8 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/4d0ac66c9778faebd2d1fac7140462b043626458 CVE-2017-12564 (In ImageMagick 7.0.6-2, a memory leak vulnerability was found in the f ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-14 (unimportant; bug #870017) NOTE: https://github.com/ImageMagick/ImageMagick/issues/601 NOTE: https://github.com/ImageMagick/ImageMagick/commit/ff3faa31166439d81b72de22daea2b6404569137 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/a4779cfbee2e4235fa9f9f8f2e58dca17f7ccc6b CVE-2017-12563 (In ImageMagick 7.0.6-2, a memory exhaustion vulnerability was found in ...) {DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-16 (low; bug #870530) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/599 NOTE: https://github.com/ImageMagick/ImageMagick/commit/82b53bd74df1489332e4043035a51b43f54d43f1 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/7d3af83d8b946f952bfd028451e6dfb1f7ace07a CVE-2017-12561 (A remote code execution vulnerability in HPE intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12560 (A Remote Denial of Service vulnerability in HPE Intelligent Management ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12559 (A Remote Denial of Service vulnerability in HPE Intelligent Management ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12558 (A Remote Code Execution vulnerability in HPE intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12557 (A Remote Code Execution vulnerability in HPE intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12556 (A Remote Code Execution vulnerability in HPE intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12555 (A remote arbitrary file download and disclosure of information vulnera ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12554 (A remote code execution vulnerability in HPE intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12553 (A local authentication bypass vulnerability in HPE System Management H ...) NOT-FOR-US: HPE System Management Homepage CVE-2017-12552 (A local arbitrary execution of commands vulnerability in HPE System Ma ...) NOT-FOR-US: HPE System Management Homepage CVE-2017-12551 (A local arbitrary execution of commands vulnerability in HPE System Ma ...) NOT-FOR-US: HPE System Management Homepage CVE-2017-12550 (A local security misconfiguration vulnerability in HPE System Manageme ...) NOT-FOR-US: HPE System Management Homepage CVE-2017-12549 (A local authentication bypass vulnerability in HPE System Management H ...) NOT-FOR-US: HPE System Management Homepage CVE-2017-12548 (A local arbitrary command execution vulnerability in HPE System Manage ...) NOT-FOR-US: HPE System Management Homepage CVE-2017-12547 (A local arbitrary command execution vulnerability in HPE System Manage ...) NOT-FOR-US: HPE System Management Homepage CVE-2017-12546 (A local buffer overflow vulnerability in HPE System Management Homepag ...) NOT-FOR-US: HPE System Management Homepage CVE-2017-12545 (A remote denial of service vulnerability in HPE System Management Home ...) NOT-FOR-US: HPE System Management Homepage CVE-2017-12544 (A cross-site scripting vulnerability in HPE System Management Homepage ...) NOT-FOR-US: HPE System Management Homepage CVE-2017-12543 (A remote disclosure of information vulnerability in Moonshot Remote Co ...) NOT-FOR-US: Moonshot Remote Console Administrator Pro CVE-2017-12542 (A authentication bypass and execution of code vulnerability in HPE Int ...) NOT-FOR-US: HPE ILO 4 CVE-2017-12541 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12540 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12539 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12538 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12537 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12536 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12535 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12534 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12533 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12532 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12531 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12530 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12529 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12528 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12527 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12526 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12525 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12524 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12523 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12522 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12521 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12520 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12519 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12518 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12517 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12516 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12515 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12514 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12513 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12512 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12511 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12510 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12509 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12508 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12507 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12506 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12505 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12504 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12503 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12502 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12501 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12500 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12499 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12498 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12497 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12496 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12495 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12494 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12493 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12492 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12491 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12490 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12489 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12488 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12487 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12486 RESERVED CVE-2017-12485 RESERVED CVE-2017-12484 RESERVED CVE-2017-12483 RESERVED CVE-2017-12482 (The ledger::parse_date_mask_routine function in times.cc in Ledger 3.1 ...) - ledger 3.1.2+dfsg1-1 (low; bug #870900) [stretch] - ledger (Minor issue) [jessie] - ledger (Minor issue) [wheezy] - ledger (Minor issue) NOTE: http://bugs.ledger-cli.org/show_bug.cgi?id=1224 NOTE: https://github.com/ledger/ledger/issues/1224 NOTE: https://github.com/ledger/ledger/commit/7c0ae5b02571e21f97d45f5d091cb78af9885713 CVE-2017-12481 (The find_option function in option.cc in Ledger 3.1.1 allows remote at ...) - ledger 3.1.2+dfsg1-1 (low; bug #870900) [stretch] - ledger (Minor issue) [jessie] - ledger (Minor issue) [wheezy] - ledger (Minor issue) NOTE: http://bugs.ledger-cli.org/show_bug.cgi?id=1222 NOTE: https://github.com/ledger/ledger/issues/1222 NOTE: https://github.com/ledger/ledger/commit/c5343f18744d0f6fddcc590f9a54c23674d8c489 CVE-2017-12480 (Sandboxie installer 5071703 has a DLL Hijacking or Unsafe DLL Loading ...) NOT-FOR-US: Sandboxie CVE-2017-12479 (It was discovered that an issue in the session logic in Unitrends Back ...) NOT-FOR-US: Unitrends Backup CVE-2017-12478 (It was discovered that the api/storage web interface in Unitrends Back ...) NOT-FOR-US: Unitrends Backup CVE-2017-12477 (It was discovered that the bpserverd proprietary protocol in Unitrends ...) NOT-FOR-US: Unitrends Backup CVE-2017-12476 (The AP4_AvccAtom::InspectFields function in Core/Ap4AvccAtom.cpp in Be ...) NOT-FOR-US: Bento4 CVE-2017-12475 (The AP4_Processor::Process function in Core/Ap4Processor.cpp in Bento4 ...) NOT-FOR-US: Bento4 CVE-2017-12474 (The AP4_AtomSampleTable::GetSample function in Core/Ap4AtomSampleTable ...) NOT-FOR-US: Bento4 CVE-2017-12473 (ccnl_ccntlv_bytes2pkt in CCN-lite allows context-dependent attackers t ...) NOT-FOR-US: CCN-lite CVE-2017-12472 (ccnl-ext-mgmt.c in CCN-lite before 2.00 allows context-dependent attac ...) NOT-FOR-US: CCN-lite CVE-2017-12471 (The cnb_parse_lev function in CCN-lite before 2.00 allows context-depe ...) NOT-FOR-US: CCN-lite CVE-2017-12470 (Integer overflow in the ndn_parse_sequence function in CCN-lite before ...) NOT-FOR-US: CCN-lite CVE-2017-12469 (Buffer overflow in util/ccnl-common.c in CCN-lite before 2.00 allows c ...) NOT-FOR-US: CCN-lite CVE-2017-12468 (Buffer overflow in ccn-lite-ccnb2xml.c in CCN-lite before 2.00 allows ...) NOT-FOR-US: CCN-lite CVE-2017-12467 (Memory leak in CCN-lite before 2.00 allows context-dependent attackers ...) NOT-FOR-US: CCN-lite CVE-2017-12466 (CCN-lite before 2.00 allows context-dependent attackers to have unspec ...) NOT-FOR-US: CCN-lite CVE-2017-12465 (Multiple integer overflows in CCN-lite before 2.00 allow context-depen ...) NOT-FOR-US: CCN-lite CVE-2017-12464 (ccn-lite-valid.c in CCN-lite before 2.00 allows context-dependent atta ...) NOT-FOR-US: CCN-lite CVE-2017-12463 (Memory leak in the ccnl_app_RX function in ccnl-uapi.c in CCN-lite bef ...) NOT-FOR-US: CCN-lite CVE-2017-12462 RESERVED CVE-2017-12461 RESERVED CVE-2017-12460 (An issue was discovered in Barco ClickShare CSM-1 firmware before v1.7 ...) NOT-FOR-US: Barco ClickShare CSM-1 firmware CVE-2017-12459 (The bfd_mach_o_read_symtab_strtab function in bfd/mach-o.c in the Bina ...) - binutils 2.29-8 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21840 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8bdf0be19d2777565a8b1c88347f65d6a4b8c5fc CVE-2017-12458 (The nlm_swap_auxiliary_headers_in function in bfd/nlmcode.h in the Bin ...) - binutils 2.29-8 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21840 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8bdf0be19d2777565a8b1c88347f65d6a4b8c5fc CVE-2017-12457 (The bfd_make_section_with_flags function in section.c in the Binary Fi ...) - binutils 2.29-8 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21840 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=patch;h=8bdf0be19d2777565a8b1c88347f65d6a4b8c5fc CVE-2017-12456 (The read_symbol_stabs_debugging_info function in rddbg.c in GNU Binuti ...) - binutils 2.29-9 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21813 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ca4cf9b9c622a5695e01f7f5815a7382a31fcf51 CVE-2017-12455 (The evax_bfd_print_emh function in vms-alpha.c in the Binary File Desc ...) - binutils 2.29-8 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21840 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8bdf0be19d2777565a8b1c88347f65d6a4b8c5fc CVE-2017-12454 (The _bfd_vms_slurp_egsd function in bfd/vms-alpha.c in the Binary File ...) - binutils 2.29-9 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21813 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ca4cf9b9c622a5695e01f7f5815a7382a31fcf51 CVE-2017-12453 (The _bfd_vms_slurp_eeom function in libbfd.c in the Binary File Descri ...) - binutils 2.29-9 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21813 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ca4cf9b9c622a5695e01f7f5815a7382a31fcf51 CVE-2017-12452 (The bfd_mach_o_i386_canonicalize_one_reloc function in bfd/mach-o-i386 ...) - binutils 2.29-9 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21813 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ca4cf9b9c622a5695e01f7f5815a7382a31fcf51 CVE-2017-12451 (The _bfd_xcoff_read_ar_hdr function in bfd/coff-rs6000.c and bfd/coff6 ...) - binutils 2.29-9 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21786 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=29866fa186ee3ebda5242221607dba360b2e541e CVE-2017-12450 (The alpha_vms_object_p function in bfd/vms-alpha.c in the Binary File ...) - binutils 2.29-9 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21813 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8a2df5e2df374289e00ecd8f099eb46d76ef982e CVE-2017-12449 (The _bfd_vms_save_sized_string function in vms-misc.c in the Binary Fi ...) - binutils 2.29-8 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21840 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8bdf0be19d2777565a8b1c88347f65d6a4b8c5fc CVE-2017-12448 (The bfd_cache_close function in bfd/cache.c in the Binary File Descrip ...) - binutils 2.29-9 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21787 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=909e4e716c4d77e33357bbe9bc902bfaf2e1af24 CVE-2017-12447 (GdkPixBuf (aka gdk-pixbuf), possibly 2.32.2, as used by GNOME Nautilus ...) - gdk-pixbuf 2.34.0-1 [jessie] - gdk-pixbuf 2.31.1-2+deb8u5 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=785979 NOTE: Fixed by: https://gitlab.gnome.org/GNOME/gdk-pixbuf/commit/b7bf6fbfb310fceba2d35d4de143b8d5ffdad990 (2.33.2) CVE-2017-12446 RESERVED CVE-2017-12445 (The JB2BitmapCoder::code_row_by_refinement function in jb2/bmpcoder.cp ...) - minidjvu (unimportant; bug #871495) NOTE: https://sourceforge.net/p/minidjvu/bugs/8/ CVE-2017-12444 (The mdjvu_bitmap_get_bounding_box function in base/4bitmap.c in minidj ...) - minidjvu (unimportant; bug #871495) NOTE: https://sourceforge.net/p/minidjvu/bugs/8/ CVE-2017-12443 (The mdjvu_bitmap_pack_row function in base/4bitmap.c in minidjvu 0.8 c ...) - minidjvu (unimportant; bug #871495) NOTE: https://sourceforge.net/p/minidjvu/bugs/8/ CVE-2017-12442 (The row_is_empty function in base/4bitmap.c:272 in minidjvu 0.8 can ca ...) - minidjvu (unimportant; bug #871495) NOTE: https://sourceforge.net/p/minidjvu/bugs/8/ CVE-2017-12441 (The row_is_empty function in base/4bitmap.c:274 in minidjvu 0.8 can ca ...) - minidjvu (unimportant; bug #871495) NOTE: https://sourceforge.net/p/minidjvu/bugs/8/ CVE-2017-12440 (Aodh as packaged in Openstack Ocata and Newton before change-ID I8fd11 ...) {DSA-3953-1} - aodh 5.0.0-2 (bug #872605) NOTE: https://wiki.openstack.org/wiki/OSSN/OSSN-0080 NOTE: Master: https://review.openstack.org/#/c/493823/ NOTE: Ocata: https://review.openstack.org/#/c/493824/ NOTE: Newton: https://review.openstack.org/#/c/493826/ NOTE: https://github.com/openstack/aodh/commit/cb90d3ad472bba8d648803ca94a9196dff97f0e8 CVE-2017-12439 (SocuSoft Flash Slideshow Maker Professional through v5.20, when the ad ...) NOT-FOR-US: SocuSoft Flash Slideshow Maker Professional CVE-2017-12438 RESERVED CVE-2017-12437 RESERVED CVE-2017-12436 RESERVED CVE-2017-12435 (In ImageMagick 7.0.6-1, a memory exhaustion vulnerability was found in ...) {DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-16 (low; bug #870504) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/543 NOTE: https://github.com/ImageMagick/ImageMagick/commit/2dd8d55742fce7d079b6a16039c18e49c091224f NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/44cb8dfd4cbe6fc475c863a5946cff64e34c2088 CVE-2017-12433 (In ImageMagick 7.0.6-1, a memory leak vulnerability was found in the f ...) {DLA-1081-1} - imagemagick 8:6.9.9.34+dfsg-3 (unimportant; bug #872481) NOTE: https://github.com/ImageMagick/ImageMagick/issues/548 NOTE: https://github.com/ImageMagick/ImageMagick/commit/7beec9a7a8a5701652b313e6e94bafd36b3627dc NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/0a170d18390d3762586f164e6abe3c4766d14620 CVE-2017-12432 (In ImageMagick 7.0.6-1, a memory exhaustion vulnerability was found in ...) {DSA-4019-1 DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-16 (low; bug #870491) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/536 NOTE: https://github.com/ImageMagick/ImageMagick/commit/061de02095a56d438409c63f723f340b2d9d36c7 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/3ded916c5da6febe9660c3cfa44c3114567adf74 CVE-2017-12429 (In ImageMagick 7.0.6-1, a memory exhaustion vulnerability was found in ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-13 [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/545 NOTE: https://github.com/ImageMagick/ImageMagick/commit/30a74ed25a4890acfa94f452d653d54c9628c87e NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/3ac6c73d39d59a7b0285b3756810272121759a31 NOTE: The fix applied for #869727 included the change for upstream issue 545, cf. NOTE: https://github.com/ImageMagick/ImageMagick/issues/546#issuecomment-313968413 CVE-2017-12427 (The ProcessMSLScript function in coders/msl.c in ImageMagick before 6. ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-16 (unimportant; bug #870525) NOTE: https://github.com/ImageMagick/ImageMagick/issues/636 NOTE: ImageMagick-7: https://github.com/ImageMagick/ImageMagick/commit/e793eb203e5e0f91f5037aed6585e81b1e27395b NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/841f7b27dc88c685c61252d59b7e20e94c982456 CVE-2017-12426 (GitLab Community Edition (CE) and Enterprise Edition (EE) before 8.17. ...) - gitlab 9.5.4+dfsg-7 (bug #872190; unimportant) NOTE: https://gitlab.com/gitlab-org/gitlab-ce/issues/35212 NOTE: The fix for git for CVE-2017-1000117 mitgates the issue in gitlab itself. NOTE: The CVE is for the issue when importing a project via crafted SSH URLs, NOTE: which becomes ineffective with a fixed git version itself. CVE-2017-12424 (In shadow before 4.5, the newusers tool could be made to manipulate in ...) - shadow 1:4.5-1 (bug #756630) [stretch] - shadow (Minor issue) [jessie] - shadow (Minor issue) [wheezy] - shadow (Minor issue) NOTE: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1266675 NOTE: https://github.com/shadow-maint/shadow/commit/954e3d2e7113e9ac06632aee3c69b8d818cc8952 (4.5) CVE-2017-12423 (NetApp Clustered Data ONTAP 8.3.x before 8.3.2P12 allows remote authen ...) NOT-FOR-US: NetApp CVE-2017-12422 (NetApp StorageGRID Webscale 10.2.x before 10.2.2.3, 10.3.x before 10.3 ...) NOT-FOR-US: NetApp CVE-2017-12421 (NetApp Clustered Data ONTAP 8.3.x before 8.3.2P12 allows remote authen ...) NOT-FOR-US: NetApp CVE-2017-12420 (Heap-based buffer overflow in the SMB implementation in NetApp Cluster ...) NOT-FOR-US: NetApp CVE-2017-12419 (If, after successful installation of MantisBT through 2.5.2 on MySQL/M ...) - mantis [wheezy] - mantis (Not supported in Wheezy) NOTE: https://mantisbt.org/bugs/view.php?id=23173 CVE-2017-12418 (ImageMagick 7.0.6-5 has memory leaks in the parse8BIMW and format8BIM ...) {DLA-1081-1} - imagemagick 8:6.9.9.34+dfsg-3 (unimportant; bug #872498) NOTE: https://github.com/ImageMagick/ImageMagick/issues/643 NOTE: https://github.com/ImageMagick/ImageMagick/commit/46382526a3f09cebf9f2af680fc55b2a668fcbef NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/bfd93888beccf2eff49cc9abfa6b5167c9c9109d CVE-2017-12417 RESERVED CVE-2017-12416 (Cross-site scripting (XSS) vulnerability in the GlobalProtect internal ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-12415 (OXID eShop Community Edition before 6.0.0 RC2 (development), 4.10.x be ...) NOT-FOR-US: OXID eShop CVE-2015-9107 (Zoho ManageEngine OpManager 11 through 12.2 uses a custom encryption a ...) NOT-FOR-US: Zoho ManageEngine OpManager CVE-2017-12414 (Format Factory 4.1.0 has a DLL Hijacking Vulnerability because an untr ...) NOT-FOR-US: Format Factory CVE-2017-12413 (AXIS 2100 devices 2.43 have XSS via the URI, possibly related to admin ...) NOT-FOR-US: AXIS 2100 devices CVE-2017-12412 (ccn-lite-ccnb2xml in CCN-lite before 2.0.0 allows context-dependent at ...) NOT-FOR-US: CCN-lite CVE-2017-12411 RESERVED CVE-2017-12410 (It is possible to exploit a Time of Check & Time of Use (TOCTOU) v ...) NOT-FOR-US: Kaseya Virtual System Administrator agent CVE-2017-12409 RESERVED CVE-2017-12408 RESERVED CVE-2017-12407 RESERVED CVE-2017-12406 RESERVED CVE-2017-12405 RESERVED CVE-2017-12404 RESERVED CVE-2017-12403 RESERVED CVE-2017-12402 RESERVED CVE-2017-12401 RESERVED CVE-2017-12400 RESERVED CVE-2017-12399 RESERVED CVE-2017-12398 RESERVED CVE-2017-12397 RESERVED CVE-2017-12396 RESERVED CVE-2017-12395 RESERVED CVE-2017-12394 RESERVED CVE-2017-12393 RESERVED CVE-2017-12392 RESERVED CVE-2017-12391 RESERVED CVE-2017-12390 RESERVED CVE-2017-12389 RESERVED CVE-2017-12388 RESERVED CVE-2017-12387 RESERVED CVE-2017-12386 RESERVED CVE-2017-12385 RESERVED CVE-2017-12384 RESERVED CVE-2017-12383 RESERVED CVE-2017-12382 RESERVED CVE-2017-12381 RESERVED CVE-2017-12380 (ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerab ...) {DLA-1261-1} - clamav 0.99.3~beta2+dfsg-1 (bug #888484) [stretch] - clamav 0.99.2+dfsg-6+deb9u1 [jessie] - clamav 0.99.2+dfsg-0+deb8u3 NOTE: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11945 NOTE: https://github.com/vrtadmin/clamav-devel/commit/39c89d14a61aef2958b8ea64ade1be7a5faca897 CVE-2017-12379 (ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerab ...) {DLA-1261-1} - clamav 0.99.3~beta2+dfsg-1 (bug #888484) [stretch] - clamav 0.99.2+dfsg-6+deb9u1 [jessie] - clamav 0.99.2+dfsg-0+deb8u3 NOTE: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11944 NOTE: https://github.com/vrtadmin/clamav-devel/commit/0604618374dc0dfd148b0ce7bf7a3d2b7528e66b CVE-2017-12378 (ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerab ...) {DLA-1261-1} - clamav 0.99.3~beta2+dfsg-1 (bug #888484) [stretch] - clamav 0.99.2+dfsg-6+deb9u1 [jessie] - clamav 0.99.2+dfsg-0+deb8u3 NOTE: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11946 NOTE: https://github.com/vrtadmin/clamav-devel/commit/292d6878fa3e7fd2ab0f7275a78190639ad116d4 NOTE: https://github.com/vrtadmin/clamav-devel/commit/0cf813f835e48ab0f94dd54200ceba0dc25fa1c4 CVE-2017-12377 (ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerab ...) {DLA-1261-1} - clamav 0.99.3~beta2+dfsg-1 (bug #888484) [stretch] - clamav 0.99.2+dfsg-6+deb9u1 [jessie] - clamav 0.99.2+dfsg-0+deb8u3 NOTE: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11943 NOTE: https://github.com/vrtadmin/clamav-devel/commit/38da4800bfb2d6b13579950b6543302d13e3015c NOTE: https://github.com/vrtadmin/clamav-devel/commit/e887f113242ffcb0ea8735c3f567c6be77f382d6 CVE-2017-12376 (ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerab ...) {DLA-1261-1} - clamav 0.99.3~beta2+dfsg-1 (bug #888484) [stretch] - clamav 0.99.2+dfsg-6+deb9u1 [jessie] - clamav 0.99.2+dfsg-0+deb8u3 NOTE: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11942 NOTE: https://github.com/vrtadmin/clamav-devel/commit/c8ba4ae2e47a4f49add3e85ef7041b166be6bfdb CVE-2017-12375 (The ClamAV AntiVirus software versions 0.99.2 and prior contain a vuln ...) {DLA-1261-1} - clamav 0.99.3~beta2+dfsg-1 (bug #888484) [stretch] - clamav 0.99.2+dfsg-6+deb9u1 [jessie] - clamav 0.99.2+dfsg-0+deb8u3 NOTE: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11940 NOTE: https://github.com/vrtadmin/clamav-devel/commit/d1100be31a567718ce7c7dd6e6c632eddab55209 CVE-2017-12374 (The ClamAV AntiVirus software versions 0.99.2 and prior contain a vuln ...) {DLA-1261-1} - clamav 0.99.3~beta2+dfsg-1 (bug #888484) [stretch] - clamav 0.99.2+dfsg-6+deb9u1 [jessie] - clamav 0.99.2+dfsg-0+deb8u3 NOTE: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11939 NOTE: https://github.com/vrtadmin/clamav-devel/commit/7cf2a701041b775dda9743d01665279facc9b326 CVE-2017-12373 (A vulnerability in the TLS protocol implementation of legacy Cisco ASA ...) NOT-FOR-US: Cisco CVE-2017-12372 (A "Cisco WebEx Network Recording Player Remote Code Execution Vulnerab ...) NOT-FOR-US: Cisco CVE-2017-12371 (A "Cisco WebEx Network Recording Player Remote Code Execution Vulnerab ...) NOT-FOR-US: Cisco CVE-2017-12370 (A "Cisco WebEx Network Recording Player Remote Code Execution Vulnerab ...) NOT-FOR-US: Cisco CVE-2017-12369 (A "Cisco WebEx Network Recording Player Out-of-Bounds Vulnerability" e ...) NOT-FOR-US: Cisco CVE-2017-12368 (A "Cisco WebEx Network Recording Player Remote Code Execution Vulnerab ...) NOT-FOR-US: Cisco CVE-2017-12367 (A "Cisco WebEx Network Recording Player Denial of Service Vulnerabilit ...) NOT-FOR-US: Cisco CVE-2017-12366 (A vulnerability in Cisco WebEx Meeting Center could allow an unauthent ...) NOT-FOR-US: Cisco CVE-2017-12365 (A vulnerability in Cisco WebEx Event Center could allow an authenticat ...) NOT-FOR-US: Cisco CVE-2017-12364 (A SQL Injection vulnerability in the web framework of Cisco Prime Serv ...) NOT-FOR-US: Cisco CVE-2017-12363 (A vulnerability in Cisco WebEx Meeting Server could allow an unauthent ...) NOT-FOR-US: Cisco CVE-2017-12362 (A vulnerability in Cisco Meeting Server versions prior to 2.2.2 could ...) NOT-FOR-US: Cisco CVE-2017-12361 (A vulnerability in Cisco Jabber for Windows could allow an unauthentic ...) NOT-FOR-US: Cisco CVE-2017-12360 (A vulnerability in Cisco WebEx Network Recording Player for WebEx Reco ...) NOT-FOR-US: Cisco CVE-2017-12359 (A Buffer Overflow vulnerability in Cisco WebEx Network Recording Playe ...) NOT-FOR-US: Cisco CVE-2017-12358 (A vulnerability in the web-based management interface of Cisco Jabber ...) NOT-FOR-US: Cisco CVE-2017-12357 (A vulnerability in the web-based management interface of Cisco Unified ...) NOT-FOR-US: Cisco CVE-2017-12356 (A vulnerability in the web-based management interface of Cisco Jabber ...) NOT-FOR-US: Cisco CVE-2017-12355 (A vulnerability in the Local Packet Transport Services (LPTS) ingress ...) NOT-FOR-US: Cisco CVE-2017-12354 (A vulnerability in the web-based interface of Cisco Secure Access Cont ...) NOT-FOR-US: Cisco CVE-2017-12353 (A vulnerability in the Multipurpose Internet Mail Extensions (MIME) sc ...) NOT-FOR-US: Cisco CVE-2017-12352 (A vulnerability in certain system script files that are installed at b ...) NOT-FOR-US: Cisco CVE-2017-12351 (A vulnerability in the guest shell feature of Cisco NX-OS System Softw ...) NOT-FOR-US: Cisco CVE-2017-12350 (A vulnerability in Cisco Umbrella Insights Virtual Appliances 2.1.0 an ...) NOT-FOR-US: Cisco CVE-2017-12349 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2017-12348 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2017-12347 (Multiple vulnerabilities in Cisco Data Center Network Manager (DCNM) S ...) NOT-FOR-US: Cisco CVE-2017-12346 (Multiple vulnerabilities in Cisco Data Center Network Manager (DCNM) S ...) NOT-FOR-US: Cisco CVE-2017-12345 (Multiple vulnerabilities in Cisco Data Center Network Manager (DCNM) S ...) NOT-FOR-US: Cisco CVE-2017-12344 (Multiple vulnerabilities in Cisco Data Center Network Manager (DCNM) S ...) NOT-FOR-US: Cisco CVE-2017-12343 (Multiple vulnerabilities in Cisco Data Center Network Manager (DCNM) S ...) NOT-FOR-US: Cisco CVE-2017-12342 (A vulnerability in the Open Agent Container (OAC) feature of Cisco Nex ...) NOT-FOR-US: Cisco CVE-2017-12341 (A vulnerability in the CLI of Cisco NX-OS System Software could allow ...) NOT-FOR-US: Cisco CVE-2017-12340 (A vulnerability in Cisco NX-OS System Software running on Cisco MDS Mu ...) NOT-FOR-US: Cisco CVE-2017-12339 (A vulnerability in the CLI of Cisco NX-OS System Software could allow ...) NOT-FOR-US: Cisco CVE-2017-12338 (A vulnerability in the CLI of Cisco NX-OS System Software could allow ...) NOT-FOR-US: Cisco CVE-2017-12337 (A vulnerability in the upgrade mechanism of Cisco collaboration produc ...) NOT-FOR-US: Cisco CVE-2017-12336 (A vulnerability in the TCL scripting subsystem of Cisco NX-OS System S ...) NOT-FOR-US: Cisco CVE-2017-12335 (A vulnerability in the CLI of Cisco NX-OS System Software could allow ...) NOT-FOR-US: Cisco CVE-2017-12334 (A vulnerability in the CLI of Cisco NX-OS System Software could allow ...) NOT-FOR-US: Cisco CVE-2017-12333 (A vulnerability in Cisco NX-OS System Software could allow an authenti ...) NOT-FOR-US: Cisco CVE-2017-12332 (A vulnerability in Cisco NX-OS System Software patch installation coul ...) NOT-FOR-US: Cisco CVE-2017-12331 (A vulnerability in Cisco NX-OS System Software could allow an authenti ...) NOT-FOR-US: Cisco CVE-2017-12330 (A vulnerability in the CLI of Cisco NX-OS System Software could allow ...) NOT-FOR-US: Cisco CVE-2017-12329 (A vulnerability in the CLI of Cisco Firepower Extensible Operating Sys ...) NOT-FOR-US: Cisco CVE-2017-12328 (A vulnerability in Session Initiation Protocol (SIP) call handling in ...) NOT-FOR-US: Cisco CVE-2017-12327 RESERVED CVE-2017-12326 RESERVED CVE-2017-12325 RESERVED CVE-2017-12324 RESERVED CVE-2017-12323 (Multiple vulnerabilities in the web interface of the Cisco Registered ...) NOT-FOR-US: Cisco CVE-2017-12322 (Multiple vulnerabilities in the web interface of the Cisco Registered ...) NOT-FOR-US: Cisco CVE-2017-12321 (Multiple vulnerabilities in the web interface of the Cisco Registered ...) NOT-FOR-US: Cisco CVE-2017-12320 (Multiple vulnerabilities in the web interface of the Cisco Registered ...) NOT-FOR-US: Cisco CVE-2017-12319 (A vulnerability in the Border Gateway Protocol (BGP) over an Ethernet ...) NOT-FOR-US: Cisco CVE-2017-12318 (A vulnerability in the TCP state machine of Cisco RF Gateway 1 devices ...) NOT-FOR-US: Cisco CVE-2017-12317 (The Cisco AMP For Endpoints application allows an authenticated, local ...) NOT-FOR-US: Cisco CVE-2017-12316 (A vulnerability in the Guest Portal login page of Cisco Identity Servi ...) NOT-FOR-US: Cisco CVE-2017-12315 (A vulnerability in system logging when replication is being configured ...) NOT-FOR-US: Cisco CVE-2017-12314 (A vulnerability in the Cisco FindIT Network Discovery Utility could al ...) NOT-FOR-US: Cisco CVE-2017-12313 (An untrusted search path (aka DLL Preload) vulnerability in the Cisco ...) NOT-FOR-US: Cisco CVE-2017-12312 (An untrusted search path (aka DLL Preloading) vulnerability in the Cis ...) NOT-FOR-US: Cisco CVE-2017-12311 (A vulnerability in the H.264 decoder function of Cisco Meeting Server ...) NOT-FOR-US: Cisco CVE-2017-12310 (A vulnerability in the auto discovery phase of Cisco Spark Hybrid Cale ...) NOT-FOR-US: Cisco CVE-2017-12309 (A vulnerability in the Cisco Email Security Appliance (ESA) could allo ...) NOT-FOR-US: Cisco CVE-2017-12308 (A vulnerability in the web framework of Cisco Small Business Managed S ...) NOT-FOR-US: Cisco CVE-2017-12307 (A vulnerability in the web framework of Cisco Small Business Managed S ...) NOT-FOR-US: Cisco CVE-2017-12306 (A vulnerability in the upgrade process of Cisco Spark Board could allo ...) NOT-FOR-US: Cisco CVE-2017-12305 (A vulnerability in the debug interface of Cisco IP Phone 8800 series c ...) NOT-FOR-US: Cisco CVE-2017-12304 (A vulnerability in the IOS daemon (IOSd) web-based management interfac ...) NOT-FOR-US: Cisco CVE-2017-12303 (A vulnerability in the Advanced Malware Protection (AMP) file filterin ...) NOT-FOR-US: Cisco CVE-2017-12302 (A vulnerability in the Cisco Unified Communications Manager SQL databa ...) NOT-FOR-US: Cisco CVE-2017-12301 (A vulnerability in the Python scripting subsystem of Cisco NX-OS Softw ...) NOT-FOR-US: Cisco CVE-2017-12300 (A vulnerability in the SNORT detection engine of Cisco Firepower Syste ...) NOT-FOR-US: Cisco CVE-2017-12299 (A vulnerability exists in the process of creating default IP blocks du ...) NOT-FOR-US: Cisco CVE-2017-12298 (A vulnerability in Cisco WebEx Meeting Center could allow an unauthent ...) NOT-FOR-US: Cisco CVE-2017-12297 (A vulnerability in Cisco WebEx Meeting Center could allow an authentic ...) NOT-FOR-US: Cisco CVE-2017-12296 (A vulnerability in Cisco WebEx Meetings Server could allow an unauthen ...) NOT-FOR-US: Cisco CVE-2017-12295 (A vulnerability in Cisco WebEx Meetings Server could allow an unauthen ...) NOT-FOR-US: Cisco CVE-2017-12294 (A vulnerability in Cisco WebEx Meetings Server could allow an authenti ...) NOT-FOR-US: Cisco CVE-2017-12293 (A vulnerability in Cisco WebEx Meetings Server could allow an unauthen ...) NOT-FOR-US: Cisco CVE-2017-12292 (Multiple vulnerabilities in the web interface of the Cisco Registered ...) NOT-FOR-US: Cisco CVE-2017-12291 (Multiple vulnerabilities in the web interface of the Cisco Registered ...) NOT-FOR-US: Cisco CVE-2017-12290 (Multiple vulnerabilities in the web interface of the Cisco Registered ...) NOT-FOR-US: Cisco CVE-2017-12289 (A vulnerability in conditional, verbose debug logging for the IPsec fe ...) NOT-FOR-US: Cisco CVE-2017-12288 (A vulnerability in the web-based management interface of Cisco Unified ...) NOT-FOR-US: Cisco CVE-2017-12287 (A vulnerability in the cluster database (CDB) management component of ...) NOT-FOR-US: Cisco CVE-2017-12286 (A vulnerability in the web interface of Cisco Jabber could allow an au ...) NOT-FOR-US: Cisco CVE-2017-12285 (A vulnerability in the web interface of Cisco Network Analysis Module ...) NOT-FOR-US: Cisco CVE-2017-12284 (A vulnerability in the web interface of Cisco Jabber for Windows Clien ...) NOT-FOR-US: Cisco CVE-2017-12283 (A vulnerability in the handling of 802.11w Protected Management Frames ...) NOT-FOR-US: Cisco CVE-2017-12282 (A vulnerability in the Access Network Query Protocol (ANQP) ingress fr ...) NOT-FOR-US: Cisco CVE-2017-12281 (A vulnerability in the implementation of Protected Extensible Authenti ...) NOT-FOR-US: Cisco CVE-2017-12280 (A vulnerability in the Control and Provisioning of Wireless Access Poi ...) NOT-FOR-US: Cisco CVE-2017-12279 (A vulnerability in the packet processing code of Cisco IOS Software fo ...) NOT-FOR-US: Cisco CVE-2017-12278 (A vulnerability in the Simple Network Management Protocol (SNMP) subsy ...) NOT-FOR-US: Cisco CVE-2017-12277 (A vulnerability in the Smart Licensing Manager service of the Cisco Fi ...) NOT-FOR-US: Cisco CVE-2017-12276 (A vulnerability in the web framework code for the SQL database interfa ...) NOT-FOR-US: Cisco CVE-2017-12275 (A vulnerability in the implementation of 802.11v Basic Service Set (BS ...) NOT-FOR-US: Cisco CVE-2017-12274 (A vulnerability in Extensible Authentication Protocol (EAP) ingress fr ...) NOT-FOR-US: Cisco CVE-2017-12273 (A vulnerability in 802.11 association request frame processing for the ...) NOT-FOR-US: Cisco CVE-2017-12272 (A vulnerability in the web framework code of Cisco IOS XE Software cou ...) NOT-FOR-US: Cisco CVE-2017-12271 (A vulnerability in Cisco SPA300 and SPA500 Series IP Phones could allo ...) NOT-FOR-US: Cisco CVE-2017-12270 (A vulnerability in the gRPC code of Cisco IOS XR Software for Cisco Ne ...) NOT-FOR-US: Cisco CVE-2017-12269 (A vulnerability in the web UI of Cisco Spark Messaging Software could ...) NOT-FOR-US: Cisco CVE-2017-12268 (A vulnerability in the Network Access Manager (NAM) of Cisco AnyConnec ...) NOT-FOR-US: Cisco CVE-2017-12267 (A vulnerability in the Independent Computing Architecture (ICA) accele ...) NOT-FOR-US: Cisco CVE-2017-12266 (A vulnerability in the routine that loads DLL files in Cisco Meeting A ...) NOT-FOR-US: Cisco CVE-2017-12265 (A vulnerability in the web-based management interface of Cisco Adaptiv ...) NOT-FOR-US: Cisco CVE-2017-12264 (A vulnerability in the Web Admin Interface of Cisco Meeting Server cou ...) NOT-FOR-US: Cisco CVE-2017-12263 (A vulnerability in the web interface of Cisco License Manager software ...) NOT-FOR-US: Cisco CVE-2017-12262 (A vulnerability within the firewall configuration of the Cisco Applica ...) NOT-FOR-US: Cisco CVE-2017-12261 (A vulnerability in the restricted shell of the Cisco Identity Services ...) NOT-FOR-US: Cisco CVE-2017-12260 (A vulnerability in the implementation of Session Initiation Protocol ( ...) NOT-FOR-US: Cisco CVE-2017-12259 (A vulnerability in the implementation of Session Initiation Protocol ( ...) NOT-FOR-US: Cisco CVE-2017-12258 (A vulnerability in the web-based UI of Cisco Unified Communications Ma ...) NOT-FOR-US: Cisco CVE-2017-12257 (A vulnerability in the web framework of Cisco WebEx Meetings Server co ...) NOT-FOR-US: Cisco CVE-2017-12256 (A vulnerability in the Akamai Connect feature of Cisco Wide Area Appli ...) NOT-FOR-US: Cisco CVE-2017-12255 (A vulnerability in the CLI of Cisco UCS Central Software could allow a ...) NOT-FOR-US: Cisco CVE-2017-12254 (A vulnerability in the web interface of Cisco Unified Intelligence Cen ...) NOT-FOR-US: Cisco CVE-2017-12253 (A vulnerability in the Cisco Unified Intelligence Center could allow a ...) NOT-FOR-US: Cisco CVE-2017-12252 (A vulnerability in the Cisco FindIT Network Discovery Utility could al ...) NOT-FOR-US: Cisco CVE-2017-12251 (A vulnerability in the web console of the Cisco Cloud Services Platfor ...) NOT-FOR-US: Cisco CVE-2017-12250 (A vulnerability in the HTTP web interface for Cisco Wide Area Applicat ...) NOT-FOR-US: Cisco CVE-2017-12249 (A vulnerability in the Traversal Using Relay NAT (TURN) server include ...) NOT-FOR-US: Cisco Meeting Server CVE-2017-12248 (A vulnerability in the web framework code of Cisco Unified Intelligenc ...) NOT-FOR-US: Cisco CVE-2017-12247 RESERVED CVE-2017-12246 (A vulnerability in the implementation of the direct authentication fea ...) NOT-FOR-US: Cisco CVE-2017-12245 (A vulnerability in SSL traffic decryption for Cisco Firepower Threat D ...) NOT-FOR-US: Cisco CVE-2017-12244 (A vulnerability in the detection engine parsing of IPv6 packets for Ci ...) NOT-FOR-US: Cisco CVE-2017-12243 (A vulnerability in the Cisco Unified Computing System (UCS) Manager, C ...) NOT-FOR-US: Cisco CVE-2017-12242 RESERVED CVE-2017-12241 RESERVED CVE-2017-12240 (The DHCP relay subsystem of Cisco IOS 12.2 through 15.6 and Cisco IOS ...) NOT-FOR-US: Cisco CVE-2017-12239 (A vulnerability in motherboard console ports of line cards for Cisco A ...) NOT-FOR-US: Cisco CVE-2017-12238 (A vulnerability in the Virtual Private LAN Service (VPLS) code of Cisc ...) NOT-FOR-US: Cisco CVE-2017-12237 (A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module ...) NOT-FOR-US: Cisco CVE-2017-12236 (A vulnerability in the implementation of the Locator/ID Separation Pro ...) NOT-FOR-US: Cisco CVE-2017-12235 (A vulnerability in the implementation of the PROFINET Discovery and Co ...) NOT-FOR-US: Cisco CVE-2017-12234 (Multiple vulnerabilities in the implementation of the Common Industria ...) NOT-FOR-US: Cisco CVE-2017-12233 (Multiple vulnerabilities in the implementation of the Common Industria ...) NOT-FOR-US: Cisco CVE-2017-12232 (A vulnerability in the implementation of a protocol in Cisco Integrate ...) NOT-FOR-US: Cisco CVE-2017-12231 (A vulnerability in the implementation of Network Address Translation ( ...) NOT-FOR-US: Cisco CVE-2017-12230 (A vulnerability in the web-based user interface (web UI) of Cisco IOS ...) NOT-FOR-US: Cisco CVE-2017-12229 (A vulnerability in the REST API of the web-based user interface (web U ...) NOT-FOR-US: Cisco CVE-2017-12228 (A vulnerability in the Cisco Network Plug and Play application of Cisc ...) NOT-FOR-US: Cisco CVE-2017-12227 (A vulnerability in the SQL database interface for Cisco Emergency Resp ...) NOT-FOR-US: Cisco CVE-2017-12226 (A vulnerability in the web-based Wireless Controller GUI of Cisco IOS ...) NOT-FOR-US: Cisco CVE-2017-12225 (A vulnerability in the web functionality of the Cisco Prime LAN Manage ...) NOT-FOR-US: Cisco CVE-2017-12224 (A vulnerability in the ability for guest users to join meetings via a ...) NOT-FOR-US: Cisco CVE-2017-12223 (A vulnerability in the ROM Monitor (ROMMON) code of Cisco IR800 Integr ...) NOT-FOR-US: Cisco CVE-2017-12222 (A vulnerability in the wireless controller manager of Cisco IOS XE cou ...) NOT-FOR-US: Cisco CVE-2017-12221 (A vulnerability in the web framework of Cisco Firepower Management Cen ...) NOT-FOR-US: Cisco CVE-2017-12220 (A vulnerability in the web-based management interface of Cisco Firepow ...) NOT-FOR-US: Cisco CVE-2017-12219 (A vulnerability in the handling of IP fragments for the Cisco Small Bu ...) NOT-FOR-US: Cisco CVE-2017-12218 (A vulnerability in the malware detection functionality within Advanced ...) NOT-FOR-US: Cisco CVE-2017-12217 (A vulnerability in the General Packet Radio Service (GPRS) Tunneling P ...) NOT-FOR-US: Cisco CVE-2017-12216 (A vulnerability in the web-based user interface of Cisco SocialMiner c ...) NOT-FOR-US: Cisco CVE-2017-12215 (A vulnerability in the email message filtering feature of Cisco AsyncO ...) NOT-FOR-US: Cisco CVE-2017-12214 (A vulnerability in the Operations, Administration, Maintenance, and Pr ...) NOT-FOR-US: Cisco CVE-2017-12213 (A vulnerability in the dynamic access control list (ACL) feature of Ci ...) NOT-FOR-US: Cisco CVE-2017-12212 (A vulnerability in the web framework of Cisco Unity Connection could a ...) NOT-FOR-US: Cisco CVE-2017-12211 (A vulnerability in the IPv6 Simple Network Management Protocol (SNMP) ...) NOT-FOR-US: Cisco CVE-2017-12210 RESERVED CVE-2017-12209 RESERVED CVE-2017-12208 RESERVED CVE-2017-12207 RESERVED CVE-2017-12206 RESERVED CVE-2017-12205 RESERVED CVE-2017-12204 RESERVED CVE-2017-12203 RESERVED CVE-2017-12202 RESERVED CVE-2017-12201 RESERVED CVE-2016-10403 (Insufficient data validation on image data in PDFium in Google Chrome ...) {DSA-3590-1} - chromium-browser 51.0.2704.63-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-12425 (An issue was discovered in Varnish HTTP Cache 4.0.1 through 4.0.4, 4.1 ...) {DSA-3924-1} - varnish 5.0.0-7.1 (bug #870467) [wheezy] - varnish (code path is not exposed to clients) NOTE: https://www.varnish-cache.org/security/VSV00001.html#vsv00001 NOTE: https://github.com/varnishcache/varnish-cache/issues/2379 NOTE: https://github.com/varnishcache/varnish-cache/commit/09731b24b2225e3c0d66d3ec1b4fedef6fa22b6e CVE-2017-12200 (The Etoile Ultimate Product Catalog plugin 4.2.11 for WordPress has XS ...) NOT-FOR-US: Wordpress plugin CVE-2017-12199 (The Etoile Ultimate Product Catalog plugin 4.2.11 for WordPress has SQ ...) NOT-FOR-US: Wordpress plugin CVE-2017-12198 RESERVED CVE-2017-12197 (It was found that libpam4j up to and including 1.8 did not properly va ...) {DSA-4025-1 DLA-1165-1} - libpam4j 1.4-3 (bug #879001) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1503103 NOTE: https://github.com/kohsuke/libpam4j/issues/18 NOTE: (Non-upstream) patch: https://github.com/letonez/libpam4j/commit/84f32f4001fc6bdcc125ccc959081de022d18b6d CVE-2017-12196 (undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was fou ...) - undertow 1.4.25-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1503055 NOTE: Fixed by https://github.com/undertow-io/undertow/commit/facb33a5cedaf4b7b96d3840a08210370a806870 NOTE: See also https://github.com/undertow-io/undertow/commit/8804170ce3186bdd83b486959399ec7ac0f59d0f CVE-2017-12195 (A flaw was found in all Openshift Enterprise versions using the opensh ...) NOT-FOR-US: OpenShift CVE-2017-12194 (A flaw was found in the way spice-client processed certain messages se ...) - spice-gtk 0.35-1 (bug #898503) [stretch] - spice-gtk (Minor issue) [jessie] - spice-gtk (Minor issue) [wheezy] - spice-gtk (Vulnerable code is not in any binary package, only in the source package) NOTE: Proposed patches in: https://bugzilla.redhat.com/show_bug.cgi?id=1240165 NOTE: Although not present in the binary packages the (de)marshal.py are used to NOTE: generate repsecitve code which should be in libspice-common-client. CVE-2017-12193 (The assoc_array_insert_into_terminal_node function in lib/assoc_array. ...) - linux 4.13.13-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 [wheezy] - linux (Vulnerable code introduced in 3.13-rc1) NOTE: Fixed by: https://git.kernel.org/linus/ea6789980fdaa610d7eb63602c746bf6ec70cd2b (4.14-rc7) NOTE: Introduced by: https://git.kernel.org/linus/3cb989501c2688cacbb7dc4b0d353faf838f53a1 (3.13-rc1) CVE-2017-12192 (The keyctl_read_key function in security/keys/keyctl.c in the Key Mana ...) - linux 4.13.4-2 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/37863c43b2c6464f252862bf2e9768264e961678 (4.14-rc3) NOTE: Introduced by: https://git.kernel.org/linus/61ea0c0ba904a55f55317d850c1072ff7835ac92 (3.13-rc1) CVE-2017-12191 (A flaw was found in the CloudForms account configuration when using VM ...) NOT-FOR-US: Red Hat CloudForms CVE-2017-12190 (The bio_map_user_iov and bio_unmap_user functions in block/bio.c in th ...) {DLA-1200-1} - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1495089 CVE-2017-12189 (It was discovered that the jboss init script as used in Red Hat JBoss ...) NOT-FOR-US: Red Hat JBoss; jbossas init script CVE-2017-12188 (arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5, when nested vir ...) - linux 4.13.4-2 [stretch] - linux 4.9.65-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1500380 NOTE: https://www.spinics.net/lists/kvm/msg156651.html CVE-2017-12187 (xorg-x11-server before 1.19.5 was missing length validation in RENDER ...) {DSA-4000-1 DLA-1186-1} - xorg-server 2:1.19.5-1 NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=cad5a1050b7184d828aef9c1dd151c3ab649d37e CVE-2017-12186 (xorg-x11-server before 1.19.5 was missing length validation in X-Resou ...) {DSA-4000-1} - xorg-server 2:1.19.5-1 [wheezy] - xorg-server (Vulnerable code introduced later) NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=cad5a1050b7184d828aef9c1dd151c3ab649d37e CVE-2017-12185 (xorg-x11-server before 1.19.5 was missing length validation in MIT-SCR ...) {DSA-4000-1 DLA-1186-1} - xorg-server 2:1.19.5-1 NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=cad5a1050b7184d828aef9c1dd151c3ab649d37e CVE-2017-12184 (xorg-x11-server before 1.19.5 was missing length validation in XINERAM ...) {DSA-4000-1 DLA-1186-1} - xorg-server 2:1.19.5-1 NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=cad5a1050b7184d828aef9c1dd151c3ab649d37e CVE-2017-12183 (xorg-x11-server before 1.19.5 was missing length validation in XFIXES ...) {DSA-4000-1 DLA-1186-1} - xorg-server 2:1.19.5-1 NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=55caa8b08c84af2b50fbc936cf334a5a93dd7db5 CVE-2017-12182 (xorg-x11-server before 1.19.5 was missing length validation in XFree86 ...) {DSA-4000-1 DLA-1186-1} - xorg-server 2:1.19.5-1 NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=1b1d4c04695dced2463404174b50b3581dbd857b CVE-2017-12181 (xorg-x11-server before 1.19.5 was missing length validation in XFree86 ...) {DSA-4000-1} - xorg-server 2:1.19.5-1 [wheezy] - xorg-server (Vulnerable code introduced later) NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=1b1d4c04695dced2463404174b50b3581dbd857b CVE-2017-12180 (xorg-x11-server before 1.19.5 was missing length validation in XFree86 ...) {DSA-4000-1 DLA-1186-1} - xorg-server 2:1.19.5-1 NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=1b1d4c04695dced2463404174b50b3581dbd857b CVE-2017-12179 (xorg-x11-server before 1.19.5 was vulnerable to integer overflow in (S ...) {DSA-4000-1} - xorg-server 2:1.19.5-1 [wheezy] - xorg-server (Vulnerable code introduced later) CVE-2017-12178 (xorg-x11-server before 1.19.5 had wrong extra length check in ProcXICh ...) {DSA-4000-1 DLA-1186-1} - xorg-server 2:1.19.5-1 NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=859b08d523307eebde7724fd1a0789c44813e821 CVE-2017-12177 (xorg-x11-server before 1.19.5 was vulnerable to integer overflow in Pr ...) {DSA-4000-1 DLA-1186-1} - xorg-server 2:1.19.5-1 NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=4ca68b878e851e2136c234f40a25008297d8d831 CVE-2017-12176 (xorg-x11-server before 1.19.5 was missing extra length validation in P ...) {DSA-4000-1 DLA-1186-1} - xorg-server 2:1.19.5-1 NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=b747da5e25be944337a9cd1415506fc06b70aa81 CVE-2017-12175 (Red Hat Satellite before 6.5 is vulnerable to a XSS in discovery rule ...) NOT-FOR-US: Red Hat Satellite CVE-2017-12174 (It was found that when Artemis and HornetQ before 2.4.0 are configured ...) NOT-FOR-US: Artemis and HornetQ CVE-2017-12173 (It was found that sssd's sysdb_search_user_by_upn_res() function befor ...) - sssd 1.15.3-2 (bug #877885) [stretch] - sssd 1.15.0-3+deb9u1 [jessie] - sssd (Vulnerable code introduced later) [wheezy] - sssd (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1498173 NOTE: Fixed by: https://pagure.io/SSSD/sssd/c/1f2662c8f97c9c0fa250055d4b6750abfc6d0835 NOTE: Introduced by https://pagure.io/SSSD/sssd/c/7ecb5aea65cb1899f16e7a41bffa93d074defd4a (sssd-1_12_0) CVE-2017-12172 (PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, ...) - postgresql-10 10.1-1 (unimportant) - postgresql-9.6 (unimportant) [stretch] - postgresql-9.6 9.6.6-0+deb9u1 - postgresql-9.4 (unimportant) [jessie] - postgresql-9.4 9.4.15-0+deb8u1 - postgresql-9.1 (unimportant) [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) [wheezy] - postgresql-9.1 (Vulnerable code not installed) NOTE: Issue in sample init-scirpt as provided by postgresql project, but not installed CVE-2017-12171 (A regression was found in the Red Hat Enterprise Linux 6.9 version of ...) - apache2 (Introduced by Red Hat RHEL 6.9 specific non-security patch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1493056 CVE-2017-12170 (Downstream version 1.0.46-1 of pure-ftpd as shipped in Fedora was vuln ...) - pure-ftpd (Fedora specific packaging error) CVE-2017-12169 (It was found that FreeIPA 4.2.0 and later could disclose password hash ...) - freeipa (unimportant; bug #895950) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1487697 NOTE: Proposed patch: https://bugzilla.redhat.com/attachment.cgi?id=1331008 NOTE: Negligible security impact CVE-2017-12168 (The access_pmu_evcntr function in arch/arm64/kvm/sys_regs.c in the Lin ...) - linux 4.8.11-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/9e3f7a29694049edd728e2400ab57ad7553e5aa9 (4.9-rc6) CVE-2017-12167 (It was found in EAP 7 before 7.0.9 that properties based files of the ...) NOT-FOR-US: Red Hat JBoss EAP CVE-2017-12166 (OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnerable to ...) - openvpn 2.4.4-1 (bug #877089) [stretch] - openvpn (Minor issue) [jessie] - openvpn (Minor issue) [wheezy] - openvpn (Minor issue) NOTE: https://community.openvpn.net/openvpn/wiki/CVE-2017-12166 NOTE: http://www.openwall.com/lists/oss-security/2017/09/28/2 NOTE: https://community.openvpn.net/openvpn/changeset/3b1a61e9fb27213c46f76312f4065816bee8ed01/ (master) NOTE: https://community.openvpn.net/openvpn/changeset/c7e259160b28e94e4ea7f0ef767f8134283af255/ (release/2.4) NOTE: https://community.openvpn.net/openvpn/changeset/fce34375295151f548a26c2d0eb30141e427c81a/ (release/2.3) NOTE: https://community.openvpn.net/openvpn/changeset/a9f5c744d6b09f2495ca48d2c926efd3a4b981e6/ (release/2.2) CVE-2017-12165 (It was discovered that Undertow before 1.4.17, 1.3.31 and 2.0.0 proces ...) - undertow 2.0.23-1 (bug #885338) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1490301 NOTE: Fix likely included in the same commit as the fix for CVE-2017-7559 NOTE: https://github.com/undertow-io/undertow/commit/3436b03eda8b0b62c1855698c4d7c358add836c2 CVE-2017-12164 (A flaw was discovered in gdm 3.24.1 where gdm greeter was no longer se ...) - gdm3 3.26.0-1 [stretch] - gdm3 (Vulnerable code not present) [jessie] - gdm3 (Vulnerable code not present) [wheezy] - gdm3 (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1490417 NOTE: Introduced in https://git.gnome.org/browse/gdm/commit/?id=ff98b28 CVE-2017-12163 (An information leak flaw was found in the way SMB1 protocol was implem ...) {DSA-3983-1 DLA-1110-1} - samba 2:4.6.7+dfsg-2 NOTE: https://www.samba.org/samba/security/CVE-2017-12163.html CVE-2017-12162 RESERVED CVE-2017-12161 (It was found that keycloak before 3.4.2 final would permit misuse of a ...) NOT-FOR-US: Keycloak CVE-2017-12160 (It was found that Keycloak oauth would permit an authenticated resourc ...) NOT-FOR-US: Keycloak CVE-2017-12159 (It was found that the cookie used for CSRF prevention in Keycloak was ...) NOT-FOR-US: Keycloak CVE-2017-12158 (It was found that Keycloak would accept a HOST header URL in the admin ...) NOT-FOR-US: Keycloak CVE-2017-12157 (In Moodle 3.x, various course reports allow teachers to view details a ...) - moodle NOTE: https://moodle.org/mod/forum/discuss.php?d=358586 CVE-2017-12156 (Moodle 3.x has XSS in the contact form on the "non-respondents" page i ...) - moodle NOTE: https://moodle.org/mod/forum/discuss.php?d=358585 CVE-2017-12155 (A resource-permission flaw was found in the openstack-tripleo-heat-tem ...) - tripleo-heat-templates (bug #900176) NOTE: https://bugs.launchpad.net/tripleo/+bug/1720787 CVE-2017-12154 (The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel ...) {DSA-3981-1 DLA-1099-1} - linux 4.12.13-1 NOTE: Fixed by: https://git.kernel.org/linus/51aa68e7d57e3217192d88ce90fd5b8ef29ec94f (v4.14-rc1) NOTE: https://www.spinics.net/lists/kvm/msg155414.html CVE-2017-12153 (A security flaw was discovered in the nl80211_set_rekey_data() functio ...) {DSA-3981-1 DLA-1099-1} - linux 4.12.13-1 NOTE: https://marc.info/?t=150525503100001&r=1&w=2 NOTE: https://marc.info/?l=linux-wireless&m=150525493517953&w=2 CVE-2017-12152 RESERVED CVE-2017-12151 (A flaw was found in the way samba client before samba 4.4.16, samba 4. ...) {DSA-3983-1} - samba 2:4.6.7+dfsg-2 [wheezy] - samba (Vulnerable code introduced later) NOTE: https://www.samba.org/samba/security/CVE-2017-12151.html CVE-2017-12150 (It was found that samba before 4.4.16, 4.5.x before 4.5.14, and 4.6.x ...) {DSA-3983-1 DLA-1110-1} - samba 2:4.6.7+dfsg-2 NOTE: https://www.samba.org/samba/security/CVE-2017-12150.html CVE-2017-12149 (In Jboss Application Server as shipped with Red Hat Enterprise Applica ...) - jbossas4 [wheezy] - jbossas4 (incomplete packaging, 4.x series released more than nine years ago.) CVE-2017-12148 (A flaw was found in Ansible Tower's interface before 3.1.5 and 3.2.0 w ...) NOT-FOR-US: Ansible Tower CVE-2017-12147 RESERVED CVE-2017-12146 (The driver_override implementation in drivers/base/platform.c in the L ...) - linux 4.11.11-1 [stretch] - linux 4.9.30-2+deb9u5 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/6265539776a0810b7ce6398c27866ddb9c6bd154 (v4.13-rc1) CVE-2017-12145 (In libquicktime 1.2.4, an allocation failure was found in the function ...) - libquicktime (unimportant) NOTE: Negligible security impact CVE-2017-12144 (In ytnef 1.9.2, an allocation failure was found in the function TNEFFi ...) - libytnef 1.9.3-1 (bug #870817) [stretch] - libytnef (Minor issue) [jessie] - libytnef (Minor issue) [wheezy] - libytnef (Minor issue) NOTE: https://github.com/Yeraze/ytnef/issues/51 NOTE: https://github.com/ohwgiles/ytnef/commit/a341b7f1bf8a2c59ece89f2d6cdc09856d501cc0 CVE-2017-12143 (In libquicktime 1.2.4, an allocation failure was found in the function ...) - libquicktime (unimportant) NOTE: Negligible security impact CVE-2017-12142 (In ytnef 1.9.2, an invalid memory read vulnerability was found in the ...) - libytnef 1.9.3-1 (low; bug #870816) [stretch] - libytnef (Minor issue) [jessie] - libytnef (Minor issue) [wheezy] - libytnef (Minor issue) NOTE: https://github.com/Yeraze/ytnef/issues/49 NOTE: https://github.com/Yeraze/ytnef/commit/35dc50190aac54947bafb3d84ab7727e940c6236 CVE-2017-12141 (In ytnef 1.9.2, a heap-based buffer overflow vulnerability was found i ...) - libytnef 1.9.3-1 (low; bug #870815) [stretch] - libytnef (Minor issue) [jessie] - libytnef (Minor issue) [wheezy] - libytnef (Minor issue) NOTE: https://github.com/Yeraze/ytnef/issues/50 CVE-2017-12140 (The ReadDCMImage function in coders\dcm.c in ImageMagick 7.0.6-1 has a ...) {DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #873059) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/533 NOTE: https://github.com/ImageMagick/ImageMagick/commit/94933146cb2d9d95889a385f08d5eb5f92d4e3cd NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/6bf56fbe1fc551f198c3491ed58d56bb5efea23c CVE-2017-12139 (XOOPS Core 2.5.8 has stored XSS in imagemanager.php because of missing ...) NOT-FOR-US: XOOPS CVE-2017-12138 (XOOPS Core 2.5.8 has a stored URL redirect bypass vulnerability in /mo ...) NOT-FOR-US: XOOPS CVE-2017-12137 (arch/x86/mm.c in Xen allows local PV guest OS users to gain host OS pr ...) {DSA-3969-1 DLA-1132-1} - xen 4.8.1-1+deb9u3 NOTE: https://xenbits.xen.org/xsa/advisory-227.html CVE-2017-12136 (Race condition in the grant table code in Xen 4.6.x through 4.9.x allo ...) - xen 4.8.1-1+deb9u3 [stretch] - xen 4.8.1-1+deb9u3 [jessie] - xen (Only affects 4.6 and later) [wheezy] - xen (Only affects 4.6 and later) NOTE: https://xenbits.xen.org/xsa/advisory-228.html CVE-2017-12135 (Xen allows local OS guest users to cause a denial of service (crash) o ...) {DSA-3969-1 DLA-1132-1} - xen 4.8.1-1+deb9u3 NOTE: https://xenbits.xen.org/xsa/advisory-226.html CVE-2017-12134 (The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xe ...) {DSA-3981-1 DLA-1099-1} - linux 4.12.12-1 NOTE: https://xenbits.xen.org/xsa/advisory-229.html NOTE: https://git.kernel.org/linus/462cdace790ac2ed6aad1b19c9c0af0143b6aab0 (v4.13-rc6) CVE-2017-12133 (Use-after-free vulnerability in the clntudp_call function in sunrpc/cl ...) - glibc 2.24-15 (bug #870648) [stretch] - glibc 2.24-11+deb9u2 [jessie] - glibc (Minor issue) - eglibc [wheezy] - eglibc (Minor issue) NOTE: issue introduced by fix for CVE-2016-4429 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21115 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d42eed4a044e5e10dfb885cf9891c2518a72a491 CVE-2017-12132 (The DNS stub resolver in the GNU C Library (aka glibc or libc6) before ...) [experimental] - glibc 2.25-0experimental1 - glibc 2.25-1 (bug #870650) [stretch] - glibc (Minor issue) [jessie] - glibc (Minor issue) - eglibc [wheezy] - eglibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21361 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e14a27723cc3a154d67f3f26e719d08c0ba9ad25 NOTE: https://arxiv.org/pdf/1205.4011.pdf CVE-2017-12131 (The Easy Testimonials plugin 3.0.4 for WordPress has XSS in include/se ...) NOT-FOR-US: Wordpress plugin CVE-2017-12130 (An exploitable NULL pointer dereference vulnerability exists in the ti ...) NOT-FOR-US: tinysvcmdns CVE-2017-12129 (An exploitable Weak Cryptography for Passwords vulnerability exists in ...) NOT-FOR-US: Moxa CVE-2017-12128 (An exploitable information disclosure vulnerability exists in the Serv ...) NOT-FOR-US: Moxa CVE-2017-12127 (A password storage vulnerability exists in the operating system functi ...) NOT-FOR-US: Moxa CVE-2017-12126 (An exploitable cross-site request forgery vulnerability exists in the ...) NOT-FOR-US: Moxa CVE-2017-12125 (An exploitable command injection vulnerability exists in the web serve ...) NOT-FOR-US: Moxa CVE-2017-12124 (An exploitable denial of service vulnerability exists in the web serve ...) NOT-FOR-US: Moxa CVE-2017-12123 (An exploitable clear text transmission of password vulnerability exist ...) NOT-FOR-US: Moxa CVE-2017-12122 (An exploitable code execution vulnerability exists in the ILBM image r ...) {DSA-4184-1 DSA-4177-1 DLA-1341-1} - libsdl2-image 2.0.3+dfsg1-1 - sdl-image1.2 1.2.12-8 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0488 NOTE: https://hg.libsdl.org/SDL_image/rev/16772bbb1b09 NOTE: https://hg.libsdl.org/SDL_image/rev/97f7f01e0665 CVE-2017-12121 (An exploitable command injection vulnerability exists in the web serve ...) NOT-FOR-US: Moxa CVE-2017-12120 (An exploitable command injection vulnerability exists in the web serve ...) NOT-FOR-US: Moxa CVE-2017-12119 (An exploitable unhandled exception vulnerability exists in multiple AP ...) - cpp-ethereum (bug #860434) CVE-2017-12118 (An exploitable improper authorization vulnerability exists in miner_st ...) - cpp-ethereum (bug #860434) CVE-2017-12117 (An exploitable improper authorization vulnerability exists in miner_st ...) - cpp-ethereum (bug #860434) CVE-2017-12116 (An exploitable improper authorization vulnerability exists in miner_se ...) - cpp-ethereum (bug #860434) CVE-2017-12115 (An exploitable improper authorization vulnerability exists in miner_se ...) - cpp-ethereum (bug #860434) CVE-2017-12114 (An exploitable improper authorization vulnerability exists in admin_pe ...) - cpp-ethereum (bug #860434) CVE-2017-12113 (An exploitable improper authorization vulnerability exists in admin_no ...) - cpp-ethereum (bug #860434) CVE-2017-12112 (An exploitable improper authorization vulnerability exists in admin_ad ...) - cpp-ethereum (bug #860434) CVE-2017-12111 (An exploitable out-of-bounds vulnerability exists in the xls_addCell f ...) {DSA-4173-1} - r-cran-readxl 1.0.0-2 (bug #895564) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0463 CVE-2017-12110 (An exploitable integer overflow vulnerability exists in the xls_append ...) {DSA-4173-1} - r-cran-readxl 1.0.0-2 (bug #895564) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0462 CVE-2017-12109 (An exploitable integer overflow vulnerability exists in the xls_prepar ...) {DSA-4173-1} - r-cran-readxl 1.0.0-2 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0461 CVE-2017-12108 (An exploitable integer overflow vulnerability exists in the xls_prepar ...) {DSA-4173-1} - r-cran-readxl 1.0.0-2 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0460 CVE-2017-12107 (An memory corruption vulnerability exists in the .PCX parsing function ...) NOT-FOR-US: Computerinsel Photoline CVE-2017-12106 (A memory corruption vulnerability exists in the .TGA parsing functiona ...) NOT-FOR-US: Computerinsel Photoline CVE-2017-12105 (An exploitable integer overflow exists in the way that the Blender ope ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0457 CVE-2017-12104 (An exploitable integer overflow exists in the way that the Blender ope ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e6df02861e17f75d4dd243776f35208681b78465 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0456 CVE-2017-12103 (An exploitable integer overflow exists in the way that the Blender ope ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e6df02861e17f75d4dd243776f35208681b78465 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0455 CVE-2017-12102 (An exploitable integer overflow exists in the way that the Blender ope ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e6df02861e17f75d4dd243776f35208681b78465 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0454 CVE-2017-12101 (An exploitable integer overflow exists in the 'modifier_mdef_compact_i ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0453 CVE-2017-12100 (An exploitable integer overflow exists in the 'multires_load_old_dm' f ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0452 CVE-2017-12099 (An exploitable integer overflow exists in the upgrade of the legacy Me ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0451 CVE-2017-12098 (An exploitable cross site scripting (XSS) vulnerability exists in the ...) - ruby-rails-admin (bug #900178) [stretch] - ruby-rails-admin (Minor issue) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0450 NOTE: https://github.com/sferik/rails_admin/issues/2985 NOTE: https://github.com/sferik/rails_admin/commit/44f09ed72b5e0e917a5d61bd89c48d97c494b41c CVE-2017-12097 (An exploitable cross site scripting (XSS) vulnerability exists in the ...) NOT-FOR-US: delayed_job_web rails gem CVE-2017-12096 (An exploitable vulnerability exists in the WiFi management of Circle w ...) NOT-FOR-US: Circle of Disney CVE-2017-12095 (An exploitable vulnerability exists in the WiFi Access Point feature o ...) NOT-FOR-US: Circle of Disney CVE-2017-12094 (An exploitable vulnerability exists in the WiFi Channel parsing of Cir ...) NOT-FOR-US: Circle with Disney CVE-2017-12093 (An exploitable insufficient resource pool vulnerability exists in the ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-12092 (An exploitable file write vulnerability exists in the memory module fu ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-12091 REJECTED CVE-2017-12090 (An exploitable denial of service vulnerability exists in the processin ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-12089 (An exploitable denial of service vulnerability exists in the program d ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-12088 (An exploitable denial of service vulnerability exists in the Ethernet ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-12087 (An exploitable heap overflow vulnerability exists in the tinysvcmdns l ...) - shairport-sync 3.1.4-1 (unimportant; bug #882508) NOTE: Debian build uses Avahi instead NOTE: https://bugs.launchpad.net/ubuntu/+source/shairport-sync/+bug/1729668 CVE-2017-12086 (An exploitable integer overflow exists in the 'BKE_mesh_calc_normals_t ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0438 CVE-2017-12085 (An exploitable routing vulnerability exists in the Circle with Disney ...) NOT-FOR-US: Circle with Disney CVE-2017-12084 (A backdoor vulnerability exists in remote control functionality of Cir ...) NOT-FOR-US: Circle with Disney CVE-2017-12083 (An exploitable information disclosure vulnerability exists in the apid ...) NOT-FOR-US: Circle with Disney CVE-2017-12082 (An exploitable integer overflow exists in the 'CustomData' Mesh loadin ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0434 CVE-2017-12081 (An exploitable integer overflow exists in the upgrade of a legacy Mesh ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0433 CVE-2017-12080 (An information exposure vulnerability in default HTTP configuration fi ...) NOT-FOR-US: Synology Photo Station CVE-2017-12079 (Files or directories accessible to external parties vulnerability in p ...) NOT-FOR-US: Synology Photo Station CVE-2017-12078 (Command injection vulnerability in EZ-Internet in Synology Router Mana ...) NOT-FOR-US: Synology CVE-2017-12077 (Uncontrolled Resource Consumption vulnerability in SYNO.Core.PortForwa ...) NOT-FOR-US: Synology CVE-2017-12076 (Uncontrolled Resource Consumption vulnerability in SYNO.Core.PortForwa ...) NOT-FOR-US: Synology CVE-2017-12075 (Command injection vulnerability in EZ-Internet in Synology DiskStation ...) NOT-FOR-US: Synology CVE-2017-12074 (Directory traversal vulnerability in the SYNO.DNSServer.Zone.MasterZon ...) NOT-FOR-US: Synology CVE-2017-12073 RESERVED CVE-2017-12072 (Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in ...) NOT-FOR-US: Synology CVE-2017-12071 (Server-side request forgery (SSRF) vulnerability in file_upload.php in ...) NOT-FOR-US: Synology CVE-2017-12070 (Unsigned versions of the DLLs distributed by the OPC Foundation may be ...) NOT-FOR-US: OPC Foundation CVE-2017-12069 (An XXE vulnerability has been identified in OPC Foundation UA .NET Sam ...) NOT-FOR-US: OPC Foundation UA .NET Sampe code and Local Discovery Server affecting various vendors CVE-2017-12068 (The Event List plugin 0.7.9 for WordPress has XSS in the slug array pa ...) NOT-FOR-US: Wordpress plugin CVE-2017-12067 (Potrace 1.14 has a heap-based buffer over-read in the interpolate_cubi ...) - potrace 1.15-1 (unimportant; bug #870356) NOTE: https://github.com/hackerlib/hackerlib-vul/tree/master/potrace/heap-buffer-overflow-mkbitmap NOTE: Upstream bug report https://sourceforge.net/p/potrace/bugs/22/ NOTE: Crash only in CLI tool mkbitmap, negligible security impact CVE-2017-12066 (Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Ca ...) - cacti 1.1.16+ds1-1 (bug #870354) [stretch] - cacti (Vulnerable code introduced later) [jessie] - cacti (Vulnerable code introduced later) [wheezy] - cacti (Vulnerable code introduced later) NOTE: https://github.com/Cacti/cacti/commit/bd0e586f6f46d814930226f1516a194e7e72293e NOTE: https://github.com/Cacti/cacti/issues/877 CVE-2017-12065 (spikekill.php in Cacti before 1.1.16 might allow remote attackers to e ...) - cacti 1.1.16+ds1-1 (bug #870353) [stretch] - cacti (Vulnerable code introduced later) [jessie] - cacti (Vulnerable code introduced later) [wheezy] - cacti (Vulnerable code introduced later) NOTE: https://github.com/Cacti/cacti/commit/bd0e586f6f46d814930226f1516a194e7e72293e NOTE: https://github.com/Cacti/cacti/issues/877 CVE-2017-12064 (The csv_log_html function in library/edihistory/edih_csv_inc.php in Op ...) NOT-FOR-US: OpenEMR CVE-2017-12063 RESERVED CVE-2017-12062 (An XSS issue was discovered in manage_user_page.php in MantisBT 2.x be ...) - mantis [wheezy] - mantis (Not supported in Wheezy LTS) CVE-2017-12061 (An XSS issue was discovered in admin/install.php in MantisBT before 1. ...) - mantis [wheezy] - mantis (Not supported in Wheezy LTS) CVE-2017-12060 RESERVED CVE-2017-12059 RESERVED CVE-2017-12058 RESERVED CVE-2017-12057 RESERVED CVE-2017-12056 RESERVED CVE-2017-12055 RESERVED CVE-2017-12054 RESERVED CVE-2017-12053 RESERVED CVE-2017-12052 RESERVED CVE-2017-12051 RESERVED CVE-2017-12050 RESERVED CVE-2017-12049 RESERVED CVE-2017-12048 RESERVED CVE-2017-12047 RESERVED CVE-2017-12046 RESERVED CVE-2017-12045 RESERVED CVE-2017-12044 RESERVED CVE-2017-12043 RESERVED CVE-2017-12042 RESERVED CVE-2017-12041 RESERVED CVE-2017-12040 RESERVED CVE-2017-12039 RESERVED CVE-2017-12038 RESERVED CVE-2017-12037 RESERVED CVE-2017-12036 RESERVED CVE-2017-12035 RESERVED CVE-2017-12034 RESERVED CVE-2017-12033 RESERVED CVE-2017-12032 RESERVED CVE-2017-12031 RESERVED CVE-2017-12030 RESERVED CVE-2017-12029 RESERVED CVE-2017-12028 RESERVED CVE-2017-12027 RESERVED CVE-2017-12026 RESERVED CVE-2017-12025 RESERVED CVE-2017-12024 RESERVED CVE-2017-12023 RESERVED CVE-2017-12022 RESERVED CVE-2017-12021 RESERVED CVE-2017-12020 RESERVED CVE-2017-12019 RESERVED CVE-2017-12018 RESERVED CVE-2017-12017 RESERVED CVE-2017-12016 RESERVED CVE-2017-12015 RESERVED CVE-2017-12014 RESERVED CVE-2017-12013 RESERVED CVE-2017-12012 RESERVED CVE-2017-12011 RESERVED CVE-2017-12010 RESERVED CVE-2017-12009 RESERVED CVE-2017-12008 RESERVED CVE-2017-12007 RESERVED CVE-2017-12006 RESERVED CVE-2017-12005 RESERVED CVE-2017-12004 RESERVED CVE-2017-12003 RESERVED CVE-2017-12002 RESERVED CVE-2017-12001 RESERVED CVE-2017-12000 RESERVED CVE-2017-11999 RESERVED CVE-2017-11998 RESERVED CVE-2017-11997 RESERVED CVE-2017-11996 RESERVED CVE-2017-11995 RESERVED CVE-2017-11994 RESERVED CVE-2017-11993 RESERVED CVE-2017-11992 RESERVED CVE-2017-11991 RESERVED CVE-2017-11990 RESERVED CVE-2017-11989 RESERVED CVE-2017-11988 RESERVED CVE-2017-11987 RESERVED CVE-2017-11986 RESERVED CVE-2017-11985 RESERVED CVE-2017-11984 RESERVED CVE-2017-11983 RESERVED CVE-2017-11982 RESERVED CVE-2017-11981 RESERVED CVE-2017-11980 RESERVED CVE-2017-11979 RESERVED CVE-2017-11978 RESERVED CVE-2017-11977 RESERVED CVE-2017-11976 RESERVED CVE-2017-11975 RESERVED CVE-2017-11974 RESERVED CVE-2017-11973 RESERVED CVE-2017-11972 RESERVED CVE-2017-11971 RESERVED CVE-2017-11970 RESERVED CVE-2017-11969 RESERVED CVE-2017-11968 RESERVED CVE-2017-11967 RESERVED CVE-2017-11966 RESERVED CVE-2017-11965 RESERVED CVE-2017-11964 RESERVED CVE-2017-11963 RESERVED CVE-2017-11962 RESERVED CVE-2017-11961 RESERVED CVE-2017-11960 RESERVED CVE-2017-11959 RESERVED CVE-2017-11958 RESERVED CVE-2017-11957 RESERVED CVE-2017-11956 RESERVED CVE-2017-11955 RESERVED CVE-2017-11954 RESERVED CVE-2017-11953 RESERVED CVE-2017-11952 RESERVED CVE-2017-11951 RESERVED CVE-2017-11950 RESERVED CVE-2017-11949 RESERVED CVE-2017-11948 RESERVED CVE-2017-11947 RESERVED CVE-2017-11946 RESERVED CVE-2017-11945 RESERVED CVE-2017-11944 RESERVED CVE-2017-11943 RESERVED CVE-2017-11942 RESERVED CVE-2017-11941 RESERVED CVE-2017-11940 (The Microsoft Malware Protection Engine running on Microsoft Forefront ...) NOT-FOR-US: Microsoft CVE-2017-11939 (Microsoft Office 2016 Click-to-Run (C2R) allows an information disclos ...) NOT-FOR-US: Microsoft CVE-2017-11938 RESERVED CVE-2017-11937 (The Microsoft Malware Protection Engine running on Microsoft Forefront ...) NOT-FOR-US: Microsoft CVE-2017-11936 (Microsoft SharePoint Enterprise Server 2016 allows an elevation of pri ...) NOT-FOR-US: Microsoft CVE-2017-11935 (Microsoft Office 2016 Click-to-Run (C2R) allows a remote code executio ...) NOT-FOR-US: Microsoft CVE-2017-11934 (Microsoft Office 2013 RT SP1, Microsoft Office 2013 SP1, and Microsoft ...) NOT-FOR-US: Microsoft CVE-2017-11933 RESERVED CVE-2017-11932 (Microsoft Exchange Server 2016 CU5 and Microsoft Exchange Server 2016 ...) NOT-FOR-US: Microsoft CVE-2017-11931 RESERVED CVE-2017-11930 (ChakraCore, and Internet Explorer in Microsoft Windows 7 SP1, Windows ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11929 RESERVED CVE-2017-11928 RESERVED CVE-2017-11927 (Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2008 SP2 and R2 ...) NOT-FOR-US: Microsoft Windows CVE-2017-11926 RESERVED CVE-2017-11925 RESERVED CVE-2017-11924 RESERVED CVE-2017-11923 RESERVED CVE-2017-11922 RESERVED CVE-2017-11921 RESERVED CVE-2017-11920 RESERVED CVE-2017-11919 (ChakraCore, and Internet Explorer in Microsoft Windows 7 SP1, Windows ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11918 (ChakraCore and Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 17 ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11917 RESERVED CVE-2017-11916 (ChakraCore allows an attacker to execute arbitrary code in the context ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11915 RESERVED CVE-2017-11914 (ChakraCore and Microsoft Edge in Windows 10 1511, 1607, 1703, 1709, an ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11913 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2017-11912 (ChakraCore, and Internet Explorer in Microsoft Windows 7 SP1, Windows ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11911 (ChakraCore and Windows 10 1511, 1607, 1703, 1709, and Windows Server 2 ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11910 (ChakraCore and Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Se ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11909 (ChakraCore and Windows 10 1511, 1607, 1703, 1709, and Windows Server 2 ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11908 (ChakraCore and Windows 10 1709 allows an attacker to execute arbitrary ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11907 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2017-11906 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2017-11905 (ChakraCore and Microsoft Edge in Windows 10 1511, 1607, 1703, 1709, an ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11904 RESERVED CVE-2017-11903 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2017-11902 RESERVED CVE-2017-11901 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 S ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2017-11900 RESERVED CVE-2017-11899 (Device Guard in Windows 10 1511, 1607, 1703 and 1709, Windows Server 2 ...) NOT-FOR-US: Microsoft Windows CVE-2017-11898 RESERVED CVE-2017-11897 RESERVED CVE-2017-11896 RESERVED CVE-2017-11895 (ChakraCore, and Internet Explorer in Microsoft Windows 7 SP1, Windows ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11894 (ChakraCore, and Internet Explorer in Microsoft Windows 7 SP1, Windows ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11893 (ChakraCore and Microsoft Edge in Windows 10 1511, 1607, 1703, 1709, an ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11892 RESERVED CVE-2017-11891 RESERVED CVE-2017-11890 (Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 a ...) NOT-FOR-US: Microsoft Windows CVE-2017-11889 (ChakraCore and Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 17 ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11888 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, a ...) NOT-FOR-US: Microsoft Edge CVE-2017-11887 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2017-11886 (Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 a ...) NOT-FOR-US: Microsoft Windows CVE-2017-11885 (Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2008 SP2 and R2 ...) NOT-FOR-US: Microsoft Windows CVE-2017-11884 (Microsoft Excel 2016 Click-to-Run (C2R) allows an attacker to run arbi ...) NOT-FOR-US: Microsoft CVE-2017-11883 (.NET Core 1.0, 1.1, and 2.0 allow an unauthenticated attacker to remot ...) NOT-FOR-US: .NET core CVE-2017-11882 (Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pa ...) NOT-FOR-US: Microsoft CVE-2017-11881 RESERVED CVE-2017-11880 (Windows kernel in Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, W ...) NOT-FOR-US: Microsoft CVE-2017-11879 (ASP.NET Core 2.0 allows an attacker to steal log-in session informatio ...) NOT-FOR-US: Microsoft CVE-2017-11878 (Microsoft Excel 2007 Service Pack 3, Microsoft Excel 2010 Service Pack ...) NOT-FOR-US: Microsoft CVE-2017-11877 (Microsoft Excel 2007 Service Pack 3, Microsoft Excel 2010 Service Pack ...) NOT-FOR-US: Microsoft CVE-2017-11876 (Microsoft Project Server and Microsoft SharePoint Enterprise Server 20 ...) NOT-FOR-US: Microsoft CVE-2017-11875 RESERVED CVE-2017-11874 (Microsoft Edge in Microsoft Windows 10 1703, 1709, Windows Server, ver ...) NOT-FOR-US: Microsoft CVE-2017-11873 (ChakraCore and Microsoft Edge in Windows 10 1511, 1607, 1703, 1709, Wi ...) NOT-FOR-US: Microsoft CVE-2017-11872 (Microsoft Edge in Microsoft Windows 10 1607, 1703, and Windows Server ...) NOT-FOR-US: Microsoft CVE-2017-11871 (ChakraCore and Microsoft Edge in Windows 10 1703, 1709, and Windows Se ...) NOT-FOR-US: Microsoft CVE-2017-11870 (ChakraCore and Microsoft Edge in Windows 10 1703, 1709, and Windows Se ...) NOT-FOR-US: Microsoft CVE-2017-11869 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and ...) NOT-FOR-US: Microsoft CVE-2017-11868 RESERVED CVE-2017-11867 RESERVED CVE-2017-11866 (ChakraCore and Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 17 ...) NOT-FOR-US: Microsoft CVE-2017-11865 RESERVED CVE-2017-11864 RESERVED CVE-2017-11863 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, W ...) NOT-FOR-US: Microsoft CVE-2017-11862 (ChakraCore and Microsoft Edge in Windows 10 1709 and Windows Server, v ...) NOT-FOR-US: Microsoft CVE-2017-11861 (Microsoft Edge in Windows 10 1607, 1703, 1709, Windows Server 2016 and ...) NOT-FOR-US: Microsoft CVE-2017-11860 RESERVED CVE-2017-11859 RESERVED CVE-2017-11858 (ChakraCore and Internet Explorer in Microsoft Windows 7 SP1, Windows S ...) NOT-FOR-US: Microsoft CVE-2017-11857 RESERVED CVE-2017-11856 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-11855 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-11854 (Microsoft Word 2007 Service Pack 3, Microsoft Word 2010 Service Pack 2 ...) NOT-FOR-US: Microsoft CVE-2017-11853 (Windows kernel in Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, W ...) NOT-FOR-US: Microsoft CVE-2017-11852 (Microsoft GDI Component in Windows 7 SP1 and Windows Server 2008 SP2 a ...) NOT-FOR-US: Microsoft CVE-2017-11851 (The Windows kernel component on Windows 7 SP1, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-11850 (Microsoft Graphics Component in Windows 8.1 and RT 8.1, Windows Server ...) NOT-FOR-US: Microsoft CVE-2017-11849 (Windows kernel in Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, W ...) NOT-FOR-US: Microsoft CVE-2017-11848 (Internet Explorer in Microsoft Microsoft Windows 7 SP1, Windows Server ...) NOT-FOR-US: Microsoft CVE-2017-11847 (Windows kernel in Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, W ...) NOT-FOR-US: Microsoft CVE-2017-11846 (ChakraCore and Internet Explorer in Microsoft Windows 7 SP1, Windows S ...) NOT-FOR-US: Microsoft CVE-2017-11845 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to exec ...) NOT-FOR-US: Microsoft CVE-2017-11844 (Microsoft Edge in Microsoft Windows 10 1703, 1709 and Windows Server, ...) NOT-FOR-US: Microsoft CVE-2017-11843 (ChakraCore and Internet Explorer in Microsoft Windows 7 SP1, Windows S ...) NOT-FOR-US: Microsoft CVE-2017-11842 (Windows kernel in Windows 8.1 and RT 8.1, Server 2012 and R2, Windows ...) NOT-FOR-US: Microsoft CVE-2017-11841 (ChakraCore and Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 17 ...) NOT-FOR-US: Microsoft CVE-2017-11840 (ChakraCore and Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 17 ...) NOT-FOR-US: Microsoft CVE-2017-11839 (Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 1709, Windows Ser ...) NOT-FOR-US: Microsoft CVE-2017-11838 (ChakraCore and Internet Explorer in Microsoft Windows 7 SP1, Windows S ...) NOT-FOR-US: Microsoft CVE-2017-11837 (ChakraCore and Internet Explorer in Microsoft Windows 7 SP1, Windows S ...) NOT-FOR-US: Microsoft CVE-2017-11836 (ChakraCore, and Microsoft Edge in Microsoft Windows 10 Gold, 1511, 160 ...) NOT-FOR-US: Microsoft CVE-2017-11835 (Microsoft graphics in Windows 7 SP1 and Windows Server 2008 SP2 and R2 ...) NOT-FOR-US: Microsoft CVE-2017-11834 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-11833 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, W ...) NOT-FOR-US: Microsoft CVE-2017-11832 (The Microsoft Windows embedded OpenType (EOT) font engine in Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-11831 (Windows kernel in Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Serve ...) NOT-FOR-US: Microsoft CVE-2017-11830 (Device Guard in Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows S ...) NOT-FOR-US: Microsoft CVE-2017-11829 (Microsoft Windows 10 allows an elevation of privilege vulnerability wh ...) NOT-FOR-US: Microsoft CVE-2017-11828 RESERVED CVE-2017-11827 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 S ...) NOT-FOR-US: Microsoft CVE-2017-11826 (Microsoft Office 2010, SharePoint Enterprise Server 2010, SharePoint S ...) NOT-FOR-US: Microsoft CVE-2017-11825 (Microsoft Office 2016 Click-to-Run (C2R) and Microsoft Office 2016 for ...) NOT-FOR-US: Microsoft CVE-2017-11824 (The Microsoft Graphics Component on Microsoft Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-11823 (The Microsoft Device Guard on Microsoft Windows 10 Gold, 1511, 1607, a ...) NOT-FOR-US: Microsoft CVE-2017-11822 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-11821 (ChakraCore and Microsoft Edge in Microsoft Windows 10 1703 allows an a ...) NOT-FOR-US: Microsoft CVE-2017-11820 (Microsoft SharePoint Enterprise Server 2013 SP1 and Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2017-11819 (Microsoft Windows 7 SP1 allows an attacker to execute arbitrary code i ...) NOT-FOR-US: Microsoft CVE-2017-11818 (The Microsoft Windows Storage component on Microsoft Windows 8.1, Wind ...) NOT-FOR-US: Microsoft CVE-2017-11817 (The Microsoft Windows Kernel component on Microsoft Windows Server 200 ...) NOT-FOR-US: Microsoft CVE-2017-11816 (The Microsoft Windows Graphics Device Interface (GDI) on Microsoft Win ...) NOT-FOR-US: Microsoft CVE-2017-11815 (The Microsoft Server Block Message (SMB) on Microsoft Windows Server 2 ...) NOT-FOR-US: Microsoft CVE-2017-11814 (The Microsoft Windows Kernel component on Microsoft Windows Server 200 ...) NOT-FOR-US: Microsoft CVE-2017-11813 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 S ...) NOT-FOR-US: Microsoft CVE-2017-11812 (ChakraCore and Microsoft Edge in Microsoft Windows 10 1511, 1607, 1703 ...) NOT-FOR-US: Microsoft CVE-2017-11811 (ChakraCore and Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607 ...) NOT-FOR-US: Microsoft CVE-2017-11810 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-11809 (ChakraCore and Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607 ...) NOT-FOR-US: Microsoft CVE-2017-11808 (ChakraCore and Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607 ...) NOT-FOR-US: Microsoft CVE-2017-11807 (ChakraCore and Microsoft Edge in Microsoft Windows 10 1703 allows an a ...) NOT-FOR-US: Microsoft CVE-2017-11806 (ChakraCore and Microsoft Edge in Microsoft Windows 10 1703 allows an a ...) NOT-FOR-US: Microsoft CVE-2017-11805 (ChakraCore and Microsoft Edge in Microsoft Windows 10 1703 allows an a ...) NOT-FOR-US: Microsoft CVE-2017-11804 (ChakraCore and Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607 ...) NOT-FOR-US: Microsoft CVE-2017-11803 (Microsoft Edge in Microsoft Windows 10 1703, 1709 and Windows Server, ...) NOT-FOR-US: Microsoft CVE-2017-11802 (ChakraCore and Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607 ...) NOT-FOR-US: Microsoft CVE-2017-11801 (ChakraCore allows an attacker to execute arbitrary code in the context ...) NOT-FOR-US: Microsoft CVE-2017-11800 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and Windows S ...) NOT-FOR-US: Microsoft CVE-2017-11799 (ChakraCore and Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607 ...) NOT-FOR-US: Microsoft CVE-2017-11798 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Win ...) NOT-FOR-US: Microsoft CVE-2017-11797 (ChakraCore allows an attacker to execute arbitrary code in the context ...) NOT-FOR-US: Microsoft CVE-2017-11796 (ChakraCore and Microsoft Edge in Windows 10 1703 allows an attacker to ...) NOT-FOR-US: Microsoft CVE-2017-11795 RESERVED CVE-2017-11794 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to obta ...) NOT-FOR-US: Microsoft CVE-2017-11793 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-11792 (ChakraCore and Microsoft Edge in Microsoft Windows 10 1703 allow an at ...) NOT-FOR-US: Microsoft CVE-2017-11791 (ChakraCore and Internet Explorer in Microsoft Windows 7 SP1, Windows S ...) NOT-FOR-US: Microsoft CVE-2017-11790 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-11789 RESERVED CVE-2017-11788 (Windows Search in Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, W ...) NOT-FOR-US: Microsoft CVE-2017-11787 RESERVED CVE-2017-11786 (Skype for Business in Microsoft Lync 2013 SP1 and Skype for Business 2 ...) NOT-FOR-US: Skype CVE-2017-11785 (The Microsoft Windows Kernel component on Microsoft Windows Server 200 ...) NOT-FOR-US: Microsoft CVE-2017-11784 (The Microsoft Windows Kernel component on Microsoft Windows Server 200 ...) NOT-FOR-US: Microsoft CVE-2017-11783 (Microsoft Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, Windows ...) NOT-FOR-US: Microsoft CVE-2017-11782 (The Microsoft Server Block Message (SMB) on Microsoft Windows 10 1607 ...) NOT-FOR-US: Microsoft CVE-2017-11781 (The Microsoft Server Block Message (SMB) on Microsoft Windows Server 2 ...) NOT-FOR-US: Microsoft CVE-2017-11780 (The Server Message Block 1.0 (SMBv1) on Microsoft Windows Server 2008 ...) NOT-FOR-US: Microsoft CVE-2017-11779 (The Microsoft Windows Domain Name System (DNS) DNSAPI.dll on Microsoft ...) NOT-FOR-US: Microsoft CVE-2017-11778 RESERVED CVE-2017-11777 (Microsoft SharePoint Enterprise Server 2013 SP1 and Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2017-11776 (Microsoft Outlook 2016 allows an attacker to obtain the email content ...) NOT-FOR-US: Microsoft CVE-2017-11775 (Microsoft SharePoint Enterprise Server 2013 SP1 and Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2017-11774 (Microsoft Outlook 2010 SP2, Outlook 2013 SP1 and RT SP1, and Outlook 2 ...) NOT-FOR-US: Microsoft CVE-2017-11773 RESERVED CVE-2017-11772 (The Microsoft Windows Search component on Microsoft Windows Server 200 ...) NOT-FOR-US: Microsoft CVE-2017-11771 (The Microsoft Windows Search component on Microsoft Windows Server 200 ...) NOT-FOR-US: Microsoft CVE-2017-11770 (.NET Core 1.0, 1.1, and 2.0 allow an unauthenticated attacker to remot ...) NOT-FOR-US: .NET Core CVE-2017-11769 (The Microsoft Windows TRIE component on Microsoft Windows 10 Gold, 151 ...) NOT-FOR-US: Microsoft CVE-2017-11768 (Windows Media Player in Windows 7 SP1, Windows Server 2008 SP2 and R2 ...) NOT-FOR-US: Microsoft CVE-2017-11767 (ChakraCore allows an attacker to gain the same user rights as the curr ...) NOT-FOR-US: Microsoft CVE-2017-11766 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Win ...) NOT-FOR-US: Microsoft CVE-2017-11765 (The Microsoft Windows Kernel component on Microsoft Windows Server 200 ...) NOT-FOR-US: Microsoft CVE-2017-11764 (Microsoft Edge in Microsoft Windows 10 1607, 1703, and Windows Server ...) NOT-FOR-US: Microsoft CVE-2017-11763 (The Microsoft Graphics Component on Microsoft Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-11762 (The Microsoft Graphics Component on Microsoft Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-11761 (Microsoft Exchange Server 2013 and Microsoft Exchange Server 2016 allo ...) NOT-FOR-US: Microsoft CVE-2017-11760 (uploadImage.php in ProjeQtOr before 6.3.2 allows remote authenticated ...) NOT-FOR-US: ProjeQtOr CVE-2017-11759 RESERVED CVE-2017-11758 RESERVED CVE-2017-11757 (Heap-based buffer overflow in Actian Pervasive PSQL v12.10 and Zen v13 ...) NOT-FOR-US: Actian Pervasive PSQL server CVE-2017-XXXX [executes javascript code downloaded from insecure URL] - smplayer 17.7.0~ds0-1 (low; bug #870233) [stretch] - smplayer (Minor issue) [jessie] - smplayer (Minor issue) [wheezy] - smplayer (vulnerable code not present) NOTE: The version tracking here is not 100% since the vulnerable code still would NOTE: be present in the source. Users though need to explicitly rebuilt the package NOTE: changing the upstream pro file to enable YT_USE_YTSIG. YT_USE_YTSIG is NOTE: disabled by default on upstream since 17.2.0 CVE-2017-13140 (In ImageMagick before 6.9.9-1 and 7.x before 7.0.6-2, the ReadOnePNGIm ...) {DSA-4019-1} - imagemagick 8:6.9.7.4+dfsg-15 (bug #870111) [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (Vulnerable code not present) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/596 NOTE: https://github.com/ImageMagick/ImageMagick/commit/62fcf3d9638b87cd7ac81962cadf5bf88db62fa0 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/75f7e994e4e990627a5a37385bcc9a0205013645 CVE-2017-13139 (In ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1, the ReadOneMNGIm ...) {DSA-4040-1 DSA-4019-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-15 (bug #870109) NOTE: https://github.com/ImageMagick/ImageMagick/commit/22e0310345499ffe906c604428f2a3a668942b05 CVE-2017-12643 (ImageMagick 7.0.6-1 has a memory exhaustion vulnerability in ReadOneJN ...) {DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-15 (low; bug #870107) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/549 NOTE: https://github.com/ImageMagick/ImageMagick/commit/9eedb5660f1704cde8e8cd784c5c2a09dd2fd60f CVE-2017-13142 (In ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1, a crafted PNG fi ...) {DSA-4019-1 DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-15 (low; bug #870105) NOTE: https://github.com/ImageMagick/ImageMagick/commit/46e3aabbf8d59a1bdebdbb65acb9b9e0484577d3 NOTE: https://github.com/ImageMagick/ImageMagick/commit/aa84944b405acebbeefe871d0f64969b9e9f31ac CVE-2017-11756 (In Earcms Ear Music through 4.1 build 20170710, remote authenticated u ...) NOT-FOR-US: Earcms CVE-2017-11755 (The WritePICONImage function in coders/xpm.c in ImageMagick 7.0.6-4 al ...) - imagemagick (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/634 NOTE: Possibly fixed by same commit as issue #631 upstream CVE-2017-11754 (The WritePICONImage function in coders/xpm.c in ImageMagick 7.0.6-4 al ...) - imagemagick (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/633 NOTE: ossibly fixed by same commit as issue #631 upstream CVE-2017-11753 (The GetImageDepth function in MagickCore/attribute.c in ImageMagick 7. ...) - imagemagick (Affects only ImageMagick-7; vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/629 CVE-2017-11752 (The ReadMAGICKImage function in coders/magick.c in ImageMagick 7.0.6-4 ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-16 (unimportant; bug #870481) NOTE: https://github.com/ImageMagick/ImageMagick/issues/628 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/21d19d0c64ff070dbf37279432837bf425c0d5dd NOTE: https://github.com/ImageMagick/ImageMagick/commit/9eccfd52199616da66c93b6d627d4d4126f5a5f0 CVE-2017-11751 (The WritePICONImage function in coders/xpm.c in ImageMagick 7.0.6-4 al ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-16 (unimportant; bug #870480) NOTE: https://github.com/ImageMagick/ImageMagick/issues/631 NOTE: https://github.com/ImageMagick/ImageMagick/commit/cb713211bad3fa4f0c535255fa043917482fc964 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/b04e9c949d917a4a603f1a9bfe09737246229323 CVE-2017-11750 (The ReadOneJNGImage function in coders/png.c in ImageMagick 6.9.9-4 an ...) - imagemagick 8:6.9.7.4+dfsg-16 (bug #870478) [stretch] - imagemagick (Incomplete patch for upstream issues/618 not applied) [jessie] - imagemagick (Incomplete patch for upstream issues/618 not applied) [wheezy] - imagemagick (Incomplete patch for upstream issues/618 not applied) NOTE: https://github.com/ImageMagick/ImageMagick/issues/632 NOTE: Introduced by: https://github.com/ImageMagick/ImageMagick/commit/8cc53f1d8946bad2a2c62e084aaf956d4d889f08 NOTE: Introduced by (ImageMagick-6): https://github.com/ImageMagick/ImageMagick/commit/3cba1bb43acf5b3cba7388f67bf87b6f192138f0 NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/1828667e81e53345cfb3eb46539d78757f1aa680 NOTE: Fixed by (ImageMagick-6): https://github.com/ImageMagick/ImageMagick/commit/253d56027765dcbd8d6bc2bbd7d59aa41dab60e7 NOTE: Issue introduced by the original patch for https://github.com/ImageMagick/ImageMagick/issues/618 CVE-2017-11749 (InternetSoft FTP Commander 8.02 and prior has an untrusted search path ...) NOT-FOR-US: InternetSoft FTP Commander CVE-2017-11748 (VIT Spider Player 2.5.3 has an untrusted search path, allowing DLL hij ...) NOT-FOR-US: VIT Spider Player CVE-2017-11747 (main.c in Tinyproxy 1.8.4 and earlier creates a /run/tinyproxy/tinypro ...) {DLA-2163-1} - tinyproxy 1.10.0-1 (bug #870307) [stretch] - tinyproxy (Minor issue) [wheezy] - tinyproxy (Minor issue) NOTE: https://github.com/tinyproxy/tinyproxy/issues/106 CVE-2017-11746 (Tenshi 0.15 creates a tenshi.pid file after dropping privileges to a n ...) {DLA-1069-1} - tenshi 0.13-2.1 (unimportant; bug #871321) [stretch] - tenshi 0.13-2.1~deb9u1 NOTE: https://github.com/inversepath/tenshi/issues/6 NOTE: https://github.com/inversepath/tenshi/commit/d0e7f28c13ffbd5888b31d6532c2faf78f10f176 NOTE: Negligible security impact CVE-2017-11745 RESERVED CVE-2017-11744 (In MODX Revolution 2.5.7, the "key" and "name" parameters in the Syste ...) NOT-FOR-US: MODX Revolution CVE-2017-11743 (MEDHOST Connex contains a hard-coded Mirth Connect admin credential th ...) NOT-FOR-US: MEDHOST Connex CVE-2017-11742 (The writeRandomBytes_RtlGenRandom function in xmlparse.c in libexpat i ...) - expat (Windows specfic issue) CVE-2017-11741 (HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) bef ...) NOT-FOR-US: HashiCorp Vagrant VMware Fusion plugin CVE-2017-11740 (In Zoho ManageEngine Application Manager 13.1 Build 13100, the adminis ...) NOT-FOR-US: Zoho ManageEngine Application Manager CVE-2017-11739 (In Zoho ManageEngine Application Manager 13.1 Build 13100, an authenti ...) NOT-FOR-US: Zoho ManageEngine Application Manager CVE-2017-11738 (In Zoho ManageEngine Application Manager 13.1 Build 13100, the 'haid' ...) NOT-FOR-US: Zoho ManageEngine Application Manager CVE-2017-11737 (interface/js/app/history.js in WebUI in Rspamd before 1.6.3 allows XSS ...) - rspamd 1.7.6-1 [jessie] - rspamd (Vulnerable code not present) NOTE: https://github.com/vstakhov/rspamd/issues/1738 NOTE: https://github.com/rspamd/rspamd/pull/1739 CVE-2017-11736 (SQL injection vulnerability in core\admin\auto-modules\forms\process.p ...) NOT-FOR-US: BigTree CMS CVE-2017-11735 REJECTED CVE-2017-11734 (A heap-based buffer over-read was found in the function decompileCALLF ...) {DLA-1133-1} - ming NOTE: https://github.com/libming/libming/issues/83 CVE-2017-11733 (A null pointer dereference vulnerability was found in the function sta ...) {DLA-1176-1} - ming NOTE: https://github.com/libming/libming/issues/78 CVE-2017-11732 (A heap-based buffer overflow vulnerability was found in the function d ...) {DLA-1240-1} - ming NOTE: https://github.com/libming/libming/issues/80 CVE-2017-11731 (An invalid memory read vulnerability was found in the function OpCode ...) {DLA-1133-1} - ming NOTE: https://github.com/libming/libming/issues/84 CVE-2017-11730 (A heap-based buffer over-read was found in the function OpCode (called ...) {DLA-1133-1} - ming NOTE: https://github.com/libming/libming/issues/81 CVE-2017-11729 (A heap-based buffer over-read was found in the function OpCode (called ...) {DLA-1133-1} - ming NOTE: https://github.com/libming/libming/issues/79 CVE-2017-11728 (A heap-based buffer over-read was found in the function OpCode (called ...) {DLA-1133-1} - ming NOTE: https://github.com/libming/libming/issues/82 CVE-2017-11727 (services/system_io/actionprocessor/Contact.rails in ConnectWise Manage ...) NOT-FOR-US: ConnectWise Manage CVE-2017-11726 (services/system_io/actionprocessor/System.rails in ConnectWise Manage ...) NOT-FOR-US: ConnectWise Manage CVE-2017-11725 (The share function in Thycotic Secret Server before 10.2.000019 mishan ...) NOT-FOR-US: Thycotic Secret Server CVE-2017-11723 (Directory traversal vulnerability in plugins/ImageManager/backend.php ...) NOT-FOR-US: Xinha CVE-2017-11724 (The ReadMATImage function in coders/mat.c in ImageMagick through 6.9.9 ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-14 (unimportant; bug #870023) NOTE: https://github.com/ImageMagick/ImageMagick/issues/624 NOTE: https://github.com/ImageMagick/ImageMagick/commit/5163756a1f829a561912dfdb74a0dae41d8ed8cf CVE-2017-12670 (In ImageMagick 7.0.6-3, missing validation was found in coders/mat.c, ...) {DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-14 (low; bug #870020) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/610 NOTE: https://github.com/ImageMagick/ImageMagick/commit/ab440f9ea11e0dbefb7a808cbb9441198758b0cb NOTE: https://github.com/ImageMagick/ImageMagick/commit/75db34b6a4d642cb6f88c792942de27490c900e0 CVE-2017-13658 (In ImageMagick before 6.9.9-3 and 7.x before 7.0.6-3, there is a missi ...) {DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-14 (low; bug #870019) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/598 NOTE: https://github.com/ImageMagick/ImageMagick/commit/e5c063a1007506ba69e97a35effcdef944421c89 CVE-2017-12434 (In ImageMagick 7.0.6-1, a missing NULL check vulnerability was found i ...) {DSA-4019-1} - imagemagick 8:6.9.7.4+dfsg-14 (bug #870014) [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (vulnerable code not present) [wheezy] - imagemagick (vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/547 NOTE: https://github.com/ImageMagick/ImageMagick/commit/6767f31cac3eacdc9dc41b3193a73bdd37610375 CVE-2017-13143 (In ImageMagick before 6.9.7-6 and 7.x before 7.0.4-6, the ReadMATImage ...) {DSA-4204-1 DSA-4019-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-14 (bug #870012) NOTE: https://github.com/ImageMagick/ImageMagick/issues/362 NOTE: https://github.com/ImageMagick/ImageMagick/commit/51b0ae01709adc1e4a9245e158ef17b85a110960 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/f86268752ffc70e40b6e1afdebfc96dcc29452db CVE-2017-11722 (The WriteOnePNGImage function in coders/png.c in GraphicsMagick 1.3.26 ...) {DSA-4321-1} - graphicsmagick 1.3.26-4 (bug #870158) [jessie] - graphicsmagick (vulnerable code not present) [wheezy] - graphicsmagick (vulnerable code not present) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/f423ba88ca4e CVE-2017-11721 (Buffer overflow in ioquake3 before 2017-08-02 allows remote attackers ...) {DSA-3948-1 DSA-3941-1} - ioquake3 1.36+u20170803+dfsg1-1 (bug #870725) [wheezy] - ioquake3 (games are not supported in Wheezy) NOTE: https://github.com/ioquake/ioq3/commit/d2b1d124d4055c2fcbe5126863487c52fd58cca1 - iortcw 1.51+dfsg1-3 (bug #870811) NOTE: https://github.com/iortcw/iortcw/commit/260c39a29af517a08b3ee1a0e78ad654bdd70934 NOTE: Also affects openjk (only in experimental; fixed in 0~20170718+dfsg1-2 CVE-2017-11720 (There is a division-by-zero vulnerability in LAME 3.99.5, caused by a ...) - lame 3.99.5+repack1-6 (low; bug #870809; bug #777159) [wheezy] - lame 3.99.5+repack1-3+deb7u1 NOTE: https://sourceforge.net/p/lame/bugs/460/ NOTE: Duplicate/same as: https://blogs.gentoo.org/ago/2017/06/17/lame-divide-by-zero-in-parse_wave_header-get_audio-c/ CVE-2017-11719 (The dnxhd_decode_header function in libavcodec/dnxhddec.c in FFmpeg th ...) {DSA-3957-1} - ffmpeg 7:3.3.3-1 - libav [jessie] - libav (Issue only present in ffmpeg since 6f1ccca4) NOTE: https://github.com/FFmpeg/FFmpeg/commit/296debd213bd6dce7647cedd34eb64e5b94cdc92 NOTE: Fixed in 3.2.7 CVE-2017-11718 (There is URL Redirector Abuse in MetInfo through 5.3.17 via the gourl ...) NOT-FOR-US: MetInfo CVE-2017-11717 (MetInfo through 5.3.17 accepts the same CAPTCHA response for 120 secon ...) NOT-FOR-US: MetInfo CVE-2017-11716 (MetInfo through 5.3.17 allows stored XSS via HTML Edit Mode. ...) NOT-FOR-US: MetInfo CVE-2017-11715 (job/uploadfile_save.php in MetInfo through 5.3.17 blocks the .php exte ...) NOT-FOR-US: MetInfo CVE-2017-11714 (psi/ztoken.c in Artifex Ghostscript 9.21 mishandles references to the ...) {DSA-3986-1 DLA-1048-1} [experimental] - ghostscript 9.22~~rc1~dfsg-1 - ghostscript 9.22~dfsg-1 (bug #869977) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698158 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=671fd59eb657743aa86fbc1895cb15872a317caa (ghostpdl-9.22rc1) CVE-2017-11713 RESERVED CVE-2017-11712 RESERVED CVE-2017-11711 RESERVED CVE-2017-11710 RESERVED CVE-2017-11709 RESERVED CVE-2017-11708 RESERVED CVE-2017-11707 RESERVED CVE-2017-11706 (The Boozt Fashion application before 2.3.4 for Android allows remote a ...) NOT-FOR-US: Boozt Fashion application CVE-2017-11705 (A memory leak was found in the function parseSWF_SHAPEWITHSTYLE in uti ...) - ming [wheezy] - ming (Minor issue present everywhere in the source code, hard to fix) NOTE: https://github.com/libming/libming/issues/71 CVE-2017-11704 (A heap-based buffer over-read was found in the function decompileIF in ...) {DLA-1133-1} - ming NOTE: https://github.com/libming/libming/issues/76 CVE-2017-11703 (A memory leak vulnerability was found in the function parseSWF_DOACTIO ...) - ming [wheezy] - ming (Minor issue present everywhere in the source code, hard to fix) NOTE: https://github.com/libming/libming/issues/72 CVE-2017-11702 RESERVED CVE-2017-11701 RESERVED CVE-2017-11700 RESERVED CVE-2017-11699 RESERVED CVE-2017-11698 (Heap-based buffer overflow in the __get_page function in lib/dbm/src/h ...) - nss (bug #873259; unimportant) NOTE: Issues triggered by crafted DBM databases, which would NOTE: require local user access to a machine running NSS and NOTE: crafting the local DBM files. NOTE: http://seclists.org/fulldisclosure/2017/Aug/17 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1360779 CVE-2017-11697 (The __hash_open function in hash.c:229 in Mozilla Network Security Ser ...) - nss (bug #873258; unimportant) NOTE: Issues triggered by crafted DBM databases, which would NOTE: require local user access to a machine running NSS and NOTE: crafting the local DBM files. NOTE: http://seclists.org/fulldisclosure/2017/Aug/17 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1360900 CVE-2017-11696 (Heap-based buffer overflow in the __hash_open function in lib/dbm/src/ ...) - nss (bug #873257; unimportant) NOTE: Issues triggered by crafted DBM databases, which would NOTE: require local user access to a machine running NSS and NOTE: crafting the local DBM files. NOTE: http://seclists.org/fulldisclosure/2017/Aug/17 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1360778 CVE-2017-11695 (Heap-based buffer overflow in the alloc_segs function in lib/dbm/src/h ...) - nss (bug #873256; unimportant) NOTE: Issues triggered by crafted DBM databases, which would NOTE: require local user access to a machine running NSS and NOTE: crafting the local DBM files. NOTE: http://seclists.org/fulldisclosure/2017/Aug/17 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1360782 CVE-2017-11694 (MEDHOST Document Management System contains hard-coded credentials tha ...) NOT-FOR-US: MEDHOST Document Management System CVE-2017-11693 (MEDHOST Document Management System contains hard-coded credentials tha ...) NOT-FOR-US: MEDHOST Document Management System CVE-2017-11692 (The function "Token& Scanner::peek" in scanner.cpp in yaml-cpp 0.5 ...) - yaml-cpp 0.6.3-1 (low; bug #870326) [buster] - yaml-cpp (Minor issue) [stretch] - yaml-cpp (Minor issue) [jessie] - yaml-cpp (Minor issue) [wheezy] - yaml-cpp (Minor issue) - yaml-cpp0.3 (bug #870327) [stretch] - yaml-cpp0.3 (Minor issue) [jessie] - yaml-cpp0.3 (Minor issue) NOTE: https://github.com/jbeder/yaml-cpp/issues/519 NOTE: https://github.com/jbeder/yaml-cpp/commit/c9460110e072df84b7dee3eb651f2ec5df75fb18 CVE-2016-10402 (Avira Antivirus engine versions before 8.3.36.60 allow remote code exe ...) NOT-FOR-US: Avira CVE-2017-11690 RESERVED CVE-2017-11689 RESERVED CVE-2017-11688 RESERVED CVE-2017-11687 (Multiple Persistent cross-site scripting (XSS) vulnerabilities in Even ...) NOT-FOR-US: Zoho ManageEngine Event Log Analyzer CVE-2017-11686 (Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allows remote attac ...) NOT-FOR-US: Zoho ManageEngine Event Log Analyzer CVE-2017-11685 (Multiple Reflective cross-site scripting (XSS) vulnerabilities in sear ...) NOT-FOR-US: Zoho ManageEngine Event Log Analyzer CVE-2017-11684 (There is an illegal address access in the build_table function in liba ...) - libav [jessie] - libav 6:11.11-1~deb8u1 - ffmpeg 7:2.3.1-1 NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1073 NOTE: Fixed by https://github.com/libav/libav/commit/ec683ed527cef9aad208d1daeb10d0e7fb63e75e.patch CVE-2017-11683 (There is a reachable assertion in the Internal::TiffReader::visitDirec ...) {DLA-1147-1} - exiv2 0.27.2-6 (unimportant) NOTE: http://dev.exiv2.org/issues/1307 NOTE: https://github.com/Exiv2/exiv2/issues/57 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1475124 NOTE: Problematic assert() exists in all versions in Debian. NOTE: Negligable security impact CVE-2017-11682 (Stored Cross-site scripting vulnerability in Hashtopussy 0.4.0 allows ...) NOT-FOR-US: Hashtopussy CVE-2017-11681 (Incorrect Access Control vulnerability in Hashtopussy 0.4.0 allows rem ...) NOT-FOR-US: Hashtopussy CVE-2017-11680 (Cross-Site Request Forgery (CSRF) exists in Hashtopussy 0.4.0, allowin ...) NOT-FOR-US: Hashtopussy CVE-2017-11679 (Cross-Site Request Forgery (CSRF) exists in Hashtopus 1.5g via the pas ...) NOT-FOR-US: Hashtopus CVE-2017-11678 (SQL injection vulnerability in Hashtopus 1.5g allows remote authentica ...) NOT-FOR-US: Hashtopus CVE-2017-11677 (Cross-site scripting (XSS) vulnerability in Hashtopus 1.5g allows remo ...) NOT-FOR-US: Hashtopus CVE-2017-11676 RESERVED CVE-2017-11675 (The traverseStrictSanitize function in admin_dir/includes/classes/Admi ...) NOT-FOR-US: ZenCart CVE-2017-11674 (Reporter.exe in Acunetix 8 allows remote attackers to cause a denial o ...) NOT-FOR-US: Acunetix CVE-2017-11673 (Reporter.exe in Acunetix 8 allows remote attackers to execute arbitrar ...) NOT-FOR-US: Acunetix CVE-2017-11672 (The OPC Foundation Local Discovery Server (LDS) before 1.03.367 is ins ...) NOT-FOR-US: OPC Foundation Local Discovery Server CVE-2017-11671 (Under certain circumstances, the ix86_expand_builtin function in i386. ...) - gcc-6 6.3.0-12 - gcc-5 5.4.1-10 - gcc-4.9 [jessie] - gcc-4.9 (Minor issue) - gcc-4.8 [jessie] - gcc-4.8 (Minor issue) - gcc-4.7 [wheezy] - gcc-4.7 (Minor issue) - gcc-4.6 [wheezy] - gcc-4.6 (Minor issue) NOTE: http://openwall.com/lists/oss-security/2017/07/27/2 NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=80180 NOTE: https://gcc.gnu.org/ml/gcc-patches/2017-03/msg01349.html CVE-2017-11670 (A length validation (leading to out-of-bounds read and write) flaw was ...) NOT-FOR-US: eapmd5pass CVE-2017-11669 (An out-of-bounds read flaw related to the assess_packet function in ea ...) NOT-FOR-US: eapmd5pass CVE-2017-11668 (An out-of-bounds read flaw related to the assess_packet function in ea ...) NOT-FOR-US: eapmd5pass CVE-2017-13145 (In ImageMagick before 6.9.8-8 and 7.x before 7.0.5-9, the ReadJP2Image ...) {DSA-4019-1 DLA-1785-1} - imagemagick 8:6.9.7.4+dfsg-13 (bug #869830) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/501 NOTE: https://github.com/ImageMagick/ImageMagick/commit/acee073df34aa4d491bf5cb74d3a15fc80f0a3aa NOTE: https://github.com/ImageMagick/ImageMagick/commit/ac23b02ecb741e5de60f5235ea443790c88a0b80 NOTE: https://github.com/ImageMagick/ImageMagick/commit/b0c5222ce31e8f941fa02ff9c7a040fb2db30dbc CVE-2017-11691 (Cross-site scripting (XSS) vulnerability in auth_profile.php in Cacti ...) - cacti 1.1.15+ds1-1 (bug #869848) [stretch] - cacti (Vulnerable code introduced later with addition of user profile management page for users) [jessie] - cacti (Vulnerable code introduced later with addition of user profile management page for users) [wheezy] - cacti (Vulnerable code introduced later with addition of user profile management page for users) NOTE: https://github.com/Cacti/cacti/issues/867 NOTE: /for/fohttps://github.com/Cacti/cacti/commit/104090aeead4aa433bf1f18cd6d52dcfeb71236c CVE-2017-11667 (OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expir ...) NOT-FOR-US: OpenProject CVE-2017-11666 (Cross-site scripting (XSS) vulnerability in js/ViewerPanel.js in the f ...) NOT-FOR-US: Kopano CVE-2017-11665 (The ff_amf_get_field_value function in libavformat/rtmppkt.c in FFmpeg ...) {DSA-3957-1} - ffmpeg 7:3.3.3-1 NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/ffcc82219cef0928bed2d558b19ef6ea35634130 NOTE: Fixed in 3.2.7 CVE-2017-11664 (The _WM_SetupMidiEvent function in internal_midi.c:2122 in WildMIDI 0. ...) - wildmidi 0.4.2-1 (low; bug #871616) [stretch] - wildmidi (Minor issue) [jessie] - wildmidi (vulnerable code not present) [wheezy] - wildmidi (vulnerable code not present) NOTE: http://seclists.org/fulldisclosure/2017/Aug/12 NOTE: https://github.com/Mindwerks/wildmidi/commit/660b513d99bced8783a4a5984ac2f742c74ebbdd CVE-2017-11663 (The _WM_SetupMidiEvent function in internal_midi.c:2315 in WildMIDI 0. ...) - wildmidi 0.4.2-1 (low; bug #871616) [stretch] - wildmidi (Minor issue) [jessie] - wildmidi (vulnerable code not present) [wheezy] - wildmidi (vulnerable code not present) NOTE: http://seclists.org/fulldisclosure/2017/Aug/12 NOTE: https://github.com/Mindwerks/wildmidi/commit/660b513d99bced8783a4a5984ac2f742c74ebbdd CVE-2017-11662 (The _WM_ParseNewMidi function in f_midi.c in WildMIDI 0.4.2 can cause ...) - wildmidi 0.4.2-1 (low; bug #871616) [stretch] - wildmidi (Minor issue) [jessie] - wildmidi (vulnerable code not present) [wheezy] - wildmidi (vulnerable code not present) NOTE: http://seclists.org/fulldisclosure/2017/Aug/12 NOTE: https://github.com/Mindwerks/wildmidi/commit/660b513d99bced8783a4a5984ac2f742c74ebbdd CVE-2017-11661 (The _WM_SetupMidiEvent function in internal_midi.c:2318 in WildMIDI 0. ...) - wildmidi 0.4.2-1 (low; bug #871616) [stretch] - wildmidi (Minor issue) [jessie] - wildmidi (vulnerable code not present) [wheezy] - wildmidi (vulnerable code not present) NOTE: http://seclists.org/fulldisclosure/2017/Aug/12 NOTE: https://github.com/Mindwerks/wildmidi/commit/660b513d99bced8783a4a5984ac2f742c74ebbdd CVE-2017-11660 RESERVED CVE-2017-11659 RESERVED CVE-2017-11658 (In the WP Rocket plugin 2.9.3 for WordPress, the Local File Inclusion ...) NOT-FOR-US: Wordpress plugin CVE-2017-11657 (Dashlane might allow local users to gain privileges by placing a Troja ...) NOT-FOR-US: Dashlane CVE-2017-11656 RESERVED CVE-2017-11655 (A memory leak was found in the way SIPcrack 0.2 handled processing of ...) - sipcrack (unimportant; bug #869803) NOTE: http://www.openwall.com/lists/oss-security/2017/07/26/1 NOTE: Negligible security impact CVE-2017-11654 (An out-of-bounds read and write flaw was found in the way SIPcrack 0.2 ...) - sipcrack (unimportant; bug #869803) NOTE: http://www.openwall.com/lists/oss-security/2017/07/26/1 NOTE: Negligible security impact CVE-2017-11653 (Razer Synapse 2.20.15.1104 and earlier uses weak permissions for the D ...) NOT-FOR-US: Razer Synapse CVE-2017-11652 (Razer Synapse 2.20.15.1104 and earlier uses weak permissions for the C ...) NOT-FOR-US: Razer Synapse CVE-2017-11651 (NexusPHP V1.5 has XSS via a javascript: or data: URL in a UBBCode url ...) NOT-FOR-US: NexusPHP CVE-2017-11650 (Cross-site scripting (XSS) vulnerability in DrayTek Vigor AP910C devic ...) NOT-FOR-US: DrayTek CVE-2017-11649 (Cross-site request forgery (CSRF) vulnerability in DrayTek Vigor AP910 ...) NOT-FOR-US: DrayTek CVE-2017-11648 (Techroutes TR 1803-3G Wireless Cellular Router/Modem 2.4.25 devices do ...) NOT-FOR-US: Techroutes TR 1803-3G Wireless Cellular Router/Modem 2.4.25 devices CVE-2017-11647 (NetComm Wireless 4GT101W routers with Hardware: 0.01 / Software: V1.1. ...) NOT-FOR-US: NetComm Wireless 4GT101W routers CVE-2017-11646 (NetComm Wireless 4GT101W routers with Hardware: 0.01 / Software: V1.1. ...) NOT-FOR-US: NetComm Wireless 4GT101W routers CVE-2017-11645 (NetComm Wireless 4GT101W routers with Hardware: 0.01 / Software: V1.1. ...) NOT-FOR-US: NetComm Wireless 4GT101W routers CVE-2017-11644 (When ImageMagick 7.0.6-1 processes a crafted file in convert, it can l ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-14 (unimportant; bug #870016) NOTE: https://github.com/ImageMagick/ImageMagick/issues/587 NOTE: https://github.com/ImageMagick/ImageMagick/commit/a6802e21d824e786d1e2a8440cf749a6e1a8d95f NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/418f88dd18af34b6cb64f709567c81b89865d7bc CVE-2017-11643 (GraphicsMagick 1.3.26 has a heap overflow in the WriteCMYKImage() func ...) {DSA-4321-1 DLA-1401-1 DLA-1045-1} - graphicsmagick 1.3.26-4 (bug #870157) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/d00b74315a71 CVE-2017-11642 (GraphicsMagick 1.3.26 has a NULL pointer dereference in the WriteMAPIm ...) {DSA-4321-1 DLA-1456-1 DLA-1045-1} - graphicsmagick 1.3.26-4 (bug #870156) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/29550606d8b9 CVE-2017-11641 (GraphicsMagick 1.3.26 has a Memory Leak in the PersistCache function i ...) {DSA-4321-1 DLA-1456-1 DLA-1045-1} - graphicsmagick 1.3.26-4 (bug #870155) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/db732abd9318 CVE-2017-11640 (When ImageMagick 7.0.6-1 processes a crafted file in convert, it can l ...) {DSA-4040-1 DSA-4019-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-15 (bug #870067) NOTE: https://github.com/ImageMagick/ImageMagick/issues/584 NOTE: https://github.com/ImageMagick/ImageMagick/commit/1b811f7e7dad92b2992939f854201370a7d8084a NOTE: https://github.com/ImageMagick/ImageMagick/commit/1fcd0feb93b51b9363176097ee5f360c62687d86 CVE-2017-11639 (When ImageMagick 7.0.6-1 processes a crafted file in convert, it can l ...) {DSA-4204-1 DSA-4019-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-15 (bug #870065) NOTE: https://github.com/ImageMagick/ImageMagick/issues/588 NOTE: https://github.com/ImageMagick/ImageMagick/commit/65b7c57502bb2b6d22f607383e87cc3eaed94014 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/8ec8ca4c61b1199b727cf52e440f3db79a5b0d0a CVE-2017-11638 (GraphicsMagick 1.3.26 has a segmentation violation in the WriteMAPImag ...) {DSA-4321-1 DLA-1456-1 DLA-1045-1} - graphicsmagick 1.3.26-4 (bug #870154) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/29550606d8b9 CVE-2017-11637 (GraphicsMagick 1.3.26 has a NULL pointer dereference in the WritePCLIm ...) {DSA-4321-1 DLA-1456-1 DLA-1045-1} - graphicsmagick 1.3.26-4 (bug #870153) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/f3ffc5541257 CVE-2017-11636 (GraphicsMagick 1.3.26 has a heap overflow in the WriteRGBImage() funct ...) {DSA-4321-1 DLA-1401-1 DLA-1045-1} - graphicsmagick 1.3.26-4 (bug #870149) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/39961adf974c CVE-2017-11635 (An issue was discovered on Wireless IP Camera 360 devices. Attackers c ...) NOT-FOR-US: Wireless IP Camera 360 devices CVE-2017-11634 (An issue was discovered on Wireless IP Camera 360 devices. Remote atta ...) NOT-FOR-US: Wireless IP Camera 360 devices CVE-2017-11633 (An issue was discovered on Wireless IP Camera 360 devices. Remote atta ...) NOT-FOR-US: Wireless IP Camera 360 devices CVE-2017-11632 (An issue was discovered on Wireless IP Camera 360 devices. A root acco ...) NOT-FOR-US: Wireless IP Camera 360 devices CVE-2017-11631 (dapur/app/app_user/controller/status.php in Fiyo CMS 2.0.7 has SQL inj ...) NOT-FOR-US: Fiyo CMS CVE-2017-11630 (dapur\apps\app_config\controller\backuper.php in Fiyo CMS 2.0.7 allows ...) NOT-FOR-US: Fiyo CMS CVE-2017-11629 (dayrui FineCms through 5.0.10 has Cross Site Scripting (XSS) in contro ...) NOT-FOR-US: FineCMS CVE-2017-11628 (In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, a sta ...) {DSA-4081-1 DSA-4080-1 DLA-1066-1} - php7.1 7.1.8-1 (low) - php7.0 7.0.22-1 (low) - php5 (low) NOTE: https://bugs.php.net/bug.php?id=74603 NOTE: Fixed in 7.1.7, 7.0.21, 5.6.31 NOTE: Fixed by https://git.php.net/?p=php-src.git;a=commit;h=05255749139b3686c8a6a58ee01131ac0047465e CVE-2017-11627 (A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0, ...) [experimental] - qpdf 7.0~b1-1 - qpdf 7.0.0-1 (low; bug #871320) [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) [wheezy] - qpdf (Minor issue) NOTE: https://github.com/qpdf/qpdf/issues/118 CVE-2017-11626 (A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0, ...) [experimental] - qpdf 7.0~b1-1 - qpdf 7.0.0-1 (low; bug #871320) [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) [wheezy] - qpdf (Minor issue) NOTE: https://github.com/qpdf/qpdf/issues/119 CVE-2017-11625 (A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0, ...) [experimental] - qpdf 7.0~b1-1 - qpdf 7.0.0-1 (low; bug #871320) [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) [wheezy] - qpdf (Minor issue) NOTE: https://github.com/qpdf/qpdf/issues/120 CVE-2017-11624 (A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0, ...) [experimental] - qpdf 7.0~b1-1 - qpdf 7.0.0-1 (low; bug #871320) [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) [wheezy] - qpdf (Minor issue) NOTE: https://github.com/qpdf/qpdf/issues/117 CVE-2017-11623 RESERVED CVE-2017-11622 RESERVED CVE-2017-11621 RESERVED CVE-2017-11620 RESERVED CVE-2017-11619 RESERVED CVE-2017-XXXX [out-of-bounds read in eexec_line()] - t1utils 1.40-1 (bug #868134; unimportant) [jessie] - t1utils (Vulnerable code introduced in 1.39) [wheezy] - t1utils (Vulnerable code introduced in 1.39) NOTE: Crash in CLI tool, no security impact NOTE: https://github.com/kohler/t1utils/issues/6 CVE-2017-13144 (In ImageMagick before 6.9.7-10, there is a crash (rather than a "width ...) {DSA-4040-1 DSA-4019-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-13 (bug #869728) NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31438 NOTE: https://github.com/ImageMagick/ImageMagick/commit/9b580ad0564aefd9beeccbcbb8d62ccd05795a84 CVE-2017-12430 (In ImageMagick 7.0.6-1, a memory exhaustion vulnerability was found in ...) {DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-13 (low; bug #869727) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/546 NOTE: https://github.com/ImageMagick/ImageMagick/commit/98e5d0001cda195da0e8ea7650ab85c6f8333ff5 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/8d537f6d778675e08ef9d238606d05101bf471b9 CVE-2017-XXXX [memory leak in quantize] - imagemagick 8:6.9.7.4+dfsg-13 (unimportant; bug #869722) [wheezy] - imagemagick 8:6.7.7.10-5+deb7u16 NOTE: Workaround entry for DLA-1081-1 since no CVE assigned NOTE: https://github.com/ImageMagick/ImageMagick/issues/574 NOTE: https://github.com/ImageMagick/ImageMagick/commit/7b604a554dfb6630fe32e739334fa57341dc6123 CVE-2017-12664 (ImageMagick 7.0.6-2 has a memory leak vulnerability in WritePALMImage ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-13 (unimportant; bug #869721) NOTE: https://github.com/ImageMagick/ImageMagick/issues/574 NOTE: https://github.com/ImageMagick/ImageMagick/commit/db1ffb6cf44bcfe5c4d5fcf9d9109ded5617387f CVE-2017-12431 (In ImageMagick 7.0.6-1, a use-after-free vulnerability was found in th ...) {DSA-4040-1 DSA-4019-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-13 (bug #869715) NOTE: https://github.com/ImageMagick/ImageMagick/issues/555 NOTE: https://github.com/ImageMagick/ImageMagick/commit/784fcac688161aeaea221e00b706c88b08196945 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/5660836f9197107e9c38f14f27a45c2d9f26afe2 CVE-2017-12428 (In ImageMagick 7.0.6-1, a memory leak vulnerability was found in the f ...) {DSA-4019-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-13 (unimportant; bug #869713) NOTE: https://github.com/ImageMagick/ImageMagick/issues/544 NOTE: https://github.com/ImageMagick/ImageMagick/commit/b2b48d50300a9fbcd0aa0d9230fd6d7a08f7671e NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/f37d26336bf13737db45e556c25fc098f8a8b277 CVE-2017-11618 RESERVED CVE-2017-11617 (Cross-site scripting (XSS) vulnerability in atmail prior to version 7. ...) - atmailopen CVE-2017-11616 RESERVED CVE-2017-11615 (A sandbox escape in the Lua interface in Wube Factorio before 0.15.31 ...) NOT-FOR-US: Wube Factorio CVE-2017-11614 (MEDHOST Connex contains hard-coded credentials that are used for custo ...) NOT-FOR-US: MEDHOST Connex CVE-2017-11613 (In LibTIFF 4.0.8, there is a denial of service vulnerability in the TI ...) {DSA-4349-1 DLA-1411-1 DLA-1391-1} - tiff 4.0.9-5 (low; bug #869823) - tiff3 [wheezy] - tiff3 (Minor issue, revisit once fixed upstream) NOTE: https://gist.github.com/dazhouzhou/1a3b7400547f23fe316db303ab9b604f NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2724 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1475530 NOTE: Upstream fix 1/2: https://gitlab.com/libtiff/libtiff/commit/3719385a3fac5cfb20b487619a5f08abbf967cf8 NOTE: Upstream fix 2/2: https://gitlab.com/libtiff/libtiff/commit/7a092f8af2568d61993a8cc2e7a35a998d7d37be CVE-2017-11612 (In Joomla! before 3.7.4, inadequate filtering of potentially malicious ...) NOT-FOR-US: Joomla! CVE-2016-10401 (ZyXEL PK5001Z devices have zyad5001 as the su password, which makes it ...) NOT-FOR-US: ZyXEL CVE-2017-11611 (Wolf CMS 0.8.3.1 allows Cross-Site Scripting (XSS) attacks. The vulner ...) NOT-FOR-US: Wolf CMS CVE-2017-11610 (The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2 ...) {DSA-3942-1 DLA-1047-1} - supervisor 3.3.1-1.1 (bug #870187) NOTE: https://github.com/Supervisor/supervisor/issues/964 NOTE: 3.3.3 https://github.com/Supervisor/supervisor/commit/058f46141e346b18dee0497ba11203cb81ecb19e NOTE: 3.2.4 https://github.com/Supervisor/supervisor/commit/aac3c21893cab7361f5c35c8e20341b298f6462e NOTE: 3.1.4 https://github.com/Supervisor/supervisor/commit/dbe0f55871a122eac75760aef511efc3a8830b88 NOTE: 3.0.1 https://github.com/Supervisor/supervisor/commit/83060f3383ebd26add094398174f1de34cf7b7f0 CVE-2017-11609 RESERVED CVE-2017-11608 (There is a heap-based buffer over-read in the Sass::Prelexer::re_lineb ...) - libsass 3.4.6-1 (bug #870186) [stretch] - libsass (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1474276 NOTE: https://github.com/sass/libsass/commit/648f763ede97f9a2c2c843a0a18ac18bbde3507b (3.4.6) CVE-2017-11607 RESERVED CVE-2017-11606 RESERVED CVE-2017-11605 (There is a heap based buffer over-read in LibSass 3.4.5, related to ad ...) - libsass (bug #870184) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1474019 CVE-2017-11604 RESERVED CVE-2017-11603 RESERVED CVE-2017-11602 RESERVED CVE-2017-11601 RESERVED CVE-2017-11600 (net/xfrm/xfrm_policy.c in the Linux kernel through 4.12.3, when CONFIG ...) {DSA-3981-1 DLA-1099-1} - linux 4.12.6-1 NOTE: http://seclists.org/bugtraq/2017/Jul/30 CVE-2017-11599 RESERVED CVE-2017-11598 RESERVED CVE-2017-11597 RESERVED CVE-2017-11596 RESERVED CVE-2017-11595 RESERVED CVE-2017-11594 (Cross-site scripting (XSS) vulnerability in the Markdown parser in Loo ...) - loomio (bug #756319) CVE-2017-11593 (Cross-site scripting (XSS) vulnerability in the Markdown Preview Plus ...) NOT-FOR-US: Chrome extension Markdown Preview Plus CVE-2017-11592 (There is a Mismatched Memory Management Routines vulnerability in the ...) - exiv2 (printTiffStructure introduced in 0.26; only affected experimental; bug #895568) NOTE: https://github.com/Exiv2/exiv2/issues/56 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1473889 CVE-2017-11591 (There is a Floating point exception in the Exiv2::ValueType function i ...) {DLA-1147-1} - exiv2 0.27.2-6 (low; bug #876893) [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) [jessie] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/issues/55 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1473888 NOTE: Reproducible in wheezy/jessie/stretch/sid(0.25-3.1)/experimental(0.26-1). CVE-2017-11590 (There is a NULL pointer dereference in the caseless_hash function in g ...) {DLA-1054-1} - libgxps 0.3.0-1 (low; bug #870183) [stretch] - libgxps (Minor issue) [jessie] - libgxps (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1473167 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=785479 NOTE: Fixed by: https://git.gnome.org/browse/libgxps/commit/?id=9d5d2920 CVE-2017-11589 (On Cisco DDR2200 ADSL2+ Residential Gateway DDR2200B-NA-AnnexA-FCC-V00 ...) NOT-FOR-US: Cisco CVE-2017-11588 (On Cisco DDR2200 ADSL2+ Residential Gateway DDR2200B-NA-AnnexA-FCC-V00 ...) NOT-FOR-US: Cisco CVE-2017-11587 (On Cisco DDR2200 ADSL2+ Residential Gateway DDR2200B-NA-AnnexA-FCC-V00 ...) NOT-FOR-US: Cisco CVE-2017-11586 (dayrui FineCms 5.0.9 has URL Redirector Abuse via the url parameter in ...) NOT-FOR-US: FineCms CVE-2017-11585 (dayrui FineCms 5.0.9 has remote PHP code execution via the param param ...) NOT-FOR-US: FineCms CVE-2017-11584 (dayrui FineCms 5.0.9 has SQL Injection via the field parameter in an a ...) NOT-FOR-US: FineCms CVE-2017-11583 (dayrui FineCms 5.0.9 has SQL Injection via the catid parameter in an a ...) NOT-FOR-US: FineCms CVE-2017-11582 (dayrui FineCms 5.0.9 has SQL Injection via the num parameter in an act ...) NOT-FOR-US: FineCms CVE-2017-11581 (dayrui FineCms 5.0.9 has Cross Site Scripting (XSS) in admin/Login.php ...) NOT-FOR-US: FineCms CVE-2017-11580 (Blipcare Wifi blood pressure monitor BP700 10.1 devices allow memory c ...) NOT-FOR-US: Blipcare Wifi blood pressure monitor BP700 10.1 devices CVE-2017-11579 (In the most recent firmware for Blipcare, the device provides an open ...) NOT-FOR-US: Blipcare CVE-2017-11578 (It was discovered as a part of the research on IoT devices in the most ...) NOT-FOR-US: Blipcare CVE-2017-11577 (FontForge 20161012 is vulnerable to a buffer over-read in getsid (pars ...) {DSA-3958-1 DLA-1065-1} - fontforge 1:20170731~dfsg-1 (bug #869614) NOTE: https://github.com/fontforge/fontforge/issues/3088 NOTE: https://github.com/fontforge/fontforge/commit/3245d354865def9d712bdffe61fa211ad6aa4081 CVE-2017-11576 (FontForge 20161012 does not ensure a positive size in a weight vector ...) {DSA-3958-1 DLA-1065-1} - fontforge 1:20170731~dfsg-1 (bug #869614) NOTE: https://github.com/fontforge/fontforge/issues/3091 NOTE: https://github.com/fontforge/fontforge/commit/df349365630344ef3004a3c7934c7e7496692fb1 CVE-2017-11575 (FontForge 20161012 is vulnerable to a buffer over-read in strnmatch (c ...) {DSA-3958-1 DLA-1065-1} - fontforge 1:20170731~dfsg-1 (bug #869614) NOTE: https://github.com/fontforge/fontforge/issues/3096 NOTE: https://github.com/fontforge/fontforge/commit/4de0c58a01e5e30610c200e9aea98bc7db12c7ac CVE-2017-11574 (FontForge 20161012 is vulnerable to a heap-based buffer overflow in re ...) {DSA-3958-1 DLA-1065-1} - fontforge 1:20170731~dfsg-1 (bug #869614) NOTE: https://github.com/fontforge/fontforge/issues/3090 NOTE: https://github.com/fontforge/fontforge/commit/62b6433a81ee7ed6e0ac2d6b09ac85b885046ac3 CVE-2017-11573 (FontForge 20161012 is vulnerable to a buffer over-read in ValidatePost ...) - fontforge (unimportant; bug #873588) NOTE: https://github.com/fontforge/fontforge/issues/3098 NOTE: Crash in GUI tool/related desktop libs, no security impact CVE-2017-11572 (FontForge 20161012 is vulnerable to a heap-based buffer over-read in r ...) {DSA-3958-1 DLA-1065-1} - fontforge 1:20170731~dfsg-1 (bug #869614) NOTE: https://github.com/fontforge/fontforge/issues/3092 CVE-2017-11571 (FontForge 20161012 is vulnerable to a stack-based buffer overflow in a ...) {DSA-3958-1 DLA-1065-1} - fontforge 1:20170731~dfsg-1 (bug #869614) NOTE: https://github.com/fontforge/fontforge/issues/3087 NOTE: https://github.com/fontforge/fontforge/commit/5a0c6522682b0788fc478dd159dd6168cb5fa38b CVE-2017-11570 (FontForge 20161012 is vulnerable to a buffer over-read in umodenc (par ...) - fontforge (unimportant; bug #873587) NOTE: https://github.com/fontforge/fontforge/issues/3097 NOTE: Crash in GUI tool/related desktop libs, no security impact CVE-2017-11569 (FontForge 20161012 is vulnerable to a heap-based buffer over-read in r ...) {DSA-3958-1 DLA-1065-1} - fontforge 1:20170731~dfsg-1 (bug #869614) NOTE: https://github.com/fontforge/fontforge/issues/3093 NOTE: https://github.com/fontforge/fontforge/commit/7bfec47910293bf149b8debe44c6f3f788506092 CVE-2017-11568 (FontForge 20161012 is vulnerable to a heap-based buffer over-read in P ...) {DSA-3958-1 DLA-1065-1} - fontforge 1:20170731~dfsg-1 (bug #869614) NOTE: https://github.com/fontforge/fontforge/issues/3089 CVE-2017-11567 (Cross-site request forgery (CSRF) vulnerability in Mongoose Web Server ...) NOT-FOR-US: Mongoose CVE-2017-11566 (AppUse 4.0 allows shell command injection via a proxy field. ...) NOT-FOR-US: AppUse CVE-2017-1002151 (Pagure 3.3.0 and earlier is vulnerable to loss of confidentially due t ...) - pagure (Fixed before initial upload to the archive) NOTE: https://pagure.io/pagure/pull-request/2426 CVE-2017-11564 (The D-Link EyeOn Baby Monitor (DCS-825L) 1.08.1 has multiple command i ...) NOT-FOR-US: D-Link CVE-2017-11563 (D-Link EyeOn Baby Monitor (DCS-825L) 1.08.1 has a remote code executio ...) NOT-FOR-US: D-Link CVE-2017-11562 (A Session Fixation Vulnerability exists in the MT4 Networks SenhaSegur ...) NOT-FOR-US: MT4 SenhaSegura CVE-2017-11561 (An issue was discovered in ZOHO ManageEngine OpManager 12.2. An authen ...) NOT-FOR-US: ZOHO ManageEngine OpManager CVE-2017-11560 (An issue was discovered in ZOHO ManageEngine OpManager 12.2. By adding ...) NOT-FOR-US: ZOHO ManageEngine OpManager CVE-2017-11559 (An issue was discovered in ZOHO ManageEngine OpManager 12.2. The 'apiK ...) NOT-FOR-US: ZOHO ManageEngine OpManager CVE-2017-11558 RESERVED CVE-2017-11557 (An issue was discovered in ZOHO ManageEngine Applications Manager 12.3 ...) NOT-FOR-US: ZOHO ManageEngine Applications Manager CVE-2017-11556 (There is a stack consumption vulnerability in the Parser::advanceToNex ...) - libsass 3.5.4-1 (bug #870182) [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/2447 NOTE: https://github.com/sass/libsass/commit/7664114543757e932f5b1a2ff5295aa9b34f8623 CVE-2017-11555 (There is an illegal address access in the Eval::operator function in e ...) - libsass 3.5.4-1 (bug #870182) [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/2446 NOTE: https://github.com/sass/libsass/commit/946ef4995bee1b19de581b69850e1eb841c06b12 CVE-2017-11554 (There is a stack consumption vulnerability in the lex function in pars ...) - libsass 3.5.4-1 (bug #870182) [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/2445 NOTE: https://github.com/sass/libsass/commit/7664114543757e932f5b1a2ff5295aa9b34f8623 CVE-2017-11553 (There is an illegal address access in the extend_alias_table function ...) - exiv2 (Vulnerable code introduced after 0.25; only present in experimental; bug #888874) NOTE: https://github.com/Exiv2/exiv2/issues/54 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1471772 CVE-2017-11552 (mpg321.c in mpg321 0.3.2-1 does not properly manage memory for use wit ...) - mpg321 0.3.2-2 (bug #870406) [stretch] - mpg321 (Minor issue) [jessie] - mpg321 (Minor issue) [wheezy] - mpg321 (Minor issue) NOTE: CVE was originally assigned for libmad, but further analysis has shown NOTE: that the underlying issue is in src:mpg321 NOTE: Cf. https://bugs.debian.org/870406#25 for more Details. NOTE: http://seclists.org/fulldisclosure/2017/Jul/94 CVE-2017-11551 (The id3_field_parse function in field.c in libid3tag 0.15.1b allows re ...) - libid3tag 0.15.1b-5 (bug #870333) NOTE: http://seclists.org/fulldisclosure/2017/Jul/85 NOTE: Same issue as #304913 CVE-2017-11550 (The id3_ucs4_length function in ucs4.c in libid3tag 0.15.1b allows rem ...) - libid3tag 0.15.1b-9 (bug #405801) NOTE: http://seclists.org/fulldisclosure/2017/Jul/85 NOTE: Addressed by the 11_unknown_encoding.dpatch patch CVE-2017-11549 (The play_midi function in playmidi.c in TiMidity++ 2.14.0 allows remot ...) - timidity (unimportant; bug #870338) NOTE: http://seclists.org/fulldisclosure/2017/Jul/83 NOTE: https://sourceforge.net/p/timidity/discussion/217458/thread/9a1c9620/ NOTE: Crash in CLI tool, no security impact CVE-2017-11548 (The _tokenize_matrix function in audio_out.c in Xiph.Org libao 1.2.0 a ...) - libao (unimportant; bug #870608) NOTE: http://seclists.org/fulldisclosure/2017/Jul/84 NOTE: Not a security issue in ao, needs to be validated in applications using it, see #870608 CVE-2017-11547 (The resample_gauss function in resample.c in TiMidity++ 2.14.0 allows ...) - timidity 2.14.0-4 (unimportant; bug #870338) NOTE: http://seclists.org/fulldisclosure/2017/Jul/83 NOTE: https://sourceforge.net/p/timidity/discussion/217458/thread/9a1c9620/ NOTE: Crash in CLI tool, no security impact CVE-2017-11546 (The insert_note_steps function in readmidi.c in TiMidity++ 2.14.0 allo ...) - timidity 2.14.0-4 (unimportant; bug #870338) NOTE: http://seclists.org/fulldisclosure/2017/Jul/83 NOTE: https://sourceforge.net/p/timidity/discussion/217458/thread/9a1c9620/ NOTE: Crash in CLI tool, no security impact CVE-2017-11545 REJECTED CVE-2017-11544 REJECTED CVE-2017-11543 (tcpdump 4.9.0 has a buffer overflow in the sliplink_print function in ...) {DSA-3971-1 DLA-1090-1} - tcpdump 4.9.1-3 (bug #873806) NOTE: Fixed by: https://github.com/the-tcpdump-group/tcpdump/commit/7039327875525278d17edee59720e29a3e76b7b3 NOTE: https://github.com/hackerlib/hackerlib-vul/tree/master/tcpdump-vul/global-overflow/print-sl CVE-2017-11542 (tcpdump 4.9.0 has a heap-based buffer over-read in the pimv1_print fun ...) {DSA-3971-1 DLA-1090-1} - tcpdump 4.9.1-3 (bug #873805) NOTE: Fixed by: https://github.com/the-tcpdump-group/tcpdump/commit/bed48062a64fca524156d7684af19f5b4a116fae NOTE: https://github.com/hackerlib/hackerlib-vul/tree/master/tcpdump-vul/heap-buffer-overflow/print-pim CVE-2017-11541 (tcpdump 4.9.0 has a heap-based buffer over-read in the lldp_print func ...) {DSA-3971-1 DLA-1090-1} - tcpdump 4.9.1-3 (bug #873804) NOTE: Fixed by: https://github.com/the-tcpdump-group/tcpdump/commit/21d702a136c5c16882e368af7c173df728242280 NOTE: https://github.com/hackerlib/hackerlib-vul/tree/master/tcpdump-vul/heap-buffer-overflow/util-print CVE-2017-11540 (When ImageMagick 7.0.6-1 processes a crafted file in convert, it can l ...) - imagemagick (Only affects ImageMagick-7 series) NOTE: https://github.com/ImageMagick/ImageMagick/issues/581 CVE-2017-11539 (When ImageMagick 7.0.6-1 processes a crafted file in convert, it can l ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-15 (unimportant; bug #870120) NOTE: https://github.com/ImageMagick/ImageMagick/issues/582 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/4e81160d66f02bf7b4f569669ca7dd80d416ba6e NOTE: ImageMagick-7: https://github.com/ImageMagick/ImageMagick/commit/36aad912d1f405a28a9a1204120b569e7da5898e CVE-2017-11538 (When ImageMagick 7.0.6-1 processes a crafted file in convert, it can l ...) - imagemagick (Vulnerable code introduced later, cf bug #870110) NOTE: https://github.com/ImageMagick/ImageMagick/issues/569 NOTE: https://github.com/ImageMagick/ImageMagick/commit/0a80c9e5f293a8de51011ac784ac52b96932c08f NOTE: Introduced after: https://github.com/ImageMagick/ImageMagick/commit/0bf18387ae1336475631284854b664d0e2d89697 CVE-2017-11537 (When ImageMagick 7.0.6-1 processes a crafted file in convert, it can l ...) {DSA-4019-1 DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-13 (low; bug #869712) NOTE: https://github.com/ImageMagick/ImageMagick/issues/560 NOTE: https://github.com/ImageMagick/ImageMagick/commit/2bbc1b96f0d9371df675fdf7b8fc9bd4a42ae9cd NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/bac384563f557d1ac7413d2eaec00dd59c3cc29b CVE-2017-11536 (When ImageMagick 7.0.6-1 processes a crafted file in convert, it can l ...) - imagemagick 8:6.9.7.4+dfsg-13 (unimportant; bug #869831) [wheezy] - imagemagick (vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/567 NOTE: https://github.com/ImageMagick/ImageMagick/commit/167e1538ae9818d46c9462a4273082871e35a480 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/dba1ccfbcdf61c0eb599c7c308b42ed46dc92be6 CVE-2017-11535 (When ImageMagick 7.0.6-1 processes a crafted file in convert, it can l ...) {DSA-4204-1 DSA-4019-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-13 (bug #869827) NOTE: https://github.com/ImageMagick/ImageMagick/issues/561 NOTE: https://github.com/ImageMagick/ImageMagick/commit/b8647f11ddfd6f85a6cc39654c7e78c2bc6412e4 NOTE: Imagemagick-6: https://github.com/ImageMagick/ImageMagick/commit/bba95cfcc19fa8a261e12692f31279148ad42441 CVE-2017-11534 (When ImageMagick 7.0.6-1 processes a crafted file in convert, it can l ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-13 (unimportant; bug #869711) NOTE: https://github.com/ImageMagick/ImageMagick/issues/564 NOTE: https://github.com/ImageMagick/ImageMagick/commit/3f21b17f06eacb40dab08738e0abf68fb0d58c90 CVE-2017-11533 (When ImageMagick 7.0.6-1 processes a crafted file in convert, it can l ...) {DSA-4204-1 DSA-4019-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-13 (bug #869834) NOTE: https://github.com/ImageMagick/ImageMagick/issues/562 NOTE: https://github.com/ImageMagick/ImageMagick/commit/f0c29cc251578fe0ad8ec7b72f2487a77a1696b8 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/ed1fd69231ab21dc540167c63bc3b0fa3282ec59 CVE-2017-11532 (When ImageMagick 7.0.6-1 processes a crafted file in convert, it can l ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-13 (unimportant; bug #869726) NOTE: https://github.com/ImageMagick/ImageMagick/issues/563 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/d60d705cddac7fa5d0e6596c183bbb9b46a57161 CVE-2017-11531 (When ImageMagick 7.0.6-1 processes a crafted file in convert, it can l ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-13 (unimportant; bug #869725) NOTE: https://github.com/ImageMagick/ImageMagick/issues/566 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/c81594c6ee93581b97e8f8c743200b1366d83989 NOTE: https://github.com/ImageMagick/ImageMagick/commit/1885ab1231e82f90d3f0e839555ee3e1a441bbf8 CVE-2017-11521 (The SdpContents::Session::Medium::parse function in resip/stack/SdpCon ...) {DLA-1439-1 DLA-1040-1} - resiprocate (low; bug #869404) [stretch] - resiprocate (Minor issue) NOTE: https://github.com/resiprocate/resiprocate/pull/88 NOTE: https://github.com/resiprocate/resiprocate/pull/88/commits/4b8ffa5afd3291a2701f8d39c31ada443f79a5c8 CVE-2016-10400 (Directory Traversal exists in ATutor before 2.2.2 via the icon paramet ...) NOT-FOR-US: ATutor CVE-2017-11520 RESERVED CVE-2017-11519 (passwd_recovery.lua on the TP-Link Archer C9(UN)_V2_160517 allows an a ...) NOT-FOR-US: TP-Link CVE-2016-10399 (Sendio versions before 8.2.1 were affected by a Local File Inclusion v ...) NOT-FOR-US: Sendio CVE-2017-11518 RESERVED CVE-2017-11517 (Stack-based buffer overflow in GCoreServer.exe in the server in Geuteb ...) NOT-FOR-US: Geutebrueck Gcore CVE-2017-11516 (An XSS vulnerability exists in framework/views/errorHandler/exception. ...) NOT-FOR-US: Yii Framework CVE-2017-11515 RESERVED CVE-2017-11514 RESERVED CVE-2017-11513 RESERVED CVE-2017-11512 (The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file ...) NOT-FOR-US: ManageEngine ServiceDesk CVE-2017-11511 (The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file ...) NOT-FOR-US: ManageEngine ServiceDesk CVE-2017-11510 (An information leak exists in Wanscam's HW0021 network camera that all ...) NOT-FOR-US: Wanscam's HW0021 network camera CVE-2017-11509 (An authenticated remote attacker can execute arbitrary code in Firebir ...) {DLA-2129-1 DLA-1374-1} - firebird3.0 3.0.3.32900.ds4-3 [stretch] - firebird3.0 (Minor issue, can be fixed along in a future update) - firebird2.5 NOTE: https://www.tenable.com/security/research/tra-2017-36 NOTE: Firebird upstream responded to Tenable the issue is not intended to be addressed NOTE: in "any current release". NOTE: Issue adressed by disabling UDFs in firebird.conf, this is not a source code fix, NOTE: and might actually be considered more justof a mitigation. NOTE: Steps to reproduce (partly) in: https://lists.debian.org/874lk9wyz5.fsf@curie.anarc.at CVE-2017-11508 (SecurityCenter versions 5.5.0, 5.5.1 and 5.5.2 contain a SQL Injection ...) NOT-FOR-US: SecurityCenter CVE-2017-11507 (A cross site scripting (XSS) vulnerability exists in Check_MK versions ...) - check-mk 1.2.8p26-1 [wheezy] - check-mk (Minor issue) NOTE: http://mathias-kettner.com/check_mk_werks.php?werk_id=7661 NOTE: https://www.tenable.com/security/research/tra-2017-20 CVE-2017-11506 (When linking a Nessus scanner or agent to Tenable.io or other manager, ...) NOT-FOR-US: Nessus CVE-2017-11565 (debian/tor.init in the Debian tor_0.2.9.11-1~deb9u1 package for Tor wa ...) - tor 0.3.1.7-1 (bug #869153) [stretch] - tor (Minor issue) [jessie] - tor (aa-exec in jessie is located in /usr/sbin/) [wheezy] - tor (aa-exec in jessie is located in /usr/sbin/) NOTE: https://twitter.com/pissquark/status/888142796414226432 CVE-2017-11523 (The ReadTXTImage function in coders/txt.c in ImageMagick through 6.9.9 ...) {DSA-4019-1 DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-14 (low; bug #869210) NOTE: https://github.com/ImageMagick/ImageMagick/issues/591 NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/83e0f8ffd7eeb7661b0ff83257da23d24ca7f078 NOTE: Fixed by (ImageMagick-6): https://github.com/ImageMagick/ImageMagick/commit/a8f9c2aabed37cd6a728532d1aed13ae0f3dfd78 CVE-2017-11522 (The WriteOnePNGImage function in coders/png.c in ImageMagick through 6 ...) - imagemagick (bug #869209; vulnerable code not present, ImageMagick-7 issue only) NOTE: https://github.com/ImageMagick/ImageMagick/issues/586 NOTE: https://github.com/ImageMagick/ImageMagick/commit/816ecab6c532ae086ff4186b3eaf4aa7092d536f CVE-2017-11504 RESERVED CVE-2017-11503 (PHPMailer 5.2.23 has XSS in the "From Email Address" and "To Email Add ...) - libphp-phpmailer 6.0.6-0.1 (unimportant) NOTE: code_generator.phps installed to examples CVE-2017-11502 (Technicolor DPC3928AD DOCSIS devices allow remote attackers to read ar ...) NOT-FOR-US: Technicolor CVE-2017-11501 (NixOS 17.03 and earlier has an unintended default absence of SSL Certi ...) NOT-FOR-US: NixOS CVE-2017-11500 (A directory traversal vulnerability exists in MetInfo 5.3.17. A remote ...) NOT-FOR-US: MetInfo CVE-2017-11499 (Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11. ...) - nodejs 4.8.4~dfsg-1 (bug #868162; unimportant) NOTE: https://nodejs.org/en/blog/release/v6.11.1/ NOTE: https://nodejs.org/en/blog/release/v4.8.4/ CVE-2017-11498 (Buffer overflow in hasplms in Gemalto ACC (Admin Control Center), all ...) NOT-FOR-US: Gemalto ACC CVE-2017-11497 (Stack buffer overflow in hasplms in Gemalto ACC (Admin Control Center) ...) NOT-FOR-US: Gemalto ACC CVE-2017-11496 (Stack buffer overflow in hasplms in Gemalto ACC (Admin Control Center) ...) NOT-FOR-US: Gemalto ACC CVE-2017-11495 (PHICOMM K2(PSG1218) devices V22.5.11.5 and earlier allow unauthenticat ...) NOT-FOR-US: PHICOMM CVE-2017-11494 (SQL injection vulnerability in SOL.Connect ISET-mpp meter 1.2.4.2 and ...) NOT-FOR-US: SOL.Connect ISET-mpp meter CVE-2017-11493 REJECTED CVE-2017-11492 REJECTED CVE-2017-11491 REJECTED CVE-2017-11490 REJECTED CVE-2017-11489 REJECTED CVE-2017-11488 REJECTED CVE-2017-11487 REJECTED CVE-2017-11486 REJECTED CVE-2017-11485 REJECTED CVE-2017-11484 REJECTED CVE-2017-11483 REJECTED CVE-2017-11482 (The Kibana fix for CVE-2017-8451 was found to be incomplete. With X-Pa ...) - kibana (bug #700337) CVE-2017-11481 (Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (X ...) - kibana (bug #700337) CVE-2017-11480 (Packetbeat versions prior to 5.6.4 are affected by a denial of service ...) NOT-FOR-US: Packetbeat CVE-2017-11479 (Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulner ...) - kibana (bug #700337) CVE-2017-11477 RESERVED CVE-2017-11476 RESERVED CVE-2017-11475 (GLPI before 9.1.5.1 has SQL Injection in the condition rule field, exp ...) - glpi (unimportant) NOTE: Only supported behind an authenticated HTTP zone CVE-2017-11474 (GLPI before 9.1.5.1 has SQL Injection in the $crit variable in inc/com ...) - glpi (unimportant) NOTE: Only supported behind an authenticated HTTP zone CVE-2017-11471 (IDERA Uptime Monitor 7.8 has SQL injection in /gadgets/definitions/upt ...) NOT-FOR-US: IDERA Uptime Monitor CVE-2017-11470 (IDERA Uptime Monitor 7.8 has SQL injection in /gadgets/definitions/upt ...) NOT-FOR-US: IDERA Uptime Monitor CVE-2017-11469 (get2post.php in IDERA Uptime Monitor 7.8 has directory traversal in th ...) NOT-FOR-US: IDERA Uptime Monitor CVE-2017-11468 (Docker Registry before 2.6.2 in Docker Distribution does not properly ...) - docker-registry 2.6.2~ds1-1 (bug #869242) CVE-2017-11467 (OrientDB through 2.2.22 does not enforce privilege requirements during ...) NOT-FOR-US: OrientDB CVE-2017-11465 (The parser_yyerror function in the UTF-8 parser in Ruby 2.4.1 allows a ...) - ruby2.3 (Specific to Ruby 2.4) - ruby2.1 (Specific to Ruby 2.4) CVE-2017-11464 (A SIGFPE is raised in the function box_blur_line of rsvg-filter.c in G ...) - librsvg 2.40.18-1 (bug #869129) [stretch] - librsvg (Minor issue) [jessie] - librsvg (Vulnerable code introduced in 2.40.9) [wheezy] - librsvg (Vulnerable code introduced in 2.40.9) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=783835 NOTE: Introduced in: https://git.gnome.org/browse/librsvg/commit/?id=054807726db76558728e7a7513aabc4698b3dc95 (2.40.9) NOTE: Fixed by: https://git.gnome.org/browse/librsvg/commit/?id=ecf9267a24b2c3c0cd211dbdfa9ef2232511972a CVE-2017-11473 (Buffer overflow in the mp_override_legacy_irq() function in arch/x86/k ...) - linux 4.13.4-1 (unimportant) [stretch] - linux 4.9.47-1 [jessie] - linux 3.16.51-1 [wheezy] - linux 3.2.96-1 NOTE: Fixed by: https://git.kernel.org/linus/dad5ab0db8deac535d03e3fe3d8f2892173fa6a4 NOTE: Non-issue since ACPI tables are trusted CVE-2017-11472 (The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in t ...) - linux 4.12.6-1 (unimportant) NOTE: Fixed by: https://git.kernel.org/linus/3b2d69114fefa474fca542e51119036dceb4aa6f (4.12-rc1) NOTE: Non-issue since ACPI tables are trusted CVE-2017-11466 (Arbitrary file upload vulnerability in com/dotmarketing/servlets/AjaxF ...) NOT-FOR-US: dotCMS CVE-2017-11463 (In Ivanti Service Desk (formerly LANDESK Management Suite) versions be ...) NOT-FOR-US: LANDESK CVE-2017-11462 (Double free vulnerability in MIT Kerberos 5 (aka krb5) allows attacker ...) - krb5 1.15.2-1 (low; bug #873563) [stretch] - krb5 (Minor issue, might lead to behaviour changes) [jessie] - krb5 (Minor issue, might lead to behaviour changes) [wheezy] - krb5 (Minor issue, might lead to behaviour changes) NOTE: Fixed by: https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf NOTE: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8598 CVE-2017-11461 (NetApp OnCommand Unified Manager for 7-mode (core package) versions pr ...) NOT-FOR-US: NetApp CVE-2017-11460 (Cross-site scripting (XSS) vulnerability in the DataArchivingService s ...) NOT-FOR-US: SAP CVE-2017-11459 (SAP TREX 7.10 allows remote attackers to (1) read arbitrary files via ...) NOT-FOR-US: SAP CVE-2017-11458 (Cross-site scripting (XSS) vulnerability in the ctcprotocol/Protocol s ...) NOT-FOR-US: SAP CVE-2017-11457 (XML external entity (XXE) vulnerability in com.sap.km.cm.ice in SAP Ne ...) NOT-FOR-US: SAP CVE-2017-11456 (Geneko GWR routers allow directory traversal sequences starting with a ...) NOT-FOR-US: Geneko GWR routers CVE-2017-11455 (diag.cgi in Pulse Connect Secure 8.2R1 through 8.2R5, 8.1R1 through 8. ...) NOT-FOR-US: Pulse Connect Secure CVE-2017-11454 RESERVED CVE-2017-11453 RESERVED CVE-2017-11452 RESERVED CVE-2017-11451 RESERVED CVE-2017-11450 (coders/jpeg.c in ImageMagick before 7.0.6-1 allows remote attackers to ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867894) NOTE: https://github.com/ImageMagick/ImageMagick/issues/556 NOTE: https://github.com/ImageMagick/ImageMagick/commit/948356eec65aea91995d4b7cc487d197d2c5f602 CVE-2017-11449 (coders/mpc.c in ImageMagick before 7.0.6-1 does not enable seekable st ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867896) NOTE: https://github.com/ImageMagick/ImageMagick/issues/556 NOTE: https://github.com/ImageMagick/ImageMagick/commit/b007dd3a048097d8f58949297f5b434612e1e1a3#diff-cdb21e3ad4d6e304030bd19bdc881fce NOTE: https://github.com/ImageMagick/ImageMagick/commit/529ff26b68febb2ac03062c58452ea0b4c6edbc1#diff-cdb21e3ad4d6e304030bd19bdc881fce CVE-2017-11448 (The ReadJPEGImage function in coders/jpeg.c in ImageMagick before 7.0. ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867893) NOTE: https://github.com/ImageMagick/ImageMagick/issues/556 NOTE: https://github.com/ImageMagick/ImageMagick/commit/1737ac82b335e53376382c07b9a500d73dd2aa11 CVE-2017-11447 (The ReadSCREENSHOTImage function in coders/screenshot.c in ImageMagick ...) {DSA-3914-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867897) [wheezy] - imagemagick (vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/556 NOTE: https://github.com/ImageMagick/ImageMagick/commit/8c10b9247509c0484b55330458846115131ec2ae#diff-0a5dc34e461f3c458e758c199f2dc46d CVE-2017-11446 (The ReadPESImage function in coders\pes.c in ImageMagick 7.0.6-1 has a ...) {DSA-4019-1 DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-13 (low; bug #868950) NOTE: https://github.com/ImageMagick/ImageMagick/issues/537 NOTE: ImageMagick-7: https://github.com/ImageMagick/ImageMagick/commit/787ee25e9fb0e4e0509121342371d925fe5044f8 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/96182884778bfc43d6a9a0abd90cedb5d8cf8977 CVE-2017-11445 (Subrion CMS before 4.1.6 has a SQL injection vulnerability in /front/a ...) NOT-FOR-US: Subrion CMS CVE-2017-11444 (Subrion CMS before 4.1.5.10 has a SQL injection vulnerability in /fron ...) NOT-FOR-US: Subrion CMS CVE-2017-11443 RESERVED CVE-2017-11442 RESERVED CVE-2017-11441 (The WHM Upload Locale interface in cPanel before 56.0.51, 58.x before ...) NOT-FOR-US: WHM Upload Locale interface in cPanel CVE-2017-11440 (In Sitecore 8.2, there is absolute path traversal via the shell/Applic ...) NOT-FOR-US: Sitecore CVE-2017-11439 (In Sitecore 8.2, there is reflected XSS in the shell/Applications/Tool ...) NOT-FOR-US: Sitecore CVE-2017-11438 (GitLab Community Edition (CE) and Enterprise Edition (EE) before 9.0.1 ...) - gitlab (Only affects 8.5 onwards) NOTE: https://about.gitlab.com/2017/07/19/gitlab-9-dot-3-dot-8-released/ CVE-2017-11437 (GitLab Enterprise Edition (EE) before 8.17.7, 9.0.11, 9.1.8, 9.2.8, an ...) - gitlab (Only affects Enterprise Edition) NOTE: https://gitlab.com/gitlab-org/gitlab-ee/issues/2905 NOTE: https://about.gitlab.com/2017/07/19/gitlab-9-dot-3-dot-8-released/ CVE-2017-11436 (D-Link DIR-615 before v20.12PTb04 has a second admin account with a 0x ...) NOT-FOR-US: D-Link CVE-2017-11435 (The Humax Wi-Fi Router model HG100R-* 2.0.6 is prone to an authenticat ...) NOT-FOR-US: Humax Wi-Fi Router model HG100R-* CVE-2017-11434 (The dhcp_decode function in slirp/bootp.c in QEMU (aka Quick Emulator) ...) {DSA-3925-1 DLA-1497-1 DLA-1071-1 DLA-1070-1} - qemu 1:2.8+dfsg-7 (bug #869171) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-07/msg05001.html CVE-2017-11433 RESERVED CVE-2017-11432 RESERVED CVE-2017-11431 RESERVED CVE-2017-11430 (OmniAuth OmnitAuth-SAML 1.9.0 and earlier may incorrectly utilize the ...) - ruby-omniauth-saml (The actual vulnerability is in ruby-saml, which is used by the Debian package) NOTE: The change in 1.10.0 simply bumps the version requirement NOTE: https://github.com/omniauth/omniauth-saml/issues/156 NOTE: https://github.com/omniauth/omniauth-saml/pull/157 NOTE: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations NOTE: https://www.kb.cert.org/vuls/id/475445 CVE-2017-11429 (Clever saml2-js 2.0 and earlier may incorrectly utilize the results of ...) NOT-FOR-US: Clever saml2-js NOTE: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations NOTE: https://nodesecurity.io/advisories/567 NOTE: https://www.kb.cert.org/vuls/id/475445 CVE-2017-11428 (OneLogin Ruby-SAML 1.6.0 and earlier may incorrectly utilize the resul ...) - ruby-saml 1.7.2-1 (bug #892865) [stretch] - ruby-saml (Minor issue) NOTE: fixed in 1.7.0 NOTE: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations NOTE: https://www.kb.cert.org/vuls/id/475445 NOTE: https://github.com/onelogin/ruby-saml/commit/048a544730930f86e46804387a6b6fad50d8176f CVE-2017-11427 (OneLogin PythonSAML 2.3.0 and earlier may incorrectly utilize the resu ...) NOT-FOR-US: OneLogin python-saml NOTE: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations NOTE: https://www.kb.cert.org/vuls/id/475445 CVE-2017-11426 RESERVED CVE-2017-11425 RESERVED CVE-2017-11424 (In PyJWT 1.5.0 and below the `invalid_strings` check in `HMACAlgorithm ...) {DSA-3979-1} - pyjwt 1.4.2-1.1 (bug #873244) NOTE: https://github.com/jpadilla/pyjwt/pull/277 CVE-2017-11423 (The cabd_read_string function in mspack/cabd.c in libmspack 0.5alpha, ...) {DSA-3946-1 DLA-1279-1} - libmspack 0.6-1 (bug #868956) - clamav 0.99.3~beta1+dfsg-1 (unimportant) [stretch] - clamav 0.99.4+dfsg-1+deb9u1 NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11873 (not public) NOTE: https://github.com/kyz/libmspack/commit/17038206fcc384dcee6dd9e3a75f08fd3ddc6a38 NOTE: https://github.com/hackerlib/hackerlib-vul/tree/master/clamav-vul NOTE: ClamAV: https://github.com/vrtadmin/clamav-devel/commit/ffa31264a657618a0e40c51c01e4bfc32e244d13 NOTE: ClamaV: https://github.com/vrtadmin/clamav-devel/commit/ada5f94e5cfb04e1ac2a6f383f2184753f475b96 NOTE: ClamAV uses the libmspack system library when available. This is the NOTE: case from starting from Debian Jessie. Debian Wheezy does not have NOTE: libmspack and thus need to have the fix as well in the src:clamav source package. CVE-2017-11422 (Statamic framework before 2.6.0 does not correctly check a session's p ...) NOT-FOR-US: Statamic CVE-2017-11420 (Stack-based buffer overflow in ASUS_Discovery.c in networkmap in Asusw ...) NOT-FOR-US: ASUS CVE-2017-11419 (Fiyo CMS 2.0.7 has SQL injection in /apps/app_article/controller/edito ...) NOT-FOR-US: Fiyo CMS CVE-2017-11418 (Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/ ...) NOT-FOR-US: Fiyo CMS CVE-2017-11417 (Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/ ...) NOT-FOR-US: Fiyo CMS CVE-2017-11416 (Fiyo CMS 2.0.7 has SQL injection in /apps/app_comment/controller/inser ...) NOT-FOR-US: Fiyo CMS CVE-2017-11415 (Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/sys_article ...) NOT-FOR-US: Fiyo CMS CVE-2017-11414 (Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_comment/sys_comment ...) NOT-FOR-US: Fiyo CMS CVE-2017-11413 (Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/ ...) NOT-FOR-US: Fiyo CMS CVE-2017-11412 (Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_comment/controller/ ...) NOT-FOR-US: Fiyo CMS CVE-2017-11411 (In Wireshark through 2.0.13 and 2.2.x through 2.2.7, the openSAFETY di ...) - wireshark 2.4.0-1 (bug #870179) [stretch] - wireshark (Incomplete fix for CVE-2017-9350 not applied) [jessie] - wireshark (Incomplete fix for CVE-2017-9350 not applied) [wheezy] - wireshark (Incomplete fix for CVE-2017-9350 not applied) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13755 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=a83a324acdfc07a0ca8b65e6ebaba3374ab19c76 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-28.html CVE-2017-11410 (In Wireshark through 2.0.13 and 2.2.x through 2.2.7, the WBXML dissect ...) - wireshark 2.4.0-1 (bug #870180) [jessie] - wireshark (Incomplete fix for CVE-2017-7702 not applied) [wheezy] - wireshark (Incomplete fix for CVE-2017-7702 not applied) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13796 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=3c7168cc5f044b4da8747d35da0b2b204dabf398 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-13.html CVE-2017-11409 (In Wireshark 2.0.0 to 2.0.13, the GPRS LLC dissector could go into a l ...) {DLA-1634-1} - wireshark 2.2.0~rc1+g438c022-1 (low) [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13603 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=57b83bbbd76f543eb8d108919f13b662910bff9a NOTE: https://www.wireshark.org/security/wnpa-sec-2017-37.html NOTE: Technically the 2.2.0~rc1+g438c022-1 is just the first version in unstable NOTE: after 2.1.0 from upstream. Upstream changed the types in llc_gprs_dissect_xid NOTE: in version 2.1.0. CVE-2017-11408 (In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the AMQP dissector co ...) {DSA-4060-1 DLA-1226-1} - wireshark 2.4.0-1 (bug #870172) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13780 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=a102c172b0b2fe231fdb49f4f6694603f5b93b0c NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=e57c86ef8e3b57b7f90c224f6053d1eacf20e1ba NOTE: https://www.wireshark.org/security/wnpa-sec-2017-34.html CVE-2017-11407 (In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the MQ dissector coul ...) {DLA-1634-1} - wireshark 2.4.0-1 (low; bug #870172) [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13792 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=4e54dae7f0d7840836ee6d5ce1e688f152ab2978 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-35.html CVE-2017-11406 (In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the DOCSIS dissector ...) {DLA-1634-1} - wireshark 2.4.0-1 (bug #870172) [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13797 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=250216263c3a3f2c651e80d9c6b3dc0adc53dc2c NOTE: https://www.wireshark.org/security/wnpa-sec-2017-36.html CVE-2017-11405 (In CMS Made Simple (CMSMS) 2.2.2, remote authenticated administrators ...) NOT-FOR-US: CMS Made Simple CVE-2017-11404 (In CMS Made Simple (CMSMS) 2.2.2, remote authenticated administrators ...) NOT-FOR-US: CMS Made Simple CVE-2017-11403 (The ReadMNGImage function in coders/png.c in GraphicsMagick 1.3.26 has ...) {DSA-4321-1 DLA-1456-1 DLA-1045-1} - graphicsmagick 1.3.26-3 NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/d0a76868ca37 NOTE: When fixing this CVE make sure to not make the fix incomplete and open the CVE-2017-14103 NOTE: issue. See: http://www.openwall.com/lists/oss-security/2017/09/01/6 NOTE: The addition required commit is: http://hg.code.sf.net/p/graphicsmagick/code/rev/98721124e51f CVE-2017-11402 (An issue has been discovered on the Belden Hirschmann Tofino Xenon Sec ...) NOT-FOR-US: Belden Hirschmann Tofino Xenon Security Appliance CVE-2017-11401 (An issue has been discovered on the Belden Hirschmann Tofino Xenon Sec ...) NOT-FOR-US: Belden Hirschmann Tofino Xenon Security Appliance CVE-2017-11400 (An issue has been discovered on the Belden Hirschmann Tofino Xenon Sec ...) NOT-FOR-US: Belden Hirschmann Tofino Xenon Security Appliance CVE-2017-11421 (gnome-exe-thumbnailer before 0.9.5 is prone to a VBScript Injection wh ...) - gnome-exe-thumbnailer 0.9.5-1 (bug #868705) [stretch] - gnome-exe-thumbnailer 0.9.4-2+deb9u1 NOTE: http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html NOTE: https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5 CVE-2017-11399 (Integer overflow in the ape_decode_frame function in libavcodec/apedec ...) {DSA-3957-1} - ffmpeg 7:3.3.3-1 NOTE: https://github.com/FFmpeg/FFmpeg/commit/ba4beaf6149f7241c8bd85fe853318c2f6837ad0 NOTE: Fixed in 3.2.7 CVE-2017-11398 (A session hijacking via log disclosure vulnerability in Trend Micro Sm ...) NOT-FOR-US: Trend Micro CVE-2017-11397 (A service DLL preloading vulnerability in Trend Micro Encryption for E ...) NOT-FOR-US: Trend Micro CVE-2017-11396 (Vulnerability issues with the web service inspection of input paramete ...) NOT-FOR-US: Trend Micro Web Security Virtual Appliance CVE-2017-11395 (Command injection vulnerability in Trend Micro Smart Protection Server ...) NOT-FOR-US: Trend Micro Smart Protection Server CVE-2017-11394 (Proxy command injection vulnerability in Trend Micro OfficeScan 11 and ...) NOT-FOR-US: Trend Micro CVE-2017-11393 (Proxy command injection vulnerability in Trend Micro OfficeScan 11 and ...) NOT-FOR-US: Trend Micro CVE-2017-11392 (Proxy command injection vulnerability in Trend Micro InterScan Messagi ...) NOT-FOR-US: Trend Micro CVE-2017-11391 (Proxy command injection vulnerability in Trend Micro InterScan Messagi ...) NOT-FOR-US: Trend Micro CVE-2017-11390 (XML external entity (XXE) processing vulnerability in Trend Micro Cont ...) NOT-FOR-US: Trend Micro Control Manager CVE-2017-11389 (Directory traversal vulnerability in Trend Micro Control Manager 6.0 a ...) NOT-FOR-US: Trend Micro Control Manager CVE-2017-11388 (SQL Injection in Trend Micro Control Manager 6.0 causes Remote Code Ex ...) NOT-FOR-US: Trend Micro Control Manager CVE-2017-11387 (Authentication Bypass in Trend Micro Control Manager 6.0 causes Inform ...) NOT-FOR-US: Trend Micro Control Manager CVE-2017-11386 (SQL Injection in Trend Micro Control Manager 6.0 causes Remote Code Ex ...) NOT-FOR-US: Trend Micro Control Manager CVE-2017-11385 (SQL Injection in Trend Micro Control Manager 6.0 causes Remote Code Ex ...) NOT-FOR-US: Trend Micro Control Manager CVE-2017-11384 (SQL Injection in Trend Micro Control Manager 6.0 causes Remote Code Ex ...) NOT-FOR-US: Trend Micro Control Manager CVE-2017-11383 (SQL Injection in Trend Micro Control Manager 6.0 causes Remote Code Ex ...) NOT-FOR-US: Trend Micro Control Manager CVE-2017-11382 (Denial of Service vulnerability in Trend Micro Deep Discovery Email In ...) NOT-FOR-US: Trend Micro CVE-2017-11381 (A command injection vulnerability exists in Trend Micro Deep Discovery ...) NOT-FOR-US: Trend Micro Deep Discovery Director CVE-2017-11380 (Backup archives were found to be encrypted with a static password acro ...) NOT-FOR-US: Trend Micro Deep Discovery Director CVE-2017-11379 (Configuration and database backup archives are not signed or validated ...) NOT-FOR-US: Trend Micro Deep Discovery Director CVE-2017-11378 RESERVED CVE-2017-11377 RESERVED CVE-2017-11376 RESERVED CVE-2017-11375 RESERVED CVE-2017-11374 RESERVED CVE-2017-11373 RESERVED CVE-2017-11372 RESERVED CVE-2017-11371 RESERVED CVE-2017-11370 RESERVED CVE-2017-11369 RESERVED CVE-2017-11368 (In MIT Kerberos 5 (aka krb5) 1.7 and later, an authenticated attacker ...) {DLA-1058-1} - krb5 1.15.1-2 (bug #869260) [stretch] - krb5 1.15-1+deb9u1 [jessie] - krb5 1.12.1+dfsg-19+deb8u3 NOTE: https://github.com/krb5/krb5/pull/678/commits/a860385dd8fbd239fdb31b347e07f4e6b2fbdcc2 CVE-2017-11367 (The shoco_decompress function in the API in shoco through 2017-07-17 a ...) NOT-FOR-US: shoco CVE-2017-11366 (components/filemanager/class.filemanager.php in Codiad before 2.8.4 is ...) NOT-FOR-US: Codiad CVE-2017-11365 (Certain Symfony products are affected by: Incorrect Access Control. Th ...) - symfony (introduced in versions that were never packaged in Debian) NOTE: https://symfony.com/blog/cve-2017-11365-empty-passwords-validation-issue CVE-2017-11364 (The CMS installer in Joomla! before 3.7.4 does not verify a user's own ...) NOT-FOR-US: Joomla! CVE-2017-11363 RESERVED CVE-2017-11362 (In PHP 7.x before 7.0.21 and 7.1.x before 7.1.7, ext/intl/msgformat/ms ...) - php7.1 7.1.8-1 (unimportant) - php7.0 7.0.22-1 (unimportant) - php5 (unimportant) NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73473 NOTE: Fixed in 7.1.7, 7.0.21 NOTE: Only triggerable by malicious script CVE-2017-11361 (Inteno routers have a JUCI ACL misconfiguration that allows the "user" ...) NOT-FOR-US: Inteno routers CVE-2017-11360 (The ReadRLEImage function in coders\rle.c in ImageMagick 7.0.6-1 has a ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867808) NOTE: https://github.com/ImageMagick/ImageMagick/issues/518 NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/224bc946b24824a77e8e8c52ee07e9bc65796e30 CVE-2017-11359 (The wavwritehdr function in wav.c in Sound eXchange (SoX) 14.4.2 allow ...) {DLA-1705-1 DLA-1197-1} - sox 14.4.2-2 (bug #870328) [stretch] - sox 14.4.1-5+deb9u2 NOTE: http://seclists.org/fulldisclosure/2017/Jul/81 NOTE: Upstream bug report https://sourceforge.net/p/sox/bugs/296/ NOTE: https://github.com/mansr/sox/commit/8b590b3a52f4ccc4eea3f41b4a067c38b3565b60 CVE-2017-11358 (The read_samples function in hcom.c in Sound eXchange (SoX) 14.4.2 all ...) {DLA-1705-1 DLA-1197-1} - sox 14.4.2-2 (bug #870328) [stretch] - sox 14.4.1-5+deb9u2 NOTE: http://seclists.org/fulldisclosure/2017/Jul/81 NOTE: Upstream bug report https://sourceforge.net/p/sox/bugs/296/ NOTE: https://github.com/mansr/sox/commit/6cb44a44b9eda6b321ccdbf6483348d4a9798b00 CVE-2017-11357 (Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not prope ...) NOT-FOR-US: Progress Telerik UI CVE-2017-11356 (The application distribution export functionality in PEGA Platform 7.2 ...) NOT-FOR-US: PEGA Platform CVE-2017-11355 (Multiple cross-site scripting (XSS) vulnerabilities in PEGA Platform 7 ...) NOT-FOR-US: PEGA Platform CVE-2017-11354 (Fiyo CMS v2.0.7 has an SQL injection vulnerability in dapur/apps/app_a ...) NOT-FOR-US: Fiyo CMS CVE-2017-11351 (Axesstel MU553S MU55XS-V1.14 devices have a default password of admin ...) NOT-FOR-US: Axesstel MU553S MU55XS-V1.14 CVE-2017-11350 (Cross-Site Request Forgery (CSRF) exists in cgi-bin/ConfigSet on Axess ...) NOT-FOR-US: Axesstel MU553S MU55XS-V1.14 CVE-2017-11349 (dataTaker DT8x dEX 1.72.007 allows remote attackers to compose program ...) NOT-FOR-US: dataTaker CVE-2017-11348 (In Octopus Deploy 3.x before 3.15.4, an authenticated user with Packag ...) NOT-FOR-US: Octopus Deploy CVE-2017-11347 (Authenticated Code Execution Vulnerability in MetInfo 5.3.17 allows a ...) NOT-FOR-US: MetInfo CVE-2017-11346 (Zoho ManageEngine Desktop Central before build 100092 allows remote at ...) NOT-FOR-US: Zoho ManageEngine Desktop Central CVE-2017-11345 (Stack buffer overflow in networkmap in Asuswrt-Merlin firmware for ASU ...) NOT-FOR-US: ASUS CVE-2017-11344 (Global buffer overflow in networkmap in Asuswrt-Merlin firmware for AS ...) NOT-FOR-US: ASUS CVE-2017-11353 (yadm (yet another dotfile manager) 1.10.0 has a race condition (relate ...) - yadm 1.11.1-1 (bug #868300) [stretch] - yadm 1.06-1+deb9u1 NOTE: https://github.com/TheLocehiliosan/yadm/issues/74 CVE-2017-11343 (Due to an incomplete fix for CVE-2012-6125, all versions of CHICKEN Sc ...) - chicken 4.12.0-0.2 (bug #870266) [stretch] - chicken (Minor issue) [jessie] - chicken (Minor issue) [wheezy] - chicken (Minor issue) NOTE: http://lists.nongnu.org/archive/html/chicken-announce/2017-07/msg00000.html CVE-2017-11342 (There is an illegal address access in ast.cpp of LibSass 3.4.5. A craf ...) - libsass (bug #868577) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1470722 CVE-2017-11341 (There is a heap based buffer over-read in lexer.hpp of LibSass 3.4.5. ...) - libsass (bug #868577) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1470714 CVE-2017-11340 (There is a Segmentation fault in the XmpParser::terminate() function i ...) - exiv2 (Vulnerable code introduced after 0.25; only affected experimental; bug #868578) NOTE: https://github.com/Exiv2/exiv2/issues/53 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1470950 NOTE: Not reproducible in wheezy/jessie/stretch, I get "The file contains data of an unknown image type". NOTE: Reproducible with 0.26-1 (experimental) although I get another error "free(): invalid next size (fast)". CVE-2017-11339 (There is a heap-based buffer overflow in the Image::printIFDStructure ...) - exiv2 (Vulnerable code introduced after 0.25; only affected experimental; bug #868578) NOTE: https://github.com/Exiv2/exiv2/issues/52 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1470946 NOTE: Not reproducible in wheezy/jessie/stretch, I get "The file contains data of an unknown image type". NOTE: Reproducible with 0.26-1 (experimental) although I get another error "free(): invalid next size (fast)". CVE-2017-11338 (There is an infinite loop in the Exiv2::Image::printIFDStructure funct ...) - exiv2 (Vulnerable code introduced after 0.25; only affected experimental; bug #868578) NOTE: https://github.com/Exiv2/exiv2/issues/51 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1470913 NOTE: Not reproducible in wheezy/jessie/stretch, I get "No Exif data found in the file". NOTE: Reproducible with 0.26-1 (experimental). CVE-2017-11337 (There is an invalid free in the Action::TaskFactory::cleanup function ...) - exiv2 (Vulnerable code introduced after 0.25; only affected experimental; bug #868578) NOTE: https://github.com/Exiv2/exiv2/issues/50 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1470737 NOTE: Not reproducible in wheezy/jessie/stretch (even with valgrind), I get "No Exif data found in the file". NOTE: Reproducible with 0.26-1 (experimental). NOTE: Action::TaskFactory::cleanup function is the same in all versions, so the problem is likely an earlier memory corruption. CVE-2017-11336 (There is a heap-based buffer over-read in the Image::printIFDStructure ...) - exiv2 (Vulnerable code introduced after 0.25; only affected experimental; bug #868578) NOTE: https://github.com/Exiv2/exiv2/issues/49 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1470729 NOTE: Not reproducible in wheezy/jessie/stretch (even with valgrind). NOTE: Reproducible with 0.26-1 (experimental) although I get another error "free(): invalid next size (fast)". CVE-2017-11335 (There is a heap based buffer overflow in tools/tiff2pdf.c of LibTIFF 4 ...) {DSA-4100-1 DLA-1094-1 DLA-1093-1} - tiff 4.0.8-4 (bug #868513) [stretch] - tiff (Minor issue) [jessie] - tiff (Minor issue) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2715 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/69bfeec247899776b1b396651adb47436e5f1556 CVE-2017-11529 (The ReadMATImage function in coders/mat.c in ImageMagick before 6.9.9- ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867823) NOTE: https://github.com/ImageMagick/ImageMagick/issues/525 CVE-2017-11478 (The ReadOneDJVUImage function in coders/djvu.c in ImageMagick through ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867826) NOTE: https://github.com/ImageMagick/ImageMagick/issues/528 CVE-2017-11526 (The ReadOneMNGImage function in coders/png.c in ImageMagick before 6.9 ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867825) NOTE: https://github.com/ImageMagick/ImageMagick/issues/527 CVE-2017-11505 (The ReadOneJNGImage function in coders/png.c in ImageMagick through 6. ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867824) [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/526 CVE-2017-11530 (The ReadEPTImage function in coders/ept.c in ImageMagick before 6.9.9- ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867821) NOTE: https://github.com/ImageMagick/ImageMagick/issues/524 CVE-2017-11524 (The WriteBlob function in MagickCore/blob.c in ImageMagick before 6.9. ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867798) NOTE: https://github.com/ImageMagick/ImageMagick/issues/506 CVE-2017-11334 (The address_space_write_continue function in exec.c in QEMU (aka Quick ...) {DSA-3925-1} - qemu 1:2.8+dfsg-7 (bug #869173) [jessie] - qemu (Minor issue, root DoS, backport caused Xen regression in Ubuntu and was reverted) [wheezy] - qemu (Minor issue) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-07/msg03775.html NOTE: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=f5aa69bdc3418773f26747ca282c291519626ece NOTE: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=04bf2526ce87f21b32c9acba1c5518708c243ad0 NOTE: https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1752761 CVE-2017-11333 (The vorbis_analysis_wrote function in lib/block.c in Xiph.Org libvorbi ...) {DSA-4113-1 DLA-2039-1 DLA-1368-1} - libvorbis 1.3.5-4.1 (low; bug #870341) NOTE: http://seclists.org/fulldisclosure/2017/Jul/82 NOTE: https://gitlab.xiph.org/xiph/vorbis/issues/2332 NOTE: Fixed by: https://gitlab.xiph.org/xiph/vorbis/commit/a79ec216cd119069c68b8f3542c6a425a74ab993 CVE-2017-11332 (The startread function in wav.c in Sound eXchange (SoX) 14.4.2 allows ...) {DLA-1705-1 DLA-1197-1} - sox 14.4.2-2 (bug #870328) [stretch] - sox 14.4.1-5+deb9u2 NOTE: http://seclists.org/fulldisclosure/2017/Jul/81 NOTE: Upstream bug report https://sourceforge.net/p/sox/bugs/296/ NOTE: https://github.com/mansr/sox/commit/7405bcaacb1ded8c595cb751d407cf738cb26571 CVE-2017-11331 (The wav_open function in oggenc/audio.c in Xiph.Org vorbis-tools 1.4.0 ...) - vorbis-tools (unimportant) NOTE: The issue is "covered" by the fix applied in 0016-oggenc-validate-count-of-channels-in-the-header-CVE-.patch NOTE: still the return of malloc is not checked. NOTE: http://seclists.org/fulldisclosure/2017/Jul/80 NOTE: Crash in CLI tool only, negligible security impact CVE-2017-11330 (The DivFixppCore::avi_header_fix function in DivFix++Core.cpp in DivFi ...) NOT-FOR-US: DivFix++ CVE-2017-11329 (GLPI before 9.1.5 allows SQL injection via an ajax/getDropdownValue.ph ...) - glpi (unimportant) NOTE: Only supported behind an authenticated HTTP zone CVE-2016-10398 (Android 6.0 has an authentication bypass for attackers with root and p ...) NOT-FOR-US: Android CVE-2017-11328 (Heap buffer overflow in the yr_object_array_set_item() function in obj ...) - yara 3.6.3+dfsg-1 [stretch] - yara (Minor issue, too intrusive to backport) [jessie] - yara (Minor issue, too intrusive to backport) NOTE: Fixed by: https://github.com/VirusTotal/yara/commit/4a342f01e5439b9bb901aff1c6c23c536baeeb3f CVE-2017-11327 (An issue was discovered in Tilde CMS 1.0.1. It is possible to retrieve ...) NOT-FOR-US: Tilde CMS CVE-2017-11326 (An issue was discovered in Tilde CMS 1.0.1. It is possible to bypass t ...) NOT-FOR-US: Tilde CMS CVE-2017-11325 (An issue was discovered in Tilde CMS 1.0.1. Arbitrary files can be rea ...) NOT-FOR-US: Tilde CMS CVE-2017-11324 (An issue was discovered in Tilde CMS 1.0.1. Due to missing escaping of ...) NOT-FOR-US: Tilde CMS CVE-2017-11323 (Stack-based buffer overflow in ESTsoft ALZip 8.51 and earlier allows r ...) NOT-FOR-US: ESTsoft ALZip CVE-2017-11322 (The chroothole_client executable in UCOPIA Wireless Appliance before 5 ...) NOT-FOR-US: UCOPIA Wireless Appliance CVE-2017-11321 (The restricted shell interface in UCOPIA Wireless Appliance before 5.1 ...) NOT-FOR-US: UCOPIA Wireless Appliance CVE-2017-11320 (Persistent XSS through the SSID of nearby Wi-Fi devices on Technicolor ...) NOT-FOR-US: Technicolor TC7337 routers CVE-2017-11319 (Perspective ICM Investigation & Case 5.1.1.16 allows remote authen ...) NOT-FOR-US: Perspective ICM Investigation CVE-2017-11318 (Cobian Backup 11 client allows man-in-the-middle attackers to add and ...) NOT-FOR-US: Cobian CVE-2017-11317 (Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 ...) NOT-FOR-US: Progress Telerik UI CVE-2017-11316 RESERVED CVE-2017-11315 RESERVED CVE-2017-11314 RESERVED CVE-2017-11313 RESERVED CVE-2017-11312 RESERVED CVE-2017-11311 (soundlib/Load_psm.cpp in OpenMPT through 1.26.12.00 and libopenmpt bef ...) - libopenmpt 0.2.8461~beta26-1 (bug #867579) [stretch] - libopenmpt 0.2.7386~beta20.3-3+deb9u2 CVE-2017-11310 (The read_user_chunk_callback function in coders\png.c in ImageMagick 7 ...) - imagemagick (Vulnerable code not present, Only affects ImageMagick-7) NOTE: https://github.com/ImageMagick/ImageMagick/issues/517 NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/8ca35831e91c3db8c6d281d09b605001003bec08 CVE-2017-11309 (Buffer overflow in the SoftConsole client in Avaya IP Office before 10 ...) NOT-FOR-US: Avaya IP Office CVE-2017-11308 (Adobe Acrobat and Reader versions 2017.012.20098 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2017-11307 (Adobe Acrobat and Reader versions 2017.012.20098 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2017-11306 (Adobe Acrobat and Reader versions 2017.012.20098 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2017-11305 (A regression affecting Adobe Flash Player version 27.0.0.187 (and earl ...) NOT-FOR-US: Adobe CVE-2017-11304 (An issue was discovered in Adobe Photoshop 18.1.1 (2017.1.1) and earli ...) NOT-FOR-US: Adobe CVE-2017-11303 (An issue was discovered in Adobe Photoshop 18.1.1 (2017.1.1) and earli ...) NOT-FOR-US: Adobe CVE-2017-11302 (An issue was discovered in Adobe InDesign 12.1.0 and earlier versions. ...) NOT-FOR-US: Adobe CVE-2017-11301 (An issue was discovered in Adobe Digital Editions 4.5.6 and earlier ve ...) NOT-FOR-US: Adobe CVE-2017-11300 (An issue was discovered in Adobe Digital Editions 4.5.6 and earlier ve ...) NOT-FOR-US: Adobe CVE-2017-11299 (An issue was discovered in Adobe Digital Editions 4.5.6 and earlier ve ...) NOT-FOR-US: Adobe CVE-2017-11298 (An issue was discovered in Adobe Digital Editions 4.5.6 and earlier ve ...) NOT-FOR-US: Adobe CVE-2017-11297 (An issue was discovered in Adobe Digital Editions 4.5.6 and earlier ve ...) NOT-FOR-US: Adobe CVE-2017-11296 (An issue was discovered in Adobe Experience Manager 6.3, 6.2, 6.1, 6.0 ...) NOT-FOR-US: Adobe CVE-2017-11295 (An issue was discovered in Adobe DNG Converter 9.12.1 and earlier vers ...) NOT-FOR-US: Adobe CVE-2017-11294 (An issue was discovered in Adobe Shockwave 12.2.9.199 and earlier. An ...) NOT-FOR-US: Adobe CVE-2017-11293 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-11292 (Adobe Flash Player version 27.0.0.159 and earlier has a flawed bytecod ...) NOT-FOR-US: Adobe Flash Player CVE-2017-11291 (An issue was discovered in Adobe Connect 9.6.2 and earlier versions. A ...) NOT-FOR-US: Adobe CVE-2017-11290 (An issue was discovered in Adobe Connect 9.6.2 and earlier versions. A ...) NOT-FOR-US: Adobe CVE-2017-11289 (An issue was discovered in Adobe Connect 9.6.2 and earlier versions. A ...) NOT-FOR-US: Adobe CVE-2017-11288 (An issue was discovered in Adobe Connect 9.6.2 and earlier versions. A ...) NOT-FOR-US: Adobe CVE-2017-11287 (An issue was discovered in Adobe Connect 9.6.2 and earlier versions. A ...) NOT-FOR-US: Adobe CVE-2017-11286 (Adobe ColdFusion has an XML external entity (XXE) injection vulnerabil ...) NOT-FOR-US: Adobe ColdFusion CVE-2017-11285 (Adobe ColdFusion has a cross-site scripting (XSS) vulnerability. This ...) NOT-FOR-US: Adobe ColdFusion CVE-2017-11284 (Adobe ColdFusion has an Untrusted Data Deserialization vulnerability. ...) NOT-FOR-US: Adobe ColdFusion CVE-2017-11283 (Adobe ColdFusion has an Untrusted Data Deserialization vulnerability. ...) NOT-FOR-US: Adobe ColdFusion CVE-2017-11282 (Adobe Flash Player has an exploitable memory corruption vulnerability ...) NOT-FOR-US: Adobe CVE-2017-11281 (Adobe Flash Player has an exploitable memory corruption vulnerability ...) NOT-FOR-US: Adobe CVE-2017-11280 (Adobe Digital Editions 4.5.4 and earlier has an exploitable memory cor ...) NOT-FOR-US: Adobe CVE-2017-11279 (Adobe Digital Editions 4.5.4 and earlier has an exploitable use after ...) NOT-FOR-US: Adobe CVE-2017-11278 (Adobe Digital Editions 4.5.4 and earlier has an exploitable memory cor ...) NOT-FOR-US: Adobe CVE-2017-11277 (Adobe Digital Editions 4.5.4 and earlier has an exploitable memory cor ...) NOT-FOR-US: Adobe CVE-2017-11276 (Adobe Digital Editions 4.5.4 and earlier has an exploitable memory cor ...) NOT-FOR-US: Adobe CVE-2017-11275 (Adobe Digital Editions 4.5.4 and earlier has an exploitable heap overf ...) NOT-FOR-US: Adobe CVE-2017-11274 (Adobe Digital Editions 4.5.4 and earlier has an exploitable use after ...) NOT-FOR-US: Adobe CVE-2017-11273 (An issue was discovered in Adobe Digital Editions 4.5.6 and earlier ve ...) NOT-FOR-US: Adobe CVE-2017-11272 (Adobe Digital Editions 4.5.4 and earlier has a security bypass vulnera ...) NOT-FOR-US: Adobe CVE-2017-11271 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11270 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11269 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11268 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11267 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11266 REJECTED CVE-2017-11265 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11264 REJECTED CVE-2017-11263 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11262 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11261 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11260 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11259 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11258 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11257 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11256 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11255 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11254 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11253 (Adobe Acrobat and Reader versions 2017.012.20098 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2017-11252 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11251 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11250 (Adobe Acrobat and Reader versions 2017.012.20098 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2017-11249 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11248 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11247 REJECTED CVE-2017-11246 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11245 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11244 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11243 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11242 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11241 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11240 (Adobe Acrobat and Reader versions 2017.012.20098 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2017-11239 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11238 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11237 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11236 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11235 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11234 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11233 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11232 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11231 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11230 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11229 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11228 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11227 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11226 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11225 (An issue was discovered in Adobe Flash Player 27.0.0.183 and earlier v ...) NOT-FOR-US: Adobe CVE-2017-11224 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11223 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11222 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11221 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11220 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11219 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11218 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11217 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11216 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11215 (An issue was discovered in Adobe Flash Player 27.0.0.183 and earlier v ...) NOT-FOR-US: Adobe CVE-2017-11214 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11213 (An issue was discovered in Adobe Flash Player 27.0.0.183 and earlier v ...) NOT-FOR-US: Adobe CVE-2017-11212 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11211 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11210 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11209 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-1000083 (backend/comics/comics-document.c (aka the comic book backend) in GNOME ...) {DSA-3916-1 DSA-3911-1 DLA-1031-1} - evince 3.22.1-4 - atril 1.16.1-2.1 (bug #868500) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=784630 CVE-2017-11208 RESERVED CVE-2017-11207 RESERVED CVE-2017-11206 RESERVED CVE-2017-11205 RESERVED CVE-2017-11204 RESERVED CVE-2017-11203 RESERVED CVE-2017-11202 (FineCMS through 2017-07-12 allows XSS in visitors.php because JavaScri ...) NOT-FOR-US: FineCMS CVE-2017-11201 (application/core/controller/images.php in FineCMS through 2017-07-12 a ...) NOT-FOR-US: FineCMS CVE-2017-11200 (SQL Injection exists in FineCMS through 2017-07-12 via the application ...) NOT-FOR-US: FineCMS CVE-2017-11199 RESERVED CVE-2017-11198 (Cross-site scripting (XSS) vulnerability in /application/lib/ajax/get_ ...) NOT-FOR-US: FineCMS CVE-2017-11197 RESERVED CVE-2017-12562 (Heap-based Buffer Overflow in the psf_binheader_writef function in com ...) {DLA-1049-1} - libsndfile 1.0.28-3 (bug #869166) [stretch] - libsndfile (Minor issue) [jessie] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/292 NOTE: https://github.com/erikd/libsndfile/commit/cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8 CVE-2017-11196 (Pulse Connect Secure 8.3R1 has CSRF in logout.cgi. The logout function ...) NOT-FOR-US: Pulse Connect Secure CVE-2017-11195 (Pulse Connect Secure 8.3R1 has Reflected XSS in launchHelp.cgi. The he ...) NOT-FOR-US: Pulse Connect Secure CVE-2017-11194 (Pulse Connect Secure 8.3R1 has Reflected XSS in adminservercacertdetai ...) NOT-FOR-US: Pulse Connect Secure CVE-2017-11193 (Pulse Connect Secure 8.3R1 has CSRF in diag.cgi. In the panel, the dia ...) NOT-FOR-US: Pulse Connect Secure CVE-2017-11192 RESERVED CVE-2017-11191 (** DISPUTED ** FreeIPA 4.x with API version 2.213 allows a remote auth ...) NOTE: non-issue claimed for freepia CVE-2017-11190 (unrarlib.c in unrar-free 0.0.1, when _DEBUG_LOG mode is enabled, might ...) - unrar-free (unimportant) NOTE: Affected debug code not enabled CVE-2017-11189 (unrarlib.c in unrar-free 0.0.1 might allow remote attackers to cause a ...) - unrar-free (unimportant) NOTE: Crash in CLI tool, no security impact CVE-2017-11187 (phpMyFAQ before 2.9.8 does not properly mitigate brute-force attacks t ...) NOT-FOR-US: phpMyFAQ CVE-2017-11186 RESERVED CVE-2017-11185 (The gmp plugin in strongSwan before 5.6.0 allows remote attackers to c ...) {DSA-3962-1 DLA-1059-1} - strongswan 5.6.0-1 (bug #872155) NOTE: https://www.strongswan.org/blog/2017/08/14/strongswan-vulnerability-(cve-2017-11185).html NOTE: https://git.strongswan.org/?p=strongswan.git;a=commit;h=ef5c37fcdf47273feea320091598135688df4ef7 CVE-2017-11184 (SQL injection exists in front/devicesoundcard.php in GLPI before 9.1.5 ...) - glpi (unimportant) NOTE: Only supported behind an authenticated HTTP zone CVE-2017-11183 (front/backup.php in GLPI before 9.1.5 allows remote authenticated admi ...) - glpi (unimportant) NOTE: Only supported behind an authenticated HTTP zone CVE-2017-11182 (In Rise Ultimate Project Manager v1.8, XSS vulnerabilities were found ...) NOT-FOR-US: Rise Ultimate Project Manager CVE-2017-11181 (In Rise Ultimate Project Manager v1.8, XSS vulnerabilities were found ...) NOT-FOR-US: Rise Ultimate Project Manager CVE-2017-11180 (FineCMS through 2017-07-11 has stored XSS in the logging functionality ...) NOT-FOR-US: FineCMS CVE-2017-11179 (FineCMS through 2017-07-11 has stored XSS in route=admin when modifyin ...) NOT-FOR-US: FineCMS CVE-2017-11178 (In FineCMS through 2017-07-11, application/core/controller/style.php a ...) NOT-FOR-US: FineCMS CVE-2017-11177 (TRITON AP-EMAIL 8.2 before 8.2 IB does not properly restrict file acce ...) NOT-FOR-US: TRITON CVE-2017-11176 (The mq_notify function in the Linux kernel through 4.11.9 does not set ...) {DSA-3945-1 DSA-3927-1 DLA-1099-1} - linux 4.11.11-1 NOTE: Fixed by: https://git.kernel.org/linus/f991af3daabaecff34684fd51fac80319d1baad1 CVE-2017-11175 (In J2 Innovations FIN Stack 4.0, the authentication webform is vulnera ...) NOT-FOR-US: J2 Innovations FIN Stack CVE-2017-11174 (In install/page_dbsettings.php in the Core distribution of XOOPS 2.5.8 ...) NOT-FOR-US: XOOPS CVE-2017-11173 (Missing anchor in generated regex for rack-cors before 0.4.1 allows a ...) {DSA-3931-1} - ruby-rack-cors 0.4.1-1 [jessie] - ruby-rack-cors (Vulnerable code not present) CVE-2017-11172 RESERVED CVE-2017-1000096 (Arbitrary code execution due to incomplete sandbox protection: Constru ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000095 (The default whitelist included the following unsafe entries: DefaultGr ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000094 (Docker Commons Plugin provides a list of applicable credential IDs to ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000093 (Poll SCM Plugin was not requiring requests to its API be sent via POST ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000092 (Git Plugin connects to a user-specified Git repository as part of form ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000091 (GitHub Branch Source Plugin connects to a user-specified GitHub API UR ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000090 (Role-based Authorization Strategy Plugin was not requiring requests to ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000089 (Builds in Jenkins are associated with an authentication that controls ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000088 (The Sidebar Link plugin allows users able to configure jobs, views, an ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000087 (GitHub Branch Source provides a list of applicable credential IDs to a ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000086 (The Periodic Backup Plugin did not perform any permission checks, allo ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000085 (Subversion Plugin connects to a user-specified Subversion repository a ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000084 (Parameterized Trigger Plugin fails to check Item/Build permission: The ...) NOT-FOR-US: Jenkins plugin CVE-2017-11171 (Bad reference counting in the context of accept_ice_connection() in gs ...) - gnome-session 2.30.0-1 NOTE: https://github.com/GNOME/gnome-session/commit/b0dc999e0b45355314616321dbb6cb71e729fc9d CVE-2017-11170 (The ReadTGAImage function in coders\tga.c in ImageMagick 7.0.5-6 has a ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (low; bug #868184) NOTE: https://github.com/ImageMagick/ImageMagick/issues/472 CVE-2017-11169 (Privilege Escalation on iBall iB-WRA300N3GT iB-WRA300N3GT_1.1.1 device ...) NOT-FOR-US: iBall iB-WRA300N3GT iB-WRA300N3GT_1.1.1 devices CVE-2017-11168 RESERVED CVE-2017-11167 (FineCMS 2.1.0 allows remote attackers to execute arbitrary PHP code by ...) NOT-FOR-US: FineCMS CVE-2017-11166 (The ReadXWDImage function in coders\xwd.c in ImageMagick 7.0.5-6 has a ...) - imagemagick 8:6.9.7.4+dfsg-7 (unimportant; bug #868263) [wheezy] - imagemagick 8:6.7.7.10-5+deb7u14 NOTE: https://github.com/ImageMagick/ImageMagick/issues/471 CVE-2017-11165 (dataTaker DT80 dEX 1.50.012 allows remote attackers to obtain sensitiv ...) NOT-FOR-US: dataTaker CVE-2017-11164 (In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exe ...) - pcre3 (unimportant) NOTE: http://openwall.com/lists/oss-security/2017/07/11/3 CVE-2017-11163 (Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Ca ...) - cacti 1.1.12+ds1-1 (bug #868080) [stretch] - cacti (Vulnerable code introduced later) [jessie] - cacti (Vulnerable code introduced later) [wheezy] - cacti (Vulnerable code introduced later) NOTE: https://github.com/Cacti/cacti/issues/847 NOTE: aggregate_graphs.php not available in 0.8.8. NOTE: Upstream claims fix for CVE-2017-10970 also fixes this CVE NOTE: but produced this patch anyway: https://github.com/Cacti/cacti/commit/bf5b1309dcf68578c3bdc4db54112dfb2e8ec4f4 CVE-2017-11162 (Directory traversal vulnerability in synphotoio in Synology Photo Stat ...) NOT-FOR-US: Synology CVE-2017-11161 (Multiple SQL injection vulnerabilities in Synology Photo Station befor ...) NOT-FOR-US: Synology CVE-2017-11160 (Multiple untrusted search path vulnerabilities in installer in Synolog ...) NOT-FOR-US: Installer in Synology Assistant CVE-2017-11159 (Multiple untrusted search path vulnerabilities in installer in Synolog ...) NOT-FOR-US: Installer in Synology Photo Station Uploader CVE-2017-11158 (Multiple untrusted search path vulnerabilities in the installer in Syn ...) NOT-FOR-US: Synology Cloud Station Drive CVE-2017-11157 (Multiple untrusted search path vulnerabilities in the installer in Syn ...) NOT-FOR-US: Synology CVE-2017-11156 (Synology Download Station 3.8.x before 3.8.5-3475 and 3.x before 3.5-2 ...) NOT-FOR-US: Synology Download Station CVE-2017-11155 (An information exposure vulnerability in index.php in Synology Photo S ...) NOT-FOR-US: Synology Photo Station CVE-2017-11154 (Unrestricted file upload vulnerability in PixlrEditorHandler.php in Sy ...) NOT-FOR-US: Synology Photo Station CVE-2017-11153 (Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology ...) NOT-FOR-US: Synology Photo Station CVE-2017-11152 (Directory traversal vulnerability in PixlrEditorHandler.php in Synolog ...) NOT-FOR-US: Synology Photo Station CVE-2017-11151 (A vulnerability in synotheme_upload.php in Synology Photo Station befo ...) NOT-FOR-US: Synology Photo Station CVE-2017-11150 (Command injection vulnerability in Document.php in Synology Office 2.2 ...) NOT-FOR-US: Synology Office CVE-2017-11149 (Server-side request forgery (SSRF) vulnerability in Downloader in Syno ...) NOT-FOR-US: Synology Download Station CVE-2017-11148 (Server-side request forgery (SSRF) vulnerability in link preview in Sy ...) NOT-FOR-US: Synology Chat CVE-2017-11146 REJECTED CVE-2017-11145 (In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, an er ...) {DSA-4081-1 DSA-4080-1 DLA-1034-1} - php7.1 7.1.8-1 - php7.0 7.0.22-1 - php5 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=74819 NOTE: Fixed in 7.1.7, 7.0.21, 5.6.31 NOTE: Fixed by: https://github.com/php/php-src/commit/e8b7698f5ee757ce2c8bd10a192a491a498f891c NOTE: http://openwall.com/lists/oss-security/2017/07/10/6 CVE-2017-1000362 (The re-key admin monitor was introduced in Jenkins 1.498 and re-encryp ...) - jenkins CVE-2017-1000081 (Linux foundation ONOS 1.9.0 is vulnerable to unauthenticated upload of ...) NOT-FOR-US: ONOS CVE-2017-1000080 (Linux foundation ONOS 1.9.0 allows unauthenticated use of websockets. ...) NOT-FOR-US: ONOS CVE-2017-1000079 (Linux foundation ONOS 1.9.0 is vulnerable to a DoS. ...) NOT-FOR-US: ONOS CVE-2017-1000078 (Linux foundation ONOS 1.9 is vulnerable to XSS in the device. registra ...) NOT-FOR-US: ONOS CVE-2017-1000077 REJECTED CVE-2017-1000076 REJECTED CVE-2017-1000075 (Creolabs Gravity version 1.0 is vulnerable to a stack overflow in the ...) NOT-FOR-US: Creolabs Gravity CVE-2017-1000074 (Creolabs Gravity version 1.0 is vulnerable to a stack overflow in the ...) NOT-FOR-US: Creolabs Gravity CVE-2017-1000073 (Creolabs Gravity version 1.0 is vulnerable to a heap overflow in an un ...) NOT-FOR-US: Creolabs Gravity CVE-2017-1000072 (Creolabs Gravity version 1.0 is vulnerable to a Double Free in gravity ...) NOT-FOR-US: Creolabs Gravity CVE-2017-1000071 (Jasig phpCAS version 1.3.4 is vulnerable to an authentication bypass i ...) - php-cas 1.3.6-1 (bug #868466) [stretch] - php-cas (Minor issue) [jessie] - php-cas (Minor issue) [wheezy] - php-cas (Minor issue, only works with old CAS server) NOTE: https://github.com/Jasig/phpCAS/issues/228 NOTE: Fixed by: https://github.com/apereo/phpCAS/commit/c9ba00327fd0ac8faecc62ce150c1986022856cd NOTE: The vulnerability only exists when the server is affected by NOTE: another very old vulnerability fixed in 2010. CVE-2017-1000070 (The Bitly oauth2_proxy in version 2.1 and earlier was affected by an o ...) NOT-FOR-US: Bitly oauth2_proxy CVE-2017-1000069 (CSRF in Bitly oauth2_proxy 2.1 during authentication flow ...) NOT-FOR-US: Bitly oauth2_proxy CVE-2017-1000068 (TestTrack Server versions 1.0 and earlier are vulnerable to an authent ...) NOT-FOR-US: TestTrack CVE-2017-1000067 (MODX Revolution version 2.x - 2.5.6 is vulnerable to blind SQL injecti ...) NOT-FOR-US: MODX Revolution CVE-2017-1000066 (The entry details view function in KeePass version 1.32 inadvertently ...) - keepass2 (Only affects 1.x) CVE-2017-1000065 (Multiple Cross-site scripting (XSS) vulnerabilities in rpc.php in Open ...) NOT-FOR-US: OpenMediaVault CVE-2017-1000064 (kittoframework kitto version 0.5.1 is vulnerable to memory exhaustion ...) NOT-FOR-US: kittoframework kitto CVE-2017-1000063 (kittoframework kitto version 0.5.1 is vulnerable to an XSS in the 404 ...) NOT-FOR-US: kittoframework kitto CVE-2017-1000062 (kittoframework kitto 0.5.1 is vulnerable to directory traversal in the ...) NOT-FOR-US: kittoframework kitto CVE-2017-1000061 (xmlsec 1.2.23 and before is vulnerable to XML External Entity Expansio ...) - xmlsec1 1.2.24-1 [stretch] - xmlsec1 (Minor issue) [jessie] - xmlsec1 (Minor issue) [wheezy] - xmlsec1 (Minor issue) NOTE: https://github.com/lsh123/xmlsec/issues/43 CVE-2017-1000060 (EyesOfNetwork (EON) 5.1 Unauthenticated SQL Injection in eonweb leadin ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-1000059 (Live Helper Chat version 2.06v and older is vulnerable to Cross-Site S ...) NOT-FOR-US: Live Helper Chat CVE-2017-1000058 (Stored XSS vulnerabilities in chevereto CMS before version 3.8.11, one ...) NOT-FOR-US: chevereto CMS CVE-2017-1000057 REJECTED CVE-2017-1000056 (Kubernetes version 1.5.0-1.5.4 is vulnerable to a privilege escalation ...) - kubernetes 1.5.5+dfsg-1 NOTE: https://github.com/kubernetes/kubernetes/issues/43459 CVE-2017-1000055 REJECTED CVE-2017-1000054 (Rocket.Chat version 0.8.0 and newer is vulnerable to XSS in the markdo ...) NOT-FOR-US: Rocket.Chat CVE-2017-1000053 (Elixir Plug before v1.0.4, v1.1.7, v1.2.3 and v1.3.2 is vulnerable to ...) NOT-FOR-US: Elixir Plug CVE-2017-1000052 (Elixir Plug before v1.0.4, v1.1.7, v1.2.3 and v1.3.2 is vulnerable to ...) NOT-FOR-US: Elixir Plug CVE-2017-1000051 (Cross-site scripting (XSS) vulnerability in pad export in XWiki labs C ...) NOT-FOR-US: XWiki labs CVE-2017-1000049 REJECTED CVE-2017-1000048 (the web framework using ljharb's qs module older than v6.3.2, v6.2.3, ...) NOT-FOR-US: ljharb CVE-2017-1000047 (rbenv (all current versions) is vulnerable to Directory Traversal in t ...) - rbenv (bug #869702) [buster] - rbenv (Minor issue) [stretch] - rbenv (Minor issue) [jessie] - rbenv (Minor issue) [wheezy] - rbenv (Minor issue) NOTE: https://github.com/rbenv/rbenv/issues/977 NOTE: .ruby-version is .rbenv-version in wheezy CVE-2017-1000046 (Mautic 2.6.1 and earlier fails to set flags on session cookies ...) NOT-FOR-US: Mautic CVE-2017-1000045 REJECTED CVE-2017-1000043 (Mapbox.js versions 1.x prior to 1.6.6 and 2.x prior to 2.2.4 are vulne ...) NOT-FOR-US: Mapbox.js CVE-2017-1000042 (Mapbox.js versions 1.x prior to 1.6.5 and 2.x prior to 2.1.7 are vulne ...) NOT-FOR-US: Mapbox.js CVE-2017-1000039 (Framadate version 1.0 is vulnerable to Formula Injection in the CSV Ex ...) NOT-FOR-US: Framadate CVE-2017-1000038 (WordPress plugin Relevanssi version 3.5.7.1 is vulnerable to stored XS ...) NOT-FOR-US: WordPress plugin CVE-2017-1000037 (RVM automatically loads environment variables from files in $PWD resul ...) NOT-FOR-US: RVM CVE-2017-1000036 REJECTED CVE-2017-1000035 (Tiny Tiny RSS before 829d478f is vulnerable to XSS window.opener attac ...) - tt-rss 17.1+git20170410+dfsg-1 NOTE: https://git.tt-rss.org/git/tt-rss/commit/829d478f1b054c8ce1eeb4f15170dc4a1abb3e47 CVE-2017-1000034 (Akka versions <=2.4.16 and 2.5-M1 are vulnerable to a java deserial ...) NOT-FOR-US: Akka CVE-2017-1000033 (Wordpress Plugin Vospari Forms version < 1.4 is vulnerable to a ref ...) NOT-FOR-US: WordPress plugin CVE-2017-1000032 (Cross-Site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remot ...) - cacti 0.8.8b+dfsg-6 [wheezy] - cacti 0.8.8a+dfsg-5+deb7u3 NOTE: MITRE will not reject the entry, but the issue is already covered by the NOTE: patch as for CVE-2014-4002. See discussion in NOTE: https://github.com/distributedweaknessfiling/DWF-CVE-Database/issues/27 CVE-2017-1000031 (SQL injection vulnerability in graph_templates_inputs.php in Cacti 0.8 ...) - cacti 0.8.8e+ds1-1 [jessie] - cacti (Minor issue, can be mitigated with Web Application Firewalls) [wheezy] - cacti (Minor issue, can be mitigated with Web Application Firewalls) NOTE: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-007/?fid=7789 NOTE: MITRE disagrees that this CVE is a duplicate of CVE-2014-4002 and CVE-2016-3172. NOTE: MITRE believes that CVE-2017-1000031 is a different vulnerability than NOTE: CVE-2014-4002 and CVE-2016-3172. This is because they seprate on vulnerability NOTE: type, so it cannot be a duplicate of CVE-2014-4002 despite sharing attack NOTE: vectors with this vulnerability, and covers different attack vectors than NOTE: CVE-2016-3172 despite sharing vulnerability type, and appears to be NOTE: independently fixable from said vulnerability based on the fix provided here: NOTE: https://github.com/Cacti/cacti/issues/866 NOTE: According to https://github.com/Cacti/cacti/issues/866#issuecomment-316865448 NOTE: the first issue was fixed by https://github.com/Cacti/cacti/commit/be800c9e552d2929106b576922e9693c83b4bd46 NOTE: whereas the second issue was fixed by https://github.com/Cacti/cacti/commit/4e4dd6784adfc07b6011da999809d86a06f0f4e5 NOTE: After the request to MITRE to reject this CVE, elbrus discovered that also NOTE: CVE-2015-4634 seems part of the duplication. Upstream commit 4e4dd67 was in the NOTE: preperation git tree for 1.x, its equivalent svn commit was used to fix NOTE: CVE-2015-4634 in Debian. CVE-2017-1000030 (Oracle, GlassFish Server Open Source Edition 3.0.1 (build 22) is vulne ...) - glassfish (Vulnerable code not included, see bug #853998) CVE-2017-1000029 (Oracle, GlassFish Server Open Source Edition 3.0.1 (build 22) is vulne ...) - glassfish (Vulnerable code not included, see bug #853998) CVE-2017-1000028 (Oracle, GlassFish Server Open Source Edition 4.1 is vulnerable to both ...) - glassfish (Vulnerable code not included, see bug #853998) CVE-2017-1000027 (Koozali Foundation SME Server versions 8.x, 9.x, 10.x are vulnerable t ...) NOT-FOR-US: Koozali Foundation SME Server CVE-2017-1000026 (Chef Software's mixlib-archive versions 0.3.0 and older are vulnerable ...) {DSA-3915-1} - ruby-mixlib-archive 0.4.1-1 (bug #868572) NOTE: https://github.com/chef/mixlib-archive/pull/6 NOTE: https://github.com/chef/mixlib-archive/pull/6/commits/3a874a24aed6ee93fbccf97efe0ecc999bafe87d CVE-2017-1000025 (GNOME Web (Epiphany) 3.23 before 3.23.5, 3.22 before 3.22.6, 3.20 befo ...) - epiphany-browser 3.22.6-1 (unimportant) NOTE: webkit not covered by security support CVE-2017-1000024 (Shotwell version 0.24.4 or earlier and 0.25.3 or earlier is vulnerable ...) - shotwell 0.25.4+really0.24.5-0.1 (unimportant) CVE-2017-1000023 (LogicalDoc Community Edition 7.5.3 and prior is vulnerable to an XSS w ...) NOT-FOR-US: LogicalDoc Community Edition CVE-2017-1000022 (LogicalDoc Community Edition 7.5.3 and prior contain an Incorrect acce ...) NOT-FOR-US: LogicalDoc Community Edition CVE-2017-1000021 (LogicalDoc Community Edition 7.5.3 and prior is vulnerable to XXE when ...) NOT-FOR-US: LogicalDoc Community Edition CVE-2017-1000020 (SYN Flood or FIN Flood attack in ECos 1 and other versions embedded de ...) NOT-FOR-US: ECos CVE-2017-1000018 (phpMyAdmin 4.0, 4.4., and 4.6 are vulnerable to a DOS attack in the re ...) - phpmyadmin 4:4.6.6-1 (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2017-7 NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/afe84645f29f5acc9970f3ffa5673585bf2dee7d (4.0-branch) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/4549ebde5a044b42c36da50dbf1af76a88545352 (4.4-branch) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/96b4f13e54c9ebbebfd19d0690bfa0812b6818c1 (4.6-branch) CVE-2017-1000017 (phpMyAdmin 4.0, 4.4 and 4.6 are vulnerable to a weakness where a user ...) - phpmyadmin 4:4.6.6-1 (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2017-6 NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/f8ad5bd759156c8c00a1c3e0ef374660027a3bb4 (4.0-branch) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/ca8edbcd83fcd624701f43c99e7e675c1ab20387 (4.{4,6}-branch) CVE-2017-1000016 (A weakness was discovered where an attacker can inject arbitrary value ...) - phpmyadmin 4:4.6.6-1 (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2017-5 NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/3b6ed1f9ecaab86c488d106b1588d7683a6d53ef CVE-2017-1000015 (phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a CSS injection attack ...) - phpmyadmin 4:4.6.6-1 (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2017-4 NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/8a0816266cc1db9e9889829f9f0d88a19650c977 (4.0-branch) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/bd3677f161977bf0cc800cae82e65355bf49f342 (4.4-branch) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/3a6247674e653507294f23480b4c0e1c532badbe (4.6-branch) CVE-2017-1000014 (phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a DOS weakness in the t ...) - phpmyadmin 4:4.6.6-1 (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2017-3 NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/3d230b6ab76ff018645f2090c2664169835f465b (4.{0,4,6}-branch) CVE-2017-1000013 (phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to an open redirect weakne ...) - phpmyadmin 4:4.6.6-1 (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2017-1 NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/7fe97a1f3c4695f630e39d9433b8fa7539eee30e (4.0-branch) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/1e5c0ae5b44c58296e11b92497767c8677653cba (4.4-branch) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/4c84070ad6136c3158caa93286754ebbfbce61ab (4.6-branch) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/e37bf40f44a3272a6709eb5b38feccac41658e3f (4.6-branch) CVE-2017-1000012 (MySQL Dumper version 1.24 is vulnerable to stored XSS when displaying ...) NOT-FOR-US: MySQL Dumper CVE-2017-1000011 (MyWebSQL version 3.6 is vulnerable to stored XSS in the database manag ...) NOT-FOR-US: MyWebSQL CVE-2017-1000010 (Audacity 2.1.2 through 2.3.2 is vulnerable to Dll HIjacking in the avf ...) - audacity (Specific to Windows packaging) CVE-2017-1000009 (Akeneo PIM CE and EE <1.6.6, <1.5.15, <1.4.28 are vulnerable ...) NOT-FOR-US: Akeneo PIM CVE-2017-1000008 (Chyrp Lite version 2016.04 is vulnerable to a CSRF in the user setting ...) NOT-FOR-US: Chyrp Lite CVE-2017-1000007 (txAWS (all current versions) fail to perform complete certificate veri ...) NOT-FOR-US: txAWS CVE-2017-1000006 (Plotly, Inc. plotly.js versions prior to 1.16.0 are vulnerable to an X ...) NOT-FOR-US: plotly.js (different from the plotly Python package) CVE-2017-1000005 (PHPMiniAdmin version 1.9.160630 is vulnerable to stored XSS in the nam ...) NOT-FOR-US: PHPMiniAdmin CVE-2017-1000004 (ATutor version 2.2.1 and earlier are vulnerable to a SQL injection in ...) NOT-FOR-US: ATutor CVE-2017-1000003 (ATutor versions 2.2.1 and earlier are vulnerable to an incorrect acces ...) NOT-FOR-US: ATutor CVE-2017-1000002 (ATutor versions 2.2.1 and earlier are vulnerable to a directory traver ...) NOT-FOR-US: ATutor CVE-2017-1000001 (FedMsg 0.18.1 and older is vulnerable to a message validation flaw res ...) - fedmsg (bug #868508) [jessie] - fedmsg (Minor issue) NOTE: https://github.com/fedora-infra/fedmsg/commit/5c21cf88a CVE-2017-11141 (The ReadMATImage function in coders\mat.c in ImageMagick 7.0.5-6 has a ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (low; bug #868264) NOTE: https://github.com/ImageMagick/ImageMagick/issues/469 NOTE: https://github.com/ImageMagick/ImageMagick/commit/353b942bd83da7e1356ba99c942848bd1871ee9f CVE-2017-11140 (The ReadJPEGImage function in coders/jpeg.c in GraphicsMagick 1.3.26 c ...) {DSA-4321-1 DLA-1456-1 DLA-1045-1} - graphicsmagick 1.3.26-3 (low) NOTE: Fixed by: http://hg.code.sf.net/p/graphicsmagick/code/rev/b4139088b49a CVE-2017-11139 (GraphicsMagick 1.3.26 has double free vulnerabilities in the ReadOneJN ...) {DSA-4321-1} - graphicsmagick 1.3.26-2 (low) [jessie] - graphicsmagick (vulnerable code for CVE-2017-11102 not applied in Jessie) [wheezy] - graphicsmagick (vulnerable code for CVE-2017-11102 not applied in Wheezy) NOTE: Fixed by: http://hg.code.sf.net/p/graphicsmagick/code/rev/4d0baa77245b CVE-2017-11138 RESERVED CVE-2017-11137 RESERVED CVE-2017-11136 (An issue was discovered in heinekingmedia StashCat through 1.7.5 for A ...) NOT-FOR-US: heinekingmedia StashCat CVE-2017-11135 (An issue was discovered in heinekingmedia StashCat through 1.7.5 for A ...) NOT-FOR-US: heinekingmedia StashCat CVE-2017-11134 (An issue was discovered in heinekingmedia StashCat through 1.7.5 for A ...) NOT-FOR-US: heinekingmedia StashCat CVE-2017-11133 (An issue was discovered in heinekingmedia StashCat through 1.7.5 for A ...) NOT-FOR-US: heinekingmedia StashCat CVE-2017-11132 (An issue was discovered in heinekingmedia StashCat before 1.5.18 for A ...) NOT-FOR-US: heinekingmedia StashCat CVE-2017-11131 (An issue was discovered in heinekingmedia StashCat through 1.7.5 for A ...) NOT-FOR-US: heinekingmedia StashCat CVE-2017-11130 (An issue was discovered in heinekingmedia StashCat through 1.7.5 for A ...) NOT-FOR-US: heinekingmedia StashCat CVE-2017-11129 (An issue was discovered in heinekingmedia StashCat through 1.7.5 for A ...) NOT-FOR-US: heinekingmedia StashCat CVE-2017-11128 (Bolt CMS 3.2.14 allows stored XSS via text input, as demonstrated by t ...) NOT-FOR-US: Bolt CMS CVE-2017-11127 (Bolt CMS 3.2.14 allows stored XSS by uploading an SVG document with a ...) NOT-FOR-US: Bolt CMS CVE-2017-11126 (The III_i_stereo function in libmpg123/layer3.c in mpg123 through 1.25 ...) - mpg123 1.25.3-1 (unimportant) NOTE: no security impact CVE-2017-11125 (libxar.so in xar 1.6.1 has a NULL pointer dereference in the xar_get_p ...) - xar CVE-2017-11124 (libxar.so in xar 1.6.1 has a NULL pointer dereference in the xar_unser ...) - xar CVE-2017-11123 RESERVED CVE-2017-11122 (On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56, an attacker can t ...) NOT-FOR-US: Broadcom CVE-2017-11121 (On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, p ...) NOT-FOR-US: Broadcom CVE-2017-11120 (On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, a ...) NOT-FOR-US: Broadcom CVE-2017-11119 (The chk_mem_access function in cpu/nes6502/nes6502.c in libnosefart.a ...) - xine-lib-1.2 (it is built with --disable-nosefart) - xine-lib (it is built with --disable-nosefart) NOTE: https://sourceforge.net/p/nosefart/bugs/6/ CVE-2017-11118 (The ExifImageFile::readImage function in ExifImageFileRead.cpp in Open ...) NOT-FOR-US: OpenExif CVE-2017-11117 (The ExifImageFile::readDHT function in ExifImageFileRead.cpp in OpenEx ...) NOT-FOR-US: OpenExif CVE-2017-11116 (The ExifImageFile::readDQT function in ExifImageFileRead.cpp in OpenEx ...) NOT-FOR-US: OpenExif CVE-2017-11115 (The ExifJpegHUFFTable::deriveTable function in ExifHuffmanTable.cpp in ...) NOT-FOR-US: OpenExif CVE-2017-11114 (The put_chars function in html_r.c in Twibright Links 2.14 allows remo ...) - links2 2.14-3 (unimportant; bug #870299) NOTE: PoC: http://seclists.org/fulldisclosure/2017/Jul/76 CVE-2017-11527 (The ReadDPXImage function in coders/dpx.c in ImageMagick before 6.9.9- ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867812) NOTE: https://github.com/ImageMagick/ImageMagick/issues/523 CVE-2017-11528 (The ReadDIBImage function in coders/dib.c in ImageMagick before 6.9.9- ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867811) NOTE: https://github.com/ImageMagick/ImageMagick/issues/522 CVE-2017-11525 (The ReadCINImage function in coders/cin.c in ImageMagick before 6.9.9- ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867810) NOTE: https://github.com/ImageMagick/ImageMagick/issues/519 CVE-2017-11188 (The ReadDPXImage function in coders\dpx.c in ImageMagick 7.0.6-0 has a ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867806) NOTE: https://github.com/ImageMagick/ImageMagick/issues/509 CVE-2017-11113 (In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_e ...) - ncurses 6.0+20170701-1 [stretch] - ncurses 6.0+20161126-1+deb9u1 [jessie] - ncurses 5.9+20140913-1+deb8u1 [wheezy] - ncurses (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1464691 CVE-2017-11112 (In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the ...) - ncurses 6.0+20170701-1 [stretch] - ncurses 6.0+20161126-1+deb9u1 [jessie] - ncurses 5.9+20140913-1+deb8u1 [wheezy] - ncurses (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1464686 CVE-2017-11111 (In Netwide Assembler (NASM) 2.14rc0, preproc.c allows remote attackers ...) {DLA-1041-1} - nasm 2.13.02-0.1 (bug #867988) [stretch] - nasm (Minor issue) [jessie] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392415 CVE-2017-11110 (The ole_init function in ole.c in catdoc 0.95 allows remote attackers ...) {DSA-3917-1 DLA-1037-1} - catdoc 1:0.95-3 (bug #867717) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1468471 CVE-2017-11109 (Vim 8.0 allows attackers to cause a denial of service (invalid free) o ...) {DLA-1871-1 DLA-1030-1} - vim 2:8.0.0197-5 (low; bug #867720) [stretch] - vim 2:8.0.0197-4+deb9u1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1468492 CVE-2017-11108 (tcpdump 4.9.0 allows remote attackers to cause a denial of service (he ...) {DSA-3971-1 DLA-1090-1} - tcpdump 4.9.1-1 (bug #867718) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1468504 NOTE: Proposed patch: https://github.com/the-tcpdump-group/tcpdump/pull/617 NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/d9e65de3d94698ec90dbca42962a30dd2f0680e1 (4.9.1) CVE-2017-11107 (phpLDAPadmin through 1.2.3 has XSS in htdocs/entry_chooser.php via the ...) {DLA-1561-1 DLA-1019-1} - phpldapadmin 1.2.2-6.2 (bug #867719) NOTE: https://github.com/leenooks/phpLDAPadmin/issues/50 NOTE: https://bugs.launchpad.net/ubuntu/+source/phpldapadmin/+bug/1701731 CVE-2017-11106 RESERVED CVE-2017-11105 (The OnePlus 2 Primary Bootloader (PBL) does not validate the SBL1 part ...) NOT-FOR-US: OnePlus CVE-2017-1000050 (JasPer 2.0.12 is vulnerable to a NULL pointer exception in the functio ...) - jasper (unimportant) NOTE: http://www.openwall.com/lists/oss-security/2017/03/06/1 NOTE: https://github.com/mdadams/jasper/issues/120 NOTE: Fixed by: https://github.com/mdadams/jasper/commit/58ba0365d911b9f9dd68e9abf826682c0b4f2293 CVE-2017-1002024 (Vulnerability in web application Kind Editor v4.1.12, kindeditor/php/u ...) NOT-FOR-US: kindeditor CVE-2017-11103 (Heimdal before 7.4 allows remote attackers to impersonate services wit ...) {DSA-3912-1 DSA-3909-1 DLA-1027-1} - heimdal 7.4.0.dfsg.1-1 (bug #868208) - samba 2:4.6.5+dfsg-4 (bug #868209) [wheezy] - samba (Heimdal is only used in 4.x, wheezy ships 3.6.6) - samba4 [wheezy] - samba4 (dynamically linked against system heimdal) NOTE: https://orpheus-lyre.info/ NOTE: https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea NOTE: samba's source package embeds heimdal but the binary is statically linked to src:heimdal NOTE: https://www.samba.org/samba/security/CVE-2017-11103.html NOTE: Upstream Samba Bug: https://bugzilla.samba.org/show_bug.cgi?id=12894 CVE-2017-11102 (The ReadOneJNGImage function in coders/png.c in GraphicsMagick 1.3.26 ...) {DSA-4321-1 DLA-1456-1 DLA-1045-1} - graphicsmagick 1.3.26-2 (bug #867746) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/d445af60a8d5 NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/dea93a690fc1 NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/4d0baa77245b NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/e8f859704230 CVE-2017-11101 (When SWFTools 0.9.2 processes a crafted file in swfcombine, it can lea ...) - swftools (unimportant; bug #871022) NOTE: https://github.com/matthiaskramm/swftools/issues/26 CVE-2017-11100 (When SWFTools 0.9.2 processes a crafted file in swfextract, it can lea ...) - swftools (unimportant; bug #871024) NOTE: https://github.com/matthiaskramm/swftools/issues/27 CVE-2017-11099 (When SWFTools 0.9.2 processes a crafted file in wav2swf, it can lead t ...) - swftools (unimportant; bug #871018) NOTE: https://github.com/matthiaskramm/swftools/issues/31 CVE-2017-11098 (When SWFTools 0.9.2 processes a crafted file in png2swf, it can lead t ...) - swftools (unimportant; bug #871020) NOTE: https://github.com/matthiaskramm/swftools/issues/32 CVE-2017-11097 (When SWFTools 0.9.2 processes a crafted file in swfc, it can lead to a ...) - swftools (unimportant; bug #871025) NOTE: https://github.com/matthiaskramm/swftools/issues/24 CVE-2017-11096 (When SWFTools 0.9.2 processes a crafted file in swfcombine, it can lea ...) - swftools (unimportant; bug #871026) NOTE: https://github.com/matthiaskramm/swftools/issues/25 CVE-2017-11095 RESERVED CVE-2017-11094 RESERVED CVE-2017-11093 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11092 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11091 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11090 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11089 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) - linux 4.12.6-1 [stretch] - linux 4.9.47-1 [jessie] - linux 3.16.51-1 NOTE: Fixed by: https://git.kernel.org/linus/8feb69c7bd89513be80eb19198d48f154b254021 CVE-2017-11088 (Improper Input Validation in Linux io-prefetch in Snapdragon Mobile an ...) NOT-FOR-US: Snapdragon CVE-2017-11087 (libOmxVenc in Android for MSM, Firefox OS for MSM, and QRD Android cop ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-11086 RESERVED CVE-2017-11085 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11084 RESERVED CVE-2017-11083 RESERVED CVE-2017-11082 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11081 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11080 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11079 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11078 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11077 RESERVED CVE-2017-11076 RESERVED CVE-2017-11075 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11074 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11073 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11072 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: HTC component for Android CVE-2017-11071 RESERVED CVE-2017-11070 RESERVED CVE-2017-11069 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11068 RESERVED CVE-2017-11067 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11066 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11065 RESERVED CVE-2017-11064 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11063 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11062 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11061 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11060 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11059 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11058 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11057 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11056 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11055 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11054 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11053 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11052 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11051 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11050 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11049 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11048 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11047 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11046 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11045 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11044 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11043 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11042 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11041 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-11040 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-11039 RESERVED CVE-2017-11038 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11037 RESERVED CVE-2017-11036 RESERVED CVE-2017-11035 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11034 RESERVED CVE-2017-11033 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11032 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11031 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11030 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11029 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11028 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Android CVE-2017-11027 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11026 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11025 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11024 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11023 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11022 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11021 RESERVED CVE-2017-11020 RESERVED CVE-2017-11019 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11018 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11017 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11016 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11015 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11014 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11013 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11012 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11011 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11010 (In Android before 2018-01-05 on Qualcomm Snapdragon IoT, Snapdragon Mo ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11009 RESERVED CVE-2017-11008 REJECTED CVE-2017-11007 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11006 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm closed-source components for Android CVE-2017-11005 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm closed-source components for Android CVE-2017-11004 (A non-secure user may be able to access certain registers in snapdrago ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11003 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11002 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-11001 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-11000 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-10999 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-10998 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-10997 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-10996 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-10995 (The mng_get_long function in coders/png.c in ImageMagick 7.0.6-0 allow ...) {DSA-4204-1 DLA-1081-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #867748) NOTE: https://github.com/ImageMagick/ImageMagick/issues/538 NOTE: https://github.com/ImageMagick/ImageMagick/commit/24430226caf7eb468b4180f2883b2563e8cc1b23 NOTE: https://github.com/ImageMagick/ImageMagick/commit/1fdc09dc8f9522f07f5f501fe8453765ad82556c NOTE: The second commit is not security sensitive relevant, cf. NOTE: https://github.com/ImageMagick/ImageMagick/issues/538#issuecomment-317047977 CVE-2017-10994 (Foxit Reader before 8.3.1 and PhantomPDF before 8.3.1 have an Arbitrar ...) NOT-FOR-US: Foxit Reader CVE-2017-10993 (Contao before 3.5.28 and 4.x before 4.4.1 allows remote attackers to i ...) NOT-FOR-US: Contao CVE-2017-10992 (In HPE Storage Essentials 9.5.0.142, there is Unauthenticated Java Des ...) NOT-FOR-US: HPE CVE-2017-10991 (The WP Statistics plugin through 12.0.9 for WordPress has XSS in the r ...) NOT-FOR-US: Wordpress plugin CVE-2017-10990 RESERVED CVE-2017-10989 (The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3 ...) {DLA-1633-1 DLA-1018-1} - sqlite3 3.19.3-3 (bug #867618) [stretch] - sqlite3 3.16.2-5+deb9u1 NOTE: https://sqlite.org/src/vpatch?from=0db20efe201736b3&to=66de6f4a9504ec26 NOTE: https://sqlite.org/src/info/66de6f4a NOTE: https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1700937 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2405 NOTE: http://marc.info/?l=sqlite-users&m=149933696214713&w=2 CVE-2017-10988 REJECTED CVE-2017-10987 (An FR-GV-304 issue in FreeRADIUS 3.x before 3.0.15 allows "DHCP - Buff ...) - freeradius 3.0.15+dfsg-1 (bug #868765) [stretch] - freeradius 3.0.12+dfsg-5+deb9u1 [jessie] - freeradius (Only affects 3.x series) [wheezy] - freeradius (Only affects 3.x series) NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-304 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/19a18bf7c8af649c9e9742fb6a046f6aff639866 CVE-2017-10986 (An FR-GV-303 issue in FreeRADIUS 3.x before 3.0.15 allows "DHCP - Infi ...) - freeradius 3.0.15+dfsg-1 (bug #868765) [stretch] - freeradius 3.0.12+dfsg-5+deb9u1 [jessie] - freeradius (Only affects 3.x series) [wheezy] - freeradius (Only affects 3.x series) NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-303 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/21e2e95751bfb54c0fb0328392d06671a75c191c CVE-2017-10985 (An FR-GV-302 issue in FreeRADIUS 3.x before 3.0.15 allows "Infinite lo ...) - freeradius 3.0.15+dfsg-1 (bug #868765) [stretch] - freeradius 3.0.12+dfsg-5+deb9u1 [jessie] - freeradius (Only affects 3.x series) [wheezy] - freeradius (Only affects 3.x series) NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-302 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/6726c16549b131ed39f6f8886cdf5d9d922a9a97 CVE-2017-10984 (An FR-GV-301 issue in FreeRADIUS 3.x before 3.0.15 allows "Write overf ...) - freeradius 3.0.15+dfsg-1 (bug #868765) [stretch] - freeradius 3.0.12+dfsg-5+deb9u1 [jessie] - freeradius (Only affects 3.x series) [wheezy] - freeradius (Only affects 3.x series) NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-301 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/931850e5d2f65193520c2d9c9878148c0cdc16a6 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/4b059296e14b6ab75dc17163077490528a819806 CVE-2017-10983 (An FR-GV-206 issue in FreeRADIUS 2.x before 2.2.10 and 3.x before 3.0. ...) {DSA-3930-1 DLA-1064-1} - freeradius 3.0.15+dfsg-1 (bug #868765) NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-206 NOTE: 2.x: https://github.com/FreeRADIUS/freeradius-server/commit/ec08b30f87066f82073d02fab57e8ffeef81373d NOTE: 3.x: https://github.com/FreeRADIUS/freeradius-server/commit/5759b20af99af6d30924f0efd8da5eac2a17163d CVE-2017-10982 (An FR-GV-205 issue in FreeRADIUS 2.x before 2.2.10 allows "DHCP - Buff ...) {DLA-1064-1} - freeradius 3.0.12+dfsg-3 [jessie] - freeradius 2.2.5+dfsg-0.2+deb8u1 NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-205 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/10b6de9345c9e0d9d4d5e0426fa5c3d68d702875 NOTE: Mark as fixed in 3.0.12+dfsg-3 the first 3.x version in unstable NOTE: This is not fully technically correct, the issue affects only the 2.x NOTE: series but not 3.x. CVE-2017-10981 (An FR-GV-204 issue in FreeRADIUS 2.x before 2.2.10 allows "DHCP - Memo ...) {DLA-1064-1} - freeradius 3.0.12+dfsg-3 [jessie] - freeradius 2.2.5+dfsg-0.2+deb8u1 NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-204 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/812766e2150faa07b4c574e51393b014feaffe6c NOTE: Mark as fixed in 3.0.12+dfsg-3 the first 3.x version in unstable NOTE: This is not fully technically correct, the issue affects only the 2.x NOTE: series but not 3.x. CVE-2017-10980 (An FR-GV-203 issue in FreeRADIUS 2.x before 2.2.10 allows "DHCP - Memo ...) {DLA-1064-1} - freeradius 3.0.12+dfsg-3 [jessie] - freeradius 2.2.5+dfsg-0.2+deb8u1 NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-203 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/ef0727fc68e211a36637b5c4e4a6fa1326f0a029 NOTE: Mark as fixed in 3.0.12+dfsg-3 the first 3.x version in unstable NOTE: This is not fully technically correct, the issue affects only the 2.x NOTE: series but not 3.x. CVE-2017-10979 (An FR-GV-202 issue in FreeRADIUS 2.x before 2.2.10 allows "Write overf ...) {DLA-1064-1} - freeradius 3.0.12+dfsg-3 [jessie] - freeradius 2.2.5+dfsg-0.2+deb8u1 NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-202 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/ae3ba0011e7d299e92c45300e0137a56a650e8f5 NOTE: Mark as fixed in 3.0.12+dfsg-3 the first 3.x version in unstable NOTE: This is not fully technically correct, the issue affects only the 2.x NOTE: series but not 3.x. CVE-2017-10978 (An FR-GV-201 issue in FreeRADIUS 2.x before 2.2.10 and 3.x before 3.0. ...) {DSA-3930-1 DLA-1064-1} - freeradius 3.0.15+dfsg-1 (bug #868765) NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-201 NOTE: 2.x: https://github.com/FreeRADIUS/freeradius-server/commit/38ee90f2a5a28dc5887a30bdfdc98109c0418e68 NOTE: 3.x: https://github.com/FreeRADIUS/freeradius-server/commit/fc8662d7e827f630d515eaa0bddfa94754c8047f CVE-2017-1000082 (systemd v233 and earlier fails to safely parse usernames starting with ...) - systemd 234-1 (unimportant) [jessie] - systemd (Vulnerable code introduced in systemd-229) [wheezy] - systemd (Vulnerable code introduced in systemd-229) NOTE: https://github.com/systemd/systemd/issues/6237 NOTE: Fixed by: https://github.com/systemd/systemd/commit/bb28e68477a3a39796e4999a6cbc6ac6345a9159 NOTE: http://www.openwall.com/lists/oss-security/2017/07/02/1 CVE-2017-10977 RESERVED CVE-2017-10976 (When SWFTools 0.9.2 processes a crafted file in ttftool, it can lead t ...) - swftools (unimportant) NOTE: ttftool not shipped in Debian package CVE-2017-10975 (Cross-site scripting (XSS) vulnerability in Lutim before 0.8 might all ...) NOT-FOR-US: Lutim CVE-2017-10974 (Yaws 1.91 allows Unauthenticated Remote File Disclosure via HTTP Direc ...) - yaws 1.91-2 NOTE: Slightly different, additional CVE assignment which MITRE insists on, but fixed by the NOTE: original patch for CVE-2011-4350 CVE-2017-10973 (In FineCMS before 2017-07-06, application/lib/ajax/get_image_data.php ...) NOT-FOR-US: FineCMS CVE-2017-10970 (Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12 a ...) - cacti 1.1.12+ds1-1 (bug #867532) [stretch] - cacti (Vulnerable code introduced later) [jessie] - cacti (Vulnerable code introduced later) [wheezy] - cacti (Vulnerable code introduced later) NOTE: https://github.com/Cacti/cacti/issues/838 NOTE: https://github.com/Cacti/cacti/commit/3381cba6a9e36b01ed0ab0acfd41b00487966cb5 CVE-2017-11147 (In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler c ...) {DLA-1034-1} - php7.1 7.1.1-1 - php7.0 7.0.15-1 - php5 [jessie] - php5 5.6.30+dfsg-0+deb8u1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73773 NOTE: Fixed in 7.1.1, 7.0.15, 5.6.30 NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=e5246580a85f031e1a3b8064edbaa55c1643a451 NOTE: http://openwall.com/lists/oss-security/2017/07/10/6 CVE-2016-10397 (In PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of vari ...) {DLA-1034-1} - php7.1 (Fixed with initial upload to unstable) - php7.0 7.0.13-1 - php5 [jessie] - php5 5.6.28+dfsg-0+deb8u1 NOTE: PHP bug: https://bugs.php.net/bug.php?id=73192 NOTE: Fixed in 7.1.0, 7.0.13, 5.6.28 NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=b061fa909de77085d3822a89ab901b934d0362c4 NOTE: http://openwall.com/lists/oss-security/2017/07/10/6 CVE-2017-11144 (In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the o ...) {DSA-4081-1 DSA-4080-1 DLA-1034-1} - php7.1 7.1.8-1 - php7.0 7.0.22-1 - php5 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=74651 NOTE: Fixed in 7.1.7, 7.0.21, 5.6.31 NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=89637c6b41b510c20d262c17483f582f115c66d6 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=73cabfedf519298e1a11192699f44d53c529315e NOTE: http://git.php.net/?p=php-src.git;a=commit;h=91826a311dd37f4c4e5d605fa7af331e80ddd4c3 NOTE: http://openwall.com/lists/oss-security/2017/07/10/6 CVE-2017-11143 (In PHP before 5.6.31, an invalid free in the WDDX deserialization of b ...) {DSA-4081-1 DLA-1034-1} - php7.1 (Only affected 5.6) - php7.0 (Only affected 5.6) - php5 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=74145 NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=2aae60461c2ff7b7fbcdd194c789ac841d0747d7 NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=f269cdcd4f76accbecd03884f327cffb9a7f1ca9 NOTE: http://openwall.com/lists/oss-security/2017/07/10/6 CVE-2017-11142 (In PHP before 5.6.31, 7.x before 7.0.17, and 7.1.x before 7.1.3, remot ...) {DSA-4081-1} - php7.1 7.1.3+-1 - php7.0 7.0.17-1 - php5 [wheezy] - php5 (vulnerable code not present) NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73807 NOTE: Fixed in 7.1.3, 7.0.17, 5.6.31 NOTE: https://github.com/php/php-src/commit/a15bffd105ac28fd0dd9b596632dbf035238fda3 NOTE: https://github.com/php/php-src/commit/0f8cf3b8497dc45c010c44ed9e96518e11e19fc3 NOTE: http://openwall.com/lists/oss-security/2017/07/10/6 CVE-2017-10972 (Uninitialized data in endianness conversion in the XEvent handling of ...) {DSA-3905-1 DLA-1026-1} - xorg-server 2:1.19.3-2 (bug #867492) NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=05442de962d3dc624f79fc1a00eca3ffc5489ced NOTE: http://www.openwall.com/lists/oss-security/2017/07/06/6 CVE-2017-10971 (In the X.Org X server before 2017-06-19, a user authenticated to an X ...) {DSA-3905-1 DLA-1026-1} - xorg-server 2:1.19.3-2 (bug #867492) NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=ba336b24052122b136486961c82deac76bbde455 NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=8caed4df36b1f802b4992edcfd282cbeeec35d9d NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=215f894965df5fb0bb45b107d84524e700d2073c NOTE: http://www.openwall.com/lists/oss-security/2017/07/06/6 CVE-2017-10969 RESERVED CVE-2017-10968 (In FineCMS through 2017-07-07, application\core\controller\template.ph ...) NOT-FOR-US: FineCMS CVE-2017-10967 (In FineCMS before 2017-07-06, application\core\controller\config.php a ...) NOT-FOR-US: FineCMS CVE-2017-10966 (An issue was discovered in Irssi before 1.0.4. While updating the inte ...) {DLA-1089-1} - irssi 1.0.4-1 (low; bug #867598) [stretch] - irssi 1.0.2-1+deb9u2 [jessie] - irssi 0.8.17-1+deb8u5 NOTE: https://irssi.org/security/irssi_sa_2017_07.txt NOTE: https://github.com/irssi/irssi/commit/5e26325317c72a04c1610ad952974e206384d291 CVE-2017-10965 (An issue was discovered in Irssi before 1.0.4. When receiving messages ...) {DLA-1089-1} - irssi 1.0.4-1 (low; bug #867598) [stretch] - irssi 1.0.2-1+deb9u2 [jessie] - irssi 0.8.17-1+deb8u5 NOTE: https://irssi.org/security/irssi_sa_2017_07.txt NOTE: https://github.com/irssi/irssi/commit/5e26325317c72a04c1610ad952974e206384d291 CVE-2017-10964 RESERVED CVE-2017-10963 (In Knox SDS IAM (Identity Access Management) and EMM (Enterprise Mobil ...) NOT-FOR-US: Samsung CVE-2017-10962 (REDCap before 7.5.1 has XSS via the query string. ...) NOT-FOR-US: REDCap CVE-2017-10961 (REDCap before 7.5.1 has CSRF in the deletion feature of the File Repos ...) NOT-FOR-US: REDCap CVE-2017-10960 RESERVED CVE-2017-10959 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-10958 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-10957 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-10956 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2017-10955 (** DISPUTED ** This vulnerability allows remote attackers to execute a ...) NOT-FOR-US: EMC CVE-2017-10954 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Bitdefender Internet Security Internet Security 2018 CVE-2017-10953 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-10952 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-10951 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-10950 (This vulnerability allows local attackers to execute arbitrary code on ...) NOT-FOR-US: Bitdefender Total Security CVE-2017-10949 (Directory Traversal in Dell Storage Manager 2016 R2.1 causes Informati ...) NOT-FOR-US: Dell Storage Manager CVE-2017-10948 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-10947 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-10946 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-10945 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-10944 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2017-10943 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2017-10942 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2017-10941 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-10940 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Joyent CVE-2017-10939 REJECTED CVE-2017-10938 REJECTED CVE-2017-10937 (SQL injection vulnerability in all versions prior to V2.01.05.09 of th ...) NOT-FOR-US: ZTE CVE-2017-10936 (SQL injection vulnerability in all versions prior to V4.01.01 of the Z ...) NOT-FOR-US: ZTE ZXCDN-SNS CVE-2017-10935 (All versions prior to ZSRV2 V3.00.40 of the ZTE ZXR10 1800-2S products ...) NOT-FOR-US: ZTE ZXR10 1800-2S products CVE-2017-10934 (All versions prior to V5.09.02.02T4 of the ZTE ZXIPTV-EPG product use ...) NOT-FOR-US: ZTE ZXIPTV-EPG product CVE-2017-10933 (All versions prior to V2.06.00.00 of ZTE ZXDT22 SF01, an monitoring sy ...) NOT-FOR-US: ZTE ZXDT22 SF01 CVE-2017-10932 (All versions prior to V12.17.20 of the ZTE Microwave NR8000 series pro ...) NOT-FOR-US: ZTE Microwave CVE-2017-10931 (The ZXR10 1800-2S before v3.00.40 incorrectly restricts the download o ...) NOT-FOR-US: ZXR10 1800-2S CVE-2017-10930 (The ZXR10 1800-2S before v3.00.40 incorrectly restricts access to a re ...) NOT-FOR-US: ZXR10 1800-2S CVE-2016-10396 (The racoon daemon in IPsec-Tools 0.8.2 contains a remotely exploitable ...) {DLA-1044-1} - ipsec-tools 1:0.8.2+20140711-9 (bug #867986) [stretch] - ipsec-tools 1:0.8.2+20140711-8+deb9u1 [jessie] - ipsec-tools (Will be fixed via point release) NOTE: NetBSD applied patch: http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c.diff?r1=1.5&r2=1.5.36.1 NOTE: NetBSD Problem report: https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682 NOTE: Patch disputed, cf. https://bugzilla.suse.com/show_bug.cgi?id=1047443#c1 NOTE: Updated patch: https://anonscm.debian.org/cgit/pkg-ipsec-tools/pkg-ipsec-tools.git/plain/debian/patches/CVE-2016-10396.patch?id=62ac12648a4eb7c5ba5dba0f81998d1acf310d8b CVE-2017-10929 (The grub_memmove function in shlr/grub/kern/misc.c in radare2 1.5.0 al ...) {DLA-1016-1} - radare2 1.6.0+dfsg-1 (low; bug #867369) [jessie] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/issues/7855 NOTE: https://github.com/radare/radare2/commit/c57997e76ec70862174a1b3b3aeb62a6f8570e85 CVE-2017-10928 (In ImageMagick 7.0.6-0, a heap-based buffer over-read in the GetNextTo ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867367) NOTE: https://github.com/ImageMagick/ImageMagick/issues/539 CVE-2017-10927 RESERVED CVE-2017-10926 (IrfanView 4.44 (32bit) with FPX Plugin 4.47 might allow attackers to c ...) NOT-FOR-US: IrfanView CVE-2017-10925 (IrfanView 4.44 (32bit) with FPX Plugin 4.47 might allow attackers to c ...) NOT-FOR-US: IrfanView CVE-2017-10924 (IrfanView 4.44 (32bit) with FPX Plugin 4.47 allows attackers to execut ...) NOT-FOR-US: IrfanView CVE-2017-10910 (MQTT.js 2.x.x prior to 2.15.0 issue in handling PUBLISH tickets may le ...) - node-mqtt (Fixed before initial upload) CVE-2017-10909 (Untrusted search path vulnerability in Music Center for PC version 1.0 ...) NOT-FOR-US: Music Center for PC CVE-2017-10908 (H2O version 2.2.3 and earlier allows remote attackers to cause a denia ...) - h2o 2.2.4+dfsg-1 (medium) NOTE: https://github.com/h2o/h2o/issues/1544 CVE-2017-10907 (Directory traversal vulnerability in OneThird CMS Show Off v1.85 and e ...) NOT-FOR-US: OneThird CMS Show Off CVE-2017-10906 (Escape sequence injection vulnerability in Fluentd versions 0.12.29 th ...) NOT-FOR-US: Fluentd CVE-2017-10905 (A vulnerability in applications created using Qt for Android prior to ...) NOT-FOR-US: Qt for Android CVE-2017-10904 (Qt for Android prior to 5.9.0 allows remote attackers to execute arbit ...) NOT-FOR-US: Qt for Android CVE-2017-10903 (Improper authentication issue in PTW-WMS1 firmware version 2.000.012 a ...) NOT-FOR-US: PTW-WMS1 firmware CVE-2017-10902 (PTW-WMS1 firmware version 2.000.012 allows remote attackers to execute ...) NOT-FOR-US: PTW-WMS1 firmware CVE-2017-10901 (Buffer overflow in PTW-WMS1 firmware version 2.000.012 allows remote a ...) NOT-FOR-US: PTW-WMS1 firmware CVE-2017-10900 (PTW-WMS1 firmware version 2.000.012 allows remote attackers to bypass ...) NOT-FOR-US: PTW-WMS1 firmware CVE-2017-10899 (SQL injection vulnerability in the A-Reserve and A-Reserve for MT clou ...) NOT-FOR-US: A-Reserve CVE-2017-10898 (SQL injection vulnerability in the A-Member and A-Member for MT cloud ...) NOT-FOR-US: A-Member CVE-2017-10897 (Input validation issue in Buffalo BBR-4HG and and BBR-4MG broadband ro ...) NOT-FOR-US: Buffalo BBR-4HG and and BBR-4MG broadband routers CVE-2017-10896 (Cross-site scripting vulnerability in Buffalo BBR-4HG and and BBR-4MG ...) NOT-FOR-US: Buffalo BBR-4HG and and BBR-4MG broadband routers CVE-2017-10895 (sDNSProxy.exe ver1.1.0.0 and earlier allows remote attackers to cause ...) NOT-FOR-US: sDNSProxy CVE-2017-10894 (StreamRelay.NET.exe ver2.14.0.7 and earlier allows remote attackers to ...) NOT-FOR-US: StreamRelay.NET CVE-2017-10893 (Untrusted search path vulnerability in The Public Certification Servic ...) NOT-FOR-US: The Public Certification Service for Individuals CVE-2017-10892 (Untrusted search path vulnerability in Music Center for PC version 1.0 ...) NOT-FOR-US: Music Center for PC CVE-2017-10891 (Untrusted search path vulnerability in Media Go version 3.2.0.191 and ...) NOT-FOR-US: Media Go CVE-2017-10890 (Session management issue in RX-V200 firmware versions prior to 09.87.1 ...) NOT-FOR-US: RX-V200 firmware CVE-2017-10889 (TablePress prior to version 1.8.1 allows an attacker to conduct XML Ex ...) NOT-FOR-US: TablePress CVE-2017-10888 (BOOK WALKER for Windows Ver.1.2.9 and earlier, BOOK WALKER for Mac Ver ...) NOT-FOR-US: BOOK WALKER CVE-2017-10887 (Untrusted search path vulnerability in BOOK WALKER for Windows Ver.1.2 ...) NOT-FOR-US: BOOK WALKER CVE-2017-10886 (Cross-site scripting vulnerability in CS-Cart Japanese Edition v4.3.10 ...) NOT-FOR-US: CS-Cart CVE-2017-10885 (Untrusted search path vulnerability in HYPER SBI Ver. 2.2 and earlier ...) NOT-FOR-US: HYPER SBI CVE-2017-10884 RESERVED CVE-2017-10883 RESERVED CVE-2017-10882 RESERVED CVE-2017-10881 RESERVED CVE-2017-10880 RESERVED CVE-2017-10879 RESERVED CVE-2017-10878 RESERVED CVE-2017-10877 RESERVED CVE-2017-10876 RESERVED CVE-2017-10875 (I-O DATA DEVICE LAN DISK Connect Ver2.02 and earlier allows an attacke ...) NOT-FOR-US: I-O DATA DEVICE LAN DISK Connect CVE-2017-10874 (PWR-Q200 does not use random values for source ports of DNS query pack ...) NOT-FOR-US: PWR-Q200 CVE-2017-10873 (OpenAM (Open Source Edition) allows an attacker to bypass authenticati ...) NOT-FOR-US: OpenAM CVE-2017-10872 (H2O version 2.2.3 and earlier allows remote attackers to cause a denia ...) - h2o 2.2.4+dfsg-1 (medium) NOTE: https://github.com/h2o/h2o/issues/1543 CVE-2017-10871 (Buffer overflow in NTT DOCOMO Wi-Fi STATION L-02F Software version L02 ...) NOT-FOR-US: NTT DOCOMO Wi-Fi STATION L-02F Software CVE-2017-10870 (Memory corruption vulnerability in Rakuraku Hagaki (Rakuraku Hagaki 20 ...) NOT-FOR-US: Rakuraku Hagaki CVE-2017-10869 (Buffer overflow in H2O version 2.2.2 and earlier allows remote attacke ...) - h2o 2.2.3+dfsg-1 (medium) NOTE: https://github.com/h2o/h2o/issues/1460 CVE-2017-10868 (H2O version 2.2.2 and earlier allows remote attackers to cause a denia ...) - h2o 2.2.3+dfsg-1 (medium) NOTE: https://github.com/h2o/h2o/issues/1459 CVE-2017-10867 RESERVED CVE-2017-10866 RESERVED CVE-2017-10865 (Untrusted search path vulnerability in HIBUN Confidential File Decrypt ...) NOT-FOR-US: HIBUN Confidential File Decryption CVE-2017-10864 (Untrusted search path vulnerability in Installer of HIBUN Confidential ...) NOT-FOR-US: HIBUN Confidential File Decryption CVE-2017-10863 (Untrusted search path vulnerability in HIBUN Confidential File Decrypt ...) NOT-FOR-US: HIBUN Confidential File Decryption CVE-2017-10862 (jwt-scala 1.2.2 and earlier fails to verify token signatures correctly ...) NOT-FOR-US: jwt-scala CVE-2017-10861 (Directory traversal vulnerability in QND Advance/Standard allows an at ...) NOT-FOR-US: QND Advance/Standard CVE-2017-10860 (Untrusted search path vulnerability in "i-filter 6.0 installer" timest ...) NOT-FOR-US: i-filter 6.0 installer CVE-2017-10859 (Untrusted search path vulnerability in "i-filter 6.0 installer" timest ...) NOT-FOR-US: i-filter 6.0 installer CVE-2017-10858 (Untrusted search path vulnerability in "i-filter 6.0 install program" ...) NOT-FOR-US: i-filter 6.0 install program CVE-2017-10857 (Cybozu Office 10.0.0 to 10.6.1 allows authenticated attackers to bypas ...) NOT-FOR-US: Cybozu CVE-2017-10856 (SEIL/X 4.60 to 5.72, SEIL/B1 4.60 to 5.72, SEIL/x86 3.20 to 5.72, SEIL ...) NOT-FOR-US: SEIL CVE-2017-10855 (Untrusted search path vulnerability in FENCE-Explorer for Windows V8.4 ...) NOT-FOR-US: FENCE-Explorer for Windows CVE-2017-10854 (Corega CG-WGR1200 firmware 2.20 and earlier allows an attacker to bypa ...) NOT-FOR-US: Corega CG-WGR1200 firmware CVE-2017-10853 (Buffer overflow in Corega CG-WGR1200 firmware 2.20 and earlier allows ...) NOT-FOR-US: Corega CG-WGR1200 firmware CVE-2017-10852 (Buffer overflow in Corega CG-WGR1200 firmware 2.20 and earlier allows ...) NOT-FOR-US: Corega CG-WGR1200 firmware CVE-2017-10851 (Untrusted search path vulnerability in Installer for ContentsBridge Ut ...) NOT-FOR-US: Installer for ContentsBridge Utility for Windows CVE-2017-10850 (Untrusted search path vulnerability in Installers of ART EX Driver for ...) NOT-FOR-US: Various installer for Drivers for ApeosPort-VI and DocuCentre-VI products CVE-2017-10849 (Untrusted search path vulnerability in Self-extracting document genera ...) NOT-FOR-US: DocuWorks CVE-2017-10848 (Untrusted search path vulnerability in Installers for DocuWorks 8.0.7 ...) NOT-FOR-US: Installers for DocuWorks CVE-2017-10847 RESERVED CVE-2017-10846 (Wi-Fi STATION L-02F Software version V10b and earlier allows remote at ...) NOT-FOR-US: Wi-Fi STATION L-02F Software CVE-2017-10845 (Wi-Fi STATION L-02F Software version V10g and earlier allows remote at ...) NOT-FOR-US: Wi-Fi STATION L-02F Software CVE-2017-10844 (baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows an attacker to e ...) NOT-FOR-US: baserCMS CVE-2017-10843 (baserCMS version 3.0.14 and earlier, 4.0.5 and earlier allows remote a ...) NOT-FOR-US: baserCMS CVE-2017-10842 (SQL injection vulnerability in the baserCMS 3.0.14 and earlier, 4.0.5 ...) NOT-FOR-US: baserCMS CVE-2017-10841 (Directory traversal vulnerability in WebCalendar 1.2.7 and earlier all ...) - webcalendar CVE-2017-10840 (Cross-site scripting vulnerability in WebCalendar 1.2.7 and earlier al ...) - webcalendar CVE-2017-10839 (SQL injection vulnerability in the SEO Panel prior to version 3.11.0 a ...) NOT-FOR-US: SEO Panel CVE-2017-10838 (Cross-site scripting vulnerability in SEO Panel prior to version 3.11. ...) NOT-FOR-US: SEO Panel CVE-2017-10837 (Cross-site scripting vulnerability in BackupGuard prior to version 1.1 ...) NOT-FOR-US: BackupGuard CVE-2017-10836 (Untrusted search path vulnerability in Optimal Guard 1.1.21 and earlie ...) NOT-FOR-US: Optimal Guard CVE-2017-10835 ("Dokodemo eye Smart HD" SCR02HD Firmware 1.0.3.1000 and earlier allows ...) NOT-FOR-US: "Dokodemo eye Smart HD" SCR02HD Firmware CVE-2017-10834 (Directory traversal vulnerability in "Dokodemo eye Smart HD" SCR02HD F ...) NOT-FOR-US: "Dokodemo eye Smart HD" SCR02HD Firmware CVE-2017-10833 ("Dokodemo eye Smart HD" SCR02HD Firmware 1.0.3.1000 and earlier allows ...) NOT-FOR-US: "Dokodemo eye Smart HD" SCR02HD Firmware CVE-2017-10832 ("Dokodemo eye Smart HD" SCR02HD Firmware 1.0.3.1000 and earlier allows ...) NOT-FOR-US: "Dokodemo eye Smart HD" SCR02HD Firmware CVE-2017-10831 (Untrusted search path vulnerability in The electronic authentication s ...) NOT-FOR-US: The CRCA user's Software system CVE-2017-10830 (Untrusted search path vulnerability in Security Setup Tool all version ...) NOT-FOR-US: Security Setup Tool CVE-2017-10829 (Untrusted search path vulnerability in Remote Support Tool (Enkaku Sup ...) NOT-FOR-US: Remote Support Tool (Enkaku Support Tool) CVE-2017-10828 (Untrusted search path vulnerability in Flets Install Tool all versions ...) NOT-FOR-US: Flets Install Tool CVE-2017-10827 (Untrusted search path vulnerability in Flets Azukeru for Windows Auto ...) NOT-FOR-US: Flets Azukeru for Windows Auto Backup Tool CVE-2017-10826 (Untrusted search path vulnerability in Security Kinou Mihariban v1.0.2 ...) NOT-FOR-US: Security Kinou Mihariban CVE-2017-10825 (Untrusted search path vulnerability in Installer of Flets Easy Setup T ...) NOT-FOR-US: Installer of Flets Easy Setup Tool CVE-2017-10824 (Untrusted search path vulnerability in TDB CA TypeA use software Versi ...) NOT-FOR-US: TDB CA TypeA use software CVE-2017-10823 (Untrusted search path vulnerability in Installer for Shin Kinkyuji Hou ...) NOT-FOR-US: Installer for Shin Kinkyuji Houkoku Data Nyuryoku Program CVE-2017-10822 (Untrusted search path vulnerability in Installer for Shin Sekiyu Yunyu ...) NOT-FOR-US: Installer for Shin Sekiyu Yunyu Chousa Houkoku Data Nyuryoku Program CVE-2017-10821 (Untrusted search path vulnerability in Installer for Shin Kikan Toukei ...) NOT-FOR-US: Installer for Shin Kikan Toukei Houkoku Data Nyuryokuyou Program CVE-2017-10820 (Untrusted search path vulnerability in Installer of IP Messenger for W ...) NOT-FOR-US: Installer of IP Messenger for Win CVE-2017-10819 (MaLion for Mac 4.3.0 to 5.2.1 does not properly validate certificates, ...) NOT-FOR-US: MaLion CVE-2017-10818 (MaLion for Windows and Mac versions 3.2.1 to 5.2.1 uses a hardcoded cr ...) NOT-FOR-US: MaLion CVE-2017-10817 (MaLion for Windows and Mac 5.0.0 to 5.2.1 allows remote attackers to b ...) NOT-FOR-US: MaLion CVE-2017-10816 (SQL injection vulnerability in the MaLion for Windows and Mac 5.0.0 to ...) NOT-FOR-US: MaLion CVE-2017-10815 (MaLion for Windows 5.2.1 and earlier (only when "Remote Control" is in ...) NOT-FOR-US: MaLion CVE-2017-10814 (Buffer overflow in CG-WLR300NM Firmware version 1.90 and earlier allow ...) NOT-FOR-US: CG-WLR300NM Firmware CVE-2017-10813 (CG-WLR300NM Firmware version 1.90 and earlier allows an attacker to ex ...) NOT-FOR-US: CG-WLR300NM Firmware CVE-2017-10812 (Untrusted search path vulnerability in Photo Collection PC Software Ve ...) NOT-FOR-US: Photo Collection PC Software CVE-2017-10811 (Buffalo WCR-1166DS devices with firmware 1.30 and earlier allow an att ...) NOT-FOR-US: Buffalo WCR-1166DS devices CVE-2017-10810 (Memory leak in the virtio_gpu_object_create function in drivers/gpu/dr ...) {DSA-3927-1} - linux 4.11.11-1 (low) [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/385aee965b4e4c36551c362a334378d2985b722a CVE-2017-10809 RESERVED CVE-2017-10808 RESERVED CVE-2017-10806 (Stack-based buffer overflow in hw/usb/redirect.c in QEMU (aka Quick Em ...) {DSA-3925-1 DLA-1497-1} - qemu 1:2.8+dfsg-7 (bug #867751) [wheezy] - qemu (Minor issue) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2017-05/msg03087.html CVE-2017-10807 (JabberD 2.x (aka jabberd2) before 2.6.1 allows anyone to authenticate ...) {DSA-3902-1} - jabberd2 2.6.1-1 (bug #867032) NOTE: Fixed by: https://github.com/jabberd2/jabberd2/commit/8416ae54ecefa670534f27a31db71d048b9c7f16 NOTE: https://github.com/jabberd2/jabberd2/releases/tag/jabberd-2.6.1 CVE-2017-10805 (In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise ...) NOT-FOR-US: Odoo CVE-2017-10804 (In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise ...) NOT-FOR-US: Odoo CVE-2017-10803 (In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise ...) NOT-FOR-US: Odoo CVE-2017-10802 RESERVED CVE-2017-10801 (phpSocial (formerly phpDolphin) before 3.0.1 has XSS in the PATH_INFO ...) NOT-FOR-US: phpSocial CVE-2017-10800 (When GraphicsMagick 1.3.25 processes a MATLAB image in coders/mat.c, i ...) {DSA-4321-1} - graphicsmagick 1.3.26-1 (bug #867060) [jessie] - graphicsmagick (Minor issue) [wheezy] - graphicsmagick (Minor issue) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/e5761e3a2012 NOTE: The above commit unfortunately is not enough. There are more related NOTE: changes, and Bob Friesenhahn commented that it's not complete. All NOTE: the rlated changesets to mat.c since the one referenced should be NOTE: picked up. CVE-2017-10799 (When GraphicsMagick 1.3.25 processes a DPX image (with metadata indica ...) {DSA-4321-1 DLA-1755-1 DLA-1045-1} - graphicsmagick 1.3.26-1 (bug #867077) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/f10b9bb3ca62 CVE-2017-10798 (In ObjectPlanet Opinio before 7.6.4, there is XSS. ...) NOT-FOR-US: ObjectPlanet Opinio CVE-2017-10797 RESERVED CVE-2017-10796 (On TP-Link NC250 devices with firmware through 1.2.1 build 170515, any ...) NOT-FOR-US: TP-Link CVE-2017-10795 (Cross-site scripting (XSS) vulnerability in Subrion CMS 4.1.4 allows r ...) NOT-FOR-US: Subrion CMS CVE-2017-10794 (When GraphicsMagick 1.3.25 processes an RGB TIFF picture (with metadat ...) {DSA-4321-1} - graphicsmagick 1.3.26-1 (bug #867085) [jessie] - graphicsmagick (vulnerable code not present) [wheezy] - graphicsmagick (vulnerable code not present) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/a20bee0a0ad2 CVE-2017-10793 (The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG589, NVG599, ...) NOT-FOR-US: Arris CVE-2017-10792 (There is a NULL Pointer Dereference in the function ll_insert() of the ...) - pspp 1.0.0-1 (unimportant; bug #866890) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1467005 NOTE: No security impact, crash in CLI tool CVE-2017-10791 (There is an Integer overflow in the hash_int function of the libpspp l ...) - pspp 1.0.0-1 (unimportant; bug #866890) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1467004 NOTE: No security impact as built in Debian CVE-2017-10790 (The _asn1_check_identifier function in GNU Libtasn1 through 4.12 cause ...) {DSA-4106-1 DLA-2255-1 DLA-1038-1} - libtasn1-6 4.12-2.1 (bug #867398) - libtasn1-3 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1464141 NOTE: Fixed by: https://gitlab.com/gnutls/libtasn1/commit/d8d805e1f2e6799bb2dff4871a8598dc83088a39 CVE-2017-10789 (The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1 sett ...) {DLA-1079-1} - libdbd-mysql-perl 4.046-1 (bug #866821) [stretch] - libdbd-mysql-perl (Minor issue, can be fixed via point release) [jessie] - libdbd-mysql-perl (Minor issue, can be fixed via point release) NOTE: https://github.com/perl5-dbi/DBD-mysql/issues/110 NOTE: https://github.com/perl5-dbi/DBD-mysql/pull/114 NOTE: Upstream 4.042 fixed this issue, but was reverted upstream in 4.043: NOTE: https://www.nntp.perl.org/group/perl.dbi.dev/2017/08/msg8037.html NOTE: No upstream-blessed patch available. CVE-2017-10788 (The DBD::mysql module through 4.043 for Perl allows remote attackers t ...) {DLA-1079-1} - libdbd-mysql-perl 4.046-1 (bug #866818) [stretch] - libdbd-mysql-perl (Minor issue, can be fixed via point release) [jessie] - libdbd-mysql-perl (Minor issue, can be fixed via point release) NOTE: http://seclists.org/oss-sec/2017/q2/443 NOTE: https://github.com/perl5-dbi/DBD-mysql/issues/120 NOTE: https://github.com/perl5-dbi/DBD-mysql/pull/142 CVE-2017-10787 RESERVED CVE-2017-10786 RESERVED CVE-2017-10785 RESERVED CVE-2017-10784 (The Basic authentication code in WEBrick library in Ruby before 2.2.8, ...) {DSA-4031-1 DLA-1421-1 DLA-1114-1 DLA-1113-1} - ruby2.3 2.3.5-1 (bug #875931) - ruby2.1 - ruby1.9.1 - ruby1.8 NOTE: https://www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784/ NOTE: https://github.com/ruby/ruby/commit/6617c41292b7d1e097abb8fdb0cab9ddd83c77e7 NOTE: https://hackerone.com/reports/223363 CVE-2017-10783 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10782 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10781 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10780 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10779 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10778 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10777 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10776 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10775 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10774 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10773 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10772 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10771 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10770 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10769 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10768 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10767 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10766 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10765 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10764 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10763 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10762 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10761 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10760 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10759 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10758 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10757 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10756 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10755 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10754 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10753 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10752 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10751 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10750 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-10749 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-10748 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-10747 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-10746 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-10745 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-10744 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-10743 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-10742 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-10741 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-10740 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-10739 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-10738 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-10737 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-10736 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-10735 (IrfanView version 4.44 (32bit) might allow attackers to cause a denial ...) NOT-FOR-US: IrfanView CVE-2017-10734 (IrfanView version 4.44 (32bit) might allow attackers to cause a denial ...) NOT-FOR-US: IrfanView CVE-2017-10733 (IrfanView version 4.44 (32bit) might allow attackers to cause a denial ...) NOT-FOR-US: IrfanView CVE-2017-10732 (IrfanView version 4.44 (32bit) might allow attackers to cause a denial ...) NOT-FOR-US: IrfanView CVE-2017-10731 (IrfanView version 4.44 (32bit) allows attackers to execute arbitrary c ...) NOT-FOR-US: IrfanView CVE-2017-10730 (IrfanView version 4.44 (32bit) allows attackers to execute arbitrary c ...) NOT-FOR-US: IrfanView CVE-2017-10729 (IrfanView version 4.44 (32bit) allows attackers to execute arbitrary c ...) NOT-FOR-US: IrfanView CVE-2017-10728 (Winamp 5.666 Build 3516(x86) might allow attackers to execute arbitrar ...) NOT-FOR-US: Winamp CVE-2017-10727 (Winamp 5.666 Build 3516(x86) might allow attackers to execute arbitrar ...) NOT-FOR-US: Winamp CVE-2017-10726 (Winamp 5.666 Build 3516(x86) might allow attackers to execute arbitrar ...) NOT-FOR-US: Winamp CVE-2017-10725 (Winamp 5.666 Build 3516(x86) allows attackers to execute arbitrary cod ...) NOT-FOR-US: Winamp CVE-2017-10724 (Recently it was discovered as a part of the research on IoT devices in ...) NOT-FOR-US: Shekar Endoscope CVE-2017-10723 (Recently it was discovered as a part of the research on IoT devices in ...) NOT-FOR-US: Shekar Endoscope CVE-2017-10722 (Recently it was discovered as a part of the research on IoT devices in ...) NOT-FOR-US: Shekar Endoscope CVE-2017-10721 (Recently it was discovered as a part of the research on IoT devices in ...) NOT-FOR-US: Shekar Endoscope CVE-2017-10720 (Recently it was discovered as a part of the research on IoT devices in ...) NOT-FOR-US: Shekar Endoscope CVE-2017-10719 (Recently it was discovered as a part of the research on IoT devices in ...) NOT-FOR-US: Shekar Endoscope CVE-2017-10718 (Recently it was discovered as a part of the research on IoT devices in ...) NOT-FOR-US: Shekar Endoscope CVE-2017-10717 RESERVED CVE-2017-10716 RESERVED CVE-2017-10715 RESERVED CVE-2017-10714 RESERVED CVE-2017-10713 RESERVED CVE-2017-10712 RESERVED CVE-2017-10711 (In SimpleRisk 20170614-001, a CSRF attack on reset.php (aka the Send P ...) NOT-FOR-US: SimpleRisk CVE-2017-10710 RESERVED CVE-2017-10709 (The lockscreen on Elephone P9000 devices (running Android 6.0) allows ...) NOT-FOR-US: Elephone P9000 devices CVE-2017-10708 (An issue was discovered in Apport through 2.20.x. In apport/report.py, ...) NOT-FOR-US: Apport CVE-2017-10707 RESERVED CVE-2017-10706 (When Antiy Antivirus Engine before 5.0.0.05171547 scans a special ZIP ...) NOT-FOR-US: When Antiy Antivirus Engine CVE-2017-10705 RESERVED CVE-2017-10704 RESERVED CVE-2017-10703 RESERVED CVE-2017-10702 RESERVED CVE-2017-10701 (Cross site scripting (XSS) vulnerability in SAP Enterprise Portal 7.50 ...) NOT-FOR-US: SAP Enterprise Portal CVE-2017-10700 (In the medialibrary component in QNAP NAS 4.3.3.0229, an un-authentica ...) NOT-FOR-US: QNAP CVE-2017-10699 (avcodec 2.2.x, as used in VideoLAN VLC media player 2.2.7-x before 201 ...) {DSA-4045-1} - vlc 2.2.6-3 [wheezy] - vlc (Not supported in wheezy LTS) NOTE: http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=6cc73bcad19da2cd2e95671173f2e0d203a57e9b NOTE: http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=a38a85db58c569cc592d9380cc07096757ef3d49 NOTE: https://trac.videolan.org/vlc/ticket/18467 CVE-2017-10698 RESERVED CVE-2017-10697 RESERVED CVE-2017-10696 RESERVED CVE-2017-10695 RESERVED CVE-2017-10694 RESERVED CVE-2017-10693 RESERVED CVE-2017-10692 RESERVED CVE-2017-10691 RESERVED CVE-2017-10690 (In previous versions of Puppet Agent it was possible for the agent to ...) - puppet (Only affects Puppet 5, only in experimental) NOTE: https://puppet.com/security/cve/CVE-2017-10690 NOTE: https://tickets.puppetlabs.com/browse/PUP-8225 NOTE: Fixed by: https://github.com/puppetlabs/puppet/commit/bd87bef2c3862d333f4c1f2b148b147d449a375b CVE-2017-10689 (In previous versions of Puppet Agent it was possible to install a modu ...) - puppet 5.4.0-1 (bug #890412) [stretch] - puppet (Minor issue) [jessie] - puppet (Minor issue) [wheezy] - puppet (vulnerable code not present) NOTE: https://puppet.com/security/cve/CVE-2017-10689 NOTE: https://tickets.puppetlabs.com/browse/PUP-7866 NOTE: https://github.com/puppetlabs/puppet/commit/17d9e02da3882e44c1876e2805cf9708481715ee NOTE: https://github.com/puppetlabs/puppet/commit/983154f7e29a2a50d416d889a6fed012b9b12399 CVE-2017-10688 (In LibTIFF 4.0.8, there is a assertion abort in the TIFFWriteDirectory ...) {DSA-3903-1 DLA-1022-1} - tiff 4.0.8-3 (bug #866611) - tiff3 [wheezy] - tiff3 (vulnerable code not present) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2712 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1 CVE-2017-10687 (In LibSass 3.4.5, there is a heap-based buffer over-read in the functi ...) - libsass (low; bug #866672) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1466411 CVE-2017-10686 (In Netwide Assembler (NASM) 2.14rc0, there are multiple heap use after ...) {DLA-1041-1} - nasm 2.13.02-0.1 (bug #867988) [stretch] - nasm (Minor issue) [jessie] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392414 CVE-2017-10685 (In ncurses 6.0, there is a format string vulnerability in the fmt_entr ...) - ncurses 6.0+20170701-1 [stretch] - ncurses 6.0+20161126-1+deb9u1 [jessie] - ncurses 5.9+20140913-1+deb8u1 [wheezy] - ncurses (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1464692 CVE-2017-10684 (In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entr ...) - ncurses 6.0+20170708-1 [stretch] - ncurses 6.0+20161126-1+deb9u1 [jessie] - ncurses 5.9+20140913-1+deb8u1 [wheezy] - ncurses (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1464687 CVE-2017-10683 (In mpg123 1.25.0, there is a heap-based buffer over-read in the conver ...) {DLA-1017-1} - mpg123 1.25.1-1 (bug #866860) [stretch] - mpg123 (Minor issue) [jessie] - mpg123 (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1465819 NOTE: Duplicate of https://sourceforge.net/p/mpg123/bugs/252/ NOTE: Patch: http://scm.orgis.org/view/mpg123/trunk/src/libmpg123/id3.c?sortby=date&r1=4249&r2=4248&pathrev=4249 CVE-2017-10682 (SQL injection vulnerability in the administrative backend in Piwigo th ...) - piwigo CVE-2017-10681 (Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9. ...) - piwigo CVE-2017-10680 (Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9. ...) - piwigo CVE-2017-10679 (Piwigo through 2.9.1 allows remote attackers to obtain sensitive infor ...) - piwigo CVE-2017-10678 (Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9. ...) - piwigo CVE-2017-10677 (Cross-Site Request Forgery (CSRF) exists on Linksys EA4500 devices wit ...) NOT-FOR-US: Linksys EA4500 devices CVE-2017-10676 (On D-Link DIR-600M devices before C1_v3.05ENB01_beta_20170306, XSS was ...) NOT-FOR-US: D-Link CVE-2017-10675 RESERVED CVE-2017-10674 (Antiy Antivirus Engine 5.0.0.06281654 allows local users to cause a de ...) NOT-FOR-US: Antiy Antivirus Engine CVE-2015-9106 RESERVED NOT-FOR-US: WordPress plugin the-holiday-calendar CVE-2015-9105 (Multiple cross-site scripting (XSS) vulnerabilities in Synology Video ...) NOT-FOR-US: Synology CVE-2015-9104 (Cross-site scripting (XSS) vulnerabilities in Synology Audio Station 5 ...) NOT-FOR-US: Synology CVE-2015-9103 (Multiple cross-site scripting (XSS) vulnerabilities in Synology Note S ...) NOT-FOR-US: Synology CVE-2015-9102 (Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo ...) NOT-FOR-US: Synology CVE-2017-10673 (admin/profile.php in GetSimple CMS 3.x has XSS in a name field. ...) NOT-FOR-US: GetSimple CMS CVE-2017-10672 (Use-after-free in the XML-LibXML module through 2.0129 for Perl allows ...) {DSA-4042-1 DLA-1171-1} - libxml-libxml-perl 2.0128+dfsg-5 (bug #866676) NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=122246 NOTE: Pull request: https://github.com/shlomif/perl-XML-LibXML/pull/8 CVE-2017-10671 (Heap-based Buffer Overflow in the de_dotdot function in libhttpd.c in ...) - thttpd CVE-2017-10670 (An XML External Entity (XXE) issue exists in OSCI-Transport 1.2 as use ...) NOT-FOR-US: OSCI-Transport CVE-2017-10669 (Signature Wrapping exists in OSCI-Transport 1.2 as used in OSCI Transp ...) NOT-FOR-US: OSCI-Transport CVE-2017-10668 (A Padding Oracle exists in OSCI-Transport 1.2 as used in OSCI Transpor ...) NOT-FOR-US: OSCI-Transport CVE-2017-10667 (In index.php in Zen Cart 1.6.0, the products_id parameter can cause XS ...) NOT-FOR-US: Zen Cart CVE-2017-10666 RESERVED CVE-2017-10665 (Directory traversal vulnerability in ajaxfileupload.php in Kayson Grou ...) NOT-FOR-US: Kayson Group Ltd. phpGrid CVE-2017-9998 (The _dwarf_decode_s_leb128_chk function in dwarf_leb.c in libdwarf thr ...) - dwarfutils 20170416-3 (bug #866968) [stretch] - dwarfutils 20161124-1+deb9u1 [jessie] - dwarfutils (Minor issue) [wheezy] - dwarfutils (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1465756 CVE-2017-9997 RESERVED CVE-2017-10664 (qemu-nbd in QEMU (aka Quick Emulator) does not ignore SIGPIPE, which a ...) {DSA-3920-1 DLA-1599-1 DLA-1071-1 DLA-1070-1} - qemu 1:2.8+dfsg-7 (bug #866674) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg02693.html NOTE: Fixed by (master): http://git.qemu.org/?p=qemu.git;a=commitdiff;h=041e32b8d9d076980b4e35317c0339e57ab888f1 CVE-2017-10663 (The sanity_check_ckpt function in fs/f2fs/super.c in the Linux kernel ...) - linux 4.12.6-1 [stretch] - linux 4.9.47-1 [jessie] - linux (Hard to backport and low priority outside of Android) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/15d3042a937c13f5d9244241c7a9c8416ff6e82a (v4.13-rc1) CVE-2017-10662 (The sanity_check_raw_super function in fs/f2fs/super.c in the Linux ke ...) - linux 4.9.30-1 [jessie] - linux (Hard to backport and low priority outside of Android) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/b9dd46188edc2f0d1f37328637860bb65a771124 (v4.12-rc1) CVE-2017-10661 (Race condition in fs/timerfd.c in the Linux kernel before 4.10.15 allo ...) {DLA-1099-1} - linux 4.9.30-1 [jessie] - linux 3.16.43-2+deb8u5 NOTE: Fixed by: https://git.kernel.org/linus/1e38da300e1e395a15048b0af1e5305bd91402f6 (v4.11-rc1) CVE-2017-10660 REJECTED CVE-2017-10659 REJECTED CVE-2017-10658 REJECTED CVE-2017-10657 REJECTED CVE-2017-10656 REJECTED CVE-2017-10655 REJECTED CVE-2017-10654 REJECTED CVE-2017-10653 REJECTED CVE-2017-10652 REJECTED CVE-2017-10651 REJECTED CVE-2017-10650 RESERVED CVE-2017-10649 RESERVED CVE-2017-10648 RESERVED CVE-2017-10647 RESERVED CVE-2017-10646 RESERVED CVE-2017-10645 RESERVED CVE-2017-10644 RESERVED CVE-2017-10643 RESERVED CVE-2017-10642 RESERVED CVE-2017-10641 RESERVED CVE-2017-10640 RESERVED CVE-2017-10639 RESERVED CVE-2017-10638 RESERVED CVE-2017-10637 RESERVED CVE-2017-10636 RESERVED CVE-2017-10635 RESERVED CVE-2017-10634 RESERVED CVE-2017-10633 RESERVED CVE-2017-10632 RESERVED CVE-2017-10631 RESERVED CVE-2017-10630 RESERVED CVE-2017-10629 RESERVED CVE-2017-10628 RESERVED CVE-2017-10627 RESERVED CVE-2017-10626 RESERVED CVE-2017-10625 RESERVED CVE-2017-10624 (Insufficient verification of node certificates in Juniper Networks Jun ...) NOT-FOR-US: Juniper CVE-2017-10623 (Lack of authentication and authorization of cluster messages in Junipe ...) NOT-FOR-US: Juniper CVE-2017-10622 (An authentication bypass vulnerability in Juniper Networks Junos Space ...) NOT-FOR-US: Juniper CVE-2017-10621 (A denial of service vulnerability in telnetd service on Juniper Networ ...) NOT-FOR-US: Juniper CVE-2017-10620 (Juniper Networks Junos OS on SRX series devices do not verify the HTTP ...) NOT-FOR-US: Juniper CVE-2017-10619 (When Express Path (formerly known as service offloading) is configured ...) NOT-FOR-US: Juniper CVE-2017-10618 (When the 'bgp-error-tolerance' feature &#xe2;&#x80;" designed ...) NOT-FOR-US: Juniper CVE-2017-10617 (The ifmap service that comes bundled with Contrail has an XML External ...) NOT-FOR-US: Juniper CVE-2017-10616 (The ifmap service that comes bundled with Juniper Networks Contrail re ...) NOT-FOR-US: Juniper CVE-2017-10615 (A vulnerability in the pluggable authentication module (PAM) of Junipe ...) NOT-FOR-US: Juniper CVE-2017-10614 (A vulnerability in telnetd service on Junos OS allows a remote attacke ...) NOT-FOR-US: Juniper CVE-2017-10613 (A vulnerability in a specific loopback filter action command, processe ...) NOT-FOR-US: Juniper CVE-2017-10612 (A persistent site scripting vulnerability in Juniper Networks Junos Sp ...) NOT-FOR-US: Juniper CVE-2017-10611 (If extended statistics are enabled via 'set chassis extended-statistic ...) NOT-FOR-US: Juniper CVE-2017-10610 (On SRX Series devices, a crafted ICMP packet embedded within a NAT64 I ...) NOT-FOR-US: Juniper CVE-2017-10609 RESERVED CVE-2017-10608 (Any Juniper Networks SRX series device with one or more ALGs enabled m ...) NOT-FOR-US: Juniper CVE-2017-10607 (Juniper Networks Junos OS 16.1R1, and services releases based off of 1 ...) NOT-FOR-US: Juniper CVE-2017-10606 (Version 4.40 of the TPM (Trusted Platform Module) firmware on Juniper ...) NOT-FOR-US: Juniper CVE-2017-10605 (On all vSRX and SRX Series devices, when the DHCP or DHCP relay is con ...) NOT-FOR-US: Juniper CVE-2017-10604 (When the device is configured to perform account lockout with a define ...) NOT-FOR-US: Juniper CVE-2017-10603 (An XML injection vulnerability in Junos OS CLI can allow a locally aut ...) NOT-FOR-US: Juniper CVE-2017-10602 (A buffer overflow vulnerability in Junos OS CLI may allow a local auth ...) NOT-FOR-US: Juniper CVE-2017-10601 (A specific device configuration can result in a commit failure conditi ...) NOT-FOR-US: Juniper CVE-2017-10600 (ubuntu-image 1.0 before 2017-07-07, when invoked as non-root, creates ...) NOT-FOR-US: ubuntu-image CVE-2017-9996 (The cdxl_decode_frame function in libavcodec/cdxl.c in FFmpeg 2.8.x be ...) - ffmpeg 7:3.2.5-1 - libav (Vulnerable feature not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/1e42736b95065c69a7481d0cf55247024f54b660 NOTE: https://github.com/FFmpeg/FFmpeg/commit/e1b60aad77c27ed5d4dfc11e5e6a05a38c70489d NOTE: The bug affects FFmpeg's support for CHUNKY cdxl files, a feature that is NOTE: not present in Libav. Libav detects CHUNKY files and bails out early. CVE-2017-9995 (libavcodec/scpr.c in FFmpeg 3.3 before 3.3.1 does not properly validat ...) - ffmpeg (Vulnerable code not present) - libav (Vulnerable code not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/2171dfae8c065878a2e130390eb78cf2947a5b69 NOTE: https://github.com/FFmpeg/FFmpeg/commit/7ac5067146613997bb38442cb022d7f41321a706 CVE-2017-9994 (libavcodec/webp.c in FFmpeg before 2.8.12, 3.0.x before 3.0.8, 3.1.x b ...) {DLA-1630-1} - ffmpeg 7:3.2.5-1 - libav [wheezy] - libav (Vulnerable code not present, WebP decoder feature introduced in v10) NOTE: https://github.com/FFmpeg/FFmpeg/commit/6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef CVE-2017-9993 (FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6 ...) {DSA-3957-1 DLA-1630-1} - ffmpeg 7:3.2.6-1 - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021 NOTE: https://github.com/FFmpeg/FFmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb NOTE: Fixed in 3.2.6 NOTE: Jessie is only partially affected. Only the second commit is NOTE: relevant. HTTP Live Streaming filename extension code is not present. CVE-2017-9992 (Heap-based buffer overflow in the decode_dds1 function in libavcodec/d ...) {DSA-4012-1 DLA-1142-1} - ffmpeg 7:3.2.5-1 - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/f52fbf4f3ed02a7d872d8a102006f29b4421f360 NOTE: Fixed in 11.11 CVE-2017-9991 (Heap-based buffer overflow in the xwd_decode_frame function in libavco ...) - ffmpeg 7:3.2.5-1 - libav (Vulnerable feature not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/441026fcb13ac23aa10edc312bdacb6445a0ad06 NOTE: The error occurs in the support for 8bpp XWD images where bpp and image NOTE: depth are not checked thoroughly enough. Libav does not support 8bpp NOTE: images and bails out early -- Diego Biurrun (libav project) CVE-2017-9990 (Stack-based buffer overflow in the color_string_to_rgba function in li ...) - ffmpeg (Vulnerable code not present) - libav (Vulnerable code not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/cb243972b121b1ae6b60a78ff55a0506c69f3879 CVE-2017-9989 (util/outputtxt.c in libming 0.4.8 mishandles memory allocation. A craf ...) {DLA-1176-1} - ming NOTE: https://github.com/libming/libming/issues/86 CVE-2017-9988 (The readEncUInt30 function in util/read.c in libming 0.4.8 mishandles ...) {DLA-1176-1} - ming NOTE: https://github.com/libming/libming/issues/85 CVE-2017-9987 (There is a heap-based buffer overflow in the function hpel_motion in m ...) {DLA-1907-1} - libav NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1067 NOTE: Five different issues but only one POC instead of five attached. NOTE: Requires more information. CVE-2017-9986 (The intr function in sound/oss/msnd_pinnacle.c in the Linux kernel thr ...) - linux 4.15.4-1 (unimportant) NOTE: No security issue, only "exploitable" with malicious ISA cards CVE-2017-9985 (The snd_msndmidi_input_read function in sound/isa/msnd/msnd_midi.c in ...) - linux 4.13.4-1 (unimportant) [stretch] - linux 4.9.51-1 NOTE: No security issue, only "exploitable" with malicious ISA cards NOTE: Fixed by: https://git.kernel.org/linus/20e2b791796bd68816fa115f12be5320de2b8021 (v4.13-rc1) NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=196133 CVE-2017-9984 (The snd_msnd_interrupt function in sound/isa/msnd/msnd_pinnacle.c in t ...) - linux 4.13.4-1 (unimportant) [stretch] - linux 4.9.51-1 NOTE: No security issue, only "exploitable" with malicious ISA cards NOTE: Fixed by: https://git.kernel.org/linus/20e2b791796bd68816fa115f12be5320de2b8021 (v4.13-rc1) NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=196131 CVE-2017-9983 RESERVED CVE-2017-9982 (TeamSpeak Client 3.0.19 allows remote attackers to cause a denial of s ...) - teamspeak-client [wheezy] - teamspeak-client (non-free is not supported) CVE-2017-9981 RESERVED CVE-2017-9980 (In Green Packet DX-350 Firmware version v2.8.9.5-g1.4.8-atheeb, the "P ...) NOT-FOR-US: Green Packet CVE-2017-9979 (On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, if the RE ...) NOT-FOR-US: QuantaStor CVE-2017-9978 (On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, a flaw wa ...) NOT-FOR-US: QuantaStor CVE-2017-9977 (AVG AntiVirus for MacOS with scan engine before 4668 might allow remot ...) NOT-FOR-US: AVG CVE-2017-9976 RESERVED CVE-2017-9975 REJECTED CVE-2017-9974 REJECTED CVE-2017-9973 REJECTED CVE-2017-9972 REJECTED CVE-2017-9971 REJECTED CVE-2017-9970 (A remote code execution vulnerability exists in Schneider Electric's S ...) NOT-FOR-US: Schneider Electric CVE-2017-9969 (An information disclosure vulnerability exists in Schneider Electric's ...) NOT-FOR-US: Schneider Electric CVE-2017-9968 (A security misconfiguration vulnerability exists in Schneider Electric ...) NOT-FOR-US: Schneider Electric CVE-2017-9967 (A security misconfiguration vulnerability exists in Schneider Electric ...) NOT-FOR-US: Schneider Electric CVE-2017-9966 (A privilege escalation vulnerability exists in Schneider Electric's Pe ...) NOT-FOR-US: Schneider Electric CVE-2017-9965 (An exposure of sensitive information vulnerability exists in Schneider ...) NOT-FOR-US: Schneider Electric CVE-2017-9964 (A Path Traversal issue was discovered in Schneider Electric Pelco Vide ...) NOT-FOR-US: Schneider Electric CVE-2017-9963 (A cross-site request forgery vulnerability exists on the Secure Gatewa ...) NOT-FOR-US: Schneider Electric CVE-2017-9962 (Schneider Electric's ClearSCADA versions released prior to August 2017 ...) NOT-FOR-US: Schneider Electric CVE-2017-9961 (A vulnerability exists in Schneider Electric's Pro-Face GP Pro EX vers ...) NOT-FOR-US: Schneider Electric CVE-2017-9960 (An information disclosure vulnerability exists in Schneider Electric's ...) NOT-FOR-US: Schneider Electric CVE-2017-9959 (A vulnerability exists in Schneider Electric's U.motion Builder softwa ...) NOT-FOR-US: Schneider Electric CVE-2017-9958 (An improper access control vulnerability exists in Schneider Electric' ...) NOT-FOR-US: Schneider Electric CVE-2017-9957 (A vulnerability exists in Schneider Electric's U.motion Builder softwa ...) NOT-FOR-US: Schneider Electric CVE-2017-9956 (An authentication bypass vulnerability exists in Schneider Electric's ...) NOT-FOR-US: Schneider Electric CVE-2017-9955 (The get_build_id function in opncls.c in the Binary File Descriptor (B ...) - binutils 2.29-1 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21665 CVE-2017-9954 (The getvalue function in tekhex.c in the Binary File Descriptor (BFD) ...) - binutils 2.29-1 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21670 CVE-2017-9953 (There is an invalid free in Image::printIFDStructure that leads to a S ...) - exiv2 (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1465061 NOTE: Possibly introduced after https://github.com/Exiv2/exiv2/commit/fd5e983746c336336039e91cb6b656cf8eeccdea NOTE: which introduces printIFDStructure function and later restructurated NOTE: again. Around that commit upstream source though does not build. CVE-2017-9952 RESERVED CVE-2017-9951 (The try_read_command function in memcached.c in memcached before 1.4.3 ...) {DSA-4218-1 DLA-1033-1} - memcached 1.5.0-1 (bug #868701) NOTE: https://www.twistlock.com/2017/07/13/cve-2017-9951-heap-overflow-memcached-server-1-4-38-twistlock-vulnerability-report/ NOTE: https://github.com/memcached/memcached/commit/328629445c71e6c17074f6e9e0e3ef585b58f167 CVE-2017-9950 RESERVED CVE-2017-9949 (The grub_memmove function in shlr/grub/kern/misc.c in radare2 1.5.0 al ...) - radare2 1.6.0+dfsg-1 (bug #866068) [jessie] - radare2 (Minor issue) [wheezy] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/issues/7683 NOTE: https://github.com/radare/radare2/commit/796dd28aaa6b9fa76d99c42c4d5ff8b257cc2191 CVE-2017-9948 (A stack buffer overflow vulnerability has been discovered in Microsoft ...) NOT-FOR-US: Microsoft Skype CVE-2017-9947 (A vulnerability has been identified in Siemens APOGEE PXC and TALON TC ...) NOT-FOR-US: Siemens CVE-2017-9946 (A vulnerability has been identified in Siemens APOGEE PXC and TALON TC ...) NOT-FOR-US: Siemens CVE-2017-9945 (In the Siemens 7KM PAC Switched Ethernet PROFINET expansion module (Al ...) NOT-FOR-US: Siemens CVE-2017-9944 (A vulnerability has been identified in Siemens 7KT PAC1200 data manage ...) NOT-FOR-US: Siemens CVE-2017-9943 RESERVED CVE-2017-9942 (A vulnerability was discovered in Siemens SiPass integrated (All versi ...) NOT-FOR-US: Siemens CVE-2017-9941 (A vulnerability was discovered in Siemens SiPass integrated (All versi ...) NOT-FOR-US: Siemens CVE-2017-9940 (A vulnerability was discovered in Siemens SiPass integrated (All versi ...) NOT-FOR-US: Siemens CVE-2017-9939 (A vulnerability was discovered in Siemens SiPass integrated (All versi ...) NOT-FOR-US: Siemens CVE-2017-9938 (A vulnerability was discovered in Siemens SIMATIC Logon (All versions ...) NOT-FOR-US: Siemens CVE-2017-9937 (In LibTIFF 4.0.8, there is a memory malloc failure in tif_jbig.c. A cr ...) - jbigkit (unimportant; bug #869708) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2707 NOTE: The CVE was assigned for src:tiff by MITRE, but the issue actually lies NOTE: in jbigkit itself. CVE-2017-9936 (In LibTIFF 4.0.8, there is a memory leak in tif_jbig.c. A crafted TIFF ...) {DSA-3903-1 DLA-1023-1 DLA-1022-1} - tiff 4.0.8-3 (bug #866113) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2706 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a CVE-2017-9935 (In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_wri ...) {DSA-4100-1 DLA-1206-1} - tiff 4.0.9-2 (bug #866109) - tiff3 [wheezy] - tiff3 (does not build vulnerable tiff2pdf) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2704 NOTE: https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940 CVE-2017-9934 (Missing CSRF token checks and improper input validation in Joomla! CMS ...) NOT-FOR-US: Joomla! CVE-2017-9933 (Improper cache invalidation in Joomla! CMS 1.7.3 through 3.7.2 leads t ...) NOT-FOR-US: Joomla! CVE-2017-9932 (Green Packet DX-350 Firmware version v2.8.9.5-g1.4.8-atheeb has a defa ...) NOT-FOR-US: Green Packet CVE-2017-9931 (Cross-Site Scripting (XSS) exists in Green Packet DX-350 Firmware vers ...) NOT-FOR-US: Green Packet CVE-2017-9930 (Cross-Site Request Forgery (CSRF) exists in Green Packet DX-350 Firmwa ...) NOT-FOR-US: Green Packet CVE-2017-9929 (In lrzip 0.631, a stack buffer overflow was found in the function get_ ...) - lrzip 0.631+git180517-1 (bug #866020) [stretch] - lrzip (Minor issue) [jessie] - lrzip (Minor issue) [wheezy] - lrzip (Minor issue) NOTE: https://github.com/ckolivas/lrzip/issues/75 CVE-2017-9928 (In lrzip 0.631, a stack buffer overflow was found in the function get_ ...) - lrzip 0.631+git180517-1 (bug #866022) [stretch] - lrzip (Minor issue) [jessie] - lrzip (Minor issue) [wheezy] - lrzip (Minor issue) NOTE: https://github.com/ckolivas/lrzip/issues/74 CVE-2017-9927 (In SWFTools 2013-04-09-1007 on Windows, png2swf allows remote attacker ...) - swftools (unimportant) NOTE: No actionable information, just a crash report against a four year old release NOTE: https://github.com/matthiaskramm/swftools/issues/41 CVE-2017-9926 (In SWFTools 2013-04-09-1007 on Windows, png2swf allows remote attacker ...) - swftools (unimportant) NOTE: No actionable information, just a crash report against a four year old release NOTE: https://github.com/matthiaskramm/swftools/issues/41 CVE-2017-9925 (In SWFTools 2013-04-09-1007 on Windows, png2swf allows remote attacker ...) - swftools (unimportant) NOTE: No actionable information, just a crash report against a four year old release NOTE: https://github.com/matthiaskramm/swftools/issues/41 CVE-2017-9924 (In SWFTools 2013-04-09-1007 on Windows, png2swf allows remote attacker ...) - swftools (unimportant) NOTE: No actionable information, just a crash report against a four year old release NOTE: https://github.com/matthiaskramm/swftools/issues/41 CVE-2017-9923 (IrfanView version 4.44 (32bit) with TOOLS Plugin 4.50 might allow atta ...) NOT-FOR-US: IrfanView CVE-2017-9922 (IrfanView version 4.44 (32bit) with TOOLS Plugin 4.50 might allow atta ...) NOT-FOR-US: IrfanView CVE-2017-9921 (IrfanView version 4.44 (32bit) with TOOLS Plugin 4.50 might allow atta ...) NOT-FOR-US: IrfanView CVE-2017-9920 (IrfanView version 4.44 (32bit) with TOOLS Plugin 4.50 might allow atta ...) NOT-FOR-US: IrfanView CVE-2017-9919 (IrfanView version 4.44 (32bit) with TOOLS Plugin 4.50 might allow atta ...) NOT-FOR-US: IrfanView CVE-2017-9918 (IrfanView version 4.44 (32bit) with TOOLS Plugin 4.50 might allow atta ...) NOT-FOR-US: IrfanView CVE-2017-9917 (IrfanView version 4.44 (32bit) with TOOLS Plugin 4.50 might allow atta ...) NOT-FOR-US: IrfanView CVE-2017-9916 (IrfanView version 4.44 (32bit) with TOOLS Plugin 4.50 might allow atta ...) NOT-FOR-US: IrfanView CVE-2017-9915 (IrfanView version 4.44 (32bit) with TOOLS plugin 4.50 allows attackers ...) NOT-FOR-US: IrfanView CVE-2017-9914 (XnView Classic for Windows Version 2.40 allows remote attackers to exe ...) NOT-FOR-US: XnView CVE-2017-9913 (XnView Classic for Windows Version 2.40 allows remote attackers to cau ...) NOT-FOR-US: XnView CVE-2017-9912 (XnView Classic for Windows Version 2.40 allows remote attackers to cau ...) NOT-FOR-US: XnView CVE-2017-9911 (XnView Classic for Windows Version 2.40 allows remote attackers to cau ...) NOT-FOR-US: XnView CVE-2017-9910 (XnView Classic for Windows Version 2.40 allows remote attackers to cau ...) NOT-FOR-US: XnView CVE-2017-9909 (XnView Classic for Windows Version 2.40 allows remote attackers to cau ...) NOT-FOR-US: XnView CVE-2017-9908 (XnView Classic for Windows Version 2.40 allows remote attackers to cau ...) NOT-FOR-US: XnView CVE-2017-9907 (XnView Classic for Windows Version 2.40 allows remote attackers to cau ...) NOT-FOR-US: XnView CVE-2017-9906 (XnView Classic for Windows Version 2.40 allows remote attackers to cau ...) NOT-FOR-US: XnView CVE-2017-9905 (XnView Classic for Windows Version 2.40 allows remote attackers to cau ...) NOT-FOR-US: XnView CVE-2017-9904 (XnView Classic for Windows Version 2.40 allows remote attackers to cau ...) NOT-FOR-US: XnView CVE-2017-9903 (XnView Classic for Windows Version 2.40 allows remote attackers to exe ...) NOT-FOR-US: XnView CVE-2017-9902 (XnView Classic for Windows Version 2.40 allows remote attackers to exe ...) NOT-FOR-US: XnView CVE-2017-9901 (XnView Classic for Windows Version 2.40 allows remote attackers to exe ...) NOT-FOR-US: XnView CVE-2017-9900 (XnView Classic for Windows Version 2.40 allows remote attackers to exe ...) NOT-FOR-US: XnView CVE-2017-9899 (XnView Classic for Windows Version 2.40 allows remote attackers to exe ...) NOT-FOR-US: XnView CVE-2017-9898 (XnView Classic for Windows Version 2.40 allows remote attackers to exe ...) NOT-FOR-US: XnView CVE-2017-9897 (XnView Classic for Windows Version 2.40 allows remote attackers to exe ...) NOT-FOR-US: XnView CVE-2017-9896 (XnView Classic for Windows Version 2.40 allows remote attackers to exe ...) NOT-FOR-US: XnView CVE-2017-9895 (XnView Classic for Windows Version 2.40 allows remote attackers to exe ...) NOT-FOR-US: XnView CVE-2017-9894 (XnView Classic for Windows Version 2.40 allows remote attackers to exe ...) NOT-FOR-US: XnView CVE-2017-9893 (XnView Classic for Windows Version 2.40 allows remote attackers to exe ...) NOT-FOR-US: XnView CVE-2017-9892 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9891 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9890 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9889 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9888 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9887 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9886 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9885 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9884 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9883 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9882 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9881 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9880 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9879 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9878 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9877 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9876 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9875 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9874 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9873 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9872 (The III_dequantize_sample function in layer3.c in mpglib, as used in l ...) - lame 3.99.5+repack1-8 (bug #867725) [jessie] - lame 3.99.5+repack1-7+deb8u2 NOTE: https://blogs.gentoo.org/ago/2017/06/17/lame-stack-based-buffer-overflow-in-iii_dequantize_sample-layer3-c/ NOTE: https://sourceforge.net/p/lame/bugs/482/ NOTE: Starting with 3.99.5+repack1-8 libsndfile is used to read the input file, marking that as the fixed NOTE: version, although the internal lame code was only fixed in 3.100 (strictly speaking that would be NOTE: severity:unimportant for stretch onwards, but we don't have suite-specific severity annotations CVE-2017-9871 (The III_i_stereo function in layer3.c in mpglib, as used in libmpgdeco ...) - lame 3.99.5+repack1-8 (bug #867725) [jessie] - lame 3.99.5+repack1-7+deb8u2 NOTE: https://blogs.gentoo.org/ago/2017/06/17/lame-stack-based-buffer-overflow-in-iii_i_stereo-layer3-c/ NOTE: https://sourceforge.net/p/lame/bugs/483/ NOTE: Starting with 3.99.5+repack1-8 libsndfile is used to read the input file, marking that as the fixed NOTE: version, although the internal lame code was only fixed in 3.100 (strictly speaking that would be NOTE: severity:unimportant for stretch onwards, but we don't have suite-specific severity annotations CVE-2017-9870 (The III_i_stereo function in layer3.c in mpglib, as used in libmpgdeco ...) - lame 3.99.5+repack1-8 (bug #867725) [jessie] - lame 3.99.5+repack1-7+deb8u2 NOTE: https://blogs.gentoo.org/ago/2017/06/17/lame-global-buffer-overflow-in-iii_i_stereo-layer3-c/ NOTE: https://sourceforge.net/p/lame/bugs/481/ NOTE: Starting with 3.99.5+repack1-8 libsndfile is used to read the input file, marking that as the fixed NOTE: version, although the internal lame code was only fixed in 3.100 (strictly speaking that would be NOTE: severity:unimportant for stretch onwards, but we don't have suite-specific severity annotations CVE-2017-9869 (The II_step_one function in layer2.c in mpglib, as used in libmpgdecod ...) - lame 3.99.5+repack1-8 (bug #867725) [jessie] - lame 3.99.5+repack1-7+deb8u2 NOTE: https://blogs.gentoo.org/ago/2017/06/17/lame-global-buffer-overflow-in-ii_step_one-layer2-c/ NOTE: https://sourceforge.net/p/lame/bugs/475/ NOTE: Starting with 3.99.5+repack1-8 libsndfile is used to read the input file, marking that as the fixed NOTE: version, although the internal lame code was only fixed in 3.100 (strictly speaking that would be NOTE: severity:unimportant for stretch onwards, but we don't have suite-specific severity annotations CVE-2017-9868 (In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) i ...) {DLA-1525-1 DLA-1146-1} - mosquitto 1.4.14-1 (bug #865959) [stretch] - mosquitto 1.4.10-3+deb9u1 NOTE: https://github.com/eclipse/mosquitto/issues/468 NOTE: https://github.com/eclipse/mosquitto/commit/09cb1b61c8f48284d9c42bd911faa7525cc689c7 CVE-2017-9867 RESERVED CVE-2017-9866 RESERVED CVE-2017-9865 (The function GfxImageColorMap::getGray in GfxState.cc in Poppler 0.54. ...) {DSA-4079-1 DLA-1074-1} - poppler 0.57.0-2 (bug #867477) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=100774 NOTE: http://somevulnsofadlab.blogspot.com/2017/06/popplerstack-buffer-overflow-in.html NOTE: Fixed by: https://cgit.freedesktop.org/poppler/poppler/commit/?id=75fff6556eaf0ef3a6fcdef2c2229d0b6d1c58d9 CVE-2017-9864 (** DISPUTED ** An issue was discovered in SMA Solar Technology product ...) NOT-FOR-US: SMA Solar Technology products CVE-2017-9863 (** DISPUTED ** An issue was discovered in SMA Solar Technology product ...) NOT-FOR-US: SMA Solar Technology products CVE-2017-9862 (** DISPUTED ** An issue was discovered in SMA Solar Technology product ...) NOT-FOR-US: SMA Solar Technology products CVE-2017-9861 (** DISPUTED ** An issue was discovered in SMA Solar Technology product ...) NOT-FOR-US: SMA Solar Technology products CVE-2017-9860 (** DISPUTED ** An issue was discovered in SMA Solar Technology product ...) NOT-FOR-US: SMA Solar Technology products CVE-2017-9859 (** DISPUTED ** An issue was discovered in SMA Solar Technology product ...) NOT-FOR-US: SMA Solar Technology products CVE-2017-9858 (** DISPUTED ** An issue was discovered in SMA Solar Technology product ...) NOT-FOR-US: SMA Solar Technology products CVE-2017-9857 (** DISPUTED ** An issue was discovered in SMA Solar Technology product ...) NOT-FOR-US: SMA Solar Technology products CVE-2017-9856 (** DISPUTED ** An issue was discovered in SMA Solar Technology product ...) NOT-FOR-US: SMA Solar Technology products CVE-2017-9855 (** DISPUTED ** An issue was discovered in SMA Solar Technology product ...) NOT-FOR-US: SMA Solar Technology products CVE-2017-9854 (** DISPUTED ** An issue was discovered in SMA Solar Technology product ...) NOT-FOR-US: SMA Solar Technology products CVE-2017-9853 (** DISPUTED ** An issue was discovered in SMA Solar Technology product ...) NOT-FOR-US: SMA Solar Technology products CVE-2017-9852 (** DISPUTED ** An Incorrect Password Management issue was discovered i ...) NOT-FOR-US: SMA Solar Technology products CVE-2017-9851 (** DISPUTED ** An issue was discovered in SMA Solar Technology product ...) NOT-FOR-US: SMA Solar Technology products CVE-2017-9850 RESERVED CVE-2017-9849 RESERVED CVE-2017-9848 (SQL injection vulnerability in C_InfoService.asmx in WebServices in Ea ...) NOT-FOR-US: Easysite CVE-2017-9847 (The bdecode function in bdecode.cpp in libtorrent 1.1.3 allows remote ...) - libtorrent-rasterbar 1.1.4-1 (bug #865845) [stretch] - libtorrent-rasterbar (Minor issue) [jessie] - libtorrent-rasterbar (Minor issue) [wheezy] - libtorrent-rasterbar (new bdecode introduced in 1.1.0; vulnerable code not present) NOTE: https://github.com/arvidn/libtorrent/issues/2099 NOTE: Fixed by: https://github.com/arvidn/libtorrent/commit/ec30a5e9ec703afb8abefba757c6d401303b53db NOTE: Pre-1.1.0 versions possibly similarly affected in lazy_bdecode.cpp CVE-2017-9846 (Winmail Server 6.1 allows remote code execution by authenticated users ...) NOT-FOR-US: Winmail Server CVE-2017-9845 (disp+work 7400.12.21.30308 in SAP NetWeaver 7.40 allows remote attacke ...) NOT-FOR-US: SAP CVE-2017-9844 (SAP NetWeaver 7400.12.21.30308 allows remote attackers to cause a deni ...) NOT-FOR-US: SAP CVE-2017-9843 (SAP NetWeaver AS ABAP 7.40 allows remote authenticated users with cert ...) NOT-FOR-US: SAP CVE-2017-9842 RESERVED CVE-2017-9841 (Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 ...) - phpunit 5.4.6-2 (bug #866200) [stretch] - phpunit 5.4.6-2~deb9u1 [jessie] - phpunit (Issue introduced later; vulnerable code not present) [wheezy] - phpunit (Issue introduced later; vulnerable code not present) NOTE: https://github.com/sebastianbergmann/phpunit/pull/1956 NOTE: https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5 NOTE: http://phpunit.vulnbusters.com/ CVE-2017-9840 (Dolibarr ERP/CRM 5.0.3 and prior allows low-privilege users to upload ...) - dolibarr (bug #867495) CVE-2017-9839 (Dolibarr ERP/CRM is affected by SQL injection in versions before 5.0.4 ...) - dolibarr CVE-2017-9838 (Dolibarr ERP/CRM is affected by multiple reflected Cross-Site Scriptin ...) - dolibarr CVE-2017-9837 REJECTED CVE-2017-9836 (Cross-site scripting (XSS) vulnerability in Piwigo 2.9.1 allows remote ...) - piwigo CVE-2017-9835 (The gs_alloc_ref_array function in psi/ialloc.c in Artifex Ghostscript ...) {DSA-3986-1 DLA-1048-1} [experimental] - ghostscript 9.22~~rc1~dfsg-1 - ghostscript 9.22~dfsg-1 (bug #869907) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697985 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=cfde94be1d4286bc47633c6e6eaf4e659bd78066 (ghostpdl-9.22rc1) CVE-2017-9834 (SQL injection vulnerability in the WatuPRO plugin before 5.5.3.7 for W ...) NOT-FOR-US: WatuPRO plugin for WordPress CVE-2017-9833 (/cgi-bin/wapopen in BOA Webserver 0.94.14rc21 allows the injection of ...) NOT-FOR-US: Undetermined product NOTE: /wapopen is not part of BOA, it's probably an insecure CGI NOTE: script used in some embedded product relying on BOA as webserver. NOTE: I asked Mitre to reject the CVE. -- Raphael Hertzog CVE-2017-9832 (An integer overflow vulnerability in ptp-pack.c (ptp_unpack_OPL functi ...) {DLA-2169-1 DLA-1029-1} - libmtp 1.1.13-1 NOTE: https://sourceforge.net/p/libmtp/mailman/message/35729062/ NOTE: https://sourceforge.net/p/libmtp/code/ci/aa7d91a789873a9d86969028e57f888a1241c085/ NOTE: reduced patchset: https://lists.debian.org/87lgnzvjvb.fsf@curie.anarc.at CVE-2017-9831 (An integer overflow vulnerability in the ptp_unpack_EOS_CustomFuncEx f ...) {DLA-2169-1 DLA-1029-1} - libmtp 1.1.13-1 NOTE: https://sourceforge.net/p/libmtp/mailman/message/35735992/ NOTE: https://sourceforge.net/p/libmtp/code/ci/aa7d91a789873a9d86969028e57f888a1241c085/ NOTE: reduced patchset: https://lists.debian.org/87lgnzvjvb.fsf@curie.anarc.at CVE-2017-9830 (Remote Code Execution is possible in Code42 CrashPlan 5.4.x via the or ...) NOT-FOR-US: Code42 CVE-2017-9829 ('/cgi-bin/admin/downloadMedias.cgi' of the web service in most of the ...) NOT-FOR-US: VIVOTEK Network Cameras CVE-2017-9828 ('/cgi-bin/admin/testserver.cgi' of the web service in most of the VIVO ...) NOT-FOR-US: VIVOTEK Network Cameras CVE-2017-9827 RESERVED CVE-2017-9826 RESERVED CVE-2017-11104 (Knot DNS before 2.4.5 and 2.5.x before 2.5.2 contains a flaw within th ...) {DSA-3910-1} - knot 2.5.3-1 (bug #865678) NOTE: https://lists.nic.cz/pipermail/knot-dns-users/2017-June/001144.html NOTE: http://www.synacktiv.ninja/ressources/Knot_DNS_TSIG_Signature_Forgery.pdf CVE-2017-9825 RESERVED CVE-2017-9824 RESERVED CVE-2017-9823 RESERVED CVE-2017-9822 (DNN (aka DotNetNuke) before 9.1.1 has Remote Code Execution via a cook ...) NOT-FOR-US: DotNetNuke CVE-2017-9821 (The National Payments Corporation of India BHIM application 1.3 for An ...) NOT-FOR-US: India BHIM CVE-2017-9820 (The National Payments Corporation of India BHIM application 1.3 for An ...) NOT-FOR-US: India BHIM CVE-2017-9819 (The National Payments Corporation of India BHIM application 1.3 for An ...) NOT-FOR-US: India BHIM CVE-2017-9818 (The National Payments Corporation of India BHIM application 1.3 for An ...) NOT-FOR-US: India BHIM CVE-2017-9817 RESERVED CVE-2017-9816 (Cross-site scripting (XSS) vulnerability in Paessler PRTG Network Moni ...) NOT-FOR-US: Paessler PRTG Network Monitor CVE-2017-9815 (In LibTIFF 4.0.7, the TIFFReadDirEntryLong8Array function in libtiff/t ...) - tiff 4.0.8-1 [jessie] - tiff 4.0.3-12.3+deb8u4 [wheezy] - tiff 4.0.2-6+deb7u14 - tiff3 [wheezy] - tiff3 3.9.6-11+deb7u6 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2682 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/fb3dc46a2fcf6197ff3b93fc76f0c37fddc0333b NOTE: The issue is addressed with the same commit as for CVE-2017-9403 CVE-2017-9814 (cairo-truetype-subset.c in cairo 1.15.6 and earlier allows remote atta ...) - cairo (low; bug #868580) [buster] - cairo (Minor issue) [stretch] - cairo (Minor issue) [jessie] - cairo (Minor issue) [wheezy] - cairo (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=101547 NOTE: https://gitlab.freedesktop.org/cairo/cairo/issues/264 CVE-2017-9813 (In Kaspersky Anti-Virus for Linux File Server before Maintenance Pack ...) NOT-FOR-US: Kaspersky Anti-Virus CVE-2017-9812 (The reportId parameter of the getReportStatus action method can be abu ...) NOT-FOR-US: Kaspersky Anti-Virus CVE-2017-9811 (The kluser is able to interact with the kav4fs-control binary in Kaspe ...) NOT-FOR-US: Kaspersky Anti-Virus CVE-2017-9810 (There are no Anti-CSRF tokens in any forms on the web interface in Kas ...) NOT-FOR-US: Kaspersky Anti-Virus CVE-2017-9809 (OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Inform ...) NOT-FOR-US: OX Software GmbH OX App Suite CVE-2017-9808 (OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Cross ...) NOT-FOR-US: OX Software GmbH OX App Suite CVE-2015-9098 (In Redgate SQL Monitor before 3.10 and 4.x before 4.2, a remote attack ...) NOT-FOR-US: Redgate SQL Monitor CVE-2017-9807 (An issue was discovered in the OpenWebif plugin through 1.2.4 for E2 o ...) NOT-FOR-US: OpenWebif plugin for E2 CVE-2017-9806 (A vulnerability in the OpenOffice Writer DOC file parser before 4.1.4, ...) - libreoffice 1:3.4.3-1 NOTE: https://www.talosintelligence.com/reports/TALOS-2017-0295 NOTE: https://www.libreoffice.org/about-us/security/advisories/CVE-2017-9806 NOTE: https://gerrit.libreoffice.org/gitweb?p=core.git;a=commitdiff_plain;h=bb494d6bd8c5868f34bd8f9444ed3eb401145f10 CVE-2017-9805 (The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and ...) - libstruts1.2-java [wheezy] - libstruts1.2-java (vulnerable code not present) NOTE: https://struts.apache.org/docs/s2-052.html CVE-2017-9804 (In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an ap ...) - libstruts1.2-java [wheezy] - libstruts1.2-java (Minor issue) NOTE: DOS class vulnerability and classified as low by upstream. NOTE: https://struts.apache.org/docs/s2-050.html CVE-2017-9803 (Apache Solr's Kerberos plugin can be configured to use delegation toke ...) - lucene-solr (Introduced in 6.2) CVE-2017-9802 (The Javascript method Sling.evalString() in Apache Sling Servlets Post ...) NOT-FOR-US: Apache Sling CVE-2017-9801 (When a call-site passes a subject for an email that contains line-brea ...) - commons-email (Fixed with first upload to Debian) NOTE: https://commons.apache.org/proper/commons-email/security-reports.html NOTE: Fixed by: https://svn.apache.org/viewvc?view=revision&revision=1801385 NOTE: Fixed by: https://svn.apache.org/viewvc?view=revision&revision=1801388 NOTE: Fixed by: https://svn.apache.org/viewvc?view=revision&revision=1801389 CVE-2017-9800 (A maliciously constructed svn+ssh:// URL would cause Subversion client ...) {DSA-3932-1 DLA-1052-1} - subversion 1.9.7-1 NOTE: Fixed by: http://svn.apache.org/viewvc?view=revision&sortby=rev&revision=1804691 NOTE: http://subversion.apache.org/security/CVE-2017-9800-advisory.txt CVE-2017-9799 (It was found that under some situations and configurations of Apache S ...) NOT-FOR-US: Apache Storm CVE-2017-9798 (Apache httpd allows remote attackers to read secret data from process ...) {DSA-3980-1 DLA-1102-1} - apache2 2.4.27-6 (bug #876109) NOTE: https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html NOTE: https://github.com/hannob/optionsbleed NOTE: Patch: https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch NOTE: Patch backport for 2.2: https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patch CVE-2017-9797 (When an Apache Geode cluster before v1.2.1 is operating in secure mode ...) NOT-FOR-US: Apache Geode CVE-2017-9796 (When an Apache Geode cluster before v1.3.0 is operating in secure mode ...) NOT-FOR-US: Apache Geode CVE-2017-9795 (When an Apache Geode cluster before v1.3.0 is operating in secure mode ...) NOT-FOR-US: Apache Geode CVE-2017-9794 (When a cluster is operating in secure mode, a user with read privilege ...) NOT-FOR-US: Apache Geode CVE-2017-9793 (The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 t ...) - libstruts1.2-java [wheezy] - libstruts1.2-java (vulnerable code not present) NOTE: https://struts.apache.org/docs/s2-051.html CVE-2017-9792 (In Apache Impala (incubating) before 2.10.0, a malicious user with "AL ...) NOT-FOR-US: Apache Impala CVE-2017-9791 (The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remot ...) - libstruts1.2-java (Vulnerable code not present) NOTE: Issue is specific to Struts 2.x. CVE-2017-9790 (When handling a libprocess message wrapped in an HTTP request, libproc ...) - apache-mesos (bug #760315) CVE-2017-9789 (When under stress, closing many connections, the HTTP/2 handling code ...) - apache2 (Only affected 2.4.26) NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#2.4.27 CVE-2017-9788 (In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value place ...) {DSA-3913-1 DLA-1028-1} - apache2 2.4.27-1 (bug #868467) NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#2.4.27 NOTE: Fixed by (2.4.x): https://svn.apache.org/r1800955 NOTE: 2.4.x: https://github.com/apache/httpd/commit/549ba6a39aa0df78a610025f74f3a06503a70f67 NOTE: trunk: https://github.com/apache/httpd/commit/c5d3719133b9e5dab0d540c5aa03b2fdabc30395 CVE-2017-9787 (When using a Spring AOP functionality to secure Struts actions it is p ...) - libstruts1.2-java (Vulnerable code not present) NOTE: Issue is specific to Struts 2.x. NOTE: https://struts.apache.org/docs/s2-049.html CVE-2017-9786 (Cross-site scripting (XSS) vulnerability in ProjectSend (formerly cFTP ...) NOT-FOR-US: ProjectSend CVE-2017-9785 (Csrf.cs in NancyFX Nancy before 1.4.4 and 2.x before 2.0-dangermouse h ...) NOT-FOR-US: NancyFX Nancy CVE-2017-9784 RESERVED CVE-2017-9783 (Cross-site scripting (XSS) vulnerability in ProjectSend (formerly cFTP ...) NOT-FOR-US: ProjectSend CVE-2017-10599 RESERVED CVE-2017-10598 RESERVED CVE-2017-10597 RESERVED CVE-2017-10596 RESERVED CVE-2017-10595 RESERVED CVE-2017-10594 RESERVED CVE-2017-10593 RESERVED CVE-2017-10592 RESERVED CVE-2017-10591 RESERVED CVE-2017-10590 RESERVED CVE-2017-10589 RESERVED CVE-2017-10588 RESERVED CVE-2017-10587 RESERVED CVE-2017-10586 RESERVED CVE-2017-10585 RESERVED CVE-2017-10584 RESERVED CVE-2017-10583 RESERVED CVE-2017-10582 RESERVED CVE-2017-10581 RESERVED CVE-2017-10580 RESERVED CVE-2017-10579 RESERVED CVE-2017-10578 RESERVED CVE-2017-10577 RESERVED CVE-2017-10576 RESERVED CVE-2017-10575 RESERVED CVE-2017-10574 RESERVED CVE-2017-10573 RESERVED CVE-2017-10572 RESERVED CVE-2017-10571 RESERVED CVE-2017-10570 RESERVED CVE-2017-10569 RESERVED CVE-2017-10568 RESERVED CVE-2017-10567 RESERVED CVE-2017-10566 RESERVED CVE-2017-10565 RESERVED CVE-2017-10564 RESERVED CVE-2017-10563 RESERVED CVE-2017-10562 RESERVED CVE-2017-10561 RESERVED CVE-2017-10560 RESERVED CVE-2017-10559 RESERVED CVE-2017-10558 RESERVED CVE-2017-10557 RESERVED CVE-2017-10556 RESERVED CVE-2017-10555 RESERVED CVE-2017-10554 RESERVED CVE-2017-10553 RESERVED CVE-2017-10552 RESERVED CVE-2017-10551 RESERVED CVE-2017-10550 RESERVED CVE-2017-10549 RESERVED CVE-2017-10548 RESERVED CVE-2017-10547 RESERVED CVE-2017-10546 RESERVED CVE-2017-10545 RESERVED CVE-2017-10544 RESERVED CVE-2017-10543 RESERVED CVE-2017-10542 RESERVED CVE-2017-10541 RESERVED CVE-2017-10540 RESERVED CVE-2017-10539 RESERVED CVE-2017-10538 RESERVED CVE-2017-10537 RESERVED CVE-2017-10536 RESERVED CVE-2017-10535 RESERVED CVE-2017-10534 RESERVED CVE-2017-10533 RESERVED CVE-2017-10532 RESERVED CVE-2017-10531 RESERVED CVE-2017-10530 RESERVED CVE-2017-10529 RESERVED CVE-2017-10528 RESERVED CVE-2017-10527 RESERVED CVE-2017-10526 RESERVED CVE-2017-10525 RESERVED CVE-2017-10524 RESERVED CVE-2017-10523 RESERVED CVE-2017-10522 RESERVED CVE-2017-10521 RESERVED CVE-2017-10520 RESERVED CVE-2017-10519 RESERVED CVE-2017-10518 RESERVED CVE-2017-10517 RESERVED CVE-2017-10516 RESERVED CVE-2017-10515 RESERVED CVE-2017-10514 RESERVED CVE-2017-10513 RESERVED CVE-2017-10512 RESERVED CVE-2017-10511 RESERVED CVE-2017-10510 RESERVED CVE-2017-10509 RESERVED CVE-2017-10508 RESERVED CVE-2017-10507 RESERVED CVE-2017-10506 RESERVED CVE-2017-10505 RESERVED CVE-2017-10504 RESERVED CVE-2017-10503 RESERVED CVE-2017-10502 RESERVED CVE-2017-10501 RESERVED CVE-2017-10500 RESERVED CVE-2017-10499 RESERVED CVE-2017-10498 RESERVED CVE-2017-10497 RESERVED CVE-2017-10496 RESERVED CVE-2017-10495 RESERVED CVE-2017-10494 RESERVED CVE-2017-10493 RESERVED CVE-2017-10492 RESERVED CVE-2017-10491 RESERVED CVE-2017-10490 RESERVED CVE-2017-10489 RESERVED CVE-2017-10488 RESERVED CVE-2017-10487 RESERVED CVE-2017-10486 RESERVED CVE-2017-10485 RESERVED CVE-2017-10484 RESERVED CVE-2017-10483 RESERVED CVE-2017-10482 RESERVED CVE-2017-10481 RESERVED CVE-2017-10480 RESERVED CVE-2017-10479 RESERVED CVE-2017-10478 RESERVED CVE-2017-10477 RESERVED CVE-2017-10476 RESERVED CVE-2017-10475 RESERVED CVE-2017-10474 RESERVED CVE-2017-10473 RESERVED CVE-2017-10472 RESERVED CVE-2017-10471 RESERVED CVE-2017-10470 RESERVED CVE-2017-10469 RESERVED CVE-2017-10468 RESERVED CVE-2017-10467 RESERVED CVE-2017-10466 RESERVED CVE-2017-10465 RESERVED CVE-2017-10464 RESERVED CVE-2017-10463 RESERVED CVE-2017-10462 RESERVED CVE-2017-10461 RESERVED CVE-2017-10460 RESERVED CVE-2017-10459 RESERVED CVE-2017-10458 RESERVED CVE-2017-10457 RESERVED CVE-2017-10456 RESERVED CVE-2017-10455 RESERVED CVE-2017-10454 RESERVED CVE-2017-10453 RESERVED CVE-2017-10452 RESERVED CVE-2017-10451 RESERVED CVE-2017-10450 RESERVED CVE-2017-10449 RESERVED CVE-2017-10448 RESERVED CVE-2017-10447 RESERVED CVE-2017-10446 RESERVED CVE-2017-10445 RESERVED CVE-2017-10444 RESERVED CVE-2017-10443 RESERVED CVE-2017-10442 RESERVED CVE-2017-10441 RESERVED CVE-2017-10440 RESERVED CVE-2017-10439 RESERVED CVE-2017-10438 RESERVED CVE-2017-10437 RESERVED CVE-2017-10436 RESERVED CVE-2017-10435 RESERVED CVE-2017-10434 RESERVED CVE-2017-10433 RESERVED CVE-2017-10432 RESERVED CVE-2017-10431 RESERVED CVE-2017-10430 RESERVED CVE-2017-10429 RESERVED CVE-2017-10428 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.30-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10427 (Vulnerability in the Oracle Retail Xstore Point of Service component o ...) NOT-FOR-US: Oracle CVE-2017-10426 (Vulnerability in the PeopleSoft Enterprise FSCM component of Oracle Pe ...) NOT-FOR-US: Oracle CVE-2017-10425 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...) NOT-FOR-US: Oracle CVE-2017-10424 (Vulnerability in the MySQL Enterprise Monitor component of Oracle MySQ ...) NOT-FOR-US: MySQL Enterprise Monitor component of Oracle MySQL CVE-2017-10423 (Vulnerability in the Oracle Retail Back Office component of Oracle Ret ...) NOT-FOR-US: Oracle CVE-2017-10422 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10421 (Vulnerability in the Oracle Hospitality Suite8 component of Oracle Hos ...) NOT-FOR-US: Oracle CVE-2017-10420 (Vulnerability in the Oracle Hospitality Suite8 component of Oracle Hos ...) NOT-FOR-US: Oracle CVE-2017-10419 (Vulnerability in the Oracle Hospitality Suite8 component of Oracle Hos ...) NOT-FOR-US: Oracle CVE-2017-10418 (Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of ...) NOT-FOR-US: Oracle CVE-2017-10417 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-10416 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-10415 (Vulnerability in the Oracle iSupport component of Oracle E-Business Su ...) NOT-FOR-US: Oracle CVE-2017-10414 (Vulnerability in the Oracle iStore component of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2017-10413 (Vulnerability in the Oracle Mobile Field Service component of Oracle E ...) NOT-FOR-US: Oracle CVE-2017-10412 (Vulnerability in the Oracle Knowledge Management component of Oracle E ...) NOT-FOR-US: Oracle CVE-2017-10411 (Vulnerability in the Oracle Knowledge Management component of Oracle E ...) NOT-FOR-US: Oracle CVE-2017-10410 (Vulnerability in the Oracle Knowledge Management component of Oracle E ...) NOT-FOR-US: Oracle CVE-2017-10409 (Vulnerability in the Oracle iStore component of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2017-10408 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.30-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10407 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.30-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10406 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10405 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...) NOT-FOR-US: Oracle CVE-2017-10404 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...) NOT-FOR-US: Oracle CVE-2017-10403 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...) NOT-FOR-US: Oracle CVE-2017-10402 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...) NOT-FOR-US: Oracle CVE-2017-10401 (Vulnerability in the Oracle Hospitality Cruise Materials Management co ...) NOT-FOR-US: Oracle CVE-2017-10400 (Vulnerability in the Oracle GlassFish Server component of Oracle Fusio ...) - glassfish (Vulnerable code not included, see bug #853998) CVE-2017-10399 (Vulnerability in the Oracle Hospitality Cruise Fleet Management compon ...) NOT-FOR-US: Oracle CVE-2017-10398 (Vulnerability in the Oracle Hospitality Cruise Fleet Management compon ...) NOT-FOR-US: Oracle CVE-2017-10397 (Vulnerability in the Oracle Hospitality Cruise Fleet Management compon ...) NOT-FOR-US: Oracle CVE-2017-10396 (Vulnerability in the Oracle Hospitality Cruise AffairWhere component o ...) NOT-FOR-US: Oracle CVE-2017-10395 (Vulnerability in the Oracle Hospitality Cruise Fleet Management compon ...) NOT-FOR-US: Oracle CVE-2017-10394 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10393 (Vulnerability in the Oracle GlassFish Server component of Oracle Fusio ...) - glassfish (Vulnerable code not included, see bug #853998) CVE-2017-10392 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.30-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10391 (Vulnerability in the Oracle GlassFish Server component of Oracle Fusio ...) - glassfish (Vulnerable code not included, see bug #853998) CVE-2017-10390 RESERVED CVE-2017-10389 (Vulnerability in the Oracle Hospitality Suite8 component of Oracle Hos ...) NOT-FOR-US: Oracle CVE-2017-10388 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-4048-1 DSA-4015-1 DLA-1187-1} - openjdk-9 9.0.1+11-1 - openjdk-8 8u151-b12-1 [experimental] - openjdk-7 7u151-2.6.11-2 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10387 (Vulnerability in the Oracle CRM Technical Foundation component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10386 (Vulnerability in the Java Advanced Management Console component of Ora ...) NOT-FOR-US: Java Advanced Management Console CVE-2017-10385 (Vulnerability in the Oracle GlassFish Server component of Oracle Fusio ...) - glassfish (Vulnerable code not included, see bug #853998) CVE-2017-10384 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4002-1 DSA-3944-1 DLA-1141-1} - mariadb-10.2 (bug #884065) - mariadb-10.0 - mysql-5.7 5.7.20-1 (bug #878398) - mysql-5.5 (bug #878402) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL CVE-2017-10383 (Vulnerability in the Oracle Hospitality Guest Access component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10382 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10381 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10380 (Vulnerability in the Java Advanced Management Console component of Ora ...) NOT-FOR-US: Java Advanced Management Console CVE-2017-10379 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4002-1 DSA-3944-1 DLA-1141-1} - mariadb-10.2 (bug #884065) - mariadb-10.0 - mysql-5.7 5.7.20-1 (bug #878398) - mysql-5.5 (bug #878402) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL CVE-2017-10378 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DSA-4002-1 DLA-1407-1 DLA-1141-1} - mariadb-10.2 (bug #884065) - mariadb-10.1 10.1.29-1 - mariadb-10.0 - mysql-5.7 (Fixed before initial release to Debian, upstream 5.7.12) - mysql-5.5 (bug #878402) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL NOTE: https://jira.mariadb.org/browse/MDEV-13819 NOTE: https://github.com/MariaDB/server/commit/b000e169562697aa072600695d4f0c0412f94f4f CVE-2017-10377 RESERVED CVE-2017-10376 RESERVED CVE-2017-10375 (Vulnerability in the Oracle Hospitality Guest Access component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10374 RESERVED CVE-2017-10373 (Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of ...) NOT-FOR-US: Oracle CVE-2017-10372 (Vulnerability in the Oracle Hospitality Guest Access component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10371 RESERVED CVE-2017-10370 (Vulnerability in the Oracle Hospitality Guest Access component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10369 (Vulnerability in the Oracle Virtual Directory component of Oracle Fusi ...) NOT-FOR-US: Oracle CVE-2017-10368 (Vulnerability in the PeopleSoft Enterprise SCM eProcurement component ...) NOT-FOR-US: Oracle CVE-2017-10367 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...) NOT-FOR-US: Oracle CVE-2017-10366 (Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of ...) NOT-FOR-US: Oracle CVE-2017-10365 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mariadb-10.2 (bug #884065) - mysql-5.7 5.7.20-1 (bug #878398) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL CVE-2017-10364 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10363 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2017-10362 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10361 (Vulnerability in the Oracle Hospitality Cruise Shipboard Property Mana ...) NOT-FOR-US: Oracle CVE-2017-10360 (Vulnerability in the Oracle WebCenter Content component of Oracle Fusi ...) NOT-FOR-US: Oracle CVE-2017-10359 (Vulnerability in the Oracle Hyperion BI+ component of Oracle Hyperion ...) NOT-FOR-US: Oracle CVE-2017-10358 (Vulnerability in the Oracle Hyperion Financial Reporting component of ...) NOT-FOR-US: Oracle CVE-2017-10357 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-4048-1 DSA-4015-1 DLA-1187-1} - openjdk-9 9.0.1+11-1 - openjdk-8 8u151-b12-1 [experimental] - openjdk-7 7u151-2.6.11-2 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10356 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-4048-1 DSA-4015-1 DLA-1187-1} - openjdk-9 9.0.1+11-1 - openjdk-8 8u151-b12-1 [experimental] - openjdk-7 7u151-2.6.11-2 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10355 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-4048-1 DSA-4015-1 DLA-1187-1} - openjdk-9 9.0.1+11-1 - openjdk-8 8u151-b12-1 [experimental] - openjdk-7 7u151-2.6.11-2 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10354 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub compon ...) NOT-FOR-US: Oracle CVE-2017-10353 (Vulnerability in the Oracle Hospitality Hotel Mobile component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10352 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-10351 (Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of ...) NOT-FOR-US: Oracle CVE-2017-10350 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-4048-1 DSA-4015-1 DLA-1187-1} - openjdk-9 9.0.1+11-1 - openjdk-8 8u151-b12-1 [experimental] - openjdk-7 7u151-2.6.11-2 - openjdk-7 CVE-2017-10349 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-4048-1 DSA-4015-1 DLA-1187-1} - openjdk-9 9.0.1+11-1 - openjdk-8 8u151-b12-1 [experimental] - openjdk-7 7u151-2.6.11-2 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10348 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-4048-1 DSA-4015-1 DLA-1187-1} - openjdk-9 9.0.1+11-1 - openjdk-8 8u151-b12-1 [experimental] - openjdk-7 7u151-2.6.11-2 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10347 (Vulnerability in the Java SE, JRockit component of Oracle Java SE (sub ...) {DSA-4048-1 DSA-4015-1 DLA-1187-1} - openjdk-9 9.0.1+11-1 - openjdk-8 8u151-b12-1 [experimental] - openjdk-7 7u151-2.6.11-2 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10346 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-4048-1 DSA-4015-1 DLA-1187-1} - openjdk-9 9.0.1+11-1 - openjdk-8 8u151-b12-1 [experimental] - openjdk-7 7u151-2.6.11-2 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10345 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-4048-1 DSA-4015-1 DLA-1187-1} - openjdk-9 9.0.1+11-1 - openjdk-8 8u151-b12-1 [experimental] - openjdk-7 7u151-2.6.11-2 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10344 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...) NOT-FOR-US: Oracle CVE-2017-10343 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...) NOT-FOR-US: Oracle CVE-2017-10342 (Vulnerability in the Java Advanced Management Console component of Ora ...) NOT-FOR-US: Java Advanced Management Console CVE-2017-10341 (Vulnerability in the Java Advanced Management Console component of Ora ...) NOT-FOR-US: Java Advanced Management Console CVE-2017-10340 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...) NOT-FOR-US: Oracle CVE-2017-10339 (Vulnerability in the Oracle Hospitality Suite8 component of Oracle Hos ...) NOT-FOR-US: Oracle CVE-2017-10338 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub compon ...) NOT-FOR-US: Oracle CVE-2017-10337 (Vulnerability in the Oracle Hospitality Suite8 component of Oracle Hos ...) NOT-FOR-US: Oracle CVE-2017-10336 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-10335 (Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of ...) NOT-FOR-US: Oracle CVE-2017-10334 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-10333 (Vulnerability in the Siebel UI Framework component of Oracle Siebel CR ...) NOT-FOR-US: Oracle CVE-2017-10332 (Vulnerability in the Oracle Universal Work Queue component of Oracle E ...) NOT-FOR-US: Oracle CVE-2017-10331 (Vulnerability in the Oracle Application Object Library component of Or ...) NOT-FOR-US: Oracle CVE-2017-10330 (Vulnerability in the Oracle Common Applications component of Oracle E- ...) NOT-FOR-US: Oracle CVE-2017-10329 (Vulnerability in the Oracle Global Order Promising component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-10328 (Vulnerability in the Oracle Application Object Library component of Or ...) NOT-FOR-US: Oracle CVE-2017-10327 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10326 (Vulnerability in the Oracle Common Applications Calendar component of ...) NOT-FOR-US: Oracle CVE-2017-10325 (Vulnerability in the Oracle Common Applications Calendar component of ...) NOT-FOR-US: Oracle CVE-2017-10324 (Vulnerability in the Oracle Applications Technology Stack component of ...) NOT-FOR-US: Oracle CVE-2017-10323 (Vulnerability in the Oracle Web Applications Desktop Integrator compon ...) NOT-FOR-US: Oracle CVE-2017-10322 (Vulnerability in the Oracle Common Applications Calendar component of ...) NOT-FOR-US: Oracle CVE-2017-10321 (Vulnerability in the Core RDBMS component of Oracle Database Server. S ...) NOT-FOR-US: Oracle CVE-2017-10320 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mariadb-10.2 (bug #884065) - mysql-5.7 5.7.20-1 (bug #878398) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL CVE-2017-10319 (Vulnerability in the Oracle Hospitality Suite8 component of Oracle Hos ...) NOT-FOR-US: Oracle CVE-2017-10318 (Vulnerability in the Oracle Hospitality Suite8 component of Oracle Hos ...) NOT-FOR-US: Oracle CVE-2017-10317 (Vulnerability in the Oracle Hospitality Suite8 component of Oracle Hos ...) NOT-FOR-US: Oracle CVE-2017-10316 (Vulnerability in the Oracle Hospitality Suite8 component of Oracle Hos ...) NOT-FOR-US: Oracle CVE-2017-10315 (Vulnerability in the Siebel UI Framework component of Oracle Siebel CR ...) NOT-FOR-US: Oracle CVE-2017-10314 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #878398) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL CVE-2017-10313 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #878398) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL CVE-2017-10312 (Vulnerability in the Oracle Hyperion BI+ component of Oracle Hyperion ...) NOT-FOR-US: Oracle CVE-2017-10311 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #878398) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL CVE-2017-10310 (Vulnerability in the Oracle Hyperion Financial Reporting component of ...) NOT-FOR-US: Oracle CVE-2017-10309 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-9 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2017-10308 (Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain ...) NOT-FOR-US: Oracle CVE-2017-10307 RESERVED CVE-2017-10306 (Vulnerability in the PeopleSoft Enterprise HCM component of Oracle Peo ...) NOT-FOR-US: Oracle CVE-2017-10305 RESERVED CVE-2017-10304 (Vulnerability in the PeopleSoft Enterprise HCM component of Oracle Peo ...) NOT-FOR-US: Oracle CVE-2017-10303 (Vulnerability in the Oracle Interaction Center Intelligence component ...) NOT-FOR-US: Oracle CVE-2017-10302 (Vulnerability in the Siebel UI Framework component of Oracle Siebel CR ...) NOT-FOR-US: Oracle CVE-2017-10301 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub compon ...) NOT-FOR-US: Oracle CVE-2017-10300 (Vulnerability in the Siebel CRM Desktop component of Oracle Siebel CRM ...) NOT-FOR-US: Oracle CVE-2017-10299 (Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain ...) NOT-FOR-US: Oracle CVE-2017-10298 RESERVED CVE-2017-10297 RESERVED CVE-2017-10296 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #878398) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL CVE-2017-10295 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-4048-1 DSA-4015-1 DLA-1187-1} - openjdk-9 9.0.1+11-1 - openjdk-8 8u151-b12-1 [experimental] - openjdk-7 7u151-2.6.11-2 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10294 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #878398) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL CVE-2017-10293 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-8 (Seems to be specific to Oracle Java) - openjdk-7 (Seems to be specific to Oracle Java) - openjdk-6 (Seems to be specific to Oracle Java) CVE-2017-10292 (Vulnerability in the RDBMS Security component of Oracle Database Serve ...) NOT-FOR-US: Oracle CVE-2017-10291 RESERVED CVE-2017-10290 RESERVED CVE-2017-10289 RESERVED CVE-2017-10288 RESERVED CVE-2017-10287 (Vulnerability in the PeopleSoft Enterprise FSCM component of Oracle Pe ...) NOT-FOR-US: Oracle CVE-2017-10286 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3944-1} - mariadb-10.2 (bug #884065) - mariadb-10.0 - mysql-5.7 5.7.20-1 (bug #878398) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL CVE-2017-10285 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-4048-1 DSA-4015-1 DLA-1187-1} - openjdk-9 9.0.1+11-1 - openjdk-8 8u151-b12-1 [experimental] - openjdk-7 7u151-2.6.11-2 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10284 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #878398) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL CVE-2017-10283 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #878398) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL CVE-2017-10282 (Vulnerability in the Core RDBMS component of Oracle Database Server. S ...) NOT-FOR-US: Oracle CVE-2017-10281 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-4048-1 DSA-4015-1 DLA-1187-1} - openjdk-9 9.0.1+11-1 - openjdk-8 8u151-b12-1 [experimental] - openjdk-7 7u151-2.6.11-2 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10280 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10279 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #878398) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL CVE-2017-10278 (Vulnerability in the Oracle Tuxedo component of Oracle Fusion Middlewa ...) NOT-FOR-US: Oracle CVE-2017-10277 (Vulnerability in the MySQL Connectors component of Oracle MySQL (subco ...) - mysql-connector-net (bug #883923) [stretch] - mysql-connector-net (Minor issue) [jessie] - mysql-connector-net (Minor issue) [wheezy] - mysql-connector-net (Minor issue) CVE-2017-10276 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #878398) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL CVE-2017-10275 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Oracle CVE-2017-10274 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) {DSA-4048-1 DSA-4015-1 DLA-1187-1} - openjdk-9 9.0.1+11-1 - openjdk-8 8u151-b12-1 [experimental] - openjdk-7 7u151-2.6.11-2 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10273 (Vulnerability in the Oracle JDeveloper component of Oracle Fusion Midd ...) NOT-FOR-US: Oracle CVE-2017-10272 (Vulnerability in the Oracle Tuxedo component of Oracle Fusion Middlewa ...) NOT-FOR-US: Oracle CVE-2017-10271 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-10270 (Vulnerability in the Oracle Identity Manager Connector component of Or ...) NOT-FOR-US: Oracle CVE-2017-10269 (Vulnerability in the Oracle Tuxedo component of Oracle Fusion Middlewa ...) NOT-FOR-US: Oracle CVE-2017-10268 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-4341-1 DSA-4002-1 DLA-1407-1 DLA-1141-1} - mariadb-10.2 (bug #884065) - mariadb-10.1 10.1.29-1 - mariadb-10.0 - mysql-5.7 5.7.20-1 (bug #878398) - mysql-5.5 (bug #878402) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL CVE-2017-10267 (Vulnerability in the Oracle Tuxedo component of Oracle Fusion Middlewa ...) NOT-FOR-US: Oracle CVE-2017-10266 (Vulnerability in the Oracle Tuxedo component of Oracle Fusion Middlewa ...) NOT-FOR-US: Oracle CVE-2017-10265 (Vulnerability in the Oracle Integrated Lights Out Manager (ILOM) compo ...) NOT-FOR-US: Oracle CVE-2017-10264 (Vulnerability in the Siebel UI Framework component of Oracle Siebel CR ...) NOT-FOR-US: Oracle CVE-2017-10263 (Vulnerability in the Siebel UI Framework component of Oracle Siebel CR ...) NOT-FOR-US: Oracle CVE-2017-10262 (Vulnerability in the Oracle Access Manager component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-10261 (Vulnerability in the XML Database component of Oracle Database Server. ...) NOT-FOR-US: Oracle CVE-2017-10260 (Vulnerability in the Oracle Integrated Lights Out Manager (ILOM) compo ...) NOT-FOR-US: Oracle CVE-2017-10259 (Vulnerability in the Oracle Access Manager component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-10258 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub compon ...) NOT-FOR-US: PeopleSoft CVE-2017-10257 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub compon ...) NOT-FOR-US: PeopleSoft CVE-2017-10256 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub compon ...) NOT-FOR-US: PeopleSoft CVE-2017-10255 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub compon ...) NOT-FOR-US: PeopleSoft CVE-2017-10254 (Vulnerability in the PeopleSoft Enterprise FSCM component of Oracle Pe ...) NOT-FOR-US: PeopleSoft CVE-2017-10253 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: PeopleSoft CVE-2017-10252 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: PeopleSoft CVE-2017-10251 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: PeopleSoft CVE-2017-10250 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: PeopleSoft CVE-2017-10249 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: PeopleSoft CVE-2017-10248 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub compon ...) NOT-FOR-US: PeopleSoft CVE-2017-10247 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub compon ...) NOT-FOR-US: PeopleSoft CVE-2017-10246 (Vulnerability in the Oracle Application Object Library component of Or ...) NOT-FOR-US: Oracle CVE-2017-10245 (Vulnerability in the Oracle General Ledger component of Oracle E-Busin ...) NOT-FOR-US: Oracle CVE-2017-10244 (Vulnerability in the Oracle Application Object Library component of Or ...) NOT-FOR-US: Oracle CVE-2017-10243 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10242 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10241 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10240 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10239 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10238 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10237 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10236 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10235 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10234 (Vulnerability in the Solaris Cluster component of Oracle Sun Systems P ...) NOT-FOR-US: Oracle CVE-2017-10233 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10232 (Vulnerability in the Hospitality WebSuite8 Cloud Service component of ...) NOT-FOR-US: Oracle CVE-2017-10231 (Vulnerability in the Oracle Hospitality Cruise AffairWhere component o ...) NOT-FOR-US: Oracle CVE-2017-10230 (Vulnerability in the Oracle Hospitality Cruise Dining Room Management ...) NOT-FOR-US: Oracle CVE-2017-10229 (Vulnerability in the Oracle Hospitality Cruise Materials Management co ...) NOT-FOR-US: Oracle CVE-2017-10228 (Vulnerability in the Oracle Hospitality Cruise Shipboard Property Mana ...) NOT-FOR-US: Oracle CVE-2017-10227 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #878398) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL CVE-2017-10226 (Vulnerability in the Oracle Hospitality Cruise Fleet Management compon ...) NOT-FOR-US: Oracle CVE-2017-10225 (Vulnerability in the Oracle Hospitality RES 3700 component of Oracle H ...) NOT-FOR-US: Oracle CVE-2017-10224 (Vulnerability in the Oracle Hospitality Inventory Management component ...) NOT-FOR-US: Oracle CVE-2017-10223 (Vulnerability in the Oracle Hospitality Materials Control component of ...) NOT-FOR-US: Oracle CVE-2017-10222 (Vulnerability in the Oracle Hospitality Materials Control component of ...) NOT-FOR-US: Oracle CVE-2017-10221 (Vulnerability in the Oracle Hospitality RES 3700 component of Oracle H ...) NOT-FOR-US: Oracle CVE-2017-10220 (Vulnerability in the Hospitality Property Interfaces component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10219 (Vulnerability in the Oracle Hospitality Guest Access component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10218 (Vulnerability in the Oracle Hospitality Guest Access component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10217 (Vulnerability in the Oracle Hospitality Guest Access component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10216 (Vulnerability in the Hospitality Property Interfaces component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10215 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub compon ...) NOT-FOR-US: PeopleSoft CVE-2017-10214 (Vulnerability in the Oracle Retail Xstore Point of Service component o ...) NOT-FOR-US: Oracle CVE-2017-10213 (Vulnerability in the Hospitality Suite8 component of Oracle Hospitalit ...) NOT-FOR-US: Oracle CVE-2017-10212 (Vulnerability in the Hospitality Suite8 component of Oracle Hospitalit ...) NOT-FOR-US: Oracle CVE-2017-10211 (Vulnerability in the Hospitality Suite8 component of Oracle Hospitalit ...) NOT-FOR-US: Oracle CVE-2017-10210 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10209 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10208 (Vulnerability in the Oracle Hospitality e7 component of Oracle Hospita ...) NOT-FOR-US: Oracle CVE-2017-10207 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...) NOT-FOR-US: Oracle CVE-2017-10206 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...) NOT-FOR-US: Oracle CVE-2017-10205 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...) NOT-FOR-US: Oracle CVE-2017-10204 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10203 (Vulnerability in the MySQL Connectors component of Oracle MySQL (subco ...) - mysql-connector-net (bug #883923) [stretch] - mysql-connector-net (Minor issue) [jessie] - mysql-connector-net (Minor issue) [wheezy] - mysql-connector-net (Minor issue) CVE-2017-10202 (Vulnerability in the OJVM component of Oracle Database Server. Support ...) NOT-FOR-US: Oracle CVE-2017-10201 (Vulnerability in the Oracle Hospitality e7 component of Oracle Hospita ...) NOT-FOR-US: Oracle CVE-2017-10200 (Vulnerability in the Oracle Hospitality e7 component of Oracle Hospita ...) NOT-FOR-US: Oracle CVE-2017-10199 (Vulnerability in the Oracle iLearning component of Oracle iLearning (s ...) NOT-FOR-US: Oracle CVE-2017-10198 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10197 (Vulnerability in the Oracle Hospitality OPERA 5 Property Services comp ...) NOT-FOR-US: Oracle CVE-2017-10196 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-10195 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...) NOT-FOR-US: Oracle CVE-2017-10194 (Vulnerability in the Oracle Integrated Lights Out Manager (ILOM) compo ...) NOT-FOR-US: Oracle CVE-2017-10193 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10192 (Vulnerability in the Oracle iStore component of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2017-10191 (Vulnerability in the Oracle Web Analytics component of Oracle E-Busine ...) NOT-FOR-US: Oracle CVE-2017-10190 (Vulnerability in the Java VM component of Oracle Database Server. Supp ...) NOT-FOR-US: Oracle CVE-2017-10189 (Vulnerability in the Hospitality Suite8 component of Oracle Hospitalit ...) NOT-FOR-US: Oracle CVE-2017-10188 (Vulnerability in the Hospitality Hotel Mobile component of Oracle Hosp ...) NOT-FOR-US: Oracle CVE-2017-10187 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10186 (Vulnerability in the Oracle iStore component of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2017-10185 (Vulnerability in the Oracle CRM Technical Foundation component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10184 (Vulnerability in the Oracle Field Service component of Oracle E-Busine ...) NOT-FOR-US: Oracle CVE-2017-10183 (Vulnerability in the Oracle Retail Xstore Point of Service component o ...) NOT-FOR-US: Oracle CVE-2017-10182 (Vulnerability in the Oracle Hospitality OPERA 5 Property Services comp ...) NOT-FOR-US: Oracle CVE-2017-10181 (Vulnerability in the Oracle FLEXCUBE Direct Banking component of Oracl ...) NOT-FOR-US: Oracle CVE-2017-10180 (Vulnerability in the Oracle CRM Technical Foundation component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10179 (Vulnerability in the Application Management Pack for Oracle E-Business ...) NOT-FOR-US: Oracle CVE-2017-10178 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-10177 (Vulnerability in the Oracle Application Object Library component of Or ...) NOT-FOR-US: Oracle CVE-2017-10176 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 CVE-2017-10175 (Vulnerability in the Oracle iSupport component of Oracle E-Business Su ...) NOT-FOR-US: Oracle CVE-2017-10174 (Vulnerability in the Oracle iSupport component of Oracle E-Business Su ...) NOT-FOR-US: Oracle CVE-2017-10173 (Vulnerability in the Oracle Retail Open Commerce Platform component of ...) NOT-FOR-US: Oracle CVE-2017-10172 (Vulnerability in the Oracle Retail Open Commerce Platform component of ...) NOT-FOR-US: Oracle CVE-2017-10171 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-10170 (Vulnerability in the Oracle Field Service component of Oracle E-Busine ...) NOT-FOR-US: Oracle CVE-2017-10169 (Vulnerability in the Oracle Hospitality 9700 component of Oracle Hospi ...) NOT-FOR-US: Oracle CVE-2017-10168 (Vulnerability in the Hospitality Hotel Mobile component of Oracle Hosp ...) NOT-FOR-US: Oracle CVE-2017-10167 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #878398) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL CVE-2017-10166 (Vulnerability in the Oracle Security Service component of Oracle Fusio ...) NOT-FOR-US: Oracle CVE-2017-10165 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #878398) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL CVE-2017-10164 (Vulnerability in the PeopleSoft Enterprise FSCM component of Oracle Pe ...) NOT-FOR-US: Oracle CVE-2017-10163 (Vulnerability in the Oracle Business Intelligence Enterprise Edition c ...) NOT-FOR-US: Oracle CVE-2017-10162 (Vulnerability in the Siebel Core - Server Framework component of Oracl ...) NOT-FOR-US: Oracle CVE-2017-10161 (Vulnerability in the Oracle Engineering Data Management component of O ...) NOT-FOR-US: Oracle CVE-2017-10160 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Primavera CVE-2017-10159 (Vulnerability in the Oracle Communications Policy Management component ...) NOT-FOR-US: Oracle CVE-2017-10158 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10157 (Vulnerability in the BI Publisher component of Oracle Fusion Middlewar ...) NOT-FOR-US: Oracle CVE-2017-10156 (Vulnerability in the BI Publisher component of Oracle Fusion Middlewar ...) NOT-FOR-US: Oracle CVE-2017-10155 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #878398) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL CVE-2017-10154 (Vulnerability in the Oracle Access Manager component of Oracle Fusion ...) NOT-FOR-US: Java Advanced Management Console CVE-2017-10153 (Vulnerability in the Oracle Communications WebRTC Session Controller c ...) NOT-FOR-US: Oracle CVE-2017-10152 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-10151 (Vulnerability in the Oracle Identity Manager component of Oracle Fusio ...) NOT-FOR-US: Oracle CVE-2017-10150 (Vulnerability in the Primavera Unifier component of Oracle Primavera P ...) NOT-FOR-US: Primavera CVE-2017-10149 (Vulnerability in the Primavera Unifier component of Oracle Primavera P ...) NOT-FOR-US: Primavera CVE-2017-10148 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-10147 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-10146 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10145 (Vulnerability in the Java Advanced Management Console component of Ora ...) NOT-FOR-US: Oracle CVE-2017-10144 (Vulnerability in the Oracle Applications Manager component of Oracle E ...) NOT-FOR-US: Oracle CVE-2017-10143 (Vulnerability in the Oracle CRM Technical Foundation component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10142 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...) NOT-FOR-US: Oracle CVE-2017-10141 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-10140 (Postfix before 2.11.10, 3.0.x before 3.0.10, 3.1.x before 3.1.6, and 3 ...) {DLA-1137-1 DLA-1136-1 DLA-1135-1} - db5.3 5.3.28-13.1 (bug #872436) [stretch] - db5.3 5.3.28-12+deb9u1 [jessie] - db5.3 5.3.28-9+deb8u1 - db5.2 - db5.1 - db4.8 - db4.7 - db4.6 - db4.5 - db4.4 - db4.3 - db4.2 - db4.1 - db4.0 - db [jessie] - db 5.1.29-9+deb8u1 NOTE: http://www.openwall.com/lists/oss-security/2017/08/12/1 NOTE: Patch as used in Fedora: https://src.fedoraproject.org/rpms/libdb/raw/8047fa8580659fcae740c25e91b490539b8453eb/f/db-5.3.28-cwd-db_config.patch NOTE: and is acknowledged by libdb upstream, cf. https://bugzilla.redhat.com/show_bug.cgi?id=1464032#c9 CVE-2017-10139 RESERVED CVE-2017-10138 RESERVED CVE-2017-10137 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-10136 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...) NOT-FOR-US: Oracle CVE-2017-10135 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 NOTE: OpenJDK-8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/079cd6c5de27 CVE-2017-10134 (Vulnerability in the PeopleSoft Enterprise FSCM component of Oracle Pe ...) NOT-FOR-US: Oracle CVE-2017-10133 (Vulnerability in the Hospitality Hotel Mobile component of Oracle Hosp ...) NOT-FOR-US: Oracle CVE-2017-10132 (Vulnerability in the Hospitality Hotel Mobile component of Oracle Hosp ...) NOT-FOR-US: Oracle CVE-2017-10131 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle CVE-2017-10130 (Vulnerability in the Oracle iStore component of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2017-10129 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10128 (Vulnerability in the Hospitality WebSuite8 Cloud Service component of ...) NOT-FOR-US: Oracle CVE-2017-10127 RESERVED CVE-2017-10126 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub compon ...) NOT-FOR-US: Oracle CVE-2017-10125 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2017-10124 RESERVED CVE-2017-10123 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-10122 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2017-10121 (Vulnerability in the Java Advanced Management Console component of Ora ...) NOT-FOR-US: Java Advanced Management Console CVE-2017-10120 (Vulnerability in the RDBMS Security component of Oracle Database Serve ...) NOT-FOR-US: Oracle CVE-2017-10119 (Vulnerability in the Oracle Service Bus component of Oracle Fusion Mid ...) NOT-FOR-US: Oracle CVE-2017-10118 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 CVE-2017-10117 (Vulnerability in the Java Advanced Management Console component of Ora ...) NOT-FOR-US: Java Advanced Management Console CVE-2017-10116 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10115 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10114 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) {DSA-4005-1} - openjfx 8u141-b14-1 (low; bug #870860) CVE-2017-10113 (Vulnerability in the Oracle Common Applications component of Oracle E- ...) NOT-FOR-US: Oracle CVE-2017-10112 (Vulnerability in the Oracle iStore component of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2017-10111 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3919-1} - openjdk-8 8u141-b15-1 CVE-2017-10110 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10109 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10108 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10107 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10106 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10105 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2017-10104 (Vulnerability in the Java Advanced Management Console component of Ora ...) NOT-FOR-US: Java Advanced Management Console CVE-2017-10103 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10102 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10101 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10100 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub compon ...) NOT-FOR-US: Oracle CVE-2017-10099 (Vulnerability in the SPARC M7, T7, S7 based Servers component of Oracl ...) NOT-FOR-US: Oracle CVE-2017-10098 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2017-10097 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...) NOT-FOR-US: Oracle CVE-2017-10096 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10095 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2017-10094 (Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain ...) NOT-FOR-US: Oracle CVE-2017-10093 (Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain ...) NOT-FOR-US: Oracle CVE-2017-10092 (Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain ...) NOT-FOR-US: Oracle CVE-2017-10091 (Vulnerability in the Enterprise Manager Base Platform component of Ora ...) NOT-FOR-US: Oracle CVE-2017-10090 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 CVE-2017-10089 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10088 (Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain ...) NOT-FOR-US: Oracle CVE-2017-10087 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10086 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) {DSA-4005-1} - openjfx 8u141-b14-1 (low; bug #870860) CVE-2017-10085 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2017-10084 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2017-10083 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2017-10082 (Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain ...) NOT-FOR-US: Oracle CVE-2017-10081 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10080 (Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain ...) NOT-FOR-US: Oracle CVE-2017-10079 (Vulnerability in the Oracle Hospitality Suites Management component of ...) NOT-FOR-US: Oracle CVE-2017-10078 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) {DSA-3919-1} - openjdk-8 8u141-b15-1 CVE-2017-10077 (Vulnerability in the Oracle Applications DBA component of Oracle E-Bus ...) NOT-FOR-US: Oracle CVE-2017-10076 (Vulnerability in the Oracle Hospitality Simphony First Edition Venue M ...) NOT-FOR-US: Oracle CVE-2017-10075 (Vulnerability in the Oracle WebCenter Content component of Oracle Fusi ...) NOT-FOR-US: Oracle CVE-2017-10074 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10073 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2017-10072 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2017-10071 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2017-10070 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub compon ...) NOT-FOR-US: Oracle CVE-2017-10069 (Vulnerability in the Oracle Payment Interface component of Oracle Hosp ...) NOT-FOR-US: Oracle CVE-2017-10068 (Vulnerability in the Oracle Business Intelligence Enterprise Edition c ...) NOT-FOR-US: Oracle CVE-2017-10067 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10066 (Vulnerability in the Oracle Applications Technology Stack component of ...) NOT-FOR-US: Oracle CVE-2017-10065 (Vulnerability in the Oracle Retail Point-of-Service component of Oracl ...) NOT-FOR-US: Oracle CVE-2017-10064 (Vulnerability in the Hospitality WebSuite8 Cloud Service component of ...) NOT-FOR-US: Oracle CVE-2017-10063 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-10062 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2017-10061 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10060 (Vulnerability in the Oracle Business Intelligence Enterprise Edition c ...) NOT-FOR-US: Oracle CVE-2017-10059 (Vulnerability in the BI Publisher component of Oracle Fusion Middlewar ...) NOT-FOR-US: Oracle CVE-2017-10058 (Vulnerability in the Oracle Business Intelligence Enterprise Edition c ...) NOT-FOR-US: Oracle CVE-2017-10057 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub compon ...) NOT-FOR-US: Oracle CVE-2017-10056 (Vulnerability in the Oracle Hospitality 9700 component of Oracle Hospi ...) NOT-FOR-US: Oracle CVE-2017-10055 (Vulnerability in the Oracle iPlanet Web Server component of Oracle Fus ...) NOT-FOR-US: Oracle CVE-2017-10054 (Vulnerability in the Oracle Hospitality Cruise Materials Management co ...) NOT-FOR-US: Oracle CVE-2017-10053 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10052 (Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain ...) NOT-FOR-US: Oracle CVE-2017-10051 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-10050 (Vulnerability in the Oracle Hospitality Suite8 component of Oracle Hos ...) NOT-FOR-US: Oracle CVE-2017-10049 (Vulnerability in the Siebel Core CRM component of Oracle Siebel CRM (s ...) NOT-FOR-US: Oracle CVE-2017-10048 (Vulnerability in the Oracle Enterprise Repository component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-10047 (Vulnerability in the MICROS BellaVita component of Oracle Hospitality ...) NOT-FOR-US: Oracle CVE-2017-10046 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle CVE-2017-10045 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10044 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...) NOT-FOR-US: Oracle CVE-2017-10043 (Vulnerability in the BI Publisher component of Oracle Fusion Middlewar ...) NOT-FOR-US: Oracle CVE-2017-10042 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2017-10041 (Vulnerability in the BI Publisher component of Oracle Fusion Middlewar ...) NOT-FOR-US: Oracle CVE-2017-10040 (Vulnerability in the Oracle WebCenter Content component of Oracle Fusi ...) NOT-FOR-US: Oracle CVE-2017-10039 (Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain ...) NOT-FOR-US: Oracle CVE-2017-10038 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle CVE-2017-10037 (Vulnerability in the Oracle BI Publisher component of Oracle Fusion Mi ...) NOT-FOR-US: Oracle CVE-2017-10036 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2017-10035 (Vulnerability in the BI Publisher component of Oracle Fusion Middlewar ...) NOT-FOR-US: Oracle CVE-2017-10034 (Vulnerability in the Oracle BI Publisher component of Oracle Fusion Mi ...) NOT-FOR-US: Oracle CVE-2017-10033 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-10032 (Vulnerability in the Oracle Transportation Management component of Ora ...) NOT-FOR-US: Oracle CVE-2017-10031 (Vulnerability in the Oracle Communications Convergence component of Or ...) NOT-FOR-US: Oracle CVE-2017-10030 (Vulnerability in the BI Publisher component of Oracle Fusion Middlewar ...) NOT-FOR-US: Oracle CVE-2017-10029 (Vulnerability in the BI Publisher component of Oracle Fusion Middlewar ...) NOT-FOR-US: Oracle CVE-2017-10028 (Vulnerability in the BI Publisher component of Oracle Fusion Middlewar ...) NOT-FOR-US: Oracle CVE-2017-10027 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10026 (Vulnerability in the Oracle SOA Suite component of Oracle Fusion Middl ...) NOT-FOR-US: Oracle CVE-2017-10025 (Vulnerability in the BI Publisher component of Oracle Fusion Middlewar ...) NOT-FOR-US: Oracle CVE-2017-10024 (Vulnerability in the BI Publisher component of Oracle Fusion Middlewar ...) NOT-FOR-US: Oracle CVE-2017-10023 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10022 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10021 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10020 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10019 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10018 (Vulnerability in the PeopleSoft Enterprise FSCM component of Oracle Pe ...) NOT-FOR-US: Oracle CVE-2017-10017 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10016 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Oracle CVE-2017-10015 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10014 (Vulnerability in the Oracle Hospitality Hotel Mobile component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10013 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Oracle CVE-2017-10012 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10011 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10010 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10009 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10008 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10007 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10006 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10005 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10004 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2017-10003 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2017-10002 (Vulnerability in the Oracle Hospitality Inventory Management component ...) NOT-FOR-US: Oracle CVE-2017-10001 (Vulnerability in the Oracle Hospitality Simphony First Edition compone ...) NOT-FOR-US: Oracle CVE-2017-10000 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...) NOT-FOR-US: Oracle CVE-2017-9782 (JasPer 2.0.12 allows remote attackers to cause a denial of service (he ...) - jasper [jessie] - jasper (Minor issue) [wheezy] - jasper (Minor issue) NOTE: https://github.com/mdadams/jasper/issues/140 CVE-2017-9781 (A cross site scripting (XSS) vulnerability exists in Check_MK versions ...) [experimental] - check-mk 1.4.0p9-1 - check-mk (bug #865497) [wheezy] - check-mk (Minor issue) NOTE: http://mathias-kettner.com/check_mk_werks.php?werk_id=4757 NOTE: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=c248f0b6ff7b15ced9f07a3df8a80fad656ea5b1 CVE-2017-9779 (OCaml compiler allows attackers to have unspecified impact via unknown ...) - ocaml 4.05.0-9 (bug #874700) [stretch] - ocaml (Minor issue) [jessie] - ocaml (Minor issue) [wheezy] - ocaml (Minor issue) NOTE: https://sympa.inria.fr/sympa/arc/caml-list/2017-06/msg00094.html NOTE: https://caml.inria.fr/mantis/view.php?id=7557 NOTE: Make sure any potential advisories are clear that any created suid NOTE: binaries using ocaml must be re-created once ocaml has been updated. CVE-2012-6706 (A VMSF_DELTA memory corruption was discovered in unrar before 5.5.5, a ...) {DLA-1014-1 DLA-1003-1} - unrar-nonfree 1:5.5.5-1 (bug #865461) [stretch] - unrar-nonfree 1:5.3.2-1+deb9u1 [jessie] - unrar-nonfree 1:5.2.7-0.1+deb8u1 - libclamunrar 0.99-4 (bug #867223) [stretch] - libclamunrar 0.99-3+deb9u1 [jessie] - libclamunrar 0.99-0+deb8u3 NOTE: http://www.openwall.com/lists/oss-security/2017/06/21/9 NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1286&desc=6 NOTE: https://github.com/vrtadmin/clamav-devel/commit/d4699442bce76574573dc564e7f2177d679b88bd CVE-2017-9778 (GNU Debugger (GDB) 8.0 and earlier fails to detect a negative length f ...) - gdb 8.3.1-1 (unimportant; bug #865607) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21600 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=723adb650a31859d7cc45832cb8adca0206455ed CVE-2017-9777 RESERVED CVE-2017-9776 (Integer overflow leading to Heap buffer overflow in JBIG2Stream.cc in ...) {DSA-4079-2 DSA-4079-1 DLA-1074-1} - poppler 0.57.0-2 (bug #865679) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=101541 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/55db66c69fd56826b8523710046deab1a8d14ba2 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/22c4701d5f7be0010ee4519daa546fba5ab7ac13 CVE-2017-9775 (Stack buffer overflow in GfxState.cc in pdftocairo in Poppler before 0 ...) {DSA-4079-1 DLA-1074-1} - poppler 0.57.0-2 (bug #865680) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=101540 NOTE: Fixed by: https://cgit.freedesktop.org/poppler/poppler/commit/?id=8f4ff8243a3d599ff2a6c08b1da389e606ba4fc9 CVE-2017-9774 (Remote Code Execution was found in Horde_Image 2.x before 2.5.0 via a ...) {DSA-4276-1 DLA-1395-1} - php-horde-image 2.5.1-1 (bug #865505) NOTE: https://lists.horde.org/archives/announce/2017/001234.html NOTE: https://github.com/horde/horde/commit/01a11ccd37149101d67e0b20261fa48ab07dae13 NOTE: Regression in upstream patch, fixing in https://github.com/horde/Image/pull/1 CVE-2017-9773 (Denial of Service was found in Horde_Image 2.x before 2.5.0 via a craf ...) {DSA-4276-1} - php-horde-image 2.5.1-1 (bug #865504) [jessie] - php-horde-image (Only Horde_Image above 2.3.0 affected) NOTE: https://lists.horde.org/archives/announce/2017/001234.html NOTE: https://github.com/horde/horde/commit/2b8a6fe1a5fc0fc662178145f853c65956985538 CVE-2017-9772 (Insufficient sanitisation in the OCaml compiler versions 4.04.0 and 4. ...) - ocaml (Only affects 4.04.0 and 4.04.1) NOTE: https://caml.inria.fr/mantis/view.php?id=7557 CVE-2017-9771 (install\save.php in WebsiteBaker v2.10.0 allows remote attackers to ex ...) NOT-FOR-US: WebsiteBaker CVE-2017-9770 (A specially crafted IOCTL can be issued to the rzpnk.sys driver in Raz ...) NOT-FOR-US: Razer Synapse CVE-2017-9769 (A specially crafted IOCTL can be issued to the rzpnk.sys driver in Raz ...) NOT-FOR-US: Razer Synapse CVE-2017-9768 RESERVED CVE-2017-9767 (Multiple cross-site scripting (XSS) vulnerabilities in Quali CloudShel ...) NOT-FOR-US: Quali CloudShell CVE-2017-9766 (In Wireshark 2.2.7, PROFINET IO data with a high recursion depth allow ...) {DLA-1634-1} - wireshark 2.4.0-1 (low; bug #870175) [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13811 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=d6e888400ba64de3147d1111a4c23edf389b0000 CVE-2017-9765 (Integer overflow in the soap_get function in Genivia gSOAP 2.7.x and 2 ...) {DLA-1036-1} - gsoap 2.8.48-1 [stretch] - gsoap 2.8.35-4+deb9u1 [jessie] - gsoap 2.8.17-1+deb8u1 - r-other-x4r 1.0.1+git20150806.c6bd9bd-2 NOTE: http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions NOTE: https://www.genivia.com/changelog.html#Version_2.8.48_upd_(06/21/2017) NOTE: SuSE patch: https://bugzilla.suse.com/attachment.cgi?id=733005 CVE-2017-9764 (Cross-site scripting (XSS) vulnerability in MetInfo 5.3.17 allows remo ...) NOT-FOR-US: MetInfo CVE-2017-9780 (In Flatpak before 0.8.7, a third-party app repository could include ma ...) {DSA-3895-1} - flatpak 0.8.7-1 (bug #865413) NOTE: https://github.com/flatpak/flatpak/issues/845 CVE-2017-10923 (Xen through 4.8.x does not validate a vCPU array index upon the sendin ...) - xen 4.8.1-1+deb9u3 [stretch] - xen 4.8.1-1+deb9u3 [jessie] - xen (Vulnerable code not present) [wheezy] - xen (Vulnerable code not present) NOTE: https://xenbits.xen.org/xsa/advisory-225.html CVE-2017-10922 (The grant-table feature in Xen through 4.8.x mishandles MMIO region gr ...) {DSA-3969-1 DLA-1132-1} - xen 4.8.1-1+deb9u3 NOTE: https://xenbits.xen.org/xsa/advisory-224.html CVE-2017-10921 (The grant-table feature in Xen through 4.8.x does not ensure sufficien ...) {DSA-3969-1 DLA-1132-1} - xen 4.8.1-1+deb9u3 NOTE: https://xenbits.xen.org/xsa/advisory-224.html CVE-2017-10920 (The grant-table feature in Xen through 4.8.x mishandles a GNTMAP_devic ...) {DSA-3969-1 DLA-1132-1} - xen 4.8.1-1+deb9u3 NOTE: https://xenbits.xen.org/xsa/advisory-224.html CVE-2017-10919 (Xen through 4.8.x mishandles virtual interrupt injection, which allows ...) - xen 4.8.1-1+deb9u3 [stretch] - xen 4.8.1-1+deb9u3 [jessie] - xen (No backport available, limited to arm) [wheezy] - xen (arm not supported) NOTE: https://xenbits.xen.org/xsa/advisory-223.html CVE-2017-10918 (Xen through 4.8.x does not validate memory allocations during certain ...) {DSA-3969-1 DLA-1132-1} - xen 4.8.1-1+deb9u3 NOTE: https://xenbits.xen.org/xsa/advisory-222.html CVE-2017-10917 (Xen through 4.8.x does not validate the port numbers of polled event c ...) {DSA-3969-1} - xen 4.8.1-1+deb9u3 [wheezy] - xen (Vulnerable code not present) NOTE: https://xenbits.xen.org/xsa/advisory-221.html CVE-2017-10916 (The vCPU context-switch implementation in Xen through 4.8.x improperly ...) - xen 4.8.1-1+deb9u3 [stretch] - xen 4.8.1-1+deb9u3 [jessie] - xen (Vulnerable code not present) [wheezy] - xen (Vulnerable code not present) NOTE: https://xenbits.xen.org/xsa/advisory-220.html CVE-2017-10915 (The shadow-paging feature in Xen through 4.8.x mismanages page referen ...) {DSA-3969-1 DLA-1132-1} - xen 4.8.1-1+deb9u3 NOTE: https://xenbits.xen.org/xsa/advisory-219.html CVE-2017-10914 (The grant-table feature in Xen through 4.8.x has a race condition lead ...) {DSA-3969-1 DLA-1132-1} - xen 4.8.1-1+deb9u3 NOTE: https://xenbits.xen.org/xsa/advisory-218.html CVE-2017-10913 (The grant-table feature in Xen through 4.8.x provides false mapping in ...) {DSA-3969-1 DLA-1132-1} - xen 4.8.1-1+deb9u3 NOTE: https://xenbits.xen.org/xsa/advisory-218.html CVE-2017-10912 (Xen through 4.8.x mishandles page transfer, which allows guest OS user ...) {DSA-3969-1 DLA-1132-1} - xen 4.8.1-1+deb9u3 NOTE: https://xenbits.xen.org/xsa/advisory-217.html CVE-2017-10911 (The make_response function in drivers/block/xen-blkback/blkback.c in t ...) {DSA-3945-1 DSA-3927-1 DSA-3920-1 DLA-1497-1 DLA-1099-1} - linux 4.11.11-1 - qemu 1:2.8+dfsg-7 (bug #869706) [wheezy] - qemu (Wheezy's xen uses an embedded qemu copy) - qemu-kvm [wheezy] - qemu-kvm (Wheezy's xen uses an embedded qemu copy) NOTE: https://xenbits.xen.org/xsa/advisory-216.html CVE-2017-1000381 (The c-ares function `ares_parse_naptr_reply()`, which is used for pars ...) {DLA-998-1} - c-ares 1.12.0-4 (bug #865360) [stretch] - c-ares 1.12.0-1+deb9u1 [jessie] - c-ares 1.10.0-2+deb8u2 NOTE: https://c-ares.haxx.se/adv_20170620.html NOTE: Patch: https://c-ares.haxx.se/CVE-2017-1000381.patch CVE-2017-9763 (The grub_ext2_read_block function in fs/ext2.c in GNU GRUB before 2013 ...) - grub2 2.02~beta2-8 (unimportant) - radare2 1.6.0+dfsg-1 (bug #869423) [jessie] - radare2 (Minor issue) [wheezy] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/commit/65000a7fd9eea62359e6d6714f17b94a99a82edd NOTE: https://github.com/radare/radare2/issues/7723 NOTE: Not a security issue for Grub CVE-2017-9762 (The cmd_info function in libr/core/cmd_info.c in radare2 1.5.0 allows ...) - radare2 1.6.0+dfsg-1 (low; bug #869426) [jessie] - radare2 (Minor issue) [wheezy] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/issues/7726 NOTE: https://github.com/radare/radare2/commit/f85bc674b2a2256a364fe796351bc1971e106005 CVE-2017-9761 (The find_eoq function in libr/core/cmd.c in radare2 1.5.0 allows remot ...) - radare2 1.6.0+dfsg-1 (low; bug #869428) [jessie] - radare2 (Minor issue) [wheezy] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/commit/00e8f205475332d7842d0f0d1481eeab4e83017c NOTE: https://github.com/radare/radare2/issues/7727 CVE-2017-9760 RESERVED CVE-2017-9759 (SQL Injection exists in admin/index.php in Zenbership 1.0.8 via the fi ...) NOT-FOR-US: Zenbership CVE-2017-9758 (Savitech driver packages for Windows silently install a self-signed ce ...) NOT-FOR-US: Savitech driver packages for Windows CVE-2017-9757 (IPFire 2.19 has a Remote Command Injection vulnerability in ids.cgi vi ...) NOT-FOR-US: IPFire CVE-2017-1000375 (NetBSD maps the run-time link-editor ld.so directly below the stack re ...) NOT-FOR-US: NetBSD CVE-2017-1000374 (A flaw exists in NetBSD's implementation of the stack guard page that ...) NOT-FOR-US: NetBSD CVE-2017-1000373 (The OpenBSD qsort() function is recursive, and not randomized, an atta ...) NOT-FOR-US: OpenBSD CVE-2017-1000372 (A flaw exists in OpenBSD's implementation of the stack guard page that ...) NOT-FOR-US: OpenBSD CVE-2017-1000364 (An issue was discovered in the size of the stack guard page on Linux, ...) {DSA-3886-1 DLA-993-1} - linux 4.11.6-1 [stretch] - linux 4.9.30-2+deb9u1 NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt CVE-2017-1000365 (The Linux Kernel imposes a size restriction on the arguments and envir ...) {DSA-3945-1 DSA-3927-1 DLA-1099-1} - linux 4.11.11-1 NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt NOTE: Fixed by: https://git.kernel.org/linus/98da7d08850fb8bdeb395d6368ed15753304aa0c CVE-2017-1000366 (glibc contains a vulnerability that allows specially crafted LD_LIBRAR ...) {DSA-3887-1 DLA-992-1} - glibc 2.24-12 - eglibc NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt CVE-2017-1000369 (Exim supports the use of multiple "-p" command line arguments which ar ...) {DSA-3888-1 DLA-1001-1} - exim4 4.89-3 NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt CVE-2017-1000370 (The offset2lib patch as used in the Linux Kernel contains a vulnerabil ...) {DSA-3981-1} - linux 4.11.11-1 [wheezy] - linux (Memory layout is different) NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt CVE-2017-1000371 (The offset2lib patch as used by the Linux Kernel contains a vulnerabil ...) {DSA-3981-1} - linux 4.11.11-1 [wheezy] - linux (Memory layout is different) NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt CVE-2017-1000376 (libffi requests an executable stack allowing attackers to more easily ...) {DSA-3889-1 DLA-997-1} - libffi 3.2.1-4 NOTE: https://github.com/libffi/libffi/commit/978c9540154d320525488db1b7049277122f736d NOTE: and additionally cf. #751907 for the configure flag. NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt CVE-2017-1000377 (An issue was discovered in the size of the default stack guard page on ...) NOT-FOR-US: GRSecurity/PAX Linux specific assignment CVE-2017-9756 (The aarch64_ext_ldst_reglist function in opcodes/aarch64-dis.c in GNU ...) - binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21595 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cd3ea7c69acc5045eb28f9bf80d923116e15e4f5 CVE-2017-9755 (opcodes/i386-dis.c in GNU Binutils 2.28 does not consider the number o ...) - binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21594 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0d96e4df4812c3bad77c229dfef47a9bc115ac12 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8cac017d35ef374e65acc98818a17cf8a652cbd0 CVE-2017-9754 (The process_otr function in bfd/versados.c in the Binary File Descript ...) - binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21591 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=04f963fd489cae724a60140e13984415c205f4ac CVE-2017-9753 (The versados_mkobject function in bfd/versados.c in the Binary File De ...) - binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21591 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=04f963fd489cae724a60140e13984415c205f4ac CVE-2017-9752 (bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbf ...) - binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21589 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c53d2e6d744da000aaafe0237bced090aab62818 CVE-2017-9751 (opcodes/rl78-decode.opc in GNU Binutils 2.28 has an unbounded GETBYTE ...) - binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21588 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=63323b5b23bd83fa7b04ea00dff593c933e9b0e3 CVE-2017-9750 (opcodes/rx-decode.opc in GNU Binutils 2.28 lacks bounds checks for cer ...) - binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21587 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=db5fa770268baf8cc82cf9b141d69799fd485fe2 CVE-2017-9749 (The *regs* macros in opcodes/bfin-dis.c in GNU Binutils 2.28 allow rem ...) - binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21586 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=08c7881b814c546efc3996fd1decdf0877f7a779 CVE-2017-9748 (The ieee_object_p function in bfd/ieee.c in the Binary File Descriptor ...) - binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21582 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=63634bb4a107877dd08b6282e28e11cfd1a1649e CVE-2017-9747 (The ieee_archive_p function in bfd/ieee.c in the Binary File Descripto ...) - binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21581 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=62b76e4b6e0b4cb5b3e0053d1de4097b32577049 CVE-2017-9746 (The disassemble_bytes function in objdump.c in GNU Binutils 2.28 allow ...) - binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21580 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ae87f7e73eba29bd38b3a9684a10b948ed715612 CVE-2017-9745 (The _bfd_vms_slurp_etir function in bfd/vms-alpha.c in the Binary File ...) - binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21579 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=76800cba595efc3fe95a446c2d664e42ae4ee869 CVE-2017-9744 (The sh_elf_set_mach_from_flags function in bfd/elf32-sh.c in the Binar ...) - binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21578 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f461bbd847f15657f3dd2f317c30c75a7520da1f CVE-2017-9743 (The print_insn_score32 function in opcodes/score7-dis.c:552 in GNU Bin ...) - binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21577 CVE-2017-9742 (The score_opcodes function in opcodes/score7-dis.c in GNU Binutils 2.2 ...) - binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21576 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e64519d1ed7fd8f990f05a5562d5b5c0c44b7d7e CVE-2017-9741 (install/make-config.php in ProjectSend r754 allows remote attackers to ...) NOT-FOR-US: ProjectSend CVE-2017-9740 (The xps_decode_font_char_imp function in xps/xpsfont.c in Artifex Ghos ...) - ghostscript 9.22~dfsg-1 (unimportant; bug #869879) [jessie] - ghostscript (Vulnerable code not present) [wheezy] - ghostscript (Vulnerable code not present) NOTE: The Debian binary package is not affected xps/ not used NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698064 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=961b10cdd71403072fb99401a45f3bef6ce53626 CVE-2017-9739 (The Ins_JMPR function in base/ttinterp.c in Artifex Ghostscript GhostX ...) {DSA-3986-1 DLA-1048-1} [experimental] - ghostscript 9.22~~rc1~dfsg-1 - ghostscript 9.22~dfsg-1 (bug #869910) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698063 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=c501a58f8d5650c8ba21d447c0d6f07eafcb0f15 (ghostpdl-9.22rc1) CVE-2017-9738 RESERVED CVE-2017-9737 RESERVED CVE-2017-9736 (SPIP 3.1.x before 3.1.6 and 3.2.x before Beta 3 does not remove shell ...) {DSA-3890-1} - spip 3.1.4-3 (bug #864921) [jessie] - spip (Vulnerable code not present) [wheezy] - spip (Vulnerable code not present) NOTE: https://contrib.spip.net/CRITICAL-security-update-SPIP-3-1-6-and-SPIP-3-2-Beta NOTE: https://core.spip.net/projects/spip/repository/revisions/23593 NOTE: https://core.spip.net/projects/spip/repository/revisions/23594 CVE-2017-9734 RESERVED CVE-2017-9733 RESERVED CVE-2017-9732 (The read_packet function in knc (Kerberised NetCat) before 1.11-1 is v ...) NOT-FOR-US: knc (Kerberised NetCat) CVE-2017-9731 (In meta/classes/package_ipk.bbclass in Poky in poky-pyro 17.0.0 for Yo ...) NOT-FOR-US: Poky for Yocto Project CVE-2017-9730 (SQL injection vulnerability in rdr.php in nuevoMailer version 6.0 and ...) NOT-FOR-US: nuevoMailer CVE-2017-9729 (In uClibc 0.9.33.2, there is stack exhaustion (uncontrolled recursion) ...) - uclibc (unimportant) CVE-2017-9728 (In uClibc 0.9.33.2, there is an out-of-bounds read in the get_subexp f ...) - uclibc (unimportant) CVE-2017-9727 (The gx_ttfReader__Read function in base/gxttfb.c in Artifex Ghostscrip ...) {DSA-3986-1 DLA-1048-1} [experimental] - ghostscript 9.22~~rc1~dfsg-1 - ghostscript 9.22~dfsg-1 (bug #869913) NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=698056 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=937ccd17ac65935633b2ebc06cb7089b91e17e6b (ghostpdl-9.22rc1) CVE-2017-9726 (The Ins_MDRP function in base/ttinterp.c in Artifex Ghostscript GhostX ...) {DSA-3986-1 DLA-1048-1} [experimental] - ghostscript 9.22~~rc1~dfsg-1 - ghostscript 9.22~dfsg-1 (bug #869915) NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=698055 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=7755e67116e8973ee0e3b22d653df026a84fa01b (ghostpdl-9.22rc1) CVE-2017-9735 (Jetty through 9.4.x is prone to a timing channel in util/security/Pass ...) {DLA-1021-1 DLA-1020-1} - jetty9 9.2.22-1 (bug #864898) [stretch] - jetty9 (Harmless information leak) - jetty8 [jessie] - jetty8 (Minor issue) - jetty [jessie] - jetty (Minor issue) NOTE: https://github.com/eclipse/jetty.project/issues/1556 NOTE: https://github.com/eclipse/jetty.project/commit/042f325f1cd6e7891d72c7e668f5947b5457dc02 NOTE: https://github.com/eclipse/jetty.project/commit/f3751d70787fd8ab93932a51c60514c2eb37cb58 NOTE: https://github.com/eclipse/jetty.project/commit/2baa1abe4b1c380a30deacca1ed367466a1a62ea CVE-2017-9725 (In all Qualcomm products with Android releases from CAF using the Linu ...) - linux 4.3.1-1 NOTE: Fixed by: https://git.kernel.org/linus/67a2e213e7e937c41c52ab5bc46bf3f4de469f6e (4.3-rc7) CVE-2017-9724 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-9723 (The touchscreen driver synaptics_dsx in Android for MSM, Firefox OS fo ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-9722 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9721 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Android boot loader (aboot) CVE-2017-9720 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-9719 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9718 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9717 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9716 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: qbt1000 driver in Android CVE-2017-9715 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9714 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9713 RESERVED CVE-2017-9712 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9711 RESERVED CVE-2017-9710 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9709 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9708 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9707 RESERVED CVE-2017-9706 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9705 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9704 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9703 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9702 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9701 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9700 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9699 RESERVED CVE-2017-9698 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9697 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9696 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9695 RESERVED CVE-2017-9694 (While parsing Netlink attributes in QCA_WLAN_VENDOR_ATTR_EXTSCAN_BSSID ...) NOT-FOR-US: Google drivers for Android CVE-2017-9693 (The length of attribute value for STA_EXT_CAPABILITY in __wlan_hdd_cha ...) NOT-FOR-US: Google drivers for Android CVE-2017-9692 (When an atomic commit is issued on a writeback panel with a NULL outpu ...) NOT-FOR-US: Google drivers for Android CVE-2017-9691 (There is a race condition in Android for MSM, Firefox OS for MSM, and ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-9690 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9689 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9688 REJECTED CVE-2017-9687 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9686 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9685 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-9684 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-9683 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9682 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-9681 (In Android before 2017-08-05 on Qualcomm MSM, Firefox OS for MSM, QRD ...) NOT-FOR-US: Google drivers for Android CVE-2017-9680 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Google drivers for Android CVE-2017-9679 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Google drivers for Android CVE-2017-9678 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-9677 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-9676 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-9675 (On D-Link DIR-605L devices, firmware before 2.08UIBetaB01.bin allows a ...) NOT-FOR-US: D-Link DIR-605L devices CVE-2017-9674 (In SimpleCE 2.3.0, an authenticated XSS vulnerability was found on ind ...) NOT-FOR-US: SimpleCE CVE-2017-9673 (In SimpleCE 2.3.0, a CSRF vulnerability can be exploited to add an adm ...) NOT-FOR-US: SimpleCE CVE-2017-9672 RESERVED CVE-2017-9671 (A heap overflow in apk (Alpine Linux's package manager) allows a remot ...) NOT-FOR-US: apk (Alpine's package manager) CVE-2017-9670 (An uninitialized stack variable vulnerability in load_tic_series() in ...) - gnuplot 5.0.5+dfsg1-7 (unimportant; bug #864901) [stretch] - gnuplot 5.0.5+dfsg1-6+deb9u1 [jessie] - gnuplot (Vulnerable code introduced later) [wheezy] - gnuplot (Vulnerable code introduced later) - gnuplot5 (unimportant; bug #864903) [jessie] - gnuplot5 (Vulnerable code introduced later) NOTE: https://sourceforge.net/p/gnuplot/bugs/1933/ NOTE: The specific CVE is for the uninitialized stack variable fixed via set.c NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1044638#c5 NOTE: Fixed by: https://github.com/gnuplot/gnuplot/commit/4e39b1d7b274c7d4a69cbaba85ff321264f4457e NOTE: Introduced by: https://github.com/gnuplot/gnuplot/commit/cd4b777389379598740fc02decff772b0e7bcbd6 NOTE: Crash in a CLI tool, no security impact CVE-2017-9669 (A heap overflow in apk (Alpine Linux's package manager) allows a remot ...) NOT-FOR-US: apk (Alpine's package manager) CVE-2017-9668 (In admin\addgroup.php in CMS Made Simple 2.1.6, when adding a user gro ...) NOT-FOR-US: CMS Made Simple CVE-2017-9667 RESERVED CVE-2017-9666 RESERVED CVE-2017-9665 RESERVED CVE-2017-9664 (In ABB SREA-01 revisions A, B, C: application versions up to 3.31.5, a ...) NOT-FOR-US: ABB CVE-2017-9663 (An Cleartext Storage of Sensitive Information issue was discovered in ...) NOT-FOR-US: General Motors (GM) and Shanghai OnStar (SOS) SOS iOS Client CVE-2017-9662 (An Improper Privilege Management issue was discovered in Fuji Electric ...) NOT-FOR-US: Fuji Electric Monitouch V-SFT CVE-2017-9661 (An Uncontrolled Search Path Element issue was discovered in SIMPlight ...) NOT-FOR-US: SIMPlight SCADA Software CVE-2017-9660 (A Heap-Based Buffer Overflow was discovered in Fuji Electric Monitouch ...) NOT-FOR-US: Fuji Electric Monitouch V-SFT CVE-2017-9659 (A Stack-Based Buffer Overflow issue was discovered in Fuji Electric Mo ...) NOT-FOR-US: Fuji Electric Monitouch V-SFT CVE-2017-9658 (Certain 802.11 network management messages have been determined to inv ...) NOT-FOR-US: Philips IntelliVue MX40 CVE-2017-9657 (Under specific 802.11 network conditions, a partial re-association of ...) NOT-FOR-US: Philips IntelliVue MX40 CVE-2017-9656 (The backend database of the Philips DoseWise Portal application versio ...) NOT-FOR-US: Philips DoseWise Portal CVE-2017-9655 (A Cross-Site Scripting issue was discovered in OSIsoft PI Integrator f ...) NOT-FOR-US: OSIsoft CVE-2017-9654 (The Philips DoseWise Portal web-based application versions 1.1.7.333 a ...) NOT-FOR-US: Philips DoseWise Portal CVE-2017-9653 (An Improper Authorization issue was discovered in OSIsoft PI Integrato ...) NOT-FOR-US: OSIsoft CVE-2017-9652 RESERVED CVE-2017-9651 RESERVED CVE-2017-9650 (An Unrestricted Upload of File with Dangerous Type issue was discovere ...) NOT-FOR-US: Automated Logic Corporation (ALC) CVE-2017-9649 (A Use of Hard-Coded Cryptographic Key issue was discovered in Mirion T ...) NOT-FOR-US: Mirion CVE-2017-9648 (An Uncontrolled Search Path Element issue was discovered in Solar Cont ...) NOT-FOR-US: Solar Controls WATTConfig M Software CVE-2017-9647 (A Stack-Based Buffer Overflow issue was discovered in the Continental ...) NOT-FOR-US: Continental AG Infineon S-Gold CVE-2017-9646 (An Uncontrolled Search Path Element issue was discovered in Solar Cont ...) NOT-FOR-US: Solar Controls Heating Control Downloader (HCDownloader) CVE-2017-9645 (An Inadequate Encryption Strength issue was discovered in Mirion Techn ...) NOT-FOR-US: Mirion CVE-2017-9644 (An Unquoted Search Path or Element issue was discovered in Automated L ...) NOT-FOR-US: Automated Logic Corporation (ALC) CVE-2017-9643 RESERVED CVE-2017-9642 RESERVED CVE-2017-9641 (PI Coresight 2016 R2 contains a cross-site request forgery vulnerabili ...) NOT-FOR-US: PI Coresight CVE-2017-9640 (A Path Traversal issue was discovered in Automated Logic Corporation ( ...) NOT-FOR-US: Automated Logic Corporation (ALC) CVE-2017-9639 (An issue was discovered in Fuji Electric V-Server Version 3.3.22.0 and ...) NOT-FOR-US: Fuji Electric V-Server CVE-2017-9638 (Mitsubishi E-Designer, Version 7.52 Build 344 contains six code sectio ...) NOT-FOR-US: Mitsubishi E-Designer CVE-2017-9637 (Schneider Electric Ampla MES 6.4 provides capability to interact with ...) NOT-FOR-US: Schneider Electric CVE-2017-9636 (Mitsubishi E-Designer, Version 7.52 Build 344 contains five code secti ...) NOT-FOR-US: Mitsubishi E-Designer CVE-2017-9635 (Schneider Electric Ampla MES 6.4 provides capability to configure user ...) NOT-FOR-US: Schneider Electric CVE-2017-9634 (Mitsubishi E-Designer, Version 7.52 Build 344 contains two code sectio ...) NOT-FOR-US: Mitsubishi E-Designer CVE-2017-9633 (An Improper Restriction of Operations within the Bounds of a Memory Bu ...) NOT-FOR-US: Continental AG Infineon S-Gold 2 CVE-2017-9632 (A Missing Encryption of Sensitive Data issue was discovered in PDQ Man ...) NOT-FOR-US: PDQ Manufacturing LaserWash CVE-2017-9631 (A Null Pointer Dereference issue was discovered in Schneider Electric ...) NOT-FOR-US: Schneider Electric CVE-2017-9630 (An Improper Authentication issue was discovered in PDQ Manufacturing L ...) NOT-FOR-US: PDQ Manufacturing LaserWash CVE-2017-9629 (A Stack-Based Buffer Overflow issue was discovered in Schneider Electr ...) NOT-FOR-US: Schneider Electric CVE-2017-9628 (An Information Exposure issue was discovered in Saia Burgess Controls ...) NOT-FOR-US: Saia Burgess Controls CVE-2017-9627 (An Uncontrolled Resource Consumption issue was discovered in Schneider ...) NOT-FOR-US: Schneider Electric CVE-2017-9626 (Systems using the Marel Food Processing Systems Pluto platform do not ...) NOT-FOR-US: Marel Food Processing Systems Pluto platform CVE-2017-9625 (An Improper Authentication issue was discovered in Envitech EnviDAS Ul ...) NOT-FOR-US: Envitech EnviDAS Ultimate CVE-2017-9624 (Multiple cross-site scripting (XSS) vulnerabilities in Telaxus/EPESI 1 ...) NOT-FOR-US: Telaxus/EPESI CVE-2017-9623 (Multiple cross-site scripting (XSS) vulnerabilities in Telaxus/EPESI 1 ...) NOT-FOR-US: Telaxus/EPESI CVE-2017-9622 (Multiple cross-site scripting (XSS) vulnerabilities in Telaxus/EPESI 1 ...) NOT-FOR-US: Telaxus/EPESI CVE-2017-9621 (Cross-site scripting (XSS) vulnerability in modules/Base/Lang/Administ ...) NOT-FOR-US: Telaxus/EPESI CVE-2017-9620 (The xps_select_font_encoding function in xps/xpsfont.c in Artifex Ghos ...) - ghostscript 9.22~dfsg-1 (unimportant; bug #869879) [jessie] - ghostscript (Vulnerable code not present) [wheezy] - ghostscript (Vulnerable code not present) NOTE: The Debian binary package is not affected xps/ not used NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698050 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=3ee55637480d5e319a5de0481b01c3346855cbc9 CVE-2017-9619 (The xps_true_callback_glyph_name function in xps/xpsttf.c in Artifex G ...) - ghostscript 9.22~dfsg-1 (unimportant; bug #869879) [jessie] - ghostscript (Vulnerable code not present) [wheezy] - ghostscript (Vulnerable code not present) NOTE: The Debian binary package is not affected xps/ not used NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698042 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=c53183d4e7103e87368b7cfa15367a47d559e323 CVE-2017-9618 (The xps_load_sfnt_name function in xps/xpsfont.c in Artifex Ghostscrip ...) - ghostscript 9.22~dfsg-1 (unimportant; bug #869879) [jessie] - ghostscript (Vulnerable code not present) [wheezy] - ghostscript (Vulnerable code not present) NOTE: The Debian binary package is not affected xps/ not used NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698044 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=3c2aebbedd37fab054e80f2e315de07d7e9b5bdb CVE-2017-9617 (In Wireshark 2.2.7, deeply nested DAAP data may cause stack exhaustion ...) - wireshark 2.4.0-1 (low; bug #870174) [jessie] - wireshark (Minor issue) [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13799 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=82fc557bed30b1aa69ca43a4291b64a9ce54c78a CVE-2017-9616 (In Wireshark 2.2.7, overly deep mp4 chunks may cause stack exhaustion ...) - wireshark 2.4.0-1 (low; bug #870173) [jessie] - wireshark (Minor issue) [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13777 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=620f69a74b18908e3424920c7bb01cb5e4cbd8b1 CVE-2017-9615 (Password exposure in Cognito Software Moneyworks 8.0.3 and earlier all ...) NOT-FOR-US: Cognito Software Moneyworks CVE-2017-9614 (The fill_input_buffer function in jdatasrc.c in libjpeg-turbo 1.5.1 al ...) NOT-FOR-US: Not a bug in libjpeg itself, but incorrect API usage NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/167 CVE-2017-9613 (Stored Cross-site scripting (XSS) vulnerability in SAP SuccessFactors ...) NOT-FOR-US: SAP SuccessFactors CVE-2017-9612 (The Ins_IP function in base/ttinterp.c in Artifex Ghostscript GhostXPS ...) {DSA-3986-1 DLA-1048-1} [experimental] - ghostscript 9.22~~rc1~dfsg-1 - ghostscript 9.22~dfsg-1 (bug #869916) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698026 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=98f6da60b9d463c617e631fc254cf6d66f2e8e3c (ghostpdl-9.22rc1) CVE-2017-9611 (The Ins_MIRP function in base/ttinterp.c in Artifex Ghostscript GhostX ...) {DSA-3986-1 DLA-1048-1} [experimental] - ghostscript 9.22~~rc1~dfsg-1 - ghostscript 9.22~dfsg-1 (bug #869917) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698024 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=c7c55972758a93350882c32147801a3485b010fe (ghostpdl-9.22rc1) CVE-2017-9610 (The xps_load_sfnt_name function in xps/xpsfont.c in Artifex Ghostscrip ...) - ghostscript 9.22~dfsg-1 (unimportant; bug #869879) [jessie] - ghostscript (Vulnerable code not present) [wheezy] - ghostscript (Vulnerable code not present) NOTE: The Debian binary package is not affected xps/ not used NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698025 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=d2ab84732936b6e7e5a461dc94344902965e9a06 CVE-2017-9609 (Cross-site scripting (XSS) vulnerability in Blackcat CMS 1.2 allows re ...) NOT-FOR-US: Blackcat CMS CVE-2017-9608 (The dnxhd decoder in FFmpeg before 3.2.6, and 3.3.x before 3.3.3 allow ...) {DSA-3957-1} - ffmpeg 7:3.3.3-1 NOTE: http://www.openwall.com/lists/oss-security/2017/08/14/1 NOTE: https://github.com/FFmpeg/FFmpeg/commit/611b35627488a8d0763e75c25ee0875c5b7987dd NOTE: https://github.com/FFmpeg/FFmpeg/commit/0a709e2a10b8288a0cc383547924ecfe285cef89 CVE-2017-9607 (The BL1 FWU SMC handling code in ARM Trusted Firmware before 1.4 might ...) NOT-FOR-US: ARM Trusted Firmware CVE-2017-9606 (Infotecs ViPNet Client and Coordinator before 4.3.2-42442 allow local ...) NOT-FOR-US: Infotecs ViPNet Client and Coordinator CVE-2017-9604 (KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in ...) - kdepim 4:16.04.3-4 (bug #864804) [stretch] - kdepim 4:16.04.3-4~deb9u1 [jessie] - kdepim 4:4.14.1-1+deb8u1 [wheezy] - kdepim (sendlater issue is not present in kdepim-4.4.11.1+l10n) - kf5-messagelib 4:16.04.3-3 (bug #864803) [stretch] - kf5-messagelib 4:16.04.3-3~deb9u1 NOTE: Fixed by (kmail): https://commits.kde.org/kmail/78c5552be2f00a4ac25bd77ca39386522fca70a8 NOTE: Fixed by (messagelib): https://commits.kde.org/messagelib/c54706e990bbd6498e7b1597ec7900bc809e8197 NOTE: https://www.kde.org/info/security/advisory-20170615-1.txt CVE-2017-1000379 (The Linux Kernel running on AMD64 systems will sometimes map the conte ...) - linux 4.11.6-1 [stretch] - linux 4.9.30-2+deb9u1 [jessie] - linux 3.16.43-2+deb8u1 NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt CVE-2017-1000378 (The NetBSD qsort() function is recursive, and not randomized, an attac ...) NOT-FOR-US: NetBSD CVE-2017-9605 (The vmw_gb_surface_define_ioctl function (accessible via DRM_IOCTL_VMW ...) {DSA-3945-1 DSA-3927-1} - linux 4.11.6-1 [wheezy] - linux (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2017/06/13/2 NOTE: Fixed by: https://git.kernel.org/linus/07678eca2cf9c9a18584e546c2b2a0d0c9a3150c (v4.12-rc5) CVE-2017-9603 (SQL injection vulnerability in the WP Jobs plugin before 1.5 for WordP ...) NOT-FOR-US: WP Jobs plugin for WordPress CVE-2017-9602 (KBVault Mysql Free Knowledge Base application package 0.16a comes with ...) NOT-FOR-US: KBVault Mysql Free Knowledge Base application CVE-2017-9601 (The "FNB Kemp Mobile Banking" by First National Bank of Kemp app 3.0.2 ...) NOT-FOR-US: "FNB Kemp Mobile Banking" by First National Bank of Kemp app CVE-2017-9600 (The "Peoples Bank Tulsa" by Peoples Bank - OK app 3.0.2 -- aka peoples ...) NOT-FOR-US: "Peoples Bank Tulsa" by Peoples Bank - OK app CVE-2017-9599 (The "Fountain Trust Mobile Banking" by FOUNTAIN TRUST COMPANY app befo ...) NOT-FOR-US: "Fountain Trust Mobile Banking" by FOUNTAIN TRUST COMPANY app CVE-2017-9598 (The "Morton Credit Union Mobile Banking" by Morton Credit Union app 3. ...) NOT-FOR-US: "Morton Credit Union Mobile Banking" by Morton Credit Union app CVE-2017-9597 (The "Blue Ridge Bank and Trust Co. Mobile Banking" by Blue Ridge Bank ...) NOT-FOR-US: "Blue Ridge Bank and Trust Co. Mobile Banking" app CVE-2017-9596 (The "CFB Mobile Banking" by Citizens First Bank Wisconsin app 3.0.1 -- ...) NOT-FOR-US: "CFB Mobile Banking" by Citizens First Bank Wisconsin app CVE-2017-9595 (The "First State Bank of Bigfork Mobile Banking" by First State Bank o ...) NOT-FOR-US: "First State Bank of Bigfork Mobile Banking" by First State Bank of Bigfork app CVE-2017-9594 (The "SVB Mobile" by Sauk Valley Bank Mobile Banking app 3.0.0 -- aka s ...) NOT-FOR-US: "SVB Mobile" by Sauk Valley Bank Mobile Banking app CVE-2017-9593 (The "Oculina Mobile Banking" by Oculina Bank app 3.0.0 -- aka oculina- ...) NOT-FOR-US: "Oculina Mobile Banking" by Oculina Bank app CVE-2017-9592 (The "Your Legacy Federal Credit Union Mobile Banking" by Your Legacy F ...) NOT-FOR-US: "Your Legacy Federal Credit Union Mobile Banking" by Your Legacy Federal Credit Union app CVE-2017-9591 (The "PCB Mobile" by Phelps County Bank app 3.0.2 -- aka pcb-mobile/id4 ...) NOT-FOR-US: "PCB Mobile" by Phelps County Bank app CVE-2017-9590 (The "State Bank of Waterloo Mobile Banking" by State Bank of Waterloo ...) NOT-FOR-US: "State Bank of Waterloo Mobile Banking" by State Bank of Waterloo app CVE-2017-9589 (The "SCSB Shelbyville IL Mobile Banking" by Shelby County State Bank a ...) NOT-FOR-US: "SCSB Shelbyville IL Mobile Banking" by Shelby County State Bank app CVE-2017-9588 (The "Oritani Mobile Banking" by Oritani Bank app 3.0.0 -- aka oritani- ...) NOT-FOR-US: "Oritani Mobile Banking" by Oritani Bank app CVE-2017-9587 (The "PCSB BANK Mobile" by PCSB Bank app 3.0.4 -- aka pcsb-bank-mobile/ ...) NOT-FOR-US: "PCSB BANK Mobile" by PCSB Bank app CVE-2017-9586 (The "FSBY Mobile Banking" by First State Bank of Yoakum TX app 3.0.0 - ...) NOT-FOR-US: "FSBY Mobile Banking" by First State Bank of Yoakum TX app CVE-2017-9585 (The "Community State Bank - Lamar Mobile Banking" by Community State B ...) NOT-FOR-US: "Community State Bank - Lamar Mobile Banking" by Community State Bank - Lamar app CVE-2017-9584 (The "HBO Mobile Banking" by Heritage Bank of Ozarks app 3.0.0 -- aka h ...) NOT-FOR-US: "HBO Mobile Banking" by Heritage Bank of Ozarks app CVE-2017-9583 (The "Charlevoix State Bank" by Charlevoix State Bank app 3.0.1 -- aka ...) NOT-FOR-US: "Charlevoix State Bank" by Charlevoix State Bank app CVE-2017-9582 (The "BNB Mobile Banking" by Brady National Bank app 3.0.0 -- aka bnb-m ...) NOT-FOR-US: "BNB Mobile Banking" by Brady National Bank app CVE-2017-9581 (The "Algonquin State Bank Mobile Banking" by Algonquin State Bank app ...) NOT-FOR-US: "Algonquin State Bank Mobile Banking" by Algonquin State Bank app CVE-2017-9580 (The "Pioneer Bank & Trust Mobile Banking" by PIONEER BANK AND TRUS ...) NOT-FOR-US: "Pioneer Bank & Trust Mobile Banking" by PIONEER BANK AND TRUST app CVE-2017-9579 (The "JMCU Mobile Banking" by Joplin Metro Credit Union app 3.0.0 -- ak ...) NOT-FOR-US: "JMCU Mobile Banking" by Joplin Metro Credit Union app CVE-2017-9578 (The "RVCB Mobile" by RVCB Mobile Banking app 3.0.0 -- aka rvcb-mobile/ ...) NOT-FOR-US: "RVCB Mobile" by RVCB Mobile Banking app CVE-2017-9577 (The "First Citizens Bank-Mobile Banking" by First Citizens Bank (AL) a ...) NOT-FOR-US: "First Citizens Bank-Mobile Banking" by First Citizens Bank (AL) app CVE-2017-9576 (The "Middleton Community Bank Mobile Banking" by Middleton Community B ...) NOT-FOR-US: "Middleton Community Bank Mobile Banking" by Middleton Community Bank app CVE-2017-9575 (The "FVB Mobile Banking" by First Volunteer Bank of Tennessee app 3.1. ...) NOT-FOR-US: "FVB Mobile Banking" by First Volunteer Bank of Tennessee app CVE-2017-9574 (The "KC Area Credit Union Mobile Banking" by K C Area Credit Union app ...) NOT-FOR-US: "KC Area Credit Union Mobile Banking" by K C Area Credit Union app CVE-2017-9573 (The North Adams State Bank (Ursa) nasb-mobile-banking/id980573797 app ...) NOT-FOR-US: North Adams State Bank (Ursa) nasb-mobile-banking/id980573797 app CVE-2017-9572 (The athens-state-bank-mobile-banking/id719748589 app 3.0.0 for iOS doe ...) NOT-FOR-US: athens-state-bank-mobile-banking/id719748589 app CVE-2017-9571 (The Citizens Community Bank (TN) ccb-mobile-banking/id610030469 app 3. ...) NOT-FOR-US: Citizens Community Bank (TN) ccb-mobile-banking/id610030469 app CVE-2017-9570 (The mount-vernon-bank-trust-mobile-banking/id542706679 app 3.0.0 for i ...) NOT-FOR-US: mount-vernon-bank-trust-mobile-banking/id542706679 app CVE-2017-9569 (The Citizens Bank (TX) cbtx-on-the-go/id892396102 app 3.0.0 for iOS do ...) NOT-FOR-US: Citizens Bank (TX) cbtx-on-the-go/id892396102 app CVE-2017-9568 (The financial-plus-mobile-banking/id731070564 app 3.0.3 for iOS does n ...) NOT-FOR-US: financial-plus-mobile-banking/id731070564 app CVE-2017-9567 (The avb-bank-mobile-banking/id592565443 app 3.0.0 for iOS does not ver ...) NOT-FOR-US: avb-bank-mobile-banking/id592565443 app CVE-2017-9566 (The fsb-dequeen-mobile-banking/id1091025340 app 3.0.1 for iOS does not ...) NOT-FOR-US: fsb-dequeen-mobile-banking/id1091025340 app CVE-2017-9565 (The first-security-bank-sleepy-eye-mobile/id870531890 app 3.0.0 for iO ...) NOT-FOR-US: first-security-bank-sleepy-eye-mobile/id870531890 app CVE-2017-9564 (The community-banks-cb2go/id445828071 app 3.1.3 for iOS does not verif ...) NOT-FOR-US: community-banks-cb2go/id445828071 app CVE-2017-9563 (The First Citizens Community Bank fccb/id809930960 app 3.0.1 for iOS d ...) NOT-FOR-US: First Citizens Community Bank fccb/id809930960 app CVE-2017-9562 (The Freedom First freedom-1st-credit-union-mobile-banking/id1085229458 ...) NOT-FOR-US: Freedom First freedom-1st-credit-union-mobile-banking/id1085229458 app CVE-2017-9561 (The Lee Bank & Trust lbtc-mobile/id1068984753 app 3.0.1 for iOS do ...) NOT-FOR-US: Lee Bank & Trust lbtc-mobile/id1068984753 app CVE-2017-9560 (The cayuga-lake-national-bank/id1151601539 app 4.0.1 for iOS does not ...) NOT-FOR-US: cayuga-lake-national-bank/id1151601539 app CVE-2017-9559 (The MEA Financial vision-bank/id420406345 app 3.0.1 for iOS does not v ...) NOT-FOR-US: MEA Financial vision-bank/id420406345 app CVE-2017-9558 (The wawa-employees-credit-union-mobile/id1158082793 app 4.0.1 for iOS ...) NOT-FOR-US: wawa-employees-credit-union-mobile/id1158082793 app CVE-2017-9557 (register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1 allo ...) NOT-FOR-US: EFS Software Easy Chat Server CVE-2017-9556 (Cross-site scripting (XSS) vulnerability in Video Metadata Editor in S ...) NOT-FOR-US: Synology Video Station CVE-2017-9555 (Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in ...) NOT-FOR-US: Synology Photo Station CVE-2017-9554 (An information exposure vulnerability in forget_passwd.cgi in Synology ...) NOT-FOR-US: Synology DiskStation Manager CVE-2017-9553 (A design flaw in SYNO.API.Encryption in Synology DiskStation Manager ( ...) NOT-FOR-US: Synology DiskStation Manager CVE-2017-9552 (A design flaw in authentication in Synology Photo Station 6.0-2528 thr ...) NOT-FOR-US: Synology Photo Station CVE-2015-9096 (Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection ...) {DSA-3966-1 DLA-1421-1} - ruby2.3 2.3.3-1+deb9u1 (bug #864860) - ruby2.1 - ruby1.9.1 [wheezy] - ruby1.9.1 (Minor issue, Net::SMTP users should validate data they send too) - ruby1.8 [wheezy] - ruby1.8 (Minor issue, Net::SMTP users should validate data they send too) NOTE: https://github.com/ruby/ruby/commit/0827a7e52ba3d957a634b063bf5a391239b9ffee NOTE: https://github.com/rubysec/ruby-advisory-db/issues/215 CVE-2017-9551 (Mahara 15.04 before 15.04.14 and 16.04 before 16.04.8 and 16.10 before ...) - mahara CVE-2017-9550 RESERVED CVE-2017-9549 RESERVED CVE-2017-9548 (admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) v ...) NOT-FOR-US: BigTree CMS CVE-2017-9547 (admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) v ...) NOT-FOR-US: BigTree CMS CVE-2017-9546 (admin.php in BigTree through 4.2.18 allows remote authenticated users ...) NOT-FOR-US: BigTree CMS CVE-2017-9545 (The next_text function in src/libmpg123/id3.c in mpg123 1.24.0 allows ...) - mpg123 1.25.4-1 (low; bug #870799) [stretch] - mpg123 (Minor issue) [jessie] - mpg123 (Minor issue) [wheezy] - mpg123 (Minor issue) NOTE: http://seclists.org/fulldisclosure/2017/Jul/65 CVE-2017-9544 (There is a remote stack-based buffer overflow (SEH) in register.ghp in ...) NOT-FOR-US: EFS Software Easy Chat Server CVE-2017-9543 (register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1 allo ...) NOT-FOR-US: EFS Software Easy Chat Server CVE-2017-9542 (D-Link DIR-615 Wireless N 300 Router allows authentication bypass via ...) NOT-FOR-US: D-Link CVE-2017-9541 RESERVED CVE-2017-9540 RESERVED CVE-2017-9539 RESERVED CVE-2017-9538 (The 'Upload logo from external path' function of SolarWinds Network Pe ...) NOT-FOR-US: SolarWinds Network Performance Monitor CVE-2017-9537 (Persistent cross-site scripting (XSS) in the Add Node function of Sola ...) NOT-FOR-US: SolarWinds Network Performance Monitor CVE-2017-9536 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9535 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9534 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9533 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9532 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9531 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9530 (IrfanView version 4.44 (32bit) might allow attackers to cause a denial ...) NOT-FOR-US: IrfanView CVE-2017-9529 (XnView Classic for Windows Version 2.40 allows remote attackers to exe ...) NOT-FOR-US: XnView CVE-2017-9528 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows remote atta ...) NOT-FOR-US: IrfanView CVE-2017-9527 (The mark_context_stack function in gc.c in mruby through 1.2.0 allows ...) [experimental] - mruby 1.2.0+20170601+git51e0e690-1 - mruby 1.3.0-1 (low; bug #865778) [stretch] - mruby (Minor issue) [jessie] - mruby (Minor issue) NOTE: https://github.com/mruby/mruby/issues/3486 NOTE: Fixed by: https://github.com/mruby/mruby/commit/5c114c91d4ff31859fcd84cf8bf349b737b90d99 CVE-2017-9526 (In Libgcrypt before 1.7.7, an attacker who learns the EdDSA session ke ...) {DSA-3880-1} - libgcrypt20 1.7.6-2 - libgcrypt11 (Curve Ed25519 signing and verification introduced in 1.6.0) NOTE: master: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=5a22de904a0a366ae79f03ff1e13a1232a89e26b NOTE: 1.7.x: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=f9494b3f258e01b6af8bd3941ce436bcc00afc56 NOTE: Curve Ed25519 signing and verification inplemented in 1.6.0 with NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=bc5199a02abe428ad377443280b3eda60141a1d6 NOTE: and following refactorings. CVE-2017-9524 (The qemu-nbd server in QEMU (aka Quick Emulator), when built with the ...) {DSA-3925-1} - qemu 1:2.8+dfsg-7 (bug #865755) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code not present) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-05/msg06240.html NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg02321.html CVE-2017-9525 (In the cron package through 3.0pl1-128 on Debian, and through 3.0pl1-1 ...) {DLA-1723-1} - cron 3.0pl1-129 (bug #864466) [stretch] - cron (Minor issue) [wheezy] - cron (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/06/08/3 CVE-2017-9523 (The Sophos Web Appliance before 4.3.2 has XSS in the FTP redirect page ...) NOT-FOR-US: Sophos CVE-2017-9522 (The Time Warner firmware on Technicolor TC8717T devices sets the defau ...) NOT-FOR-US: Time Warner firmware on Technicolor TC8717T devices CVE-2017-9521 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9520 (The r_config_set function in libr/config/config.c in radare2 1.5.0 all ...) - radare2 1.6.0+dfsg-1 (low; bug #864533) [jessie] - radare2 (Minor issue) [wheezy] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/commit/f85bc674b2a2256a364fe796351bc1971e106005 NOTE: https://github.com/radare/radare2/issues/7698 CVE-2017-9519 (atmail before 7.8.0.2 has CSRF, allowing an attacker to create a user ...) NOT-FOR-US: atmail CVE-2017-9518 (atmail before 7.8.0.2 has CSRF, allowing an attacker to change the SMT ...) NOT-FOR-US: atmail CVE-2017-9517 (atmail before 7.8.0.2 has CSRF, allowing an attacker to upload and imp ...) NOT-FOR-US: atmail CVE-2017-9516 (Craft CMS before 2.6.2982 allows for a potential XSS attack vector by ...) NOT-FOR-US: Craft CMS CVE-2017-9515 RESERVED CVE-2017-9514 (Bamboo before 6.0.5, 6.1.x before 6.1.4, and 6.2.x before 6.2.1 had a ...) NOT-FOR-US: Atlassian Bamboo CVE-2017-9513 (Several rest inline action resources of Atlassian Activity Streams bef ...) NOT-FOR-US: Atlassian Activity Streams CVE-2017-9512 (The mostActiveCommitters.do resource in Atlassian FishEye and Crucible ...) NOT-FOR-US: Atlassian CVE-2017-9511 (The MultiPathResource class in Atlassian FishEye and Crucible, before ...) NOT-FOR-US: Atlassian CVE-2017-9510 (The repository changelog resource in Atlassian FishEye before version ...) NOT-FOR-US: Atlassian CVE-2017-9509 (The review file upload resource in Atlassian Crucible before version 4 ...) NOT-FOR-US: Atlassian CVE-2017-9508 (Various resources in Atlassian FishEye and Crucible before version 4.4 ...) NOT-FOR-US: Atlassian CVE-2017-9507 (The review dashboard resource in Atlassian Crucible from version 4.1.0 ...) NOT-FOR-US: Atlassian CVE-2017-9506 (The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 be ...) NOT-FOR-US: Atlassian CVE-2017-9505 (Atlassian Confluence starting with 4.3.0 before 6.2.1 did not check if ...) NOT-FOR-US: Atlassian Confluence CVE-2017-9504 REJECTED CVE-2017-9503 (QEMU (aka Quick Emulator), when built with MegaRAID SAS 8708EM2 Host B ...) {DLA-1497-1} - qemu 1:2.10.0-1 (low; bug #865754) [stretch] - qemu (Minor issue, too intrusive to backport) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code not present) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg01313.html NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg01309.html NOTE: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=87e459a810d7b1ec1638085b5a80ea3d9b43119a NOTE: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=b356807fcdfc45583c437f761fc579ab2a8eab11 NOTE: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=36c327a69d723571f02a7691631667cdb1865ee1 NOTE: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=5104fac8539eaf155fc6de93e164be43e1e62242 NOTE: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=24c0c77af515acbf0f9705e8096f33ef24d37430 NOTE: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=134550bf81a026e18cf58b81e2c2cceaf516f92e NOTE: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=660174fc1b346803b3f1d7c260e2a36329b66435 CVE-2017-9502 (In curl before 7.54.1 on Windows and DOS, libcurl's default protocol f ...) - curl (Windows only) CVE-2017-9501 (In ImageMagick 7.0.5-7 Q16, an assertion failure was found in the func ...) {DSA-3914-1 DLA-1081-1 DLA-1000-1} - imagemagick 8:6.9.7.4+dfsg-12 (low; bug #867721) NOTE: https://github.com/ImageMagick/ImageMagick/issues/491 NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/01843366d6a7b96e22ad7bb67f3df7d9fd4d5d74 CVE-2017-9500 (In ImageMagick 7.0.5-8 Q16, an assertion failure was found in the func ...) {DSA-4019-1 DLA-1785-1 DLA-1000-1} - imagemagick 8:6.9.7.4+dfsg-13 (low; bug #867778) NOTE: https://github.com/ImageMagick/ImageMagick/issues/500 NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/5d95b4c24a964114e2b1ae85c2b36769251ed11d NOTE: Fixed by (6.x): https://github.com/ImageMagick/ImageMagick/commit/837085e7725f6eb591eb019e299c1ddcf34b9a79 CVE-2017-9499 (In ImageMagick 7.0.5-7 Q16, an assertion failure was found in the func ...) - imagemagick (Vulnerable code introduced later, only affects ImageMagick 7.x) NOTE: https://github.com/ImageMagick/ImageMagick/issues/492 NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/7fd419441bc7103398e313558171d342c6315f44 CVE-2017-9498 (The Comcast firmware on Motorola MX011ANM (firmware version MX011AN_2. ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9497 (The Comcast firmware on Motorola MX011ANM (firmware version MX011AN_2. ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9496 (The Comcast firmware on Motorola MX011ANM (firmware version MX011AN_2. ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9495 (The Comcast firmware on Motorola MX011ANM (firmware version MX011AN_2. ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9494 (The Comcast firmware on Motorola MX011ANM (firmware version MX011AN_2. ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9493 (The Comcast firmware on Motorola MX011ANM (firmware version MX011AN_2. ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9492 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9491 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9490 (The Comcast firmware on Arris TG1682G (eMTA&DOCSIS version 10.0.13 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9489 (The Comcast firmware on Cisco DPC3939B (firmware version dpc3939b-v303 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9488 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9487 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9486 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9485 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9484 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9483 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9482 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9481 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9480 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9479 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9478 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9477 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9476 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9475 (Comcast XFINITY WiFi Home Hotspot devices allow remote attackers to sp ...) NOT-FOR-US: Comcast XFINITY WiFi Home Hotspot devices CVE-2017-9474 (In ytnef 1.9.2, the DecompressRTF function in lib/ytnef.c allows remot ...) - libytnef 1.9.3-1 (low; bug #870192) [stretch] - libytnef (Minor issue) [jessie] - libytnef (Minor issue) [wheezy] - libytnef (Minor issue) NOTE: https://github.com/Yeraze/ytnef/issues/40 NOTE: https://blogs.gentoo.org/ago/2017/05/24/ytnef-heap-based-buffer-overflow-in-decompressrtf-ytnef-c/ CVE-2017-9473 (In ytnef 1.9.2, the TNEFFillMapi function in lib/ytnef.c allows remote ...) - libytnef 1.9.3-1 (low; bug #870197) [stretch] - libytnef (Minor issue) [jessie] - libytnef (Minor issue) [wheezy] - libytnef (Minor issue) NOTE: https://github.com/Yeraze/ytnef/issues/42 NOTE: https?//github.com/Yeraze/ytnef/commit/a341b7f1bf8a2c59ece89f2d6cdc09856d501cc0 NOTE: https://blogs.gentoo.org/ago/2017/05/24/ytnef-memory-allocation-failure-in-tneffillmapi-ytnef-c/ CVE-2017-9472 (In ytnef 1.9.2, the SwapDWord function in lib/ytnef.c allows remote at ...) - libytnef 1.9.3-1 (low; bug #870193) [stretch] - libytnef (Minor issue) [jessie] - libytnef (Minor issue) [wheezy] - libytnef (Minor issue) NOTE: https://github.com/Yeraze/ytnef/issues/41 NOTE: https://blogs.gentoo.org/ago/2017/05/24/ytnef-heap-based-buffer-overflow-in-swapdword-ytnef-c/ CVE-2017-9471 (In ytnef 1.9.2, the SwapWord function in lib/ytnef.c allows remote att ...) - libytnef 1.9.3-1 (low; bug #870194) [stretch] - libytnef (Minor issue) [jessie] - libytnef (Minor issue) [wheezy] - libytnef (Minor issue) NOTE: https://github.com/Yeraze/ytnef/issues/39 NOTE: https://blogs.gentoo.org/ago/2017/05/24/ytnef-heap-based-buffer-overflow-in-swapword-ytnef-c/ CVE-2017-9470 (In ytnef 1.9.2, the MAPIPrint function in lib/ytnef.c allows remote at ...) - libytnef 1.9.3-1 (low; bug #870196) [stretch] - libytnef (Minor issue) [jessie] - libytnef (Minor issue) [wheezy] - libytnef (Minor issue) NOTE: https://github.com/Yeraze/ytnef/issues/37 NOTE: https://blogs.gentoo.org/ago/2017/05/24/ytnef-null-pointer-dereference-in-mapiprint-ytnef-c/ CVE-2017-9469 (In Irssi before 1.0.3, when receiving certain incorrectly quoted DCC f ...) {DSA-3885-1 DLA-1088-1} - irssi 1.0.3-1 (bug #864400) NOTE: https://github.com/irssi/irssi/commit/30a92754bb650c3dedd507d41110443142899a65 NOTE: https://irssi.org/security/irssi_sa_2017_06.txt CVE-2017-9468 (In Irssi before 1.0.3, when receiving a DCC message without source nic ...) {DSA-3885-1 DLA-1088-1} - irssi 1.0.3-1 (bug #864400) NOTE: https://github.com/irssi/irssi/commit/528f51bfbe5c65c5b24546faa244009dd5b3c586 NOTE: https://irssi.org/security/irssi_sa_2017_06.txt CVE-2017-9467 (Cross-site scripting (XSS) vulnerability in the GlobalProtect external ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-9466 (The executable httpd on the TP-Link WR841N V8 router before TL-WR841N( ...) NOT-FOR-US: TP-Link CVE-2017-9465 (The yr_arena_write_data function in YARA 3.6.1 allows remote attackers ...) - yara 3.6.2+dfsg-1 (low; bug #864517) [stretch] - yara (Minor issue, too intrusive to backport) [jessie] - yara (Minor issue, too intrusive to backport) NOTE: https://github.com/VirusTotal/yara/issues/678 NOTE: https://github.com/VirusTotal/yara/commit/992480c30f75943e9cd6245bb2015c7737f9b661 CVE-2017-9464 (An open redirect vulnerability is present in Piwigo 2.9 and probably p ...) - piwigo CVE-2017-9463 (The application Piwigo is affected by a SQL injection vulnerability in ...) - piwigo CVE-2017-9460 RESERVED CVE-2017-9459 (Cross-site scripting (XSS) vulnerability in the management web interfa ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-9458 (XML external entity (XXE) vulnerability in the GlobalProtect internal ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-9457 (Intense PC Phoenix SecureCore UEFI firmware does not perform capsule s ...) NOT-FOR-US: Intense PC (aka MintBox 2) Phoenix SecureCore UEFI firmware CVE-2017-9456 RESERVED CVE-2017-9455 RESERVED CVE-2017-9454 (Buffer overflow in the ares_parse_a_reply function in the embedded are ...) - resiprocate 1:1.11.0~beta4-1 (unimportant) NOTE: https://github.com/resiprocate/resiprocate/commit/d67a9ca6fd06ca65d23e313bdbad1ef4dd3aa0df NOTE: Fixed sourcewise in 1:1.11.0~beta4-1 but unimportant since uses the NOTE: system library. CVE-2017-9453 RESERVED CVE-2017-9452 (Cross-site scripting (XSS) vulnerability in admin.php in Piwigo 2.9.0 ...) - piwigo CVE-2017-9451 (Cross site scripting (XSS) vulnerability in pages.edit_form.php in fla ...) NOT-FOR-US: flatCore CMS CVE-2017-9450 (The Amazon Web Services (AWS) CloudFormation bootstrap tools package ( ...) NOT-FOR-US: Amazon Web Services (AWS) CloudFormation bootstrap tools package CVE-2017-9449 (SQL injection vulnerability in BigTree CMS through 4.2.18 allows remot ...) NOT-FOR-US: BigTree CMS CVE-2017-9448 (Cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2. ...) NOT-FOR-US: BigTree CMS CVE-2017-9462 (In Mercurial before 4.1.3, "hg serve --stdio" allows remote authentica ...) {DLA-1414-1 DLA-1005-1} - mercurial 4.3.1-1 (bug #861243) [stretch] - mercurial 4.0-1+deb9u1 NOTE: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29 NOTE: https://www.mercurial-scm.org/repo/hg/rev/77eaf9539499 CVE-2017-9461 (smbd in Samba before 4.4.10 and 4.5.x before 4.5.6 has a denial of ser ...) {DLA-1754-1} - samba 2:4.5.6+dfsg-1 (bug #864291) [wheezy] - samba (Minor, non reproducible issue) NOTE: https://git.samba.org/?p=samba.git;a=commitdiff;h=10c3e3923022485c720f322ca4f0aca5d7501310 NOTE: https://bugzilla.samba.org/show_bug.cgi?id=12572 CVE-2017-9447 (In the web interface of Parallels Remote Application Server (RAS) 15.5 ...) NOT-FOR-US: Parallels Remote Application Server CVE-2017-9446 RESERVED CVE-2017-9445 (In systemd through 233, certain sizes passed to dns_packet_new in syst ...) - systemd 233-10 (bug #866147) [stretch] - systemd 232-25+deb9u1 [jessie] - systemd (Vulnerable code not present) [wheezy] - systemd (Vulnerable code not present) NOTE: Introduced by: https://github.com/systemd/systemd/commit/a0166609f782da91710dea9183d1bf138538db37 NOTE: http://www.openwall.com/lists/oss-security/2017/06/27/8 CVE-2017-9444 (BigTree CMS through 4.2.18 has CSRF related to the core\admin\modules\ ...) NOT-FOR-US: BigTree CMS CVE-2017-9443 (** DISPUTED ** BigTree CMS through 4.2.18 allows remote authenticated ...) NOT-FOR-US: BigTree CMS CVE-2017-9442 (** DISPUTED ** BigTree CMS through 4.2.18 allows remote authenticated ...) NOT-FOR-US: BigTree CMS CVE-2017-9441 (** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in ...) NOT-FOR-US: BigTree CMS CVE-2017-9440 (In ImageMagick 7.0.5-5, a memory leak was found in the function ReadPS ...) {DSA-3914-1} - imagemagick 8:6.9.7.4+dfsg-12 (low; bug #864273) [wheezy] - imagemagick (vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/462 NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/c2be129c25763680afeca59f4de5d6d4240ca2cf CVE-2017-9439 (In ImageMagick 7.0.5-5, a memory leak was found in the function ReadPD ...) {DSA-3914-1 DLA-1000-1} - imagemagick 8:6.9.7.4+dfsg-12 (low; bug #864274) NOTE: https://github.com/ImageMagick/ImageMagick/issues/460 NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/6c6abed989ea4a3ef472db65ab487c1809a3a718 CVE-2017-9438 (libyara/re.c in the regexp module in YARA 3.5.0 allows remote attacker ...) - yara 3.6.1+dfsg-1 (low; bug #864518) [stretch] - yara (Minor issue, too intrusive to backport) [jessie] - yara (Minor issue, too intrusive to backport) NOTE: https://github.com/VirusTotal/yara/issues/674 NOTE: Fixed by: https://github.com/VirusTotal/yara/commit/10e8bd3071677dd1fa76beeef4bc2fc427cea5e7 CVE-2017-9437 (Openbravo Business Suite 3.0 is affected by SQL injection. This vulner ...) NOT-FOR-US: Openbravo Business Suite CVE-2017-9436 (TeamPass before 2.1.27.4 is vulnerable to a SQL injection in users.que ...) - teampass (bug #730180) CVE-2017-9435 (Dolibarr ERP/CRM before 5.0.3 is vulnerable to a SQL injection in user ...) - dolibarr 5.0.4+dfsg3-1 (bug #864569) NOTE: https://github.com/Dolibarr/dolibarr/commit/70636cc59ffa1ffbc0ce3dba315d7d9b837aad04 CVE-2017-9434 (Crypto++ (aka cryptopp) through 5.6.5 contains an out-of-bounds read v ...) - libcrypto++ 5.6.4-7 (bug #864214) [jessie] - libcrypto++ (Minor issue) [wheezy] - libcrypto++ (Minor issue) NOTE: https://github.com/weidai11/cryptopp/issues/414 NOTE: https://github.com/weidai11/cryptopp/commit/07dbcc3d9644b18e05c1776db2a57fe04d780965 CVE-2017-9433 (Document Liberation Project libmwaw before 2017-04-08 has an out-of-bo ...) {DSA-3875-1} - libmwaw 0.3.9-2 (bug #864366) NOTE: https://sourceforge.net/p/libmwaw/libmwaw/ci/68b3b74569881248bfb6cbb4266177cc253b292f/ CVE-2017-9432 (Document Liberation Project libstaroffice before 2017-04-07 has an out ...) - libstaroffice 0.0.3-3 (bug #864207) CVE-2017-9431 (Google gRPC before 2017-04-05 has an out-of-bounds write caused by a h ...) - grpc 1.3.2-0.1 (bug #864210) NOTE: https://github.com/grpc/grpc/pull/10492 NOTE: Fixed by: https://github.com/grpc/grpc/commit/c6ec1155d026c91b1badb07ef1605bb747cff064 CVE-2017-9430 (Stack-based buffer overflow in dnstracer through 1.9 allows attackers ...) - dnstracer (unimportant) NOTE: Crash in CLI tool, disputable if any exposed service makes use of dnstrace. NOTE: One scenario would be to have a web application that launches dnstracer NOTE: with user supplied name strings to evaluate. CVE-2017-9429 (SQL injection vulnerability in the Event List plugin 0.7.8 for WordPre ...) NOT-FOR-US: Event List plugin for WordPress CVE-2017-9428 (A directory traversal vulnerability exists in core\admin\ajax\develope ...) NOT-FOR-US: BigTree CMS CVE-2017-9427 (SQL injection vulnerability in BigTree CMS through 4.2.18 allows remot ...) NOT-FOR-US: BigTree CMS CVE-2017-9426 (ws.php in the Facetag extension 0.0.3 for Piwigo allows SQL injection ...) NOT-FOR-US: Piwigo extension CVE-2017-9425 (The Facetag extension 0.0.3 for Piwigo allows XSS via the name paramet ...) NOT-FOR-US: Piwigo extension CVE-2017-9424 (IdeaBlade Breeze Breeze.Server.NET before 1.6.5 allows remote attacker ...) NOT-FOR-US: IdeaBlade Breeze Breeze.Server.NET CVE-2017-9423 RESERVED CVE-2017-9422 REJECTED CVE-2017-9421 (Authentication Bypass vulnerability in Accellion kiteworks before 2017 ...) NOT-FOR-US: Accellion kiteworks CVE-2017-9420 (Cross site scripting (XSS) vulnerability in the Spiffy Calendar plugin ...) NOT-FOR-US: Spiffy Calendar plugin for WordPress CVE-2017-9419 (Cross-site scripting (XSS) vulnerability in the Webhammer WP Custom Fi ...) NOT-FOR-US: Webhammer WP Custom Fields Search plugin for WordPress CVE-2017-9418 (SQL injection vulnerability in the WP-Testimonials plugin 3.4.1 for Wo ...) NOT-FOR-US: WP-Testimonials plugin for WordPress CVE-2017-9417 (Broadcom BCM43xx Wi-Fi chips allow remote attackers to execute arbitra ...) {DLA-1573-1} - firmware-nonfree 20180518-1 (bug #869639) [stretch] - firmware-nonfree 20161130-4 [jessie] - firmware-nonfree (non-free not supported) [wheezy] - firmware-nonfree (non-free not supported) NOTE: https://www.blackhat.com/us-17/briefings/schedule/#broadpwn-remotely-compromising-android-and-ios-via-a-bug-in-broadcoms-wi-fi-chipsets-7603 NOTE: https://marc.info/?l=linux-wireless&m=150391055518346&w=2 CVE-2017-9416 (Directory traversal vulnerability in tools.file_open in Odoo 8.0, 9.0, ...) NOT-FOR-US: Odoo CVE-2017-9415 (Cross-site request forgery (CSRF) vulnerability in subsonic 6.1.1 allo ...) NOT-FOR-US: Subsonic CVE-2017-9414 (Cross-site request forgery (CSRF) vulnerability in the Subscribe to Po ...) NOT-FOR-US: Subsonic CVE-2017-9413 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Podc ...) NOT-FOR-US: Subsonic CVE-2012-6705 (Cross Site Scripting (XSS) exists in Jamroom before 4.2.7 via the Stat ...) NOT-FOR-US: Jamroom CVE-2017-9412 (The unpack_read_samples function in frontend/get_audio.c in LAME 3.99. ...) - lame 3.99.5+repack1-7 [wheezy] - lame 3.99.5+repack1-3+deb7u1 NOTE: Fixed by the improved 0001-Add-check-for-invalid-input-sample-rate.patch in NOTE: 3.99.5+repack1-7, https://anonscm.debian.org/cgit/pkg-multimedia/lame.git/commit/debian/patches?id=1c7c62d3c5614443524b5ad170ba2713a14d4e09 NOTE: http://seclists.org/fulldisclosure/2017/Jul/63 NOTE: https://sourceforge.net/p/lame/bugs/463/ NOTE: Invalid read in command line tool so no CVE is needed. MITRE contacted by ago@gentoo CVE-2017-9411 REJECTED CVE-2017-9410 REJECTED CVE-2017-9409 (In ImageMagick 7.0.5-5, the ReadMPCImage function in mpc.c allows atta ...) {DLA-1000-1} - imagemagick 8:6.9.7.4+dfsg-11 (low; bug #864090) [jessie] - imagemagick 8:6.8.9.9-5+deb8u10 NOTE: https://github.com/ImageMagick/ImageMagick/issues/458 CVE-2017-9408 (In Poppler 0.54.0, a memory leak vulnerability was found in the functi ...) {DSA-4079-1} - poppler 0.57.0-2 (low; bug #864009) [wheezy] - poppler (Vulnerable code not present) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=100776 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=b21b041f7948680c03109f0c404400a9dbc4544c CVE-2017-9407 (In ImageMagick 7.0.5-5, the ReadPALMImage function in palm.c allows at ...) {DLA-1000-1} - imagemagick 8:6.9.7.4+dfsg-11 (low; bug #864089) [jessie] - imagemagick 8:6.8.9.9-5+deb8u10 NOTE: https://github.com/ImageMagick/ImageMagick/issues/459 CVE-2017-9406 (In Poppler 0.54.0, a memory leak vulnerability was found in the functi ...) {DSA-4079-1} - poppler 0.57.0-2 (low; bug #864010) [wheezy] - poppler (Vulnerable code not present) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=100775 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=278439531b13b0b047dbe3a75aa3f1b3407c8bd4 CVE-2017-9405 (In ImageMagick 7.0.5-5, the ReadICONImage function in icon.c:452 allow ...) {DLA-1000-1} - imagemagick 8:6.9.7.4+dfsg-11 (low; bug #864087) [jessie] - imagemagick 8:6.8.9.9-5+deb8u10 NOTE: https://github.com/ImageMagick/ImageMagick/issues/457 CVE-2017-9404 (In LibTIFF 4.0.7, a memory leak vulnerability was found in the functio ...) {DLA-984-1 DLA-983-1} - tiff 4.0.8-1 [jessie] - tiff 4.0.3-12.3+deb8u4 - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2688 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/2ea32f7372b65c24b2816f11c04bf59b5090d05b NOTE: Possibly sensible to add the other memory leaks fixes in OJPEGReadHeaderInfoSecTables NOTE: method from tif_ojpeg.c, i.e.: NOTE: https://github.com/vadz/libtiff/commit/e9bd1b06fe25219cf0873fca70e46f01843fd9f4 NOTE: https://github.com/vadz/libtiff/commit/8283e4d1b7e53340684d12932880cbcbaf23a8c1 NOTE: Reproducing the issue itself is "covered" after fixing https://github.com/vadz/libtiff/commit/5ed9fea523316c2f5cec4d393e4d5d671c2dbc33 NOTE: To verify 2ea32f7372b65c24b2816f11c04bf59b5090d05b fixes the issue build src:tiff NOTE: with ASAN with 5ed9fea523316c2f5cec4d393e4d5d671c2dbc33 reverted. Before the NOTE: 2ea32f7372b65c24b2816f11c04bf59b5090d05b commit the Direct leak of 73 byte NOTE: with backtrace following the methods in http://bugzilla.maptools.org/show_bug.cgi?id=2688 NOTE: is shown. CVE-2017-9403 (In LibTIFF 4.0.7, a memory leak vulnerability was found in the functio ...) {DLA-984-1 DLA-983-1} - tiff 4.0.8-1 [jessie] - tiff 4.0.3-12.3+deb8u4 - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2689 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/fb3dc46a2fcf6197ff3b93fc76f0c37fddc0333b CVE-2017-9402 RESERVED CVE-2017-9401 RESERVED CVE-2017-9400 RESERVED CVE-2017-9399 RESERVED CVE-2017-9398 RESERVED CVE-2017-9397 RESERVED CVE-2017-9396 RESERVED CVE-2017-9395 RESERVED CVE-2017-9394 (A stored cross-site scripting vulnerability in CA Identity Governance ...) NOT-FOR-US: CA Identity Governance CVE-2017-9393 (CA Identity Manager r12.6 to r12.6 SP8, 14.0, and 14.1 allows remote a ...) NOT-FOR-US: CA Identity Manager CVE-2017-9392 (An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 d ...) NOT-FOR-US: Vera CVE-2017-9391 (An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 d ...) NOT-FOR-US: Vera CVE-2017-9390 (An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 d ...) NOT-FOR-US: Vera devices CVE-2017-9389 (An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 d ...) NOT-FOR-US: Vera CVE-2017-9388 (An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 d ...) NOT-FOR-US: Vera devices CVE-2017-9387 (An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 d ...) NOT-FOR-US: Vera CVE-2017-9386 (An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 d ...) NOT-FOR-US: Vera CVE-2017-9385 (An issue was discovered on Vera Veralite 1.7.481 devices. The device h ...) NOT-FOR-US: Vera CVE-2017-9384 (An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 d ...) NOT-FOR-US: Vera devices CVE-2017-9383 (An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 d ...) NOT-FOR-US: Vera CVE-2017-9382 (An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 d ...) NOT-FOR-US: Vera CVE-2017-9381 (An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 d ...) NOT-FOR-US: Vera devices CVE-2017-9380 (OpenEMR 5.0.0 and prior allows low-privilege users to upload files of ...) NOT-FOR-US: OpenEMR CVE-2017-9379 (Multiple CSRF issues exist in BigTree CMS through 4.2.18 - the clear p ...) NOT-FOR-US: BigTree CMS CVE-2017-9378 (BigTree CMS through 4.2.18 does not prevent a user from deleting their ...) NOT-FOR-US: BigTree CMS CVE-2017-9377 (A command injection was identified on Barco ClickShare Base Unit devic ...) NOT-FOR-US: Barco ClickShare Base Unit device CVE-2017-9376 (ManageEngine ServiceDesk Plus before 9314 contains a local file inclus ...) NOT-FOR-US: ManageEngine ServiceDesk Plus CVE-2017-9375 (QEMU (aka Quick Emulator), when built with USB xHCI controller emulato ...) {DSA-3991-1 DLA-1927-1} - qemu 1:2.10.0-1 (bug #864219) [wheezy] - qemu (vulnerable code not present) - qemu-kvm [wheezy] - qemu-kvm (vulnerable code not present) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=96d87bdda3919bb16f754b3d3fd1227e1f38f13c CVE-2017-9374 (Memory leak in QEMU (aka Quick Emulator), when built with USB EHCI Emu ...) {DSA-3920-1 DLA-1497-1} - qemu 1:2.8+dfsg-7 (bug #864568) [wheezy] - qemu (Minor issue) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=d710e1e7bd3d5bfc26b631f02ae87901ebe646b0 CVE-2017-9373 (Memory leak in QEMU (aka Quick Emulator), when built with IDE AHCI Emu ...) {DSA-3920-1 DLA-1497-1} - qemu 1:2.8+dfsg-7 (bug #864216) [wheezy] - qemu (Minor issue) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=d68f0f778e7f4fbd674627274267f269e40f0b04 CVE-2017-9371 (In BlackBerry QNX Software Development Platform (SDP) 6.6.0 and 6.5.0 ...) NOT-FOR-US: BlackBerry QNX Software Development Platform (SDP) CVE-2017-9370 (An information disclosure / elevation of privilege vulnerability in th ...) NOT-FOR-US: BlackBerry CVE-2017-9369 (In BlackBerry QNX Software Development Platform (SDP) 6.6.0 and 6.5.0 ...) NOT-FOR-US: BlackBerry QNX Software Development Platform (SDP) CVE-2017-9368 (An information disclosure vulnerability in the BlackBerry Workspaces S ...) NOT-FOR-US: BlackBerry Workspaces Server CVE-2017-9367 (A directory traversal vulnerability in the BlackBerry Workspaces Serve ...) NOT-FOR-US: BlackBerry Workspaces Server CVE-2017-9366 (Telaxus EPESI 1.8.2 and earlier has a Stored Cross-site Scripting (XSS ...) NOT-FOR-US: Telaxus EPESI CVE-2017-9365 (CSRF exists in BigTree CMS through 4.2.18 with the force parameter to ...) NOT-FOR-US: BigTree CMS CVE-2017-9364 (Unrestricted File Upload exists in BigTree CMS through 4.2.18: if an a ...) NOT-FOR-US: BigTree CMS CVE-2017-9363 (Untrusted Java serialization in Soffid IAM console before 1.7.5 allows ...) NOT-FOR-US: Soffid IAM console CVE-2017-9362 (ManageEngine ServiceDesk Plus before 9312 contains an XML injection at ...) NOT-FOR-US: ManageEngine ServiceDesk Plus CVE-2017-9361 (WebsiteBaker v2.10.0 has a stored XSS vulnerability in /account/detail ...) NOT-FOR-US: WebsiteBaker CVE-2017-9360 (WebsiteBaker v2.10.0 has a SQL injection vulnerability in /account/det ...) NOT-FOR-US: WebsiteBaker CVE-2017-9357 RESERVED CVE-2017-9356 (Sitecore.NET 7.1 through 7.2 has a Cross Site Scripting Vulnerability ...) NOT-FOR-US: Sitecore.NET CVE-2017-9358 (A memory exhaustion vulnerability exists in Asterisk Open Source 13.x ...) - asterisk 1:13.14.1~dfsg-2 (bug #863906) [jessie] - asterisk (11.x series not affected) [wheezy] - asterisk (Vulnerable code not present) NOTE: http://downloads.asterisk.org/pub/security/AST-2017-004.txt CVE-2017-9359 (The multi-part body parser in PJSIP, as used in Asterisk Open Source 1 ...) {DSA-3933-1} - pjproject 2.5.5~dfsg-6 (bug #863902) NOTE: http://downloads.asterisk.org/pub/security/AST-2017-003.txt NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-26939 CVE-2017-9372 (PJSIP, as used in Asterisk Open Source 13.x before 13.15.1 and 14.x be ...) {DSA-3933-1} - pjproject 2.5.5~dfsg-6 (bug #863901) NOTE: http://downloads.asterisk.org/pub/security/AST-2017-002.txt CVE-2017-9355 (XML external entity (XXE) vulnerability in the import playlist feature ...) NOT-FOR-US: Subsonic CVE-2017-9354 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the RGMP dissector co ...) - wireshark 2.2.7-1 (bug #864058) [jessie] - wireshark (vulnerable code introduced later) [wheezy] - wireshark (vulnerable code introduced later) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-32.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13646 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=5debcf56eda16064c10f4e22b3db326c8b53406b CVE-2017-9353 (In Wireshark 2.2.0 to 2.2.6, the IPv6 dissector could crash. This was ...) - wireshark 2.2.7-1 (low; bug #864058) [jessie] - wireshark (Only affects 2.2.x) [wheezy] - wireshark (Only affects 2.2.x) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-33.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13675 CVE-2017-9352 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the Bazaar dissector ...) - wireshark 2.2.7-1 (low; bug #864058) [jessie] - wireshark (Minor issue) [wheezy] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-22.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13599 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=d8d7690a59059821e2a2a84ac8d925aa5e70b7ba CVE-2017-9351 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DHCP dissector co ...) - wireshark 2.2.7-1 (low; bug #864058) [jessie] - wireshark (Minor issue) [wheezy] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-24.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13628 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13609 CVE-2017-9350 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the openSAFETY dissec ...) - wireshark 2.2.7-1 (low; bug #864058) [jessie] - wireshark (Minor issue) [wheezy] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-28.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13649 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f6431695049116176361ce4691dfd3c77ab19858 NOTE: When fixing this entry make sure to apply the complete fix and adding NOTE: the related commits from the CVE-2017-11411. Otherwise those releases NOTE: are opened to CVE-2017-11411, which exists because of an incomplete fix. CVE-2017-9349 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DICOM dissector h ...) {DLA-1729-1} - wireshark 2.2.7-1 (low; bug #864058) [wheezy] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-27.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13685 CVE-2017-9348 (In Wireshark 2.2.0 to 2.2.6, the DOF dissector could read past the end ...) - wireshark 2.2.7-1 (bug #864058) [jessie] - wireshark (Only affects 2.2.x) [wheezy] - wireshark (Only affects 2.2.x) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-23.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13608 CVE-2017-9347 (In Wireshark 2.2.0 to 2.2.6, the ROS dissector could crash with a NULL ...) - wireshark 2.2.7-1 (bug #864058) [stretch] - wireshark (Minor issue) [jessie] - wireshark (Only affects 2.2.x) [wheezy] - wireshark (Only affects 2.2.x) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-31.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13637 CVE-2017-9346 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the SoulSeek dissecto ...) - wireshark 2.2.7-1 (low; bug #864058) [jessie] - wireshark (Minor issue) [wheezy] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-25.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13631 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=7eab596c0824e6fa20aad6932bcd2fdb94b86edf CVE-2017-9345 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DNS dissector cou ...) - wireshark 2.2.7-1 (low; bug #864058) [jessie] - wireshark (Minor issue) [wheezy] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-26.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13633 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f6408d6a8e842148f677a9f9413776ebaa150bb0 CVE-2017-9344 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the Bluetooth L2CAP d ...) {DLA-1729-1} - wireshark 2.2.7-1 (low; bug #864058) [wheezy] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-29.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13701 CVE-2017-9343 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the MSNIP dissector m ...) - wireshark 2.2.7-1 (low; bug #864058) [jessie] - wireshark (Minor issue) [wheezy] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-30.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13725 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=7c39a77e8b6ed204d7c1ec9afd712ef30ac2db26 CVE-2017-9342 RESERVED CVE-2017-9341 RESERVED CVE-2017-9340 (An attacker is logged in as a normal user and can somehow make admin t ...) - owncloud CVE-2017-9339 (A logical error in ownCloud Server before 10.0.2 caused disclosure of ...) - owncloud CVE-2017-9338 (Inadequate escaping lead to XSS vulnerability in the search module in ...) - owncloud CVE-2017-9337 (The Markdown on Save Improved plugin 2.5 for WordPress has a stored XS ...) NOT-FOR-US: Wordpress plugin CVE-2017-9336 (The WP Editor.MD plugin 1.6 for WordPress has a stored XSS vulnerabili ...) NOT-FOR-US: Wordpress plugin CVE-2017-9335 RESERVED CVE-2017-9333 (OpenWebif 1.2.5 allows remote code execution via a URL to the CallOPKG ...) NOT-FOR-US: OpenWebif CVE-2017-9332 (The smarty_self function in modules/module_smarty.php in PivotX 2.3.11 ...) NOT-FOR-US: PivotX CVE-2017-9331 (The Agenda component in Telaxus EPESI 1.8.2 and earlier has a Stored C ...) NOT-FOR-US: Telaxus EPESI CVE-2017-9329 RESERVED CVE-2017-9328 (Shell metacharacter injection vulnerability in /usr/www/include/ajax/G ...) NOT-FOR-US: TerraMaster TOS CVE-2017-9327 (Secret data of processes managed by CM is not secured by file permissi ...) NOT-FOR-US: Cloudera CVE-2017-9326 (The keystore password for the Spark History Server may be exposed in u ...) NOT-FOR-US: Cloudera CVE-2017-9325 (The provided secure solrconfig.xml sample configuration does not enfor ...) NOT-FOR-US: Cloudera CVE-2017-9334 (An incorrect "pair?" check in the Scheme "length" procedure results in ...) - chicken 4.12.0-0.2 (low; bug #863884) [stretch] - chicken (Minor issue) [jessie] - chicken (Minor issue) [wheezy] - chicken (Minor issue) NOTE: Original announcement: http://lists.nongnu.org/archive/html/chicken-announce/2017-05/msg00000.html NOTE: Patch: http://lists.nongnu.org/archive/html/chicken-hackers/2017-05/msg00099.html CVE-2017-9330 (QEMU (aka Quick Emulator) before 2.9.0, when built with the USB OHCI E ...) {DSA-3920-1 DLA-1497-1} - qemu 1:2.8+dfsg-7 (bug #863943) [wheezy] - qemu (Vulnerable code no present) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code no present) NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=26f670a244982335cc08943fb1ec099a2c81e42d CVE-2017-9324 (In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through ...) {DSA-3876-1} - otrs2 5.0.20-1 (bug #864319) [stretch] - otrs2 5.0.16-1+deb9u1 [wheezy] - otrs2 (does not affect version 3.1.7) NOTE: https://www.otrs.com/security-advisory-2017-03-security-update-otrs-versions/ NOTE: https://github.com/OTRS/otrs/commit/45e05f854d2dc7c9fa7dd7467ea00cdcde350ac3 CVE-2017-9323 REJECTED CVE-2017-9322 REJECTED CVE-2017-9321 REJECTED CVE-2017-9320 RESERVED CVE-2017-9319 RESERVED CVE-2017-9318 RESERVED CVE-2017-9317 (Privilege escalation vulnerability found in some Dahua IP devices. Att ...) NOT-FOR-US: Dahua CVE-2017-9316 (Firmware upgrade authentication bypass vulnerability was found in Dahu ...) NOT-FOR-US: Dahua CVE-2017-9315 (Customer of Dahua IP camera or IP PTZ could submit relevant device inf ...) NOT-FOR-US: Dahua CVE-2017-9314 (Authentication vulnerability found in Dahua NVR models NVR50XX, NVR52X ...) NOT-FOR-US: Dahua NVR CVE-2017-9313 (Multiple Cross-site scripting (XSS) vulnerabilities in Webmin before 1 ...) - webmin CVE-2017-9312 (Improperly implemented option-field processing in the TCP/IP stack on ...) NOT-FOR-US: Allen-Bradley CVE-2017-9311 RESERVED CVE-2017-9309 RESERVED CVE-2017-9308 RESERVED CVE-2017-9307 (SSRF vulnerability in remotedownload.php in Allen Disk 1.6 allows remo ...) NOT-FOR-US: Allen Disk CVE-2017-9306 (inc/SP/Html/Html.class.php in sysPass 2.1.9 allows remote attackers to ...) NOT-FOR-US: sysPass CVE-2017-9305 (lib/core/TikiFilter/PreventXss.php in Tiki Wiki CMS Groupware 16.2 all ...) - tikiwiki CVE-2017-9304 (libyara/re.c in the regexp module in YARA 3.5.0 allows remote attacker ...) - yara 3.6.1+dfsg-1 (bug #863842) [stretch] - yara (Minor issue, too intrusive to backport) [jessie] - yara (Minor issue, too intrusive to backport) NOTE: https://github.com/VirusTotal/yara/issues/674 NOTE: https://github.com/VirusTotal/yara/commit/925bcf3c3b0a28b5b78e25d9efda5c0bf27ae699 CVE-2016-10395 (In FlexNet Publisher versions before Luton SP1 (11.14.1.1) running Fle ...) NOT-FOR-US: FlexNet Publisher CVE-2016-10394 RESERVED NOT-FOR-US: Android Qualcomm closed-source components CVE-2016-10393 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Android Qualcomm closed-source components CVE-2016-10392 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10391 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10390 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10389 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10388 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10387 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10386 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10385 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10384 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10383 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10382 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10381 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10380 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9095 RESERVED CVE-2015-9094 RESERVED CVE-2015-9093 RESERVED CVE-2015-9092 RESERVED CVE-2015-9091 RESERVED CVE-2015-9090 RESERVED CVE-2015-9089 RESERVED CVE-2015-9088 RESERVED CVE-2015-9087 RESERVED CVE-2015-9086 RESERVED CVE-2015-9085 RESERVED CVE-2015-9084 RESERVED CVE-2015-9083 RESERVED CVE-2015-9082 RESERVED CVE-2015-9081 RESERVED CVE-2015-9080 RESERVED CVE-2015-9079 RESERVED CVE-2015-9078 RESERVED CVE-2015-9077 RESERVED CVE-2015-9076 RESERVED CVE-2015-9075 RESERVED CVE-2015-9074 RESERVED CVE-2015-9073 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9072 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9071 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9070 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9069 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9068 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9067 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9066 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9065 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9064 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9063 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9062 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9061 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9060 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2014-9984 (nscd in the GNU C Library (aka glibc or libc6) before version 2.20 doe ...) - glibc 2.19-14 - eglibc [wheezy] - eglibc (Vulnerable code not present) NOTE: Upstream bug: https://sourceware.org/bugzilla/show_bug.cgi?id=16695 NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c44496df2f090a56d3bf75df930592dac6bba46f CVE-2014-9982 REJECTED CVE-2014-9981 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2014-9980 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2014-9979 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2014-9978 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2014-9977 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2014-9976 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2014-9975 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2014-9974 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2014-9973 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2014-9972 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2014-9971 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-1000380 (sound/core/timer.c in the Linux kernel before 4.11.5 is vulnerable to ...) {DSA-3981-1 DLA-1099-1} - linux 4.11.6-1 NOTE: Fixed by: https://git.kernel.org/linus/d11662f4f798b50d8c8743f433842c3e40fe3378 (v4.12-rc5) NOTE: Fixed by: https://git.kernel.org/linus/ba3021b2c79b2fa9114f92790a99deb27a65b728 (v4.12-rc5) CVE-2017-1000368 (Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an in ...) {DLA-1011-1} - sudo 1.8.20p1-1.1 (bug #863897) [buster] - sudo 1.8.19p1-2.1 [stretch] - sudo 1.8.19p1-2.1 [jessie] - sudo 1.8.10p3-1+deb8u5 NOTE: http://www.openwall.com/lists/oss-security/2017/06/02/7 NOTE: https://www.sudo.ws/repos/sudo/raw-rev/15a46f4007dd CVE-2017-1000367 (Todd Miller's sudo version 1.8.20 and earlier is vulnerable to an inpu ...) {DSA-3867-1 DLA-970-1} - sudo 1.8.20p1-1 (bug #863731) [buster] - sudo 1.8.19p1-2 [stretch] - sudo 1.8.19p1-2 NOTE: https://www.sudo.ws/alerts/linux_tty.html NOTE: http://www.openwall.com/lists/oss-security/2017/05/30/16 NOTE: https://www.sudo.ws/repos/sudo/raw-rev/b5460cbbb11b CVE-2017-9310 (QEMU (aka Quick Emulator), when built with the e1000e NIC emulation su ...) {DSA-3920-1} - qemu 1:2.8+dfsg-7 (bug #863840) [jessie] - qemu (Vulnerable code not present; e1000e introduced in 2.7.0-rc0) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code not present) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=4154c7e03fa55b4cf52509a83d50d6c09d743b7 CVE-2017-9303 (Laravel 5.4.x before 5.4.22 does not properly constrain the host porti ...) NOT-FOR-US: Laravel CVE-2017-9302 (RealPlayer 16.0.2.32 allows remote attackers to cause a denial of serv ...) NOT-FOR-US: RealPlayer CVE-2017-9301 (plugins\audio_filter\libmpgatofixed32_plugin.dll in VideoLAN VLC media ...) - vlc 2.2.5.1-1 [wheezy] - vlc (Not supported in wheezy LTS) CVE-2017-9300 (plugins\codec\libflac_plugin.dll in VideoLAN VLC media player 2.2.4 al ...) {DSA-4045-1} - vlc 2.2.6-3 [wheezy] - vlc (Not supported in wheezy LTS) NOTE: https://git.videolan.org/?p=vlc/vlc-2.2.git;a=commit;h=55a82442cfea9dab8b853f3a4610f2880c5fadf3 CVE-2017-9299 (Open Ticket Request System (OTRS) 3.3.9 has XSS in index.pl?Action=Age ...) NOTE: This report for OTRS is quite vague/unclear and upstream can NOTE: not track the issue down to a specific fixed release claims though that NOTE: it should not be reproducible with versions later than 3.3.17. CVE-2017-9298 (Cross-site scripting vulnerability in Hitachi Device Manager before 8. ...) NOT-FOR-US: Hitacho Device Manager CVE-2017-9297 (Open Redirect vulnerability in Hitachi Device Manager before 8.5.2-01 ...) NOT-FOR-US: Hitacho Device Manager CVE-2017-9296 (Open Redirect vulnerability in Hitachi Device Manager before 8.5.2-01 ...) NOT-FOR-US: Hitacho Device Manager CVE-2017-9295 (XXE vulnerability in Hitachi Device Manager before 8.5.2-01 and Hitach ...) NOT-FOR-US: Hitacho Device Manager CVE-2017-9294 (RMI vulnerability in Hitachi Device Manager before 8.5.2-01 allows rem ...) NOT-FOR-US: Hitacho Device Manager CVE-2017-9293 RESERVED CVE-2017-9292 (Lansweeper before 6.0.0.65 has XSS in an image retrieval URI, aka Bug ...) NOT-FOR-US: Lansweeper CVE-2017-9291 RESERVED CVE-2017-9290 RESERVED CVE-2017-9289 (Bram Korsten Note through 1.2.0 is vulnerable to a reflected XSS in no ...) NOT-FOR-US: Bram Korsten Note CVE-2017-9288 (The Raygun4WP plugin 1.8.0 for WordPress is vulnerable to a reflected ...) NOT-FOR-US: Wordpress plugin CVE-2017-9286 (The packaging of NextCloud in openSUSE used /srv/www/htdocs in an unsa ...) NOT-FOR-US: OpenSUSE specific packaging issue of NextCloud CVE-2017-9285 (NetIQ eDirectory before 9.0 SP4 did not enforce login restrictions whe ...) NOT-FOR-US: NetIQ eDirectory CVE-2017-9284 (IDM 4.6 Identity Applications prior to 4.6.2.1 may expose sensitive in ...) NOT-FOR-US: IDM CVE-2017-9283 (An out-of-bounds read (CWE-125) vulnerability exists in Micro Focus Vi ...) NOT-FOR-US: Micro Focus VisiBroker CVE-2017-9282 (An integer overflow (CWE-190) led to an out-of-bounds write (CWE-787) ...) NOT-FOR-US: Micro Focus VisiBroker CVE-2017-9281 (An integer overflow (CWE-190) potentially causing an out-of-bounds rea ...) NOT-FOR-US: Micro Focus VisiBroker CVE-2017-9280 (Some NetIQ Identity Manager Applications before Identity Manager 4.5.6 ...) NOT-FOR-US: NetIQ Identity Manager CVE-2017-9279 (NetIQ Identity Manager before 4.5.6.1 allowed uploading files with dou ...) NOT-FOR-US: NetIQ Identity Manager CVE-2017-9278 (The NetIQ Identity Manager Oracle EBS driver before 4.0.2.0 sent EBS l ...) NOT-FOR-US: NetIQ Identity Manager CVE-2017-9277 (The LDAP backend in Novell eDirectory before 9.0 SP4 when switched to ...) NOT-FOR-US: Novell eDirectory CVE-2017-9276 (Novell Access Manager iManager before 4.3.3 did not validate parameter ...) NOT-FOR-US: Novell Access Manager iManager CVE-2017-9275 (NetIQ Identity Reporting, in versions prior to 5.5 Service Pack 1, is ...) NOT-FOR-US: NetIQ Identity Reporting CVE-2017-9274 (A shell command injection in the obs-service-source_validator before 0 ...) - osc 0.162.1-1 (bug #887391) [stretch] - osc (Minor issue) [jessie] - osc (Minor issue) [wheezy] - osc (Minor issue) NOTE: Details in https://bugzilla.suse.com/show_bug.cgi?id=938556 NOTE: SUSE adressed the issue not only in the obs-service-source_validator NOTE: and adding a validation in 0.162.0 when using OBS 2.9, cf.: NOTE: https://github.com/openSUSE/osc/commit/f0325eb0b58c266eb0905ccf827dc7eb864378a1 CVE-2017-9273 (The Bi-directional driver in IDM 4.5 before 4.0.3.0 could be susceptib ...) NOT-FOR-US: IDM CVE-2017-9272 (The Bi-directional driver in IDM 4.5 before 4.0.3.0 could be susceptib ...) NOT-FOR-US: IDM CVE-2017-9271 (The commandline package update tool zypper writes HTTP proxy credentia ...) - zypper (low) [buster] - zypper (Minor issue) [jessie] - zypper (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1050625 CVE-2017-9270 (In cryptctl before version 2.0 a malicious server could send RPC reque ...) NOT-FOR-US: SuSE cryptctl CVE-2017-9269 (In libzypp before August 2018 GPG keys attached to YUM repositories we ...) - libzypp 17.3.1-1 (bug #899065) [jessie] - libzypp (Minor issue) CVE-2017-9268 (In the open build service before 201707022 the wipetrigger and rebuild ...) - open-build-service (low) [stretch] - open-build-service (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1045519 CVE-2017-9267 (In Novell eDirectory before 9.0.3.1 the LDAP interface was not strictl ...) NOT-FOR-US: Novell eDirectory CVE-2016-10379 (The VirtueMart com_virtuemart component 3.0.14 for Joomla! allows SQL ...) NOT-FOR-US: Joomla addon CVE-2016-10378 (e107 2.1.1 allows SQL injection by remote authenticated administrators ...) NOT-FOR-US: e107 CVE-2017-9266 RESERVED CVE-2017-9265 (In Open vSwitch (OvS) v2.7.0, there is a buffer over-read while parsin ...) [experimental] - openvswitch 2.8.1+dfsg1-1 - openvswitch 2.8.1+dfsg1-2 (unimportant; bug #863662) [jessie] - openvswitch (Vulnerable code not present) [wheezy] - openvswitch (Vulnerable code not present) NOTE: https://mail.openvswitch.org/pipermail/ovs-dev/2017-May/332965.html NOTE: OpenFlow 1.5 support still incomplete CVE-2017-9264 (In lib/conntrack.c in the firewall implementation in Open vSwitch (OvS ...) [experimental] - openvswitch 2.8.1+dfsg1-1 - openvswitch 2.8.1+dfsg1-2 (unimportant; bug #863661) [jessie] - openvswitch (Vulnerable code not present; connection tracking support introduced in 2.6.0) [wheezy] - openvswitch (Vulnerable code not present; connection tracking support introduced in 2.6.0) NOTE: https://mail.openvswitch.org/pipermail/ovs-dev/2017-March/329323.html NOTE: Userspace data path not enabled in Debian packaging CVE-2017-9263 (In Open vSwitch (OvS) 2.7.0, while parsing an OpenFlow role status mes ...) [experimental] - openvswitch 2.8.1+dfsg1-1 - openvswitch 2.8.1+dfsg1-2 (unimportant; bug #863655) [jessie] - openvswitch (No controllers implemented, cf. #863655) [wheezy] - openvswitch (No controllers implemented, cf. #863655) NOTE: https://mail.openvswitch.org/pipermail/ovs-dev/2017-May/332966.html NOTE: Controllers shipped in Debian not vulnerable, see #863655 CVE-2017-9262 (In ImageMagick 7.0.5-6 Q16, the ReadJNGImage function in coders/png.c ...) {DLA-1000-1} - imagemagick 8:6.9.7.4+dfsg-10 (low; bug #863834) [jessie] - imagemagick 8:6.8.9.9-5+deb8u10 NOTE: https://github.com/ImageMagick/ImageMagick/issues/475 NOTE: https://github.com/ImageMagick/ImageMagick/commit/4649578df8dcbfb2b08d8623d52486dc124da3a8 CVE-2017-9261 (In ImageMagick 7.0.5-6 Q16, the ReadMNGImage function in coders/png.c ...) {DLA-1000-1} - imagemagick 8:6.9.7.4+dfsg-10 (low; bug #863833) [jessie] - imagemagick 8:6.8.9.9-5+deb8u10 NOTE: https://github.com/ImageMagick/ImageMagick/issues/476 NOTE: https://github.com/ImageMagick/ImageMagick/commit/01d522e990aa57cbe67d222dd5e8f7196cc6d199 CVE-2017-9260 (The TDStretchSSE::calcCrossCorr function in source/SoundTouch/sse_opti ...) - soundtouch 1.9.2-3 (low; bug #870857) [stretch] - soundtouch 1.9.2-2+deb9u1 [jessie] - soundtouch 1.8.0-1+deb8u1 [wheezy] - soundtouch (Minor issue) CVE-2017-9259 (The TDStretch::acceptNewOverlapLength function in source/SoundTouch/TD ...) - soundtouch 1.9.2-3 (low; bug #870856) [stretch] - soundtouch 1.9.2-2+deb9u1 [jessie] - soundtouch 1.8.0-1+deb8u1 [wheezy] - soundtouch (Minor issue) CVE-2017-9258 (The TDStretch::processSamples function in source/SoundTouch/TDStretch. ...) - soundtouch 1.9.2-3 (low; bug #870854) [stretch] - soundtouch 1.9.2-2+deb9u1 [jessie] - soundtouch 1.8.0-1+deb8u1 [wheezy] - soundtouch (Minor issue) CVE-2017-9257 (The mp4ff_read_ctts function in common/mp4ff/mp4atom.c in Freeware Adv ...) {DLA-1077-1} - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1 [jessie] - faad2 2.7-8+deb8u1 CVE-2017-9256 (The mp4ff_read_stco function in common/mp4ff/mp4atom.c in Freeware Adv ...) {DLA-1077-1} - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1 [jessie] - faad2 2.7-8+deb8u1 CVE-2017-9255 (The mp4ff_read_stsc function in common/mp4ff/mp4atom.c in Freeware Adv ...) {DLA-1077-1} - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1 [jessie] - faad2 2.7-8+deb8u1 CVE-2017-9254 (The mp4ff_read_stts function in common/mp4ff/mp4atom.c in Freeware Adv ...) {DLA-1077-1} - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1 [jessie] - faad2 2.7-8+deb8u1 CVE-2017-9253 (The mp4ff_read_stsd function in common/mp4ff/mp4atom.c in Freeware Adv ...) {DLA-1077-1} - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1 [jessie] - faad2 2.7-8+deb8u1 CVE-2016-10377 (In Open vSwitch (OvS) 2.5.0, a malformed IP packet can cause the switc ...) - openvswitch 2.6.1+git20161123-1 [jessie] - openvswitch (Vulnerable code using tot_len introduced later) [wheezy] - openvswitch (Vulnerable code using tot_len introduced later) NOTE: https://mail.openvswitch.org/pipermail/ovs-dev/2016-July/319503.html CVE-2017-9287 (servers/slapd/back-mdb/search.c in OpenLDAP through 2.4.44 is prone to ...) {DSA-3868-1 DLA-972-1} - openldap 2.4.44+dfsg-5 (bug #863563) NOTE: http://www.openldap.org/its/?findid=8655 NOTE: https://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=0cee1ffb6021b1aae3fcc9581699da1c85a6dd6e CVE-2017-9252 (andrzuk/FineCMS through 2017-05-28 is vulnerable to a reflected XSS in ...) NOT-FOR-US: FineCMS CVE-2017-9251 (andrzuk/FineCMS through 2017-05-28 is vulnerable to a reflected XSS in ...) NOT-FOR-US: FineCMS CVE-2017-9250 (The lexer_process_char_literal function in jerry-core/parser/js/js-lex ...) NOT-FOR-US: jerryscript CVE-2017-9249 (Cross-site scripting (XSS) vulnerability in Allen Disk 1.6 allows remo ...) NOT-FOR-US: Allen Disk CVE-2017-9248 (Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2 ...) NOT-FOR-US: Progress Telerik UI for ASP.NET AJAX CVE-2017-9247 (Multiple unquoted service path vulnerabilities in Sierra Wireless Wind ...) NOT-FOR-US: Sierra Wireless Windows Mobile Broadband Driver Packages CVE-2017-9246 (New Relic .NET Agent before 6.3.123.0 adds SQL injection flaws to safe ...) NOT-FOR-US: New Relic .NET Agent CVE-2017-9245 (The Google News and Weather application before 3.3.1 for Android allow ...) NOT-FOR-US: Google News and Weather application for Android CVE-2017-9244 (Cross-site scripting (XSS) vulnerability in the Trello app before 4.0. ...) NOT-FOR-US: Trello CVE-2017-9243 (Aries QWR-1104 Wireless-N Router with Firmware Version WRC.253.2.0913 ...) NOT-FOR-US: Aries QWR-1104 Wireless-N Router CVE-2015-9059 (picocom before 2.0 has a command injection vulnerability in the 'send ...) {DLA-2259-1 DLA-974-1} - picocom 1.7-2 (bug #863671) NOTE: https://github.com/npat-efault/picocom/commit/1ebc60b20fbe9a02436d5cbbf8951714e749ddb1 CVE-2017-9242 (The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux k ...) {DSA-3886-1 DLA-993-1} - linux 4.9.30-1 NOTE: https://git.kernel.org/linus/232cd35d0804cc241eb887bb8d4d9b3b9881c64a CVE-2017-9241 RESERVED CVE-2017-9240 RESERVED CVE-2016-10376 (Gajim through 0.16.7 unconditionally implements the "XEP-0146: Remote ...) {DSA-3943-1 DLA-967-1} - gajim 0.16.6-1.1 (bug #863445) NOTE: https://dev.gajim.org/gajim/gajim/commit/cb65cfc5aed9efe05208ebbb7fb2d41fcf7253cc NOTE: https://dev.gajim.org/gajim/gajim/issues/8378 CVE-2016-10375 (Yodl before 3.07.01 has a Buffer Over-read in the queue_push function ...) {DLA-2194-1 DLA-976-1} - yodl 3.07.01-1 NOTE: https://github.com/fbb-git/yodl/issues/1 NOTE: https://github.com/fbb-git/yodl/commit/fd85f8c94182558ff1480d06a236d6fb927979a3 CVE-2017-9239 (An issue was discovered in Exiv2 0.26. When the data structure of the ...) {DLA-963-1} - exiv2 0.25-3.1 (bug #863410) [jessie] - exiv2 (Minor issue) NOTE: http://dev.exiv2.org/issues/1296 NOTE: fix: https://github.com/Exiv2/exiv2/commit/2f8681e120d277e418941c4361c83b5028f67fd8 CVE-2017-9238 RESERVED CVE-2017-9237 RESERVED CVE-2017-9236 RESERVED CVE-2017-9235 RESERVED CVE-2017-9234 RESERVED CVE-2017-9233 (XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat ...) {DSA-3898-1 DLA-990-1} - expat 2.2.1-1 NOTE: https://libexpat.github.io/doc/cve-2017-9233/ NOTE: https://github.com/libexpat/libexpat/commit/c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f CVE-2017-9232 (Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a ...) - juju CVE-2017-9231 (XML external entity (XXE) vulnerability in Citrix XenMobile Server 9.x ...) NOT-FOR-US: Citrix CVE-2017-9230 (** DISPUTED ** The Bitcoin Proof-of-Work algorithm does not consider a ...) NOT-FOR-US: Bitcoin Proof-of-Work algorithm CVE-2017-9229 (An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod i ...) {DLA-958-1} - libonig 6.1.3-2 (bug #863318) [jessie] - libonig 5.9.5-3.2+deb8u1 NOTE: https://github.com/kkos/oniguruma/issues/59 NOTE: https://github.com/kkos/oniguruma/commit/b690371bbf97794b4a1d3f295d4fb9a8b05d402d CVE-2017-9228 (An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod i ...) {DLA-958-1} - libonig 6.1.3-2 (bug #863316) [jessie] - libonig 5.9.5-3.2+deb8u1 NOTE: https://github.com/kkos/oniguruma/commit/3b63d12038c8d8fc278e81c942fa9bec7c704c8b NOTE: https://github.com/kkos/oniguruma/issues/60 CVE-2017-9227 (An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod i ...) {DLA-958-1} - libonig 6.1.3-2 (bug #863315) [jessie] - libonig 5.9.5-3.2+deb8u1 NOTE: https://github.com/kkos/oniguruma/commit/9690d3ab1f9bcd2db8cbe1fe3ee4a5da606b8814 NOTE: https://github.com/kkos/oniguruma/issues/58 CVE-2017-9226 (An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod i ...) {DLA-958-1} - libonig 6.1.3-2 (bug #863314) [jessie] - libonig 5.9.5-3.2+deb8u1 NOTE: https://github.com/kkos/oniguruma/commit/b4bf968ad52afe14e60a2dc8a95d3555c543353a NOTE: https://github.com/kkos/oniguruma/commit/f015fbdd95f76438cd86366467bb2b39870dd7c6 NOTE: https://github.com/kkos/oniguruma/issues/55 CVE-2017-9225 (An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod i ...) - libonig 6.1.3-2 (bug #863313) [jessie] - libonig (Vulnerable code introduced later) [wheezy] - libonig (Vulnerable code introduced later) NOTE: https://github.com/kkos/oniguruma/commit/166a6c3999bf06b4de0ab4ce6b088a468cc4029f NOTE: https://github.com/kkos/oniguruma/issues/56 CVE-2017-9224 (An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod i ...) {DLA-958-1} - libonig 6.1.3-2 (bug #863312) [jessie] - libonig 5.9.5-3.2+deb8u1 NOTE: https://github.com/kkos/oniguruma/commit/690313a061f7a4fa614ec5cc8368b4f2284e059b NOTE: https://github.com/kkos/oniguruma/issues/57 CVE-2017-9223 (The mp4ff_read_stts function in common/mp4ff/mp4atom.c in Freeware Adv ...) {DLA-1077-1} - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1 [jessie] - faad2 2.7-8+deb8u1 CVE-2017-9222 (The mp4ff_parse_tag function in common/mp4ff/mp4meta.c in Freeware Adv ...) {DLA-1077-1} - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1 [jessie] - faad2 2.7-8+deb8u1 CVE-2017-9221 (The mp4ff_read_mdhd function in common/mp4ff/mp4atom.c in Freeware Adv ...) {DLA-1077-1} - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1 [jessie] - faad2 2.7-8+deb8u1 CVE-2017-9220 (The mp4ff_read_stco function in common/mp4ff/mp4atom.c in Freeware Adv ...) {DLA-1077-1} - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1 [jessie] - faad2 2.7-8+deb8u1 CVE-2017-9219 (The mp4ff_read_stsc function in common/mp4ff/mp4atom.c in Freeware Adv ...) {DLA-1077-1} - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1 [jessie] - faad2 2.7-8+deb8u1 CVE-2017-9218 (The mp4ff_read_stsd function in common/mp4ff/mp4atom.c in Freeware Adv ...) {DLA-1077-1} - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1 [jessie] - faad2 2.7-8+deb8u1 CVE-2017-9217 (systemd-resolved through 233 allows remote attackers to cause a denial ...) [experimental] - systemd 233-8 - systemd 232-24 (bug #863277) [jessie] - systemd (vulnerable code introduced later) [wheezy] - systemd (vulnerable code introduced later) NOTE: https://github.com/systemd/systemd/pull/5998 CVE-2017-9216 (libjbig2dec.a in Artifex jbig2dec 0.13, as used in MuPDF and Ghostscri ...) - jbig2dec 0.13-5 (bug #863279) [stretch] - jbig2dec (Minor issue) [jessie] - jbig2dec (Minor issue) [wheezy] - jbig2dec (Minor issue, can be fixed in a future update) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697934 NOTE: Fixed by: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=3ebffb1d96ba0cacec23016eccb4047dab365853 CVE-2017-9215 RESERVED CVE-2017-9214 (In Open vSwitch (OvS) 2.7.0, while parsing an OFPT_QUEUE_GET_CONFIG_RE ...) [experimental] - openvswitch 2.8.1+dfsg1-1 - openvswitch 2.8.1+dfsg1-2 (bug #863228) [stretch] - openvswitch (Minor issue) [jessie] - openvswitch (Vulnerable code not present) [wheezy] - openvswitch (Vulnerable code not present) NOTE: https://mail.openvswitch.org/pipermail/ovs-dev/2017-May/332711.html CVE-2017-9213 RESERVED CVE-2017-9212 (The Bluetooth stack on the BMW 330i 2011 allows a remote crash of the ...) NOT-FOR-US: Bluetooth stack on the BMW 330i 2011 CVE-2017-9211 (The crypto_skcipher_init_tfm function in crypto/skcipher.c in the Linu ...) - linux 4.9.30-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/9933e113c2e87a9f46a40fde8dafbf801dca1ab9 CVE-2017-9200 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in typ ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9199 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in typ ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9198 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in typ ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9197 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in typ ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9196 (libautotrace.a in AutoTrace 0.31.1 has a "negative-size-param" issue i ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9195 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer over-read i ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9194 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer over-read i ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9193 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer over-read i ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9192 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer overflow in ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9191 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer overflow in ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9190 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9189 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9188 (libautotrace.a in AutoTrace 0.31.1 has a "left shift ... cannot be rep ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9187 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in typ ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9186 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in typ ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9185 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in typ ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9184 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in typ ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9183 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in typ ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9182 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9181 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9180 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9179 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9178 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9177 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9176 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9175 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9174 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9173 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer overflow in ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9172 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer overflow in ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9171 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer over-read i ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9170 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer overflow in ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9169 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer overflow in ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9168 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer overflow in ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9167 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer overflow in ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9166 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer over-read i ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9165 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer over-read i ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9164 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer over-read i ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9163 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in typ ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9162 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in typ ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9161 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in typ ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9160 (libautotrace.a in AutoTrace 0.31.1 has a stack-based buffer overflow i ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9159 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9158 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9157 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9156 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9155 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9154 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9153 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer overflow in ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9152 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer over-read i ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9151 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer overflow in ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9150 (The do_check function in kernel/bpf/verifier.c in the Linux kernel bef ...) - linux 4.9.30-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/0d0e57697f162da4aa218b5feafe614fb666db07 CVE-2017-9210 (libqpdf.a in QPDF 6.0.0 allows remote attackers to cause a denial of s ...) [experimental] - qpdf 7.0~b1-1 - qpdf 7.0.0-1 (low; bug #863390) [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) [wheezy] - qpdf (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/05/23/10 NOTE: https://github.com/qpdf/qpdf/issues/101 CVE-2017-9209 (libqpdf.a in QPDF 6.0.0 allows remote attackers to cause a denial of s ...) [experimental] - qpdf 7.0~b1-1 - qpdf 7.0.0-1 (low; bug #863390) [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) [wheezy] - qpdf (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/05/23/10 NOTE: https://github.com/qpdf/qpdf/issues/100 CVE-2017-9208 (libqpdf.a in QPDF 6.0.0 allows remote attackers to cause a denial of s ...) [experimental] - qpdf 7.0~b1-1 - qpdf 7.0.0-1 (low; bug #863390) [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) [wheezy] - qpdf (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/05/23/10 NOTE: https://github.com/qpdf/qpdf/issues/99 CVE-2017-9207 (The iw_get_ui16be function in imagew-util.c:422:24 in libimageworsener ...) NOT-FOR-US: ImageWorsener CVE-2017-9206 (The iw_get_ui16le function in imagew-util.c:405:23 in libimageworsener ...) NOT-FOR-US: ImageWorsener CVE-2017-9205 (The iw_get_ui16be function in imagew-util.c:422:24 in libimageworsener ...) NOT-FOR-US: ImageWorsener CVE-2017-9204 (The iw_get_ui16le function in imagew-util.c:405:23 in libimageworsener ...) NOT-FOR-US: ImageWorsener CVE-2017-9203 (imagew-main.c:960:12 in libimageworsener.a in ImageWorsener 1.3.1 allo ...) NOT-FOR-US: ImageWorsener CVE-2017-9202 (imagew-cmd.c:854:45 in libimageworsener.a in ImageWorsener 1.3.1 allow ...) NOT-FOR-US: ImageWorsener CVE-2017-9201 (imagew-cmd.c:850:46 in libimageworsener.a in ImageWorsener 1.3.1 allow ...) NOT-FOR-US: ImageWorsener CVE-2017-9148 (The TLS session cache in FreeRADIUS 2.1.1 through 2.1.7, 3.0.x before ...) {DLA-977-1} - freeradius 3.0.12+dfsg-5 (bug #863673) [jessie] - freeradius (Only affects 2.1.1 to 2.1.7 and 3.0 to 3.0.13) NOTE: http://www.openwall.com/lists/oss-security/2017/05/29/1 NOTE: http://freeradius.org/security.html#session-resumption-2017 NOTE: https://anonscm.debian.org/cgit/pkg-freeradius/freeradius.git/commit/?id=8d681449aa95ee4388b5e3c266bdb070a264f563 CVE-2017-9147 (LibTIFF 4.0.7 has an invalid read in the _TIFFVGetField function in ti ...) {DLA-984-1 DLA-983-1} - tiff 4.0.8-2 (bug #863185) [jessie] - tiff 4.0.3-12.3+deb8u4 - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2693 CVE-2017-9146 (The TNEFFillMapi function in lib/ytnef.c in libytnef in ytnef through ...) - libytnef 1.9.3-1 (bug #862707) [stretch] - libytnef (Minor issue, can be fixed via a point update) [jessie] - libytnef (Minor issue, can be fixed via a point update) [wheezy] - libytnef (Minor issue) NOTE: https://github.com/Yeraze/ytnef/issues/47 NOTE: https://github.com/Yeraze/ytnef/commit/c576639e7e6bd9c7de0a288b9f94590d34ac9215 CVE-2017-9145 (TikiFilter.php in Tiki Wiki CMS Groupware 12.x through 16.x does not p ...) - tikiwiki CVE-2017-11352 (In ImageMagick before 7.0.5-10, a crafted RLE image can trigger a cras ...) {DSA-4040-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #868469) [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u1 NOTE: https://github.com/ImageMagick/ImageMagick/issues/502 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/7f1f01b695e869c410ee10e2176f8fd764f09373 NOTE: ImageMagick-7: https://github.com/ImageMagick/ImageMagick/commit/86cb33143c5b21912187403860a7c26761a3cd23 CVE-2017-9144 (In ImageMagick 7.0.5-5, a crafted RLE image can trigger a crash becaus ...) {DSA-3863-1 DLA-1081-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-9 (bug #863126) NOTE: https://github.com/ImageMagick/ImageMagick/commit/7fdf9ea808caa3c81a0eb42656e5fafc59084198 CVE-2017-9142 (In ImageMagick 7.0.5-7 Q16, a crafted file could trigger an assertion ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-9 (bug #863125) NOTE: https://github.com/ImageMagick/ImageMagick/issues/490 NOTE: https://github.com/ImageMagick/ImageMagick/commit/72f5c8632bff2daf3c95005f9b4cf2982786b52a CVE-2017-9141 (In ImageMagick 7.0.5-7 Q16, a crafted file could trigger an assertion ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-9 (bug #863124) NOTE: https://github.com/ImageMagick/ImageMagick/issues/489 NOTE: https://github.com/ImageMagick/ImageMagick/commit/f5910e91b0778e03ded45b9022be8eb8f77942cd CVE-2017-9143 (In ImageMagick 7.0.5-5, the ReadARTImage function in coders/art.c allo ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-9 (bug #863123) NOTE: https://github.com/ImageMagick/ImageMagick/issues/456 NOTE: https://github.com/ImageMagick/ImageMagick/commit/7b8c1df65b25d6671f113e2306982eded44ce3b4 CVE-2017-9140 (Cross-site scripting (XSS) vulnerability in Telerik.ReportViewer.WebFo ...) NOT-FOR-US: Telerik CVE-2017-9139 (There is a stack-based buffer overflow on some Tenda routers (FH1202/F ...) NOT-FOR-US: Tenda CVE-2017-9138 (There is a debug-interface vulnerability on some Tenda routers (FH1202 ...) NOT-FOR-US: Tenda CVE-2017-9137 (Ceragon FibeAir IP-10 wireless radios through 7.2.0 have a default pas ...) NOT-FOR-US: Ceragon FibeAir CVE-2017-9136 (An issue was discovered on Mimosa Client Radios before 2.2.3. In the d ...) NOT-FOR-US: Mimosa Client Radios CVE-2017-9135 (An issue was discovered on Mimosa Client Radios before 2.2.4 and Mimos ...) NOT-FOR-US: Mimosa Client Radios CVE-2017-9134 (An information-leakage issue was discovered on Mimosa Client Radios be ...) NOT-FOR-US: Mimosa Client Radios CVE-2017-9133 (An issue was discovered on Mimosa Client Radios before 2.2.3 and Mimos ...) NOT-FOR-US: Mimosa Client Radios CVE-2017-9132 (A hard-coded credentials issue was discovered on Mimosa Client Radios ...) NOT-FOR-US: Mimosa Client Radios CVE-2017-9131 (An issue was discovered on Mimosa Client Radios before 2.2.3 and Mimos ...) NOT-FOR-US: Mimosa Client Radios CVE-2017-9130 (The faacEncOpen function in libfaac/frame.c in Freeware Advanced Audio ...) - faac 1.29+git20170704-1 (bug #865909) [stretch] - faac (Non-free not supported) [jessie] - faac (Non-free not supported) NOTE: https://www.exploit-db.com/exploits/42207/ CVE-2017-9129 (The wav_open_read function in frontend/input.c in Freeware Advanced Au ...) - faac 1.29+git20170704-1 (bug #865909) [stretch] - faac (Non-free not supported) [jessie] - faac (Non-free not supported) NOTE: https://www.exploit-db.com/exploits/42207/ CVE-2017-9128 (The quicktime_video_width function in lqt_quicktime.c in libquicktime ...) {DLA-1042-1} - libquicktime 2:1.2.4-11 (low; bug #864664) [stretch] - libquicktime 2:1.2.4-10+deb9u1 [jessie] - libquicktime (Minor issue) CVE-2017-9127 (The quicktime_user_atoms_read_atom function in useratoms.c in libquick ...) {DLA-1042-1} - libquicktime 2:1.2.4-11 (low; bug #864664) [stretch] - libquicktime 2:1.2.4-10+deb9u1 [jessie] - libquicktime (Minor issue) CVE-2017-9126 (The quicktime_read_dref_table function in dref.c in libquicktime 1.2.4 ...) {DLA-1042-1} - libquicktime 2:1.2.4-11 (low; bug #864664) [stretch] - libquicktime 2:1.2.4-10+deb9u1 [jessie] - libquicktime (Minor issue) CVE-2017-9125 (The lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2 ...) {DLA-1042-1} - libquicktime 2:1.2.4-11 (low; bug #864664) [stretch] - libquicktime 2:1.2.4-10+deb9u1 [jessie] - libquicktime (Minor issue) CVE-2017-9124 (The quicktime_match_32 function in util.c in libquicktime 1.2.4 allows ...) {DLA-1042-1} - libquicktime 2:1.2.4-11 (low; bug #864664) [stretch] - libquicktime 2:1.2.4-10+deb9u1 [jessie] - libquicktime (Minor issue) CVE-2017-9123 (The lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2 ...) {DLA-1042-1} - libquicktime 2:1.2.4-11 (low; bug #864664) [stretch] - libquicktime 2:1.2.4-10+deb9u1 [jessie] - libquicktime (Minor issue) CVE-2017-9122 (The quicktime_read_moov function in moov.c in libquicktime 1.2.4 allow ...) {DLA-1042-1} - libquicktime 2:1.2.4-11 (low; bug #864664) [stretch] - libquicktime 2:1.2.4-10+deb9u1 [jessie] - libquicktime (Minor issue) CVE-2017-9121 RESERVED CVE-2017-9120 (PHP 7.x through 7.1.5 allows remote attackers to cause a denial of ser ...) - php7.2 (unimportant) - php7.1 (unimportant) - php7.0 (unimportant) - php5 (Not reproducible, vulnerable code not present.) NOTE: PHP Bug: https://bugs.php.net/bug.php?id=74544 NOTE: Not treated as a security issue by upstream CVE-2017-9119 (The i_zval_ptr_dtor function in Zend/zend_variables.h in PHP 7.1.5 all ...) - php7.1 (unimportant) - php7.0 (unimportant) - php5 (unimportant) NOTE: PHP Bug: https://bugs.php.net/bug.php?id=74593 NOTE: Only triggerable by malicious script CVE-2017-9118 (PHP 7.1.5 has an Out of bounds access in php_pcre_replace_impl via a c ...) - php7.2 (unimportant) - php7.1 (unimportant) - php7.0 (unimportant) - php5 (unimportant) NOTE: Check for Jessie again as soon as more information are available. NOTE: PHP Bug: https://bugs.php.net/bug.php?id=74604 NOTE: Not treated as a security issue by upstream CVE-2017-9117 (In LibTIFF 4.0.7, the program processes BMP images without verifying t ...) - tiff (unimportant) - tiff3 (Does not ship libtiff-tools) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2690 NOTE: bmp2tiff utility removed in 4.0.6-3 and 4.0.3-12.3+deb8u2 CVE-2017-9116 (In OpenEXR 2.2.0, an invalid read of size 1 in the uncompress function ...) {DLA-1083-1} - openexr 2.2.0-11.1 (bug #864078) [stretch] - openexr (Minor issue) [jessie] - openexr (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/05/12/5 NOTE: https://github.com/openexr/openexr/issues/232 CVE-2017-9115 (In OpenEXR 2.2.0, an invalid write of size 2 in the = operator functio ...) - openexr (bug #873885) [buster] - openexr (Minor issue) [stretch] - openexr (Minor issue) [jessie] - openexr (Minor issue) [wheezy] - openexr (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/05/12/5 NOTE: https://github.com/openexr/openexr/issues/232 CVE-2017-9114 (In OpenEXR 2.2.0, an invalid read of size 1 in the refill function in ...) - openexr (bug #873885) [buster] - openexr (Minor issue) [stretch] - openexr (Minor issue) [jessie] - openexr (Minor issue) [wheezy] - openexr (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/05/12/5 NOTE: https://github.com/openexr/openexr/issues/232 CVE-2017-9113 (In OpenEXR 2.2.0, an invalid write of size 1 in the bufferedReadPixels ...) - openexr (low; bug #873885) [buster] - openexr (Minor issue) [stretch] - openexr (Minor issue) [jessie] - openexr (Minor issue) [wheezy] - openexr (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/05/12/5 NOTE: https://github.com/openexr/openexr/issues/232 CVE-2017-9112 (In OpenEXR 2.2.0, an invalid read of size 1 in the getBits function in ...) {DLA-1083-1} - openexr 2.2.0-11.1 (bug #864078) [stretch] - openexr (Minor issue) [jessie] - openexr (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/05/12/5 NOTE: https://github.com/openexr/openexr/issues/232 CVE-2017-9111 (In OpenEXR 2.2.0, an invalid write of size 8 in the storeSSE function ...) - openexr (bug #873885) [buster] - openexr (Minor issue) [stretch] - openexr (Minor issue) [jessie] - openexr (Minor issue) [wheezy] - openexr (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/05/12/5 NOTE: https://github.com/openexr/openexr/issues/232 CVE-2017-9110 (In OpenEXR 2.2.0, an invalid read of size 2 in the hufDecode function ...) {DLA-1083-1} - openexr 2.2.0-11.1 (bug #864078) [stretch] - openexr (Minor issue) [jessie] - openexr (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/05/12/5 NOTE: https://github.com/openexr/openexr/issues/232 CVE-2017-9109 (An issue was discovered in adns before 1.5.2. It fails to ignore appar ...) - adns (unimportant) NOTE: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=adns.git;a=commit;h=fcf2b4e1faf22accb6184cca595aaee602839868 NOTE: Stub resolver that should only be used with trusted recursors CVE-2017-9108 (An issue was discovered in adns before 1.5.2. adnshost mishandles a mi ...) - adns (unimportant) NOTE: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=adns.git;a=commit;h=72c6bfd77dfdb34457a792874fd1c3030fca90ac NOTE: Stub resolver that should only be used with trusted recursors CVE-2017-9107 (An issue was discovered in adns before 1.5.2. It overruns reading a bu ...) - adns (unimportant) NOTE: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=adns.git;a=commit;h=278f8eee581c4c4a0ddd0f98c4dc8c2974cf6b90 NOTE: Stub resolver that should only be used with trusted recursors CVE-2017-9106 (An issue was discovered in adns before 1.5.2. adns_rr_info mishandles ...) - adns (unimportant) NOTE: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=adns.git;a=commit;h=37792aacaf7abbcdac6a02715a5ef794b5147f13 NOTE: Stub resolver that should only be used with trusted recursors CVE-2017-9105 (An issue was discovered in adns before 1.5.2. It corrupts a pointer wh ...) - adns (unimportant) NOTE: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=adns.git;a=commit;h=17afb298d90c5aafed76bd3855a5fe7dcd58594c NOTE: Stub resolver that should only be used with trusted recursors CVE-2017-9104 (An issue was discovered in adns before 1.5.2. It hangs, eating CPU, if ...) - adns (unimportant) NOTE: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=adns.git;a=commit;h=7ba7a232de0516d2cce934bdc91627b33b46ef47 NOTE: Stub resolver that should only be used with trusted recursors CVE-2017-9103 (An issue was discovered in adns before 1.5.2. pap_mailbox822 does not ...) - adns (unimportant) NOTE: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=adns.git;a=commit;h=020d86e2eccc2dbdfa9dcca08ddb327cc7ca3ae2 NOTE: Stub resolver that should only be used with trusted recursors CVE-2017-9102 RESERVED CVE-2017-9101 (import.php (aka the Phonebook import feature) in PlaySMS 1.4 allows re ...) NOT-FOR-US: PlaySMS CVE-2014-9970 (jasypt before 1.9.2 allows a timing attack against the password hash c ...) - jasypt 1.9.2-1 [jessie] - jasypt (Minor issue) [wheezy] - jasypt (Minor issue) NOTE: https://sourceforge.net/p/jasypt/code/668/ CVE-2017-9100 (login.cgi on D-Link DIR-600M devices with firmware 3.04 allows remote ...) NOT-FOR-US: D-Link CVE-2017-9099 RESERVED CVE-2017-9098 (ImageMagick before 7.0.5-2 and GraphicsMagick before 1.3.24 use uninit ...) {DSA-3863-1 DLA-1456-1 DLA-960-1 DLA-953-1} - imagemagick 8:6.9.7.4+dfsg-9 (bug #862967) - graphicsmagick 1.3.24-1 NOTE: ImageMagick fix: https://github.com/ImageMagick/ImageMagick/commit/1c358ffe0049f768dd49a8a889c1cbf99ac9849b NOTE: GraphicsMagick fix: http://hg.code.sf.net/p/graphicsmagick/code/diff/0a5b75e019b6/coders/rle.c NOTE: https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html CVE-2017-9097 (In Anti-Web through 3.8.7, as used on NetBiter FGW200 devices through ...) NOT-FOR-US: Anti-Web CVE-2017-9096 (The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not dis ...) NOT-FOR-US: iText CVE-2017-9095 (XXE in Diving Log 6.0 allows attackers to remotely view local files th ...) NOT-FOR-US: Diving Log CVE-2017-9094 (The lzw_add_to_dict function in imagew-gif.c in libimageworsener.a in ...) NOT-FOR-US: ImageWorsener CVE-2017-9093 (The my_skip_input_data_fn function in imagew-jpeg.c in libimageworsene ...) NOT-FOR-US: ImageWorsener CVE-2017-9092 RESERVED CVE-2017-9091 (/admin/loginc.php in Allen Disk 1.6 doesn't check if isset($_SESSION[' ...) NOT-FOR-US: Allen Disk CVE-2017-9090 (reg.php in Allen Disk 1.6 doesn't check if isset($_SESSION['captcha'][ ...) NOT-FOR-US: Allen Disk CVE-2017-9089 RESERVED CVE-2017-9088 RESERVED CVE-2017-9087 RESERVED CVE-2017-9086 RESERVED CVE-2017-9085 (Multiple cross-site scripting (XSS) vulnerabilities in Kodak InSite 6. ...) NOT-FOR-US: Kodak InSite CVE-2017-9084 RESERVED CVE-2017-9083 (poppler 0.54.0, as used in Evince and other products, has a NULL point ...) - poppler (unimportant; bug #863016) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=101084 NOTE: Does not use JPX decoder but openjpeg; affected only source wise CVE-2017-9082 RESERVED CVE-2017-9081 RESERVED CVE-2017-9080 (PlaySMS 1.4 allows remote code execution because PHP code in the name ...) NOT-FOR-US: PlaySMS CVE-2017-9079 (Dropbear before 2017.75 might allow local users to read certain files ...) {DSA-3859-1 DLA-948-1} - dropbear 2016.74-5 (bug #862970) NOTE: Patch: https://secure.ucc.asn.au/hg/dropbear/rev/0d889b068123 CVE-2017-9078 (The server in Dropbear before 2017.75 might allow post-authentication ...) {DSA-3859-1} - dropbear 2016.74-5 (bug #862970) [wheezy] - dropbear (Vulnerable code not present) NOTE: Patch: https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c CVE-2017-9077 (The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux ...) {DSA-3886-1 DLA-993-1} - linux 4.9.30-1 NOTE: Fixed by: https://git.kernel.org/linus/83eaddab4378db256d00d295bda6ca997cd13a52 CVE-2017-9076 (The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux ...) {DSA-3886-1 DLA-993-1} - linux 4.9.30-1 NOTE: Fixed by: https://git.kernel.org/linus/83eaddab4378db256d00d295bda6ca997cd13a52 CVE-2017-9075 (The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux ...) {DSA-3886-1 DLA-993-1} - linux 4.9.30-1 NOTE: Fixed by: https://git.kernel.org/linus/fdcee2cbb8438702ea1b328fb6e0ac5e9a40c7f8 CVE-2017-9074 (The IPv6 fragmentation implementation in the Linux kernel through 4.11 ...) {DSA-3886-1 DLA-993-1} - linux 4.9.30-1 NOTE: Fixed by: https://git.kernel.org/linus/2423496af35d94a87156b063ea5cedffc10a70a1 CVE-2017-9073 REJECTED CVE-2017-9072 (Two CalendarXP products have XSS in common parts of HTML files. Calend ...) NOT-FOR-US: CalendarXP CVE-2017-9071 (In MODX Revolution before 2.5.7, an attacker might be able to trigger ...) NOT-FOR-US: MODX Revolution CVE-2017-9070 (In MODX Revolution before 2.5.7, a user with resource edit permissions ...) NOT-FOR-US: MODX Revolution CVE-2017-9069 (In MODX Revolution before 2.5.7, a user with file upload permissions i ...) NOT-FOR-US: MODX Revolution CVE-2017-9068 (In MODX Revolution before 2.5.7, an attacker is able to trigger Reflec ...) NOT-FOR-US: MODX Revolution CVE-2017-9067 (In MODX Revolution before 2.5.7, when PHP 5.3.3 is used, an attacker i ...) NOT-FOR-US: MODX Revolution CVE-2017-9060 (Memory leak in the virtio_gpu_set_scanout function in hw/display/virti ...) - qemu 1:2.10.0-1 (unimportant) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: Marked as unimportant, since 1:2.8+dfsg-2 reverted the support for NOTE: virtio gpu (virglrenderer) and opengl, but the affected code is NOTE: still present. NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=dd248ed7e204ee8a1873914e02b8b526e8f1b80d CVE-2017-9059 (The NFSv4 implementation in the Linux kernel through 4.11.1 allows loc ...) - linux 4.9.30-1 [jessie] - linux (Introduced in 4.9) [wheezy] - linux (Introduced in 4.9) CVE-2017-9057 RESERVED CVE-2017-9056 RESERVED CVE-2017-9055 (An issue, also known as DW201703-001, was discovered in libdwarf 2017- ...) - dwarfutils 20170416-2 (bug #864064) [stretch] - dwarfutils 20161124-1+deb9u1 [jessie] - dwarfutils (Minor issue) [wheezy] - dwarfutils (Minor issue) NOTE: https://www.prevanders.net/dwarfbug.html#DW201703-001 CVE-2017-9054 (An issue, also known as DW201703-002, was discovered in libdwarf 2017- ...) - dwarfutils 20170416-2 (bug #864064) [stretch] - dwarfutils 20161124-1+deb9u1 [jessie] - dwarfutils (Minor issue) [wheezy] - dwarfutils (Minor issue) NOTE: https://www.prevanders.net/dwarfbug.html#DW201703-002 CVE-2017-9053 (An issue, also known as DW201703-005, was discovered in libdwarf 2017- ...) - dwarfutils 20170416-2 (bug #864064) [stretch] - dwarfutils 20161124-1+deb9u1 [jessie] - dwarfutils (Minor issue) [wheezy] - dwarfutils (Minor issue) NOTE: https://www.prevanders.net/dwarfbug.html#DW201703-005 CVE-2017-9052 (An issue, also known as DW201703-006, was discovered in libdwarf 2017- ...) - dwarfutils 20170416-2 (bug #864064) [stretch] - dwarfutils 20161124-1+deb9u1 [jessie] - dwarfutils (Minor issue) [wheezy] - dwarfutils (Minor issue) NOTE: https://www.prevanders.net/dwarfbug.html#DW201703-006 CVE-2017-9051 (libav before 12.1 is vulnerable to an invalid read of size 1 due to NU ...) - libav (low) [jessie] - libav (Tested with the original reproducer, 0.11 branch not vulnerable) [wheezy] - libav (Tested with the original reproducer, 0.8 branch not vulnerable) - ffmpeg 7:2.6.1-1 (low) NOTE: Fix in libav: https://github.com/libav/libav/commit/fe6eea99efac66839052af547426518efd970b24.patch NOTE: Fix in ffmpeg: https://github.com/FFmpeg/FFmpeg/commit/8d7ce5cdb707d4b22749f72d3f118e62e2b95cd3 NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1039 CVE-2017-9050 (libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buff ...) {DSA-3952-1 DLA-1008-1} - libxml2 2.9.4+dfsg1-3.1 (bug #863018) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=781361 (not public) NOTE: http://www.openwall.com/lists/oss-security/2017/05/15/1 NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3 CVE-2017-9049 (libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buff ...) {DSA-3952-1 DLA-1008-1} - libxml2 2.9.4+dfsg1-3.1 (bug #863019) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=781205 (not public) NOTE: http://www.openwall.com/lists/oss-security/2017/05/15/1 NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3 CVE-2017-9048 (libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buf ...) {DSA-3952-1 DLA-1008-1} - libxml2 2.9.4+dfsg1-3.1 (bug #863021) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=781701 (not public) NOTE: http://www.openwall.com/lists/oss-security/2017/05/15/1 NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74 CVE-2017-9047 (A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g074180 ...) {DSA-3952-1 DLA-1008-1} - libxml2 2.9.4+dfsg1-3.1 (bug #863022) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=781333 (not public) NOTE: http://www.openwall.com/lists/oss-security/2017/05/15/1 NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74 CVE-2017-9046 (winpm-32.exe in Pegasus Mail (aka Pmail) v4.72 build 572 allows code e ...) NOT-FOR-US: Pegasus Mail CVE-2017-9045 (The Google I/O 2017 application before 5.1.4 for Android downloads mul ...) NOT-FOR-US: Google I/O 2017 application CVE-2017-9044 (The print_symbol_for_build_attribute function in readelf.c in GNU Binu ...) - binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) CVE-2017-9043 (readelf.c in GNU Binutils 2017-04-12 has a "shift exponent too large f ...) - binutils 2.29-1 (low; bug #863674) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ddef72cdc10d82ba011a7ff81cafbbd3466acf54 CVE-2017-9042 (readelf.c in GNU Binutils 2017-04-12 has a "cannot be represented in t ...) - binutils 2.29-1 (low; bug #863674) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7296a62a2a237f6b1ad8db8c38b090e9f592c8cf CVE-2017-9041 (GNU Binutils 2.28 allows remote attackers to cause a denial of service ...) - binutils 2.28-6 (low; bug #863674) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75ec1fdbb797a389e4fe4aaf2e15358a070dcc19 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c4ab9505b53cdc899506ed421fddb7e1f8faf7a3 CVE-2017-9040 (GNU Binutils 2017-04-03 allows remote attackers to cause a denial of s ...) - binutils 2.29-1 (low; bug #863674) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7296a62a2a237f6b1ad8db8c38b090e9f592c8cf CVE-2017-9039 (GNU Binutils 2.28 allows remote attackers to cause a denial of service ...) - binutils 2.28-6 (low; bug #863674) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=82156ab704b08b124d319c0decdbd48b3ca2dac5 CVE-2017-9038 (GNU Binutils 2.28 allows remote attackers to cause a denial of service ...) - binutils 2.28-6 (low; bug #863674) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f32ba72991d2406b21ab17edc234a2f3fa7fb23d CVE-2017-9037 (Multiple cross-site scripting (XSS) vulnerabilities in Trend Micro Ser ...) NOT-FOR-US: Trend Micro CVE-2017-9036 (Trend Micro ServerProtect for Linux 3.0 before CP 1531 allows local us ...) NOT-FOR-US: Trend Micro CVE-2017-9035 (Trend Micro ServerProtect for Linux 3.0 before CP 1531 allows attacker ...) NOT-FOR-US: Trend Micro CVE-2017-9034 (Trend Micro ServerProtect for Linux 3.0 before CP 1531 allows attacker ...) NOT-FOR-US: Trend Micro CVE-2017-9033 (Cross-site request forgery (CSRF) vulnerability in Trend Micro ServerP ...) NOT-FOR-US: Trend Micro CVE-2017-9032 (Multiple cross-site scripting (XSS) vulnerabilities in Trend Micro Ser ...) NOT-FOR-US: Trend Micro CVE-2017-9058 (In libytnef in ytnef through 1.9.2, there is a heap-based buffer over- ...) - libytnef 1.9.2-2 (low; bug #862556) [jessie] - libytnef (Minor issue) [wheezy] - libytnef (Minor issue) NOTE: https://github.com/Yeraze/ytnef/issues/45 CVE-2017-9030 (The Codextrous B2J Contact (aka b2j_contact) extension before 2.1.13 f ...) NOT-FOR-US: Joomla extension CVE-2017-9029 RESERVED CVE-2017-9028 RESERVED CVE-2017-9027 RESERVED CVE-2017-9026 (Stack buffer overflow in vshttpd (aka ioos) in HooToo Trip Mate 6 (TM6 ...) NOT-FOR-US: HooHoo Trip Mate CVE-2017-9025 (Heap buffer overflow in vshttpd (aka ioos) in HooToo Trip Mate 6 (TM6) ...) NOT-FOR-US: HooHoo Trip Mate CVE-2017-9066 (In WordPress before 4.7.5, there is insufficient redirect validation i ...) {DLA-1075-1} - wordpress 4.7.5+dfsg-1 (bug #862816) [jessie] - wordpress 4.1+dfsg-1+deb8u16 NOTE: https://wordpress.org/news/2017/05/wordpress-4-7-5/ NOTE: https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11 CVE-2017-9065 (In WordPress before 4.7.5, there is a lack of capability checks for po ...) {DSA-3870-1 DLA-975-1} - wordpress 4.7.5+dfsg-1 (bug #862816) NOTE: https://wordpress.org/news/2017/05/wordpress-4-7-5/ NOTE: https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4 CVE-2017-9064 (In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnera ...) {DSA-3870-1 DLA-975-1} - wordpress 4.7.5+dfsg-1 (bug #862816) NOTE: https://wordpress.org/news/2017/05/wordpress-4-7-5/ NOTE: https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67 CVE-2017-9063 (In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability ...) {DSA-3870-1 DLA-975-1} - wordpress 4.7.5+dfsg-1 (bug #862816) NOTE: https://wordpress.org/news/2017/05/wordpress-4-7-5/ NOTE: https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3 CVE-2017-9062 (In WordPress before 4.7.5, there is improper handling of post meta dat ...) {DSA-3870-1 DLA-975-1} - wordpress 4.7.5+dfsg-1 (bug #862816) NOTE: https://wordpress.org/news/2017/05/wordpress-4-7-5/ NOTE: https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381 CVE-2017-9061 (In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability ...) {DSA-3870-1 DLA-975-1} - wordpress 4.7.5+dfsg-1 (bug #862816) NOTE: https://wordpress.org/news/2017/05/wordpress-4-7-5/ NOTE: https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6 CVE-2017-9024 (Secure Bytes Cisco Configuration Manager, as bundled in Secure Bytes S ...) NOT-FOR-US: Secure Bytes Cisco Configuration Manager CVE-2017-9023 (The ASN.1 parser in strongSwan before 5.5.3 improperly handles CHOICE ...) {DSA-3866-1 DLA-973-1} - strongswan 5.5.1-4 NOTE: upstream fix https://git.strongswan.org/?p=strongswan.git;a=commit;h=407fcca200fdf6a41a04ac0885a770b6b53c5d23 CVE-2017-9022 (The gmp plugin in strongSwan before 5.5.3 does not properly validate R ...) {DSA-3866-1 DLA-973-1} - strongswan 5.5.1-4 NOTE: upstream fix https://git.strongswan.org/?p=strongswan.git;a=commit;h=6681d98d18d24b31410fc12c3d61f150107481b3 CVE-2017-9021 REJECTED CVE-2017-9020 RESERVED CVE-2016-10373 REJECTED CVE-2016-10372 (The Eir D1000 modem does not properly restrict the TR-064 protocol, wh ...) NOT-FOR-US: Eir D1000 modem CVE-2017-9019 RESERVED CVE-2017-9018 RESERVED CVE-2017-9017 RESERVED CVE-2017-9016 RESERVED CVE-2017-9015 RESERVED CVE-2017-9014 RESERVED CVE-2017-9013 RESERVED CVE-2017-9012 RESERVED CVE-2017-9011 RESERVED CVE-2017-9010 RESERVED CVE-2017-9009 RESERVED CVE-2017-9008 RESERVED CVE-2017-9007 RESERVED CVE-2017-9006 RESERVED CVE-2017-9005 RESERVED CVE-2017-9004 RESERVED CVE-2017-9003 (Multiple memory corruption flaws are present in ArubaOS which could al ...) NOT-FOR-US: Aruba CVE-2017-9002 (All versions of Aruba ClearPass prior to 6.6.8 contain reflected cross ...) NOT-FOR-US: Aruba CVE-2017-9001 (Aruba ClearPass 6.6.3 and later includes a feature called "SSH Lockout ...) NOT-FOR-US: Aruba CVE-2017-9000 (ArubaOS, all versions prior to 6.3.1.25, 6.4 prior to 6.4.4.16, 6.5.x ...) NOT-FOR-US: Aruba CVE-2017-8999 RESERVED CVE-2017-8998 RESERVED CVE-2017-8997 RESERVED CVE-2017-8996 RESERVED CVE-2017-8995 RESERVED CVE-2017-8994 (A input validation vulnerability in HPE Operations Orchestration produ ...) NOT-FOR-US: HPE CVE-2017-8993 (A Remote Cross-Site Scripting vulnerability in HPE Project and Portfol ...) NOT-FOR-US: HPE Project and Portfolio Management CVE-2017-8992 (HPE has identified a remote privilege escalation vulnerability in HPE ...) NOT-FOR-US: HPE CVE-2017-8991 (HPE has identified a cross site scripting (XSS) vulnerability in HPE C ...) NOT-FOR-US: HPE CVE-2017-8990 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2017-8989 (A security vulnerability in HPE IceWall SSO Dfw 10.0 and 11.0 on RHEL, ...) NOT-FOR-US: HPE CVE-2017-8988 (A Remote Bypass of Security Restrictions vulnerability was identified ...) NOT-FOR-US: HPE CVE-2017-8987 (A Unauthenticated Remote Denial of Service vulnerability was identifie ...) NOT-FOR-US: HPE CVE-2017-8986 RESERVED CVE-2017-8985 (HPE XP Storage using Hitachi Global Link Manager (HGLM) has a local au ...) NOT-FOR-US: HPE XP Storage CVE-2017-8984 (A remote code execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8983 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8982 (A Remote Authentication Restriction Bypass vulnerability in HPE Intell ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8981 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8980 (A Remote Disclosure of Information vulnerability in HPE Intelligent Ma ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8979 (Security vulnerabilities in the HPE Integrated Lights-Out 2 (iLO 2) fi ...) NOT-FOR-US: HPE Integrated Lights-Out 2 (iLO 2) firmware CVE-2017-8978 (A Remote Unauthorized Disclosure of Information vulnerability in HPE I ...) NOT-FOR-US: HPE IceWall Products CVE-2017-8977 (A Remote Denial of Service vulnerability in Hewlett Packard Enterprise ...) NOT-FOR-US: Hewlett Packard Enterprise Moonshot Provisioning Manager Appliance CVE-2017-8976 (A Remote Code Execution vulnerability in Hewlett Packard Enterprise Mo ...) NOT-FOR-US: Hewlett Packard Enterprise Moonshot Provisioning Manager Appliance CVE-2017-8975 (A Remote Code Execution vulnerability in Hewlett Packard Enterprise Mo ...) NOT-FOR-US: Hewlett Packard Enterprise Moonshot Provisioning Manager Appliance CVE-2017-8974 (A Local Authentication Restriction Bypass vulnerability in HPE NonStop ...) NOT-FOR-US: HPE NonStop Server CVE-2017-8973 (An improper input validation vulnerability in HPE Matrix Operating Env ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2017-8972 (A clickjacking vulnerability in HPE Matrix Operating Environment versi ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2017-8971 (A clickjacking vulnerability in HPE Matrix Operating Environment versi ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2017-8970 (A remote unauthenticated disclosure of information vulnerability in HP ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2017-8969 (An improper input validation vulnerability in HPE Insight Control vers ...) NOT-FOR-US: HPE Insight Control CVE-2017-8968 (A remote execution of arbitrary code vulnerability has been identified ...) NOT-FOR-US: HPE CVE-2017-8967 (A Deserialization of Untrusted Data vulnerability in Hewlett Packard E ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8966 (A Deserialization of Untrusted Data vulnerability in Hewlett Packard E ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8965 (A Deserialization of Untrusted Data vulnerability in Hewlett Packard E ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8964 (A Deserialization of Untrusted Data vulnerability in Hewlett Packard E ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8963 (A Deserialization of Untrusted Data vulnerability in Hewlett Packard E ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8962 (A Deserialization of Untrusted Data vulnerability in Hewlett Packard E ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8961 (A directory traversal vulnerability in HPE Intelligent Management Cent ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8960 (An Authentication Bypass vulnerability in HPE MSA 1040 and MSA 2040 SA ...) NOT-FOR-US: HPE MSA CVE-2017-8959 (An Authentication Bypass vulnerability in HPE MSA 1040 and HPE MSA 204 ...) NOT-FOR-US: HPE MSA CVE-2017-8958 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8957 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8956 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8955 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8954 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8953 (A Remote Cross-Site Scripting (XSS) vulnerability in HPE LoadRunner v1 ...) NOT-FOR-US: HPE LoadRunner CVE-2017-8952 (A Disclosure of Sensitive Information vulnerability in HPE SiteScope v ...) NOT-FOR-US: HPE SiteScope CVE-2017-8951 (A Disclosure of Sensitive Information vulnerability in HPE SiteScope v ...) NOT-FOR-US: HPE SiteScope CVE-2017-8950 (A Disclosure of Sensitive Information vulnerability in HPE SiteScope v ...) NOT-FOR-US: HPE SiteScope CVE-2017-8949 (A Disclosure of Sensitive Information vulnerability in HPE SiteScope v ...) NOT-FOR-US: HPE SiteScope CVE-2017-8948 (A Remote Bypass Security Restriction vulnerability in HPE Network Node ...) NOT-FOR-US: HPE Network Node Manager CVE-2017-8947 (A Remote Code Execution vulnerability in HPE UCMDB version v10.10, v10 ...) NOT-FOR-US: HPE UCMDB CVE-2017-8946 (A Remote Code Execution vulnerability in HPE Aruba AirWave Glass versi ...) NOT-FOR-US: HPE Aruba AirWave Glass CVE-2017-8945 (A Remote Unauthorized Disclosure of Information vulnerability in HPE I ...) NOT-FOR-US: HPE IceWall Federation Agent CVE-2017-8944 (A Remote Disclosure of Information vulnerability in HPE Cloud Optimize ...) NOT-FOR-US: HPE Cloud Optimizer CVE-2017-8943 (The PUMA PUMATRAC app 3.0.2 for iOS does not verify X.509 certificates ...) NOT-FOR-US: PUMA PUMATRAC app CVE-2017-8942 (The YottaMark ShopWell - Healthy Diet & Grocery Food Scanner app 5 ...) NOT-FOR-US: YottaMark ShopWell app CVE-2017-8941 (The Interval International app 3.3 through 3.5.1 for iOS does not veri ...) NOT-FOR-US: Interval International app CVE-2017-8940 (The Zipongo - Healthy Recipes and Grocery Deals app before 6.3 for iOS ...) NOT-FOR-US: Zipongo app CVE-2017-8939 (The Warner Bros. ellentube app 3.1.1 through 3.1.3 for iOS does not ve ...) NOT-FOR-US: ellentube app CVE-2017-8938 (The Radio Javan app 9.3.4 through 9.6.1 for iOS does not verify X.509 ...) NOT-FOR-US: Radio Javan app CVE-2017-8937 (The Life Before Us Yo app 2.5.8 for iOS does not verify X.509 certific ...) NOT-FOR-US: Life Before Us Yo app CVE-2017-8936 (The MoboTap Dolphin Web Browser - Fast Private Internet Search app 9.2 ...) NOT-FOR-US: MoboTap Dolphin Web Browser CVE-2017-8935 (The Quest Information Systems Indiana Voters app 1.1.24 for iOS does n ...) NOT-FOR-US: Quest Information Systems Indiana Voters app CVE-2016-10374 (perltidy through 20160302, as used by perlcritic, check-all-the-things ...) - perltidy 20140328-2 (bug #862667) [jessie] - perltidy (Minor issue; can be fixed via point release) [wheezy] - perltidy (Minor issue) CVE-2017-8932 (A bug in the standard library ScalarMult implementation of curve P-256 ...) - golang-1.8 1.8.3-1 (bug #863307) [stretch] - golang-1.8 (Minor issue, would require builds of all go packages in stable) - golang-1.7 1.7.6-1 (bug #863308) [stretch] - golang-1.7 (Minor issue, would require builds of all go packages in stable) - golang [wheezy] - golang (Vulnerable code not present, no ASM implementation of the p256 elliptic curve) [jessie] - golang (Vulnerable code not present, no ASM implementation of the p256 elliptic curve) NOTE: Upstream issue: https://github.com/golang/go/issues/20040 NOTE: Upstream patch: https://golang.org/cl/41070 NOTE: Fix for 1.7: https://go-review.googlesource.com/c/43773 NOTE: Fix for 1.8: https://go-review.googlesource.com/c/43770 CVE-2017-8931 (Bitdefender GravityZone VMware appliance before 6.2.1-35 might allow a ...) NOT-FOR-US: Bitdefender CVE-2017-8930 (Multiple cross-site request forgery (CSRF) vulnerabilities in Simple I ...) NOT-FOR-US: Simple Invoices CVE-2017-8929 (The sized_string_cmp function in libyara/sizedstr.c in YARA 3.5.0 allo ...) - yara 3.6.0+dfsg-1 [stretch] - yara (Minor issue, too intrusive to backport) [jessie] - yara (Minor issue, too intrusive to backport) NOTE: https://github.com/VirusTotal/yara/issues/658 NOTE: https://github.com/VirusTotal/yara/commit/053e67e3ec81cc9268ce30eaf0d6663d8639ed1e CVE-2017-8928 (mailcow 0.14, as used in "mailcow: dockerized" and other products, has ...) NOT-FOR-US: mailcow CVE-2017-9031 (The WebUI component in Deluge before 1.3.15 contains a directory trave ...) {DSA-3856-1 DLA-943-1} - deluge 1.3.13+git20161130.48cedf63-3 (bug #862611) NOTE: http://dev.deluge-torrent.org/wiki/ReleaseNotes/1.3.15 NOTE: Fixed by: http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=41acade01ae88f7b7bbdba308a0886771aa582fd CVE-2017-8934 (PCManFM 1.2.5 insecurely uses /tmp for a socket file, allowing a local ...) - pcmanfm 1.2.5-3 (low; bug #862571) [jessie] - pcmanfm (Minor issue) [wheezy] - pcmanfm (Minor issue) NOTE: Fixed by: https://git.lxde.org/gitweb/?p=lxde/pcmanfm.git;a=commitdiff;h=bc8c3d871e9ecc67c47ff002b68cf049793faf08 CVE-2017-8933 (Libmenu-cache 1.0.2 insecurely uses /tmp for a socket file, allowing a ...) - menu-cache 1.0.2-3 (low; bug #862570) [jessie] - menu-cache (Minor issue) [wheezy] - menu-cache (Minor issue) NOTE: Fixed by: https://git.lxde.org/gitweb/?p=lxde/menu-cache.git;a=commitdiff;h=56f66684592abf257c4004e6e1fff041c64a12ce CVE-2017-8927 (Buffer overflow in Larson VizEx Reader 9.7.5 allows attackers to cause ...) NOT-FOR-US: Larson VizEx Reader CVE-2017-8926 (Buffer overflow in Halliburton LogView Pro 10.0.1 allows attackers to ...) NOT-FOR-US: Halliburton LogView Pro CVE-2017-8925 (The omninet_open function in drivers/usb/serial/omninet.c in the Linux ...) {DSA-3886-1 DLA-993-1} - linux 4.9.16-1 (low) NOTE: Fixed by: https://git.kernel.org/linus/30572418b445d85fcfe6c8fe84c947d2606767d8 CVE-2017-8924 (The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in th ...) {DSA-3886-1 DLA-993-1} - linux 4.9.16-1 (low) NOTE: Fixed by: https://git.kernel.org/linus/654b404f2a222f918af9b0cd18ad469d0c941a8e CVE-2017-8923 (The zend_string_extend function in Zend/zend_string.h in PHP through 7 ...) - php7.1 (bug #881539) - php7.0 (bug #881538) [stretch] - php7.0 (Minor issue) NOTE: PHP Bug: https://bugs.php.net/bug.php?id=74577 NOTE: (Duplicate of) PHP Bug: https://bugs.php.net/bug.php?id=73122 CVE-2017-8922 RESERVED CVE-2017-8921 (In FlightGear before 2017.2.1, the FGCommand interface allows overwrit ...) - flightgear 1:2016.4.4+dfsg-3 (bug #862689) [jessie] - flightgear 3.0.0-5+deb8u2 NOTE: Fixed by: https://sourceforge.net/p/flightgear/flightgear/ci/faf872e7f71ca14c567ac7080561fc785d8d2fd0/ (next) NOTE: Fixed by: https://sourceforge.net/p/flightgear/flightgear/ci/19ab09406e4249f2c6f8ac51938258d1c51eace0/ (2016.4) NOTE: Fixed by: https://sourceforge.net/p/flightgear/flightgear/ci/c8250b10bb9a116889f831d2299678b0ef70fec2/ (3.0.0) CVE-2017-8920 (irc.cgi in CGI:IRC before 0.5.12 reflects user-supplied input from the ...) - cgiirc CVE-2017-8919 (NetApp OnCommand API Services before 1.2P3 logs the LDAP BIND password ...) NOT-FOR-US: NetApp CVE-2017-8918 (XXE in Dive Assistant - Template Builder in Blackwave Dive Assistant - ...) NOT-FOR-US: Dive Assistant CVE-2017-8917 (SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attac ...) NOT-FOR-US: Joomla! CVE-2017-8916 (In Center for Internet Security CIS-CAT Pro Dashboard before 1.0.4, an ...) NOT-FOR-US: Center for Internet Security CIS-CAT Pro Dashboard CVE-2017-8915 (sinopia, as used in SAP HANA XS 1.00 and 2.00, allows remote attackers ...) NOT-FOR-US: SAP CVE-2017-8914 (sinopia, as used in SAP HANA XS 1.00 and 2.00, allows remote attackers ...) NOT-FOR-US: SAP CVE-2017-8913 (The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 ...) NOT-FOR-US: SAP CVE-2017-8912 (** DISPUTED ** CMS Made Simple (CMSMS) 2.1.6 allows remote authenticat ...) NOT-FOR-US: CMS Made Simple CVE-2017-8911 (An integer underflow has been identified in the unicode_to_utf8() func ...) {DSA-3869-1 DLA-962-1} - tnef 1.4.12-1.2 (bug #862442) NOTE: https://github.com/verdammelt/tnef/issues/23 NOTE: Fixed by: https://github.com/verdammelt/tnef/commit/a686971a1f124d9ae18946b1844dbc2c1f30df10 CVE-2017-8910 RESERVED CVE-2017-8909 RESERVED CVE-2017-8908 (The mark_line_tr function in gxscanc.c in Artifex Ghostscript 9.21 all ...) - ghostscript 9.22~dfsg-1 (unimportant) [jessie] - ghostscript (Vulnerable code not present) [wheezy] - ghostscript (Vulnerable code not present) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697810 NOTE: edgebuffer scan converter was made default only in: http://git.ghostscript.com/?p=ghostpdl.git;h=dd5da2cb3e08398ac6d86598b36b00994d058308 NOTE: But the vulnerable code via base/gxscan.c, a new scan converter introduced in 9.20 is present. CVE-2017-8907 (Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correc ...) NOT-FOR-US: Atlassian Bamboo CVE-2017-8906 (An integer underflow vulnerability exists in pixel-a.asm, the x86 asse ...) - x265 (Affected code is not enabled) NOTE: https://bitbucket.org/multicoreware/x265/issues/345/integer-underflow-in-x265-source-common CVE-2017-8902 RESERVED CVE-2017-8901 RESERVED CVE-2017-8900 (LightDM through 1.22.0, when systemd is used in Ubuntu 16.10 and 17.x, ...) - lightdm (No guest account support in Debian, cf. #661230) CVE-2017-8899 (Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has ...) NOT-FOR-US: Invision Power Services CVE-2017-8898 (Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has ...) NOT-FOR-US: Invision Power Services CVE-2017-8897 (Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has ...) NOT-FOR-US: Invision Power Services CVE-2017-8896 (ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6 ...) - owncloud CVE-2017-8895 (In Veritas Backup Exec 2014 before build 14.1.1187.1126, 15 before bui ...) NOT-FOR-US: Veritas CVE-2017-8894 (AeroAdmin 4.1 uses an insecure protocol (HTTP) to perform software upd ...) NOT-FOR-US: AeroAdmin CVE-2017-8893 (AeroAdmin 4.1 uses a function to copy data between two pointers where ...) NOT-FOR-US: AeroAdmin CVE-2017-8892 (Cross-site scripting (XSS) vulnerability in OpenText Tempo Box 10.0.3 ...) NOT-FOR-US: OpenText Tempo Box CVE-2017-8891 (Dropbox Lepton 1.2.1 allows DoS (SEGV and application crash) via a mal ...) - lepton 1.2.1+20170405-1 (bug #862446) NOTE: https://github.com/dropbox/lepton/issues/87 NOTE: https://github.com/dropbox/lepton/commit/82167c144a322cc956da45407f6dce8d4303d346 CVE-2017-8889 RESERVED CVE-2017-8888 RESERVED CVE-2017-8887 RESERVED CVE-2017-8886 RESERVED CVE-2017-8885 RESERVED CVE-2017-8884 RESERVED CVE-2017-8883 RESERVED CVE-2017-8882 RESERVED CVE-2017-8881 RESERVED CVE-2017-8880 RESERVED CVE-2017-8879 (Dolibarr ERP/CRM 4.0.4 allows password changes without supplying the c ...) - dolibarr 5.0.4+dfsg3-1 (bug #863544) CVE-2017-8878 (ASUS RT-AC* and RT-N* devices with firmware before 3.0.0.4.380.7378 al ...) NOT-FOR-US: ASUS CVE-2017-8877 (ASUS RT-AC* and RT-N* devices with firmware through 3.0.0.4.380.7378 a ...) NOT-FOR-US: ASUS CVE-2017-8890 (The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in ...) {DSA-3886-1 DLA-993-1} - linux 4.9.30-1 NOTE: Fixed by: https://git.kernel.org/linus/657831ffc38e30092a2d5f03d385d710eb88b09a CVE-2017-8876 (Symphony 2 2.6.11 has XSS in the meta[navigation_group] parameter to c ...) NOT-FOR-US: Symphony CMS CVE-2017-8875 (CSRF in the Clean Login plugin before 1.8 for WordPress allows remote ...) NOT-FOR-US: Wordpress addon CVE-2017-8874 (Multiple cross-site request forgery (CSRF) vulnerabilities in Mautic 1 ...) NOT-FOR-US: Mautic CVE-2017-8873 RESERVED CVE-2017-8872 (The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 all ...) - libxml2 2.9.4+dfsg1-6.1 (bug #862450) [stretch] - libxml2 (Minor issue) [jessie] - libxml2 (Minor issue) [wheezy] - libxml2 (Minor issue) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=775200 NOTE: https://gitlab.gnome.org/GNOME/libxml2/commit/123234f2cfcd9e9b9f83047eee1dc17b4c3f4407 CVE-2017-8871 (The cr_parser_parse_selector_core function in cr-parser.c in libcroco ...) - libcroco (bug #864666; low) [buster] - libcroco (Minor issue) [stretch] - libcroco (Minor issue) [jessie] - libcroco (Minor issue) [wheezy] - libcroco (Vulnerable code not present) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=782649 CVE-2017-8870 (Buffer overflow in AudioCoder 0.8.46 allows remote attackers to execut ...) NOT-FOR-US: AudioCoder CVE-2017-8869 (Buffer overflow in MediaCoder 0.8.48.5888 allows remote attackers to e ...) NOT-FOR-US: MediaCoder CVE-2017-8868 (acp/core/files.browser.php in flatCore 1.4.7 allows file deletion via ...) NOT-FOR-US: flatCore CVE-2017-8867 (Elemental Path's CogniToys Dino smart toys through firmware version 0. ...) NOT-FOR-US: Elemental Path's CogniToys Dino smart toys CVE-2017-8866 (Elemental Path's CogniToys Dino smart toys through firmware version 0. ...) NOT-FOR-US: Elemental Path's CogniToys Dino smart toys CVE-2017-8865 (Elemental Path's CogniToys Dino smart toys through firmware version 0. ...) NOT-FOR-US: Elemental Path's CogniToys Dino smart toys CVE-2017-8864 (Client-side enforcement using JavaScript of server-side security optio ...) NOT-FOR-US: Cohu CVE-2017-8863 (Information disclosure of .esp source code on the Cohu 3960 allows an ...) NOT-FOR-US: Cohu CVE-2017-8862 (The webupgrade function on the Cohu 3960HD does not verify the firmwar ...) NOT-FOR-US: Cohu CVE-2017-8861 (Missing authentication for the remote configuration port 1236/tcp on t ...) NOT-FOR-US: Cohu CVE-2017-8860 (Information disclosure through directory listing on the Cohu 3960HD al ...) NOT-FOR-US: Cohu CVE-2017-8859 (In Veritas NetBackup Appliance 3.0 and earlier, unauthenticated users ...) NOT-FOR-US: Veritas NetBackup CVE-2017-8858 (In Veritas NetBackup 8.0 and earlier and NetBackup Appliance 3.0 and e ...) NOT-FOR-US: Veritas NetBackup CVE-2017-8857 (In Veritas NetBackup 8.0 and earlier and NetBackup Appliance 3.0 and e ...) NOT-FOR-US: Veritas NetBackup CVE-2017-8856 (In Veritas NetBackup 8.0 and earlier and NetBackup Appliance 3.0 and e ...) NOT-FOR-US: Veritas NetBackup CVE-2016-10371 (The TIFFWriteDirectoryTagCheckedRational function in tif_dirwrite.c in ...) {DLA-969-1} - tiff 4.0.7-7 (low; bug #862929) [jessie] - tiff 4.0.3-12.3+deb8u5 - tiff3 [wheezy] - tiff3 (tiff tools are not built, can be fixed later) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2535 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2612 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/0abd094b6e5079c4d8be733829240491cb230f3d CVE-2017-1000044 (gtk-vnc 0.4.2 and older doesn't check framebuffer boundaries correctly ...) - gtk-vnc 0.4.3-1 NOTE: Fixed by: https://git.gnome.org/browse/gtk-vnc/commit/?id=f3fc5e57a78d4be9872f1394f697b9929873a737 (release-0.4.3) CVE-2017-8855 (wolfSSL before 3.11.0 does not prevent wc_DhAgree from accepting a mal ...) - wolfssl 3.12.0+dfsg-1 (bug #870170) NOTE: Fixed upstream in 3.11.0, https://github.com/wolfSSL/wolfssl/releases/tag/v3.11.0-stable CVE-2017-8854 (wolfSSL before 3.10.2 has an out-of-bounds memory access with loading ...) - wolfssl 3.10.2+dfsg-1 CVE-2017-8853 (Fiyo CMS v2.0.7 has an arbitrary file delete vulnerability in dapur/ap ...) NOT-FOR-US: Fiyo CMS CVE-2017-8852 (SAP SAPCAR 721.510 has a Heap Based Buffer Overflow Vulnerability. It ...) NOT-FOR-US: SAP CVE-2017-8851 (An issue was discovered on OnePlus One and X devices. Due to a lenient ...) NOT-FOR-US: OnePlus One CVE-2017-8850 (An issue was discovered on OnePlus One, X, 2, 3, and 3T devices. Due t ...) NOT-FOR-US: OnePlus One CVE-2017-8849 (smb4k before 2.0.1 allows local users to gain root privileges by lever ...) {DSA-3951-1 DLA-1002-1} - smb4k 1.2.1-2 (bug #862505) NOTE: http://www.openwall.com/lists/oss-security/2017/05/10/3 NOTE: https://www.kde.org/info/security/advisory-20170510-2.txt NOTE: https://github.com/stealth/plasmapulsar NOTE: smb4k 2.0.0: https://commits.kde.org/smb4k/a90289b0962663bc1d247bbbd31b9e65b2ca000e NOTE: smb4k 1.2.3: https://commits.kde.org/smb4k/71554140bdaede27b95dbe4c9b5a028a83c83cce CVE-2017-8848 (Allen Disk 1.6 has CSRF in setpass.php with an impact of changing a pa ...) NOT-FOR-US: Allen Disk CVE-2017-8847 (The bufRead::get() function in libzpaq/libzpaq.h in liblrzip.so in lrz ...) - lrzip 0.631+git180517-1 (unimportant; bug #863145) NOTE: https://github.com/ckolivas/lrzip/issues/67 NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-null-pointer-dereference-in-bufreadget-libzpaq-h/ NOTE: Crash in CLI tool, no security implications CVE-2017-8846 (The read_stream function in stream.c in liblrzip.so in lrzip 0.631 all ...) - lrzip 0.631+git180517-1 (bug #863150) [stretch] - lrzip (Minor issue) [jessie] - lrzip (Minor issue) [wheezy] - lrzip (Minor issue) NOTE: https://github.com/ckolivas/lrzip/issues/71 NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-use-after-free-in-read_stream-stream-c/ CVE-2017-8845 (The lzo1x_decompress function in lzo1x_d.ch in LZO 2.08, as used in lr ...) - lrzip 0.631+git180517-1 (unimportant; bug #863151) NOTE: https://github.com/ckolivas/lrzip/issues/68 NOTE: https://github.com/ckolivas/lrzip/commit/89d7b33e6a6450eed326b40084b547d42bad333f NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-invalid-memory-read-in-lzo_decompress_buf-stream-c/ NOTE: Crash in CLI tool, no security implications CVE-2017-8844 (The read_1g function in stream.c in liblrzip.so in lrzip 0.631 allows ...) - lrzip 0.631+git180517-1 (bug #863153) [stretch] - lrzip (Minor issue) [jessie] - lrzip (Minor issue) [wheezy] - lrzip (Minor issue) NOTE: https://github.com/ckolivas/lrzip/issues/70 NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-heap-based-buffer-overflow-write-in-read_1g-stream-c/ CVE-2017-8843 (The join_pthread function in stream.c in liblrzip.so in lrzip 0.631 al ...) - lrzip 0.631+git180517-1 (unimportant; bug #863155) NOTE: https://github.com/ckolivas/lrzip/issues/69 NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-null-pointer-dereference-in-join_pthread-stream-c/ NOTE: Crash in CLI tool, no security implications CVE-2017-8842 (The bufRead::get() function in libzpaq/libzpaq.h in liblrzip.so in lrz ...) - lrzip 0.631+git180517-1 (unimportant; bug #863156) NOTE: https://github.com/ckolivas/lrzip/issues/66 NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-divide-by-zero-in-bufreadget-libzpaq-h/ NOTE: Crash in CLI tool, no security implications CVE-2017-8841 (Arbitrary file deletion exists on Peplink Balance 305, 380, 580, 710, ...) NOT-FOR-US: Peplink Balance devices CVE-2017-8840 (Debug information disclosure exists on Peplink Balance 305, 380, 580, ...) NOT-FOR-US: Peplink Balance devices CVE-2017-8839 (XSS via orig_url exists on Peplink Balance 305, 380, 580, 710, 1350, a ...) NOT-FOR-US: Peplink Balance devices CVE-2017-8838 (XSS via syncid exists on Peplink Balance 305, 380, 580, 710, 1350, and ...) NOT-FOR-US: Peplink Balance devices CVE-2017-8837 (Cleartext password storage exists on Peplink Balance 305, 380, 580, 71 ...) NOT-FOR-US: Peplink Balance devices CVE-2017-8836 (CSRF exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devi ...) NOT-FOR-US: Peplink Balance devices CVE-2017-8835 (SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and ...) NOT-FOR-US: Peplink Balance devices CVE-2016-10370 (An issue was discovered on OnePlus devices such as the 3T. The OnePlus ...) NOT-FOR-US: OnePlus CVE-2016-10369 (unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a so ...) {DLA-935-1} - lxterminal 0.3.0-2 (low; bug #862098) [jessie] - lxterminal 0.2.0-1+deb8u1 NOTE: Fixed by: https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648 CVE-2017-8834 (The cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 a ...) - libcroco (bug #864666; low) [buster] - libcroco (Minor issue) [stretch] - libcroco (Minor issue) [jessie] - libcroco (Minor issue) [wheezy] - libcroco (Vulnerable code not present) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=782647 CVE-2017-8833 (Zen Cart 1.6.0 has XSS in the main_page parameter to index.php. NOTE: ...) NOT-FOR-US: Zen Cart CVE-2017-8832 (Allen Disk 1.6 has XSS in the id parameter to downfile.php. ...) NOT-FOR-US: Allen Disk CVE-2017-8831 (The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus. ...) {DLA-1200-1} - linux 4.12.6-1 [stretch] - linux 4.9.47-1 [jessie] - linux 3.16.51-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=195559 CVE-2017-8830 (In ImageMagick 7.0.5-6, the ReadBMPImage function in bmp.c:1379 allows ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (low; bug #862637) NOTE: https://github.com/ImageMagick/ImageMagick/issues/467 CVE-2017-8828 RESERVED CVE-2017-8827 (forgotpassword.php in GeniXCMS 1.0.2 lacks a rate limit, which might a ...) NOT-FOR-US: GenixCMS CVE-2017-8826 (FastStone Image Viewer 6.2 has a "User Mode Write AV" issue, possibly ...) NOT-FOR-US: FastStone Image Viewer CVE-2017-8825 (A null dereference vulnerability has been found in the MIME handling c ...) - libetpan 1.6-3 (bug #862151) [jessie] - libetpan (Minor issue) [wheezy] - libetpan (Minor issue) NOTE: https://github.com/dinhviethoa/libetpan/commit/1fe8fbc032ccda1db9af66d93016b49c16c1f22d NOTE: https://github.com/dinhviethoa/libetpan/issues/274 CVE-2017-8824 (The dccp_disconnect function in net/dccp/proto.c in the Linux kernel t ...) {DSA-4082-1 DSA-4073-1 DLA-1200-1} - linux 4.14.7-1 NOTE: http://lists.openwall.net/netdev/2017/12/04/224 NOTE: Fixed by: https://git.kernel.org/linus/69c64866ce072dea1d1e59a0d61e0f66c0dffb76 CVE-2017-8823 (In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 bef ...) {DSA-4054-1} - tor 0.3.1.9-1 [wheezy] - tor (Not supported in wheezy LTS) NOTE: https://bugs.torproject.org/24313 NOTE: https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516 CVE-2017-8822 (In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 bef ...) {DSA-4054-1} - tor 0.3.1.9-1 [wheezy] - tor (Not supported in wheezy LTS) NOTE: https://bugs.torproject.org/21534 NOTE: https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516 CVE-2017-8821 (In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 bef ...) {DSA-4054-1} - tor 0.3.1.9-1 [wheezy] - tor (Not supported in wheezy LTS) NOTE: https://bugs.torproject.org/24246 NOTE: https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516 CVE-2017-8820 (In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 bef ...) {DSA-4054-1} - tor 0.3.1.9-1 [wheezy] - tor (Not supported in wheezy LTS) NOTE: https://bugs.torproject.org/24245 NOTE: https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516 CVE-2017-8819 (In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 bef ...) {DSA-4054-1} - tor 0.3.1.9-1 [wheezy] - tor (Not supported in wheezy LTS) NOTE: https://bugs.torproject.org/24244 NOTE: https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516 CVE-2017-8818 (curl and libcurl before 7.57.0 on 32-bit platforms allow attackers to ...) - curl 7.57.0-1 [stretch] - curl (Vulnerable code not present) [jessie] - curl (Vulnerable code not present) [wheezy] - curl (Vulnerable code not present) NOTE: https://curl.haxx.se/docs/adv_2017-af0a.html NOTE: https://curl.haxx.se/CVE-2017-8818.patch CVE-2017-8817 (The FTP wildcard function in curl and libcurl before 7.57.0 allows rem ...) {DSA-4051-1 DLA-1195-1} - curl 7.57.0-1 NOTE: https://curl.haxx.se/docs/adv_2017-ae72.html NOTE: https://curl.haxx.se/CVE-2017-8817.patch CVE-2017-8816 (The NTLM authentication feature in curl and libcurl before 7.57.0 on 3 ...) {DSA-4051-1} - curl 7.57.0-1 [wheezy] - curl (Vulnerable code not present, introduced in 7.36.0) NOTE: https://curl.haxx.se/docs/adv_2017-11e7.html NOTE: https://curl.haxx.se/CVE-2017-8816.patch CVE-2017-8815 (The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28. ...) {DSA-4036-1} - mediawiki 1:1.27.4-1 [wheezy] - mediawiki (Not supported in wheezy LTS) NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html NOTE: https://phabricator.wikimedia.org/T119158 CVE-2017-8814 (The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28. ...) {DSA-4036-1} - mediawiki 1:1.27.4-1 [wheezy] - mediawiki (Not supported in wheezy LTS) NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html NOTE: https://phabricator.wikimedia.org/T124404 CVE-2017-8813 REJECTED CVE-2017-8812 (MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29. ...) {DSA-4036-1} - mediawiki 1:1.27.4-1 [wheezy] - mediawiki (Not supported in wheezy LTS) NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html NOTE: https://phabricator.wikimedia.org/T125163 CVE-2017-8811 (The implementation of raw message parameter expansion in MediaWiki bef ...) {DSA-4036-1} - mediawiki 1:1.27.4-1 [wheezy] - mediawiki (Not supported in wheezy LTS) NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html NOTE: https://phabricator.wikimedia.org/T176247 CVE-2017-8810 (MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29. ...) {DSA-4036-1} - mediawiki 1:1.27.4-1 [wheezy] - mediawiki (Not supported in wheezy LTS) NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html NOTE: https://phabricator.wikimedia.org/T134100 CVE-2017-8809 (api.php in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x b ...) {DSA-4036-1} - mediawiki 1:1.27.4-1 [wheezy] - mediawiki (Not supported in wheezy LTS) NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html NOTE: https://phabricator.wikimedia.org/T128209 CVE-2017-8808 (MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29. ...) {DSA-4036-1} - mediawiki 1:1.27.4-1 [wheezy] - mediawiki (Not supported in wheezy LTS) NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html NOTE: https://phabricator.wikimedia.org/T178451 CVE-2017-8807 (vbf_stp_error in bin/varnishd/cache/cache_fetch.c in Varnish HTTP Cach ...) {DSA-4034-1} - varnish 5.2.1-1 (bug #881808) [jessie] - varnish (Vulnerable code not present, issue introduced in 4.1.0) [wheezy] - varnish (Vulnerable code not present, issue introduced in 4.1.0) NOTE: http://varnish-cache.org/security/VSV00002.html NOTE: https://github.com/varnishcache/varnish-cache/pull/2429 NOTE: Fixed by: https://github.com/varnishcache/varnish-cache/commit/176f8a075a CVE-2017-8806 (The Debian pg_ctlcluster, pg_createcluster, and pg_upgradecluster scri ...) {DSA-4029-1 DLA-1169-1} - postgresql-common 188 CVE-2017-8805 (Debian ftpsync before 20171017 does not use the rsync --safe-links opt ...) - archvsync 20171017 NOTE: http://www.openwall.com/lists/oss-security/2017/10/17/2 NOTE: https://anonscm.debian.org/cgit/mirror/archvsync.git/commit/?id=d1ca2ab2210990b6dfb664cd6776a41b71c48016 CVE-2017-1000041 REJECTED CVE-2017-1000040 REJECTED CVE-2017-1000019 REJECTED CVE-2016-1000393 REJECTED CVE-2016-1000373 REJECTED CVE-2016-1000372 REJECTED CVE-2016-1000371 REJECTED CVE-2016-1000370 REJECTED CVE-2016-1000369 REJECTED CVE-2016-1000368 REJECTED CVE-2016-1000367 REJECTED CVE-2016-1000366 REJECTED CVE-2016-1000365 REJECTED CVE-2016-1000364 REJECTED CVE-2016-1000363 REJECTED CVE-2016-1000362 REJECTED CVE-2016-1000361 REJECTED CVE-2016-1000360 REJECTED CVE-2016-1000338 (In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does no ...) {DLA-1418-1} - bouncycastle 1.56-1 NOTE: https://github.com/bcgit/bc-java/commit/b0c3ce99d43d73a096268831d0d120ffc89eac7f#diff-3679f5a9d2b939d0d3ee1601a7774fb0 CVE-2017-8829 (Deserialization vulnerability in lintian through 2.5.50.3 allows attac ...) - lintian 2.5.50.4 (bug #861958) [jessie] - lintian (upstream/metadata check introduced in 2.5.41; vulnerable code not present) [wheezy] - lintian (upstream/metadata check introduced in 2.5.41; vulnerable code not present) CVE-2017-8804 (The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc ...) NOTE: This is not a vulnerability in glibc, but a bug in the application, see NOTE: https://sourceware.org/ml/libc-alpha/2017-05/msg00128.html and NOTE: https://sourceware.org/ml/libc-alpha/2017-05/msg00129.html NOTE: http://www.openwall.com/lists/oss-security/2017/05/05/2 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21461 CVE-2017-8803 (Notepad++ 7.3.3 (32-bit) with Hex Editor Plugin v0.9.5 might allow use ...) NOT-FOR-US: Notepad++ CVE-2017-8802 (Cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite ...) NOT-FOR-US: Zimbra CVE-2017-8801 (Trend Micro OfficeScan 11.0 before SP1 CP 6325 (with Agent Module Buil ...) NOT-FOR-US: Trend Micro CVE-2017-8800 RESERVED CVE-2017-8799 (Untrusted input execution via igetwild in all iRODS versions before 4. ...) NOT-FOR-US: iRODS CVE-2017-8798 (Integer signedness error in MiniUPnP MiniUPnPc v1.4.20101221 through v ...) {DLA-2197-1 DLA-949-1} - miniupnpc 1.9.20140610-3 (bug #862273) NOTE: https://github.com/tintinweb/pub/blob/master/pocs/cve-2017-8798/Readme.md NOTE: Fixed by: https://github.com/miniupnp/miniupnp/commit/f0f1f4b22d6a98536377a1bb07e7c20e4703d229 CVE-2017-8797 (The NFSv4 server in the Linux kernel before 4.11.3 does not properly v ...) - linux 4.9.30-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/b550a32e60a4941994b437a8d662432a486235a5 (4.12-rc1) NOTE: Fixed by: https://git.kernel.org/linus/f961e3f2acae94b727380c0b74e2d3954d0edf79 (4.12-rc1) CVE-2017-8796 (An issue was discovered on Accellion FTA devices before FTA_9_12_180. ...) NOT-FOR-US: Accellion FTA devices CVE-2017-8795 (An issue was discovered on Accellion FTA devices before FTA_9_12_180. ...) NOT-FOR-US: Accellion FTA devices CVE-2017-8794 (An issue was discovered on Accellion FTA devices before FTA_9_12_180. ...) NOT-FOR-US: Accellion FTA devices CVE-2017-8793 (An issue was discovered on Accellion FTA devices before FTA_9_12_180. ...) NOT-FOR-US: Accellion FTA devices CVE-2017-8792 (An issue was discovered on Accellion FTA devices before FTA_9_12_180. ...) NOT-FOR-US: Accellion FTA devices CVE-2017-8791 (An issue was discovered on Accellion FTA devices before FTA_9_12_180. ...) NOT-FOR-US: Accellion FTA devices CVE-2017-8790 (An issue was discovered on Accellion FTA devices before FTA_9_12_180. ...) NOT-FOR-US: Accellion FTA devices CVE-2017-8789 (An issue was discovered on Accellion FTA devices before FTA_9_12_180. ...) NOT-FOR-US: Accellion FTA devices CVE-2017-8788 (An issue was discovered on Accellion FTA devices before FTA_9_12_180. ...) NOT-FOR-US: Accellion FTA devices CVE-2017-8787 (The PoDoFo::PdfXRefStreamParserObject::ReadXRefStreamEntry function in ...) - libpodofo 0.9.5-7 (bug #861738) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: Possible unspecified impact. Needs further analysis. NOTE: Upstream commit: https://sourceforge.net/p/podofo/code/1851 CVE-2017-8786 (pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial o ...) - pcre2 10.31-1 (unimportant; bug #861873) NOTE: https://bugs.exim.org/show_bug.cgi?id=2079 NOTE: https://blogs.gentoo.org/ago/2017/04/29/libpcre-heap-based-buffer-overflow-write-in-pcre2test-c/ NOTE: https://vcs.pcre.org/pcre2/code/trunk/src/pcre2test.c?r1=692&r2=697 CVE-2017-8785 (FastStone Image Viewer 6.2 has a "Data from Faulting Address may be us ...) NOT-FOR-US: FastStone Image Viewer CVE-2017-8784 REJECTED CVE-2017-8783 (Synacor Zimbra Collaboration Suite (ZCS) before 8.7.10 has Persistent ...) NOT-FOR-US: Zimbra CVE-2017-8782 (The readString function in util/read.c and util/old/read.c in libming ...) {DLA-980-1} - ming NOTE: https://github.com/libming/libming/issues/70 CVE-2017-8781 (XnView Classic for Windows Version 2.40 allows user-assisted remote at ...) NOT-FOR-US: XnView CVE-2017-8780 (GeniXCMS 1.0.2 has XSS triggered by a comment that is mishandled durin ...) NOT-FOR-US: GenixCMS CVE-2017-8778 (GitLab before 8.14.9, 8.15.x before 8.15.6, and 8.16.x before 8.16.5 h ...) - gitlab (SVG rendering feature introduced later, cf. bug #861870) NOTE: https://gitlab.com/gitlab-org/gitlab-ce/issues/27471 CVE-2017-8777 (Open-Xchange GmbH OX Cloud Plugins 1.4.0 and earlier is affected by: M ...) NOT-FOR-US: Open-Xchange GmbH OX Cloud Plugins CVE-2017-8779 (rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0 ...) {DSA-3845-1 DLA-937-1 DLA-936-1} - rpcbind 0.2.3-0.6 (bug #861835) - libtirpc 0.2.5-1.2 (bug #861834) - ntirpc 1.4.4-1 (bug #861836) NOTE: http://www.openwall.com/lists/oss-security/2017/05/04/1 NOTE: https://github.com/guidovranken/rpcbomb/ CVE-2017-8776 (Quick Heal Internet Security 10.1.0.316, Quick Heal Total Security 10. ...) NOT-FOR-US: Quick Heal Internet Security CVE-2017-8775 (Quick Heal Internet Security 10.1.0.316, Quick Heal Total Security 10. ...) NOT-FOR-US: Quick Heal Internet Security CVE-2017-8774 (Quick Heal Internet Security 10.1.0.316, Quick Heal Total Security 10. ...) NOT-FOR-US: Quick Heal Internet Security CVE-2017-8773 (Quick Heal Internet Security 10.1.0.316, Quick Heal Total Security 10. ...) NOT-FOR-US: Quick Heal Internet Security CVE-2017-8772 (On BE126 WIFI repeater 1.0 devices, an attacker can log into telnet (w ...) NOT-FOR-US: BE126 WIFI repeater CVE-2017-8771 (On BE126 WIFI repeater 1.0 devices, an attacker can log into telnet (w ...) NOT-FOR-US: BE126 WIFI repeater CVE-2017-8770 (There is LFD (local file disclosure) on BE126 WIFI repeater 1.0 device ...) NOT-FOR-US: BE126 WIFI repeater CVE-2017-8769 (** DISPUTED ** Facebook WhatsApp Messenger before 2.16.323 for Android ...) NOT-FOR-US: WhatsApp Messenger CVE-2017-8768 (Atlassian SourceTree v2.5c and prior are affected by a command injecti ...) NOT-FOR-US: Atlassian SourceTree CVE-2017-8767 REJECTED CVE-2017-8766 (IrfanView version 4.44 (32bit) allows remote attackers to execute code ...) NOT-FOR-US: IrfanView CVE-2017-8765 (The function named ReadICONImage in coders\icon.c in ImageMagick 7.0.5 ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (low; bug #862653) NOTE: https://github.com/ImageMagick/ImageMagick/issues/466 CVE-2017-8764 RESERVED CVE-2017-8763 (Cross-site scripting (XSS) vulnerability in modules/Base/Box/check_for ...) NOT-FOR-US: EPESI CVE-2017-8762 (GeniXCMS 1.0.2 has XSS triggered by an authenticated user who submits ...) NOT-FOR-US: GenixCMS CVE-2017-8761 [Swift tempurl middleware reveals signatures in the logfiles] RESERVED - swift [buster] - swift (Minor issue) [stretch] - swift (Minor issue) [jessie] - swift (Not supported in Jessie LTS) NOTE: https://bugs.launchpad.net/swift/+bug/1685798 CVE-2017-8760 (An issue was discovered on Accellion FTA devices before FTA_9_12_180. ...) NOT-FOR-US: Accellion FTA devices CVE-2017-8759 (Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and ...) NOT-FOR-US: Microsoft CVE-2017-8758 (Microsoft Exchange Server 2016 allows an elevation of privilege vulner ...) NOT-FOR-US: Microsoft CVE-2017-8757 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Win ...) NOT-FOR-US: Microsoft CVE-2017-8756 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Win ...) NOT-FOR-US: Microsoft CVE-2017-8755 (Microsoft Edge in Microsoft Windows 10 1511, 1607, 1703, and Windows S ...) NOT-FOR-US: Microsoft CVE-2017-8754 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Win ...) NOT-FOR-US: Microsoft CVE-2017-8753 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Win ...) NOT-FOR-US: Microsoft CVE-2017-8752 (Microsoft Edge in Microsoft Windows 10 1511, 1607, 1703, and Windows S ...) NOT-FOR-US: Apache Atlas CVE-2017-8751 (Microsoft Edge in Microsoft Windows 1703 allows an attacker to execute ...) NOT-FOR-US: Microsoft CVE-2017-8750 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 S ...) NOT-FOR-US: Microsoft CVE-2017-8749 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-8748 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 S ...) NOT-FOR-US: Microsoft CVE-2017-8747 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 S ...) NOT-FOR-US: Microsoft CVE-2017-8746 (Windows Device Guard in Windows 10 1607, 1703, and Windows Server 2016 ...) NOT-FOR-US: Microsoft CVE-2017-8745 (An elevation of privilege vulnerability exists in Microsoft SharePoint ...) NOT-FOR-US: Microsoft CVE-2017-8744 (A remote code execution vulnerability exists in Excel Services, Micros ...) NOT-FOR-US: Microsoft CVE-2017-8743 (A remote code execution vulnerability exists in Microsoft PowerPoint 2 ...) NOT-FOR-US: Microsoft CVE-2017-8742 (A remote code execution vulnerability exists in Microsoft PowerPoint 2 ...) NOT-FOR-US: Microsoft CVE-2017-8741 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-8740 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to exec ...) NOT-FOR-US: Microsoft CVE-2017-8739 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to obta ...) NOT-FOR-US: Microsoft CVE-2017-8738 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and Windows S ...) NOT-FOR-US: Microsoft CVE-2017-8737 (Microsoft Windows PDF Library in Microsoft Windows 8.1 and Windows RT ...) NOT-FOR-US: Microsoft CVE-2017-8736 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 S ...) NOT-FOR-US: Microsoft CVE-2017-8735 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Win ...) NOT-FOR-US: Microsoft CVE-2017-8734 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Win ...) NOT-FOR-US: Microsoft CVE-2017-8733 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-8732 RESERVED CVE-2017-8731 (Microsoft Edge in Microsoft Windows 10 1607 and Windows Server 2016 al ...) NOT-FOR-US: Microsoft CVE-2017-8730 RESERVED CVE-2017-8729 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to exec ...) NOT-FOR-US: Microsoft CVE-2017-8728 (Microsoft Windows PDF Library in Microsoft Windows 8.1 and Windows RT ...) NOT-FOR-US: Microsoft CVE-2017-8727 (Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2017-8726 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Win ...) NOT-FOR-US: Microsoft CVE-2017-8725 (A remote code execution vulnerability exists in Microsoft Publisher 20 ...) NOT-FOR-US: Microsoft CVE-2017-8724 (Microsoft Edge in Microsoft Windows 10 Version 1703 allows an attacker ...) NOT-FOR-US: Microsoft CVE-2017-8723 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Win ...) NOT-FOR-US: Microsoft CVE-2017-8722 RESERVED CVE-2017-8721 RESERVED CVE-2017-8720 (The Microsoft Windows graphics component on Microsoft Windows Server 2 ...) NOT-FOR-US: Microsoft CVE-2017-8719 (The Windows kernel component on Microsoft Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-8718 (The Microsoft JET Database Engine in Windows Server 2008 SP2 and R2 SP ...) NOT-FOR-US: Microsoft CVE-2017-8717 (The Microsoft JET Database Engine in Windows Server 2008 SP2 and R2 SP ...) NOT-FOR-US: Microsoft CVE-2017-8716 (Windows Control Flow Guard in Microsoft Windows 10 Version 1703 allows ...) NOT-FOR-US: Microsoft CVE-2017-8715 (The Microsoft Device Guard on Microsoft Windows 10 Gold, 1511, 1607, a ...) NOT-FOR-US: Microsoft CVE-2017-8714 (The Windows Hyper-V component on Microsoft Windows 8.1, Windows Server ...) NOT-FOR-US: Microsoft CVE-2017-8713 (The Windows Hyper-V component on Microsoft Windows Windows 8.1, Window ...) NOT-FOR-US: Microsoft CVE-2017-8712 (The Windows Hyper-V component on Microsoft Windows 10 1607, 1703, and ...) NOT-FOR-US: Microsoft CVE-2017-8711 (The Windows Hyper-V component on Microsoft Windows 10 1607 and Windows ...) NOT-FOR-US: Microsoft CVE-2017-8710 (The Microsoft Common Console Document (.msc) in Microsoft Windows 7 SP ...) NOT-FOR-US: Microsoft CVE-2017-8709 (The Windows kernel component on Microsoft Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-8708 (The Windows kernel component on Microsoft Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-8707 (The Windows Hyper-V component on Microsoft Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-8706 (The Windows Hyper-V component on Microsoft Windows 10 Gold, 1511, 1607 ...) NOT-FOR-US: Microsoft CVE-2017-8705 RESERVED CVE-2017-8704 (The Windows Hyper-V component on Microsoft Windows 10 1607 and Windows ...) NOT-FOR-US: Microsoft CVE-2017-8703 (The Microsoft Windows Subsystem for Linux on Microsoft Windows 10 1703 ...) NOT-FOR-US: Microsoft CVE-2017-8702 (Windows Error Reporting (WER) in Microsoft Windows 10 Gold, 1511, and ...) NOT-FOR-US: Microsoft CVE-2017-8701 RESERVED CVE-2017-8700 (ASP.NET Core 1.0, 1.1, and 2.0 allow an attacker to bypass Cross-origi ...) NOT-FOR-US: Microsoft CVE-2017-8699 (Windows Shell in Microsoft Windows 7 SP1, Windows Server 2008 and R2 S ...) NOT-FOR-US: Microsoft CVE-2017-8698 RESERVED CVE-2017-8697 RESERVED CVE-2017-8696 (Windows Uniscribe in Microsoft Windows Server 2008 SP2 and R2 SP1; Win ...) NOT-FOR-US: Microsoft CVE-2017-8695 (Windows Uniscribe in Microsoft Windows Server 2008 SP2 and R2 SP1; Win ...) NOT-FOR-US: Microsoft CVE-2017-8694 (The Microsoft Windows Kernel Mode Driver on Microsoft Windows Server 2 ...) NOT-FOR-US: Microsoft CVE-2017-8693 (The Microsoft Graphics Component on Microsoft Windows 10 Gold, 1511, 1 ...) NOT-FOR-US: Microsoft CVE-2017-8692 (The Windows Uniscribe component on Microsoft Windows 8.1, Windows Serv ...) NOT-FOR-US: Microsoft CVE-2017-8691 (Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allow an attacke ...) NOT-FOR-US: Microsoft Windows CVE-2017-8690 RESERVED CVE-2017-8689 (The Microsoft Windows Kernel Mode Driver on Microsoft Windows Server 2 ...) NOT-FOR-US: Microsoft CVE-2017-8688 (Windows GDI+ on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows ...) NOT-FOR-US: Microsoft CVE-2017-8687 (The Windows kernel component on Microsoft Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-8686 (The Windows Server DHCP service in Windows Server 2012 Gold and R2, an ...) NOT-FOR-US: Microsoft CVE-2017-8685 (Windows GDI+ on Microsoft Windows Server 2008 SP2 and R2 SP1, and Wind ...) NOT-FOR-US: Microsoft CVE-2017-8684 (Windows GDI+ on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows ...) NOT-FOR-US: Microsoft CVE-2017-8683 (Windows graphics on Microsoft Windows Server 2008 SP2 and R2 SP1, Wind ...) NOT-FOR-US: Microsoft CVE-2017-8682 (Windows graphics on Microsoft Windows Server 2008 SP2 and R2 SP1, Wind ...) NOT-FOR-US: Microsoft CVE-2017-8681 (The Windows kernel component on Microsoft Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-8680 (The Windows kernel component on Microsoft Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-8679 (The Windows kernel component on Microsoft Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-8678 (The Windows kernel component on Microsoft Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-8677 (The Windows GDI+ component on Microsoft Windows Server 2008 SP2 and R2 ...) NOT-FOR-US: Microsoft CVE-2017-8676 (The Windows Graphics Device Interface (GDI) in Microsoft Windows Serve ...) NOT-FOR-US: Microsoft CVE-2017-8675 (The Windows Kernel-Mode Drivers component on Microsoft Windows Server ...) NOT-FOR-US: Microsoft CVE-2017-8674 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to exec ...) NOT-FOR-US: Microsoft CVE-2017-8673 (The Remote Desktop Protocol (RDP) implementation in Microsoft Windows ...) NOT-FOR-US: Microsoft CVE-2017-8672 (Microsoft Edge in Microsoft Windows 10 1511, 1607, 1703, and Windows S ...) NOT-FOR-US: Microsoft CVE-2017-8671 (Microsoft Edge in Microsoft Windows 10 1511, 1607, 1703, and Windows S ...) NOT-FOR-US: Microsoft CVE-2017-8670 (Microsoft Edge in Microsoft Windows 10 1607, 1703, and Windows Server ...) NOT-FOR-US: Microsoft CVE-2017-8669 (Microsoft browsers in Microsoft Windows 7 SP1, Windows Server 2008 R2 ...) NOT-FOR-US: Microsoft CVE-2017-8668 (The Volume Manager Extension Driver in Microsoft Windows 7 SP1, Window ...) NOT-FOR-US: Microsoft CVE-2017-8667 RESERVED CVE-2017-8666 (Microsoft Win32k in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, ...) NOT-FOR-US: Microsoft CVE-2017-8665 (The Xamarin.iOS update component on systems running macOS allows an at ...) NOT-FOR-US: Xamarin.iOS CVE-2017-8664 (Windows Hyper-V in Windows 8.1, Windows Server 2012 Gold and R2, Windo ...) NOT-FOR-US: Microsoft CVE-2017-8663 (Microsoft Outlook 2007 SP3, Outlook 2010 SP2, Outlook 2013 SP1, Outloo ...) NOT-FOR-US: Microsoft CVE-2017-8662 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to disc ...) NOT-FOR-US: Microsoft CVE-2017-8661 (Microsoft Edge in Microsoft Windows 10 1607, 1703, and Windows Server ...) NOT-FOR-US: Microsoft CVE-2017-8660 (Microsoft Edge in Microsoft Windows 10 1511, 1607, 1703, and Windows S ...) NOT-FOR-US: Microsoft CVE-2017-8659 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to obta ...) NOT-FOR-US: Microsoft CVE-2017-8658 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2017-8657 (Microsoft Edge in Microsoft Windows 10 1511, 1607, 1703, and Windows S ...) NOT-FOR-US: Microsoft CVE-2017-8656 (Microsoft Edge in Microsoft Windows 10 1607, 1703, and Windows Server ...) NOT-FOR-US: Microsoft CVE-2017-8655 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Win ...) NOT-FOR-US: Microsoft CVE-2017-8654 (Microsoft SharePoint Server 2010 Service Pack 2 allows a cross-site sc ...) NOT-FOR-US: Microsoft CVE-2017-8653 (Microsoft browsers in Microsoft Windows 7 SP1, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-8652 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Win ...) NOT-FOR-US: Microsoft CVE-2017-8651 (Internet Explorer in Microsoft Windows Server 2008 SP2 and Windows Ser ...) NOT-FOR-US: Microsoft CVE-2017-8650 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to expl ...) NOT-FOR-US: Microsoft CVE-2017-8649 (Microsoft Edge in Microsoft Windows 10 1607, 1703, and Windows Server ...) NOT-FOR-US: Microsoft CVE-2017-8648 (Microsoft Edge in Microsoft Windows Version 1703 allows an attacker to ...) NOT-FOR-US: Microsoft CVE-2017-8647 (Microsoft Edge in Windows 10 1703 allows an attacker to execute arbitr ...) NOT-FOR-US: Microsoft CVE-2017-8646 (Microsoft Edge in Windows 10 1511, 1607, 1703, and Windows Server 2016 ...) NOT-FOR-US: Microsoft CVE-2017-8645 (Microsoft Edge in Windows 10 1511, 1607, 1703, and Windows Server 2016 ...) NOT-FOR-US: Microsoft CVE-2017-8644 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Win ...) NOT-FOR-US: Microsoft CVE-2017-8643 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Win ...) NOT-FOR-US: Microsoft CVE-2017-8642 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to elev ...) NOT-FOR-US: Microsoft CVE-2017-8641 (Microsoft browsers in Microsoft Windows 7 SP1, Windows Server 2008 R2 ...) NOT-FOR-US: Microsoft CVE-2017-8640 (Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, and Windows Serve ...) NOT-FOR-US: Microsoft CVE-2017-8639 (Microsoft Edge in Windows 10 1607, 1703, and Windows Server 2016 allow ...) NOT-FOR-US: Microsoft CVE-2017-8638 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to exec ...) NOT-FOR-US: Microsoft CVE-2017-8637 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to bypa ...) NOT-FOR-US: Microsoft CVE-2017-8636 (Microsoft browsers in Microsoft Windows 7 SP1, Windows Server 2008 R2 ...) NOT-FOR-US: Microsoft CVE-2017-8635 (Microsoft browsers in Microsoft Windows 7 SP1, Windows Server 2008 R2 ...) NOT-FOR-US: MIcrosoft CVE-2017-8634 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to exec ...) NOT-FOR-US: Microsoft CVE-2017-8633 (Windows Error Reporting (WER) in Windows Server 2008 SP2 and R2 SP1, W ...) NOT-FOR-US: Microsoft CVE-2017-8632 (A remote code execution vulnerability exists in Microsoft Excel 2010 S ...) NOT-FOR-US: Microsoft CVE-2017-8631 (A remote code execution vulnerability exists in Excel Services, Micros ...) NOT-FOR-US: Microsoft CVE-2017-8630 (Microsoft Office 2016 allows a remote code execution vulnerability whe ...) NOT-FOR-US: Microsoft CVE-2017-8629 (Microsoft SharePoint Server 2013 Service Pack 1 allows an elevation of ...) NOT-FOR-US: Microsoft CVE-2017-8628 (Microsoft Bluetooth Driver in Windows Server 2008 SP2, Windows 7 SP1, ...) NOT-FOR-US: Microsoft Windows NOTE: https://www.armis.com/blueborne/ CVE-2017-8627 (Windows Subsystem for Linux in Windows 10 1703, allows a denial of ser ...) NOT-FOR-US: Microsoft CVE-2017-8626 RESERVED CVE-2017-8625 (Internet Explorer in Windows 10 Gold, 1511, 1607, 1703, and Windows Se ...) NOT-FOR-US: Microsoft CVE-2017-8624 (CLFS in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 ...) NOT-FOR-US: Microsoft CVE-2017-8623 (Windows Hyper-V in Windows 10 1607, 1703, and Windows Server 2016 allo ...) NOT-FOR-US: Microsoft CVE-2017-8622 (Windows Subsystem for Linux in Windows 10 1703 allows an elevation of ...) NOT-FOR-US: Microsoft CVE-2017-8621 (Microsoft Exchange Server 2010 SP3, Exchange Server 2013 SP3, Exchange ...) NOT-FOR-US: Microsoft CVE-2017-8620 (Windows Search in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, W ...) NOT-FOR-US: Microsoft CVE-2017-8619 (Microsoft Edge on Windows 10 Gold, 1511, 1607, and 1703, and Windows S ...) NOT-FOR-US: Microsoft CVE-2017-8618 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 S ...) NOT-FOR-US: Microsoft CVE-2017-8617 (Microsoft Edge in Windows 10 1703 Microsoft Edge allows a remote code ...) NOT-FOR-US: Microsoft CVE-2017-8616 RESERVED CVE-2017-8615 RESERVED CVE-2017-8614 RESERVED CVE-2017-8613 (Azure AD Connect Password writeback, if misconfigured during enablemen ...) NOT-FOR-US: Azure AD Connect Password writeback CVE-2017-8612 RESERVED CVE-2017-8611 (Microsoft Edge on Microsoft Windows 10 Gold, 1511, 1607, and 1703, and ...) NOT-FOR-US: Microsoft CVE-2017-8610 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to exec ...) NOT-FOR-US: Microsoft CVE-2017-8609 (Microsoft Internet Explorer in Microsoft Windows 10 Gold, 1511, 1607, ...) NOT-FOR-US: Microsoft CVE-2017-8608 (Microsoft browsers in Microsoft Windows Server 2008 and R2, Windows 8. ...) NOT-FOR-US: Microsoft CVE-2017-8607 (Microsoft browsers in Microsoft Windows 7, Windows Server 2008 and R2, ...) NOT-FOR-US: Microsoft CVE-2017-8606 (Microsoft browsers in Microsoft Windows 7, Windows Server 2008 and R2, ...) NOT-FOR-US: Microsoft CVE-2017-8605 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and ...) NOT-FOR-US: Microsoft CVE-2017-8604 (Microsoft Edge in Microsoft Windows 10 1511, 1607, and 1703, and Windo ...) NOT-FOR-US: Microsoft CVE-2017-8603 (Microsoft Edge in Microsoft Windows 10 1511, 1607, and 1703, and Windo ...) NOT-FOR-US: Microsoft CVE-2017-8602 (Microsoft browsers on Microsoft Windows 7 SP1, Windows Server 2008 R2 ...) NOT-FOR-US: Microsoft CVE-2017-8601 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and ...) NOT-FOR-US: Microsoft CVE-2017-8600 RESERVED CVE-2017-8599 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and ...) NOT-FOR-US: Microsoft CVE-2017-8598 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and ...) NOT-FOR-US: Microsoft CVE-2017-8597 (Microsoft Edge in Microsoft Windows 10 Version 1703 allows an attacker ...) NOT-FOR-US: Microsoft CVE-2017-8596 (Microsoft Edge in Microsoft Windows 10 1607, and 1703, and Windows Ser ...) NOT-FOR-US: Microsoft CVE-2017-8595 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and ...) NOT-FOR-US: Microsoft CVE-2017-8594 (Internet Explorer on Microsoft Windows 8.1 and Windows RT 8.1, and Win ...) NOT-FOR-US: Microsoft CVE-2017-8593 (Microsoft Win32k in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, ...) NOT-FOR-US: Microsoft CVE-2017-8592 (Microsoft browsers on when Microsoft Windows 7 SP1, Windows Server 200 ...) NOT-FOR-US: Microsoft CVE-2017-8591 (Windows Input Method Editor (IME) in Windows 8.1, Windows Server 2012 ...) NOT-FOR-US: Microsoft CVE-2017-8590 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2017-8589 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2017-8588 (Microsoft WordPad in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1 ...) NOT-FOR-US: Microsoft CVE-2017-8587 (Windows Explorer in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, ...) NOT-FOR-US: Microsoft CVE-2017-8586 RESERVED CVE-2017-8585 (Microsoft .NET Framework 4.6, 4.6.1, 4.6.2, and 4.7 allow an attacker ...) NOT-FOR-US: Microsoft CVE-2017-8584 (Windows 10 1607 and Windows Server 2016 allow an attacker to execute c ...) NOT-FOR-US: Microsoft CVE-2017-8583 RESERVED CVE-2017-8582 (HTTP.sys in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP ...) NOT-FOR-US: Microsoft CVE-2017-8581 (Win32k in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, ...) NOT-FOR-US: Microsoft CVE-2017-8580 (Win32k in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, ...) NOT-FOR-US: Microsoft CVE-2017-8579 (The DirectX component in Microsoft Windows 10 Gold, 1511, 1607, 1703, ...) NOT-FOR-US: Microsoft CVE-2017-8578 (Win32k in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, ...) NOT-FOR-US: Microsoft CVE-2017-8577 (Win32k in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, ...) NOT-FOR-US: Microsoft CVE-2017-8576 (The graphics component in Microsoft Windows 10 Gold, 1511, 1607, 1703, ...) NOT-FOR-US: Microsoft CVE-2017-8575 (The kernel in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Windows ...) NOT-FOR-US: Windows CVE-2017-8574 (Graphics in Microsoft Windows 10 1607, 1703, and Windows Server 2016 a ...) NOT-FOR-US: Microsoft CVE-2017-8573 (Graphics in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP ...) NOT-FOR-US: Microsoft CVE-2017-8572 (Microsoft Outlook 2007 SP3, Outlook 2010 SP2, Outlook 2013 SP1, Outloo ...) NOT-FOR-US: Microsoft CVE-2017-8571 (Microsoft Outlook 2007 SP3, Outlook 2010 SP2, Outlook 2013 SP1, Outloo ...) NOT-FOR-US: Microsoft CVE-2017-8570 (Microsoft Office allows a remote code execution vulnerability due to t ...) NOT-FOR-US: Microsoft CVE-2017-8569 (Microsoft SharePoint Server allows an elevation of privilege vulnerabi ...) NOT-FOR-US: Microsoft CVE-2017-8568 RESERVED CVE-2017-8567 (A remote code execution vulnerability exists in Microsoft Excel for Ma ...) NOT-FOR-US: Microsoft CVE-2017-8566 (Microsoft Windows 1607, 1703, and Windows Server 2016 allows an elevat ...) NOT-FOR-US: Microsoft CVE-2017-8565 (Windows PowerShell in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP ...) NOT-FOR-US: Microsoft CVE-2017-8564 (Windows kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Window ...) NOT-FOR-US: Microsoft CVE-2017-8563 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2017-8562 (Microsoft Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, ...) NOT-FOR-US: Microsoft CVE-2017-8561 (Windows kernel in Microsoft Windows 8.1, Windows Server 2012 Gold and ...) NOT-FOR-US: Microsoft CVE-2017-8560 (Microsoft Exchange Server 2010 SP3, Exchange Server 2013 SP3, Exchange ...) NOT-FOR-US: Microsoft CVE-2017-8559 (Microsoft Exchange Server 2010 SP3, Exchange Server 2013 SP3, Exchange ...) NOT-FOR-US: Microsoft CVE-2017-8558 (The Microsoft Malware Protection Engine running on Microsoft Forefront ...) NOT-FOR-US: Microsoft CVE-2017-8557 (Windows System Information Console in Windows Server 2008 SP2 and R2 S ...) NOT-FOR-US: Microsoft CVE-2017-8556 (Graphics in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP ...) NOT-FOR-US: Microsoft CVE-2017-8555 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to tric ...) NOT-FOR-US: Microsoft CVE-2017-8554 (The kernel in Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 ...) NOT-FOR-US: Microsoft CVE-2017-8553 (An information disclosure vulnerability exists in Microsoft Windows Se ...) NOT-FOR-US: Microsoft CVE-2017-8552 (A kernel-mode driver in Microsoft Windows XP SP3, Windows XP x64 XP2, ...) NOT-FOR-US: Microsoft CVE-2017-8551 (An elevation of privilege vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2017-8550 (A remote code execution vulnerability exists in Skype for Business whe ...) NOT-FOR-US: Microsoft CVE-2017-8549 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and ...) NOT-FOR-US: Microsoft CVE-2017-8548 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and ...) NOT-FOR-US: Microsoft CVE-2017-8547 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 S ...) NOT-FOR-US: Microsoft CVE-2017-8546 RESERVED CVE-2017-8545 (A spoofing vulnerability exists in when Microsoft Outlook for Mac does ...) NOT-FOR-US: Microsoft CVE-2017-8544 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2017-8543 (Microsoft Windows XP SP3, Windows XP x64 XP2, Windows Server 2003 SP2, ...) NOT-FOR-US: Microsoft CVE-2017-8542 (The Microsoft Malware Protection Engine running on Microsoft Forefront ...) NOT-FOR-US: Microsoft CVE-2017-8541 (The Microsoft Malware Protection Engine running on Microsoft Forefront ...) NOT-FOR-US: Microsoft CVE-2017-8540 (The Microsoft Malware Protection Engine running on Microsoft Forefront ...) NOT-FOR-US: Microsoft CVE-2017-8539 (The Microsoft Malware Protection Engine running on Microsoft Forefront ...) NOT-FOR-US: Microsoft CVE-2017-8538 (The Microsoft Malware Protection Engine running on Microsoft Forefront ...) NOT-FOR-US: Microsoft CVE-2017-8537 (The Microsoft Malware Protection Engine running on Microsoft Forefront ...) NOT-FOR-US: Microsoft CVE-2017-8536 (The Microsoft Malware Protection Engine running on Microsoft Forefront ...) NOT-FOR-US: Microsoft CVE-2017-8535 (The Microsoft Malware Protection Engine running on Microsoft Forefront ...) NOT-FOR-US: Microsoft CVE-2017-8534 (Uniscribe in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Window ...) NOT-FOR-US: Microsoft CVE-2017-8533 (Graphics in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows ...) NOT-FOR-US: Microsoft CVE-2017-8532 (Graphics in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows ...) NOT-FOR-US: Microsoft CVE-2017-8531 (Graphics in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows ...) NOT-FOR-US: Microsoft CVE-2017-8530 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and ...) NOT-FOR-US: Microsoft CVE-2017-8529 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 S ...) NOT-FOR-US: Microsoft CVE-2017-8528 (Uniscribe in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Window ...) NOT-FOR-US: Microsoft CVE-2017-8527 (Graphics in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows ...) NOT-FOR-US: Microsoft CVE-2017-8526 RESERVED CVE-2017-8525 RESERVED CVE-2017-8524 (Microsoft browsers in Microsoft Windows 7 SP1, Windows Server 2008 R2 ...) NOT-FOR-US: Microsoft CVE-2017-8523 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and ...) NOT-FOR-US: Microsoft CVE-2017-8522 (Microsoft browsers in Microsoft Windows 8.1 and Windows RT 8.1, Window ...) NOT-FOR-US: Microsoft CVE-2017-8521 (Microsoft Edge in Windows 10 1703 allows an attacker to execute arbitr ...) NOT-FOR-US: Microsoft CVE-2017-8520 (Microsoft Edge in Windows 10 1703 allows an attacker to execute arbitr ...) NOT-FOR-US: Microsoft CVE-2017-8519 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and ...) NOT-FOR-US: Microsoft CVE-2017-8518 (Microsoft Edge allows a remote code execution vulnerability due to the ...) NOT-FOR-US: Microsoft CVE-2017-8517 (Microsoft browsers in Microsoft Windows Server 2008 SP2 and R2 SP1, Wi ...) NOT-FOR-US: Microsoft CVE-2017-8516 (Microsoft SQL Server Analysis Services in Microsoft SQL Server 2012, M ...) NOT-FOR-US: Microsoft CVE-2017-8515 (Microsoft Windows 10 1511, 1607, and 1703, and Windows Server 2016 all ...) NOT-FOR-US: Microsoft CVE-2017-8514 (An information disclosure vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2017-8513 (A remote code execution vulnerability exists in Microsoft PowerPoint w ...) NOT-FOR-US: Microsoft CVE-2017-8512 (A remote code execution vulnerability exists in Microsoft Office when ...) NOT-FOR-US: Microsoft CVE-2017-8511 (A remote code execution vulnerability exists in Microsoft Office when ...) NOT-FOR-US: Microsoft CVE-2017-8510 (A remote code execution vulnerability exists in Microsoft Office when ...) NOT-FOR-US: Microsoft CVE-2017-8509 (A remote code execution vulnerability exists in Microsoft Office when ...) NOT-FOR-US: Microsoft CVE-2017-8508 (A security feature bypass vulnerability exists in Microsoft Office sof ...) NOT-FOR-US: Microsoft CVE-2017-8507 (A remote code execution vulnerability exists in the way Microsoft Offi ...) NOT-FOR-US: Microsoft CVE-2017-8506 (A remote code execution vulnerability exists in Microsoft Office when ...) NOT-FOR-US: Microsoft CVE-2017-8505 RESERVED CVE-2017-8504 (Microsoft Edge in Windows 10 1607 and 1703, and Windows Server 2016 al ...) NOT-FOR-US: Microsoft CVE-2017-8503 (Microsoft Edge in Microsoft Windows 10 1511, 1607, 1703, and Windows S ...) NOT-FOR-US: Microsoft CVE-2017-8502 (Microsoft Office allows a remote code execution vulnerability due to t ...) NOT-FOR-US: Microsoft CVE-2017-8501 (Microsoft Office allows a remote code execution vulnerability due to t ...) NOT-FOR-US: Microsoft CVE-2017-8500 RESERVED CVE-2017-8499 (Microsoft Edge in Windows 10 1703 allows an attacker to execute arbitr ...) NOT-FOR-US: Microsoft CVE-2017-8498 (Microsoft Edge in Windows 10 1607 and 1703, and Windows Server 2016 al ...) NOT-FOR-US: Microsoft CVE-2017-8497 (Microsoft Edge in Windows 10 1607 and Windows Server 2016 allows an at ...) NOT-FOR-US: Microsoft CVE-2017-8496 (Microsoft Edge in Windows 10 1607 and Windows Server 2016 allows an at ...) NOT-FOR-US: Microsoft CVE-2017-8495 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2017-8494 (Microsoft Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 20 ...) NOT-FOR-US: Microsoft CVE-2017-8493 (Microsoft Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, Wind ...) NOT-FOR-US: Microsoft CVE-2017-8492 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-8491 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-8490 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-8489 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-8488 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-8487 (Windows OLE in Windows XP and Windows Server 2003 allows an attacker t ...) NOT-FOR-US: Microsoft CVE-2017-8486 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2017-8485 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-8484 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2017-8483 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-8482 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-8481 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-8480 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-8479 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-8478 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-8477 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2017-8476 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-8475 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows S ...) NOT-FOR-US: Microsoft CVE-2017-8474 (The kernel in Microsoft Windows Server 2008 R2 SP1, Windows 7 SP1, Win ...) NOT-FOR-US: Microsoft CVE-2017-8473 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows S ...) NOT-FOR-US: Microsoft CVE-2017-8472 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, and Windo ...) NOT-FOR-US: Microsoft CVE-2017-8471 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2017-8470 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2017-8469 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-8468 (Microsoft Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, Wind ...) NOT-FOR-US: Microsoft CVE-2017-8467 (Graphics in Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP ...) NOT-FOR-US: Microsoft CVE-2017-8466 (Windows Cursor in Windows 8.1, Windows Server 2012 Gold and R2, Window ...) NOT-FOR-US: Microsoft CVE-2017-8465 (Microsoft Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, Wind ...) NOT-FOR-US: Microsoft CVE-2017-8464 (Windows Shell in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows ...) NOT-FOR-US: Microsoft CVE-2017-8463 (Windows Shell in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Wi ...) NOT-FOR-US: Microsoft CVE-2017-8462 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-8461 (Windows RPC with Routing and Remote Access enabled in Windows XP and W ...) NOT-FOR-US: Microsoft CVE-2017-8460 (Windows PDF in Windows 8.1, Windows Server 2012 Gold and R2, Windows R ...) NOT-FOR-US: Microsoft CVE-2017-8459 (** DISPUTED ** Brave 0.12.4 has a Status Bar Obfuscation issue in whic ...) - brave-browser (bug #864795) CVE-2017-8458 (Brave 0.12.4 has a URI Obfuscation issue in which a string such as htt ...) - brave-browser (bug #864795) CVE-2017-8457 RESERVED CVE-2017-8456 RESERVED CVE-2017-8455 (Foxit Reader before 8.2.1 and PhantomPDF before 8.2.1 have an out-of-b ...) NOT-FOR-US: Foxit Reader CVE-2017-8454 (Foxit Reader before 8.2.1 and PhantomPDF before 8.2.1 have an out-of-b ...) NOT-FOR-US: Foxit Reader CVE-2017-8453 (Foxit Reader before 8.2.1 and PhantomPDF before 8.2.1 have an out-of-b ...) NOT-FOR-US: Foxit Reader CVE-2016-10368 (Open redirect vulnerability in Opsview Monitor Pro (Prior to 5.1.0.162 ...) NOT-FOR-US: Opsview Monitor Pro CVE-2016-10367 (In Opsview Monitor Pro (Prior to 5.1.0.162300841, prior to 5.0.2.27475 ...) NOT-FOR-US: Opsview Monitor Pro CVE-2015-9058 (Open redirect vulnerability in Proxmox Mail Gateway prior to hotfix 4. ...) NOT-FOR-US: Proxmox Mail Gateway CVE-2015-9057 (Multiple cross-site scripting (XSS) vulnerabilities in Proxmox Mail Ga ...) NOT-FOR-US: Proxmox Mail Gateway CVE-2017-8452 (Kibana versions prior to 5.2.1 configured for SSL client access, file ...) - kibana (bug #700337) CVE-2017-8451 (With X-Pack installed, Kibana versions before 5.3.1 have an open redir ...) NOT-FOR-US: Kibana addon CVE-2017-8450 (X-Pack 5.1.1 did not properly apply document and field level security ...) NOT-FOR-US: Kibana addon CVE-2017-8449 (X-Pack Security 5.2.x would allow access to more fields than the user ...) NOT-FOR-US: Kibana addon CVE-2017-8448 (An error was found in the permission model used by X-Pack Alerting 5.0 ...) - kibana (bug #700337) CVE-2017-8447 (An error was found in the X-Pack Security 5.3.0 to 5.5.2 privilege enf ...) NOT-FOR-US: X-Pack plugin for Kibana CVE-2017-8446 (The Reporting feature in X-Pack in versions prior to 5.5.2 and standal ...) NOT-FOR-US: X-Pack plugin for Kibana CVE-2017-8445 (An error was found in the X-Pack Security TLS trust manager for versio ...) NOT-FOR-US: X-PackSecurity TLS trust manager plugin for Elasticsearch CVE-2017-8444 (The client-forwarder in Elastic Cloud Enterprise versions prior to 1.0 ...) NOT-FOR-US: Elastic Cloud Enterprise CVE-2017-8443 (In Kibana X-Pack security versions prior to 5.4.3 if a Kibana user ope ...) NOT-FOR-US: Kibana X-Pack Security CVE-2017-8442 (Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, c ...) NOT-FOR-US: Elastic X-Pack Security CVE-2017-8441 (Elastic X-Pack Security versions prior to 5.4.1 and 5.3.3 did not alwa ...) NOT-FOR-US: Elastic X-Pack Security CVE-2017-8440 (Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vul ...) - kibana (bug #700337) CVE-2017-8439 (Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug ...) - kibana (bug #700337) CVE-2017-8438 (Elastic X-Pack Security versions 5.0.0 to 5.4.0 contain a privilege es ...) NOT-FOR-US: Elastic X-Pack Security CVE-2017-8437 RESERVED CVE-2017-8436 RESERVED CVE-2017-8435 RESERVED CVE-2017-8434 RESERVED CVE-2017-8433 RESERVED CVE-2017-8432 RESERVED CVE-2017-8431 RESERVED CVE-2017-8430 RESERVED CVE-2017-8429 RESERVED CVE-2017-8428 RESERVED CVE-2017-8427 RESERVED CVE-2017-8426 RESERVED CVE-2017-8425 RESERVED CVE-2017-8424 RESERVED CVE-2017-8423 RESERVED CVE-2017-8422 (KDE kdelibs before 4.14.32 and KAuth before 5.34 allow local users to ...) {DSA-3849-1 DLA-952-1} - kauth 5.28.0-2 - kde4libs 4:4.14.26-2 NOTE: http://www.openwall.com/lists/oss-security/2017/05/10/3 NOTE: patch for kauth: https://cgit.kde.org/kauth.git/commit/?id=df875f725293af53399f5146362eb158b4f9216a NOTE: patch for kde4libs: https://cgit.kde.org/kdelibs.git/commit/?h=KDE/4.14&id=264e97625abe2e0334f97de17f6ffb52582888ab NOTE: https://www.kde.org/info/security/advisory-20170510-1.txt CVE-2017-8421 (The function coff_set_alignment_hook in coffcode.h in Binary File Desc ...) - binutils 2.28-5 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21440 NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=39ff1b79f687b65f4144ddb379f22587003443fb CVE-2017-8420 (SWFTools 2013-04-09-1007 on Windows has a "Data from Faulting Address ...) - swftools (unimportant) NOTE: No actionable information, just a crash report against a four year old release NOTE: https://github.com/matthiaskramm/swftools/issues/41 CVE-2017-8419 (LAME through 3.99.5 relies on the signed integer data type for values ...) - lame 3.99.5+repack1-7 [wheezy] - lame 3.99.5+repack1-3+deb7u1 NOTE: https://sourceforge.net/p/lame/bugs/458/ NOTE: Issue addressed in Debian via: https://sources.debian.org/patches/lame/3.99.5%2Brepack1-9/0001-Add-check-for-invalid-input-sample-rate.patch/ NOTE: in the revised version as included in 3.99.5+repack1-7 CVE-2016-10366 (Kibana versions after and including 4.3 and before 4.6.2 are vulnerabl ...) - kibana (bug #700337) CVE-2016-10365 (Kibana versions before 4.6.3 and 5.0.1 have an open redirect vulnerabi ...) - kibana (bug #700337) CVE-2016-10364 (With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not proper ...) NOT-FOR-US: Kibana addon CVE-2016-10363 (Logstash versions prior to 2.3.3, when using the Netflow Codec plugin, ...) - logstash (bug #664841) CVE-2016-10362 (Prior to Logstash version 5.0.1, Elasticsearch Output plugin when upda ...) - logstash (bug #664841) CVE-2016-10361 REJECTED CVE-2016-10360 REJECTED CVE-2016-10359 REJECTED CVE-2016-10358 REJECTED CVE-2016-10357 REJECTED CVE-2016-10356 REJECTED CVE-2016-10355 REJECTED CVE-2016-10354 REJECTED CVE-2016-10353 REJECTED CVE-2016-10352 REJECTED CVE-2015-9056 (Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a XSS attac ...) - kibana (bug #700337) CVE-2017-8905 (Xen through 4.6.x on 64-bit platforms mishandles a failsafe callback, ...) {DSA-3847-1 DLA-964-1} - xen 4.8.0~rc3-1 (bug #861662) NOTE: https://xenbits.xen.org/xsa/advisory-215.html CVE-2017-8904 (Xen through 4.8.x mishandles the "contains segment descriptors" proper ...) {DSA-3847-1 DLA-964-1} - xen 4.8.1-1+deb9u1 (bug #861660) NOTE: https://xenbits.xen.org/xsa/advisory-214.html CVE-2017-8903 (Xen through 4.8.x on 64-bit platforms mishandles page tables after an ...) {DSA-3847-1 DLA-964-1} - xen 4.8.1-1+deb9u1 (bug #861659) NOTE: https://xenbits.xen.org/xsa/advisory-213.html CVE-2017-8418 (RuboCop 0.48.1 and earlier does not use /tmp in safe way, allowing loc ...) - rubocop 0.49.1+dfsg-1 (bug #870852) NOTE: https://github.com/bbatsov/rubocop/issues/4336 NOTE: https://github.com/bbatsov/rubocop/commit/dcb258fabd5f2624c1ea0e1634763094590c09d7 CVE-2017-8417 (An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The d ...) NOT-FOR-US: D-Link CVE-2017-8416 (An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The d ...) NOT-FOR-US: D-Link CVE-2017-8415 (An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The d ...) NOT-FOR-US: D-Link CVE-2017-8414 (An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The b ...) NOT-FOR-US: D-Link CVE-2017-8413 (An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The d ...) NOT-FOR-US: D-Link CVE-2017-8412 (An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The d ...) NOT-FOR-US: D-Link CVE-2017-8411 (An issue was discovered on D-Link DCS-1130 devices. The device provide ...) NOT-FOR-US: D-Link CVE-2017-8410 (An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The b ...) NOT-FOR-US: D-Link CVE-2017-8409 (An issue was discovered on D-Link DCS-1130 devices. The device require ...) NOT-FOR-US: D-Link CVE-2017-8408 (An issue was discovered on D-Link DCS-1130 devices. The device provide ...) NOT-FOR-US: D-Link CVE-2017-8407 (An issue was discovered on D-Link DCS-1130 devices. The device provide ...) NOT-FOR-US: D-Link CVE-2017-8406 (An issue was discovered on D-Link DCS-1130 devices. The device provide ...) NOT-FOR-US: D-Link CVE-2017-8405 (An issue was discovered on D-Link DCS-1130 and DCS-1100 devices. The b ...) NOT-FOR-US: D-Link CVE-2017-8404 (An issue was discovered on D-Link DCS-1130 devices. The device provide ...) NOT-FOR-US: D-Link CVE-2017-8403 (360fly 4K cameras allow unauthenticated Wi-Fi password changes and com ...) NOT-FOR-US: 360fly CVE-2017-8402 (PivotX 2.3.11 allows remote authenticated users to execute arbitrary P ...) NOT-FOR-US: PivotX CVE-2017-8401 (In SWFTools 0.9.2, an out-of-bounds read of heap data can occur in the ...) {DLA-995-1} - swftools (unimportant; bug #861998) NOTE: https://github.com/matthiaskramm/swftools/issues/14 NOTE: https://github.com/matthiaskramm/swftools/commit/392fb1f3cd9a5b167787c551615c651c3f5326f2 NOTE: Crash in CLI tool not considered a security issue CVE-2017-8400 (In SWFTools 0.9.2, an out-of-bounds write of heap data can occur in th ...) {DLA-995-1} - swftools 0.9.2+git20130725-4.1 (bug #861693) [jessie] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/13 NOTE: https://github.com/matthiaskramm/swftools/commit/7139f3cf7c8bc576bea1dbd07c58ce1ad92b774a CVE-2017-8399 (PCRE2 before 10.30 has an out-of-bounds write caused by a stack-based ...) - pcre2 (Did only affect revision after r670 upstream; not in a released version) NOTE: Fixed by: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=783 NOTE: https://vcs.pcre.org/pcre2?view=revision&revision=674 CVE-2017-8398 (dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read of size ...) - binutils 2.28-5 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21438 NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d949ff5607b9f595e0eed2ff15fbe5eb84eb3a34 CVE-2017-8397 (The Binary File Descriptor (BFD) library (aka libbfd), as distributed ...) - binutils 2.28-5 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21434 NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=04b31182bf3f8a1a76e995bdfaaaab4c009b9cb2 CVE-2017-8396 (The Binary File Descriptor (BFD) library (aka libbfd), as distributed ...) - binutils 2.28-5 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21432 NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a941291cab71b9ac356e1c03968c177c03e602ab CVE-2017-8395 (The Binary File Descriptor (BFD) library (aka libbfd), as distributed ...) - binutils 2.28-5 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21431 NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e63d123268f23a4cbc45ee55fb6dbc7d84729da3 CVE-2017-8394 (The Binary File Descriptor (BFD) library (aka libbfd), as distributed ...) - binutils 2.28-5 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21414 NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7eacd66b086cabb1daab20890d5481894d4f56b2 CVE-2017-8393 (The Binary File Descriptor (BFD) library (aka libbfd), as distributed ...) - binutils 2.28-5 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21412 NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bce964aa6c777d236fbd641f2bc7bb931cfe4bf3 CVE-2017-8392 (The Binary File Descriptor (BFD) library (aka libbfd), as distributed ...) - binutils (Vulnerable code introduced later) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21409 NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=97e83a100aa8250be783304bfe0429761c6e6b6b NOTE: Introduced by: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3239a4231ff79bf8b67b8faaf414b1667486167c CVE-2017-8391 (The OS Installation Management component in CA Client Automation r12.9 ...) NOT-FOR-US: OS Installation Management component in CA Client Automation CVE-2017-8390 (The DNS Proxy in Palo Alto Networks PAN-OS before 6.1.18, 7.x before 7 ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-8389 RESERVED CVE-2017-8388 (GeniXCMS 1.0.2 allows remote attackers to bypass the alertDanger MSG_U ...) NOT-FOR-US: GeniXCMS CVE-2017-8387 (STDU Viewer version 1.6.375 might allow user-assisted attackers to exe ...) NOT-FOR-US: STDU Viewer CVE-2017-8386 (git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7 ...) {DSA-3848-1 DLA-938-1} - git 1:2.11.0-3 NOTE: http://lkml.iu.edu/hypermail/linux/kernel/1705.1/01337.html NOTE: http://lkml.iu.edu/hypermail/linux/kernel/1705.1/01346.html NOTE: https://insinuator.net/2017/05/git-shell-bypass-by-abusing-less-cve-2017-8386/ NOTE: https://git.kernel.org/pub/scm/git/git.git/commit/?id=3ec804490a265f4c418a321428c12f3f18b7eff5 CVE-2017-8385 (Craft CMS before 2.6.2976 does not prevent modification of the URL in ...) NOT-FOR-US: Craft CMS CVE-2017-8384 (Craft CMS before 2.6.2976 allows XSS attacks because an array returned ...) NOT-FOR-US: Craft CMS CVE-2017-8383 (Craft CMS before 2.6.2976 does not properly restrict viewing the conte ...) NOT-FOR-US: Craft CMS CVE-2017-8382 (admidio 3.2.8 has CSRF in adm_program/modules/members/members_function ...) NOT-FOR-US: admidio CVE-2017-8381 (XnView Classic for Windows Version 2.40 allows user-assisted remote at ...) NOT-FOR-US: XnView Classic for Windows CVE-2017-8380 (Buffer overflow in the "megasas_mmio_write" function in Qemu 2.9.0 all ...) - qemu 1:2.8+dfsg-5 (bug #862282) [jessie] - qemu (Vulnerable code introduced later) [wheezy] - qemu (Vulnerable code introduced later) - qemu-kvm (Vulnerable code introduced later) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg04147.html NOTE: Introduced by: http://git.qemu.org/?p=qemu.git;a=commit;h=e23d04984a78490d8aaa5c45724a3a334933331f (v2.2.0-rc0) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=24dfa9fa2f90a95ac33c7372de4f4f2c8a2c141f CVE-2017-8379 (Memory leak in the keyboard input event handlers support in QEMU (aka ...) {DLA-1497-1} - qemu 1:2.8+dfsg-5 (bug #862289) [wheezy] - qemu (Minor issue) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=fa18f36a461984eae50ab957e47ec78dae3c14fc CVE-2017-8378 (Heap-based buffer overflow in the PdfParser::ReadObjects function in b ...) - libpodofo 0.9.5-9 (bug #861597) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: PoC: https://github.com/xiangxiaobo/poc_and_report/tree/master/podofo_heapoverflow_PdfParser.ReadObjects NOTE: Upstream commit: https://sourceforge.net/p/podofo/code/1833/ CVE-2017-8377 (GeniXCMS 1.0.2 has SQL Injection in inc/lib/Control/Backend/menus.cont ...) NOT-FOR-US: GeniXCMS CVE-2017-8376 (GeniXCMS 1.0.2 has XSS triggered by an authenticated comment that is m ...) NOT-FOR-US: GeniXCMS CVE-2017-8375 RESERVED CVE-2017-8374 (The mad_bit_skip function in bit.c in Underbit MAD libmad 0.15.1b allo ...) {DSA-4192-1 DLA-1380-1} - libmad 0.15.1b-9 NOTE: https://blogs.gentoo.org/ago/2017/04/30/libmad-heap-based-buffer-overflow-in-mad_bit_skip-bit-c/ NOTE: The patch from #508133 fixed things related to this, but did not fix this. NOTE: Patch in 0.15.1b-9: libmad-0.15.1b/debian/patches/length-check.patch CVE-2017-8373 (The mad_layer_III function in layer3.c in Underbit MAD libmad 0.15.1b ...) {DSA-4192-1 DLA-1380-1} - libmad 0.15.1b-9 (bug #287519) NOTE: https://blogs.gentoo.org/ago/2017/04/30/libmad-heap-based-buffer-overflow-in-mad_layer_iii-layer3-c/ NOTE: The patch from #508133 applied in 0.15.1b-4 only partially fixed it NOTE: "Duplicate with"/basically same as CVE-2017-8372 NOTE: Patch in 0.15.1b-9: libmad-0.15.1b/debian/patches/md_size.diff CVE-2017-8372 (The mad_layer_III function in layer3.c in Underbit MAD libmad 0.15.1b, ...) {DSA-4192-1 DLA-1380-1} - libmad 0.15.1b-9 (bug #287519) NOTE: https://blogs.gentoo.org/ago/2017/04/30/libmad-assertion-failure-in-layer3-c/ NOTE: The patch from #508133 applied in 0.15.1b-4 only partially fixed it NOTE: "Duplicate" with/basically same as CVE-2017-8373 NOTE: Patch in 0.15.1b-9: libmad-0.15.1b/debian/patches/md_size.diff CVE-2017-8371 (Schneider Electric StruxureWare Data Center Expert before 7.4.0 uses c ...) NOT-FOR-US: Schneider Electric CVE-2017-8370 (IrfanView version 4.44 (32bit) with FPX Plugin 4.45 allows remote atta ...) NOT-FOR-US: IrfanView CVE-2017-8369 (IrfanView version 4.44 (32bit) has a "Data from Faulting Address contr ...) NOT-FOR-US: IrfanView CVE-2017-8368 (Sublime Text 3 Build 3126 allows user-assisted attackers to cause a de ...) - sublime-text (bug #682158) CVE-2017-8367 (Buffer overflow in Ether Software Easy MOV Converter 1.4.24, Easy DVD ...) NOT-FOR-US: Ether Software CVE-2017-8366 (The strescape function in ec_strings.c in Ettercap 0.8.2 allows remote ...) {DSA-3874-1} - ettercap 1:0.8.2-5 (bug #861604) NOTE: https://github.com/Ettercap/ettercap/issues/792 NOTE: Fixed by: https://github.com/Ettercap/ettercap/commit/1083d604930ebb9f350126b83802ecd2cbc17f90 CVE-2017-8365 (The i2les_array function in pcm.c in libsndfile 1.0.28 allows remote a ...) {DLA-1618-1 DLA-956-1} - libsndfile 1.0.27-3 (bug #862202) NOTE: https://blogs.gentoo.org/ago/2017/04/29/libsndfile-global-buffer-overflow-in-i2les_array-pcm-c/ NOTE: https://github.com/erikd/libsndfile/issues/230 NOTE: Fixed by: https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3 CVE-2017-8364 (The read_buf function in stream.c in rzip 2.1 allows remote attackers ...) {DLA-2189-1 DLA-955-1} - rzip 2.1-4.1 (bug #861614) NOTE: https://blogs.gentoo.org/ago/2017/04/29/rzip-heap-based-buffer-overflow-in-read_buf-stream-c/ NOTE: Patch in http://download.opensuse.org/repositories/openSUSE:/Leap:/42.2:/Update/standard/src/rzip-2.1-151.3.1.src.rpm CVE-2017-8363 (The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows re ...) {DLA-1618-1 DLA-956-1} - libsndfile 1.0.27-3 (bug #862203) NOTE: https://blogs.gentoo.org/ago/2017/04/29/libsndfile-heap-based-buffer-overflow-in-flac_buffer_copy-flac-c/ NOTE: https://github.com/erikd/libsndfile/issues/233 NOTE: https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3 NOTE: https://github.com/erikd/libsndfile/commit/cd7da8dbf6ee4310d21d9e44b385d6797160d9e8 CVE-2017-8362 (The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows re ...) {DLA-1618-1 DLA-956-1} - libsndfile 1.0.27-3 (bug #862204) NOTE: https://blogs.gentoo.org/ago/2017/04/29/libsndfile-invalid-memory-read-in-flac_buffer_copy-flac-c/ NOTE: https://github.com/erikd/libsndfile/issues/231 NOTE: https://github.com/erikd/libsndfile/commit/ef1dbb2df1c0e741486646de40bd638a9c4cd808 CVE-2017-8361 (The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows re ...) {DLA-1618-1 DLA-956-1} - libsndfile 1.0.27-3 (bug #862205) NOTE: https://blogs.gentoo.org/ago/2017/04/29/libsndfile-global-buffer-overflow-in-flac_buffer_copy-flac-c/ NOTE: https://github.com/erikd/libsndfile/issues/232 NOTE: https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3 CVE-2017-8360 (Conexant Systems mictray64 task, as used on HP Elite, EliteBook, ProBo ...) NOT-FOR-US: Conexant Systems mictray64 task CVE-2017-8359 (Google gRPC before 2017-03-29 has an out-of-bounds write caused by a h ...) - grpc 1.3.2-0.1 NOTE: https://github.com/grpc/grpc/pull/10353 NOTE: Fixed by: https://github.com/grpc/grpc/commit/6544a2d5d9ecdb64214da1d228886a7d15bbf5c7 CVE-2017-8358 (LibreOffice before 2017-03-17 has an out-of-bounds write caused by a h ...) - libreoffice (Vulnerable code introduced on 2017-03-15; never in released version) NOTE: Fixed by: https://github.com/LibreOffice/core/commit/6e6e54f944a5ebb49e9110bdeff844d00a96c56c NOTE: Introduced by: https://github.com/LibreOffice/core/commit/ceb53ad9f34ae05d09f61845d581546eac0c6d60 CVE-2017-8357 (In ImageMagick 7.0.5-5, the ReadEPTImage function in ept.c allows atta ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862636) NOTE: https://github.com/ImageMagick/ImageMagick/issues/453 CVE-2017-8356 (In ImageMagick 7.0.5-5, the ReadSUNImage function in sun.c allows atta ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862635) NOTE: https://github.com/ImageMagick/ImageMagick/issues/449 CVE-2017-8355 (In ImageMagick 7.0.5-5, the ReadMTVImage function in mtv.c allows atta ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862634) NOTE: https://github.com/ImageMagick/ImageMagick/issues/450 CVE-2017-8354 (In ImageMagick 7.0.5-5, the ReadBMPImage function in bmp.c allows atta ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862633) NOTE: https://github.com/ImageMagick/ImageMagick/issues/451 CVE-2017-8353 (In ImageMagick 7.0.5-5, the ReadPICTImage function in pict.c allows at ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862632) NOTE: https://github.com/ImageMagick/ImageMagick/issues/454 CVE-2017-8352 (In ImageMagick 7.0.5-5, the ReadXWDImage function in xwd.c allows atta ...) {DSA-3863-1 DLA-1081-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862590) NOTE: https://github.com/ImageMagick/ImageMagick/issues/452 CVE-2017-8351 (In ImageMagick 7.0.5-5, the ReadPCDImage function in pcd.c allows atta ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862589) NOTE: https://github.com/ImageMagick/ImageMagick/issues/448 CVE-2017-8350 (In ImageMagick 7.0.5-5, the ReadJNGImage function in png.c allows atta ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862587) NOTE: https://github.com/ImageMagick/ImageMagick/issues/447 CVE-2017-8349 (In ImageMagick 7.0.5-5, the ReadSFWImage function in sfw.c allows atta ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862579) NOTE: https://github.com/ImageMagick/ImageMagick/issues/443 CVE-2017-8348 (In ImageMagick 7.0.5-5, the ReadMATImage function in mat.c allows atta ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862578) NOTE: https://github.com/ImageMagick/ImageMagick/issues/445 CVE-2017-8347 (In ImageMagick 7.0.5-5, the ReadEXRImage function in exr.c allows atta ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862577) NOTE: https://github.com/ImageMagick/ImageMagick/issues/441 CVE-2017-8346 (In ImageMagick 7.0.5-5, the ReadDCMImage function in dcm.c allows atta ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862575) NOTE: https://github.com/ImageMagick/ImageMagick/issues/440 CVE-2017-8345 (In ImageMagick 7.0.5-5, the ReadMNGImage function in png.c allows atta ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862573) NOTE: https://github.com/ImageMagick/ImageMagick/issues/442 CVE-2017-8344 (In ImageMagick 7.0.5-5, the ReadPCXImage function in pcx.c allows atta ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862574) NOTE: https://github.com/ImageMagick/ImageMagick/issues/446 CVE-2017-8343 (In ImageMagick 7.0.5-5, the ReadAAIImage function in aai.c allows atta ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862572) NOTE: https://github.com/ImageMagick/ImageMagick/issues/444 CVE-2017-8341 (Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Conte ...) NOT-FOR-US: Open-Xchange GmbH OX App Suite CVE-2017-8340 (Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Incor ...) NOT-FOR-US: Open-Xchange GmbH OX App Suite CVE-2017-8339 (PSKMAD.sys in Panda Free Antivirus 18.0 allows local users to cause a ...) NOT-FOR-US: Panda Free Antivirus CVE-2017-8338 (A vulnerability in MikroTik Version 6.38.5 could allow an unauthentica ...) NOT-FOR-US: MikroTik CVE-2017-8337 (An issue was discovered on Securifi Almond, Almond+, and Almond 2015 d ...) NOT-FOR-US: Securifi CVE-2017-8336 (An issue was discovered on Securifi Almond, Almond+, and Almond 2015 d ...) NOT-FOR-US: Securifi CVE-2017-8335 (An issue was discovered on Securifi Almond, Almond+, and Almond 2015 d ...) NOT-FOR-US: Securifi CVE-2017-8334 (An issue was discovered on Securifi Almond, Almond+, and Almond 2015 d ...) NOT-FOR-US: Securifi CVE-2017-8333 (An issue was discovered on Securifi Almond, Almond+, and Almond 2015 d ...) NOT-FOR-US: Securifi CVE-2017-8332 (An issue was discovered on Securifi Almond, Almond+, and Almond 2015 d ...) NOT-FOR-US: Securifi CVE-2017-8331 (An issue was discovered on Securifi Almond, Almond+, and Almond 2015 d ...) NOT-FOR-US: Securifi CVE-2017-8330 (An issue was discovered on Securifi Almond, Almond+, and Almond 2015 d ...) NOT-FOR-US: Securifi CVE-2017-8329 (An issue was discovered on Securifi Almond, Almond+, and Almond 2015 d ...) NOT-FOR-US: Securifi CVE-2017-8328 (An issue was discovered on Securifi Almond, Almond+, and Almond 2015 d ...) NOT-FOR-US: Securifi CVE-2016-10351 (Telegram Desktop 0.10.19 uses 0755 permissions for $HOME/.TelegramDesk ...) - telegram-desktop 1.1.19-2 NOTE: https://github.com/telegramdesktop/tdesktop/issues/2666 CVE-2016-10350 (The archive_read_format_cab_read_header function in archive_read_suppo ...) {DSA-4360-1 DLA-1600-1 DLA-1006-1} - libarchive 3.2.2-3.1 (bug #861609) NOTE: https://github.com/libarchive/libarchive/issues/835 NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/88eb9e1d73fef46f04677c25b1697b8e25777ed3 (v3.3.0) CVE-2016-10349 (The archive_le32dec function in archive_endian.h in libarchive 3.2.2 a ...) {DSA-4360-1 DLA-1600-1 DLA-1006-1} - libarchive 3.2.2-3.1 (bug #861609) NOTE: https://github.com/libarchive/libarchive/issues/834 NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/88eb9e1d73fef46f04677c25b1697b8e25777ed3 (v3.3.0) CVE-2017-8342 (Radicale before 1.1.2 and 2.x before 2.0.0rc2 is prone to timing oracl ...) {DLA-2187-1 DLA-934-1} - radicale 1.1.1+20160115-4 (bug #861514) NOTE: https://github.com/Kozea/Radicale/commit/190b1dd795f0c552a4992445a231da760211183b (1.1.x) NOTE: https://github.com/Kozea/Radicale/commit/059ba8dec1f22ccbeab837e288b3833a099cee2d (master) CVE-2017-8327 (The bmpr_read_uncompressed function in imagew-bmp.c in libimageworsene ...) NOT-FOR-US: ImageWorsener CVE-2017-8326 (libimageworsener.a in ImageWorsener before 1.3.1 has "left shift canno ...) NOT-FOR-US: ImageWorsener CVE-2017-8325 (The iw_process_cols_to_intermediate function in imagew-main.c in libim ...) NOT-FOR-US: ImageWorsener CVE-2017-8324 RESERVED CVE-2017-8323 RESERVED CVE-2017-8322 RESERVED CVE-2017-8321 RESERVED CVE-2017-8320 RESERVED CVE-2017-8319 RESERVED CVE-2017-8318 RESERVED CVE-2017-8317 RESERVED CVE-2017-8316 (IntelliJ IDEA XML parser was found vulnerable to XML External Entity a ...) NOT-FOR-US: IntelliJ IDEA XML parser CVE-2017-8315 (Eclipse XML parser for the Eclipse IDE versions 2017.2.5 and earlier w ...) - apktool 2.2.4-1 (low) [stretch] - apktool (Minor issue) NOTE: Upstream bug with details is restricted NOTE: According to Red Hat only eclipse-andmore was affected but it was NOTE: never shipped with Debian. Apktool is affected though. NOTE: Possible fixes: https://github.com/iBotPeaches/Apktool/commit/f19317d87c316ed254aafa0a27eddd024e25ec6c NOTE: https://github.com/iBotPeaches/Apktool/commit/657a44f5938b072898a0de913c03760210e0f4ed NOTE: https://github.com/iBotPeaches/Apktool/commit/dbb144f9af5478c780e59c8b65036ae882595063 CVE-2017-8314 (Directory Traversal in Zip Extraction built-in function in Kodi 17.1 a ...) {DLA-1243-1} - kodi 2:17.1+dfsg1-3 (bug #863230) - xbmc [jessie] - xbmc (Minor issue) NOTE: http://blog.checkpoint.com/2017/05/23/hacked-in-translation/ NOTE: https://kodi.tv/article/kodi-v172-minor-bug-fix-and-security-release NOTE: Fixed by https://github.com/xbmc/xbmc/commit/35cfe35608b15335ef21d798947fceab3f47c8d7 CVE-2017-8313 (Heap out-of-bound read in ParseJSS in VideoLAN VLC before 2.2.5 due to ...) {DSA-3899-1} - vlc 2.2.5-1 [wheezy] - vlc (Not supported in wheezy LTS) NOTE: http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=05b653355ce303ada3b5e0e645ae717fea39186c CVE-2017-8312 (Heap out-of-bound read in ParseJSS in VideoLAN VLC due to missing chec ...) {DSA-3899-1} - vlc 2.2.6-1~deb9u1 [wheezy] - vlc (Not supported in wheezy LTS) NOTE: http://git.videolan.org/?p=vlc.git;a=commitdiff;h=611398fc8d32f3fe4331f60b220c52ba3557beaa CVE-2017-8311 (Potential heap based buffer overflow in ParseJSS in VideoLAN VLC befor ...) {DSA-3899-1} - vlc 2.2.5-1 [wheezy] - vlc (Not supported in wheezy LTS) NOTE: http://git.videolan.org/?p=vlc.git;a=commitdiff;h=775de716add17322f24b476439f903a829446eb6 CVE-2017-8310 (Heap out-of-bound read in CreateHtmlSubtitle in VideoLAN VLC 2.2.x due ...) {DSA-3899-1} - vlc 2.2.5.1-1~deb9u1 [wheezy] - vlc (Not supported in wheezy LTS) NOTE: http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commit;h=7cac839692ab79dbfe5e4ebd4c4e37d9a8b1b328 CVE-2017-8309 (Memory leak in the audio/audio.c in QEMU (aka Quick Emulator) allows r ...) {DLA-1497-1 DLA-1071-1 DLA-1070-1} - qemu 1:2.8+dfsg-5 (bug #862280) - qemu-kvm NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=3268a845f41253fb55852a8429c32b50f36f349a CVE-2017-8308 (In Avast Antivirus before v17, an unprivileged user (and thus malware ...) NOT-FOR-US: Avast Antivirus CVE-2017-8307 (In Avast Antivirus before v17, using the LPC interface API exposed by ...) NOT-FOR-US: Avast Antivirus CVE-2017-8306 RESERVED CVE-2017-8304 (An issue was discovered on Accellion FTA devices before FTA_9_12_180. ...) NOT-FOR-US: Accellion FTA devices CVE-2017-8303 (An issue was discovered on Accellion FTA devices before FTA_9_12_180. ...) NOT-FOR-US: Accellion FTA devices CVE-2017-8302 (Mura CMS 7.0.6967 allows admin/?muraAction= XSS attacks, related to ad ...) NOT-FOR-US: Mura CMS CVE-2017-8300 RESERVED CVE-2017-8299 RESERVED CVE-2017-8298 (cnvs.io Canvas 3.3.0 has XSS in the title and content fields of a "Pos ...) NOT-FOR-US: cnvs.io Canvas CVE-2017-8297 (A path traversal vulnerability exists in simple-file-manager before 20 ...) NOT-FOR-US: simple-file-manager CVE-2017-8296 (kedpm 0.5 and 1.0 creates a history file in ~/.kedpm/history that is w ...) {DLA-925-1} - kedpm (bug #860817) [jessie] - kedpm 1.0+deb8u1 NOTE: patch in BTS gives workaround to always prompt for password and do not save NOTE: to database. NOTE: http://www.openwall.com/lists/oss-security/2017/04/25/9 CVE-2017-8295 (WordPress through 4.7.4 relies on the Host HTTP header for a password- ...) {DSA-3870-1 DLA-975-1} - wordpress 4.7.5+dfsg-2 (bug #862053) NOTE: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html NOTE: http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html NOTE: https://core.trac.wordpress.org/ticket/25239 CVE-2017-8294 (libyara/re.c in the regex component in YARA 3.5.0 allows remote attack ...) - yara 3.6.0+dfsg-1 (bug #861590) [stretch] - yara (Minor issue, too intrusive to backport) [jessie] - yara (Minor issue, too intrusive to backport) NOTE: https://github.com/VirusTotal/yara/issues/646 NOTE: https://github.com/VirusTotal/yara/commit/83d799804648c2a0895d40a19835d9b757c6fa4e CVE-2017-8293 RESERVED CVE-2017-8292 RESERVED CVE-2017-8290 (A potential Buffer Overflow Vulnerability (from a BB Code handling iss ...) - teamspeak-server [wheezy] - teamspeak-server (non-free is not supported) CVE-2017-8289 (Stack-based buffer overflow in the ipv6_addr_from_str function in sys/ ...) NOT-FOR-US: RIOS OS CVE-2017-8288 (gnome-shell 3.22 through 3.24.1 mishandles extensions that fail to rel ...) - gnome-shell 3.22.3-3 [jessie] - gnome-shell (Minor issue) [wheezy] - gnome-shell (Minor issue) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=781728 NOTE: https://github.com/GNOME/gnome-shell/commit/ff425d1db7082e2755d2a405af53861552acf2a1 CVE-2017-8305 (The UDFclient (before 0.8.8) custom strlcpy implementation has a buffe ...) - udfclient 0.8.8-1 (bug #861347) CVE-2017-8301 (LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if SSL_get_ ...) - libressl (bug #754513) NOTE: http://www.openwall.com/lists/oss-security/2017/04/27/11 CVE-2017-8291 (Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass and remot ...) {DSA-3838-1 DLA-932-1} - ghostscript 9.20~dfsg-3.1 (bug #861295) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697808 (duplicate of 697799) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697799 (made private) NOTE: Full report viewable at: https://bugzilla.suse.com/show_bug.cgi?id=1036453 NOTE: Fixed by: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=04b37bbce174eed24edec7ad5b920eb93db4d47d NOTE: Fixed by: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4f83478c88c2e05d6e8d79ca4557eb039354d2f3 CVE-2017-8287 (FreeType 2 before 2017-03-26 has an out-of-bounds write caused by a he ...) {DSA-3839-1 DLA-931-1} - freetype 2.6.3-3.2 (bug #861308) NOTE: Fixed by: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=3774fc08b502c3e685afca098b6e8a195aded6a0 CVE-2017-8286 RESERVED CVE-2017-8285 RESERVED CVE-2017-8284 (** DISPUTED ** The disas_insn function in target/i386/translate.c in Q ...) - qemu 1:2.10.0-1 (unimportant) - qemu-kvm (unimportant) NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=30663fd26c0307e414622c7a8607fbc04f92ec14 NOTE: qemu issue without security implication per upstream CVE-2017-8282 (XnView Classic for Windows Version 2.40 allows user-assisted remote at ...) NOT-FOR-US: XnView Classic for Windows CVE-2017-8281 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8280 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8279 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-8278 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8277 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8276 (Improper authorization involving a fuse in TrustZone in snapdragon aut ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8275 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-8274 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-8273 (In all Qualcomm products with Android release from CAF using the Linux ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8272 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8271 (Out of bound memory write can happen in the MDSS Rotator driver in all ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8270 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8269 (Userspace-controlled non null terminated parameter for IPA WAN ioctl i ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8268 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8267 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8266 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8265 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8264 (A userspace process can cause a Denial of Service in the camera driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8263 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8262 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8261 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8260 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8259 (In the service locator in all Qualcomm products with Android releases ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8258 (An array out-of-bounds access in all Qualcomm products with Android re ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8257 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8256 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8255 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8254 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8253 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8252 (Kernel can inject faults in computations during the execution of Trust ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8251 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8250 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8249 RESERVED CVE-2017-8248 (A buffer overflow may occur in the processing of a downlink NAS messag ...) NOT-FOR-US: Qualcomm Telephony CVE-2017-8247 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8246 (In function msm_pcm_playback_close() in all Android releases from CAF ...) - linux (Android-specific patch) CVE-2017-8245 (In all Android releases from CAF using the Linux kernel, while process ...) - linux (Android-specific patch) CVE-2017-8244 (In core_info_read and inst_info_read in all Android releases from CAF ...) - linux (Android-specific patch) CVE-2017-8243 (A buffer overflow can occur in all Qualcomm products with Android for ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8242 (In all Android releases from CAF using the Linux kernel, a race condit ...) - linux (Android-specific patch) CVE-2017-8241 (In all Android releases from CAF using the Linux kernel, a buffer over ...) NOT-FOR-US: Android driver CVE-2017-8240 (In all Android releases from CAF using the Linux kernel, a kernel driv ...) - linux 4.0.2-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) CVE-2017-8239 (In all Android releases from CAF using the Linux kernel, userspace-con ...) NOT-FOR-US: Android driver CVE-2017-8238 (In all Android releases from CAF using the Linux kernel, a buffer over ...) NOT-FOR-US: Android driver CVE-2017-8237 (In all Android releases from CAF using the Linux kernel, a buffer over ...) NOT-FOR-US: Android driver CVE-2017-8236 (In all Android releases from CAF using the Linux kernel, a buffer over ...) NOT-FOR-US: Android driver CVE-2017-8235 (In all Android releases from CAF using the Linux kernel, a memory stru ...) NOT-FOR-US: Android driver CVE-2017-8234 (In all Android releases from CAF using the Linux kernel, an out of bou ...) NOT-FOR-US: Android driver CVE-2017-8233 (In a camera driver function in all Android releases from CAF using the ...) NOT-FOR-US: Android driver CVE-2017-8232 RESERVED CVE-2017-8231 RESERVED CVE-2017-8230 (On Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices, the users on th ...) NOT-FOR-US: Amcrest CVE-2017-8229 (Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices allow an unauthenti ...) NOT-FOR-US: Amcrest CVE-2017-8228 (Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices mishandle reboots w ...) NOT-FOR-US: Amcrest CVE-2017-8227 (Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices have a timeout poli ...) NOT-FOR-US: Amcrest CVE-2017-8226 (Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices have default creden ...) NOT-FOR-US: Amcrest CVE-2017-8283 (dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU pat ...) - dpkg 1.18.24 (unimportant) NOTE: http://www.openwall.com/lists/oss-security/2017/04/20/2 CVE-2017-8225 (On Wireless IP Camera (P2P) WIFICAM devices, access to .ini files (con ...) NOT-FOR-US: Wireless IP Camera (P2P) WIFICAM devices CVE-2017-8224 (Wireless IP Camera (P2P) WIFICAM devices have a backdoor root account ...) NOT-FOR-US: Wireless IP Camera (P2P) WIFICAM devices CVE-2017-8223 (On Wireless IP Camera (P2P) WIFICAM devices, an attacker can use the R ...) NOT-FOR-US: Wireless IP Camera (P2P) WIFICAM devices CVE-2017-8222 (Wireless IP Camera (P2P) WIFICAM devices have an "Apple Production IOS ...) NOT-FOR-US: Wireless IP Camera (P2P) WIFICAM devices CVE-2017-8221 (Wireless IP Camera (P2P) WIFICAM devices rely on a cleartext UDP tunne ...) NOT-FOR-US: Wireless IP Camera (P2P) WIFICAM devices CVE-2017-8220 (TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032.0 Build 1 ...) NOT-FOR-US: TP-Link CVE-2017-8219 (TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032.0 Build 1 ...) NOT-FOR-US: TP-Link CVE-2017-8218 (vsftpd on TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032 ...) NOT-FOR-US: TP-Link CVE-2017-8217 (TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032.0 Build 1 ...) NOT-FOR-US: TP-Link CVE-2017-8216 (Warsaw Huawei Smart phones with software of versions earlier than Wars ...) NOT-FOR-US: Huawei CVE-2017-8215 (Honor 8,Honor V8,Honor 9,Honor V9,Nova 2,Nova 2 Plus,P9,P10 Plus,Toron ...) NOT-FOR-US: Huawei CVE-2017-8214 (Honor 8,Honor V8,Honor 9,Honor V9,Nova 2,Nova 2 Plus,P9,P10 Plus,Toron ...) NOT-FOR-US: Huawei CVE-2017-8213 (Huawei SMC2.0 with software of V100R003C10, V100R005C00SPC100, V100R00 ...) NOT-FOR-US: Huawei CVE-2017-8212 (The driver of honor 5C,honor 6x Huawei smart phones with software of v ...) NOT-FOR-US: Huawei CVE-2017-8211 (The driver of honor 5C,honor 6x Huawei smart phones with software of v ...) NOT-FOR-US: Huawei CVE-2017-8210 (The driver of honor 5C,honor 6x Huawei smart phones with software of v ...) NOT-FOR-US: Huawei CVE-2017-8209 (The driver of honor 5C,honor 6x Huawei smart phones with software of v ...) NOT-FOR-US: Huawei CVE-2017-8208 (The driver of honor 5C,honor 6x Huawei smart phones with software of v ...) NOT-FOR-US: Huawei CVE-2017-8207 (The driver of honor 5C, honor 6x Huawei smart phones with software of ...) NOT-FOR-US: Huawei CVE-2017-8206 (HONOR 7 Lite mobile phones with software of versions earlier than NEM- ...) NOT-FOR-US: Huawei CVE-2017-8205 (The Bastet driver of Honor 9 Huawei smart phones with software of vers ...) NOT-FOR-US: Huawei CVE-2017-8204 (The Bastet driver of Honor 9 Huawei smart phones with software of vers ...) NOT-FOR-US: Huawei CVE-2017-8203 (The Bastet Driver of Nova 2 Plus,Nova 2 Huawei smart phones with softw ...) NOT-FOR-US: Huawei CVE-2017-8202 (The CameraISP driver of some Huawei smart phones with software of vers ...) NOT-FOR-US: Huawei CVE-2017-8201 (MAX PRESENCE V100R001C00, TP3106 V100R002C00, TP3206 V100R002C00 have ...) NOT-FOR-US: Huawei CVE-2017-8200 (MAX PRESENCE V100R001C00, TP3106 V100R002C00, TP3206 V100R002C00 have ...) NOT-FOR-US: Huawei CVE-2017-8199 (MAX PRESENCE V100R001C00, TP3106 V100R002C00, TP3206 V100R002C00 have ...) NOT-FOR-US: Huawei CVE-2017-8198 (FusionSphere V100R006C00SPC102(NFV) has an SQL injection vulnerability ...) NOT-FOR-US: Huawei CVE-2017-8197 (FusionSphere V100R006C00SPC102(NFV) has a command injection vulnerabil ...) NOT-FOR-US: Huawei CVE-2017-8196 (FusionSphere V100R006C00SPC102(NFV) has an incorrect authorization vul ...) NOT-FOR-US: Huawei CVE-2017-8195 (The FusionSphere OpenStack V100R006C00SPC102(NFV) has an improper auth ...) NOT-FOR-US: Huawei CVE-2017-8194 (The FusionSphere OpenStack V100R006C00SPC102(NFV) has an improper auth ...) NOT-FOR-US: Huawei CVE-2017-8193 (The FusionSphere OpenStack V100R006C00SPC102(NFV) has a command inject ...) NOT-FOR-US: Huawei CVE-2017-8192 (FusionSphere OpenStack V100R006C00 has an improper authorization vulne ...) NOT-FOR-US: Huawei CVE-2017-8191 (FusionSphere OpenStack V100R006C00SPC102(NFV)has a week cryptographic ...) NOT-FOR-US: Huawei CVE-2017-8190 (FusionSphere OpenStack V100R006C00SPC102(NFV)has an improper verificat ...) NOT-FOR-US: Huawei CVE-2017-8189 (FusionSphere OpenStack V100R006C00SPC102(NFV)has a path traversal vuln ...) NOT-FOR-US: Huawei CVE-2017-8188 (FusionSphere OpenStack V100R006C00SPC102(NFV)has a command injection v ...) NOT-FOR-US: Huawei CVE-2017-8187 (Huawei FusionSphere OpenStack V100R006C00SPC102(NFV) has a privilege e ...) NOT-FOR-US: Huawei CVE-2017-8186 (The Bastet of some Huawei mobile phones with software of earlier than ...) NOT-FOR-US: Huawei CVE-2017-8185 (ME906s-158 earlier than ME906S_Installer_13.1805.10.3 versions has a p ...) NOT-FOR-US: Huawei CVE-2017-8184 (MTK platform in Huawei smart phones with software of earlier than Nice ...) NOT-FOR-US: Huawei CVE-2017-8183 (MTK platform in Huawei smart phones with software of earlier than Nice ...) NOT-FOR-US: Huawei CVE-2017-8182 (MTK platform in Huawei smart phones with software of earlier than Nice ...) NOT-FOR-US: Huawei CVE-2017-8181 (The camera driver of MTK platform in Huawei smart phones with software ...) NOT-FOR-US: Huawei CVE-2017-8180 (The camera driver of MTK platform in Huawei smart phones with software ...) NOT-FOR-US: Huawei CVE-2017-8179 (The camera driver of MTK platform in Huawei smart phones with software ...) NOT-FOR-US: Huawei CVE-2017-8178 (Huawei Email APP Vicky-AL00 smartphones with software of earlier than ...) NOT-FOR-US: Huawei CVE-2017-8177 (Huawei APP HiWallet earlier than 5.0.3.100 versions do not support sig ...) NOT-FOR-US: Huawei CVE-2017-8176 (Huawei IPTV STB with earlier than IPTV STB V100R003C01LMYTa6SPC001 ver ...) NOT-FOR-US: Huawei CVE-2017-8175 (The Bastet of some Huawei mobile phones with software earlier than Vic ...) NOT-FOR-US: Huawei CVE-2017-8174 (Huawei USG6300 V100R001C30SPC300 and USG6600 with software of V100R001 ...) NOT-FOR-US: Huawei CVE-2017-8173 (Maya-L02,VKY-L09,VTR-L29,Vicky-AL00A,Victoria-AL00A,Warsaw-AL00 smart ...) NOT-FOR-US: Huawei CVE-2017-8172 (Isub service in P10 Plus and P10 smart phones with earlier than VKY-AL ...) NOT-FOR-US: Huawei CVE-2017-8171 (Huawei smart phones with software earlier than Vicky-AL00AC00B172D ver ...) NOT-FOR-US: Huawei CVE-2017-8170 (Huawei smart phones with software earlier than VIE-L09C40B360 versions ...) NOT-FOR-US: Huawei CVE-2017-8169 (Huawei smart phones with software earlier than VIE-L09C40B360 versions ...) NOT-FOR-US: Huawei CVE-2017-8168 (FusionSphere OpenStack with software V100R006C00SPC102(NFV) and V100R0 ...) NOT-FOR-US: Huawei CVE-2017-8167 (Huawei firewall products USG9500 V500R001C50 has a DoS vulnerability.A ...) NOT-FOR-US: Huawei CVE-2017-8166 (Huawei mobile phones Honor V9 with the software versions before Duke-A ...) NOT-FOR-US: Huawei CVE-2017-8165 (Mate 9 Huawei smart phones with versions earlier than MHA-AL00BC00B233 ...) NOT-FOR-US: Huawei CVE-2017-8164 (Some Huawei smart phones with software EVA-L09C34B142; EVA-L09C40B196; ...) NOT-FOR-US: Huawei CVE-2017-8163 (AR120-S with software V200R006C10, V200R007C00, V200R008C20, V200R008C ...) NOT-FOR-US: Huawei CVE-2017-8162 (AR120-S with software V200R006C10, V200R007C00, V200R008C20, V200R008C ...) NOT-FOR-US: Huawei CVE-2017-8161 (EVA-L09 smartphones with software Earlier than EVA-L09C25B150CUSTC25D0 ...) NOT-FOR-US: Huawei CVE-2017-8160 (The Madapt Driver of some Huawei smart phones with software Earlier th ...) NOT-FOR-US: Huawei CVE-2017-8159 (Some Huawei smartphones with software AGS-L09C233B019,AGS-W09C233B019, ...) NOT-FOR-US: Huawei CVE-2017-8158 (FusionCompute V100R005C00 and V100R005C10 have an improper authorizati ...) NOT-FOR-US: Huawei CVE-2017-8157 (OceanStor 5800 V3 with software V300R002C00 and V300R002C10, OceanStor ...) NOT-FOR-US: Huawei CVE-2017-8156 (The outdoor unit of Customer Premise Equipment (CPE) product B2338-168 ...) NOT-FOR-US: Huawei CVE-2017-8155 (The outdoor unit of Customer Premise Equipment (CPE) product B2338-168 ...) NOT-FOR-US: Huawei CVE-2017-8154 (The Themes App Honor 8 Lite Huawei mobile phones with software of vers ...) NOT-FOR-US: Huawei CVE-2017-8153 (Huawei VMall (for Android) with the versions before 1.5.8.5 have a pri ...) NOT-FOR-US: Huawei CVE-2017-8152 (Huawei Honor 5S smart phones with software the versions before TAG-TL0 ...) NOT-FOR-US: Huawei CVE-2017-8151 (Huawei Honor 5S smart phones with software the versions before TAG-TL0 ...) NOT-FOR-US: Huawei CVE-2017-8150 (The boot loaders of P10 and P10 Plus Huawei mobile phones with softwar ...) NOT-FOR-US: Huawei CVE-2017-8149 (The boot loaders of P10 and P10 Plus Huawei mobile phones with softwar ...) NOT-FOR-US: Huawei CVE-2017-8148 (Audio driver in P9 smartphones with software The versions before EVA-A ...) NOT-FOR-US: Huawei CVE-2017-8147 (AC6005 V200R006C10SPC200,AC6605 V200R006C10SPC200,AR1200 with software ...) NOT-FOR-US: Huawei CVE-2017-8146 (The call module of P10 and P10 Plus smartphones with software versions ...) NOT-FOR-US: Huawei CVE-2017-8145 (The call module of P10 and P10 Plus smartphones with software versions ...) NOT-FOR-US: Huawei CVE-2017-8144 (Honor 5A,Honor 8 Lite,Mate9,Mate9 Pro,P10,P10 Plus Huawei smartphones ...) NOT-FOR-US: Huawei CVE-2017-8143 (Wi-Fi driver of Honor 5C and P9 Lite Huawei smart phones with software ...) NOT-FOR-US: Huawei CVE-2017-8142 (The Trusted Execution Environment (TEE) module driver of Mate 9 and Ma ...) NOT-FOR-US: Huawei CVE-2017-8141 (The Touch Panel (TP) driver in P10 Plus smart phones with software ver ...) NOT-FOR-US: Huawei CVE-2017-8140 (The soundtrigger driver in P9 Plus smart phones with software versions ...) NOT-FOR-US: Huawei CVE-2017-8139 (HedEx Earlier than V200R006C00 versions have the stored cross-site scr ...) NOT-FOR-US: Huawei CVE-2017-8138 (HedEx Earlier than V200R006C00 versions has a cross-site request forge ...) NOT-FOR-US: Huawei CVE-2017-8137 (HedEx Earlier than V200R006C00 versions has a dynamic link library (DL ...) NOT-FOR-US: Huawei CVE-2017-8136 (HedEx Earlier than V200R006C00 versions has an arbitrary file download ...) NOT-FOR-US: Huawei CVE-2017-8135 (The FusionSphere OpenStack with software V100R006C00 and V100R006C10 h ...) NOT-FOR-US: Huawei CVE-2017-8134 (The FusionSphere OpenStack with software V100R006C00 and V100R006C10 h ...) NOT-FOR-US: Huawei CVE-2017-8133 (Huawei iManager NetEco with software V600R008C00 and V600R008C10 has a ...) NOT-FOR-US: Huawei CVE-2017-8132 (The FusionSphere OpenStack with software V100R006C00 and V100R006C10 h ...) NOT-FOR-US: Huawei CVE-2017-8131 (The FusionSphere OpenStack with software V100R006C00 and V100R006C10 h ...) NOT-FOR-US: Huawei CVE-2017-8130 (The UMA product with software V200R001 and V300R001 has an information ...) NOT-FOR-US: Huawei CVE-2017-8129 (The UMA product with software V200R001 and V300R001 has a privilege el ...) NOT-FOR-US: Huawei CVE-2017-8128 (The UMA product with software V200R001 and V300R001 has a privilege el ...) NOT-FOR-US: Huawei CVE-2017-8127 (The UMA product with software V200R001 has a cross-site scripting (XSS ...) NOT-FOR-US: Huawei CVE-2017-8126 (The UMA product with software V200R001 has a privilege elevation vulne ...) NOT-FOR-US: Huawei CVE-2017-8125 (The UMA product with software V200R001 and V300R001 has a cross-site s ...) NOT-FOR-US: Huawei CVE-2017-8124 (The UMA product with software V200R001 has a privilege elevation vulne ...) NOT-FOR-US: Huawei CVE-2017-8123 (The UMA product with software V200R001 has a privilege elevation vulne ...) NOT-FOR-US: Huawei CVE-2017-8122 (The UMA product with software V200R001 has a privilege elevation vulne ...) NOT-FOR-US: Huawei CVE-2017-8121 (The UMA product with software V200R001 and V300R001 has an information ...) NOT-FOR-US: Huawei CVE-2017-8120 (The UMA product with software V200R001 and V300R001 has a privilege el ...) NOT-FOR-US: Huawei CVE-2017-8119 (The UMA product with software V200R001 and V300R001 has a privilege el ...) NOT-FOR-US: Huawei CVE-2017-8118 (The UMA product with software V200R001 and V300R001 has an information ...) NOT-FOR-US: Huawei CVE-2017-8117 (The UMA product with software V200R001 and V300R001 has a privilege el ...) NOT-FOR-US: Huawei CVE-2017-8116 (The management interface for the Teltonika RUT9XX routers (aka LuCI) w ...) NOT-FOR-US: Teltonika RUT9XX routers CVE-2017-8115 (Directory traversal in setup/processors/url_search.php (aka the search ...) NOT-FOR-US: MODX CVE-2017-8114 (Roundcube Webmail allows arbitrary password resets by authenticated us ...) {DLA-933-1} - roundcube 1.2.3+dfsg.1-4 (bug #861388) NOTE: https://github.com/roundcube/roundcubemail/releases/tag/1.2.5 NOTE: https://github.com/roundcube/roundcubemail/commit/6e054a37d13dc3772d0aa454a32d5dc3bdcc7003 (1.2.x) NOTE: https://github.com/roundcube/roundcubemail/releases/tag/1.1.9 NOTE: https://github.com/roundcube/roundcubemail/commit/10b227d70a03e33682aaaa0138e84f9256f3cd50 (1.1.x) NOTE: https://github.com/roundcube/roundcubemail/releases/tag/1.0.11 NOTE: https://github.com/roundcube/roundcubemail/commit/271426429bfbb5b63e6dec91b1e4780e8ef1c67e (1.0.x) CVE-2017-8113 RESERVED CVE-2017-8112 (hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest O ...) {DLA-1497-1} - qemu 1:2.8+dfsg-5 (bug #861351) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg04578.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1445621 NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=f68826989cd4d1217797251339579c57b3c0934e CVE-2017-8111 RESERVED CVE-2017-8110 (www.modified-shop.org modified eCommerce Shopsoftware 2.0.2.2 rev 1069 ...) NOT-FOR-US: modified eCommerce Shopsoftware CVE-2017-8109 (The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 co ...) - salt 2016.11.5+ds-1 (bug #861219) [stretch] - salt 2016.11.2+ds-1+deb9u2 [jessie] - salt (Vulnerable code not present) NOTE: https://github.com/saltstack/salt/issues/40075 NOTE: https://github.com/saltstack/salt/pull/40609 NOTE: https://github.com/saltstack/salt/commit/8492cef7a5c8871a3978ffc2f6e48b3b960e0151 CVE-2017-8108 (Unspecified tests in Lynis before 2.5.0 allow local users to write to ...) - lynis 2.5.0-1 (unimportant) [wheezy] - lynis (Vulnerable code do not exist) NOTE: Neutralised by kernel hardening CVE-2017-8107 RESERVED CVE-2017-8106 (The handle_invept function in arch/x86/kvm/vmx.c in the Linux kernel 3 ...) - linux 3.16.2-1 [wheezy] - linux (Vulnerable code not present) NOTE: Introduced by: https://git.kernel.org/linus/bfd0a56b90005f8c8a004baf407ad90045c2b11e (3.12-rc1) NOTE: Fixed by: https://git.kernel.org/linus/4b855078601fc422dbac3059f2215e776f49780f (3.16-rc4) CVE-2017-8105 (FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a he ...) {DSA-3839-1 DLA-918-1} - freetype 2.6.3-3.2 (bug #861220) NOTE: Fixed by: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f958c48ee431bef8d4d466b40c9cb2d4dbcb7791 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935 CVE-2017-8104 (In MyBB before 1.8.11, the smilie module allows Directory Traversal vi ...) NOT-FOR-US: MyBB CVE-2017-8103 (In MyBB before 1.8.11, the Email MyCode component allows XSS, as demon ...) NOT-FOR-US: MyBB CVE-2017-8102 (Stored XSS in Serendipity v2.1-rc1 allows an attacker to steal an admi ...) - serendipity CVE-2017-8101 (There is CSRF in Serendipity 2.0.5, allowing attackers to install any ...) - serendipity CVE-2017-8100 (There is CSRF in the CopySafe Web Protection plugin before 2.6 for Wor ...) NOT-FOR-US: CopySafe Web Protection plugin CVE-2017-8099 (There is CSRF in the WHIZZ plugin before 1.1.1 for WordPress, allowing ...) NOT-FOR-US: WHIZZ plugin for Wordpress CVE-2017-8098 (e107 2.1.4 is vulnerable to cross-site request forgery in plugin-insta ...) NOT-FOR-US: e107 CVE-2017-8097 RESERVED CVE-2017-8096 RESERVED CVE-2017-8095 RESERVED CVE-2017-8094 RESERVED CVE-2017-8093 RESERVED CVE-2017-8092 RESERVED CVE-2017-8091 RESERVED CVE-2017-8090 RESERVED CVE-2017-8089 RESERVED CVE-2017-8088 RESERVED CVE-2017-8087 (Information Leakage in PPPoE Packet Padding in AVM Fritz!Box 7490 with ...) NOT-FOR-US: AVM CVE-2017-8086 (Memory leak in the v9fs_list_xattr function in hw/9pfs/9p-xattr.c in Q ...) {DLA-1497-1 DLA-1035-1 DLA-965-1} - qemu 1:2.8+dfsg-5 (bug #861348) - qemu-kvm NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=4ffcdef4277a91af15a3c09f7d16af072c29f3f2 (v2.9.0-rc4) NOTE: Introduced possibly by the fix d10142c11bdcecebe97fd834a834167053b7a05c to NOTE: partially fix CVE-2016-9602. CVE-2017-8085 (In Exponent CMS before 2.4.1 Patch #5, XSS in elFinder is possible in ...) NOT-FOR-US: Exponent CMS CVE-2017-1000363 (Linux drivers/char/lp.c Out-of-Bounds Write. Due to a missing bounds c ...) {DSA-3945-1 DLA-1099-1} - linux 4.9.30-1 (low) NOTE: Fixed by: https://git.kernel.org/linus/3e21f4af170bebf47c187c1ff8bf155583c9f3b1 (4.12-rc2) NOTE: https://alephsecurity.com/vulns/aleph-2017023 CVE-2017-1000361 (DOMRpcImplementationNotAvailableException when sending Port-Status pac ...) NOT-FOR-US: OpenDaylight CVE-2017-1000360 (StreamCorruptedException and NullPointerException in OpenDaylight odl- ...) NOT-FOR-US: OpenDaylight CVE-2017-1000359 (Java out of memory error and significant increase in resource consumpt ...) NOT-FOR-US: OpenDaylight CVE-2017-1000358 (Controller throws an exception and does not allow user to add subseque ...) NOT-FOR-US: OpenDaylight CVE-2017-1000357 (Denial of Service attack when the switch rejects to receive packets fr ...) NOT-FOR-US: OpenDaylight CVE-2017-1000356 (Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier ar ...) - jenkins CVE-2017-1000355 (Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier ar ...) - jenkins CVE-2017-1000354 (Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier ar ...) - jenkins CVE-2017-1000353 (Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier ar ...) - jenkins CVE-2017-8084 RESERVED CVE-2017-8083 (CompuLab Intense PC and MintBox 2 devices with BIOS before 2017-05-21 ...) NOT-FOR-US: CompuLab Intense PC and MintBox 2 devices CVE-2017-8082 (concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, whic ...) NOT-FOR-US: concrete5 CVE-2017-8081 (Poor cryptographic salt initialization in admin/inc/template_functions ...) NOT-FOR-US: GetSimple CMS CVE-2017-8080 (Atlassian Hipchat Server before 2.2.4 allows remote authenticated user ...) NOT-FOR-US: HipChat CVE-2010-5329 (The video_usercopy function in drivers/media/video/v4l2-ioctl.c in the ...) - linux (Fixed before src:linux-2.6 -> src:linux rename) NOTE: Fixed by: https://git.kernel.org/linus/fc0a80798576f80ca10b3f6c9c7097f12fd1d64e (v2.6.39-rc2) CVE-2007-6761 (drivers/media/video/videobuf-vmalloc.c in the Linux kernel before 2.6. ...) - linux (Fixed before src:linux-2.6 -> src:linux rename) NOTE: Fixed by: https://git.kernel.org/linus/0b29669c065f60501e7289e1950fa2a618962358 (v2.6.24-rc6) CVE-2017-8079 RESERVED CVE-2017-8078 (On the TP-Link TL-SG108E 1.0, the upgrade process can be requested rem ...) NOT-FOR-US: TP-Link CVE-2017-8077 (On the TP-Link TL-SG108E 1.0, there is a hard-coded ciphering key (a l ...) NOT-FOR-US: TP-Link CVE-2017-8076 (On the TP-Link TL-SG108E 1.0, admin network communications are RC4 enc ...) NOT-FOR-US: TP-Link CVE-2017-8075 (On the TP-Link TL-SG108E 1.0, a remote attacker could retrieve credent ...) NOT-FOR-US: TP-Link CVE-2017-8074 (On the TP-Link TL-SG108E 1.0, a remote attacker could retrieve credent ...) NOT-FOR-US: TP-Link CVE-2017-8073 (WeeChat before 1.7.1 allows a remote crash by sending a filename via D ...) {DSA-3836-1 DLA-919-1} - weechat 1.7-3 (bug #861121) [stretch] - weechat 1.6-1+deb9u1 NOTE: https://github.com/weechat/weechat/commit/2fb346f25f79e412cf0ed314fdf791763c19b70b CVE-2017-8072 (The cp2112_gpio_direction_input function in drivers/hid/hid-cp2112.c i ...) - linux 4.9.10-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/8e9faa15469ed7c7467423db4c62aeed3ff4cae3 CVE-2017-8071 (drivers/hid/hid-cp2112.c in the Linux kernel 4.9.x before 4.9.9 uses a ...) - linux 4.9.10-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/7a7b5df84b6b4e5d599c7289526eed96541a0654 CVE-2017-8070 (drivers/net/usb/catc.c in the Linux kernel 4.9.x before 4.9.11 interac ...) - linux 4.9.13-1 [jessie] - linux (Introduced in 4.9-rc1 in combination with VMAP_STACK) [wheezy] - linux (Introduced in 4.9-rc1 in combination with VMAP_STACK) NOTE: Fixed by: https://git.kernel.org/linus/2d6a0e9de03ee658a9adc3bfb2f0ca55dff1e478 CVE-2017-8069 (drivers/net/usb/rtl8150.c in the Linux kernel 4.9.x before 4.9.11 inte ...) - linux 4.9.13-1 [jessie] - linux (Introduced in 4.9-rc1 in combination with VMAP_STACK) [wheezy] - linux (Introduced in 4.9-rc1 in combination with VMAP_STACK) NOTE: Fixed by: https://git.kernel.org/linus/7926aff5c57b577ab0f43364ff0c59d968f6a414 CVE-2017-8068 (drivers/net/usb/pegasus.c in the Linux kernel 4.9.x before 4.9.11 inte ...) - linux 4.9.10-1 (bug #852556) [jessie] - linux (Introduced in 4.9-rc1 in combination with VMAP_STACK) [wheezy] - linux (Introduced in 4.9-rc1 in combination with VMAP_STACK) NOTE: Fixed by: https://git.kernel.org/linus/5593523f968bc86d42a035c6df47d5e0979b5ace CVE-2017-8067 (drivers/char/virtio_console.c in the Linux kernel 4.9.x and 4.10.x bef ...) - linux 4.9.25-1 [jessie] - linux (Introduced in 4.9-rc1 in combination with VMAP_STACK) [wheezy] - linux (Introduced in 4.9-rc1 in combination with VMAP_STACK) NOTE: Fixed by: https://git.kernel.org/linus/c4baad50297d84bde1a7ad45e50c73adae4a2192 CVE-2017-8066 (drivers/net/can/usb/gs_usb.c in the Linux kernel 4.9.x and 4.10.x befo ...) - linux 4.9.16-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/c919a3069c775c1c876bec55e00b2305d5125caa CVE-2017-8065 (crypto/ccm.c in the Linux kernel 4.9.x and 4.10.x through 4.10.12 inte ...) - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/3b30460c5b0ed762be75a004e924ec3f8711e032 CVE-2017-8064 (drivers/media/usb/dvb-usb-v2/dvb_usb_core.c in the Linux kernel 4.9.x ...) {DSA-3886-1} - linux 4.9.25-1 [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/005145378c9ad7575a01b6ce1ba118fb427f583a CVE-2017-8063 (drivers/media/usb/dvb-usb/cxusb.c in the Linux kernel 4.9.x and 4.10.x ...) - linux 4.9.25-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/3f190e3aec212fc8c61e202c51400afa7384d4bc CVE-2017-8062 (drivers/media/usb/dvb-usb/dw2102.c in the Linux kernel 4.9.x and 4.10. ...) - linux 4.9.16-1 [jessie] - linux (Introduced in 4.9-rc1 in combination with VMAP_STACK) [wheezy] - linux (Introduced in 4.9-rc1 in combination with VMAP_STACK) NOTE: Fixed by: https://git.kernel.org/linus/606142af57dad981b78707234cfbd15f9f7b7125 CVE-2017-8061 (drivers/media/usb/dvb-usb/dvb-usb-firmware.c in the Linux kernel 4.9.x ...) - linux 4.9.25-1 [jessie] - linux (Introduced in 4.9-rc1 in combination with VMAP_STACK) [wheezy] - linux (Introduced in 4.9-rc1 in combination with VMAP_STACK) NOTE: Fixed by: https://git.kernel.org/linus/67b0503db9c29b04eadfeede6bebbfe5ddad94ef CVE-2017-8060 (Acceptance of invalid/self-signed TLS certificates in "Panda Mobile Se ...) NOT-FOR-US: Panda CVE-2017-8059 (Acceptance of invalid/self-signed TLS certificates in "Foxit PDF - PDF ...) NOT-FOR-US: Foxit CVE-2017-8058 (Acceptance of invalid/self-signed TLS certificates in Atlassian HipCha ...) NOT-FOR-US: HipChat CVE-2017-8057 (In Joomla! 3.4.0 through 3.6.5 (fixed in 3.7.0), multiple files caused ...) NOT-FOR-US: Joomla! CVE-2017-8056 (WatchGuard Fireware v11.12.1 and earlier mishandles requests referring ...) NOT-FOR-US: WatchGuard CVE-2017-8055 (WatchGuard Fireware allows user enumeration, e.g., in the Firebox XML- ...) NOT-FOR-US: WatchGuard CVE-2017-8054 (The function PdfPagesTree::GetPageNodeFromArray in PdfPageTree.cpp:464 ...) - libpodofo 0.9.5-9 (bug #860995) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: The motivation for no-dsa in wheezy is that there are no known NOTE: services that use this library (apart from desktop applications) NOTE: and the worst case is a DoS. NOTE: http://qwertwwwe.github.io/2017/04/22/PoDoFo-0-9-5-allows-remote-attackers-to-cause-a-denial-of-service-infinit-loop/ NOTE: PoC: https://github.com/qwertwwwe/PoC/blob/master/podofo/PoC NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1872 NOTE: partially reverted in: https://sourceforge.net/p/podofo/code/1881 NOTE: ... and re-fixed in: https://sourceforge.net/p/podofo/code/1882 NOTE: and https://sourceforge.net/p/podofo/code/1883 CVE-2017-8053 (PoDoFo 0.9.5 allows denial of service (infinite recursion and stack co ...) - libpodofo 0.9.6+dfsg-3 (bug #860994) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: http://openwall.com/lists/oss-security/2017/04/22/1 NOTE: https://sourceforge.net/p/podofo/tickets/7/ NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1834 NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1924 CVE-2017-8052 (Craft CMS before 2.6.2974 allows XSS attacks. ...) NOT-FOR-US: Craft CMS CVE-2017-8051 (Tenable Appliance 3.5 - 4.4.0, and possibly prior versions, contains a ...) NOT-FOR-US: Tenable Appliance CVE-2017-8050 (Tenable Appliance 4.4.0, and possibly prior, contains a flaw in the We ...) NOT-FOR-US: Tenable Appliance CVE-2017-8049 REJECTED CVE-2017-8048 (In Cloud Foundry capi-release versions 1.33.0 and later, prior to 1.42 ...) NOT-FOR-US: Cloud Foundry CVE-2017-8047 (In Cloud Foundry router routing-release all versions prior to v0.163.0 ...) NOT-FOR-US: Cloud Foundry CVE-2017-8046 (Malicious PATCH requests submitted to servers using Spring Data REST v ...) NOT-FOR-US: Spring Data REST CVE-2017-8045 (In Pivotal Spring AMQP versions prior to 1.7.4, 1.6.11, and 1.5.7, an ...) NOT-FOR-US: Spring AMQP CVE-2017-8044 (In Pivotal Single Sign-On for PCF (1.3.x versions prior to 1.3.4 and 1 ...) NOT-FOR-US: Pivotal SSO CVE-2017-8043 REJECTED CVE-2017-8042 REJECTED CVE-2017-8041 (In Single Sign-On for Pivotal Cloud Foundry (PCF) 1.3.x versions prior ...) NOT-FOR-US: Pivotal CVE-2017-8040 (In Single Sign-On for Pivotal Cloud Foundry (PCF) 1.3.x versions prior ...) NOT-FOR-US: Pivotal CVE-2017-8039 (An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Appl ...) NOT-FOR-US: Spring Web Flow CVE-2017-8038 (In Cloud Foundry Foundation Credhub-release version 1.1.0, access cont ...) NOT-FOR-US: Cloud Foundry Foundation Credhub-release CVE-2017-8037 (In Cloud Foundry Foundation CAPI-release versions after v1.6.0 and pri ...) NOT-FOR-US: Cloud Foundry CVE-2017-8036 (An issue was discovered in the Cloud Controller API in Cloud Foundry F ...) NOT-FOR-US: Cloud Foundry CVE-2017-8035 (An issue was discovered in the Cloud Controller API in Cloud Foundry F ...) NOT-FOR-US: Cloud Foundry CVE-2017-8034 (The Cloud Controller and Router in Cloud Foundry (CAPI-release capi ve ...) NOT-FOR-US: Cloud Foundry CVE-2017-8033 (An issue was discovered in the Cloud Controller API in Cloud Foundry F ...) NOT-FOR-US: Cloud Foundry CVE-2017-8032 (In Cloud Foundry cf-release versions prior to v264; UAA release all ve ...) NOT-FOR-US: Cloud Foundry CVE-2017-8031 (An issue was discovered in Cloud Foundry Foundation cf-release (all ve ...) NOT-FOR-US: Cloud Foundry CVE-2017-8030 REJECTED CVE-2017-8029 REJECTED CVE-2017-8028 (In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some ...) {DSA-4046-1 DLA-1180-1} - libspring-ldap-java NOTE: https://pivotal.io/security/cve-2017-8028 NOTE: https://github.com/spring-projects/spring-ldap/issues/430 CVE-2017-8027 REJECTED CVE-2017-8026 REJECTED CVE-2017-8025 (RSA Archer GRC Platform prior to 6.2.0.5 is affected by an arbitrary f ...) NOT-FOR-US: RSA Archer GRC Platform CVE-2017-8024 (EMC Isilon OneFS (versions prior to 8.1.0.1, versions prior to 8.0.1.2 ...) NOT-FOR-US: EMC CVE-2017-8023 (EMC NetWorker may potentially be vulnerable to an unauthenticated remo ...) NOT-FOR-US: EMC CVE-2017-8022 (An issue was discovered in EMC NetWorker (prior to 8.2.4.9, all suppor ...) NOT-FOR-US: EMC CVE-2017-8021 (EMC Elastic Cloud Storage (ECS) before 3.1 is affected by an undocumen ...) NOT-FOR-US: EMC Elastic Cloud Storage CVE-2017-8020 (An issue was discovered in EMC ScaleIO 2.0.1.x. A buffer overflow vuln ...) NOT-FOR-US: EMC CVE-2017-8019 (An issue was discovered in EMC ScaleIO 2.0.1.x. A vulnerability in mes ...) NOT-FOR-US: EMC CVE-2017-8018 (EMC AppSync host plug-in versions 3.5 and below (Windows platform only ...) NOT-FOR-US: EMC AppSync CVE-2017-8017 (EMC Network Configuration Manager (NCM) 9.3.x, 9.4.0.x, 9.4.1.x, and 9 ...) NOT-FOR-US: EMC Network Configuration Manager CVE-2017-8016 (RSA Archer GRC Platform prior to 6.2.0.5 is affected by stored cross-s ...) NOT-FOR-US: RSA Archer GRC Platform CVE-2017-8015 (EMC AppSync (all versions prior to 3.5) contains a SQL injection vulne ...) NOT-FOR-US: EMC CVE-2017-8014 REJECTED CVE-2017-8013 (EMC Data Protection Advisor 6.3.x before patch 67 and 6.4.x before pat ...) NOT-FOR-US: EMC Data Protection Adv CVE-2017-8012 (In EMC ViPR SRM, Storage M&R, VNX M&R, and M&R (Watch4Net) ...) NOT-FOR-US: EMC CVE-2017-8011 (EMC ViPR SRM, EMC Storage M&R, EMC VNX M&R, EMC M&R for SA ...) NOT-FOR-US: EMC CVE-2017-8010 REJECTED CVE-2017-8009 REJECTED CVE-2017-8008 REJECTED CVE-2017-8007 (In EMC ViPR SRM, Storage M&R, VNX M&R, and M&R (Watch4Net) ...) NOT-FOR-US: EMC CVE-2017-8006 (In EMC RSA Authentication Manager 8.2 SP1 Patch 1 and earlier, a malic ...) NOT-FOR-US: EMC CVE-2017-8005 (The EMC RSA Identity Governance and Lifecycle, RSA Via Lifecycle and G ...) NOT-FOR-US: EMC CVE-2017-8004 (The EMC RSA Identity Governance and Lifecycle, RSA Via Lifecycle and G ...) NOT-FOR-US: EMC CVE-2017-8003 (EMC Data Protection Advisor prior to 6.4 contains a path traversal vul ...) NOT-FOR-US: EMC Data Protection Advisor CVE-2017-8002 (EMC Data Protection Advisor prior to 6.4 contains multiple blind SQL i ...) NOT-FOR-US: EMC Data Protection Advisor CVE-2017-8001 (An issue was discovered in EMC ScaleIO 2.0.1.x. In a Linux environment ...) NOT-FOR-US: EMC CVE-2017-8000 (In EMC RSA Authentication Manager 8.2 SP1 and earlier, a malicious RSA ...) NOT-FOR-US: EMC CVE-2017-7999 (Atlassian Eucalyptus before 4.4.1, when in EDGE mode, allows remote au ...) NOT-FOR-US: Atlassian Eucalyptus CVE-2017-7998 (Multiple cross-site scripting (XSS) vulnerabilities in Gespage before ...) NOT-FOR-US: Gespage CVE-2017-7997 (Multiple SQL injection vulnerabilities in Gespage before 7.4.9 allow r ...) NOT-FOR-US: Gespage CVE-2017-7996 RESERVED CVE-2017-7995 (Xen PV guest before Xen 4.3 checked access permissions to MMIO ranges ...) {DLA-964-1} - xen 4.3.0-1 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1033948 CVE-2017-7994 (The function TextExtractor::ExtractText in TextExtractor.cpp:77 in PoD ...) - libpodofo 0.9.5-7 (bug #860930) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: https://github.com/icepng/PoC/tree/master/PoC1 NOTE: https://icepng.github.io/2017/04/21/PoDoFo-1/ NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1849 CVE-2017-7993 RESERVED CVE-2017-7992 (Heartland Payment Systems Payment Gateway PHP SDK hps/heartland-php v2 ...) NOT-FOR-US: Heartland Payment Systems Payment Gateway PHP SDK CVE-2016-10348 RESERVED CVE-2017-7991 (Exponent CMS 2.4.1 and earlier has SQL injection via a base64 serializ ...) NOT-FOR-US: Exponent CMS CVE-2017-7990 (The Reporting Module 1.12.0 for OpenMRS allows CSRF attacks with resul ...) NOT-FOR-US: OpenMRS CVE-2017-7989 (In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate MIME type ...) NOT-FOR-US: Joomla! CVE-2017-7988 (In Joomla! 1.6.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering ...) NOT-FOR-US: Joomla! CVE-2017-7987 (In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate escaping o ...) NOT-FOR-US: Joomla! CVE-2017-7986 (In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering ...) NOT-FOR-US: Joomla! CVE-2017-7985 (In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering ...) NOT-FOR-US: Joomla! CVE-2017-7984 (In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering ...) NOT-FOR-US: Joomla! CVE-2017-7983 (In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), mail sent using the J ...) NOT-FOR-US: Joomla! CVE-2017-7982 (Integer overflow in the plist_from_bin function in bplist.c in libimob ...) {DLA-2168-1} - libplist 1.12+git+1+e37ca00-0.3 (bug #860945) [wheezy] - libplist (Minor issue) NOTE: Fixed by: https://github.com/libimobiledevice/libplist/commit/fdebf8b319b9280cd0e9b4382f2c7cbf26ef9325 NOTE: https://github.com/libimobiledevice/libplist/issues/103 NOTE: The issue seems covered in prior versions of upstream dccd9290745345896e3a4a73154576a599fd8b7b NOTE: which is CVE-2017-6440. CVE-2017-7981 (Tuleap before 9.7 allows command injection via the PhpWiki 1.3.10 Synt ...) NOT-FOR-US: Enalean Tuleap CVE-2017-7980 (Heap-based buffer overflow in Cirrus CLGD 54xx VGA Emulator in Quick E ...) {DLA-1497-1 DLA-1035-1 DLA-939-1} - qemu 1:2.8+dfsg-4 - qemu-kvm NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=026aeffcb4752054830ba203020ed6eb05bcaba8 NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=ffaf857778286ca54e3804432a2369a279e73aa7 NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=f019722cbbb45aea153294fc8921fcc96a4d3fa2 CVE-2017-7978 (Samsung Android devices with L(5.0/5.1), M(6.0), and N(7.x) software a ...) NOT-FOR-US: Samsung CVE-2017-7979 (The cookie feature in the packet action API implementation in net/sche ...) - linux (Only affects 4.11-rc1 onwards) CVE-2017-7977 (The Screensavercc component in eLux RP before 5.5.0 allows attackers t ...) NOT-FOR-US: Screensavercc component in eLux RP CVE-2017-7976 (Artifex jbig2dec 0.13 allows out-of-bounds writes and reads because of ...) {DSA-3855-1 DLA-942-1} - jbig2dec 0.13-4.1 (bug #860787) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697683 NOTE: Fixed by: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ed6c5133a1004ce8d CVE-2017-7975 (Artifex jbig2dec 0.13, as used in Ghostscript, allows out-of-bounds wr ...) {DSA-3855-1 DLA-942-1} - jbig2dec 0.13-4.1 (bug #860788) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697693 NOTE: Fixed by: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5e57e483298dae8b CVE-2017-7974 (A path traversal information disclosure vulnerability exists in Schnei ...) NOT-FOR-US: Schneider Electric CVE-2017-7973 (A SQL injection vulnerability exists in Schneider Electric's U.motion ...) NOT-FOR-US: Schneider Electric CVE-2017-7972 (A vulnerability exists in Schneider Electric's PowerSCADA Anywhere v1. ...) NOT-FOR-US: Schneider Electric CVE-2017-7971 (A vulnerability exists in Schneider Electric's PowerSCADA Anywhere v1. ...) NOT-FOR-US: Schneider Electric CVE-2017-7970 (A vulnerability exists in Schneider Electric's PowerSCADA Anywhere v1. ...) NOT-FOR-US: Schneider Electric CVE-2017-7969 (A cross-site request forgery vulnerability exists on the Secure Gatewa ...) NOT-FOR-US: Schneider Electric CVE-2017-7968 (An Incorrect Default Permissions issue was discovered in Schneider Ele ...) NOT-FOR-US: Schneider CVE-2017-7967 (All versions of VAMPSET software produced by Schneider Electric, prior ...) NOT-FOR-US: Schneider CVE-2017-7966 (A DLL Hijacking vulnerability in the programming software in Schneider ...) NOT-FOR-US: Schneider CVE-2017-7965 (A buffer overflow vulnerability exists in Programming Software executa ...) NOT-FOR-US: Schneider CVE-2017-7964 (Zyxel WRE6505 devices have a default TELNET password of 1234 for the r ...) NOT-FOR-US: Zyxel CVE-2017-7963 (** DISPUTED ** The GNU Multiple Precision Arithmetic Library (GMP) int ...) NOTE: PHP non-issue, might get rejected CVE-2017-7962 (The iwgif_read_image function in imagew-gif.c in libimageworsener.a in ...) NOT-FOR-US: ImageWorsener CVE-2017-7961 (** DISPUTED ** The cr_tknzr_parse_rgb function in cr-tknzr.c in libcro ...) {DLA-909-1} - libcroco 0.6.11-3 (bug #860961) [jessie] - libcroco (Minor issue; will be fixed via point release) NOTE: https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/ NOTE: https://git.gnome.org/browse/libcroco/commit/?id=9ad72875e9f08e4c519ef63d44cdbd94aa9504f7 CVE-2017-7960 (The cr_input_new_from_uri function in cr-input.c in libcroco 0.6.11 an ...) {DLA-909-1} - libcroco 0.6.11-3 (bug #860961) [jessie] - libcroco (Minor issue; will be fixed via point release) NOTE: https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/ NOTE: https://git.gnome.org/browse/libcroco/commit/?id=898e3a8c8c0314d2e6b106809a8e3e93cf9d4394 CVE-2017-7959 RESERVED CVE-2017-7958 RESERVED CVE-2017-7957 (XStream through 1.4.9, when a certain denyTypes workaround is not used ...) {DSA-3841-1 DLA-930-1} - libxstream-java 1.4.9-2 (bug #861521) NOTE: https://x-stream.github.io/CVE-2017-7957.html NOTE: Fixed by: https://github.com/x-stream/xstream/commit/b3570be CVE-2017-7956 RESERVED CVE-2017-7955 RESERVED CVE-2017-7954 RESERVED CVE-2017-7953 (INFOR EAM V11.0 Build 201410 has XSS via comment fields. ...) NOT-FOR-US: INFOR EAM CVE-2017-7952 (INFOR EAM V11.0 Build 201410 has SQL injection via search fields, rela ...) NOT-FOR-US: INFOR EAM CVE-2017-7951 (WonderCMS before 2.0.3 has CSRF because of lack of a token in an unspe ...) NOT-FOR-US: WonderCMS CVE-2017-7950 (Nitro Pro 11.0.3 and earlier allows remote attackers to cause a denial ...) NOT-FOR-US: Nitro Pro CVE-2017-7949 RESERVED CVE-2017-7948 (Integer overflow in the mark_curve function in Artifex Ghostscript 9.2 ...) - ghostscript 9.22~dfsg-1 (unimportant) [jessie] - ghostscript (Vulnerable code not present) [wheezy] - ghostscript (Vulnerable code not present) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697762 NOTE: Fixed by: http://git.ghostscript.com/?p=ghostpdl.git;h=8210a2864372723b49c526e2b102fdc00c9c4699 NOTE: edgebuffer scan converter was made default only in: http://git.ghostscript.com/?p=ghostpdl.git;h=dd5da2cb3e08398ac6d86598b36b00994d058308 NOTE: But the vulnerable code via base/gxscan.c, a new scan converter introduced in 9.20 is present. CVE-2017-7947 (NetApp Clustered Data ONTAP before 8.3.2P11, 9.0 before P4, and 9.1 be ...) NOT-FOR-US: NetApp CVE-2016-10347 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10346 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9055 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2013-7463 (The aescrypt gem 1.0.0 for Ruby does not randomize the CBC IV for use ...) NOT-FOR-US: aescrypt gem for Ruby CVE-2017-7946 (The get_relocs_64 function in libr/bin/format/mach0/mach0.c in radare2 ...) - radare2 1.1.0+dfsg-5 (low; bug #860962) [jessie] - radare2 (Minor issue) [wheezy] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/issues/7301 NOTE: https://github.com/radare/radare2/commit/d1e8ac62c6d978d4662f69116e30230d43033c92 CVE-2017-7945 (The GlobalProtect external interface in Palo Alto Networks PAN-OS befo ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-7944 (XOOPS Core 2.5.8.1 has XSS due to unescaped HTML output of an Install ...) NOT-FOR-US: XOOPS CVE-2017-7943 (The ReadSVGImage function in svg.c in ImageMagick 7.0.5-4 allows remot ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-6 (low; bug #860736) NOTE: https://github.com/ImageMagick/ImageMagick/issues/427 CVE-2017-7942 (The ReadAVSImage function in avs.c in ImageMagick 7.0.5-4 allows remot ...) - imagemagick 8:6.9.7.4+dfsg-6 (low; bug #860735) [jessie] - imagemagick (Vulnerable code not present, does not use pixel_info yet) [wheezy] - imagemagick (Vulnerable code not present, does not use pixel_info yet) NOTE: https://github.com/ImageMagick/ImageMagick/issues/429 CVE-2017-7941 (The ReadSGIImage function in sgi.c in ImageMagick 7.0.5-4 allows remot ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-6 (low; bug #860734) NOTE: https://github.com/ImageMagick/ImageMagick/issues/428 CVE-2017-7940 (The iw_read_gif_file function in imagew-gif.c in libimageworsener.a in ...) NOT-FOR-US: ImageWorsener CVE-2017-7939 (The read_next_pam_token function in imagew-pnm.c in libimageworsener.a ...) NOT-FOR-US: ImageWorsener CVE-2017-7938 (Stack-based buffer overflow in DMitry (Deepmagic Information Gathering ...) NOT-FOR-US: DMitry CVE-2017-7937 (An Improper Authentication issue was discovered in Phoenix Contact Gmb ...) NOT-FOR-US: Phoenix Contact CVE-2017-7936 (A stack-based buffer overflow issue was discovered in NXP i.MX 50, i.M ...) NOT-FOR-US: NXP i.MX devices CVE-2017-7935 (A Resource Exhaustion issue was discovered in Phoenix Contact GmbH mGu ...) NOT-FOR-US: Phoenix Contact CVE-2017-7934 (An Improper Authentication issue was discovered in OSIsoft PI Server 2 ...) NOT-FOR-US: OSIsoft CVE-2017-7933 (In ABB IP GATEWAY 3.39 and prior, some configuration files contain pas ...) NOT-FOR-US: ABB CVE-2017-7932 (An improper certificate validation issue was discovered in NXP i.MX 28 ...) NOT-FOR-US: NXP i.MX devices CVE-2017-7931 (In ABB IP GATEWAY 3.39 and prior, by accessing a specific uniform reso ...) NOT-FOR-US: ABB CVE-2017-7930 (An Improper Authentication issue was discovered in OSIsoft PI Server 2 ...) NOT-FOR-US: OSIsoft CVE-2017-7929 (An Absolute Path Traversal issue was discovered in Advantech WebAccess ...) NOT-FOR-US: Advantech WebAccess CVE-2017-7928 (An Improper Access Control issue was discovered in Schweitzer Engineer ...) NOT-FOR-US: Schweitzer Engineering Laboratories Security Gateway CVE-2017-7927 (A Use of Password Hash Instead of Password for Authentication issue wa ...) NOT-FOR-US: Dahua CVE-2017-7926 (A Cross-Site Request Forgery issue was discovered in OSIsoft PI Web AP ...) NOT-FOR-US: OSIsoft CVE-2017-7925 (A Password in Configuration File issue was discovered in Dahua DH-IPC- ...) NOT-FOR-US: Dahua CVE-2017-7924 (An Improper Input Validation issue was discovered in Rockwell Automati ...) NOT-FOR-US: Rockwell CVE-2017-7923 (A Password in Configuration File issue was discovered in Hikvision DS- ...) NOT-FOR-US: Hikvision CVE-2017-7922 (An Improper Privilege Management issue was discovered in Cambium Netwo ...) NOT-FOR-US: Cambium Networks ePMP CVE-2017-7921 (An Improper Authentication issue was discovered in Hikvision DS-2CD2xx ...) NOT-FOR-US: Hikvision CVE-2017-7920 (An Improper Authentication issue was discovered in ABB VSN300 WiFi Log ...) NOT-FOR-US: ABB WiFi Logger Card CVE-2017-7919 (An Improper Authentication issue was discovered in Newport XPS-Cx and ...) NOT-FOR-US: Newport CVE-2017-7918 (An Improper Access Control issue was discovered in Cambium Networks eP ...) NOT-FOR-US: Cambium Networks ePMP CVE-2017-7917 (A Cross-Site Request Forgery issue was discovered in Moxa OnCell G3110 ...) NOT-FOR-US: Moxa CVE-2017-7916 (A Permissions, Privileges, and Access Controls issue was discovered in ...) NOT-FOR-US: ABB WiFi Logger Card CVE-2017-7915 (An Improper Restriction of Excessive Authentication Attempts issue was ...) NOT-FOR-US: Moxa CVE-2017-7914 (A Missing Authorization issue was discovered in Rockwell Automation Pa ...) NOT-FOR-US: Rockwell Rockwell PanelView Plus CVE-2017-7913 (A Plaintext Storage of a Password issue was discovered in Moxa OnCell ...) NOT-FOR-US: Moxa CVE-2017-7912 (Hanwha Techwin SRN-4000, SRN-4000 firmware versions prior to SRN4000_v ...) NOT-FOR-US: Hanwha Techwin firmware CVE-2017-7911 (A Code Injection issue was discovered in CyberVision Kaa IoT Platform, ...) NOT-FOR-US: CyberVision Kaa IoT Platform CVE-2017-7910 (A Stack-Based Buffer Overflow issue was discovered in Digital Canal St ...) NOT-FOR-US: Digital Canal Structural Wind Analysis CVE-2017-7909 (A Use of Client-Side Authentication issue was discovered in Advantech ...) NOT-FOR-US: Advantech CVE-2017-7908 (A heap-based buffer overflow exists in the third-party product Gigasof ...) NOT-FOR-US: Gigasoft CVE-2017-7907 (An Improper XML Parser Configuration issue was discovered in Schneider ...) NOT-FOR-US: Schneider CVE-2017-7906 (In ABB IP GATEWAY 3.39 and prior, the web server does not sufficiently ...) NOT-FOR-US: ABB CVE-2017-7905 (A Weak Cryptography for Passwords issue was discovered in General Elec ...) NOT-FOR-US: General Electric CVE-2017-7904 RESERVED CVE-2017-7903 (A Weak Password Requirements issue was discovered in Rockwell Automati ...) NOT-FOR-US: Rockwell Automation CVE-2017-7902 (A "Reusing a Nonce, Key Pair in Encryption" issue was discovered in Ro ...) NOT-FOR-US: Rockwell Automation CVE-2017-7901 (A Predictable Value Range from Previous Values issue was discovered in ...) NOT-FOR-US: Rockwell Automation CVE-2017-7900 RESERVED CVE-2017-7899 (An Information Exposure issue was discovered in Rockwell Automation Al ...) NOT-FOR-US: Rockwell Automation CVE-2017-7898 (An Improper Restriction of Excessive Authentication Attempts issue was ...) NOT-FOR-US: Rockwell Automation CVE-2017-7897 (A cross-site scripting (XSS) vulnerability in the MantisBT (2.3.x befo ...) - mantis [wheezy] - mantis (Unsupported in Wheezy LTS) CVE-2017-7896 (Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 ...) NOT-FOR-US: Trend Micro CVE-2017-7895 (The NFSv2 and NFSv3 server implementations in the Linux kernel through ...) {DSA-3886-1 DLA-993-1} - linux 4.9.25-1 NOTE: Fixed by: https://git.kernel.org/linus/13bf9fbff0e5e099e2b6f003a0ab8ae145436309 CVE-2016-10345 (In Phusion Passenger before 5.1.0, a known /tmp filename was used duri ...) - passenger (unimportant) NOTE: https://github.com/phusion/passenger/commit/e5b4b0824d6b648525b4bf63d9fa37e5beeae441 NOTE: Source present, but passenger-install-nginx-module not installed CVE-2016-10344 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10343 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10342 (In all Android releases from CAF using the Linux kernel, a buffer over ...) NOT-FOR-US: Qualcomm component for Android CVE-2016-10341 (In all Android releases from CAF using the Linux kernel, 3rd party TEE ...) NOT-FOR-US: Qualcomm component for Android CVE-2016-10340 (In all Android releases from CAF using the Linux kernel, an integer un ...) NOT-FOR-US: Qualcomm component for Android CVE-2016-10339 (In all Android releases from CAF using the Linux kernel, HLOS can over ...) NOT-FOR-US: Qualcomm component for Android CVE-2016-10338 (In all Android releases from CAF using the Linux kernel, there was an ...) NOT-FOR-US: Qualcomm component for Android CVE-2016-10337 (In all Android releases from CAF using the Linux kernel, some validati ...) NOT-FOR-US: Qualcomm component for Android CVE-2016-10336 (In all Android releases from CAF using the Linux kernel, some regions ...) NOT-FOR-US: Qualcomm component for Android CVE-2016-10335 (In all Android releases from CAF using the Linux kernel, libtomcrypt w ...) NOT-FOR-US: Qualcomm component for Android CVE-2016-10334 (In all Android releases from CAF using the Linux kernel, a dynamically ...) NOT-FOR-US: Qualcomm component for Android CVE-2016-10333 (In all Android releases from CAF using the Linux kernel, a sensitive s ...) NOT-FOR-US: Qualcomm component for Android CVE-2016-10332 (In all Android releases from CAF using the Linux kernel, stack protect ...) NOT-FOR-US: Qualcomm component for Android CVE-2016-10331 (Directory traversal vulnerability in download.php in Synology Photo St ...) NOT-FOR-US: Synology Photo Station CVE-2016-10330 (Directory traversal vulnerability in synophoto_dsm_user, a SUID progra ...) NOT-FOR-US: Synology Photo Station CVE-2016-10329 (Command injection vulnerability in login.php in Synology Photo Station ...) NOT-FOR-US: Synology Photo Station CVE-2015-9054 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9053 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9052 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9051 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9050 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9049 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9048 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9047 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9046 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9045 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9044 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9043 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9042 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9041 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9040 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9039 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9038 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9037 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9036 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9035 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9034 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-9033 (In all Android releases from CAF using the Linux kernel, a QTEE system ...) NOT-FOR-US: Qualcomm component for Android CVE-2015-9032 (In all Android releases from CAF using the Linux kernel, a DRM key was ...) NOT-FOR-US: Qualcomm component for Android CVE-2015-9031 (In all Android releases from CAF using the Linux kernel, a TZ memory a ...) NOT-FOR-US: Qualcomm component for Android CVE-2015-9030 (In all Android releases from CAF using the Linux kernel, the Hyperviso ...) NOT-FOR-US: Qualcomm component for Android CVE-2015-9029 (In all Android releases from CAF using the Linux kernel, a vulnerabili ...) NOT-FOR-US: Qualcomm component for Android CVE-2015-9028 (In all Android releases from CAF using the Linux kernel, a buffer over ...) NOT-FOR-US: Qualcomm component for Android CVE-2015-9027 (In all Android releases from CAF using the Linux kernel, an untrusted ...) NOT-FOR-US: Qualcomm component for Android CVE-2015-9026 (In all Android releases from CAF using the Linux kernel, an untrusted ...) NOT-FOR-US: Qualcomm component for Android CVE-2015-9025 (In all Android releases from CAF using the Linux kernel, a buffer over ...) NOT-FOR-US: Qualcomm component for Android CVE-2015-9024 (In all Android releases from CAF using the Linux kernel, some interfac ...) NOT-FOR-US: Qualcomm component for Android CVE-2015-9023 (In all Android releases from CAF using the Linux kernel, a buffer over ...) NOT-FOR-US: Qualcomm component for Android CVE-2015-9022 (In all Android releases from CAF using the Linux kernel, time-of-check ...) NOT-FOR-US: Qualcomm component for Android CVE-2015-9021 (In all Android releases from CAF using the Linux kernel, access contro ...) NOT-FOR-US: Qualcomm component for Android CVE-2015-9020 (In all Android releases from CAF using the Linux kernel, an untrusted ...) NOT-FOR-US: Qualcomm component for Android CVE-2014-9969 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2014-9968 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2014-9967 (In all Android releases from CAF using the Linux kernel, an untrusted ...) NOT-FOR-US: Qualcomm component for Android CVE-2014-9966 (In all Android releases from CAF using the Linux kernel, a Time-of-che ...) NOT-FOR-US: Qualcomm component for Android CVE-2014-9965 (In all Android releases from CAF using the Linux kernel, a vulnerabili ...) NOT-FOR-US: Qualcomm component for Android CVE-2014-9964 (In all Android releases from CAF using the Linux kernel, an integer ov ...) NOT-FOR-US: Qualcomm component for Android CVE-2014-9963 (In all Android releases from CAF using the Linux kernel, a buffer over ...) NOT-FOR-US: Qualcomm component for Android CVE-2014-9962 (In all Android releases from CAF using the Linux kernel, a vulnerabili ...) NOT-FOR-US: Qualcomm component for Android CVE-2014-9961 (In all Android releases from CAF using the Linux kernel, a vulnerabili ...) NOT-FOR-US: Qualcomm component for Android CVE-2014-9960 (In all Android releases from CAF using the Linux kernel, a buffer over ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-7894 (WinDjView 2.1 might allow user-assisted attackers to execute code via ...) NOT-FOR-US: WinDjView CVE-2017-7893 (In SaltStack Salt before 2016.3.6, compromised salt-minions can impers ...) - salt 2016.11.5+ds-1 [stretch] - salt (Minor issue) [jessie] - salt (Vulnerable code introduced later, but older versions did not verify master anyways) NOTE: https://docs.saltstack.com/en/2017.7/topics/releases/2016.3.6.html NOTE: https://github.com/saltstack/salt/issues/48939 NOTE: https://patch-diff.githubusercontent.com/raw/saltstack/salt/pull/40159.patch NOTE: https://patch-diff.githubusercontent.com/raw/saltstack/salt/pull/40206.patch NOTE: The behaviour though was back off by default in a later commit again NOTE: cf. https://github.com/saltstack/salt/pull/40206 NOTE: The fix is the second part of the #40159 PR, but the behaviour is turned NOTE: off by default and needs considerations of admins before enabling. We still NOTE: consider the issue as fixed starting with this change. Details in NOTE: https://github.com/saltstack/salt/issues/48939#issuecomment-410777638 CVE-2017-7892 (Sandstorm Cap'n Proto before 0.5.3.1 allows remote crashes related to ...) - capnproto 0.6.1-1 (unimportant; bug #860960) NOTE: https://github.com/sandstorm-io/capnproto/blob/master/security-advisories/2017-04-17-0-apple-clang-elides-bounds-check.md NOTE: Fixed by: https://github.com/sandstorm-io/capnproto/commit/52bc956459a5e83d7c31be95763ff6399e064ae4 NOTE: So far only Apple's compiler has been shown to apply the problematic optimization, fixed in 0.5.3.1 upstream CVE-2017-7891 (sourcebans-pp (SourceBans++) 1.5.4.7 has XSS in admin.comms.php via th ...) NOT-FOR-US: SourceBans++ CVE-2017-7890 (The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c in th ...) {DSA-3938-1 DLA-1055-1} - php7.1 7.1.8-1 (unimportant) - php7.0 7.0.22-1 (unimportant) - php5 (unimportant) NOTE: PHP Bug: https://bugs.php.net/bug.php?id=74435 NOTE: Fixed in 7.1.7, 7.0.21, 5.6.31 - libgd2 2.2.5-1 (bug #869263) NOTE: https://github.com/libgd/libgd/issues/399 NOTE: https://github.com/libgd/libgd/commit/c613bc169802bb4b639ee2e15c61b25b80a88424 CVE-2017-7888 (Dolibarr ERP/CRM 4.0.4 stores passwords with the MD5 algorithm, which ...) - dolibarr 5.0.4+dfsg3-1 (bug #863544) NOTE: http://www.openwall.com/lists/oss-security/2017/05/10/6 CVE-2017-7887 (Dolibarr ERP/CRM 4.0.4 has XSS in doli/societe/list.php via the sall p ...) - dolibarr 5.0.4+dfsg3-1 (bug #863544) NOTE: http://www.openwall.com/lists/oss-security/2017/05/10/6 CVE-2017-7886 (Dolibarr ERP/CRM 4.0.4 has SQL Injection in doli/theme/eldy/style.css. ...) - dolibarr 5.0.4+dfsg3-1 (bug #863544) NOTE: http://www.openwall.com/lists/oss-security/2017/05/10/6 CVE-2017-7885 (Artifex jbig2dec 0.13 has a heap-based buffer over-read leading to den ...) {DSA-3855-1 DLA-942-1} - jbig2dec 0.13-4.1 (bug #860460) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697703 NOTE: Fixed by: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=b184e783702246e15 CVE-2017-7884 (In Adam Kropelin adk0212 APC UPS Daemon through 3.14.14, the default i ...) - apcupsd (Only APC UPS Daemon on Windows) CVE-2017-7889 (The mm subsystem in the Linux kernel through 4.10.10 does not properly ...) {DSA-3945-1 DLA-1099-1} - linux 4.9.25-1 NOTE: Fixed by: https://git.kernel.org/linus/a4866aa812518ed1a37d8ea0c881dc946409de94 (v4.11-rc7) CVE-2017-7883 RESERVED CVE-2017-7882 (LibreOffice before 2017-03-14 has an out-of-bounds write related to th ...) - libreoffice (Vulnerable code not present in any release) NOTE: Fixed by: https://github.com/LibreOffice/core/commit/65dcd1d8195069c8c8acb3a188b8e5616c51029c CVE-2017-7881 (BigTree CMS through 4.2.17 relies on a substring check for CSRF protec ...) NOT-FOR-US: BigTree CMS CVE-2017-7880 RESERVED CVE-2017-7879 (SQL Injection vulnerability in flatCore version 1.4.6 allows an attack ...) NOT-FOR-US: flatCore CVE-2017-7878 (SQL Injection vulnerability in flatCore version 1.4.6 allows an attack ...) NOT-FOR-US: flatCore CVE-2017-7877 (CSRF vulnerability in flatCore version 1.4.6 allows remote attackers t ...) NOT-FOR-US: flatCore CVE-2017-7876 (QNAP QTS before 4.2.6 build 20170517 allows command injection. ...) NOT-FOR-US: QNAP QTS CVE-2017-7875 (In wallpaper.c in feh before v2.18.3, if a malicious client pretends t ...) {DLA-2219-1 DLA-899-1} - feh 2.18-2 (low; bug #860367) NOTE: Fixed by: https://github.com/derf/feh/commit/f7a547b7ef8fc8ebdeaa4c28515c9d72e592fb6d CVE-2017-7874 REJECTED CVE-2017-7873 RESERVED CVE-2017-7872 RESERVED CVE-2017-7871 (trollepierre/tdm before 2017-04-13 is vulnerable to a reflected XSS in ...) NOT-FOR-US: trollepierre/tdm CVE-2016-1000259 REJECTED CVE-2016-1000258 REJECTED CVE-2017-7870 (LibreOffice before 2017-01-02 has an out-of-bounds write caused by a h ...) {DSA-3837-1 DLA-910-1} - libreoffice 1:5.2.5-1 NOTE: Fixed by: https://github.com/LibreOffice/core/commit/62a97e6a561ce65e88d4c537a1b82c336f012722 CVE-2017-7869 (GnuTLS before 2017-02-20 has an out-of-bounds write caused by an integ ...) - gnutls28 3.5.8-4 [jessie] - gnutls28 3.3.8-6+deb8u5 - gnutls26 [wheezy] - gnutls26 (Minor issue) NOTE: OpenPGP-related issue NOTE: https://gitlab.com/gnutls/gnutls/commit/51464af713d71802e3c6d5ac15f1a95132a354fe NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420 NOTE: https://gnutls.org/security.html#GNUTLS-SA-2017-3 CVE-2017-7868 (International Components for Unicode (ICU) for C/C++ before 2017-02-13 ...) {DSA-3830-1 DLA-947-1} - icu 57.1-6 (bug #860314) NOTE: http://bugs.icu-project.org/trac/changeset/39671 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=437 CVE-2017-7867 (International Components for Unicode (ICU) for C/C++ before 2017-02-13 ...) {DSA-3830-1 DLA-947-1} - icu 57.1-6 (bug #860314) NOTE: http://bugs.icu-project.org/trac/changeset/39671 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=213 CVE-2017-7866 (FFmpeg before 2017-01-23 has an out-of-bounds write caused by a stack- ...) - ffmpeg 7:3.2.4-1 - libav [jessie] - libav (vulnerable code not present) NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/e371f031b942d73e02c090170975561fabd5c264 CVE-2017-7865 (FFmpeg before 2017-01-24 has an out-of-bounds write caused by a heap-b ...) {DLA-1654-1} - ffmpeg 7:3.2.4-1 - libav NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/2080bc33717955a0e4268e738acf8c1eeddbf8cb CVE-2017-7864 (FreeType 2 before 2017-02-02 has an out-of-bounds write caused by a he ...) - freetype (Vulnerable code not present; CFF2 support introduced in 2.7.1, cf #860313) NOTE: Fixed by: https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=e6699596af5c5d6f0ae0ea06e19df87dce088df8 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=509 CVE-2017-7863 (FFmpeg before 2017-02-04 has an out-of-bounds write caused by a heap-b ...) {DLA-1654-1} - ffmpeg 7:3.2.4-1 - libav NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/e477f09d0b3619f3d29173b2cd593e17e2d1978e NOTE: libav in jessie only supports transparency with RGB palette, only parts of the upstream fix apply CVE-2017-7862 (FFmpeg before 2017-02-07 has an out-of-bounds write caused by a heap-b ...) {DSA-4012-1 DLA-1142-1} - ffmpeg 7:3.2.4-1 - libav NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/8c2ea3030af7b40a3c4275696fb5c76cdb80950a NOTE: Fixed in 11.11 CVE-2017-7861 (Google gRPC before 2017-02-22 has an out-of-bounds write related to th ...) - grpc 1.2.5-1+nmu0 (bug #860316) CVE-2017-7860 (Google gRPC before 2017-02-22 has an out-of-bounds write caused by a h ...) - grpc 1.2.5-1+nmu0 (bug #860316) CVE-2017-7859 (FFmpeg before 2017-03-05 has an out-of-bounds write caused by a heap-b ...) - ffmpeg (Only affected master, not present in a release) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1034183 NOTE: https://github.com/FFmpeg/FFmpeg/commit/70ebc05bce51215cd0857194d6cabf1e4d1440fb CVE-2017-7858 (FreeType 2 before 2017-03-07 has an out-of-bounds write related to the ...) - freetype (Vulnerable code introduced in 2.6.4) NOTE: Introduced after: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=813aca51d28704f7ffc470721167738fa8decb3d NOTE: Fixed by: https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=779309744222a736eba0f1731e8162fce6288d4e NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=738 CVE-2017-7857 (FreeType 2 before 2017-03-08 has an out-of-bounds write caused by a he ...) - freetype (Vulnerable code introduced in 2.6.4) NOTE: Introduced after: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=813aca51d28704f7ffc470721167738fa8decb3d NOTE: Fixed by: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=7bbb91fbf47fc0775cc9705673caf0c47a81f94b NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=759 CVE-2017-7856 (LibreOffice before 2017-03-11 has an out-of-bounds write caused by a h ...) - libreoffice (Didn't affect any released version of LibreOffice) CVE-2016-10328 (FreeType 2 before 2016-12-16 has an out-of-bounds write caused by a he ...) - freetype (Only affected head for about a day, see bug #860303) NOTE: Introduced with: https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=010e0614f2effe058855aacfc3e61c71e1cb5739 NOTE: Fixed with http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=beecf80a6deecbaf5d264d4f864451bde4fe98b8 NOTE: http://savannah.nongnu.org/bugs/?func=detailitem&item_id=49858 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=289 CVE-2016-10327 (LibreOffice before 2016-12-22 has an out-of-bounds write caused by a h ...) - libreoffice 1:5.2.5-1 [jessie] - libreoffice (Vulnerable code not present) [wheezy] - libreoffice (Vulnerable code not present) NOTE: Fixed by: https://github.com/LibreOffice/core/commit/7485fc2a1484f31631f62f97e5c64c0ae74c6416 CVE-2017-7855 (In the webmail component in IceWarp Server 11.3.1.5, there was an XSS ...) NOT-FOR-US: IceWarp CVE-2017-7854 (The consume_init_expr function in wasm.c in radare2 1.3.0 allows remot ...) - radare2 (Vulnerable code introduced later) CVE-2017-7853 (In libosip2 in GNU oSIP 4.1.0 and 5.0.0, a malformed SIP message can l ...) {DSA-3879-1 DLA-898-1} - libosip2 4.1.0-2.1 (bug #860287) NOTE: https://savannah.gnu.org/support/index.php?109265 NOTE: Fixed by: https://git.savannah.gnu.org/cgit/osip.git/commit/?id=1ae06daf3b2375c34af23083394a6f010be24a45 CVE-2017-7852 (D-Link DCS cameras have a weak/insecure CrossDomain.XML file that allo ...) NOT-FOR-US: D-Link CVE-2017-7851 (D-Link DCS-936L devices with firmware before 1.05.07 have an inadequat ...) NOT-FOR-US: D-Link CVE-2016-10326 (In libosip2 in GNU oSIP 4.1.0, a malformed SIP message can lead to a h ...) {DSA-3879-1 DLA-898-1} - libosip2 4.1.0-2.1 (bug #860287) NOTE: https://savannah.gnu.org/support/index.php?109132 NOTE: Fixed by: https://git.savannah.gnu.org/cgit/osip.git/commit/?id=b9dd097b5b24f5ee54b0a8739e59641cd51b6ead CVE-2016-10325 (In libosip2 in GNU oSIP 4.1.0, a malformed SIP message can lead to a h ...) {DSA-3879-1 DLA-898-1} - libosip2 4.1.0-2.1 (bug #860287) NOTE: https://savannah.gnu.org/support/index.php?109131 NOTE: https://git.savannah.gnu.org/cgit/osip.git/commit/?id=1d9fb1d3a71cc85ef95352e549b140c706cf8696 CVE-2016-10324 (In libosip2 in GNU oSIP 4.1.0, a malformed SIP message can lead to a h ...) {DSA-3879-1 DLA-898-1} - libosip2 4.1.0-2.1 (bug #860287) NOTE: https://savannah.gnu.org/support/index.php?109133 NOTE: https://git.savannah.gnu.org/cgit/osip.git/commit/?id=7e0793e15e21f68337e130c67b031ca38edf055f CVE-2017-7850 (Nessus 6.10.x before 6.10.5 was found to be vulnerable to a local priv ...) NOT-FOR-US: Nessus CVE-2017-7849 (Nessus 6.10.x before 6.10.5 was found to be vulnerable to a local deni ...) NOT-FOR-US: Nessus CVE-2017-7848 (RSS fields can inject new lines into the created email structure, modi ...) {DSA-4075-1 DLA-1223-1} - thunderbird 1:52.5.2-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7848 CVE-2017-7847 (Crafted CSS in an RSS feed can leak and reveal local path strings, whi ...) {DSA-4075-1 DLA-1223-1} - thunderbird 1:52.5.2-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7847 CVE-2017-7846 (It is possible to execute JavaScript in the parsed RSS feed when RSS f ...) {DSA-4075-1 DLA-1223-1} - thunderbird 1:52.5.2-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7846 CVE-2017-7845 (A buffer overflow occurs when drawing and validating elements using Di ...) - firefox (Only affects Firefox on Windows) - firefox-esr (Only affects Firefox on Windows) - thunderbird (Only affects Firefox on Windows) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-29/#CVE-2017-7845 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-28/#CVE-2017-7845 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7845 CVE-2017-7844 (A combination of an external SVG image referenced on a page and the co ...) - firefox 57.0.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-27/#CVE-2017-7844 CVE-2017-7843 (When Private Browsing mode is used, it is possible for a web worker to ...) {DSA-4062-1 DLA-1202-1} - firefox 57.0.1-1 - firefox-esr 52.5.2esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-27/#CVE-2017-7843 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-28/#CVE-2017-7843 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1410106 CVE-2017-7842 (If a document's Referrer Policy attribute is set to "no-referrer" some ...) - firefox 57.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7842 CVE-2017-7841 RESERVED CVE-2017-7840 (JavaScript can be injected into an exported bookmarks file by placing ...) - firefox 57.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7840 CVE-2017-7839 (Control characters prepended before "javascript:" URLs pasted in the a ...) - firefox 57.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7839 CVE-2017-7838 (Punycode format text will be displayed for entire qualified internatio ...) - firefox 57.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7838 CVE-2017-7837 (SVG loaded through "<img>" tags can use "<meta>" tags with ...) - firefox 57.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7837 CVE-2017-7836 (The "pingsender" executable used by the Firefox Health Report dynamica ...) - firefox 57.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7836 CVE-2017-7835 (Mixed content blocking of insecure (HTTP) sub-resources in a secure (H ...) - firefox 57.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7835 CVE-2017-7834 (A "data:" URL loaded in a new tab did not inherit the Content Security ...) - firefox 57.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7834 CVE-2017-7833 (Some Arabic and Indic vowel marker characters can be combined with Lat ...) - firefox 57.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7833 CVE-2017-7832 (The combined, single character, version of the letter 'i' with any of ...) - firefox 57.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7832 CVE-2017-7831 (A vulnerability where the security wrapper does not deny access to som ...) - firefox 57.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7831 CVE-2017-7830 (The Resource Timing API incorrectly revealed navigations in cross-orig ...) {DSA-4075-1 DSA-4061-1 DSA-4035-1 DLA-1199-1 DLA-1172-1} - firefox 57.0-1 - firefox-esr 52.5.0esr-1 - thunderbird 1:52.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7830 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-25/#CVE-2017-7830 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-26/#CVE-2017-7830 CVE-2017-7829 (It is possible to spoof the sender's email address and display an arbi ...) {DSA-4075-1 DLA-1223-1} - thunderbird 1:52.5.2-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7829 CVE-2017-7828 (A use-after-free vulnerability can occur when flushing and resizing la ...) {DSA-4075-1 DSA-4061-1 DSA-4035-1 DLA-1199-1 DLA-1172-1} - firefox 57.0-1 - firefox-esr 52.5.0esr-1 - thunderbird 1:52.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7828 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-25/#CVE-2017-7828 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-26/#CVE-2017-7828 CVE-2017-7827 (Memory safety bugs were reported in Firefox 56. Some of these bugs sho ...) - firefox 57.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7827 CVE-2017-7826 (Memory safety bugs were reported in Firefox 56 and Firefox ESR 52.4. S ...) {DSA-4075-1 DSA-4061-1 DSA-4035-1 DLA-1199-1 DLA-1172-1} - firefox 57.0-1 - firefox-esr 52.5.0esr-1 - thunderbird 1:52.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7826 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-25/#CVE-2017-7826 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-26/#CVE-2017-7826 CVE-2017-7825 (Several fonts on OS X display some Tibetan and Arabic characters as wh ...) - firefox (Only affects Firefox on OS X) - firefox-esr (Only affects Firefox on OS X) - icedove (Only affects Thunderbird on OS X) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7825 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/#CVE-2017-7825 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-23/#CVE-2017-7825 CVE-2017-7824 (A buffer overflow occurs when drawing and validating elements with the ...) {DSA-4014-1 DSA-3987-1 DLA-1153-1 DLA-1118-1} - firefox 56.0-1 - firefox-esr 52.4.0esr-2 - thunderbird 1:52.4.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7824 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/#CVE-2017-7824 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-23/#CVE-2017-7824 CVE-2017-7823 (The content security policy (CSP) "sandbox" directive did not create a ...) {DSA-4014-1 DSA-3987-1 DLA-1153-1 DLA-1118-1} - firefox 56.0-1 - firefox-esr 52.4.0esr-2 - thunderbird 1:52.4.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7823 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/#CVE-2017-7823 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-23/#CVE-2017-7823 CVE-2017-7822 (The AES-GCM implementation in WebCrypto API accepts 0-length IV when i ...) - firefox 56.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7822 CVE-2017-7821 (A vulnerability where WebExtensions can download and attempt to open a ...) - firefox 56.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7821 CVE-2017-7820 (The "instanceof" operator can bypass the Xray wrapper mechanism. When ...) - firefox 56.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7820 CVE-2017-7819 (A use-after-free vulnerability can occur in design mode when image obj ...) {DSA-4014-1 DSA-3987-1 DLA-1153-1 DLA-1118-1} - firefox 56.0-1 - firefox-esr 52.4.0esr-2 - thunderbird 1:52.4.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7819 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/#CVE-2017-7819 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-23/#CVE-2017-7819 CVE-2017-7818 (A use-after-free vulnerability can occur when manipulating arrays of A ...) {DSA-4014-1 DSA-3987-1 DLA-1153-1 DLA-1118-1} - firefox 56.0-1 - firefox-esr 52.4.0esr-2 - thunderbird 1:52.4.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7818 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/#CVE-2017-7818 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-23/#CVE-2017-7818 CVE-2017-7817 (A spoofing vulnerability can occur when a page switches to fullscreen ...) - firefox (Only affects Firefox on Android) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7817 CVE-2017-7816 (WebExtensions could use popups and panels in the extension UI to load ...) - firefox 56.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7816 CVE-2017-7815 (On pages containing an iframe, the "data:" protocol can be used to cre ...) - firefox 56.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7815 CVE-2017-7814 (File downloads encoded with "blob:" and "data:" URL elements bypassed ...) {DSA-4014-1 DSA-3987-1 DLA-1153-1 DLA-1118-1} - firefox 56.0-1 - firefox-esr 52.4.0esr-2 - thunderbird 1:52.4.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7814 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/#CVE-2017-7814 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-23/#CVE-2017-7814 CVE-2017-7813 (Inside the JavaScript parser, a cast of an integer to a narrower type ...) - firefox 56.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7813 CVE-2017-7812 (If web content on a page is dragged onto portions of the browser UI, s ...) - firefox 56.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7812 CVE-2017-7811 (Memory safety bugs were reported in Firefox 55. Some of these bugs sho ...) - firefox 56.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7811 CVE-2017-7810 (Memory safety bugs were reported in Firefox 55 and Firefox ESR 52.3. S ...) {DSA-4014-1 DSA-3987-1 DLA-1153-1 DLA-1118-1} - firefox 56.0-1 - firefox-esr 52.4.0esr-2 - thunderbird 1:52.4.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7810 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/#CVE-2017-7810 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-23/#CVE-2017-7810 CVE-2017-7809 (A use-after-free vulnerability can occur when an editor DOM node is de ...) {DSA-3968-1 DSA-3928-1 DLA-1087-1 DLA-1053-1} - firefox 55.0-1 - firefox-esr 52.3.0esr-1 - icedove 1:52.3.0-1 (bug #872834) CVE-2017-7808 (A content security policy (CSP) "frame-ancestors" directive containing ...) - firefox 55.0-1 CVE-2017-7807 (A mechanism that uses AppCache to hijack a URL in a domain using fallb ...) {DSA-3968-1 DSA-3928-1 DLA-1087-1 DLA-1053-1} - firefox 55.0-1 - firefox-esr 52.3.0esr-1 - icedove 1:52.3.0-1 (bug #872834) CVE-2017-7806 (A use-after-free vulnerability can occur when the layer manager is fre ...) - firefox 55.0-1 CVE-2017-7805 (During TLS 1.2 exchanges, handshake hashes are generated which point t ...) {DSA-4014-1 DSA-3998-1 DSA-3987-1 DLA-1153-1 DLA-1138-1 DLA-1118-1} - firefox 56.0-1 - firefox-esr 52.4.0esr-2 - thunderbird 1:52.4.0-1 - nss 2:3.33-1 NOTE: https://hg.mozilla.org/projects/nss/rev/839200ce0943166a079284bdf45dcc37bb672925 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1377618 (not public) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7805 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/#CVE-2017-7805 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-23/#CVE-2017-7805 CVE-2017-7804 (The destructor function for the "WindowsDllDetourPatcher" class can be ...) - firefox (Windows-specific) - firefox-esr (Windows-specific) - icedove (Windows-specific) CVE-2017-7803 (When a page's content security policy (CSP) header contains a "sandbox ...) {DSA-3968-1 DSA-3928-1 DLA-1087-1 DLA-1053-1} - firefox 55.0-1 - firefox-esr 52.3.0esr-1 - icedove 1:52.3.0-1 (bug #872834) CVE-2017-7802 (A use-after-free vulnerability can occur when manipulating the DOM dur ...) {DSA-3968-1 DSA-3928-1 DLA-1087-1 DLA-1053-1} - firefox 55.0-1 - firefox-esr 52.3.0esr-1 - icedove 1:52.3.0-1 (bug #872834) CVE-2017-7801 (A use-after-free vulnerability can occur while re-computing layout for ...) {DSA-3968-1 DSA-3928-1 DLA-1087-1 DLA-1053-1} - firefox 55.0-1 - firefox-esr 52.3.0esr-1 - icedove 1:52.3.0-1 (bug #872834) CVE-2017-7800 (A use-after-free vulnerability can occur in WebSockets when the object ...) {DSA-3968-1 DSA-3928-1 DLA-1087-1 DLA-1053-1} - firefox 55.0-1 - firefox-esr 52.3.0esr-1 - icedove 1:52.3.0-1 (bug #872834) CVE-2017-7799 (JavaScript in the "about:webrtc" page is not sanitized properly being ...) - firefox 55.0-1 CVE-2017-7798 (The Developer Tools feature suffers from a XUL injection vulnerability ...) {DSA-3928-1 DLA-1053-1} - firefox 55.0-1 - firefox-esr 52.3.0esr-1 CVE-2017-7797 (Response header name interning does not have same-origin protections a ...) - firefox 55.0-1 CVE-2017-7796 (On Windows systems, the logger run by the Windows updater deletes the ...) - firefox (Windows-specific) CVE-2017-7795 RESERVED CVE-2017-7794 (On Linux systems, if the content process is compromised, the sandbox b ...) - firefox 55.0-1 CVE-2017-7793 (A use-after-free vulnerability can occur in the Fetch API when the wor ...) {DSA-4014-1 DSA-3987-1 DLA-1153-1 DLA-1118-1} - firefox 56.0-1 - firefox-esr 52.4.0esr-2 - thunderbird 1:52.4.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7793 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/#CVE-2017-7793 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-23/#CVE-2017-7793 CVE-2017-7792 (A buffer overflow will occur when viewing a certificate in the certifi ...) {DSA-3968-1 DSA-3928-1 DLA-1087-1 DLA-1053-1} - firefox 55.0-1 - firefox-esr 52.3.0esr-1 - icedove 1:52.3.0-1 (bug #872834) CVE-2017-7791 (On pages containing an iframe, the "data:" protocol can be used to cre ...) {DSA-3968-1 DSA-3928-1 DLA-1087-1 DLA-1053-1} - firefox 55.0-1 - firefox-esr 52.3.0esr-1 - icedove 1:52.3.0-1 (bug #872834) CVE-2017-7790 (On Windows systems, if non-null-terminated strings are copied into the ...) - firefox (Windows-specific) CVE-2017-7789 (If a server sends two Strict-Transport-Security (STS) headers for a si ...) - firefox 55.0-1 (low) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1074642 CVE-2017-7788 (When an "iframe" has a "sandbox" attribute and its content is specifie ...) - firefox 55.0-1 CVE-2017-7787 (Same-origin policy protections can be bypassed on pages with embedded ...) {DSA-3968-1 DSA-3928-1 DLA-1087-1 DLA-1053-1} - firefox 55.0-1 - firefox-esr 52.3.0esr-1 - icedove 1:52.3.0-1 (bug #872834) CVE-2017-7786 (A buffer overflow can occur when the image renderer attempts to paint ...) {DSA-3968-1 DSA-3928-1 DLA-1087-1 DLA-1053-1} - firefox 55.0-1 - firefox-esr 52.3.0esr-1 - icedove 1:52.3.0-1 (bug #872834) CVE-2017-7785 (A buffer overflow can occur when manipulating Accessible Rich Internet ...) {DSA-3968-1 DSA-3928-1 DLA-1087-1 DLA-1053-1} - firefox 55.0-1 - firefox-esr 52.3.0esr-1 - icedove 1:52.3.0-1 (bug #872834) CVE-2017-7784 (A use-after-free vulnerability can occur when reading an image observe ...) {DSA-3968-1 DSA-3928-1 DLA-1087-1 DLA-1053-1} - firefox 55.0-1 - firefox-esr 52.3.0esr-1 - icedove 1:52.3.0-1 (bug #872834) CVE-2017-7783 (If a long user name is used in a username/password combination in a si ...) - firefox 55.0-1 CVE-2017-7782 (An error in the "WindowsDllDetourPatcher" where a RWX ("Read/Write/Exe ...) - firefox (Windows-specific) - firefox-esr (Windows-specific) - icedove (Windows-specific) CVE-2017-7781 (An error occurs in the elliptic curve point addition algorithm that us ...) - firefox 55.0-1 CVE-2017-7780 (Memory safety bugs were reported in Firefox 54. Some of these bugs sho ...) - firefox 55.0-1 CVE-2017-7779 (Memory safety bugs were reported in Firefox 54, Firefox ESR 52.2, and ...) {DSA-3968-1 DSA-3928-1 DLA-1087-1 DLA-1053-1} - firefox 55.0-1 - firefox-esr 52.3.0esr-1 - icedove 1:52.3.0-1 (bug #872834) CVE-2017-7778 (A number of security vulnerabilities in the Graphite 2 library includi ...) {DSA-3918-1 DSA-3894-1 DSA-3881-1 DLA-1013-1 DLA-1007-1 DLA-991-1} - graphite2 1.3.10-1 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1349310 - firefox 54.0-1 - firefox-esr 52.2.0esr-1 - icedove 1:52.2.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7778 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7778 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7778 CVE-2017-7777 (Use of uninitialized memory in Graphite2 library in Firefox before 54 ...) {DSA-3918-1 DSA-3894-1 DSA-3881-1 DLA-1013-1 DLA-1007-1 DLA-991-1} - graphite2 1.3.10-1 - firefox 54.0-1 - firefox-esr 52.2.0esr-1 - icedove 1:52.2.0-1 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1349310 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1358551 CVE-2017-7776 (Heap-based Buffer Overflow read in Graphite2 library in Firefox before ...) {DSA-3918-1 DSA-3894-1 DSA-3881-1 DLA-1013-1 DLA-1007-1 DLA-991-1} - graphite2 1.3.10-1 - firefox 54.0-1 - firefox-esr 52.2.0esr-1 - icedove 1:52.2.0-1 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1356607 CVE-2017-7775 REJECTED CVE-2017-7774 (Out-of-bounds read in Graphite2 Library in Firefox before 54 in graphi ...) {DSA-3918-1 DSA-3894-1 DSA-3881-1 DLA-1013-1 DLA-1007-1 DLA-991-1} - graphite2 1.3.10-1 - firefox 54.0-1 - firefox-esr 52.2.0esr-1 - icedove 1:52.2.0-1 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1355174 CVE-2017-7773 (Heap-based Buffer Overflow write in Graphite2 library in Firefox befor ...) {DSA-3918-1 DSA-3894-1 DSA-3881-1 DLA-1013-1 DLA-1007-1 DLA-991-1} - graphite2 1.3.10-1 - firefox 54.0-1 - firefox-esr 52.2.0esr-1 - icedove 1:52.2.0-1 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1352747 CVE-2017-7772 (Heap-based Buffer Overflow in Graphite2 library in Firefox before 54 i ...) {DSA-3918-1 DSA-3894-1 DSA-3881-1 DLA-1013-1 DLA-1007-1 DLA-991-1} - graphite2 1.3.10-1 - firefox 54.0-1 - firefox-esr 52.2.0esr-1 - icedove 1:52.2.0-1 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1352745 CVE-2017-7771 (Out-of-bounds read in Graphite2 Library in Firefox before 54 in graphi ...) {DSA-3918-1 DSA-3894-1 DSA-3881-1 DLA-1013-1 DLA-1007-1 DLA-991-1} - graphite2 1.3.10-1 - firefox 54.0-1 - firefox-esr 52.2.0esr-1 - icedove 1:52.2.0-1 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1350047 CVE-2017-7770 (A mechanism where when a new tab is loaded through JavaScript events, ...) - firefox (Only Firefox on Android) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7770 CVE-2017-7769 RESERVED CVE-2017-7768 (The Mozilla Maintenance Service can be invoked by an unprivileged user ...) - firefox (Only Firefox on Windows) - firefox-esr (Only Firefox ESR on Windows) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7768 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7768 CVE-2017-7767 (The Mozilla Maintenance Service can be invoked by an unprivileged user ...) - firefox (Only Firefox on Windows) - firefox-esr (Only Firefox ESR on Windows) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7767 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7767 CVE-2017-7766 (An attack using manipulation of "updater.ini" contents, used by the Mo ...) - firefox (Only Firefox on Windows) - firefox-esr (Only Firefox ESR on Windows) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7766 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7766 CVE-2017-7765 (The "Mark of the Web" was not correctly saved on Windows when files wi ...) - firefox (Only Firefox on Windows) - firefox-esr (Only Firefox ESR on Windows) - icedove (Only Thunderbird on Windows) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7765 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7765 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7765 CVE-2017-7764 (Characters from the "Canadian Syllabics" unicode block can be mixed wi ...) {DSA-3918-1 DSA-3881-1 DLA-1007-1 DLA-991-1} - firefox 54.0-1 - firefox-esr 52.2.0esr-1 - icedove 1:52.2.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7764 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7764 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7764 CVE-2017-7763 (Default fonts on OS X display some Tibetan characters as whitespace. W ...) - firefox (Only firefox on Mac OS X) - firefox-esr (Only Firefox ESR on Mac OS X) - icedove (Only Thunderbird on Mac OS X) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7763 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7763 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7763 CVE-2017-7762 (When entered directly, Reader Mode did not strip the username and pass ...) - firefox 54.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7762 CVE-2017-7761 (The Mozilla Maintenance Service "helper.exe" application creates a tem ...) - firefox (Only Firefox on Windows) - firefox-esr (Only Firefox ESR on Windows) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7761 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7761 CVE-2017-7760 (The Mozilla Windows updater modifies some files to be updated by readi ...) - firefox (Only Firefox on Windows) - firefox-esr (Only Firefox ESR on Windows) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7760 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7760 CVE-2017-7759 (Android intent URLs given to Firefox for Android can be used to naviga ...) - firefox (Only Firefox on Android) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7759 CVE-2017-7758 (An out-of-bounds read vulnerability with the Opus encoder when the num ...) {DSA-3918-1 DSA-3881-1 DLA-1007-1 DLA-991-1} - firefox 54.0-1 - firefox-esr 52.2.0esr-1 - icedove 1:52.2.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7758 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7758 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7758 CVE-2017-7757 (A use-after-free vulnerability in IndexedDB when one of its objects is ...) {DSA-3918-1 DSA-3881-1 DLA-1007-1 DLA-991-1} - firefox 54.0-1 - firefox-esr 52.2.0esr-1 - icedove 1:52.2.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7757 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7757 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7757 CVE-2017-7756 (A use-after-free and use-after-scope vulnerability when logging errors ...) {DSA-3918-1 DSA-3881-1 DLA-1007-1 DLA-991-1} - firefox 54.0-1 - firefox-esr 52.2.0esr-1 - icedove 1:52.2.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7756 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7756 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7756 CVE-2017-7755 (The Firefox installer on Windows can be made to load malicious DLL fil ...) - firefox (Only Firefox on Windows) - firefox-esr (Only Firefox ESR on Windows) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7755 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7755 CVE-2017-7754 (An out-of-bounds read in WebGL with a maliciously crafted "ImageInfo" ...) {DSA-3918-1 DSA-3881-1 DLA-1007-1 DLA-991-1} - firefox 54.0-1 - firefox-esr 52.2.0esr-1 - icedove 1:52.2.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7754 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7754 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7754 CVE-2017-7753 (An out-of-bounds read occurs when applying style rules to pseudo-eleme ...) {DSA-3968-1 DSA-3928-1 DLA-1087-1 DLA-1053-1} - firefox 55.0-1 - firefox-esr 52.3.0esr-1 - icedove 1:52.3.0-1 (bug #872834) CVE-2017-7752 (A use-after-free vulnerability during specific user interactions with ...) {DSA-3918-1 DSA-3881-1 DLA-1007-1 DLA-991-1} - firefox 54.0-1 - firefox-esr 52.2.0esr-1 - icedove 1:52.2.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7752 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7752 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7752 CVE-2017-7751 (A use-after-free vulnerability with content viewer listeners that resu ...) {DSA-3918-1 DSA-3881-1 DLA-1007-1 DLA-991-1} - firefox 54.0-1 - firefox-esr 52.2.0esr-1 - icedove 1:52.2.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7751 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7751 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7751 CVE-2017-7750 (A use-after-free vulnerability during video control operations when a ...) {DSA-3918-1 DSA-3881-1 DLA-1007-1 DLA-991-1} - firefox 54.0-1 - firefox-esr 52.2.0esr-1 - icedove 1:52.2.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7750 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7750 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7750 CVE-2017-7749 (A use-after-free vulnerability when using an incorrect URL during the ...) {DSA-3918-1 DSA-3881-1 DLA-1007-1 DLA-991-1} - firefox 54.0-1 - firefox-esr 52.2.0esr-1 - icedove 1:52.2.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7749 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7749 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7749 CVE-2017-7748 (In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the WSP dissector cou ...) - wireshark 2.2.6+g32dac6a-1 (low) [jessie] - wireshark (Vulnerable code introduced later) [wheezy] - wireshark (Vulnerable code introduced later) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-21.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f55cbcde2c8f74b652add4450b0592082eb6acff NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13581 CVE-2017-7747 (In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the PacketBB dissecto ...) {DLA-1634-1} - wireshark 2.2.6+g32dac6a-1 [wheezy] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-18.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=5cfd52d6629cf8a7ab67c6bacd3431a964f43584 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13559 CVE-2017-7746 (In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the SLSK dissector co ...) {DLA-1634-1} - wireshark 2.2.6+g32dac6a-1 (low) [wheezy] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-19.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=58e69cc769dea24b721abd8a29f9eedc11024b7e NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13576 CVE-2017-7745 (In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the SIGCOMP dissector ...) - wireshark 2.2.6+g32dac6a-1 [jessie] - wireshark (Vulnerable code not present) [wheezy] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-20.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=acd8e1a9b17ad274bea1e01e10e4481508a1cbf0 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13578 CVE-2017-7744 RESERVED CVE-2017-7743 RESERVED CVE-2017-7742 (In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" func ...) {DLA-928-1} - libsndfile 1.0.27-3 (bug #860255) [jessie] - libsndfile (Minor issue) NOTE: Fixed by: https://github.com/erikd/libsndfile/commit/60b234301adf258786d8b90be5c1d437fc8799e0 NOTE: https://blogs.gentoo.org/ago/2017/04/11/libsndfile-invalid-memory-read-and-invalid-memory-write-in/ CVE-2017-7741 (In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" func ...) {DLA-928-1} - libsndfile 1.0.27-2 [jessie] - libsndfile (Minor issue) NOTE: Fixed by: https://github.com/erikd/libsndfile/commit/60b234301adf258786d8b90be5c1d437fc8799e0 NOTE: https://blogs.gentoo.org/ago/2017/04/11/libsndfile-invalid-memory-read-and-invalid-memory-write-in/ NOTE: 1.0.27-2 in unstable contain fix_bufferoverflows.patch meant to address this issue NOTE: https://sources.debian.org/data/main/libs/libsndfile/1.0.27-2/debian/patches/fix_bufferoverflows.patch CVE-2017-7740 RESERVED CVE-2017-7739 (A reflected Cross-site Scripting (XSS) vulnerability in web proxy disc ...) NOT-FOR-US: Fortinet FortiOS CVE-2017-7738 (An Information Disclosure vulnerability in Fortinet FortiOS 5.6.0 to 5 ...) NOT-FOR-US: Fortinet FortiOS CVE-2017-7737 (An information disclosure vulnerability in Fortinet FortiWeb 5.8.2 and ...) NOT-FOR-US: Fortinet CVE-2017-7736 (A stored Cross-site Scripting (XSS) vulnerability in Fortinet FortiWeb ...) NOT-FOR-US: Fortinet CVE-2017-7735 (A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.2. ...) NOT-FOR-US: Fortinet FortiOS CVE-2017-7734 (A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.4. ...) NOT-FOR-US: Fortinet FortiOS CVE-2017-7733 (A Cross-Site-Scripting (XSS) vulnerability in Fortinet FortiOS 5.4.0 t ...) NOT-FOR-US: Fortinet CVE-2017-7732 (A reflected Cross-Site Scripting (XSS) vulnerability in Fortinet Forti ...) NOT-FOR-US: Fortinet CVE-2017-7731 (A weak password recovery vulnerability in Fortinet FortiPortal version ...) NOT-FOR-US: Fortinet FortiPortal CVE-2017-7730 (iSmartAlarm cube devices allow Denial of Service. Sending a SYN flood ...) NOT-FOR-US: iSmartAlarm CVE-2017-7729 (On iSmartAlarm cube devices, there is Incorrect Access Control because ...) NOT-FOR-US: iSmartAlarm CVE-2017-7728 (On iSmartAlarm cube devices, there is authentication bypass leading to ...) NOT-FOR-US: iSmartAlarm CVE-2017-7727 REJECTED CVE-2017-7726 (iSmartAlarm cube devices have an SSL Certificate Validation Vulnerabil ...) NOT-FOR-US: iSmartAlarm CVE-2017-7725 (concrete5 8.1.0 places incorrect trust in the HTTP Host header during ...) NOT-FOR-US: concrete5 CVE-2017-7724 RESERVED CVE-2017-7723 (XSS exists in Easy WP SMTP (before 1.2.5), a WordPress Plugin, via the ...) NOT-FOR-US: Easy WP SMTP WordPress plugin CVE-2017-7722 (In SolarWinds Log & Event Manager (LEM) before 6.3.1 Hotfix 4, a m ...) NOT-FOR-US: SolarWinds CVE-2017-7721 (IrfanView version 4.44 (32bit) with FPX Plugin before 4.45 has an Acce ...) NOT-FOR-US: IrfanView CVE-2017-7720 (Buffer overflow in PrivateTunnel 2.7 and 2.8 allows local attackers to ...) NOT-FOR-US: PrivateTunnel CVE-2017-7719 (SQL injection in the Spider Event Calendar (aka spider-event-calendar) ...) NOT-FOR-US: Spider Event Calendar CVE-2017-7718 (hw/display/cirrus_vga_rop.h in QEMU (aka Quick Emulator) allows local ...) {DLA-1497-1 DLA-1035-1 DLA-939-1} - qemu 1:2.8+dfsg-4 - qemu-kvm NOTE: http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=215902d7b6fb50c6fc216fc74f770858278ed904 NOTE: http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=3328c14e63f08fb07e8c6dec779c9d365e9e9864 (v2.8.1) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1443441 CVE-2017-7717 (SQL injection vulnerability in the getUserUddiElements method in the E ...) NOT-FOR-US: SAP CVE-2017-7716 (The read_u32_leb128 function in libr/util/uleb128.c in radare2 1.3.0 a ...) - radare2 (Vulnerable code introduced later) NOTE: https://github.com/radare/radare2/issues/7260 CVE-2017-7715 RESERVED CVE-2017-7714 RESERVED CVE-2017-7713 RESERVED CVE-2017-7712 RESERVED CVE-2017-7711 RESERVED CVE-2017-7710 RESERVED CVE-2017-7709 RESERVED CVE-2017-7708 RESERVED CVE-2017-7707 RESERVED CVE-2017-7706 RESERVED CVE-2017-7705 (In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the RPC over RDMA dis ...) - wireshark 2.2.6+g32dac6a-1 [jessie] - wireshark (Vulnerable code not present) [wheezy] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-15.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13558 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=08d392bbecc8fb666bf979e70a34536007b83ea2 CVE-2017-7704 (In Wireshark 2.2.0 to 2.2.5, the DOF dissector could go into an infini ...) - wireshark 2.2.6+g32dac6a-1 [jessie] - wireshark (Vulnerable code not present) [wheezy] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-17.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13453 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=6032b0fe5fc1176ab77e03e20765f95fbd21b19e NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=da53a90b6895e47e03c5de05edf84bd99d535fd8 CVE-2017-7703 (In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the IMAP dissector co ...) {DLA-1634-1} - wireshark 2.2.6+g32dac6a-1 (low) [wheezy] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-12.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13466 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=671e32820ab29d41d712cc8a472eab9b672684d9 CVE-2017-7702 (In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the WBXML dissector c ...) - wireshark 2.2.6+g32dac6a-1 (low) [jessie] - wireshark (Minor issue) [wheezy] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-13.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13477 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2f322f66cbcca2fefdaa630494f9d6c97eb659b7 NOTE: When for older releases fixing this entry, make sure to fix apply the NOTE: complete patch including https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2f322f66cbcca2fefdaa630494f9d6c97eb659b7 NOTE: to not open CVE-2017-11410. CVE-2017-7701 (In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the BGP dissector cou ...) - wireshark 2.2.6+g32dac6a-1 [jessie] - wireshark (Vulnerable code not present) [wheezy] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-16.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13557 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=fa31f69b407436d0946f84baa0acdcc50962bf7a CVE-2017-7700 (In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the NetScaler file pa ...) {DLA-1634-1 DLA-858-1} - wireshark 2.2.6+g32dac6a-1 (low) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-14.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13478 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=8fc0af859de4993951a915ad735be350221f3f53 CVE-2017-7699 RESERVED CVE-2017-7698 (A Use After Free in the pdf2swf part of swftools 0.9.2 and earlier all ...) - swftools 0.9.2+ds1-2 NOTE: https://github.com/matthiaskramm/swftools/pull/19 NOTE: Vulnerable code removed with the 0.9.2+dfs1-2 upload CVE-2017-7697 (In libsamplerate before 0.1.9, a buffer over-read occurs in the calc_o ...) - libsamplerate 0.1.9-1 (bug #860159) [stretch] - libsamplerate (Minor issue) [jessie] - libsamplerate (Minor issue) [wheezy] - libsamplerate (Minor issue) NOTE: https://github.com/erikd/libsamplerate/issues/11 NOTE: https://blogs.gentoo.org/ago/2017/04/11/libsamplerate-global-buffer-overflow-in-calc_output_single-src_sinc-c/ NOTE: Fixed by: https://github.com/erikd/libsamplerate/commit/c3b66186656de44da18b7058aec099dbe782dd0b CVE-2017-7696 (SAP AS JAVA SSO Authentication Library 2.0 through 3.0 allow remote at ...) NOT-FOR-US: SAP CVE-2017-7695 (Unrestricted File Upload exists in BigTree CMS before 4.2.17: if an at ...) NOT-FOR-US: BigTree CMS CVE-2017-7694 (Remote Code Execution vulnerability in symphony/content/content.bluepr ...) NOT-FOR-US: Symphony CMS CVE-2017-7693 (Directory traversal vulnerability in viewer_script.jsp in Riverbed OPN ...) NOT-FOR-US: Riverbed OPNET App Response Xpert (ARX) CVE-2017-7692 (SquirrelMail 1.4.22 (and other versions before 20170427_0200-SVN) allo ...) {DSA-3852-1 DLA-941-1} - squirrelmail NOTE: http://www.openwall.com/lists/oss-security/2017/04/19/6 NOTE: https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html CVE-2017-7691 (A code injection vulnerability exists in SAP TREX / Business Warehouse ...) NOT-FOR-US: SAP TREX CVE-2017-7690 (Proxifier for Mac before 2.19.2, when first run, allows local users to ...) NOT-FOR-US: Proxifier for Mac CVE-2017-7689 (A Command Injection vulnerability in Schneider Electric homeLYnk Contr ...) NOT-FOR-US: Schneider Electric CVE-2017-7688 (Apache OpenMeetings 1.0.0 updates user password in insecure manner. ...) NOT-FOR-US: Apache OpenMeetings CVE-2017-7687 (When handling a decoding failure for a malformed URL path of an HTTP r ...) - apache-mesos (bug #760315) CVE-2017-7686 (Apache Ignite 1.0.0-RC3 to 2.0 uses an update notifier component to up ...) NOT-FOR-US: Apache Ignite CVE-2017-7685 (Apache OpenMeetings 1.0.0 responds to the following insecure HTTP meth ...) NOT-FOR-US: Apache OpenMeetings CVE-2017-7684 (Apache OpenMeetings 1.0.0 doesn't check contents of files being upload ...) NOT-FOR-US: Apache OpenMeetings CVE-2017-7683 (Apache OpenMeetings 1.0.0 displays Tomcat version and detailed error s ...) NOT-FOR-US: Apache OpenMeetings CVE-2017-7682 (Apache OpenMeetings 3.2.0 is vulnerable to parameter manipulation atta ...) NOT-FOR-US: Apache OpenMeetings CVE-2017-7681 (Apache OpenMeetings 1.0.0 is vulnerable to SQL injection. This allows ...) NOT-FOR-US: Apache OpenMeetings CVE-2017-7680 (Apache OpenMeetings 1.0.0 has an overly permissive crossdomain.xml fil ...) NOT-FOR-US: Apache OpenMeetings CVE-2017-7679 (In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime ...) {DSA-3896-1 DLA-1009-1} - apache2 2.4.25-4 CVE-2017-7678 (In Apache Spark before 2.2.0, it is possible for an attacker to take a ...) - apache-spark (bug #802194) CVE-2017-7677 (In environments that use external location for hive tables, Hive Autho ...) NOT-FOR-US: Apache Ranger CVE-2017-7676 (Policy resource matcher in Apache Ranger before 0.7.1 ignores characte ...) NOT-FOR-US: Apache Ranger CVE-2017-7675 (The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8 ...) - tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.5.16-1 [stretch] - tomcat8 8.5.14-1+deb9u2 [jessie] - tomcat8 (Only affects 8.5.0 to 8.5.15) - tomcat7 (Only affects Tomcat 8.5.x and 9.x series; vulnerable code not present) - tomcat6 (Only affects Tomcat 8.5.x and 9.x series; vulnerable code not present) NOTE: Fixed by: http://svn.apache.org/r1796091 (8.5.x) NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=61120 CVE-2017-7674 (The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.1 ...) {DSA-3974-1 DLA-1400-1} - tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.5.16-1 - tomcat7 7.0.72-3 [wheezy] - tomcat7 (Vulnerable code not present) NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API NOTE: Fixed by: http://svn.apache.org/r1795814 (8.5.x) NOTE: Fixed by: http://svn.apache.org/r1795815 (8.0.x) NOTE: Fixed by: http://svn.apache.org/r1795816 (7.0.x) NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=61101 CVE-2017-7673 (Apache OpenMeetings 1.0.0 uses not very strong cryptographic storage, ...) NOT-FOR-US: Apache OpenMeetings CVE-2017-7672 (If an application allows enter an URL in a form field and built-in URL ...) - libstruts1.2-java (Vulnerable code not present) NOTE: Issue is specific to Struts 2.x. CVE-2017-7671 (There is a DOS attack vulnerability in Apache Traffic Server (ATS) 5.2 ...) {DSA-4128-1} - trafficserver 7.1.2+ds-1 [wheezy] - trafficserver (Vulnerable code not present) NOTE: https://github.com/apache/trafficserver/pull/1941 CVE-2017-7670 (The Traffic Router component of the incubating Apache Traffic Control ...) NOT-FOR-US: Apache Traffic Control CVE-2017-7669 (In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxConta ...) - hadoop (bug #793644) CVE-2017-7668 (The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.2 ...) {DSA-3896-1 DLA-1009-1} - apache2 2.4.25-4 CVE-2017-7667 (Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the re ...) NOT-FOR-US: Apache NiFi CVE-2017-7666 (Apache OpenMeetings 1.0.0 is vulnerable to Cross-Site Request Forgery ...) NOT-FOR-US: Apache OpenMeetings CVE-2017-7665 (In Apache NiFi before 0.7.4 and 1.x before 1.3.0, there are certain us ...) NOT-FOR-US: Apache NiFi CVE-2017-7664 (Uploaded XML documents were not correctly validated in Apache OpenMeet ...) NOT-FOR-US: Apache OpenMeetings CVE-2017-7663 (Both global and Room chat are vulnerable to XSS attack in Apache OpenM ...) NOT-FOR-US: Apache OpenMeetings CVE-2017-7662 (Apache CXF Fediz ships with an OpenId Connect (OIDC) service which has ...) NOT-FOR-US: Apache CXF CVE-2017-7661 (Apache CXF Fediz ships with a number of container-specific plugins to ...) NOT-FOR-US: Apache CXF CVE-2017-7660 (Apache Solr uses a PKI based mechanism to secure inter-node communicat ...) - lucene-solr (Vulnerable code introduced later) NOTE: https://issues.apache.org/jira/browse/SOLR-10624 NOTE: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/2f5ecbcf CVE-2017-7659 (A maliciously constructed HTTP/2 request could cause mod_http2 in Apac ...) - apache2 2.4.25-4 [stretch] - apache2 2.4.25-3+deb9u1 [jessie] - apache2 (Vulnerable code not present) [wheezy] - apache2 (Vulnerable code not present) NOTE: HTTP/2 support introduced in 2.4.17 NOTE: http://www.openwall.com/lists/oss-security/2017/06/19/5 CVE-2017-7658 (In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP ...) {DSA-4278-1} - jetty [jessie] - jetty (very hard to exploit, complex patch) - jetty8 [jessie] - jetty8 (very hard to exploit, complex patch) - jetty9 9.2.25-1 (low; bug #902953) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669 NOTE: https://github.com/eclipse/jetty.project/commit/a285deea NOTE: Exploit very unlikely, needs a very particular intermediary behaviour. CVE-2017-7657 (In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations) ...) {DSA-4278-1} - jetty [jessie] - jetty (very hard to exploit, complex patch) - jetty8 [jessie] - jetty8 (very hard to exploit, complex patch) - jetty9 9.2.25-1 (low; bug #902953) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668 NOTE: https://github.com/eclipse/jetty.project/commit/a285deea CVE-2017-7656 (In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations) ...) {DSA-4278-1} - jetty [jessie] - jetty (very hard to exploit, complex patch) - jetty8 [jessie] - jetty8 (very hard to exploit, complex patch) - jetty9 9.2.25-1 (low; bug #902953) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667 NOTE: https://github.com/eclipse/jetty.project/commit/a285deea CVE-2017-7655 (In Eclipse Mosquitto version from 1.0 to 1.4.15, a Null Dereference vu ...) {DLA-1972-1} - mosquitto 1.5.4-1 (low) [stretch] - mosquitto (Minor issue) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=533775 NOTE: https://github.com/eclipse/mosquitto/commit/79a7b36d207c9142468a7ea33695a14181a9fd24 CVE-2017-7654 (In Eclipse Mosquitto 1.4.15 and earlier, a Memory Leak vulnerability w ...) {DSA-4325-1 DLA-1525-1} - mosquitto 1.5.4-1 (bug #911265) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=533493 NOTE: https://github.com/eclipse/mosquitto/commit/51ec5601c2ec523bf2973fdc1eca77335eafb8de CVE-2017-7653 (The Eclipse Mosquitto broker up to version 1.4.15 does not reject stri ...) {DSA-4325-1 DLA-1525-1} - mosquitto 1.5.4-1 (bug #911266) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=532113 NOTE: https://github.com/eclipse/mosquitto/commit/729a09310a7a56fbe5933b70b4588049da1a42b4 CVE-2017-7652 (In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running wi ...) {DSA-4325-1 DLA-1409-1 DLA-1334-1} - mosquitto 1.4.15-1 NOTE: Patches: https://mosquitto.org/files/cve/2017-7652 NOTE: http://mosquitto.org/blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652/ CVE-2017-7651 (In Eclipse Mosquitto 1.4.14, a user can shutdown the Mosquitto server ...) {DSA-4325-1 DLA-1409-1 DLA-1334-1} - mosquitto 1.4.15-1 NOTE: Patches: https://mosquitto.org/files/cve/2017-7651 NOTE: http://mosquitto.org/blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652/ CVE-2017-7650 (In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clie ...) {DSA-3865-1 DLA-961-1} - mosquitto 1.4.10-3 NOTE: http://mosquitto.org/2017/05/security-advisory-cve-2017-7650/ NOTE: Patches: https://mosquitto.org/files/cve/2017-7650/ CVE-2017-7649 (The network enabled distribution of Kura before 2.1.0 takes control ov ...) NOT-FOR-US: Kura CVE-2017-7648 (Foscam networked devices use the same hardcoded SSL private key across ...) NOT-FOR-US: Foscam CVE-2017-7647 (SolarWinds Log & Event Manager (LEM) before 6.3.1 Hotfix 4 allows ...) NOT-FOR-US: SolarWinds CVE-2017-7646 (SolarWinds Log & Event Manager (LEM) before 6.3.1 Hotfix 4 allows ...) NOT-FOR-US: SolarWinds CVE-2017-7645 (The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel throu ...) {DSA-3886-1 DLA-993-1} - linux 4.9.25-1 NOTE: Fixed by: https://git.kernel.org/linus/e6838a29ecb484c97e4efef9429643b9851fba6e CVE-2017-7644 (The Management Web Interface in Palo Alto Networks PAN-OS before 6.1.1 ...) NOT-FOR-US: Management Web Interface in Palo Alto Networks PAN-OS CVE-2017-7643 (Proxifier for Mac before 2.19 allows local users to gain privileges vi ...) NOT-FOR-US: Proxifier for Mac CVE-2017-7642 (The sudo helper in the HashiCorp Vagrant VMware Fusion plugin (aka vag ...) NOT-FOR-US: HashiCorp Vagrant VMware Fusion plugin CVE-2017-7641 (QNAP NAS application Media Streaming add-on version 421.1.0.2, 430.1.2 ...) NOT-FOR-US: QNAP NAS application Media Streaming add-on CVE-2017-7640 (QNAP NAS application Media Streaming add-on version 421.1.0.2, 430.1.2 ...) NOT-FOR-US: QNAP NAS application Media Streaming add-on CVE-2017-7639 (QNAP NAS application Proxy Server through version 1.2.0 does not authe ...) NOT-FOR-US: QNAP CVE-2017-7638 (QNAP NAS application Media Streaming add-on version 421.1.0.2, 430.1.2 ...) NOT-FOR-US: QNAP NAS application Media Streaming add-on CVE-2017-7637 (QNAP NAS application Proxy Server through version 1.2.0 allows remote ...) NOT-FOR-US: QNAP CVE-2017-7636 (Cross-site scripting (XSS) vulnerability in QNAP NAS application Proxy ...) NOT-FOR-US: QNAP CVE-2017-7635 (QNAP NAS application Proxy Server through version 1.2.0 does not utili ...) NOT-FOR-US: QNAP CVE-2017-7634 (Cross-site scripting (XSS) vulnerability in QNAP NAS application Media ...) NOT-FOR-US: QNAP NAS application Media Streaming add-on CVE-2017-7633 (QNAP Qfinder Pro 6.1.0.0317 and earlier may expose sensitive informati ...) NOT-FOR-US: QNAP CVE-2017-7632 (Cross-site scripting (XSS) vulnerability in File Station of QNAP QTS 4 ...) NOT-FOR-US: File Station of QNAP QTS CVE-2017-7631 (Cross-site scripting (XSS) vulnerability in the share link function of ...) NOT-FOR-US: File Station of QNAP CVE-2017-7630 (QNAP QTS 4.2.6 build 20171026, QTS 4.3.3 build 20170727 and earlier al ...) NOT-FOR-US: QNAP CVE-2017-7629 (QNAP QTS before 4.2.6 build 20170517 has a flaw in the change password ...) NOT-FOR-US: QNAP QTS CVE-2017-7628 (The "Smart related articles" extension 1.1 for Joomla! has SQL injecti ...) NOT-FOR-US: Joomla extension CVE-2017-7627 (The "Smart related articles" extension 1.1 for Joomla! does not preven ...) NOT-FOR-US: Joomla extension CVE-2017-7626 (The "Smart related articles" extension 1.1 for Joomla! has XSS in dial ...) NOT-FOR-US: Joomla extension CVE-2017-7625 (In Fiyo CMS 2.x through 2.0.7, attackers may upload a webshell via the ...) NOT-FOR-US: Fiyo CMS CVE-2017-7624 (The iw_read_bmp_file function in imagew-bmp.c in libimageworsener.a in ...) NOT-FOR-US: ImageWorsener CVE-2017-7623 (The iwmiffr_convert_row32 function in imagew-miff.c in libimageworsene ...) NOT-FOR-US: ImageWorsener CVE-2017-7622 (dde-daemon, the daemon process of DDE (Deepin Desktop Environment) 15. ...) NOT-FOR-US: dde-daemon CVE-2017-7621 (Cross Site Scripting Vulnerability in core-eMLi in AuroMeera Technomet ...) NOT-FOR-US: core-eMLi CVE-2017-7620 (MantisBT before 1.3.11, 2.x before 2.3.3, and 2.4.x before 2.4.1 omits ...) - mantis [wheezy] - mantis (Not supported in Wheezy LTS) NOTE: https://mantisbt.org/bugs/view.php?id=22909 NOTE: https://mantisbt.org/bugs/view.php?id=22702 CVE-2017-7618 (crypto/ahash.c in the Linux kernel through 4.10.9 allows attackers to ...) {DLA-922-1} - linux 4.9.25-1 [jessie] - linux 3.16.43-1 NOTE: http://marc.info/?l=linux-crypto-vger&m=149181655623850&w=2 CVE-2017-7616 (Incorrect error handling in the set_mempolicy and mbind compat syscall ...) {DLA-922-1} - linux 4.9.25-1 [jessie] - linux 3.16.43-1 NOTE: Fixed by: https://git.kernel.org/linus/cf01fb9985e8deb25ccf0ea54d916b8871ae0e62 (4.11-rc6) NOTE: https://grsecurity.net/the_infoleak_that_mostly_wasnt.php CVE-2016-10323 (Synology Photo Station before 6.3-2958 allows local users to gain priv ...) NOT-FOR-US: Synology Photo Station CVE-2016-10322 (Synology Photo Station before 6.3-2958 allows remote authenticated gue ...) NOT-FOR-US: Synology Photo Station CVE-2017-7615 (MantisBT through 2.3.0 allows arbitrary password reset and unauthentic ...) - mantis [wheezy] - mantis (Unsupported in Wheezy LTS) NOTE: http://www.openwall.com/lists/oss-security/2017/04/16/2 CVE-2017-7614 (elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as ...) - binutils 2.28-4 (low; bug #859989) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/04/05/binutils-two-null-pointer-dereference-in-elflink-c/ NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ad32986fdf9da1c8748e47b8b45100398223dba8 CVE-2017-7613 (elflint.c in elfutils 0.168 does not validate the number of sections a ...) {DLA-1689-1} - elfutils 0.168-1 (bug #859990) [wheezy] - elfutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21312 NOTE: https://blogs.gentoo.org/ago/2017/04/03/elfutils-memory-allocation-failure-in-xcalloc-xmalloc-c/ NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=4314716cd498bb51639db717bd7ce6182de33322 CVE-2017-7612 (The check_sysv_hash function in elflint.c in elfutils 0.168 allows rem ...) {DLA-1689-1} - elfutils 0.168-1 (bug #859991) [wheezy] - elfutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21311 NOTE: https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_sysv_hash-elflint-c/ NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=61fe61898747f63eb35a81c2261f3590a3dab8fd CVE-2017-7611 (The check_symtab_shndx function in elflint.c in elfutils 0.168 allows ...) {DLA-1689-1} - elfutils 0.168-1 (bug #859992) [wheezy] - elfutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21310 NOTE: https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_symtab_shndx-elflint-c/ NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=9a0d9d314a6342b56e3277bd7ad7ecb6e73a7d38 CVE-2017-7610 (The check_group function in elflint.c in elfutils 0.168 allows remote ...) {DLA-1689-1} - elfutils 0.168-1 (bug #859993) [wheezy] - elfutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21320 NOTE: https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_group-elflint-c/ NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=fb6709f1a41b58a9557ea45b7f53ae678c660b21 CVE-2017-7609 (elf_compress.c in elfutils 0.168 does not validate the zlib compressio ...) - elfutils 0.168-1 (bug #859994) [jessie] - elfutils (Vulnerable code not present) [wheezy] - elfutils (Vulnerable code not present) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21301 NOTE: https://blogs.gentoo.org/ago/2017/04/03/elfutils-memory-allocation-failure-in-__libelf_decompress-elf_compress-c/ CVE-2017-7608 (The ebl_object_note_type_name function in eblobjnotetypename.c in elfu ...) {DLA-1689-1} - elfutils 0.168-1 (bug #859995) [wheezy] - elfutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21300 NOTE: https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-ebl_object_note_type_name-eblobjnotetypename-c/ NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=b0b58c5e0b34e54194aa042f2310af58ee7de603 CVE-2017-7607 (The handle_gnu_hash function in readelf.c in elfutils 0.168 allows rem ...) - elfutils 0.168-1 (bug #859996) [jessie] - elfutils (vulnerable code not present) [wheezy] - elfutils (vulnerable code not present) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21299 NOTE: https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-handle_gnu_hash-readelf-c/ CVE-2017-7605 (aacplusenc.c in HE-AAC+ Codec (aka libaacplus) 2.0.2 has an assertion ...) NOT-FOR-US: libaacplus CVE-2017-7604 (au_channel.h in HE-AAC+ Codec (aka libaacplus) 2.0.2 has a left-shift ...) NOT-FOR-US: libaacplus CVE-2017-7603 (au_channel.h in HE-AAC+ Codec (aka libaacplus) 2.0.2 has a signed inte ...) NOT-FOR-US: libaacplus CVE-2017-7602 (LibTIFF 4.0.7 has a signed integer overflow, which might allow remote ...) {DSA-3844-1 DLA-911-1} - tiff 4.0.7-6 - tiff3 [wheezy] - tiff3 (vulnerable code not present) NOTE: https://github.com/vadz/libtiff/commit/66e7bd59520996740e4df5495a830b42fae48bc4 NOTE: https://blogs.gentoo.org/ago/2017/04/01/libtiff-multiple-ubsan-crashes CVE-2017-7601 (LibTIFF 4.0.7 has a "shift exponent too large for 64-bit type long" un ...) {DSA-3844-1 DLA-912-1 DLA-911-1} - tiff 4.0.7-6 - tiff3 NOTE: https://github.com/vadz/libtiff/commit/0a76a8c765c7b8327c59646284fa78c3c27e5490 NOTE: https://blogs.gentoo.org/ago/2017/04/01/libtiff-multiple-ubsan-crashes CVE-2017-7600 (LibTIFF 4.0.7 has an "outside the range of representable values of typ ...) {DSA-3844-1 DLA-912-1 DLA-911-1} - tiff 4.0.7-6 - tiff3 NOTE: https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490 NOTE: https://blogs.gentoo.org/ago/2017/04/01/libtiff-multiple-ubsan-crashes CVE-2017-7599 (LibTIFF 4.0.7 has an "outside the range of representable values of typ ...) {DSA-3844-1 DLA-912-1 DLA-911-1} - tiff 4.0.7-6 - tiff3 NOTE: https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490 NOTE: https://blogs.gentoo.org/ago/2017/04/01/libtiff-multiple-ubsan-crashes CVE-2017-7598 (tif_dirread.c in LibTIFF 4.0.7 might allow remote attackers to cause a ...) {DSA-3844-1 DLA-911-1} - tiff 4.0.7-6 (low) - tiff3 [wheezy] - tiff3 (vulnerable code not present) NOTE: https://github.com/vadz/libtiff/commit/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8 NOTE: https://blogs.gentoo.org/ago/2017/04/01/libtiff-multiple-ubsan-crashes CVE-2017-7597 (tif_dirread.c in LibTIFF 4.0.7 has an "outside the range of representa ...) {DSA-3844-1 DLA-912-1 DLA-911-1} - tiff 4.0.7-6 - tiff3 NOTE: https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490 NOTE: https://blogs.gentoo.org/ago/2017/04/01/libtiff-multiple-ubsan-crashes CVE-2017-7596 (LibTIFF 4.0.7 has an "outside the range of representable values of typ ...) {DSA-3844-1 DLA-912-1 DLA-911-1} - tiff 4.0.7-6 - tiff3 NOTE: https://blogs.gentoo.org/ago/2017/04/01/libtiff-multiple-ubsan-crashes NOTE: https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490 CVE-2017-7595 (The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows re ...) {DSA-3844-1 DLA-912-1 DLA-911-1} - tiff 4.0.7-6 (low; bug #860003) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2653 NOTE: https://blogs.gentoo.org/ago/2017/04/01/libtiff-divide-by-zero-in-jpegsetupencode-tiff_jpeg-c NOTE: https://github.com/vadz/libtiff/commit/47f2fb61a3a64667bce1a8398a8fcb1b348ff122 CVE-2017-7594 (The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in Lib ...) {DSA-3844-1 DLA-912-1 DLA-911-1} - tiff 4.0.7-6 (low; bug #860001) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2659 NOTE: https://github.com/vadz/libtiff/commit/2ea32f7372b65c24b2816f11c04bf59b5090d05b NOTE: https://github.com/vadz/libtiff/commit/8283e4d1b7e53340684d12932880cbcbaf23a8c1 CVE-2017-7593 (tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is proper ...) {DSA-3844-1 DLA-912-1 DLA-911-1} - tiff 4.0.7-6 (bug #860000) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2651 NOTE: https://github.com/vadz/libtiff/commit/d60332057b9575ada4f264489582b13e30137be1 CVE-2017-7592 (The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a lef ...) {DSA-3844-1 DLA-911-1} - tiff 4.0.7-6 (bug #859998) - tiff3 [wheezy] - tiff3 (vulnerable code not present) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2658 NOTE: https://github.com/vadz/libtiff/commit/48780b4fcc425cddc4ef8ffdf536f96a0d1b313b CVE-2017-7617 (Remote code execution can occur in Asterisk Open Source 13.x before 13 ...) - asterisk 1:13.14.1~dfsg-1 (bug #859910) [jessie] - asterisk (Vulnerable code not present) [wheezy] - asterisk (Vulnerable code not present) NOTE: http://downloads.asterisk.org/pub/security/AST-2017-001.html CVE-2017-7619 (In ImageMagick 7.0.4-9, an infinite loop can occur because of a floati ...) {DSA-3863-1 DLA-902-1} - imagemagick 8:6.9.7.4+dfsg-4 (bug #859769) NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31506 NOTE: Fixed by: http://git.imagemagick.org/repos/ImageMagick/commit/63757068c803f692bd70304b06ce3406e0b67c7f CVE-2017-7606 (coders/rle.c in ImageMagick 7.0.5-4 has an "outside the range of repre ...) {DSA-3863-1 DLA-902-1} - imagemagick 8:6.9.7.4+dfsg-4 (bug #859771) NOTE: https://github.com/ImageMagick/ImageMagick/issues/415 NOTE: https://blogs.gentoo.org/ago/2017/04/02/imagemagick-undefined-behavior-in-codersrle-c/ CVE-2017-7591 (OpenIDM through 4.0.0 and 4.5.0 is vulnerable to reflected cross-site ...) NOT-FOR-US: ForgeRock OpenIDM CVE-2017-7590 (OpenIDM through 4.0.0 and 4.5.0 is vulnerable to persistent cross-site ...) NOT-FOR-US: ForgeRock OpenIDM CVE-2017-7589 (In OpenIDM through 4.0.0 before 4.5.0, the info endpoint may leak sens ...) NOT-FOR-US: ForgeRock OpenIDM CVE-2017-7588 (On certain Brother devices, authorization is mishandled by including a ...) NOT-FOR-US: Brother devices CVE-2017-7587 RESERVED CVE-2017-7586 (In libsndfile before 1.0.28, an error in the "header_read()" function ...) {DLA-928-1} - libsndfile 1.0.27-2 [jessie] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/commit/708e996c87c5fae77b104ccfeb8f6db784c32074 NOTE: https://github.com/erikd/libsndfile/commit/f457b7b5ecfe91697ed01cfc825772c4d8de1236 NOTE: 1.0.27-2 in unstable contain fix_bufferoverflows.patch meant to address this issue NOTE: https://sources.debian.org/data/main/libs/libsndfile/1.0.27-2/debian/patches/fix_bufferoverflows.patch CVE-2017-7585 (In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" func ...) {DLA-928-1} - libsndfile 1.0.27-2 [jessie] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/commit/60b234301adf258786d8b90be5c1d437fc8799e0 NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2017-4/ NOTE: 1.0.27-2 in unstable contain fix_bufferoverflows.patch meant to address this issue NOTE: https://sources.debian.org/data/main/libs/libsndfile/1.0.27-2/debian/patches/fix_bufferoverflows.patch CVE-2017-7584 (Memory Corruption Vulnerability in Foxit PDF Toolkit before 2.1 allows ...) NOT-FOR-US: Foxit PDF Toolkit CVE-2017-7583 (ILIAS before 5.2.3 has XSS via SVG documents. ...) NOT-FOR-US: ILIAS CVE-2017-7582 RESERVED CVE-2017-7581 (SQL injection vulnerability in NewsController.php in the News module 5 ...) NOT-FOR-US: News module for TYPO3 CVE-2017-7580 RESERVED CVE-2017-7579 (inc/PMF/Faq.php in phpMyFAQ before 2.9.7 has XSS in the question field ...) NOT-FOR-US: phpMyFAQ CVE-2007-6760 (Dataprobe iBootBar (with 2007-09-20 and possibly later beta firmware) ...) NOT-FOR-US: Dataprobe iBootBar CVE-2007-6759 (Dataprobe iBootBar (with 2007-09-20 and possibly later released firmwa ...) NOT-FOR-US: Dataprobe iBootBar CVE-2017-7577 (XiongMai uc-httpd has directory traversal allowing the reading of arbi ...) NOT-FOR-US: XiongMai uc-httpd CVE-2017-7576 (DragonWave Horizon 1.01.03 wireless radios have hardcoded login creden ...) NOT-FOR-US: DragonWave Horizon CVE-2017-7575 (Schneider Electric Modicon TM221CE16R 1.3.3.3 devices allow remote att ...) NOT-FOR-US: Schneider CVE-2017-7574 (Schneider Electric SoMachine Basic 1.4 SP1 and Schneider Electric Modi ...) NOT-FOR-US: Schneider CVE-2017-7573 RESERVED CVE-2017-7572 (The _checkPolkitPrivilege function in serviceHelper.py in Back In Time ...) - backintime 1.1.12-2 (bug #859815) [jessie] - backintime (Minor issue) [wheezy] - backintime (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2017/04/07/2 NOTE: https://github.com/bit-team/backintime/commit/7f208dc547f569b689c888103e3b593a48cd1869 CVE-2017-7571 (public/rolechangeadmin in Faveo 1.9.3 allows CSRF. The impact is obtai ...) NOT-FOR-US: Faveo CVE-2017-7570 (PivotX 2.3.11 allows remote authenticated Advanced users to execute ar ...) NOT-FOR-US: PivotX CVE-2017-7569 (In vBulletin before 5.3.0, remote attackers can bypass the CVE-2016-64 ...) NOT-FOR-US: vBulletin CVE-2017-7568 (NetApp OnCommand Unified Manager for 7-Mode (core package) versions pr ...) NOT-FOR-US: NetApp CVE-2017-7567 RESERVED CVE-2017-7566 (MyBB before 1.8.11 allows remote attackers to bypass an SSRF protectio ...) NOT-FOR-US: MyBB CVE-2017-7565 (Splunk Hadoop Connect App has a path traversal vulnerability that allo ...) NOT-FOR-US: Splunk Hadoop Connect App CVE-2017-7564 (In ARM Trusted Firmware through 1.3, the secure self-hosted invasive d ...) NOT-FOR-US: ARM CVE-2017-7563 (In ARM Trusted Firmware 1.3, RO memory is always executable at AArch64 ...) NOT-FOR-US: ARM CVE-2016-10320 (textract before 1.5.0 allows OS Command Injection attacks via a filena ...) NOT-FOR-US: textract CVE-2016-10319 (In ARM Trusted Firmware 1.2 and 1.3, a malformed firmware update SMC c ...) NOT-FOR-US: ARM CVE-2016-1000307 (Multiple Cross Site Scripting (XSS) Vulnerabilities in ClipBucket v2.8 ...) NOT-FOR-US: ClipBucket CVE-2016-1000306 REJECTED CVE-2017-7578 (Multiple heap-based buffer overflows in parser.c in libming 0.4.7 allo ...) {DLA-890-1} - ming NOTE: http://www.openwall.com/lists/oss-security/2017/04/07/1 NOTE: https://github.com/libming/libming/issues/68 CVE-2017-7562 (An authentication bypass flaw was found in the way krb5's certauth int ...) - krb5 (Vulnerable code introduced later, cf. #873281) NOTE: https://github.com/krb5/krb5/pull/694 NOTE: https://github.com/krb5/krb5/pull/694/commits/50fe4074f188c2d4da0c421e96553acea8378db2 NOTE: https://github.com/krb5/krb5/pull/694/commits/1de6ca2f2eb1fdbab51f1549a25a6903aefcc196 NOTE: https://github.com/krb5/krb5/pull/694/commits/b7af544e50a4d8291524f590e20dd44430bf627d CVE-2017-7561 (Red Hat JBoss EAP version 3.0.7 through before 4.0.0.Beta1 is vulnerab ...) - resteasy 3.6.2-1 (bug #873392) [jessie] - resteasy (CORS Filter added in 3.0.7.Final) - resteasy3.0 3.0.26-1 (bug #908836) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1483823 NOTE: https://issues.jboss.org/projects/RESTEASY/issues/RESTEASY-1704 NOTE: Fixed by: https://github.com/resteasy/Resteasy/commit/517db971d8f7094124416bf72091fd0b45a13028 NOTE: Fixed in 4.0.0.Beta1, 3.0.25.Final, 3.5.0.CR1 CVE-2017-7560 (It was found that rhnsd PID files are created as world-writable that a ...) - rhnsd (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1480550 NOTE: Introduced by: https://github.com/spacewalkproject/spacewalk/commit/75d9c00b96ab430221c5c7668baebebc74ddd67e CVE-2017-7559 (In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and 1. ...) - undertow 1.4.23-1 (bug #885576) NOTE: CVE is for an incomplete fix of CVE-2017-2666 NOTE: Invalid characters were still allowed in the query string and path parameters. NOTE: https://issues.jboss.org/browse/UNDERTOW-1165 NOTE: https://issues.jboss.org/browse/UNDERTOW-1295 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1481665#c7 NOTE: Fixed by https://github.com/undertow-io/undertow/commit/3436b03eda8b0b62c1855698c4d7c358add836c2 CVE-2017-7558 (A kernel data leak due to an out-of-bound read was found in the Linux ...) - linux 4.12.13-1 [stretch] - linux 4.9.30-2+deb9u5 [jessie] - linux (Vulnerable code introduced later 4.7 and not backported) [wheezy] - linux (Vulnerable code introduced later 4.7 and not backported) CVE-2017-7557 (dnsdist version 1.1.0 is vulnerable to a flaw in authentication mechan ...) - dnsdist 1.2.0-1 (low; bug #872854) [stretch] - dnsdist 1.1.0-2+deb9u1 NOTE: https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2017-02.html NOTE: https://downloads.powerdns.com/patches/2017-02 CVE-2017-7556 (Hawtio versions up to and including 1.5.3 are vulnerable to CSRF vulne ...) NOT-FOR-US: hawtio CVE-2017-7555 (Augeas versions up to and including 1.8.0 are vulnerable to heap-based ...) {DSA-3949-1 DLA-1067-1} - augeas 1.8.1-1 (bug #872400) NOTE: https://github.com/hercules-team/augeas/pull/480 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1478373 CVE-2017-7554 (It was found that the App Studio component of RHMAP 4.4 executes javas ...) NOT-FOR-US: Red Hat Mobile Application Platform CVE-2017-7553 (The external_request api call in App Studio (millicore) allows server ...) NOT-FOR-US: Red Hat Mobile Application Platform CVE-2017-7552 (A flaw was discovered in the file editor of millicore, affecting versi ...) NOT-FOR-US: Red Hat Mobile Application Platform CVE-2017-7551 (389-ds-base version before 1.3.5.19 and 1.3.6.7 are vulnerable to pass ...) - 389-ds-base 1.3.6.7-1 (bug #870752) [stretch] - 389-ds-base (Minor issue) [jessie] - 389-ds-base (vulnerable code not present) NOTE: https://pagure.io/389-ds-base/issue/49336 CVE-2017-7550 (A flaw was found in the way Ansible (2.3.x before 2.3.3, and 2.4.x bef ...) - ansible 2.4.2.0+dfsg-1 (unimportant) NOTE: https://github.com/ansible/ansible/issues/30874 NOTE: https://github.com/ansible/ansible/pull/30875 NOTE: Just an insecure example CVE-2017-7549 (A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat Op ...) NOT-FOR-US: instack-undercloud CVE-2017-7548 (PostgreSQL versions before 9.4.13, 9.5.8 and 9.6.4 are vulnerable to a ...) {DSA-3936-1 DSA-3935-1} - postgresql-9.6 9.6.4-1 - postgresql-9.4 - postgresql-9.1 [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) [wheezy] - postgresql-9.1 (Vulnerable code not present) - postgresql-8.4 [wheezy] - postgresql-8.4 (postgresql-8.4 in wheezy only provides PL/Perl) NOTE: https://www.postgresql.org/about/news/1772/ CVE-2017-7547 (PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are ...) {DSA-3936-1 DSA-3935-1 DLA-1051-1} - postgresql-9.6 9.6.4-1 - postgresql-9.4 - postgresql-9.1 [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) - postgresql-8.4 [wheezy] - postgresql-8.4 (postgresql-8.4 in wheezy only provides PL/Perl) NOTE: https://www.postgresql.org/about/news/1772/ CVE-2017-7546 (PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are ...) {DSA-3936-1 DSA-3935-1 DLA-1051-1} - postgresql-9.6 9.6.4-1 - postgresql-9.4 - postgresql-9.1 [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) - postgresql-8.4 [wheezy] - postgresql-8.4 (postgresql-8.4 in wheezy only provides PL/Perl) NOTE: https://www.postgresql.org/about/news/1772/ CVE-2017-7545 (It was discovered that the XmlUtils class in jbpmmigration 6.5 perform ...) NOT-FOR-US: jbpm-designer / jBPM CVE-2017-7544 (libexif through 0.6.21 is vulnerable to out-of-bounds heap read vulner ...) {DLA-2214-1} - libexif 0.6.21-2.1 (bug #876466) [stretch] - libexif (Minor issue) [wheezy] - libexif (Minor issue) NOTE: https://sourceforge.net/p/libexif/bugs/130/ CVE-2017-7543 (A race-condition flaw was discovered in openstack-neutron before 7.2.0 ...) - neutron (Specific to Red Hat packaging) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1473792 CVE-2017-7542 (The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linu ...) {DSA-3945-1 DSA-3927-1 DLA-1099-1} - linux 4.12.6-1 NOTE: Fixed by: https://git.kernel.org/linus/6399f1fae4ec29fab5ec76070435555e256ca3a6 CVE-2017-7541 (The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/b ...) {DSA-3945-1 DSA-3927-1} - linux 4.12.6-1 [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/8f44c9a41386729fea410e688959ddaa9d51be7c CVE-2017-7540 (rubygem-safemode, as used in Foreman, versions 1.3.2 and earlier are v ...) NOT-FOR-US: Safemode ruby gem CVE-2017-7539 (An assertion-failure flaw was found in Qemu before 2.10.1, in the Netw ...) - qemu (Vulnerable code introduced in v2.9.0-rc0) - qemu-kvm (Vulnerable code introduced in v2.9.0-rc0) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=2b0bbc4f8809c972bad134bc1a2570dbb01dea0b NOTE: Introduced by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=ff82911cd3f69f028f2537825c9720ff78bc3f19 CVE-2017-7538 (A cross-site scripting (XSS) flaw was found in how an organization nam ...) NOT-FOR-US: Red Hat Satellite CVE-2017-7537 (It was found that a mock CMC authentication plugin with a hardcoded se ...) - dogtag-pki 10.3.5+12-5 (bug #869261) NOTE: https://github.com/dogtagpki/pki/commit/876d13c6d20e7e1235b9 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1470817 CVE-2017-7536 (In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it ...) - libhibernate-validator-java 4.3.3-4 (bug #885577) [stretch] - libhibernate-validator-java 4.3.3-1+deb9u1 [jessie] - libhibernate-validator-java (Vulnerable code introduced in 4.3) [wheezy] - libhibernate-validator-java (Vulnerable code introduced in 4.3) NOTE: https://github.com/hibernate/hibernate-validator/commit/0ed45f37c4680998167179e631113a2c9cb5d113 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1465573 CVE-2017-7535 (foreman before version 1.16.0 is vulnerable to a stored XSS in organiz ...) - foreman (bug #663101) CVE-2017-7534 (OpenShift Enterprise version 3.x is vulnerable to a stored XSS via the ...) NOT-FOR-US: OpenShift CVE-2017-7533 (Race condition in the fsnotify implementation in the Linux kernel thro ...) {DSA-3945-1 DSA-3927-1} - linux 4.12.6-1 [wheezy] - linux (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2017/08/03/2 NOTE: Fixed by: https://git.kernel.org/linus/49d31c2f389acfe83417083e1208422b4091cd9 (v4.13-rc1) CVE-2017-7532 (In Moodle 3.x, course creators are able to change system default setti ...) - moodle NOTE: https://moodle.org/mod/forum/discuss.php?d=355556 CVE-2017-7531 (In Moodle 3.3, the course overview block reveals activities in hidden ...) - moodle (Only affects 3.3) NOTE: https://moodle.org/mod/forum/discuss.php?d=355555 CVE-2017-7530 (In CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5 ...) NOT-FOR-US: Red Hat CloudForms Management Engine CVE-2017-7529 (Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable t ...) {DSA-3908-1 DLA-1024-1} - nginx 1.13.3-1 (bug #868109) NOTE: http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html NOTE: Fixed in 1.13.3, 1.12.1. CVE-2017-7528 (Ansible Tower as shipped with Red Hat CloudForms Management Engine 5 i ...) NOT-FOR-US: Ansible Tower CVE-2017-7527 RESERVED CVE-2017-7526 (libgcrypt before version 1.7.8 is vulnerable to a cache side-channel a ...) {DSA-3960-1 DSA-3901-1 DLA-1080-1 DLA-1015-1} - libgcrypt20 1.7.8-1 - libgcrypt11 - gnupg2 (Uses system libgcrypt) - gnupg1 1.4.22-1 [stretch] - gnupg1 (Only affects the legacy packages) - gnupg NOTE: https://eprint.iacr.org/2017/627 NOTE: Fixes for RSA exponent blinding fixes (A): NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=a9f612def801c8145d551d995475e5d51a4c988c NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=aff5fd0f2650e24cf99efcd7b499627ea48782c3 NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=312101e1f266314b4391fcdbe11c03de5c147e38 NOTE: Fixes for mpi_powm itsef (B): NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=0e6788517eac6f508fa32ec5d5c1cada7fb980bc NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=fbd10abc057453789017f11c7f1fc8e6c61b79a3 NOTE: For the particular attack to RSA, either (A) or (B) is enough. In NOTE: general cases, (A) plus (B) is needed. NOTE: For GnuPG: https://lists.gnupg.org/pipermail/gnupg-users/2017-July/058598.html NOTE: GnuPG: https://dev.gnupg.org/rC8725c99ffa41778f382ca97233183bcd687bb0ce NOTE: GnuPG1: https://dev.gnupg.org/D438 CVE-2017-7525 (A deserialization flaw was discovered in the jackson-databind, version ...) {DSA-4004-1 DLA-2091-1} - jackson-databind 2.9.1-1 (bug #870848) - libjackson-json-java NOTE: https://github.com/FasterXML/jackson-databind/issues/1599 NOTE: For libjackson-json-java: NOTE: https://github.com/FasterXML/jackson-1/commit/9ac68db819bce7b9546bc4bf1c44f82ca910fa31 CVE-2017-7524 (tpm2-tools versions before 1.1.1 are vulnerable to a password leak due ...) - tpm2-tools 2.1.0-1 (bug #866257) NOTE: https://github.com/01org/tpm2.0-tools/commit/c5d72beaab1cbbbe68271f4bc4b6670d69985157 CVE-2017-7523 (Cygwin versions 1.7.2 up to and including 1.8.0 are vulnerable to buff ...) NOT-FOR-US: Cygwin CVE-2017-7522 (OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to deni ...) - openvpn 2.4.3-1 (unimportant) [jessie] - openvpn (x509-track implemented in 2.4.0) [wheezy] - openvpn (x509-track implemented in 2.4.0) NOTE: Fixed by: https://github.com/OpenVPN/openvpn/commit/426392940c NOTE: https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243 NOTE: http://www.openwall.com/lists/oss-security/2017/06/21/6 NOTE: In Debian openvpn is compiled against OpenSSL, thus even affected NOTE: code present. CVE-2017-7521 (OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remo ...) {DSA-3900-1} - openvpn 2.4.3-1 (bug #865480) [wheezy] - openvpn (Vulnerable code not present) NOTE: Fixed by (master): https://github.com/OpenVPN/openvpn/commit/2d032c7fcdfd692c851ea2fa858b4c2d9ea7d52d NOTE: Fixed by (master): https://github.com/OpenVPN/openvpn/commit/cb4e35ece4a5b70b10ef9013be3bff263d82f32b NOTE: Fixed by (2.4.x): https://github.com/OpenVPN/openvpn/commit/2341f716198fa90193e040b3fdb16959a47c6c27 NOTE: Fixed by (2.4.x): https://github.com/OpenVPN/openvpn/commit/040084067119dd5a9e15eb3bcfc0079debaa3777 NOTE: Fixed by (2.3.x): https://github.com/OpenVPN/openvpn/commit/84e1775961de1c9d2ab32159fc03f758591f5238 NOTE: Fixed by (2.3.x): https://github.com/OpenVPN/openvpn/commit/1dde0cd6e5e6a0f2f45ec9969b7ff1b6537514ad NOTE: https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243 NOTE: http://www.openwall.com/lists/oss-security/2017/06/21/6 CVE-2017-7520 (OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to deni ...) {DSA-3900-1 DLA-999-1} - openvpn 2.4.3-1 (bug #865480) NOTE: Fixed by (master): https://github.com/OpenVPN/openvpn/commit/7718c8984f04b507c1885f363970e2124e3c6c77 NOTE: Fixed by (2.4.x): https://github.com/OpenVPN/openvpn/commit/043fe327878eba75efa13794c9845f85c3c629f2 NOTE: Fixed by (2.3.x): https://github.com/OpenVPN/openvpn/commit/f38a4a105979b87ebebe9be1c3d323116d3fb924 NOTE: https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243 NOTE: http://www.openwall.com/lists/oss-security/2017/06/21/6 CVE-2017-7519 (In Ceph, a format string flaw was found in the way libradosstriper par ...) {DSA-4339-1} - ceph 12.2.8+dfsg1-1 (bug #864535) [jessie] - ceph (Vulnerable code not present) NOTE: http://tracker.ceph.com/issues/20240 CVE-2017-7518 (A flaw was found in the Linux kernel before version 4.12 in the way th ...) {DSA-3981-1} - linux 4.11.11-1 [wheezy] - linux (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2017/06/23/5 NOTE: https://www.spinics.net/lists/kvm/msg151817.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1464473 NOTE: Fixed by: https://git.kernel.org/linus/c8401dda2f0a00cd25c0af6a95ed50e478d25de4 CVE-2017-7517 RESERVED NOT-FOR-US: OpenShift CVE-2017-7516 REJECTED CVE-2017-7515 (poppler through version 0.55.0 is vulnerable to an uncontrolled recurs ...) - poppler 0.57.0-2 (unimportant) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=101208 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=771c82623e8e1e0c92b8ca6f7c2b8a81ccbb60d3 NOTE: Crash in CLI tool, no security implications CVE-2017-7514 (A cross-site scripting (XSS) flaw was found in how the failed action e ...) NOT-FOR-US: Red Hat Satellite CVE-2017-7513 (It was found that Satellite 5 configured with SSL/TLS for the PostgreS ...) NOT-FOR-US: Red Hat Satellite CVE-2017-7512 (Red Hat 3scale (aka RH-3scale) API Management Platform (AMP) before 2. ...) NOT-FOR-US: Red Hat 3scale CVE-2017-7511 (poppler since version 0.17.3 has been vulnerable to NULL pointer deref ...) - poppler 0.57.0-2 (unimportant; bug #863759) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=101149 NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=101153 NOTE: Fixed by: https://cgit.freedesktop.org/poppler/poppler/commit/?id=5c9b08a875b07853be6c44e43ff5f7f059df666a NOTE: Crash in CLI tool, no security implications CVE-2017-7510 (In ovirt-engine 4.1, if a host was provisioned with cloud-init, the ro ...) NOT-FOR-US: ovirt-engine CVE-2017-7509 (An input validation error was found in Red Hat Certificate System's ha ...) NOT-FOR-US: Red Hat Certificate System CVE-2017-7508 (OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remo ...) {DSA-3900-1} - openvpn 2.4.3-1 (bug #865480) [wheezy] - openvpn (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2017/06/21/6 NOTE: https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243 NOTE: Fixed by (master): https://github.com/OpenVPN/openvpn/commit/c3f47077a7756de5929094569421a95aa66f2022 NOTE: Fixed by (2.4.x): https://github.com/OpenVPN/openvpn/commit/ed28cde3d8bf3f1459b2f42f0e27d64801009f92 NOTE: Fixed by (2.3.x): https://github.com/OpenVPN/openvpn/commit/fc61d1bda112ffc669dbde961fab19f60b3c7439 CVE-2017-7507 (GnuTLS version 3.5.12 and earlier is vulnerable to a NULL pointer dere ...) {DSA-3884-1} [experimental] - gnutls28 3.5.13-1 - gnutls28 3.5.8-6 (bug #864560) - gnutls26 [wheezy] - gnutls26 (Vulnerable code not present) NOTE: https://gnutls.org/security.html#GNUTLS-SA-2017-4 NOTE: https://gitlab.com/gnutls/gnutls/commit/4c4d35264fada08b6536425c051fb8e0b05ee86b NOTE: https://gitlab.com/gnutls/gnutls/commit/3efb6c5fd0e3822ec11879d5bcbea0e8d322cd03 NOTE: https://gitlab.com/gnutls/gnutls/commit/e1d6c59a7b0392fb3b8b75035614084a53e2c8c9 CVE-2017-7506 (spice versions though 0.13 are vulnerable to out-of-bounds memory acce ...) {DSA-3907-1} - spice 0.12.8-2.2 (bug #868083) [wheezy] - spice (Vulnerable code not introduced later) CVE-2017-7505 (Foreman since version 1.5 is vulnerable to an incorrect authorization ...) - foreman (bug #663101) CVE-2017-7504 (HTTPServerILServlet.java in JMS over HTTP Invocation Layer of the Jbos ...) NOT-FOR-US: Red Hat JBoss CVE-2017-7503 (It was found that the Red Hat JBoss EAP 7.0.5 implementation of javax. ...) NOT-FOR-US: Red Hat JBoss EAP implementation of javax.xml.transform.TransformerFactory CVE-2017-7502 (Null pointer dereference vulnerability in NSS since 3.24.0 was found w ...) {DSA-3872-1 DLA-971-1} [experimental] - nss 2:3.29-1 - nss 2:3.26.2-1.1 (bug #863839) NOTE: https://hg.mozilla.org/projects/nss/rev/55ea60effd0d CVE-2017-7501 (It was found that versions of rpm before 4.13.0.2 use temporary files ...) - rpm (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1452133 NOTE: Not supported for installations in Debian (and an unprivileged attacker would not have permissions for systems directories anyway) CVE-2017-7500 (It was found that rpm did not properly handle RPM installations when a ...) - rpm (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1450369 NOTE: Not supported for installations in Debian (and an unprivileged attacker would not have permissions for systems directories anyway) CVE-2017-7499 REJECTED CVE-2017-7498 REJECTED CVE-2017-7497 (The dialog for creating cloud volumes (cinder provider) in CloudForms ...) NOT-FOR-US: Red Hat CloudForms Management Engine CVE-2017-7496 (fedora-arm-installer up to and including 1.99.16 is vulnerable to loca ...) NOT-FOR-US: fedora-arm-installer CVE-2017-7495 (fs/ext4/inode.c in the Linux kernel before 4.6.2, when ext4 data=order ...) - linux 4.6.2-1 [jessie] - linux 3.16.39-1 [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/06bd3c36a733ac27962fea7d6f47168841376824 CVE-2017-7494 (Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulne ...) {DSA-3860-1 DLA-951-1} - samba 2:4.5.8+dfsg-2 NOTE: https://www.samba.org/samba/security/CVE-2017-7494.html CVE-2017-7493 (Quick Emulator (Qemu) built with the VirtFS, host directory sharing vi ...) {DLA-1497-1 DLA-1035-1 DLA-965-1} - qemu 1:2.8+dfsg-6 - qemu-kvm NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1451709 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-05/msg03663.html CVE-2017-7492 REJECTED CVE-2017-7491 (In Moodle 2.x and 3.x, a CSRF attack is possible that allows attackers ...) - moodle NOTE: https://moodle.org/mod/forum/discuss.php?d=352355 CVE-2017-7490 (In Moodle 2.x and 3.x, searching of arbitrary blogs is possible becaus ...) - moodle NOTE: https://moodle.org/mod/forum/discuss.php?d=352354 CVE-2017-7489 (In Moodle 2.x and 3.x, remote authenticated users can take ownership o ...) - moodle NOTE: https://moodle.org/mod/forum/discuss.php?d=352353 CVE-2017-7488 (Authconfig version 6.2.8 is vulnerable to an Information exposure whil ...) NOT-FOR-US: authconfig in Red Hat CVE-2017-7487 (The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel thro ...) {DSA-3886-1 DLA-993-1} - linux 4.9.30-1 NOTE: Fixed by: https://git.kernel.org/linus/ee0d8d8482345ff97a75a7d747efc309f13b0d80 CVE-2017-7486 (PostgreSQL versions 8.4 - 9.6 are vulnerable to information leak in pg ...) {DSA-3851-1 DLA-1051-1} - postgresql-9.6 9.6.3-1 - postgresql-9.4 - postgresql-9.1 [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) - postgresql-8.4 (feature not present in 8.x) NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=c928addfccd7f9905472dddd94e9cd10bc3f6808 CVE-2017-7485 (In PostgreSQL 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9 ...) {DSA-3851-1} - postgresql-9.6 9.6.3-1 - postgresql-9.4 - postgresql-9.1 (bug introduced in 9.3) - postgresql-8.4 (bug introduced in 9.3) NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=aafbd1df969135c185947c596c46608fc9f4a67c CVE-2017-7484 (It was found that some selectivity estimation functions in PostgreSQL ...) {DSA-3851-1} - postgresql-9.6 9.6.3-1 - postgresql-9.4 - postgresql-9.1 [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) [wheezy] - postgresql-9.1 (Vulnerable code do not exist) - postgresql-8.4 [wheezy] - postgresql-8.4 (Vulnerable code do not exist) NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=c33c42362256382ed398df9dcda559cd547c68a7 NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=cad15943225adbcadea51602b38b04d71d1183d2 NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=935e77d527a018b652f247c7374c558871210db6 CVE-2017-7483 (Rxvt 2.7.10 is vulnerable to a denial of service attack by passing the ...) - rxvt 1:2.7.10-7.1 (low; bug #861694) [stretch] - rxvt (Minor issue) [jessie] - rxvt (Minor issue) [wheezy] - rxvt (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/05/01/15 CVE-2017-7482 (In the Linux kernel before version 4.12, Kerberos 5 tickets decoded wh ...) {DSA-3945-1 DSA-3927-1 DLA-1099-1} - linux 4.11.11-1 NOTE: Fixed by: https://git.kernel.org/linus/5f2f97656ada8d811d3c1bef503ced266fcd53a0 CVE-2017-7481 (Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark loo ...) - ansible 2.3.1.0+dfsg-1 (bug #862666) [stretch] - ansible (Minor issue) [jessie] - ansible (vulnerable code introduced in version 2.x) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1450018 NOTE: Fixed by: https://github.com/ansible/ansible/commit/ed56f51f185a1ffd7ea57130d260098686fcc7c2 CVE-2017-7480 (rkhunter versions before 1.4.4 are vulnerable to file download over in ...) {DLA-1039-1} - rkhunter 1.4.4-1 (bug #866677) [stretch] - rkhunter 1.4.2-6+deb9u1 [jessie] - rkhunter 1.4.2-0.4+deb8u1 NOTE: http://www.openwall.com/lists/oss-security/2017/06/29/2 NOTE: http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/rkhunter?r1=1.549&r2=1.550&view=patch CVE-2017-7479 (OpenVPN versions before 2.3.15 and before 2.4.2 are vulnerable to reac ...) {DLA-944-1} - openvpn 2.4.0-5 (low) [jessie] - openvpn 2.3.4-5+deb8u2 NOTE: https://github.com/OpenVPN/openvpn/commit/e498cb0ea8d3a451b39eaf6f9b6a7488f18250b8 (master) NOTE: https://github.com/OpenVPN/openvpn/commit/591a4e574c43cb9e820950f15dcaabda261def78 (2.4.x) NOTE: https://github.com/OpenVPN/openvpn/commit/b727643cdf4e078f132a90e1c474a879a5760578 (2.3.x) NOTE: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14643.html (3 patches for 2.2.x) NOTE: https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits CVE-2017-7478 (OpenVPN version 2.3.12 and newer is vulnerable to unauthenticated Deni ...) - openvpn 2.4.0-5 [jessie] - openvpn (Vulnerable code introduced later) [wheezy] - openvpn (Vulnerable code introduced later) NOTE: https://github.com/OpenVPN/openvpn/commit/5774cf4c25e1d8bf4e544702db8f157f111c9d93 (master) NOTE: https://github.com/OpenVPN/openvpn/commit/66b99a0753352c5cc43e11e39835b6423112df98 (2.4.x) NOTE: https://github.com/OpenVPN/openvpn/commit/feb35ee5cac605edddd6e9dc62941e2c53f96fb3 (2.3.x) NOTE: Introduced in: https://github.com/OpenVPN/openvpn/commit/3c1b19e04745177185decd14da82c71458442b82 (2.4.0) NOTE: Introduced in (backported to 2.3.12): https://github.com/OpenVPN/openvpn/commit/358f513c008bf01fadb82759ac75ffb8613fc785 NOTE: https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits CVE-2017-7477 (Heap-based buffer overflow in drivers/net/macsec.c in the MACsec modul ...) - linux 4.9.25-1 [jessie] - linux (Introduced in 4.6) [wheezy] - linux (Introduced in 4.6) NOTE: http://www.openwall.com/lists/oss-security/2017/04/25/4 NOTE: Fixed by: https://git.kernel.org/linus/4d6fa57b4dab0d77f4d8e9d9c73d1e63f6fe8fee NOTE: Fixed by: https://git.kernel.org/linus/5294b83086cc1c35b4efeca03644cf9d12282e5b CVE-2017-7476 (Gnulib before 2017-04-26 has a heap-based buffer overflow with the TZ ...) - gnulib (Vulnerable code introduced later) NOTE: Fixed by: http://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=commitdiff;h=94e01571 NOTE: Introduced with 4bc76593 and 4e6e16b3f. CVE-2017-7475 (Cairo version 1.15.4 is vulnerable to a NULL pointer dereference relat ...) - cairo (low; bug #870264) [buster] - cairo (Minor issue) [stretch] - cairo (Minor issue) [jessie] - cairo (Minor issue) [wheezy] - cairo (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=100763 NOTE: https://gitlab.freedesktop.org/cairo/cairo/issues/80 CVE-2017-7474 (It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handl ...) NOT-FOR-US: Keycloak CVE-2017-7473 REJECTED CVE-2017-7472 (The KEYS subsystem in the Linux kernel before 4.10.13 allows local use ...) {DLA-922-1} - linux 4.9.25-1 [jessie] - linux 3.16.43-1 NOTE: https://lkml.org/lkml/2017/4/1/235 NOTE: https://lkml.org/lkml/2017/4/3/724 CVE-2017-7471 (Quick Emulator (Qemu) built with the VirtFS, host directory sharing vi ...) {DLA-1035-1} - qemu 1:2.8+dfsg-5 (bug #860785) [jessie] - qemu (Vulnerable code introduced with fix for CVE-2016-9602) [wheezy] - qemu (Vulnerable code introduced with fix for CVE-2016-9602) - qemu-kvm (Vulnerable code introduced with fix for CVE-2016-9602) NOTE: Fixed by: http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=9c6b899f7a46893ab3b671e341a2234e9c0c060e NOTE: Fixed by (stable-2.8): http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=96bae145e27d4df62671b4eebd6c735f412016cf (v2.8.1.1) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1443401 NOTE: Introduced by: http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=acf22d2264a131ad2695b5a18746dabf0cc8b843 NOTE: which is part of the fix for CVE-2016-9602. CVE-2017-7470 (It was found that spacewalk-channel can be used by a non-admin user or ...) NOT-FOR-US: Red Hat / spacewalk-backend CVE-2017-7469 REJECTED CVE-2017-7468 (In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would atte ...) - curl 7.52.1-5 [jessie] - curl (Only affects 7.52 and later) [wheezy] - curl (Only affects 7.52 and later) NOTE: https://curl.haxx.se/docs/adv_20170419.html CVE-2017-7467 (A buffer overflow flaw was found in the way minicom before version 2.7 ...) {DLA-914-1} - minicom 2.7-1.1 (bug #860940) [jessie] - minicom 2.7-1+deb8u1 NOTE: http://www.openwall.com/lists/oss-security/2017/04/18/5 CVE-2017-7466 (Ansible before version 2.3 has an input validation vulnerability in th ...) - ansible 2.2.1.0-2 [jessie] - ansible (Vulnerable code not present) NOTE: https://github.com/ansible/ansible/commit/0d418789a298561fded9bce977d34babc9097079 (v2.3.0.0-0.1.rc1) CVE-2017-7465 (It was found that the JAXP implementation used in JBoss EAP 7.0 for XS ...) NOT-FOR-US: JBoss JAXP CVE-2017-7464 (It was found that the JAXP implementation used in JBoss EAP 7.0 for SA ...) NOT-FOR-US: JBoss JAXP CVE-2017-7463 (JBoss BRMS 6 and BPM Suite 6 before 6.4.3 are vulnerable to a reflecte ...) NOT-FOR-US: Red Hat business central CVE-2017-7462 (Intellinet NFC-30ir IP Camera has a vendor backdoor that can allow a r ...) NOT-FOR-US: Intellinet NFC-30ir IP Camera CVE-2017-7461 (Directory traversal vulnerability in the web-based management site on ...) NOT-FOR-US: Intellinet NFC-30ir IP Camera CVE-2017-7460 RESERVED CVE-2017-7459 (ntopng before 3.0 allows HTTP Response Splitting. ...) - ntopng 2.4+dfsg1-4 (bug #866719) [stretch] - ntopng (Minor issue) [jessie] - ntopng (Minor issue) NOTE: https://github.com/ntop/ntopng/commit/9469e58f07e043da712e6d6c41244852a11bcaeb CVE-2017-7458 (The NetworkInterface::getHost function in NetworkInterface.cpp in ntop ...) - ntopng 2.4+dfsg1-4 (bug #866721) [stretch] - ntopng (Minor issue) [jessie] - ntopng (Minor issue) NOTE: https://github.com/ntop/ntopng/commit/01f47e04fd7c8d54399c9e465f823f0017069f8f CVE-2017-7457 (XML External Entity via ".AOP" files used by Moxa MX-AOPC Server 1.5 r ...) NOT-FOR-US: Moxa CVE-2017-7456 (Moxa MXView 2.8 allows remote attackers to cause a Denial of Service b ...) NOT-FOR-US: Moxa CVE-2017-7455 (Moxa MXView 2.8 allows remote attackers to read web server's private k ...) NOT-FOR-US: Moxa CVE-2017-7454 (The iwgif_record_pixel function in imagew-gif.c in libimageworsener.a ...) NOT-FOR-US: ImageWorsener CVE-2017-7453 (The iwgif_record_pixel function in imagew-gif.c in libimageworsener.a ...) NOT-FOR-US: ImageWorsener CVE-2017-7452 (The iwbmp_read_info_header function in imagew-bmp.c in libimageworsene ...) NOT-FOR-US: ImageWorsener CVE-2017-7451 RESERVED CVE-2017-7450 (AIRTAME HDMI dongle with firmware before 2.2.0 allows unauthenticated ...) NOT-FOR-US: AIRTAME HDMI dongle CVE-2017-7449 RESERVED CVE-2017-7448 (The allocate_channel_framebuffer function in uncompressed_components.h ...) - lepton 1.2.1-3 (bug #859714) NOTE: https://github.com/dropbox/lepton/issues/86 NOTE: https://github.com/dropbox/lepton/commit/7789d99ac156adfd7bbf66e7824bd3e948a74cf7 CVE-2017-7447 (HelpDEZk 1.1.1 has CSRF in admin/home#/logos/ with an impact of remote ...) NOT-FOR-US: HelpDEZk CVE-2017-7446 (HelpDEZk 1.1.1 has CSRF in admin/home#/person/ with an impact of obtai ...) NOT-FOR-US: HelpDEZk CVE-2017-7445 RESERVED CVE-2017-0887 (Nextcloud Server before 9.0.55 and 10.0.2 suffers from a bypass in the ...) - nextcloud (bug #835086) CVE-2016-7443 (Exponent CMS 2.3.0 through 2.3.9 allows remote attackers to have unspe ...) NOT-FOR-US: Exponent CMS CVE-2015-9019 (In libxslt 1.1.29 and earlier, the EXSLT math.random function was not ...) - libxslt (unimportant; bug #859796) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=758400 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=934119 NOTE: There's no indication that math.random() in intended to ensure cryptographic NOTE: randomness requirements. Proper seeding needs to happen in the application NOTE: using libxslt. CVE-2017-7444 (In Veritas System Recovery before 16 SP1, there is a DLL hijacking vul ...) NOT-FOR-US: Veritas System Recovery CVE-2017-7442 (Nitro Pro 11.0.3.173 allows remote attackers to execute arbitrary code ...) NOT-FOR-US: Nitro Pro CVE-2017-7441 (In Sophos SurfRight HitmanPro before 3.7.20 Build 286 (included in the ...) NOT-FOR-US: Sophos CVE-2017-7440 (Kerio Connect 8.0.0 through 9.2.2, and Kerio Connect Client desktop ap ...) NOT-FOR-US: Kerio CVE-2017-7439 (NetApp OnCommand Unified Manager Core Package 5.x before 5.2.2P1 might ...) NOT-FOR-US: NetApp CVE-2017-7438 (NetIQ Privileged Account Manager before 3.1 Patch Update 3 allowed cro ...) NOT-FOR-US: NetIQ Privileged Account Manager CVE-2017-7437 (NetIQ Privileged Account Manager before 3.1 Patch Update 3 allowed cro ...) NOT-FOR-US: NetIQ Privileged Account Manager CVE-2017-7436 (In libzypp before 20170803 it was possible to retrieve unsigned packag ...) - libzypp 17.3.1-1 (bug #899065) [jessie] - libzypp (Minor issue) CVE-2017-7435 (In libzypp before 20170803 it was possible to add unsigned YUM reposit ...) - libzypp 17.3.1-1 (bug #899065) [jessie] - libzypp (Minor issue) CVE-2017-7434 (In the JDBC driver of NetIQ Identity Manager before 4.6 sending out in ...) NOT-FOR-US: NetIQ Identity Manager CVE-2017-7433 (An absolute path traversal vulnerability (CWE-36) in Micro Focus Vibe ...) NOT-FOR-US: Micro Focus Vibe CVE-2017-7432 (Novell iManager 2.7.x before 2.7 SP7 Patch 10 HF1 and NetIQ iManager 3 ...) NOT-FOR-US: Novell Novell iManager and NetIQ iManager CVE-2017-7431 (Novell iManager 2.7.x before 2.7 SP7 Patch 10 HF1 and NetIQ iManager 3 ...) NOT-FOR-US: Novell Novell iManager and NetIQ iManager CVE-2017-7430 (Novell iManager 2.7.x before 2.7 SP7 Patch 10 HF1 and NetIQ iManager 3 ...) NOT-FOR-US: Novell Novell iManager and NetIQ iManager CVE-2017-7429 (The certificate upload in NetIQ eDirectory PKI plugin before 8.8.8 Pat ...) NOT-FOR-US: NetIQ eDirectory PKI plugin CVE-2017-7428 (NetIQ iManager 3.x before 3.0.3.1 has an issue in the renegotiation of ...) NOT-FOR-US: NetIQ iManager CVE-2017-7427 (Multiple cross site scripting attacks were found in the Identity Manag ...) NOT-FOR-US: NetIQ Identity Manager Plug-in CVE-2017-7426 (The NetIQ Identity Manager Plugins before 4.6.1 contained various XML ...) NOT-FOR-US: NetIQ Identity Manager Plugins CVE-2017-7425 (Multiple potential reflected XSS issues exist in NetIQ iManager versio ...) NOT-FOR-US: NetIQ CVE-2017-7424 (A Path Traversal (CWE-22) vulnerability in esfadmingui in Micro Focus ...) NOT-FOR-US: Micro Focus CVE-2017-7423 (A Cross-Site Request Forgery (CWE-352) vulnerability in esfadmingui in ...) NOT-FOR-US: Micro Focus CVE-2017-7422 (Reflected and stored Cross-Site Scripting (XSS, CWE-79) vulnerabilitie ...) NOT-FOR-US: Micro Focus CVE-2017-7421 (Reflected and stored Cross-Site Scripting (XSS, CWE-79) vulnerabilitie ...) NOT-FOR-US: Micro Focus CVE-2017-7420 (An Authentication Bypass (CWE-287) vulnerability in ESMAC (aka Enterpr ...) NOT-FOR-US: Micro Focus CVE-2017-7419 (A OAuth application in NetIQ Access Manager 4.3 before 4.3.2 and 4.2 b ...) NOT-FOR-US: NetIQ Access Manager CVE-2017-7418 (ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the h ...) - proftpd-dfsg 1.3.5b-4 (low; bug #859592) [jessie] - proftpd-dfsg 1.3.5-1.1+deb8u2 [wheezy] - proftpd-dfsg (Minor issue) NOTE: http://bugs.proftpd.org/show_bug.cgi?id=4295 NOTE: https://github.com/proftpd/proftpd/commit/ecff21e0d0e84f35c299ef91d7fda088e516d4ed NOTE: https://github.com/proftpd/proftpd/commit/f59593e6ff730b832dbe8754916cb5c821db579f CVE-2017-7417 RESERVED CVE-2017-7416 (ntopng before 3.0 allows XSS because GET and POST parameters are impro ...) - ntopng 3.2+dfsg1-1 (bug #866722) [stretch] - ntopng (Minor issue) [jessie] - ntopng (Minor issue) CVE-2017-7415 (Atlassian Confluence 6.x before 6.0.7 allows remote attackers to bypas ...) NOT-FOR-US: Atlassian Confluence CVE-2016-10318 (A missing authorization check in the fscrypt_process_policy function i ...) - linux 4.7.4-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) CVE-2017-7414 (In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Editio ...) {DLA-1398-1} - php-horde-crypt 2.7.5-2 (bug #859635) CVE-2017-7413 (In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Editio ...) {DLA-1398-1} - php-horde-crypt 2.7.5-2 (bug #859635) CVE-2017-7412 (NixOS 17.03 before 17.03.887 has a world-writable Docker socket, which ...) NOT-FOR-US: NixOS specific Docker issue CVE-2017-7411 (An issue was discovered in Enalean Tuleap 9.6 and prior versions. The ...) NOT-FOR-US: Enalean Tuleap CVE-2017-7410 (Multiple SQL injection vulnerabilities in account/signup.php and accou ...) NOT-FOR-US: WebsiteBaker CVE-2017-7409 (Palo Alto Networks PAN-OS before 7.0.15 has XSS in the GlobalProtect e ...) NOT-FOR-US: Palo Alto Networks CVE-2017-7408 (Palo Alto Networks Traps ESM Console before 3.4.4 allows attackers to ...) NOT-FOR-US: Palo Alto Networks Traps ESM Console CVE-2017-7407 (The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow ...) {DLA-883-1} - curl 7.52.1-4 (unimportant; bug #859500) NOTE: https://github.com/curl/curl/commit/1890d59905414ab84a35892b2e45833654aa5c13 NOTE: Negligible security impact CVE-2017-7406 (The D-Link DIR-615 device before v20.12PTb04 doesn't use SSL for any o ...) NOT-FOR-US: D-Link CVE-2017-7405 (On the D-Link DIR-615 before v20.12PTb04, once authenticated, this dev ...) NOT-FOR-US: D-Link CVE-2017-7404 (On the D-Link DIR-615 before v20.12PTb04, if a victim logged in to the ...) NOT-FOR-US: D-Link CVE-2017-7403 RESERVED CVE-2017-7402 (Pixie 1.0.4 allows remote authenticated users to upload and execute ar ...) NOT-FOR-US: Pixie CMS CVE-2017-7401 (Incorrect interaction of the parse_packet() and parse_part_sign_sha256 ...) {DLA-884-1} - collectd 5.7.2-1 (bug #859494) [stretch] - collectd (Minor issue) [jessie] - collectd (Minor issue) NOTE: https://github.com/collectd/collectd/issues/2174 NOTE: https://github.com/collectd/collectd/commit/f6be4f9b49b949b379326c3d7002476e6ce4f211 CVE-2017-7400 (OpenStack Horizon 9.x through 9.1.1, 10.x through 10.0.2, and 11.0.0 a ...) - horizon 3:10.0.1-1 (bug #859559) [jessie] - horizon (Vulnerable code not present) [wheezy] - horizon (Vulnerable code not present) NOTE: https://launchpad.net/bugs/1667086 CVE-2016-10317 (The fill_threshhold_buffer function in base/gxht_thresh.c in Artifex S ...) - ghostscript 9.22~dfsg-2.1 (bug #860869) [stretch] - ghostscript 9.20~dfsg-3.2+deb9u2 [jessie] - ghostscript 9.06~dfsg-2+deb8u7 [wheezy] - ghostscript (Not directly reproducible, to re-evaluate once the upstream fix is known) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697459 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;h=362ec9daadb9992b0def3520cd1dc6fa52edd1c4 NOTE: I got the reproducer file from the bug submitter and tried to reproduce it. NOTE: Results are the following: sid/stretch with 9.20~dfsg-3 are NOTE: affected, it even segfaults. But with wheezy 9.05~dfsg-6.3+deb7u2 NOTE: and jessie 9.06~dfsg-2+deb8u4, we have no segfault and valgrind NOTE: reports no buffer overrun. -- Raphael Hertzog CVE-2017-1001000 (The register_routes function in wp-includes/rest-api/endpoints/class-w ...) - wordpress 4.7.2+dfsg-1 [jessie] - wordpress (Vulnerable code introduced after 4.4) [wheezy] - wordpress (Vulnerable code not present) NOTE: https://github.com/WordPress/WordPress/commit/e357195ce303017d517aff944644a7a1232926f7 NOTE: rest-api introduced in 4.4 upstream CVE-2016-10316 (Jensen of Scandinavia AS Air:Link 3G (AL3G) version 2.23m (Rev. 3), Ai ...) NOT-FOR-US: Jensen of Scandinavia AS Air:Link 3G CVE-2016-10315 (Jensen of Scandinavia AS Air:Link 3G (AL3G) version 2.23m (Rev. 3), Ai ...) NOT-FOR-US: Jensen of Scandinavia AS Air:Link 3G CVE-2016-10314 (Jensen of Scandinavia AS Air:Link 3G (AL3G) version 2.23m (Rev. 3), Ai ...) NOT-FOR-US: Jensen of Scandinavia AS Air:Link 3G CVE-2016-10313 (Jensen of Scandinavia AS Air:Link 3G (AL3G) version 2.23m (Rev. 3), Ai ...) NOT-FOR-US: Jensen of Scandinavia AS Air:Link 3G CVE-2016-10312 (Jensen of Scandinavia AS Air:Link 3G (AL3G) version 2.23m (Rev. 3), Ai ...) NOT-FOR-US: Jensen of Scandinavia AS Air:Link 3G CVE-2016-1000351 REJECTED CVE-2016-1000350 REJECTED CVE-2016-1000349 REJECTED CVE-2016-1000348 REJECTED CVE-2016-1000268 REJECTED CVE-2017-7399 (Cloudera Manager 5.8.x before 5.8.5, 5.9.x before 5.9.2, and 5.10.x be ...) NOT-FOR-US: Cloudera CVE-2017-7398 (D-Link DIR-615 HW: T1 FW:20.09 is vulnerable to Cross-Site Request For ...) NOT-FOR-US: D-Link CVE-2017-7397 (** DISPUTED ** BackBox Linux 4.6 allows remote attackers to cause a de ...) NOT-FOR-US: BackBox OS specific CVE assignment CVE-2017-7396 (In TigerVNC 1.7.1 (CConnection.cxx CConnection::CConnection), an unaut ...) - tigervnc 1.7.0+dfsg-7 (bug #859259) NOTE: https://github.com/TigerVNC/tigervnc/pull/436 NOTE: https://github.com/TigerVNC/tigervnc/pull/436/commits/dccb5f7d776e93863ae10bbff56a45c523c6eeb0 CVE-2017-7395 (In TigerVNC 1.7.1 (SMsgReader.cxx SMsgReader::readClientCutText), by c ...) - tigervnc 1.7.0+dfsg-7 (bug #859259) NOTE: https://github.com/TigerVNC/tigervnc/pull/436 NOTE: https://github.com/TigerVNC/tigervnc/pull/436/commits/bf3bdac082978ca32895a4b6a123016094905689 CVE-2017-7394 (In TigerVNC 1.7.1 (SSecurityPlain.cxx SSecurityPlain::processMsg), una ...) - tigervnc 1.7.0+dfsg-7 (bug #859259) NOTE: https://github.com/TigerVNC/tigervnc/pull/440 CVE-2017-7393 (In TigerVNC 1.7.1 (VNCSConnectionST.cxx VNCSConnectionST::fence), an a ...) - tigervnc 1.7.0+dfsg-7 (bug #859259) NOTE: https://github.com/TigerVNC/tigervnc/pull/438 CVE-2017-7392 (In TigerVNC 1.7.1 (SSecurityVeNCrypt.cxx SSecurityVeNCrypt::SSecurityV ...) - tigervnc 1.7.0+dfsg-7 (bug #859259) NOTE: https://github.com/TigerVNC/tigervnc/pull/441 CVE-2017-7391 (A Cross-Site Scripting (XSS) was discovered in 'Magmi 0.7.22'. The vul ...) NOT-FOR-US: Magmi CVE-2017-7390 (A Cross-Site Scripting (XSS) was discovered in 'SocialNetwork v1.2.1'. ...) NOT-FOR-US: SocialNetwork CVE-2017-7389 (Multiple Cross-Site Scripting (XSS) were discovered in 'openeclass Rel ...) NOT-FOR-US: The Open eClass Platform CVE-2017-7388 (A Cross-Site Scripting (XSS) was discovered in 'wallacepos v1.4.1'. Th ...) NOT-FOR-US: WallacePOS CVE-2017-7387 (TheFirstQuestion/HelpMeWatchWho before 2017-03-28 is vulnerable to a r ...) NOT-FOR-US: HelpMeWatchWho CVE-2017-7386 (citymont/symetrie v.0.9.6 is vulnerable to a reflected XSS in symetrie ...) NOT-FOR-US: symetrie CVE-2017-7385 RESERVED CVE-2017-7384 (Cross-site scripting (XSS) vulnerability in FlipBuilder Flip PDF allow ...) NOT-FOR-US: FlipBuilder Flip PDF CVE-2017-7383 (The PdfFontFactory.cpp:195:62 code in PoDoFo 0.9.5 allows remote attac ...) {DLA-968-1} - libpodofo 0.9.4-6 (bug #859329) [jessie] - libpodofo (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/3 NOTE: https://github.com/asarubbo/poc/blob/master/00252-podofo-nullptr4 NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1848 CVE-2017-7382 (The PdfFontFactory.cpp:200:88 code in PoDoFo 0.9.5 allows remote attac ...) {DLA-968-1} - libpodofo 0.9.4-6 (bug #859329) [jessie] - libpodofo (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/3 NOTE: https://github.com/asarubbo/poc/blob/master/00251-podofo-nullptr3 NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1848 CVE-2017-7381 (The doc/PdfPage.cpp:609:23 code in PoDoFo 0.9.5 allows remote attacker ...) {DLA-968-1} - libpodofo 0.9.4-6 (bug #859329) [jessie] - libpodofo (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/3 NOTE: https://github.com/asarubbo/poc/blob/master/00251-podofo-nullptr2 NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1848 CVE-2017-7380 (The doc/PdfPage.cpp:614:20 code in PoDoFo 0.9.5 allows remote attacker ...) {DLA-968-1} - libpodofo 0.9.4-6 (bug #859329) [jessie] - libpodofo (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/3 NOTE: https://github.com/asarubbo/poc/blob/master/00250-podofo-nullptr1 NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1848 CVE-2017-7379 (The PoDoFo::PdfSimpleEncoding::ConvertToEncoding function in PdfEncodi ...) {DLA-929-1} - libpodofo 0.9.4-5 (bug #859331) [jessie] - libpodofo (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/2 NOTE: upstream fix: https://sourceforge.net/p/podofo/code/1842/ CVE-2017-7378 (The PoDoFo::PdfPainter::ExpandTabs function in PdfPainter.cpp in PoDoF ...) {DLA-968-1} - libpodofo 0.9.4-6 (bug #859330) [jessie] - libpodofo (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/1 NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1847 CVE-2017-7377 (The (1) v9fs_create and (2) v9fs_lcreate functions in hw/9pfs/9p.c in ...) {DLA-1497-1 DLA-1035-1 DLA-965-1} - qemu 1:2.8+dfsg-4 (bug #859854) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-03/msg05449.html NOTE: http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=d63fb193e71644a073b77ff5ac6f1216f2f6cf6e NOTE: http://www.openwall.com/lists/oss-security/2017/04/03/2 NOTE: For older releases affected code is in hw/9pfs/virtio-9p.c CVE-2017-7376 (Buffer overflow in libxml2 allows remote attackers to execute arbitrar ...) {DSA-3952-1 DLA-1060-1} - libxml2 2.9.4+dfsg1-3.1 (bug #870865) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=780690 (not yet public) NOTE: Android patch: https://android.googlesource.com/platform/external/libxml2/+/51e0cb2e5ec18eaf6fb331bc573ff27b743898f4 NOTE: Fix upstream: https://git.gnome.org/browse/libxml2/commit/?id=5dca9eea1bd4263bfa4d037ab2443de1cd730f7e NOTE: The upstream patch has the slight consequence that some port values end up NOTE: negative when cast to a 32-bit int. A negative port though in the URL would NOTE: make the URL invalid. It is discussed if instead it would be best to prevent NOTE: the port from ever being negative. Upstream decided to leave the above patch. CVE-2017-7375 (A flaw in libxml2 allows remote XML entity inclusion with default pars ...) {DSA-3952-1 DLA-1008-1} - libxml2 2.9.4+dfsg1-3.1 (bug #870867) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=780691 (not yet public) NOTE: Android patch: https://android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad4112d4f9892f4cbeff042aa NOTE: Fix upstream: https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e CVE-2017-7374 (Use-after-free vulnerability in fs/crypto/ in the Linux kernel before ...) - linux 4.9.25-1 [jessie] - linux (Vulnerable code not present; Introduced in 4.2-rc1) [wheezy] - linux (Vulnerable code not present; Introduced in 4.2-rc1) NOTE: Fixed by: https://git.kernel.org/linus/1b53cf9815bb4744958d41f3795d5d5a1d365e2d (4.11-rc4) CVE-2017-7373 (In all Android releases from CAF using the Linux kernel, a double free ...) NOT-FOR-US: Android display driver CVE-2017-7372 (In all Android releases from CAF using the Linux kernel, a race condit ...) NOT-FOR-US: Android CVE-2017-7371 (In all Android releases from CAF using the Linux kernel, a data pointe ...) NOT-FOR-US: Android CVE-2017-7370 (In all Android releases from CAF using the Linux kernel, a race condit ...) NOT-FOR-US: Android CVE-2017-7369 (In all Android releases from CAF using the Linux kernel, an array inde ...) - linux (Android-specific) CVE-2017-7368 (In all Android releases from CAF using the Linux kernel, a race condit ...) NOT-FOR-US: Android driver CVE-2017-7367 (In all Android releases from CAF using the Linux kernel, an integer un ...) NOT-FOR-US: Android CVE-2017-7366 (In all Android releases from CAF using the Linux kernel, a KGSL ioctl ...) NOT-FOR-US: Android driver CVE-2017-7365 (In all Android releases from CAF using the Linux kernel, a buffer over ...) NOT-FOR-US: Android CVE-2017-7364 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-7363 (Pixie 1.0.4 allows an admin/index.php s=publish&m=module&x= XS ...) NOT-FOR-US: Pixie CMS CVE-2017-7362 (Pixie 1.0.4 allows an admin/index.php s=publish&m=dynamic&x= X ...) NOT-FOR-US: Pixie CMS CVE-2017-7361 (Pixie 1.0.4 allows an admin/index.php s=publish&m=static&x= XS ...) NOT-FOR-US: Pixie CMS CVE-2017-7360 (Pixie 1.0.4 allows an admin/index.php s=settings&x= XSS attack. ...) NOT-FOR-US: Pixie CMS CVE-2017-7359 (Pixie 1.0.4 allows an admin/index.php s=login&m= XSS attack. ...) NOT-FOR-US: Pixie CMS CVE-2017-7358 (In LightDM through 1.22.0, a directory traversal issue in debian/guest ...) - lightdm (Vulnerable code not present) NOTE: https://launchpad.net/bugs/1677924 NOTE: Specific script debian/guest-account.sh not merged from Ubuntu CVE-2017-7357 (Hipchat Server before 2.2.3 allows remote authenticated users with Ser ...) NOT-FOR-US: Hipchat Server CVE-2017-7356 RESERVED CVE-2017-7355 RESERVED CVE-2017-7354 RESERVED CVE-2017-7353 RESERVED CVE-2017-7352 (Stored Cross-site scripting (XSS) vulnerability in Pure Storage Purity ...) NOT-FOR-US: Pure Storage Purity CVE-2017-7351 (A SQL injection issue exists in a file upload handler in REDCap 7.x be ...) NOT-FOR-US: REDCap CVE-2017-7350 RESERVED CVE-2017-7349 RESERVED CVE-2017-7348 RESERVED CVE-2017-7347 RESERVED CVE-2017-7346 (The vmw_gb_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmw ...) {DSA-3945-1 DSA-3927-1} - linux 4.11.6-1 [wheezy] - linux (Vulnerable code introduced in 3.14) NOTE: Fixed by: https://git.kernel.org/linus/ee9c4e681ec4f58e42a83cb0c22a0289ade1aacf CVE-2017-7345 (NetApp OnCommand Performance Manager and OnCommand Unified Manager for ...) NOT-FOR-US: NetApp CVE-2016-10311 (Stack-based buffer overflow in SAP NetWeaver 7.0 through 7.5 allows re ...) NOT-FOR-US: SAP CVE-2016-10310 (Buffer overflow in the MobiLink Synchronization Server component in SA ...) NOT-FOR-US: MobiLink Synchronization Server CVE-2017-7344 (A privilege escalation in Fortinet FortiClient Windows 5.4.3 and earli ...) NOT-FOR-US: Fortinet FortiClient Windows CVE-2017-7343 (An open redirect vulnerability in Fortinet FortiPortal 4.0.0 and below ...) NOT-FOR-US: Fortinet FortiPortal CVE-2017-7342 (A weak password recovery process vulnerability in Fortinet FortiPortal ...) NOT-FOR-US: Fortinet CVE-2017-7341 (An OS Command Injection vulnerability in Fortinet FortiWLC 6.1-2 throu ...) NOT-FOR-US: Fortinet CVE-2017-7340 (A Cross-Site Scripting vulnerability in Fortinet FortiPortal versions ...) NOT-FOR-US: Fortinet CVE-2017-7339 (A Cross-Site Scripting vulnerability in Fortinet FortiPortal versions ...) NOT-FOR-US: Fortinet FortiPortal CVE-2017-7338 (A password management vulnerability in Fortinet FortiPortal versions 4 ...) NOT-FOR-US: Fortinet FortiPortal CVE-2017-7337 (An improper Access Control vulnerability in Fortinet FortiPortal versi ...) NOT-FOR-US: Fortinet FortiPortal CVE-2017-7336 (A hard-coded account named 'upgrade' in Fortinet FortiWLM 8.3.0 and lo ...) NOT-FOR-US: Fortinet CVE-2017-7335 (A Cross-Site Scripting (XSS) vulnerability in Fortinet FortiWLC 6.1-x ...) NOT-FOR-US: Fortinet CVE-2017-7334 RESERVED CVE-2017-7333 RESERVED CVE-2017-7332 RESERVED CVE-2017-7331 RESERVED CVE-2017-7330 RESERVED CVE-2017-7329 RESERVED CVE-2017-7328 RESERVED CVE-2017-7327 (Yandex Browser installer for Desktop before 17.4.1 has a DLL Hijacking ...) NOT-FOR-US: Yandex Browser installer for Desktop CVE-2017-7326 (Race condition issue in Yandex Browser for Android before 17.4.0.16 al ...) NOT-FOR-US: Yandex Browser for Android CVE-2017-7325 (Yandex Browser before 16.9.0 allows remote attackers to spoof the addr ...) NOT-FOR-US: Yandex Browser CVE-2017-7324 (setup/templates/findcore.php in MODX Revolution 2.5.4-pl and earlier a ...) NOT-FOR-US: MODX Revolution CVE-2017-7323 (The (1) update and (2) package-installation features in MODX Revolutio ...) NOT-FOR-US: MODX Revolution CVE-2017-7322 (The (1) update and (2) package-installation features in MODX Revolutio ...) NOT-FOR-US: MODX Revolution CVE-2017-7321 (setup/controllers/welcome.php in MODX Revolution 2.5.4-pl and earlier ...) NOT-FOR-US: MODX Revolution CVE-2017-7320 (setup/controllers/language.php in MODX Revolution 2.5.4-pl and earlier ...) NOT-FOR-US: MODX Revolution CVE-2017-7319 REJECTED CVE-2017-7318 (Siklu EtherHaul devices before 7.4.0 are vulnerable to a remote comman ...) NOT-FOR-US: Siklu EtherHaul CVE-2017-7317 (An issue was discovered on Humax Digital HG100 2.0.6 devices. The atta ...) NOT-FOR-US: Humax Digital HG100 CVE-2017-7316 (An issue was discovered on Humax Digital HG100R 2.0.6 devices. There i ...) NOT-FOR-US: Humax Digital HG100R CVE-2017-7315 (An issue was discovered on Humax Digital HG100R 2.0.6 devices. To down ...) NOT-FOR-US: Humax Digital HG100R CVE-2017-7314 (An issue was discovered in Personify360 e-Business 7.5.2 through 7.6.1 ...) NOT-FOR-US: Personify360 e-Business CVE-2017-7313 (An issue was discovered in Personify360 e-Business 7.5.2 through 7.6.1 ...) NOT-FOR-US: Personify360 e-Business CVE-2017-7312 (An issue was discovered in Personify360 e-Business 7.5.2 through 7.6.1 ...) NOT-FOR-US: Personify360 e-Business CVE-2017-7311 RESERVED CVE-2017-7310 (A buffer overflow vulnerability in Import Command in SyncBreeze before ...) NOT-FOR-US: Sync Breeze Enterprise CVE-2017-7309 (A cross-site scripting (XSS) vulnerability in the MantisBT Configurati ...) - mantis [wheezy] - mantis (Unsupported in Wheezy LTS) NOTE: http://www.openwall.com/lists/oss-security/2017/03/30/4 CVE-2017-7307 (Riverbed RiOS before 9.0.1 does not properly restrict shell access in ...) NOT-FOR-US: Riverbed RiOS CVE-2017-7306 (** DISPUTED ** Riverbed RiOS through 9.6.0 has a weak default password ...) NOT-FOR-US: Riverbed RiOS CVE-2017-7305 (** DISPUTED ** Riverbed RiOS through 9.6.0 does not require a bootload ...) NOT-FOR-US: Riverbed RiOS CVE-2017-7304 (The Binary File Descriptor (BFD) library (aka libbfd), as distributed ...) - binutils 2.27.51.20161212-1 [jessie] - binutils (Minor issue) [wheezy] - binutils (vulnerable code not present) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20931 CVE-2017-7303 (The Binary File Descriptor (BFD) library (aka libbfd), as distributed ...) - binutils 2.27.51.20161212-1 [jessie] - binutils (Minor issue) [wheezy] - binutils (vulnerable code not present) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20922 CVE-2017-7302 (The Binary File Descriptor (BFD) library (aka libbfd), as distributed ...) - binutils 2.27.51.20161212-1 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20921 CVE-2017-7301 (The Binary File Descriptor (BFD) library (aka libbfd), as distributed ...) - binutils 2.27.51.20161212-1 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20924 CVE-2017-7300 (The Binary File Descriptor (BFD) library (aka libbfd), as distributed ...) - binutils 2.27.51.20161212-1 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20909 CVE-2017-7299 (The Binary File Descriptor (BFD) library (aka libbfd), as distributed ...) - binutils 2.27.51.20161220-1 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20908 CVE-2016-10309 (In the GUI of Ceragon FibeAir IP-10 (before 7.2.0) devices, a remote a ...) NOT-FOR-US: Ceragon FibeAir CVE-2016-10308 (Siklu EtherHaul radios before 3.7.1 and 6.x before 6.9.0 have a built- ...) NOT-FOR-US: Siklu EtherHaul CVE-2016-10307 (Trango ApexLynx 2.0, ApexOrion 2.0, GigaLynx 2.0, GigaOrion 2.0, and S ...) NOT-FOR-US: Trango CVE-2016-10306 (Trango Altum AC600 devices have a built-in, hidden root account, with ...) NOT-FOR-US: Trango CVE-2016-10305 (Trango Apex <= 2.1.1, ApexLynx < 2.0, ApexOrion < 2.0, ApexPl ...) NOT-FOR-US: Trango CVE-2016-10304 (The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remot ...) NOT-FOR-US: SAP CVE-2017-7308 (The packet_set_ring function in net/packet/af_packet.c in the Linux ke ...) {DLA-922-1} - linux 4.9.18-1 [jessie] - linux 3.16.43-1 NOTE: Fixed by: https://git.kernel.org/linus/2b6867c2ce76c596676bec7d2d525af525fdc6e2 NOTE: Fixed by: https://git.kernel.org/linus/8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b NOTE: Fixed by: https://git.kernel.org/linus/bcc5364bdcfe131e6379363f089e7b4108d35b70 NOTE: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html CVE-2017-7298 (In Moodle 3.2.2+, there is XSS in the Course summary filter of the "Ad ...) - moodle (unimportant) NOTE: http://www.daimacn.com/post/12.html NOTE: https://tracker.moodle.org/browse/MDL-52038 NOTE: Not considered a security issue/bug upstream, disputed that it got a CVE NOTE: assigned. Mark as unimportant as non-issue. CVE-2017-7297 (Rancher Labs rancher server 1.2.0+ is vulnerable to authenticated user ...) NOT-FOR-US: Rancher Labs rancher server CVE-2017-7296 (An issue was discovered in Contiki Operating System 3.0. A Persistent ...) NOT-FOR-US: Contiki Operating System CVE-2017-7295 (An issue was discovered in Contiki Operating System 3.0. A use-after-f ...) NOT-FOR-US: Contiki Operating System CVE-2017-7293 (The Dolby DAX2 and DAX3 API services are vulnerable to a privilege esc ...) NOT-FOR-US: Dolby CVE-2017-7294 (The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx ...) {DLA-922-1} - linux 4.9.18-1 [jessie] - linux 3.16.43-1 NOTE: Fixed by: https://git.kernel.org/linus/e7e11f99564222d82f0ce84bd521e57d78a6b678 CVE-2017-7292 RESERVED CVE-2017-7291 RESERVED CVE-2017-7290 (SQL injection vulnerability in XOOPS 2.5.7.2 and other versions before ...) NOT-FOR-US: XOOPS CVE-2017-7289 RESERVED CVE-2017-7288 (Cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite ...) NOT-FOR-US: Zimbra CVE-2017-7287 RESERVED CVE-2017-7286 REJECTED CVE-2016-10303 RESERVED CVE-2016-10302 RESERVED CVE-2016-10301 RESERVED CVE-2016-10300 RESERVED CVE-2016-10299 (An elevation of privilege vulnerability in Qualcomm closed source comp ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10298 (An elevation of privilege vulnerability in Qualcomm closed source comp ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10297 (In TrustZone in all Android releases from CAF using the Linux kernel, ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10296 (An information disclosure vulnerability in the Qualcomm shared memory ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10295 (An information disclosure vulnerability in the Qualcomm LED driver cou ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10294 (An information disclosure vulnerability in the Qualcomm power driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10293 (An information disclosure vulnerability in the Qualcomm video driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10292 (A denial of service vulnerability in the Qualcomm Wi-Fi driver could e ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10291 (An elevation of privilege vulnerability in the Qualcomm Slimbus driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10290 (An elevation of privilege vulnerability in the Qualcomm shared memory ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10289 (An elevation of privilege vulnerability in the Qualcomm crypto driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10288 (An elevation of privilege vulnerability in the Qualcomm LED driver cou ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10287 (An elevation of privilege vulnerability in the Qualcomm sound driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10286 (An elevation of privilege vulnerability in the Qualcomm video driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10285 (An elevation of privilege vulnerability in the Qualcomm video driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10284 (An elevation of privilege vulnerability in the Qualcomm video driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10283 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10282 (An elevation of privilege vulnerability in the MediaTek thermal driver ...) NOT-FOR-US: Mediatek driver for Android CVE-2016-10281 (An elevation of privilege vulnerability in the MediaTek thermal driver ...) NOT-FOR-US: Mediatek driver for Android CVE-2016-10280 (An elevation of privilege vulnerability in the MediaTek thermal driver ...) NOT-FOR-US: Mediatek driver for Android CVE-2016-10279 RESERVED NOT-FOR-US: Qualcomm components for Android CVE-2016-10278 RESERVED NOT-FOR-US: Qualcomm components for Android CVE-2016-10277 (An elevation of privilege vulnerability in the Motorola bootloader cou ...) NOT-FOR-US: Motorola component for Android CVE-2016-10276 (An elevation of privilege vulnerability in the Qualcomm bootloader cou ...) NOT-FOR-US: Qualcomm component for Android CVE-2016-10275 (An elevation of privilege vulnerability in the Qualcomm bootloader cou ...) NOT-FOR-US: Qualcomm component for Android CVE-2016-10274 (An elevation of privilege vulnerability in the MediaTek touchscreen dr ...) NOT-FOR-US: Mediatek driver for Android CVE-2015-9018 RESERVED CVE-2015-9017 RESERVED CVE-2015-9016 (In blk_mq_tag_to_rq in blk-mq.c in the upstream kernel, there is a pos ...) {DSA-4187-1} - linux 4.2.3-1 [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/0048b4837affd153897ed1222283492070027aa9 (4.3-rc1) CVE-2015-9015 (An elevation of privilege vulnerability in Qualcomm closed source comp ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9014 (An elevation of privilege vulnerability in Qualcomm closed source comp ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9013 (An elevation of privilege vulnerability in Qualcomm closed source comp ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9012 (An elevation of privilege vulnerability in Qualcomm closed source comp ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9011 (An elevation of privilege vulnerability in Qualcomm closed source comp ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9010 (An elevation of privilege vulnerability in Qualcomm closed source comp ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9009 (An elevation of privilege vulnerability in Qualcomm closed source comp ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9008 (An elevation of privilege vulnerability in Qualcomm closed source comp ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9007 (In TrustZone in all Android releases from CAF using the Linux kernel, ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9006 (In Resource Power Manager (RPM) in all Android releases from CAF using ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9005 (In TrustZone in all Android releases from CAF using the Linux kernel, ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9004 (kernel/events/core.c in the Linux kernel before 3.19 mishandles counte ...) - linux 3.16.7-ckt7-1 [wheezy] - linux (Vulnerable code not present) CVE-2014-9959 (An elevation of privilege vulnerability in Qualcomm closed source comp ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9958 (An elevation of privilege vulnerability in Qualcomm closed source comp ...) NOT-FOR-US: Qualcomm component for Android CVE-2014-9957 (An elevation of privilege vulnerability in Qualcomm closed source comp ...) NOT-FOR-US: Qualcomm component for Android CVE-2014-9956 (An elevation of privilege vulnerability in Qualcomm closed source comp ...) NOT-FOR-US: Qualcomm component for Android CVE-2014-9955 (An elevation of privilege vulnerability in Qualcomm closed source comp ...) NOT-FOR-US: Qualcomm component for Android CVE-2014-9954 (An elevation of privilege vulnerability in Qualcomm closed source comp ...) NOT-FOR-US: Qualcomm component for Android CVE-2014-9953 (An elevation of privilege vulnerability in Qualcomm closed source comp ...) NOT-FOR-US: Qualcomm component for Android CVE-2014-9952 (In the Secure File System in all Android releases from CAF using the L ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9951 (In TrustZone in all Android releases from CAF using the Linux kernel, ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9950 (In Core Kernel in all Android releases from CAF using the Linux kernel ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9949 (In TrustZone in all Android releases from CAF using the Linux kernel, ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9948 (In TrustZone in all Android releases from CAF using the Linux kernel, ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9947 (In TrustZone in all Android releases from CAF using the Linux kernel, ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9946 (In Core Kernel in all Android releases from CAF using the Linux kernel ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9945 (In TrustZone in all Android releases from CAF using the Linux kernel, ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9944 (In the Secure File System in all Android releases from CAF using the L ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9943 (In Core Kernel in all Android releases from CAF using the Linux kernel ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9942 (In Boot in all Android releases from CAF using the Linux kernel, a Use ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9941 (In the Embedded File System in all Android releases from CAF using the ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9940 (The regulator_ena_gpio_free function in drivers/regulator/core.c in th ...) {DSA-3945-1} - linux 4.0.2-1 (low) [wheezy] - linux (Vulnerable code not present) CVE-2017-7285 (A vulnerability in the network stack of MikroTik Version 6.38.5 releas ...) NOT-FOR-US: MikroTik CVE-2017-7284 (An attacker that has hijacked a Unitrends Enterprise Backup (before 9. ...) NOT-FOR-US: Unitrends Enterprise Backup CVE-2017-7283 (An authenticated user of Unitrends Enterprise Backup before 9.1.2 can ...) NOT-FOR-US: Unitrends Enterprise Backup CVE-2017-7282 (An issue was discovered in Unitrends Enterprise Backup before 9.1.1. T ...) NOT-FOR-US: Unitrends Enterprise Backup CVE-2017-7281 (An issue was discovered in Unitrends Enterprise Backup before 9.1.2. A ...) NOT-FOR-US: Unitrends Enterprise Backup CVE-2017-7280 (An issue was discovered in api/includes/systems.php in Unitrends Enter ...) NOT-FOR-US: Unitrends Enterprise Backup CVE-2017-7279 (An unprivileged user of the Unitrends Enterprise Backup before 9.0.0 w ...) NOT-FOR-US: Unitrends Enterprise Backup CVE-2017-7278 (Unspecified vulnerability in ASSA ABLOY APTUS Styra Porttelefonkort 44 ...) NOT-FOR-US: ASSA ABLOY APTUS Styra Porttelefonkort 4400 CVE-2017-7277 (The TCP stack in the Linux kernel through 4.10.6 mishandles the SCM_TI ...) - linux (Vulnerable code introduced in 4.10-rc1) CVE-2017-7276 (There is reflected XSS in TOPdesk before 5.7.6 and 6.x and 7.x before ...) NOT-FOR-US: TOPdesk CVE-2017-7275 (The ReadPCXImage function in coders/pcx.c in ImageMagick 7.0.4.9 allow ...) - imagemagick (unimportant; bug #859025) NOTE: https://blogs.gentoo.org/ago/2017/03/27/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c-incomplete-fix-for-cve-2016-8862-and-cve-2016-8866/ NOTE: https://github.com/ImageMagick/ImageMagick/issues/271 NOTE: Furthermore: upstream is not able to reproduce the problem as well NOTE: The problem result in a memory allocation issue when compiled with ASAN NOTE: but unreproducible from unstream. Since no more details can be provided NOTE: and the issue not addressed, treat this as "non-issue" (and thus marked NOTE: unimportant). If in future details can be elaborated by the reporter NOTE: we might re-evaluate this entry. CVE-2017-7274 (The r_pkcs7_parse_cms function in libr/util/r_pkcs7.c in radare2 1.3.0 ...) - radare2 (Vulnerable parsers introduced in 1.3.0-git, cf. #858873) NOTE: https://github.com/radare/radare2/commit/7ab66cca5bbdf6cb2d69339ef4f513d95e532dbf NOTE: https://github.com/radare/radare2/issues/7152 CVE-2017-7271 (Reflected Cross-site scripting (XSS) vulnerability in Yii Framework be ...) - yii (bug #597899) CVE-2017-7270 RESERVED CVE-2017-7273 (The cp_report_fixup function in drivers/hid/hid-cypress.c in the Linux ...) {DLA-922-1} - linux 4.9.6-1 [jessie] - linux 3.16.43-1 NOTE: Fixed by: https://git.kernel.org/linus/1ebb71143758f45dc0fa76e2f48429e13b16d110 CVE-2017-7272 (PHP through 7.1.11 enables potential SSRF in applications that accept ...) {DLA-875-1} - php7.3 [buster] - php7.3 (Upstream patch breaks existing applications, was reverted again, revisit if a new approach has been identified) - php7.1 - php7.0 [stretch] - php7.0 (Upstream patch breaks existing applications, revisit if a new approach has been identified) - php5 [jessie] - php5 (Never applied to PHP 5 by upstream, breaks existing applications) NOTE: https://github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a NOTE: https://bugs.php.net/bug.php?id=74216 NOTE: Fixed in 7.1.4 and 7.0.18, but were later reverted: https://bugzilla.redhat.com/show_bug.cgi?id=1437837#c3 CVE-2017-7269 (Buffer overflow in the ScStoragePathFromUrl function in the WebDAV ser ...) NOT-FOR-US: Windows CVE-2017-7268 RESERVED CVE-2017-7267 RESERVED CVE-2017-7266 (Netflix Security Monkey before 0.8.0 has an Open Redirect. The logout ...) NOT-FOR-US: Netflix Security Monkey CVE-2017-7265 RESERVED CVE-2017-7264 (Use-after-free vulnerability in the fz_subsample_pixmap function in fi ...) {DSA-3797-1} - mupdf 1.9a+ds1-3 (bug #854734) [wheezy] - mupdf (vulnerable code not present) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697515 NOTE: Fix http://git.ghostscript.com/?p=mupdf.git;h=2c4e5867ee699b1081527bc6c6ea0e99a35a5c27 NOTE: https://blogs.gentoo.org/ago/2017/02/09/mupdf-use-after-free-in-fz_subsample_pixmap-pixmap-c/ NOTE: Related to CVE-2017-5896. But CVE-2017-7264 is for the use-after-free NOTE: vulnerability whereas CVE-2017-5896 is for the hea-based buffer overflow NOTE: in fz_subsample_pixmap. CVE-2017-7263 (The bm_readbody_bmp function in bitmap_io.c in Potrace 1.14 allows rem ...) - potrace 1.15-1 (bug #858763) [stretch] - potrace (Minor issue) [jessie] - potrace (Minor issue) [wheezy] - potrace (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/03/03/potrace-heap-based-buffer-overflow-in-bm_readbody_bmp-bitmap_io-c-incomplete-fix-for-cve-2016-8698/ NOTE: Proposed patch: https://github.com/asarubbo/poc/blob/master/00219-potrace-heapoverflow-bm_readbody_bmp-PATCH NOTE: This CVE is for an incomplete fix of CVE-2016-8698 CVE-2016-10273 (Multiple stack buffer overflow vulnerabilities in Jensen of Scandinavi ...) NOT-FOR-US: Jensen of Scandinavia Air:Link Routers CVE-2017-7262 (The AMD Ryzen processor with AGESA microcode through 2017-01-27 allows ...) NOT-FOR-US: Hardware bug in AMD Ryzen CPUs, cannot be fixed via micro code updates, but only BIOS updates CVE-2017-7261 (The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx ...) {DLA-922-1} - linux 4.9.18-1 [jessie] - linux 3.16.43-1 NOTE: Fixed by: https://git.kernel.org/linus/36274ab8c596f1240c606bb514da329add2a1bcd CVE-2017-7260 RESERVED CVE-2017-7259 REJECTED CVE-2017-7258 (HTTP Exploit in eMLi Portal in AuroMeera Technometrix Pvt. Ltd. eMLi a ...) NOT-FOR-US: AuroMeera Technometrix CVE-2017-7257 (XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News--&g ...) NOT-FOR-US: CMS Made Simple CVE-2017-7256 (XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News--&g ...) NOT-FOR-US: CMS Made Simple CVE-2017-7255 (XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News--&g ...) NOT-FOR-US: CMS Made Simple CVE-2016-10272 (LibTIFF 4.0.7 allows remote attackers to cause a denial of service (he ...) {DSA-3762-1 DLA-795-1} - tiff 4.0.7-2 - tiff3 [wheezy] - tiff3 (libtiff-tools not shipped by this source package) NOTE: https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/ NOTE: https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2620 CVE-2016-10271 (tools/tiffcrop.c in LibTIFF 4.0.7 allows remote attackers to cause a d ...) {DSA-3762-1 DLA-795-1} - tiff 4.0.7-2 - tiff3 [wheezy] - tiff3 (libtiff-tools not shipped by this source package) NOTE: https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/ NOTE: https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2620 CVE-2016-10270 (LibTIFF 4.0.7 allows remote attackers to cause a denial of service (he ...) {DSA-3844-1} - tiff 4.0.7-2 (bug #846837) [wheezy] - tiff 4.0.2-6+deb7u9 - tiff3 [wheezy] - tiff3 (Unreproducible) NOTE: https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/ NOTE: https://github.com/vadz/libtiff/commit/9a72a69e035ee70ff5c41541c8c61cd97990d018 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2608 CVE-2016-10269 (LibTIFF 4.0.7 allows remote attackers to cause a denial of service (he ...) {DSA-3844-1 DLA-877-1} - tiff 4.0.7-2 - tiff3 [wheezy] - tiff3 (Unreproducible) NOTE: https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/ NOTE: https://github.com/vadz/libtiff/commit/1044b43637fa7f70fb19b93593777b78bd20da86 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2604 CVE-2016-10268 (tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers to cause a den ...) {DLA-877-1} - tiff 4.0.7-2 (unimportant) - tiff3 (unimportant) [wheezy] - tiff3 (issue in tiffcp that is not shipped by the source package) NOTE: https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/ NOTE: https://github.com/vadz/libtiff/commit/5397a417e61258c69209904e652a1f409ec3b9df NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2598 NOTE: Crash in CLI tool not treated as a security issue CVE-2016-10267 (LibTIFF 4.0.7 allows remote attackers to cause a denial of service (di ...) {DSA-3844-1 DLA-877-1} - tiff 4.0.7-2 - tiff3 [wheezy] - tiff3 (Unreproducible, BigTIFF not supported by this version) NOTE: https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-divide-by-zero/ NOTE: https://github.com/vadz/libtiff/commit/43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2611 CVE-2016-10266 (LibTIFF 4.0.7 allows remote attackers to cause a denial of service (di ...) {DSA-3844-1 DLA-877-1} - tiff 4.0.7-2 - tiff3 [wheezy] - tiff3 (Unreproducible) NOTE: https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-divide-by-zero NOTE: https://github.com/vadz/libtiff/commit/438274f938e046d33cb0e1230b41da32ffe223e1 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2596 CVE-2017-7254 RESERVED CVE-2017-7253 (Dahua IP Camera devices 3.200.0001.6 can be exploited via these steps: ...) NOT-FOR-US: Dahua IP Camera devices CVE-2017-7252 [Incorrect bcrypt computation] RESERVED - botan1.10 (Introduced in 1.11.0) NOTE: Bug introduced in 1.11.0, fixed in 2.1.0. CVE-2017-7251 (A Cross-Site Scripting (XSS) was discovered in pi-engine/pi 2.5.0. The ...) NOT-FOR-US: pi-engine CVE-2017-7250 (A Cross-Site Scripting (XSS) was discovered in Gazelle before 2017-03- ...) NOT-FOR-US: Gazelle torrent tracker CVE-2017-7249 (Multiple Cross-Site Scripting (XSS) were discovered in Gazelle before ...) NOT-FOR-US: Gazelle torrent tracker CVE-2017-7248 (A Cross-Site Scripting (XSS) was discovered in Gazelle before 2017-03- ...) NOT-FOR-US: Gazelle torrent tracker CVE-2017-7247 (Multiple Cross-Site Scripting (XSS) were discovered in Gazelle before ...) NOT-FOR-US: Gazelle torrent tracker CVE-2017-7246 (Stack-based buffer overflow in the pcre32_copy_substring function in p ...) - pcre3 (bug #858679; unimportant) [jessie] - pcre3 (Minor issue; 32bit character support not enabled) [wheezy] - pcre3 (Vulnerable code not present) NOTE: https://bugs.exim.org/show_bug.cgi?id=2057 NOTE: https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/ NOTE: pcre32 support enabled only in pcre3/1:8.35-4 NOTE: Fixed by: http://vcs.pcre.org/pcre?view=revision&revision=1691 (8.41) CVE-2017-7245 (Stack-based buffer overflow in the pcre32_copy_substring function in p ...) - pcre3 (bug #858678; unimportant) [jessie] - pcre3 (Minor issue; 32bit character support not enabled) [wheezy] - pcre3 (Vulnerable code not present) NOTE: https://bugs.exim.org/show_bug.cgi?id=2055 NOTE: https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/ NOTE: pcre32 support enabled only in pcre3/1:8.35-4 NOTE: Fixed by: http://vcs.pcre.org/pcre?view=revision&revision=1691 (8.41) CVE-2017-7244 (The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 ...) - pcre3 2:8.39-3 (bug #858683) [jessie] - pcre3 (Minor issue; 32bit character support not enabled) [wheezy] - pcre3 (Vulnerable code not present) NOTE: https://bugs.exim.org/show_bug.cgi?id=2054 NOTE: https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/ NOTE: pcre32 support enabled only in pcre3/1:8.35-4 NOTE: Bisected and the following change addresses the issue for pcre3: NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1688 (8.41) CVE-2017-7243 (Eclipse tinydtls 0.8.2 for Eclipse IoT allows remote attackers to caus ...) NOT-FOR-US: Eclipse tinydtls for Eclipse IoT CVE-2017-7242 (Multiple Cross-Site Scripting (XSS) were discovered in admin/modules c ...) NOT-FOR-US: SLiMS CVE-2017-7241 (A cross-site scripting (XSS) vulnerability in the MantisBT Move Attach ...) - mantis [wheezy] - mantis (Unsupported in Wheezy LTS) NOTE: http://www.openwall.com/lists/oss-security/2017/03/30/4 CVE-2017-7240 (An issue was discovered on Miele Professional PST10 devices. The corre ...) NOT-FOR-US: Miele Professional PG 8528 PST10 devices CVE-2017-7239 (Ninka before 1.3.2 might allow remote attackers to obtain sensitive in ...) - ninka (Fixed with the initial release to Debian) NOTE: https://github.com/dmgerman/ninka/commit/81f185261c8863c5b84344ee31192870be939faf CVE-2017-7238 RESERVED CVE-2017-7237 (The Spiceworks TFTP Server, as distributed with Spiceworks Inventory 7 ...) NOT-FOR-US: Spiceworks CVE-2017-7236 (SQL injection vulnerability in NetApp OnCommand Unified Manager Core P ...) NOT-FOR-US: NetApp CVE-2016-10265 RESERVED CVE-2016-10264 RESERVED CVE-2016-10263 RESERVED CVE-2016-10262 RESERVED CVE-2016-10261 RESERVED CVE-2016-10260 RESERVED CVE-2016-10259 (Symantec SSL Visibility (SSLV) 3.8.4FC, 3.9, 3.10 before 3.10.4.1, and ...) NOT-FOR-US: Blue Coat CVE-2016-10258 (Unrestricted file upload vulnerability in the Symantec Advanced Secure ...) NOT-FOR-US: Symantec CVE-2016-10257 (The Symantec Advanced Secure Gateway (ASG) 6.6, ASG 6.7 (prior to 6.7. ...) NOT-FOR-US: Symantec CVE-2016-10256 (The Symantec ProxySG 6.5 (prior to 6.5.10.6), 6.6, and 6.7 (prior to 6 ...) NOT-FOR-US: Symantec CVE-2017-7235 (An issue was discovered in cloudflare-scrape 1.6.6 through 1.7.1. A ma ...) NOT-FOR-US: cloudflare-scrape CVE-2017-7234 (A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before ...) {DSA-3835-1 DLA-885-1} - python-django 1:1.10.7-1 (bug #859516) NOTE: https://www.djangoproject.com/weblog/2017/apr/04/security-releases/ NOTE: Fixed by (master): https://github.com/django/django/commit/a1f948b468b6621083a03b0d53432341b7a4d753 CVE-2017-7233 (Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 re ...) {DSA-3835-1 DLA-885-1} - python-django 1:1.10.7-1 (bug #859515) NOTE: https://www.djangoproject.com/weblog/2017/apr/04/security-releases/ NOTE: Fixed by (master): https://github.com/django/django/commit/5ea48a70afac5e5684b504f09286e7defdd1a81a CVE-2017-7232 RESERVED CVE-2017-7231 (pngdefry through 2017-03-22 is prone to a heap-based buffer-overflow v ...) NOT-FOR-US: pngdefry CVE-2017-7230 (A buffer overflow vulnerability in Disk Sorter Enterprise 9.5.12 and e ...) NOT-FOR-US: Disk Sorter Enterprise CVE-2017-7229 (PGP/MIME encrypted messages injected into a Vaultive O365 (before 4.5. ...) NOT-FOR-US: Vaultive O365 CVE-2017-7228 (An issue (known as XSA-212) was discovered in Xen, with fixes availabl ...) {DSA-3847-1 DLA-907-1} - xen 4.8.1-1 (bug #859560) NOTE: https://xenbits.xen.org/xsa/advisory-212.html CVE-2017-7227 (GNU linker (ld) in GNU Binutils 2.28 is vulnerable to a heap-based buf ...) - binutils 2.27.51.20161212-1 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20906 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=406bd128dba2a59d0736839fc87a59bce319076c CVE-2017-7226 (The pe_ILF_object_p function in the Binary File Descriptor (BFD) libra ...) - binutils 2.27.51.20161212-1 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20905 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=fa6631b4eecfcca00c13b9594e6336dffd40982f CVE-2017-7225 (The find_nearest_line function in addr2line in GNU Binutils 2.28 does ...) - binutils 2.27.51.20161201-1 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20891 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=50455f1ab2935f7321215dfa681745c9b1cb5b19 CVE-2017-7224 (The find_nearest_line function in objdump in GNU Binutils 2.28 is vuln ...) - binutils 2.27.51.20161201-1 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20892 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e82ab856bb4689330c29fb9f1c57a8555b26380e CVE-2017-7223 (GNU assembler in GNU Binutils 2.28 is vulnerable to a global buffer ov ...) - binutils 2.27.51.20161212-1 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20898 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=69ace2200106348a1b00d509a6a234337c104c17 CVE-2017-7222 (A cross-site scripting (XSS) vulnerability in MantisBT before 2.1.1 al ...) - mantis [wheezy] - mantis (Unsupported in Wheezy LTS) CVE-2017-7221 (OpenText Documentum Content Server has an inadequate protection mechan ...) NOT-FOR-US: OpenText Documentum Content Server CVE-2017-7220 (OpenText Documentum Content Server allows superuser access via sys_obj ...) NOT-FOR-US: OpenText Documentum Content Server CVE-2017-7219 (A heap overflow vulnerability in Citrix NetScaler Gateway versions 10. ...) NOT-FOR-US: Citrix CVE-2017-7218 (The Management Web Interface in Palo Alto Networks PAN-OS before 7.1.9 ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-7217 (The Management Web Interface in Palo Alto Networks PAN-OS before 7.0.1 ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-7216 (The Management Web Interface in Palo Alto Networks PAN-OS before 7.1.9 ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2016-10255 (The __libelf_set_rawdata_wrlock function in elf_getdata.c in elfutils ...) - elfutils 0.168-0.2 (low) [jessie] - elfutils (Minor issue) [wheezy] - elfutils (Minor issue) NOTE: 0.168-0.2 first version uploaded to unstable NOTE: https://blogs.gentoo.org/ago/2016/11/04/elfutils-memory-allocation-failure-in-__libelf_set_rawdata_wrlock-elf_getdata-c/ NOTE: https://git.fedorahosted.org/cgit/elfutils.git/commit/?id=09ec02ec7f7e6913d10943148e2a898264345b07 CVE-2016-10254 (The allocate_elf function in common.h in elfutils before 0.168 allows ...) - elfutils 0.168-0.2 (low) [jessie] - elfutils (Minor issue) [wheezy] - elfutils (Minor issue) NOTE: 0.168-0.2 first version uploaded to unstable NOTE: https://blogs.gentoo.org/ago/2016/11/04/elfutils-memory-allocation-failure-in-allocate_elf-common-h/ NOTE: https://git.fedorahosted.org/cgit/elfutils.git/commit/?id=191000fdedba3fafe4d5b8cddad3f3318b49c3fb CVE-2017-7215 (Cross site scripting in some view elements in the index filter tool in ...) NOT-FOR-US: MISP (Malware Information Sharing Platform and Threat Sharing) CVE-2017-7214 (An issue was discovered in exception_wrapper.py in OpenStack Nova 13.x ...) - nova 2:14.0.0-4 (bug #858568) [jessie] - nova (Vulnerable code not present) [wheezy] - nova (Not supported in Wheezy LTS) NOTE: https://bugs.launchpad.net/nova/+bug/1673569 CVE-2017-7213 (Zoho ManageEngine Desktop Central before build 100082 allows remote at ...) NOT-FOR-US: Zoho ManageEngine Desktop Central CVE-2017-7212 RESERVED CVE-2017-7211 RESERVED CVE-2017-7210 (objdump in GNU Binutils 2.28 is vulnerable to multiple heap-based buff ...) - binutils 2.28-3 (low; bug #858324) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21157 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a2dea0b20bc66a4c287c3c50002b8c3b3e9d953a CVE-2017-7209 (The dump_section_as_bytes function in readelf in GNU Binutils 2.28 acc ...) - binutils 2.28-3 (low; bug #858323) [jessie] - binutils (Vulnerable code introduced later) [wheezy] - binutils (Vulnerable code introduced later) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21135 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f055032e4e922f1e1a5e11026c7c2669fa2a7d19 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1835f746a7c7fff70a2cc03a051b14fdc6b3f73f CVE-2017-7208 (The decode_residual function in libavcodec in libav 9.21 allows remote ...) {DSA-4012-1 DLA-1142-1} - libav (low) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1000 NOTE: https://git.libav.org/?p=libav.git;a=commit;h=522d850e68ec4b77d3477b3c8f55b1ba00a9d69a CVE-2017-7207 (The mem_get_bits_rectangle function in Artifex Software, Inc. Ghostscr ...) {DSA-3838-1 DLA-1048-1} - ghostscript 9.20~dfsg-3 (bug #858350) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=309eca4e0a31ea70dcc844812691439312dad091 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697676 CVE-2017-7206 (The ff_h2645_extract_rbsp function in libavcodec in libav 9.21 allows ...) - libav [jessie] - libav (Vulnerable code not present) - ffmpeg (bug #872517; Previous patches mitigated the issue) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1002 NOTE: https://git.libav.org/?p=libav.git;a=commit;h=83b2b34d06e74cc8775ba3d833f9782505e17539 CVE-2017-7205 (A Cross-Site Scripting (XSS) was discovered in GamePanelX-V3 3.0.12. T ...) NOT-FOR-US: GamePanelX-V3 CVE-2017-7204 (A Cross-Site Scripting (XSS) was discovered in imdbphp 5.1.1. The vuln ...) NOT-FOR-US: imdbphp CVE-2017-7203 (A Cross-Site Scripting (XSS) was discovered in ZoneMinder before 1.30. ...) - zoneminder 1.30.4+dfsg-1 (bug #858329) [wheezy] - zoneminder (Minor issue) NOTE: https://github.com/ZoneMinder/ZoneMinder/issues/1797 NOTE: Fixed in 1.30.2 upstream. CVE-2017-7202 (Multiple Cross-Site Scripting (XSS) were discovered in SLiMS 7 Cendana ...) NOT-FOR-US: SLiMS CVE-2017-7201 RESERVED CVE-2017-7199 (Nessus 6.6.2 - 6.10.3 contains a flaw related to insecure permissions ...) NOT-FOR-US: Nessus CVE-2017-7200 (An SSRF issue was discovered in OpenStack Glance before Newton. The 'c ...) - glance 2:13.0.0-1 [jessie] - glance (Minor issue, too intrusive to backport) [wheezy] - glance (Not supported in Wheezy LTS) NOTE: https://wiki.openstack.org/wiki/OSSN/OSSN-0078 NOTE: https://bugs.launchpad.net/ossn/+bug/1606495 NOTE: https://bugs.launchpad.net/ossn/+bug/1153614 NOTE: The only implemented solution is to move to the v2 API (deprecated in NOTE: 2:13.0.0-1, using that as the fixed version) CVE-2017-7198 RESERVED CVE-2017-7197 RESERVED CVE-2017-7196 RESERVED CVE-2017-7195 RESERVED CVE-2017-7194 RESERVED CVE-2017-7193 RESERVED CVE-2017-7192 (WebSocket.swift in Starscream before 2.0.4 allows an SSL Pinning bypas ...) NOT-FOR-US: Starscream CVE-2017-7190 RESERVED CVE-2017-7189 (main/streams/xp_socket.c in PHP 7.x before 2017-03-07 misparses fsocko ...) - php7.3 [buster] - php7.3 (Upstream patch breaks existing applications, was reverted again, revisit if a new approach has been identified) - php7.0 [stretch] - php7.0 (Upstream patch breaks existing applications, was reverted again, revisit if a new approach has been identified) - php5 [jessie] - php5 (Upstream patch breaks existing applications, was reverted again, revisit if a new approach has been identified) NOTE: PHP Bug: https://bugs.php.net/bug.php?id=74192 NOTE: https://github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a NOTE: The commit was later on reverted again because of breaking some features. NOTE: See as well the related CVE-2017-7272. CVE-2017-7188 (Zurmo 3.1.1 Stable allows a Cross-Site Scripting (XSS) attack with a b ...) NOT-FOR-US: Zurmo CVE-2017-7187 (The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel through ...) - linux 4.9.18-1 [jessie] - linux (Introduced in 3.17) [wheezy] - linux (Introduced in 3.17) NOTE: Fixed by: https://git.kernel.org/linus/bf33f87dd04c371ea33feb821b60d63d754e3124 (4.11-rc5) NOTE: Introduced by: https://git.kernel.org/linus/65c26a0f39695ba01d9693754f27ca76cc8a3ab5 (3.17-rc1) CVE-2017-7185 (Use-after-free vulnerability in the mg_http_multipart_wait_for_boundar ...) NOT-FOR-US: Mongoose CVE-2017-7183 (The TFTP server in ExtraPuTTY 0.30 and earlier allows remote attackers ...) NOT-FOR-US: ExtraPuTTY CVE-2017-7182 RESERVED CVE-2017-7181 RESERVED CVE-2017-7180 (Net Monitor for Employees Pro through 5.3.4 has an unquoted service pa ...) NOT-FOR-US: Net Monitor for Employees Pro CVE-2017-7179 RESERVED CVE-2016-10253 (An issue was discovered in Erlang/OTP 18.x. Erlang's generation of com ...) - erlang 1:19.2.1+dfsg-2 (bug #858313) [jessie] - erlang 1:17.3-dfsg-4+deb8u1 [wheezy] - erlang (Vulnerable code not present) NOTE: https://github.com/erlang/otp/pull/1108 CVE-2017-7184 (The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Lin ...) {DLA-922-1} - linux 4.9.18-1 (low) [jessie] - linux 3.16.43-1 NOTE: Unprivileged user namespaces are disabled in Debian, this only affects NOTE: non-standard setups CVE-2017-7186 (libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attacke ...) - pcre3 2:8.39-3 (bug #858230) [jessie] - pcre3 (Minor issue; 32bit character support not enabled) [wheezy] - pcre3 (Vulnerable code not present) - pcre2 10.22-3 (bug #858233) NOTE: https://bugs.exim.org/show_bug.cgi?id=2052 NOTE: https://vcs.pcre.org/pcre/code/trunk/pcre_internal.h?r1=1649&r2=1688&sortby=date (for pcre3) NOTE: https://vcs.pcre.org/pcre/code/trunk/pcre_ucd.c?r1=1490&r2=1688&sortby=date (for pcre3) NOTE: https://vcs.pcre.org/pcre2/code/trunk/src/pcre2_ucd.c?r1=316&r2=670&sortby=date (for pcre2) NOTE: https://vcs.pcre.org/pcre2/code/trunk/src/pcre2_internal.h?r1=600&r2=670&sortby=date (for pcre2) CVE-2017-7178 (CSRF was discovered in the web UI in Deluge before 1.3.14. The exploit ...) {DSA-3856-1 DLA-863-1} - deluge 1.3.13+git20161130.48cedf63-2 (bug #857903) NOTE: http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=318ab179865e0707d7945edc3a13a464a108d583 CVE-2017-9149 (Metadata Anonymisation Toolkit (MAT) 0.6 and 0.6.1 silently fails to p ...) - mat 0.6.1-4 (bug #858058) [jessie] - mat (Vulnerable code not present) [wheezy] - mat (Vulnerable code not present) NOTE: https://0xacab.org/mat/mat/issues/11527 NOTE: Fixed by: https://0xacab.org/mat/mat/commit/94ca62a429bb6a3a5f293de26053e54bbfeea9f9 NOTE: Fixed by: https://0xacab.org/mat/mat/commit/8f6303a1f26fe8dad83ba96ab8328dbdfa3af59a NOTE: Introduced by: https://0xacab.org/mat/mat/commit/0d1fe2555e90db35eeb531a1b6026ff64f1f5ae5 CVE-2017-7176 REJECTED CVE-2017-7175 (NfSen before 1.3.8 allows remote attackers to execute arbitrary OS com ...) NOT-FOR-US: NfSen CVE-2017-7174 (The user-account creation feature in Chef Manage 2.1.0 through 2.4.4 a ...) NOT-FOR-US: Chef Manage CVE-2017-7173 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-7172 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-7171 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-7170 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-7169 RESERVED CVE-2017-7168 RESERVED CVE-2017-7167 (An issue was discovered in certain Apple products. Xcode before 9.2 is ...) NOT-FOR-US: Apple CVE-2017-7166 RESERVED CVE-2017-7165 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) - webkit2gtk 2.18.6-1 (unimportant) [stretch] - webkit2gtk 2.18.6-1~deb9u1 NOTE: https://webkitgtk.org/security/WSA-2018-0002.html NOTE: Not covered by security support CVE-2017-7164 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-7163 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Intel Graphics Driver on Apple / macOS CVE-2017-7162 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-7161 (An issue was discovered in certain Apple products. Safari before 11.0. ...) - webkit2gtk 2.18.6-1 (unimportant) [stretch] - webkit2gtk 2.18.6-1~deb9u1 NOTE: https://webkitgtk.org/security/WSA-2018-0002.html NOTE: Not covered by security support CVE-2017-7160 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) - webkit2gtk 2.18.6-1 (unimportant) [stretch] - webkit2gtk 2.18.6-1~deb9u1 NOTE: https://webkitgtk.org/security/WSA-2018-0002.html NOTE: Not covered by security support CVE-2017-7159 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-7158 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-7157 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0010.html NOTE: Not covered by security support CVE-2017-7156 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) - webkit2gtk 2.18.4-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0010.html NOTE: Not covered by security support CVE-2017-7155 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Intel Graphics Driver on Apple / macOS CVE-2017-7154 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-7153 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) - webkit2gtk 2.18.6-1 (unimportant) [stretch] - webkit2gtk 2.18.6-1~deb9u1 NOTE: https://webkitgtk.org/security/WSA-2018-0002.html NOTE: Not covered by security support CVE-2017-7152 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-7151 (A race condition was addressed with additional validation. This issue ...) NOT-FOR-US: Apple CVE-2017-7150 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Apple CVE-2017-7149 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Apple CVE-2017-7148 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7147 (An issue was discovered in certain Apple products. The Apple Support a ...) NOT-FOR-US: Apple CVE-2017-7146 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7145 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7144 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7143 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Apple CVE-2017-7142 (An issue was discovered in certain Apple products. Safari before 11 is ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7141 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Apple CVE-2017-7140 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7139 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7138 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Apple CVE-2017-7137 (An issue was discovered in certain Apple products. Xcode before 9 is a ...) NOT-FOR-US: Apple CVE-2017-7136 (An issue was discovered in certain Apple products. Xcode before 9 is a ...) NOT-FOR-US: Apple CVE-2017-7135 (An issue was discovered in certain Apple products. Xcode before 9 is a ...) NOT-FOR-US: Apple CVE-2017-7134 (An issue was discovered in certain Apple products. Xcode before 9 is a ...) NOT-FOR-US: Apple CVE-2017-7133 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7132 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-7131 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7130 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Potentially src:sqlite, but Apple doesn't play by the rules CVE-2017-7129 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Potentially src:sqlite, but Apple doesn't play by the rules CVE-2017-7128 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Potentially src:sqlite, but Apple doesn't play by the rules CVE-2017-7127 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Potentially src:sqlite, but Apple doesn't play by the rules CVE-2017-7126 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Potentially src:file, but Apple doesn't play by the rules CVE-2017-7125 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Potentially src:file, but Apple doesn't play by the rules CVE-2017-7124 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Potentially src:file, but Apple doesn't play by the rules CVE-2017-7123 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Potentially src:file, but Apple doesn't play by the rules CVE-2017-7122 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Potentially src:file, but Apple doesn't play by the rules CVE-2017-7121 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Potentially src:file, but Apple doesn't play by the rules CVE-2017-7120 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7119 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Apple CVE-2017-7118 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7117 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7116 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7115 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7114 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7113 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) NOT-FOR-US: Apple CVE-2017-7112 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7111 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7110 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7109 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7108 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7107 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7106 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7105 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7104 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7103 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7102 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7101 RESERVED CVE-2017-7100 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7099 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7098 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7097 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7096 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7095 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7094 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7093 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7092 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7091 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7090 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7089 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7088 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7087 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7086 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7085 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7084 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Apple CVE-2017-7083 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7082 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Apple CVE-2017-7081 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7080 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7079 (An issue was discovered in certain Apple products. iTunes before 12.7 ...) NOT-FOR-US: Apple CVE-2017-7078 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7077 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Apple CVE-2017-7076 (An issue was discovered in certain Apple products. Xcode before 9 is a ...) NOT-FOR-US: Apple CVE-2017-7075 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7074 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Apple CVE-2017-7073 RESERVED CVE-2017-7072 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7071 (An issue was discovered in certain Apple products. Safari before 10.1 ...) NOT-FOR-US: Apple CVE-2017-7070 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7069 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7068 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple / libarchive NOTE: Possibly Apple-specific, but noone really knows and Apple doesn't cooperate CVE-2017-7067 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7066 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7065 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-7064 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.6-1 (unimportant) [stretch] - webkit2gtk 2.16.6-0+deb9u1 NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7063 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7062 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7061 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.6-1 (unimportant) [stretch] - webkit2gtk 2.16.6-0+deb9u1 NOTE: Not covered by security support CVE-2017-7060 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7059 (A DOMParser XSS issue was discovered in certain Apple products. iOS be ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-7058 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7057 RESERVED CVE-2017-7056 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.6-1 (unimportant) [stretch] - webkit2gtk 2.16.6-0+deb9u1 NOTE: Not covered by security support CVE-2017-7055 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.6-1 (unimportant) [stretch] - webkit2gtk 2.16.6-0+deb9u1 NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7054 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7053 (An issue was discovered in certain Apple products. iTunes before 12.6. ...) NOT-FOR-US: Apple CVE-2017-7052 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.4-1 (unimportant) [stretch] - webkit2gtk 2.16.6-0+deb9u1 NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7051 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7050 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7049 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7048 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.6-1 (unimportant) [stretch] - webkit2gtk 2.16.6-0+deb9u1 NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7047 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7046 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.6-1 (unimportant) [stretch] - webkit2gtk 2.16.6-0+deb9u1 NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7045 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7044 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7043 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7042 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7041 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7040 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7039 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.6-1 (unimportant) [stretch] - webkit2gtk 2.16.6-0+deb9u1 NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7038 (A DOMParser XSS issue was discovered in certain Apple products. iOS be ...) - webkit2gtk 2.16.3-2 (unimportant) [stretch] - webkit2gtk 2.16.6-0+deb9u1 NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7037 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.6-1 (unimportant) [stretch] - webkit2gtk 2.16.6-0+deb9u1 NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7036 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7035 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7034 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.6-1 (unimportant) [stretch] - webkit2gtk 2.16.6-0+deb9u1 NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7033 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7032 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7031 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7030 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.6-1 (unimportant) [stretch] - webkit2gtk 2.16.6-0+deb9u1 NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7029 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7028 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7027 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7026 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7025 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7024 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7023 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7022 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7021 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7020 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7019 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7018 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.6-1 (unimportant) [stretch] - webkit2gtk 2.16.6-0+deb9u1 NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7017 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7016 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7015 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7014 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7013 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Possibly Apple-specific CVE ID for libxml2 CVE-2017-7012 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7011 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7010 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Possibly Apple-specific CVE ID for libxml2 CVE-2017-7009 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7008 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7007 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7006 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7005 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-7004 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-7003 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-7002 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Potentially src:sqlite, but Apple doesn't play by the rules CVE-2017-7001 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Potentially src:sqlite, but Apple doesn't play by the rules CVE-2017-7000 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-6999 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-6998 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-6997 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-6996 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-6995 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-6994 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-6993 RESERVED CVE-2017-6992 RESERVED CVE-2017-6991 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOTE: Unspecified sqlite issue found by Apple, no further details available CVE-2017-6990 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-6989 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-6988 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-6987 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-6986 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-6985 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-6984 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-6983 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOTE: Unspecified sqlite issue found by Apple, no further details available CVE-2017-6982 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-6981 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-6980 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-6979 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-6978 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-6977 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-6976 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-6975 (Wi-Fi in Apple iOS before 10.3.1 does not prevent CVE-2017-6956 stack ...) NOT-FOR-US: Applie CVE-2017-6974 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-6973 (A cross-site scripting (XSS) vulnerability in the MantisBT Configurati ...) - mantis [wheezy] - mantis (Unsupported in Wheezy LTS) NOTE: http://www.openwall.com/lists/oss-security/2017/03/30/4 CVE-2017-6972 (AlienVault USM and OSSIM before 5.3.7 and NfSen before 1.3.8 have an e ...) NOT-FOR-US: AlienVault CVE-2017-6971 (AlienVault USM and OSSIM before 5.3.7 and NfSen before 1.3.8 allow rem ...) NOT-FOR-US: AlienVault CVE-2017-6970 (AlienVault USM and OSSIM before 5.3.7 and NfSen before 1.3.8 allow loc ...) NOT-FOR-US: AlienVault CVE-2017-6968 (GMV Checker ATM Security prior to 5.0.18 allows remote authenticated u ...) NOT-FOR-US: GMV Checker ATM Security CVE-2017-6969 (readelf in GNU Binutils 2.28 is vulnerable to a heap-based buffer over ...) - binutils 2.28-3 (bug #858256) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21156 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b814a36d3440de95f2ac6eaa4fc7935c322ea456 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=43a444f9c5bfd44b4304eafd78338e21d54bea14 CVE-2017-6967 (xrdp 0.9.1 calls the PAM function auth_start_session() in an incorrect ...) {DLA-872-1} [experimental] - xrdp 0.9.2~20170325-1~exp1 - xrdp 0.9.1-9 (bug #858143) [jessie] - xrdp (Minor issue) NOTE: https://bugs.launchpad.net/ubuntu/+source/xrdp/+bug/1672742 NOTE: https://github.com/neutrinolabs/xrdp/issues/350 NOTE: First attempt: https://github.com/neutrinolabs/xrdp/pull/694 NOTE: Followed by: https://github.com/neutrinolabs/xrdp/pull/696 NOTE: http://www.openwall.com/lists/oss-security/2017/03/18/1 NOTE: https://github.com/neutrinolabs/xrdp/pull/696/commits/44129acd210c803fc8bbcfaf1b0db05e5bb4034f CVE-2017-6966 (readelf in GNU Binutils 2.28 has a use-after-free (specifically read-a ...) - binutils 2.28-3 (bug #858263) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21139 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f84ce13b6708801ca1d6289b7c4003e2f5a6d7f9 CVE-2017-6965 (readelf in GNU Binutils 2.28 writes to illegal addresses while process ...) - binutils 2.28-3 (bug #858264) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21137 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=03f7786e2f440b9892b1c34a58fb26222ce1b493 CVE-2017-6964 (dmcrypt-get-device, as shipped in the eject package of Debian and Ubun ...) {DSA-3823-1 DLA-876-1} - eject 2.1.5+deb1+cvs20081104-13.2 (bug #858872) NOTE: https://bugs.launchpad.net/ubuntu/+source/eject/+bug/1673627 CVE-2017-6963 RESERVED CVE-2017-6962 (An issue was discovered in apng2gif 1.7. There is an integer overflow ...) - apng2gif 1.8-0.1 (bug #854447) [stretch] - apng2gif (Minor issue; can be fixed via point release) [jessie] - apng2gif (Vulnerable code introduced later with refactoring) [wheezy] - apng2gif (Vulnerable code introduced later with refactoring) CVE-2017-6961 (An issue was discovered in apng2gif 1.7. There is improper sanitizatio ...) - apng2gif 1.8-0.1 (bug #854441) [stretch] - apng2gif (Minor issue; can be fixed via point release) [jessie] - apng2gif (Vulnerable code introduced later with refactoring) [wheezy] - apng2gif (Vulnerable code introduced later with refactoring) CVE-2017-6960 (An issue was discovered in apng2gif 1.7. There is an integer overflow ...) {DLA-2165-1 DLA-981-1} - apng2gif 1.8-0.1 (bug #854367) [stretch] - apng2gif (Minor issue; can be fixed via point release) CVE-2017-6959 REJECTED CVE-2017-6958 (An XSS vulnerability in the MantisBT Source Integration Plugin (before ...) NOT-FOR-US: MantisBT Source Integration Plugin CVE-2017-6957 (Stack-based buffer overflow in the firmware in Broadcom Wi-Fi HardMAC ...) NOT-FOR-US: Firmware on some Broadcom SoCs CVE-2017-6956 (On the Broadcom Wi-Fi HardMAC SoC with fbt firmware, a stack buffer ov ...) NOT-FOR-US: Firmware on some Broadcom SoCs CVE-2017-6955 (An issue was discovered in by-email/by-email.php in the Invite Anyone ...) NOT-FOR-US: wordpress Anyone plugin CVE-2017-6954 (An issue was discovered in includes/component.php in the BuddyPress Do ...) NOT-FOR-US: wordpress buddypress docs plugin CVE-2017-6953 (Gemalto SmartDiag Diagnosis Tool v2.5 has a stack-based Buffer Overflo ...) NOT-FOR-US: Gemalto SmartDiag Diagnosis Tool CVE-2017-6952 (Integer overflow in the cs_winkernel_malloc function in winkernel_mm.c ...) - capstone (Vulnerable code not present, in Windows specific distribution) CVE-2017-9999 REJECTED CVE-2017-6951 (The keyring_search_aux function in security/keys/keyring.c in the Linu ...) {DLA-922-1} - linux 4.0.2-1 [jessie] - linux 3.16.43-1 CVE-2017-6950 (SAP GUI 7.2 through 7.5 allows remote attackers to bypass intended sec ...) NOT-FOR-US: SAP CVE-2017-6949 (An issue was discovered in CHICKEN Scheme through 4.12.0. When using a ...) {DLA-908-1} - chicken 4.12.0-0.2 (bug #858057) [stretch] - chicken (Minor issue) [jessie] - chicken (Minor issue) NOTE: http://lists.gnu.org/archive/html/chicken-announce/2017-03/msg00000.html CVE-2017-6948 RESERVED CVE-2017-6947 RESERVED CVE-2017-6946 RESERVED CVE-2017-6945 RESERVED CVE-2017-6944 RESERVED CVE-2017-6943 RESERVED CVE-2017-6942 RESERVED CVE-2017-6941 RESERVED CVE-2017-6940 RESERVED CVE-2017-6939 RESERVED CVE-2017-6938 RESERVED CVE-2017-6937 RESERVED CVE-2017-6936 RESERVED CVE-2017-6935 RESERVED CVE-2017-6934 RESERVED CVE-2017-6933 RESERVED CVE-2017-6931 (In Drupal versions 8.4.x versions before 8.4.5 the Settings Tray modul ...) - drupal8 (bug #756305) NOTE: https://www.drupal.org/sa-core-2018-001 CVE-2017-6930 (In Drupal versions 8.4.x versions before 8.4.5 when using node access ...) - drupal8 (bug #756305) NOTE: https://www.drupal.org/sa-core-2018-001 CVE-2017-6926 (In Drupal versions 8.4.x versions before 8.4.5 users with permission t ...) - drupal8 (bug #756305) NOTE: https://www.drupal.org/sa-core-2018-001 CVE-2017-6925 (In versions of Drupal 8 core prior to 8.3.7; There is a vulnerability ...) - drupal8 (bug #756305) NOTE: https://www.drupal.org/SA-CORE-2017-004 CVE-2017-6924 (In Drupal 8 prior to 8.3.7; When using the REST API, users without the ...) - drupal8 (bug #756305) NOTE: https://www.drupal.org/SA-CORE-2017-004 CVE-2017-6923 (In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally ...) - drupal8 (bug #756305) NOTE: https://www.drupal.org/SA-CORE-2017-004 CVE-2017-6922 (In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; P ...) {DSA-3897-1 DLA-1004-1} - drupal8 (bug #756305) - drupal7 7.56-1 (bug #865498) NOTE: https://www.drupal.org/SA-CORE-2017-003 NOTE: http://cgit.drupalcode.org/drupal/diff/?h=7.x&id=600c1346ed976e6f35fc2b0f907a7837f0f7c145&id2=9eebe462d1e93e785e6c028dc6cf689623c4d936 CVE-2017-6921 (In Drupal 8 prior to 8.3.4; The file REST resource does not properly v ...) - drupal8 (bug #756305) NOTE: https://www.drupal.org/SA-CORE-2017-003 CVE-2017-6920 (Drupal core 8 before versions 8.3.4 allows remote attackers to execute ...) - drupal8 (bug #756305) NOTE: https://www.drupal.org/SA-CORE-2017-003 CVE-2017-6919 (Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypa ...) - drupal8 (bug #756305) NOTE: https://www.drupal.org/SA-CORE-2017-002 CVE-2017-6918 (CSRF exists in BigTree CMS 4.2.16 with the value[#][*] parameter to th ...) NOT-FOR-US: BigTree CMS CVE-2017-6917 (CSRF exists in BigTree CMS 4.2.16 with the value parameter to the admi ...) NOT-FOR-US: BigTree CMS CVE-2017-6916 (CSRF exists in BigTree CMS 4.1.18 with the nav-social[#] parameter to ...) NOT-FOR-US: BigTree CMS CVE-2017-6915 (CSRF exists in BigTree CMS 4.1.18 with the colophon parameter to the a ...) NOT-FOR-US: BigTree CMS CVE-2017-6914 (CSRF exists in BigTree CMS 4.1.18 and 4.2.16 with the id parameter to ...) NOT-FOR-US: BigTree CMS CVE-2017-6913 (Cross-site scripting (XSS) vulnerability in the Open-Xchange webmail b ...) NOT-FOR-US: Open-Xchange CVE-2017-6912 (Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Incor ...) NOT-FOR-US: Open-Xchange GmbH OX App Suite CVE-2017-6911 (USB Pratirodh is prone to sensitive information disclosure. It stores ...) NOT-FOR-US: USB Pratirodh CVE-2017-6910 (The HTTP and WebSocket engine components in the server in Kaazing Gate ...) NOT-FOR-US: Kaazing Gateway CVE-2017-6909 (An issue was discovered in Shimmie <= 2.5.1. The vulnerability exis ...) NOT-FOR-US: Shimmie CVE-2017-6908 (An issue was discovered in concrete5 <= 5.6.3.4. The vulnerability ...) NOT-FOR-US: concrete5 CVE-2017-6907 (An issue was discovered in Open.GL before 2017-03-13. The vulnerabilit ...) NOT-FOR-US: Open.GL CVE-2017-6906 (An issue was discovered in SiberianCMS before 4.10.0. The vulnerabili ...) NOT-FOR-US: SiberianCMS CVE-2017-6905 (An issue was discovered in concrete5 <= 5.6.3.4. The vulnerability ...) NOT-FOR-US: concrete5 CVE-2017-6904 RESERVED CVE-2017-6902 REJECTED CVE-2017-6901 RESERVED CVE-2017-6900 (An issue was discovered in Riello NetMan 204 14-2 and 15-2. The issue ...) NOT-FOR-US: Riello NetMan CVE-2017-6899 (The msm_bus_dbg_update_request_write function in drivers/platform/msm/ ...) NOT-FOR-US: android_kernel_huawei_msm8916 in LineageOS (and other kernels for MSM devices) CVE-2017-6898 RESERVED CVE-2017-6897 RESERVED CVE-2017-6896 (Privilege escalation vulnerability on the DIGISOL DG-HR1400 1.00.02 wi ...) NOT-FOR-US: DIGISOL DG-HR1400 1.00.02 wireless router CVE-2017-6895 (USB Pratirodh allows remote attackers to conduct XML External Entity ( ...) NOT-FOR-US: USB Pratirodh CVE-2017-6894 RESERVED CVE-2017-6893 RESERVED CVE-2017-6892 (In libsndfile version 1.0.28, an error in the "aiff_read_chanmap()" fu ...) {DLA-985-1} - libsndfile 1.0.28-1 (bug #864704) [stretch] - libsndfile (Minor issue) [jessie] - libsndfile (Minor issue) NOTE: Fixed by: https://github.com/erikd/libsndfile/commit/f833c53cb596e9e1792949f762e0b33661822748 CVE-2017-6891 (Two errors in the "asn1_find_node()" function (lib/parser_aux.c) withi ...) {DSA-3861-1 DLA-950-1} - libtasn1-6 4.10-1.1 (bug #863186) - libtasn1-3 NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2017-11/ NOTE: https://gitlab.com/gnutls/libtasn1/commit/5520704d075802df25ce4ffccc010ba1641bd484 CVE-2017-6890 (A boundary error within the "foveon_load_camf()" function (dcraw_foveo ...) NOT-FOR-US: libraw demosaic extension (not packaged in Debian) CVE-2017-6889 (An integer overflow error within the "foveon_load_camf()" function (dc ...) NOT-FOR-US: libraw demosaic extension (not packaged in Debian) CVE-2017-6888 (An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC ...) - flac 1.3.2-2 (low; bug #897015) [stretch] - flac (Minor issue) [jessie] - flac (Minor issue) [wheezy] - flac (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2017-7/ NOTE: https://git.xiph.org/?p=flac.git;a=commit;h=4f47b63e9c971e6391590caf00a0f2a5ed612e67 CVE-2017-6887 (A boundary error within the "parse_tiff_ifd()" function (internal/dcra ...) {DSA-3950-1 DLA-1057-1} - libraw 0.18.2-2 (bug #864183) NOTE: https://github.com/LibRaw/LibRaw/commit/d7c3d2cb460be10a3ea7b32e9443a83c243b2251 CVE-2017-6886 (An error within the "parse_tiff_ifd()" function (internal/dcraw_common ...) {DSA-3950-1 DLA-1057-1} - libraw 0.18.2-2 (bug #864183) NOTE: https://github.com/LibRaw/LibRaw/commit/d7c3d2cb460be10a3ea7b32e9443a83c243b2251 CVE-2017-6885 (An error when handling certain external commands and services related ...) NOT-FOR-US: FlexNet CVE-2017-6903 (In ioquake3 before 2017-03-14, the auto-downloading feature has insuff ...) {DSA-3812-1} - ioquake3 1.36+u20161101+dfsg1-2 (bug #857699) [wheezy] - ioquake3 (Not supported in Wheezy LTS) - iortcw 1.50a+dfsg1-3 (bug #857714) NOTE: https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/ NOTE: Also affects openjk (only in experimental; bug #857715) CVE-2017-6884 (A command injection vulnerability was discovered on the Zyxel EMG2926 ...) NOT-FOR-US: Zyxel CVE-2017-6883 (The ConvertToPDF plugin in Foxit Reader before 8.2.1 and PhantomPDF be ...) NOT-FOR-US: Foxit CVE-2017-6882 RESERVED CVE-2017-6881 RESERVED CVE-2017-6880 (Buffer overflow in Cerberus FTP Server 8.0.10.3 allows remote attacker ...) NOT-FOR-US: Cerberus FTP Server CVE-2017-6879 RESERVED CVE-2017-6878 (Cross-site scripting (XSS) vulnerability in MetInfo 5.3.15 allows remo ...) NOT-FOR-US: MetInfo CVE-2017-6877 (Cross-site scripting (XSS) vulnerability in SVG file handling in Lutim ...) NOT-FOR-US: Lutim CVE-2017-6876 RESERVED CVE-2017-6875 RESERVED CVE-2017-6874 (Race condition in kernel/ucount.c in the Linux kernel through 4.10.2 a ...) - linux 4.9.16-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/040757f738e13caaa9c5078bca79aa97e11dde88 CVE-2017-6873 (A vulnerability was discovered in Siemens OZW672 (all versions) and OZ ...) NOT-FOR-US: Siemens CVE-2017-6872 (A vulnerability was discovered in Siemens OZW672 (all versions) and OZ ...) NOT-FOR-US: Siemens CVE-2017-6871 (A vulnerability was discovered in Siemens SIMATIC WinCC Sm@rtClient fo ...) NOT-FOR-US: Siemens CVE-2017-6870 (A vulnerability was discovered in Siemens SIMATIC WinCC Sm@rtClient fo ...) NOT-FOR-US: Siemens CVE-2017-6869 (A vulnerability was discovered in Siemens ViewPort for Web Office Port ...) NOT-FOR-US: Siemens CVE-2017-6868 (An Improper Authentication issue was discovered in Siemens SIMATIC CP ...) NOT-FOR-US: Siemens CVE-2017-6867 (A vulnerability was discovered in Siemens SIMATIC WinCC (V7.3 before U ...) NOT-FOR-US: Siemens CVE-2017-6866 (A vulnerability was discovered in Siemens XHQ server 4 and 5 (4 before ...) NOT-FOR-US: Siemens CVE-2017-6865 (A vulnerability has been identified in Primary Setup Tool (PST) (All v ...) NOT-FOR-US: Siemens CVE-2017-6864 (The integrated web server in Siemens RUGGEDCOM ROX I (all versions) at ...) NOT-FOR-US: Siemens CVE-2017-6863 RESERVED CVE-2017-6862 (NETGEAR WNR2000v3 devices before 1.1.2.14, WNR2000v4 devices before 1. ...) NOT-FOR-US: NETGEAR CVE-2017-6861 RESERVED CVE-2017-6860 RESERVED CVE-2017-6859 RESERVED CVE-2017-6858 RESERVED CVE-2017-6857 RESERVED CVE-2017-6856 RESERVED CVE-2017-6855 RESERVED CVE-2017-6854 RESERVED CVE-2017-6853 RESERVED CVE-2017-6839 (Integer overflow in modules/MSADPCM.cpp in Audio File Library (aka aud ...) {DSA-3814-1 DLA-867-1} - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/ NOTE: https://github.com/mpruett/audiofile/issues/41 NOTE: https://github.com/antlarr/audiofile/commit/beacc44eb8cdf6d58717ec1a5103c5141f1b37f9 CVE-2017-6838 (Integer overflow in sfcommands/sfconvert.c in Audio File Library (aka ...) {DSA-3814-1 DLA-867-1} - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/ NOTE: https://github.com/mpruett/audiofile/issues/41 NOTE: https://github.com/antlarr/audiofile/commit/7d65f89defb092b63bcbc5d98349fb222ca73b3c NOTE: https://github.com/antlarr/audiofile/commit/ce536d707b8e2a26baca77320398c45238224ca7 CVE-2017-6837 (WAVE.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote att ...) {DSA-3814-1 DLA-867-1} - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/ NOTE: https://github.com/mpruett/audiofile/issues/41 NOTE: https://github.com/antlarr/audiofile/commit/c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 CVE-2017-6836 (Heap-based buffer overflow in the Expand3To4Module::run function in li ...) {DSA-3814-1 DLA-867-1} - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-expand3to4modulerun-simplemodule-h NOTE: https://github.com/mpruett/audiofile/issues/40 NOTE: https://github.com/mpruett/audiofile/commit/7d65f89defb092b63bcbc5d98349fb222ca73b3c NOTE: https://github.com/antlarr/audiofile/commit/ce536d707b8e2a26baca77320398c45238224ca7 CVE-2017-6835 (The reset1 function in libaudiofile/modules/BlockCodec.cpp in Audio Fi ...) {DSA-3814-1 DLA-867-1} - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-divide-by-zero-in-blockcodecreset1-blockcodec-cpp NOTE: https://github.com/mpruett/audiofile/issues/39 NOTE: https://github.com/mpruett/audiofile/commit/c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 CVE-2017-6834 (Heap-based buffer overflow in the ulaw2linear_buf function in G711.cpp ...) {DSA-3814-1 DLA-867-1} - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-ulaw2linear_buf-g711-cpp NOTE: https://github.com/mpruett/audiofile/issues/38 NOTE: https://github.com/mpruett/audiofile/commit/7d65f89defb092b63bcbc5d98349fb222ca73b3c NOTE: https://github.com/antlarr/audiofile/commit/ce536d707b8e2a26baca77320398c45238224ca7 CVE-2017-6833 (The runPull function in libaudiofile/modules/BlockCodec.cpp in Audio F ...) {DSA-3814-1 DLA-867-1} - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-divide-by-zero-in-blockcodecrunpull-blockcodec-cpp NOTE: https://github.com/mpruett/audiofile/issues/37 NOTE: https://github.com/mpruett/audiofile/commit/c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 CVE-2017-6832 (Heap-based buffer overflow in the decodeBlock in MSADPCM.cpp in Audio ...) {DSA-3814-1 DLA-867-1} - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-msadpcmdecodeblock-msadpcm-cpp NOTE: https://github.com/mpruett/audiofile/issues/36 NOTE: https://github.com/mpruett/audiofile/commit/c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 CVE-2017-6831 (Heap-based buffer overflow in the decodeBlockWAVE function in IMA.cpp ...) {DSA-3814-1 DLA-867-1} - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp NOTE: https://github.com/mpruett/audiofile/issues/35 NOTE: https://github.com/antlarr/audiofile/commit/a2e9eab8ea87c4ffc494d839ebb4ea145eb9f2e6 CVE-2017-6830 (Heap-based buffer overflow in the alaw2linear_buf function in G711.cpp ...) {DSA-3814-1 DLA-867-1} - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-alaw2linear_buf-g711-cpp NOTE: https://github.com/mpruett/audiofile/issues/34 NOTE: https://github.com/mpruett/audiofile/commit/7d65f89defb092b63bcbc5d98349fb222ca73b3c NOTE: https://github.com/antlarr/audiofile/commit/ce536d707b8e2a26baca77320398c45238224ca7 CVE-2017-6829 (The decodeSample function in IMA.cpp in Audio File Library (aka audiof ...) {DSA-3814-1 DLA-867-1} - audiofile 0.3.6-4 (bug #857651) NOTE: https://github.com/mpruett/audiofile/issues/33 NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-global-buffer-overflow-in-decodesample-ima-cpp NOTE: https://github.com/mpruett/audiofile/pull/43/commits/25eb00ce913452c2e614548d7df93070bf0d066f CVE-2017-6828 (Heap-based buffer overflow in the readValue function in FileHandle.cpp ...) {DSA-3814-1 DLA-867-1} - audiofile 0.3.6-4 (bug #857651) NOTE: https://github.com/mpruett/audiofile/issues/31 NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-readvalue-filehandle-cpp NOTE: https://github.com/mpruett/audiofile/commit/c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 CVE-2017-6827 (Heap-based buffer overflow in the MSADPCM::initializeCoefficients func ...) {DSA-3814-1 DLA-867-1} - audiofile 0.3.6-4 (bug #857651) NOTE: https://github.com/mpruett/audiofile/issues/32 NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-msadpcminitializecoefficients-msadpcm-cpp NOTE: https://github.com/mpruett/audiofile/commit/c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 CVE-2016-10252 (Memory leak in the IsOptionMember function in MagickCore/option.c in I ...) {DSA-3808-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #857426) [wheezy] - imagemagick (vulnerable code not present) NOTE: Fixed by: http://git.imagemagick.org/repos/ImageMagick/commit/6790815c75bdea0357df5564345847856e995d6b CVE-2016-10251 (Integer overflow in the jpc_pi_nextcprl function in jpc_t2cod.c in Jas ...) {DSA-3827-1 DLA-920-1} - jasper NOTE: http://www.openwall.com/lists/oss-security/2016/11/04/11 NOTE: https://github.com/mdadams/jasper/commit/1f0dfe5a42911b6880a1445f13f6d615ddb55387 NOTE: https://github.com/asarubbo/poc/blob/master/00029-jasper-uninitvalue-jpc_pi_nextcprl CVE-2016-10248 (The jpc_tsfb_synthesize function in jpc_tsfb.c in JasPer before 1.900. ...) - jasper (unimportant) NOTE: http://www.openwall.com/lists/oss-security/2016/10/20/5 NOTE: Not suitable for code injection, hardly denial of service NOTE: https://github.com/mdadams/jasper/commit/2e82fa00466ae525339754bb3ab0a0474a31d4bd CVE-2016-10247 (Buffer overflow in the my_getline function in jstest_main.c in Mujstes ...) - mupdf (unimportant) [wheezy] - mupdf (Vulnerable code not present) NOTE: Although jstest_main.c compiled during build and mujstest is created NOTE: it is not included in the produced binary packages NOTE: http://www.openwall.com/lists/oss-security/2016/10/16/19 CVE-2016-10246 (Buffer overflow in the main function in jstest_main.c in Mujstest in A ...) - mupdf (unimportant) [wheezy] - mupdf (Vulnerable code not present) NOTE: Although jstest_main.c compiled during build and mujstest is created NOTE: it is not included in the produced binary packages NOTE: http://www.openwall.com/lists/oss-security/2016/10/16/20 CVE-2017-XXXX [Server certificates are not verified] - profanity 0.5.1-1 (bug #857546) [jessie] - profanity (Minor issue) NOTE: https://github.com/boothj5/profanity/issues/280 CVE-2017-7191 (The netjoin processing in Irssi 1.x before 1.0.2 allows attackers to c ...) - irssi 1.0.2-1 (bug #857502) [jessie] - irssi (Different code path caused the netjoins to be flushed prior reaching use-after-free condition) [wheezy] - irssi (Different code path caused the netjoins to be flushed prior reaching use-after-free condition) NOTE: https://irssi.org/security/irssi_sa_2017_03.txt NOTE: https://github.com/irssi/irssi/commit/77b2631c78461965bc9a7414aae206b5c514e1b3 CVE-2017-6826 RESERVED CVE-2017-6825 RESERVED CVE-2017-6824 RESERVED CVE-2017-6823 (Fiyo CMS 2.0.6.1 allows remote authenticated users to gain privileges ...) NOT-FOR-US: Fiyo CMS CVE-2017-6822 RESERVED CVE-2017-6821 (Directory traversal vulnerability in Zimbra Collaboration Suite (aka Z ...) NOT-FOR-US: Zimbra CVE-2017-6820 (rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is su ...) {DLA-855-1} - roundcube 1.2.3+dfsg.1-3 (bug #857473) NOTE: https://github.com/roundcube/roundcubemail/commit/fa2824fdcd44af3f970b2797feb47652482c8305 NOTE: https://github.com/roundcube/roundcubemail/commit/cbd35626f7db7855f3b5e2db00d28ecc1554e9f4 NOTE: https://github.com/roundcube/roundcubemail/wiki/Changelog#release-124 NOTE: https://github.com/roundcube/roundcubemail/releases/tag/1.1.8 CVE-2017-6813 (A service provided by Zimbra Collaboration Suite (ZCS) before 8.7.6 fa ...) NOT-FOR-US: Zimbra CVE-2017-6812 (paintballrefjosh/MaNGOSWebV4 4.0.8 is vulnerable to a reflected XSS in ...) NOT-FOR-US: MaNGOSWebV4 CVE-2017-6811 (paintballrefjosh/MaNGOSWebV4 4.0.8 is vulnerable to a reflected XSS in ...) NOT-FOR-US: MaNGOSWebV4 CVE-2017-6810 (paintballrefjosh/MaNGOSWebV4 4.0.8 is vulnerable to a reflected XSS in ...) NOT-FOR-US: MaNGOSWebV4 CVE-2017-6809 (paintballrefjosh/MaNGOSWebV4 4.0.8 is vulnerable to a reflected XSS in ...) NOT-FOR-US: MaNGOSWebV4 CVE-2017-6808 (paintballrefjosh/MaNGOSWebV4 4.0.8 is vulnerable to a reflected XSS in ...) NOT-FOR-US: MaNGOSWebV4 CVE-2017-6807 (mod_auth_mellon before 0.13.1 is vulnerable to a Cross-Site Session Tr ...) - libapache2-mod-auth-mellon 0.12.0-2 [jessie] - libapache2-mod-auth-mellon (Minor issue) CVE-2017-6806 RESERVED CVE-2017-6805 (Directory traversal vulnerability in the TFTP server in MobaXterm Pers ...) NOT-FOR-US: MobaXterm CVE-2017-6804 REJECTED CVE-2017-6803 (Multiple cross-site request forgery (CSRF) vulnerabilities in the web ...) NOT-FOR-US: SolarWinds (formerly Serv-U) FTP Voyager CVE-2017-6798 (Trend Micro Endpoint Sensor 1.6 before b1290 has a DLL hijacking vulne ...) NOT-FOR-US: Trend Micro Endpoint Sensor CVE-2017-6802 (An issue was discovered in ytnef before 1.9.2. There is a potential he ...) {DSA-3846-1 DLA-878-1} - libytnef 1.9.2-1 NOTE: Fixed by: https://github.com/Yeraze/ytnef/commit/22f8346c8d4f0020a40d9f258fdb3bfc097359cc CVE-2017-6801 (An issue was discovered in ytnef before 1.9.2. There is a potential ou ...) {DSA-3846-1 DLA-878-1} - libytnef 1.9.2-1 NOTE: Fixed by: https://github.com/Yeraze/ytnef/commit/3cb0f914d6427073f262e1b2b5fd973e3043cdf7 CVE-2017-6800 (An issue was discovered in ytnef before 1.9.2. An invalid memory acces ...) {DSA-3846-1} - libytnef 1.9.2-1 [wheezy] - libytnef (vulnerable code not present) NOTE: Fixed by: https://github.com/Yeraze/ytnef/commit/f98f5d4adc1c4bd4033638f6167c1bb95d642f89 CVE-2017-6799 (A cross-site scripting (XSS) vulnerability in view_filters_page.php in ...) - mantis (Vulnerable versions only 2.1.0 through 2.2.0) [wheezy] - mantis (Unsupported in Wheezy LTS) NOTE: https://github.com/mantisbt/mantisbt/commit/1677251434b6e8b2be8f1d4376a3e78f7be14d95 NOTE: http://www.mantisbt.org/bugs/view.php?id=22497 CVE-2017-6797 (A cross-site scripting (XSS) vulnerability in bug_change_status_page.p ...) - mantis [wheezy] - mantis (Unsupported in Wheezy LTS) NOTE: https://github.com/mantisbt/mantisbt/commit/a2d90ecabf3bcf3aa22ed9dbbecfd3d37902956f NOTE: https://github.com/mantisbt/mantisbt/commit/c272c3f65da9677e505ff692b1f1e476b3afa56e NOTE: http://www.mantisbt.org/bugs/view.php?id=22486 CVE-2017-6796 (A vulnerability in the USB-modem code of Cisco IOS XE Software running ...) NOT-FOR-US: Cisco CVE-2017-6795 (A vulnerability in the USB-modem code of Cisco IOS XE Software running ...) NOT-FOR-US: Cisco CVE-2017-6794 (A vulnerability in the CLI command-parsing code of Cisco Meeting Serve ...) NOT-FOR-US: Cisco CVE-2017-6793 (A vulnerability in the Inventory Management feature of Cisco Prime Col ...) NOT-FOR-US: Cisco CVE-2017-6792 (A vulnerability in the batch provisioning feature in Cisco Prime Colla ...) NOT-FOR-US: Cisco CVE-2017-6791 (A vulnerability in the Trust Verification Service (TVS) of Cisco Unifi ...) NOT-FOR-US: Cisco CVE-2017-6790 (A vulnerability in the Session Initiation Protocol (SIP) on the Cisco ...) NOT-FOR-US: Cisco CVE-2017-6789 (A vulnerability in the Cisco Unified Intelligence Center web interface ...) NOT-FOR-US: Cisco CVE-2017-6788 (The WebLaunch functionality of Cisco AnyConnect Secure Mobility Client ...) NOT-FOR-US: Cisco CVE-2017-6787 RESERVED CVE-2017-6786 (A vulnerability in Cisco Elastic Services Controller could allow an au ...) NOT-FOR-US: Cisco CVE-2017-6785 (A vulnerability in configuration modification permissions validation f ...) NOT-FOR-US: Cisco CVE-2017-6784 (A vulnerability in the web interface of the Cisco RV340, RV345, and RV ...) NOT-FOR-US: Cisco CVE-2017-6783 (A vulnerability in SNMP polling for the Cisco Web Security Appliance ( ...) NOT-FOR-US: Cisco CVE-2017-6782 (A vulnerability in the administrative web interface of Cisco Prime Inf ...) NOT-FOR-US: Cisco CVE-2017-6781 (A vulnerability in the management of shell user accounts for Cisco Pol ...) NOT-FOR-US: Cisco CVE-2017-6780 (A vulnerability in the TCP throttling process for Cisco IoT Field Netw ...) NOT-FOR-US: Cisco CVE-2017-6779 (Multiple Cisco products are affected by a vulnerability in local file ...) NOT-FOR-US: Cisco CVE-2017-6778 (A vulnerability in the Elastic Services Controller (ESC) web interface ...) NOT-FOR-US: Cisco CVE-2017-6777 (A vulnerability in the ConfD server of the Cisco Elastic Services Cont ...) NOT-FOR-US: Cisco CVE-2017-6776 (A vulnerability in the web framework of Cisco Elastic Services Control ...) NOT-FOR-US: Cisco CVE-2017-6775 (A vulnerability in the CLI of Cisco ASR 5000 Series Aggregated Service ...) NOT-FOR-US: Cisco CVE-2017-6774 (A vulnerability in Cisco ASR 5000 Series Aggregated Services Routers r ...) NOT-FOR-US: Cisco CVE-2017-6773 (A vulnerability in the CLI of Cisco ASR 5000 Series Aggregated Service ...) NOT-FOR-US: Cisco CVE-2017-6772 (A vulnerability in Cisco Elastic Services Controller (ESC) could allow ...) NOT-FOR-US: Cisco CVE-2017-6771 (A vulnerability in the AutoVNF automation tool of the Cisco Ultra Serv ...) NOT-FOR-US: Cisco CVE-2017-6770 (Cisco IOS 12.0 through 15.6, Adaptive Security Appliance (ASA) Softwar ...) NOT-FOR-US: Cisco CVE-2017-6769 (A vulnerability in the web-based management interface of the Cisco Sec ...) NOT-FOR-US: Cisco CVE-2017-6768 (A vulnerability in the build procedure for certain executable system f ...) NOT-FOR-US: Cisco CVE-2017-6767 (A vulnerability in Cisco Application Policy Infrastructure Controller ...) NOT-FOR-US: Cisco CVE-2017-6766 (A vulnerability in the Secure Sockets Layer (SSL) Decryption and Inspe ...) NOT-FOR-US: Cisco CVE-2017-6765 (A vulnerability in the web-based management interface of Cisco Adaptiv ...) NOT-FOR-US: Cisco CVE-2017-6764 (A vulnerability in the web-based management interface of Cisco Adaptiv ...) NOT-FOR-US: Cisco CVE-2017-6763 (A vulnerability in the implementation of the H.264 protocol in Cisco M ...) NOT-FOR-US: Cisco CVE-2017-6762 (A vulnerability in the web-based management interface of Cisco Jabber ...) NOT-FOR-US: Cisco CVE-2017-6761 (A vulnerability in the web-based management interface of Cisco Finesse ...) NOT-FOR-US: Cisco CVE-2017-6760 RESERVED CVE-2017-6759 (A vulnerability in the UpgradeManager of the Cisco Prime Collaboration ...) NOT-FOR-US: Cisco CVE-2017-6758 (A vulnerability in the web framework of Cisco Unified Communications M ...) NOT-FOR-US: Cisco CVE-2017-6757 (A vulnerability in Cisco Unified Communications Manager 10.5(2.10000.5 ...) NOT-FOR-US: Cisco CVE-2017-6756 (A vulnerability in the Web UI Application of the Cisco Prime Collabora ...) NOT-FOR-US: Cisco CVE-2017-6755 (A vulnerability in the web portal of the Cisco Prime Collaboration Pro ...) NOT-FOR-US: Cisco CVE-2017-6754 (A vulnerability in the web-based management interface of the Cisco Sma ...) NOT-FOR-US: Cisco CVE-2017-6753 (A vulnerability in Cisco WebEx browser extensions for Google Chrome an ...) NOT-FOR-US: Cisco CVE-2017-6752 (A vulnerability in the web interface of the Cisco Adaptive Security Ap ...) NOT-FOR-US: Cisco CVE-2017-6751 (A vulnerability in the web proxy functionality of the Cisco Web Securi ...) NOT-FOR-US: Cisco CVE-2017-6750 (A vulnerability in AsyncOS for the Cisco Web Security Appliance (WSA) ...) NOT-FOR-US: Cisco CVE-2017-6749 (A vulnerability in the web-based management interface of Cisco Web Sec ...) NOT-FOR-US: Cisco CVE-2017-6748 (A vulnerability in the CLI parser of the Cisco Web Security Appliance ...) NOT-FOR-US: Cisco CVE-2017-6747 (A vulnerability in the authentication module of Cisco Identity Service ...) NOT-FOR-US: Cisco CVE-2017-6746 (A vulnerability in the web interface of the Cisco Web Security Applian ...) NOT-FOR-US: Cisco CVE-2017-6745 (A vulnerability in the cache server within Cisco Videoscape Distributi ...) NOT-FOR-US: Cisco CVE-2017-6744 (The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 1 ...) NOT-FOR-US: Cisco CVE-2017-6743 (The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 1 ...) NOT-FOR-US: Cisco CVE-2017-6742 (The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 1 ...) NOT-FOR-US: Cisco CVE-2017-6741 (The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 1 ...) NOT-FOR-US: Cisco CVE-2017-6740 (The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 1 ...) NOT-FOR-US: Cisco CVE-2017-6739 (The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 1 ...) NOT-FOR-US: Cisco CVE-2017-6738 (The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 1 ...) NOT-FOR-US: Cisco CVE-2017-6737 (The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 1 ...) NOT-FOR-US: Cisco CVE-2017-6736 (The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 1 ...) NOT-FOR-US: Cisco CVE-2017-6735 (A vulnerability in the backup and restore functionality of Cisco FireS ...) NOT-FOR-US: Cisco CVE-2017-6734 (A vulnerability in the web-based management interface of Cisco Identit ...) NOT-FOR-US: Cisco CVE-2017-6733 (A vulnerability in the web-based application interface of the Cisco Id ...) NOT-FOR-US: Cisco CVE-2017-6732 (A vulnerability in the installation procedure for Cisco Prime Network ...) NOT-FOR-US: Cisco CVE-2017-6731 (A vulnerability in Multicast Source Discovery Protocol (MSDP) ingress ...) NOT-FOR-US: Cisco CVE-2017-6730 (A vulnerability in the web-based GUI of Cisco Wide Area Application Se ...) NOT-FOR-US: Cisco CVE-2017-6729 (A vulnerability in the Border Gateway Protocol (BGP) processing functi ...) NOT-FOR-US: Cisco CVE-2017-6728 (A vulnerability in the CLI of Cisco IOS XR Software could allow an aut ...) NOT-FOR-US: Cisco CVE-2017-6727 (A vulnerability in the Server Message Block (SMB) protocol of Cisco Wi ...) NOT-FOR-US: Cisco CVE-2017-6726 (A vulnerability in the CLI of the Cisco Prime Network Gateway could al ...) NOT-FOR-US: Cisco CVE-2017-6725 (A vulnerability in the web framework code of Cisco Prime Infrastructur ...) NOT-FOR-US: Cisco CVE-2017-6724 (A vulnerability in the web framework code of Cisco Prime Infrastructur ...) NOT-FOR-US: Cisco CVE-2017-6723 RESERVED CVE-2017-6722 (A vulnerability in the Extensible Messaging and Presence Protocol (XMP ...) NOT-FOR-US: Cisco CVE-2017-6721 (A vulnerability in the ingress processing of fragmented TCP packets by ...) NOT-FOR-US: Cisco CVE-2017-6720 (A vulnerability in the Secure Shell (SSH) subsystem of Cisco Small Bus ...) NOT-FOR-US: Cisco CVE-2017-6719 (A vulnerability in the CLI of Cisco IOS XR Software could allow an aut ...) NOT-FOR-US: Cisco CVE-2017-6718 (A vulnerability in the CLI of Cisco IOS XR Software could allow an aut ...) NOT-FOR-US: Cisco CVE-2017-6717 (A vulnerability in the web framework of Cisco Firepower Management Cen ...) NOT-FOR-US: Cisco CVE-2017-6716 (A vulnerability in the web framework code of Cisco Firepower Managemen ...) NOT-FOR-US: Cisco CVE-2017-6715 (A vulnerability in the web framework of Cisco Firepower Management Cen ...) NOT-FOR-US: Cisco CVE-2017-6714 (A vulnerability in the AutoIT service of Cisco Ultra Services Framewor ...) NOT-FOR-US: Cisco CVE-2017-6713 (A vulnerability in the Play Framework of Cisco Elastic Services Contro ...) NOT-FOR-US: Cisco CVE-2017-6712 (A vulnerability in certain commands of Cisco Elastic Services Controll ...) NOT-FOR-US: Cisco CVE-2017-6711 (A vulnerability in the Ultra Automation Service (UAS) of the Cisco Ult ...) NOT-FOR-US: Cisco CVE-2017-6710 (A vulnerability in the Cisco Virtual Network Function (VNF) Element Ma ...) NOT-FOR-US: Cisco CVE-2017-6709 (A vulnerability in the AutoVNF tool for the Cisco Ultra Services Frame ...) NOT-FOR-US: Cisco CVE-2017-6708 (A vulnerability in the symbolic link (symlink) creation functionality ...) NOT-FOR-US: Cisco CVE-2017-6707 (A vulnerability in the CLI command-parsing code of the Cisco StarOS op ...) NOT-FOR-US: Cisco CVE-2017-6706 (A vulnerability in the logging subsystem of the Cisco Prime Collaborat ...) NOT-FOR-US: Cisco CVE-2017-6705 (A vulnerability in the filesystem of the Cisco Prime Collaboration Pro ...) NOT-FOR-US: Cisco CVE-2017-6704 (A vulnerability in the web application in the Cisco Prime Collaboratio ...) NOT-FOR-US: Cisco CVE-2017-6703 (A vulnerability in the web application in the Cisco Prime Collaboratio ...) NOT-FOR-US: Cisco CVE-2017-6702 (A vulnerability in the web framework of Cisco SocialMiner could allow ...) NOT-FOR-US: Cisco CVE-2017-6701 (A vulnerability in the web application interface of the Cisco Identity ...) NOT-FOR-US: Cisco CVE-2017-6700 (A vulnerability in the web-based management interface of Cisco Prime I ...) NOT-FOR-US: Cisco CVE-2017-6699 (A vulnerability in the web-based management interface of Cisco Prime I ...) NOT-FOR-US: Cisco CVE-2017-6698 (A vulnerability in the Cisco Prime Infrastructure (PI) and Evolved Pro ...) NOT-FOR-US: Cisco CVE-2017-6697 (A vulnerability in the web interface of Cisco Elastic Services Control ...) NOT-FOR-US: Cisco CVE-2017-6696 (A vulnerability in the file system of Cisco Elastic Services Controlle ...) NOT-FOR-US: Cisco CVE-2017-6695 (A vulnerability in the ConfD server in Cisco Ultra Services Platform c ...) NOT-FOR-US: Cisco CVE-2017-6694 (A vulnerability in the Virtual Network Function Manager's (VNFM) loggi ...) NOT-FOR-US: Cisco CVE-2017-6693 (A vulnerability in the ConfD server component of Cisco Elastic Service ...) NOT-FOR-US: Cisco CVE-2017-6692 (A vulnerability in Cisco Ultra Services Framework Element Manager coul ...) NOT-FOR-US: Cisco CVE-2017-6691 (A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers ...) NOT-FOR-US: Cisco CVE-2017-6690 (A vulnerability in the file check operation of Cisco ASR 5000 Series A ...) NOT-FOR-US: Cisco CVE-2017-6689 (A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers ...) NOT-FOR-US: Cisco CVE-2017-6688 (A vulnerability in Cisco Elastic Services Controllers could allow an a ...) NOT-FOR-US: Cisco CVE-2017-6687 (A vulnerability in Cisco Ultra Services Framework Element Manager coul ...) NOT-FOR-US: Cisco CVE-2017-6686 (A vulnerability in Cisco Ultra Services Framework Element Manager coul ...) NOT-FOR-US: Cisco CVE-2017-6685 (A vulnerability in Cisco Ultra Services Framework Staging Server could ...) NOT-FOR-US: Cisco CVE-2017-6684 (A vulnerability in Cisco Elastic Services Controllers could allow an a ...) NOT-FOR-US: Cisco CVE-2017-6683 (A vulnerability in the esc_listener.py script of Cisco Elastic Service ...) NOT-FOR-US: Cisco CVE-2017-6682 (A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers ...) NOT-FOR-US: Cisco CVE-2017-6681 (A vulnerability in the AutoVNF VNFStagingView class of Cisco Ultra Ser ...) NOT-FOR-US: Cisco CVE-2017-6680 (A vulnerability in the AutoVNF logging function of Cisco Ultra Service ...) NOT-FOR-US: Cisco CVE-2017-6679 (The Cisco Umbrella Virtual Appliance Version 2.0.3 and prior contained ...) NOT-FOR-US: Cisco CVE-2017-6678 (A vulnerability in the ingress UDP packet processing functionality of ...) NOT-FOR-US: Cisco CVE-2017-6677 RESERVED CVE-2017-6676 RESERVED CVE-2017-6675 (A vulnerability in the web interface of Cisco Industrial Network Direc ...) NOT-FOR-US: Cisco CVE-2017-6674 (A vulnerability in the feature-license management functionality of Cis ...) NOT-FOR-US: Cisco CVE-2017-6673 (A vulnerability in Cisco Firepower Management Center could allow an au ...) NOT-FOR-US: Cisco CVE-2017-6672 (A vulnerability in certain filtering mechanisms of access control list ...) NOT-FOR-US: Cisco CVE-2017-6671 (A vulnerability in the email message scanning of Cisco AsyncOS Softwar ...) NOT-FOR-US: Cisco CVE-2017-6670 (A vulnerability in the web-based GUI of Cisco Unified Communications D ...) NOT-FOR-US: Cisco CVE-2017-6669 (Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Netw ...) NOT-FOR-US: Cisco CVE-2017-6668 (Vulnerabilities in the web-based GUI of Cisco Unified Communications D ...) NOT-FOR-US: Cisco CVE-2017-6667 (A vulnerability in the update process for the dynamic JAR file of the ...) NOT-FOR-US: Cisco CVE-2017-6666 (A vulnerability in the forwarding component of Cisco IOS XR Software f ...) NOT-FOR-US: Cisco CVE-2017-6665 (A vulnerability in the Autonomic Networking feature of Cisco IOS Softw ...) NOT-FOR-US: Cisco CVE-2017-6664 (A vulnerability in the Autonomic Networking feature of Cisco IOS XE So ...) NOT-FOR-US: Cisco CVE-2017-6663 (A vulnerability in the Autonomic Networking feature of Cisco IOS Softw ...) NOT-FOR-US: Cisco CVE-2017-6662 (A vulnerability in the web-based user interface of Cisco Prime Infrast ...) NOT-FOR-US: Cisco CVE-2017-6661 (A vulnerability in the web-based management interface of Cisco Email S ...) NOT-FOR-US: Cisco CVE-2017-6660 RESERVED CVE-2017-6659 (A vulnerability in the web-based management interface of Cisco Prime C ...) NOT-FOR-US: Cisco CVE-2017-6658 (Cisco Sourcefire Snort 3.0 before build 233 has a Buffer Overread rela ...) NOT-FOR-US: Cisco CVE-2017-6657 (Cisco Sourcefire Snort 3.0 before build 233 mishandles Ether Type Vali ...) NOT-FOR-US: Cisco CVE-2017-6656 (A vulnerability in Session Initiation Protocol (SIP) call handling of ...) NOT-FOR-US: Cisco CVE-2017-6655 (A vulnerability in the Fibre Channel over Ethernet (FCoE) protocol imp ...) NOT-FOR-US: Cisco CVE-2017-6654 (A vulnerability in the web-based management interface of Cisco Unified ...) NOT-FOR-US: Cisco CVE-2017-6653 (A vulnerability in the TCP throttling process for the GUI of the Cisco ...) NOT-FOR-US: Cisco CVE-2017-6652 (A vulnerability in the web framework of the Cisco TelePresence IX5000 ...) NOT-FOR-US: Cisco CVE-2017-6651 (A vulnerability in Cisco WebEx Meetings Server could allow unauthentic ...) NOT-FOR-US: Cisco CVE-2017-6650 (A vulnerability in the Telnet CLI command of Cisco NX-OS System Softwa ...) NOT-FOR-US: Cisco CVE-2017-6649 (A vulnerability in the CLI of Cisco NX-OS System Software 7.1 through ...) NOT-FOR-US: Cisco CVE-2017-6648 (A vulnerability in the Session Initiation Protocol (SIP) of the Cisco ...) NOT-FOR-US: Cisco CVE-2017-6647 (A vulnerability in the web interface of Cisco Remote Expert Manager So ...) NOT-FOR-US: Cisco CVE-2017-6646 (A vulnerability in the web interface of Cisco Remote Expert Manager So ...) NOT-FOR-US: Cisco CVE-2017-6645 (A vulnerability in the web interface of Cisco Remote Expert Manager So ...) NOT-FOR-US: Cisco CVE-2017-6644 (A vulnerability in the web interface of Cisco Remote Expert Manager So ...) NOT-FOR-US: Cisco CVE-2017-6643 (A vulnerability in the web interface of Cisco Remote Expert Manager So ...) NOT-FOR-US: Cisco CVE-2017-6642 (A vulnerability in the web interface of Cisco Remote Expert Manager So ...) NOT-FOR-US: Cisco CVE-2017-6641 (A vulnerability in the TCP connection handling functionality of Cisco ...) NOT-FOR-US: Cisco CVE-2017-6640 (A vulnerability in Cisco Prime Data Center Network Manager (DCNM) Soft ...) NOT-FOR-US: Cisco CVE-2017-6639 (A vulnerability in the role-based access control (RBAC) functionality ...) NOT-FOR-US: Cisco CVE-2017-6638 (A vulnerability in how DLL files are loaded with Cisco AnyConnect Secu ...) NOT-FOR-US: Cisco CVE-2017-6637 (A vulnerability in the web interface of Cisco Prime Collaboration Prov ...) NOT-FOR-US: Cisco CVE-2017-6636 (A vulnerability in the web interface of Cisco Prime Collaboration Prov ...) NOT-FOR-US: Cisco CVE-2017-6635 (A vulnerability in the web interface of Cisco Prime Collaboration Prov ...) NOT-FOR-US: Cisco CVE-2017-6634 (A vulnerability in the Device Manager web interface of Cisco Industria ...) NOT-FOR-US: Cisco CVE-2017-6633 (A vulnerability in the TCP throttling process of Cisco UCS C-Series Ra ...) NOT-FOR-US: Cisco CVE-2017-6632 (A vulnerability in the logging configuration of Secure Sockets Layer ( ...) NOT-FOR-US: Cisco CVE-2017-6631 (A vulnerability in the HTTP remote procedure call (RPC) service of set ...) NOT-FOR-US: Cisco CVE-2017-6630 (A vulnerability in the Session Initiation Protocol (SIP) implementatio ...) NOT-FOR-US: Cisco CVE-2017-6629 (A vulnerability in the ImageID parameter of Cisco Unity Connection 10. ...) NOT-FOR-US: Cisco CVE-2017-6628 (A vulnerability in SMART-SSL Accelerator functionality for Cisco Wide ...) NOT-FOR-US: Cisco CVE-2017-6627 (A vulnerability in the UDP processing code of Cisco IOS 15.1, 15.2, an ...) NOT-FOR-US: Cisco CVE-2017-6626 (A vulnerability in the Cisco Finesse Notification Service for Cisco Un ...) NOT-FOR-US: Cisco CVE-2017-6625 (A "Cisco Firepower Threat Defense 6.0.0 through 6.2.2 and Cisco ASA wi ...) NOT-FOR-US: Cisco CVE-2017-6624 (A vulnerability in Cisco IOS 15.5(3)M Software for Cisco CallManager E ...) NOT-FOR-US: Cisco CVE-2017-6623 (A vulnerability in a script file that is installed as part of the Cisc ...) NOT-FOR-US: Cisco CVE-2017-6622 (A vulnerability in the web interface for Cisco Prime Collaboration Pro ...) NOT-FOR-US: Cisco CVE-2017-6621 (A vulnerability in the web interface of Cisco Prime Collaboration Prov ...) NOT-FOR-US: Cisco CVE-2017-6620 (A vulnerability in the remote management access control list (ACL) fea ...) NOT-FOR-US: Cisco CVE-2017-6619 (A vulnerability in the web-based GUI of Cisco Integrated Management Co ...) NOT-FOR-US: Cisco CVE-2017-6618 (A vulnerability in the web-based GUI of Cisco Integrated Management Co ...) NOT-FOR-US: Cisco CVE-2017-6617 (A vulnerability in the session identification management functionality ...) NOT-FOR-US: Cisco CVE-2017-6616 (A vulnerability in the web-based GUI of Cisco Integrated Management Co ...) NOT-FOR-US: Cisco CVE-2017-6615 (A vulnerability in the Simple Network Management Protocol (SNMP) subsy ...) NOT-FOR-US: Cisco CVE-2017-6614 (A vulnerability in the file-download feature of the web user interface ...) NOT-FOR-US: Cisco CVE-2017-6613 (A vulnerability in the DNS input packet processor for Cisco Prime Netw ...) NOT-FOR-US: Cisco CVE-2017-6612 (A vulnerability in the gateway GPRS support node (GGSN) of Cisco ASR 5 ...) NOT-FOR-US: Cisco CVE-2017-6611 (A vulnerability in the web framework code of Cisco Prime Infrastructur ...) NOT-FOR-US: Cisco CVE-2017-6610 (A vulnerability in the Internet Key Exchange Version 1 (IKEv1) XAUTH c ...) NOT-FOR-US: Cisco CVE-2017-6609 (A vulnerability in the IPsec code of Cisco ASA Software could allow an ...) NOT-FOR-US: Cisco CVE-2017-6608 (A vulnerability in the Secure Sockets Layer (SSL) and Transport Layer ...) NOT-FOR-US: Cisco CVE-2017-6607 (A vulnerability in the DNS code of Cisco ASA Software could allow an u ...) NOT-FOR-US: Cisco CVE-2017-6606 (A vulnerability in a startup script of Cisco IOS XE Software could all ...) NOT-FOR-US: Cisco CVE-2017-6605 (A vulnerability in the web-based management interface of Cisco Identit ...) NOT-FOR-US: Cisco CVE-2017-6604 (A vulnerability in the web interface of Cisco Integrated Management Co ...) NOT-FOR-US: Cisco CVE-2017-6603 (A vulnerability in Cisco ASR 903 or ASR 920 Series Devices running wit ...) NOT-FOR-US: Cisco CVE-2017-6602 (A vulnerability in the CLI of Cisco Unified Computing System (UCS) Man ...) NOT-FOR-US: Cisco CVE-2017-6601 (A vulnerability in the CLI of the Cisco Unified Computing System (UCS) ...) NOT-FOR-US: Cisco CVE-2017-6600 (A vulnerability in the CLI of the Cisco Unified Computing System (UCS) ...) NOT-FOR-US: Cisco CVE-2017-6599 (A vulnerability in Google-defined remote procedure call (gRPC) handlin ...) NOT-FOR-US: Cisco CVE-2017-6598 (A vulnerability in the debug plug-in functionality of the Cisco Unifie ...) NOT-FOR-US: Cisco CVE-2017-6597 (A vulnerability in the local-mgmt CLI command of the Cisco Unified Com ...) NOT-FOR-US: Cisco CVE-2017-6596 (partclone.chkimg in partclone 0.2.89 is prone to a heap-based buffer o ...) {DLA-923-1} [experimental] - partclone 0.2.90-1 - partclone 0.2.89-3 (bug #857966) [jessie] - partclone (Minor issue) NOTE: https://github.com/insidej/Partclone_HeapOverFlow/blob/master/README.md NOTE: https://github.com/Thomas-Tsai/partclone/issues/91 NOTE: https://github.com/Thomas-Tsai/partclone/commit/2d6bcfd8016dc6090090934bab71c663d9a4d36d NOTE: https://github.com/Thomas-Tsai/partclone/commit/96401fb5b7221fc5f44df7079485c395f9c3a428 CVE-2017-6595 RESERVED CVE-2017-6594 (The transit path validation code in Heimdal before 7.3 might allow att ...) - heimdal 7.1.0+dfsg-12 [jessie] - heimdal (Minor issue) [wheezy] - heimdal (Minor issue) NOTE: https://github.com/heimdal/heimdal/commit/b1e699103f08d6a0ca46a122193c9da65f6cf837 NOTE: See https://lists.debian.org/debian-lts/2017/05/msg00010.html CVE-2017-6593 RESERVED CVE-2017-6592 RESERVED CVE-2017-6591 (There is a cross-site scripting vulnerability in django-epiceditor 0.2 ...) NOT-FOR-US: django-epiceditor CVE-2017-6590 (An issue was discovered in network-manager-applet (aka network-manager ...) - network-manager-applet (unimportant) NOTE: Marked as 'unimportant', since not exploitable in Debian, although the source NOTE: would be affected as well for Debian. NOTE: https://bugs.launchpad.net/ubuntu/+source/network-manager-applet/+bug/1668321 CVE-2017-6589 (EpicEditor through 0.2.3 has Cross-Site Scripting because of an insecu ...) NOT-FOR-US: django-epiceditor CVE-2017-6588 RESERVED CVE-2017-6587 RESERVED CVE-2017-6586 RESERVED CVE-2017-6585 RESERVED CVE-2017-6584 RESERVED CVE-2017-6583 RESERVED CVE-2017-6582 RESERVED CVE-2017-6581 RESERVED CVE-2017-6580 RESERVED CVE-2017-6579 RESERVED CVE-2017-6578 (A SQL injection issue is exploitable, with WordPress admin access, in ...) NOT-FOR-US: Mail Masta (aka mail-masta) plugin 1.0 for WordPress CVE-2017-6577 (A SQL injection issue is exploitable, with WordPress admin access, in ...) NOT-FOR-US: Mail Masta (aka mail-masta) plugin 1.0 for WordPress CVE-2017-6576 (A SQL injection issue is exploitable, with WordPress admin access, in ...) NOT-FOR-US: Mail Masta (aka mail-masta) plugin 1.0 for WordPress CVE-2017-6575 (A SQL injection issue is exploitable, with WordPress admin access, in ...) NOT-FOR-US: Mail Masta (aka mail-masta) plugin 1.0 for WordPress CVE-2017-6574 (A SQL injection issue is exploitable, with WordPress admin access, in ...) NOT-FOR-US: Mail Masta (aka mail-masta) plugin 1.0 for WordPress CVE-2017-6573 (A SQL injection issue is exploitable, with WordPress admin access, in ...) NOT-FOR-US: Mail Masta (aka mail-masta) plugin 1.0 for WordPress CVE-2017-6572 (A SQL injection issue is exploitable, with WordPress admin access, in ...) NOT-FOR-US: Mail Masta (aka mail-masta) plugin 1.0 for WordPress CVE-2017-6571 (A SQL injection issue is exploitable, with WordPress admin access, in ...) NOT-FOR-US: Mail Masta (aka mail-masta) plugin 1.0 for WordPress CVE-2017-6570 (A SQL injection issue is exploitable, with WordPress admin access, in ...) NOT-FOR-US: Mail Masta (aka mail-masta) plugin 1.0 for WordPress CVE-2017-6569 RESERVED CVE-2017-6568 RESERVED CVE-2017-6567 RESERVED CVE-2017-6566 RESERVED CVE-2017-6565 (On Franklin Fueling Systems TS-550 evo 2.3.0.7332 devices, the roleDia ...) NOT-FOR-US: Franklin Fueling Systems TS-550 evo CVE-2017-6564 (On Franklin Fueling Systems TS-550 evo 2.3.0.7332 devices, the Guest u ...) NOT-FOR-US: Franklin Fueling Systems TS-550 evo CVE-2017-6563 RESERVED CVE-2017-6562 (XSS in Agora-Project 3.2.2 exists with an index.php?ctrl=file&targ ...) NOT-FOR-US: Agora-Project CVE-2017-6561 (XSS in Agora-Project 3.2.2 exists with an index.php?ctrl=object&ac ...) NOT-FOR-US: Agora-Project CVE-2017-6560 (XSS in Agora-Project 3.2.2 exists with an index.php?ctrl=misc&acti ...) NOT-FOR-US: Agora-Project CVE-2017-6559 (XSS in Agora-Project 3.2.2 exists with an index.php?disconnect=1&m ...) NOT-FOR-US: Agora-Project CVE-2017-6558 (iball Baton 150M iB-WRA150N v1 00000001 1.2.6 build 110401 Rel.47776n ...) NOT-FOR-US: iball Baton CVE-2017-6557 (SQL injection vulnerability in ArrayOS before AG 9.4.0.135, when the p ...) NOT-FOR-US: ArrayOS CVE-2017-6556 (Cross-site scripting (XSS) vulnerability in CMS Made Simple (CMSMS) 2. ...) NOT-FOR-US: CMS Made Simple CVE-2017-6555 (Cross-site scripting (XSS) vulnerability in /admin/moduleinterface.php ...) NOT-FOR-US: CMS Made Simple CVE-2017-6554 (pmmasterd in Quest Privilege Manager before 6.0.0.061, when configured ...) NOT-FOR-US: Quest Privilege Manager CVE-2017-6553 (Buffer Overflow in Quest One Identity Privilege Manager for Unix befor ...) NOT-FOR-US: Quest One Identity Privilege Manager for Unix CVE-2017-6552 (Livebox 3 Sagemcom SG30_sip-fr-5.15.8.1 devices have an insufficiently ...) NOT-FOR-US: Livebox 3 Sagemcom CVE-2017-6551 (Pexip Infinity before 14.2 allows remote attackers to cause a denial o ...) NOT-FOR-US: Pexip Infinity CVE-2017-6550 (Multiple SQL injection vulnerabilities in Kinsey Infor-Lawson (formerl ...) NOT-FOR-US: Kinsey Infor-Lawson CVE-2017-6549 (Session hijack vulnerability in httpd on ASUS RT-N56U, RT-N66U, RT-AC6 ...) NOT-FOR-US: ASUS CVE-2017-6548 (Buffer overflows in networkmap on ASUS RT-N56U, RT-N66U, RT-AC66U, RT- ...) NOT-FOR-US: ASUS CVE-2017-6547 (Cross-site scripting (XSS) vulnerability in httpd on ASUS RT-N56U, RT- ...) NOT-FOR-US: ASUS CVE-2017-6546 RESERVED CVE-2017-6545 RESERVED CVE-2017-6544 (Gargaj/wuhu through 2017-03-08 is vulnerable to a reflected XSS in wuh ...) NOT-FOR-US: wuhu CVE-2017-6543 (Tenable Nessus before 6.10.2 (as used alone or in Tenable Appliance be ...) NOT-FOR-US: Nessus CVE-2017-6542 (The ssh_agent_channel_data function in PuTTY before 0.68 allows remote ...) - putty 0.67-3 (bug #857642) [jessie] - putty (Minor issue) [wheezy] - putty (Minor issue) NOTE: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-agent-fwd-overflow.html NOTE: Fixed by: https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=4ff22863d895cb7ebfced4cf923a012a614adaa8 (0.68) NOTE: Bug only exploitable if SSH agent forwarding enabled (not the default) and if NOTE: the attacker can already be able to connect to the Unix-domain socket NOTE: representing the forwarded agent connection. CVE-2017-6541 (Multiple Cross-Site Scripting (XSS) issues were discovered in webpaget ...) NOT-FOR-US: webpagetest CVE-2017-6540 (Multiple Cross-Site Scripting (XSS) issues were discovered in webpaget ...) NOT-FOR-US: webpagetest CVE-2017-6539 (Multiple Cross-Site Scripting (XSS) issues were discovered in webpaget ...) NOT-FOR-US: webpagetest CVE-2017-6538 (A Cross-Site Scripting (XSS) issue was discovered in webpagetest 3.0. ...) NOT-FOR-US: webpagetest CVE-2017-6537 (A Cross-Site Scripting (XSS) issue was discovered in webpagetest 3.0. ...) NOT-FOR-US: webpagetest CVE-2017-6536 (Multiple Cross-Site Scripting (XSS) issues were discovered in webpaget ...) NOT-FOR-US: webpagetest CVE-2017-6535 (Multiple Cross-Site Scripting (XSS) issues were discovered in webpaget ...) NOT-FOR-US: webpagetest CVE-2017-6534 (A Cross-Site Scripting (XSS) issue was discovered in webpagetest 3.0. ...) NOT-FOR-US: webpagetest CVE-2017-6533 (A Cross-Site Scripting (XSS) issue was discovered in webpagetest 3.0. ...) NOT-FOR-US: webpagetest CVE-2017-6532 (Televes COAXDATA GATEWAY 1Gbps devices doc-wifi-hgw_v1.02.0014 4.20 ha ...) NOT-FOR-US: Televes COAXDATA GATEWAY CVE-2017-6531 (On Televes COAXDATA GATEWAY 1Gbps devices doc-wifi-hgw_v1.02.0014 4.20 ...) NOT-FOR-US: Televes COAXDATA GATEWAY CVE-2017-6530 (Televes COAXDATA GATEWAY 1Gbps devices doc-wifi-hgw_v1.02.0014 4.20 do ...) NOT-FOR-US: Televes COAXDATA GATEWAY CVE-2017-6529 (An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is vuln ...) NOT-FOR-US: dnaLIMS CVE-2017-6528 (An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is affe ...) NOT-FOR-US: dnaLIMS CVE-2017-6527 (An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is vuln ...) NOT-FOR-US: dnaLIMS CVE-2017-6526 (An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is vuln ...) NOT-FOR-US: dnaLIMS CVE-2017-6525 RESERVED CVE-2017-6524 RESERVED CVE-2017-6523 RESERVED CVE-2017-6522 RESERVED CVE-2017-6521 RESERVED CVE-2017-6520 (The Multicast DNS (mDNS) responder used in BOSE Soundtouch 30 inadvert ...) NOT-FOR-US: Multicast DNS (mDNS) responder used in BOSE Soundtouch 30 CVE-2017-6519 (avahi-daemon in Avahi through 0.6.32 and 0.7 inadvertently responds to ...) - avahi 0.7-5 (unimportant; bug #917047) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1426712 NOTE: https://github.com/lathiat/avahi/issues/203 NOTE: https://github.com/lathiat/avahi/commit/e111def44a7df4624a4aa3f85fe98054bffb6b4f CVE-2017-6518 (Cross-site scripting (XSS) vulnerability in /sanadata/seo/index.asp in ...) NOT-FOR-US: SanaCMS CVE-2017-6517 (Microsoft Skype 7.16.0.102 contains a vulnerability that could allow a ...) NOT-FOR-US: Microsoft CVE-2017-6516 (A Local Privilege Escalation Vulnerability in MagniComp's Sysinfo befo ...) NOT-FOR-US: MagniComp CVE-2017-6515 RESERVED CVE-2017-6514 (WordPress 4.7.2 mishandles listings of post authors, which allows remo ...) - wordpress (unimportant) NOTE: No security impact CVE-2017-6513 (The WHMCS Reseller Module V2 2.0.2 in Softaculous Virtualizor before 2 ...) NOT-FOR-US: Softaculous Virtualizor CVE-2017-6512 (Race condition in the rmtree and remove_tree functions in the File-Pat ...) {DSA-3873-1 DLA-978-1} - perl 5.24.1-3 (bug #863870) NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=121951 NOTE: https://github.com/jkeenan/File-Path/commit/e5ef95276ee8ad471c66ee574a5d42552b3a6af2 CVE-2016-10245 (Insufficient sanitization of the query parameter in templates/html/sea ...) {DLA-1812-1} - doxygen 1.8.12-1 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=762934 NOTE: https://github.com/doxygen/doxygen/commit/1cc1adad2de03a0f013881b8960daf89aa155081 (Release_1_8_12) CVE-2017-6511 (andrzuk/FineCMS before 2017-03-06 is vulnerable to a reflected XSS in ...) NOT-FOR-US: FineCMS CVE-2017-6510 (Easy File Sharing FTP Server version 3.6 is vulnerable to a directory ...) NOT-FOR-US: Easy File Sharing FTP Server CVE-2017-6509 (Smith0r/burgundy-cms before 2017-03-06 is vulnerable to a reflected XS ...) NOT-FOR-US: burgundy-cms CVE-2017-6507 (An issue was discovered in AppArmor before 2.12. Incorrect handling of ...) - apparmor 2.11.0-3 (bug #858768) [jessie] - apparmor (Minor issue) [wheezy] - apparmor (Experimental/unsupported feature) NOTE: http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3647 NOTE: http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3648 NOTE: https://bugs.launchpad.net/apparmor/+bug/1668892 NOTE: affects only third-party rules, e.g. from Docker or LXC NOTE: LXC in wheezy doesn't support proper isolation CVE-2017-6814 (In WordPress before 4.7.3, there is authenticated Cross-Site Scripting ...) {DSA-3815-1 DLA-860-1} - wordpress 4.7.3+dfsg-1 (bug #857026) NOTE: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/ NOTE: https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7 CVE-2017-6815 (In WordPress before 4.7.3 (wp-includes/pluggable.php), control charact ...) {DSA-3815-1 DLA-860-1} - wordpress 4.7.3+dfsg-1 (bug #857026) NOTE: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/ NOTE: https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e CVE-2017-6816 (In WordPress before 4.7.3 (wp-admin/plugins.php), unintended files can ...) {DSA-3815-1 DLA-860-1} - wordpress 4.7.3+dfsg-1 (bug #857026) NOTE: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/ NOTE: https://github.com/WordPress/WordPress/commit/4d80f8b3e1b00a3edcee0774dc9c2f4c78f9e663 CVE-2017-6817 (In WordPress before 4.7.3 (wp-includes/embed.php), there is authentica ...) {DSA-3815-1} - wordpress 4.7.3+dfsg-1 (bug #857026) [wheezy] - wordpress (vulnerable code was introduced later) NOTE: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/ NOTE: https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8 CVE-2017-6818 (In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-si ...) - wordpress 4.7.3+dfsg-1 (bug #857026) [jessie] - wordpress (Only affects 4.7.x) [wheezy] - wordpress (Only affects 4.7.x) NOTE: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/ NOTE: https://github.com/WordPress/WordPress/commit/9092fd01e1f452f37c313d38b18f9fe6907541f9 CVE-2017-6819 (In WordPress before 4.7.3, there is cross-site request forgery (CSRF) ...) - wordpress 4.7.3+dfsg-1 (bug #857026) [jessie] - wordpress (Only affects 4.2 and later) [wheezy] - wordpress (Only affects 4.2 and later) NOTE: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/ NOTE: https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829 CVE-2017-6508 (CRLF injection vulnerability in the url_parse function in url.c in Wge ...) {DLA-851-1} - wget 1.19.1-2 (bug #857073) [buster] - wget 1.18-5 [stretch] - wget 1.18-5 [jessie] - wget 1.16-1+deb8u2 NOTE: http://lists.gnu.org/archive/html/bug-wget/2017-03/msg00018.html NOTE: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=4d729e322fae359a1aefaafec1144764a54e8ad4 CVE-2017-6506 (In Azure Data Expert Ultimate 2.2.16, the SMTP verification function s ...) NOT-FOR-US: Azure Data Expert Ultimate CVE-2017-6505 (The ohci_service_ed_list function in hw/usb/hcd-ohci.c in QEMU (aka Qu ...) {DLA-1497-1 DLA-1071-1 DLA-1070-1} - qemu 1:2.8+dfsg-4 (bug #856969) - qemu-kvm NOTE: Fixed by: http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=95ed56939eb2eaa4e2f349fe6dcd13ca4edfd8fb CVE-2017-6504 (WebUI in qBittorrent before 3.3.11 did not set the X-Frame-Options hea ...) {DLA-897-1} - qbittorrent 3.3.7-3 (low; bug #856978) [jessie] - qbittorrent (Minor issue) NOTE: https://github.com/qbittorrent/qBittorrent/commit/f5ad04766f4abaa78374ff03704316f8ce04627d NOTE: Fixed upstream in 3.3.11 CVE-2017-6503 (WebUI in qBittorrent before 3.3.11 did not escape many values, which c ...) {DLA-897-1} - qbittorrent 3.3.7-3 (low; bug #856977) [jessie] - qbittorrent (Minor issue) NOTE: https://github.com/qbittorrent/qBittorrent/commit/6ca3e4f094da0a0017cb2d483ec1db6176bb0b16 NOTE: Fixed upstream in 3.3.11 CVE-2017-6502 (An issue was discovered in ImageMagick 6.9.7. A specially crafted webp ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant; bug #856883) NOTE: webp is disable under Debian, cf. https://bugs.debian.org/856883#14 NOTE: https://github.com/ImageMagick/ImageMagick/commit/126c7c98ea788241922c30df4a5633ea692cf8df CVE-2017-6501 (An issue was discovered in ImageMagick 6.9.7. A specially crafted xcf ...) - imagemagick 8:6.9.7.4+dfsg-2 (bug #856881) [jessie] - imagemagick (Vulnerable code not present) [wheezy] - imagemagick (vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/commit/d31fec57e9dfb0516deead2053a856e3c71e9751 CVE-2017-6500 (An issue was discovered in ImageMagick 6.9.7. A specially crafted sun ...) {DSA-3808-1 DLA-868-1} - imagemagick 8:6.9.7.4+dfsg-2 (bug #856879) NOTE: https://github.com/ImageMagick/ImageMagick/commit/3007531bfd326c5c1e29cd41d2cd80c166de8528 NOTE: https://github.com/ImageMagick/ImageMagick/issues/375 NOTE: https://github.com/ImageMagick/ImageMagick/issues/376 CVE-2017-6499 (An issue was discovered in Magick++ in ImageMagick 6.9.7. A specially ...) {DSA-3808-1} - imagemagick 8:6.9.7.4+dfsg-2 (bug #856880) [wheezy] - imagemagick (vulnerable code not present) NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=23&p=142634 NOTE: https://github.com/ImageMagick/ImageMagick/commit/3358f060fc182551822576b2c0a8850faab5d543 CVE-2017-6498 (An issue was discovered in ImageMagick 6.9.7. Incorrect TGA files coul ...) {DSA-3808-1 DLA-868-1} - imagemagick 8:6.9.7.4+dfsg-2 (bug #856878) NOTE: https://github.com/ImageMagick/ImageMagick/commit/65f75a32a93ae4044c528a987a68366ecd4b46b9 NOTE: https://github.com/ImageMagick/ImageMagick/pull/359 CVE-2017-6497 (An issue was discovered in ImageMagick 6.9.7. A specially crafted psd ...) - imagemagick 8:6.9.7.4+dfsg-2 (bug #856882) [jessie] - imagemagick (Vulnerable code not present) [wheezy] - imagemagick (vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/commit/7f2dc7a1afc067d0c89f12c82bcdec0445fb1b94 CVE-2017-6496 RESERVED CVE-2017-6495 RESERVED CVE-2017-6494 RESERVED CVE-2017-6493 RESERVED CVE-2017-6492 (SQL Injection was discovered in adm_program/modules/dates/dates_functi ...) NOT-FOR-US: Admidio CVE-2017-6491 (Multiple Cross-Site Scripting (XSS) issues were discovered in EPESI 1. ...) NOT-FOR-US: EPESI CVE-2017-6490 (Multiple Cross-Site Scripting (XSS) issues were discovered in EPESI 1. ...) NOT-FOR-US: EPESI CVE-2017-6489 (Multiple Cross-Site Scripting (XSS) issues were discovered in EPESI 1. ...) NOT-FOR-US: EPESI CVE-2017-6488 (Multiple Cross-Site Scripting (XSS) issues were discovered in EPESI 1. ...) NOT-FOR-US: EPESI CVE-2017-6487 (Multiple Cross-Site Scripting (XSS) issues were discovered in EPESI 1. ...) NOT-FOR-US: EPESI CVE-2017-6486 (A Cross-Site Scripting (XSS) issue was discovered in reasoncms before ...) NOT-FOR-US: reasoncms CVE-2017-6485 (A Cross-Site Scripting (XSS) issue was discovered in php-calendar befo ...) NOT-FOR-US: PHP-Calendar CVE-2017-6484 (Multiple Cross-Site Scripting (XSS) issues were discovered in INTER-Me ...) NOT-FOR-US: INTER-Mediator CVE-2017-6483 (Multiple Cross-Site Scripting (XSS) issues were discovered in ATutor 2 ...) NOT-FOR-US: ATutor CVE-2017-6482 REJECTED CVE-2017-6481 (Multiple Cross-Site Scripting (XSS) issues were discovered in phpipam ...) NOT-FOR-US: phpipam CVE-2017-6480 (groovel/cmsgroovel before 3.3.7-beta is vulnerable to a reflected XSS ...) NOT-FOR-US: cmsgroovel CVE-2017-6479 (FenixHosting/fenix-open-source before 2017-03-04 is vulnerable to a re ...) NOT-FOR-US: FenixHosting (different than fenix game engine) CVE-2017-6478 (paintballrefjosh/MaNGOSWebV4 before 4.0.8 is vulnerable to a reflected ...) NOT-FOR-US: MaNGOSWebV4 CVE-2016-10244 (The parse_charstrings function in type1/t1load.c in FreeType 2 before ...) {DSA-3839-1 DLA-848-1} [experimental] - freetype 2.7.1-0.1 - freetype 2.6.3-3.1 (bug #856971) NOTE: Fixed in 2.7: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/tree/ChangeLog?h=VER-2-7 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36 NOTE: Fixed by: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a660e3de422731b94d4a134d27555430cbb6fb39 (VER-2-7) CVE-2016-10243 (TeX Live allows remote attackers to execute arbitrary commands by leve ...) {DSA-3803-1 DLA-847-1} - texlive-bin 2019.20190605.51237-2 (unimportant) - texlive-base 2016.20161130-1 NOTE: https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/ NOTE: http://www.tug.org/svn/texlive?view=revision&revision=42605 CVE-2017-6477 RESERVED CVE-2017-6476 RESERVED CVE-2017-6475 RESERVED CVE-2017-6474 (In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a NetScaler ...) {DSA-3811-1 DLA-858-1} - wireshark 2.2.5+g440fd4d-2 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-07.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=a998c9195f183d85f5b0bbeebba21a2d4d303d47 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13429 CVE-2017-6473 (In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a K12 file p ...) {DSA-3811-1 DLA-858-1} - wireshark 2.2.5+g440fd4d-2 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-09.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=7edc761a01cda8e1b37677f673985582330317d2 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13431 CVE-2017-6472 (In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is an RTMPT dis ...) {DSA-3811-1 DLA-858-1} - wireshark 2.2.5+g440fd4d-2 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-04.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2b3a0909beff8963b390034c594e0b6be6a4e531 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13347 CVE-2017-6471 (In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a WSP infini ...) {DSA-3811-1 DLA-858-1} - wireshark 2.2.5+g440fd4d-2 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-05.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=62afef41277dfac37f515207ca73d33306e3302b NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13348 CVE-2017-6470 (In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is an IAX2 infi ...) {DSA-3811-1 DLA-858-1} - wireshark 2.2.5+g440fd4d-2 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-10.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=0b89174ef4c531a1917437fff586fe525ee7bf2d NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13432 CVE-2017-6469 (In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is an LDSS diss ...) {DSA-3811-1 DLA-858-1} - wireshark 2.2.5+g440fd4d-2 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-03.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=4f753c127082d5e28abf482d6d175cbfee6661f7 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13346 CVE-2017-6468 (In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a NetScaler ...) {DSA-3811-1 DLA-858-1} - wireshark 2.2.5+g440fd4d-2 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-08.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=9f3bc84b7e7e435c50b8b68f0fc526d0f5676cbf NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13430 CVE-2017-6467 (In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a Netscaler ...) {DSA-3811-1 DLA-858-1} - wireshark 2.2.5+g440fd4d-2 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-11.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=284ad58d288722a8725401967bff0c4455488f0c NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12083 CVE-2017-6466 (F-Secure Software Updater 2.20, as distributed in several F-Secure pro ...) NOT-FOR-US: F-Secure CVE-2017-6465 (Remote Code Execution was discovered in FTPShell Client 6.53. By defau ...) NOT-FOR-US: FTPShell Client CVE-2017-6464 (NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote attackers to ...) - ntp 1:4.2.8p10+dfsg-1 (low) [jessie] - ntp (Minor issue) [wheezy] - ntp (Minor issue) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3389 NOTE: https://cure53.de/pentest-report_ntp.pdf CVE-2017-6463 (NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote authenticate ...) - ntp 1:4.2.8p10+dfsg-1 [jessie] - ntp (Minor issue) [wheezy] - ntp (Minor issue) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3387 NOTE: https://cure53.de/pentest-report_ntp.pdf CVE-2017-6462 (Buffer overflow in the legacy Datum Programmable Time Server (DPTS) re ...) - ntp 1:4.2.8p10+dfsg-1 (unimportant) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3388 NOTE: https://cure53.de/pentest-report_ntp.pdf NOTE: Obscure legacy feature, no real impact CVE-2017-6461 REJECTED CVE-2017-6460 (Stack-based buffer overflow in the reslist function in ntpq in NTP bef ...) - ntp 1:4.2.8p10+dfsg-1 [jessie] - ntp (Vulnerable code not present) [wheezy] - ntp (Vulnerable code not present) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3377 NOTE: https://cure53.de/pentest-report_ntp.pdf CVE-2017-6459 (The Windows installer for NTP before 4.2.8p10 and 4.3.x before 4.3.94 ...) - ntp (NTP on Windows) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3382 CVE-2017-6458 (Multiple buffer overflows in the ctl_put* functions in NTP before 4.2. ...) - ntp 1:4.2.8p10+dfsg-1 (unimportant) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3379 NOTE: https://cure53.de/pentest-report_ntp.pdf NOTE: This is not a vulnerability per se, but a weakness in an internal helper function CVE-2017-6457 REJECTED CVE-2017-6456 REJECTED CVE-2017-6455 (NTP before 4.2.8p10 and 4.3.x before 4.3.94, when using PPSAPI, allows ...) - ntp (NTP on Windows) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3384 CVE-2017-6454 REJECTED CVE-2017-6453 REJECTED CVE-2017-6452 (Stack-based buffer overflow in the Windows installer for NTP before 4. ...) - ntp (NTP on Windows) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3383 CVE-2017-6451 (The mx4200_send function in the legacy MX4200 refclock in NTP before 4 ...) - ntp (Vulnerable code not enabled at build time) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3378 CVE-2017-6450 RESERVED CVE-2017-6449 RESERVED CVE-2017-6448 (The dalvik_disassemble function in libr/asm/p/asm_dalvik.c in radare2 ...) {DLA-901-1} [experimental] - radare2 1.3.0+dfsg-1 - radare2 1.1.0+dfsg-4 (bug #859447) [jessie] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/commit/f41e941341e44aa86edd4483c4487ec09a074257 (1.3.0-git) NOTE: https://github.com/radare/radare2/issues/6885 CVE-2017-6447 RESERVED CVE-2017-6446 (XSS was discovered in Dotclear v2.11.2, affecting admin/blogs.php and ...) - dotclear CVE-2017-6445 (The auto-update feature of Open Embedded Linux Entertainment Center (O ...) NOT-FOR-US: OpenELEC CVE-2017-6444 (The MikroTik Router hAP Lite 6.25 has no protection mechanism for unso ...) NOT-FOR-US: MikroTik Router hAP Lite CVE-2017-6443 (Cross-site scripting (XSS) vulnerability in EPSON TMNet WebConfig 1.00 ...) NOT-FOR-US: EPSON TMNet WebConfig CVE-2002-2447 RESERVED CVE-2017-XXXX [dns: out of bound memory read] - suricata 3.2.1-1 (bug #856648) [jessie] - suricata 2.0.7-2+deb8u3 [wheezy] - suricata (vulnerable code not present) NOTE: https://redmine.openinfosecfoundation.org/issues/2022 NOTE: Fixed by: https://github.com/inliniac/suricata/commit/20990f7a7eb7939946a275dfc9a95426b0080a19 (3.2.1) CVE-2017-7177 (Suricata before 3.2.1 has an IPv4 defragmentation evasion issue caused ...) {DLA-1603-1 DLA-865-1} - suricata 3.2.1-1 (bug #856649) NOTE: https://redmine.openinfosecfoundation.org/issues/2019 NOTE: Fixed by: https://github.com/inliniac/suricata/commit/4a04f814b15762eb446a5ead4d69d021512df6f8 (3.2.1) CVE-2017-6442 RESERVED CVE-2017-6441 (** DISPUTED ** The _zval_get_long_func_ex in Zend/zend_operators.c in ...) NOTE: PHP bug without security relevance CVE-2017-6440 (The parse_data_node function in bplist.c in libimobiledevice libplist ...) - libplist 1.12+git+1+e37ca00-0.2 (bug #858055) [jessie] - libplist (Minor issue) [wheezy] - libplist (vulnerable code not present) NOTE: https://github.com/libimobiledevice/libplist/issues/99 NOTE: Fixed by: https://github.com/libimobiledevice/libplist/commit/dccd9290745345896e3a4a73154576a599fd8b7b CVE-2017-6439 (Heap-based buffer overflow in the parse_string_node function in bplist ...) {DLA-2168-1 DLA-870-1} - libplist 1.12+git+1+e37ca00-0.1 NOTE: https://github.com/libimobiledevice/libplist/issues/95 NOTE: https://github.com/libimobiledevice/libplist/commit/32ee5213fe64f1e10ec76c1ee861ee6f233120dd CVE-2017-6438 (Heap-based buffer overflow in the parse_unicode_node function in bplis ...) - libplist 1.12+git+1+e37ca00-0.2 (bug #858786) [jessie] - libplist (Minor issue) [wheezy] - libplist (vulnerable code not present) NOTE: https://github.com/libimobiledevice/libplist/issues/98 NOTE: Fixed by: https://github.com/libimobiledevice/libplist/commit/dccd9290745345896e3a4a73154576a599fd8b7b CVE-2017-6437 (The base64encode function in base64.c in libimobiledevice libplist 1.1 ...) - libplist 1.12+git+1+e37ca00-0.2 (bug #858787) [jessie] - libplist (Minor issue) [wheezy] - libplist (vulnerable code not present) NOTE: https://github.com/libimobiledevice/libplist/issues/100 NOTE: Fixed by: https://github.com/libimobiledevice/libplist/commit/dccd9290745345896e3a4a73154576a599fd8b7b CVE-2017-6436 (The parse_string_node function in bplist.c in libimobiledevice libplis ...) {DLA-2168-1 DLA-870-1} - libplist 1.12+git+1+e37ca00-0.1 NOTE: https://github.com/libimobiledevice/libplist/issues/94 NOTE: https://github.com/libimobiledevice/libplist/commit/32ee5213fe64f1e10ec76c1ee861ee6f233120dd CVE-2017-6435 (The parse_string_node function in bplist.c in libimobiledevice libplis ...) {DLA-2168-1 DLA-870-1} - libplist 1.12+git+1+e37ca00-0.1 NOTE: https://github.com/libimobiledevice/libplist/issues/93 NOTE: https://github.com/libimobiledevice/libplist/commit/fbd8494d5e4e46bf2e90cb6116903e404374fb56 CVE-2017-6434 RESERVED CVE-2017-6433 RESERVED CVE-2017-6432 (An issue was discovered on Dahua DHI-HCVR7216A-S3 3.210.0001.10 build ...) NOT-FOR-US: Dahua DVR CVE-2017-6431 RESERVED CVE-2017-6430 (The compile_tree function in ef_compiler.c in the Etterfilter utility ...) {DSA-3874-1} - ettercap 1:0.8.2-4 (bug #857035) NOTE: https://github.com/Ettercap/ettercap/issues/782 NOTE: Patch: https://github.com/LocutusOfBorg/ettercap/commit/626dc56686f15f2dda13c48f78c2a666cb6d8506 CVE-2017-6429 (Buffer overflow in the tcpcapinfo utility in Tcpreplay before 4.2.0 Be ...) - tcpreplay (Vulnerable code not present) NOTE: https://github.com/appneta/tcpreplay/issues/278 NOTE: https://github.com/appneta/tcpreplay/commit/d689d14dbcd768c028eab2fb378d849e543dcfe9 CVE-2017-6428 RESERVED CVE-2017-6427 (A Buffer Overflow was discovered in EvoStream Media Server 1.7.1. A cr ...) NOT-FOR-US: EvoStream Media Server CVE-2017-6849 (The PoDoFo::PdfColorGray::~PdfColorGray function in PdfColor.cpp in Po ...) - libpodofo 0.9.5-9 (bug #861566) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/10 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfcolorgraypdfcolorgray-pdfcolor-cpp NOTE: https://sourceforge.net/p/podofo/tickets/8/ NOTE: Same fix as for CVE-2017-6845 CVE-2017-6848 (The PoDoFo::PdfXObject::PdfXObject function in PdfXObject.cpp in PoDoF ...) {DLA-968-1} - libpodofo 0.9.4-6 (bug #861565) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/9 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfxobjectpdfxobject-pdfxobject-cpp NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1846 CVE-2017-6847 (The PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo ...) {DLA-968-1} - libpodofo 0.9.4-6 (bug #861564) [jessie] - libpodofo (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/8 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfvariantdelayedload-pdfvariant-h NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1846 CVE-2017-6846 (The GraphicsStack::TGraphicsStackElement::SetNonStrokingColorSpace fun ...) - libpodofo 0.9.5-9 (bug #861563) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/7 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-graphicsstacktgraphicsstackelementsetnonstrokingcolorspace-graphicsstack-h/ NOTE: https://sourceforge.net/p/podofo/tickets/9/ NOTE: Same fix as for CVE-2017-6845 CVE-2017-6845 (The PoDoFo::PdfColor::operator function in PdfColor.cpp in PoDoFo 0.9. ...) - libpodofo 0.9.5-9 (bug #861562) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: The motivation for no-dsa in wheezy is that there are no known NOTE: services that use this library (apart from desktop applications) NOTE: and the worst case is a DoS. NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/6 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfcoloroperator-pdfcolor-cpp NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1892 CVE-2017-6844 (Buffer overflow in the PoDoFo::PdfParser::ReadXRefSubsection function ...) {DLA-929-1} - libpodofo 0.9.4-5 (bug #861561) [jessie] - libpodofo (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/5 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-global-buffer-overflow-in-podofopdfparserreadxrefsubsection-pdfparser-cpp NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1840/ CVE-2017-6843 (Heap-based buffer overflow in the PoDoFo::PdfVariant::DelayedLoad func ...) {DLA-968-1} - libpodofo 0.9.4-6 (bug #861560) [jessie] - libpodofo (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/4 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-heap-based-buffer-overflow-in-podofopdfvariantdelayedload-pdfvariant-h NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1844 NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1845 CVE-2017-6842 (The ColorChanger::GetColorFromStack function in colorchanger.cpp in Po ...) {DLA-968-1} - libpodofo 0.9.4-6 (bug #861559) [jessie] - libpodofo (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/3 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-colorchangergetcolorfromstack-colorchanger-cpp NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1844 NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1845 CVE-2017-6841 (The GraphicsStack::TGraphicsStackElement::~TGraphicsStackElement funct ...) - libpodofo 0.9.5-9 (bug #861558) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/2 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-graphicsstacktgraphicsstackelementtgraphicsstackelement-graphicsstack-h NOTE: https://sourceforge.net/p/podofo/tickets/10/ NOTE: Same fix as for CVE-2017-6845 CVE-2017-6840 (The ColorChanger::GetColorFromStack function in colorchanger.cpp in Po ...) {DLA-968-1} - libpodofo 0.9.4-6 (bug #861557) [jessie] - libpodofo (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/1 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-invalid-memory-read-in-colorchangergetcolorfromstack-colorchanger-cpp NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1844 NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1845 CVE-2017-6426 (An information disclosure vulnerability in the Qualcomm SPMI driver. P ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-6425 (An information disclosure vulnerability in the Qualcomm video driver. ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-6424 (An elevation of privilege vulnerability in the Qualcomm WiFi driver. P ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-6423 (An elevation of privilege vulnerability in the Qualcomm kyro L2 driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10242 (A time-of-check time-of-use race condition could potentially exist in ...) NOT-FOR-US: Qualcomm component/driver for Android CVE-2016-10241 RESERVED NOT-FOR-US: Qualcomm components for Android CVE-2016-10240 RESERVED NOT-FOR-US: Qualcomm components for Android CVE-2016-10239 (In TrustZone access control policy may potentially be bypassed in all ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10238 (In QSEE in all Android releases from CAF using the Linux kernel access ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10237 (If shared content protection memory were passed as the secure camera m ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10236 (An information disclosure vulnerability in the Qualcomm USB driver. Pr ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10235 (A denial of service vulnerability in the Qualcomm WiFi driver. Product ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10234 (An information disclosure vulnerability in the Qualcomm IPA driver. Pr ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10233 (An elevation of privilege vulnerability in the Qualcomm video driver. ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10232 (An elevation of privilege vulnerability in the Qualcomm video driver. ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10231 (An elevation of privilege vulnerability in the Qualcomm sound codec dr ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10230 (A remote code execution vulnerability in the Qualcomm crypto driver. P ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-10229 (udp.c in the Linux kernel before 4.5 allows remote attackers to execut ...) - linux 4.5.1-1 (bug #808293) [jessie] - linux 3.16.7-ckt20-1+deb8u2 [wheezy] - linux 3.2.73-2+deb7u2 NOTE: Fixed by: https://git.kernel.org/linus/197c949e7798fbf28cfadc69d9ca0c2abbf93191 (v4.5-rc1) CVE-2015-9003 (In TrustZone a cryptographic issue can potentially occur in all Androi ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9002 (In TrustZone an out-of-range pointer offset vulnerability can potentia ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9001 (In TrustZone an information exposure vulnerability can potentially occ ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9000 (In TrustZone an untrusted pointer dereference vulnerability can potent ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-8999 (In TrustZone a buffer overflow vulnerability can potentially occur in ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-8998 (In TrustZone an integer overflow vulnerability can potentially occur i ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-8997 (In TrustZone a time-of-check time-of-use race condition could potentia ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-8996 (In TrustZone a time-of-check time-of-use race condition could potentia ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-8995 (In TrustZone an integer overflow vulnerability can potentially occur i ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9938 (contrib/completion/git-prompt.sh in Git before 1.9.3 does not sanitize ...) - git 1:2.0.0~rc2-1 [wheezy] - git (Vulnerable code introduced in 1.8.1-rc0) NOTE: https://github.com/git/git/commit/8976500cbbb13270398d3b3e07a17b8cc7bff43f NOTE: https://github.com/njhartwell/pw3nage NOTE: Vulnerability likely introduced by the "pc_mode" in https://github.com/git/git/commit/1bfc51ac814125de03ddf1900245e42d6ce0d250 CVE-2014-9937 (In TrustZone a buffer overflow vulnerability can potentially occur in ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9936 (In TrustZone a time-of-check time-of-use race condition could potentia ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9935 (In TrustZone an integer overflow vulnerability leading to a buffer ove ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9934 (A PKCS#1 v1.5 signature verification routine in all Android releases f ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9933 (Due to missing input validation in all Android releases from CAF using ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9932 (In TrustZone, an integer overflow vulnerability can potentially occur ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9931 (A buffer overflow vulnerability in all Android releases from CAF using ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9930 (In WCDMA in all Android releases from CAF using the Linux kernel, a Us ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9929 (In WCDMA in all Android releases from CAF using the Linux kernel, a Us ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9928 (In GERAN in all Android releases from CAF using the Linux kernel, a Bu ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9927 (In UIM in all Android releases from CAF using the Linux kernel, a Buff ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9926 (In GNSS in all Android releases from CAF using the Linux kernel, a Use ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9925 (In HDR in all Android releases from CAF using the Linux kernel, a Buff ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9924 (In 1x in all Android releases from CAF using the Linux kernel, a Signe ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9923 (In NAS in all Android releases from CAF using the Linux kernel, a Buff ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9922 (The eCryptfs subsystem in the Linux kernel before 3.18 allows local us ...) - linux 4.0.2-1 [jessie] - linux 3.16.39-1 [wheezy] - linux 3.2.82-1 NOTE: Fixed by: https://git.kernel.org/linus/69c433ed2ecd2d3264efd7afec4439524b319121 (v3.18-rc2) CVE-2017-6422 RESERVED CVE-2017-6421 (In the touch controller function in all Qualcomm products with Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-6420 (The wwunpack function in libclamav/wwunpack.c in ClamAV 0.99.2 allows ...) {DLA-1261-1 DLA-1105-1} - clamav 0.99.3~beta1+dfsg-1 [stretch] - clamav 0.99.2+dfsg-6+deb9u1 [jessie] - clamav 0.99.2+dfsg-0+deb8u3 NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11798 NOTE: https://github.com/vrtadmin/clamav-devel/commit/dfc00cd3301a42b571454b51a6102eecf58407bc NOTE: https://github.com/vrtadmin/clamav-devel/commit/60671e3deb1df6c626e5c7e13752c2eec1649f98 CVE-2017-6419 (mspack/lzxd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2, allows ...) {DSA-3946-1 DLA-1279-1} - libmspack 0.6-1 (bug #871263) - clamav 0.99.3~beta1+dfsg-1 (unimportant) [stretch] - clamav 0.99.4+dfsg-1+deb9u1 NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11701 NOTE: https://github.com/vrtadmin/clamav-devel/commit/a83773682e856ad6529ba6db8d1792e6d515d7f1 NOTE: ClamAV uses the libmspack system library when available. This is the NOTE: case from starting from Debian Jessie. Debian Wheezy does not have NOTE: have libmspack and thus need to have the fix as well in the NOTE: src:clamav source package. NOTE: libmspack: https://github.com/kyz/libmspack/commit/6139a0b9e93fcb7fcf423e56aa825bc869e02229 CVE-2017-6418 (libclamav/message.c in ClamAV 0.99.2 allows remote attackers to cause ...) {DLA-1261-1 DLA-1105-1} - clamav 0.99.3~beta1+dfsg-1 [stretch] - clamav 0.99.2+dfsg-6+deb9u1 [jessie] - clamav 0.99.2+dfsg-0+deb8u3 NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11797 NOTE: https://github.com/vrtadmin/clamav-devel/commit/586a5180287262070637c8943f2f7efd652e4a2c CVE-2017-6417 (Code injection vulnerability in Avira Total Security Suite 15.0 (and e ...) NOT-FOR-US: Avira Total Security Suite CVE-2017-6416 (An issue was discovered in SysGauge 1.5.18. A buffer overflow vulnerab ...) NOT-FOR-US: SysGauge CVE-2017-6415 (The dex_parse_debug_item function in libr/bin/p/bin_dex.c in radare2 1 ...) - radare2 1.1.0+dfsg-3 (bug #856572) [jessie] - radare2 (Vulnerable code introduced in 1.1.0) [wheezy] - radare2 (Vulnerable code introduced in 1.1.0) NOTE: https://github.com/radare/radare2/issues/6872 NOTE: https://github.com/radare/radare2/commit/252afb1cff9676f3ae1f341a28448bf2c8b6e308 CVE-2017-6414 (Memory leak in the vcard_apdu_new function in card_7816.c in libcacard ...) - libcacard 1:2.5.0-3 (bug #856501) NOTE: Fixed by: https://cgit.freedesktop.org/spice/libcacard/commit/?id=9113dc6a303604a2d9812ac70c17d076ef11886c CVE-2017-6413 (The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka ...) - libapache2-mod-auth-openidc 2.1.6-1 [jessie] - libapache2-mod-auth-openidc (Minor issue) NOTE: https://github.com/pingidentity/mod_auth_openidc/commit/21e3728a825c41ab41efa75e664108051bb9665e CVE-2017-6412 (In Sophos Web Appliance (SWA) before 4.3.1.2, Session Fixation could o ...) NOT-FOR-US: Sophos CVE-2017-6411 (Cross Site Request Forgery (CSRF) on D-Link DSL-2730U C1 IN_1.00 devic ...) NOT-FOR-US: D-Link CVE-2017-6410 (kpac/script.cpp in KDE kio before 5.32 and kdelibs before 4.14.30 call ...) {DSA-3849-1 DLA-952-1} - kio 5.28.0-2 (bug #856889) - kde4libs 4:4.14.26-2 (bug #856890) NOTE: https://www.kde.org/info/security/advisory-20170228-1.txt NOTE: Patch for kio: https://commits.kde.org/kio/f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 NOTE: Patch for kde4libs: https://commits.kde.org/kdelibs/1804c2fde7bf4e432c6cf5bb8cce5701c7010559 CVE-2017-6409 (An issue was discovered in Veritas NetBackup 8.0 and earlier and NetBa ...) NOT-FOR-US: Veritas NetBackup CVE-2017-6408 (An issue was discovered in Veritas NetBackup 8.0 and earlier and NetBa ...) NOT-FOR-US: Veritas NetBackup CVE-2017-6407 (An issue was discovered in Veritas NetBackup Before 7.7.2 and NetBacku ...) NOT-FOR-US: Veritas NetBackup CVE-2017-6406 (An issue was discovered in Veritas NetBackup Before 7.7.2 and NetBacku ...) NOT-FOR-US: Veritas NetBackup CVE-2017-6405 (An issue was discovered in Veritas NetBackup 8.0 and earlier and NetBa ...) NOT-FOR-US: Veritas NetBackup CVE-2017-6404 (An issue was discovered in Veritas NetBackup Before 7.7 and NetBackup ...) NOT-FOR-US: Veritas NetBackup CVE-2017-6403 (An issue was discovered in Veritas NetBackup Before 8.0 and NetBackup ...) NOT-FOR-US: Veritas NetBackup CVE-2017-6402 (An issue was discovered in Veritas NetBackup 8.0 and earlier and NetBa ...) NOT-FOR-US: Veritas NetBackup CVE-2017-6401 (An issue was discovered in Veritas NetBackup before 8.0 and NetBackup ...) NOT-FOR-US: Veritas NetBackup CVE-2017-6400 (An issue was discovered in Veritas NetBackup Before 7.7.2 and NetBacku ...) NOT-FOR-US: Veritas NetBackup CVE-2017-6399 (An issue was discovered in Veritas NetBackup Before 7.7.2 and NetBacku ...) NOT-FOR-US: Veritas NetBackup CVE-2017-6398 (An issue was discovered in Trend Micro InterScan Messaging Security (V ...) NOT-FOR-US: Trend Micro CVE-2017-6397 (An issue was discovered in FlightAirMap v1.0-beta.10. The vulnerabilit ...) NOT-FOR-US: FlightAirMap CVE-2017-6396 (An issue was discovered in WPO-Foundation WebPageTest 3.0. The vulnera ...) NOT-FOR-US: WPO-Foundation WebPageTest CVE-2017-6395 (An issue was discovered in HashOver 2.0. The vulnerability exists due ...) NOT-FOR-US: HashOveer CVE-2017-6394 (Multiple Cross-Site Scripting (XSS) issues were discovered in OpenEMR ...) NOT-FOR-US: OpenEMR CVE-2017-6393 (An issue was discovered in NagVis 1.9b12. The vulnerability exists due ...) - nagvis (Vulnerable code introduced in nagvis-1.8.0) NOTE: https://github.com/NagVis/nagvis/issues/91 CVE-2017-6392 (An issue was discovered in Kaltura server Lynx-12.11.0. The vulnerabil ...) NOT-FOR-US: Kaltura server CVE-2017-6391 (An issue was discovered in Kaltura server Lynx-12.11.0. The vulnerabil ...) NOT-FOR-US: Kaltura server CVE-2017-6390 (An issue was discovered in whatanime.ga before c334dd8499a681587dd4199 ...) NOT-FOR-US: whatanime.ga CVE-2017-6389 RESERVED CVE-2017-6388 RESERVED CVE-2017-6387 (The dex_loadcode function in libr/bin/p/bin_dex.c in radare2 1.2.1 all ...) - radare2 1.1.0+dfsg-3 (bug #856574) [jessie] - radare2 (Vulnerable code not present) [wheezy] - radare2 (Vulnerable code not present) NOTE: https://github.com/radare/radare2/commit/ead645853a63bf83d8386702cad0cf23b31d7eeb NOTE: https://github.com/radare/radare2/issues/6857 CVE-2017-6386 (Memory leak in the vrend_create_vertex_elements_state function in vren ...) - virglrenderer 0.6.0-2 (bug #858255; bug #872884) NOTE: Fixed by: https://cgit.freedesktop.org/virglrenderer/commit/?id=737c3350850ca4dbc5633b3bdb4118176ce59920 CVE-2017-6385 RESERVED CVE-2017-6383 REJECTED CVE-2017-6382 RESERVED CVE-2017-6381 (A 3rd party development library including with Drupal 8 development de ...) - drupal8 (bug #756305) NOTE: https://www.drupal.org/SA-2017-001 CVE-2017-6380 RESERVED CVE-2017-6379 (Some administrative paths in Drupal 8.2.x before 8.2.7 did not include ...) - drupal8 (bug #756305) NOTE: https://www.drupal.org/SA-2017-001 CVE-2017-6378 RESERVED CVE-2017-6377 (When adding a private file via the editor in Drupal 8.2.x before 8.2.7 ...) - drupal8 (bug #756305) NOTE: https://www.drupal.org/SA-2017-001 CVE-2017-6376 RESERVED CVE-2017-6375 RESERVED CVE-2017-6374 RESERVED CVE-2017-6373 RESERVED CVE-2017-6372 RESERVED CVE-2017-6371 (Synchronet BBS 3.16c for Windows allows remote attackers to cause a de ...) NOT-FOR-US: Synchronet BBS CVE-2017-6370 (TYPO3 7.6.15 sends an http request to an index.php?loginProvider URI i ...) NOT-FOR-US: TYPO3 CVE-2017-6369 (Insufficient checks in the UDF subsystem in Firebird 2.5.x before 2.5. ...) {DSA-3824-1 DLA-879-1} - firebird2.5 (bug #858641) - firebird3.0 3.0.1.32609.ds4-14 (bug #858644) NOTE: http://tracker.firebirdsql.org/browse/CORE-5474 NOTE: Fixed by: https://github.com/FirebirdSQL/firebird/commit/8b2a9cb44bf6055e15f016d70a6842b8ada60375 (3.0) NOTE: https://github.com/FirebirdSQL/firebird/commit/9d9b9e0c94e201da489d1da81f858c570d3ca6ef (2.5) NOTE: https://github.com/FirebirdSQL/firebird/commit/a802126cd501f641f00d6cda12d5d9ee3ecda6f5 (2.5) CVE-2017-6368 RESERVED CVE-2017-6367 (In Cerberus FTP Server 8.0.10.1, a crafted HTTP request causes the Win ...) NOT-FOR-US: Cerberus FTP Server CVE-2017-6366 (Cross-site request forgery (CSRF) vulnerability in NETGEAR DGN2200 rou ...) NOT-FOR-US: Netgear CVE-2017-6365 RESERVED CVE-2017-6364 RESERVED CVE-2017-6363 (** DISPUTED ** In the GD Graphics Library (aka LibGD) through 2.2.5, t ...) - libgd2 2.3.0-1 [buster] - libgd2 (Minor issue) [stretch] - libgd2 (Minor issue) [jessie] - libgd2 (Minor issue) NOTE: https://github.com/libgd/libgd/commit/0be86e1926939a98afbd2f3a23c673dfc4df2a7c NOTE: https://github.com/libgd/libgd/commit/2dbd8f6e66b73ed43d9b81a45350922b80f75397 NOTE: https://github.com/libgd/libgd/issues/383 CVE-2017-6362 (Double free vulnerability in the gdImagePngPtr function in libgd2 befo ...) {DSA-3961-1 DLA-1106-1} - libgd2 2.2.5-1 NOTE: https://github.com/libgd/libgd/issues/381 NOTE: https://github.com/libgd/libgd/commit/56ce6ef068b954ad28379e83cca04feefc51320c CVE-2017-6361 (QNAP QTS before 4.2.4 Build 20170313 allows attackers to execute arbit ...) NOT-FOR-US: QNAP CVE-2017-6360 (QNAP QTS before 4.2.4 Build 20170313 allows attackers to gain administ ...) NOT-FOR-US: QNAP CVE-2017-6359 (QNAP QTS before 4.2.4 Build 20170313 allows attackers to gain administ ...) NOT-FOR-US: QNAP CVE-2017-6358 RESERVED CVE-2017-6357 RESERVED CVE-2017-6356 (Palo Alto Networks Terminal Services (aka TS) Agent 6.0, 7.0, and 8.0 ...) NOT-FOR-US: Palo Alto Networks Terminal Services CVE-2015-8994 (An issue was discovered in PHP 5.x and 7.x, when the configuration use ...) - php7.1 (Fixed before initial upload to Debian) - php7.0 7.0.14-1 - php5 [jessie] - php5 5.6.29+dfsg-0+deb8u1 [wheezy] - php5 (vulnerable code not present) NOTE: Fixed in 7.1.0, 7.0.14, 5.6.29 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=69090 CVE-2015-8993 (Malicious file execution vulnerability in Intel Security CloudAV (Beta ...) NOT-FOR-US: Intel antivirus CVE-2015-8992 (Malicious file execution vulnerability in Intel Security WebAdvisor be ...) NOT-FOR-US: Intel antivirus CVE-2015-8991 (Malicious file execution vulnerability in Intel Security McAfee Securi ...) NOT-FOR-US: Intel antivirus CVE-2015-8990 (Detection bypass vulnerability in Intel Security Advanced Threat Defen ...) NOT-FOR-US: Intel antivirus CVE-2015-8989 (Unsalted password vulnerability in the Enterprise Manager (web portal) ...) NOT-FOR-US: Intel antivirus CVE-2015-8988 (Unquoted executable path vulnerability in Client Management and Gatewa ...) NOT-FOR-US: Intel antivirus CVE-2015-8987 (Man-in-the-middle (MitM) attack vulnerability in non-Mac OS agents in ...) NOT-FOR-US: Intel antivirus CVE-2015-8986 (Sandbox detection evasion vulnerability in hardware appliances in McAf ...) NOT-FOR-US: Intel antivirus CVE-2014-9921 (Information disclosure vulnerability in McAfee (now Intel Security) Cl ...) NOT-FOR-US: Intel antivirus CVE-2014-9920 (Unauthorized execution of binary vulnerability in McAfee (now Intel Se ...) NOT-FOR-US: Intel antivirus CVE-2013-7462 (A directory traversal vulnerability in the web application in McAfee ( ...) NOT-FOR-US: Intel antivirus CVE-2013-7461 (A write protection and execution bypass vulnerability in McAfee (now I ...) NOT-FOR-US: Intel antivirus CVE-2013-7460 (A write protection and execution bypass vulnerability in McAfee (now I ...) NOT-FOR-US: Intel antivirus CVE-2017-6355 (Integer overflow in the vrend_create_shader function in vrend_renderer ...) - virglrenderer 0.6.0-1 (bug #858255) NOTE: Fixed by: https://cgit.freedesktop.org/virglrenderer/commit/?id=93761787b29f37fa627dea9082cdfc1a1ec608d6 (0.6.0) CVE-2017-6354 RESERVED CVE-2017-6352 RESERVED CVE-2017-6351 (The WePresent WiPG-1500 device with firmware 1.0.3.7 has a manufacture ...) NOT-FOR-US: WePresent WiPG-1500 CVE-2017-6350 (An integer overflow at an unserialize_uep memory allocation site would ...) {DLA-850-1} - vim 2:8.0.0197-3 (bug #856266) [jessie] - vim 2:7.4.488-7+deb8u3 - neovim 0.1.7-4 NOTE: Fixed by: https://github.com/vim/vim/commit/0c8485f0e4931463c0f7986e1ea84a7d79f10c75 CVE-2017-6349 (An integer overflow at a u_read_undo memory allocation site would occu ...) {DLA-850-1} - vim 2:8.0.0197-3 (bug #856266) [jessie] - vim 2:7.4.488-7+deb8u3 - neovim 0.1.7-4 NOTE: Fixed by: https://github.com/vim/vim/commit/3eb1637b1bba19519885dd6d377bd5596e91d22c CVE-2017-6344 (XML External Entity (XXE) vulnerability in Grails PDF Plugin 0.6 allow ...) NOT-FOR-US: Grails PDF plugin CVE-2017-6343 (The web interface on Dahua DHI-HCVR7216A-S3 devices with NVR Firmware ...) NOT-FOR-US: Dahua devices CVE-2017-6342 (An issue was discovered on Dahua DHI-HCVR7216A-S3 devices with NVR Fir ...) NOT-FOR-US: Dahua devices CVE-2017-6341 (Dahua DHI-HCVR7216A-S3 devices with NVR Firmware 3.210.0001.10 2016-06 ...) NOT-FOR-US: Dahua devices CVE-2017-6340 (Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 befor ...) NOT-FOR-US: Trend Micro CVE-2017-6339 (Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 befor ...) NOT-FOR-US: Trend Micro CVE-2017-6338 (Multiple Access Control issues in Trend Micro InterScan Web Security V ...) NOT-FOR-US: Trend Micro CVE-2017-6337 RESERVED CVE-2017-6336 RESERVED CVE-2017-6334 (dnslookup.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0. ...) NOT-FOR-US: NETGEAR CVE-2017-6333 RESERVED CVE-2017-6332 RESERVED CVE-2017-6331 (Prior to SEP 14 RU1 Symantec Endpoint Protection product can encounter ...) NOT-FOR-US: Symantec CVE-2017-6330 (Symantec Encryption Desktop before SED 10.4.1MP2 can allow remote atta ...) NOT-FOR-US: Symantec CVE-2017-6329 (Symantec VIP Access for Desktop prior to 2.2.4 can be susceptible to a ...) NOT-FOR-US: Symantec CVE-2017-6328 (The Symantec Messaging Gateway before 10.6.3-267 can encounter an issu ...) NOT-FOR-US: Symantec CVE-2017-6327 (The Symantec Messaging Gateway before 10.6.3-267 can encounter an issu ...) NOT-FOR-US: Symantec CVE-2017-6326 (The Symantec Messaging Gateway can encounter an issue of remote code e ...) NOT-FOR-US: Symantec CVE-2017-6325 (The Symantec Messaging Gateway can encounter a file inclusion vulnerab ...) NOT-FOR-US: Symantec CVE-2017-6324 (The Symantec Messaging Gateway, when processing a specific email attac ...) NOT-FOR-US: Symantec CVE-2017-6323 (The Symantec Management Console prior to ITMS 8.1 RU1, ITMS 8.0_POST_H ...) NOT-FOR-US: Symantec CVE-2017-6322 RESERVED CVE-2017-XXXX [scanelf: out of bounds read in scanelf_file_get_symtabs (scanelf.c)] - pax-utils 1.2.3-1 (unimportant; bug #856196) NOTE: https://blogs.gentoo.org/ago/2017/02/25/pax-utils-scanelf-out-of-bounds-read-in-scanelf_file_get_symtabs-scanelf-c-2/ NOTE: https://github.com/gentoo/pax-utils/commit/e577c5b7e230c52e5fc4fa40e4e9014c634b3c1d NOTE: https://github.com/gentoo/pax-utils/commit/858939ea6ad63f1acb4ec74bba705c197a67d559 CVE-2017-6353 (net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly ...) {DSA-3804-1 DLA-849-1} - linux 4.9.13-1 NOTE: https://marc.info/?l=linux-netdev&m=148785309416337&w=2 CVE-2017-6348 (The hashbin_delete function in net/irda/irqueue.c in the Linux kernel ...) {DSA-3804-1 DLA-849-1} - linux 4.9.13-1 NOTE: Fixed by: https://git.kernel.org/linus/4c03b862b12f980456f9de92db6d508a4999b788 CVE-2017-6347 (The ip_cmsg_recv_checksum function in net/ipv4/ip_sockglue.c in the Li ...) - linux 4.9.13-1 [jessie] - linux (Vulnerable code introduced in 4.0) [wheezy] - linux (Vulnerable code introduced in 4.0) NOTE: Fixed by: https://git.kernel.org/linus/ca4ef4574f1ee5252e2cd365f8f5d5bafd048f32 CVE-2017-6346 (Race condition in net/packet/af_packet.c in the Linux kernel before 4. ...) {DSA-3804-1 DLA-849-1} - linux 4.9.13-1 NOTE: Fixed by: https://git.kernel.org/linus/d199fab63c11998a602205f7ee7ff7c05c97164b CVE-2017-6345 (The LLC subsystem in the Linux kernel before 4.9.13 does not ensure th ...) {DSA-3804-1 DLA-849-1} - linux 4.9.13-1 NOTE: Fixed by: https://git.kernel.org/linus/8b74d439e1697110c5e5c600643e823eb1dd0762 CVE-2017-6321 RESERVED CVE-2017-6320 (A remote command injection vulnerability exists in the Barracuda Load ...) NOT-FOR-US: Barracuda CVE-2017-6319 (The dex_parse_debug_item function in libr/bin/p/bin_dex.c in radare2 1 ...) - radare2 1.1.0+dfsg-3 (bug #856579) [jessie] - radare2 (Vulnerable code introduced in 1.1.0) [wheezy] - radare2 (Vulnerable code introduced in 1.1.0) NOTE: https://github.com/radare/radare2/issues/6836 NOTE: https://github.com/radare/radare2/commit/ad55822430a03fe075221b543efb434567e9e431 CVE-2017-6318 (saned in sane-backends 1.0.25 allows remote attackers to obtain sensit ...) {DLA-940-1} - sane-backends 1.0.25-4 (low; bug #854804) [jessie] - sane-backends 1.0.24-8+deb8u2 NOTE: Upstream patch: https://anonscm.debian.org/cgit/sane/sane-backends.git/commit/frontend/saned.c?id=42896939822b44f44ecd1b6d35afdfa4473ed35d CVE-2017-6316 (Citrix NetScaler SD-WAN devices through v9.1.2.26.561201 allow remote ...) NOT-FOR-US: Citrix CVE-2017-6315 (Astaro Security Gateway (aka ASG) 7 allows remote attackers to execute ...) NOT-FOR-US: Astaro CVE-2017-6335 (The QuantumTransferMode function in coders/tiff.c in GraphicsMagick 1. ...) {DLA-1456-1} - graphicsmagick 1.3.25-8 [wheezy] - graphicsmagick (vulnerable code not present) NOTE: Fixed by: https://sourceforge.net/p/graphicsmagick/code/ci/6156b4c2992d855ece6079653b3b93c3229fc4b8/ CVE-2017-6317 (Memory leak in the add_shader_program function in vrend_renderer.c in ...) - virglrenderer 0.6.0-1 (bug #858255) NOTE: https://cgit.freedesktop.org/virglrenderer/commit/?id=a2f12a1b0f95b13b6f8dc3d05d7b74b4386394e4 (0.6.0) CVE-2017-6314 (The make_available_at_least function in io-tiff.c in gdk-pixbuf allows ...) {DLA-2043-1} - gdk-pixbuf 2.36.11-2 (low; bug #856448) [stretch] - gdk-pixbuf 2.36.5-2+deb9u2 [wheezy] - gdk-pixbuf (Minor issue, can be fixed in next update) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=779020 NOTE: http://mov.sx/2017/02/21/bug-hunting-gdk-pixbuf.html NOTE: Fixed by: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=1e513abdb55529f888233d3c96b27352d83aad5f CVE-2017-6313 (Integer underflow in the load_resources function in io-icns.c in gdk-p ...) {DLA-2043-1} - gdk-pixbuf 2.36.11-2 (low; bug #856445) [stretch] - gdk-pixbuf 2.36.5-2+deb9u2 [wheezy] - gdk-pixbuf (Minor issue, can be fixed in next update) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=779016 NOTE: http://mov.sx/2017/02/21/bug-hunting-gdk-pixbuf.html NOTE: Fixed by: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=210b16399a492d05efb209615a143920b24251f4 NOTE: Tests: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=4cc39d479356b6b09e3d62a0f3ab424db6c266d8 CVE-2017-6312 (Integer overflow in io-ico.c in gdk-pixbuf allows context-dependent at ...) {DLA-2043-1} - gdk-pixbuf 2.36.11-2 (low; bug #856444) [stretch] - gdk-pixbuf 2.36.5-2+deb9u2 [wheezy] - gdk-pixbuf (Minor issue, can be fixed in next update) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=779012 NOTE: http://mov.sx/2017/02/21/bug-hunting-gdk-pixbuf.html NOTE: Fixed by: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=dec9ca22d70c0f0d4492333b4e8147afb038afd2 NOTE: Tests: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=a6303ad765882555cf1b278a09be5f9e4cf3a39d CVE-2017-6311 (gdk-pixbuf-thumbnailer.c in gdk-pixbuf allows context-dependent attack ...) - gdk-pixbuf 2.36.10-1 (bug #858491; unimportant) [jessie] - gdk-pixbuf (Code introduced in 2.36.1) [wheezy] - gdk-pixbuf (Code introduced in 2.36.1) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=778204 NOTE: http://mov.sx/2017/02/21/bug-hunting-gdk-pixbuf.html NOTE: Upload of gdk-pixbuf 2.36.5-3 to experimental added a new binary package containing NOTE: the thumbnailer. NOTE: Fixed by: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=57362ed4c1f37c05723e25e136327e262f32d35f NOTE: Fixed by: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=758655315bc3760c2d646e1e935f7448847073af NOTE: Tests: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=67a02e1bfef1ae8f7fa50ca36f6d922c1b6d3ed6 CVE-2017-6310 (An issue was discovered in tnef before 1.4.13. Four type confusions ha ...) {DSA-3798-1 DLA-839-1} - tnef 1.4.12-1.1 (bug #856117) NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-004-tnef/ NOTE: Fixed by: https://github.com/verdammelt/tnef/commit/8dccf79857ceeb7a6d3e42c1e762e7b865d5344d NOTE: regression fixed by: https://github.com/verdammelt/tnef/commit/9c4015433ecd3177976f820f7aa524c7e64c7c92 NOTE: regression fixed by: https://github.com/verdammelt/tnef/commit/c0b99164d14dcc61348a2ddffd47dfe31d087bad CVE-2017-6309 (An issue was discovered in tnef before 1.4.13. Two type confusions hav ...) {DSA-3798-1 DLA-839-1} - tnef 1.4.12-1.1 (bug #856117) NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-004-tnef/ NOTE: Fixed by: https://github.com/verdammelt/tnef/commit/8dccf79857ceeb7a6d3e42c1e762e7b865d5344d CVE-2017-6308 (An issue was discovered in tnef before 1.4.13. Several Integer Overflo ...) {DSA-3798-1 DLA-839-1} - tnef 1.4.12-1.1 (bug #856117) NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-004-tnef/ NOTE: Fixed by: https://github.com/verdammelt/tnef/commit/c5044689e50039635e7700fe2472fd632ac77176 CVE-2017-6307 (An issue was discovered in tnef before 1.4.13. Two OOB Writes have bee ...) {DSA-3798-1 DLA-839-1} - tnef 1.4.12-1.1 (bug #856117) NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-004-tnef/ NOTE: Fixed by: https://github.com/verdammelt/tnef/commit/1a17af1ed0c791aec44dbdc9eab91218cc1e335a CVE-2017-6306 (An issue was discovered in ytnef before 1.9.1. This is related to a pa ...) {DSA-3846-1} - libytnef 1.9.1-1 [wheezy] - libytnef (vulnerable code not present) NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/ NOTE: http://www.openwall.com/lists/oss-security/2017/02/15/4 NOTE: fixed in https://github.com/Yeraze/ytnef/commit/b36d6b25b7a546fc28d6c3812124e487987a4910 CVE-2017-6305 (An issue was discovered in ytnef before 1.9.1. This is related to a pa ...) {DSA-3846-1 DLA-878-1} - libytnef 1.9.1-1 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/ NOTE: http://www.openwall.com/lists/oss-security/2017/02/15/4 NOTE: fixed in https://github.com/Yeraze/ytnef/commit/b36d6b25b7a546fc28d6c3812124e487987a4910 CVE-2017-6304 (An issue was discovered in ytnef before 1.9.1. This is related to a pa ...) {DSA-3846-1 DLA-878-1} - libytnef 1.9.1-1 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/ NOTE: http://www.openwall.com/lists/oss-security/2017/02/15/4 NOTE: fixed in https://github.com/Yeraze/ytnef/commit/b36d6b25b7a546fc28d6c3812124e487987a4910 CVE-2017-6303 (An issue was discovered in ytnef before 1.9.1. This is related to a pa ...) {DSA-3846-1 DLA-878-1} - libytnef 1.9.1-1 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/ NOTE: http://www.openwall.com/lists/oss-security/2017/02/15/4 NOTE: fixed in https://github.com/Yeraze/ytnef/commit/b36d6b25b7a546fc28d6c3812124e487987a4910 CVE-2017-6302 (An issue was discovered in ytnef before 1.9.1. This is related to a pa ...) {DSA-3846-1 DLA-878-1} - libytnef 1.9.1-1 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/ NOTE: http://www.openwall.com/lists/oss-security/2017/02/15/4 NOTE: fixed in https://github.com/Yeraze/ytnef/commit/b36d6b25b7a546fc28d6c3812124e487987a4910 CVE-2017-6301 (An issue was discovered in ytnef before 1.9.1. This is related to a pa ...) {DSA-3846-1 DLA-878-1} - libytnef 1.9.1-1 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/ NOTE: http://www.openwall.com/lists/oss-security/2017/02/15/4 NOTE: fixed in https://github.com/Yeraze/ytnef/commit/b36d6b25b7a546fc28d6c3812124e487987a4910 CVE-2017-6300 (An issue was discovered in ytnef before 1.9.1. This is related to a pa ...) {DSA-3846-1 DLA-878-1} - libytnef 1.9.1-1 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/ NOTE: http://www.openwall.com/lists/oss-security/2017/02/15/4 NOTE: fixed in https://github.com/Yeraze/ytnef/commit/b36d6b25b7a546fc28d6c3812124e487987a4910 CVE-2017-6299 (An issue was discovered in ytnef before 1.9.1. This is related to a pa ...) {DSA-3846-1 DLA-878-1} - libytnef 1.9.1-1 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/ NOTE: http://www.openwall.com/lists/oss-security/2017/02/15/4 NOTE: fixed in https://github.com/Yeraze/ytnef/commit/b36d6b25b7a546fc28d6c3812124e487987a4910 CVE-2017-6298 (An issue was discovered in ytnef before 1.9.1. This is related to a pa ...) {DSA-3846-1 DLA-878-1} - libytnef 1.9.1-1 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/ NOTE: http://www.openwall.com/lists/oss-security/2017/02/15/4 NOTE: fixed in https://github.com/Yeraze/ytnef/commit/b36d6b25b7a546fc28d6c3812124e487987a4910 CVE-2017-6297 (The L2TP Client in MikroTik RouterOS versions 6.83.3 and 6.37.4 does n ...) NOT-FOR-US: MikroTik RouterOS CVE-2017-6296 (NVIDIA TrustZone Software contains a TOCTOU issue in the DRM applicati ...) NOT-FOR-US: NVIDIA CVE-2017-6295 (NVIDIA TrustZone Software contains a vulnerability in the Keymaster im ...) NOT-FOR-US: NVIDIA CVE-2017-6294 (In Android before the 2018-06-05 security patch level, NVIDIA Tegra X1 ...) NOT-FOR-US: NVIDIA CVE-2017-6293 (In Android before the 2018-05-05 security patch level, NVIDIA Tegra X1 ...) NOT-FOR-US: Nvidia component for Android CVE-2017-6292 (In Android before the 2018-06-05 security patch level, NVIDIA TLZ Trus ...) NOT-FOR-US: NVIDIA CVE-2017-6291 RESERVED CVE-2017-6290 (In Android before the 2018-06-05 security patch level, NVIDIA TLK Trus ...) NOT-FOR-US: NVIDIA CVE-2017-6289 (In Android before the 2018-05-05 security patch level, NVIDIA Trusted ...) NOT-FOR-US: Nvidia component for Android CVE-2017-6288 (NVIDIA libnvrm contains a possible out of bounds read due to a missing ...) NOT-FOR-US: Nvidia component for Android CVE-2017-6287 (NVIDIA libnvrm contains a possible out of bounds read due to a missing ...) NOT-FOR-US: Nvidia component for Android CVE-2017-6286 (NVIDIA libnvomx contains a possible out of bounds write due to a missi ...) NOT-FOR-US: NVIDIA CVE-2017-6285 (NVIDIA libnvrm contains a possible out of bounds read due to a missing ...) NOT-FOR-US: Nvidia component for Android CVE-2017-6284 (NVIDIA Security Engine contains a vulnerability in the Deterministic R ...) NOT-FOR-US: NVIDIA CVE-2017-6283 (NVIDIA Security Engine contains a vulnerability in the RSA function wh ...) NOT-FOR-US: NVIDIA CVE-2017-6282 (NVIDIA Tegra kernel driver contains a vulnerability in NVMAP where an ...) NOT-FOR-US: NVIDIA CVE-2017-6281 (NVIDIA libnvomx contains a possible out of bounds write due to a impro ...) NOT-FOR-US: NVIDIA CVE-2017-6280 (NVIDIA driver contains a possible out-of-bounds read vulnerability due ...) NOT-FOR-US: Nvidia component for Android CVE-2017-6279 (NVIDIA libnvmmlite_audio.so contains an elevation of privilege vulnera ...) NOT-FOR-US: Nvidia component for Android CVE-2017-6278 (NVIDIA Tegra kernel contains a vulnerability in the CORE DVFS Thermal ...) NOT-FOR-US: NVIDIA Tegra CVE-2017-6277 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2017-6276 (NVIDIA mediaserver contains a vulnerability where it is possible a use ...) NOT-FOR-US: NVIDIA CVE-2017-6275 (An information disclosure vulnerability exists in the Thermal Driver, ...) NOT-FOR-US: NVIDIA components for Android CVE-2017-6274 (An elevation of Privilege vulnerability exists in the Thermal Driver, ...) NOT-FOR-US: NVIDIA components for Android CVE-2017-6273 (NVIDIA ADSP Firmware contains a vulnerability in the ADSP Loader compo ...) NOT-FOR-US: NVIDIA ADSP Firmware CVE-2017-6272 (NVIDIA GPU Display Driver contains a vulnerability in the kernel mode ...) [experimental] - nvidia-graphics-drivers 384.90-1 - nvidia-graphics-drivers 384.98-2 (bug #876414) [stretch] - nvidia-graphics-drivers 384.130-1 [jessie] - nvidia-graphics-drivers (Non-free not supported) [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx [buster] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported, no updates provided by Nvidia for 340) [stretch] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported) - nvidia-graphics-drivers-legacy-304xx [stretch] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) [jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/4544 CVE-2017-6271 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2017-6270 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2017-6269 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2017-6268 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2017-6267 (NVIDIA GPU Display Driver contains a vulnerability in the kernel mode ...) [experimental] - nvidia-graphics-drivers 384.90-1 - nvidia-graphics-drivers 384.98-2 (bug #876414) [stretch] - nvidia-graphics-drivers 384.130-1 [jessie] - nvidia-graphics-drivers (Non-free not supported) [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx [buster] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported, no updates provided by Nvidia for 340) [stretch] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported) - nvidia-graphics-drivers-legacy-304xx [stretch] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) [jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/4544 CVE-2017-6266 (NVIDIA GPU Display Driver contains a vulnerability in the kernel mode ...) [experimental] - nvidia-graphics-drivers 384.90-1 - nvidia-graphics-drivers 384.98-2 (bug #876414) [stretch] - nvidia-graphics-drivers 384.130-1 [jessie] - nvidia-graphics-drivers (Non-free not supported) [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx [buster] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported, no updates provided by Nvidia for 340) [stretch] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported) - nvidia-graphics-drivers-legacy-304xx [stretch] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) [jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/4544 CVE-2017-6265 RESERVED CVE-2017-6264 (An elevation of privilege vulnerability exists in the NVIDIA GPU drive ...) NOT-FOR-US: NVIDIA components for Android CVE-2017-6263 (NVIDIA driver contains a vulnerability where it is possible a use afte ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-6262 (NVIDIA driver contains a vulnerability where it is possible a use afte ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-6261 (NVIDIA Vibrante Linux version 1.1, 2.0, and 2.2 contains a vulnerabili ...) NOT-FOR-US: NVIDIA Vibrante Linux CVE-2017-6260 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2017-6259 (NVIDIA GPU Display Driver contains a vulnerability in the kernel mode ...) - nvidia-graphics-drivers 375.82-1 (bug #869783) [stretch] - nvidia-graphics-drivers 375.82-1~deb9u1 [jessie] - nvidia-graphics-drivers (Non-free not supported) [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx (Limited to E384 and E375) - nvidia-graphics-drivers-legacy-304xx (Limited to E384 and E375) CVE-2017-6258 (NVIDIA libnvmmlite_audio.so contains an elevation of privilege vulnera ...) NOT-FOR-US: Nvidia component for Android CVE-2017-6257 (NVIDIA GPU Display Driver contains a vulnerability in the kernel mode ...) - nvidia-graphics-drivers 375.82-1 (bug #869783) [stretch] - nvidia-graphics-drivers 375.82-1~deb9u1 [jessie] - nvidia-graphics-drivers (Non-free not supported) [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx (Limited to E384 and E375) - nvidia-graphics-drivers-legacy-304xx (Limited to E384 and E375) CVE-2017-6256 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2017-6255 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2017-6254 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2017-6253 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2017-6252 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2017-6251 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2017-6250 (NVIDIA GeForce Experience contains a vulnerability in NVIDIA Web Helpe ...) NOT-FOR-US: NVIDIA GeForce Experience CVE-2017-6249 (An elevation of privilege vulnerability in the NVIDIA sound driver cou ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-6248 (An elevation of privilege vulnerability in the NVIDIA sound driver cou ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-6247 (An elevation of privilege vulnerability in the NVIDIA sound driver cou ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-6246 RESERVED CVE-2017-6245 RESERVED CVE-2017-6244 RESERVED CVE-2017-6243 RESERVED CVE-2017-6242 RESERVED CVE-2017-6241 RESERVED CVE-2017-6240 RESERVED CVE-2017-6239 RESERVED CVE-2017-6238 RESERVED CVE-2017-6237 RESERVED CVE-2017-6236 RESERVED CVE-2017-6235 RESERVED CVE-2017-6234 RESERVED CVE-2017-6233 RESERVED CVE-2017-6232 RESERVED CVE-2017-6231 RESERVED CVE-2017-6230 (Ruckus Networks Solo APs firmware releases R110.x or before and Ruckus ...) NOT-FOR-US: Ruckus Networks firmware CVE-2017-6229 (Ruckus Networks Unleashed AP firmware releases before 200.6.10.1.x and ...) NOT-FOR-US: Ruckus Networks firmware CVE-2017-6228 RESERVED CVE-2017-6227 (A vulnerability in the IPv6 stack on Brocade Fibre Channel SAN product ...) NOT-FOR-US: Brocade CVE-2017-6226 RESERVED CVE-2017-6225 (Cross-site scripting (XSS) vulnerability in the web-based management i ...) NOT-FOR-US: Brocade CVE-2017-6224 (Ruckus Wireless Zone Director Controller firmware releases ZD9.x, ZD10 ...) NOT-FOR-US: Ruckus CVE-2017-6223 (Ruckus Wireless Zone Director Controller firmware releases ZD9.9.x, ZD ...) NOT-FOR-US: Ruckus CVE-2017-6222 RESERVED CVE-2017-6221 RESERVED CVE-2017-6220 RESERVED CVE-2017-6219 RESERVED CVE-2017-6218 RESERVED CVE-2017-6217 (paypal/adaptivepayments-sdk-php v3.9.2 is vulnerable to a reflected XS ...) NOT-FOR-US: paypal/adaptivepayments-sdk-php CVE-2017-6216 (novaksolutions/infusionsoft-php-sdk v2016-10-31 is vulnerable to a ref ...) NOT-FOR-US: novaksolutions/infusionsoft-php-sdk CVE-2017-6215 (paypal/permissions-sdk-php is vulnerable to reflected XSS in the sampl ...) NOT-FOR-US: PayPal permissions-sdk-php CVE-2017-6213 (paypal/invoice-sdk-php is vulnerable to reflected XSS in samples/permi ...) NOT-FOR-US: PayPal invoice-sdk-php CVE-2017-6212 REJECTED CVE-2017-6211 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-6214 (The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel bef ...) {DSA-3804-1 DLA-849-1} - linux 4.9.13-1 NOTE: Fixed by: https://git.kernel.org/linus/ccf7abb93af09ad0868ae9033d1ca8108bdaec82 (v4.10-rc8) CVE-2017-6210 (The vrend_decode_reset function in vrend_decode.c in virglrenderer bef ...) - virglrenderer 0.6.0-1 (bug #858255) NOTE: Fixed by: https://cgit.freedesktop.org/virglrenderer/commit/?id=0a5dff15912207b83018485f83e067474e818bab (0.6.0) CVE-2017-6209 (Stack-based buffer overflow in the parse_identifier function in tgsi_t ...) - virglrenderer 0.6.0-1 (bug #858255) NOTE: Fixed by: https://cgit.freedesktop.org/virglrenderer/commit/?id=e534b51ca3c3cd25f3990589932a9ed711c59b27 (0.6.0) CVE-2017-6208 RESERVED CVE-2017-6207 REJECTED CVE-2017-6206 (D-Link DGS-1510-28XMP, DGS-1510-28X, DGS-1510-52X, DGS-1510-52, DGS-15 ...) NOT-FOR-US: D-Link CVE-2017-6205 (D-Link DGS-1510-28XMP, DGS-1510-28X, DGS-1510-52X, DGS-1510-52, DGS-15 ...) NOT-FOR-US: D-Link CVE-2017-6204 RESERVED CVE-2017-6203 RESERVED CVE-2017-6202 RESERVED CVE-2017-6201 (A Server Side Request Forgery vulnerability exists in the install app ...) NOT-FOR-US: Sandstorm CVE-2017-6200 (Sandstorm before build 0.203 allows remote attackers to read any speci ...) NOT-FOR-US: Sandstorm CVE-2017-6199 (A remote attacker could bypass the Sandstorm organization restriction ...) NOT-FOR-US: Sandstorm CVE-2017-6198 (The Supervisor in Sandstorm doesn't set and enforce the resource limit ...) NOT-FOR-US: Sandstorm CVE-2017-6197 (The r_read_* functions in libr/include/r_endian.h in radare2 1.2.1 all ...) {DLA-837-1} - radare2 1.1.0+dfsg-2 (bug #856063) [jessie] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/issues/6816 NOTE: Fixed by: https://github.com/radare/radare2/commit/1ea23bd6040441a21fbcfba69dce9a01af03f989 NOTE: Although the respective new versions were only introduced in 0.10.3 NOTE: The NULL pointer dereferences are still triggerable, via the shown NOTE: vector and seen under valgrind. It might be disputable if that is the NOTE: same vulnerability though. CVE-2017-6196 (Multiple use-after-free vulnerabilities in the gx_image_enum_begin fun ...) - ghostscript (Issue introduced later, cf. bug #856142) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697596 NOTE: Fixed by: http://git.ghostscript.com/?p=ghostpdl.git;h=ecceafe3abba2714ef9b432035fe0739d9b1a283 NOTE: Possibly introduced only after http://git.ghostscript.com/?p=ghostpdl.git;h=cffb5712bc10c2c2f46adf311fc74aaae74cb784 CVE-2017-6195 (Ipswitch MOVEit Transfer (formerly DMZ) allows pre-authentication blin ...) NOT-FOR-US: Ipswitch MOVEit Transfer CVE-2017-6194 (The relocs function in libr/bin/p/bin_bflt.c in radare2 1.2.1 allows r ...) [experimental] - radare2 1.3.0+dfsg-1 - radare2 1.1.0+dfsg-4 (bug #859448) [jessie] - radare2 (Vulnerable code not present) [wheezy] - radare2 (Vulnerable code not present) NOTE: https://github.com/radare/radare2/commit/72794dc3523bbd5bb370de3c5857cb736c387e18 (1.3.0-git) NOTE: https://github.com/radare/radare2/issues/6829 CVE-2017-6193 (Buffer overflow in APNGDis 2.8 and earlier allows remote attackers to ...) NOT-FOR-US: APNGDis CVE-2017-6192 (Buffer overflow in APNGDis 2.8 and earlier allows a remote attackers t ...) NOT-FOR-US: APNGDis CVE-2017-6191 (Buffer overflow in APNGDis 2.8 and below allows a remote attacker to e ...) NOT-FOR-US: APNGDis CVE-2017-6190 (Directory traversal vulnerability in the web interface on the D-Link D ...) NOT-FOR-US: D-Link CVE-2017-6189 (Untrusted search path vulnerability in Amazon Kindle for PC before 1.1 ...) NOT-FOR-US: Amazon Kindle CVE-2017-6187 (Buffer overflow in the built-in web server in DiskSavvy Enterprise 9.4 ...) NOT-FOR-US: DiskSavvy Enterprise CVE-2017-6186 (Code injection vulnerability in Bitdefender Total Security 12.0 (and e ...) NOT-FOR-US: Bitdefender CVE-2017-6185 RESERVED CVE-2017-6184 (In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine ...) NOT-FOR-US: Sophos CVE-2017-6183 (In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine ...) NOT-FOR-US: Sophos CVE-2017-6182 (In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine ...) NOT-FOR-US: Sophos CVE-2017-6181 (The parse_char_class function in regparse.c in the Onigmo (aka Oniguru ...) - ruby2.3 (Introduced in v2_4_0_rc1) - ruby2.1 (Introduced in v2_4_0_rc1) NOTE: Introduced by: https://github.com/ruby/ruby/commit/2873edeafb6f6df1fc99bb9b1167591b99dd378c NOTE: Fixed by: https://github.com/ruby/ruby/commit/ea940cc4dcff8d6c345d7015eda0bf06671f87e9 NOTE: https://bugs.ruby-lang.org/issues/13234 CVE-2017-6180 (Keekoon KK002 devices 1.8.12 HD have a Cross Site Request Forgery Vuln ...) NOT-FOR-US: Keekoon KK002 devices CVE-2017-6179 RESERVED CVE-2017-6178 (The IofCallDriver function in USBPcap 1.1.0.0 allows local users to ga ...) NOT-FOR-US: USBPcap CVE-2017-6177 REJECTED CVE-2017-6176 REJECTED CVE-2017-6175 REJECTED CVE-2017-6174 REJECTED CVE-2017-6173 REJECTED CVE-2017-6172 REJECTED CVE-2017-6171 REJECTED CVE-2017-6170 REJECTED CVE-2017-6169 (In versions 13.0.0, 12.0.0-12.1.3, or 11.6.0-11.6.2, an F5 BIG-IP virt ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6168 (On BIG-IP versions 11.6.0-11.6.2 (fixed in 11.6.2 HF1), 12.0.0-12.1.2 ...) NOT-FOR-US: F5 BIG-IP NOTE: https://support.f5.com/csp/article/K21905460 NOTE: https://robotattack.org/ CVE-2017-6167 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6166 (In BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PE ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6165 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Contro ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6164 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GT ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6163 (In F5 BIG-IP LTM, AAM, AFM, APM, ASM, Link Controller, PEM, PSM softwa ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6162 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GT ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6161 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GT ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6160 (In F5 BIG-IP AAM and PEM software version 12.0.0 to 12.1.1, 11.6.0 to ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6159 (F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controlle ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6158 (In F5 BIG-IP 12.0.0-12.1.2, 11.6.0-11.6.1, 11.5.1-11.5.5, or 11.2.1 th ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6157 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Contro ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6156 (When the F5 BIG-IP 12.1.0-12.1.1, 11.6.0-11.6.1, 11.5.1-11.5.5, or 11. ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6155 (On F5 BIG-IP 13.0.0, 12.0.0-12.1.3.1, 11.6.0-11.6.2, 11.4.1-11.5.5, or ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6154 (On F5 BIG-IP systems running 13.0.0, 12.1.0 - 12.1.3.1, or 11.6.1 - 11 ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6153 (Features in F5 BIG-IP 13.0.0-13.1.0.3, 12.1.0-12.1.3.1, 11.6.1-11.6.3. ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6152 (A local user on F5 BIG-IQ Centralized Management 5.1.0-5.2.0 with the ...) NOT-FOR-US: F5 BIG-IQ Centralized Management CVE-2017-6151 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GT ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6150 (Under certain conditions for F5 BIG-IP systems 13.0.0 or 12.1.0 - 12.1 ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6149 REJECTED CVE-2017-6148 (Responses to SOCKS proxy requests made through F5 BIG-IP version 13.0. ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6147 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6146 REJECTED CVE-2017-6145 (iControl REST in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Li ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6144 (In F5 BIG-IP PEM 12.1.0 through 12.1.2 when downloading the Type Alloc ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6143 (X509 certificate verification was not correctly implemented in the IP ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6142 (X509 certificate verification was not correctly implemented in the ear ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6141 (In F5 BIG-IP LTM, AAM, AFM, APM, ASM, Link Controller, PEM, and WebSaf ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6140 (On the BIG-IP 2000s, 2200s, 4000s, 4200v, i5600, i5800, i7600, i7800, ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6139 (In F5 BIG-IP APM software version 13.0.0 and 12.1.2, under rare condit ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6138 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Contro ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6137 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GT ...) NOT-FOR-US: F5 CVE-2017-6136 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Contro ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6135 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Contro ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6134 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Contro ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6133 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6132 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Contro ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6131 (In some circumstances, an F5 BIG-IP version 12.0.0 to 12.1.2 and 13.0. ...) NOT-FOR-US: F5 CVE-2017-6130 (F5 SSL Intercept iApp 1.5.0 - 1.5.7 and SSL Orchestrator 2.0 is vulner ...) NOT-FOR-US: F5 CVE-2017-6129 (In F5 BIG-IP APM software version 13.0.0 and 12.1.2, in some circumsta ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6128 (An attacker may be able to cause a denial-of-service (DoS) attack agai ...) NOT-FOR-US: F5 CVE-2017-6188 (Munin before 2.999.6 has a local file write vulnerability when CGI gra ...) {DSA-3794-1 DLA-836-1} - munin 2.0.31-1 (bug #855705) NOTE: https://github.com/munin-monitoring/munin/issues/721 CVE-2017-6127 (Multiple cross-site request forgery (CSRF) vulnerabilities in the acce ...) NOT-FOR-US: DIGISOL DG-HR1400 Wireless Router CVE-2017-6126 RESERVED CVE-2017-6125 RESERVED CVE-2017-6124 RESERVED CVE-2017-6123 RESERVED CVE-2017-6122 RESERVED CVE-2017-6121 RESERVED CVE-2017-6120 RESERVED CVE-2017-6119 RESERVED CVE-2017-6118 RESERVED CVE-2017-6117 RESERVED CVE-2017-6116 RESERVED CVE-2017-6115 RESERVED CVE-2017-6114 RESERVED CVE-2017-6113 RESERVED CVE-2017-6112 RESERVED CVE-2017-6111 RESERVED CVE-2017-6110 RESERVED CVE-2017-6109 RESERVED CVE-2017-6108 RESERVED CVE-2017-6107 RESERVED CVE-2017-6106 RESERVED CVE-2017-6105 RESERVED CVE-2017-6104 (Remote file upload vulnerability in Wordpress Plugin Mobile App Native ...) NOT-FOR-US: Wordpress plugin CVE-2017-6103 (Persistent XSS Vulnerability in Wordpress plugin AnyVar v0.1.1. ...) NOT-FOR-US: Wordpress plugin CVE-2017-6102 (Persistent XSS in wordpress plugin rockhoist-badges v1.2.2. ...) NOT-FOR-US: Wordpress plugin CVE-2017-6384 (Memory leak in the login_user function in saslserv/main.c in saslserv/ ...) - atheme-services 7.2.9-1 (bug #855588) [jessie] - atheme-services (versions prior to 7.2.7 not vulnerable) NOTE: 7.2.7 vulnerable, fixed in 7.2.8, but the fix introduced another DOS, fixed in 7.2.9 NOTE: (Possibly) introduced in https://github.com/atheme/atheme/commit/8ac7aa8d007331ae694f099c288e27f911e8cad1 (v7.2.7) CVE-2017-6101 RESERVED CVE-2017-6099 (Cross-site scripting (XSS) vulnerability in GetAuthDetails.html.php in ...) NOT-FOR-US: PayPal PHP Merchant SDK CVE-2017-6098 (A SQL injection issue was discovered in the Mail Masta (aka mail-masta ...) NOT-FOR-US: Mail Masta plugin for Wordpress CVE-2017-6097 (A SQL injection issue was discovered in the Mail Masta (aka mail-masta ...) NOT-FOR-US: Mail Masta plugin for Wordpress CVE-2017-6096 (A SQL injection issue was discovered in the Mail Masta (aka mail-masta ...) NOT-FOR-US: Mail Masta plugin for Wordpress CVE-2017-6095 (A SQL injection issue was discovered in the Mail Masta (aka mail-masta ...) NOT-FOR-US: Mail Masta plugin for Wordpress CVE-2017-6094 (CPEs used by subscribers on the access network receive their individua ...) NOT-FOR-US: Genexis GASP CVE-2017-6093 RESERVED CVE-2017-6092 RESERVED CVE-2017-6091 RESERVED CVE-2017-6090 (Unrestricted file upload vulnerability in clients/editclient.php in Ph ...) NOT-FOR-US: PhpCollab CVE-2017-6089 (SQL injection vulnerability in PhpCollab 2.5.1 and earlier allows remo ...) NOT-FOR-US: PhpCollab CVE-2017-6088 (Multiple SQL injection vulnerabilities in EyesOfNetwork (aka EON) 5.0 ...) NOT-FOR-US: EyesOfNetwork CVE-2017-6087 (EyesOfNetwork ("EON") 5.0 and earlier allows remote authenticated user ...) NOT-FOR-US: EyesOfNetwork CVE-2017-6086 (Multiple cross-site request forgery (CSRF) vulnerabilities in the addA ...) NOT-FOR-US: ViMbAdmin CVE-2017-6085 RESERVED CVE-2017-6084 RESERVED CVE-2017-6083 RESERVED CVE-2017-6082 RESERVED CVE-2017-6081 (A CSRF issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3 ...) - zammad (bug #841355) CVE-2017-6080 (An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, an ...) - zammad (bug #841355) CVE-2017-6079 (The HTTP web-management application on Edgewater Networks Edgemarc app ...) NOT-FOR-US: Edgewater CVE-2017-6078 (FastStone MaxView 3.0 and 3.1 allows user-assisted attackers to cause ...) NOT-FOR-US: FastStone MaxView CVE-2017-6077 (ping.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0.50 al ...) NOT-FOR-US: NETGEAR CVE-2016-10228 (The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and e ...) - glibc (low; bug #856503) [buster] - glibc (Minor issue) [stretch] - glibc (Minor issue) [jessie] - glibc (Minor issue) - eglibc [wheezy] - eglibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=19519 CVE-2016-10227 (Zyxel USG50 Security Appliance and NWA3560-N Access Point allow remote ...) NOT-FOR-US: Zyxel CVE-2017-6076 (In versions of wolfSSL before 3.10.2 the function fp_mul_comba makes i ...) - wolfssl 3.10.2+dfsg-1 (bug #856114) NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v3.10.2-stable NOTE: https://github.com/wolfSSL/wolfssl/commit/345df93978c41da1ac8047a37f1fed5286883d8d CVE-2017-6075 RESERVED CVE-2017-6074 (The dccp_rcv_state_process function in net/dccp/input.c in the Linux k ...) {DSA-3791-1 DLA-833-1} - linux 4.9.13-1 NOTE: Fixed by: https://git.kernel.org/linus/5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 CVE-2017-6073 RESERVED CVE-2017-6072 (CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows ...) NOT-FOR-US: CMS Made Simple CVE-2017-6071 (CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows ...) NOT-FOR-US: CMS Made Simple CVE-2017-6070 (CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows ...) NOT-FOR-US: CMS Made Simple CVE-2017-6069 (Subrion CMS 4.0.5 has CSRF in admin/blog/add/. The attacker can add an ...) NOT-FOR-US: Subrion CMS CVE-2017-6068 (Subrion CMS 4.0.5 has CSRF in admin/blocks/add/. The attacker can crea ...) NOT-FOR-US: Subrion CMS CVE-2017-6067 (Symphony 2.6.9 has XSS in publish/notes/edit/##/saved/ via the bottom ...) NOT-FOR-US: Symphony CMS CVE-2017-6066 (Subrion CMS 4.0.5 has CSRF in admin/languages/edit/1/. The attacker ca ...) NOT-FOR-US: Subrion CMS CVE-2017-6065 (SQL injection vulnerability in inc/lib/Control/Backend/menus.control.p ...) NOT-FOR-US: GenixCMS CVE-2017-6064 RESERVED CVE-2017-6063 RESERVED CVE-2016-10226 (JavaScriptCore in WebKit, as distributed in Safari Technology Preview ...) - webkitgtk (unimportant) NOTE: Not covered by security support CVE-2017-6061 (Cross-site scripting (XSS) vulnerability in the help component of SAP ...) NOT-FOR-US: SAP CVE-2017-6060 (Stack-based buffer overflow in jstest_main.c in mujstest in Artifex So ...) - mupdf (unimportant) [wheezy] - mupdf (Vulnerable code not present) NOTE: Although jstest_main.c compiled during build and mujstest is created NOTE: it is not included in the produced binary packages NOTE: http://www.openwall.com/lists/oss-security/2017/02/18/1 CVE-2017-6058 (Buffer overflow in NetRxPkt::ehdr_buf in hw/net/net_rx_pkt.c in QEMU ( ...) - qemu 1:2.8+dfsg-3 (bug #855616) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2017-02/msg03527.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1423358 CVE-2017-6057 RESERVED CVE-2017-6055 (XML external entity (XXE) vulnerability in eParakstitajs 3 before 1.3. ...) NOT-FOR-US: eParakstitajs and eParaksts Java lib CVE-2017-6054 (A Use of Hard-Coded Cryptographic Key issue was discovered in Hyundai ...) NOT-FOR-US: Hyundai CVE-2017-6053 (A Cross-Site Scripting issue was discovered in Trihedral VTScada Versi ...) NOT-FOR-US: Trihedral VTScada CVE-2017-6052 (A Man-in-the-Middle issue was discovered in Hyundai Motor America Blue ...) NOT-FOR-US: Hyundai CVE-2017-6051 (An Uncontrolled Search Path Element issue was discovered in BLF-Tech L ...) NOT-FOR-US: BLF-Tech LLC VisualView HMI CVE-2017-6050 (A SQL Injection issue was discovered in Ecava IntegraXor Versions 5.2. ...) NOT-FOR-US: Ecava IntegraXor CVE-2017-6049 (Detcon Sitewatch Gateway, all versions without cellular, an attacker c ...) NOT-FOR-US: Detcon Sitewatch Gateway CVE-2017-6048 (A Command Injection issue was discovered in Satel Iberia SenNet Data L ...) NOT-FOR-US: Satel Iberia SenNet Data Logger and Electricity Meters CVE-2017-6047 (Detcon Sitewatch Gateway, all versions without cellular, Passwords are ...) NOT-FOR-US: Detcon Sitewatch Gateway CVE-2017-6046 (An Insufficiently Protected Credentials issue was discovered in Sierra ...) NOT-FOR-US: Sierra Wireless AirLink Raven CVE-2017-6045 (An Information Exposure issue was discovered in Trihedral VTScada Vers ...) NOT-FOR-US: Trihedral VTScada CVE-2017-6044 (An Improper Authorization issue was discovered in Sierra Wireless AirL ...) NOT-FOR-US: Sierra Wireless AirLink Raven CVE-2017-6043 (A Resource Consumption issue was discovered in Trihedral VTScada Versi ...) NOT-FOR-US: Trihedral VTScada CVE-2017-6042 (A Cross-Site Request Forgery issue was discovered in Sierra Wireless A ...) NOT-FOR-US: Sierra Wireless AirLink Raven CVE-2017-6041 (An Unrestricted Upload issue was discovered in Marel Food Processing S ...) NOT-FOR-US: Marel CVE-2017-6040 (An Information Exposure issue was discovered in Belden Hirschmann GECK ...) NOT-FOR-US: Belden Hirschmann GECKO Lite Managed switch CVE-2017-6039 (A Use of Hard-Coded Password issue was discovered in Phoenix Broadband ...) NOT-FOR-US: Phoenix CVE-2017-6038 (A Cross-Site Request Forgery issue was discovered in Belden Hirschmann ...) NOT-FOR-US: Belden Hirschmann GECKO Lite Managed switch CVE-2017-6037 (A Heap-Based Buffer Overflow issue was discovered in Wecon Technologie ...) NOT-FOR-US: Wecon CVE-2017-6036 (A Server-Side Request Forgery issue was discovered in Belden Hirschman ...) NOT-FOR-US: Belden Hirschmann GECKO Lite Managed switch CVE-2017-6035 (A Stack-Based Buffer Overflow issue was discovered in Wecon Technologi ...) NOT-FOR-US: Wecon CVE-2017-6034 (An Authentication Bypass by Capture-Replay issue was discovered in Sch ...) NOT-FOR-US: Schneider Electric CVE-2017-6033 (A DLL Hijacking issue was discovered in Schneider Electric Interactive ...) NOT-FOR-US: Schneider Electric CVE-2017-6032 (A Violation of Secure Design Principles issue was discovered in Schnei ...) NOT-FOR-US: Schneider Electric CVE-2017-6031 (A Header Injection issue was discovered in Certec EDV GmbH atvise scad ...) NOT-FOR-US: Certec EDV GmbH atvise scada CVE-2017-6030 (A Predictable Value Range from Previous Values issue was discovered in ...) NOT-FOR-US: Schneider Electric CVE-2017-6029 (A Cross-Site Scripting issue was discovered in Certec EDV GmbH atvise ...) NOT-FOR-US: Certec EDV GmbH atvise scada CVE-2017-6028 (An Insufficiently Protected Credentials issue was discovered in Schnei ...) NOT-FOR-US: Schneider Electric CVE-2017-6027 (An Arbitrary File Upload issue was discovered in 3S-Smart Software Sol ...) NOT-FOR-US: 3S-Smart Software Solutions GmbH CODESYS Web Server CVE-2017-6026 (A Use of Insufficiently Random Values issue was discovered in Schneide ...) NOT-FOR-US: Schneider Electric CVE-2017-6025 (A Stack Buffer Overflow issue was discovered in 3S-Smart Software Solu ...) NOT-FOR-US: 3S-Smart Software Solutions GmbH CODESYS Web Server CVE-2017-6024 (A Resource Exhaustion issue was discovered in Rockwell Automation Cont ...) NOT-FOR-US: Rockwell CVE-2017-6023 (An issue was discovered in Fatek Automation PLC Ethernet Module. The a ...) NOT-FOR-US: Fatek CVE-2017-6022 (A hard-coded password issue was discovered in Becton, Dickinson and Co ...) NOT-FOR-US: BD's Kiestra PerformA and KLA Journal Service applications CVE-2017-6021 (In Schneider Electric ClearSCADA 2014 R1 (build 75.5210) and prior, 20 ...) NOT-FOR-US: Schneider CVE-2017-6020 (Leao Consultoria e Desenvolvimento de Sistemas (LCDS) LTDA ME LAquis S ...) NOT-FOR-US: Leao Consultoria e Desenvolvimento de Sistemas (LCDS) LTDA ME LAquis SCADA software CVE-2017-6019 (An issue was discovered in Schneider Electric Conext ComBox, model 865 ...) NOT-FOR-US: Schneider Electric CVE-2017-6018 (An open redirect issue was discovered in B. Braun Medical SpaceCom mod ...) NOT-FOR-US: SpaceCom / SpaceStation CVE-2017-6017 (A Resource Exhaustion issue was discovered in Schneider Electric Modic ...) NOT-FOR-US: Schneider Electric CVE-2017-6016 (An Improper Access Control issue was discovered in LCDS - Leao Consult ...) NOT-FOR-US: LCDS (Leao Consultoria e Desenvolvimento de Sistemas LTDA ME LAquis SCADA) CVE-2017-6015 (Without quotation marks, any whitespace in the file path for Rockwell ...) NOT-FOR-US: Rockwell CVE-2017-6014 (In Wireshark 2.2.4 and earlier, a crafted or malformed STANAG 4607 cap ...) {DSA-3811-1 DLA-826-1} - wireshark 2.2.5+g440fd4d-2 (bug #855408) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13416 CVE-2017-6013 (Subrion CMS 4.0.5.10 has SQL injection in admin/database/ via the quer ...) NOT-FOR-US: Subrion CMS CVE-2017-6012 RESERVED CVE-2017-6011 (An issue was discovered in icoutils 0.31.1. An out-of-bounds read lead ...) {DSA-3807-1 DLA-854-1} - icoutils 0.31.2-1 (bug #854054) NOTE: Fixed by: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=bf97b99109607d4367a4e57df9a37cbcac02e220 NOTE: Fixed by: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=45a0207225df4cd4b82f41eee636e21f11a7db74 NOTE: Proposed patch from Red Hat contributor: https://bugzilla.redhat.com/attachment.cgi?id=1256393 CVE-2017-6010 (An issue was discovered in icoutils 0.31.1. A buffer overflow was obse ...) {DSA-3807-1 DLA-854-1} - icoutils 0.31.2-1 (bug #854054) NOTE: Fixed by: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=bf97b99109607d4367a4e57df9a37cbcac02e220 NOTE: Fixed by: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=45a0207225df4cd4b82f41eee636e21f11a7db74 NOTE: Proposed patch from Red Hat contributor: https://bugzilla.redhat.com/attachment.cgi?id=1256393 CVE-2017-6009 (An issue was discovered in icoutils 0.31.1. A buffer overflow was obse ...) {DSA-3807-1 DLA-854-1} - icoutils 0.31.2-1 (bug #854050) NOTE: Fixed by: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=f148ae5af1c9eeb85610a5653a7f625dd6c3ac2e NOTE: Proposed patch from Red Hat contributor: https://bugzilla.redhat.com/attachment.cgi?id=1256407 CVE-2017-6008 (A kernel pool overflow in the driver hitmanpro37.sys in Sophos SurfRig ...) NOT-FOR-US: Sophos CVE-2017-6007 (A kernel pool overflow in the driver hitmanpro37.sys in Sophos SurfRig ...) NOT-FOR-US: Sophos CVE-2017-6006 REJECTED CVE-2017-6005 (Waves MaxxAudio, as installed on Dell laptops, adds a "WavesSysSvc" Wi ...) NOT-FOR-US: Waves MaxxAudio CVE-2017-6004 (The compile_bracket_matchingpath function in pcre_jit_compile.c in PCR ...) - pcre3 2:8.39-2.1 (bug #855405) [jessie] - pcre3 (Vulnerable code introduced later) [wheezy] - pcre3 (Vulnerable code introduced later) NOTE: https://vcs.pcre.org/pcre/code/trunk/pcre_jit_compile.c?r1=1676&r2=1680&view=patch NOTE: https://bugs.exim.org/show_bug.cgi?id=2035 CVE-2017-6003 (dotCMS 3.7.0 has XSS reachable from ext/languages_manager/edit_languag ...) NOT-FOR-US: dotCMS CVE-2017-6002 (Subrion CMS 4.0.5.10 has CSRF in admin/blog/add/. The attacker can add ...) NOT-FOR-US: Subrion CMS CVE-2014-9919 (An issue was discovered in Bilboplanet 2.0. Stored XSS exists in the f ...) NOT-FOR-US: Bilboplanet CVE-2014-9918 (An issue was discovered in Bilboplanet 2.0. Stored XSS exists in the u ...) NOT-FOR-US: Bilboplanet CVE-2014-9917 (An issue was discovered in Bilboplanet 2.0. There is a stored XSS vuln ...) NOT-FOR-US: Bilboplanet CVE-2014-9916 (Multiple cross-site scripting (XSS) vulnerabilities in Bilboplanet 2.0 ...) NOT-FOR-US: Bilboplanet CVE-2017-6001 (Race condition in kernel/events/core.c in the Linux kernel before 4.9. ...) {DSA-3791-1 DLA-833-1} - linux 4.9.10-1 NOTE: Fixed by: https://git.kernel.org/linus/321027c1fe77f892f4ea07846aeae08cefbbb290 CVE-2017-6000 REJECTED CVE-2017-5999 (An issue was discovered in sysPass 2.x before 2.1, in which an algorit ...) NOT-FOR-US: sysPass CVE-2017-5998 (Cross-site scripting (XSS) vulnerability in InterSect Alliance SNARE E ...) NOT-FOR-US: InterSect Alliance SNARE Epilog CVE-2017-5997 (The SAP Message Server HTTP daemon in SAP KERNEL 7.21-7.49 allows remo ...) NOT-FOR-US: SAP Message Server CVE-2017-5996 (The agent in Bomgar Remote Support 15.2.x before 15.2.3, 16.1.x before ...) NOT-FOR-US: Bomgar Remote Support CVE-2017-5995 (The NetApp ONTAP Select Deploy administration utility 2.0 through 2.2. ...) NOT-FOR-US: NetApp ONTAP Select Deploy administration utility CVE-2017-14431 (Memory leak in Xen 3.3 through 4.8.x allows guest OS users to cause a ...) {DLA-1493-1} - xen 4.8.1-1 (bug #856229) [wheezy] - xen (Minor issue) NOTE: https://xenbits.xen.org/xsa/advisory-207.html CVE-2017-XXXX [XSA-206: xenstore denial of service via repeated update] - xen 4.8.1-1 (bug #860565) [jessie] - xen 4.4.4lts1-0+deb8u1 [wheezy] - xen (Too intrusive to backport) NOTE: https://xenbits.xen.org/xsa/advisory-206.html CVE-2017-5994 (Heap-based buffer overflow in the vrend_create_vertex_elements_state f ...) - virglrenderer 0.6.0-1 (bug #858255) NOTE: https://cgit.freedesktop.org/virglrenderer/commit/?id=114688c526fe45f341d75ccd1d85473c3b08f7a7 (0.6.0) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1422452 CVE-2017-5993 (Memory leak in the vrend_renderer_init_blit_ctx function in vrend_blit ...) - virglrenderer 0.6.0-1 (bug #858255) NOTE: https://cgit.freedesktop.org/virglrenderer/commit/?id=6eb13f7a2dcf391ec9e19b4c2a79e68305f63c22 (0.6.0) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1422438 CVE-2017-5991 (An issue was discovered in Artifex Software, Inc. MuPDF before 1912de5 ...) {DSA-3797-1} - mupdf 1.9a+ds1-4 (low) [wheezy] - mupdf (vulnerable code not present) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697500 NOTE: http://git.ghostscript.com/?p=mupdf.git;h=1912de5f08e90af1d9d0a9791f58ba3afdb9d465 CVE-2017-5990 (An issue was discovered in PhreeBooksERP before 2017-02-13. The vulner ...) NOT-FOR-US: PhreeBooksERP CVE-2017-5989 RESERVED CVE-2017-5988 (NetApp Clustered Data ONTAP 8.1 through 9.1P1, when NFS or SMB is enab ...) NOT-FOR-US: NetApp CVE-2017-5987 (The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU ...) {DLA-1497-1} - qemu 1:2.8+dfsg-3 (bug #855159) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code not present) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg02776.html CVE-2017-5986 (Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket ...) {DSA-3804-1 DLA-849-1} - linux 4.9.10-1 NOTE: Fixed by: https://git.kernel.org/linus/2dcab598484185dea7ec22219c76dcdd59e3cb90 CVE-2017-5985 (lxc-user-nic in Linux Containers (LXC) allows local users with a lxc-u ...) - lxc 1:2.0.7-2 (bug #857295) [jessie] - lxc 1:1.0.6-6+deb8u6 [wheezy] - lxc (vulnerable code not present) NOTE: https://lists.linuxcontainers.org/pipermail/lxc-users/2017-March/012925.html NOTE: https://launchpad.net/bugs/1654676 NOTE: master: https://github.com/lxc/lxc/commit/16af238036a5464ae8f2420ed3af214f0de875f9 NOTE: stable-2.0: https://github.com/lxc/lxc/commit/d512bd5efb0e407eba350c4e649c464a65b712a3 NOTE: stable-1.0: https://github.com/lxc/lxc/commit/c905f00ad78b78a5e9c0d67504b86e00dfe085ec CVE-2017-5984 (In libavcodec in Libav 9.21, ff_h264_execute_ref_pic_marking() has a h ...) - libav [jessie] - libav (Vulnerable code introduced later) - ffmpeg (ffmpeg not affected) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1019 NOTE: https://patches.libav.org/patch/62534/ CVE-2017-5983 (The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3. ...) NOT-FOR-US: JIRA Workflow Designer Plugin CVE-2017-5982 (Directory traversal vulnerability in the Chorus2 2.4.2 add-on for Kodi ...) - kodi (bug #855225) [buster] - kodi (Minor issue) [stretch] - kodi (Minor issue) [jessie] - kodi (Minor issue) - xbmc (bug #861274) [jessie] - xbmc (Minor issue) [wheezy] - xbmc (Minor issue) NOTE: http://seclists.org/fulldisclosure/2017/Feb/27 NOTE: http://trac.kodi.tv/ticket/17314 NOTE: https://lists.debian.org/debian-lts/2017/04/msg00025.html NOTE: https://lists.debian.org/debian-lts/2017/04/msg00055.html (and followups) NOTE: https://lists.debian.org/debian-lts/2017/05/msg00006.html CVE-2017-5681 (The RSA-CRT implementation in the Intel QuickAssist Technology (QAT) E ...) NOT-FOR-US: Intel QuickAssist Technology (QAT) Engine CVE-2017-6056 (It was discovered that a programming error in the processing of HTTPS ...) {DSA-3788-1 DSA-3787-1 DLA-823-1} - tomcat8 8.0.21-2 (bug #851304) - tomcat7 7.0.72-3 (bug #854551) NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=57544 CVE-2017-5981 (seeko.c in zziplib 0.13.62 allows remote attackers to cause a denial o ...) {DSA-3878-1 DLA-994-1} - zziplib 0.13.62-3.1 (bug #854727) NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-assertion-failure-in-seeko-c/ CVE-2017-5980 (The zzip_mem_entry_new function in memdisk.c in zziplib 0.13.62 allows ...) {DSA-3878-1 DLA-994-1} - zziplib 0.13.62-3.1 (bug #854727) NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-null-pointer-dereference-in-zzip_mem_entry_new-memdisk-c/ CVE-2017-5979 (The prescan_entry function in fseeko.c in zziplib 0.13.62 allows remot ...) {DSA-3878-1 DLA-994-1} - zziplib 0.13.62-3.1 (bug #854727) NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-null-pointer-dereference-in-prescan_entry-fseeko-c/ CVE-2017-5978 (The zzip_mem_entry_new function in memdisk.c in zziplib 0.13.62 allows ...) {DSA-3878-1 DLA-994-1} - zziplib 0.13.62-3.1 (bug #854727) NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-out-of-bounds-read-in-zzip_mem_entry_new-memdisk-c/ CVE-2017-5977 (The zzip_mem_entry_extra_block function in memdisk.c in zziplib 0.13.6 ...) {DSA-3878-1} - zziplib 0.13.62-3.1 (bug #864150; bug #854727) [jessie] - zziplib (Minor issue) [wheezy] - zziplib (Minor issue) NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-invalid-memory-read-in-zzip_mem_entry_extra_block-memdisk-c/ CVE-2017-5976 (Heap-based buffer overflow in the zzip_mem_entry_extra_block function ...) {DSA-3878-1 DLA-994-1} - zziplib 0.13.62-3.1 (bug #854727) NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-heap-based-buffer-overflow-in-zzip_mem_entry_extra_block-memdisk-c/ CVE-2017-5975 (Heap-based buffer overflow in the __zzip_get64 function in fetch.c in ...) {DSA-3878-1 DLA-994-1} - zziplib 0.13.62-3.1 (bug #854727) NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-heap-based-buffer-overflow-in-__zzip_get64-fetch-c/ NOTE: https://github.com/gdraheim/zziplib/commit/33d6e9c52fcf1a8983896a512033994dc2ca5734 (v0.13.63) NOTE: https://github.com/gdraheim/zziplib/commit/64e745f8a3604ba1c444febed86b5e142ce03dd7 (v0.13.63) CVE-2017-5974 (Heap-based buffer overflow in the __zzip_get32 function in fetch.c in ...) {DSA-3878-1 DLA-994-1} - zziplib 0.13.62-3.1 (bug #854727) NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-heap-based-buffer-overflow-in-__zzip_get32-fetch-c/ CVE-2017-5973 (The xhci_kick_epctx function in hw/usb/hcd-xhci.c in QEMU (aka Quick E ...) {DLA-1497-1 DLA-845-1 DLA-842-1} - qemu 1:2.8+dfsg-3 (bug #855611) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg01101.html NOTE: http://www.openwall.com/lists/oss-security/2017/02/13/11 CVE-2017-5972 (The TCP stack in the Linux kernel 3.x does not properly implement a SY ...) - linux 4.4.2-1 [jessie] - linux (Known perfomance limitation) [wheezy] - linux (Known perfomance limitation) CVE-2016-10225 (The sunxi-debug driver in Allwinner 3.4 legacy kernel for H3, A83T and ...) NOT-FOR-US: sunxi-debug driver in Allwinner kernel CVE-2016-10224 (An issue was discovered in Sauter NovaWeb web HMI. The application use ...) NOT-FOR-US: Sauter NovaWeb CVE-2016-10223 (An issue was discovered in BigTree CMS before 4.2.15. The vulnerabilit ...) NOT-FOR-US: BigTree CMS CVE-2017-5971 (SQL injection vulnerability in NewsBee CMS allow remote attackers to e ...) NOT-FOR-US: NewsBee CMS CVE-2017-5970 (The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Lin ...) {DSA-3791-1 DLA-922-1} - linux 4.9.10-1 NOTE: Fixed by: https://github.com/torvalds/linux/commit/34b2cef20f19c87999fff3da4071e66937db9644 (v4.10-rc8) NOTE: Introduced by: https://github.com/torvalds/linux/commit/f84af32cbca70a3c6d30463dc08c7984af11c277 (v2.6.35-rc1) CVE-2017-5969 (** DISPUTED ** libxml2 2.9.4, when used in recover mode, allows remote ...) - libxml2 2.9.4+dfsg1-5.1 (bug #855001) [stretch] - libxml2 (Minor issue, only a denial-of-service when using recover mode) [jessie] - libxml2 (Minor issue, only a denial-of-service when using recover mode) [wheezy] - libxml2 (Minor issue, only a denial-of-service when using recover mode) NOTE: http://www.openwall.com/lists/oss-security/2016/11/05/3 NOTE: Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=778519 NOTE: Duplicate upstream bug (contains patch): https://bugzilla.gnome.org/show_bug.cgi?id=758422 NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=94691dc884d1a8ada39f073408b4bb92fe7fe882 CVE-2017-5968 RESERVED CVE-2017-5967 (The time subsystem in the Linux kernel through 4.9.9, when CONFIG_TIME ...) - linux 4.9.13-1 (low) CVE-2017-5966 (Sitecore CRM 8.1 Rev 151207 allows remote authenticated administrators ...) NOT-FOR-US: Sitecore CVE-2017-5965 (The package manager in Sitecore CRM 8.1 Rev 151207 allows remote authe ...) NOT-FOR-US: Sitecore CVE-2017-5964 (An issue was discovered in Emoncms through 9.8.0. The vulnerability ex ...) NOT-FOR-US: Emoncms CVE-2017-5963 (An issue was discovered in caddy (for TYPO3) before 7.2.10. The vulner ...) NOT-FOR-US: TYPO3 extension CVE-2017-5962 (An issue was discovered in contexts_wurfl (for TYPO3) before 0.4.2. Th ...) NOT-FOR-US: TYPO3 extension CVE-2017-5961 (An issue was discovered in ionize through 1.0.8. The vulnerability exi ...) NOT-FOR-US: ionize CVE-2017-5960 (An issue was discovered in Phalcon Eye through 0.4.1. The vulnerabilit ...) NOT-FOR-US: Phalcon Eye CVE-2017-5959 (CSRF token bypass in GeniXCMS before 1.0.2 could result in escalation ...) NOT-FOR-US: GenixCMS CVE-2017-5958 RESERVED CVE-2017-5957 (Stack-based buffer overflow in the vrend_decode_set_framebuffer_state ...) - virglrenderer 0.6.0-1 (bug #858255) NOTE: https://cgit.freedesktop.org/virglrenderer/commit/?id=926b9b3460a48f6454d8bbe9e44313d86a65447f (0.6.0) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1421126 CVE-2017-5956 (The vrend_draw_vbo function in virglrenderer before 0.6.0 allows local ...) - virglrenderer 0.6.0-1 (bug #858255) NOTE: https://cgit.freedesktop.org/virglrenderer/commit/?id=a5ac49940c40ae415eac0cf912eac7070b4ba95d (0.6.0) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1421073 NOTE: The original fix opens a memory leak: http://www.openwall.com/lists/oss-security/2017/02/24/2 NOTE: Additional patch required: https://bugzilla.suse.com/attachment.cgi?id=715395 CVE-2017-5955 RESERVED CVE-2017-5954 (An issue was discovered in the serialize-to-js package 0.5.0 for Node. ...) NOT-FOR-US: serialize-to-js Node package CVE-2017-5953 (vim before patch 8.0.0322 does not properly validate values for tree l ...) {DSA-3786-1 DLA-822-1} - vim 2:8.0.0197-2 (bug #854969) - neovim 0.1.7-4 NOTE: Fixed by https://github.com/vim/vim/commit/399c297aa93afe2c0a39e2a1b3f972aebba44c9d CVE-2017-5952 RESERVED CVE-2017-5951 (The mem_get_bits_rectangle function in base/gdevmem.c in Artifex Softw ...) {DSA-3838-1 DLA-905-1} - ghostscript 9.20~dfsg-3.1 (bug #859696) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697548 NOTE: Fixed by: http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;a=commitdiff;h=bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 CVE-2017-5950 (The SingleDocParser::HandleNode function in yaml-cpp (aka LibYaml-C++) ...) - yaml-cpp 0.6.3-1 (low; bug #859891) [buster] - yaml-cpp (Minor issue) [stretch] - yaml-cpp (Minor issue) [jessie] - yaml-cpp (Minor issue) [wheezy] - yaml-cpp (Minor issue) - yaml-cpp0.3 (low; bug #859892) [stretch] - yaml-cpp0.3 (Minor issue) [jessie] - yaml-cpp0.3 (Minor issue) NOTE: https://github.com/jbeder/yaml-cpp/issues/459 NOTE: possible fix: https://github.com/jbeder/yaml-cpp/pull/489 CVE-2017-5949 (JavaScriptCore in WebKit, as distributed in Safari Technology Preview ...) - webkitgtk (unimportant) NOTE: Not covered by security support CVE-2017-5948 (An issue was discovered on OnePlus One, X, 2, 3, and 3T devices. Oxyge ...) NOT-FOR-US: OnePlus One CVE-2017-5947 (An issue was discovered in OnePlus One, X, 2, 3, 3T, and 5 devices wit ...) NOT-FOR-US: OnePlus One, X, 2, 3, 3T, and 5 devices with OxygenOS CVE-2017-5946 (The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a ...) {DSA-3801-1 DLA-846-1} - ruby-zip 1.2.0-1.1 (bug #856269) - libzip-ruby NOTE: https://github.com/rubyzip/rubyzip/issues/315 CVE-2017-5945 (An issue was discovered in the PoodLL Filter plugin through 3.0.20 for ...) NOT-FOR-US: Moodle plugin CVE-2017-5944 (The dashboard subscription interface in Request Tracker (RT) 4.x befor ...) {DSA-3882-1 DLA-987-1} - request-tracker4 4.4.1-4 CVE-2017-5943 (Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x ...) {DSA-3882-1 DLA-987-1} - request-tracker4 4.4.1-4 CVE-2017-5942 (An issue was discovered in the WP Mail plugin before 1.2 for WordPress ...) NOT-FOR-US: Wordpress plugin CVE-2016-10222 (runtime/JSONObject.cpp in JavaScriptCore in WebKit, as distributed in ...) - webkitgtk (unimportant) NOTE: Not covered by security support CVE-2016-10221 (The count_entries function in pdf-layer.c in Artifex Software, Inc. Mu ...) - mupdf (Vulnerable code not yet present) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697400 CVE-2016-10220 (The gs_makewordimagedevice function in base/gsdevmem.c in Artifex Soft ...) {DSA-3838-1 DLA-905-1} - ghostscript 9.20~dfsg-3.1 (bug #859694) NOTE: http://www.ghostscript.com/cgi-bin/findgit.cgi?daf85701dab05f17e924a48a81edc9195b4a04e8 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697450 CVE-2016-10219 (The intersect function in base/gxfill.c in Artifex Software, Inc. Ghos ...) {DSA-3838-1 DLA-905-1} - ghostscript 9.20~dfsg-3.1 (bug #859666) NOTE: http://www.ghostscript.com/cgi-bin/findgit.cgi?4bef1a1d32e29b68855616020dbff574b9cda08f NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697453 CVE-2016-10218 (The pdf14_pop_transparency_group function in base/gdevp14.c in the PDF ...) - ghostscript (Vulnerable code introduced later) NOTE: Fixed by: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=d621292fb2c8157d9899dcd83fd04dd250e30fe4 NOTE: Introduced by: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=47294ff5b168d25bfc7db64f51572d64b8ebde91 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697444 CVE-2016-10217 (The pdf14_open function in base/gdevp14.c in Artifex Software, Inc. Gh ...) - ghostscript 9.20~dfsg-3.1 (bug #859662) [jessie] - ghostscript (pdf14_cleanup_parent_color_profiles not yet present) [wheezy] - ghostscript (pdf14_cleanup_parent_color_profiles not yet present) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=90fd0c7ca3efc1ddff64a86f4104b13b3ac969eb NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697456 CVE-2016-10216 (An issue was discovered in IT ITems DataBase (ITDB) through 1.23. The ...) NOT-FOR-US: IT ITems DataBase CVE-2016-10215 (An issue was discovered in Fastspot BigTree bigtree-form-builder befor ...) NOT-FOR-US: Fastspot BigTree bigtree-form-builder CVE-2017-5941 (An issue was discovered in the node-serialize package 0.0.4 for Node.j ...) NOT-FOR-US: node-serialize CVE-2017-5939 RESERVED CVE-2017-5936 (OpenStack Nova-LXD before 13.1.1 uses the wrong name for the veth pair ...) NOT-FOR-US: Nova-LXD CVE-2017-5937 (The util_format_is_pure_uint function in vrend_renderer.c in Virgil 3d ...) - virglrenderer 0.6.0-1 (bug #854728) NOTE: https://cgit.freedesktop.org/virglrenderer/commit/?id=48f67f60967f963b698ec8df57ec6912a43d6282 (0.6.0) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1420246 CVE-2016-10214 (Memory leak in the virgl_resource_attach_backing function in virglrend ...) - virglrenderer 0.6.0-1 (bug #854728) NOTE: https://cgit.freedesktop.org/virglrenderer/commit/?id=40b0e7813325b08077b6f541b3989edb2d86d837 (0.6.0) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1420266 CVE-2017-5935 RESERVED CVE-2017-5934 (Cross-site scripting (XSS) vulnerability in the link dialogue in GUI e ...) {DSA-4318-1 DLA-1546-1} - moin 1.9.9-1+deb9u1 (bug #910776) NOTE: https://github.com/moinwiki/moin-1.9/commit/70955a8eae091cc88fd9a6e510177e70289ec024 CVE-2017-5933 (Citrix NetScaler ADC and NetScaler Gateway 10.5 before Build 65.11, 11 ...) NOT-FOR-US: Citrix CVE-2016-10213 (A10 AX1030 and possibly other devices with software before 2.7.2-P8 us ...) NOT-FOR-US: A10 CVE-2016-10212 (Radware devices use the same value for the first two GCM nonces, which ...) NOT-FOR-US: Radware devices CVE-2017-5932 (The path autocompletion feature in Bash 4.4 allows local users to gain ...) - bash 4.4-3 [jessie] - bash (Introduced in 4.4) [wheezy] - bash (Introduced in 4.4) NOTE: https://github.com/jheyens/bash_completion_vuln/raw/master/2017-01-17.bash_completion_report.pdf NOTE: Fix http://git.savannah.gnu.org/cgit/bash.git/commit/?id=4f747edc625815f449048579f6e65869914dd715 CVE-2017-5931 (Integer overflow in hw/virtio/virtio-crypto.c in QEMU (aka Quick Emula ...) - qemu 1:2.8+dfsg-3 (bug #854730) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2017-01/msg01368.html NOTE: http://www.openwall.com/lists/oss-security/2017/02/07/8 CVE-2017-5930 (The AliasHandler component in PostfixAdmin before 3.0.2 allows remote ...) - postfixadmin 3.0.2-1 (bug #854742) [jessie] - postfixadmin (Vulnerable code not present) [wheezy] - postfixadmin (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2017/02/07/6 CVE-2017-5929 (QOS.ch Logback before 1.2.0 has a serialization vulnerability affectin ...) {DLA-888-1} - logback 1:1.1.9-3 (bug #857343) [jessie] - logback 1:1.1.2-1+deb8u1 NOTE: https://github.com/qos-ch/logback/commit/f46044b805bca91efe5fd6afe52257cd02f775f8 NOTE: https://github.com/qos-ch/logback/commit/979b042cb1f0b4c1e5869ccc8912e68c39f769f9 NOTE: https://github.com/qos-ch/logback/commit/7fbea6127fa98fc48368ca5e8540eefe0e60cec5 NOTE: https://github.com/qos-ch/logback/commit/3b4f605454534b304770eeee3cb343521fcd6968 NOTE: Information asked about complete patchset to fix CVE-2017-5929: http://mailman.qos.ch/pipermail/logback-user/2017-March/004875.html CVE-2017-5928 (The W3C High Resolution Time API, as implemented in various web browse ...) NOT-FOR-US: Design limitation of W3C High Resolution Time API CVE-2017-5927 (Page table walks conducted by the MMU during virtual to physical addre ...) NOT-FOR-US: Hardware issue in some Intel CPUs CVE-2017-5926 (Page table walks conducted by the MMU during virtual to physical addre ...) NOT-FOR-US: Hardware issue in some Intel CPUs CVE-2017-5925 (Page table walks conducted by the MMU during virtual to physical addre ...) NOT-FOR-US: Hardware issue in some Intel CPUs CVE-2017-5924 (libyara/grammar.y in YARA 3.5.0 allows remote attackers to cause a den ...) - yara 3.5.0+dfsg-9 (bug #859821) [jessie] - yara 3.1.0-2+deb8u1 NOTE: https://github.com/VirusTotal/yara/issues/593 CVE-2017-5923 (libyara/grammar.y in YARA 3.5.0 allows remote attackers to cause a den ...) - yara 3.5.0+dfsg-9 (bug #859821) [jessie] - yara 3.1.0-2+deb8u1 NOTE: https://github.com/VirusTotal/yara/issues/597 CVE-2017-5922 RESERVED CVE-2017-5921 RESERVED CVE-2017-5920 RESERVED CVE-2016-10211 (libyara/grammar.y in YARA 3.5.0 allows remote attackers to cause a den ...) - yara 3.5.0+dfsg-9 (bug #859821) [jessie] - yara 3.1.0-2+deb8u1 NOTE: https://github.com/VirusTotal/yara/issues/575 CVE-2016-10210 (libyara/lexer.l in YARA 3.5.0 allows remote attackers to cause a denia ...) - yara 3.5.0+dfsg-9 (bug #859821) [jessie] - yara 3.1.0-2+deb8u1 NOTE: https://github.com/VirusTotal/yara/issues/576 CVE-2016-10209 (The archive_wstring_append_from_mbs function in archive_string.c in li ...) {DSA-4360-1 DLA-1600-1 DLA-1006-1} - libarchive 3.2.2-3.1 (low; bug #859456) NOTE: https://github.com/libarchive/libarchive/issues/842 NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/42a3408ac7df1e69bea9ea12b72e14f59f7400c0 (v3.3.0) CVE-2017-5919 (The 21st Century Insurance app 10.0.0 for iOS does not verify X.509 ce ...) NOT-FOR-US: 21st Century Insurance app for iOS CVE-2017-5918 (The Banco de Costa Rica BCR Movil app 3.7 for iOS does not verify X.50 ...) NOT-FOR-US: Banco de Costa Rica BCR Movil app for iOS CVE-2017-5917 REJECTED CVE-2017-5916 (The America's First Federal Credit Union (FCU) Mobile Banking app 3.1. ...) NOT-FOR-US: America's First Federal Credit Union (FCU) Mobile Banking app CVE-2017-5915 (The Emirates NBD Bank P.J.S.C Emirates NBD KSA app 3.10.0 through 3.10 ...) NOT-FOR-US: Emirates NBD Bank P.J.S.C Emirates NBD KSA app CVE-2017-5914 (The DOT IT Banque Zitouna app 2.1 for iOS does not verify X.509 certif ...) NOT-FOR-US: DOT IT Banque Zitouna app CVE-2017-5913 (The TradeKing Forex for iPhone app 1.2.1 for iOS does not verify X.509 ...) NOT-FOR-US: TradeKing Forex for iPhone app CVE-2017-5912 (The FOREX.com FOREXTrader for iPhone app 2.9.12 through 2.9.14 for iOS ...) NOT-FOR-US: FOREX.com FOREXTrader for iPhone app CVE-2017-5911 (The Banco Santander Mexico SA Supermovil app 3.5 through 3.7 for iOS d ...) NOT-FOR-US: Banco Santander Mexico SA Supermovil app CVE-2017-5910 RESERVED CVE-2017-5909 (The Electronic Funds Source (EFS) Mobile Driver Source app 2.5 for iOS ...) NOT-FOR-US: Electronic Funds Source (EFS) Mobile Driver Source app CVE-2017-5908 REJECTED CVE-2017-5907 (The Great Southern Bank Great Southern Mobile Banking app before 4.0.4 ...) NOT-FOR-US: Great Southern Bank Great Southern Mobile Banking app CVE-2017-5906 (The Everyday Health Diabetes in Check: Blood Glucose & Carb Tracke ...) NOT-FOR-US: Everyday Health Diabetes in Check: Blood Glucose & Carb Tracker app CVE-2017-5905 (The Dollar Bank Mobile app 2.6.3 for iOS does not verify X.509 certifi ...) NOT-FOR-US: Dollar Bank Mobile app CVE-2017-5904 RESERVED CVE-2017-5903 RESERVED CVE-2017-5902 (The PayQuicker app 1.0.0 for iOS does not verify X.509 certificates fr ...) NOT-FOR-US: PayQuicker app CVE-2017-5901 (The State Bank of India State Bank Anywhere app 5.1.0 for iOS does not ...) NOT-FOR-US: State Bank of India State Bank Anywhere app CVE-2017-5900 (Cross-site scripting (XSS) vulnerability in the NetComm NB16WV-02 rout ...) NOT-FOR-US: NetComm CVE-2017-5896 (Heap-based buffer overflow in the fz_subsample_pixmap function in fitz ...) {DSA-3797-1} - mupdf 1.9a+ds1-3 (bug #854734) [wheezy] - mupdf (vulnerable code not present) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697515 NOTE: Fix http://git.ghostscript.com/?p=mupdf.git;h=2c4e5867ee699b1081527bc6c6ea0e99a35a5c27 NOTE: https://blogs.gentoo.org/ago/2017/02/09/mupdf-use-after-free-in-fz_subsample_pixmap-pixmap-c/ NOTE: http://www.openwall.com/lists/oss-security/2017/02/10/1 CVE-2017-5895 RESERVED CVE-2017-5894 RESERVED CVE-2017-5893 RESERVED CVE-2017-5892 (ASUS RT-AC* and RT-N* devices with firmware before 3.0.0.4.380.7378 al ...) NOT-FOR-US: ASUS CVE-2017-5891 (ASUS RT-AC* and RT-N* devices with firmware before 3.0.0.4.380.7378 ha ...) NOT-FOR-US: ASUS CVE-2017-5898 (Integer overflow in the emulated_apdu_from_guest function in usb/dev-s ...) {DLA-845-1 DLA-842-1} - qemu 1:2.8+dfsg-3 (bug #854729) [jessie] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2017-02/msg01075.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1419699 NOTE: http://git.qemu-project.org/?p=qemu.git;a=commit;h=c7dfbf322595ded4e70b626bf83158a9f3807c6a CVE-2017-5897 (The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allo ...) {DSA-3791-1} - linux 4.9.13-1 [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git/commit/?id=7892032cfe67f4bde6fc2ee967e45a8fbaf33756 NOTE: Introduced by: https://github.com/torvalds/linux/commit/c12b395a46646bab69089ce7016ac78177f6001f (3.7-rc1) CVE-2017-5890 RESERVED CVE-2017-5889 RESERVED CVE-2017-5888 RESERVED CVE-2017-5887 (WebSocket.swift in Starscream before 2.0.4 allows an SSL Pinning bypas ...) NOT-FOR-US: Starscream CVE-2017-5885 (Multiple integer overflows in the (1) vnc_connection_server_message an ...) {DLA-831-1} - gtk-vnc 0.6.0-3 (bug #854450) [jessie] - gtk-vnc (Minor issue) NOTE: http://openwall.com/lists/oss-security/2017/02/05/5 CVE-2017-5884 (gtk-vnc before 0.7.0 does not properly check boundaries of subrectangl ...) {DLA-831-1} - gtk-vnc 0.6.0-3 (bug #854450) [jessie] - gtk-vnc (Minor issue) NOTE: Scope of the CVE is all of https://bugzilla.gnome.org/show_bug.cgi?id=778048#c1 NOTE: http://openwall.com/lists/oss-security/2017/02/05/5 CVE-2017-5883 RESERVED CVE-2017-5882 (Cross-site scripting (XSS) vulnerability in index.asp in SANADATA Sana ...) NOT-FOR-US: SanaCMS CVE-2017-5881 (GOM Player 2.3.10.5266 allows remote attackers to cause a denial of se ...) NOT-FOR-US: GOM Player CVE-2017-5880 (Splunk Web in Splunk Enterprise versions 6.5.x before 6.5.2, 6.4.x bef ...) NOT-FOR-US: Splunk CVE-2017-5879 (An issue was discovered in Exponent CMS 2.4.1. This is a blind SQL inj ...) NOT-FOR-US: Exponent CMS CVE-2017-5878 (The AMF unmarshallers in Red5 Media Server before 1.0.8 do not restric ...) NOT-FOR-US: AMF unmarshallers in Red5 Media Server CVE-2016-10207 (The Xvnc server in TigerVNC allows remote attackers to cause a denial ...) - tigervnc 1.7.0-1 NOTE: https://github.com/TigerVNC/tigervnc/commit/8aa4bc53206c2430bbf0c8f4b642f59a379ee649 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1023012 CVE-2016-10200 (Race condition in the L2TPv3 IP Encapsulation feature in the Linux ker ...) {DLA-922-1} - linux 4.8.15-1 [jessie] - linux 3.16.43-1 NOTE: Fixed by: https://git.kernel.org/linus/32c231164b762dddefa13af5a0101032c70b50ef (v4.9-rc7) CVE-2017-5938 (Cross-site scripting (XSS) vulnerability in the nav_path function in l ...) {DSA-3784-1 DLA-820-1} - viewvc 1.1.26-1 (bug #854681) NOTE: http://www.openwall.com/lists/oss-security/2017/02/08/7 NOTE: https://github.com/viewvc/viewvc/commit/9dcfc7daa4c940992920d3b2fbd317da20e44aad CVE-2017-5992 (Openpyxl 2.4.1 resolves external entities by default, which allows rem ...) - openpyxl 2.3.0-3 (bug #854442) [jessie] - openpyxl (vulnerable code not present) [wheezy] - openpyxl (vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2017/02/07/5 NOTE: https://bitbucket.org/openpyxl/openpyxl/issues/749 NOTE: https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1 CVE-2017-6059 (Mod_auth_openidc.c in the Ping Identity OpenID Connect authentication ...) - libapache2-mod-auth-openidc 2.1.5-1 [jessie] - libapache2-mod-auth-openidc (Minor issue) NOTE: https://github.com/pingidentity/mod_auth_openidc/issues/212 CVE-2017-6062 (The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka ...) - libapache2-mod-auth-openidc 2.1.5-1 [jessie] - libapache2-mod-auth-openidc (support for OIDCUnAuthAction added in 1.8.5rc1) NOTE: https://github.com/pingidentity/mod_auth_openidc/issues/222 CVE-2017-XXXX [irssi memory leak] - irssi 1.0.1-1 (bug #855108) [jessie] - irssi (support for sasl not present) [wheezy] - irssi (support for sasl not present) NOTE: Patch: https://github.com/irssi/irssi/commit/19c51789967a2f63da033e60f6ef08848b9cd144 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/02/05/8 CVE-2017-XXXX [irssi missing null terminator] - irssi 1.0.1-1 (unimportant) NOTE: Patch: https://github.com/irssi/irssi/pull/619/commits/677fb1f55ca52d0e43c93f7d8361d333ff5bffd6 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/02/05/8 CVE-2016-10206 (Cross-site request forgery (CSRF) vulnerability in Zoneminder 1.30 and ...) - zoneminder 1.30.4+dfsg-1 (bug #854272) [jessie] - zoneminder (Minor issue) [wheezy] - zoneminder (Minor issue) CVE-2016-10205 (Session fixation vulnerability in Zoneminder 1.30 and earlier allows r ...) - zoneminder 1.30.4+dfsg-1 (bug #854272) [jessie] - zoneminder (Minor issue) [wheezy] - zoneminder (Minor issue) CVE-2016-10204 (SQL injection vulnerability in Zoneminder 1.30 and earlier allows remo ...) - zoneminder 1.30.4+dfsg-1 (bug #854272) [jessie] - zoneminder (Minor issue) [wheezy] - zoneminder (Minor issue) CVE-2016-10203 (Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlie ...) - zoneminder 1.30.4+dfsg-1 (bug #854272) [jessie] - zoneminder (Minor issue) [wheezy] - zoneminder (Minor issue) CVE-2016-10202 (Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlie ...) - zoneminder 1.30.4+dfsg-1 (bug #854272) [jessie] - zoneminder (Minor issue) [wheezy] - zoneminder (Minor issue) CVE-2016-10201 (Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlie ...) - zoneminder 1.30.4+dfsg-1 (bug #854272) [jessie] - zoneminder (Minor issue) [wheezy] - zoneminder (Minor issue) CVE-2016-10208 (The ext4_fill_super function in fs/ext4/super.c in the Linux kernel th ...) {DLA-1200-1} - linux 4.9.10-1 [jessie] - linux 3.16.43-1 NOTE: Fixed by: https://github.com/torvalds/linux/commit/3a4b77cd47bb837b8557595ec7425f281f2ca1fe (4.10-rc1) NOTE: Introduced by: https://github.com/torvalds/linux/commit/952fc18ef9ec707ebdc16c0786ec360295e5ff15 (3.6-rc1) CVE-2017-5886 (Heap-based buffer overflow in the PoDoFo::PdfTokenizer::GetNextToken f ...) {DLA-929-1} - libpodofo 0.9.4-5 (bug #854604) [jessie] - libpodofo (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/03/podofo-heap-based-buffer-overflow-in-podofopdftokenizergetnexttoken-pdftokenizer-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/1623824.EtgW9yDooZ%40blackgate/#msg35644693 NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1837 CVE-2017-5877 (XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack aga ...) NOT-FOR-US: dotCMS CVE-2017-5876 (XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack aga ...) NOT-FOR-US: dotCMS CVE-2017-5875 (XSS was discovered in dotCMS 3.7.0, with an authenticated attack again ...) NOT-FOR-US: dotCMS CVE-2017-5874 (CSRF exists on D-Link DIR-600M Rev. Cx devices before v3.05ENB01_beta_ ...) NOT-FOR-US: D-Link CVE-2017-5873 (Unquoted Windows search path vulnerability in the guest service in Uni ...) NOT-FOR-US: Unisys CVE-2017-5872 (The TCP/IP networking module in Unisys ClearPath MCP systems with TCP- ...) NOT-FOR-US: Unisys ClearPath CVE-2017-5871 (Odoo Version <= 8.0-20160726 and Version 9 is affected by: CWE-601: ...) NOT-FOR-US: Odoo CVE-2017-5870 (Multiple cross-site scripting (XSS) vulnerabilities in ViMbAdmin 3.0.1 ...) NOT-FOR-US: ViMbAdmin CVE-2017-5869 (Directory traversal vulnerability in the file import feature in Nuxeo ...) NOT-FOR-US: Nuxeo CVE-2017-5868 (CRLF injection vulnerability in the web interface in OpenVPN Access Se ...) NOT-FOR-US: OpenVPN Access Server CVE-2017-5867 (ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, ...) - owncloud CVE-2017-5866 (The autocomplete feature in the E-Mail share dialog in ownCloud Server ...) - owncloud CVE-2017-5865 (The password reset functionality in ownCloud Server before 8.1.11, 8.2 ...) - owncloud CVE-2017-5864 (Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Cross ...) NOT-FOR-US: Open-Xchange GmbH OX App Suite CVE-2017-5863 (Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Incor ...) NOT-FOR-US: Open-Xchange GmbH OX App Suite CVE-2017-5862 RESERVED CVE-2017-5861 REJECTED CVE-2017-5860 RESERVED CVE-2017-5859 (On Cambium Networks cnPilot R200/201 devices before 4.3, there is a vu ...) NOT-FOR-US: Cambium Networks cnPilot CVE-2017-5858 (An incorrect implementation of "XEP-0280: Message Carbons" in multiple ...) NOT-FOR-US: converse.js CVE-2017-5836 (The plist_free_data function in plist.c in libplist allows attackers t ...) - libplist 1.12+git+1+e37ca00-0.1 (bug #854000) [jessie] - libplist (Minor issue) [wheezy] - libplist (pointers are not incorrectly freed and non-string key nodes are officially allowed) NOTE: https://github.com/libimobiledevice/libplist/issues/86 NOTE: http://www.openwall.com/lists/oss-security/2017/01/31/6 CVE-2017-5835 (libplist allows attackers to cause a denial of service (large memory a ...) {DLA-2168-1 DLA-840-1} - libplist 1.12+git+1+e37ca00-0.1 (bug #854000) NOTE: https://github.com/libimobiledevice/libplist/issues/88 NOTE: http://www.openwall.com/lists/oss-security/2017/01/31/6 CVE-2017-5834 (The parse_dict_node function in bplist.c in libplist allows attackers ...) {DLA-2168-1 DLA-840-1} - libplist 1.12+git+1+e37ca00-0.1 (bug #854000) NOTE: https://github.com/libimobiledevice/libplist/issues/89 NOTE: http://www.openwall.com/lists/oss-security/2017/01/31/6 CVE-2017-5829 (An access restriction bypass vulnerability in HPE Aruba ClearPass Poli ...) NOT-FOR-US: HPE Aruba ClearPass Policy Manager CVE-2017-5828 (An arbitrary command execution vulnerability in HPE Aruba ClearPass Po ...) NOT-FOR-US: HPE Aruba ClearPass Policy Manager CVE-2017-5827 (A reflected cross site scripting vulnerability in HPE Aruba ClearPass ...) NOT-FOR-US: HPE Aruba ClearPass Policy Manager CVE-2017-5826 (An authenticated remote code execution vulnerability in HPE Aruba Clea ...) NOT-FOR-US: HPE Aruba ClearPass Policy Manager CVE-2017-5825 (A privilege escalation vulnerability in HPE Aruba ClearPass Policy Man ...) NOT-FOR-US: HPE Aruba ClearPass Policy Manager CVE-2017-5824 (An unauthenticated remote code execution vulnerability in HPE Aruba Cl ...) NOT-FOR-US: HPE Aruba ClearPass Policy Manager CVE-2017-5823 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5822 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5821 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5820 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5819 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5818 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5817 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5816 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5815 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5814 (A remote sql injection authentication bypass in HPE Network Automation ...) NOT-FOR-US: HPE CVE-2017-5813 (A remote unauthenticated access vulnerability in HPE Network Automatio ...) NOT-FOR-US: HPE CVE-2017-5812 (A remote sql information disclosure vulnerability in HPE Network Autom ...) NOT-FOR-US: HPE CVE-2017-5811 (A remote code execution vulnerability in HPE Network Automation versio ...) NOT-FOR-US: HPE CVE-2017-5810 (A remote sql injection vulnerability in HPE Network Automation version ...) NOT-FOR-US: HPE CVE-2017-5809 (A Remote Arbitrary Code Execution vulnerability in HPE Data Protector ...) NOT-FOR-US: HPE CVE-2017-5808 (A Remote Arbitrary Code Execution vulnerability in HPE Data Protector ...) NOT-FOR-US: HPE CVE-2017-5807 (A Remote Arbitrary Code Execution vulnerability in HPE Data Protector ...) NOT-FOR-US: HPE CVE-2017-5806 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5805 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5804 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5803 (A Remote Disclosure of Information vulnerability in HPE NonStop Server ...) NOT-FOR-US: HPE NonStop Servers CVE-2017-5802 (A Remote Gain Privileged Access vulnerability in HPE Vertica Analytics ...) NOT-FOR-US: HPE Vertica Analytics Platform CVE-2017-5801 (A Remote Unauthorized Access to Data vulnerability in HPE Business Pro ...) NOT-FOR-US: HPE Business Process Monitor CVE-2017-5800 (A Remote Cross-Site Scripting (XSS) vulnerability in HPE Operations Br ...) NOT-FOR-US: HPE Operations Bridge Analytics CVE-2017-5799 (A Remote Code Execution vulnerability in HPE OpenCall Media Platform ( ...) NOT-FOR-US: HPE OpenCall Media Platform CVE-2017-5798 (A Remote Code Execution vulnerability in HPE OpenCall Media Platform ( ...) NOT-FOR-US: HPE OpenCall Media Platform CVE-2017-5797 (A Remote Unauthenticated Disclosure of Information vulnerability in HP ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5796 (A Remote Cross Site Request Forgery (CSRF) vulnerability in HPE 2620 S ...) NOT-FOR-US: HPE 2620 Series Network Switches CVE-2017-5795 (A Local Arbitrary File Download vulnerability in HPE Intelligent Manag ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5794 (A Remote Arbitrary File Download vulnerability in HPE Intelligent Mana ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5793 (A Remote Arbitrary Code Execution vulnerability in HPE Intelligent Man ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5792 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5791 (The doFilter method in UrlAccessController in HPE Intelligent Manageme ...) NOT-FOR-US: HPE Intelligent Management Center NOTE: it appears that it was incorrectly used for an issue in JanTek JTC-200 CVE-2017-5790 (A remote deserialization of untrusted data vulnerability in HPE Intell ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5789 (HPE LoadRunner before 12.53 Patch 4 and HPE Performance Center before ...) NOT-FOR-US: HPE LoadRunner NOTE: it appears that it was incorrectly used for an issue in JanTek JTC-200 CVE-2017-5788 (A Local Disclosure of Sensitive Information vulnerability in HPE NonSt ...) NOT-FOR-US: HPE NonStop Software Essentials CVE-2017-5787 (A remote denial of service vulnerability in HPE Version Control Reposi ...) NOT-FOR-US: HPE Version Control Manager CVE-2017-5786 (A local Unauthorized Data Modification vulnerability in HPE OfficeConn ...) NOT-FOR-US: HPE OfficeConnect Network Switches CVE-2017-5785 (A remote information disclosure vulnerability in HPE Matrix Operating ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2017-5784 (A missing HSTS Header vulnerability in HPE Matrix Operating Environmen ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2017-5783 (A remote clickjacking vulnerability in HPE Matrix Operating Environmen ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2017-5782 (A missing HSTS Header vulnerability in HPE Matrix Operating Environmen ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2017-5781 (A CSRF vulnerability in HPE Matrix Operating Environment version v7.6 ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2017-5780 (A remote clickjacking vulnerability in HPE Matrix Operating Environmen ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2017-5779 RESERVED CVE-2017-5778 RESERVED CVE-2017-5777 RESERVED CVE-2017-5776 RESERVED CVE-2017-5775 RESERVED CVE-2017-5774 RESERVED CVE-2017-5773 RESERVED CVE-2017-5772 RESERVED CVE-2017-5771 RESERVED CVE-2017-5770 RESERVED CVE-2017-5769 RESERVED CVE-2017-5768 RESERVED CVE-2017-5767 RESERVED CVE-2017-5766 RESERVED CVE-2017-5765 RESERVED CVE-2017-5764 RESERVED CVE-2017-5763 RESERVED CVE-2017-5762 RESERVED CVE-2017-5761 RESERVED CVE-2017-5760 RESERVED CVE-2017-5759 RESERVED CVE-2017-5758 RESERVED CVE-2017-5757 RESERVED CVE-2017-5756 RESERVED CVE-2017-5755 RESERVED CVE-2017-5754 (Systems with microprocessors utilizing speculative execution and indir ...) {DSA-4120-1 DSA-4082-1 DSA-4078-1 DLA-1232-1} - linux 4.14.12-1 - nvidia-graphics-drivers 384.111-1 (bug #886852) [stretch] - nvidia-graphics-drivers 384.111-4~deb9u1 [jessie] - nvidia-graphics-drivers 340.106-1 [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx 340.106-1 [stretch] - nvidia-graphics-drivers-legacy-340xx 340.106-1~deb9u1 - nvidia-graphics-drivers-legacy-304xx [stretch] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) [jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) - linux-grsec - xen 4.11.1~pre+1.733450b39b-1 [stretch] - xen 4.8.3+comet2+shim4.10.0+comet3-1+deb9u4 [jessie] - xen (Too intrusive to backport) NOTE: https://meltdownattack.com/ NOTE: https://xenbits.xen.org/xsa/advisory-254.html NOTE: https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html NOTE: http://blog.cyberus-technology.de/posts/2018-01-03-meltdown.html NOTE: Paper: https://meltdownattack.com/meltdown.pdf NOTE: https://01.org/security/advisories/intel-oss-10003 CVE-2017-5753 (Systems with microprocessors utilizing speculative execution and branc ...) {DSA-4188-1 DSA-4187-1 DLA-1731-1 DLA-1423-1 DLA-1422-1} - linux 4.15.11-1 - nvidia-graphics-drivers 384.111-1 (bug #886852) [stretch] - nvidia-graphics-drivers 384.111-4~deb9u1 [jessie] - nvidia-graphics-drivers 340.106-1 [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx 340.106-1 [stretch] - nvidia-graphics-drivers-legacy-340xx 340.106-1~deb9u1 - nvidia-graphics-drivers-legacy-304xx [stretch] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) [jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) - linux-grsec NOTE: https://spectreattack.com/ NOTE: https://xenbits.xen.org/xsa/advisory-254.html NOTE: https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html NOTE: Paper: https://spectreattack.com/spectre.pdf NOTE: https://01.org/security/advisories/intel-oss-10002 CVE-2017-5752 RESERVED CVE-2017-5751 RESERVED CVE-2017-5750 RESERVED CVE-2017-5749 RESERVED CVE-2017-5748 RESERVED CVE-2017-5747 RESERVED CVE-2017-5746 RESERVED CVE-2017-5745 RESERVED CVE-2017-5744 RESERVED CVE-2017-5743 RESERVED CVE-2017-5742 RESERVED CVE-2017-5741 RESERVED CVE-2017-5740 RESERVED CVE-2017-5739 RESERVED CVE-2017-5738 (Escalation of privilege vulnerability in admin portal for Intel Unite ...) NOT-FOR-US: Intel Unite App CVE-2017-5737 RESERVED CVE-2017-5736 (An elevation of privilege in Intel Software Guard Extensions Platform ...) NOT-FOR-US: Intel CVE-2017-5735 REJECTED CVE-2017-5734 REJECTED CVE-2017-5733 REJECTED CVE-2017-5732 REJECTED CVE-2017-5731 (Bounds checking in Tianocompress before November 7, 2017 may allow an ...) NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=686 NOTE: https://bugzilla.tianocore.org/attachment.cgi?id=150 NOTE: https://edk2-docs.gitbooks.io/security-advisory/content/edk-ii-tianocompress-bounds-checking-issues.html CVE-2017-5730 RESERVED CVE-2017-5729 (Frame replay vulnerability in Wi-Fi subsystem in Intel Dual-Band and T ...) NOT-FOR-US: Intel CVE-2017-5728 RESERVED CVE-2017-5727 (Pointer dereference in subsystem in Intel Graphics Driver 15.40.x.x, 1 ...) NOT-FOR-US: Intel CVE-2017-5726 RESERVED CVE-2017-5725 RESERVED CVE-2017-5724 RESERVED CVE-2017-5723 RESERVED CVE-2017-5722 (Incorrect policy enforcement in system firmware for Intel NUC7i3BNK, N ...) NOT-FOR-US: Intel CVE-2017-5721 (Insufficient input validation in system firmware for Intel NUC7i3BNK, ...) NOT-FOR-US: Intel CVE-2017-5720 RESERVED CVE-2017-5719 (A vulnerability in the Intel Deep Learning Training Tool Beta 1 allows ...) NOT-FOR-US: Intel CVE-2017-5718 RESERVED CVE-2017-5717 (Type Confusion in Content Protection HECI Service in Intel Graphics Dr ...) NOT-FOR-US: Intel graphics driver CVE-2017-5716 REJECTED CVE-2017-5715 (Systems with microprocessors utilizing speculative execution and indir ...) {DSA-4213-1 DSA-4201-1 DSA-4188-1 DSA-4187-1 DLA-2148-1 DLA-1497-1 DLA-1422-1 DLA-1369-1} - linux 4.15.11-1 - intel-microcode 3.20180425.1 [stretch] - intel-microcode 3.20180425.1~deb9u1 [jessie] - intel-microcode 3.20180425.1~deb8u1 - amd64-microcode 3.20180515.1 [stretch] - amd64-microcode (Can be fixed via point release) NOTE: https://spectreattack.com/ NOTE: https://xenbits.xen.org/xsa/advisory-254.html NOTE: https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html NOTE: Paper: https://spectreattack.com/spectre.pdf NOTE: https://www.suse.com/de-de/support/kb/doc/?id=7022512 NOTE: https://www.suse.com/support/update/announcement/2018/suse-su-20180009-1/ NOTE: For the required microcode updates in advance: NOTE: intel-microcode: https://bugs.debian.org/886367 NOTE: intel-microcode: Some microcode updates to partially adress CVE-2017-5715 included in 3.20171215.1 NOTE: Further updates in 3.20180312.1 NOTE: amd64-microcode: https://bugs.debian.org/886382 NOTE: amd64-microcode updates in 3.20180515.1 - qemu 1:2.12~rc3+dfsg-1 (bug #886532) - qemu-kvm NOTE: Qemu patches: https://lists.nongnu.org/archive/html/qemu-devel/2018-01/msg00811.html NOTE: to pass thorugh new MSR and CPUID flags from the host VM to the CPU, to NOTE: allow (future) enabling/disabling ranch prediction features in the Intel NOTE: CPU. - virtualbox 5.2.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) - nvidia-graphics-drivers 384.111-1 (bug #886852) [stretch] - nvidia-graphics-drivers 384.111-4~deb9u1 [jessie] - nvidia-graphics-drivers 340.106-1 [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx 340.106-1 [stretch] - nvidia-graphics-drivers-legacy-340xx 340.106-1~deb9u1 - nvidia-graphics-drivers-legacy-304xx [stretch] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) [jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) - linux-grsec - xen 4.11.1~pre+1.733450b39b-1 [jessie] - xen (Too intrusive to backport) CVE-2017-5714 RESERVED CVE-2017-5713 RESERVED CVE-2017-5712 (Buffer overflow in Active Management Technology (AMT) in Intel Managea ...) NOT-FOR-US: Intel CVE-2017-5711 (Multiple buffer overflows in Active Management Technology (AMT) in Int ...) NOT-FOR-US: Intel CVE-2017-5710 (Multiple privilege escalations in kernel in Intel Trusted Execution En ...) NOT-FOR-US: Intel CVE-2017-5709 (Multiple privilege escalations in kernel in Intel Server Platform Serv ...) NOT-FOR-US: Intel CVE-2017-5708 (Multiple privilege escalations in kernel in Intel Manageability Engine ...) NOT-FOR-US: Intel CVE-2017-5707 (Multiple buffer overflows in kernel in Intel Trusted Execution Engine ...) NOT-FOR-US: Intel CVE-2017-5706 (Multiple buffer overflows in kernel in Intel Server Platform Services ...) NOT-FOR-US: Intel CVE-2017-5705 (Multiple buffer overflows in kernel in Intel Manageability Engine Firm ...) NOT-FOR-US: Intel CVE-2017-5704 (Platform sample code firmware included with 4th Gen Intel Core Process ...) NOT-FOR-US: Intel CVE-2017-5703 (Configuration of SPI Flash in platforms based on multiple Intel platfo ...) NOT-FOR-US: Intel CVE-2017-5702 RESERVED CVE-2017-5701 (Insecure platform configuration in system firmware for Intel NUC7i3BNK ...) NOT-FOR-US: Intel CVE-2017-5700 (Insufficient protection of password storage in system firmware for Int ...) NOT-FOR-US: Intel CVE-2017-5699 (Input validation error in Intel MinnowBoard 3 Firmware versions prior ...) NOT-FOR-US: Intel MinnowBoard 3 Firmware NOTE: https://edk2-docs.gitbooks.io/security-advisory/content/uefi-variable-deletioncorruption.html CVE-2017-5698 (Intel Active Management Technology, Intel Standard Manageability, and ...) NOT-FOR-US: Intel CVE-2017-5697 (Insufficient clickjacking protection in the Web User Interface of Inte ...) NOT-FOR-US: Intel CVE-2017-5696 (Untrusted search path in Intel Graphics Driver 15.40.x.x, 15.45.x.x, a ...) NOT-FOR-US: Intel CVE-2017-5695 (Data corruption vulnerability in firmware in Intel Solid-State Drive C ...) NOT-FOR-US: Intel CVE-2017-5694 (Data corruption vulnerability in firmware in Intel Solid-State Drive P ...) NOT-FOR-US: Intel CVE-2017-5693 (Firmware in the Intel Puma 5, 6, and 7 Series might experience resourc ...) NOT-FOR-US: Intel Puma CVE-2017-5692 (Out-of-bounds read condition in older versions of some Intel Graphics ...) NOT-FOR-US: Intel Graphics Driver for Windows CVE-2017-5691 (Incorrect check in Intel processors from 6th and 7th Generation Intel ...) NOT-FOR-US: Intel CPUs CVE-2017-5690 RESERVED CVE-2017-5689 (An unprivileged network attacker could gain system privileges to provi ...) NOT-FOR-US: Intel AMT CVE-2017-5688 (There is an escalation of privilege vulnerability in the Intel Solid S ...) NOT-FOR-US: Intel Solid State Drive Toolbox CVE-2017-5687 RESERVED CVE-2017-5686 (The BIOS in Intel NUC systems based on 6th Gen Intel Core processors p ...) NOT-FOR-US: BIOS in Intel NUC systems CVE-2017-5685 (The BIOS in Intel NUC systems based on 6th Gen Intel Core processors p ...) NOT-FOR-US: BIOS in Intel NUC systems CVE-2017-5684 (The BIOS in Intel Compute Stick systems based on 6th Gen Intel Core pr ...) NOT-FOR-US: BIOS in Intel NUC systems CVE-2017-5683 (Privilege escalation in IntelHAXM.sys driver in the Intel Hardware Acc ...) NOT-FOR-US: Intel Hardware Accelerated Execution Manager CVE-2017-5682 (Intel PSET Application Install wrapper of Intel Parallel Studio XE, In ...) NOT-FOR-US: Intel PSET CVE-2017-5680 RESERVED CVE-2016-10197 (The search_make_new function in evdns.c in libevent before 2.1.6-beta ...) {DSA-3789-1 DLA-824-1} - libevent 2.0.21-stable-3 (bug #854092) NOTE: https://github.com/libevent/libevent/issues/332 NOTE: http://www.openwall.com/lists/oss-security/2017/01/31/17 CVE-2016-10196 (Stack-based buffer overflow in the evutil_parse_sockaddr_port function ...) {DSA-3789-1 DLA-824-1} - libevent 2.0.21-stable-3 (bug #854092) NOTE: https://github.com/libevent/libevent/issues/318 NOTE: http://www.openwall.com/lists/oss-security/2017/01/31/17 CVE-2016-10195 (The name_parse function in evdns.c in libevent before 2.1.6-beta allow ...) {DSA-3789-1 DLA-824-1} - libevent 2.0.21-stable-3 (bug #854092) NOTE: https://github.com/libevent/libevent/issues/317 NOTE: http://www.openwall.com/lists/oss-security/2017/01/31/17 CVE-2017-5848 (The gst_ps_demux_parse_psm function in gst/mpegdemux/gstmpegdemux.c in ...) {DSA-3818-1 DLA-2164-1 DLA-830-1} - gst-plugins-bad1.0 1.10.4-1 (low) - gst-plugins-bad0.10 (low) NOTE: http://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777957 NOTE: Patch: https://bugzilla.gnome.org/show_bug.cgi?id=777957#c3 CVE-2017-5847 (The gst_asf_demux_process_ext_content_desc function in gst/asfdemux/gs ...) {DSA-3821-1 DLA-2226-1 DLA-829-1} - gst-plugins-ugly1.0 1.10.4-1 (low) - gst-plugins-ugly0.10 (low) NOTE: http://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777955 NOTE: https://github.com/GStreamer/gst-plugins-ugly/commit/d21017b52a585f145e8d62781bcc1c5fefc7ee37 CVE-2017-5846 (The gst_asf_demux_process_ext_stream_props function in gst/asfdemux/gs ...) {DSA-3821-1 DLA-2226-1 DLA-829-1} - gst-plugins-ugly1.0 1.10.3-1 (low) - gst-plugins-ugly0.10 (low) NOTE: http://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777937 CVE-2017-5845 (The gst_avi_demux_parse_ncdt function in gst/avi/gstavidemux.c in gst- ...) {DSA-3820-1} - gst-plugins-good1.0 1.10.3-1 (low) - gst-plugins-good0.10 (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777532 CVE-2017-5844 (The gst_riff_create_audio_caps function in gst-libs/gst/riff/riff-medi ...) {DSA-3819-1 DLA-2126-1 DLA-827-1} - gst-plugins-base1.0 1.10.3-1 (low) - gst-plugins-base0.10 (low) NOTE: http://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777525 CVE-2017-5843 (Multiple use-after-free vulnerabilities in the (1) gst_mini_object_unr ...) {DSA-3818-1 DLA-2164-1 DLA-830-1} - gst-plugins-bad1.0 1.10.3-1 - gst-plugins-bad0.10 (low) NOTE: http://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777503 CVE-2017-5842 (The html_context_handle_element function in gst/subparse/samiparse.c i ...) {DSA-3819-1} - gst-plugins-base1.0 1.10.3-1 - gst-plugins-base0.10 (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777502 CVE-2017-5841 (The gst_avi_demux_parse_ncdt function in gst/avi/gstavidemux.c in gst- ...) {DSA-3820-1} - gst-plugins-good1.0 1.10.3-1 (low) - gst-plugins-good0.10 (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777500 CVE-2017-5840 (The qtdemux_parse_samples function in gst/isomp4/qtdemux.c in gst-plug ...) {DSA-3820-1 DLA-2225-1 DLA-828-1} - gst-plugins-good1.0 1.10.3-1 (low) - gst-plugins-good0.10 (low) NOTE: http://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777469 CVE-2017-5839 (The gst_riff_create_audio_caps function in gst-libs/gst/riff/riff-medi ...) {DSA-3819-1} - gst-plugins-base1.0 1.10.3-1 - gst-plugins-base0.10 (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777265 CVE-2017-5838 (The gst_date_time_new_from_iso8601_string function in gst/gstdatetime. ...) {DSA-3822-1} - gstreamer1.0 1.10.3-1 (low) - gstreamer0.10 (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777263 CVE-2017-5837 (The gst_riff_create_audio_caps function in gst-libs/gst/riff/riff-medi ...) {DSA-3819-1 DLA-2126-1 DLA-827-1} - gst-plugins-base1.0 1.10.3-1 (low) - gst-plugins-base0.10 (low) NOTE: http://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777262 CVE-2016-10199 (The qtdemux_tag_add_str_full function in gst/isomp4/qtdemux.c in gst-p ...) {DSA-3820-1} - gst-plugins-good1.0 1.10.3-1 (low) - gst-plugins-good0.10 (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=775451 CVE-2016-10198 (The gst_aac_parse_sink_setcaps function in gst/audioparsers/gstaacpars ...) {DSA-3820-1 DLA-2225-1 DLA-828-1} - gst-plugins-good1.0 1.10.3-1 (low) - gst-plugins-good0.10 (low) NOTE: http://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=775450 CVE-2016-XXXX [iio-sensor-proxy: insecure dbus policy] - iio-sensor-proxy 2.0-4 (bug #853951) CVE-2016-10192 (Heap-based buffer overflow in ffserver.c in FFmpeg before 2.8.10, 3.0. ...) - ffmpeg 7:3.2.2-1 - libav (Vulnerable code not present in libav, only in ffmpeg) NOTE: Patch: https://github.com/FFmpeg/FFmpeg/commit/a5d25faa3f4b18dac737fdb35d0dd68eb0dc2156 NOTE: http://www.openwall.com/lists/oss-security/2017/01/31/12 CVE-2016-10191 (Heap-based buffer overflow in libavformat/rtmppkt.c in FFmpeg before 2 ...) {DLA-1611-1} - ffmpeg 7:3.2.2-1 - libav NOTE: Patch: https://github.com/FFmpeg/FFmpeg/commit/7d57ca4d9a75562fa32e40766211de150f8b3ee7 NOTE: http://www.openwall.com/lists/oss-security/2017/01/31/12 CVE-2016-10190 (Heap-based buffer overflow in libavformat/http.c in FFmpeg before 2.8. ...) {DLA-1611-1} - ffmpeg 7:3.2.2-1 - libav NOTE: Patch: https://github.com/FFmpeg/FFmpeg/commit/2a05c8f813de6f2278827734bf8102291e7484aa NOTE: http://www.openwall.com/lists/oss-security/2017/01/31/12 CVE-2017-5851 (The free_options function in options_manager.c in mp3splt 2.6.2 allows ...) - mp3splt (unimportant) NOTE: https://github.com/asarubbo/poc/blob/master/00127-mp3splt-nullptr-free_options NOTE: https://blogs.gentoo.org/ago/2017/02/01/mp3splt-null-pointer-dereference-in-free_options-options_manager-c NOTE: No security impact, crash in CLI tool CVE-2017-5679 RESERVED CVE-2017-5678 REJECTED CVE-2017-5677 (PEAR HTML_AJAX 0.3.0 through 0.5.7 has a PHP Object Injection Vulnerab ...) NOT-FOR-US: PEAR HTML_AJAX NOTE: http://karmainsecurity.com/KIS-2017-01 CVE-2017-5676 RESERVED CVE-2017-5857 (Memory leak in the virgl_cmd_resource_unref function in hw/display/vir ...) - qemu 1:2.8+dfsg-3 (bug #853996; unimportant) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2017-01/msg04615.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1418382 NOTE: http://www.openwall.com/lists/oss-security/2017/02/01/21 CVE-2017-5856 (Memory leak in the megasas_handle_dcmd function in hw/scsi/megasas.c i ...) {DLA-1497-1} - qemu 1:2.8+dfsg-3 (bug #853996) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2017/02/01/19 NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=765a707000e838c30b18d712fe6cb3dd8e0435f3 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1418342 CVE-2016-10193 (The espeak-ruby gem before 1.0.3 for Ruby allows remote attackers to e ...) NOT-FOR-US: espeak-ruby Ruby gem CVE-2016-10194 (The festivaltts4r gem for Ruby allows remote attackers to execute arbi ...) NOT-FOR-US: festivaltts4r CVE-2015-8981 (Heap-based buffer overflow in the PdfParser::ReadXRefSubsection functi ...) {DLA-929-1} - libpodofo 0.9.4-1 (bug #854599) [jessie] - libpodofo (Minor issue) NOTE: https://sourceforge.net/p/podofo/mailman/message/34205419/ NOTE: https://sourceforge.net/p/podofo/code/1672 CVE-2017-5855 (The PoDoFo::PdfParser::ReadXRefSubsection function in PdfParser.cpp in ...) - libpodofo 0.9.4-6 (bug #854603) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-podofopdfparserreadxrefsubsection-pdfparser-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1843 CVE-2017-5854 (base/PdfOutputStream.cpp in PoDoFo 0.9.4 allows remote attackers to ca ...) - libpodofo 0.9.5-9 (bug #854602) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfoutputstream-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1870 NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1876 NOTE: duplicate CVE: CVE-2018-5308 CVE-2017-5853 (Integer overflow in base/PdfParser.cpp in PoDoFo 0.9.4 allows remote a ...) {DLA-929-1} - libpodofo 0.9.4-5 (bug #854601) [jessie] - libpodofo (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-signed-integer-overflow-in-pdfparser-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 NOTE: Proposed fix: https://sourceforge.net/p/podofo/mailman/message/35692197/ NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1840/ CVE-2017-5852 (The PoDoFo::PdfPage::GetInheritedKeyFromObject function in base/PdfVar ...) {DLA-929-1} - libpodofo 0.9.5-7 (low; bug #854600) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-infinite-loop-in-podofopdfpagegetinheritedkeyfromobject-pdfpage-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1835 NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1838 NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1841 NOTE: further patch for ABI compatibility: https://sourceforge.net/p/podofo/mailman/message/36084628/ CVE-2017-5849 (tiffttopnm in netpbm 10.47.63 does not properly use the libtiff TIFFRG ...) - netpbm-free (vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2017/02/02/2 NOTE: Debian uses an unaffected fork: NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2654#c8 CVE-2017-5850 (httpd in OpenBSD allows remote attackers to cause a denial of service ...) NOT-FOR-US: OpenBSD httpd CVE-2017-5833 (Cross-site scripting (XSS) vulnerability in the invocation code genera ...) NOT-FOR-US: Revive Adserver CVE-2017-5832 (Cross-site scripting (XSS) vulnerability in Revive Adserver before 4.0 ...) NOT-FOR-US: Revive Adserver CVE-2017-5831 (Session fixation vulnerability in the forgot password mechanism in Rev ...) NOT-FOR-US: Revive Adserver CVE-2017-5830 (Revive Adserver before 4.0.1 allows remote attackers to execute arbitr ...) NOT-FOR-US: Revive Adserver CVE-2017-5675 (A command-injection vulnerability exists in a web application on a cus ...) NOT-FOR-US: GoAhead Web Server CVE-2017-5674 (A vulnerability in a custom-built GoAhead web server used on Foscam, V ...) NOT-FOR-US: GoAhead Web Server CVE-2017-5673 (In the Kunena extension 5.0.2 through 5.0.4 for Joomla!, the forum mes ...) NOT-FOR-US: Joomla extension CVE-2017-5672 (Kony Enterprise Mobile Management (EMM) before 4.2.5.2 has the vulnera ...) NOT-FOR-US: Kony Enterprise Mobile Management CVE-2017-5671 (Honeywell Intermec PM23, PM42, PM43, PC23, PC43, PD43, and PC42 indust ...) NOT-FOR-US: Honeywell CVE-2017-5670 (Riverbed RiOS through 9.6.0 deletes the secure vault with the rm progr ...) NOT-FOR-US: Riverbed RiOS CVE-2017-5669 (The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 ...) {DSA-3804-1 DLA-849-1} - linux 4.9.13-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=192931 CVE-2017-5666 (The free_options function in options_manager.c in mp3splt 2.6.2 allows ...) - mp3splt (unimportant; bug #854278) NOTE: https://blogs.gentoo.org/ago/2017/01/29/mp3splt-invalid-free-in-free_options-options_manager-c NOTE: https://sourceforge.net/p/mp3splt/bugs/209/ NOTE: Negligable security impact CVE-2017-5665 (The splt_cue_export_to_file function in cue.c in libmp3splt 0.9.2 allo ...) - mp3splt (unimportant) NOTE: https://blogs.gentoo.org/ago/2017/01/29/mp3splt-null-pointer-dereference-in-splt_cue_export_to_file-cue-c NOTE: https://sourceforge.net/p/mp3splt/bugs/209/ NOTE: No security impact, crash in CLI tool CVE-2017-5664 (The error page mechanism of the Java Servlet Specification requires th ...) {DSA-3892-1 DSA-3891-1 DLA-996-1} - tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.5.14-2 (bug #864447) - tomcat7 7.0.72-3 NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API - tomcat6 6.0.41-3 NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie [wheezy] - tomcat6 (Not supported in Wheezy) NOTE: https://lists.apache.org/thread.html/a42c48e37398d76334e17089e43ccab945238b8b7896538478d76066@%3Cannounce.tomcat.apache.org%3E NOTE: Fixed by: http://svn.apache.org/r1793469 (8.5.x) NOTE: Fixed by: http://svn.apache.org/r1793488 (8.5.x) NOTE: Fixed by: http://svn.apache.org/r1793489 (8.0.x) NOTE: Fixed by: http://svn.apache.org/r1793470 (8.0.x) NOTE: Fixed by: http://svn.apache.org/r1793471 (7.0.x) NOTE: Fixed by: http://svn.apache.org/r1793491 (7.0.x) CVE-2017-5663 (In Apache Fineract 0.4.0-incubating, 0.5.0-incubating, and 0.6.0-incub ...) NOT-FOR-US: Apache Fineract CVE-2017-5662 (In Apache Batik before 1.9, files lying on the filesystem of the serve ...) {DSA-4215-1 DLA-926-1} - batik 1.9-1 (bug #860566) NOTE: http://www.openwall.com/lists/oss-security/2017/04/18/1 NOTE: Upstream bug: https://issues.apache.org/jira/browse/BATIK-1139 NOTE: Fixed by: http://svn.apache.org/r1743326 NOTE: Similar issue to CVE-2015-0250 CVE-2017-5661 (In Apache FOP before 2.2, files lying on the filesystem of the server ...) {DSA-3864-1 DLA-927-1} - fop 1:2.1-6 (bug #860567) NOTE: http://www.openwall.com/lists/oss-security/2017/04/18/2 NOTE: Upstream bug: https://issues.apache.org/jira/browse/FOP-2668 NOTE: Fixed by: http://svn.apache.org/r1769967 NOTE: Fixed by: http://svn.apache.org/r1769968 (fix for Java 6) CVE-2017-5660 (There is a vulnerability in Apache Traffic Server (ATS) 6.2.0 and prio ...) {DSA-4128-1} - trafficserver 7.1.2+ds-1 [wheezy] - trafficserver (Vulnerable code not present) NOTE: https://github.com/apache/trafficserver/pull/1657 NOTE: https://issues.apache.org/jira/browse/TS-4930 CVE-2017-5659 (Apache Traffic Server before 6.2.1 generates a coredump when there is ...) - trafficserver 7.0.0-1 [wheezy] - trafficserver (PoC doesn't crash the server, fix too hard to backport) NOTE: https://issues.apache.org/jira/browse/TS-4507 NOTE: reproducer in https://issues.apache.org/jira/browse/TS-4819 (dupe of above) NOTE: https://github.com/apache/trafficserver/pull/787/commits/85c021123fd94c4d97a6015484eb1d8054bec9eb NOTE: evaluate related backport to 6.2: https://github.com/apache/trafficserver/pull/1153 CVE-2017-5658 (The statistics generator in Apache Pony Mail 0.7 to 0.9 was found to b ...) NOT-FOR-US: Apache Pony Mail CVE-2017-5657 (Several REST service endpoints of Apache Archiva are not protected aga ...) NOT-FOR-US: Apache Archiva CVE-2017-5656 (Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of c ...) NOT-FOR-US: Apache CXF CVE-2017-5655 (In Ambari 2.2.2 through 2.4.2 and Ambari 2.5.0, sensitive data may be ...) NOT-FOR-US: Apache Ambari CVE-2017-5654 (In Ambari 2.4.x (before 2.4.3) and Ambari 2.5.0, an authorized user of ...) NOT-FOR-US: Apache Ambari CVE-2017-5653 (JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and ...) NOT-FOR-US: Apache CXF CVE-2017-5652 (During a routine security analysis, it was found that one of the ports ...) NOT-FOR-US: Impala CVE-2017-5651 (In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refact ...) - tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.5.11-2 (bug #860071) [jessie] - tomcat8 (Only affects 8.5 and later) NOTE: http://www.openwall.com/lists/oss-security/2017/04/10/21 NOTE: Fixed by: http://svn.apache.org/r1788546 (8.5.x) CVE-2017-5650 (In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handli ...) - tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.5.11-2 (bug #860070) [jessie] - tomcat8 (Only affects 8.5 and later) NOTE: http://www.openwall.com/lists/oss-security/2017/04/10/22 NOTE: Fixed by: http://svn.apache.org/r1788480 (8.5.x) CVE-2017-5649 (Apache Geode before 1.1.1, when a cluster has enabled security by sett ...) NOT-FOR-US: Apache Geode CVE-2017-5648 (While investigating bug 60718, it was noticed that some calls to appli ...) {DSA-3843-1 DSA-3842-1 DLA-924-1} - tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.5.11-2 (bug #860069) - tomcat7 7.0.72-3 NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API - tomcat6 (Only affects 7.0 an later) NOTE: http://www.openwall.com/lists/oss-security/2017/04/10/23 NOTE: Fixed by: http://svn.apache.org/r1785775 (8.5.x) NOTE: Fixed by: http://svn.apache.org/r1785776 (8.0.x) NOTE: Fixed by: http://svn.apache.org/r1785777 (7.0.x) CVE-2017-5647 (A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0 ...) {DSA-3843-1 DSA-3842-1 DLA-924-1} - tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.5.11-2 (bug #860068) - tomcat7 7.0.72-3 NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API - tomcat6 6.0.41-3 NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie NOTE: http://www.openwall.com/lists/oss-security/2017/04/10/24 NOTE: Fixed by: http://svn.apache.org/r1788932 (8.5.x) NOTE: Fixed by: http://svn.apache.org/r1788999 (8.0.x) NOTE: Fixed by: http://svn.apache.org/r1789008 (7.0.x) NOTE: Fixed by: http://svn.apache.org/r1789024 (6.0.x) NOTE: Fixed by: http://svn.apache.org/r1789155 (6.0.x) NOTE: Fixed by: http://svn.apache.org/r1789856 (6.0.x) CVE-2017-5646 (For versions of Apache Knox from 0.2.0 to 0.11.0 - an authenticated us ...) NOT-FOR-US: Apache Knox CVE-2017-5645 (In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or ...) - apache-log4j2 2.7-2 (bug #860489) [jessie] - apache-log4j2 (Minor issue, no consumers of liblog4j2-java in Jessie) NOTE: https://issues.apache.org/jira/browse/LOG4J2-1863 NOTE: Fixed by: https://git-wip-us.apache.org/repos/asf?p=logging-log4j2.git;h=5dcc19215827db29c993d0305ee2b0d8dd05939d CVE-2017-5644 (Apache POI in versions prior to release 3.15 allows remote attackers t ...) - libapache-poi-java 3.17-1 (bug #858301) [stretch] - libapache-poi-java (Minor issue) [jessie] - libapache-poi-java (Minor issue) [wheezy] - libapache-poi-java (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/03/20/9 CVE-2017-5643 (Apache Camel's Validation Component is vulnerable against SSRF via rem ...) NOT-FOR-US: Apache Camel CVE-2017-5642 (During installation of Ambari 2.4.0 through 2.4.2, Ambari Server artif ...) NOT-FOR-US: Apache Ambari CVE-2017-5641 (Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not r ...) NOT-FOR-US: Apache Flex BlazeDS CVE-2017-5640 (It was noticed that a malicious process impersonating an Impala daemon ...) NOT-FOR-US: Impala CVE-2017-5639 REJECTED CVE-2017-5638 (The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 an ...) - libstruts1.2-java (Only affects Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10) NOTE: https://cwiki.apache.org/confluence/display/WW/S2-045 CVE-2017-5637 (Two four letter word commands "wchp/wchc" are CPU intensive and could ...) {DSA-3871-1 DLA-986-1} - zookeeper 3.4.9-3 (bug #863811) NOTE: https://issues.apache.org/jira/browse/ZOOKEEPER-2693 CVE-2017-5636 (In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environm ...) NOT-FOR-US: Apache NiFi CVE-2017-5635 (In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environm ...) NOT-FOR-US: Apache NiFi CVE-2017-5634 (The Norwegian Air Shuttle (aka norwegian.com) airline kiosk allows phy ...) NOT-FOR-US: Norwegian CVE-2017-5633 (Multiple cross-site request forgery (CSRF) vulnerabilities on the D-Li ...) NOT-FOR-US: D-Link CVE-2017-5632 (An issue was discovered on the ASUS RT-N56U Wireless Router with Firmw ...) NOT-FOR-US: Asus router CVE-2017-5631 (An issue was discovered in KMCIS CaseAware. Reflected cross site scrip ...) NOT-FOR-US: KMCIS CaseAware CVE-2017-5630 (PECL in the download utility class in the Installer in PEAR Base Syste ...) - php5 (unimportant) - php-pear (unimportant) NOTE: https://pear.php.net/bugs/bug.php?id=21171 NOTE: pear performs no kind of authentication/integrity checks for downloads, so an attacker can MITM freely anyway CVE-2017-5629 RESERVED CVE-2017-5626 (OxygenOS before version 4.0.2, on OnePlus 3 and 3T, has two hidden fas ...) NOT-FOR-US: OxygenOS CVE-2017-5625 (In OxygenOS before 4.0.3 on OnePlus 3 and 3T devices, an unauthorized ...) NOT-FOR-US: OxygenOS CVE-2017-5624 (An issue was discovered in OxygenOS before 4.0.3 for OnePlus 3 and 3T. ...) NOT-FOR-US: OxygenOS CVE-2017-5623 (An issue was discovered in OxygenOS before 4.1.0 on OnePlus 3 and 3T d ...) NOT-FOR-US: OxygenOS CVE-2017-5622 (With OxygenOS before 4.0.3, when a charger is connected to a powered-o ...) NOT-FOR-US: OxygenOS CVE-2017-5621 (An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, an ...) - zammad (bug #841355) CVE-2017-5620 (An XSS issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3 ...) - zammad (bug #841355) CVE-2017-5619 (An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, an ...) - zammad (bug #841355) CVE-2017-5609 (SQL injection vulnerability in include/functions_entries.inc.php in Se ...) - serendipity CVE-2017-5607 (Splunk Enterprise 5.0.x before 5.0.18, 6.0.x before 6.0.14, 6.1.x befo ...) NOT-FOR-US: Splunk CVE-2017-5606 (An incorrect implementation of "XEP-0280: Message Carbons" in multiple ...) NOT-FOR-US: Xabber CVE-2017-5605 (An incorrect implementation of "XEP-0280: Message Carbons" in multiple ...) NOT-FOR-US: Movim CVE-2017-5604 (An incorrect implementation of "XEP-0280: Message Carbons" in multiple ...) - mcabber 1.0.4-1.1 (bug #854738) [jessie] - mcabber (XEP-0280: Message Carbons not implemented) [wheezy] - mcabber (XEP-0280: Message Carbons not implemented) CVE-2017-5603 (An incorrect implementation of "XEP-0280: Message Carbons" in multiple ...) - jitsi (bug #854737) CVE-2017-5602 (An incorrect implementation of "XEP-0280: Message Carbons" in multiple ...) - jappix (bug #619347) CVE-2017-5601 (An error in the lha_read_file_header_1() function (archive_read_suppor ...) {DLA-1600-1 DLA-810-1} - libarchive 3.2.1-6 (bug #853278) NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/98dcbbf0bf4854bf987557e55e55fff7abbf3ea9 NOTE: https://secunia.com/secunia_research/2017-3/ CVE-2016-10186 (An issue was discovered on the D-Link DWR-932B router. /var/miniupnpd. ...) NOT-FOR-US: D-Link CVE-2016-10185 (An issue was discovered on the D-Link DWR-932B router. A secure_mode=n ...) NOT-FOR-US: D-Link CVE-2016-10184 (An issue was discovered on the D-Link DWR-932B router. qmiweb allows f ...) NOT-FOR-US: D-Link CVE-2016-10183 (An issue was discovered on the D-Link DWR-932B router. qmiweb allows d ...) NOT-FOR-US: D-Link CVE-2016-10182 (An issue was discovered on the D-Link DWR-932B router. qmiweb allows c ...) NOT-FOR-US: D-Link CVE-2016-10181 (An issue was discovered on the D-Link DWR-932B router. qmiweb provides ...) NOT-FOR-US: D-Link CVE-2016-10180 (An issue was discovered on the D-Link DWR-932B router. WPS PIN generat ...) NOT-FOR-US: D-Link CVE-2016-10179 (An issue was discovered on the D-Link DWR-932B router. There is a hard ...) NOT-FOR-US: D-Link CVE-2016-10178 (An issue was discovered on the D-Link DWR-932B router. HELODBG on port ...) NOT-FOR-US: D-Link CVE-2016-10177 (An issue was discovered on the D-Link DWR-932B router. Undocumented TE ...) NOT-FOR-US: D-Link CVE-2016-10176 (The NETGEAR WNR2000v5 router allows an administrator to perform sensit ...) NOT-FOR-US: Netgear CVE-2016-10175 (The NETGEAR WNR2000v5 router leaks its serial number when performing a ...) NOT-FOR-US: Netgear CVE-2016-10174 (The NETGEAR WNR2000v5 router contains a buffer overflow in the hidden_ ...) NOT-FOR-US: Netgear CVE-2004-2778 (Ebuild in Gentoo may change directory and file permissions depending o ...) NOT-FOR-US: Gentoo ebuilds dir permissions at install time CVE-2017-5667 (The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU ...) {DLA-1497-1} - qemu 1:2.8+dfsg-3 (bug #853996) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code not present) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-01/msg06191.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1417559 NOTE: http://www.openwall.com/lists/oss-security/2017/01/30/2 CVE-2017-5668 (bitlbee-libpurple before 3.5.1 allows remote attackers to cause a deni ...) - bitlbee 3.5.1-1 (bug #853282) [jessie] - bitlbee (Incomplete fix for CVE-2016-10189 not applied) [wheezy] - bitlbee (Incomplete fix for CVE-2016-10189 not applied) NOTE: https://bugs.bitlbee.org/ticket/1282 NOTE: Fixed by: https://github.com/bitlbee/bitlbee/commit/30d598ce7cd3f136ee9d7097f39fa9818a272441 (3.5.1) NOTE: http://www.openwall.com/lists/oss-security/2017/01/30/4 NOTE: This CVE exists because of an incomplete fix for CVE-2016-10189 CVE-2016-10189 (BitlBee before 3.5 allows remote attackers to cause a denial of servic ...) {DSA-3853-1 DLA-832-1} - bitlbee 3.5-1 NOTE: https://bugs.bitlbee.org/ticket/1282 NOTE: Fixed by: https://github.com/bitlbee/bitlbee/commit/701ab8129ba9ea64f569daedca9a8603abad740f (3.5) NOTE: http://www.openwall.com/lists/oss-security/2017/01/30/4 NOTE: When fixing this CVE make sure to apply as well NOTE: https://github.com/bitlbee/bitlbee/commit/30d598ce7cd3f136ee9d7097f39fa9818a272441 NOTE: to not open CVE-2017-5668 CVE-2016-10188 (Use-after-free vulnerability in bitlbee-libpurple before 3.5 allows re ...) {DSA-3853-1 DLA-832-1} - bitlbee 3.5-1 NOTE: https://bugs.bitlbee.org/ticket/1281 NOTE: Fixed by: https://github.com/bitlbee/bitlbee/commit/ea902752503fc5b356d6513911081ec932d804f2 (3.5) NOTE: http://www.openwall.com/lists/oss-security/2017/01/30/4 CVE-2017-5940 (Firejail before 0.9.44.6 and 0.9.38.x LTS before 0.9.38.10 LTS does no ...) - firejail 0.9.44.6-1 NOTE: Changelog mentions the new fix for CVE-2017-5180 in RELNOTES for 0.9.44.6 NOTE: an needs series of commits after 0.9.44.4 NOTE: https://github.com/netblue30/firejail/blob/0.9.44.6/RELNOTES NOTE: https://github.com/netblue30/firejail/commit/38d418505e9ee2d326557e5639e8da49c298858f (0.9.44.6) NOTE: https://github.com/netblue30/firejail/commit/b8a4ff9775318ca5e679183884a6a63f3da8f863 (0.9.44.6) NOTE: http://www.openwall.com/lists/oss-security/2017/01/29/4 CVE-2016-10187 (The E-book viewer in calibre before 2.75 allows remote attackers to re ...) {DLA-859-1} - calibre 2.75.1+dfsg-1 (low; bug #853004) [jessie] - calibre (Minor issue) NOTE: Upstream report: https://launchpad.net/bugs/1651728 NOTE: Upstream fix: https://github.com/kovidgoyal/calibre/commit/3a89718664cb8cce0449d1758eee585ed0d0433c NOTE: http://www.openwall.com/lists/oss-security/2017/01/29/8 CVE-2017-5899 (Directory traversal vulnerability in the setuid root helper binary in ...) - s-nail 14.8.16-1 (bug #852934) NOTE: https://www.mail-archive.com/s-nail-users@lists.sourceforge.net/msg00551.html NOTE: https://git.sdaoden.eu/cgit/s-nail.git/commit/?id=f797c27efecad45af191c518b7f87fda32ada160 NOTE: https://git.sdaoden.eu/cgit/s-nail.git/commit/?id=f2699449b66dd702a98925bd1b11153a6f7294bf NOTE: http://www.openwall.com/lists/oss-security/2017/01/27/7 CVE-2017-5628 (An issue was discovered in Artifex Software, Inc. MuJS before 8f62ea10 ...) NOT-FOR-US: MuJS CVE-2017-5627 (An issue was discovered in Artifex Software, Inc. MuJS before 4006739a ...) NOT-FOR-US: MuJS CVE-2017-5617 (The SVG Salamander (aka svgSalamander) library, when used in a web app ...) {DSA-3781-1 DLA-816-1} - svgsalamander 1.1.1+dfsg-2 (bug #853134) NOTE: https://github.com/blackears/svgSalamander/issues/11 NOTE: http://www.openwall.com/lists/oss-security/2017/01/27/3 CVE-2017-5608 (Cross-site scripting (XSS) vulnerability in the image upload function ...) - piwigo CVE-2017-5600 (The Data Warehouse component in NetApp OnCommand Insight before 7.2.3 ...) NOT-FOR-US: NetApp OnCommand Insight CVE-2017-5599 (An issue was discovered in eClinicalWorks Patient Portal 7.0 build 13. ...) NOT-FOR-US: eClinicalWorks CVE-2017-5598 (An issue was discovered in eClinicalWorks healow@work 8.0 build 8. Thi ...) NOT-FOR-US: eClinicalWorks CVE-2017-5612 (Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp ...) {DSA-3779-1 DLA-813-1} - wordpress 4.7.2+dfsg-1 (bug #852767) NOTE: https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849 NOTE: http://www.openwall.com/lists/oss-security/2017/01/27/2 CVE-2017-5611 (SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Qu ...) {DSA-3779-1 DLA-813-1} - wordpress 4.7.2+dfsg-1 (bug #852767) NOTE: https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb NOTE: http://www.openwall.com/lists/oss-security/2017/01/27/2 CVE-2017-5610 (wp-admin/includes/class-wp-press-this.php in Press This in WordPress b ...) {DSA-3779-1 DLA-813-1} - wordpress 4.7.2+dfsg-1 (bug #852767) NOTE: https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454 NOTE: http://www.openwall.com/lists/oss-security/2017/01/27/2 CVE-2017-5595 (A file disclosure and inclusion vulnerability exists in web/views/file ...) {DLA-1145-1} - zoneminder 1.30.4+dfsg-1 (bug #854733) NOTE: Check https://github.com/ZoneMinder/ZoneMinder/commit/8b19fca9927cdec07cc9dd09bdcf2496a5ae69b3 CVE-2017-5594 (An issue was discovered in Pagekit CMS before 1.0.11. In this vulnerab ...) NOT-FOR-US: Pagekit CMS CVE-2017-5593 (An incorrect implementation of "XEP-0280: Message Carbons" in multiple ...) - psi-plus (vulnerable code not present, XEP-0280 not implemented) CVE-2017-5592 (An incorrect implementation of "XEP-0280: Message Carbons" in multiple ...) - profanity 0.5.1-1 (bug #854735) [jessie] - profanity (Vulnerable code not present) CVE-2017-5591 (An incorrect implementation of "XEP-0280: Message Carbons" in multiple ...) - sleekxmpp 1.3.1-6 (bug #854739) [jessie] - sleekxmpp (vulnerable code not present, XEP-0280 not implemented) [wheezy] - sleekxmpp (vulnerable code not present, XEP-0280 not implemented) - slixmpp 1.2.2-1.1 (bug #854740) CVE-2017-5590 (An incorrect implementation of "XEP-0280: Message Carbons" in multiple ...) NOT-FOR-US: ChatSecure / Zom CVE-2017-5589 (An incorrect implementation of "XEP-0280: Message Carbons" in multiple ...) NOT-FOR-US: yaxim / Bruno CVE-2016-10173 (Directory traversal vulnerability in the minitar before 0.6 and archiv ...) {DSA-3778-1 DLA-808-1} - ruby-minitar 0.5.4-3.1 (bug #853075) - ruby-archive-tar-minitar (bug #853249) NOTE: https://github.com/halostatue/minitar/issues/16 NOTE: https://github.com/halostatue/minitar/commit/e25205ecbb6277ae8a3df1e6a306d7ed4458b6e4 NOTE: https://bugzilla.opensuse.org/show_bug.cgi?id=1021740 CVE-2016-10172 (The read_new_config_info function in open_utils.c in Wavpack before 5. ...) - wavpack 5.0.0-2 (bug #853076) [jessie] - wavpack (Vulnerable code not present) [wheezy] - wavpack (Vulnerable code not present) NOTE: https://sourceforge.net/p/wavpack/mailman/message/35561951/ NOTE: Fixed by: https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc (5.1.0) CVE-2016-10171 (The unreorder_channels function in cli/wvunpack.c in Wavpack before 5. ...) - wavpack 5.0.0-2 (bug #853076) [jessie] - wavpack (Vulnerable code not present) [wheezy] - wavpack (Vulnerable code not present) NOTE: https://sourceforge.net/p/wavpack/mailman/message/35561939/ NOTE: Fixed by: https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc (5.1.0) CVE-2016-10170 (The WriteCaffHeader function in cli/caff.c in Wavpack before 5.1.0 all ...) - wavpack 5.0.0-2 (bug #853076) [jessie] - wavpack (Vulnerable code not present) [wheezy] - wavpack (Vulnerable code not present) NOTE: https://sourceforge.net/p/wavpack/mailman/message/35561921/ NOTE: Fixed by: https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc (5.1.0) CVE-2016-10169 (The read_code function in read_words.c in Wavpack before 5.1.0 allows ...) - wavpack 5.0.0-2 (bug #853076) [jessie] - wavpack (Minor issue) [wheezy] - wavpack (Minor issue) NOTE: https://sourceforge.net/p/wavpack/mailman/message/35557889/ NOTE: Fixed by: https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc (5.1.0) CVE-2016-10166 (Integer underflow in the _gdContributionsAlloc function in gd_interpol ...) {DSA-3777-1} - libgd2 2.2.4-1 [wheezy] - libgd2 (Vulnerable code not present) NOTE: https://github.com/libgd/libgd/commit/60bfb401ad5a4a8ae995dcd36372fe15c71e1a35 NOTE: http://www.openwall.com/lists/oss-security/2017/01/26/1 CVE-2016-10167 (The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Li ...) {DSA-3777-1 DLA-804-1} - php7.1 7.1.1-1 (unimportant) - php7.0 7.0.15-1 (unimportant) - php5 (unimportant) [jessie] - php5 5.6.30+dfsg-0+deb8u1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73868 NOTE: Fixed in PHP 7.1.1, 7.0.15, 5.6.30 - libgd2 2.2.4-1 NOTE: https://github.com/libgd/libgd/commit/fe9ed49dafa993e3af96b6a5a589efeea9bfb36f NOTE: http://www.openwall.com/lists/oss-security/2017/01/26/1 CVE-2016-10168 (Integer overflow in gd_io.c in the GD Graphics Library (aka libgd) bef ...) {DSA-3777-1 DLA-804-1} - php7.1 7.1.1-1 (unimportant) - php7.0 7.0.15-1 (unimportant) - php5 (unimportant) [jessie] - php5 5.6.30+dfsg-0+deb8u1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73869 NOTE: Fixed in PHP 7.1.1, 7.0.15, 5.6.30 - libgd2 2.2.4-1 NOTE: https://github.com/libgd/libgd/commit/69d2fd2c597ffc0c217de1238b9bf4d4bceba8e6 NOTE: http://www.openwall.com/lists/oss-security/2017/01/26/1 CVE-2017-5588 RESERVED CVE-2017-5587 RESERVED CVE-2017-5586 (OpenText Documentum D2 (formerly EMC Documentum D2) 4.x allows remote ...) NOT-FOR-US: OpenText Documentum D2 CVE-2017-5585 (OpenText Documentum Content Server (formerly EMC Documentum Content Se ...) NOT-FOR-US: OpenText Documentum Content Server CVE-2017-5584 (Cross-site scripting (XSS) vulnerability in the Management Web Interfa ...) NOT-FOR-US: Palo Alto Networks CVE-2017-5583 (The Management Web Interface in Palo Alto Networks PAN-OS before 6.1.1 ...) NOT-FOR-US: Palo Alto Networks CVE-2017-5582 RESERVED CVE-2017-6852 (Heap-based buffer overflow in the jpc_dec_decodepkt function in jpc_t2 ...) - jasper [jessie] - jasper (Minor issue) [wheezy] - jasper (Minor issue) NOTE: Upstream bug: https://github.com/mdadams/jasper/issues/114 NOTE: http://www.openwall.com/lists/oss-security/2017/01/25/10 NOTE: The POC only triggers an assertion failure but an overflow cannot be observed. CVE-2017-6850 (The jp2_cdef_destroy function in jp2_cod.c in JasPer before 2.0.13 all ...) - jasper (unimportant) NOTE: Upstream bug: https://github.com/mdadams/jasper/issues/112 NOTE: http://www.openwall.com/lists/oss-security/2017/01/25/8 NOTE: Not suitable for code injection, hardly denial of service CVE-2017-6851 (The jas_matrix_bindsub function in jas_seq.c in JasPer 2.0.10 allows r ...) - jasper (unimportant) NOTE: Upstream bug: https://github.com/mdadams/jasper/issues/113 NOTE: http://www.openwall.com/lists/oss-security/2017/01/25/9 NOTE: Not suitable for code injection, hardly denial of service CVE-2017-5618 (GNU screen before 4.5.1 allows local users to modify arbitrary files a ...) - screen 4.5.0-3 (bug #852484) [stretch] - screen (Vulnerable code not present/never migrated to stretch) [jessie] - screen (Vulnerable code not present) [wheezy] - screen (Vulnerable code not present) NOTE: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html NOTE: https://savannah.gnu.org/bugs/?50142 NOTE: Introduced in (screen-v4): http://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v4&id=5460f5d28c01a9a58e021eb1dffef2965e629d58 NOTE: Introduced in (master): http://git.savannah.gnu.org/cgit/screen.git/commit/?id=c575c40c9bd7653470639da32e06faed0a9b2ec4 NOTE: http://www.openwall.com/lists/oss-security/2017/01/24/10 CVE-2017-5597 (In Wireshark 2.2.0 to 2.2.3 and 2.0.0 to 2.0.9, the DHCPv6 dissector c ...) {DSA-3811-1 DLA-858-1} - wireshark 2.2.4+gcc3dc1b-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-02.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13345 CVE-2017-5596 (In Wireshark 2.2.0 to 2.2.3 and 2.0.0 to 2.0.9, the ASTERIX dissector ...) {DSA-3811-1 DLA-858-1} - wireshark 2.2.4+gcc3dc1b-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-01.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13344 CVE-2016-10165 (The Type_MLU_Read function in cmstypes.c in Little CMS (aka lcms2) all ...) {DSA-3774-1 DLA-803-1} - lcms2 2.8-4 (bug #852627) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1367357 NOTE: https://github.com/mm2/Little-CMS/commit/5ca71a7bc18b6897ab21d815d15e218e204581e2 CVE-2016-10164 (Multiple integer overflows in libXpm before 3.5.12, when a program req ...) {DSA-3772-1 DLA-801-1} - libxpm 1:3.5.12-1 NOTE: Fixed by: https://cgit.freedesktop.org/xorg/lib/libXpm/commit/?id=d1167418f0fd02a27f617ec5afd6db053afbe185 NOTE: http://www.openwall.com/lists/oss-security/2017/01/22/2 CVE-2016-10163 (Memory leak in the vrend_renderer_context_create_internal function in ...) - virglrenderer 0.6.0-1 (bug #852603) NOTE: https://cgit.freedesktop.org/virglrenderer/commit/?id=747a293ff6055203e529f083896b823e22523fe7 (0.6.0) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1415944 CVE-2017-5581 (Buffer overflow in the ModifiablePixelBuffer::fillRect function in Tig ...) - tigervnc 1.7.0+dfsg-3 (bug #852213) NOTE: https://github.com/TigerVNC/tigervnc/pull/399 NOTE: https://github.com/TigerVNC/tigervnc/commit/18c020124ff1b2441f714da2017f63dba50720ba CVE-2017-5580 (The parse_instruction function in gallium/auxiliary/tgsi/tgsi_text.c i ...) - virglrenderer 0.6.0-1 (bug #852604) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1415986 NOTE: https://cgit.freedesktop.org/virglrenderer/commit/?id=28894a30a17a84529be102b21118e55d6c9f23fa (0.6.0) NOTE: https://lists.freedesktop.org/archives/virglrenderer-devel/2017-January/000105.html CVE-2017-5579 (Memory leak in the serial_exit_core function in hw/char/serial.c in QE ...) {DLA-1497-1} - qemu 1:2.8+dfsg-3 (bug #853002) [wheezy] - qemu (Minor issue) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=8409dc884a201bf74b30a9d232b6bbdd00cb7e2b NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1416157 CVE-2017-5578 (Memory leak in the virtio_gpu_resource_attach_backing function in hw/d ...) - qemu 1:2.10.0-1 (unimportant) [jessie] - qemu (Vulnerable code introduced later) [wheezy] - qemu (Vulnerable code introduced later) - qemu-kvm (Vulnerable code introduced later) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=204f01b30975923c64006f8067f0937b91eea68b (v2.9.0-rc0) NOTE: Introduced after: http://git.qemu.org/?p=qemu.git;a=commit;h=62232bf48456bda4058ceae05851bc58c1032338 (v2.4.0) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1415795 NOTE: Marked as unimportant, since 1:2.8+dfsg-2 upload reverts NOTE: enable virtio gpu (virglrenderer) and opengl support CVE-2017-5577 (The vc4_get_bcl function in drivers/gpu/drm/vc4/vc4_gem.c in the Video ...) - linux 4.9.6-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/6b8ac63847bc2f958dd93c09edc941a0118992d9 NOTE: Introduced by: https://git.kernel.org/linus/d5b1a78a772f1e31a94f8babfa964152ec5e9aa5 (4.5-rc1) CVE-2017-5576 (Integer overflow in the vc4_get_bcl function in drivers/gpu/drm/vc4/vc ...) - linux 4.9.6-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/0f2ff82e11c86c05d051cae32b58226392d33bbf NOTE: Introduced by: https://git.kernel.org/linus/d5b1a78a772f1e31a94f8babfa964152ec5e9aa5 (4.5-rc1) CVE-2017-5575 (SQL injection vulnerability in inc/lib/Options.class.php in GeniXCMS b ...) NOT-FOR-US: GenixCMS CVE-2017-5574 (SQL injection vulnerability in register.php in GeniXCMS before 1.0.0 a ...) NOT-FOR-US: GenixCMS CVE-2017-5573 (An issue was discovered in Linux Foundation xapi in Citrix XenServer t ...) NOT-FOR-US: Citrix CVE-2017-5572 (An issue was discovered in Linux Foundation xapi in Citrix XenServer t ...) NOT-FOR-US: Citrix CVE-2017-5571 (Open redirect vulnerability in the lmadmin component in Flexera FlexNe ...) NOT-FOR-US: Flexera FlexNet Publisher CVE-2017-5570 (An issue was discovered in eClinicalWorks Patient Portal 7.0 build 13. ...) NOT-FOR-US: eClinicalWorks CVE-2017-5569 (An issue was discovered in eClinicalWorks Patient Portal 7.0 build 13. ...) NOT-FOR-US: eClinicalWorks CVE-2017-5568 RESERVED CVE-2017-5567 (Code injection vulnerability in Avast Premier 12.3 (and earlier), Inte ...) NOT-FOR-US: Avast CVE-2017-5566 (Code injection vulnerability in AVG Ultimate 17.1 (and earlier), AVG I ...) NOT-FOR-US: AVG CVE-2017-5565 (Code injection vulnerability in Trend Micro Maximum Security 11.0 (and ...) NOT-FOR-US: Trend Micro CVE-2017-5564 RESERVED CVE-2017-5563 (LibTIFF version 4.0.7 is vulnerable to a heap-based buffer over-read i ...) - tiff (unimportant) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2664 NOTE: bmp2tiff utility removed in 4.0.6-3 and 4.0.3-12.3+deb8u2 CVE-2017-5562 RESERVED CVE-2017-5561 RESERVED CVE-2017-5560 RESERVED CVE-2017-5559 RESERVED CVE-2017-5558 RESERVED CVE-2017-5557 RESERVED CVE-2017-5556 (The ConvertToPDF plugin in Foxit Reader before 8.2 and PhantomPDF befo ...) NOT-FOR-US: Foxit Reader CVE-2017-5555 RESERVED CVE-2017-5554 (An issue was discovered in ABOOT in OnePlus 3 and 3T OxygenOS before 4 ...) NOT-FOR-US: OnePlus 3 / 3T OxygenOS CVE-2017-5553 (Cross-site scripting (XSS) vulnerability in plugins/markdown_plugin/_m ...) - b2evolution CVE-2017-5545 (The main function in plistutil.c in libimobiledevice libplist through ...) {DLA-2168-1 DLA-811-1} - libplist 1.12+git+1+e37ca00-0.1 (low; bug #852385) NOTE: https://github.com/libimobiledevice/libplist/issues/87 NOTE: Fixed by: https://github.com/libimobiledevice/libplist/commit/7391a506352c009fe044dead7baad9e22dd279ee CVE-2017-5544 (An issue was discovered on FiberHome Fengine S5800 switches V210R240. ...) NOT-FOR-US: FiberHome switches CVE-2017-5543 (includes/classes/ia.core.users.php in Subrion CMS 4.0.5 allows remote ...) NOT-FOR-US: Subrion CMS CVE-2017-5542 (Cross-site scripting (XSS) vulnerability in template/usererror.missing ...) NOT-FOR-US: Symphony CMS CVE-2017-5541 (Directory traversal vulnerability in template/usererror.missing_extens ...) NOT-FOR-US: Symphony CMS CVE-2017-5540 RESERVED CVE-2017-5539 (The patch for directory traversal (CVE-2017-5480) in b2evolution versi ...) - b2evolution CVE-2017-5536 (The GridServer Broker, and GridServer Director components of TIBCO Sof ...) NOT-FOR-US: TIBCO GridServer CVE-2017-5535 (The GridServer Broker, GridServer Driver, and GridServer Engine compon ...) NOT-FOR-US: TIBCO GridServer CVE-2017-5534 (The tibbr user profiles components of tibbr Community, and tibbr Enter ...) NOT-FOR-US: tibbr CVE-2017-5533 (A vulnerability in the server content cache of TIBCO JasperReports Ser ...) - jasperreports (bug #884131) [jessie] - jasperreports (no detailed information available, only needed as build-dependency for Spring) [wheezy] - jasperreports (cannot be supported due to lack of information) NOTE: http://www.tibco.com/support/advisories/2017/11/tibco-security-advisory-november-15-2017-tibco-jasperreports-server-2017 CVE-2017-5532 (A vulnerability in the report renderer component of TIBCO JasperReport ...) - jasperreports (bug #884131) [jessie] - jasperreports (no detailed information available, only needed as build-dependency for Spring) [wheezy] - jasperreports (cannot be supported due to lack of information) NOTE: https://www.tibco.com/support/advisories/2017/11/tibco-security-advisory-november-15-2017-tibco-jasperreports-2017-5532 CVE-2017-5531 (Deployments of TIBCO Managed File Transfer Command Center versions 8.0 ...) NOT-FOR-US: TIBCO CVE-2017-5530 (The tibbr web server components of tibbr Community, and tibbr Enterpri ...) NOT-FOR-US: tibbr CVE-2017-5529 (JasperReports library components contain an information disclosure vul ...) - jasperreports (bug #880467) [jessie] - jasperreports (no detailed information available, only needed as build-dependency for Spring) [wheezy] - jasperreports (cannot be supported due to lack of information) NOTE: https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017-0 CVE-2017-5528 (Multiple JasperReports Server components contain vulnerabilities which ...) - jasperreports (bug #880467) [jessie] - jasperreports (no detailed information available, only needed as build-dependency for Spring) [wheezy] - jasperreports (cannot be supported due to lack of information) NOTE: https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017 CVE-2017-5527 (TIBCO Spotfire Server 7.0.X before 7.0.2, 7.5.x before 7.5.1, 7.6.x be ...) NOT-FOR-US: TIBCO Spotfire Server CVE-2016-10162 (The php_wddx_pop_element function in ext/wddx/wddx.c in PHP 7.0.x befo ...) - php7.1 7.1.1-1 - php7.0 7.0.15-1 NOTE: PHP Bug: http://bugs.php.net/73831 NOTE: Fixed in 7.0.15, 7.1.1 CVE-2016-10161 (The object_common1 function in ext/standard/var_unserializer.c in PHP ...) {DSA-3783-1 DLA-818-1} - php7.1 7.1.1-1 - php7.0 7.0.15-1 - php5 NOTE: PHP Bug: http://bugs.php.net/73825 NOTE: Fixed in 5.6.30, 7.0.15, 7.1.1 CVE-2016-10160 (Off-by-one error in the phar_parse_pharfile function in ext/phar/phar. ...) {DSA-3783-1 DLA-818-1} - php7.1 7.1.1-1 - php7.0 7.0.15-1 - php5 NOTE: PHP Bug: http://bugs.php.net/73768 NOTE: Fixed in 5.6.30, 7.0.15, 7.1.1 CVE-2016-10159 (Integer overflow in the phar_parse_pharfile function in ext/phar/phar. ...) {DSA-3783-1 DLA-818-1} - php7.1 7.1.1-1 - php7.0 7.0.15-1 - php5 NOTE: PHP Bug: http://bugs.php.net/73764 NOTE: Fixed in 5.6.30, 7.0.15, 7.1.1 CVE-2016-10158 (The exif_convert_any_to_int function in ext/exif/exif.c in PHP before ...) {DSA-3783-1 DLA-818-1} - php7.1 7.1.1-1 - php7.0 7.0.15-1 - php5 NOTE: PHP Bug: http://bugs.php.net/73737 NOTE: Fixed in 5.6.30, 7.0.15, 7.1.1 CVE-2016-10157 (Akamai NetSession 1.9.3.1 is vulnerable to DLL Hijacking: it tries to ...) NOT-FOR-US: Akamai NetSession CVE-2016-10156 (A flaw in systemd v228 in /src/basic/fs-util.c caused world writable s ...) - systemd 229-1 [jessie] - systemd (Vulnerability introduced in v228) [wheezy] - systemd (Vulnerability introduced in v228) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1020601 NOTE: Fixed by: https://github.com/systemd/systemd/commit/06eeacb6fe029804f296b065b3ce91e796e1cd0e (v229) NOTE: Introduced by: https://github.com/systemd/systemd/commit/ee735086f8670be1591fa9593e80dd60163a7a2f (v228) CVE-2017-5616 (Cross-site scripting (XSS) vulnerability in cgiemail and cgiecho allow ...) {DLA-869-1} - cgiemail (bug #852031) NOTE: http://www.openwall.com/lists/oss-security/2017/01/20/6 CVE-2017-5615 (cgiemail and cgiecho allow remote attackers to inject HTTP headers via ...) {DLA-869-1} - cgiemail (bug #852031) NOTE: http://www.openwall.com/lists/oss-security/2017/01/20/6 CVE-2017-5614 (Open redirect vulnerability in cgiemail and cgiecho allows remote atta ...) {DLA-869-1} - cgiemail (bug #852031) NOTE: http://www.openwall.com/lists/oss-security/2017/01/20/6 CVE-2017-5613 (Format string vulnerability in cgiemail and cgiecho allows remote atta ...) {DLA-869-1} - cgiemail (bug #852031) NOTE: http://www.openwall.com/lists/oss-security/2017/01/20/6 CVE-2016-10155 (Memory leak in hw/watchdog/wdt_i6300esb.c in QEMU (aka Quick Emulator) ...) {DLA-1497-1} - qemu 1:2.8+dfsg-2 (low; bug #852232) [wheezy] - qemu (Minor issue) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2016-12/msg03104.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1415199 NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=eb7a20a3616085d46aa6b4b4224e15587ec67e6e CVE-2016-10154 (The smbhash function in fs/cifs/smbencrypt.c in the Linux kernel 4.9.x ...) - linux 4.9.2-1 [jessie] - linux (Introduced in 4.9 in combination with VMAP_STACK) [wheezy] - linux (Introduced in 4.9 in combination with VMAP_STACK) NOTE: Fixed by: https://git.kernel.org/linus/06deeec77a5a689cc94b21a8a91a76e42176685d (v4.10-rc1) CVE-2016-10153 (The crypto scatterlist API in the Linux kernel 4.9.x before 4.9.6 inte ...) - linux 4.9.6-1 [jessie] - linux (Introduced in 4.9 in combination with VMAP_STACK) [wheezy] - linux (Introduced in 4.9 in combination with VMAP_STACK) NOTE: Fixed by: https://git.kernel.org/linus/a45f795c65b479b4ba107b6ccde29b896d51ee98 (v4.10-rc1) CVE-2016-10152 (The read_config_file function in lib/hesiod.c in Hesiod 3.2.1 falls ba ...) {DLA-796-1} - hesiod 3.2.1-3.1 (low; bug #852093) [stretch] - hesiod (Minor issue) [jessie] - hesiod (Minor issue) NOTE: https://github.com/achernya/hesiod/pull/10 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1332493 CVE-2016-10151 (The hesiod_init function in lib/hesiod.c in Hesiod 3.2.1 compares EUID ...) {DLA-796-1} - hesiod 3.2.1-3.1 (low; bug #852094) [stretch] - hesiod (Minor issue) [jessie] - hesiod (Minor issue) NOTE: https://github.com/achernya/hesiod/pull/9 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1332508 CVE-2016-10150 (Use-after-free vulnerability in the kvm_ioctl_create_device function i ...) - linux 4.8.15-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/a0f1d21c1ccb1da66629627a74059dd7f5ac9c61 (v4.9-rc8) NOTE: Introduced by: https://git.kernel.org/linus/a28ebea2adc4a2bef5989a5a181ec238f59fbcad (v4.8-rc2) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1414506 CVE-2016-10148 (The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.p ...) - wordpress 4.6.1+dfsg-1 [jessie] - wordpress (wp_ajax_update_plugin function introduced in 4.2) [wheezy] - wordpress (wp_ajax_update_plugin function introduced in 4.2) NOTE: https://core.trac.wordpress.org/ticket/37490 NOTE: https://core.trac.wordpress.org/changeset/38168 CVE-2017-5552 (Memory leak in the virgl_resource_attach_backing function in hw/displa ...) - qemu 1:2.10.0-1 (bug #852119; unimportant) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2017-01/msg00154.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1415281 NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=33243031dad02d161225ba99d782616da133f689 (v2.9.0-rc0) NOTE: Marked as unimportant, since 1:2.8+dfsg-2 reverted the support for NOTE: virtio gpu (virglrenderer) and opengl, but the affected code is NOTE: still present. CVE-2017-5551 (The simple_set_acl function in fs/posix_acl.c in the Linux kernel befo ...) {DSA-3791-1} - linux 4.9.6-1 [wheezy] - linux 3.2.84-1 NOTE: Backported fix for CVE-2016-7097 already covered this CVE for wheezy NOTE: Fixed by: https://git.kernel.org/linus/497de07d89c1410d76a15bec2bb41f24a2a89f31 (4.10-rc4) CVE-2017-5550 (Off-by-one error in the pipe_advance function in lib/iov_iter.c in the ...) - linux 4.9.6-1 [jessie] - linux (Introduced in 4.9) [wheezy] - linux (Introduced in 4.9) NOTE: Fixed by: https://git.kernel.org/linus/b9dc6f65bc5e232d1c05fe34b5daadc7e8bbf1fb (4.10-rc4) NOTE: Introduced by: https://github.com/torvalds/linux/commit/241699cd72a8489c9446ae3910ddd243e9b9061b (4.9-rc1) CVE-2017-5549 (The klsi_105_get_line_state function in drivers/usb/serial/kl5kusb105. ...) {DSA-3791-1 DLA-833-1} - linux 4.9.6-1 NOTE: Fixed by: https://git.kernel.org/linus/146cc8a17a3b4996f6805ee5c080e7101277c410 (4.10-rc4) CVE-2017-5548 (drivers/net/ieee802154/atusb.c in the Linux kernel 4.9.x before 4.9.6 ...) - linux 4.9.6-1 [jessie] - linux (Introduced in 4.9 in combination with VMAP_STACK) [wheezy] - linux (Introduced in 4.9 in combination with VMAP_STACK) NOTE: Fixed by: https://git.kernel.org/linus/05a974efa4bdf6e2a150e3f27dc6fcf0a9ad5655 CVE-2017-5547 (drivers/hid/hid-corsair.c in the Linux kernel 4.9.x before 4.9.6 inter ...) - linux 4.9.6-1 [jessie] - linux (Vulnerable code introduced in v4.4-rc1) [wheezy] - linux (Vulnerable code introduced in v4.4-rc1) NOTE: Fixed by: https://git.kernel.org/linus/6d104af38b570d37aa32a5803b04c354f8ed513d CVE-2017-5546 (The freelist-randomization feature in mm/slab.c in the Linux kernel 4. ...) - linux 4.9.6-1 [jessie] - linux (freelist randomisation introduced in 4.7) [wheezy] - linux (freelist randomisation introduced in 4.7) NOTE: Fixed by: https://git.kernel.org/linus/c4e490cf148e85ead0d1b1c2caaba833f1d5b29f (v4.10-rc4) CVE-2017-5538 (The kbase_dispatch function in arm/t7xx/r5p0/mali_kbase_core_linux.c i ...) NOT-FOR-US: Samsung Exynos CVE-2017-5524 (Plone 4.x through 4.3.11 and 5.x through 5.0.6 allow remote attackers ...) NOT-FOR-US: Plone CVE-2017-5537 (The password reset form in Weblate before 2.10.1 provides different er ...) - weblate (bug #745661) NOTE: http://www.openwall.com/lists/oss-security/2017/01/18/11 CVE-2017-5526 (Memory leak in hw/audio/es1370.c in QEMU (aka Quick Emulator) allows l ...) {DLA-1497-1} - qemu 1:2.8+dfsg-2 (bug #851910) [wheezy] - qemu (Minor issue) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2017-01/msg01742.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1414209 NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da NOTE: Sound device hotplug not supported by libvirt CVE-2017-5525 (Memory leak in hw/audio/ac97.c in QEMU (aka Quick Emulator) allows loc ...) {DLA-1497-1} - qemu 1:2.8+dfsg-2 (bug #852021) [wheezy] - qemu (Minor issue) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2017-01/msg01740.html NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=12351a91da97b414eec8cdb09f1d9f41e535a401 NOTE: Sound device hotplug not supported by libvirt CVE-2017-5523 RESERVED CVE-2017-5522 (Stack-based buffer overflow in MapServer before 6.0.6, 6.2.x before 6. ...) {DSA-3766-1 DLA-790-1} - mapserver 7.0.4-1 NOTE: https://lists.osgeo.org/pipermail/mapserver-dev/2017-January/015007.html NOTE: https://github.com/mapserver/mapserver/commit/e52a436c0e1c5e9f7ef13428dba83194a800f4df CVE-2017-2578 (In Moodle 3.x, there is XSS in the assignment submission page. ...) - moodle 2.7.18+dfsg-1 NOTE: https://moodle.org/mod/forum/discuss.php?d=345915 CVE-2017-2576 (In Moodle 2.x and 3.x, there is incorrect sanitization of attributes i ...) - moodle 2.7.18+dfsg-1 NOTE: https://moodle.org/mod/forum/discuss.php?d=345912 CVE-2017-5521 (An issue was discovered on NETGEAR R8500, R8300, R7000, R6400, R7300, ...) NOT-FOR-US: NETGEAR CVE-2017-5520 (The media rename feature in GeniXCMS through 0.0.8 does not consider a ...) NOT-FOR-US: GenixCMS CVE-2017-5519 (SQL injection vulnerability in Posts.class.php in GeniXCMS through 0.0 ...) NOT-FOR-US: GenixCMS CVE-2017-5518 (The media-file upload feature in GeniXCMS through 0.0.8 allows remote ...) NOT-FOR-US: GenixCMS CVE-2017-5517 (SQL injection vulnerability in author.control.php in GeniXCMS through ...) NOT-FOR-US: GenixCMS CVE-2017-5516 (Multiple cross-site scripting (XSS) vulnerabilities in the user forms ...) NOT-FOR-US: GenixCMS CVE-2017-5515 (Cross-site scripting (XSS) vulnerability in the user prompt function i ...) NOT-FOR-US: GenixCMS CVE-2017-5514 RESERVED CVE-2017-5513 RESERVED CVE-2017-5512 RESERVED CVE-2017-5497 RESERVED CVE-2017-5496 (Sawmill Enterprise 8.7.9 allows remote attackers to gain login access ...) NOT-FOR-US: Sawmill Enterprise CVE-2017-5495 (All versions of Quagga, 0.93 through 1.1.0, are vulnerable to an unbou ...) - quagga 1.1.1-1 (bug #852454) [jessie] - quagga (Minor issue) [wheezy] - quagga (Minor issue) NOTE: http://savannah.nongnu.org/forum/forum.php?forum_id=8783 NOTE: http://mirror.easyname.at/nongnu//quagga/quagga-1.1.1.changelog.txt NOTE: Fixed by: http://git.savannah.gnu.org/cgit/quagga.git/commit/?id=b7ceefea77a246fe5c1dcd1b91bf6079d1b97c02 NOTE: http://git.savannah.gnu.org/cgit/quagga.git/commit/?id=7d66284a5817a1613b1e4d64a0775ec04fdf8c01 CVE-2017-5494 (Multiple cross-site scripting (XSS) vulnerabilities in the file types ...) - b2evolution CVE-2017-5486 (The ISO CLNS parser in tcpdump before 4.9.0 has a buffer overflow in p ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2017-5485 (The ISO CLNS parser in tcpdump before 4.9.0 has a buffer overflow in a ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2017-5484 (The ATM parser in tcpdump before 4.9.0 has a buffer overflow in print- ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2017-5483 (The SNMP parser in tcpdump before 4.9.0 has a buffer overflow in print ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2017-5482 (The Q.933 parser in tcpdump before 4.9.0 has a buffer overflow in prin ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2017-5481 (Trend Micro OfficeScan 11.0 before SP1 CP 6325 and XG before CP 1352 a ...) NOT-FOR-US: Trend Micro CVE-2017-5480 (Directory traversal vulnerability in inc/files/files.ctrl.php in b2evo ...) - b2evolution CVE-2017-5479 RESERVED CVE-2017-5478 RESERVED CVE-2017-5477 RESERVED CVE-2017-5476 (Serendipity through 2.0.5 allows CSRF for the installation of an event ...) - serendipity CVE-2017-5475 (comment.php in Serendipity through 2.0.5 allows CSRF in deleting any c ...) - serendipity CVE-2017-5474 (Open redirect vulnerability in comment.php in Serendipity through 2.0. ...) - serendipity CVE-2017-5473 (Cross-site request forgery (CSRF) vulnerability in ntopng through 2.4 ...) - ntopng 2.4+dfsg1-3 (bug #852109) [jessie] - ntopng (Minor issue) NOTE: https://github.com/ntop/ntopng/commit/1b2ceac8f578a246af6351c4f476e3102cdf21b3 NOTE: https://github.com/ntop/ntopng/commit/f91fbe3d94c8346884271838ae3406ae633f6f15 CVE-2017-5472 (A use-after-free vulnerability with the frameloader during tree recons ...) {DSA-3918-1 DSA-3881-1 DLA-1007-1 DLA-991-1} - firefox 54.0-1 - firefox-esr 52.2.0esr-1 - icedove 1:52.2.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-5472 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-5472 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-5472 CVE-2017-5471 (Memory safety bugs were reported in Firefox 53. Some of these bugs sho ...) - firefox 54.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-5471 CVE-2017-5470 (Memory safety bugs were reported in Firefox 53 and Firefox ESR 52.1. S ...) {DSA-3918-1 DSA-3881-1 DLA-1007-1 DLA-991-1} - firefox 54.0-1 - firefox-esr 52.2.0esr-1 - icedove 1:52.2.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-5470 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-5470 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-5470 CVE-2017-5469 (Fixed potential buffer overflows in generated Firefox code due to CVE- ...) {DSA-3831-1 DLA-906-1} - firefox-esr 45.9.0esr-1 - firefox 52.0.1-1 CVE-2017-5468 (An issue with incorrect ownership model of "privateBrowsing" informati ...) - firefox 52.0.1-1 CVE-2017-5467 (A potential memory corruption and crash when using Skia content when d ...) - firefox 52.0.1-1 CVE-2017-5466 (If a page is loaded from an original site through a hyperlink and cont ...) - firefox 52.0.1-1 CVE-2017-5465 (An out-of-bounds read while processing SVG content in "ConvolvePixel". ...) {DSA-3831-1 DLA-906-1} - firefox 52.0.1-1 - firefox-esr 45.9.0esr-1 CVE-2017-5464 (During DOM manipulations of the accessibility tree through script, the ...) {DSA-3831-1 DLA-906-1} - firefox 52.0.1-1 - firefox-esr 45.9.0esr-1 CVE-2017-5463 (Android intents can be used to launch Firefox for Android in reader mo ...) - firefox (Only affects Firefox on Android) CVE-2017-5462 (A flaw in DRBG number generation within the Network Security Services ...) {DSA-3872-1 DSA-3831-1 DLA-946-1 DLA-906-1} - firefox 52.0.1-1 - firefox-esr 45.9.0esr-1 [experimental] - nss 2:3.30-1 - nss 2:3.26.2-1.1 (bug #862958) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5462 NOTE: https://hg.mozilla.org/projects/nss/rev/7248d38b76e5 CVE-2017-5461 (Mozilla Network Security Services (NSS) before 3.21.4, 3.22.x through ...) {DSA-3872-1 DSA-3831-1 DLA-946-1 DLA-906-1} - firefox 52.0.1-1 [experimental] - nss 2:3.30.1-1 - nss 2:3.26.2-1.1 (bug #862958) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5461 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1344380 NOTE: https://hg.mozilla.org/projects/nss/rev/77a5bb81dbaa CVE-2017-5460 (A use-after-free vulnerability in frame selection triggered by a combi ...) {DSA-3831-1 DLA-906-1} - firefox 52.0.1-1 - firefox-esr 45.9.0esr-1 CVE-2017-5459 (A buffer overflow in WebGL triggerable by web content, resulting in a ...) {DSA-3831-1 DLA-906-1} - firefox 52.0.1-1 - firefox-esr 45.9.0esr-1 CVE-2017-5458 (When a "javascript:" URL is drag and dropped by a user into the addres ...) - firefox 52.0.1-1 CVE-2017-5457 RESERVED CVE-2017-5456 (A mechanism to bypass file system access protections in the sandbox us ...) - firefox 52.0.1-1 CVE-2017-5455 (The internal feed reader APIs that crossed the sandbox barrier allowed ...) - firefox 52.0.1-1 CVE-2017-5454 (A mechanism to bypass file system access protections in the sandbox to ...) - firefox 52.0.1-1 CVE-2017-5453 (A mechanism to inject static HTML into the RSS reader preview page due ...) - firefox 52.0.1-1 CVE-2017-5452 (Malicious sites can display a spoofed addressbar on a page when the ex ...) - firefox (Only affects Firefox on Android) CVE-2017-5451 (A mechanism to spoof the addressbar through the user interaction on th ...) - firefox 52.0.1-1 CVE-2017-5450 (A mechanism to spoof the Firefox for Android addressbar using a "javas ...) - firefox 52.0.1-1 CVE-2017-5449 (A possibly exploitable crash triggered during layout and manipulation ...) - firefox 52.0.1-1 CVE-2017-5448 (An out-of-bounds write in "ClearKeyDecryptor" while decrypting some Cl ...) {DSA-3831-1 DLA-906-1} - firefox 52.0.1-1 - firefox-esr 45.9.0esr-1 CVE-2017-5447 (An out-of-bounds read during the processing of glyph widths during tex ...) {DSA-3831-1 DLA-906-1} - firefox 52.0.1-1 - firefox-esr 45.9.0esr-1 CVE-2017-5446 (An out-of-bounds read when an HTTP/2 connection to a servers sends "DA ...) {DSA-3831-1 DLA-906-1} - firefox 52.0.1-1 - firefox-esr 45.9.0esr-1 CVE-2017-5445 (A vulnerability while parsing "application/http-index-format" format c ...) {DSA-3831-1 DLA-906-1} - firefox 52.0.1-1 - firefox-esr 45.9.0esr-1 CVE-2017-5444 (A buffer overflow vulnerability while parsing "application/http-index- ...) {DSA-3831-1 DLA-906-1} - firefox 52.0.1-1 - firefox-esr 45.9.0esr-1 CVE-2017-5443 (An out-of-bounds write vulnerability while decoding improperly formed ...) {DSA-3831-1 DLA-906-1} - firefox 52.0.1-1 - firefox-esr 45.9.0esr-1 CVE-2017-5442 (A use-after-free vulnerability during changes in style when manipulati ...) {DSA-3831-1 DLA-906-1} - firefox 52.0.1-1 - firefox-esr 45.9.0esr-1 CVE-2017-5441 (A use-after-free vulnerability when holding a selection during scroll ...) {DSA-3831-1 DLA-906-1} - firefox 52.0.1-1 - firefox-esr 45.9.0esr-1 CVE-2017-5440 (A use-after-free vulnerability during XSLT processing due to a failure ...) {DSA-3831-1 DLA-906-1} - firefox 52.0.1-1 - firefox-esr 45.9.0esr-1 CVE-2017-5439 (A use-after-free vulnerability during XSLT processing due to poor hand ...) {DSA-3831-1 DLA-906-1} - firefox 52.0.1-1 - firefox-esr 45.9.0esr-1 CVE-2017-5438 (A use-after-free vulnerability during XSLT processing due to the resul ...) {DSA-3831-1 DLA-906-1} - firefox 52.0.1-1 - firefox-esr 45.9.0esr-1 CVE-2017-5437 REJECTED CVE-2017-5436 (An out-of-bounds write in the Graphite 2 library triggered with a mali ...) {DSA-3831-1 DLA-906-1} - firefox 52.0.1-1 - firefox-esr 45.9.0esr-1 CVE-2017-5435 (A use-after-free vulnerability occurs during transaction processing in ...) {DSA-3831-1 DLA-906-1} - firefox 52.0.1-1 - firefox-esr 45.9.0esr-1 CVE-2017-5434 (A use-after-free vulnerability occurs when redirecting focus handling ...) {DSA-3831-1 DLA-906-1} - firefox 52.0.1-1 - firefox-esr 45.9.0esr-1 CVE-2017-5433 (A use-after-free vulnerability in SMIL animation functions occurs when ...) {DSA-3831-1 DLA-906-1} - firefox 52.0.1-1 - firefox-esr 45.9.0esr-1 CVE-2017-5432 (A use-after-free vulnerability occurs during certain text input select ...) {DSA-3831-1 DLA-906-1} - firefox 52.0.1-1 - firefox-esr 45.9.0esr-1 CVE-2017-5431 RESERVED CVE-2017-5430 (Memory safety bugs were reported in Firefox 52, Firefox ESR 52, and Th ...) - firefox 52.0.1-1 - firefox-esr (Only affects ESR52 and Firefox) CVE-2017-5429 (Memory safety bugs were reported in Firefox 52, Firefox ESR 45.8, Fire ...) {DSA-3831-1 DLA-906-1} - firefox-esr 45.9.0esr-1 - firefox 52.0.1-1 CVE-2017-5428 (An integer overflow in "createImageBitmap()" was reported through the ...) - firefox-esr (Only affects 52 ESR, which isn't packaged yet except experimental where it's fixed) - firefox 52.0.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-08/#CVE-2017-5428 CVE-2017-5427 (A non-existent chrome.manifest file will attempt to be loaded during s ...) - firefox 52.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5427 CVE-2017-5426 (On Linux, if the secure computing mode BPF (seccomp-bpf) filter is run ...) - firefox 52.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5426 CVE-2017-5425 (The Gecko Media Plugin sandbox allows access to local files that match ...) - firefox (Only Firefox on OS X) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5425 CVE-2017-5424 RESERVED CVE-2017-5423 RESERVED CVE-2017-5422 (If a malicious site uses the "view-source:" protocol in a series withi ...) - firefox 52.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5422 CVE-2017-5421 (A malicious site could spoof the contents of the print preview window ...) - firefox 52.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5421 CVE-2017-5420 (A "javascript:" url loaded by a malicious page can obfuscate its locat ...) - firefox 52.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5420 CVE-2017-5419 (If a malicious site repeatedly triggers a modal authentication prompt, ...) - firefox 52.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5419 CVE-2017-5418 (An out of bounds read error occurs when parsing some HTTP digest autho ...) - firefox 52.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5418 CVE-2017-5417 (When dragging content from the primary browser pane to the addressbar ...) - firefox 52.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5417 CVE-2017-5416 (In certain circumstances a networking event listener can be prematurel ...) - firefox 52.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5416 CVE-2017-5415 (An attack can use a blob URL and script to spoof an arbitrary addressb ...) - firefox 52.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5415 CVE-2017-5414 (The file picker dialog can choose and display the wrong local default ...) - firefox 52.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5414 CVE-2017-5413 (A segmentation fault can occur during some bidirectional layout operat ...) - firefox 52.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5413 CVE-2017-5412 (A buffer overflow read during SVG filter color value operations, resul ...) - firefox 52.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5412 CVE-2017-5411 (A use-after-free can occur during buffer storage operations within the ...) - firefox (Only Firefox on Windows) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5411 CVE-2017-5410 (Memory corruption resulting in a potentially exploitable crash during ...) {DSA-3832-1 DSA-3805-1 DLA-896-1 DLA-852-1} - firefox 52.0-1 - firefox-esr 45.8.0esr-1 - icedove 1:45.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5410 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-06/#CVE-2017-5410 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5410 CVE-2017-5409 (The Mozilla Windows updater can be called by a non-privileged user to ...) - firefox (Only Firefox on Windows) - firefox-esr (Only Firefox on Windows) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5409 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-06/#CVE-2017-5409 CVE-2017-5408 (Video files loaded video captions cross-origin without checking for th ...) {DSA-3832-1 DSA-3805-1 DLA-896-1 DLA-852-1} - firefox 52.0-1 - firefox-esr 45.8.0esr-1 - icedove 1:45.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5408 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-06/#CVE-2017-5408 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5408 CVE-2017-5407 (Using SVG filters that don't use the fixed point math implementation o ...) {DSA-3832-1 DSA-3805-1 DLA-896-1 DLA-852-1} - firefox 52.0-1 - firefox-esr 45.8.0esr-1 - icedove 1:45.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5407 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-06/#CVE-2017-5407 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5407 CVE-2017-5406 (A segmentation fault can occur in the Skia graphics library during som ...) - firefox 52.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5406 CVE-2017-5405 (Certain response codes in FTP connections can result in the use of uni ...) {DSA-3832-1 DSA-3805-1 DLA-896-1 DLA-852-1} - firefox 52.0-1 - firefox-esr 45.8.0esr-1 - icedove 1:45.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5405 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-06/#CVE-2017-5405 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5405 CVE-2017-5404 (A use-after-free error can occur when manipulating ranges in selection ...) {DSA-3832-1 DSA-3805-1 DLA-896-1 DLA-852-1} - firefox 52.0-1 - firefox-esr 45.8.0esr-1 - icedove 1:45.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5404 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-06/#CVE-2017-5404 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5404 CVE-2017-5403 (When adding a range to an object in the DOM, it is possible to use "ad ...) - firefox 52.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5403 CVE-2017-5402 (A use-after-free can occur when events are fired for a "FontFace" obje ...) {DSA-3832-1 DSA-3805-1 DLA-896-1 DLA-852-1} - firefox 52.0-1 - firefox-esr 45.8.0esr-1 - icedove 1:45.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5402 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-06/#CVE-2017-5402 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5402 CVE-2017-5401 (A crash triggerable by web content in which an "ErrorResult" reference ...) {DSA-3832-1 DSA-3805-1 DLA-896-1 DLA-852-1} - firefox 52.0-1 - firefox-esr 45.8.0esr-1 - icedove 1:45.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5401 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-06/#CVE-2017-5401 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5401 CVE-2017-5400 (JIT-spray targeting asm.js combined with a heap spray allows for a byp ...) {DSA-3832-1 DSA-3805-1 DLA-896-1 DLA-852-1} - firefox 52.0-1 - firefox-esr 45.8.0esr-1 - icedove 1:45.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5400 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-06/#CVE-2017-5400 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5400 CVE-2017-5399 (Memory safety bugs were reported in Firefox 51. Some of these bugs sho ...) - firefox 52.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5399 CVE-2017-5398 (Memory safety bugs were reported in Thunderbird 45.7. Some of these bu ...) {DSA-3832-1 DSA-3805-1 DLA-896-1 DLA-852-1} - firefox 52.0-1 - firefox-esr 45.8.0esr-1 - icedove 1:45.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5398 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-06/#CVE-2017-5398 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5398 CVE-2017-5397 (The cache directory on the local file system is set to be world writab ...) - firefox (Firefox on Android) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-04/#CVE-2017-5397 CVE-2017-5396 (A use-after-free vulnerability in the Media Decoder when working with ...) {DSA-3832-1 DSA-3771-1 DLA-896-1 DLA-800-1} - firefox 51.0-1 - firefox-esr 45.7.0esr-1 - icedove 1:45.7.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5396 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/#CVE-2017-5396 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-03/#CVE-2017-5396 CVE-2017-5395 (Malicious sites can display a spoofed location bar on a subsequently l ...) - firefox (Firefox on Android) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5395 CVE-2017-5394 (A location bar spoofing attack where the location bar of loaded page w ...) - firefox (Firefox on Android) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5394 CVE-2017-5393 (The "mozAddonManager" allows for the installation of extensions from t ...) - firefox 51.0-1 - firefox-esr (Does not affect Firefox ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5393 CVE-2017-5392 (Weak proxy objects have weak references on multiple threads when they ...) - firefox (Firefox on Android) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5392 CVE-2017-5391 (Special "about:" pages used by web content, such as RSS feeds, can loa ...) - firefox 51.0-1 - firefox-esr (Does not affect Firefox ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5391 CVE-2017-5390 (The JSON viewer in the Developer Tools uses insecure methods to create ...) {DSA-3832-1 DSA-3771-1 DLA-896-1 DLA-800-1} - firefox 51.0-1 - firefox-esr 45.7.0esr-1 - icedove 1:45.7.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5390 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/#CVE-2017-5390 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-03/#CVE-2017-5390 CVE-2017-5389 (WebExtensions could use the "mozAddonManager" API by modifying the CSP ...) - firefox 51.0-1 - firefox-esr (Does not affect Firefox ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5389 CVE-2017-5388 (A STUN server in conjunction with a large number of "webkitRTCPeerConn ...) - firefox 51.0-1 - firefox-esr (Does not affect Firefox ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5388 CVE-2017-5387 (The existence of a specifically requested local file can be found due ...) - firefox 51.0-1 - firefox-esr (Does not affect Firefox ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5387 CVE-2017-5386 (WebExtension scripts can use the "data:" protocol to affect pages load ...) {DSA-3771-1 DLA-800-1} - firefox 51.0-1 - firefox-esr 45.7.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5386 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/#CVE-2017-5386 CVE-2017-5385 (Data sent with in multipart channels, such as the multipart/x-mixed-re ...) - firefox 51.0-1 - firefox-esr (Does not affect Firefox ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5385 CVE-2017-5384 (Proxy Auto-Config (PAC) files can specify a JavaScript function called ...) - firefox 51.0-1 - firefox-esr (Does not affect Firefox ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5384 CVE-2017-5383 (URLs containing certain unicode glyphs for alternative hyphens and quo ...) {DSA-3832-1 DSA-3771-1 DLA-896-1 DLA-800-1} - firefox 51.0-1 - firefox-esr 45.7.0esr-1 - icedove 1:45.7.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5383 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/#CVE-2017-5383 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-03/#CVE-2017-5383 CVE-2017-5382 (Feed preview for RSS feeds can be used to capture errors and exception ...) - firefox 51.0-1 - firefox-esr (Does not affect Firefox ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5382 CVE-2017-5381 (The "export" function in the Certificate Viewer can force local filesy ...) - firefox 51.0-1 - firefox-esr (Does not affect Firefox ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5381 CVE-2017-5380 (A potential use-after-free found through fuzzing during DOM manipulati ...) {DSA-3832-1 DSA-3771-1 DLA-896-1 DLA-800-1} - firefox 51.0-1 - firefox-esr 45.7.0esr-1 - icedove 1:45.7.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5380 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/#CVE-2017-5380 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-03/#CVE-2017-5380 CVE-2017-5379 (Use-after-free vulnerability in Web Animations when interacting with c ...) - firefox 51.0-1 - firefox-esr (Does not affect Firefox ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5379 CVE-2017-5378 (Hashed codes of JavaScript objects are shared between pages. This allo ...) {DSA-3832-1 DSA-3771-1 DLA-896-1 DLA-800-1} - firefox 51.0-1 - firefox-esr 45.7.0esr-1 - icedove 1:45.7.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5378 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/#CVE-2017-5378 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-03/#CVE-2017-5378 CVE-2017-5377 (A memory corruption vulnerability in Skia that can occur when using tr ...) - firefox 51.0-1 - firefox-esr (Does not affect Firefox ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5377 CVE-2017-5376 (Use-after-free while manipulating XSL in XSLT documents. This vulnerab ...) {DSA-3832-1 DSA-3771-1 DLA-896-1 DLA-800-1} - firefox 51.0-1 - firefox-esr 45.7.0esr-1 - icedove 1:45.7.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5376 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/#CVE-2017-5376 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-03/#CVE-2017-5376 CVE-2017-5375 (JIT code allocation can allow for a bypass of ASLR and DEP protections ...) {DSA-3832-1 DSA-3771-1 DLA-896-1 DLA-800-1} - firefox 51.0-1 - firefox-esr 45.7.0esr-1 - icedove 1:45.7.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5375 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/#CVE-2017-5375 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-03/#CVE-2017-5375 CVE-2017-5374 (Memory safety bugs were reported in Firefox 50.1. Some of these bugs s ...) - firefox 51.0-1 - firefox-esr (Does not affect Firefox ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5374 CVE-2017-5373 (Memory safety bugs were reported in Firefox 50.1 and Firefox ESR 45.6. ...) {DSA-3832-1 DSA-3771-1 DLA-896-1 DLA-800-1} - firefox 51.0-1 - firefox-esr 45.7.0esr-1 - icedove 1:45.7.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5373 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/#CVE-2017-5373 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-03/#CVE-2017-5373 CVE-2017-5372 (The function msp (aka MSPRuntimeInterface) in the P4 SERVERCORE compon ...) NOT-FOR-US: SAP CVE-2017-5371 (Odata Server in SAP Adaptive Server Enterprise (ASE) 16 allows remote ...) NOT-FOR-US: SAP CVE-2017-5370 RESERVED CVE-2017-5369 RESERVED CVE-2017-5368 (ZoneMinder v1.30 and v1.29, an open-source CCTV server web application ...) - zoneminder 1.30.4+dfsg-1 (bug #854733) [wheezy] - zoneminder (Too intrusive to backport) NOTE: https://github.com/ZoneMinder/ZoneMinder/pull/1822 CVE-2017-5367 (Multiple reflected XSS vulnerabilities exist within form and link inpu ...) - zoneminder 1.30.4+dfsg-1 (bug #854733) [wheezy] - zoneminder (Minor issue) CVE-2017-5366 RESERVED CVE-2017-5365 RESERVED CVE-2017-5364 (Memory Corruption Vulnerability in Foxit PDF Toolkit v1.3 allows an at ...) NOT-FOR-US: Foxit PDF Toolkit CVE-2017-5363 RESERVED CVE-2017-5362 RESERVED CVE-2017-5361 (Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x ...) {DSA-3883-1 DSA-3882-1 DLA-988-1 DLA-987-1} - request-tracker4 4.4.1-4 - rt-authen-externalauth NOTE: https://github.com/bestpractical/rt-authen-externalauth/commit/436255c04b4881bb6d8eec9a57b8593033d863a9 CVE-2017-5360 RESERVED CVE-2017-5359 (EasyCom SQL iPlug allows remote attackers to cause a denial of service ...) NOT-FOR-US: EasyCom CVE-2017-5358 (Stack-based buffer overflows in php_Easycom5_3_0.dll in EasyCom for PH ...) NOT-FOR-US: EasyCom CVE-2016-10147 (crypto/mcryptd.c in the Linux kernel before 4.8.15 allows local users ...) - linux 4.8.15-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/48a992727d82cb7db076fa15d372178743b1f4cd (v4.9) CVE-2016-10143 (A vulnerability in Tiki Wiki CMS 15.2 could allow a remote attacker to ...) - tikiwiki CVE-2016-10142 (An issue was discovered in the IPv6 protocol specification, related to ...) NOTE: Generic IPv6 issue CVE-2016-10139 (An issue was discovered on BLU R1 HD devices with Shanghai Adups softw ...) NOT-FOR-US: BLU CVE-2016-10138 (An issue was discovered on BLU Advance 5.0 and BLU R1 HD devices with ...) NOT-FOR-US: BLU CVE-2016-10137 (An issue was discovered on BLU R1 HD devices with Shanghai Adups softw ...) NOT-FOR-US: BLU CVE-2016-10136 (An issue was discovered on BLU R1 HD devices with Shanghai Adups softw ...) NOT-FOR-US: BLU CVE-2016-10135 (An issue was discovered on LG devices using the MTK chipset with L(5.0 ...) NOT-FOR-US: LG CVE-2017-5505 (The jas_matrix_asl function in jas_seq.c in JasPer 1.900.27 allows rem ...) - jasper (unimportant) NOTE: https://blogs.gentoo.org/ago/2017/01/16/jasper-invalid-memory-read-in-jas_matrix_asl-jas_seq-c NOTE: https://github.com/mdadams/jasper/issues/88 NOTE: Not suitable for code injection, hardly denial of service CVE-2017-5504 (The jpc_undo_roi function in libjasper/jpc/jpc_dec.c in JasPer 1.900.2 ...) - jasper (unimportant) NOTE: https://blogs.gentoo.org/ago/2017/01/16/jasper-invalid-memory-read-in-jpc_undo_roi-jpc_dec-c NOTE: https://github.com/mdadams/jasper/issues/89 NOTE: Not suitable for code injection, hardly denial of service CVE-2017-5503 (The dec_clnpass function in libjasper/jpc/jpc_t1dec.c in JasPer 1.900. ...) - jasper (Vulnerable code introduced later) NOTE: https://blogs.gentoo.org/ago/2017/01/16/jasper-invalid-memory-write-in-dec_clnpass-jpc_t1dec-c NOTE: https://github.com/mdadams/jasper/issues/90 CVE-2017-5502 (libjasper/jp2/jp2_dec.c in JasPer 1.900.17 allows remote attackers to ...) - jasper (unimportant) NOTE: Reproducer: https://github.com/asarubbo/poc/blob/master/00030-jasper-leftshift-jp2_dec_c NOTE: http://blogs.gentoo.org/ago/2017/01/16/jasper-multiple-crashes-with-ubsan/ NOTE: https://github.com/mdadams/jasper/issues/76 NOTE: Not suitable for code injection, hardly denial of service CVE-2017-5501 (Integer overflow in libjasper/jpc/jpc_tsfb.c in JasPer 1.900.17 allows ...) - jasper (unimportant) NOTE: Reproducer: https://github.com/asarubbo/poc/blob/master/00022-jasper-signedintoverflow-jpc_tsfb_c NOTE: http://blogs.gentoo.org/ago/2017/01/16/jasper-multiple-crashes-with-ubsan/ NOTE: https://github.com/mdadams/jasper/issues/70 NOTE: Only crashes with debug builds using ubsan CVE-2017-5500 (libjasper/jpc/jpc_dec.c in JasPer 1.900.17 allows remote attackers to ...) - jasper (unimportant) NOTE: Triggers an assert. Not suitable for code injection, hardly denial of service NOTE: Reproducer: https://github.com/asarubbo/poc/blob/master/00019-jasper-leftshift-jpc_dec_c NOTE: http://blogs.gentoo.org/ago/2017/01/16/jasper-multiple-crashes-with-ubsan/ NOTE: https://github.com/mdadams/jasper/issues/64 CVE-2017-5499 (Integer overflow in libjasper/jpc/jpc_dec.c in JasPer 1.900.17 allows ...) - jasper (unimportant) NOTE: Reproducer: https://github.com/asarubbo/poc/blob/master/00018-jasper-signedintoverflow-jpc_dec_c NOTE: http://blogs.gentoo.org/ago/2017/01/16/jasper-multiple-crashes-with-ubsan/ NOTE: https://github.com/mdadams/jasper/issues/63 NOTE: Triggers an assert. Not suitable for code injection, hardly denial of service CVE-2017-5498 (libjasper/include/jasper/jas_math.h in JasPer 1.900.17 allows remote a ...) - jasper (unimportant) NOTE: Triggers an assert. Not suitable for code injection, hardly denial of service NOTE: Reproducer: https://github.com/asarubbo/poc/blob/master/00017-jasper-leftshift-jas_math_h NOTE: http://blogs.gentoo.org/ago/2017/01/16/jasper-multiple-crashes-with-ubsan/ NOTE: https://github.com/mdadams/jasper/issues/62 CVE-2017-5506 (Double free vulnerability in magick/profile.c in ImageMagick allows re ...) {DSA-3799-1 DLA-807-1} - imagemagick 8:6.9.7.4+dfsg-1 (bug #851383) NOTE: https://github.com/ImageMagick/ImageMagick/issues/354 NOTE: http://www.openwall.com/lists/oss-security/2017/01/16/6 NOTE: https://github.com/ImageMagick/ImageMagick/commit/6235f1f7a9f7b0f83b197f6cd0073dbb6602d0fb CVE-2017-5507 (Memory leak in coders/mpc.c in ImageMagick before 6.9.7-4 and 7.x befo ...) {DSA-3799-1 DLA-807-1} - imagemagick 8:6.9.7.4+dfsg-1 (bug #851382) NOTE: https://github.com/ImageMagick/ImageMagick/commit/4493d9ca1124564da17f9b628ef9d0f1a6be9738 NOTE: http://www.openwall.com/lists/oss-security/2017/01/16/6 CVE-2017-5508 (Heap-based buffer overflow in the PushQuantumPixel function in ImageMa ...) {DSA-3799-1 DLA-807-1} - imagemagick 8:6.9.7.4+dfsg-1 (bug #851381) NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31161 NOTE: http://www.openwall.com/lists/oss-security/2017/01/16/6 NOTE: https://github.com/ImageMagick/ImageMagick/commit/379e21cd32483df6e128147af3bc4ce1f82eb9c4 CVE-2016-10146 (Multiple memory leaks in the caption and label handling code in ImageM ...) {DSA-3799-1 DLA-807-1} - imagemagick 8:6.9.7.0+dfsg-2 (bug #851380) NOTE: https://github.com/ImageMagick/ImageMagick/commit/aeff00de228bc5a158c2a975ab47845d8a1db456 NOTE: http://www.openwall.com/lists/oss-security/2017/01/16/6 CVE-2016-10140 (Information disclosure and authentication bypass vulnerability exists ...) {DLA-806-1} - zoneminder 1.30.4+dfsg-1 (bug #851710) NOTE: https://github.com/ZoneMinder/ZoneMinder/pull/1697 NOTE: https://github.com/ZoneMinder/ZoneMinder/commit/6361f143878ce00659f64ce42593951d773e4e63 NOTE: https://github.com/ZoneMinder/ZoneMinder/commit/aa0a4d1f5ad2c493f2bed175991e92c466ac3dc4 CVE-2017-5509 (coders/psd.c in ImageMagick allows remote attackers to have unspecifie ...) - imagemagick 8:6.9.7.4+dfsg-1 (bug #851377) [jessie] - imagemagick (Vulnerable code not present) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/350 NOTE: http://www.openwall.com/lists/oss-security/2017/01/16/6 CVE-2017-5510 (coders/psd.c in ImageMagick allows remote attackers to have unspecifie ...) {DSA-3799-1 DLA-807-1} - imagemagick 8:6.9.7.4+dfsg-1 (bug #851376) NOTE: https://github.com/ImageMagick/ImageMagick/issues/348 NOTE: http://www.openwall.com/lists/oss-security/2017/01/16/6 NOTE: https://github.com/ImageMagick/ImageMagick/commit/e87af64b1ff1635a32d9b6162f1b0e260fb54ed9 CVE-2017-5511 (coders/psd.c in ImageMagick allows remote attackers to have unspecifie ...) {DSA-3799-1 DLA-807-1} - imagemagick 8:6.9.7.4+dfsg-1 (bug #851374) NOTE: https://github.com/ImageMagick/ImageMagick/issues/347 NOTE: http://www.openwall.com/lists/oss-security/2017/01/16/6 NOTE: https://github.com/ImageMagick/ImageMagick/commit/7d65a814ac76bd04760072c33e452371692ee790 CVE-2016-10144 (coders/ipl.c in ImageMagick allows remote attackers to have unspecific ...) {DSA-3799-1 DLA-807-1} - imagemagick 8:6.9.7.4+dfsg-1 (bug #851485) NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/97566cf2806c0a5a86e884c96831a0c3b1ec6c20 NOTE: http://www.openwall.com/lists/oss-security/2017/01/16/6 CVE-2016-10145 (Off-by-one error in coders/wpg.c in ImageMagick allows remote attacker ...) {DSA-3799-1 DLA-807-1} - imagemagick 8:6.9.7.4+dfsg-1 (bug #851483) NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/d23beebe7b1179fb75db1e85fbca3100e49593d9 NOTE: http://www.openwall.com/lists/oss-security/2017/01/16/6 CVE-2017-5487 (wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in t ...) - wordpress 4.7.1+dfsg-1 (bug #851310) [jessie] - wordpress (vulnerable code not present) [wheezy] - wordpress (vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2017/01/14/1 NOTE: https://wpvulndb.com/vulnerabilities/8715 NOTE: https://github.com/WordPress/WordPress/commit/daf358983cc1ce0c77bf6d2de2ebbb43df2add60 CVE-2017-5488 (Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/update ...) {DSA-3779-1 DLA-813-1} - wordpress 4.7.1+dfsg-1 (bug #851310) NOTE: http://www.openwall.com/lists/oss-security/2017/01/14/1 NOTE: https://wpvulndb.com/vulnerabilities/8716 NOTE: https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php CVE-2017-5489 (Cross-site request forgery (CSRF) vulnerability in WordPress before 4. ...) {DSA-3779-1 DLA-813-1} - wordpress 4.7.1+dfsg-1 (bug #851310) NOTE: http://www.openwall.com/lists/oss-security/2017/01/14/1 NOTE: https://wpvulndb.com/vulnerabilities/8717 CVE-2017-5490 (Cross-site scripting (XSS) vulnerability in the theme-name fallback fu ...) {DSA-3779-1 DLA-813-1} - wordpress 4.7.1+dfsg-1 (bug #851310) NOTE: http://www.openwall.com/lists/oss-security/2017/01/14/1 NOTE: https://wpvulndb.com/vulnerabilities/8718 NOTE: https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359 CVE-2017-5491 (wp-mail.php in WordPress before 4.7.1 might allow remote attackers to ...) {DSA-3779-1 DLA-813-1} - wordpress 4.7.1+dfsg-1 (bug #851310) NOTE: http://www.openwall.com/lists/oss-security/2017/01/14/1 NOTE: https://wpvulndb.com/vulnerabilities/8719 NOTE: https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a CVE-2017-5492 (Cross-site request forgery (CSRF) vulnerability in the widget-editing ...) {DSA-3779-1 DLA-813-1} - wordpress 4.7.1+dfsg-1 (bug #851310) NOTE: http://www.openwall.com/lists/oss-security/2017/01/14/1 NOTE: https://wpvulndb.com/vulnerabilities/8720 NOTE: https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733 CVE-2017-5493 (wp-includes/ms-functions.php in the Multisite WordPress API in WordPre ...) {DSA-3779-1 DLA-813-1} - wordpress 4.7.1+dfsg-1 (bug #851310) NOTE: http://www.openwall.com/lists/oss-security/2017/01/14/1 NOTE: https://wpvulndb.com/vulnerabilities/8721 NOTE: https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4 CVE-2017-5356 (Irssi before 0.8.21 allows remote attackers to cause a denial of servi ...) {DLA-1217-1} - irssi 0.8.21-1 (low) [jessie] - irssi 0.8.17-1+deb8u3 NOTE: https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d NOTE: https://blog.fuzzing-project.org/55-Fuzzing-Irssi-with-Perl-Scripts.html NOTE: https://irssi.org/security/irssi_sa_2017_01.txt CVE-2017-5355 RESERVED CVE-2017-5354 RESERVED CVE-2017-5353 RESERVED CVE-2017-5352 RESERVED CVE-2017-5351 (Samsung Note devices with KK(4.4), L(5.0/5.1), and M(6.0) software all ...) NOT-FOR-US: Samsung CVE-2017-5350 (Samsung Note devices with L(5.0/5.1), M(6.0), and N(7.0) software allo ...) NOT-FOR-US: Samsung CVE-2017-5349 RESERVED CVE-2017-5348 RESERVED CVE-2017-5347 (SQL injection vulnerability in inc/mod/newsletter/options.php in GeniX ...) NOT-FOR-US: GeniXMS CVE-2017-5346 (SQL injection vulnerability in inc/lib/Control/Backend/posts.control.p ...) NOT-FOR-US: GeniXMS CVE-2017-5345 (SQL injection vulnerability in inc/lib/Control/Ajax/tags-ajax.control. ...) NOT-FOR-US: GeniXMS CVE-2017-5344 (An issue was discovered in dotCMS through 3.6.1. The findChildrenByFil ...) NOT-FOR-US: dotCMS CVE-2017-5343 RESERVED CVE-2017-5342 (In tcpdump before 4.9.0, a bug in multiple protocol parsers (Geneve, G ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2017-5341 (The OTV parser in tcpdump before 4.9.0 has a buffer overflow in print- ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-10141 (An integer overflow vulnerability was observed in the regemit function ...) NOT-FOR-US: MuJS CVE-2016-10133 (Heap-based buffer overflow in the js_stackoverflow function in jsrun.c ...) NOT-FOR-US: MuJS CVE-2016-10132 (regexp.c in Artifex Software, Inc. MuJS allows attackers to cause a de ...) NOT-FOR-US: MuJS CVE-2016-10131 (system/libraries/Email.php in CodeIgniter before 3.1.3 allows remote a ...) - codeigniter (bug #471583) CVE-2017-5357 (regex.c in GNU ed before 1.14.1 allows attackers to cause a denial of ...) - ed (Vulnerable code not present, cf #851159) NOTE: http://www.openwall.com/lists/oss-security/2017/01/12/5 NOTE: The issue is only present from 1.14 onwards, and prior to 1.14.1 since upstream NOTE: changed a malloc'ed buffer for a static one. NOTE: https://lists.gnu.org/archive/html/bug-ed/2017-01/msg00001.html CVE-2017-5329 (Palo Alto Networks Terminal Services Agent before 7.0.7 allows local u ...) NOT-FOR-US: Palo Alto Networks Terminal Services Agent CVE-2017-5328 (Palo Alto Networks Terminal Services Agent before 7.0.7 allows attacke ...) NOT-FOR-US: Palo Alto Networks Terminal Services Agent CVE-2017-5327 RESERVED CVE-2017-5326 RESERVED CVE-2017-5325 RESERVED CVE-2017-5324 RESERVED CVE-2017-5323 RESERVED CVE-2017-5322 RESERVED CVE-2017-5321 RESERVED CVE-2017-5320 RESERVED CVE-2017-5319 RESERVED CVE-2017-5318 RESERVED CVE-2017-5317 RESERVED CVE-2017-5316 RESERVED CVE-2017-5315 RESERVED CVE-2017-5314 RESERVED CVE-2017-5313 RESERVED CVE-2017-5312 RESERVED CVE-2017-5311 RESERVED CVE-2017-5310 RESERVED CVE-2017-5309 RESERVED CVE-2017-5308 RESERVED CVE-2017-5307 RESERVED CVE-2017-5306 RESERVED CVE-2017-5305 RESERVED CVE-2017-5304 RESERVED CVE-2017-5303 RESERVED CVE-2017-5302 RESERVED CVE-2017-5301 RESERVED CVE-2017-5300 RESERVED CVE-2017-5299 RESERVED CVE-2017-5298 RESERVED CVE-2017-5297 RESERVED CVE-2017-5296 RESERVED CVE-2017-5295 RESERVED CVE-2017-5294 RESERVED CVE-2017-5293 RESERVED CVE-2017-5292 RESERVED CVE-2017-5291 RESERVED CVE-2017-5290 RESERVED CVE-2017-5289 RESERVED CVE-2017-5288 RESERVED CVE-2017-5287 RESERVED CVE-2017-5286 RESERVED CVE-2017-5285 RESERVED CVE-2017-5284 RESERVED CVE-2017-5283 RESERVED CVE-2017-5282 RESERVED CVE-2017-5281 RESERVED CVE-2017-5280 RESERVED CVE-2017-5279 RESERVED CVE-2017-5278 RESERVED CVE-2017-5277 RESERVED CVE-2017-5276 RESERVED CVE-2017-5275 RESERVED CVE-2017-5274 RESERVED CVE-2017-5273 RESERVED CVE-2017-5272 RESERVED CVE-2017-5271 RESERVED CVE-2017-5270 RESERVED CVE-2017-5269 RESERVED CVE-2017-5268 RESERVED CVE-2017-5267 RESERVED CVE-2017-5266 RESERVED CVE-2017-5265 RESERVED CVE-2017-5264 (Versions of Nexpose prior to 6.4.66 fail to adequately validate the so ...) NOT-FOR-US: Nexpose CVE-2017-5263 (Versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware lack ...) NOT-FOR-US: Cambium Networks cnPilot firmware CVE-2017-5262 (In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, t ...) NOT-FOR-US: Cambium Networks cnPilot firmware CVE-2017-5261 (In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, t ...) NOT-FOR-US: Cambium Networks cnPilot firmware CVE-2017-5260 (In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, a ...) NOT-FOR-US: Cambium Networks cnPilot firmware CVE-2017-5259 (In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, a ...) NOT-FOR-US: Cambium Networks cnPilot firmware CVE-2017-5258 (In version 3.5 and prior of Cambium Networks ePMP firmware, an attacke ...) NOT-FOR-US: Cambium Networks ePMP firmware CVE-2017-5257 (In version 3.5 and prior of Cambium Networks ePMP firmware, an attacke ...) NOT-FOR-US: Cambium Networks ePMP firmware CVE-2017-5256 (In version 3.5 and prior of Cambium Networks ePMP firmware, all authen ...) NOT-FOR-US: Cambium Networks ePMP firmware CVE-2017-5255 (In version 3.5 and prior of Cambium Networks ePMP firmware, a lack of ...) NOT-FOR-US: Cambium Networks ePMP firmware CVE-2017-5254 (In version 3.5 and prior of Cambium Networks ePMP firmware, the non-ad ...) NOT-FOR-US: Cambium Networks ePMP firmware CVE-2017-5253 RESERVED CVE-2017-5252 RESERVED CVE-2017-5251 (In version 1012 and prior of Insteon's Insteon Hub, the radio transmis ...) NOT-FOR-US: Insteon CVE-2017-5250 (In version 1.9.7 and prior of Insteon's Insteon for Hub Android app, t ...) NOT-FOR-US: Insteon CVE-2017-5249 (In version 6.1.0.19 and prior of Wink Labs's Wink - Smart Home Android ...) NOT-FOR-US: Wink CVE-2017-5248 RESERVED CVE-2017-5247 (Biscom Secure File Transfer is vulnerable to cross-site scripting in t ...) NOT-FOR-US: Biscom Secure File Transfer CVE-2017-5246 (Biscom Secure File Transfer is vulnerable to AngularJS expression inje ...) NOT-FOR-US: Biscom Secure File Transfer CVE-2017-5245 REJECTED CVE-2017-5244 (Routes used to stop running Metasploit tasks (either particular ones o ...) NOT-FOR-US: Metasploit CVE-2017-5243 (The default SSH configuration in Rapid7 Nexpose hardware appliances sh ...) NOT-FOR-US: Rapid7 Nexpose hardware appliances CVE-2017-5242 RESERVED CVE-2017-5241 (Biscom Secure File Transfer versions 5.0.0.0 trough 5.1.1024 are vulne ...) NOT-FOR-US: Biscom Secure File Transfer CVE-2017-5240 (Editions of Rapid7 AppSpider Pro prior to version 6.14.060 contain a h ...) NOT-FOR-US: Rapid7 AppSpider Pro CVE-2017-5239 (Due to a lack of standard encryption when transmitting sensitive infor ...) NOT-FOR-US: Eview GPS trackers CVE-2017-5238 (Due to a lack of bounds checking, several input configuration fields f ...) NOT-FOR-US: Eview GPS trackers CVE-2017-5237 (Due to a lack of authentication, an unauthenticated user who knows the ...) NOT-FOR-US: Eview GPS trackers CVE-2017-5236 (Editions of Rapid7 AppSpider Pro installers prior to version 6.14.060 ...) NOT-FOR-US: Rapid7 AppSpider Pro CVE-2017-5235 (Rapid7 Metasploit Pro installers prior to version 4.13.0-2017022101 co ...) NOT-FOR-US: Rapid7 CVE-2017-5234 (Rapid7 Insight Collector installers prior to version 1.0.16 contain a ...) NOT-FOR-US: Rapid7 CVE-2017-5233 (Rapid7 AppSpider Pro installers prior to version 6.14.053 contain a DL ...) NOT-FOR-US: Rapid7 CVE-2017-5232 (All editions of Rapid7 Nexpose installers prior to version 6.4.24 cont ...) NOT-FOR-US: Rapid7 CVE-2017-5231 (All editions of Rapid7 Metasploit prior to version 4.13.0-2017020701 c ...) NOT-FOR-US: Rapid7 CVE-2017-5230 (The Java keystore in all versions and editions of Rapid7 Nexpose prior ...) NOT-FOR-US: Rapid7 CVE-2017-5229 (All editions of Rapid7 Metasploit prior to version 4.13.0-2017020701 c ...) NOT-FOR-US: Rapid7 CVE-2017-5228 (All editions of Rapid7 Metasploit prior to version 4.13.0-2017020701 c ...) NOT-FOR-US: Rapid7 CVE-2017-5227 (QNAP QTS before 4.2.4 Build 20170313 allows local users to obtain sens ...) NOT-FOR-US: QNAP CVE-2017-5225 (LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the t ...) {DSA-3844-1 DLA-795-1} - tiff 4.0.7-5 (bug #851297) NOTE: Fixed by: https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2656 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2657 CVE-2017-5224 RESERVED CVE-2017-5223 (An issue was discovered in PHPMailer before 5.2.22. PHPMailer's msgHTM ...) {DLA-1591-1 DLA-817-1} - libphp-phpmailer 5.2.14+dfsg-2.3 (bug #853232) NOTE: Fixed by: https://github.com/PHPMailer/PHPMailer/commit/ad4cb09682682da2217799a0c521d4cdc6753402 (v5.2.22) NOTE: http://kalilinux.co/2017/01/12/phpmailer-cve-2017-5223-local-information-disclosure-vulnerability-analysis/ CVE-2017-5222 RESERVED CVE-2017-5221 RESERVED CVE-2017-5220 RESERVED CVE-2017-5219 (An issue was discovered in SageCRM 7.x before 7.3 SP3. The Component M ...) NOT-FOR-US: SageCRM CVE-2017-5218 (A SQL Injection issue was discovered in SageCRM 7.x before 7.3 SP3. Th ...) NOT-FOR-US: SageCRM CVE-2017-5217 (Installing a zero-permission Android application on certain Samsung An ...) NOT-FOR-US: Samsung CVE-2017-5216 (Stack-based buffer overflow vulnerability in Netop Remote Control vers ...) NOT-FOR-US: Netop Remote Control CVE-2017-5215 (The Codextrous B2J Contact (aka b2j_contact) extension before 2.1.13 f ...) NOT-FOR-US: Joomla extension CVE-2017-5214 (The Codextrous B2J Contact (aka b2j_contact) extension before 2.1.13 f ...) NOT-FOR-US: Joomla extension CVE-2017-5213 (Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Cross ...) NOT-FOR-US: Open-Xchange GmbH OX App Suite CVE-2017-5212 (Open-Xchange GmbH OX App Suite 7.8.3 is affected by: Incorrect Access ...) NOT-FOR-US: Open-Xchange GmbH OX App Suite CVE-2017-5211 (Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Conte ...) NOT-FOR-US: Open-Xchange GmbH OX App Suite CVE-2017-5210 (Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Infor ...) NOT-FOR-US: Open-Xchange GmbH OX App Suite CVE-2017-5209 (The base64decode function in base64.c in libimobiledevice libplist thr ...) {DLA-2168-1 DLA-811-1} - libplist 1.12+git+1+e37ca00-0.1 (low; bug #851196) NOTE: Upstream bug: https://github.com/libimobiledevice/libplist/issues/84 NOTE: https://github.com/libimobiledevice/libplist/commit/3a55ddd3c4c11ce75a86afbefd085d8d397ff957 CVE-2017-5205 (The ISAKMP parser in tcpdump before 4.9.0 has a buffer overflow in pri ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2017-5204 (The IPv6 parser in tcpdump before 4.9.0 has a buffer overflow in print ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2017-5203 (The BOOTP parser in tcpdump before 4.9.0 has a buffer overflow in prin ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2017-5202 (The ISO CLNS parser in tcpdump before 4.9.0 has a buffer overflow in p ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2017-5201 (NetApp Clustered Data ONTAP before 8.3.2P8 and 9.0 before P2 allow rem ...) NOT-FOR-US: NetApp CVE-2017-5200 (Salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, ...) - salt 2016.11.2+ds-1 [jessie] - salt (Vulnerable code not present) NOTE: https://github.com/saltstack/salt/compare/c0e5a1171d7ce2ba8747a971c024632e0d96d848~1...97b0f64923bc5382531b931625267a3c30d2f17e CVE-2017-5339 REJECTED CVE-2017-5338 REJECTED CVE-2016-10130 (The http_connect function in transports/http.c in libgit2 before 0.24. ...) - libgit2 0.25.1+really0.24.6-1 (bug #851406) [jessie] - libgit2 (Vulnerable code not present) [experimental] - cargo 0.17.0-1~exp1 - cargo 0.17.0-1 (bug #860990) NOTE: https://github.com/libgit2/libgit2/commit/9a64e62f0f20c9cf9b2e1609f037060eb2d8eb22 (v0.25.1) NOTE: https://github.com/libgit2/libgit2/commit/b5c6a1b407b7f8b952bded2789593b68b1876211 (v0.24.6) CVE-2016-10129 (The Git Smart Protocol support in libgit2 before 0.24.6 and 0.25.x bef ...) - libgit2 0.25.1+really0.24.6-1 (bug #851406) [jessie] - libgit2 (Minor issue) [experimental] - cargo 0.17.0-1~exp1 - cargo 0.17.0-1 (bug #860990) NOTE: https://github.com/libgit2/libgit2/commit/2fdef641fd0dd2828bd948234ae86de75221a11a (v0.25.1) NOTE: https://github.com/libgit2/libgit2/commit/84d30d569ada986f3eef527cbdb932643c2dd037 (v0.24.6) CVE-2016-10128 (Buffer overflow in the git_pkt_parse_line function in transports/smart ...) - libgit2 0.25.1+really0.24.6-1 (bug #851406) [jessie] - libgit2 (Minor issue) [experimental] - cargo 0.17.0-1~exp1 - cargo 0.17.0-1 (bug #860990) NOTE: https://github.com/libgit2/libgit2/commit/66e3774d279672ee51c3b54545a79d20d1ada834 (v0.25.1) NOTE: https://github.com/libgit2/libgit2/commit/4ac39c76c0153d1ee6889a0984c39e97731684b2 (v0.24.6) CVE-2016-10126 (Splunk Web in Splunk Enterprise 5.0.x before 5.0.17, 6.0.x before 6.0. ...) NOT-FOR-US: Splunk CVE-2016-10125 (D-Link DGS-1100 devices with Rev.B firmware 1.01.018 have a hardcoded ...) NOT-FOR-US: D-Link CVE-2016-10127 (PySAML2 allows remote attackers to conduct XML external entity (XXE) a ...) - python-pysaml2 (low; bug #859135) [buster] - python-pysaml2 (Minor issue) [stretch] - python-pysaml2 (Minor issue) [jessie] - python-pysaml2 (Minor issue) NOTE: https://github.com/rohe/pysaml2/issues/366 NOTE: A proper fix for this issue would be to fix the underlying issue in src:libxml2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1411794#c12 NOTE: http://www.openwall.com/lists/oss-security/2017/01/19/5 (for the scope of the CVE) CVE-2016-10149 (XML External Entity (XXE) vulnerability in PySAML2 4.4.0 and earlier a ...) {DSA-3759-1} - python-pysaml2 3.0.0-5 (bug #850716) NOTE: https://github.com/rohe/pysaml2/pull/379 NOTE: https://github.com/rohe/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9b CVE-2017-XXXX [multiple new security issues] - w3m 0.5.3-34 (bug #850432) [jessie] - w3m 0.5.3-19+deb8u2 [wheezy] - w3m (Minor issues) CVE-2016-10134 (SQL injection vulnerability in Zabbix before 2.2.14 and 3.0 before 3.0 ...) {DSA-3802-1} - zabbix 1:3.0.4+dfsg-1 (bug #850936) NOTE: https://support.zabbix.com/browse/ZBX-11023 NOTE: http://www.openwall.com/lists/oss-security/2017/01/12/4 CVE-2017-5337 (Multiple heap-based buffer overflows in the read_attribute function in ...) - gnutls28 3.5.8-1 [jessie] - gnutls28 3.3.8-6+deb8u5 - gnutls26 [wheezy] - gnutls26 (Minor issue) NOTE: OpenPGP-related issue NOTE: https://gnutls.org/security.html#GNUTLS-SA-2017-2 NOTE: https://gitlab.com/gnutls/gnutls/commit/94fcf1645ea17223237aaf8d19132e004afddc1a CVE-2017-5336 (Stack-based buffer overflow in the cdk_pk_get_keyid function in lib/op ...) - gnutls28 3.5.8-1 [jessie] - gnutls28 3.3.8-6+deb8u5 - gnutls26 [wheezy] - gnutls26 (Minor issue) NOTE: OpenPGP-related issue NOTE: https://gnutls.org/security.html#GNUTLS-SA-2017-2 NOTE: https://gitlab.com/gnutls/gnutls/commit/5140422e0d7319a8e2fe07f02cbcafc4d6538732 CVE-2017-5335 (The stream reading functions in lib/opencdk/read-packet.c in GnuTLS be ...) - gnutls28 3.5.8-1 [jessie] - gnutls28 3.3.8-6+deb8u5 - gnutls26 [wheezy] - gnutls26 (Minor issue) NOTE: OpenPGP-related issue NOTE: https://gnutls.org/security.html#GNUTLS-SA-2017-2 NOTE: https://gitlab.com/gnutls/gnutls/commit/49be4f7b82eba2363bb8d4090950dad976a77a3a CVE-2017-5334 (Double free vulnerability in the gnutls_x509_ext_import_proxy function ...) - gnutls28 3.5.8-1 [jessie] - gnutls28 3.3.8-6+deb8u5 NOTE: https://gnutls.org/security.html#GNUTLS-SA-2017-1 NOTE: https://gitlab.com/gnutls/gnutls/commit/c5aaa488a3d6df712dc8dff23a049133cab5ec1b CVE-2017-5330 (ark before 16.12.1 might allow remote attackers to execute arbitrary c ...) - ark 4:16.08.3-2 (bug #850874) [jessie] - ark (Vulnerable code introduced later) [wheezy] - ark (Vulnerable code introduced later) NOTE: Fixed by: https://cgit.kde.org/ark.git/commit/?id=82fdfd24d46966a117fa625b68784735a40f9065 NOTE: "Open File" action introduced in https://cgit.kde.org/ark.git/commit/?id=f1cf10f25af245823f81b8ff457a04c7593dede7 (v15.11.80) CVE-2017-5226 (When executing a program via the bubblewrap sandbox, the nonpriv sessi ...) - bubblewrap 0.1.5-2 (bug #850702) NOTE: https://github.com/projectatomic/bubblewrap/issues/142 CVE-2017-5207 (Firejail before 0.9.44.4, when running a bandwidth command, allows loc ...) - firejail 0.9.44.4-1 (bug #850528) NOTE: https://github.com/netblue30/firejail/issues/1023 NOTE: Fixed by: https://github.com/netblue30/firejail/commit/5d43fdcd215203868d440ffc42036f5f5ffc89fc NOTE: http://www.openwall.com/lists/oss-security/2017/01/07/3 CVE-2017-5206 (Firejail before 0.9.44.4, when running on a Linux kernel before 4.8, a ...) - firejail 0.9.44.4-1 (bug #850558) NOTE: Fixed by: https://github.com/netblue30/firejail/commit/6b8dba29d73257311564ee7f27b9b14758cc693e CVE-2017-5199 (The editbanner feature in SolarWinds LEM (aka SIEM) through 6.3.1 allo ...) NOT-FOR-US: SolarWinds LEM CVE-2017-5198 (SolarWinds LEM (aka SIEM) before 6.3.1 has an incorrect sudo configura ...) NOT-FOR-US: SolarWinds LEM CVE-2017-5197 (There is XSS in SilverStripe CMS before 3.4.4 and 3.5.x before 3.5.2. ...) NOT-FOR-US: SilverStripe CVE-2017-5192 (When using the local_batch client from salt-api in SaltStack Salt befo ...) - salt 2016.11.2+ds-1 [jessie] - salt (Vulnerable code not present) CVE-2017-5191 (An XSS vulnerability on the /NAGErrors URI in NetIQ Access Manager 4.2 ...) NOT-FOR-US: NetIQ Access Manager CVE-2017-5190 (NetIQ Access Manager 4.2 before SP3 HF1 and 4.3 before SP1 HF1, when c ...) NOT-FOR-US: NetIQ Access Manager CVE-2017-5189 (NetIQ iManager before 3.0.3 delivered a SSL private key in a Java appl ...) NOT-FOR-US: NetIQ iManager CVE-2017-5188 (The bs_worker code in open build service before 20170320 followed rela ...) - open-build-service 2.7.4-3 (low; bug #900133) [stretch] - open-build-service (Minor issue) NOTE: Fixed by: https://github.com/openSUSE/open-build-service/commit/00ec3c6f4132422f00d5c15e854755c331ef1661 (2.7.x) NOTE: https://github.com/openSUSE/open-build-service/commit/8595d06570ded81d8514c8c5a147b250541bf388 (2.9.x) NOTE: A followup https://bugzilla.suse.com/show_bug.cgi?id=1029824 shows NOTE: it might be wise to disallow as well other types (devices, sockets, NOTE: directories, symlinks, ...) and needs: NOTE: https://github.com/openSUSE/open-build-service/commit/ba27c91351878bc297ec4baba0bd488a2f3b568d CVE-2017-5187 (A Cross-Site Request Forgery (CWE-352) vulnerability in Directory Serv ...) NOT-FOR-US: Micro Focus CVE-2017-5186 (Novell iManager 2.7 before SP7 Patch 9, NetIQ iManager 3.x before 3.0. ...) NOT-FOR-US: Novell iManager CVE-2017-5185 (A vulnerability was discovered in NetIQ Sentinel Server 8.0 before 8.0 ...) NOT-FOR-US: NetIQ Sentinel CVE-2017-5184 (A vulnerability was discovered in NetIQ Sentinel Server 8.0 before 8.0 ...) NOT-FOR-US: NetIQ Sentinel CVE-2017-5183 (NetIQ Access Manager 4.2.2 and 4.3.x before 4.3.1+, when configured as ...) NOT-FOR-US: NetIQ Access Manager CVE-2017-5182 (Remote Manager in Open Enterprise Server (OES) allows unauthenticated ...) NOT-FOR-US: Open Enterprise Server CVE-2017-5181 REJECTED CVE-2017-5196 (Irssi 0.8.18 before 0.8.21 allows remote attackers to cause a denial o ...) - irssi 0.8.21-1 (bug #850403) [jessie] - irssi (Affects only 0.8.18 and later) [wheezy] - irssi (Affects only 0.8.18 and later) NOTE: http://www.openwall.com/lists/oss-security/2017/01/05/2 NOTE: https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d NOTE: https://irssi.org/security/irssi_sa_2017_01.txt CVE-2017-5195 (Irssi 0.8.17 before 0.8.21 allows remote attackers to cause a denial o ...) - irssi 0.8.21-1 (bug #850403) [jessie] - irssi 0.8.17-1+deb8u3 [wheezy] - irssi (Affects only 0.8.17 and later) NOTE: http://www.openwall.com/lists/oss-security/2017/01/05/2 NOTE: https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d NOTE: https://irssi.org/security/irssi_sa_2017_01.txt CVE-2017-5194 (Use-after-free vulnerability in Irssi before 0.8.21 allows remote atta ...) {DLA-1217-1} - irssi 0.8.21-1 (bug #850403) [jessie] - irssi 0.8.17-1+deb8u3 NOTE: http://www.openwall.com/lists/oss-security/2017/01/05/2 NOTE: https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d NOTE: https://irssi.org/security/irssi_sa_2017_01.txt CVE-2017-5193 (The nickcmp function in Irssi before 0.8.21 allows remote attackers to ...) {DLA-1217-1} - irssi 0.8.21-1 (bug #850403) [jessie] - irssi 0.8.17-1+deb8u3 NOTE: http://www.openwall.com/lists/oss-security/2017/01/05/2 NOTE: https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d NOTE: https://irssi.org/security/irssi_sa_2017_01.txt CVE-2017-5179 (Cross-site scripting (XSS) vulnerability in Tenable Nessus before 6.9. ...) NOT-FOR-US: Nessus CVE-2017-5178 (An issue was discovered in Schneider Electric Tableau Server/Desktop V ...) NOT-FOR-US: Schneider CVE-2017-5177 (A Stack Buffer Overflow issue was discovered in VIPA Controls WinPLC7 ...) NOT-FOR-US: VIPA Controls WinPLC7 CVE-2017-5176 (A DLL Hijack issue was discovered in Rockwell Automation Connected Com ...) NOT-FOR-US: Rockwell Automation Connected Components Workbench CVE-2017-5175 (Advantech WebAccess 8.1 and earlier contains a DLL hijacking vulnerabi ...) NOT-FOR-US: Advantech WebAccess CVE-2017-5174 (An Authentication Bypass issue was discovered in Geutebruck IP Camera ...) NOT-FOR-US: Geutebruck IP Camera G-Cam/EFD-2250 CVE-2017-5173 (An Improper Neutralization of Special Elements (in an OS command) issu ...) NOT-FOR-US: Geutebruck IP Camera G-Cam/EFD-2250 CVE-2017-5172 RESERVED CVE-2017-5171 RESERVED CVE-2017-5170 (An Uncontrolled Search Path Element issue was discovered in Moxa SoftN ...) NOT-FOR-US: Moxa CVE-2017-5169 (An issue was discovered in Hanwha Techwin Smart Security Manager Versi ...) NOT-FOR-US: Hanwha Techwin CVE-2017-5168 (An issue was discovered in Hanwha Techwin Smart Security Manager Versi ...) NOT-FOR-US: Hanwha Techwin CVE-2017-5167 (An issue was discovered in BINOM3 Universal Multifunctional Electric P ...) NOT-FOR-US: BINOM3 CVE-2017-5166 (An issue was discovered in BINOM3 Universal Multifunctional Electric P ...) NOT-FOR-US: BINOM3 CVE-2017-5165 (An issue was discovered in BINOM3 Universal Multifunctional Electric P ...) NOT-FOR-US: BINOM3 CVE-2017-5164 (An issue was discovered in BINOM3 Universal Multifunctional Electric P ...) NOT-FOR-US: BINOM3 CVE-2017-5163 (An issue was discovered in Belden Hirschmann GECKO Lite Managed switch ...) NOT-FOR-US: Belden Hirschmann CVE-2017-5162 (An issue was discovered in BINOM3 Universal Multifunctional Electric P ...) NOT-FOR-US: BINOM3 CVE-2017-5161 (An issue was discovered in Sielco Sistemi Winlog Lite SCADA Software, ...) NOT-FOR-US: Sielco Sistemi CVE-2017-5160 (An Inadequate Encryption Strength issue was discovered in Schneider El ...) NOT-FOR-US: Schneider Electric CVE-2017-5159 (An issue was discovered on Phoenix Contact mGuard devices that have be ...) NOT-FOR-US: Phoenix Contact mGuard CVE-2017-5158 (An Information Exposure issue was discovered in Schneider Electric Won ...) NOT-FOR-US: Schneider Electric CVE-2017-5157 (An issue was discovered in Schneider Electric homeLYnk Controller, LSS ...) NOT-FOR-US: Schneider CVE-2017-5156 (A Cross-Site Request Forgery issue was discovered in Schneider Electri ...) NOT-FOR-US: Schneider Electric CVE-2017-5155 (An issue was discovered in Schneider Electric Wonderware Historian 201 ...) NOT-FOR-US: Schneider CVE-2017-5154 (An issue was discovered in Advantech WebAccess Version 8.1. To be able ...) NOT-FOR-US: Advantech WebAccess CVE-2017-5153 (An issue was discovered in OSIsoft PI Coresight 2016 R2 and earlier ve ...) NOT-FOR-US: OSIsoft PI Coresight CVE-2017-5152 (An issue was discovered in Advantech WebAccess Version 8.1. By accessi ...) NOT-FOR-US: Advantech WebAccess CVE-2017-5151 (An issue was discovered in VideoInsight Web Client Version 6.3.5.11 an ...) NOT-FOR-US: VideoInsight Web Client CVE-2017-5150 RESERVED CVE-2017-5149 (An issue was discovered in St. Jude Medical Merlin@home, versions prio ...) NOT-FOR-US: St. Jude Medical Merlin@home CVE-2017-5148 RESERVED CVE-2017-5147 (An Uncontrolled Search Path Element issue was discovered in AzeoTech D ...) NOT-FOR-US: AzeoTech DAQFactory CVE-2017-5146 (An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Ve ...) NOT-FOR-US: Carlo Gavazzi CVE-2017-5145 (An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Ve ...) NOT-FOR-US: Carlo Gavazzi CVE-2017-5144 (An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Ve ...) NOT-FOR-US: Carlo Gavazzi CVE-2017-5143 (An issue was discovered in Honeywell XL Web II controller XL1000C500 X ...) NOT-FOR-US: Honeywell CVE-2017-5142 (An issue was discovered in Honeywell XL Web II controller XL1000C500 X ...) NOT-FOR-US: Honeywell CVE-2017-5141 (An issue was discovered in Honeywell XL Web II controller XL1000C500 X ...) NOT-FOR-US: Honeywell CVE-2017-5140 (An issue was discovered in Honeywell XL Web II controller XL1000C500 X ...) NOT-FOR-US: Honeywell CVE-2017-5139 (An issue was discovered in Honeywell XL Web II controller XL1000C500 X ...) NOT-FOR-US: Honeywell CVE-2017-5138 RESERVED CVE-2017-5137 (An issue was discovered on SendQuick Entera and Avera devices before 2 ...) NOT-FOR-US: SendQuick Entera and Avera devices CVE-2017-5136 (An issue was discovered on SendQuick Entera and Avera devices before 2 ...) NOT-FOR-US: SendQuick Entera and Avera devices CVE-2016-10124 (An issue was discovered in Linux Containers (LXC) before 2016-02-22. W ...) - lxc 1:2.0.0-1 [jessie] - lxc (Minor issue) [wheezy] - lxc (Minor issue) NOTE: https://github.com/lxc/lxc/commit/e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6 NOTE: https://github.com/lxc/lxc/commit/5eacdc3dbd0e45abf3cc90cf0216a7f8ee560abf (lxc-2.0.0.rc2) CVE-2016-10123 (Firejail allows --chroot when seccomp is not supported, which might al ...) - firejail 0.9.38-1 NOTE: http://www.openwall.com/lists/oss-security/2017/01/05/4 NOTE: https://github.com/netblue30/firejail/commit/a23ac1bf390fa4c3db4ea31e6ee6100a9c511d59 (0.9.38-rc1) CVE-2016-10122 (Firejail does not properly clean environment variables, which allows l ...) - firejail 0.9.44.2-1 NOTE: http://www.openwall.com/lists/oss-security/2017/01/05/4 NOTE: https://github.com/netblue30/firejail/commit/3b81e1f2c331644ced87d26a943b22eed6242b8f NOTE: https://github.com/netblue30/firejail/commit/72bc0e145c67da24e555d868086953148c52b5fc NOTE: In 0.9.44-bugfixes: https://github.com/netblue30/firejail/commit/e847207df28e181a8f590ade825b5f06d4fadf17 (0.9.44.2) NOTE: In 0.9.44-bugfixes: https://github.com/netblue30/firejail/commit/18f6e9dc9b304f7aca291c3edce5122562b1e36c (0.9.44.2) CVE-2016-10121 (Firejail uses weak permissions for /dev/shm/firejail and possibly othe ...) - firejail 0.9.38-1 NOTE: http://www.openwall.com/lists/oss-security/2017/01/05/4 NOTE: https://github.com/netblue30/firejail/commit/1cab02f5ae3c90c01fae4d1c16381820b757a3a6 (0.9.38) CVE-2016-10120 (Firejail uses 0777 permissions when mounting (1) /dev, (2) /dev/shm, ( ...) - firejail 0.9.38-1 NOTE: http://www.openwall.com/lists/oss-security/2017/01/05/4 NOTE: https://github.com/netblue30/firejail/commit/cd0ecfc7a7b30abde20db6dea505cd8c58e7c046 (0.9.38-rc1) CVE-2016-10119 (Firejail uses 0777 permissions when mounting /tmp, which allows local ...) - firejail 0.9.38-1 NOTE: http://www.openwall.com/lists/oss-security/2017/01/05/4 NOTE: https://github.com/netblue30/firejail/commit/aa28ac9e09557b833f194f594e2940919d940d1f (0.9.38) CVE-2016-10118 (Firejail allows local users to truncate /etc/resolv.conf via a chroot ...) - firejail 0.9.44.2-1 (low) NOTE: http://www.openwall.com/lists/oss-security/2017/01/05/4 NOTE: https://github.com/netblue30/firejail/commit/6144229605177764b7f3f3450c1a47f56595dc9e NOTE: In 0.9.44-bugfixes: https://github.com/netblue30/firejail/commit/8b5b444c766b8d0592346decc6ed4a6d345e4f67 (0.9.44.2) CVE-2016-10117 (Firejail does not restrict access to --tmpfs, which allows local users ...) - firejail 0.9.38-1 NOTE: http://www.openwall.com/lists/oss-security/2017/01/05/4 NOTE: https://github.com/netblue30/firejail/commit/678cd1495457318dad39178bb646ba1b96332ddb (0.9.38-rc1) CVE-2016-10116 (NETGEAR Arlo base stations with firmware 1.7.5_6178 and earlier, Arlo ...) NOT-FOR-US: NETGEAR CVE-2016-10115 (NETGEAR Arlo base stations with firmware 1.7.5_6178 and earlier, Arlo ...) NOT-FOR-US: NETGEAR CVE-2016-10114 (SQL injection vulnerability in the "aWeb Cart Watching System for Virt ...) NOT-FOR-US: Joomla extension CVE-2016-10113 RESERVED CVE-2016-10112 (Cross-site scripting (XSS) vulnerability in the WooCommerce plugin bef ...) NOT-FOR-US: WordPress plugin woocommerce CVE-2016-10111 RESERVED CVE-2016-10110 RESERVED CVE-2017-5180 (Firejail before 0.9.44.4 and 0.9.38.x LTS before 0.9.38.8 LTS does not ...) - firejail 0.9.44.2-3 (bug #850160) NOTE: http://www.openwall.com/lists/oss-security/2017/01/04/1 NOTE: https://github.com/netblue30/firejail/issues/1020 CVE-2017-5135 (Certain Technicolor devices have an SNMP access-control bypass, possib ...) NOT-FOR-US: Technicolor CVE-2017-5134 RESERVED CVE-2017-5133 (Off-by-one read/write on the heap in Blink in Google Chrome prior to 6 ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5132 (Inappropriate implementation in V8 in Google Chrome prior to 62.0.3202 ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5131 (An integer overflow in Skia in Google Chrome prior to 62.0.3202.62 all ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5130 (An integer overflow in xmlmemory.c in libxml2 before 2.9.5, as used in ...) {DLA-1188-1} - libxml2 2.9.4+dfsg1-5.1 (bug #880000) [stretch] - libxml2 (Minor issue) [jessie] - libxml2 (Minor issue) - chromium-browser 62.0.3202.75-1 (unimportant) NOTE: chromium-browser uses system libxml2. NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=722079 (not public) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=783026 (not public) NOTE: xmlMemoryStrdup is only for debugging with excpetion in xmlint when invoked NOTE: with --maxmem. Similar issue for xmlMallocLoc and xmlReallocLoc. NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=897dffbae322b46b83f99a607d527058a72c51ed NOTE: Needs follow up: https://git.gnome.org/browse/libxml2/commit/?id=ed48d65b4d6c5cec7be035ad5eebeba873b4b955 CVE-2017-5129 (A use after free in WebAudio in Blink in Google Chrome prior to 62.0.3 ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5128 (Heap buffer overflow in Blink in Google Chrome prior to 62.0.3202.62 a ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5127 (Use after free in PDFium in Google Chrome prior to 62.0.3202.62 allowe ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5126 (A use after free in PDFium in Google Chrome prior to 62.0.3202.62 allo ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5125 (Heap buffer overflow in Skia in Google Chrome prior to 62.0.3202.62 al ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5124 (Incorrect application of sandboxing in Blink in Google Chrome prior to ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5123 [waitid() not calling access_ok()] RESERVED - linux 4.13.4-2 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/96ca579a1ecc943b75beba58bebb0356f6cc4b51 CVE-2017-5122 (Inappropriate use of table size handling in V8 in Google Chrome prior ...) {DSA-3985-1} - chromium-browser 61.0.3163.100-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-5121 (Inappropriate use of JIT optimisation in V8 in Google Chrome prior to ...) {DSA-3985-1} - chromium-browser 61.0.3163.100-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-5120 (Inappropriate use of www mismatch redirects in browser navigation in G ...) {DSA-3985-1} - chromium-browser 61.0.3163.100-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5119 (Use of an uninitialized value in Skia in Google Chrome prior to 61.0.3 ...) {DSA-3985-1} - chromium-browser 61.0.3163.100-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5118 (Blink in Google Chrome prior to 61.0.3163.79 for Mac, Windows, and Lin ...) {DSA-3985-1} - chromium-browser 61.0.3163.100-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5117 (Use of an uninitialized value in Skia in Google Chrome prior to 61.0.3 ...) {DSA-3985-1} - chromium-browser 61.0.3163.100-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5116 (Type confusion in V8 in Google Chrome prior to 61.0.3163.79 for Mac, W ...) {DSA-3985-1} - chromium-browser 61.0.3163.100-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-5115 (Type confusion in V8 in Google Chrome prior to 61.0.3163.79 for Window ...) {DSA-3985-1} - chromium-browser 61.0.3163.100-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-5114 (Inappropriate use of partition alloc in PDFium in Google Chrome prior ...) {DSA-3985-1} - chromium-browser 61.0.3163.100-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5113 (Math overflow in Skia in Google Chrome prior to 61.0.3163.79 for Mac, ...) {DSA-3985-1} - chromium-browser 61.0.3163.100-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5112 (Heap buffer overflow in WebGL in Google Chrome prior to 61.0.3163.79 f ...) {DSA-3985-1} - chromium-browser 61.0.3163.100-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5111 (A use after free in PDFium in Google Chrome prior to 61.0.3163.79 for ...) {DSA-3985-1} - chromium-browser 61.0.3163.100-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5110 (Inappropriate implementation of the web payments API on blob: and data ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5109 (Inappropriate implementation of unload handler handling in permission ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5108 (Type confusion in PDFium in Google Chrome prior to 60.0.3112.78 for Ma ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5107 (A timing attack in SVG rendering in Google Chrome prior to 60.0.3112.7 ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5106 (Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 6 ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5105 (Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 6 ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5104 (Inappropriate implementation in interstitials in Google Chrome prior t ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5103 (Use of an uninitialized value in Skia in Google Chrome prior to 60.0.3 ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5102 (Use of an uninitialized value in Skia in Google Chrome prior to 60.0.3 ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5101 (Inappropriate implementation in Omnibox in Google Chrome prior to 60.0 ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5100 (A use after free in Apps in Google Chrome prior to 60.0.3112.78 for Wi ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5099 (Insufficient validation of untrusted input in PPAPI Plugins in Google ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5098 (A use after free in V8 in Google Chrome prior to 60.0.3112.78 for Mac, ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5097 (Insufficient validation of untrusted input in Skia in Google Chrome pr ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5096 (Insufficient policy enforcement during navigation between different sc ...) - chromium-browser (Android-specific) CVE-2017-5095 (Stack overflow in PDFium in Google Chrome prior to 60.0.3112.78 for Li ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5094 (Type confusion in extensions JavaScript bindings in Google Chrome prio ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5093 (Inappropriate implementation in modal dialog handling in Blink in Goog ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5092 (Insufficient validation of untrusted input in PPAPI Plugins in Google ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5091 (A use after free in IndexedDB in Google Chrome prior to 60.0.3112.78 f ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5090 (Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 5 ...) - chromium-browser (Chrome on Mac) CVE-2017-5089 (Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 5 ...) {DSA-3926-1} - chromium-browser 59.0.3071.104-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5088 (Insufficient validation of untrusted input in V8 in Google Chrome prio ...) {DSA-3926-1} - chromium-browser 59.0.3071.104-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5087 (A use after free in Blink in Google Chrome prior to 59.0.3071.104 for ...) {DSA-3926-1} - chromium-browser 59.0.3071.104-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5086 (Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 5 ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5085 (Inappropriate implementation in Bookmarks in Google Chrome prior to 59 ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5084 (Inappropriate implementation in image-burner in Google Chrome OS prior ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5083 (Inappropriate implementation in Blink in Google Chrome prior to 59.0.3 ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5082 (Failure to take advantage of available mitigations in credit card auto ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5081 (Lack of verification of an extension's locale folder in Google Chrome ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5080 (A use after free in credit card autofill in Google Chrome prior to 59. ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5079 (Inappropriate implementation in Blink in Google Chrome prior to 59.0.3 ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5078 (Insufficient validation of untrusted input in Blink's mailto: handling ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5077 (Insufficient validation of untrusted input in Skia in Google Chrome pr ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5076 (Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 5 ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5075 (Inappropriate implementation in CSP reporting in Blink in Google Chrom ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5074 (A use after free in Chrome Apps in Google Chrome prior to 59.0.3071.86 ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5073 (Use after free in print preview in Blink in Google Chrome prior to 59. ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5072 (Inappropriate implementation in Omnibox in Google Chrome prior to 59.0 ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5071 (Insufficient validation of untrusted input in V8 in Google Chrome prio ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-5070 (Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-5069 (Incorrect MIME type of XSS-Protection reports in Blink in Google Chrom ...) - chromium-browser 58.0.3029.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5068 (Incorrect handling of picture ID in WebRTC in Google Chrome prior to 5 ...) - chromium-browser 58.0.3029.96-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5067 (An insufficient watchdog timer in navigation in Google Chrome prior to ...) - chromium-browser 58.0.3029.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5066 (Insufficient consistency checks in signature handling in the networkin ...) - chromium-browser 58.0.3029.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5065 (Lack of an appropriate action on page navigation in Blink in Google Ch ...) - chromium-browser 58.0.3029.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5064 (Incorrect handling of DOM changes in Blink in Google Chrome prior to 5 ...) - chromium-browser 58.0.3029.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5063 (A numeric overflow in Skia in Google Chrome prior to 58.0.3029.81 for ...) - chromium-browser 58.0.3029.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5062 (A use after free in Chrome Apps in Google Chrome prior to 58.0.3029.81 ...) - chromium-browser 58.0.3029.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5061 (A race condition in navigation in Google Chrome prior to 58.0.3029.81 ...) - chromium-browser 58.0.3029.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5060 (Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 5 ...) - chromium-browser 58.0.3029.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5059 (Type confusion in Blink in Google Chrome prior to 58.0.3029.81 for Lin ...) - chromium-browser 58.0.3029.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5058 (A use after free in PrintPreview in Google Chrome prior to 58.0.3029.8 ...) - chromium-browser 58.0.3029.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5057 (Type confusion in PDFium in Google Chrome prior to 58.0.3029.81 for Ma ...) - chromium-browser 58.0.3029.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5056 (A use after free in Blink in Google Chrome prior to 57.0.2987.133 for ...) - chromium-browser 57.0.2987.133-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5055 (A use after free in printing in Google Chrome prior to 57.0.2987.133 f ...) - chromium-browser 57.0.2987.133-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5054 (An out-of-bounds read in V8 in Google Chrome prior to 57.0.2987.133 fo ...) - chromium-browser 57.0.2987.133-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-5053 (An out-of-bounds read in V8 in Google Chrome prior to 57.0.2987.133 fo ...) - chromium-browser 57.0.2987.133-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-5052 (An incorrect assumption about block structure in Blink in Google Chrom ...) - chromium-browser 57.0.2987.133-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5051 (An integer overflow in FFmpeg in Google Chrome prior to 57.0.2987.98 f ...) - chromium-browser 57.0.2987.98-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) NOTE: https://codereview.chromium.org/2654913002 CVE-2017-5050 (An integer overflow in FFmpeg in Google Chrome prior to 57.0.2987.98 f ...) - chromium-browser 57.0.2987.98-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) NOTE: https://codereview.chromium.org/2654913002 CVE-2017-5049 (An integer overflow in FFmpeg in Google Chrome prior to 57.0.2987.98 f ...) - chromium-browser 57.0.2987.98-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) NOTE: https://codereview.chromium.org/2654913002 CVE-2017-5048 (An integer overflow in FFmpeg in Google Chrome prior to 57.0.2987.98 f ...) - chromium-browser 57.0.2987.98-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) NOTE: https://codereview.chromium.org/2654913002 CVE-2017-5047 (An integer overflow in FFmpeg in Google Chrome prior to 57.0.2987.98 f ...) - chromium-browser 57.0.2987.98-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) NOTE: https://codereview.chromium.org/2654913002 CVE-2017-5046 (V8 in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5045 (XSS Auditor in Google Chrome prior to 57.0.2987.98 for Mac, Windows, a ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5044 (Heap buffer overflow in filter processing in Skia in Google Chrome pri ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5043 (Chrome Apps in Google Chrome prior to 57.0.2987.98 for Linux, Windows, ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5042 (Cast in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linu ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5041 (Google Chrome prior to 57.0.2987.100 incorrectly handled back-forward ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5040 (V8 in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-5039 (A use after free in PDFium in Google Chrome prior to 57.0.2987.98 for ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5038 (Chrome Apps in Google Chrome prior to 57.0.2987.98 for Linux, Windows, ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5037 (An integer overflow in FFmpeg in Google Chrome prior to 57.0.2987.98 f ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5036 (A use after free in PDFium in Google Chrome prior to 57.0.2987.98 for ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5035 (Google Chrome prior to 57.0.2987.98 for Windows and Mac had a race con ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5034 (A use after free in PDFium in Google Chrome prior to 57.0.2987.98 for ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5033 (Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Lin ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5032 (PDFium in Google Chrome prior to 57.0.2987.98 for Windows could be mad ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5031 (A use after free in ANGLE in Google Chrome prior to 57.0.2987.98 for W ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5030 (Incorrect handling of complex species in V8 in Google Chrome prior to ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-5029 (The xsltAddTextString function in transform.c in libxslt 1.1.29, as us ...) {DSA-3810-1 DLA-866-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) - libxslt 1.1.29-2.1 (bug #858546) [jessie] - libxslt 1.1.28-2+deb8u3 NOTE: Upstream fix in libxslt: https://git.gnome.org/browse/libxslt/commit/?id=08ab2774b870de1c7b5a48693df75e8154addae5 CVE-2017-5028 (Insufficient data validation in V8 in Google Chrome prior to 56.0.2924 ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 CVE-2017-5027 (Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Ma ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5026 (Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, failed ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5025 (FFmpeg in Google Chrome prior to 56.0.2924.76 for Linux, Windows and M ...) {DSA-3776-1} - chromium-browser 44.0.2403.157-1 [wheezy] - chromium-browser (Not supported in Wheezy) - ffmpeg 7:3.2.4-1 CVE-2017-5024 (FFmpeg in Google Chrome prior to 56.0.2924.76 for Linux, Windows and M ...) {DSA-3776-1} - chromium-browser 44.0.2403.157-1 [wheezy] - chromium-browser (Not supported in Wheezy) - ffmpeg 7:3.2.4-1 CVE-2017-5023 (Type confusion in Histogram in Google Chrome prior to 56.0.2924.76 for ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5022 (Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Ma ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5021 (A use after free in Google Chrome prior to 56.0.2924.76 for Linux, Win ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5020 (Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56 ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5019 (A use after free in Google Chrome prior to 56.0.2924.76 for Linux, Win ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5018 (Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56 ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5017 (Interactions with the OS in Google Chrome prior to 56.0.2924.76 for Ma ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5016 (Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Ma ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5015 (Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56 ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5014 (Heap buffer overflow during image processing in Skia in Google Chrome ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5013 (Google Chrome prior to 56.0.2924.76 for Linux incorrectly handled new ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5012 (A heap buffer overflow in V8 in Google Chrome prior to 56.0.2924.76 fo ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-5011 (Google Chrome prior to 56.0.2924.76 for Windows insufficiently sanitiz ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5010 (Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Ma ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5009 (WebRTC in Google Chrome prior to 56.0.2924.76 for Linux, Windows and M ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5008 (Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Ma ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5007 (Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Ma ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5006 (Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Ma ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5005 (Stack-based buffer overflow in Quick Heal Internet Security 10.1.0.316 ...) NOT-FOR-US: Quickheal CVE-2016-10108 (Unauthenticated Remote Command injection as root occurs in the Western ...) NOT-FOR-US: Western Digital MyCloud NAS CVE-2016-10107 (Unauthenticated Remote Command injection as root occurs in the Western ...) NOT-FOR-US: Western Digital MyCloud NAS CVE-2016-10106 (Directory traversal vulnerability in scgi-bin/platform.cgi on NETGEAR ...) NOT-FOR-US: NETGEAR devices CVE-2016-10105 (admin/plugin.php in Piwigo through 2.8.3 doesn't validate the sections ...) - piwigo CVE-2016-10104 (Information Disclosure can occur in sshProfiles.jsd in Hitek Software' ...) NOT-FOR-US: Hitek CVE-2016-10103 (Information Disclosure can occur in encryptionProfiles.jsd in Hitek So ...) NOT-FOR-US: Hitek CVE-2016-10102 (hitek.jar in Hitek Software's Automize uses weak encryption when encry ...) NOT-FOR-US: Hitek CVE-2016-10101 (Information Disclosure can occur in Hitek Software's Automize 10.x and ...) NOT-FOR-US: Hitek CVE-2016-10100 (Borg (aka BorgBackup) before 1.0.9 has a flaw in the way duplicate arc ...) - borgbackup 1.0.9-1 NOTE: https://borgbackup.readthedocs.io/en/stable/changes.html#pre-1-0-9-manifest-spoofing-vulnerability CVE-2016-10099 (Borg (aka BorgBackup) before 1.0.9 has a flaw in the cryptographic pro ...) - borgbackup 1.0.9-1 NOTE: https://borgbackup.readthedocs.io/en/stable/changes.html#pre-1-0-9-manifest-spoofing-vulnerability CVE-2017-5333 (Integer overflow in the extract_group_icon_cursor_resource function in ...) {DSA-3765-1 DLA-789-1} - icoutils 0.31.1-1 NOTE: Fixed by: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1a108713ac26215c7568353f6e02e727e6d4b24a NOTE: CVE for "the separate vulnerability fixed by the introduction of the "size >= sizeof(uint16_t)*2" test in NOTE: 1a108713ac26215c7568353f6e02e727e6d4b24a" NOTE: http://seclists.org/oss-sec/2017/q1/56 CVE-2017-5332 (The extract_group_icon_cursor_resource in wrestool/extract.c in icouti ...) {DSA-3765-1 DLA-789-1} - icoutils 0.31.1-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1249276 NOTE: Fixed by: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a NOTE: Fixed by: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1a108713ac26215c7568353f6e02e727e6d4b24a NOTE: http://www.openwall.com/lists/oss-security/2017/01/10/4 NOTE: CVE for "all of 1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a and also the index correction in NOTE: 1a108713ac26215c7568353f6e02e727e6d4b24a." CVE-2017-5331 (Integer overflow in the check_offset function in b/wrestool/fileread.c ...) {DSA-3765-1 DLA-789-1} - icoutils 0.31.1-1 NOTE: Fixed by: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=4fbe9222fd79ee31b7ec031b0be070a9a400d1d3 NOTE: http://www.openwall.com/lists/oss-security/2017/01/10/4 CVE-2017-5208 (Integer overflow in the wrestool program in icoutils before 0.31.1 all ...) {DSA-3756-1 DLA-789-1} - icoutils 0.31.0-4 (bug #850017) NOTE: Fixed by: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=0d569f458f306b88f60156d60c9cf058125cf173 NOTE: http://www.openwall.com/lists/oss-security/2017/01/08/1 CVE-2017-5340 (Zend/zend_hash.c in PHP before 7.0.15 and 7.1.x before 7.1.1 mishandle ...) - php7.1 7.1.1-1 (bug #852022) - php7.0 7.0.15-1 (bug #850158) NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73832 NOTE: Fixed in PHP 7.1.1, 7.0.15 CVE-2016-10109 (Use-after-free vulnerability in pcsc-lite before 1.8.20 allows a remot ...) {DSA-3752-1 DLA-778-1} - pcsc-lite 1.8.20-1 NOTE: https://anonscm.debian.org/cgit/pcsclite/PCSC.git/commit/?id=697fe05967af7ea215bcd5d5774be587780c9e22 NOTE: https://anonscm.debian.org/cgit/pcsclite/PCSC.git/commit/?id=3aaab9d998b5deb16a246cc7517e44144d281d3b NOTE: http://www.openwall.com/lists/oss-security/2017/01/03/2 CVE-2016-10098 (An issue was discovered on SendQuick Entera and Avera devices before 2 ...) NOT-FOR-US: SendQuick Entera and Avera devices CVE-2016-10097 (XML External Entity (XXE) Vulnerability in /SSOPOST/metaAlias/%realm%/ ...) NOT-FOR-US: OpenAM CVE-2016-10096 (SQL injection vulnerability in register.php in GeniXCMS before 1.0.0 a ...) NOT-FOR-US: GenixCMS CVE-2016-10090 RESERVED CVE-2016-10086 (RESTful web services in CA Service Desk Manager 12.9 and CA Service De ...) NOT-FOR-US: CA Service Desk Manager CVE-2017-5004 (EMC RSA Identity Governance and Lifecycle versions 7.0.1, 7.0.2 (all p ...) NOT-FOR-US: RSA Identity Governance and Lifecycle CVE-2017-5003 (EMC RSA Identity Governance and Lifecycle versions 7.0.1, 7.0.2 (all p ...) NOT-FOR-US: RSA Identity Governance and Lifecycle CVE-2017-5002 (EMC RSA Archer 5.4.1.3, 5.5.3.1, 5.5.2.3, 5.5.2, 5.5.1.3.1, 5.5.1.1 is ...) NOT-FOR-US: EMC CVE-2017-5001 (EMC RSA Archer 5.4.1.3, 5.5.3.1, 5.5.2.3, 5.5.2, 5.5.1.3.1, 5.5.1.1 is ...) NOT-FOR-US: EMC CVE-2017-5000 (EMC RSA Archer 5.4.1.3, 5.5.3.1, 5.5.2.3, 5.5.2, 5.5.1.3.1, 5.5.1.1 is ...) NOT-FOR-US: EMC CVE-2017-4999 (EMC RSA Archer 5.4.1.3, 5.5.3.1, 5.5.2.3, 5.5.2, 5.5.1.3.1, 5.5.1.1 is ...) NOT-FOR-US: EMC CVE-2017-4998 (EMC RSA Archer 5.4.1.3, 5.5.3.1, 5.5.2.3, 5.5.2, 5.5.1.3.1, 5.5.1.1 is ...) NOT-FOR-US: EMC CVE-2017-4997 (EMC VASA Provider Virtual Appliance versions 8.3.x and prior has an un ...) NOT-FOR-US: EMC CVE-2017-4996 REJECTED CVE-2017-4995 (An issue was discovered in Pivotal Spring Security 4.2.0.RELEASE throu ...) - libspring-security-java (bug #582181) NOTE: https://pivotal.io/security/cve-2017-4995 CVE-2017-4994 (An issue was discovered in Cloud Foundry Foundation cf-release version ...) NOT-FOR-US: Cloud Foundry CVE-2017-4993 REJECTED CVE-2017-4992 (An issue was discovered in Cloud Foundry Foundation cf-release version ...) NOT-FOR-US: Cloud Foundry CVE-2017-4991 (An issue was discovered in Cloud Foundry Foundation cf-release version ...) NOT-FOR-US: Cloud Foundry CVE-2017-4990 (In EMC Avamar Server Software 7.4.1-58, 7.4.0-242, 7.3.1-125, 7.3.0-23 ...) NOT-FOR-US: EMC CVE-2017-4989 (In EMC Avamar Server Software 7.3.1-125, 7.3.0-233, 7.3.0-226, 7.2.1-3 ...) NOT-FOR-US: EMC CVE-2017-4988 (EMC Isilon OneFS 8.0.1.0, 8.0.0 - 8.0.0.3, 7.2.0 - 7.2.1.4, 7.1.x is a ...) NOT-FOR-US: EMC CVE-2017-4987 (In EMC VNX2 versions prior to OE for File 8.1.9.211 and VNX1 versions ...) NOT-FOR-US: EMC CVE-2017-4986 (EMC ESRS VE 3.18 or earlier contains Authentication Bypass that could ...) NOT-FOR-US: EMC CVE-2017-4985 (In EMC VNX2 versions prior to OE for File 8.1.9.211 and VNX1 versions ...) NOT-FOR-US: EMC CVE-2017-4984 (In EMC VNX2 versions prior to OE for File 8.1.9.211 and VNX1 versions ...) NOT-FOR-US: EMC CVE-2017-4983 (EMC Data Domain OS 5.2 through 5.7 before 5.7.3.0 and 6.0 before 6.0.1 ...) NOT-FOR-US: EMC Data Domain OS CVE-2017-4982 (EMC Mainframe Enablers ResourcePak Base versions 7.6.0, 8.0.0, and 8.1 ...) NOT-FOR-US: EMC Mainframe CVE-2017-4981 (EMC RSA BSAFE Cert-C before 2.9.0.5 contains a potential improper cert ...) NOT-FOR-US: EMC CVE-2017-4980 (EMC Isilon OneFS is affected by a path traversal vulnerability that ma ...) NOT-FOR-US: EMC CVE-2017-4979 (EMC Isilon OneFS 8.0.1.0, OneFS 8.0.0.0 - 8.0.0.2, OneFS 7.2.1.0 - 7.2 ...) NOT-FOR-US: EMC CVE-2017-4978 (EMC RSA Adaptive Authentication (On-Premise) versions prior to 7.3 P2 ...) NOT-FOR-US: EMC CVE-2017-4977 (EMC RSA Archer Security Operations Management with RSA Unified Collect ...) NOT-FOR-US: EMC CVE-2017-4976 (EMC ESRS Policy Manager prior to 6.8 contains an undocumented account ...) NOT-FOR-US: EMC CVE-2017-4975 (An issue was discovered in Pivotal PCF Tile Generator versions prior t ...) NOT-FOR-US: Pivotal PCF Tile Generator CVE-2017-4974 (An issue was discovered in Cloud Foundry Foundation cf-release version ...) NOT-FOR-US: Cloud Foundry CVE-2017-4973 (An issue was discovered in Cloud Foundry Foundation cf-release version ...) NOT-FOR-US: Cloud Foundry CVE-2017-4972 (An issue was discovered in Cloud Foundry Foundation cf-release version ...) NOT-FOR-US: Cloud Foundry CVE-2017-4971 (An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Appl ...) NOT-FOR-US: Spring Web Flow CVE-2017-4970 (An issue was discovered in Cloud Foundry Foundation cf-release v255 an ...) NOT-FOR-US: Cloud Foundry CVE-2017-4969 (The Cloud Controller in Cloud Foundry cf-release versions prior to v25 ...) NOT-FOR-US: Cloud Foundry CVE-2017-4968 REJECTED CVE-2017-4967 (An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x ...) - rabbitmq-server 3.6.10-1 (low; bug #863586) [stretch] - rabbitmq-server (Minor issue) [jessie] - rabbitmq-server (Minor issue) [wheezy] - rabbitmq-server (Minor issue) CVE-2017-4966 (An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x ...) - rabbitmq-server 3.6.10-1 (low; bug #863586) [stretch] - rabbitmq-server (Minor issue) [jessie] - rabbitmq-server (Vulnerable code introduced later) [wheezy] - rabbitmq-server (Vulnerable code introduced later) NOTE: Fixed by: https://github.com/rabbitmq/rabbitmq-management/commit/2371633f99ad0d293899384f078872ff9e9f3e10 (rabbitmq_v3_6_9) NOTE: Introduced by: https://github.com/rabbitmq/rabbitmq-management/commit/ced47b0bdca862a58e8f31833643e948655f8368 (rabbitmq_v3_4_0) CVE-2017-4965 (An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x ...) - rabbitmq-server 3.6.10-1 (low; bug #863586) [stretch] - rabbitmq-server (Minor issue) [jessie] - rabbitmq-server (Minor issue) [wheezy] - rabbitmq-server (Minor issue) CVE-2017-4964 (Cloud Foundry Foundation BOSH Azure CPI v22 could potentially allow a ...) NOT-FOR-US: Cloud Foundry CVE-2017-4963 (An issue was discovered in Cloud Foundry Foundation Cloud Foundry rele ...) NOT-FOR-US: Cloud Foundry CVE-2017-4962 REJECTED CVE-2017-4961 (An issue was discovered in Cloud Foundry Foundation BOSH Release 261.x ...) NOT-FOR-US: Cloud Foundry CVE-2017-4960 (An issue was discovered in Cloud Foundry release v247 through v252, UA ...) NOT-FOR-US: Cloud Foundry CVE-2017-4959 (An issue was discovered in Pivotal PCF Elastic Runtime 1.8.x versions ...) NOT-FOR-US: Pivotal PCF Elastic Runtime CVE-2017-4958 REJECTED CVE-2017-4957 REJECTED CVE-2017-4956 REJECTED CVE-2017-4955 (An issue was discovered in Pivotal PCF Elastic Runtime 1.6.x versions ...) NOT-FOR-US: Pivotal PCF Elastic Runtime CVE-2016-10095 (Stack-based buffer overflow in the _TIFFVGetField function in tif_dir. ...) {DLA-984-1 DLA-983-1} - tiff 4.0.8-2 (bug #850316) [jessie] - tiff 4.0.3-12.3+deb8u4 - tiff3 NOTE: This is a duplicate of CVE-2015-7554, both were reported against tiffsplit NOTE: While the _TIFFVGetField function is a generic function, CVE IDs seem to be NOTE: assigned per tool using it, so CVE-2015-7554/CVE-2016-10095 refers to the NOTE: tiffsplit tool NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2625 NOTE: Fixes as per http://bugzilla.maptools.org/show_bug.cgi?id=2580 CVE-2016-10094 (Off-by-one error in the t2p_readwrite_pdf_image_tile function in tools ...) {DSA-3762-1} - tiff 4.0.7-4 [wheezy] - tiff (vulnerable code introduced later) - tiff3 (vulnerable code introduced later) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2640 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/c7153361a4041260719b340f73f2f76b0969235c CVE-2016-10093 (Integer overflow in tools/tiffcp.c in LibTIFF 4.0.7 allows remote atta ...) {DSA-3762-1 DLA-795-1} - tiff 4.0.7-2 - tiff3 [wheezy] - tiff3 (libtiff-tools not shipped by this source package) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2610 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/787c0ee906430b772f33ca50b97b8b5ca070faec CVE-2016-10092 (Heap-based buffer overflow in the readContigStripsIntoBuffer function ...) {DSA-3762-1 DLA-795-1} - tiff 4.0.7-2 - tiff3 [wheezy] - tiff3 (libtiff-tools not shipped by this source package) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2620 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a CVE-2016-10091 (Multiple stack-based buffer overflows in unrtf 0.21.9 allow remote att ...) - unrtf 0.21.9-clean-3 (bug #849705) [jessie] - unrtf 0.21.5-3+deb8u1 [wheezy] - unrtf (Minor issue) NOTE: http://hg.savannah.gnu.org/hgweb/unrtf/rev/3b16893a6406 CVE-2016-10085 (admin/languages.php in Piwigo through 2.8.3 allows remote authenticate ...) - piwigo CVE-2016-10084 (admin/batch_manager.php in Piwigo through 2.8.3 allows remote authenti ...) - piwigo CVE-2016-10083 (Cross-site scripting (XSS) vulnerability in admin/plugin.php in Piwigo ...) - piwigo CVE-2016-10082 (include/functions_installer.inc.php in Serendipity through 2.0.5 is vu ...) - serendipity CVE-2016-10081 (/usr/bin/shutter in Shutter through 0.93.1 allows user-assisted remote ...) - shutter 0.93.1-1.3 (bug #849777) [jessie] - shutter 0.92-0.1+deb8u2 [wheezy] - shutter (Minor issue) NOTE: https://bugs.launchpad.net/shutter/+bug/1652600 CVE-2016-10080 RESERVED CVE-2016-10079 (SAPlpd through 7400.3.11.33 in SAP GUI 7.40 on Windows has a Denial of ...) NOT-FOR-US: SAPlpd CVE-2016-10078 RESERVED CVE-2016-10077 RESERVED CVE-2016-10076 RESERVED CVE-2017-4954 RESERVED CVE-2017-4953 RESERVED CVE-2017-4952 (VMware Xenon 1.x, prior to 1.5.4-CR7_1, 1.5.7_7, 1.5.4-CR6_2, 1.3.7-CR ...) NOT-FOR-US: VMware Xenon CVE-2017-4951 (VMware AirWatch Console (9.2.x before 9.2.2 and 9.1.x before 9.1.5) co ...) NOT-FOR-US: VMware AirWatch Console CVE-2017-4950 (VMware Workstation and Fusion contain an integer overflow vulnerabilit ...) NOT-FOR-US: VMware CVE-2017-4949 (VMware Workstation and Fusion contain a use-after-free vulnerability i ...) NOT-FOR-US: VMware CVE-2017-4948 (VMware Workstation (14.x before 14.1.0 and 12.x) and Horizon View Clie ...) NOT-FOR-US: VMware CVE-2017-4947 (VMware Realize Automation (7.3 and 7.2) and vSphere Integrated Contain ...) NOT-FOR-US: VMware Realize Automation CVE-2017-4946 (The VMware V4H and V4PA desktop agents (6.x before 6.5.1) contain a pr ...) NOT-FOR-US: VMware CVE-2017-4945 (VMware Workstation (14.x and 12.x) and Fusion (10.x and 8.x) contain a ...) NOT-FOR-US: VMware CVE-2017-4944 RESERVED CVE-2017-4943 (VMware vCenter Server Appliance (vCSA) (6.5 before 6.5 U1d) contains a ...) NOT-FOR-US: VMware CVE-2017-4942 (VMware AirWatch Console (AWC) contains a Broken Access Control vulnera ...) NOT-FOR-US: VMware CVE-2017-4941 (VMware ESXi (6.0 before ESXi600-201711101-SG, 5.5 ESXi550-201709101-SG ...) NOT-FOR-US: VMware CVE-2017-4940 (The ESXi Host Client in VMware ESXi (6.5 before ESXi650-201712103-SG, ...) NOT-FOR-US: VMware CVE-2017-4939 (VMware Workstation (12.x before 12.5.8) installer contains a DLL hijac ...) NOT-FOR-US: VMware CVE-2017-4938 (VMware Workstation (12.x before 12.5.8) and Fusion (8.x before 8.5.9) ...) NOT-FOR-US: VMware CVE-2017-4937 (VMware Workstation (12.x before 12.5.8) and Horizon View Client for Wi ...) NOT-FOR-US: VMware CVE-2017-4936 (VMware Workstation (12.x before 12.5.8) and Horizon View Client for Wi ...) NOT-FOR-US: VMware CVE-2017-4935 (VMware Workstation (12.x before 12.5.8) and Horizon View Client for Wi ...) NOT-FOR-US: VMware CVE-2017-4934 (VMware Workstation (12.x before 12.5.8) and Fusion (8.x before 8.5.9) ...) NOT-FOR-US: VMware CVE-2017-4933 (VMware ESXi (6.5 before ESXi650-201710401-BG), Workstation (12.x befor ...) NOT-FOR-US: VMware CVE-2017-4932 (VMware AirWatch Launcher for Android prior to 3.2.2 contains a vulnera ...) NOT-FOR-US: VMware CVE-2017-4931 (VMware AirWatch Console 9.x prior to 9.2.0 contains a vulnerability th ...) NOT-FOR-US: VMware CVE-2017-4930 (VMware AirWatch Console 9.x prior to 9.2.0 contains a vulnerability th ...) NOT-FOR-US: VMware CVE-2017-4929 (VMware NSX Edge (6.2.x before 6.2.9 and 6.3.x before 6.3.5) contains a ...) NOT-FOR-US: VMware CVE-2017-4928 (The flash-based vSphere Web Client (6.0 prior to 6.0 U3c and 5.5 prior ...) NOT-FOR-US: VMware CVE-2017-4927 (VMware vCenter Server (6.5 prior to 6.5 U1 and 6.0 prior to 6.0 U3c) d ...) NOT-FOR-US: VMware CVE-2017-4926 (VMware vCenter Server (6.5 prior to 6.5 U1) contains a vulnerability t ...) NOT-FOR-US: VMware CVE-2017-4925 (VMware ESXi 6.5 without patch ESXi650-201707101-SG, ESXi 6.0 without p ...) NOT-FOR-US: VMware CVE-2017-4924 (VMware ESXi (ESXi 6.5 without patch ESXi650-201707101-SG), Workstation ...) NOT-FOR-US: VMware CVE-2017-4923 (VMware vCenter Server (6.5 prior to 6.5 U1) contains an information di ...) NOT-FOR-US: VMware CVE-2017-4922 (VMware vCenter Server (6.5 prior to 6.5 U1) contains an information di ...) NOT-FOR-US: VMware CVE-2017-4921 (VMware vCenter Server (6.5 prior to 6.5 U1) contains an insecure libra ...) NOT-FOR-US: VMware CVE-2017-4920 (The implementation of the OSPF protocol in VMware NSX-V Edge 6.2.x pri ...) NOT-FOR-US: VMware CVE-2017-4919 (VMware vCenter Server 5.5, 6.0, 6.5 allows vSphere users with certain, ...) NOT-FOR-US: VMware vCenter Server CVE-2017-4918 (VMware Horizon View Client (2.x, 3.x and 4.x prior to 4.5.0) contains ...) NOT-FOR-US: VMware CVE-2017-4917 (VMware vSphere Data Protection (VDP) 6.1.x, 6.0.x, 5.8.x, and 5.5.x lo ...) NOT-FOR-US: VMware CVE-2017-4916 (VMware Workstation Pro/Player contains a NULL pointer dereference vuln ...) NOT-FOR-US: VMware CVE-2017-4915 (VMware Workstation Pro/Player contains an insecure library loading vul ...) NOT-FOR-US: VMware CVE-2017-4914 (VMware vSphere Data Protection (VDP) 6.1.x, 6.0.x, 5.8.x, and 5.5.x co ...) NOT-FOR-US: VMware CVE-2017-4913 (VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x ...) NOT-FOR-US: VMware CVE-2017-4912 (VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x ...) NOT-FOR-US: VMware CVE-2017-4911 (VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x ...) NOT-FOR-US: VMware CVE-2017-4910 (VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x ...) NOT-FOR-US: VMware CVE-2017-4909 (VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x ...) NOT-FOR-US: VMware CVE-2017-4908 (VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x ...) NOT-FOR-US: VMware CVE-2017-4907 (VMware Unified Access Gateway (2.5.x, 2.7.x, 2.8.x prior to 2.8.1) and ...) NOT-FOR-US: VMware CVE-2017-4906 RESERVED CVE-2017-4905 (VMware ESXi 6.5 without patch ESXi650-201703410-SG, 6.0 U3 without pat ...) NOT-FOR-US: VMware CVE-2017-4904 (The XHCI controller in VMware ESXi 6.5 without patch ESXi650-201703410 ...) NOT-FOR-US: VMware CVE-2017-4903 (VMware ESXi 6.5 without patch ESXi650-201703410-SG, 6.0 U3 without pat ...) NOT-FOR-US: VMware CVE-2017-4902 (VMware ESXi 6.5 without patch ESXi650-201703410-SG and 5.5 without pat ...) NOT-FOR-US: VMware CVE-2017-4901 (The drag-and-drop (DnD) function in VMware Workstation 12.x before ver ...) NOT-FOR-US: VMware CVE-2017-4900 (VMware Workstation Pro/Player 12.x before 12.5.3 contains a NULL point ...) NOT-FOR-US: VMware CVE-2017-4899 (VMware Workstation Pro/Player 12.x before 12.5.3 contains a security v ...) NOT-FOR-US: VMware CVE-2017-4898 (VMware Workstation Pro/Player 12.x before 12.5.3 contains a DLL loadin ...) NOT-FOR-US: VMware CVE-2017-4897 (VMware Horizon DaaS before 7.0.0 contains a vulnerability that exists ...) NOT-FOR-US: VMware Horizon DaaS CVE-2017-4896 (Airwatch Inbox for Android contains a vulnerability that may allow a r ...) NOT-FOR-US: Airwatch Inbox for Android CVE-2017-4895 (Airwatch Agent for Android contains a vulnerability that may allow a d ...) NOT-FOR-US: Airwatch Inbox for Android CVE-2017-4894 REJECTED CVE-2017-4893 REJECTED CVE-2017-4892 REJECTED CVE-2017-4891 REJECTED CVE-2017-4890 REJECTED CVE-2017-4889 REJECTED CVE-2017-4888 REJECTED CVE-2017-4887 REJECTED CVE-2017-4886 REJECTED CVE-2017-4885 REJECTED CVE-2017-4884 REJECTED CVE-2017-4883 REJECTED CVE-2017-4882 REJECTED CVE-2017-4881 REJECTED CVE-2017-4880 REJECTED CVE-2017-4879 REJECTED CVE-2017-4878 REJECTED CVE-2017-4877 REJECTED CVE-2017-4876 REJECTED CVE-2017-4875 REJECTED CVE-2017-4874 REJECTED CVE-2017-4873 REJECTED CVE-2017-4872 REJECTED CVE-2017-4871 REJECTED CVE-2017-4870 REJECTED CVE-2017-4869 REJECTED CVE-2017-4868 REJECTED CVE-2017-4867 REJECTED CVE-2017-4866 REJECTED CVE-2017-4865 REJECTED CVE-2017-4864 REJECTED CVE-2017-4863 REJECTED CVE-2017-4862 REJECTED CVE-2017-4861 REJECTED CVE-2017-4860 REJECTED CVE-2017-4859 REJECTED CVE-2017-4858 REJECTED CVE-2017-4857 REJECTED CVE-2017-4856 REJECTED CVE-2017-4855 REJECTED CVE-2017-4854 REJECTED CVE-2017-4853 REJECTED CVE-2017-4852 REJECTED CVE-2017-4851 REJECTED CVE-2017-4850 REJECTED CVE-2017-4849 REJECTED CVE-2017-4848 REJECTED CVE-2017-4847 REJECTED CVE-2017-4846 REJECTED CVE-2017-4845 REJECTED CVE-2017-4844 REJECTED CVE-2017-4843 REJECTED CVE-2017-4842 REJECTED CVE-2017-4841 REJECTED CVE-2017-4840 REJECTED CVE-2017-4839 REJECTED CVE-2017-4838 REJECTED CVE-2017-4837 REJECTED CVE-2017-4836 REJECTED CVE-2017-4835 REJECTED CVE-2017-4834 REJECTED CVE-2017-4833 REJECTED CVE-2017-4832 REJECTED CVE-2017-4831 REJECTED CVE-2017-4830 REJECTED CVE-2017-4829 REJECTED CVE-2017-4828 REJECTED CVE-2017-4827 REJECTED CVE-2017-4826 REJECTED CVE-2017-4825 REJECTED CVE-2017-4824 REJECTED CVE-2017-4823 REJECTED CVE-2017-4822 REJECTED CVE-2017-4821 REJECTED CVE-2017-4820 REJECTED CVE-2017-4819 REJECTED CVE-2017-4818 REJECTED CVE-2017-4817 REJECTED CVE-2017-4816 REJECTED CVE-2017-4815 REJECTED CVE-2017-4814 REJECTED CVE-2017-4813 REJECTED CVE-2017-4812 REJECTED CVE-2017-4811 REJECTED CVE-2017-4810 REJECTED CVE-2017-4809 REJECTED CVE-2017-4808 REJECTED CVE-2017-4807 REJECTED CVE-2017-4806 REJECTED CVE-2017-4805 REJECTED CVE-2017-4804 REJECTED CVE-2017-4803 REJECTED CVE-2017-4802 REJECTED CVE-2017-4801 REJECTED CVE-2017-4800 REJECTED CVE-2017-4799 REJECTED CVE-2017-4798 REJECTED CVE-2017-4797 REJECTED CVE-2017-4796 REJECTED CVE-2017-4795 REJECTED CVE-2017-4794 REJECTED CVE-2017-4793 REJECTED CVE-2017-4792 REJECTED CVE-2017-4791 REJECTED CVE-2017-4790 REJECTED CVE-2017-4789 REJECTED CVE-2017-4788 REJECTED CVE-2017-4787 REJECTED CVE-2017-4786 REJECTED CVE-2017-4785 REJECTED CVE-2017-4784 REJECTED CVE-2017-4783 REJECTED CVE-2017-4782 REJECTED CVE-2017-4781 REJECTED CVE-2017-4780 REJECTED CVE-2017-4779 REJECTED CVE-2017-4778 REJECTED CVE-2017-4777 REJECTED CVE-2017-4776 REJECTED CVE-2017-4775 REJECTED CVE-2017-4774 REJECTED CVE-2017-4773 REJECTED CVE-2017-4772 REJECTED CVE-2017-4771 REJECTED CVE-2017-4770 REJECTED CVE-2017-4769 REJECTED CVE-2017-4768 REJECTED CVE-2017-4767 REJECTED CVE-2017-4766 REJECTED CVE-2017-4765 REJECTED CVE-2017-4764 REJECTED CVE-2017-4763 REJECTED CVE-2017-4762 REJECTED CVE-2017-4761 REJECTED CVE-2017-4760 REJECTED CVE-2017-4759 REJECTED CVE-2017-4758 REJECTED CVE-2017-4757 REJECTED CVE-2017-4756 REJECTED CVE-2017-4755 REJECTED CVE-2017-4754 REJECTED CVE-2017-4753 REJECTED CVE-2017-4752 REJECTED CVE-2017-4751 REJECTED CVE-2017-4750 REJECTED CVE-2017-4749 REJECTED CVE-2017-4748 REJECTED CVE-2017-4747 REJECTED CVE-2017-4746 REJECTED CVE-2017-4745 REJECTED CVE-2017-4744 REJECTED CVE-2017-4743 REJECTED CVE-2017-4742 REJECTED CVE-2017-4741 REJECTED CVE-2017-4740 REJECTED CVE-2017-4739 REJECTED CVE-2017-4738 REJECTED CVE-2017-4737 REJECTED CVE-2017-4736 REJECTED CVE-2017-4735 REJECTED CVE-2017-4734 REJECTED CVE-2017-4733 REJECTED CVE-2017-4732 REJECTED CVE-2017-4731 REJECTED CVE-2017-4730 REJECTED CVE-2017-4729 REJECTED CVE-2017-4728 REJECTED CVE-2017-4727 REJECTED CVE-2017-4726 REJECTED CVE-2017-4725 REJECTED CVE-2017-4724 REJECTED CVE-2017-4723 REJECTED CVE-2017-4722 REJECTED CVE-2017-4721 REJECTED CVE-2017-4720 REJECTED CVE-2017-4719 REJECTED CVE-2017-4718 REJECTED CVE-2017-4717 REJECTED CVE-2017-4716 REJECTED CVE-2017-4715 REJECTED CVE-2017-4714 REJECTED CVE-2017-4713 REJECTED CVE-2017-4712 REJECTED CVE-2017-4711 REJECTED CVE-2017-4710 REJECTED CVE-2017-4709 REJECTED CVE-2017-4708 REJECTED CVE-2017-4707 REJECTED CVE-2017-4706 REJECTED CVE-2017-4705 REJECTED CVE-2017-4704 REJECTED CVE-2017-4703 REJECTED CVE-2017-4702 REJECTED CVE-2017-4701 REJECTED CVE-2017-4700 REJECTED CVE-2017-4699 REJECTED CVE-2017-4698 REJECTED CVE-2017-4697 REJECTED CVE-2017-4696 REJECTED CVE-2017-4695 REJECTED CVE-2017-4694 REJECTED CVE-2017-4693 REJECTED CVE-2017-4692 REJECTED CVE-2017-4691 REJECTED CVE-2017-4690 REJECTED CVE-2017-4689 REJECTED CVE-2017-4688 REJECTED CVE-2017-4687 REJECTED CVE-2017-4686 REJECTED CVE-2017-4685 REJECTED CVE-2017-4684 REJECTED CVE-2017-4683 REJECTED CVE-2017-4682 REJECTED CVE-2017-4681 REJECTED CVE-2017-4680 REJECTED CVE-2017-4679 REJECTED CVE-2017-4678 REJECTED CVE-2017-4677 REJECTED CVE-2017-4676 REJECTED CVE-2017-4675 REJECTED CVE-2017-4674 REJECTED CVE-2017-4673 REJECTED CVE-2017-4672 REJECTED CVE-2017-4671 REJECTED CVE-2017-4670 REJECTED CVE-2017-4669 REJECTED CVE-2017-4668 REJECTED CVE-2017-4667 REJECTED CVE-2017-4666 REJECTED CVE-2017-4665 REJECTED CVE-2017-4664 REJECTED CVE-2017-4663 REJECTED CVE-2017-4662 REJECTED CVE-2017-4661 REJECTED CVE-2017-4660 REJECTED CVE-2017-4659 REJECTED CVE-2017-4658 REJECTED CVE-2017-4657 REJECTED CVE-2017-4656 REJECTED CVE-2017-4655 REJECTED CVE-2017-4654 REJECTED CVE-2017-4653 REJECTED CVE-2017-4652 REJECTED CVE-2017-4651 REJECTED CVE-2017-4650 REJECTED CVE-2017-4649 REJECTED CVE-2017-4648 REJECTED CVE-2017-4647 REJECTED CVE-2017-4646 REJECTED CVE-2017-4645 REJECTED CVE-2017-4644 REJECTED CVE-2017-4643 REJECTED CVE-2017-4642 REJECTED CVE-2017-4641 REJECTED CVE-2017-4640 REJECTED CVE-2017-4639 REJECTED CVE-2017-4638 REJECTED CVE-2017-4637 REJECTED CVE-2017-4636 REJECTED CVE-2017-4635 REJECTED CVE-2017-4634 REJECTED CVE-2017-4633 REJECTED CVE-2017-4632 REJECTED CVE-2017-4631 REJECTED CVE-2017-4630 REJECTED CVE-2017-4629 REJECTED CVE-2017-4628 REJECTED CVE-2017-4627 REJECTED CVE-2017-4626 REJECTED CVE-2017-4625 REJECTED CVE-2017-4624 REJECTED CVE-2017-4623 REJECTED CVE-2017-4622 REJECTED CVE-2017-4621 REJECTED CVE-2017-4620 REJECTED CVE-2017-4619 REJECTED CVE-2017-4618 REJECTED CVE-2017-4617 REJECTED CVE-2017-4616 REJECTED CVE-2017-4615 REJECTED CVE-2017-4614 REJECTED CVE-2017-4613 REJECTED CVE-2017-4612 REJECTED CVE-2017-4611 REJECTED CVE-2017-4610 REJECTED CVE-2017-4609 REJECTED CVE-2017-4608 REJECTED CVE-2017-4607 REJECTED CVE-2017-4606 REJECTED CVE-2017-4605 REJECTED CVE-2017-4604 REJECTED CVE-2017-4603 REJECTED CVE-2017-4602 REJECTED CVE-2017-4601 REJECTED CVE-2017-4600 REJECTED CVE-2017-4599 REJECTED CVE-2017-4598 REJECTED CVE-2017-4597 REJECTED CVE-2017-4596 REJECTED CVE-2017-4595 REJECTED CVE-2017-4594 REJECTED CVE-2017-4593 REJECTED CVE-2017-4592 REJECTED CVE-2017-4591 REJECTED CVE-2017-4590 REJECTED CVE-2017-4589 REJECTED CVE-2017-4588 REJECTED CVE-2017-4587 REJECTED CVE-2017-4586 REJECTED CVE-2017-4585 REJECTED CVE-2017-4584 REJECTED CVE-2017-4583 REJECTED CVE-2017-4582 REJECTED CVE-2017-4581 REJECTED CVE-2017-4580 REJECTED CVE-2017-4579 REJECTED CVE-2017-4578 REJECTED CVE-2017-4577 REJECTED CVE-2017-4576 REJECTED CVE-2017-4575 REJECTED CVE-2017-4574 REJECTED CVE-2017-4573 REJECTED CVE-2017-4572 REJECTED CVE-2017-4571 REJECTED CVE-2017-4570 REJECTED CVE-2017-4569 REJECTED CVE-2017-4568 REJECTED CVE-2017-4567 REJECTED CVE-2017-4566 REJECTED CVE-2017-4565 REJECTED CVE-2017-4564 REJECTED CVE-2017-4563 REJECTED CVE-2017-4562 REJECTED CVE-2017-4561 REJECTED CVE-2017-4560 REJECTED CVE-2017-4559 REJECTED CVE-2017-4558 REJECTED CVE-2017-4557 REJECTED CVE-2017-4556 REJECTED CVE-2017-4555 REJECTED CVE-2017-4554 REJECTED CVE-2017-4553 REJECTED CVE-2017-4552 REJECTED CVE-2017-4551 REJECTED CVE-2017-4550 REJECTED CVE-2017-4549 REJECTED CVE-2017-4548 REJECTED CVE-2017-4547 REJECTED CVE-2017-4546 REJECTED CVE-2017-4545 REJECTED CVE-2017-4544 REJECTED CVE-2017-4543 REJECTED CVE-2017-4542 REJECTED CVE-2017-4541 REJECTED CVE-2017-4540 REJECTED CVE-2017-4539 REJECTED CVE-2017-4538 REJECTED CVE-2017-4537 REJECTED CVE-2017-4536 REJECTED CVE-2017-4535 REJECTED CVE-2017-4534 REJECTED CVE-2017-4533 REJECTED CVE-2017-4532 REJECTED CVE-2017-4531 REJECTED CVE-2017-4530 REJECTED CVE-2017-4529 REJECTED CVE-2017-4528 REJECTED CVE-2017-4527 REJECTED CVE-2017-4526 REJECTED CVE-2017-4525 REJECTED CVE-2017-4524 REJECTED CVE-2017-4523 REJECTED CVE-2017-4522 REJECTED CVE-2017-4521 REJECTED CVE-2017-4520 REJECTED CVE-2017-4519 REJECTED CVE-2017-4518 REJECTED CVE-2017-4517 REJECTED CVE-2017-4516 REJECTED CVE-2017-4515 REJECTED CVE-2017-4514 REJECTED CVE-2017-4513 REJECTED CVE-2017-4512 REJECTED CVE-2017-4511 REJECTED CVE-2017-4510 REJECTED CVE-2017-4509 REJECTED CVE-2017-4508 REJECTED CVE-2017-4507 REJECTED CVE-2017-4506 REJECTED CVE-2017-4505 REJECTED CVE-2017-4504 REJECTED CVE-2017-4503 REJECTED CVE-2017-4502 REJECTED CVE-2017-4501 REJECTED CVE-2017-4500 REJECTED CVE-2017-4499 REJECTED CVE-2017-4498 REJECTED CVE-2017-4497 REJECTED CVE-2017-4496 REJECTED CVE-2017-4495 REJECTED CVE-2017-4494 REJECTED CVE-2017-4493 REJECTED CVE-2017-4492 REJECTED CVE-2017-4491 REJECTED CVE-2017-4490 REJECTED CVE-2017-4489 REJECTED CVE-2017-4488 REJECTED CVE-2017-4487 REJECTED CVE-2017-4486 REJECTED CVE-2017-4485 REJECTED CVE-2017-4484 REJECTED CVE-2017-4483 REJECTED CVE-2017-4482 REJECTED CVE-2017-4481 REJECTED CVE-2017-4480 REJECTED CVE-2017-4479 REJECTED CVE-2017-4478 REJECTED CVE-2017-4477 REJECTED CVE-2017-4476 REJECTED CVE-2017-4475 REJECTED CVE-2017-4474 REJECTED CVE-2017-4473 REJECTED CVE-2017-4472 REJECTED CVE-2017-4471 REJECTED CVE-2017-4470 REJECTED CVE-2017-4469 REJECTED CVE-2017-4468 REJECTED CVE-2017-4467 REJECTED CVE-2017-4466 REJECTED CVE-2017-4465 REJECTED CVE-2017-4464 REJECTED CVE-2017-4463 REJECTED CVE-2017-4462 REJECTED CVE-2017-4461 REJECTED CVE-2017-4460 REJECTED CVE-2017-4459 REJECTED CVE-2017-4458 REJECTED CVE-2017-4457 REJECTED CVE-2017-4456 REJECTED CVE-2017-4455 REJECTED CVE-2017-4454 REJECTED CVE-2017-4453 REJECTED CVE-2017-4452 REJECTED CVE-2017-4451 REJECTED CVE-2017-4450 REJECTED CVE-2017-4449 REJECTED CVE-2017-4448 REJECTED CVE-2017-4447 REJECTED CVE-2017-4446 REJECTED CVE-2017-4445 REJECTED CVE-2017-4444 REJECTED CVE-2017-4443 REJECTED CVE-2017-4442 REJECTED CVE-2017-4441 REJECTED CVE-2017-4440 REJECTED CVE-2017-4439 REJECTED CVE-2017-4438 REJECTED CVE-2017-4437 REJECTED CVE-2017-4436 REJECTED CVE-2017-4435 REJECTED CVE-2017-4434 REJECTED CVE-2017-4433 REJECTED CVE-2017-4432 REJECTED CVE-2017-4431 REJECTED CVE-2017-4430 REJECTED CVE-2017-4429 REJECTED CVE-2017-4428 REJECTED CVE-2017-4427 REJECTED CVE-2017-4426 REJECTED CVE-2017-4425 REJECTED CVE-2017-4424 REJECTED CVE-2017-4423 REJECTED CVE-2017-4422 REJECTED CVE-2017-4421 REJECTED CVE-2017-4420 REJECTED CVE-2017-4419 REJECTED CVE-2017-4418 REJECTED CVE-2017-4417 REJECTED CVE-2017-4416 REJECTED CVE-2017-4415 REJECTED CVE-2017-4414 REJECTED CVE-2017-4413 REJECTED CVE-2017-4412 REJECTED CVE-2017-4411 REJECTED CVE-2017-4410 REJECTED CVE-2017-4409 REJECTED CVE-2017-4408 REJECTED CVE-2017-4407 REJECTED CVE-2017-4406 REJECTED CVE-2017-4405 REJECTED CVE-2017-4404 REJECTED CVE-2017-4403 REJECTED CVE-2017-4402 REJECTED CVE-2017-4401 REJECTED CVE-2017-4400 REJECTED CVE-2017-4399 REJECTED CVE-2017-4398 REJECTED CVE-2017-4397 REJECTED CVE-2017-4396 REJECTED CVE-2017-4395 REJECTED CVE-2017-4394 REJECTED CVE-2017-4393 REJECTED CVE-2017-4392 REJECTED CVE-2017-4391 REJECTED CVE-2017-4390 REJECTED CVE-2017-4389 REJECTED CVE-2017-4388 REJECTED CVE-2017-4387 REJECTED CVE-2017-4386 REJECTED CVE-2017-4385 REJECTED CVE-2017-4384 REJECTED CVE-2017-4383 REJECTED CVE-2017-4382 REJECTED CVE-2017-4381 REJECTED CVE-2017-4380 REJECTED CVE-2017-4379 REJECTED CVE-2017-4378 REJECTED CVE-2017-4377 REJECTED CVE-2017-4376 REJECTED CVE-2017-4375 REJECTED CVE-2017-4374 REJECTED CVE-2017-4373 REJECTED CVE-2017-4372 REJECTED CVE-2017-4371 REJECTED CVE-2017-4370 REJECTED CVE-2017-4369 REJECTED CVE-2017-4368 REJECTED CVE-2017-4367 REJECTED CVE-2017-4366 REJECTED CVE-2017-4365 REJECTED CVE-2017-4364 REJECTED CVE-2017-4363 REJECTED CVE-2017-4362 REJECTED CVE-2017-4361 REJECTED CVE-2017-4360 REJECTED CVE-2017-4359 REJECTED CVE-2017-4358 REJECTED CVE-2017-4357 REJECTED CVE-2017-4356 REJECTED CVE-2017-4355 REJECTED CVE-2017-4354 REJECTED CVE-2017-4353 REJECTED CVE-2017-4352 REJECTED CVE-2017-4351 REJECTED CVE-2017-4350 REJECTED CVE-2017-4349 REJECTED CVE-2017-4348 REJECTED CVE-2017-4347 REJECTED CVE-2017-4346 REJECTED CVE-2017-4345 REJECTED CVE-2017-4344 REJECTED CVE-2017-4343 REJECTED CVE-2017-4342 REJECTED CVE-2017-4341 REJECTED CVE-2017-4340 REJECTED CVE-2017-4339 REJECTED CVE-2017-4338 REJECTED CVE-2017-4337 REJECTED CVE-2017-4336 REJECTED CVE-2017-4335 REJECTED CVE-2017-4334 REJECTED CVE-2017-4333 REJECTED CVE-2017-4332 REJECTED CVE-2017-4331 REJECTED CVE-2017-4330 REJECTED CVE-2017-4329 REJECTED CVE-2017-4328 REJECTED CVE-2017-4327 REJECTED CVE-2017-4326 REJECTED CVE-2017-4325 REJECTED CVE-2017-4324 REJECTED CVE-2017-4323 REJECTED CVE-2017-4322 REJECTED CVE-2017-4321 REJECTED CVE-2017-4320 REJECTED CVE-2017-4319 REJECTED CVE-2017-4318 REJECTED CVE-2017-4317 REJECTED CVE-2017-4316 REJECTED CVE-2017-4315 REJECTED CVE-2017-4314 REJECTED CVE-2017-4313 REJECTED CVE-2017-4312 REJECTED CVE-2017-4311 REJECTED CVE-2017-4310 REJECTED CVE-2017-4309 REJECTED CVE-2017-4308 REJECTED CVE-2017-4307 REJECTED CVE-2017-4306 REJECTED CVE-2017-4305 REJECTED CVE-2017-4304 REJECTED CVE-2017-4303 REJECTED CVE-2017-4302 REJECTED CVE-2017-4301 REJECTED CVE-2017-4300 REJECTED CVE-2017-4299 REJECTED CVE-2017-4298 REJECTED CVE-2017-4297 REJECTED CVE-2017-4296 REJECTED CVE-2017-4295 REJECTED CVE-2017-4294 REJECTED CVE-2017-4293 REJECTED CVE-2017-4292 REJECTED CVE-2017-4291 REJECTED CVE-2017-4290 REJECTED CVE-2017-4289 REJECTED CVE-2017-4288 REJECTED CVE-2017-4287 REJECTED CVE-2017-4286 REJECTED CVE-2017-4285 REJECTED CVE-2017-4284 REJECTED CVE-2017-4283 REJECTED CVE-2017-4282 REJECTED CVE-2017-4281 REJECTED CVE-2017-4280 REJECTED CVE-2017-4279 REJECTED CVE-2017-4278 REJECTED CVE-2017-4277 REJECTED CVE-2017-4276 REJECTED CVE-2017-4275 REJECTED CVE-2017-4274 REJECTED CVE-2017-4273 REJECTED CVE-2017-4272 REJECTED CVE-2017-4271 REJECTED CVE-2017-4270 REJECTED CVE-2017-4269 REJECTED CVE-2017-4268 REJECTED CVE-2017-4267 REJECTED CVE-2017-4266 REJECTED CVE-2017-4265 REJECTED CVE-2017-4264 REJECTED CVE-2017-4263 REJECTED CVE-2017-4262 REJECTED CVE-2017-4261 REJECTED CVE-2017-4260 REJECTED CVE-2017-4259 REJECTED CVE-2017-4258 REJECTED CVE-2017-4257 REJECTED CVE-2017-4256 REJECTED CVE-2017-4255 REJECTED CVE-2017-4254 REJECTED CVE-2017-4253 REJECTED CVE-2017-4252 REJECTED CVE-2017-4251 REJECTED CVE-2017-4250 REJECTED CVE-2017-4249 REJECTED CVE-2017-4248 REJECTED CVE-2017-4247 REJECTED CVE-2017-4246 REJECTED CVE-2017-4245 REJECTED CVE-2017-4244 REJECTED CVE-2017-4243 REJECTED CVE-2017-4242 REJECTED CVE-2017-4241 REJECTED CVE-2017-4240 REJECTED CVE-2017-4239 REJECTED CVE-2017-4238 REJECTED CVE-2017-4237 REJECTED CVE-2017-4236 REJECTED CVE-2017-4235 REJECTED CVE-2017-4234 REJECTED CVE-2017-4233 REJECTED CVE-2017-4232 REJECTED CVE-2017-4231 REJECTED CVE-2017-4230 REJECTED CVE-2017-4229 REJECTED CVE-2017-4228 REJECTED CVE-2017-4227 REJECTED CVE-2017-4226 REJECTED CVE-2017-4225 REJECTED CVE-2017-4224 REJECTED CVE-2017-4223 REJECTED CVE-2017-4222 REJECTED CVE-2017-4221 REJECTED CVE-2017-4220 REJECTED CVE-2017-4219 REJECTED CVE-2017-4218 REJECTED CVE-2017-4217 REJECTED CVE-2017-4216 REJECTED CVE-2017-4215 REJECTED CVE-2017-4214 REJECTED CVE-2017-4213 REJECTED CVE-2017-4212 REJECTED CVE-2017-4211 REJECTED CVE-2017-4210 REJECTED CVE-2017-4209 REJECTED CVE-2017-4208 REJECTED CVE-2017-4207 REJECTED CVE-2017-4206 REJECTED CVE-2017-4205 REJECTED CVE-2017-4204 REJECTED CVE-2017-4203 REJECTED CVE-2017-4202 REJECTED CVE-2017-4201 REJECTED CVE-2017-4200 REJECTED CVE-2017-4199 REJECTED CVE-2017-4198 REJECTED CVE-2017-4197 REJECTED CVE-2017-4196 REJECTED CVE-2017-4195 REJECTED CVE-2017-4194 REJECTED CVE-2017-4193 REJECTED CVE-2017-4192 REJECTED CVE-2017-4191 REJECTED CVE-2017-4190 REJECTED CVE-2017-4189 REJECTED CVE-2017-4188 REJECTED CVE-2017-4187 REJECTED CVE-2017-4186 REJECTED CVE-2017-4185 REJECTED CVE-2017-4184 REJECTED CVE-2017-4183 REJECTED CVE-2017-4182 REJECTED CVE-2017-4181 REJECTED CVE-2017-4180 REJECTED CVE-2017-4179 REJECTED CVE-2017-4178 REJECTED CVE-2017-4177 REJECTED CVE-2017-4176 REJECTED CVE-2017-4175 REJECTED CVE-2017-4174 REJECTED CVE-2017-4173 REJECTED CVE-2017-4172 REJECTED CVE-2017-4171 REJECTED CVE-2017-4170 REJECTED CVE-2017-4169 REJECTED CVE-2017-4168 REJECTED CVE-2017-4167 REJECTED CVE-2017-4166 REJECTED CVE-2017-4165 REJECTED CVE-2017-4164 REJECTED CVE-2017-4163 REJECTED CVE-2017-4162 REJECTED CVE-2017-4161 REJECTED CVE-2017-4160 REJECTED CVE-2017-4159 REJECTED CVE-2017-4158 REJECTED CVE-2017-4157 REJECTED CVE-2017-4156 REJECTED CVE-2017-4155 REJECTED CVE-2017-4154 REJECTED CVE-2017-4153 REJECTED CVE-2017-4152 REJECTED CVE-2017-4151 REJECTED CVE-2017-4150 REJECTED CVE-2017-4149 REJECTED CVE-2017-4148 REJECTED CVE-2017-4147 REJECTED CVE-2017-4146 REJECTED CVE-2017-4145 REJECTED CVE-2017-4144 REJECTED CVE-2017-4143 REJECTED CVE-2017-4142 REJECTED CVE-2017-4141 REJECTED CVE-2017-4140 REJECTED CVE-2017-4139 REJECTED CVE-2017-4138 REJECTED CVE-2017-4137 REJECTED CVE-2017-4136 REJECTED CVE-2017-4135 REJECTED CVE-2017-4134 REJECTED CVE-2017-4133 REJECTED CVE-2017-4132 REJECTED CVE-2017-4131 REJECTED CVE-2017-4130 REJECTED CVE-2017-4129 REJECTED CVE-2017-4128 REJECTED CVE-2017-4127 REJECTED CVE-2017-4126 REJECTED CVE-2017-4125 REJECTED CVE-2017-4124 REJECTED CVE-2017-4123 REJECTED CVE-2017-4122 REJECTED CVE-2017-4121 REJECTED CVE-2017-4120 REJECTED CVE-2017-4119 REJECTED CVE-2017-4118 REJECTED CVE-2017-4117 REJECTED CVE-2017-4116 REJECTED CVE-2017-4115 REJECTED CVE-2017-4114 REJECTED CVE-2017-4113 REJECTED CVE-2017-4112 REJECTED CVE-2017-4111 REJECTED CVE-2017-4110 REJECTED CVE-2017-4109 REJECTED CVE-2017-4108 REJECTED CVE-2017-4107 REJECTED CVE-2017-4106 REJECTED CVE-2017-4105 REJECTED CVE-2017-4104 REJECTED CVE-2017-4103 REJECTED CVE-2017-4102 REJECTED CVE-2017-4101 REJECTED CVE-2017-4100 REJECTED CVE-2017-4099 REJECTED CVE-2017-4098 REJECTED CVE-2017-4097 REJECTED CVE-2017-4096 REJECTED CVE-2017-4095 REJECTED CVE-2017-4094 REJECTED CVE-2017-4093 REJECTED CVE-2017-4092 REJECTED CVE-2017-4091 REJECTED CVE-2017-4090 REJECTED CVE-2017-4089 REJECTED CVE-2017-4088 REJECTED CVE-2017-4087 REJECTED CVE-2017-4086 REJECTED CVE-2017-4085 REJECTED CVE-2017-4084 REJECTED CVE-2017-4083 REJECTED CVE-2017-4082 REJECTED CVE-2017-4081 REJECTED CVE-2017-4080 REJECTED CVE-2017-4079 REJECTED CVE-2017-4078 REJECTED CVE-2017-4077 REJECTED CVE-2017-4076 REJECTED CVE-2017-4075 REJECTED CVE-2017-4074 REJECTED CVE-2017-4073 REJECTED CVE-2017-4072 REJECTED CVE-2017-4071 REJECTED CVE-2017-4070 REJECTED CVE-2017-4069 REJECTED CVE-2017-4068 REJECTED CVE-2017-4067 REJECTED CVE-2017-4066 REJECTED CVE-2017-4065 REJECTED CVE-2017-4064 REJECTED CVE-2017-4063 REJECTED CVE-2017-4062 REJECTED CVE-2017-4061 REJECTED CVE-2017-4060 REJECTED CVE-2017-4059 REJECTED CVE-2017-4058 REJECTED CVE-2017-4057 (Privilege Escalation vulnerability in the web interface in McAfee Adva ...) NOT-FOR-US: McAfee CVE-2017-4056 REJECTED CVE-2017-4055 (Exploitation of Authentication vulnerability in the web interface in M ...) NOT-FOR-US: McAfee CVE-2017-4054 (Command Injection vulnerability in the web interface in McAfee Advance ...) NOT-FOR-US: McAfee CVE-2017-4053 (Command Injection vulnerability in the web interface in McAfee Advance ...) NOT-FOR-US: McAfee CVE-2017-4052 (Authentication Bypass vulnerability in the web interface in McAfee Adv ...) NOT-FOR-US: McAfee CVE-2017-4051 RESERVED CVE-2017-4050 RESERVED CVE-2017-4049 REJECTED CVE-2017-4048 REJECTED CVE-2017-4047 REJECTED CVE-2017-4046 REJECTED CVE-2017-4045 REJECTED CVE-2017-4044 REJECTED CVE-2017-4043 REJECTED CVE-2017-4042 REJECTED CVE-2017-4041 REJECTED CVE-2017-4040 REJECTED CVE-2017-4039 REJECTED CVE-2017-4038 REJECTED CVE-2017-4037 REJECTED CVE-2017-4036 RESERVED CVE-2017-4035 REJECTED CVE-2017-4034 REJECTED CVE-2017-4033 REJECTED CVE-2017-4032 REJECTED CVE-2017-4031 REJECTED CVE-2017-4030 REJECTED CVE-2017-4029 REJECTED CVE-2017-4028 (Maliciously misconfigured registry vulnerability in all Microsoft Wind ...) NOT-FOR-US: MacAfee CVE-2017-4027 REJECTED CVE-2017-4026 REJECTED CVE-2017-4025 REJECTED CVE-2017-4024 REJECTED CVE-2017-4023 REJECTED CVE-2017-4022 REJECTED CVE-2017-4021 REJECTED CVE-2017-4020 REJECTED CVE-2017-4019 REJECTED CVE-2017-4018 REJECTED CVE-2017-4017 (User Name Disclosure in the server in McAfee Network Data Loss Prevent ...) NOT-FOR-US: McAfee CVE-2017-4016 (Web Server method disclosure in the server in McAfee Network Data Loss ...) NOT-FOR-US: McAfee CVE-2017-4015 (Clickjacking vulnerability in the server in McAfee Network Data Loss P ...) NOT-FOR-US: McAfee CVE-2017-4014 (Session Side jacking vulnerability in the server in McAfee Network Dat ...) NOT-FOR-US: McAfee CVE-2017-4013 (Banner Disclosure in the server in McAfee Network Data Loss Prevention ...) NOT-FOR-US: McAfee CVE-2017-4012 (Privilege Escalation vulnerability in the server in McAfee Network Dat ...) NOT-FOR-US: McAfee CVE-2017-4011 (Embedding Script (XSS) in HTTP Headers vulnerability in the server in ...) NOT-FOR-US: McAfee CVE-2017-4010 REJECTED CVE-2017-4009 REJECTED CVE-2017-4008 REJECTED CVE-2017-4007 REJECTED CVE-2017-4006 REJECTED CVE-2017-4005 REJECTED CVE-2017-4004 REJECTED CVE-2017-4003 REJECTED CVE-2017-4002 REJECTED CVE-2017-4001 REJECTED CVE-2017-4000 REJECTED CVE-2017-3999 REJECTED CVE-2017-3998 REJECTED CVE-2017-3997 REJECTED CVE-2017-3996 RESERVED CVE-2017-3995 REJECTED CVE-2017-3994 REJECTED CVE-2017-3993 REJECTED CVE-2017-3992 REJECTED CVE-2017-3991 REJECTED CVE-2017-3990 REJECTED CVE-2017-3989 REJECTED CVE-2017-3988 RESERVED CVE-2017-3987 REJECTED CVE-2017-3986 REJECTED CVE-2017-3985 REJECTED CVE-2017-3984 REJECTED CVE-2017-3983 REJECTED CVE-2017-3982 REJECTED CVE-2017-3981 REJECTED CVE-2017-3980 (A directory traversal vulnerability in the ePO Extension in McAfee ePo ...) NOT-FOR-US: McAfee ePolicy Orchestrator CVE-2017-3979 REJECTED CVE-2017-3978 REJECTED CVE-2017-3977 REJECTED CVE-2017-3976 REJECTED CVE-2017-3975 REJECTED CVE-2017-3974 REJECTED CVE-2017-3973 REJECTED CVE-2017-3972 (Infrastructure-based foot printing vulnerability in the web interface ...) NOT-FOR-US: McAfee CVE-2017-3971 (Cryptanalysis vulnerability in the web interface in McAfee Network Sec ...) NOT-FOR-US: McAfee CVE-2017-3970 RESERVED CVE-2017-3969 (Abuse of communication channels vulnerability in the server in McAfee ...) NOT-FOR-US: McAfee CVE-2017-3968 (Session fixation vulnerability in the web interface in McAfee Network ...) NOT-FOR-US: McAfee CVE-2017-3967 (Target influence via framing vulnerability in the web interface in McA ...) NOT-FOR-US: McAfee CVE-2017-3966 (Exploitation of session variables, resource IDs and other trusted cred ...) NOT-FOR-US: McAfee CVE-2017-3965 (Cross-Site Request Forgery (CSRF) (aka Session Riding) vulnerability i ...) NOT-FOR-US: McAfee CVE-2017-3964 (Reflective Cross-Site Scripting (XSS) vulnerability in the web interfa ...) NOT-FOR-US: McAfee CVE-2017-3963 REJECTED CVE-2017-3962 (Password recovery exploitation vulnerability in the non-certificate-ba ...) NOT-FOR-US: McAfee CVE-2017-3961 (Cross-Site Scripting (XSS) vulnerability in the web interface in McAfe ...) NOT-FOR-US: McAfee CVE-2017-3960 (Exploitation of Authorization vulnerability in the web interface in Mc ...) NOT-FOR-US: McAfee CVE-2017-3959 REJECTED CVE-2017-3958 REJECTED CVE-2017-3957 REJECTED CVE-2017-3956 REJECTED CVE-2017-3955 REJECTED CVE-2017-3954 REJECTED CVE-2017-3953 REJECTED CVE-2017-3952 REJECTED CVE-2017-3951 REJECTED CVE-2017-3950 REJECTED CVE-2017-3949 REJECTED CVE-2017-3948 (Cross Site Scripting (XSS) in IMG Tags in the ePO extension in McAfee ...) NOT-FOR-US: McAfee CVE-2017-3947 REJECTED CVE-2017-3946 REJECTED CVE-2017-3945 REJECTED CVE-2017-3944 REJECTED CVE-2017-3943 REJECTED CVE-2017-3942 REJECTED CVE-2017-3941 REJECTED CVE-2017-3940 REJECTED CVE-2017-3939 REJECTED CVE-2017-3938 REJECTED CVE-2017-3937 RESERVED CVE-2017-3936 (OS Command Injection vulnerability in McAfee ePolicy Orchestrator (ePO ...) NOT-FOR-US: McAfee CVE-2017-3935 (Network Data Loss Prevention is vulnerable to MIME type sniffing which ...) NOT-FOR-US: McAfee Network Data Loss Prevention CVE-2017-3934 (Missing HTTP Strict Transport Security state information vulnerability ...) NOT-FOR-US: McAfee Network Data Loss Prevention CVE-2017-3933 (Embedding Script (XSS) in HTTP Headers vulnerability in McAfee Network ...) NOT-FOR-US: McAfee Network Data Loss Prevention CVE-2017-3932 RESERVED CVE-2017-3931 REJECTED CVE-2017-3930 REJECTED CVE-2017-3929 REJECTED CVE-2017-3928 RESERVED CVE-2017-3927 RESERVED CVE-2017-3926 RESERVED CVE-2017-3925 RESERVED CVE-2017-3924 RESERVED CVE-2017-3923 RESERVED CVE-2017-3922 RESERVED CVE-2017-3921 RESERVED CVE-2017-3920 RESERVED CVE-2017-3919 RESERVED CVE-2017-3918 RESERVED CVE-2017-3917 RESERVED CVE-2017-3916 RESERVED CVE-2017-3915 RESERVED CVE-2017-3914 RESERVED CVE-2017-3913 RESERVED CVE-2017-3912 (Bypassing password security vulnerability in McAfee Application and Ch ...) NOT-FOR-US: McAfee CVE-2017-3911 RESERVED CVE-2017-3910 RESERVED CVE-2017-3909 RESERVED CVE-2017-3908 RESERVED CVE-2017-3907 (Code Injection vulnerability in the ePolicy Orchestrator (ePO) extensi ...) NOT-FOR-US: McAfee CVE-2017-3906 RESERVED CVE-2017-3905 RESERVED CVE-2017-3904 RESERVED CVE-2017-3903 RESERVED CVE-2017-3902 (Cross-site scripting (XSS) vulnerability in the Web user interface (UI ...) NOT-FOR-US: Intel Security ePO CVE-2017-3901 RESERVED CVE-2017-3900 RESERVED CVE-2017-3899 (SQL injection vulnerability in Intel Security Advanced Threat Defense ...) NOT-FOR-US: Intel antivirus CVE-2017-3898 (A man-in-the-middle attack vulnerability in the non-certificate-based ...) NOT-FOR-US: McAfee CVE-2017-3897 (A Code Injection vulnerability in the non-certificate-based authentica ...) NOT-FOR-US: McAfee CVE-2017-3896 (Unvalidated parameter vulnerability in the remote log viewing capabili ...) NOT-FOR-US: Intel McAfee CVE-2017-3895 REJECTED CVE-2016-10087 (The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before ...) - libpng1.6 1.6.27-1 (bug #849799) - libpng [jessie] - libpng 1.2.50-2+deb8u3 [wheezy] - libpng (Minor issue) NOTE: Fixed in 1.0.67, 1.2.57, 1.4.20, 1.5.28, 1.6.27 NOTE: https://sourceforge.net/p/libpng/code/ci/243d4e5f3fe71740d52a53cf3dd77cc83a3430ba NOTE: https://sourceforge.net/p/libpng/code/ci/812768d7a9c973452222d454634496b25ed415eb (libpng16) NOTE: https://sourceforge.net/p/libpng/code/ci/794a15fad6add4d636369d0b46f603a02995b2e2/ (libpng12) CVE-2016-10075 (The tqdm._version module in tqdm versions 4.4.1 and 4.10 allows local ...) - tqdm 4.11.2-1 (bug #849632) NOTE: https://github.com/tqdm/tqdm/issues/328 CVE-2016-10074 (The mail transport (aka Swift_Transport_MailTransport) in Swift Mailer ...) {DSA-3769-1 DLA-792-1} - libphp-swiftmailer 5.4.2-1.1 (bug #849626) NOTE: https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html NOTE: https://github.com/swiftmailer/swiftmailer/issues/844 NOTE: Fixed by https://github.com/swiftmailer/swiftmailer/commit/e6ccf40d856af9598b76eb313b215eed25ae9e86 CVE-2016-10073 (The from method in library/core/class.email.php in Vanilla Forums befo ...) NOT-FOR-US: Vanilla Forums CVE-2016-10072 (** DISPUTED ** WampServer 3.0.6 has two files called 'wampmanager.exe' ...) NOT-FOR-US: WampServer CVE-2016-10044 (The aio_mount function in fs/aio.c in the Linux kernel before 4.7.7 do ...) - linux 4.7.8-1 [jessie] - linux 3.16.43-1 [wheezy] - linux (Changes required are too invasive) CVE-2016-10043 (An issue was discovered in Radisys MRF Web Panel (SWMS) 9.0.1. The MSM ...) NOT-FOR-US: Radisys MRF Web Panel CVE-2016-10042 (Authorization Bypass in the Web interface of Arcadyan SLT-00 Star* (ak ...) NOT-FOR-US: Arcadyan SLT-00 Star* devices CVE-2016-10041 (An issue was discovered in Sprecher Automation SPRECON-E Service Progr ...) NOT-FOR-US: Sprecher Automation SPRECON-E Service CVE-2016-10040 (Stack-based buffer overflow in QXmlSimpleReader in Qt 4.8.5 allows rem ...) - qt4-x11 4:4.8.7+dfsg-1 (low; bug #851058) [jessie] - qt4-x11 (Minor issue) [wheezy] - qt4-x11 (Minor issue) - qtbase-opensource-src 5.2.0+dfsg-7 NOTE: CVE assignment specific to http://www.openwall.com/lists/oss-security/2016/12/24/2 NOTE: http://www.openwall.com/lists/oss-security/2016/12/24/1 NOTE: https://github.com/qt/qtbase/commit/f1053d94f59f053ce4acad9320df14f1fbe4faac CVE-2016-10039 (Directory traversal in /connectors/index.php in MODX Revolution before ...) NOT-FOR-US: MODX Revolution CVE-2016-10038 (Directory traversal in /connectors/index.php in MODX Revolution before ...) NOT-FOR-US: MODX Revolution CVE-2016-10037 (Directory traversal in /connectors/index.php in MODX Revolution before ...) NOT-FOR-US: MODX Revolution CVE-2016-10036 (Unrestricted file upload vulnerability in ui/artifact/upload in JFrog ...) NOT-FOR-US: JFrog Artifactory CVE-2016-10035 RESERVED CVE-2016-10034 (The setFrom function in the Sendmail adapter in the zend-mail componen ...) - zendframework (Vulnerable code not present in ZF1, cf. #850215) NOTE: https://framework.zend.com/security/advisory/ZF2016-04 NOTE: https://github.com/zendframework/zendframework/commit/7c1e89815f5a9c016f4b8088e59b07cb2bf99dc0 NOTE: http://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html CVE-2014-9914 (Race condition in the ip4_datagram_release_cb function in net/ipv4/dat ...) - linux 3.16.2-1 [wheezy] - linux (Vulnerable code introduced later) CVE-2016-10045 (The isMail transport in PHPMailer before 5.2.20 might allow remote att ...) - libphp-phpmailer (Incomplete fix not applied) NOTE: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html CVE-2016-10033 (The mailSend function in the isMail transport in PHPMailer before 5.2. ...) {DSA-3750-1 DLA-770-1} - libphp-phpmailer 5.2.14+dfsg-2.1 (bug #849365) NOTE: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html NOTE: Fixed by: https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fbd09afd33307cef164edf807cdc#diff-ace81e501931d8763b49f2410cf3094dR1449 NOTE: Fix potentially incomplete, cf http://www.openwall.com/lists/oss-security/2016/12/28/1 NOTE: When updating libphp-phpmailer for CVE-2016-10033 make sure to apply the NOTE: complete patch to not make libphp-phpmailer affected by CVE-2016-10045. NOTE: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html NOTE: Needs followup: https://github.com/PHPMailer/PHPMailer/commit/9743ff5c7ee16e8d49187bd2e11149afb9485eae NOTE: Another followup: https://github.com/PHPMailer/PHPMailer/commit/833c35fe39715c3d01934508987e97af1fbc1ba0 CVE-2016-10032 RESERVED CVE-2016-10031 (** DISPUTED ** WampServer 3.0.6 installs two services called 'wampapac ...) NOT-FOR-US: WampServer CVE-2016-10030 (The _prolog_error function in slurmd/req.c in Slurm before 15.08.13, 1 ...) {DLA-921-1} - slurm-llnl 16.05.8-1 (bug #850491) [jessie] - slurm-llnl 14.03.9-5+deb8u1 NOTE: https://www.schedmd.com/news.php?id=178 NOTE: https://github.com/SchedMD/slurm/commit/92362a92fffe60187df61f99ab11c249d44120ee CVE-2017-3894 (A stored cross site scripting vulnerability in the Management Console ...) NOT-FOR-US: BlackBerry CVE-2017-3893 (In BlackBerry QNX Software Development Platform (SDP) 6.6.0, the defau ...) NOT-FOR-US: BlackBerry QNX Software Development Platform (SDP) CVE-2017-3892 (In BlackBerry QNX Software Development Platform (SDP) 6.6.0, an inform ...) NOT-FOR-US: BlackBerry QNX Software Development Platform (SDP) CVE-2017-3891 (In BlackBerry QNX Software Development Platform (SDP) 6.6.0, an elevat ...) NOT-FOR-US: BlackBerry QNX Software Development Platform (SDP) CVE-2017-3890 (A reflected cross-site scripting vulnerability in the BlackBerry Watch ...) NOT-FOR-US: BlackBerry CVE-2017-3889 (A vulnerability in the web interface of the Cisco Registered Envelope ...) NOT-FOR-US: Cisco CVE-2017-3888 (A vulnerability in the web-based management interface of Cisco Unified ...) NOT-FOR-US: Cisco CVE-2017-3887 (A vulnerability in the detection engine that handles Secure Sockets La ...) NOT-FOR-US: Cisco CVE-2017-3886 (A vulnerability in the Cisco Unified Communications Manager web interf ...) NOT-FOR-US: Cisco CVE-2017-3885 (A vulnerability in the detection engine reassembly of Secure Sockets L ...) NOT-FOR-US: Cisco CVE-2017-3884 (A vulnerability in the web interface of Cisco Prime Infrastructure and ...) NOT-FOR-US: Cisco CVE-2017-3883 (A vulnerability in the authentication, authorization, and accounting ( ...) NOT-FOR-US: Cisco CVE-2017-3882 (A vulnerability in the Universal Plug-and-Play (UPnP) implementation i ...) NOT-FOR-US: Cisco CVE-2017-3881 (A vulnerability in the Cisco Cluster Management Protocol (CMP) process ...) NOT-FOR-US: Cisco CVE-2017-3880 (An Authentication Bypass vulnerability in Cisco WebEx Meetings Server ...) NOT-FOR-US: Cisco CVE-2017-3879 (A Denial of Service vulnerability in the remote login functionality fo ...) NOT-FOR-US: Cisco CVE-2017-3878 (A Denial of Service vulnerability in the Telnet remote login functiona ...) NOT-FOR-US: Cisco CVE-2017-3877 (A vulnerability in the web framework of Cisco Unified Communications M ...) NOT-FOR-US: Cisco CVE-2017-3876 (A vulnerability in the Event Management Service daemon (emsd) of Cisco ...) NOT-FOR-US: Cisco CVE-2017-3875 (An Access-Control Filtering Mechanisms Bypass vulnerability in certain ...) NOT-FOR-US: Cisco CVE-2017-3874 (A vulnerability in the web framework of Cisco Unified Communications M ...) NOT-FOR-US: Cisco CVE-2017-3873 (A vulnerability in the Plug-and-Play (PnP) subsystem of the Cisco Airo ...) NOT-FOR-US: Cisco CVE-2017-3872 (A cross-site scripting (XSS) filter bypass vulnerability in the web-ba ...) NOT-FOR-US: Cisco CVE-2017-3871 (A RADIUS Secret Disclosure vulnerability in the web network management ...) NOT-FOR-US: Cisco CVE-2017-3870 (A vulnerability in the URL filtering feature of Cisco AsyncOS Software ...) NOT-FOR-US: Cisco CVE-2017-3869 (An API Credentials Management vulnerability in the APIs for Cisco Prim ...) NOT-FOR-US: Cisco CVE-2017-3868 (A vulnerability in the web-based management interface of Cisco UCS Dir ...) NOT-FOR-US: Cisco CVE-2017-3867 (A vulnerability in the Border Gateway Protocol (BGP) Bidirectional For ...) NOT-FOR-US: Cisco CVE-2017-3866 (A vulnerability in the web framework code of Cisco Prime Service Catal ...) NOT-FOR-US: Cisco CVE-2017-3865 (A vulnerability in the IPsec component of Cisco StarOS for Cisco ASR 5 ...) NOT-FOR-US: Cisco CVE-2017-3864 (A vulnerability in the DHCP client implementation of Cisco IOS (12.2, ...) NOT-FOR-US: Cisco CVE-2017-3863 (Multiple vulnerabilities in the EnergyWise module of Cisco IOS (12.2 a ...) NOT-FOR-US: Cisco CVE-2017-3862 (Multiple vulnerabilities in the EnergyWise module of Cisco IOS (12.2 a ...) NOT-FOR-US: Cisco CVE-2017-3861 (Multiple vulnerabilities in the EnergyWise module of Cisco IOS (12.2 a ...) NOT-FOR-US: Cisco CVE-2017-3860 (Multiple vulnerabilities in the EnergyWise module of Cisco IOS (12.2 a ...) NOT-FOR-US: Cisco CVE-2017-3859 (A vulnerability in the DHCP code for the Zero Touch Provisioning featu ...) NOT-FOR-US: Cisco CVE-2017-3858 (A vulnerability in the web framework of Cisco IOS XE Software could al ...) NOT-FOR-US: Cisco CVE-2017-3857 (A vulnerability in the Layer 2 Tunneling Protocol (L2TP) parsing funct ...) NOT-FOR-US: Cisco CVE-2017-3856 (A vulnerability in the web user interface of Cisco IOS XE 3.1 through ...) NOT-FOR-US: Cisco CVE-2017-3855 RESERVED CVE-2017-3854 (A vulnerability in the mesh code of Cisco Wireless LAN Controller (WLC ...) NOT-FOR-US: Cisco CVE-2017-3853 (A vulnerability in the Data-in-Motion (DMo) process installed with the ...) NOT-FOR-US: Cisco CVE-2017-3852 (A vulnerability in the Cisco application-hosting framework (CAF) compo ...) NOT-FOR-US: Cisco CVE-2017-3851 (A Directory Traversal vulnerability in the web framework code of the C ...) NOT-FOR-US: Cisco CVE-2017-3850 (A vulnerability in the Autonomic Networking Infrastructure (ANI) featu ...) NOT-FOR-US: Cisco CVE-2017-3849 (A vulnerability in the Autonomic Networking Infrastructure (ANI) regis ...) NOT-FOR-US: Cisco CVE-2017-3848 (A vulnerability in the HTTP web-based management interface of Cisco Pr ...) NOT-FOR-US: Cisco CVE-2017-3847 (A vulnerability in the web framework of Cisco Firepower Management Cen ...) NOT-FOR-US: Cisco CVE-2017-3846 (A vulnerability in the Client Manager Server of Cisco Workload Automat ...) NOT-FOR-US: Cisco CVE-2017-3845 (A vulnerability in the web-based management interface of Cisco Prime C ...) NOT-FOR-US: Cisco CVE-2017-3844 (A vulnerability in exporting functions of the user interface for Cisco ...) NOT-FOR-US: Cisco CVE-2017-3843 (A vulnerability in the file download functions for Cisco Prime Collabo ...) NOT-FOR-US: Cisco CVE-2017-3842 (A vulnerability in the web-based management interface of the Cisco Int ...) NOT-FOR-US: Cisco CVE-2017-3841 (A vulnerability in the web interface of the Cisco Secure Access Contro ...) NOT-FOR-US: Cisco CVE-2017-3840 (A vulnerability in the web interface of the Cisco Secure Access Contro ...) NOT-FOR-US: Cisco CVE-2017-3839 (An XML External Entity vulnerability in the web-based user interface o ...) NOT-FOR-US: Cisco CVE-2017-3838 (A vulnerability in Cisco Secure Access Control System (ACS) could allo ...) NOT-FOR-US: Cisco CVE-2017-3837 (An HTTP Packet Processing vulnerability in the Web Bridge interface of ...) NOT-FOR-US: Cisco CVE-2017-3836 (A vulnerability in the web framework Cisco Unified Communications Mana ...) NOT-FOR-US: Cisco CVE-2017-3835 (A vulnerability in the sponsor portal of Cisco Identity Services Engin ...) NOT-FOR-US: Cisco CVE-2017-3834 (A vulnerability in Cisco Aironet 1830 Series and Cisco Aironet 1850 Se ...) NOT-FOR-US: Cisco CVE-2017-3833 (A vulnerability in the web framework of Cisco Unified Communications M ...) NOT-FOR-US: Cisco CVE-2017-3832 (A vulnerability in the web management interface of Cisco Wireless LAN ...) NOT-FOR-US: Cisco CVE-2017-3831 (A vulnerability in the web-based GUI of Cisco Mobility Express 1800 Se ...) NOT-FOR-US: Cisco CVE-2017-3830 (A vulnerability in an internal API of the Cisco Meeting Server (CMS) c ...) NOT-FOR-US: Cisco CVE-2017-3829 (A vulnerability in the web-based management interface of Cisco Unified ...) NOT-FOR-US: Cisco CVE-2017-3828 (A vulnerability in the web-based management interface of Cisco Unified ...) NOT-FOR-US: Cisco CVE-2017-3827 (A vulnerability in the Multipurpose Internet Mail Extensions (MIME) sc ...) NOT-FOR-US: Cisco CVE-2017-3826 (A vulnerability in the Stream Control Transmission Protocol (SCTP) dec ...) NOT-FOR-US: Cisco CVE-2017-3825 (A vulnerability in the ICMP ingress packet processing of Cisco TelePre ...) NOT-FOR-US: Cisco CVE-2017-3824 (A vulnerability in the handling of list headers in Cisco cBR Series Co ...) NOT-FOR-US: Cisco CVE-2017-3823 (An issue was discovered in the Cisco WebEx Extension before 1.0.7 on G ...) NOT-FOR-US: Cisco CVE-2017-3822 (A vulnerability in the logging subsystem of the Cisco Firepower Threat ...) NOT-FOR-US: Cisco Firepower Threat Defense CVE-2017-3821 (A vulnerability in the serviceability page of Cisco Unified Communicat ...) NOT-FOR-US: Cisco CVE-2017-3820 (A vulnerability in Simple Network Management Protocol (SNMP) functions ...) NOT-FOR-US: Cisco IOS XE CVE-2017-3819 (A privilege escalation vulnerability in the Secure Shell (SSH) subsyst ...) NOT-FOR-US: Cisco CVE-2017-3818 (A vulnerability in the Multipurpose Internet Mail Extensions (MIME) sc ...) NOT-FOR-US: Cisco Email Security Appliances CVE-2017-3817 (A vulnerability in the role-based resource checking functionality of C ...) NOT-FOR-US: Cisco CVE-2017-3816 RESERVED CVE-2017-3815 (An API Privilege vulnerability in Cisco TelePresence Server Software c ...) NOT-FOR-US: Cisco CVE-2017-3814 (A vulnerability in Cisco Firepower System Software could allow an unau ...) NOT-FOR-US: Cisco Firepower System Software CVE-2017-3813 (A vulnerability in the Start Before Logon (SBL) module of Cisco AnyCon ...) NOT-FOR-US: Cisco CVE-2017-3812 (A vulnerability in the implementation of Common Industrial Protocol (C ...) NOT-FOR-US: Cisco Industrial Ethernet 2000 Series Switches CVE-2017-3811 (An XML External Entity vulnerability in Cisco WebEx Meetings Server co ...) NOT-FOR-US: Cisco CVE-2017-3810 (A vulnerability in the web framework of Cisco Prime Service Catalog co ...) NOT-FOR-US: Cisco Prime Service Catalog CVE-2017-3809 (A vulnerability in the Policy deployment module of the Cisco Firepower ...) NOT-FOR-US: Cisco Firepower Management Center CVE-2017-3808 (A vulnerability in the Session Initiation Protocol (SIP) UDP throttlin ...) NOT-FOR-US: Cisco CVE-2017-3807 (A vulnerability in Common Internet Filesystem (CIFS) code in the Clien ...) NOT-FOR-US: Cisco CVE-2017-3806 (A vulnerability in CLI command processing in the Cisco Firepower 4100 ...) NOT-FOR-US: Cisco Firepower CVE-2017-3805 (A vulnerability in the web-based management interface of Cisco IOS and ...) NOT-FOR-US: Cisco IOS CVE-2017-3804 (A vulnerability in Intermediate System-to-Intermediate System (IS-IS) ...) NOT-FOR-US: Cisco CVE-2017-3803 (A vulnerability in the Cisco IOS Software forwarding queue of Cisco 29 ...) NOT-FOR-US: Cisco CVE-2017-3802 (A vulnerability in Cisco Unified Communications Manager could allow an ...) NOT-FOR-US: Cisco CVE-2017-3801 (A vulnerability in the web-based GUI of Cisco UCS Director 6.0.0.0 and ...) NOT-FOR-US: Cisco CVE-2017-3800 (A vulnerability in the content scanning engine of Cisco AsyncOS Softwa ...) NOT-FOR-US: Cisco Email Security Appliance CVE-2017-3799 (A vulnerability in a URL parameter of Cisco WebEx Meeting Center could ...) NOT-FOR-US: Cisco CVE-2017-3798 (A cross-site scripting (XSS) filter bypass vulnerability in the web-ba ...) NOT-FOR-US: Cisco CVE-2017-3797 (A vulnerability in Cisco WebEx Meetings Server could allow an unauthen ...) NOT-FOR-US: Cisco CVE-2017-3796 (A vulnerability in Cisco WebEx Meetings Server could allow an authenti ...) NOT-FOR-US: Cisco CVE-2017-3795 (A vulnerability in Cisco WebEx Meetings Server could allow an authenti ...) NOT-FOR-US: Cisco CVE-2017-3794 (A vulnerability in Cisco WebEx Meetings Server could allow an unauthen ...) NOT-FOR-US: Cisco CVE-2017-3793 (A vulnerability in the TCP normalizer of Cisco Adaptive Security Appli ...) NOT-FOR-US: Cisco CVE-2017-3792 (A vulnerability in a proprietary device driver in the kernel of Cisco ...) NOT-FOR-US: Cisco TelePresence CVE-2017-3791 (A vulnerability in the web-based GUI of Cisco Prime Home could allow a ...) NOT-FOR-US: Cisco CVE-2017-3790 (A vulnerability in the received packet parser of Cisco Expressway Seri ...) NOT-FOR-US: Cisco Expressway CVE-2016-5103 REJECTED CVE-2016-10027 (Race condition in the XMPP library in Smack before 4.1.9, when the Sec ...) - libsmack-java (bug #640873) CVE-2016-10023 REJECTED CVE-2016-10022 REJECTED CVE-2016-10021 REJECTED CVE-2016-10020 REJECTED CVE-2016-10019 REJECTED CVE-2016-10018 REJECTED CVE-2016-10017 REJECTED CVE-2016-10016 REJECTED CVE-2016-10015 REJECTED CVE-2016-10014 REJECTED CVE-2016-9645 (The fix for ikiwiki for CVE-2016-10026 was incomplete resulting in edi ...) - ikiwiki 3.20161229 [jessie] - ikiwiki (Incomplete fix for CVE-2016-10026 not applied) [wheezy] - ikiwiki (Incomplete fix for CVE-2016-10026 not applied) NOTE: https://ikiwiki.info/security/#cve-2016-9645 CVE-2016-10026 (ikiwiki 3.20161219 does not properly check if a revision changes the a ...) {DSA-3760-1 DLA-812-1} - ikiwiki 3.20161219 NOTE: http://ikiwiki.info/bugs/rcs_revert_can_bypass_authorization_if_affected_files_were_renamed/ NOTE: Fix: http://source.ikiwiki.branchable.com/?p=source.git;a=commitdiff;h=9cada49ed6ad24556dbe9861ad5b0a9f526167f9 NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/7 NOTE: When fixing this issue make sure to apply the complete correct fix to NOTE: not open ikiwiki to be vulnerable for CVE-2016-9645. CVE-2016-10025 (VMFUNC emulation in Xen 4.6.x through 4.8.x on x86 systems using AMD v ...) - xen 4.8.0-1 [jessie] - xen (Vulnerable code introduced later) [wheezy] - xen (Vulnerable code introduced later) NOTE: https://xenbits.xen.org/xsa/advisory-203.html CVE-2016-10024 (Xen through 4.8.x allows local x86 PV guest OS kernel administrators t ...) {DSA-3847-1 DLA-783-1} - xen 4.8.0-1 NOTE: https://xenbits.xen.org/xsa/advisory-202.html CVE-2016-10028 (The virgl_cmd_get_capset function in hw/display/virtio-gpu-3d.c in QEM ...) - qemu 1:2.10.0-1 (bug #849798; unimportant) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-12/msg01903.html NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/1 NOTE: Marked as unimportant, since 1:2.8+dfsg-2 reverted the support for NOTE: virtio gpu (virglrenderer) and opengl, but the affected code is NOTE: still present. NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=abd7f08b2353f43274b785db8c7224f082ef4d31 (v2.9.0-rc0) CVE-2016-10029 (The virtio_gpu_set_scanout function in QEMU (aka Quick Emulator) built ...) - qemu 1:2.7+dfsg-1 [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=acfc4846508a02cc4c83aa27799fd7 (v2.7.0-rc0) NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=2fe760554eb3769d70f608a158474f (v2.7.0-rc0) NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/2 CVE-2017-3789 REJECTED CVE-2017-3788 REJECTED CVE-2017-3787 REJECTED CVE-2017-3786 REJECTED CVE-2017-3785 REJECTED CVE-2017-3784 REJECTED CVE-2017-3783 REJECTED CVE-2017-3782 REJECTED CVE-2017-3781 REJECTED CVE-2017-3780 REJECTED CVE-2017-3779 REJECTED CVE-2017-3778 REJECTED CVE-2017-3777 REJECTED CVE-2017-3776 (Lenovo Help Android mobile app versions earlier than 6.1.2.0327 allowe ...) NOT-FOR-US: Lenovo Help Android mobile app CVE-2017-3775 (Some Lenovo System x server BIOS/UEFI versions, when Secure Boot mode ...) NOT-FOR-US: Lenovo CVE-2017-3774 (A stack overflow vulnerability was discovered within the web administr ...) NOT-FOR-US: IBM CVE-2017-3773 REJECTED CVE-2017-3772 RESERVED CVE-2017-3771 (System boot process is not adequately secured In Lenovo E95 and ThinkC ...) NOT-FOR-US: Lenovo CVE-2017-3770 (Privilege escalation vulnerability in LXCA versions earlier than 1.3.2 ...) NOT-FOR-US: Lenovo LXCA CVE-2017-3769 RESERVED CVE-2017-3768 (An unprivileged attacker with connectivity to the IMM2 could cause a d ...) NOT-FOR-US: IBM System x / IMM2 CVE-2017-3767 (A local privilege escalation vulnerability was identified in the Realt ...) NOT-FOR-US: Lenovo CVE-2017-3766 RESERVED CVE-2017-3765 (In Enterprise Networking Operating System (ENOS) in Lenovo and IBM Rac ...) NOT-FOR-US: IBM RackSwitch and BladeCenter products CVE-2017-3764 (A vulnerability was identified in Lenovo XClarity Administrator (LXCA) ...) NOT-FOR-US: Lenovo XClarity Administrator CVE-2017-3763 (An attacker who obtains access to the location where the LXCA file sys ...) NOT-FOR-US: Lenovo LXCA CVE-2017-3762 (Sensitive data stored by Lenovo Fingerprint Manager Pro, version 8.01. ...) NOT-FOR-US: Lenovo Fingerprint Manager Pro CVE-2017-3761 (The Lenovo Service Framework Android application executes some system ...) NOT-FOR-US: Lenovo CVE-2017-3760 (The Lenovo Service Framework Android application uses a set of nonsecu ...) NOT-FOR-US: Lenovo CVE-2017-3759 (The Lenovo Service Framework Android application accepts some response ...) NOT-FOR-US: Lenovo CVE-2017-3758 (Improper access controls on several Android components in the Lenovo S ...) NOT-FOR-US: Lenovo CVE-2017-3757 (An unquoted service path vulnerability was identified in the driver fo ...) NOT-FOR-US: Lenovo CVE-2017-3756 (A privilege escalation vulnerability was identified in Lenovo Active P ...) NOT-FOR-US: Lenovo CVE-2017-3755 RESERVED CVE-2017-3754 (Some Lenovo brand notebook systems do not have write protections prope ...) NOT-FOR-US: Lenovo CVE-2017-3753 (A vulnerability has been identified in some Lenovo products that use U ...) NOT-FOR-US: Lenovo CVE-2017-3752 (An industry-wide vulnerability has been identified in the implementati ...) NOT-FOR-US: Lenovo CVE-2017-3751 (An unquoted service path vulnerability was identified in the driver fo ...) NOT-FOR-US: driver for the ThinkPad Compact USB Keyboard with TrackPoint CVE-2017-3750 (On Lenovo VIBE mobile phones, the Lenovo Security Android application ...) NOT-FOR-US: Lenovo CVE-2017-3749 (On Lenovo VIBE mobile phones, the Idea Friend Android application allo ...) NOT-FOR-US: Lenovo CVE-2017-3748 (On Lenovo VIBE mobile phones, improper access controls on the nac_serv ...) NOT-FOR-US: Lenovo CVE-2017-3747 (Privilege escalation vulnerability in Lenovo Nerve Center for Windows ...) NOT-FOR-US: Lenovo CVE-2017-3746 (ThinkPad USB 3.0 Ethernet Adapter (part number 4X90E51405) driver, var ...) NOT-FOR-US: Lenovo CVE-2017-3745 (In Lenovo XClarity Administrator (LXCA) before 1.3.0, if service data ...) NOT-FOR-US: Lenovo CVE-2017-3744 (In the IMM2 firmware of Lenovo System x servers, remote commands issue ...) NOT-FOR-US: Lenovo CVE-2017-3743 (If multiple users are concurrently logged into a single system where o ...) NOT-FOR-US: Lenovo CVE-2017-3742 (In Lenovo Connect2 versions earlier than 4.2.5.4885 for Windows and 4. ...) NOT-FOR-US: Lenovo CVE-2017-3741 (In the Lenovo Power Management driver before 1.67.12.24, a local user ...) NOT-FOR-US: Lenovo CVE-2017-3740 (In Lenovo Active Protection System before 1.82.0.14, an attacker with ...) NOT-FOR-US: Lenovo CVE-2017-3739 REJECTED CVE-2017-3738 (There is an overflow bug in the AVX2 Montgomery multiplication procedu ...) {DSA-4065-1} - openssl 1.1.0h-1 (low) [stretch] - openssl 1.1.0f-3+deb9u2 [jessie] - openssl (Vulnerable code not present) [wheezy] - openssl (Vulnerable code not present) - openssl1.0 1.0.2n-1 (low) NOTE: https://www.openssl.org/news/secadv/20171207.txt NOTE: OpenSSL_1_1_0-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=e502cc86df9dafded1694fceb3228ee34d11c11a NOTE: OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=ca51bafc1a88d8b8348f5fd97adc5d6ca93f8e76 CVE-2017-3737 (OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error stat ...) {DSA-4065-1} - openssl 1.1.0b-2 [jessie] - openssl (Issue introduced in 1.0.2b) [wheezy] - openssl (Issue introduced in 1.0.2b) - openssl1.0 1.0.2n-1 NOTE: Not fully correct tracking, the issue just does not affect OpenSSL 1.1.0 NOTE: thus mark as fixed in the first 1.1.0 version which entered unstable. NOTE: https://www.openssl.org/news/secadv/20171207.txt NOTE: OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=898fb884b706aaeb283de4812340bb0bde8476dc NOTE: 1.0.2b introduced a hardening mechanism designed to protect against bugs NOTE: in application code. This CVE applies to the hardening mechanism being NOTE: incomplete. OpenSSL versions older than 1.0.2b don't have the hardening NOTE: mechanism at all. NOTE: Hardening mechanism introduced in: NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=e4f77bf1833245d2b6aa4ce6a16c85e1cdf78589 CVE-2017-3736 (There is a carry propagating bug in the x86_64 Montgomery squaring pro ...) {DSA-4017-1} - openssl 1.1.0g-1 [stretch] - openssl 1.1.0f-3+deb9u1 [jessie] - openssl (Vulnerable code not present) [wheezy] - openssl (Vulnerable code not present) - openssl1.0 1.0.2m-1 NOTE: https://www.openssl.org/news/secadv/20171102.txt NOTE: Fix for 1.0.2: https://git.openssl.org/?p=openssl.git;a=commit;h=38d600147331d36e74174ebbd4008b63188b321b NOTE: Fix for 1.1.0: https://git.openssl.org/?p=openssl.git;a=commit;h=4443cf7aa0099e5ce615c18cee249fff77fb0871 CVE-2017-3735 (While parsing an IPAddressFamily extension in an X.509 certificate, it ...) {DSA-4018-1 DSA-4017-1 DLA-1157-1} - openssl 1.1.0g-1 - openssl1.0 1.0.2m-1 NOTE: Fix for 1.0.2: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=31c8b265591a0aaa462a1f3eb5770661aaac67db NOTE: Fix for 1.1.0: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=068b963bb7afc57f5bdd723de0dd15e7795d5822 CVE-2017-3734 REJECTED CVE-2017-3733 (During a renegotiation handshake if the Encrypt-Then-Mac extension is ...) - openssl 1.1.0e-1 [jessie] - openssl (Only affects 1.1) [wheezy] - openssl (Only affects 1.1) - openssl1.0 (Only affects 1.1) NOTE: https://www.openssl.org/news/secadv/20170216.txt CVE-2017-3732 (There is a carry propagating bug in the x86_64 Montgomery squaring pro ...) - openssl 1.1.0d-1 [jessie] - openssl (Only affects 1.0.2 and 1.1.0) [wheezy] - openssl (Only affects 1.0.2 and 1.1.0) - openssl1.0 1.0.2k-1 NOTE: https://www.openssl.org/news/secadv/20170126.txt CVE-2017-3731 (If an SSL/TLS server or client is running on a 32-bit host, and a spec ...) {DSA-3773-1 DLA-814-1} - openssl 1.1.0d-1 - openssl1.0 1.0.2k-1 NOTE: https://www.openssl.org/news/secadv/20170126.txt NOTE: Fix for 1.0.2: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=51d009043670a627d6abe66894126851cf3690e9 NOTE: Fix for 1.1.0: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=f3a7e57c92b2c9b87dc4b2997f2ebda6781300d0 NOTE: and https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=00d965474b22b54e4275232bc71ee0c699c5cd21 CVE-2017-3730 (In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad par ...) - openssl 1.1.0d-1 [jessie] - openssl (Only affects OpenSSL 1.1) [wheezy] - openssl (Only affects OpenSSL 1.1) - openssl1.0 (Only affects OpenSSL 1.1) NOTE: https://www.openssl.org/news/secadv/20170126.txt CVE-2016-9999 RESERVED CVE-2016-9996 REJECTED CVE-2016-9995 REJECTED CVE-2016-9994 (IBM Kenexa LCMS Premier on Cloud 9.0, and 10.0.0 is vulnerable to SQL ...) NOT-FOR-US: IBM CVE-2016-9993 (IBM Kenexa LCMS Premier on Cloud 9.0, and 10.0.0 is vulnerable to SQL ...) NOT-FOR-US: IBM CVE-2016-9992 (IBM Kenexa LCMS Premier on Cloud 9.0, and 10.0.0 is vulnerable to SQL ...) NOT-FOR-US: IBM CVE-2016-9991 (IBM Sterling Order Management 9.2 through 9.5 is vulnerable to cross-s ...) NOT-FOR-US: IBM CVE-2016-9990 (IBM iNotes 8.5 and 9.0 is vulnerable to cross-site scripting. This vul ...) NOT-FOR-US: IBM CVE-2016-9989 (IBM Jazz Foundation Reporting Service (JRS) 5.0 and 6.0 is vulnerable ...) NOT-FOR-US: IBM CVE-2016-9988 (IBM Jazz Foundation Reporting Service (JRS) 5.0 and 6.0 is vulnerable ...) NOT-FOR-US: IBM CVE-2016-9987 (IBM Jazz Foundation Reporting Service (JRS) 5.0 and 6.0 is vulnerable ...) NOT-FOR-US: IBM CVE-2016-9986 (IBM Jazz Foundation Reporting Service (JRS) 5.0 and 6.0 is vulnerable ...) NOT-FOR-US: IBM CVE-2016-9985 (IBM Cognos Server 10.1.1 and 10.2 stores highly sensitive information ...) NOT-FOR-US: IBM CVE-2016-9984 (IBM Maximo Asset Management 7.5 and 7.6 could allow a remote authentic ...) NOT-FOR-US: IBM CVE-2016-9983 (IBM Sterling B2B Integrator Standard Edition 5.2 could allow an authen ...) NOT-FOR-US: IBM CVE-2016-9982 (IBM Sterling B2B Integrator Standard Edition 5.2 could allow an authen ...) NOT-FOR-US: IBM CVE-2016-9981 (IBM AppScan Enterprise Edition 9.0 contains an unspecified vulnerabili ...) NOT-FOR-US: IBM CVE-2016-9980 (IBM Curam Social Program Management 5.2, 6.0, and 7.0 is vulnerable to ...) NOT-FOR-US: IBM CVE-2016-9979 (IBM Curam Social Program Management 5.2, 6.0, and 7.0 is vulnerable to ...) NOT-FOR-US: IBM CVE-2016-9978 (IBM Curam Social Program Management 5.2, 6.0, and 7.0 could allow an a ...) NOT-FOR-US: IBM CVE-2016-9977 (IBM Maximo Asset Management 7.1, 7.5, and 7.6 could allow a remote att ...) NOT-FOR-US: IBM CVE-2016-9976 (IBM Maximo Asset Management 7.1, 7.5, and 7.6 could allow a remote att ...) NOT-FOR-US: IBM CVE-2016-9975 (IBM Jazz for Service Management 1.1.2.1 and 1.1.3 is vulnerable to cro ...) NOT-FOR-US: IBM CVE-2016-9974 RESERVED CVE-2016-9973 (IBM Jazz Foundation is vulnerable to cross-site scripting. This vulner ...) NOT-FOR-US: IBM CVE-2016-9972 (IBM QRadar 7.2 and 7.3 could allow a remote attacker to obtain sensiti ...) NOT-FOR-US: IBM CVE-2016-9971 RESERVED CVE-2016-9970 RESERVED CVE-2016-9969 (In libwebp 0.5.1, there is a double free bug in libwebpmux. ...) - libwebp 0.5.2-1 [jessie] - libwebp (Vulnerable code not present; introduced later) NOTE: https://bugs.chromium.org/p/webp/issues/detail?id=322 NOTE: https://chromium.googlesource.com/webm/libwebp/+/5ab6d9de1fb690dc20a27e5120e4d976b96502aa CVE-2016-9968 RESERVED CVE-2016-9967 (Lack of appropriate exception handling in some receivers of the Teleco ...) NOT-FOR-US: Samsung CVE-2016-9966 (Lack of appropriate exception handling in some receivers of the Teleco ...) NOT-FOR-US: Samsung CVE-2016-9965 (Lack of appropriate exception handling in some receivers of the Teleco ...) NOT-FOR-US: Samsung CVE-2016-9962 (RunC allowed additional container processes via 'runc exec' to be ptra ...) - docker.io 1.13.1~ds1-2 (bug #850952) - runc 0.1.1+dfsg1-2 (bug #850951) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1012568 NOTE: https://github.com/docker/docker/compare/v1.12.5...v1.12.6 NOTE: https://github.com/opencontainers/runc/commit/50a19c6ff828c58e5dab13830bd3dacde268afe5 CVE-2016-9954 (The backtrack compilation code in the Irregex package (aka IrRegular E ...) - chicken 4.12.0-0.2 (low; bug #851278) [stretch] - chicken (Minor issue) [jessie] - chicken (Minor issue) [wheezy] - chicken (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2016/12/14/18 NOTE: https://github.com/ashinn/irregex/commit/a16ffc86eca15fca9e40607d41de3cea9cf868f1 NOTE: For chicken vulnerable code in ./irregex-core.scm CVE-2016-9953 (The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30 ...) - curl (Windows CE specific issue) NOTE: https://curl.haxx.se/docs/adv_20161221C.html CVE-2016-9952 (The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30 ...) - curl (Windows CE specific issue) NOTE: https://curl.haxx.se/docs/adv_20161221B.html CVE-2016-10008 (SQL injection vulnerability in the "Content Types > Content Types" ...) NOT-FOR-US: dotCMS CVE-2016-10007 (SQL injection vulnerability in the "Marketing > Forms" screen in do ...) NOT-FOR-US: dotCMS CVE-2016-10006 (In OWASP AntiSamy before 1.5.5, by submitting a specially crafted inpu ...) NOT-FOR-US: OWASP AntiSamy CVE-2016-10005 (Webdynpro in SAP Solman 7.1 through 7.31 allows remote attackers to ob ...) NOT-FOR-US: SAP CVE-2016-10004 RESERVED CVE-2016-10001 RESERVED CVE-2016-10000 RESERVED CVE-2016-10013 (Xen through 4.8.x allows local 64-bit x86 HVM guest OS users to gain p ...) {DSA-3847-1 DLA-783-1} - xen 4.8.0-1 (bug #848713) NOTE: https://xenbits.xen.org/xsa/advisory-204.html CVE-2016-10012 (The shared memory manager (associated with pre-authentication compress ...) {DLA-1500-1} - openssh 1:7.4p1-1 (low; bug #848717) [wheezy] - openssh (Minor issue) NOTE: Fixed in upstream 7.4: https://www.openssh.com/txt/release-7.4 NOTE: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.c.diff?r1=1.165&r2=1.166 NOTE: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.h.diff?r1=1.19&r2=1.20 CVE-2016-10011 (authfile.c in sshd in OpenSSH before 7.4 does not properly consider th ...) {DLA-1500-1} - openssh 1:7.4p1-1 (low; bug #848716) [wheezy] - openssh (Minor issue) NOTE: Fixed in upstream 7.4: https://www.openssh.com/txt/release-7.4 NOTE: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/authfile.c.diff?r1=1.121&r2=1.122 CVE-2016-10010 (sshd in OpenSSH before 7.4, when privilege separation is not used, cre ...) - openssh 1:7.4p1-1 (unimportant; bug #848715) NOTE: Fixed in upstream 7.4: https://www.openssh.com/txt/release-7.4 NOTE: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/serverloop.c.diff?r1=1.188&r2=1.189 NOTE: Privilege separation is enabled in the Debian package CVE-2016-10009 (Untrusted search path vulnerability in ssh-agent.c in ssh-agent in Ope ...) {DLA-1500-1} - openssh 1:7.4p1-1 (low; bug #848714) [wheezy] - openssh (Minor issue) NOTE: Fixed in upstream 7.4: https://www.openssh.com/txt/release-7.4 NOTE: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/ssh-agent.c.diff?r1=1.214&r2=1.215 CVE-2016-9998 (SPIP 3.1.x suffer from a Reflected Cross Site Scripting Vulnerability ...) {DLA-760-1} - spip 3.1.4-2 (bug #848641) [jessie] - spip 3.0.17-2+deb8u3 NOTE: https://core.spip.net/projects/spip/repository/revisions/23288 CVE-2016-9997 (SPIP 3.1.x suffers from a Reflected Cross Site Scripting Vulnerability ...) {DLA-760-1} - spip 3.1.4-2 (bug #848641) [jessie] - spip 3.0.17-2+deb8u3 NOTE: https://core.spip.net/projects/spip/repository/revisions/23288 CVE-2015-8980 (The plural form formula in ngettext family of calls in php-gettext bef ...) - php-gettext 1.0.12-0.1 (bug #851770) [jessie] - php-gettext (Minor issue) [wheezy] - php-gettext (Minor issue) - phpmyadmin 4:4.6.6-1 (unimportant) NOTE: For phpmyadmin, unimportant, since embeds lib but does not use in exploitable way NOTE: http://seclists.org/fulldisclosure/2016/Aug/76 NOTE: Upstream patch: https://bazaar.launchpad.net/~danilo/php-gettext/trunk/revision/61 CVE-2015-8979 (Stack-based buffer overflow in the parsePresentationContext function i ...) {DSA-3749-1 DLA-755-1} - dcmtk 3.6.1~20160216-2 (bug #848830) NOTE: 3.6.1~20160216-2 is the first version in unstable containing the fix NOTE: http://zeroscience.mk/en/vulnerabilities/ZSL-2016-5384.php NOTE: Fixed by: https://github.com/commontk/DCMTK/commit/1b6bb76 NOTE: http://www.openwall.com/lists/oss-security/2016/12/17/2 CVE-2016-10003 (Incorrect HTTP Request header comparison in Squid HTTP Proxy 3.5.0.1 t ...) - squid3 3.5.23-1 (bug #848491) [jessie] - squid3 (Does not affect Squid versions before 3.5.0.1) [wheezy] - squid3 (Does not affect Squid versions before 3.5.0.1) NOTE: Marked as not-affected, vulnerable vulnerability not present due to NOTE: the collapsed_forwarding directive beeing added in 3.5.0.1 only NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_10.txt NOTE: http://www.squid-cache.org/Versions/v4/changesets/squid-4-14956.patch NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_10_a.patch (for squid-3.5 excluding 3.5.22) NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14127.patch (for squid 3.5.22 only) NOTE: Vulnerable Squid Versions: NOTE: 3.5.0.1 up to and including 3.5.22 NOTE: 4.0.1 up to and including 4.0.16 NOTE: http://www.openwall.com/lists/oss-security/2016/12/17/1 CVE-2016-10002 (Incorrect processing of responses to If-None-Modified HTTP conditional ...) {DSA-3745-1 DLA-763-1} - squid3 3.5.23-1 (bug #848493) NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_11.txt NOTE: http://bugs.squid-cache.org/show_bug.cgi?id=4169 NOTE: http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID-2016_11.patch NOTE: http://www.squid-cache.org/Versions/v3/3.2/changesets/SQUID-2016_11.patch NOTE: http://www.squid-cache.org/Versions/v3/3.3/changesets/SQUID-2016_11.patch NOTE: http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_11.patch NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_11.patch NOTE: http://www.squid-cache.org/Versions/v4/changesets/SQUID-2016_11.patch NOTE: Vulnerable squid versions: NOTE: 3.1.10 up to and including 3.1.23 NOTE: 3.2.0.3 up to and including 3.5.22 NOTE: 4.0.1 up to and including 4.0.16 NOTE: http://www.openwall.com/lists/oss-security/2016/12/17/1 CVE-2016-582384 REJECTED CVE-2016-9964 (redirect() in bottle.py in bottle 0.12.10 doesn't filter a "\r\n" sequ ...) {DSA-3743-1 DLA-761-1} - python-bottle 0.12.11-1 (bug #848392) NOTE: Upstream bug: https://github.com/bottlepy/bottle/issues/913 NOTE: Upstream patch: https://github.com/bottlepy/bottle/commit/6d7e13da0f998820800ecb3fe9ccee4189aefb54 CVE-2016-9963 (Exim before 4.87.1 might allow remote attackers to obtain the private ...) {DSA-3747-1 DLA-762-1} - exim4 4.88~RC6-2 NOTE: https://bugs.exim.org/show_bug.cgi?id=1996 NOTE: http://www.openwall.com/lists/oss-security/2016/12/16/1 NOTE: https://exim.org/static/doc/CVE-2016-9963.txt CVE-2016-9961 (game-music-emu before 0.6.1 mishandles unspecified integer values. ...) {DSA-3735-1 DLA-750-1} - game-music-emu 0.6.0-4 (bug #848071) NOTE: http://scarybeastsecurity.blogspot.de/2016/12/redux-compromising-linux-using-snes.html NOTE: http://www.openwall.com/lists/oss-security/2016/12/15/1 CVE-2016-9960 (game-music-emu before 0.6.1 allows local users to cause a denial of se ...) {DSA-3735-1 DLA-750-1} - game-music-emu 0.6.0-4 (bug #848071) NOTE: http://scarybeastsecurity.blogspot.de/2016/12/redux-compromising-linux-using-snes.html NOTE: http://www.openwall.com/lists/oss-security/2016/12/15/1 CVE-2016-9959 (game-music-emu before 0.6.1 allows remote attackers to generate out of ...) {DSA-3735-1 DLA-750-1} - game-music-emu 0.6.0-4 (bug #848071) NOTE: http://scarybeastsecurity.blogspot.de/2016/12/redux-compromising-linux-using-snes.html NOTE: http://www.openwall.com/lists/oss-security/2016/12/15/1 CVE-2016-9958 (game-music-emu before 0.6.1 allows remote attackers to write to arbitr ...) {DSA-3735-1 DLA-750-1} - game-music-emu 0.6.0-4 (bug #848071) NOTE: http://scarybeastsecurity.blogspot.de/2016/12/redux-compromising-linux-using-snes.html NOTE: http://www.openwall.com/lists/oss-security/2016/12/15/1 CVE-2016-9957 (Stack-based buffer overflow in game-music-emu before 0.6.1. ...) {DSA-3735-1 DLA-750-1} - game-music-emu 0.6.0-4 (bug #848071) NOTE: http://scarybeastsecurity.blogspot.de/2016/12/redux-compromising-linux-using-snes.html NOTE: http://www.openwall.com/lists/oss-security/2016/12/15/1 CVE-2016-9956 (The route manager in FlightGear before 2016.4.4 allows remote attacker ...) {DSA-3742-1} - flightgear 1:2016.4.3+dfsg-1 (bug #848114) NOTE: http://www.openwall.com/lists/oss-security/2016/12/14/11 CVE-2016-9951 (An issue was discovered in Apport before 2.20.4. A malicious Apport cr ...) NOT-FOR-US: Apport CVE-2016-9950 (An issue was discovered in Apport before 2.20.4. There is a path trave ...) NOT-FOR-US: Apport CVE-2016-9949 (An issue was discovered in Apport before 2.20.4. In apport/ui.py, Appo ...) NOT-FOR-US: Apport CVE-2016-9948 RESERVED CVE-2016-9947 RESERVED CVE-2016-9946 RESERVED CVE-2016-9945 RESERVED CVE-2016-9944 RESERVED CVE-2016-9943 RESERVED CVE-2016-9942 (Heap-based buffer overflow in ultra.c in LibVNCClient in LibVNCServer ...) {DSA-3753-1 DLA-1979-1 DLA-777-1} - libvncserver 0.9.11+dfsg-1 (bug #850008) - italc 1:3.0.2+dfsg1-1 - veyon 4.1.4+repack1-1 NOTE: https://github.com/LibVNC/libvncserver/pull/137 NOTE: https://github.com/LibVNC/libvncserver/pull/137/commits/5fff4353f66427b467eb29e5fdc1da4f2be028bb CVE-2016-9941 (Heap-based buffer overflow in rfbproto.c in LibVNCClient in LibVNCServ ...) {DSA-3753-1 DLA-1979-1 DLA-777-1} - libvncserver 0.9.11+dfsg-1 (bug #850007) - italc 1:3.0.2+dfsg1-1 - veyon 4.1.4+repack1-1 NOTE: https://github.com/LibVNC/libvncserver/pull/137 NOTE: https://github.com/LibVNC/libvncserver/pull/137/commits/5418e8007c248bf9668d22a8c1fa9528149b69f2 CVE-2016-9940 RESERVED CVE-2016-9955 (The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before ...) {DLA-1298-1} - simplesamlphp 1.14.11-1 (low) [jessie] - simplesamlphp (Minor issue) NOTE: https://simplesamlphp.org/security/201612-02 NOTE: https://github.com/simplesamlphp/simplesamlphp/commit/a2326d75dd14accaac162dd2cb30aaefcc1f9205 NOTE: http://www.openwall.com/lists/oss-security/2016/12/14/7 CVE-2016-9939 (Crypto++ (aka cryptopp and libcrypto++) 5.6.4 contained a bug in its A ...) {DSA-3748-1 DLA-766-1} - libcrypto++ 5.6.4-5 (bug #848009) NOTE: https://github.com/weidai11/cryptopp/issues/346 CVE-2016-9932 (CMPXCHG8B emulation in Xen 3.3.x through 4.7.x on x86 systems allows l ...) {DSA-3847-1 DLA-964-1} - xen 4.8.0~rc3-1 (bug #848081) NOTE: https://xenbits.xen.org/xsa/advisory-200.html CVE-2016-9931 RESERVED CVE-2016-9930 RESERVED CVE-2016-9929 RESERVED CVE-2016-9927 RESERVED CVE-2016-9926 RESERVED CVE-2016-9925 RESERVED CVE-2016-9924 (Zimbra Collaboration Suite (ZCS) before 8.7.4 allows remote attackers ...) NOT-FOR-US: Zimbra CVE-2016-9936 (The unserialize implementation in ext/standard/var.c in PHP 7.x before ...) - php7.0 7.0.14-1 NOTE: Fixed in PHP 7.0.14 and 7.1.0 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=72978 NOTE: Fixed by: https://github.com/php/php-src/commit/b2af4e8868726a040234de113436c6e4f6372d17 NOTE: http://www.openwall.com/lists/oss-security/2016/12/12/2 CVE-2016-9935 (The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5. ...) {DSA-3737-1 DLA-818-1} - php7.0 7.0.14-1 - php5 NOTE: Fixed in PHP 5.6.29 and 7.0.14 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73631 NOTE: Fixed by: https://github.com/php/php-src/commit/66fd44209d5ffcb9b3d1bc1b9fd8e35b485040c0 NOTE: http://www.openwall.com/lists/oss-security/2016/12/12/2 CVE-2016-9934 (ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remo ...) {DSA-3732-1 DLA-818-1} - php7.0 7.0.13-1 - php5 NOTE: Fixed in PHP 5.6.28, 7.0.13 and 7.1.0 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73331 NOTE: Fixed by: https://github.com/php/php-src/commit/6045de69c7dedcba3eadf7c4bba424b19c81d00d NOTE: http://www.openwall.com/lists/oss-security/2016/12/12/2 CVE-2016-9933 (Stack consumption vulnerability in the gdImageFillToBorder function in ...) {DSA-3751-1 DSA-3732-1 DLA-758-1} - libgd2 2.2.2-29-g3c2b605-1 (bug #849038) NOTE: This problem could be seen as a programmer fault but the fix is easy and NOTE: the effect is rather dramatic so it should be fixed anyway. NOTE: https://github.com/libgd/libgd/commit/77f619d48259383628c3ec4654b1ad578e9eb40e (gd-2.2.2) NOTE: Scope of CVE is only the missing "color < 0" test in older versions. NOTE: GD release info: https://libgd.github.io/release-2.2.2.html - php7.0 7.0.13-1 (unimportant) - php5 (unimportant) NOTE: Fixed in PHP 5.6.28, 7.0.13 and 7.1.0 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=72696 NOTE: Fixed by: https://github.com/php/php-src/commit/863d37ea66d5c960db08d6f4a2cbd2518f0f80d1 NOTE: Starting with 5.4.0-1 Debian uses the system copy of libgd NOTE: http://www.openwall.com/lists/oss-security/2016/12/12/2 CVE-2016-9937 (An issue was discovered in Asterisk Open Source 13.12.x and 13.13.x be ...) - asterisk (Introduced in 13.12.0 but fixed with first version to unstable based on 13.12.1) NOTE: Vulnerability introduced in 13.12.0, but the first upload to unstable NOTE: versioned as 1:13.12.1~dfsg-1 via opus.patch removed the offending NOTE: function. Thus Debian was never vulnerable. NOTE: http://downloads.asterisk.org/pub/security/AST-2016-008.html NOTE: Cf. https://bugs.debian.org/847666 CVE-2016-9938 (An issue was discovered in Asterisk Open Source 11.x before 11.25.1, 1 ...) - asterisk 1:13.13.1~dfsg-1 (bug #847668) [jessie] - asterisk 1:11.13.1~dfsg-2+deb8u2 [wheezy] - asterisk (Minor issue) NOTE: http://downloads.asterisk.org/pub/security/AST-2016-009.html NOTE: Only applicable if a proxy is in use. CVE-2016-9923 (Quick Emulator (Qemu) built with the 'chardev' backend support is vuln ...) - qemu 1:2.8+dfsg-1 (bug #847957) [jessie] - qemu (Minor issue; too complex to backport) [wheezy] - qemu (Minor issue) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg05597.html NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=a4afa548fc6dd9842ed86639b4d37d4d1c4ad480 (v2.8.0-rc0) CVE-2016-9922 (The cirrus_do_copy function in hw/display/cirrus_vga.c in QEMU (aka Qu ...) {DLA-1497-1 DLA-765-1 DLA-764-1} - qemu 1:2.8+dfsg-1 (bug #847960) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-12/msg00442.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1334398 NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=4299b90e9ba9ce5ca9024572804ba751aa1a7e70 (v2.8.0-rc3) NOTE: CVE for the "blit pitch values" issue. NOTE: Should be fixed along with CVE-2014-8106 CVE-2016-9921 (Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA Emulator sup ...) {DLA-1497-1 DLA-765-1 DLA-764-1} - qemu 1:2.8+dfsg-1 (bug #847960) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-12/msg00442.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1334398 NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=4299b90e9ba9ce5ca9024572804ba751aa1a7e70 (v2.8.0-rc3) NOTE: CVE for the "'cirrus_get_bpp' returns zero(0), which could lead to a divide by zero" issue. CVE-2016-9918 (In BlueZ 5.42, an out-of-bounds read was identified in "packet_hexdump ...) - bluez (unimportant; bug #847837) NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68898.html NOTE: Crash in btmon CLI tool, no security impact CVE-2016-9917 (In BlueZ 5.42, a buffer overflow was observed in "read_n" function in ...) - bluez (unimportant; bug #847837) NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68892.html NOTE: Crash in hcidump CLI tool, no security impact CVE-2016-9906 REJECTED CVE-2016-9905 (A potentially exploitable crash in "EnumerateSubDocuments" while addin ...) {DSA-3757-1 DSA-3734-1 DLA-782-1 DLA-743-1} - firefox (Only affects Firefox 45 ESR series) - firefox-esr 45.6.0esr-1 - icedove 1:45.6.0-2 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9905 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-96/#CVE-2016-9905 CVE-2016-9904 (An attacker could use a JavaScript Map/Set timing attack to determine ...) {DSA-3757-1 DSA-3734-1 DLA-782-1 DLA-743-1} - firefox 50.1.0-1 - firefox-esr 45.6.0esr-1 - icedove 1:45.6.0-2 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9904 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-96/#CVE-2016-9904 CVE-2016-9903 (Mozilla's add-ons SDK had a world-accessible resource with an HTML inj ...) - firefox 50.1.0-1 - firefox-esr (Only affects Firefox 50.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/#CVE-2016-9903 CVE-2016-9902 (The Pocket toolbar button, once activated, listens for events fired fr ...) {DSA-3734-1 DLA-743-1} - firefox 50.1.0-1 - firefox-esr 45.6.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9902 CVE-2016-9901 (HTML tags received from the Pocket server will be processed without sa ...) {DSA-3734-1 DLA-743-1} - firefox 50.1.0-1 - firefox-esr 45.6.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9901 CVE-2016-9900 (External resources that should be blocked when loaded by SVG images ca ...) {DSA-3757-1 DSA-3734-1 DLA-782-1 DLA-743-1} - firefox 50.1.0-1 - firefox-esr 45.6.0esr-1 - icedove 1:45.6.0-2 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9900 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-96/#CVE-2016-9900 CVE-2016-9899 (Use-after-free while manipulating DOM events and removing audio elemen ...) {DSA-3757-1 DSA-3734-1 DLA-782-1 DLA-743-1} - firefox 50.1.0-1 - firefox-esr 45.6.0esr-1 - icedove 1:45.6.0-2 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9899 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-96/#CVE-2016-9899 CVE-2016-9898 (Use-after-free resulting in potentially exploitable crash when manipul ...) {DSA-3757-1 DSA-3734-1 DLA-782-1 DLA-743-1} - firefox 50.1.0-1 - firefox-esr 45.6.0esr-1 - icedove 1:45.6.0-2 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9898 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-96/#CVE-2016-9898 CVE-2016-9897 (Memory corruption resulting in a potentially exploitable crash during ...) {DSA-3757-1 DSA-3734-1 DLA-782-1 DLA-743-1} - firefox 50.1.0-1 - firefox-esr 45.6.0esr-1 - icedove 1:45.6.0-2 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9897 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-96/#CVE-2016-9897 CVE-2016-9896 (Use-after-free while manipulating the "navigator" object within WebVR. ...) - firefox 50.1.0-1 - firefox-esr (Only affects Firefox 50.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/#CVE-2016-9896 CVE-2016-9895 (Event handlers on "marquee" elements were executed despite a strict Co ...) {DSA-3757-1 DSA-3734-1 DLA-782-1 DLA-743-1} - firefox 50.1.0-1 - firefox-esr 45.6.0esr-1 - icedove 1:45.6.0-2 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9895 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-96/#CVE-2016-9895 CVE-2016-9894 (A buffer overflow in SkiaGl caused when a GrGLBuffer is truncated duri ...) - firefox 50.1.0-1 - firefox-esr (Only affects Firefox 50.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/#CVE-2016-9894 CVE-2016-9893 (Memory safety bugs were reported in Thunderbird 45.5. Some of these bu ...) {DSA-3757-1 DSA-3734-1 DLA-782-1 DLA-743-1} - firefox 50.1.0-1 - firefox-esr 45.6.0esr-1 - icedove 1:45.6.0-2 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9893 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-96/#CVE-2016-9893 CVE-2017-3729 RESERVED CVE-2017-3728 RESERVED CVE-2017-3727 RESERVED CVE-2017-3726 RESERVED CVE-2017-3725 RESERVED CVE-2017-3724 RESERVED CVE-2017-3723 RESERVED CVE-2017-3722 RESERVED CVE-2017-3721 RESERVED CVE-2017-3720 RESERVED CVE-2017-3719 RESERVED CVE-2017-3718 (Improper setting of device configuration in system firmware for Intel( ...) NOT-FOR-US: Intel CVE-2017-3717 RESERVED CVE-2017-3716 RESERVED CVE-2017-3715 RESERVED CVE-2017-3714 RESERVED CVE-2017-3713 RESERVED CVE-2017-3712 RESERVED CVE-2017-3711 RESERVED CVE-2017-3710 RESERVED CVE-2017-3709 RESERVED CVE-2017-3708 RESERVED CVE-2017-3707 RESERVED CVE-2017-3706 RESERVED CVE-2017-3705 RESERVED CVE-2017-3704 RESERVED CVE-2017-3703 RESERVED CVE-2017-3702 RESERVED CVE-2017-3701 RESERVED CVE-2017-3700 RESERVED CVE-2017-3699 RESERVED CVE-2017-3698 RESERVED CVE-2017-3697 RESERVED CVE-2017-3696 RESERVED CVE-2017-3695 RESERVED CVE-2017-3694 RESERVED CVE-2017-3693 RESERVED CVE-2017-3692 RESERVED CVE-2017-3691 RESERVED CVE-2017-3690 RESERVED CVE-2017-3689 RESERVED CVE-2017-3688 RESERVED CVE-2017-3687 RESERVED CVE-2017-3686 RESERVED CVE-2017-3685 RESERVED CVE-2017-3684 RESERVED CVE-2017-3683 RESERVED CVE-2017-3682 RESERVED CVE-2017-3681 RESERVED CVE-2017-3680 RESERVED CVE-2017-3679 RESERVED CVE-2017-3678 RESERVED CVE-2017-3677 RESERVED CVE-2017-3676 RESERVED CVE-2017-3675 RESERVED CVE-2017-3674 RESERVED CVE-2017-3673 RESERVED CVE-2017-3672 RESERVED CVE-2017-3671 RESERVED CVE-2017-3670 RESERVED CVE-2017-3669 RESERVED CVE-2017-3668 RESERVED CVE-2017-3667 RESERVED CVE-2017-3666 RESERVED CVE-2017-3665 RESERVED CVE-2017-3664 RESERVED CVE-2017-3663 RESERVED CVE-2017-3662 RESERVED CVE-2017-3661 RESERVED CVE-2017-3660 RESERVED CVE-2017-3659 RESERVED CVE-2017-3658 RESERVED CVE-2017-3657 RESERVED CVE-2017-3656 RESERVED CVE-2017-3655 RESERVED CVE-2017-3654 RESERVED CVE-2017-3653 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3955-1 DSA-3944-1 DSA-3922-1 DLA-1043-1} - mariadb-10.2 (bug #884065) - mariadb-10.1 10.1.26-1 - mariadb-10.0 - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (bug #868788) CVE-2017-3652 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3922-1 DLA-1043-1} - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (bug #868788) CVE-2017-3651 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3922-1 DLA-1043-1} - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (bug #868788) CVE-2017-3650 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3649 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) CVE-2017-3648 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3922-1 DLA-1043-1} - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (bug #868788) CVE-2017-3647 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) CVE-2017-3646 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.17-1 - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3645 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3644 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3643 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3642 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3641 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3955-1 DSA-3944-1 DSA-3922-1 DLA-1043-1} - mariadb-10.2 (bug #884065) - mariadb-10.1 10.1.26-1 - mariadb-10.0 - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (bug #868788) CVE-2017-3640 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3639 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3638 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3637 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3636 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3955-1 DSA-3944-1 DSA-3922-1 DLA-1043-1} - mariadb-10.2 (bug #884065) - mariadb-10.1 10.1.26-1 - mariadb-10.0 - mysql-5.7 (Only affects MySQL 5.5 and 5.6) - mysql-5.5 (bug #868788) CVE-2017-3635 {DSA-3922-1 DLA-1043-1} - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (bug #868788) CVE-2017-3634 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) CVE-2017-3633 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) CVE-2017-3632 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle Solaris CVE-2017-3631 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2017-3630 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2017-3629 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2017-3628 RESERVED CVE-2017-3627 RESERVED CVE-2017-3626 (Vulnerability in the Oracle GlassFish Server component of Oracle Fusio ...) - glassfish (Only affects 3.x) CVE-2017-3625 (Vulnerability in the Oracle WebCenter Content component of Oracle Fusi ...) NOT-FOR-US: Oracle CVE-2017-3624 RESERVED CVE-2017-3623 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2017-3622 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2017-3621 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Solaris CVE-2017-3620 (Vulnerability in the Automatic Service Request (ASR) component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3619 (Vulnerability in the Automatic Service Request (ASR) component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3618 (Vulnerability in the Automatic Service Request (ASR) component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3617 (Vulnerability in the Data Store component of Oracle Berkeley DB. The s ...) NOT-FOR-US: Oracle CVE-2017-3616 (Vulnerability in the Data Store component of Oracle Berkeley DB. The s ...) NOT-FOR-US: Oracle CVE-2017-3615 (Vulnerability in the Data Store component of Oracle Berkeley DB. The s ...) NOT-FOR-US: Oracle CVE-2017-3614 (Vulnerability in the Data Store component of Oracle Berkeley DB. The s ...) NOT-FOR-US: Oracle CVE-2017-3613 (Vulnerability in the Data Store component of Oracle Berkeley DB. The s ...) NOT-FOR-US: Oracle CVE-2017-3612 (Vulnerability in the Data Store component of Oracle Berkeley DB. The s ...) NOT-FOR-US: Oracle CVE-2017-3611 (Vulnerability in the Data Store component of Oracle Berkeley DB. The s ...) NOT-FOR-US: Oracle CVE-2017-3610 (Vulnerability in the Data Store component of Oracle Berkeley DB. The s ...) NOT-FOR-US: Oracle CVE-2017-3609 (Vulnerability in the Data Store component of Oracle Berkeley DB. The s ...) NOT-FOR-US: Oracle CVE-2017-3608 (Vulnerability in the Data Store component of Oracle Berkeley DB. The s ...) NOT-FOR-US: Oracle CVE-2017-3607 (Vulnerability in the Data Store component of Oracle Berkeley DB. The s ...) NOT-FOR-US: Oracle CVE-2017-3606 (Vulnerability in the Data Store component of Oracle Berkeley DB. The s ...) NOT-FOR-US: Oracle CVE-2017-3605 (Vulnerability in the Data Store component of Oracle Berkeley DB. The s ...) NOT-FOR-US: Oracle CVE-2017-3604 (Vulnerability in the Data Store component of Oracle Berkeley DB. The s ...) NOT-FOR-US: Oracle CVE-2017-3603 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3602 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3601 (Vulnerability in the Oracle API Gateway component of Oracle Fusion Mid ...) NOT-FOR-US: Oracle CVE-2017-3600 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3834-1 DLA-916-1} - mariadb-10.1 (Fixed before initial upload to Debian) - mariadb-10.0 10.0.28-1 [jessie] - mariadb-10.0 10.0.28-0+deb8u1 - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (bug #860544) NOTE: https://blog.tarq.io/cve-2016-5483-backdooring-mysqldump-backups/ NOTE: Affected according to blogpost: MySQL all versions, MariaDB <= 5.5.52 and < 10.1 NOTE: Per MariaDB Security fixed with the following three commits: NOTE: https://github.com/MariaDB/server/commit/5a43a31ee81bc181eeb5ef2bf0704befa6e0594d NOTE: https://github.com/MariaDB/server/commit/01b39b7b0730102b88d8ea43ec719a75e9316a1e NOTE: https://github.com/MariaDB/server/commit/383007c75d6ef5043fa5781956a6a02b24e2b79e CVE-2017-3599 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (ONly affects MySQL 5.6 and 5.7) CVE-2017-3598 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3597 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3596 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3595 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3594 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3593 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3592 (Vulnerability in the Oracle Payables component of Oracle E-Business Su ...) NOT-FOR-US: Oracle CVE-2017-3591 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3590 (Vulnerability in the MySQL Connectors component of Oracle MySQL (subco ...) - mysql-connector-python 2.1.6-1 (bug #861511) [jessie] - mysql-connector-python (Minor issue) [wheezy] - mysql-connector-python (Minor issue, can be fixed along in a future update) CVE-2017-3589 (Vulnerability in the MySQL Connectors component of Oracle MySQL (subco ...) {DSA-3857-1 DLA-945-1} - mysql-connector-java 5.1.42-1 CVE-2017-3588 (Vulnerability in the Solaris Cluster component of Oracle Sun Systems P ...) NOT-FOR-US: Oracle CVE-2017-3587 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.20-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-3586 (Vulnerability in the MySQL Connectors component of Oracle MySQL (subco ...) {DSA-3857-1 DLA-945-1} - mysql-connector-java 5.1.42-1 CVE-2017-3585 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Solaris CVE-2017-3584 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Solaris CVE-2017-3583 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle CVE-2017-3582 (Vulnerability in the Oracle SuperCluster Specific Software component o ...) NOT-FOR-US: Solaris CVE-2017-3581 (Vulnerability in the Automatic Service Request (ASR) component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3580 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Solaris CVE-2017-3579 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle CVE-2017-3578 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Solaris CVE-2017-3577 (Vulnerability in the PeopleSoft Enterprise CS Campus Community compone ...) NOT-FOR-US: Oracle CVE-2017-3576 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.20-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-3575 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.20-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-3574 (Vulnerability in the Oracle Hospitality OPERA 5 Property Services comp ...) NOT-FOR-US: Oracle CVE-2017-3573 (Vulnerability in the Oracle Hospitality OPERA 5 Property Services comp ...) NOT-FOR-US: Oracle CVE-2017-3572 (Vulnerability in the Oracle Commerce Guided Search / Oracle Commerce E ...) NOT-FOR-US: Oracle CVE-2017-3571 (Vulnerability in the PeopleSoft Enterprise SCM eBill Payment component ...) NOT-FOR-US: Oracle CVE-2017-3570 (Vulnerability in the PeopleSoft Enterprise FSCM component of Oracle Pe ...) NOT-FOR-US: Oracle CVE-2017-3569 (Vulnerability in the Oracle Hospitality OPERA 5 Property Services comp ...) NOT-FOR-US: Oracle CVE-2017-3568 (Vulnerability in the Oracle Hospitality OPERA 5 Property Services comp ...) NOT-FOR-US: Oracle CVE-2017-3567 (Vulnerability in the OJVM component of Oracle Database Server. Support ...) NOT-FOR-US: Oracle CVE-2017-3566 RESERVED CVE-2017-3565 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2017-3564 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2017-3563 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.20-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-3562 (Vulnerability in the Oracle Applications DBA component of Oracle E-Bus ...) NOT-FOR-US: Oracle CVE-2017-3561 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.20-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-3560 (Vulnerability in the Oracle Hospitality OPERA 5 Property Services comp ...) NOT-FOR-US: Oracle CVE-2017-3559 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.20-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-3558 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.20-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-3557 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3556 (Vulnerability in the Oracle Application Object Library component of Or ...) NOT-FOR-US: Oracle CVE-2017-3555 (Vulnerability in the Oracle iReceivables component of Oracle E-Busines ...) NOT-FOR-US: Oracle CVE-2017-3554 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3553 (Vulnerability in the Oracle Identity Manager component of Oracle Fusio ...) NOT-FOR-US: Oracle CVE-2017-3552 (Vulnerability in the Oracle Hospitality OPERA 5 Property Services comp ...) NOT-FOR-US: Oracle CVE-2017-3551 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2017-3550 (Vulnerability in the Oracle Customer Interaction History component of ...) NOT-FOR-US: Oracle CVE-2017-3549 (Vulnerability in the Oracle Scripting component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3548 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-3547 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-3546 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-3545 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3544 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3858-1 DLA-954-1} - openjdk-8 8u131-b11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-3543 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3542 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3541 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3540 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3539 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3858-1 DLA-954-1} - openjdk-8 8u131-b11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-3538 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.16-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-3537 (Vulnerability in the Oracle Real-Time Scheduler component of Oracle Ut ...) NOT-FOR-US: Oracle CVE-2017-3536 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-3535 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2017-3534 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2017-3533 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3858-1 DLA-954-1} - openjdk-8 8u131-b11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-3532 (Vulnerability in the Oracle Retail Warehouse Management System compone ...) NOT-FOR-US: Oracle CVE-2017-3531 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3530 (Vulnerability in the Oracle Transportation Manager component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3529 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3528 (Vulnerability in the Oracle Applications Framework component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3527 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-3526 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3858-1 DLA-954-1} - openjdk-8 8u131-b11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-3525 (Vulnerability in the PeopleSoft Enterprise SCM Service Procurement com ...) NOT-FOR-US: Oracle CVE-2017-3524 (Vulnerability in the PeopleSoft Enterprise SCM Strategic Sourcing comp ...) NOT-FOR-US: Oracle CVE-2017-3523 (Vulnerability in the MySQL Connectors component of Oracle MySQL (subco ...) {DSA-3840-1 DLA-945-1} - mysql-connector-java 5.1.41-1 NOTE: https://www.computest.nl/advisories/CT-2017-0425_MySQL-Connector-J.txt CVE-2017-3522 (Vulnerability in the PeopleSoft Enterprise SCM eSupplier Connection co ...) NOT-FOR-US: Oracle CVE-2017-3521 (Vulnerability in the PeopleSoft Enterprise SCM Purchasing component of ...) NOT-FOR-US: Oracle CVE-2017-3520 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-3519 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-3518 (Vulnerability in the Enterprise Manager Base Platform component of Ora ...) NOT-FOR-US: Oracle CVE-2017-3517 (Vulnerability in the JD Edwards EnterpriseOne Tools component of Oracl ...) NOT-FOR-US: Oracle CVE-2017-3516 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2017-3515 (Vulnerability in the Oracle User Management component of Oracle E-Busi ...) NOT-FOR-US: Oracle CVE-2017-3514 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-8 (Windows builds only) - openjdk-7 (Windows builds only) NOTE: Upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/95fd1952637b CVE-2017-3513 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.20-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-3512 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-8 (MacOSX builds only) - openjdk-7 (MacOSX builds only) NOTE: Upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/c878d0baff4a CVE-2017-3511 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3858-1 DLA-954-1} - openjdk-8 8u131-b11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-3510 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2017-3509 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3858-1 DLA-954-1} - openjdk-8 8u131-b11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-3508 (Vulnerability in the Primavera Gateway component of Oracle Primavera P ...) NOT-FOR-US: Oracle CVE-2017-3507 (Vulnerability in the Oracle Service Bus component of Oracle Fusion Mid ...) NOT-FOR-US: Oracle CVE-2017-3506 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3505 (Vulnerability in the Automatic Service Request (ASR) component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3504 (Vulnerability in the Automatic Service Request (ASR) component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3503 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle CVE-2017-3502 (Vulnerability in the PeopleSoft Enterprise FIN Receivables component o ...) NOT-FOR-US: Oracle CVE-2017-3501 (Vulnerability in the Primavera Unifier component of Oracle Primavera P ...) NOT-FOR-US: Oracle CVE-2017-3500 (Vulnerability in the Primavera Gateway component of Oracle Primavera P ...) NOT-FOR-US: Oracle CVE-2017-3499 (Vulnerability in the Oracle Social Network component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3498 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2017-3497 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2017-3496 (Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral ...) NOT-FOR-US: Oracle CVE-2017-3495 (Vulnerability in the Oracle FLEXCUBE Direct Banking component of Oracl ...) NOT-FOR-US: Oracle CVE-2017-3494 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2017-3493 (Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral ...) NOT-FOR-US: Oracle CVE-2017-3492 (Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral ...) NOT-FOR-US: Oracle CVE-2017-3491 (Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral ...) NOT-FOR-US: Oracle CVE-2017-3490 (Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral ...) NOT-FOR-US: Oracle CVE-2017-3489 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) NOT-FOR-US: Oracle CVE-2017-3488 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) NOT-FOR-US: Oracle CVE-2017-3487 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) NOT-FOR-US: Oracle CVE-2017-3486 (Vulnerability in the SQL*Plus component of Oracle Database Server. Sup ...) NOT-FOR-US: Oracle CVE-2017-3485 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2017-3484 (Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral ...) NOT-FOR-US: Oracle CVE-2017-3483 (Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral ...) NOT-FOR-US: Oracle CVE-2017-3482 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2017-3481 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2017-3480 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2017-3479 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3478 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3477 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3476 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3475 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3474 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2017-3473 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3472 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3471 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3470 (Vulnerability in the Oracle Communications Security Gateway component ...) NOT-FOR-US: Oracle CVE-2017-3469 (Vulnerability in the MySQL Workbench component of Oracle MySQL (subcom ...) - mysql-workbench 6.3.10+dfsg-1 (low; bug #861487) [stretch] - mysql-workbench (Minor issue) [jessie] - mysql-workbench (Minor issue) [wheezy] - mysql-workbench (Minor issue) CVE-2017-3468 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3467 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3466 RESERVED CVE-2017-3465 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3464 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3944-1 DSA-3834-1 DLA-916-1} - mariadb-10.1 10.1.23-1 - mariadb-10.0 - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (bug #860544) CVE-2017-3463 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3834-1 DLA-916-1} - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (bug #860544) CVE-2017-3462 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3834-1 DLA-916-1} - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (bug #860544) CVE-2017-3461 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3834-1 DLA-916-1} - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (bug #860544) CVE-2017-3460 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3459 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3458 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3457 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3456 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3944-1 DSA-3834-1 DLA-916-1} - mariadb-10.1 10.1.23-1 - mariadb-10.0 - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (bug #860544) CVE-2017-3455 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3454 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3453 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3944-1 DSA-3834-1 DLA-916-1} - mariadb-10.1 10.1.23-1 - mariadb-10.0 - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (bug #860544) CVE-2017-3452 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 5.6) - mysql-5.5 (Only affects MySQL 5.6) CVE-2017-3451 (Vulnerability in the Oracle Retail Open Commerce Platform component of ...) NOT-FOR-US: Oracle CVE-2017-3450 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) CVE-2017-3449 RESERVED CVE-2017-3448 RESERVED CVE-2017-3447 REJECTED CVE-2017-3446 (Vulnerability in the Oracle Trade Management component of Oracle E-Bus ...) NOT-FOR-US: Oracle CVE-2017-3445 (Vulnerability in the Oracle Trade Management component of Oracle E-Bus ...) NOT-FOR-US: Oracle CVE-2017-3444 (Vulnerability in the Oracle Trade Management component of Oracle E-Bus ...) NOT-FOR-US: Oracle CVE-2017-3443 (Vulnerability in the Oracle Common Applications component of Oracle E- ...) NOT-FOR-US: Oracle CVE-2017-3442 (Vulnerability in the Oracle Customer Interaction History component of ...) NOT-FOR-US: Oracle CVE-2017-3441 (Vulnerability in the Oracle Customer Interaction History component of ...) NOT-FOR-US: Oracle CVE-2017-3440 (Vulnerability in the Oracle Customer Interaction History component of ...) NOT-FOR-US: Oracle CVE-2017-3439 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3438 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3437 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3436 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3435 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3434 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3433 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3432 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3431 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3430 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3429 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3428 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3427 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3426 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3425 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3424 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3423 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3422 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3421 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3420 (Vulnerability in the Oracle CRM Technical Foundation component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3419 (Vulnerability in the Oracle CRM Technical Foundation component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3418 (Vulnerability in the Oracle CRM Technical Foundation component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3417 (Vulnerability in the Oracle Universal Work Queue component of Oracle E ...) NOT-FOR-US: Oracle CVE-2017-3416 (Vulnerability in the Oracle Universal Work Queue component of Oracle E ...) NOT-FOR-US: Oracle CVE-2017-3415 (Vulnerability in the Oracle Universal Work Queue component of Oracle E ...) NOT-FOR-US: Oracle CVE-2017-3414 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3413 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3412 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3411 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3410 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3409 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3408 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3407 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3406 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3405 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3404 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3403 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3402 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3401 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3400 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3399 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3398 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3397 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3396 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3395 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3394 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3393 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3392 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3391 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3390 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3389 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3388 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3387 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3386 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3385 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3384 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3383 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3382 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3381 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3380 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3379 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3378 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3377 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3376 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3375 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3374 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3373 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3372 (Vulnerability in the Oracle Interaction Blending component of Oracle E ...) NOT-FOR-US: Oracle CVE-2017-3371 (Vulnerability in the Oracle iSupport component of Oracle E-Business Su ...) NOT-FOR-US: Oracle CVE-2017-3370 (Vulnerability in the Oracle iSupport component of Oracle E-Business Su ...) NOT-FOR-US: Oracle CVE-2017-3369 (Vulnerability in the Oracle iSupport component of Oracle E-Business Su ...) NOT-FOR-US: Oracle CVE-2017-3368 (Vulnerability in the Oracle iStore component of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2017-3367 (Vulnerability in the Oracle Knowledge Management component of Oracle E ...) NOT-FOR-US: Oracle CVE-2017-3366 (Vulnerability in the Oracle Knowledge Management component of Oracle E ...) NOT-FOR-US: Oracle CVE-2017-3365 (Vulnerability in the Oracle Knowledge Management component of Oracle E ...) NOT-FOR-US: Oracle CVE-2017-3364 (Vulnerability in the Oracle Knowledge Management component of Oracle E ...) NOT-FOR-US: Oracle CVE-2017-3363 (Vulnerability in the Oracle Knowledge Management component of Oracle E ...) NOT-FOR-US: Oracle CVE-2017-3362 (Vulnerability in the Oracle Knowledge Management component of Oracle E ...) NOT-FOR-US: Oracle CVE-2017-3361 (Vulnerability in the Oracle Installed Base component of Oracle E-Busin ...) NOT-FOR-US: Oracle CVE-2017-3360 (Vulnerability in the Oracle Customer Intelligence component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3359 (Vulnerability in the Oracle Customer Intelligence component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3358 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3357 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3356 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3355 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3354 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3353 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3352 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3351 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3350 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3349 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3348 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3347 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3346 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3345 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3344 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3343 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3342 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3341 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3340 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3339 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3338 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3337 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3336 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3335 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3334 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3333 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3332 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.14-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-3331 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3330 (Vulnerability in the Siebel UI Framework component of Oracle Siebel CR ...) NOT-FOR-US: Oracle Siebel CVE-2017-3329 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3834-1 DLA-916-1} - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (bug #860544) CVE-2017-3328 (Vulnerability in the Oracle Common Applications component of Oracle E- ...) NOT-FOR-US: Oracle CVE-2017-3327 (Vulnerability in the Oracle Common Applications component of Oracle E- ...) NOT-FOR-US: Oracle CVE-2017-3326 (Vulnerability in the Oracle Common Applications component of Oracle E- ...) NOT-FOR-US: Oracle CVE-2017-3325 (Vulnerability in the Siebel UI Framework component of Oracle Siebel CR ...) NOT-FOR-US: Oracle Siebel CVE-2017-3324 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle Primavera CVE-2017-3323 (Vulnerability in the MySQL Cluster component of Oracle MySQL (subcompo ...) NOT-FOR-US: MySQL Cluster CVE-2017-3322 (Vulnerability in the MySQL Cluster component of Oracle MySQL (subcompo ...) NOT-FOR-US: MySQL Cluster CVE-2017-3321 (Vulnerability in the MySQL Cluster component of Oracle MySQL (subcompo ...) NOT-FOR-US: MySQL Cluster CVE-2017-3320 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3319 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3318 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3770-1 DSA-3767-1 DLA-797-1} - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 5.6.35-1 (bug #851234) - mysql-5.5 (bug #851233) CVE-2017-3317 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3770-1 DSA-3767-1 DLA-797-1} - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 5.6.35-1 (bug #851234) - mysql-5.5 (bug #851233) CVE-2017-3316 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.14-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-3315 (Vulnerability in the PeopleSoft Enterprise HCM ePerformance component ...) NOT-FOR-US: Oracle PeopleSoft CVE-2017-3314 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2017-3313 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3809-1 DSA-3767-1 DLA-797-1} - mariadb-10.1 10.1.23-1 - mariadb-10.0 - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 5.6.35-1 (bug #851234) - mysql-5.5 (bug #851233) CVE-2017-3312 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3770-1 DSA-3767-1 DLA-797-1} - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 5.6.35-1 (bug #851234) - mysql-5.5 (bug #851233) CVE-2017-3311 (Vulnerability in the Application Testing Suite component of Oracle Ent ...) NOT-FOR-US: Oracle CVE-2017-3310 (Vulnerability in the OJVM component of Oracle Database Server. Support ...) NOT-FOR-US: Oracle CVE-2017-3309 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3944-1 DSA-3834-1 DLA-916-1} - mariadb-10.1 10.1.23-1 - mariadb-10.0 - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (bug #860544) CVE-2017-3308 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3944-1 DSA-3834-1 DLA-916-1} - mariadb-10.1 10.1.23-1 - mariadb-10.0 - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (bug #860544) CVE-2017-3307 (Vulnerability in the MySQL Enterprise Monitor component of Oracle MySQ ...) NOT-FOR-US: MySQL Enterprise Monitor CVE-2017-3306 (Vulnerability in the MySQL Enterprise Monitor component of Oracle MySQ ...) NOT-FOR-US: MySQL Enterprise Monitor CVE-2017-3305 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3834-1 DLA-916-1} - mysql-5.7 (Fixed before the initial release to Debian) - mysql-5.5 (bug #860544) NOTE: The issue arises because of an improper fix for the issue known under NOTE: the name BACKRONYM. The CVE CVE-2015-3152 though is explicitly only NOTE: assigned for MariaDB and Percona, thus Oracle MySQL products are not NOTE: tracked below that CVE. Later, Oracle tried to address the corresonding NOTE: issue as well in 5.5 (in 5.5.49) and 5.6 (5.6.30) series resulting in NOTE: opening CVE-2017-3305. NOTE: Cf. https://bugzilla.redhat.com/show_bug.cgi?id=1217506#c22 NOTE: http://www.openwall.com/lists/oss-security/2017/03/17/4 CVE-2017-3304 (Vulnerability in the MySQL Cluster component of Oracle MySQL (subcompo ...) - mysql-cluster (bug #833356) CVE-2017-3303 (Vulnerability in the Oracle XML Gateway component of Oracle E-Business ...) NOT-FOR-US: Oracle CVE-2017-3302 (Crash in libmysqlclient.so in Oracle MySQL before 5.6.21 and 5.7.x bef ...) {DSA-3834-1 DSA-3809-1 DLA-916-1 DLA-819-1} - mariadb-10.1 10.1.23-1 - mariadb-10.0 - mysql-5.7 (Fixed before initial release in Debian) - mysql-5.6 (Fixed before initial release in Debian) - mysql-5.5 (bug #854713; bug #860544) NOTE: Fixed by: https://github.com/mysql/mysql-server/commit/4797ea0b772d5f4c5889bc552424132806f46e93 NOTE: Fixed in Oracle MySQL 5.6.21, 5.7.5 NOTE: https://bugs.mysql.com/bug.php?id=70429 NOTE: https://bugs.mysql.com/bug.php?id=63363 NOTE: http://www.openwall.com/lists/oss-security/2017/01/28/1 CVE-2017-3301 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2017-3300 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle PeopleSoft CVE-2017-3299 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle PeopleSoft CVE-2017-3298 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle PeopleSoft CVE-2017-3297 (Vulnerability in the Oracle FLEXCUBE Direct Banking component of Oracl ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2017-3296 (Vulnerability in the Oracle Commerce Platform component of Oracle Comm ...) NOT-FOR-US: Oracle Commerce CVE-2017-3295 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3294 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3293 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3292 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle PeopleSoft CVE-2017-3291 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3770-1 DSA-3767-1 DLA-797-1} - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 5.6.35-1 (bug #851234) - mysql-5.5 (bug #851233) CVE-2017-3290 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.14-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-3289 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3782-1 DLA-821-1} - openjdk-8 8u121-b13-1 [experimental] - openjdk-7 7u121-2.6.8-2 - openjdk-7 CVE-2017-3288 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) NOT-FOR-US: Oracle CVE-2017-3287 (Vulnerability in the Oracle iStore component of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2017-3286 (Vulnerability in the Oracle Applications DBA component of Oracle E-Bus ...) NOT-FOR-US: Oracle CVE-2017-3285 (Vulnerability in the Oracle Service Fulfillment Manager component of O ...) NOT-FOR-US: Oracle CVE-2017-3284 (Vulnerability in the Oracle Service Fulfillment Manager component of O ...) NOT-FOR-US: Oracle CVE-2017-3283 (Vulnerability in the Oracle Partner Management component of Oracle E-B ...) NOT-FOR-US: Oracle CVE-2017-3282 (Vulnerability in the Oracle Partner Management component of Oracle E-B ...) NOT-FOR-US: Oracle CVE-2017-3281 (Vulnerability in the Oracle Partner Management component of Oracle E-B ...) NOT-FOR-US: Oracle CVE-2017-3280 (Vulnerability in the Oracle Partner Management component of Oracle E-B ...) NOT-FOR-US: Oracle CVE-2017-3279 (Vulnerability in the Oracle Leads Management component of Oracle E-Bus ...) NOT-FOR-US: Oracle CVE-2017-3278 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3277 (Vulnerability in the Oracle Applications Manager component of Oracle E ...) NOT-FOR-US: Oracle CVE-2017-3276 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2017-3275 (Vulnerability in the Oracle Email Center component of Oracle E-Busines ...) NOT-FOR-US: Oracle CVE-2017-3274 (Vulnerability in the Oracle Email Center component of Oracle E-Busines ...) NOT-FOR-US: Oracle CVE-2017-3273 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 5.6.35-1 (bug #851234) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) CVE-2017-3272 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3782-1 DLA-821-1} - openjdk-8 8u121-b13-1 [experimental] - openjdk-7 7u121-2.6.8-2 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-3271 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3270 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3269 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3268 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3267 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3266 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3265 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3770-1 DSA-3767-1 DLA-797-1} - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 5.6.35-1 (bug #851234) - mysql-5.5 (bug #851233) CVE-2017-3264 (Vulnerability in the Siebel UI Framework component of Oracle Siebel CR ...) NOT-FOR-US: Oracle Siebel CVE-2017-3263 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle Primavera CVE-2017-3262 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-8 (specific to Oracle Java) CVE-2017-3261 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3782-1 DLA-821-1} - openjdk-8 8u121-b13-1 [experimental] - openjdk-7 7u121-2.6.8-2 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-3260 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) {DSA-3782-1 DLA-821-1} - openjdk-8 8u121-b13-1 [experimental] - openjdk-7 7u121-2.6.8-2 - openjdk-7 CVE-2017-3259 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2017-3258 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3770-1 DSA-3767-1 DLA-797-1} - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 5.6.35-1 (bug #851234) - mysql-5.5 (bug #851233) CVE-2017-3257 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3770-1} - mariadb-10.2 (bug #884065) - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 5.6.35-1 (bug #851234) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) CVE-2017-3256 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3255 (Vulnerability in the Oracle JDeveloper component of Oracle Fusion Midd ...) NOT-FOR-US: Oracle CVE-2017-3254 (Vulnerability in the Oracle Retail Invoice Matching component of Oracl ...) NOT-FOR-US: Oracle CVE-2017-3253 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3782-1 DLA-821-1} - openjdk-8 8u121-b13-1 [experimental] - openjdk-7 7u121-2.6.8-2 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-3252 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3782-1 DLA-821-1} - openjdk-8 8u121-b13-1 [experimental] - openjdk-7 7u121-2.6.8-2 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-3251 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3250 (Vulnerability in the Oracle GlassFish Server component of Oracle Fusio ...) - glassfish (Vulnerable code not included, see bug #853998) CVE-2017-3249 (Vulnerability in the Oracle GlassFish Server component of Oracle Fusio ...) - glassfish (Vulnerable code not included, see bug #853998) CVE-2017-3248 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3247 (Vulnerability in the Oracle GlassFish Server component of Oracle Fusio ...) - glassfish (Vulnerable code not included, see bug #853998) CVE-2017-3246 (Vulnerability in the Oracle Application Object Library component of Or ...) NOT-FOR-US: Oracle CVE-2017-3245 (Vulnerability in the Oracle FLEXCUBE Direct Banking component of Oracl ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2017-3244 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3770-1 DSA-3767-1 DLA-797-1} - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 5.6.35-1 (bug #851234) - mysql-5.5 (bug #851233) CVE-2017-3243 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3770-1 DSA-3767-1 DLA-797-1} - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 (Only affects MySQL 5.5) - mysql-5.6 (Only affects MySQL 5.5) - mysql-5.5 (bug #851233) CVE-2017-3242 (Vulnerability in the Oracle VM Server for Sparc component of Oracle Su ...) NOT-FOR-US: Solaris CVE-2017-3241 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3782-1 DLA-821-1} - openjdk-8 8u121-b13-1 [experimental] - openjdk-7 7u121-2.6.8-2 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-3240 (Vulnerability in the RDBMS Security component of Oracle Database Serve ...) NOT-FOR-US: Oracle CVE-2017-3239 (Vulnerability in the Oracle GlassFish Server component of Oracle Fusio ...) - glassfish (Only affects 3.x) CVE-2017-3238 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3770-1 DSA-3767-1 DLA-797-1} - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 5.6.35-1 (bug #851234) - mysql-5.5 (bug #851233) CVE-2017-3237 (Vulnerability in the Automatic Service Request (ASR) component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3236 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2017-3235 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2017-3234 (Vulnerability in the Automatic Service Request (ASR) component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3233 (Vulnerability in the Automatic Service Request (ASR) component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3232 (Vulnerability in the Automatic Service Request (ASR) component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3231 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3782-1 DLA-821-1} - openjdk-8 8u121-b13-1 [experimental] - openjdk-7 7u121-2.6.8-2 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-3230 (Vulnerability in the Oracle Fusion Middleware MapViewer component of O ...) NOT-FOR-US: Oracle CVE-2016-9892 (The esets_daemon service in ESET Endpoint Antivirus for macOS before 6 ...) NOT-FOR-US: ESET CVE-2016-9891 (Cross-site scripting (XSS) vulnerability in admin/media.php and admin/ ...) - dotclear CVE-2016-9890 RESERVED CVE-2016-9889 (Some forms with the parameter geo_zoomlevel_to_found_location in Tiki ...) NOT-FOR-US: Tiki Wiki CVE-2016-9888 (An error within the "tar_directory_for_file()" function (gsf-infile-ta ...) {DLA-2183-1 DLA-740-1} - libgsf 1.14.41-1 NOTE: Fixed by: https://github.com/GNOME/libgsf/commit/95a8351a75758cf10b3bf6abae0b6b461f90d9e5 CVE-2016-9887 RESERVED CVE-2016-9886 REJECTED CVE-2016-9885 (An issue was discovered in Pivotal GemFire for PCF 1.6.x versions prio ...) NOT-FOR-US: Pivotal GemFire for PCF CVE-2016-9884 REJECTED CVE-2016-9883 REJECTED CVE-2016-9882 (An issue was discovered in Cloud Foundry Foundation cf-release version ...) NOT-FOR-US: Cloud Foundry Foundation cf-release CVE-2016-9881 REJECTED CVE-2016-9880 (The GemFire broker for Cloud Foundry 1.6.x before 1.6.5 and 1.7.x befo ...) NOT-FOR-US: Cloud Foundry CVE-2016-9879 (An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1. ...) - libspring-security-java (bug #582181) NOTE: https://pivotal.io/security/cve-2016-9879 CVE-2016-9878 (An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2 ...) {DLA-1853-1} - libspring-java 4.3.5-1 (bug #849167) [wheezy] - libspring-java (Minor issue) NOTE: https://pivotal.io/security/cve-2016-9878 NOTE: Fixed by: https://github.com/spring-projects/spring-framework/commit/e2d6e709c3c65a4951eb096843ee75d5200cfcad (4.3.x branch) NOTE: Fixed by: https://github.com/spring-projects/spring-framework/commit/43bf008fbcd0d7945e2fcd5e30039bc4d74c7a98 (4.2.x branch) NOTE: Fixed by: https://github.com/spring-projects/spring-framework/commit/a7dc48534ea501525f11369d369178a60c2f47d0 (3.2.x branch) NOTE: https://jira.spring.io/browse/SPR-14946 CVE-2016-9877 (An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x ...) {DSA-3761-1} - rabbitmq-server 3.6.6-1 (bug #849849) [wheezy] - rabbitmq-server (Vulnerable code introduced later) NOTE: https://pivotal.io/security/cve-2016-9877 NOTE: https://github.com/rabbitmq/rabbitmq-mqtt/issues/96 NOTE: https://github.com/rabbitmq/rabbitmq-mqtt/pull/98 CVE-2016-9876 REJECTED CVE-2016-9875 REJECTED CVE-2016-9874 REJECTED CVE-2016-9873 (EMC Documentum D2 version 4.5 and EMC Documentum D2 version 4.6 has a ...) NOT-FOR-US: EMC Documentum CVE-2016-9872 (EMC Documentum D2 version 4.5 and EMC Documentum D2 version 4.6 has Re ...) NOT-FOR-US: EMC Documentum CVE-2016-9871 (EMC Isilon OneFS 7.2.1.0 - 7.2.1.3, EMC Isilon OneFS 7.2.0.x, EMC Isil ...) NOT-FOR-US: EMC Isilon CVE-2016-9870 (EMC Isilon OneFS 8.0.0.0, EMC Isilon OneFS 7.2.1.0 - 7.2.1.2, EMC Isil ...) NOT-FOR-US: EMC CVE-2016-9869 (An issue was discovered in EMC ScaleIO versions before 2.0.1.1. Incorr ...) NOT-FOR-US: EMC ScaleIO CVE-2016-9868 (An issue was discovered in EMC ScaleIO versions before 2.0.1.1. A low- ...) NOT-FOR-US: EMC ScaleIO CVE-2016-9867 (An issue was discovered in EMC ScaleIO versions before 2.0.1.1. A low- ...) NOT-FOR-US: EMC ScaleIO CVE-2016-9919 (The icmp6_send function in net/ipv6/icmp.c in the Linux kernel through ...) - linux 4.8.15-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=189851 NOTE: Fixed by: https://git.kernel.org/linus/79dc7e3f1cd323be4c81aa1a94faa1b3ed987fb2 (v4.9-rc8) CVE-2016-9912 (Quick Emulator (Qemu) built with the Virtio GPU Device emulator suppor ...) - qemu 1:2.8+dfsg-1 (bug #847391) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg05043.html NOTE: http://www.openwall.com/lists/oss-security/2016/12/06/12 CVE-2016-9916 (Memory leak in hw/9pfs/9p-proxy.c in QEMU (aka Quick Emulator) allows ...) {DLA-1497-1} - qemu 1:2.8+dfsg-1 (bug #847496) [wheezy] - qemu (Minor issue, virtfs-proxy-helper not present) - qemu-kvm [wheezy] - qemu-kvm (Minor issue, virtfs-proxy-helper not present) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg03278.html NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=898ae90a44551d25b8e956fd87372d303c82fe68 (v2.8.0-rc2) NOTE: Proxy filesystem driver introduced in: http://git.qemu.org/?p=qemu.git;a=commit;h=4c793dda22213a7aba8e4d9a814e8f368a5f8bf7 (v1.0-rc0) NOTE: http://www.openwall.com/lists/oss-security/2016/12/06/11 CVE-2016-9915 (Memory leak in hw/9pfs/9p-handle.c in QEMU (aka Quick Emulator) allows ...) {DLA-1497-1} - qemu 1:2.8+dfsg-1 (bug #847496) [wheezy] - qemu (handle driver not included during compilation) - qemu-kvm [wheezy] - qemu-kvm (handle driver not included during compilation) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg03278.html NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=971f406b77a6eb84e0ad27dcc416b663765aee30 (v2.8.0-rc2) NOTE: handle based fs driver introduced in: http://git.qemu.org/?p=qemu.git;a=commit;h=5f5422258e1f50f871bafcc5bfb2b498f414a310 (v1.0-rc0) NOTE: http://www.openwall.com/lists/oss-security/2016/12/06/11 NOTE: proxy driver not included during compilation in wheezy, see debian-lts ML: https://lists.debian.org/debian-lts/2016/12/msg00136.html CVE-2016-9914 (Memory leak in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local ...) {DLA-1497-1} - qemu 1:2.8+dfsg-1 (bug #847496) [wheezy] - qemu (proxy and handle drivers not included during compilation) - qemu-kvm [wheezy] - qemu-kvm (proxy and handle drivers not included during compilation) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg03278.html NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=702dbcc274e2ca43be20ba64c758c0ca57dab91d (v2.8.0-rc2) NOTE: http://www.openwall.com/lists/oss-security/2016/12/06/11 NOTE: proxy and handle drivers not included during compilation in wheezy, so the cleanup function is never implemented: NOTE: see debian-lts ML: https://lists.debian.org/debian-lts/2016/12/msg00136.html CVE-2016-9913 (Memory leak in the v9fs_device_unrealize_common function in hw/9pfs/9p ...) - qemu 1:2.8+dfsg-1 (bug #847496) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg03278.html NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=4774718e5c194026ba5ee7a28d9be49be3080e42 (v2.8.0-rc2) NOTE: http://www.openwall.com/lists/oss-security/2016/12/06/11 CVE-2016-9911 (Quick Emulator (Qemu) built with the USB EHCI Emulation support is vul ...) {DLA-1497-1 DLA-765-1 DLA-764-1} - qemu 1:2.8+dfsg-1 (bug #847951) - qemu-kvm NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=791f97758e223de3290592d169f (v2.8.0-rc0) NOTE: http://www.openwall.com/lists/oss-security/2016/12/06/10 CVE-2016-9907 (Quick Emulator (Qemu) built with the USB redirector usb-guest support ...) {DLA-1497-1} - qemu 1:2.8+dfsg-1 (bug #847953) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code not present) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg01379.html NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=07b026fd82d6cf11baf7d7c603c4f5f6070b35bf NOTE: http://www.openwall.com/lists/oss-security/2016/12/06/3 NOTE: Leakage introduced after 1.2.50: http://git.qemu.org/?p=qemu.git;a=commit;h=fc3f6e1b106abcf6b8cf487ac8f8e5fc2fd86776 CVE-2016-9908 (Quick Emulator (Qemu) built with the Virtio GPU Device emulator suppor ...) - qemu 1:2.8+dfsg-1 (bug #847400) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: http://lists.gnu.org/archive/html/qemu-devel/2016-11/msg00059.html NOTE: http://www.openwall.com/lists/oss-security/2016/12/06/2 CVE-2017-3229 REJECTED CVE-2017-3228 REJECTED CVE-2017-3227 RESERVED CVE-2017-3226 (Das U-Boot is a device bootloader that can read its configuration from ...) - u-boot (unimportant) [wheezy] - u-boot (Vulnerable code do not exist) NOTE: jessie+ no built targets use ENV_AES by default, but fw_printenv/fw_setenv NOTE: in u-boot-tools supports it. Upstream has deprecated it and plans to remove NOTE: it in future versions. NOTE: https://www.kb.cert.org/vuls/id/166743 NOTE: Negligible security impact CVE-2017-3225 (Das U-Boot is a device bootloader that can read its configuration from ...) - u-boot (unimportant) [wheezy] - u-boot (Vulnerable code do not exist) NOTE: jessie+ no built targets use ENV_AES by default, but fw_printenv/fw_setenv NOTE: in u-boot-tools supports it. Upstream has deprecated it and plans to remove NOTE: it in future versions. NOTE: https://www.kb.cert.org/vuls/id/166743 NOTE: Negligible security impact CVE-2017-3224 (Open Shortest Path First (OSPF) protocol implementations may improperl ...) - quagga (low; bug #871617) [buster] - quagga (Minor issue) [stretch] - quagga (Minor issue) [jessie] - quagga (Minor issue) [wheezy] - quagga (Minor issue) NOTE: http://www.kb.cert.org/vuls/id/793496 CVE-2017-3223 (Dahua IP camera products using firmware versions prior to V2.400.0000. ...) NOT-FOR-US: Dahua IP camera products CVE-2017-3222 (Hard-coded credentials in AmosConnect 8 allow remote attackers to gain ...) NOT-FOR-US: AmosConnect CVE-2017-3221 (Blind SQL injection in Inmarsat AmosConnect 8 login form allows remote ...) NOT-FOR-US: AmosConnect CVE-2017-3220 RESERVED CVE-2017-3219 (Acronis True Image up to and including version 2017 Build 8053 perform ...) NOT-FOR-US: Acronis True Image CVE-2017-3218 (Samsung Magician 5.0 fails to validate TLS certificates for HTTPS soft ...) NOT-FOR-US: Samsung CVE-2017-3217 (CalAmp LMU 3030 series OBD-II CDMA and GSM devices has an SMS (text me ...) NOT-FOR-US: CalAmp LMU 3030 series OBD-II CDMA and GSM devices CVE-2017-3216 (WiMAX routers based on the MediaTek SDK (libmtk) that use a custom htt ...) NOT-FOR-US: WiMAX routers CVE-2017-3215 (The Milwaukee ONE-KEY Android mobile application uses bearer tokens wi ...) NOT-FOR-US: Milwaukee ONE-KEY Android mobile application CVE-2017-3214 (The Milwaukee ONE-KEY Android mobile application stores the master tok ...) NOT-FOR-US: Milwaukee ONE-KEY Android mobile application CVE-2017-3213 (The Think Mutual Bank Mobile Banking app 3.1.5 for iOS does not verify ...) NOT-FOR-US: Think Mutual Bank Mobile Banking app CVE-2017-3212 (The Space Coast Credit Union Mobile app 2.2 for iOS and 2.1.0.1104 for ...) NOT-FOR-US: Space Coast Credit Union Mobile app CVE-2017-3211 (Yopify, an e-commerce notification plugin, up to April 06, 2017, leaks ...) NOT-FOR-US: Yopify (e-commerce notification plugin) CVE-2017-3210 (Applications developed using the Portrait Display SDK, versions 2.30 t ...) NOT-FOR-US: Portrait Display SDK CVE-2017-3209 (The DBPOWER U818A WIFI quadcopter drone provides FTP access over its o ...) NOT-FOR-US: DBPOWER U818A WIFI quadcopter drone CVE-2017-3208 (The Java implementation of AMF3 deserializers used by WebORB for Java ...) NOT-FOR-US: AMF3 deserialisers CVE-2017-3207 (The Java implementations of AMF3 deserializers in WebORB for Java by M ...) NOT-FOR-US: AMF3 deserialisers CVE-2017-3206 (The Java implementation of AMF3 deserializers used by Flamingo amf-ser ...) NOT-FOR-US: AMF3 deserialisers CVE-2017-3205 RESERVED CVE-2017-3204 (The Go SSH library (x/crypto/ssh) by default does not verify host keys ...) - golang-go.crypto 1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1 (bug #859655) [jessie] - golang-go.crypto (In jessie no rdeps using SSH, that version doesn't even support host key validation) NOTE: https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991 NOTE: https://github.com/golang/go/issues/19767 CVE-2017-3203 (The Java implementations of AMF3 deserializers in Pivotal/Spring Sprin ...) NOT-FOR-US: AMF3 deserialisers CVE-2017-3202 (The Java implementation of AMF3 deserializers used in Flamingo amf-ser ...) NOT-FOR-US: AMF3 deserialisers CVE-2017-3201 (The Java implementation of AMF3 deserializers used in Flamingo amf-ser ...) NOT-FOR-US: AMF3 deserialisers CVE-2017-3200 (The Java implementation of AMF3 deserializers used in GraniteDS, versi ...) NOT-FOR-US: AMF3 deserialisers CVE-2017-3199 (The Java implementation of GraniteDS, version 3.1.1.GA, AMF3 deseriali ...) NOT-FOR-US: AMF3 deserialisers CVE-2017-3198 (GIGABYTE BRIX UEFI firmware does not cryptographically validate images ...) NOT-FOR-US: GIGABYTE CVE-2017-3197 (GIGABYTE BRIX UEFI firmware for the GB-BSi7H-6500 (version F6) and GB- ...) NOT-FOR-US: GIGABYTE CVE-2017-3196 (PCAUSA Rawether framework does not properly validate BPF data, allowin ...) NOT-FOR-US: PCAUSA Rawether CVE-2017-3195 (Commvault Edge Communication Service (cvd) prior to version 11 SP7 or ...) NOT-FOR-US: Commvault Edge Communication Service CVE-2017-3194 (Pandora iOS app prior to version 8.3.2 fails to properly validate SSL ...) NOT-FOR-US: Pandora iOS app CVE-2017-3193 (Multiple D-Link devices including the DIR-850L firmware versions 1.14B ...) NOT-FOR-US: D-Link CVE-2017-3192 (D-Link DIR-130 firmware version 1.23 and DIR-330 firmware version 1.12 ...) NOT-FOR-US: D-Link CVE-2017-3191 (D-Link DIR-130 firmware version 1.23 and DIR-330 firmware version 1.12 ...) NOT-FOR-US: D-Link CVE-2017-3190 (Flash Seats Mobile App for Android version 1.7.9 and earlier and for i ...) NOT-FOR-US: Flash Seats Mobile App CVE-2017-3189 (The dotCMS administration panel, versions 3.7.1 and earlier, "Push Pub ...) NOT-FOR-US: dotCMS CVE-2017-3188 (The dotCMS administration panel, versions 3.7.1 and earlier, "Push Pub ...) NOT-FOR-US: dotCMS CVE-2017-3187 (The dotCMS administration panel, versions 3.7.1 and earlier, are vulne ...) NOT-FOR-US: dotCMS CVE-2017-3186 (ACTi cameras including the D, B, I, and E series using firmware versio ...) NOT-FOR-US: ACTi cameras CVE-2017-3185 (ACTi cameras including the D, B, I, and E series using firmware versio ...) NOT-FOR-US: ACTi cameras CVE-2017-3184 (ACTi cameras including the D, B, I, and E series using firmware versio ...) NOT-FOR-US: ACTi cameras CVE-2017-3183 (Sage XRT Treasury, version 3, fails to properly restrict database acce ...) NOT-FOR-US: Sage XRT Treasury CVE-2017-3182 (On the iOS platform, the ThreatMetrix SDK versions prior to 3.2 fail t ...) NOT-FOR-US: ThreatMetrix SDK CVE-2017-3181 (Multiple TIBCO Products are prone to multiple unspecified SQL-injectio ...) NOT-FOR-US: TIBCO CVE-2017-3180 (Multiple TIBCO Products are prone to multiple unspecified cross-site s ...) NOT-FOR-US: TIBCO CVE-2017-3179 REJECTED CVE-2017-3178 REJECTED CVE-2017-3177 REJECTED CVE-2017-3176 REJECTED CVE-2017-3175 REJECTED CVE-2017-3174 REJECTED CVE-2017-3173 REJECTED CVE-2017-3172 REJECTED CVE-2017-3171 REJECTED CVE-2017-3170 REJECTED CVE-2017-3169 (In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl m ...) {DSA-3896-1 DLA-1009-1} - apache2 2.4.25-4 CVE-2017-3168 REJECTED CVE-2017-3167 (In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of th ...) {DSA-3896-1 DLA-1009-1} - apache2 2.4.25-4 CVE-2017-3166 (In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-al ...) - hadoop (bug #793644) CVE-2017-3165 (In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cro ...) NOT-FOR-US: Apache Brooklyn CVE-2017-3164 (Server Side Request Forgery in Apache Solr, versions 1.3 until 7.6 (in ...) - lucene-solr (unimportant; bug #922242) NOTE: https://issues.apache.org/jira/browse/SOLR-12770 CVE-2017-3163 (When using the Index Replication feature, Apache Solr nodes can pull i ...) {DSA-4124-1 DLA-1046-1} - lucene-solr 3.6.2+dfsg-11 (bug #867712) NOTE: https://issues.apache.org/jira/browse/SOLR-10031 NOTE: https://github.com/apache/lucene-solr/commit/ae789c252687dc8a18bfdb677f2e6cd14570e4db CVE-2017-3162 (HDFS clients interact with a servlet on the DataNode to browse the HDF ...) - hadoop (bug #793644) CVE-2017-3161 (The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross ...) - hadoop (bug #793644) CVE-2017-3160 (After the Android platform is added to Cordova the first time, or afte ...) NOT-FOR-US: Apache Cordova CVE-2017-3159 (Apache Camel's camel-snakeyaml component is vulnerable to Java object ...) NOT-FOR-US: Apache Camel CVE-2017-3158 (A race condition in Guacamole's terminal emulator in versions 0.9.5 th ...) - guacamole-client (bug #891798) [stretch] - guacamole-client (Minor issue) [jessie] - guacamole-client (Minor issue) - guacamole [wheezy] - guacamole (Version not vulnerable) CVE-2017-3157 (By exploiting the way Apache OpenOffice before 4.1.4 renders embedded ...) {DSA-3792-1 DLA-910-1} - libreoffice 1:5.2.3-1 NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2017-3157/ CVE-2017-3156 (The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3. ...) NOT-FOR-US: Apache CXF CVE-2017-3155 (Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found ...) NOT-FOR-US: Apache Atlas CVE-2017-3154 (Error responses from Apache Atlas versions 0.6.0-incubating and 0.7.0- ...) NOT-FOR-US: Apache Atlas CVE-2017-3153 (Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found ...) NOT-FOR-US: Apache Atlas CVE-2017-3152 (Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found ...) NOT-FOR-US: Apache Atlas CVE-2017-3151 (Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found ...) NOT-FOR-US: Apache Atlas CVE-2017-3150 (Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating use cookie ...) NOT-FOR-US: Apache Atlas CVE-2016-9920 (steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2 ...) {DLA-737-1} - roundcube 1.2.3+dfsg.1-1 (bug #847287) NOTE: https://blog.ripstech.com/2016/roundcube-command-execution-via-email/ NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/f84233785ddeed01445fc855f3ae1e8a62f167e1 NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/aa6bf38843f51a0fc7205acc98a7b84f3c4c9c4f CVE-2016-9910 (The serializer in html5lib before 0.99999999 might allow remote attack ...) - html5lib 0.999999999-1 [jessie] - html5lib (Minor issue) [wheezy] - html5lib (Minor issue) NOTE: Fixed by: https://github.com/html5lib/html5lib-python/commit/9b8d8eb5afbc066b7fac9390f5ec75e5e8a7cab7 NOTE: https://www.sourceclear.com/registry/security/cross-site-scripting-xss-/python/sid-3068 NOTE: http://www.openwall.com/lists/oss-security/2016/12/06/5 CVE-2016-9909 (The serializer in html5lib before 0.99999999 might allow remote attack ...) - html5lib 0.999999999-1 [jessie] - html5lib (Minor issue) [wheezy] - html5lib (Minor issue) NOTE: Fixed by: https://github.com/html5lib/html5lib-python/commit/9b8d8eb5afbc066b7fac9390f5ec75e5e8a7cab7 NOTE: https://www.sourceclear.com/registry/security/cross-site-scripting-xss-/python/sid-3068 NOTE: http://www.openwall.com/lists/oss-security/2016/12/06/5 CVE-2017-3149 REJECTED CVE-2017-3148 REJECTED CVE-2017-3147 REJECTED CVE-2017-3146 REJECTED CVE-2017-3145 (BIND was improperly sequencing cleanup operations on upstream recursio ...) {DSA-4089-1 DLA-1255-1} - bind9 1:9.11.2.P1-1 NOTE: https://kb.isc.org/article/AA-01542 NOTE: Fixed by (master): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=053b51c4dbd28f6e4de71ce4268a6f606025d76d NOTE: Fixed by (9.10.6-P1): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=55baf7d7e25c0e6444cb7e415f14d9e0819b5508 CVE-2017-3144 (A vulnerability stemming from failure to properly clean up closed OMAP ...) {DSA-4133-1} - isc-dhcp 4.3.5-3.1 (bug #887413) [wheezy] - isc-dhcp (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1522918 NOTE: https://bugs.isc.org/Public/Bug/Display.html?id=46767 NOTE: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=1a6b62fe17a42b00fa234d06b6dfde3d03451894 NOTE: Fixes for 4.3.6p1: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=99a25aedea02d9c259cb8fabf4be700fb32571a3 CVE-2017-3143 (An attacker who is able to send and receive messages to an authoritati ...) {DSA-3904-1 DLA-1025-1} - bind9 1:9.10.3.dfsg.P4-12.4 (bug #866564) NOTE: https://kb.isc.org/article/AA-01503 NOTE: Fixed by (master): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=581c1526ab0f74a177980da9ff0514f795ed8669 CVE-2017-3142 (An attacker who is able to send and receive messages to an authoritati ...) {DSA-3904-1 DLA-1025-1} - bind9 1:9.10.3.dfsg.P4-12.4 (bug #866564) NOTE: https://kb.isc.org/article/AA-01504 NOTE: Fixed by (master): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=581c1526ab0f74a177980da9ff0514f795ed8669 CVE-2017-3141 (The BIND installer on Windows uses an unquoted service path which can ...) - bind9 (Affects only Windows systems) NOTE: https://kb.isc.org/article/AA-01496 CVE-2017-3140 (If named is configured to use Response Policy Zones (RPZ) an error pro ...) - bind9 (Upstream change #4377 not backported/included) NOTE: https://kb.isc.org/article/AA-01495 NOTE: Fixed by (master): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=2648c49be78568ba9f4123d22122f2a649e2e1b7 NOTE: Introduced by: https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=aabcb1fde0ca255ff30f0a5c10cbd39f798cc5b7 NOTE: CVE-2017-3140 is introduced by the upstream change #4377 NOTE: http://www.openwall.com/lists/oss-security/2017/06/14/4 CVE-2017-3139 (A denial of service flaw was found in the way BIND handled DNSSEC vali ...) - bind9 (RHEL6 specific) CVE-2017-3138 (named contains a feature which allows operators to issue commands to a ...) {DSA-3854-1 DLA-957-1} - bind9 1:9.10.3.dfsg.P4-12.3 (bug #860226) NOTE: https://kb.isc.org/article/AA-01471 NOTE: Fixed by (9.10.x): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=a636604b20cc0aaabc8edbb7595f7c1c820b7610 NOTE: In practice for any Debian version applying this commit is merely NOTE: hardening, since the feature to allow only a subset of "read only" NOTE: commands was added only in 9.11.0 and before existing commands permitted NOTE: over the control channel were already be given to cause the server to stop. NOTE: The CVE-2017-3138 is barely an issue in practice anyway. CVE-2017-3137 (Mistaken assumptions about the ordering of records in the answer secti ...) {DSA-3854-1 DLA-957-1} - bind9 1:9.10.3.dfsg.P4-12.3 (bug #860225) NOTE: https://kb.isc.org/article/AA-01466 NOTE: Additional information for backporting patch: http://www.openwall.com/lists/oss-security/2017/04/17/5 NOTE: Fixed by (9.10.x): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=69fd759b4aa02047e42e5cf4227f8257c4547988 NOTE: Fixed by (9.10.x): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=6841d7b854c15df9ec56cab38da201b315bbcabb (reimplentation) NOTE: Fixed by (9.10.x): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=7ab9e8e00775782d474522a5b2bffba8daefefa5 (regression fix) CVE-2017-3136 (A query with a specific set of characteristics could cause a server us ...) {DSA-3854-1 DLA-957-1} - bind9 1:9.10.3.dfsg.P4-12.3 (bug #860224) NOTE: https://kb.isc.org/article/AA-01465 NOTE: Fixed by (9.10.x): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=764240ca07ab1b796226d5402ccd9fbfa77ec32a CVE-2017-3135 (Under some conditions when using both DNS64 and RPZ to rewrite query r ...) {DSA-3795-1 DLA-843-1} - bind9 1:9.10.3.dfsg.P4-12 (bug #855520) NOTE: https://kb.isc.org/article/AA-01453 NOTE: Patch for 9.9.9-P6: ftp://ftp.isc.org/isc/bind9/9.9.9-P6/patches/rt44434 CVE-2017-3134 (An escalation of privilege vulnerability in Fortinet FortiWLC-SD versi ...) NOT-FOR-US: Fortinet FortiWLC-SD CVE-2017-3133 (A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.6. ...) NOT-FOR-US: Fortinet FortiOS CVE-2017-3132 (A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.6. ...) NOT-FOR-US: Fortinet FortiOS CVE-2017-3131 (A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.4. ...) NOT-FOR-US: Fortinet FortiOS CVE-2017-3130 (An information disclosure vulnerability in Fortinet FortiOS 5.6.0, 5.4 ...) NOT-FOR-US: Fortinet CVE-2017-3129 (A Cross-Site Scripting vulnerability in Fortinet FortiWeb versions 5.7 ...) NOT-FOR-US: Fortinet FortiWeb CVE-2017-3128 (A stored XSS (Cross-Site-Scripting) vulnerability in Fortinet FortiOS ...) NOT-FOR-US: Fortinet FortiOS CVE-2017-3127 (A Cross-Site Scripting vulnerability in Fortinet FortiGate 5.2.0 throu ...) NOT-FOR-US: Fortinet CVE-2017-3126 (An Open Redirect vulnerability in Fortinet FortiAnalyzer 5.4.0 through ...) NOT-FOR-US: Fortinet FortiAnalyzer CVE-2017-3125 (An unauthenticated XSS vulnerability with FortiMail 5.0.0 - 5.2.9 and ...) NOT-FOR-US: FortiMail CVE-2017-3124 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3123 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3122 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3121 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3120 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3119 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3118 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3117 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3116 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3115 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3114 (An issue was discovered in Adobe Flash Player 27.0.0.183 and earlier v ...) NOT-FOR-US: Adobe CVE-2017-3113 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3112 (An issue was discovered in Adobe Flash Player 27.0.0.183 and earlier v ...) NOT-FOR-US: Adobe CVE-2017-3111 (An issue was discovered in Adobe Experience Manager 6.3, 6.2, 6.1, 6.0 ...) NOT-FOR-US: Adobe CVE-2017-3110 (Adobe Experience Manager 6.1 and earlier has a sensitive data exposure ...) NOT-FOR-US: Adobe CVE-2017-3109 (An issue was discovered in Adobe Experience Manager 6.3, 6.2, 6.1, 6.0 ...) NOT-FOR-US: Adobe CVE-2017-3108 (Adobe Experience Manager 6.2 and earlier has a malicious file executio ...) NOT-FOR-US: Adobe CVE-2017-3107 (Adobe Experience Manager 6.3 and earlier has a misconfiguration vulner ...) NOT-FOR-US: Adobe CVE-2017-3106 (Adobe Flash Player versions 26.0.0.137 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3105 (Adobe RoboHelp has an Open Redirect vulnerability. This affects versio ...) NOT-FOR-US: Adobe CVE-2017-3104 (Adobe RoboHelp has a cross-site scripting (XSS) vulnerability. This af ...) NOT-FOR-US: Adobe CVE-2017-3103 (Adobe Connect versions 9.6.1 and earlier have a stored cross-site scri ...) NOT-FOR-US: Adobe Connect CVE-2017-3102 (Adobe Connect versions 9.6.1 and earlier have a reflected cross-site s ...) NOT-FOR-US: Adobe Connect CVE-2017-3101 (Adobe Connect versions 9.6.1 and earlier have a clickjacking vulnerabi ...) NOT-FOR-US: Adobe Connect CVE-2017-3100 (Adobe Flash Player versions 26.0.0.131 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3099 (Adobe Flash Player versions 26.0.0.131 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3098 (Adobe Captivate versions 9 and earlier have a remote code execution vu ...) NOT-FOR-US: Adobe CVE-2017-3097 (Adobe Digital Editions versions 4.5.4 and earlier contain an insecure ...) NOT-FOR-US: Adobe CVE-2017-3096 (Adobe Digital Editions versions 4.5.4 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2017-3095 (Adobe Digital Editions versions 4.5.4 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2017-3094 (Adobe Digital Editions versions 4.5.4 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2017-3093 (Adobe Digital Editions versions 4.5.4 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2017-3092 (Adobe Digital Editions versions 4.5.4 and earlier contain an insecure ...) NOT-FOR-US: Adobe CVE-2017-3091 (Adobe Digital Editions 4.5.4 and earlier versions 4.5.4 and earlier ha ...) NOT-FOR-US: Adobe CVE-2017-3090 (Adobe Digital Editions versions 4.5.4 and earlier contain an insecure ...) NOT-FOR-US: Adobe CVE-2017-3089 (Adobe Digital Editions versions 4.5.4 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2017-3088 (Adobe Digital Editions versions 4.5.4 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2017-3087 (Adobe Captivate versions 9 and earlier have an information disclosure ...) NOT-FOR-US: Adobe CVE-2017-3086 (Adobe Shockwave versions 12.2.8.198 and earlier have an exploitable me ...) NOT-FOR-US: Adobe CVE-2017-3085 (Adobe Flash Player versions 26.0.0.137 and earlier have a security byp ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3084 (Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3083 (Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3082 (Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3081 (Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3080 (Adobe Flash Player versions 26.0.0.131 and earlier have a security byp ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3079 (Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3078 (Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3077 (Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3076 (Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3075 (Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3074 (Adobe Flash Player versions 25.0.0.148 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3073 (Adobe Flash Player versions 25.0.0.148 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3072 (Adobe Flash Player versions 25.0.0.148 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3071 (Adobe Flash Player versions 25.0.0.148 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3070 (Adobe Flash Player versions 25.0.0.148 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3069 (Adobe Flash Player versions 25.0.0.148 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3068 (Adobe Flash Player versions 25.0.0.148 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3067 (Adobe Experience Manager Forms versions 6.2, 6.1, 6.0 have an informat ...) NOT-FOR-US: Adobe CVE-2017-3066 (Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 an ...) NOT-FOR-US: Adobe CVE-2017-3065 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3064 (Adobe Flash Player versions 25.0.0.127 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3063 (Adobe Flash Player versions 25.0.0.127 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3062 (Adobe Flash Player versions 25.0.0.127 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3061 (Adobe Flash Player versions 25.0.0.127 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3060 (Adobe Flash Player versions 25.0.0.127 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3059 (Adobe Flash Player versions 25.0.0.127 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3058 (Adobe Flash Player versions 25.0.0.127 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3057 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3056 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3055 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3054 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3053 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3052 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3051 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3050 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3049 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3048 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3047 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3046 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3045 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3044 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3043 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3042 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3041 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3040 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3039 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3038 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3037 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3036 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3035 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3034 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3033 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3032 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3031 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3030 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3029 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3028 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3027 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3026 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3025 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3024 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3023 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3022 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3021 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3020 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3019 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3018 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3017 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3016 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3015 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3014 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3013 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3012 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3011 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3010 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe CVE-2017-3009 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe CVE-2017-3008 (Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 an ...) NOT-FOR-US: Adobe CVE-2017-3007 (Adobe Thor versions 3.9.5.353 and earlier have a vulnerability in the ...) NOT-FOR-US: Adobe Thor CVE-2017-3006 (Adobe Thor versions 3.9.5.353 and earlier have a vulnerability related ...) NOT-FOR-US: Adobe Thor CVE-2017-3005 (Adobe Photoshop versions CC 2017 (18.0.1) and earlier, CC 2015.5.1 (17 ...) NOT-FOR-US: Adobe Photoshop CVE-2017-3004 (Adobe Photoshop versions CC 2017 (18.0.1) and earlier, CC 2015.5.1 (17 ...) NOT-FOR-US: Adobe Photoshop CVE-2017-3003 (Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3002 (Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3001 (Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3000 (Adobe Flash Player versions 24.0.0.221 and earlier have a vulnerabilit ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2999 (Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2998 (Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2997 (Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2996 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2995 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2994 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2993 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2992 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2991 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2990 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2989 (Adobe Campaign versions Build 8770 and earlier have an input validatio ...) NOT-FOR-US: Adobe CVE-2017-2988 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2987 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2986 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2985 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2984 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2983 (Adobe Shockwave versions 12.2.7.197 and earlier have an insecure libra ...) NOT-FOR-US: Adobe CVE-2017-2982 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2981 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2017-2980 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2017-2979 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2017-2978 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2017-2977 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2017-2976 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2017-2975 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2017-2974 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2017-2973 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2017-2972 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2971 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2970 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2969 (Adobe Campaign versions 16.4 Build 8724 and earlier have a cross-site ...) NOT-FOR-US: Adobe CVE-2017-2968 (Adobe Campaign versions 16.4 Build 8724 and earlier have a code inject ...) NOT-FOR-US: Adobe CVE-2017-2967 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2966 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2965 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2964 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2963 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2962 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2961 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2960 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2959 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2958 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2957 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2956 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2955 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2954 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2953 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2952 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2951 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2950 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2949 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2948 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2947 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2946 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2945 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2944 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2943 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2942 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2941 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2940 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2939 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2938 (Adobe Flash Player versions 24.0.0.186 and earlier have a security byp ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2937 (Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2936 (Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2935 (Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2934 (Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2933 (Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2932 (Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2931 (Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2930 (Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2929 (Adobe Acrobat Chrome extension version 15.1.0.3 and earlier have a DOM ...) NOT-FOR-US: Adobe Acrobat Chrome extension CVE-2017-2928 (Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2927 (Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2926 (Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2925 (Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2016-9839 (In MapServer before 7.0.3, OGR driver error messages are too verbose a ...) {DLA-734-1} - mapserver 7.0.3-1 [jessie] - mapserver 6.4.1-5+deb8u1 NOTE: https://lists.osgeo.org/pipermail/mapserver-dev/2016-December/014979.html NOTE: https://github.com/mapserver/mapserver/pull/4928 NOTE: https://github.com/mapserver/mapserver/pull/5356 CVE-2016-9838 (An issue was discovered in components/com_users/models/registration.ph ...) NOT-FOR-US: Joomla! CVE-2016-9837 (An issue was discovered in templates/beez3/html/com_content/article/de ...) NOT-FOR-US: Joomla! CVE-2016-9836 (The file scanning mechanism of JFilterInput::isFileSafe() in Joomla! C ...) NOT-FOR-US: Joomla! CVE-2016-9835 (Directory traversal vulnerability in file "jcss.php" in Zikula 1.3.x b ...) NOT-FOR-US: Zikula CVE-2016-9834 (An XSS vulnerability allows remote attackers to execute arbitrary clie ...) NOT-FOR-US: Sophos CVE-2016-9833 RESERVED CVE-2016-9832 (PricewaterhouseCoopers (PwC) ACE-ABAP 8.10.304 for SAP Security allows ...) NOT-FOR-US: ACE-ABAP CVE-2016-9805 RESERVED CVE-2016-9796 (Alcatel-Lucent OmniVista 8770 2.0 through 3.0 exposes different ORBs i ...) NOT-FOR-US: Alcatel-Lucent OmniVista CVE-2016-9795 (The casrvc program in CA Common Services, as used in CA Client Automat ...) NOT-FOR-US: CA Common Services CVE-2016-9792 REJECTED CVE-2016-9791 REJECTED CVE-2016-9790 REJECTED CVE-2016-9789 REJECTED CVE-2016-9788 REJECTED CVE-2016-9787 REJECTED CVE-2016-9786 REJECTED CVE-2016-9785 REJECTED CVE-2016-9784 REJECTED CVE-2016-9783 REJECTED CVE-2016-9782 REJECTED CVE-2016-9781 REJECTED CVE-2016-9780 REJECTED CVE-2016-9779 REJECTED CVE-2016-9778 (An error in handling certain queries can cause an assertion failure wh ...) - bind9 (Only Supported Preview Edition/Subscription Edition and 9.11.x) NOTE: https://kb.isc.org/article/AA-01442/0 CVE-2016-9771 REJECTED CVE-2016-9770 REJECTED CVE-2016-9769 REJECTED CVE-2016-9768 REJECTED CVE-2016-9767 REJECTED CVE-2016-9766 REJECTED CVE-2016-9765 REJECTED CVE-2016-9764 REJECTED CVE-2016-9763 REJECTED CVE-2016-9762 REJECTED CVE-2016-9761 REJECTED CVE-2016-9760 REJECTED CVE-2016-9759 REJECTED CVE-2016-9758 REJECTED CVE-2016-9757 (In the Create Tags page of the Rapid7 Nexpose version 6.4.12 user inte ...) NOT-FOR-US: Rapid7 Nexpose CVE-2016-9846 (QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator su ...) - qemu 1:2.8+dfsg-1 (bug #847382) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg00029.html CVE-2016-9845 (QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator su ...) - qemu 1:2.8+dfsg-1 (bug #847381) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2016-11/msg00019.html CVE-2016-9843 (The crc32_big function in crc32.c in zlib 1.2.8 might allow context-de ...) {DLA-2085-1 DLA-1725-1} - zlib 1:1.2.8.dfsg-3 (bug #847275) [wheezy] - zlib (Minor issue) - rsync 3.1.3-6 (bug #924509) [stretch] - rsync 3.1.2-1+deb9u2 NOTE: https://github.com/madler/zlib/commit/d1d577490c15a0c6862473d7576352a9f18ef811 NOTE: Report: https://wiki.mozilla.org/images/0/09/Zlib-report.pdf CVE-2016-9842 (The inflateMark function in inflate.c in zlib 1.2.8 might allow contex ...) {DLA-2085-1 DLA-1725-1} - zlib 1:1.2.8.dfsg-3 (bug #847274) [wheezy] - zlib (Minor issue) - rsync 3.1.3-6 (bug #924509) [stretch] - rsync 3.1.2-1+deb9u2 NOTE: https://github.com/madler/zlib/commit/e54e1299404101a5a9d0cf5e45512b543967f958 NOTE: Report: https://wiki.mozilla.org/images/0/09/Zlib-report.pdf CVE-2016-9841 (inffast.c in zlib 1.2.8 might allow context-dependent attackers to hav ...) {DLA-2085-1 DLA-1725-1} - zlib 1:1.2.8.dfsg-4 (bug #847270) [wheezy] - zlib (Minor issue) - rsync 3.1.3-6 (bug #924509) [stretch] - rsync 3.1.2-1+deb9u2 NOTE: https://github.com/madler/zlib/commit/9aaec95e82117c1cb0f9624264c3618fc380cecb NOTE: Report: https://wiki.mozilla.org/images/0/09/Zlib-report.pdf CVE-2016-9840 (inftrees.c in zlib 1.2.8 might allow context-dependent attackers to ha ...) {DLA-2085-1 DLA-1725-1} - zlib 1:1.2.8.dfsg-3 (bug #847270) [wheezy] - zlib (Minor issue) - rsync 3.1.3-6 (bug #924509) [stretch] - rsync 3.1.2-1+deb9u2 NOTE: https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0 NOTE: Report: https://wiki.mozilla.org/images/0/09/Zlib-report.pdf CVE-2016-9844 (Buffer overflow in the zi_short function in zipinfo.c in Info-Zip UnZi ...) {DLA-741-1} - unzip 6.0-21 (bug #847486) [jessie] - unzip 6.0-16+deb8u3 NOTE: https://launchpad.net/bugs/1643750 NOTE: http://www.openwall.com/lists/oss-security/2016/12/05/13 NOTE: Proposed patch in http://www.openwall.com/lists/oss-security/2016/12/05/19 CVE-2014-9913 (Buffer overflow in the list_files function in list.c in Info-Zip UnZip ...) {DLA-741-1} - unzip 6.0-21 (bug #847485) [jessie] - unzip 6.0-16+deb8u3 NOTE: Upstream bug: http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450 NOTE: Same reproducer as in https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1643750 NOTE: can be used to verify a fix (which trigger the issue in unzip -l but crash NOTE: in different areas of the unzip codebase) NOTE: http://www.openwall.com/lists/oss-security/2014/11/03/5 CVE-2016-XXXX [tiffcrop: divide-by-zero in readSeparateStripsIntoBuffer when BitsPerSample is missing] - tiff 4.0.7-2 (unimportant; bug #846838) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2619 CVE-2016-9831 (Heap-based buffer overflow in the parseSWF_RGBA function in parser.c i ...) {DLA-799-1} - ming NOTE: https://blogs.gentoo.org/ago/2016/12/01/libming-listswf-heap-based-buffer-overflow-in-parseswf_rgba-parser-c CVE-2016-9830 (The MagickRealloc function in memory.c in Graphicsmagick 1.3.25 allows ...) {DSA-3746-1} - graphicsmagick 1.3.25-6 (bug #847055) [wheezy] - graphicsmagick (fix too intrusive, depends on jan 15th magickresources changes) NOTE: upstream patch requires major refactor from jan 2015, see https://lists.debian.org/87inpe4wgu.fsf@curie.anarc.at NOTE: https://blogs.gentoo.org/ago/2016/12/01/graphicsmagick-memory-allocation-failure-in-magickrealloc-memory-c NOTE: POC: https://github.com/asarubbo/poc/blob/master/00096-graphicsmagick-memalloc-MagickRealloc CVE-2016-9829 (Heap-based buffer overflow in the parseSWF_DEFINEFONT function in pars ...) {DLA-799-1} - ming NOTE: https://blogs.gentoo.org/ago/2016/12/01/libming-listswf-heap-based-buffer-overflow-in-parseswf_definefont-parser-c CVE-2016-9828 (The dumpBuffer function in read.c in the listswf tool in libming 0.4.7 ...) {DLA-799-1} - ming NOTE: https://blogs.gentoo.org/ago/2016/12/01/libming-listswf-null-pointer-dereference-in-dumpbuffer-read-c CVE-2016-9827 (The _iprintf function in outputtxt.c in the listswf tool in libming 0. ...) {DLA-799-1} - ming NOTE: https://blogs.gentoo.org/ago/2016/12/01/libming-listswf-heap-based-buffer-overflow-in-_iprintf-outputtxt-c CVE-2016-9826 (libavcodec/ituh263dec.c in libav 11.8 allows remote attackers to cause ...) - libav (unimportant) NOTE: https://blogs.gentoo.org/ago/2016/12/01/libav-multiple-crashes-from-the-undefined-behavior-sanitizer NOTE: https://github.com/asarubbo/poc/blob/master/00041-libav-leftshift-ituh263dec_c NOTE: https://bugzilla.libav.org/show_bug.cgi?id=985 CVE-2016-9825 (libswscale/utils.c in libav 11.8 allows remote attackers to cause a de ...) - libav (unimportant) NOTE: https://blogs.gentoo.org/ago/2016/12/01/libav-multiple-crashes-from-the-undefined-behavior-sanitizer NOTE: https://github.com/asarubbo/poc/blob/master/00040-libav-leftshift-utils_c NOTE: https://bugzilla.libav.org/show_bug.cgi?id=984 CVE-2016-9824 (Integer overflow in libswscale/x86/swscale.c in libav 11.8 allows remo ...) - libav [jessie] - libav (Minor issue, usan-only no-crash warning, no patch) [wheezy] - libav (Minor issue) NOTE: https://blogs.gentoo.org/ago/2016/12/01/libav-multiple-crashes-from-the-undefined-behavior-sanitizer NOTE: https://github.com/asarubbo/poc/blob/master/00039-libav-signedintoverflow-swscale_c NOTE: https://bugzilla.libav.org/show_bug.cgi?id=983 CVE-2016-9823 (libavcodec/x86/mpegvideo.c in libav 11.8 allows remote attackers to ca ...) - libav [jessie] - libav (Minor issue, usan-only no-crash warning, no patch) [wheezy] - libav (Minor issue) NOTE: https://blogs.gentoo.org/ago/2016/12/01/libav-multiple-crashes-from-the-undefined-behavior-sanitizer NOTE: https://github.com/asarubbo/poc/blob/master/00038-libav-uint8_t64-outofbounds-mpegvideo NOTE: https://bugzilla.libav.org/show_bug.cgi?id=982 CVE-2016-9822 (Integer overflow in libavcodec/mpeg12dec.c in libav 11.8 allows remote ...) {DSA-3833-1 DLA-791-1} - libav NOTE: https://blogs.gentoo.org/ago/2016/12/01/libav-multiple-crashes-from-the-undefined-behavior-sanitizer NOTE: https://github.com/asarubbo/poc/blob/master/00037-libav-signedintoverflow-mpegvideo_parser NOTE: https://bugzilla.libav.org/show_bug.cgi?id=981 NOTE: https://git.libav.org/?p=libav.git;a=commit;h=9f0193c778175cea3fb43f17acf9b90b4d862d33 (pre 11.9) NOTE: https://git.libav.org/?p=libav.git;a=commit;h=15e1af0006354d6bbf0e433c5d1e8ef13c93d6d0 (pre 11.9) CVE-2016-9821 (Integer overflow in libavcodec/mpegvideo_parser.c in libav 11.8 allows ...) {DSA-3833-1 DLA-791-1} - libav NOTE: https://blogs.gentoo.org/ago/2016/12/01/libav-multiple-crashes-from-the-undefined-behavior-sanitizer NOTE: https://github.com/asarubbo/poc/blob/master/00037-libav-signedintoverflow-mpegvideo_parser NOTE: https://bugzilla.libav.org/show_bug.cgi?id=981 NOTE: https://git.libav.org/?p=libav.git;a=commit;h=9f0193c778175cea3fb43f17acf9b90b4d862d33 (pre 11.9) NOTE: https://git.libav.org/?p=libav.git;a=commit;h=15e1af0006354d6bbf0e433c5d1e8ef13c93d6d0 (pre 11.9) CVE-2016-9820 (libavcodec/mpegvideo_motion.c in libav 11.8 allows remote attackers to ...) {DLA-791-1} - libav (unimportant) [jessie] - libav (The fixing patches are included in the upstream version) NOTE: https://blogs.gentoo.org/ago/2016/12/01/libav-multiple-crashes-from-the-undefined-behavior-sanitizer NOTE: https://github.com/asarubbo/poc/blob/master/00036-libav-leftshift-mpegvideo NOTE: https://bugzilla.libav.org/show_bug.cgi?id=980 NOTE: https://git.libav.org/?p=libav.git;a=commit;h=e17bcfbecc268ba00cb55025095d70b1025e6c7d (pre 11.9) NOTE: https://git.libav.org/?p=libav.git;a=commit;h=f106f74206e69e9056130da8bddffc39f3878ac3 (pre 11.9) CVE-2016-9819 (libavcodec/mpegvideo.c in libav 11.8 allows remote attackers to cause ...) {DLA-791-1} - libav (unimportant) [jessie] - libav (The fixing patches are included in the upstream version) NOTE: https://blogs.gentoo.org/ago/2016/12/01/libav-multiple-crashes-from-the-undefined-behavior-sanitizer NOTE: https://github.com/asarubbo/poc/blob/master/00036-libav-leftshift-mpegvideo NOTE: https://bugzilla.libav.org/show_bug.cgi?id=980 NOTE: https://git.libav.org/?p=libav.git;a=commit;h=e17bcfbecc268ba00cb55025095d70b1025e6c7d (pre 11.9) NOTE: https://git.libav.org/?p=libav.git;a=commit;h=f106f74206e69e9056130da8bddffc39f3878ac3 (pre 11.9) CVE-2016-9818 (Xen through 4.7.x allows local ARM guest OS users to cause a denial of ...) - xen 4.8.0-1 [jessie] - xen (Minor issue) [wheezy] - xen (ARM support introduced in 4.4) NOTE: https://xenbits.xen.org/xsa/advisory-201.html NOTE: CVE for fix via patch https://xenbits.xen.org/xsa/xsa201-4.patch CVE-2016-9817 (Xen through 4.7.x allows local ARM guest OS users to cause a denial of ...) - xen 4.8.0-1 [jessie] - xen (Minor issue) [wheezy] - xen (ARM support introduced in 4.4) NOTE: https://xenbits.xen.org/xsa/advisory-201.html NOTE: CVE for fix via patch https://xenbits.xen.org/xsa/xsa201-3.patch NOTE: or https://xenbits.xen.org/xsa/xsa201-3-4.7.patch CVE-2016-9816 (Xen through 4.7.x allows local ARM guest OS users to cause a denial of ...) - xen 4.8.0-1 [jessie] - xen (Minor issue) [wheezy] - xen (ARM support introduced in 4.4) NOTE: https://xenbits.xen.org/xsa/advisory-201.html NOTE: CVE for fix via patch https://xenbits.xen.org/xsa/xsa201-2.patch CVE-2016-9815 (Xen through 4.7.x allows local ARM guest OS users to cause a denial of ...) - xen 4.8.0-1 [jessie] - xen (Minor issue) [wheezy] - xen (ARM support introduced in 4.4) NOTE: https://xenbits.xen.org/xsa/advisory-201.html NOTE: CVE for fix via patch https://xenbits.xen.org/xsa/xsa201-1.patch CVE-2016-9814 (The validateSignature method in the SAML2\Utils class in SimpleSAMLphp ...) {DLA-1298-1} - simplesamlphp 1.14.10-1 (low) [jessie] - simplesamlphp (Minor issue) NOTE: https://simplesamlphp.org/security/201612-01 NOTE: https://github.com/simplesamlphp/saml2/pull/81 NOTE: https://github.com/simplesamlphp/saml2/commit/7008b0916426212c1cc2fc238b38ab9ebff0748c NOTE: only exploitable in hard to achieve conditions NOTE: http://www.openwall.com/lists/oss-security/2016/12/03/5 CVE-2017-2924 (An exploitable heap-based buffer overflow vulnerability exists in the ...) {DSA-3976-1 DLA-1098-1} - freexl 1.0.4-1 (bug #875691) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0431 NOTE: https://www.gaia-gis.it/fossil/freexl/ci/40c17539ea56f0d8 CVE-2017-2923 (An exploitable heap based buffer overflow vulnerability exists in the ...) {DSA-3976-1 DLA-1098-1} - freexl 1.0.4-1 (bug #875690) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0430 NOTE: https://www.gaia-gis.it/fossil/freexl/ci/40c17539ea56f0d8 CVE-2017-2922 (An exploitable memory corruption vulnerability exists in the Websocket ...) - smplayer 18.5.0~ds1-1 (bug #898943) [stretch] - smplayer (Vulnerable code not present) [jessie] - smplayer (Vulnerable code not present) [wheezy] - smplayer (Vulnerable code not present) NOTE: 18.5.0~ds1-1 isn't fixed on the source level, but no longer builds the Chromecast support CVE-2017-2921 (An exploitable memory corruption vulnerability exists in the Websocket ...) - smplayer 18.5.0~ds1-1 (bug #898943) [stretch] - smplayer (Vulnerable code not present) [jessie] - smplayer (Vulnerable code not present) [wheezy] - smplayer (Vulnerable code not present) NOTE: 18.5.0~ds1-1 isn't fixed on the source level, but no longer builds the Chromecast support CVE-2017-2920 (An memory corruption vulnerability exists in the .SVG parsing function ...) NOT-FOR-US: Computerinsel Photoline CVE-2017-2919 (An exploitable stack based buffer overflow vulnerability exists in the ...) {DSA-4173-1} - r-cran-readxl 1.0.0-2 (bug #895564) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0426 CVE-2017-2918 (An exploitable integer overflow exists in the Image loading functional ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c NOTE: :https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0425 CVE-2017-2917 (An exploitable vulnerability exists in the notifications functionality ...) NOT-FOR-US: Circle with Disney CVE-2017-2916 (An exploitable vulnerability exists in the /api/CONFIG/restore functio ...) NOT-FOR-US: Circle with Disney CVE-2017-2915 (An exploitable vulnerability exists in the WiFi configuration function ...) NOT-FOR-US: Circle with Disney CVE-2017-2914 (An exploitable authentication bypass vulnerability exists in the API d ...) NOT-FOR-US: Circle with Disney CVE-2017-2913 (An exploitable vulnerability exists in the filtering functionality of ...) NOT-FOR-US: Circle with Disney CVE-2017-2912 (An exploitable vulnerability exists in the remote control functionalit ...) NOT-FOR-US: Circle with Disney CVE-2017-2911 (An exploitable vulnerability exists in the remote control functionalit ...) NOT-FOR-US: Circle with Disney CVE-2017-2910 RESERVED CVE-2017-2909 (An infinite loop programming error exists in the DNS server functional ...) - smplayer 18.5.0~ds1-1 (bug #898943) [stretch] - smplayer (Vulnerable code not present) [jessie] - smplayer (Vulnerable code not present) [wheezy] - smplayer (Vulnerable code not present) NOTE: 18.5.0~ds1-1 isn't fixed on the source level, but no longer builds the Chromecast support CVE-2017-2908 (An exploitable integer overflow exists in the thumbnail functionality ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/07aed404cfb2759f97c60b9f64d8a9392dabaf1a NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0415 CVE-2017-2907 (An exploitable integer overflow exists in the animation playing functi ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0414 CVE-2017-2906 (An exploitable integer overflow exists in the animation playing functi ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0413 CVE-2017-2905 (An exploitable integer overflow exists in the bmp loading functionalit ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0412 CVE-2017-2904 (An exploitable integer overflow exists in the RADIANCE loading functio ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0411 CVE-2017-2903 (An exploitable integer overflow exists in the DPX loading functionalit ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0410 CVE-2017-2902 (An exploitable integer overflow exists in the DPX loading functionalit ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0409 CVE-2017-2901 (An exploitable integer overflow exists in the IRIS loading functionali ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/829916f4e57a2d1580ff3b625f6bb909b9144a20 NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0408 CVE-2017-2900 (An exploitable integer overflow exists in the PNG loading functionalit ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0407 CVE-2017-2899 (An exploitable integer overflow exists in the TIFF loading functionali ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0406 CVE-2017-2898 (An exploitable vulnerability exists in the signature verification of t ...) NOT-FOR-US: Circle with Disney CVE-2017-2897 (An exploitable out-of-bounds write vulnerability exists in the read_MS ...) {DSA-4173-1} - r-cran-readxl 1.0.0-2 (bug #895564) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0404 CVE-2017-2896 (An exploitable out-of-bounds write vulnerability exists in the xls_mer ...) {DSA-4173-1} - r-cran-readxl 1.0.0-2 (bug #895564) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0403 CVE-2017-2895 (An exploitable arbitrary memory read vulnerability exists in the MQTT ...) - smplayer 18.5.0~ds1-1 (bug #898943) [stretch] - smplayer (Vulnerable code not present) [jessie] - smplayer (Vulnerable code not present) [wheezy] - smplayer (Vulnerable code not present) NOTE: 18.5.0~ds1-1 isn't fixed on the source level, but no longer builds the Chromecast support CVE-2017-2894 (An exploitable stack buffer overflow vulnerability exists in the MQTT ...) - smplayer 18.5.0~ds1-1 (bug #898943) [stretch] - smplayer (Vulnerable code not present) [jessie] - smplayer (Vulnerable code not present) [wheezy] - smplayer (Vulnerable code not present) NOTE: 18.5.0~ds1-1 isn't fixed on the source level, but no longer builds the Chromecast support CVE-2017-2893 (An exploitable NULL pointer dereference vulnerability exists in the MQ ...) - smplayer 18.5.0~ds1-1 (bug #898943) [stretch] - smplayer (Vulnerable code not present) [jessie] - smplayer (Vulnerable code not present) [wheezy] - smplayer (Vulnerable code not present) NOTE: 18.5.0~ds1-1 isn't fixed on the source level, but no longer builds the Chromecast support CVE-2017-2892 (An exploitable arbitrary memory read vulnerability exists in the MQTT ...) - smplayer 18.5.0~ds1-1 (bug #898943) [stretch] - smplayer (Vulnerable code not present) [jessie] - smplayer (Vulnerable code not present) [wheezy] - smplayer (Vulnerable code not present) NOTE: 18.5.0~ds1-1 isn't fixed on the source level, but no longer builds the Chromecast support CVE-2017-2891 (An exploitable use-after-free vulnerability exists in the HTTP server ...) - smplayer 18.5.0~ds1-1 (bug #898943) [stretch] - smplayer (Vulnerable code not present) [jessie] - smplayer (Vulnerable code not present) [wheezy] - smplayer (Vulnerable code not present) NOTE: 18.5.0~ds1-1 isn't fixed on the source level, but no longer builds the Chromecast support CVE-2017-2890 (An exploitable vulnerability exists in the /api/CONFIG/restore functio ...) NOT-FOR-US: Circle with Disney CVE-2017-2889 (An exploitable Denial of Service vulnerability exists in the API daemo ...) NOT-FOR-US: Circle with Disney CVE-2017-2888 (An exploitable integer overflow vulnerability exists when creating a n ...) - libsdl2 2.0.6+dfsg1-4 (bug #878264) [stretch] - libsdl2 (Minor issue) [jessie] - libsdl2 (Minor issue) - libsdl1.2 (Issue not present, SDL_CreateRGBSurface contains further check for too large width or height) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0395 NOTE: https://hg.libsdl.org/SDL/rev/7e0f1498ddb5 NOTE: https://hg.libsdl.org/SDL/rev/81a4950907a0 CVE-2017-2887 (An exploitable buffer overflow vulnerability exists in the XCF propert ...) {DSA-4184-1 DSA-4177-1 DLA-1134-1} - libsdl2-image 2.0.1+dfsg-4 (bug #878266) - sdl-image1.2 1.2.12-7 (bug #878267) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0394 NOTE: https://hg.libsdl.org/SDL_image/rev/318484db0705 CVE-2017-2886 (A memory corruption vulnerability exists in the .PSD parsing functiona ...) NOT-FOR-US: ACDSee Ultimate CVE-2017-2885 (An exploitable stack based buffer overflow vulnerability exists in the ...) {DSA-3929-1} - libsoup2.4 2.56.1-1 (bug #871650) [wheezy] - libsoup2.4 (Vulnerable code not present) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=785774 CVE-2017-2884 (An exploitable vulnerability exists in the user photo update functiona ...) NOT-FOR-US: Circle with Disney CVE-2017-2883 (An exploitable vulnerability exists in the database update functionali ...) NOT-FOR-US: Circle with Disney CVE-2017-2882 (An exploitable vulnerability exists in the servers update functionalit ...) NOT-FOR-US: Circle with Disney CVE-2017-2881 (An exploitable vulnerability exists in the torlist update functionalit ...) NOT-FOR-US: Circle with Disney CVE-2017-2880 (An memory corruption vulnerability exists in the .GIF parsing function ...) NOT-FOR-US: Computerinsel Photoline CVE-2017-2879 (An exploitable buffer overflow vulnerability exists in the UPnP implem ...) NOT-FOR-US: Foscam CVE-2017-2878 (An exploitable buffer overflow vulnerability exists in the web managem ...) NOT-FOR-US: Foscam CVE-2017-2877 (A missing error check exists in the Multi-Camera interface used by the ...) NOT-FOR-US: Foscam CVE-2017-2876 (An exploitable buffer overflow vulnerability exists in the Multi-Camer ...) NOT-FOR-US: Foscam CVE-2017-2875 (An exploitable buffer overflow vulnerability exists in the Multi-Camer ...) NOT-FOR-US: Foscam CVE-2017-2874 (An information disclosure vulnerability exists in the Multi-Camera int ...) NOT-FOR-US: Foscam CVE-2017-2873 (An exploitable command injection vulnerability exists in the web manag ...) NOT-FOR-US: Foscam CVE-2017-2872 (Insufficient security checks exist in the recovery procedure used by t ...) NOT-FOR-US: Foscam CVE-2017-2871 (Insufficient security checks exist in the recovery procedure used by t ...) NOT-FOR-US: Foscam C1 Indoor HD Camera CVE-2017-2870 (An exploitable integer overflow vulnerability exists in the tiff_image ...) {DLA-2043-1} - gdk-pixbuf 2.36.10-1 (unimportant; bug #873787) NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=31a6cff3dfc6944aad4612a9668b8ad39122e48b NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=770986 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=780269 NOTE: Built with GCC in Debian, which doesn't remove the check CVE-2017-2869 (An exploitable code execution vulnerability exists in the OpenProducer ...) NOT-FOR-US: Natus Xltek NeuroWorks CVE-2017-2868 (An exploitable code execution vulnerability exists in the NewProducerS ...) NOT-FOR-US: Natus Xltek NeuroWorks CVE-2017-2867 (An exploitable code execution vulnerability exists in the SavePatientM ...) NOT-FOR-US: Natus Xltek NeuroWorks CVE-2017-2866 (An exploitable vulnerability exists in the /api/CONFIG/backup function ...) NOT-FOR-US: Circle with Disney CVE-2017-2865 (An exploitable vulnerability exists in the firmware update functionali ...) NOT-FOR-US: Circle with Disney CVE-2017-2864 (An exploitable vulnerability exists in the generation of authenticatio ...) NOT-FOR-US: Circle with Disney CVE-2017-2863 (An out-of-bounds write vulnerability exists in the PDF parsing functio ...) NOT-FOR-US: Iceni Infix CVE-2017-2862 (An exploitable heap overflow vulnerability exists in the gdk_pixbuf__j ...) {DSA-3978-1 DLA-1100-1} - gdk-pixbuf 2.36.10-1 (bug #874552) NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=c2a40a92fe3df4111ed9da51fe3368c079b86926 NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=6dd89e126a277460faafc1f679db44ccf78446fb NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=784866 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0366 CVE-2017-2861 (An exploitable Denial of Service vulnerability exists in the use of a ...) NOT-FOR-US: Natus Xltek NeuroWorks CVE-2017-2860 (An exploitable denial-of-service vulnerability exists in the lookup en ...) NOT-FOR-US: Natus Xltek NeuroWorks CVE-2017-2859 REJECTED CVE-2017-2858 (An exploitable denial-of-service vulnerability exists in the traversal ...) NOT-FOR-US: Natus Xltek NeuroWorks CVE-2017-2857 (An exploitable buffer overflow vulnerability exists in the DDNS client ...) NOT-FOR-US: Foscam CVE-2017-2856 (An exploitable buffer overflow vulnerability exists in the DDNS client ...) NOT-FOR-US: Foscam CVE-2017-2855 (An exploitable buffer overflow vulnerability exists in the DDNS client ...) NOT-FOR-US: Foscam CVE-2017-2854 (An exploitable buffer overflow vulnerability exists in the DDNS client ...) NOT-FOR-US: Foscam CVE-2017-2853 (An exploitable Code Execution vulnerability exists in the RequestForPa ...) NOT-FOR-US: Natus Xltek NeuroWorks CVE-2017-2852 (An exploitable denial-of-service vulnerability exists in the unseriali ...) NOT-FOR-US: Natus Xltek NeuroWorks CVE-2017-2851 (In the web management interface in Foscam C1 Indoor HD cameras with ap ...) NOT-FOR-US: Foscam C1 Indoor HD cameras CVE-2017-2850 (In the web management interface in Foscam C1 Indoor HD cameras with ap ...) NOT-FOR-US: Foscam C1 Indoor HD cameras CVE-2017-2849 (In the web management interface in Foscam C1 Indoor HD cameras with ap ...) NOT-FOR-US: Foscam C1 Indoor HD cameras CVE-2017-2848 (In the web management interface in Foscam C1 Indoor HD cameras with ap ...) NOT-FOR-US: Foscam C1 Indoor HD cameras CVE-2017-2847 (In the web management interface in Foscam C1 Indoor HD cameras with ap ...) NOT-FOR-US: Foscam C1 Indoor HD cameras CVE-2017-2846 (In the web management interface in Foscam C1 Indoor HD cameras with ap ...) NOT-FOR-US: Foscam C1 Indoor HD cameras CVE-2017-2845 (An exploitable command injection vulnerability exists in the web manag ...) NOT-FOR-US: Foscam C1 Indoor HD cameras CVE-2017-2844 (In the web management interface in Foscam C1 Indoor HD cameras with ap ...) NOT-FOR-US: Foscam C1 Indoor HD cameras CVE-2017-2843 (In the web management interface in Foscam C1 Indoor HD Camera running ...) NOT-FOR-US: Foscam C1 Indoor HD Camera CVE-2017-2842 (In the web management interface in Foscam C1 Indoor HD Camera running ...) NOT-FOR-US: Foscam C1 Indoor HD Camera CVE-2017-2841 (An exploitable command injection vulnerability exists in the web manag ...) NOT-FOR-US: Foscam C1 Indoor HD Camera CVE-2017-2840 (A buffer overflow vulnerability exists in the ISO parsing functionalit ...) NOT-FOR-US: EZB Systems UltraISO CVE-2017-2839 (An exploitable denial of service vulnerability exists within the handl ...) {DSA-3923-1 DLA-1095-1} - freerdp 1.1.0~git20140921.1.440916e+dfsg1-14 (bug #869880) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0341 NOTE: http://blog.talosintelligence.com/2017/07/vulnerbility-spotlight-freerdp-multiple.html NOTE: https://github.com/FreeRDP/FreeRDP/commit/03ab68318966c3a22935a02838daaea7b7fbe96c (1.1) CVE-2017-2838 (An exploitable denial of service vulnerability exists within the handl ...) {DSA-3923-1 DLA-1095-1} - freerdp 1.1.0~git20140921.1.440916e+dfsg1-14 (bug #869880) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0340 NOTE: http://blog.talosintelligence.com/2017/07/vulnerbility-spotlight-freerdp-multiple.html NOTE: https://github.com/FreeRDP/FreeRDP/commit/03ab68318966c3a22935a02838daaea7b7fbe96c (1.1) CVE-2017-2837 (An exploitable denial of service vulnerability exists within the handl ...) {DSA-3923-1 DLA-1095-1} - freerdp 1.1.0~git20140921.1.440916e+dfsg1-14 (bug #869880) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0339 NOTE: http://blog.talosintelligence.com/2017/07/vulnerbility-spotlight-freerdp-multiple.html NOTE: https://github.com/FreeRDP/FreeRDP/commit/03ab68318966c3a22935a02838daaea7b7fbe96c (1.1) CVE-2017-2836 (An exploitable denial of service vulnerability exists within the readi ...) {DSA-3923-1 DLA-1095-1} - freerdp 1.1.0~git20140921.1.440916e+dfsg1-14 (bug #869880) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0338 NOTE: http://blog.talosintelligence.com/2017/07/vulnerbility-spotlight-freerdp-multiple.html NOTE: https://github.com/FreeRDP/FreeRDP/commit/03ab68318966c3a22935a02838daaea7b7fbe96c (1.1) CVE-2017-2835 (An exploitable code execution vulnerability exists in the RDP receive ...) {DSA-3923-1 DLA-1095-1} - freerdp 1.1.0~git20140921.1.440916e+dfsg1-14 (bug #869880) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0337 NOTE: http://blog.talosintelligence.com/2017/07/vulnerbility-spotlight-freerdp-multiple.html NOTE: https://github.com/FreeRDP/FreeRDP/commit/03ab68318966c3a22935a02838daaea7b7fbe96c (1.1) CVE-2017-2834 (An exploitable code execution vulnerability exists in the authenticati ...) {DSA-3923-1} - freerdp 1.1.0~git20140921.1.440916e+dfsg1-14 (bug #869880) [wheezy] - freerdp (vulnerable code not present) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0336 NOTE: http://blog.talosintelligence.com/2017/07/vulnerbility-spotlight-freerdp-multiple.html NOTE: https://github.com/FreeRDP/FreeRDP/commit/03ab68318966c3a22935a02838daaea7b7fbe96c (1.1) CVE-2017-2833 (An exploitable command injection vulnerability exists in the web manag ...) NOT-FOR-US: Foscam C1 Indoor HD Camera CVE-2017-2832 (An exploitable command injection vulnerability exists in the web manag ...) NOT-FOR-US: Foscam C1 Indoor HD Camera CVE-2017-2831 (An exploitable buffer overflow vulnerability exists in the web managem ...) NOT-FOR-US: Foscam C1 Indoor HD Camera CVE-2017-2830 (An exploitable buffer overflow vulnerability exists in the web managem ...) NOT-FOR-US: Foscam C1 Indoor HD Camera CVE-2017-2829 (An exploitable directory traversal vulnerability exists in the web man ...) NOT-FOR-US: Foscam C1 Indoor HD Camera CVE-2017-2828 (An exploitable command injection vulnerability exists in the web manag ...) NOT-FOR-US: Foscam C1 Indoor HD Camera CVE-2017-2827 (An exploitable command injection vulnerability exists in the web manag ...) NOT-FOR-US: Foscam C1 Indoor HD Camera CVE-2017-2826 (An information disclosure vulnerability exists in the iConfig proxy re ...) {DLA-1708-1} - zabbix (low) [buster] - zabbix (Minor issue, workaround exists) [stretch] - zabbix (Minor issue, workaround exists) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2017-0327 NOTE: Relates to the information disclosure as mentioned in (but is not the same issue) NOTE: https://support.zabbix.com/browse/ZBX-12076 NOTE: Workaround for Zabbix 3.0 exists: https://www.zabbix.com/documentation/3.0/manual/distributed_monitoring/proxies#configuration NOTE: using encyrpted connections with the proxy. CVE-2017-2825 (In the trapper functionality of Zabbix Server 2.4.x, specifically craf ...) {DSA-3937-1} - zabbix 1:3.0.7+dfsg-3 (bug #863584) NOTE: http://www.talosintelligence.com/reports/TALOS-2017-0326/ NOTE: https://support.zabbix.com/browse/ZBX-12076 CVE-2017-2824 (An exploitable code execution vulnerability exists in the trapper comm ...) {DSA-3937-1} - zabbix 1:3.0.7+dfsg-3 (bug #863584) NOTE: http://www.talosintelligence.com/reports/TALOS-2017-0325/ NOTE: https://support.zabbix.com/browse/ZBX-12075 CVE-2017-2823 (A use-after-free vulnerability exists in the .ISO parsing functionalit ...) NOT-FOR-US: PowerISO CVE-2017-2822 (An exploitable code execution vulnerability exists in the image render ...) NOT-FOR-US: Lexmark CVE-2017-2821 (An exploitable use-after-free exists in the PDF parsing functionality ...) NOT-FOR-US: Lexmark CVE-2017-2820 (An exploitable integer overflow vulnerability exists in the JPEG 2000 ...) - poppler (unimportant) NOTE: Debian uses openjpeg for processing JPEG 2000 images, this advisory is NOTE: against Ubuntu, which disables openjpeg due to being in universe NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2017-0321 CVE-2017-2819 (An exploitable heap-based buffer overflow exists in the Hangul Word Pr ...) NOT-FOR-US: Hancom Thinkfree Office NEO CVE-2017-2818 (An exploitable heap overflow vulnerability exists in the image renderi ...) - poppler (unimportant) NOTE: Debian links against libjpeg which is unaffected NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2017-0319 CVE-2017-2817 (A stack buffer overflow vulnerability exists in the ISO parsing functi ...) NOT-FOR-US: PowerISO CVE-2017-2816 (An exploitable buffer overflow vulnerability exists in the tag parsing ...) {DLA-1192-1} - libofx 1:0.9.11-4 (bug #875801) [stretch] - libofx 1:0.9.10-2+deb9u1 [jessie] - libofx 1:0.9.10-1+deb8u1 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0317 NOTE: https://github.com/libofx/libofx/commit/a70934eea95c76a7737b83773bffe8738935082d NOTE: https://github.com/libofx/libofx/issues/9 CVE-2017-2815 (An exploitable XML entity injection vulnerability exists in OpenFire U ...) NOT-FOR-US: OpenFire User Import Export Plugin CVE-2017-2814 (An exploitable heap overflow vulnerability exists in the image renderi ...) - poppler (unimportant) NOTE: Debian links against libjpeg which is unaffected NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2017-0319 CVE-2017-2813 (An exploitable integer overflow vulnerability exists in the JPEG 2000 ...) NOT-FOR-US: IrfanView CVE-2017-2812 (A code execution vulnerability exists in the kdu_buffered_expand funct ...) NOT-FOR-US: Kakadu CVE-2017-2811 (A code execution vulnerability exists in the Kakadu SDK 7.9's parsing ...) NOT-FOR-US: Kakadu CVE-2017-2810 (An exploitable vulnerability exists in the Databook loading functional ...) - python-tablib 0.9.11-3 (bug #864818) [stretch] - python-tablib 0.9.11-2+deb8u1 [jessie] - python-tablib 0.9.11-2+deb8u1 NOTE: Fixed by: https://github.com/kennethreitz/tablib/commit/69abfc3ada5d754cb152119c0b4777043657cb6e NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0307 CVE-2017-2809 (An exploitable vulnerability exists in the yaml loading functionality ...) NOT-FOR-US: Ansible Vault CVE-2017-2808 (An exploitable use-after-free vulnerability exists in the account pars ...) - ledger 3.1.2+dfsg1-1 (low; bug #876659) [stretch] - ledger (Minor issue) [jessie] - ledger (Minor issue) [wheezy] - ledger (Minor issue) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0304 NOTE: https://github.com/ledger/ledger/issues/1723 NOTE: https://github.com/ledger/ledger/commit/f3bad93db256db07b6cb831d4d24f47543f57e4a CVE-2017-2807 (An exploitable buffer overflow vulnerability exists in the tag parsing ...) - ledger 3.1.2+dfsg1-1 (low; bug #876660) [stretch] - ledger (Minor issue) [jessie] - ledger (Minor issue) [wheezy] - ledger (Minor issue) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0303 NOTE: https://github.com/ledger/ledger/issues/1722 NOTE: https://github.com/ledger/ledger/commit/5682f377aed5b0db6b6c4a44b1d8868103b7e9f7 CVE-2017-2806 (An exploitable arbitrary read exists in the XLS parsing of the Lexmark ...) NOT-FOR-US: Lexmark Perspective Document Filters conversion functionality CVE-2017-2805 (An exploitable stack-based buffer overflow vulnerability exists in the ...) NOT-FOR-US: Foscam C1 Indoor HD Camera CVE-2017-2804 (A remote out of bound write vulnerability exists in the TIFF parsing f ...) NOT-FOR-US: Core PHOTO-PAINT X8 CVE-2017-2803 (A remote out of bound write vulnerability exists in the TIFF parsing f ...) NOT-FOR-US: Core PHOTO-PAINT X8 CVE-2017-2802 (An exploitable dll hijacking vulnerability exists in the poaService.ex ...) NOT-FOR-US: Dell CVE-2017-2801 (A programming error exists in a way Randombit Botan cryptographic libr ...) {DSA-3939-1 DLA-915-1} - botan1.10 1.10.16-1 (bug #860072) NOTE: https://github.com/randombit/botan/commit/c927101675e5f63fc0bdd93c5a4825adc54323b4 (1.10.16) NOTE: Bug introduced in 1.6.0 or earlier, fixed in 2.1.0 and 1.10.16 CVE-2017-2800 (A specially crafted x509 certificate can cause a single out of bounds ...) - wolfssl 3.12.0+dfsg-1 (bug #862154) NOTE: http://www.talosintelligence.com/reports/TALOS-2017-0293/ CVE-2017-2799 (An exploitable heap corruption vulnerability exists in the AddSst func ...) NOT-FOR-US: Antenna House DMC HTMLFilter CVE-2017-2798 (An exploitable heap corruption vulnerability exists in the GetIndexArr ...) NOT-FOR-US: Antenna House DMC HTMLFilter CVE-2017-2797 (An exploitable heap overflow vulnerability exists in the ParseEnvironm ...) NOT-FOR-US: Antenna House CVE-2017-2796 RESERVED CVE-2017-2795 (An exploitable heap corruption vulnerability exists in the Txo functio ...) NOT-FOR-US: Antenna House CVE-2017-2794 (An exploitable stack-based buffer overflow vulnerability exists in the ...) NOT-FOR-US: Antenna House CVE-2017-2793 (An exploitable heap corruption vulnerability exists in the UnCompressU ...) NOT-FOR-US: Antenna House CVE-2017-2792 (An exploitable heap corruption vulnerability exists in the iBldDirInfo ...) NOT-FOR-US: Antenna House CVE-2017-2791 (JustSystems Ichitaro 2016 Trial contains a vulnerability that exists w ...) NOT-FOR-US: JustSystems Ichitaro 2016 Trial CVE-2017-2790 (When processing a record type of 0x3c from a Workbook stream from an E ...) NOT-FOR-US: JustSystems Ichitaro Office CVE-2017-2789 (When copying filedata into a buffer, JustSystems Ichitaro Office 2016 ...) NOT-FOR-US: JustSystems Ichitaro Office 2016 Trial CVE-2017-2788 (A buffer overflows exists in the psnotifyd application of the Pharos P ...) NOT-FOR-US: Pharos PopUp Printer Client CVE-2017-2787 (A buffer overflows exists in the psnotifyd application of the Pharos P ...) NOT-FOR-US: Pharos PopUp Printer Client CVE-2017-2786 (A denial of service vulnerability exists in the psnotifyd application ...) NOT-FOR-US: Pharos PopUp Printer Client CVE-2017-2785 (An exploitable buffer overflow exists in the psnotifyd application of ...) NOT-FOR-US: Pharos PopUp Printer Client CVE-2017-2784 (An exploitable free of a stack pointer vulnerability exists in the x50 ...) - mbedtls 2.4.2-1 (bug #857560) - polarssl (bug #857561) [jessie] - polarssl 1.3.9-2.1+deb8u2 [wheezy] - polarssl (Vulnerable code not present) NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-01 NOTE: Wheezy do not have any elliptic curve functionality. Jessie is affected however. CVE-2017-2783 (An exploitable heap corruption vulnerability exists in the FillRowForm ...) NOT-FOR-US: AntennaHouse CVE-2017-2782 (An integer overflow vulnerability exists in the X509 certificate parsi ...) - matrixssl [wheezy] - matrixssl (not supported in Wheezy) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2017-0278 CVE-2017-2781 (An exploitable heap buffer overflow vulnerability exists in the X509 c ...) - matrixssl [wheezy] - matrixssl (not supported in Wheezy) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2017-0277 CVE-2017-2780 (An exploitable heap buffer overflow vulnerability exists in the X509 c ...) - matrixssl [wheezy] - matrixssl (not supported in Wheezy) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2017-0276 CVE-2017-2779 (An exploitable memory corruption vulnerability exists in the RSRC segm ...) NOT-FOR-US: Labview CVE-2017-2778 REJECTED CVE-2017-2777 (An exploitable heap overflow vulnerability exists in the ipStringCreat ...) NOT-FOR-US: Iceni Argus CVE-2017-2776 REJECTED CVE-2017-2775 (An exploitable memory corruption vulnerability exists in the LvVariant ...) NOT-FOR-US: Labview CVE-2017-2774 REJECTED CVE-2017-2773 (An issue was discovered in Pivotal PCF Elastic Runtime 1.6.x versions ...) NOT-FOR-US: Pivotal PCF Elastic Runtime CVE-2017-2772 REJECTED CVE-2017-2771 REJECTED CVE-2017-2770 REJECTED CVE-2017-2769 REJECTED CVE-2017-2768 (EMC Network Configuration Manager (NCM) 9.3.x, EMC Network Configurati ...) NOT-FOR-US: EMC Network Configuration Manager CVE-2017-2767 (EMC Network Configuration Manager (NCM) 9.3.x, EMC Network Configurati ...) NOT-FOR-US: EMC Network Configuration Manager CVE-2017-2766 (EMC Documentum eRoom version 7.4.4, EMC Documentum eRoom version 7.4.4 ...) NOT-FOR-US: EMC Documentum eRoom CVE-2017-2765 (EMC Isilon InsightIQ 4.1.0, 4.0.1, 4.0.0, 3.2.2, 3.2.1, 3.2.0, 3.1.1, ...) NOT-FOR-US: EMC Isilon InsightIQ CVE-2017-2764 RESERVED CVE-2017-2763 RESERVED CVE-2017-2762 RESERVED CVE-2017-2761 RESERVED CVE-2017-2760 RESERVED CVE-2017-2759 RESERVED CVE-2017-2758 RESERVED CVE-2017-2757 RESERVED CVE-2017-2756 RESERVED CVE-2017-2755 RESERVED CVE-2017-2754 RESERVED CVE-2017-2753 RESERVED CVE-2017-2752 (A potential security vulnerability caused by incomplete obfuscation of ...) NOT-FOR-US: Tommy Hilfiger TH24/7 Android app CVE-2017-2751 (A BIOS password extraction vulnerability has been reported on certain ...) NOT-FOR-US: firmware on HP notebooks CVE-2017-2750 (Insufficient Solution DLL Signature Validation allows potential execut ...) NOT-FOR-US: HP printers CVE-2017-2749 RESERVED CVE-2017-2748 (A potential security vulnerability caused by the use of insecure (http ...) NOT-FOR-US: Isaac Mizrahi Smartwatch mobile app CVE-2017-2747 (HP has identified a potential security vulnerability before IG_11_00_0 ...) NOT-FOR-US: HP printers CVE-2017-2746 (Potential security vulnerabilities have been identified with HP JetAdv ...) NOT-FOR-US: HP JetAdvantage Security Manager CVE-2017-2745 (Potential security vulnerabilities have been identified with HP JetAdv ...) NOT-FOR-US: HP JetAdvantage Security Manager CVE-2017-2744 (The vulnerability allows attacker to extract binaries into protected f ...) NOT-FOR-US: HP Support Assistant CVE-2017-2743 (HP has identified a potential security vulnerability with HP Enterpris ...) NOT-FOR-US: HP printers CVE-2017-2742 (A potential security vulnerability has been identified with HP Web Jet ...) NOT-FOR-US: HP Web JetAdmin CVE-2017-2741 (A potential security vulnerability has been identified with HP PageWid ...) NOT-FOR-US: HP printers CVE-2017-2740 (A potential security vulnerability has been identified with the comman ...) NOT-FOR-US: HP ThinPro CVE-2017-2739 (The upgrade package of Huawei Vmall APP Earlier than HwVmall 1.5.3.0 v ...) NOT-FOR-US: Huawei CVE-2017-2738 (VCM5010 with software versions earlier before V100R002C50SPC100 has an ...) NOT-FOR-US: Huawei CVE-2017-2737 (VCM5010 with software versions earlier before V100R002C50SPC100 has an ...) NOT-FOR-US: Huawei CVE-2017-2736 (VCM5010 with software versions earlier before V100R002C50SPC100 has a ...) NOT-FOR-US: Huawei CVE-2017-2735 (TIT-AL00 smartphones with software versions earlier before TIT-AL00C58 ...) NOT-FOR-US: Huawei CVE-2017-2734 (P9 Plus smartphones with software versions earlier before VIE-AL10BC00 ...) NOT-FOR-US: Huawei CVE-2017-2733 (Honor 6X smartphones with software versions earlier than BLN-AL10C00B3 ...) NOT-FOR-US: Huawei CVE-2017-2732 (Huawei Hilink APP Versions earlier before 5.0.25.306 has an informatio ...) NOT-FOR-US: Huawei CVE-2017-2731 (The vibrator service in P9 Plus smart phones with software versions ea ...) NOT-FOR-US: Huawei CVE-2017-2730 (HUAWEI HiLink APP (for IOS) versions earlier before 5.0.25.306 and HUA ...) NOT-FOR-US: Huawei CVE-2017-2729 (The boot loaders in Honor 5A smart phones with software Versions earli ...) NOT-FOR-US: Huawei CVE-2017-2728 (Some Huawei mobile phones Honor 6X Berlin-L22C636B150 and earlier vers ...) NOT-FOR-US: Huawei CVE-2017-2727 (Huawei P9 smart phones with software versions earlier before EVA-AL00C ...) NOT-FOR-US: Huawei CVE-2017-2726 (Bastet in P10 Plus and P10 smart phones with software earlier than VKY ...) NOT-FOR-US: Huawei CVE-2017-2725 (Bastet in P10 Plus and P10 smart phones with software earlier than VKY ...) NOT-FOR-US: Huawei CVE-2017-2724 (Bastet in P10 Plus and P10 smart phones with software earlier than VKY ...) NOT-FOR-US: Huawei CVE-2017-2723 (The Files APP 7.1.1.308 and earlier versions in some Huawei mobile pho ...) NOT-FOR-US: Huawei CVE-2017-2722 (DP300 V500R002C00,TE60 with software V100R001C01, V100R001C10, V100R00 ...) NOT-FOR-US: Huawei CVE-2017-2721 (Some Huawei smart phones with software Berlin-L21C10B130,Berlin-L21C18 ...) NOT-FOR-US: Huawei CVE-2017-2720 (FusionSphere OpenStack V100R006C00 has an information exposure vulnera ...) NOT-FOR-US: Huawei CVE-2017-2719 (FusionSphere OpenStack with software V100R006C00 and V100R006C10RC2 ha ...) NOT-FOR-US: Huawei CVE-2017-2718 (FusionSphere OpenStack with software V100R006C00 and V100R006C10RC2 ha ...) NOT-FOR-US: Huawei CVE-2017-2717 (honor 8 Pro with software Duke-L09C10B120 and earlier versions,Duke-L0 ...) NOT-FOR-US: Huawei CVE-2017-2716 (The camerafs driver in Mate 9 Versions earlier than MHA-AL00BC00B173 h ...) NOT-FOR-US: Huawei CVE-2017-2715 (The Files APP 7.1.1.309 and earlier versions in some Huawei mobile pho ...) NOT-FOR-US: Huawei CVE-2017-2714 (The GaussDB in FusionSphere OpenStack V100R005C10SPC705 and earlier ve ...) NOT-FOR-US: Huawei CVE-2017-2713 (HUAWEI P9 smartphones with software versions earlier before EVA-L09C43 ...) NOT-FOR-US: Huawei CVE-2017-2712 (S3300 V100R006C05 have an Ethernet in the First Mile (EFM) flapping vu ...) NOT-FOR-US: Huawei CVE-2017-2711 (P9 Plus smartphones with software earlier than VIE-AL10C00B352 version ...) NOT-FOR-US: Huawei CVE-2017-2710 (BTV-W09C229B002CUSTC229D005,BTV-W09C233B029, earlier than BTV-W09C100B ...) NOT-FOR-US: Huawei CVE-2017-2709 (HiGame with software earlier than 7.3.0 versions, SkyTone with softwar ...) NOT-FOR-US: Huawei CVE-2017-2708 (The 'Find Phone' function in Nice smartphones with software versions e ...) NOT-FOR-US: Huawei CVE-2017-2707 (Mate 9 smartphones with software MHA-AL00AC00B125 have a privilege esc ...) NOT-FOR-US: Huawei CVE-2017-2706 (Mate 9 smartphones with software MHA-AL00AC00B125 have a directory tra ...) NOT-FOR-US: Huawei CVE-2017-2705 (Huawei P9 smartphones with software versions earlier before EVA-AL10C0 ...) NOT-FOR-US: Huawei CVE-2017-2704 (Smarthome 1.0.2.364 and earlier versions,HiAPP 7.3.0.303 and earlier v ...) NOT-FOR-US: Huawei CVE-2017-2703 (Phone Finder in versions earlier before MHA-AL00BC00B156,Versions earl ...) NOT-FOR-US: Huawei CVE-2017-2702 (Phone Finder in versions earlier before MHA-AL00C00B170 can be bypass. ...) NOT-FOR-US: Huawei CVE-2017-2701 (Mate 9 with software MHA-AL00AC00B125 has a denial of service (DoS) vu ...) NOT-FOR-US: Huawei CVE-2017-2700 (AC6005 with software V200R006C10, AC6605 with software V200R006C10 hav ...) NOT-FOR-US: Huawei CVE-2017-2699 (The Huawei Themes APP in versions earlier than PLK-UL00C17B385, versio ...) NOT-FOR-US: Huawei CVE-2017-2698 (The ddr_devfreq driver in versions earlier than GRA-UL00C00B197 has bu ...) NOT-FOR-US: Huawei CVE-2017-2697 (The goldeneye driver in NMO-L31C432B120 and earlier versions,NEM-L21C4 ...) NOT-FOR-US: Huawei CVE-2017-2696 (The emerg_data driver in CAM-L21C10B130 and earlier versions, CAM-L21C ...) NOT-FOR-US: Huawei CVE-2017-2695 (TIT-AL00C583B211 has a directory traversal vulnerability which allows ...) NOT-FOR-US: Huawei CVE-2017-2694 (The AlarmService component in HwVmall with software earlier than 1.5.2 ...) NOT-FOR-US: Huawei CVE-2017-2693 (ALE-L02C635B140 and earlier versions,ALE-L02C636B140 and earlier versi ...) NOT-FOR-US: Huawei CVE-2017-2692 (The Keyguard application in ALE-L02C635B140 and earlier versions,ALE-L ...) NOT-FOR-US: Huawei CVE-2017-2691 (Huawei P9 versions earlier before EVA-AL10C00B373, versions earlier be ...) NOT-FOR-US: Huawei CVE-2017-2690 (SoftCo with software V200R003C20,eSpace U1910 with software V200R003C0 ...) NOT-FOR-US: Huawei CVE-2017-2689 (Siemens RUGGEDCOM ROX I (all versions) allow an authenticated user to ...) NOT-FOR-US: Siemens CVE-2017-2688 (The integrated web server in Siemens RUGGEDCOM ROX I (all versions) at ...) NOT-FOR-US: Siemens CVE-2017-2687 (Siemens RUGGEDCOM ROX I (all versions) contain a vulnerability in the ...) NOT-FOR-US: Siemens CVE-2017-2686 (Siemens RUGGEDCOM ROX I (all versions) contain a vulnerability that co ...) NOT-FOR-US: Siemens CVE-2017-2685 (Siemens SINUMERIK Integrate Operate Clients between 2.0.3.00.016 (incl ...) NOT-FOR-US: Siemens CVE-2017-2684 (Siemens SIMATIC Logon prior to V1.5 SP3 Update 2 could allow an attack ...) NOT-FOR-US: Siemens CVE-2017-2683 (A non-privileged user of the Siemens web application RUGGEDCOM NMS < ...) NOT-FOR-US: Siemens CVE-2017-2682 (The Siemens web application RUGGEDCOM NMS < V1.2 on port 8080/TCP a ...) NOT-FOR-US: Siemens CVE-2017-2681 (A vulnerability has been identified in SIMATIC CP 343-1 Std (All versi ...) NOT-FOR-US: Siemens CVE-2017-2680 (SIEMENS SIMATIC CP 343-1 Std, CP 343-1 Lean (All versions), SIMATIC CP ...) NOT-FOR-US: Siemens CVE-2017-2679 REJECTED CVE-2017-2678 REJECTED CVE-2017-2677 REJECTED CVE-2017-2676 REJECTED CVE-2017-2675 (Little Snitch version 3.0 through 3.7.3 suffer from a local privilege ...) NOT-FOR-US: Little Snitch CVE-2017-2674 (JBoss BRMS 6 and BPM Suite 6 before 6.4.3 are vulnerable to a stored X ...) NOT-FOR-US: Red Hat business central CVE-2017-2673 (An authorization-check flaw was discovered in federation configuration ...) - keystone 2:10.0.0-9 (bug #861189) [jessie] - keystone (Vulnerable code not present) [wheezy] - keystone (Vulnerable code not present) NOTE: https://bugs.launchpad.net/keystone/+bug/1677723 CVE-2017-2672 (A flaw was found in foreman before version 1.15 in the logging of addi ...) - foreman (bug #663101) CVE-2017-2671 (The ping_unhash function in net/ipv4/ping.c in the Linux kernel throug ...) {DLA-922-1} - linux 4.9.25-1 [jessie] - linux 3.16.43-1 NOTE: http://www.openwall.com/lists/oss-security/2017/03/24/6 NOTE: Fixed by: https://git.kernel.org/linus/43a6684519ab0a6c52024b5e25322476cabad893 CVE-2017-2670 (It was found in Undertow before 1.3.28 that with non-clean TCP close, ...) {DSA-3906-1} - undertow 1.4.18-1 (bug #864405) NOTE: Fixed by https://github.com/undertow-io/undertow/commit/9bfe9fbbb595d51157b61693f072895f7dbadd1d NOTE: https://issues.jboss.org/browse/UNDERTOW-1035 CVE-2017-2669 (Dovecot before version 2.2.29 is vulnerable to a denial of service. Wh ...) - dovecot 1:2.2.27-3 (bug #860049) [jessie] - dovecot (Vulnerable code not present) [wheezy] - dovecot (Vulnerable code not present) NOTE: Fixed by: https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735 NOTE: Introduced by: https://github.com/dovecot/core/commit/a3783f8a3c9cd816b51e77a922f82301512fcf22 CVE-2017-2668 (389-ds-base before versions 1.3.5.17 and 1.3.6.10 is vulnerable to an ...) - 389-ds-base 1.3.5.17-1 (bug #860125) [jessie] - 389-ds-base (Vulnerable code not present) NOTE: CentOS fix: https://git.centos.org/raw/rpms!389-ds-base!/c9e5dad69e2b497f118efac56f43cc6c74b6a695/SOURCES!0072-fix-for-cve-2017-2668-simple-return-text-if-suffix-n.patch NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1436575 CVE-2017-2667 (Hammer CLI, a CLI utility for Foreman, before version 0.10.0, did not ...) - foreman (bug #663101) CVE-2017-2666 (It was discovered in Undertow that the code that parsed the HTTP reque ...) {DSA-3906-1} - undertow 1.4.18-1 (bug #864405) NOTE: https://issues.jboss.org/browse/UNDERTOW-1101 NOTE: Fixed by https://github.com/undertow-io/undertow/commit/1e72647818c9fb31b693a953b1ae595a6c82eb7f CVE-2017-2665 (The skyring-setup command creates random password for mongodb skyring ...) NOT-FOR-US: Red Hat Storage / skyring CVE-2017-2664 (CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8. ...) NOT-FOR-US: Red Hat CloudForms CVE-2017-2663 (It was found that subscription-manager's DBus interface before 1.19.4 ...) NOT-FOR-US: candlepin / subscription-manager CVE-2017-2662 (A flaw was found in Foreman's katello plugin version 3.4.5. After sett ...) - foreman (bug #663101) CVE-2017-2661 (ClusterLabs pcs before version 0.9.157 is vulnerable to a cross-site s ...) - pcs 0.9.155+dfsg-2 (bug #858379) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1428948 NOTE: https://github.com/ClusterLabs/pcs/commit/1874a769b5720ae5430f10c6cedd234430bc703f NOTE: http://www.openwall.com/lists/oss-security/2017/03/23/2 CVE-2017-2660 REJECTED CVE-2017-2659 (It was found that dropbear before version 2013.59 with GSSAPI leaks wh ...) - dropbear 2013.60-1 NOTE: https://secure.ucc.asn.au/hg/dropbear/rev/d7784616409a#l1.86 CVE-2017-2658 (It was discovered that the Dashbuilder login page as used in Red Hat J ...) NOT-FOR-US: JBoss BPMS CVE-2017-2657 RESERVED CVE-2017-2656 REJECTED CVE-2017-2655 REJECTED CVE-2017-2654 (jenkins-email-ext before version 2.57.1 is vulnerable to an Informatio ...) NOT-FOR-US: jenkins-email-ext CVE-2017-2653 (A number of unused delete routes are present in CloudForms before 5.7. ...) NOT-FOR-US: Red Hat CloudForms CVE-2017-2652 (It was found that there were no permission checks performed in the Dis ...) NOT-FOR-US: Jenkins plugin CVE-2017-2651 (jenkins-mailer-plugin before version 1.20 is vulnerable to an informat ...) NOT-FOR-US: jenkins-mailer-plugin CVE-2017-2650 (It was found that the use of Pipeline: Classpath Step Jenkins plugin e ...) NOT-FOR-US: Jenkins plugin CVE-2017-2649 (It was found that the Active Directory Plugin for Jenkins up to and in ...) NOT-FOR-US: Jenkins plugin CVE-2017-2648 (It was found that jenkins-ssh-slaves-plugin before version 1.15 did no ...) NOT-FOR-US: jenkins-ssh-slaves-plugin CVE-2017-2647 (The KEYS subsystem in the Linux kernel before 3.18 allows local users ...) {DLA-922-1} - linux 4.0.2-1 [jessie] - linux 3.16.43-1 NOTE: Fixed by: https://git.kernel.org/linus/c06cfb08b88dfbe13be44a69ae2fdc3a7c902d81 (v3.18-rc1) CVE-2017-2646 (It was found that when Keycloak before 2.5.5 receives a Logout request ...) NOT-FOR-US: Keycloak CVE-2017-2645 (In Moodle 3.x, XSS can occur via attachments to evidence of prior lear ...) - moodle (Only affects 3.2 to 3.2.1 and 3.1 to 3.1.4) NOTE: https://tracker.moodle.org/browse/MDL-57597 NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-57597 CVE-2017-2644 (In Moodle 3.x, XSS can occur via evidence of prior learning. ...) - moodle (Only affects 3.2 to 3.2.1 and 3.1 to 3.1.4) NOTE: https://tracker.moodle.org/browse/MDL-57596 NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-57596 CVE-2017-2643 (In Moodle 3.2.x, global search displays user names for unauthenticated ...) - moodle (Only affects 3.2 to 3.2.1) NOTE: https://tracker.moodle.org/browse/MDL-56526 NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56526 CVE-2017-2642 (Moodle 3.x has user fullname disclosure on the user preferences page. ...) - moodle NOTE: https://moodle.org/mod/forum/discuss.php?d=355554 CVE-2017-2641 (In Moodle 2.x and 3.x, SQL injection can occur via user preferences. ...) - moodle 2.7.19+dfsg-1 NOTE: https://tracker.moodle.org/browse/MDL-58010 NOTE: https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58010 CVE-2017-2640 (An out-of-bounds write flaw was found in the way Pidgin before 2.12.0 ...) {DSA-3806-1 DLA-853-1} - pidgin 2.12.0-1 (bug #859159) NOTE: https://www.pidgin.im/news/security/?id=109 NOTE: https://bitbucket.org/pidgin/main/commits/b2fc9e774cb9 CVE-2017-2639 (It was found that CloudForms does not verify that the server hostname ...) NOT-FOR-US: Red Hat CloudForms Management Engine CVE-2017-2638 (It was found that the REST API in Infinispan before version 9.0.0 did ...) NOT-FOR-US: infinispan CVE-2017-2637 (A design flaw issue was found in the Red Hat OpenStack Platform direct ...) NOT-FOR-US: Red Hat OpenStack Platform director CVE-2017-2636 (Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.1 ...) {DSA-3804-1 DLA-849-1} - linux 4.9.16-1 NOTE: http://www.openwall.com/lists/oss-security/2017/03/07/6 NOTE: Fixed by: https://git.kernel.org/linus/82f2341c94d270421f383641b7cd670e474db56b (v4.11-rc2) NOTE: https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html CVE-2017-2635 (A NULL pointer deference flaw was found in the way libvirt from 2.5.0 ...) - libvirt 3.0.0-3 (bug #856313) [jessie] - libvirt (Vulnerable code introduced later) [wheezy] - libvirt (Vulnerable code introduced later) NOTE: Introduced by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=c5f6151390ff0a8e65014172bb8c0a8d312c3353 (v3.0.0-rc1) NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=c3de387380f6057ee0e46cd9f2f0a092e8070875 (v3.1.0-rc1) CVE-2017-2634 (It was found that the Linux kernel's Datagram Congestion Control Proto ...) - linux (Fixed before initial rename to src:linux) NOTE: Fixed by: https://git.kernel.org/linus/f53dc67c5e7babafe239b93a11678b0e05bead51 (2.6.25-rc1) CVE-2017-2633 (An out-of-bounds memory access issue was found in Quick Emulator (QEMU ...) - qemu 2.1+dfsg-1 [wheezy] - qemu (Can be fixed along when more severe issues are being fixed) - qemu-kvm [wheezy] - qemu-kvm (Can be fixed along when more severe issues are being fixed) NOTE: Upstream patch: http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=bea60dd7679364493a0d7f5b54316c767cf894ef NOTE: Upstream patch: http://git.qemu-project.org/?p=qemu.git;a=commit;h=9f64916da20eea67121d544698676295bbb105a7 CVE-2017-2632 (A logic error in valid_role() in CloudForms role validation before 5.7 ...) NOT-FOR-US: Red Hat CloudForms Management Engine CVE-2017-2631 RESERVED CVE-2017-2630 (A stack buffer overflow flaw was found in the Quick Emulator (QEMU) be ...) - qemu 1:2.8+dfsg-3 (bug #855227) [jessie] - qemu (Vulnerable code introduced in v2.8.0-rc0) [wheezy] - qemu (Vulnerable code introduced in v2.8.0-rc0) - qemu-kvm (Vulnerable code introduced later) NOTE: Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg01246.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1422415 CVE-2017-2629 (curl before 7.53.0 has an incorrect TLS Certificate Status Request ext ...) - curl 7.52.1-3 [jessie] - curl (Vulnerable code introduced later) [wheezy] - curl (Vulnerable code introduced later) NOTE: https://github.com/curl/curl/commit/ca6ea6d9be5102a2246dff6e17b3ee9ad4ec64d0 NOTE: Patch: https://curl.haxx.se/CVE-2017-2629.patch NOTE: https://curl.haxx.se/docs/adv_20170222.html CVE-2017-2628 (curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-5 ...) - curl (Red Hat specific backport issue) CVE-2017-2627 (A flaw was found in openstack-tripleo-common as shipped with Red Hat O ...) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1421917 NOT-FOR-US: RHEL packaging flaw for openstack CVE-2017-2626 (It was discovered that libICE before 1.0.9-8 used a weak entropy to ge ...) {DLA-2002-1} - libice 2:1.0.9-2 (bug #856400) [wheezy] - libice (Minor issue, can be fixed in a point update or next DSA) NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/ CVE-2017-2625 (It was discovered that libXdmcp before 1.1.2 including used weak entro ...) {DLA-2006-1} - libxdmcp 1:1.1.2-2 (bug #856399) [wheezy] - libxdmcp (Minor issue, can be fixed in a point update or next DSA) NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/ CVE-2017-2624 (It was found that xorg-x11-server before 1.19.0 including uses memcmp( ...) {DLA-1186-1} - xorg-server 2:1.19.2-1 (low; bug #856398) [jessie] - xorg-server 2:1.16.4-1+deb8u2 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/ CVE-2017-2623 (It was discovered that rpm-ostree and rpm-ostree-client before 2017.3 ...) NOT-FOR-US: Red Hat rpm-ostree CVE-2017-2622 (An accessibility flaw was found in the OpenStack Workflow (mistral) se ...) - mistral (Red Hat-specific) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1420992 NOTE: tracing the installation shows that mkdir -p /var/log/mistral NOTE: is executed, which depending on the umask might end in wrong NOTE: permissions. But for Debian the final permissions seem to end NOTE: to 0750, despite, owned by mistral:adm. Thus might need more NOTE: investigation to determine the affected status. CVE-2017-2621 (An access-control flaw was found in the OpenStack Orchestration (heat) ...) - heat (heat-common postinst chmod's 0750 /var/log/heat) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1420990 CVE-2017-2620 (Quick emulator (QEMU) before 2.8 built with the Cirrus CLGD 54xx VGA E ...) {DLA-1497-1 DLA-1270-1 DLA-845-1 DLA-842-1} - qemu 1:2.8+dfsg-3 (bug #855791) - qemu-kvm - xen 4.4.0-1 NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: https://xenbits.xen.org/xsa/advisory-209.html NOTE: Qemu upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg04700.html CVE-2017-2619 (Samba before versions 4.6.1, 4.5.7 and 4.4.11 are vulnerable to a mali ...) {DSA-3816-1 DLA-894-1} - samba 2:4.5.6+dfsg-2 NOTE: https://www.samba.org/samba/security/CVE-2017-2619.html CVE-2017-2618 (A flaw was found in the Linux kernel's handling of clearing SELinux at ...) {DSA-3791-1} - linux 4.9.10-1 [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://github.com/torvalds/linux/commit/0c461cb727d146c9ef2d3e86214f498b78b7d125 CVE-2017-2617 (hawtio before version 1.5.5 is vulnerable to remote code execution via ...) NOT-FOR-US: hawtio CVE-2017-2616 (A race condition was found in util-linux before 2.32.1 in the way su h ...) {DSA-3793-1 DLA-838-1} - shadow 1:4.4-4 (bug #855943) NOTE: https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686 - util-linux 2.29.2-1 (unimportant) NOTE: https://github.com/karelzak/util-linux/commit/dffab154d29a288aa171ff50263ecc8f2e14a891 - coreutils 8.20-1 (unimportant) NOTE: Coreutils: Removed from source in https://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=928dd737 NOTE: and not installed by default since 2007. CVE-2017-2615 (Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator sup ...) {DLA-1497-1 DLA-845-1 DLA-842-1} - qemu 1:2.8+dfsg-3 (low; bug #854731) NOTE: Introduced with: http://git.qemu.org/?p=qemu.git;a=commit;h=d3532a0db02296e687711b8cdc7791924efccea0 (which was the fix for CVE-2014-8106) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=62d4c6bd5263bb8413a06c80144fc678df6dfb64 CVE-2017-2614 (When updating a password in the rhvm database the ovirt-aaa-jdbc-tool ...) NOT-FOR-US: Red Hat ovirt-aaa-jdbc-tool tools CVE-2017-2613 (jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2612 (In Jenkins before versions 2.44, 2.32.2 low privilege users were able ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2611 (Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2610 (jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cros ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2609 (jenkins before versions 2.44, 2.32.2 is vulnerable to an information d ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2608 (Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code ex ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2607 (jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cros ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2606 (Jenkins before versions 2.44, 2.32.2 is vulnerable to an information e ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2605 REJECTED CVE-2017-2604 (In Jenkins before versions 2.44, 2.32.2 low privilege users were able ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2603 (Jenkins before versions 2.44, 2.32.2 is vulnerable to a user data leak ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2602 (jenkins before versions 2.44, 2.32.2 is vulnerable to an improper blac ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2601 (Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cros ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2600 (In jenkins before versions 2.44, 2.32.2 node monitor data could be vie ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2599 (Jenkins before versions 2.44 and 2.32.2 is vulnerable to an insufficie ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2598 (Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode wi ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2597 RESERVED CVE-2017-2596 (The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux ...) {DSA-3791-1} - linux 4.9.13-1 [wheezy] - linux (Vulnerable code not present) NOTE: https://www.spinics.net/lists/kvm/msg144319.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1417812 CVE-2017-2595 (It was found that the log file viewer in Red Hat JBoss Enterprise Appl ...) - wildfly (bug #752018) CVE-2017-2594 (hawtio before versions 2.0-beta-1, 2.0-beta-2 2.0-m1, 2.0-m2, 2.0-m3, ...) NOT-FOR-US: hawtio CVE-2017-2593 RESERVED CVE-2017-2592 (python-oslo-middleware before versions 3.8.1, 3.19.1, 3.23.1 is vulner ...) - python-oslo.middleware 3.19.0-3 (bug #852742) NOTE: https://launchpad.net/bugs/1628031 CVE-2017-2591 (389-ds-base before version 1.3.6 is vulnerable to an improperly NULL t ...) - 389-ds-base 1.3.5.15-2 (bug #851769) [jessie] - 389-ds-base (Only affects 1.3.4.0 and later) NOTE: https://fedorahosted.org/389/changeset/ffda694dd622b31277da07be76d3469fad86150f/ CVE-2017-2590 (A vulnerability was found in ipa before 4.4. IdM's ca-del, ca-disable, ...) - freeipa (ca plugin introduced in 4.4) NOTE: https://pagure.io/freeipa/issue/6713 NOTE: Fixed by (master): https://pagure.io/freeipa/c/b81ac59640f0b76fa9f53cf8be441f085a7089c4?branch=master NOTE: Fixed by (ipa-4.4): https://pagure.io/freeipa/c/1aa314c79648c442473f19344387bfe11ec2141b?branch=ipa-4-4 CVE-2017-2589 (It was discovered that the hawtio servlet 1.4 uses a single HttpClient ...) NOT-FOR-US: hawtio CVE-2017-2588 RESERVED CVE-2017-2587 (A memory allocation vulnerability was found in netpbm before 10.61. A ...) - netpbm-free (vulnerable code not present) NOTE: Debian uses an old fork of netpbm NOTE: Fixed by http://pkgs.fedoraproject.org/cgit/rpms/netpbm.git/commit/?id=c16a8b893ed77fc3f6f2b382d0d47d03621ed328 CVE-2017-2586 (A null pointer dereference vulnerability was found in netpbm before 10 ...) - netpbm-free (vulnerable code not present) NOTE: Debian uses an old fork of netpbm NOTE: Fixed by http://pkgs.fedoraproject.org/cgit/rpms/netpbm.git/commit/?id=c16a8b893ed77fc3f6f2b382d0d47d03621ed328 CVE-2017-2585 (Red Hat Keycloak before version 2.5.1 has an implementation of HMAC ve ...) NOT-FOR-US: Keycloak CVE-2017-2584 (arch/x86/kvm/emulate.c in the Linux kernel through 4.9.3 allows local ...) {DSA-3791-1} - linux 4.9.6-1 [wheezy] - linux (Vulnerable code introduced in 3.6-rc1) NOTE: Upstream patch: https://www.spinics.net/lists/kvm/msg143571.html NOTE: Fixed by: https://git.kernel.org/linus/129a72a0d3c8e139a04512325384fe5ac119e74d CVE-2017-2583 (The load_segment_descriptor implementation in arch/x86/kvm/emulate.c i ...) {DSA-3791-1} - linux 4.9.6-1 [wheezy] - linux (Vulnerable code introduced in 3.6-rc1) NOTE: Fixed by: https://git.kernel.org/linus/33ab91103b3415e12457e3104f0e4517ce12d0f3 CVE-2017-2582 (It was found that while parsing the SAML messages the StaxParserUtil c ...) NOT-FOR-US: Keycloak CVE-2017-2581 (An out-of-bounds write vulnerability was found in netpbm before 10.61. ...) - netpbm-free (bug #854978) NOTE: Debian uses an old fork of netpbm NOTE: http://www.openwall.com/lists/oss-security/2017/02/05/7 NOTE: PoC+report attached to #854978 NOTE: Similar code path seems protected by earlier stricter size checks ("object too large") CVE-2017-2580 (An out-of-bounds write vulnerability was found in netpbm before 10.61. ...) - netpbm-free (bug #854978) [jessie] - netpbm-free (pnm/giftopnm.c and bpm/libpm.c rewritten, PoC triggers clean check "Zero byte allocation" missing in later versions) NOTE: Debian uses an old fork of netpbm NOTE: http://www.openwall.com/lists/oss-security/2017/02/05/7 NOTE: PoC+report attached to #854978 CVE-2017-2579 (An out-of-bounds read vulnerability was found in netpbm before 10.61. ...) - netpbm-free (bug #854978) [jessie] - netpbm-free (pnm/giftopnm.c rewritten, PoC triggers clean application error handling) NOTE: Debian uses an old fork of netpbm NOTE: http://www.openwall.com/lists/oss-security/2017/02/05/7 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1024288 (reproducer) CVE-2017-2577 REJECTED CVE-2017-2575 (A vulnerability was found while fuzzing libbpg 0.9.7. It is a NULL poi ...) NOT-FOR-US: libbpg CVE-2017-2574 RESERVED CVE-2017-2573 RESERVED CVE-2017-2572 RESERVED CVE-2017-2571 RESERVED CVE-2017-2570 RESERVED CVE-2017-2569 RESERVED CVE-2017-2568 RESERVED CVE-2017-2567 RESERVED CVE-2017-2566 RESERVED CVE-2017-2565 RESERVED CVE-2017-2564 RESERVED CVE-2017-2563 RESERVED CVE-2017-2562 RESERVED CVE-2017-2561 RESERVED CVE-2017-2560 RESERVED CVE-2017-2559 RESERVED CVE-2017-2558 RESERVED CVE-2017-2557 RESERVED CVE-2017-2556 RESERVED CVE-2017-2555 RESERVED CVE-2017-2554 RESERVED CVE-2017-2553 RESERVED CVE-2017-2552 RESERVED CVE-2017-2551 (Vulnerability in Wordpress plugin BackWPup before v3.4.2 allows possib ...) NOT-FOR-US: Wordpress plugin BackWPup CVE-2017-2550 (Vulnerability in Easy Joomla Backup v3.2.4. The software creates a cop ...) NOT-FOR-US: Easy Joomla Backup CVE-2017-2549 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2548 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2547 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2546 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2545 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2544 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2543 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2542 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2541 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2540 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2539 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-1 (unimportant) NOTE: Not covered by security support CVE-2017-2538 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.4-1 (unimportant) [stretch] - webkit2gtk 2.16.6-0+deb9u1 NOTE: Not covered by security support CVE-2017-2537 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2536 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2535 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2534 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2533 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2532 RESERVED CVE-2017-2531 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2530 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2529 RESERVED CVE-2017-2528 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2527 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2526 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2525 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2524 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-2523 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-2522 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-2521 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2520 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) {DLA-1633-1} - sqlite3 3.16.2-1 [wheezy] - sqlite3 (Vulnerable code not present) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=384 NOTE: https://clusterfuzz-external.appspot.com/testcase?key=5694101458518016 NOTE: Fixed by: https://www.sqlite.org/src/info/2dc7eeb5b4d2eaf1 CVE-2017-2519 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) {DLA-1633-1} - sqlite3 3.16.0-1 [wheezy] - sqlite3 (Vulnerable code not present) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=288 NOTE: https://clusterfuzz-external.appspot.com/testcase?key=6739028850245632 NOTE: Fixed by: https://www.sqlite.org/src/info/d08b72c38ff6fae6 CVE-2017-2518 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) {DLA-1633-1} - sqlite3 3.15.2-1 [wheezy] - sqlite3 (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=199 NOTE: https://clusterfuzz-external.appspot.com/testcase?key=4603622180519936 NOTE: Fixed by: https://www.sqlite.org/src/info/0a98c8d76ac86412 CVE-2017-2517 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple Safari CVE-2017-2516 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2515 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2514 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2513 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - sqlite3 3.15.2-1 [jessie] - sqlite3 (Vulnerable code not present) [wheezy] - sqlite3 (Vulnerable code not present) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=171 NOTE: https://clusterfuzz-external.appspot.com/testcase?key=5770842466156544 NOTE: Fixed by: https://www.sqlite.org/src/info/c5dbc599b910c02a CVE-2017-2512 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2511 (An issue was discovered in certain Apple products. Safari before 10.1. ...) NOT-FOR-US: Apple Safari CVE-2017-2510 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-1 (unimportant) NOTE: Not covered by security support CVE-2017-2509 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2508 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2507 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-2506 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2505 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2504 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2503 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2502 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-2501 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-2500 (An issue was discovered in certain Apple products. Safari before 10.1. ...) NOT-FOR-US: Apple Safari CVE-2017-2499 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Webkit / if anything of this affects Chromium/webkitgtk, the Chrome sec team will know and fix CVE-2017-2498 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-2497 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-2496 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-1 (unimportant) NOTE: Not covered by security support CVE-2017-2495 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple Safari CVE-2017-2494 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2493 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2492 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2491 (Use after free vulnerability in the String.replace method JavaScriptCo ...) NOT-FOR-US: Apple Safari CVE-2017-2490 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving Kernel component CVE-2017-2489 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple involving Intel Graphics Driver CVE-2017-2488 RESERVED CVE-2017-2487 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving FontParser component CVE-2017-2486 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Webkit / if anything of this affects Chromium/webkitgtk, the Chrome sec team will know and fix CVE-2017-2485 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving Security component CVE-2017-2484 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving Phone component CVE-2017-2483 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving Kernel component CVE-2017-2482 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving Kernel component CVE-2017-2481 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2480 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Webkit / if anything of this affects Chromium/webkitgtk, the Chrome sec team will know and fix CVE-2017-2479 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Webkit / if anything of this affects Chromium/webkitgtk, the Chrome sec team will know and fix CVE-2017-2478 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving Kernel component CVE-2017-2477 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Potentially src:libxslt, but Apple doesn't play by the rules CVE-2017-2476 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2475 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2474 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving Kernel component CVE-2017-2473 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving Kernel component CVE-2017-2472 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving Kernel component CVE-2017-2471 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2470 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2469 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2468 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2467 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving ImageIO component CVE-2017-2466 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2465 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2464 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2463 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Webkit / if anything of this affects Chromium/webkitgtk, the Chrome sec team will know and fix CVE-2017-2462 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2461 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving CoreText component CVE-2017-2460 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2459 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2458 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2457 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2456 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2455 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2454 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2453 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple Safari CVE-2017-2452 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple Siri CVE-2017-2451 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving Security component CVE-2017-2450 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving CoreText component CVE-2017-2449 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple invovling Bluetooth component CVE-2017-2448 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving Keychain component CVE-2017-2447 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2446 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2445 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2444 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving CoreGraphics component CVE-2017-2443 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple involving Intel Graphics Driver CVE-2017-2442 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2441 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple libc++abi component CVE-2017-2440 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving Kernel component CVE-2017-2439 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving FontParser component CVE-2017-2438 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple involving AppleRAID component CVE-2017-2437 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple involving IOFireWireAVC component CVE-2017-2436 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple involving IOFireWireAVC component CVE-2017-2435 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving CoreText component CVE-2017-2434 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving HomeKit component CVE-2017-2433 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2432 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving ImageIO component CVE-2017-2431 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2430 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2429 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2428 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2427 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2426 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2425 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2424 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2423 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2422 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2421 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2420 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2419 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2418 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2417 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2416 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2415 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2414 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2413 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2412 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2411 (In iOS before 11.2, exchange rates were retrieved from HTTP rather tha ...) NOT-FOR-US: Apple CVE-2017-2410 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2409 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2408 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2407 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2406 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2405 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2404 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2403 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2402 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2401 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2400 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2399 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2398 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2397 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2396 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2395 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2394 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2393 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2392 (An issue was discovered in certain Apple products. Safari before 10.1 ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2391 (An issue was discovered in certain Apple products. Pages before 6.1, N ...) NOT-FOR-US: Apple CVE-2017-2390 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple / libarchive NOTE: Possibly Apple-specific, but noone really knows and Apple doesn't cooperate CVE-2017-2389 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2388 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2387 (The Apple Music (aka com.apple.android.music) application before 2.0 f ...) NOT-FOR-US: Apple Music application for Android CVE-2017-2386 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2385 (An issue was discovered in certain Apple products. Safari before 10.1 ...) NOT-FOR-US: Apple CVE-2017-2384 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2383 (An issue was discovered in certain Apple products. iCloud before 6.2 o ...) NOT-FOR-US: Apple CVE-2017-2382 (An issue was discovered in certain Apple products. macOS Server before ...) NOT-FOR-US: Apple CVE-2017-2381 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple, that's likely just a broken sudo config CVE-2017-2380 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2379 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2378 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Webkit / if anything of this affects Chromium/webkitgtk, the Chrome sec team will know and fix CVE-2017-2377 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2376 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2375 RESERVED CVE-2017-2374 (An issue was discovered in certain Apple products. GarageBand before 1 ...) NOT-FOR-US: Apple CVE-2017-2373 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) - webkit2gtk 2.14.4-1 (unimportant) NOTE: Not covered by security support CVE-2017-2372 (An issue was discovered in certain Apple products. GarageBand before 1 ...) NOT-FOR-US: Apple CVE-2017-2371 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) - webkit2gtk 2.14.4-1 (unimportant) NOTE: Not covered by security support CVE-2017-2370 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) NOT-FOR-US: Apple CVE-2017-2369 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) - webkit2gtk 2.14.4-1 (unimportant) NOTE: Not covered by security support CVE-2017-2368 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) NOT-FOR-US: Apple CVE-2017-2367 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkitgtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2366 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) - webkit2gtk 2.14.4-1 (unimportant) NOTE: Not covered by security support CVE-2017-2365 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) - webkit2gtk 2.14.4-1 (unimportant) NOTE: Not covered by security support CVE-2017-2364 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2363 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) - webkit2gtk 2.14.4-1 (unimportant) NOTE: Not covered by security support CVE-2017-2362 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) - webkit2gtk 2.14.4-1 (unimportant) NOTE: Not covered by security support CVE-2017-2361 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2360 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) NOT-FOR-US: Apple CVE-2017-2359 (An issue was discovered in certain Apple products. Safari before 10.0. ...) NOT-FOR-US: Apple CVE-2017-2358 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2357 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2356 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) - webkit2gtk 2.14.4-1 (unimportant) NOTE: Not covered by security support CVE-2017-2355 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) - webkit2gtk 2.14.4-1 (unimportant) NOTE: Not covered by security support CVE-2017-2354 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) - webkit2gtk 2.14.4-1 (unimportant) NOTE: Not covered by security support CVE-2017-2353 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2352 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) NOT-FOR-US: Apple CVE-2017-2351 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) NOT-FOR-US: Apple CVE-2017-2350 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) - webkit2gtk 2.14.4-1 (unimportant) NOTE: Not covered by security support CVE-2017-2349 (A command injection vulnerability in the IDP feature of Juniper Networ ...) NOT-FOR-US: Juniper CVE-2017-2348 (The Juniper Enhanced jdhcpd daemon may experience high CPU utilization ...) NOT-FOR-US: Juniper CVE-2017-2347 (A denial of service vulnerability in rpd daemon of Juniper Networks Ju ...) NOT-FOR-US: Juniper CVE-2017-2346 (An MS-MPC or MS-MIC Service PIC may crash when large fragmented packet ...) NOT-FOR-US: Juniper CVE-2017-2345 (On Junos OS devices with SNMP enabled, a network based attacker with u ...) NOT-FOR-US: Juniper CVE-2017-2344 (A routine within an internal Junos OS sockets library is vulnerable to ...) NOT-FOR-US: Juniper CVE-2017-2343 (The Integrated User Firewall (UserFW) feature was introduced in Junos ...) NOT-FOR-US: Juniper CVE-2017-2342 (MACsec feature on Juniper Networks Junos OS 15.1X49 prior to 15.1X49-D ...) NOT-FOR-US: Juniper CVE-2017-2341 (An insufficient authentication vulnerability on platforms where Junos ...) NOT-FOR-US: Juniper CVE-2017-2340 (On Juniper Networks Junos OS 15.1 releases from 15.1R3 to 15.1R4, 16.1 ...) NOT-FOR-US: Juniper CVE-2017-2339 (A persistent cross site scripting vulnerability in NetScreen WebUI of ...) NOT-FOR-US: Juniper CVE-2017-2338 (A persistent cross site scripting vulnerability in NetScreen WebUI of ...) NOT-FOR-US: Juniper CVE-2017-2337 (A persistent cross site scripting vulnerability in NetScreen WebUI of ...) NOT-FOR-US: Juniper CVE-2017-2336 (A reflected cross site scripting vulnerability in NetScreen WebUI of J ...) NOT-FOR-US: Juniper CVE-2017-2335 (A persistent cross site scripting vulnerability in NetScreen WebUI of ...) NOT-FOR-US: Juniper CVE-2017-2334 (An information leak vulnerability in Juniper Networks NorthStar Contro ...) NOT-FOR-US: Juniper CVE-2017-2333 (A persistent denial of service vulnerability in Juniper Networks North ...) NOT-FOR-US: Juniper CVE-2017-2332 (An insufficient authentication vulnerability in Juniper Networks North ...) NOT-FOR-US: Juniper CVE-2017-2331 (A firewall bypass vulnerability in Juniper Networks NorthStar Controll ...) NOT-FOR-US: Juniper CVE-2017-2330 (A denial of service vulnerability in Juniper Networks NorthStar Contro ...) NOT-FOR-US: Juniper CVE-2017-2329 (An insufficient authentication vulnerability in Juniper Networks North ...) NOT-FOR-US: Juniper CVE-2017-2328 (An information leak vulnerability in Juniper Networks NorthStar Contro ...) NOT-FOR-US: Juniper CVE-2017-2327 (A denial of service vulnerability in Juniper Networks NorthStar Contro ...) NOT-FOR-US: Juniper CVE-2017-2326 (An information disclosure vulnerability in Juniper Networks NorthStar ...) NOT-FOR-US: Juniper CVE-2017-2325 (A buffer overflow vulnerability in Juniper Networks NorthStar Controll ...) NOT-FOR-US: Juniper CVE-2017-2324 (A command injection vulnerability in Juniper Networks NorthStar Contro ...) NOT-FOR-US: Juniper CVE-2017-2323 (A denial of service vulnerability in Juniper Networks NorthStar Contro ...) NOT-FOR-US: Juniper CVE-2017-2322 (A denial of service vulnerability in Juniper Networks NorthStar Contro ...) NOT-FOR-US: Juniper CVE-2017-2321 (A vulnerability in Juniper Networks NorthStar Controller Application p ...) NOT-FOR-US: Juniper CVE-2017-2320 (A vulnerability in Juniper Networks NorthStar Controller Application p ...) NOT-FOR-US: Juniper CVE-2017-2319 (A vulnerability in Juniper Networks NorthStar Controller Application p ...) NOT-FOR-US: Juniper CVE-2017-2318 (A vulnerability in Juniper Networks NorthStar Controller Application p ...) NOT-FOR-US: Juniper CVE-2017-2317 (A denial of service vulnerability in Juniper Networks NorthStar Contro ...) NOT-FOR-US: Juniper CVE-2017-2316 (A buffer overflow vulnerability in Juniper Networks NorthStar Controll ...) NOT-FOR-US: Juniper CVE-2017-2315 (On Juniper Networks EX Series Ethernet Switches running affected Junos ...) NOT-FOR-US: Juniper CVE-2017-2314 (Receipt of a malformed BGP OPEN message may cause the routing protocol ...) NOT-FOR-US: Juniper CVE-2017-2313 (Juniper Networks devices running affected Junos OS versions may be imp ...) NOT-FOR-US: Juniper CVE-2017-2312 (On Juniper Networks devices running Junos OS affected versions and wit ...) NOT-FOR-US: Juniper CVE-2017-2311 (On Juniper Networks Junos Space versions prior to 16.1R1, an unauthent ...) NOT-FOR-US: Juniper CVE-2017-2310 (A firewall bypass vulnerability in the host based firewall of Juniper ...) NOT-FOR-US: Juniper CVE-2017-2309 (On Juniper Networks Junos Space versions prior to 16.1R1 when certific ...) NOT-FOR-US: Juniper CVE-2017-2308 (An XML External Entity Injection vulnerability in Juniper Networks Jun ...) NOT-FOR-US: Juniper CVE-2017-2307 (A reflected cross site scripting vulnerability in the administrative i ...) NOT-FOR-US: Juniper CVE-2017-2306 (On Juniper Networks Junos Space versions prior to 16.1R1, due to an in ...) NOT-FOR-US: Juniper CVE-2017-2305 (On Juniper Networks Junos Space versions prior to 16.1R1, due to an in ...) NOT-FOR-US: Juniper CVE-2017-2304 (Juniper Networks QFX3500, QFX3600, QFX5100, QFX5200, EX4300 and EX4600 ...) NOT-FOR-US: Juniper CVE-2017-2303 (On Juniper Networks products or platforms running Junos OS 12.1X46 pri ...) NOT-FOR-US: Juniper CVE-2017-2302 (On Juniper Networks products or platforms running Junos OS 12.1X46 pri ...) NOT-FOR-US: Juniper CVE-2017-2301 (On Juniper Networks products or platforms running Junos OS 11.4 prior ...) NOT-FOR-US: Juniper CVE-2017-2300 (On Juniper Networks SRX Series Services Gateways chassis clusters runn ...) NOT-FOR-US: Juniper CVE-2017-2299 (Versions of the puppetlabs-apache module prior to 1.11.1 and 2.1.0 mak ...) - puppet-module-puppetlabs-apache 3.0.0-1 (bug #875983) [stretch] - puppet-module-puppetlabs-apache (Minor issue) [jessie] - puppet-module-puppetlabs-apache (Minor issue) NOTE: https://puppet.com/security/cve/CVE-2017-2299 NOTE: https://github.com/puppetlabs/puppetlabs-apache/commit/7bb35c2293c12ce52329a4391fe1f20389efef06 CVE-2017-2298 (The mcollective-sshkey-security plugin before 0.5.1 for Puppet uses a ...) NOT-FOR-US: mcollective-sshkey-security plugin CVE-2017-2297 (Puppet Enterprise versions prior to 2016.4.5 and 2017.2.1 did not corr ...) - puppet (Specific to Puppet Enterprise) CVE-2017-2296 (In Puppet Enterprise 2017.1.x and 2017.2.1, using specially formatted ...) - puppet (Specific to Puppet Enterprise) CVE-2017-2295 (Versions of Puppet prior to 4.10.1 will deserialize data off the wire ...) {DSA-3862-1 DLA-1012-1} - puppet 4.8.2-5 (bug #863212) NOTE: https://puppet.com/security/cve/cve-2017-2295 NOTE: https://github.com/puppetlabs/puppet/commit/06d8c51367ca932b9da5d9b01958cfc0adf0f2ea CVE-2017-2294 (Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 failed to ...) - puppet (Doesn't affect Puppet as shipped in Debian) NOTE: Puppet as shipped in Debian doesn't provide puppetdb yet CVE-2017-2293 (Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 shipped wi ...) - puppet (Specific to Puppet Enterprise) CVE-2017-2292 (Versions of MCollective prior to 2.10.4 deserialized YAML from agents ...) - mcollective 2.12.0+dfsg-1 (bug #866711) [jessie] - mcollective (Minor issue) [wheezy] - mcollective (Minor issue) NOTE: https://puppet.com/security/cve/cve-2017-2292 NOTE: https://github.com/puppetlabs/marionette-collective/commit/e0e741889f5adeb8f75387037106b0d28a9099b0 CVE-2017-2291 RESERVED CVE-2017-2290 (On Windows installations of the mcollective-puppet-agent plugin, versi ...) NOT-FOR-US: mcollective-puppet-agent plugin on Windows CVE-2017-2289 (Untrusted search path vulnerability in Installer of Qua station connec ...) NOT-FOR-US: Installer of Qua station connection tool for Windows CVE-2017-2288 (Untrusted search path vulnerability in LhaForge Ver.1.6.5 and earlier ...) NOT-FOR-US: LhaForge CVE-2017-2287 (Untrusted search path vulnerability in NFC Port Software remover Ver.1 ...) NOT-FOR-US: NFC Port Software remover CVE-2017-2286 (Untrusted search path vulnerability in NFC Port Software Version 5.5.0 ...) NOT-FOR-US: NFC Port Software CVE-2017-2285 (Cross-site scripting vulnerability in Simple Custom CSS and JS prior t ...) NOT-FOR-US: Simple Custom CSS and JS CVE-2017-2284 (Cross-site scripting vulnerability in Popup Maker prior to version 1.6 ...) NOT-FOR-US: Popup Maker CVE-2017-2283 (WN-G300R3 firmware version 1.0.2 and earlier uses hardcoded credential ...) NOT-FOR-US: WN-G300R3 firmware CVE-2017-2282 (Buffer overflow in WN-AX1167GR firmware version 3.00 and earlier allow ...) NOT-FOR-US: WN-AX1167GR firmware CVE-2017-2281 (WN-AX1167GR firmware version 3.00 and earlier allows an attacker to ex ...) NOT-FOR-US: WN-AX1167GR firmware CVE-2017-2280 (WN-AX1167GR firmware version 3.00 and earlier uses hardcoded credentia ...) NOT-FOR-US: WN-AX1167GR firmware CVE-2017-2279 (Untrusted search path vulnerability in Tween Ver1.6.6.0 and earlier al ...) NOT-FOR-US: Tween CVE-2017-2278 (The RBB SPEED TEST App for Android version 2.0.3 and earlier, RBB SPEE ...) NOT-FOR-US: RBB SPEED TEST App CVE-2017-2277 (WG-C10 v3.0.79 and earlier allows an attacker to bypass access restric ...) NOT-FOR-US: WG-C10 CVE-2017-2276 (Buffer overflow in WG-C10 v3.0.79 and earlier allows an attacker to ex ...) NOT-FOR-US: WG-C10 CVE-2017-2275 (WG-C10 v3.0.79 and earlier allows an attacker to execute arbitrary OS ...) NOT-FOR-US: WG-C10 CVE-2017-2274 (Cross-site scripting vulnerability in WMR-433 firmware Ver.1.02 and ea ...) NOT-FOR-US: WMR-433* firmware CVE-2017-2273 (Cross-site request forgery (CSRF) vulnerability in WMR-433 firmware Ve ...) NOT-FOR-US: WMR-433* firmware CVE-2017-2272 (Untrusted search path vulnerability in Self-extracting encrypted files ...) NOT-FOR-US: AttacheCase CVE-2017-2271 (Untrusted search path vulnerability in Self-extracting encrypted files ...) NOT-FOR-US: AttacheCase CVE-2017-2270 (Untrusted search path vulnerability in Encrypted files in self-decrypt ...) NOT-FOR-US: FileCapsule Deluxe Portable CVE-2017-2269 (Untrusted search path vulnerability in FileCapsule Deluxe Portable Ver ...) NOT-FOR-US: FileCapsule Deluxe Portable CVE-2017-2268 (Untrusted search path vulnerability in Encrypted files in self-decrypt ...) NOT-FOR-US: FileCapsule Deluxe Portable CVE-2017-2267 (Untrusted search path vulnerability in FileCapsule Deluxe Portable Ver ...) NOT-FOR-US: FileCapsule Deluxe Portable CVE-2017-2266 (Untrusted search path vulnerability in Encrypted files in self-decrypt ...) NOT-FOR-US: FileCapsule Deluxe Portable CVE-2017-2265 (Untrusted search path vulnerability in FileCapsule Deluxe Portable Ver ...) NOT-FOR-US: FileCapsule Deluxe Portable CVE-2017-2264 RESERVED CVE-2017-2263 RESERVED CVE-2017-2262 RESERVED CVE-2017-2261 RESERVED CVE-2017-2260 RESERVED CVE-2017-2259 RESERVED CVE-2017-2258 (Directory traversal vulnerability in Cybozu Garoon 4.2.4 to 4.2.5 allo ...) NOT-FOR-US: Cybozu CVE-2017-2257 (Cross-site scripting vulnerability in Cybozu Garoon 3.0.0 to 4.2.5 all ...) NOT-FOR-US: Cybozu CVE-2017-2256 (Cross-site scripting vulnerability in Cybozu Garoon 3.0.0 to 4.2.5 all ...) NOT-FOR-US: Cybozu CVE-2017-2255 (Cross-site scripting vulnerability in Cybozu Garoon 3.7.0 to 4.2.5 all ...) NOT-FOR-US: Cybozu CVE-2017-2254 (Cybozu Garoon 3.5.0 to 4.2.5 allows an attacker to cause a denial of s ...) NOT-FOR-US: Cybozu CVE-2017-2253 (Untrusted search path vulnerability in Installer of Yahoo! Toolbar (fo ...) NOT-FOR-US: Installer of Yahoo! Toolbar (for Internet explorer) CVE-2017-2252 (Untrusted search path vulnerability in self-extracting archive files c ...) NOT-FOR-US: File Compact CVE-2017-2251 RESERVED CVE-2017-2250 RESERVED CVE-2017-2249 (Untrusted search path vulnerability in Self-extracting archive files c ...) NOT-FOR-US: Lhaz+ CVE-2017-2248 (Untrusted search path vulnerability in Installer of Lhaz+ version 3.4. ...) NOT-FOR-US: Lhaz+ CVE-2017-2247 (Untrusted search path vulnerability in Self-extracting archive files c ...) NOT-FOR-US: Lhaz CVE-2017-2246 (Untrusted search path vulnerability in Installer of Lhaz version 2.4.0 ...) NOT-FOR-US: Lhaz CVE-2017-2245 (Directory traversal vulnerability in Shortcodes Ultimate prior to vers ...) NOT-FOR-US: Shortcodes Ultimate CVE-2017-2244 (Cross-site request forgery (CSRF) vulnerability in MFC-J960DWN firmwar ...) NOT-FOR-US: MFC-J960DWN firmware CVE-2017-2243 (Cross-site scripting vulnerability in Responsive Lightbox prior to ver ...) NOT-FOR-US: Responsive Lightbox CVE-2017-2242 (Untrusted search path vulnerability in Flets Setsuzoku Tool for Window ...) NOT-FOR-US: Flets Setsuzoku Tool for Windows CVE-2017-2241 (SQL injection vulnerability in the AssetView for MacOS Ver.9.2.0 and e ...) NOT-FOR-US: AssetView for MacOS CVE-2017-2240 (Directory traversal vulnerability in AssetView for MacOS Ver.9.2.0 and ...) NOT-FOR-US: AssetView for MacOS CVE-2017-2239 (Marp versions v0.0.10 and earlier may allow an attacker to access loca ...) NOT-FOR-US: Marp CVE-2017-2238 (Cross-site request forgery (CSRF) vulnerability in Toshiba Home gatewa ...) NOT-FOR-US: Toshiba Home gateway HEM-GW16A CVE-2017-2237 (Toshiba Home gateway HEM-GW16A firmware HEM-GW16A-FW-V1.2.0 and earlie ...) NOT-FOR-US: Toshiba Home gateway HEM-GW16A firmware CVE-2017-2236 (Toshiba Home gateway HEM-GW16A firmware HEM-GW16A-FW-V1.2.0 and earlie ...) NOT-FOR-US: Toshiba Home gateway HEM-GW16A firmware CVE-2017-2235 (Toshiba Home gateway HEM-GW16A firmware HEM-GW16A-FW-V1.2.0 and earlie ...) NOT-FOR-US: Toshiba Home gateway HEM-GW16A firmware CVE-2017-2234 (Toshiba Home gateway HEM-GW16A firmware HEM-GW16A-FW-V1.2.0 and earlie ...) NOT-FOR-US: Toshiba Home gateway HEM-GW16A firmware CVE-2017-2233 (Untrusted search path vulnerability in Installer of PDF Digital Signat ...) NOT-FOR-US: PDF Digital Signature Plugin CVE-2017-2232 (Untrusted search path vulnerability in Installer of Shinseiyo Sogo Sof ...) NOT-FOR-US: Installer of Shinseiyo Sogo Soft CVE-2017-2231 (Untrusted search path vulnerability in The installer of MLIT DenshiSei ...) NOT-FOR-US: installer of MLIT DenshiSeikabutsuSakuseiShienKensa system CVE-2017-2230 (Untrusted search path vulnerability in Douro Kouji Kanseizutou Check P ...) NOT-FOR-US: Douro Kouji Kanseizutou Check Program CVE-2017-2229 (Untrusted search path vulnerability in Douroshisetu Kihon Data Sakusei ...) NOT-FOR-US: Douroshisetu Kihon Data Sakusei System CVE-2017-2228 (Untrusted search path vulnerability in Teikihoukokusho Sakuseishien To ...) NOT-FOR-US: Teikihoukokusho Sakuseishien Tool CVE-2017-2227 (Untrusted search path vulnerability in The installer of Charamin OMP V ...) NOT-FOR-US: installer of Charamin OMP CVE-2017-2226 (Untrusted search path vulnerability in Setup file of advance preparati ...) NOT-FOR-US: e-Tax CVE-2017-2225 (Untrusted search path vulnerability in EbidSettingChecker.exe (version ...) NOT-FOR-US: EbidSettingChecker.exe CVE-2017-2224 (Cross-site scripting vulnerability in Event Calendar WD prior to versi ...) NOT-FOR-US: Event Calendar WD CVE-2017-2223 (Cross-site request forgery (CSRF) vulnerability in TS-WPTCAM, TS-PTCAM ...) NOT-FOR-US: TS-WPTCAM CVE-2017-2222 (Cross-site scripting vulnerability in WP-Members prior to version 3.1. ...) NOT-FOR-US: WP-Members CVE-2017-2221 (Untrusted search path vulnerability in Installer of Baidu IME Ver3.6.1 ...) NOT-FOR-US: Installer of Baidu IME CVE-2017-2220 (Untrusted search path vulnerability in Installer of CASL II simulator ...) NOT-FOR-US: Installer of CASL II simulator CVE-2017-2219 (Untrusted search path vulnerability in the [Simeji for Windows] instal ...) NOT-FOR-US: Simeji CVE-2017-2218 (Untrusted search path vulnerability in Installer of QuickTime for Wind ...) NOT-FOR-US: Installer of QuickTime for Windows CVE-2017-2217 (Open redirect vulnerability in WordPress Download Manager prior to ver ...) NOT-FOR-US: WordPress Download Manager CVE-2017-2216 (Cross-site scripting vulnerability in WordPress Download Manager prior ...) NOT-FOR-US: WordPress Download Manager CVE-2017-2215 (Untrusted search path vulnerability in Installer of "Setup file of adv ...) NOT-FOR-US: Installer of "Setup file of advance preparation" CVE-2017-2214 (Untrusted search path vulnerability in AppCheck and AppCheck Pro prior ...) NOT-FOR-US: AppCheck CVE-2017-2213 (Untrusted search path vulnerability in SemiDynaEXE (SemiDynaEXE2008.EX ...) NOT-FOR-US: SemiDynaEXE CVE-2017-2212 (Untrusted search path vulnerability in TKY2JGD (TKY2JGD1379.EXE) ver. ...) NOT-FOR-US: TKY2JGD CVE-2017-2211 (Untrusted search path vulnerability in PatchJGD (Hyoko) (PatchJGDh101. ...) NOT-FOR-US: PatchJGD CVE-2017-2210 (Untrusted search path vulnerability in PatchJGD (PatchJGD101.EXE) ver. ...) NOT-FOR-US: PatchJGD CVE-2017-2209 (Untrusted search path vulnerability in the installer of Houkokusyo Sak ...) NOT-FOR-US: Houkokusyo Sakusei Shien Tool CVE-2017-2208 (Untrusted search path vulnerability in Installer of Electronic tenderi ...) NOT-FOR-US: Installer of Electronic tendering and bid opening system CVE-2017-2207 (Untrusted search path vulnerability in the installer of SaAT Personal ...) NOT-FOR-US: SaAT Personal CVE-2017-2206 (Untrusted search path vulnerability in the installer of SaAT Netizen v ...) NOT-FOR-US: SaAT Netizen CVE-2017-2205 RESERVED CVE-2017-2204 RESERVED CVE-2017-2203 RESERVED CVE-2017-2202 RESERVED CVE-2017-2201 RESERVED CVE-2017-2200 RESERVED CVE-2017-2199 RESERVED CVE-2017-2198 RESERVED CVE-2017-2197 RESERVED CVE-2017-2196 RESERVED CVE-2017-2195 (SQL injection vulnerability in the Multi Feed Reader prior to version ...) NOT-FOR-US: Multi Feed Reader plugin for wordpress CVE-2017-2194 (Cross-site scripting vulnerability in Source code security studying to ...) NOT-FOR-US: iCodeChecker CVE-2017-2193 (Untrusted search path vulnerability in the installer of Tera Term 4.94 ...) NOT-FOR-US: Tera Term CVE-2017-2192 (Untrusted search path vulnerability in RW-5100 tool to verify executio ...) NOT-FOR-US: RW5100 installer CVE-2017-2191 (Untrusted search path vulnerability in RW-5100 driver installer for Wi ...) NOT-FOR-US: RW5100 installer CVE-2017-2190 (Untrusted search path vulnerability in RW-4040 tool to verify executio ...) NOT-FOR-US: RW4040 CVE-2017-2189 (Untrusted search path vulnerability in RW-4040 driver installer for Wi ...) NOT-FOR-US: RW4040 CVE-2017-2188 (Untrusted search path vulnerability in Installer of Denshinouhin Check ...) NOT-FOR-US: Installer of Denshinouhin Check System CVE-2017-2187 (Cross-site scripting vulnerability in WP Live Chat Support prior to ve ...) NOT-FOR-US: WP Live Chat CVE-2017-2186 (HOME SPOT CUBE2 firmware V101 and earlier allows an attacker to bypass ...) NOT-FOR-US: HOME SPOT CUBE2 firmware CVE-2017-2185 (HOME SPOT CUBE2 firmware V101 and earlier allows authenticated attacke ...) NOT-FOR-US: HOME SPOT CUBE2 firmware CVE-2017-2184 (Buffer overflow in HOME SPOT CUBE2 firmware V101 and earlier allows an ...) NOT-FOR-US: HOME SPOT CUBE2 firmware CVE-2017-2183 (HOME SPOT CUBE2 firmware V101 and earlier allows authenticated attacke ...) NOT-FOR-US: HOME SPOT CUBE2 firmware CVE-2017-2182 (Hands-on Vulnerability Learning Tool "AppGoat" for Web Application V3. ...) NOT-FOR-US: Hands-on Vulnerability Learning Tool CVE-2017-2181 (Hands-on Vulnerability Learning Tool "AppGoat" for Web Application V3. ...) NOT-FOR-US: Hands-on Vulnerability Learning Tool CVE-2017-2180 (Hands-on Vulnerability Learning Tool "AppGoat" for Web Application V3. ...) NOT-FOR-US: Hands-on Vulnerability Learning Tool CVE-2017-2179 (Hands-on Vulnerability Learning Tool "AppGoat" for Web Application V3. ...) NOT-FOR-US: Hands-on Vulnerability Learning Tool CVE-2017-2178 (Untrusted search path vulnerability in Installer of electronic tenderi ...) NOT-FOR-US: electronic tendering and bid opening system CVE-2017-2177 (Untrusted search path vulnerability in Installer of Shogyo Touki Densh ...) NOT-FOR-US: Shogyo Touki Denshi Ninsho CVE-2017-2176 (Untrusted search path vulnerability in screensaver installers (jasdf_0 ...) NOT-FOR-US: screensaver installers for Windows CVE-2017-2175 (Untrusted search path vulnerability in Empirical Project Monitor - eXt ...) NOT-FOR-US: Empirical Project Monitor - eXtended CVE-2017-2174 (Cross-site scripting vulnerability in Empirical Project Monitor - eXte ...) NOT-FOR-US: Empirical Project Monitor - eXtended CVE-2017-2173 (Cross-site scripting vulnerability in Empirical Project Monitor - eXte ...) NOT-FOR-US: Empirical Project Monitor - eXtended CVE-2017-2172 (Cross-site scripting vulnerability in Cybozu KUNAI for Android 3.0.0 t ...) NOT-FOR-US: Cybozu CVE-2017-2171 (Cross-site scripting vulnerability in Captcha prior to version 4.3.0, ...) NOT-FOR-US: WordPress plugins provided by BestWebSoft CVE-2017-2170 RESERVED CVE-2017-2169 (Cross-site scripting vulnerability in MaxButtons prior to version 6.19 ...) NOT-FOR-US: MaxButtons plugin for WordPress CVE-2017-2168 (Cross-site scripting vulnerability in WP Booking System Free version p ...) NOT-FOR-US: WP Booking System CVE-2017-2167 (Untrusted search path vulnerability in Installer for PrimeDrive Deskto ...) NOT-FOR-US: PrimeDrive CVE-2017-2166 (Open redirect vulnerability in GroupSession version 4.7.0 and earlier ...) NOT-FOR-US: GroupSession CVE-2017-2165 (GroupSession versions 4.6.4 and earlier allows remote authenticated at ...) NOT-FOR-US: GroupSession CVE-2017-2164 (Cross-site scripting vulnerability in SOY CMS with installer 1.8.12 an ...) NOT-FOR-US: SOY CMS CVE-2017-2163 (Directory traversal vulnerability in SOY CMS Ver.1.8.1 to Ver.1.8.12 a ...) NOT-FOR-US: SOY CMS CVE-2017-2162 (FlashAirTM SDHC Memory Card (SD-WE Series <W-03>) V3.00.02 and e ...) NOT-FOR-US: FlashAirTM CVE-2017-2161 (FlashAirTM SDHC Memory Card (SD-WE Series <W-03>) V3.00.02 and e ...) NOT-FOR-US: FlashAirTM CVE-2017-2160 RESERVED CVE-2017-2159 RESERVED CVE-2017-2158 (Improper verification when expanding ZIP64 archives in Lhaplus version ...) NOT-FOR-US: Lhaplus CVE-2017-2157 (Untrusted search path vulnerability in installers for The Public Certi ...) NOT-FOR-US: The Public Certification Service CVE-2017-2156 (Untrusted search path vulnerability in Vivaldi installer for Windows p ...) NOT-FOR-US: Vivaldi installer Windows CVE-2017-2155 (Buffer overflow in Hoozin Viewer 2, 3, 4.1.5.15 and earlier, 5.1.2.13 ...) NOT-FOR-US: Hoozin Viewer CVE-2017-2154 (Untrusted search path vulnerability in Hanako 2017, Hanako 2016, Hanak ...) NOT-FOR-US: Booking Calendar CVE-2017-2153 (SEIL/x86 Fuji 1.70 to 5.62, SEIL/BPV4 5.00 to 5.62, SEIL/X1 1.30 to 5. ...) NOT-FOR-US: SEIL CVE-2017-2152 (WNC01WH firmware 1.0.0.9 and earlier allows authenticated attackers to ...) NOT-FOR-US: WNC01WH firmware CVE-2017-2151 (Cross-site scripting vulnerability in Booking Calendar version 7.1 and ...) NOT-FOR-US: Booking Calendar CVE-2017-2150 (Directory traversal vulnerability in Booking Calendar version 7.0 and ...) NOT-FOR-US: Booking Calendar CVE-2017-2149 (Untrusted search path vulnerability in installers of the software for ...) NOT-FOR-US: installers of the software for SDHC/SDXC Memory Cards CVE-2017-2148 (Cross-site scripting vulnerability in WN-AC1167GR firmware version 1.0 ...) NOT-FOR-US: WN-AC1167GR firmware CVE-2017-2147 (Cross-site scripting vulnerability in WP Statistics version 12.0.4 and ...) NOT-FOR-US: WP Statistics CVE-2017-2146 (Cross-site scripting vulnerability in Cybozu Garoon 3.0.0 to 4.2.4 all ...) NOT-FOR-US: Cybozu Garoon CVE-2017-2145 (Session fixation vulnerability in Cybozu Garoon 4.0.0 to 4.2.4 allows ...) NOT-FOR-US: Cybozu Garoon CVE-2017-2144 (Cybozu Garoon 3.0.0 to 4.2.4 may allow an attacker to lock another use ...) NOT-FOR-US: Cybozu Garoon CVE-2017-2143 (CS-Cart Japanese Edition v4.3.10-jp-1 and earlier, CS-Cart Multivendor ...) NOT-FOR-US: CS-Cart CVE-2017-2142 (Buffer overflow in WN-G300R3 firmware Ver.1.03 and earlier allows remo ...) NOT-FOR-US: WN-G300R3 firmware CVE-2017-2141 (WN-G300R3 firmware 1.03 and earlier allows attackers with administrato ...) NOT-FOR-US: WN-G300R3 firmware CVE-2017-2140 (Tablacus Explorer 17.3.30 and earlier allows arbitrary scripts to be e ...) NOT-FOR-US: Tablacus Explorer CVE-2017-2139 (CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS ...) NOT-FOR-US: CS-Cart CVE-2017-2138 (Cross-site request forgery (CSRF) vulnerability in CS-Cart Japanese Ed ...) NOT-FOR-US: CS-Cart CVE-2017-2137 (ProSAFE Plus Configuration Utility prior to 2.3.29 allows remote attac ...) NOT-FOR-US: ProSAFE Plus Configuration Utility CVE-2017-2136 (Cross-site scripting vulnerability in WP Statistics version 12.0.4 and ...) NOT-FOR-US: WP Statistics CVE-2017-2135 (Cross-site scripting vulnerability in WP Statistics version 12.0.1 and ...) NOT-FOR-US: WP Statistics CVE-2017-2134 (Cross-site scripting vulnerability in ASSETBASE 8.0 and earlier allows ...) NOT-FOR-US: ASSETBASE CVE-2017-2133 (SQL injection vulnerability in Panasonic KX-HJB1000 Home unit devices ...) NOT-FOR-US: Panasonic KX-HJB1000 Home unit devices CVE-2017-2132 (Panasonic KX-HJB1000 Home unit devices with firmware GHX1YG 14.50 or H ...) NOT-FOR-US: Panasonic KX-HJB1000 Home unit devices CVE-2017-2131 (Panasonic KX-HJB1000 Home unit devices with firmware GHX1YG 14.50 or H ...) NOT-FOR-US: Panasonic KX-HJB1000 Home unit devices CVE-2017-2130 (Untrusted search path vulnerability in the installer of PhishWall Clie ...) NOT-FOR-US: installer of PhishWall Client Internet Explorer CVE-2017-2129 RESERVED CVE-2017-2128 (Security guide for website operators allows remote attackers to execut ...) NOT-FOR-US: Security guide for website operators CVE-2017-2127 (Cross-site scripting vulnerability in YOP Poll versions prior to 5.8.1 ...) NOT-FOR-US: YOP Poll CVE-2017-2126 (WAPM-1166D firmware Ver.1.2.7 and earlier, WAPM-APG600H firmware Ver.1 ...) NOT-FOR-US: WAPM-* firmware CVE-2017-2125 (Privilege escalation vulnerability in CentreCOM AR260S V2 remote authe ...) NOT-FOR-US: CentreCOM AR260S CVE-2017-2124 (Cross-site scripting vulnerability in OneThird CMS v1.73 Heaven's Door ...) NOT-FOR-US: OneThird CMS CVE-2017-2123 (Cross-site scripting vulnerability in OneThird CMS v1.73 Heaven's Door ...) NOT-FOR-US: OneThird CMS CVE-2017-2122 (Cross-site scripting vulnerability in Nessus versions 6.8.0, 6.8.1, 6. ...) NOT-FOR-US: Nessus CVE-2017-2121 RESERVED CVE-2017-2120 (SQL injection vulnerability in the WBCE CMS 1.1.10 and earlier allows ...) NOT-FOR-US: WBCE CMS CVE-2017-2119 (Directory traversal vulnerability in WBCE CMS 1.1.10 and earlier allow ...) NOT-FOR-US: WBCE CMS CVE-2017-2118 (Cross-site scripting vulnerability in WBCE CMS 1.1.10 and earlier allo ...) NOT-FOR-US: WBCE CMS CVE-2017-2117 (Directory traversal vulnerability in CubeCart versions prior to 6.1.5 ...) NOT-FOR-US: CubeCart CVE-2017-2116 (Cybozu Office 10.0.0 to 10.5.0 allows remote authenticated attackers t ...) NOT-FOR-US: Cybozu CVE-2017-2115 (Cybozu Office 10.0.0 to 10.5.0 allows remote authenticated attackers t ...) NOT-FOR-US: Cybozu CVE-2017-2114 (Cross-site scripting vulnerability in Cybozu Office 10.0.0 to 10.5.0 a ...) NOT-FOR-US: Cybozu CVE-2017-2113 (Buffer overflow in TS-WPTCAM firmware version 1.18 and earlier, TS-WPT ...) NOT-FOR-US: firmware in network cameras by I-O DATA CVE-2017-2112 (TS-WPTCAM firmware version 1.18 and earlier, TS-WPTCAM2 firmware versi ...) NOT-FOR-US: firmware in network cameras by I-O DATA CVE-2017-2111 (HTTP header injection vulnerability in TS-WPTCAM firmware version 1.18 ...) NOT-FOR-US: firmware in network cameras by I-O DATA CVE-2017-2110 (The Access CX App for Android prior to 2.0.0.1 and for iOS prior to 2. ...) NOT-FOR-US: CX App for Android CVE-2017-2109 (Cybozu KUNAI for Android 3.0.4 to 3.0.5.1 allow remote attackers to ob ...) NOT-FOR-US: Cybozu CVE-2017-2108 (Untrusted search path vulnerability in PrimeDrive Desktop Application ...) NOT-FOR-US: PrimeDrive Desktop Application CVE-2017-2107 (Untrusted search path vulnerability in Self-extracting archive files c ...) NOT-FOR-US: 7-ZIP32.DLL CVE-2017-2106 (Multiple cross-site scripting vulnerabilities in Webmin versions prior ...) - webmin CVE-2017-2105 (The TVer App for Android 3.2.7 and earlier does not verify X.509 certi ...) NOT-FOR-US: TVer App for Android CVE-2017-2104 (The Business LaLa Call App for Android 1.4.7 and earlier does not veri ...) NOT-FOR-US: Business LaLa Call App for Android CVE-2017-2103 (The LaLa Call App for Android 2.4.7 and earlier does not verify X.509 ...) NOT-FOR-US: LaLa Call App for Android CVE-2017-2102 (Cross-site request forgery (CSRF) vulnerability in Hands-on Vulnerabil ...) NOT-FOR-US: Hands-on Vulnerability Learning Tool "AppGoat" for Web Application CVE-2017-2101 (Hands-on Vulnerability Learning Tool "AppGoat" for Web Application V3. ...) NOT-FOR-US: Hands-on Vulnerability Learning Tool "AppGoat" for Web Application CVE-2017-2100 (Hands-on Vulnerability Learning Tool "AppGoat" for Web Application V3. ...) NOT-FOR-US: Hands-on Vulnerability Learning Tool "AppGoat" for Web Application CVE-2017-2099 (Hands-on Vulnerability Learning Tool "AppGoat" for Web Application V3. ...) NOT-FOR-US: Hands-on Vulnerability Learning Tool "AppGoat" for Web Application CVE-2017-2098 (Directory traversal vulnerability in CubeCart versions prior to 6.1.4 ...) NOT-FOR-US: CubeCart CVE-2017-2097 (Cross-site request forgery (CSRF) vulnerability in Knowledge versions ...) NOT-FOR-US: Knowledge CVE-2017-2096 (smalruby-editor v0.4.0 and earlier allows remote attackers to execute ...) NOT-FOR-US: smalruby-editor CVE-2017-2095 (Cybozu Garoon 3.0.0 to 4.2.3 allows remote authenticated attackers to ...) NOT-FOR-US: Cybozu CVE-2017-2094 (Cybozu Garoon 3.0.0 to 4.2.3 allows remote authenticated attackers to ...) NOT-FOR-US: Cybozu CVE-2017-2093 (Cybozu Garoon 3.0.0 to 4.2.3 allow remote attackers to obtain tokens u ...) NOT-FOR-US: Cybozu CVE-2017-2092 (Cross-site scripting vulnerability in Cybozu Garoon 3.0.0 to 4.2.3 all ...) NOT-FOR-US: Cybozu CVE-2017-2091 (Cybozu Garoon 3.0.0 to 4.2.3 allows remote authenticated attackers to ...) NOT-FOR-US: Cybozu CVE-2017-2090 (Directory traversal vulnerability in CubeCart versions prior to 6.1.4 ...) NOT-FOR-US: CubeCart CVE-2017-2089 REJECTED CVE-2017-2088 REJECTED CVE-2017-2087 REJECTED CVE-2017-2086 REJECTED CVE-2017-2085 REJECTED CVE-2017-2084 REJECTED CVE-2017-2083 REJECTED CVE-2017-2082 REJECTED CVE-2017-2081 REJECTED CVE-2017-2080 REJECTED CVE-2017-2079 REJECTED CVE-2017-2078 REJECTED CVE-2017-2077 REJECTED CVE-2017-2076 REJECTED CVE-2017-2075 REJECTED CVE-2017-2074 REJECTED CVE-2017-2073 REJECTED CVE-2017-2072 REJECTED CVE-2017-2071 REJECTED CVE-2017-2070 REJECTED CVE-2017-2069 REJECTED CVE-2017-2068 REJECTED CVE-2017-2067 REJECTED CVE-2017-2066 REJECTED CVE-2017-2065 REJECTED CVE-2017-2064 REJECTED CVE-2017-2063 REJECTED CVE-2017-2062 REJECTED CVE-2017-2061 REJECTED CVE-2017-2060 REJECTED CVE-2017-2059 REJECTED CVE-2017-2058 REJECTED CVE-2017-2057 REJECTED CVE-2017-2056 REJECTED CVE-2017-2055 REJECTED CVE-2017-2054 REJECTED CVE-2017-2053 REJECTED CVE-2017-2052 REJECTED CVE-2017-2051 REJECTED CVE-2017-2050 REJECTED CVE-2017-2049 REJECTED CVE-2017-2048 REJECTED CVE-2017-2047 REJECTED CVE-2017-2046 REJECTED CVE-2017-2045 REJECTED CVE-2017-2044 REJECTED CVE-2017-2043 REJECTED CVE-2017-2042 REJECTED CVE-2017-2041 REJECTED CVE-2017-2040 REJECTED CVE-2017-2039 REJECTED CVE-2017-2038 REJECTED CVE-2017-2037 REJECTED CVE-2017-2036 REJECTED CVE-2017-2035 REJECTED CVE-2017-2034 REJECTED CVE-2017-2033 REJECTED CVE-2017-2032 REJECTED CVE-2017-2031 REJECTED CVE-2017-2030 REJECTED CVE-2017-2029 REJECTED CVE-2017-2028 REJECTED CVE-2017-2027 REJECTED CVE-2017-2026 REJECTED CVE-2017-2025 REJECTED CVE-2017-2024 REJECTED CVE-2017-2023 REJECTED CVE-2017-2022 REJECTED CVE-2017-2021 REJECTED CVE-2017-2020 REJECTED CVE-2017-2019 REJECTED CVE-2017-2018 REJECTED CVE-2017-2017 REJECTED CVE-2017-2016 REJECTED CVE-2017-2015 REJECTED CVE-2017-2014 REJECTED CVE-2017-2013 REJECTED CVE-2017-2012 REJECTED CVE-2017-2011 REJECTED CVE-2017-2010 REJECTED CVE-2017-2009 REJECTED CVE-2017-2008 REJECTED CVE-2017-2007 REJECTED CVE-2017-2006 REJECTED CVE-2017-2005 REJECTED CVE-2017-2004 REJECTED CVE-2017-2003 REJECTED CVE-2017-2002 REJECTED CVE-2017-2001 REJECTED CVE-2017-2000 REJECTED CVE-2017-1999 REJECTED CVE-2017-1998 REJECTED CVE-2017-1997 REJECTED CVE-2017-1996 REJECTED CVE-2017-1995 REJECTED CVE-2017-1994 REJECTED CVE-2017-1993 REJECTED CVE-2017-1992 REJECTED CVE-2017-1991 REJECTED CVE-2017-1990 REJECTED CVE-2017-1989 REJECTED CVE-2017-1988 REJECTED CVE-2017-1987 REJECTED CVE-2017-1986 REJECTED CVE-2017-1985 REJECTED CVE-2017-1984 REJECTED CVE-2017-1983 REJECTED CVE-2017-1982 REJECTED CVE-2017-1981 REJECTED CVE-2017-1980 REJECTED CVE-2017-1979 REJECTED CVE-2017-1978 REJECTED CVE-2017-1977 REJECTED CVE-2017-1976 REJECTED CVE-2017-1975 REJECTED CVE-2017-1974 REJECTED CVE-2017-1973 REJECTED CVE-2017-1972 REJECTED CVE-2017-1971 REJECTED CVE-2017-1970 REJECTED CVE-2017-1969 REJECTED CVE-2017-1968 REJECTED CVE-2017-1967 REJECTED CVE-2017-1966 REJECTED CVE-2017-1965 REJECTED CVE-2017-1964 REJECTED CVE-2017-1963 REJECTED CVE-2017-1962 REJECTED CVE-2017-1961 REJECTED CVE-2017-1960 REJECTED CVE-2017-1959 REJECTED CVE-2017-1958 REJECTED CVE-2017-1957 REJECTED CVE-2017-1956 REJECTED CVE-2017-1955 REJECTED CVE-2017-1954 REJECTED CVE-2017-1953 REJECTED CVE-2017-1952 REJECTED CVE-2017-1951 REJECTED CVE-2017-1950 REJECTED CVE-2017-1949 REJECTED CVE-2017-1948 REJECTED CVE-2017-1947 REJECTED CVE-2017-1946 REJECTED CVE-2017-1945 REJECTED CVE-2017-1944 REJECTED CVE-2017-1943 REJECTED CVE-2017-1942 REJECTED CVE-2017-1941 REJECTED CVE-2017-1940 REJECTED CVE-2017-1939 REJECTED CVE-2017-1938 REJECTED CVE-2017-1937 REJECTED CVE-2017-1936 REJECTED CVE-2017-1935 REJECTED CVE-2017-1934 REJECTED CVE-2017-1933 REJECTED CVE-2017-1932 REJECTED CVE-2017-1931 REJECTED CVE-2017-1930 REJECTED CVE-2017-1929 REJECTED CVE-2017-1928 REJECTED CVE-2017-1927 REJECTED CVE-2017-1926 REJECTED CVE-2017-1925 REJECTED CVE-2017-1924 REJECTED CVE-2017-1923 REJECTED CVE-2017-1922 REJECTED CVE-2017-1921 REJECTED CVE-2017-1920 REJECTED CVE-2017-1919 REJECTED CVE-2017-1918 REJECTED CVE-2017-1917 REJECTED CVE-2017-1916 REJECTED CVE-2017-1915 REJECTED CVE-2017-1914 REJECTED CVE-2017-1913 REJECTED CVE-2017-1912 REJECTED CVE-2017-1911 REJECTED CVE-2017-1910 REJECTED CVE-2017-1909 REJECTED CVE-2017-1908 REJECTED CVE-2017-1907 REJECTED CVE-2017-1906 REJECTED CVE-2017-1905 REJECTED CVE-2017-1904 REJECTED CVE-2017-1903 REJECTED CVE-2017-1902 REJECTED CVE-2017-1901 REJECTED CVE-2017-1900 REJECTED CVE-2017-1899 REJECTED CVE-2017-1898 REJECTED CVE-2017-1897 REJECTED CVE-2017-1896 REJECTED CVE-2017-1895 REJECTED CVE-2017-1894 REJECTED CVE-2017-1893 REJECTED CVE-2017-1892 REJECTED CVE-2017-1891 REJECTED CVE-2017-1890 REJECTED CVE-2017-1889 REJECTED CVE-2017-1888 REJECTED CVE-2017-1887 REJECTED CVE-2017-1886 REJECTED CVE-2017-1885 REJECTED CVE-2017-1884 REJECTED CVE-2017-1883 REJECTED CVE-2017-1882 REJECTED CVE-2017-1881 REJECTED CVE-2017-1880 REJECTED CVE-2017-1879 REJECTED CVE-2017-1878 REJECTED CVE-2017-1877 REJECTED CVE-2017-1876 REJECTED CVE-2017-1875 REJECTED CVE-2017-1874 REJECTED CVE-2017-1873 REJECTED CVE-2017-1872 REJECTED CVE-2017-1871 REJECTED CVE-2017-1870 REJECTED CVE-2017-1869 REJECTED CVE-2017-1868 REJECTED CVE-2017-1867 REJECTED CVE-2017-1866 REJECTED CVE-2017-1865 REJECTED CVE-2017-1864 REJECTED CVE-2017-1863 REJECTED CVE-2017-1862 REJECTED CVE-2017-1861 REJECTED CVE-2017-1860 REJECTED CVE-2017-1859 REJECTED CVE-2017-1858 REJECTED CVE-2017-1857 REJECTED CVE-2017-1856 REJECTED CVE-2017-1855 REJECTED CVE-2017-1854 REJECTED CVE-2017-1853 REJECTED CVE-2017-1852 REJECTED CVE-2017-1851 REJECTED CVE-2017-1850 REJECTED CVE-2017-1849 REJECTED CVE-2017-1848 REJECTED CVE-2017-1847 REJECTED CVE-2017-1846 REJECTED CVE-2017-1845 REJECTED CVE-2017-1844 REJECTED CVE-2017-1843 REJECTED CVE-2017-1842 REJECTED CVE-2017-1841 REJECTED CVE-2017-1840 REJECTED CVE-2017-1839 REJECTED CVE-2017-1838 REJECTED CVE-2017-1837 REJECTED CVE-2017-1836 REJECTED CVE-2017-1835 REJECTED CVE-2017-1834 REJECTED CVE-2017-1833 REJECTED CVE-2017-1832 REJECTED CVE-2017-1831 REJECTED CVE-2017-1830 REJECTED CVE-2017-1829 REJECTED CVE-2017-1828 REJECTED CVE-2017-1827 REJECTED CVE-2017-1826 REJECTED CVE-2017-1825 REJECTED CVE-2017-1824 REJECTED CVE-2017-1823 REJECTED CVE-2017-1822 REJECTED CVE-2017-1821 REJECTED CVE-2017-1820 REJECTED CVE-2017-1819 REJECTED CVE-2017-1818 REJECTED CVE-2017-1817 REJECTED CVE-2017-1816 REJECTED CVE-2017-1815 REJECTED CVE-2017-1814 REJECTED CVE-2017-1813 REJECTED CVE-2017-1812 REJECTED CVE-2017-1811 REJECTED CVE-2017-1810 RESERVED CVE-2017-1809 RESERVED CVE-2017-1808 RESERVED CVE-2017-1807 RESERVED CVE-2017-1806 RESERVED CVE-2017-1805 RESERVED CVE-2017-1804 RESERVED CVE-2017-1803 RESERVED CVE-2017-1802 RESERVED CVE-2017-1801 RESERVED CVE-2017-1800 RESERVED CVE-2017-1799 RESERVED CVE-2017-1798 RESERVED CVE-2017-1797 RESERVED CVE-2017-1796 RESERVED CVE-2017-1795 (IBM WebSphere MQ 7.5, 8.0, and 9.0 through 9.0.4 could allow a local u ...) NOT-FOR-US: IBM WebSphere MQ CVE-2017-1794 (IBM Tivoli Monitoring 6.2.3 through 6.2.3.5 and 6.3.0 through 6.3.0.7 ...) NOT-FOR-US: IBM CVE-2017-1793 (IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 a ...) NOT-FOR-US: IBM CVE-2017-1792 (IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 a ...) NOT-FOR-US: IBM CVE-2017-1791 (IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 a ...) NOT-FOR-US: IBM CVE-2017-1790 (IBM DOORS Next Generation (DNG/RRC) 5.0, 5.0.1, 5.0.2, and 6.0 through ...) NOT-FOR-US: IBM DOORS Next Generation CVE-2017-1789 (IBM Tivoli Monitoring V6 6.2.3 and 6.3.0 could allow an unauthenticate ...) NOT-FOR-US: IBM CVE-2017-1788 (IBM WebSphere Application Server 9 installations using Form Login coul ...) NOT-FOR-US: IBM CVE-2017-1787 (IBM Publishing Engine 2.1.2 and 6.0.5 contains an undisclosed vulnerab ...) NOT-FOR-US: IBM Publishing Engine CVE-2017-1786 (IBM WebSphere MQ 8.0 through 8.0.0.8 and 9.0 through 9.0.4 under speci ...) NOT-FOR-US: IBM CVE-2017-1785 (IBM API Connect 5.0.7 and 5.0.8 could allow an authenticated remote us ...) NOT-FOR-US: IBM API Connect CVE-2017-1784 (IBM Cognos Analytics 11.0 could produce results in temporary files tha ...) NOT-FOR-US: IBM Cognos Analytics CVE-2017-1783 (IBM Cognos Analytics 11.0 could allow a local user to change parameter ...) NOT-FOR-US: IBM Cognos Analytics CVE-2017-1782 RESERVED CVE-2017-1781 RESERVED CVE-2017-1780 RESERVED CVE-2017-1779 (IBM Cognos Analytics 11.0 could store cached credentials locally that ...) NOT-FOR-US: IBM Cognos Analytics CVE-2017-1778 RESERVED CVE-2017-1777 RESERVED CVE-2017-1776 RESERVED CVE-2017-1775 RESERVED CVE-2017-1774 (IBM Security Guardium Big Data Intelligence (SonarG) 3.1 discloses sen ...) NOT-FOR-US: IBM Security Guardium Big Data Intelligence CVE-2017-1773 (IBM DataPower Gateways 7.1, 7,2, 7.5, and 7.6 could allow an attacker ...) NOT-FOR-US: IBM DataPower Gateways CVE-2017-1772 (IBM Worklight (IBM MobileFirst Platform Foundation 6.3, 7.0, 7.1, and ...) NOT-FOR-US: IBM CVE-2017-1771 RESERVED CVE-2017-1770 RESERVED CVE-2017-1769 (IBM Business Process Manager 8.6 is vulnerable to cross-site request f ...) NOT-FOR-US: IBM Business Process Manager CVE-2017-1768 (IBM Security Guardium Big Data Intelligence (SonarG) 3.1 generates an ...) NOT-FOR-US: IBM CVE-2017-1767 (IBM Business Process Manager 8.6 is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM CVE-2017-1766 (Due to incorrect authorization in IBM Business Process Manager 8.6 an ...) NOT-FOR-US: IBM CVE-2017-1765 (IBM Business Process Manager 8.6 could allow an authenticated user wit ...) NOT-FOR-US: IBM CVE-2017-1764 (IBM Cognos Business Intelligence 10.2, 10.2.1, 10.2.1.1, and 10.2.2, u ...) NOT-FOR-US: IBM CVE-2017-1763 RESERVED CVE-2017-1762 (IBM Jazz Foundation (IBM Rational Collaborative Lifecycle Management 5 ...) NOT-FOR-US: IBM CVE-2017-1761 (IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-sit ...) NOT-FOR-US: IBM WebSphere Portal CVE-2017-1760 (IBM WebSphere MQ 7.5, 8.0, and 9.0 could allow a local user to crash t ...) NOT-FOR-US: IBM WebSphere MQ CVE-2017-1759 RESERVED CVE-2017-1758 (IBM Financial Transaction Manager for ACH Services for Multi-Platform ...) NOT-FOR-US: IBM Financial Transaction Manager for ACH Services for Multi-Platform CVE-2017-1757 (IBM Security Guardium 10.0 is vulnerable to SQL injection. A remote at ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1756 (IBM Business Process Manager 8.6 allows web pages to be stored locally ...) NOT-FOR-US: IBM CVE-2017-1755 (IBM Security Identity Governance Virtual Appliance 5.2 through 5.2.3.2 ...) NOT-FOR-US: IBM CVE-2017-1754 RESERVED CVE-2017-1753 (Multiple IBM Rational products are vulnerable to HTML injection. A rem ...) NOT-FOR-US: IBM CVE-2017-1752 (IBM UrbanCode Deploy 6.1 and 6.2 could allow an authenticated privileg ...) NOT-FOR-US: IBM UrbanCode Deploy CVE-2017-1751 (IBM Robotic Process Automation with Automation Anywhere 10.0.0 is vuln ...) NOT-FOR-US: IBM Robotic Process Automation with Automation Anywhere CVE-2017-1750 (IBM Jazz Reporting Service (JRS) 5.0 through 5.0.2 and 6.0 through 6.0 ...) NOT-FOR-US: IBM Jazz Reporting Service CVE-2017-1749 (IBM UrbanCode Deploy 6.1 through 6.9.6.0 could allow a remote attacker ...) NOT-FOR-US: IBM UrbanCode Deploy CVE-2017-1748 (IBM Connections 5.0, 5.5, and 6.0 could allow a remote attacker to con ...) NOT-FOR-US: IBM CVE-2017-1747 (A specially crafted message could cause a denial of service in IBM Web ...) NOT-FOR-US: IBM CVE-2017-1746 (IBM Jazz for Service Management (IBM Tivoli Components 1.1.3) is vulne ...) NOT-FOR-US: IBM Jazz for Service Management CVE-2017-1745 RESERVED CVE-2017-1744 RESERVED CVE-2017-1743 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a ...) NOT-FOR-US: IBM CVE-2017-1742 RESERVED CVE-2017-1741 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a ...) NOT-FOR-US: IBM CVE-2017-1740 (IBM Curam Social Program Management 6.0.5, 6.1.1, 6.2.0, 7.0.1, and 7. ...) NOT-FOR-US: IBM Curam Social Program Management CVE-2017-1739 (IBM Curam Social Program Management 6.0.5, 6.1.1, 6.2.0, and 7.0.1 is ...) NOT-FOR-US: IBM Curam Social Program Management CVE-2017-1738 (IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 c ...) NOT-FOR-US: IBM CVE-2017-1737 RESERVED CVE-2017-1736 RESERVED CVE-2017-1735 RESERVED CVE-2017-1734 (IBM Jazz Team Server affecting the following IBM Rational Products: Co ...) NOT-FOR-US: IBM CVE-2017-1733 (IBM QRadar 7.3 stores potentially sensitive information in log files t ...) NOT-FOR-US: IBM CVE-2017-1732 (IBM Security Access Manager for Enterprise Single Sign-On 8.2.2 does n ...) NOT-FOR-US: IBM CVE-2017-1731 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could provide ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2017-1730 RESERVED CVE-2017-1729 (IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 a ...) NOT-FOR-US: IBM CVE-2017-1728 RESERVED CVE-2017-1727 (IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 discloses sensitive ...) NOT-FOR-US: IBM Tivoli Key Lifecycle Manager CVE-2017-1726 RESERVED CVE-2017-1725 (IBM Jazz Team Server affecting the following IBM Rational Products: Co ...) NOT-FOR-US: IBM CVE-2017-1724 (IBM Security QRadar SIEM 7.2 and 7.3 is vulnerable to cross-site scrip ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2017-1723 (IBM Security QRadar SIEM 7.2 and 7.3 could allow a remote attacker to ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2017-1722 (IBM Security QRadar SIEM 7.2 and 7.3 is vulnerable to SQL injection. A ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2017-1721 (IBM Security QRadar SIEM 7.2 and 7.3 could allow an unauthenticated us ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2017-1720 (IBM Notes 8.5 and 9.0 could allow a local attacker to execute arbitrar ...) NOT-FOR-US: IBM Notes CVE-2017-1719 RESERVED CVE-2017-1718 RESERVED CVE-2017-1717 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1716 (IBM Tivoli Workload Scheduler 8.6.0, 9.1.0, and 9.2.0 could disclose s ...) NOT-FOR-US: IBM Tivoli Workload Scheduler CVE-2017-1715 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1714 (IBM Notes and Domino NSD 8.5 and 9.0 could allow an authenticated loca ...) NOT-FOR-US: IBM Notes and Domino NSD CVE-2017-1713 (IBM InfoSphere Streams 4.2.1 uses weaker than expected cryptographic a ...) NOT-FOR-US: IBM CVE-2017-1712 ("A vulnerability in the TLS protocol implementation of the Domino serv ...) TODO: check CVE-2017-1711 (IBM iNotes 8.5 and 9.0 SUService can be misguided into running malicio ...) NOT-FOR-US: IBM iNotes CVE-2017-1710 (A vulnerability in the Service Assistant GUI in IBM Storwize V7000 (20 ...) NOT-FOR-US: IBM CVE-2017-1709 RESERVED CVE-2017-1708 RESERVED CVE-2017-1707 RESERVED CVE-2017-1706 RESERVED CVE-2017-1705 (IBM Security Privileged Identity Manager 2.1.0 contains left-over, sen ...) NOT-FOR-US: IBM CVE-2017-1704 RESERVED CVE-2017-1703 RESERVED CVE-2017-1702 RESERVED CVE-2017-1701 (IBM Team Concert (RTC) 5.0, 5.0.1, 5.0.2, 6.0, 6.0.1, 6.0.2, 6.0.3, 6. ...) NOT-FOR-US: IBM CVE-2017-1700 (IBM Jazz Team Server affecting the following IBM Rational Products: Co ...) NOT-FOR-US: IBM CVE-2017-1699 (IBM MQ Managed File Transfer Agent 8.0 and 9.0 sets insecure permissio ...) NOT-FOR-US: IBM MQ Managed File Transfer Agent CVE-2017-1698 (IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 could reveal sensitive inf ...) NOT-FOR-US: IBM WebSphere Portal CVE-2017-1697 RESERVED CVE-2017-1696 (IBM QRadar 7.2 and 7.3 could allow a remote authenticated attacker to ...) NOT-FOR-US: IBM QRadar CVE-2017-1695 (IBM QRadar SIEM 7.2 and 7.3 uses weaker than expected cryptographic al ...) NOT-FOR-US: IBM CVE-2017-1694 (IBM Integration Bus 9.0 and 10.0 transmits user credentials in plain i ...) NOT-FOR-US: IBM Integration Bus CVE-2017-1693 (IBM Integration Bus 9.0 and 10.0 could allow an attacker that has capt ...) NOT-FOR-US: IBM Integration Bus CVE-2017-1692 (IBM AIX 5.3, 6.1, 7.1, and 7.2 contains an unspecified vulnerability t ...) NOT-FOR-US: IBM AIX CVE-2017-1691 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1690 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1689 (IBM DOORS Next Generation (DNG/RRC) 6.0 is vulnerable to cross-site sc ...) NOT-FOR-US: IBM CVE-2017-1688 (IBM DOORS Next Generation (DNG/RRC) 6.0 is vulnerable to cross-site sc ...) NOT-FOR-US: IBM CVE-2017-1687 RESERVED CVE-2017-1686 RESERVED CVE-2017-1685 RESERVED CVE-2017-1684 RESERVED CVE-2017-1683 (IBM Connections Engagement Center 6.0 is vulnerable to cross-site scri ...) NOT-FOR-US: IBM Connections Engagement Center CVE-2017-1682 (IBM Connections 4.0, 4.5, 5.0, 5.5, and 6.0 is vulnerable to cross-sit ...) NOT-FOR-US: IBM Connections CVE-2017-1681 (IBM WebSphere Application Server (IBM Liberty for Java for Bluemix 3.1 ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2017-1680 RESERVED CVE-2017-1679 (IBM OpenPages GRC Platform 7.2, 7.3, 7.4, and 8.0 could allow an attac ...) NOT-FOR-US: IBM CVE-2017-1678 (IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0, and 6.0 is vulnerable to ...) NOT-FOR-US: IBM CVE-2017-1677 (IBM Data Server Driver for JDBC and SQLJ (IBM DB2 for Linux, UNIX and ...) NOT-FOR-US: IBM CVE-2017-1676 RESERVED CVE-2017-1675 RESERVED CVE-2017-1674 RESERVED CVE-2017-1673 (IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 is vulnerable to cr ...) NOT-FOR-US: IBM Tivoli Key Lifecycle Manager CVE-2017-1672 (IBM Tivoli Key Lifecycle Manager 2.6 and 2.7 is vulnerable to cross-si ...) NOT-FOR-US: IBM Tivoli Key Lifecycle Manager CVE-2017-1671 (IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 could allow a remot ...) NOT-FOR-US: IBM Tivoli Key Lifecycle Manager CVE-2017-1670 (IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 is vulnerable to SQ ...) NOT-FOR-US: IBM Tivoli Key Lifecycle Manager CVE-2017-1669 (IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 stores sensitive in ...) NOT-FOR-US: IBM Tivoli Key Lifecycle Manager CVE-2017-1668 (IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 could allow a remot ...) NOT-FOR-US: IBM Tivoli Key Lifecycle Manager CVE-2017-1667 RESERVED CVE-2017-1666 (IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 is vulnerable to a ...) NOT-FOR-US: IBM Tivoli Key Lifecycle Manager CVE-2017-1665 (IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 uses weaker than ex ...) NOT-FOR-US: IBM Tivoli Key Lifecycle Manager CVE-2017-1664 (IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 uses weaker than ex ...) NOT-FOR-US: IBM Tivoli Key Lifecycle Manager CVE-2017-1663 RESERVED CVE-2017-1662 RESERVED CVE-2017-1661 RESERVED CVE-2017-1660 RESERVED CVE-2017-1659 ("HCL iNotes is susceptible to a Cross-Site Scripting (XSS) Vulnerabili ...) NOT-FOR-US: HCL iNotes CVE-2017-1658 RESERVED CVE-2017-1657 RESERVED CVE-2017-1656 RESERVED CVE-2017-1655 (IBM Jazz Foundation (IBM Rational Collaborative Lifecycle Management 5 ...) NOT-FOR-US: IBM CVE-2017-1654 (IBM Spectrum Scale 4.1.1 and 4.2.0 - 4.2.3 could allow a local unprivi ...) NOT-FOR-US: IBM CVE-2017-1653 (IBM Jazz Foundation (IBM Rational Collaborative Lifecycle Management 6 ...) NOT-FOR-US: IBM Jazz Foundation CVE-2017-1652 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1651 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1650 (IBM DOORS Next Generation (DNG/RRC) 6.0 is vulnerable to cross-site sc ...) NOT-FOR-US: IBM CVE-2017-1649 (IBM Rational Quality Manager (RQM) 5.0 through 5.02 and 6.0 through 6. ...) NOT-FOR-US: IBM CVE-2017-1648 RESERVED CVE-2017-1647 RESERVED CVE-2017-1646 RESERVED CVE-2017-1645 RESERVED CVE-2017-1644 RESERVED CVE-2017-1643 RESERVED CVE-2017-1642 RESERVED CVE-2017-1641 RESERVED CVE-2017-1640 RESERVED CVE-2017-1639 RESERVED CVE-2017-1638 RESERVED CVE-2017-1637 RESERVED CVE-2017-1636 RESERVED CVE-2017-1635 (IBM Tivoli Monitoring V6 6.2.2.x could allow a remote attacker to exec ...) NOT-FOR-US: IBM Tivoli Monitoring CVE-2017-1634 RESERVED CVE-2017-1633 (IBM Sterling B2B Integrator 5.2 through 5.2.6 could allow an authentic ...) NOT-FOR-US: IBM CVE-2017-1632 (IBM Sterling File Gateway 2.2 is vulnerable to cross-site scripting. T ...) NOT-FOR-US: IBM Sterling File Gateway CVE-2017-1631 (IBM Jazz for Service Management (IBM Tivoli Components 1.1.3) is vulne ...) NOT-FOR-US: IBM Jazz for Service Management CVE-2017-1630 RESERVED CVE-2017-1629 (IBM Jazz Foundation (IBM Rational Collaborative Lifecycle Management 5 ...) NOT-FOR-US: IBM CVE-2017-1628 (IBM Business Process Manager 8.6.0.0 allows authenticated users to sto ...) NOT-FOR-US: IBM CVE-2017-1627 RESERVED CVE-2017-1626 RESERVED CVE-2017-1625 (IBM Pulse for QRadar 1.0.0 - 1.0.3 discloses sensitive information to ...) NOT-FOR-US: IBM CVE-2017-1624 (IBM QRadar 7.3 and 7.3.1 specifies permissions for a security-critical ...) NOT-FOR-US: IBM CVE-2017-1623 (IBM QRadar 7.2 and 7.3 is vulnerable to cross-site scripting. This vul ...) NOT-FOR-US: IBM QRadar CVE-2017-1622 (IBM QRadar SIEM 7.2.8 and 7.3 does not validate, or incorrectly valida ...) NOT-FOR-US: IBM CVE-2017-1621 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1620 RESERVED CVE-2017-1619 RESERVED CVE-2017-1618 RESERVED CVE-2017-1617 RESERVED CVE-2017-1616 RESERVED CVE-2017-1615 RESERVED CVE-2017-1614 RESERVED CVE-2017-1613 (IBM Connections 6.0 could allow an unauthenticated remote attacker to ...) NOT-FOR-US: IBM Connections CVE-2017-1612 (IBM WebSphere MQ 7.0, 7.1, 7.5, 8.0, and 9.0 service trace module coul ...) NOT-FOR-US: IBM WebSphere MQ CVE-2017-1611 RESERVED CVE-2017-1610 RESERVED CVE-2017-1609 (IBM Quality Manager (RQM) 5.0 through 5.0.2 and 6.0 through 6.0.6 are ...) NOT-FOR-US: IBM CVE-2017-1608 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1607 (IBM DOORS Next Generation (DNG/RRC) 6.0 is vulnerable to cross-site sc ...) NOT-FOR-US: IBM CVE-2017-1606 (IBM Financial Transaction Manager (FTM) for Multi-Platform (MP) 3.0.0. ...) NOT-FOR-US: IBM Financial Transaction Manager CVE-2017-1605 RESERVED CVE-2017-1604 (IBM Maximo Anywhere 7.5 and 7.6 is vulnerable to cross-site scripting. ...) NOT-FOR-US: IBM Maximo Anywhere CVE-2017-1603 RESERVED CVE-2017-1602 (IBM RSA DM (IBM Rational Collaborative Lifecycle Management 5.0 and 6. ...) NOT-FOR-US: IBM CVE-2017-1601 (IBM Security Guardium 10.0, 10.0.1, and 10.1 through 10.1.4 Database A ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1600 (IBM Security Guardium 10.0 Database Activity Monitor is vulnerable to ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1599 RESERVED CVE-2017-1598 (IBM Security Guardium 10.0 Database Activity Monitor uses weaker than ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1597 (IBM Security Guardium 10.0, 10.0.1, 10.1, 10.1.2, 10.1.3, 10.1.4, and ...) NOT-FOR-US: IBM CVE-2017-1596 (IBM Security Guardium 10.0 Database Activity Monitor could allow a loc ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1595 (IBM Security Guardium 10.0 Database Activity Monitor could allow a loc ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1594 RESERVED CVE-2017-1593 (IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0, and 6.0 is vulnerable to ...) NOT-FOR-US: IBM CVE-2017-1592 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1591 (IBM WebSphere DataPower Appliances 7.0.0 through 7.6 is vulnerable to ...) NOT-FOR-US: IBM CVE-2017-1590 RESERVED CVE-2017-1589 RESERVED CVE-2017-1588 RESERVED CVE-2017-1587 RESERVED CVE-2017-1586 RESERVED CVE-2017-1585 RESERVED CVE-2017-1584 RESERVED CVE-2017-1583 (IBM WebSphere Application Server (IBM Liberty for Java for Bluemix 3.1 ...) NOT-FOR-US: IBM CVE-2017-1582 RESERVED CVE-2017-1581 RESERVED CVE-2017-1580 RESERVED CVE-2017-1579 RESERVED CVE-2017-1578 RESERVED CVE-2017-1577 (IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 could allow a remote attac ...) NOT-FOR-US: IBM CVE-2017-1576 RESERVED CVE-2017-1575 (IBM Sterling B2B Integrator Standard Edition (IBM Sterling File Gatewa ...) NOT-FOR-US: IBM CVE-2017-1574 RESERVED CVE-2017-1573 RESERVED CVE-2017-1572 RESERVED CVE-2017-1571 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2017-1570 (IBM Jazz Foundation products could allow an authenticated user to obta ...) NOT-FOR-US: IBM CVE-2017-1569 (IBM WebSphere Commerce 7.0 and 8.0 contains an unspecified vulnerabili ...) NOT-FOR-US: IBM CVE-2017-1568 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1567 (IBM Doors Web Access 9.5 and 9.6 is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM Doors Web Access CVE-2017-1566 RESERVED CVE-2017-1565 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1564 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1563 (IBM Doors Web Access 9.5 and 9.6 is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM Doors Web Access CVE-2017-1562 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1561 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1560 (IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0, and 6.0 is vulnerable to ...) NOT-FOR-US: IBM CVE-2017-1559 (Multiple IBM Rational products could disclose sensitive information by ...) NOT-FOR-US: IBM CVE-2017-1558 (IBM Maximo Asset Management 7.5 and 7.6 could allow a remote attacker ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2017-1557 (IBM WebSphere MQ 8.0 and 9.0 could allow an authenticated user with au ...) NOT-FOR-US: IBM WebSphere MQ CVE-2017-1556 (IBM API Connect 5.0.7.0 through 5.0.7.2 is vulnerable to a regular exp ...) NOT-FOR-US: IBM CVE-2017-1555 (IBM API Connect 5.0.0.0 through 5.0.7.2 could allow an authenticated u ...) NOT-FOR-US: IBM CVE-2017-1554 (IBM Infosphere BigInsights 4.2.0 and 4.2.5 could allow a remote attack ...) NOT-FOR-US: IBM CVE-2017-1553 (IBM Infosphere BigInsights 4.2.0 and 4.2.5 is vulnerable to cross-site ...) NOT-FOR-US: IBM CVE-2017-1552 (IBM Infosphere BigInsights 4.2.0 and 4.2.5 is vulnerable to link injec ...) NOT-FOR-US: IBM CVE-2017-1551 (IBM API Connect 5.0.0.0 through 5.0.7.2 could allow a remote attacker ...) NOT-FOR-US: IBM CVE-2017-1550 (IBM Sterling File Gateway 2.2 could allow an authenticated user to cha ...) NOT-FOR-US: IBM Sterling File Gateway CVE-2017-1549 (IBM Sterling File Gateway 2.2 is vulnerable to cross-site scripting. T ...) NOT-FOR-US: IBM Sterling File Gateway CVE-2017-1548 (IBM Sterling File Gateway 2.2 could allow a remote attacker to travers ...) NOT-FOR-US: IBM Sterling File Gateway CVE-2017-1547 RESERVED CVE-2017-1546 (IBM DOORS Next Generation (DNG/RRC) 4.07, 5.0, and 6.0 is vulnerable t ...) NOT-FOR-US: IBM DOORS Next Generation CVE-2017-1545 (IBM Doors Web Access 9.5 and 9.6 could allow an attacker with physical ...) NOT-FOR-US: IBM Doors Web Access CVE-2017-1544 (IBM Sterling B2B Integrator Standard Edition (IBM Sterling File Gatewa ...) NOT-FOR-US: IBM CVE-2017-1543 RESERVED CVE-2017-1542 RESERVED CVE-2017-1541 (A flaw in the AIX 5.3, 6.1, 7.1, and 7.2 JRE/SDK installp and updatep ...) NOT-FOR-US: IBM CVE-2017-1540 (IBM Doors Web Access 9.5 and 9.6 is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM Doors Web Access CVE-2017-1539 (IBM Business Process Manager 7.5, 8.0, and 8.5 is vulnerable to privil ...) NOT-FOR-US: IBM CVE-2017-1538 (IBM Financial Transaction Manager for ACH Services for Multi-Platform ...) NOT-FOR-US: IBM CVE-2017-1537 RESERVED CVE-2017-1536 (IBM Support Tools for Lotus WCM (IBM WebSphere Portal 7.0, 8.0, 8.5 an ...) NOT-FOR-US: IBM Support Tools for Lotus WCM CVE-2017-1535 (IBM Cognos Analytics 11.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2017-1534 (IBM Security Access Manager Appliance 8.0.0 and 9.0.0 could allow a re ...) NOT-FOR-US: IBM Security Access Manager Appliance CVE-2017-1533 (IBM Security Access Manager Appliance 9.0.3 is vulnerable to cross-sit ...) NOT-FOR-US: IBM Security Access Manager Appliance CVE-2017-1532 (IBM DOORS 9.5 and 9.6 is vulnerable to cross-site scripting. This vuln ...) NOT-FOR-US: IBM DOORS CVE-2017-1531 (IBM Business Process Manager 7.5, 8.0, and 8.5 is vulnerable to cross- ...) NOT-FOR-US: IBM CVE-2017-1530 (IBM Business Process Manager 7.5, 8.0, and 8.5 is vulnerable to cross- ...) NOT-FOR-US: IBM CVE-2017-1529 RESERVED CVE-2017-1528 RESERVED CVE-2017-1527 (IBM Business Process Manager 7.5, 8.0, and 8.5 is vulnerable to a XML ...) NOT-FOR-US: IBM CVE-2017-1526 RESERVED CVE-2017-1525 RESERVED CVE-2017-1524 (IBM Jazz Foundation (IBM Rational Collaborative Lifecycle Management 5 ...) NOT-FOR-US: IBM CVE-2017-1523 (IBM InfoSphere Master Data Management - Collaborative Edition 11.5 cou ...) NOT-FOR-US: IBM CVE-2017-1522 (IBM Content Navigator & CMIS 2.0.3, 3.0.0, and 3.0.1 is vulnerable ...) NOT-FOR-US: IBM CVE-2017-1521 (IBM Tivoli Endpoint Manager (for Lifecycle/Power/Patch) Platform and A ...) NOT-FOR-US: IBM Tivoli Endpoint Manager CVE-2017-1520 (IBM DB2 9.7, 10,1, 10.5, and 11.1 is vulnerable to an unauthorized com ...) NOT-FOR-US: IBM CVE-2017-1519 (IBM DB2 10.5 and 11.1 contains a denial of service vulnerability. A re ...) NOT-FOR-US: IBM CVE-2017-1518 RESERVED CVE-2017-1517 RESERVED CVE-2017-1516 (IBM Doors Web Access 9.5 and 9.6 could allow a remote attacker to hija ...) NOT-FOR-US: IBM Doors Web Access CVE-2017-1515 (IBM Doors Web Access 9.5 and 9.6 could allow an authenticated user to ...) NOT-FOR-US: IBM Doors Web Access CVE-2017-1514 RESERVED CVE-2017-1513 RESERVED CVE-2017-1512 RESERVED CVE-2017-1511 RESERVED CVE-2017-1510 RESERVED CVE-2017-1509 (IBM Jazz Foundation products could allow an authenticated user to obta ...) NOT-FOR-US: IBM CVE-2017-1508 (IBM Informix Dynamic Server 12.1 could allow a local user logged in wi ...) NOT-FOR-US: IBM CVE-2017-1507 (IBM Jazz Foundation Products could disclose sensitive information duri ...) NOT-FOR-US: IBM Jazz Foundation Products CVE-2017-1506 (IBM Cognos TM1 10.2 and 10.2.2 is vulnerable to cross-site scripting. ...) NOT-FOR-US: IBM Cognos TM1 CVE-2017-1505 RESERVED CVE-2017-1504 (IBM WebSphere Application Server version 9.0.0.4 could provide weaker ...) NOT-FOR-US: IBM CVE-2017-1503 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable ...) NOT-FOR-US: IBM CVE-2017-1502 (IBM Content Navigator & CMIS 2.0.3, 3.0.0, and 3.0.1 is vulnerable ...) NOT-FOR-US: IBM CVE-2017-1501 (IBM WebSphere Application Server 8.0, 8.5, and 9.0 could provide weake ...) NOT-FOR-US: IBM CVE-2017-1500 (A Reflected Cross Site Scripting (XSS) vulnerability exists in the aut ...) NOT-FOR-US: IBM CVE-2017-1499 (IBM Maximo Asset Management 7.5 and 7.6 could allow a remote attacker ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2017-1498 (IBM Connections 5.5 is vulnerable to cross-site scripting. This vulner ...) NOT-FOR-US: IBM CVE-2017-1497 (IBM Sterling File Gateway 2.2 could allow an unauthorized user to view ...) NOT-FOR-US: IBM CVE-2017-1496 (IBM Sterling B2B Integrator Standard Edition 5.2.x is vulnerable to cr ...) NOT-FOR-US: IBM CVE-2017-1495 (IBM InfoSphere Information Server 9.1, 11.3, and 11.5 could allow a pr ...) NOT-FOR-US: IBM CVE-2017-1494 (IBM Business Process Manager 8.5 is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM Business Process Manager CVE-2017-1493 (IBM UrbanCode Deploy (UCD) 6.1 and 6.2 could allow an authenticated us ...) NOT-FOR-US: IBM UrbanCode Deploy CVE-2017-1492 RESERVED CVE-2017-1491 (IBM QRadar Network Security 5.4 supports interaction between multiple ...) NOT-FOR-US: IBM CVE-2017-1490 (An unspecified vulnerability in the Lifecycle Query Engine of Jazz Rep ...) NOT-FOR-US: IBM CVE-2017-1489 (IBM Security Access Manager 6.1, 7.0, 8.0, and 9.0 e-community configu ...) NOT-FOR-US: IBM CVE-2017-1488 (An undisclosed vulnerability in Jazz common products exists with poten ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-1487 (IBM Sterling File Gateway 2.2 could allow an authenticated attacker to ...) NOT-FOR-US: IBM CVE-2017-1486 (IBM Cognos Business Intelligence 10.2, 10.2.1, 10.2.1.1, and 10.2.2 is ...) NOT-FOR-US: IBM CVE-2017-1485 (IBM Cognos Analytics 11.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2017-1484 (IBM WebSphere Commerce Enterprise, Professional, Express, and Develope ...) NOT-FOR-US: IBM CVE-2017-1483 (IBM Security Identity Manager Adapters 6.0 and 7.0 does not perform an ...) NOT-FOR-US: IBM CVE-2017-1482 (IBM Sterling B2B Integrator Standard Edition 5.2 is vulnerable to cros ...) NOT-FOR-US: IBM CVE-2017-1481 (IBM Sterling B2B Integrator Standard Edition 5.2 allows a user to view ...) NOT-FOR-US: IBM CVE-2017-1480 (IBM Security Access Manager Appliance 8.0.0 through 8.0.1.6, and 9.0.0 ...) NOT-FOR-US: IBM Security Access Manager Appliance CVE-2017-1479 RESERVED CVE-2017-1478 (IBM Security Access Manager Appliance 9.0.0 allows web pages to be sto ...) NOT-FOR-US: IBM Security Access Manager Appliance CVE-2017-1477 (IBM Security Access Manager Appliance 9.0.3 is vulnerable to a XML Ext ...) NOT-FOR-US: IBM CVE-2017-1476 (IBM Security Access Manager Appliance 7.0.0, 8.0.0 through 8.0.1.6, an ...) NOT-FOR-US: IBM Security Access Manager Appliance CVE-2017-1475 RESERVED CVE-2017-1474 (IBM Security Access Manager Appliance 7.0.0, 8.0.0 through 8.0.1.6, an ...) NOT-FOR-US: IBM Security Access Manager Appliance CVE-2017-1473 (IBM Security Access Manager Appliance 8.0.0 through 8.0.1.6 and 9.0.0 ...) NOT-FOR-US: IBM CVE-2017-1472 RESERVED CVE-2017-1471 RESERVED CVE-2017-1470 RESERVED CVE-2017-1469 (IBM InfoSphere Information Server 9.1, 11.3, and 11.5 could allow a lo ...) NOT-FOR-US: IBM CVE-2017-1468 (IBM InfoSphere Information Server 9.1, 11.3, and 11.5 could allow a lo ...) NOT-FOR-US: IBM CVE-2017-1467 (A network layer security vulnerability in InfoSphere Information Serve ...) NOT-FOR-US: IBM CVE-2017-1466 RESERVED CVE-2017-1465 (IBM TRIRIGA 3.2, 3.3, 3.4, and 3.5 could allow a remote attacker to hi ...) NOT-FOR-US: IBM CVE-2017-1464 RESERVED CVE-2017-1463 RESERVED CVE-2017-1462 (IBM Rhapsody DM 5.0 and 6.0 is vulnerable to cross-site scripting. Thi ...) NOT-FOR-US: IBM Rhapsody DM CVE-2017-1461 (IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0, and 6.0 is vulnerable to ...) NOT-FOR-US: IBM CVE-2017-1460 (IBM i OSPF 6.1, 7.1, 7.2, and 7.3 is vulnerable when a rogue router sp ...) NOT-FOR-US: IBM CVE-2017-1459 (IBM Security Access Manager Appliance 8.0.0 and 9.0.0 specifies permis ...) NOT-FOR-US: IBM Security Access Manager Appliance CVE-2017-1458 (IBM QRadar Network Security 5.4 is vulnerable to a XML External Entity ...) NOT-FOR-US: IBM CVE-2017-1457 (IBM QRadar Network Security 5.4 is vulnerable to cross-site scripting. ...) NOT-FOR-US: IBM CVE-2017-1456 RESERVED CVE-2017-1455 RESERVED CVE-2017-1454 RESERVED CVE-2017-1453 (IBM Security Access Manager Appliance 9.0.3 could allow a remote authe ...) NOT-FOR-US: IBM CVE-2017-1452 (IBM DB2 for Linux, UNIX and Windows 9.7, 10,1, 10.5, and 11.1 (include ...) NOT-FOR-US: IBM CVE-2017-1451 (IBM DB2 for Linux, UNIX and Windows 9.7, 10,1, 10.5, and 11.1 (include ...) NOT-FOR-US: IBM CVE-2017-1450 (IBM Emptoris Sourcing 9.5 - 10.1.3 could allow a remote attacker to co ...) NOT-FOR-US: IBM CVE-2017-1449 (IBM Emptoris Sourcing 9.5 - 10.1.3 could allow a remote attacker to co ...) NOT-FOR-US: IBM CVE-2017-1448 (IBM Emptoris Supplier Lifecycle Management 10.0.x and 10.1.x could all ...) NOT-FOR-US: IBM CVE-2017-1447 (IBM Emptoris Sourcing 9.5 - 10.1.3 is vulnerable to cross-site scripti ...) NOT-FOR-US: IBM CVE-2017-1446 (IBM Emptoris Spend Analysis 9.5.0.0 through 10.1.1 is vulnerable to cr ...) NOT-FOR-US: IBM CVE-2017-1445 (IBM Emptoris Spend Analysis 9.5.0.0 through 10.1.1 is vulnerable to cr ...) NOT-FOR-US: IBM CVE-2017-1444 (IBM Emptoris Sourcing 9.5 - 10.1.3 is vulnerable to cross-site scripti ...) NOT-FOR-US: IBM CVE-2017-1443 (IBM Emptoris Services Procurement 10.0.0.5 is vulnerable to cross-site ...) NOT-FOR-US: IBM CVE-2017-1442 (IBM Emptoris Services Procurement 10.0.0.5 is vulnerable to cross-site ...) NOT-FOR-US: IBM CVE-2017-1441 (IBM Emptoris Services Procurement 10.0.0.5 could allow a local user to ...) NOT-FOR-US: IBM CVE-2017-1440 (IBM Emptoris Services Procurement 10.0.0.5 could allow a remote attack ...) NOT-FOR-US: IBM CVE-2017-1439 (IBM DB2 for Linux, UNIX and Windows 9.7, 10,1, 10.5, and 11.1 (include ...) NOT-FOR-US: IBM CVE-2017-1438 (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1 (include ...) NOT-FOR-US: IBM CVE-2017-1437 RESERVED CVE-2017-1436 RESERVED CVE-2017-1435 RESERVED CVE-2017-1434 (IBM DB2 for Linux, UNIX and Windows 11.1 (includes DB2 Connect Server) ...) NOT-FOR-US: IBM CVE-2017-1433 (IBM WebSphere MQ 7.5, 8.0, and 9.0 could allow an authenticated user t ...) NOT-FOR-US: IBM CVE-2017-1432 RESERVED CVE-2017-1431 (IBM InfoSphere Streams 4.0, 4.1, and 4.2 is vulnerable to cross-site s ...) NOT-FOR-US: IBM CVE-2017-1430 RESERVED CVE-2017-1429 (IBM RELM 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2017-1428 (IBM Cognos Analytics 11.0 could allow a remote attacker to hijack the ...) NOT-FOR-US: IBM CVE-2017-1427 (IBM Cognos Analytics 11.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2017-1426 RESERVED CVE-2017-1425 (IBM Business Process Manager 8.0.1.1 and 8.5.7 is vulnerable to cross- ...) NOT-FOR-US: IBM CVE-2017-1424 (IBM Business Process Manager 8.5.7 is vulnerable to cross-site scripti ...) NOT-FOR-US: IBM CVE-2017-1423 (IBM WebSphere Portal 8.5 and 9.0 exposes backend server URLs that are ...) NOT-FOR-US: IBM WebSphere Portal CVE-2017-1422 (IBM MaaS360 DTM all versions up to 3.81 does not perform proper verifi ...) NOT-FOR-US: IBM CVE-2017-1421 (IBM iNotes is vulnerable to cross-site scripting. This vulnerability a ...) NOT-FOR-US: IBM iNotes CVE-2017-1420 RESERVED CVE-2017-1419 RESERVED CVE-2017-1418 (IBM Integration Bus 9.0.0.0, 9.0.0.11, 10.0.0.0, and 10.0.0.14 (includ ...) NOT-FOR-US: IBM CVE-2017-1417 RESERVED CVE-2017-1416 RESERVED CVE-2017-1415 RESERVED CVE-2017-1414 RESERVED CVE-2017-1413 RESERVED CVE-2017-1412 (IBM Security Identity Governance Virtual Appliance 5.2 through 5.2.3.2 ...) NOT-FOR-US: IBM CVE-2017-1411 (IBM Security Identity Governance Virtual Appliance 5.2 through 5.2.3.2 ...) NOT-FOR-US: IBM CVE-2017-1410 RESERVED CVE-2017-1409 (IBM Security Identity Governance Virtual Appliance 5.2 through 5.2.3.2 ...) NOT-FOR-US: IBM CVE-2017-1408 RESERVED CVE-2017-1407 (IBM Security Identity Manager Virtual Appliance 6.0 and 7.0 could allo ...) NOT-FOR-US: IBM CVE-2017-1406 RESERVED CVE-2017-1405 (IBM Security Identity Manager Virtual Appliance 7.0 processes patches, ...) NOT-FOR-US: IBM Security Identity Manager Virtual Appliance CVE-2017-1404 RESERVED CVE-2017-1403 RESERVED CVE-2017-1402 RESERVED CVE-2017-1401 RESERVED CVE-2017-1400 RESERVED CVE-2017-1399 RESERVED CVE-2017-1398 (IBM WebSphere Commerce Enterprise, Professional, Express, and Develope ...) NOT-FOR-US: IBM CVE-2017-1397 RESERVED CVE-2017-1396 (IBM Security Identity Governance Virtual Appliance 5.2 through 5.2.3.2 ...) NOT-FOR-US: IBM CVE-2017-1395 (IBM Security Identity Governance and Intelligence Virtual Appliance 5. ...) NOT-FOR-US: IBM CVE-2017-1394 RESERVED CVE-2017-1393 RESERVED CVE-2017-1392 RESERVED CVE-2017-1391 RESERVED CVE-2017-1390 RESERVED CVE-2017-1389 RESERVED CVE-2017-1388 RESERVED CVE-2017-1387 RESERVED CVE-2017-1386 (IBM API Connect 5.0.0.0 could allow a user to bypass policy restrictio ...) NOT-FOR-US: IBM CVE-2017-1385 RESERVED CVE-2017-1384 RESERVED CVE-2017-1383 (IBM InfoSphere Information Server 9.1, 11.3, and 11.5 is vulnerable to ...) NOT-FOR-US: IBM CVE-2017-1382 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 might create f ...) NOT-FOR-US: IBM CVE-2017-1381 (IBM WebSphere Application Server Proxy Server or On-demand-router (ODR ...) NOT-FOR-US: IBM CVE-2017-1380 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable ...) NOT-FOR-US: IBM CVE-2017-1379 (IBM API Connect 5.0.0.0 could allow a remote attacker to obtain sensit ...) NOT-FOR-US: IBM CVE-2017-1378 (IBM Spectrum Protect 7.1 and 8.1 (formerly Tivoli Storage Manager) dis ...) NOT-FOR-US: IBM CVE-2017-1377 (IBM Runbook Automation reveals sensitive information in error messages ...) NOT-FOR-US: IBM CVE-2017-1376 (A flaw in the IBM J9 VM class verifier allows untrusted code to disabl ...) NOT-FOR-US: IBM JDK CVE-2017-1375 (IBM System Storage Storwize V7000 Unified (V7000U) 1.5 and 1.6 uses we ...) NOT-FOR-US: IBM CVE-2017-1374 (Sensitive data can be exposed in the IBM TRIRIGA Application Platform ...) NOT-FOR-US: IBM CVE-2017-1373 (Reports executed in the IBM TRIRIGA Application Platform 3.3, 3.4, and ...) NOT-FOR-US: IBM CVE-2017-1372 (IBM TRIRIGA Application Platform 3.3, 3.4, and 3.5 is vulnerable to cr ...) NOT-FOR-US: IBM CVE-2017-1371 (Builder tools running in the IBM TRIRIGA Application Platform 3.3, 3.4 ...) NOT-FOR-US: IBM CVE-2017-1370 (IBM Jazz Reporting Service (JRS) 5.0 and 6.0 could disclose sensitive ...) NOT-FOR-US: IBM CVE-2017-1369 (IBM RELM 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2017-1368 (IBM Security Identity Governance Virtual Appliance 5.2 through 5.2.3.2 ...) NOT-FOR-US: IBM CVE-2017-1367 (IBM Security Identity Governance and Intelligence Virtual Appliance 5. ...) NOT-FOR-US: IBM CVE-2017-1366 (IBM Security Identity Governance Virtual Appliance 5.2 through 5.2.3.2 ...) NOT-FOR-US: IBM CVE-2017-1365 (IBM Team Concert (RTC including IBM Rational Collaborative Lifecycle M ...) NOT-FOR-US: IBM Team Concert CVE-2017-1364 (IBM RELM 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2017-1363 (IBM Team Concert (RTC) is vulnerable to cross-site scripting. This vul ...) NOT-FOR-US: IBM CVE-2017-1362 (IBM Security Identity Manager Adapters 6.0 and 7.0 stores user credent ...) NOT-FOR-US: IBM CVE-2017-1361 RESERVED CVE-2017-1360 RESERVED CVE-2017-1359 (IBM RELM 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2017-1358 RESERVED CVE-2017-1357 (IBM Maximo Asset Management 7.5 and 7.6 could allow an authenticated u ...) NOT-FOR-US: IBM CVE-2017-1356 (IBM Atlas eDiscovery Process Management 6.0.3 is vulnerable to SQL inj ...) NOT-FOR-US: IBM CVE-2017-1355 (IBM Atlas eDiscovery Process Management 6.0.3 stores sensitive informa ...) NOT-FOR-US: IBM CVE-2017-1354 (IBM Atlas eDiscovery Process Management 6.0.3 is vulnerable to cross-s ...) NOT-FOR-US: IBM CVE-2017-1353 (IBM Atlas eDiscovery Process Management 6.0.3 could allow an authentic ...) NOT-FOR-US: IBM CVE-2017-1352 (IBM Maximo Asset Management 7.5 and 7.6 could allow an authenticated u ...) NOT-FOR-US: IBM CVE-2017-1351 RESERVED CVE-2017-1350 (IBM InfoSphere Information Server 9.1, 11.3, 11.5, and 11.7 could allo ...) NOT-FOR-US: IBM InfoSphere Information Server CVE-2017-1349 (IBM Sterling B2B Integrator Standard Edition 5.2 stores potentially se ...) NOT-FOR-US: IBM CVE-2017-1348 (IBM Sterling B2B Integrator Standard Edition 5.2 is vulnerable to cros ...) NOT-FOR-US: IBM CVE-2017-1347 (IBM Sterling B2B Integrator Standard Edition 5.2 is vulnerable to SQL ...) NOT-FOR-US: IBM CVE-2017-1346 (IBM Business Process Manager 7.5, 8.0, and 8.5 temporarily stores file ...) NOT-FOR-US: IBM CVE-2017-1345 (IBM Insights Foundation for Energy 2.0 is vulnerable to cross-site scr ...) NOT-FOR-US: IBM CVE-2017-1344 RESERVED CVE-2017-1343 RESERVED CVE-2017-1342 (IBM Insights Foundation for Energy 2.0 could reveal sensitive informat ...) NOT-FOR-US: IBM CVE-2017-1341 (IBM WebSphere MQ 8.0 and 9.0 could allow, under special circumstances, ...) NOT-FOR-US: IBM CVE-2017-1340 (IBM Jazz Reporting Service (JRS) 6.0.4 could allow an authenticated us ...) NOT-FOR-US: IBM CVE-2017-1339 (IBM Spectrum Protect 7.1 and 8.1 (formerly Tivoli Storage Manager) Ser ...) NOT-FOR-US: IBM CVE-2017-1338 (IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0, and 6.0 is vulnerable to ...) NOT-FOR-US: IBM CVE-2017-1337 (IBM WebSphere MQ 9.0.1 and 9.0.2 Java/JMS application can incorrectly ...) NOT-FOR-US: IBM CVE-2017-1336 (IBM Infosphere BigInsights 4.2.0 could allow an attacker to inject cod ...) NOT-FOR-US: IBM CVE-2017-1335 (IBM RELM 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2017-1334 (IBM RELM 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2017-1333 (IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 could allow an unauthenti ...) NOT-FOR-US: IBM CVE-2017-1332 (IBM iNotes 8.5 and 9.0 is vulnerable to cross-site scripting. This vul ...) NOT-FOR-US: IBM CVE-2017-1331 (IBM Content Navigator 2.0.3 and 3.0.0 is vulnerable to cross-site scri ...) NOT-FOR-US: IBM CVE-2017-1330 RESERVED CVE-2017-1329 (IBM Quality Manager (RQM) 5.0.x and 6.0 through 6.0.5 are vulnerable t ...) NOT-FOR-US: IBM Quality Manager CVE-2017-1328 (IBM API Connect 5.0.0.0 - 5.0.6.0 could allow a remote attacker to byp ...) NOT-FOR-US: IBM CVE-2017-1327 (IBM iNotes 8.5 and 9.0 is vulnerable to cross-site scripting. This vul ...) NOT-FOR-US: IBM CVE-2017-1326 (IBM Sterling File Gateway does not properly restrict user requests bas ...) NOT-FOR-US: IBM CVE-2017-1325 (IBM iNotes 8.5 and 9.0 is vulnerable to cross-site scripting. This vul ...) NOT-FOR-US: IBM CVE-2017-1324 (IBM RELM 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2017-1323 RESERVED CVE-2017-1322 (IBM API Connect 5.0.6.0 is vulnerable to an XML External Entity Inject ...) NOT-FOR-US: IBM CVE-2017-1321 (IBM InfoSphere Information Server 9.1, 11.3, and 11.5 is vulnerable to ...) NOT-FOR-US: IBM CVE-2017-1320 (IBM Tivoli Federated Identity Manager 6.2 is vulnerable to cross-site ...) NOT-FOR-US: IBM CVE-2017-1319 (IBM Tivoli Federated Identity Manager 6.2 is affected by a vulnerabili ...) NOT-FOR-US: IBM CVE-2017-1318 (IBM MQ Appliance 8.0 and 9.0 could allow an authenticated messaging ad ...) NOT-FOR-US: IBM CVE-2017-1317 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1316 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1315 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1314 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1313 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1312 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1311 (IBM Insights Foundation for Energy 2.0 is vulnerable to SQL injection. ...) NOT-FOR-US: IBM CVE-2017-1310 (IBM Informix Dynamic Server 12.1 could allow an authenticated user to ...) NOT-FOR-US: IBM CVE-2017-1309 (IBM InfoSphere Master Data Management Server 11.0 - 11.6 stores user c ...) NOT-FOR-US: IBM CVE-2017-1308 (IBM Daeja ViewONE Professional, Standard & Virtual 4.1.5.1 and 5.0 ...) NOT-FOR-US: IBM CVE-2017-1307 RESERVED CVE-2017-1306 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1305 (IBM DOORS Next Generation (DNG/RRC) 6.0.2 and 6.0.3 is vulnerable to c ...) NOT-FOR-US: IBM CVE-2017-1304 (IBM has identified a vulnerability with IBM Spectrum Scale/GPFS utiliz ...) NOT-FOR-US: IBM CVE-2017-1303 (IBM WebSphere Portal and Web Content Manager 7.0, 8.0, 8.5, and 9.0 is ...) NOT-FOR-US: IBM CVE-2017-1302 (IBM Sterling B2B Integrator Standard Edition 5.2 could allow a local u ...) NOT-FOR-US: IBM CVE-2017-1301 (IBM Spectrum Protect 7.1 and 8.1 could allow a local attacker to launc ...) NOT-FOR-US: IBM CVE-2017-1300 (IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 is vulnerable to cross-si ...) NOT-FOR-US: IBM CVE-2017-1299 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1298 REJECTED CVE-2017-1297 (IBM DB2 for Linux, UNIX and Windows 9.2, 10.1, 10.5, and 11.1 (include ...) NOT-FOR-US: IBM CVE-2017-1296 RESERVED CVE-2017-1295 (IBM RSA DM contains unspecified vulnerability in CLM Applications with ...) NOT-FOR-US: IBM CVE-2017-1294 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1293 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1292 (IBM Maximo Asset Management 7.5 and 7.6 generates error messages that ...) NOT-FOR-US: IBM CVE-2017-1291 (IBM Maximo Asset Management 7.5 and 7.6 is vulnerable to HTTP response ...) NOT-FOR-US: IBM CVE-2017-1290 (IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 is vulnerable to cross-si ...) NOT-FOR-US: IBM CVE-2017-1289 (IBM SDK, Java Technology Edition is vulnerable XML External Entity Inj ...) NOT-FOR-US: IBM JDK CVE-2017-1288 RESERVED CVE-2017-1287 (IBM Rhapsody DM 5.0 and 6.0 could allow a remote attacker to conduct p ...) NOT-FOR-US: IBM CVE-2017-1286 (Sensitive information about the configuration of the IBM UrbanCode Dep ...) NOT-FOR-US: IBM UrbanCode Deploy CVE-2017-1285 (IBM WebSphere MQ 9.0.1 and 9.0.2 could allow an authenticated user wit ...) NOT-FOR-US: IBM CVE-2017-1284 (IBM WebSphere MQ 9.0.1 and 9.0.2 could allow a local user with ability ...) NOT-FOR-US: IBM CVE-2017-1283 (IBM WebSphere MQ 8.0 and 9.0 could allow an authenticated user to caus ...) NOT-FOR-US: IBM CVE-2017-1282 (IBM Content Navigator & CMIS 2.0 and 3.0 is vulnerable to cross-si ...) NOT-FOR-US: IBM CVE-2017-1281 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1280 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1279 (IBM Tealeaf Customer Experience 8.7, 8.8, and 9.0.2 could allow a remo ...) NOT-FOR-US: IBM Tealeaf Customer Experience CVE-2017-1278 (IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0 and 6.0 is vulnerable to ...) NOT-FOR-US: IBM CVE-2017-1277 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1276 (IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0 and 6.0 is vulnerable to ...) NOT-FOR-US: IBM CVE-2017-1275 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1274 (IBM Domino 8.5.3, and 9.0 is vulnerable to a stack based overflow in t ...) NOT-FOR-US: IBM CVE-2017-1273 RESERVED CVE-2017-1272 (IBM Security Guardium 10.0 and 10.5 stores sensitive information in UR ...) NOT-FOR-US: IBM CVE-2017-1271 (IBM Security Guardium 9.0, 9.1, and 9.5 supports interaction between m ...) NOT-FOR-US: IBM CVE-2017-1270 (IBM Security Guardium 10.0 does not renew a session variable after a s ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1269 (IBM Security Guardium 10.0 and 10.1 is vulnerable to SQL injection. A ...) NOT-FOR-US: IBM CVE-2017-1268 (IBM Security Guardium 10 and 10.5 uses a one-way cryptographic hash ag ...) NOT-FOR-US: IBM CVE-2017-1267 (IBM Security Guardium 10.0 and 10.1 processes patches, image backups a ...) NOT-FOR-US: IBM CVE-2017-1266 (IBM Security Guardium 10.0 specifies permissions for a security-critic ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1265 (IBM Security Guardium 10.0, 10.0.1, 10.1, 10.1.2, 10.1.3, 10.1.4, and ...) NOT-FOR-US: IBM CVE-2017-1264 (IBM Security Guardium 10.0 does not prove or insufficiently proves tha ...) NOT-FOR-US: IBM CVE-2017-1263 RESERVED CVE-2017-1262 (IBM Security Guardium 10.0 is vulnerable to HTTP response splitting at ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1261 (IBM Security Guardium 10.0 stores potentially sensitive information in ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1260 RESERVED CVE-2017-1259 RESERVED CVE-2017-1258 (IBM Security Guardium 10.0 and 10.1 does not perform an authentication ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1257 (IBM Security Guardium 10.0 discloses sensitive information to unauthor ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1256 (IBM Security Guardium 10.0, 10.1 is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1255 (IBM Security Guardium 10.0, 10.0.1, and 10.1 through 10.1.4 uses weake ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1254 (IBM Security Guardium 10.0 is vulnerable to a XML External Entity Inje ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1253 (IBM Security Guardium 10.0 could allow a remote authenticated attacker ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1252 RESERVED CVE-2017-1251 (An undisclosed vulnerability in CLM applications may result in some ad ...) NOT-FOR-US: IBM CVE-2017-1250 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1249 (IBM Rhapsody DM 5.0 and 6.0 is vulnerable to cross-site scripting. Thi ...) NOT-FOR-US: IBM CVE-2017-1248 (IBM Quality Manager (RQM) 5.0.x and 6.0 through 6.0.5 are vulnerable t ...) NOT-FOR-US: IBM Quality Manager CVE-2017-1247 (IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0 and 6.0 is vulnerable to ...) NOT-FOR-US: IBM CVE-2017-1246 RESERVED CVE-2017-1245 (IBM Rational Software Architect Design Manager 5.0 and 6.0 is vulnerab ...) NOT-FOR-US: IBM CVE-2017-1244 RESERVED CVE-2017-1243 RESERVED CVE-2017-1242 (IBM Quality Manager (RQM) 5.0.x and 6.0 through 6.0.5 are vulnerable t ...) NOT-FOR-US: IBM Quality Manager CVE-2017-1241 (An unspecified vulnerability in IBM Jazz Foundation based applications ...) NOT-FOR-US: IBM CVE-2017-1240 (IBM Rhapsody DM products could reveal sensitive information in HTTP 50 ...) NOT-FOR-US: IBM CVE-2017-1239 (IBM Quality Manager (RQM) 5.0.x and 6.0 through 6.0.5 could reveal sen ...) NOT-FOR-US: IBM Quality Manager CVE-2017-1238 (IBM Quality Manager (RQM) 5.0.x and 6.0 through 6.0.5 are vulnerable t ...) NOT-FOR-US: IBM Quality Manager CVE-2017-1237 (IBM Jazz based applications are vulnerable to cross-site scripting. Th ...) NOT-FOR-US: IBM CVE-2017-1236 (IBM WebSphere MQ 9.0.2 could allow an authenticated user to potentiall ...) NOT-FOR-US: IBM CVE-2017-1235 (IBM WebSphere MQ 8.0 could allow an authenticated user to cause a prem ...) NOT-FOR-US: IBM CVE-2017-1234 (IBM QRadar 7.2 and 7.3 is vulnerable to cross-site scripting. This vul ...) NOT-FOR-US: IBM CVE-2017-1233 (IBM Remote Control v9 could allow a local user to use the component to ...) NOT-FOR-US: IBM Remote Control CVE-2017-1232 (IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) transmit ...) NOT-FOR-US: IBM Tivoli Endpoint Manager CVE-2017-1231 (IBM BigFix Platform 9.5 - 9.5.9 stores user credentials in plain in cl ...) NOT-FOR-US: IBM CVE-2017-1230 (IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) uses ins ...) NOT-FOR-US: IBM Tivoli Endpoint Manager CVE-2017-1229 (IBM Tivoli Endpoint Manager (IBM BigFix 9.2 and 9.5) could allow a rem ...) NOT-FOR-US: IBM CVE-2017-1228 (IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) could al ...) NOT-FOR-US: IBM Tivoli Endpoint Manager CVE-2017-1227 (IBM Tivoli Endpoint Manager could allow a unauthorized user to consume ...) NOT-FOR-US: IBM CVE-2017-1226 (IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) generate ...) NOT-FOR-US: IBM Tivoli Endpoint Manager CVE-2017-1225 (IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) stores s ...) NOT-FOR-US: IBM Tivoli Endpoint Manager CVE-2017-1224 (IBM Tivoli Endpoint Manager uses weaker than expected cryptographic al ...) NOT-FOR-US: IBM CVE-2017-1223 (IBM Tivoli Endpoint Manager could allow a remote attacker to conduct p ...) NOT-FOR-US: IBM CVE-2017-1222 (IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) does not ...) NOT-FOR-US: IBM Tivoli Endpoint Manager CVE-2017-1221 (IBM Tivoli Endpoint Manager (IBM BigFix 9.2 and 9.5) does not require ...) NOT-FOR-US: IBM CVE-2017-1220 (IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) disclose ...) NOT-FOR-US: IBM Tivoli Endpoint Manager CVE-2017-1219 (IBM Tivoli Endpoint Manager is vulnerable to a XML External Entity Inj ...) NOT-FOR-US: IBM CVE-2017-1218 (IBM Tivoli Endpoint Manager is vulnerable to cross-site request forger ...) NOT-FOR-US: IBM CVE-2017-1217 (IBM WebSphere Portal 8.5 and 9.0 is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM CVE-2017-1216 RESERVED CVE-2017-1215 RESERVED CVE-2017-1214 (IBM iNotes 8.5 and 9.0 could allow a remote attacker to send a malform ...) NOT-FOR-US: IBM CVE-2017-1213 RESERVED CVE-2017-1212 (IBM Daeja ViewONE Professional, Standard & Virtual 4.1.5.1 and 5.0 ...) NOT-FOR-US: IBM CVE-2017-1211 (IBM Daeja ViewONE Professional, Standard & Virtual 4.1.5.1 and 5.0 ...) NOT-FOR-US: IBM CVE-2017-1210 (IBM Daeja ViewONE Professional, Standard & Virtual 4.1.5.1 and 5.0 ...) NOT-FOR-US: IBM CVE-2017-1209 (IBM Daeja ViewONE Professional, Standard & Virtual 4.1.5.1 and 5.0 ...) NOT-FOR-US: IBM CVE-2017-1208 (IBM Maximo Asset Management 7.1, 7.5, and 7.6 is vulnerable to cross-s ...) NOT-FOR-US: IBM CVE-2017-1207 (IBM WebSphere Message Broker stores user credentials in plain in clear ...) NOT-FOR-US: IBM CVE-2017-1206 RESERVED CVE-2017-1205 (IBM Platform LSF 10.1 contains an unspecified vulnerability that could ...) NOT-FOR-US: IBM CVE-2017-1204 (IBM Tealeaf Customer Experience 8.7, 8.8, and 9.0.2 contains hard-code ...) NOT-FOR-US: IBM Tealeaf Customer Experience CVE-2017-1203 (IBM Tivoli Endpoint Manager (for Lifecycle/Power/Patch) Platform and A ...) NOT-FOR-US: IBM CVE-2017-1202 (IBM BigFix Compliance 1.7 through 1.9.91 (TEMA SUAv1 SCA SCM) is vulne ...) NOT-FOR-US: IBM CVE-2017-1201 (IBM BigFix Compliance Analytics 1.9.79 (TEMA SUAv1 SCA SCM) stores use ...) NOT-FOR-US: IBM CVE-2017-1200 (IBM BigFix Compliance 1.7 through 1.9.91 (TEMA SUAv1 SCA SCM) does not ...) NOT-FOR-US: IBM CVE-2017-1199 (IBM InfoSphere Master Data Management Server 10.0, 11.0, 11.3, 11.4, 1 ...) NOT-FOR-US: IBM CVE-2017-1198 (IBM BigFix Compliance 1.7 through 1.9.91 (TEMA SUAv1 SCA SCM) stores s ...) NOT-FOR-US: IBM CVE-2017-1197 (IBM BigFix Compliance (TEMA SUAv1 SCA SCM) uses an inadequate account ...) NOT-FOR-US: IBM CVE-2017-1196 (IBM BigFix Compliance (TEMA SUAv1 SCA SCM) 1.9.70 does not require tha ...) NOT-FOR-US: IBM CVE-2017-1195 (IBM Curam Social Program Management 6.0, 6.1, 6.2, and 7.0 could allow ...) NOT-FOR-US: IBM CVE-2017-1194 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable ...) NOT-FOR-US: IBM CVE-2017-1193 (IBM Sterling B2B Integrator Standard Edition 5.2 could allow user to o ...) NOT-FOR-US: IBM CVE-2017-1192 (IBM Sterling B2B Integrator 5.2 is vulnerable to an XML External Entit ...) NOT-FOR-US: IBM CVE-2017-1191 (An undisclosed vulnerability in CLM applications (including IBM Ration ...) NOT-FOR-US: IBM Rational Collaborative Lifecycle Management CVE-2017-1190 (IBM Emptoris Strategic Supply Management Platform 10.x and 10.1 could ...) NOT-FOR-US: IBM CVE-2017-1189 (IBM WebSphere Portal and Web Content Manager 6.1, 7.0, and 8.0 is vuln ...) NOT-FOR-US: IBM CVE-2017-1188 RESERVED CVE-2017-1187 RESERVED CVE-2017-1186 RESERVED CVE-2017-1185 RESERVED CVE-2017-1184 RESERVED CVE-2017-1183 (IBM Tivoli Monitoring Portal v6 could allow a local (network adjacent) ...) NOT-FOR-US: IBM CVE-2017-1182 (IBM Tivoli Monitoring Portal v6 could allow a local (network adjacent) ...) NOT-FOR-US: Oracle Primavera CVE-2017-1181 (IBM Tivoli Monitoring Portal V6 client could allow a local attacker to ...) NOT-FOR-US: IBM CVE-2017-1180 (The IBM TRIRIGA Document Manager contains a vulnerability that could a ...) NOT-FOR-US: IBM TRIRIGA Document Manager CVE-2017-1179 (IBM BigFix Compliance Analytics 1.9.79 uses weaker than expected crypt ...) NOT-FOR-US: IBM CVE-2017-1178 (IBM Endpoint Manager for Security and Compliance 1.9.70 is vulnerable ...) NOT-FOR-US: IBM CVE-2017-1177 (IBM BigFix Compliance 1.7 through 1.9.91 discloses sensitive informati ...) NOT-FOR-US: IBM CVE-2017-1176 (IBM Maximo Asset Management 7.1, 7.5, and 7.6 could allow a local user ...) NOT-FOR-US: IBM CVE-2017-1175 (IBM Maximo Asset Management 7.1, 7.5, and 7.6 is vulnerable to SQL inj ...) NOT-FOR-US: IBM CVE-2017-1174 (IBM Sterling B2B Integrator Standard Edition 5.2 is vulnerable to SQL ...) NOT-FOR-US: IBM CVE-2017-1173 RESERVED CVE-2017-1172 RESERVED CVE-2017-1171 (The IBM TRIRIGA Application Platform 3.3, 3,4, and 3,5 contain a vulne ...) NOT-FOR-US: IBM CVE-2017-1170 (IBM WebSphere Commerce Enterprise, Professional, Express, and Develope ...) NOT-FOR-US: IBM CVE-2017-1169 (IBM DOORS next Generation (DNG/RRC) is vulnerable to cross-site script ...) NOT-FOR-US: IBM CVE-2017-1168 (IBM Rational Engineering Lifecycle Manager 4.0, 5.0, and 6.0 is vulner ...) NOT-FOR-US: IBM CVE-2017-1167 RESERVED CVE-2017-1166 RESERVED CVE-2017-1165 RESERVED CVE-2017-1164 (IBM Jazz Foundation is vulnerable to cross-site scripting. This vulner ...) NOT-FOR-US: IBM CVE-2017-1163 RESERVED CVE-2017-1162 (IBM QRadar 7.2 and 7.3 discloses sensitive information to unauthorized ...) NOT-FOR-US: IBM CVE-2017-1161 (IBM API Connect 5.0.6.0 could allow a remote attacker to execute arbit ...) NOT-FOR-US: IBM CVE-2017-1160 (IBM Financial Transaction Manager for ACH Services for Multi-Platform ...) NOT-FOR-US: IBM CVE-2017-1159 (IBM Business Process Manager 8.0 and 8.5 could allow a remote attacker ...) NOT-FOR-US: IBM CVE-2017-1158 RESERVED CVE-2017-1157 (IBM Jazz Reporting Service (JRS) 5.0 and 6.0 could allow an authentica ...) NOT-FOR-US: IBM CVE-2017-1156 (IBM WebSphere Portal 8.5 and 9.0 could allow a remote attacker to cond ...) NOT-FOR-US: IBM CVE-2017-1155 (IBM Algorithmics One-Algo Risk Application 4.9.1, 5.0, and 5.1.0 could ...) NOT-FOR-US: IBM CVE-2017-1154 (IBM Algorithmics One-Algo Risk Application 4.9.1, 5.0, and 5.1.0 could ...) NOT-FOR-US: IBM CVE-2017-1153 (IBM TRIRIGA Report Manager 3.2 through 3.5 contains a vulnerability th ...) NOT-FOR-US: IBM CVE-2017-1152 (IBM Financial Transaction Manager 3.0.1 and 3.0.2 does not properly up ...) NOT-FOR-US: IBM CVE-2017-1151 (IBM WebSphere Application Server 8.0, 8.5, 8.5.5, and 9.0 using OpenID ...) NOT-FOR-US: IBM CVE-2017-1150 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 10.1 ...) NOT-FOR-US: IBM CVE-2017-1149 (IBM UrbanCode Deploy (UCD) 6.0, 6.1, and 6.2 is vulnerable to a denial ...) NOT-FOR-US: IBM CVE-2017-1148 (IBM OpenPages GRC Platform 7.2 and 7.3 with OpenPages Loss Event Entry ...) NOT-FOR-US: IBM CVE-2017-1147 (IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 is vulnerable to cross-si ...) NOT-FOR-US: IBM CVE-2017-1146 (IBM Content Navigator 2.0.3 and 3.0.0 are vulnerable to cross-site scr ...) NOT-FOR-US: IBM CVE-2017-1145 (IBM WebSphere MQ 8.0.0.6 does not properly terminate channel agents wh ...) NOT-FOR-US: IBM CVE-2017-1144 (IBM WebSphere Message Broker could allow a local user with specialized ...) NOT-FOR-US: IBM CVE-2017-1143 (IBM Kenexa LCMS Premier on Cloud 9.x and 10.0 could allow a remote att ...) NOT-FOR-US: IBM CVE-2017-1142 (IBM Kenexa LCMS Premier on Cloud 9.x and 10.0 could allow a remote att ...) NOT-FOR-US: IBM CVE-2017-1141 (IBM Insights Foundation for Energy 1.0, 1.5, and 1.6 could allow an au ...) NOT-FOR-US: IBM CVE-2017-1140 (IBM Business Process Manager 8.0 and 8.5 are vulnerable to cross-site ...) NOT-FOR-US: IBM CVE-2017-1139 RESERVED CVE-2017-1138 RESERVED CVE-2017-1137 (IBM WebSphere Application Server 8.0 and 8.5.5 could provide weaker th ...) NOT-FOR-US: IBM CVE-2017-1136 RESERVED CVE-2017-1135 RESERVED CVE-2017-1134 (IBM Reliable Scalable Cluster Technology could allow a local user to e ...) NOT-FOR-US: IBM CVE-2017-1133 (IBM QRadar 7.2 is vulnerable to cross-site scripting. This vulnerabili ...) NOT-FOR-US: IBM CVE-2017-1132 (IBM Sterling B2B Integrator Standard Edition 5.2 is vulnerable to cros ...) NOT-FOR-US: IBM CVE-2017-1131 (IBM Sterling B2B Integrator Standard Edition 5.2 could allow an authen ...) NOT-FOR-US: IBM CVE-2017-1130 (IBM Notes 8.5 and 9.0 is vulnerable to a denial of service. If a user ...) NOT-FOR-US: IBM CVE-2017-1129 (IBM Notes 8.5 and 9.0 is vulnerable to a denial of service. If a user ...) NOT-FOR-US: IBM CVE-2017-1128 (IBM Rational DOORS Next Generation 4.0, 5.0, and 6.0 is vulnerable to ...) NOT-FOR-US: IBM CVE-2017-1127 (IBM Rational DOORS Next Generation 4.0, 5.0 and 6.0 is vulnerable to c ...) NOT-FOR-US: IBM CVE-2017-1126 (IBM WebSphere Message Broker (IBM Integration Bus 9.0 and 10.0) could ...) NOT-FOR-US: IBM CVE-2017-1125 (IBM Cognos Analytics 10.1 and 10.2 could allow a local user to craft a ...) NOT-FOR-US: IBM CVE-2017-1124 (IBM Maximo Asset Management 7.1, 7.5, and 7.6 could allow a local atta ...) NOT-FOR-US: IBM CVE-2017-1123 RESERVED CVE-2017-1122 (IBM Security Guardium 8.2, 9.0, and 10.0 contains a vulnerability that ...) NOT-FOR-US: IBM CVE-2017-1121 (IBM WebSphere Application Server 7.0, 8.0, and 9.0 is vulnerable to cr ...) NOT-FOR-US: IBM CVE-2017-1120 (IBM WebSphere Portal 8.5 and 9.0 is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM CVE-2017-1119 (IBM Marketing Operations 9.1.0, 9.1.2, and 10.1 could allow a remote a ...) NOT-FOR-US: IBM CVE-2017-1118 (IBM WebSphere MQ Internet Pass-Thru 2.0 and 2.1 could allow n attacker ...) NOT-FOR-US: IBM CVE-2017-1117 (IBM WebSphere MQ 8.0 and 9.0 could allow an authenticated user to caus ...) NOT-FOR-US: IBM CVE-2017-1116 (IBM Campaign 8.6, 9.0, 9.1, 9.1.1, 9.1.2, and 10.0 contains excessive ...) NOT-FOR-US: IBM CVE-2017-1115 (IBM Campaign 9.1, 9.1.2, and 10 is vulnerable to HTML injection. A rem ...) NOT-FOR-US: IBM CVE-2017-1114 (IBM Campaign 9.1, 9.1.2, and 10 is vulnerable to cross-site scripting. ...) NOT-FOR-US: IBM CVE-2017-1113 (IBM Rational Team Concert (RTC) 4.0, 5.0 and 6.0 is vulnerable to cros ...) NOT-FOR-US: IBM CVE-2017-1112 RESERVED CVE-2017-1111 RESERVED CVE-2017-1110 (IBM Curam Social Program Management 6.0, 6.1, 6.2, and 7.0 contains an ...) NOT-FOR-US: IBM CVE-2017-1109 RESERVED CVE-2017-1108 RESERVED CVE-2017-1107 (IBM Marketing Platform 9.1.0, 9.1.2, 10.0, and 10.1 exposes sensitive ...) NOT-FOR-US: IBM CVE-2017-1106 (IBM Curam Social Program Management 5.2, 6.0, and 7.0 is vulnerable to ...) NOT-FOR-US: IBM CVE-2017-1105 (IBM DB2 for Linux, UNIX and Windows 9.2, 10.1, 10.5, and 11.1 (include ...) NOT-FOR-US: IBM CVE-2017-1104 (IBM Quality Manager (RQM) 4.0, 5.0, and 6.0 is vulnerable to cross-sit ...) NOT-FOR-US: IBM CVE-2017-1103 (IBM Team Concert (RTC) is vulnerable to a denial of service, caused by ...) NOT-FOR-US: IBM CVE-2017-1102 (IBM Quality Manager (RQM) 4.0, 5.0, and 6.0 is vulnerable to cross-sit ...) NOT-FOR-US: IBM CVE-2017-1101 (IBM Quality Manager (RQM) 4.0, 5.0, and 6.0 is vulnerable to cross-sit ...) NOT-FOR-US: IBM CVE-2017-1100 (IBM Quality Manager (RQM) 4.0, 5.0, and 6.0 is vulnerable to cross-sit ...) NOT-FOR-US: IBM CVE-2017-1099 (IBM Jazz Foundation could expose potentially sensitive information to ...) NOT-FOR-US: IBM CVE-2017-1098 (IBM Emptoris Supplier Lifecycle Management 10.1.0.x is vulnerable to c ...) NOT-FOR-US: IBM CVE-2017-1097 (IBM Emptoris Strategic Supply Management Platform 10.0.0.x through 10. ...) NOT-FOR-US: IBM CVE-2017-1096 (IBM Jazz Reporting Service (JRS) 5.0 and 6.0 is vulnerable to cross-si ...) NOT-FOR-US: IBM CVE-2017-1095 RESERVED CVE-2017-1094 RESERVED CVE-2017-1093 (IBM AIX 6.1, 7.1, and 7.2 could allow a local user to exploit a vulner ...) NOT-FOR-US: IBM AIX CVE-2017-1092 (IBM Informix Open Admin Tool 11.5, 11.7, and 12.1 could allow an unaut ...) NOT-FOR-US: IBM CVE-2017-1091 RESERVED CVE-2017-1090 REJECTED CVE-2017-1089 REJECTED CVE-2017-1088 (In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p4, 11.0-RELEASE-p15, 10.4 ...) - kfreebsd-10 (unimportant) NOTE: kfreebsd not covered by security support CVE-2017-1087 (In FreeBSD 10.x before 10.4-STABLE, 10.4-RELEASE-p3, and 10.3-RELEASE- ...) - kfreebsd-10 (unimportant) NOTE: kfreebsd not covered by security support CVE-2017-1086 (In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p4, 11.0-RELEASE-p15, 10.4 ...) - kfreebsd-10 (unimportant) NOTE: kfreebsd not covered by security support CVE-2017-1085 (In FreeBSD before 11.2-RELEASE, an application which calls setrlimit() ...) - kfreebsd-10 (unimportant) NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt NOTE: kfreebsd not covered by security support CVE-2017-1084 (In FreeBSD before 11.2-RELEASE, multiple issues with the implementatio ...) - kfreebsd-10 (unimportant) NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt NOTE: kfreebsd not covered by security support CVE-2017-1083 (In FreeBSD before 11.2-RELEASE, a stack guard-page is available but is ...) - kfreebsd-10 (unimportant) NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt NOTE: kfreebsd not covered by security support CVE-2017-1082 (In FreeBSD 11.x before 11.1-RELEASE and 10.x before 10.4-RELEASE, the ...) - kfreebsd-10 (unimportant) NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt NOTE: kfreebsd not covered by security support CVE-2017-1081 (In FreeBSD before 11.0-STABLE, 11.0-RELEASE-p10, 10.3-STABLE, and 10.3 ...) - kfreebsd-10 (unimportant) NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-17:04.ipfilter.asc NOTE: kfreebsd not covered by security support CVE-2017-1080 RESERVED CVE-2017-1079 RESERVED CVE-2017-1078 RESERVED CVE-2017-1077 RESERVED CVE-2017-1076 RESERVED CVE-2017-1075 RESERVED CVE-2017-1074 RESERVED CVE-2017-1073 RESERVED CVE-2017-1072 RESERVED CVE-2017-1071 RESERVED CVE-2017-1070 RESERVED CVE-2017-1069 RESERVED CVE-2017-1068 RESERVED CVE-2017-1067 RESERVED CVE-2017-1066 RESERVED CVE-2017-1065 RESERVED CVE-2017-1064 RESERVED CVE-2017-1063 RESERVED CVE-2017-1062 RESERVED CVE-2017-1061 RESERVED CVE-2017-1060 RESERVED CVE-2017-1059 RESERVED CVE-2017-1058 RESERVED CVE-2017-1057 RESERVED CVE-2017-1056 RESERVED CVE-2017-1055 RESERVED CVE-2017-1054 RESERVED CVE-2017-1053 RESERVED CVE-2017-1052 RESERVED CVE-2017-1051 RESERVED CVE-2017-1050 RESERVED CVE-2017-1049 RESERVED CVE-2017-1048 RESERVED CVE-2017-1047 RESERVED CVE-2017-1046 RESERVED CVE-2017-1045 RESERVED CVE-2017-1044 RESERVED CVE-2017-1043 RESERVED CVE-2017-1042 RESERVED CVE-2017-1041 RESERVED CVE-2017-1040 RESERVED CVE-2017-1039 RESERVED CVE-2017-1038 RESERVED CVE-2017-1037 RESERVED CVE-2017-1036 RESERVED CVE-2017-1035 RESERVED CVE-2017-1034 RESERVED CVE-2017-1033 RESERVED CVE-2017-1032 RESERVED CVE-2017-1031 RESERVED CVE-2017-1030 RESERVED CVE-2017-1029 RESERVED CVE-2017-1028 RESERVED CVE-2017-1027 RESERVED CVE-2017-1026 RESERVED CVE-2017-1025 RESERVED CVE-2017-1024 RESERVED CVE-2017-1023 RESERVED CVE-2017-1022 RESERVED CVE-2017-1021 RESERVED CVE-2017-1020 RESERVED CVE-2017-1019 RESERVED CVE-2017-1018 RESERVED CVE-2017-1017 RESERVED CVE-2017-1016 RESERVED CVE-2017-1015 RESERVED CVE-2017-1014 RESERVED CVE-2017-1013 RESERVED CVE-2017-1012 RESERVED CVE-2017-1011 RESERVED CVE-2017-1010 RESERVED CVE-2017-1009 RESERVED CVE-2017-1008 RESERVED CVE-2017-1007 RESERVED CVE-2017-1006 RESERVED CVE-2017-1005 RESERVED CVE-2017-1004 RESERVED CVE-2017-1003 RESERVED CVE-2017-1002 RESERVED CVE-2017-1001 RESERVED CVE-2017-1000 RESERVED - linux 4.12.6-1 [stretch] - linux 4.9.30-2+deb9u4 [jessie] - linux 3.16.43-2+deb8u4 NOTE: https://git.kernel.org/linus/85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa NOTE: Same commit as for CVE-2017-1000112 and thus probably should be treated NOTE: as duplicate. Defer decision to MITRE. CVE-2017-0999 RESERVED CVE-2017-0998 RESERVED CVE-2017-0997 RESERVED CVE-2017-0996 RESERVED CVE-2017-0995 RESERVED CVE-2017-0994 RESERVED CVE-2017-0993 RESERVED CVE-2017-0992 RESERVED CVE-2017-0991 RESERVED CVE-2017-0990 RESERVED CVE-2017-0989 RESERVED CVE-2017-0988 RESERVED CVE-2017-0987 RESERVED CVE-2017-0986 RESERVED CVE-2017-0985 RESERVED CVE-2017-0984 RESERVED CVE-2017-0983 RESERVED CVE-2017-0982 RESERVED CVE-2017-0981 RESERVED CVE-2017-0980 RESERVED CVE-2017-0979 RESERVED CVE-2017-0978 RESERVED CVE-2017-0977 RESERVED CVE-2017-0976 RESERVED CVE-2017-0975 RESERVED CVE-2017-0974 RESERVED CVE-2017-0973 RESERVED CVE-2017-0972 RESERVED CVE-2017-0971 RESERVED CVE-2017-0970 RESERVED CVE-2017-0969 RESERVED CVE-2017-0968 RESERVED CVE-2017-0967 RESERVED CVE-2017-0966 RESERVED CVE-2017-0965 RESERVED CVE-2017-0964 RESERVED CVE-2017-0963 RESERVED CVE-2017-0962 RESERVED CVE-2017-0961 RESERVED CVE-2017-0960 RESERVED CVE-2017-0959 RESERVED CVE-2017-0958 RESERVED CVE-2017-0957 RESERVED CVE-2017-0956 RESERVED CVE-2017-0955 RESERVED CVE-2017-0954 RESERVED CVE-2017-0953 RESERVED CVE-2017-0952 RESERVED CVE-2017-0951 RESERVED CVE-2017-0950 RESERVED CVE-2017-0949 RESERVED CVE-2017-0948 RESERVED CVE-2017-0947 RESERVED CVE-2017-0946 RESERVED CVE-2017-0945 RESERVED CVE-2017-0944 RESERVED CVE-2017-0943 RESERVED CVE-2017-0942 RESERVED CVE-2017-0941 RESERVED CVE-2017-0940 RESERVED CVE-2017-0939 RESERVED CVE-2017-0938 (Denial of Service attack in airMAX < 8.3.2 , airMAX < 6.0.7 and ...) NOT-FOR-US: airMAX CVE-2017-0937 RESERVED CVE-2017-0936 (Nextcloud Server before 11.0.7 and 12.0.5 suffers from an Authorizatio ...) - nextcloud (bug #835086) CVE-2017-0935 (Ubiquiti Networks EdgeOS version 1.9.1.1 and prior suffer from an Impr ...) NOT-FOR-US: Ubiquiti Networks EdgeOS CVE-2017-0934 (Ubiquiti Networks EdgeOS version 1.9.1 and prior suffer from an Improp ...) NOT-FOR-US: Ubiquiti Networks EdgeOS CVE-2017-0933 (Ubiquiti Networks EdgeOS version 1.9.1 and prior suffer from a Cross-S ...) NOT-FOR-US: Ubiquiti Networks EdgeOS CVE-2017-0932 (Ubiquiti Networks EdgeOS version 1.9.1.1 and prior suffer from an Impr ...) NOT-FOR-US: Ubiquiti Networks EdgeOS CVE-2017-0931 (html-janitor node module suffers from a Cross-Site Scripting (XSS) vul ...) NOT-FOR-US: html-janitor node module CVE-2017-0930 (augustine node module suffers from a Path Traversal vulnerability due ...) NOT-FOR-US: augustine node module CVE-2017-0929 (DNN (aka DotNetNuke) before 9.2.0 suffers from a Server-Side Request F ...) NOT-FOR-US: DNN (aka DotNetNuke) CVE-2017-0928 (html-janitor node module suffers from an External Control of Critical ...) NOT-FOR-US: html-janitor node module CVE-2017-0927 (Gitlab Community Edition version 10.3 is vulnerable to an improper aut ...) - gitlab 10.5.5+dfsg-1 (bug #888508) [stretch] - gitlab (Doesn't affect 8.x) NOTE: https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ CVE-2017-0926 (Gitlab Community Edition version 10.3 is vulnerable to an improper aut ...) {DSA-4145-1} - gitlab 10.5.5+dfsg-1 (bug #888508) NOTE: https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ CVE-2017-0925 (Gitlab Enterprise Edition version 10.1.0 is vulnerable to an insuffici ...) {DSA-4145-1} - gitlab 10.5.5+dfsg-1 (bug #888508) NOTE: https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ CVE-2017-0924 (Gitlab Community Edition version 10.2.4 is vulnerable to lack of input ...) - gitlab 10.5.5+dfsg-1 [stretch] - gitlab (Only affects 9.0 and later) NOTE: https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ CVE-2017-0923 (Gitlab Community Edition version 9.1 is vulnerable to lack of input va ...) - gitlab 10.5.5+dfsg-1 (bug #888508) [stretch] - gitlab (Doesn't affect 8.x) NOTE: https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ CVE-2017-0922 (Gitlab Enterprise Edition version 10.3 is vulnerable to an authorizati ...) - gitlab 10.5.5+dfsg-1 [stretch] - gitlab (Only affects 9.1 and later) NOTE: https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ CVE-2017-0920 (GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10 ...) {DSA-4206-1} - gitlab 10.5.5+dfsg-1 NOTE: https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ CVE-2017-0919 (GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10 ...) - gitlab 10.5.5+dfsg-1 NOTE: https://hackerone.com/reports/301137 NOTE: Fixed in 10.1.6, 10.2.6, and 10.3.4 CVE-2017-0918 (Gitlab Community Edition version 10.3 is vulnerable to a path traversa ...) {DSA-4145-1} - gitlab 10.5.5+dfsg-1 (bug #888508) NOTE: https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ CVE-2017-0917 (Gitlab Community Edition version 10.2.4 is vulnerable to lack of input ...) {DSA-4145-1} - gitlab 10.5.5+dfsg-1 (bug #888508) NOTE: https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ CVE-2017-0916 (Gitlab Community Edition version 10.3 is vulnerable to a lack of input ...) {DSA-4145-1} - gitlab 10.5.5+dfsg-1 (bug #888508) NOTE: https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ NOTE: https://gitlab.com/gitlab-org/gitlab-ce/commit/7fc0a6fc096768a5604d6dd24d7d952e53300c82 CVE-2017-0915 (Gitlab Community Edition version 10.2.4 is vulnerable to a lack of inp ...) {DSA-4145-1} - gitlab 10.5.5+dfsg-1 (bug #888508) NOTE: https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ CVE-2017-0914 (Gitlab Community and Enterprise Editions version 10.1, 10.2, and 10.2. ...) - gitlab 10.5.5+dfsg-1 [stretch] - gitlab (Only affects 9.4 and later) NOTE: https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ CVE-2017-0913 (Ubiquiti UCRM versions 2.3.0 to 2.7.7 allow an authenticated user to r ...) NOT-FOR-US: Ubiquiti UCRM CVE-2017-0912 (Ubiquiti UCRM versions 2.5.0 to 2.7.7 are vulnerable to Stored Cross-s ...) NOT-FOR-US: Ubiquiti UCRM CVE-2017-0911 (Twitter Kit for iOS versions 3.0 to 3.2.1 is vulnerable to a callback ...) NOT-FOR-US: Twitter Kit for iOS CVE-2017-0910 (In Zulip Server before 1.7.1, on a server with multiple realms, a vuln ...) - zulip-server (bug #800052) CVE-2017-0909 (The private_address_check ruby gem before 0.4.1 is vulnerable to a byp ...) NOT-FOR-US: private_address_check ruby gem CVE-2017-0908 REJECTED CVE-2017-0907 (The Recurly Client .NET Library before 1.0.1, 1.1.10, 1.2.8, 1.3.2, 1. ...) NOT-FOR-US: Recurly Client .NET Library CVE-2017-0906 (The Recurly Client Python Library before 2.0.5, 2.1.16, 2.2.22, 2.3.1, ...) NOT-FOR-US: Recurly Client Python Library CVE-2017-0905 (The Recurly Client Ruby Library before 2.0.13, 2.1.11, 2.2.5, 2.3.10, ...) NOT-FOR-US: Recurly Client Ruby Library CVE-2017-0904 (The private_address_check ruby gem before 0.4.0 is vulnerable to a byp ...) NOT-FOR-US: private_address_check ruby gem CVE-2017-0903 (RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possibl ...) {DSA-4031-1 DLA-1421-1} - ruby2.3 2.3.5-1 (bug #879231) - ruby2.1 - ruby1.9.1 [wheezy] - ruby1.9.1 (Vulnerable code introduced later) - rubygems [wheezy] - rubygems (Vulnerable code introduced later) NOTE: http://www.openwall.com/lists/oss-security/2017/10/10/2 NOTE: https://justi.cz/security/2017/10/07/rubygems-org-rce.html NOTE: Fixed by: https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49 CVE-2017-0902 (RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking v ...) {DSA-3966-1 DLA-1421-1} - ruby2.3 2.3.3-1+deb9u1 (bug #873802) - ruby2.1 - ruby1.9.1 [wheezy] - ruby1.9.1 (Vulnerable code introduced later) - rubygems [wheezy] - rubygems (Vulnerable code introduced later) NOTE: https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/ NOTE: http://blog.rubygems.org/2017/08/27/2.6.13-released.html NOTE: For Ruby 2.3.4: https://bugs.ruby-lang.org/attachments/download/6691/rubygems-2613-ruby23.patch NOTE: For Ruby 2.2.7: https://bugs.ruby-lang.org/attachments/download/6690/rubygems-2613-ruby22.patch CVE-2017-0901 (RubyGems version 2.6.12 and earlier fails to validate specification na ...) {DSA-3966-1 DLA-1421-1 DLA-1114-1 DLA-1112-1} - ruby2.3 2.3.3-1+deb9u1 (bug #873802) - ruby2.1 - ruby1.9.1 - rubygems NOTE: https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/ NOTE: http://blog.rubygems.org/2017/08/27/2.6.13-released.html NOTE: For Ruby 2.3.4: https://bugs.ruby-lang.org/attachments/download/6691/rubygems-2613-ruby23.patch NOTE: For Ruby 2.2.7: https://bugs.ruby-lang.org/attachments/download/6690/rubygems-2613-ruby22.patch CVE-2017-0900 (RubyGems version 2.6.12 and earlier is vulnerable to maliciously craft ...) {DSA-3966-1 DLA-1421-1 DLA-1114-1 DLA-1112-1} - ruby2.3 2.3.3-1+deb9u1 (bug #873802) - ruby2.1 - ruby1.9.1 - rubygems NOTE: https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/ NOTE: http://blog.rubygems.org/2017/08/27/2.6.13-released.html NOTE: For Ruby 2.3.4: https://bugs.ruby-lang.org/attachments/download/6691/rubygems-2613-ruby23.patch NOTE: For Ruby 2.2.7: https://bugs.ruby-lang.org/attachments/download/6690/rubygems-2613-ruby22.patch CVE-2017-0899 (RubyGems version 2.6.12 and earlier is vulnerable to maliciously craft ...) {DSA-3966-1 DLA-1421-1 DLA-1114-1} - ruby2.3 2.3.3-1+deb9u1 (unimportant; bug #873802) - ruby2.1 (unimportant) - ruby1.9.1 (unimportant) - rubygems (unimportant) NOTE: https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/ NOTE: http://blog.rubygems.org/2017/08/27/2.6.13-released.html NOTE: For Ruby 2.3.4: https://bugs.ruby-lang.org/attachments/download/6691/rubygems-2613-ruby23.patch NOTE: For Ruby 2.2.7: https://bugs.ruby-lang.org/attachments/download/6690/rubygems-2613-ruby22.patch NOTE: Not considered a vulnerability per se, if this affects a terminal emulator it's a bug there CVE-2017-0898 (Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious forma ...) {DSA-4031-1 DLA-1421-1 DLA-1114-1 DLA-1113-1} - ruby2.3 2.3.5-1 (bug #875936) - ruby2.1 - ruby1.9.1 - ruby1.8 NOTE: https://github.com/mruby/mruby/issues/3722 NOTE: https://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898/ NOTE: https://bugs.ruby-lang.org/issues/13499 CVE-2017-0897 (ExpressionEngine version 2.x < 2.11.8 and version 3.x < 3.5.5 cr ...) NOT-FOR-US: ExpressionEngine CVE-2017-0896 (Zulip Server 1.5.1 and below suffer from an error in the implementatio ...) - zulip-server (bug #800052) CVE-2017-0895 (Nextcloud Server before 10.0.4 and 11.0.2 are vulnerable to disclosure ...) - nextcloud (bug #835086) CVE-2017-0894 (Nextcloud Server before 11.0.3 is vulnerable to disclosure of valid sh ...) - nextcloud (bug #835086) CVE-2017-0893 (Nextcloud Server before 9.0.58 and 10.0.5 and 11.0.3 are shipping a vu ...) - nextcloud (bug #835086) CVE-2017-0892 (Nextcloud Server before 11.0.3 is vulnerable to an improper session ha ...) - nextcloud (bug #835086) CVE-2017-0891 (Nextcloud Server before 9.0.58 and 10.0.5 and 11.0.3 are vulnerable to ...) - nextcloud (bug #835086) CVE-2017-0890 (Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping ...) - nextcloud (bug #835086) CVE-2017-0889 (Paperclip ruby gem version 3.1.4 and later suffers from a Server-SIde ...) NOT-FOR-US: paperclip ruby gem CVE-2017-0888 (Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Content-Spoof ...) - nextcloud (bug #835086) CVE-2017-0886 (Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Denial of Ser ...) - nextcloud (bug #835086) CVE-2017-0885 (Nextcloud Server before 9.0.55 and 10.0.2 suffers from a error message ...) - nextcloud (bug #835086) CVE-2017-0884 (Nextcloud Server before 9.0.55 and 10.0.2 suffers from a creation of f ...) - nextcloud (bug #835086) CVE-2017-0883 (Nextcloud Server before 9.0.55 and 10.0.2 suffers from a permission in ...) - nextcloud (bug #835086) CVE-2017-0882 (Multiple versions of GitLab expose sensitive user credentials when ass ...) - gitlab 8.13.11+dfsg-7 (bug #858410) NOTE: https://gitlab.com/gitlab-org/gitlab-ce/issues/29661 NOTE: https://about.gitlab.com/2017/03/20/gitlab-8-dot-17-dot-4-security-release/ CVE-2017-0881 (An error in the implementation of an autosubscribe feature in the chec ...) NOT-FOR-US: Zulip CVE-2016-9754 (The ring_buffer_resize function in kernel/trace/ring_buffer.c in the p ...) - linux 4.6.1-1 [jessie] - linux 3.16.39-1 [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/59643d1535eb220668692a5359de22545af579f6 (v4.7-rc1) CVE-2016-9753 RESERVED CVE-2016-9752 (In Serendipity before 2.0.5, an attacker can bypass SSRF protection by ...) - serendipity CVE-2016-9751 (Cross-site scripting (XSS) vulnerability in the search results front e ...) - piwigo [squeeze] - piwigo (Unsupported in squeeze-lts) NOTE: Request to mark the package as unsupported in #779104 CVE-2016-9750 (IBM QRadar 7.2 and 7.3 stores user credentials in plain in clear text ...) NOT-FOR-US: IBM CVE-2016-9749 (IBM Campaign 9.1.0, 9.1.2, 10.0, and 10.1 could allow an authenticated ...) NOT-FOR-US: IBM CVE-2016-9748 (IBM Rational DOORS Next Generation 5.0 and 6.0 discloses sensitive inf ...) NOT-FOR-US: IBM CVE-2016-9747 (IBM RELM 4.0, 5.0 and 6.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2016-9746 (IBM Team Concert (RTC) 4.0, 5.0 and 6.0 is vulnerable to cross-site sc ...) NOT-FOR-US: IBM CVE-2016-9745 RESERVED CVE-2016-9744 RESERVED CVE-2016-9743 RESERVED CVE-2016-9742 RESERVED CVE-2016-9741 RESERVED CVE-2016-9740 (IBM QRadar 7.2 could allow a remote attacker to consume all resources ...) NOT-FOR-US: IBM CVE-2016-9739 (IBM Security Identity Manager Virtual Appliance stores user credential ...) NOT-FOR-US: IBM CVE-2016-9738 (IBM QRadar 7.2 and 7.3 does not require that users should have strong ...) NOT-FOR-US: IBM CVE-2016-9737 (IBM TRIRIGA 3.3, 3.4, and 3.5 is vulnerable to cross-site scripting. T ...) NOT-FOR-US: IBM CVE-2016-9736 (IBM WebSphere Application Server using malformed SOAP requests could a ...) NOT-FOR-US: IBM CVE-2016-9735 (IBM Jazz Foundation could allow an authenticated user to obtain sensit ...) NOT-FOR-US: IBM CVE-2016-9734 RESERVED CVE-2016-9733 (IBM Team Concert (RTC) 4.0, 5.0 and 6.0 is vulnerable to cross-site sc ...) NOT-FOR-US: IBM CVE-2016-9732 (IBM Curam Social Program Management 6.0, 6.1, 6.2 and 7.0 is vulnerabl ...) NOT-FOR-US: IBM CVE-2016-9731 (IBM Business Process Manager is vulnerable to cross-site scripting. Th ...) NOT-FOR-US: IBM CVE-2016-9730 (IBM QRadar Incident Forensics 7.2 is vulnerable to cross-site request ...) NOT-FOR-US: IBM CVE-2016-9729 (IBM QRadar 7.2 does not perform an authentication check for a critical ...) NOT-FOR-US: IBM CVE-2016-9728 (IBM Qradar 7.2 is vulnerable to SQL injection. A remote attacker could ...) NOT-FOR-US: IBM CVE-2016-9727 (IBM QRadar 7.2 could allow a remote authenticated attacker to execute ...) NOT-FOR-US: IBM CVE-2016-9726 (IBM QRadar Incident Forensics 7.2 could allow a remote authenticated a ...) NOT-FOR-US: IBM CVE-2016-9725 (IBM QRadar Incident Forensics 7.2 allows for Cross-Origin Resource Sha ...) NOT-FOR-US: IBM CVE-2016-9724 (IBM QRadar 7.2 is vulnerable to a denial of service, caused by an XML ...) NOT-FOR-US: IBM CVE-2016-9723 (IBM QRadar 7.2 is vulnerable to cross-site scripting. This vulnerabili ...) NOT-FOR-US: IBM CVE-2016-9722 (IBM QRadar 7.2 and 7.3 specifies permissions for a security-critical r ...) NOT-FOR-US: IBM QRadar CVE-2016-9721 RESERVED CVE-2016-9720 (IBM QRadar 7.2 discloses sensitive information to unauthorized users. ...) NOT-FOR-US: IBM CVE-2016-9719 (IBM InfoSphere Master Data Management Server 10.1. 11.0. 11.3, 11.4, 1 ...) NOT-FOR-US: IBM CVE-2016-9718 (IBM InfoSphere Master Data Management Server 10.1. 11.0. 11.3, 11.4, 1 ...) NOT-FOR-US: IBM CVE-2016-9717 (HTTP Parameter Override is identified in the IBM Infosphere Master Dat ...) NOT-FOR-US: IBM CVE-2016-9716 (IBM InfoSphere Master Data Management Server 11.0, 11.3, 11.4, 11.5, a ...) NOT-FOR-US: IBM CVE-2016-9715 (IBM InfoSphere Master Data Management Server 11.0, 11.3, 11.4, 11.5, a ...) NOT-FOR-US: IBM CVE-2016-9714 (IBM InfoSphere Master Data Management Server 10.1, 11.0, 11.3, 11.4, 1 ...) NOT-FOR-US: IBM CVE-2016-9713 RESERVED CVE-2016-9712 RESERVED CVE-2016-9711 (IBM Predictive Solutions Foundation (IBM Cognos Analytics 11.0) reveal ...) NOT-FOR-US: IBM CVE-2016-9710 (IBM Predictive Solutions Foundation (formerly PMQ) could allow a remot ...) NOT-FOR-US: IBM CVE-2016-9709 RESERVED CVE-2016-9708 RESERVED CVE-2016-9707 (IBM Jazz Foundation is vulnerable to a denial of service, caused by an ...) NOT-FOR-US: IBM CVE-2016-9706 (IBM Integration Bus 9.0 and 10.0 and WebSphere Message Broker SOAP FLO ...) NOT-FOR-US: IBM CVE-2016-9705 RESERVED CVE-2016-9704 (IBM Security Identity Manager Virtual Appliance is vulnerable to cross ...) NOT-FOR-US: IBM CVE-2016-9703 (IBM Security Identity Manager Virtual Appliance does not invalidate se ...) NOT-FOR-US: IBM CVE-2016-9702 RESERVED CVE-2016-9701 (IBM Team Concert 4.0, 5.0 and 6.0 is vulnerable to cross-site scriptin ...) NOT-FOR-US: IBM CVE-2016-9700 (IBM Jazz Foundation could allow an authenticated attacker to obtain se ...) NOT-FOR-US: IBM CVE-2016-9699 RESERVED CVE-2016-9698 (IBM Rhapsody DM 4.0, 5.0, and 6.0 is vulnerable to a denial of service ...) NOT-FOR-US: IBM CVE-2016-9697 (An unspecified vulnerability in IBM Rhapsody DM 4.0, 5.0, and 6.0 coul ...) NOT-FOR-US: IBM CVE-2016-9696 (IBM Rhapsody DM 4.0, 5.0, and 6.0 is vulnerable to HTML injection. A r ...) NOT-FOR-US: IBM CVE-2016-9695 RESERVED CVE-2016-9694 (IBM Rhapsody DM 4.0, 5.0, and 6.0 is vulnerable to cross-site scriptin ...) NOT-FOR-US: IBM CVE-2016-9693 (IBM Business Process Manager 7.5, 8.0, and 8.5 has a file download cap ...) NOT-FOR-US: IBM CVE-2016-9692 (IBM WebSphere Cast Iron Solution 7.0.0 and 7.5.0.0 is vulnerable to Ex ...) NOT-FOR-US: IBM CVE-2016-9691 (IBM WebSphere Cast Iron Solution 7.0.0 and 7.5.0.0 is vulnerable to a ...) NOT-FOR-US: IBM CVE-2016-9690 REJECTED CVE-2016-9689 REJECTED CVE-2016-9688 REJECTED CVE-2016-9687 REJECTED CVE-2016-9686 (The Puppet Communications Protocol (PCP) Broker incorrectly validates ...) - puppet (Only affects Puppet Enterprise) CVE-2017-0880 (A denial of service vulnerability in the Android media framework (libs ...) - skia (bug #818180) CVE-2017-0879 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android Media Framework CVE-2017-0878 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android Media Framework CVE-2017-0877 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android Media Framework CVE-2017-0876 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android Media Framework CVE-2017-0875 RESERVED CVE-2017-0874 (A denial of service vulnerability in the Android media framework (liba ...) NOT-FOR-US: Android Media Framework CVE-2017-0873 (A denial of service vulnerability in the Android media framework (libm ...) NOT-FOR-US: Android Media Framework CVE-2017-0872 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android Media Framework CVE-2017-0871 (An elevation of privilege vulnerability in the Android framework (fram ...) NOT-FOR-US: Android CVE-2017-0870 (An elevation of privilege vulnerability in the Android framework (libm ...) NOT-FOR-US: Android CVE-2017-0869 (NVIDIA driver contains an integer overflow vulnerability which could c ...) NOT-FOR-US: NVIDIA components for Android CVE-2017-0868 RESERVED CVE-2017-0867 RESERVED CVE-2017-0866 (An elevation of privilege vulnerability in the Direct rendering infras ...) NOT-FOR-US: NVIDIA components for Android CVE-2017-0865 (An elevation of privilege vulnerability in the MediaTek soc driver. Pr ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0864 (An elevation of privilege vulnerability in the MediaTek ioctl (flashli ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0863 (An elevation of privilege vulnerability in the Upstream kernel video d ...) NOT-FOR-US: Android driver (proprietary, not part of upstream kernel) CVE-2017-0862 (An elevation of privilege vulnerability in the Upstream kernel kernel. ...) NOT-FOR-US: Android driver (proprietary, not part of upstream kernel) CVE-2017-0861 (Use-after-free vulnerability in the snd_pcm_info function in the ALSA ...) {DSA-4187-1 DLA-1369-1} - linux 4.13.4-1 [stretch] - linux 4.9.80-1 NOTE: https://git.kernel.org/linus/362bca57f5d78220f8b5907b875961af9436e229 NOTE: UAF actually already removed in https://git.kernel.org/linus/e11f0f90a626f93899687b1cc909ee37dd6c5809 CVE-2017-0860 (An elevation of privilege vulnerability in the Android system (inputdi ...) NOT-FOR-US: Android CVE-2017-0859 (Another vulnerability in the Android media framework (n/a). Product: A ...) NOT-FOR-US: Android media framework CVE-2017-0858 (Another vulnerability in the Android media framework (n/a). Product: A ...) NOT-FOR-US: Android media framework CVE-2017-0857 (Another vulnerability in the Android media framework (n/a). Product: A ...) NOT-FOR-US: Android media framework CVE-2017-0856 RESERVED CVE-2017-0855 (In MPEG4Extractor.cpp, there are several places where functions return ...) NOT-FOR-US: Android media framework CVE-2017-0854 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-0853 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-0852 (A denial of service vulnerability in the Android media framework (libh ...) NOT-FOR-US: Android media framework CVE-2017-0851 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-0850 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-0849 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-0848 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-0847 (An elevation of privilege vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-0846 (An information disclosure vulnerability in the Android framework (clip ...) NOT-FOR-US: Android CVE-2017-0845 (A denial of service vulnerability in the Android framework (syncstorag ...) NOT-FOR-US: Android CVE-2017-0844 RESERVED CVE-2017-0843 (An elevation of privilege vulnerability in the MediaTek ccci. Product: ...) NOT-FOR-US: MediaTek component for Android CVE-2017-0842 (An elevation of privilege vulnerability in the Android system (bluetoo ...) NOT-FOR-US: Fluoride Bluetooth stack in Android CVE-2017-0841 (A remote code execution vulnerability in the Android system (libutils) ...) - android-platform-system-core (unimportant) NOTE: Fixed by https://android.googlesource.com/platform/system/core/+/47efc676c849e3abf32001d66e2d6eb887e83c48%5E!/ CVE-2017-0840 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-0839 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-0838 (An elevation of privilege vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-0837 (An elevation of privilege vulnerability in the Android media framework ...) NOT-FOR-US: Android Media Framework CVE-2017-0836 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android media framework CVE-2017-0835 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android media framework CVE-2017-0834 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android media framework CVE-2017-0833 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android media framework CVE-2017-0832 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android media framework CVE-2017-0831 (An elevation of privilege vulnerability in the Android framework (wind ...) NOT-FOR-US: Android CVE-2017-0830 (An elevation of privilege vulnerability in the Android framework (devi ...) NOT-FOR-US: Android CVE-2017-0829 (An elevation of privilege vulnerability in the Motorola bootloader. Pr ...) NOT-FOR-US: Motorola bootloader CVE-2017-0828 (An elevation of privilege vulnerability in the Huawei bootloader. Prod ...) NOT-FOR-US: Huawei bootloader CVE-2017-0827 (An elevation of privilege vulnerability in the MediaTek soc driver. Pr ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0826 (An elevation of privilege vulnerability in the HTC bootloader. Product ...) NOT-FOR-US: HTC bootloader CVE-2017-0825 (An information disclosure vulnerability in the Broadcom wifi driver. P ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0824 (An elevation of privilege vulnerability in the Broadcom wifi driver. P ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0823 (An information disclosure vulnerability in the Android system (rild). ...) NOT-FOR-US: Android (rild) CVE-2017-0822 (An elevation of privilege vulnerability in the Android system (camera) ...) - android-framework-23 (unimportant) NOTE: Fixed by https://android.googlesource.com/platform/frameworks/base/+/c574568aaede7f652432deb7707f20ae54bbdf9a CVE-2017-0821 RESERVED CVE-2017-0820 (A vulnerability in the Android media framework (n/a). Product: Android ...) NOT-FOR-US: Android media framework CVE-2017-0819 (A vulnerability in the Android media framework (n/a). Product: Android ...) NOT-FOR-US: Android media framework CVE-2017-0818 (A vulnerability in the Android media framework (n/a). Product: Android ...) NOT-FOR-US: Android media framework CVE-2017-0817 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-0816 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-0815 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-0814 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-0813 (A denial of service vulnerability in the Android media framework (libs ...) NOT-FOR-US: Android media framework CVE-2017-0812 (An elevation of privilege vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-0811 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android media framework CVE-2017-0810 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android media framework CVE-2017-0809 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android media framework CVE-2017-0808 (An information disclosure vulnerability in the Android framework (file ...) NOT-FOR-US: Android CVE-2017-0807 (An elevation of privilege vulnerability in the Android framework (ui f ...) NOT-FOR-US: Android CVE-2017-0806 (An elevation of privilege vulnerability in the Android framework (gate ...) NOT-FOR-US: Android CVE-2017-0805 (A elevation of privilege vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-0804 (A elevation of privilege vulnerability in the MediaTek mmc driver. Pro ...) NOT-FOR-US: Mediatek driver for Android CVE-2017-0803 (A elevation of privilege vulnerability in the MediaTek accessory detec ...) NOT-FOR-US: Mediatek driver for Android CVE-2017-0802 (A elevation of privilege vulnerability in the MediaTek kernel. Product ...) NOT-FOR-US: Mediatek driver for Android CVE-2017-0801 (A elevation of privilege vulnerability in the MediaTek libmtkomxvdec. ...) NOT-FOR-US: Mediatek driver for Android CVE-2017-0800 (A elevation of privilege vulnerability in the MediaTek teei. Product: ...) NOT-FOR-US: Mediatek driver for Android CVE-2017-0799 (A elevation of privilege vulnerability in the MediaTek lastbus. Produc ...) NOT-FOR-US: Mediatek driver for Android CVE-2017-0798 (A elevation of privilege vulnerability in the MediaTek kernel. Product ...) NOT-FOR-US: Mediatek driver for Android CVE-2017-0797 (A elevation of privilege vulnerability in the MediaTek accessory detec ...) NOT-FOR-US: Mediatek driver for Android CVE-2017-0796 (A elevation of privilege vulnerability in the MediaTek auxadc driver. ...) NOT-FOR-US: Mediatek driver for Android CVE-2017-0795 (A elevation of privilege vulnerability in the MediaTek accessory detec ...) NOT-FOR-US: Mediatek driver for Android CVE-2017-0794 (A elevation of privilege vulnerability in the Upstream kernel scsi dri ...) NOT-FOR-US: Android kernel on Nexus (probably) NOTE: https://source.android.com/security/bulletin/2017-09-01 doesn't link a public patch, so probably related to some binary-only component on Nexus CVE-2017-0793 (A information disclosure vulnerability in the N/A memory subsystem. Pr ...) NOT-FOR-US: Imagetech driver for Android CVE-2017-0792 (A information disclosure vulnerability in the Broadcom wi-fi driver. P ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0791 (A elevation of privilege vulnerability in the Broadcom wi-fi driver. P ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0790 (A elevation of privilege vulnerability in the Broadcom wi-fi driver. P ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0789 (A elevation of privilege vulnerability in the Broadcom wi-fi driver. P ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0788 (A elevation of privilege vulnerability in the Broadcom wi-fi driver. P ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0787 (A elevation of privilege vulnerability in the Broadcom wi-fi driver. P ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0786 (A elevation of privilege vulnerability in the Broadcom wi-fi driver. P ...) - linux 4.13.4-2 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/17df6453d4be17910456e99c5a85025aa1b7a246 (v4.14-rc4) CVE-2017-0785 (A information disclosure vulnerability in the Android system (bluetoot ...) NOT-FOR-US: Android NOTE: https://www.armis.com/blueborne/ CVE-2017-0784 (A elevation of privilege vulnerability in the Android system (nfc). Pr ...) NOT-FOR-US: Android CVE-2017-0783 (A information disclosure vulnerability in the Android system (bluetoot ...) NOT-FOR-US: Android NOTE: https://www.armis.com/blueborne/ CVE-2017-0782 (A remote code execution vulnerability in the Android system (bluetooth ...) NOT-FOR-US: Android NOTE: https://www.armis.com/blueborne/ CVE-2017-0781 (A remote code execution vulnerability in the Android system (bluetooth ...) NOT-FOR-US: Android NOTE: https://www.armis.com/blueborne/ CVE-2017-0780 (A denial of service vulnerability in the Android runtime (android mess ...) NOT-FOR-US: Android messaging CVE-2017-0779 (A information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android Media Framework CVE-2017-0778 (A information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android Media Framework CVE-2017-0777 (A information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android Media Framework CVE-2017-0776 (A information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android Media Framework CVE-2017-0775 (A denial of service vulnerability in the Android media framework (libs ...) NOT-FOR-US: Android Media Framework CVE-2017-0774 (A denial of service vulnerability in the Android media framework (libs ...) NOT-FOR-US: Android Media Framework CVE-2017-0773 (A denial of service vulnerability in the Android media framework (libh ...) NOT-FOR-US: Android Media Framework CVE-2017-0772 (A denial of service vulnerability in the Android media framework (liba ...) NOT-FOR-US: Android Media Framework CVE-2017-0771 (A denial of service vulnerability in the Android media framework (libs ...) NOT-FOR-US: Android Media Framework CVE-2017-0770 (A elevation of privilege vulnerability in the Android media framework ...) NOT-FOR-US: Android Media Framework CVE-2017-0769 (A elevation of privilege vulnerability in the Android media framework ...) NOT-FOR-US: Android Media Framework CVE-2017-0768 (A elevation of privilege vulnerability in the Android media framework ...) NOT-FOR-US: Android Media Framework CVE-2017-0767 (A elevation of privilege vulnerability in the Android media framework ...) NOT-FOR-US: Android Media Framework CVE-2017-0766 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android Media Framework CVE-2017-0765 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android Media Framework CVE-2017-0764 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android Media Framework CVE-2017-0763 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android Media Framework CVE-2017-0762 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android Media Framework CVE-2017-0761 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android Media Framework CVE-2017-0760 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android Media Framework CVE-2017-0759 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android Media Framework CVE-2017-0758 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android Media Framework CVE-2017-0757 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android Media Framework CVE-2017-0756 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android Media Framework CVE-2017-0755 (A elevation of privilege vulnerability in the Android libraries (libmi ...) NOT-FOR-US: Android CVE-2017-0754 RESERVED CVE-2017-0753 (A remote code execution vulnerability in the Android libraries (libgdx ...) NOT-FOR-US: Android (libgdx) CVE-2017-0752 (A elevation of privilege vulnerability in the Android framework (windo ...) - android-framework-23 (unimportant) NOTE: Fixed by https://android.googlesource.com/platform/frameworks/base/+/6ca2eccdbbd4f11698bd5312812b4d171ff3c8ce%5E%21/ CVE-2017-0751 (An elevation of privilege vulnerability in the Qualcomm QCE driver. Pr ...) NOT-FOR-US: Google drivers for Android CVE-2017-0750 (A elevation of privilege vulnerability in the Upstream Linux file syst ...) - linux (Android-specific change) NOTE: https://source.android.com/security/bulletin/2017-08-01 CVE-2017-0749 (A elevation of privilege vulnerability in the Upstream Linux linux ker ...) - linux (Android-specific change) NOTE: https://source.android.com/security/bulletin/2017-08-01 CVE-2017-0748 (An information disclosure vulnerability in the Qualcomm audio driver. ...) NOT-FOR-US: Google drivers for Android CVE-2017-0747 (A elevation of privilege vulnerability in the Qualcomm proprietary com ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0746 (A elevation of privilege vulnerability in the Qualcomm ipa driver. Pro ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0745 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: libstagefright CVE-2017-0744 (An elevation of privilege vulnerability in the NVIDIA firmware process ...) NOT-FOR-US: Google drivers for Android CVE-2017-0743 RESERVED CVE-2017-0742 (A elevation of privilege vulnerability in the MediaTek video driver. P ...) NOT-FOR-US: Mediatek driver for Android CVE-2017-0741 (A elevation of privilege vulnerability in the MediaTek gpu driver. Pro ...) NOT-FOR-US: Mediatek driver for Android CVE-2017-0740 (A remote code execution vulnerability in the Broadcom networking drive ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0739 (A information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-0738 (A information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-0737 (A elevation of privilege vulnerability in the Android media framework ...) NOT-FOR-US: libstagefright CVE-2017-0736 (A denial of service vulnerability in the Android media framework (liba ...) NOT-FOR-US: Android media framework CVE-2017-0735 (A denial of service vulnerability in the Android media framework (liba ...) NOT-FOR-US: Android media framework CVE-2017-0734 (A denial of service vulnerability in the Android media framework (liba ...) NOT-FOR-US: Android media framework CVE-2017-0733 (A denial of service vulnerability in the Android media framework (libm ...) NOT-FOR-US: Android media framework CVE-2017-0732 (A elevation of privilege vulnerability in the Android media framework ...) NOT-FOR-US: libstagefright CVE-2017-0731 (A elevation of privilege vulnerability in the Android media framework ...) NOT-FOR-US: libstagefright CVE-2017-0730 (A denial of service vulnerability in the Android media framework (h264 ...) NOT-FOR-US: Android media framework CVE-2017-0729 (A elevation of privilege vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-0728 (A denial of service vulnerability in the Android media framework (hevc ...) NOT-FOR-US: Android media framework CVE-2017-0727 (A elevation of privilege vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-0726 (A denial of service vulnerability in the Android media framework (libs ...) NOT-FOR-US: libstagefright CVE-2017-0725 (A denial of service vulnerability in the Android media framework (libs ...) NOT-FOR-US: Android media framework CVE-2017-0724 (A denial of service vulnerability in the Android media framework (libm ...) NOT-FOR-US: Android media framework CVE-2017-0723 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android media framework CVE-2017-0722 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: libstagefright CVE-2017-0721 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android media framework CVE-2017-0720 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android media framework CVE-2017-0719 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android media framework CVE-2017-0718 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android media framework CVE-2017-0717 RESERVED CVE-2017-0716 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android media framework CVE-2017-0715 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android media framework CVE-2017-0714 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android media framework CVE-2017-0713 (A remote code execution vulnerability in the Android libraries (sfntly ...) NOT-FOR-US: Android CVE-2017-0712 (A elevation of privilege vulnerability in the Android framework (wi-fi ...) NOT-FOR-US: Android CVE-2017-0711 (A elevation of privilege vulnerability in the MediaTek networking driv ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0710 (A elevation of privilege vulnerability in the Upstream Linux tcb. Prod ...) NOT-FOR-US: Android Trusted Computing Base CVE-2017-0709 (A information disclosure vulnerability in the HTC sensor hub driver. P ...) NOT-FOR-US: HTC driver for Android CVE-2017-0708 (A information disclosure vulnerability in the HTC sound driver. Produc ...) NOT-FOR-US: HTC driver for Android CVE-2017-0707 (A elevation of privilege vulnerability in the HTC led driver. Product: ...) NOT-FOR-US: HTC driver for Android CVE-2017-0706 (A elevation of privilege vulnerability in the Broadcom wi-fi driver. P ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0705 (A elevation of privilege vulnerability in the Broadcom wi-fi driver. P ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0704 (A elevation of privilege vulnerability in the Android system ui. Produ ...) NOT-FOR-US: Android CVE-2017-0703 (A elevation of privilege vulnerability in the Android system ui. Produ ...) NOT-FOR-US: Android CVE-2017-0702 (A remote code execution vulnerability in the Android system ui. Produc ...) NOT-FOR-US: Android CVE-2017-0701 (A remote code execution vulnerability in the Android system ui. Produc ...) NOT-FOR-US: Android CVE-2017-0700 (A remote code execution vulnerability in the Android system ui. Produc ...) NOT-FOR-US: Android CVE-2017-0699 (A information disclosure vulnerability in the Android media framework. ...) NOT-FOR-US: Android media framework CVE-2017-0698 (A information disclosure vulnerability in the Android media framework. ...) NOT-FOR-US: Android media framework CVE-2017-0697 (A denial of service vulnerability in the Android media framework. Prod ...) NOT-FOR-US: Android media framework CVE-2017-0696 (A denial of service vulnerability in the Android media framework. Prod ...) NOT-FOR-US: Android media framework CVE-2017-0695 (A denial of service vulnerability in the Android media framework. Prod ...) NOT-FOR-US: Android media framework CVE-2017-0694 (A denial of service vulnerability in the Android media framework. Prod ...) NOT-FOR-US: Android media framework CVE-2017-0693 (A denial of service vulnerability in the Android media framework. Prod ...) NOT-FOR-US: Android media framework CVE-2017-0692 (A denial of service vulnerability in the Android media framework. Prod ...) NOT-FOR-US: Android media framework CVE-2017-0691 (A denial of service vulnerability in the Android media framework. Prod ...) NOT-FOR-US: Android media framework CVE-2017-0690 (A denial of service vulnerability in the Android media framework. Prod ...) NOT-FOR-US: Android media framework CVE-2017-0689 (A denial of service vulnerability in the Android media framework. Prod ...) NOT-FOR-US: Android media framework CVE-2017-0688 (A denial of service vulnerability in the Android media framework. Prod ...) NOT-FOR-US: Android media framework CVE-2017-0687 (A denial of service vulnerability in the Android media framework (liba ...) NOT-FOR-US: Android media framework CVE-2017-0686 (A denial of service vulnerability in the Android media framework. Prod ...) NOT-FOR-US: Android media framework CVE-2017-0685 (A denial of service vulnerability in the Android media framework. Prod ...) NOT-FOR-US: Android media framework CVE-2017-0684 (A elevation of privilege vulnerability in the Android media framework. ...) NOT-FOR-US: Android media framework CVE-2017-0683 (A remote code execution vulnerability in the Android media framework. ...) NOT-FOR-US: Android media framework CVE-2017-0682 (A remote code execution vulnerability in the Android media framework. ...) NOT-FOR-US: Android media framework CVE-2017-0681 (A remote code execution vulnerability in the Android media framework. ...) NOT-FOR-US: Android media framework CVE-2017-0680 (A remote code execution vulnerability in the Android media framework. ...) NOT-FOR-US: Android media framework CVE-2017-0679 (A remote code execution vulnerability in the Android media framework. ...) NOT-FOR-US: Android media framework CVE-2017-0678 (A remote code execution vulnerability in the Android media framework. ...) NOT-FOR-US: Android media framework CVE-2017-0677 (A remote code execution vulnerability in the Android media framework. ...) NOT-FOR-US: Android media framework CVE-2017-0676 (A remote code execution vulnerability in the Android media framework. ...) NOT-FOR-US: Android media framework CVE-2017-0675 (A remote code execution vulnerability in the Android media framework. ...) NOT-FOR-US: Android media framework CVE-2017-0674 (A remote code execution vulnerability in the Android media framework. ...) NOT-FOR-US: Android media framework CVE-2017-0673 (A remote code execution vulnerability in the Android media framework. ...) NOT-FOR-US: Android media framework CVE-2017-0672 (A denial of service vulnerability in the Android libraries. Product: A ...) NOT-FOR-US: Android CVE-2017-0671 (A remote code execution vulnerability in the Android libraries. Produc ...) NOT-FOR-US: Android NOTE: Not publicly available CVE-2017-0670 (A denial of service vulnerability in the Android framework. Product: A ...) NOT-FOR-US: Android CVE-2017-0669 (A information disclosure vulnerability in the Android framework. Produ ...) NOT-FOR-US: Android CVE-2017-0668 (A information disclosure vulnerability in the Android framework. Produ ...) NOT-FOR-US: Android CVE-2017-0667 (A elevation of privilege vulnerability in the Android framework. Produ ...) NOT-FOR-US: Android CVE-2017-0666 (A elevation of privilege vulnerability in the Android framework. Produ ...) NOT-FOR-US: Android CVE-2017-0665 (A elevation of privilege vulnerability in the Android framework. Produ ...) NOT-FOR-US: Android CVE-2017-0664 (A elevation of privilege vulnerability in the Android framework. Produ ...) NOT-FOR-US: Android CVE-2017-0663 (A remote code execution vulnerability in libxml2 could enable an attac ...) {DSA-3952-1 DLA-1060-1} - libxml2 2.9.4+dfsg1-3.1 (bug #870870) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=780228 (not yet public) NOTE: https://android.googlesource.com/platform/external/libxml2/+/521b88fbb6d18312923f0df653d045384b500ffc NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=92b9e8c8b3787068565a1820ba575d042f9eec66 CVE-2017-0662 RESERVED CVE-2017-0661 RESERVED CVE-2017-0660 RESERVED CVE-2017-0659 RESERVED CVE-2017-0658 RESERVED CVE-2017-0657 RESERVED CVE-2017-0656 RESERVED CVE-2017-0655 RESERVED CVE-2017-0654 RESERVED CVE-2017-0653 RESERVED CVE-2017-0652 RESERVED CVE-2017-0651 (An information disclosure vulnerability in the kernel ION subsystem co ...) NOT-FOR-US: Android CVE-2017-0650 (An information disclosure vulnerability in the Synaptics touchscreen d ...) NOT-FOR-US: Synaptics driver for Android CVE-2017-0649 (An elevation of privilege vulnerability in the MediaTek sound driver c ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0648 (An elevation of privilege vulnerability in the kernel FIQ debugger cou ...) NOT-FOR-US: Android CVE-2017-0647 (An information disclosure vulnerability in libziparchive could enable ...) - android-platform-system-core 1:7.0.0+r33-2 (unimportant; bug #867229) [jessie] - android-platform-system-core (Vulnerable code not present) NOTE: No impact on SDK usage CVE-2017-0646 (An information disclosure vulnerability in Bluetooth component could e ...) NOT-FOR-US: Android CVE-2017-0645 (An elevation of privilege vulnerability in Bluetooth could enable a lo ...) NOT-FOR-US: Android CVE-2017-0644 (A remote denial of service vulnerability in Mediaserver could enable a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0643 (A remote denial of service vulnerability in Mediaserver could enable a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0642 (A remote denial of service vulnerability in libhevc in Mediaserver cou ...) NOT-FOR-US: Android Mediaserver CVE-2017-0641 (A remote denial of service vulnerability in libvpx in Mediaserver coul ...) - libvpx (unimportant; bug #871931) NOTE: https://android.googlesource.com/platform/external/libvpx/+/698796fc930baecf5c3fdebef17e73d5d9a58bcb NOTE: Debian builds configures with --size-limit=16384x16384, Android lowered NOTE: the limit to something more aligned for smart phones CVE-2017-0640 (A remote denial of service vulnerability in Mediaserver could enable a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0639 (An information disclosure vulnerability in Bluetooth component could e ...) NOT-FOR-US: Android CVE-2017-0638 (A remote code execution vulnerability in System UI component could ena ...) NOT-FOR-US: Android CVE-2017-0637 (A remote code execution vulnerability in libhevc in Mediaserver could ...) NOT-FOR-US: Android Mediaserver CVE-2017-0636 (An elevation of privilege vulnerability in the MediaTek command queue ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0635 (A remote denial of service vulnerability in HevcUtils.cpp in libstagef ...) NOT-FOR-US: libstagefright CVE-2017-0634 (An information disclosure vulnerability in the Synaptics touchscreen d ...) NOT-FOR-US: Synaptics driver for Android CVE-2017-0633 (An information disclosure vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0632 (An information disclosure vulnerability in the Qualcomm sound codec dr ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0631 (An information disclosure vulnerability in the Qualcomm camera driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0630 (An information disclosure vulnerability in the kernel trace subsystem ...) - linux NOTE: https://lore.kernel.org/lkml/20180725202238.165314-1-salyzyn@android.com/ CVE-2017-0629 (An information disclosure vulnerability in the Qualcomm camera driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0628 (An information disclosure vulnerability in the Qualcomm camera driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0627 (An information disclosure vulnerability in the kernel UVC driver could ...) NOT-FOR-US: Android kernel CVE-2017-0626 (An information disclosure vulnerability in the Qualcomm crypto engine ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0625 (An information disclosure vulnerability in the MediaTek command queue ...) NOT-FOR-US: Mediatek driver for Android CVE-2017-0624 (An information disclosure vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0623 (An elevation of privilege vulnerability in the HTC bootloader could en ...) NOT-FOR-US: HTC driver for Android CVE-2017-0622 (An elevation of privilege vulnerability in the Goodix touchscreen driv ...) NOT-FOR-US: Goodix driver for Android CVE-2017-0621 (An elevation of privilege vulnerability in the Qualcomm camera driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0620 (An elevation of privilege vulnerability in the Qualcomm Secure Channel ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0619 (An elevation of privilege vulnerability in the Qualcomm pin controller ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0618 (An elevation of privilege vulnerability in the MediaTek command queue ...) NOT-FOR-US: Mediatek driver for Android CVE-2017-0617 (An elevation of privilege vulnerability in the MediaTek video driver c ...) NOT-FOR-US: Mediatek driver for Android CVE-2017-0616 (An elevation of privilege vulnerability in the MediaTek system managem ...) NOT-FOR-US: Mediatek driver for Android CVE-2017-0615 (An elevation of privilege vulnerability in the MediaTek power driver c ...) NOT-FOR-US: Mediatek driver for Android CVE-2017-0614 (An elevation of privilege vulnerability in the Qualcomm Secure Executi ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0613 (An elevation of privilege vulnerability in the Qualcomm Secure Executi ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0612 (An elevation of privilege vulnerability in the Qualcomm Secure Executi ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0611 (An elevation of privilege vulnerability in the Qualcomm sound driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0610 (An elevation of privilege vulnerability in the Qualcomm sound driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0609 (An elevation of privilege vulnerability in the Qualcomm sound driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0608 (An elevation of privilege vulnerability in the Qualcomm sound driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0607 (An elevation of privilege vulnerability in the Qualcomm sound driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0606 (An elevation of privilege vulnerability in the Qualcomm sound driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0605 REJECTED CVE-2017-0604 (An elevation of privilege vulnerability in the kernel Qualcomm power d ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0603 (A denial of service vulnerability in libstagefright in Mediaserver cou ...) NOT-FOR-US: libstagefright CVE-2017-0602 (An information disclosure vulnerability in Bluetooth could allow a loc ...) NOT-FOR-US: Android CVE-2017-0601 (An Elevation of Privilege vulnerability in Bluetooth could potentially ...) NOT-FOR-US: Android CVE-2017-0600 (A remote denial of service vulnerability in libstagefright in Mediaser ...) NOT-FOR-US: libstagefright CVE-2017-0599 (A remote denial of service vulnerability in libhevc in Mediaserver cou ...) NOT-FOR-US: Android Mediaserver CVE-2017-0598 (An information disclosure vulnerability in the Framework APIs could en ...) NOT-FOR-US: Android CVE-2017-0597 (An elevation of privilege vulnerability in Audioserver could enable a ...) NOT-FOR-US: Android Audioserver CVE-2017-0596 (An elevation of privilege vulnerability in libstagefright in Mediaserv ...) NOT-FOR-US: libstagefright CVE-2017-0595 (An elevation of privilege vulnerability in libstagefright in Mediaserv ...) NOT-FOR-US: libstagefright CVE-2017-0594 (An elevation of privilege vulnerability in codecs/aacenc/SoftAACEncode ...) NOT-FOR-US: libstagefright CVE-2017-0593 (An elevation of privilege vulnerability in the Framework APIs could en ...) NOT-FOR-US: Android CVE-2017-0592 (A remote code execution vulnerability in FLACExtractor.cpp in libstage ...) NOT-FOR-US: Android CVE-2017-0591 (A remote code execution vulnerability in libavc in Mediaserver could e ...) NOT-FOR-US: Android Mediaserver CVE-2017-0590 (A remote code execution vulnerability in libhevc in Mediaserver could ...) NOT-FOR-US: Android Mediaserver CVE-2017-0589 (A remote code execution vulnerability in libhevc in Mediaserver could ...) NOT-FOR-US: Android Mediaserver CVE-2017-0588 (A remote code execution vulnerability in id3/ID3.cpp in libstagefright ...) NOT-FOR-US: libstagefright CVE-2017-0587 (A remote code execution vulnerability in libmpeg2 in Mediaserver could ...) NOT-FOR-US: libstagefright CVE-2017-0586 (An information disclosure vulnerability in the Qualcomm sound driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0585 (An information disclosure vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0584 (An information disclosure vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0583 (An elevation of privilege vulnerability in the Qualcomm CP access driv ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0582 (An elevation of privilege vulnerability in the HTC OEM fastboot comman ...) NOT-FOR-US: HTC driver for Android CVE-2017-0581 (An elevation of privilege vulnerability in the Synaptics Touchscreen d ...) NOT-FOR-US: Synaptics driver for Android CVE-2017-0580 (An elevation of privilege vulnerability in the Synaptics Touchscreen d ...) NOT-FOR-US: Synaptics driver for Android CVE-2017-0579 (An elevation of privilege vulnerability in the Qualcomm video driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0578 (An elevation of privilege vulnerability in the DTS sound driver could ...) NOT-FOR-US: DTS driver for Android CVE-2017-0577 (An elevation of privilege vulnerability in the HTC touchscreen driver ...) NOT-FOR-US: HTC driver for Android CVE-2017-0576 (An elevation of privilege vulnerability in the Qualcomm crypto engine ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0575 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0574 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0573 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0572 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0571 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0570 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0569 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0568 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0567 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0566 (An elevation of privilege vulnerability in the MediaTek camera driver ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0565 (An elevation of privilege vulnerability in the MediaTek thermal driver ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0564 (An elevation of privilege vulnerability in the kernel ION subsystem co ...) NOT-FOR-US: Android ION subsystem NOTE: Linux mainline contains a copy in drivers/staging/android/ion, but since no NOTE: patch has been made available it's likely some closed-source addon CVE-2017-0563 (An elevation of privilege vulnerability in the HTC touchscreen driver ...) NOT-FOR-US: HTC driver for Android CVE-2017-0562 (An elevation of privilege vulnerability in the MediaTek touchscreen dr ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0561 (A remote code execution vulnerability in the Broadcom Wi-Fi firmware c ...) {DLA-1573-1} - firmware-nonfree 20180518-1 (bug #869639) [stretch] - firmware-nonfree 20161130-4 [jessie] - firmware-nonfree (non-free not supported) CVE-2017-0560 (An information disclosure vulnerability in the factory reset process c ...) NOT-FOR-US: Android CVE-2017-0559 (An information disclosure vulnerability in libskia could enable a loca ...) - skia (bug #818180) CVE-2017-0558 (An information disclosure vulnerability in Mediaserver could enable a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0557 (An information disclosure vulnerability in libmpeg2 in Mediaserver cou ...) NOT-FOR-US: Android Mediaserver CVE-2017-0556 (An information disclosure vulnerability in libmpeg2 in Mediaserver cou ...) NOT-FOR-US: Android Mediaserver CVE-2017-0555 (An information disclosure vulnerability in libavc in Mediaserver could ...) NOT-FOR-US: Android Mediaserver/ libavc CVE-2017-0554 (An elevation of privilege vulnerability in the Telephony component cou ...) NOT-FOR-US: Android CVE-2017-0553 (An elevation of privilege vulnerability in libnl could enable a local ...) {DLA-892-1 DLA-891-1} - libnl3 3.2.27-2 (unimportant; bug #859948) - libnl (unimportant) NOTE: Fixed by: http://git.infradead.org/users/tgr/libnl.git/commit/3e18948f17148e6a3c4255bdeaaf01ef6081ceeb NOTE: Fix via Android: https://android.googlesource.com/platform/external/libnl/+/f83d9c1c67b6be69a96995e384f50b572b667df0 NOTE: Not a security issue by itself, the upstream patch protects against API misuse, NOTE: this still requires missing input validation in the application using libnl CVE-2017-0552 (A remote denial of service vulnerability in libavc in Mediaserver coul ...) NOT-FOR-US: Android Mediaserver / libavc CVE-2017-0551 (A remote denial of service vulnerability in libavc in Mediaserver coul ...) NOT-FOR-US: Android Mediaserver / libavc CVE-2017-0550 (A remote denial of service vulnerability in libavc in Mediaserver coul ...) NOT-FOR-US: Android Mediaserver / libavc CVE-2017-0549 (A remote denial of service vulnerability in libavc in Mediaserver coul ...) NOT-FOR-US: Android Mediaserver / libavc CVE-2017-0548 (A remote denial of service vulnerability in libskia could enable an at ...) - skia (bug #818180) CVE-2017-0547 (An information disclosure vulnerability in libmedia in Mediaserver cou ...) NOT-FOR-US: Android Mediaserver CVE-2017-0546 (An elevation of privilege vulnerability in SurfaceFlinger could enable ...) NOT-FOR-US: Android CVE-2017-0545 (An elevation of privilege vulnerability in Audioserver could enable a ...) NOT-FOR-US: Android CVE-2017-0544 (An elevation of privilege vulnerability in CameraBase could enable a l ...) NOT-FOR-US: Android CVE-2017-0543 (A remote code execution vulnerability in libavc in Mediaserver could e ...) NOT-FOR-US: Android Mediaserver/ libavc CVE-2017-0542 (A remote code execution vulnerability in libavc in Mediaserver could e ...) NOT-FOR-US: Android Mediaserver/ libavc CVE-2017-0541 (A remote code execution vulnerability in sonivox in Mediaserver could ...) NOT-FOR-US: Android Mediaserver CVE-2017-0540 (A remote code execution vulnerability in libhevc in Mediaserver could ...) NOT-FOR-US: Android Mediaserver CVE-2017-0539 (A remote code execution vulnerability in libhevc in Mediaserver could ...) NOT-FOR-US: Android Mediaserver CVE-2017-0538 (A remote code execution vulnerability in libavc in Mediaserver could e ...) NOT-FOR-US: Android Mediaserver / libavc CVE-2017-0537 (An information disclosure vulnerability in the kernel USB gadget drive ...) NOT-FOR-US: Nvidia driver for Android NOTE: https://source.android.com/security/bulletin/2017-03-01.html NOTE: Android bulletin lists as affecting only Pixel C (Tegra X1) and Tegra USB gadget mode is not in mainline Linux CVE-2017-0536 (An information disclosure vulnerability in the Synaptics touchscreen d ...) NOT-FOR-US: Synaptics driver for Android CVE-2017-0535 (An information disclosure vulnerability in the HTC sound codec driver ...) NOT-FOR-US: HTC driver for Android CVE-2017-0534 (An information disclosure vulnerability in the Qualcomm video driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0533 (An information disclosure vulnerability in the Qualcomm video driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0532 (An information disclosure vulnerability in the MediaTek video codec dr ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0531 (An information disclosure vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0530 RESERVED CVE-2017-0529 (An information disclosure vulnerability in the MediaTek driver could e ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0528 (An elevation of privilege vulnerability in the kernel security subsyst ...) NOT-FOR-US: Android bulletin lists as affecting only Pixel and Pixel XL (Qualcomm Snapdragon) so probably relates to Qualcomm driver NOTE: https://source.android.com/security/bulletin/2017-03-01.html CVE-2017-0527 (An elevation of privilege vulnerability in the HTC Sensor Hub Driver c ...) NOT-FOR-US: HTC driver for Android CVE-2017-0526 (An elevation of privilege vulnerability in the HTC Sensor Hub Driver c ...) NOT-FOR-US: HTC driver for Android CVE-2017-0525 (An elevation of privilege vulnerability in the Qualcomm IPA driver cou ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0524 (An elevation of privilege vulnerability in the Synaptics touchscreen d ...) NOT-FOR-US: Synaptics driver for Android CVE-2017-0523 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0522 (An elevation of privilege vulnerability in a MediaTek APK could enable ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0521 (An elevation of privilege vulnerability in the Qualcomm camera driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0520 (An elevation of privilege vulnerability in the Qualcomm crypto engine ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0519 (An elevation of privilege vulnerability in the Qualcomm fingerprint se ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0518 (An elevation of privilege vulnerability in the Qualcomm fingerprint se ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0517 (An elevation of privilege vulnerability in the MediaTek hardware senso ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0516 (An elevation of privilege vulnerability in the Qualcomm input hardware ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0515 RESERVED CVE-2017-0514 RESERVED CVE-2017-0513 RESERVED CVE-2017-0512 RESERVED CVE-2017-0511 RESERVED CVE-2017-0510 (An elevation of privilege vulnerability in the kernel FIQ debugger cou ...) - linux (Android-specific patch) CVE-2017-0509 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0508 (An elevation of privilege vulnerability in the kernel ION subsystem co ...) NOT-FOR-US: Android ION subsystem NOTE: Linux mainline contains a copy in drivers/staging/android/ion, but since no NOTE: patch has been made available it's likely some closed-source addon CVE-2017-0507 (An elevation of privilege vulnerability in the kernel ION subsystem co ...) NOT-FOR-US: Android ION subsystem NOTE: Linux mainline contains a copy in drivers/staging/android/ion, but since no NOTE: patch has been made available it's likely some closed-source addon CVE-2017-0506 (An elevation of privilege vulnerability in MediaTek components, includ ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0505 (An elevation of privilege vulnerability in MediaTek components, includ ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0504 (An elevation of privilege vulnerability in MediaTek components, includ ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0503 (An elevation of privilege vulnerability in MediaTek components, includ ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0502 (An elevation of privilege vulnerability in MediaTek components, includ ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0501 (An elevation of privilege vulnerability in MediaTek components, includ ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0500 (An elevation of privilege vulnerability in MediaTek components, includ ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0499 (A denial of service vulnerability in Audioserver could enable a local ...) NOT-FOR-US: Android Audioserver CVE-2017-0498 (A denial of service vulnerability in Setup Wizard could allow a local ...) NOT-FOR-US: Android CVE-2017-0497 (A denial of service vulnerability in Mediaserver could enable an attac ...) NOT-FOR-US: Android Mediaserver CVE-2017-0496 (A denial of service vulnerability in Setup Wizard could allow a local ...) NOT-FOR-US: Android CVE-2017-0495 (An information disclosure vulnerability in Mediaserver could enable a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0494 (An information disclosure vulnerability in AOSP Messaging could enable ...) NOT-FOR-US: Android CVE-2017-0493 (An information disclosure vulnerability in File-Based Encryption could ...) NOT-FOR-US: Android CVE-2017-0492 (An elevation of privilege vulnerability in the System UI could enable ...) NOT-FOR-US: Android CVE-2017-0491 (An elevation of privilege vulnerability in Package Manager could enabl ...) NOT-FOR-US: Android CVE-2017-0490 (An elevation of privilege vulnerability in Wi-Fi could enable a local ...) NOT-FOR-US: Android CVE-2017-0489 (An elevation of privilege vulnerability in Location Manager could enab ...) NOT-FOR-US: Android CVE-2017-0488 (A denial of service vulnerability in Mediaserver could enable an attac ...) NOT-FOR-US: Android Mediaserver CVE-2017-0487 (A denial of service vulnerability in Mediaserver could enable an attac ...) NOT-FOR-US: Android Mediaserver CVE-2017-0486 (A denial of service vulnerability in Mediaserver could enable an attac ...) NOT-FOR-US: Android Mediaserver CVE-2017-0485 (A denial of service vulnerability in Mediaserver could enable an attac ...) NOT-FOR-US: Android Mediaserver CVE-2017-0484 (A denial of service vulnerability in Mediaserver could enable an attac ...) NOT-FOR-US: Android Mediaserver CVE-2017-0483 (A denial of service vulnerability in Mediaserver could enable an attac ...) NOT-FOR-US: Android Mediaserver CVE-2017-0482 (A denial of service vulnerability in Mediaserver could enable an attac ...) NOT-FOR-US: Android Mediaserver CVE-2017-0481 (An elevation of privilege vulnerability in NFC could enable a proximat ...) NOT-FOR-US: Android CVE-2017-0480 (An elevation of privilege vulnerability in Audioserver could enable a ...) NOT-FOR-US: Android Audioserver CVE-2017-0479 (An elevation of privilege vulnerability in Audioserver could enable a ...) NOT-FOR-US: Android Audioserver CVE-2017-0478 (A remote code execution vulnerability in the Framesequence library cou ...) NOT-FOR-US: Framesequence library CVE-2017-0477 (A remote code execution vulnerability in libgdx could enable an attack ...) - libgdx (bug #686673) CVE-2017-0476 (A remote code execution vulnerability in AOSP Messaging could enable a ...) NOT-FOR-US: Android CVE-2017-0475 (An elevation of privilege vulnerability in the recovery verifier could ...) NOT-FOR-US: Android CVE-2017-0474 (A remote code execution vulnerability in Mediaserver could enable an a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0473 (A remote code execution vulnerability in Mediaserver could enable an a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0472 (A remote code execution vulnerability in Mediaserver could enable an a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0471 (A remote code execution vulnerability in Mediaserver could enable an a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0470 (A remote code execution vulnerability in Mediaserver could enable an a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0469 (A remote code execution vulnerability in Mediaserver could enable an a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0468 (A remote code execution vulnerability in Mediaserver could enable an a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0467 (A remote code execution vulnerability in Mediaserver could enable an a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0466 (A remote code execution vulnerability in Mediaserver could enable an a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0465 (An elevation of privilege vulnerability in the Qualcomm ADSPRPC driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0464 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0463 (An elevation of privilege vulnerability in the Qualcomm networking dri ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0462 (An elevation of privilege vulnerability in the Qualcomm Seemp driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0461 (An information disclosure vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0460 (An elevation of privilege vulnerability in the Qualcomm networking dri ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0459 (An information disclosure vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0458 (An elevation of privilege vulnerability in the Qualcomm camera driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0457 (An elevation of privilege vulnerability in the Qualcomm ADSPRPC driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0456 (An elevation of privilege vulnerability in the Qualcomm IPA driver cou ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0455 (An information disclosure vulnerability in the Qualcomm bootloader cou ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0454 (An elevation of privilege vulnerability in the Qualcomm audio driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0453 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0452 (An information disclosure vulnerability in the Qualcomm camera driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0451 (An information disclosure vulnerability in the Qualcomm sound driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0450 (An elevation of privilege vulnerability in Audioserver could enable a ...) NOT-FOR-US: Android Audioserver CVE-2017-0449 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0448 (An information disclosure vulnerability in the NVIDIA video driver cou ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0447 (An elevation of privilege vulnerability in the HTC touchscreen driver ...) NOT-FOR-US: HTC driver for Android CVE-2017-0446 (An elevation of privilege vulnerability in the HTC touchscreen driver ...) NOT-FOR-US: HTC driver for Android CVE-2017-0445 (An elevation of privilege vulnerability in the HTC touchscreen driver ...) NOT-FOR-US: HTC driver for Android CVE-2017-0444 (An elevation of privilege vulnerability in the Realtek sound driver co ...) NOT-FOR-US: Realtek driver for Android CVE-2017-0443 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0442 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0441 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0440 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0439 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0438 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0437 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0436 (An elevation of privilege vulnerability in the Qualcomm sound driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0435 (An elevation of privilege vulnerability in the Qualcomm sound driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0434 (An elevation of privilege vulnerability in the Synaptics touchscreen d ...) NOT-FOR-US: Synaptics driver for Android CVE-2017-0433 (An elevation of privilege vulnerability in the Synaptics touchscreen d ...) NOT-FOR-US: Synaptics driver for Android CVE-2017-0432 (An elevation of privilege vulnerability in the MediaTek driver could e ...) NOT-FOR-US: Mediatek driver for Android CVE-2017-0431 (An elevation of privilege vulnerability in Qualcomm closed source comp ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-0430 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0429 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0428 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0427 (An elevation of privilege vulnerability in the kernel file system coul ...) NOT-FOR-US: Unspecified Android filesystem, apparently not in mainline NOTE: https://source.android.com/security/bulletin/2017-02-01.html NOTE: Android bulletin lists all recent devices as affected. NOTE: No source patch available, so may relate to Apache-licensed sdcardfs. CVE-2017-0426 (An information disclosure vulnerability in the Filesystem could enable ...) NOT-FOR-US: Android filesystem layout CVE-2017-0425 (An information disclosure vulnerability in Audioserver could enable a ...) NOT-FOR-US: Android Audioserver CVE-2017-0424 (An information disclosure vulnerability in AOSP Messaging could enable ...) NOT-FOR-US: Android CVE-2017-0423 (An elevation of privilege vulnerability in Bluetooth could enable a pr ...) NOT-FOR-US: Android CVE-2017-0422 (A denial of service vulnerability in Bionic DNS could enable a remote ...) NOT-FOR-US: Android CVE-2017-0421 (An information disclosure vulnerability in the Framework APIs could en ...) NOT-FOR-US: Android CVE-2017-0420 (An information disclosure vulnerability in AOSP Mail could enable a lo ...) NOT-FOR-US: Android CVE-2017-0419 (An elevation of privilege vulnerability in Audioserver could enable a ...) NOT-FOR-US: Android Audioserver CVE-2017-0418 (An elevation of privilege vulnerability in Audioserver could enable a ...) NOT-FOR-US: Android Audioserver CVE-2017-0417 (An elevation of privilege vulnerability in Audioserver could enable a ...) NOT-FOR-US: Android Audioserver CVE-2017-0416 (An elevation of privilege vulnerability in Audioserver could enable a ...) NOT-FOR-US: Android Audioserver CVE-2017-0415 (An elevation of privilege vulnerability in Mediaserver could enable a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0414 (An information disclosure vulnerability in AOSP Messaging could enable ...) NOT-FOR-US: Android CVE-2017-0413 (An information disclosure vulnerability in AOSP Messaging could enable ...) NOT-FOR-US: Android CVE-2017-0412 (An elevation of privilege vulnerability in the Framework APIs could en ...) NOT-FOR-US: Android CVE-2017-0411 (An elevation of privilege vulnerability in the Framework APIs could en ...) NOT-FOR-US: Android CVE-2017-0410 (An elevation of privilege vulnerability in the Framework APIs could en ...) NOT-FOR-US: Android CVE-2017-0409 (A remote code execution vulnerability in libstagefright could enable a ...) NOT-FOR-US: libstagefright CVE-2017-0408 (A remote code execution vulnerability in libgdx could enable an attack ...) - libgdx (bug #686673) CVE-2017-0407 (A remote code execution vulnerability in Mediaserver could enable an a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0406 (A remote code execution vulnerability in Mediaserver could enable an a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0405 (A remote code execution vulnerability in Surfaceflinger could enable a ...) NOT-FOR-US: Android CVE-2017-0404 (An elevation of privilege vulnerability in the kernel sound subsystem ...) - linux (Android-specific sound system) CVE-2017-0403 (An elevation of privilege vulnerability in the kernel performance subs ...) - linux (Android-specific performance subsystem) CVE-2017-0402 (An information disclosure vulnerability in lvm/wrapper/Bundle/EffectBu ...) NOT-FOR-US: Android Audioserver CVE-2017-0401 (An information disclosure vulnerability in lvm/wrapper/Bundle/EffectBu ...) NOT-FOR-US: Android Qualcomm audio post processor CVE-2017-0400 (An information disclosure vulnerability in lvm/wrapper/Bundle/EffectBu ...) NOT-FOR-US: Android Audioserver CVE-2017-0399 (An information disclosure vulnerability in lvm/wrapper/Bundle/EffectBu ...) NOT-FOR-US: Android Qualcomm audio post processor CVE-2017-0398 (An information disclosure vulnerability in Audioserver could enable a ...) NOT-FOR-US: Android Audioserver CVE-2017-0397 (An information disclosure vulnerability in id3/ID3.cpp in libstagefrig ...) NOT-FOR-US: Android Mediaserver CVE-2017-0396 (An information disclosure vulnerability in visualizer/EffectVisualizer ...) NOT-FOR-US: Android Mediaserver CVE-2017-0395 (An elevation of privilege vulnerability in Contacts could enable a loc ...) NOT-FOR-US: Android Contacts CVE-2017-0394 (A denial of service vulnerability in Telephony could enable a remote a ...) NOT-FOR-US: Android Telephony CVE-2017-0393 (A denial of service vulnerability in libvpx in Mediaserver could enabl ...) - libvpx 1.6.1-1 [jessie] - libvpx (Minor issue) [wheezy] - libvpx (Minor issue) NOTE: probably fixed earlier, but this was the version checked NOTE: The wheezy source is confirmed (by code inspection) to be vulnerable. NOTE: https://android.googlesource.com/platform/external/libvpx/+/6886e8e0a9db2dbad723dc37a548233e004b33bc CVE-2017-0392 (A denial of service vulnerability in VBRISeeker.cpp in libstagefright ...) NOT-FOR-US: libstagefright CVE-2017-0391 (A denial of service vulnerability in decoder/ihevcd_decode.c in libhev ...) NOT-FOR-US: Android Mediaserver CVE-2017-0390 (A denial of service vulnerability in Tremolo/dpen.s in Mediaserver cou ...) NOT-FOR-US: Android Mediaserver CVE-2017-0389 (A denial of service vulnerability in core networking could enable a re ...) NOT-FOR-US: Android CVE-2017-0388 (An elevation of privilege vulnerability in the External Storage Provid ...) NOT-FOR-US: Android CVE-2017-0387 (An elevation of privilege vulnerability in Mediaserver could enable a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0386 (An elevation of privilege vulnerability in the libnl library could ena ...) - libnl3 (Specific to Android's use of libnl) NOTE: https://github.com/thom311/libnl/issues/124 CVE-2017-0385 (An elevation of privilege vulnerability in Audioserver could enable a ...) NOT-FOR-US: Android Audioserver CVE-2017-0384 (An elevation of privilege vulnerability in lvm/wrapper/Bundle/EffectBu ...) NOT-FOR-US: Android Audioserver CVE-2017-0383 (An elevation of privilege vulnerability in the Framework APIs could en ...) NOT-FOR-US: Android CVE-2017-0382 (A remote code execution vulnerability in the Framesequence library cou ...) NOT-FOR-US: Android CVE-2017-0381 (An information disclosure vulnerability in silk/NLSF_stabilize.c in li ...) {DLA-793-1} - opus 1.2~alpha2-1 (bug #851612) [jessie] - opus (Minor issue, https://bugs.debian.org/851612#10) NOTE: Fixed by: https://github.com/xiph/opus/commit/79e8f527b0344b0897a65be35e77f7885bd99409 (v1.2-alpha) NOTE: https://git.xiph.org/?p=opus.git;a=commitdiff;h=70a3d641b CVE-2016-9804 (In BlueZ 5.42, a buffer overflow was observed in "commands_dump" funct ...) - bluez (unimportant; bug #847837) NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68892.html NOTE: Crash in hcidump CLI tool, no security impact CVE-2016-9803 (In BlueZ 5.42, an out-of-bounds read was observed in "le_meta_ev_dump" ...) - bluez (unimportant; bug #847837) NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68892.html NOTE: Crash in CLI tools, no security impact CVE-2016-9802 (In BlueZ 5.42, a buffer over-read was identified in "l2cap_packet" fun ...) - bluez (unimportant; bug #847837) NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68898.html NOTE: Crash in btmon CLI tool, no security impact CVE-2016-9801 (In BlueZ 5.42, a buffer overflow was observed in "set_ext_ctrl" functi ...) - bluez (unimportant; bug #847837) NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68892.html NOTE: Crash in CLI tools, no security impact CVE-2016-9800 (In BlueZ 5.42, a buffer overflow was observed in "pin_code_reply_dump" ...) - bluez (unimportant; bug #847837) NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68892.html NOTE: Crash in CLI tools, no security impact CVE-2016-9799 (In BlueZ 5.42, a buffer overflow was observed in "pklg_read_hci" funct ...) - bluez (unimportant; bug #847837) NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68898.html NOTE: Crash in btmon CLI tool, no security impact CVE-2016-9798 (In BlueZ 5.42, a use-after-free was identified in "conf_opt" function ...) - bluez (unimportant; bug #847837) NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68892.html NOTE: Crash in hcidump CLI tool, no security impact CVE-2016-9797 (In BlueZ 5.42, a buffer over-read was observed in "l2cap_dump" functio ...) - bluez (unimportant; bug #847837) NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68892.html NOTE: Crash in hcidump CLI tool, no security impact CVE-2016-9794 (Race condition in the snd_pcm_period_elapsed function in sound/core/pc ...) {DLA-772-1} - linux 4.7.2-1 [jessie] - linux 3.16.39-1 NOTE: https://patchwork.kernel.org/patch/8752621/ NOTE: Fixed by: https://git.kernel.org/linus/3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4 (v4.7-rc1) NOTE: http://seclists.org/oss-sec/2016/q4/576 CVE-2016-9793 (The sock_setsockopt function in net/core/sock.c in the Linux kernel be ...) {DLA-772-1} - linux 4.8.15-1 [jessie] - linux 3.16.39-1 NOTE: Fixed by: https://git.kernel.org/linus/b98b0bc8c431e3ceb4b26b0dfc8db509518fb290 CVE-2016-9775 (The postrm script in the tomcat6 package before 6.0.45+dfsg-1~deb7u3 o ...) {DSA-3739-1 DSA-3738-1 DLA-729-1 DLA-728-1} - tomcat8 8.5.8-2 (bug #845385) - tomcat7 7.0.72-3 NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API - tomcat6 6.0.41-3 NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie NOTE: http://www.openwall.com/lists/oss-security/2016/12/02/5 CVE-2016-9774 (The postinst script in the tomcat6 package before 6.0.45+dfsg-1~deb7u4 ...) {DSA-3739-1 DSA-3738-1 DLA-753-1 DLA-746-1} - tomcat8 8.5.8-2 (bug #845393) - tomcat7 7.0.72-3 NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API - tomcat6 6.0.41-3 NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie NOTE: http://www.openwall.com/lists/oss-security/2016/12/02/5 CVE-2016-9777 (KVM in the Linux kernel before 4.8.12, when I/O APIC is enabled, does ...) - linux 4.8.15-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1400804 NOTE: Fixed by: https://git.kernel.org/linus/81cdb259fb6d8c1c4ecfeea389ff5a73c07f5755 (v4.9-rc7) NOTE: Introduced in: https://git.kernel.org/linus/af1bae5497b98cb99d6b0492e6981f060420a00c (v4.8-rc1) NOTE: http://www.openwall.com/lists/oss-security/2016/12/02/2 CVE-2016-9776 (QEMU (aka Quick Emulator) built with the ColdFire Fast Ethernet Contro ...) {DLA-1497-1} - qemu 1:2.8+dfsg-1 (bug #846797) [wheezy] - qemu (Minor issue) - qemu-kvm [wheezy] - qemu-kvm (Coldfire is not emulated by kvm) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg05324.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1400829 CVE-2016-9756 (arch/x86/kvm/emulate.c in the Linux kernel before 4.8.12 does not prop ...) {DLA-772-1} - linux 4.8.15-1 [jessie] - linux 3.16.39-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1400468 NOTE: Fixed by: https://git.kernel.org/linus/2117d5398c81554fbf803f5fd1dc55eb78216c0c CVE-2016-9755 (The netfilter subsystem in the Linux kernel before 4.9 mishandles IPv6 ...) - linux 4.8.15-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b57da0630c9fd36ed7a20fc0f98dc82cc0777fa (v4.9-rc8) NOTE: https://groups.google.com/forum/#!topic/syzkaller/GFbGpX7nTEo CVE-2016-9684 (The SonicWall Secure Remote Access server (version 8.1.0.2-14sv) is vu ...) NOT-FOR-US: SonicWall CVE-2016-9683 (The SonicWall Secure Remote Access server (version 8.1.0.2-14sv) is vu ...) NOT-FOR-US: SonicWall CVE-2016-9682 (The SonicWall Secure Remote Access server (version 8.1.0.2-14sv) is vu ...) NOT-FOR-US: SonicWall CVE-2016-9681 (Multiple cross-site scripting (XSS) vulnerabilities in Serendipity bef ...) - serendipity CVE-2016-9680 (Citrix Provisioning Services before 7.12 allows attackers to obtain se ...) NOT-FOR-US: Citrix CVE-2016-9679 (Citrix Provisioning Services before 7.12 allows attackers to execute a ...) NOT-FOR-US: Citrix CVE-2016-9678 (Use-after-free vulnerability in Citrix Provisioning Services before 7. ...) NOT-FOR-US: Citrix CVE-2016-9677 (Citrix Provisioning Services before 7.12 allows attackers to obtain se ...) NOT-FOR-US: Citrix CVE-2016-9676 (Buffer overflow in Citrix Provisioning Services before 7.12 allows att ...) NOT-FOR-US: Citrix CVE-2016-9674 REJECTED CVE-2016-9673 REJECTED CVE-2016-9672 REJECTED CVE-2016-9671 REJECTED CVE-2016-9670 REJECTED CVE-2016-9669 REJECTED CVE-2016-9668 REJECTED CVE-2016-9667 REJECTED CVE-2016-9666 REJECTED CVE-2016-9665 REJECTED CVE-2016-9664 REJECTED CVE-2016-9663 REJECTED CVE-2016-9662 REJECTED CVE-2016-9661 REJECTED CVE-2016-9660 REJECTED CVE-2016-9659 REJECTED CVE-2016-9658 REJECTED CVE-2016-9657 REJECTED CVE-2016-9656 REJECTED CVE-2016-9655 REJECTED CVE-2016-9654 REJECTED CVE-2016-9653 REJECTED CVE-2016-9652 (Multiple unspecified vulnerabilities in Google Chrome before 55.0.2883 ...) {DSA-3731-1} - chromium-browser 55.0.2883.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-9651 (A missing check for whether a property of a JS object is private in V8 ...) {DSA-3731-1} - chromium-browser 55.0.2883.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2016-9650 (Blink in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linu ...) {DSA-3731-1} - chromium-browser 55.0.2883.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-0380 (The rend_service_intro_established function in or/rendservice.c in Tor ...) {DSA-3993-1} - tor 0.3.1.7-1 (bug #876221) [jessie] - tor (Issue introduced in 0.2.7.2-alpha) [wheezy] - tor (Issue introduced in 0.2.7.2-alpha) NOTE: https://trac.torproject.org/projects/tor/ticket/23490 NOTE: https://gitweb.torproject.org/tor.git/commit/?id=09ea89764a4d3a907808ed7d4fe42abfe64bd486 CVE-2017-0379 (Libgcrypt before 1.8.1 does not properly consider Curve25519 side-chan ...) {DSA-3959-1} - libgcrypt20 1.7.9-1 (bug #873383) [jessie] - libgcrypt20 (Vulnerable code not present, no Curve25519 support) - libgcrypt11 (Vulnerable code not present, no Curve25519 support) NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff;h=da780c8183cccc8f533c8ace8211ac2cb2bdee7b NOTE: https://eprint.iacr.org/2017/806 CVE-2017-0378 (XSS exists in the login_form function in views/helpers.php in Phamm be ...) - phamm 0.6.8-1 (bug #868988) [stretch] - phamm (Minor issue) [jessie] - phamm (Minor issue) [wheezy] - phamm (Minor issue) NOTE: https://github.com/lota/phamm/issues/21 NOTE: https://github.com/lota/phamm/commit/331bdbf0e79632385495fa62e087a6b4cf78857e CVE-2017-0377 (Tor 0.3.x before 0.3.0.9 has a guard-selection algorithm that only con ...) - tor (Affects only 0.3.x series) NOTE: https://trac.torproject.org/projects/tor/ticket/22753 NOTE: https://blog.torproject.org/blog/tor-0309-released-security-update-clients CVE-2017-0376 (The hidden-service feature in Tor before 0.3.0.8 allows a denial of se ...) {DSA-3877-1 DLA-982-1} - tor 0.2.9.11-1 (bug #864424) NOTE: https://trac.torproject.org/22494 NOTE: Fixed by: https://gitweb.torproject.org/tor.git/commit/?id=56a7c5bc15e0447203a491c1ee37de9939ad1dcd NOTE: Introduced in 0.2.2.1-alpha; fixed in 0.2.4.29, 0.2.5.14, 0.2.6.12, 0.2.7.8, 0.2.8.14, 0.2.9.11 0.3.0.8, 0.3.1.3-alpha CVE-2017-0375 (The hidden-service feature in Tor before 0.3.0.8 allows a denial of se ...) - tor (Introduced in 0.3.0.1-alpha) NOTE: https://trac.torproject.org/22493 NOTE: Fixed by: https://gitweb.torproject.org/tor.git/commit/?id=79b59a2dfcb68897ee89d98587d09e55f07e68d7 NOTE: Introduced in 0.3.0.1-alpha; fixed in 0.3.0.8, 0.3.1.3-alpha CVE-2017-0374 (lib/Config/Model.pm in Config-Model (aka libconfig-model-perl) before ...) - libconfig-model-perl 2.097-2 [jessie] - libconfig-model-perl (Minor issue) [wheezy] - libconfig-model-perl (Minor issue. Perl itself has to fix this and this can not be done easily) NOTE: https://anonscm.debian.org/cgit/pkg-perl/packages/libconfig-model-perl.git/commit/?h=stretch&id=0de8471e5a8958ad37446dfcd0362a269e3ec573 CVE-2017-0373 (The gen_class_pod implementation in lib/Config/Model/Utils/GenClassPod ...) - libconfig-model-perl 2.097-2 [jessie] - libconfig-model-perl (Minor issue) [wheezy] - libconfig-model-perl (Vulnerable code do not exist) NOTE: https://anonscm.debian.org/cgit/pkg-perl/packages/libconfig-model-perl.git/commit/?h=stretch&id=e7e5dd1a650939a0e021d1d5b311dbb3c4884773 CVE-2017-0372 (Parameters injection in the SyntaxHighlight extension of Mediawiki bef ...) - mediawiki 1:1.27.3-1 (bug #861585) [wheezy] - mediawiki (Not supported in Wheezy LTS) NOTE: https://phabricator.wikimedia.org/T158689 NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000209.html CVE-2017-0371 RESERVED - mediawiki 1:1.27.2-1 [wheezy] - mediawiki (Not supported in Wheezy LTS) NOTE: https://phabricator.wikimedia.org/T68404 CVE-2017-0370 (Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw were Spam b ...) - mediawiki 1:1.27.2-1 [wheezy] - mediawiki (Not supported in Wheezy LTS) NOTE: https://phabricator.wikimedia.org/T48143 NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html CVE-2017-0369 (Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw, allowing a ...) - mediawiki 1:1.27.2-1 [wheezy] - mediawiki (Not supported in Wheezy LTS) NOTE: https://phabricator.wikimedia.org/T108138 NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html CVE-2017-0368 (Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw making rawH ...) - mediawiki 1:1.27.2-1 [wheezy] - mediawiki (Not supported in Wheezy LTS) NOTE: https://phabricator.wikimedia.org/T156184 NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html CVE-2017-0367 (Mediawiki before 1.28.1 / 1.27.2 contains an unsafe use of temporary d ...) - mediawiki 1:1.27.2-1 [wheezy] - mediawiki (Vulnerable code not present) NOTE: https://phabricator.wikimedia.org/T161453 NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html CVE-2017-0366 (Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw allowing to ...) - mediawiki 1:1.27.2-1 [wheezy] - mediawiki (Not supported in Wheezy LTS) NOTE: https://phabricator.wikimedia.org/T151735 NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html CVE-2017-0365 (Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a XSS vulnerabilit ...) - mediawiki 1:1.27.2-1 [wheezy] - mediawiki (Not supported in Wheezy LTS) NOTE: https://phabricator.wikimedia.org/T144845 NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html CVE-2017-0364 (Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where Speci ...) - mediawiki 1:1.27.2-1 [wheezy] - mediawiki (Not supported in Wheezy LTS) NOTE: https://phabricator.wikimedia.org/T122209 NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html CVE-2017-0363 (Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 has a flaw where Special:Us ...) - mediawiki 1:1.27.2-1 [wheezy] - mediawiki (Not supported in Wheezy LTS) NOTE: https://phabricator.wikimedia.org/T109140 NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html CVE-2017-0362 (Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where the " ...) - mediawiki 1:1.27.2-1 [wheezy] - mediawiki (Not supported in Wheezy LTS) NOTE: https://phabricator.wikimedia.org/T150044 NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html CVE-2017-0361 (Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains an information dis ...) - mediawiki 1:1.27.2-1 [wheezy] - mediawiki (Not supported in Wheezy LTS) NOTE: https://phabricator.wikimedia.org/T125177 NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html CVE-2017-0360 (file_open in Tryton 3.x and 4.x through 4.2.2 allows remote authentica ...) {DSA-3826-1 DLA-882-1} - tryton-server 4.2.1-2 NOTE: Fixed by: http://hg.tryton.org/trytond?cmd=changeset;node=472510fdc6f8 (4.2.x) CVE-2017-0359 (diffoscope before 77 writes to arbitrary locations on disk based on th ...) - diffoscope 77 (bug #854723) CVE-2017-0358 (Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write ...) {DSA-3780-1 DLA-815-1} - ntfs-3g 1:2016.2.22AR.1-4 NOTE: PoC http://www.openwall.com/lists/oss-security/2017/02/04/1 CVE-2017-0357 (A heap-overflow flaw exists in the -tr loader of iucode-tool starting ...) - iucode-tool 2.1.1-1 [jessie] - iucode-tool (Vulnerable code not present) [wheezy] - iucode-tool (Vulnerable code not present) NOTE: https://gitlab.com/iucode-tool/iucode-tool/issues/3 CVE-2017-0356 (A flaw, similar to to CVE-2016-9646, exists in ikiwiki before 3.201701 ...) {DSA-3760-1 DLA-812-1} - ikiwiki 3.20170111 NOTE: https://ikiwiki.info/security/#cve-2017-0356 CVE-2016-9772 (OpenAFS 1.6.19 and earlier allows remote attackers to obtain sensitive ...) {DLA-733-1} - openafs 1.6.20-1 (bug #846922) [jessie] - openafs 1.6.9-2+deb8u6 NOTE: https://www.openafs.org/pages/security/OPENAFS-SA-2016-003.txt NOTE: Upstream patch: https://www.openafs.org/pages/security/openafs-sa-2016-003-master.patch (master) NOTE: Upstream patch: https://www.openafs.org/pages/security/openafs-sa-2016-003.patch NOTE: http://www.openwall.com/lists/oss-security/2016/12/01/12 CVE-2016-9685 (Multiple memory leaks in error paths in fs/xfs/xfs_attr_list.c in the ...) - linux 4.5.1-1 [jessie] - linux 3.16.36-1 [wheezy] - linux 3.2.81-1 NOTE: Fixed by: https://git.kernel.org/linus/2e83b79b2d6c78bf1b4aa227938a214dcbddc83f (v4.6-rc1) CVE-2016-9649 REJECTED CVE-2016-9648 REJECTED CVE-2016-9647 REJECTED CVE-2016-9646 (ikiwiki before 3.20161229 incorrectly called the CGI::FormBuilder-> ...) {DSA-3760-1 DLA-812-1} - ikiwiki 3.20161229 NOTE: https://ikiwiki.info/security/#cve-2016-9646 CVE-2016-9643 (The regex code in Webkit 2.4.11 allows remote attackers to cause a den ...) - webkitgtk 2.14.6-1 (unimportant) NOTE: Not covered by security support NOTE: http://www.openwall.com/lists/oss-security/2016/11/26/2 CVE-2016-9642 (JavaScriptCore in WebKit allows attackers to cause a denial of service ...) - webkitgtk (unimportant) NOTE: Not covered by security support CVE-2016-9641 RESERVED CVE-2016-9640 RESERVED CVE-2017-0355 (All versions of the NVIDIA Windows GPU Display Driver contain a vulner ...) NOT-FOR-US: NVIDIA Windows drivers CVE-2017-0354 (All versions of the NVIDIA Windows GPU Display Driver contain a vulner ...) NOT-FOR-US: NVIDIA Windows drivers CVE-2017-0353 (All versions of the NVIDIA GPU Display Driver contain a vulnerability ...) NOT-FOR-US: NVIDIA Windows drivers CVE-2017-0352 (All versions of the NVIDIA GPU Display Driver contain a vulnerability ...) - nvidia-graphics-drivers 375.66-1 (bug #863515) [jessie] - nvidia-graphics-drivers (Non-free not supported) [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx (Only affects later driver series) - nvidia-graphics-drivers-legacy-304xx (Only affects later driver series) CVE-2017-0351 (All versions of the NVIDIA GPU Display Driver contain a vulnerability ...) - nvidia-graphics-drivers 375.66-1 (bug #863515) [jessie] - nvidia-graphics-drivers (Non-free not supported) [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx (Only affects later driver series) - nvidia-graphics-drivers-legacy-304xx (Only affects later driver series) CVE-2017-0350 (All versions of the NVIDIA GPU Display Driver contain a vulnerability ...) - nvidia-graphics-drivers 375.66-1 (bug #863515) [jessie] - nvidia-graphics-drivers (Non-free not supported) [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx (Only affects later driver series) - nvidia-graphics-drivers-legacy-304xx (Only affects later driver series) CVE-2017-0349 (All versions of the NVIDIA Windows GPU Display Driver contain a vulner ...) NOT-FOR-US: NVIDIA Windows drivers CVE-2017-0348 (All versions of the NVIDIA Windows GPU Display Driver contain a vulner ...) NOT-FOR-US: NVIDIA Windows drivers CVE-2017-0347 (All versions of the NVIDIA Windows GPU Display Driver contain a vulner ...) NOT-FOR-US: NVIDIA Windows drivers CVE-2017-0346 (All versions of the NVIDIA Windows GPU Display Driver contain a vulner ...) NOT-FOR-US: NVIDIA Windows drivers CVE-2017-0345 (All versions of the NVIDIA Windows GPU Display Driver contain a vulner ...) NOT-FOR-US: NVIDIA Windows drivers CVE-2017-0344 (All versions of the NVIDIA Windows GPU Display Driver contain a vulner ...) NOT-FOR-US: NVIDIA Windows drivers CVE-2017-0343 (All versions of the NVIDIA Windows GPU Display Driver contain a vulner ...) NOT-FOR-US: NVIDIA Windows drivers CVE-2017-0342 (All versions of the NVIDIA Windows GPU Display Driver contain a vulner ...) NOT-FOR-US: NVIDIA Windows drivers CVE-2017-0341 (All versions of the NVIDIA Windows GPU Display Driver contain a vulner ...) NOT-FOR-US: NVIDIA Windows drivers CVE-2017-0340 (An elevation of privilege vulnerability in the NVIDIA Libnvparser comp ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0339 (An elevation of privilege vulnerability in the NVIDIA crypto driver co ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0338 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0337 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0336 (An information disclosure vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0335 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0334 (An information disclosure vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0333 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0332 (An elevation of privilege vulnerability in the NVIDIA crypto driver co ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0331 (An elevation of privilege vulnerability in the NVIDIA video driver cou ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0330 (An information disclosure vulnerability in the NVIDIA crypto driver co ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0329 (An elevation of privilege vulnerability in the NVIDIA boot and power m ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0328 (An information disclosure vulnerability in the NVIDIA crypto driver co ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0327 (An elevation of privilege vulnerability in the NVIDIA crypto driver co ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0326 (An information disclosure vulnerability in the NVIDIA Video Driver due ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0325 (An elevation of privilege vulnerability in the NVIDIA I2C HID driver c ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0324 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: NVIDIA drivers for Windows CVE-2017-0323 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: NVIDIA drivers for Windows CVE-2017-0322 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: NVIDIA drivers for Windows CVE-2017-0321 (All versions of NVIDIA GPU Display Driver contain a vulnerability in t ...) - nvidia-graphics-drivers 375.39-1 (bug #855277) [jessie] - nvidia-graphics-drivers 340.102-1 [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx 340.102-1 (bug #855278) - nvidia-graphics-drivers-legacy-304xx 304.135-2 (bug #855279) [jessie] - nvidia-graphics-drivers-legacy-304xx 304.135-1 CVE-2017-0320 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: NVIDIA drivers for Windows CVE-2017-0319 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: NVIDIA drivers for Windows CVE-2017-0318 (All versions of NVIDIA Linux GPU Display Driver contain a vulnerabilit ...) - nvidia-graphics-drivers 375.39-1 (bug #855277) [jessie] - nvidia-graphics-drivers 340.102-1 [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx 340.102-1 (bug #855278) - nvidia-graphics-drivers-legacy-304xx 304.135-2 (bug #855279) [jessie] - nvidia-graphics-drivers-legacy-304xx 304.135-1 CVE-2017-0317 (All versions of NVIDIA GPU and GeForce Experience installer contain a ...) NOT-FOR-US: NVIDIA drivers for Windows CVE-2017-0316 (In GeForce Experience (GFE) 3.x before 3.10.0.55, NVIDIA Installer Fra ...) NOT-FOR-US: NVIDIA Installer Framework CVE-2017-0315 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: NVIDIA drivers for Windows CVE-2017-0314 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: NVIDIA drivers for Windows CVE-2017-0313 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: NVIDIA drivers for Windows CVE-2017-0312 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: NVIDIA drivers for Windows CVE-2017-0311 (NVIDIA GPU Display Driver R378 contains a vulnerability in the kernel ...) - nvidia-graphics-drivers 375.39-1 (bug #855277) [jessie] - nvidia-graphics-drivers 340.102-1 [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx 340.102-1 (bug #855278) - nvidia-graphics-drivers-legacy-304xx 304.135-2 (bug #855279) [jessie] - nvidia-graphics-drivers-legacy-304xx 304.135-1 CVE-2017-0310 (All versions of NVIDIA GPU Display Driver contain a vulnerability in t ...) - nvidia-graphics-drivers 375.39-1 (bug #855277) [jessie] - nvidia-graphics-drivers 340.102-1 [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx 340.102-1 (bug #855278) - nvidia-graphics-drivers-legacy-304xx 304.135-2 (bug #855279) [jessie] - nvidia-graphics-drivers-legacy-304xx 304.135-1 CVE-2017-0309 (All versions of NVIDIA GPU Display Driver contain a vulnerability in t ...) - nvidia-graphics-drivers 375.39-1 (bug #855277) [jessie] - nvidia-graphics-drivers 340.102-1 [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx 340.102-1 (bug #855278) - nvidia-graphics-drivers-legacy-304xx 304.135-2 (bug #855279) [jessie] - nvidia-graphics-drivers-legacy-304xx 304.135-1 CVE-2017-0308 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: NVIDIA drivers for Windows CVE-2017-0307 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0306 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: NVIDIA driver for Android CVE-2016-9638 (In BMC Patrol before 9.13.10.02, the binary "listguests64" is configur ...) NOT-FOR-US: BMC Patrol CVE-2016-9637 (The (1) ioport_read and (2) ioport_write functions in Xen, when qemu i ...) {DLA-1270-1} - qemu (Vulnerability specific to Xen) - qemu-kvm (Vulnerability specific to Xen) - xen 4.4.0-1 NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: https://xenbits.xen.org/xsa/advisory-199.html CVE-2016-9620 REJECTED CVE-2016-9619 REJECTED CVE-2016-9618 REJECTED CVE-2016-9617 REJECTED CVE-2016-9616 REJECTED CVE-2016-9615 REJECTED CVE-2016-9614 REJECTED CVE-2016-9613 REJECTED CVE-2016-9612 REJECTED CVE-2016-9611 REJECTED CVE-2016-9610 REJECTED CVE-2016-9609 REJECTED CVE-2016-9608 REJECTED CVE-2016-9607 REJECTED CVE-2016-9606 (JBoss RESTEasy before version 3.1.2 could be forced into parsing a req ...) - resteasy 3.1.4-1 (bug #851430) [jessie] - resteasy (Minor issue) - resteasy3.0 3.0.26-1 NOTE: See CVE-2018-1051 to address original incomplete fix for CVE-2016-9606 CVE-2016-9605 (A flaw was found in cobbler software component version 2.6.11-1. It su ...) - cobbler (bug #858844) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1433950 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1399333 CVE-2016-9604 (It was discovered in the Linux kernel before 4.11-rc8 that root can ga ...) {DLA-922-1} - linux 4.9.25-1 [jessie] - linux 3.16.43-1 NOTE: Fixed by: https://git.kernel.org/linus/ee8f844e3c5a73b999edf733df1c529d6503ec2f CVE-2016-9603 (A heap buffer overflow flaw was found in QEMU's Cirrus CLGD 54xx VGA e ...) {DLA-1497-1 DLA-1270-1 DLA-1035-1 DLA-939-1} - qemu 1:2.8+dfsg-4 (bug #857744) - qemu-kvm - xen 4.4.0-1 NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: https://xenbits.xen.org/xsa/advisory-211.html NOTE: http://www.openwall.com/lists/oss-security/2017/03/14/2 NOTE: Upstream patch http://git.qemu-project.org/?p=qemu.git;a=commit;h=50628d3479e4f9aa97e323506856e394fe7ad7a6 CVE-2016-9602 (Qemu before version 2.9 is vulnerable to an improper link following wh ...) {DLA-1497-1 DLA-1035-1 DLA-965-1} - qemu 1:2.8+dfsg-3 (bug #853006) - qemu-kvm NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1413929 NOTE: The original proposed patch does not fix the issue, cf. NOTE: http://www.openwall.com/lists/oss-security/2017/01/17/14 NOTE: Upstream patchset: https://lists.gnu.org/archive/html/qemu-devel/2017-01/msg06225.html NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1035 NOTE: If fixing this issue for older suites, then make sure not to open the NOTE: CVE-2017-7471 vulnerability and apply as well 9c6b899f7a46893ab3b671e341a2234e9c0c060e NOTE: See further details in the CVE-2017-7471 tracker entry. CVE-2016-9601 (ghostscript before version 9.21 is vulnerable to a heap based buffer o ...) {DSA-3817-1 DLA-874-1} - jbig2dec 0.13-4 (bug #850497) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697457 NOTE: Patch: http://git.ghostscript.com/?p=jbig2dec.git;a=commitdiff;h=e698d5c11d27212aa1098bc5b1673a3378563092 CVE-2016-9600 (JasPer before version 2.0.10 is vulnerable to a null pointer dereferen ...) - jasper (unimportant) NOTE: https://github.com/mdadams/jasper/issues/109 NOTE: Fixed by: https://github.com/mdadams/jasper/commit/a632c6b54bd4ffc3bebab420e00b7e7688aa3846 NOTE: Not suitable for code injection, hardly denial of service CVE-2016-9599 (puppet-tripleo before versions 5.5.0, 6.2.0 is vulnerable to an access ...) NOT-FOR-US: puppet-tripleo CVE-2016-9598 (libxml2, as used in Red Hat JBoss Core Services, allows context-depend ...) - libxml2 (Red Hat specific security regressions) CVE-2016-9597 (It was found that Red Hat JBoss Core Services erratum RHSA-2016:2957 f ...) - libxml2 (Red Hat specific security regressions) CVE-2016-9596 (libxml2, as used in Red Hat JBoss Core Services and when in recovery m ...) - libxml2 (Red Hat specific security regressions) CVE-2016-9595 (A flaw was found in katello-debug before 3.4.0 where certain scripts a ...) NOT-FOR-US: Katello CVE-2016-9594 (curl before version 7.52.1 is vulnerable to an uninitialized random in ...) - curl (Only affects 7.52.0) NOTE: https://curl.haxx.se/docs/adv_20161223.html CVE-2016-9593 (foreman-debug before version 1.15.0 is vulnerable to a flaw in foreman ...) - foreman (bug #663101) CVE-2016-9592 (openshift before versions 3.3.1.11, 3.2.1.23, 3.4 is vulnerable to a f ...) NOT-FOR-US: OpenShift CVE-2016-9591 (JasPer before version 2.0.12 is vulnerable to a use-after-free in the ...) {DSA-3827-1 DLA-920-1} - jasper NOTE: https://github.com/mdadams/jasper/issues/105 NOTE: Fixed by: https://github.com/mdadams/jasper/commit/03fe49ab96bf65fea784cdc256507ea88267fc7c CVE-2016-9590 (puppet-swift before versions 8.2.1, 9.4.4 is vulnerable to an informat ...) - puppet-module-swift 9.4.4-1 (bug #851293) CVE-2016-9589 (Undertow in Red Hat wildfly before version 11.0.0.Beta1 is vulnerable ...) NOT-FOR-US: Red Hat specific use of undertow in Wildfly CVE-2016-9588 (arch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP ...) {DSA-3804-1 DLA-849-1} - linux 4.8.15-2 NOTE: https://www.spinics.net/lists/kvm/msg142495.html NOTE: Fixed by: https://git.kernel.org/linus/ef85b67385436ddc1998f45f1d6a210f935b3388 CVE-2016-9587 (Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper inpu ...) - ansible 2.2.0.0-3 (bug #850846) [jessie] - ansible (Vulnerable code not present, way ssh commands was reworked in 2.x branch) NOTE: Fixed by: https://github.com/ansible/ansible/commit/ec84ff6de6eca9224bf3f22b752bb8da806611ed (v2.2.1.0-0.3.rc3) NOTE: Fixed by: https://github.com/ansible/ansible/commit/eb8c26c105e8457b86324b64a13fac37d8862d47 (v2.2.1.0-0.4.rc4) NOTE: Fixed by: https://github.com/ansible/ansible/commit/cc4634a5e73c06c6b4581f11171289ca9228391e (v2.2.1.0-0.4.rc4) NOTE: Fix in 2.2.0.0-2 only partially addressed the issues, and needed a follow-up, 2.2.0.0-3 CVE-2016-9586 (curl before version 7.52.0 is vulnerable to a buffer overflow when doi ...) {DLA-1568-1 DLA-767-1} - curl 7.52.1-1 (bug #848958) NOTE: https://curl.haxx.se/docs/adv_20161221A.html NOTE: Fixed by: https://github.com/curl/curl/commit/3ab3c16db6a5674f53cf23d56512a405fde0b2c9 NOTE: There are no known vulnerable applications but as this is a NOTE: library it should be fixed as we do not know the full impact. CVE-2016-9585 (Red Hat JBoss EAP version 5 is vulnerable to a deserialization of untr ...) NOT-FOR-US: JMX endpoint of Red Hat JBoss EAP 5 CVE-2016-9584 (libical allows remote attackers to cause a denial of service (use-afte ...) {DLA-959-1} - libical3 3.0.1-1 - libical (bug #852034) [stretch] - libical (Minor issue) [jessie] - libical (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2016/12/15/5 NOTE: Upstream ticket: https://github.com/libical/libical/issues/253 CVE-2016-9583 (An out-of-bounds heap read vulnerability was found in the jpc_pi_nextp ...) - jasper (unimportant) NOTE: https://github.com/mdadams/jasper/issues/103 NOTE: Fixed by https://github.com/mdadams/jasper/commit/99a50593254d1b53002719bbecfc946c84b23d27 NOTE: The issue exists due to an overflow check which is not present NOTE: in Wheezy and Jessie. However it makes sense to implement this check. NOTE: This can be done when more important issues are found [wheezy]. NOTE: Not suitable for code injection, hardly denial of service CVE-2016-9582 REJECTED CVE-2016-9581 (An infinite loop vulnerability in tiftoimage that results in heap buff ...) - openjpeg2 (unimportant) NOTE: https://github.com/uclouvain/openjpeg/issues/872 NOTE: Fixed by: https://github.com/szukw000/openjpeg/commit/cadff5fb6e73398de26a92e96d3d7cac893af255 NOTE: not built into the binary packages CVE-2016-9580 (An integer overflow vulnerability was found in tiftoimage function in ...) - openjpeg2 (unimportant) NOTE: https://github.com/uclouvain/openjpeg/issues/871 NOTE: Fixed by: https://github.com/szukw000/openjpeg/commit/cadff5fb6e73398de26a92e96d3d7cac893af255 NOTE: not built into the binary packages CVE-2016-9579 (A flaw was found in the way Ceph Object Gateway would process cross-or ...) - ceph 10.2.5-2 (bug #849048) [jessie] - ceph 0.80.7-2+deb8u2 NOTE: http://tracker.ceph.com/issues/18187 CVE-2016-9578 (A vulnerability was discovered in SPICE before 0.13.90 in the server's ...) {DSA-3790-1 DLA-825-1} - spice 0.12.8-2.1 (bug #854336) NOTE: Fixed by: https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=1c6517973095a67c8cb57f3550fc1298404ab556 (0.12.x) NOTE: Fixed by: https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=f66dc643635518e53dfbe5262f814a64eec54e4a (0.12.x) CVE-2016-9577 (A vulnerability was discovered in SPICE before 0.13.90 in the server's ...) {DSA-3790-1 DLA-825-1} - spice 0.12.8-2.1 (bug #854336) NOTE: Fixed by: https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=5f96b596353d73bdf4bb3cd2de61e48a7fd5b4c3 (0.12.x) CVE-2016-10088 (The sg implementation in the Linux kernel through 4.9 does not properl ...) {DLA-772-1} - linux 4.8.15-2 [jessie] - linux 3.16.39-1 NOTE: Fixed by: https://git.kernel.org/linus/128394eff343fc6d2f32172f03e24829539c5835 (v4.10-rc1) CVE-2016-9576 (The blk_rq_map_user_iov function in block/blk-map.c in the Linux kerne ...) {DLA-772-1} - linux 4.8.15-1 [jessie] - linux 3.16.39-1 NOTE: https://marc.info/?l=linux-scsi&m=148010092224801&w=2 NOTE: https://gist.githubusercontent.com/dvyukov/80cd94b4e4c288f16ee4c787d404118b/raw/10536069562444da51b758bb39655b514ff93b45/gistfile1.txt NOTE: Fixed by: https://git.kernel.org/linus/a0ac402cfcdc904f9772e1762b3fda112dcc56a0 (v4.9) CVE-2016-9575 (Ipa versions 4.2.x, 4.3.x before 4.3.3 and 4.4.x before 4.4.3 did not ...) - freeipa 4.4.4-1 (bug #849950) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1395311 NOTE: https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=fec4c32ff15 NOTE: https://fedorahosted.org/freeipa/ticket/6560 CVE-2016-9574 (nss before version 3.30 is vulnerable to a remote denial of service du ...) - nss 2:3.25-1 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1320695 NOTE: The CVE is specific to the segfault resulting from the reproducing steps NOTE: as per buzilla entry, and https://bugzilla.redhat.com/show_bug.cgi?id=1397482 NOTE: https://hg.mozilla.org/projects/nss/rev/7385cd821735 CVE-2016-9573 (An out-of-bounds read vulnerability was found in OpenJPEG 2.1.2, in th ...) {DSA-3768-1} - openjpeg2 2.1.2-1.1 (bug #851422) NOTE: https://github.com/uclouvain/openjpeg/issues/863 NOTE: https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d CVE-2016-9572 (A NULL pointer dereference flaw was found in the way openjpeg 2.1.2 de ...) {DSA-3768-1} - openjpeg2 2.1.2-1.1 (bug #851422) NOTE: https://github.com/uclouvain/openjpeg/issues/863 NOTE: https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d CVE-2016-9571 REJECTED CVE-2016-9570 (cb.exe in Carbon Black 5.1.1.60603 allows attackers to cause a denial ...) NOT-FOR-US: Carbon Black CVE-2016-9569 (The cbstream.sys driver in Carbon Black 5.1.1.60603 allows local users ...) NOT-FOR-US: Carbon Black CVE-2016-9568 (A security design issue can allow an unprivileged user to interact wit ...) NOT-FOR-US: Carbon Black CVE-2016-9567 (The mDNIe system service on Samsung Mobile S7 devices with M(6.0) soft ...) NOT-FOR-US: Samsung CVE-2016-9566 (base/logging.c in Nagios Core before 4.2.4 allows local users with acc ...) {DLA-1615-1 DLA-751-1} - nagios3 [wheezy] - nagios3 (Minor issue) NOTE: https://github.com/NagiosEnterprises/nagioscore/commit/c29557dec91eba2306f5fb11b8da4474ba63f8c4 NOTE: https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html NOTE: nagios < 3.5 is not vulnerable through the regular logfile, but through the debug logfile - icinga 1.13.4-1 [jessie] - icinga (Minor issue) [wheezy] - icinga (Minor issue) NOTE: https://dev.icinga.com/issues/13709 NOTE: https://github.com/Icinga/icinga-core/commit/a0eb8471673b6b1e9b37e1b7b91151aa00bedb65 NOTE: https://github.com/Icinga/icinga-core/commit/e0f55bc9b17ef1db9aed7393fc34576a5b9501f0 CVE-2016-9565 (MagpieRSS, as used in the front-end component in Nagios Core before 4. ...) {DLA-751-1} - nagios3 3.5.1-1 NOTE: https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html NOTE: The RSS feed and call-home was removed in src:nagios3 3.5.1-1 where the affected NOTE: function was removed. NOTE: The scope of the CVE is specific to Nagios. NOTE: impact lessened by the hardened permissions in Debian: files can be extracted, but no backdoor can be installed as the web root is not writable CVE-2016-9564 (Buffer overflow in send_redirect() in Boa Webserver 0.92r allows remot ...) - boa (the vuln was removed in 0.93.14) NOTE: http://www.ljcusack.io/cve-2016-9564-stack-based-buffer-overflow-in-boa-0-dot-92r CVE-2016-9563 (BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticate ...) NOT-FOR-US: SAP CVE-2016-9562 (SAP NetWeaver AS JAVA 7.4 allows remote attackers to cause a Denial of ...) NOT-FOR-US: SAP CVE-2016-9561 (The che_configure function in libavcodec/aacdec_template.c in FFmpeg b ...) - ffmpeg 7:3.2.4-1 (unimportant) NOTE: http://www.openwall.com/lists/oss-security/2016/12/08/1 NOTE: non-issue, legitimate media file. If a server application uses libav* on untrusted media NOTE: files, it needs to set resource limits CVE-2016-9554 (The Sophos Web Appliance Remote / Secure Web Gateway server (version 4 ...) NOT-FOR-US: Sophos CVE-2016-9553 (The Sophos Web Appliance (version 4.2.1.3) is vulnerable to two Remote ...) NOT-FOR-US: Sophos CVE-2016-9552 RESERVED CVE-2016-9551 RESERVED CVE-2016-9550 RESERVED CVE-2016-9549 RESERVED CVE-2016-9548 RESERVED CVE-2016-9547 RESERVED CVE-2016-9546 RESERVED CVE-2016-9545 RESERVED CVE-2016-9544 RESERVED CVE-2016-9543 RESERVED CVE-2016-9542 RESERVED CVE-2016-9541 RESERVED CVE-2016-9531 REJECTED CVE-2016-9530 REJECTED CVE-2016-9529 REJECTED CVE-2016-9528 REJECTED CVE-2016-9527 REJECTED CVE-2016-9526 REJECTED CVE-2016-9525 REJECTED CVE-2016-9524 REJECTED CVE-2016-9523 REJECTED CVE-2016-9522 REJECTED CVE-2016-9521 REJECTED CVE-2016-9520 REJECTED CVE-2016-9519 REJECTED CVE-2016-9518 REJECTED CVE-2016-9517 REJECTED CVE-2016-9516 REJECTED CVE-2016-9515 REJECTED CVE-2016-9514 REJECTED CVE-2016-9513 REJECTED CVE-2016-9512 REJECTED CVE-2016-9511 REJECTED CVE-2016-9510 REJECTED CVE-2016-9509 REJECTED CVE-2016-9508 REJECTED CVE-2016-9507 REJECTED CVE-2016-9506 REJECTED CVE-2016-9505 REJECTED CVE-2016-9504 REJECTED CVE-2016-9503 REJECTED CVE-2016-9502 REJECTED CVE-2016-9501 REJECTED CVE-2016-9500 (Accellion FTP server prior to version FTA_9_12_220 uses the Accusoft P ...) NOT-FOR-US: Accellion CVE-2016-9499 (Accellion FTP server prior to version FTA_9_12_220 only returns the us ...) NOT-FOR-US: Accellion CVE-2016-9498 (ManageEngine Applications Manager 12 and 13 before build 13200, allows ...) NOT-FOR-US: ManageEngine CVE-2016-9497 (Hughes high-performance broadband satellite modems, models HN7740S DW7 ...) NOT-FOR-US: Hughes CVE-2016-9496 (Hughes high-performance broadband satellite modems, models HN7740S DW7 ...) NOT-FOR-US: Hughes CVE-2016-9495 (Hughes high-performance broadband satellite modems, models HN7740S DW7 ...) NOT-FOR-US: Hughes CVE-2016-9494 (Hughes high-performance broadband satellite modems, models HN7740S DW7 ...) NOT-FOR-US: Hughes CVE-2016-9493 (The code generated by PHP FormMail Generator prior to 17 December 2016 ...) NOT-FOR-US: PHP FormMail Generator CVE-2016-9492 (The code generated by PHP FormMail Generator prior to 17 December 2016 ...) NOT-FOR-US: PHP FormMail Generator CVE-2016-9491 (ManageEngine Applications Manager 12 and 13 before build 13690 allows ...) NOT-FOR-US: ManageEngine CVE-2016-9490 (ManageEngine Applications Manager versions 12 and 13 before build 1320 ...) NOT-FOR-US: ManageEngine Applications Manager CVE-2016-9489 (In ManageEngine Applications Manager 12 and 13 before build 13200, an ...) NOT-FOR-US: ManageEngine CVE-2016-9488 (ManageEngine Applications Manager versions 12 and 13 before build 1320 ...) NOT-FOR-US: ManageEngine Applications Manager CVE-2016-9487 (EpubCheck 4.0.1 does not properly restrict resolving external entities ...) NOT-FOR-US: EpubCheck CVE-2016-9486 (On Windows endpoints, the SecureConnector agent must run under the loc ...) NOT-FOR-US: SecureConnector agent CVE-2016-9485 (On Windows endpoints, the SecureConnector agent must run under the loc ...) NOT-FOR-US: SecureConnector agent CVE-2016-9484 (The generated PHP form code does not properly validate user input fold ...) NOT-FOR-US: PHP FormMail Generator CVE-2016-9483 (The PHP form code generated by PHP FormMail Generator deserializes unt ...) NOT-FOR-US: PHP FormMail Generator CVE-2016-9482 (Code generated by PHP FormMail Generator may allow a remote unauthenti ...) NOT-FOR-US: PHP FormMail Generator CVE-2014-9912 (The get_icu_disp_value_src_php function in ext/intl/locale/locale_meth ...) - php5 5.6.0+dfsg-1 [wheezy] - php5 5.4.34-0+deb7u1 NOTE: Fixed in 5.6.0, 5.5.14, 5.4.30, 5.3.29 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=67397 NOTE: Upstream patch: https://bugs.php.net/patch-display.php?bug_id=67397&patch=bug67397-patch&revision=latest NOTE: PHP workaround for CVE-2014-9911 in icu CVE-2016-4412 (An issue was discovered in phpMyAdmin. A user can be tricked into foll ...) {DLA-757-1} - phpmyadmin 4:4.1.7-1 NOTE: https://www.phpmyadmin.net/security/PMASA-2016-57/ NOTE: may affect wheezy only. CVE-2016-9847 (An issue was discovered in phpMyAdmin. When the user does not specify ...) - phpmyadmin 4:4.6.5.1-1 (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-58/ NOTE: Debian packaging generates blowfish secret CVE-2016-9848 (An issue was discovered in phpMyAdmin. phpinfo (phpinfo.php) shows PHP ...) - phpmyadmin 4:4.6.5.1-1 (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-59/ NOTE: disabled by default, debugging setting required CVE-2016-9849 (An issue was discovered in phpMyAdmin. It is possible to bypass AllowR ...) {DLA-1821-1 DLA-757-1} - phpmyadmin 4:4.6.5.1-1 NOTE: https://www.phpmyadmin.net/security/PMASA-2016-60/ CVE-2016-9850 (An issue was discovered in phpMyAdmin. Username matching for the allow ...) {DLA-1821-1 DLA-757-1} - phpmyadmin 4:4.6.5.1-1 (low) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-61/ CVE-2016-9851 (An issue was discovered in phpMyAdmin. With a crafted request paramete ...) - phpmyadmin 4:4.6.5.1-1 (unimportant) [jessie] - phpmyadmin (Vulnerable code not present) [wheezy] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-62/ CVE-2016-9852 (An issue was discovered in phpMyAdmin. By calling some scripts that ar ...) - phpmyadmin 4:4.6.5.1-1 (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-63/ NOTE: path disclosure not relevant in Debian CVE-2016-9853 (An issue was discovered in phpMyAdmin. By calling some scripts that ar ...) - phpmyadmin 4:4.6.5.1-1 (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-63/ NOTE: path disclosure not relevant in Debian CVE-2016-9854 (An issue was discovered in phpMyAdmin. By calling some scripts that ar ...) - phpmyadmin 4:4.6.5.1-1 (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-63/ NOTE: path disclosure not relevant in Debian CVE-2016-9855 (An issue was discovered in phpMyAdmin. By calling some scripts that ar ...) - phpmyadmin 4:4.6.5.1-1 (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-63/ NOTE: path disclosure not relevant in Debian CVE-2016-9856 (An XSS issue was discovered in phpMyAdmin because of an improper fix f ...) - phpmyadmin 4:4.6.5.1-1 (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-64/ CVE-2016-9857 (An issue was discovered in phpMyAdmin. XSS is possible because of a we ...) - phpmyadmin 4:4.6.5.1-1 (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-64/ CVE-2016-9858 (An issue was discovered in phpMyAdmin. With a crafted request paramete ...) - phpmyadmin 4:4.6.5.1-1 (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-65/ CVE-2016-9859 (An issue was discovered in phpMyAdmin. With a crafted request paramete ...) - phpmyadmin 4:4.6.5.1-1 (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-65/ CVE-2016-9860 (An issue was discovered in phpMyAdmin. An unauthenticated user can exe ...) - phpmyadmin 4:4.6.5.1-1 (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-65/ CVE-2016-9861 (An issue was discovered in phpMyAdmin. Due to the limitation in URL ma ...) {DLA-1821-1 DLA-757-1} - phpmyadmin 4:4.6.5.1-1 (low) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-66/ CVE-2016-9862 (An issue was discovered in phpMyAdmin. With a crafted login request it ...) - phpmyadmin 4:4.6.5.1-1 [jessie] - phpmyadmin (Vulnerable code not present) [wheezy] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-67/ CVE-2016-9863 (An issue was discovered in phpMyAdmin. With a very large request to ta ...) - phpmyadmin 4:4.6.5.1-1 (unimportant) [jessie] - phpmyadmin (Vulnerable code not present) [wheezy] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-68/ CVE-2016-9864 (An issue was discovered in phpMyAdmin. With a crafted username or a ta ...) {DLA-1821-1 DLA-757-1} - phpmyadmin 4:4.6.5.1-1 NOTE: https://www.phpmyadmin.net/security/PMASA-2016-69/ CVE-2016-9865 (An issue was discovered in phpMyAdmin. Due to a bug in serialized stri ...) {DLA-1415-1 DLA-757-1} - phpmyadmin 4:4.6.5.1-1 NOTE: https://www.phpmyadmin.net/security/PMASA-2016-70/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/17b34be (RELEASE_4_6_5) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/1fc004d (MAINT_4_4_15) CVE-2016-9866 (An issue was discovered in phpMyAdmin. When the arg_separator is diffe ...) - phpmyadmin 4:4.6.5.1-1 (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-71/ NOTE: unlikely PHP configuration required, unclear impact CVE-2014-9911 (Stack-based buffer overflow in the ures_getByKeyWithFallback function ...) {DSA-3725-1 DLA-744-1} - icu 55.1-3 NOTE: http://bugs.icu-project.org/trac/ticket/10891 NOTE: Fixed by: http://bugs.icu-project.org/trac/changeset/35699 NOTE: The patch addressing CVE-2014-9911 is applied in 54.1 , but the NOTE: first fixed package version uploaded to unstable is 55.1-3 . CVE-2016-9639 (Salt before 2015.8.11 allows deleted minions to read or write to minio ...) - salt 2016.3.0+ds-1 [jessie] - salt (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2016/11/25/2 CVE-2016-9813 (The _parse_pat function in the mpegts parser in GStreamer before 1.10. ...) {DSA-3818-1} - gst-plugins-bad1.0 1.10.2-1 (low) - gst-plugins-bad0.10 (Vulnerable code introduced in 1.1.1 of 1.0 series) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=775120 CVE-2016-9812 (The gst_mpegts_section_new function in the mpegts decoder in GStreamer ...) {DSA-3818-1} - gst-plugins-bad1.0 1.10.2-1 (low) - gst-plugins-bad0.10 (Vulnerable code introduced in 1.1.1 of 1.0 series) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=775048 CVE-2016-9811 (The windows_icon_typefind function in gst-plugins-base in GStreamer be ...) {DSA-3819-1 DLA-2126-1 DLA-735-1} - gst-plugins-base1.0 1.10.2-1 - gst-plugins-base0.10 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=774902 CVE-2016-9810 (The gst_decode_chain_free_internal function in the flxdex decoder in g ...) - gst-plugins-good1.0 1.10.1-2 [jessie] - gst-plugins-good1.0 1.4.4-2+deb8u2 - gst-plugins-good0.10 [jessie] - gst-plugins-good0.10 0.10.31-3+nmu4+deb8u2 [wheezy] - gst-plugins-good0.10 0.10.31-3+nmu1+deb7u1 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=774897 CVE-2016-9809 (Off-by-one error in the gst_h264_parse_set_caps function in GStreamer ...) {DSA-3818-1 DLA-2164-1 DLA-736-1} - gst-plugins-bad1.0 1.10.2-1 - gst-plugins-bad0.10 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=774896 CVE-2016-9808 (The FLIC decoder in GStreamer before 1.10.2 allows remote attackers to ...) - gst-plugins-good1.0 1.10.1-2 [jessie] - gst-plugins-good1.0 1.4.4-2+deb8u2 - gst-plugins-good0.10 [jessie] - gst-plugins-good0.10 0.10.31-3+nmu4+deb8u2 [wheezy] - gst-plugins-good0.10 0.10.31-3+nmu1+deb7u1 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=774859 NOTE: https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=153a8ae752c90d07190ef45803422a4f71ea8bff NOTE: https://scarybeastsecurity.blogspot.dk/2016/11/0day-poc-incorrect-fix-for-gstreamer.html CVE-2016-9807 (The flx_decode_chunks function in gst/flx/gstflxdec.c in GStreamer bef ...) - gst-plugins-good1.0 1.10.1-2 [jessie] - gst-plugins-good1.0 1.4.4-2+deb8u2 - gst-plugins-good0.10 [jessie] - gst-plugins-good0.10 0.10.31-3+nmu4+deb8u2 [wheezy] - gst-plugins-good0.10 0.10.31-3+nmu1+deb7u1 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=774859 NOTE: https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=153a8ae752c90d07190ef45803422a4f71ea8bff CVE-2016-9806 (Race condition in the netlink_dump function in net/netlink/af_netlink. ...) - linux 4.6.3-1 [jessie] - linux 3.16.39-1 [wheezy] - linux (Introduced in 3.12) NOTE: Fixed by: https://git.kernel.org/linus/92964c79b357efd980812c4de5c1fd2ec8bb5520 (v4.7-rc1) CVE-2016-9636 (Heap-based buffer overflow in the flx_decode_delta_fli function in gst ...) {DSA-3724-1 DSA-3723-1 DLA-727-1} - gst-plugins-good1.0 1.10.1-2 (bug #845375) - gst-plugins-good0.10 NOTE: https://scarybeastsecurity.blogspot.ch/2016/11/0day-exploit-advancing-exploitation.html NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=774834 NOTE: Fixed by: https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=bf43f44fcfada5ec4a3ce60cb374340486fe9fac NOTE: Fixed by: https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=fec77de8cbb0c8192b77aff2e563705ba421f2f2 NOTE: Fixed by (later followed up): https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=45dcd0b9ccf33ed85cdafeb871a3781f5be57fd9 NOTE: Fixed by (later followed up): https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=153a8ae752c90d07190ef45803422a4f71ea8bff CVE-2016-9635 (Heap-based buffer overflow in the flx_decode_delta_fli function in gst ...) {DSA-3724-1 DSA-3723-1 DLA-727-1} - gst-plugins-good1.0 1.10.1-2 (bug #845375) - gst-plugins-good0.10 NOTE: https://scarybeastsecurity.blogspot.ch/2016/11/0day-exploit-advancing-exploitation.html NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=774834 NOTE: Fixed by: https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=bf43f44fcfada5ec4a3ce60cb374340486fe9fac NOTE: Fixed by: https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=fec77de8cbb0c8192b77aff2e563705ba421f2f2 NOTE: Fixed by (later followed up): https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=45dcd0b9ccf33ed85cdafeb871a3781f5be57fd9 NOTE: Fixed by (later followed up): https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=153a8ae752c90d07190ef45803422a4f71ea8bff CVE-2016-9634 (Heap-based buffer overflow in the flx_decode_delta_fli function in gst ...) {DSA-3724-1 DSA-3723-1 DLA-727-1} - gst-plugins-good1.0 1.10.1-2 (bug #845375) - gst-plugins-good0.10 NOTE: https://scarybeastsecurity.blogspot.ch/2016/11/0day-exploit-advancing-exploitation.html NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=774834 NOTE: Fixed by: https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=bf43f44fcfada5ec4a3ce60cb374340486fe9fac NOTE: Fixed by: https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=fec77de8cbb0c8192b77aff2e563705ba421f2f2 NOTE: Fixed by (later followed up): https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=45dcd0b9ccf33ed85cdafeb871a3781f5be57fd9 NOTE: Fixed by (later followed up): https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=153a8ae752c90d07190ef45803422a4f71ea8bff CVE-2016-9633 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-33 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/23 CVE-2016-9632 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-33 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/43 CVE-2016-9631 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-33 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/42 CVE-2016-9630 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-33 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/41 CVE-2016-9629 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-33 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/40 CVE-2016-9628 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-33 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/39 CVE-2016-9627 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-33 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/38 NOTE: https://github.com/tats/w3m/commit/0c3f5d0e0d9269ad47b8f4b061d7818993913189 CVE-2016-9626 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-33 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/37 CVE-2016-9625 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-33 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/36 CVE-2016-9624 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-33 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/35 CVE-2016-9623 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-33 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/33 CVE-2016-9622 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-33 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/32 CVE-2016-9621 REJECTED CVE-2016-9560 (Stack-based buffer overflow in the jpc_tsfb_getbands2 function in jpc_ ...) {DSA-3785-1 DLA-739-1} - jasper NOTE: https://blogs.gentoo.org/ago/2016/11/20/jasper-stack-based-buffer-overflow-in-jpc_tsfb_getbands2-jpc_tsfb-c NOTE: Fixed by: https://github.com/mdadams/jasper/commit/1abc2e5a401a4bf1d5ca4df91358ce5df111f495 CVE-2016-9558 ((1) libdwarf/dwarf_leb.c and (2) dwarfdump/print_frames.c in libdwarf ...) - dwarfutils 20161124-1 (bug #845408) [jessie] - dwarfutils (Minor issue) [wheezy] - dwarfutils (Minor issue) NOTE: https://blogs.gentoo.org/ago/2016/11/19/libdwarf-negation-overflow-in-dwarf_leb-c NOTE: Fixed by: https://sourceforge.net/p/libdwarf/code/ci/4f19e1050cd8e9ddf2cb6caa061ff2fec4c9b5f9/#diff-5 CVE-2016-9557 (Integer overflow in jas_image.c in JasPer before 1.900.25 allows remot ...) - jasper [jessie] - jasper (There is no application crash unless jasper is built with ASAN) [wheezy] - jasper (the fix is too invasive) NOTE: https://blogs.gentoo.org/ago/2016/11/19/jasper-signed-integer-overflow-in-jas_image-c NOTE: Fixed by: https://github.com/mdadams/jasper/commit/d42b2388f7f8e0332c846675133acea151fc557a CVE-2016-9555 (The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kern ...) {DLA-772-1} - linux 4.8.11-1 [jessie] - linux 3.16.39-1 NOTE: Fixed by: https://git.kernel.org/linus/bf911e985d6bbaa328c20c3e05f4eb03de11fdd6 (4.9-rc4) CVE-2016-9481 (In framework/modules/core/controllers/expCommentController.php of Expo ...) NOT-FOR-US: Exponent CMS CVE-2016-9480 (libdwarf 2016-10-21 allows context-dependent attackers to obtain sensi ...) - dwarfutils 20161124-1 [jessie] - dwarfutils (Minor issue) [wheezy] - dwarfutils (Minor issue) NOTE: https://www.prevanders.net/dwarfbug.html#DW201611-006 NOTE: https://sourceforge.net/p/libdwarf/bugs/5/ NOTE: https://sourceforge.net/p/libdwarf/code/ci/5dd64de047cd5ec479fb11fe7ff2692fd819e5e5/ NOTE: The code has substantially changed in libdwarf/dwarf_util.c from older NOTE: versions, but there seem to be still back then an unchecked dereference NOTE: of val_ptr. CVE-2016-9479 (The "lost password" functionality in b2evolution before 6.7.9 allows r ...) - b2evolution CVE-2016-9478 REJECTED CVE-2016-9477 REJECTED CVE-2016-9476 REJECTED CVE-2016-9475 REJECTED CVE-2016-9474 REJECTED CVE-2016-9473 (Brave Browser iOS before 1.2.18 and Brave Browser Android 1.9.56 and e ...) - brave-browser (bug #864795) CVE-2016-9472 (Revive Adserver before 3.2.5 and 4.0.0 suffers from Reflected XSS. The ...) NOT-FOR-US: Revive Adserver CVE-2016-9471 (Revive Adserver before 3.2.5 and 4.0.0 suffers from Special Element In ...) NOT-FOR-US: Revive Adserver CVE-2016-9470 (Revive Adserver before 3.2.5 and 4.0.0 suffers from Reflected File Dow ...) NOT-FOR-US: Revive Adserver CVE-2016-9469 (Multiple versions of GitLab expose a dangerous method to any authentic ...) - gitlab 8.13.6+dfsg2-2 (bug #847157) NOTE: https://about.gitlab.com/2016/12/05/cve-2016-9469/ NOTE: https://gitlab.com/gitlab-org/gitlab-ce/issues/25064 CVE-2016-9468 (Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before ...) - nextcloud (bug #835086) CVE-2016-9467 (Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before ...) - nextcloud (bug #835086) CVE-2016-9466 (Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and ...) - nextcloud (bug #835086) CVE-2016-9465 (Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and ...) - nextcloud (bug #835086) CVE-2016-9464 (Nextcloud Server before 9.0.54 and 10.0.0 suffers from an improper aut ...) - nextcloud (bug #835086) CVE-2016-9463 (Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before ...) - nextcloud (bug #835086) CVE-2016-9462 (Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are ...) - nextcloud (bug #835086) CVE-2016-9461 (Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are ...) - nextcloud (bug #835086) CVE-2016-9460 (Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are ...) - nextcloud (bug #835086) CVE-2016-9459 (Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are ...) - nextcloud (bug #835086) CVE-2016-9458 REJECTED CVE-2016-9457 (Revive Adserver before 3.2.3 suffers from Reflected XSS. `www/admin/st ...) NOT-FOR-US: Revive Adserver CVE-2016-9456 (Revive Adserver before 3.2.3 suffers from Cross-Site Request Forgery ( ...) NOT-FOR-US: Revive Adserver CVE-2016-9455 (Revive Adserver before 3.2.3 suffers from Cross-Site Request Forgery ( ...) NOT-FOR-US: Revive Adserver CVE-2016-9454 (Revive Adserver before 3.2.3 suffers from Persistent XSS. A vector for ...) NOT-FOR-US: Revive Adserver CVE-2016-9444 (named in ISC BIND 9.x before 9.9.9-P5, 9.10.x before 9.10.4-P5, and 9. ...) {DSA-3758-1 DLA-805-1} [experimental] - bind9 1:9.10.4-P5-1 - bind9 1:9.10.3.dfsg.P4-11 (bug #851062) NOTE: https://kb.isc.org/article/AA-01441/0 CVE-2016-9928 (MCabber before 1.0.4 is vulnerable to roster push attacks, which allow ...) {DLA-2260-1 DLA-724-1} - mcabber 0.10.2-1.1 (bug #845258) NOTE: https://bitbucket.org/McKael/mcabber-crew/commits/6e1ead98930d7dd0a520ad17c720ae4908429033/raw NOTE: Similar issue for mcabber as for gajim in CVE-2015-8688 NOTE: http://www.openwall.com/lists/oss-security/2016/12/09/5 CVE-2016-XXXX [Rorster vulnerability similar to CVE-2015-8688] - slixmpp 1.2.2-1 NOTE: Similar issue for mcabber as for gajim in CVE-2015-8688 (but should get a seprate CVE) CVE-2016-XXXX [TOCTOU race condition in initscript on chown'ing JVM_TMP temporary directory] - tomcat8 8.0.38-1 (bug #840685) [jessie] - tomcat8 8.0.14-1+deb8u4 NOTE: Workaround entry for DSA-3720-1 since no CVE assinged - tomcat7 7.0.72-3 (bug #841655) [jessie] - tomcat7 7.0.56-3+deb8u5 [wheezy] - tomcat7 7.0.28-4+deb7u7 NOTE: Workaround entry for DSA-3721-1 since no CVE assinged NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API - tomcat6 6.0.41-3 NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie CVE-2016-10071 (coders/mat.c in ImageMagick before 6.9.4-0 allows remote attackers to ...) {DSA-3726-1 DLA-756-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #845246) NOTE: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1545366 NOTE: https://github.com/ImageMagick/ImageMagick/issues/131 NOTE: https://github.com/ImageMagick/ImageMagick/commit/f3b483e8b054c50149912523b4773687e18afe25 NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3 CVE-2016-10070 (Heap-based buffer overflow in the CalcMinMax function in coders/mat.c ...) {DSA-3726-1 DLA-756-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #845246) NOTE: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1545366 NOTE: https://github.com/ImageMagick/ImageMagick/issues/131 NOTE: https://github.com/ImageMagick/ImageMagick/commit/b173a352397877775c51c9a0e9d59eb6ce24c455 NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3 CVE-2016-10069 (coders/mat.c in ImageMagick before 6.9.4-5 allows remote attackers to ...) {DSA-3726-1 DLA-756-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #845244) NOTE: https://github.com/ImageMagick/ImageMagick/commit/8a370f9ab120faf182aa160900ba692ba8e2bcf0 NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3 CVE-2016-9559 (coders/tiff.c in ImageMagick before 7.0.3.7 allows remote attackers to ...) {DSA-3726-1 DLA-756-1} - imagemagick 8:6.9.6.5+dfsg-1 (bug #845243) NOTE: https://github.com/ImageMagick/ImageMagick/commit/1c795ce9fe1d6feac8bc36c2e6c5ba7110b671b1 NOTE: https://github.com/ImageMagick/ImageMagick/commit/b61d35eaccc0a7ddeff8a1c3abfcd0a43ccf210b (master) NOTE: https://github.com/ImageMagick/ImageMagick/issues/298 CVE-2016-9773 (Heap-based buffer overflow in the IsPixelGray function in MagickCore/p ...) - imagemagick (Affects only the ImageMagick-7 branch, cf. NOTE) NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/4e8c2ed53fcb54a34b3a6185b2584f26cf6874a3 NOTE: https://blogs.gentoo.org/ago/2016/12/01/imagemagick-heap-based-buffer-overflow-in-ispixelgray-pixel-accessor-h-incomplete-fix-for-cve-2016-9556/ NOTE: https://github.com/ImageMagick/ImageMagick/issues/312 NOTE: Upstream statement: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31045 CVE-2016-9556 (The IsPixelGray function in MagickCore/pixel-accessor.h in ImageMagick ...) {DSA-3726-1 DLA-756-1} - imagemagick 8:6.9.6.5+dfsg-1 (bug #845242) NOTE: https://github.com/ImageMagick/ImageMagick/issues/301 NOTE: https://github.com/ImageMagick/ImageMagick/commit/174de08d7c81ce147689f3b1c73fadd6bf1c023c NOTE: https://github.com/ImageMagick/ImageMagick/commit/ce98a7acbcfca7f0a178f4b1e7b957e419e0cc99 (master) CVE-2016-10068 (The MSL interpreter in ImageMagick before 6.9.6-4 allows remote attack ...) {DSA-3726-1 DLA-756-1} - imagemagick 8:6.9.6.5+dfsg-1 (bug #845241) NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30797 NOTE: https://github.com/ImageMagick/ImageMagick/commit/56d6e20de489113617cbbddaf41e92600a34db22 NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3 CVE-2016-10058 (Memory leak in the ReadPSDLayers function in coders/psd.c in ImageMagi ...) - imagemagick 8:6.9.6.5+dfsg-1 (bug #845239) [jessie] - imagemagick (Vulnerable code using layer_info[i].info introduced later) [wheezy] - imagemagick (Vulnerable code using layer_info[i].info introduced later) NOTE: https://github.com/ImageMagick/ImageMagick/commit/4ec444f4eab88cf4bec664fafcf9cab50bc5ff6a NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3 CVE-2016-10067 (magick/memory.c in ImageMagick before 6.9.4-5 allows remote attackers ...) {DSA-3726-1 DLA-756-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #845213) NOTE: https://github.com/ImageMagick/ImageMagick/commit/0474237508f39c4f783208123431815f1ededb76 NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3 CVE-2016-10066 (Buffer overflow in the ReadVIFFImage function in coders/viff.c in Imag ...) {DSA-3726-1 DLA-756-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #845213) NOTE: https://github.com/ImageMagick/ImageMagick/commit/0474237508f39c4f783208123431815f1ededb76 NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3 CVE-2016-10065 (The ReadVIFFImage function in coders/viff.c in ImageMagick before 7.0. ...) {DSA-3726-1 DLA-756-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #845212) NOTE: https://github.com/ImageMagick/ImageMagick/issues/129 NOTE: https://github.com/ImageMagick/ImageMagick/commit/134463b926fa965571aa4febd61b810be5e7da05 NOTE: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1545183 NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3 CVE-2016-10064 (Buffer overflow in coders/tiff.c in ImageMagick before 6.9.5-1 allows ...) {DSA-3726-1 DLA-756-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #845202) NOTE: https://github.com/ImageMagick/ImageMagick/commit/f8877abac8e568b2f339cca70c2c3c1b6eaec288 NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3 CVE-2016-10063 (Buffer overflow in coders/tiff.c in ImageMagick before 6.9.5-1 allows ...) {DSA-3726-1 DLA-756-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #845198) NOTE: https://github.com/ImageMagick/ImageMagick/commit/2bb6941a2d557f26a2f2049ade466e118eeaab91 NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3 CVE-2016-10062 (The ReadGROUP4Image function in coders/tiff.c in ImageMagick does not ...) {DSA-3799-1 DLA-868-1} - imagemagick 8:6.9.7.4+dfsg-1 (bug #849439) NOTE: https://github.com/ImageMagick/ImageMagick/issues/196 NOTE: https://github.com/ImageMagick/ImageMagick/issues/352 NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3 NOTE: CVE is for the fwrite issue in ReadGROUP4Image. This was NOTE: specifically noted at the beginning of issues/196, but not fixed in NOTE: either of these commits 933e96f01a8c889c7bf5ffd30020e86a02a046e7 nor NOTE: 4e914bbe371433f0590cefdf3bd5f3a5710069f9 upstream. It is not the same NOTE: as the fputc issue in ReadGROUP4Image. NOTE: https://github.com/ImageMagick/ImageMagick/commit/41e955984b034777903cfa61e500a0b922eb9cbd CVE-2016-10061 (The ReadGROUP4Image function in coders/tiff.c in ImageMagick before 7. ...) {DSA-3726-1 DLA-756-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #845196) NOTE: https://github.com/ImageMagick/ImageMagick/commit/4e914bbe371433f0590cefdf3bd5f3a5710069f9 NOTE: https://github.com/ImageMagick/ImageMagick/issues/196 NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3 CVE-2016-10060 (The ConcatenateImages function in MagickWand/magick-cli.c in ImageMagi ...) {DLA-756-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #845196) [jessie] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/commit/933e96f01a8c889c7bf5ffd30020e86a02a046e7 NOTE: https://github.com/ImageMagick/ImageMagick/issues/196 NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3 CVE-2016-10059 (Buffer overflow in coders/tiff.c in ImageMagick before 6.9.4-1 allows ...) {DSA-3726-1 DLA-756-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #845195) NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/58cf5bf4fade82e3b510e8f3463a967278a3e410 NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3 CVE-2016-9448 (The TIFFFetchNormalTag function in LibTiff 4.0.6 allows remote attacke ...) - tiff (Vulnerable code introduced by fix for CVE-2016-9297) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2593 NOTE: Regression introduced by previous fix done on 2016-11-11 for CVE-2016-9297 CVE-2016-9421 (Cross-site scripting (XSS) vulnerability in the Users module in the Ad ...) NOT-FOR-US: MyBB CVE-2016-9420 (MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1 ...) NOT-FOR-US: MyBB CVE-2016-9419 (Cross-site scripting (XSS) vulnerability in the Admin control panel in ...) NOT-FOR-US: MyBB CVE-2016-9418 (MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge Syst ...) NOT-FOR-US: MyBB CVE-2016-9417 (The fetch_remote_file function in MyBB (aka MyBulletinBoard) before 1. ...) NOT-FOR-US: MyBB CVE-2016-9416 (SQL injection vulnerability in the users data handler in MyBB (aka MyB ...) NOT-FOR-US: MyBB CVE-2016-9415 (MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge Syst ...) NOT-FOR-US: MyBB CVE-2016-9414 (MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1 ...) NOT-FOR-US: MyBB CVE-2016-9413 (The Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and ...) NOT-FOR-US: MyBB CVE-2016-9412 (MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1 ...) NOT-FOR-US: MyBB CVE-2016-9411 (The Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and ...) NOT-FOR-US: MyBB CVE-2016-9410 (MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1 ...) NOT-FOR-US: MyBB CVE-2016-9409 (Cross-site scripting (XSS) vulnerability in the Admin control panel in ...) NOT-FOR-US: MyBB CVE-2016-9408 (Cross-site scripting (XSS) vulnerability in the Mod control panel in M ...) NOT-FOR-US: MyBB CVE-2016-9407 (Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) ...) NOT-FOR-US: MyBB CVE-2016-9406 (Cross-site scripting (XSS) vulnerability in the User control panel in ...) NOT-FOR-US: MyBB CVE-2016-9405 (Cross-site scripting (XSS) vulnerability in member validation in MyBB ...) NOT-FOR-US: MyBB CVE-2016-9404 (Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) ...) NOT-FOR-US: MyBB CVE-2016-9403 (newreply.php in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge ...) NOT-FOR-US: MyBB CVE-2016-9402 (SQL injection vulnerability in the moderation tool in MyBB (aka MyBull ...) NOT-FOR-US: MyBB CVE-2016-9386 (The x86 emulator in Xen does not properly treat x86 NULL segments as u ...) {DSA-3729-1 DLA-720-1} - xen 4.8.0-1 (bug #845663) NOTE: https://xenbits.xen.org/xsa/advisory-191.html CVE-2016-9385 (The x86 segment base write emulation functionality in Xen 4.4.x throug ...) {DSA-3729-1} - xen 4.8.0-1 (bug #845665) [wheezy] - xen (Only affects Xen >= 4.4) NOTE: https://xenbits.xen.org/xsa/advisory-193.html CVE-2016-9384 (Xen 4.7 allows local guest OS users to obtain sensitive host informati ...) - xen 4.8.0-1 (bug #845667) [jessie] - xen (Only affects Xen >= 4.7) [wheezy] - xen (Only affects Xen >= 4.7) NOTE: https://xenbits.xen.org/xsa/advisory-194.html CVE-2016-9383 (Xen, when running on a 64-bit hypervisor, allows local x86 guest OS us ...) {DSA-3729-1 DLA-720-1} - xen 4.8.0-1 (bug #845668) NOTE: https://xenbits.xen.org/xsa/advisory-195.html CVE-2016-9382 (Xen 4.0.x through 4.7.x mishandle x86 task switches to VM86 mode, whic ...) {DSA-3729-1 DLA-720-1} - xen 4.8.0-1 (bug #845664) NOTE: https://xenbits.xen.org/xsa/advisory-192.html CVE-2016-9381 (Race condition in QEMU in Xen allows local x86 HVM guest OS administra ...) {DLA-720-1} - xen 4.4.0-1 NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: https://xenbits.xen.org/xsa/advisory-197.html CVE-2016-9380 (The pygrub boot loader emulator in Xen, when nul-delimited output form ...) {DSA-3729-1 DLA-720-1} - xen 4.8.0-1 (bug #845670) NOTE: https://xenbits.xen.org/xsa/advisory-198.html CVE-2016-9379 (The pygrub boot loader emulator in Xen, when S-expression output forma ...) {DSA-3729-1 DLA-720-1} - xen 4.8.0-1 (bug #845670) NOTE: https://xenbits.xen.org/xsa/advisory-198.html CVE-2016-9378 (Xen 4.5.x through 4.7.x on AMD systems without the NRip feature, when ...) - xen 4.8.0-1 (bug #845669) [jessie] - xen (Only 4.5 onwards vulnerable) [wheezy] - xen (Only 4.5 onwards vulnerable) NOTE: https://xenbits.xen.org/xsa/advisory-196.html CVE-2016-9377 (Xen 4.5.x through 4.7.x on AMD systems without the NRip feature, when ...) - xen 4.8.0-1 (bug #845669) [jessie] - xen (Only 4.5 onwards vulnerable) [wheezy] - xen (Only 4.5 onwards vulnerable) NOTE: https://xenbits.xen.org/xsa/advisory-196.html CVE-2016-9371 (An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPor ...) NOT-FOR-US: Moxa CVE-2016-9370 REJECTED CVE-2016-9369 (An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPor ...) NOT-FOR-US: Moxa CVE-2016-9368 (An issue was discovered in Eaton xComfort Ethernet Communication Inter ...) NOT-FOR-US: Eaton xComfort Ethernet Communication Interface CVE-2016-9367 (An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPor ...) NOT-FOR-US: Moxa CVE-2016-9366 (An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPor ...) NOT-FOR-US: Moxa CVE-2016-9365 (An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPor ...) NOT-FOR-US: Moxa CVE-2016-9364 (An issue was discovered in Fidelix FX-20 series controllers, versions ...) NOT-FOR-US: Moxa CVE-2016-9363 (An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPor ...) NOT-FOR-US: Moxa CVE-2016-9362 (An issue was discovered in WAGO 750-8202/PFC200 prior to FW04 (release ...) NOT-FOR-US: WAGO CVE-2016-9361 (An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPor ...) NOT-FOR-US: Moxa CVE-2016-9360 (An issue was discovered in General Electric (GE) Proficy HMI/SCADA iFI ...) NOT-FOR-US: General Electric CVE-2016-9359 REJECTED CVE-2016-9358 (A Hard-Coded Passwords issue was discovered in Marel Food Processing S ...) NOT-FOR-US: Marel CVE-2016-9357 (An issue was discovered in certain legacy Eaton ePDUs -- the affected ...) NOT-FOR-US: legacy Eaton ePDUs CVE-2016-9356 (An issue was discovered in Moxa DACenter Versions 1.4 and older. The a ...) NOT-FOR-US: Moxa CVE-2016-9355 (An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8 ...) NOT-FOR-US: Alaris 8015 Point of Care CVE-2016-9354 (An issue was discovered in Moxa DACenter Versions 1.4 and older. A spe ...) NOT-FOR-US: Moxa CVE-2016-9353 (An issue was discovered in Advantech SUISAccess Server Version 3.0 and ...) NOT-FOR-US: Advantech SUISAccess Server CVE-2016-9352 REJECTED CVE-2016-9351 (An issue was discovered in Advantech SUISAccess Server Version 3.0 and ...) NOT-FOR-US: Advantech SUISAccess Server CVE-2016-9350 REJECTED CVE-2016-9349 (An issue was discovered in Advantech SUISAccess Server Version 3.0 and ...) NOT-FOR-US: Advantech SUISAccess Server CVE-2016-9348 (An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPor ...) NOT-FOR-US: Moxa CVE-2016-9347 (An issue was discovered in Emerson SE4801T0X Redundant Wireless I/O Ca ...) NOT-FOR-US: Emerson CVE-2016-9346 (An issue was discovered in Moxa MiiNePort E1 versions prior to 1.8, E2 ...) NOT-FOR-US: Moxa CVE-2016-9345 (An issue was discovered in Emerson DeltaV Easy Security Management Del ...) NOT-FOR-US: Emerson CVE-2016-9344 (An issue was discovered in Moxa MiiNePort E1 versions prior to 1.8, E2 ...) NOT-FOR-US: Moxa CVE-2016-9343 (An issue was discovered in Rockwell Automation Logix5000 Programmable ...) NOT-FOR-US: Rockwell CVE-2016-9342 REJECTED CVE-2016-9341 REJECTED CVE-2016-9340 REJECTED CVE-2016-9339 (An issue was discovered in INTERSCHALT Maritime Systems VDR G4e Versio ...) NOT-FOR-US: INTERSCHALT Maritime Systems CVE-2016-9338 (An issue was discovered in Rockwell Automation Allen-Bradley MicroLogi ...) NOT-FOR-US: Rockwell CVE-2016-9337 (An issue was discovered in Tesla Motors Model S automobile, all firmwa ...) NOT-FOR-US: Tesla car CVE-2016-9336 REJECTED CVE-2016-9335 (A hard-coded cryptographic key vulnerability was identified in Red Lio ...) NOT-FOR-US: Red Lion Controls Sixnet-Managed Industrial Switches CVE-2016-9334 (An issue was discovered in Rockwell Automation Allen-Bradley MicroLogi ...) NOT-FOR-US: Rockwell CVE-2016-9333 (An issue was discovered in Moxa SoftCMS versions prior to Version 1.6. ...) NOT-FOR-US: Moxa CVE-2016-9332 (An issue was discovered in Moxa SoftCMS versions prior to Version 1.6. ...) NOT-FOR-US: Moxa CVE-2015-8978 (In Soap Lite (aka the SOAP::Lite extension for Perl) 1.14 and earlier, ...) {DLA-723-1} - libsoap-lite-perl 1.19-1 [jessie] - libsoap-lite-perl (Minor issue) NOTE: https://github.com/redhotpenguin/soaplite/pull/21 NOTE: https://github.com/redhotpenguin/soaplite/commit/6942fe0d281be1c32c5117605f9c4e8d44f51124 CVE-2015-8977 (MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and My ...) NOT-FOR-US: MyBB CVE-2015-8976 (Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) ...) NOT-FOR-US: MyBB CVE-2015-8975 (Cross-site scripting (XSS) vulnerability in the error handler in MyBB ...) NOT-FOR-US: MyBB CVE-2015-8974 (SQL injection vulnerability in the Group Promotions module in the admi ...) NOT-FOR-US: MyBB CVE-2015-8973 (xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x befo ...) NOT-FOR-US: MyBB CVE-2016-9453 (The t2p_readwrite_pdf_image_tile function in LibTIFF allows remote att ...) {DSA-3762-1} - tiff 4.0.6-3 [wheezy] - tiff 4.0.2-6+deb7u7 NOTE: CVE-2016-9453 for wheezy fixed via CVE-2016-5652 - tiff3 [wheezy] - tiff3 (Tools not shipped by tiff3) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2579 NOTE: https://github.com/vadz/libtiff/commit/d2955714a4a0b8ca10941550cfbf64c7e111fbf1 NOTE: For unstable this fix was included in the fix for TALOS-CAN-0187 / CVE-2016-5652 NOTE: and included in patches/09-CVE-2016-5652.patch NOTE: Problem not reproducible in wheezy with 4.0.2-6+deb7u7, in jessie with 4.0.3-12.3+deb8u1, in both cases I get this output (but no segfault or error with valgrind): NOTE: TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order. NOTE: TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered. NOTE: TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered. NOTE: TIFFReadDirectory: IO error during reading of "BitsPerSample". NOTE: tiff2pdf: Can't open input file ./CVE-2016-9453.tiff for reading. CVE-2016-9446 (The vmnc decoder in the gstreamer does not initialize the render canva ...) {DSA-3717-1 DLA-712-1} - gst-plugins-bad0.10 - gst-plugins-bad1.0 1.10.1-1 NOTE: http://scarybeastsecurity.blogspot.de/2016/11/0day-poc-risky-design-decisions-in.html NOTE: Upstream Bug: https://bugzilla.gnome.org/show_bug.cgi?id=774533 NOTE: Fixed by: https://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/?id=4cb1bcf1422bbcd79c0f683edb7ee85e3f7a31fe CVE-2016-9445 (Integer overflow in the vmnc decoder in the gstreamer allows remote at ...) {DSA-3717-1 DLA-712-1} - gst-plugins-bad0.10 - gst-plugins-bad1.0 1.10.1-1 NOTE: http://scarybeastsecurity.blogspot.de/2016/11/0day-poc-risky-design-decisions-in.html NOTE: Upstream Bug: https://bugzilla.gnome.org/show_bug.cgi?id=774533 NOTE: Fixed by: https://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/?id=4cb1bcf1422bbcd79c0f683edb7ee85e3f7a31fe CVE-2016-9452 (The transliterate mechanism in Drupal 8.x before 8.2.3 allows remote a ...) - drupal8 (bug #756305) - drupal7 (Only affects Drupal 8) NOTE: https://www.drupal.org/SA-CORE-2016-005 NOTE: http://www.openwall.com/lists/oss-security/2016/11/18/8 CVE-2016-9451 (Confirmation forms in Drupal 7.x before 7.52 make it easier for remote ...) {DSA-3718-1 DLA-715-1} - drupal7 7.52-1 NOTE: https://www.drupal.org/SA-CORE-2016-005 NOTE: http://www.openwall.com/lists/oss-security/2016/11/18/8 CVE-2016-9450 (The user password reset form in Drupal 8.x before 8.2.3 allows remote ...) - drupal8 (bug #756305) - drupal7 (Only affects Drupal 8) NOTE: https://www.drupal.org/SA-CORE-2016-005 NOTE: http://www.openwall.com/lists/oss-security/2016/11/18/8 CVE-2016-9449 (The taxonomy module in Drupal 7.x before 7.52 and 8.x before 8.2.3 mig ...) {DSA-3718-1 DLA-715-1} - drupal8 (bug #756305) - drupal7 7.52-1 NOTE: https://www.drupal.org/SA-CORE-2016-005 NOTE: http://www.openwall.com/lists/oss-security/2016/11/18/8 CVE-2016-9443 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-30 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/28 CVE-2016-9442 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-30 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/commit/d43527cfa0dbb3ccefec4a6f7b32c1434739aa29 CVE-2016-9441 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-30 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/24 CVE-2016-9440 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-30 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/22 CVE-2016-9439 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-33 (bug #844726) [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/20 CVE-2016-9438 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-30 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/18 CVE-2016-9437 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-30 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/17 CVE-2016-9436 (parsetagx.c in w3m before 0.5.3+git20161009 does not properly initiali ...) - w3m 0.5.3-30 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/16 NOTE: Fixed by: https://github.com/tats/w3m/commit/33509cc81ec5f2ba44eb6fd98bd5c1b5873e46bd CVE-2016-9435 (The HTMLtagproc1 function in file.c in w3m before 0.5.3+git20161009 do ...) - w3m 0.5.3-30 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/16 NOTE: Fixed by: https://github.com/tats/w3m/commit/33509cc81ec5f2ba44eb6fd98bd5c1b5873e46bd CVE-2016-9434 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-30 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/15 CVE-2016-9433 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-30 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/14 CVE-2016-9432 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-30 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/13 CVE-2016-9431 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-30 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/10 CVE-2016-9430 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-30 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/7 CVE-2016-9429 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-30 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/29 CVE-2016-9428 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-30 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/26 CVE-2016-9427 (Integer overflow vulnerability in bdwgc before 2016-09-27 allows attac ...) {DLA-721-1} [experimental] - libgc 1:7.4.4-1 - libgc 1:7.6.4-0.3 (bug #844771) [stretch] - libgc (Minor issue) [jessie] - libgc (Minor issue) NOTE: https://github.com/ivmai/bdwgc/issues/135 NOTE: Fixed by https://github.com/ivmai/bdwgc/commit/4e1a6f9d8f2a49403bbd00b8c8e5324048fb84d4 NOTE: Fixed by https://github.com/ivmai/bdwgc/commit/7292c02fac2066d39dd1bcc37d1a7054fd1e32ee NOTE: Fixed by https://github.com/ivmai/bdwgc/commit/552ad0834672fed86ada6430150ef9ebdd3f54d7 CVE-2016-9426 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-30 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/25 CVE-2016-9425 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-30 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/21 CVE-2016-9424 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-30 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/12 CVE-2016-9423 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-30 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/9 CVE-2016-9422 (An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3 ...) - w3m 0.5.3-30 [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/8 CVE-2016-9401 (popd in bash might allow local users to bypass the restricted shell an ...) {DLA-1726-1} - bash 4.4-3 (bug #844727) [wheezy] - bash (Minor issue) NOTE: Upstream bash considers this issue only to be a bug. NOTE: Proposed patch: https://lists.gnu.org/archive/html/bug-bash/2016-11/msg00116.html NOTE: Fixed by (4.4): https://ftp.gnu.org/pub/gnu/bash/bash-4.4-patches/bash44-006 CVE-2016-9399 (The calcstepsizes function in jpc_dec.c in JasPer 1.900.22 allows remo ...) - jasper (unimportant) NOTE: Testcase: https://github.com/asarubbo/poc/blob/master/00044-jasper-assert-calcstepsizes NOTE: Negligible security impact CVE-2016-9398 (The jpc_floorlog2 function in jpc_math.c in JasPer before 1.900.17 all ...) - jasper (unimportant) NOTE: Testcase: https://github.com/asarubbo/poc/blob/master/00023-jasper-assert-jpc_floorlog2 NOTE: Negligible security impact CVE-2016-9397 (The jpc_dequantize function in jpc_dec.c in JasPer 1.900.13 allows rem ...) - jasper (unimportant) NOTE: Testcase: https://github.com/asarubbo/poc/blob/master/00010-jasper-assert-jpc_dequantize NOTE: Negligible security impact CVE-2016-9396 (The JPC_NOMINALGAIN function in jpc/jpc_t1cod.c in JasPer through 2.0. ...) - jasper (unimportant) NOTE: Testcase: https://github.com/asarubbo/poc/blob/master/00004-jasper-assert-JPC_NOMINALGAIN NOTE: Negligible security impact CVE-2016-9395 (The jas_seq2d_create function in jas_seq.c in JasPer before 1.900.25 a ...) - jasper (unimportant) NOTE: Fix: https://github.com/mdadams/jasper/commit/d42b2388f7f8e0332c846675133acea151fc557a NOTE: Testcase: https://github.com/asarubbo/poc/blob/master/00043-jasper-assert-jas_matrix_t NOTE: Negligible security impact CVE-2016-9394 (The jas_seq2d_create function in jas_seq.c in JasPer before 1.900.17 a ...) - jasper (unimportant) NOTE: Fix: https://github.com/mdadams/jasper/commit/f7038068550fba0e41e1d0c355787f1dcd5bf330 NOTE: Testcase: https://github.com/asarubbo/poc/blob/master/00016-jasper-assert-jas_matrix_t NOTE: Negligible security impact CVE-2016-9393 (The jpc_pi_nextrpcl function in jpc_t2cod.c in JasPer before 1.900.17 ...) - jasper (unimportant) NOTE: Fix: https://github.com/mdadams/jasper/commit/f7038068550fba0e41e1d0c355787f1dcd5bf330 NOTE: Testcase: https://github.com/asarubbo/poc/blob/master/00013-jasper-assert-jpc_pi_nextrpcl NOTE: Negligible security impact CVE-2016-9392 (The calcstepsizes function in jpc_dec.c in JasPer before 1.900.17 allo ...) - jasper (unimportant) NOTE: Fix: https://github.com/mdadams/jasper/commit/f7038068550fba0e41e1d0c355787f1dcd5bf330 NOTE: Testcase: https://github.com/asarubbo/poc/blob/master/00012-jasper-assert-calcstepsizes NOTE: Negligible security impact CVE-2016-9391 (The jpc_bitstream_getbits function in jpc_bs.c in JasPer before 2.0.10 ...) - jasper (unimportant) NOTE: Fix: https://github.com/mdadams/jasper/commit/1e84674d95353c64e5c4c0e7232ae86fd6ea813b NOTE: Testcase: https://github.com/asarubbo/poc/blob/master/00014-jasper-assert-jpc_bitstream_getbits NOTE: Negligible security impact CVE-2016-9390 (The jas_seq2d_create function in jas_seq.c in JasPer before 1.900.14 a ...) - jasper (unimportant) NOTE: Fix: https://github.com/mdadams/jasper/commit/ba2b9d000660313af7b692542afbd374c5685865 NOTE: Testcase: https://github.com/asarubbo/poc/blob/master/00007-jasper-assert-jas_matrix_t NOTE: Negligible security impact CVE-2016-9389 (The jpc_irct and jpc_iict functions in jpc_mct.c in JasPer before 1.90 ...) - jasper (unimportant) NOTE: Fix: https://github.com/mdadams/jasper/commit/dee11ec440d7908d1daf69f40a3324b27cf213ba NOTE: Testcase: https://github.com/asarubbo/poc/blob/master/00006-jasper-assert-jpc_irct NOTE: Testcase: https://github.com/asarubbo/poc/blob/master/00008-jasper-assert-jpc_iict NOTE: Negligible security impact CVE-2016-9388 (The ras_getcmap function in ras_dec.c in JasPer before 1.900.14 allows ...) - jasper (unimportant) NOTE: Fix: https://github.com/mdadams/jasper/commit/411a4068f8c464e883358bf403a3e25158863823 NOTE: Testcase: https://github.com/asarubbo/poc/blob/master/00005-jasper-assert-ras_getcmap NOTE: Negligible security impact CVE-2016-9387 (Integer overflow in the jpc_dec_process_siz function in libjasper/jpc/ ...) - jasper (unimportant) NOTE: Fix: https://github.com/mdadams/jasper/commit/d91198abd00fc435a397fe6bad906a4c1748e9cf NOTE: Testcase: https://github.com/asarubbo/poc/blob/master/00003-jasper-assert-jas_matrix_t NOTE: Negligible security impact CVE-2016-9372 (In Wireshark 2.2.0 to 2.2.1, the Profinet I/O dissector could loop exc ...) - wireshark 2.2.2+g9c5aae3-1 [jessie] - wireshark (Only affects 2.2.x) [wheezy] - wireshark (Only affects 2.2.x) NOTE: https://www.wireshark.org/docs/relnotes/wireshark-2.2.2.html NOTE: https://www.wireshark.org/security/wnpa-sec-2016-58.html CVE-2016-9373 (In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the DCERPC dissector c ...) {DSA-3719-1 DLA-714-1} - wireshark 2.2.2+g9c5aae3-1 NOTE: https://www.wireshark.org/docs/relnotes/wireshark-2.2.2.html NOTE: https://www.wireshark.org/security/wnpa-sec-2016-61.html CVE-2016-9374 (In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the AllJoyn dissector ...) {DSA-3719-1 DLA-714-1} - wireshark 2.2.2+g9c5aae3-1 NOTE: https://www.wireshark.org/docs/relnotes/wireshark-2.2.2.html NOTE: https://www.wireshark.org/security/wnpa-sec-2016-59.html CVE-2016-9375 (In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the DTN dissector coul ...) {DSA-3719-1 DLA-714-1} - wireshark 2.2.2+g9c5aae3-1 NOTE: https://www.wireshark.org/docs/relnotes/wireshark-2.2.2.html NOTE: https://www.wireshark.org/security/wnpa-sec-2016-62.html CVE-2016-9376 (In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the OpenFlow dissector ...) {DSA-3719-1 DLA-714-1} - wireshark 2.2.2+g9c5aae3-1 NOTE: https://www.wireshark.org/docs/relnotes/wireshark-2.2.2.html NOTE: https://www.wireshark.org/security/wnpa-sec-2016-60.html CVE-2016-9331 REJECTED CVE-2016-9330 REJECTED CVE-2016-9329 REJECTED CVE-2016-9328 REJECTED CVE-2016-9327 REJECTED CVE-2016-9326 REJECTED CVE-2016-9325 REJECTED CVE-2016-9324 REJECTED CVE-2016-9323 REJECTED CVE-2016-9322 REJECTED CVE-2016-9400 (The CClient::ProcessServerPacket method in engine/client/client.cpp in ...) - teeworlds 0.6.4+dfsg-1 (bug #844546) [jessie] - teeworlds (Minor issue; can be fixed via point release) [wheezy] - teeworlds (Games are not supported in Wheezy) NOTE: https://www.teeworlds.com/?page=news&id=12086 NOTE: https://github.com/teeworlds/teeworlds/commit/ff254722a2683867fcb3e67569ffd36226c4bc62 (0.6.4-release) NOTE: http://www.openwall.com/lists/oss-security/2016/11/16/8 CVE-2016-9321 RESERVED CVE-2016-9320 RESERVED CVE-2016-9319 (There is Missing SSL Certificate Validation in the Trend Micro Enterpr ...) NOT-FOR-US: Trend Micro CVE-2016-9318 (libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and ot ...) [experimental] - libxml2 2.9.8+dfsg-1 - libxml2 2.9.10+dfsg-2 (bug #844581) [buster] - libxml2 (Minor issue; intrusive to backport) [stretch] - libxml2 (Minor issue; intrusive to backport) [jessie] - libxml2 (Minor issue; intrusive to backport) [wheezy] - libxml2 (Minor issue) NOTE: Upstream Bug: https://bugzilla.gnome.org/show_bug.cgi?id=772726 NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=2304078555896cf1638c628f50326aeef6f0e0d0 NOTE: The patch introduces a new option that can be specified if this NOTE: behaviour is wanted. Not enforced by default. NOTE: The option though was reverted in https://git.gnome.org/browse/libxml2/commit/?id=030b1f7a27c22f9237eddca49ec5e620b6258d7d NOTE: New proposed/commited fix: https://git.gnome.org/browse/libxml2/commit/?id=ad88b54f1a28a8565964a370b5d387927b633c0d CVE-2016-9317 (The gdImageCreate function in the GD Graphics Library (aka libgd) befo ...) {DSA-3777-1 DLA-804-1} - libgd2 2.2.4-1 NOTE: https://github.com/libgd/libgd/commit/6944ea10cb730d5071620439c6c2e823e6caeff1 NOTE: https://github.com/libgd/libgd/issues/340 CVE-2016-9316 (Multiple stored Cross-Site-Scripting (XSS) vulnerabilities in com.tren ...) NOT-FOR-US: Trend Micro CVE-2016-9315 (Privilege Escalation Vulnerability in com.trend.iwss.gui.servlet.updat ...) NOT-FOR-US: Trend Micro CVE-2016-9314 (Sensitive Information Disclosure in com.trend.iwss.gui.servlet.ConfigB ...) NOT-FOR-US: Trend Micro CVE-2016-9313 (security/keys/big_key.c in the Linux kernel before 4.8.7 mishandles un ...) - linux 4.8.7-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/7df3e59c3d1df4f87fe874c7956ef7a3d2f4d5fb (v4.9-rc3) NOTE: Introduced by: https://git.kernel.org/linus/13100a72f40f5748a04017e0ab3df4cf27c809ef (v4.7-rc1) CVE-2016-9312 (ntpd in NTP before 4.2.8p9, when running on Windows, allows remote att ...) - ntp (Only ntpd on Windows) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3110 NOTE: Only relevant for ntpd on Windows, but fixed source-wise in 1:4.2.8p9+dfsg-1 CVE-2016-9311 (ntpd in NTP before 4.2.8p9, when the trap service is enabled, allows r ...) - ntp 1:4.2.8p9+dfsg-1 [jessie] - ntp (Minor issue) [wheezy] - ntp (Minor issue, not vulnerable by default) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3119 NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0204/ NOTE: Only affects configurations that do not have "restrict noquery", Debian's default config does have that restriction. CVE-2016-9310 (The control mode (mode 6) functionality in ntpd in NTP before 4.2.8p9 ...) - ntp 1:4.2.8p9+dfsg-1 [jessie] - ntp (Minor issue) [wheezy] - ntp (Minor issue, not vulnerable by default) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3118 NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0203/ NOTE: Only affects configurations that do not have "restrict noquery", Debian's default config does have that restriction. CVE-2016-9309 RESERVED CVE-2016-9308 RESERVED CVE-2016-9307 (Multiple buffer overflows in the Autodesk FBX-SDK before 2017.1 can al ...) NOT-FOR-US: Autodesk CVE-2016-9306 (Multiple buffer overflows in the Autodesk FBX-SDK before 2017.1 can al ...) NOT-FOR-US: Autodesk CVE-2016-9305 (Improper handling in the Autodesk FBX-SDK before 2017.1 of type mismat ...) NOT-FOR-US: Autodesk CVE-2016-9304 (Multiple buffer overflows in the Autodesk FBX-SDK before 2017.1 can al ...) NOT-FOR-US: Autodesk CVE-2016-9303 (Multiple buffer overflows in the Autodesk FBX-SDK before 2017.1 can al ...) NOT-FOR-US: Autodesk CVE-2016-9295 RESERVED CVE-2016-9293 RESERVED CVE-2016-9292 RESERVED CVE-2016-9291 RESERVED CVE-2016-9290 RESERVED CVE-2016-9289 RESERVED CVE-2016-9288 (In framework/modules/navigation/controllers/navigationController.php i ...) NOT-FOR-US: Exponent CMS CVE-2016-9287 (In /framework/modules/notfound/controllers/notfoundController.php of E ...) NOT-FOR-US: Exponent CMS CVE-2016-9286 (framework/modules/users/controllers/usersController.php in Exponent CM ...) NOT-FOR-US: Exponent CMS CVE-2016-9285 (framework/modules/addressbook/controllers/addressController.php in Exp ...) NOT-FOR-US: Exponent CMS CVE-2016-9284 (getUsersByJSON in framework/modules/users/controllers/usersController. ...) NOT-FOR-US: Exponent CMS CVE-2016-9283 (SQL Injection in framework/core/subsystems/expRouter.php in Exponent C ...) NOT-FOR-US: Exponent CMS CVE-2016-9282 (SQL Injection in framework/modules/search/controllers/searchController ...) NOT-FOR-US: Exponent CMS CVE-2016-9281 RESERVED CVE-2016-9280 RESERVED CVE-2016-9277 (Integer overflow in SystemUI in KK(4.4) and L(5.0/5.1) on Samsung Note ...) NOT-FOR-US: Samsung CVE-2016-9274 (Untrusted search path vulnerability in Git 1.x for Windows allows loca ...) NOT-FOR-US: Git-for-Windows (Git fork containing Windows-specific patches) CVE-2016-9272 (A Blind SQL Injection Vulnerability in Exponent CMS through 2.4.0, wit ...) NOT-FOR-US: Exponent CMS CVE-2016-9271 (Cloudera Manager 5.7.x before 5.7.6, 5.8.x before 5.8.4, and 5.9.x bef ...) NOT-FOR-US: Cloudera CVE-2016-9270 RESERVED CVE-2016-9269 (Remote Command Execution in com.trend.iwss.gui.servlet.ManagePatches i ...) NOT-FOR-US: Trend Micro CVE-2016-9268 (Unrestricted file upload vulnerability in the Blog appearance in the " ...) - dotclear NOTE: http://dev.dotclear.org/2.0/changeset/445e9ff79a1fa81033591761d6a340e219d159b2 NOTE: http://dev.dotclear.org/2.0/ticket/2214 CVE-2016-9267 RESERVED CVE-2016-9263 (WordPress through 4.8.2, when domain-based flashmediaelement.swf sandb ...) {DLA-1151-1} - wordpress 4.1+dfsg-1 NOTE: https://opnsec.com/2017/10/cve-2016-9263-unpatched-xsf-vulnerability-in-wordpress/ NOTE: flashmediaelement.swf removed from source tree starting in 4.1+dfsg-1 CVE-2016-9447 (The ROM mappings in the NSF decoder in gstreamer 0.10.x allow remote a ...) {DSA-3713-1 DLA-712-1} - gst-plugins-bad0.10 NOTE: http://scarybeastsecurity.blogspot.de/2016/11/0day-exploit-compromising-linux-desktop.html CVE-2016-9299 (The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allow ...) - jenkins NOTE: http://www.openwall.com/lists/oss-security/2016/11/12/4 CVE-2016-9298 (Heap overflow in the WaveletDenoiseImage function in MagickCore/fx.c i ...) - imagemagick 8:6.9.6.5+dfsg-1 (bug #844211) [jessie] - imagemagick (Vulnerable code not present) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/296 NOTE: http://www.openwall.com/lists/oss-security/2016/11/13/1 CVE-2016-9300 REJECTED CVE-2016-9301 REJECTED CVE-2016-9302 REJECTED CVE-2016-9297 (The TIFFFetchNormalTag function in LibTiff 4.0.6 allows remote attacke ...) {DSA-3762-1 DLA-716-1} - tiff 4.0.7-1 (bug #844226) - tiff3 [wheezy] - tiff3 (Unreproducible) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2590 NOTE: http://www.openwall.com/lists/oss-security/2016/11/12/2 NOTE: Patch https://github.com/vadz/libtiff/commit/30c9234c7fd0dd5e8b1e83ad44370c875a0270ed NOTE: Reproducible with valgrind in wheezy with 4.0.2-6+deb7u7 NOTE: Reproducible with valgrind in jessie with 4.0.3-12.3+deb8u1 NOTE: When fixing this CVE make sure to make the fix complete and not NOTE: introduce CVE-2016-9448 / http://bugzilla.maptools.org/show_bug.cgi?id=2593 NOTE: Fix in 4.0.7 is complete. NOTE: Patch CVE-2016-9448: https://github.com/vadz/libtiff/commit/89406285f318ffad27af4b200204394b2ee6ba5e CVE-2016-9540 (tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds write on tiled im ...) {DSA-3762-1 DLA-795-1} - tiff 4.0.7-1 - tiff3 (tiff3 not shipping tools) NOTE: https://github.com/vadz/libtiff/commit/5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3 CVE-2016-9539 (tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds read in readCon ...) - tiff 4.0.7-1 (unimportant) - tiff3 (tiff3 not shipping tools) NOTE: https://github.com/vadz/libtiff/commit/ae9365db1b271b62b35ce018eac8799b1d5e8a53 NOTE: Crash in CLI tool, no security impact CVE-2016-9538 (tools/tiffcrop.c in libtiff 4.0.6 reads an undefined buffer in readCon ...) {DSA-3762-1 DLA-795-1} - tiff 4.0.7-1 - tiff3 (tiff3 not shipping tools) NOTE: https://github.com/vadz/libtiff/commit/43c0b81a818640429317c80fea1e66771e85024b#diff-c8b4b355f9b5c06d585b23138e1c185f CVE-2016-9537 (tools/tiffcrop.c in libtiff 4.0.6 has out-of-bounds write vulnerabilit ...) {DSA-3762-1 DLA-795-1} - tiff 4.0.7-1 - tiff3 (tiff3 not shipping tools) NOTE: https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a#diff-c8b4b355f9b5c06d585b23138e1c185f CVE-2016-9536 (tools/tiff2pdf.c in libtiff 4.0.6 has out-of-bounds write vulnerabilit ...) {DSA-3762-1 DLA-795-1} - tiff 4.0.7-1 - tiff3 (tiff3 not shipping tools) NOTE: https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a#diff-5173a9b3b48146e4fd86d7b9b346115e CVE-2016-9535 (tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that ...) {DSA-3844-1 DLA-880-1 DLA-795-1} - tiff 4.0.7-1 - tiff3 NOTE: https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1 NOTE: https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33 CVE-2016-9534 (tif_write.c in libtiff 4.0.6 has an issue in the error code path of TI ...) {DSA-3762-1 DLA-880-1 DLA-795-1} - tiff 4.0.7-1 - tiff3 NOTE: https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a#diff-5be5ce02d0dea67050d5b2a10102d1ba CVE-2016-9533 (tif_pixarlog.c in libtiff 4.0.6 has out-of-bounds write vulnerabilitie ...) {DSA-3762-1 DLA-880-1 DLA-795-1} - tiff 4.0.7-1 - tiff3 NOTE: https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a#diff-bdc795f6afeb9558c1012b3cfae729ef CVE-2016-9532 (Integer overflow in the writeBufferToSeparateStrips function in tiffcr ...) {DSA-3762-1 DLA-716-1} - tiff 4.0.7-1 (bug #844057) - tiff3 [wheezy] - tiff3 (Tools not shipped by tiff3) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2592 NOTE: Patch: https://github.com/vadz/libtiff/commit/21d39de1002a5e69caa0574b2cc05d795d6fbfad NOTE: http://www.openwall.com/lists/oss-security/2016/11/11/14 CVE-2016-9296 (A null pointer dereference bug affects the 16.02 and many old versions ...) - p7zip 16.02+dfsg-2 (unimportant; bug #844344) [jessie] - p7zip (Vulnerable code with potential NULL pointer dereference introduced later) [wheezy] - p7zip (Vulnerable code with potential NULL pointer dereference introduced later) NOTE: https://sourceforge.net/p/p7zip/bugs/185/ NOTE: no security impact CVE-2016-9294 (Artifex Software, Inc. MuJS before 5008105780c0b0182ea6eda83ad5598f225 ...) NOT-FOR-US: MuJS CVE-2016-9279 (Use-after-free vulnerability in the Samsung Exynos fimg2d driver for A ...) NOT-FOR-US: Samsung Exynos fimg2d driver for Android CVE-2016-9278 (The Samsung Exynos fimg2d driver for Android with Exynos 5433, 54xx, o ...) NOT-FOR-US: Samsung Exynos fimg2d driver for Android CVE-2016-9276 (The dwarf_get_aranges_list function in dwarf_arrange.c in Libdwarf bef ...) - dwarfutils 20161124-1 (bug #844011) [jessie] - dwarfutils (Minor issue) [wheezy] - dwarfutils (Minor issue) NOTE: https://sourceforge.net/p/libdwarf/code/ci/583f8834083b5ef834c497f5b47797e16101a9a6/ NOTE: https://blogs.gentoo.org/ago/2016/11/07/libdwarf-heap-based-buffer-overflow-in-dwarf_get_aranges_list-dwarf_arange-c NOTE: Same commit as for CVE-2016-9275. Needs the dwarf_arange.c part of the commit. CVE-2016-9275 (Heap-based buffer overflow in the _dwarf_skim_forms function in libdwa ...) - dwarfutils 20161124-1 (bug #844012) [jessie] - dwarfutils (Vulnerable code not present) [wheezy] - dwarfutils (Vulnerable code not present) NOTE: https://sourceforge.net/p/libdwarf/code/ci/583f8834083b5ef834c497f5b47797e16101a9a6/ NOTE: https://blogs.gentoo.org/ago/2016/11/07/libdwarf-heap-based-buffer-overflow-in-_dwarf_skim_forms-dwarf_macro5-c NOTE: Same commit as for CVE-2016-9276. Needs the dwarf_macro5.c part of the commit. CVE-2016-9273 (tiffsplit in libtiff 4.0.6 allows remote attackers to cause a denial o ...) {DSA-3762-1 DLA-716-1} - tiff 4.0.7-1 (bug #844013) - tiff3 [wheezy] - tiff3 (Unreproducible) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2587 NOTE: Patch: https://github.com/vadz/libtiff/commit/d651abc097d91fac57f33b5f9447d0a9183f58e7 NOTE: Can be reproduced with valgrind in wheezy with libtiff 4.0.2-6+deb7u7 NOTE: Can be reproduced with valgrind in jessie with libtiff 4.0.3-12.3+deb8u1 CVE-2016-9261 (Cross-site scripting (XSS) vulnerability in Tenable Log Correlation En ...) NOT-FOR-US: Tenable Log Correlation Engine CVE-2016-9260 (Cross-site scripting (XSS) vulnerability in Tenable Nessus before 6.9 ...) NOT-FOR-US: Nessus CVE-2016-9259 (Cross-site scripting (XSS) vulnerability in Tenable Nessus before 6.9. ...) NOT-FOR-US: Nessus CVE-2017-0305 (F5 SSL Intercept iApp version 1.5.0 - 1.5.7 is vulnerable to an unauth ...) NOT-FOR-US: F5 CVE-2017-0304 (A SQL injection vulnerability exists in the BIG-IP AFM management UI o ...) NOT-FOR-US: F5 BIG-IP CVE-2017-0303 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Contro ...) NOT-FOR-US: F5 CVE-2017-0302 (In F5 BIG-IP APM 12.0.0 through 12.1.2 and 13.0.0, an authenticated us ...) NOT-FOR-US: F5 CVE-2017-0301 (In F5 BIG-IP APM software versions 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11. ...) NOT-FOR-US: F5 BIG-IP CVE-2016-9266 (listmp3.c in libming 0.4.7 allows remote attackers to unspecified impa ...) {DLA-799-1} - ming (bug #843928) NOTE: https://blogs.gentoo.org/ago/2016/11/09/libming-listmp3-left-shift-in-listmp3-c NOTE: https://github.com/libming/libming/issues/53 CVE-2016-9265 (The printMP3Headers function in listmp3.c in Libming 0.4.7 allows remo ...) {DLA-799-1} - ming (bug #843928) NOTE: https://blogs.gentoo.org/ago/2016/11/09/libming-listmp3-divide-by-zero-in-printmp3headers-list NOTE: https://github.com/libming/libming/issues/52 CVE-2016-9264 (Buffer overflow in the printMP3Headers function in listmp3.c in Libmin ...) {DLA-799-1} - ming (bug #843928) NOTE: https://blogs.gentoo.org/ago/2016/11/07/libming-listmp3-global-buffer-overflow-in-printmp3headers-listmp3-c NOTE: https://github.com/libming/libming/issues/51 CVE-2016-9262 (Multiple integer overflows in the (1) jas_realloc function in base/jas ...) - jasper [jessie] - jasper (Vulnerable code introduced later) [wheezy] - jasper (Vulnerable code introduced later) NOTE: Fixed by: https://github.com/mdadams/jasper/commit/634ce8e8a5accc0fa05dd2c20d42b4749d4b2735 NOTE: The use-afer-free seems to be introduced in a version later tha 1.900.1 but the NOTE: CVE is assigned for everything fixed in the above commit, a such seems till NOTE: present in the 1.900.1 based versions. Still ok to mark as not-affected NOTE: https://blogs.gentoo.org/ago/2016/11/07/jasper-use-after-free-in-jas_realloc-jas_malloc-c CVE-2016-9258 REJECTED CVE-2016-9257 (In F5 BIG-IP APM 12.0.0 through 12.1.2, non-authenticated users may be ...) NOT-FOR-US: F5 CVE-2016-9256 (In F5 BIG-IP 12.1.0 through 12.1.2, permissions enforced by iControl c ...) NOT-FOR-US: F5 CVE-2016-9255 REJECTED CVE-2016-9254 REJECTED CVE-2016-9253 (In F5 BIG-IP 12.1.0 through 12.1.2, specific websocket traffic pattern ...) NOT-FOR-US: F5 CVE-2016-9252 (The Traffic Management Microkernel (TMM) in F5 BIG-IP before 11.5.4 HF ...) NOT-FOR-US: F5 BIG-IP CVE-2016-9251 (In F5 BIG-IP 12.0.0 through 12.1.2, an authenticated attacker may be a ...) NOT-FOR-US: F5 CVE-2016-9250 (In F5 BIG-IP 11.2.1, 11.4.0 through 11.6.1, and 12.0.0 through 12.1.2, ...) NOT-FOR-US: F5 CVE-2016-9249 (An undisclosed traffic pattern received by a BIG-IP Virtual Server wit ...) NOT-FOR-US: F5 CVE-2016-9248 REJECTED CVE-2016-9247 (Under certain conditions for BIG-IP systems using a virtual server wit ...) NOT-FOR-US: F5 CVE-2016-9246 REJECTED CVE-2016-9245 (In F5 BIG-IP systems 12.1.0 - 12.1.2, malicious requests made to virtu ...) NOT-FOR-US: F5 CVE-2016-9244 (A BIG-IP virtual server configured with a Client SSL profile that has ...) NOT-FOR-US: F5 TLS stack NOTE: https://ticketbleed.com/ CVE-2016-9243 (HKDF in cryptography before 1.5.2 returns an empty byte-string if used ...) - python-cryptography 1.5.3-1 [jessie] - python-cryptography 0.6.1-1+deb8u1 NOTE: Upstream bug: https://github.com/pyca/cryptography/issues/3211 NOTE: Upstream commit: https://github.com/pyca/cryptography/commit/b924696b2e8731f39696584d12cceeb3aeb2d874 NOTE: http://www.openwall.com/lists/oss-security/2016/11/08/6 CVE-2016-9242 (Multiple SQL injection vulnerabilities in the update method in framewo ...) NOT-FOR-US: Exponent CMS CVE-2016-9241 REJECTED CVE-2016-9240 REJECTED CVE-2016-9239 REJECTED CVE-2016-9238 REJECTED CVE-2016-9237 REJECTED CVE-2016-9236 REJECTED CVE-2016-9235 REJECTED CVE-2016-9234 REJECTED CVE-2016-9233 REJECTED CVE-2016-9232 REJECTED CVE-2016-9231 REJECTED CVE-2016-9230 REJECTED CVE-2016-9229 REJECTED CVE-2016-9228 REJECTED CVE-2016-9227 REJECTED CVE-2016-9226 REJECTED CVE-2016-9225 (A vulnerability in the data plane IP fragment handler of the Cisco Ada ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2016-9224 (A vulnerability in the Cisco Jabber Guest Server could allow an unauth ...) NOT-FOR-US: Cisco CVE-2016-9223 (A vulnerability in the Docker Engine configuration of Cisco CloudCente ...) NOT-FOR-US: Cisco CVE-2016-9222 (A vulnerability in the web-based management interface of Cisco NetFlow ...) NOT-FOR-US: Cisco CVE-2016-9221 (A Denial of Service Vulnerability in 802.11 ingress connection authent ...) NOT-FOR-US: Cisco CVE-2016-9220 (A Denial of Service Vulnerability in 802.11 ingress packet processing ...) NOT-FOR-US: Cisco CVE-2016-9219 (A vulnerability with IPv6 UDP ingress packet processing in Cisco Wirel ...) NOT-FOR-US: Cisco CVE-2016-9218 (A vulnerability in Cisco Hybrid Meeting Server could allow an unauthen ...) NOT-FOR-US: Cisco CVE-2016-9217 (A vulnerability in Cisco Intercloud Fabric for Business and Cisco Inte ...) NOT-FOR-US: Cisco CVE-2016-9216 (An IKE Packet Parsing Denial of Service Vulnerability in the ipsecmgr ...) NOT-FOR-US: Cisco ASR 5000 CVE-2016-9215 (A vulnerability in Cisco IOS XR Software could allow an authenticated, ...) NOT-FOR-US: Cisco CVE-2016-9214 (Cisco Identity Services Engine (ISE) contains a vulnerability that cou ...) NOT-FOR-US: Cisco CVE-2016-9213 REJECTED CVE-2016-9212 (A vulnerability in the Decrypt for End-User Notification configuration ...) NOT-FOR-US: Cisco CVE-2016-9211 (A vulnerability in TCP port management in Cisco ONS 15454 Series Multi ...) NOT-FOR-US: Cisco CVE-2016-9210 (A vulnerability in the Cisco Unified Reporting upload tool accessed vi ...) NOT-FOR-US: Cisco CVE-2016-9209 (A vulnerability in TCP processing in Cisco FirePOWER system software c ...) NOT-FOR-US: Cisco CVE-2016-9208 (A vulnerability in the File Management Utility, the Download File form ...) NOT-FOR-US: Cisco CVE-2016-9207 (A vulnerability in the HTTP traffic server component of Cisco Expressw ...) NOT-FOR-US: Cisco CVE-2016-9206 (A vulnerability in the ccmadmin page of Cisco Unified Communications M ...) NOT-FOR-US: Cisco CVE-2016-9205 (A vulnerability in the HTTP 2.0 request handling code of Cisco IOS XR ...) NOT-FOR-US: Cisco CVE-2016-9204 (A vulnerability in the Cisco Intercloud Fabric (ICF) Director could al ...) NOT-FOR-US: Cisco CVE-2016-9203 (A vulnerability in the Internet Key Exchange Version 2 (IKEv2) feature ...) NOT-FOR-US: Cisco CVE-2016-9202 (A vulnerability in the web-based management interface of Cisco Email S ...) NOT-FOR-US: Cisco CVE-2016-9201 (A vulnerability in the Zone-Based Firewall feature of Cisco IOS and Ci ...) NOT-FOR-US: Cisco CVE-2016-9200 (A vulnerability in the web framework code of Cisco Prime Collaboration ...) NOT-FOR-US: Cisco CVE-2016-9199 (A vulnerability in the Cisco application-hosting framework (CAF) of Ci ...) NOT-FOR-US: Cisco CVE-2016-9198 (A vulnerability in the Active Directory integration component of Cisco ...) NOT-FOR-US: Cisco CVE-2016-9197 (A vulnerability in the CLI command parser of the Cisco Mobility Expres ...) NOT-FOR-US: Cisco CVE-2016-9196 (A vulnerability in login authentication management in Cisco Aironet 18 ...) NOT-FOR-US: Cisco CVE-2016-9195 (A vulnerability in RADIUS Change of Authorization (CoA) request proces ...) NOT-FOR-US: Cisco CVE-2016-9194 (A vulnerability in 802.11 Wireless Multimedia Extensions (WME) action ...) NOT-FOR-US: Cisco CVE-2016-9193 (A vulnerability in the malicious file detection and blocking features ...) NOT-FOR-US: Cisco CVE-2016-9192 (A vulnerability in Cisco AnyConnect Secure Mobility Client for Windows ...) NOT-FOR-US: Cisco CVE-2015-8972 (Stack-based buffer overflow in the ValidateMove function in frontend/m ...) - gnuchess 6.2.4-1 (unimportant) NOTE: Built with hardening flags, no security impact NOTE: http://lists.gnu.org/archive/html/bug-gnu-chess/2015-10/msg00002.html NOTE: http://svn.savannah.gnu.org/viewvc?view=rev&root=chess&revision=134 CVE-2015-8971 (Terminology 0.7.0 allows remote attackers to execute arbitrary command ...) {DSA-3712-1} - terminology 0.7.0-2 (bug #843434) NOTE: https://git.enlightenment.org/apps/terminology.git/commit/?id=b80bedc7c21ecffe99d8d142930db696eebdd6a5 NOTE: http://www.openwall.com/lists/oss-security/2016/11/04/12 CVE-2016-9191 (The cgroup offline implementation in the Linux kernel through 4.8.11 m ...) {DSA-3791-1} - linux 4.9.6-1 [wheezy] - linux (Vulnerable code introduced in 3.11-rc1) NOTE: Fixed by: https://git.kernel.org/linus/93362fa47fe98b62e4a34ab408c4a418432e7939 (v4.10-rc4) NOTE: Introduced by: https://git.kernel.org/linus/f0c3b5093addc8bfe9fe3a5b01acb7ec7969eafa (v3.11-rc1) CVE-2016-9190 (Pillow before 3.3.2 allows context-dependent attackers to execute arbi ...) {DSA-3710-1 DLA-705-1} - pillow 3.4.2-1 - python-imaging NOTE: https://github.com/python-pillow/Pillow/issues/2105 NOTE: https://github.com/python-pillow/Pillow/pull/2146/commits/5d8a0be45aad78c5a22c8d099118ee26ef8144af CVE-2016-9189 (Pillow before 3.3.2 allows context-dependent attackers to obtain sensi ...) {DSA-3710-1 DLA-705-1} - pillow 3.4.2-1 - python-imaging NOTE: https://github.com/python-pillow/Pillow/issues/2105 NOTE: https://github.com/python-pillow/Pillow/pull/2146/commits/c50ebe6459a131a1ea8ca531f10da616d3ceaa0f CVE-2016-9188 (Cross-site scripting (XSS) vulnerabilities in Moodle CMS on or before ...) NOTE: Moodle upstream does not believe it is a security vulnerability and the reporter NOTE: did not followed up on requests from upstream to provide clarification, cf. #851405 CVE-2016-9187 (Unrestricted file upload vulnerability in the double extension support ...) NOTE: Moodle upstream does not believe it is a security vulnerability and the reporter NOTE: did not followed up on requests from upstream to provide clarification, cf. #851405 CVE-2016-9186 (Unrestricted file upload vulnerability in the "legacy course files" an ...) NOTE: Moodle upstream does not believe it is a security vulnerability and the reporter NOTE: did not followed up on requests from upstream to provide clarification, cf. #851405 CVE-2016-9185 (In OpenStack Heat, by launching a new Heat stack with a local URL an a ...) - heat 1:7.0.0-2 (bug #843232) [jessie] - heat (Minor issue) NOTE: https://bugs.launchpad.net/ossa/+bug/1606500 CVE-2016-9184 (In /framework/modules/core/controllers/expHTMLEditorController.php of ...) NOT-FOR-US: Exponent CMS CVE-2016-9183 (In /framework/modules/ecommerce/controllers/orderController.php of Exp ...) NOT-FOR-US: Exponent CMS CVE-2016-9182 (Exponent CMS 2.4 uses PHP reflection to call a method of a controller ...) NOT-FOR-US: Exponent CMS CVE-2016-9177 (Directory traversal vulnerability in Spark 2.5 allows remote attackers ...) NOT-FOR-US: Spark (sparkjava) CVE-2016-9176 (Stack buffer overflow in the send.exe and receive.exe components of Mi ...) NOT-FOR-US: Micro Focus Rumba CVE-2016-9175 REJECTED CVE-2016-9174 REJECTED CVE-2016-9173 REJECTED CVE-2016-9172 REJECTED CVE-2016-9171 REJECTED CVE-2016-9170 REJECTED CVE-2016-9169 (A reflected XSS vulnerability exists in the web console of the Documen ...) NOT-FOR-US: Novell CVE-2016-9168 (A missing X-Frame-Options header in the NDS Utility Monitor in NDSD in ...) NOT-FOR-US: Novell CVE-2016-9167 (NDSD in Novell eDirectory before 9.0.2 did not calculate ACLs on LDAP ...) NOT-FOR-US: Novell CVE-2016-9166 (NetIQ eDirectory versions prior to 9.0.2, under some circumstances, co ...) NOT-FOR-US: Novell CVE-2016-9165 (The get_sessions servlet in CA Unified Infrastructure Management (form ...) NOT-FOR-US: CA Unified Infrastructure Management CVE-2016-9164 (Directory traversal vulnerability in diag.jsp file in CA Unified Infra ...) NOT-FOR-US: CA Unified Infrastructure Management CVE-2016-9163 REJECTED CVE-2016-9162 REJECTED CVE-2016-9161 REJECTED CVE-2016-9160 (A vulnerability in SIEMENS SIMATIC WinCC (All versions < SIMATIC Wi ...) NOT-FOR-US: Siemens SIMATIC WinCC CVE-2016-9159 (A vulnerability has been identified in SIMATIC S7-300 CPU family (All ...) NOT-FOR-US: Siemens SIMATIC CVE-2016-9158 (A vulnerability has been identified in SIMATIC S7-300 CPU family (All ...) NOT-FOR-US: Siemens SIMATIC CVE-2016-9157 (A vulnerability in Siemens SICAM PAS (all versions before V8.09) could ...) NOT-FOR-US: Siemens SICAM PAS CVE-2016-9156 (A vulnerability in Siemens SICAM PAS (all versions before V8.09) could ...) NOT-FOR-US: Siemens SICAM PAS CVE-2016-9155 (The following SIEMENS branded IP Camera Models CCMW3025, CVMW3025-IR, ...) NOT-FOR-US: Siemens CVE-2016-9154 (Siemens Desigo PX Web modules PXA40-W0, PXA40-W1, PXA40-W2 for Desigo ...) NOT-FOR-US: Siemens Desigo PX CVE-2016-9153 RESERVED CVE-2016-9152 (Cross-site scripting (XSS) vulnerability in ecrire/exec/plonger.php in ...) {DLA-738-1} - spip 3.1.4-2 (bug #847156) [jessie] - spip 3.0.17-2+deb8u3 NOTE: https://core.spip.net/projects/spip/repository/revisions/23290 CVE-2016-9151 (Palo Alto Networks PAN-OS before 5.0.20, 5.1.x before 5.1.13, 6.0.x be ...) NOT-FOR-US: PAN-OS CVE-2016-9150 (Buffer overflow in the management web interface in Palo Alto Networks ...) NOT-FOR-US: PAN-OS CVE-2016-9149 (The Addresses Object parser in Palo Alto Networks PAN-OS before 5.0.20 ...) NOT-FOR-US: PAN-OS CVE-2016-9148 (Cross-site scripting (XSS) vulnerability in CA Service Desk Manager (f ...) NOT-FOR-US: CA Service Desk Manager CVE-2016-9147 (named in ISC BIND 9.9.9-P4, 9.9.9-S6, 9.10.4-P4, and 9.11.0-P1 allows ...) {DSA-3758-1 DLA-805-1} [experimental] - bind9 1:9.10.4-P5-1 - bind9 1:9.10.3.dfsg.P4-11 (bug #851063) NOTE: https://kb.isc.org/article/AA-01440/0 CVE-2015-8969 (git-fastclone before 1.0.5 passes user modifiable strings directly to ...) NOT-FOR-US: git-fastclone CVE-2015-8968 (git-fastclone before 1.0.1 permits arbitrary shell command execution f ...) NOT-FOR-US: git-fastclone CVE-2015-8970 (crypto/algif_skcipher.c in the Linux kernel before 4.4.2 does not veri ...) - linux 4.4.2-1 [jessie] - linux 3.16.7-ckt25-1 [wheezy] - linux 3.2.78-1 NOTE: https://groups.google.com/forum/#!msg/syzkaller/frb2XrB5aWk/xCXzkIBcDAAJ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1386286 NOTE: Fixed by: https://git.kernel.org/linus/dd504589577d8e8e70f51f997ad487a4cb6c026f (v4.5-rc1) NOTE: Followed by a complete set of related upstrema commits. See kernel-sec NOTE: triage for details. NOTE: http://www.openwall.com/lists/oss-security/2016/11/03/6 CVE-2016-9179 (lynx: It was found that Lynx doesn't parse the authority component of ...) {DLA-719-1} - lynx 2.8.9dev11-1 (bug #843258) - lynx-cur [jessie] - lynx-cur (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2016/11/03/4 NOTE: Slight mitigation and documentation improvement was done in 2.8.9dev.10 upstream NOTE: the uplaod to unstable as 2.8.9dev10-1 CVE-2016-9644 (The __get_user_asm_ex macro in arch/x86/include/asm/uaccess.h in the L ...) - linux (Vulnerable code not present) NOTE: No incorrect backport of CVE-2016-9178 done in Debian NOTE: This is only an issue if 1c109fabbd51863475cd12ac206bdd249aee35af NOTE: (added in 4.8) is backported without also backporting NOTE: 548acf19234dbda5a52d5a8e7e205af46e9da840 (added in 4.6), as such NOTE: src:linux was never affected. 1c109fabbd5 also wasn't backported to NOTE: the 3.2 and 3.16 LTS series NOTE: http://www.openwall.com/lists/oss-security/2016/11/03/2 CVE-2016-9178 (The __get_user_asm_ex macro in arch/x86/include/asm/uaccess.h in the L ...) {DLA-772-1} - linux 4.7.5-1 [jessie] - linux 3.16.39-1 NOTE: Fixed by: https://git.kernel.org/linus/1c109fabbd51863475cd12ac206bdd249aee35af (4.8-rc7) NOTE: If this issue is fixed for older versions be careful to not open same issue as CVE-2016-9644 CVE-2016-9146 RESERVED CVE-2016-9145 REJECTED CVE-2016-9144 REJECTED CVE-2016-9143 REJECTED CVE-2016-9142 REJECTED CVE-2016-9141 REJECTED CVE-2016-9181 (perl-Image-Info: When parsing an SVG file, external entity expansion ( ...) - libimage-info-perl 1.39-1 (bug #842891) [jessie] - libimage-info-perl (Minor issue) [wheezy] - libimage-info-perl (Minor issue) NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=118099 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1379556 NOTE: Upstream commit: https://github.com/eserte/image-info/commit/781625b643bc05ba92127a4554de7910f3f2f8e6 NOTE: http://www.openwall.com/lists/oss-security/2016/11/02/1 NOTE: Older versions of libimage-info-perl only can use XML::Simple. NOTE: Controlling XXE processing behavior in XML::Simple is not really NOTE: possible (see https://rt.cpan.org/Ticket/Display.html?id=83794), NOTE: so as a workaround the underlying SAX parser is fixed to NOTE: XML::SAX::PurePerl which is uncapable of processing external entities NOTE: but unfortunately it is also a slow parser. CVE-2016-9180 (perl-XML-Twig: The option to `expand_external_ents`, documented as con ...) - libxml-twig-perl 1:3.50-1.1 (low; bug #842893) [stretch] - libxml-twig-perl (Minor issue; can be fixed via point release) [jessie] - libxml-twig-perl (Minor issue; can be fixed via point release) [wheezy] - libxml-twig-perl (Minor issue, new flag would require changes to applications too, not worth the effort) NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=118097 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1379553 NOTE: http://www.openwall.com/lists/oss-security/2016/11/02/1 NOTE: Release 3.50 adds a no_xxe flag which will fail to parse files with external entities. NOTE: 2016-12-13: The corresponding changes is not in the public git repository yet: https://github.com/mirod/xmltwig/commits/master CVE-2016-9136 (Artifex Software, Inc. MuJS before a0ceaf5050faf419401fe1b83acfa950ec8 ...) NOT-FOR-US: MuJS CVE-2016-9135 (Exponent CMS 2.3.9 suffers from a SQL injection vulnerability in "/fra ...) NOT-FOR-US: Exponent CMS CVE-2016-9134 (Exponent CMS 2.3.9 suffers from a SQL injection vulnerability in "/exp ...) NOT-FOR-US: Exponent CMS CVE-2016-9133 RESERVED CVE-2016-9132 (In Botan 1.8.0 through 1.11.33, when decoding BER data an integer over ...) {DLA-786-1} - botan1.10 1.10.14-1 [jessie] - botan1.10 (Minor issue, not believed to be exploitable in practice) NOTE: Fixed in 1.10.14 and 1.11.34, all prior versions affected. NOTE: Fixed by: https://github.com/randombit/botan/commit/987ad747db6d0d7e36f840398f3cf02e2fbfd90f CVE-2016-9131 (named in ISC BIND 9.x before 9.9.9-P5, 9.10.x before 9.10.4-P5, and 9. ...) {DSA-3758-1 DLA-805-1} [experimental] - bind9 1:9.10.4-P5-1 - bind9 1:9.10.3.dfsg.P4-11 (bug #851065) NOTE: https://kb.isc.org/article/AA-01439/0 CVE-2016-9130 (Revive Adserver before 3.2.3 suffers from Persistent XSS. A vector for ...) NOT-FOR-US: Revive Adserver CVE-2016-9129 (Revive Adserver before 3.2.3 suffers from Information Exposure Through ...) NOT-FOR-US: Revive Adserver CVE-2016-9128 (Revive Adserver before 3.2.3 suffers from reflected XSS. The affiliate ...) NOT-FOR-US: Revive Adserver CVE-2016-9127 (Revive Adserver before 3.2.3 suffers from Cross-Site Request Forgery ( ...) NOT-FOR-US: Revive Adserver CVE-2016-9126 (Revive Adserver before 3.2.3 suffers from persistent XSS. Usernames ar ...) NOT-FOR-US: Revive Adserver CVE-2016-9125 (Revive Adserver before 3.2.3 suffers from session fixation, by allowin ...) NOT-FOR-US: Revive Adserver CVE-2016-9124 (Revive Adserver before 3.2.3 suffers from Improper Restriction of Exce ...) NOT-FOR-US: Revive Adserver CVE-2016-9123 (go-jose before 1.0.5 suffers from a CBC-HMAC integer overflow on 32-bi ...) - golang-gopkg-square-go-jose.v1 1.0.5-1 CVE-2016-9122 (go-jose before 1.0.4 suffers from multiple signatures exploitation. Th ...) - golang-gopkg-square-go-jose.v1 1.0.5-1 CVE-2016-9121 (go-jose before 1.0.4 suffers from an invalid curve attack for the ECDH ...) - golang-gopkg-square-go-jose.v1 1.0.5-1 CVE-2016-9140 REJECTED CVE-2016-9139 (Cross-site scripting (XSS) vulnerability in Open Ticket Request System ...) {DLA-787-1} - otrs2 5.0.14-1 (bug #843091) [jessie] - otrs2 3.3.18-1+deb8u1 NOTE: https://community.otrs.com/security-advisory-2016-02-security-update-otrs NOTE: http://www.openwall.com/lists/oss-security/2016/11/01/5 NOTE: upstream fix likely https://github.com/OTRS/otrs/commit/6578a8bcf82529461302291ab3fcb500363b005a CVE-2016-9120 (Race condition in the ion_ioctl function in drivers/staging/android/io ...) - linux 4.6.1-1 (unimportant) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/9590232bb4f4cc824f3425a6e1349afbe6d6d2b7 (v4.6-rc1) CVE-2016-9119 (Cross-site scripting (XSS) vulnerability in the link dialogue in GUI e ...) {DSA-3715-1 DLA-717-1} - moin 1.9.9-1 (bug #844338) NOTE: Fixed by: http://hg.moinmo.in/moin/1.9/rev/3bddf075fdbd CVE-2016-9118 (Heap Buffer Overflow (WRITE of size 4) in function pnmtoimage of conve ...) {DSA-4013-1} - openjpeg2 2.1.2-1.2 (bug #844557) NOTE: https://github.com/uclouvain/openjpeg/issues/861 NOTE: https://github.com/uclouvain/openjpeg/commit/c22cbd8bdf8ff2ae372f94391a4be2d322b36b41 CVE-2016-9117 (NULL Pointer Access in function imagetopnm of convert.c(jp2):1289 in O ...) - openjpeg2 (unimportant; bug #844556) NOTE: https://github.com/uclouvain/openjpeg/issues/860 NOTE: No code injection, function only exposed in the CLI tool CVE-2016-9116 (NULL Pointer Access in function imagetopnm of convert.c:2226(jp2) in O ...) - openjpeg2 (unimportant; bug #844555) NOTE: https://github.com/uclouvain/openjpeg/issues/859 NOTE: No code injection, function only exposed in the CLI tool CVE-2016-9115 (Heap Buffer Over-read in function imagetotga of convert.c(jp2):942 in ...) - openjpeg2 (unimportant; bug #844554) NOTE: https://github.com/uclouvain/openjpeg/issues/858 NOTE: No code injection, function only exposed in the CLI tool CVE-2016-9114 (There is a NULL Pointer Access in function imagetopnm of convert.c:194 ...) - openjpeg2 (unimportant; bug #844553) NOTE: https://github.com/uclouvain/openjpeg/issues/857 NOTE: No code injection, function only exposed in the CLI tool CVE-2016-9113 (There is a NULL pointer dereference in function imagetobmp of convertb ...) - openjpeg2 (unimportant; bug #844552) NOTE: https://github.com/uclouvain/openjpeg/issues/856 NOTE: No code injection, function only exposed in the CLI tool CVE-2016-9112 (Floating Point Exception (aka FPE or divide by zero) in opj_pi_next_cp ...) {DLA-1851-1} - openjpeg2 2.1.2-1.2 (bug #844551) [stretch] - openjpeg2 2.1.2-1.1+deb9u4 NOTE: https://github.com/uclouvain/openjpeg/commit/d27ccf01c68a31ad62b33d2dc1ba2bb1eeaafe7b NOTE: https://github.com/uclouvain/openjpeg/issues/855 CVE-2016-9111 (Incorrect access control mechanisms in Citrix Receiver Desktop Lock 4. ...) NOT-FOR-US: Citrix CVE-2016-9110 RESERVED CVE-2016-9100 (Symantec Advanced Secure Gateway (ASG) 6.6 prior to 6.6.5.13, ASG 6.7 ...) NOT-FOR-US: Symantec CVE-2016-9099 (Symantec Advanced Secure Gateway (ASG) 6.6, ASG 6.7 prior to 6.7.2.1, ...) NOT-FOR-US: Symantec CVE-2016-9098 REJECTED CVE-2016-9097 (The Symantec Advanced Secure Gateway (ASG) 6.6 prior to 6.6.5.8, Proxy ...) NOT-FOR-US: Symantec CVE-2016-9096 REJECTED CVE-2016-9095 REJECTED CVE-2016-9094 (Symantec Endpoint Protection clients place detected malware in quarant ...) NOT-FOR-US: Symantec CVE-2016-9093 (A version of the SymEvent Driver that shipped with Symantec Endpoint P ...) NOT-FOR-US: Symantec CVE-2016-9092 (The Symantec Content Analysis (CA) 1.3, 2.x prior to 2.2.1.1, and Mail ...) NOT-FOR-US: Symantec CVE-2016-9091 (Blue Coat Advanced Secure Gateway (ASG) 6.6 before 6.6.5.4 and Content ...) NOT-FOR-US: Blue Coat Advanced Secure Gateway CVE-2016-9090 RESERVED CVE-2016-9089 RESERVED CVE-2015-8967 (arch/arm64/kernel/sys.c in the Linux kernel before 4.0 allows local us ...) - linux 4.0.2-1 (unimportant) NOTE: Fixed by: https://git.kernel.org/linus/c623b33b4e9599c6ac5076f7db7369eb9869aa04 (v4.0-rc1) NOTE: Missing security mitigation, not a vulnerability per se CVE-2015-8966 (arch/arm/kernel/sys_oabi-compat.c in the Linux kernel before 4.4 allow ...) - linux 4.4.2-1 [jessie] - linux 3.16.7-ckt25-1 [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/76cc404bfdc0d419c720de4daaf2584542734f42 (v4.4-rc8) CVE-2016-9109 (Artifex Software MuJS allows attackers to cause a denial of service (c ...) NOT-FOR-US: MuJS CVE-2016-9108 (Integer overflow in the js_regcomp function in regexp.c in Artifex Sof ...) NOT-FOR-US: MuJS CVE-2016-9107 (The OTR plugin for Gajim sends information in cleartext when using XHT ...) - gajim-otr (bug #722130) NOTE: Upstream bug: https://trac-plugins.gajim.org/ticket/145 NOTE: Upstream fix: https://trac-plugins.gajim.org/changeset/c7c2e519ed63377bc943dd01c4661b0fe49321ae NOTE: http://www.openwall.com/lists/oss-security/2016/10/30/2 CVE-2014-9910 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Android Broadcom driver CVE-2014-9909 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Android Broadcom driver CVE-2016-9106 (Memory leak in the v9fs_write function in hw/9pfs/9p.c in QEMU (aka Qu ...) {DLA-1599-1 DLA-698-1 DLA-689-1} - qemu 1:2.8+dfsg-1 (bug #842463) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02623.html NOTE: http://www.openwall.com/lists/oss-security/2016/10/28/4 NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=fdfcc9aeea1492f4b819a24c94dfb678145b1bf9 CVE-2016-9105 (Memory leak in the v9fs_link function in hw/9pfs/9p.c in QEMU (aka Qui ...) {DLA-1599-1 DLA-698-1 DLA-689-1} - qemu 1:2.8+dfsg-1 (bug #842463) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02608.html NOTE: http://www.openwall.com/lists/oss-security/2016/10/28/3 NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=4c1586787ff43c9acd18a56c12d720e3e6be9f7c CVE-2016-9104 (Multiple integer overflows in the (1) v9fs_xattr_read and (2) v9fs_xat ...) {DLA-1599-1 DLA-698-1 DLA-689-1} - qemu 1:2.8+dfsg-1 (bug #842463) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02942.html NOTE: http://www.openwall.com/lists/oss-security/2016/10/28/2 CVE-2016-9103 (The v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emula ...) {DLA-1599-1 DLA-698-1 DLA-689-1} - qemu 1:2.8+dfsg-1 (bug #842463) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg01790.html NOTE: http://www.openwall.com/lists/oss-security/2016/10/28/1 NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=eb687602853b4ae656e9236ee4222609f3a6887d CVE-2016-9102 (Memory leak in the v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU ( ...) {DLA-1599-1 DLA-698-1 DLA-689-1} - qemu 1:2.8+dfsg-1 (bug #842463) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg01861.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1389550 NOTE: http://www.openwall.com/lists/oss-security/2016/10/27/15 NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=ff55e94d23ae94c8628b0115320157c763eb3e06 CVE-2016-9101 (Memory leak in hw/net/eepro100.c in QEMU (aka Quick Emulator) allows l ...) {DLA-1599-1 DLA-698-1 DLA-689-1} - qemu 1:2.8+dfsg-1 (bug #842455) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg03024.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1389538 NOTE: http://www.openwall.com/lists/oss-security/2016/10/27/14 NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=2634ab7fe29b3f75d0865b719caf8f310d634aae (v2.8.0-rc0) CVE-2016-9088 RESERVED CVE-2016-9087 (SQL injection vulnerability in framework/modules/filedownloads/control ...) NOT-FOR-US: Exponent CMS CVE-2016-9086 (GitLab versions 8.9.x and above contain a critical security flaw in th ...) - gitlab 8.13.3+dfsg1-2 (bug #843519) NOTE: https://hackerone.com/reports/178152 NOTE: https://about.gitlab.com/2016/11/02/cve-2016-9086-patches/ CVE-2016-9081 (Joomla! 3.4.4 through 3.6.3 allows attackers to reset username, passwo ...) NOT-FOR-US: Joomla! CVE-2016-9080 (Memory safety bugs were reported in Firefox 50.0.2. Some of these bugs ...) - firefox 50.1.0-1 - firefox-esr (Only affects Firefox 50.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/#CVE-2016-9080 CVE-2016-9079 (A use-after-free vulnerability in SVG Animation has been discovered. A ...) {DSA-3730-1 DSA-3728-1 DLA-752-1 DLA-730-1} - firefox 50.0.2-1 - firefox-esr 45.5.1esr-1 - icedove 1:45.5.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/#CVE-2016-9079 CVE-2016-9078 (Redirection from an HTTP connection to a "data:" URL assigns the refer ...) - firefox 50.0.2-1 - firefox-esr (Does not affect Firefox 45 ESR release) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-91/ CVE-2016-9077 (Canvas allows the use of the "feDisplacementMap" filter on images load ...) - firefox 50.0-1 - firefox-esr (Does not affect Firefox 45 ESR release) CVE-2016-9076 (An issue where a "<select>" dropdown menu can be used to cover l ...) - firefox 50.0-1 - firefox-esr (Does not affect Firefox 45 ESR release) CVE-2016-9075 (An issue where WebExtensions can use the mozAddonManager API to elevat ...) - firefox 50.0-1 - firefox-esr (Does not affect Firefox 45 ESR release) CVE-2016-9074 (An existing mitigation of timing side-channel attacks is insufficient ...) {DSA-3730-1 DSA-3716-1 DLA-759-1 DLA-752-1} - nss 2:3.26.2-1 [jessie] - nss 2:3.26-1+debu8u5 NOTE: Fixed by (3_26_BRANCH): https://hg.mozilla.org/projects/nss/rev/d38536fcc726 (3.26.1) - firefox-esr 45.5.0esr-1 - icedove 1:45.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-90/#CVE-2016-9074 CVE-2016-9073 (WebExtensions can bypass security checks to load privileged URLs and p ...) - firefox 50.0-1 - firefox-esr (Does not affect Firefox 45 ESR release) CVE-2016-9072 (When a new Firefox profile is created on 64-bit Windows installations, ...) - firefox (Only affects Firefox on Windows 64bit) - firefox-esr (Does not affect Firefox 45 ESR release) CVE-2016-9071 (Content Security Policy combined with HTTP to HTTPS redirection can be ...) - firefox 50.0-1 - firefox-esr (Does not affect Firefox 45 ESR release) CVE-2016-9070 (A maliciously crafted page loaded to the sidebar through a bookmark ca ...) - firefox 50.0-1 - firefox-esr (Does not affect Firefox 45 ESR release) CVE-2016-9069 (A use-after-free in nsINode::ReplaceOrInsertBefore during DOM operatio ...) - firefox 50.0-1 CVE-2016-9068 (A use-after-free during web animations when working with timelines res ...) - firefox 50.0-1 - firefox-esr (Does not affect Firefox 45 ESR release) CVE-2016-9067 (Two use-after-free errors during DOM operations resulting in potential ...) - firefox 50.0-1 - firefox-esr (Does not affect Firefox 45 ESR release) CVE-2016-9066 (A buffer overflow resulting in a potentially exploitable crash due to ...) {DSA-3730-1 DSA-3716-1 DLA-752-1 DLA-730-1} - firefox 50.0-1 - firefox-esr 45.5.0esr-1 - icedove 1:45.5.0-1 CVE-2016-9065 (The location bar in Firefox for Android can be spoofed by forcing a us ...) - firefox (Only affects Firefox on Android) CVE-2016-9064 (Add-on updates failed to verify that the add-on ID inside the signed p ...) {DSA-3716-1 DLA-730-1} - firefox 50.0-1 - firefox-esr 45.5.0esr-1 CVE-2016-9063 (An integer overflow during the parsing of XML using the Expat library. ...) - firefox 50.0-1 - firefox-esr (Does not affect Firefox 45 ESR release) - expat 2.2.0-2 [jessie] - expat 2.1.0-6+deb8u4 [wheezy] - expat (Minor issue) NOTE: Expat upstream fix: https://github.com/libexpat/libexpat/commit/d4f735b88d9932bd5039df2335eefdd0723dbe20 CVE-2016-9062 (Private browsing mode leaves metadata information, such as URLs, for s ...) - firefox (Only affects Firefox on Android) CVE-2016-9061 (A previously installed malicious Android application which defines a s ...) - firefox (Only affects Firefox on Android) CVE-2016-9060 REJECTED CVE-2016-9059 REJECTED CVE-2016-9058 REJECTED CVE-2016-9057 REJECTED CVE-2016-9056 REJECTED CVE-2016-9055 REJECTED CVE-2016-9054 (An exploitable stack-based buffer overflow vulnerability exists in the ...) NOT-FOR-US: Aerospike Database CVE-2016-9053 (An exploitable out-of-bounds indexing vulnerability exists within the ...) NOT-FOR-US: Aerospike Database CVE-2016-9052 (An exploitable stack-based buffer overflow vulnerability exists in the ...) NOT-FOR-US: Aerospike Database CVE-2016-9051 (An exploitable out-of-bounds write vulnerability exists in the batch t ...) NOT-FOR-US: Aerospike Database CVE-2016-9050 (An exploitable out-of-bounds read vulnerability exists in the client m ...) NOT-FOR-US: Aerospike Database CVE-2016-9049 (An exploitable denial-of-service vulnerability exists in the fabric-wo ...) NOT-FOR-US: Aerospike Database CVE-2016-9048 (Multiple exploitable SQL Injection vulnerabilities exists in ProcessMa ...) NOT-FOR-US: ProcessMaker Enterprise Core CVE-2016-9047 REJECTED CVE-2016-9046 REJECTED CVE-2016-9045 (A code execution vulnerability exists in ProcessMaker Enterprise Core ...) NOT-FOR-US: ProcessMaker Enterprise Core CVE-2016-9044 (An exploitable command execution vulnerability exists in Information B ...) NOT-FOR-US: Information Builders WebFOCUS Business Intelligence Porta CVE-2016-9043 (An out of bound write vulnerability exists in the EMF parsing function ...) NOT-FOR-US: CorelDRAW X8 CVE-2016-9042 (An exploitable denial of service vulnerability exists in the origin ti ...) - ntp 1:4.2.8p10+dfsg-1 [jessie] - ntp (Doesn't use the affected upstream patch) [wheezy] - ntp (Doesn't use the affected upstream patch) NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0260/ NOTE: http://support.ntp.org/bin/view/Main/NtpBug3361 NOTE: This vulnerability affects the upstream fix for CVE-2015-8138, but Debian NOTE: jessie and wheezy use a less invasive patch by Miroslav Lichvar NOTE: of Red Hat, as available here: NOTE: http://pkgs.fedoraproject.org/cgit/rpms/ntp.git/tree/ntp-4.2.6p5-cve-2015-8138.patch?h=f24 CVE-2016-9041 REJECTED CVE-2016-9040 (An exploitable denial of service exists in the the Joyent SmartOS OS 2 ...) NOT-FOR-US: Joyent CVE-2016-9039 (An exploitable denial of service exists in the Joyent SmartOS 20161110 ...) NOT-FOR-US: Joyent CVE-2016-9038 (An exploitable double fetch vulnerability exists in the SboxDrv.sys dr ...) NOT-FOR-US: Invincea-X CVE-2016-9037 (An exploitable out-of-bounds array access vulnerability exists in the ...) - tarantool 1.7.2.385.g952d79e-1 [jessie] - tarantool (Vulnerable code not present) [wheezy] - tarantool (Not vulnerable) NOTE: https://github.com/tarantool/tarantool/issues/1992 NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0255/ CVE-2016-9036 (An exploitable incorrect return value vulnerability exists in the mp_c ...) - msgpuck 1.0.3-1.1 (bug #849212) NOTE: https://github.com/rtsisyk/msgpuck/issues/12 - tarantool 1.7.2.385.g952d79e-1 [jessie] - tarantool (Vulnerable code not present) [wheezy] - tarantool (Not vulnerable) NOTE: https://github.com/tarantool/tarantool/issues/1991 NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0254/ CVE-2016-9035 (An exploitable buffer overflow exists in the Joyent SmartOS 20161110T0 ...) NOT-FOR-US: Joyent SmartOS CVE-2016-9034 (An exploitable buffer overflow exists in the Joyent SmartOS 20161110T0 ...) NOT-FOR-US: Joyent SmartOS CVE-2016-9033 (An exploitable buffer overflow exists in the Joyent SmartOS 20161110T0 ...) NOT-FOR-US: Joyent SmartOS CVE-2016-9032 (An exploitable buffer overflow exists in the Joyent SmartOS 20161110T0 ...) NOT-FOR-US: Joyent SmartOS CVE-2016-9031 (An exploitable integer overflow exists in the Joyent SmartOS 20161110T ...) NOT-FOR-US: Joyent SmartOS CVE-2016-9085 (Multiple integer overflows in libwebp allows attackers to have unspeci ...) - libwebp (unimportant; bug #842714) [wheezy] - libwebp (vulnerable code not present) NOTE: https://chromium.googlesource.com/webm/libwebp/+/e2affacc35f1df6cc3b1a9fa0ceff5ce2d0cce83 NOTE: Report: https://bugs.chromium.org/p/webp/issues/detail?id=314 (private) NOTE: For libwebp only in examples, but other projects seem to use the gifdec.c NOTE: Origin of the file seems to be from libav NOTE: 0.5.1-3 claims the upload fixed CVE-2016-8888 and CVE-2016-9085 but the taken patches NOTE: look different, needs further investigation before marking as fixed CVE-2016-9084 (drivers/vfio/pci/vfio_pci_intrs.c in the Linux kernel through 4.8.11 m ...) - linux 4.8.11-1 [jessie] - linux 3.16.39-1 [wheezy] - linux (Vulnerable code not present) NOTE: https://patchwork.kernel.org/patch/9373631/ NOTE: Fixed by: https://git.kernel.org/linus/05692d7005a364add85c6e25a6c4447ce08f913a (v4.9-rc4) CVE-2016-9083 (drivers/vfio/pci/vfio_pci.c in the Linux kernel through 4.8.11 allows ...) - linux 4.8.11-1 [jessie] - linux 3.16.39-1 [wheezy] - linux (Vulnerable code not present) NOTE: https://patchwork.kernel.org/patch/9373631/ NOTE: Fixed by: https://git.kernel.org/linus/05692d7005a364add85c6e25a6c4447ce08f913a (v4.9-rc4) CVE-2016-9082 (Integer overflow in the write_png function in cairo 1.14.6 allows remo ...) {DLA-688-1} - cairo 1.14.6-1.1 (bug #842289) [jessie] - cairo 1.14.0-2.1+deb8u2 NOTE: Upstream bug: https://bugs.freedesktop.org/show_bug.cgi?id=98165 NOTE: Proposed patch upstream: https://bugs.freedesktop.org/attachment.cgi?id=127421 CVE-2016-9030 RESERVED CVE-2016-9029 RESERVED CVE-2016-9028 (Unauthorized redirect vulnerability in Citrix NetScaler ADC before 10. ...) NOT-FOR-US: Citrix CVE-2016-9027 RESERVED CVE-2016-9026 RESERVED CVE-2016-9025 RESERVED CVE-2016-9024 RESERVED CVE-2016-9023 RESERVED CVE-2016-9022 RESERVED CVE-2016-9021 RESERVED CVE-2016-9020 (SQL injection vulnerability in framework/modules/help/controllers/help ...) NOT-FOR-US: Exponent CMS CVE-2016-9019 (SQL injection vulnerability in the activate_address function in framew ...) NOT-FOR-US: Exponent CMS CVE-2016-9018 (Improper handling of a repeating VRAT chunk in qcpfformat.dll allows a ...) NOT-FOR-US: RealPlayer CVE-2016-9017 (Artifex Software, Inc. MuJS before a5c747f1d40e8d6659a37a8d25f13fb5acf ...) NOT-FOR-US: MuJS CVE-2016-9015 (Versions 1.17 and 1.18 of the Python urllib3 library suffer from a vul ...) - python-urllib3 (Issue only present in 1.17 and 1.18 releases) CVE-2016-9014 (Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x bef ...) {DSA-3835-1 DLA-706-1} - python-django 1:1.10.3-1 (bug #842856) NOTE: https://www.djangoproject.com/weblog/2016/nov/01/security-releases/ NOTE: https://github.com/django/django/commit/7fe2d8d940fdddd1a02c4754008a27060c4a03e9 CVE-2016-9013 (Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.1 ...) {DSA-3835-1} - python-django 1:1.10.3-1 (bug #842856) [wheezy] - python-django (Minor issue; specific to Oracle) NOTE: https://www.djangoproject.com/weblog/2016/nov/01/security-releases/ NOTE: https://github.com/django/django/commit/da7910d4834726eca596af0a830762fa5fb2dfd9 CVE-2016-9012 (CloudVision Portal (CVP) before 2016.1.2.1 allows remote authenticated ...) NOT-FOR-US: CloudVision Portal CVE-2016-9010 (IBM WebSphere Message Broker 9.0 and 10.0 could allow a remote attacke ...) NOT-FOR-US: IBM CVE-2016-9009 (IBM WebSphere MQ 8.0 could allow an authenticated user with authority ...) NOT-FOR-US: IBM CVE-2016-9008 (IBM UrbanCode Deploy could allow a malicious user to access the Agent ...) NOT-FOR-US: IBM CVE-2016-9007 RESERVED CVE-2016-9006 (IBM UrbanCode Deploy 6.1 and 6.2 is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM CVE-2016-9005 (IBM System Storage TS3100-TS3200 Tape Library could allow an unauthent ...) NOT-FOR-US: IBM CVE-2016-9004 RESERVED CVE-2016-9003 RESERVED CVE-2016-9002 RESERVED CVE-2016-9001 RESERVED CVE-2016-9000 (IBM InfoSphere DataStage is vulnerable to cross-frame scripting, cause ...) NOT-FOR-US: IBM CVE-2016-8999 (IBM InfoSphere Information Server contains a Path-relative stylesheet ...) NOT-FOR-US: IBM CVE-2016-8998 (IBM Tivoli Storage Manager Server 7.1 could allow an authenticated use ...) NOT-FOR-US: IBM CVE-2016-8997 RESERVED CVE-2016-8996 RESERVED CVE-2016-8995 RESERVED CVE-2016-8994 RESERVED CVE-2016-8993 RESERVED CVE-2016-8992 RESERVED CVE-2016-8991 RESERVED CVE-2016-8990 RESERVED CVE-2016-8989 RESERVED CVE-2016-8988 RESERVED CVE-2016-8987 (IBM Maximo Asset Management 7.1, 7.5, and 7.6 could allow an authentic ...) NOT-FOR-US: IBM CVE-2016-8986 (IBM WebSphere MQ 8.0 could allow an authenticated user with access to ...) NOT-FOR-US: IBM CVE-2016-8985 RESERVED CVE-2016-8984 RESERVED CVE-2016-8983 RESERVED CVE-2016-8982 (IBM InfoSphere Information Server stores sensitive information in URL ...) NOT-FOR-US: IBM CVE-2016-8981 (IBM BigFix Inventory v9 allows web pages to be stored locally which ca ...) NOT-FOR-US: IBM CVE-2016-8980 (IBM BigFix Inventory v9 is vulnerable to a denial of service, caused b ...) NOT-FOR-US: IBM CVE-2016-8979 RESERVED CVE-2016-8978 RESERVED CVE-2016-8977 (IBM BigFix Inventory v9 could disclose sensitive information to an una ...) NOT-FOR-US: IBM CVE-2016-8976 RESERVED CVE-2016-8975 (IBM Rhapsody DM 5.0 and 6.0 is vulnerable to cross-site scripting. Thi ...) NOT-FOR-US: IBM CVE-2016-8974 (IBM Rhapsody DM 4.0, 5.0 and 6.0 is vulnerable to a denial of service, ...) NOT-FOR-US: IBM CVE-2016-8973 (IBM Rhapsody DM 4.0, 5.0 and 6.0 contains an undisclosed vulnerability ...) NOT-FOR-US: IBM CVE-2016-8972 (IBM AIX 6.1, 7.1, and 7.2 could allow a local user to gain root privil ...) NOT-FOR-US: IBM CVE-2016-8971 (IBM WebSphere MQ 8.0 could allow an authenticated user with queue mana ...) NOT-FOR-US: IBM CVE-2016-8970 RESERVED CVE-2016-8969 RESERVED CVE-2016-8968 (IBM Jazz Foundation is vulnerable to cross-site scripting. This vulner ...) NOT-FOR-US: IBM CVE-2016-8967 (IBM BigFix Inventory v9 9.2 stores user credentials in plain in clear ...) NOT-FOR-US: IBM CVE-2016-8966 (IBM BigFix Inventory v9 could allow a remote attacker to obtain sensit ...) NOT-FOR-US: IBM CVE-2016-8965 RESERVED CVE-2016-8964 (IBM BigFix Inventory v9 9.2 uses an inadequate account lockout setting ...) NOT-FOR-US: IBM CVE-2016-8963 (IBM BigFix Inventory v9 stores potentially sensitive information in lo ...) NOT-FOR-US: IBM CVE-2016-8962 (IBM BigFix Inventory 9.2 does not require that users should have stron ...) NOT-FOR-US: IBM CVE-2016-8961 (IBM BigFix Inventory v9 could allow a remote attacker to conduct phish ...) NOT-FOR-US: IBM CVE-2016-8960 (IBM Cognos Business Intelligence 10.2 could allow a user with lower pr ...) NOT-FOR-US: IBM Cognos Business Intelligence CVE-2016-8959 RESERVED CVE-2016-8958 RESERVED CVE-2016-8957 RESERVED CVE-2016-8956 RESERVED CVE-2016-8955 RESERVED CVE-2016-8954 (IBM dashDB Local uses hard-coded credentials that could allow a remote ...) NOT-FOR-US: IBM CVE-2016-8953 (IBM Emptoris Sourcing 9.5.x through 10.1.x could allow a remote attack ...) NOT-FOR-US: IBM CVE-2016-8952 (IBM Emptoris Strategic Supply Management Platform 10.0.0.x through 10. ...) NOT-FOR-US: IBM CVE-2016-8951 (IBM Emptoris Strategic Supply Management Platform 10.0.0.x through 10. ...) NOT-FOR-US: IBM CVE-2016-8950 (IBM Emptoris Sourcing 9.5.x through 10.1.x is vulnerable to cross-site ...) NOT-FOR-US: IBM CVE-2016-8949 (IBM Emptoris Supplier Lifecycle Management 10.0.x and 10.1.x could all ...) NOT-FOR-US: IBM CVE-2016-8948 (IBM Emptoris Sourcing 9.5.x through 10.1.x is vulnerable to cross-site ...) NOT-FOR-US: IBM CVE-2016-8947 (IBM Emptoris Sourcing 9.5.x through 10.1.x could allow a remote attack ...) NOT-FOR-US: IBM CVE-2016-8946 (IBM Emptoris Sourcing 9.5.x through 10.1.x is vulnerable to cross-site ...) NOT-FOR-US: IBM CVE-2016-8945 RESERVED CVE-2016-8944 (IBM AIX 7.1 and 7.2 allows a local user to open a file with a speciall ...) NOT-FOR-US: IBM CVE-2016-8943 (IBM Tivoli Storage Productivity Center is vulnerable to cross-site scr ...) NOT-FOR-US: IBM CVE-2016-8942 (IBM Tivoli Storage Productivity Center could allow an authenticated us ...) NOT-FOR-US: IBM CVE-2016-8941 (IBM Tivoli Storage Productivity Center is vulnerable to cross-site req ...) NOT-FOR-US: IBM CVE-2016-8940 (IBM Tivoli Storage Manager (IBM Spectrum Protect) 6.1, 6.2, 6.3, and 7 ...) NOT-FOR-US: IBM CVE-2016-8939 (IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) clients/ ...) NOT-FOR-US: IBM CVE-2016-8938 (IBM UrbanCode Deploy could allow a user to execute code using a specia ...) NOT-FOR-US: IBM CVE-2016-8937 (The IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) defa ...) NOT-FOR-US: IBM CVE-2016-8936 (IBM Social Rendering Templates for Digital Data Connector is vulnerabl ...) NOT-FOR-US: IBM CVE-2016-8935 (IBM Kenexa LMS on Cloud 13.1, 13.2, 13.2.2, 13.2.3, 13.2.4 and 14.0.0 ...) NOT-FOR-US: IBM CVE-2016-8934 (IBM WebSphere Application Server is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM CVE-2016-8933 (IBM Kenexa LMS on Cloud could allow a remote attacker to traverse dire ...) NOT-FOR-US: IBM CVE-2016-8932 (IBM Kenexa LMS on Cloud could allow a remote attacker to upload arbitr ...) NOT-FOR-US: IBM CVE-2016-8931 (IBM Kenexa LMS on Cloud could allow a remote attacker to upload arbitr ...) NOT-FOR-US: IBM CVE-2016-8930 (IBM Kenexa LMS on Cloud is vulnerable to SQL injection. A remote attac ...) NOT-FOR-US: IBM CVE-2016-8929 (IBM Kenexa LMS on Cloud is vulnerable to SQL injection. A remote attac ...) NOT-FOR-US: IBM CVE-2016-8928 (IBM Kenexa LMS on Cloud is vulnerable to SQL injection. A remote attac ...) NOT-FOR-US: IBM CVE-2016-8927 (IBM Tivoli Application Dependency Discovery Manager 7.2.2 and 7.3 is v ...) NOT-FOR-US: IBM CVE-2016-8926 (IBM Tivoli Application Dependency Discovery Manager 7.2.2 and 7.3 coul ...) NOT-FOR-US: IBM CVE-2016-8925 (IBM Tivoli Application Dependency Discovery Manager 7.2.2 and 7.3 coul ...) NOT-FOR-US: IBM CVE-2016-8924 (IBM Maximo Asset Management 7.1, 7.5 and 7.6 could allow a remote atta ...) NOT-FOR-US: IBM CVE-2016-8923 (IBM Curam Social Program Management 5.2, 6.0, and 7.0 contains a vulne ...) NOT-FOR-US: IBM CVE-2016-8922 (Exphox WebRadar is vulnerable to cross-site scripting. This vulnerabil ...) NOT-FOR-US: Exphox WebRadar CVE-2016-8921 (IBM FileNet WorkPlace XT could allow a remote attacker to upload arbit ...) NOT-FOR-US: IBM CVE-2016-8920 (IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 is vulnerable to cross- ...) NOT-FOR-US: IBM CVE-2016-8919 (IBM WebSphere Application Server may be vulnerable to a denial of serv ...) NOT-FOR-US: IBM CVE-2016-8918 (IBM Integration Bus, under non default configurations, could allow a r ...) NOT-FOR-US: IBM CVE-2016-8917 (IBM Sterling Order Management 9.2 - 9.5 is vulnerable to cross-site re ...) NOT-FOR-US: IBM CVE-2016-8916 (IBM Tivoli Storage Manager 5.5, 6.1-6.4, and 7.1 stores password infor ...) NOT-FOR-US: IBM CVE-2016-8915 (IBM WebSphere MQ 8.0 could allow an authenticated user with access to ...) NOT-FOR-US: IBM CVE-2016-8914 RESERVED CVE-2016-8913 (IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 could allow a remote at ...) NOT-FOR-US: IBM CVE-2016-8912 (IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 stores potentially sens ...) NOT-FOR-US: IBM CVE-2016-8911 (IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 could allow a remote at ...) NOT-FOR-US: IBM CVE-2016-9016 (Firejail 0.9.38.4 allows local users to execute arbitrary commands out ...) - firejail 0.9.44-1 NOTE: https://github.com/netblue30/firejail/commit/46dc2b34f1fbbc4597b4ff9f6a3cb28b2d500d1b NOTE: http://www.openwall.com/lists/oss-security/2016/10/25/3 CVE-2016-9011 (The wmf_malloc function in api.c in libwmf 0.2.8.4 allows remote attac ...) {DLA-694-1} - libwmf 0.2.8.4-10.6 (bug #842090) [jessie] - libwmf 0.2.8.4-10.3+deb8u2 NOTE: http://www.openwall.com/lists/oss-security/2016/10/18/9 NOTE: https://blogs.gentoo.org/ago/2016/10/18/libwmf-memory-allocation-failure-in-wmf_malloc-api-c NOTE: Reproducer: https://github.com/asarubbo/poc/blob/master/00015-libwmf-memalloc-wmf_malloc NOTE: Proposed patch: https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=842090;filename=libwmf-0.2.8.4-CVE-2016-9011-debian.patch;msg=10 CVE-2016-8908 (SQL injection vulnerability in the "Site Browser > HTML pages" scre ...) NOT-FOR-US: dotCMS CVE-2016-8907 (SQL injection vulnerability in the "Content Types > Content Types" ...) NOT-FOR-US: dotCMS CVE-2016-8906 (SQL injection vulnerability in the "Site Browser > Links pages" scr ...) NOT-FOR-US: dotCMS CVE-2016-8905 (SQL injection vulnerability in the JSONTags servlet in dotCMS before 3 ...) NOT-FOR-US: dotCMS CVE-2016-8904 (SQL injection vulnerability in the "Site Browser > Containers pages ...) NOT-FOR-US: dotCMS CVE-2016-8903 (SQL injection vulnerability in the "Site Browser > Templates pages" ...) NOT-FOR-US: dotCMS CVE-2016-8902 (SQL injection vulnerability in the categoriesServlet servlet in dotCMS ...) NOT-FOR-US: dotCMS CVE-2016-8901 (b2evolution 6.7.6 suffer from an Object Injection vulnerability in /ht ...) - b2evolution CVE-2016-8900 (Exponent CMS version 2.3.9 suffers from a Object Injection vulnerabili ...) NOT-FOR-US: Exponent CMS CVE-2016-8899 (Exponent CMS version 2.3.9 suffers from a Object Injection vulnerabili ...) NOT-FOR-US: Exponent CMS CVE-2016-8898 (Exponent CMS version 2.3.9 suffers from a sql injection vulnerability ...) NOT-FOR-US: Exponent CMS CVE-2016-8897 (Exponent CMS version 2.3.9 suffers from a sql injection vulnerability ...) NOT-FOR-US: Exponent CMS CVE-2016-8896 RESERVED CVE-2016-8895 RESERVED CVE-2016-8894 RESERVED CVE-2016-8893 RESERVED CVE-2016-8892 RESERVED CVE-2016-8891 RESERVED CVE-2016-8890 RESERVED CVE-2016-8889 (In Bitcoin Knots v0.11.0.ljr20150711 through v0.13.0.knots20160814 (fi ...) NOT-FOR-US: Bitcoin Knots CVE-2016-8888 RESERVED CVE-2016-8879 (The thumbnail shell extension plugin (FoxitThumbnailHndlr_x86.dll) in ...) NOT-FOR-US: Foxit CVE-2016-8878 (Out-of-Bounds read vulnerability in Foxit Reader and PhantomPDF before ...) NOT-FOR-US: Foxit CVE-2016-8877 (Heap buffer overflow (Out-of-Bounds write) vulnerability in Foxit Read ...) NOT-FOR-US: Foxit CVE-2016-8876 (Out-of-Bounds read vulnerability in Foxit Reader and PhantomPDF before ...) NOT-FOR-US: Foxit CVE-2016-8875 (The ConvertToPDF plugin in Foxit Reader and PhantomPDF before 8.1 on W ...) NOT-FOR-US: Foxit CVE-2016-8874 RESERVED CVE-2016-8873 RESERVED CVE-2016-8872 RESERVED CVE-2016-8871 (In Botan 1.11.29 through 1.11.32, RSA decryption with certain padding ...) - botan1.10 (Only affects 1.11.29 through 1.11.32) CVE-2016-8870 (The register method in the UsersModelRegistration class in controllers ...) NOT-FOR-US: Joomla! CVE-2016-8869 (The register method in the UsersModelRegistration class in controllers ...) NOT-FOR-US: Joomla! CVE-2016-8868 RESERVED CVE-2016-8867 (Docker Engine 1.12.2 enabled ambient capabilities with misconfigured c ...) - docker.io (Not built from/with a runc with "ambient capabilities") - runc ("ambient capabilities" introduced later, cf bug #853240) NOTE: https://github.com/docker/docker/issues/27590 NOTE: docker: https://github.com/docker/docker/pull/27610/commits/d60a3418d0268745dff38947bc8c929fbd24f837 (1.12.3) NOTE: runc: https://github.com/opencontainers/runc/commit/a83f5bac28554fa0fd49bc1559a3c79f5907348f NOTE: docker.io not directly affected but will need to be updated to include new runc version NOTE: runc: "ambient capabilities" functionality added upstream with https://github.com/opencontainers/runc/pull/1086 NOTE: and later changes. NOTE: The actual fix seem to be to revert the commit which introduced ambient capabilities NOTE: in runc. CVE-2016-8865 RESERVED CVE-2016-8864 (named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before 9.10.4-P4, and 9. ...) {DSA-3703-1 DLA-696-1} [experimental] - bind9 1:9.10.4-P5-1 - bind9 1:9.10.3.dfsg.P4-11 (bug #842858) NOTE: https://kb.isc.org/article/AA-01434 NOTE: upstream fix https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=8bd0c12d53bea6f299e92d20ee0a23b16a7f65bc CVE-2016-8863 (Heap-based buffer overflow in the create_url_list function in gena/gen ...) {DSA-3736-1 DLA-748-1 DLA-747-1} - libupnp 1:1.6.19+git20160116-1.2 (bug #842093) - libupnp4 NOTE: https://sourceforge.net/p/pupnp/bugs/133/ NOTE: Patch: https://sourceforge.net/p/pupnp/bugs/_discuss/thread/f2781a77/d8a2/attachment/0001-Fix-out-of-bound-access-in-create_url_list-CVE-2016-.patch CVE-2016-8861 RESERVED CVE-2016-8857 RESERVED CVE-2016-8856 (Foxit Reader for Mac 2.1.0.0804 and earlier and Foxit Reader for Linux ...) NOT-FOR-US: Foxit CVE-2016-8855 (Cross-Site Scripting (XSS) in "/sitecore/client/Applications/List Mana ...) NOT-FOR-US: Sitecore Experience Platform CVE-2016-8854 REJECTED CVE-2016-8853 REJECTED CVE-2016-8852 REJECTED CVE-2016-8851 REJECTED CVE-2016-8850 REJECTED CVE-2016-8849 REJECTED CVE-2016-8848 REJECTED CVE-2016-8847 REJECTED CVE-2016-8846 REJECTED CVE-2016-8845 REJECTED CVE-2016-8844 REJECTED CVE-2016-8843 REJECTED CVE-2016-8842 REJECTED CVE-2016-8841 REJECTED CVE-2016-8840 REJECTED CVE-2016-8839 REJECTED CVE-2016-8838 REJECTED CVE-2016-8837 REJECTED CVE-2016-8836 REJECTED CVE-2016-8835 REJECTED CVE-2016-8834 REJECTED CVE-2016-8833 REJECTED CVE-2016-8832 REJECTED CVE-2016-8831 REJECTED CVE-2016-8830 REJECTED CVE-2016-8829 REJECTED CVE-2016-8828 REJECTED CVE-2016-8827 (NVIDIA GeForce Experience 3.x before GFE 3.1.0.52 contains a vulnerabi ...) NOT-FOR-US: NVIDIA GeForce Experience CVE-2016-8826 (All versions of NVIDIA GPU Display Driver contain a vulnerability in t ...) - nvidia-graphics-drivers 375.26-1 (bug #848195) [jessie] - nvidia-graphics-drivers 340.101-1 [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx 340.101-1 (bug #848196) - nvidia-graphics-drivers-legacy-304xx 304.134-1 (bug #848197) [jessie] - nvidia-graphics-drivers-legacy-304xx 304.134-0~deb8u1 NOTE: http://nvidia.custhelp.com/app/answers/detail/a_id/4278 CVE-2016-8825 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-8824 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-8823 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-8822 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-8821 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-8820 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-8819 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-8818 (All versions of NVIDIA Windows GPU Display contain a vulnerability in ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-8817 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-8816 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-8815 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-8814 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-8813 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-8812 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA GeForce Exper ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-8811 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU D ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-8810 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU D ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-8809 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU D ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-8808 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU D ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-8807 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU D ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-8806 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU D ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-8805 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU D ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-8804 RESERVED CVE-2016-8803 (The maintenance module in Huawei FusionStorage V100R003C30U1 allows at ...) NOT-FOR-US: Huawei CVE-2016-8802 (The security policy processing module in Huawei Secospace USG6300 with ...) NOT-FOR-US: Huawei CVE-2016-8801 (Huawei OceanStor 5600 V3 with V300R003C00C10 and earlier versions allo ...) NOT-FOR-US: Huawei CVE-2016-8800 REJECTED CVE-2016-8799 REJECTED CVE-2016-8798 (Huawei USG5500 with software V300R001C00 and V300R001C00 allows attack ...) NOT-FOR-US: Huawei CVE-2016-8797 (Huawei AR3200 with software V200R007C00, V200R005C32, V200R005C20; S12 ...) NOT-FOR-US: Huawei CVE-2016-8796 (Huawei USG9520 V300R001C01, USG9560 V300R001C01, and USG9580 V300R001C ...) NOT-FOR-US: Huawei CVE-2016-8795 (Huawei CloudEngine 12800 with software V100R002C00, V100R003C00, V100R ...) NOT-FOR-US: Huawei CVE-2016-8794 (Huawei Mate 8 phones with software Versions before NXT-AL10C00B386, Ve ...) NOT-FOR-US: Huawei CVE-2016-8793 (Huawei Mate 8 phones with software Versions before NXT-AL10C00B386, Ve ...) NOT-FOR-US: Huawei CVE-2016-8792 (Huawei Mate 8 phones with software Versions before NXT-AL10C00B386, Ve ...) NOT-FOR-US: Huawei CVE-2016-8791 (Huawei Mate 8 phones with software Versions before NXT-AL10C00B386, Ve ...) NOT-FOR-US: Huawei CVE-2016-8790 (Huawei CloudEngine 5800 with software before V200R001C00SPC700, CloudE ...) NOT-FOR-US: Huawei CVE-2016-8789 (Huawei eSpace Integrated Access Device (IAD) with software V300R001C03 ...) NOT-FOR-US: Huawei CVE-2016-8788 REJECTED CVE-2016-8787 REJECTED CVE-2016-8786 (Huawei S12700 V200R005C00, V200R006C00, V200R007C00, V200R008C00, S570 ...) NOT-FOR-US: Huawei CVE-2016-8785 (Huawei S12700 V200R007C00, V200R008C00, S5700 V200R007C00, S7700 V200R ...) NOT-FOR-US: Huawei CVE-2016-8784 (Huawei CloudEngine 12800 V100R003C00, V100R003C10, V100R005C00, V100R0 ...) NOT-FOR-US: Huawei CVE-2016-8783 (Touchscreen drive in Huawei H60 (Honor 6) Versions earlier than H60-L0 ...) NOT-FOR-US: Huawei CVE-2016-8782 (Huawei CloudEngine 12800 V100R003C00, V100R003C10, V100R005C00, V100R0 ...) NOT-FOR-US: Huawei CVE-2016-8781 (Huawei Secospace USG6300 with software V500R001C20 and V500R001C20SPC2 ...) NOT-FOR-US: Huawei CVE-2016-8780 (Huawei CloudEngine 6800 V100R006C00, CloudEngine 7800 V100R006C00, Clo ...) NOT-FOR-US: Huawei CVE-2016-8779 (Huawei FusionAccess with software V100R005C10 and V100R005C20 could al ...) NOT-FOR-US: Huawei CVE-2016-8778 REJECTED CVE-2016-8777 REJECTED CVE-2016-8776 (Huawei P9 phones with software EVA-AL10C00,EVA-CL10C00,EVA-DL10C00,EVA ...) NOT-FOR-US: Huawei CVE-2016-8775 (Touch Panel (TP) driver in Huawei NEM phones with software Versions be ...) NOT-FOR-US: Huawei CVE-2016-8774 (The HIFI driver in Huawei Mate 8 phones with software versions before ...) NOT-FOR-US: Huawei CVE-2016-8773 (Huawei S5300 with software V200R003C00, V200R007C00, V200R008C00, V200 ...) NOT-FOR-US: Huawei CVE-2016-8772 REJECTED CVE-2016-8771 REJECTED CVE-2016-8770 REJECTED CVE-2016-8769 (Huawei UTPS earlier than UTPS-V200R003B015D16SPC00C983 has an unquoted ...) NOT-FOR-US: Huawei CVE-2016-8768 (Huawei Honor 6, Honor 6 Plus, Honor 7 phones with software versions ea ...) NOT-FOR-US: Huawei CVE-2016-8767 REJECTED CVE-2016-8766 REJECTED CVE-2016-8765 REJECTED CVE-2016-8764 (The TrustZone driver in Huawei P9 phones with software Versions earlie ...) NOT-FOR-US: Huawei CVE-2016-8763 (The TrustZone driver in Huawei P9 phones with software Versions earlie ...) NOT-FOR-US: Huawei CVE-2016-8762 (The TrustZone driver in Huawei P9 phones with software Versions earlie ...) NOT-FOR-US: Huawei CVE-2016-8761 (Video driver in Huawei P9 phones with software versions before EVA-AL1 ...) NOT-FOR-US: Huawei CVE-2016-8760 (Touchscreen driver in Huawei P9 phones with software versions before E ...) NOT-FOR-US: Huawei CVE-2016-8759 (Video driver in Huawei P9 phones with software versions before EVA-AL1 ...) NOT-FOR-US: Huawei CVE-2016-8758 (ION memory management module in Huawei Mate8 phones with software NXT- ...) NOT-FOR-US: Huawei CVE-2016-8757 (ION memory management module in Huawei P9 phones with software EVA-AL1 ...) NOT-FOR-US: Huawei CVE-2016-8756 (ION memory management module in Huawei Mate 8 phones with software NXT ...) NOT-FOR-US: Huawei CVE-2016-8755 REJECTED CVE-2016-8754 (Huawei OceanStor 5600 V3 V300R003C00 has a hardcoded SSH key vulnerabi ...) NOT-FOR-US: Huawei CVE-2016-8753 REJECTED CVE-2016-8752 (Apache Atlas versions 0.6.0 (incubating), 0.7.0 (incubating), and 0.7. ...) NOT-FOR-US: Apache Atlas CVE-2016-8751 (Apache Ranger before 0.6.3 is vulnerable to a Stored Cross-Site Script ...) NOT-FOR-US: Apache Ranger CVE-2016-8750 (Apache Karaf prior to 4.0.8 used the LDAPLoginModule to authenticate u ...) - apache-karaf (bug #881297) CVE-2016-8749 (Apache Camel's Jackson and JacksonXML unmarshalling operation are vuln ...) NOT-FOR-US: Apache Camel CVE-2016-8748 (In Apache NiFi before 1.0.1 and 1.1.x before 1.1.1, there is a cross-s ...) NOT-FOR-US: Apache NiFi CVE-2016-8747 (An information disclosure issue was discovered in Apache Tomcat 8.5.7 ...) - tomcat8 8.5.9-1 [jessie] - tomcat8 (Only affects 8.5.7 to 8.5.9) NOTE: http://svn.apache.org/r1774166 CVE-2016-8746 (Apache Ranger before 0.6.3 policy engine incorrectly matches paths in ...) NOT-FOR-US: Apache Ranger CVE-2016-8745 (A bug in the error handling of the send file code for the NIO HTTP con ...) {DSA-3755-1 DSA-3754-1 DLA-779-1} - tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.5.9-1 - tomcat7 7.0.72-3 NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API - tomcat6 6.0.41-3 NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=60409 NOTE: Fixed by: http://svn.apache.org/r1777469 (8.0.x) NOTE: Fixed by: http://svn.apache.org/r1777471 (7.0.x) NOTE: Fixed by: http://svn.apache.org/r1777472 (6.0.x) CVE-2016-8744 (Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. Sn ...) NOT-FOR-US: Apache Brooklyn CVE-2016-8743 (Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was li ...) {DSA-3796-1 DLA-841-2 DLA-841-1} - apache2 2.4.25-1 NOTE: https://lists.apache.org/thread.html/139862b41c0dfd5e6e00ad89c00119f9faf0dd41a2f927da9c9a4076@%3Cannounce.httpd.apache.org%3E NOTE: https://httpd.apache.org/security/vulnerabilities_24.html NOTE: The fix is not fully backwards compatible so upstream have NOTE: created a new option to control this behaviour. This means that NOTE: if this is fixed the security advisory need to mention this. NOTE: The fix is invasive and should require some extra testing before reaching NOTE: stable and old-stable. NOTE: Affects: 2.2.0 to 2.4.23. NOTE: Fixed in 2.4.25. NOTE: For 2.2 preparation is done in http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x-merge-http-strict/ CVE-2016-8742 (The Windows installer that the Apache CouchDB team provides was vulner ...) NOT-FOR-US: Windows installer for Apache CouchDB CVE-2016-8741 (The Apache Qpid Broker for Java can be configured to use different so ...) - qpid-java (bug #840131) CVE-2016-8740 (The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, ...) - apache2 2.4.25-1 (bug #847124) [jessie] - apache2 (Vulnerable code not present) [wheezy] - apache2 (Vulnerable code not present) NOTE: HTTP/2 support introduced in 2.4.17 CVE-2016-8739 (The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1 ...) NOT-FOR-US: Apache CXF CVE-2016-8738 (In Apache Struts 2.5 through 2.5.5, if an application allows entering ...) - libstruts1.2-java [wheezy] - libstruts1.2-java (no longer supported) NOTE: https://struts.apache.org/docs/s2-044.html CVE-2016-8737 (In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cro ...) NOT-FOR-US: Apache Brooklyn CVE-2016-8736 (Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Executio ...) NOT-FOR-US: Apache OpenMeetings CVE-2016-8735 (Remote code execution is possible with Apache Tomcat before 6.0.48, 7. ...) {DSA-3739-1 DSA-3738-1 DLA-729-1 DLA-728-1} - tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.0.39-1 - tomcat7 7.0.72-3 NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API - tomcat6 6.0.41-3 (low) NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie NOTE: Fixed by: http://svn.apache.org/r1767656 (8.0.x) NOTE: Fixed by: http://svn.apache.org/r1767676 (7.0.x) NOTE: Fixed by: http://svn.apache.org/r1767684 (6.0.x) CVE-2016-8734 (Apache Subversion's mod_dontdothat module and HTTP clients 1.4.0 throu ...) - subversion 1.9.5-1 (low) [jessie] - subversion 1.8.10-6+deb8u5 [wheezy] - subversion (Minor issue, binary packages not affected since built against Neon as HTTP library) NOTE: Above wheezy entry workarounded; binary packages not affected (since in wheezy build against Neon as HTTP NOTE: library), though source is. (unimporant) for individual lines is not supported, thus workaround by marking NOTE: as no-dsa. NOTE: https://subversion.apache.org/security/CVE-2016-8734-advisory.txt CVE-2016-8733 (An exploitable integer overflow exists in the Joyent SmartOS 20161110T ...) NOT-FOR-US: Joyent SmartOS CVE-2016-8732 (Multiple security flaws exists in InvProtectDrv.sys which is a part of ...) NOT-FOR-US: Invincea Dell Protected Workspace CVE-2016-8731 (Hard-coded FTP credentials (r:r) are included in the Foscam C1 running ...) NOT-FOR-US: Foscam C1 CVE-2016-8730 (An of bound write / memory corruption vulnerability exists in the GIF ...) NOT-FOR-US: Core PHOTO-PAINT X8 CVE-2016-8729 (An exploitable memory corruption vulnerability exists in the JBIG2 par ...) {DSA-3817-1 DLA-874-1} - jbig2dec 0.13-4 (bug #863886) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0243 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698438 NOTE: http://git.ghostscript.com/?p=jbig2dec.git;h=e698d5c11d27212aa1098bc5b1673a3378563092 CVE-2016-8728 (An exploitable heap out of bounds write vulnerability exists in the Fi ...) - mupdf (Vulnerable code introduced in 1.10, cf. #863545) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0242%20 CVE-2016-8727 (An exploitable information disclosure vulnerability exists in the Web ...) NOT-FOR-US: Moxa CVE-2016-8726 (An exploitable null pointer dereference vulnerability exists in the We ...) NOT-FOR-US: Moxa CVE-2016-8725 (An exploitable information disclosure vulnerability exists in the Web ...) NOT-FOR-US: Moxa CVE-2016-8724 (An exploitable information disclosure vulnerability exists in the serv ...) NOT-FOR-US: Moxa CVE-2016-8723 (An exploitable null pointer dereference exists in the Web Application ...) NOT-FOR-US: Moxa CVE-2016-8722 (An exploitable Information Disclosure vulnerability exists in the Web ...) NOT-FOR-US: Moxa CVE-2016-8721 (An exploitable OS Command Injection vulnerability exists in the web ap ...) NOT-FOR-US: Moxa CVE-2016-8720 (An exploitable HTTP Header Injection vulnerability exists in the Web A ...) NOT-FOR-US: Moxa CVE-2016-8719 (An exploitable reflected Cross-Site Scripting vulnerability exists in ...) NOT-FOR-US: Moxa CVE-2016-8718 (An exploitable Cross-Site Request Forgery vulnerability exists in the ...) NOT-FOR-US: Moxa CVE-2016-8717 (An exploitable Use of Hard-coded Credentials vulnerability exists in t ...) NOT-FOR-US: Moxa CVE-2016-8716 (An exploitable Cleartext Transmission of Password vulnerability exists ...) NOT-FOR-US: Moxa CVE-2016-8715 (An exploitable heap corruption vulnerability exists in the loadTrailer ...) NOT-FOR-US: Iceni Argus CVE-2016-8714 (An exploitable buffer overflow vulnerability exists in the LoadEncodin ...) {DSA-3813-1 DLA-861-1} - r-base 3.3.3-1 (bug #857466) NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0227/ CVE-2016-8713 (A remote out of bound write / memory corruption vulnerability exists i ...) NOT-FOR-US: Nitro Pro CVE-2016-8712 (An exploitable nonce reuse vulnerability exists in the Web Application ...) NOT-FOR-US: Moxa CVE-2016-8711 (A potential remote code execution vulnerability exists in the PDF pars ...) NOT-FOR-US: Nitro Pro CVE-2016-8710 (An exploitable heap write out of bounds vulnerability exists in the de ...) - ffmpeg (Vulnerable code wasn't part of ffmpeg according to upstream) NOTE: The libbpg library is not packaged in Debian but seem embedded in ffmpeg NOTE: http://blog.talosintel.com/2017/01/vulnerability-spotlight-libbpg-image.html NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0223/ CVE-2016-8709 (A remote out of bound write / memory corruption vulnerability exists i ...) NOT-FOR-US: Nitro Pro CVE-2016-8708 REJECTED CVE-2016-8707 (An exploitable out of bounds write exists in the handling of compresse ...) {DSA-3799-1 DLA-756-1} - imagemagick 8:6.9.7.0+dfsg-2 (bug #848139) NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0216/ NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/e5fd9ab1b70b2edd06de8efb606e04482cb9a2f0 (7.0.3-9) NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/fde5f55af94f189f16958535a9c22b439d71ac93 (6.9.6-7) NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/e5dc6d628a1c6049dc95adcea5e49aaa7ef2c778 (6.9.6-7) CVE-2016-8706 (An integer overflow in process_bin_sasl_auth function in Memcached, wh ...) {DSA-3704-1 DLA-701-1} - memcached 1.4.33-1 (bug #842814) NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0221/ NOTE: upstream fix https://github.com/memcached/memcached/commit/bd578fc34b96abe0f8d99c1409814a09f51ee71c CVE-2016-8705 (Multiple integer overflows in process_bin_update function in Memcached ...) {DSA-3704-1 DLA-701-1} - memcached 1.4.33-1 (bug #842812) NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0220/ NOTE: upstream fix https://github.com/memcached/memcached/commit/bd578fc34b96abe0f8d99c1409814a09f51ee71c CVE-2016-8704 (An integer overflow in the process_bin_append_prepend function in Memc ...) {DSA-3704-1 DLA-701-1} - memcached 1.4.33-1 (bug #842811) NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0219/ NOTE: upstream fix https://github.com/memcached/memcached/commit/bd578fc34b96abe0f8d99c1409814a09f51ee71c CVE-2016-1000036 RESERVED CVE-2016-1000035 RESERVED CVE-2016-1000034 RESERVED CVE-2016-1000032 (TGCaptcha2 version 0.3.0 is vulnerable to a replay attack due to a mis ...) NOT-FOR-US: TGCaptcha2 CVE-2016-8910 (The rtl8139_cplus_transmit function in hw/net/rtl8139.c in QEMU (aka Q ...) {DLA-1599-1 DLA-698-1 DLA-689-1} - qemu 1:2.8+dfsg-1 (bug #841955) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg05495.html NOTE: http://www.openwall.com/lists/oss-security/2016/10/24/2 CVE-2016-8909 (The intel_hda_xfer function in hw/audio/intel-hda.c in QEMU (aka Quick ...) {DLA-1599-1 DLA-698-1 DLA-689-1} - qemu 1:2.8+dfsg-1 (bug #841950) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg04717.html NOTE: http://www.openwall.com/lists/oss-security/2016/10/24/1 CVE-2016-XXXX [Privilege escalation possible to other user than root] - bash (unimportant; bug #841856) NOTE: This is strongly related to the problem described in CVE-2016-7543 and the correction NOTE: is very similar. NOTE: https://lists.gnu.org/archive/html/bug-bash/2015-12/msg00112.html CVE-2016-10249 (Integer overflow in the jpc_dec_tiledecode function in jpc_dec.c in Ja ...) {DSA-3827-1 DLA-739-1} - jasper NOTE: Fixed by: https://github.com/mdadams/jasper/commit/988f8365f7d8ad8073b6786e433d34c553ecf568 (version-1.900.12) NOTE: https://blogs.gentoo.org/ago/2016/10/23/jasper-heap-based-buffer-overflow-in-jpc_dec_tiledecode-jpc_dec-c/ NOTE: Reproducer: https://github.com/asarubbo/poc/blob/master/00001-jasper-heapoverflow-jpc_dec_tiledecode NOTE: http://www.openwall.com/lists/oss-security/2016/10/23/7 CVE-2016-10250 (The jp2_colr_destroy function in jp2_cod.c in JasPer before 1.900.13 a ...) - jasper (Incomplete fix for CVE-206-8887 not applied) NOTE: Reproducer: https://github.com/asarubbo/poc/blob/master/00002-jasper-NULLptr-jp2_colr_destroy NOTE: https://blogs.gentoo.org/ago/2016/10/23/jasper-null-pointer-dereference-in-jp2_colr_destroy-jp2_cod-c-incomplete-fix-for-cve-2016-8887 CVE-2016-8887 (The jp2_colr_destroy function in libjasper/jp2/jp2_cod.c in JasPer bef ...) {DLA-739-1} - jasper (unimportant) NOTE: https://blogs.gentoo.org/ago/2016/10/18/jasper-null-pointer-dereference-in-jp2_colr_destroy-jp2_cod-c NOTE: Fixed by: https://github.com/mdadams/jasper/commit/e24bdc716c3327b067c551bc6cfb97fd2370358d (version-1.900.10) NOTE: When fixing this issue look at the followup report NOTE: https://blogs.gentoo.org/ago/2016/10/23/jasper-null-pointer-dereference-in-jp2_colr_destroy-jp2_cod-c-incomplete-fix-for-cve-2016-8887 NOTE: and include the fix to not make jasper vulnerable to the incomplete fix. NOTE: Not suitable for code injection, hardly denial of service CVE-2016-8886 (The jas_malloc function in libjasper/base/jas_malloc.c in JasPer befor ...) - jasper (low) [jessie] - jasper (Minor issue) [wheezy] - jasper (Minor issue) NOTE: https://blogs.gentoo.org/ago/2016/10/18/jasper-memory-allocation-failure-in-jas_malloc-jas_malloc-c NOTE: The memory exhaustion has no real impact unless when jasper is compiled with ASAN. NOTE: Without ASAN the failure is handled gracefully. In addition the fix is marked as experimental NOTE: and not suitable for a backport. CVE-2016-XXXX [sendmail: Privilege escalation from group smmsp to root] - sendmail 8.15.2-7 (bug #841257) [jessie] - sendmail 8.14.4-8+deb8u2 [wheezy] - sendmail (Minor issue) NOTE: no unprivileged user should be in smmsp group and there is no known vulnerability to gain smmsp group membership CVE-2016-8885 (The bmp_getdata function in libjasper/bmp/bmp_dec.c in JasPer before 1 ...) - jasper (Incomplete fix for CVE-2016-8690 not applied) NOTE: https://blogs.gentoo.org/ago/2016/10/18/jasper-two-null-pointer-dereference-in-bmp_getdata-bmp_dec-c-incomplete-fix-for-cve-2016-8690 NOTE: Fixed by https://github.com/mdadams/jasper/commit/5d66894d2313e3f3469f19066e149e08ff076698 CVE-2016-8884 (The bmp_getdata function in libjasper/bmp/bmp_dec.c in JasPer 1.900.5 ...) - jasper (Incomplete fix for CVE-2016-8690 not applied) NOTE: https://blogs.gentoo.org/ago/2016/10/18/jasper-two-null-pointer-dereference-in-bmp_getdata-bmp_dec-c-incomplete-fix-for-cve-2016-8690 NOTE: Fixed by https://github.com/mdadams/jasper/commit/5d66894d2313e3f3469f19066e149e08ff076698 CVE-2016-8883 (The jpc_dec_tiledecode function in jpc_dec.c in JasPer before 1.900.8 ...) {DLA-739-1} - jasper (unimportant) NOTE: https://github.com/mdadams/jasper/issues/32 NOTE: https://github.com/mdadams/jasper/commit/33cc2cfa51a8d0fc3116d16cc1d8fc581b3f9e8d NOTE: Not suitable for code injection, hardly denial of service CVE-2016-8882 (The jpc_dec_tilefini function in libjasper/jpc/jpc_dec.c in JasPer bef ...) {DSA-3785-1 DLA-739-1} - jasper (unimportant) NOTE: https://github.com/mdadams/jasper/issues/30 NOTE: https://github.com/mdadams/jasper/commit/69a1439a5381e42b06ec6a06ed2675eb793babee (version-1.900.8) NOTE: Not suitable for code injection, hardly denial of service CVE-2016-8881 REJECTED CVE-2016-8880 REJECTED CVE-2016-8866 (The AcquireMagickMemory function in MagickCore/memory.c in ImageMagick ...) {DLA-756-1} - imagemagick NOTE: For incomplete fix of CVE-2016-8862 NOTE: https://blogs.gentoo.org/ago/2016/10/20/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c-incomplete-fix-for-cve-2016-8862/ NOTE: This is not a real problem in imagemagick but caused by the "observer" (the address sanitizer), cf. NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30908#p140255 . CVE-2016-8859 (Multiple integer overflows in the TRE library and musl libc allow atta ...) {DLA-687-1} - tre 0.8.0-5 (bug #842169) [jessie] - tre 0.8.0-4+deb8u1 - musl 1.1.15-2 (bug #842171) [jessie] - musl 1.1.5-2+deb8u1 NOTE: http://www.openwall.com/lists/oss-security/2016/10/19/1 NOTE: other issues may still be present in tre after this: https://github.com/laurikari/tre/issues/37 NOTE: musl patch: http://git.musl-libc.org/cgit/musl/commit/?id=c3edc06d1e1360f3570db9155d6b318ae0d0f0f7, not released yet CVE-2016-8858 (** DISPUTED ** The kex_input_kexinit function in kex.c in OpenSSH 6.x ...) - openssh 1:7.3p1-2 (bug #841884) [jessie] - openssh (Minor issue) [wheezy] - openssh (Minor issue) NOTE: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/kex.c?rev=1.127&content-type=text/x-cvsweb-markup NOTE: Only thing the attacker could do here is self-dos own connection CVE-2016-8862 (The AcquireMagickMemory function in MagickCore/memory.c in ImageMagick ...) {DSA-3726-1 DLA-756-1} - imagemagick 8:6.9.6.6+dfsg-1 (bug #845634) NOTE: https://blogs.gentoo.org/ago/2016/10/17/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c/ NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/aea6c6507f55632829e6432f8177a084a57c9fcc NOTE: The initial patch was initiall meant to be incomplete and resulted in CVE-2016-8866. So when fixing NOTE: this CVE make sure to fix it completely to not open up CVE-2016-8866. NOTE: The "incomplete fix" though is not a real problem, cf. https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30908#p140255 NOTE: http://www.openwall.com/lists/oss-security/2016/10/17/4 CVE-2016-8860 (Tor before 0.2.8.9 and 0.2.9.x before 0.2.9.4-alpha had internal funct ...) {DSA-3694-1 DLA-663-1} - tor 0.2.8.9-1 NOTE: https://trac.torproject.org/projects/tor/ticket/20384 NOTE: https://blog.torproject.org/blog/tor-0289-released-important-fixes NOTE: https://gitweb.torproject.org/tor.git/commit/?id=3cea86eb2fbb65949673eb4ba8ebb695c87a57ce NOTE: http://www.openwall.com/lists/oss-security/2016/10/18/11 CVE-2016-9138 (PHP through 5.6.27 and 7.x through 7.0.12 mishandles property modifica ...) {DSA-3732-1} - php7.0 7.0.12-1 - php5 [wheezy] - php5 (Vulnerable code not present in version 5.4.45) NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73147 NOTE: http://www.openwall.com/lists/oss-security/2016/11/01/7 CVE-2016-9137 (Use-after-free vulnerability in the CURLFile implementation in ext/cur ...) {DSA-3698-1} - php7.0 7.0.12-1 - php5 [wheezy] - php5 (Vulnerable code not present in version 5.4.45) NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73147 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=0e6fe3a4c96be2d3e88389a5776f878021b4c59f NOTE: Fixed in 7.0.12, 5.6.27 NOTE: http://www.openwall.com/lists/oss-security/2016/10/18/1 CVE-2016-8673 (A vulnerability has been identified in SIMATIC CP 343-1 Advanced (incl ...) NOT-FOR-US: Siemens SIMATIC CP CVE-2016-8672 (A vulnerability has been identified in SIMATIC CP 343-1 Advanced (incl ...) NOT-FOR-US: Siemens SIMATIC CP CVE-2005-4900 (SHA-1 is not collision resistant, which makes it easier for context-de ...) NOT-FOR-US: Generic protocol issue CVE-2005-4899 RESERVED CVE-2005-4898 RESERVED CVE-2005-4897 RESERVED CVE-2005-4896 RESERVED CVE-2016-6911 (The dynamicGetbuf function in the GD Graphics Library (aka libgd) befo ...) {DSA-3693-1 DLA-665-1} - libgd2 2.2.3-87-gd0fec80-2 (bug #840806) NOTE: Corresponds to the 0020-Fix-invalid-read-in-gdImageCreateFromTiffPtr.patch patch NOTE: https://github.com/libgd/libgd/commit/4859d69e07504d4b0a4bdf9bcb4d9e3769ca35ae CVE-2016-8703 (Heap-based buffer overflow in the bm_readbody_bmp function in bitmap_i ...) {DLA-675-1} - potrace 1.13-1 [jessie] - potrace 1.12-1+deb8u1 NOTE: https://blogs.gentoo.org/ago/2016/08/08/potrace-multiplesix-heap-based-buffer-overflow-in-bm_readbody_bmp-bitmap_io-c/ CVE-2016-8702 (Heap-based buffer overflow in the bm_readbody_bmp function in bitmap_i ...) {DLA-675-1} - potrace 1.13-1 [jessie] - potrace 1.12-1+deb8u1 NOTE: https://blogs.gentoo.org/ago/2016/08/08/potrace-multiplesix-heap-based-buffer-overflow-in-bm_readbody_bmp-bitmap_io-c/ CVE-2016-8701 (Heap-based buffer overflow in the bm_readbody_bmp function in bitmap_i ...) {DLA-675-1} - potrace 1.13-1 [jessie] - potrace 1.12-1+deb8u1 NOTE: https://blogs.gentoo.org/ago/2016/08/08/potrace-multiplesix-heap-based-buffer-overflow-in-bm_readbody_bmp-bitmap_io-c/ CVE-2016-8700 (Heap-based buffer overflow in the bm_readbody_bmp function in bitmap_i ...) {DLA-675-1} - potrace 1.13-1 [jessie] - potrace 1.12-1+deb8u1 NOTE: https://blogs.gentoo.org/ago/2016/08/08/potrace-multiplesix-heap-based-buffer-overflow-in-bm_readbody_bmp-bitmap_io-c/ CVE-2016-8699 (Heap-based buffer overflow in the bm_readbody_bmp function in bitmap_i ...) {DLA-675-1} - potrace 1.13-1 [jessie] - potrace 1.12-1+deb8u1 NOTE: https://blogs.gentoo.org/ago/2016/08/08/potrace-multiplesix-heap-based-buffer-overflow-in-bm_readbody_bmp-bitmap_io-c/ CVE-2016-8698 (Heap-based buffer overflow in the bm_readbody_bmp function in bitmap_i ...) {DLA-675-1} - potrace 1.13-1 [jessie] - potrace 1.12-1+deb8u1 NOTE: https://blogs.gentoo.org/ago/2016/08/08/potrace-multiplesix-heap-based-buffer-overflow-in-bm_readbody_bmp-bitmap_io-c/ CVE-2016-8697 (The bm_new function in bitmap.h in potrace before 1.13 allows remote a ...) {DLA-675-1} - potrace 1.13-1 [jessie] - potrace 1.12-1+deb8u1 NOTE: https://blogs.gentoo.org/ago/2016/08/08/potrace-divide-by-zero-in-bm_new-bitmap-h/ CVE-2016-8696 (The bm_readbody_bmp function in bitmap_io.c in potrace before 1.13 all ...) {DLA-675-1} - potrace 1.13-1 [jessie] - potrace 1.12-1+deb8u1 NOTE: https://blogs.gentoo.org/ago/2016/08/08/potrace-multiple-three-null-pointer-dereference-in-bm_readbody_bmp-bitmap_io-c/ CVE-2016-8695 (The bm_readbody_bmp function in bitmap_io.c in potrace before 1.13 all ...) {DLA-675-1} - potrace 1.13-1 [jessie] - potrace 1.12-1+deb8u1 NOTE: https://blogs.gentoo.org/ago/2016/08/08/potrace-multiple-three-null-pointer-dereference-in-bm_readbody_bmp-bitmap_io-c/ CVE-2016-8694 (The bm_readbody_bmp function in bitmap_io.c in potrace before 1.13 all ...) {DLA-675-1} - potrace 1.13-1 [jessie] - potrace 1.12-1+deb8u1 NOTE: https://blogs.gentoo.org/ago/2016/08/08/potrace-multiple-three-null-pointer-dereference-in-bm_readbody_bmp-bitmap_io-c/ CVE-2016-8693 (Double free vulnerability in the mem_close function in jas_stream.c in ...) {DSA-3785-1 DLA-739-1} - jasper (bug #841110) NOTE: https://blogs.gentoo.org/ago/2016/10/16/jasper-double-free-in-mem_close-jas_stream-c/ NOTE: https://github.com/mdadams/jasper/commit/44a524e367597af58d6265ae2014468b334d0309 CVE-2016-8692 (The jpc_dec_process_siz function in libjasper/jpc/jpc_dec.c in JasPer ...) {DSA-3785-1 DLA-739-1} - jasper (unimportant; bug #841111) NOTE: https://blogs.gentoo.org/ago/2016/10/16/jasper-two-divide-by-zero-in-jpc_dec_process_siz-jpc_dec-c/ NOTE: Fixed by: https://github.com/mdadams/jasper/commit/d8c2604cd438c41ec72aff52c16ebd8183068020 (version-1.900.4) NOTE: Not suitable for code injection, hardly denial of service CVE-2016-8691 (The jpc_dec_process_siz function in libjasper/jpc/jpc_dec.c in JasPer ...) {DSA-3785-1 DLA-739-1} - jasper (unimportant; bug #841111) NOTE: https://blogs.gentoo.org/ago/2016/10/16/jasper-two-divide-by-zero-in-jpc_dec_process_siz-jpc_dec-c/ NOTE: Fixed by: https://github.com/mdadams/jasper/commit/d8c2604cd438c41ec72aff52c16ebd8183068020 (version-1.900.4) NOTE: Not suitable for code injection, hardly denial of service CVE-2016-8690 (The bmp_getdata function in libjasper/bmp/bmp_dec.c in JasPer before 1 ...) {DLA-1583-1} - jasper (low; bug #841112) [wheezy] - jasper (Minor issue) NOTE: CVE ID for the first and fifth items of http://www.openwall.com/lists/oss-security/2016/08/23/6 post NOTE: https://blogs.gentoo.org/ago/2016/10/16/jasper-two-null-pointer-dereference-in-bmp_getdata-bmp_dec-c/ NOTE: The original fix is incomplete resulting in two follow ups CVE-2016-8884 and NOTE: CVE-2016-8885. CVE-2016-8689 (The read_Header function in archive_read_support_format_7zip.c in liba ...) {DLA-1600-1 DLA-661-1} - libarchive 3.2.1-5 (bug #840934) NOTE: https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-heap-based-buffer-overflow-in-read_header-archive_read_support_format_7zip-c/ NOTE: https://github.com/libarchive/libarchive/issues/761 NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/7f17c791dcfd8c0416e2cd2485b19410e47ef126 CVE-2016-8688 (The mtree bidder in libarchive 3.2.1 does not keep track of line sizes ...) {DLA-1600-1 DLA-661-1} - libarchive 3.2.1-5 (bug #840935) NOTE: https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-heap-based-buffer-overflow-in-detect_form-archive_read_support_format_mtree-c/ NOTE: https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-memory-corruptionunknown-crash-in-bid_entry-archive_read_support_format_mtree-c/ NOTE: https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-heap-based-buffer-overflow-in-bid_entry-archive_read_support_format_mtree-c/ NOTE: https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-use-after-free-in-bid_entry-archive_read_support_format_mtree-c/ NOTE: https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-use-after-free-in-detect_form-archive_read_support_format_mtree-c/ NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/eec077f52bfa2d3f7103b4b74d52572ba8a15aca CVE-2016-8687 (Stack-based buffer overflow in the safe_fprintf function in tar/util.c ...) {DLA-1600-1 DLA-661-1} - libarchive 3.2.1-5 (bug #840936) NOTE: https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-stack-based-buffer-overflow-in-bsdtar_expand_char-util-c/ NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a NOTE: https://github.com/libarchive/libarchive/issues/767 CVE-2016-8678 (The IsPixelMonochrome function in MagickCore/pixel-accessor.h in Image ...) - imagemagick (unimportant; bug #845204) NOTE: https://blogs.gentoo.org/ago/2016/10/07/imagemagick-heap-based-buffer-overflow-in-ispixelmonochrome-pixel-accessor-h/ NOTE: unimportant: Only an issue with a QuantumDepth=64 build, thus not affecting the binary packages NOTE: https://github.com/ImageMagick/ImageMagick/issues/272 CVE-2016-8677 (The AcquireQuantumPixels function in MagickCore/quantum.c in ImageMagi ...) {DSA-3726-1 DLA-756-1} - imagemagick 8:6.9.6.2+dfsg-1 (bug #845206) NOTE: https://blogs.gentoo.org/ago/2016/10/07/imagemagick-memory-allocate-failure-in-acquirequantumpixels-quantum-c/ NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/6e48aa92ff4e6e95424300ecd52a9ea453c19c60 CVE-2016-8676 (The get_vlc2 function in get_bits.h in Libav 11.9 allows remote attack ...) - libav (unimportant) NOTE: https://blogs.gentoo.org/ago/2016/09/07/libav-null-pointer-dereference-in-get_vlc2_get_bits_h/ CVE-2016-8675 (The get_vlc2 function in get_bits.h in Libav before 11.9 allows remote ...) - libav [jessie] - libav 6:11.9-1~deb8u1 NOTE: https://blogs.gentoo.org/ago/2016/09/07/libav-null-pointer-dereference-in-get_vlc2_get_bits_h/ NOTE: Fixed by: https://github.com/libav/libav/commit/e5b019725f53b79159931d3a7317107cbbfd0860 NOTE: Cf. CVE-2016-8676 as well which remain unfixed after e5b019725f53b79159931d3a7317107cbbfd0860 CVE-2016-8674 (The pdf_to_num function in pdf-object.c in MuPDF before 1.10 allows re ...) {DSA-3797-1} - mupdf 1.9a+ds1-2 (bug #840957) [wheezy] - mupdf (Crash is not reproducible with reprocuder. Needs clarification from upstream.) NOTE: Fixed by: http://git.ghostscript.com/?p=mupdf.git;h=1e03c06456d997435019fb3526fa2d4be7dbc6ec NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=697015 NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=697019 CVE-2016-8670 (Integer signedness error in the dynamicGetbuf function in gd_io_dp.c i ...) {DSA-3693-1 DLA-665-1} - libgd2 2.2.3-87-gd0fec80-1 (bug #840805) NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73280 NOTE: https://github.com/libgd/libgd/commit/53110871935244816bbb9d131da0bccff734bfe9 NOTE: http://www.openwall.com/lists/oss-security/2016/10/15/1 CVE-2016-8671 (The pstm_exptmod function in MatrixSSL 3.8.6 and earlier does not prop ...) - matrixssl (Incomplete fix for CVE-2016-6887 not applied) NOTE: https://blog.fuzzing-project.org/54-Update-on-MatrixSSL-miscalculation-incomplete-fix-for-CVE-2016-6887.html CVE-2016-8669 (The serial_update_parameters function in hw/char/serial.c in QEMU (aka ...) {DLA-1497-1 DLA-679-1 DLA-678-1} - qemu 1:2.8+dfsg-1 (bug #840945) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02461.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1384909 NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=3592fe0c919cf27a81d8e9f9b4f269553418bb01 CVE-2016-8668 (The rocker_io_writel function in hw/net/rocker/rocker.c in QEMU (aka Q ...) - qemu 1:2.8+dfsg-1 (bug #840948) [jessie] - qemu (Vulnerable code introduced after v2.4.0-rc0) [wheezy] - qemu (Vulnerable code introduced after v2.4.0-rc0) - qemu-kvm (Vulnerable code introduced later) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02501.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1384896 CVE-2016-8667 (The rc4030_write function in hw/dma/rc4030.c in QEMU (aka Quick Emulat ...) {DLA-1497-1} - qemu 1:2.8+dfsg-4 (bug #840950) [wheezy] - qemu (minor issue) - qemu-kvm [wheezy] - qemu-kvm (Code only affects mips platform) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02577.html CVE-2016-8665 REJECTED CVE-2016-8664 REJECTED CVE-2016-8663 REJECTED CVE-2016-8662 REJECTED CVE-2016-8661 (Little Snitch version 3.0 through 3.6.1 suffer from a buffer overflow ...) NOT-FOR-US: Little Snitch CVE-2016-8657 (It was discovered that EAP packages in certain versions of Red Hat Ent ...) NOT-FOR-US: Red Hat JBoss; jbossas Red Hat configuration file permissions and init script CVE-2016-8656 (Jboss jbossas before versions 5.2.0-23, 6.4.13, 7.0.5 is vulnerable to ...) NOT-FOR-US: Red Hat JBoss; jbossas init script CVE-2016-8655 (Race condition in net/packet/af_packet.c in the Linux kernel through 4 ...) {DLA-772-1} - linux 4.8.15-1 [jessie] - linux 3.16.39-1 NOTE: http://seclists.org/oss-sec/2016/q4/607 NOTE: Introduced by: https://git.kernel.org/linus/f6fb8f100b807378fda19e83e5ac6828b638603a (v3.2-rc1) NOTE: Fixed by: https://git.kernel.org/linus/84ac7260236a49c79eede91617700174c2c19b0c (v4.9-rc8) NOTE: Non-privileged user namespaces disabled by default, only exploitable by arbitrary user if sysctl kernel.unprivileged_userns_clone=1 CVE-2016-8654 (A heap-buffer overflow vulnerability was found in QMFB code in JPC cod ...) {DSA-3785-1 DLA-739-1} - jasper NOTE: Upstream bug: https://github.com/mdadams/jasper/issues/93 NOTE: Upstream bug: https://github.com/mdadams/jasper/issues/94 NOTE: https://github.com/mdadams/jasper/commit/4a59cfaf9ab3d48fca4a15c0d2674bf7138e3d1a CVE-2016-8653 (It was found that the JMX endpoint of Red Hat JBoss Fuse 6, and Red Ha ...) NOT-FOR-US: JMX endpoint of Red Hat JBoss Fuse 6 and Red Hat A-MQ 6 CVE-2016-8652 (The auth component in Dovecot before 2.2.27, when auth-policy is confi ...) - dovecot 1:2.2.27-1 (bug #846605) [jessie] - dovecot (Only affects 2.2.25 up and including 2.2.26.1) [wheezy] - dovecot (Only affects 2.2.25 up and including 2.2.26.1) CVE-2016-8651 (An input validation flaw was found in the way OpenShift 3 handles requ ...) NOT-FOR-US: OpenShift Enterprise CVE-2016-8650 (The mpi_powm function in lib/mpi/mpi-pow.c in the Linux kernel through ...) - linux 4.8.11-1 [jessie] - linux 3.16.39-1 [wheezy] - linux (Vulnerable code introduced later) NOTE: http://seclists.org/fulldisclosure/2016/Nov/76 NOTE: Proposed fix: https://lkml.org/lkml/2016/11/23/477 NOTE: Fixed by: https://git.kernel.org/linus/f5527fffff3f002b0a6b376163613b82f69de073 NOTE: Introduced by https://git.kernel.org/linus/cdec9cb5167ab1113ba9c58e395f664d9d3f9acb (v3.3-rc1) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1343162 (not yet opened) CVE-2016-8649 (lxc-attach in LXC before 1.0.9 and 2.x before 2.0.6 allows an attacker ...) - lxc 1:2.0.6-1 (bug #845465) [jessie] - lxc 1:1.0.6-6+deb8u5 [wheezy] - lxc (Minor issue) NOTE: Fixed by: https://github.com/lxc/lxc/commit/81f466d05f2a89cb4f122ef7f593ff3f279b165c NOTE: Details: https://launchpad.net/bugs/1639345 NOTE: To be complete this needs as well changes to src:linux CVE-2016-8648 (It was found that the Karaf container used by Red Hat JBoss Fuse 6.x, ...) NOT-FOR-US: Karaf container uses by Red Hat products CVE-2016-8647 (An input validation vulnerability was found in Ansible's mysql_user mo ...) - ansible 2.2.0.0-4 (bug #844691) [jessie] - ansible (Vulnerable code not present) NOTE: https://github.com/ansible/ansible-modules-core/pull/5388 CVE-2016-8646 (The hash_accept function in crypto/algif_hash.c in the Linux kernel be ...) - linux 4.4.2-1 [jessie] - linux 3.16.7-ckt25-1 [wheezy] - linux 3.2.78-1 NOTE: https://lkml.org/lkml/2016/10/12/198 NOTE: Fixed by: https://git.kernel.org/linus/4afa5f9617927453ac04b24b584f6c718dfb4f45 (v4.4-rc2) CVE-2016-8645 (The TCP stack in the Linux kernel before 4.8.10 mishandles skb truncat ...) {DLA-772-1} - linux 4.8.11-1 [jessie] - linux 3.16.39-1 NOTE: Fixed by: https://git.kernel.org/linus/ac6e780070e30e4c35bd395acfe9191e6268bdd3 (v4.9-rc6) CVE-2016-8644 (In Moodle 2.x and 3.x, the capability to view course notes is checked ...) - moodle 2.7.17+dfsg-1 NOTE: https://moodle.org/mod/forum/discuss.php?d=343277 CVE-2016-8643 (In Moodle 2.x and 3.x, non-admin site managers may accidentally edit a ...) - moodle 2.7.17+dfsg-1 NOTE: https://moodle.org/mod/forum/discuss.php?d=343276 CVE-2016-8642 (In Moodle 2.x and 3.x, the question engine allows access to files that ...) - moodle 2.7.17+dfsg-1 NOTE: https://moodle.org/mod/forum/discuss.php?d=343275 CVE-2016-10089 (Nagios 4.3.2 and earlier allows local users to gain root privileges vi ...) - nagios3 (Vulnerable code not present) NOTE: Flaw in upstream damon-init.in. Debian package installs an own init-skript. CVE-2016-8641 (A privilege escalation vulnerability was found in nagios 4.2.x that oc ...) - nagios3 (Vulnerable code not present) NOTE: Flaw in upstream damon-init.in. Debian package installs an own init-skript. CVE-2016-8640 (A SQL injection vulnerability in pycsw all versions before 2.0.2, 1.10 ...) - pycsw 2.0.2+dfsg-1 NOTE: https://github.com/geopython/pycsw/pull/474/files NOTE: https://patch-diff.githubusercontent.com/raw/geopython/pycsw/pull/474.patch CVE-2016-8639 (It was found that foreman before 1.13.0 is vulnerable to a stored XSS ...) - foreman (bug #663101) NOTE: http://projects.theforeman.org/issues/15037 NOTE: https://github.com/theforeman/foreman/pull/3523 CVE-2016-8638 (A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 bef ...) - ipsilon (bug #826838) NOTE: https://ipsilon-project.org/advisory/CVE-2016-8638.txt NOTE: https://pagure.io/ipsilon/c/511fa8b7001c2f9a42301aa1d4b85aaf170a461c CVE-2016-8637 (A local information disclosure issue was found in dracut before 045 wh ...) - dracut 044+189-1 (low; bug #843697) [jessie] - dracut (Minor issue) [wheezy] - dracut (Introduced in 030 upstream) NOTE: Fixed by: http://git.kernel.org/cgit/boot/dracut/dracut.git/commit/?id=0db98910a11c12a454eac4c8e86dc7a7bbc764a4 NOTE: Introduced by: http://git.kernel.org/cgit/boot/dracut/dracut.git/commit/?id=5f2c30d9bcd614d546d5c55c6897e33f88b9ab90 (030) CVE-2016-8636 (Integer overflow in the mem_check_range function in drivers/infiniband ...) - linux 4.9.10-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fix https://github.com/torvalds/linux/commit/647bf3d8a8e5777319da92af672289b2a6c4dc66 CVE-2016-8635 (It was found that Diffie Hellman Client key exchange handling in NSS 3 ...) - nss 2:3.25-1 NOTE: Patch as applied in CentOS (but contains other changes): NOTE: https://git.centos.org/blob/rpms!nss!/aada6b10b73091276397404059605d13e7548462/SOURCES!moz-1314604.patch NOTE: Further info: https://bugzilla.redhat.com/show_bug.cgi?id=1391818 NOTE: Upstream bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1314604 CVE-2016-8634 (A vulnerability was found in foreman 1.14.0. When creating an organiza ...) - foreman (bug #663101) NOTE: http://projects.theforeman.org/issues/17195 CVE-2016-8633 (drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain un ...) {DLA-772-1} - linux 4.8.7-1 [jessie] - linux 3.16.39-1 NOTE: https://git.kernel.org/linus/667121ace9dbafb368618dbabcf07901c962ddac NOTE: https://eyalitkin.wordpress.com/2016/11/06/cve-publication-cve-2016-8633/ CVE-2016-8632 (The tipc_msg_build function in net/tipc/msg.c in the Linux kernel thro ...) - linux 4.8.15-1 [jessie] - linux (Vulnerable code introduced in 3.17-rc1) [wheezy] - linux (Vulnerable code introduced in 3.17-rc1) NOTE: https://www.mail-archive.com/netdev@vger.kernel.org/msg133205.html NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3de81b758853f0b29c61e246679d20b513c4cfec (v4.9-rc8) CVE-2016-8631 (The OpenShift Enterprise 3 router does not properly sort routes when p ...) NOT-FOR-US: OpenShift Enterprise CVE-2016-8630 (The x86_decode_insn function in arch/x86/kvm/emulate.c in the Linux ke ...) - linux 4.8.7-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/d9092f52d7e61dd1557f2db2400ddb430e85937e (v4.9-rc4) NOTE: Introduced by: https://git.kernel.org/linus/41061cdb98a0bec464278b4db8e894a3121671f5 (v3.17-rc1) CVE-2016-8629 (Red Hat Keycloak before version 2.4.0 did not correctly check permissi ...) NOT-FOR-US: Keycloak CVE-2016-8628 (Ansible before version 2.2.0 fails to properly sanitize fact variables ...) - ansible 2.2.0.0-1 (bug #842985) [jessie] - ansible (Vulnerable code not present) NOTE: Fixed upstream in v2.2.0.0-1 NOTE: Needs an attacker to compromise a controlled server. CVE-2016-8627 (admin-cli before versions 3.0.0.alpha25, 2.2.1.cr2 is vulnerable to an ...) NOT-FOR-US: Red Hat JBoss EAP CVE-2016-8626 (A flaw was found in Red Hat Ceph before 0.94.9-8. The way Ceph Object ...) - ceph 10.2.5-1 (bug #844200) [jessie] - ceph 0.80.7-2+deb8u2 NOTE: http://tracker.ceph.com/issues/17635 CVE-2016-8625 (curl before version 7.51.0 uses outdated IDNA 2003 standard to handle ...) - curl 7.51.0-1 [jessie] - curl (the fix is too invasive) [wheezy] - curl (the fix is too invasive) NOTE: https://github.com/curl/curl/commit/9c91ec778104ae3b744b39444d544e82d5ee9ece NOTE: https://curl.haxx.se/docs/adv_20161102K.html NOTE: https://curl.haxx.se/CVE-2016-8625.patch CVE-2016-8624 (curl before version 7.51.0 doesn't parse the authority component of th ...) {DSA-3705-1 DLA-711-1} - curl 7.51.0-1 NOTE: https://github.com/curl/curl/commit/3bb273db7e40ebc284cff45f3ce3f0475c8339c2 NOTE: https://curl.haxx.se/docs/adv_20161102J.html NOTE: https://curl.haxx.se/CVE-2016-8624.patch CVE-2016-8623 (A flaw was found in curl before version 7.51.0. The way curl handles c ...) {DSA-3705-1 DLA-711-1} - curl 7.51.0-1 NOTE: https://github.com/curl/curl/commit/c5be3d7267c725dbd093ff3a883e07ee8cf2a1d5 NOTE: https://curl.haxx.se/docs/adv_20161102I.html NOTE: https://curl.haxx.se/CVE-2016-8623.patch CVE-2016-8622 (The URL percent-encoding decode function in libcurl before 7.51.0 is c ...) {DSA-3705-1 DLA-711-1} - curl 7.51.0-1 NOTE: https://github.com/curl/curl/commit/53e71e47d6b81650d26ec33a58d0dca24c7ffb2c NOTE: https://curl.haxx.se/docs/adv_20161102H.html NOTE: https://curl.haxx.se/CVE-2016-8622.patch CVE-2016-8621 (The `curl_getdate` function in curl before version 7.51.0 is vulnerabl ...) {DSA-3705-1 DLA-711-1} - curl 7.51.0-1 NOTE: https://github.com/curl/curl/commit/96a80b5a262fb6dd2ddcea7987296f3b9a405618 NOTE: https://curl.haxx.se/docs/adv_20161102G.html NOTE: https://curl.haxx.se/CVE-2016-8621.patch CVE-2016-8620 (The 'globbing' feature in curl before version 7.51.0 has a flaw that l ...) {DSA-3705-1} - curl 7.51.0-1 [wheezy] - curl (Vulnerable code introduced in 7.34.0) NOTE: https://github.com/curl/curl/commit/fbb5f1aa0326d485d5a7ac643b48481897ca667f NOTE: https://curl.haxx.se/docs/adv_20161102F.html NOTE: https://curl.haxx.se/CVE-2016-8620.patch CVE-2016-8619 (The function `read_data()` in security.c in curl before version 7.51.0 ...) {DSA-3705-1 DLA-711-1} - curl 7.51.0-1 NOTE: https://github.com/curl/curl/commit/3d6460edeee21d7d790ec570d0887bed1f4366dd NOTE: https://curl.haxx.se/docs/adv_20161102E.html NOTE: https://curl.haxx.se/CVE-2016-8619.patch CVE-2016-8618 (The libcurl API function called `curl_maprintf()` before version 7.51. ...) {DSA-3705-1 DLA-711-1} - curl 7.51.0-1 NOTE: https://github.com/curl/curl/commit/8732ec40db652c53fa58cd13e2acb8eab6e40874 NOTE: https://curl.haxx.se/docs/adv_20161102D.html NOTE: https://curl.haxx.se/CVE-2016-8618.patch CVE-2016-8617 (The base64 encode function in curl before version 7.51.0 is prone to a ...) {DSA-3705-1 DLA-711-1} - curl 7.51.0-1 NOTE: https://github.com/curl/curl/commit/efd24d57426bd77c9b5860e6b297904703750412 NOTE: https://curl.haxx.se/docs/adv_20161102C.html NOTE: https://curl.haxx.se/CVE-2016-8617.patch CVE-2016-8616 (A flaw was found in curl before version 7.51.0 When re-using a connect ...) {DSA-3705-1 DLA-711-1} - curl 7.51.0-1 NOTE: https://github.com/curl/curl/commit/b3ee26c5df75d97f6895e6ec4538894ebaf76e48 NOTE: https://curl.haxx.se/docs/adv_20161102B.html NOTE: https://curl.haxx.se/CVE-2016-8616.patch CVE-2016-8615 (A flaw was found in curl before version 7.51. If cookie state is writt ...) {DSA-3705-1 DLA-711-1} - curl 7.51.0-1 NOTE: https://github.com/curl/curl/commit/cff89bc088b7884098ea0c5378bbda3d49c437bc NOTE: https://curl.haxx.se/docs/adv_20161102A.html NOTE: https://curl.haxx.se/CVE-2016-8615.patch CVE-2016-8614 (A flaw was found in Ansible before version 2.2.0. The apt_key module d ...) - ansible 2.2.0.0-1 (bug #842984) [jessie] - ansible (Vulnerable code introduced later) NOTE: Fixed upstream in v2.2.0.0-1 NOTE: https://github.com/ansible/ansible-modules-core/issues/5237 NOTE: https://github.com/ansible/ansible-modules-core/pull/5353 NOTE: https://github.com/ansible/ansible-modules-core/pull/5357 CVE-2016-8613 (A flaw was found in foreman 1.5.1. The remote execution plugin runs co ...) - foreman (bug #663101) NOTE: http://projects.theforeman.org/issues/17066/ NOTE: https://github.com/theforeman/foreman_remote_execution/pull/208 CVE-2016-8612 (Apache HTTP Server mod_cluster before version httpd 2.4.23 is vulnerab ...) - libapache2-mod-cluster (bug #731410) CVE-2016-8611 (A vulnerability was found in Openstack Glance. No limits are enforced ...) - glance (unimportant) NOTE: http://www.openwall.com/lists/oss-security/2016/10/27/16 CVE-2016-8610 (A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 thro ...) {DSA-3773-1 DLA-814-1} - openssl 1.0.2j-1 NOTE: http://www.openwall.com/lists/oss-security/2016/10/24/3 NOTE: Fixed by: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=af58be768ebb690f78530f796e92b8ae5c9a4401 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1384743 mentions countermeasures in gnutls NOTE: https://gitlab.com/gnutls/gnutls/commit/1ffb827e45721ef56982d0ffd5c5de52376c428e CVE-2016-8609 (It was found that the keycloak before 2.3.0 did not implement authenti ...) NOT-FOR-US: Keycloak CVE-2016-8608 (JBoss BRMS 6 and BPM Suite 6 are vulnerable to a stored XSS via busine ...) NOT-FOR-US: JBoss BPMS CVE-2016-8607 RESERVED CVE-2016-8604 RESERVED CVE-2016-8603 RESERVED CVE-2016-8600 (In dotCMS 3.2.1, attacker can load captcha once, fill it with correct ...) NOT-FOR-US: dotCMS CVE-2016-8599 RESERVED CVE-2016-8598 (Buffer overflow in the zmq interface in csp_if_zmqhub.c in the libcsp ...) - libcsp (bug #843012) NOTE: https://github.com/GomSpace/libcsp/pull/81/commits/4435fbed4090ff3cd090a61517430fe8a3924cd8 CVE-2016-8597 (Buffer overflow in the csp_sfp_recv_fp in csp_sfp.c in the libcsp libr ...) - libcsp (bug #843012) NOTE: https://github.com/GomSpace/libcsp/pull/81/commits/4435fbed4090ff3cd090a61517430fe8a3924cd8 CVE-2016-8596 (Buffer overflow in the csp_can_process_frame in csp_if_can.c in the li ...) - libcsp (bug #843012) NOTE: https://github.com/GomSpace/libcsp/pull/81/commits/4435fbed4090ff3cd090a61517430fe8a3924cd8 CVE-2016-8595 (The gsm_parse function in libavcodec/gsm_parser.c in FFmpeg before 3.1 ...) - ffmpeg 7:3.1.5-1 NOTE: http://www.openwall.com/lists/oss-security/2016/12/08/2 NOTE: https://github.com/FFmpeg/FFmpeg/commit/987690799dd86433bf98b897aaa4c8d93ade646d CVE-2016-8594 RESERVED CVE-2016-8666 (The IP stack in the Linux kernel before 4.6 allows remote attackers to ...) - linux 4.6.1-1 [jessie] - linux 3.6.36-1 [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/fac8e0f579695a3ecbc4d3cac369139d7f819971 NOTE: Introduced by: htttps://git.kernel.org/linus/bf5a755f5e9186406bbf50f4087100af5bd68e40 NOTE: http://www.openwall.com/lists/oss-security/2016/10/13/11 CVE-2016-8660 (The XFS subsystem in the Linux kernel through 4.8.2 allows local users ...) - linux (low) [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) - linux-4.9 (low) CVE-2016-8659 (Bubblewrap before 0.1.3 sets the PR_SET_DUMPABLE flag, which might all ...) - bubblewrap 0.1.2-2 (bug #840605) NOTE: https://github.com/projectatomic/bubblewrap/issues/107 CVE-2016-8658 (Stack-based buffer overflow in the brcmf_cfg80211_start_ap function in ...) - linux 4.7.5-1 [jessie] - linux 3.16.39-1 [wheezy] - linux (Vulnerable code introduced later in 3.7) NOTE: Fixed by: https://git.kernel.org/linus/ded89912156b1a47d940a0c954c43afbabd0c42c (v4.8-rc8) CVE-2016-8606 (The REPL server (--listen) in GNU Guile 2.0.12 allows an attacker to e ...) {DLA-666-1} - guile-2.0 2.0.13+1-1 (low; bug #840555) [jessie] - guile-2.0 2.0.11+1-9+deb8u1 - guile-1.8 (repl server introduced in 2.0) NOTE: Patch: http://git.savannah.gnu.org/cgit/guile.git/commit/?h=stable-2.0&id=08c021916dbd3a235a9f9cc33df4c418c0724e03 CVE-2016-8605 (The mkdir procedure of GNU Guile temporarily changed the process' umas ...) {DLA-666-1} - guile-2.0 2.0.13+1-1 (low; bug #840556) [jessie] - guile-2.0 2.0.11+1-9+deb8u1 - guile-1.8 (low; bug #841494) [jessie] - guile-1.8 (Minor issue) [wheezy] - guile-1.8 (Minor issue) NOTE: http://bugs.gnu.org/24659 NOTE: Patch: http://git.savannah.gnu.org/cgit/guile.git/commit/?h=stable-2.0&id=245608911698adb3472803856019bdd5670b6614 CVE-2016-8593 (Directory traversal vulnerability in upload.cgi in Trend Micro Threat ...) NOT-FOR-US: Trend Micro CVE-2016-8592 (log_query_system.cgi in Trend Micro Threat Discovery Appliance 2.6.106 ...) NOT-FOR-US: Trend Micro CVE-2016-8591 (log_query.cgi in Trend Micro Threat Discovery Appliance 2.6.1062r1 and ...) NOT-FOR-US: Trend Micro CVE-2016-8590 (log_query_dlp.cgi in Trend Micro Threat Discovery Appliance 2.6.1062r1 ...) NOT-FOR-US: Trend Micro CVE-2016-8589 (log_query_dae.cgi in Trend Micro Threat Discovery Appliance 2.6.1062r1 ...) NOT-FOR-US: Trend Micro CVE-2016-8588 (The hotfix_upload.cgi in Trend Micro Threat Discovery Appliance 2.6.10 ...) NOT-FOR-US: Trend Micro CVE-2016-8587 (dlp_policy_upload.cgi in Trend Micro Threat Discovery Appliance 2.6.10 ...) NOT-FOR-US: Trend Micro CVE-2016-8586 (detected_potential_files.cgi in Trend Micro Threat Discovery Appliance ...) NOT-FOR-US: Trend Micro CVE-2016-8585 (admin_sys_time.cgi in Trend Micro Threat Discovery Appliance 2.6.1062r ...) NOT-FOR-US: Trend Micro CVE-2016-8584 (Trend Micro Threat Discovery Appliance 2.6.1062r1 and earlier uses pre ...) NOT-FOR-US: Trend Micro CVE-2016-8583 (Multiple GET parameters in the vulnerability scan scheduler of AlienVa ...) NOT-FOR-US: AlienVault CVE-2016-8582 (A vulnerability exists in gauge.php of AlienVault OSSIM and USM before ...) NOT-FOR-US: AlienVault CVE-2016-8581 (A persistent XSS vulnerability exists in the User-Agent header of the ...) NOT-FOR-US: AlienVault CVE-2016-8580 (PHP object injection vulnerabilities exist in multiple widget files in ...) NOT-FOR-US: AlienVault CVE-2016-8579 (docker2aci <= 0.12.3 has an infinite loop when handling local image ...) - golang-github-appc-docker2aci 0.12.3+dfsg-2 (bug #840711) NOTE: https://github.com/appc/docker2aci/issues/203 NOTE: https://github.com/lucab/docker2aci/commit/54331ec7020e102935c31096f336d31f6400064f CVE-2016-8575 (The Q.933 parser in tcpdump before 4.9.0 has a buffer overflow in prin ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-8574 (The FRF.15 parser in tcpdump before 4.9.0 has a buffer overflow in pri ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-8573 RESERVED CVE-2016-8572 RESERVED CVE-2016-8571 RESERVED CVE-2016-8570 RESERVED CVE-2016-8567 (An issue was discovered in Siemens SICAM PAS before 8.00. A factory ac ...) NOT-FOR-US: Siemens CVE-2016-8566 (An issue was discovered in Siemens SICAM PAS before 8.00. Because of S ...) NOT-FOR-US: Siemens CVE-2016-8565 (Siemens Automation License Manager (ALM) before 5.3 SP3 allows remote ...) NOT-FOR-US: Siemens Automation License Manager CVE-2016-8564 (SQL injection vulnerability in Siemens Automation License Manager (ALM ...) NOT-FOR-US: Siemens Automation License Manager CVE-2016-8563 (Siemens Automation License Manager (ALM) before 5.3 SP3 Update 1 allow ...) NOT-FOR-US: Siemens Automation License Manager CVE-2016-8562 (Siemens SIMATIC CP 1543-1 before 2.0.28, when SNMPv3 write access or S ...) NOT-FOR-US: Siemens SIMATIC CP CVE-2016-8561 (Siemens SIMATIC CP 1543-1 before 2.0.28 allows remote authenticated us ...) NOT-FOR-US: Siemens SIMATIC CP CVE-2016-8560 REJECTED CVE-2016-8559 REJECTED CVE-2016-8558 REJECTED CVE-2016-8557 REJECTED CVE-2016-8556 REJECTED CVE-2016-8555 REJECTED CVE-2016-8554 REJECTED CVE-2016-8553 REJECTED CVE-2016-8552 REJECTED CVE-2016-8551 REJECTED CVE-2016-8550 REJECTED CVE-2016-8549 REJECTED CVE-2016-8548 REJECTED CVE-2016-8547 REJECTED CVE-2016-8546 REJECTED CVE-2016-8545 REJECTED CVE-2016-8544 REJECTED CVE-2016-8543 REJECTED CVE-2016-8542 REJECTED CVE-2016-8541 REJECTED CVE-2016-8540 REJECTED CVE-2016-8539 REJECTED CVE-2016-8538 REJECTED CVE-2016-8537 REJECTED CVE-2016-8536 REJECTED CVE-2016-8535 (A remote HTTP parameter Pollution vulnerability in HPE Matrix Operatin ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2016-8534 (A remote privilege elevation vulnerability in HPE Matrix Operating Env ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2016-8533 (A remote priviledge escalation vulnerability in HPE Matrix Operating E ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2016-8532 (A cross site scripting vulnerability in HPE Matrix Operating Environme ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2016-8531 (A remote information disclosure vulnerability in HPE Matrix Operating ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2016-8530 (A remote denial of service vulnerability in HPE iMC PLAT version v7.2 ...) NOT-FOR-US: HPE iMC PLAT CVE-2016-8529 (A Remote Arbitrary Command Execution vulnerability in HPE StoreVirtual ...) NOT-FOR-US: HPE StoreVirtual CVE-2016-8528 (A Remote Escalation of Privilege vulnerability in HPE Helion Eucalyptu ...) NOT-FOR-US: HPE Helion Eucalyptus CVE-2016-8527 (Aruba Airwave all versions up to, but not including, 8.2.3.1 is vulner ...) NOT-FOR-US: Aruba CVE-2016-8526 (Aruba Airwave all versions up to, but not including, 8.2.3.1 is vulner ...) NOT-FOR-US: Aruba CVE-2016-8525 (A Remote Disclosure of Information vulnerability in HPE iMC PLAT versi ...) NOT-FOR-US: HPE iMC PLAT CVE-2016-8524 REJECTED CVE-2016-8523 (A Remote Arbitrary Code Execution vulnerability in HPE Smart Storage A ...) NOT-FOR-US: HP Smart Storage Administrator CVE-2016-8522 (A cross-site scripting vulnerability in HPE Diagnostics version 9.24 I ...) NOT-FOR-US: HPE Diagnostics CVE-2016-8521 (A Remote click jacking vulnerability in HPE Diagnostics version 9.24 I ...) NOT-FOR-US: HPE Diagnostics CVE-2016-8520 (HPE Helion Eucalyptus v4.3.0 and earlier does not correctly check IAM ...) - eucalyptus CVE-2016-8519 (A remote code execution vulnerability in HPE Operations Orchestration ...) NOT-FOR-US: HPE Operations Orchestration CVE-2016-8518 (A remote denial of service vulnerability in HPE Systems Insight Manage ...) NOT-FOR-US: HPE CVE-2016-8517 (A cross site scripting vulnerability in HPE Systems Insight Manager in ...) NOT-FOR-US: HPE CVE-2016-8516 (A remote denial of service vulnerability in HPE Systems Insight Manage ...) NOT-FOR-US: HPE CVE-2016-8515 (A remote malicious file upload vulnerability in HPE Version Control Re ...) NOT-FOR-US: HPE Version Control Repository Manager CVE-2016-8514 (A remote information disclosure in HPE Version Control Repository Mana ...) NOT-FOR-US: HPE Version Control Repository Manager CVE-2016-8513 (A Cross-Site Request Forgery (CSRF) vulnerability in HPE Version Contr ...) NOT-FOR-US: HPE Version Control Repository Manager CVE-2016-8512 (A Remote Code Execution vulnerability in all versions of HPE LoadRunne ...) NOT-FOR-US: HPE CVE-2016-8511 (A Remote Code Execution vulnerability in HPE Network Automation using ...) NOT-FOR-US: HPE CVE-2016-8510 REJECTED CVE-2016-8509 REJECTED CVE-2016-8508 (Yandex Browser for desktop before 17.1.1.227 does not show Protect (si ...) NOT-FOR-US: Yandex Browser CVE-2016-8507 (Yandex Browser for iOS before 16.10.0.2357 does not properly restrict ...) NOT-FOR-US: Yandex Browser CVE-2016-8506 (XSS in Yandex Browser Translator in Yandex browser for desktop for ver ...) NOT-FOR-US: Yandex Browser CVE-2016-8505 (XSS in Yandex Browser BookReader in Yandex browser for desktop for ver ...) NOT-FOR-US: Yandex Browser CVE-2016-8504 (CSRF of synchronization form in Yandex Browser for desktop before vers ...) NOT-FOR-US: Yandex Browser CVE-2016-8503 (Yandex Protect Anti-phishing warning in Yandex Browser for desktop fro ...) NOT-FOR-US: Yandex Browser CVE-2016-8502 (Yandex Protect Anti-phishing warning in Yandex Browser for desktop fro ...) NOT-FOR-US: Yandex Browser CVE-2016-8501 (Security WiFi bypass in Yandex Browser from version 15.10 to 15.12 all ...) NOT-FOR-US: Yandex Browser CVE-2016-8500 REJECTED CVE-2016-8499 REJECTED CVE-2016-8498 REJECTED CVE-2016-8497 REJECTED CVE-2016-8496 REJECTED CVE-2016-8495 (An improper certificate validation vulnerability in Fortinet FortiMana ...) NOT-FOR-US: FortiManager CVE-2016-8494 (Insufficient verification of uploaded files allows attackers with webu ...) NOT-FOR-US: Fortiguard CVE-2016-8493 (In FortiClientWindows 5.4.1 and 5.4.2, an attacker may escalate privil ...) NOT-FOR-US: Fortiguard CVE-2016-8492 (The implementation of an ANSI X9.31 RNG in Fortinet FortiGate allows a ...) NOT-FOR-US: Fortinet FortiWLC CVE-2016-8491 (The presence of a hardcoded account named 'core' in Fortinet FortiWLC ...) NOT-FOR-US: Fortinet FortiWLC CVE-2015-8965 (Rogue Wave JViews before 8.8 patch 21 and 8.9 before patch 1 allows re ...) NOT-FOR-US: Rogue Wave JViews CVE-2016-XXXX [dbus format string vulnerability] - dbus 1.10.12-1 [jessie] - dbus 1.8.22-0+deb8u1 [wheezy] - dbus (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=98157 NOTE: Versions affected: dbus >= 1.4.0 NOTE: Fixed in: dbus >= 1.11.6, 1.10.x >= 1.10.12, 1.8.x >= 1.8.22 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/10/10/9 NOTE: In Debian CVE-2015-0245 was already fixed, and this issue is NOTE: not believed to be exploitable in practice, because the relevant NOTE: message is ignored unless it comes from the owner of the bus name NOTE: org.freedesktop.systemd1. On the system bus, this bus name is only NOTE: allowed to be owned by uid 0; it is intended to be owned by systemd, NOTE: and no mechanism is currently known by which an attacker who does not NOTE: already have root privileges could induce systemd to send messages NOTE: that would trigger the format string vulnerability. CVE-2016-8686 (The bm_new function in bitmap.h in potrace 1.13 allows remote attacker ...) - potrace 1.14-1 (low; bug #850595) [stretch] - potrace (Minor issue) [jessie] - potrace (Minor issue) [wheezy] - potrace (Minor issue) NOTE: https://blogs.gentoo.org/ago/2016/08/29/potrace-memory-allocation-failure NOTE: http://potrace.sourceforge.net/ChangeLog claims that it's fixed in 1.14 NOTE: but see https://lists.debian.org/debian-lts/2017/05/msg00032.html CVE-2016-8685 (The findnext function in decompose.c in potrace 1.13 allows remote att ...) {DLA-889-1} - potrace 1.13-3 (bug #843861) [jessie] - potrace (Minor issue) NOTE: https://blogs.gentoo.org/ago/2016/08/29/potrace-invalid-memory-access-in-findnext-decompose-c/ CVE-2016-8684 (The MagickMalloc function in magick/memory.c in GraphicsMagick 1.3.25 ...) {DSA-3746-1 DLA-683-1} - graphicsmagick 1.3.25-5 NOTE: https://blogs.gentoo.org/ago/2016/09/15/graphicsmagick-memory-allocation-failure-in-magickmalloc-memory-c/ NOTE: Fixed by: http://hg.code.sf.net/p/graphicsmagick/code/rev/c53725cb5449 CVE-2016-8683 (The ReadPCXImage function in coders/pcx.c in GraphicsMagick 1.3.25 all ...) {DSA-3746-1 DLA-683-1} - graphicsmagick 1.3.25-5 NOTE: https://blogs.gentoo.org/ago/2016/09/15/graphicsmagick-memory-allocation-failure-in-readpcximage-pcx-c/ NOTE: Fixed by: http://hg.code.sf.net/p/graphicsmagick/code/rev/b9edafd479b9 CVE-2016-8682 (The ReadSCTImage function in coders/sct.c in GraphicsMagick 1.3.25 all ...) {DSA-3746-1 DLA-683-1} - graphicsmagick 1.3.25-5 NOTE: https://blogs.gentoo.org/ago/2016/09/15/graphicsmagick-stack-based-buffer-overflow-in-readsctimage-sct-c/ NOTE: Fixed by: http://hg.code.sf.net/p/graphicsmagick/code/rev/0a0dfa81906d CVE-2016-8679 (The _dwarf_get_size_of_val function in libdwarf/dwarf_util.c in Libdwa ...) - dwarfutils 20161001-2 (bug #840958) [jessie] - dwarfutils (Minor issue) [wheezy] - dwarfutils (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2016/10/08/11 NOTE: https://sourceforge.net/p/libdwarf/code/ci/2d14a7792889e33bc542c28d0f3792964c46214f/#diff-13 NOTE: https://sourceforge.net/p/libdwarf/code/ci/efe48cad0693d6994d9a7b561e1c3833b073a624/#diff-2 NOTE: Same fix as CVE-2016-8681 but different issue CVE-2016-8680 (The _dwarf_get_abbrev_for_code function in dwarf_util.c in libdwarf 20 ...) - dwarfutils 20161001-2 (bug #840960) [jessie] - dwarfutils (Minor issue) [wheezy] - dwarfutils (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2016/10/08/12 NOTE: https://sourceforge.net/p/libdwarf/code/ci/268c1f18d1d28612af3b72d7c670076b1b88e51c/tree/libdwarf/dwarf_util.c?diff=0b28b923c3bd9827d1d904feed2abadde4fa5de2 CVE-2016-8681 (The _dwarf_get_abbrev_for_code function in dwarf_util.c in libdwarf 20 ...) - dwarfutils 20161001-2 (bug #840961) [jessie] - dwarfutils (Minor issue) [wheezy] - dwarfutils (Minor issue) NOTE: https://sourceforge.net/p/libdwarf/code/ci/2d14a7792889e33bc542c28d0f3792964c46214f/#diff-13 NOTE: https://sourceforge.net/p/libdwarf/code/ci/efe48cad0693d6994d9a7b561e1c3833b073a624/#diff-2 NOTE: http://www.openwall.com/lists/oss-security/2016/10/08/13 CVE-2016-8602 (The .sethalftone5 function in psi/zht2.c in Ghostscript before 9.21 al ...) {DSA-3691-1 DLA-674-1} - ghostscript 9.19~dfsg-3.1 (bug #840451) NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=697203 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=f5c7555c30393e64ec1f5ab0dfae5b55b3b3fc78 CVE-2016-8601 REJECTED CVE-2016-8578 (The v9fs_iov_vunmarshal function in fsdev/9p-iov-marshal.c in QEMU (ak ...) {DLA-1599-1 DLA-679-1 DLA-678-1} - qemu 1:2.8+dfsg-1 (bug #840340) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg07143.html NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=ba42ebb863ab7d40adc79298422ed9596df8f73a CVE-2016-8577 (Memory leak in the v9fs_read function in hw/9pfs/9p.c in QEMU (aka Qui ...) {DLA-1599-1 DLA-679-1 DLA-678-1} - qemu 1:2.8+dfsg-1 (bug #840341) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg07127.html NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=e95c9a493a5a8d6f969e86c9f19f80ffe6587e19 CVE-2016-8576 (The xhci_ring_fetch function in hw/usb/hcd-xhci.c in QEMU (aka Quick E ...) {DLA-1497-1 DLA-679-1 DLA-678-1} - qemu 1:2.8+dfsg-1 (bug #840343) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg01265.html NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=05f43d44e4bc26611ce25fd7d726e483f73363ce CVE-2016-8569 (The git_oid_nfmt function in commit.c in libgit2 before 0.24.3 allows ...) - libgit2 0.24.2-2 (bug #840227) [jessie] - libgit2 (Minor issue) [experimental] - cargo 0.17.0-1~exp1 - cargo 0.17.0-1 (bug #860989) NOTE: https://github.com/libgit2/libgit2/issues/3937 CVE-2016-8568 (The git_commit_message function in oid.c in libgit2 before 0.24.3 allo ...) - libgit2 0.24.5-1 (bug #840227) [jessie] - libgit2 (Minor issue) [experimental] - cargo 0.17.0-1~exp1 - cargo 0.17.0-1 (bug #860989) NOTE: https://github.com/libgit2/libgit2/issues/3936 CVE-2016-8490 RESERVED CVE-2016-8489 REJECTED CVE-2016-8488 (An elevation of privilege vulnerability in Qualcomm closed source comp ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-8487 (An elevation of privilege vulnerability in Qualcomm closed source comp ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-8486 (An information disclosure vulnerability in Qualcomm closed source comp ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-8485 (An information disclosure vulnerability in Qualcomm closed source comp ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-8484 (An elevation of privilege vulnerability in Qualcomm closed source comp ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-8483 (An information disclosure vulnerability in the Qualcomm power driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-8482 (An elevation of privilege vulnerability in the NVIDIA GPU driver. Prod ...) NOT-FOR-US: NVIDIA driver for Android CVE-2016-8481 (An elevation of privilege vulnerability in the Qualcomm sound driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-8480 (An elevation of privilege vulnerability in the Qualcomm Secure Executi ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-8479 (An elevation of privilege vulnerability in the Qualcomm GPU driver cou ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-8478 (An information disclosure vulnerability in the Qualcomm video driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-8477 (An information disclosure vulnerability in the Qualcomm camera driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-8476 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-8475 (An information disclosure vulnerability in the HTC input driver could ...) NOT-FOR-US: HTC driver for Android CVE-2016-8474 (An information disclosure vulnerability in the STMicroelectronics driv ...) NOT-FOR-US: STMicroelectronics driver for Android CVE-2016-8473 (An information disclosure vulnerability in the STMicroelectronics driv ...) NOT-FOR-US: STMicroelectronics driver for Android CVE-2016-8472 (An information disclosure vulnerability in the MediaTek driver could e ...) NOT-FOR-US: Mediatek driver for Android CVE-2016-8471 (An information disclosure vulnerability in the MediaTek driver could e ...) NOT-FOR-US: Mediatek driver for Android CVE-2016-8470 (An information disclosure vulnerability in the MediaTek driver could e ...) NOT-FOR-US: Mediatek driver for Android CVE-2016-8469 (An information disclosure vulnerability in the camera driver could ena ...) NOT-FOR-US: camera driver for Android CVE-2016-8468 (An elevation of privilege vulnerability in Binder could enable a local ...) NOT-FOR-US: Android Binder CVE-2016-8467 (An elevation of privilege vulnerability in the bootloader could enable ...) NOT-FOR-US: Android bootloader CVE-2016-8466 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom Wi-Fi driver for Android CVE-2016-8465 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom Wi-Fi driver for Android CVE-2016-8464 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom Wi-Fi driver for Android CVE-2016-8463 (A denial of service vulnerability in the Qualcomm FUSE file system cou ...) NOT-FOR-US: Qualcomm file system for Android CVE-2016-8462 (An information disclosure vulnerability in the bootloader could enable ...) NOT-FOR-US: Android bootloader CVE-2016-8461 (An information disclosure vulnerability in the bootloader could enable ...) NOT-FOR-US: Android bootloader CVE-2016-8460 (An information disclosure vulnerability in the NVIDIA video driver cou ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-8459 (Possible buffer overflow in storage subsystem. Bad parameters as part ...) NOT-FOR-US: Qualcomm component for Android CVE-2016-8458 (An elevation of privilege vulnerability in the Synaptics touchscreen d ...) NOT-FOR-US: Synaptics driver for Android CVE-2016-8457 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom Wi-Fi driver for Android CVE-2016-8456 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom Wi-Fi driver for Android CVE-2016-8455 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom Wi-Fi driver for Android CVE-2016-8454 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom Wi-Fi driver for Android CVE-2016-8453 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom Wi-Fi driver for Android CVE-2016-8452 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-8451 (An elevation of privilege vulnerability in the Synaptics touchscreen d ...) NOT-FOR-US: Synaptics driver for Android CVE-2016-8450 (An elevation of privilege vulnerability in the Qualcomm sound driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-8449 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-8448 (An elevation of privilege vulnerability in MediaTek components, includ ...) NOT-FOR-US: MediaTek component for Android CVE-2016-8447 (An elevation of privilege vulnerability in MediaTek components, includ ...) NOT-FOR-US: MediaTek component for Android CVE-2016-8446 (An elevation of privilege vulnerability in MediaTek components, includ ...) NOT-FOR-US: MediaTek component for Android CVE-2016-8445 (An elevation of privilege vulnerability in MediaTek components, includ ...) NOT-FOR-US: MediaTek component for Android CVE-2016-8444 (An elevation of privilege vulnerability in the Qualcomm camera could e ...) NOT-FOR-US: Qualcomm component for Android CVE-2016-8443 (Possible unauthorized memory access in the hypervisor. Incorrect confi ...) NOT-FOR-US: Qualcomm component for Android CVE-2016-8442 (Possible unauthorized memory access in the hypervisor. Lack of input v ...) NOT-FOR-US: Qualcomm component for Android CVE-2016-8441 (Possible buffer overflow in the hypervisor. Inappropriate usage of a s ...) NOT-FOR-US: Qualcomm component for Android CVE-2016-8440 (Possible buffer overflow in SMMU system call. Improper input validatio ...) NOT-FOR-US: Qualcomm component for Android CVE-2016-8439 (Possible buffer overflow in trust zone access control API. Buffer over ...) NOT-FOR-US: Qualcomm component for Android CVE-2016-8438 (Integer overflow leading to a TOCTOU condition in hypervisor PIL. An i ...) NOT-FOR-US: Qualcomm component for Android CVE-2016-8437 (Improper input validation in Access Control APIs. Access control API m ...) NOT-FOR-US: Qualcomm component for Android CVE-2016-8436 (An elevation of privilege vulnerability in the Qualcomm video driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-8435 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-8434 (An elevation of privilege vulnerability in the Qualcomm GPU driver cou ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-8433 (An elevation of privilege vulnerability in the MediaTek driver could e ...) NOT-FOR-US: MediaTek driver for Android CVE-2016-8432 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-8431 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-8430 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-8429 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-8428 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-8427 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-8426 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-8425 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-8424 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-8423 (An elevation of privilege vulnerability in the Qualcomm bootloader cou ...) NOT-FOR-US: Qualcomm bootloader for Android CVE-2016-8422 (An elevation of privilege vulnerability in the Qualcomm bootloader cou ...) NOT-FOR-US: Qualcomm bootloader for Android CVE-2016-8421 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-8420 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-8419 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-8418 (A remote code execution vulnerability in the Qualcomm crypto driver co ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-8417 (An elevation of privilege vulnerability in the Qualcomm camera driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-8416 (An information disclosure vulnerability in the Qualcomm video driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-8415 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-8414 (An information disclosure vulnerability in the Qualcomm Secure Executi ...) NOT-FOR-US: Qualcomm Secure Execution Environment Communicator CVE-2016-8413 (An information disclosure vulnerability in the Qualcomm camera driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-8412 (An elevation of privilege vulnerability in the Qualcomm camera could e ...) NOT-FOR-US: Qualcomm component for Android CVE-2016-8411 (Buffer overflow vulnerability while processing QMI QOS TLVs. Product: ...) NOT-FOR-US: Android CVE-2016-8410 (An information disclosure vulnerability in the Qualcomm sound driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-8409 (An information disclosure vulnerability in the NVIDIA video driver cou ...) NOT-FOR-US: NVIDIA driver for Android CVE-2016-8408 (An information disclosure vulnerability in the NVIDIA video driver cou ...) NOT-FOR-US: NVIDIA driver for Android CVE-2016-8407 (An information disclosure vulnerability in kernel components including ...) - linux (Android-specific Linux components) CVE-2016-8406 (An information disclosure vulnerability in kernel components including ...) - linux (Android-specific Linux components) CVE-2016-8405 (An information disclosure vulnerability in kernel components including ...) {DSA-3791-1 DLA-833-1} - linux 4.9.6-1 NOTE: Fixed by: https://git.kernel.org/linus/2dc705a9930b4806250fbf5a76e55266e59389f2 CVE-2016-8404 (An information disclosure vulnerability in kernel components including ...) - linux (Android-specific Linux components) CVE-2016-8403 (An information disclosure vulnerability in kernel components including ...) - linux (Android-specific Linux components) CVE-2016-8402 (An information disclosure vulnerability in kernel components including ...) - linux (Android-specific Linux components) CVE-2016-8401 (An information disclosure vulnerability in kernel components including ...) - linux (Android-specific Linux components) CVE-2016-8400 (An information disclosure vulnerability in the NVIDIA librm library (l ...) NOT-FOR-US: NVIDIA driver for Android CVE-2016-8399 (An elevation of privilege vulnerability in the kernel networking subsy ...) {DLA-772-1} - linux 4.8.15-1 [jessie] - linux 3.16.39-1 NOTE: Fixed by: https://git.kernel.org/linus/0eab121ef8750a5c8637d51534d5e9143fb0633f CVE-2016-8398 (Unauthenticated messages processed by the UE. Certain NAS messages are ...) NOT-FOR-US: Qualcomm component for Android CVE-2016-8397 (An information disclosure vulnerability in the NVIDIA video driver cou ...) NOT-FOR-US: NVIDIA driver for Android CVE-2016-8396 (An information disclosure vulnerability in the MediaTek video driver c ...) NOT-FOR-US: Mediatek driver for Android CVE-2016-8395 (A denial of service vulnerability in the NVIDIA camera driver could en ...) NOT-FOR-US: NVIDIA driver for Android CVE-2016-8394 (An elevation of privilege vulnerability in the Synaptics touchscreen d ...) NOT-FOR-US: Synaptics driver for Android CVE-2016-8393 (An elevation of privilege vulnerability in the Synaptics touchscreen d ...) NOT-FOR-US: Synaptics driver for Android CVE-2016-8392 (An elevation of privilege vulnerability in the Qualcomm sound driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-8391 (An elevation of privilege vulnerability in the Qualcomm sound driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-1000246 RESERVED CVE-2017-1000245 (The SSH Plugin stores credentials which allow jobs to access remote se ...) NOT-FOR-US: Jenkins SSH plugin CVE-2016-7979 (Ghostscript before 9.21 might allow remote attackers to bypass the SAF ...) {DSA-3691-1 DLA-674-1} - ghostscript 9.19~dfsg-3.1 (bug #839846) NOTE: Upstream bug: http://bugs.ghostscript.com/show_bug.cgi?id=697190 NOTE: Reproducer: http://bugs.ghostscript.com/show_bug.cgi?id=697190#c0 NOTE: Patch: http://git.ghostscript.com/?p=ghostpdl.git;h=875a0095f37626a721c7ff57d606a0f95af03913 NOTE: http://www.openwall.com/lists/oss-security/2016/10/05/7 NOTE: http://www.openwall.com/lists/oss-security/2016/10/05/19 CVE-2016-7978 (Use-after-free vulnerability in Ghostscript 9.20 might allow remote at ...) {DSA-3691-1 DLA-674-1} - ghostscript 9.19~dfsg-3.1 (bug #839845) NOTE: Upstream bug: http://bugs.ghostscript.com/show_bug.cgi?id=697179 NOTE: Reproducer: http://bugs.ghostscript.com/show_bug.cgi?id=697179#c0 NOTE: Patch: http://git.ghostscript.com/?p=ghostpdl.git;h=6f749c0c44e7b9e09737b9f29edf29925a34f0cf NOTE: http://www.openwall.com/lists/oss-security/2016/10/05/7 CVE-2016-7977 (Ghostscript before 9.21 might allow remote attackers to bypass the SAF ...) {DSA-3691-1 DLA-674-1} - ghostscript 9.19~dfsg-3.1 (high; bug #839841) NOTE: Upstream bug: http://bugs.ghostscript.com/show_bug.cgi?id=697169 NOTE: Reproducer: http://www.openwall.com/lists/oss-security/2016/09/29/28 NOTE: Patch: http://git.ghostscript.com/?p=ghostpdl.git;h=8abd22010eb4db0fb1b10e430d5f5d83e015ef70 NOTE: http://www.openwall.com/lists/oss-security/2016/10/05/7 CVE-2016-7976 (The PS Interpreter in Ghostscript 9.18 and 9.20 allows remote attacker ...) {DSA-3691-1 DLA-674-1} - ghostscript 9.19~dfsg-3.1 (high; bug #839260) NOTE: Upstream bug: http://bugs.ghostscript.com/show_bug.cgi?id=697178 NOTE: Reproducer: http://www.openwall.com/lists/oss-security/2016/09/30/8 NOTE: Patch: http://git.ghostscript.com/?p=ghostpdl.git;h=6d444c273da5499a4cd72f21cb6d4c9a5256807d NOTE: http://www.openwall.com/lists/oss-security/2016/10/05/7 CVE-2015-8964 (The tty_set_termios_ldisc function in drivers/tty/tty_ldisc.c in the L ...) {DLA-772-1} - linux 4.5.1-1 [jessie] - linux 3.16.39-1 NOTE: Fixed by: https://git.kernel.org/linus/dd42bf1197144ede075a9d4793123f7689e164bc (v4.5-rc1) CVE-2015-8963 (Race condition in kernel/events/core.c in the Linux kernel before 4.4 ...) {DLA-772-1} - linux 4.4.2-1 [jessie] - linux 3.16.39-1 NOTE: Fixed by: https://git.kernel.org/linus/12ca6ad2e3a896256f086497a7c7406a547ee373 (v4.4) CVE-2015-8962 (Double free vulnerability in the sg_common_write function in drivers/s ...) {DLA-772-1} - linux 4.4.2-1 [jessie] - linux 3.16.39-1 NOTE: Fixed by: https://git.kernel.org/linus/f3951a3709ff50990bf3e188c27d346792103432 (v4.4-rc1) CVE-2015-8961 (The __ext4_journal_stop function in fs/ext4/ext4_jbd2.c in the Linux k ...) - linux 4.3.3-1 [jessie] - linux 3.16.7-ckt25-1 [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/6934da9238da947628be83635e365df41064b09b (v4.4-rc5) CVE-2014-9908 (A Denial of Service vulnerability exists in Google Android 4.4.4, 5.0. ...) NOT-FOR-US: Android CVE-2016-1000247 [mpg123 memory overread] {DLA-655-1} - mpg123 1.23.8-1 (low; bug #838960) [jessie] - mpg123 1.20.1-2+deb8u1 NOTE: http://mpg123.org/bugs/240 CVE-2016-XXXX [nspr, nss: unprotected environment variables] - nspr 2:4.12-1 (low) [jessie] - nspr 2:4.12-1+debu8u1 [wheezy] - nspr 2:4.12-1+deb7u1 NOTE: Workaround entry for DSA-3687-1/DLA-676-1 until CVE is assigned - nss 2:3.23-1 (low) [jessie] - nss 2:3.26-1+debu8u1 [wheezy] - nss 2:3.26-1+debu7u1 NOTE: Workaround entry for DSA-3688-1/DLA-677-1 until CVE is assigned NOTE: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.22.1_release_notes NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/10/02/4 CVE-2016-8390 (An exploitable out of bounds write vulnerability exists in the parsing ...) NOT-FOR-US: Hopper Disassembler CVE-2016-8389 (An exploitable integer-overflow vulnerability exists within Iceni Argu ...) NOT-FOR-US: Iceni Argus CVE-2016-8388 (An exploitable arbitrary heap-overwrite vulnerability exists within Ic ...) NOT-FOR-US: Iceni Argus CVE-2016-8387 (An exploitable heap-based buffer overflow exists in Iceni Argus. When ...) NOT-FOR-US: Iceni Argus CVE-2016-8386 (An exploitable heap-based buffer overflow exists in Iceni Argus. When ...) NOT-FOR-US: Iceni Argus CVE-2016-8385 (An exploitable uninitialized variable vulnerability which leads to a s ...) NOT-FOR-US: Iceni Argus CVE-2016-8384 (An exploitable heap corruption vulnerability exists in the DHFSummary ...) NOT-FOR-US: AntennaHouse CVE-2016-8383 (An exploitable heap corruption vulnerability exists in the Doc_GetFont ...) NOT-FOR-US: AntennaHouse CVE-2016-8382 (An exploitable heap corruption vulnerability exists in the Doc_SetSumm ...) NOT-FOR-US: AntennaHouse CVE-2016-8381 REJECTED CVE-2016-8380 (The web server in Phoenix Contact ILC PLCs allows access to read and w ...) NOT-FOR-US: web server in Phoenix Contact ILC PLCs CVE-2016-8379 (An issue was discovered in Moxa ioLogik E1210, firmware Version V2.4 a ...) NOT-FOR-US: Moxa CVE-2016-8378 (An issue was discovered in Lynxspring JENEsys BAS Bridge versions 1.1. ...) NOT-FOR-US: Lynxspring CVE-2016-8377 (An issue was discovered in Fatek Automation PLC WinProladder Version 3 ...) NOT-FOR-US: Fatek CVE-2016-8376 (An issue was discovered in Kabona AB WebDatorCentral (WDC) application ...) NOT-FOR-US: Kabona AB WebDatorCentral CVE-2016-8375 (An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8 ...) NOT-FOR-US: Alaris 8015 Point of Care CVE-2016-8374 (An issue was discovered in Schneider Electric Magelis HMI Magelis GTO ...) NOT-FOR-US: Schneider CVE-2016-8373 RESERVED CVE-2016-8372 (An issue was discovered in Moxa ioLogik E1210, firmware Version V2.4 a ...) NOT-FOR-US: Moxa CVE-2016-8371 (The web server in Phoenix Contact ILC PLCs can be accessed without aut ...) NOT-FOR-US: web server in Phoenix Contact ILC PLCs CVE-2016-8370 (An issue was discovered in Mitsubishi Electric Automation MELSEC-Q ser ...) NOT-FOR-US: Mitsubishi CVE-2016-8369 (An issue was discovered in Lynxspring JENEsys BAS Bridge versions 1.1. ...) NOT-FOR-US: Lynxspring CVE-2016-8368 (An issue was discovered in Mitsubishi Electric Automation MELSEC-Q ser ...) NOT-FOR-US: Mitsubishi CVE-2016-8367 (An issue was discovered in Schneider Electric Magelis HMI Magelis GTO ...) NOT-FOR-US: Schneider CVE-2016-8366 (Webvisit in Phoenix Contact ILC PLCs offers a password macro to protec ...) NOT-FOR-US: Phoenix Contact ILC PLCs CVE-2016-8365 (OSIsoft PI System software (Applications using PI Asset Framework (AF) ...) NOT-FOR-US: OSIsoft PI CVE-2016-8364 (An issue was discovered in IBHsoftec S7-SoftPLC prior to 4.12b. Object ...) NOT-FOR-US: IBHsoftec CVE-2016-8363 (An issue was discovered in Moxa OnCell OnCellG3470A-LTE, AWK-1131A/313 ...) NOT-FOR-US: Moxa CVE-2016-8362 (An issue was discovered in Moxa OnCell OnCellG3470A-LTE, AWK-1131A/313 ...) NOT-FOR-US: Moxa CVE-2016-8361 (An issue was discovered in Lynxspring JENEsys BAS Bridge versions 1.1. ...) NOT-FOR-US: Lynxspring CVE-2016-8360 (An issue was discovered in Moxa SoftCMS versions prior to Version 1.6. ...) NOT-FOR-US: Moxa CVE-2016-8359 (An issue was discovered in Moxa ioLogik E1210, firmware Version V2.4 a ...) NOT-FOR-US: Moxa CVE-2016-8358 (An issue was discovered in Smiths-Medical CADD-Solis Medication Safety ...) NOT-FOR-US: Smiths-Medical CVE-2016-8357 (An issue was discovered in Lynxspring JENEsys BAS Bridge versions 1.1. ...) NOT-FOR-US: Lynxspring CVE-2016-8356 (An issue was discovered in Kabona AB WebDatorCentral (WDC) application ...) NOT-FOR-US: Kabona CVE-2016-8355 (An issue was discovered in Smiths-Medical CADD-Solis Medication Safety ...) NOT-FOR-US: Smiths-Medical CVE-2016-8354 (An issue was discovered in Schneider Electric Unity PRO prior to V11.1 ...) NOT-FOR-US: Schneider CVE-2016-8353 (An issue was discovered in OSIsoft PI Web API 2015 R2 (Version 1.5.1). ...) NOT-FOR-US: OSISoft PI Web API CVE-2016-8352 (An issue was discovered in Schneider Electric ConneXium firewalls TCSE ...) NOT-FOR-US: Schneider CVE-2016-8351 RESERVED CVE-2016-8350 (An issue was discovered in Moxa ioLogik E1210, firmware Version V2.4 a ...) NOT-FOR-US: Moxa CVE-2016-8349 REJECTED CVE-2016-8348 (An XML External Entity (XXE) issue was discovered in Emerson Liebert S ...) NOT-FOR-US: Emerson CVE-2016-8347 (An issue was discovered in Kabona AB WebDatorCentral (WDC) application ...) NOT-FOR-US: Kabona CVE-2016-8346 (An issue was discovered in Moxa EDR-810 Industrial Secure Router. By a ...) NOT-FOR-US: Moxa CVE-2016-8345 REJECTED CVE-2016-8344 (An issue was discovered in Honeywell Experion Process Knowledge System ...) NOT-FOR-US: Honeywell CVE-2016-8343 (Directory traversal vulnerability in INDAS Web SCADA before 3 allows r ...) NOT-FOR-US: INDAS Web SCADA CVE-2016-8342 REJECTED CVE-2016-8341 (An issue was discovered in Ecava IntegraXor Version 5.0.413.0. The Eca ...) NOT-FOR-US: Ecava CVE-2016-8340 RESERVED CVE-2016-8339 (A buffer overflow in Redis 3.2.x prior to 3.2.4 causes arbitrary code ...) - redis 3:3.2.4-1 [jessie] - redis (Vulnerable code introduced later) [wheezy] - redis (Vulnerable code not present) NOTE: Fixed by: https://github.com/antirez/redis/commit/6d9f8e2462fc2c426d48c941edeb78e5df7d2977 NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0206/ NOTE: CLIENT_MASTER introduced within 3.2-rc1 CVE-2016-8338 REJECTED CVE-2016-8337 RESERVED CVE-2016-8336 RESERVED CVE-2016-8335 (An exploitable stack based buffer overflow vulnerability exists in the ...) NOT-FOR-US: Iceni Argus CVE-2016-8334 (A large out-of-bounds read on the heap vulnerability in Foxit PDF Read ...) NOT-FOR-US: Foxit PDF CVE-2016-8333 (An exploitable stack-based buffer overflow vulnerability exists in the ...) NOT-FOR-US: Iceni Argus CVE-2016-8332 (A buffer overflow in OpenJPEG 2.1.1 causes arbitrary code execution wh ...) {DSA-3768-1} - openjpeg2 2.1.2-1 NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0193/ NOTE: https://github.com/uclouvain/openjpeg/pull/820 CVE-2016-8331 (An exploitable remote code execution vulnerability exists in the handl ...) {DLA-693-1} - tiff 4.0.6-3 - tiff3 [jessie] - tiff 4.0.3-12.3+deb8u2 [wheezy] - tiff3 (Does not ship libtiff tools) NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0190/ NOTE: thumbnail(1) was removed in 4.0.6-3 and DSA 3762, marking as fixed although technically still present in the source package NOTE: From the backtrace shared in the report, we can see that the crash is triggered though the thumbnail tool which has been dropped upstream. CVE-2016-8330 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2016-8329 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle PeopleSoft CVE-2016-8328 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-8 (specific to Oracle Java) CVE-2016-8327 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 5.6.35-1 (bug #851234) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) CVE-2016-8326 RESERVED CVE-2016-8325 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2016-8324 (Vulnerability in the Oracle FLEXCUBE Core Banking component of Oracle ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-8323 (Vulnerability in the Oracle FLEXCUBE Core Banking component of Oracle ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-8322 (Vulnerability in the Oracle FLEXCUBE Core Banking component of Oracle ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-8321 REJECTED CVE-2016-8320 (Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-8319 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-8318 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 5.6.35-1 (bug #851234) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) CVE-2016-8317 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-8316 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-8315 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-8314 (Vulnerability in the Oracle FLEXCUBE Core Banking component of Oracle ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-8313 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-8312 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-8311 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-8310 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-8309 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-8308 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-8307 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-8306 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-8305 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-8304 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-8303 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-8302 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-8301 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-8300 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-8299 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-8298 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-8297 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-8296 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft CVE-2016-8295 (Unspecified vulnerability in the PeopleSoft Enterprise HCM component i ...) NOT-FOR-US: PeopleSoft CVE-2016-8294 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft CVE-2016-8293 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft CVE-2016-8292 (Unspecified vulnerability in the PeopleSoft Enterprise HCM component i ...) NOT-FOR-US: PeopleSoft CVE-2016-8291 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft CVE-2016-8290 (Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows re ...) - mysql-5.7 5.7.15-1 - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) CVE-2016-8289 (Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows lo ...) - mysql-5.7 5.7.15-1 - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) CVE-2016-8288 (Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier and 5.7.1 ...) - mysql-5.7 5.7.15-1 - mysql-5.6 5.6.34-1 - mysql-5.5 (Only affects MySQL 5.6 and 5.7) CVE-2016-8287 (Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows re ...) - mysql-5.7 5.7.15-1 - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) CVE-2016-8286 (Unspecified vulnerability in Oracle MySQL 5.7.14 and earlier allows re ...) - mysql-5.7 5.7.15-1 - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) CVE-2016-8285 (Unspecified vulnerability in the PeopleSoft Enterprise HCM component i ...) NOT-FOR-US: Oracle CVE-2016-8284 (Unspecified vulnerability in Oracle MySQL 5.6.31 and earlier and 5.7.1 ...) - mysql-5.7 5.7.15-1 - mysql-5.6 5.6.34-1 (bug #841049) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) CVE-2016-8283 (Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 a ...) {DSA-3711-1} - mariadb-10.0 10.0.28-1 - mysql-5.7 5.7.15-1 - mysql-5.6 5.6.34-1 (bug #841049) - mysql-5.5 [jessie] - mysql-5.5 5.5.52-0+deb8u1 [wheezy] - mysql-5.5 5.5.52-0+deb7u1 NOTE: Fixed in MariaDB 5.5.52, MariaDB 10.1.18, MariaDB 10.0.28 CVE-2016-8282 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-8281 (Unspecified vulnerability in the Oracle Platform Security for Java com ...) NOT-FOR-US: Oracle CVE-2016-1000244 RESERVED CVE-2016-1000243 RESERVED CVE-2016-7553 (The buf.pl script before 2.20 in Irssi before 0.8.20 uses weak permiss ...) {DLA-722-1} - irssi 0.8.20-2 (bug #838762) [jessie] - irssi 0.8.17-1+deb8u2 NOTE: Fixed by: https://github.com/irssi/scripts.irssi.org/commit/f1b1eb154baa684fad5d65bf4dff79c8ded8b65a NOTE: https://irssi.org/2016/09/22/buf.pl-update/ NOTE: http://www.openwall.com/lists/oss-security/2016/09/24/1 CVE-2016-1000242 RESERVED CVE-2016-1000241 RESERVED CVE-2016-1000240 RESERVED CVE-2016-1000239 RESERVED CVE-2016-1000238 RESERVED CVE-2016-1000237 (sanitize-html before 1.4.3 has XSS. ...) NOT-FOR-US: sanitize-html CVE-2016-1000236 (Node-cookie-signature before 1.0.6 is affected by a timing attack due ...) - node-cookie-signature 1.1.0-1 (unimportant; bug #838618) NOTE: https://nodesecurity.io/advisories/134 NOTE: https://github.com/tj/node-cookie-signature/commit/39791081692e9e14aa62855369e1c7f80fbfd50e NOTE: nodejs not covered by security support CVE-2016-1000235 RESERVED CVE-2016-1000234 RESERVED CVE-2016-1000233 RESERVED CVE-2016-1000232 (NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsin ...) NOT-FOR-US: nodejs tough-cookie NOTE: https://nodesecurity.io/advisories/130 CVE-2016-1000231 RESERVED CVE-2016-1000230 RESERVED CVE-2016-1000229 (swagger-ui has XSS in key names ...) NOT-FOR-US: nodejs swagger-ui NOTE: https://github.com/swagger-api/swagger-ui/issues/1865 CVE-2016-1000228 RESERVED CVE-2016-1000227 RESERVED CVE-2016-1000226 RESERVED CVE-2016-1000225 RESERVED CVE-2016-1000224 RESERVED CVE-2016-1000223 RESERVED CVE-2016-1000031 (Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation ...) - libcommons-fileupload-java (unimportant) NOTE: https://www.tenable.com/security/research/tra-2016-12 NOTE: Marked as unimportant since even though the CVE is assigned for Apache Commons FileUpload NOTE: Apache say that issue needs to be fixed in any vendor/product using Apache Commons FileUpload NOTE: DiskFileItem as described in the given advisory. NOTE: Thus we are not going to diverge from Apache upstream here. CVE-2016-7466 (Memory leak in the usb_xhci_exit function in hw/usb/hcd-xhci.c in QEMU ...) - qemu 1:2.7+dfsg-1 (bug #838687) [jessie] - qemu (Vulnerable code not present. Introduced in 2.2.x) [wheezy] - qemu (Minor issue, needs qemu monitor access to unplug nec-xhci controller) - qemu-kvm [wheezy] - qemu-kvm (Minor issue, needs qemu monitor access to unplug nec-xhci controller) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg02773.html NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=b53dd4495ced2432a0b652ea895e651d07336f7e NOTE: The usb_xhci_exit and thus the patched code was introduced in: NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=53c30545fb34c43c84d62ea1c2b0dc6b53303c34 (v2.2.0-rc0) NOTE: http://www.openwall.com/lists/oss-security/2016/09/19/8 CVE-2016-8280 (Directory traversal vulnerability in Huawei eSight before V300R003C20S ...) NOT-FOR-US: Huawei eSight UMS CVE-2016-8279 (The video driver in Huawei Mate S smartphones with software CRR-TL00 b ...) NOT-FOR-US: Huawei CVE-2016-8278 (Huawei USG9520, USG9560, and USG9580 unified security gateways with so ...) NOT-FOR-US: Huawei Firewalls CVE-2016-8277 (Huawei USG9520, USG9560, and USG9580 unified security gateways with so ...) NOT-FOR-US: Huawei Firewalls CVE-2016-8276 (Buffer overflow in the Point-to-Point Protocol over Ethernet (PPPoE) m ...) NOT-FOR-US: Huawei CVE-2016-8275 (Huawei AnyOffice V200R006C00 could allow an authenticated, remote atta ...) NOT-FOR-US: Huawei CVE-2016-8274 (Huawei PC client software HiSuite 4.0.5.300_OVE has a dynamic link lib ...) NOT-FOR-US: Huawei CVE-2016-8273 (Huawei PC client software HiSuite 4.0.5.300_OVE uses insecure HTTP for ...) NOT-FOR-US: Huawei CVE-2016-8272 (Huawei PC client software HiSuite 4.0.5.300_OVE has an information lea ...) NOT-FOR-US: Huawei CVE-2016-8271 (Huawei eSpace IAD V300R002C01SPC100 and earlier versions have an infor ...) NOT-FOR-US: Huawei CVE-2016-8270 REJECTED CVE-2016-8269 REJECTED CVE-2016-8268 REJECTED CVE-2016-8267 REJECTED CVE-2016-8266 REJECTED CVE-2016-8265 REJECTED CVE-2016-8264 REJECTED CVE-2016-8263 REJECTED CVE-2016-8262 REJECTED CVE-2016-8261 REJECTED CVE-2016-8260 REJECTED CVE-2016-8259 REJECTED CVE-2016-8258 REJECTED CVE-2016-8257 REJECTED CVE-2016-8256 REJECTED CVE-2016-8255 REJECTED CVE-2016-8254 REJECTED CVE-2016-8253 REJECTED CVE-2016-8252 REJECTED CVE-2016-8251 REJECTED CVE-2016-8250 REJECTED CVE-2016-8249 REJECTED CVE-2016-8248 REJECTED CVE-2016-8247 REJECTED CVE-2016-8246 REJECTED CVE-2016-8245 REJECTED CVE-2016-8244 REJECTED CVE-2016-8243 REJECTED CVE-2016-8242 REJECTED CVE-2016-8241 REJECTED CVE-2016-8240 REJECTED CVE-2016-8239 REJECTED CVE-2016-8238 REJECTED CVE-2016-8237 (Remote code execution in Lenovo Updates (not Lenovo System Update) all ...) NOT-FOR-US: Lenovo CVE-2016-8236 (Reset to default settings may occur in Lenovo ThinkServer TSM RD350, R ...) NOT-FOR-US: Lenovo CVE-2016-8235 (Privilege escalation in Lenovo Customer Care Software Development Kit ...) NOT-FOR-US: Lenovo CVE-2016-8234 REJECTED CVE-2016-8233 (Log files generated by Lenovo XClarity Administrator (LXCA) versions e ...) NOT-FOR-US: Lenovo CVE-2016-8232 (Document Object Model-(DOM) based cross-site scripting vulnerability i ...) NOT-FOR-US: Lenovo CVE-2016-8231 (In Lenovo Service Bridge before version 4, a bug found in the signatur ...) NOT-FOR-US: Lenovo CVE-2016-8230 (In Lenovo Service Bridge before version 4, an insecure HTTP connection ...) NOT-FOR-US: Lenovo CVE-2016-8229 (A cross-site request forgery vulnerability in Lenovo Service Bridge be ...) NOT-FOR-US: Lenovo CVE-2016-8228 (In Lenovo Service Bridge before version 4, a user with local privilege ...) NOT-FOR-US: Lenovo CVE-2016-8227 (Privilege escalation vulnerability in Lenovo Transition application us ...) NOT-FOR-US: Lenovo CVE-2016-8226 (The BIOS in Lenovo System X M5, M6, and X6 systems allows administrato ...) NOT-FOR-US: Lenovo CVE-2016-8225 (Unquoted service path vulnerability in Lenovo Edge and Lenovo Slim USB ...) NOT-FOR-US: Lenovo CVE-2016-8224 (A vulnerability has been identified in some Lenovo Notebook and ThinkS ...) NOT-FOR-US: Lenovo CVE-2016-8223 (During an internal security review, Lenovo identified a local privileg ...) NOT-FOR-US: Lenovo CVE-2016-8222 (A vulnerability has been identified in a signed kernel driver for the ...) NOT-FOR-US: Lenovo CVE-2016-8221 (Privilege Escalation in Lenovo XClarity Administrator earlier than 1.2 ...) NOT-FOR-US: Lenovo CVE-2016-7423 (The mptsas_process_scsi_io_request function in QEMU (aka Quick Emulato ...) - qemu 1:2.7+dfsg-1 (bug #838145) [jessie] - qemu (Vulnerable code introduced later) [wheezy] - qemu (Vulnerable code introduced later) - qemu-kvm (Vulnerable code introduced later) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg03604.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1376776 NOTE: http://www.openwall.com/lists/oss-security/2016/09/16/5 NOTE: LSI SAS1068 (mptsas) device support added in NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=e351b82611293683c4cabe4b69b7552bde5d4e2a (v2.6.0-rc0) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=670e56d3ed2918b3861d9216f2c0540d9e9ae0d5 CVE-2016-7422 (The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Qui ...) - qemu 1:2.7+dfsg-1 (bug #838146) [jessie] - qemu (Vulnerable code introduced later) [wheezy] - qemu (Vulnerable code introduced later) - qemu-kvm (Vulnerable code introduced later) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg03546.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1376755 NOTE: Introduced by: http://git.qemu.org/?p=qemu.git;a=commit;h=3b3b0628217e2726069990ff9942a5d6d9816bd7 (v2.6.0-rc0) NOTE: http://www.openwall.com/lists/oss-security/2016/09/16/4 CVE-2016-7421 (The pvscsi_ring_pop_req_descr function in hw/scsi/vmw_pvscsi.c in QEMU ...) {DLA-1599-1} - qemu 1:2.7+dfsg-1 (bug #838147) [wheezy] - qemu (Vulnerable code not present, introduced after 1.5) - qemu-kvm (Vulnerable code not present, introduced after 1.5) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg03609.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1376731 NOTE: http://www.openwall.com/lists/oss-security/2016/09/16/3 NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=d251157ac1928191af851d199a9ff255d330bec9 CVE-2016-8220 (Pivotal Gemfire for PCF, versions 1.6.x prior to 1.6.5.0 and 1.7.x pri ...) NOT-FOR-US: Pivotal CVE-2016-8219 (An issue was discovered in Cloud Foundry Foundation cf-release version ...) NOT-FOR-US: Cloud Foundry CVE-2016-8218 (An issue was discovered in Cloud Foundry Foundation routing-release ve ...) NOT-FOR-US: Cloud Foundry CVE-2016-8217 (EMC RSA BSAFE Crypto-J versions prior to 6.2.2 has a PKCS#12 Timing At ...) NOT-FOR-US: EMC RSA CVE-2016-8216 (EMC Data Domain OS (DD OS) 5.4 all versions, EMC Data Domain OS (DD OS ...) NOT-FOR-US: EMC CVE-2016-8215 (EMC RSA Security Analytics 10.5.3 and 10.6.2 contains fixes for a Refl ...) NOT-FOR-US: RSA Security Analytics CVE-2016-8214 (EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) versions ...) NOT-FOR-US: EMC Avamar CVE-2016-8213 (EMC Documentum WebTop Version 6.8, prior to P18 and Version 6.8.1, pri ...) NOT-FOR-US: EMC Documentum CVE-2016-8212 (An issue was discovered in EMC RSA BSAFE Crypto-J versions prior to 6. ...) NOT-FOR-US: EMC RSA CVE-2016-8211 (EMC Data Protection Advisor 6.1.x, EMC Data Protection Advisor 6.2, EM ...) NOT-FOR-US: EMC Data Protection Advisor CVE-2016-8210 RESERVED CVE-2016-8209 (Improper checks for unusual or exceptional conditions in Brocade NetIr ...) NOT-FOR-US: Brocade CVE-2016-8208 RESERVED CVE-2016-8207 (A Directory Traversal vulnerability in CliMonitorReportServlet in the ...) NOT-FOR-US: Brocade Network Advisor CVE-2016-8206 (A Directory Traversal vulnerability in servlet SoftwareImageUpload in ...) NOT-FOR-US: Brocade Network Advisor CVE-2016-8205 (A Directory Traversal vulnerability in DashboardFileReceiveServlet in ...) NOT-FOR-US: Brocade Network Advisor CVE-2016-8204 (A Directory Traversal vulnerability in FileReceiveServlet in the Broca ...) NOT-FOR-US: Brocade Network Advisor CVE-2016-8203 (A memory corruption in the IPsec code path of Brocade NetIron OS on Br ...) NOT-FOR-US: Brocade CVE-2016-8202 (A privilege escalation vulnerability in Brocade Fibre Channel SAN prod ...) NOT-FOR-US: Brocade CVE-2016-8201 (A CSRF vulnerability in Brocade Virtual Traffic Manager versions relea ...) NOT-FOR-US: Brocade CVE-2016-7444 (The gnutls_ocsp_resp_check_crt function in lib/x509/ocsp.c in GnuTLS b ...) - gnutls28 3.5.3-4 [jessie] - gnutls28 3.3.8-6+deb8u4 NOTE: https://gnutls.org/security.html#GNUTLS-SA-2016-3 NOTE: http://lists.gnutls.org/pipermail/gnutls-devel/2016-September/008146.html NOTE: Upstream fix: https://gitlab.com/gnutls/gnutls/commit/964632f37dfdfb914ebc5e49db4fa29af35b1de9 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1374266 NOTE: http://www.openwall.com/lists/oss-security/2016/09/18/3 CVE-2017-0300 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-0299 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-0298 (A DCOM object in Helppane.exe in Microsoft Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0297 (The kernel in Microsoft Windows Server 2008 R2 SP1, Windows 7 SP1, Win ...) NOT-FOR-US: Microsoft CVE-2017-0296 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2017-0295 (Microsoft Windows 10 1607 and 1703, and Windows Server 2016 allow an a ...) NOT-FOR-US: Microsoft CVE-2017-0294 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2017-0293 (Microsoft Windows PDF Library in Windows Server 2008 R2 SP1, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2017-0292 (Windows PDF in Windows 8.1, Windows Server 2012 Gold and R2, Windows R ...) NOT-FOR-US: Microsoft CVE-2017-0291 (Windows PDF in Windows 8.1, Windows Server 2012 Gold and R2, Windows R ...) NOT-FOR-US: Microsoft CVE-2017-0290 (The Microsoft Malware Protection Engine running on Microsoft Forefront ...) NOT-FOR-US: Microsoft CVE-2017-0289 (Graphics in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows ...) NOT-FOR-US: Microsoft CVE-2017-0288 (Graphics in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows ...) NOT-FOR-US: Microsoft CVE-2017-0287 (Graphics in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows ...) NOT-FOR-US: Microsoft CVE-2017-0286 (Graphics in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows ...) NOT-FOR-US: Microsoft CVE-2017-0285 (Uniscribe in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Window ...) NOT-FOR-US: Microsoft CVE-2017-0284 (Uniscribe in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Window ...) NOT-FOR-US: Microsoft CVE-2017-0283 (Uniscribe in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Window ...) NOT-FOR-US: Microsoft CVE-2017-0282 (Uniscribe in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Window ...) NOT-FOR-US: Microsoft CVE-2017-0281 (Microsoft Office 2007 SP3, Office 2010 SP2, Office 2013 SP1, Office 20 ...) NOT-FOR-US: Microsoft CVE-2017-0280 (The Microsoft Server Message Block 1.0 (SMBv1) allows denial of servic ...) NOT-FOR-US: Microsoft CVE-2017-0279 (The Microsoft Server Message Block 1.0 (SMBv1) server on Microsoft Win ...) NOT-FOR-US: Microsoft CVE-2017-0278 (The Microsoft Server Message Block 1.0 (SMBv1) server on Microsoft Win ...) NOT-FOR-US: Microsoft CVE-2017-0277 (The Microsoft Server Message Block 1.0 (SMBv1) server on Microsoft Win ...) NOT-FOR-US: Microsoft CVE-2017-0276 (Microsoft Server Message Block 1.0 (SMBv1) allows an information discl ...) NOT-FOR-US: Microsoft CVE-2017-0275 (Microsoft Server Message Block 1.0 (SMBv1) allows an information discl ...) NOT-FOR-US: Microsoft CVE-2017-0274 (Microsoft Server Message Block 1.0 (SMBv1) allows an information discl ...) NOT-FOR-US: Microsoft CVE-2017-0273 (The Microsoft Server Message Block 1.0 (SMBv1) allows denial of servic ...) NOT-FOR-US: Microsoft CVE-2017-0272 (The Microsoft Server Message Block 1.0 (SMBv1) server on Microsoft Win ...) NOT-FOR-US: Microsoft CVE-2017-0271 (Microsoft Server Message Block 1.0 (SMBv1) allows an information discl ...) NOT-FOR-US: Microsoft CVE-2017-0270 (Microsoft Server Message Block 1.0 (SMBv1) allows an information discl ...) NOT-FOR-US: Microsoft CVE-2017-0269 (The Microsoft Server Message Block 1.0 (SMBv1) allows denial of servic ...) NOT-FOR-US: Microsoft CVE-2017-0268 (Microsoft Server Message Block 1.0 (SMBv1) allows an information discl ...) NOT-FOR-US: Microsoft CVE-2017-0267 (Microsoft Server Message Block 1.0 (SMBv1) allows an information discl ...) NOT-FOR-US: Microsoft CVE-2017-0266 (A remote code execution vulnerability exists in Microsoft Edge in the ...) NOT-FOR-US: Microsoft CVE-2017-0265 (Microsoft PowerPoint for Mac 2011 allows a remote code execution vulne ...) NOT-FOR-US: Microsoft CVE-2017-0264 (Microsoft PowerPoint for Mac 2011 allows a remote code execution vulne ...) NOT-FOR-US: Microsoft CVE-2017-0263 (The kernel-mode drivers in Microsoft Windows Server 2008 SP2 and R2 SP ...) NOT-FOR-US: Microsoft CVE-2017-0262 (Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016 allow a re ...) NOT-FOR-US: Microsoft CVE-2017-0261 (Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016 allow a re ...) NOT-FOR-US: Microsoft CVE-2017-0260 (A remote code execution vulnerability exists in Microsoft Office when ...) NOT-FOR-US: Microsoft CVE-2017-0259 (The Windows kernel in Microsoft Windows 8.1, Windows Server 2012 R2, W ...) NOT-FOR-US: Microsoft CVE-2017-0258 (The Windows kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Wi ...) NOT-FOR-US: Microsoft CVE-2017-0257 RESERVED CVE-2017-0256 (A spoofing vulnerability exists when the ASP.NET Core fails to properl ...) NOT-FOR-US: Microsoft CVE-2017-0255 (Microsoft SharePoint Foundation 2013 SP1 allows an elevation of privil ...) NOT-FOR-US: Microsoft CVE-2017-0254 (Microsoft Word 2007, Office 2010 SP2, Word 2010 SP2, Office Compatibil ...) NOT-FOR-US: Microsoft CVE-2017-0253 RESERVED CVE-2017-0252 (A remote code execution vulnerability exists in Microsoft Chakra Core ...) NOT-FOR-US: Microsoft CVE-2017-0251 RESERVED CVE-2017-0250 (Microsoft JET Database Engine in Windows Server 2008 SP2 and R2 SP1, W ...) NOT-FOR-US: Microsoft CVE-2017-0249 (An elevation of privilege vulnerability exists when the ASP.NET Core f ...) NOT-FOR-US: Microsoft CVE-2017-0248 (Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and ...) NOT-FOR-US: Microsoft CVE-2017-0247 (A denial of service vulnerability exists when the ASP.NET Core fails t ...) NOT-FOR-US: Microsoft CVE-2017-0246 (The Graphics Component in the kernel-mode drivers in Windows Server 20 ...) NOT-FOR-US: Microsoft CVE-2017-0245 (The kernel-mode drivers in Windows Server 2008 SP2 and R2 SP1, Windows ...) NOT-FOR-US: Microsoft CVE-2017-0244 (The kernel in Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 al ...) NOT-FOR-US: Microsoft CVE-2017-0243 (Microsoft Office allows a remote code execution vulnerability due to t ...) NOT-FOR-US: Microsoft CVE-2017-0242 (An information disclosure vulnerability exists in the way some ActiveX ...) NOT-FOR-US: Microsoft CVE-2017-0241 (An elevation of privilege vulnerability exists when Microsoft Edge ren ...) NOT-FOR-US: Microsoft CVE-2017-0240 (A remote code execution vulnerability exists in Microsoft Edge in the ...) NOT-FOR-US: Microsoft CVE-2017-0239 RESERVED CVE-2017-0238 (A remote code execution vulnerability exists in Microsoft browsers in ...) NOT-FOR-US: Microsoft CVE-2017-0237 RESERVED CVE-2017-0236 (A remote code execution vulnerability exists in Microsoft Edge in the ...) NOT-FOR-US: Microsoft CVE-2017-0235 (A remote code execution vulnerability exists in Microsoft Edge in the ...) NOT-FOR-US: Microsoft CVE-2017-0234 (A remote code execution vulnerability exists in Microsoft Edge in the ...) NOT-FOR-US: Microsoft CVE-2017-0233 (An elevation of privilege vulnerability exists in Microsoft Edge that ...) NOT-FOR-US: Microsoft CVE-2017-0232 RESERVED CVE-2017-0231 (A spoofing vulnerability exists when Microsoft browsers render SmartSc ...) NOT-FOR-US: Microsoft CVE-2017-0230 (A remote code execution vulnerability exists in Microsoft Edge in the ...) NOT-FOR-US: Microsoft CVE-2017-0229 (A remote code execution vulnerability exists in Microsoft Edge in the ...) NOT-FOR-US: Microsoft CVE-2017-0228 (A remote code execution vulnerability exists in Microsoft browsers in ...) NOT-FOR-US: Microsoft CVE-2017-0227 (A remote code execution vulnerability exists in Microsoft Edge in the ...) NOT-FOR-US: Microsoft CVE-2017-0226 (A remote code execution vulnerability exists when Internet Explorer im ...) NOT-FOR-US: Microsoft CVE-2017-0225 RESERVED CVE-2017-0224 (A remote code execution vulnerability exists in the way JavaScript eng ...) NOT-FOR-US: Microsoft CVE-2017-0223 (A remote code execution vulnerability exists in Microsoft Chakra Core ...) NOT-FOR-US: Microsoft CVE-2017-0222 (A remote code execution vulnerability exists when Internet Explorer im ...) NOT-FOR-US: Microsoft CVE-2017-0221 (A vulnerability exists when Microsoft Edge improperly accesses objects ...) NOT-FOR-US: Microsoft CVE-2017-0220 (The Windows kernel in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP ...) NOT-FOR-US: Microsoft CVE-2017-0219 (Microsoft Windows 10 Gold, Windows 10 1511, Windows 10 1607, and Windo ...) NOT-FOR-US: Microsoft CVE-2017-0218 (Microsoft Windows 10 Gold, Windows 10 1511, Windows 10 1607, and Windo ...) NOT-FOR-US: Microsoft CVE-2017-0217 RESERVED CVE-2017-0216 (Microsoft Windows 10 1511, Windows 10 1607, and Windows Server 2016 al ...) NOT-FOR-US: Microsoft CVE-2017-0215 (Microsoft Windows 10 1607 and Windows Server 2016 allow an attacker to ...) NOT-FOR-US: Microsoft CVE-2017-0214 (Windows COM in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-0213 (Windows COM Aggregate Marshaler in Microsoft Windows Server 2008 SP2 a ...) NOT-FOR-US: Microsoft CVE-2017-0212 (Windows Hyper-V allows an elevation of privilege vulnerability when Mi ...) NOT-FOR-US: Microsoft CVE-2017-0211 (An elevation of privilege vulnerability exists in Windows 10, Windows ...) NOT-FOR-US: Microsoft CVE-2017-0210 (An elevation of privilege vulnerability exists when Internet Explorer ...) NOT-FOR-US: Microsoft CVE-2017-0209 RESERVED CVE-2017-0208 (An information disclosure vulnerability exists in Microsoft Edge when ...) NOT-FOR-US: Microsoft CVE-2017-0207 (Microsoft Outlook for Mac 2011 allows remote attackers to spoof web co ...) NOT-FOR-US: Microsoft CVE-2017-0206 RESERVED CVE-2017-0205 (A remote code execution vulnerability exists when Microsoft Edge impro ...) NOT-FOR-US: Microsoft CVE-2017-0204 (Microsoft Outlook 2007 SP3, Microsoft Outlook 2010 SP2, Microsoft Outl ...) NOT-FOR-US: Microsoft CVE-2017-0203 (A vulnerability exists in Microsoft Edge when the Edge Content Securit ...) NOT-FOR-US: Microsoft CVE-2017-0202 (A remote code execution vulnerability exists when Internet Explorer im ...) NOT-FOR-US: Microsoft CVE-2017-0201 (A remote code execution vulnerability exists in Internet Explorer in t ...) NOT-FOR-US: Microsoft CVE-2017-0200 (A remote code execution vulnerability exists when Microsoft Edge impro ...) NOT-FOR-US: Microsoft CVE-2017-0199 (Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office ...) NOT-FOR-US: Microsoft CVE-2017-0198 RESERVED CVE-2017-0197 (Microsoft OneNote 2007 SP3 and Microsoft OneNote 2010 SP2 allow remote ...) NOT-FOR-US: Microsoft CVE-2017-0196 (An information disclosure vulnerability in Microsoft scripting engine ...) NOT-FOR-US: Microsoft CVE-2017-0195 (Microsoft Excel Services on Microsoft SharePoint Server 2010 SP1 and S ...) NOT-FOR-US: Microsoft CVE-2017-0194 (Microsoft Excel 2007 SP3, Microsoft Excel 2010 SP2, and Office Compati ...) NOT-FOR-US: Microsoft CVE-2017-0193 (Windows Hyper-V in Microsoft Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft CVE-2017-0192 (The Adobe Type Manager Font Driver (ATMFD.dll) in Microsoft Windows Vi ...) NOT-FOR-US: Microsoft CVE-2017-0191 (A denial of service vulnerability exists in the way that Windows 7, Wi ...) NOT-FOR-US: Microsoft CVE-2017-0190 (The GDI component in Microsoft Windows Server 2008 SP2 and R2 SP1, Win ...) NOT-FOR-US: Microsoft CVE-2017-0189 (An elevation of privilege vulnerability exists in Windows 10 when the ...) NOT-FOR-US: Microsoft CVE-2017-0188 (A Win32k information disclosure vulnerability exists in Windows 8.1, W ...) NOT-FOR-US: Microsoft CVE-2017-0187 RESERVED CVE-2017-0186 (A denial of service vulnerability exists when Microsoft Hyper-V Networ ...) NOT-FOR-US: Microsoft CVE-2017-0185 (A denial of service vulnerability exists when Microsoft Hyper-V Networ ...) NOT-FOR-US: Microsoft CVE-2017-0184 (A denial of service vulnerability exists when Microsoft Hyper-V runnin ...) NOT-FOR-US: Microsoft CVE-2017-0183 (A denial of service vulnerability exists when Microsoft Hyper-V Networ ...) NOT-FOR-US: Microsoft CVE-2017-0182 (A denial of service vulnerability exists when Microsoft Hyper-V Networ ...) NOT-FOR-US: Microsoft CVE-2017-0181 (A remote code execution vulnerability exists when Windows Hyper-V Netw ...) NOT-FOR-US: Microsoft CVE-2017-0180 (A remote code execution vulnerability exists when Windows Hyper-V Netw ...) NOT-FOR-US: Microsoft CVE-2017-0179 (A denial of service vulnerability exists when Microsoft Hyper-V runnin ...) NOT-FOR-US: Microsoft CVE-2017-0178 (A denial of service vulnerability exists when Microsoft Hyper-V runnin ...) NOT-FOR-US: Microsoft CVE-2017-0177 RESERVED CVE-2017-0176 (A buffer overflow in Smart Card authentication code in gpkcsp.dll in M ...) NOT-FOR-US: Microsoft CVE-2017-0175 (The Windows kernel in Windows Server 2008 SP2 and R2 SP1, and Windows ...) NOT-FOR-US: Microsoft CVE-2017-0174 (Windows NetBIOS in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, ...) NOT-FOR-US: Microsoft CVE-2017-0173 (Microsoft Windows 10 1607 and Windows Server 2016 allow an attacker to ...) NOT-FOR-US: Microsoft CVE-2017-0172 RESERVED CVE-2017-0171 (Windows DNS Server allows a denial of service vulnerability when Micro ...) NOT-FOR-US: Microsoft CVE-2017-0170 (Windows Performance Monitor in Windows Server 2008 SP2 and R2 SP1, Win ...) NOT-FOR-US: Microsoft CVE-2017-0169 (An information disclosure vulnerability exists when Windows Hyper-V ru ...) NOT-FOR-US: Microsoft CVE-2017-0168 (An information disclosure vulnerability exists when the Windows Hyper- ...) NOT-FOR-US: Microsoft CVE-2017-0167 (An information disclosure vulnerability exists in Windows 8.1, Windows ...) NOT-FOR-US: Microsoft CVE-2017-0166 (An elevation of privilege vulnerability exists in Windows when LDAP re ...) NOT-FOR-US: Microsoft CVE-2017-0165 (An elevation of privilege vulnerability exists when Microsoft Windows ...) NOT-FOR-US: Microsoft CVE-2017-0164 (A denial of service vulnerability exists in Windows 10 1607 and Window ...) NOT-FOR-US: Microsoft CVE-2017-0163 (A remote code execution vulnerability exists when Windows Hyper-V Netw ...) NOT-FOR-US: Microsoft CVE-2017-0162 (A remote code execution vulnerability exists when Windows Hyper-V Netw ...) NOT-FOR-US: Microsoft CVE-2017-0161 (The Windows NetBT Session Services component on Microsoft Windows Serv ...) NOT-FOR-US: Microsoft CVE-2017-0160 (Microsoft .NET Framework 2.0, 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 al ...) NOT-FOR-US: Microsoft CVE-2017-0159 (A security feature bypass vulnerability exists in Windows 10 1607, Win ...) NOT-FOR-US: Microsoft CVE-2017-0158 (An elevation of privilege vulnerability exists when Microsoft Windows ...) NOT-FOR-US: Microsoft CVE-2017-0157 RESERVED CVE-2017-0156 (An elevation of privilege vulnerability exists in Windows 7, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2017-0155 (The Graphics component in the kernel in Microsoft Windows Vista SP2; W ...) NOT-FOR-US: Microsoft CVE-2017-0154 (Microsoft Internet Explorer 11 on Windows 10, 1511, and 1606 and Windo ...) NOT-FOR-US: Microsoft CVE-2017-0153 RESERVED CVE-2017-0152 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0151 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0150 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0149 (Microsoft Internet Explorer 9 through 11 allow remote attackers to exe ...) NOT-FOR-US: Microsoft CVE-2017-0148 (The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 S ...) NOT-FOR-US: Microsoft CVE-2017-0147 (The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 S ...) NOT-FOR-US: Microsoft CVE-2017-0146 (The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 S ...) NOT-FOR-US: Microsoft CVE-2017-0145 (The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 S ...) NOT-FOR-US: Microsoft CVE-2017-0144 (The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 S ...) NOT-FOR-US: Microsoft CVE-2017-0143 (The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 S ...) NOT-FOR-US: Microsoft CVE-2017-0142 RESERVED CVE-2017-0141 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0140 (Microsoft Edge allows remote attackers to bypass the Same Origin Polic ...) NOT-FOR-US: Microsoft CVE-2017-0139 RESERVED CVE-2017-0138 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0137 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0136 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0135 (Microsoft Edge allows remote attackers to bypass the Same Origin Polic ...) NOT-FOR-US: Microsoft CVE-2017-0134 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0133 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0132 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0131 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0130 (The scripting engine in Microsoft Internet Explorer 9 through 11 allow ...) NOT-FOR-US: Microsoft CVE-2017-0129 (Microsoft Lync for Mac 2011 fails to properly validate certificates, a ...) NOT-FOR-US: Microsoft CVE-2017-0128 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0127 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0126 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0125 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0124 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0123 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0122 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0121 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0120 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0119 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0118 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0117 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0116 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0115 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0114 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0113 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0112 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0111 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0110 (Cross-site scripting (XSS) vulnerability in Microsoft Exchange Outlook ...) NOT-FOR-US: Microsoft CVE-2017-0109 (Hyper-V in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 ...) NOT-FOR-US: Microsoft CVE-2017-0108 (The Windows Graphics Component in Microsoft Office 2007 SP3; 2010 SP2; ...) NOT-FOR-US: Microsoft CVE-2017-0107 (Microsoft SharePoint Server fails to sanitize crafted web requests, al ...) NOT-FOR-US: Microsoft CVE-2017-0106 (Microsoft Excel 2007 SP3, Microsoft Outlook 2010 SP2, Microsoft Outloo ...) NOT-FOR-US: Microsoft CVE-2017-0105 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word for Mac ...) NOT-FOR-US: Microsoft CVE-2017-0104 (The iSNS Server service in Microsoft Windows Server 2008 SP2 and R2, W ...) NOT-FOR-US: Microsoft CVE-2017-0103 (The kernel API in Microsoft Windows Vista SP2, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-0102 (Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2; Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-0101 (The kernel-mode drivers in Transaction Manager in Microsoft Windows Vi ...) NOT-FOR-US: Microsoft CVE-2017-0100 (A DCOM object in Helppane.exe in Microsoft Windows 7 SP1; Windows Serv ...) NOT-FOR-US: Microsoft CVE-2017-0099 (Hyper-V in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and 20 ...) NOT-FOR-US: Microsoft CVE-2017-0098 (Hyper-V in Microsoft Windows 10 Gold, 1511, and 1607; and Windows Serv ...) NOT-FOR-US: Microsoft CVE-2017-0097 (Hyper-V in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and 20 ...) NOT-FOR-US: Microsoft CVE-2017-0096 (Hyper-V in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 ...) NOT-FOR-US: Microsoft CVE-2017-0095 (Hyper-V in Microsoft Windows 10 Gold, 1511, and 1607 and Windows Serve ...) NOT-FOR-US: Microsoft CVE-2017-0094 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0093 (A remote code execution vulnerability in Microsoft Edge exists in the ...) NOT-FOR-US: Microsoft CVE-2017-0092 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0091 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0090 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0089 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0088 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0087 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0086 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0085 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0084 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0083 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0082 (The kernel-mode drivers in Microsoft Windows 10 Gold and 1511 allow lo ...) NOT-FOR-US: Microsoft CVE-2017-0081 (The kernel-mode drivers in Microsoft Windows 8.1; Windows Server 2012 ...) NOT-FOR-US: Microsoft CVE-2017-0080 (The kernel-mode drivers in Microsoft Windows 10 Gold, 1511, and 1607 a ...) NOT-FOR-US: Microsoft CVE-2017-0079 (The kernel-mode drivers in Windows 8.1; Windows Server 2012 R2; Window ...) NOT-FOR-US: Microsoft CVE-2017-0078 (The kernel-mode drivers in Microsoft Windows 8.1; Windows Server 2012 ...) NOT-FOR-US: Microsoft CVE-2017-0077 (The kernel-mode drivers in Windows Server 2008 SP2 and R2 SP1, Windows ...) NOT-FOR-US: Microsoft CVE-2017-0076 (Hyper-V in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and 20 ...) NOT-FOR-US: Microsoft CVE-2017-0075 (Hyper-V in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 ...) NOT-FOR-US: Microsoft CVE-2017-0074 (Hyper-V in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and 20 ...) NOT-FOR-US: Microsoft CVE-2017-0073 (The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Wi ...) NOT-FOR-US: Microsoft CVE-2017-0072 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0071 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0070 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0069 (Microsoft Edge allows remote attackers to spoof web content via a craf ...) NOT-FOR-US: Microsoft CVE-2017-0068 (Browsers in Microsoft Edge allow remote attackers to obtain sensitive ...) NOT-FOR-US: Microsoft CVE-2017-0067 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0066 (Microsoft Edge allows remote attackers to bypass the Same Origin Polic ...) NOT-FOR-US: Microsoft CVE-2017-0065 (Microsoft Edge allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Microsoft CVE-2017-0064 (A security feature bypass vulnerability exists in Internet Explorer th ...) NOT-FOR-US: Microsoft CVE-2017-0063 (The Color Management Module (ICM32.dll) memory handling functionality ...) NOT-FOR-US: Microsoft CVE-2017-0062 (The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Wi ...) NOT-FOR-US: Microsoft CVE-2017-0061 (The Color Management Module (ICM32.dll) memory handling functionality ...) NOT-FOR-US: Microsoft CVE-2017-0060 (The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Wi ...) NOT-FOR-US: Microsoft CVE-2017-0059 (Microsoft Internet Explorer 9 through 11 allow remote attackers to obt ...) NOT-FOR-US: Microsoft CVE-2017-0058 (A Win32k information disclosure vulnerability exists in Microsoft Wind ...) NOT-FOR-US: Microsoft CVE-2017-0057 (DNS client in Microsoft Windows 8.1; Windows Server 2012 R2, Windows R ...) NOT-FOR-US: Microsoft CVE-2017-0056 (The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server ...) NOT-FOR-US: Microsoft CVE-2017-0055 (Microsoft Internet Information Server (IIS) in Windows Vista SP2; Wind ...) NOT-FOR-US: Microsoft CVE-2017-0054 RESERVED CVE-2017-0053 (Microsoft Office 2010 SP2, Office Compatibility Pack SP3, Word 2007 SP ...) NOT-FOR-US: Microsoft CVE-2017-0052 (Microsoft Office Compatibility Pack SP3, Excel 2007 SP3, Excel Viewer, ...) NOT-FOR-US: Microsoft CVE-2017-0051 (Microsoft Windows 10 1607 and Windows Server 2016 allow remote attacke ...) NOT-FOR-US: Microsoft CVE-2017-0050 (The kernel API in Microsoft Windows Vista SP2; Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-0049 (The VBScript engine in Microsoft Internet Explorer 11 allows remote at ...) NOT-FOR-US: Microsoft CVE-2017-0048 RESERVED CVE-2017-0047 (The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Wi ...) NOT-FOR-US: Microsoft CVE-2017-0046 RESERVED CVE-2017-0045 (Windows DVD Maker in Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1 ...) NOT-FOR-US: Microsoft CVE-2017-0044 RESERVED CVE-2017-0043 (Active Directory Federation Services in Microsoft Windows 10 1607, Win ...) NOT-FOR-US: Microsoft CVE-2017-0042 (Windows Media Player in Microsoft Windows 8.1; Windows Server 2012 R2; ...) NOT-FOR-US: Microsoft CVE-2017-0041 RESERVED CVE-2017-0040 (The scripting engine in Microsoft Internet Explorer 9 through 11 allow ...) NOT-FOR-US: Microsoft CVE-2017-0039 (Microsoft Windows Vista SP2 and Server 2008 SP2 mishandle dynamic link ...) NOT-FOR-US: Microsoft CVE-2017-0038 (gdi32.dll in Graphics Device Interface (GDI) in Microsoft Windows Vist ...) NOT-FOR-US: Microsoft CVE-2017-0037 (Microsoft Internet Explorer 10 and 11 and Microsoft Edge have a type c ...) NOT-FOR-US: Microsoft CVE-2017-0036 RESERVED CVE-2017-0035 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0034 (A remote code execution vulnerability exists when Microsoft Edge impro ...) NOT-FOR-US: Microsoft CVE-2017-0033 (Microsoft Internet Explorer 11 and Microsoft Edge allow remote attacke ...) NOT-FOR-US: Microsoft CVE-2017-0032 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0031 (Microsoft Office 2010 SP2, Office Compatibility Pack SP3, Word 2007 SP ...) NOT-FOR-US: Microsoft CVE-2017-0030 (Microsoft Office 2010 SP2, Office Compatibility Pack SP3, Office Web A ...) NOT-FOR-US: Microsoft CVE-2017-0029 (Microsoft Office 2010 SP2, Word 2010 SP2, Word 2013 RT SP1, and Word 2 ...) NOT-FOR-US: Microsoft CVE-2017-0028 (A remote code execution vulnerability exists when Microsoft scripting ...) NOT-FOR-US: Microsoft CVE-2017-0027 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 RT SP1, Excel 201 ...) NOT-FOR-US: Microsoft CVE-2017-0026 (The kernel-mode drivers in Microsoft Windows 10 Gold, 1511, and 1607 a ...) NOT-FOR-US: Microsoft CVE-2017-0025 (The kernel-mode drivers in Microsoft Windows Vista; Windows Server 200 ...) NOT-FOR-US: Microsoft CVE-2017-0024 (The kernel-mode drivers in Microsoft Windows 10 1607 and Windows Serve ...) NOT-FOR-US: Microsoft CVE-2017-0023 (The PDF library in Microsoft Edge; Windows 8.1; Windows Server 2012 an ...) NOT-FOR-US: Microsoft CVE-2017-0022 (Microsoft XML Core Services (MSXML) in Windows 10 Gold, 1511, and 1607 ...) NOT-FOR-US: Microsoft CVE-2017-0021 (Hyper-V in Microsoft Windows 10 1607 and Windows Server 2016 does not ...) NOT-FOR-US: Microsoft CVE-2017-0020 (Microsoft Excel 2016, Excel 2010 SP2, Excel 2013 RT SP1, and Office We ...) NOT-FOR-US: Microsoft CVE-2017-0019 (Microsoft Word 2016 allows remote attackers to execute arbitrary code ...) NOT-FOR-US: Microsoft CVE-2017-0018 (Microsoft Internet Explorer 10 and 11 allow remote attackers to execut ...) NOT-FOR-US: Microsoft CVE-2017-0017 (The RegEx class in the XSS filter in Microsoft Edge allows remote atta ...) NOT-FOR-US: Microsoft CVE-2017-0016 (Microsoft Windows 10 Gold, 1511, and 1607; Windows 8.1; Windows RT 8.1 ...) NOT-FOR-US: Microsoft CVE-2017-0015 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0014 (The Windows Graphics Component in Microsoft Office 2010 SP2; Windows S ...) NOT-FOR-US: Microsoft CVE-2017-0013 RESERVED CVE-2017-0012 (Microsoft Internet Explorer 11 and Microsoft Edge allow remote attacke ...) NOT-FOR-US: Microsoft CVE-2017-0011 (Microsoft Edge allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Microsoft CVE-2017-0010 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0009 (Microsoft Internet Explorer 9 through 11 allow remote attackers to obt ...) NOT-FOR-US: Microsoft CVE-2017-0008 (Microsoft Internet Explorer 9 through 11 allow remote attackers to obt ...) NOT-FOR-US: Microsoft CVE-2017-0007 (Device Guard in Microsoft Windows 10 Gold, 1511, 1607, and Windows Ser ...) NOT-FOR-US: Microsoft CVE-2017-0006 (Microsoft Excel 2007 SP3, Office Compatibility Pack SP3, Excel Viewer, ...) NOT-FOR-US: Microsoft CVE-2017-0005 (The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Wi ...) NOT-FOR-US: Microsoft CVE-2017-0004 (The Local Security Authority Subsystem Service (LSASS) in Microsoft Wi ...) NOT-FOR-US: Microsoft CVE-2017-0003 (Microsoft Word 2016 and SharePoint Enterprise Server 2016 allow remote ...) NOT-FOR-US: Microsoft CVE-2017-0002 (Microsoft Edge allows remote attackers to bypass the Same Origin Polic ...) NOT-FOR-US: Microsoft CVE-2017-0001 (The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Wi ...) NOT-FOR-US: Microsoft CVE-2016-8200 RESERVED CVE-2016-8199 RESERVED CVE-2016-8198 RESERVED CVE-2016-8197 RESERVED CVE-2016-8196 RESERVED CVE-2016-8195 RESERVED CVE-2016-8194 RESERVED CVE-2016-8193 RESERVED CVE-2016-8192 RESERVED CVE-2016-8191 RESERVED CVE-2016-8190 RESERVED CVE-2016-8189 RESERVED CVE-2016-8188 RESERVED CVE-2016-8187 RESERVED CVE-2016-8186 RESERVED CVE-2016-8185 RESERVED CVE-2016-8184 RESERVED CVE-2016-8183 RESERVED CVE-2016-8182 RESERVED CVE-2016-8181 RESERVED CVE-2016-8180 RESERVED CVE-2016-8179 RESERVED CVE-2016-8178 RESERVED CVE-2016-8177 RESERVED CVE-2016-8176 RESERVED CVE-2016-8175 RESERVED CVE-2016-8174 RESERVED CVE-2016-8173 RESERVED CVE-2016-8172 RESERVED CVE-2016-8171 RESERVED CVE-2016-8170 RESERVED CVE-2016-8169 RESERVED CVE-2016-8168 RESERVED CVE-2016-8167 RESERVED CVE-2016-8166 RESERVED CVE-2016-8165 RESERVED CVE-2016-8164 RESERVED CVE-2016-8163 RESERVED CVE-2016-8162 RESERVED CVE-2016-8161 RESERVED CVE-2016-8160 RESERVED CVE-2016-8159 RESERVED CVE-2016-8158 RESERVED CVE-2016-8157 RESERVED CVE-2016-8156 RESERVED CVE-2016-8155 RESERVED CVE-2016-8154 RESERVED CVE-2016-8153 RESERVED CVE-2016-8152 RESERVED CVE-2016-8151 RESERVED CVE-2016-8150 RESERVED CVE-2016-8149 RESERVED CVE-2016-8148 RESERVED CVE-2016-8147 RESERVED CVE-2016-8146 RESERVED CVE-2016-8145 RESERVED CVE-2016-8144 RESERVED CVE-2016-8143 RESERVED CVE-2016-8142 RESERVED CVE-2016-8141 RESERVED CVE-2016-8140 RESERVED CVE-2016-8139 RESERVED CVE-2016-8138 RESERVED CVE-2016-8137 RESERVED CVE-2016-8136 RESERVED CVE-2016-8135 RESERVED CVE-2016-8134 RESERVED CVE-2016-8133 RESERVED CVE-2016-8132 RESERVED CVE-2016-8131 RESERVED CVE-2016-8130 RESERVED CVE-2016-8129 RESERVED CVE-2016-8128 RESERVED CVE-2016-8127 RESERVED CVE-2016-8126 RESERVED CVE-2016-8125 RESERVED CVE-2016-8124 RESERVED CVE-2016-8123 RESERVED CVE-2016-8122 RESERVED CVE-2016-8121 RESERVED CVE-2016-8120 RESERVED CVE-2016-8119 RESERVED CVE-2016-8118 RESERVED CVE-2016-8117 RESERVED CVE-2016-8116 RESERVED CVE-2016-8115 RESERVED CVE-2016-8114 RESERVED CVE-2016-8113 RESERVED CVE-2016-8112 RESERVED CVE-2016-8111 RESERVED CVE-2016-8110 RESERVED CVE-2016-8109 RESERVED CVE-2016-8108 RESERVED CVE-2016-8107 RESERVED CVE-2016-8106 (A Denial of Service in Intel Ethernet Controller's X710/XL710 with Non ...) NOT-FOR-US: Intel driver CVE-2016-8105 (Drivers for the Intel Ethernet Controller X710 and Intel Ethernet Cont ...) NOT-FOR-US: Intel driver CVE-2016-8104 (Buffer overflow in Intel PROSet/Wireless Software and Drivers in versi ...) NOT-FOR-US: Intel driver CVE-2016-8103 (SMM call out in all Intel Branded NUC Kits allows a local privileged u ...) NOT-FOR-US: Intel driver CVE-2016-8102 (Unquoted service path vulnerability in Intel Wireless Bluetooth Driver ...) NOT-FOR-US: Intel driver CVE-2016-8101 (The updater subsystem in Intel SSD Toolbox before 3.3.7 allows local u ...) NOT-FOR-US: Intel SSD Toolbox CVE-2016-8100 (Intel Integrated Performance Primitives (aka IPP) Cryptography before ...) NOT-FOR-US: Intel CVE-2016-8099 REJECTED CVE-2016-8098 REJECTED CVE-2016-8097 REJECTED CVE-2016-8096 REJECTED CVE-2016-8095 REJECTED CVE-2016-8094 REJECTED CVE-2016-8093 REJECTED CVE-2016-8092 REJECTED CVE-2016-8091 REJECTED CVE-2016-8090 REJECTED CVE-2016-8089 REJECTED CVE-2016-8088 REJECTED CVE-2016-8087 REJECTED CVE-2016-8086 REJECTED CVE-2016-8085 REJECTED CVE-2016-8084 REJECTED CVE-2016-8083 REJECTED CVE-2016-8082 REJECTED CVE-2016-8081 REJECTED CVE-2016-8080 REJECTED CVE-2016-8079 REJECTED CVE-2016-8078 REJECTED CVE-2016-8077 REJECTED CVE-2016-8076 REJECTED CVE-2016-8075 REJECTED CVE-2016-8074 REJECTED CVE-2016-8073 REJECTED CVE-2016-8072 REJECTED CVE-2016-8071 REJECTED CVE-2016-8070 REJECTED CVE-2016-8069 REJECTED CVE-2016-8068 REJECTED CVE-2016-8067 REJECTED CVE-2016-8066 REJECTED CVE-2016-8065 REJECTED CVE-2016-8064 REJECTED CVE-2016-8063 REJECTED CVE-2016-8062 REJECTED CVE-2016-8061 REJECTED CVE-2016-8060 REJECTED CVE-2016-8059 REJECTED CVE-2016-8058 REJECTED CVE-2016-8057 REJECTED CVE-2016-8056 REJECTED CVE-2016-8055 REJECTED CVE-2016-8054 REJECTED CVE-2016-8053 REJECTED CVE-2016-8052 REJECTED CVE-2016-8051 REJECTED CVE-2016-8050 REJECTED CVE-2016-8049 RESERVED CVE-2016-8048 RESERVED CVE-2016-8047 RESERVED CVE-2016-8046 RESERVED CVE-2016-8045 RESERVED CVE-2016-8044 RESERVED CVE-2016-8043 RESERVED CVE-2016-8042 RESERVED CVE-2016-8041 RESERVED CVE-2016-8040 RESERVED CVE-2016-8039 REJECTED CVE-2016-8038 REJECTED CVE-2016-8037 REJECTED CVE-2016-8036 REJECTED CVE-2016-8035 REJECTED CVE-2016-8034 REJECTED CVE-2016-8033 REJECTED CVE-2016-8032 (Software Integrity Attacks vulnerability in Intel Security Anti-Virus ...) NOT-FOR-US: Intel Security Anti-Virus CVE-2016-8031 (Software Integrity Attacks vulnerability in Intel Security Anti-Virus ...) NOT-FOR-US: Intel antivirus CVE-2016-8030 (A memory corruption vulnerability in Scriptscan COM Object in McAfee V ...) NOT-FOR-US: Intel antivirus CVE-2016-8029 REJECTED CVE-2016-8028 RESERVED CVE-2016-8027 (SQL injection vulnerability in core services in Intel Security McAfee ...) NOT-FOR-US: Intel antivirus CVE-2016-8026 (Arbitrary command execution vulnerability in Intel Security McAfee Sec ...) NOT-FOR-US: Intel antivirus CVE-2016-8025 (SQL injection vulnerability in Intel Security VirusScan Enterprise Lin ...) NOT-FOR-US: Intel antivirus CVE-2016-8024 (Improper neutralization of CRLF sequences in HTTP headers vulnerabilit ...) NOT-FOR-US: Intel antivirus CVE-2016-8023 (Authentication bypass by assumed-immutable data vulnerability in Intel ...) NOT-FOR-US: Intel antivirus CVE-2016-8022 (Authentication bypass by spoofing vulnerability in Intel Security Viru ...) NOT-FOR-US: Intel antivirus CVE-2016-8021 (Improper verification of cryptographic signature vulnerability in Inte ...) NOT-FOR-US: Intel antivirus CVE-2016-8020 (Improper control of generation of code vulnerability in Intel Security ...) NOT-FOR-US: Intel antivirus CVE-2016-8019 (Cross-site scripting (XSS) vulnerability in attributes in Intel Securi ...) NOT-FOR-US: Intel antivirus CVE-2016-8018 (Cross-site request forgery (CSRF) vulnerability in Intel Security Viru ...) NOT-FOR-US: Intel antivirus CVE-2016-8017 (Special element injection vulnerability in Intel Security VirusScan En ...) NOT-FOR-US: Intel antivirus CVE-2016-8016 (Information exposure in Intel Security VirusScan Enterprise Linux (VSE ...) NOT-FOR-US: Intel antivirus CVE-2016-8015 RESERVED CVE-2016-8014 RESERVED CVE-2016-8013 RESERVED CVE-2016-8012 (Access control vulnerability in Intel Security Data Loss Prevention En ...) NOT-FOR-US: Intel antivirus CVE-2016-8011 (Cross-site scripting vulnerability in Intel Security McAfee Endpoint S ...) NOT-FOR-US: Intel antivirus CVE-2016-8010 (Application protections bypass vulnerability in Intel Security McAfee ...) NOT-FOR-US: Intel antivirus CVE-2016-8009 (Privilege escalation vulnerability in Intel Security McAfee Applicatio ...) NOT-FOR-US: Intel antivirus CVE-2016-8008 (Privilege escalation vulnerability in Windows 7 and Windows 10 in McAf ...) NOT-FOR-US: Intel antivirus CVE-2016-8007 (Authentication bypass vulnerability in McAfee Host Intrusion Preventio ...) NOT-FOR-US: Intel antivirus CVE-2016-8006 (Authentication bypass vulnerability in Enterprise Security Manager (ES ...) NOT-FOR-US: Intel Security McAfee Security Information and Event Management CVE-2016-8005 (File extension filtering vulnerability in Intel Security McAfee Email ...) NOT-FOR-US: Intel antivirus CVE-2016-8004 RESERVED CVE-2016-8003 RESERVED CVE-2016-8002 REJECTED CVE-2016-8001 RESERVED CVE-2016-7999 (ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote at ...) {DLA-695-1} - spip 3.1.3-1 [jessie] - spip 3.0.17-2+deb8u3 NOTE: http://seclists.org/fulldisclosure/2016/Oct/78 NOTE: https://core.spip.net/projects/spip/repository/revisions/23180 (master) NOTE: https://core.spip.net/projects/spip/repository/revisions/23182 (3.1) NOTE: https://core.spip.net/projects/spip/repository/revisions/23184 (3.0) NOTE: reproducible in Wheezy (2.1.17-1+deb7u5) and Jessie (3.0.17-2+deb8u2) CVE-2016-7998 (The SPIP template composer/compiler in SPIP 3.1.2 and earlier allows r ...) {DLA-695-1} - spip 3.1.3-1 [jessie] - spip 3.0.17-2+deb8u3 NOTE: http://seclists.org/fulldisclosure/2016/Oct/76 NOTE: https://core.spip.net/projects/spip/repository/revisions/23186 (master) NOTE: https://core.spip.net/projects/spip/repository/revisions/23189 (3.1) NOTE: https://core.spip.net/projects/spip/repository/revisions/23192 (3.0) NOTE: reproducible in Jessie (3.0.17-2+deb8u2) CVE-2016-7997 (The WPG format reader in GraphicsMagick 1.3.25 and earlier allows remo ...) {DSA-3746-1 DLA-683-1} - graphicsmagick 1.3.25-4 NOTE: patch for this and CVE-2016-7996 at: http://openwall.com/lists/oss-security/2016/10/07/4 CVE-2016-7996 (Heap-based buffer overflow in the WPG format reader in GraphicsMagick ...) {DSA-3746-1 DLA-683-1} - graphicsmagick 1.3.21-2 NOTE: The patch addressing CVE-2016-7996 applied is in 1.3.25-4, but in NOTE: the experimental upload 1.3.20-4 and later uploaded to unstable as NOTE: 1.3.21-2 the build is done with --with-quantum-depth=16 switching NOTE: away from the default with QuantumDepth=8 NOTE: patch for this and CVE-2016-7997 at: http://openwall.com/lists/oss-security/2016/10/07/4 CVE-2016-7995 (Memory leak in the ehci_process_itd function in hw/usb/hcd-ehci.c in Q ...) - qemu 1:2.8+dfsg-1 (bug #840236) [jessie] - qemu (Vulnerable code introduced in v2.6.0-rc0) [wheezy] - qemu (Vulnerable code introduced in v2.6.0-rc0) - qemu-kvm (Vulnerable code introduced in v2.6.0-rc0) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg06609.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1382668 NOTE: Vulnerable code introduced in 49d925ce50383a286278143c05511d30ec41a36e NOTE: Though this commit fixed an OOB read access issue which might need NOTE: potentially a new separate CVE id if it does not have one yet. CVE-2016-7994 (Memory leak in the virtio_gpu_resource_create_2d function in hw/displa ...) - qemu 1:2.8+dfsg-1 (bug #840228) [jessie] - qemu (Vulnerable code introduced in 2.4.0-rc0) [wheezy] - qemu (Vulnerable code introduced in 2.4.0-rc0) - qemu-kvm (Vulnerable code introduced in 2.4.0-rc0) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg04129.html CVE-2016-7993 (A bug in util-print.c:relts_print() in tcpdump before 4.9.0 could caus ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-7992 (The Classical IP over ATM parser in tcpdump before 4.9.0 has a buffer ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-7991 (On Samsung Galaxy S4 through S7 devices, the "omacp" app ignores secur ...) NOT-FOR-US: Samsung CVE-2016-7990 (On Samsung Galaxy S4 through S7 devices, an integer overflow condition ...) NOT-FOR-US: Samsung CVE-2016-7989 (On Samsung Galaxy S4 through S7 devices, a malformed OTA WAP PUSH SMS ...) NOT-FOR-US: Samsung CVE-2016-7988 (On Samsung Galaxy S4 through S7 devices, absence of permissions on the ...) NOT-FOR-US: Samsung CVE-2016-7987 (An issue was discovered in Siemens ETA4 firmware (all versions prior t ...) NOT-FOR-US: Siemens CVE-2016-7986 (The GeoNetworking parser in tcpdump before 4.9.0 has a buffer overflow ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-7985 (The CALM FAST parser in tcpdump before 4.9.0 has a buffer overflow in ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-7984 (The TFTP parser in tcpdump before 4.9.0 has a buffer overflow in print ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-7983 (The BOOTP parser in tcpdump before 4.9.0 has a buffer overflow in prin ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-7982 (Directory traversal vulnerability in ecrire/exec/valider_xml.php in SP ...) {DLA-695-1} - spip 3.1.3-1 [jessie] - spip 3.0.17-2+deb8u3 NOTE: http://seclists.org/fulldisclosure/2016/Oct/73 NOTE: https://core.spip.net/projects/spip/repository/revisions/23180 (master) NOTE: https://core.spip.net/projects/spip/repository/revisions/23182 (3.1) NOTE: https://core.spip.net/projects/spip/repository/revisions/23184 (3.0) NOTE: https://core.spip.net/projects/spip/repository/revisions/23185 (master) NOTE: https://core.spip.net/projects/spip/repository/revisions/23188 (3.1) NOTE: https://core.spip.net/projects/spip/repository/revisions/23191 (3.0) NOTE: https://core.spip.net/projects/spip/repository/revisions/23187 (master) NOTE: https://core.spip.net/projects/spip/repository/revisions/23190 (3.1) NOTE: https://core.spip.net/projects/spip/repository/revisions/23193 (3.0) NOTE: https://core.spip.net/projects/spip/repository/revisions/23200 (master) NOTE: https://core.spip.net/projects/spip/repository/revisions/23201 (3.1) NOTE: https://core.spip.net/projects/spip/repository/revisions/23202 (3.0) NOTE: https://core.spip.net/projects/spip/repository/revisions/23206 (master) NOTE: https://core.spip.net/projects/spip/repository/revisions/23207 (3.1) NOTE: https://core.spip.net/projects/spip/repository/revisions/23208 (3.0) NOTE: reproducible in Wheezy (2.1.17-1+deb7u5) and Jessie (3.0.17-2+deb8u2) CVE-2016-7981 (Cross-site scripting (XSS) vulnerability in valider_xml.php in SPIP 3. ...) {DLA-695-1} - spip 3.1.3-1 [jessie] - spip 3.0.17-2+deb8u3 NOTE: http://seclists.org/fulldisclosure/2016/Oct/68 NOTE: https://core.spip.net/projects/spip/repository/revisions/23200 (master) NOTE: https://core.spip.net/projects/spip/repository/revisions/23201 (3.1.x) NOTE: https://core.spip.net/projects/spip/repository/revisions/23202 (3.0.x) NOTE: reproducible in Wheezy (2.1.17-1+deb7u5) and Jessie (3.0.17-2+deb8u2) CVE-2016-7980 (Cross-site request forgery (CSRF) vulnerability in ecrire/exec/valider ...) {DLA-695-1} - spip 3.1.3-1 [jessie] - spip 3.0.17-2+deb8u3 NOTE: http://seclists.org/fulldisclosure/2016/Oct/67 NOTE: https://core.spip.net/projects/spip/repository/revisions/23200 (master) NOTE: https://core.spip.net/projects/spip/repository/revisions/23201 (3.1) NOTE: https://core.spip.net/projects/spip/repository/revisions/23202 (3.0) NOTE: reproducible in Wheezy (2.1.17-1+deb7u5) and Jessie (3.0.17-2+deb8u2) CVE-2016-7975 (The TCP parser in tcpdump before 4.9.0 has a buffer overflow in print- ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-7974 (The IP parser in tcpdump before 4.9.0 has a buffer overflow in print-i ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-7973 (The AppleTalk parser in tcpdump before 4.9.0 has a buffer overflow in ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-7972 (The check_allocations function in libass/ass_shaper.c in libass before ...) {DLA-668-1} - libass 0.13.4-1 [jessie] - libass (Minor issue) NOTE: https://github.com/libass/libass/pull/240/commits/aa54e0b59200a994d50a346b5d7ac818ebcf2d4b CVE-2016-7971 REJECTED CVE-2016-7970 (Buffer overflow in the calc_coeff function in libass/ass_blur.c in lib ...) - libass 0.13.4-1 [jessie] - libass (Vulnerable code introduced later) [wheezy] - libass (Vulnerable code first introduced in July 2015) NOTE: Fixed by: https://github.com/libass/libass/pull/240/commits/08e754612019ed84d1db0d1fc4f5798248decd75 NOTE: Vulnerable function calc_coeff introduced in: https://github.com/libass/libass/commit/d787615845d78d8f8e6d1a4ffc3dc3eecd8a92f6 (0.13.0) CVE-2016-7969 (The wrap_lines_smart function in ass_render.c in libass before 0.13.4 ...) {DLA-668-1} - libass 0.13.4-1 [jessie] - libass (Minor issue) NOTE: https://github.com/libass/libass/pull/240/commits/b72b283b936a600c730e00875d7d067bded3fc26 CVE-2016-7968 (KMail since version 5.3.0 used a QWebEngine based viewer that had Java ...) - kf5-messagelib (Doesn't use qtwebengine, see bug #853241) NOTE: https://www.kde.org/info/security/advisory-20161006-3.txt NOTE: Would by fixed by: https://cgit.kde.org/messagelib.git/commit/?id=f601f9ffb706f7d3a5893b04f067a1f75da62c99 NOTE: and building with Qt 5.7.0. NOTE: Following patches partly sanitize mails but still make it possible to inject code: NOTE: https://cgit.kde.org/messagelib.git/commit/?id=3503b75e9c79c3861e182588a0737baf165abd23 (v16.08.2) NOTE: https://cgit.kde.org/messagelib.git/commit/?id=a8744798dfdf8e41dd6a378e48662c66302b0019 (v16.08.2) NOTE: https://cgit.kde.org/messagelib.git/commit/?id=77976584a4ed2797437a2423704abdd7ece7834a (v16.08.2) NOTE: https://cgit.kde.org/messagelib.git/commit/?id=fb1be09360c812d24355076da544030a67b736fc (v16.08.2) NOTE: https://cgit.kde.org/messagelib.git/commit/?id=0402c17a8ead92188971cb604d905b3072d56a73 (v16.08.2) NOTE: The issue is mitigated with the fixes applied for CVE-2016-7966, and a NOTE: user protected from this CVE by only viewing plain text mails. CVE-2016-7967 (KMail since version 5.3.0 used a QWebEngine based viewer that had Java ...) - kf5-messagelib (Doesn't use qtwebengine, see bug #853241) NOTE: https://www.kde.org/info/security/advisory-20161006-2.txt NOTE: Fixed by: https://cgit.kde.org/messagelib.git/commit/?id=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1 (16.11.80) NOTE: The issue is mitigated with the fixes applied for CVE-2016-7966, and a NOTE: user protected from this CVE by only viewing plain text mails. CVE-2016-7966 (Through a malicious URL that contained a quote character it was possib ...) {DSA-3697-1 DLA-673-1} - kdepimlibs 4:4.14.10-7 (bug #840546) - kcoreaddons 5.26.0-3 (bug #840547) NOTE: https://www.kde.org/info/security/advisory-20161006-1.txt CVE-2016-7965 (DokuWiki 2016-06-26a and older uses $_SERVER[HTTP_HOST] instead of the ...) - dokuwiki (bug #844732; unimportant) NOTE: https://github.com/splitbrain/dokuwiki/issues/1709 NOTE: Can be adresesd by properly configure dokuwiki as per NOTE: https://github.com/splitbrain/dokuwiki/issues/1709#issuecomment-262337572 CVE-2016-7964 (The sendRequest method in HTTPClient Class in file /inc/HTTPClient.php ...) - dokuwiki (low; bug #844731) [buster] - dokuwiki (Minor issue) [jessie] - dokuwiki (Minor issue) [wheezy] - dokuwiki (Minor issue) NOTE: https://github.com/splitbrain/dokuwiki/issues/1708 CVE-2016-7963 RESERVED CVE-2016-7962 RESERVED CVE-2016-7961 RESERVED CVE-2016-7960 (Siemens SIMATIC STEP 7 (TIA Portal) before 14 uses an improper format ...) NOT-FOR-US: Siemens CVE-2016-7959 (Siemens SIMATIC STEP 7 (TIA Portal) before 14 improperly stores pre-sh ...) NOT-FOR-US: Siemens CVE-2016-7958 (In Wireshark 2.2.0, the NCP dissector could crash, triggered by packet ...) - wireshark 2.2.1+ga6fbd27-1 [jessie] - wireshark (Introduced with "Add checkAPI calls to CMake") [wheezy] - wireshark (Introduced with "Add checkAPI calls to CMake") NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12945 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=67597cb2457fb843fa97d3f2c87b82dad6f0de07 NOTE: https://www.wireshark.org/security/wnpa-sec-2016-57.html CVE-2016-7957 (In Wireshark 2.2.0, the Bluetooth L2CAP dissector could crash, trigger ...) - wireshark 2.2.1+ga6fbd27-1 [jessie] - wireshark (Vulnerable code not present) [wheezy] - wireshark (Vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12825 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=355b56b1c6c545072ac0c1225730b526c6749f0a NOTE: https://www.wireshark.org/security/wnpa-sec-2016-56.html CVE-2016-7956 RESERVED CVE-2016-7955 (The logcheck function in session.inc in AlienVault OSSIM before 5.3.1, ...) NOT-FOR-US: AlienVault OSSIM CVE-2016-7954 (Bundler 1.x might allow remote attackers to inject arbitrary Ruby code ...) - bundler 2.1.4-1 (bug #842504) [buster] - bundler (Minor issue, too intrusive to backport) [stretch] - bundler (Minor issue, too intrusive to backport) [jessie] - bundler (Minor issue, too intrusive to backport) [wheezy] - bundler (Minor issue, too intrusive to backport) NOTE: http://www.openwall.com/lists/oss-security/2016/10/04/5 NOTE: There is no plan from upstream to address this for bundler 1.x NOTE: due to lockfile format. CVE-2016-7953 (Buffer underflow in X.org libXvMC before 1.0.10 allows remote X server ...) {DLA-671-1} - libxvmc 2:1.0.10-1 (low; bug #840445) [jessie] - libxvmc 2:1.0.8-2+deb8u1 NOTE: https://cgit.freedesktop.org/xorg/lib/libXvMC/commit/?id=2cd95e7da8367cccdcdd5c9b160012d1dec5cbdb CVE-2016-7952 (X.org libXtst before 1.2.3 allows remote X servers to cause a denial o ...) {DLA-686-1} - libxtst 2:1.2.3-1 (low; bug #840444) [jessie] - libxtst 2:1.2.2-1+deb8u1 NOTE: https://cgit.freedesktop.org/xorg/lib/libXtst/commit/?id=9556ad67af3129ec4a7a4f4b54a0d59701beeae3 CVE-2016-7951 (Multiple integer overflows in X.org libXtst before 1.2.3 allow remote ...) {DLA-686-1} - libxtst 2:1.2.3-1 (low; bug #840444) [jessie] - libxtst 2:1.2.2-1+deb8u1 NOTE: https://cgit.freedesktop.org/xorg/lib/libXtst/commit/?id=9556ad67af3129ec4a7a4f4b54a0d59701beeae3 CVE-2016-7950 (The XRenderQueryFilters function in X.org libXrender before 0.9.10 all ...) {DLA-664-1} - libxrender 1:0.9.10-1 (low; bug #840443) [jessie] - libxrender (Minor issue, will be fixed in a point release) NOTE: https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=8fad00b0b647ee662ce4737ca15be033b7a21714 CVE-2016-7949 (Multiple buffer overflows in the (1) XvQueryAdaptors and (2) XvQueryEn ...) {DLA-664-1} - libxrender 1:0.9.10-1 (low; bug #840443) [jessie] - libxrender (Minor issue, will be fixed in a point release) NOTE: https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=9362c7ddd1af3b168953d0737877bc52d79c94f4 CVE-2016-7948 (X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of ...) {DLA-660-1} - libxrandr 2:1.5.1-1 (low; bug #840441) [jessie] - libxrandr 2:1.4.2-1+deb8u1 NOTE: https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6 CVE-2016-7947 (Multiple integer overflows in X.org libXrandr before 1.5.1 allow remot ...) {DLA-660-1} - libxrandr 2:1.5.1-1 (low; bug #840441) [jessie] - libxrandr 2:1.4.2-1+deb8u1 NOTE: https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6 CVE-2016-7946 (X.org libXi before 1.7.7 allows remote X servers to cause a denial of ...) {DLA-685-1} - libxi 2:1.7.8-1 (low; bug #840440) [jessie] - libxi 2:1.7.4-1+deb8u1 NOTE: https://cgit.freedesktop.org/xorg/lib/libXi/commit/?id=19a9cd607de73947fcfb104682f203ffe4e1f4e5 NOTE: Regression: https://bugs.freedesktop.org/98204 CVE-2016-7945 (Multiple integer overflows in X.org libXi before 1.7.7 allow remote X ...) {DLA-685-1} - libxi 2:1.7.8-1 (low; bug #840440) [jessie] - libxi 2:1.7.4-1+deb8u1 NOTE: https://cgit.freedesktop.org/xorg/lib/libXi/commit/?id=19a9cd607de73947fcfb104682f203ffe4e1f4e5 NOTE: Regression: https://bugs.freedesktop.org/98204 CVE-2016-7944 (Integer overflow in X.org libXfixes before 5.0.3 on 32-bit platforms m ...) {DLA-654-1} - libxfixes 1:5.0.3-1 (low; bug #840442) [jessie] - libxfixes 1:5.0.1-2+deb8u1 NOTE: https://cgit.freedesktop.org/xorg/lib/libXfixes/commit/?id=61c1039ee23a2d1de712843bed3480654d7ef42e CVE-2016-7943 (The XListFonts function in X.org libX11 before 1.6.4 might allow remot ...) {DLA-684-1} - libx11 2:1.6.4-1 (low; bug #840439) [jessie] - libx11 2:1.6.2-3+deb8u1 NOTE: https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8c29f1607a31dac0911e45a0dd3d74173822b3c9 CVE-2016-7942 (The XGetImage function in X.org libX11 before 1.6.4 might allow remote ...) {DLA-684-1} - libx11 2:1.6.4-1 (low; bug #840439) [jessie] - libx11 2:1.6.2-3+deb8u1 NOTE: https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8ea762f94f4c942d898fdeb590a1630c83235c17 CVE-2016-7941 RESERVED CVE-2016-7940 (The STP parser in tcpdump before 4.9.0 has a buffer overflow in print- ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-7939 (The GRE parser in tcpdump before 4.9.0 has a buffer overflow in print- ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-7938 (The ZeroMQ parser in tcpdump before 4.9.0 has an integer overflow in p ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-7937 (The VAT parser in tcpdump before 4.9.0 has a buffer overflow in print- ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-7936 (The UDP parser in tcpdump before 4.9.0 has a buffer overflow in print- ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-7935 (The RTP parser in tcpdump before 4.9.0 has a buffer overflow in print- ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-7934 (The RTCP parser in tcpdump before 4.9.0 has a buffer overflow in print ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-7933 (The PPP parser in tcpdump before 4.9.0 has a buffer overflow in print- ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-7932 (The PIM parser in tcpdump before 4.9.0 has a buffer overflow in print- ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-7931 (The MPLS parser in tcpdump before 4.9.0 has a buffer overflow in print ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-7930 (The LLC/SNAP parser in tcpdump before 4.9.0 has a buffer overflow in p ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-7929 (The Juniper PPPoE ATM parser in tcpdump before 4.9.0 has a buffer over ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-7928 (The IPComp parser in tcpdump before 4.9.0 has a buffer overflow in pri ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-7927 (The IEEE 802.11 parser in tcpdump before 4.9.0 has a buffer overflow i ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-7926 (The Ethernet parser in tcpdump before 4.9.0 has a buffer overflow in p ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-7925 (The compressed SLIP parser in tcpdump before 4.9.0 has a buffer overfl ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-7924 (The ATM parser in tcpdump before 4.9.0 has a buffer overflow in print- ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-7923 (The ARP parser in tcpdump before 4.9.0 has a buffer overflow in print- ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-7922 (The AH parser in tcpdump before 4.9.0 has a buffer overflow in print-a ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2016-7920 RESERVED CVE-2016-7919 (** DISPUTED ** Moodle 3.1.2 allows remote attackers to obtain sensitiv ...) NOTE: Disputed moodle non-issue CVE-2016-7918 RESERVED CVE-2016-7917 (The nfnetlink_rcv_batch function in net/netfilter/nfnetlink.c in the L ...) - linux 4.5.1-1 (low) [jessie] - linux 3.16.39-1 [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/c58d6c93680f28ac58984af61d0a7ebf4319c241 (v4.5-rc6) CVE-2016-7916 (Race condition in the environ_read function in fs/proc/base.c in the L ...) - linux 4.5.4-1 [jessie] - linux 3.16.36-1 [wheezy] - linux 3.2.81-1 NOTE: Fixed by: https://git.kernel.org/linus/8148a73c9901a8794a50f950083c00ccf97d43b3 (v4.6-rc7) CVE-2016-7915 (The hid_input_field function in drivers/hid/hid-core.c in the Linux ke ...) {DLA-772-1} - linux 4.6.1-1 [jessie] - linux 3.16.39-1 NOTE: Fixed by: https://git.kernel.org/linus/50220dead1650609206efe91f0cc116132d59b3f (v4.6-rc1) CVE-2016-7914 (The assoc_array_insert_into_terminal_node function in lib/assoc_array. ...) - linux 4.5.3-1 [jessie] - linux 3.16.36-1 [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/8d4a2ec1e0b41b0cf9a0c5cd4511da7f8e4f3de2 (v4.6-rc4) CVE-2016-7913 (The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c ...) - linux 4.6.1-1 [jessie] - linux 3.16.36-1 [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/8dfbcc4351a0b6d2f2d77f367552f48ffefafe18 (v4.6-rc1) CVE-2016-7912 (Use-after-free vulnerability in the ffs_user_copy_worker function in d ...) - linux 4.5.3-1 [jessie] - linux 3.16.39-1 [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/38740a5b87d53ceb89eb2c970150f6e94e00373a (v4.6-rc5) CVE-2016-7911 (Race condition in the get_task_ioprio function in block/ioprio.c in th ...) {DLA-772-1} - linux 4.7.2-1 [jessie] - linux 3.16.39-1 NOTE: Fixed by: https://git.kernel.org/linus/8ba8682107ee2ca3347354e018865d8e1967c5f4 (v4.7-rc7) CVE-2016-7910 (Use-after-free vulnerability in the disk_seqf_stop function in block/g ...) {DLA-772-1} - linux 4.7.2-1 [jessie] - linux 3.16.39-1 NOTE: Fixed by: https://git.kernel.org/linus/77da160530dd1dc94f6ae15a981f24e5f0021e84 (v4.8-rc1) CVE-2016-7909 (The pcnet_rdra_addr function in hw/net/pcnet.c in QEMU (aka Quick Emul ...) {DLA-1599-1 DLA-698-1 DLA-689-1} - qemu 1:2.8+dfsg-1 (bug #839834) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg07942.html CVE-2016-7908 (The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emul ...) {DLA-1599-1 DLA-653-1 DLA-652-1} - qemu 1:2.8+dfsg-1 (bug #839835) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05557.html NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=070c4b92b8cd5390889716677a0b92444d6e087a CVE-2016-7907 (The imx_fec_do_tx function in hw/net/imx_fec.c in QEMU (aka Quick Emul ...) - qemu 1:2.8+dfsg-3 (bug #839986) [jessie] - qemu (Vulnerable code introduced after v2.5.0-rc0) [wheezy] - qemu (Vulnerable code introduced after v2.5.0-rc0) - qemu-kvm (Vulnerable code introduced after v2.5.0-rc0) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05556.html NOTE: i.MX Fast Ethernet Controller emulation introduced in v2.5.0-rc0 with NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=fcbd8018e645f3ab1ef9af94dc88a0d3272926d3 (v2.5.0-rc0) CVE-2016-7906 (magick/attribute.c in ImageMagick 7.0.3-2 allows remote attackers to c ...) {DSA-3726-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #840435) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/281 NOTE: https://github.com/ImageMagick/ImageMagick/commit/d63a3c5729df59f183e9e110d5d8385d17caaad0 CVE-2016-7905 (The read_gab2_sub function in libavformat/avidec.c in FFmpeg before 3. ...) - ffmpeg 7:3.1.4-1 (bug #840434) NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/622ccbd8ab894e3ac6cdf607e3d4f39e406786e9 (n3.1.4) CVE-2016-7904 (Cross-site request forgery (CSRF) vulnerability in CMS Made Simple bef ...) NOT-FOR-US: CMS Made Simple CVE-2016-7903 (Dotclear before 2.10.3, when the Host header is not part of the web se ...) - dotclear NOTE: Fixed by: https://hg.dotclear.org/dotclear/rev/bb06343f4247 CVE-2016-7902 (Unrestricted file upload vulnerability in the fileUnzip->unzip meth ...) - dotclear NOTE: Fixed by: https://hg.dotclear.org/dotclear/rev/a9db771a5a70 CVE-2016-7901 REJECTED CVE-2016-7900 REJECTED CVE-2016-7899 REJECTED CVE-2016-7898 REJECTED CVE-2016-7897 REJECTED CVE-2016-7896 REJECTED CVE-2016-7895 REJECTED CVE-2016-7894 REJECTED CVE-2016-7893 REJECTED CVE-2016-7892 (Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and e ...) NOT-FOR-US: Adobe Flash Player CVE-2016-7891 (Adobe RoboHelp version 2015.0.3 and earlier, RoboHelp 11 and earlier h ...) NOT-FOR-US: Adobe CVE-2016-7890 (Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and e ...) NOT-FOR-US: Adobe Flash Player CVE-2016-7889 (Adobe Digital Editions versions 4.5.2 and earlier has an issue with pa ...) NOT-FOR-US: Adobe CVE-2016-7888 (Adobe Digital Editions versions 4.5.2 and earlier has an important vul ...) NOT-FOR-US: Adobe CVE-2016-7887 (Adobe ColdFusion Builder versions 2016 update 2 and earlier, 3.0.3 and ...) NOT-FOR-US: Adobe CVE-2016-7886 (Adobe InDesign version 11.4.1 and earlier, Adobe InDesign Server 11.0. ...) NOT-FOR-US: Adobe CVE-2016-7885 (Adobe Experience Manager versions 6.2 and earlier have a vulnerability ...) NOT-FOR-US: Adobe CVE-2016-7884 (Adobe Experience Manager versions 6.1 and earlier have an input valida ...) NOT-FOR-US: Adobe CVE-2016-7883 (Adobe Experience Manager version 6.2 has an input validation issue in ...) NOT-FOR-US: Adobe CVE-2016-7882 (Adobe Experience Manager versions 6.2 and earlier have an input valida ...) NOT-FOR-US: Adobe CVE-2016-7881 (Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and e ...) NOT-FOR-US: Adobe Flash Player CVE-2016-7880 (Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and e ...) NOT-FOR-US: Adobe Flash Player CVE-2016-7879 (Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and e ...) NOT-FOR-US: Adobe Flash Player CVE-2016-7878 (Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and e ...) NOT-FOR-US: Adobe Flash Player CVE-2016-7877 (Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and e ...) NOT-FOR-US: Adobe Flash Player CVE-2016-7876 (Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and e ...) NOT-FOR-US: Adobe Flash Player CVE-2016-7875 (Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and e ...) NOT-FOR-US: Adobe Flash Player CVE-2016-7874 (Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and e ...) NOT-FOR-US: Adobe Flash Player CVE-2016-7873 (Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and e ...) NOT-FOR-US: Adobe Flash Player CVE-2016-7872 (Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and e ...) NOT-FOR-US: Adobe Flash Player CVE-2016-7871 (Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and e ...) NOT-FOR-US: Adobe Flash Player CVE-2016-7870 (Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and e ...) NOT-FOR-US: Adobe Flash Player CVE-2016-7869 (Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and e ...) NOT-FOR-US: Adobe Flash Player CVE-2016-7868 (Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and e ...) NOT-FOR-US: Adobe Flash Player CVE-2016-7867 (Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and e ...) NOT-FOR-US: Adobe Flash Player CVE-2016-7866 (Adobe Animate versions 15.2.1.95 and earlier have an exploitable memor ...) NOT-FOR-US: Adobe Animate CVE-2016-7865 (Adobe Flash Player versions 23.0.0.205 and earlier, 11.2.202.643 and e ...) NOT-FOR-US: Adobe Flash Player CVE-2016-7864 (Adobe Flash Player versions 23.0.0.205 and earlier, 11.2.202.643 and e ...) NOT-FOR-US: Adobe Flash Player CVE-2016-7863 (Adobe Flash Player versions 23.0.0.205 and earlier, 11.2.202.643 and e ...) NOT-FOR-US: Adobe Flash Player CVE-2016-7862 (Adobe Flash Player versions 23.0.0.205 and earlier, 11.2.202.643 and e ...) NOT-FOR-US: Adobe Flash Player CVE-2016-7861 (Adobe Flash Player versions 23.0.0.205 and earlier, 11.2.202.643 and e ...) NOT-FOR-US: Adobe Flash Player CVE-2016-7860 (Adobe Flash Player versions 23.0.0.205 and earlier, 11.2.202.643 and e ...) NOT-FOR-US: Adobe Flash Player CVE-2016-7859 (Adobe Flash Player versions 23.0.0.205 and earlier, 11.2.202.643 and e ...) NOT-FOR-US: Adobe Flash Player CVE-2016-7858 (Adobe Flash Player versions 23.0.0.205 and earlier, 11.2.202.643 and e ...) NOT-FOR-US: Adobe Flash Player CVE-2016-7857 (Adobe Flash Player versions 23.0.0.205 and earlier, 11.2.202.643 and e ...) NOT-FOR-US: Adobe Flash Player CVE-2016-7856 (Adobe DNG Converter versions 9.7 and earlier have an exploitable memor ...) NOT-FOR-US: Adobe DNG Converter CVE-2016-7855 (Use-after-free vulnerability in Adobe Flash Player before 23.0.0.205 o ...) NOT-FOR-US: Adobe Flash Player CVE-2016-7854 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-7853 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-7852 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-7851 (Adobe Connect version 9.5.6 and earlier does not adequately validate i ...) NOT-FOR-US: Adobe CVE-2016-7850 REJECTED CVE-2016-7849 REJECTED CVE-2016-7848 REJECTED CVE-2016-7847 REJECTED CVE-2016-7846 REJECTED CVE-2016-7845 (GigaCC OFFICE ver.2.3 and earlier allows remote attackers to upload ar ...) NOT-FOR-US: GigaCC OFFICE CVE-2016-7844 (GigaCC OFFICE ver.2.3 and earlier allows remote attackers to execute a ...) NOT-FOR-US: GigaCC OFFICE CVE-2016-7843 (Directory traversal vulnerability in AttacheCase for Java 0.60 and ear ...) NOT-FOR-US: AttacheCase CVE-2016-7842 (Directory traversal vulnerability in AttacheCase 2.8.2.8 and earlier a ...) NOT-FOR-US: AttacheCase CVE-2016-7841 (Cross-site scripting vulnerability in Olive Diary DX allows remote att ...) NOT-FOR-US: Olive Diary DX CVE-2016-7840 (Cross-site scripting vulnerability in WEB SCHEDULE allows remote attac ...) NOT-FOR-US: WEB SCHEDULE CVE-2016-7839 (Cross-site scripting vulnerability in Olive Blog allows remote attacke ...) NOT-FOR-US: Olive Blog CVE-2016-7838 (Untrusted search path vulnerability in WinSparkle versions prior to 0. ...) NOT-FOR-US: WinSparkle CVE-2016-7837 (Buffer overflow in BlueZ 5.41 and earlier allows an attacker to execut ...) - bluez 5.43-1 [wheezy] - bluez (Minor issue) NOTE: Fixed by: http://git.kernel.org/cgit/bluetooth/bluez.git/commit/?id=8514068150759c1d6a46d4605d2351babfde1601 (5.42) CVE-2016-7836 (SKYSEA Client View Ver.11.221.03 and earlier allows remote code execut ...) NOT-FOR-US: SKYSEA Client View CVE-2016-7835 (Use-after-free vulnerability in H2O allows remote attackers to cause a ...) - h2o (Fixed before initial upload to Debian) NOTE: https://github.com/h2o/h2o/issues/1144 CVE-2016-7834 (SONY SNC-CH115, SNC-CH120, SNC-CH160, SNC-CH220, SNC-CH260, SNC-DH120, ...) NOT-FOR-US: SONY CVE-2016-7833 (Cybozu Dezie 8.0.0 to 8.1.1 allows remote attackers to bypass access r ...) NOT-FOR-US: Cybozu CVE-2016-7832 (Cybozu Dezie 8.0.0 to 8.1.1 allows remote attackers to bypass access r ...) NOT-FOR-US: Cybozu CVE-2016-7831 (Sleipnir 4 Black Edition for Mac 4.5.3 and earlier and Sleipnir 4 for ...) NOT-FOR-US: Sleipnir CVE-2016-7830 (Sony PCS-XG100, PCS-XG100S, PCS-XG100C, PCS-XG77, PCS-XG77S, PCS-XG77C ...) NOT-FOR-US: Sony CVE-2016-7829 REJECTED CVE-2016-7828 REJECTED CVE-2016-7827 REJECTED CVE-2016-7826 (Directory traversal vulnerability in Buffalo WNC01WH devices with firm ...) NOT-FOR-US: Buffalo CVE-2016-7825 (Directory traversal vulnerability in Buffalo WNC01WH devices with firm ...) NOT-FOR-US: Buffalo CVE-2016-7824 (Buffalo NC01WH devices with firmware version 1.0.0.8 and earlier allow ...) NOT-FOR-US: Buffalo CVE-2016-7823 (Cross-site scripting vulnerability in Buffalo WNC01WH devices with fir ...) NOT-FOR-US: Buffalo CVE-2016-7822 (Cross-site request forgery (CSRF) vulnerability in Buffalo WNC01WH dev ...) NOT-FOR-US: Buffalo CVE-2016-7821 (Buffalo WNC01WH devices with firmware version 1.0.0.8 and earlier allo ...) NOT-FOR-US: Buffalo CVE-2016-7820 (Buffer overflow in I-O DATA DEVICE TS-WRLP firmware version 1.01.02 an ...) NOT-FOR-US: I-O DATA DEVICE CVE-2016-7819 (I-O DATA DEVICE TS-WRLP firmware version 1.01.02 and earlier and TS-WR ...) NOT-FOR-US: I-O DATA DEVICE CVE-2016-7818 (Untrusted search path vulnerability in Installers for Specification ch ...) NOT-FOR-US: Untrusted search path vulnerability in various installers CVE-2016-7817 (Cross-site scripting vulnerability in Simple keitai chat 2.0 and earli ...) NOT-FOR-US: Simple keitai chat CVE-2016-7816 (The Cybozu kintone mobile for Android 1.0.6 and earlier does not verif ...) NOT-FOR-US: Cybozu CVE-2016-7815 (Remote Service Manager 3.0.0 to 3.1.4 fails to verify client certifica ...) NOT-FOR-US: Remote Service Manager provided by Cybozu CVE-2016-7814 (I-O DATA DEVICE TS-WRLP firmware version 1.00.01 and earlier and TS-WR ...) NOT-FOR-US: I-O DATA DEVICE CVE-2016-7813 (Cross-site scripting vulnerability in DERAEMON-CMS version 0.8.9 and e ...) NOT-FOR-US: DERAEMON-CMS CVE-2016-7812 (The Bank of Tokyo-Mitsubishi UFJ, Ltd. App for Android ver5.3.1, ver5. ...) NOT-FOR-US: Bank of Tokyo-Mitsubishi UFJ, Ltd. App CVE-2016-7811 (Corega CG-WLR300NX firmware Ver. 1.20 and earlier allows an attacker o ...) NOT-FOR-US: Corega CVE-2016-7810 (Cross-site scripting vulnerability in Corega CG-WLR300NX firmware Ver. ...) NOT-FOR-US: Corega CVE-2016-7809 (Cross-site request forgery (CSRF) vulnerability in Corega CG-WLR300NX ...) NOT-FOR-US: Corega CVE-2016-7808 (Cross-site scripting vulnerability in Corega CG-WLBARGMH and CG-WLBARG ...) NOT-FOR-US: Corega CVE-2016-7807 (I-O DATA DEVICE WFS-SR01 firmware version 1.10 and earlier allow remot ...) NOT-FOR-US: I-O DATA DEVICE CVE-2016-7806 (I-O DATA DEVICE WFS-SR01 firmware version 1.10 and earlier allow remot ...) NOT-FOR-US: I-O DATA DEVICE CVE-2016-7805 (The mobiGate App for Android version 2.2.1.2 and earlier and mobiGate ...) NOT-FOR-US: mobiGate App CVE-2016-7804 (Untrusted search path vulnerability in 7 Zip for Windows 16.02 and ear ...) NOT-FOR-US: 7 Zip for Windows CVE-2016-7803 (SQL injection vulnerability in the Cybozu Garoon 3.0.0 to 4.2.2 allows ...) NOT-FOR-US: Cybozu CVE-2016-7802 (Directory traversal vulnerability in Cybozu Garoon 3.0.0 to 4.2.2 allo ...) NOT-FOR-US: Cybozu CVE-2016-7801 (Cybozu Garoon 3.0.0 to 4.2.2 allows remote attackers to bypass access ...) NOT-FOR-US: Cybozu CVE-2016-7800 (Integer underflow in the parse8BIM function in coders/meta.c in Graphi ...) {DSA-3746-1 DLA-651-1} - graphicsmagick 1.3.25-3 NOTE: https://sourceforge.net/p/graphicsmagick/code/ci/5c7b6d6094a25e99c57f8b18343914ebfd8213ef/ CVE-2016-7799 (MagickCore/profile.c in ImageMagick before 7.0.3-2 allows remote attac ...) {DSA-3726-1 DLA-756-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #840437) NOTE: https://github.com/ImageMagick/ImageMagick/issues/280 NOTE: https://github.com/ImageMagick/ImageMagick/commit/a7bb158b7bedd1449a34432feb3a67c8f1873bfa CVE-2016-7798 (The openssl gem for Ruby uses the same initialization vector (IV) in G ...) {DSA-3966-1 DLA-1421-1} - ruby2.3 2.3.3-1+deb9u1 (bug #842432) - ruby2.1 (bug #842544) NOTE: https://github.com/ruby/openssl/issues/49 NOTE: https://github.com/ruby/openssl/commit/8108e0a6db133f3375608303fdd2083eb5115062 - ruby-attr-encrypted 3.0.1-2 NOTE: https://github.com/attr-encrypted/attr_encrypted/issues/203 - ruby-encryptor 3.0.0-1 NOTE: https://github.com/attr-encrypted/encryptor/pull/22 CVE-2016-7797 (Pacemaker before 1.1.15, when using pacemaker remote, might allow remo ...) - pacemaker 1.1.15~rc3-1 [wheezy] - pacemaker (Vulnerable code introduced after 1.1.10) NOTE: http://bugs.clusterlabs.org/show_bug.cgi?id=5269 NOTE: Fixed by: https://github.com/ClusterLabs/pacemaker/commit/5ec24a2642bd0854b884d1a9b51d12371373b410 (Pacemaker-1.1.15-rc1) NOTE: Vulnerable code introduced in: https://github.com/ClusterLabs/pacemaker/commit/87f40917feb5109f827d83765c924acbbd824379 (Pacemaker-1.1.12-rc1) CVE-2016-7796 (The manager_dispatch_notify_fd function in systemd allows local users ...) {DLA-659-1} - systemd 231-9 (bug #839607) [jessie] - systemd 215-17+deb8u6 NOTE: https://github.com/systemd/systemd/issues/4234#issuecomment-250441246 NOTE: Fixed by: https://github.com/systemd/systemd/pull/4240 CVE-2016-7795 (The manager_invoke_notify_message function in systemd 231 and earlier ...) - systemd 231-9 (bug #839171) [jessie] - systemd (Introduced in 219) [wheezy] - systemd (Introduced in 219) NOTE: https://github.com/systemd/systemd/issues/4234 NOTE: https://github.com/systemd/systemd/commit/531ac2b2349da02acc9c382849758e07eb92b020 NOTE: Originally fixed in 231-8 but caused a regression fixed in 231-9 NOTE: https://www.agwa.name/blog/post/how_to_crash_systemd_in_one_tweet CVE-2016-7794 (sociomantic-tsunami git-hub before 0.10.3 allows remote attackers to e ...) - git-hub 0.10.2-2 (bug #839284) CVE-2016-7793 (sociomantic-tsunami git-hub before 0.10.3 allows remote attackers to e ...) - git-hub 0.10.2-2 (bug #839284) CVE-2016-7792 (Ubiquiti Networks UniFi 5.2.7 does not restrict access to the database ...) NOT-FOR-US: Ubiquiti Networks UniFi CVE-2016-7791 (Exponent CMS 2.3.9 suffers from a remote code execution vulnerability ...) NOT-FOR-US: Exponent CMS CVE-2016-7790 (Exponent CMS 2.3.9 suffers from a remote code execution vulnerability ...) NOT-FOR-US: Exponent CMS CVE-2016-7789 (SQL injection vulnerability in framework/core/models/expConfig.php in ...) NOT-FOR-US: Exponent CMS CVE-2016-7788 (SQL injection vulnerability in framework/modules/users/models/user.php ...) NOT-FOR-US: Exponent CMS CVE-2016-7787 (A maliciously crafted command line for kdesu can result in the user on ...) - kde-cli-tools 4:5.8.0-1 (bug #839865) - kde-runtime 4:16.08.3-2 (bug #842498) [jessie] - kde-runtime (Minor issue) [wheezy] - kde-runtime (Unicode string terminator is not interpreted) - kdesudo (bug #843790) [stretch] - kdesudo (Minor issue) [jessie] - kdesudo (Minor issue) [wheezy] - kdesudo (Unicode string terminator is not interpreted) NOTE: https://www.kde.org/info/security/advisory-20160930-1.txt NOTE: https://github.com/KDE/kde-cli-tools/commit/5eda179a099ba68a20dc21dc0da63e85a565a171 NOTE: For kde-cli-tools fixed in 5.7.5 upstream NOTE: kde-runtime's affected binary is /usr/lib/kde4/libexec/kdesu-distrib/kdesu NOTE: kdesudo's affected binary is /usr/bin/kdesudo CVE-2016-7786 (Sophos Cyberoam UTM CR25iNG 10.6.3 MR-5 allows remote authenticated us ...) NOT-FOR-US: Sophos CVE-2016-7785 (The avi_read_seek function in libavformat/avidec.c in FFmpeg before 3. ...) - ffmpeg 7:3.1.4-1 (bug #840434) NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/c8c5f66b42edc37474baa5cb51460cbf6f33075b (n3.1.4) CVE-2016-7784 (SQL injection vulnerability in the getSection function in framework/co ...) NOT-FOR-US: Exponent CMS CVE-2016-7783 (SQL injection vulnerability in framework/core/models/expRecord.php in ...) NOT-FOR-US: Exponent CMS CVE-2016-7782 (SQL injection vulnerability in framework/core/models/expConfig.php in ...) NOT-FOR-US: Exponent CMS CVE-2016-7781 (SQL injection vulnerability in framework/modules/blog/controllers/blog ...) NOT-FOR-US: Exponent CMS CVE-2016-7780 (SQL injection vulnerability in cron/find_help.php in Exponent CMS 2.3. ...) NOT-FOR-US: Exponent CMS CVE-2016-7779 RESERVED CVE-2016-7778 RESERVED CVE-2016-7777 (Xen 4.7.x and earlier does not properly honor CR0.TS and CR0.EM, which ...) {DSA-3729-1 DLA-699-1} - xen 4.8.0~rc3-1 NOTE: http://xenbits.xen.org/xsa/advisory-190.html CVE-2016-7776 RESERVED CVE-2016-7775 REJECTED CVE-2016-7774 REJECTED CVE-2016-7773 REJECTED CVE-2016-7772 REJECTED CVE-2016-7771 REJECTED CVE-2016-7770 REJECTED CVE-2016-7769 REJECTED CVE-2016-7768 REJECTED CVE-2016-7767 REJECTED CVE-2016-7766 REJECTED CVE-2016-7765 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7764 REJECTED CVE-2016-7763 REJECTED CVE-2016-7762 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7761 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-7760 REJECTED CVE-2016-7759 (An issue was discovered in certain Apple products. iOS before 10 is af ...) NOT-FOR-US: Apple CVE-2016-7758 REJECTED CVE-2016-7757 REJECTED CVE-2016-7756 REJECTED CVE-2016-7755 REJECTED CVE-2016-7754 REJECTED CVE-2016-7753 REJECTED CVE-2016-7752 REJECTED CVE-2016-7751 REJECTED CVE-2016-7750 REJECTED CVE-2016-7749 REJECTED CVE-2016-7748 REJECTED CVE-2016-7747 REJECTED CVE-2016-7746 REJECTED CVE-2016-7745 REJECTED CVE-2016-7744 REJECTED CVE-2016-7743 REJECTED CVE-2016-7742 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-7741 REJECTED CVE-2016-7740 REJECTED CVE-2016-7739 REJECTED CVE-2016-7738 REJECTED CVE-2016-7737 REJECTED CVE-2016-7736 REJECTED CVE-2016-7735 REJECTED CVE-2016-7734 REJECTED CVE-2016-7733 REJECTED CVE-2016-7732 REJECTED CVE-2016-7731 REJECTED CVE-2016-7730 REJECTED CVE-2016-7729 REJECTED CVE-2016-7728 REJECTED CVE-2016-7727 REJECTED CVE-2016-7726 REJECTED CVE-2016-7725 REJECTED CVE-2016-7724 REJECTED CVE-2016-7723 REJECTED CVE-2016-7722 REJECTED CVE-2016-7721 REJECTED CVE-2016-7720 REJECTED CVE-2016-7719 REJECTED CVE-2016-7718 REJECTED CVE-2016-7717 REJECTED CVE-2016-7716 REJECTED CVE-2016-7715 REJECTED CVE-2016-7714 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7713 REJECTED CVE-2016-7712 REJECTED CVE-2016-7711 REJECTED CVE-2016-7710 REJECTED CVE-2016-7709 REJECTED CVE-2016-7708 REJECTED CVE-2016-7707 REJECTED CVE-2016-7706 REJECTED CVE-2016-7705 REJECTED CVE-2016-7704 RESERVED CVE-2016-7703 REJECTED CVE-2016-7702 REJECTED CVE-2016-7701 REJECTED CVE-2016-7700 REJECTED CVE-2016-7699 REJECTED CVE-2016-7698 REJECTED CVE-2016-7697 REJECTED CVE-2016-7696 REJECTED CVE-2016-7695 REJECTED CVE-2016-7694 REJECTED CVE-2016-7693 REJECTED CVE-2016-7692 REJECTED CVE-2016-7691 REJECTED CVE-2016-7690 REJECTED CVE-2016-7689 REJECTED CVE-2016-7688 REJECTED CVE-2016-7687 REJECTED CVE-2016-7686 REJECTED CVE-2016-7685 REJECTED CVE-2016-7684 REJECTED CVE-2016-7683 REJECTED CVE-2016-7682 REJECTED CVE-2016-7681 REJECTED CVE-2016-7680 REJECTED CVE-2016-7679 REJECTED CVE-2016-7678 REJECTED CVE-2016-7677 REJECTED CVE-2016-7676 REJECTED CVE-2016-7675 REJECTED CVE-2016-7674 REJECTED CVE-2016-7673 REJECTED CVE-2016-7672 REJECTED CVE-2016-7671 REJECTED CVE-2016-7670 REJECTED CVE-2016-7669 REJECTED CVE-2016-7668 REJECTED CVE-2016-7667 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7666 (An issue was discovered in certain Apple products. Transporter before ...) NOT-FOR-US: Apple CVE-2016-7665 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7664 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7663 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7662 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7661 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7660 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7659 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7658 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7657 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7656 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) - webkit2gtk 2.14.3-1 (unimportant) NOTE: Not covered by security support CVE-2016-7655 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7654 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) - webkit2gtk 2.14.3-1 (unimportant) NOTE: Not covered by security support CVE-2016-7653 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7652 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) - webkit2gtk 2.14.3-1 (unimportant) NOTE: Not covered by security support CVE-2016-7651 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7650 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7649 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) - webkit2gtk 2.14.3-1 (unimportant) NOTE: Not covered by security support CVE-2016-7648 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) - webkit2gtk 2.14.3-1 (unimportant) NOTE: Not covered by security support CVE-2016-7647 REJECTED CVE-2016-7646 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) - webkit2gtk 2.14.3-1 (unimportant) NOTE: Not covered by security support CVE-2016-7645 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) - webkit2gtk 2.14.3-1 (unimportant) NOTE: Not covered by security support CVE-2016-7644 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7643 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7642 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) - webkit2gtk 2.14.3-1 (unimportant) NOTE: Not covered by security support CVE-2016-7641 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) - webkit2gtk 2.14.3-1 (unimportant) NOTE: Not covered by security support CVE-2016-7640 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) - webkit2gtk 2.14.3-1 (unimportant) NOTE: Not covered by security support CVE-2016-7639 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) - webkit2gtk 2.14.3-1 (unimportant) NOTE: Not covered by security support CVE-2016-7638 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7637 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7636 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7635 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) - webkit2gtk 2.14.3-1 (unimportant) NOTE: Not covered by security support CVE-2016-7634 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7633 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-7632 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) - webkit2gtk 2.14.3-1 (unimportant) NOTE: Not covered by security support CVE-2016-7631 REJECTED CVE-2016-7630 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7629 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-7628 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-7627 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7626 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7625 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-7624 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-7623 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) - webkit2gtk 2.14.3-1 (unimportant) NOTE: Not covered by security support CVE-2016-7622 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-7621 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7620 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-7619 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7618 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-7617 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-7616 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7615 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7614 (An issue was discovered in certain Apple products. iCloud before 6.1 i ...) NOT-FOR-US: Apple CVE-2016-7613 (An issue was discovered in certain Apple products. iOS before 10.1 is ...) NOT-FOR-US: Apple CVE-2016-7612 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7611 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) - webkit2gtk 2.14.3-1 (unimportant) NOTE: Not covered by security support CVE-2016-7610 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) - webkit2gtk 2.14.3-1 (unimportant) NOTE: Not covered by security support CVE-2016-7609 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-7608 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-7607 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7606 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7605 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-7604 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-7603 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-7602 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-7601 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7600 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-7599 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) - webkit2gtk 2.14.3-1 (unimportant) NOTE: Not covered by security support CVE-2016-7598 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) - webkit2gtk 2.14.3-1 (unimportant) NOTE: Not covered by security support CVE-2016-7597 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7596 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-7595 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7594 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7593 REJECTED CVE-2016-7592 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) - webkit2gtk 2.14.3-1 (unimportant) NOTE: Not covered by security support CVE-2016-7591 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7590 REJECTED CVE-2016-7589 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) - webkit2gtk 2.14.3-1 (unimportant) NOTE: Not covered by security support CVE-2016-7588 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-7587 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) - webkit2gtk 2.14.3-1 (unimportant) NOTE: Not covered by security support CVE-2016-7586 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) - webkit2gtk 2.14.3-1 (unimportant) NOTE: Not covered by security support CVE-2016-7585 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-7584 (An issue was discovered in certain Apple products. iOS before 10.1 is ...) NOT-FOR-US: Apple CVE-2016-7583 (An issue was discovered in certain Apple products. iCloud before 6.0.1 ...) NOT-FOR-US: Apple CVE-2016-7582 (An issue was discovered in certain Apple products. macOS before 10.12 ...) NOT-FOR-US: Apple CVE-2016-7581 (An issue was discovered in certain Apple products. iOS before 10.1 is ...) NOT-FOR-US: Apple CVE-2016-7580 (An issue was discovered in certain Apple products. macOS before 10.12 ...) NOT-FOR-US: Apple CVE-2016-7579 (An issue was discovered in certain Apple products. iOS before 10.1 is ...) NOT-FOR-US: Apple CVE-2016-7578 (An issue was discovered in certain Apple products. iOS before 10.1 is ...) NOT-FOR-US: Apple CVE-2016-7577 (An issue was discovered in certain Apple products. iOS before 10.1 is ...) NOT-FOR-US: Apple CVE-2016-7576 (In iOS before 9.3.3, a memory corruption issue existed in the kernel. ...) NOT-FOR-US: Apple CVE-2016-7574 RESERVED CVE-2016-7573 RESERVED CVE-2016-7572 (The system.temporary route in Drupal 8.x before 8.1.10 does not proper ...) - drupal7 (Only affects Drupal 8) CVE-2016-7571 (Cross-site scripting (XSS) vulnerability in Drupal 8.x before 8.1.10 a ...) - drupal7 (Only affects Drupal 8) CVE-2016-7570 (Drupal 8.x before 8.1.10 does not properly check for "Administer comme ...) - drupal7 (Only affects Drupal 8) CVE-2016-7569 (Directory traversal vulnerability in docker2aci before 0.13.0 allows r ...) - golang-github-appc-docker2aci 0.14.0+dfsg-1 (bug #839282) NOTE: https://github.com/appc/docker2aci/issues/201 CVE-2016-7568 (Integer overflow in the gdImageWebpCtx function in gd_webp.c in the GD ...) {DSA-3693-1} - libgd2 2.2.3-87-gd0fec80-1 (bug #839659) [wheezy] - libgd2 (Vulnerable code not present) NOTE: libgd bug: https://github.com/libgd/libgd/issues/308 NOTE: Fixed by: https://github.com/libgd/libgd/commit/2806adfdc27a94d333199345394d7c302952b95f - php7.0 7.0.12-1 (unimportant) - php5 (unimportant) [jessie] - php5 5.6.27+dfsg-0+deb8u1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73003 NOTE: https://github.com/php/php-src/commit/c18263e0e0769faee96a5d0ee04b750c442783c6 CVE-2016-7567 (Buffer overflow in the SLPFoldWhiteSpace function in common/slp_compar ...) - openslp-dfsg (Only affects openslp 2) NOTE: https://sourceforge.net/p/openslp/mercurial/ci/34fb3aa5e6b4997fa21cb614e480de36da5dbc9a/ CVE-2016-7566 RESERVED CVE-2016-7565 (install/index.php in Exponent CMS 2.3.9 allows remote attackers to exe ...) NOT-FOR-US: Exponent CMS CVE-2016-7564 (Heap-based buffer overflow in the Fp_toString function in jsfunction.c ...) NOT-FOR-US: MuJS CVE-2016-7563 (The chartorune function in Artifex Software MuJS allows attackers to c ...) NOT-FOR-US: MuJS CVE-2016-7562 (The ff_draw_pc_font function in libavcodec/cga_data.c in FFmpeg before ...) - ffmpeg 7:3.1.4-1 (bug #840434) NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/496267f8e9ec218351e4359e1fde48722d4fc804 (n3.1.4) CVE-2016-7561 (Fortinet FortiWLC 6.1-2-29 and earlier, 7.0-9-1, 7.0-10-0, 8.0-5-0, 8. ...) NOT-FOR-US: Fortinet FortiWLC CVE-2016-7560 (The rsyncd server in Fortinet FortiWLC 6.1-2-29 and earlier, 7.0-9-1, ...) NOT-FOR-US: Fortinet FortiWLC CVE-2016-7559 RESERVED CVE-2016-7558 RESERVED CVE-2016-7557 RESERVED CVE-2016-7556 RESERVED CVE-2016-7555 (The avi_read_header function in libavformat/avidec.c in FFmpeg before ...) - ffmpeg 7:3.1.4-1 (bug #840434) NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/8834e080c20d3d23c3ffe779371359f9b9b835ec (n3.1.4) CVE-2016-7554 REJECTED CVE-2016-7552 (On the Trend Micro Threat Discovery Appliance 2.6.1062r1, directory tr ...) NOT-FOR-US: Trend Micro Threat Discovery Appliance CVE-2016-7549 (Google Chrome before 53.0.2785.113 does not ensure that the recipient ...) {DSA-3667-1} - chromium-browser 53.0.2785.113-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-7548 RESERVED CVE-2016-7547 (A command execution flaw on the Trend Micro Threat Discovery Appliance ...) NOT-FOR-US: Trend Micro Threat Discovery Appliance CVE-2016-7546 RESERVED CVE-2016-7545 (SELinux policycoreutils allows local users to execute arbitrary comman ...) {DLA-638-1} - policycoreutils 2.5-3 (bug #838599) [jessie] - policycoreutils ("sandbox" executable not packaged in this version) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1378577 NOTE: Upstream mailing list discussion: https://marc.info/?t=147463464400001&r=1&w=2 NOTE: Upstream fix: https://github.com/SELinuxProject/selinux/commit/acca96a135a4d2a028ba9b636886af99c0915379 NOTE: Marked as exception as not-affected, although the source is affected but the built NOTE: binary packages do not contain the sandbox binary. We cannot use 'unimportant' NOTE: severity here since the unstable version builts a binary package which contains it. CVE-2016-7544 (Crypto++ 5.6.4 incorrectly uses Microsoft's stack-based _malloca and _ ...) - libcrypto++ (Vulnerable code intorduced in 5.6.4, only affects Windows and Microsoft compilers) CVE-2016-7543 (Bash before 4.4 allows local users to execute arbitrary commands with ...) {DLA-680-1} - bash 4.4-1 [jessie] - bash 4.3-11+deb8u1 NOTE: http://www.openwall.com/lists/oss-security/2016/09/26/9 NOTE: Default shell is dash which is not vulnerable, but bash in Jessie and NOTE: Wheezy are affected. NOTE: Fixed by (4.3): https://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-048 CVE-2016-7542 (A read-only administrator on Fortinet devices with FortiOS 5.2.x befor ...) NOT-FOR-US: FortiOS CVE-2016-7541 (Long lived sessions in Fortinet FortiGate devices with FortiOS 5.x bef ...) NOT-FOR-US: FortiOS CVE-2016-7512 RESERVED CVE-2016-7511 (Integer overflow in the dwarf_die_deliv.c in libdwarf 20160613 allows ...) {DLA-635-1} - dwarfutils 20160923-1 (bug #838757) [jessie] - dwarfutils (Minor issue, can be fixed in point release) NOTE: https://sourceforge.net/p/libdwarf/bugs/3/ NOTE: https://www.prevanders.net/dwarfbug.html#DW201609-002 NOTE: Fixed by: https://sourceforge.net/p/libdwarf/code/ci/3767305debcba8bd7e1c483ae48c509d25399252 NOTE: See though notes for CVE-2016-7410, the 3767305debcba8bd7e1c483ae48c509d25399252 NOTE: seem to be the ultimate fix upstream, introducing commit should as well still be NOTE: found. CVE-2016-7510 (The read_line_table_program function in dwarf_line_table_reader_common ...) {DLA-635-1} - dwarfutils 20160923-1 (bug #838756) [jessie] - dwarfutils (Minor issue, can be fixed in point release) NOTE: https://sourceforge.net/p/libdwarf/bugs/4/ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1377015 NOTE: https://www.prevanders.net/dwarfbug.html#DW201609-004 NOTE: Fixed by: https://sourceforge.net/p/libdwarf/code/ci/3767305debcba8bd7e1c483ae48c509d25399252 NOTE: See though notes for CVE-2016-7410, the 3767305debcba8bd7e1c483ae48c509d25399252 NOTE: seem to be the ultimate fix upstream, introducing commit should as well still be NOTE: found. CVE-2016-7509 (Cross-site scripting (XSS) vulnerability in GLPI 0.90.4 allows remote ...) - glpi (unimportant) NOTE: Only supported behind an authenticated HTTP zone CVE-2016-7508 (Multiple SQL injection vulnerabilities in GLPI 0.90.4 allow an authent ...) - glpi (unimportant) NOTE: https://github.com/glpi-project/glpi/issues/1047 NOTE: Only supported behind an authenticated HTTP zone CVE-2016-7507 (Cross-Site Request Forgery (CSRF) vulnerability in GLPI 0.90.4 allows ...) - glpi (unimportant) NOTE: Only supported behind an authenticated HTTP zone CVE-2016-7506 (An out-of-bounds read vulnerability was observed in Sp_replace_regexp ...) NOT-FOR-US: MuJS CVE-2016-7505 (A buffer overflow vulnerability was observed in divby function of Arti ...) NOT-FOR-US: MuJS CVE-2016-7504 (A use-after-free vulnerability was observed in Rp_toString function of ...) NOT-FOR-US: MuJS CVE-2016-7503 RESERVED CVE-2016-7502 (The cavs_idct8_add_c function in libavcodec/cavsdsp.c in FFmpeg before ...) - ffmpeg 7:3.1.4-1 (bug #840434) NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/9d738e6968757d4e70c8e07e0b720ac0004accc4 (n3.1.4) CVE-2016-7501 RESERVED NOT-FOR-US: Oracle CVE-2016-7500 RESERVED CVE-2016-7499 (The sbr_make_f_master function in aacsbr.c in Libav 11.7 allows remote ...) - libav (unimportant) NOTE: https://blogs.gentoo.org/ago/2016/09/21/libav-divide-by-zero-in-sbr_make_f_master-aacsbr-c/ CVE-2016-7498 (OpenStack Compute (nova) 13.0.0 does not properly delete instances fro ...) - nova 2:13.1.0-1 [jessie] - nova (Vulnerable code (re)introduced later) [wheezy] - nova (Vulnerable code (re)introduced later) NOTE: Relates to OSSA-2015-017 (CVE-2015-3280) which was previously fixed NOTE: and then reintroduced with 13.0.0 and refixed in 13.1.0. CVE-2016-7497 REJECTED CVE-2016-7496 REJECTED CVE-2016-7495 REJECTED CVE-2016-7494 REJECTED CVE-2016-7493 REJECTED CVE-2016-7492 REJECTED CVE-2016-7491 REJECTED CVE-2016-7490 (The installation script studioexpressinstall for Teradata Studio Expre ...) NOT-FOR-US: Teradata Studio Express CVE-2016-7489 (Teradata Virtual Machine Community Edition v15.10's perl script /opt/t ...) NOT-FOR-US: Teradata Virtual Machine Community Edition CVE-2016-7488 (Teradata Virtual Machine Community Edition v15.10 has insecure file pe ...) NOT-FOR-US: Teradata Virtual Machine Community Edition CVE-2016-7487 REJECTED CVE-2016-7486 REJECTED CVE-2016-7485 REJECTED CVE-2016-7484 REJECTED CVE-2016-7483 REJECTED CVE-2016-7482 REJECTED CVE-2016-7481 REJECTED CVE-2016-7480 (The SplObjectStorage unserialize implementation in ext/spl/spl_observe ...) - php7.0 7.0.12-1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73257 NOTE: Fixed in 7.0.12 CVE-2016-7479 (In all versions of PHP 7, during the unserialization process, resizing ...) {DSA-3783-1 DLA-875-1} - php7.1 7.1.1-1 - php7.0 7.0.15-1 - php5 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=72610 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73092 NOTE: Fixed in 7.0.15 NOTE: PHP 5.x/7.x: http://git.php.net/?p=php-src.git;a=commit;h=0426b916df396a23e5c34514e4f2f0627efdcdf0 NOTE: PHP 7.x: http://git.php.net/?p=php-src.git;a=commit;h=b47c49d7a00bc34d7e0f3d72732f66e904da6fa7 NOTE: The change is in 5.6+, even though the property table issue only affects NOTE: PHP 7, because this also prevents a wide range of other __wakeup() based NOTE: attacks. CVE-2016-7478 (Zend/zend_exceptions.c in PHP, possibly 5.x before 5.6.28 and 7.x befo ...) {DSA-3732-1 DLA-875-1} - php7.1 (Fixed before initial upload to Debian) - php7.0 7.0.13-1 - php5 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73093 NOTE: Patch for 5.6.x: http://git.php.net/?p=php-src.git;a=commit;h=40e7baab3c90001beee4c8f0ed0ef79ad18ee0d6 (5.6.28) NOTE: backported patch for 5.4: https://lists.debian.org/87efysy07p.fsf@curie.anarc.at CVE-2016-7477 (The ff_put_pixels8_xy2_mmx function in rnd_template.c in Libav 11.7 al ...) - libav (unimportant) NOTE: https://blogs.gentoo.org/ago/2016/09/20/libav-null-pointer-dereference-in-ff_put_pixels8_xy2_mmx-rnd_template-c/ CVE-2016-7476 (The Traffic Management Microkernel (TMM) in F5 BIG-IP LTM, AAM, AFM, A ...) NOT-FOR-US: F5 BIG-IP CVE-2016-7475 (Under some circumstances on BIG-IP 12.0.0-12.1.0, 11.6.0-11.6.1, or 11 ...) NOT-FOR-US: F5 BIG-IP CVE-2016-7474 (In some cases the MCPD binary cache in F5 BIG-IP devices may allow a u ...) NOT-FOR-US: F5 BIG-IP CVE-2016-7473 REJECTED CVE-2016-7472 (F5 BIG-IP ASM version 12.1.0 - 12.1.1 may allow remote attackers to ca ...) NOT-FOR-US: F5 BIG-IP CVE-2016-7471 REJECTED CVE-2016-7470 REJECTED CVE-2016-7469 (A stored cross-site scripting (XSS) vulnerability in the Configuration ...) NOT-FOR-US: BIG-IP CVE-2016-7468 (An unauthenticated remote attacker may be able to disrupt services on ...) NOT-FOR-US: F5 CVE-2016-7467 (The TMM SSO plugin in F5 BIG-IP APM 12.0.0 - 12.1.1, 11.6.0 - 11.6.1 H ...) NOT-FOR-US: F5 CVE-2016-7465 REJECTED CVE-2016-7464 REJECTED CVE-2016-7463 (Cross-site scripting (XSS) vulnerability in the Host Client in VMware ...) NOT-FOR-US: VMware CVE-2016-7462 (The Suite REST API in VMware vRealize Operations (aka vROps) 6.x befor ...) NOT-FOR-US: VMware CVE-2016-7461 (The drag-and-drop (aka DnD) function in VMware Workstation Pro 12.x be ...) NOT-FOR-US: VMware CVE-2016-7460 (The Single Sign-On feature in VMware vCenter Server 5.5 before U3e and ...) NOT-FOR-US: VMware CVE-2016-7459 (VMware vCenter Server 5.5 before U3e and 6.0 before U2a allows remote ...) NOT-FOR-US: VMware CVE-2016-7458 (VMware vSphere Client 5.5 before U3e and 6.0 before U2a allows remote ...) NOT-FOR-US: VMware CVE-2016-7457 (VMware vRealize Operations (aka vROps) 6.x before 6.4.0 allows remote ...) NOT-FOR-US: VMware CVE-2016-7456 (VMware vSphere Data Protection (VDP) 5.5.x though 6.1.x has an SSH pri ...) NOT-FOR-US: VMware CVE-2016-7455 RESERVED CVE-2016-7454 (CSRF vulnerability on Technicolor TC dpc3941T (formerly Cisco dpc3941T ...) NOT-FOR-US: Technicolor TC dpc3941T CVE-2016-7453 (The Pixidou Image Editor in Exponent CMS prior to v2.3.9 patch 2 could ...) NOT-FOR-US: Exponent CMS CVE-2016-7452 (The Pixidou Image Editor in Exponent CMS prior to v2.3.9 patch 2 could ...) NOT-FOR-US: Exponent CMS CVE-2016-7451 RESERVED CVE-2016-7450 (The ff_log2_16bit_c function in libavutil/intmath.h in FFmpeg before 3 ...) - ffmpeg 7:3.1.4-1 (bug #840434) NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/ac8ac46641adef208485baebc3734463bf0bd266 (n3.1.4) CVE-2016-7449 (The TIFFGetField function in coders/tiff.c in GraphicsMagick 1.3.24 al ...) {DLA-1401-1 DLA-651-1} - graphicsmagick 1.3.25-1 NOTE: The scope of the CVE is for all of these reported TIFF problems. NOTE: The ultimate vulnerability was use of: NOTE: strlcpy(attribute,text,Min(sizeof(attribute),(count+1))); NOTE: three times in coders/tiff.c, where strlcpy is not an appropriate NOTE: function choice for this type of scenario of untrusted-data copying. NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/eb58028dacf5 NOTE: https://blogs.gentoo.org/ago/2016/08/23/graphicsmagick-two-heap-based-buffer-overflow-in-readtiffimage-tiff-c/ NOTE: https://blogs.gentoo.org/ago/2016/09/07/graphicsmagick-null-pointer-dereference-in-magickstrlcpy-utility-c/ NOTE: Fixed by http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/eb58028dacf5 CVE-2016-7448 (The Utah RLE reader in GraphicsMagick before 1.3.25 allows remote atta ...) {DLA-1401-1 DLA-683-1} - graphicsmagick 1.3.25-1 NOTE: Fixed by http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/30043afadb10 NOTE: Fixed by http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/d972c761b55d CVE-2016-7447 (Heap-based buffer overflow in the EscapeParenthesis function in Graphi ...) {DLA-1401-1 DLA-651-1} - graphicsmagick 1.3.25-1 NOTE: Fixed by http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/d580e3c3c034 CVE-2016-7446 (Buffer overflow in the MVG and SVG rendering code in GraphicsMagick 1. ...) {DLA-1401-1 DLA-651-1} - graphicsmagick 1.3.25-1 NOTE: For the http://www.graphicsmagick.org/NEWS.html#september-5-2016 case NOTE: which remained present in the 1.3.24 release (and was not fixed until 1.3.25) NOTE: Fixed by http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/6071b5820215 CVE-2016-7445 (convert.c in OpenJPEG before 2.1.2 allows remote attackers to cause a ...) - openjpeg2 2.1.2-1 (unimportant; bug #838690) NOTE: https://github.com/uclouvain/openjpeg/issues/843 NOTE: PoC: https://github.com/STARLABSEC/pocs/raw/master/openjpeg-nullptr-github-issue-842.ppm NOTE: No code injection, function only exposed in the CLI tool CVE-2017-7443 (apt-cacher before 1.7.15 and apt-cacher-ng before 3.4 allow HTTP respo ...) {DLA-873-1} - apt-cacher-ng 3-1 (bug #858833) [buster] - apt-cacher-ng 2-2 [stretch] - apt-cacher-ng 2-2 [jessie] - apt-cacher-ng (Minor issue) [wheezy] - apt-cacher-ng (Minor issue) - apt-cacher 1.7.15 (bug #858739) [buster] - apt-cacher 1.7.13+deb9u1 [stretch] - apt-cacher 1.7.13+deb9u1 [jessie] - apt-cacher 1.7.10+deb8u1 CVE-2016-7442 (The Frontend component in Sophos UTM with firmware 9.405-5 and earlier ...) NOT-FOR-US: Sophos UTM CVE-2016-7441 RESERVED CVE-2016-7440 (The C software implementation of AES Encryption and Decryption in wolf ...) {DSA-3711-1 DSA-3706-1 DLA-708-1} - mariadb-10.0 10.0.28-1 - mysql-5.7 5.7.16-1 (bug #841163) - mysql-5.6 5.6.34-1 (bug #841049) - mysql-5.5 (bug #841050) NOTE: Fixed in MariaDB 5.5.53, MariaDB 10.0.28 - wolfssl 3.9.10+dfsg-1 CVE-2016-7439 (The C software implementation of RSA in wolfSSL (formerly CyaSSL) befo ...) - wolfssl 3.9.10+dfsg-1 CVE-2016-7438 (The C software implementation of ECC in wolfSSL (formerly CyaSSL) befo ...) - wolfssl 3.9.10+dfsg-1 CVE-2016-7437 (SAP Netweaver 7.40 improperly logs (1) DUI and (2) DUJ events in the S ...) NOT-FOR-US: SAP Netweaver CVE-2016-7436 RESERVED CVE-2016-7435 (The (1) SCTC_REFRESH_EXPORT_TAB_COMP, (2) SCTC_REFRESH_CHECK_ENV, and ...) NOT-FOR-US: SAP Netweaver CVE-2016-7434 (The read_mru_list function in NTP before 4.2.8p9 allows remote attacke ...) - ntp 1:4.2.8p9+dfsg-1 [jessie] - ntp (mrulist introduced in ntp-4.2.7p22, vulnerable code not present) [wheezy] - ntp (mrulist introduced in ntp-4.2.7p22, vulnerable code not present) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3082 NOTE: Only possible to trigger from hosts in allow mrulist query. CVE-2016-7433 (NTP before 4.2.8p9 does not properly perform the initial sync calculat ...) - ntp 1:4.2.8p9+dfsg-1 [jessie] - ntp (Vulnerable code introduced in ntp-4.2.7p385) [wheezy] - ntp (Vulnerable code introduced in ntp-4.2.7p385) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3067 NOTE: Although the CVE is only for the issue introduced by the fix for NOTE: http://bugs.ntp.org/show_bug.cgi?id=2085, he root-distance calculation NOTE: itself in general is incorrect in all version of ntp-4 until ntp-4.2.8p9 CVE-2016-7432 RESERVED CVE-2016-7431 (NTP before 4.2.8p9 allows remote attackers to bypass the origin timest ...) - ntp 1:4.2.8p9+dfsg-1 [jessie] - ntp (Vulnerable code not present) [wheezy] - ntp (Vulnerable code introduced later) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3102 CVE-2016-7430 RESERVED CVE-2016-7429 (NTP before 4.2.8p9 changes the peer structure to the interface it rece ...) - ntp 1:4.2.8p9+dfsg-1 [jessie] - ntp (Minor issue) [wheezy] - ntp (Minor issue, only possible if rp_filter is 0) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3072 CVE-2016-7428 (ntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial o ...) - ntp 1:4.2.8p9+dfsg-1 [jessie] - ntp (Vulnerable code not present) [wheezy] - ntp (Vulnerable code not present) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3113 NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0130/ NOTE: The fixes for CVE-2015-7973 have added several new integrity checks on incoming NOTE: broadcast mode packets and issue got introduced with code changes to fix that NOTE: issue. CVE-2016-7427 (The broadcast mode replay prevention functionality in ntpd in NTP befo ...) - ntp 1:4.2.8p9+dfsg-1 [jessie] - ntp (Vulnerable code not present) [wheezy] - ntp (Vulnerable code not present) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3114 NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0131/ NOTE: The fixes for CVE-2015-7973 have added several new integrity checks on incoming NOTE: broadcast mode packets and issue got introduced with code changes to fix that NOTE: issue. CVE-2016-7426 (NTP before 4.2.8p9 rate limits responses received from the configured ...) - ntp 1:4.2.8p9+dfsg-1 [jessie] - ntp (Minor issue) [wheezy] - ntp (Minor issue) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3071 CVE-2016-7425 (The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba ...) {DSA-3696-1 DLA-670-1} - linux 4.7.8-1 NOTE: http://marc.info/?l=linux-scsi&m=147394713328707&w=2 NOTE: Upstream commit: https://git.kernel.org/linus/7bc2b55a5c030685b399bb65b6baa9ccc3d1f167 CVE-2016-7424 (The put_no_rnd_pixels8_xy2_mmx function in x86/rnd_template.c in libav ...) {DSA-3685-1 DLA-780-1} - libav - ffmpeg (Fixed before introduction into the archive) NOTE: Fixed by: https://git.libav.org/?p=libav.git;a=commit;h=136f55207521f0b03194ef5b55ba70f1635d6aee NOTE: https://blogs.gentoo.org/ago/2016/09/17/libav-null-pointer-dereference-in-put_no_rnd_pixels8_xy2_mmx-rnd_template-c/ CVE-2016-7420 (Crypto++ (aka cryptopp) through 5.6.4 does not document the requiremen ...) - libcrypto++ (unimportant) NOTE: https://github.com/weidai11/cryptopp/issues/277 NOTE: The scope of this CVE is the documentation bug, lacking treatment of NOTE: -DNDEBUG and Static Initialization NOTE: Documentation added in https://github.com/weidai11/cryptopp/commit/553049ba297d89d9e8fbf2204acb40a8a53f5cd6 CVE-2016-7419 (Cross-site scripting (XSS) vulnerability in share.js in the gallery ap ...) - nextcloud (bug #835086) - owncloud (Vulnerable code introduced later) NOTE: up to version which was removed, not included, as the vulnerable code was NOTE: introduced later in a migration of the Gallery app to a new sharing endpoint NOTE: where a parameter changed from an interger to a string value, and that value NOTE: not beeing sanitized. NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2016-011 NOTE: https://github.com/owncloud/gallery/commit/6933d27afe518967bd1b60e6a7eacd88288929fc NOTE: https://hackerone.com/reports/145355 CVE-2016-7418 (The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5. ...) {DSA-3689-1 DLA-749-1} - php7.0 7.0.11-1 - php5 5.6.26+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73065 NOTE: Fixed in 7.0.11, 5.6.26 NOTE: https://github.com/php/php-src/commit/c4cca4c20e75359c9a13a1f9a36cb7b4e9601d29?w=1 NOTE: The scope of this CVE also includes all of the "other four similar issues" NOTE: in the "[2016-09-12 06:44 UTC]" comment. CVE-2016-7417 (ext/spl/spl_array.c in PHP before 5.6.26 and 7.x before 7.0.11 proceed ...) {DSA-3689-1 DLA-749-1} - php7.0 7.0.11-1 - php5 5.6.26+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73029 NOTE: Fixed in 7.0.11, 5.6.26 NOTE: https://github.com/php/php-src/commit/ecb7f58a069be0dec4a6131b6351a761f808f22e?w=1 CVE-2016-7416 (ext/intl/msgformat/msgformat_format.c in PHP before 5.6.26 and 7.x bef ...) {DSA-3689-1 DLA-749-1} - php7.0 7.0.11-1 - php5 5.6.26+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73007 NOTE: Fixed in 7.0.11, 5.6.26 NOTE: https://github.com/php/php-src/commit/6d55ba265637d6adf0ba7e9c9ef11187d1ec2f5b?w=1 CVE-2016-7415 (Stack-based buffer overflow in the Locale class in common/locid.cpp in ...) {DSA-3725-1 DLA-744-1} [experimental] - icu 58.1-1 - icu 57.1-5 (bug #838694) NOTE: Related code in http://source.icu-project.org/repos/icu/icu/trunk/source/common/locid.cpp file NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73007 NOTE: PHP fix: https://github.com/php/php-src/commit/6d55ba265637d6adf0ba7e9c9ef11187d1ec2f5b?w=1 NOTE: Upstream bug: http://bugs.icu-project.org/trac/ticket/12745 CVE-2016-7414 (The ZIP signature-verification feature in PHP before 5.6.26 and 7.x be ...) {DSA-3689-1 DLA-749-1} - php7.0 7.0.11-1 - php5 5.6.26+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=72928 NOTE: Fixed in 7.0.11, 5.6.26 NOTE: https://github.com/php/php-src/commit/0bfb970f43acd1e81d11be1154805f86655f15d5?w=1 CVE-2016-7413 (Use-after-free vulnerability in the wddx_stack_destroy function in ext ...) {DSA-3689-1 DLA-749-1} - php7.0 7.0.11-1 - php5 5.6.26+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=72860 NOTE: Fixed in 7.0.11, 5.6.26 NOTE: https://github.com/php/php-src/commit/b88393f08a558eec14964a55d3c680fe67407712?w=1 CVE-2016-7412 (ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x before ...) {DSA-3689-1 DLA-749-1} - php7.0 7.0.11-1 - php5 5.6.26+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=72293 NOTE: Fixed in 7.0.11, 5.6.26 NOTE: https://github.com/php/php-src/commit/28f80baf3c53e267c9ce46a2a0fadbb981585132?w=1 CVE-2016-7411 (ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles objec ...) {DSA-3689-1 DLA-749-1} - php7.0 (Only affects 5.x) - php5 5.6.26+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73052 NOTE: Fixed in 5.6.26 NOTE: https://github.com/php/php-src/commit/6a7cc8ff85827fa9ac715b3a83c2d9147f33cd43?w=1 CVE-2016-7410 (The _dwarf_read_loc_section function in dwarf_loc.c in libdwarf 201606 ...) - dwarfutils 20160923-1 (bug #838019) [jessie] - dwarfutils (Vulnerable code introduced in later version) [wheezy] - dwarfutils (Vulnerable code introduced in later version) NOTE: https://www.prevanders.net/dwarfbug.html#DW201609-003 NOTE: http://seclists.org/oss-sec/2016/q3/490 NOTE: Initial addressed upstream in refactoring in: NOTE: https://sourceforge.net/p/libdwarf/code/ci/e12f6c0b69c20f58dccc4505309cf7f974c34dc2 NOTE: with final fix/follow up: https://sourceforge.net/p/libdwarf/code/ci/3767305debcba8bd7e1c483ae48c509d25399252 NOTE: Introduced by (as confirmed by upstream): https://sourceforge.net/p/libdwarf/code/ci/b446e23dc21704ccd3b76d8945aaf39e4aca8c27 CVE-2016-7409 (The dbclient and server in Dropbear SSH before 2016.74, when compiled ...) - dropbear 2016.74-1 (unimportant) NOTE: https://secure.ucc.asn.au/hg/dropbear/rev/6a14b1f6dc04 NOTE: Not an issue for the the Debian binary package since we do not NOTE: compile with DEBUG_TRACE. CVE-2016-7408 (The dbclient in Dropbear SSH before 2016.74 allows remote attackers to ...) - dropbear 2016.74-1 [jessie] - dropbear 2014.65-1+deb8u1 [wheezy] - dropbear (Vulnerable code not present) NOTE: https://secure.ucc.asn.au/hg/dropbear/rev/eed9376a4ad6 CVE-2016-7407 (The dropbearconvert command in Dropbear SSH before 2016.74 allows atta ...) {DLA-634-1} - dropbear 2016.74-1 [jessie] - dropbear 2014.65-1+deb8u1 NOTE: https://secure.ucc.asn.au/hg/dropbear/rev/34e6127ef02e CVE-2016-7406 (Format string vulnerability in Dropbear SSH before 2016.74 allows remo ...) {DLA-634-1} - dropbear 2016.74-1 [jessie] - dropbear 2014.65-1+deb8u1 NOTE: https://secure.ucc.asn.au/hg/dropbear/rev/b66a483f3dcb CVE-2016-7404 (OpenStack Magnum passes OpenStack credentials into the Heat templates ...) - magnum 3.1.1-5 (bug #863547) NOTE: https://git.openstack.org/cgit/openstack/magnum/commit/?id=0bb0d6486d6771ee21bbf897a091b1aa59e01b22 CVE-2016-7403 RESERVED CVE-2016-7402 (SAP ASE 16.0 SP02 PL03 and prior versions allow attackers who own Sour ...) NOT-FOR-US: SAP ASE CVE-2016-7401 (The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.1 ...) {DSA-3678-1 DLA-649-1} - python-django 1:1.10-1 (low) NOTE: https://www.djangoproject.com/weblog/2016/sep/26/security-releases/ CVE-2016-7400 (Multiple SQL injection vulnerabilities in Exponent CMS before 2.4.0 al ...) NOT-FOR-US: Exponent CMS CVE-2016-7399 (scripts/license.pl in Veritas NetBackup Appliance 2.6.0.x through 2.6. ...) NOT-FOR-US: Veritas NetBackup Applianc CVE-2016-7398 (A type confusion vulnerability in the merge_param() function of php_ht ...) {DLA-1929-1} - php-pecl-http 3.1.0+2.6.0-1 NOTE: https://bugs.php.net/bug.php?id=73055 NOTE: https://github.com/m6w6/ext-http/commit/17137d4ab1ce81a2cee0fae842340a344ef3da83 CVE-2016-7397 (The Frontend component in Sophos UTM with firmware 9.405-5 and earlier ...) NOT-FOR-US: Sophos UTM CVE-2016-7396 RESERVED CVE-2016-7395 (SkPath.cpp in Skia, as used in Google Chrome before 53.0.2785.89 on Wi ...) {DSA-3667-1} - chromium-browser 53.0.2785.92-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-7394 (tiki wiki cms groupware <=15.2 has a xss vulnerability, allow attac ...) - tikiwiki NOTE: https://sourceforge.net/p/tikiwiki/code/59653/ CVE-2016-7391 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU D ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-7390 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU D ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-7389 (For the NVIDIA Quadro, NVS, GeForce, and Tesla products, NVIDIA GPU Di ...) - nvidia-graphics-drivers 367.57-1 (bug #846331) [jessie] - nvidia-graphics-drivers 340.101-1 [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx 340.98-1 (bug #846332) - nvidia-graphics-drivers-legacy-304xx 304.132-1 (bug #846333) [jessie] - nvidia-graphics-drivers-legacy-304xx 304.134-0~deb8u1 NOTE: http://nvidia.custhelp.com/app/answers/detail/a_id/4246 CVE-2016-7388 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU D ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-7387 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU D ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-7386 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU D ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-7385 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU D ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-7384 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU D ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-7383 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU D ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-7382 (For the NVIDIA Quadro, NVS, GeForce, and Tesla products, NVIDIA GPU Di ...) - nvidia-graphics-drivers 367.57-1 (bug #846331) [jessie] - nvidia-graphics-drivers 340.101-1 [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx 340.98-1 (bug #846332) - nvidia-graphics-drivers-legacy-304xx 304.132-1 (bug #846333) [jessie] - nvidia-graphics-drivers-legacy-304xx 304.134-0~deb8u1 NOTE: http://nvidia.custhelp.com/app/answers/detail/a_id/4246 CVE-2016-7381 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU D ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-7380 RESERVED CVE-2016-7379 RESERVED CVE-2016-7378 RESERVED CVE-2016-7377 RESERVED CVE-2016-7376 RESERVED CVE-2016-7375 RESERVED CVE-2016-7374 RESERVED CVE-2016-7373 RESERVED CVE-2016-7372 RESERVED CVE-2016-7371 RESERVED CVE-2016-7370 RESERVED CVE-2016-7369 RESERVED CVE-2016-7368 RESERVED CVE-2016-7367 REJECTED CVE-2016-7366 REJECTED CVE-2016-7365 REJECTED CVE-2016-7364 REJECTED CVE-2016-7363 REJECTED CVE-2016-7362 REJECTED CVE-2016-7361 REJECTED CVE-2016-7360 REJECTED CVE-2016-7359 REJECTED CVE-2016-7358 REJECTED CVE-2016-7357 REJECTED CVE-2016-7356 REJECTED CVE-2016-7355 REJECTED CVE-2016-7354 REJECTED CVE-2016-7353 REJECTED CVE-2016-7352 REJECTED CVE-2016-7351 REJECTED CVE-2016-7350 REJECTED CVE-2016-7349 REJECTED CVE-2016-7348 REJECTED CVE-2016-7347 REJECTED CVE-2016-7346 REJECTED CVE-2016-7345 REJECTED CVE-2016-7344 REJECTED CVE-2016-7343 REJECTED CVE-2016-7342 REJECTED CVE-2016-7341 REJECTED CVE-2016-7340 REJECTED CVE-2016-7339 REJECTED CVE-2016-7338 REJECTED CVE-2016-7337 REJECTED CVE-2016-7336 REJECTED CVE-2016-7335 REJECTED CVE-2016-7334 REJECTED CVE-2016-7333 REJECTED CVE-2016-7332 REJECTED CVE-2016-7331 REJECTED CVE-2016-7330 REJECTED CVE-2016-7329 REJECTED CVE-2016-7328 REJECTED CVE-2016-7327 REJECTED CVE-2016-7326 REJECTED CVE-2016-7325 REJECTED CVE-2016-7324 REJECTED CVE-2016-7323 REJECTED CVE-2016-7322 REJECTED CVE-2016-7321 REJECTED CVE-2016-7320 REJECTED CVE-2016-7319 REJECTED CVE-2016-7318 REJECTED CVE-2016-7317 REJECTED CVE-2016-7316 REJECTED CVE-2016-7315 REJECTED CVE-2016-7314 REJECTED CVE-2016-7313 REJECTED CVE-2016-7312 REJECTED CVE-2016-7311 REJECTED CVE-2016-7310 REJECTED CVE-2016-7309 REJECTED CVE-2016-7308 REJECTED CVE-2016-7307 REJECTED CVE-2016-7306 REJECTED CVE-2016-7305 REJECTED CVE-2016-7304 REJECTED CVE-2016-7303 REJECTED CVE-2016-7302 REJECTED CVE-2016-7301 REJECTED CVE-2016-7300 (Untrusted search path vulnerability in Microsoft Auto Updater for Mac ...) NOT-FOR-US: Microsoft Auto Updater for Mac CVE-2016-7299 REJECTED CVE-2016-7298 (Microsoft Office 2007 SP3, Office 2010 SP2, Word Viewer, Office for Ma ...) NOT-FOR-US: Microsoft CVE-2016-7297 (The scripting engines in Microsoft Edge allow remote attackers to exec ...) NOT-FOR-US: Microsoft CVE-2016-7296 (The scripting engines in Microsoft Edge allow remote attackers to exec ...) NOT-FOR-US: Microsoft CVE-2016-7295 (The Common Log File System (CLFS) driver in Microsoft Windows Vista SP ...) NOT-FOR-US: Microsoft CVE-2016-7294 REJECTED CVE-2016-7293 REJECTED CVE-2016-7292 (The Installer in Microsoft Windows Vista SP2, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft Windows CVE-2016-7291 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Office Compat ...) NOT-FOR-US: Microsoft CVE-2016-7290 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Office Compat ...) NOT-FOR-US: Microsoft CVE-2016-7289 (Microsoft Publisher 2010 SP2 allows remote attackers to execute arbitr ...) NOT-FOR-US: Microsoft CVE-2016-7288 (The scripting engines in Microsoft Edge allow remote attackers to exec ...) NOT-FOR-US: Microsoft CVE-2016-7287 (The scripting engines in Microsoft Internet Explorer 11 and Microsoft ...) NOT-FOR-US: Microsoft CVE-2016-7286 (The scripting engines in Microsoft Edge allow remote attackers to exec ...) NOT-FOR-US: Microsoft CVE-2016-7285 REJECTED CVE-2016-7284 (Microsoft Internet Explorer 10 and 11 allows remote attackers to obtai ...) NOT-FOR-US: Microsoft CVE-2016-7283 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2016-7282 (Cross-site scripting (XSS) vulnerability in Microsoft Internet Explore ...) NOT-FOR-US: Microsoft CVE-2016-7281 (The Web Workers implementation in Microsoft Internet Explorer 10 and 1 ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2016-7280 (Cross-site scripting (XSS) vulnerability in Microsoft Edge allows remo ...) NOT-FOR-US: Microsoft CVE-2016-7279 (Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remo ...) NOT-FOR-US: Microsoft CVE-2016-7278 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ob ...) NOT-FOR-US: Microsoft CVE-2016-7277 (Microsoft Office 2016 allows remote attackers to execute arbitrary cod ...) NOT-FOR-US: Microsoft CVE-2016-7276 (Microsoft Office 2007 SP3, Office 2010 SP2, Office 2013 SP1, Office fo ...) NOT-FOR-US: Microsoft CVE-2016-7275 (Microsoft Office 2010 SP2, 2013 SP1, 2013 RT SP1, and 2016 mishandles ...) NOT-FOR-US: Microsoft CVE-2016-7274 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2016-7273 (The Graphics component in Microsoft Windows 10 Gold, 1511, and 1607 an ...) NOT-FOR-US: Microsoft CVE-2016-7272 (The Graphics component in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-7271 (The Secure Kernel Mode implementation in Microsoft Windows 10 Gold, 15 ...) NOT-FOR-US: Microsoft Windows CVE-2016-7270 (The Data Provider for SQL Server in Microsoft .NET Framework 4.6.2 mis ...) NOT-FOR-US: Microsoft .NET Framework CVE-2016-7269 REJECTED CVE-2016-7268 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Office Compat ...) NOT-FOR-US: Microsoft CVE-2016-7267 (Microsoft Excel 2010 SP2, 2013 SP1, 2013 RT SP1, and 2016 misparses fi ...) NOT-FOR-US: Microsoft CVE-2016-7266 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 R ...) NOT-FOR-US: Microsoft CVE-2016-7265 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 R ...) NOT-FOR-US: Microsoft CVE-2016-7264 (Microsoft Excel 2007 SP3, Office Compatibility Pack SP3, Excel Viewer, ...) NOT-FOR-US: Microsoft CVE-2016-7263 (Microsoft Excel for Mac 2011 and Excel 2016 for Mac allow remote attac ...) NOT-FOR-US: Microsoft CVE-2016-7262 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 R ...) NOT-FOR-US: Microsoft CVE-2016-7261 REJECTED CVE-2016-7260 (The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft Windows CVE-2016-7259 (The Graphics Component in the kernel-mode drivers in Microsoft Windows ...) NOT-FOR-US: Microsoft Windows CVE-2016-7258 (The kernel in Microsoft Windows 10 Gold, 1511, and 1607 and Windows Se ...) NOT-FOR-US: Microsoft Windows CVE-2016-7257 (The GDI component in Microsoft Windows Vista SP2, Windows Server 2008 ...) NOT-FOR-US: Microsoft Windows CVE-2016-7256 (atmfd.dll in the Windows font library in Microsoft Windows Vista SP2, ...) NOT-FOR-US: Microsoft CVE-2016-7255 (The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-7254 (Microsoft SQL Server 2012 SP2 and 2012 SP3 does not properly perform a ...) NOT-FOR-US: Microsoft CVE-2016-7253 (The agent in Microsoft SQL Server 2012 SP2, 2012 SP3, 2014 SP1, 2014 S ...) NOT-FOR-US: Microsoft CVE-2016-7252 (Microsoft SQL Server 2016 mishandles the FILESTREAM path, which allows ...) NOT-FOR-US: Microsoft CVE-2016-7251 (Cross-site scripting (XSS) vulnerability in the MDS API in Microsoft S ...) NOT-FOR-US: Microsoft CVE-2016-7250 (Microsoft SQL Server 2014 SP1, 2014 SP2, and 2016 does not properly pe ...) NOT-FOR-US: Microsoft CVE-2016-7249 (Microsoft SQL Server 2016 does not properly perform a cast of an unspe ...) NOT-FOR-US: Microsoft CVE-2016-7248 (Microsoft Video Control in Microsoft Windows Vista SP2, Windows 7 SP1, ...) NOT-FOR-US: Microsoft CVE-2016-7247 (Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1 ...) NOT-FOR-US: Microsoft CVE-2016-7246 (The kernel-mode drivers in Microsoft Windows Server 2008 R2 SP1, Windo ...) NOT-FOR-US: Microsoft CVE-2016-7245 (Microsoft Office 2007 SP3, Office 2010 SP2, Office 2013 SP1, Office 20 ...) NOT-FOR-US: Microsoft CVE-2016-7244 (Microsoft Office 2007 SP3 allows remote attackers to cause a denial of ...) NOT-FOR-US: Microsoft CVE-2016-7243 (The Chakra JavaScript scripting engine in Microsoft Edge allows remote ...) NOT-FOR-US: Microsoft CVE-2016-7242 (The Chakra JavaScript scripting engine in Microsoft Edge allows remote ...) NOT-FOR-US: Microsoft CVE-2016-7241 (Microsoft Internet Explorer 11 and Microsoft Edge allow remote attacke ...) NOT-FOR-US: Microsoft CVE-2016-7240 (The Chakra JavaScript scripting engine in Microsoft Edge allows remote ...) NOT-FOR-US: Microsoft CVE-2016-7239 (The RegEx class in the XSS filter in Microsoft Internet Explorer 9 thr ...) NOT-FOR-US: Microsoft CVE-2016-7238 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft CVE-2016-7237 (Local Security Authority Subsystem Service (LSASS) in Microsoft Window ...) NOT-FOR-US: Microsoft CVE-2016-7236 (Microsoft Excel 2010 SP2, Excel for Mac 2011, Excel 2016 for Mac, and ...) NOT-FOR-US: Microsoft CVE-2016-7235 (Microsoft Word 2007, Office 2010 SP2, Word 2010 SP2, Word for Mac 2011 ...) NOT-FOR-US: Microsoft CVE-2016-7234 (Microsoft Word 2007, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Wo ...) NOT-FOR-US: Microsoft CVE-2016-7233 (Microsoft Word 2007, Office 2010 SP2, Word 2010 SP2, Word for Mac 2011 ...) NOT-FOR-US: Microsoft CVE-2016-7232 (Microsoft Word 2007, Office 2010 SP2, Word 2010 SP2, Word for Mac 2011 ...) NOT-FOR-US: Microsoft CVE-2016-7231 (Microsoft Excel 2007 SP3, Excel for Mac 2011, Office Compatibility Pac ...) NOT-FOR-US: Microsoft CVE-2016-7230 (Microsoft PowerPoint 2010 SP2, PowerPoint Viewer, and Office Web Apps ...) NOT-FOR-US: Microsoft CVE-2016-7229 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 R ...) NOT-FOR-US: Microsoft CVE-2016-7228 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 R ...) NOT-FOR-US: Microsoft CVE-2016-7227 (The scripting engines in Microsoft Internet Explorer 9 through 11 and ...) NOT-FOR-US: Microsoft CVE-2016-7226 (Virtual Hard Disk Driver in Windows 10 Gold, 1511, and 1607 and Window ...) NOT-FOR-US: Microsoft CVE-2016-7225 (Virtual Hard Disk Driver in Windows 10 Gold, 1511, and 1607 and Window ...) NOT-FOR-US: Microsoft CVE-2016-7224 (Virtual Hard Disk Driver in Microsoft Windows 8.1, Windows Server 2012 ...) NOT-FOR-US: Microsoft CVE-2016-7223 (Virtual Hard Disk Driver in Microsoft Windows 8.1, Windows Server 2012 ...) NOT-FOR-US: Microsoft CVE-2016-7222 (Task Scheduler in Microsoft Windows 10 Gold, 1511, and 1607 and Window ...) NOT-FOR-US: Microsoft CVE-2016-7221 (Input Method Editor (IME) in Microsoft Windows Vista SP2, Windows Serv ...) NOT-FOR-US: Microsoft CVE-2016-7220 (Virtual Secure Mode in Microsoft Windows 10 allows local users to obta ...) NOT-FOR-US: Microsoft CVE-2016-7219 (The Crypto driver in Microsoft Windows Vista SP2, Windows Server 2008 ...) NOT-FOR-US: Microsoft CVE-2016-7218 (Bowser.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, ...) NOT-FOR-US: Microsoft CVE-2016-7217 (Media Foundation in Microsoft Windows 8.1, Windows Server 2012 Gold an ...) NOT-FOR-US: Microsoft CVE-2016-7216 (The kernel API in Microsoft Windows Vista SP2, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2016-7215 (The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-7214 (The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-7213 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 R ...) NOT-FOR-US: Microsoft CVE-2016-7212 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft CVE-2016-7211 (The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-7210 (atmfd.dll in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2016-7209 (Microsoft Edge allows remote attackers to spoof web content via a craf ...) NOT-FOR-US: Mircosoft CVE-2016-7208 (The Chakra JavaScript scripting engine in Microsoft Edge allows remote ...) NOT-FOR-US: Microsoft CVE-2016-7207 REJECTED CVE-2016-7206 (Cross-site scripting (XSS) vulnerability in Microsoft Edge allows remo ...) NOT-FOR-US: Microsoft CVE-2016-7205 (Animation Manager in Microsoft Windows Server 2008 R2 SP1, Windows 7 S ...) NOT-FOR-US: Microsoft CVE-2016-7204 (Microsoft Edge allows remote attackers to access arbitrary "My Documen ...) NOT-FOR-US: Microsoft CVE-2016-7203 (The Chakra JavaScript scripting engine in Microsoft Edge allows remote ...) NOT-FOR-US: Microsoft CVE-2016-7202 (The scripting engines in Microsoft Internet Explorer 9 through 11 and ...) NOT-FOR-US: Microsoft CVE-2016-7201 (The Chakra JavaScript scripting engine in Microsoft Edge allows remote ...) NOT-FOR-US: Microsoft CVE-2016-7200 (The Chakra JavaScript scripting engine in Microsoft Edge allows remote ...) NOT-FOR-US: Microsoft CVE-2016-7199 (Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remo ...) NOT-FOR-US: Microsoft CVE-2016-7198 (Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remo ...) NOT-FOR-US: Microsoft CVE-2016-7197 REJECTED CVE-2016-7196 (Microsoft Internet Explorer 10 and 11 and Microsoft Edge allow remote ...) NOT-FOR-US: Microsoft CVE-2016-7195 (Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remo ...) NOT-FOR-US: Microsoft CVE-2016-7194 (The Chakra JavaScript engine in Microsoft Edge allows remote attackers ...) NOT-FOR-US: Microsoft CVE-2016-7193 (Microsoft Word 2007 SP2, Office 2010 SP2, Word 2013 SP1, Word 2013 RT ...) NOT-FOR-US: Microsoft CVE-2016-7192 REJECTED CVE-2016-7191 (The Microsoft Azure Active Directory Passport (aka Passport-Azure-AD) ...) NOT-FOR-US: Microsoft Azure Active Directory Passport CVE-2016-7190 (The Chakra JavaScript engine in Microsoft Edge allows remote attackers ...) NOT-FOR-US: Microsoft CVE-2016-7189 (The Chakra JavaScript engine in Microsoft Edge allows remote attackers ...) NOT-FOR-US: Microsoft CVE-2016-7188 (The Standard Collector Service in Windows Diagnostics Hub in Microsoft ...) NOT-FOR-US: Microsoft CVE-2016-7187 REJECTED CVE-2016-7186 REJECTED CVE-2016-7185 (The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-7184 (The Common Log File System (CLFS) driver in Microsoft Windows Vista SP ...) NOT-FOR-US: Microsoft CVE-2016-7183 REJECTED CVE-2016-7182 (The Graphics component in Microsoft Windows Vista SP2; Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-7181 (Microsoft Edge allows remote attackers to execute arbitrary code or ca ...) NOT-FOR-US: Microsoft CVE-2016-7393 (Stack-based buffer overflow in the aac_sync function in aac_parser.c i ...) {DLA-644-1} - ffmpeg 7:2.4-1 - libav [jessie] - libav 6:11.6-1~deb8u1 NOTE: https://blogs.gentoo.org/ago/2016/08/20/libav-stack-based-buffer-overflow-in-aac_sync-aac_parser-c/ NOTE: https://git.libav.org/?p=libav.git;a=commit;h=fb1473080223a634b8ac2cca48a632d037a0a69d CVE-2016-7392 (Heap-based buffer overflow in the pstoedit_suffix_table_init function ...) {DLA-621-1} - autotrace 0.31.1-17 (bug #837599) NOTE: https://blogs.gentoo.org/ago/2016/09/10/autotrace-heap-based-buffer-overflow-in-pstoedit_suffix_table_init-output-pstoedit-c/ NOTE: Also reproducible with valgrind CVE-2016-7180 (epan/dissectors/packet-ipmi-trace.c in the IPMI trace dissector in Wir ...) {DSA-3671-1 DLA-632-1} - wireshark 2.2.0~rc1+g438c022-1 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=5213496250aceff086404c568e3718ebc0060934 NOTE: https://www.wireshark.org/security/wnpa-sec-2016-55.html NOTE: https://code.wireshark.org/review/17289 NOTE: Affected versions: 2.0.0 to 2.0.5 NOTE: Fixed versions: 2.0.6 CVE-2016-7179 (Stack-based buffer overflow in epan/dissectors/packet-catapult-dct2000 ...) {DSA-3671-1 DLA-632-1} - wireshark 2.2.0~rc1+g438c022-1 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=3b97fbddc23c065727b0147aab52a27c4aadffe7 NOTE: https://www.wireshark.org/security/wnpa-sec-2016-54.html NOTE: https://code.wireshark.org/review/17095 NOTE: Affected versions: 2.0.0 to 2.0.5 NOTE: Fixed versions: 2.0.6 CVE-2016-7178 (epan/dissectors/packet-umts_fp.c in the UMTS FP dissector in Wireshark ...) {DSA-3671-1 DLA-632-1} - wireshark 2.2.0~rc1+g438c022-1 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=315bba7c645b75af24215c6303d187b188610bba NOTE: https://www.wireshark.org/security/wnpa-sec-2016-53.html NOTE: https://code.wireshark.org/review/17094 NOTE: Affected versions: 2.0.0 to 2.0.5 NOTE: Fixed versions: 2.0.6 CVE-2016-7177 (epan/dissectors/packet-catapult-dct2000.c in the Catapult DCT2000 diss ...) {DSA-3671-1 DLA-632-1} - wireshark 2.2.0~rc1+g438c022-1 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2e37b271c473e1cbd01d62ebe1f3b011fc9fe638 NOTE: https://www.wireshark.org/security/wnpa-sec-2016-52.html NOTE: https://code.wireshark.org/review/17096 NOTE: Affected versions: 2.0.0 to 2.0.5 NOTE: Fixed versions: 2.0.6 CVE-2016-7176 (epan/dissectors/packet-h225.c in the H.225 dissector in Wireshark 2.x ...) {DSA-3671-1 DLA-632-1} - wireshark 2.2.0~rc1+g438c022-1 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=6d8261994bb928b7e80e3a2478a3d939ea1ef373 NOTE: https://www.wireshark.org/security/wnpa-sec-2016-51.html NOTE: https://code.wireshark.org/review/16852 NOTE: Affected versions: 2.0.0 to 2.0.5 NOTE: Fixed versions: 2.0.6 CVE-2016-7175 (epan/dissectors/packet-qnet6.c in the QNX6 QNET dissector in Wireshark ...) - wireshark 2.2.0~rc1+g438c022-1 [jessie] - wireshark (Vulnerable code not present) [wheezy] - wireshark (Vulnerable code not present) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=1396f6ad555178f6b81cc1a65f9cb37b2d99aebf NOTE: https://www.wireshark.org/security/wnpa-sec-2016-50.html NOTE: https://code.wireshark.org/review/16965 NOTE: Affected versions: 2.0.0 to 2.0.5 NOTE: Fixed versions: 2.0.6 CVE-2016-1000222 (Logstash prior to version 2.1.2, the CSV output can be attacked via en ...) - logstash (bug #664841) CVE-2016-1000221 (Logstash prior to version 2.3.4, Elasticsearch Output plugin would log ...) - logstash (bug #664841) CVE-2016-1000220 (Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that wo ...) - kibana (bug #700337) CVE-2016-1000219 (Kibana before 4.5.4 and 4.1.11 when a custom output is configured for ...) - kibana (bug #700337) CVE-2016-1000217 (Zotpress plugin for WordPress SQLi in zp_get_account() ...) NOT-FOR-US: WordPress plugin zotpress CVE-2016-1000216 (Ruckus Wireless H500 web management interface authenticated command in ...) NOT-FOR-US: Ruckus Wireless H500 CVE-2016-1000215 (Ruckus Wireless H500 web management interface denial of service ...) NOT-FOR-US: Ruckus Wireless H500 CVE-2016-1000214 (Ruckus Wireless H500 web management interface authentication bypass ...) NOT-FOR-US: Ruckus Wireless H500 CVE-2016-1000213 (Ruckus Wireless H500 web management interface CSRF ...) NOT-FOR-US: Ruckus Wireless H500 CVE-2010-5328 (include/linux/init_task.h in the Linux kernel before 2.6.35 does not p ...) - linux (Fixed before the src:linux-2.6 -> src:linux rename) - linux-2.6 2.6.37-1 CVE-2010-5327 (Liferay Portal through 6.2.10 allows remote authenticated users to exe ...) NOT-FOR-US: Liferay Portal CVE-2016-7551 (chain_sip in Asterisk Open Source 11.x before 11.23.1 and 13.x 13.11.1 ...) {DSA-3700-1 DLA-781-1} - asterisk 1:13.11.2~dfsg-1 (bug #838832) NOTE: http://downloads.asterisk.org/pub/security/AST-2016-007.html CVE-2016-7550 (asterisk 13.10.0 is affected by: denial of service issues in asterisk. ...) - asterisk 1:13.11.2~dfsg-1 (bug #838833) [jessie] - asterisk (Issue introduced in 13.10.0 release) [wheezy] - asterisk (Issue introduced in 13.10.0 release) NOTE: http://downloads.asterisk.org/pub/security/AST-2016-006.html CVE-2016-7174 RESERVED CVE-2016-7173 RESERVED CVE-2016-7172 (NetApp Snap Creator Framework before 4.3.1 discloses sensitive informa ...) NOT-FOR-US: NetApp CVE-2016-7171 (NetApp Plug-in for Symantec NetBackup prior to version 2.0.1 makes use ...) NOT-FOR-US: NetApp CVE-2016-7170 (The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU (aka Q ...) {DLA-1599-1 DLA-653-1 DLA-652-1} - qemu 1:2.8+dfsg-1 (bug #837316) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg01764.html NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=167d97a3def77ee2dbf6e908b0ecbfe2103977db CVE-2016-7169 (Directory traversal vulnerability in the File_Upload_Upgrader class in ...) {DSA-3681-1 DLA-633-1} - wordpress 4.6.1+dfsg-1 NOTE: https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/ NOTE: Fixed in 4.6.1 release upstream NOTE: Fixed by: https://core.trac.wordpress.org/changeset/38524 CVE-2016-7168 (Cross-site scripting (XSS) vulnerability in the media_handle_upload fu ...) {DSA-3681-1 DLA-633-1} - wordpress 4.6.1+dfsg-1 NOTE: https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/ NOTE: Fixed in 4.6.1 release upstream NOTE: Fixed by: https://core.trac.wordpress.org/changeset/38538 CVE-2016-7167 (Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escap ...) {DLA-1568-1 DLA-625-1} - curl 7.51.0-1 (bug #837945) NOTE: Upstream advisory: https://curl.haxx.se/docs/adv_20160914.html NOTE: Upstream patch: https://curl.haxx.se/CVE-2016-7167.patch NOTE: Affected versions: libcurl 7.11.1 to and including 7.50.2 NOTE: Not affected versions: libcurl < 7.11.1 and libcurl >= 7.50.3 CVE-2016-7165 (A vulnerability has been identified in Primary Setup Tool (PST) (All v ...) NOT-FOR-US: Microsoft CVE-2016-7162 (The _g_file_remove_directory function in file-utils.c in File Roller 3 ...) - file-roller 3.20.3-1 [jessie] - file-roller (Minor issue) [wheezy] - file-roller (Vulnerable code introduced in 3.5.4) NOTE: Ubuntu Bug: https://launchpad.net/bugs/1171236 NOTE: Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=698554 NOTE: Introduced by: https://git.gnome.org/browse/file-roller/commit/?id=34b64f3a897c4b4e8e180c028f326bc921eb08ec (3.5.4) NOTE: Fixed by: https://git.gnome.org/browse/file-roller/commit/?id=f70be1f41688859ec8dbe266df35a1839ceb96c5 (3.20.3) CVE-2016-7161 (Heap-based buffer overflow in the .receive callback of xlnx.xps-ethern ...) {DLA-1599-1 DLA-653-1 DLA-652-1} - qemu 1:2.7+dfsg-1 (bug #838850) - qemu-kvm NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=a0d1cbdacff5df4ded16b753b38fdd9da6092968 (2.7.0-rc3) NOTE: http://patchwork.ozlabs.org/patch/657076/ CVE-2016-7160 (A vulnerability on Samsung Mobile M(6.0) devices exists because extern ...) NOT-FOR-US: Samsumg CVE-2016-7159 RESERVED CVE-2016-7158 RESERVED CVE-2016-7405 (The qstr method in the PDO driver in the ADOdb Library for PHP before ...) {DLA-620-1} - libphp-adodb 5.20.6-1 (bug #837211) [jessie] - libphp-adodb 5.15-1+deb8u1 NOTE: https://github.com/ADOdb/ADOdb/issues/226 NOTE: https://github.com/ADOdb/ADOdb/commit/bd9eca9 NOTE: Issue only with the PDO driver and only if queries built by inlining NOTE: the quoted string (not recommended). NOTE: http://www.openwall.com/lists/oss-security/2016/09/07/8 CVE-2016-7154 (Use-after-free vulnerability in the FIFO event channel code in Xen 4.4 ...) {DSA-3663-1} - xen 4.6.0-1 [wheezy] - xen (Versions 4.3 and earlier are not vulnerable) NOTE: http://xenbits.xen.org/xsa/advisory-188.html NOTE: Only affects Xen 4.4, as workaround it is marked as fixed in the first xen version entering unstable NOTE: after the 4.4 series. CVE-2016-7166 (libarchive before 3.2.0 does not limit the number of recursive decompr ...) {DSA-3677-1 DLA-617-1} - libarchive 3.2.0-2 NOTE: https://github.com/libarchive/libarchive/issues/660 NOTE: (with reproducer) https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207362 NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/6e06b1c89dd0d16f74894eac4cfc1327a06ee4a0 NOTE: Fix improved by: https://github.com/libarchive/libarchive/commit/37649d274867edd2dd25d8a3057c3b6cd81ce83e CVE-2016-7164 (The construct function in puff.cpp in Libtorrent 1.1.0 allows remote t ...) - libtorrent-rasterbar 1.1.1-1 (bug #837338) [jessie] - libtorrent-rasterbar (Minor issue) [wheezy] - libtorrent-rasterbar (Vulnerable code not present, reproducer does not crash) NOTE: https://github.com/arvidn/libtorrent/issues/1021 NOTE: https://github.com/arvidn/libtorrent/pull/1022 NOTE: https://github.com/arvidn/libtorrent/commit/debf3c6e3688aab8394fe5c47737625faffe6f9e NOTE: Fixed upstream in 1.1.1. CVE-2016-7163 (Integer overflow in the opj_pi_create_decode function in pi.c in OpenJ ...) {DSA-3665-1} - openjpeg2 2.1.2-1 (bug #837604) NOTE: https://github.com/uclouvain/openjpeg/commit/c16bc057ba3f125051c9966cf1f5b68a05681de4 NOTE: https://github.com/uclouvain/openjpeg/commit/ef01f18dfc6780b776d0674ed3e7415c6ef54d24 CVE-2016-7153 (The HTTP/2 protocol does not consider the role of the TCP congestion w ...) NOTE: CVE assigned for the HTTP/2 protocol issue CVE-2016-7152 (The HTTPS protocol does not consider the role of the TCP congestion wi ...) NOTE: CVE assigned for the HTTP/2 protocol issue CVE-2016-7151 (Capstone 3.0.4 has an out-of-bounds vulnerability (SEGV caused by a re ...) - capstone (low; bug #930002) [buster] - capstone (Minor issue) [stretch] - capstone (Minor issue) [jessie] - capstone (Vulnerable code not present) NOTE: https://github.com/aquynh/capstone/commit/87a25bb543c8e4c09b48d4b4a6c7db31ce58df06 (4.0-alpha4) NOTE: https://github.com/aquynh/capstone/pull/725 CVE-2016-7150 (Cross-site scripting (XSS) vulnerability in b2evolution 6.7.5 and earl ...) NOT-FOR-US: b2evolution CVE-2016-7149 (Cross-site scripting (XSS) vulnerability in b2evolution 6.7.5 and earl ...) NOT-FOR-US: b2evolution CVE-2016-7148 (MoinMoin 1.9.8 allows remote attackers to conduct "JavaScript injectio ...) {DSA-3715-1} - moin 1.9.9-1 (bug #844341) [wheezy] - moin (vulnerable code not present) NOTE: Fixed by: http://hg.moinmo.in/moin/1.9/rev/eceb70c41ecc NOTE: https://www.curesec.com/blog/article/blog/MoinMoin-198-XSS-175.html CVE-2016-7147 (Cross-site scripting (XSS) vulnerability in the manage_findResult comp ...) NOT-FOR-US: Plone CVE-2016-7146 (MoinMoin 1.9.8 allows remote attackers to conduct "JavaScript injectio ...) {DSA-3715-1 DLA-717-1} - moin 1.9.9-1 (bug #844340) NOTE: Fixed by: http://hg.moinmo.in/moin/1.9/rev/1563d6db198c NOTE: https://www.curesec.com/blog/article/blog/MoinMoin-198-XSS-175.html CVE-2016-7122 (The avi_read_nikon function in libavformat/avidec.c in FFmpeg before 3 ...) - ffmpeg 7:3.1.4-1 (bug #840434) NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/ed38046c5c2e3b310980be32287179895c83e0d8 (n3.1.4) CVE-2016-7121 RESERVED CVE-2016-7155 (hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest O ...) {DLA-1599-1} - qemu 1:2.6+dfsg-3.1 (bug #837174) [wheezy] - qemu (Vulnerable code not present, introduced after v1.5) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code not present) NOTE: Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg00050.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1373462 NOTE: http://www.openwall.com/lists/oss-security/2016/09/06/2 NOTE: Vulnerable code introduced after version 1.5: http://wiki.qemu.org/ChangeLog/1.5 CVE-2016-7156 (The pvscsi_convert_sglist function in hw/scsi/vmw_pvscsi.c in QEMU (ak ...) {DLA-1599-1} - qemu 1:2.6+dfsg-3.1 (bug #837339) [wheezy] - qemu (Vulnerable code not present, introduced after v1.5) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code not present) NOTE: Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg00772.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1373478 NOTE: http://www.openwall.com/lists/oss-security/2016/09/06/3 NOTE: Vulnerable code introduced after version 1.5: http://wiki.qemu.org/ChangeLog/1.5 CVE-2016-7157 (The (1) mptsas_config_manufacturing_1 and (2) mptsas_config_ioc_0 func ...) - qemu 1:2.6+dfsg-3.1 (bug #837603) [jessie] - qemu (Vulnerable code not present, introduced after v2.6) [wheezy] - qemu (Vulnerable code not present, introduced after v2.6) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code not present) NOTE: Upstream patches: https://lists.gnu.org/archive/html/qemu-devel/2016-08/msg04295.html NOTE: Upstream patches: https://lists.gnu.org/archive/html/qemu-devel/2016-08/msg04296.html NOTE: http://www.openwall.com/lists/oss-security/2016/09/06/4 NOTE: Vulnerable code introduced after version 2.6: http://wiki.qemu.org/ChangeLog/2.6 CVE-2016-7140 (Multiple cross-site scripting (XSS) vulnerabilities in the ZMI page in ...) NOT-FOR-US: Plone CVE-2016-7139 (Cross-site scripting (XSS) vulnerability in an unspecified page templa ...) NOT-FOR-US: Plone CVE-2016-7138 (Cross-site scripting (XSS) vulnerability in the URL checking infrastru ...) NOT-FOR-US: Plone CVE-2016-7137 (Multiple open redirect vulnerabilities in Plone CMS 5.x through 5.0.6, ...) NOT-FOR-US: Plone CVE-2016-7136 (z3c.form in Plone CMS 5.x through 5.0.6 and 4.x through 4.3.11 allows ...) NOT-FOR-US: Plone CVE-2016-7135 (Directory traversal vulnerability in Plone CMS 5.x through 5.0.6 and 4 ...) NOT-FOR-US: Plone CVE-2016-7141 (curl and libcurl before 7.50.2, when built with NSS and the libnsspem. ...) {DLA-1568-1 DLA-616-1} - curl 7.51.0-1 (bug #836918) NOTE: Only affects libcurl3-nss NOTE: http://seclists.org/oss-sec/2016/q3/419 NOTE: https://curl.haxx.se/docs/adv_20160907.html CVE-2016-7145 (The m_authenticate function in ircd/m_authenticate.c in nefarious2 all ...) NOT-FOR-US: Nefarious 2 CVE-2016-7144 (The m_authenticate function in modules/m_sasl.c in UnrealIRCd before 3 ...) - unrealircd (bug #515130) NOTE: http://www.openwall.com/lists/oss-security/2016/09/04/3 NOTE: unrealircd reportedly vulnerable, and ircd-seven reportedly not vulnerable CVE-2016-7143 (The m_authenticate function in modules/m_sasl.c in Charybdis before 3. ...) {DSA-3661-1} - charybdis 3.5.3-1 (bug #836714) [wheezy] - charybdis (unsupported) NOTE: charybdis patch: https://github.com/charybdis-ircd/charybdis/commit/818a3fda944b26d4814132cee14cfda4ea4aa824 NOTE: http://www.openwall.com/lists/oss-security/2016/09/04/3 CVE-2016-7142 (The m_sasl module in InspIRCd before 2.0.23, when used with a service ...) {DSA-3662-1} - inspircd 2.0.23-1 (bug #836706) [wheezy] - inspircd (not supported in Wheezy) NOTE: http://www.inspircd.org/2016/09/03/v2023-released.html NOTE: http://www.openwall.com/lists/oss-security/2016/09/04/3 CVE-2016-7120 RESERVED CVE-2016-7134 (ext/curl/interface.c in PHP 7.x before 7.0.10 does not work around a l ...) - php7.0 7.0.10-1 - php5 (Only affects PHP 7) NOTE: PHP Bug: https://bugs.php.net/bug.php?id=72674 NOTE: Fixed in 7.0.10 NOTE: http://www.openwall.com/lists/oss-security/2016/09/02/5 NOTE: https://github.com/php/php-src/commit/72dbb7f416160f490c4e9987040989a10ad431c7?w=1 CVE-2016-7133 (Zend/zend_alloc.c in PHP 7.x before 7.0.10, when open_basedir is enabl ...) - php7.0 7.0.10-1 - php5 (Only affects PHP 7) NOTE: PHP Bug: https://bugs.php.net/bug.php?id=72742 NOTE: Fixed in 7.0.10 NOTE: http://www.openwall.com/lists/oss-security/2016/09/02/5 NOTE: https://github.com/php/php-src/commit/c2a13ced4272f2e65d2773e2ea6ca11c1ce4a911?w=1 CVE-2016-7132 (ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remo ...) {DSA-3689-1 DLA-749-1} - php7.0 7.0.10-1 - php5 5.6.26+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=72799 NOTE: Fixed in 7.0.10, 5.6.25 NOTE: http://www.openwall.com/lists/oss-security/2016/09/02/5 NOTE: https://github.com/php/php-src/commit/a14fdb9746262549bbbb96abb87338bacd147e1b?w=1 NOTE: 72790 and 72799 are associated with the same commit. Not all of the NOTE: commit is about the pop issue in 72799. CVE-2016-7131 (ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remo ...) {DSA-3689-1 DLA-749-1} - php7.0 7.0.10-1 - php5 5.6.26+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=72790 NOTE: Fixed in 7.0.10, 5.6.25 NOTE: http://www.openwall.com/lists/oss-security/2016/09/02/5 NOTE: https://github.com/php/php-src/commit/a14fdb9746262549bbbb96abb87338bacd147e1b?w=1 NOTE: Cf. as well https://bugs.php.net/bug.php?id=72799 NOTE: 72790 and 72799 are associated with the same commit. Not all of the NOTE: commit is about the pop issue in 72799. CVE-2016-7130 (The php_wddx_pop_element function in ext/wddx/wddx.c in PHP before 5.6 ...) {DSA-3689-1 DLA-749-1} - php7.0 7.0.10-1 - php5 5.6.26+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=72750 NOTE: Fixed in 7.0.10, 5.6.25 NOTE: http://www.openwall.com/lists/oss-security/2016/09/02/5 NOTE: https://github.com/php/php-src/commit/698a691724c0a949295991e5df091ce16f899e02?w=1 CVE-2016-7129 (The php_wddx_process_data function in ext/wddx/wddx.c in PHP before 5. ...) {DSA-3689-1 DLA-749-1} - php7.0 7.0.10-1 - php5 5.6.26+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=72749 NOTE: Fixed in 7.0.10, 5.6.25 NOTE: http://www.openwall.com/lists/oss-security/2016/09/02/5 NOTE: https://github.com/php/php-src/commit/426aeb2808955ee3d3f52e0cfb102834cdb836a5?w=1 CVE-2016-7128 (The exif_process_IFD_in_TIFF function in ext/exif/exif.c in PHP before ...) {DSA-3689-1 DLA-749-1} - php7.0 7.0.10-1 - php5 5.6.26+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=72627 NOTE: Fixed in 7.0.10, 5.6.25 NOTE: http://www.openwall.com/lists/oss-security/2016/09/02/5 NOTE: https://github.com/php/php-src/commit/6dbb1ee46b5f4725cc6519abf91e512a2a10dfed?w=1 CVE-2016-7127 (The imagegammacorrect function in ext/gd/gd.c in PHP before 5.6.25 and ...) {DSA-3689-1} - libgd2 (gamma correction is only implemented in PHP) - php7.0 7.0.10-1 (unimportant) - php5 5.6.26+dfsg-1 (unimportant) NOTE: PHP Bug: https://bugs.php.net/bug.php?id=72730 NOTE: Fixed in 7.0.10, 5.6.25 NOTE: http://www.openwall.com/lists/oss-security/2016/09/02/5 NOTE: https://github.com/php/php-src/commit/1bd103df00f49cf4d4ade2cfe3f456ac058a4eae?w=1 CVE-2016-7126 (The imagetruecolortopalette function in ext/gd/gd.c in PHP before 5.6. ...) {DSA-3689-1} - libgd2 (libgd upstream not affected, overflow2 function check prevents the issue) - php7.0 7.0.10-1 (unimportant) - php5 5.6.26+dfsg-1 (unimportant) NOTE: PHP Bug: https://bugs.php.net/bug.php?id=72697 NOTE: Fixed in 7.0.10, 5.6.25 NOTE: http://www.openwall.com/lists/oss-security/2016/09/02/5 NOTE: https://github.com/php/php-src/commit/b6f13a5ef9d6280cf984826a5de012a32c396cd4?w=1 CVE-2016-7125 (ext/session/session.c in PHP before 5.6.25 and 7.x before 7.0.10 skips ...) {DSA-3689-1 DLA-628-1} - php7.0 7.0.10-1 - php5 5.6.26+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=72681 NOTE: Fixed in 7.0.10, 5.6.25 NOTE: http://www.openwall.com/lists/oss-security/2016/09/02/5 NOTE: https://github.com/php/php-src/commit/8763c6090d627d8bb0ee1d030c30e58f406be9ce?w=1 NOTE: Scope of CVE also includes the "The similar issue also exist in session php_binary NOTE: handler" part of 72681. CVE-2016-7124 (ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7. ...) {DSA-3689-1 DLA-749-1} - php7.0 7.0.10-1 - php5 5.6.26+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=72663 NOTE: Fixed in 7.0.10, 5.6.25 NOTE: http://www.openwall.com/lists/oss-security/2016/09/02/5 NOTE: https://github.com/php/php-src/commit/20ce2fe8e3c211a42fee05a461a5881be9a8790e?w=1 CVE-2016-7123 (Cross-site request forgery (CSRF) vulnerability in the admin web inter ...) - mailman 2.1.15-1 NOTE: https://bugs.launchpad.net/mailman/+bug/1614841/comments/8 NOTE: https://bugs.launchpad.net/mailman/+bug/775294 CVE-2016-7119 (Cross-site scripting (XSS) vulnerability in the user-profile biography ...) NOT-FOR-US: DotNetNuke CVE-2016-7117 (Use-after-free vulnerability in the __sys_recvmmsg function in net/soc ...) - linux 4.5.2-1 [jessie] - linux 3.16.36-1 [wheezy] - linux 3.2.81-1 NOTE: Fixed by: https://git.kernel.org/linus/34b88a68f26a75e4fded796f1a49c40f82234b7d (4.6-rc1) CVE-2016-7115 (Buffer overflow in the handle_packet function in mactelnet.c in the cl ...) {DLA-639-1} - mactelnet 0.4.4-4 (bug #836320) [jessie] - mactelnet 0.4.0-1+deb8u1 NOTE: https://github.com/haakonnessjoen/MAC-Telnet/commit/b69d11727d4f0f8cf719c79e3fb700f55ca03e9a CVE-2016-7114 (A vulnerability has been identified in Firmware variant PROFINET IO fo ...) NOT-FOR-US: Siemens CVE-2016-7113 (A vulnerability has been identified in Firmware variant PROFINET IO fo ...) NOT-FOR-US: Siemens CVE-2016-7112 (A vulnerability has been identified in Firmware variant PROFINET IO fo ...) NOT-FOR-US: Siemens CVE-2015-8960 (The TLS protocol 1.2 and earlier supports the rsa_fixed_dh, dss_fixed_ ...) NOTE: Vulnerability "in the TLS documentation", not assigned to a specific source/implentation NOTE: https://www.usenix.org/system/files/conference/woot15/woot15-paper-hlauschek.pdf CVE-2015-8956 (The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Li ...) {DSA-3696-1 DLA-670-1} - linux 4.2.1-1 NOTE: Fixed by: https://git.kernel.org/linus/951b6a0717db97ce420547222647bcc40bf1eacd (4.2-rc1) CVE-2015-8955 (arch/arm64/kernel/perf_event.c in the Linux kernel before 4.1 on arm64 ...) - linux 4.1.3-1 [jessie] - linux 3.16.39-1 [wheezy] - linux (Vulnerable code not present; arm64 introduced in 3.7) NOTE: Fixed by: https://git.kernel.org/linus/8fff105e13041e49b82f92eef034f363a6b1c071 (4.1-rc1) CVE-2016-10057 (Buffer overflow in the WriteGROUP4Image function in coders/tiff.c in I ...) {DSA-3675-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #836172) NOTE: https://github.com/ImageMagick/ImageMagick/commit/10b3823a7619ed22d42764733eb052c4159bc8c1 NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3 CVE-2016-10056 (Buffer overflow in the sixel_decode function in coders/sixel.c in Imag ...) {DSA-3675-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #836172) NOTE: https://github.com/ImageMagick/ImageMagick/commit/10b3823a7619ed22d42764733eb052c4159bc8c1 NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3 CVE-2016-10055 (Buffer overflow in the WritePDBImage function in coders/pdb.c in Image ...) {DSA-3675-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #836172) NOTE: https://github.com/ImageMagick/ImageMagick/commit/10b3823a7619ed22d42764733eb052c4159bc8c1 NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3 CVE-2016-10054 (Buffer overflow in the WriteMAPImage function in coders/map.c in Image ...) {DSA-3675-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #836172) NOTE: https://github.com/ImageMagick/ImageMagick/commit/10b3823a7619ed22d42764733eb052c4159bc8c1 NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3 CVE-2016-10053 (The WriteTIFFImage function in coders/tiff.c in ImageMagick before 6.9 ...) {DSA-3675-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #836171) [wheezy] - imagemagick (Vulnerability likely introduced in a version after 6.7.7.10) NOTE: https://github.com/ImageMagick/ImageMagick/commit/f983dcdf9c178e0cbc49608a78713c5669aa1bb5 NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3 CVE-2016-7118 (fs/fcntl.c in the "aufs 3.2.x+setfl-debian" patch in the linux-image p ...) {DLA-609-1} - linux NOTE: Bit of complicated tracking information. For jessie the affected version is not in any yet NOTE: released version, thus should be n/a. wheezy OTOH, has already the issue in a released version. Issue then was fixed in 3.2.81-2 in DLA-609-1 NOTE: http://www.openwall.com/lists/oss-security/2016/08/31/1 CVE-2016-7116 (Directory traversal vulnerability in hw/9pfs/9p.c in QEMU (aka Quick E ...) {DLA-1599-1 DLA-619-1 DLA-618-1} - qemu 1:2.6+dfsg-3.1 (bug #836502) - qemu-kvm NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=56f101ecce0eafd09e2daf1c4eeb1377d6959261 NOTE: May as well need: http://git.qemu.org/?p=qemu.git;a=commit;h=fff39a7ad09da07ef490de05c92c91f22f8002f2 CVE-2016-7110 (Huawei Unified Maintenance Audit (UMA) before V200R001C00SPC200 allows ...) NOT-FOR-US: Huawei UMA CVE-2016-7109 (Huawei Unified Maintenance Audit (UMA) before V200R001C00SPC200 allows ...) NOT-FOR-US: Huawei UMA CVE-2016-7108 (Huawei Unified Maintenance Audit (UMA) before V200R001C00SPC200 SPH206 ...) NOT-FOR-US: Huawei UMA CVE-2016-7107 (Huawei Unified Maintenance Audit (UMA) before V200R001C00SPC200 SPH206 ...) NOT-FOR-US: Huawei UMA CVE-2016-7106 RESERVED CVE-2016-7105 RESERVED CVE-2016-7104 RESERVED CVE-2016-7102 (ownCloud Desktop before 2.2.3 allows local users to execute arbitrary ...) NOT-FOR-US: ownCloud Desktop CVE-2016-7101 (The SGI coder in ImageMagick before 7.0.2-10 allows remote attackers t ...) {DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #836776) [jessie] - imagemagick 8:6.8.9.9-5+deb8u5 CVE-2016-7100 RESERVED CVE-2016-7099 (The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, ...) - nodejs 4.6.0~dfsg-1 (bug #839714; unimportant) NOTE: https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/ NOTE: 0.10.x: https://github.com/nodejs/node/commit/0d7e21ee7bcc79046f898f8c202d2ec87d23d711 NOTE: 4.x: https://github.com/nodejs/node/commit/3ff82deb2c3bd580d64be75dbafe460393c952fb CVE-2016-7096 RESERVED CVE-2016-7095 (Exponent CMS before 2.3.9 is vulnerable to an attacker uploading a mal ...) NOT-FOR-US: Exponent CMS CVE-2016-7111 (MantisBT before 1.3.1 and 2.x before 2.0.0-beta.2 uses a weak Content ...) - mantis (Vulnerable code introduced in 1.3.0-rc.2) NOTE: https://github.com/mantisbt/mantisbt/commit/b3511d2feb47eaee41feb5f69cf3c8a2c9acd229 NOTE: https://mantisbt.org/bugs/view.php?id=21263 CVE-2016-7103 (Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 mi ...) - jqueryui 1.12.1+dfsg-1 [jessie] - jqueryui (Minor issue) [wheezy] - jqueryui (Minor issue) NOTE: https://nodesecurity.io/advisories/127 NOTE: https://github.com/jquery/jquery-ui/pull/1622 NOTE: https://github.com/jquery/jquery-ui/pull/1632 NOTE: https://github.com/jquery/api.jqueryui.com/issues/281 CVE-2016-7094 (Buffer overflow in Xen 4.7.x and earlier allows local x86 HVM guest OS ...) {DSA-3663-1 DLA-614-1} - xen 4.8.0~rc3-1 NOTE: http://xenbits.xen.org/xsa/advisory-187.html CVE-2016-7093 (Xen 4.5.3, 4.6.3, and 4.7.x allow local HVM guest OS administrators to ...) - xen (Affects only 4.7.0 and later; 4.6.3 and 4.5.3) NOTE: http://xenbits.xen.org/xsa/advisory-186.html CVE-2016-7092 (The get_page_from_l3e function in arch/x86/mm.c in Xen allows local 32 ...) {DSA-3663-1 DLA-614-1} - xen 4.8.0~rc3-1 NOTE: http://xenbits.xen.org/xsa/advisory-185.html CVE-2016-7090 (The integrated web server on Siemens SCALANCE M-800 and S615 modules w ...) NOT-FOR-US: Siemens CVE-2016-7098 (Race condition in wget 1.17 and earlier, when used in recursive or mir ...) {DLA-2086-1} - wget 1.18-4 (low; bug #836503) [wheezy] - wget (Minor issue) NOTE: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=9ffb64ba6a8121909b01e984deddce8d096c498d NOTE: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=690c47e3b18c099843cdf557a0425d701fca4957 CVE-2016-7097 (The filesystem implementation in the Linux kernel through 4.8.2 preser ...) {DLA-772-1} - linux 4.7.8-1 [jessie] - linux 3.16.39-1 NOTE: http://www.spinics.net/lists/linux-fsdevel/msg98328.html NOTE: http://marc.info/?l=linux-fsdevel&m=147162313630259&w=2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1368938 NOTE: Fixed by: https://git.kernel.org/linus/073931017b49d9458aa351605b43a7e34598caef CVE-2016-7091 (sudo: It was discovered that the default sudo configuration on Red Hat ...) - sudo (Debian not including INPUTRC in /etc/sudoers) NOTE: Cf. https://bugzilla.redhat.com/show_bug.cgi?id=1339935 NOTE: The scope of this CVE is the entire 'INPUTRC should NOTE: not be included in "env_keep" at all, or else somehow restricted' NOTE: problem, which has both the information disclosure and segmentation NOTE: fault outcomes. NOTE: Debian does not include INPUTRC by default in /etc/sudoers CVE-2016-7089 (WatchGuard RapidStream appliances allow local users to gain privileges ...) NOT-FOR-US: WatchGuard CVE-2016-7088 RESERVED CVE-2016-7087 (Directory traversal vulnerability in the Connection Server in VMware H ...) NOT-FOR-US: VMware CVE-2016-7086 (The installer in VMware Workstation Pro 12.x before 12.5.0 and VMware ...) NOT-FOR-US: VMware CVE-2016-7085 (Untrusted search path vulnerability in the installer in VMware Worksta ...) NOT-FOR-US: VMware CVE-2016-7084 (tpview.dll in VMware Workstation Pro 12.x before 12.5.0 and VMware Wor ...) NOT-FOR-US: VMware CVE-2016-7083 (VMware Workstation Pro 12.x before 12.5.0 and VMware Workstation Playe ...) NOT-FOR-US: VMware CVE-2016-7082 (VMware Workstation Pro 12.x before 12.5.0 and VMware Workstation Playe ...) NOT-FOR-US: VMware CVE-2016-7081 (Multiple heap-based buffer overflows in VMware Workstation Pro 12.x be ...) NOT-FOR-US: VMware CVE-2016-7080 (The graphic acceleration functions in VMware Tools 9.x and 10.x before ...) NOT-FOR-US: VMware CVE-2016-7079 (The graphic acceleration functions in VMware Tools 9.x and 10.x before ...) NOT-FOR-US: VMware CVE-2016-7078 (foreman before version 1.15.0 is vulnerable to an information leak thr ...) - foreman (bug #663101) NOTE: http://projects.theforeman.org/issues/16982 CVE-2016-7077 (foreman before 1.14.0 is vulnerable to an information leak. It was fou ...) - foreman (bug #663101) NOTE: http://projects.theforeman.org/issues/16971 CVE-2016-7076 (sudo before version 1.8.18p1 is vulnerable to a bypass in the sudo noe ...) {DLA-707-1} - sudo 1.8.18p1-1 (bug #842507) [jessie] - sudo (Minor issue) NOTE: https://www.sudo.ws/alerts/noexec_wordexp.html NOTE: https://www.sudo.ws/repos/sudo/rev/e7d09243e51b NOTE: https://www.sudo.ws/repos/sudo/rev/7b8357b0a358 NOTE: https://www.sudo.ws/repos/sudo/rev/167a518d8129 NOTE: Might need as well: https://bugzilla.sudo.ws/show_bug.cgi?id=761 CVE-2016-7075 (It was found that Kubernetes as used by Openshift Enterprise 3 did not ...) - kubernetes 1.5.5+dfsg-1 (bug #795652) NOTE: https://github.com/kubernetes/kubernetes/issues/34517 CVE-2016-7074 (An issue has been found in PowerDNS before 3.4.11 and 4.0.2, and Power ...) {DSA-3764-1 DLA-798-1} - pdns 4.0.2-1 - pdns-recursor 4.0.4-1 [jessie] - pdns-recursor (Only >= 4.0.0 affected) [wheezy] - pdns-recursor (Only >= 4.0.0 affected) NOTE: https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ CVE-2016-7073 (An issue has been found in PowerDNS before 3.4.11 and 4.0.2, and Power ...) {DSA-3764-1 DLA-798-1} - pdns 4.0.2-1 - pdns-recursor 4.0.4-1 [jessie] - pdns-recursor (Only >= 4.0.0 affected) [wheezy] - pdns-recursor (Only >= 4.0.0 affected) NOTE: https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ CVE-2016-7072 (An issue has been found in PowerDNS Authoritative Server before 3.4.11 ...) {DSA-3764-1 DLA-798-1} - pdns 4.0.2-1 NOTE: https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ CVE-2016-7071 (It was found that the CloudForms before 5.6.2.2, and 5.7.0.7 did not p ...) NOT-FOR-US: Red Hat CloudForms CVE-2016-7070 (A privilege escalation flaw was found in the Ansible Tower. When Tower ...) NOT-FOR-US: Ansible Tower CVE-2016-7069 (An issue has been found in dnsdist before 1.2.0 in the way EDNS0 OPT r ...) - dnsdist 1.2.0-1 (low; bug #872854) [stretch] - dnsdist 1.1.0-2+deb9u1 NOTE: https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2017-01.html NOTE: https://downloads.powerdns.com/patches/2017-01 CVE-2016-7068 (An issue has been found in PowerDNS before 3.4.11 and 4.0.2, and Power ...) {DSA-3764-1 DSA-3763-1 DLA-798-1 DLA-788-1} - pdns 4.0.2-1 - pdns-recursor 4.0.4-1 NOTE: https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ CVE-2016-7067 (Monit before version 5.20.0 is vulnerable to a cross site request forg ...) {DLA-732-1} - monit 1:5.20.0-1 [jessie] - monit (Minor issue) NOTE: https://bitbucket.org/tildeslash/monit/commits/c6ec3820e627f85417053e6336de2987f2d863e3?at=master NOTE: Although configured only on localhost, the httpd service is started by NOTE: default and accessible. CVE-2016-7066 (It was found that the improper default permissions on /tmp/auth direct ...) NOT-FOR-US: admin-cli / jboss-cli in Red Hat CVE-2016-7065 (The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) ...) NOT-FOR-US: Red Hat JBoss EAP CVE-2016-7064 RESERVED CVE-2016-7063 RESERVED CVE-2016-7062 (rhscon-ceph in Red Hat Storage Console 2 x86_64 and Red Hat Storage Co ...) NOT-FOR-US: Red Hat rhscon-core CVE-2016-7061 (An information disclosure vulnerability was found in JBoss Enterprise ...) NOT-FOR-US: Red Hat JBoss Enterprise Application Platform CVE-2016-7060 (The web interface in Red Hat QuickStart Cloud Installer (QCI) 1.0 does ...) NOT-FOR-US: Red Hat QCI CVE-2016-7059 REJECTED CVE-2016-7058 REJECTED CVE-2016-7057 REJECTED CVE-2016-7056 (A timing attack flaw was found in OpenSSL 1.0.1u and before that could ...) {DSA-3773-1 DLA-814-1} - openssl 1.0.2a-1 - openssl1.0 (Fixed before initial upload to Debian) NOTE: https://eprint.iacr.org/2016/1195.pdf NOTE: Fixed by: https://git.openssl.org/?p=openssl.git;a=commit;h=f54be179aa4cbbd944728771d7d59ed588158a12 NOTE: Fixed by: https://git.openssl.org/?p=openssl.git;a=commit;h=8aed2a7548362e88e84a7feb795a3a97e8395008 (OpenSSL_1_0_2-beta3) CVE-2016-7055 (There is a carry propagating bug in the Broadwell-specific Montgomery ...) - openssl 1.1.0c-1 (low) [jessie] - openssl (Only affects 1.0.2 and 1.1.0) [wheezy] - openssl (Only affects 1.0.2 and 1.1.0) - openssl1.0 1.0.2k-1 (low) NOTE: https://www.openssl.org/news/secadv/20161110.txt NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=2fac86d9abeaa643677d1ffd0a139239fdf9406a CVE-2016-7054 (In OpenSSL 1.1.0 before 1.1.0c, TLS connections using *-CHACHA20-POLY1 ...) - openssl 1.1.0c-1 [jessie] - openssl (Only affects 1.1.0) [wheezy] - openssl (Only affects 1.1.0) - openssl1.0 (Only affects 1.1.0) NOTE: https://www.openssl.org/news/secadv/20161110.txt CVE-2016-7053 (In OpenSSL 1.1.0 before 1.1.0c, applications parsing invalid CMS struc ...) - openssl 1.1.0c-1 [jessie] - openssl (Only affects 1.1.0) [wheezy] - openssl (Only affects 1.1.0) - openssl1.0 (Only affects 1.1.0) NOTE: https://www.openssl.org/news/secadv/20161110.txt CVE-2016-7052 (crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to ca ...) - openssl 1.0.2j-1 [jessie] - openssl (Introduced in 1.0.2i) [wheezy] - openssl (Introduced in 1.0.2i) NOTE: https://www.openssl.org/news/secadv/20160926.txt CVE-2016-7051 (XmlMapper in the Jackson XML dataformat component (aka jackson-datafor ...) - jackson-dataformat-xml 2.8.5-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1378673#c7 NOTE: https://github.com/FasterXML/jackson-dataformat-xml/issues/211 NOTE: https://github.com/FasterXML/jackson-dataformat-xml/commit/eeff2c312e9d4caa8c9f27b8f740c7529d00524a (2.7.8) CVE-2016-7050 (SerializableProvider in RESTEasy in Red Hat Enterprise Linux Desktop 7 ...) - resteasy 3.0.18-1 [jessie] - resteasy (Minor issue) - resteasy3.0 (Fixed before initial release to Debian) NOTE: The SerializableProvider has been disabled by default in 3.0.17 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1378613 CVE-2016-7049 RESERVED CVE-2016-7048 (The interactive installer in PostgreSQL before 9.3.15, 9.4.x before 9. ...) NOT-FOR-US: interactive installer used in EnterpriseDB-supplied PostgreSQL packages CVE-2016-7047 (A flaw was found in the CloudForms API before 5.6.3.0, 5.7.3.1 and 5.8 ...) NOT-FOR-US: Red Hat CloudForms Management Engine CVE-2016-7046 (Red Hat JBoss Enterprise Application Platform (EAP) 7, when operating ...) - undertow 1.4.3-1 (bug #838600) NOTE: https://github.com/undertow-io/undertow/commit/c518b5a1784061d807efedcef0a03fcd35a53de2 CVE-2016-7045 (The format_send_to_gui function in the format parsing code in Irssi be ...) {DSA-3672-1} - irssi 0.8.20-1 [wheezy] - irssi (Introduced in 0.8.17-beta) NOTE: http://irssi.org/security/irssi_sa_2016.txt CVE-2016-7044 (The unformat_24bit_color function in the format parsing code in Irssi ...) {DSA-3672-1} - irssi 0.8.20-1 [wheezy] - irssi (Introduced in 0.8.17-beta) NOTE: http://irssi.org/security/irssi_sa_2016.txt CVE-2016-7043 (It has been reported that KIE server and Busitess Central before versi ...) NOT-FOR-US: Kie server CVE-2016-7042 (The proc_keys_show function in security/keys/proc.c in the Linux kerne ...) {DSA-3696-1 DLA-670-1} - linux 4.7.8-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1373966 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1373499 NOTE: https://git.kernel.org/linus/03dab869b7b239c4e013ec82aea22e181e441cfc CVE-2016-7041 (Drools Workbench contains a path traversal vulnerability. The vulnerab ...) NOT-FOR-US: JBoss Drolls Workbench CVE-2016-7040 (Red Hat CloudForms Management Engine 4.1 does not properly handle regu ...) NOT-FOR-US: Red Hat CloudForms CVE-2016-7039 (The IP stack in the Linux kernel through 4.8.2 allows remote attackers ...) - linux 4.7.8-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=fcd91dd449867c6bfe56a81cabba76b829fd05cd NOTE: Introduced by: https://git.kernel.org/linus/9b174d88c257150562b0101fcc6cb6c3cb74275c (v4.0-rc1) NOTE: Intorduced by: https://git.kernel.org/linus/66e5133f19e901a044fa5eaeeb6ecff4545839e5 (v4.2-rc1) CVE-2016-7038 (In Moodle 2.x and 3.x, web service tokens are not invalidated when the ...) - moodle 2.7.16+dfsg-1 CVE-2016-7037 (The verify function in Encryption/Symmetric.php in Malcolm Fell jwt be ...) NOT-FOR-US: Malcolm Fell jwt CVE-2016-7036 (python-jose before 1.3.2 allows attackers to have unspecified impact b ...) NOT-FOR-US: Python jose CVE-2016-7035 (An authorization flaw was found in Pacemaker before 1.1.16, where it d ...) - pacemaker 1.1.15-3 (bug #843041) [wheezy] - pacemaker (Vulnerable code introduced later) NOTE: https://github.com/ClusterLabs/pacemaker/pull/1166/commits/5a20855d6054ebaae590c09262b328d957cc1fc2 CVE-2016-7034 (The dashbuilder in Red Hat JBoss BPM Suite 6.3.2 does not properly han ...) NOT-FOR-US: JBoss BPMS CVE-2016-7033 (Multiple cross-site scripting (XSS) vulnerabilities in the admin pages ...) NOT-FOR-US: JBoss BPMS CVE-2016-7032 (sudo_noexec.so in Sudo before 1.8.15 on Linux might allow local users ...) {DLA-707-1} - sudo 1.8.15-1 [jessie] - sudo (Minor issue) NOTE: https://www.sudo.ws/alerts/noexec_bypass.html NOTE: This CVE is for the bypass via system() and popen(). The wordpexp() bypass NOTE: is tracked under CVE-2016-7076. NOTE: https://www.sudo.ws/devel.html#1.8.15rc1 NOTE: https://www.sudo.ws/repos/sudo/rev/58a5c06b5257 NOTE: https://www.sudo.ws/repos/sudo/rev/a826cd7787e9 CVE-2016-7031 (The RGW code in Ceph before 10.0.1, when authenticated-read ACL is app ...) - ceph 10.2.5-1 (bug #838026) [jessie] - ceph 0.80.7-2+deb8u2 NOTE: http://tracker.ceph.com/issues/13207 NOTE: https://github.com/ceph/ceph/pull/6057 NOTE: https://github.com/ceph/ceph/pull/11045 CVE-2016-7030 (FreeIPA uses a default password policy that locks an account after 5 u ...) - freeipa 4.4.4-1 (bug #849970) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1370493 NOTE: https://fedorahosted.org/freeipa/ticket/6561 NOTE: Upstream patch: https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=6f1d92746 NOTE: Additional dependency: https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=73f33569c CVE-2016-7029 RESERVED CVE-2016-7027 REJECTED CVE-2016-7026 REJECTED CVE-2016-7025 REJECTED CVE-2016-7024 REJECTED CVE-2016-7023 REJECTED CVE-2016-7022 REJECTED CVE-2016-7021 REJECTED CVE-2016-7020 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.366 a ...) NOT-FOR-US: Adobe Flash Player CVE-2016-7019 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-7018 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-7017 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-7016 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-7015 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-7014 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-7013 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-7012 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-7011 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-7010 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-7009 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-7008 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-7007 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-7006 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-7005 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-7004 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-7003 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-7002 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-7001 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-7000 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6999 (Integer overflow in Adobe Reader and Acrobat before 11.0.18, Acrobat a ...) NOT-FOR-US: Adobe CVE-2016-6998 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6997 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6996 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6995 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6994 (Heap-based buffer overflow in Adobe Reader and Acrobat before 11.0.18, ...) NOT-FOR-US: Adobe CVE-2016-6993 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe CVE-2016-6992 (Adobe Flash Player before 18.0.0.382 and 19.x through 23.x before 23.0 ...) NOT-FOR-US: Adobe CVE-2016-6991 REJECTED CVE-2016-6990 (Adobe Flash Player before 18.0.0.382 and 19.x through 23.x before 23.0 ...) NOT-FOR-US: Adobe CVE-2016-6989 (Adobe Flash Player before 18.0.0.382 and 19.x through 23.x before 23.0 ...) NOT-FOR-US: Adobe CVE-2016-6988 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe CVE-2016-6987 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.382 a ...) NOT-FOR-US: Adobe CVE-2016-6986 (Adobe Flash Player before 18.0.0.382 and 19.x through 23.x before 23.0 ...) NOT-FOR-US: Adobe CVE-2016-6985 (Adobe Flash Player before 18.0.0.382 and 19.x through 23.x before 23.0 ...) NOT-FOR-US: Adobe CVE-2016-6984 (Adobe Flash Player before 18.0.0.382 and 19.x through 23.x before 23.0 ...) NOT-FOR-US: Adobe CVE-2016-6983 (Adobe Flash Player before 18.0.0.382 and 19.x through 23.x before 23.0 ...) NOT-FOR-US: Adobe CVE-2016-6982 (Adobe Flash Player before 18.0.0.382 and 19.x through 23.x before 23.0 ...) NOT-FOR-US: Adobe CVE-2016-6981 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.382 a ...) NOT-FOR-US: Adobe CVE-2016-6980 (Use-after-free vulnerability in Adobe Digital Editions before 4.5.2 al ...) NOT-FOR-US: Adobe CVE-2016-6979 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe CVE-2016-6978 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6977 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6976 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6975 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6974 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6973 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6972 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6971 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe CVE-2016-6970 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6969 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe CVE-2016-6968 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe CVE-2016-6967 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe CVE-2016-6966 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6965 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe CVE-2016-6964 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe CVE-2016-6963 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe CVE-2016-6962 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe CVE-2016-6961 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe CVE-2016-6960 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6959 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6958 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6957 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6956 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6955 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6954 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6953 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe CVE-2016-6952 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe CVE-2016-6951 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6950 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6949 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe CVE-2016-6948 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6947 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6946 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe CVE-2016-6945 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe CVE-2016-6944 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe CVE-2016-6943 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6942 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6941 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6940 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6939 (Heap-based buffer overflow in Adobe Reader and Acrobat before 11.0.18, ...) NOT-FOR-US: Adobe CVE-2016-6938 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe CVE-2016-6937 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-6936 (Adobe AIR SDK & Compiler before 23.0.0.257 on Windows does not sup ...) NOT-FOR-US: Adobe CVE-2016-6935 (Unquoted Windows search path vulnerability in Adobe Creative Cloud Des ...) NOT-FOR-US: Adobe CVE-2016-6934 (Adobe Experience Manager Forms versions 6.2 and earlier, LiveCycle 11. ...) NOT-FOR-US: Adobe CVE-2016-6933 (Adobe Experience Manager Forms versions 6.2 and earlier, LiveCycle 11. ...) NOT-FOR-US: Adobe CVE-2016-6932 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.375 a ...) NOT-FOR-US: Adobe Flash Player CVE-2016-6931 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.375 a ...) NOT-FOR-US: Adobe Flash Player CVE-2016-6930 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.375 a ...) NOT-FOR-US: Adobe Flash Player CVE-2016-6929 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.375 a ...) NOT-FOR-US: Adobe Flash Player CVE-2016-6928 REJECTED CVE-2016-6927 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.375 a ...) NOT-FOR-US: Adobe Flash Player CVE-2016-6926 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.375 a ...) NOT-FOR-US: Adobe Flash Player CVE-2016-6925 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.375 a ...) NOT-FOR-US: Adobe Flash Player CVE-2016-6924 (Adobe Flash Player before 18.0.0.375 and 19.x through 23.x before 23.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-6923 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.375 a ...) NOT-FOR-US: Adobe Flash Player CVE-2016-6922 (Adobe Flash Player before 18.0.0.375 and 19.x through 23.x before 23.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-6921 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.375 a ...) NOT-FOR-US: Adobe Flash Player CVE-2016-6920 (Heap-based buffer overflow in the decode_block function in libavcodec/ ...) - ffmpeg 7:3.1.3-1 - libav NOTE: Vulnerable code not present in any Libav version. CVE-2016-6919 RESERVED CVE-2016-6918 (Lexmark Markvision Enterprise (MVE) before 2.4.1 allows remote attacke ...) NOT-FOR-US: Lexmark CVE-2016-6917 (Buffer overflow in nvhost_job.c in the NVIDIA video driver for Android ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-6916 (Integer overflow in nvhost_job.c in the NVIDIA video driver for Androi ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-6915 (Stack-based buffer overflow in nvhost_job.c in the NVIDIA video driver ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-6914 (Ubiquiti UniFi Video before 3.8.0 for Windows uses weak permissions fo ...) NOT-FOR-US: Ubiquiti UniFi Video CVE-2016-6913 (Cross-site scripting (XSS) vulnerability in AlienVault OSSIM before 5. ...) NOT-FOR-US: OSSIM CVE-2016-6912 (Double free vulnerability in the gdImageWebPtr function in the GD Grap ...) {DSA-3777-1} - libgd2 2.2.4-1 [wheezy] - libgd2 (Vulnerable code introduced later) NOTE: https://github.com/libgd/libgd/commit/a49feeae76d41959d85ee733925a4cf40bac61b2 CVE-2016-6910 (The non-existent notification listener vulnerability was introduced in ...) NOT-FOR-US: Android build by Samsung CVE-2016-6909 (Buffer overflow in the Cookie parser in Fortinet FortiOS 4.x before 4. ...) NOT-FOR-US: Fortinet CVE-2016-6908 (Characters from languages are such as Arabic, Hebrew are displayed fro ...) NOT-FOR-US: Opera CVE-2016-6907 RESERVED CVE-2016-6906 (The read_image_tga function in gd_tga.c in the GD Graphics Library (ak ...) {DSA-3777-1} - libgd2 2.2.4-1 [wheezy] - libgd2 (Vulnerable code introduced later) NOTE: Fixed by: https://github.com/libgd/libgd/commit/fb0e0cce0b9f25389ab56604c3547351617e1415 NOTE: Fixed by: https://github.com/libgd/libgd/commit/58b6dde319c301b0eae27d12e2a659e067d80558 CVE-2016-6904 (Versions of VASA Provider for Clustered Data ONTAP prior to 7.0P1 cont ...) NOT-FOR-US: NetAPP CVE-2016-6901 (Format string vulnerability in Huawei AR100, AR120, AR150, AR200, AR50 ...) NOT-FOR-US: Huawei Routers CVE-2016-6900 (The Intelligent Baseboard Management Controller (iBMC) in Huawei RH128 ...) NOT-FOR-US: Huawei FusionServer CVE-2016-6899 (The Intelligent Baseboard Management Controller (iBMC) in Huawei RH128 ...) NOT-FOR-US: Huawei FusionServer CVE-2016-6898 (XML external entity (XXE) vulnerability in the Hyper Management Module ...) NOT-FOR-US: Huawei FusionServer CVE-2016-6895 REJECTED CVE-2016-6894 (Arista EOS 4.15 before 4.15.8M, 4.16 before 4.16.7M, and 4.17 before 4 ...) NOT-FOR-US: Arista EOS CVE-2016-6892 (The x509FreeExtensions function in MatrixSSL before 3.8.6 allows remot ...) - matrixssl [wheezy] - matrixssl (not supported in Wheezy) NOTE: https://www.kb.cert.org/vuls/id/396440 CVE-2016-6891 (MatrixSSL before 3.8.6 allows remote attackers to cause a denial of se ...) - matrixssl [wheezy] - matrixssl (not supported in Wheezy) NOTE: https://www.kb.cert.org/vuls/id/396440 CVE-2016-6890 (Heap-based buffer overflow in MatrixSSL before 3.8.6 allows remote att ...) - matrixssl [wheezy] - matrixssl (not supported in Wheezy) NOTE: https://www.kb.cert.org/vuls/id/396440 CVE-2016-6889 RESERVED CVE-2016-6881 (The zlib_refill function in libavformat/swfdec.c in FFmpeg before 3.1. ...) - ffmpeg 7:3.1.3-1 (unimportant) - libav NOTE: http://www.openwall.com/lists/oss-security/2016/09/26/6 NOTE: https://github.com/FFmpeg/FFmpeg/commit/4770eac6 NOTE: Vulnerable code not present in any Libav version. CVE-2016-6902 (lshell 0.9.16 allows remote authenticated users to break out of a limi ...) - lshell (bug #834949) [wheezy] - lshell (Vulnerable code not present) NOTE: https://github.com/ghantoos/lshell/issues/147 NOTE: http://www.openwall.com/lists/oss-security/2016/08/22/15 NOTE: As for 2016-08-23 https://github.com/ghantoos/lshell/issues/147#issuecomment-241366750 ist still NOTE: as well under the scope of CVE-2016-6902, until "there is further vendor followup NOTE: about issues/147" and possibly a new/additional CVE assignment. CVE-2016-6903 (lshell 0.9.16 allows remote authenticated users to break out of a limi ...) - lshell (bug #834946) [wheezy] - lshell (Vulnerable code not present) NOTE: https://github.com/ghantoos/lshell/issues/149 NOTE: http://www.openwall.com/lists/oss-security/2016/08/22/15 CVE-2016-6897 (Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_ ...) - wordpress 4.6.1+dfsg-1 (bug #837090) [jessie] - wordpress (wp_ajax_update_plugin function introduced in 4.2) [wheezy] - wordpress (wp_ajax_update_plugin function introduced in 4.2) NOTE: http://seclists.org/oss-sec/2016/q3/347 NOTE: https://sumofpwn.nl/advisory/2016/path_traversal_vulnerability_in_wordpress_core_ajax_handlers.html NOTE: https://core.trac.wordpress.org/changeset/38168 CVE-2016-6896 (Directory traversal vulnerability in the wp_ajax_update_plugin functio ...) - wordpress 4.6.1+dfsg-1 (bug #837090) [jessie] - wordpress (wp_ajax_update_plugin function introduced in 4.2) [wheezy] - wordpress (wp_ajax_update_plugin function introduced in 4.2) NOTE: http://seclists.org/oss-sec/2016/q3/347 NOTE: https://sumofpwn.nl/advisory/2016/path_traversal_vulnerability_in_wordpress_core_ajax_handlers.html NOTE: https://core.trac.wordpress.org/changeset/38168 CVE-2016-6893 (Cross-site request forgery (CSRF) vulnerability in the user options pa ...) {DSA-3668-1 DLA-608-1} - mailman 1:2.1.23-1 (bug #835970) NOTE: https://mail.python.org/pipermail/mailman-announce/2016-August/000225.html NOTE: https://bugs.launchpad.net/mailman/+bug/1614841 NOTE: https://mail.python.org/pipermail/mailman-announce/2016-August/000226.html CVE-2016-6880 RESERVED CVE-2016-6879 (The X509_Certificate::allowed_usage function in botan 1.11.x before 1. ...) - botan1.10 (Introduced in 1.11.0) NOTE: Introduced in 1.11.0, fixed in 1.11.31 CVE-2016-6878 (The Curve25519 code in botan before 1.11.31, on systems without a nati ...) - botan1.10 (Introduced in 1.11.12) NOTE: Introduced in 1.11.12, fixed in 1.11.31 CVE-2016-6877 (** DISPUTED ** Citrix XenMobile Server before 10.5.0.24 allows man-in- ...) NOT-FOR-US: Citrix CVE-2016-6876 (The RESOLV::lookup iRule command in F5 BIG-IP LTM, APM, ASM, and Link ...) NOT-FOR-US: F5 CVE-2016-6869 RESERVED CVE-2016-6868 RESERVED CVE-2016-6867 RESERVED CVE-2016-6865 RESERVED CVE-2016-6864 RESERVED CVE-2016-6863 RESERVED CVE-2016-6862 RESERVED CVE-2016-6861 RESERVED CVE-2016-6860 RESERVED CVE-2016-6859 (Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote ...) NOT-FOR-US: SAP Hybris CVE-2016-6858 (Cross-site scripting (XSS) vulnerability in the Create Employee featur ...) NOT-FOR-US: SAP Hybris CVE-2016-6857 (Cross-site scripting (XSS) vulnerability in the Create Catalogue featu ...) NOT-FOR-US: SAP Hybris CVE-2016-6856 (Cross-site scripting (XSS) vulnerability in the Inbox Search feature i ...) NOT-FOR-US: SAP Hybris CVE-2016-6855 (Eye of GNOME (aka eog) 3.16.5, 3.17.x, 3.18.x before 3.18.3, 3.19.x, a ...) {DLA-2185-1 DLA-605-1} - eog 3.20.4-1 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=770143 NOTE: https://git.gnome.org/browse/eog/commit/?id=e99a8c00f959652fe7c10e2fa5a3a7a5c25e6af4 CVE-2016-6854 (An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Sc ...) NOT-FOR-US: Open-Xchange CVE-2016-6853 (An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Sc ...) NOT-FOR-US: Open-Xchange CVE-2016-6852 (An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8 ...) NOT-FOR-US: Open-Xchange CVE-2016-6851 (An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Sc ...) NOT-FOR-US: Open-Xchange CVE-2016-6850 (An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8 ...) NOT-FOR-US: Open-Xchange CVE-2016-6849 RESERVED CVE-2016-6848 (An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8 ...) NOT-FOR-US: Open-Xchange CVE-2016-6847 (An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8 ...) NOT-FOR-US: Open-Xchange CVE-2016-6846 (Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite ...) NOT-FOR-US: Open-Xchange CVE-2016-6845 (An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8 ...) NOT-FOR-US: Open-Xchange CVE-2016-6844 (An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8 ...) NOT-FOR-US: Open-Xchange CVE-2016-6843 (An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8 ...) NOT-FOR-US: Open-Xchange CVE-2016-6842 (An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8 ...) NOT-FOR-US: Open-Xchange CVE-2016-6841 RESERVED CVE-2016-6840 (Cross-site scripting (XSS) vulnerability in the management interface i ...) NOT-FOR-US: Huawei CVE-2016-6839 (CRLF injection vulnerability in Huawei FusionAccess before V100R006C00 ...) NOT-FOR-US: Huawei FusionAccess CVE-2016-6838 (Huawei X6800 and XH620 V3 servers with software before V100R003C00SPC6 ...) NOT-FOR-US: Huawei FusionServer CVE-2016-6829 (The trove service user in (1) Openstack deployment (aka crowbar-openst ...) NOT-FOR-US: Crowbar Framework CVE-2016-6827 (Huawei FusionCompute before V100R005C10CP7002 stores cleartext AES key ...) NOT-FOR-US: Huawei FusionCompute CVE-2016-6826 (Huawei AnyMail before 2.6.0301.0060 allows remote attackers to cause a ...) NOT-FOR-US: Huawei AnyMail CVE-2016-6825 (Huawei XH620 V3, XH622 V3, and XH628 V3 servers with software before V ...) NOT-FOR-US: Huawei FusionServer Node CVE-2016-6824 (Huawei AC6003, AC6005, AC6605, and ACU2 access controllers with softwa ...) NOT-FOR-US: Huawei Campus Switch CVE-2016-6888 (Integer overflow in the net_tx_pkt_init function in hw/net/net_tx_pkt. ...) {DLA-1599-1} - qemu 1:2.6+dfsg-3.1 (bug #834902) [wheezy] - qemu (Vulnerable code not present, vmxnet3 introduced in 1.5) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code not present, vmxnet3 introduced in 1.5) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-08/msg03176.html NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=47882fa4975bf0b58dd74474329fdd7154e8f04c CVE-2016-6875 (Infinite recursion in wddx in Facebook HHVM before 3.15.0 allows attac ...) - hhvm 3.12.11+dfsg-1 (bug #835032) NOTE: https://github.com/facebook/hhvm/commit/1888810e77b446a79a7674784d5f139fcfa605e2 CVE-2016-6874 (The array_*_recursive functions in Facebook HHVM before 3.15.0 allows ...) - hhvm 3.12.11+dfsg-1 (bug #835032) NOTE: https://github.com/facebook/hhvm/commit/05e706d98f748f609b19d8697e490eaab5007d69 CVE-2016-6873 (Self recursion in compact in Facebook HHVM before 3.15.0 allows attack ...) - hhvm 3.12.11+dfsg-1 (bug #835032) NOTE: https://github.com/facebook/hhvm/commit/e264f04ae825a5d97758130cf8eec99862517e7e CVE-2016-6872 (Integer overflow in StringUtil::implode in Facebook HHVM before 3.15.0 ...) - hhvm 3.12.11+dfsg-1 (bug #835032) NOTE: https://github.com/facebook/hhvm/commit/2c9a8fcc73a151608634d3e712973d192027c271 CVE-2016-6871 (Integer overflow in bcmath in Facebook HHVM before 3.15.0 allows attac ...) - hhvm 3.12.11+dfsg-1 (bug #835032) NOTE: https://github.com/facebook/hhvm/commit/c00fc9d3003eb06226b58b6a48555f1456ee2475 CVE-2016-6870 (Out-of-bounds write in the (1) mb_detect_encoding, (2) mb_send_mail, a ...) - hhvm 3.12.11+dfsg-1 (bug #835032) NOTE: https://github.com/facebook/hhvm/commit/365abe807cab2d60dc9ec307292a06181f77a9c2 CVE-2016-6866 (slock allows attackers to bypass the screen lock via vectors involving ...) {DLA-598-1} - suckless-tools 41-1 [jessie] - suckless-tools 40-1+deb8u2 NOTE: http://www.openwall.com/lists/oss-security/2016/08/18/22 NOTE: http://s1m0n.dft-labs.eu/files/slock/ NOTE: Starting with 41-1 slock.c got patched to use PAM, cf. #739629 NOTE: and with the patch readpw(dpy, pws) is not called anymore, and NOTE: thus in readpw, not calling crypt(passwd, pws) with a possibly NOTE: empty pws. CVE-2016-6837 (Cross-site scripting (XSS) vulnerability in MantisBT Filter API in Man ...) - mantis [wheezy] - mantis (unsupported) NOTE: https://mantisbt.org/bugs/view.php?id=21611 NOTE: https://github.com/mantisbt/mantisbt/commit/7086c2d8b4b20ac14013b36761ac04f0abf21a4e CVE-2016-6832 (Heap-based buffer overflow in the ff_audio_resample function in resamp ...) - libav 6:11.4-1 [wheezy] - libav (Vulnerable code not present) NOTE: https://blogs.gentoo.org/ago/2016/08/07/libav-heap-based-buffer-overflow-in-ff_audio_resample-resample-c/ NOTE: https://git.libav.org/?p=libav.git;a=commit;h=0ac8ff618c5e6d878c547a8877e714ed728950ce NOTE: Claimed to not affect ffmpeg CVE-2016-6831 (The "process-execute" and "process-spawn" procedures did not free memo ...) {DLA-643-1} - chicken 4.12.0-0.2 (bug #834845) [stretch] - chicken (Minor issue) [jessie] - chicken (Minor issue) NOTE: Fixed in the same upstream patch which is provided for CVE-2016-6830 CVE-2016-6830 (The "process-execute" and "process-spawn" procedures in CHICKEN Scheme ...) {DLA-643-1} - chicken 4.12.0-0.2 (bug #834845) [stretch] - chicken (Minor issue) [jessie] - chicken (Minor issue) NOTE: http://lists.nongnu.org/archive/html/chicken-announce/2016-08/msg00001.html NOTE: https://lists.nongnu.org/archive/html/chicken-hackers/2016-07/txtSWHYeFeG0R.txt NOTE: http://bugs.call-cc.org/ticket/1308 CVE-2016-6828 (The tcp_check_send_head function in include/net/tcp.h in the Linux ker ...) {DSA-3659-1 DLA-609-1} - linux 4.7.2-1 NOTE: Fixed by: https://github.com/torvalds/linux/commit/bb1fceca22492109be12640d49f5ea5a544c6bb4 CVE-2016-6822 RESERVED CVE-2016-6821 RESERVED CVE-2016-6820 (MetroCluster Tiebreaker for clustered Data ONTAP in versions before 1. ...) NOT-FOR-US: MetroCluster Tiebreaker CVE-2016-6819 RESERVED CVE-2016-6818 (SQL injection vulnerability in SAP Business Intelligence platform befo ...) NOT-FOR-US: SAP CVE-2016-6817 (The HTTP/2 header parser in Apache Tomcat 9.0.0.M1 to 9.0.0.M11 and 8. ...) - tomcat9 (Fixed before initial upload to Debian) - tomcat8 (Only affects 9.x and 8.5.x) - tomcat7 (Only affects 9.x and 8.5.x) - tomcat6 (Only affects 9.x and 8.5.x) CVE-2016-6816 (The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0 ...) {DSA-3739-1 DSA-3738-1 DLA-729-1 DLA-728-1} - tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.0.39-1 - tomcat7 7.0.72-3 NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API - tomcat6 6.0.41-3 (low) NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie NOTE: Fixed by: http://svn.apache.org/r1767653 (8.0.x) NOTE: Fixed by: http://svn.apache.org/r1767675 (7.0.x) NOTE: Fixed by: http://svn.apache.org/r1767683 (6.0.x) CVE-2016-6815 (In Apache Ranger before 0.6.2, users with "keyadmin" role should not b ...) NOT-FOR-US: Apache Ranger CVE-2016-6814 (When an application with unsupported Codehaus versions of Groovy from ...) {DLA-794-1} - groovy 2.4.8-1 (bug #851408) [jessie] - groovy 1.8.6-4+deb8u2 - groovy2 [jessie] - groovy2 2.2.2+dfsg-3+deb8u2 CVE-2016-6813 (Apache CloudStack 4.1 to 4.8.1.0 and 4.9.0.0 contain an API call desig ...) NOT-FOR-US: Apache CloudStack CVE-2016-6812 (The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prio ...) NOT-FOR-US: Apache CXF CVE-2016-6811 (In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn use ...) - hadoop (bug #793644) NOTE: http://www.openwall.com/lists/oss-security/2018/05/01/2 CVE-2016-6810 (In Apache ActiveMQ 5.x before 5.14.2, an instance of a cross-site scri ...) - activemq 5.14.2+dfsg-1 (unimportant) NOTE: Admin console not enabled in the Debian package, see #702670 NOTE: http://activemq.apache.org/security-advisories.data/CVE-2016-6810-announcement.txt NOTE: http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000245.html NOTE: https://jvn.jp/en/jp/JVN78980598/index.html CVE-2016-6809 (Apache Tika before 1.14 allows Java code execution for serialized obje ...) - tika 1.18-1 [jessie] - tika (Matlab file parser introduced in 1.6) NOTE: http://seclists.org/bugtraq/2016/Nov/40 CVE-2016-6808 (Buffer overflow in Apache Tomcat Connectors (mod_jk) before 1.2.42. ...) - libapache-mod-jk (Windows/IIS vhost handling specific issue) NOTE: Fixed by: http://svn.apache.org/r1762057 NOTE: https://tomcat.apache.org/security-jk.html#Fixed_in_Apache_Tomcat_JK_Connector_1.2.42 NOTE: This is though only Windows/IIS specific, thus marked as not-affected, cf. #840000 CVE-2016-6807 (Custom commands may be executed on Ambari Agent (2.4.x, before 2.4.2) ...) NOT-FOR-US: Ambari Agent CVE-2016-6806 (Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provid ...) NOT-FOR-US: Apache Wicket CVE-2016-6805 (Apache Ignite before 1.9 allows man-in-the-middle attackers to read ar ...) NOT-FOR-US: Apache Ignite CVE-2016-6804 (The Apache OpenOffice installer (versions prior to 4.1.3, including so ...) NOT-FOR-US: Apache OpenOffice installer for Windows CVE-2016-6803 (An installer defect known as an "unquoted Windows search path vulnerab ...) NOT-FOR-US: Apache OpenOffice installer for Windows CVE-2016-6802 (Apache Shiro before 1.3.2 allows attackers to bypass intended servlet ...) - shiro 1.3.2-1 [jessie] - shiro (Minor issue) CVE-2016-6801 (Cross-site request forgery (CSRF) vulnerability in the CSRF content-ty ...) {DSA-3679-1 DLA-629-1} - jackrabbit 2.12.4-1 (bug #838204) NOTE: http://svn.apache.org/r1758791 (2.4.x) NOTE: http://svn.apache.org/r1758771 (2.6.x) NOTE: http://svn.apache.org/r1758764 (2.8.x) CVE-2016-6800 (The default configuration of the Apache OFBiz framework offers a blog ...) NOT-FOR-US: Apache OFBiz CVE-2016-6799 (Product: Apache Cordova Android 5.2.2 and earlier. The application cal ...) NOT-FOR-US: Apache Cordova CVE-2016-6798 (In the XSS Protection API module before 1.0.12 in Apache Sling, the me ...) NOT-FOR-US: Apache Sling CVE-2016-6797 (The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9. ...) {DSA-3721-1 DSA-3720-1 DLA-729-1 DLA-728-1} - tomcat8 8.0.37-1 (low) - tomcat7 7.0.72-1 (low; bug #842666) - tomcat6 6.0.41-3 (low) NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie NOTE: http://markmail.org/message/wrku5orwxfpt5mzl?q=list:org.apache.tomcat.announce/ NOTE: Fixed by: http://svn.apache.org/r1757273 (8.0.x) NOTE: Fixed by: http://svn.apache.org/r1757275 (7.0.x) NOTE: Fixed by: https://svn.apache.org/viewvc?view=revision&revision=1757285 (6.0.x) CVE-2016-6796 (A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0 ...) {DSA-3721-1 DSA-3720-1 DLA-729-1 DLA-728-1} - tomcat8 8.0.37-1 (low) - tomcat7 7.0.72-1 (low; bug #842665) - tomcat6 6.0.41-3 (low) NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie NOTE: http://markmail.org/message/hynaeawxxhpvvctu?q=list:org.apache.tomcat.announce/ NOTE: Fixed by: http://svn.apache.org/r1758494 (8.0.x) NOTE: Fixed by: http://svn.apache.org/r1758495 (7.0.x) NOTE: Fixed by: https://svn.apache.org/viewvc?view=revision&revision=1758496 (6.0.x) CVE-2016-6795 (In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5 ...) - libstruts1.2-java [wheezy] - libstruts1.2-java (no longer supported) NOTE: https://struts.apache.org/docs/s2-042.html CVE-2016-6794 (When a SecurityManager is configured, a web application's ability to r ...) {DSA-3721-1 DSA-3720-1 DLA-729-1 DLA-728-1} - tomcat8 8.0.37-1 (low) - tomcat7 7.0.72-1 (low; bug #842664) - tomcat6 6.0.41-3 (low) NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie NOTE: http://markmail.org/message/zk7w6yly5mviocci?q=list:org.apache.tomcat.announce/ NOTE: Fixed by: http://svn.apache.org/r1754727 (8.0.x) NOTE: Fixed by: http://svn.apache.org/r1754728 (7.0.x) NOTE: Fixed by: https://svn.apache.org/viewvc?view=revision&revision=1754733 (6.0.x) CVE-2016-6793 (The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x be ...) NOT-FOR-US: Apache Wicket CVE-2015-8954 (The MemcmpLowercase function in Suricata before 2.0.6 improperly exclu ...) - suricata 2.0.6-1 (bug #777523) [wheezy] - suricata (Minor issue) [squeeze] - suricata (Minor issue) NOTE: https://redmine.openinfosecfoundation.org/issues/1364 NOTE: https://github.com/OISF/suricata/commit/17dfd59bc31a21e103e2f1216443cd1418398aa9 CVE-2015-8953 (fs/overlayfs/copy_up.c in the Linux kernel before 4.2.6 uses an incorr ...) - linux 4.2.6-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/ab79efab0a0ba01a74df782eb7fa44b044dae8b5 (v4.3) CVE-2015-8952 (The mbcache feature in the ext2 and ext4 filesystem implementations in ...) - linux 4.6.1-1 (low) [jessie] - linux (Minor issue and too intrusive to backport, workaround exists with the no_mbcache mount flag) [wheezy] - linux (Minor issue and too intrusive to backport) NOTE: https://git.kernel.org/linus/f9a61eb4e2471c56a63cd804c7474128138c38ac (v4.6-rc1) NOTE: https://git.kernel.org/linus/82939d7999dfc1f1998c4b1c12e2f19edbdff272 (v4.6-rc1) NOTE: https://git.kernel.org/linus/be0726d33cb8f411945884664924bed3cb8c70ee (v4.6-rc1) CVE-2015-8951 (Multiple use-after-free vulnerabilities in sound/soc/msm/qdsp6v2/msm-l ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6823 (Integer overflow in the BMP coder in ImageMagick before 7.0.2-10 allow ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #834504) NOTE: https://github.com/ImageMagick/ImageMagick/commit/4cc6ec8a4197d4c008577127736bf7985d632323 CVE-2016-10052 (Buffer overflow in the WriteProfile function in coders/jpeg.c in Image ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #834501) NOTE: https://github.com/ImageMagick/ImageMagick/commit/9e187b73a8a1290bb0e1a1c878f8be1917aa8742 NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3 CVE-2016-6792 RESERVED CVE-2016-6791 (An elevation of privilege vulnerability in the Qualcomm sound driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6790 (An elevation of privilege vulnerability in the NVIDIA libomx library ( ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-6789 (An elevation of privilege vulnerability in the NVIDIA libomx library ( ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-6788 (An elevation of privilege vulnerability in the MediaTek I2C driver cou ...) NOT-FOR-US: MediaTek driver for Android CVE-2016-6787 (kernel/events/core.c in the performance subsystem in the Linux kernel ...) {DSA-3791-1 DLA-833-1} - linux 4.0.2-1 NOTE: Fixed by: https://git.kernel.org/linus/f63a8daa5812afef4f06c962351687e1ff9ccb2b (v4.0-rc1) CVE-2016-6786 (kernel/events/core.c in the performance subsystem in the Linux kernel ...) {DSA-3791-1 DLA-833-1} - linux 4.0.2-1 NOTE: Fixed by: https://git.kernel.org/linus/f63a8daa5812afef4f06c962351687e1ff9ccb2b (v4.0-rc1) CVE-2016-6785 (An elevation of privilege vulnerability in the MediaTek driver could e ...) NOT-FOR-US: MediaTek driver for Android CVE-2016-6784 (An elevation of privilege vulnerability in the MediaTek driver could e ...) NOT-FOR-US: MediaTek driver for Android CVE-2016-6783 (An elevation of privilege vulnerability in the MediaTek driver could e ...) NOT-FOR-US: MediaTek driver for Android CVE-2016-6782 (An elevation of privilege vulnerability in the MediaTek driver could e ...) NOT-FOR-US: MediaTek driver for Android CVE-2016-6781 (An elevation of privilege vulnerability in the MediaTek driver could e ...) NOT-FOR-US: MediaTek driver for Android CVE-2016-6780 (An elevation of privilege vulnerability in the HTC sound codec driver ...) NOT-FOR-US: HTC driver for Android CVE-2016-6779 (An elevation of privilege vulnerability in the HTC sound codec driver ...) NOT-FOR-US: HTC driver for Android CVE-2016-6778 (An elevation of privilege vulnerability in the HTC sound codec driver ...) NOT-FOR-US: HTC driver for Android CVE-2016-6777 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-6776 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-6775 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-6774 (An information disclosure vulnerability in Package Manager could enabl ...) NOT-FOR-US: Android CVE-2016-6773 (An information disclosure vulnerability in the ih264d decoder in Media ...) NOT-FOR-US: Android Mediaserver CVE-2016-6772 (An elevation of privilege vulnerability in Wi-Fi could enable a local ...) NOT-FOR-US: Android CVE-2016-6771 (An elevation of privilege vulnerability in Telephony could enable a lo ...) NOT-FOR-US: Android CVE-2016-6770 (An elevation of privilege vulnerability in the Framework API could ena ...) NOT-FOR-US: Android CVE-2016-6769 (An elevation of privilege vulnerability in Smart Lock could enable a l ...) NOT-FOR-US: Android CVE-2016-6768 (A remote code execution vulnerability in the Framesequence library cou ...) NOT-FOR-US: Android CVE-2016-6767 (A denial of service vulnerability in Mediaserver could enable an attac ...) NOT-FOR-US: Android Mediaserver CVE-2016-6766 (A denial of service vulnerability in libmedia and libstagefright in Me ...) NOT-FOR-US: libstagefright CVE-2016-6765 (A denial of service vulnerability in libstagefright in Mediaserver cou ...) NOT-FOR-US: libstagefright CVE-2016-6764 (A denial of service vulnerability in Mediaserver could enable an attac ...) NOT-FOR-US: Android Mediaserver CVE-2016-6763 (A denial of service vulnerability in Telephony could enable a local ma ...) NOT-FOR-US: Android CVE-2016-6762 (An elevation of privilege vulnerability in the libziparchive library c ...) - android-platform-system-core 1:7.0.0+r1-1 [jessie] - android-platform-system-core (Vulnerable code not present) CVE-2016-6761 (An elevation of privilege vulnerability in Qualcomm media codecs could ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6760 (An elevation of privilege vulnerability in Qualcomm media codecs could ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6759 (An elevation of privilege vulnerability in Qualcomm media codecs could ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6758 (An elevation of privilege vulnerability in Qualcomm media codecs could ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6757 (An information disclosure vulnerability in Qualcomm components includi ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6756 (An information disclosure vulnerability in Qualcomm components includi ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6755 (An elevation of privilege vulnerability in the Qualcomm camera driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6754 (A remote code execution vulnerability in Webview in Android 5.0.x befo ...) NOT-FOR-US: Webview for Android CVE-2016-6753 (An information disclosure vulnerability in kernel components, includin ...) NOT-FOR-US: Android kernel NOTE: https://source.android.com/security/bulletin/2016-11-01.html CVE-2016-6752 (An information disclosure vulnerability in Qualcomm components includi ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6751 (An information disclosure vulnerability in Qualcomm components includi ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6750 (An information disclosure vulnerability in Qualcomm components includi ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6749 (An information disclosure vulnerability in Qualcomm components includi ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6748 (An information disclosure vulnerability in Qualcomm components includi ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6747 (A denial of service vulnerability in Mediaserver in Android before 201 ...) NOT-FOR-US: Android Mediaserver CVE-2016-6746 (An information disclosure vulnerability in the NVIDIA GPU driver in An ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-6745 (An elevation of privilege vulnerability in the Synaptics touchscreen d ...) NOT-FOR-US: Synaptics driver for Android CVE-2016-6744 (An elevation of privilege vulnerability in the Synaptics touchscreen d ...) NOT-FOR-US: Synaptics driver for Android CVE-2016-6743 (An elevation of privilege vulnerability in the Synaptics touchscreen d ...) NOT-FOR-US: Synaptics driver for Android CVE-2016-6742 (An elevation of privilege vulnerability in the Synaptics touchscreen d ...) NOT-FOR-US: Synaptics driver for Android CVE-2016-6741 (An elevation of privilege vulnerability in the Qualcomm camera driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6740 (An elevation of privilege vulnerability in the Qualcomm camera driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6739 (An elevation of privilege vulnerability in the Qualcomm camera driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6738 (An elevation of privilege vulnerability in the Qualcomm crypto engine ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6737 (An elevation of privilege vulnerability in the kernel ION subsystem in ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-6736 (An elevation of privilege vulnerability in the NVIDIA GPU driver in An ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-6735 (An elevation of privilege vulnerability in the NVIDIA GPU driver in An ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-6734 (An elevation of privilege vulnerability in the NVIDIA GPU driver in An ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-6733 (An elevation of privilege vulnerability in the NVIDIA GPU driver in An ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-6732 (An elevation of privilege vulnerability in the NVIDIA GPU driver in An ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-6731 (An elevation of privilege vulnerability in the NVIDIA GPU driver in An ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-6730 (An elevation of privilege vulnerability in the NVIDIA GPU driver in An ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-6729 (An elevation of privilege vulnerability in the Qualcomm bootloader in ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6728 (An elevation of privilege vulnerability in the kernel ION subsystem in ...) NOT-FOR-US: Rowhammer hardware vulnerability on Android devices NOTE: https://www.vusec.net/projects/drammer/ CVE-2016-6727 (The Qualcomm GPS subsystem in Android on Android One devices allows re ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6726 (Unspecified vulnerability in Qualcomm components in Android on Nexus 6 ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6725 (A remote code execution vulnerability in the Qualcomm crypto driver in ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6724 (A denial of service vulnerability in the Input Manager Service in Andr ...) NOT-FOR-US: Android CVE-2016-6723 (A denial of service vulnerability in Proxy Auto Config in Android 4.x ...) NOT-FOR-US: Android CVE-2016-6722 (An information disclosure vulnerability in libstagefright in Mediaserv ...) NOT-FOR-US: libstagefright CVE-2016-6721 (An information disclosure vulnerability in Mediaserver in Android 6.x ...) NOT-FOR-US: Android Mediaserver CVE-2016-6720 (An information disclosure vulnerability in libstagefright in Mediaserv ...) NOT-FOR-US: libstagefright CVE-2016-6719 (An elevation of privilege vulnerability in the Bluetooth component in ...) NOT-FOR-US: Android CVE-2016-6718 (An elevation of privilege vulnerability in the Account Manager Service ...) NOT-FOR-US: Android CVE-2016-6717 (An elevation of privilege vulnerability in Mediaserver in Android 4.x ...) NOT-FOR-US: Android Mediaserver CVE-2016-6716 (An elevation of privilege vulnerability in the AOSP Launcher in Androi ...) NOT-FOR-US: Android CVE-2016-6715 (An elevation of privilege vulnerability in the Framework APIs in Andro ...) NOT-FOR-US: Android CVE-2016-6714 (A remote denial of service vulnerability in Mediaserver in Android 6.x ...) NOT-FOR-US: Android Mediaserver CVE-2016-6713 (A remote denial of service vulnerability in Mediaserver in Android 6.x ...) NOT-FOR-US: Android Mediaserver CVE-2016-6712 (A remote denial of service vulnerability in libvpx in Mediaserver in A ...) - libvpx 1.6.1-1 [jessie] - libvpx (Minpr issue) [wheezy] - libvpx (Vulnerable code not present) NOTE: probably fixed earlier, but this was the version checked NOTE: https://android.googlesource.com/platform/external/libvpx/+/fdb1b40e7bb147c07bda988c9501ad223795d12d CVE-2016-6711 (A remote denial of service vulnerability in libvpx in Mediaserver in A ...) - libvpx 1.6.1-1 [jessie] - libvpx (Minpr issue) [wheezy] - libvpx (Minor issue) NOTE: probably fixed earlier, but this was the version checked NOTE: Wheezy is confirmed (by code inspection) to have vulnerable source. NOTE: https://android.googlesource.com/platform/external/libvpx/+/063be1485e0099bc81ace3a08b0ec9186dcad693 CVE-2016-6710 (An information disclosure vulnerability in the download manager in And ...) NOT-FOR-US: Android CVE-2016-6709 (An information disclosure vulnerability in Conscrypt and BoringSSL in ...) NOT-FOR-US: Android CVE-2016-6708 (An elevation of privilege in the System UI in Android 7.0 before 2016- ...) NOT-FOR-US: Android CVE-2016-6707 (An elevation of privilege vulnerability in System Server in Android 6. ...) NOT-FOR-US: Android CVE-2016-6706 (An elevation of privilege vulnerability in libstagefright in Mediaserv ...) NOT-FOR-US: libstagefright CVE-2016-6705 (An elevation of privilege vulnerability in Mediaserver in Android 5.0. ...) NOT-FOR-US: Android Mediaserver CVE-2016-6704 (An elevation of privilege vulnerability in Mediaserver in Android 4.x ...) NOT-FOR-US: Android Mediaserver CVE-2016-6703 (A remote code execution vulnerability in an Android runtime library in ...) NOT-FOR-US: Android CVE-2016-6702 (A remote code execution vulnerability in libjpeg in Android 4.x before ...) - libjpeg-turbo (Android-specific patch, jpeg_open_backing_store in standard releases is just a stub) CVE-2016-6701 (A remote code execution vulnerability in libskia in Android 7.0 before ...) - skia (bug #818180) CVE-2016-6700 (An elevation of privilege vulnerability in libzipfile in Android 4.x b ...) NOT-FOR-US: Android CVE-2016-6699 (A remote code execution vulnerability in libstagefright in Mediaserver ...) NOT-FOR-US: libstagefright CVE-2016-6698 (An information disclosure vulnerability in Qualcomm components includi ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6697 RESERVED CVE-2016-6696 (sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c in a Qualcomm QDSP6v2 drive ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6695 (sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c in a Qualcomm QDSP6v2 drive ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6694 (sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c in a Qualcomm QDSP6v2 drive ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6693 (sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c in a Qualcomm QDSP6v2 drive ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6692 (drivers/video/msm/mdss/mdss_mdp_pp.c in the Qualcomm MDSS driver in An ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6691 (service/jni/com_android_server_wifi_Gbk2Utf.cpp in the Qualcomm Wi-Fi ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6690 (The sound driver in the kernel in Android before 2016-10-05 on Nexus 5 ...) NOT-FOR-US: Sound driver for Android CVE-2016-6689 (Binder in the kernel in Android before 2016-10-05 on Nexus devices all ...) NOT-FOR-US: Android Binder CVE-2016-6688 (The NVIDIA profiler in Android before 2016-10-05 on Nexus 9 devices al ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-6687 (The NVIDIA profiler in Android before 2016-10-05 on Nexus 9 devices al ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-6686 (The NVIDIA profiler in Android before 2016-10-05 on Nexus 9 devices al ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-6685 (The kernel in Android before 2016-10-05 on Nexus 6P devices allows att ...) NOT-FOR-US: Android kernel for Nexus devices CVE-2016-6684 (The kernel in Android before 2016-10-05 on Nexus 5, Nexus 5X, Nexus 6, ...) NOT-FOR-US: Android kernel for Nexus devices CVE-2016-6683 (The kernel in Android before 2016-10-05 on Nexus devices allows attack ...) NOT-FOR-US: Android kernel for Nexus devices CVE-2016-6682 (drivers/misc/qcom/qdsp6v2/audio_utils.c in a Qualcomm QDSP6v2 driver i ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6681 (drivers/misc/qcom/qdsp6v2/audio_utils.c in a Qualcomm QDSP6v2 driver i ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6680 (CORE/HDD/src/wlan_hdd_wext.c in the Qualcomm Wi-Fi driver in Android b ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6679 (CORE/HDD/src/wlan_hdd_hostapd.c in the Qualcomm Wi-Fi driver in Androi ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6678 (The Motorola USBNet driver in Android before 2016-10-05 on Nexus 6 dev ...) NOT-FOR-US: Motorola driver for Android CVE-2016-6677 (The NVIDIA GPU driver in Android before 2016-10-05 on Nexus 9 devices ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-6676 (Off-by-one error in CORE/HDD/src/wlan_hdd_cfg.c in the Qualcomm Wi-Fi ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6675 (Off-by-one error in CORE/HDD/src/wlan_hdd_hostapd.c in the Qualcomm Wi ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-6674 (system_server in Android before 2016-10-05 on Nexus devices allows att ...) NOT-FOR-US: Android CVE-2016-6673 (The NVIDIA camera driver in Android before 2016-10-05 on Nexus 9 devic ...) NOT-FOR-US: Nvidia driver for Android CVE-2016-6672 (The Synaptics touchscreen driver in Android before 2016-10-05 on Nexus ...) NOT-FOR-US: Synaptics driver for Android CVE-2015-8950 (arch/arm64/mm/dma-mapping.c in the Linux kernel before 4.0.3, as used ...) - linux 4.0.4-1 [jessie] - linux 3.16.7-ckt17-1 [wheezy] - linux (Vulnerable code not present; arm64 introduced in 3.7) NOTE: Fixed by: https://git.kernel.org/linus/6829e274a623187c24f7cfc0e3d35f25d087fcc5 (4.1-rc2) CVE-2016-10051 (Use-after-free vulnerability in the ReadPWPImage function in coders/pw ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #834183) NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30245 NOTE: https://github.com/ImageMagick/ImageMagick/commit/ecc03a2518c2b7dd375fde3a040fdae0bdf6a521 NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3 CVE-2016-6833 (Use-after-free vulnerability in the vmxnet3_io_bar0_write function in ...) {DLA-1497-1} - qemu 1:2.6+dfsg-3.1 (bug #834904) [wheezy] - qemu (Vulnerable code not present, vmxnet3 introduced in 1.5) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code not present, vmxnet3 introduced in 1.5) NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=6c352ca9b4ee3e1e286ea9e8434bd8e69ac7d0d8 NOTE: Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2016-08/msg01602.html NOTE: http://www.openwall.com/lists/oss-security/2016/08/12/1 CVE-2016-6834 (The net_tx_pkt_do_sw_fragmentation function in hw/net/net_tx_pkt.c in ...) {DLA-1599-1} - qemu 1:2.6+dfsg-3.1 (bug #834905) [wheezy] - qemu (Vulnerable code not present, packet abstraction introduced in 1.5) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code not present, packet abstraction introduced in 1.5) NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=ead315e43ea0c2ca3491209c6c8db8ce3f2bbe05 NOTE: Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2016-08/msg01601.html NOTE: http://www.openwall.com/lists/oss-security/2016/08/11/8 CVE-2016-6835 (The vmxnet_tx_pkt_parse_headers function in hw/net/vmxnet_tx_pkt.c in ...) {DLA-1497-1} - qemu 1:2.6+dfsg-3.1 (bug #835031) [wheezy] - qemu (Vulnerable code not present, vmxnet3 introduced in 1.5) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code not present, vmxnet3 introduced in 1.5) NOTE: Upstream patch: https://lists.gnu.org/archive/html/qemu-stable/2016-08/msg00077.html NOTE: http://www.openwall.com/lists/oss-security/2016/08/11/7 CVE-2016-6836 (The vmxnet3_complete_packet function in hw/net/vmxnet3.c in QEMU (aka ...) {DLA-1599-1} - qemu 1:2.6+dfsg-3.1 (bug #834944) [wheezy] - qemu (Vulnerable code not present, vmxnet3 introduced in 1.5) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code not present, vmxnet3 introduced in 1.5) NOTE: Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2016-08/msg02108.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1366369 NOTE: http://www.openwall.com/lists/oss-security/2016/08/11/5 CVE-2016-6671 (The raw_decode function in libavcodec/rawdec.c in FFmpeg before 3.1.2 ...) - ffmpeg 7:3.1.2-1 CVE-2016-6670 (Huawei S7700, S9300, S9700, and S12700 devices with software before V2 ...) NOT-FOR-US: Huawei CVE-2016-6669 (Buffer overflow in the Authentication, Authorization and Accounting (A ...) NOT-FOR-US: Huawei CVE-2016-6668 (The Atlassian Hipchat Integration Plugin for Bitbucket Server 6.26.0 b ...) NOT-FOR-US: Atlassian Hipchat Integration Plugin for Bitbucket Server CVE-2016-6667 (NetApp OnCommand Unified Manager for Clustered Data ONTAP 6.3 through ...) NOT-FOR-US: NetApp CVE-2016-6666 RESERVED CVE-2016-6665 RESERVED CVE-2016-6664 (mysqld_safe in Oracle MySQL through 5.5.51, 5.6.x through 5.6.32, and ...) {DSA-3770-1} - mariadb-10.1 10.1.21-1 (bug #849435; bug #851759) - mariadb-10.0 (bug #842895; bug #851755) - mysql-5.7 5.7.15-1 - mysql-5.6 5.6.34-1 (bug #841049) - mysql-5.5 [jessie] - mysql-5.5 5.5.52-0+deb8u1 [wheezy] - mysql-5.5 5.5.52-0+deb7u1 NOTE: http://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html NOTE: Possible fixed by: https://github.com/MariaDB/server/commit/684a165f28b3718160a3e4c5ebd18a465d85e97c NOTE: https://mariadb.com/blog/update-security-vulnerabilities-cve-2016-6663-and-cve-2016-6664-related-mariadb-server CVE-2016-6663 (Race condition in Oracle MySQL before 5.5.52, 5.6.x before 5.6.33, 5.7 ...) {DSA-3711-1} - mariadb-10.0 10.0.28-1 - mysql-5.7 5.7.15-1 - mysql-5.6 5.6.34-1 (bug #841049) - mysql-5.5 [jessie] - mysql-5.5 5.5.52-0+deb8u1 [wheezy] - mysql-5.5 5.5.52-0+deb7u1 NOTE: Fixed by: https://github.com/MariaDB/server/commit/347eeefbfc658c8531878218487d729f4e020805 NOTE: Fixed by: https://github.com/mysql/mysql-server/commit/4e5473862e6852b0f3802b0cd0c6fa10b5253291 NOTE: Fixed in MariaDB 5.5.52, MariaDB 10.1.18, MariaDB 10.0.28 NOTE: Fixed in Oracle MySQL: 5.5.52, 5.6.33, and 5.7.15. NOTE: http://legalhackers.com/advisories/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-OCVE-2016-5616-Exploit.html CVE-2016-6662 (Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5 ...) {DSA-3666-1 DLA-624-1} - mariadb-10.0 10.0.27-1 [jessie] - mariadb-10.0 10.0.27-0+deb8u1 - mysql-5.7 5.7.15-1 - mysql-5.6 5.6.34-1 - mysql-5.5 NOTE: This will likely be split by MITRE, unclear what precisely maps to CVE-2016-6662 NOTE: As well unclear which commits from https://bugzilla.redhat.com/show_bug.cgi?id=1375198#c5 are associated NOTE: yet to which CVE; those will unlikely made public before the next Oracle CPU. NOTE: https://marc.info/?l=oss-security&m=147367658314062&w=2 NOTE: http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html NOTE: https://bugzilla.suse.com/show_bug.cgi?id=998309 NOTE: Fixed in upstream Oracle MySQL 5.5.52, 5.6.33 and 5.7.15 NOTE: MariaDB: https://jira.mariadb.org/browse/MDEV-10465 NOTE: Fixed in upstream MariaDB 5.5.51, 10.0.27, 10.1.17 NOTE: PerconaDB: https://www.percona.com/blog/2016/09/12/database-affected-cve-2016-6662/ NOTE: Although Oracle mentions this CVE only to be fixed in 5.5.53 this is not NOTE: true for src:mysql-5.5 as in Debian and other Linux distributions, so NOTE: this CVE should not be listed for a DSA/DLA based on 5.5.53, cf #841050 CVE-2016-6661 RESERVED CVE-2016-6660 REJECTED CVE-2016-6659 (Cloud Foundry before 248; UAA 2.x before 2.7.4.12, 3.x before 3.6.5, a ...) NOT-FOR-US: Pivotal CVE-2016-6658 (Applications in cf-release before 245 can be configured and pushed wit ...) NOT-FOR-US: cf-release CVE-2016-6657 (An open redirect vulnerability has been detected with some Pivotal Clo ...) NOT-FOR-US: Pivotal CVE-2016-6656 (An issue was discovered in Pivotal Greenplum before 4.3.10.0. Creation ...) NOT-FOR-US: Pivotal CVE-2016-6655 (An issue was discovered in Cloud Foundry Foundation Cloud Foundry rele ...) NOT-FOR-US: Cloud Foundry CVE-2016-6654 REJECTED CVE-2016-6653 (The MariaDB audit_plugin component in Pivotal Cloud Foundry (PCF) cf-m ...) NOT-FOR-US: Pivotal CVE-2016-6652 (SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 (G ...) NOT-FOR-US: Pivotal Spring Data CVE-2016-6651 (The UAA /oauth/token endpoint in Pivotal Cloud Foundry (PCF) before 24 ...) NOT-FOR-US: Pivotal CVE-2016-6650 (EMC RecoverPoint versions prior to 5.0 and EMC RecoverPoint for Virtua ...) NOT-FOR-US: EMC CVE-2016-6649 (EMC RecoverPoint versions before 4.4.1.1 and EMC RecoverPoint for Virt ...) NOT-FOR-US: EMC CVE-2016-6648 (EMC RecoverPoint versions before 4.4.1.1 and EMC RecoverPoint for Virt ...) NOT-FOR-US: EMC CVE-2016-6647 (Cross-site scripting (XSS) vulnerability in EMC ViPR SRM before 4.0.1 ...) NOT-FOR-US: EMC CVE-2016-6646 (The vApp Managers web application in EMC Unisphere for VMAX Virtual Ap ...) NOT-FOR-US: VMAX CVE-2016-6645 (The vApp Managers web application in EMC Unisphere for VMAX Virtual Ap ...) NOT-FOR-US: VMAX CVE-2016-6644 (EMC Documentum D2 4.5 before patch 15 and 4.6 before patch 03 allows r ...) NOT-FOR-US: EMC CVE-2016-6643 (Cross-site scripting (XSS) vulnerability in EMC ViPR SRM before 3.7.2 ...) NOT-FOR-US: EMC CVE-2016-6642 (Cross-site request forgery (CSRF) vulnerability in EMC ViPR SRM before ...) NOT-FOR-US: EMC CVE-2016-6641 (Cross-site scripting (XSS) vulnerability in EMC ViPR SRM before 3.7.2 ...) NOT-FOR-US: EMC CVE-2016-6640 REJECTED CVE-2016-6639 (Cloud Foundry PHP Buildpack (aka php-buildpack) before 4.3.18 and PHP ...) NOT-FOR-US: Pivotal CVE-2016-6638 REJECTED CVE-2016-6637 (Multiple cross-site request forgery (CSRF) vulnerabilities in Pivotal ...) NOT-FOR-US: Pivotal CVE-2016-6636 (The OAuth authorization implementation in Pivotal Cloud Foundry (PCF) ...) NOT-FOR-US: Pivotal CVE-2016-1000038 RESERVED CVE-2016-10050 (Heap-based buffer overflow in the ReadRLEImage function in coders/rle. ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #833744) NOTE: https://github.com/ImageMagick/ImageMagick/commit/73fb0aac5b958521e1511e179ecc0ad49f70ebaf NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3 CVE-2016-10049 (Buffer overflow in the ReadRLEImage function in coders/rle.c in ImageM ...) {DSA-3652-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #833743) [wheezy] - imagemagick (Vulnerability likely introduced in a version after 6.7.7.10) NOTE: https://github.com/ImageMagick/ImageMagick/commit/3e9165285eda6e1bb71172031d3048b51bb443a4 NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=29710 NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3 CVE-2016-10048 (Directory traversal vulnerability in magick/module.c in ImageMagick 6. ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.5.7+dfsg-1 (bug #833735) NOTE: https://github.com/ImageMagick/ImageMagick/commit/fc6080f1321fd21e86ef916195cc110b05d9effb NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3 CVE-2016-10047 (Memory leak in the NewXMLTree function in magick/xml-tree.c in ImageMa ...) {DSA-3652-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #833732) [wheezy] - imagemagick (Vulnerable code not present in version 6.7.7.10) NOTE: https://github.com/ImageMagick/ImageMagick/commit/fc6080f1321fd21e86ef916195cc110b05d9effb NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3 CVE-2016-10046 (Heap-based buffer overflow in the DrawImage function in magick/draw.c ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #833730) NOTE: https://github.com/ImageMagick/ImageMagick/commit/989f9f88ea6db09b99d25586e912c921c0da8d3f NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3 CVE-2016-6887 (The pstm_exptmod function in MatrixSSL 3.8.6 and earlier does not prop ...) - matrixssl [wheezy] - matrixssl (not supported in Wheezy) CVE-2016-6886 (The pstm_reverse function in MatrixSSL before 3.8.4 allows remote atta ...) - matrixssl [wheezy] - matrixssl (not supported in Wheezy) CVE-2016-6885 (The pstm_exptmod function in MatrixSSL before 3.8.4 allows remote atta ...) - matrixssl [wheezy] - matrixssl (not supported in Wheezy) CVE-2016-6884 (TLS cipher suites with CBC mode in TLS 1.1 and 1.2 in MatrixSSL before ...) - matrixssl [wheezy] - matrixssl (not supported in Wheezy) CVE-2016-6883 (MatrixSSL before 3.8.3 configured with RSA Cipher Suites allows remote ...) - matrixssl [wheezy] - matrixssl (not supported in Wheezy) NOTE: Fixed in 3.8.3 https://github.com/matrixssl/matrixssl/blob/master/doc/CHANGES.md#changes-in-383 NOTE: https://robotattack.org/ CVE-2016-6882 (MatrixSSL before 3.8.7, when the DHE_RSA based cipher suite is support ...) - matrixssl [wheezy] - matrixssl (not supported in Wheezy) CVE-2016-6635 (Cross-site request forgery (CSRF) vulnerability in the wp_ajax_wp_comp ...) {DSA-3681-1 DLA-633-1} - wordpress 4.5+dfsg-1 NOTE: https://github.com/WordPress/WordPress/commit/9b7a7754133c50b82bd9d976fb5b24094f658aab NOTE: Fixed by: https://core.trac.wordpress.org/changeset/37143 CVE-2016-6634 (Cross-site scripting (XSS) vulnerability in the network settings page ...) {DSA-3681-1 DLA-633-1} - wordpress 4.5+dfsg-1 NOTE: http://codex.wordpress.org/Version_4.5 NOTE: Fixed by: https://core.trac.wordpress.org/changeset/37124 NOTE: Fixed by: https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9 CVE-2016-6633 (An issue was discovered in phpMyAdmin. phpMyAdmin can be used to trigg ...) - phpmyadmin 4:4.6.4+dfsg1-1 (unimportant) [wheezy] - phpmyadmin (Vulnerable code not present) NOTE: dbase extension not available in Debian CVE-2016-6632 (An issue was discovered in phpMyAdmin where, under certain conditions, ...) {DLA-1821-1} - phpmyadmin 4:4.6.4+dfsg1-1 [wheezy] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-55/ CVE-2016-6631 (An issue was discovered in phpMyAdmin. A user can execute a remote cod ...) {DLA-1821-1 DLA-626-1} - phpmyadmin 4:4.6.4+dfsg1-1 NOTE: https://www.phpmyadmin.net/security/PMASA-2016-54/ CVE-2016-6630 (An issue was discovered in phpMyAdmin. An authenticated user can trigg ...) {DLA-1821-1 DLA-626-1} - phpmyadmin 4:4.6.4+dfsg1-1 NOTE: https://www.phpmyadmin.net/security/PMASA-2016-53/ CVE-2016-6629 (An issue was discovered in phpMyAdmin involving the $cfg['ArbitrarySer ...) - phpmyadmin 4:4.6.4+dfsg1-1 [jessie] - phpmyadmin (probably not affected, needs more investigation) [wheezy] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-52/ CVE-2016-6628 (An issue was discovered in phpMyAdmin. An attacker may be able to trig ...) {DLA-1821-1} - phpmyadmin 4:4.6.4+dfsg1-1 [wheezy] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-51/ CVE-2016-6627 (An issue was discovered in phpMyAdmin. An attacker can determine the p ...) {DLA-1821-1} - phpmyadmin 4:4.6.4+dfsg1-1 [wheezy] - phpmyadmin (Not critical enough) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-50/ CVE-2016-6626 (An issue was discovered in phpMyAdmin. An attacker could redirect a us ...) {DLA-1821-1 DLA-757-1} - phpmyadmin 4:4.6.4+dfsg1-1 [wheezy] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-49/ CVE-2016-6625 (An issue was discovered in phpMyAdmin. An attacker can determine wheth ...) - phpmyadmin 4:4.6.4+dfsg1-1 (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-48/ NOTE: The solution is to remove a configuration option. This option NOTE: is by default disabled so a default installation is not NOTE: vulnerable. It should be fairly obvious that enabling phpinfo NOTE: printing can show more information than what should be used in NOTE: a production environment. This is the motivation that it is not NOTE: solved for wheezy. CVE-2016-6624 (An issue was discovered in phpMyAdmin involving improper enforcement o ...) {DLA-1821-1 DLA-626-1} - phpmyadmin 4:4.6.4+dfsg1-1 NOTE: https://www.phpmyadmin.net/security/PMASA-2016-47/ CVE-2016-6623 (An issue was discovered in phpMyAdmin. An authorized user can cause a ...) {DLA-626-1} - phpmyadmin 4:4.6.4+dfsg1-1 [jessie] - phpmyadmin (Minor issue) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-46/ CVE-2016-6622 (An issue was discovered in phpMyAdmin. An unauthenticated user is able ...) {DLA-1415-1 DLA-626-1} - phpmyadmin 4:4.6.4+dfsg1-1 NOTE: https://www.phpmyadmin.net/security/PMASA-2016-45/ CVE-2016-6621 (The setup script for phpMyAdmin before 4.0.10.19, 4.4.x before 4.4.15. ...) {DLA-1415-1 DLA-834-1} - phpmyadmin 4:4.6.6-1 NOTE: https://www.phpmyadmin.net/security/PMASA-2016-44/ NOTE: https://github.com/phpmyadmin/phpmyadmin/issues/12481 CVE-2016-6620 (An issue was discovered in phpMyAdmin. Some data is passed to the PHP ...) {DLA-1415-1 DLA-626-1} - phpmyadmin 4:4.6.4+dfsg1-1 NOTE: https://www.phpmyadmin.net/security/PMASA-2016-43/ CVE-2016-6619 (An issue was discovered in phpMyAdmin. In the user interface preferenc ...) {DLA-1415-1} - phpmyadmin 4:4.6.4+dfsg1-1 [wheezy] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-42/ CVE-2016-6618 (An issue was discovered in phpMyAdmin. The transformation feature allo ...) {DLA-1415-1} - phpmyadmin 4:4.6.4+dfsg1-1 [wheezy] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-41/ CVE-2016-6617 (An issue was discovered in phpMyAdmin. A specially crafted database an ...) - phpmyadmin 4:4.6.4+dfsg1-1 [jessie] - phpmyadmin (Only affects 4.6.x) [wheezy] - phpmyadmin (Only affects 4.6.x) CVE-2016-6616 (An issue was discovered in phpMyAdmin. In the "User group" and "Design ...) {DLA-1415-1} - phpmyadmin 4:4.6.4+dfsg1-1 [wheezy] - phpmyadmin (Only affects 4.4.x onward) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-39/ CVE-2016-6615 (XSS issues were discovered in phpMyAdmin. This affects navigation pane ...) {DLA-1415-1} - phpmyadmin 4:4.6.4+dfsg1-1 [wheezy] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-38/ CVE-2016-6614 (An issue was discovered in phpMyAdmin involving the %u username replac ...) {DLA-1415-1 DLA-626-1} - phpmyadmin 4:4.6.4+dfsg1-1 NOTE: https://www.phpmyadmin.net/security/PMASA-2016-37/ CVE-2016-6613 (An issue was discovered in phpMyAdmin. A user can specially craft a sy ...) {DLA-1821-1 DLA-626-1} - phpmyadmin 4:4.6.4+dfsg1-1 NOTE: https://www.phpmyadmin.net/security/PMASA-2016-36/ CVE-2016-6612 (An issue was discovered in phpMyAdmin. A user can exploit the LOAD LOC ...) {DLA-1821-1 DLA-626-1} - phpmyadmin 4:4.6.4+dfsg1-1 NOTE: https://www.phpmyadmin.net/security/PMASA-2016-35/ CVE-2016-6611 (An issue was discovered in phpMyAdmin. A specially crafted database an ...) {DLA-1821-1 DLA-626-1} - phpmyadmin 4:4.6.4+dfsg1-1 NOTE: https://www.phpmyadmin.net/security/PMASA-2016-34/ CVE-2016-6610 (A full path disclosure vulnerability was discovered in phpMyAdmin wher ...) - phpmyadmin 4:4.6.4+dfsg1-1 (unimportant) [wheezy] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-33/ NOTE: Not relevant to packaged version in Debian CVE-2016-6609 (An issue was discovered in phpMyAdmin. A specially crafted database na ...) {DLA-1415-1 DLA-626-1} - phpmyadmin 4:4.6.4+dfsg1-1 NOTE: https://www.phpmyadmin.net/security/PMASA-2016-32/ CVE-2016-6608 (XSS issues were discovered in phpMyAdmin. This affects the database pr ...) - phpmyadmin 4:4.6.4+dfsg1-1 [jessie] - phpmyadmin (Only affects 4.6.x) [wheezy] - phpmyadmin (Only affects 4.6.x) CVE-2016-6607 (XSS issues were discovered in phpMyAdmin. This affects Zoom search (sp ...) {DLA-1821-1 DLA-626-1} - phpmyadmin 4:4.6.4+dfsg1-1 NOTE: https://www.phpmyadmin.net/security/PMASA-2016-30/ CVE-2016-6606 (An issue was discovered in cookie encryption in phpMyAdmin. The decryp ...) {DLA-1821-1 DLA-626-1} - phpmyadmin 4:4.6.4+dfsg1-1 NOTE: https://www.phpmyadmin.net/security/PMASA-2016-29/ CVE-2016-6605 (Impala in CDH 5.2.0 through 5.7.2 and 5.8.0 allows remote attackers to ...) NOT-FOR-US: Impala CVE-2016-6604 (NULL pointer dereference in Samsung Exynos fimg2d driver for Android L ...) NOT-FOR-US: Samsung CVE-2016-7513 (Off-by-one error in magick/cache.c in ImageMagick allows remote attack ...) {DSA-3652-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832455) [wheezy] - imagemagick (Affected code does not exist in version 6.7.7.10) NOTE: https://github.com/ImageMagick/ImageMagick/commit/a54fe0e8600eaf3dc6fe717d3c0398001507f723 CVE-2016-7514 (The ReadPSDChannelPixels function in coders/psd.c in ImageMagick allow ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832457) NOTE: https://bugs.launchpad.net/bugs/1533442 NOTE: https://github.com/ImageMagick/ImageMagick/issues/83 NOTE: https://github.com/ImageMagick/ImageMagick/commit/198fffab4daf8aea88badd9c629350e5b26ec32f NOTE: https://github.com/ImageMagick/ImageMagick/commit/6f1879d498bcc5cce12fe0c5decb8dbc0f608e5d NOTE: https://github.com/ImageMagick/ImageMagick/commit/e14fd0a2801f73bdc123baf4fbab97dec55919eb NOTE: https://github.com/ImageMagick/ImageMagick/commit/280215b9936d145dd5ee91403738ccce1333cab1 NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2016-7515 (The ReadRLEImage function in coders/rle.c in ImageMagick allows remote ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832461) NOTE: https://bugs.launchpad.net/bugs/1533445 NOTE: https://github.com/ImageMagick/ImageMagick/issues/82 NOTE: https://github.com/ImageMagick/ImageMagick/commit/2ad6d33493750a28a5a655d319a8e0b16c392de1 NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2015-8957 (Buffer overflow in ImageMagick before 6.9.0-4 Beta allows remote attac ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832464) NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26838 NOTE: https://github.com/ImageMagick/ImageMagick/commit/78f82d9d1c2944725a279acd573a22168dc6e22a NOTE: https://github.com/ImageMagick/ImageMagick/commit/bd96074b254c6607a0f7731e59f923ad19d5a46d NOTE: https://github.com/ImageMagick/ImageMagick/commit/450bd716ed3b9186dd10f9e60f630a3d9eeea2a4 NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2015-8958 (coders/sun.c in ImageMagick before 6.9.0-4 Beta allows remote attacker ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832465) NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26857 NOTE: https://github.com/ImageMagick/ImageMagick/commit/b8f17d08b7418204bf8a05a5c24e87b2fc395b75 NOTE: https://github.com/ImageMagick/ImageMagick/commit/1aa0c6dab6dcef4d9bc3571866ae1c1ddbec7d8f NOTE: https://github.com/ImageMagick/ImageMagick/commit/6b4aff0f117b978502ee5bcd6e753c17aec5a961 NOTE: https://github.com/ImageMagick/ImageMagick/commit/8ea44b48a182dd46d018f4b4f09a5e2ee9638105 NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2016-7516 (The ReadVIFFImage function in coders/viff.c in ImageMagick allows remo ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832467) NOTE: https://bugs.launchpad.net/bugs/1533452 NOTE: https://github.com/ImageMagick/ImageMagick/issues/77 NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2016-7517 (The EncodeImage function in coders/pict.c in ImageMagick allows remote ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832467) NOTE: https://bugs.launchpad.net/bugs/1533449 NOTE: https://github.com/ImageMagick/ImageMagick/issues/80 NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2016-7518 (The ReadSUNImage function in coders/sun.c in ImageMagick allows remote ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832467) NOTE: https://bugs.launchpad.net/bugs/1533447 NOTE: https://github.com/ImageMagick/ImageMagick/issues/81 NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2016-7519 (The ReadRLEImage function in coders/rle.c in ImageMagick allows remote ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832467) NOTE: https://bugs.launchpad.net/bugs/1533445 NOTE: https://github.com/ImageMagick/ImageMagick/issues/82 NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2016-7520 (Heap-based buffer overflow in coders/hdr.c in ImageMagick allows remot ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832469) NOTE: https://bugs.launchpad.net/bugs/1537213 NOTE: https://github.com/ImageMagick/ImageMagick/issues/90 NOTE: https://github.com/ImageMagick/ImageMagick/commit/14e606db148d6ebcaae20f1e1d6d71903ca4a556 NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2016-7521 (Heap-based buffer overflow in coders/psd.c in ImageMagick allows remot ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832474) NOTE: https://bugs.launchpad.net/bugs/1537418 NOTE: https://github.com/ImageMagick/ImageMagick/issues/92 NOTE: https://github.com/ImageMagick/ImageMagick/commit/30eec879c8b446b0ea9a3bb0da1a441cc8482bc4 NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2016-7522 (The ReadPSDImage function in MagickCore/locale.c in ImageMagick allows ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832475) NOTE: https://bugs.launchpad.net/bugs/1537419 NOTE: https://github.com/ImageMagick/ImageMagick/issues/93 NOTE: https://github.com/ImageMagick/ImageMagick/commit/4b1b9c0522628887195bad3a6723f7000b0c9a58 NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2016-7523 (coders/meta.c in ImageMagick allows remote attackers to cause a denial ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832478) NOTE: https://bugs.launchpad.net/bugs/1537420 NOTE: https://github.com/ImageMagick/ImageMagick/issues/94 NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2016-7524 (coders/meta.c in ImageMagick allows remote attackers to cause a denial ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832478) NOTE: https://bugs.launchpad.net/bugs/1537422 NOTE: https://github.com/ImageMagick/ImageMagick/issues/96 CVE-2016-7525 (Heap-based buffer overflow in coders/psd.c in ImageMagick allows remot ...) {DSA-3652-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832480) [wheezy] - imagemagick (The affected function, GetPSDRowSize, does not exist in version 6.7.7.10) NOTE: https://bugs.launchpad.net/bugs/1537424 NOTE: https://github.com/ImageMagick/ImageMagick/issues/98 NOTE: https://github.com/ImageMagick/ImageMagick/commit/5f16640725b1225e6337c62526e6577f0f88edb8 NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2016-7526 (coders/wpg.c in ImageMagick allows remote attackers to cause a denial ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832482) NOTE: https://bugs.launchpad.net/bugs/1539050 NOTE: https://github.com/ImageMagick/ImageMagick/issues/102 NOTE: https://github.com/ImageMagick/ImageMagick/commit/b6ae2f9e0ab13343c0281732d479757a8e8979c7 NOTE: https://github.com/ImageMagick/ImageMagick/commit/d9b2209a69ee90d8df81fb124eb66f593eb9f599 NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2016-7527 (coders/wpg.c in ImageMagick allows remote attackers to cause a denial ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832482) NOTE: https://bugs.launchpad.net/bugs/1542115 NOTE: https://github.com/ImageMagick/ImageMagick/issues/122 NOTE: https://github.com/ImageMagick/ImageMagick/commit/a251039393f423c7858e63cab6aa98d17b8b7a41 NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2016-7528 (The ReadVIFFImage function in coders/viff.c in ImageMagick allows remo ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832483) NOTE: https://bugs.launchpad.net/bugs/1537425 NOTE: https://github.com/ImageMagick/ImageMagick/issues/99 NOTE: https://github.com/ImageMagick/ImageMagick/commit/ca0c886abd6d3ef335eb74150cd23b89ebd17135 NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2016-7529 (coders/xcf.c in ImageMagick allows remote attackers to cause a denial ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832504) NOTE: https://bugs.launchpad.net/bugs/1539051 NOTE: https://bugs.launchpad.net/bugs/1539052 NOTE: https://github.com/ImageMagick/ImageMagick/issues/104 NOTE: https://github.com/ImageMagick/ImageMagick/issues/103 NOTE: https://github.com/ImageMagick/ImageMagick/commit/a2e1064f288a353bc5fef7f79ccb7683759e775c NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2016-7530 (The quantum handling code in ImageMagick allows remote attackers to ca ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832506) NOTE: https://bugs.launchpad.net/bugs/1539067 NOTE: https://bugs.launchpad.net/bugs/1539053 NOTE: https://github.com/ImageMagick/ImageMagick/issues/105 NOTE: https://github.com/ImageMagick/ImageMagick/commit/63346f34f9d19179599b5b256e5e8d3dda46435c NOTE: https://github.com/ImageMagick/ImageMagick/commit/c4e63ad30bc42da691f2b5f82a24516dd6b4dc70 NOTE: https://github.com/ImageMagick/ImageMagick/issues/110 NOTE: https://github.com/ImageMagick/ImageMagick/commit/b5ed738f8060266bf4ae521f7e3ed145aa4498a3 NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2016-7531 (MagickCore/memory.c in ImageMagick allows remote attackers to cause a ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832633) NOTE: https://bugs.launchpad.net/bugs/1539061 NOTE: https://bugs.launchpad.net/bugs/1542112 NOTE: https://github.com/ImageMagick/ImageMagick/issues/107 NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2016-7532 (coders/psd.c in ImageMagick allows remote attackers to cause a denial ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832776) NOTE: https://bugs.launchpad.net/bugs/1539066 NOTE: https://github.com/ImageMagick/ImageMagick/issues/109 NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2016-7533 (The ReadWPGImage function in coders/wpg.c in ImageMagick allows remote ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832780) NOTE: https://bugs.launchpad.net/bugs/1542114 NOTE: https://github.com/ImageMagick/ImageMagick/issues/120 NOTE: https://github.com/ImageMagick/ImageMagick/commit/bef1e4f637d8f665bc133a9c6d30df08d983bc3a NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2016-7534 (The generic decoder in ImageMagick allows remote attackers to cause a ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832785) NOTE: https://bugs.launchpad.net/bugs/1542785 NOTE: https://github.com/ImageMagick/ImageMagick/issues/126 NOTE: https://github.com/ImageMagick/ImageMagick/commit/430403b0029b37decf216d57f810899cab2317dd NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2016-7535 (coders/psd.c in ImageMagick allows remote attackers to cause a denial ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832787) NOTE: https://bugs.launchpad.net/bugs/1545180 NOTE: https://github.com/ImageMagick/ImageMagick/issues/128 NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2016-7536 (magick/profile.c in ImageMagick allows remote attackers to cause a den ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832789) NOTE: https://bugs.launchpad.net/bugs/1545367 NOTE: https://github.com/ImageMagick/ImageMagick/issues/130 NOTE: https://github.com/ImageMagick/ImageMagick/commit/478cce544fdf1de882d78381768458f397964453 NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2016-7537 (MagickCore/memory.c in ImageMagick allows remote attackers to cause a ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832791) NOTE: https://bugs.launchpad.net/bugs/1553366 NOTE: https://github.com/ImageMagick/ImageMagick/issues/143 NOTE: https://github.com/ImageMagick/ImageMagick/commit/424d40ebfcde48bb872eba75179d3d73704fdf1f NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2016-7538 (coders/psd.c in ImageMagick allows remote attackers to cause a denial ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832793) NOTE: https://bugs.launchpad.net/bugs/1556273 NOTE: https://github.com/ImageMagick/ImageMagick/issues/148 NOTE: https://github.com/ImageMagick/ImageMagick/commit/53c1dcd34bed85181b901bfce1a2322f85a59472 NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2015-8959 (coders/dds.c in ImageMagick before 6.9.0-4 Beta allows remote attacker ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832944) NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26861 NOTE: https://github.com/ImageMagick/ImageMagick/commit/3ab016764c7f787829d9065440d86f5609765110 NOTE: https://github.com/ImageMagick/ImageMagick/commit/9b428b7af688fe319320aed15f2b94281d1e37b4 NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2014-9907 (coders/dds.c in ImageMagick allows remote attackers to cause a denial ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832942) NOTE: https://github.com/ImageMagick/ImageMagick/commit/21eae25a8db5fdcd112dbcfcd9e5c37e32d32e2f NOTE: https://github.com/ImageMagick/ImageMagick/commit/d7325bac173492b358417a0ad49fabad44447d52 NOTE: https://github.com/ImageMagick/ImageMagick/commit/504ada82b6fa38a30c846c1c29116af7290decb2 NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2016-7539 (Memory leak in AcquireVirtualMemory in ImageMagick before 7 allows rem ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #833101) NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/4e81ce8b07219c69a9aeccb0f7f7b927ca6db74c NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=2&t=28946 NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2016-7540 (coders/rgf.c in ImageMagick before 6.9.4-10 allows remote attackers to ...) {DSA-3652-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #827643) [wheezy] - imagemagick (RGF coder is not present in version 6.7.7.10) NOTE: https://bugs.launchpad.net/bugs/1594060 NOTE: https://github.com/ImageMagick/ImageMagick/pull/223 NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2016-6603 (ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to bypas ...) NOT-FOR-US: ZOHO WebNMS CVE-2016-6602 (ZOHO WebNMS Framework 5.2 and 5.2 SP1 use a weak obfuscation algorithm ...) NOT-FOR-US: ZOHO WebNMS CVE-2016-6601 (Directory traversal vulnerability in the file download functionality i ...) NOT-FOR-US: ZOHO WebNMS CVE-2016-6600 (Directory traversal vulnerability in the file upload functionality in ...) NOT-FOR-US: ZOHO WebNMS CVE-2016-6599 (BMC Track-It! 11.4 before Hotfix 3 exposes an unauthenticated .NET rem ...) NOT-FOR-US: BMC Track-It! CVE-2016-6598 (BMC Track-It! 11.4 before Hotfix 3 exposes an unauthenticated .NET rem ...) NOT-FOR-US: BMC Track-It! CVE-2016-6597 (Sophos EAS Proxy before 6.2.0 for Sophos Mobile Control, when Lotus Tr ...) NOT-FOR-US: Sophos EAS Proxy NOTE: https://www.pallas.com/advisories/sophos_eas_open_reverse_proxy_vulnerability CVE-2016-6596 RESERVED CVE-2016-6594 (Blue Coat Advanced Secure Gateway 6.6, CacheFlow 3.4, ProxySG 6.5 and ...) NOT-FOR-US: Blue Coat CVE-2016-6593 (A code-execution vulnerability exists during startup in jhi.dll and ot ...) NOT-FOR-US: Symantec VIP Access CVE-2016-6592 (A vulnerability was found in Symantec Norton Download Manager versions ...) NOT-FOR-US: Symantec CVE-2016-6591 (A security bypass vulnerability exists in Symantec Norton App Lock 1.0 ...) NOT-FOR-US: Symantec CVE-2016-6590 (A privilege escalation vulnerability exists when loading DLLs during b ...) NOT-FOR-US: Symantec CVE-2016-6589 (A Denial of Service vulnerability exists in the ITMS workflow process ...) NOT-FOR-US: Symantec CVE-2016-6588 (A Cross-Site Scripting (XSS) vulnerability exists in the ITMS workflow ...) NOT-FOR-US: Symantec CVE-2016-6587 (An Information Disclosure vulnerability exists in the mid.dat file sto ...) NOT-FOR-US: Symantec CVE-2016-6586 (A security bypass vulnerability exists in Symantec Norton Mobile Secur ...) NOT-FOR-US: Symantec CVE-2016-6585 (A Denial of Service vulnerability exists in Symantec Norton Mobile Sec ...) NOT-FOR-US: Symantec CVE-2016-6584 RESERVED CVE-2016-6583 RESERVED CVE-2016-6582 (The Doorkeeper gem before 4.2.0 for Ruby might allow remote attackers ...) - ruby-doorkeeper 4.2.0-3 (bug #834843) NOTE: https://github.com/doorkeeper-gem/doorkeeper/commit/fb938051777a3c9cb071e96fc66458f8f615bd53 NOTE: https://github.com/doorkeeper-gem/doorkeeper/issues/875 CVE-2016-6579 REJECTED CVE-2016-6578 (CodeLathe FileCloud, version 13.0.0.32841 and earlier, contains a glob ...) NOT-FOR-US: CodeLathe FileCloud CVE-2016-6577 RESERVED CVE-2016-6576 RESERVED CVE-2016-6575 RESERVED CVE-2016-6574 RESERVED CVE-2016-6573 RESERVED CVE-2016-6572 RESERVED CVE-2016-6571 RESERVED CVE-2016-6570 RESERVED CVE-2016-6569 RESERVED CVE-2016-6568 RESERVED CVE-2016-6567 (SHDesigns' Resident Download Manager provides firmware update capabili ...) NOT-FOR-US: SHDesigns CVE-2016-6566 (The valueAsString parameter inside the JSON payload contained by the u ...) NOT-FOR-US: Sungard CVE-2016-6565 (The Imagely NextGen Gallery plugin for Wordpress prior to version 2.1. ...) NOT-FOR-US: Wordpress plugin CVE-2016-6564 (Android devices with code from Ragentek contain a privileged binary th ...) NOT-FOR-US: Ragentek CVE-2016-6563 (Processing malformed SOAP messages when performing the HNAP Login acti ...) NOT-FOR-US: HNAP CVE-2016-6562 (On iOS and Android devices, the ShoreTel Mobility Client app version 9 ...) NOT-FOR-US: ShoreTel Mobility Client CVE-2016-6561 (illumos smbsrv NULL pointer dereference allows system crash. ...) NOT-FOR-US: illumos CVE-2016-6560 (illumos osnet-incorporation bcopy() and bzero() implementations make s ...) NOT-FOR-US: illumos CVE-2016-6559 (Improper bounds checking of the obuf variable in the link_ntoa() funct ...) NOT-FOR-US: freebsd libc CVE-2016-6558 (A command injection vulnerability exists in apply.cgi on the ASUS RP-A ...) NOT-FOR-US: ASUS CVE-2016-6557 (In ASUS RP-AC52 access points with firmware version 1.0.1.1s and possi ...) NOT-FOR-US: ASUS RP-AC52 access points CVE-2016-6556 RESERVED CVE-2016-6555 RESERVED CVE-2016-6554 (Synology NAS servers DS107, firmware version 3.1-1639 and prior, and D ...) NOT-FOR-US: Synology CVE-2016-6553 (Nuuo NT-4040 Titan, firmware NT-4040_01.07.0000.0015_1120, uses non-ra ...) NOT-FOR-US: Nuuo NT-4040 Titan CVE-2016-6552 (Green Packet DX-350 uses non-random default credentials of: root:wimax ...) NOT-FOR-US: Green Packet DX-350 CVE-2016-6551 (Intellian Satellite TV antennas t-Series and v-Series, firmware versio ...) NOT-FOR-US: Intellian CVE-2016-6550 (The U by BB&T app 1.5.4 and earlier for iOS does not properly veri ...) NOT-FOR-US: BB&T CVE-2016-6549 (The Zizai Tech Nut device allows unauthenticated Bluetooth pairing, wh ...) NOT-FOR-US: Zizai Tech Nut device CVE-2016-6548 (The Zizai Tech Nut mobile app makes requests via HTTP instead of HTTPS ...) NOT-FOR-US: Zizai Tech Nut mobile app CVE-2016-6547 (The Zizai Tech Nut mobile app stores the account password used to auth ...) NOT-FOR-US: Zizai Tech Nut mobile app CVE-2016-6546 (The iTrack Easy mobile application stores the account password used to ...) NOT-FOR-US: iTrack CVE-2016-6545 (Session cookies are not used for maintaining valid sessions in iTrack ...) NOT-FOR-US: iTrack CVE-2016-6544 (getgps data in iTrack Easy can be modified without authentication by s ...) NOT-FOR-US: iTrack CVE-2016-6543 (A captured MAC/device ID of an iTrack Easy can be registered under mul ...) NOT-FOR-US: iTrack CVE-2016-6542 (The iTrack device tracking ID number, also called "LosserID" in the we ...) NOT-FOR-US: iTrack CVE-2016-6541 (TrackR Bravo device allows unauthenticated pairing, which enables unau ...) NOT-FOR-US: TrackR CVE-2016-6540 (Unauthenticated access to the cloud-based service maintained by TrackR ...) NOT-FOR-US: TrackR CVE-2016-6539 (The Trackr device ID is constructed of a manufacturer identifier of fo ...) NOT-FOR-US: TrackR CVE-2016-6538 (The TrackR Bravo mobile app stores the account password used to authen ...) NOT-FOR-US: TrackR CVE-2016-6537 (AVer Information EH6108H+ devices with firmware X9.03.24.00.07l store ...) NOT-FOR-US: AVer CVE-2016-6536 (The /setup URI on AVer Information EH6108H+ devices with firmware X9.0 ...) NOT-FOR-US: AVer CVE-2016-6535 (AVer Information EH6108H+ devices with firmware X9.03.24.00.07l have h ...) NOT-FOR-US: AVer CVE-2016-6534 (Opmantek NMIS before 4.3.7c has command injection via man, finger, pin ...) NOT-FOR-US: Opmantek NMIS CVE-2016-6533 RESERVED CVE-2016-6532 (DEXIS Imaging Suite 10 has a hardcoded password for the sa account, wh ...) NOT-FOR-US: DEXIS CVE-2016-6531 (** DISPUTED ** Open Dental 16.1 and earlier has a hardcoded MySQL root ...) NOT-FOR-US: Open Dental CVE-2016-6530 (Dentsply Sirona (formerly Schick) CDR Dicom 5 and earlier has default ...) NOT-FOR-US: Dentsply Sirona CVE-2016-6529 RESERVED CVE-2016-6528 RESERVED CVE-2016-6524 RESERVED CVE-2008-7318 RESERVED CVE-2008-7317 RESERVED CVE-2016-6527 (The SmartCall Activity component in Telecom application on Samsung Not ...) NOT-FOR-US: Samsung NOTE: http://security.samsungmobile.com/smrupdate.html#SMR-AUG-2016 CVE-2016-6526 (The SpamCall Activity component in Telecom application on Samsung Note ...) NOT-FOR-US: Samsung NOTE: http://security.samsungmobile.com/smrupdate.html#SMR-AUG-2016 CVE-2016-6595 (** DISPUTED ** The SwarmKit toolkit 1.12.0 for Docker allows remote au ...) - docker.io (Only affects Docker 1.12) NOTE: http://seclists.org/oss-sec/2016/q3/198 CVE-2016-6581 (A HTTP/2 implementation built using any version of the Python HPACK li ...) - python-hpack 2.3.0-1 (bug #833467) NOTE: https://github.com/python-hyper/hpack/pull/56 CVE-2016-6580 (A HTTP/2 implementation built using any version of the Python priority ...) NOT-FOR-US: Python Priority NOTE: https://github.com/python-hyper/priority/pull/23 CVE-2016-6519 (Cross-site scripting (XSS) vulnerability in the "Shares" overview in O ...) - manila-ui 2.5.1-0 (bug #838017) CVE-2016-6518 (Memory leak in Huawei S9300, S5300, S5700, S6700, S7700, S9700, and S1 ...) NOT-FOR-US: Huawei CVE-2016-6517 (Directory traversal vulnerability in Liferay 5.1.0 allows remote attac ...) NOT-FOR-US: Liferay CVE-2016-6515 (The auth_password function in auth-passwd.c in sshd in OpenSSH before ...) {DLA-1500-1 DLA-594-1} - openssh 1:7.3p1-1 (bug #833823) NOTE: Fixed by: https://anongit.mindrot.org/openssh.git/commit/?id=fcd135c9df440bcd2d5870405ad3311743d78d97 CVE-2016-6514 RESERVED CVE-2016-6502 RESERVED CVE-2016-6501 (JFrog Artifactory before 4.11 allows remote attackers to execute arbit ...) NOT-FOR-US: JFrog Artifactory CVE-2016-6500 (Unspecified methods in the RACF Connector component before 1.1.1.0 in ...) NOT-FOR-US: ForgeRock CVE-2016-6499 RESERVED CVE-2016-6498 RESERVED CVE-2016-6497 (main/java/org/apache/directory/groovyldap/LDAP.java in the Groovy LDAP ...) NOT-FOR-US: Groovy LDAP extension CVE-2016-6496 (The LDAP directory connector in Atlassian Crowd before 2.8.8 and 2.9.x ...) NOT-FOR-US: Atlassian Crowd CVE-2016-6525 (Heap-based buffer overflow in the pdf_load_mesh_params function in pdf ...) {DSA-3655-1 DLA-589-1} - mupdf 1.9a+ds1-1.2 (bug #833417) NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=696954 NOTE: Fixed by: http://git.ghostscript.com/?p=mupdf.git;h=39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e CVE-2016-6523 (Multiple cross-site scripting (XSS) vulnerabilities in the media manag ...) - dotclear NOTE: Fixed by: https://hg.dotclear.org/dotclear/rev/40d0207e520d CVE-2016-6522 (Integer overflow in the uvm_map_isavail function in uvm/uvm_map.c in O ...) NOT-FOR-US: OpenBSD CVE-2016-6521 (Cross-site request forgery (CSRF) vulnerability in Grails console (aka ...) - grails (bug #473213) CVE-2016-6520 (Buffer overflow in MagickCore/enhance.c in ImageMagick before 7.0.2-7 ...) - imagemagick (Only affects imagemagick 7, which isn't packaged yet, bug #833485) NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/76401e172ea3a55182be2b8e2aca4d07270f6da6 NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30259&p=136359#p136359 CVE-2016-6516 (Race condition in the ioctl_file_dedupe_range function in fs/ioctl.c i ...) - linux 4.7.2-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Introduced by: https://git.kernel.org/linus/54dbc15172375641ef03399e8f911d7165eb90fb (v4.5-rc1) NOTE: Fixed by: https://git.kernel.org/linus/10eec60ce79187686e052092e5383c99b4420a20 CVE-2016-6495 (NetApp Data ONTAP before 8.2.4P5, when operating in 7-Mode, allows rem ...) NOT-FOR-US: NetApp CVE-2016-6493 (Citrix XenApp 6.x before 6.5 HRP07 and 7.x before 7.9 and Citrix XenDe ...) NOT-FOR-US: Citrix CVE-2016-XXXX [bruteforcable challenge responses in unprotected logfile] - mongodb 1:2.6.12-1 (bug #833087) [jessie] - mongodb 1:2.4.10-5+deb8u1 [wheezy] - mongodb 1:2.0.6-1.1+deb7u1 NOTE: Fixed in experimental 1:2.6.11-1, first version in unstable 1:2.6.12-1 NOTE: https://jira.mongodb.org/browse/SERVER-9476 NOTE: Fixed by: https://github.com/mongodb/mongo/commit/f85ceb17b37210eef71e8113162c41368bfd5c12 CVE-2016-6492 (The MT6573FDVT_SetRegHW function in camera_fdvt.c in the MediaTek driv ...) NOT-FOR-US: Out of tree driver from https://github.com/jawad6233/MT6795.kernel CVE-2016-6488 RESERVED CVE-2016-6487 RESERVED CVE-2016-6486 (Siemens SINEMA Server uses weak permissions for the application folder ...) NOT-FOR-US: Siemens Sinema Server NOTE: http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-321174.pdf CVE-2016-6494 (The client in MongoDB uses world-readable permissions on .dbshell hist ...) {DLA-588-1} - mongodb 1:2.6.12-3 (bug #832908) [jessie] - mongodb 1:2.4.10-5+deb8u1 NOTE: http://www.openwall.com/lists/oss-security/2016/07/29/4 CVE-2016-6491 (Buffer overflow in the Get8BIMProperty function in MagickCore/property ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #833099) NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/dd84447b63a71fa8c3f47071b09454efc667767b CVE-2016-6489 (The RSA and DSA decryption code in Nettle makes it easier for attacker ...) {DLA-593-1} - nettle 3.3-1 (bug #832983) [jessie] - nettle 2.7.1-5+deb8u2 NOTE: https://lists.lysator.liu.se/pipermail/nettle-bugs/2016/003093.html NOTE: https://git.lysator.liu.se/nettle/nettle/commit/3fe1d6549765ecfb24f0b80b2ed086fdc818bff3 NOTE: Original patch had some unintended side effects: https://lists.lysator.liu.se/pipermail/nettle-bugs/2016/003104.html NOTE: Cf. http://www.openwall.com/lists/oss-security/2016/07/30/2 NOTE: Additionally needed: https://git.lysator.liu.se/nettle/nettle/commit/52b9223126b3f997c00d399166c006ae28669068 NOTE: GnuTLS needs an update when/before src:nettle is fixed to continue working with patched src:nettle for CVE-2016-6489 NOTE: but not a vulnerability in GnuTLS. Needs https://gitlab.com/gnutls/gnutls/commit/186dc9c2012003587a38d7f4d03edd8da5fe989f CVE-2016-6485 (The __construct function in Framework/Encryption/Crypt.php in Magento ...) NOT-FOR-US: Magento CVE-2016-6484 (CRLF injection vulnerability in Infoblox Network Automation NetMRI bef ...) NOT-FOR-US: Infoblox Network Automation NetMR CVE-2016-6513 (epan/dissectors/packet-wbxml.c in the WBXML dissector in Wireshark 2.x ...) - wireshark 2.0.5+ga3be9c6-1 [jessie] - wireshark (Only affects 2.x) [wheezy] - wireshark (Only affects 2.x) NOTE: Affects 2.0.0 to 2.0.4, fixed in 2.0.5 NOTE: https://www.wireshark.org/security/wnpa-sec-2016-49.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12663 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=347f071f1b9180563c28b0f3d0627b91eb456c72 NOTE: http://www.openwall.com/lists/oss-security/2016/07/28/3 CVE-2016-6512 (epan/dissectors/packet-wap.c in Wireshark 2.x before 2.0.5 omits an ov ...) - wireshark 2.0.5+ga3be9c6-1 [jessie] - wireshark (Only affects 2.x) [wheezy] - wireshark (Only affects 2.x) NOTE: Affects 2.0.0 to 2.0.4, fixed in 2.0.5. NOTE: https://www.wireshark.org/security/wnpa-sec-2016-48.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12661 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2193bea3212d74e2a907152055e27d409b59485e NOTE: http://www.openwall.com/lists/oss-security/2016/07/28/3 CVE-2016-6511 (epan/proto.c in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5 a ...) {DSA-3648-1 DLA-595-1} - wireshark 2.0.5+ga3be9c6-1 NOTE: Affects 2.0.0 to 2.0.4, 1.12.0 to 1.12.12, fixed in 2.0.5, 1.12.13. NOTE: https://www.wireshark.org/security/wnpa-sec-2016-47.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12659 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=56706427f53cc64793870bf072c2c06248ae88f3 NOTE: http://www.openwall.com/lists/oss-security/2016/07/28/3 CVE-2016-6510 (Off-by-one error in epan/dissectors/packet-rlc.c in the RLC dissector ...) {DSA-3648-1 DLA-595-1} - wireshark 2.0.5+ga3be9c6-1 NOTE: Affects 2.0.0 to 2.0.4, 1.12.0 to 1.12.12, fixed in 2.0.5, 1.12.13. NOTE: https://www.wireshark.org/security/wnpa-sec-2016-46.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12664 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=47a5fa850b388fcf4ea762073806f01b459820fe NOTE: http://www.openwall.com/lists/oss-security/2016/07/28/3 CVE-2016-6509 (epan/dissectors/packet-ldss.c in the LDSS dissector in Wireshark 1.12. ...) {DSA-3648-1 DLA-595-1} - wireshark 2.0.5+ga3be9c6-1 NOTE: Affects 2.0.0 to 2.0.4, 1.12.0 to 1.12.12, fixed in 2.0.5, 1.12.13. NOTE: https://www.wireshark.org/security/wnpa-sec-2016-45.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12662 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=5a469ddc893f7c1912d0e15cc73bd3011e6cc2fb NOTE: http://www.openwall.com/lists/oss-security/2016/07/28/3 CVE-2016-6508 (epan/dissectors/packet-rlc.c in the RLC dissector in Wireshark 1.12.x ...) {DSA-3648-1 DLA-595-1} - wireshark 2.0.5+ga3be9c6-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2016-44.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12660 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=6cf9616df68a4db7e436bb77392586ff9ad84feb NOTE: Affects 2.0.0 to 2.0.4, 1.12.0 to 1.12.12, fixed in 2.0.5, 1.12.13. NOTE: http://www.openwall.com/lists/oss-security/2016/07/28/3 CVE-2016-6507 (epan/dissectors/packet-mmse.c in the MMSE dissector in Wireshark 1.12. ...) {DSA-3648-1 DLA-595-1} - wireshark 2.0 NOTE: Only affects 1.12, marking 2.0 as fixed NOTE: https://www.wireshark.org/security/wnpa-sec-2016-43.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12624 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=b5a10743258bd016c07ebf6479137fda3d172a0f NOTE: Affects 1.12.0 to 1.12.12, fixed 1.12.13 NOTE: http://www.openwall.com/lists/oss-security/2016/07/28/3 CVE-2016-6506 (epan/dissectors/packet-wsp.c in the WSP dissector in Wireshark 1.12.x ...) {DSA-3648-1 DLA-595-1} - wireshark 2.0.5+ga3be9c6-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2016-42.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12594 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=a9d5256890c9189c7461bfce6ed6edce5d861499 NOTE: Affects 2.0.0 to 2.0.4, 1.12.0 to 1.12.12 , fixed in 2.0.5, 1.12.13 NOTE: http://www.openwall.com/lists/oss-security/2016/07/28/3 CVE-2016-6505 (epan/dissectors/packet-packetbb.c in the PacketBB dissector in Wiresha ...) {DSA-3648-1 DLA-595-1} - wireshark 2.0.5+ga3be9c6-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2016-41.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12577 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=94e97e45cf614c7bb8fe90c23df52910246b2c95 NOTE: Affects 2.0.0 to 2.0.4, 1.12.0 to 1.12.12, fixed in 2.0.5, 1.12.13. NOTE: http://www.openwall.com/lists/oss-security/2016/07/28/3 CVE-2016-6504 (epan/dissectors/packet-ncp2222.inc in the NDS dissector in Wireshark 1 ...) {DSA-3648-1 DLA-595-1} - wireshark 2.0 NOTE: Only affects 1.12, marking 2.0 as fixed NOTE: https://www.wireshark.org/security/wnpa-sec-2016-40.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12576 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=9eacbb4d48df647648127b9258f9e5aeeb0c7d99 NOTE: Affects 1.12.0 to 1.12.12, fixed in 1.12.13. NOTE: http://www.openwall.com/lists/oss-security/2016/07/28/3 CVE-2016-6503 (The CORBA IDL dissectors in Wireshark 2.x before 2.0.5 on 64-bit Windo ...) - wireshark (Only affects Wireshark on Windows) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-39.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12495 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=581a17af40b84ef0c9e7f41ed0795af345b61ce1 NOTE: http://www.openwall.com/lists/oss-security/2016/07/28/3 CVE-2016-6490 (The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Qui ...) - qemu 1:2.6+dfsg-3.1 (bug #832767) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Issue introduced later) - qemu-kvm [wheezy] - qemu-kvm (Issue introduced later) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-07/msg06246.html NOTE: Introduced by: http://git.qemu.org/?p=qemu.git;a=commit;h=3b3b0628217e2726069990ff9942a5d6d9816bd7 (v2.6.0-rc0) CVE-2016-6483 (The media-file upload feature in vBulletin before 3.8.7 Patch Level 6, ...) NOT-FOR-US: vBulletin CVE-2016-6482 RESERVED CVE-2016-6481 RESERVED CVE-2013-7459 (Heap-based buffer overflow in the ALGnew function in block_templace.c ...) {DLA-773-1} - python-crypto 2.6.1-7 (bug #849495) [jessie] - python-crypto 2.6.1-5+deb8u1 NOTE: https://github.com/dlitz/pycrypto/issues/176 NOTE: Fixed by: https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4 NOTE: All users of pycrypto's AES module in Debian that allow the mode NOTE: of operation to be specified from outside check for ECB explicitly NOTE: and create the objects without specifying an IV. CVE-2013-7458 (linenoise, as used in Redis before 3.2.3, uses world-readable permissi ...) {DSA-3634-1 DLA-577-1} - redis 2:3.2.1-4 (bug #832460) NOTE: http://www.openwall.com/lists/oss-security/2016/07/28/1 CVE-2016-6480 (Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/ ...) {DSA-3659-1 DLA-609-1} - linux 4.7.2-1 NOTE: Fixed by: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3 CVE-2016-6478 RESERVED CVE-2016-6477 RESERVED CVE-2016-6476 RESERVED CVE-2016-6475 RESERVED CVE-2016-6474 (A vulnerability in the implementation of X.509 Version 3 for SSH authe ...) NOT-FOR-US: Cisco CVE-2016-6473 (A vulnerability in Cisco IOS on Catalyst Switches and Nexus 9300 Serie ...) NOT-FOR-US: Cisco CVE-2016-6472 (A vulnerability in several parameters of the ccmivr page of Cisco Unif ...) NOT-FOR-US: Cisco CVE-2016-6471 (A vulnerability in the web-based management interface of Cisco Firepow ...) NOT-FOR-US: Cisco CVE-2016-6470 (A vulnerability in the installation procedure of the Cisco Hybrid Medi ...) NOT-FOR-US: Cisco CVE-2016-6469 (A vulnerability in HTTP URL parsing of Cisco AsyncOS for Cisco Web Sec ...) NOT-FOR-US: Cisco CVE-2016-6468 (A vulnerability in the web-based management interface of Cisco Emergen ...) NOT-FOR-US: Cisco CVE-2016-6467 (A vulnerability in IPv6 packet fragment reassembly of StarOS for Cisco ...) NOT-FOR-US: Cisco CVE-2016-6466 (A vulnerability in the IPsec component of StarOS for Cisco ASR 5000 Se ...) NOT-FOR-US: Cisco CVE-2016-6465 (A vulnerability in the content filtering functionality of Cisco AsyncO ...) NOT-FOR-US: Cisco CVE-2016-6464 (A vulnerability in the web management interface of the Cisco Unified C ...) NOT-FOR-US: Cisco CVE-2016-6463 (A vulnerability in the email filtering functionality of Cisco AsyncOS ...) NOT-FOR-US: Cisco CVE-2016-6462 (A vulnerability in the email filtering functionality of Cisco AsyncOS ...) NOT-FOR-US: Cisco CVE-2016-6461 (A vulnerability in the HTTP web-based management interface of the Cisc ...) NOT-FOR-US: Cisco CVE-2016-6460 (A vulnerability in the FTP Representational State Transfer Application ...) NOT-FOR-US: Cisco CVE-2016-6459 (Cisco TelePresence endpoints running either CE or TC software contain ...) NOT-FOR-US: Cisco CVE-2016-6458 (A vulnerability in the content filtering functionality of Cisco AsyncO ...) NOT-FOR-US: Cisco CVE-2016-6457 (A vulnerability in the Cisco Nexus 9000 Series Platform Leaf Switches ...) NOT-FOR-US: Cisco CVE-2016-6456 RESERVED CVE-2016-6455 (A vulnerability in the Slowpath of StarOS for Cisco ASR 5500 Series ro ...) NOT-FOR-US: Cisco CVE-2016-6454 (A cross-site request forgery (CSRF) vulnerability in the web interface ...) NOT-FOR-US: Cisco CVE-2016-6453 (A vulnerability in the web framework code of Cisco Identity Services E ...) NOT-FOR-US: Cisco CVE-2016-6452 (A vulnerability in the web-based graphical user interface (GUI) of Cis ...) NOT-FOR-US: Cisco CVE-2016-6451 (Multiple vulnerabilities in the web framework code of the Cisco Prime ...) NOT-FOR-US: Cisco CVE-2016-6450 (A vulnerability in the package unbundle utility of Cisco IOS XE Softwa ...) NOT-FOR-US: Cisco CVE-2016-6449 (A vulnerability in the system management of certain FireAMP system pro ...) NOT-FOR-US: Cisco CVE-2016-6448 (A vulnerability in the Session Description Protocol (SDP) parser of Ci ...) NOT-FOR-US: Cisco CVE-2016-6447 (A vulnerability in Cisco Meeting Server and Meeting App could allow an ...) NOT-FOR-US: Cisco Meeting Server and Meeting App CVE-2016-6446 (A vulnerability in Web Bridge for Cisco Meeting Server could allow an ...) NOT-FOR-US: Cisco CVE-2016-6445 (A vulnerability in the Extensible Messaging and Presence Protocol (XMP ...) NOT-FOR-US: Cisco CVE-2016-6444 (A vulnerability in Cisco Meeting Server could allow an unauthenticated ...) NOT-FOR-US: Cisco CVE-2016-6443 (A vulnerability in the Cisco Prime Infrastructure and Evolved Programm ...) NOT-FOR-US: Cisco CVE-2016-6442 (A vulnerability in Cisco Finesse Agent and Supervisor Desktop Software ...) NOT-FOR-US: Cisco CVE-2016-6441 (A vulnerability in the Transaction Language 1 (TL1) code of Cisco ASR ...) NOT-FOR-US: Cisco ASR 900 Series Aggregation Services Routers CVE-2016-6440 (The Cisco Unified Communications Manager (CUCM) may be vulnerable to d ...) NOT-FOR-US: Cisco CVE-2016-6439 (A vulnerability in the detection engine reassembly of HTTP packets for ...) NOT-FOR-US: Cisco CVE-2016-6438 (A vulnerability in Cisco IOS XE Software running on Cisco cBR-8 Conver ...) NOT-FOR-US: Cisco CVE-2016-6437 (A vulnerability in the SSL session cache management of Cisco Wide Area ...) NOT-FOR-US: Cisco CVE-2016-6436 (Cross-site scripting (XSS) vulnerability in HostScan Engine 3.0.08062 ...) NOT-FOR-US: Cisco CVE-2016-6435 (The web console in Cisco Firepower Management Center 6.0.1 allows remo ...) NOT-FOR-US: Cisco CVE-2016-6434 (Cisco Firepower Management Center 6.0.1 has hardcoded database credent ...) NOT-FOR-US: Cisco CVE-2016-6433 (The Threat Management Console in Cisco Firepower Management Center 5.2 ...) NOT-FOR-US: Cisco CVE-2016-6432 (A vulnerability in the Identity Firewall feature of Cisco ASA Software ...) NOT-FOR-US: Cisco CVE-2016-6431 (A vulnerability in the local Certificate Authority (CA) feature of Cis ...) NOT-FOR-US: Cisco CVE-2016-6430 (A vulnerability in the command-line interface of the Cisco IP Interope ...) NOT-FOR-US: Cisco CVE-2016-6429 (A vulnerability in the web framework code of the Cisco IP Interoperabi ...) NOT-FOR-US: Cisco CVE-2016-6428 (Cisco IOS XR 6.1.1 allows local users to execute arbitrary OS commands ...) NOT-FOR-US: Cisco CVE-2016-6427 (Cross-site request forgery (CSRF) vulnerability in Cisco Unified Intel ...) NOT-FOR-US: Cisco CVE-2016-6426 (The j_spring_security_switch_user function in Cisco Unified Intelligen ...) NOT-FOR-US: Cisco CVE-2016-6425 (Cross-site scripting (XSS) vulnerability in Cisco Unified Intelligence ...) NOT-FOR-US: Cisco CVE-2016-6424 (The DHCP Relay implementation in Cisco Adaptive Security Appliance (AS ...) NOT-FOR-US: Cisco CVE-2016-6423 (The IKEv2 client and initiator implementations in Cisco IOS 15.5(3)M a ...) NOT-FOR-US: Cisco CVE-2016-6422 (Cisco IOS 12.2(33)SXJ9 on Supervisor Engine 32 and 720 modules for 650 ...) NOT-FOR-US: Cisco CVE-2016-6421 (Cisco IOS XR 5.2.2 allows remote attackers to cause a denial of servic ...) NOT-FOR-US: Cisco CVE-2016-6420 (Cisco FireSIGHT System Software 4.10.3 through 5.4.0 in Firepower Mana ...) NOT-FOR-US: Cisco CVE-2016-6419 (SQL injection vulnerability in Cisco Firepower Management Center 4.10. ...) NOT-FOR-US: Cisco CVE-2016-6418 (Cross-site scripting (XSS) vulnerability in Cisco Videoscape Distribut ...) NOT-FOR-US: Cisco CVE-2016-6417 (Cross-site request forgery (CSRF) vulnerability in Cisco FireSIGHT Sys ...) NOT-FOR-US: Cisco CVE-2016-6416 (The FTP service in Cisco AsyncOS on Email Security Appliance (ESA) dev ...) NOT-FOR-US: Cisco CVE-2016-6415 (The server IKEv1 implementation in Cisco IOS 12.2 through 12.4 and 15. ...) NOT-FOR-US: Cisco CVE-2016-6414 (iox in Cisco IOS, possibly 15.6 and earlier, and IOS XE, possibly 3.18 ...) NOT-FOR-US: Cisco CVE-2016-6413 (The installation procedure on Cisco Application Policy Infrastructure ...) NOT-FOR-US: Cisco CVE-2016-6412 (The Cisco Application-hosting Framework (CAF) component in Cisco IOS 1 ...) NOT-FOR-US: Cisco CVE-2016-6411 (Cisco Firepower Management Center and FireSIGHT System Software 6.0.1 ...) NOT-FOR-US: Cisco CVE-2016-6410 (The Cisco Application-hosting Framework (CAF) component in Cisco IOS 1 ...) NOT-FOR-US: Cisco CVE-2016-6409 (The Data in Motion (DMo) component in Cisco IOS 15.6(1)T and IOS XE, w ...) NOT-FOR-US: Cisco CVE-2016-6408 (Cisco Prime Home 5.2.0 allows remote attackers to read arbitrary files ...) NOT-FOR-US: Cisco CVE-2016-6407 (Cisco AsyncOS through 9.5.0-444 on Web Security Appliance (WSA) device ...) NOT-FOR-US: Cisco CVE-2016-6406 (Cisco IronPort AsyncOS 9.1.2-023, 9.1.2-028, 9.1.2-036, 9.7.2-046, 9.7 ...) NOT-FOR-US: Cisco CVE-2016-6405 (Cisco Fog Director 1.0(0) for IOx allows remote authenticated users to ...) NOT-FOR-US: Cisco CVE-2016-6404 (Cross-site scripting (XSS) vulnerability in the web framework in Cisco ...) NOT-FOR-US: Cisco CVE-2016-6403 (The Data in Motion (DMo) application in Cisco IOS 15.6(1)T and IOS XE, ...) NOT-FOR-US: Cisco CVE-2016-6402 (UCS Manager and UCS 6200 Fabric Interconnects in Cisco Unified Computi ...) NOT-FOR-US: Cisco CVE-2016-6401 (Cisco Carrier Routing System (CRS) 5.1 and 5.1.4, as used in CRS Carri ...) NOT-FOR-US: Cisco CVE-2016-6400 RESERVED CVE-2016-6399 (Cisco ACE30 Application Control Engine Module through A5 3.3 and ACE 4 ...) NOT-FOR-US: Cisco CVE-2016-6398 (The PPTP server in Cisco IOS 15.5(3)M does not properly initialize pac ...) NOT-FOR-US: Cisco CVE-2016-6397 (A vulnerability in the interdevice communications interface of the Cis ...) NOT-FOR-US: Cisco CVE-2016-6396 (Cisco Firepower Management Center before 6.1 and FireSIGHT System Soft ...) NOT-FOR-US: Cisco CVE-2016-6395 (Cross-site scripting (XSS) vulnerability in the web-based management i ...) NOT-FOR-US: Cisco CVE-2016-6394 (Session fixation vulnerability in Cisco Firepower Management Center an ...) NOT-FOR-US: Cisco CVE-2016-6393 (The AAA service in Cisco IOS 12.0 through 12.4 and 15.0 through 15.6 a ...) NOT-FOR-US: Cisco CVE-2016-6392 (Cisco IOS 12.2 and 15.0 through 15.3 and IOS XE 3.1 through 3.9 allow ...) NOT-FOR-US: Cisco CVE-2016-6391 (Cisco IOS 12.2 and 15.0 through 15.3 allows remote attackers to cause ...) NOT-FOR-US: Cisco CVE-2016-6390 REJECTED CVE-2016-6389 REJECTED CVE-2016-6388 REJECTED CVE-2016-6387 REJECTED CVE-2016-6386 (Cisco IOS XE 3.1 through 3.17 and 16.1 on 64-bit platforms allows remo ...) NOT-FOR-US: Cisco CVE-2016-6385 (Memory leak in the Smart Install client implementation in Cisco IOS 12 ...) NOT-FOR-US: Cisco CVE-2016-6384 (Cisco IOS 12.2 through 12.4 and 15.0 through 15.6 and IOS XE 3.1 throu ...) NOT-FOR-US: Cisco CVE-2016-6383 REJECTED CVE-2016-6382 (Cisco IOS 15.2 through 15.6 and IOS XE 3.6 through 3.17 and 16.1 allow ...) NOT-FOR-US: Cisco CVE-2016-6381 (Cisco IOS 12.4 and 15.0 through 15.6 and IOS XE 3.1 through 3.18 and 1 ...) NOT-FOR-US: Cisco CVE-2016-6380 (The DNS forwarder in Cisco IOS 12.0 through 12.4 and 15.0 through 15.6 ...) NOT-FOR-US: Cisco CVE-2016-6379 (Cisco IOS 12.2 and IOS XE 3.14 through 3.16 and 16.1 allow remote atta ...) NOT-FOR-US: Cisco CVE-2016-6378 (Cisco IOS XE 3.1 through 3.17 and 16.1 through 16.2 allows remote atta ...) NOT-FOR-US: Cisco CVE-2016-6377 (Media Origination System Suite Software 2.6 and earlier in Cisco Virtu ...) NOT-FOR-US: Cisco CVE-2016-6376 (The Adaptive Wireless Intrusion Prevention System (wIPS) feature on Ci ...) NOT-FOR-US: Cisco CVE-2016-6375 (Cisco Wireless LAN Controller (WLC) devices before 8.0.140.0, 8.1.x an ...) NOT-FOR-US: Cisco CVE-2016-6374 (Cisco Cloud Services Platform (CSP) 2100 2.0 allows remote attackers t ...) NOT-FOR-US: Cisco Cloud Services Platform 2100 CVE-2016-6373 (The web-based GUI in Cisco Cloud Services Platform (CSP) 2100 2.0 allo ...) NOT-FOR-US: Cisco Cloud Services Platform 2100 CVE-2016-6372 (A vulnerability in the email message and content filtering for malform ...) NOT-FOR-US: Cisco CVE-2016-6371 (Directory traversal vulnerability in the web interface in Cisco Hosted ...) NOT-FOR-US: Cisco CVE-2016-6370 (Directory traversal vulnerability in the web interface in Cisco Hosted ...) NOT-FOR-US: Cisco CVE-2016-6369 (Cisco AnyConnect Secure Mobility Client before 4.2.05015 and 4.3.x bef ...) NOT-FOR-US: Cisco CVE-2016-6368 (A vulnerability in the detection engine parsing of Pragmatic General M ...) NOT-FOR-US: Cisco CVE-2016-6367 (Cisco Adaptive Security Appliance (ASA) Software before 8.4(1) on ASA ...) NOT-FOR-US: Cisco CVE-2016-6366 (Buffer overflow in Cisco Adaptive Security Appliance (ASA) Software th ...) NOT-FOR-US: Cisco CVE-2016-6365 (Cross-site scripting (XSS) vulnerability in Cisco Firepower Management ...) NOT-FOR-US: Cisco CVE-2016-6364 (The User Data Services (UDS) API implementation in Cisco Unified Commu ...) NOT-FOR-US: Cisco CVE-2016-6363 (The rate-limit feature in the 802.11 protocol implementation on Cisco ...) NOT-FOR-US: Cisco CVE-2016-6362 (Cisco Aironet 1800, 2800, and 3800 devices with software before 8.2.11 ...) NOT-FOR-US: Cisco CVE-2016-6361 (The Aggregated MAC Protocol Data Unit (AMPDU) implementation on Cisco ...) NOT-FOR-US: Cisco CVE-2016-6360 (A vulnerability in Advanced Malware Protection (AMP) for Cisco Email S ...) NOT-FOR-US: Cisco CVE-2016-6359 (Cross-site scripting (XSS) vulnerability in Cisco Transport Gateway In ...) NOT-FOR-US: Cisco CVE-2016-6358 (A vulnerability in local FTP to the Cisco Email Security Appliance (ES ...) NOT-FOR-US: Cisco CVE-2016-6357 (A vulnerability in the configured security policies, including drop em ...) NOT-FOR-US: Cisco CVE-2016-6356 (A vulnerability in the email message filtering feature of Cisco AsyncO ...) NOT-FOR-US: Cisco CVE-2016-6355 (Memory leak in Cisco IOS XR 5.1.x through 5.1.3, 5.2.x through 5.2.5, ...) NOT-FOR-US: Cisco CVE-2016-6353 (Cloudera Search in CDH before 5.7.0 allows unauthorized document acces ...) NOT-FOR-US: Cloudera CVE-2016-6348 (JacksonJsonpInterceptor in RESTEasy might allow remote attackers to co ...) - resteasy (low; bug #837170) [jessie] - resteasy (Minor issue) - resteasy3.0 CVE-2016-6347 (Cross-site scripting (XSS) vulnerability in the default exception hand ...) - resteasy (low; bug #837170) [jessie] - resteasy (Minor issue) - resteasy3.0 CVE-2016-6346 (RESTEasy enables GZIPInterceptor, which allows remote attackers to cau ...) - resteasy (low; bug #837170) [jessie] - resteasy (Minor issue) - resteasy3.0 CVE-2016-6345 (RESTEasy allows remote authenticated users to obtain sensitive informa ...) - resteasy (low; bug #837170) [jessie] - resteasy (Minor issue) - resteasy3.0 CVE-2016-6344 (Red Hat JBoss BPM Suite 6.3.x does not include the HTTPOnly flag in a ...) NOT-FOR-US: Red Hat JBoss bpm Suite CVE-2016-6343 (JBoss BPM Suite 6 is vulnerable to a reflected XSS via dashbuilder. Re ...) NOT-FOR-US: JBoss BPMS CVE-2016-6342 (elog 3.1.1 allows remote attackers to post data as any username in the ...) - elog 3.1.2-1-1 (bug #836505) [jessie] - elog 2.9.2+2014.05.11git44800a7-2+deb8u1 NOTE: https://bitbucket.org/ritt/elog/commits/2f6a300572bd6048351af8c45394ae62230c83d9 NOTE: https://bitbucket.org/ritt/elog/commits/9ca611aca2b1860efac15f806bf907cc2e6f870a/ CVE-2016-6341 (oVirt Engine before 4.0.3 does not include DWH_DB_PASSWORD in the list ...) NOT-FOR-US: ovirt-engine CVE-2016-6340 (The kickstart file in Red Hat QuickStart Cloud Installer (QCI) forces ...) NOT-FOR-US: Red Hat QCI CVE-2016-6339 REJECTED CVE-2016-6338 (ovirt-engine-webadmin, as used in Red Hat Enterprise Virtualization Ma ...) NOT-FOR-US: ovirt-engine CVE-2016-6337 (MediaWiki 1.27.x before 1.27.1 might allow remote attackers to bypass ...) - mediawiki 1:1.27.1-1 [wheezy] - mediawiki (not supported in Wheezy LTS) NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2016-August/086342.html CVE-2016-6336 (MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27 ...) - mediawiki 1:1.27.1-1 [wheezy] - mediawiki (not supported in Wheezy LTS) NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2016-August/086342.html CVE-2016-6335 (MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27 ...) - mediawiki 1:1.27.1-1 [wheezy] - mediawiki (not supported in Wheezy LTS) NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2016-August/086342.html CVE-2016-6334 (Cross-site scripting (XSS) vulnerability in the Parser::replaceInterna ...) [wheezy] - mediawiki (not supported in Wheezy LTS) - mediawiki 1:1.27.1-1 NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2016-August/086342.html CVE-2016-6333 (Cross-site scripting (XSS) vulnerability in the CSS user subpage previ ...) [wheezy] - mediawiki (not supported in Wheezy LTS) - mediawiki 1:1.27.1-1 NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2016-August/086342.html CVE-2016-6332 (MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27 ...) [wheezy] - mediawiki (not supported in Wheezy LTS) - mediawiki 1:1.27.1-1 NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2016-August/086342.html CVE-2016-6331 (ApiParse in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x ...) - mediawiki 1:1.27.1-1 [wheezy] - mediawiki (not supported in Wheezy LTS) NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2016-August/086342.html CVE-2016-6330 (The server in Red Hat JBoss Operations Network (JON), when SSL authent ...) NOT-FOR-US: Red Hat / JBoss Operations Network server CVE-2016-6329 (OpenVPN, when using a 64-bit block cipher, makes it easier for remote ...) - openvpn (unimportant) NOTE: https://community.openvpn.net/openvpn/wiki/SWEET32 NOTE: This is a generic cryptographic weakness, not a vulnerability in OpenVPN per se CVE-2016-6328 (A vulnerability was found in libexif. An integer overflow when parsing ...) {DLA-2214-1} - libexif 0.6.21-2.1 (bug #873022) [stretch] - libexif (Minor issue) [wheezy] - libexif (Minor issue) NOTE: http://libexif.cvs.sourceforge.net/viewvc/libexif/libexif/libexif/pentax/mnote-pentax-entry.c?r1=1.26&r2=1.27 CVE-2016-6327 (drivers/infiniband/ulp/srpt/ib_srpt.c in the Linux kernel before 4.5.1 ...) - linux 4.6.1-1 [jessie] - linux 3.16.36-1 [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/51093254bf879bc9ce96590400a87897c7498463 (4.6-rc1) NOTE: Introduced by: https://git.kernel.org/linus/3e4f574857eebce60bb56d7524f3f9eaa2a126d0 (v3.8-rc1) CVE-2016-6326 RESERVED CVE-2016-6325 (The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBo ...) - tomcat8 (Red Hat and derivatives packaging specific) - tomcat7 (Red Hat and derivatives packaging specific) - tomcat6 (Red Hat and derivatives packaging specific) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1367447 CVE-2016-6324 RESERVED CVE-2016-6323 (The makecontext function in the GNU C Library (aka glibc or libc6) bef ...) - glibc 2.24-1 (bug #834752) [jessie] - glibc 2.19-18+deb8u6 - eglibc [wheezy] - eglibc (Vulnerable code not present) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20435 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9e2ff6c9cc54c0b4402b8d49e4abe7000fde7617 CVE-2016-6322 (Red Hat QuickStart Cloud Installer (QCI) uses world-readable permissio ...) NOT-FOR-US: ovirt-engine CVE-2016-6321 (Directory traversal vulnerability in the safer_name_suffix function in ...) {DSA-3702-1 DLA-690-1} - tar 1.29b-1.1 (bug #842339) NOTE: https://sintonen.fi/advisories/tar-extract-pathname-bypass.txt NOTE: POC in https://sintonen.fi/advisories/tar-poc.tar (etc/shadow should not be extracted when asking for etc/motd) NOTE: Proposed patch by Antoine Beaupre: https://lists.debian.org/debian-lts/2016/10/msg00206.html NOTE: Proposed patch upstream: http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f67165d CVE-2016-6320 (Cross-site scripting (XSS) vulnerability in app/assets/javascripts/hos ...) - foreman (bug #663101) CVE-2016-6319 (Cross-site scripting (XSS) vulnerability in app/helpers/form_helper.rb ...) - foreman (bug #663101) CVE-2016-6318 (Stack-based buffer overflow in the FascistGecosUser function in lib/fa ...) {DLA-2220-1 DLA-599-1} - cracklib2 2.9.2-2 (bug #834502) NOTE: https://bugzilla.redhat.com/attachment.cgi?id=1188599 NOTE: In Debian compiled with CPPFLAGS="-D_FORTIFY_SOURCE=2" so, at most application crash CVE-2016-6317 (Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly ...) - rails 2:4.2.7.1-1 (bug #834154) [jessie] - rails (Vulnerable code not present, introduced in 4.2) [wheezy] - rails (Vulnerable code not present, is only a transitional package and introduced in 4.2 anyway) CVE-2016-6316 (Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rai ...) {DSA-3651-1 DLA-604-1} - rails 2:4.2.7.1-1 (low; bug #834155) [wheezy] - rails (Vulnerable code not present, is only a transitional package) - ruby-actionpack-3.2 NOTE: https://github.com/rails/rails/commit/4bcccf5ecd81a6272479537911b7d9760c5be164 CVE-2016-6315 RESERVED CVE-2016-6314 RESERVED CVE-2016-6313 (The mixing functions in the random number generator in Libgcrypt befor ...) {DSA-3650-1 DSA-3649-1 DLA-602-1 DLA-600-1} - gnupg2 (Uses system libgcrypt) - gnupg1 1.4.21-1 (bug #834894) - gnupg (bug #834893) NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=e23eec8c9a602eee0a09851a54db0f5d611f125c NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=c6dbfe89903d0c8191cf50ecf1abb3c8458b427a - libgcrypt20 1.7.3-1 NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=2f62103b4bb6d6f9ce806e01afb7fdc58aa33513 (1.7) NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=8dd45ad957b54b939c288a68720137386c7f6501 (1.7) NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=190b0429b70eb4a3573377e95755d9cc13c38461 (1.6) NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=c748f87436d693f092a4484571a3cc7f650b5c81 (1.6) - libgcrypt11 NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=98980e2fd29ad62903c78fa6521489fce651cdda NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=6199cd963d1fba86e0b7b9e2de4b6c00b945193a NOTE: https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html CVE-2016-6312 (The mod_dontdothat component of the mod_dav_svn Apache module in Subve ...) - apr-util (RHEL-5.11 specific regression) CVE-2016-6311 (Get requests in JBoss Enterprise Application Platform (EAP) 7 disclose ...) NOT-FOR-US: WildFly / Red Hat JBoss EAP CVE-2016-6310 (oVirt Engine discloses the ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD in /v ...) NOT-FOR-US: ovirt-engine CVE-2016-6309 (statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movem ...) [experimental] - openssl 1.1.0b-1 - openssl (Only affects 1.1) NOTE: https://www.openssl.org/news/secadv/20160926.txt CVE-2016-6308 (statem/statem_dtls.c in the DTLS implementation in OpenSSL 1.1.0 befor ...) [experimental] - openssl 1.1.0a-1 - openssl (Only affects 1.1) NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=48c054fec3506417b2598837b8062aae7114c200 NOTE: https://www.openssl.org/news/secadv/20160922.txt CVE-2016-6307 (The state-machine implementation in OpenSSL 1.1.0 before 1.1.0a alloca ...) [experimental] - openssl 1.1.0a-1 - openssl (Only affects 1.1) NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=c1ef7c971d0bbf117c3c80f65b5875e2e7b024b1 NOTE: https://www.openssl.org/news/secadv/20160922.txt CVE-2016-6306 (The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2 ...) {DSA-3673-1 DLA-637-1} - openssl 1.0.2i-1 NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=ff553f837172ecb2b5c8eca257ec3c5619a4b299 NOTE: https://www.openssl.org/news/secadv/20160922.txt NOTE: Fixed in 1.0.2i, 1.0.1u CVE-2016-6305 (The ssl3_read_bytes function in record/rec_layer_s3.c in OpenSSL 1.1.0 ...) [experimental] - openssl 1.1.0a-1 - openssl (Only affects 1.1) NOTE: https://www.openssl.org/news/secadv/20160922.txt NOTE: Fixed in 1.1.0a CVE-2016-6304 (Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 befo ...) {DSA-3673-1 DLA-637-1} [experimental] - openssl 1.1.0a-1 - openssl 1.0.2i-1 NOTE: https://www.openssl.org/news/secadv/20160922.txt NOTE: Fixed in 1.1.0a, 1.0.2i, 1.0.1u CVE-2016-6303 (Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c ...) {DSA-3673-1 DLA-637-1} - openssl 1.0.2i-1 NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=55d83bf7c10c7b205fffa23fa7c3977491e56c07 NOTE: https://www.openssl.org/news/secadv/20160922.txt NOTE: Fixed in 1.0.2i, 1.0.1u CVE-2016-6302 (The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1. ...) {DSA-3673-1 DLA-637-1} - openssl 1.0.2i-1 NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=e97763c92c655dcf4af2860b3abd2bc4c8a267f9 NOTE: https://www.openssl.org/news/secadv/20160922.txt NOTE: Fixed in 1.0.2i, 1.0.1u CVE-2016-6301 (The recv_and_process_client_pkt function in networking/ntpd.c in busyb ...) - busybox 1:1.27.2-1 (unimportant; bug #833442) NOTE: NTP server not enabled by default in debian/config/pkg/* via CONFIG_NTPD NOTE: Fixed by: https://git.busybox.net/busybox/commit/?id=150dc7a2b483b8338a3e185c478b4b23ee884e71 CVE-2016-6300 REJECTED CVE-2016-6299 (The scm plug-in in mock might allow attackers to bypass the intended c ...) - mock 1.3.2-1 (bug #850320) [jessie] - mock (Parsing is done before, after temporarily dropping super-user privileges at startup) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1375490 NOTE: https://github.com/rpm-software-management/mock/commit/8b02f43beadacf6911200b48d94e39e891a41da9 (mock-1.2.21) CVE-2016-6298 (The _Rsa15 class in the RSA 1.5 algorithm implementation in jwa.py in ...) - python-jwcrypto 0.3.2-1 NOTE: https://github.com/latchset/jwcrypto/issues/65 NOTE: https://github.com/latchset/jwcrypto/pull/66 NOTE: https://github.com/latchset/jwcrypto/commit/eb5be5bd94c8cae1d7f3ba9801377084d8e5a7ba NOTE: Code moved around in git, for 0.3.2 it is in jwe.py CVE-2016-6354 (Heap-based buffer overflow in the yy_get_next_buffer function in Flex ...) {DSA-3653-2 DSA-3653-1} - flex 2.6.1-1 (bug #832768) [wheezy] - flex (Issue introduced with 2.5.36) NOTE: Intorduced by: https://github.com/westes/flex/commit/9ba3187a537d6a58d345f2874d06087fd4050399 (flex-2-5-36) NOTE: Fixed by: https://github.com/westes/flex/commit/a5cbe929ac3255d371e698f62dc256afe7006466 (v2.6.1) CVE-2016-6351 (The esp_do_dma function in hw/scsi/esp.c in QEMU (aka Quick Emulator), ...) {DLA-1599-1 DLA-574-1 DLA-573-1} - qemu 1:2.6+dfsg-3.1 (bug #832621) - qemu-kvm NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=926cde5f3e4d2504ed161ed0cb771ac7cad6fd11 (v2.7.0-rc0) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=cc96677469388bad3d66479379735cf75db069e3 (v2.7.0-rc0) NOTE: http://www.openwall.com/lists/oss-security/2016/07/25/14 NOTE: According to maintainer the fix relies on the fix for CVE-2016-4439 CVE-2016-6350 (OpenBSD 5.8 and 5.9 allows local users to cause a denial of service (N ...) NOT-FOR-US: OpenBSD CVE-2016-6349 (The machinectl command in oci-register-machine allows local users to l ...) NOT-FOR-US: oci-register-machine NOTE: http://www.openwall.com/lists/oss-security/2016/07/26/5 NOTE: Requirement is that docker containers would register themselves to NOTE: to systemd-machined by oci-register-machine (not packaged in Debian, NOTE: and https://github.com/projectatomic/docker/commit/a307e90141ba31b378bc31bb7720ed141f47cd9b NOTE: not applied to docker.io). NOTE: https://github.com/systemd/systemd/issues/3815 NOTE: The problem as well only arises with docker fork in RedHat, not with upstream docker NOTE: https://github.com/projectatomic/oci-register-machine/pull/22 CVE-2016-6287 (The "http-client" egg always used a HTTP_PROXY environment variable to ...) NOT-FOR-US: Addons for Chicken CVE-2016-6286 (The "spiffy-cgi-handlers" egg would convert a nonexistent "Proxy" head ...) NOT-FOR-US: Addons for Chicken CVE-2016-6285 (Cross-site scripting (XSS) vulnerability in includes/decorators/global ...) NOT-FOR-US: Atlassian JIRA CVE-2016-6284 RESERVED CVE-2016-6283 (Cross-site scripting (XSS) vulnerability in Atlassian Confluence befor ...) NOT-FOR-US: Atlassian Confluence CVE-2016-6282 RESERVED CVE-2016-6281 RESERVED CVE-2016-6280 RESERVED CVE-2016-6279 RESERVED CVE-2016-6278 RESERVED CVE-2016-6277 (NETGEAR R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 b ...) NOT-FOR-US: Netgear routers CVE-2016-6276 (Citrix Linux Virtual Delivery Agent (aka VDA, formerly Linux Virtual D ...) NOT-FOR-US: Citrix CVE-2016-6275 RESERVED CVE-2016-6274 RESERVED CVE-2016-6273 (The lmadmin component in Flexera FlexNet Publisher (aka Flex License M ...) NOT-FOR-US: Flexera CVE-2016-6272 (XPath injection vulnerability in Epic MyChart allows remote attackers ...) NOT-FOR-US: EPIC MyChart CVE-2016-6297 (Integer overflow in the php_stream_zip_opener function in ext/zip/zip_ ...) {DSA-3631-1 DLA-628-1} - php7.0 7.0.9-1 - php5 5.6.24+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/72520 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=81406c0c1d45f75fcc7972ed974d2597abb0b9e9 NOTE: Fixed in 7.0.9, 5.6.24, 5.5.38 CVE-2016-6296 (Integer signedness error in the simplestring_addn function in simplest ...) {DSA-3631-1 DLA-2011-1 DLA-628-1 DLA-569-1} - php7.0 7.0.9-1 - php5 5.6.24+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/72606 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=e6c48213c22ed50b2b987b479fcc1ac709394caa NOTE: Fixed in 7.0.9, 5.6.24, 5.5.38 - xmlrpc-epi 0.54.2-1.2 (bug #832959) NOTE: In stretch/sid php7.0 is using the system library not the embedded one. CVE-2016-6295 (ext/snmp/snmp.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x bef ...) {DSA-3631-1 DLA-628-1} - php7.0 7.0.9-1 - php5 5.6.24+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/72479 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=cab1c3b3708eead315e033359d07049b23b147a3 NOTE: Fixed in 7.0.9, 5.6.24, 5.5.38 CVE-2016-6294 (The locale_accept_from_http function in ext/intl/locale/locale_methods ...) {DSA-3631-1 DLA-628-1} - php7.0 7.0.9-1 - php5 5.6.24+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/72533 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=aa82e99ed8003c01f1ef4f0940e56b85c5b032d4 NOTE: Fixed in 7.0.9, 5.6.24, 5.5.38 CVE-2016-6293 (The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in Interna ...) {DSA-3725-1 DLA-615-1} - icu 57.1-4 NOTE: http://bugs.icu-project.org/trac/changeset/39109 NOTE: http://bugs.icu-project.org/trac/ticket/12652 NOTE: And possibly needs some more follow-up fixes, cf. with upstream changes NOTE: around/later than changeset 39109. CVE-2016-6292 (The exif_process_user_comment function in ext/exif/exif.c in PHP befor ...) {DSA-3631-1 DLA-628-1} - php7.0 7.0.9-1 - php5 5.6.24+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/72618 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=41131cd41d2fd2e0c2f332a27988df75659c42e4 NOTE: Fixed in 7.0.9, 5.6.24, 5.5.38 CVE-2016-6291 (The exif_process_IFD_in_MAKERNOTE function in ext/exif/exif.c in PHP b ...) {DSA-3631-1 DLA-628-1} - php7.0 7.0.9-1 - php5 5.6.24+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/72603 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=eebcbd5de38a0f1c2876035402cb770e37476519 NOTE: Fixed in 7.0.9, 5.6.24, 5.5.38 CVE-2016-6290 (ext/session/session.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7 ...) {DSA-3631-1 DLA-628-1} - php7.0 7.0.9-1 - php5 5.6.24+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/72562 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=3798eb6fd5dddb211b01d41495072fd9858d4e32 NOTE: Fixed in 7.0.9, 5.6.24, 5.5.38 CVE-2016-6289 (Integer overflow in the virtual_file_ex function in TSRM/tsrm_virtual_ ...) {DSA-3631-1 DLA-628-1} - php7.0 7.0.9-1 - php5 5.6.24+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/72513 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=0218acb7e756a469099c4ccfb22bce6c2bd1ef87 NOTE: Fixed in 7.0.9, 5.6.24, 5.5.38 CVE-2016-6271 (The Bzrtp library (aka libbzrtp) 1.0.x before 1.0.4 allows man-in-the- ...) - bzrtp 1.0.2-1.2 (bug #859277) NOTE: Fixed by: https://github.com/BelledonneCommunications/bzrtp/commit/bbb1e6e2f467ee4bd7b9a8c800e4f07343d7d99b CVE-2016-6270 (The handle_certificate function in /vmi/manager/engine/management/comm ...) NOT-FOR-US: Trend Micro CVE-2016-6269 (Multiple directory traversal vulnerabilities in Trend Micro Smart Prot ...) NOT-FOR-US: Trend Micro CVE-2016-6268 (Trend Micro Smart Protection Server 2.5 before build 2200, 2.6 before ...) NOT-FOR-US: Trend Micro CVE-2016-6267 (SnmpUtils in Trend Micro Smart Protection Server 2.5 before build 2200 ...) NOT-FOR-US: Trend Micro CVE-2016-6266 (ccca_ajaxhandler.php in Trend Micro Smart Protection Server 2.5 before ...) NOT-FOR-US: Trend Micro CVE-2016-6260 RESERVED CVE-2016-6259 (Xen 4.5.x through 4.7.x do not implement Supervisor Mode Access Preven ...) - xen 4.8.0~rc3-1 [jessie] - xen (Only affects 4.5 and later) [wheezy] - xen (Only affects 4.5 and later) NOTE: http://xenbits.xen.org/xsa/advisory-183.html CVE-2016-6258 (The PV pagetable code in arch/x86/mm.c in Xen 4.7.x and earlier allows ...) {DSA-3633-1 DLA-571-1} - xen 4.8.0~rc3-1 NOTE: http://xenbits.xen.org/xsa/advisory-182.html CVE-2016-6257 (The firmware in Lenovo Ultraslim dongles, as used with Lenovo Liteon S ...) NOT-FOR-US: Lenovo CVE-2016-6256 (SAP Business One for Android 1.2.3 allows remote attackers to conduct ...) NOT-FOR-US: SAP CVE-2016-6254 (Heap-based buffer overflow in the parse_packet function in network.c i ...) {DSA-3636-1 DLA-575-1} - collectd 5.5.2-1 (bug #832507) NOTE: https://github.com/collectd/collectd/commit/b589096f907052b3a4da2b9ccc9b0e2e888dfc18 NOTE: https://github.com/collectd/collectd/commit/8b4fed9940e02138b7e273e56863df03d1a39ef7 CVE-2016-6253 (mail.local in NetBSD versions 6.0 through 6.0.6, 6.1 through 6.1.5, an ...) NOT-FOR-US: mail.local in NetBSD CVE-2016-1000218 (Kibana Reporting plugin version 2.4.0 is vulnerable to a CSRF vulnerab ...) - kibana (bug #700337) CVE-2016-1000212 [Mitigation for HTTPoxy vulnerability] {DSA-3642-1 DLA-583-1} - lighttpd 1.4.43-1 (bug #832571) NOTE: https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/779c133c16f9af168b004dce7a2a64f16c1cb3a4/diff NOTE: CVE assigned for the mitigation to identify the fix. But it is not a vulnerability in lighttpd itself. CVE-2016-1000211 RESERVED CVE-2016-1000210 RESERVED CVE-2016-1000209 RESERVED CVE-2016-1000208 RESERVED CVE-2016-1000207 RESERVED CVE-2016-1000206 RESERVED CVE-2016-1000205 RESERVED CVE-2016-1000204 RESERVED CVE-2016-1000203 RESERVED CVE-2016-1000202 RESERVED CVE-2016-1000201 RESERVED CVE-2016-1000200 RESERVED CVE-2016-1000199 RESERVED CVE-2016-1000198 RESERVED CVE-2016-1000197 RESERVED CVE-2016-1000196 RESERVED CVE-2016-1000195 RESERVED CVE-2016-1000194 RESERVED CVE-2016-1000193 RESERVED CVE-2016-1000192 RESERVED CVE-2016-1000191 RESERVED CVE-2016-1000190 RESERVED CVE-2016-1000189 RESERVED CVE-2016-1000188 RESERVED CVE-2016-1000187 RESERVED CVE-2016-1000186 RESERVED CVE-2016-1000185 RESERVED CVE-2016-1000184 RESERVED CVE-2016-1000183 RESERVED CVE-2016-1000182 RESERVED CVE-2016-1000181 RESERVED CVE-2016-1000180 RESERVED CVE-2016-1000179 RESERVED CVE-2016-1000178 RESERVED CVE-2016-1000177 RESERVED CVE-2016-1000176 RESERVED CVE-2016-1000175 RESERVED CVE-2016-1000174 RESERVED CVE-2016-1000173 RESERVED CVE-2016-1000172 RESERVED CVE-2016-1000171 RESERVED CVE-2016-1000170 RESERVED CVE-2016-1000169 RESERVED CVE-2016-1000168 RESERVED CVE-2016-1000167 RESERVED CVE-2016-1000166 RESERVED CVE-2016-1000165 RESERVED CVE-2016-1000164 RESERVED CVE-2016-1000163 RESERVED CVE-2016-1000162 RESERVED CVE-2016-1000161 RESERVED CVE-2016-1000160 RESERVED CVE-2016-1000159 RESERVED CVE-2016-1000158 RESERVED CVE-2016-1000157 RESERVED CVE-2016-1000156 (Mailcwp remote file upload vulnerability incomplete fix v1.100 ...) NOT-FOR-US: WordPress plugin mailcwp CVE-2016-1000155 (Reflected XSS in wordpress plugin wpsolr-search-engine v7.6 ...) NOT-FOR-US: Wordpress plugin wpsolr-search-engine CVE-2016-1000154 (Reflected XSS in wordpress plugin whizz v1.0.7 ...) NOT-FOR-US: Wordpress plugin whizz CVE-2016-1000153 (Reflected XSS in wordpress plugin tidio-gallery v1.1 ...) NOT-FOR-US: Wordpress plugin tidio-gallery CVE-2016-1000152 (Reflected XSS in wordpress plugin tidio-form v1.0 ...) NOT-FOR-US: Wordpress plugin tidio-form CVE-2016-1000151 (Reflected XSS in wordpress plugin tera-charts v1.0 ...) NOT-FOR-US: Wordpress plugin tera-charts CVE-2016-1000150 (Reflected XSS in wordpress plugin simplified-content v1.0.0 ...) NOT-FOR-US: Wordpress plugin simplified-content CVE-2016-1000149 (Reflected XSS in wordpress plugin simpel-reserveren v3.5.2 ...) NOT-FOR-US: Wordpress plugin simpel-reserveren CVE-2016-1000148 (Reflected XSS in wordpress plugin s3-video v0.983 ...) NOT-FOR-US: Wordpress plugin s3-video CVE-2016-1000147 (Reflected XSS in wordpress plugin recipes-writer v1.0.4 ...) NOT-FOR-US: Wordpress plugin recipes-writer CVE-2016-1000146 (Reflected XSS in wordpress plugin pondol-formmail v1.1 ...) NOT-FOR-US: Wordpress plugin pondol-formmail CVE-2016-1000145 (Reflected XSS in wordpress plugin pondol-carousel v1.0 ...) NOT-FOR-US: Wordpress plugin pondol-carousel CVE-2016-1000144 (Reflected XSS in wordpress plugin photoxhibit v2.1.8 ...) NOT-FOR-US: Wordpress plugin photoxhibit CVE-2016-1000143 (Reflected XSS in wordpress plugin photoxhibit v2.1.8 ...) NOT-FOR-US: Wordpress plugin photoxhibit CVE-2016-1000142 (Reflected XSS in wordpress plugin parsi-font v4.2.5 ...) NOT-FOR-US: Wordpress plugin parsi-font CVE-2016-1000141 (Reflected XSS in wordpress plugin page-layout-builder v1.9.3 ...) NOT-FOR-US: Wordpress plugin page-layout-builder CVE-2016-1000140 (Reflected XSS in wordpress plugin new-year-firework v1.1.9 ...) NOT-FOR-US: Wordpress plugin new-year-firework CVE-2016-1000139 (Reflected XSS in wordpress plugin infusionsoft v1.5.11 ...) NOT-FOR-US: Wordpress plugin infusionsoft CVE-2016-1000138 (Reflected XSS in wordpress plugin indexisto v1.0.5 ...) NOT-FOR-US: Wordpress plugin indexisto CVE-2016-1000137 (Reflected XSS in wordpress plugin hero-maps-pro v2.1.0 ...) NOT-FOR-US: Wordpress plugin hero-maps-pro CVE-2016-1000136 (Reflected XSS in wordpress plugin heat-trackr v1.0 ...) NOT-FOR-US: Wordpress plugin heat-trackr CVE-2016-1000135 (Reflected XSS in wordpress plugin hdw-tube v1.2 ...) NOT-FOR-US: Wordpress plugin hdw-tube CVE-2016-1000134 (Reflected XSS in wordpress plugin hdw-tube v1.2 ...) NOT-FOR-US: Wordpress plugin hdw-tube CVE-2016-1000133 (Reflected XSS in wordpress plugin forget-about-shortcode-buttons v1.1. ...) NOT-FOR-US: Wordpress plugin forget-about-shortcode-buttons CVE-2016-1000132 (Reflected XSS in wordpress plugin enhanced-tooltipglossary v3.2.8 ...) NOT-FOR-US: Wordpress plugin enhanced-tooltipglossary CVE-2016-1000131 (Reflected XSS in wordpress plugin e-search v1.0 ...) NOT-FOR-US: Wordpress plugin e-search CVE-2016-1000130 (Reflected XSS in wordpress plugin e-search v1.0 ...) NOT-FOR-US: Wordpress plugin e-search CVE-2016-1000129 (Reflected XSS in wordpress plugin defa-online-image-protector v3.3 ...) NOT-FOR-US: Wordpress plugin defa-online-image-protector CVE-2016-1000128 (Reflected XSS in wordpress plugin anti-plagiarism v3.60 ...) NOT-FOR-US: Wordpress plugin anti-plagiarism CVE-2016-1000127 (Reflected XSS in wordpress plugin ajax-random-post v2.00 ...) NOT-FOR-US: Wordpress plugin ajax-random-post CVE-2016-1000126 (Reflected XSS in wordpress plugin admin-font-editor v1.8 ...) NOT-FOR-US: Wordpress plugin admin-font-editor CVE-2016-1000125 (Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla ...) NOT-FOR-US: Joomla component Huge-IT Catalog CVE-2016-1000124 (Unauthenticated SQL Injection in Huge-IT Portfolio Gallery Plugin v1.0 ...) NOT-FOR-US: Joomla component Huge-IT Portfolio Gallery CVE-2016-1000123 (Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joom ...) NOT-FOR-US: Joomla component Huge-IT Video Gallery CVE-2016-1000122 (XSS and SQLi in Huge IT Joomla Slider v1.0.9 extension ...) NOT-FOR-US: Joomla extension Huge IT Joomla Slider CVE-2016-1000121 (XSS and SQLi in Huge IT Joomla Slider v1.0.9 extension ...) NOT-FOR-US: Joomla extension Huge IT Joomla Slider CVE-2016-1000120 (SQLi and XSS in Huge IT catalog extension v1.0.4 for Joomla ...) NOT-FOR-US: Joomla extension Huge IT catalog CVE-2016-1000119 (SQLi and XSS in Huge IT catalog extension v1.0.4 for Joomla ...) NOT-FOR-US: Joomla extension Huge IT catalog CVE-2016-1000118 (XSS & SQLi in HugeIT slideshow v1.0.4 ...) NOT-FOR-US: Joomla extension HugeIT slideshow CVE-2016-1000117 (XSS & SQLi in HugeIT slideshow v1.0.4 ...) NOT-FOR-US: Joomla extension HugeIT slideshow CVE-2016-1000116 (Huge-IT Portfolio Gallery manager v1.1.0 SQL Injection and XSS ...) NOT-FOR-US: Joomla extension Huge-IT Portfolio Gallery manager CVE-2016-1000115 (Huge-IT Portfolio Gallery manager v1.1.0 SQL Injection and XSS ...) NOT-FOR-US: Joomla extension Huge-IT Portfolio Gallery manager CVE-2016-1000114 (XSS in huge IT gallery v1.1.5 for Joomla ...) NOT-FOR-US: Joomla extension huge IT gallery CVE-2016-1000113 (XSS and SQLi in huge IT gallery v1.1.5 for Joomla ...) NOT-FOR-US: Joomla extension huge IT gallery CVE-2016-1000112 (Unauthenticated remote .jpg file upload in contus-video-comments v1.0 ...) NOT-FOR-US: WordPress plugin contus-video-comments CVE-2016-6265 (Use-after-free vulnerability in the pdf_load_xref function in pdf/pdf- ...) {DSA-3655-1} - mupdf 1.9a+ds1-1.1 (bug #832031) [wheezy] - mupdf (vulnerable code not present, no segfault) NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=696941 NOTE: Fixed by: http://git.ghostscript.com/?p=mupdf.git;h=fa1936405b6a84e5c9bb440912c23d532772f958 NOTE: Possibly introduced with: http://git.ghostscript.com/?p=mupdf.git;h=e767bd783d91ae88cd79da19e79afb2c36bcf32a (1.7-rc1) NOTE: Although the e767bd783d91ae88cd79da19e79afb2c36bcf32a introduced the solid xrefs, NOTE: that part of the code went trough several iterations before it settled down, and NOTE: thus the issue could possibly be presend already before. The code in 1.5-1 looks NOTE: quite similar, although the reproducer does not lead to a heap-use-after-free in NOTE: the 1.5-1 case. CVE-2016-6264 (Integer signedness error in libc/string/arm/memset.S in uClibc and uCl ...) {DLA-561-1} - uclibc-ng (bug #811275) - uclibc (unimportant) NOTE: Just for cross-compiling, not used for actual packages NOTE: http://repo.or.cz/uclibc-ng.git/commit/e3848e3dd64a8d6437531488fe341354bc02eaed NOTE: http://mailman.uclibc-ng.org/pipermail/devel/2016-July/001067.html NOTE: Fixed in 1.0.16 of uClibc-ng CVE-2016-6263 (The stringprep_utf8_nfkc_normalize function in lib/nfkc.c in libidn be ...) {DSA-3658-1 DLA-582-1} - libidn 1.33-1 NOTE: https://lists.gnu.org/archive/html/help-libidn/2016-07/msg00009.html NOTE: Test / Fix: http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=1fbee57ef3c72db2206dd87e4162108b2f425555 (libidn-1-33) NOTE: http://www.openwall.com/lists/oss-security/2016/07/20/6 CVE-2015-8949 (Use-after-free vulnerability in the my_login function in DBD::mysql be ...) {DSA-3635-1 DLA-576-1} - libdbd-mysql-perl 4.035-1 NOTE: https://github.com/perl5-dbi/DBD-mysql/pull/45 NOTE: https://github.com/perl5-dbi/DBD-mysql/commit/cf0aa7751f6ef8445e9310a64b14dc81460ca156 CVE-2015-8948 (idn in GNU libidn before 1.33 might allow remote attackers to obtain s ...) {DSA-3658-1 DLA-582-1} - libidn 1.33-1 NOTE: Fix: http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=570e68886c41c2e765e6218cb317d9a9a447a041 (libidn-1-33) NOTE: When fixing this issue, the followup fix http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=5e3cb9c7b5bf0ce665b9d68f5ddf095af5c9ba60 NOTE: is required to fix the problem. (Resultet in followup CVE, CVE-2016-6262 NOTE: if not applied completely). CVE-2016-6262 (idn in libidn before 1.33 might allow remote attackers to obtain sensi ...) - libidn (Incomplete fix for CVE-2015-8948 not applied) NOTE: Follow-up fix for CVE-2015-8948: http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=5e3cb9c7b5bf0ce665b9d68f5ddf095af5c9ba60 (libidn-1-33) NOTE: http://www.openwall.com/lists/oss-security/2016/07/20/6 CVE-2016-6261 (The idna_to_ascii_4i function in lib/idna.c in libidn before 1.33 allo ...) {DSA-3658-1 DLA-582-1} - libidn 1.33-1 NOTE: https://lists.gnu.org/archive/html/help-libidn/2016-07/msg00009.html NOTE: Test: http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=9a1a7e15d0706634971364493fbb06e77e74726c (libidn-1-33) NOTE: Fix: http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=f20ce1128fb7f4d33297eee307dddaf0f92ac72d (libidn-1-33) NOTE: Follow-up memory leak fix: http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=11abd0e02c16f9e0b6944aea4ef0f2df44b42dd4 (libidn-1-33) NOTE: http://www.openwall.com/lists/oss-security/2016/07/20/6 CVE-2016-6249 (F5 BIG-IP 12.0.0 and 11.5.0 - 11.6.1 REST requests which timeout durin ...) NOT-FOR-US: F5 CVE-2016-1000037 (Pagure: XSS possible in file attachment endpoint ...) - pagure (Fixed before initial upload to the archive) CVE-2016-1000030 (Pidgin version <2.11.0 contains a vulnerability in X.509 Certificat ...) - pidgin 2.11.0-1 (unimportant) [jessie] - pidgin 2.11.0-0+deb8u1 NOTE: http://www.pidgin.im/news/security/?id=91 NOTE: https://bitbucket.org/pidgin/main/commits/d6fc1ce76ffe NOTE: Furthermore pidgin in Debian is not compiled to use GnuTLS (--enable-gnutls=no) CVE-2016-XXXX [insecure default PATH] - dietlibc 0.34~cvs20160606-2 (bug #832169) [jessie] - dietlibc 0.33~cvs20120325-6+deb8u1 [wheezy] - dietlibc 0.33~cvs20120325-4+deb7u1 NOTE: Workaround entry for DLA-557-1 until CVE is assigned NOTE: Following reverse dependencies need to be recompiled: minit (wheezy, jessie), NOTE: util-vserver (jessie, sid), mksh (sid, experimental) NOTE: http://news.gmane.org/find-root.php?message_id=alpine.DEB.2.20.1607181048300.24083%40tglase.lan.tarent.de CVE-2016-6250 (Integer overflow in the ISO9660 writer in libarchive before 3.2.1 allo ...) {DSA-3677-1 DLA-554-1} - libarchive 3.2.1-1 (low) NOTE: https://github.com/libarchive/libarchive/issues/711 NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/3014e19820ea53c15c90f9d447ca3e668a0b76c6 (v3.2.1) NOTE: http://www.openwall.com/lists/oss-security/2016/07/20/1 CVE-2016-6252 (Integer overflow in shadow 4.2.1 allows local users to gain privileges ...) {DSA-3793-1} - shadow 1:4.4-1 (bug #832170) [wheezy] - shadow (Vulnerable code not present) NOTE: https://github.com/shadow-maint/shadow/issues/27 NOTE: Fixed by: https://github.com/shadow-maint/shadow/commit/1d5a926cc2d6078d23a96222b1ef3e558724dad1 (4.3.1) CVE-2016-6251 REJECTED CVE-2016-6248 RESERVED CVE-2016-1000029 (Tenable Nessus before 6.8 has a stored XSS issue that requires admin-l ...) NOT-FOR-US: Nessus CVE-2016-1000028 (Tenable Nessus before 6.8 has a stored XSS issue that requires admin-l ...) NOT-FOR-US: Nessus CVE-2016-6247 (OpenBSD 5.8 and 5.9 allows certain local users to cause a denial of se ...) NOT-FOR-US: OpenBSD kernel CVE-2016-6246 (OpenBSD 5.8 and 5.9 allows certain local users with kern.usermount pri ...) NOT-FOR-US: OpenBSD kernel CVE-2016-6245 (OpenBSD 5.8 and 5.9 allows local users to cause a denial of service (k ...) NOT-FOR-US: OpenBSD kernel CVE-2016-6244 (The sys_thrsigdivert function in kern/kern_sig.c in the OpenBSD kernel ...) NOT-FOR-US: OpenBSD kernel CVE-2016-6243 (thrsleep in kern/kern_synch.c in OpenBSD 5.8 and 5.9 allows local user ...) NOT-FOR-US: OpenBSD kernel CVE-2016-6242 (OpenBSD 5.8 and 5.9 allows local users to cause a denial of service (a ...) NOT-FOR-US: OpenBSD kernel CVE-2016-6241 (Integer overflow in the amap_alloc1 function in OpenBSD 5.8 and 5.9 al ...) NOT-FOR-US: OpenBSD kernel CVE-2016-6240 (Integer truncation error in the amap_alloc function in OpenBSD 5.8 and ...) NOT-FOR-US: OpenBSD kernel CVE-2016-6239 (The mmap extension __MAP_NOFAULT in OpenBSD 5.8 and 5.9 allows attacke ...) NOT-FOR-US: OpenBSD kernel CVE-2016-6238 (The write_ujpg function in lepton/jpgcoder.cc in Dropbox lepton 1.0 al ...) - lepton 1.2.1-1 (bug #831814) CVE-2016-6237 (The build_huffcodes function in lepton/jpgcoder.cc in Dropbox lepton 1 ...) - lepton 1.2.1-1 (bug #831814) CVE-2016-6236 (The setup_imginfo_jpg function in lepton/jpgcoder.cc in Dropbox lepton ...) - lepton 1.2.1-1 (bug #831814) CVE-2016-6235 (The setup_imginfo_jpg function in lepton/jpgcoder.cc in Dropbox lepton ...) - lepton 1.2.1-1 (bug #831814) CVE-2016-6234 (The process_file function in lepton/jpgcoder.cc in Dropbox lepton 1.0 ...) - lepton 1.2.1-1 (bug #831814) CVE-2016-6231 (Kaspersky Safe Browser iOS before 1.7.0 does not verify X.509 certific ...) NOT-FOR-US: Kaspersky CVE-2016-6230 RESERVED CVE-2016-6229 RESERVED CVE-2016-6228 RESERVED CVE-2016-6227 RESERVED CVE-2016-6226 RESERVED CVE-2016-6225 (xbcrypt in Percona XtraBackup before 2.3.6 and 2.4.x before 2.4.5 does ...) - percona-xtrabackup (bug #851244) [jessie] - percona-xtrabackup (Minor issue) NOTE: https://www.percona.com/blog/2017/01/12/cve-2016-6225-percona-xtrabackup-encryption-iv-not-set-properly NOTE: https://github.com/percona/percona-xtrabackup/pull/266 NOTE: https://github.com/percona/percona-xtrabackup/pull/267 CVE-2016-6222 RESERVED CVE-2016-6221 RESERVED CVE-2016-6220 (Information Disclosure vulnerability in the Dashboard and Error Pages ...) NOT-FOR-US: Trend Micro Control Manager CVE-2016-6219 RESERVED CVE-2016-6218 RESERVED CVE-2016-1000110 (The CGIHandler class in Python before 2.7.12 does not protect against ...) - python3.5 3.5.2-3 (unimportant) - python3.4 (unimportant) - python3.2 (unimportant) - python2.7 2.7.12-2 (unimportant) - python2.6 (unimportant) NOTE: https://bugs.python.org/issue27568 NOTE: https://github.com/python/cpython/commit/436fe5a447abb69e5e5a4f453325c422af02dcaa (3.4) NOTE: No part of Python does set HTTP_PROXY based on a Proxy: header, the Python bug NOTE: just provides a hardening to discard HTTP_PROXY if it thinks a Python script is NOTE: running as a CGI script CVE-2016-1000109 (HHVM does not attempt to address RFC 3875 section 4.1.18 namespace con ...) - hhvm 3.12.11+dfsg-1 (unimportant) CVE-2016-1000107 (inets in Erlang possibly 22.1 and earlier follows RFC 3875 section 4.1 ...) - erlang (unimportant) NOTE: https://bugs.erlang.org/browse/ERL-198 NOTE: No part of Erlang does set HTTP_PROXY based on a Proxy: header, just hardening CVE-2016-1000106 REJECTED CVE-2016-1000105 REJECTED CVE-2016-1000103 REJECTED CVE-2016-1000102 REJECTED CVE-2016-1000027 (Pivotal Spring Framework 4.1.4 suffers from a potential remote code ex ...) - libspring-java 4.2.7-1 (unimportant) NOTE: https://www.tenable.com/security/research/tra-2016-20 NOTE: This is not a vulnerability in Spring itself, just how applications are using it CVE-2016-6255 (Portable UPnP SDK (aka libupnp) before 1.6.21 allows remote attackers ...) {DSA-3736-1 DLA-597-1} - libupnp 1:1.6.19+git20160116-1.1 (bug #831857) NOTE: https://twitter.com/mjg59/status/755062278513319936 NOTE: Proposed fix: https://github.com/mjg59/pupnp-code/commit/be0a01bdb83395d9f3a5ea09c1308a4f1a972cbd NOTE: http://www.openwall.com/lists/oss-security/2016/07/18/13 CVE-2016-6233 (The (1) order and (2) group methods in Zend_Db_Select in the Zend Fram ...) - zendframework 1.12.19+dfsg-1 [jessie] - zendframework (introduced after 1.12.9) [wheezy] - zendframework (introduced after 1.12.9) NOTE: http://framework.zend.com/security/advisory/ZF2016-02 NOTE: https://github.com/zendframework/zf1/commit/bf3f40605be3d8f136a07ae991079a7dcb34d967 CVE-2016-6232 (Directory traversal vulnerability in KArchive before 5.24, as used in ...) {DSA-3643-1 DLA-570-1} - karchive 5.24.0-1 - kde4libs 4:4.14.22-2 (bug #832620) NOTE: The fix for 4:4.14.22-1 was incomplete, cf. NOTE: https://lists.debian.org/debian-lts/2016/07/msg00144.html NOTE: Fix: https://git.reviewboard.kde.org/r/128185/ CVE-2016-6217 (Cross-site scripting (XSS) vulnerability in Sophos PureMessage for UNI ...) NOT-FOR-US: Sophos CVE-2016-6216 RESERVED CVE-2016-6215 RESERVED CVE-2016-6212 (The Views module 7.x-3.x before 7.x-3.14 in Drupal 7.x and the Views m ...) - drupal8 (bug #756305) CVE-2016-6210 (sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user pa ...) {DSA-3626-1 DLA-578-1} - openssh 1:7.2p2-6 (bug #831902) NOTE: http://seclists.org/fulldisclosure/2016/Jul/51 NOTE: https://anongit.mindrot.org/openssh.git/commit/?id=9286875a73b2de7736b5e50692739d314cd8d9dc NOTE: https://anongit.mindrot.org/openssh.git/commit/?id=283b97ff33ea2c641161950849931bd578de6946 NOTE: Suggested to cherry-pick as well: https://anongit.mindrot.org/openssh.git/commit/?id=dbf788b4d9d9490a5fff08a7b09888272bb10fcc NOTE: otherwise the mitigiation isn't very effective for systems with a locked root account. CVE-2016-6208 RESERVED CVE-2016-6207 (Integer overflow in the _gdContributionsAlloc function in gd_interpola ...) {DSA-3630-1} - libgd2 2.2.2-43-g22cba39-1 [wheezy] - libgd2 (Vulnerable code not present) NOTE: https://github.com/libgd/libgd/commit/0dd40abd6d5b3e53a6b745dd4d6cf94b70010989 NOTE: https://github.com/libgd/libgd/commit/d325888a9fe3c9681e4a9aad576de2c5cd5df2ef NOTE: https://github.com/libgd/libgd/commit/ff9113c80a32205d45205d3ea30965b25480e0fb NOTE: https://github.com/libgd/libgd/commit/f60ec7a546499f9446063a4dbe755be9523d8232 NOTE: https://github.com/libgd/libgd/commit/7a28c235890c95e6010e7b0d0f7c7369367168ef - php7.0 7.0.9-1 (unimportant) - php5 5.6.24+dfsg-1 (unimportant) [jessie] - php5 5.6.24+dfsg-0+deb8u1 [wheezy] - php5 (Vulnerable code not present) NOTE: Fixed in 7.0.9, 5.6.24, 5.5.38 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=72558 NOTE: Starting with 5.4.0-1 Debian uses the system copy of libgd CVE-2016-6209 (Cross-site scripting (XSS) vulnerability in Nagios. ...) - nagios3 (bug #831698) [jessie] - nagios3 (Minor issue) [wheezy] - nagios3 (Minor issue) - icinga (Vulnerable code not present) NOTE: http://seclists.org/fulldisclosure/2016/Jun/20 NOTE: https://github.com/NagiosEnterprises/nagioscore/issues/297 NOTE: Fixed by https://github.com/NagiosEnterprises/nagioscore/commit/78b7bdde3ab4dec265879ff1b4d49a398bf3ba9c CVE-2016-6206 (Huawei AR3200 routers with software before V200R007C00SPC600 allow rem ...) NOT-FOR-US: Huawei CVE-2016-6205 RESERVED CVE-2016-6204 (Cross-site scripting (XSS) vulnerability in the integrated web server ...) NOT-FOR-US: Siemens CVE-2016-6203 RESERVED CVE-2016-6202 RESERVED CVE-2016-6201 (Cross-site scripting (XSS) vulnerability in Ektron Content Management ...) NOT-FOR-US: Ektron Content Management System CVE-2016-6200 RESERVED CVE-2016-6199 (ObjectSocketWrapper.java in Gradle 2.12 allows remote attackers to exe ...) - gradle 2.13-1 [jessie] - gradle (Minor issue) NOTE: Starting from 2.13-1 it uses commons-collections:commons-collections:3.2.2 NOTE: https://philwantsfish.github.io/security/java-deserialization-github NOTE: https://discuss.gradle.org/t/a-security-issue-about-gradle-rce/17726 NOTE: ObjectSocketWrapper only used by Gradle UI, which was removed in current releases (4.x) CVE-2016-6196 RESERVED CVE-2016-6195 (SQL injection vulnerability in forumrunner/includes/moderation.php in ...) NOT-FOR-US: vBulletin CVE-2016-6194 RESERVED CVE-2016-6193 (Buffer overflow in the Wi-Fi driver in Huawei P8 smartphones with soft ...) NOT-FOR-US: Huawei CVE-2016-6192 (Buffer overflow in the Wi-Fi driver in Huawei P8 smartphones with soft ...) NOT-FOR-US: Huawei CVE-2016-1000026 RESERVED CVE-2016-1000025 REJECTED CVE-2016-1000024 RESERVED CVE-2016-1000022 REJECTED CVE-2016-1000021 REJECTED CVE-2016-1000020 RESERVED CVE-2016-1000019 RESERVED CVE-2016-1000018 RESERVED CVE-2016-1000017 RESERVED CVE-2016-1000016 RESERVED CVE-2016-1000015 RESERVED CVE-2016-1000014 REJECTED CVE-2016-1000013 REJECTED CVE-2016-1000012 RESERVED CVE-2016-1000011 RESERVED CVE-2016-1000010 RESERVED CVE-2016-6905 (The read_image_tga function in gd_tga.c in the GD Graphics Library (ak ...) {DSA-3619-1} - libgd2 2.2.2-29-g3c2b605-1 [wheezy] - libgd2 (Vulnerable code not present) NOTE: https://github.com/libgd/libgd/issues/248 NOTE: https://github.com/libgd/libgd/pull/251 NOTE: https://github.com/libgd/libgd/commit/5a3f19e962b507560c9206965087db4dc0ad107f NOTE: Fixed by: https://github.com/libgd/libgd/commit/3c2b605d72e8b080dace1d98a6e50b46c1d12186 NOTE: followed by: https://github.com/libgd/libgd/commit/01c61f8ab110a77ae64b5ca67c244c728c506f03 NOTE: http://www.openwall.com/lists/oss-security/2016/07/12/4 CVE-2016-6352 (The OneLine32 function in io-ico.c in gdk-pixbuf before 2.35.3 allows ...) {DLA-2043-1} - gdk-pixbuf 2.35.4-1 (bug #832496) [wheezy] - gdk-pixbuf (Fails with ENOMEM, no crash) NOTE: http://www.openwall.com/lists/oss-security/2016/07/13/11 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=769170 NOTE: Fixed by: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=88af50a864195da1a4f7bda5f02539704fbda599 CVE-2016-6224 (ecryptfs-setup-swap in eCryptfs does not prevent the unencrypted swap ...) - ecryptfs-utils (Broken code not present; incomplete fix for CVE-2015-8946 not applied) NOTE: Actually due to an incomplete fix of LP#1447282 NOTE: https://launchpad.net/bugs/1597154 NOTE: https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/882 NOTE: http://www.openwall.com/lists/oss-security/2016/07/13/2 CVE-2015-8947 (hb-ot-layout-gpos-table.hh in HarfBuzz before 1.0.5 allows remote atta ...) {DLA-2040-1} - harfbuzz 1.2.6-1 NOTE: https://cgit.freedesktop.org/harfbuzz/commit/?id=f96664974774bfeb237a7274f512f64aaafb201e (1.0.5) CVE-2015-8946 (ecryptfs-setup-swap in eCryptfs before 111 does not prevent the unencr ...) - ecryptfs-utils 111-1 [jessie] - ecryptfs-utils (Minor issue) [wheezy] - ecryptfs-utils (Only happens if using systemd v207 onward) NOTE: https://launchpad.net/bugs/1447282 NOTE: Fixed by: https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/857 NOTE: http://www.openwall.com/lists/oss-security/2016/07/13/2 CVE-2016-6214 (gd_tga.c in the GD Graphics Library (aka libgd) before 2.2.3 allows re ...) {DSA-3619-1} - libgd2 2.2.2-29-g3c2b605-1 [wheezy] - libgd2 (Vulnerable code not present) NOTE: https://github.com/libgd/libgd/issues/247#issuecomment-232084241 NOTE: https://github.com/libgd/libgd/commit/10ef1dca63d62433fda13309b4a228782db823f7 NOTE: Different issue than CVE-2016-6132 NOTE: http://www.openwall.com/lists/oss-security/2016/07/13/5 CVE-2016-6223 (The TIFFReadRawStrip1 and TIFFReadRawTile1 functions in tif_read.c in ...) {DSA-3762-1 DLA-693-1 DLA-610-1} - tiff 4.0.6-2 (bug #842270) - tiff3 NOTE: http://www.openwall.com/lists/oss-security/2016/07/13/3 NOTE: Upstream patch: https://github.com/vadz/libtiff/commit/0ba5d8814a17a64bdb8d9035f4c533f3f3f4b496 CVE-2016-1000023 REJECTED CVE-2016-6213 (fs/namespace.c in the Linux kernel before 4.9 does not restrict how ma ...) - linux 4.8.11-1 [jessie] - linux 3.16.43-1 [wheezy] - linux (Only exploitable by privileged user; too many changes to backport) NOTE: https://lkml.org/lkml/2016/8/28/269 NOTE: Fixed by: https://git.kernel.org/linus/d29216842a85c7970c536108e093963f02714498 (v4.9-rc1) CVE-2016-6186 (Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedOb ...) {DSA-3622-1 DLA-555-1} - python-django 1:1.9.8-1 (bug #831799) NOTE: https://www.djangoproject.com/weblog/2016/jul/18/security-releases/ CVE-2016-1000009 (TP-LINK lost control of two domains, www.tplinklogin.net and tplinkext ...) NOT-FOR-US: TP-LINK CVE-2016-XXXX [Insecure use of /tmp] - leptonlib 1.73-5 (unimportant; bug #830660) NOTE: Neutralised by kernel hardening CVE-2016-6198 (The filesystem layer in the Linux kernel before 4.5.5 proceeds with po ...) - linux 4.5.5-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/54d5ca871e72f2bb172ec9323497f01cd5091ec7 (v4.6) NOTE: https://git.kernel.org/linus/9409e22acdfc9153f88d9b1ed2bd2a5b34d2d3ca (v4.6) CVE-2016-6197 (fs/overlayfs/dir.c in the OverlayFS filesystem implementation in the L ...) - linux 4.6.1-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/11f3710417d026ea2f4fcf362d866342c5274185 (v4.6-rc1) CVE-2016-6191 (Multiple cross-site scripting (XSS) vulnerabilities in the View Raw So ...) - sogo 3.2.4-0.2 [wheezy] - sogo (not supported in Wheezy LTS) NOTE: https://sogo.nu/bugs/view.php?id=3718 NOTE: http://github.com/inverse-inc/sogo/commit/64ce3c9c22fd9a28caabf11e76216cd53d0245aa (SOGo-3.1.3) CVE-2016-6190 (SOGo before 2.3.12 and 3.x before 3.1.1 does not restrict access to th ...) - sogo 3.2.4-0.2 [wheezy] - sogo (not supported in Wheezy LTS) NOTE: Fix SOGo v2: https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225 (SOGo-2.3.12) NOTE: Fix SOGo v3: https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d (SOGo-3.1.1) NOTE: https://sogo.nu/bugs/view.php?id=3696 CVE-2016-6189 (Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows ...) - sogo 3.2.4-0.2 [wheezy] - sogo (not supported in Wheezy LTS) NOTE: Fix SOGo v2: https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225 (SOGo-2.3.12) NOTE: Fix SOGo v3: https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d (SOGo-3.1.1) NOTE: https://sogo.nu/bugs/view.php?id=3695 CVE-2016-6188 (Memory leak in SOGo 2.3.7 allows remote attackers to cause a denial of ...) - sogo 3.2.4-0.2 [wheezy] - sogo (not supported in Wheezy LTS) NOTE: http://github.com/inverse-inc/sogo/commit/32bb1456e23a32c7f45079c3985bf732dd0d276d (SOGo-2.3.9) NOTE: https://sogo.nu/bugs/view.php?id=3510 CVE-2016-6187 (The apparmor_setprocattr function in security/apparmor/lsm.c in the Li ...) - linux 4.6.4-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Introduced by: https://git.kernel.org/linus/bb646cdb12e75d82258c2f2e7746d5952d3e321a (v4.5-rc1) NOTE: Fixed by: https://git.kernel.org/linus/30a46a4647fd1df9cf52e43bf467f0d9265096ca (v4.7-rc7) NOTE: http://www.openwall.com/lists/oss-security/2016/07/09/1 CVE-2016-XXXX [GNUTLS-SA-2016-2: certificate verification issue] - gnutls28 3.4.14-1 (unimportant) NOTE: http://gnutls.org/security.html#GNUTLS-SA-2016-2 NOTE: Unimportant since Debian's binary packages are not built NOTE: with --with-default-trust-store-pkcs11= CVE-2016-6184 (The Camera driver in Huawei Honor 4C smartphones with software CHM-UL0 ...) NOT-FOR-US: Huawei Honor CVE-2016-6183 (The Camera driver in Huawei Honor 4C smartphones with software CHM-UL0 ...) NOT-FOR-US: Huawei Honor CVE-2016-6182 (The Camera driver in Huawei Honor 4C smartphones with software CHM-UL0 ...) NOT-FOR-US: Huawei Honor CVE-2016-6181 (The Camera driver in Huawei Honor 4C smartphones with software CHM-UL0 ...) NOT-FOR-US: Huawei Honor CVE-2016-6180 (The Camera driver in Huawei Honor 4C smartphones with software CHM-UL0 ...) NOT-FOR-US: Huawei Honor CVE-2016-6179 (The WiFi driver in Huawei Honor 6 smartphones with software H60-L01 be ...) NOT-FOR-US: Huawei Honor CVE-2016-6178 (Huawei NE40E and CX600 devices with software before V800R007SPH017; PT ...) NOT-FOR-US: Huawei CVE-2016-6177 (The Huawei OceanStor 5800 V300R003C00 has an integer overflow vulnerab ...) NOT-FOR-US: Huawei CVE-2016-6176 RESERVED CVE-2016-6185 (The XSLoader::load method in XSLoader in Perl does not properly locate ...) {DSA-3628-1 DLA-565-1} - perl 5.22.2-2 (bug #829578) CVE-2016-6175 (Eval injection vulnerability in php-gettext 1.0.12 and earlier allows ...) - php-gettext (bug #851771) [buster] - php-gettext (Minor issue) [stretch] - php-gettext (Minor issue) [jessie] - php-gettext (Minor issue) [wheezy] - php-gettext (Minor issue) NOTE: https://bugs.launchpad.net/php-gettext/+bug/1606184 NOTE: https://kmkz-web-blog.blogspot.cz/2016/07/advisory-cve-2016-6175.html CVE-2016-6174 (applications/core/modules/front/system/content.php in Invision Power S ...) NOT-FOR-US: Inivision CVE-2016-6169 (Heap-based buffer overflow in Foxit Reader and PhantomPDF 7.3.4.311 an ...) NOT-FOR-US: Foxit Reader CVE-2016-6168 (Use-after-free vulnerability in Foxit Reader and PhantomPDF 7.3.4.311 ...) NOT-FOR-US: Foxit Reader CVE-2016-6167 (Multiple untrusted search path vulnerabilities in Putty beta 0.67 allo ...) - putty (Windows-specific) CVE-2016-6166 RESERVED CVE-2016-6165 RESERVED CVE-2016-6164 (Integer overflow in the mov_build_index function in libavformat/mov.c ...) - ffmpeg 7:3.1.1-1 NOTE: http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8a3221cc67a516dfc1700bdae3566ec52c7ee823 CVE-2016-1000101 REJECTED CVE-2016-1000100 REJECTED CVE-2016-1000008 RESERVED CVE-2016-1000006 (hhvm before 3.12.11 has a use-after-free in the serialize_memoize_para ...) - hhvm 3.12.11+dfsg-1 CVE-2016-1000005 (mcrypt_get_block_size did not enforce that the provided "module" param ...) - hhvm 3.12.11+dfsg-1 CVE-2016-1000004 (Insufficient type checks were employed prior to casting input data in ...) - hhvm 3.12.11+dfsg-1 CVE-2016-6173 (NSD before 4.1.11 allows remote DNS master servers to cause a denial o ...) - nsd 4.1.11-1 (unimportant; bug #830806) NOTE: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=790 NOTE: Not considered a security issue due to trust relationship, see #830806 CVE-2016-6172 (PowerDNS (aka pdns) Authoritative Server before 4.0.1 allows remote pr ...) {DSA-3664-1 DLA-627-1} - pdns 4.0.1-1 (bug #830808) NOTE: https://github.com/PowerDNS/pdns/issues/4128 NOTE: Master: https://github.com/PowerDNS/pdns/pull/4133 NOTE: 3.4.x: https://github.com/PowerDNS/pdns/pull/4134 CVE-2016-6171 (Knot DNS before 2.3.0 allows remote DNS servers to cause a denial of s ...) - knot 2.3.0-1 (bug #830809) [jessie] - knot (Minor issue) NOTE: https://gitlab.labs.nic.cz/labs/knot/merge_requests/541 NOTE: https://gitlab.labs.nic.cz/labs/knot/issues/464 CVE-2016-6170 (ISC BIND through 9.9.9-P1, 9.10.x through 9.10.4-P1, and 9.11.x throug ...) - bind9 1:9.10.6+dfsg-1 (unimportant; bug #830810) NOTE: Not fixed upstream, proposed patches below are unofficial: NOTE: Fixed by https://github.com/sischkg/xfer-limit/blob/master/bind-9.10.3-xfer-limit-0.0.1.patch NOTE: Fixed by https://github.com/sischkg/xfer-limit/blob/master/bind-9.9.9-P1-xfer-limit-0.0.1.patch NOTE: Negligible security impact CVE-2016-6163 (The rsvg_pattern_fix_fallback function in rsvg-paint_server.c in librs ...) - librsvg 2.40.9-2 [jessie] - librsvg (Minor issue) [wheezy] - librsvg (vulnerable code not present, no segfault) NOTE: Fixed by: https://git.gnome.org/browse/librsvg/commit/?id=0035e95118a60c0cd3949c2300472d805e16a022 (2.40.7) NOTE: Reproducer attached in http://seclists.org/oss-sec/2016/q3/7 CVE-2016-6162 (net/core/skbuff.c in the Linux kernel 4.7-rc6 allows local users to ca ...) - linux (Vulnerable code introduced in 4.7-rc1) CVE-2016-6161 (The output function in gd_gif_out.c in the GD Graphics Library (aka li ...) {DSA-3619-1 DLA-563-1} - libgd2 2.2.1-1 NOTE: https://github.com/libgd/libgd/issues/209 NOTE: https://github.com/libgd/libgd/commit/82b80dcb70a7ca8986125ff412bceddafc896842 (gd-2.2.0) CVE-2016-6159 (The management interface of Huawei WS331a routers with software before ...) NOT-FOR-US: Huawei CVE-2016-6158 (Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei W ...) NOT-FOR-US: Huawei CVE-2016-6157 RESERVED CVE-2016-6156 (Race condition in the ec_device_ioctl_xcmd function in drivers/platfor ...) - linux 4.7.2-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/096cdc6f52225835ff503f987a0d68ef770bb78e NOTE: Introduced by: https://git.kernel.org/linus/a841178445bb72a3d566b4e6ab9d19e9b002eb47 (v4.2-rc1) CVE-2016-6155 RESERVED CVE-2016-6154 (The authentication applet in Watchguard Fireware 11.11 Operating Syste ...) NOT-FOR-US: Watchguard CVE-2016-6152 (CA eHealth 6.2.x and 6.3.x before 6.3.2.13 allows remote authenticated ...) NOT-FOR-US: eHealth CVE-2016-6151 (CA eHealth 6.2.x allows remote authenticated users to cause a denial o ...) NOT-FOR-US: eHealth CVE-2016-6150 (The multi-tenant database container feature in SAP HANA does not prope ...) NOT-FOR-US: SAP HANA CVE-2016-6149 (SAP HANA SPS09 1.00.091.00.14186593 allows local users to obtain sensi ...) NOT-FOR-US: SAP HANA CVE-2016-6148 (SAP HANA DB 1.00.73.00.389160 allows remote attackers to cause a denia ...) NOT-FOR-US: SAP HANA CVE-2016-6147 (An unspecified interface in SAP TREX 7.10 Revision 63 allows remote at ...) NOT-FOR-US: SAP TREX CVE-2016-6146 (The NameServer in SAP TREX 7.10 Revision 63 allows remote attackers to ...) NOT-FOR-US: SAP CVE-2016-6145 (The SQL interface in SAP HANA DB 1.00.091.00.1418659308 provides diffe ...) NOT-FOR-US: SAP HANA CVE-2016-6144 (The SQL interface in SAP HANA before Revision 102 does not limit the n ...) NOT-FOR-US: SAP HANA CVE-2016-6143 (SAP HANA DB 1.00.73.00.389160 allows remote attackers to execute arbit ...) NOT-FOR-US: SAP HANA CVE-2016-6142 (SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers t ...) NOT-FOR-US: SAP CVE-2016-6141 RESERVED CVE-2016-6140 (SAP TREX 7.10 Revision 63 allows remote attackers to write to arbitrar ...) NOT-FOR-US: SAP TREX CVE-2016-6139 (SAP TREX 7.10 Revision 63 allows remote attackers to read arbitrary fi ...) NOT-FOR-US: SAP TREX CVE-2016-6138 (Directory traversal vulnerability in SAP TREX 7.10 Revision 63 allows ...) NOT-FOR-US: SAP TREX CVE-2016-6137 (An unspecified function in SAP TREX 7.10 Revision 63 allows remote att ...) NOT-FOR-US: SAP CVE-2016-6136 (Race condition in the audit_log_single_execve_arg function in kernel/a ...) {DSA-3659-1 DLA-609-1} - linux 4.7.2-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=120681 NOTE: https://github.com/linux-audit/audit-kernel/issues/18 NOTE: Fixed by: https://git.kernel.org/linus/43761473c254b45883a64441dd0bc85a42f3645c (4.8-rc1) CVE-2016-6135 RESERVED CVE-2016-6134 RESERVED CVE-2016-1000007 (Pagure 2.2.1 XSS in raw file endpoint ...) - pagure (Fixed before initial upload to the archive) NOTE: https://pagure.io/pagure/c/070d63983fe5daef92005ea33d3b8c693c224c77 CVE-2016-6160 (tcprewrite in tcpreplay before 4.1.2 allows remote attackers to cause ...) {DLA-544-1} - tcpreplay 3.4.4-3 (bug #829350) [jessie] - tcpreplay 3.4.4-2+deb8u1 CVE-2016-6133 (Cross-site scripting (XSS) vulnerability in Ektron Content Management ...) NOT-FOR-US: Ektron CVE-2016-6153 (os_unix.c in SQLite before 3.13.0 improperly implements the temporary ...) {DLA-543-1} - sqlite3 3.13.0-1 [jessie] - sqlite3 3.8.7.1-1+deb8u2 NOTE: http://www.sqlite.org/cgi/src/info/67985761aa93fb61 NOTE: http://www.sqlite.org/cgi/src/info/b38fe522cfc971b3 NOTE: and possibly http://www.sqlite.org/cgi/src/info/614bb709d34e1148 NOTE: https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt CVE-2016-6129 (The rsa_verify_hash_ex function in rsa_verify_hash.c in LibTomCrypt, a ...) {DLA-612-1} - libtomcrypt 1.17-8 (bug #837042) [jessie] - libtomcrypt (Minor issue) NOTE: https://github.com/OP-TEE/optee_os/commit/30d13250c390c4f56adefdcd3b64b7cc672f9fe2 NOTE: libtomcrypt ship the corresponding patch in NOTE: https://github.com/libtom/libtomcrypt/commit/5eb9743410ce4657e9d54fef26a2ee31a1b5dd09 NOTE: The CVE is originally assigend to OP-TEE, but the underlying issue seems to be in NOTE: libtomcrypt, thus keep that source package as well for now associated. CVE-2016-6127 (Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x b ...) {DSA-3882-1 DLA-987-1} - request-tracker4 4.4.1-4 CVE-2016-6126 (IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 could allow a remote at ...) NOT-FOR-US: IBM CVE-2016-6125 (IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 is vulnerable to cross- ...) NOT-FOR-US: IBM CVE-2016-6124 (IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 could allow a remote at ...) NOT-FOR-US: IBM CVE-2016-6123 (IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 is vulnerable to cross- ...) NOT-FOR-US: IBM CVE-2016-6122 (IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 discloses answers to se ...) NOT-FOR-US: IBM CVE-2016-6121 (IBM Emptoris Supplier Lifecycle Management 10.0.x and 10.1.x is vulner ...) NOT-FOR-US: IBM CVE-2016-6120 RESERVED CVE-2016-6119 RESERVED CVE-2016-6118 (IBM Emptoris Supplier Lifecycle Management 10.1.0.x is vulnerable to c ...) NOT-FOR-US: IBM CVE-2016-6117 (IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 can be deployed with acti ...) NOT-FOR-US: IBM CVE-2016-6116 (IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 could allow a remote atta ...) NOT-FOR-US: IBM CVE-2016-6115 (IBM General Parallel File System is vulnerable to a buffer overflow. A ...) NOT-FOR-US: IBM CVE-2016-6114 (IBM Emptoris Sourcing 9.5.x through 10.1.x is vulnerable to cross-site ...) NOT-FOR-US: IBM CVE-2016-6113 (IBM Verse is vulnerable to cross-site scripting. This vulnerability al ...) NOT-FOR-US: IBM CVE-2016-6112 (IBM Distributed Marketing and Marketing Platform 8.6, 9.0, 9.1, and 10 ...) NOT-FOR-US: IBM CVE-2016-6111 (IBM Curam Social Program Management 6.0 and 7.0 are vulnerable to a de ...) NOT-FOR-US: IBM CVE-2016-6110 (IBM Tivoli Storage Manager discloses unencrypted login credentials to ...) NOT-FOR-US: IBM CVE-2016-6109 RESERVED CVE-2016-6108 RESERVED CVE-2016-6107 RESERVED CVE-2016-6106 RESERVED CVE-2016-6105 (IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 do not perform an authent ...) NOT-FOR-US: IBM CVE-2016-6104 (IBM Tivoli Key Lifecycle Manager 2.5, and 2.6 could allow a remote att ...) NOT-FOR-US: IBM CVE-2016-6103 (IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 is vulnerable to cross-si ...) NOT-FOR-US: IBM CVE-2016-6102 (IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 stores sensitive informat ...) NOT-FOR-US: IBM Tivoli Key Lifecycle Manager CVE-2016-6101 RESERVED CVE-2016-6100 (IBM Disposal and Governance Management for IT and IBM Global Retention ...) NOT-FOR-US: IBM CVE-2016-6099 (IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 discloses sensitive infor ...) NOT-FOR-US: IBM CVE-2016-6098 (IBM Tivoli Key Lifecycle Manager 2.0.1, 2.5, and 2.6 specifies permiss ...) NOT-FOR-US: IBM CVE-2016-6097 (IBM Tivoli Key Lifecycle Manager 2.0.1, 2.5, and 2.6 allows web pages ...) NOT-FOR-US: IBM CVE-2016-6096 (IBM Tivoli Key Lifecycle Manager 2.0.1, 2.5, and 2.6 is vulnerable to ...) NOT-FOR-US: IBM CVE-2016-6095 (IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 uses an inadequate accoun ...) NOT-FOR-US: IBM CVE-2016-6094 (IBM Tivoli Key Lifecycle Manager 2.0.1, 2.5, and 2.6 generates an erro ...) NOT-FOR-US: IBM CVE-2016-6093 (IBM Tivoli Key Lifecycle Manager does not require that users should ha ...) NOT-FOR-US: IBM CVE-2016-6092 (IBM Tivoli Key Lifecycle Manager 2.0.1, 2.5, and 2.6 stores user crede ...) NOT-FOR-US: IBM CVE-2016-6091 REJECTED CVE-2016-6090 (IBM WebSphere Commerce contains an unspecified vulnerability that coul ...) NOT-FOR-US: IBM CVE-2016-6089 (IBM WebSphere MQ 9.0.0.1 and 9.0.2 could allow a local user to write t ...) NOT-FOR-US: IBM CVE-2016-6088 RESERVED CVE-2016-6087 (IBM Domino 8.5 and 9.0 could allow an attacker to steal credentials us ...) NOT-FOR-US: IBM CVE-2016-6086 RESERVED CVE-2016-6085 (IBM BigFix Platform could allow an attacker on the local network to cr ...) NOT-FOR-US: IBM CVE-2016-6084 (IBM BigFix Platform could allow an attacker on the local network to cr ...) NOT-FOR-US: IBM CVE-2016-6083 (IBM Tivoli Monitoring V6 could allow an unauthenticated user to access ...) NOT-FOR-US: IBM CVE-2016-6082 (IBM BigFix Platform could allow a remote attacker to execute arbitrary ...) NOT-FOR-US: IBM CVE-2016-6081 RESERVED CVE-2016-6080 (The WebAdmin context for WebSphere Message Broker allows directory lis ...) NOT-FOR-US: IBM CVE-2016-6079 (IBM AIX 5.3, 6.1, 7.1, and 7.2 contains an unspecified vulnerability t ...) NOT-FOR-US: IBM CVE-2016-6078 RESERVED CVE-2016-6077 (IBM Cognos Disclosure Management 10.2 could allow a malicious attacker ...) NOT-FOR-US: IBM CVE-2016-6076 RESERVED CVE-2016-6075 RESERVED CVE-2016-6074 RESERVED CVE-2016-6073 RESERVED CVE-2016-6072 (IBM Maximo Asset Management is vulnerable to cross-site scripting. Thi ...) NOT-FOR-US: IBM CVE-2016-6071 RESERVED CVE-2016-6070 RESERVED CVE-2016-6069 RESERVED CVE-2016-6068 (IBM UrbanCode Deploy could allow an authenticated user with access to ...) NOT-FOR-US: IBM CVE-2016-6067 RESERVED CVE-2016-6066 RESERVED CVE-2016-6065 (IBM Security Guardium Database Activity Monitor appliance could allow ...) NOT-FOR-US: IBM CVE-2016-6064 RESERVED CVE-2016-6063 RESERVED CVE-2016-6062 (IBM Resilient v26.0, v26.1, and v26.2 is vulnerable to cross-site scri ...) NOT-FOR-US: IBM CVE-2016-6061 (IBM Jazz Foundation is vulnerable to cross-site scripting. This vulner ...) NOT-FOR-US: IBM CVE-2016-6060 (An undisclosed vulnerability in IBM Rational DOORS Next Generation 4.0 ...) NOT-FOR-US: IBM CVE-2016-6059 (IBM InfoSphere Information Server is vulnerable to a denial of service ...) NOT-FOR-US: IBM CVE-2016-6058 RESERVED CVE-2016-6057 RESERVED CVE-2016-6056 (IBM Call Center for Commerce 9.3 and 9.4 is vulnerable to cross-site s ...) NOT-FOR-US: IBM Call Center for Commerce CVE-2016-6055 (IBM Rational DOORS Next Generation 4.0, 5.0, and 6.0 is vulnerable to ...) NOT-FOR-US: IBM CVE-2016-6054 (IBM Jazz Foundation is vulnerable to cross-site scripting. This vulner ...) NOT-FOR-US: IBM CVE-2016-6053 RESERVED CVE-2016-6052 RESERVED CVE-2016-6051 RESERVED CVE-2016-6050 RESERVED CVE-2016-6049 RESERVED CVE-2016-6048 RESERVED CVE-2016-6047 (IBM Jazz Reporting Service (JRS) is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM CVE-2016-6046 (IBM Tivoli Storage Manager Operations Center is vulnerable to cross-si ...) NOT-FOR-US: IBM CVE-2016-6045 (IBM Tivoli Storage Manager Operations Center is vulnerable to cross-si ...) NOT-FOR-US: IBM CVE-2016-6044 (IBM Tivoli Storage Manager Operations Center could allow an authentica ...) NOT-FOR-US: IBM CVE-2016-6043 (Tivoli Storage Manager Operations Center could allow a local user to t ...) NOT-FOR-US: IBM CVE-2016-6042 (IBM AppScan Enterprise Edition could allow a remote attacker to execut ...) NOT-FOR-US: IBM CVE-2016-6041 RESERVED CVE-2016-6040 (IBM Jazz Foundation could allow an authenticated user to take over a p ...) NOT-FOR-US: IBM CVE-2016-6039 (IBM Jazz Reporting Service (JRS) is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM CVE-2016-6038 (Directory traversal vulnerability in Eclipse Help in IBM Tivoli Lightw ...) NOT-FOR-US: Tivoli CVE-2016-6037 (IBM Rational Team Concert (RTC) is vulnerable to HTML injection. A rem ...) NOT-FOR-US: IBM CVE-2016-6036 (IBM Rational Quality Manager (RQM) 4.0, 5.0, and 6.0 are vulnerable to ...) NOT-FOR-US: IBM CVE-2016-6035 (IBM Rational Quality Manager is vulnerable to cross-site scripting. Th ...) NOT-FOR-US: IBM CVE-2016-6034 (IBM Tivoli Storage Manager for Virtual Environments (VMware) could dis ...) NOT-FOR-US: IBM CVE-2016-6033 (IBM Tivoli Storage Manager for Virtual Environments 7.1 (VMware) is vu ...) NOT-FOR-US: IBM CVE-2016-6032 (IBM Rational Team Concert 4.0, 5.0 and 6.0 is vulnerable to cross-site ...) NOT-FOR-US: IBM CVE-2016-6031 (IBM Rational Quality Manager 4.0, 5.0, and 6.0 are vulnerable to cross ...) NOT-FOR-US: IBM CVE-2016-6030 (IBM Jazz Foundation is vulnerable to cross-site scripting. This vulner ...) NOT-FOR-US: IBM CVE-2016-6029 (IBM Emptoris Strategic Supply Management Platform 10.0 and 10.1 could ...) NOT-FOR-US: IBM CVE-2016-6028 (IBM Jazz technology based products might allow an attacker to view wor ...) NOT-FOR-US: IBM CVE-2016-6027 (The Configuration Manager in IBM Sterling Secure Proxy (SSP) 3.4.2 bef ...) NOT-FOR-US: IBM CVE-2016-6026 (The Configuration Manager in IBM Sterling Secure Proxy (SSP) 3.4.2 bef ...) NOT-FOR-US: IBM CVE-2016-6025 (The Configuration Manager in IBM Sterling Secure Proxy (SSP) 3.4.2 bef ...) NOT-FOR-US: IBM CVE-2016-6024 (IBM Jazz technology based products might divulge information that migh ...) NOT-FOR-US: IBM CVE-2016-6023 (Directory traversal vulnerability in the Configuration Manager in IBM ...) NOT-FOR-US: IBM CVE-2016-6022 (IBM Quality Manager (RQM) 4.0, 5.0, and 6.0 are vulnerable to cross-si ...) NOT-FOR-US: IBM CVE-2016-6021 (IBM Emptoris Strategic Supply Management Platform 10.0 and 10.1 is vul ...) NOT-FOR-US: IBM CVE-2016-6020 (IBM Sterling B2B Integrator Standard Edition could allow a remote atta ...) NOT-FOR-US: IBM CVE-2016-6019 (IBM Emptoris Strategic Supply Management Platform 10.0.0.x through 10. ...) NOT-FOR-US: IBM CVE-2016-6018 (IBM Emptoris Contract Management 10.0 and 10.1 reveals detailed error ...) NOT-FOR-US: IBM CVE-2016-6017 RESERVED CVE-2016-6016 RESERVED CVE-2016-6015 RESERVED CVE-2016-6014 RESERVED CVE-2016-6013 RESERVED CVE-2016-6012 RESERVED CVE-2016-6011 RESERVED CVE-2016-6010 RESERVED CVE-2016-6009 RESERVED CVE-2016-6008 RESERVED CVE-2016-6007 RESERVED CVE-2016-6006 RESERVED CVE-2016-6005 RESERVED CVE-2016-6004 RESERVED CVE-2016-6003 RESERVED CVE-2016-6002 RESERVED CVE-2016-6001 (IBM Forms Experience Builder could be susceptible to a server-side req ...) NOT-FOR-US: IBM CVE-2016-6000 (IBM TRIRIGA Application Platform is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM CVE-2016-5999 RESERVED CVE-2016-5998 RESERVED CVE-2016-5997 (The web portal in IBM Tealeaf Customer Experience before 8.7.1.8847 FP ...) NOT-FOR-US: IBM Tealeaf Customer Experience CVE-2016-5996 (The web portal in IBM Tealeaf Customer Experience before 8.7.1.8847 FP ...) NOT-FOR-US: IBM Tealeaf Customer Experience CVE-2016-5995 (Untrusted search path vulnerability in IBM DB2 9.7 through FP11, 10.1 ...) NOT-FOR-US: IBM CVE-2016-5994 (IBM InfoSphere Information Server contains a vulnerability that would ...) NOT-FOR-US: IBM CVE-2016-5993 RESERVED CVE-2016-5992 (IBM Sterling Connect:Direct 4.5.00, 4.5.01, 4.6.0 before 4.6.0.6 iFix0 ...) NOT-FOR-US: IBM CVE-2016-5991 (IBM Sterling Connect:Direct 4.5.00, 4.5.01, 4.6.0 before 4.6.0.6 iFix0 ...) NOT-FOR-US: IBM CVE-2016-5990 (IBM Security Privileged Identity Manager Virtual Appliance allows an a ...) NOT-FOR-US: IBM CVE-2016-5989 RESERVED CVE-2016-5988 (IBM Security Privileged Identity Manager Virtual Appliance could discl ...) NOT-FOR-US: IBM CVE-2016-5987 (IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5 before 7.5.0.10 ...) NOT-FOR-US: IBM CVE-2016-5986 (IBM WebSphere Application Server (WAS) 7.x before 7.0.0.43, 8.0.x befo ...) NOT-FOR-US: IBM CVE-2016-5985 (The IBM Tivoli Storage Manager (IBM Spectrum Protect) AIX client is vu ...) NOT-FOR-US: IBM CVE-2016-5984 (IBM InfoSphere Information Server is vulnerable to cross-frame scripti ...) NOT-FOR-US: IBM CVE-2016-5983 (IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before ...) NOT-FOR-US: IBM CVE-2016-5982 RESERVED CVE-2016-5981 (Cross-site scripting (XSS) vulnerability in IBM FileNet Workplace XT t ...) NOT-FOR-US: IBM CVE-2016-5980 (IBM TRIRIGA Application Platform is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM CVE-2016-5979 (IBM Distributed Marketing 8.6, 9.0, and 10.0 could allow a privileged ...) NOT-FOR-US: IBM CVE-2016-5978 (Cross-site scripting (XSS) vulnerability in the Web UI in the web port ...) NOT-FOR-US: IBM CVE-2016-5977 (Open redirect vulnerability in the web portal in IBM Tealeaf Customer ...) NOT-FOR-US: IBM Tealeaf Customer Experience CVE-2016-5976 (The web portal in IBM Tealeaf Customer Experience before 8.7.1.8847 FP ...) NOT-FOR-US: IBM Tealeaf Customer Experience CVE-2016-5975 (Cross-site scripting (XSS) vulnerability in the Web UI in the web port ...) NOT-FOR-US: IBM CVE-2016-5974 (Cross-site scripting (XSS) vulnerability in the Web UI in IBM Security ...) NOT-FOR-US: IBM CVE-2016-5973 RESERVED CVE-2016-5972 (IBM Security Privileged Identity Manager (ISPIM) Virtual Appliance 2.x ...) NOT-FOR-US: IBM Security Privileged Identity Manager CVE-2016-5971 (IBM Security Privileged Identity Manager (ISPIM) Virtual Appliance 2.x ...) NOT-FOR-US: IBM Security Privileged Identity Manager CVE-2016-5970 (Directory traversal vulnerability in IBM Security Privileged Identity ...) NOT-FOR-US: IBM Security Privileged Identity Manager CVE-2016-5969 RESERVED CVE-2016-5968 (The Replay Server in IBM Tealeaf Customer Experience 8.x before 8.7.1. ...) NOT-FOR-US: IBM CVE-2016-5967 (The installation component in IBM Rational Asset Analyzer (RAA) 6.1.0 ...) NOT-FOR-US: IBM CVE-2016-5966 (IBM Security Privileged Identity Manager Virtual Appliance could allow ...) NOT-FOR-US: IBM CVE-2016-5965 RESERVED CVE-2016-5964 (IBM Security Privileged Identity Manager Virtual Appliance version 2.0 ...) NOT-FOR-US: IBM CVE-2016-5963 (IBM Security Privileged Identity Manager (ISPIM) Virtual Appliance 2.x ...) NOT-FOR-US: IBM CVE-2016-5962 RESERVED CVE-2016-5961 RESERVED CVE-2016-5960 (IBM Security Privileged Identity Manager 2.0.2 and 2.1.0 stores user c ...) NOT-FOR-US: IBM CVE-2016-5959 (IBM Security Privileged Identity Manager 2.0.2 and 2.1.0 stores sensit ...) NOT-FOR-US: IBM CVE-2016-5958 (IBM Security Privileged Identity Manager could allow a remote attacker ...) NOT-FOR-US: IBM CVE-2016-5957 (IBM Security Privileged Identity Manager (ISPIM) Virtual Appliance 2.x ...) NOT-FOR-US: IBM CVE-2016-5956 RESERVED CVE-2016-5955 (Cross-site scripting (XSS) vulnerability in IBM Rational DOORS Next Ge ...) NOT-FOR-US: IBM CVE-2016-5954 (IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 ...) NOT-FOR-US: IBM CVE-2016-5953 (IBM Sterling Order Management transmits the session identifier within ...) NOT-FOR-US: IBM CVE-2016-5952 (IBM Kenexa LCMS Premier on Cloud is vulnerable to SQL injection. A rem ...) NOT-FOR-US: IBM CVE-2016-5951 (IBM Kenexa LCMS Premier on Cloud is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM CVE-2016-5950 (IBM Kenexa LCMS Premier on Cloud stores user credentials in plain in c ...) NOT-FOR-US: IBM CVE-2016-5949 (IBM Kenexa LCMS Premier on Cloud could allow an authenticated user to ...) NOT-FOR-US: IBM CVE-2016-5948 (IBM Kenexa LCMS Premier on Cloud is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM CVE-2016-5947 (IBM Spectrum Control (formerly Tivoli Storage Productivity Center) 5.2 ...) NOT-FOR-US: IBM CVE-2016-5946 (Directory traversal vulnerability in IBM Spectrum Control (formerly Ti ...) NOT-FOR-US: IBM CVE-2016-5945 (IBM Spectrum Control (formerly Tivoli Storage Productivity Center) 5.2 ...) NOT-FOR-US: IBM CVE-2016-5944 (Cross-site scripting (XSS) vulnerability in the Web UI in IBM Spectrum ...) NOT-FOR-US: IBM CVE-2016-5943 (IBM Spectrum Control (formerly Tivoli Storage Productivity Center) 5.2 ...) NOT-FOR-US: IBM CVE-2016-5942 (IBM Kenexa LMS on Cloud is vulnerable to cross-site scripting. This vu ...) NOT-FOR-US: IBM CVE-2016-5941 (IBM Kenexa LMS on Cloud could allow a remote attacker to traverse dire ...) NOT-FOR-US: IBM CVE-2016-5940 (IBM Kenexa LMS on Cloud is vulnerable to cross-site scripting. This vu ...) NOT-FOR-US: IBM CVE-2016-5939 (IBM Kenexa LMS on Cloud is vulnerable to SQL injection. A remote attac ...) NOT-FOR-US: IBM CVE-2016-5938 (IBM Kenexa LMS on Cloud allows web pages to be stored locally which ca ...) NOT-FOR-US: IBM CVE-2016-5937 (IBM Kenexa LCMS Premier on Cloud is vulnerable to cross-site request f ...) NOT-FOR-US: IBM CVE-2016-5936 RESERVED CVE-2016-5935 (IBM Jazz for Service Management could allow a remote attacker to obtai ...) NOT-FOR-US: IBM CVE-2016-5934 (IBM Tivoli Storage Manager FastBack installer could allow a remote att ...) NOT-FOR-US: IBM CVE-2016-5933 (IBM Tivoli Monitoring 6.2 and 6.3 is vulnerable to possible host heade ...) NOT-FOR-US: IBM CVE-2016-5932 (IBM Connections 4.0, 4.5, 5.0, and 5.5 is vulnerable to cross-site scr ...) NOT-FOR-US: IBM CVE-2016-5931 RESERVED CVE-2016-5930 RESERVED CVE-2016-5929 RESERVED CVE-2016-5928 RESERVED CVE-2016-5927 (IBM Tivoli Storage Manager for Space Management (aka Spectrum Protect ...) NOT-FOR-US: IBM CVE-2016-5926 RESERVED CVE-2016-5925 RESERVED CVE-2016-5924 RESERVED CVE-2016-5923 RESERVED CVE-2016-5922 RESERVED CVE-2016-5921 RESERVED CVE-2016-5920 (Cross-site scripting (XSS) vulnerability in the Web UI in IBM Financia ...) NOT-FOR-US: IBM CVE-2016-5919 (IBM Security Access Manager for Web 7.0.0, 8.0.0, and 9.0.0 uses weake ...) NOT-FOR-US: IBM CVE-2016-5918 (IBM Tivoli Storage Manager HSM for Windows displays the encrypted Tivo ...) NOT-FOR-US: IBM CVE-2016-5917 RESERVED CVE-2016-5916 RESERVED CVE-2016-5915 RESERVED CVE-2016-5914 RESERVED CVE-2016-5913 RESERVED CVE-2016-5912 RESERVED CVE-2016-5911 RESERVED CVE-2016-5910 RESERVED CVE-2016-5909 RESERVED CVE-2016-5908 RESERVED CVE-2016-5907 RESERVED CVE-2016-5906 RESERVED CVE-2016-5905 (Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Managemen ...) NOT-FOR-US: IBM CVE-2016-5904 RESERVED CVE-2016-5903 RESERVED CVE-2016-5902 (IBM Maximo Asset Management is vulnerable to cross-site scripting. Thi ...) NOT-FOR-US: IBM CVE-2016-5901 (Cross-site scripting (XSS) vulnerability in a test page in IBM Busines ...) NOT-FOR-US: IBM CVE-2016-5900 (IBM Tealeaf Customer Experience on Cloud Network Capture Add-On could ...) NOT-FOR-US: IBM CVE-2016-5899 (IBM Jazz Reporting Service (JRS) is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM CVE-2016-5898 (IBM Jazz Reporting Service (JRS) could allow a remote attacker to obta ...) NOT-FOR-US: IBM CVE-2016-5897 (IBM Jazz Reporting Service (JRS) is vulnerable to HTML injection. A re ...) NOT-FOR-US: IBM CVE-2016-5896 (IBM Maximo Asset Management could disclose sensitive information from ...) NOT-FOR-US: IBM CVE-2016-5895 RESERVED CVE-2016-5894 (IBM WebSphere Commerce Enterprise, Professional, Express, and Develope ...) NOT-FOR-US: IBM CVE-2016-5893 (IBM Sterling B2B Integrator Standard Edition 5.2 allows web pages to b ...) NOT-FOR-US: IBM CVE-2016-5892 (Cross-site scripting (XSS) vulnerability in IBM 10x, as used in Multi- ...) NOT-FOR-US: IBM CVE-2016-5891 RESERVED CVE-2016-5890 (IBM Sterling B2B Integrator 5.2 before 5020500_14 and 5.2 06 before 50 ...) NOT-FOR-US: IBM CVE-2016-5889 (IBM Interact 8.6, 9.0, 9.1, and 10.0 is vulnerable to cross-site reque ...) NOT-FOR-US: IBM CVE-2016-5888 (IBM Interact 8.6, 9.0, 9.1, and 10.0 is vulnerable to cross-site scrip ...) NOT-FOR-US: IBM CVE-2016-5887 RESERVED CVE-2016-5886 RESERVED CVE-2016-5885 RESERVED CVE-2016-5884 (IBM iNotes is vulnerable to cross-site scripting. This vulnerability a ...) NOT-FOR-US: IBM CVE-2016-5883 (IBM iNotes 8.5 and 9.0 is vulnerable to cross-site scripting. This vul ...) NOT-FOR-US: IBM CVE-2016-5882 (IBM iNotes is vulnerable to cross-site scripting. This vulnerability a ...) NOT-FOR-US: IBM CVE-2016-5881 (IBM iNotes is vulnerable to cross-site scripting. This vulnerability a ...) NOT-FOR-US: IBM CVE-2016-5880 (IBM iNotes is vulnerable to cross-site scripting. This vulnerability a ...) NOT-FOR-US: IBM CVE-2016-5879 (MQCLI on IBM MQ Appliance M2000 and M2001 devices allows local users t ...) NOT-FOR-US: IBM CVE-2016-5878 (Open redirect vulnerability in IBM FileNet Workplace 4.0.2 before 4.0. ...) NOT-FOR-US: IBM CVE-2016-5877 RESERVED CVE-2016-6132 (The gdImageCreateFromTgaCtx function in the GD Graphics Library (aka l ...) {DSA-3619-1} - libgd2 2.2.2-29-g3c2b605-1 (bug #829694) [wheezy] - libgd2 (Vulnerable code not present) NOTE: https://github.com/libgd/libgd/issues/247 NOTE: https://github.com/libgd/libgd/commit/ead349e99868303b37f5e6e9d9d680c9dc71ff8d CVE-2016-6131 (The demangler in GNU Libiberty allows remote attackers to cause a deni ...) {DLA-552-1} - libiberty 20161017-1 (low; bug #840889) [jessie] - libiberty (Minor issue) - ht 2.1.0+repack1-2 (low) [jessie] - ht (Minor issue) [wheezy] - ht (Minor issue) - binutils 2.27.51.20161102-1 (low) [jessie] - binutils (Minor issue) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696 NOTE: https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=239143 CVE-2016-6130 (Race condition in the sclp_ctl_ioctl_sccb function in drivers/s390/cha ...) {DSA-3616-1} - linux 4.6.1-1 [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/532c34b5fbf1687df63b3fcd5b2846312ac943c6 CVE-2016-6128 (The gdImageCropThreshold function in gd_crop.c in the GD Graphics Libr ...) {DSA-3619-1} - libgd2 2.2.2-29-g3c2b605-1 (bug #829062) [wheezy] - libgd2 (Vulnerable code not present) NOTE: https://github.com/libgd/libgd/compare/3fe0a7128bac5000fdcfab888bd2a75ec0c9447d...fd623025505e87bba7ec8555eeb72dae4fb0afd NOTE: Crop support introduced in https://github.com/libgd/libgd/commit/f67452e1f82f1c2496e0859d638172bee74b43a0 (gd-2.1.0-alpha1) - php7.0 7.0.9-1 (unimportant) - php5 5.6.26+dfsg-1 (unimportant) [jessie] - php5 5.6.26+dfsg-0+deb8u1 [wheezy] - php5 (Vulnerable code not present) NOTE: PHP bug: https://bugs.php.net/bug.php?id=72494 NOTE: Starting with 5.4.0-1 Debian uses the system copy of libgd CVE-2016-5876 (ownCloud server before 8.2.6 and 9.x before 9.0.3, when the gallery ap ...) - owncloud NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2016-010 CVE-2016-5875 REJECTED CVE-2016-5874 (Siemens SIMATIC NET PC-Software before 13 SP2 allows remote attackers ...) NOT-FOR-US: Siemens CVE-2016-5872 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-5871 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-5870 (The msm_ipc_router_close function in net/ipc_router/ipc_router_socket. ...) - linux (Qualcomm-specific kernel patch) CVE-2016-5869 RESERVED CVE-2016-5868 (drivers/net/ethernet/msm/rndis_ipa.c in the Qualcomm networking driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-5867 (In a sound driver in Android for MSM, Firefox OS for MSM, QRD Android, ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-5866 RESERVED CVE-2016-5865 RESERVED CVE-2016-5864 (In an audio driver function in all Qualcomm products with Android for ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-5863 (In an ioctl handler in all Qualcomm products with Android for MSM, Fir ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-5862 (When a control related to codec is issued from userspace in all Qualco ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-5861 (In a display driver in all Qualcomm products with Android for MSM, Fir ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-5860 (In an audio driver in all Qualcomm products with Android for MSM, Fire ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-5859 (In a sound driver in all Qualcomm products with Android for MSM, Firef ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-5858 (In an ioctl handler in all Qualcomm products with Android for MSM, Fir ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-5857 (The Qualcomm SPCom driver in Android before 7.0 allows local users to ...) NOTE: Red Hat seem to have typoed the CVE, which should be CVE-2016-5875, asked to confirm CVE-2016-5856 (Drivers/soc/qcom/spcom.c in the Qualcomm SPCom driver in the Android k ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-5855 (In a driver in all Qualcomm products with Android for MSM, Firefox OS ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-5854 (In a driver in all Qualcomm products with Android for MSM, Firefox OS ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-5853 (In an audio driver in all Qualcomm products with Android releases from ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-5852 (For the NVIDIA Quadro, NVS, and GeForce products, GFE GameStream and N ...) NOT-FOR-US: NVIDIA drivers for Windows CVE-2016-5850 (Cross-site scripting (XSS) vulnerability in the volume backup service ...) NOT-FOR-US: Huawei CVE-2016-5873 (Buffer overflow in the HTTP URL parsing functions in pecl_http before ...) - php-pecl-http 3.0.1-0.1 [jessie] - php-pecl-http (Vulnerable code not present) NOTE: https://bugs.php.net/bug.php?id=71719 NOTE: https://github.com/m6w6/ext-http/commit/3724cd76a28be1d6049b5537232e97ac567ae1f5/def CVE-2016-5851 (python-docx before 0.8.6 allows context-dependent attackers to conduct ...) NOT-FOR-US: python-docx CVE-2016-5849 (Siemens SICAM PAS through 8.07 allows local users to obtain sensitive ...) NOT-FOR-US: Siemens SICAM PAS CVE-2016-5848 (Siemens SICAM PAS before 8.07 does not properly restrict password data ...) NOT-FOR-US: Siemens SICAM PAS CVE-2016-5847 (SAP SAPCAR allows local users to change the permissions of arbitrary f ...) NOT-FOR-US: SAP SAPCAR CVE-2016-5846 RESERVED CVE-2016-5845 (SAP SAPCAR does not check the return value of file operations when ext ...) NOT-FOR-US: SAP SAPCAR CVE-2016-5843 (Multiple SQL injection vulnerabilities in the FAQ package 2.x before 2 ...) NOT-FOR-US: OTRS addon CVE-2016-5840 (hotfix_upload.cgi in Trend Micro Deep Discovery Inspector (DDI) 3.7, 3 ...) NOT-FOR-US: Trend Micro Deep Discovery Inspector CVE-2016-5831 RESERVED CVE-2016-5830 RESERVED CVE-2016-5822 (Huawei Oceanstor 5800 before V300R002C10SPC100 allows remote attackers ...) NOT-FOR-US: Huawei CVE-2016-5821 (Huawei HiSuite before 4.0.4.204_ove (Out of China) and before 4.0.4.30 ...) NOT-FOR-US: Huawei HiSuite CVE-2016-5820 REJECTED CVE-2016-5819 (Moxa G3100V2 Series, editions prior to Version 2.8, and OnCell G3111/G ...) NOT-FOR-US: Moxa CVE-2016-5818 (An issue was discovered in Schneider Electric PowerLogic PM8ECC device ...) NOT-FOR-US: Schneider CVE-2016-5817 (SQL injection vulnerability in news pages in Cargotec Navis WebAccess ...) NOT-FOR-US: Cargotec CVE-2016-5816 (A Use of Hard-Coded Cryptographic Key issue was discovered in MRD-305- ...) NOT-FOR-US: Westermo CVE-2016-5815 (An issue was discovered on Schneider Electric IONXXXX series power met ...) NOT-FOR-US: Schneider CVE-2016-5814 (Buffer overflow in Rockwell Automation RSLogix Micro Starter Lite, RSL ...) NOT-FOR-US: Rockwell CVE-2016-5813 (An issue was discovered in Visonic PowerLink2, all versions prior to O ...) NOT-FOR-US: Visonic PowerLink CVE-2016-5812 (Moxa OnCell G3100V2 devices before 2.8 and G3111, G3151, G3211, and G3 ...) NOT-FOR-US: Moxa CVE-2016-5811 (An issue was discovered in Visonic PowerLink2, all versions prior to O ...) NOT-FOR-US: Visonic PowerLink CVE-2016-5810 (upAdminPg.asp in Advantech WebAccess before 8.1_20160519 allows remote ...) NOT-FOR-US: Advantech WebAccess CVE-2016-5809 (An issue was discovered on Schneider Electric IONXXXX series power met ...) NOT-FOR-US: Schneider CVE-2016-5808 REJECTED CVE-2016-5807 (Tollgrade LightHouse SMS before 5.1 patch 3 allows remote authenticate ...) NOT-FOR-US: Tollgrade CVE-2016-5806 REJECTED CVE-2016-5805 (An issue was discovered in Delta Electronics WPLSoft, Versions prior t ...) NOT-FOR-US: Delta Electronics WPLSoft CVE-2016-5804 (Moxa MGate MB3180 before 1.8, MGate MB3280 before 2.7, MGate MB3480 be ...) NOT-FOR-US: Moxa CVE-2016-5803 (An issue was discovered in CA Unified Infrastructure Management Versio ...) NOT-FOR-US: CA Unified Infrastructure Management CVE-2016-5802 (An issue was discovered in Delta Electronics WPLSoft, Versions prior t ...) NOT-FOR-US: Delta Electronics WPLSoft CVE-2016-5801 (An issue was discovered in OmniMetrix OmniView, Version 1.2. Insuffici ...) NOT-FOR-US: OmniMetrix OmniView CVE-2016-5800 (A malicious attacker can trigger a remote buffer overflow in the Commu ...) NOT-FOR-US: Fatek CVE-2016-5799 (Moxa OnCell G3100V2 devices before 2.8 and G3111, G3151, G3211, and G3 ...) NOT-FOR-US: Moxa CVE-2016-5798 (An issue was discovered in Fatek Automation PM Designer V3 Version 2.1 ...) NOT-FOR-US: Fatek Automation PM Designer CVE-2016-5797 (Tollgrade LightHouse SMS before 5.1 patch 3 provides different error m ...) NOT-FOR-US: Tollgrade CVE-2016-5796 (An issue was discovered in Fatek Automation PM Designer V3 Version 2.1 ...) NOT-FOR-US: Fatek Automation PM Designer CVE-2016-5795 (An XXE issue was discovered in Automated Logic Corporation (ALC) Liebe ...) NOT-FOR-US: Automated Logic Corporation (ALC) CVE-2016-5794 REJECTED CVE-2016-5793 (Unquoted Windows search path vulnerability in Moxa Active OPC Server b ...) NOT-FOR-US: Moxa CVE-2016-5792 (SQL injection vulnerability in Moxa SoftCMS before 1.5 allows remote a ...) NOT-FOR-US: Moxa CVE-2016-5791 (An Improper Authentication issue was discovered in JanTek JTC-200, all ...) NOT-FOR-US: JanTek JTC-200 CVE-2016-5790 (Tollgrade LightHouse SMS before 5.1 patch 3 allows remote attackers to ...) NOT-FOR-US: Tollgrade CVE-2016-5789 (A Cross-site Request Forgery issue was discovered in JanTek JTC-200, a ...) NOT-FOR-US: JanTek JTC-200 CVE-2016-5788 (General Electric (GE) Bently Nevada 3500/22M USB with firmware before ...) NOT-FOR-US: General Electric (GE) Bently Nevada CVE-2016-5787 (General Electric (GE) Digital Proficy HMI/SCADA - CIMPLICITY before 8. ...) NOT-FOR-US: CIMPLICITY CVE-2016-5786 (An issue was discovered in OmniMetrix OmniView, Version 1.2. The OmniV ...) NOT-FOR-US: OmniMetrix OmniView CVE-2016-5785 RESERVED CVE-2016-5784 RESERVED CVE-2016-5783 RESERVED CVE-2016-5782 (An issue was discovered in Locus Energy LGate prior to 1.05H, LGate 50 ...) NOT-FOR-US: Locus Energy LGate CVE-2016-5781 (Stack-based buffer overflow in WECON LeviStudio allows remote attacker ...) NOT-FOR-US: LeviStudio CVE-2016-5780 RESERVED CVE-2016-5779 RESERVED CVE-2016-5778 RESERVED CVE-2016-5777 RESERVED CVE-2016-5776 RESERVED CVE-2016-5775 RESERVED CVE-2016-5774 (The HTTPS server in Blue Coat PacketShaper S-Series 11.5.x before 11.5 ...) NOT-FOR-US: Blue Coat CVE-2016-5765 (Administrative Server in Micro Focus Host Access Management and Securi ...) NOT-FOR-US: Micro Focus CVE-2016-5764 (Micro Focus Rumba FTP 4.X client buffer overflow makes it possible to ...) NOT-FOR-US: Micro Focus Rumba CVE-2016-5763 (Vulnerability in Novell Open Enterprise Server (OES2015 SP1 before Sch ...) NOT-FOR-US: Novell Open Enterprise Server CVE-2016-5762 (Integer overflow in the Post Office Agent in Novell GroupWise before 2 ...) NOT-FOR-US: Novell GroupWise CVE-2016-5761 (Cross-site scripting (XSS) vulnerability in Novell GroupWise before 20 ...) NOT-FOR-US: Novell GroupWise CVE-2016-5760 (Multiple cross-site scripting (XSS) vulnerabilities in the administrat ...) NOT-FOR-US: Novell GroupWise CVE-2016-5759 (The mkdumprd script called "dracut" in the current working directory " ...) NOT-FOR-US: SuSE-specific Dracut script mkdumprd CVE-2016-5758 (A cross site request forgery protection mechanism in NetIQ Access Mana ...) NOT-FOR-US: NetIQ CVE-2016-5757 (iManager Admin Console in NetIQ Access Manager 4.1 before 4.1.2 Hot Fi ...) NOT-FOR-US: NetIQ CVE-2016-5756 (Multiple components of the web tools in NetIQ Access Manager 4.1 befor ...) NOT-FOR-US: NetIQ CVE-2016-5755 (NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 w ...) NOT-FOR-US: NetIQ CVE-2016-5754 (Presence of a .htaccess file could leak information in NetIQ Access Ma ...) NOT-FOR-US: NetIQ CVE-2016-5753 RESERVED CVE-2016-5752 (The SAML2 implementation in Identity Server in NetIQ Access Manager 4. ...) NOT-FOR-US: NetIQ CVE-2016-5751 (An unfiltered finalizer target URL in the SAML processing feature in I ...) NOT-FOR-US: NetIQ CVE-2016-5750 (The certificate upload feature in iManager in NetIQ Access Manager 4.1 ...) NOT-FOR-US: NetIQ CVE-2016-5749 (NetIQ Access Manager 4.1 before 4.1.2 HF 1 and 4.2 before 4.2.2 was pa ...) NOT-FOR-US: NetIQ CVE-2016-5748 (External Entity Processing (XXE) vulnerability in the "risk score" app ...) NOT-FOR-US: NetIQ CVE-2016-5747 (A security vulnerability in cookie handling in the http stack implemen ...) NOT-FOR-US: Novell CVE-2016-5746 (libstorage, libstorage-ng, and yast-storage improperly store passphras ...) NOT-FOR-US: libstorage CVE-2016-5745 (F5 BIG-IP LTM systems 11.x before 11.2.1 HF16, 11.3.x, 11.4.x before 1 ...) NOT-FOR-US: F5 BIG-IP CVE-2015-8945 (openshift-node in OpenShift Origin 1.1.6 and earlier improperly stores ...) NOT-FOR-US: OpenShift CVE-2015-8944 (The ioresources_init function in kernel/resource.c in the Linux kernel ...) - linux (Android-specific patch, /proc/iomem is root-restricted already) CVE-2015-8943 (drivers/video/msm/mdss/mdss_mdp_util.c in the Qualcomm components in A ...) - linux (Android-specific patch) CVE-2015-8942 (drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c in the Qualco ...) - linux (Android-specific patch) CVE-2015-8941 (drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c in the Qua ...) - linux (Android-specific patch) CVE-2015-8940 (Integer overflow in sound/soc/msm/qdsp6v2/q6lsm.c in the Qualcomm comp ...) - linux (Android-specific patch) CVE-2015-8939 (drivers/video/msm/mdp4_util.c in the Qualcomm components in Android be ...) - linux (Android-specific patch) CVE-2015-8938 (The MSM camera driver in the Qualcomm components in Android before 201 ...) - linux (Android-specific patch) CVE-2015-8937 (drivers/char/diag/diagchar_core.c in the Qualcomm components in Androi ...) - linux (Android-specific patch) CVE-2014-9906 (Use-after-free vulnerability in DBD::mysql before 4.029 allows attacke ...) {DSA-3635-1 DLA-576-1} - libdbd-mysql-perl 4.033-1 NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=97625 NOTE: https://github.com/perl5-dbi/DBD-mysql/pull/27 NOTE: https://github.com/perl5-dbi/DBD-mysql/commit/a56ae87a4c1c1fead7d09c3653905841ccccf1cc CVE-2014-9905 (Multiple cross-site scripting (XSS) vulnerabilities in the Web Calenda ...) - sogo 2.2.5-1 [wheezy] - sogo (not supported in Wheezy LTS) NOTE: https://github.com/inverse-inc/sogo/commit/1a7fc2a0e90a19dfb1fce292ae5ff53aa513ade9 (SOGo-2.2.0) NOTE: https://github.com/inverse-inc/sogo/commit/80a09407652ec04e8c9fb6cb48e1029e69a15765 (SOGo-2.2.0) NOTE: https://github.com/inverse-inc/sogo/commit/3a5e44e7eb8b390b67a8f8a83030b49606956501 (SOGo-2.2.0) NOTE: https://github.com/inverse-inc/sogo/commit/c94595ea7f0f843c2d7abf25df039b2bbe707625 (SOGo-2.2.0) NOTE: https://sogo.nu/bugs/view.php?id=2598 CVE-2014-9904 (The snd_compress_check_input function in sound/core/compress_offload.c ...) {DSA-3616-1} - linux 4.0.2-1 [wheezy] - linux (Vulnerable code not present) NOTE: 4.0.2-1 the first version in unstable after 3.17-rc1 NOTE: Fixed by: https://git.kernel.org/linus/6217e5ede23285ddfee10d2e4ba0cc2d4c046205 (3.17-rc1) NOTE: Introduced by: https://git.kernel.org/linus/b35cc8225845112a616e3a2266d2fde5ab13d3ab (3.7-rc1) CVE-2014-9903 (The sched_read_attr function in kernel/sched/core.c in the Linux kerne ...) - linux NOTE: vulnerable code between 3.14-rc1 and 3.14-rc4 CVE-2014-9902 (Buffer overflow in CORE/SYS/legacy/src/utils/src/dot11f.c in the Qualc ...) NOT-FOR-US: Qualcomm driver for Android CVE-2014-9901 (The Qualcomm Wi-Fi driver in Android before 2016-08-05 on Nexus 7 (201 ...) NOT-FOR-US: Qualcomm driver for Android CVE-2014-9900 (The ethtool_get_wol function in net/core/ethtool.c in the Linux kernel ...) - linux (unimportant) CVE-2014-9899 (drivers/usb/host/ehci-msm2.c in the Qualcomm components in Android bef ...) - linux (Android-specific driver) CVE-2014-9898 (arch/arm/mach-msm/qdsp6v2/ultrasound/usf.c in the Qualcomm components ...) - linux (Android-specific driver) CVE-2014-9897 (sound/soc/msm/qdsp6v2/msm-lsm-client.c in the Qualcomm components in A ...) - linux (Android-specific driver) CVE-2014-9896 (drivers/char/adsprpc.c in the Qualcomm components in Android before 20 ...) - linux (Android-specific driver) CVE-2014-9895 (drivers/media/media-device.c in the Linux kernel before 3.11, as used ...) {DLA-833-1} - linux 3.11.5-1 CVE-2014-9894 (drivers/misc/qseecom.c in the Qualcomm components in Android before 20 ...) - linux (Android-specific driver) CVE-2014-9893 (drivers/video/msm/mdss/mdss_mdp_pp.c in the Qualcomm components in And ...) - linux (Android-specific driver) CVE-2014-9892 (The snd_compr_tstamp function in sound/core/compress_offload.c in the ...) - linux (unimportant) NOTE: Not considered a security issue/invalid issue by the Debian kernel team CVE-2014-9891 (drivers/misc/qseecom.c in the Qualcomm components in Android before 20 ...) - linux (Android-specific driver) CVE-2014-9890 (Off-by-one error in drivers/media/platform/msm/camera_v2/sensor/cci/ms ...) - linux (Android-specific driver) CVE-2014-9889 (drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c in the Qualco ...) - linux (Android-specific driver) CVE-2014-9888 (arch/arm/mm/dma-mapping.c in the Linux kernel before 3.13 on ARM platf ...) {DLA-833-1} - linux 3.13.4-1 CVE-2014-9887 (drivers/misc/qseecom.c in the Qualcomm components in Android before 20 ...) - linux (Android-specific driver) CVE-2014-9886 (arch/arm/mach-msm/qdsp6v2/ultrasound/usf.c in the Qualcomm components ...) - linux (Android-specific driver) CVE-2014-9885 (Format string vulnerability in drivers/thermal/qpnp-adc-tm.c in the Qu ...) - linux (Android-specific driver) CVE-2014-9884 (drivers/misc/qseecom.c in the Qualcomm components in Android before 20 ...) - linux (Android-specific driver) CVE-2014-9883 (Integer overflow in drivers/char/diag/diag_dci.c in the Qualcomm compo ...) - linux (Android-specific driver) CVE-2014-9882 (Buffer overflow in drivers/media/radio/radio-iris.c in the Qualcomm co ...) - linux (Android-specific driver) CVE-2014-9881 (drivers/media/radio/radio-iris.c in the Qualcomm components in Android ...) - linux (Android-specific driver) CVE-2014-9880 (drivers/video/msm/vidc/common/enc/venc.c in the Qualcomm components in ...) - linux (Android-specific driver) CVE-2014-9879 (The mdss mdp3 driver in the Qualcomm components in Android before 2016 ...) - linux (Android-specific driver) CVE-2014-9878 (drivers/mmc/card/mmc_block_test.c in the Qualcomm components in Androi ...) - linux (Android-specific driver) CVE-2014-9877 (drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c in ...) - linux (Android-specific driver) CVE-2014-9876 (drivers/char/diag/diagfwd.c in the Qualcomm components in Android befo ...) - linux (Android-specific driver) CVE-2014-9875 (drivers/char/diag/diag_dci.c in the Qualcomm components in Android bef ...) - linux (Android-specific driver) CVE-2014-9874 (Buffer overflow in the Qualcomm components in Android before 2016-08-0 ...) - linux (Android-specific driver) CVE-2014-9873 (Integer underflow in drivers/char/diag/diag_dci.c in the Qualcomm comp ...) - linux (Android-specific driver) CVE-2014-9872 (The diag driver in the Qualcomm components in Android before 2016-08-0 ...) - linux (Android-specific driver) CVE-2014-9871 (Multiple buffer overflows in drivers/media/platform/msm/camera_v2/isp/ ...) - linux (Android-specific driver) CVE-2014-9870 (The Linux kernel before 3.11 on ARM platforms, as used in Android befo ...) - linux 3.11.5-1 [wheezy] - linux (Minor issue, hardly a security impact, cf. kernel-sec) CVE-2014-9869 (drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c in the Q ...) - linux (Android-specific driver) CVE-2014-9868 (drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c in the ...) - linux (Android-specific driver) CVE-2014-9867 (drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c in the Qua ...) - linux (Android-specific driver) CVE-2014-9866 (drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c in the Qua ...) - linux (Android-specific driver) CVE-2014-9865 (drivers/misc/qseecom.c in the Qualcomm components in Android before 20 ...) - linux (Android-specific driver) CVE-2014-9864 (drivers/misc/qseecom.c in the Qualcomm components in Android before 20 ...) - linux (Android-specific driver) CVE-2014-9863 (Integer underflow in the diag driver in the Qualcomm components in And ...) - linux (Android-specific driver) CVE-2016-5844 (Integer overflow in the ISO parser in libarchive before 3.2.1 allows r ...) {DSA-3657-1 DLA-554-1} - libarchive 3.2.1-1 NOTE: Upstream ticket: https://github.com/libarchive/libarchive/issues/717 NOTE: Upstream fix: https://github.com/libarchive/libarchive/commit/3ad08e01b4d253c66ae56414886089684155af22 (v3.2.1) CVE-2016-5842 (MagickCore/property.c in ImageMagick before 7.0.2-1 allows remote atta ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #831034) NOTE: Details: http://www.openwall.com/lists/oss-security/2016/06/23/1 NOTE: https://github.com/ImageMagick/ImageMagick/commit/d8ab7f046587f2e9f734b687ba7e6e10147c294b NOTE: Reproducer http://bugs.fi/media/afl/imagemagick/CVE-2016-5842.jpg CVE-2016-5841 (Integer overflow in MagickCore/profile.c in ImageMagick before 7.0.2-1 ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #831034) NOTE: Details: http://www.openwall.com/lists/oss-security/2016/06/23/1 NOTE: https://github.com/ImageMagick/ImageMagick/commit/d8ab7f046587f2e9f734b687ba7e6e10147c294b NOTE: Reproducer http://bugs.fi/media/afl/imagemagick/CVE-2016-5841.jpg CVE-2016-5829 (Multiple heap-based buffer overflows in the hiddev_ioctl_usage functio ...) {DSA-3616-1 DLA-609-1} - linux 4.6.3-1 NOTE: Fixed by: https://git.kernel.org/linus/93a2001bdfd5376c3dc2158653034c20392d15c5 CVE-2016-5828 (The start_thread function in arch/powerpc/kernel/process.c in the Linu ...) {DSA-3616-1} - linux 4.6.3-1 [wheezy] - linux (Introduced in v3.10-rc1) NOTE: https://patchwork.ozlabs.org/patch/636776/ NOTE: Introduced in https://git.kernel.org/linus/bc2a9408fa65195288b41751016c36fd00a75a85 (v3.10-rc1) CVE-2016-5827 (The icaltime_from_string function in libical 0.47 and 1.0 allows remot ...) - libical [stretch] - libical (Minor issue) [jessie] - libical (Minor issue) [wheezy] - libical (Low prio according to upstream) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1281043 NOTE: This issue fixed by the commits referenced via https://github.com/libical/libical/issues/251 NOTE: https://github.com/libical/libical/commit/38757abb495ea6cb40faa5418052278bf75040f7 NOTE: https://github.com/libical/libical/commit/04d84749e53db08c71ed0ce8b6ba5c11082743cd NOTE: https://github.com/libical/libical/commit/830d9530817516377c2bc3b532798ce2c6b4765a CVE-2016-5826 (The parser_get_next_char function in libical 0.47 and 1.0 allows remot ...) - libical [stretch] - libical (Minor issue) [jessie] - libical (Minor issue) [wheezy] - libical (Low prio according to upstream) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1281041 CVE-2016-5825 (The icalparser_parse_string function in libical 0.47 and 1.0 allows re ...) - libical [stretch] - libical (Minor issue) [jessie] - libical (Minor issue) [wheezy] - libical (Low prio according to upstream) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1280832 CVE-2016-5824 (libical 1.0 allows remote attackers to cause a denial of service (use- ...) {DLA-959-1} - libical (bug #860451) [stretch] - libical (Minor issue) [jessie] - libical (Minor issue) - thunderbird 1:60.5.0-1 NOTE: Original report: https://github.com/libical/libical/issues/235 NOTE: Reopened at: https://bugzilla.mozilla.org/show_bug.cgi?id=1275400 NOTE: Reproducer: https://bugzilla.mozilla.org/attachment.cgi?id=8757553 NOTE: Related upstream ticket: https://github.com/libical/libical/issues/286 NOTE: Related upstream ticket: https://github.com/libical/libical/issues/251 NOTE: Whilst the upstream commits in issues/251 fix the issue of #251 itself NOTE: they do not fix the bugzilla.mozilla.org case 1275400 which was assigned NOTE: in http://www.openwall.com/lists/oss-security/2016/06/25/4 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-03/#CVE-2016-5824 NOTE: thunderbird uses embedded libical copy CVE-2016-5823 (The icalproperty_new_clone function in libical 0.47 and 1.0 allows rem ...) - libical 1.0-1 [wheezy] - libical (Only possible denial of service, not severe enough to solve) NOTE: possibly correct upstream bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1275787 NOTE: Exact fixing commit unfortunately not bisected, need more investigation CVE-2016-5744 (Siemens SIMATIC WinCC 7.0 through SP3 and 7.2 allows remote attackers ...) NOT-FOR-US: Siemens CVE-2016-5743 (Siemens SIMATIC WinCC before 7.3 Update 10 and 7.4 before Update 1, SI ...) NOT-FOR-US: Siemens CVE-2016-5839 (WordPress before 4.5.3 allows remote attackers to bypass the sanitize_ ...) {DSA-3639-1 DLA-568-1} - wordpress 4.5.3+dfsg-1 NOTE: https://wordpress.org/news/2016/06/wordpress-4-5-3/ NOTE: https://core.trac.wordpress.org/ticket/37111 NOTE: https://core.trac.wordpress.org/changeset/37818 CVE-2016-5838 (WordPress before 4.5.3 allows remote attackers to bypass intended pass ...) {DSA-3639-1 DLA-568-1} - wordpress 4.5.3+dfsg-1 NOTE: https://core.trac.wordpress.org/changeset/37762/ NOTE: https://core.trac.wordpress.org/ticket/37047 NOTE: https://wordpress.org/news/2016/06/wordpress-4-5-3/ CVE-2016-5837 (WordPress before 4.5.3 allows remote attackers to bypass intended acce ...) {DSA-3639-1 DLA-568-1} - wordpress 4.5.3+dfsg-1 NOTE: https://wordpress.org/news/2016/06/wordpress-4-5-3/ NOTE: Upstream bug: https://core.trac.wordpress.org/ticket/36379 NOTE: Fixed by: https://core.trac.wordpress.org/changeset/37781 CVE-2016-5836 (The oEmbed protocol implementation in WordPress before 4.5.3 allows re ...) {DLA-1452-1 DLA-633-1} - wordpress 4.5.3+dfsg-1 NOTE: https://wordpress.org/news/2016/06/wordpress-4-5-3/ NOTE: Upstream ticket: https://core.trac.wordpress.org/ticket/36767 NOTE: Fixed by (Branch 4.4): https://core.trac.wordpress.org/changeset/37798 CVE-2016-5835 (WordPress before 4.5.3 allows remote attackers to obtain sensitive rev ...) {DSA-3639-1 DLA-568-1} - wordpress 4.5.3+dfsg-1 NOTE: https://wordpress.org/news/2016/06/wordpress-4-5-3/ NOTE: https://core.trac.wordpress.org/changeset/37800 CVE-2016-5834 (Cross-site scripting (XSS) vulnerability in the wp_get_attachment_link ...) {DSA-3639-1 DLA-568-1} - wordpress 4.5.3+dfsg-1 NOTE: https://wordpress.org/news/2016/06/wordpress-4-5-3/ NOTE: https://core.trac.wordpress.org/changeset/37790/ CVE-2016-5833 (Cross-site scripting (XSS) vulnerability in the column_title function ...) - wordpress 4.5.3+dfsg-1 [jessie] - wordpress (vulnerable code not present) [wheezy] - wordpress (vulnerable code not present) NOTE: https://wordpress.org/news/2016/06/wordpress-4-5-3/ CVE-2016-5832 (The customizer in WordPress before 4.5.3 allows remote attackers to by ...) {DSA-3639-1 DLA-568-1} - wordpress 4.5.3+dfsg-1 NOTE: https://wordpress.org/news/2016/06/wordpress-4-5-3/ NOTE: Fixed by: https://core.trac.wordpress.org/changeset/37773/ CVE-2016-5773 (php_zip.c in the zip extension in PHP before 5.5.37, 5.6.x before 5.6. ...) {DSA-3618-1 DLA-628-1} - php7.0 7.0.8-1 - php5 5.6.23+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=72434 NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=f6aef68089221c5ea047d4a74224ee3deead99a6 NOTE: Fixed in 5.5.37, 5.6.23, 7.0.8 CVE-2016-5772 (Double free vulnerability in the php_wddx_process_data function in wdd ...) {DSA-3618-1 DLA-628-1} - php7.0 7.0.8-1 - php5 5.6.23+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=72340 NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=a44c89e8af7c2410f4bfc5e097be2a5d0639a60c NOTE: Fixed in 5.5.37, 5.6.23, 7.0.8 CVE-2016-5771 (spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before ...) {DSA-3618-1 DLA-628-1} - php7.0 (Does not affect PHP 7.x) - php5 5.6.23+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=72433 NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=a44c89e8af7c2410f4bfc5e097be2a5d0639a60c NOTE: Fixed in 5.5.37, 5.6.23 CVE-2016-5770 (Integer overflow in the SplFileObject::fread function in spl_directory ...) {DSA-3618-1 DLA-628-1} - php7.0 7.0.8-1 - php5 5.6.23+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=72262 NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=7245bff300d3fa8bacbef7897ff080a6f1c23eba NOTE: Fixed in 5.5.37, 5.6.23, 7.0.8 CVE-2016-5769 (Multiple integer overflows in mcrypt.c in the mcrypt extension in PHP ...) {DSA-3618-1 DLA-628-1} - php7.0 7.0.8-1 - php5 5.6.23+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=72455 NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=6c5211a0cef0cc2854eaa387e0eb036e012904d0 NOTE: Fixed in 5.5.37, 5.6.23, 7.0.8 CVE-2016-5768 (Double free vulnerability in the _php_mb_regex_ereg_replace_exec funct ...) {DSA-3618-1 DLA-628-1} - php7.0 7.0.8-1 - php5 5.6.23+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=72402 NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=5b597a2e5b28e2d5a52fc1be13f425f08f47cb62 NOTE: Fixed in 5.5.37, 5.6.23, 7.0.8 CVE-2016-5767 (Integer overflow in the gdImageCreate function in gd.c in the GD Graph ...) - php7.0 7.0.8-1 (unimportant) - php5 5.6.23+dfsg-1 (unimportant) [jessie] - php5 5.6.23+dfsg-0+deb8u1 NOTE: Starting with 5.4.0-1 Debian uses the system copy of libgd NOTE: PHP Bug: https://bugs.php.net/bug.php?id=72446 NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6 NOTE: Fixed in 5.5.37, 5.6.23, 7.0.8 - libgd2 2.0.34~rc1-1 NOTE: Fixed by: https://github.com/libgd/libgd/commit/cfee163a5e848fc3e3fb1d05a30d7557cdd36457 (GD_2_0_34RC1) CVE-2016-5766 (Integer overflow in the _gd2GetHeader function in gd_gd2.c in the GD G ...) {DSA-3619-1 DLA-534-1} - php7.0 7.0.8-1 (unimportant) - php5 5.6.23+dfsg-1 (unimportant) [jessie] - php5 5.6.23+dfsg-0+deb8u1 NOTE: Starting with 5.4.0-1 Debian uses the system copy of libgd NOTE: PHP Bug: https://bugs.php.net/bug.php?id=72339 NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=7722455726bec8c53458a32851d2a87982cf0eac NOTE: Fixed in 5.5.37, 5.6.23, 7.0.8 - libgd2 2.2.2-29-g3c2b605-1 (bug #829014) NOTE: https://github.com/libgd/libgd/issues/243 NOTE: https://github.com/libgd/libgd/commit/aba3db8ba159465ecec1089027a24835a6da9cc0 CVE-2016-5741 RESERVED CVE-2016-5740 (An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev5 ...) NOT-FOR-US: Open-Xchange CVE-2016-5739 (The Transformation implementation in phpMyAdmin 4.0.x before 4.0.10.16 ...) {DSA-3627-1 DLA-551-1} - phpmyadmin 4:4.6.3-1 CVE-2016-5738 RESERVED CVE-2016-5736 (The default configuration of the IPsec IKE peer listener in F5 BIG-IP ...) NOT-FOR-US: BIG-IP CVE-2016-5735 (Integer overflow in the rwpng_read_image24_libpng function in rwpng.c ...) {DLA-2257-1 DLA-966-1} - pngquant 2.5.0-2 (bug #863469) NOTE: https://github.com/pornel/pngquant/commit/b7c217680cda02dddced245d237ebe8c383be285 CVE-2016-5734 (phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x be ...) - phpmyadmin 4:4.6.3-1 [jessie] - phpmyadmin (Vulnerable only with a php version earlier than the one in jessie) [wheezy] - phpmyadmin (Vulnerable only with a php version earlier than the one in wheezy) CVE-2016-5733 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0. ...) {DSA-3627-1 DLA-551-1} - phpmyadmin 4:4.6.3-1 CVE-2016-5732 (Multiple cross-site scripting (XSS) vulnerabilities in the partition-r ...) - phpmyadmin 4:4.6.3-1 [jessie] - phpmyadmin (Vulnerable code not present) [wheezy] - phpmyadmin (Vulnerable code not present) CVE-2016-5731 (Cross-site scripting (XSS) vulnerability in examples/openid.php in php ...) {DSA-3627-1 DLA-551-1} - phpmyadmin 4:4.6.3-1 (low) CVE-2016-5730 (phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x be ...) - phpmyadmin 4:4.6.3-1 (unimportant) NOTE: path disclosure irrelevant in Debian CVE-2016-5742 (SQL injection vulnerability in the XML-RPC interface in Movable Type P ...) {DLA-532-1} - movabletype-opensource NOTE: https://movabletype.org/news/2016/06/movable_type_626_and_613_released.html NOTE: http://www.openwall.com/lists/oss-security/2016/06/22/3 NOTE: https://github.com/movabletype/movabletype/commit/42113544e7d8ebf6064b7b01b921734b667a1682 CVE-2016-5737 (The Gerrit configuration in the Openstack Puppet module for Gerrit (ak ...) NOT-FOR-US: Openstack-infra puppet-gerrit module CVE-2016-5729 (Lenovo BIOS EFI Driver allows local administrators to execute arbitrar ...) NOT-FOR-US: Lenovo CVE-2016-5728 (Race condition in the vop_ioctl function in drivers/misc/mic/vop/vop_v ...) {DSA-3616-1} - linux 4.6.1-1 [wheezy] - linux (Vulnerable code not present) NOTE: Upstream fix: https://git.kernel.org/linus/9bf292bfca94694a721449e3fd752493856710f6 (v4.7-rc1) NOTE: Introduced in: https://git.kernel.org/linus/f69bcbf3b4c4b333dcd7a48eaf868bf0c88edab5 (v3.13-rc1) CVE-2015-8936 (Cross-site scripting (XSS) vulnerability in squidGuard.cgi in squidGua ...) {DLA-524-1} - squidguard 1.5-5 (unimportant) NOTE: Only affects an example script NOTE: Fix applied: 16_XSS-security-bugfix.patch in 1.5-5 NOTE: http://www.openwall.com/lists/oss-security/2016/06/20/2 CVE-2016-5725 (Directory traversal vulnerability in JCraft JSch before 0.1.54 on Wind ...) {DLA-2184-1 DLA-611-1} - jsch 0.1.54-1 (low) NOTE: https://sourceforge.net/p/jsch/mailman/message/35318093/ CVE-2016-5724 (Cloudera CDH before 5.9 has Potentially Sensitive Information in Diagn ...) NOT-FOR-US: Cloudera CVE-2016-5723 (Huawei FusionInsight HD before V100R002C60SPC200 allows local users to ...) NOT-FOR-US: Huawei CVE-2016-5722 (Huawei OceanStor 5300 V3, 5500 V3, 5600 V3, 5800 V3, 6800 V3, 18800 V3 ...) NOT-FOR-US: OceanStor CVE-2016-5721 (Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collabor ...) NOT-FOR-US: Zimbra CVE-2016-5720 (Multiple untrusted search path vulnerabilities in Microsoft Skype allo ...) NOT-FOR-US: Skype CVE-2016-5719 RESERVED CVE-2016-5718 RESERVED CVE-2016-5717 RESERVED CVE-2016-5716 (The console in Puppet Enterprise 2015.x and 2016.x prior to 2016.4.0 i ...) - puppet (Limited to Puppet Enterprise) CVE-2016-5715 (Open redirect vulnerability in the Console in Puppet Enterprise 2015.x ...) - puppet (Limited to Puppet Enterprise) CVE-2016-5714 (Puppet Enterprise 2015.3.3 and 2016.x before 2016.4.0, and Puppet Agen ...) - puppet 4.8.0-1 [jessie] - puppet (Vulnerable code introduced later) [wheezy] - puppet (Vulnerable code introduced later) NOTE: https://puppet.com/security/cve/pxp-agent-oct-2016 NOTE: triaged away in Ubuntu: "Default configurations of FOSS Puppet Agent are not vulnerable." NOTE: gentoo released a fix: https://security.gentoo.org/glsa/201710-12 NOTE: rosetta stone for puppet version numbers: https://puppet.com/docs/puppet/4.10/about_agent.html CVE-2016-5713 (Versions of Puppet Agent prior to 1.6.0 included a version of the Pupp ...) - puppet 4.7.0-1 [jessie] - puppet (Vulnerable code introduced later) [wheezy] - puppet (Vulnerable code introduced later) NOTE: Puppet Agent 1.3.0 (puppet: 4.3.0) - 1.5.x affected NOTE: Resolved in Puppet Agent 1.6.0 (4.6.0) NOTE: https://puppet.com/security/cve/cve-2016-5713 CVE-2016-5712 RESERVED CVE-2016-5711 (NetApp Virtual Storage Console for VMware vSphere before 6.2.1 uses a ...) NOT-FOR-US: NetApp CVE-2016-5710 (NetApp Snap Creator Framework before 4.3P1 allows remote authenticated ...) NOT-FOR-US: NetApp Snap Creator Framework CVE-2016-5709 (SolarWinds Virtualization Manager 6.3.1 and earlier uses weak encrypti ...) NOT-FOR-US: SolarWinds CVE-2016-5708 RESERVED CVE-2016-5707 RESERVED CVE-2016-5706 (js/get_scripts.js.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x befo ...) {DSA-3627-1} - phpmyadmin 4:4.6.3-1 (low) [wheezy] - phpmyadmin (Vulnerable code not present) CVE-2016-5705 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4. ...) {DSA-3627-1} - phpmyadmin 4:4.6.3-1 [wheezy] - phpmyadmin (Vulnerable code not present) CVE-2016-5704 (Cross-site scripting (XSS) vulnerability in the table-structure page i ...) - phpmyadmin 4:4.6.3-1 [jessie] - phpmyadmin (Vulnerable code not present) [wheezy] - phpmyadmin (Vulnerable code not present) CVE-2016-5703 (SQL injection vulnerability in libraries/central_columns.lib.php in ph ...) - phpmyadmin 4:4.6.3-1 [jessie] - phpmyadmin (Vulnerable code not present) [wheezy] - phpmyadmin (Vulnerable code not present) CVE-2016-5702 (phpMyAdmin 4.6.x before 4.6.3, when the environment lacks a PHP_SELF v ...) - phpmyadmin 4:4.6.3-1 (low) [jessie] - phpmyadmin (Minor issue) [wheezy] - phpmyadmin (Minor issue) CVE-2016-5701 (setup/frames/index.inc.php in phpMyAdmin 4.0.10.x before 4.0.10.16, 4. ...) {DSA-3627-1} - phpmyadmin 4:4.6.3-1 [wheezy] - phpmyadmin (Minor issue) CVE-2016-5700 (Virtual servers in F5 BIG-IP systems 11.5.0, 11.5.1 before HF11, 11.5. ...) NOT-FOR-US: F5 BIG-IP CVE-2016-5698 RESERVED CVE-2016-5697 (Ruby-saml before 1.3.0 allows attackers to perform XML signature wrapp ...) - ruby-saml 1.3.0-1 (bug #828076) NOTE: https://github.com/onelogin/ruby-saml/commit/a571f52171e6bfd87db59822d1d9e8c38fb3b995 CVE-2016-5695 RESERVED CVE-2016-5694 RESERVED CVE-2016-5693 RESERVED CVE-2016-5692 RESERVED CVE-2016-5686 (Johnson & Johnson Animas OneTouch Ping devices mishandle acknowled ...) NOT-FOR-US: Animas OneTouch Ping CVE-2016-5685 (Dell iDRAC7 and iDRAC8 devices with firmware before 2.40.40.40 allow a ...) NOT-FOR-US: Dell CVE-2016-5684 (An exploitable out-of-bounds write vulnerability exists in the XMP ima ...) {DSA-3692-1 DLA-647-1} - freeimage 3.17.0+ds1-3 (bug #839827) NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0189/ NOTE: http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginXPM.cpp?r1=1.17&r2=1.18 NOTE: http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginXPM.cpp?r1=1.18&r2=1.19 CVE-2016-5683 (ReadyDesk 9.1 allows local users to determine cleartext SQL Server cre ...) NOT-FOR-US: ReadyDesk CVE-2016-5682 (Swagger-UI before 2.2.1 has XSS via the Default field in the Definitio ...) - node-swagger-ui (bug #871461) - swagger-ui (bug #895422) CVE-2016-5681 (Stack-based buffer overflow in dws/api/Login on D-Link DIR-850L B1 2.0 ...) NOT-FOR-US: D-Link CVE-2016-5680 (Stack-based buffer overflow in cgi-bin/cgi_main in NUUO NVRmini 2 1.7. ...) NOT-FOR-US: NUUO and NETGEAR NAS devices CVE-2016-5679 (cgi-bin/cgi_main in NUUO NVRmini 2 1.7.6 through 3.0.0 and NETGEAR Rea ...) NOT-FOR-US: NUUO and NETGEAR NAS devices CVE-2016-5678 (NUUO NVRmini 2 1.0.0 through 3.0.0 and NUUO NVRsolo 1.0.0 through 3.0. ...) NOT-FOR-US: NUUO and NETGEAR NAS devices CVE-2016-5677 (NUUO NVRmini 2 1.7.5 through 3.0.0, NUUO NVRsolo 1.0.0 through 3.0.0, ...) NOT-FOR-US: NUUO and NETGEAR NAS devices CVE-2016-5676 (cgi-bin/cgi_system in NUUO NVRmini 2 1.7.5 through 2.x, NUUO NVRsolo 1 ...) NOT-FOR-US: NUUO and NETGEAR NAS devices CVE-2016-5675 (handle_daylightsaving.php in NUUO NVRmini 2 1.7.5 through 3.0.0, NUUO ...) NOT-FOR-US: NUUO and NETGEAR NAS devices CVE-2016-5674 (__debugging_center_utils___.php in NUUO NVRmini 2 1.7.5 through 3.0.0, ...) NOT-FOR-US: NUUO and NETGEAR NAS devices CVE-2016-5673 (UltraVNC Repeater before 1300 does not restrict destination IP address ...) NOT-FOR-US: UltraVNC CVE-2016-5672 (Intel Crosswalk before 19.49.514.5, 20.x before 20.50.533.11, 21.x bef ...) - crosswalk (bug #775876) CVE-2016-5671 (Multiple cross-site request forgery (CSRF) vulnerabilities on Crestron ...) NOT-FOR-US: Creston CVE-2016-5670 (Crestron Electronics DM-TXRX-100-STR devices with firmware before 1.30 ...) NOT-FOR-US: Creston CVE-2016-5669 (Crestron Electronics DM-TXRX-100-STR devices with firmware before 1.30 ...) NOT-FOR-US: Creston CVE-2016-5668 (Crestron Electronics DM-TXRX-100-STR devices with firmware before 1.30 ...) NOT-FOR-US: Creston CVE-2016-5667 (Crestron Electronics DM-TXRX-100-STR devices with firmware before 1.30 ...) NOT-FOR-US: Creston CVE-2016-5666 (Crestron Electronics DM-TXRX-100-STR devices with firmware before 1.30 ...) NOT-FOR-US: Creston CVE-2016-5665 RESERVED CVE-2016-5664 (Directory traversal vulnerability on Accellion Kiteworks appliances be ...) NOT-FOR-US: Accellion Kiteworks CVE-2016-5663 (Multiple cross-site scripting (XSS) vulnerabilities in oauth_callback. ...) NOT-FOR-US: Accellion Kiteworks CVE-2016-5662 (Accellion Kiteworks appliances before kw2016.03.00 use setuid-root per ...) NOT-FOR-US: Accellion Kiteworks CVE-2016-5661 (Accela Civic Platform Citizen Access portal relies on the client to re ...) NOT-FOR-US: Accela CVE-2016-5660 (Cross-site scripting (XSS) vulnerability in AttachmentsList.aspx in Ac ...) NOT-FOR-US: Accela CVE-2016-5659 RESERVED CVE-2016-5658 RESERVED CVE-2016-5657 RESERVED NOT-FOR-US: Apache Archiva CVE-2016-5656 RESERVED CVE-2016-5655 (Misys FusionCapital Opics Plus does not verify X.509 certificates from ...) NOT-FOR-US: Misys CVE-2016-5654 (Misys FusionCapital Opics Plus allows remote authenticated users to ga ...) NOT-FOR-US: Misys CVE-2016-5653 (Multiple SQL injection vulnerabilities in Misys FusionCapital Opics Pl ...) NOT-FOR-US: Misys CVE-2016-5652 (An exploitable heap-based buffer overflow exists in the handling of TI ...) {DSA-3762-1 DLA-693-1} - tiff 4.0.6-3 (bug #842361) - tiff3 [wheezy] - tiff3 (Does not ship libtiff tools) NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0187/ NOTE: https://github.com/vadz/libtiff/commit/b5d6803f0898e931cf772d3d0755704ab8488e63 CVE-2016-5651 RESERVED CVE-2016-5650 (ZModo ZP-NE14-S and ZP-IBH-13W devices do not enforce a WPA2 configura ...) NOT-FOR-US: ZModo CVE-2016-5649 (A vulnerability is in the 'BSW_cxttongr.htm' page of the Netgear DGN22 ...) NOT-FOR-US: Netgear CVE-2016-5648 (Acer Portal app before 3.9.4.2000 for Android does not properly valida ...) NOT-FOR-US: Acer Portal Android application CVE-2016-5647 (The igdkmd64 module in the Intel Graphics Driver through 15.33.42.435, ...) NOT-FOR-US: Intel Windows drivers CVE-2016-5646 (An exploitable heap overflow vulnerability exists in the Compound Bina ...) NOT-FOR-US: Lexmark CVE-2016-5645 (Rockwell Automation MicroLogix 1400 PLC 1766-L32BWA, 1766-L32AWA, 1766 ...) NOT-FOR-US: Rockwell CVE-2016-5644 RESERVED CVE-2016-5643 RESERVED CVE-2016-5642 (Opmantek NMIS before 8.5.12G has XSS via SNMP. ...) NOT-FOR-US: Opmantek NMIS CVE-2016-5641 RESERVED CVE-2016-5640 (Directory traversal vulnerability in cgi-bin/rftest.cgi on Crestron Ai ...) NOT-FOR-US: Creston CVE-2016-5639 (Directory traversal vulnerability in cgi-bin/login.cgi on Crestron Air ...) NOT-FOR-US: Creston CVE-2016-5638 (There are few web pages associated with the genie app on the Netgear W ...) NOT-FOR-US: Netgear CVE-2016-5637 (The restore_tqb_pixels function in libbpg 0.9.5 through 0.9.7 mishandl ...) NOTE: https://www.kb.cert.org/vuls/id/123799 NOTE: No further information provided, but this is very likely a dupe of CVE-2016-8710 CVE-2016-1000003 (Mirror Manager version 0.7.2 and older is vulnerable to remote code ex ...) NOT-FOR-US: Fedora Mirror Manager CVE-2016-5727 (LogInOut.php in Simple Machines Forum (SMF) 2.1 allows remote attacker ...) NOT-FOR-US: Simple Machines Forum CVE-2016-5726 (Packages.php in Simple Machines Forum (SMF) 2.1 allows remote attacker ...) NOT-FOR-US: Simple Machines Forum CVE-2016-5691 (The DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 al ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #833044) NOTE: https://github.com/ImageMagick/ImageMagick/commit/5511ef530576ed18fd636baa3bb4eda3d667665d CVE-2016-5690 (The ReadDCMImage function in DCM reader in ImageMagick before 6.9.4-5 ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #833043) NOTE: https://github.com/ImageMagick/ImageMagick/commit/5511ef530576ed18fd636baa3bb4eda3d667665d CVE-2016-5689 (The DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 al ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #833042) NOTE: https://github.com/ImageMagick/ImageMagick/commit/5511ef530576ed18fd636baa3bb4eda3d667665d NOTE: Will be fixed in a 6.9.4-3 based version CVE-2016-5688 (The WPG parser in ImageMagick before 6.9.4-4 and 7.x before 7.0.1-5, w ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #833003) NOTE: https://github.com/ImageMagick/ImageMagick/commit/fc43974d34318c834fbf78570ca1a3764ed8c7d7 NOTE: https://github.com/ImageMagick/ImageMagick/commit/aecd0ada163a4d6c769cec178955d5f3e9316f2f CVE-2016-5687 (The VerticalFilter function in the DDS coder in ImageMagick before 6.9 ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832890) NOTE: https://blog.fuzzing-project.org/46-Various-invalid-memory-reads-in-ImageMagick-WPG,-DDS,-DCM.html NOTE: https://github.com/ImageMagick/ImageMagick/commit/0b7172f2ba2c9e664d4df148e7d6e14a50edb57a CVE-2016-5699 (CRLF injection vulnerability in the HTTPConnection.putheader function ...) {DLA-1663-1 DLA-522-1} - python3.5 (Fixed with initial upload to Debian) - python3.4 3.4.4~rc1-1 - python2.7 2.7.10~rc1-1 [jessie] - python2.7 2.7.9-2+deb8u1 NOTE: https://bugs.python.org/issue22928 NOTE: Fixed in 3.4 / 3.5: revision 94952: https://hg.python.org/cpython/rev/bf3e1c9b80e9 NOTE: Fixed in 2.7: revision 94951: https://hg.python.org/cpython/rev/1c45047c5102 CVE-2016-5635 (Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows re ...) - mysql-5.7 5.7.15-1 - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) CVE-2016-5634 (Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows re ...) - mysql-5.7 5.7.15-1 - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) CVE-2016-5633 (Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows re ...) - mysql-5.7 5.7.15-1 - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) CVE-2016-5632 (Unspecified vulnerability in Oracle MySQL 5.7.14 and earlier allows re ...) - mysql-5.7 5.7.15-1 - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) CVE-2016-5631 (Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows re ...) - mysql-5.7 5.7.15-1 - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) CVE-2016-5630 (Unspecified vulnerability in Oracle MySQL 5.6.31 and earlier and 5.7.1 ...) - mariadb-10.0 10.0.27-1 [jessie] - mariadb-10.0 10.0.27-0+deb8u1 - mysql-5.7 5.7.15-1 - mysql-5.6 5.6.34-1 (bug #841049) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) CVE-2016-5629 (Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 a ...) {DSA-3711-1} - mariadb-10.0 10.0.28-1 - mysql-5.7 5.7.15-1 - mysql-5.6 5.6.34-1 (bug #841049) - mysql-5.5 [jessie] - mysql-5.5 5.5.52-0+deb8u1 [wheezy] - mysql-5.5 5.5.52-0+deb7u1 NOTE: Fixed in MariaDB 5.5.52, MariaDB 10.1.18, MariaDB 10.0.28 CVE-2016-5628 (Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows re ...) - mysql-5.7 5.7.15-1 - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) CVE-2016-5627 (Unspecified vulnerability in Oracle MySQL 5.6.31 and earlier and 5.7.1 ...) - mysql-5.7 5.7.15-1 - mysql-5.6 5.6.34-1 (bug #841049) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) CVE-2016-5626 (Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 a ...) {DSA-3711-1} - mariadb-10.0 10.0.28-1 - mysql-5.7 5.7.15-1 - mysql-5.6 5.6.34-1 (bug #841049) - mysql-5.5 [jessie] - mysql-5.5 5.5.52-0+deb8u1 [wheezy] - mysql-5.5 5.5.52-0+deb7u1 NOTE: Fixed in MariaDB 5.5.52, MariaDB 10.1.18, MariaDB 10.0.28 CVE-2016-5625 (Unspecified vulnerability in Oracle MySQL 5.7.14 and earlier allows lo ...) - mysql-5.7 5.7.15-1 - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) CVE-2016-5624 (Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier allows re ...) {DSA-3711-1} - mariadb-10.0 10.0.28-1 - mysql-5.7 (Only affects MySQL 5.5) - mysql-5.6 (Only affects MySQL 5.5) - mysql-5.5 [jessie] - mysql-5.5 5.5.52-0+deb8u1 [wheezy] - mysql-5.5 5.5.52-0+deb7u1 NOTE: Fixed in MariaDB 5.5.52, MariaDB 10.1.18, MariaDB 10.0.28 CVE-2016-5623 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-5622 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking com ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-5621 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking com ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-5620 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking com ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-5619 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking com ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-5618 (Unspecified vulnerability in the Oracle Data Integrator component in O ...) NOT-FOR-US: Oracle CVE-2016-5617 REJECTED CVE-2016-5616 REJECTED CVE-2016-5615 (Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local user ...) NOT-FOR-US: Solaris CVE-2016-5614 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-5613 (Unspecified vulnerability in the Oracle VM VirtualBox component before ...) - virtualbox 5.1.8-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2016-5612 (Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 a ...) - mariadb-10.0 10.0.27-1 [jessie] - mariadb-10.0 10.0.27-0+deb8u1 - mysql-5.7 5.7.15-1 - mysql-5.6 5.6.34-1 (bug #841049) - mysql-5.5 [jessie] - mysql-5.5 5.5.52-0+deb8u1 [wheezy] - mysql-5.5 5.5.52-0+deb7u1 CVE-2016-5611 (Unspecified vulnerability in the Oracle VM VirtualBox component before ...) - virtualbox 5.1.8-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2016-5610 (Unspecified vulnerability in the Oracle VM VirtualBox component before ...) - virtualbox 5.1.8-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2016-5609 (Unspecified vulnerability in Oracle MySQL 5.6.31 and earlier and 5.7.1 ...) - mysql-5.7 5.7.15-1 - mysql-5.6 5.6.34-1 (bug #841049) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) CVE-2016-5608 (Unspecified vulnerability in the Oracle VM VirtualBox component before ...) - virtualbox 5.1.8-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2016-5607 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking com ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-5606 (Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local user ...) NOT-FOR-US: Solaris CVE-2016-5605 (Unspecified vulnerability in the Oracle VM VirtualBox component before ...) - virtualbox 5.1.4-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2016-5604 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle CVE-2016-5603 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking com ...) NOT-FOR-US: Oracle CVE-2016-5602 (Unspecified vulnerability in the Oracle Data Integrator component in O ...) NOT-FOR-US: Oracle CVE-2016-5601 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2016-5600 (Unspecified vulnerability in the PeopleSoft Enterprise SCM Services Pr ...) NOT-FOR-US: Oracle CVE-2016-5599 (Unspecified vulnerability in the Oracle Advanced Supply Chain Planning ...) NOT-FOR-US: Oracle CVE-2016-5598 (Unspecified vulnerability in the MySQL Connector component 2.1.3 and e ...) - mysql-connector-python 2.1.5-1 (bug #841677) [jessie] - mysql-connector-python (Vulnerable code not present) [wheezy] - mysql-connector-python (Only the Python 3 code is affected which is not shipped in binary package) NOTE: https://blog.qualys.com/laws-of-vulnerabilities/2016/10/18/oracle-october-2016-critical-patch-update CVE-2016-5597 (Unspecified vulnerability in Oracle Java SE 6u121, 7u111, 8u102; and J ...) {DSA-3707-1 DLA-704-1} - openjdk-8 8u111-b14-1 [experimental] - openjdk-7 7u111-2.6.7-2 - openjdk-7 NOTE: #841692 tracks openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2016-5596 (Unspecified vulnerability in the Oracle CRM Technical Foundation compo ...) NOT-FOR-US: Oracle CVE-2016-5595 (Unspecified vulnerability in the Oracle Customer Interaction History c ...) NOT-FOR-US: Oracle CVE-2016-5594 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking com ...) NOT-FOR-US: Oracle CVE-2016-5593 (Unspecified vulnerability in the Oracle Customer Interaction History c ...) NOT-FOR-US: Oracle CVE-2016-5592 (Unspecified vulnerability in the Oracle Customer Interaction History c ...) NOT-FOR-US: Oracle CVE-2016-5591 (Unspecified vulnerability in the Oracle Customer Interaction History c ...) NOT-FOR-US: Oracle CVE-2016-5590 (Vulnerability in the MySQL Enterprise Monitor component of Oracle MySQ ...) NOT-FOR-US: MySQL Enterprise Monitor CVE-2016-5589 (Unspecified vulnerability in the Oracle CRM Technical Foundation compo ...) NOT-FOR-US: Oracle CVE-2016-5588 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle CVE-2016-5587 (Unspecified vulnerability in the Oracle Customer Interaction History c ...) NOT-FOR-US: Oracle CVE-2016-5586 (Unspecified vulnerability in the Oracle Email Center component in Orac ...) NOT-FOR-US: Oracle CVE-2016-5585 (Unspecified vulnerability in the Oracle Interaction Center Intelligenc ...) NOT-FOR-US: Oracle CVE-2016-5584 (Unspecified vulnerability in Oracle MySQL 5.5.52 and earlier, 5.6.33 a ...) {DSA-3711-1 DSA-3706-1 DLA-708-1} - mariadb-10.0 10.0.28-1 - mysql-5.7 5.7.16-1 (bug #841163) - mysql-5.6 5.6.34-1 (bug #841049) - mysql-5.5 (bug #841050) NOTE: Fixed in MariaDB 5.5.53, MariaDB 10.0.28 CVE-2016-5583 (Unspecified vulnerability in the Oracle One-to-One Fulfillment compone ...) NOT-FOR-US: Oracle CVE-2016-5582 (Unspecified vulnerability in Oracle Java SE 6u121, 7u111, 8u102; and J ...) {DSA-3707-1 DLA-704-1} - openjdk-8 8u111-b14-1 [experimental] - openjdk-7 7u111-2.6.7-2 - openjdk-7 NOTE: #841692 tracks openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2016-5581 (Unspecified vulnerability in the Oracle iRecruitment component in Orac ...) NOT-FOR-US: Oracle CVE-2016-5580 (Unspecified vulnerability in the Secure Global Desktop component in Or ...) NOT-FOR-US: Secure Global Desktop CVE-2016-5579 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle CVE-2016-5578 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle CVE-2016-5577 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle CVE-2016-5576 (Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local user ...) NOT-FOR-US: Solaris CVE-2016-5575 (Unspecified vulnerability in the Oracle Common Applications Calendar c ...) NOT-FOR-US: Oracle CVE-2016-5574 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle CVE-2016-5573 (Unspecified vulnerability in Oracle Java SE 6u121, 7u111, 8u102; and J ...) {DSA-3707-1 DLA-704-1} - openjdk-8 8u111-b14-1 [experimental] - openjdk-7 7u111-2.6.7-2 - openjdk-7 NOTE: #841692 tracks openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2016-5572 (Unspecified vulnerability in the Kernel PDB component in Oracle Databa ...) NOT-FOR-US: Oracle CVE-2016-5571 (Unspecified vulnerability in the Oracle Applications DBA component in ...) NOT-FOR-US: Oracle CVE-2016-5570 (Unspecified vulnerability in the Oracle Applications DBA component in ...) NOT-FOR-US: Oracle CVE-2016-5569 (Unspecified vulnerability in the Oracle FLEXCUBE Enterprise Limits and ...) NOT-FOR-US: Oracle CVE-2016-5568 (Unspecified vulnerability in Oracle Java SE 6u121, 7u111, and 8u102 al ...) - openjdk-8 (Only affects Windows) - openjdk-7 (Only affects Windows) - openjdk-6 (Only affects Windows) CVE-2016-5567 (Unspecified vulnerability in the Oracle Applications DBA component in ...) NOT-FOR-US: Oracle CVE-2016-5566 (Unspecified vulnerability in Oracle Sun Solaris 11.3 allows remote att ...) NOT-FOR-US: Solaris CVE-2016-5565 (Unspecified vulnerability in the Oracle Hospitality OPERA 5 Property S ...) NOT-FOR-US: Oracle CVE-2016-5564 (Unspecified vulnerability in the Oracle Hospitality OPERA 5 Property S ...) NOT-FOR-US: Oracle CVE-2016-5563 (Unspecified vulnerability in the Oracle Hospitality OPERA 5 Property S ...) NOT-FOR-US: Oracle CVE-2016-5562 (Unspecified vulnerability in the Oracle iProcurement component in Orac ...) NOT-FOR-US: Oracle CVE-2016-5561 (Unspecified vulnerability in Oracle Sun Solaris 11.3 allows remote att ...) NOT-FOR-US: Solaris CVE-2016-5560 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...) NOT-FOR-US: Oracle Siebel CVE-2016-5559 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11.3 allows loc ...) NOT-FOR-US: Solaris CVE-2016-5558 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle CVE-2016-5557 (Unspecified vulnerability in the Oracle Advanced Pricing component in ...) NOT-FOR-US: Oracle CVE-2016-5556 (Unspecified vulnerability in Oracle Java SE 6u121, 7u111, and 8u102 al ...) - openjdk-6 (specific to Oracle Java) - openjdk-7 (specific to Oracle Java) - openjdk-8 (specific to Oracle Java) CVE-2016-5555 (Unspecified vulnerability in the OJVM component in Oracle Database Ser ...) NOT-FOR-US: Oracle CVE-2016-5554 (Unspecified vulnerability in Oracle Java SE 6u121, 7u111, 8u102; and J ...) {DSA-3707-1 DLA-704-1} - openjdk-8 8u111-b14-1 [experimental] - openjdk-7 7u111-2.6.7-2 - openjdk-7 NOTE: #841692 tracks openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2016-5553 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11.3 allows loc ...) NOT-FOR-US: Solaris CVE-2016-5552 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3782-1 DLA-821-1} - openjdk-8 8u121-b13-1 [experimental] - openjdk-7 7u121-2.6.8-2 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2016-5551 (Vulnerability in the Solaris Cluster component of Oracle Sun Systems P ...) NOT-FOR-US: Solaris CVE-2016-5550 REJECTED CVE-2016-5549 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) - openjdk-8 8u121-b13-1 - openjdk-7 (In the Debian package, the code is removed during build time) CVE-2016-5548 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3782-1 DLA-821-1} - openjdk-8 8u121-b13-1 [experimental] - openjdk-7 7u121-2.6.8-2 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2016-5547 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3782-1 DLA-821-1} - openjdk-8 8u121-b13-1 [experimental] - openjdk-7 7u121-2.6.8-2 - openjdk-7 CVE-2016-5546 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3782-1 DLA-821-1} - openjdk-8 8u121-b13-1 [experimental] - openjdk-7 7u121-2.6.8-2 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2016-5545 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.14-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2016-5544 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11.3 allows loc ...) NOT-FOR-US: Solaris CVE-2016-5543 (Unspecified vulnerability in the Oracle FLEXCUBE Enterprise Limits and ...) NOT-FOR-US: Oracle CVE-2016-5542 (Unspecified vulnerability in Oracle Java SE 6u121, 7u111, 8u102; and J ...) {DSA-3707-1 DLA-704-1} - openjdk-8 8u111-b14-1 [experimental] - openjdk-7 7u111-2.6.7-2 - openjdk-7 NOTE: #841692 tracks openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2016-5541 (Vulnerability in the MySQL Cluster component of Oracle MySQL (subcompo ...) NOT-FOR-US: MySQL Cluster CVE-2016-5540 (Unspecified vulnerability in the Oracle Retail Xstore Payment componen ...) NOT-FOR-US: Oracle CVE-2016-5539 (Unspecified vulnerability in the Oracle Retail Xstore Payment componen ...) NOT-FOR-US: Oracle CVE-2016-5538 (Unspecified vulnerability in the Oracle VM VirtualBox component before ...) - virtualbox 5.1.8-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2016-5537 (Unspecified vulnerability in the NetBeans component in Oracle Fusion M ...) [experimental] - netbeans 8.2+dfsg1-1 - netbeans 10.0-1 (bug #852029) [stretch] - netbeans (No details about affected code, backport of Netbeans 8.2 too intrusive) [wheezy] - netbeans (No details about affected code, backport of Netbeans 8.2 too intrusive) CVE-2016-5536 (Unspecified vulnerability in the Oracle Platform Security for Java com ...) NOT-FOR-US: Oracle CVE-2016-5535 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2016-5534 (Unspecified vulnerability in the Siebel Apps - Customer Order Manageme ...) NOT-FOR-US: Oracle Siebel CVE-2016-5533 (Unspecified vulnerability in the Primavera P6 Enterprise Project Portf ...) NOT-FOR-US: Oracle CVE-2016-5532 (Unspecified vulnerability in the Oracle Shipping Execution component i ...) NOT-FOR-US: Oracle CVE-2016-5531 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2016-5530 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft CVE-2016-5529 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft CVE-2016-5528 (Vulnerability in the Oracle GlassFish Server component of Oracle Fusio ...) - glassfish (Vulnerable code not included, see bug #853998) CVE-2016-5527 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-5526 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-5525 (Unspecified vulnerability in the Solaris Cluster component in Oracle S ...) NOT-FOR-US: Oracle CVE-2016-5524 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-5523 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-5522 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-5521 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-5520 REJECTED CVE-2016-5519 (Unspecified vulnerability in the Oracle GlassFish Server component in ...) - glassfish (Vulnerable code not included, see bug #853998) CVE-2016-5518 (Unspecified vulnerability in the Oracle Agile Engineering Data Managem ...) NOT-FOR-US: Oracle CVE-2016-5517 (Unspecified vulnerability in the Oracle Applications DBA component in ...) NOT-FOR-US: Oracle CVE-2016-5516 (Unspecified vulnerability in the Kernel PDB component in Oracle Databa ...) NOT-FOR-US: Oracle CVE-2016-5515 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-5514 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-5513 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-5512 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-5511 (Unspecified vulnerability in the Oracle WebCenter Sites component in O ...) NOT-FOR-US: Oracle CVE-2016-5510 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-5509 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-5508 (Unspecified vulnerability in the Solaris Cluster component in Oracle S ...) NOT-FOR-US: Solaris CVE-2016-5507 (Unspecified vulnerability in Oracle MySQL 5.6.32 and earlier and 5.7.1 ...) - mysql-5.7 5.7.15-1 - mysql-5.6 5.6.34-1 (bug #841049) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) CVE-2016-5506 (Unspecified vulnerability in the Oracle Identity Manager component in ...) NOT-FOR-US: Oracle CVE-2016-5505 (Unspecified vulnerability in the RDBMS Programmable Interface componen ...) NOT-FOR-US: Oracle CVE-2016-5504 (Unspecified vulnerability in the Oracle Agile Product Lifecycle Manage ...) NOT-FOR-US: Oracle CVE-2016-5503 (Unspecified vulnerability in the Sun ZFS Storage Appliance Kit (AK) co ...) NOT-FOR-US: Oracle CVE-2016-5502 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking com ...) NOT-FOR-US: Oracle CVE-2016-5501 (Unspecified vulnerability in the Oracle VM VirtualBox component before ...) - virtualbox 5.1.8-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2016-5500 (Unspecified vulnerability in the Oracle Discoverer component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-5499 (Unspecified vulnerability in the RDBMS Security component in Oracle Da ...) NOT-FOR-US: Oracle CVE-2016-5498 (Unspecified vulnerability in the RDBMS Security component in Oracle Da ...) NOT-FOR-US: Oracle CVE-2016-5497 (Unspecified vulnerability in the RDBMS Security component in Oracle Da ...) NOT-FOR-US: Oracle CVE-2016-5496 REJECTED CVE-2016-5495 (Unspecified vulnerability in the Oracle Discoverer component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-5494 REJECTED CVE-2016-5493 (Unspecified vulnerability in the Oracle FLEXCUBE Private Banking compo ...) NOT-FOR-US: Oracle CVE-2016-5492 (Unspecified vulnerability in the Sun ZFS Storage Appliance Kit (AK) co ...) NOT-FOR-US: Oracle CVE-2016-5491 (Unspecified vulnerability in the Oracle Commerce Service Center compon ...) NOT-FOR-US: Oracle CVE-2016-5490 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking com ...) NOT-FOR-US: Oracle CVE-2016-5489 (Unspecified vulnerability in the Oracle iStore component in Oracle E-B ...) NOT-FOR-US: Oracle CVE-2016-5488 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2016-5487 (Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local user ...) NOT-FOR-US: Solaris CVE-2016-5486 (Unspecified vulnerability in the Sun ZFS Storage Appliance Kit (AK) co ...) NOT-FOR-US: Oracle CVE-2016-5485 REJECTED CVE-2016-5484 REJECTED CVE-2016-5483 REJECTED CVE-2016-5482 (Unspecified vulnerability in the Oracle Commerce Guided Search compone ...) NOT-FOR-US: Oracle CVE-2016-5481 (Unspecified vulnerability in the Sun ZFS Storage Appliance Kit (AK) co ...) NOT-FOR-US: Oracle CVE-2016-5480 (Unspecified vulnerability in Oracle Sun Solaris 10 allows local users ...) NOT-FOR-US: Solaris CVE-2016-5479 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking com ...) NOT-FOR-US: Oracle CVE-2016-5478 REJECTED CVE-2016-5477 (Unspecified vulnerability in the Oracle GlassFish Server component in ...) - glassfish (Full application server not packaged) CVE-2016-5476 (Unspecified vulnerability in the Oracle Retail Integration Bus compone ...) NOT-FOR-US: Oracle CVE-2016-5475 (Unspecified vulnerability in the Oracle Retail Service Backbone compon ...) NOT-FOR-US: Oracle CVE-2016-5474 (Unspecified vulnerability in the Oracle Retail Service Backbone compon ...) NOT-FOR-US: Oracle CVE-2016-5473 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-5472 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle CVE-2016-5471 (Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local user ...) NOT-FOR-US: Solaris CVE-2016-5470 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle CVE-2016-5469 (Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local user ...) NOT-FOR-US: Oracle CVE-2016-5468 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...) NOT-FOR-US: Oracle Siebel CRM CVE-2016-5467 (Unspecified vulnerability in the PeopleSoft Enterprise FSCM component ...) NOT-FOR-US: Oracle CVE-2016-5466 (Unspecified vulnerability in the Siebel Core - Server Framework compon ...) NOT-FOR-US: Oracle Siebel CRM CVE-2016-5465 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle CVE-2016-5464 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...) NOT-FOR-US: Oracle Siebel CRM CVE-2016-5463 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...) NOT-FOR-US: Oracle Siebel CRM CVE-2016-5462 (Unspecified vulnerability in the Siebel Core - Server Framework compon ...) NOT-FOR-US: Oracle Siebel CRM CVE-2016-5461 (Unspecified vulnerability in the Siebel Core - Server Framework compon ...) NOT-FOR-US: Oracle Siebel CRM CVE-2016-5460 (Unspecified vulnerability in the Siebel Core - Server Framework compon ...) NOT-FOR-US: Oracle Siebel CRM CVE-2016-5459 (Unspecified vulnerability in the Siebel Core - Common Components compo ...) NOT-FOR-US: Oracle Siebel CRM CVE-2016-5458 (Unspecified vulnerability in the Oracle Communications EAGLE Applicati ...) NOT-FOR-US: Oracle CVE-2016-5457 (Unspecified vulnerability in the ILOM component in Oracle Sun Systems ...) NOT-FOR-US: Oracle CVE-2016-5456 (Unspecified vulnerability in the Siebel Core - Server Framework compon ...) NOT-FOR-US: Oracle Siebel CRM CVE-2016-5455 (Unspecified vulnerability in the Oracle Communications Messaging Serve ...) NOT-FOR-US: Oracle CVE-2016-5454 (Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local user ...) NOT-FOR-US: Oracle CVE-2016-5453 (Unspecified vulnerability in the ILOM component in Oracle Sun Systems ...) NOT-FOR-US: Oracle CVE-2016-5452 (Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local user ...) NOT-FOR-US: Oracle CVE-2016-5451 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...) NOT-FOR-US: Oracle Siebel CRM CVE-2016-5450 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...) NOT-FOR-US: Oracle Siebel CRM CVE-2016-5449 (Unspecified vulnerability in the ILOM component in Oracle Sun Systems ...) NOT-FOR-US: Oracle CVE-2016-5448 (Unspecified vulnerability in the ILOM component in Oracle Sun Systems ...) NOT-FOR-US: Oracle CVE-2016-5447 (Unspecified vulnerability in the ILOM component in Oracle Sun Systems ...) NOT-FOR-US: Oracle CVE-2016-5446 (Unspecified vulnerability in the ILOM component in Oracle Sun Systems ...) NOT-FOR-US: Oracle CVE-2016-5445 (Unspecified vulnerability in the ILOM component in Oracle Sun Systems ...) NOT-FOR-US: Oracle CVE-2016-5444 (Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 a ...) - mariadb-10.0 10.0.25-1 [jessie] - mariadb-10.0 10.0.25-0+deb8u1 - mysql-5.6 5.6.30-1 - mysql-5.5 [jessie] - mysql-5.5 5.5.49-0+deb8u1 [wheezy] - mysql-5.5 5.5.49-0+deb7u1 NOTE: http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL CVE-2016-5443 (Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows lo ...) - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL CVE-2016-5442 (Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows re ...) - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL CVE-2016-5441 (Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows re ...) - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL CVE-2016-5440 (Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 a ...) {DSA-3632-1 DSA-3624-1 DLA-567-1} - mariadb-10.0 10.0.26-1 - mysql-5.6 5.6.34-1 (bug #831844) - mysql-5.5 NOTE: http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL CVE-2016-5439 (Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier and 5.7.1 ...) - mysql-5.6 5.6.34-1 (bug #831844) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL CVE-2016-5438 REJECTED CVE-2016-5437 (Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows re ...) - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL CVE-2016-5436 (Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows re ...) - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL CVE-2016-5435 (Memory leak in Huawei IPS Module, NGFW Module, NIP6300, NIP6600, and S ...) NOT-FOR-US: Huawei CVE-2016-6211 (The User module in Drupal 7.x before 7.44 allows remote authenticated ...) {DSA-3604-1 DLA-550-1} - drupal7 7.44-1 NOTE: https://www.drupal.org/SA-CORE-2016-002 NOTE: http://www.openwall.com/lists/oss-security/2016/07/13/4 NOTE: https://gist.github.com/lamby/4697fea399f3f01ca6de3ce9ed79fce7 tarball diff NOTE: https://gist.github.com/lamby/dbeda4d49f48a32aa0dd4b3ed7f06a13 filtered diff CVE-2016-5636 (Integer overflow in the get_data function in zipimport.c in CPython (a ...) {DLA-1663-1 DLA-522-1} - python3.5 3.5.2~rc1-1 - python3.4 - python2.7 2.7.12~rc1-1 [jessie] - python2.7 2.7.9-2+deb8u1 NOTE: https://bugs.python.org/issue26171 NOTE: 2.7: https://hg.python.org/cpython/rev/985fc64c60d6 NOTE: 3.5: https://hg.python.org/cpython/rev/2df462852464 CVE-2016-5433 (Citrix iOS Receiver before 7.0 allows attackers to cause TLS certifica ...) NOT-FOR-US: Citrix CVE-2016-5434 (libalpm, as used in pacman 5.0.1, allows remote attackers to cause a d ...) NOT-FOR-US: libalpm (Arch Linux Package Management (ALPM) library) CVE-2016-5432 (The ovirt-engine-provisiondb utility in Red Hat Enterprise Virtualizat ...) NOT-FOR-US: ovirt-engine CVE-2016-5431 (The PHP JOSE Library by Gree Inc. before version 2.2.1 is vulnerable t ...) NOT-FOR-US: jose-php CVE-2016-5430 (The RSA 1.5 algorithm implementation in the JOSE_JWE class in JWE.php ...) NOT-FOR-US: jose-php CVE-2016-5429 (jose-php before 2.2.1 does not use constant-time operations for HMAC c ...) NOT-FOR-US: jose-php CVE-2016-5428 RESERVED CVE-2016-5427 (PowerDNS (aka pdns) Authoritative Server before 3.4.10 does not proper ...) {DSA-3664-1 DLA-627-1} - pdns 4.0.0~alpha1-1 NOTE: Only affects PowerDNS Authoritative Server up to and including 3.4.9, 4.x not affected NOTE: Added workaround to mark first 4.x version in unstable as fixed. NOTE: https://doc.powerdns.com/md/security/powerdns-advisory-2016-01/ NOTE: https://github.com/PowerDNS/pdns/commit/881b5b03a590198d03008e4200dd00cc537712f3 CVE-2016-5426 (PowerDNS (aka pdns) Authoritative Server before 3.4.10 allows remote a ...) {DSA-3664-1 DLA-627-1} - pdns 4.0.0~alpha1-1 NOTE: Only affects PowerDNS Authoritative Server up to and including 3.4.9, 4.x not affected NOTE: Added workaround to mark first 4.x version in unstable as fixed. NOTE: https://doc.powerdns.com/md/security/powerdns-advisory-2016-01/ NOTE: https://github.com/PowerDNS/pdns/commit/881b5b03a590198d03008e4200dd00cc537712f3 CVE-2016-5425 (The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentO ...) - tomcat8 (Red Hat and derivatives packaging specific) - tomcat7 (Red Hat and derivatives packaging specific) - tomcat6 (Red Hat and derivatives packaging specific) NOTE: http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html CVE-2016-5424 (PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9. ...) {DSA-3646-1 DLA-592-1} - postgresql-9.5 9.5.4-1 - postgresql-9.4 - postgresql-9.1 [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=fcd15f13581f6d75c63d213220d5a94889206c1b NOTE: https://www.postgresql.org/about/news/1688/ CVE-2016-5423 (PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9. ...) {DSA-3646-1 DLA-592-1} - postgresql-9.5 9.5.4-1 - postgresql-9.4 - postgresql-9.1 [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=f0c7b789ab12fbc8248b671c7882dd96ac932ef4 NOTE: https://www.postgresql.org/about/news/1688/ CVE-2016-5422 (The web console in Red Hat JBoss Operations Network (JON) before 3.3.7 ...) NOT-FOR-US: Red Hat JBoss Operations Network CVE-2016-5421 (Use-after-free vulnerability in libcurl before 7.50.1 allows attackers ...) {DSA-3638-1} - curl 7.50.1-1 [wheezy] - curl (introduced in 7.32.0) NOTE: https://curl.haxx.se/docs/adv_20160803C.html NOTE: Fixed by https://curl.haxx.se/CVE-2016-5421.patch CVE-2016-5420 (curl and libcurl before 7.50.1 do not check the client certificate whe ...) {DSA-3638-1 DLA-586-1} - curl 7.50.1-1 NOTE: https://curl.haxx.se/docs/adv_20160803B.html NOTE: Fixed by https://curl.haxx.se/CVE-2016-5420.patch NOTE: Wheezy: vulnerable code is in lib/sslgen.c CVE-2016-5419 (curl and libcurl before 7.50.1 do not prevent TLS session resumption w ...) {DSA-3638-1 DLA-586-1} - curl 7.50.1-1 NOTE: https://curl.haxx.se/docs/adv_20160803A.html NOTE: Fixed by https://curl.haxx.se/CVE-2016-5419.patch NOTE: Wheezy: vulnerable code is in lib/sslgen.c CVE-2016-5418 (The sandboxing code in libarchive 3.2.0 and earlier mishandles hardlin ...) {DSA-3677-1 DLA-657-1} - libarchive 3.2.1-4 (bug #837714) NOTE: Centos patch: https://git.centos.org/blob/rpms!libarchive.git/9952851f8b327a8c93d26a5873c190c1fb09ae6c/SOURCES!libarchive-3.1.2-CVE-2016-5418.patch;jsessionid=1dexz8h9qdewibih5aonbu3 NOTE: Centos additional patch: https://git.centos.org/blob/rpms!libarchive.git/9952851f8b327a8c93d26a5873c190c1fb09ae6c/SOURCES!libarchive-3.1.2-CVE-2016-5418-variation.patch;jsessionid=1dexz8h9qdewibih5aonbu3 NOTE: Fixed by (for #744): https://github.com/libarchive/libarchive/commit/1fa9c7bf90f0862036a99896b0501c381584451a NOTE: Fixed by (for #745 and #746): https://github.com/libarchive/libarchive/commit/dfd6b54ce33960e420fb206d8872fb759b577ad9 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1362601, relates to upstream bugs #744, #745 and #746 NOTE: https://github.com/libarchive/libarchive/issues/743 (umbrella report) NOTE: https://github.com/libarchive/libarchive/issues/744 NOTE: https://github.com/libarchive/libarchive/issues/745 NOTE: https://github.com/libarchive/libarchive/issues/746 NOTE: Testcase: https://github.com/libarchive/libarchive/commit/063ea3ea3fcb569a380b2ebe9c9ddd8bd6ce0d49 NOTE: Fix for testcase: https://github.com/libarchive/libarchive/commit/50952acd22df3326c49771f5e5ba48630899468c CVE-2016-5417 (Memory leak in the __res_vinit function in the IPv6 name server manage ...) - glibc 2.22-4 (bug #833302) [jessie] - glibc (Introduced in 2.22) - eglibc (Introduced in 2.22) NOTE: Introduced by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2212c1420c92a33b0e0bd9a34938c9814a56c0f7 (glibc-2.22) NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5e7fdabd7df1fc6c56d104e61390bf5a6b526c38 (glibc-2.24) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=19257 CVE-2016-5416 (389 Directory Server in Red Hat Enterprise Linux Desktop 6 through 7, ...) - 389-ds-base (bug #834233) [buster] - 389-ds-base (Minor issue) [stretch] - 389-ds-base (Minor issue) [jessie] - 389-ds-base (Minor issue) NOTE: https://fedorahosted.org/389/ticket/48852 NOTE: Potentially related: https://fedorahosted.org/389/ticket/48354 CVE-2016-5415 RESERVED CVE-2016-5414 (FreeIPA 4.4.0 allows remote attackers to request an arbitrary SAN name ...) - freeipa (Vulnerable code introduced in the 4.4.0 release) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1360757 NOTE: https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=25ed36fda14b30d6a50746a536939e3b428993cb CVE-2016-5413 RESERVED CVE-2016-5412 (arch/powerpc/kvm/book3s_hv_rmhandlers.S in the Linux kernel through 4. ...) - linux 4.7.2-1 [jessie] - linux 3.16.39-1 [wheezy] - linux (Transactional memory not supported) NOTE: https://marc.info/?l=kvm&m=146968629127349&w=2 NOTE: https://git.kernel.org/linus/93d17397e4e2182fdaad503e2f9da46202c0f1c3 (v4.8-rc1) CVE-2016-5411 (/var/lib/ovirt-engine/setup/engine-DC-config.py in Red Hat QuickStart ...) NOT-FOR-US: ovirt engine CVE-2016-5410 (firewalld.py in firewalld before 0.4.3.3 allows local users to bypass ...) - firewalld 0.4.3.3-1 (bug #834529) [jessie] - firewalld (Minor issue) NOTE: Introduced by: https://github.com/t-woerner/firewalld/commit/6b9867cd5c5e2c83adeec42666521a420e59ef11 CVE-2016-5409 (Red Hat OpenShift Enterprise 2 does not include the HTTPOnly flag in a ...) NOT-FOR-US: OpenShift Enterprise CVE-2016-5408 (Stack-based buffer overflow in the munge_other_line function in cachem ...) {DLA-556-1} - squid3 (Incomplete fix for CVE-2016-4051 not applied) NOTE: CVE is specific for the incomplete fix of CVE-2016-4051 as applied NOTE: by some vendors. CVE-2016-5407 (The (1) XvQueryAdaptors and (2) XvQueryEncodings functions in X.org li ...) {DLA-667-1} - libxv 2:1.0.11-1 (low; bug #840438) [jessie] - libxv 2:1.0.10-1+deb8u1 NOTE: https://cgit.freedesktop.org/xorg/lib/libXv/commit/?id=d9da580b46a28ab497de2e94fdc7b9ff953dab17 CVE-2016-5406 (The domain controller in Red Hat JBoss Enterprise Application Platform ...) NOT-FOR-US: JBoss EAP CVE-2016-5405 (389 Directory Server in Red Hat Enterprise Linux Desktop 6 through 7, ...) - 389-ds-base 1.3.5.15-1 (bug #842121) [jessie] - 389-ds-base (minor issue) NOTE: This affects systems storing passwords in plain text. NOTE: Systems using unsalted hashes might be unsafe as well if using weak NOTE: hash algorithms, however the attack would be very time-consuming. NOTE: the patch for this CVE causes CVE-2017-15135 CVE-2016-5404 (The cert_revoke command in FreeIPA does not check for the "revoke cert ...) - freeipa 4.3.2-5 (bug #835131) NOTE: https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=cf74584d0f772f3f5eccc1d30c001e4212a104fd (master) NOTE: https://fedorahosted.org/freeipa/ticket/6232 CVE-2016-5403 (The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local ...) {DLA-1927-1 DLA-574-1 DLA-573-1} - qemu 1:2.6+dfsg-3.1 (bug #832619) - qemu-kvm CVE-2016-5402 (A code injection flaw was found in the way capacity and utilization im ...) NOT-FOR-US: Red Hat CloudForms CVE-2016-5401 (Cross-site request forgery (CSRF) vulnerability in Red Hat JBoss BRMS ...) NOT-FOR-US: JBoss BPMS business-central CVE-2016-5400 (Memory leak in the airspy_probe function in drivers/media/usb/airspy/a ...) - linux 4.7.2-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/aa93d1fee85c890a34f2510a310e55ee76a27848 (4.7) CVE-2016-5399 (The bzread function in ext/bz2/bz2.c in PHP before 5.5.38, 5.6.x befor ...) {DSA-3631-1 DLA-628-1} - php7.0 7.0.9-1 - php5 5.6.24+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=72613 NOTE: Partial fixes in 7.0.9, 5.6.24, 5.5.38 NOTE: CVE is assigned for the issue in PHP in adequate error handling in the NOTE: bzread() function. Disputed by PHP upstream, which considers that the NOTE: underlying bzip2 library is at fault. CVE-2016-5398 (Cross-site scripting (XSS) vulnerability in Business Process Editor in ...) NOT-FOR-US: JBoss BPMS CVE-2016-5397 (The Apache Thrift Go client library exposed the potential during code ...) - thrift-compiler (unimportant; bug #894577) [experimental] - thrift 0.10.0-1 (unimportant) - thrift 0.11.0-3 (unimportant) NOTE: https://issues.apache.org/jira/browse/THRIFT-3893 NOTE: https://github.com/apache/thrift/commit/2007783e874d524a46b818598a45078448ecc53e NOTE: Fixed in 0.10.0 upstream, and in experimental src:thrift/0.10.0-1 is present NOTE: src:thrift only present in experimental NOTE: Go bindings only enabled in 0.9.3-2 (not yet in unstable) NOTE: Only ever affected src:thrift in experimental, and fixed in src:thrift/0.10.0-1 NOTE: so any future upload of thrift to unstable can mark this item as NOTE: (fixed before the initial upload to Debian unstable) CVE-2016-5396 (Apache Traffic Server 6.0.0 to 6.2.0 are affected by an HPACK Bomb Att ...) - trafficserver 7.0.0-1 [wheezy] - trafficserver (Vulnerable code not present) NOTE: https://issues.apache.org/jira/browse/TS-5019 CVE-2016-5395 (Cross-site scripting (XSS) vulnerability in the create user functional ...) NOT-FOR-US: Apache Ranger CVE-2016-5394 (In the XSS Protection API module before 1.0.12 in Apache Sling, the en ...) NOT-FOR-US: Apache Sling CVE-2016-5393 (In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote u ...) - hadoop (bug #793644) CVE-2016-5392 (The API server in Kubernetes, as used in Red Hat OpenShift Enterprise ...) NOT-FOR-US: OpenShift CVE-2016-5391 (libreswan before 3.18 allows remote attackers to cause a denial of ser ...) - libreswan (Fixed before the initial upload to Debian) NOTE: https://libreswan.org/security/CVE-2016-5391/CVE-2016-5391.txt CVE-2016-5390 (Foreman before 1.11.4 and 1.12.x before 1.12.1 allow remote authentica ...) - foreman (bug #663101) CVE-2016-5696 (net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly ...) {DSA-3659-1 DLA-609-1} - linux 4.7.2-1 NOTE: Introduced by: https://github.com/torvalds/linux/commit/282f23c6ee343126156dd41218b22ece96d747e3 NOTE: Fixed by: https://github.com/torvalds/linux/commit/75ff39ccc1bd5d3c455b6822ab09e533c551f758 CVE-2016-5389 REJECTED CVE-2016-5388 (Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI S ...) {DLA-1883-1} - tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.0.37-1 - tomcat7 7.0.72-1 [jessie] - tomcat7 7.0.56-3+really7.0.88-1 - tomcat6 6.0.41-3 NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs NOTE: The Tomcat CGI servlet sets HTTP_PROXY based on a Proxy: header. NOTE: This CVE was special since not assigned to a vulnerability but for a mitigation NOTE: thus marking as fixed for 8.0.37 and 7.0.71 (upstream) and with according NOTE: versions in Debian. NOTE: https://svn.apache.org/r1756941 (8.0.x) NOTE: https://svn.apache.org/r1756942 (7.0.x) CVE-2016-1000111 (Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1 ...) - twisted 16.4.0-1 (unimportant) [wheezy] - twisted (For wheezy affected file twcgi.py is in src:twisted-web) - twisted-web [wheezy] - twisted-web (Minor issue) NOTE: https://twistedmatrix.com/trac/ticket/8623 NOTE: https://github.com/twisted/twisted/commit/bcac75e6180c9eee4337322c109eb5d1cac51165 NOTE: No part of Twisted does set HTTP_PROXY based on a Proxy: header, upstream plans NOTE: to drop related CGI code in future release CVE-2016-1000108 (yaws before 2.0.4 does not attempt to address RFC 3875 section 4.1.18 ...) - yaws 2.0.3-2 (bug #832433) [jessie] - yaws 1.98-4+deb8u1 [wheezy] - yaws (Minor issue; can be fixed along with a future DSA) NOTE: https://github.com/klacke/yaws/commit/9d8fb070e782c95821c90d0ca7372fc6d7316c78#diff-54053c47eb173a90c26ed19bd9d106c1 CVE-2016-1000104 (A security Bypass vulnerability exists in the FcgidPassHeader Proxy in ...) NOTE: libapache2-mod-fcgid does not set HTTP_PROXY based on Proxy: header unless NOTE: explicitly configured so and mitigations for Apache in CVE-2016-5387 prevent NOTE: exploitation anyway CVE-2016-5387 (The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 ...) {DSA-3623-1 DLA-553-1} - apache2 2.4.23-2 NOTE: https://www.apache.org/security/asf-httpoxy-response.txt NOTE: https://httpoxy.org CVE-2016-5386 (The net/http package in Go through 1.6 does not attempt to address RFC ...) - golang (unimportant) NOTE: No part of Go does set HTTP_PROXY based on a Proxy: header, 1.6.3 and 1.7 NOTE: provide hardening to discard HTTP_PROXY CVE-2016-5385 (PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 ...) {DSA-3631-1 DLA-749-1} - php7.0 7.0.9-1 - php5 5.6.24+dfsg-1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=72573 NOTE: Fixed in 7.0.9, 5.6.24, 5.5.38 CVE-2016-5384 (fontconfig before 2.12.1 does not validate offsets, which allows local ...) {DSA-3644-1 DLA-587-1} - fontconfig 2.11.0-6.5 (bug #833570) NOTE: https://lists.freedesktop.org/archives/fontconfig/2016-August/005792.html NOTE: Fixed by: https://cgit.freedesktop.org/fontconfig/commit/?id=7a4a5bd7897d216f0794ca9dbce0a4a5c9d14940 (2.12.1) CVE-2016-5383 (The web UI in Red Hat CloudForms 4.1 allows remote authenticated users ...) NOT-FOR-US: Red Hat CloudForms CVE-2016-5382 RESERVED CVE-2016-5381 RESERVED CVE-2016-5380 RESERVED CVE-2016-5379 RESERVED CVE-2016-5378 RESERVED CVE-2016-5377 RESERVED CVE-2016-5376 RESERVED CVE-2016-5375 RESERVED CVE-2016-5374 (NetApp Data ONTAP 9.0 and 9.1 before 9.1P1 allows remote authenticated ...) NOT-FOR-US: NetApp CVE-2016-5373 RESERVED CVE-2016-5372 (Cross-site request forgery (CSRF) vulnerability in NetApp Snap Creator ...) NOT-FOR-US: NetApp CVE-2016-5371 RESERVED CVE-2016-5370 RESERVED CVE-2016-5369 RESERVED CVE-2016-5368 (Memory leak in Huawei AR3200 before V200R007C00SPC900 allows remote at ...) NOT-FOR-US: Huawei CVE-2016-5367 (Huawei Honor WS851 routers with software 1.1.21.1 and earlier allow re ...) NOT-FOR-US: Huawei CVE-2016-5366 (Huawei Honor WS851 routers with software 1.1.21.1 and earlier allow re ...) NOT-FOR-US: Huawei CVE-2016-5365 (Stack-based buffer overflow in Huawei Honor WS851 routers with softwar ...) NOT-FOR-US: Huawei CVE-2016-5364 (Cross-site scripting (XSS) vulnerability in manage_custom_field_edit_p ...) {DLA-512-1} - mantis NOTE: http://github.com/mantisbt/mantisbt/commit/5068df2d (1.2.x) NOTE: https://mantisbt.org/bugs/view.php?id=20956 CVE-2016-5363 (The IPTables firewall in OpenStack Neutron before 7.0.4 and 8.0.0 thro ...) - neutron 2:8.1.2-1 [jessie] - neutron (Minor issue) NOTE: https://bugs.launchpad.net/bugs/1558658 CVE-2016-5362 (The IPTables firewall in OpenStack Neutron before 7.0.4 and 8.0.0 thro ...) - neutron 2:8.1.2-1 [jessie] - neutron (Minor issue) NOTE: https://bugs.launchpad.net/bugs/1558658 CVE-2016-5349 (The high level operating systems (HLOS) was not providing sufficient m ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-5348 (The GPS component in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1 ...) NOT-FOR-US: Android CVE-2016-5347 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-5346 (An Information Disclosure vulnerability exists in the Google Pixel/Pix ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-5345 (Buffer overflow in the Qualcomm radio driver in Android before 2017-01 ...) NOT-FOR-US: Qualcomm radio driver for Android CVE-2016-5344 (Multiple integer overflows in the MDSS driver for the Linux kernel 3.x ...) - linux (Android-specific kernel patch) CVE-2016-5343 (drivers/soc/qcom/qdsp6v2/voice_svc.c in the QDSP6v2 Voice Service driv ...) - linux (Android-specific kernel patch) CVE-2016-5342 (Heap-based buffer overflow in the wcnss_wlan_write function in drivers ...) - linux (Android-specific kernel patch) CVE-2016-5341 (The GPS component in Android before 2016-12-05 allows man-in-the-middl ...) NOT-FOR-US: Android CVE-2016-5340 (The is_ashmem_file function in drivers/staging/android/ashmem.c in a c ...) - linux (Android-specific kernel patch, is_ashmem_file/put_ashmem_file not present in mainline kernel) CVE-2016-5339 RESERVED CVE-2014-9862 (Integer signedness error in bspatch.c in bspatch in bsdiff, as used in ...) {DLA-2010-1 DLA-697-1} - bsdiff 4.3-17 NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=372525 CVE-2016-5361 (programs/pluto/ikev1.c in libreswan before 3.17 retransmits in initial ...) - libreswan (Fixed before initial upload to Debian) NOTE: Possibly the CVE should be rejected: http://www.openwall.com/lists/oss-security/2016/06/13/1 NOTE: MITRE has not assigned the CVE to the protocol flaw, but specific to libreswan, but as NOTE: Huzaifa Sidhpurwala pointed out that is not a libreswan issue, rather NOTE: the protocol is flawed. CVE-2016-5360 (HAproxy 1.6.x before 1.6.6, when a deny comes from a reqdeny rule, all ...) - haproxy 1.6.5-2 (bug #826869) [jessie] - haproxy (Issue introduced in 1.6.0) NOTE: Fixed by: http://git.haproxy.org/?p=haproxy-1.6.git;a=commit;h=60f01f8c89e4fb2723d5a9f2046286e699567e0b CVE-2016-5338 (The (1) esp_reg_read and (2) esp_reg_write functions in hw/scsi/esp.c ...) {DLA-1599-1} - qemu 1:2.6+dfsg-2 (bug #827024) [wheezy] - qemu (Minor issue) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1343323 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-06/msg01507.html NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=ff589551c8e8e9e95e211b9d8daafb4ed39f1aec CVE-2016-5337 (The megasas_ctrl_get_info function in hw/scsi/megasas.c in QEMU allows ...) {DLA-1599-1} - qemu 1:2.6+dfsg-2 (bug #827026) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1343909 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-06/msg01969.html NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=844864fbae66935951529408831c2f22367a57b6 CVE-2016-5336 (VMware vRealize Automation 7.0.x before 7.1 allows remote attackers to ...) NOT-FOR-US: VMware CVE-2016-5335 (VMware Identity Manager 2.x before 2.7 and vRealize Automation 7.0.x b ...) NOT-FOR-US: VMware CVE-2016-5334 (VMware Identity Manager 2.x before 2.7.1 and vRealize Automation 7.x b ...) NOT-FOR-US: VMware CVE-2016-5333 (VMware Photos OS OVA 1.0 before 2016-08-14 has a default SSH public ke ...) NOT-FOR-US: VMware CVE-2016-5332 (Directory traversal vulnerability in VMware vRealize Log Insight 2.x a ...) NOT-FOR-US: vRealize Log Insight CVE-2016-5331 (CRLF injection vulnerability in VMware vCenter Server 6.0 before U2 an ...) NOT-FOR-US: VMware CVE-2016-5330 (Untrusted search path vulnerability in the HGFS (aka Shared Folders) f ...) NOT-FOR-US: VMware CVE-2016-5329 (VMware Fusion 8.x before 8.5 on OS X, when System Integrity Protection ...) NOT-FOR-US: VMware CVE-2016-5328 (VMware Tools 9.x and 10.x before 10.1.0 on OS X, when System Integrity ...) NOT-FOR-US: VMware CVE-2016-5327 RESERVED CVE-2016-5326 RESERVED CVE-2016-5325 (CRLF injection vulnerability in the ServerResponse#writeHead function ...) - nodejs 4.6.0~dfsg-1 (bug #839714; unimportant) NOTE: libv8 is not covered by security support NOTE: https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/ CVE-2016-5359 (epan/dissectors/packet-wbxml.c in the WBXML dissector in Wireshark 1.1 ...) {DSA-3615-1 DLA-538-1} - wireshark 2.0 NOTE: Only affects 1.12, marking 2.0 as fixed NOTE: https://www.wireshark.org/security/wnpa-sec-2016-38.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12408 NOTE: https://github.com/wireshark/wireshark/commit/b8e0d416898bb975a02c1b55883342edc5b4c9c0 CVE-2016-5358 (epan/dissectors/packet-pktap.c in the Ethernet dissector in Wireshark ...) - wireshark 2.0.4+gdd7746e-1 [jessie] - wireshark (Only affects 2.0) [wheezy] - wireshark (Only affects 2.0) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-37.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12440 NOTE: https://github.com/wireshark/wireshark/commit/2c13e97d656c1c0ac4d76eb9d307664aae0e0cf7 CVE-2016-5357 (wiretap/netscreen.c in the NetScreen file parser in Wireshark 1.12.x b ...) {DSA-3615-1 DLA-538-1} - wireshark 2.0.4+gdd7746e-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2016-36.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12396 NOTE: https://github.com/wireshark/wireshark/commit/11edc83b98a61e890d7bb01855389d40e984ea82 NOTE: https://github.com/wireshark/wireshark/commit/6a140eca7b78b230f1f90a739a32257476513c78 CVE-2016-5356 (wiretap/cosine.c in the CoSine file parser in Wireshark 1.12.x before ...) {DSA-3615-1 DLA-538-1} - wireshark 2.0.4+gdd7746e-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2016-35.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12395 NOTE: https://github.com/wireshark/wireshark/commit/a66628e425db725df1ac52a3c573a03357060ddd NOTE: https://github.com/wireshark/wireshark/commit/f5ec0afb766f19519ea9623152cca3bbe2229500 CVE-2016-5355 (wiretap/toshiba.c in the Toshiba file parser in Wireshark 1.12.x befor ...) {DSA-3615-1 DLA-538-1} - wireshark 2.0.4+gdd7746e-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2016-34.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12394 NOTE: https://github.com/wireshark/wireshark/commit/3270dfac43da861c714df76513456b46765ff47f NOTE: https://github.com/wireshark/wireshark/commit/5efb45231671baa2db2011d8f67f9d6e72bc455b CVE-2016-5354 (The USB subsystem in Wireshark 1.12.x before 1.12.12 and 2.x before 2. ...) {DSA-3615-1 DLA-538-1} - wireshark 2.0.4+gdd7746e-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2016-33.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12356 NOTE: https://github.com/wireshark/wireshark/commit/2cb5985bf47bdc8bea78d28483ed224abdd33dc6 CVE-2016-5353 (epan/dissectors/packet-umts_fp.c in the UMTS FP dissector in Wireshark ...) {DSA-3615-1 DLA-538-1} - wireshark 2.0.4+gdd7746e-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2016-32.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12191 NOTE: https://github.com/wireshark/wireshark/commit/7d7190695ce2ff269fdffb04e87139995cde21f4 CVE-2016-5352 (epan/crypt/airpdcap.c in the IEEE 802.11 dissector in Wireshark 2.x be ...) - wireshark 2.0.4+gdd7746e-1 [jessie] - wireshark (Only affects 2.0) [wheezy] - wireshark (Only affects 2.0) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-31.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12175 NOTE: https://github.com/wireshark/wireshark/commit/b6d838eebf4456192360654092e5587c5207f185 CVE-2016-5351 (epan/crypt/airpdcap.c in the IEEE 802.11 dissector in Wireshark 1.12.x ...) {DSA-3615-1 DLA-538-1} - wireshark 2.0.4+gdd7746e-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2016-30.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11585 NOTE: https://github.com/wireshark/wireshark/commit/9b0b20b8d5f8c9f7839d58ff6c5900f7e19283b4 CVE-2016-5350 (epan/dissectors/packet-dcerpc-spoolss.c in the SPOOLS component in Wir ...) {DSA-3615-1 DLA-538-1} - wireshark 2.0.4+gdd7746e-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2016-29.html NOTE: https://github.com/wireshark/wireshark/commit/b4d16b4495b732888e12baf5b8a7e9bf2665e22b CVE-2016-5324 RESERVED CVE-2016-5323 (The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote a ...) {DSA-3762-1 DLA-610-1 DLA-606-1} - tiff 4.0.6-2 (unimportant) - tiff3 (unimportant) NOTE: Upstream fix http://bugzilla.maptools.org/show_bug.cgi?id=2559#c3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2559 NOTE: Reproducer http://bugzilla.maptools.org/attachment.cgi?id=659 NOTE: No security impact, just a crash in a CLI tool CVE-2016-5322 (The setByteArray function in tif_dir.c in libtiff 4.0.6 and earlier al ...) {DSA-3762-1 DLA-610-1 DLA-606-1} - tiff 4.0.7-1 - tiff3 (unimportant) NOTE: src:tiff3: built binary packages do not contain the TIFF tools NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2560 NOTE: Reproducer http://bugzilla.maptools.org/attachment.cgi?id=658 CVE-2016-5321 (The DumpModeDecode function in libtiff 4.0.6 and earlier allows attack ...) {DSA-3762-1 DLA-610-1 DLA-606-1} - tiff 4.0.6-2 - tiff3 NOTE: Upstream fix http://bugzilla.maptools.org/show_bug.cgi?id=2558#c2 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2558 NOTE: Reproducer http://bugzilla.maptools.org/attachment.cgi?id=657 CVE-2016-5320 REJECTED CVE-2016-5317 (Buffer overflow in the PixarLogDecode function in libtiff.so in the Pi ...) {DSA-3762-1 DLA-610-1 DLA-606-1} - tiff 4.0.6-2 (bug #830700) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2557 NOTE: Reproducer http://bugzilla.maptools.org/attachment.cgi?id=653 NOTE: Upstream marked this duplicate of bug http://bugzilla.maptools.org/show_bug.cgi?id=2554 CVE-2016-5316 (Out-of-bounds read in the PixarLogCleanup function in tif_pixarlog.c i ...) {DSA-3762-1 DLA-610-1 DLA-606-1} - tiff 4.0.6-2 (bug #830700) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2556 NOTE: Reproducer http://bugzilla.maptools.org/attachment.cgi?id=656 NOTE: Upstream marked this duplicate of bug http://bugzilla.maptools.org/show_bug.cgi?id=2554 CVE-2016-5315 (The setByteArray function in tif_dir.c in libtiff 4.0.6 and earlier al ...) {DSA-3762-1 DLA-610-1 DLA-606-1} - tiff 4.0.6-2 (bug #830700) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2555 NOTE: Reproducer http://bugzilla.maptools.org/attachment.cgi?id=655 NOTE: Possible duplicate with PixarLogDecode() issue NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2555#c2 NOTE: Upstream marked this duplicate of http://bugzilla.maptools.org/show_bug.cgi?id=2554 CVE-2016-5314 (Buffer overflow in the PixarLogDecode function in tif_pixarlog.c in Li ...) {DSA-3762-1 DLA-610-1 DLA-606-1} - tiff 4.0.6-2 (bug #830700) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2554 NOTE: Reproducer http://bugzilla.maptools.org/attachment.cgi?id=654 NOTE: Upstream fix https://github.com/vadz/libtiff/commit/391e77fcd217e78b2c51342ac3ddb7100ecacdd2 CVE-2016-5313 (Symantec Web Gateway (SWG) before 5.2.5 allows remote authenticated us ...) NOT-FOR-US: Symantec CVE-2016-5312 (Directory traversal vulnerability in the charting component in Symante ...) NOT-FOR-US: Symantec CVE-2016-5311 (A Privilege Escalation vulnerability exists in Symantec Norton Antivir ...) NOT-FOR-US: Symantec CVE-2016-5310 (The RAR file parser component in the AntiVirus Decomposer engine in Sy ...) NOT-FOR-US: Symantec CVE-2016-5309 (The RAR file parser component in the AntiVirus Decomposer engine in Sy ...) NOT-FOR-US: Symantec CVE-2016-5308 (The Client Intrusion Detection System (CIDS) driver before 15.0.6 in S ...) NOT-FOR-US: Norton CVE-2016-5307 (Directory traversal vulnerability in Symantec Endpoint Protection Mana ...) NOT-FOR-US: Symantec CVE-2016-5306 (Symantec Endpoint Protection Manager (SEPM) 12.1 before RU6 MP5 does n ...) NOT-FOR-US: Symantec CVE-2016-5305 (Multiple cross-site scripting (XSS) vulnerabilities in management scri ...) NOT-FOR-US: Symantec CVE-2016-5304 (Open redirect vulnerability in a report-routing component in Symantec ...) NOT-FOR-US: Symantec CVE-2016-5303 (Cross-site scripting (XSS) vulnerability in the Horde Text Filter API ...) - php-horde-text-filter 2.3.5-1 (bug #837150) [jessie] - php-horde-text-filter (Minor issue) CVE-2016-5302 (Citrix XenServer 7.0 before Hotfix XS70E003, when a deployment has bee ...) NOT-FOR-US: Citrix CVE-2015-8935 (The sapi_header_op function in main/SAPI.c in PHP before 5.4.38, 5.5.x ...) - php5 5.6.6+dfsg-1 [wheezy] - php5 5.4.38-0+deb7u1 NOTE: https://bugs.php.net/bug.php?id=68978 NOTE: https://github.com/php/php-src/commit/996faf964bba1aec06b153b370a7f20d3dd2bb8b NOTE: Fixed in 5.6.6, 5.5.22 and 5.4.38 CVE-2015-8934 (The copy_from_lzss_window function in archive_read_support_format_rar. ...) {DSA-3657-1 DLA-554-1} - libarchive 3.2.1-1 NOTE: https://github.com/libarchive/libarchive/issues/521 NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/603454ec03040c29bd051fcc749e3c1433c11a8e (v3.2.1) CVE-2015-8933 (Integer overflow in the archive_read_format_tar_skip function in archi ...) {DSA-3657-1 DLA-554-1} - libarchive 3.2.0-2 NOTE: https://github.com/libarchive/libarchive/issues/548 NOTE: https://github.com/libarchive/libarchive/issues/582 NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/3c7a6dc6694d9b26400d2bd672e04d09ed8a4276 (v3.1.900a) CVE-2015-8932 (The compress_bidder_init function in archive_read_support_filter_compr ...) {DSA-3657-1 DLA-554-1} - libarchive 3.2.0-2 NOTE: https://github.com/libarchive/libarchive/issues/547 NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/f0b1dbbc325a2d922015eee402b72edd422cb9ea (v3.1.900a) NOTE: and part of https://github.com/libarchive/libarchive/commit/55ce98e829eda3a4356c2be64a778d8740c2cf6c (v3.1.900a) NOTE: and https://github.com/libarchive/libarchive/commit/618618c8a6be453f79e0bdbdeab6e1dd8bf429b3 (v3.1.900a) NOTE: Part of the problematic code was introduced with commit bf4f6ec64ef3edefbc41172692868fb8df514805 NOTE: to fix https://github.com/libarchive/libarchive/issues/356 CVE-2015-8931 (Multiple integer overflows in the (1) get_time_t_max and (2) get_time_ ...) {DSA-3657-1 DLA-554-1} - libarchive 3.2.0-2 NOTE: https://github.com/libarchive/libarchive/issues/539 NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/b31744df71084a8734f97199e42418f55d08c6c5 (v3.1.900a) NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/c0c52e9aaafb0860c4151c5374372051e9354301 (v3.1.900a) CVE-2015-8930 (bsdtar in libarchive before 3.2.0 allows remote attackers to cause a d ...) {DSA-3657-1 DLA-554-1} - libarchive 3.2.0-2 NOTE: https://github.com/libarchive/libarchive/issues/522 NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/39fc59391b7cf2a007bffce280c1e3e66674258f (v3.1.900a) NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/01cfbca4fdae1492a8a09c001b61bbca46f869f2 (v3.1.900a) CVE-2015-8929 (Memory leak in the __archive_read_get_extract function in archive_read ...) - libarchive 3.2.0-2 [jessie] - libarchive (Introduced in 3.2.0) [wheezy] - libarchive (Introduced in 3.2.0) NOTE: https://github.com/libarchive/libarchive/issues/517 NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/d24e79e8f9547ae475a3a0c9516e079a14010838 CVE-2015-8928 (The process_add_entry function in archive_read_support_format_mtree.c ...) {DSA-3657-1} - libarchive 3.2.0-2 [wheezy] - libarchive (vulnerable code not present) NOTE: https://github.com/libarchive/libarchive/issues/550 NOTE: Fixed by https://github.com/libarchive/libarchive/commit/64d5628 CVE-2015-8927 (The trad_enc_decrypt_update function in archive_read_support_format_zi ...) - libarchive 3.2.0-2 [jessie] - libarchive (vulnerable code not present) [wheezy] - libarchive (vulnerable code not present) NOTE: https://github.com/libarchive/libarchive/issues/523 NOTE: Fixed by https://github.com/libarchive/libarchive/commit/eff35d4 CVE-2015-8926 (The archive_read_format_rar_read_data function in archive_read_support ...) {DSA-3657-1 DLA-554-1} - libarchive 3.2.0-2 NOTE: https://github.com/libarchive/libarchive/issues/518 NOTE: Fixed by https://github.com/libarchive/libarchive/commit/aab73938 CVE-2015-8925 (The readline function in archive_read_support_format_mtree.c in libarc ...) {DSA-3657-1 DLA-554-1} - libarchive 3.2.0-2 NOTE: https://github.com/libarchive/libarchive/issues/516 NOTE: Fixed by https://github.com/libarchive/libarchive/commit/1e18cbb71 CVE-2015-8924 (The archive_read_format_tar_read_header function in archive_read_suppo ...) {DSA-3657-1 DLA-554-1} - libarchive 3.2.0-2 NOTE: https://github.com/libarchive/libarchive/issues/515 NOTE: Fixed by https://github.com/libarchive/libarchive/commit/bb9b157 CVE-2015-8923 (The process_extra function in libarchive before 3.2.0 uses the size fi ...) {DSA-3657-1 DLA-554-1} - libarchive 3.2.0-2 NOTE: https://github.com/libarchive/libarchive/issues/514 NOTE: Fixed by https://github.com/libarchive/libarchive/commit/9e0689c CVE-2015-8922 (The read_CodersInfo function in archive_read_support_format_7zip.c in ...) {DSA-3657-1 DLA-554-1} - libarchive 3.2.0-2 NOTE: https://github.com/libarchive/libarchive/issues/513 NOTE: Fixed by https://github.com/libarchive/libarchive/commit/d094dc CVE-2015-8921 (The ae_strtofflags function in archive_entry.c in libarchive before 3. ...) {DSA-3657-1 DLA-554-1} - libarchive 3.2.0-2 NOTE: https://github.com/libarchive/libarchive/issues/512 NOTE: Fixed by https://github.com/libarchive/libarchive/commit/1cbc76f NOTE: Fixed by https://github.com/libarchive/libarchive/commit/05a875fdb876e7a2f56a2937f756927cbed919e0 CVE-2015-8920 (The _ar_read_header function in archive_read_support_format_ar.c in li ...) {DSA-3657-1 DLA-554-1} - libarchive 3.2.0-2 NOTE: https://github.com/libarchive/libarchive/issues/511 NOTE: Fixed by https://github.com/libarchive/libarchive/commit/97f964e CVE-2015-8919 (The lha_read_file_extended_header function in archive_read_support_for ...) {DSA-3657-1 DLA-554-1} - libarchive 3.2.0-2 NOTE: https://github.com/libarchive/libarchive/issues/510 NOTE: Fixed by https://github.com/libarchive/libarchive/commit/e8a2e4d CVE-2015-8918 (The archive_string_append function in archive_string.c in libarchive b ...) - libarchive (Vulnerable code not in a released version) NOTE: Introduced in https://github.com/libarchive/libarchive/commit/cf8e67ffc8a2227b63fc6d3d1569b0214f160f54 NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/b6ba56037f0da44efebfa271cc4b1a736a74c62f NOTE: https://github.com/libarchive/libarchive/issues/506 CVE-2015-8917 (bsdtar in libarchive before 3.2.0 allows remote attackers to cause a d ...) {DSA-3657-1 DLA-554-1} - libarchive 3.2.0-2 NOTE: https://github.com/libarchive/libarchive/issues/505 NOTE: Fixed by https://github.com/libarchive/libarchive/commit/b2e2abb CVE-2015-8916 (bsdtar in libarchive before 3.2.0 returns a success code without filli ...) {DSA-3657-1} - libarchive 3.2.0-2 [wheezy] - libarchive (no segfault, not reproducible with reproducer) NOTE: https://github.com/libarchive/libarchive/issues/504 NOTE: Fixed by https://github.com/libarchive/libarchive/commit/b2e2abb CVE-2015-8915 (bsdcpio in libarchive before 3.2.0 allows remote attackers to cause a ...) {DLA-1600-1 DLA-617-1} - libarchive 3.2.0-2 (low; bug #784213) [squeeze] - libarchive (Minor issue) NOTE: https://github.com/libarchive/libarchive/issues/503 NOTE: https://github.com/libarchive/libarchive/issues/502 NOTE: 502 is a duplicate of https://github.com/libarchive/libarchive/issues/503 NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/e6c9668f3202215ddb71617b41c19b6f05acf008 NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/3865cf2bcb0eebc1baef28a7841b1cadae6e0f7c CVE-2015-8914 (The IPTables firewall in OpenStack Neutron before 7.0.4 and 8.0.0 thro ...) - neutron 2:8.1.2-1 [jessie] - neutron (Minor issue) NOTE: https://bugs.launchpad.net/bugs/1502933 CVE-2015-8913 REJECTED CVE-2015-8912 REJECTED CVE-2015-8911 REJECTED CVE-2015-8910 REJECTED CVE-2015-8909 REJECTED CVE-2015-8908 REJECTED CVE-2015-8907 REJECTED CVE-2015-8906 REJECTED CVE-2015-8905 REJECTED CVE-2015-8904 REJECTED CVE-2015-1000013 (Remote file upload vulnerability in wordpress plugin csv2wpec-coupon v ...) NOT-FOR-US: WordPress plugin csv2wpec-coupon CVE-2015-1000012 (Local File Inclusion Vulnerability in mypixs v0.3 wordpress plugin ...) NOT-FOR-US: WordPress plugin mypixs CVE-2015-1000011 (Blind SQL Injection in wordpress plugin dukapress v2.5.9 ...) NOT-FOR-US: WordPress plugin dukapress CVE-2015-1000010 (Remote file download in simple-image-manipulator v1.0 wordpress plugin ...) NOT-FOR-US: WordPress plugin simple-image-manipulator CVE-2015-1000009 (Open proxy in Wordpress plugin google-adsense-and-hotel-booking v1.05 ...) NOT-FOR-US: WordPress plugin google-adsense-and-hotel-booking CVE-2015-1000008 (Path Disclosure Vulnerability in wordpress plugin MP3-jPlayer v2.3.2 ...) NOT-FOR-US: WordPress plugin MP3-jPlayer CVE-2015-1000007 (Remote file download vulnerability in wptf-image-gallery v1.03 ...) NOT-FOR-US: WordPress plugin wptf-image-gallery CVE-2015-1000006 (Remote file download vulnerability in recent-backups v0.7 wordpress pl ...) NOT-FOR-US: WordPress plugin recent-backups CVE-2015-1000005 (Remote file download vulnerability in candidate-application-form v1.0 ...) NOT-FOR-US: WordPress plugin candidate-application-form CVE-2015-1000004 (XSS in filedownload v1.4 wordpress plugin ...) NOT-FOR-US: WordPress plugin filedownload CVE-2015-1000003 (Blind SQL Injection in filedownload v1.4 wordpress plugin ...) NOT-FOR-US: WordPress plugin filedownload CVE-2015-1000002 (Open Proxy in filedownload v1.4 wordpress plugin ...) NOT-FOR-US: WordPress plugin filedownload CVE-2015-1000001 (Remote file upload vulnerability in fast-image-adder v1.1 Wordpress pl ...) NOT-FOR-US: WordPress plugin fast-image-adder CVE-2015-1000000 (Remote file upload vulnerability in mailcwp v1.99 wordpress plugin ...) NOT-FOR-US: WordPress plugin mailcwp CVE-2016-5299 (A previously installed malicious Android application with same signatu ...) - firefox (Only affects Firefox on Android) CVE-2016-5298 (A mechanism where disruption of the loading of a new web page can caus ...) - firefox (Only affects Firefox on Android) CVE-2016-5297 (An error in argument length checking in JavaScript, leading to potenti ...) {DSA-3730-1 DSA-3716-1 DLA-752-1 DLA-730-1} - firefox 50.0-1 - firefox-esr 45.5.0esr-1 - icedove 1:45.5.0-1 CVE-2016-5296 (A heap-buffer-overflow in Cairo when processing SVG content caused by ...) {DSA-3730-1 DSA-3716-1 DLA-752-1 DLA-730-1} - firefox 50.0-1 - firefox-esr 45.5.0esr-1 - icedove 1:45.5.0-1 CVE-2016-5295 (This vulnerability allows an attacker to use the Mozilla Maintenance S ...) - firefox (Only affects Firefox on Windows) CVE-2016-5294 (The Mozilla Updater can be made to choose an arbitrary target working ...) - firefox (Only affects Firefox on Windows) - firefox-esr (Only affects Firefox on Windows) - icedove (Only affects Thunderbird on Windows) CVE-2016-5293 (When the Mozilla Updater is run, if the Updater's log file in the work ...) - firefox (Only affects Firefox on Windows) - firefox-esr (Only affects Firefox on Windows) CVE-2016-5292 (During URL parsing, a maliciously crafted URL can cause a potentially ...) - firefox 50.0-1 - firefox-esr (Does not affect Firefox 45 ESR release) CVE-2016-5291 (A same-origin policy bypass with local shortcut files to load arbitrar ...) {DSA-3730-1 DSA-3716-1 DLA-752-1 DLA-730-1} - firefox 50.0-1 - firefox-esr 45.5.0esr-1 - icedove 1:45.5.0-1 CVE-2016-5290 (Memory safety bugs were reported in Firefox 49 and Firefox ESR 45.4. S ...) {DSA-3730-1 DSA-3716-1 DLA-752-1 DLA-730-1} - firefox 50.0-1 - firefox-esr 45.5.0esr-1 - icedove 1:45.5.0-1 CVE-2016-5289 (Memory safety bugs were reported in Firefox 49. Some of these bugs sho ...) - firefox 50.0-1 - firefox-esr (Does not affect Firefox 45 ESR release) CVE-2016-5288 (Web content could access information in the HTTP cache if e10s is disa ...) - firefox 50.0-1 - firefox-esr (Does not affect Firefox releases < 48) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1310183 (not yet public) CVE-2016-5287 (A potentially exploitable use-after-free crash during actor destructio ...) - firefox 50.0-1 - firefox-esr (Does not affect Firefox releases < 49) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1309823 CVE-2016-5286 RESERVED CVE-2016-5285 (A Null pointer dereference vulnerability exists in Mozilla Network Sec ...) - nss 2:3.25-1 NOTE: Fixed by https://hg.mozilla.org/projects/nss/rev/45c047d18ac4 NOTE: Upstream bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1306103 CVE-2016-5284 (Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunder ...) {DSA-3674-1 DLA-636-1} - firefox 49.0-1 - firefox-esr 45.4.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-86/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/ CVE-2016-5283 (Mozilla Firefox before 49.0 allows remote attackers to bypass the Same ...) - firefox 49.0-1 - firefox-esr (Doesn't affect ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-86/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/ CVE-2016-5282 (Mozilla Firefox before 49.0 does not properly restrict the scheme in f ...) - firefox 49.0-1 - firefox-esr (Doesn't affect ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-86/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/ CVE-2016-5281 (Use-after-free vulnerability in the DOMSVGLength class in Mozilla Fire ...) {DSA-3674-1 DLA-636-1} - firefox 49.0-1 - firefox-esr 45.4.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-86/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/ CVE-2016-5280 (Use-after-free vulnerability in the mozilla::nsTextNodeDirectionalityM ...) {DSA-3674-1 DLA-636-1} - firefox 49.0-1 - firefox-esr 45.4.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-86/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/ CVE-2016-5279 (Mozilla Firefox before 49.0 allows user-assisted remote attackers to o ...) - firefox 49.0-1 - firefox-esr (Doesn't affect ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-86/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/ CVE-2016-5278 (Heap-based buffer overflow in the nsBMPEncoder::AddImageFrame function ...) {DSA-3674-1 DLA-636-1} - firefox 49.0-1 - firefox-esr 45.4.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-86/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/ CVE-2016-5277 (Use-after-free vulnerability in the nsRefreshDriver::Tick function in ...) {DSA-3674-1 DLA-636-1} - firefox 49.0-1 - firefox-esr 45.4.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-86/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/ CVE-2016-5276 (Use-after-free vulnerability in the mozilla::a11y::DocAccessible::Proc ...) {DSA-3674-1 DLA-636-1} - firefox 49.0-1 - firefox-esr 45.4.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-86/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/ CVE-2016-5275 (Buffer overflow in the mozilla::gfx::FilterSupport::ComputeSourceNeede ...) - firefox 49.0-1 - firefox-esr (Doesn't affect ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-86/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/ CVE-2016-5274 (Use-after-free vulnerability in the nsFrameManager::CaptureFrameState ...) {DSA-3674-1 DLA-636-1} - firefox 49.0-1 - firefox-esr 45.4.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-86/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/ CVE-2016-5273 (The mozilla::a11y::HyperTextAccessible::GetChildOffset function in the ...) - firefox 49.0-1 - firefox-esr (Doesn't affect ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-86/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/ CVE-2016-5272 (The nsImageGeometryMixin class in Mozilla Firefox before 49.0, Firefox ...) {DSA-3674-1 DLA-636-1} - firefox 49.0-1 - firefox-esr 45.4.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-86/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/ CVE-2016-5271 (The PropertyProvider::GetSpacingInternal function in Mozilla Firefox b ...) - firefox 49.0-1 - firefox-esr (Doesn't affect ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-86/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/ CVE-2016-5270 (Heap-based buffer overflow in the nsCaseTransformTextRunFactory::Trans ...) {DSA-3674-1 DLA-636-1} - firefox 49.0-1 - firefox-esr 45.4.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-86/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/ CVE-2016-5269 RESERVED CVE-2016-5268 (Mozilla Firefox before 48.0 does not properly set the LINKABLE and URI ...) - firefox 48.0-1 - firefox-esr (Doesn't affect Firefox ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-83/ CVE-2016-5267 (Mozilla Firefox before 48.0 on Android allows remote attackers to spoo ...) - firefox (Android-specific) - firefox-esr (Android-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-82/ CVE-2016-5266 (Mozilla Firefox before 48.0 does not properly restrict drag-and-drop ( ...) - firefox 48.0-1 - firefox-esr (Doesn't affect Firefox ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-81/ CVE-2016-5265 (Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allow use ...) {DSA-3640-1 DLA-585-1} - firefox 48.0-1 - firefox-esr 45.3.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-80/ CVE-2016-5264 (Use-after-free vulnerability in the nsNodeUtils::NativeAnonymousChildL ...) {DSA-3640-1 DLA-585-1} - firefox 48.0-1 - firefox-esr 45.3.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-79/ CVE-2016-5263 (The nsDisplayList::HitTest function in Mozilla Firefox before 48.0 and ...) {DSA-3640-1 DLA-585-1} - firefox 48.0-1 - firefox-esr 45.3.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-78/ CVE-2016-5262 (Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 process J ...) {DSA-3640-1 DLA-585-1} - firefox 48.0-1 - firefox-esr 45.3.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-76/ CVE-2016-5261 (Integer overflow in the WebSocketChannel class in the WebSockets subsy ...) {DSA-3674-1 DLA-636-1} - firefox 48.0-1 - firefox-esr 45.4.0esr-1 NOTE: For Firefox: https://www.mozilla.org/en-US/security/advisories/mfsa2016-75/ NOTE: For Firefox https://www.mozilla.org/security/advisories/mfsa2016-86/ CVE-2016-5260 (Mozilla Firefox before 48.0 mishandles changes from 'INPUT type="passw ...) - firefox 48.0-1 - firefox-esr (Doesn't affect Firefox ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-74/ CVE-2016-5259 (Use-after-free vulnerability in the CanonicalizeXPCOMParticipant funct ...) {DSA-3640-1 DLA-585-1} - firefox 48.0-1 - firefox-esr 45.3.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-73/ CVE-2016-5258 (Use-after-free vulnerability in the WebRTC socket thread in Mozilla Fi ...) {DSA-3640-1 DLA-585-1} - firefox 48.0-1 - firefox-esr 45.3.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-72/ CVE-2016-5257 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-3690-1 DSA-3674-1 DLA-658-1 DLA-636-1} - firefox 49.0-1 - firefox-esr 45.4.0esr-1 - icedove 1:45.4.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-85/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-86/ CVE-2016-5256 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - firefox 49.0-1 - firefox-esr (Doesn't affect Firefox ESR) CVE-2016-5255 (Use-after-free vulnerability in the js::PreliminaryObjectArray::sweep ...) - firefox 48.0-1 - firefox-esr (Doesn't affect Firefox ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-71/ CVE-2016-5254 (Use-after-free vulnerability in the nsXULPopupManager::KeyDown functio ...) {DSA-3640-1 DLA-585-1} - firefox 48.0-1 - firefox-esr 45.3.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-70/ CVE-2016-5253 (The Updater in Mozilla Firefox before 48.0 on Windows allows local use ...) - firefox (Only affects Windows) - firefox-esr (Only affects Windows) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-69/ CVE-2016-5252 (Stack-based buffer underflow in the mozilla::gfx::BasePoint4d function ...) {DSA-3640-1 DLA-585-1} - firefox 48.0-1 - firefox-esr 45.3.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-67/ CVE-2016-5251 (Mozilla Firefox before 48.0 allows remote attackers to spoof the locat ...) - firefox 48.0-1 - firefox-esr (Doesn't affect Firefox ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-66/ CVE-2016-5250 (Mozilla Firefox before 48.0, Firefox ESR < 45.4 and Thunderbird < ...) {DSA-3674-1 DLA-636-1} - firefox 48.0-1 - firefox-esr 45.4.0esr-1 NOTE: For Firefox: https://www.mozilla.org/en-US/security/advisories/mfsa2016-84/ NOTE: For Firefox ESR: https://www.mozilla.org/en-US/security/advisories/mfsa2016-86/ CVE-2016-5249 (Lenovo Solution Center (LSC) before 3.3.003 allows local users to exec ...) NOT-FOR-US: Lenovo CVE-2016-5248 (The StopProxy command in LSC.Services.SystemService in Lenovo Solution ...) NOT-FOR-US: Lenovo CVE-2016-5247 (The BIOS for Lenovo ThinkCentre E93, M6500t/s, M6600, M6600q, M6600t/s ...) NOT-FOR-US: Lenovo CVE-2016-5246 RESERVED CVE-2016-5245 RESERVED CVE-2016-4456 (The "GNUTLS_KEYLOGFILE" environment variable in gnutls 3.4.12 allows r ...) - gnutls28 3.4.13-1 [jessie] - gnutls28 (Introduced in 3.4.12) NOTE: http://gnutls.org/security.html#GNUTLS-SA-2016-1 NOTE: http://www.openwall.com/lists/oss-security/2016/06/07/2 CVE-2016-1000002 (gdm3 3.14.2 and possibly later has an information leak before screen l ...) - gdm3 (low; bug #849432) [buster] - gdm3 (Minor issue) [stretch] - gdm3 (Minor issue) [jessie] - gdm3 (Minor issue) [wheezy] - gdm3 (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1391126 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=753678 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=776051 CVE-2014-9861 RESERVED CVE-2014-9860 RESERVED CVE-2014-9859 RESERVED CVE-2014-9858 RESERVED CVE-2014-9857 RESERVED CVE-2014-9856 RESERVED CVE-2014-9855 RESERVED CVE-2016-5319 (Heap-based buffer overflow in tif_packbits.c in libtiff 4.0.6 and earl ...) {DLA-693-1} - tiff 4.0.6-3 (bug #842046) [jessie] - tiff 4.0.3-12.3+deb8u2 - tiff3 [wheezy] - tiff3 (tools like bmp2tiff not shipped by tiff3 source package) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2562 NOTE: Reproducer http://bugzilla.maptools.org/attachment.cgi?id=652 NOTE: Utility bmp2tiff has been removed from upstream LibTIFF NOTE: No patch available. Marked as wontfix by upstream. NOTE: bmp2tiff was removed in 4.0.6-3 and DSA 3762, marking as fixed although technically still present in the source package CVE-2016-5318 (Stack-based buffer overflow in the _TIFFVGetField function in libtiff ...) {DLA-693-1 DLA-692-1} - tiff 4.0.6-3 [jessie] - tiff 4.0.3-12.3+deb8u2 - tiff3 NOTE: thumbnail(1) was removed in 4.0.6-3 and DSA 3762, marking as fixed although technically still present in the source package NOTE: _TIFFVGetField isn't specific to thumbnail tool, there's http://bugzilla.maptools.org/show_bug.cgi?id=2580 to enhance that, NOTE: but treating this bug (as related to thumbmail) as fixed. NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2561 NOTE: This seems a duplicate of CVE-2015-7554 ( http://bugzilla.maptools.org/show_bug.cgi?id=2564 ). At the very least, a generic fix for CVE-2015-7554 would also fix this one as the illegal write is at the exact same location in the code. NOTE: Reproducer file here: http://bugzilla.maptools.org/attachment.cgi?id=671 NOTE: With 4.0.6-2 (sid), I get a segfault. NOTE: With 4.0.3-12.3+deb8u1 (jessie), I get a segfault. NOTE: With 3.9.6-11+deb7u1 (wheezy), I get a failure: MissingRequired: ../CVE-2016-5318.tiff: TIFF directory is missing required "StripOffsets" field. CVE-2016-5301 (The parse_chunk_header function in libtorrent before 1.1.1 allows remo ...) {DLA-511-1} - libtorrent-rasterbar 1.1.0-1 (bug #826380) [jessie] - libtorrent-rasterbar (Minor issue) NOTE: https://github.com/arvidn/libtorrent/issues/780 NOTE: https://github.com/arvidn/libtorrent/pull/782 CVE-2016-5300 (The XML parser in Expat does not use sufficient entropy for hash initi ...) {DSA-3597-1 DLA-508-1} - expat 2.1.1-3 CVE-2016-5244 (The rds_inc_info_copy function in net/rds/recv.c in the Linux kernel t ...) {DSA-3607-1 DLA-516-1} - linux 4.6.2-1 NOTE: Fixed by: https://github.com/torvalds/linux/commit/4116def2337991b39919f3b448326e21c40e0dbb CVE-2016-5243 (The tipc_nl_compat_link_dump function in net/tipc/netlink_compat.c in ...) {DSA-3607-1 DLA-516-1} - linux 4.6.2-1 NOTE: Fixed by: https://github.com/torvalds/linux/commit/5d2be1422e02ccd697ccfcd45c85b4a26e6178e2 CVE-2016-5242 (The p2m_teardown function in arch/arm/p2m.c in Xen 4.4.x through 4.6.x ...) {DSA-3633-1} - xen 4.8.0~rc3-1 [wheezy] - xen (arm not supported) NOTE: http://xenbits.xen.org/xsa/advisory-181.html CVE-2016-5241 (magick/render.c in GraphicsMagick before 1.3.24 allows remote attacker ...) {DLA-1401-1 DLA-547-1} - graphicsmagick 1.3.24-1 NOTE: Fixed by: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/8d175c4edfe7 CVE-2016-5240 (The DrawDashPolygon function in magick/render.c in GraphicsMagick befo ...) {DSA-3746-1 DLA-547-1} - graphicsmagick 1.3.24-1 NOTE: Fixed by: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/ddc999ec896c NOTE: DLA-547-1 didn't fix this properly CVE-2016-5237 (Valve Steam 3.42.16.13 uses weak permissions for the files in the Stea ...) NOT-FOR-US: Valve Steam CVE-2016-5236 (Cross-Site-Scripting (XSS) vulnerabilities in F5 WebSafe Dashboard 3.9 ...) NOT-FOR-US: F5 WebSafe CVE-2016-5235 (A Cross Site Scripting (XSS) vulnerability in versions of F5 WebSafe D ...) NOT-FOR-US: F5 WebSafe CVE-2014-9803 (arch/arm64/include/asm/pgtable.h in the Linux kernel before 3.15-rc5-n ...) - linux (Vulnerable code never present, introduced and fixed in 3.16 development cycle) NOTE: Introduced by: https://git.kernel.org/linus/bc07c2c6e9ed125d362af0214b6313dca180cb08 (v3.16-rc1) NOTE: Fixed by (revert of commit): https://git.kernel.org/linus/5a0fdfada3a2aa50d7b947a2e958bf00cbe0d830 (v3.16-rc1) CVE-2014-9804 (vision.c in ImageMagick allows remote attackers to cause a denial of s ...) - imagemagick 8:6.8.9.9-4 (bug #773834) [wheezy] - imagemagick (Vulnerable code introduced later) CVE-2014-9805 (ImageMagick allows remote attackers to cause a denial of service (segm ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9806 (ImageMagick allows remote attackers to cause a denial of service (file ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9807 (The pdb coder in ImageMagick allows remote attackers to cause a denial ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9808 (ImageMagick allows remote attackers to cause a denial of service (segm ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9809 (ImageMagick allows remote attackers to cause a denial of service (segm ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9810 (The dpx file handler in ImageMagick allows remote attackers to cause a ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9811 (The xwd file handler in ImageMagick allows remote attackers to cause a ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9812 (ImageMagick allows remote attackers to cause a denial of service (NULL ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9813 (ImageMagick allows remote attackers to cause a denial of service (appl ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9814 (ImageMagick allows remote attackers to cause a denial of service (NULL ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9815 (ImageMagick allows remote attackers to cause a denial of service (appl ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9816 (ImageMagick allows remote attackers to cause a denial of service (out- ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9817 (Heap-based buffer overflow in ImageMagick allows remote attackers to h ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9818 (ImageMagick allows remote attackers to cause a denial of service (out- ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9819 (Heap-based buffer overflow in ImageMagick allows remote attackers to h ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9820 (Heap-based buffer overflow in ImageMagick allows remote attackers to h ...) - imagemagick 8:6.8.9.9-4 (bug #773834) [wheezy] - imagemagick (Vulnerable code not present) CVE-2014-9821 (Heap-based buffer overflow in ImageMagick allows remote attackers to h ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9822 (Heap-based buffer overflow in ImageMagick allows remote attackers to h ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9823 (Heap-based buffer overflow in ImageMagick allows remote attackers to h ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9824 (Heap-based buffer overflow in ImageMagick allows remote attackers to h ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9825 (Heap-based buffer overflow in ImageMagick allows remote attackers to h ...) - imagemagick 8:6.8.9.9-4 (bug #773834) [wheezy] - imagemagick (Vulnerable code not present) CVE-2014-9826 (ImageMagick allows remote attackers to have unspecified impact via vec ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) [wheezy] - imagemagick (No apparent security impact) CVE-2014-9827 (coders/xpm.c in ImageMagick allows remote attackers to have unspecifie ...) - imagemagick 8:6.8.9.9-4 (bug #773834) [wheezy] - imagemagick (Vulnerable code not present) CVE-2014-9828 (coders/psd.c in ImageMagick allows remote attackers to have unspecifie ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9829 (coders/sun.c in ImageMagick allows remote attackers to cause a denial ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9830 (coders/sun.c in ImageMagick allows remote attackers to have unspecifie ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9831 (coders/wpg.c in ImageMagick allows remote attackers to have unspecifie ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9832 (Heap overflow in ImageMagick 6.8.9-9 via a crafted pcx file. ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9833 (Heap overflow in ImageMagick 6.8.9-9 via a crafted psd file. ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9834 (Heap overflow in ImageMagick 6.8.9-9 via a crafted pict file. ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9835 (Heap overflow in ImageMagick 6.8.9-9 via a crafted wpf file. ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9836 (ImageMagick 6.8.9-9 allows remote attackers to cause a denial of servi ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9837 (coders/pnm.c in ImageMagick 6.9.0-1 Beta and earlier allows remote att ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9838 (magick/cache.c in ImageMagick 6.8.9-9 allows remote attackers to cause ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9839 (magick/colormap-private.h in ImageMagick 6.8.9-9 allows remote attacke ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9840 (ImageMagick 6.8.9-9 allows remote attackers to cause a denial of servi ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9841 (The ReadPSDLayers function in coders/psd.c in ImageMagick 6.8.9.9 allo ...) {DLA-960-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9842 (Memory leak in the ReadPSDLayers function in coders/psd.c in ImageMagi ...) - imagemagick 8:6.8.9.9-4 (bug #773834) [wheezy] - imagemagick (Leak in a code path that does not exist in this version) CVE-2014-9843 (The DecodePSDPixels function in coders/psd.c in ImageMagick 6.8.9.9 al ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9844 (The ReadRLEImage function in coders/rle.c in ImageMagick 6.8.9.9 allow ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9845 (The ReadDIBImage function in coders/dib.c in ImageMagick allows remote ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9846 (Buffer overflow in the ReadRLEImage function in coders/rle.c in ImageM ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9847 (The jng decoder in ImageMagick 6.8.9.9 allows remote attackers to have ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9848 (Memory leak in ImageMagick allows remote attackers to cause a denial o ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9849 (The png coder in ImageMagick allows remote attackers to cause a denial ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9850 (Logic error in ImageMagick 6.8.9.9 allows remote attackers to cause a ...) - imagemagick 8:6.8.9.9-4 (bug #773834) [wheezy] - imagemagick (Affected section of code not present in wheezy; examine diff introduced by commit 2257d1eadd02d89d225fce21013a1219d221dc7d with context of 20) NOTE: patch supposed to be https://anonscm.debian.org/cgit/collab-maint/imagemagick.git/patch/?id=2257d1eadd02d89d225fce21013a1219d221dc7d CVE-2014-9851 (ImageMagick 6.8.9.9 allows remote attackers to cause a denial of servi ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) NOTE: https://anonscm.debian.org/cgit/collab-maint/imagemagick.git/patch/?id=33b2d377b94eb738011bc7d5e90ca0a16ce4d471 CVE-2014-9852 (distribute-cache.c in ImageMagick re-uses objects after they have been ...) - imagemagick 8:6.8.9.9-4 (bug #773834) [wheezy] - imagemagick (distribute-cache.c does not exist in 6.7.7.10) CVE-2014-9853 (Memory leak in coders/rle.c in ImageMagick allows remote attackers to ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2014-9854 (coders/tiff.c in ImageMagick allows remote attackers to cause a denial ...) {DLA-731-1} - imagemagick 8:6.8.9.9-4 (bug #773834) CVE-2016-XXXX [doesn't remove metadata in embedded images in PDFs] - mat 0.6.1-3 (bug #826101) [jessie] - mat 0.5.2-3+deb8u1 [wheezy] - mat 0.3.2-1+deb7u1 NOTE: Workaround entry for DLA-650-1/DSA-3708-1 until/if CVE is assigned NOTE: https://0xacab.org/mat/mat/issues/11067 NOTE: Patch in 0.6.1-3 disabled PDF support NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/06/02/5 CVE-2016-5239 (The gnuplot delegate functionality in ImageMagick before 6.9.4-0 and G ...) {DSA-3580-1 DLA-1456-1 DLA-486-1 DLA-484-1} - graphicsmagick 1.3.24-1 - imagemagick 8:6.9.6.2+dfsg-2 NOTE: http://git.imagemagick.org/repos/ImageMagick/commit/70a2cf326ed32bedee144b961005c63846541a16 NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/e38b4f74ca19 CVE-2016-5238 (The get_cmd function in hw/scsi/esp.c in QEMU might allow local guest ...) {DLA-1599-1} - qemu 1:2.6+dfsg-3 (bug #826152) [wheezy] - qemu (Minor issue) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1341931 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-06/msg00150.html CVE-2016-5234 (Buffer overflow in Huawei VP9660, VP9650, and VP9630 multipoint contro ...) NOT-FOR-US: Huawei CVE-2016-5233 (Huawei Mate 8 smartphones with software NXT-AL10 before NXT-AL10C00B18 ...) NOT-FOR-US: Huawei CVE-2016-5232 (Buffer overflow in Huawei Mate8 NXT-AL before NXT-AL10C00B182, NXT-CL ...) NOT-FOR-US: Huawei CVE-2016-5231 (Huawei Mate8 NXT-AL before NXT-AL10C00B182, NXT-CL before NXT-CL00C92B ...) NOT-FOR-US: Huawei CVE-2016-5230 (Huawei Mate8 NXT-AL before NXT-AL10C00B182, NXT-CL before NXT-CL00C92B ...) NOT-FOR-US: Huawei CVE-2016-5229 (Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not p ...) NOT-FOR-US: Atlassian CVE-2016-5228 (Stack-based buffer overflow in the PlayMacro function in ObjectXMacro. ...) NOT-FOR-US: Rumba CVE-2016-5227 RESERVED CVE-2016-5226 (Blink in Google Chrome prior to 55.0.2883.75 for Linux, Windows and Ma ...) {DSA-3731-1} - chromium-browser 55.0.2883.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5225 (Blink in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linu ...) {DSA-3731-1} - chromium-browser 55.0.2883.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5224 (A timing attack on denormalized floating point arithmetic in SVG filte ...) {DSA-3731-1} - chromium-browser 55.0.2883.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5223 (Integer overflow in PDFium in Google Chrome prior to 55.0.2883.75 for ...) {DSA-3731-1} - chromium-browser 55.0.2883.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5222 (Incorrect handling of invalid URLs in Google Chrome prior to 55.0.2883 ...) {DSA-3731-1} - chromium-browser 55.0.2883.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5221 (Type confusion in libGLESv2 in ANGLE in Google Chrome prior to 55.0.28 ...) {DSA-3731-1} - chromium-browser 55.0.2883.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5220 (PDFium in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Lin ...) {DSA-3731-1} - chromium-browser 55.0.2883.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5219 (A heap use after free in V8 in Google Chrome prior to 55.0.2883.75 for ...) {DSA-3731-1} - chromium-browser 55.0.2883.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2016-5218 (The extensions API in Google Chrome prior to 55.0.2883.75 for Mac, Win ...) {DSA-3731-1} - chromium-browser 55.0.2883.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5217 (The extensions API in Google Chrome prior to 55.0.2883.75 for Mac, Win ...) {DSA-3731-1} - chromium-browser 55.0.2883.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5216 (A use after free in PDFium in Google Chrome prior to 55.0.2883.75 for ...) {DSA-3731-1} - chromium-browser 55.0.2883.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5215 (A use after free in webaudio in Google Chrome prior to 55.0.2883.75 fo ...) {DSA-3731-1} - chromium-browser 55.0.2883.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5214 (Google Chrome prior to 55.0.2883.75 for Windows mishandled downloaded ...) {DSA-3731-1} - chromium-browser 55.0.2883.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5213 (A use after free in V8 in Google Chrome prior to 55.0.2883.75 for Mac, ...) {DSA-3731-1} - chromium-browser 55.0.2883.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2016-5212 (Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55 ...) {DSA-3731-1} - chromium-browser 55.0.2883.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5211 (A use after free in PDFium in Google Chrome prior to 55.0.2883.75 for ...) {DSA-3731-1} - chromium-browser 55.0.2883.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5210 (Heap buffer overflow during TIFF image parsing in PDFium in Google Chr ...) {DSA-3731-1} - chromium-browser 55.0.2883.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5209 (Bad casting in bitmap manipulation in Blink in Google Chrome prior to ...) {DSA-3731-1} - chromium-browser 55.0.2883.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5208 (Blink in Google Chrome prior to 55.0.2883.75 for Linux and Windows, an ...) {DSA-3731-1} - chromium-browser 55.0.2883.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5207 (In Blink in Google Chrome prior to 55.0.2883.75 for Mac, Windows and L ...) {DSA-3731-1} - chromium-browser 55.0.2883.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5206 (The PDF plugin in Google Chrome prior to 55.0.2883.75 for Mac, Windows ...) {DSA-3731-1} - chromium-browser 55.0.2883.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5205 (Blink in Google Chrome prior to 55.0.2883.75 for Linux, Windows and Ma ...) {DSA-3731-1} - chromium-browser 55.0.2883.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5204 (Leaking of an SVG shadow tree leading to corruption of the DOM tree in ...) {DSA-3731-1} - chromium-browser 55.0.2883.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5203 (A use after free in PDFium in Google Chrome prior to 55.0.2883.75 for ...) {DSA-3731-1} - chromium-browser 55.0.2883.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5202 (browser/extensions/api/dial/dial_registry.cc in Google Chrome before 5 ...) {DSA-3731-1} - chromium-browser 54.0.2840.101-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5201 (A leak of privateClass in the extensions API in Google Chrome prior to ...) {DSA-3731-1} - chromium-browser 54.0.2840.101-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5200 (V8 in Google Chrome prior to 54.0.2840.98 for Mac, and 54.0.2840.99 fo ...) {DSA-3731-1} - chromium-browser 54.0.2840.101-1 [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2016-5199 (An off by one error resulting in an allocation of zero size in FFmpeg ...) {DSA-3731-1} - chromium-browser 44.0.2403.157-1 [wheezy] - chromium-browser (Not supported in Wheezy) - ffmpeg 7:3.2-1 - libav [jessie] - libav (Vulnerable code not present) NOTE: https://chromium-review.googlesource.com/383956 NOTE: https://github.com/FFmpeg/FFmpeg/commit/347cb14b7cba7560e53f4434b419b9d8800253e7 CVE-2016-5198 (V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 ...) {DSA-3731-1} - chromium-browser 54.0.2840.101-1 [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2016-5197 (The content view client in Google Chrome prior to 54.0.2840.85 for And ...) - chromium-browser (Only affects Chrome on Android) CVE-2016-5196 (The content renderer client in Google Chrome prior to 54.0.2840.85 for ...) - chromium-browser (Only affects Chrome on Android) CVE-2016-5195 (Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before ...) {DSA-3696-1 DLA-670-1} - linux 4.7.8-1 NOTE: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails NOTE: Fixed by: https://git.kernel.org/linus/19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 CVE-2016-5194 (Unspecified vulnerabilities in Google Chrome before 54.0.2840.59. ...) {DSA-3731-1} - chromium-browser 54.0.2840.101-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5193 (Google Chrome prior to 54.0 for iOS had insufficient validation of URL ...) {DSA-3731-1} - chromium-browser 54.0.2840.101-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5192 (Blink in Google Chrome prior to 54.0.2840.59 for Windows missed a CORS ...) {DSA-3731-1} - chromium-browser 54.0.2840.101-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5191 (Bookmark handling in Google Chrome prior to 54.0.2840.59 for Windows, ...) {DSA-3731-1} - chromium-browser 54.0.2840.101-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5190 (Google Chrome prior to 54.0.2840.59 for Windows, Mac, and Linux; 54.0. ...) {DSA-3731-1} - chromium-browser 54.0.2840.101-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5189 (Google Chrome prior to 54.0.2840.59 for Windows, Mac, and Linux; 54.0. ...) {DSA-3731-1} - chromium-browser 54.0.2840.101-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5188 (Multiple issues in Blink in Google Chrome prior to 54.0.2840.59 for Wi ...) {DSA-3731-1} - chromium-browser 54.0.2840.101-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5187 (Google Chrome prior to 54.0.2840.85 for Android incorrectly handled ra ...) {DSA-3731-1} - chromium-browser 54.0.2840.101-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5186 (Devtools in Google Chrome prior to 54.0.2840.59 for Windows, Mac, and ...) {DSA-3731-1} - chromium-browser 54.0.2840.101-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5185 (Blink in Google Chrome prior to 54.0.2840.59 for Windows, Mac, and Lin ...) {DSA-3731-1} - chromium-browser 54.0.2840.101-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5184 (PDFium in Google Chrome prior to 54.0.2840.59 for Windows, Mac, and Li ...) {DSA-3731-1} - chromium-browser 54.0.2840.101-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5183 (A heap use after free in PDFium in Google Chrome prior to 54.0.2840.59 ...) {DSA-3731-1} - chromium-browser 54.0.2840.101-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5182 (Blink in Google Chrome prior to 54.0.2840.59 for Windows, Mac, and Lin ...) {DSA-3731-1} - chromium-browser 54.0.2840.101-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5181 (Blink in Google Chrome prior to 54.0.2840.59 for Windows, Mac, and Lin ...) {DSA-3731-1} - chromium-browser 54.0.2840.101-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5180 (Heap-based buffer overflow in the ares_create_query function in c-ares ...) {DSA-3682-1 DLA-648-1} - c-ares 1.12.0-1 (medium; bug #839151) NOTE: https://c-ares.haxx.se/adv_20160929.html NOTE: https://c-ares.haxx.se/CVE-2016-5180.patch CVE-2016-5179 (Chrome OS before 53.0.2785.144 allows remote attackers to execute arbi ...) NOT-FOR-US: Chrome OS CVE-2016-5178 (Multiple unspecified vulnerabilities in Google Chrome before 53.0.2785 ...) {DSA-3683-1} - chromium-browser 53.0.2785.143-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5177 (Use-after-free vulnerability in V8 in Google Chrome before 53.0.2785.1 ...) {DSA-3683-1} - chromium-browser 53.0.2785.143-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5176 (Google Chrome before 53.0.2785.113 allows remote attackers to bypass t ...) {DSA-3667-1} - chromium-browser 53.0.2785.113-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5175 (Multiple unspecified vulnerabilities in Google Chrome before 53.0.2785 ...) {DSA-3667-1} - chromium-browser 53.0.2785.113-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5174 (browser/ui/cocoa/browser_window_controller_private.mm in Google Chrome ...) {DSA-3667-1} - chromium-browser 53.0.2785.113-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5173 (The extensions subsystem in Google Chrome before 53.0.2785.113 does no ...) {DSA-3667-1} - chromium-browser 53.0.2785.113-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5172 (The parser in Google V8, as used in Google Chrome before 53.0.2785.113 ...) {DSA-3667-1} - chromium-browser 53.0.2785.113-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5171 (WebKit/Source/bindings/templates/interface.cpp in Blink, as used in Go ...) {DSA-3667-1} - chromium-browser 53.0.2785.113-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5170 (WebKit/Source/bindings/modules/v8/V8BindingForModules.cpp in Blink, as ...) {DSA-3667-1} - chromium-browser 53.0.2785.113-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5169 (Format string vulnerability in Google Chrome OS before 53.0.2785.103 a ...) NOT-FOR-US: Google Chrome OS CVE-2016-5168 (Skia, as used in Google Chrome before 50.0.2661.94, allows remote atta ...) - chromium-browser 50.0.2661.94-1 [wheezy] - chromium-browser (Not supported in Wheezy) - skia (bug #818180) CVE-2016-5167 (Multiple unspecified vulnerabilities in Google Chrome before 53.0.2785 ...) {DSA-3660-1} - chromium-browser 53.0.2785.89-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5166 (The download implementation in Google Chrome before 53.0.2785.89 on Wi ...) {DSA-3660-1} - chromium-browser 53.0.2785.89-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5165 (Cross-site scripting (XSS) vulnerability in the Developer Tools (aka D ...) {DSA-3660-1} - chromium-browser 53.0.2785.89-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5164 (Cross-site scripting (XSS) vulnerability in WebKit/Source/platform/v8_ ...) {DSA-3660-1} - chromium-browser 53.0.2785.89-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5163 (The bidirectional-text implementation in Google Chrome before 53.0.278 ...) {DSA-3660-1} - chromium-browser 53.0.2785.89-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5162 (The AllowCrossRendererResourceLoad function in extensions/browser/url_ ...) {DSA-3660-1} - chromium-browser 53.0.2785.89-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5161 (The EditingStyle::mergeStyle function in WebKit/Source/core/editing/Ed ...) {DSA-3660-1} - chromium-browser 53.0.2785.89-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5160 (The AllowCrossRendererResourceLoad function in extensions/browser/url_ ...) {DSA-3660-1} - chromium-browser 53.0.2785.89-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5159 (Multiple integer overflows in OpenJPEG, as used in PDFium in Google Ch ...) {DSA-3768-1 DSA-3660-1} - openjpeg2 2.1.2-1 - chromium-browser 53.0.2785.89-1 [wheezy] - chromium-browser (Not supported in Wheezy) NOTE: https://github.com/uclouvain/openjpeg/commit/9a07ccb3d0f076388e4da684a3bfd4327125c721 CVE-2016-5158 (Multiple integer overflows in the opj_tcd_init_tile function in tcd.c ...) {DSA-3768-1 DSA-3660-1} - openjpeg2 2.1.2-1 - chromium-browser 53.0.2785.89-1 [wheezy] - chromium-browser (Not supported in Wheezy) NOTE: https://github.com/uclouvain/openjpeg/commit/9a07ccb3d0f076388e4da684a3bfd4327125c721 NOTE: https://github.com/uclouvain/openjpeg/issues/854 CVE-2016-5157 (Heap-based buffer overflow in the opj_dwt_interleave_v function in dwt ...) {DSA-3660-1} - openjpeg2 2.1.2-1 [jessie] - openjpeg2 2.1.0-2+deb8u3 - chromium-browser 53.0.2785.89-1 [wheezy] - chromium-browser (Not supported in Wheezy) NOTE: http://www.openwall.com/lists/oss-security/2016/09/08/8 NOTE: https://github.com/uclouvain/openjpeg/pull/823 CVE-2016-5156 (extensions/renderer/event_bindings.cc in the event bindings in Google ...) {DSA-3660-1} - chromium-browser 53.0.2785.89-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5155 (Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0. ...) {DSA-3660-1} - chromium-browser 53.0.2785.89-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5154 (Multiple heap-based buffer overflows in PDFium, as used in Google Chro ...) {DSA-3660-1} - chromium-browser 53.0.2785.89-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5153 (The Web Animations implementation in Blink, as used in Google Chrome b ...) {DSA-3660-1} - chromium-browser 53.0.2785.89-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5152 (Integer overflow in the opj_tcd_get_decoded_tile_size function in tcd. ...) {DSA-4013-1 DSA-3660-1} - openjpeg2 2.1.2-1.2 - chromium-browser 53.0.2785.89-1 [wheezy] - chromium-browser (Not supported in Wheezy) NOTE: https://github.com/uclouvain/openjpeg/commit/3fbe71369019df0b47c7a2be4fab8c05768f2f32 NOTE: https://github.com/uclouvain/openjpeg/issues/854 CVE-2016-5151 (PDFium in Google Chrome before 53.0.2785.89 on Windows and OS X and be ...) {DSA-3660-1} - chromium-browser 53.0.2785.89-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5150 (WebKit/Source/bindings/modules/v8/V8BindingForModules.cpp in Blink, as ...) {DSA-3660-1} - chromium-browser 53.0.2785.89-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5149 (The extensions subsystem in Google Chrome before 53.0.2785.89 on Windo ...) {DSA-3660-1} - chromium-browser 53.0.2785.89-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5148 (Cross-site scripting (XSS) vulnerability in Blink, as used in Google C ...) {DSA-3660-1} - chromium-browser 53.0.2785.89-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5147 (Blink, as used in Google Chrome before 53.0.2785.89 on Windows and OS ...) {DSA-3660-1} - chromium-browser 53.0.2785.89-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5146 (Multiple unspecified vulnerabilities in Google Chrome before 52.0.2743 ...) {DSA-3645-1} - chromium-browser 52.0.2743.116-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5145 (Blink, as used in Google Chrome before 52.0.2743.116, does not ensure ...) {DSA-3645-1} - chromium-browser 52.0.2743.116-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5144 (The Developer Tools (aka DevTools) subsystem in Blink, as used in Goog ...) {DSA-3645-1} - chromium-browser 52.0.2743.116-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5143 (The Developer Tools (aka DevTools) subsystem in Blink, as used in Goog ...) {DSA-3645-1} - chromium-browser 52.0.2743.116-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5142 (The Web Cryptography API (aka WebCrypto) implementation in Blink, as u ...) {DSA-3645-1} - chromium-browser 52.0.2743.116-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5141 (Blink, as used in Google Chrome before 52.0.2743.116, allows remote at ...) {DSA-3645-1} - chromium-browser 52.0.2743.116-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5140 (Heap-based buffer overflow in the opj_j2k_read_SQcd_SQcc function in j ...) {DSA-3645-1} - chromium-browser 52.0.2743.116-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5139 (Multiple integer overflows in the opj_tcd_init_tile function in tcd.c ...) {DSA-3645-1 DLA-1433-1} - openjpeg2 2.1.2-1 - chromium-browser 52.0.2743.116-1 [wheezy] - chromium-browser (Not supported in Wheezy) NOTE: Fixed in Google with: https://pdfium.googlesource.com/pdfium.git/+/2f6d1480a1be2b1f82c94219c2d99e67d7e0660d NOTE: https://github.com/uclouvain/openjpeg/pull/819 CVE-2016-5138 (Integer overflow in the kbasep_vinstr_attach_client function in midgar ...) - chromium-browser (Chrome on Chrome OS) CVE-2016-5137 (The CSPSource::schemeMatches function in WebKit/Source/core/frame/csp/ ...) {DSA-3637-1} - chromium-browser 52.0.2743.82-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5136 (Use-after-free vulnerability in extensions/renderer/user_script_inject ...) {DSA-3637-1} - chromium-browser 52.0.2743.82-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5135 (WebKit/Source/core/html/parser/HTMLPreloadScanner.cpp in Blink, as use ...) {DSA-3637-1} - chromium-browser 52.0.2743.82-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5134 (net/proxy/proxy_service.cc in the Proxy Auto-Config (PAC) feature in G ...) {DSA-3637-1} - chromium-browser 52.0.2743.82-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5133 (Google Chrome before 52.0.2743.82 mishandles origin information during ...) {DSA-3637-1} - chromium-browser 52.0.2743.82-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5132 (The Service Workers subsystem in Google Chrome before 52.0.2743.82 doe ...) {DSA-3637-1} - chromium-browser 52.0.2743.82-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5131 (Use-after-free vulnerability in libxml2 through 2.9.4, as used in Goog ...) {DSA-3744-1 DSA-3637-1 DLA-691-1} - chromium-browser 52.0.2743.82-1 [wheezy] - chromium-browser (Not supported in Wheezy) - libxml2 2.9.4+dfsg1-2.1 (bug #840554) NOTE: Google fix: https://codereview.chromium.org/2127493002 NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e NOTE: Requisite for the test: https://git.gnome.org/browse/libxml2/commit/?id=a005199330b86dada19d162cae15ef9bdcb6baa8 CVE-2016-5130 (content/renderer/history_controller.cc in Google Chrome before 52.0.27 ...) {DSA-3637-1} - chromium-browser 52.0.2743.82-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5129 (Google V8 before 5.2.361.32, as used in Google Chrome before 52.0.2743 ...) {DSA-3637-1} - chromium-browser 52.0.2743.82-1 [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2016-5128 (objects.cc in Google V8 before 5.2.361.27, as used in Google Chrome be ...) {DSA-3637-1} - chromium-browser 52.0.2743.82-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5127 (Use-after-free vulnerability in WebKit/Source/core/editing/VisibleUnit ...) {DSA-3637-1} - chromium-browser 52.0.2743.82-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2015-8899 (Dnsmasq before 2.76 allows remote servers to cause a denial of service ...) - dnsmasq 2.76-1 [jessie] - dnsmasq (Vulnerable code introduced later) [wheezy] - dnsmasq (Vulnerable code introduced later) NOTE: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010479.html NOTE: Fixed by: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=41a8d9e99be9f2cc8b02051dd322cb45e0faac87 (v2.76rc1) NOTE: Introduced by: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=cbc652423403e3cef00e00240f6beef713142246 (v2.73rc1) NOTE: https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1581181 CVE-2015-8898 (The WriteImages function in magick/constitute.c in ImageMagick before ...) - imagemagick 8:6.8.9.9-7 [jessie] - imagemagick 8:6.8.9.9-5+deb8u1 [wheezy] - imagemagick 8:6.7.7.10-5+deb7u4 NOTE: https://github.com/ImageMagick/ImageMagick/pull/34 NOTE: https://github.com/ImageMagick/ImageMagick/commit/5b4bebaa91849c592a8448bc353ab25a54ff8c44 CVE-2015-8897 (The SpliceImage function in MagickCore/transform.c in ImageMagick befo ...) - imagemagick 8:6.8.9.9-7 [jessie] - imagemagick 8:6.8.9.9-5+deb8u1 [wheezy] - imagemagick 8:6.7.7.10-5+deb7u4 NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=28466 NOTE: https://github.com/ImageMagick/ImageMagick/commit/7b1cf5784b5bcd85aa9293ecf56769f68c037231 CVE-2015-8896 (Integer truncation issue in coders/pict.c in ImageMagick before 7.0.5- ...) {DLA-353-1} - imagemagick 8:6.8.9.9-7 (bug #806441) [jessie] - imagemagick 8:6.8.9.9-5+deb8u1 [wheezy] - imagemagick 8:6.7.7.10-5+deb7u4 NOTE: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1448803 NOTE: https://github.com/ImageMagick/ImageMagick/commit/0f6fc2d5bf8f500820c3dbcf0d23ee14f2d9f734 NOTE: http://www.openwall.com/lists/oss-security/2015/10/07/2 NOTE: http://www.openwall.com/lists/oss-security/2016/02/22/4 CVE-2015-8895 (Integer overflow in coders/icon.c in ImageMagick 6.9.1-3 and later all ...) {DLA-353-1} - imagemagick 8:6.8.9.9-7 (bug #806441) [jessie] - imagemagick 8:6.8.9.9-5+deb8u1 [wheezy] - imagemagick 8:6.7.7.10-5+deb7u4 NOTE: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1459747 NOTE: https://github.com/ImageMagick/ImageMagick/commit/0f6fc2d5bf8f500820c3dbcf0d23ee14f2d9f734 NOTE: http://www.openwall.com/lists/oss-security/2015/10/07/2 NOTE: http://www.openwall.com/lists/oss-security/2016/02/22/4 NOTE: The issue is only exploitable on 32 bit architectures. CVE-2015-8894 (Double free vulnerability in coders/tga.c in ImageMagick 7.0.0 and lat ...) - imagemagick 8:6.8.9.9-6 (bug #806442; bug #799524) [jessie] - imagemagick (Can't reproduce crash with file) [wheezy] - imagemagick (Can't reproduce crash with file) [squeeze] - imagemagick (Can't reproduce crash with file) NOTE: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1490362 NOTE: https://github.com/ImageMagick/ImageMagick/commit/4f68e9661518463fca523c9726bb5d940a2aa6d8 NOTE: http://www.openwall.com/lists/oss-security/2015/10/07/2 NOTE: http://www.openwall.com/lists/oss-security/2016/02/22/4 NOTE: The problem can only be triggered with recent versions of ImageMagick (8:6.9.1.2-1 in experimental is vulnerable, 8:6.8.9.9-6 in sid is not vulnerable, older versions are not vulnerable) CVE-2015-8893 (app/aboot/aboot.c in the Qualcomm bootloader in Android before 2016-07 ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-8892 (platform/msm_shared/boot_verifier.c in the Qualcomm components in Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-8891 (Multiple integer overflows in app/aboot/aboot.c in the Qualcomm compon ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-8890 (platform/msm_shared/partition_parser.c in the Qualcomm components in A ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-8889 (The aboot implementation in the Qualcomm components in Android before ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-8888 (Integer overflow in app/aboot/aboot.c in the Qualcomm components in An ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9802 (Multiple integer overflows in lib/libfdt/fdt.c in the Qualcomm compone ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9801 (Multiple integer overflows in lib/libfdt/fdt_rw.c in the Qualcomm comp ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9800 (Integer overflow in lib/heap/heap.c in the Qualcomm components in Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9799 (The makefile in the Qualcomm components in Android before 2016-07-05 o ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9798 (platform/msm_shared/dev_tree.c in the Qualcomm bootloader in Android b ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9797 REJECTED CVE-2014-9796 (app/aboot/aboot.c in the Qualcomm components in Android before 2016-07 ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9795 (app/aboot/aboot.c in the Qualcomm components in Android before 2016-07 ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9794 REJECTED CVE-2014-9793 (platform/msm_shared/mmc.c in the Qualcomm components in Android before ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9792 (arch/arm/mach-msm/ipc_router.c in the Qualcomm components in Android b ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9791 REJECTED CVE-2014-9790 (drivers/mmc/core/debugfs.c in the Qualcomm components in Android befor ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9789 (The (1) alloc and (2) free APIs in arch/arm/mach-msm/qdsp6v2/msm_audio ...) - linux (Android-specific) CVE-2014-9788 (Multiple buffer overflows in the voice drivers in the Qualcomm compone ...) - linux (Android-specific) CVE-2014-9787 (Integer overflow in drivers/misc/qseecom.c in the Qualcomm components ...) - linux (Android-specific) CVE-2014-9786 (Heap-based buffer overflow in drivers/media/platform/msm/camera_v2/sen ...) - linux (Android-specific) CVE-2014-9785 (drivers/misc/qseecom.c in the Qualcomm components in Android before 20 ...) - linux (Android-specific) CVE-2014-9784 (Multiple buffer overflows in drivers/char/diag/diag_debugfs.c in the Q ...) - linux (Android-specific) CVE-2014-9783 (drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c in the Qualc ...) - linux (Android-specific) CVE-2014-9782 (drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c in ...) - linux (Android-specific) CVE-2014-9781 (Buffer overflow in drivers/video/fbcmap.c in the Qualcomm components i ...) - linux (Android-specific) CVE-2014-9780 (drivers/video/msm/mdss/mdp3_ctrl.c in the Qualcomm components in Andro ...) - linux (Android-specific) CVE-2014-9779 (arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c in the Qualcomm components i ...) - linux (Android-specific) CVE-2014-9778 (The vid_dec_set_h264_mv_buffers function in drivers/video/msm/vidc/com ...) - linux (Android-specific) CVE-2014-9777 (The vid_dec_set_meta_buffers function in drivers/video/msm/vidc/common ...) - linux (Android-specific) CVE-2013-7457 (Unspecified vulnerability in the Qualcomm components in Android before ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-5125 REJECTED CVE-2016-5124 (An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev1 ...) NOT-FOR-US: Open-Xchange CVE-2016-5123 RESERVED CVE-2016-5122 RESERVED CVE-2016-5121 RESERVED CVE-2016-5120 RESERVED CVE-2016-5119 (The automatic update feature in KeePass 2.33 and earlier allows man-in ...) - keepass2 2.18+dfsg-1 NOTE: autoupdate dialog disabled in Debian via patch, but basically not-affected CVE-2016-5113 RESERVED CVE-2016-5112 RESERVED CVE-2016-5111 RESERVED CVE-2016-5110 RESERVED CVE-2016-5109 (Citrix Worx Home for iOS before 10.3.6 and XenMobile MDX Toolkit for i ...) NOT-FOR-US: Citrix CVE-2015-8887 RESERVED CVE-2015-8886 RESERVED CVE-2015-8885 RESERVED CVE-2015-8884 RESERVED CVE-2015-8883 RESERVED CVE-2015-8882 RESERVED CVE-2015-8881 RESERVED CVE-2016-5126 (Heap-based buffer overflow in the iscsi_aio_ioctl function in block/is ...) {DLA-1927-1} - qemu 1:2.6+dfsg-2 (bug #826151) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code not present) NOTE: https://lists.gnu.org/archive/html/qemu-block/2016-05/msg00779.html NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=a6b3167fa0e825aebb5a7cd8b437b6d41584a196 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1340924 NOTE: http://www.openwall.com/lists/oss-security/2016/05/30/6 CVE-2016-XXXX [CSRF protection for POST requests] - postfixadmin 2.93-2 (bug #825151) [jessie] - postfixadmin (Minor issue) [wheezy] - postfixadmin (Minor issue) NOTE: http://seclists.org/fulldisclosure/2016/May/59 NOTE: https://sourceforge.net/p/postfixadmin/bugs/372/ NOTE: Fixed by: https://sourceforge.net/p/postfixadmin/code/1842 CVE-2016-5118 (The OpenBlob function in blob.c in GraphicsMagick before 1.3.24 and Im ...) {DSA-3746-1 DSA-3591-1 DLA-502-1 DLA-500-1} - imagemagick 8:6.8.9.9-7.1 (bug #825799) - graphicsmagick 1.3.24-1 (bug #825800) NOTE: fixed by http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/ae3928faa858 NOTE: patch available at http://www.openwall.com/lists/oss-security/2016/05/29/7 CVE-2016-5116 (gd_xbm.c in the GD Graphics Library (aka libgd) before 2.2.0, as used ...) {DSA-3619-1} - libgd2 2.2.1-1 [wheezy] - libgd2 (Vulnerable code not present) NOTE: Fixed by: https://github.com/libgd/libgd/commit/4dc1a2d7931017d3625f2d7cff70a17ce58b53b4 (gd-2.2.0) NOTE: Introduced by: https://github.com/libgd/libgd/commit/decf4407d41230fc54dea8058bf887a2696fd4c2 (gd-2.1.0-alpha1) NOTE: https://github.com/libgd/libgd/issues/211 - php5 (unimportant) NOTE: PHP bug: https://bugs.php.net/bug.php?id=72115 NOTE: Starting with 5.4.0-1 Debian uses the system copy of libgd NOTE: http://www.openwall.com/lists/oss-security/2016/05/29/3 CVE-2016-5115 (The avcodec_decode_audio4 function in libavcodec in libavformat 57.34. ...) - libav (low) [jessie] - libav (Minor issue) [wheezy] - libav (Minor issue) NOTE: This is an issue in ffmpeg/libav, which is fixed in stretch's ffmpeg, but it's unclear when it was fixed exactly NOTE: https://trac.mplayerhq.hu/ticket/2298 CVE-2016-5102 (Buffer overflow in the readgifimage function in gif2tiff.c in the gif2 ...) {DLA-693-1} - tiff 4.0.6-3 [jessie] - tiff 4.0.3-12.3+deb8u2 - tiff3 (unimportant) [wheezy] - tiff3 (Does not ship libtiff-tools) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2552 NOTE: confirmed this still crashes with latest CVS, version v4.0.6 NOTE: also confirmed this crashes v4.0.2 in wheezy NOTE: Upstream will remove gif2tiff from 4.0.7 release NOTE: No patch available. Marked as wontfix by upstream NOTE: Reproducer http://bugs.fi/media/afl/libtiff/CVE-2016-5102.gif NOTE: gif2tiff was removed in 4.0.6-3 and DSA 3762, marking as fixed although technically still present in the source package CVE-2016-5101 (Unspecified vulnerability in Opera Mail before 2016-02-16 on Windows a ...) NOT-FOR-US: Opera CVE-2016-5100 (Froxlor before 0.9.35 uses the PHP rand function for random number gen ...) NOT-FOR-US: Froxlor CVE-2016-5099 (Cross-site scripting (XSS) vulnerability in phpMyAdmin 4.4.x before 4. ...) {DSA-3627-1} - phpmyadmin 4:4.6.2-1 (low) [jessie] - phpmyadmin (Minor issue) [wheezy] - phpmyadmin (Minor issue) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-16/ CVE-2016-5098 (Directory traversal vulnerability in libraries/error_report.lib.php in ...) - phpmyadmin (Only affected git versions but not released versions, cf. PMASA-2016-15) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-15/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/d2dc9481d2af25b035778c67eaf0bfd2d2c59dd8 CVE-2016-5097 (phpMyAdmin before 4.6.2 places tokens in query strings and does not ar ...) - phpmyadmin 4:4.6.2-1 (low) [jessie] - phpmyadmin (Minor issue) [wheezy] - phpmyadmin (Minor issue) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-14/ CVE-2016-5092 (Directory traversal vulnerability in Fortinet FortiWeb before 5.5.3 al ...) NOT-FOR-US: Fortinet CVE-2016-5108 (Buffer overflow in the DecodeAdpcmImaQT function in modules/codec/adpc ...) {DSA-3598-1} - vlc 2.2.3-2 (bug #825728) [wheezy] - vlc (Unsupported in wheezy-lts) NOTE: Details: http://www.openwall.com/lists/oss-security/2016/05/27/3 NOTE: https://git.videolan.org/?p=vlc.git;a=commit;h=458ed62bbeb9d1bddf7b8df104e14936408a3db9 CVE-2016-5090 RESERVED CVE-2016-5089 RESERVED CVE-2016-5088 RESERVED CVE-2016-5087 (Alertus Desktop Notification before 2.9.31.1710 on OS X uses weak perm ...) NOT-FOR-US: Alertus CVE-2016-5086 (Johnson & Johnson Animas OneTouch Ping devices allow remote attack ...) NOT-FOR-US: Animas OneTouch Ping CVE-2016-5085 (Johnson & Johnson Animas OneTouch Ping devices do not properly gen ...) NOT-FOR-US: Animas OneTouch Ping CVE-2016-5084 (Johnson & Johnson Animas OneTouch Ping devices do not use encrypti ...) NOT-FOR-US: Animas OneTouch Ping CVE-2016-5083 RESERVED CVE-2016-5082 RESERVED CVE-2016-5081 (ZModo ZP-NE14-S and ZP-IBH-13W devices have a hardcoded root password, ...) NOT-FOR-US: ZModo CVE-2016-5080 (Integer overflow in the rtxMemHeapAlloc function in asn1rt_a.lib in Ob ...) NOT-FOR-US: Objective Systems Inc. ASN1C compiler NOTE: https://github.com/programa-stic/security-advisories/tree/master/ObjSys/CVE-2016-5080 CVE-2016-5079 RESERVED CVE-2016-5078 (Paessler PRTG before 16.2.24.4045 has XSS via SNMP. ...) NOT-FOR-US: Paessler PRTG CVE-2016-5077 (Netikus EventSentry before 3.2.1.44 has XSS via SNMP. ...) NOT-FOR-US: Netikus EventSentry CVE-2016-5076 (CloudView NMS before 2.10a allows remote attackers to obtain sensitive ...) NOT-FOR-US: CloudView NMS CVE-2016-5075 (CloudView NMS before 2.10a has XSS via a TELNET login. ...) NOT-FOR-US: CloudView NMS CVE-2016-5074 (CloudView NMS before 2.10a has a format string issue exploitable over ...) NOT-FOR-US: CloudView NMS CVE-2016-5073 (CloudView NMS before 2.10a has XSS via SNMP. ...) NOT-FOR-US: CloudView NMS CVE-2016-5072 (OXID eShop before 2016-06-13 allows remote attackers to execute arbitr ...) NOT-FOR-US: OXID eShop CVE-2016-5071 (Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 execute the m ...) NOT-FOR-US: Sierra Wireless GX 440 devices with ALEOS firmware CVE-2016-5070 (Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 store passwor ...) NOT-FOR-US: Sierra Wireless GX 440 devices with ALEOS firmware CVE-2016-5069 (Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 use guessable ...) NOT-FOR-US: Sierra Wireless GX 440 devices with ALEOS firmware CVE-2016-5068 (Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 do not requir ...) NOT-FOR-US: Sierra Wireless GX 440 devices with ALEOS firmware CVE-2016-5067 (Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 allow Hayes A ...) NOT-FOR-US: Sierra Wireless GX 440 devices with ALEOS firmware CVE-2016-5066 (Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 have weak pas ...) NOT-FOR-US: Sierra Wireless GX 440 devices with ALEOS firmware CVE-2016-5065 (Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 allow Embedde ...) NOT-FOR-US: Sierra Wireless GX 440 devices with ALEOS firmware CVE-2016-5064 RESERVED CVE-2016-5063 (The RSCD agent in BMC Server Automation before 8.6 SP1 Patch 2 and 8.7 ...) NOT-FOR-US: BMC Server Automation CVE-2016-5062 (The web server in Aternity before 9.0.1 does not require authenticatio ...) NOT-FOR-US: Aternity CVE-2016-5061 (Multiple cross-site scripting (XSS) vulnerabilities in the web server ...) NOT-FOR-US: Aternity CVE-2016-5060 (Multiple cross-site scripting (XSS) vulnerabilities in nGrinder before ...) NOT-FOR-US: nGrinder CVE-2016-5059 (OSRAM SYLVANIA Osram Lightify Pro before 2016-07-26 allows attackers t ...) NOT-FOR-US: OSRAM SYLVANIA Osram Lightify Pro CVE-2016-5058 (OSRAM SYLVANIA Osram Lightify Pro through 2016-07-26 allows Zigbee rep ...) NOT-FOR-US: OSRAM SYLVANIA Osram Lightify Pro CVE-2016-5057 (OSRAM SYLVANIA Osram Lightify Pro through 2016-07-26 does not use SSL ...) NOT-FOR-US: OSRAM SYLVANIA Osram Lightify Pro CVE-2016-5056 (OSRAM SYLVANIA Osram Lightify Pro before 2016-07-26 uses only 8 hex di ...) NOT-FOR-US: OSRAM SYLVANIA Osram Lightify Pro CVE-2016-5055 (OSRAM SYLVANIA Osram Lightify Pro before 2016-07-26 has XSS in the use ...) NOT-FOR-US: OSRAM SYLVANIA Osram Lightify Pro CVE-2016-5054 (OSRAM SYLVANIA Osram Lightify Home through 2016-07-26 allows Zigbee re ...) NOT-FOR-US: OSRAM SYLVANIA Osram Lightify Home CVE-2016-5053 (OSRAM SYLVANIA Osram Lightify Home before 2016-07-26 allows remote att ...) NOT-FOR-US: OSRAM SYLVANIA Osram Lightify Home CVE-2016-5052 (OSRAM SYLVANIA Osram Lightify Home through 2016-07-26 does not use SSL ...) NOT-FOR-US: OSRAM SYLVANIA Osram Lightify Home CVE-2016-5051 (OSRAM SYLVANIA Osram Lightify Home before 2016-07-26 stores a PSK in c ...) NOT-FOR-US: OSRAM SYLVANIA Osram Lightify Home CVE-2016-5050 (Unrestricted file upload vulnerability in chat/sendfile.aspx in ReadyD ...) NOT-FOR-US: ReadyDesk CVE-2016-5049 (Directory traversal vulnerability in chat/openattach.aspx in ReadyDesk ...) NOT-FOR-US: ReadyDesk CVE-2016-5048 (SQL injection vulnerability in chat/staff/default.aspx in ReadyDesk 9. ...) NOT-FOR-US: ReadyDesk CVE-2016-5047 (NetApp OnCommand System Manager 8.3.x before 8.3.2P5 allows remote aut ...) NOT-FOR-US: NetApp OnCommand System Manager CVE-2016-5046 RESERVED CVE-2016-5045 (NetApp OnCommand System Manager before 9.0 allows remote attackers to ...) NOT-FOR-US: NetApp OnCommand System Manager CVE-2016-5025 (For the NVIDIA Quadro, NVS, and GeForce products, improper sanitizatio ...) NOT-FOR-US: NVIDIA Quadro, NVS, and GeForce product CVE-2016-5024 (Virtual servers in F5 BIG-IP systems 11.6.1 before 11.6.1 HF1 and 12.1 ...) NOT-FOR-US: BIG-IP CVE-2016-5023 (Virtual servers in F5 BIG-IP systems 11.2.1 HF11 through HF15, 11.4.1 ...) NOT-FOR-US: BIG-IP CVE-2016-5022 (F5 BIG-IP LTM, Analytics, APM, ASM, and Link Controller 11.2.x before ...) NOT-FOR-US: F5 BIG-IP CVE-2016-5021 (The iControl REST service in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ...) NOT-FOR-US: BIG-IP CVE-2016-5020 (F5 BIG-IP before 12.0.0 HF3 allows remote authenticated users to modif ...) NOT-FOR-US: BIG-IP CVE-2016-5019 (CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 through 1.0. ...) NOT-FOR-US: Apache MyFaces Trinidad CVE-2016-5018 (In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8. ...) {DSA-3721-1 DSA-3720-1 DLA-729-1 DLA-728-1} - tomcat8 8.0.37-1 (low) - tomcat7 7.0.72-1 (low; bug #842663) - tomcat6 6.0.41-3 (low) NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie NOTE: http://markmail.org/message/lixw6iyojoxwfizv?q=list:org.apache.tomcat.announce/ NOTE: Fixed by: http://svn.apache.org/r1754901 (8.0.x) NOTE: Fixed by: http://svn.apache.org/r1754902 (7.0.x) NOTE: Fixed by: https://svn.apache.org/viewvc?view=revision&revision=1754904 CVE-2016-5017 (Buffer overflow in the C cli shell in Apache Zookeeper before 3.4.9 an ...) {DLA-630-1} - zookeeper 3.4.9-1 [jessie] - zookeeper 3.4.5+dfsg-2+deb8u1 NOTE: The C cli shell is intended as a sample/example of how to use the C NOTE: client interface, not as a production tool NOTE: https://zookeeper.apache.org/security.html#CVE-2016-5017 NOTE: Fixed by https://git-wip-us.apache.org/repos/asf?p=zookeeper.git;a=commitdiff;h=27ecf981a15554dc8e64a28630af7a5c9e2bdf4f CVE-2016-5016 (Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authe ...) NOT-FOR-US: Pivotal Cloud Foundry CVE-2016-5015 REJECTED CVE-2016-5014 (In Moodle 2.x and 3.x, an unenrolled user still receives event monitor ...) - moodle (Only affects 2.8 and later) NOTE: https://moodle.org/mod/forum/discuss.php?d=336699 CVE-2016-5013 (In Moodle 2.x and 3.x, text injection can occur in email headers, pote ...) - moodle 2.7.15+dfsg-1 CVE-2016-5012 (In Moodle 3.x, glossary search displays entries without checking user ...) - moodle (Only affects 3.1) NOTE: https://moodle.org/mod/forum/discuss.php?d=336697 CVE-2016-5011 (The parse_dos_extended function in partitions/dos.c in the libblkid li ...) - util-linux 2.28.1-1 (bug #830802) [jessie] - util-linux (Minor issue) [wheezy] - util-linux (Minor issue) NOTE: https://git.kernel.org/cgit/utils/util-linux/util-linux.git/commit/?id=7164a1c34d18831ac61c6744ad14ce916d389b3f NOTE: https://git.kernel.org/cgit/utils/util-linux/util-linux.git/commit/?id=50d1594c2e6142a3b51d2143c74027480df082e0 CVE-2016-5010 (coders/tiff.c in ImageMagick before 6.9.5-3 allows remote attackers to ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832968) NOTE: Fixed by: http://git.imagemagick.org/repos/ImageMagick/commit/c20de102cc57f3739a8870f79e728e3b0bea18c0 CVE-2016-5009 (The handle_command function in mon/Monitor.cc in Ceph allows remote au ...) - ceph 10.2.5-1 (bug #829661) [jessie] - ceph 0.80.7-2+deb8u2 NOTE: http://tracker.ceph.com/issues/16297 NOTE: https://github.com/ceph/ceph/pull/9700 NOTE: https://github.com/ceph/ceph/commit/957ece7e95d8f8746191fd9629622d4457d690d6 CVE-2016-5008 (libvirt before 2.0.0 improperly disables password checking when the pa ...) {DSA-3613-1 DLA-541-1} - libvirt 2.0.0-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1180092 NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=bb848feec0f3f10e92dd8e5231ae7aa89b5598f3 (v2.0.0) NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=f32441c69bf450d6ac593c3acd621c37e120cdaf (v1.2.9-maint) NOTE: http://security.libvirt.org/2016/0001.html CVE-2016-5007 (Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2. ...) - libspring-java 4.3.2-1 [jessie] - libspring-java (Minor issue) [wheezy] - libspring-java (Vulnerable code not present) NOTE: https://pivotal.io/security/cve-2016-5007 NOTE: https://github.com/spring-projects/spring-framework/commit/a30ab30 (v4.3.1.RELEASE) NOTE: https://github.com/spring-projects/spring-security/commit/e4c13e NOTE: Upstream bug: https://github.com/spring-projects/spring-security/issues/3964 NOTE: Upstream bug: https://github.com/spring-projects/spring-framework/issues/18893 NOTE: Mitigations exists in https://pivotal.io/security/cve-2016-5007 NOTE: Other (already unsupported) versions are affected as well by the issue; the NOTE: fix introduces a new API, so jessie and older should instead rely on mitigations CVE-2016-5006 (The Cloud Controller in Cloud Foundry before 239 logs user-provided se ...) NOT-FOR-US: Cloud Foundry CVE-2016-5005 (Cross-site scripting (XSS) vulnerability in Apache Archiva 1.3.9 and e ...) NOT-FOR-US: Apache Archiva CVE-2016-5004 (The Content-Encoding HTTP header feature in ws-xmlrpc 3.1.3 as used in ...) NOT-FOR-US: Apache Archiva CVE-2016-5003 (The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Ar ...) NOT-FOR-US: Apache Archiva CVE-2016-5002 (XML external entity (XXE) vulnerability in the Apache XML-RPC (aka ws- ...) NOT-FOR-US: Apache Archiva CVE-2016-5001 (This is an information disclosure vulnerability in Apache Hadoop befor ...) - hadoop (bug #793644) CVE-2016-5000 (The XLSX2CSV example in Apache POI before 3.14 allows remote attackers ...) - libapache-poi-java (unimportant) NOTE: Versions affected: POI 3.5-3.13; Fixed in 3.14 NOTE: XLSX2CSV example is not installed CVE-2016-4999 (SQL injection vulnerability in the getStringParameterSQL method in mai ...) NOT-FOR-US: JBoss dashbuilder CVE-2016-4998 (The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subs ...) {DSA-3607-1} - linux 4.6.2-2 [wheezy] - linux (Only exploitable by privileged user; too many changes to backport) NOTE: Non-privileged user namespaces disabled by default, only vulnerable with sysctl kernel.unprivileged_userns_clone=1 CVE-2016-4997 (The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt imple ...) {DSA-3607-1} - linux 4.6.2-2 [wheezy] - linux (Only exploitable by privileged user; too many changes to backport) NOTE: Non-privileged user namespaces disabled by default, only vulnerable with sysctl kernel.unprivileged_userns_clone=1 CVE-2016-4996 (discovery-debug in Foreman before 6.2 when the ssh service has been en ...) - foreman (bug #663101) CVE-2016-4995 (Foreman before 1.11.4 and 1.12.x before 1.12.1 does not properly restr ...) - foreman (bug #663101) CVE-2016-4994 (Use-after-free vulnerability in the xcf_load_image function in app/xcf ...) {DSA-3612-1 DLA-525-1} - gimp 2.8.16-2.2 (bug #828179) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=767873 CVE-2016-4993 (CRLF injection vulnerability in the Undertow web server in WildFly 10. ...) - undertow 1.4.3-1 NOTE: https://issues.jboss.org/browse/UNDERTOW-827 CVE-2016-4992 (389 Directory Server in Red Hat Enterprise Linux Desktop 6 through 7, ...) - 389-ds-base 1.3.5.13-1 [jessie] - 389-ds-base (Minor issue) NOTE: http://directory.fedoraproject.org/docs/389ds/releases/release-1-3-5-13.html CVE-2016-4991 RESERVED CVE-2016-4990 REJECTED CVE-2016-4989 (setroubleshoot allows local users to bypass an intended container prot ...) NOT-FOR-US: setroubleshoot CVE-2016-4988 (Cross-site scripting (XSS) vulnerability in the Build Failure Analyzer ...) NOT-FOR-US: Jenkins plugin NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-06-20 CVE-2016-4987 (Directory traversal vulnerability in the Image Gallery plugin before 1 ...) NOT-FOR-US: Jenkins plugin NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-06-20 CVE-2016-4986 (Directory traversal vulnerability in the TAP plugin before 1.25 in Jen ...) NOT-FOR-US: Jenkins plugin NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-06-20 CVE-2016-4985 (The ironic-api service in OpenStack Ironic before 4.2.5 (Liberty) and ...) - ironic 1:5.1.2-1 (bug #827886) NOTE: Affects >=2014.2, >=4.0.0 <=4.2.4, >=4.3.0 <=5.1.1 CVE-2016-4984 (/usr/libexec/openldap/generate-server-cert.sh in openldap-servers sets ...) - openldap (Red Hat-specific) CVE-2016-4983 (A postinstall script in the dovecot rpm allows local users to read the ...) - dovecot (Specific to Red Hat packaging) CVE-2016-4982 (authd sets weak permissions for /etc/ident.key, which allows local use ...) NOT-FOR-US: authd CVE-2016-4981 RESERVED CVE-2016-4980 (A password generation weakness exists in xquest through 2016-06-13. ...) NOT-FOR-US: Red Hat xguest kiosk mode CVE-2016-4979 (The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and mod_s ...) - apache2 2.4.23-1 [jessie] - apache2 (Vulnerable code not present) [wheezy] - apache2 (Vulnerable code not present) NOTE: HTTP/2 support introduced in 2.4.17 NOTE: Upstream fix: https://svn.apache.org/r1750779 CVE-2016-4978 (The getObject method of the javax.jms.ObjectMessage class in the (1) J ...) NOT-FOR-US: ApacheMQ Artemis CVE-2016-4977 (When processing authorization requests using the whitelabel views in S ...) NOT-FOR-US: Spring Security OAuth CVE-2016-4976 (Apache Ambari 2.x before 2.4.0 includes KDC administrator passwords on ...) NOT-FOR-US: Apache Ambari CVE-2016-4975 (Possible CRLF injection allowing HTTP response splitting attacks for s ...) - apache2 2.4.25-1 (low) [jessie] - apache2 2.4.10-10+deb8u8 NOTE: https://svn.apache.org/r1772678 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2016-4975 CVE-2016-4974 (Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP 1.0) before ...) - qpid-java (bug #840131) CVE-2016-4973 (Binaries compiled against targets that use the libssp library in GCC f ...) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1324759 - gcc-6 (Uses glibc-internal SSP) - gcc-5 (Uses glibc-internal SSP) - gcc-4.9 (Uses glibc-internal SSP) - gcc-mingw-w64 (unimportant; bug #848704) - mingw32 [wheezy] - mingw32 (Minor issue) NOTE: Missing security feature, not a direct vulnerability CVE-2016-4972 (OpenStack Murano before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), ...) - murano 1:2.0.1-1 (bug #828062) NOTE: Affects: Murano: <=2015.1.1; <=1.0.2; ==2.0.0 - murano-dashboard 1:2.0.0-5 (bug #828064) NOTE: Affects: Murano-dashboard: <=2015.1.1; <=1.0.2; ==2.0.0 - python-muranoclient 0.8.3-4 (bug #828063) NOTE: Affects: Python-muranoclient: <=0.7.2; >=0.8.0<=0.8.4 CVE-2016-4971 (GNU wget before 1.18 allows remote servers to write to arbitrary files ...) {DLA-536-1} - wget 1.18-1 (bug #827003) [jessie] - wget 1.16-1+deb8u1 NOTE: http://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html NOTE: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=e996e322ffd42aaa051602da182d03178d0f13e1 (v1.18) CVE-2016-4970 (handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and ...) - netty 1:4.0.37-1 (bug #827620) [jessie] - netty (Vulnerable code not present) [wheezy] - netty (Vulnerable code not present) NOTE: Versions affected: Netty 4.0.0.Final - 4.0.36.Final and 4.1.0.Final CVE-2016-4969 (Cross-site scripting (XSS) vulnerability in Fortinet FortiWan (formerl ...) NOT-FOR-US: Fortinet CVE-2016-4968 (The linkreport/tmp/admin_global page in Fortinet FortiWan (formerly As ...) NOT-FOR-US: Fortinet CVE-2016-4967 (Fortinet FortiWan (formerly AscernLink) before 4.2.5 allows remote aut ...) NOT-FOR-US: Fortinet CVE-2016-4966 (The diagnosis_control.php page in Fortinet FortiWan (formerly AscernLi ...) NOT-FOR-US: Fortinet CVE-2016-4965 (Fortinet FortiWan (formerly AscernLink) before 4.2.5 allows remote aut ...) NOT-FOR-US: Fortinet CVE-2016-XXXX [AST-2016-005] - asterisk 1:13.8.2~dfsg-1 [jessie] - asterisk (Only affects 13.x) [wheezy] - asterisk (Only affects 13.x) NOTE: http://downloads.asterisk.org/pub/security/AST-2016-005.html CVE-2016-5107 (The megasas_lookup_frame function in QEMU, when built with MegaRAID SA ...) {DLA-1599-1} - qemu 1:2.6+dfsg-2 (bug #825616) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg04424.html NOTE: Introduced after: http://git.qemu.org/?p=qemu.git;a=commit;h=e8f943c3bcc2a578bfd30b825f2ebaf345c63a09 (v1.2.0-rc0) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1336461 CVE-2016-5106 (The megasas_dcmd_set_properties function in hw/scsi/megasas.c in QEMU, ...) {DLA-1599-1} - qemu 1:2.6+dfsg-2 (bug #825615) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: Introduced after: http://git.qemu.org/?p=qemu.git;a=commit;h=e8f943c3bcc2a578bfd30b825f2ebaf345c63a09 (v1.2.0-rc0) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg04340.html CVE-2016-5105 (The megasas_dcmd_cfg_read function in hw/scsi/megasas.c in QEMU, when ...) {DLA-1599-1} - qemu 1:2.6+dfsg-2 (bug #825614) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: Introduced after: http://git.qemu.org/?p=qemu.git;a=commit;h=e8f943c3bcc2a578bfd30b825f2ebaf345c63a09 (v1.2.0-rc0) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg04419.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1339583 CVE-2016-5104 (The socket_create function in common/socket.c in libimobiledevice and ...) {DLA-2122-1 DLA-2121-1} - libimobiledevice 1.2.0+dfsg-3 (bug #825553) [wheezy] - libimobiledevice (Vulnerable code not present) NOTE: https://github.com/libimobiledevice/libimobiledevice/commit/df1f5c4d70d0c19ad40072f5246ca457e7f9849e - libusbmuxd 1.0.10-3 (bug #825554) NOTE: https://github.com/libimobiledevice/libusbmuxd/commit/4397b3376dc4e4cb1c991d0aed61ce6482614196 CVE-2016-4552 (Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1 ...) - roundcube 1.2.0+dfsg.1-1 [wheezy] - roundcube (vulnerable code not present) NOTE: https://github.com/roundcube/roundcubemail/issues/5240 NOTE: https://github.com/roundcube/roundcubemail/pull/5241 NOTE: http://www.openwall.com/lists/oss-security/2016/05/25/8 CVE-2016-5096 (Integer overflow in the fread function in ext/standard/file.c in PHP b ...) {DSA-3602-1 DLA-533-1} - php5 5.6.22+dfsg-1 NOTE: PHP bug: https://bugs.php.net/bug.php?id=72114 NOTE: Fixed in 5.6.22, 5.5.36 NOTE: http://www.openwall.com/lists/oss-security/2016/05/25/3 CVE-2016-5095 (Integer overflow in the php_escape_html_entities_ex function in ext/st ...) {DSA-3602-1 DLA-533-1} - php5 5.6.22+dfsg-1 NOTE: PHP bug: https://bugs.php.net/bug.php?id=72135 NOTE: Fixed in 5.6.22, 5.5.36 NOTE: http://www.openwall.com/lists/oss-security/2016/05/25/3 NOTE: For the additional issue reported in the "[2016-05-17 12:55 UTC]" comment CVE-2016-5094 (Integer overflow in the php_html_entities function in ext/standard/htm ...) {DSA-3602-1 DLA-533-1} - php5 5.6.22+dfsg-1 NOTE: PHP bug: https://bugs.php.net/bug.php?id=72135 NOTE: Fixed in 5.6.22, 5.5.36 NOTE: http://www.openwall.com/lists/oss-security/2016/05/25/3 CVE-2016-5093 (The get_icu_value_internal function in ext/intl/locale/locale_methods. ...) {DSA-3602-1 DLA-533-1} - php7.0 7.0.7-1 - php5 5.6.22+dfsg-1 NOTE: PHP bug: https://bugs.php.net/bug.php?id=72241 NOTE: Fixed in 7.0.7, 5.6.22, 5.5.36 NOTE: http://www.openwall.com/lists/oss-security/2016/05/25/3 CVE-2013-7456 (gd_interpolation.c in the GD Graphics Library (aka libgd) before 2.1.1 ...) {DSA-3602-1 DSA-3587-1} - libgd2 2.1.1-1 [wheezy] - libgd2 (Vulnerable code not present) NOTE: https://github.com/libgd/libgd/commit/4f65a3e4eedaffa1efcf9ee1eb08f0b504fbc31a (gd-2.1.1) - php7.0 7.0.7-1 (unimportant) - php5 5.6.22+dfsg-1 (unimportant) NOTE: Starting with 5.4.0-1 Debian uses the system copy of libgd NOTE: PHP bug: https://bugs.php.net/bug.php?id=72227 NOTE: Fixed in 7.0.7, 5.6.22, 5.5.36 NOTE: http://www.openwall.com/lists/oss-security/2016/05/25/3 CVE-2016-5091 (Extbase in TYPO3 4.3.0 before 6.2.24, 7.x before 7.6.8, and 8.1.1 allo ...) - typo3-src [wheezy] - typo3-src (Not supported in Wheezy LTS) CVE-2016-5044 (The WRITE_UNALIGNED function in dwarf_elf_access.c in libdwarf before ...) - dwarfutils 20160507-1 [jessie] - dwarfutils (Minor issue) [wheezy] - dwarfutils (Minor issue) NOTE: https://sourceforge.net/p/libdwarf/code/ci/98a3da1e8237fe0d45b67ef77f3fa5ed9ff0215f/ CVE-2016-5043 (The dwarf_dealloc function in libdwarf before 20160923 allows remote a ...) - dwarfutils 20160507-1 [jessie] - dwarfutils (Minor issue) [wheezy] - dwarfutils (Minor issue) NOTE: https://sourceforge.net/p/libdwarf/code/ci/98a3da1e8237fe0d45b67ef77f3fa5ed9ff0215f/ CVE-2016-5042 (The dwarf_get_aranges_list function in libdwarf before 20160923 allows ...) {DLA-669-1} - dwarfutils 20160507-1 [jessie] - dwarfutils 20120410-2+deb8u1 NOTE: https://sourceforge.net/p/libdwarf/code/ci/98a3da1e8237fe0d45b67ef77f3fa5ed9ff0215f/ CVE-2016-5041 (dwarf_macro5.c in libdwarf before 20160923 allows remote attackers to ...) - dwarfutils 20160507-1 [jessie] - dwarfutils (Minor issue) [wheezy] - dwarfutils (Minor issue) NOTE: https://sourceforge.net/p/libdwarf/code/ci/98a3da1e8237fe0d45b67ef77f3fa5ed9ff0215f/ CVE-2016-5040 (libdwarf before 20160923 allows remote attackers to cause a denial of ...) - dwarfutils 20160507-1 [jessie] - dwarfutils (Minor issue) [wheezy] - dwarfutils (Minor issue) NOTE: https://sourceforge.net/p/libdwarf/code/ci/98a3da1e8237fe0d45b67ef77f3fa5ed9ff0215f/ CVE-2016-5039 (The get_attr_value function in libdwarf before 20160923 allows remote ...) {DLA-669-1} - dwarfutils 20160507-1 [jessie] - dwarfutils 20120410-2+deb8u1 NOTE: https://sourceforge.net/p/libdwarf/code/ci/eb1472afac95031d0c9dd8c11d527b865fe7deb8/ CVE-2016-5038 (The dwarf_get_macro_startend_file function in dwarf_macro5.c in libdwa ...) {DLA-669-1} - dwarfutils 20160507+git20160523.9086738-1 [jessie] - dwarfutils 20120410-2+deb8u1 NOTE: https://sourceforge.net/p/libdwarf/code/ci/82d8e007851805af0dcaaff41f49a2d48473334b/ CVE-2016-5037 (The _dwarf_load_section function in libdwarf before 20160923 allows re ...) - dwarfutils 20160507-1 [jessie] - dwarfutils (Minor issue) [wheezy] - dwarfutils (Minor issue) NOTE: https://sourceforge.net/p/libdwarf/code/ci/b6ec2dfd850929821626ea63fb0a752076a3c08a/ CVE-2016-5036 (The dump_block function in print_sections.c in libdwarf before 2016092 ...) {DLA-669-1} - dwarfutils 20160507+git20160523.9086738-1 [jessie] - dwarfutils 20120410-2+deb8u1 NOTE: https://sourceforge.net/p/libdwarf/code/ci/82d8e007851805af0dcaaff41f49a2d48473334b/ CVE-2016-5035 (The _dwarf_read_line_table_header function in dwarf_line_table_reader. ...) - dwarfutils 20160507+git20160523.9086738-1 [jessie] - dwarfutils (Minor issue) [wheezy] - dwarfutils (Minor issue) NOTE: https://sourceforge.net/p/libdwarf/code/ci/82d8e007851805af0dcaaff41f49a2d48473334b/ CVE-2016-5034 (dwarf_elf_access.c in libdwarf before 20160923 allows remote attackers ...) {DLA-669-1} - dwarfutils 20160507+git20160523.9086738-1 [jessie] - dwarfutils 20120410-2+deb8u1 NOTE: https://sourceforge.net/p/libdwarf/code/ci/10ca310f64368dc083efacac87732c02ef560a92/ CVE-2016-5033 (The print_exprloc_content function in libdwarf before 20160923 allows ...) - dwarfutils 20160507+git20160523.9086738-1 [jessie] - dwarfutils (Minor issue) [wheezy] - dwarfutils (Minor issue) NOTE: https://sourceforge.net/p/libdwarf/code/ci/ac6673e32f3443a5d36c2217cb814000930b2c54/ CVE-2016-5032 (The dwarf_get_xu_hash_entry function in libdwarf before 20160923 allow ...) - dwarfutils 20160507+git20160523.9086738-1 [jessie] - dwarfutils (Minor issue) [wheezy] - dwarfutils (Minor issue) NOTE: https://sourceforge.net/p/libdwarf/code/ci/ac6673e32f3443a5d36c2217cb814000930b2c54/ CVE-2016-5031 (The print_frame_inst_bytes function in libdwarf before 20160923 allows ...) - dwarfutils 20160507+git20160523.9086738-1 [jessie] - dwarfutils (Minor issue) [wheezy] - dwarfutils (Minor issue) NOTE: https://sourceforge.net/p/libdwarf/code/ci/ac6673e32f3443a5d36c2217cb814000930b2c54/ CVE-2016-5030 (The _dwarf_calculate_info_section_end_ptr function in libdwarf before ...) - dwarfutils 20160507+git20160523.9086738-1 [jessie] - dwarfutils (Minor issue) [wheezy] - dwarfutils (Minor issue) NOTE: https://sourceforge.net/p/libdwarf/code/ci/6fa3f710ee6f21bba7966b963033a91d77c952bd/ CVE-2016-5029 (The create_fullest_file_path function in libdwarf before 20160923 allo ...) - dwarfutils 20160507+git20160523.9086738-1 [jessie] - dwarfutils (Minor issue) [wheezy] - dwarfutils (Minor issue) NOTE: https://sourceforge.net/p/libdwarf/code/ci/acae971371daa23a19358bc62204007d258fbc5e/ CVE-2016-5028 (The print_frame_inst_bytes function in libdwarf before 20160923 allows ...) - dwarfutils 20160507+git20160523.9086738-1 [jessie] - dwarfutils (Minor issue) [wheezy] - dwarfutils (Minor issue) NOTE: https://sourceforge.net/p/libdwarf/code/ci/a55b958926cc67f89a512ed30bb5a22b0adb10f4/ CVE-2016-5027 (dwarf_form.c in libdwarf 20160115 allows remote attackers to cause a d ...) - dwarfutils 20160507+git20160523.9086738-1 [jessie] - dwarfutils (Minor issue) [wheezy] - dwarfutils (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1330237 CVE-2016-5026 (hs.py in OnionShare before 0.9.1 allows local users to modify the hidd ...) - onionshare 0.8.1-2 (unimportant) [jessie] - onionshare (Vulnerable code not present) NOTE: Neutralised by kernel hardening (also contrib and non-free not supported) CVE-2016-4963 (The libxl device-handling in Xen through 4.6.x allows local guest OS u ...) {DLA-1493-1} - xen 4.8.0~rc3-1 [wheezy] - xen (Minor issue, too intrusive to backport, libvirt doesn't have libxl driver enabled) NOTE: http://xenbits.xen.org/xsa/advisory-178.html CVE-2016-4962 (The libxl device-handling in Xen 4.6.x and earlier allows local OS gue ...) {DSA-3633-1} - xen 4.8.0~rc3-1 [wheezy] - xen (Too intrusive to backport, libvirt doesn't have libxl driver enabled) NOTE: http://xenbits.xen.org/xsa/advisory-175.html CVE-2016-4961 (For the NVIDIA Quadro, NVS, and GeForce products, improper sanitizatio ...) NOT-FOR-US: NVIDIA Windows drivers CVE-2016-4960 (For the NVIDIA Quadro, NVS, and GeForce products, the NVIDIA NVStreamK ...) NOT-FOR-US: NVIDIA Windows drivers CVE-2016-4959 (For the NVIDIA Quadro, NVS, and GeForce products, there is a Remote De ...) NOT-FOR-US: NVIDIA Windows drivers CVE-2016-4958 RESERVED CVE-2016-4957 (ntpd in NTP before 4.2.8p8 allows remote attackers to cause a denial o ...) - ntp 1:4.2.8p8+dfsg-1 [jessie] - ntp (Fix for CVE-2016-1547 wasn't backported) [wheezy] - ntp (Fix for CVE-2016-1547 wasn't backported) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#June_2016_ntp_4_2_8p8_NTP_Securi NOTE: http://support.ntp.org/bin/view/Main/NtpBug3046 CVE-2016-4956 (ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a deni ...) - ntp 1:4.2.8p8+dfsg-1 [jessie] - ntp (Fix for CVE-2016-1548 wasn't backported) [wheezy] - ntp (Fix for CVE-2016-1548 wasn't backported) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#June_2016_ntp_4_2_8p8_NTP_Securi NOTE: http://support.ntp.org/bin/view/Main/NtpBug3042 CVE-2016-4955 (ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote ...) - ntp 1:4.2.8p8+dfsg-1 [jessie] - ntp (Minor issue) [wheezy] - ntp (Minor issue) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#June_2016_ntp_4_2_8p8_NTP_Securi NOTE: http://support.ntp.org/bin/view/Main/NtpBug3043 CVE-2016-4954 (The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4 ...) - ntp 1:4.2.8p8+dfsg-1 [jessie] - ntp (Minor issue) [wheezy] - ntp (Minor issue) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#June_2016_ntp_4_2_8p8_NTP_Securi NOTE: http://support.ntp.org/bin/view/Main/NtpBug3044 CVE-2016-4953 (ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a deni ...) - ntp 1:4.2.8p8+dfsg-1 [jessie] - ntp (Upstream fix for CVE-2016-1547 or CVE-2015-7979 wasn't backported) [wheezy] - ntp (Fix for CVE-2016-1547 or CVE-2015-7979 wasn't backported) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#June_2016_ntp_4_2_8p8_NTP_Securi NOTE: http://support.ntp.org/bin/view/Main/NtpBug3045 CVE-2016-5117 (OpenNTPD before 6.0p1 does not validate the CN for HTTPS constraint re ...) - openntpd 1:6.0p1-1 (bug #825856; unimportant) [jessie] - openntpd (Vulnerable code introduced later) [wheezy] - openntpd (Vulnerable code introduced later) NOTE: http://www.openwall.com/lists/oss-security/2016/05/23/2 NOTE: Authenticated TLS "contraints" introduced in 2015-03-24 OpenNTPD 5.7p4 NOTE: Option is not enabled at buildtime. CVE-2016-4964 (The mptsas_fetch_requests function in hw/scsi/mptsas.c in QEMU (aka Qu ...) - qemu 1:2.6+dfsg-2 (bug #825207) [jessie] - qemu (LSI SAS1068 (mptsas) device support added later) [wheezy] - qemu (LSI SAS1068 (mptsas) device support added later) - qemu-kvm (LSI SAS1068 (mptsas) device support added later) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg04027.html NOTE: Introduced by: http://git.qemu.org/?p=qemu.git;a=commit;h=e351b82611293683c4cabe4b69b7552bde5d4e2a (v2.6.0-rc0) CVE-2016-4950 (Cloudera Manager 5.5 and earlier allows remote attackers to enumerate ...) NOT-FOR-US: Cloudera Manager CVE-2016-4949 (Cloudera Manager 5.5 and earlier allows remote attackers to obtain sen ...) NOT-FOR-US: Cloudera Manager CVE-2016-4948 (Multiple cross-site scripting (XSS) vulnerabilities in Cloudera Manage ...) NOT-FOR-US: Cloudera Manager CVE-2016-4947 (Cloudera HUE 3.9.0 and earlier allows remote attackers to enumerate us ...) NOT-FOR-US: Cloudera HUE CVE-2016-4946 (Multiple cross-site scripting (XSS) vulnerabilities in Cloudera HUE 3. ...) NOT-FOR-US: Cloudera HUE CVE-2016-4945 (Cross-site scripting (XSS) vulnerability in vpn/js/gateway_login_form_ ...) NOT-FOR-US: Citrix NetScaler Gateway CVE-2015-8880 (Double free vulnerability in the format printer in PHP 7.x before 7.0. ...) - php7.0 7.0.1-1 CVE-2015-8879 (The odbc_bindcols function in ext/odbc/php_odbc.c in PHP before 5.6.12 ...) {DLA-499-1} - php5 5.6.12+dfsg-1 [jessie] - php5 5.6.12+dfsg-0+deb8u1 - php7.0 7.0.0-1 NOTE: Fixed in PHP 5.6.12, 7.0.0 NOTE: PHP bug: https://bugs.php.net/bug.php?id=69975 CVE-2015-8878 (main/php_open_temporary_file.c in PHP before 5.5.28 and 5.6.x before 5 ...) {DLA-499-1} - php5 5.6.12+dfsg-1 [jessie] - php5 5.6.12+dfsg-0+deb8u1 NOTE: Fixed in PHP 5.6.12, 5.5.28 NOTE: PHP bug: https://bugs.php.net/bug.php?id=70002 CVE-2015-8877 (The gdImageScaleTwoPass function in gd_interpolation.c in the GD Graph ...) {DSA-3587-1} - libgd2 2.2.1-1 [wheezy] - libgd2 (Vulnerable code not present) NOTE: https://github.com/libgd/libgd/commit/4751b606fa38edc456d627140898a7ec679fcc24 (gd-2.2.0) NOTE: https://github.com/libgd/libgd/issues/173 - php5 5.6.12+dfsg-1 (unimportant) [jessie] - php5 5.6.12+dfsg-0+deb8u1 - php7.0 7.0.0-1 (unimportant) NOTE: PHP bug: https://bugs.php.net/bug.php?id=70064 NOTE: Fixed in PHP 5.6.12, 7.0.0 NOTE: Starting with 5.4.0-1 Debian uses the system copy of libgd CVE-2015-8876 (Zend/zend_exceptions.c in PHP before 5.4.44, 5.5.x before 5.5.28, and ...) - php5 5.6.12+dfsg-1 [jessie] - php5 5.6.12+dfsg-0+deb8u1 [wheezy] - php5 5.4.44-0+deb7u1 - php7.0 7.0.0-1 NOTE: Fixed in PHP 7.0.0, 5.6.12, 5.5.28, 5.4.44 NOTE: PHP bug: https://bugs.php.net/bug.php?id=70121 CVE-2016-XXXX [mediawiki issues from 1.26.3, 1.25.6 and 1.23.14] - mediawiki 1:1.27.0-1 [wheezy] - mediawiki (Not supported in Wheezy LTS) NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-May/000188.html CVE-2016-4952 (QEMU (aka Quick Emulator), when built with VMWARE PVSCSI paravirtual S ...) {DLA-1599-1} - qemu 1:2.6+dfsg-2 (bug #825210) [wheezy] - qemu (VMWare PVSCSI paravirtual device implementation introduced later) - qemu-kvm (VMWare PVSCSI paravirtual device implementation introduced later) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg03774.html NOTE: Introduced in: http://git.qemu.org/?p=qemu.git;a=commit;h=881d588a98bf0dce98ddb65c15aa0854c0ac41ed (v1.5.0-rc0) CVE-2016-4951 (The tipc_nl_publ_dump function in net/tipc/socket.c in the Linux kerne ...) - linux 4.5.5-1 [jessie] - linux (Introduced in 3.19) [wheezy] - linux (Introduced in 3.19) NOTE: http://lists.openwall.net/netdev/2016/05/14/28 NOTE: Fixed by: https://git.kernel.org/linus/45e093ae2830cd1264677d47ff9a95a71f5d9f9c NOTE: Introduced by: https://git.kernel.org/linus/1a1a143daf84db95dd7212086042004a3abb7bc2 (v3.19-rc1) CVE-2016-4944 RESERVED CVE-2016-4943 RESERVED CVE-2016-4942 RESERVED CVE-2016-4941 REJECTED CVE-2016-4940 REJECTED CVE-2016-4939 REJECTED CVE-2016-4938 REJECTED CVE-2016-4937 REJECTED CVE-2016-4936 REJECTED CVE-2016-4935 REJECTED CVE-2016-4934 REJECTED CVE-2016-4933 REJECTED CVE-2016-4932 REJECTED CVE-2016-4931 (XML entity injection in Junos Space before 15.2R2 allows attackers to ...) NOT-FOR-US: Juniper CVE-2016-4930 (Cross-site scripting (XSS) vulnerability in Junos Space before 15.2R2 ...) NOT-FOR-US: Juniper CVE-2016-4929 (Command injection vulnerability in Junos Space before 15.2R2 allows at ...) NOT-FOR-US: Juniper CVE-2016-4928 (Cross site request forgery vulnerability in Junos Space before 15.2R2 ...) NOT-FOR-US: Juniper CVE-2016-4927 (Insufficient validation of SSH keys in Junos Space before 15.2R2 allow ...) NOT-FOR-US: Juniper CVE-2016-4926 (Insufficient authentication vulnerability in Junos Space before 15.2R2 ...) NOT-FOR-US: Juniper CVE-2016-4925 (Receipt of a specifically malformed IPv6 packet processed by the route ...) NOT-FOR-US: Juniper CVE-2016-4924 (An incorrect permissions vulnerability in Juniper Networks Junos OS on ...) NOT-FOR-US: Juniper CVE-2016-4923 (Insufficient cross site scripting protection in J-Web component in Jun ...) NOT-FOR-US: Juniper CVE-2016-4922 (Certain combinations of Junos OS CLI commands and arguments have been ...) NOT-FOR-US: Juniper CVE-2016-4921 (By flooding a Juniper Networks router running Junos OS with specially ...) NOT-FOR-US: Juniper CVE-2016-4920 RESERVED CVE-2016-4919 RESERVED CVE-2016-4918 RESERVED CVE-2016-4917 RESERVED CVE-2016-4916 RESERVED CVE-2016-4915 RESERVED CVE-2016-4914 RESERVED CVE-2016-1000001 (flask-oidc version 0.1.2 and earlier is vulnerable to an open redirect ...) NOT-FOR-US: flask-oidc CVE-2016-1000000 (Ipswitch WhatsUp Gold 16.4.1 WrFreeFormText.asp sUniqueID Parameter Bl ...) NOT-FOR-US: Ipswitch CVE-2016-4910 (Cybozu Garoon 3.0.0 to 4.2.2 allows remote authenticated attackers to ...) NOT-FOR-US: Cybozu CVE-2016-4909 (Cross-site request forgery (CSRF) vulnerability in Cybozu Garoon 3.0.0 ...) NOT-FOR-US: Cybozu CVE-2016-4908 (Cybozu Garoon 3.0.0 to 4.2.2 allows remote authenticated attackers to ...) NOT-FOR-US: Cybozu CVE-2016-4907 (Cybozu Garoon 3.0.0 to 4.2.2 allow remote attackers to obtain CSRF tok ...) NOT-FOR-US: Cybozu CVE-2016-4906 (Cross-site scripting vulnerability in Cybozu Garoon 3.0.0 to 4.2.2 all ...) NOT-FOR-US: Cybozu CVE-2016-4905 (SQL injection vulnerability in the WP-OliveCart versions prior to 3.1. ...) NOT-FOR-US: WP-OliveCart CVE-2016-4904 (Cross-site request forgery (CSRF) vulnerability in WP-OliveCart versio ...) NOT-FOR-US: WP-OliveCart CVE-2016-4903 (Cross-site scripting vulnerability in WP-OliveCart versions prior to 3 ...) NOT-FOR-US: WP-OliveCart CVE-2016-4902 (Untrusted search path vulnerability in The Public Certification Servic ...) NOT-FOR-US: Public Certification Service for Individuals CVE-2016-4901 (Untrusted search path vulnerability in The installer of e-Tax Software ...) NOT-FOR-US: e-Tax CVE-2016-4900 (Untrusted search path vulnerability in Evernote for Windows versions p ...) NOT-FOR-US: Evernote CVE-2016-4899 (The datamover module in the Linux version of NovaBACKUP DataCenter bef ...) NOT-FOR-US: NovaBACKUP CVE-2016-4898 (The datamover module in the Linux version of NovaBACKUP DataCenter bef ...) NOT-FOR-US: NovaBACKUP CVE-2016-4897 (Multiple cross-site scripting (XSS) vulnerabilities in (1) filter/save ...) NOT-FOR-US: Usermin CVE-2016-4896 (SetsucoCMS all versions does not properly manage sessions, which allow ...) NOT-FOR-US: SetucoCMS CVE-2016-4895 (SetsucoCMS all versions allows remote authenticated attackers to condu ...) NOT-FOR-US: SetucoCMS CVE-2016-4894 (SetsucoCMS all versions allows remote attackers to cause a denial of s ...) NOT-FOR-US: SetucoCMS CVE-2016-4893 (SQL injection vulnerability in the SetsucoCMS all versions allows remo ...) NOT-FOR-US: SetucoCMS CVE-2016-4892 (Cross-site scripting vulnerability in SetsucoCMS all versions allows r ...) NOT-FOR-US: SetucoCMS CVE-2016-4891 (Cross-site request forgery (CSRF) vulnerability in SetsucoCMS all vers ...) NOT-FOR-US: SetucoCMS CVE-2016-4890 (ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method ...) NOT-FOR-US: ZOHO ManageEngine ServiceDesk Plus CVE-2016-4889 (ZOHO ManageEngine ServiceDesk Plus before 9.0 allows remote authentica ...) NOT-FOR-US: ZOHO ManageEngine ServiceDesk Plus CVE-2016-4888 (Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ServiceD ...) NOT-FOR-US: ZOHO ManageEngine ServiceDesk Plus CVE-2016-4887 (Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Upl ...) NOT-FOR-US: baserCMS CVE-2016-4886 (Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Mai ...) NOT-FOR-US: baserCMS CVE-2016-4885 (Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Fee ...) NOT-FOR-US: baserCMS CVE-2016-4884 (Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Blo ...) NOT-FOR-US: baserCMS CVE-2016-4883 (Cross-site scripting vulnerability in baserCMS version 3.0.10 and earl ...) NOT-FOR-US: baserCMS CVE-2016-4882 (Cross-site request forgery (CSRF) vulnerability in baserCMS version 3. ...) NOT-FOR-US: baserCMS CVE-2016-4881 (Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Blo ...) NOT-FOR-US: baserCMS CVE-2016-4880 (Cross-site scripting vulnerability in baserCMS plugin Blog version 3.0 ...) NOT-FOR-US: baserCMS CVE-2016-4879 (Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Mai ...) NOT-FOR-US: baserCMS CVE-2016-4878 (Cross-site request forgery (CSRF) vulnerability in baserCMS version 3. ...) NOT-FOR-US: baserCMS CVE-2016-4877 (Cross-site scripting vulnerability in baserCMS plugin Mail version 3.0 ...) NOT-FOR-US: baserCMS CVE-2016-4876 (Cross-site request forgery (CSRF) vulnerability in baserCMS version 3. ...) NOT-FOR-US: baserCMS CVE-2016-4875 (Multiple cross-site scripting (XSS) vulnerabilities in the IVYWE (1) A ...) NOT-FOR-US: IVYWE CVE-2016-4874 (Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to conduct ...) NOT-FOR-US: Cybozu CVE-2016-4873 (Cybozu Office 9.0.0 to 10.4.0 allows remote authenticated attackers to ...) NOT-FOR-US: Cybozu CVE-2016-4872 (Cybozu Office 9.0.0 to 10.4.0 allows remote authenticated attackers to ...) NOT-FOR-US: Cybozu CVE-2016-4871 (Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to cause a ...) NOT-FOR-US: Cybozu CVE-2016-4870 (Cross-site scripting vulnerability in Cybozu Office 9.0.0 to 10.4.0 al ...) NOT-FOR-US: Cybozu CVE-2016-4869 (Cybozu Office 9.0.0 to 10.4.0 allow remote attackers to obtain session ...) NOT-FOR-US: Cybozu CVE-2016-4868 (Email header injection vulnerability in Cybozu Office 9.0.0 to 10.4.0 ...) NOT-FOR-US: Cybozu CVE-2016-4867 (Cybozu Office 9.0.0 to 10.4.0 allows remote authenticated attackers to ...) NOT-FOR-US: Cybozu CVE-2016-4866 (Cross-site scripting vulnerability in Cybozu Office 9.0.0 to 10.4.0 al ...) NOT-FOR-US: Cybozu CVE-2016-4865 (Cross-site scripting vulnerability in Cybozu Office 9.0.0 to 10.4.0 al ...) NOT-FOR-US: Cybozu CVE-2016-4864 (H2O versions 2.0.3 and earlier and 2.1.0-beta2 and earlier allows remo ...) - h2o (Fixed before initial upload to Debian) NOTE: https://github.com/h2o/h2o/issues/1077 CVE-2016-4863 (The Toshiba FlashAir SD-WD/WC series Class 6 model with firmware versi ...) NOT-FOR-US: Toshiba FlashAir CVE-2016-4862 (Twigmo bundled with CS-Cart 4.3.9 and earlier and Twigmo bundled with ...) NOT-FOR-US: Twigmo CVE-2016-4861 (The (1) order and (2) group methods in Zend_Db_Select in the Zend Fram ...) {DLA-1403-1 DLA-646-1} - zendframework 1.12.20+dfsg-1 NOTE: http://framework.zend.com/security/advisory/ZF2016-03 NOTE: This security fix can be considered an improvement of the previous ZF2016-02 NOTE: and ZF2014-04 advisories. NOTE: Fixed by: https://github.com/zendframework/zf1/commit/b1c71dd94296d9000127720c85a7ea9e3b35af4b (1.12.20) CVE-2016-4860 (Yokogawa STARDOM FCN/FCJ controller R1.01 through R4.01 does not requi ...) NOT-FOR-US: Yokogawa STARDOM CVE-2016-4859 (Open redirect vulnerability in Splunk Enterprise 6.4.x prior to 6.4.3, ...) NOT-FOR-US: Splunk CVE-2016-4858 (Cross-site scripting vulnerability in Splunk Enterprise 6.4.x prior to ...) NOT-FOR-US: Splunk CVE-2016-4857 (Open redirect vulnerability in Splunk Enterprise 6.4.x prior to 6.4.2, ...) NOT-FOR-US: Splunk CVE-2016-4856 (Cross-site scripting vulnerability in Splunk Enterprise 6.3.x prior to ...) NOT-FOR-US: Splunk CVE-2016-4855 (Cross-site scripting vulnerability in ADOdb versions prior to 5.20.6 a ...) {DLA-620-1} - libphp-adodb 5.20.6-1 (unimportant; bug #837418) [jessie] - libphp-adodb 5.15-1+deb8u1 NOTE: https://github.com/ADOdb/ADOdb/issues/274 NOTE: https://jvn.jp/en/jp/JVN48237713/ NOTE: https://github.com/ADOdb/ADOdb/commit/ecb93d8c1 NOTE: Vulnerable file is shipped as an example only CVE-2016-4854 (Cross-site request forgery (CSRF) vulnerability in L-04D firmware vers ...) NOT-FOR-US: L-04D firmware CVE-2016-4853 (AKABEi SOFT2 games allow remote attackers to execute arbitrary OS comm ...) NOT-FOR-US: AKABEi SOFT2 CVE-2016-4852 (YoruFukurou (NightOwl) before 2.85 relies on support for emoji skin-to ...) NOT-FOR-US: YoruFukurou CVE-2016-4851 (Cross-site scripting (XSS) vulnerability in Let's PHP! simple chat bef ...) NOT-FOR-US: Let's PHP! simple chat CVE-2016-4850 (LINE for Windows before 4.8.3 allows man-in-the-middle attackers to ex ...) NOT-FOR-US: LINE for Windows CVE-2016-4849 (Multiple cross-site scripting (XSS) vulnerabilities in Geeklog IVYWE e ...) NOT-FOR-US: Geeklog CVE-2016-4848 (Cross-site scripting (XSS) vulnerability in ClipBucket before 2.8.1 RC ...) NOT-FOR-US: ClipBucket CVE-2016-4847 (Cross-site scripting (XSS) vulnerability in site/search.php in OSSEC W ...) NOT-FOR-US: OSSEC Web UI CVE-2016-4846 (Untrusted search path vulnerability in the installer of PhishWall Clie ...) NOT-FOR-US: PhishWall Client Internet Explorer CVE-2016-4845 (Cross-site request forgery (CSRF) vulnerability on I-O DATA DEVICE HVL ...) NOT-FOR-US: I-O DATA CVE-2016-4844 (Cybozu Mailwise before 5.4.0 allows remote attackers to conduct clickj ...) NOT-FOR-US: Cybozu CVE-2016-4843 (Cybozu Mailwise before 5.4.0 allows remote attackers to obtain sensiti ...) NOT-FOR-US: Cybozu CVE-2016-4842 (Cybozu Mailwise before 5.4.0 allows remote attackers to obtain informa ...) NOT-FOR-US: Cybozu CVE-2016-4841 (Cybozu Mailwise before 5.4.0 allows remote attackers to inject arbitra ...) NOT-FOR-US: Cybozu CVE-2016-4840 (Coordinate Plus App for Android 1.0.2 and earlier and Coordinate Plus ...) NOT-FOR-US: Coordinate Plus App for Android CVE-2016-4839 (The Android Apps Money Forward (prior to v7.18.0), Money Forward for T ...) NOT-FOR-US: Money Forward CVE-2016-4838 (The Android Apps Money Forward (prior to v7.18.0), Money Forward for T ...) NOT-FOR-US: Money Forward CVE-2016-4837 (SQL injection vulnerability in the Seed Coupon plugin before 1.6 for E ...) NOT-FOR-US: EC-CUBE CVE-2016-4836 REJECTED CVE-2016-4835 REJECTED CVE-2016-4834 (modules/Users/actions/Save.php in Vtiger CRM 6.4.0 and earlier does no ...) NOT-FOR-US: Vtiger CVE-2016-4833 (Cross-site scripting (XSS) vulnerability in the Nofollow Links plugin ...) NOT-FOR-US: Nofollow Links plugin for WordPress CVE-2016-4832 (WAON "Service Application" for Android 1.4.1 and earlier does not veri ...) NOT-FOR-US: WAON "Service Application" for Android CVE-2016-4831 (Untrusted search path vulnerability in LINE and LINE Installer 4.7.0 a ...) NOT-FOR-US: LINE CVE-2016-4830 (Sushiro App for iOS 2.1.16 and earlier and Sushiro App for Android 2.1 ...) NOT-FOR-US: Sushiro App CVE-2016-4829 (DMM Movie Player App for Android before 1.2.1, and DMM Movie Player Ap ...) NOT-FOR-US: DMM Movie Player App CVE-2016-4828 (The Collne Welcart e-Commerce plugin before 1.8.3 for WordPress mishan ...) NOT-FOR-US: Collne Welcart e-Commerce plugin for WordPress CVE-2016-4827 (Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Comme ...) NOT-FOR-US: Collne Welcart e-Commerce plugin for WordPress CVE-2016-4826 (Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Comme ...) NOT-FOR-US: Collne Welcart e-Commerce plugin for WordPress CVE-2016-4825 (The Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows ...) NOT-FOR-US: Collne Welcart e-Commerce plugin for WordPress CVE-2016-4824 (The Wi-Fi Protected Setup (WPS) implementation on Corega CG-WLR300GNV ...) NOT-FOR-US: Corega CVE-2016-4823 (Corega CG-WLBARAGM devices allow remote attackers to cause a denial of ...) NOT-FOR-US: Corega CVE-2016-4822 (Corega CG-WLBARGL devices allow remote authenticated users to execute ...) NOT-FOR-US: Corega CVE-2016-4821 (I-O DATA DEVICE ETX-R devices allow remote attackers to cause a denial ...) NOT-FOR-US: I-O DATA CVE-2016-4820 (Cross-site request forgery (CSRF) vulnerability on I-O DATA DEVICE ETX ...) NOT-FOR-US: I-O DATA CVE-2016-4819 (The printfDx function in Takumi Yamada DX Library for Borland C++ 3.13 ...) NOT-FOR-US: Borland CVE-2016-4818 (DMMFX Trade for Android 1.5.0 and earlier, DMMFX DEMO Trade for Androi ...) NOT-FOR-US: DMMFX CVE-2016-4817 (lib/http2/connection.c in H2O before 1.7.3 and 2.x before 2.0.0-beta5 ...) - h2o (Fixed before initial upload to Debian) NOTE: https://github.com/h2o/h2o/pull/920 NOTE: https://github.com/h2o/h2o/commit/1c0808d580da09fdec5a9a74ff09e103ea058dd4 CVE-2016-4816 (BUFFALO WZR-600DHP3 devices with firmware 2.16 and earlier and WZR-S60 ...) NOT-FOR-US: BUFFALO CVE-2016-4815 (Directory traversal vulnerability on BUFFALO WZR-600DHP3 devices with ...) NOT-FOR-US: BUFFALO CVE-2016-4814 (Directory traversal vulnerability in kml2jsonp.php in Geospatial Infor ...) NOT-FOR-US: Old_GSI_Maps CVE-2016-4813 (NetCommons 2.4.2.1 and earlier allows remote authenticated secretariat ...) NOT-FOR-US: NetCommons CVE-2016-4812 (Cross-site scripting (XSS) vulnerability in the Markdown on Save Impro ...) NOT-FOR-US: Markdown on Save Improved plugin for WordPress CVE-2016-4811 (The NTT Broadband Platform Japan Connected-free Wi-Fi application 1.15 ...) NOT-FOR-US: NTT CVE-2016-4810 (Citrix Studio before 7.6.1000, Citrix XenDesktop 7.x before 7.6 LTSR C ...) NOT-FOR-US: Citrix CVE-2016-4913 (The get_rock_ridge_filename function in fs/isofs/rock.c in the Linux k ...) {DSA-3607-1 DLA-516-1} - linux 4.5.4-1 NOTE: Fixed by: https://git.kernel.org/linus/99d825822eade8d827a1817357cbf3f889a552d6 (v4.6) CVE-2016-4912 (The _xrealloc function in xlsp_xmalloc.c in OpenSLP 2.0.0 allows remot ...) - openslp-dfsg (Vulnerable code not present) NOTE: Issue present only in OpenSLP 2.x where the return from malloc isn't checked. CVE-2016-4911 (The Fernet Token Provider in OpenStack Identity (Keystone) 9.0.x befor ...) - keystone 2:9.0.0-2 (bug #824683) [jessie] - keystone (affects only 9.0.0) [wheezy] - keystone (affects only 9.0.0) NOTE: https://launchpad.net/bugs/1577558 CVE-2016-4809 (The archive_read_format_cpio_read_header function in archive_read_supp ...) {DSA-3657-1 DLA-554-1} - libarchive 3.2.1-1 NOTE: https://github.com/libarchive/libarchive/issues/705 NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/fd7e0c02e272913a0a8b6d492c7260dfca0b1408 (v3.2.1) CVE-2016-10321 (web2py before 2.14.6 does not properly check if a host is denied befor ...) - web2py (bug #860038) [jessie] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) [wheezy] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) NOTE: https://github.com/web2py/web2py/issues/1585#issuecomment-284317919 NOTE: https://github.com/web2py/web2py/commit/944d8bd8f3c5cf8ae296fc03d149056c65358426 CVE-2016-4808 (Web2py versions 2.14.5 and below was affected by CSRF (Cross Site Requ ...) - web2py (bug #856127) [jessie] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) [wheezy] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) NOTE: https://github.com/web2py/web2py/issues/1585 NOTE: https://github.com/web2py/web2py/commit/4bd002aee978813bc664cf186ef38ff4e8bbe1cd CVE-2016-4807 (Web2py versions 2.14.5 and below was affected by Reflected XSS vulnera ...) - web2py (bug #856127) [jessie] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) [wheezy] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) NOTE: https://github.com/web2py/web2py/issues/1585 NOTE: https://github.com/web2py/web2py/commit/51c3b633fe7ad647bc3013e899c1e3a910362dd1 CVE-2016-4806 (Web2py versions 2.14.5 and below was affected by Local File Inclusion ...) - web2py (bug #856127) [jessie] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) [wheezy] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) NOTE: https://github.com/web2py/web2py/issues/1585 NOTE: https://github.com/web2py/web2py/issues/1316 NOTE: https://github.com/web2py/web2py/commit/1b42fe65472930668435007cfcb077207051ba34 CVE-2016-4803 (CRLF injection vulnerability in the send email functionality in dotCMS ...) NOT-FOR-US: dotCMS CVE-2016-4802 (Multiple untrusted search path vulnerabilities in cURL and libcurl bef ...) - curl (Windows only) CVE-2016-4801 RESERVED CVE-2016-4800 (The path normalization mechanism in PathResource class in Eclipse Jett ...) - jetty9 (Only affects Jetty >= 9.3.0, Jetty <= 9.3.8) - jetty8 (Only affects 9.3.x) - jetty (Only affects 9.3.x) NOTE: http://www.ocert.org/advisories/ocert-2016-001.html CVE-2015-8874 (Stack consumption vulnerability in GD in PHP before 5.6.12 allows remo ...) {DSA-3587-1 DLA-482-1} - libgd2 2.2.1-1 (bug #824627) NOTE: https://github.com/libgd/libgd/commit/38241013cc048af7c03daf6e9a75b4f42bffb200 - php5 5.6.12+dfsg-1 (unimportant) [jessie] - php5 5.6.12+dfsg-0+deb8u1 - php7.0 7.0.0-1 (unimportant) NOTE: PHP bug: https://bugs.php.net/bug.php?id=66387 NOTE: Fixed in 5.6.12, 7.0.0 NOTE: Starting with 5.4.0-1 Debian uses the system copy of libgd CVE-2015-8873 (Stack consumption vulnerability in Zend/zend_exceptions.c in PHP befor ...) - php5 5.6.12+dfsg-1 [jessie] - php5 5.6.12+dfsg-0+deb8u1 [wheezy] - php5 5.4.44-0+deb7u1 NOTE: Fixed in 5.6.12, 5.5.28, 5.4.44 NOTE: PHP bug: https://bugs.php.net/bug.php?id=69793 CVE-2016-4805 (Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the L ...) {DSA-3607-1} - linux 4.5.2-1 [wheezy] - linux 3.2.81-1 NOTE: Fixed by: https://git.kernel.org/linus/1f461dcdd296eecedaffffc6bae2bfa90bd7eb89 (v4.6-rc1) NOTE: Introduced by: https://git.kernel.org/linus/273ec51dd7ceaa76e038875d85061ec856d8905e (v2.6.30) CVE-2016-4804 (The read_boot function in boot.c in dosfstools before 4.0 allows attac ...) {DLA-2224-1 DLA-474-1} - dosfstools 4.0-1 NOTE: https://github.com/dosfstools/dosfstools/issues/25 NOTE: https://github.com/dosfstools/dosfstools/issues/26 NOTE: https://github.com/dosfstools/dosfstools/commit/e8eff147e9da1185f9afd5b25948153a3b97cf52 CVE-2016-4799 RESERVED CVE-2016-4798 RESERVED CVE-2016-4795 RESERVED CVE-2016-4793 (The clientIp function in CakePHP 3.2.4 and earlier allows remote attac ...) {DLA-835-1} - cakephp 2.8.3-1 [jessie] - cakephp (Minor issue) NOTE: http://legalhackers.com/advisories/CakePHP-IP-Spoofing-Vulnerability.txt NOTE: https://bakery.cakephp.org/2016/03/13/cakephp_2613_2711_282_3017_3112_325_released.html NOTE: Fixed by https://github.com/cakephp/cakephp/commit/48af49ddde16c8b99edb701f1c31283455b2b0b6 CVE-2016-4792 (Pulse Connect Secure (PCS) 8.2 before 8.2r1 allows remote attackers to ...) NOT-FOR-US: Pulse Connect Secure CVE-2016-4791 (The administrative user interface in Pulse Connect Secure (PCS) 8.2 be ...) NOT-FOR-US: Pulse Connect Secure CVE-2016-4790 (Cross-site scripting (XSS) vulnerability in the administrative user in ...) NOT-FOR-US: Pulse Connect Secure CVE-2016-4789 (Cross-site scripting (XSS) vulnerability in the system configuration s ...) NOT-FOR-US: Pulse Connect Secure CVE-2016-4788 (Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 bef ...) NOT-FOR-US: Pulse Connect Secure CVE-2016-4787 (Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 bef ...) NOT-FOR-US: Pulse Connect Secure CVE-2016-4786 (Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r3, 8.0 bef ...) NOT-FOR-US: Pulse Connect Secure CVE-2014-9776 RESERVED CVE-2014-9775 RESERVED CVE-2014-9774 RESERVED CVE-2010-5326 (The Invoker Servlet on SAP NetWeaver Application Server Java platforms ...) NOT-FOR-US: SAP CVE-2016-4785 (A vulnerability has been identified in Firmware variant PROFINET IO fo ...) NOT-FOR-US: Siemens CVE-2016-4784 (A vulnerability has been identified in firmware variant PROFINET IO fo ...) NOT-FOR-US: Siemens CVE-2016-4783 (Cross-site scripting (XSS) vulnerability in Lenovo SHAREit before 3.5. ...) NOT-FOR-US: Lenovo CVE-2016-4782 (Lenovo SHAREit before 3.5.98_ww on Android before 4.2 allows remote at ...) NOT-FOR-US: Lenovo CVE-2016-4781 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-4780 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-4779 (Apple Type Services (ATS) in Apple OS X before 10.12 allows remote att ...) NOT-FOR-US: Apple CVE-2016-4778 (The kernel in Apple iOS before 10, OS X before 10.12, tvOS before 10, ...) NOT-FOR-US: Apple CVE-2016-4777 (The kernel in Apple iOS before 10, OS X before 10.12, tvOS before 10, ...) NOT-FOR-US: Apple CVE-2016-4776 (The kernel in Apple iOS before 10, OS X before 10.12, tvOS before 10, ...) NOT-FOR-US: Apple CVE-2016-4775 (The kernel in Apple OS X before 10.12, tvOS before 10, and watchOS bef ...) NOT-FOR-US: Apple CVE-2016-4774 (The kernel in Apple iOS before 10, OS X before 10.12, tvOS before 10, ...) NOT-FOR-US: Apple CVE-2016-4773 (The kernel in Apple iOS before 10, OS X before 10.12, tvOS before 10, ...) NOT-FOR-US: Apple CVE-2016-4772 (The kernel in Apple iOS before 10, OS X before 10.12, tvOS before 10, ...) NOT-FOR-US: Apple CVE-2016-4771 (The kernel in Apple iOS before 10 and OS X before 10.12 allows local u ...) NOT-FOR-US: Apple CVE-2016-4770 REJECTED CVE-2016-4769 (WebKit in Apple iTunes before 12.5.1 on Windows and Safari before 10 a ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-4768 (WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1 on ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-4767 (WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1 on ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-4766 (WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1 on ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-4765 (WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1 on ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-4764 (An issue was discovered in certain Apple products. iOS before 10 is af ...) NOT-FOR-US: Apple CVE-2016-4763 (WKWebView in WebKit in Apple iOS before 10, iTunes before 12.5.1 on Wi ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-4762 (WebKit in Apple iOS before 10, iTunes before 12.5.1 on Windows, iCloud ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-4761 (WebKitGTK+ before 2.14.0: A use-after-free vulnerability can allow rem ...) - webkitgtk (unimportant) NOTE: http://www.openwall.com/lists/oss-security/2016/11/04/14 NOTE: Not covered by security support CVE-2016-4760 (WebKit in Apple iOS before 10, iTunes before 12.5.1 on Windows, and Sa ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-4759 (WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1 on ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-4758 (WebKit in Apple iOS before 10, iTunes before 12.5.1 on Windows, and Sa ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-4757 REJECTED CVE-2016-4756 REJECTED CVE-2016-4755 (Terminal in Apple OS X before 10.12 uses weak permissions for the .bas ...) NOT-FOR-US: Apple CVE-2016-4754 (ServerDocs Server in Apple OS X Server before 5.2 supports the RC4 cip ...) NOT-FOR-US: Apple CVE-2016-4753 (Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS be ...) NOT-FOR-US: Apple CVE-2016-4752 (The SecKeyDeriveFromPassword function in Apple OS X before 10.12 does ...) NOT-FOR-US: Apple CVE-2016-4751 (The Safari Tabs component in Apple Safari before 10 allows remote atta ...) NOT-FOR-US: Apple CVE-2016-4750 (S2 Camera in Apple iOS before 10 and OS X before 10.12 allows attacker ...) NOT-FOR-US: Apple CVE-2016-4749 (Printing UIKit in Apple iOS before 10 mishandles environment variables ...) NOT-FOR-US: Apple CVE-2016-4748 (Perl in Apple OS X before 10.12 allows local users to bypass the taint ...) NOT-FOR-US: Apple CVE-2016-4747 (Mail in Apple iOS before 10 mishandles certificates, which makes it ea ...) NOT-FOR-US: Apple CVE-2016-4746 (The Keyboards component in Apple iOS before 10 does not properly use a ...) NOT-FOR-US: Apple CVE-2016-4745 (The Kerberos 5 (aka krb5) PAM module in Apple OS X before 10.12 does n ...) NOT-FOR-US: Apple CVE-2016-4744 REJECTED CVE-2016-4743 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) - webkit2gtk 2.14.3-1 (unimportant) NOTE: Not covered by security support CVE-2016-4742 (NSSecureTextField in Apple OS X before 10.12 does not enable Secure In ...) NOT-FOR-US: Apple CVE-2016-4741 (The Assets component in Apple iOS before 10 allows man-in-the-middle a ...) NOT-FOR-US: Apple CVE-2016-4740 (Apple iOS before 10, when Handoff for Messages is used, does not ensur ...) NOT-FOR-US: Apple CVE-2016-4739 (mDNSResponder in Apple OS X before 10.12, when VMnet.framework is used ...) NOT-FOR-US: Apple CVE-2016-4738 (libxslt in Apple iOS before 10, OS X before 10.12, tvOS before 10, and ...) {DSA-3709-1 DLA-700-1} - libxslt 1.1.29-2 (bug #842570) NOTE: https://git.gnome.org/browse/libxslt/commit/?id=eb1030de31165b68487f288308f9d1810fed6880 NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=619006 CVE-2016-4737 (WebKit in Apple iOS before 10, Safari before 10, tvOS before 10, and w ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-4736 (libarchive in Apple OS X before 10.12 allows remote attackers to cause ...) NOT-FOR-US: Apple / libarchive NOTE: Possibly Apple-specific, but noone really knows and Apple doesn't cooperate CVE-2016-4735 (WebKit in Apple iOS before 10, Safari before 10, and tvOS before 10 al ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-4734 (WebKit in Apple iOS before 10, Safari before 10, and tvOS before 10 al ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-4733 (WebKit in Apple iOS before 10, Safari before 10, and tvOS before 10 al ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-4732 REJECTED CVE-2016-4731 (WebKit in Apple iOS before 10 and Safari before 10 allows remote attac ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-4730 (WebKit in Apple iOS before 10, Safari before 10, and tvOS before 10 al ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-4729 (WebKit in Apple iOS before 10 and Safari before 10 allows remote attac ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-4728 (WebKit in Apple iOS before 10, tvOS before 10, iTunes before 12.5.1 on ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-4727 (IOThunderboltFamily in Apple OS X before 10.12 allows attackers to exe ...) NOT-FOR-US: Apple CVE-2016-4726 (IOAcceleratorFamily in Apple iOS before 10, OS X before 10.12, tvOS be ...) NOT-FOR-US: Apple CVE-2016-4725 (IOAcceleratorFamily in Apple iOS before 10, OS X before 10.12, tvOS be ...) NOT-FOR-US: Apple CVE-2016-4724 (IOAcceleratorFamily in Apple iOS before 10 and OS X before 10.12 allow ...) NOT-FOR-US: Apple CVE-2016-4723 (Intel Graphics Driver in Apple OS X before 10.12 allows attackers to e ...) NOT-FOR-US: Intel driver for OS X CVE-2016-4722 (The IDS - Connectivity component in Apple iOS before 10 and OS X befor ...) NOT-FOR-US: Apple CVE-2016-4721 (An issue was discovered in certain Apple products. iOS before 10.1 is ...) NOT-FOR-US: Apple CVE-2016-4720 REJECTED CVE-2016-4719 (The GeoServices component in Apple iOS before 10 and watchOS before 3 ...) NOT-FOR-US: Apple CVE-2016-4718 (Buffer overflow in FontParser in Apple iOS before 10, OS X before 10.1 ...) NOT-FOR-US: Apple CVE-2016-4717 (The File Bookmark component in Apple OS X before 10.12 mishandles scop ...) NOT-FOR-US: Apple CVE-2016-4716 (diskutil in DiskArbitration in Apple OS X before 10.12 allows local us ...) NOT-FOR-US: Apple CVE-2016-4715 (The Date & Time Pref Pane component in Apple OS X before 10.12 mis ...) NOT-FOR-US: Apple CVE-2016-4714 REJECTED CVE-2016-4713 (CoreDisplay in Apple OS X before 10.12 allows attackers to view arbitr ...) NOT-FOR-US: Apple CVE-2016-4712 (CoreCrypto in Apple iOS before 10, OS X before 10.12, tvOS before 10, ...) NOT-FOR-US: Apple CVE-2016-4711 (CCrypt in corecrypto in CommonCrypto in Apple iOS before 10 and OS X b ...) NOT-FOR-US: Apple CVE-2016-4710 (WindowServer in Apple OS X before 10.12 allows local users to obtain r ...) NOT-FOR-US: Apple CVE-2016-4709 (WindowServer in Apple OS X before 10.12 allows local users to obtain r ...) NOT-FOR-US: Apple CVE-2016-4708 (CFNetwork in Apple iOS before 10, OS X before 10.12, tvOS before 10, a ...) NOT-FOR-US: Apple CVE-2016-4707 (CFNetwork in Apple iOS before 10 and OS X before 10.12 mishandles Loca ...) NOT-FOR-US: Apple CVE-2016-4706 (cd9660 in Apple OS X before 10.12 allows local users to cause a denial ...) NOT-FOR-US: Apple CVE-2016-4705 (otool in Apple Xcode before 8 allows local users to gain privileges or ...) NOT-FOR-US: Apple CVE-2016-4704 (otool in Apple Xcode before 8 allows local users to gain privileges or ...) NOT-FOR-US: Apple CVE-2016-4703 (Bluetooth in Apple OS X before 10.12 allows attackers to execute arbit ...) NOT-FOR-US: Apple CVE-2016-4702 (Audio in Apple iOS before 10, OS X before 10.12, tvOS before 10, and w ...) NOT-FOR-US: Apple CVE-2016-4701 (Application Firewall in Apple OS X before 10.12 allows local users to ...) NOT-FOR-US: Apple CVE-2016-4700 (AppleUUC in Apple OS X before 10.12 allows attackers to execute arbitr ...) NOT-FOR-US: Apple CVE-2016-4699 (AppleUUC in Apple OS X before 10.12 allows attackers to execute arbitr ...) NOT-FOR-US: Apple CVE-2016-4698 (AppleMobileFileIntegrity in Apple iOS before 10 and OS X before 10.12 ...) NOT-FOR-US: Apple CVE-2016-4697 (Apple HSSPI Support in Apple OS X before 10.12 allows attackers to exe ...) NOT-FOR-US: Apple CVE-2016-4696 (AppleEFIRuntime in Apple OS X before 10.12 allows attackers to execute ...) NOT-FOR-US: Apple CVE-2016-4695 REJECTED CVE-2016-4694 (The Apache HTTP Server in Apple OS X before 10.12 and OS X Server befo ...) NOT-FOR-US: Apple CVE assignment to the equivalent of CVE-2016-5387 CVE-2016-4693 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-4692 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) - webkit2gtk 2.14.3-1 (unimportant) NOTE: Not covered by security support CVE-2016-4691 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-4690 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-4689 (An issue was discovered in certain Apple products. iOS before 10.2 is ...) NOT-FOR-US: Apple CVE-2016-4688 (An issue was discovered in certain Apple products. iOS before 10.1 is ...) NOT-FOR-US: Apple CVE-2016-4687 REJECTED CVE-2016-4686 (An issue was discovered in certain Apple products. iOS before 10.1 is ...) NOT-FOR-US: Apple CVE-2016-4685 (An issue was discovered in certain Apple products. iOS before 10.1 is ...) NOT-FOR-US: Apple CVE-2016-4684 REJECTED CVE-2016-4683 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-4682 (An issue was discovered in certain Apple products. macOS before 10.12 ...) NOT-FOR-US: Apple CVE-2016-4681 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-4680 (An issue was discovered in certain Apple products. iOS before 10.1 is ...) NOT-FOR-US: Apple CVE-2016-4679 (An issue was discovered in certain Apple products. iOS before 10.1 is ...) NOT-FOR-US: Apple CVE-2016-4678 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-4677 (An issue was discovered in certain Apple products. iOS before 10.1 is ...) NOT-FOR-US: Apple CVE-2016-4676 (A Cross-origin vulnerability exists in WebKit in Apple Safari before 1 ...) NOT-FOR-US: Apple CVE-2016-4675 (An issue was discovered in certain Apple products. iOS before 10.1 is ...) NOT-FOR-US: Apple CVE-2016-4674 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-4673 (An issue was discovered in certain Apple products. iOS before 10.1 is ...) NOT-FOR-US: Apple CVE-2016-4672 REJECTED CVE-2016-4671 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-4670 (An issue was discovered in certain Apple products. iOS before 10.1 is ...) NOT-FOR-US: Apple CVE-2016-4669 (An issue was discovered in certain Apple products. iOS before 10.1 is ...) NOT-FOR-US: Apple CVE-2016-4668 REJECTED CVE-2016-4667 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-4666 (An issue was discovered in certain Apple products. iOS before 10.1 is ...) NOT-FOR-US: Apple CVE-2016-4665 (An issue was discovered in certain Apple products. iOS before 10.1 is ...) NOT-FOR-US: Apple CVE-2016-4664 (An issue was discovered in certain Apple products. iOS before 10.1 is ...) NOT-FOR-US: Apple CVE-2016-4663 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-4662 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-4661 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2016-4660 (An issue was discovered in certain Apple products. iOS before 10.1 is ...) NOT-FOR-US: Apple CVE-2016-4659 REJECTED CVE-2016-4658 (xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS ...) {DSA-3744-1 DLA-691-1} - libxml2 2.9.4+dfsg1-2.1 (bug #840553) NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b CVE-2016-4657 (WebKit in Apple iOS before 9.3.5 allows remote attackers to execute ar ...) - webkitgtk (unimportant) NOTE: https://www.youtube.com/watch?v=xkdPjbaLngE NOTE: Not covered by security support CVE-2016-4656 (The kernel in Apple iOS before 9.3.5 allows attackers to execute arbit ...) NOT-FOR-US: Apple CVE-2016-4655 (The kernel in Apple iOS before 9.3.5 allows attackers to obtain sensit ...) NOT-FOR-US: Apple CVE-2016-4654 (IOMobileFrameBuffer in Apple iOS before 9.3.4 allows attackers to exec ...) NOT-FOR-US: Apple CVE-2016-4653 (The kernel in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before ...) NOT-FOR-US: Apple CVE-2016-4652 (CoreGraphics in Apple OS X before 10.11.6 allows local users to obtain ...) NOT-FOR-US: Apple CVE-2016-4651 (Cross-site scripting (XSS) vulnerability in the WebKit JavaScript bind ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-4650 (Heap-based buffer overflow in IOHIDFamily in Apple iOS before 9.3.2, O ...) NOT-FOR-US: Apple CVE-2016-4649 (Audio in Apple OS X before 10.11.6 allows local users to cause a denia ...) NOT-FOR-US: Apple CVE-2016-4648 (Audio in Apple OS X before 10.11.6 allows local users to obtain sensit ...) NOT-FOR-US: Apple CVE-2016-4647 (Audio in Apple OS X before 10.11.6 allows local users to gain privileg ...) NOT-FOR-US: Apple CVE-2016-4646 (Audio in Apple OS X before 10.11.6 mishandles a size value, which allo ...) NOT-FOR-US: Apple CVE-2016-4645 (CFNetwork in Apple OS X before 10.11.6 uses weak permissions for web-b ...) NOT-FOR-US: Apple CVE-2016-4644 (In iOS before 9.3.3, tvOS before 9.2.2, and OS X El Capitan before v10 ...) NOT-FOR-US: Apple CVE-2016-4643 (In iOS before 9.3.3, tvOS before 9.2.2, and OS X El Capitan before v10 ...) NOT-FOR-US: Apple CVE-2016-4642 (In iOS before 9.3.3, tvOS before 9.2.2, and OS X El Capitan before v10 ...) NOT-FOR-US: Apple CVE-2016-4641 (Login Window in Apple OS X before 10.11.6 allows attackers to execute ...) NOT-FOR-US: Apple CVE-2016-4640 (Login Window in Apple OS X before 10.11.6 allows attackers to execute ...) NOT-FOR-US: Apple CVE-2016-4639 (Login Window in Apple OS X before 10.11.6 does not properly initialize ...) NOT-FOR-US: Apple CVE-2016-4638 (Login Window in Apple OS X before 10.11.6 allows attackers to gain pri ...) NOT-FOR-US: Apple CVE-2016-4637 (CoreGraphics in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS befo ...) NOT-FOR-US: Apple CVE-2016-4636 REJECTED CVE-2016-4635 (FaceTime in Apple iOS before 9.3.3 and OS X before 10.11.6 allows man- ...) NOT-FOR-US: Apple CVE-2016-4634 (The Graphics Drivers subsystem in Apple OS X before 10.11.6 allows loc ...) NOT-FOR-US: Apple CVE-2016-4633 (Intel Graphics Driver in Apple OS X before 10.11.6 allows attackers to ...) NOT-FOR-US: Apple CVE-2016-4632 (ImageIO in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9. ...) NOT-FOR-US: Apple CVE-2016-4631 (ImageIO in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9. ...) NOT-FOR-US: Apple CVE-2016-4630 (ImageIO in Apple OS X before 10.11.6 allows remote attackers to execut ...) NOT-FOR-US: Apple CVE-2016-4629 (ImageIO in Apple OS X before 10.11.6 allows remote attackers to execut ...) NOT-FOR-US: Apple CVE-2016-4628 (IOAcceleratorFamily in Apple iOS before 9.3.3 and watchOS before 2.2.2 ...) NOT-FOR-US: Apple CVE-2016-4627 (IOAcceleratorFamily in Apple iOS before 9.3.3, tvOS before 9.2.2, and ...) NOT-FOR-US: Apple CVE-2016-4626 (IOHIDFamily in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS befor ...) NOT-FOR-US: Apple CVE-2016-4625 (Use-after-free vulnerability in IOSurface in Apple OS X before 10.11.6 ...) NOT-FOR-US: Apple CVE-2016-4624 (WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before ...) - webkit2gtk 2.12.4-1 (unimportant) CVE-2016-4623 (WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-4622 (WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before ...) - webkit2gtk 2.12.4-1 (unimportant) CVE-2016-4621 (libc++abi in Apple OS X before 10.11.6 allows attackers to execute arb ...) NOT-FOR-US: Apple CVE-2016-4620 (The Sandbox Profiles component in Apple iOS before 10 does not properl ...) NOT-FOR-US: Apple CVE-2016-4619 REJECTED CVE-2016-4618 (Cross-site scripting (XSS) vulnerability in Safari Reader in Apple iOS ...) NOT-FOR-US: Apple CVE-2016-4617 (An issue was discovered in certain Apple products. macOS before 10.12 ...) NOT-FOR-US: Apple CVE-2016-4616 (libxml2 in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before ...) NOT-FOR-US: Possibly Apple-specific CVE ID for libxml2 NOTE: contacted Apple for more information, but no reply for quite a while CVE-2016-4615 (libxml2 in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before ...) NOT-FOR-US: Possibly Apple-specific CVE ID for libxml2 NOTE: contacted Apple for more information, but no reply for quite a while CVE-2016-4614 (libxml2 in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before ...) NOT-FOR-US: Possibly Apple-specific CVE ID for libxml2 NOTE: contacted Apple for more information, but no reply for quite a while CVE-2016-4613 (An issue was discovered in certain Apple products. Safari before 10.0. ...) NOT-FOR-US: Apple CVE-2016-4612 REJECTED CVE-2016-4611 (WebKit in Apple iOS before 10, Safari before 10, and tvOS before 10 al ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-4610 (libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before ...) {DLA-1860-1} - libxslt 1.1.29-1 NOTE: https://gitlab.gnome.org/GNOME/libxslt/commit/93bb314768aafaffad1df15bbee10b7c5423e283 (v1.1.29-rc1) CVE-2016-4609 (libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before ...) {DLA-1860-1} - libxslt 1.1.29-1 NOTE: https://gitlab.gnome.org/GNOME/libxslt/commit/8b90c9a699e0eaa98bbeec63a473ddc73aaa238c (v1.1.29-rc1) CVE-2016-4608 (libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before ...) - libxslt 1.1.29-1 [jessie] - libxslt 1.1.28-2+deb8u1 NOTE: https://gitlab.gnome.org/GNOME/libxslt/commit/5d0c6565bab5b9b7efceb33b626916d22b4101a7 (v1.1.29-rc1) CVE-2016-4607 (libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before ...) NOT-FOR-US: Potentially src:libxslt, but Apple doesn't play by the rules NOTE: contacted Apple for more information, but no reply for quite a while. NOTE: Apple still does not provide information on this CVE, although it is NOTE: possible that it's fixed in 1.1.29 upstream. CVE-2016-4606 (Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 al ...) - curl (Only applies to Curl on Mac OS) CVE-2016-4605 (Calendar in Apple iOS before 9.3.3 allows remote attackers to cause a ...) NOT-FOR-US: Apple CVE-2016-4604 (Safari in Apple iOS before 9.3.3 allows remote attackers to spoof the ...) NOT-FOR-US: Apple CVE-2016-4603 (Web Media in Apple iOS before 9.3.3 allows attackers to bypass the Pri ...) NOT-FOR-US: Apple CVE-2016-4602 (QuickTime in Apple OS X before 10.11.6 allows remote attackers to exec ...) NOT-FOR-US: Apple CVE-2016-4601 (QuickTime in Apple OS X before 10.11.6 allows remote attackers to exec ...) NOT-FOR-US: Apple CVE-2016-4600 (QuickTime in Apple OS X before 10.11.6 allows remote attackers to exec ...) NOT-FOR-US: Apple CVE-2016-4599 (QuickTime in Apple OS X before 10.11.6 allows remote attackers to exec ...) NOT-FOR-US: Apple CVE-2016-4598 (QuickTime in Apple OS X before 10.11.6 allows remote attackers to exec ...) NOT-FOR-US: Apple CVE-2016-4597 (QuickTime in Apple OS X before 10.11.6 allows remote attackers to exec ...) NOT-FOR-US: Apple CVE-2016-4596 (QuickTime in Apple OS X before 10.11.6 allows remote attackers to exec ...) NOT-FOR-US: Apple CVE-2016-4595 (Safari Login AutoFill in Apple OS X before 10.11.6 allows physically p ...) NOT-FOR-US: Apple CVE-2016-4594 (The Sandbox Profiles component in Apple iOS before 9.3.3, OS X before ...) NOT-FOR-US: Apple CVE-2016-4593 (The Siri Contacts component in Apple iOS before 9.3.3 allows physicall ...) NOT-FOR-US: Apple CVE-2016-4592 (WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-4591 (WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before ...) - webkit2gtk 2.12.4-1 (unimportant) CVE-2016-4590 (WebKit in Apple iOS before 9.3.3 and Safari before 9.1.2 mishandles ab ...) - webkit2gtk 2.12.4-1 (unimportant) CVE-2016-4589 (WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-4588 (WebKit in Apple tvOS before 9.2.2 allows remote attackers to execute a ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-4587 (WebKit in Apple iOS before 9.3.3 and tvOS before 9.2.2 allows remote a ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-4586 (WebKit in Apple Safari before 9.1.2 and tvOS before 9.2.2 allows remot ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-4585 (Cross-site scripting (XSS) vulnerability in the WebKit Page Loading im ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-4584 (The WebKit Page Loading implementation in Apple iOS before 9.3.3, Safa ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-4583 (WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-4582 (The kernel in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before ...) NOT-FOR-US: Apple CVE-2016-4580 (The x25_negotiate_facilities function in net/x25/x25_facilities.c in t ...) {DSA-3607-1 DLA-516-1} - linux 4.5.5-1 NOTE: Fixed by: https://git.kernel.org/linus/79e48650320e6fba48369fccf13fd045315b19b8 (v4.6) CVE-2016-4577 (Buffer overflow in the Smart DNS functionality in the Huawei NGFW Modu ...) NOT-FOR-US: Huawei CVE-2016-4576 (Buffer overflow in the Application Specific Packet Filtering (ASPF) fu ...) NOT-FOR-US: Huawei CVE-2016-4575 (Cross-site scripting (XSS) vulnerability in the email APP in Huawei PL ...) NOT-FOR-US: Huawei CVE-2016-4796 (Heap-based buffer overflow in the color_cmyk_to_rgb in common/color.c ...) - openjpeg2 2.1.1-1 [jessie] - openjpeg2 (Vulnerable code not yet present in 2.1.0) - openjpeg [jessie] - openjpeg (Vulnerable code not present) [wheezy] - openjpeg (Vulnerable code not present) NOTE: https://github.com/uclouvain/openjpeg/commit/162f6199c0cd3ec1c6c6dc65e41b2faab92b2d91 CVE-2016-4797 (Divide-by-zero vulnerability in the opj_tcd_init_tile function in tcd. ...) - openjpeg2 2.1.1-1 [jessie] - openjpeg2 (Vulnerable code not yet present in 2.1.0) NOTE: https://github.com/uclouvain/openjpeg/commit/8f9cc62b3f9a1da9712329ddcedb9750d585505c NOTE: CVE-2016-4797 exists because of an incorrect fix for CVE-2014-7947 CVE-2016-4794 (Use-after-free vulnerability in mm/percpu.c in the Linux kernel throug ...) - linux 4.6.2-2 [jessie] - linux (Introduced in v3.18-rc1) [wheezy] - linux (Introduced in v3.18-rc1) NOTE: https://git.kernel.org/linus/4f996e234dad488e5d9ba0858bc1bae12eff82c3 NOTE: https://git.kernel.org/linus/6710e594f71ccaad8101bc64321152af7cd9ea28 CVE-2016-4573 (Fortinet FortiSwitch FSW-108D-POE, FSW-124D, FSW-124D-POE, FSW-224D-PO ...) NOT-FOR-US: Fortinet CVE-2016-4581 (fs/pnode.c in the Linux kernel before 4.5.4 does not properly traverse ...) {DSA-3607-1} - linux 4.5.4-1 [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/5ec0811d30378ae104f250bfc9b3640242d81e3f (v4.6-rc7) NOTE: Introduced by: https://git.kernel.org/linus/f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68 (v3.15-rc1) CVE-2016-4579 (Libksba before 1.3.4 allows remote attackers to cause a denial of serv ...) {DLA-470-1} - libksba 1.3.4-3 [jessie] - libksba 1.3.2-1+deb8u1 NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=a7eed17a0b2a1c09ef986f3b4b323cd31cea2b64 CVE-2016-4572 (In Cloudera CDH before 5.7.1, Impala REVOKE ALL ON SERVER commands do ...) NOT-FOR-US: Cloudera CVE-2016-4574 (Off-by-one error in the append_utf8_value function in the DN decoder ( ...) - libksba 1.3.4-3 [jessie] - libksba (Incomplete fix not applied) [wheezy] - libksba (Incomplete fix not applied) NOTE: Fixed by: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=6be61daac047d8e6aa941eb103f8e71a1d4e3c75 NOTE: Introduced by: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=243d12fdec66a4360fbb3e307a046b39b5b4ffc3 CVE-2016-4578 (sound/core/timer.c in the Linux kernel through 4.6 does not initialize ...) {DSA-3607-1 DLA-516-1} - linux 4.5.5-1 NOTE: https://github.com/torvalds/linux/commit/9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6 NOTE: https://github.com/torvalds/linux/commit/e4ec8cc8039a7063e24204299b462bd1383184a5 CVE-2016-4569 (The snd_timer_user_params function in sound/core/timer.c in the Linux ...) {DSA-3607-1 DLA-516-1} - linux 4.5.5-1 NOTE: http://comments.gmane.org/gmane.linux.kernel/2214250 NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cec8f96e49d9be372fdb0c3836dcf31ec71e457e CVE-2016-4564 (The DrawImage function in MagickCore/draw.c in ImageMagick before 6.9. ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832888) NOTE: https://github.com/ImageMagick/ImageMagick/commit/726812fa2fa7ce16bcf58f6e115f65427a1c0950 CVE-2016-4563 (The TraceStrokePolygon function in MagickCore/draw.c in ImageMagick be ...) {DSA-3652-1 DLA-517-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832887) NOTE: https://github.com/ImageMagick/ImageMagick/commit/726812fa2fa7ce16bcf58f6e115f65427a1c0950 CVE-2016-4562 (The DrawDashPolygon function in MagickCore/draw.c in ImageMagick befor ...) {DSA-3652-1 DLA-731-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #832885) NOTE: https://github.com/ImageMagick/ImageMagick/commit/726812fa2fa7ce16bcf58f6e115f65427a1c0950 CVE-2016-4560 (Untrusted search path vulnerability in Flexera InstallAnywhere allows ...) NOT-FOR-US: Flexera CVE-2016-4559 RESERVED CVE-2016-4567 (Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as ...) - mediaelement (unimportant; bug #823649) NOTE: https://core.trac.wordpress.org/changeset/37370 NOTE: Fixed by: https://github.com/johndyer/mediaelement/commit/34834eef8ac830b9145df169ec22016a4350f06e NOTE: Vulnerable code present, but Flash Player disabled in Debian NOTE: See 0004-Deactivate-Flash-and-Silverlight.patch NOTE: http://www.openwall.com/lists/oss-security/2016/05/07/2 CVE-2016-4566 (Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plup ...) - wordpress 4.5.2+dfsg-1 (bug #823640) [jessie] - wordpress (Vulnerable code not present) [wheezy] - wordpress (Vulnerable code not present) NOTE: https://wordpress.org/news/2016/05/wordpress-4-5-2/ NOTE: Fixed by: https://core.trac.wordpress.org/changeset/37382 NOTE: http://www.openwall.com/lists/oss-security/2016/05/07/2 CVE-2016-4568 (drivers/media/v4l2-core/videobuf2-v4l2.c in the Linux kernel before 4. ...) - linux 4.5.3-1 [jessie] - linux (Vulnerable code introduced in 4.4) [wheezy] - linux (Vulnerable code introduced in 4.4) NOTE: Fixed by: https://git.kernel.org/linus/2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab (v4.6-rc6) NOTE: Introduced by: https://git.kernel.org/linus/b0e0e1f83de31aa0428c38b692c590cc0ecd3f03 (v4.4-rc1) CVE-2016-4565 (The InfiniBand (aka IB) stack in the Linux kernel before 4.5.3 incorre ...) {DSA-3607-1 DLA-516-1} - linux 4.5.3-1 NOTE: Fixed by: https://git.kernel.org/linus/e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3 (v4.6-rc6) CVE-2016-4551 (The (1) SAP_BASIS and (2) SAP_ABA components 7.00 SP Level 0031 in SAP ...) NOT-FOR-US: SAP CVE-2016-4550 RESERVED CVE-2016-4549 RESERVED CVE-2016-4548 RESERVED CVE-2016-4545 (Virtual servers in F5 BIG-IP 11.5.4, when SSL profiles are enabled, al ...) NOT-FOR-US: F5 BIG-IP CVE-2016-4561 (Cross-site scripting (XSS) vulnerability in the cgierror function in C ...) {DSA-3571-1 DLA-463-1} - ikiwiki 3.20160506 NOTE: http://source.ikiwiki.branchable.com/?p=source.git;a=commitdiff;h=32ef584dc5abb6ddb9f794f94ea0b2934967bba7 NOTE: http://www.openwall.com/lists/oss-security/2016/05/06/8 CVE-2016-4547 (Samsung devices with Android KK(4.4), L(5.0/5.1), or M(6.0) allow atta ...) NOT-FOR-US: Samsung Android component CVE-2016-4546 (Samsung devices with Android KK(4.4) or L(5.0/5.1) allow local users t ...) NOT-FOR-US: Samsung Android component CVE-2016-4570 (The mxmlDelete function in mxml-node.c in mxml 2.9, 2.7, and possibly ...) {DLA-1641-1} - mxml 2.9-1 (bug #825855) [wheezy] - mxml (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2016/05/07/8 NOTE: https://github.com/michaelrsweet/mxml/commit/d8c0ba900728d47523d76ba4acf33176cd04647c CVE-2016-4571 (The mxml_write_node function in mxml-file.c in mxml 2.9, 2.7, and poss ...) {DLA-1641-1} - mxml 2.9-2 (bug #825855) [wheezy] - mxml (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2016/05/07/8 NOTE: https://github.com/michaelrsweet/mxml/commit/5f74dc212497332d05882660db130a37d2f458eb CVE-2016-4558 (The BPF subsystem in the Linux kernel before 4.5.5 mishandles referenc ...) - linux 4.5.3-1 [jessie] - linux (Issue introduced later) [wheezy] - linux (Issue introduced later) NOTE: Fixed by: https://git.kernel.org/linus/92117d8443bc5afacc8d5ba82e541946310f106e NOTE: Introduced by: https://git.kernel.org/linus/1be7f75d1668d6296b80bf35dcf6762393530afc(v4.4-rc1) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=809 CVE-2016-4557 (The replace_map_fd_with_map_ptr function in kernel/bpf/verifier.c in t ...) - linux 4.5.3-1 (bug #823603) [jessie] - linux (Issue introduced later) [wheezy] - linux (Issue introduced later) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=808 NOTE: Fixed by: https://git.kernel.org/linus/8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7 (v4.6-rc6) NOTE: Introduced by: https://git.kernel.org/linus/0246e64d9a5fcd4805198de59b9b5cf1f974eb41 (v3.18-rc1) NOTE: Exploitable since: https://git.kernel.org/linus/1be7f75d1668d6296b80bf35dcf6762393530afc (v4.4-rc1) NOTE: http://www.openwall.com/lists/oss-security/2016/05/06/4 CVE-2016-4556 (Double free vulnerability in Esi.cc in Squid 3.x before 3.5.18 and 4.x ...) {DSA-3625-1 DLA-478-1} - squid3 3.5.19-1 (bug #823968) - squid (Does not affect 2.x) NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_9.txt NOTE: http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_9.patch NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_9.patch CVE-2016-4555 (client_side_request.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.1 ...) {DSA-3625-1 DLA-478-1} - squid3 3.5.19-1 (bug #823968) [wheezy] - squid3 (3.1 not vulnerable) - squid (Does not affect 2.x) NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_9.txt NOTE: http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_9.patch NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_9.patch CVE-2016-4554 (mime_header.cc in Squid before 3.5.18 allows remote attackers to bypas ...) {DSA-3625-1 DLA-558-1 DLA-478-1} - squid3 3.5.19-1 (bug #823968) - squid 4.1-1 NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_8.txt NOTE: http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10496.patch NOTE: http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11842.patch NOTE: http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12698.patch NOTE: http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13236.patch NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14038.patch NOTE: Regression and fix: http://bugs.squid-cache.org/show_bug.cgi?id=4515 NOTE: Complete patch for 3.4 branch: http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_8.patch CVE-2016-4553 (client_side.cc in Squid before 3.5.18 and 4.x before 4.0.10 does not p ...) {DSA-3625-1} - squid3 3.5.19-1 (bug #823968) [wheezy] - squid3 (issue introduced by CVE-2009-0801 fix, not applied in wheezy) - squid (Does not affect 2.x) NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_7.txt NOTE: Fix for 3.5.x: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14039.patch NOTE: Fix for 3.5 relies on SBuf. NOTE: Fix for 3.4.x: http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13240.patch CVE-2016-4535 (Integer signedness error in the AV engine before DAT 8145, as used in ...) NOT-FOR-US: McAfee / AV engine CVE-2016-4534 (The McAfee VirusScan Console (mcconsol.exe) in McAfee VirusScan Enterp ...) NOT-FOR-US: McAfee VirusScan Console CVE-2016-4533 (Heap-based buffer overflow in WECON LeviStudio allows remote attackers ...) NOT-FOR-US: LeviStudio CVE-2016-4532 (Directory traversal vulnerability in the WAP interface in Trihedral VT ...) NOT-FOR-US: Trihedral CVE-2016-4531 (Rockwell Automation FactoryTalk EnergyMetrix before 2.20.00 does not i ...) NOT-FOR-US: Rockwell CVE-2016-4530 (OSIsoft PI SQL Data Access Server (aka OLE DB) 2016 1.5 allows remote ...) NOT-FOR-US: OSISoft CVE-2016-4529 (An unspecified ActiveX control in Schneider Electric SoMachine HVAC Pr ...) NOT-FOR-US: Schneider CVE-2016-4528 (Buffer overflow in Advantech WebAccess before 8.1_20160519 allows loca ...) NOT-FOR-US: Advantech WebAccess CVE-2016-4527 (ABB PCM600 before 2.7 improperly stores PCM600 authentication credenti ...) NOT-FOR-US: ABB PCM600 CVE-2016-4526 (ABB DataManagerPro 1.x before 1.7.1 allows local users to gain privile ...) NOT-FOR-US: ABB DataManagerPro CVE-2016-4525 (Unspecified ActiveX controls in Advantech WebAccess before 8.1_2016051 ...) NOT-FOR-US: Advantech WebAccess CVE-2016-4524 (ABB PCM600 before 2.7 improperly stores OPC Server IEC61850 passwords ...) NOT-FOR-US: ABB PCM600 CVE-2016-4523 (The WAP interface in Trihedral VTScada (formerly VTS) 8.x through 11.x ...) NOT-FOR-US: Trihedral CVE-2016-4522 (SQL injection vulnerability in Rockwell Automation FactoryTalk EnergyM ...) NOT-FOR-US: Rockwell CVE-2016-4521 (Sixnet BT-5xxx and BT-6xxx M2M devices before 3.8.21 and 3.9.x before ...) NOT-FOR-US: Sixnet CVE-2016-4520 (Schneider Electric Pelco Digital Sentry Video Management System with f ...) NOT-FOR-US: Schneider CVE-2016-4519 (Stack-based buffer overflow in Unitronics VisiLogic OPLC IDE before 9. ...) NOT-FOR-US: Unitronics VisiLogic CVE-2016-4518 (OSIsoft PI AF Server before 2016 2.8.0 allows remote authenticated use ...) NOT-FOR-US: OSIsoft PI AF Server CVE-2016-4517 RESERVED CVE-2016-4516 (ABB PCM600 before 2.7 improperly stores the main application password ...) NOT-FOR-US: ABB PCM600 CVE-2016-4515 REJECTED CVE-2016-4514 (Moxa PT-7728 devices with software 3.4 build 15081113 allow remote aut ...) NOT-FOR-US: Moxa CVE-2016-4513 (Cross-site scripting (XSS) vulnerability in the Schneider Electric Pow ...) NOT-FOR-US: Schneider CVE-2016-4512 (Stack-based buffer overflow in ELCSimulator in Eaton ELCSoft 2.4.01 an ...) NOT-FOR-US: Eaton ELCSoft CVE-2016-4511 (ABB PCM600 before 2.7 uses an improper hash algorithm for the main app ...) NOT-FOR-US: ABB PCM600 CVE-2016-4510 (The WAP interface in Trihedral VTScada (formerly VTS) 8.x through 11.x ...) NOT-FOR-US: Trihedral VTScada CVE-2016-4509 (Heap-based buffer overflow in elcsoft.exe in Eaton ELCSoft 2.4.01 and ...) NOT-FOR-US: Eaton ELCSoft CVE-2016-4508 (Cross-site scripting (XSS) vulnerability in Rexroth Bosch BLADEcontrol ...) NOT-FOR-US: Rexroth Bosch CVE-2016-4507 (SQL injection vulnerability in Rexroth Bosch BLADEcontrol-WebVIS 3.0.2 ...) NOT-FOR-US: Rexroth Bosch CVE-2016-4506 (Cross-site request forgery (CSRF) vulnerability on Resource Data Manag ...) NOT-FOR-US: Resource Data Management CVE-2016-4505 (Resource Data Management (RDM) Intuitive 650 TDB Controller devices be ...) NOT-FOR-US: Resource Data Management CVE-2016-4504 (A Cross-Site Request Forgery issue was discovered in Meteocontrol WEB' ...) NOT-FOR-US: Meteocontrol WEB'log CVE-2016-4503 (Moxa Device Server Web Console 5232-N allows remote attackers to bypas ...) NOT-FOR-US: Moxa CVE-2016-4502 (Environmental Systems Corporation (ESC) 8832 Data Controller 3.02 and ...) NOT-FOR-US: Environmental Systems Corporation CVE-2016-4501 (Environmental Systems Corporation (ESC) 8832 Data Controller 3.02 and ...) NOT-FOR-US: Environmental Systems Corporation CVE-2016-4500 (Moxa UC-7408 LX-Plus devices allow remote authenticated users to write ...) NOT-FOR-US: Moxa CVE-2016-4499 (Heap-based buffer overflow in Panasonic FPWIN Pro 5.x through 7.x befo ...) NOT-FOR-US: Panasonic FPWIN Pro CVE-2016-4498 (Panasonic FPWIN Pro 5.x through 7.x before 7.130 accesses an uninitial ...) NOT-FOR-US: Panasonic FPWIN Pro CVE-2016-4497 (Panasonic FPWIN Pro 5.x through 7.x before 7.130 allows local users to ...) NOT-FOR-US: Panasonic FPWIN Pro CVE-2016-4496 (Panasonic FPWIN Pro 5.x through 7.x before 7.130 allows local users to ...) NOT-FOR-US: Panasonic FPWIN Pro CVE-2016-4495 (KMC Controls BAC-5051E devices with firmware before E0.2.0.2 allow rem ...) NOT-FOR-US: KMC CVE-2016-4494 (Cross-site request forgery (CSRF) vulnerability on KMC Controls BAC-50 ...) NOT-FOR-US: KMC CVE-2016-4493 (The demangle_template_value_parm and do_hpacc_template_literal functio ...) {DLA-552-1} - ht 2.1.0+repack1-1 (low; bug #840358) [jessie] - ht (Minor issue) [wheezy] - ht (Minor issue) - binutils 2.27.51.20161102-1 (low) [jessie] - binutils (Minor issue) - libiberty 20161011-1 (low; bug #840360) [jessie] - libiberty (Minor issue) [wheezy] - libiberty (Minor issue) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926 NOTE: https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=238313 CVE-2016-4492 (Buffer overflow in the do_type function in cplus-dem.c in libiberty al ...) {DLA-552-1} - ht 2.1.0+repack1-1 (low; bug #840358) [jessie] - ht (Minor issue) [wheezy] - ht (Minor issue) - binutils 2.27.51.20161102-1 (low) [jessie] - binutils (Minor issue) - libiberty 20161011-1 (low; bug #840360) [jessie] - libiberty (Minor issue) [wheezy] - libiberty (Minor issue) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926 NOTE: https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=238313 CVE-2016-4491 (The d_print_comp function in cp-demangle.c in libiberty allows remote ...) - binutils 2.28-3 (low) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) - libiberty 20170627-1 (low) [stretch] - libiberty (Minor issue) [jessie] - libiberty (Minor issue) [wheezy] - libiberty (Minor issue) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70909 NOTE: https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00105.html NOTE: https://gcc.gnu.org/viewcvs?rev=247056&root=gcc&view=rev CVE-2016-4490 (Integer overflow in cp-demangle.c in libiberty allows remote attackers ...) {DLA-552-1} - ht 2.1.0+repack1-1 (low; bug #840358) [jessie] - ht (Minor issue) [wheezy] - ht (Minor issue) - binutils 2.27.51.20161102-1 (low) [jessie] - binutils (Minor issue) - libiberty 20161011-1 (low; bug #840360) [jessie] - libiberty (Minor issue) [wheezy] - libiberty (Minor issue) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70498 NOTE: https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=235767 CVE-2016-4489 (Integer overflow in the gnu_special function in libiberty allows remot ...) {DLA-552-1} - ht 2.1.0+repack1-1 (low; bug #840358) [jessie] - ht (Minor issue) [wheezy] - ht (Minor issue) - binutils 2.27.51.20161102-1 (low) [jessie] - binutils (Minor issue) - libiberty 20161011-1 (low; bug #840360) [jessie] - libiberty (Minor issue) [wheezy] - libiberty (Minor issue) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70492 NOTE: https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=234828 CVE-2016-4488 (Use-after-free vulnerability in libiberty allows remote attackers to c ...) {DLA-552-1} - ht 2.1.0+repack1-1 (low; bug #840358) [jessie] - ht (Minor issue) [wheezy] - ht (Minor issue) - binutils 2.27.51.20161102-1 (low) [jessie] - binutils (Minor issue) - libiberty 20161011-1 (low; bug #840360) [jessie] - libiberty (Minor issue) [wheezy] - libiberty (Minor issue) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481 NOTE: https://gcc.gnu.org/ml/gcc-patches/2016-03/msg01687.html CVE-2016-4487 (Use-after-free vulnerability in libiberty allows remote attackers to c ...) {DLA-552-1} - ht 2.1.0+repack1-1 (low; bug #840358) [jessie] - ht (Minor issue) [wheezy] - ht (Minor issue) - binutils 2.27.51.20161102-1 (low) [jessie] - binutils (Minor issue) - libiberty 20161011-1 (low; bug #840360) [jessie] - libiberty (Minor issue) [wheezy] - libiberty (Minor issue) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481 NOTE: https://gcc.gnu.org/ml/gcc-patches/2016-03/msg01687.html CVE-2016-4539 (The xml_parse_into_struct function in ext/xml/xml.c in PHP before 5.5. ...) {DSA-3602-1 DLA-499-1} - php7.0 7.0.6-1 - php5 5.6.21+dfsg-1 - hhvm 3.12.11+dfsg-1 (bug #835032) NOTE: https://bugs.php.net/bug.php?id=72099 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=dccda88f27a084bcbbb30198ace12b4e7ae961cc NOTE: Fixed in 7.0.6, 5.6.21, 5.5.35 NOTE: http://www.openwall.com/lists/oss-security/2016/05/05/21 NOTE: HHVM fix: https://github.com/facebook/hhvm/commit/7290b3bbcaa1e10a8d807fab3242204e9ec3a015 CVE-2016-4537 (The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6 ...) {DSA-3602-1 DLA-499-1} - php7.0 7.0.6-1 - php5 5.6.21+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=72093 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=d650063a0457aec56364e4005a636dc6c401f9cd NOTE: Fixed in 7.0.6, 5.6.21, 5.5.35 NOTE: http://www.openwall.com/lists/oss-security/2016/05/05/21 CVE-2016-4538 (The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6 ...) {DSA-3602-1 DLA-628-1} - php7.0 7.0.6-1 - php5 5.6.21+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=72093 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=d650063a0457aec56364e4005a636dc6c401f9cd NOTE: Fixed in 7.0.6, 5.6.21, 5.5.35 NOTE: http://www.openwall.com/lists/oss-security/2016/05/05/21 CVE-2016-4540 (The grapheme_stripos function in ext/intl/grapheme/grapheme_string.c i ...) {DSA-3602-1 DLA-499-1} - php7.0 7.0.6-1 - php5 5.6.21+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=72061 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=fd9689745c44341b1bd6af4756f324be8abba2fb NOTE: Fixed in 7.0.6, 5.6.21, 5.5.35 NOTE: http://www.openwall.com/lists/oss-security/2016/05/05/21 CVE-2016-4541 (The grapheme_strpos function in ext/intl/grapheme/grapheme_string.c in ...) {DSA-3602-1 DLA-499-1} - php7.0 7.0.6-1 - php5 5.6.21+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=72061 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=fd9689745c44341b1bd6af4756f324be8abba2fb NOTE: Fixed in 7.0.6, 5.6.21, 5.5.35 NOTE: http://www.openwall.com/lists/oss-security/2016/05/05/21 CVE-2016-4542 (The exif_process_IFD_TAG function in ext/exif/exif.c in PHP before 5.5 ...) {DSA-3602-1 DLA-499-1} - php7.0 7.0.6-1 - php5 5.6.21+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=72094 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=082aecfc3a753ad03be82cf14f03ac065723ec92 NOTE: Fixed in 7.0.6, 5.6.21, 5.5.35 NOTE: http://www.openwall.com/lists/oss-security/2016/05/05/21 CVE-2016-4543 (The exif_process_IFD_in_JPEG function in ext/exif/exif.c in PHP before ...) {DSA-3602-1 DLA-499-1} - php7.0 7.0.6-1 - php5 5.6.21+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=72094 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=082aecfc3a753ad03be82cf14f03ac065723ec92 NOTE: Fixed in 7.0.6, 5.6.21, 5.5.35 NOTE: http://www.openwall.com/lists/oss-security/2016/05/05/21 CVE-2016-4544 (The exif_process_TIFF_in_JPEG function in ext/exif/exif.c in PHP befor ...) {DSA-3602-1 DLA-499-1} - php7.0 7.0.6-1 - php5 5.6.21+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=72094 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=082aecfc3a753ad03be82cf14f03ac065723ec92 NOTE: Fixed in 7.0.6, 5.6.21, 5.5.35 NOTE: http://www.openwall.com/lists/oss-security/2016/05/05/21 CVE-2016-4536 (The client in OpenAFS before 1.6.17 does not properly initialize the ( ...) {DLA-493-1} - openafs 1.6.17-1 [jessie] - openafs 1.6.9-2+deb8u6 NOTE: https://www.openafs.org/pages/security/OPENAFS-SA-2016-002.txt CVE-2016-4486 (The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux ...) {DSA-3607-1 DLA-516-1} - linux 4.5.4-1 NOTE: https://git.kernel.org/linus/5f8e44741f9f216e33736ea4ec65ca9ac03036e6 CVE-2016-4485 (The llc_cmsg_rcv function in net/llc/af_llc.c in the Linux kernel befo ...) {DSA-3607-1 DLA-516-1} - linux 4.5.4-1 NOTE: https://git.kernel.org/linus/b8670c09f37bdf2847cc44f36511a53afc6161fd CVE-2016-4484 (The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earl ...) - cryptsetup 2:1.7.3-2 (unimportant) NOTE: http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html NOTE: Negligible security impact NOTE: in #860981 claimed to still be unresolved as per 2:1.7.3-3 CVE-2016-4481 RESERVED CVE-2016-4480 (The guest_walk_tables function in arch/x86/mm/guest_walk.c in Xen 4.6. ...) {DSA-3633-1 DLA-571-1} - xen 4.8.0~rc3-1 NOTE: http://xenbits.xen.org/xsa/advisory-176.html CVE-2016-4479 RESERVED CVE-2016-4475 (The (1) Organization and (2) Locations APIs and UIs in Foreman before ...) - foreman (bug #663101) CVE-2016-4474 (The image build process for the overcloud images in Red Hat OpenStack ...) NOT-FOR-US: Red Hat OpenStack Overcloud image CVE-2016-4473 (/ext/phar/phar_object.c in PHP 7.0.7 and 5.6.x allows remote attackers ...) {DLA-628-1} - php5 5.6.23+dfsg-1 [jessie] - php5 5.6.23+dfsg-0+deb8u1 NOTE: The issue was introduced as part CVE-2015-6833, which was applied upstream NOTE: in versions 5.4.44, 5.5.28, and 5.6.12. NOTE: https://bugs.php.net/bug.php?id=72321 NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=d144590d38fa321b46b8e199c754006318985c84 NOTE: Fixed in 5.6.23 CVE-2016-4472 (The overflow protection in Expat is removed by compilers with certain ...) {DSA-3582-1 DLA-483-1} - expat 2.1.1-2 NOTE: https://sourceforge.net/p/expat/code_git/ci/f0bec73b018caa07d3e75ec8dd967f3785d71bde/tree/expat/lib/xmlparse.c?diff=a238d7ea7a715ef3850c4cbdd86aeda7077b6bbc CVE-2016-4471 (ManageIQ in CloudForms before 4.1 allows remote authenticated users to ...) NOT-FOR-US: Red Hat CloudForms CVE-2016-4470 (The key_reject_and_link function in security/keys/key.c in the Linux k ...) {DSA-3607-1 DLA-609-1} - linux 4.6.2-2 NOTE: Fixed by: https://github.com/torvalds/linux/commit/38327424b40bcebe2de92d07312c89360ac9229a CVE-2016-4469 (Multiple cross-site request forgery (CSRF) vulnerabilities in Apache A ...) NOT-FOR-US: Apache Archiva CVE-2016-4468 (SQL injection vulnerability in Pivotal Cloud Foundry (PCF) before 238; ...) NOT-FOR-US: Pivotal Cloud Foundry CVE-2016-4467 (The C client and C-based client bindings in the Apache Qpid Proton lib ...) - qpid-proton (Windows-specific) CVE-2016-4466 REJECTED CVE-2016-4465 (The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and ...) - libstruts1.2-java (Only affects 2.3.20 to 2.3.28.1 and 2.5) NOTE: https://struts.apache.org/docs/s2-041.html CVE-2016-4464 (The application plugins in Apache CXF Fediz 1.2.x before 1.2.3 and 1.3 ...) NOT-FOR-US: Apache CXF CVE-2016-4463 (Stack-based buffer overflow in Apache Xerces-C++ before 3.1.4 allows c ...) {DSA-3610-1 DLA-535-1} - xerces-c 3.1.3+debian-2.1 (bug #828990) NOTE: http://xerces.apache.org/xerces-c/secadv/CVE-2016-4463.txt CVE-2016-4462 (By manipulating the URL parameter externalLoginKey, a malicious, logge ...) NOT-FOR-US: Apache OFBiz CVE-2016-4461 (Apache Struts 2.x before 2.3.29 allows remote attackers to execute arb ...) - libstruts1.2-java (Vulnerable code not present, CVE for incomplete fix for CVE-2016-0785) CVE-2016-4460 (Apache Pony Mail 0.6c through 0.8b allows remote attackers to bypass a ...) NOT-FOR-US: Apache Pony Mail CVE-2016-4459 (Stack-based buffer overflow in native/mod_manager/node.c in mod_cluste ...) - libapache2-mod-cluster (bug #731410) CVE-2016-4458 RESERVED CVE-2016-4457 (CloudForms Management Engine before 5.8 includes a default SSL/TLS cer ...) NOT-FOR-US: Red Hat CloudForms CVE-2016-4455 (The Subscription Manager package (aka subscription-manager) before 1.1 ...) NOT-FOR-US: Red Hat Subscription Manager CVE-2016-4454 (The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in QEMU a ...) {DLA-1599-1} - qemu 1:2.6+dfsg-3 [wheezy] - qemu (Minor issue) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg05271.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1336429 CVE-2016-4453 (The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU allows ...) {DLA-1599-1} - qemu 1:2.6+dfsg-3 [wheezy] - qemu (Minor issue) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg05270.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1336650 CVE-2016-4452 RESERVED CVE-2016-4451 (The (1) Organization and (2) Locations APIs in Foreman before 1.11.3 a ...) - foreman (bug #663101) CVE-2016-4450 (os/unix/ngx_files.c in nginx before 1.10.1 and 1.11.x before 1.11.1 al ...) {DSA-3592-1} - nginx 1.10.1-1 (bug #825960) [wheezy] - nginx (Introduced in 1.3.9) CVE-2016-4449 (XML external entity (XXE) vulnerability in the xmlStringLenDecodeEntit ...) {DSA-3593-1 DLA-503-1} - libxml2 2.9.3+dfsg1-1.1 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=761430 NOTE: https://git.gnome.org/browse/libxml2/commit/?id=b1d34de46a11323fccffa9fadeb33be670d602f5 (v2.9.4) CVE-2016-4448 (Format string vulnerability in libxml2 before 2.9.4 allows attackers t ...) - libxml2 2.9.4+dfsg1-1 (bug #829718) [jessie] - libxml2 (Minor impact; too intrusive to backport) [wheezy] - libxml2 (Minor impact; too intrusive to backport) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=761029 NOTE: https://git.gnome.org/browse/libxml2/commit/?id=4472c3a5a5b516aaf59b89be602fbce52756c3e9 (v2.9.4) NOTE: https://git.gnome.org/browse/libxml2/commit/?id=502f6a6d08b08c04b3ddfb1cd21b2f699c1b7f5b (v2.9.4) CVE-2016-4447 (The xmlParseElementDecl function in parser.c in libxml2 before 2.9.4 a ...) {DSA-3593-1 DLA-503-1} - libxml2 2.9.3+dfsg1-1.1 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=759573 NOTE: https://git.gnome.org/browse/libxml2/commit/?id=00906759053986b8079985644172085f74331f83 (v2.9.4) CVE-2016-4446 (The allow_execstack plugin for setroubleshoot allows local users to ex ...) NOT-FOR-US: setroubleshoot CVE-2016-4445 (The fix_lookup_id function in sealert in setroubleshoot before 3.2.23 ...) NOT-FOR-US: setroubleshoot CVE-2016-4444 (The allow_execmod plugin for setroubleshoot before 3.2.23 allows local ...) NOT-FOR-US: setroubleshoot CVE-2016-4443 (Red Hat Enterprise Virtualization (RHEV) Manager 3.6 allows local user ...) NOT-FOR-US: org.ovirt.engine-root / engine-setup (Red Hat) CVE-2016-4442 (The rack-mini-profiler gem before 0.10.1 for Ruby allows remote attack ...) NOT-FOR-US: rack-mini-profiler gem CVE-2016-4441 (The get_cmd function in hw/scsi/esp.c in the 53C9X Fast SCSI Controlle ...) {DLA-1599-1} - qemu 1:2.6+dfsg-2 (bug #824856) [wheezy] - qemu (Minor issue; can be fixed along with a future DSA) - qemu-kvm [wheezy] - qemu-kvm (Minor issue; can be fixed along with a future DSA) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg03274.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1337505 CVE-2016-4440 (arch/x86/kvm/vmx.c in the Linux kernel through 4.6.3 mishandles the AP ...) - linux 4.5.5-1 [jessie] - linux (Introduced in 4.5) [wheezy] - linux (Introduced in 4.5) NOTE: Upstream patch: https://github.com/torvalds/linux/commit/3ce424e45411cf5a13105e0386b6ecf6eeb4f66f NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1337806 NOTE: http://comments.gmane.org/gmane.comp.emulators.kvm.devel/152100 CVE-2016-4439 (The esp_reg_write function in hw/scsi/esp.c in the 53C9X Fast SCSI Con ...) {DLA-1599-1 DLA-574-1 DLA-573-1} - qemu 1:2.6+dfsg-2 (bug #824856) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg03273.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1337502 CVE-2016-4438 (The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remo ...) - libstruts1.2-java (Only affects 2.3.20 to 2.3.28.1) NOTE: https://struts.apache.org/docs/s2-037.html CVE-2016-4437 (Apache Shiro before 1.2.5, when a cipher key has not been configured f ...) - shiro 1.2.5-1 (bug #826653) [jessie] - shiro (Minor issue) CVE-2016-4436 (Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers t ...) - libstruts1.2-java (Only affects 2.0.0 to 2.3.28.1) NOTE: https://struts.apache.org/docs/s2-035.html CVE-2016-4435 (An endpoint of the Agent running on the BOSH Director VM with stemcell ...) NOT-FOR-US: BOSH CVE-2016-4434 (Apache Tika before 1.13 does not properly initialize the XML parser or ...) - tika 1.18-1 (bug #825501) [jessie] - tika (Minor issue, no standard alone package, just a reverse dependency of jmeter) CVE-2016-4433 (Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to byp ...) - libstruts1.2-java (Only affects 2.3.20 to 2.3.28.1) NOTE: https://struts.apache.org/docs/s2-039.html CVE-2016-4432 (The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid J ...) - qpid-java (bug #840131) CVE-2016-4431 (Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to byp ...) - libstruts1.2-java (Only affects 2.3.20 to 2.3.28.1) NOTE: https://struts.apache.org/docs/s2-040.html CVE-2016-4430 (Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, w ...) - libstruts1.2-java (Only affects 2.3.20 to 2.3.28.1) NOTE: https://struts.apache.org/docs/s2-038.html CVE-2016-4429 (Stack-based buffer overflow in the clntudp_call function in sunrpc/cln ...) {DLA-2256-1} - glibc 2.22-10 [jessie] - glibc 2.19-18+deb8u5 - eglibc [wheezy] - eglibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20112 - libtirpc 0.2.5-1.1 (bug #840347) [wheezy] - libtirpc (Minor issue) CVE-2016-4428 (Cross-site scripting (XSS) vulnerability in OpenStack Dashboard (Horiz ...) {DSA-3617-1 DLA-520-1} - horizon 3:9.0.1-2 (bug #828967) NOTE: https://bugs.launchpad.net/bugs/1567673 CVE-2016-4427 RESERVED CVE-2016-4426 RESERVED CVE-2016-4424 RESERVED CVE-2016-4423 (The attemptAuthentication function in Component/Security/Http/Firewall ...) {DSA-3588-1} - symfony 2.8.6+dfsg-1 NOTE: https://github.com/symfony/symfony/pull/18733 NOTE: https://symfony.com/blog/cve-2016-4423-large-username-storage-in-session CVE-2015-8872 (The set_fat function in fat.c in dosfstools before 4.0 might allow att ...) {DLA-2224-1 DLA-474-1} - dosfstools 4.0-1 NOTE: https://github.com/dosfstools/dosfstools/issues/12 NOTE: https://github.com/dosfstools/dosfstools/commit/07908124838afcc99c577d1d3e84cef2dbd39cb7 CVE-2015-8870 (Integer overflow in tools/bmp2tiff.c in LibTIFF before 4.0.4 allows re ...) - tiff 4.0.3-12 [wheezy] - tiff 4.0.2-6+deb7u4 NOTE: Fixed already with the patch applied in 4.0.3-12 in unstable for the NOTE: CVE-2014-9330 issue. - tiff3 (libtiff-tools not shipped in tiff3) CVE-2013-7455 (Double free vulnerability in the DefaultICCintents function in cmscnvr ...) - lcms2 2.6-1 [wheezy] - lcms2 (vulnerable code not present, no cmsPipelineFree(Lut); in Error:-part) NOTE: https://www.kb.cert.org/vuls/id/369800 NOTE: https://github.com/mm2/Little-CMS/commit/fefaaa43c382eee632ea3ad0cfa915335140e1db#diff-189a94f0a7a47efdd43f5567e27a973b CVE-2016-XXXX [XSS] - dotclear NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/05/04/9 CVE-2016-4482 (The proc_connectinfo function in drivers/usb/core/devio.c in the Linux ...) {DSA-3607-1 DLA-516-1} - linux 4.5.5-1 NOTE: http://www.spinics.net/lists/linux-usb/msg140243.html NOTE: http://www.openwall.com/lists/oss-security/2016/05/04/2 NOTE: Fixed by: https://github.com/torvalds/linux/commit/681fef8380eb818c0b845fca5d2ab1dcbab114ee CVE-2016-4483 (The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 all ...) {DSA-3593-1 DLA-503-1} - libxml2 2.9.3+dfsg1-1.1 (bug #823405) NOTE: Minor issue, only when using libxml2 using recovery mode NOTE: https://git.gnome.org/browse/libxml2/commit/?id=c97750d11bb8b6f3303e7131fe526a61ac65bcfd (v2.9.4) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=766414 CVE-2016-4477 (wpa_supplicant 0.4.0 through 2.5 does not reject \n and \r characters ...) {DLA-473-1} - wpa 2.3-2.4 (bug #823411) [jessie] - wpa 2.3-1+deb8u4 NOTE: http://w1.fi/security/2016-1/ CVE-2016-4476 (hostapd 0.6.7 through 2.5 and wpa_supplicant 0.6.7 through 2.5 do not ...) {DLA-473-1} - wpa 2.3-2.4 (bug #823411) [jessie] - wpa 2.3-1+deb8u4 NOTE: http://w1.fi/security/2016-1/ CVE-2016-4413 RESERVED CVE-2016-4411 RESERVED CVE-2016-4410 RESERVED CVE-2016-4409 RESERVED CVE-2016-4408 RESERVED CVE-2016-4407 (The DSA algorithm implementation in SAP SAPCRYPTOLIB 5.555.38 does not ...) NOT-FOR-US: SAP CVE-2016-4406 (A remote cross site scripting vulnerability was identified in HPE iLO ...) NOT-FOR-US: HPE iLO CVE-2016-4405 (A remote code execution vulnerability was identified in HP Business Se ...) NOT-FOR-US: HP CVE-2016-4404 (A security vulnerability was identified in the Filter SDK component of ...) NOT-FOR-US: HPE KeyView using Filter SDK CVE-2016-4403 (A security vulnerability was identified in the Filter SDK component of ...) NOT-FOR-US: HPE KeyView using Filter SDK CVE-2016-4402 (A security vulnerability was identified in the Filter SDK component of ...) NOT-FOR-US: HPE KeyView using Filter SDK CVE-2016-4401 (Aruba ClearPass Policy Manager before 6.5.7 and 6.6.x before 6.6.2 all ...) NOT-FOR-US: Aruba ClearPass Policy Manager CVE-2016-4400 (A security vulnerability was identified in HP Network Node Manager i ( ...) NOT-FOR-US: HP Network Node Manager i CVE-2016-4399 (A security vulnerability was identified in HP Network Node Manager i ( ...) NOT-FOR-US: HP Network Node Manager i CVE-2016-4398 (A remote arbitrary code execution vulnerability was identified in HP N ...) NOT-FOR-US: HP Network Node Manager i CVE-2016-4397 (A local code execution security vulnerability was identified in HP Net ...) NOT-FOR-US: HP Network Node Manager i CVE-2016-4396 (HPE System Management Homepage before v7.6 allows remote attackers to ...) NOT-FOR-US: HPE System Management Homepage CVE-2016-4395 (HPE System Management Homepage before v7.6 allows remote attackers to ...) NOT-FOR-US: HPE System Management Homepage CVE-2016-4394 (HPE System Management Homepage before v7.6 allows remote attackers to ...) NOT-FOR-US: HPE System Management Homepage CVE-2016-4393 (HPE System Management Homepage before v7.6 allows "remote authenticate ...) NOT-FOR-US: HPE System Management Homepage CVE-2016-4392 (A remote cross site scripting vulnerability has been identified in HP ...) NOT-FOR-US: HP Business Service Management CVE-2016-4391 (A remote code execution security vulnerability has been identified in ...) NOT-FOR-US: HP ArcSight WINC Connector CVE-2016-4390 (The Filter SDK in HPE KeyView 10.18 through 10.24 allows remote attack ...) NOT-FOR-US: HPE KeyView CVE-2016-4389 (The Filter SDK in HPE KeyView 10.18 through 10.24 allows remote attack ...) NOT-FOR-US: HPE KeyView CVE-2016-4388 (The Filter SDK in HPE KeyView 10.18 through 10.24 allows remote attack ...) NOT-FOR-US: HPE KeyView CVE-2016-4387 (The Filter SDK in HPE KeyView 10.18 through 10.24 allows remote attack ...) NOT-FOR-US: HPE KeyView CVE-2016-4386 (HPE Network Automation Software 10.10 allows local users to write to a ...) NOT-FOR-US: HPE Network Automation CVE-2016-4385 (The RMI service in HP Network Automation Software 9.1x, 9.2x, 10.0x be ...) NOT-FOR-US: HPE Network Automation CVE-2016-4384 (HPE Performance Center before 12.50 and LoadRunner before 12.50 allow ...) NOT-FOR-US: HPE Performance Center CVE-2016-4383 (The glance-manage db in all versions of HPE Helion Openstack Glance al ...) - glance (unimportant; bug #868185) NOTE: https://bugs.launchpad.net/glance/+bug/1593799/ NOTE: https://wiki.openstack.org/wiki/OSSN/OSSN-0075 NOTE: No code fix, documented shortcoming CVE-2016-4382 (HPE Performance Center 11.52, 12.00, 12.01, 12.20, and 12.50 allows re ...) NOT-FOR-US: HPE Performance Center CVE-2016-4381 (HPE XP7 Command View Advanced Edition (CVAE) Suite 6.x through 8.x bef ...) NOT-FOR-US: HPE CVE-2016-4380 (Cross-site scripting (XSS) vulnerability in the AdminUI in HPE Operati ...) NOT-FOR-US: HPE CVE-2016-4379 (The TLS implementation in HPE Integrated Lights-Out 3 (aka iLO3) firmw ...) NOT-FOR-US: HPE CVE-2016-4378 (The (1) Device Manager, (2) Tiered Storage Manager, (3) Replication Ma ...) NOT-FOR-US: HPE CVE-2016-4377 (HPE Smart Update in Storage Sizing Tool before 13.0, Converged Infrast ...) NOT-FOR-US: HPE CVE-2016-4376 (HPE FOS before 7.4.1d and 8.x before 8.0.1 on StoreFabric B switches a ...) NOT-FOR-US: HPE CVE-2016-4375 (Multiple unspecified vulnerabilities in HPE Integrated Lights-Out 3 (a ...) NOT-FOR-US: HPE CVE-2016-4374 (HPE Release Control (RC) 9.13, 9.20, and 9.21 before 9.21.0005 p4 allo ...) NOT-FOR-US: HPE CVE-2016-4373 (The AdminUI in HPE Operations Manager (OM) before 9.21.130 on Linux, U ...) NOT-FOR-US: HPE CVE-2016-4372 (HPE iMC PLAT before 7.2 E0403P04, iMC EAD before 7.2 E0405P05, iMC APM ...) NOT-FOR-US: HPE CVE-2016-4371 (HPE Service Manager Software 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, ...) NOT-FOR-US: HPE Service Manager CVE-2016-4370 (HPE Project and Portfolio Management Center (PPM) 9.2x and 9.3x before ...) NOT-FOR-US: HPE Project and Portfolio Management Center CVE-2016-4369 (HPE Discovery and Dependency Mapping Inventory (DDMi) 9.30, 9.31, 9.32 ...) NOT-FOR-US: HPE Discovery and Dependency Mapping Inventory CVE-2016-4368 (HPE Universal CMDB 10.0 through 10.21, Universal CMDB Configuration Ma ...) NOT-FOR-US: HPE Universal CMDB CVE-2016-4367 (The Universal Discovery component in HPE Universal CMDB 10.0, 10.01, 1 ...) NOT-FOR-US: HPE Universal CMDB CVE-2016-4366 (HPE Systems Insight Manager (SIM) before 7.5.1 allows remote attackers ...) NOT-FOR-US: HPE Systems Insight Manager CVE-2016-4365 (HPE Insight Control server deployment allows remote attackers to obtai ...) NOT-FOR-US: HPE Insight Control CVE-2016-4364 (HPE Insight Control server deployment allows local users to gain privi ...) NOT-FOR-US: HPE Insight Control CVE-2016-4363 (HPE Insight Control server deployment allows remote attackers to modif ...) NOT-FOR-US: HPE Insight Control CVE-2016-4362 (HPE Insight Control server deployment allows remote authenticated user ...) NOT-FOR-US: HPE Insight Control CVE-2016-4361 (HPE LoadRunner 11.52 through patch 3, 12.00 through patch 1, 12.01 thr ...) NOT-FOR-US: HPE LoadRunner CVE-2016-4360 (web/admin/data.js in the Performance Center Virtual Table Server (VTS) ...) NOT-FOR-US: HPE LoadRunner CVE-2016-4359 (Stack-based buffer overflow in mchan.dll in the agent in HPE LoadRunne ...) NOT-FOR-US: HPE LoadRunner CVE-2016-4358 (HPE Matrix Operating Environment before 7.5.1 allows remote attackers ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2016-4357 (HPE Matrix Operating Environment before 7.5.1 allows remote authentica ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2016-4351 (SQL injection vulnerability in the authentication functionality in Tre ...) NOT-FOR-US: Trend Micro CVE-2016-4350 (Multiple SQL injection vulnerabilities in the Web Services web server ...) NOT-FOR-US: SolarWinds Storage Resource Monitor CVE-2014-9773 (modules/chanserv/flags.c in Atheme before 7.2.7 allows remote attacker ...) - atheme-services 7.0.7-2 [jessie] - atheme-services (Vulnerable code introduced later) NOTE: https://github.com/atheme/atheme/issues/397 NOTE: Fixed by: https://github.com/atheme/atheme/commit/c597156adc60a45b5f827793cd420945f47bc03b NOTE: Introduced in: https://github.com/atheme/atheme/commit/5c734f28068cf47b9b450af4dcf37195734b15be NOTE: http://www.openwall.com/lists/oss-security/2016/05/02/2 CVE-2016-4478 (Buffer overflow in the xmlrpc_char_encode function in modules/transpor ...) {DSA-3586-1} - atheme-services 7.0.7-2 NOTE: https://github.com/atheme/atheme/commit/87580d767868360d2fed503980129504da84b63e NOTE: http://www.openwall.com/lists/oss-security/2016/05/02/2 CVE-2016-4425 (Jansson 2.7 and earlier allows context-dependent attackers to cause a ...) {DSA-3577-1 DLA-471-1} - jansson 2.7-5 (bug #823238) NOTE: https://github.com/akheron/jansson/issues/282 NOTE: https://github.com/akheron/jansson/pull/284 NOTE: http://www.openwall.com/lists/oss-security/2016/05/01/5 CVE-2016-4422 (The pam_sm_authenticate function in pam_sshauth.c in libpam-sshauth mi ...) {DSA-3567-1} - libpam-sshauth 0.4.1-2 NOTE: Introduced in: https://bazaar.launchpad.net/~ltsp-upstream/ltsp/libpam-sshauth/revision/93/src/pam_sshauth.c NOTE: Fixed in: https://bazaar.launchpad.net/~ltsp-upstream/ltsp/libpam-sshauth/revision/114 NOTE: http://www.openwall.com/lists/oss-security/2016/05/01/2 CVE-2016-4414 (The onReadyRead function in core/coreauthhandler.cpp in Quassel before ...) - quassel 1:0.12.4-2 (bug #826402) [jessie] - quassel 1:0.10.0-2.3+deb8u3 [wheezy] - quassel (Vulnerable code introduced with 0.10.0) NOTE: https://github.com/quassel/quassel/blob/f64ac93/src/core/coreauthhandler.cpp#L100 NOTE: Introduced by: https://github.com/quassel/quassel/commit/d1bf207 (0.10.0) NOTE: Fixed by: https://github.com/quassel/quassel/commit/e67887343c433cc35bc26ad6a9392588f427e746 (0.12.4) NOTE: http://www.openwall.com/lists/oss-security/2016/04/30/2 CVE-2016-4349 (Untrusted search path vulnerability in Cisco WebEx Productivity Tools ...) NOT-FOR-US: Cisco CVE-2016-4352 (Integer overflow in the demuxer function in libmpdemux/demux_gif.c in ...) {DLA-458-1 DLA-457-1} - mplayer 2:1.3.0-2 (bug #823723) - mplayer2 (low) [jessie] - mplayer2 (Minor issue) NOTE: https://trac.mplayerhq.hu/ticket/2295 NOTE: Fixed in Revision r37857 upstream NOTE: http://www.openwall.com/lists/oss-security/2016/04/29/3 CVE-2015-8869 (OCaml before 4.03.0 does not properly handle sign extensions, which al ...) {DLA-466-1} - ocaml 4.02.3-9 (bug #824139) [jessie] - ocaml (Minor issue; can be fixed via point release and sheduling binNMUs there) NOTE: https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74#diff-a97df53e3ebc59bb457191b496c90762 NOTE: http://www.openwall.com/lists/oss-security/2016/04/29/1 NOTE: Ocaml applications using the patched functions need to be recompiled with the NOTE: fixed ocaml version. CVE-2016-4341 (NetApp Clustered Data ONTAP before 8.3.2P7 allows remote attackers to ...) NOT-FOR-US: NetApp CVE-2016-4339 RESERVED CVE-2016-4338 (The mysql user parameter configuration script (userparameter_mysql.con ...) - zabbix 1:3.0.3+dfsg-1 (bug #823329) [jessie] - zabbix 1:2.2.7+dfsg-2+deb8u1 NOTE: http://seclists.org/bugtraq/2016/May/11 NOTE: https://support.zabbix.com/browse/ZBX-10741 CVE-2016-4337 (SQL injection vulnerability in the mgr.login.php file in Ktools.net Ph ...) NOT-FOR-US: Photostore CVE-2016-4336 (An exploitable out-of-bounds write exists in the Bzip2 parsing of the ...) NOT-FOR-US: Lexmark Document Filters CVE-2016-4335 (An exploitable buffer overflow exists in the XLS parsing of the Lexmar ...) NOT-FOR-US: Lexmark Document Filters CVE-2016-4334 (Jive before 2016.3.1 has an open redirect from the external-link.jspa ...) NOT-FOR-US: Jive CVE-2016-4333 (The HDF5 1.8.16 library allocating space for the array using a value f ...) {DSA-3727-1 DLA-771-1} - hdf5 1.10.0-patch1+docs-1 (bug #845301) NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0179/ NOTE: Fixed by: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/73640612aad91d3f04e4d8f1ea71d42acbc85f6e CVE-2016-4332 (The library's failure to check if certain message types support a part ...) {DSA-3727-1 DLA-771-1} - hdf5 1.10.0-patch1+docs-1 (bug #845301) NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0178/ NOTE: Fixed by: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/e1d50d498a0affbbd6e088b524fd495ea95dea88 CVE-2016-4331 (When decoding data out of a dataset encoded with the H5Z_NBIT decoding ...) {DSA-3727-1 DLA-771-1} - hdf5 1.10.0-patch1+docs-1 (bug #845301) NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0177/ NOTE: Fixed by: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/e1c4ec3d541eecda78b3afcb1a0fa071c4b52afa NOTE: Fixed by: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/43ec23616697ce0ea3f99e40900fec55fe9107ef CVE-2016-4330 (In the HDF5 1.8.16 library's failure to check if the number of dimensi ...) {DSA-3727-1 DLA-771-1} - hdf5 1.10.0-patch1+docs-1 (bug #845301) NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0176/ NOTE: Fixed by: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/2e7e1899d3d7131bcbad65233ba713f6b79e2d69 CVE-2016-4329 (A local denial of service vulnerability exists in window broadcast mes ...) NOT-FOR-US: Kaspersky CVE-2016-4328 (MEDHOST Perioperative Information Management System (aka PIMS or VPIMS ...) NOT-FOR-US: MEDHOST Perioperative Information Management System CVE-2016-4327 (Cross-site scripting (XSS) vulnerability in WSO2 SOA Enablement Server ...) NOT-FOR-US: WSO2 SOA Enablement Server CVE-2016-4326 (The Chef Manage (formerly opscode-manage) add-on before 1.12.0 for Che ...) NOT-FOR-US: Chef Manage addon CVE-2016-4325 (Lantronix xPrintServer devices with firmware before 5.0.1-65 have hard ...) NOT-FOR-US: Lantronix xPrintServer CVE-2016-4324 (Use-after-free vulnerability in LibreOffice before 5.1.4 allows remote ...) {DSA-3608-1 DLA-581-1} - libreoffice 1:5.1.4~rc1-1 NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2016-4324/ NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0126/ CVE-2016-4323 (A directory traversal exists in the handling of the MXIT protocol in P ...) {DSA-3620-1 DLA-542-1} - pidgin 2.11.0-1 NOTE: http://www.talosintel.com/reports/TALOS-2016-0128/ NOTE: http://www.pidgin.im/news/security/?id=97 CVE-2016-4322 (BMC BladeLogic Server Automation (BSA) before 8.7 Patch 3 allows remot ...) NOT-FOR-US: BMC CVE-2016-4321 RESERVED CVE-2016-4320 (Atlassian Bitbucket Server before 4.7.1 allows remote attackers to rea ...) NOT-FOR-US: Atlassian Bitbucket Server CVE-2016-4319 (Atlassian JIRA Server before 7.1.9 has CSRF in auditing/settings. ...) NOT-FOR-US: Atlassian JIRA Server CVE-2016-4318 (Atlassian JIRA Server before 7.1.9 has XSS in project/ViewDefaultProje ...) NOT-FOR-US: Atlassian JIRA Server CVE-2016-4317 (Atlassian Confluence Server before 5.9.11 has XSS on the viewmyprofile ...) NOT-FOR-US: Atlassian Confluence CVE-2016-4316 (Multiple cross-site scripting (XSS) vulnerabilities in WSO2 Carbon 4.4 ...) NOT-FOR-US: WSO2 Carbon CVE-2016-4315 (Cross-site request forgery (CSRF) vulnerability in WSO2 Carbon 4.4.5 a ...) NOT-FOR-US: WSO2 Carbon CVE-2016-4314 (Directory traversal vulnerability in the LogViewer Admin Service in WS ...) NOT-FOR-US: WSO2 Carbon CVE-2016-4313 (Directory traversal vulnerability in unzip/extract feature in eXtplore ...) {DLA-596-1} - extplorer CVE-2016-4312 (XML external entity (XXE) vulnerability in the XACML flow feature in W ...) NOT-FOR-US: WSO2 Identity Server CVE-2016-4311 (Cross-site request forgery (CSRF) vulnerability in the XACML flow feat ...) NOT-FOR-US: WSO2 Identity Server CVE-2016-4310 RESERVED CVE-2016-4309 (Session fixation vulnerability in Symphony CMS 2.6.7, when session.use ...) NOT-FOR-US: Symphony CMS CVE-2016-4308 RESERVED CVE-2016-4307 (A denial of service vulnerability exists in the IOCTL handling functio ...) NOT-FOR-US: Kaspersky Internet Security KL1 driver CVE-2016-4306 (Multiple information leaks exist in various IOCTL handlers of the Kasp ...) NOT-FOR-US: Kaspersky Internet Security KLDISK driver CVE-2016-4305 (A denial of service vulnerability exists in the syscall filtering func ...) NOT-FOR-US: Kaspersky Internet Security KLIF driver CVE-2016-4304 (A denial of service vulnerability exists in the syscall filtering func ...) NOT-FOR-US: Kaspersky Internet Security KLIF driver CVE-2016-4303 (The parse_string function in cjson.c in the cJSON library mishandles U ...) {DLA-2080-1} - iperf3 3.1.3-1 (bug #827116) NOTE: https://raw.githubusercontent.com/esnet/security/master/cve-2016-4303/esnet-secadv-2016-0001.txt.asc NOTE: https://github.com/esnet/iperf/commit/f01a9ca8f7e878e438a53687dabe30b7f7222912 (3.1.x) NOTE: http://www.talosintel.com/reports/TALOS-2016-0164/ CVE-2016-4302 (Heap-based buffer overflow in the parse_codes function in archive_read ...) {DSA-3657-1 DLA-554-1} - libarchive 3.2.1-1 NOTE: http://blog.talosintel.com/2016/06/the-poisoned-archives.html NOTE: http://www.talosintel.com/reports/TALOS-2016-0154/ NOTE: https://github.com/libarchive/libarchive/issues/719 NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/05caadc7eedbef471ac9610809ba683f0c698700 (v3.2.1) CVE-2016-4301 (Stack-based buffer overflow in the parse_device function in archive_re ...) - libarchive 3.2.1-1 [jessie] - libarchive (Introduced in 3.2.0) [wheezy] - libarchive (Introduced in 3.2.0) NOTE: http://blog.talosintel.com/2016/06/the-poisoned-archives.html NOTE: http://www.talosintel.com/reports/TALOS-2016-0153/ NOTE: https://github.com/libarchive/libarchive/pull/715 NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/ecdac4d50db0cf5a0c630ba077729aaa6c5a2dd2 CVE-2016-4300 (Integer overflow in the read_SubStreamsInfo function in archive_read_s ...) {DSA-3657-1 DLA-554-1} - libarchive 3.2.1-1 NOTE: http://blog.talosintel.com/2016/06/the-poisoned-archives.html NOTE: http://www.talosintel.com/reports/TALOS-2016-0152/ NOTE: https://github.com/libarchive/libarchive/issues/718 NOTE: Requirement: https://github.com/libarchive/libarchive/commit/3d469df8eaace8297a27ce62befa295c0fdc5a3a NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/e79ef306afe332faf22e9b442a2c6b59cb175573 (v3.2.1) NOTE: Notice introduction of UMAX_ENTRY with 3d469df8eaace8297a27ce62befa295c0fdc5a3a NOTE: Libarchive 3.1.2 and lower has a much smaller "UMAX_ENTRY", which is hardcoded NOTE: in various places before 3d469df8eaace8297a27ce62befa295c0fdc5a3a and has value NOTE: 1000000, making exploitation more difficult but not impossible. CVE-2016-4299 RESERVED CVE-2016-4298 (When opening a Hangul HShow Document (.hpt) and processing a structure ...) NOT-FOR-US: Hancom Office CVE-2016-4297 RESERVED CVE-2016-4296 (When opening a Hangul Hcell Document (.cell) and processing a record t ...) NOT-FOR-US: Hancom Office CVE-2016-4295 (When opening a Hangul Hcell Document (.cell) and processing a particul ...) NOT-FOR-US: Hancom Office CVE-2016-4294 (When opening a Hangul Hcell Document (.cell) and processing a property ...) NOT-FOR-US: Hancom Office CVE-2016-4293 (Multiple heap-based buffer overflows in the (1) CBookBase::SetDefTable ...) NOT-FOR-US: Hancom Office CVE-2016-4292 (When opening a Hangul HShow Document (.hpt) and processing a structure ...) NOT-FOR-US: Hancom Office CVE-2016-4291 (When opening a Hangul HShow Document (.hpt) and processing a structure ...) NOT-FOR-US: Hancom Office CVE-2016-4290 (When opening a Hangul HShow Document (.hpt) and processing a structure ...) NOT-FOR-US: Hancom Office CVE-2016-4289 (A stack based buffer overflow vulnerability exists in the method recei ...) NOT-FOR-US: GMER CVE-2016-4288 (A local privilege escalation vulnerability exists in BlueStacks App Pl ...) NOT-FOR-US: BlueStacks CVE-2016-4287 (Integer overflow in Adobe Flash Player before 18.0.0.375 and 19.x thro ...) NOT-FOR-US: Adobe Flash Player CVE-2016-4286 (Adobe Flash Player before 18.0.0.382 and 19.x through 23.x before 23.0 ...) NOT-FOR-US: Adobe CVE-2016-4285 (Adobe Flash Player before 18.0.0.375 and 19.x through 23.x before 23.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-4284 (Adobe Flash Player before 18.0.0.375 and 19.x through 23.x before 23.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-4283 (Adobe Flash Player before 18.0.0.375 and 19.x through 23.x before 23.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-4282 (Adobe Flash Player before 18.0.0.375 and 19.x through 23.x before 23.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-4281 (Adobe Flash Player before 18.0.0.375 and 19.x through 23.x before 23.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-4280 (Adobe Flash Player before 18.0.0.375 and 19.x through 23.x before 23.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-4279 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.375 a ...) NOT-FOR-US: Adobe Flash Player CVE-2016-4278 (Adobe Flash Player before 18.0.0.375 and 19.x through 23.x before 23.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-4277 (Adobe Flash Player before 18.0.0.375 and 19.x through 23.x before 23.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-4276 (Adobe Flash Player before 18.0.0.375 and 19.x through 23.x before 23.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-4275 (Adobe Flash Player before 18.0.0.375 and 19.x through 23.x before 23.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-4274 (Adobe Flash Player before 18.0.0.375 and 19.x through 23.x before 23.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-4273 (Adobe Flash Player before 18.0.0.382 and 19.x through 23.x before 23.0 ...) NOT-FOR-US: Adobe CVE-2016-4272 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.375 a ...) NOT-FOR-US: Adobe Flash Player CVE-2016-4271 (Adobe Flash Player before 18.0.0.375 and 19.x through 23.x before 23.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-4270 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4269 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4268 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4267 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4266 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4265 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4264 (The Office Open XML (OOXML) feature in Adobe ColdFusion 10 before Upda ...) NOT-FOR-US: Adobe CVE-2016-4263 (Use-after-free vulnerability in Adobe Digital Editions before 4.5.2 al ...) NOT-FOR-US: Adobe CVE-2016-4262 (Adobe Digital Editions before 4.5.2 allows attackers to execute arbitr ...) NOT-FOR-US: Adobe CVE-2016-4261 (Adobe Digital Editions before 4.5.2 allows attackers to execute arbitr ...) NOT-FOR-US: Adobe CVE-2016-4260 (Adobe Digital Editions before 4.5.2 allows attackers to execute arbitr ...) NOT-FOR-US: Adobe CVE-2016-4259 (Adobe Digital Editions before 4.5.2 allows attackers to execute arbitr ...) NOT-FOR-US: Adobe CVE-2016-4258 (Adobe Digital Editions before 4.5.2 allows attackers to execute arbitr ...) NOT-FOR-US: Adobe CVE-2016-4257 (Adobe Digital Editions before 4.5.2 allows attackers to execute arbitr ...) NOT-FOR-US: Adobe CVE-2016-4256 (Adobe Digital Editions before 4.5.2 allows attackers to execute arbitr ...) NOT-FOR-US: Adobe CVE-2016-4255 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe CVE-2016-4254 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4253 (The Backup functionality in Adobe Experience Manager 5.6.1, 6.0, 6.1, ...) NOT-FOR-US: Adobe CVE-2016-4252 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4251 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4250 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4249 (Heap-based buffer overflow in Adobe Flash Player before 18.0.0.366 and ...) NOT-FOR-US: Adobe CVE-2016-4248 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.366 a ...) NOT-FOR-US: Adobe CVE-2016-4247 (Race condition in Adobe Flash Player before 18.0.0.366 and 19.x throug ...) NOT-FOR-US: Adobe CVE-2016-4246 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4245 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4244 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4243 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4242 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4241 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4240 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4239 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4238 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4237 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4236 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4235 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4234 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4233 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4232 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4231 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.366 a ...) NOT-FOR-US: Adobe CVE-2016-4230 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.366 a ...) NOT-FOR-US: Adobe CVE-2016-4229 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.366 a ...) NOT-FOR-US: Adobe CVE-2016-4228 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.366 a ...) NOT-FOR-US: Adobe CVE-2016-4227 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.366 a ...) NOT-FOR-US: Adobe CVE-2016-4226 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.366 a ...) NOT-FOR-US: Adobe CVE-2016-4225 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4224 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4223 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4222 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.366 a ...) NOT-FOR-US: Adobe CVE-2016-4221 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4220 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4219 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4218 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4217 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4216 (XMPCore in Adobe XMP Toolkit for Java before 5.1.3 allows remote attac ...) NOT-FOR-US: Adobe CVE-2016-4215 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4214 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4213 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4212 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4211 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4210 (Integer overflow in Adobe Reader and Acrobat before 11.0.17, Acrobat a ...) NOT-FOR-US: Adobe CVE-2016-4209 (Heap-based buffer overflow in Adobe Reader and Acrobat before 11.0.17, ...) NOT-FOR-US: Adobe CVE-2016-4208 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4207 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4206 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4205 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4204 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4203 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4202 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4201 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4200 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4199 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4198 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4197 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4196 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4195 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4194 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4193 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4192 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4191 (Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4190 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4189 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4188 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4187 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4186 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4185 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4184 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4183 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4182 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4181 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4180 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4179 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4178 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4177 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4176 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4175 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4174 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.366 a ...) NOT-FOR-US: Adobe CVE-2016-4173 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.366 a ...) NOT-FOR-US: Adobe CVE-2016-4172 (Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0 ...) NOT-FOR-US: Adobe CVE-2016-4171 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe Flash Player CVE-2016-4170 (Cross-site scripting (XSS) vulnerability in Adobe Experience Manager 5 ...) NOT-FOR-US: Adobe CVE-2016-4169 (Adobe Experience Manager 6.0, 6.1, and 6.2 allow attackers to obtain s ...) NOT-FOR-US: Adobe CVE-2016-4168 (Cross-site scripting (XSS) vulnerability in Adobe Experience Manager 5 ...) NOT-FOR-US: Adobe CVE-2016-4167 (Adobe DNG Software Development Kit (SDK) before 1.4 2016 allows attack ...) NOT-FOR-US: Adobe CVE-2016-4166 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4165 (The extension manager in Adobe Brackets before 1.7 allows attackers to ...) NOT-FOR-US: Adobe CVE-2016-4164 (Cross-site scripting (XSS) vulnerability in Adobe Brackets before 1.7 ...) NOT-FOR-US: Adobe CVE-2016-4163 (Adobe Flash Player before 18.0.0.352 and 19.x through 21.x before 21.0 ...) NOT-FOR-US: Adobe CVE-2016-4162 (Adobe Flash Player before 18.0.0.352 and 19.x through 21.x before 21.0 ...) NOT-FOR-US: Adobe CVE-2016-4161 (Adobe Flash Player before 18.0.0.352 and 19.x through 21.x before 21.0 ...) NOT-FOR-US: Adobe CVE-2016-4160 (Adobe Flash Player before 18.0.0.352 and 19.x through 21.x before 21.0 ...) NOT-FOR-US: Adobe CVE-2016-4159 (Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 10 before ...) NOT-FOR-US: Adobe CVE-2016-4158 (Unquoted Windows search path vulnerability in Adobe Creative Cloud Des ...) NOT-FOR-US: Adobe CVE-2016-4157 (Untrusted search path vulnerability in the installer in Adobe Creative ...) NOT-FOR-US: Adobe CVE-2016-4156 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4155 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4154 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4153 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4152 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4151 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4150 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4149 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4148 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4147 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4146 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4145 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4144 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4143 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4142 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4141 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4140 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4139 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4138 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4137 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4136 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4135 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4134 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4133 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4132 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4131 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4130 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4129 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4128 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4127 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4126 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4125 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4124 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4123 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4122 (Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier ...) NOT-FOR-US: Adobe CVE-2016-4121 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.352 a ...) NOT-FOR-US: Adobe CVE-2016-4120 (Adobe Flash Player before 18.0.0.352 and 19.x through 21.x before 21.0 ...) NOT-FOR-US: Adobe CVE-2016-4119 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-4118 (Untrusted search path vulnerability in the installer in Adobe Connect ...) NOT-FOR-US: Adobe CVE-2016-4117 (Adobe Flash Player 21.0.0.226 and earlier allows remote attackers to e ...) NOT-FOR-US: Adobe Flash Player CVE-2016-4116 (Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and earlier ...) NOT-FOR-US: Adobe Flash Player CVE-2016-4115 (Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and earlier ...) NOT-FOR-US: Adobe Flash Player CVE-2016-4114 (Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and earlier ...) NOT-FOR-US: Adobe Flash Player CVE-2016-4113 (Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and earlier ...) NOT-FOR-US: Adobe Flash Player CVE-2016-4112 (Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and earlier ...) NOT-FOR-US: Adobe Flash Player CVE-2016-4111 (Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and earlier ...) NOT-FOR-US: Adobe Flash Player CVE-2016-4110 (Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and earlier ...) NOT-FOR-US: Adobe Flash Player CVE-2016-4109 (Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and earlier ...) NOT-FOR-US: Adobe Flash Player CVE-2016-4108 (Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and earlier ...) NOT-FOR-US: Adobe Flash Player CVE-2016-4107 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-4106 (Untrusted search path vulnerability in Adobe Reader and Acrobat before ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-4105 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-4104 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-4103 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-4102 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-4101 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-4100 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-4099 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-4098 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-4097 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-4096 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-4095 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-4094 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-4093 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-4092 (Heap-based buffer overflow in Adobe Reader and Acrobat before 11.0.16, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-4091 (Heap-based buffer overflow in Adobe Reader and Acrobat before 11.0.16, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-4090 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-4089 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-4088 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-4340 (The impersonate feature in Gitlab 8.7.0, 8.6.0 through 8.6.7, 8.5.0 th ...) - gitlab 8.8.2+dfsg-1 (bug #823290) NOTE: https://about.gitlab.com/2016/05/02/cve-2016-4340-patches/ CVE-2016-4087 (Huawei S12700 switches with software before V200R008C00SPC500 and S570 ...) NOT-FOR-US: Huawei CVE-2016-4086 (Huawei HiSuite (In China) before 4.0.4.301 and (Out of China) before 4 ...) NOT-FOR-US: Huawei HiSuite Device Manager CVE-2016-4075 (Opera Mini 13 and Opera Stable 36 allow remote attackers to spoof the ...) NOT-FOR-US: Opera CVE-2016-4067 RESERVED CVE-2016-4066 (Cross-site request forgery (CSRF) vulnerability in Fortinet FortiWeb b ...) NOT-FOR-US: Fortinet CVE-2016-4065 (The ConvertToPDF plugin in Foxit Reader and PhantomPDF before 7.3.4 on ...) NOT-FOR-US: Foxit CVE-2016-4064 (Use-after-free vulnerability in the XFA forms handling functionality i ...) NOT-FOR-US: Foxit CVE-2016-4063 (Use-after-free vulnerability in Foxit Reader and PhantomPDF before 7.3 ...) NOT-FOR-US: Foxit CVE-2016-4062 (Foxit Reader and PhantomPDF before 7.3.4 on Windows improperly report ...) NOT-FOR-US: Foxit CVE-2016-4061 (Foxit Reader and PhantomPDF before 7.3.4 on Windows allow remote attac ...) NOT-FOR-US: Foxit CVE-2016-4060 (Use-after-free vulnerability in Foxit Reader and PhantomPDF before 7.3 ...) NOT-FOR-US: Foxit CVE-2016-4059 (Use-after-free vulnerability in Foxit Reader and PhantomPDF before 7.3 ...) NOT-FOR-US: Foxit CVE-2016-4074 (The jv_dump_term function in jq 1.5 allows remote attackers to cause a ...) - jq 1.5+dfsg-1.1 (low; bug #822456) [jessie] - jq 1.4-2.1+deb8u1 NOTE: https://github.com/stedolan/jq/issues/1136 NOTE: http://www.openwall.com/lists/oss-security/2016/04/24/3 CVE-2016-4069 (Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail b ...) {DLA-613-1} - roundcube 1.1.5+dfsg.1-1 (bug #822333) NOTE: https://github.com/roundcube/roundcubemail/issues/4957 NOTE: https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115 NOTE: https://github.com/roundcube/roundcubemail/commit/4a408843b0ef816daf70a472a02b78cd6073a4d5 NOTE: https://github.com/roundcube/roundcubemail/commit/699af1e5206ed9114322adaa3c25c1c969640a53 (release-1.1) NOTE: http://www.openwall.com/lists/oss-security/2016/04/23/3 CVE-2016-4068 (Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1 ...) {DLA-537-1} - roundcube 1.2.1+dfsg.1-1 NOTE: https://github.com/roundcube/roundcubemail/issues/5398 NOTE: https://github.com/roundcube/roundcubemail/commit/a1fdb205f824dee7fd42dda739f207abc85ce158 CVE-2015-8864 (Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1 ...) {DLA-537-1} - roundcube 1.1.5+dfsg.1-1 (bug #822333) NOTE: https://github.com/roundcube/roundcubemail/issues/4949 NOTE: https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115 NOTE: https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18 NOTE: https://github.com/roundcube/roundcubemail/commit/7bbefdb63b12e2344cf1cb87aeb6e3933b4063e0 (release-1.1) NOTE: http://www.openwall.com/lists/oss-security/2016/04/23/3 NOTE: https://lists.debian.org/debian-lts/2016/06/msg00159.html CVE-2016-4085 (Stack-based buffer overflow in epan/dissectors/packet-ncp2222.inc in t ...) {DSA-3585-1 DLA-497-1} - wireshark 2.0.0~rc2+g74e5b56-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2016-28.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12293 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12293 NOTE: Doesn't affect 2.x series CVE-2016-4084 (Integer signedness error in epan/dissectors/packet-mswsp.c in the MS-W ...) - wireshark 2.0.3+geed34f0-1 (low) [jessie] - wireshark (Only affects 2.x) [wheezy] - wireshark (Only affects 2.x) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-27.html CVE-2016-4083 (epan/dissectors/packet-mswsp.c in the MS-WSP dissector in Wireshark 2. ...) - wireshark 2.0.3+geed34f0-1 (low) [jessie] - wireshark (Only affects 2.x) [wheezy] - wireshark (Only affects 2.x) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-27.html CVE-2016-4082 (epan/dissectors/packet-gsm_cbch.c in the GSM CBCH dissector in Wiresha ...) {DSA-3585-1 DLA-497-1} - wireshark 2.0.3+geed34f0-1 (low) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-26.html CVE-2016-4006 (epan/proto.c in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 ...) {DSA-3585-1 DLA-497-1} - wireshark 2.0.3+geed34f0-1 (low) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-25.html CVE-2016-4081 (epan/dissectors/packet-iax2.c in the IAX2 dissector in Wireshark 1.12. ...) {DSA-3585-1 DLA-497-1} - wireshark 2.0.3+geed34f0-1 (low) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-24.html CVE-2016-4080 (epan/dissectors/packet-pktc.c in the PKTC dissector in Wireshark 1.12. ...) {DSA-3585-1 DLA-497-1} - wireshark 2.0.3+geed34f0-1 (low) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-23.html CVE-2016-4079 (epan/dissectors/packet-pktc.c in the PKTC dissector in Wireshark 1.12. ...) {DSA-3585-1 DLA-497-1} - wireshark 2.0.3+geed34f0-1 (low) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-22.html CVE-2016-4078 (The IEEE 802.11 dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x ...) - wireshark 2.0.3+geed34f0-1 (low) [jessie] - wireshark (vulnerable code not present) [wheezy] - wireshark (vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-21.html NOTE: Upstream lists 1.12.x affected, I have contacted them for clarification CVE-2016-4077 (epan/reassemble.c in TShark in Wireshark 2.0.x before 2.0.3 relies on ...) - wireshark 2.0.3+geed34f0-1 (low) [jessie] - wireshark (Only affects 2.x) [wheezy] - wireshark (Only affects 2.x) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-20.html CVE-2016-4076 (epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 2 ...) - wireshark 2.0.3+geed34f0-1 (low) [jessie] - wireshark (Only affects 2.x) [wheezy] - wireshark (Only affects 2.x) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-19.html CVE-2016-4058 (Cross-site scripting (XSS) vulnerability in Huawei Policy Center befor ...) NOT-FOR-US: Huawei CVE-2016-4057 (Huawei FusionCompute before V100R005C10SPC700 allows remote authentica ...) NOT-FOR-US: Huawei FusionCompute CVE-2016-6479 REJECTED CVE-2016-4055 (The duration function in the moment package before 2.11.2 for Node.js ...) - node-moment 2.13.0+ds-1 (unimportant) NOTE: https://github.com/moment/moment/pull/2939 NOTE: https://nodesecurity.io/advisories/55 NOTE: nodejs not covered by security support CVE-2016-4050 REJECTED CVE-2016-4049 (The bgp_dump_routes_func function in bgpd/bgp_dump.c in Quagga does no ...) {DSA-3654-1 DLA-601-1} - quagga 1.0.20160315-2 (bug #822787) NOTE: https://lists.quagga.net/pipermail/quagga-dev/2016-January/014699.html NOTE: https://lists.quagga.net/pipermail/quagga-dev/2016-April/015241.html CVE-2016-4048 (An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev1 ...) NOT-FOR-US: Open-Xchange CVE-2016-4047 (An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev8 ...) NOT-FOR-US: Open-Xchange CVE-2016-4046 (An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev1 ...) NOT-FOR-US: Open-Xchange CVE-2016-4045 (An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev1 ...) NOT-FOR-US: Open-Xchange CVE-2015-8862 (mustache package before 2.2.1 for Node.js allows remote attackers to c ...) - mustache.js (unimportant) NOTE: node-handlebars only in experimental for now, fixed in 4.0.0 NOTE: libv8 is not covered by security support CVE-2015-8861 (The handlebars package before 4.0.0 for Node.js allows remote attacker ...) - mustache.js (unimportant) NOTE: node-handlebars only in experimental for now, fixed in 4.0.0 NOTE: libv8 is not covered by security support CVE-2015-8860 (The tar package before 2.0.0 for Node.js allows remote attackers to wr ...) - node-tar 2.2.1-1 (unimportant) NOTE: libv8 is not covered by security support CVE-2015-8859 (The send package before 0.11.1 for Node.js allows attackers to obtain ...) - node-send 0.16.2-1 (unimportant) NOTE: libv8 is not covered by security support NOTE: https://nodesecurity.io/advisories/56 CVE-2015-8858 (The uglify-js package before 2.6.0 for Node.js allows attackers to cau ...) - uglifyjs 2.7.4-1 (unimportant) NOTE: libv8 is not covered by security support NOTE: https://nodesecurity.io/advisories/48 CVE-2015-8854 (The marked package before 0.3.4 for Node.js allows attackers to cause ...) - node-marked 0.3.6+dfsg-1 (unimportant) NOTE: https://nodesecurity.io/advisories/marked_redos NOTE: https://github.com/chjj/marked/issues/497 NOTE: libv8 is not covered by security support CVE-2014-9772 (The validator package before 2.0.0 for Node.js allows remote attackers ...) - validator.js (Fixed before initial release) CVE-2013-7454 (The validator module before 1.1.0 for Node.js allows remote attackers ...) - validator.js (Fixed before initial release) CVE-2013-7453 (The validator module before 1.1.0 for Node.js allows remote attackers ...) - validator.js (Fixed before initial release) CVE-2013-7452 (The validator module before 1.1.0 for Node.js allows remote attackers ...) - validator.js (Fixed before initial release) CVE-2013-7451 (The validator module before 1.1.0 for Node.js allows remote attackers ...) - validator.js (Fixed before initial release) CVE-2015-8866 (ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when ...) {DLA-499-1} - php5 5.6.6+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=64938 NOTE: https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1509817 NOTE: http://framework.zend.com/security/advisory/ZF2015-06 -> Relation to CVE-2015-5161 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=de31324c221c1791b26350ba106cc26bad23ace9 NOTE: Fixed in 5.6.6, 5.5.22 NOTE: http://www.openwall.com/lists/oss-security/2016/04/21/8 CVE-2015-8867 (The openssl_random_pseudo_bytes function in ext/openssl/openssl.c in P ...) - php7.0 7.0.0-1 - php5 5.6.12+dfsg-1 [jessie] - php5 5.6.12+dfsg-0+deb8u1 [wheezy] - php5 5.4.44-0+deb7u1 NOTE: https://bugs.php.net/bug.php?id=70014 NOTE: https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1534203 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=16023f3e3b9c06cf677c3c980e8d574e4c162827 NOTE: Fixed in 7.0.0, 5.6.12, 5.5.28, 5.5.44 NOTE: http://www.openwall.com/lists/oss-security/2016/04/21/8 CVE-2016-4056 (Cross-site scripting (XSS) vulnerability in the Backend component in T ...) - typo3-src [wheezy] - typo3-src (See DSA 3314) CVE-2016-4054 (Buffer overflow in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allows ...) {DSA-3625-1 DLA-478-1} - squid3 3.5.17-1 - squid (Squid 2.x are not vulnerable) NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_6.txt NOTE: http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11841.patch (Squid 3.2) NOTE: http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12697.patch (Squid 3.3) NOTE: http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13235.patch (Squid 3.4) NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14034.patch (Squid 3.5) CVE-2016-4053 (Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote attackers to ...) {DSA-3625-1 DLA-478-1} - squid3 3.5.17-1 - squid (Squid 2.x are not vulnerable) NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_6.txt NOTE: http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11841.patch (Squid 3.2) NOTE: http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12697.patch (Squid 3.3) NOTE: http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13235.patch (Squid 3.4) NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14034.patch (Squid 3.5) CVE-2016-4052 (Multiple stack-based buffer overflows in Squid 3.x before 3.5.17 and 4 ...) {DSA-3625-1 DLA-478-1} - squid3 3.5.17-1 - squid (Squid 2.x are not vulnerable) NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_6.txt NOTE: http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11841.patch (Squid 3.2) NOTE: http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12697.patch (Squid 3.3) NOTE: http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13235.patch (Squid 3.4) NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14034.patch (Squid 3.5) CVE-2016-4051 (Buffer overflow in cachemgr.cgi in Squid 2.x, 3.x before 3.5.17, and 4 ...) {DSA-3625-1 DLA-478-1} - squid3 3.5.17-1 - squid 4.1-1 [wheezy] - squid (cachemgr.cgi not installed. squid-cgi binary package built from squid3) NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_5.txt NOTE: http://www.squid-cache.org/Versions/v3/3.2/changesets/SQUID-2016_5.patch (Squid 3.2) NOTE: http://www.squid-cache.org/Versions/v3/3.3/changesets/SQUID-2016_5.patch (Squid 3.3) NOTE: http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_5.patch (Squid 3.4) NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_5.patch (Squid 3.5) NOTE: Fixed in wheezy by DLA-556-1, c.f. CVE-2016-5408 CVE-2016-4044 RESERVED CVE-2016-4043 (Chameleon (five.pt) in Plone 5.0rc1 through 5.1a1 allows remote authen ...) NOT-FOR-US: Plone CVE-2016-4042 (Plone 3.3 through 5.1a1 allows remote attackers to obtain information ...) NOT-FOR-US: Plone CVE-2016-4041 (Plone 4.0 through 5.1a1 does not have security declarations for Dexter ...) NOT-FOR-US: Plone CVE-2016-4040 (SQL injection vulnerability in the Workflow Screen in dotCMS before 3. ...) NOT-FOR-US: dotCMS CVE-2015-8853 (The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in ...) - perl 5.22.1-1 (bug #821848) [jessie] - perl 5.20.2-3+deb8u5 [wheezy] - perl (Minor issue) NOTE: https://rt.perl.org/Public/Bug/Display.html?id=123562 NOTE: http://perl5.git.perl.org/perl.git/commitdiff/22b433eff9a1ffa2454e18405a56650f07b385b5 NOTE: http://www.openwall.com/lists/oss-security/2016/04/20/5 CVE-2015-8863 (Off-by-one error in the tokenadd function in jv_parse.c in jq allows r ...) - jq 1.5+dfsg-1.1 (low; bug #802231) [jessie] - jq 1.4-2.1+deb8u1 NOTE: https://github.com/stedolan/jq/issues/995 NOTE: https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd NOTE: http://www.openwall.com/lists/oss-security/2016/04/23/1 CVE-2016-4039 RESERVED CVE-2016-4036 (The quagga package before 0.99.23-2.6.1 in openSUSE and SUSE Linux Ent ...) {DSA-3654-1 DLA-601-1} - quagga 1.0.20160315-2 (bug #835223) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=770619 NOTE: World readable files in /etc/quagga as well in Debian CVE-2016-3955 (The usbip_recv_xbuff function in drivers/usb/usbip/usbip_common.c in t ...) {DSA-3607-1 DLA-516-1} - linux 4.5.2-1 NOTE: Upstream commit: https://git.kernel.org/linus/b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb (v4.6-rc3) NOTE: http://www.openwall.com/lists/oss-security/2016/04/19/1 CVE-2016-4038 (Array index error in the msm_sensor_config function in kernel/SM-G9008 ...) NOT-FOR-US: Samsung Android driver CVE-2016-4035 RESERVED CVE-2016-4034 RESERVED CVE-2016-4033 RESERVED CVE-2016-4032 (Samsung SM-G920F build G920FXXU2COH2 (Galaxy S6), SM-N9005 build N9005 ...) NOT-FOR-US: Samsung CVE-2016-4031 (Samsung SM-G920F build G920FXXU2COH2 (Galaxy S6), SM-N9005 build N9005 ...) NOT-FOR-US: Samsung CVE-2016-4037 (The ehci_advance_state function in hw/usb/hcd-ehci.c in QEMU allows lo ...) {DLA-1599-1} - qemu 1:2.6+dfsg-1 (bug #822344) [wheezy] - qemu (Minor issue) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-04/msg02691.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1325129 NOTE: http://www.openwall.com/lists/oss-security/2016/04/18/3 NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=1ae3f2f178087711f9591350abad133525ba93f2 (v2.6.0-rc3) NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=a49923d2837d20510d645d3758f1ad87c32d0730 (v2.6.0-rc3) CVE-2016-4030 (Samsung SM-G920F build G920FXXU2COH2 (Galaxy S6), SM-N9005 build N9005 ...) NOT-FOR-US: Samsung CVE-2016-4029 (WordPress before 4.5 does not consider octal and hexadecimal IP addres ...) {DSA-3681-1 DLA-633-1} - wordpress 4.5+dfsg-1 NOTE: Fixed by: https://core.trac.wordpress.org/changeset/37115 NOTE: Fixed by: https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049 NOTE: Release notes: https://codex.wordpress.org/Version_4.5 CVE-2016-4028 (An issue was discovered in Open-Xchange OX Guard before 2.4.0-rev8. OX ...) NOT-FOR-US: Open-Xchange CVE-2016-4027 (An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev1 ...) NOT-FOR-US: Open-Xchange CVE-2016-4026 (An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev1 ...) NOT-FOR-US: Open-Xchange CVE-2016-4025 (Avast Internet Security v11.x.x, Pro Antivirus v11.x.x, Premier v11.x. ...) NOT-FOR-US: Avast CVE-2016-4023 RESERVED CVE-2016-4022 RESERVED CVE-2016-4021 (The read_binary function in buffer.c in pgpdump before 0.30 allows con ...) {DLA-768-1} - pgpdump 0.31-0.1 (bug #773747) [jessie] - pgpdump 0.28-1+deb8u1 NOTE: https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-030.txt NOTE: https://github.com/kazu-yamamoto/pgpdump/pull/16 CVE-2016-4019 (Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows ...) NOT-FOR-US: Zimbra CVE-2016-4018 (The Data Provisioning Agent (aka DP Agent) in SAP HANA does not proper ...) NOT-FOR-US: SAP CVE-2016-4017 (The Data Provisioning Agent (aka DP Agent) in SAP HANA allows remote a ...) NOT-FOR-US: SAP CVE-2016-4016 (Cross-site scripting (XSS) vulnerability in SAP Manufacturing Integrat ...) NOT-FOR-US: SAP CVE-2016-4015 (The Enqueue Server in SAP NetWeaver JAVA AS 7.1 through 7.4 allows rem ...) NOT-FOR-US: SAP CVE-2016-4014 (XML external entity (XXE) vulnerability in the UDDI component in SAP N ...) NOT-FOR-US: SAP CVE-2016-XXXX [ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1] - zendframework 1.12.18+dfsg-1 [jessie] - zendframework 1.12.9+dfsg-2+deb8u6 [wheezy] - zendframework 1.11.13-1.1+deb7u6 NOTE: http://framework.zend.com/security/advisory/ZF2016-01 CVE-2016-4013 RESERVED CVE-2016-4012 RESERVED CVE-2016-4011 RESERVED CVE-2016-4010 (Magento CE and EE before 2.0.6 allows remote attackers to conduct PHP ...) NOT-FOR-US: Magento NOTE: https://magento.com/security/patches/magento-206-security-update NOTE: http://www.netanelrub.in/2016/05/17/magento-unauthenticated-remote-code-execution/ CVE-2016-4007 (Multiple unspecified vulnerabilities in the obs-service-extract_file p ...) NOT-FOR-US: obs-service-extract_file CVE-2015-8850 RESERVED CVE-2015-8849 RESERVED CVE-2015-8848 RESERVED CVE-2015-8847 RESERVED CVE-2015-8846 RESERVED CVE-2015-8843 (The Foxit Cloud Update Service (FoxitCloudUpdateService) in Foxit Read ...) NOT-FOR-US: Foxit Reader CVE-2016-4024 (Integer overflow in imlib2 before 1.4.9 on 32-bit platforms allows rem ...) {DSA-3555-1} - imlib2 1.4.8-1 (bug #821732) NOTE: Upstream fix: https://git.enlightenment.org/legacy/imlib2.git/commit/?id=7eba2e4c8ac0e20838947f10f29d0efe1add8227 NOTE: http://www.openwall.com/lists/oss-security/2016/04/14/5 CVE-2016-4005 (The Huawei Hilink App application before 3.19.2 for Android does not v ...) NOT-FOR-US: Huawei CVE-2016-4004 (Directory traversal vulnerability in Dell OpenManage Server Administra ...) NOT-FOR-US: Dell CVE-2016-4003 (Cross-site scripting (XSS) vulnerability in the URLDecoder function in ...) - libstruts1.2-java (Only affects 2.x) NOTE: http://struts.apache.org/docs/s2-028.html CVE-2016-4020 (The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not ...) {DLA-1599-1 DLA-574-1 DLA-573-1} - qemu 1:2.6+dfsg-2 (bug #821062) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-04/msg01118.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1313686 NOTE: http://www.openwall.com/lists/oss-security/2016/04/13/6 CVE-2015-8851 (node-uuid before 1.4.4 uses insufficiently random data to create a GUI ...) - node-uuid 1.4.7-1 (unimportant) NOTE: https://github.com/broofa/node-uuid/issues/108 NOTE: https://github.com/broofa/node-uuid/issues/118 NOTE: https://github.com/broofa/node-uuid/issues/122 NOTE: https://github.com/broofa/node-uuid/commit/672f3834ed02c798aa021c618d0a5666c8da000d NOTE: nodejs not covered by security support CVE-2015-8844 (The signal implementation in the Linux kernel before 4.3.5 on powerpc ...) - linux 4.4.2-1 [jessie] - linux 3.16.7-ckt25-1 [wheezy] - linux (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1326540 NOTE: Upstream commit: https://git.kernel.org/linus/d2b9d2a5ad5ef04ff978c9923d19730cb05efd55 (v4.4-rc3) NOTE: Introduced by: https://git.kernel.org/linus/2b0a576d15e0e14751f00f9c87e46bad27f217e7 (v3.9-rc1) CVE-2015-8845 (The tm_reclaim_thread function in arch/powerpc/kernel/process.c in the ...) - linux 4.4.2-1 [jessie] - linux 3.16.7-ckt25-1 [wheezy] - linux (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1326540 NOTE: Upstream commit: https://git.kernel.org/linus/7f821fc9c77a9b01fe7b1d6e72717b33d8d64142 (v4.4-rc3) NOTE: Introduced by: https://git.kernel.org/linus/fb09692e71f13af7298eb603a1975850b1c7a8d8 (v3.9-rc1) CVE-2016-4000 (Jython before 2.7.1rc1 allows attackers to execute arbitrary code via ...) {DSA-3893-1 DLA-989-1} - jython 2.5.3-17 (bug #864859) NOTE: http://bugs.jython.org/issue2454 NOTE: https://hg.python.org/jython/rev/d06e29d100c0 CVE-2016-3999 (Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collabor ...) NOT-FOR-US: Zimbra CVE-2016-3998 (NetApp AltaVault 4.1 and earlier allows man-in-the-middle attackers to ...) NOT-FOR-US: NetApp AltaVault CVE-2016-3997 (NetApp Clustered Data ONTAP allows man-in-the-middle attackers to obta ...) NOT-FOR-US: NetApp Clustered Data ONTAP CVE-2016-XXXX [auth bypass] - brltty (Vulnerable code introduced later) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=967436 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/04/12/4 NOTE: Introduced in: https://github.com/brltty/brltty/commit/e62b3c925d03239a372d425fb87b2cac65d8ef19 NOTE: Fixed by: https://github.com/brltty/brltty/commit/74affe7d1401f2b43ad32e18cb78704d22604ad7 CVE-2015-8868 (Heap-based buffer overflow in the ExponentialFunction::ExponentialFunc ...) {DSA-3563-1 DLA-446-1} - poppler 0.38.0-3 (bug #822578) NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=b3425dd3261679958cd56c0f71995c15d2124433 NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=93476 NOTE: http://www.openwall.com/lists/oss-security/2016/04/12/1 CVE-2016-3996 (ClipboardDataMgr in Samsung KNOX 1.0.0 and 2.3.0 does not properly che ...) NOT-FOR-US: Samsung CVE-2016-3991 (Heap-based buffer overflow in the loadImage function in the tiffcrop t ...) {DSA-3762-1 DLA-610-1 DLA-606-1} - tiff 4.0.7-1 - tiff3 (unimportant) NOTE: src:tiff3: built binary packages do not contain the TIFF tools NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2543 NOTE: Reproducer http://bugs.fi/media/afl/libtiff/CVE-2016-3991.tif CVE-2016-3990 (Heap-based buffer overflow in the horizontalDifference8 function in ti ...) {DSA-3762-1 DLA-795-1 DLA-610-1} - tiff 4.0.7-1 (bug #836570) - tiff3 (unimportant) NOTE: src:tiff3: built binary packages do not contain the TIFF tools NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2544 CVE-2016-3989 (The NTP time-server interface on Meinberg IMS-LANTIME M3000, IMS-LANTI ...) NOT-FOR-US: Meinberg CVE-2016-3988 (Multiple stack-based buffer overflows in the NTP time-server interface ...) NOT-FOR-US: Meinberg CVE-2016-3987 (The HTTP server in Trend Micro Password Manager allows remote web serv ...) NOT-FOR-US: Trend Micro CVE-2016-3986 (Avast allows remote attackers to cause a denial of service (memory cor ...) NOT-FOR-US: Avast CVE-2016-3985 (The Terminal Services Remote Desktop Protocol (RDP) client session res ...) NOT-FOR-US: Pulse Connect Secure CVE-2016-3984 (The McAfee VirusScan Console (mcconsol.exe) in McAfee Active Response ...) NOT-FOR-US: McAfee CVE-2016-3983 (McAfee Advanced Threat Defense (ATD) before 3.4.8.178 might allow remo ...) NOT-FOR-US: McAfee CVE-2016-3980 (The Java Startup Framework (aka jstart) in SAP JAVA AS 7.2 through 7.4 ...) NOT-FOR-US: SAP CVE-2016-3979 (Internet Communication Manager (aka ICMAN or ICM) in SAP JAVA AS 7.2 t ...) NOT-FOR-US: SAP CVE-2016-3978 (The Web User Interface (WebUI) in FortiOS 5.0.x before 5.0.13, 5.2.x b ...) NOT-FOR-US: FortiOS CVE-2015-8841 (Heap-based buffer overflow in the Archive support module in ESET NOD32 ...) NOT-FOR-US: ESET NOD32 CVE-2016-4002 (Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in ...) {DLA-1599-1} - qemu 1:2.6+dfsg-2 (bug #821061) [wheezy] - qemu (Minor issue) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1326082 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-04/msg01131.html NOTE: http://www.openwall.com/lists/oss-security/2016/04/11/6 CVE-2016-4001 (Buffer overflow in the stellaris_enet_receive function in hw/net/stell ...) {DLA-1599-1} - qemu 1:2.6+dfsg-1 (bug #821038) [wheezy] - qemu (Minor issue) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1325884 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-04/msg01334.html NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=3a15cc0e1ee7168db0782133d2607a6bfa422d66 (v2.6.0-rc2) NOTE: http://www.openwall.com/lists/oss-security/2016/04/11/4 CVE-2016-4008 (The _asn1_extract_der_octet function in lib/decoding.c in GNU Libtasn1 ...) {DSA-3568-1 DLA-495-1} - libtasn1-6 4.8-1 - libtasn1-3 NOTE: http://www.openwall.com/lists/oss-security/2016/04/11/3 NOTE: http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=f435825c0f527a8e52e6ffbc3ad0bc60531d537e NOTE: http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=a6e0a0b58f5cdaf4e9beca5bce69c09808cbb625 CVE-2011-5326 (imlib2 before 1.4.9 allows remote attackers to cause a denial of servi ...) {DSA-3555-1} - imlib2 1.4.8-1 (bug #639414) NOTE: https://git.enlightenment.org/legacy/imlib2.git/commit/?id=c94d83ccab15d5ef02f88d42dce38ed3f0892882 NOTE: http://www.openwall.com/lists/oss-security/2016/04/10/5 CVE-2016-3995 (The timing attack protection in Rijndael::Enc::ProcessAndXorBlock and ...) - libcrypto++ 5.6.3-6 [jessie] - libcrypto++ 5.6.1-6+deb8u2 [wheezy] - libcrypto++ 5.6.1-6+deb7u2 NOTE: https://github.com/weidai11/cryptopp/issues/146 NOTE: http://www.openwall.com/lists/oss-security/2016/04/10/6 NOTE: Initial upload in 5.6.3-5 was incomplete CVE-2016-3994 (The GIF loader in imlib2 before 1.4.9 allows remote attackers to cause ...) {DSA-3555-1} - imlib2 1.4.8-1 (bug #785369) NOTE: https://git.enlightenment.org/legacy/imlib2.git/commit/?id=37a96801663b7b4cd3fbe56cc0eb8b6a17e766a8 NOTE: http://www.openwall.com/lists/oss-security/2016/04/09/6 CVE-2016-4070 (** DISPUTED ** Integer overflow in the php_raw_url_encode function in ...) {DSA-3560-1 DLA-499-1} - php7.0 7.0.5-1 - php5 5.6.20+dfsg-1 - hhvm 3.12.11+dfsg-1 (bug #835032) NOTE: Fixed in 7.0.5, 5.6.20, 5.5.34 NOTE: https://bugs.php.net/bug.php?id=71798 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=95433e8e339dbb6b5d5541473c1661db6ba2c451 NOTE: http://www.openwall.com/lists/oss-security/2016/04/11/7 NOTE: Fix in HHVM: https://github.com/facebook/hhvm/commit/ea6ff01f6c31f1615a935ef96622d623a6277d37 CVE-2016-4071 (Format string vulnerability in the php_snmp_error function in ext/snmp ...) {DSA-3560-1 DLA-499-1} - php7.0 7.0.5-1 - php5 5.6.20+dfsg-1 NOTE: Fixed in 7.0.5, 5.6.20, 5.5.34 NOTE: https://bugs.php.net/bug.php?id=71704 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=6e25966544fb1d2f3d7596e060ce9c9269bbdcf8 NOTE: http://www.openwall.com/lists/oss-security/2016/04/11/7 CVE-2016-4072 (The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x ...) {DSA-3560-1 DLA-499-1} - php7.0 7.0.5-1 - php5 5.6.20+dfsg-1 NOTE: Fixed in 7.0.5, 5.6.20, 5.5.34 NOTE: https://bugs.php.net/bug.php?id=71860 NOTE: https://gist.github.com/smalyshev/80b5c2909832872f2ba2 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=1e9b175204e3286d64dfd6c9f09151c31b5e099a NOTE: http://www.openwall.com/lists/oss-security/2016/04/11/7 CVE-2016-4073 (Multiple integer overflows in the mbfl_strcut function in ext/mbstring ...) {DSA-3560-1 DLA-499-1} - php7.0 7.0.5-1 - php5 5.6.20+dfsg-1 NOTE: Fixed in 7.0.5, 5.6.20, 5.5.34 NOTE: https://bugs.php.net/bug.php?id=71906 NOTE: https://gist.github.com/smalyshev/d8355c96a657cc5dba70 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=64f42c73efc58e88671ad76b6b6bc8e2b62713e1 NOTE: http://www.openwall.com/lists/oss-security/2016/04/11/7 CVE-2016-3976 (Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through ...) NOT-FOR-US: SAP CVE-2016-3975 (Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java 7.1 ...) NOT-FOR-US: SAP CVE-2016-3974 (XML external entity (XXE) vulnerability in the Configuration Wizard in ...) NOT-FOR-US: SAP CVE-2016-3973 (The chat feature in the Real-Time Collaboration (RTC) services 7.3 and ...) NOT-FOR-US: SAP CVE-2016-3972 (Directory traversal vulnerability in the dotTailLogServlet in dotCMS b ...) NOT-FOR-US: dotCMS CVE-2016-3971 (Cross-site scripting (XSS) vulnerability in lucene_search.jsp in dotCM ...) NOT-FOR-US: dotCMS CVE-2016-3970 RESERVED CVE-2015-8840 (The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java does ...) NOT-FOR-US: SAP CVE-2014-9771 (Integer overflow in imlib2 before 1.4.7 allows remote attackers to cau ...) {DSA-3555-1} - imlib2 1.4.7-1 (bug #820206) NOTE: https://git.enlightenment.org/legacy/imlib2.git/commit/?id=143f299 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1324774 NOTE: http://www.openwall.com/lists/oss-security/2016/04/09/3 CVE-2014-9770 (tmpfiles.d/systemd.conf in systemd before 214 uses weak permissions fo ...) - systemd 215-1 [wheezy] - systemd (Vulnerable code not present) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=972612 NOTE: Introduced by: https://github.com/systemd/systemd/commit/a606871da508995f5ede113a8fc6538afd98966c (v213) NOTE: Fixed by (for volatile journals): https://github.com/systemd/systemd/commit/176f2acf8dee45fee832fd2ab07243f63783a238 (v214) CVE-2015-8842 (tmpfiles.d/systemd.conf in systemd before 229 uses weak permissions fo ...) - systemd 215-1 (bug #825059) [wheezy] - systemd (Vulnerable code not present) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=972612 NOTE: Introduced by: https://github.com/systemd/systemd/commit/a606871da508995f5ede113a8fc6538afd98966c (v213) NOTE: Fixed by (for current persistent journal): https://github.com/systemd/systemd/commit/afae249efa4774c6676738ac5de6aeb4daf4889f (v229) NOTE: Starting with 215 Debian no longer ships tmpfiles.d/systemd.conf, so the fixup upstream added as NOTE: afae249efa4774c6676738ac5de6aeb4daf4889f for persistent journals is not needed for the packaged NOTE: version. Anyone using a custom config needs to ensure proper permissions. CVE-2016-7921 REJECTED CVE-2016-3982 (Off-by-one error in the bmp_rle4_fread function in pngxrbmp.c in OptiP ...) {DSA-3546-1} - optipng 0.7.6-1 NOTE: https://sourceforge.net/p/optipng/bugs/57/ CVE-2016-3981 (Heap-based buffer overflow in the bmp_read_rows function in pngxrbmp.c ...) {DSA-3546-1} - optipng 0.7.6-1 NOTE: https://sourceforge.net/p/optipng/bugs/56/ CVE-2016-3977 (Heap-based buffer overflow in util/gif2rgb.c in gif2rgb in giflib 5.1. ...) - giflib 5.1.4-3 (bug #820526) [stretch] - giflib (Minor issue) [jessie] - giflib (Minor issue) [wheezy] - giflib (minor issue) NOTE: https://sourceforge.net/p/giflib/bugs/87/ NOTE: https://sourceforge.net/p/giflib/code/ci/ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88/ NOTE: The issue was originally fixed in 5.1.4-0.3 but then the NMU upload NOTE: 5.1.4-0.4 just dropped the patch claiming the patch was already present NOTE: which is untrue and reopening the issue. CVE-2016-3969 (Cross-site scripting (XSS) vulnerability in McAfee Email Gateway (MEG) ...) NOT-FOR-US: McAfee Email Gateway CVE-2016-3968 (Multiple cross-site scripting (XSS) vulnerabilities in Sophos Cyberoam ...) NOT-FOR-US: Sophos CVE-2016-3967 RESERVED CVE-2016-3966 RESERVED CVE-2016-3965 RESERVED CVE-2016-3964 RESERVED CVE-2016-3963 (Siemens SCALANCE S613 allows remote attackers to cause a denial of ser ...) NOT-FOR-US: Siemens CVE-2016-3992 (cronic before 3 allows local users to write to arbitrary files via a s ...) - cronic 3-1 (bug #820331) NOTE: http://www.openwall.com/lists/oss-security/2016/04/09/4 CVE-2016-3962 (Stack-based buffer overflow in the NTP time-server interface on Meinbe ...) NOT-FOR-US: Meinberg CVE-2016-3961 (Xen and the Linux kernel through 4.5.x do not properly suppress hugetl ...) {DSA-3607-1 DLA-516-1} - linux 4.5.2-1 NOTE: http://xenbits.xen.org/xsa/advisory-174.html NOTE: Fixed by: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=103f6112f253017d7062cd74d17f4a514ed4485c CVE-2016-3960 (Integer overflow in the x86 shadow pagetable code in Xen allows local ...) {DSA-3554-1 DLA-571-1} - xen 4.8.0~rc3-1 (bug #823620) NOTE: http://xenbits.xen.org/xsa/advisory-173.html CVE-2016-3957 (The secure_load function in gluon/utils.py in web2py before 2.14.2 use ...) - web2py (bug #891220) [jessie] - web2py (Vulnerable code not present) [wheezy] - web2py (Vulnerable code not present) CVE-2016-3956 (The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js ...) - npm 5.8.0+ds-2 (bug #850322) [jessie] - npm (Nodejs in jessie not covered by security support, minor issue) NOTE: https://github.com/npm/npm/issues/8380 NOTE: https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401 (2.15.1) NOTE: https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29 (3.8.3) CVE-2016-3954 (web2py before 2.14.2 allows remote attackers to obtain the session_coo ...) - web2py (bug #891220) [jessie] - web2py (Vulnerable code not present) [wheezy] - web2py (Vulnerable code not present) CVE-2016-3953 (The sample web application in web2py before 2.14.2 might allow remote ...) - web2py (bug #891220) [jessie] - web2py (Vulnerable code not present) [wheezy] - web2py (Vulnerable code not present) CVE-2016-3952 (web2py before 2.14.1, when using the standalone version, allows remote ...) - web2py (bug #891220) [jessie] - web2py (Vulnerable code not present) [wheezy] - web2py (Vulnerable code not present) CVE-2016-3951 (Double free vulnerability in drivers/net/usb/cdc_ncm.c in the Linux ke ...) {DSA-3607-1 DLA-516-1} - linux 4.5.1-1 NOTE: https://git.kernel.org/linus/4d06dd537f95683aba3651098ae288b7cbff8274 (v4.5) NOTE: https://git.kernel.org/linus/1666984c8625b3db19a9abc298931d35ab7bc64b (v4.5) NOTE: https://www.spinics.net/lists/netdev/msg367669.html CVE-2016-3950 (Huawei AR3200 routers with software before V200R006C10SPC300 allow rem ...) NOT-FOR-US: Huawei AR3200 routers CVE-2016-3949 (Siemens SIMATIC S7-300 Profinet-enabled CPU devices with firmware befo ...) NOT-FOR-US: Siemens CVE-2016-3959 (The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x ...) - golang 2:1.6.1-1 (bug #820369) [jessie] - golang (Minor issue) [wheezy] - golang (Minor issue) NOTE: https://golang.org/cl/21533 CVE-2016-3958 (Untrusted search path vulnerability in Go before 1.5.4 and 1.6.x befor ...) - golang (Only affects Go on Windows) NOTE: https://golang.org/cl/21428 CVE-2016-3946 (SAP Console (aka SAPConsole) 7.30 allows local users to discover SAP S ...) NOT-FOR-US: SAP CVE-2016-3945 (Multiple integer overflows in the (1) cvt_by_strip and (2) cvt_by_tile ...) {DSA-3762-1 DLA-795-1 DLA-610-1} - tiff 4.0.7-1 - tiff3 (unimportant) NOTE: src:tiff3: built binary packages do not contain the TIFF tools NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2545 CVE-2015-8865 (The file_check_mem function in funcs.c in file before 5.23, as used in ...) {DSA-3560-1 DLA-499-1 DLA-460-1} - php7.0 7.0.5-1 - php5 5.6.20+dfsg-1 - file 1:5.24-1 (bug #827377) [jessie] - file 1:5.22+15-2+deb8u2 - hhvm 3.12.11+dfsg-1 (bug #835032) NOTE: http://bugs.gw.com/view.php?id=522 NOTE: https://github.com/file/file/commit/6713ca45e7757297381f4b4cdb9cf5e624a9ad36 NOTE: https://bugs.php.net/bug.php?id=71527 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=fe13566c93f118a15a96320a546c7878fd0cfc5e NOTE: PHP fixed in 7.0.5, 5.6.20, 5.5.34 NOTE: http://www.openwall.com/lists/oss-security/2016/04/11/7 NOTE: Fix in HHVM: https://github.com/facebook/hhvm/commit/4e614ba041e24af8351afbb49c92444c0850f23b CVE-2016-3993 (Off-by-one error in the __imlib_MergeUpdate function in lib/updates.c ...) {DSA-3555-1} - imlib2 1.4.8-1 (bug #819818) NOTE: https://git.enlightenment.org/legacy/imlib2.git/commit/?id=ce94edca1ccfbe314cb7cd9453433fad404ec7ef NOTE: http://www.openwall.com/lists/oss-security/2016/04/09/5 CVE-2012-XXXX [Option -localhost seems to fail to restrict ipv6 access] [experimental] - x11vnc 0.9.16-1 - x11vnc 0.9.16-2 (low; bug #672435) [buster] - x11vnc (Minor issue; workaround exits) [stretch] - x11vnc (Minor issue; workaround exits) [jessie] - x11vnc (Minor issue; workaround exits) [wheezy] - x11vnc (Minor issue; workaround exits) CVE-2016-3948 (Squid 3.x before 3.5.16 and 4.x before 4.0.8 improperly perform bounds ...) {DSA-3625-1} - squid3 3.5.16-1 (bug #819784) [wheezy] - squid3 (Minor issue; needs substantial backporting; too intrusive to backport) - squid 4.1-1 [wheezy] - squid (Minor issue; needs substantial backporting; too intrusive to backport) NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14016.patch NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_4.txt CVE-2016-3947 (Heap-based buffer overflow in the Icmp6::Recv function in icmp/Icmp6.c ...) - squid3 3.5.16-1 (bug #819783) [wheezy] - squid3 (Minor issue) - squid 4.1-1 [wheezy] - squid (Minor issue) NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14015.patch NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_3.txt CVE-2016-3944 (UpdateAgent in Lenovo Accelerator Application allows man-in-the-middle ...) NOT-FOR-US: Lenovo CVE-2016-3943 (Panda Endpoint Administration Agent before 7.50.00, as used in Panda S ...) NOT-FOR-US: Panda CVE-2016-3942 RESERVED CVE-2016-3940 (The Synaptics touchscreen driver in Android before 2016-10-05 on Nexus ...) NOT-FOR-US: Synaptics driver for Android CVE-2016-3939 (drivers/video/msm/mdss/mdss_debug.c in the Qualcomm video driver in An ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3938 (drivers/video/msm/mdss/mdss_mdp_overlay.c in the Qualcomm video driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3937 (The MediaTek video driver in Android before 2016-10-05 allows attacker ...) NOT-FOR-US: MediaTek driver for Android CVE-2016-3936 (The MediaTek video driver in Android before 2016-10-05 allows attacker ...) NOT-FOR-US: MediaTek driver for Android CVE-2016-3935 (Multiple integer overflows in drivers/crypto/msm/qcedev.c in the Qualc ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3934 (drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c in ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3933 (mediaserver in Android before 2016-10-05 on Nexus 9 and Pixel C device ...) NOT-FOR-US: Android Mediaserver CVE-2016-3932 (mediaserver in Android before 2016-10-05 allows attackers to gain priv ...) NOT-FOR-US: Android Mediaserver CVE-2016-3931 (drivers/misc/qseecom.c in the Qualcomm QSEE Communicator driver in And ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3930 (The NVIDIA MMC test driver in Android before 2016-10-05 on Nexus 9 dev ...) NOT-FOR-US: NVIDIA driver for Android CVE-2016-3929 (Unspecified vulnerability in a Qualcomm component in Android before 20 ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3928 (The MediaTek video driver in Android before 2016-10-05 allows attacker ...) NOT-FOR-US: MediaTek driver for Android CVE-2016-3927 (Unspecified vulnerability in a Qualcomm component in Android before 20 ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3926 (Unspecified vulnerability in a Qualcomm component in Android before 20 ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3925 (server/wifi/anqp/ANQPFactory.java in Android 6.x before 2016-10-01 and ...) NOT-FOR-US: Android CVE-2016-3924 (services/audioflinger/Effects.cpp in mediaserver in Android 4.x before ...) NOT-FOR-US: Android Mediaserver CVE-2016-3923 (The Accessibility services in Android 7.0 before 2016-10-01 mishandle ...) NOT-FOR-US: Android CVE-2016-3922 (libril/RilSapSocket.cpp in Telephony in Android 6.x before 2016-10-01 ...) NOT-FOR-US: Android Telephony CVE-2016-3921 (libsysutils/src/FrameworkListener.cpp in Framework Listener in Android ...) - android-platform-system-core (libsysutils not included, bug #858177) CVE-2016-3920 (id3/ID3.cpp in libstagefright in mediaserver in Android 5.0.x before 5 ...) NOT-FOR-US: libstagefright CVE-2016-3919 REJECTED CVE-2016-3918 (email/provider/AttachmentProvider.java in AOSP Mail in Android 4.x bef ...) NOT-FOR-US: Android CVE-2016-3917 (The fingerprint login feature in Android 6.0.1 before 2016-10-01 and 7 ...) NOT-FOR-US: Android CVE-2016-3916 (camera/src/camera_metadata.c in the Camera service in Android 4.x befo ...) NOT-FOR-US: Android CVE-2016-3915 (camera/src/camera_metadata.c in the Camera service in Android 4.x befo ...) NOT-FOR-US: Android CVE-2016-3914 (Race condition in providers/telephony/MmsProvider.java in Telephony in ...) NOT-FOR-US: Android Telephony CVE-2016-3913 (media/libmediaplayerservice/MediaPlayerService.cpp in mediaserver in A ...) NOT-FOR-US: Android CVE-2016-3912 (The framework APIs in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5. ...) NOT-FOR-US: Android CVE-2016-3911 (core/java/android/os/Process.java in Zygote in Android 4.x before 4.4. ...) NOT-FOR-US: Android CVE-2016-3910 (services/soundtrigger/SoundTriggerHwService.cpp in mediaserver in Andr ...) NOT-FOR-US: Android Mediaserver CVE-2016-3909 (The SoftMPEG4 component in libstagefright in mediaserver in Android 4. ...) NOT-FOR-US: libstagefright CVE-2016-3908 (The Lock Settings Service in Android 6.x before 2016-10-01 and 7.0 bef ...) NOT-FOR-US: Android CVE-2016-3907 (An information disclosure vulnerability in Qualcomm components includi ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-3906 (An information disclosure vulnerability in Qualcomm components includi ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-3905 (CORE/HDD/src/wlan_hdd_main.c in the Qualcomm Wi-Fi driver in Android b ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3904 (An elevation of privilege vulnerability in the Qualcomm bus driver in ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3903 (drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c in the Qua ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3902 (drivers/platform/msm/ipa/ipa_qmi_service.c in the Qualcomm IPA driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3901 (Multiple integer overflows in drivers/crypto/msm/qcedev.c in the Qualc ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3900 (cmds/servicemanager/service_manager.c in ServiceManager in Android 5.0 ...) NOT-FOR-US: Android CVE-2016-3899 (OMXCodec.cpp in libstagefright in mediaserver in Android 4.x before 4. ...) NOT-FOR-US: libstagefright CVE-2016-3898 (Telephony in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x befor ...) NOT-FOR-US: Android CVE-2016-3897 (The WifiEnterpriseConfig class in net/wifi/WifiEnterpriseConfig.java i ...) NOT-FOR-US: Android CVE-2016-3896 (AOSP Mail in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x befor ...) NOT-FOR-US: Android CVE-2016-3895 (Integer overflow in the Region::unflatten function in libs/ui/Region.c ...) NOT-FOR-US: Android Mediaserver CVE-2016-3894 (The Qualcomm DMA component in Android before 2016-09-05 on Nexus 6 dev ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3893 (The wcdcal_hwdep_ioctl_shared function in sound/soc/codecs/wcdcal-hwde ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3892 (The Qualcomm SPMI driver in Android before 2016-09-05 on Nexus 5, 5X, ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3891 RESERVED CVE-2016-3890 (The Java Debug Wire Protocol (JDWP) implementation in adb/sockets.cpp ...) - android-platform-system-core 1:6.0.1+r43-1 [jessie] - android-platform-system-core (Minor issue) CVE-2016-3889 (Android 6.x before 2016-09-01 and 7.0 before 2016-09-01 allows physica ...) NOT-FOR-US: Android CVE-2016-3888 (internal/telephony/SMSDispatcher.java in Android 4.x before 4.4.4, 5.0 ...) NOT-FOR-US: Android CVE-2016-3887 (providers/settings/SettingsProvider.java in Android 7.0 before 2016-09 ...) NOT-FOR-US: Android CVE-2016-3886 (systemui/statusbar/phone/QuickStatusBarHeader.java in the System UI Tu ...) NOT-FOR-US: Android CVE-2016-3885 (debuggerd/debuggerd.cpp in Debuggerd in Android 5.0.x before 5.0.2, 5. ...) - android-platform-system-core (debugged not provided, see bug #858177) CVE-2016-3884 (server/notification/NotificationManagerService.java in the Notificatio ...) NOT-FOR-US: Android CVE-2016-3883 (internal/telephony/SMSDispatcher.java in Telephony in Android 4.x befo ...) NOT-FOR-US: Android CVE-2016-3882 (Off-by-one error in server/wifi/anqp/VenueNameElement.java in Wi-Fi in ...) NOT-FOR-US: Android CVE-2016-3881 (The decoder_peek_si_internal function in vp9/vp9_dx_iface.c in libvpx ...) - libvpx 1.6.1-1 [jessie] - libvpx (Minor issue) [wheezy] - libvpx (Vulnerable source not present) NOTE: probably fixed earlier, but this was the version checked NOTE: https://android.googlesource.com/platform/external/libvpx/+/4974dcbd0289a2530df2ee2a25b5f92775df80da CVE-2016-3880 (Multiple buffer overflows in rtsp/ASessionDescription.cpp in libstagef ...) NOT-FOR-US: libstagefright CVE-2016-3879 (arm-wt-22k/lib_src/eas_mdls.c in mediaserver in Android 4.x before 4.4 ...) NOT-FOR-US: Android Mediaserver CVE-2016-3878 (decoder/ih264d_api.c in mediaserver in Android 6.x before 2016-09-01 m ...) NOT-FOR-US: Android Mediaserver CVE-2016-3877 (Unspecified vulnerability in Android before 2016-09-01 has unknown imp ...) NOT-FOR-US: Android CVE-2016-3876 (providers/settings/SettingsProvider.java in Android 6.x before 2016-09 ...) NOT-FOR-US: Android CVE-2016-3875 (server/wm/WindowManagerService.java in Android 6.x before 2016-09-01 d ...) NOT-FOR-US: Android CVE-2016-3874 (CORE/HDD/src/wlan_hdd_wext.c in the Qualcomm Wi-Fi driver in Android b ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3873 (The NVIDIA kernel in Android before 2016-09-05 on Nexus 9 devices allo ...) NOT-FOR-US: NVIDIA driver for Android CVE-2016-3872 (Buffer overflow in codecs/on2/dec/SoftVPX.cpp in libstagefright in med ...) NOT-FOR-US: libstagefright CVE-2016-3871 (Multiple buffer overflows in codecs/mp3dec/SoftMP3.cpp in libstagefrig ...) NOT-FOR-US: libstagefright CVE-2016-3870 (omx/SimpleSoftOMXComponent.cpp in libstagefright in mediaserver in And ...) NOT-FOR-US: libstagefright CVE-2016-3869 (The Broadcom Wi-Fi driver in Android before 2016-09-05 on Nexus 5, Nex ...) NOT-FOR-US: Broadcom driver for Android CVE-2016-3868 (The Qualcomm power driver in Android before 2016-09-05 on Nexus 5X and ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3867 (The Qualcomm IPA driver in Android before 2016-09-05 on Nexus 5X and 6 ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3866 (The Qualcomm sound driver in Android before 2016-09-05 on Nexus 5X, 6, ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3865 (The Synaptics touchscreen driver in Android before 2016-09-05 on Nexus ...) NOT-FOR-US: Synaptics driver for Android CVE-2016-3864 (The Qualcomm radio interface layer in Android before 2016-09-05 on Nex ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3863 (Multiple stack-based buffer overflows in the AVCC reassembly implement ...) NOT-FOR-US: libstagefright CVE-2016-3862 (media/ExifInterface.java in mediaserver in Android 4.x before 4.4.4, 5 ...) NOT-FOR-US: libstagefright CVE-2016-3861 (LibUtils in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before ...) - android-platform-system-core 1:7.0.0+r1-4 (unimportant; bug #858177) NOTE: Not running as a privileged process in SDK CVE-2016-3860 (sound/soc/msm/qdsp6v2/audio_calibration.c in the Qualcomm sound driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3859 (The Qualcomm camera driver in Android before 2016-09-05 on Nexus 5, 5X ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3858 (Buffer overflow in drivers/soc/qcom/subsystem_restart.c in the Qualcom ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3857 (The kernel in Android before 2016-08-05 on Nexus 7 (2013) devices allo ...) {DLA-609-1} - linux 4.7.2-1 (unimportant) NOTE: Fixed by: https://git.kernel.org/linus/7de249964f5578e67b99699c5f0b405738d820a2 (v4.8-rc2) NOTE: CONFIG_OABI_COMPAT disabled in 3.13.4-1, cf. #728975 CVE-2016-3856 (netd in Android before 2016-08-05 mishandles tethering and stdio strea ...) NOT-FOR-US: Android CVE-2016-3855 (drivers/thermal/supply_lm_core.c in the Qualcomm components in Android ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3854 (drivers/media/video/msm/msm_mctl_buf.c in the Qualcomm components in A ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3853 (Google Play services in Android before 2016-08-05 on Nexus devices all ...) NOT-FOR-US: Android CVE-2016-3852 (The MediaTek Wi-Fi driver in Android before 2016-08-05 on Android One ...) NOT-FOR-US: MediaTek driver for Android CVE-2016-3851 (The LG Electronics bootloader Android before 2016-08-05 on Nexus 5X de ...) NOT-FOR-US: LG bootloader for Android CVE-2016-3850 (Integer overflow in app/aboot/aboot.c in the Qualcomm bootloader in An ...) NOT-FOR-US: Qualcomm bootloader for Android CVE-2016-3849 (The ION driver in Android before 2016-08-05 on Pixel C devices allows ...) NOT-FOR-US: ION driver for Android CVE-2016-3848 (The NVIDIA media driver in Android before 2016-08-05 on Nexus 9 device ...) NOT-FOR-US: NVIDIA driver for Android CVE-2016-3847 (The NVIDIA media driver in Android before 2016-08-05 on Nexus 9 device ...) NOT-FOR-US: NVIDIA driver for Android CVE-2016-3846 (The Serial Peripheral Interface driver in Android before 2016-08-05 on ...) NOT-FOR-US: Android CVE-2016-3845 (The video driver in the kernel in Android before 2016-08-05 on Nexus 5 ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3844 (mediaserver in Android before 2016-08-05 on Nexus 9 and Pixel C device ...) NOT-FOR-US: Android Mediaserver CVE-2016-3843 (Android before 2016-08-05 does not properly restrict code execution in ...) NOT-FOR-US: Android CVE-2016-3842 (The Qualcomm GPU driver in Android before 2016-08-05 on Nexus 5X, 6, a ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3841 (The IPv6 stack in the Linux kernel before 4.3.3 mishandles options dat ...) - linux 4.3.3-1 [jessie] - linux 3.16.7-ckt25-1 [wheezy] - linux 3.2.78-1 NOTE: Fixed by: https://git.kernel.org/linus/45f6fad84cc305103b28d73482b344d7f5b76f39 (v4.4-rc4) CVE-2016-3840 (Conscrypt in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x befor ...) NOT-FOR-US: Android CVE-2016-3839 (Bluetooth in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x befor ...) NOT-FOR-US: Android CVE-2016-3838 (Android 6.x before 2016-08-01 allows attackers to cause a denial of se ...) NOT-FOR-US: Android CVE-2016-3837 (service/jni/com_android_server_wifi_WifiNative.cpp in Wi-Fi in Android ...) NOT-FOR-US: Android CVE-2016-3836 (The SurfaceFlinger service in Android 5.0.x before 5.0.2, 5.1.x before ...) NOT-FOR-US: Android CVE-2016-3835 (The secure-session feature in the mm-video-v4l2 venc component in medi ...) NOT-FOR-US: Android CVE-2016-3834 (The camera APIs in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x ...) NOT-FOR-US: Android CVE-2016-3833 (The Shell component in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, ...) NOT-FOR-US: Android CVE-2016-3832 (The framework APIs in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5. ...) NOT-FOR-US: Android CVE-2016-3831 (The telephony component in Android 4.x before 4.4.4, 5.0.x before 5.0. ...) NOT-FOR-US: Android CVE-2016-3830 (codecs/aacdec/SoftAAC2.cpp in libstagefright in mediaserver in Android ...) NOT-FOR-US: libstagefright CVE-2016-3829 (The ih264d decoder in mediaserver in Android 6.x before 2016-08-01 doe ...) NOT-FOR-US: Android Mediaserver CVE-2016-3828 (decoder/ih264d_api.c in mediaserver in Android 6.x before 2016-08-01 m ...) NOT-FOR-US: Android Mediaserver CVE-2016-3827 (codecs/hevcdec/SoftHEVC.cpp in libstagefright in mediaserver in Androi ...) NOT-FOR-US: libstagefright CVE-2016-3826 (services/audioflinger/Effects.cpp in mediaserver in Android 4.x before ...) NOT-FOR-US: Android Mediaserver CVE-2016-3825 (mm-video-v4l2/vidc/venc/src/omx_video_base.cpp in mediaserver in Andro ...) NOT-FOR-US: Android Mediaserver CVE-2016-3824 (omx/OMXNodeInstance.cpp in libstagefright in mediaserver in Android 4. ...) NOT-FOR-US: libstagefright CVE-2016-3823 (The secure-session feature in the mm-video-v4l2 venc component in medi ...) NOT-FOR-US: Android CVE-2016-3822 (exif.c in Matthias Wandel jhead 2.87, as used in libjhead in Android 4 ...) {DSA-3825-1 DLA-864-1} - jhead 1:3.00-4 (bug #858213) CVE-2016-3821 (libmedia in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0. ...) NOT-FOR-US: Android Mediaserver CVE-2016-3820 (The ih264d decoder in mediaserver in Android 6.x before 2016-08-01 mis ...) NOT-FOR-US: Android Mediaserver CVE-2016-3819 (Integer overflow in codecs/on2/h264dec/source/h264bsd_dpb.c in libstag ...) NOT-FOR-US: libstagefright CVE-2016-3818 (libc in Android 4.x before 4.4.4 allows remote attackers to cause a de ...) NOT-FOR-US: Android libc CVE-2016-3817 REJECTED CVE-2016-3816 (The MediaTek display driver in Android before 2016-07-05 on Android On ...) NOT-FOR-US: MediaTek driver for Android CVE-2016-3815 (The NVIDIA camera driver in Android before 2016-07-05 on Nexus 9 devic ...) NOT-FOR-US: NVIDIA driver for Android CVE-2016-3814 (The NVIDIA camera driver in Android before 2016-07-05 on Nexus 9 devic ...) NOT-FOR-US: NVIDIA driver for Android CVE-2016-3813 (The Qualcomm USB driver in Android before 2016-07-05 on Nexus 5, 5X, 6 ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3812 (The MediaTek video codec driver in Android before 2016-07-05 on Androi ...) NOT-FOR-US: MediaTek driver for Android CVE-2016-3811 (The kernel video driver in Android before 2016-07-05 on Nexus 9 device ...) NOT-FOR-US: NVIDIA driver for Android CVE-2016-3810 (The MediaTek Wi-Fi driver in Android before 2016-07-05 on Android One ...) NOT-FOR-US: MediaTek driver for Android CVE-2016-3809 (The networking component in Android before 2016-07-05 on Android One, ...) NOT-FOR-US: Android CVE-2016-3808 (The serial peripheral interface driver in Android before 2016-07-05 on ...) NOT-FOR-US: Android CVE-2016-3807 (The serial peripheral interface driver in Android before 2016-07-05 on ...) NOT-FOR-US: Android CVE-2016-3806 (The MediaTek display driver in Android before 2016-07-05 on Android On ...) NOT-FOR-US: MediaTek driver for Android CVE-2016-3805 (The MediaTek power management driver in Android before 2016-07-05 on A ...) NOT-FOR-US: MediaTek driver for Android CVE-2016-3804 (The MediaTek power management driver in Android before 2016-07-05 on A ...) NOT-FOR-US: MediaTek driver for Android CVE-2016-3803 (The kernel filesystem implementation in Android before 2016-07-05 on N ...) NOT-FOR-US: Android kernel NOTE: https://source.android.com/security/bulletin/2016-07-01.html NOTE: No source patch available, so may relate to Apache-licensed sdcardfs. CVE-2016-3802 (The kernel filesystem implementation in Android before 2016-07-05 on N ...) NOT-FOR-US: Android kernel NOTE: https://source.android.com/security/bulletin/2016-07-01.html NOTE: No source patch available, so may relate to Apache-licensed sdcardfs. CVE-2016-3801 (The MediaTek GPS driver in Android before 2016-07-05 on Android One de ...) NOT-FOR-US: MediaTek driver for Android CVE-2016-3800 (The MediaTek video driver in Android before 2016-07-05 on Android One ...) NOT-FOR-US: MediaTek driver for Android CVE-2016-3799 (The MediaTek video driver in Android before 2016-07-05 on Android One ...) NOT-FOR-US: MediaTek driver for Android CVE-2016-3798 (The MediaTek hardware sensor driver in Android before 2016-07-05 on An ...) NOT-FOR-US: MediaTek driver for Android CVE-2016-3797 (The Qualcomm Wi-Fi driver in Android before 2016-07-05 on Nexus 5X dev ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3796 (The MediaTek power driver in Android before 2016-07-05 on Android One ...) NOT-FOR-US: MediaTek driver for Android CVE-2016-3795 (The MediaTek power driver in Android before 2016-07-05 on Android One ...) NOT-FOR-US: MediaTek driver for Android CVE-2016-3794 REJECTED CVE-2016-3793 (The NVIDIA camera driver in Android before 2016-07-05 on Nexus 9 devic ...) NOT-FOR-US: NVIDIA driver for Android CVE-2016-3792 (CORE/HDD/src/wlan_hdd_hostapd.c in the Qualcomm Wi-Fi driver in Androi ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-3791 REJECTED CVE-2016-3790 REJECTED CVE-2016-3789 REJECTED CVE-2016-3788 REJECTED CVE-2016-3787 REJECTED CVE-2016-3786 REJECTED CVE-2016-3785 REJECTED CVE-2016-3784 REJECTED CVE-2016-3783 REJECTED CVE-2016-3782 REJECTED CVE-2016-3781 REJECTED CVE-2016-3780 REJECTED CVE-2016-3779 REJECTED CVE-2016-3778 REJECTED CVE-2016-3777 REJECTED CVE-2016-3776 REJECTED CVE-2016-3775 (The kernel filesystem implementation in Android before 2016-07-05 on N ...) NOT-FOR-US: Android kernel NOTE: https://source.android.com/security/bulletin/2016-07-01.html NOTE: No source patch available, so may relate to Apache-licensed sdcardfs. CVE-2016-3774 (The MediaTek drivers in Android before 2016-07-05 on Android One devic ...) NOT-FOR-US: MediaTek drivers for Android CVE-2016-3773 (The MediaTek drivers in Android before 2016-07-05 on Android One devic ...) NOT-FOR-US: MediaTek drivers for Android CVE-2016-3772 (The MediaTek drivers in Android before 2016-07-05 on Android One devic ...) NOT-FOR-US: MediaTek drivers for Android CVE-2016-3771 (The MediaTek drivers in Android before 2016-07-05 on Android One devic ...) NOT-FOR-US: MediaTek drivers for Android CVE-2016-3770 (The MediaTek drivers in Android before 2016-07-05 on Android One devic ...) NOT-FOR-US: MediaTek drivers for Android CVE-2016-3769 (The NVIDIA video driver in Android before 2016-07-05 on Nexus 9 device ...) NOT-FOR-US: NVIDIA drivers for Android CVE-2016-3768 (The Qualcomm performance component in Android before 2016-07-05 on Nex ...) NOT-FOR-US: Qualcomm drivers for Android CVE-2016-3767 (The MediaTek Wi-Fi driver in Android before 2016-07-05 on Android One ...) NOT-FOR-US: MediaTek drivers for Android CVE-2016-3766 (MPEG4Extractor.cpp in libstagefright in mediaserver in Android 4.x bef ...) NOT-FOR-US: libstagefright CVE-2016-3765 (decoder/impeg2d_bitstream.c in mediaserver in Android 6.x before 2016- ...) NOT-FOR-US: Android Mediaserver CVE-2016-3764 (media/libmediaplayerservice/MetadataRetrieverClient.cpp in mediaserver ...) NOT-FOR-US: Android Mediaserver CVE-2016-3763 (net/PacProxySelector.java in the Proxy Auto-Config (PAC) feature in An ...) NOT-FOR-US: Android CVE-2016-3762 (The sockets subsystem in Android 5.0.x before 5.0.2, 5.1.x before 5.1. ...) NOT-FOR-US: Android SELinux policy CVE-2016-3761 (NfcService.java in NFC in Android 4.x before 4.4.4, 5.0.x before 5.0.2 ...) NOT-FOR-US: Android CVE-2016-3760 (Bluetooth in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x b ...) NOT-FOR-US: Android CVE-2016-3759 (The Framework APIs in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, ...) NOT-FOR-US: Android CVE-2016-3758 (Multiple buffer overflows in libdex/OptInvocation.cpp in DexClassLoade ...) - android-platform-dalvik 6.0.1+r55-1 CVE-2016-3757 (The print_maps function in toolbox/lsof.c in Android 4.x before 4.4.4, ...) NOT-FOR-US: toolbox CVE-2016-3756 (Tremolo/res012.c in mediaserver in Android 4.x before 4.4.4, 5.0.x bef ...) NOT-FOR-US: Android Mediaserver CVE-2016-3755 (decoder/ih264d_parse_pslice.c in mediaserver in Android 6.x before 201 ...) NOT-FOR-US: Android Mediaserver CVE-2016-3754 (mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x bef ...) NOT-FOR-US: Android Mediaserver CVE-2016-3753 (mediaserver in Android 4.x before 4.4.4 allows remote attackers to obt ...) NOT-FOR-US: Android Mediaserver CVE-2016-3752 (internal/app/ChooserActivity.java in the ChooserTarget service in Andr ...) NOT-FOR-US: Android CVE-2016-3751 (Unspecified vulnerability in libpng before 1.6.20, as used in Android ...) NOT-FOR-US: Specific CVE assignment for libpng "fork" used on Android CVE-2016-3750 (libs/binder/Parcel.cpp in the Parcels Framework APIs in Android 4.x be ...) NOT-FOR-US: Android CVE-2016-3749 (server/LockSettingsService.java in LockSettingsService in Android 6.x ...) NOT-FOR-US: Android CVE-2016-3748 (The sockets subsystem in Android 6.x before 2016-07-01 allows attacker ...) NOT-FOR-US: Android SELinux policy CVE-2016-3747 (Use-after-free vulnerability in the mm-video-v4l2 venc component in me ...) NOT-FOR-US: Android Mediaserver CVE-2016-3746 (Use-after-free vulnerability in the mm-video-v4l2 vdec component in me ...) NOT-FOR-US: Android Mediaserver CVE-2016-3745 (Multiple buffer overflows in mediaserver in Android 4.x before 4.4.4, ...) NOT-FOR-US: Android Mediaserver CVE-2016-3744 (Buffer overflow in the create_pbuf function in btif/src/btif_hh.c in B ...) NOT-FOR-US: Android CVE-2016-3743 (decoder/ih264d_api.c in mediaserver in Android 6.x before 2016-07-01 d ...) NOT-FOR-US: Android Mediaserver CVE-2016-3742 (decoder/ih264d_process_intra_mb.c in mediaserver in Android 6.x before ...) NOT-FOR-US: Android Mediaserver CVE-2016-3741 (The H.264 decoder in mediaserver in Android 6.x before 2016-07-01 does ...) NOT-FOR-US: Android Mediaserver CVE-2016-3740 (Heap-based buffer overflow in the CreateFXPDFConvertor function in Con ...) NOT-FOR-US: Foxit CVE-2016-3739 (The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) pola ...) - curl 7.50.1-1 (unimportant) NOTE: only relevant when built with mbedTLS/PolarSSL NOTE: Source-wise fixed in 7.49.0 CVE-2016-3738 (Red Hat OpenShift Enterprise 3.2 does not properly restrict access to ...) NOT-FOR-US: OpenShift Enterprise CVE-2016-3737 (The server in Red Hat JBoss Operations Network (JON) before 3.3.6 allo ...) NOT-FOR-US: Red Hat / JBoss Operations Network server CVE-2016-3736 RESERVED CVE-2016-3735 RESERVED CVE-2016-3734 (Cross-site request forgery (CSRF) vulnerability in markposts.php in Mo ...) - moodle 2.7.14+dfsg-1 NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53755 CVE-2016-3733 (The "restore teacher" feature in Moodle 3.0 through 3.0.3, 2.9 through ...) - moodle 2.7.14+dfsg-1 NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51369 CVE-2016-3732 (The capability check to access other badges in Moodle 3.0 through 3.0. ...) - moodle (Does only affect 2.8 and newer) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53589 CVE-2016-3731 (Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, and 2.8 through 2.8.11 al ...) - moodle (Does only affect 2.8 and newer) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53696 CVE-2016-3730 RESERVED CVE-2016-3729 (The user editing form in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, ...) - moodle 2.7.14+dfsg-1 NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53954 CVE-2016-3728 (Eval injection vulnerability in tftp_api.rb in the TFTP module in the ...) - foreman (bug #663101) CVE-2016-3727 (The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS be ...) - jenkins NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11 CVE-2016-3726 (Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS b ...) - jenkins NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11 CVE-2016-3725 (Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated ...) - jenkins NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11 CVE-2016-3724 (Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated u ...) - jenkins NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11 CVE-2016-3723 (Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated u ...) - jenkins NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11 CVE-2016-3722 (Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated u ...) - jenkins NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11 CVE-2016-3721 (Jenkins before 2.3 and LTS before 1.651.2 might allow remote authentic ...) - jenkins NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11 CVE-2016-3720 (XML external entity (XXE) vulnerability in XmlMapper in the Data forma ...) - jackson-dataformat-xml 2.7.4-1 (bug #823703) NOTE: https://github.com/FasterXML/jackson-dataformat-xml/commit/f0f19a4c924d9db9a1e2830434061c8640092cc0 (2.7.4) CVE-2016-3719 REJECTED CVE-2016-3718 (The (1) HTTP and (2) FTP coders in ImageMagick before 6.9.3-10 and 7.x ...) {DSA-3580-1 DLA-1401-1 DLA-486-1 DLA-484-1} - imagemagick 8:6.9.6.2+dfsg-2 - graphicsmagick 1.3.24-1 NOTE: https://sourceforge.net/p/graphicsmagick/mailman/message/35072963/ CVE-2016-3717 (The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 ...) {DSA-3580-1 DLA-1401-1 DLA-486-1 DLA-484-1} - imagemagick 8:6.9.6.2+dfsg-2 - graphicsmagick 1.3.24-1 NOTE: https://sourceforge.net/p/graphicsmagick/mailman/message/35072963/ CVE-2016-3716 (The MSL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 al ...) {DSA-3580-1 DLA-1401-1 DLA-486-1 DLA-484-1} - imagemagick 8:6.9.6.2+dfsg-2 - graphicsmagick 1.3.24-1 NOTE: https://sourceforge.net/p/graphicsmagick/mailman/message/35072963/ CVE-2016-3715 (The EPHEMERAL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0. ...) {DSA-3746-1 DSA-3580-1 DLA-486-1 DLA-484-1} - imagemagick 8:6.9.6.2+dfsg-2 - graphicsmagick 1.3.24-1 NOTE: https://sourceforge.net/p/graphicsmagick/mailman/message/35072963/ CVE-2016-3714 (The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7 ...) {DSA-3746-1 DSA-3580-1 DLA-486-1 DLA-484-1} - imagemagick 8:6.9.6.2+dfsg-2 NOTE: Workaround: https://bugzilla.redhat.com/show_bug.cgi?id=1332492#c3 NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588 NOTE: Original upstream applied patches are incomplete and still to be finished NOTE: https://imagetragick.com/ NOTE: notice how the workaround differs between the three refs above NOTE: PLT format removed with: https://github.com/ImageMagick/ImageMagick/commit/e87116ab2bd070c47943d4118a18c8f3a47461e2 - graphicsmagick 1.3.24-1 NOTE: https://sourceforge.net/p/graphicsmagick/mailman/message/35072963/ NOTE: https://sourceforge.net/p/graphicsmagick/code/ci/45998a25992d1142df201d8cf024b6c948b40748/ CVE-2016-3713 (The msr_mtrr_valid function in arch/x86/kvm/mtrr.c in the Linux kernel ...) - linux 4.5.4-1 [jessie] - linux (Introduced in v4.2-rc1) [wheezy] - linux (Introduced in v4.2-rc1) NOTE: Introduced by: https://git.kernel.org/linus/910a6aae4e2e45855efc4a268e43eed2d8445575 (v4.2-rc1) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1332139 CVE-2016-3712 (Integer overflow in the VGA module in QEMU allows local guest OS users ...) {DSA-3573-1 DLA-571-1 DLA-540-1 DLA-539-1} - qemu 1:2.6+dfsg-1 (bug #823830) - qemu-kvm - xen 4.4.0-1 [wheezy] - xen (default configuration not vulnerable) NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: http://xenbits.xen.org/xsa/advisory-179.html NOTE: mitigation: run HVM in stubdomains, PV, default video card not vulnerable, i386-only CVE-2016-3711 (HAproxy in Red Hat OpenShift Enterprise 3.2 and OpenShift Origin allow ...) NOT-FOR-US: OpenShift CVE-2016-3710 (The VGA module in QEMU improperly performs bounds checking on banked a ...) {DSA-3573-1 DLA-571-1 DLA-540-1 DLA-539-1} - qemu 1:2.6+dfsg-1 (bug #823830) - qemu-kvm - xen 4.4.0-1 [wheezy] - xen (default configuration not vulnerable) NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: http://xenbits.xen.org/xsa/advisory-179.html NOTE: mitigation: run HVM in stubdomains, PV, default video card not vulnerable, i386-only CVE-2016-3709 RESERVED CVE-2016-3708 (Red Hat OpenShift Enterprise 3.2, when multi-tenant SDN is enabled and ...) NOT-FOR-US: OpenShiftEnterprise / Red Hat CVE-2016-3707 (The icmp_check_sysrq function in net/ipv4/icmp.c in the kernel.org pro ...) - linux 3.15~rc5-1~exp1 (unimportant) NOTE: This is not really fixed in 3.15, but depends on the rt feature set patches applied NOTE: more details in kernel-sec repository. NOTE: https://lwn.net/Articles/448790/ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1327484 CVE-2016-3706 (Stack-based buffer overflow in the getaddrinfo function in sysdeps/pos ...) {DLA-494-1} - glibc 2.22-8 [jessie] - glibc 2.19-18+deb8u5 - eglibc NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20010 CVE-2016-3705 (The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex functions ...) {DSA-3593-1 DLA-503-1} - libxml2 2.9.3+dfsg1-1.1 (bug #823414) NOTE: https://git.gnome.org/browse/libxml2/commit/?id=8f30bdff69edac9075f4663ce3b56b0c52d48ce6 (v2.9.4) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=765207 CVE-2016-3704 (Pulp before 2.8.5 uses bash's $RANDOM in an unsafe way to generate pas ...) NOT-FOR-US: Pulp (Red Hat) CVE-2016-3703 (Red Hat OpenShift Enterprise 3.2 and 3.1 do not properly validate the ...) NOT-FOR-US: OpenShift CVE-2016-3702 (Padding oracle flaw in CloudForms Management Engine (aka CFME) 5 allow ...) NOT-FOR-US: Red Hat CloudForms Management Engine CVE-2016-3701 RESERVED CVE-2016-3700 RESERVED CVE-2016-3699 (The Linux kernel, as used in Red Hat Enterprise Linux 7.2 and Red Hat ...) - linux (Fixed before we first included the securelevel patchset) NOTE: https://github.com/mjg59/linux/commit/a4a5ed2835e8ea042868b7401dced3f517cafa76 NOTE: securelevel patchset added in 4.5.1-1 CVE-2016-3698 (libndp before 1.6, as used in NetworkManager, does not properly valida ...) {DSA-3581-1} - libndp 1.6-1 (bug #824545) NOTE: https://github.com/jpirko/libndp/commit/a4892df306e0532487f1634ba6d4c6d4bb381c7f NOTE: https://github.com/jpirko/libndp/commit/2af9a55b38b55abbf05fd116ec097d4029115839 CVE-2016-3697 (libcontainer/user/user.go in runC before 0.1.0, as used in Docker befo ...) - docker.io (Vulnerable code not present) NOTE: Affected file not present, but docker.io probably needs to be rebuild with fixed runc - runc 0.1.0+dfsg-1 NOTE: https://github.com/opencontainers/runc/commit/69af385de62ea68e2e608335cffbb0f4aa3db091 (runc, v0.1.0) NOTE: https://github.com/docker/docker/commit/da38ac6c79fe902ed0687afc73d731c95c6d491a (docker) CVE-2016-3696 (The pulp-qpid-ssl-cfg script in Pulp before 2.8.5 allows local users t ...) NOT-FOR-US: Pulp (Red Hat) CVE-2016-3695 (The einj_error_inject function in drivers/acpi/apei/einj.c in the Linu ...) - linux 4.5.1-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) CVE-2016-3694 (Multiple SQL injection vulnerabilities in modified eCommerce Shopsoftw ...) NOT-FOR-US: eCommerce Shopsoftware CVE-2016-3693 (The Safemode gem before 1.2.4 for Ruby, when initialized with a delega ...) - foreman (bug #663101) CVE-2016-3692 RESERVED CVE-2016-3691 (Routes in Kallithea before 0.3.2 allows remote attackers to bypass the ...) - kallithea (bug #689573) CVE-2016-3690 (The PooledInvokerServlet in JBoss EAP 4.x and 5.x allows remote attack ...) NOT-FOR-US: PooledInvokerServlet CVE-2016-3941 (Buffer overflow in the AStreamPeekStream function in input/stream.c in ...) - vlc 2.2.0-1 [wheezy] - vlc (Unsupported in -lts) NOTE: https://bugs.launchpad.net/bugs/1533633 NOTE: It is unclear when this was fixed exactly, marking the version in jessie as fixed for now CVE-2016-3688 (SQL injection vulnerability in dotCMS before 3.5 allows remote adminis ...) NOT-FOR-US: dotCMS CVE-2016-3687 (Open redirect vulnerability in F5 BIG-IP APM 11.2.1, 11.4.x, 11.5.x, a ...) NOT-FOR-US: F5 BIG-IP CVE-2016-3686 (The Single Sign-On (SSO) feature in F5 BIG-IP APM 11.x before 11.6.0 H ...) NOT-FOR-US: F5 BIG-IP APM CVE-2016-3685 (SAP Download Manager 2.1.142 and earlier generates an encryption key f ...) NOT-FOR-US: SAP Download Manager CVE-2016-3684 (SAP Download Manager 2.1.142 and earlier uses a hardcoded encryption k ...) NOT-FOR-US: SAP Download Manager CVE-2016-3683 RESERVED CVE-2016-3689 (The ims_pcu_parse_cdc_data function in drivers/input/misc/ims-pcu.c in ...) - linux 4.5.1-1 [jessie] - linux 3.16.36-1 [wheezy] - linux (Vulnerable code not present) NOTE: Upstream fix: https://git.kernel.org/linus/a0ad220c96692eda76b2e3fd7279f3dcd1d8a8ff (v4.6-rc1) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=971628 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1320060 CVE-2016-3682 REJECTED CVE-2016-3681 (Buffer overflow in the Wi-Fi driver in Huawei Mate 8 NXT-AL before NXT ...) NOT-FOR-US: Huawei CVE-2016-3680 (Buffer overflow in the Wi-Fi driver in Huawei Mate 8 NXT-AL before NXT ...) NOT-FOR-US: Huawei CVE-2016-3679 (Multiple unspecified vulnerabilities in Google V8 before 4.9.385.33, a ...) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2016-3678 (Huawei Quidway S9700, S5700, S5300, S9300, and S7700 switches with sof ...) NOT-FOR-US: Huawei CVE-2016-3677 (The Huawei Wear App application before 15.0.0.307 for Android does not ...) NOT-FOR-US: Huawei CVE-2016-3676 (Huawei E3276s USB modems with software before E3276s-150TCPU-V200R002B ...) NOT-FOR-US: Huawei CVE-2016-3675 (SQL injection vulnerability in Huawei Policy Center with software befo ...) NOT-FOR-US: Huawei CVE-2016-3673 REJECTED CVE-2016-3672 (The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux ...) {DSA-3607-1 DLA-516-1} - linux 4.5.1-1 NOTE: http://hmarco.org/bugs/CVE-2016-3672-Unlimiting-the-stack-not-longer-disables-ASLR.html NOTE: Upstream fix: https://git.kernel.org/linus/8b8addf891de8a00e4d39fc32f93f7c5eb8feceb (v4.6-rc1) CVE-2014-9769 (pcre_jit_compile.c in PCRE 8.35 does not properly use table jumps to o ...) - pcre3 2:8.38-1 (bug #819050) [jessie] - pcre3 2:8.35-3.3+deb8u4 [wheezy] - pcre3 (Vulnerable code not present) NOTE: Upstream fix: http://vcs.pcre.org/pcre?view=revision&revision=1475 (8.36) NOTE: Introduced in: http://vcs.pcre.org/pcre?view=revision&revision=1434 (8.35) NOTE: http://www.openwall.com/lists/oss-security/2016/03/26/1 CVE-2016-3674 (Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDri ...) {DSA-3575-1 DLA-504-1} - libxstream-java 1.4.9-1 (bug #819455) NOTE: http://x-stream.github.io/changes.html#1.4.9 CVE-2016-3671 RESERVED CVE-2016-3670 (Cross-site scripting (XSS) vulnerability in users.jsp in the Profile S ...) NOT-FOR-US: Liferay CVE-2016-3669 RESERVED CVE-2016-3668 RESERVED CVE-2016-3667 RESERVED CVE-2016-3666 RESERVED CVE-2016-3665 RESERVED CVE-2016-3664 (Trend Micro Mobile Security for iOS before 3.2.1188 does not verify th ...) NOT-FOR-US: Trend Micro CVE-2016-3663 RESERVED CVE-2016-3662 RESERVED CVE-2015-8839 (Multiple race conditions in the ext4 filesystem implementation in the ...) {DLA-2241-1} - linux 4.5.1-1 [wheezy] - linux (Too much work to backport) NOTE: https://git.kernel.org/linus/ea3d7209ca01da209cda6f0dea8be9cc4b7a933b (v4.5-rc1) NOTE: https://git.kernel.org/linus/17048e8a083fec7ad841d88ef0812707fbc7e39f (v4.5-rc1) NOTE: https://git.kernel.org/linus/32ebffd3bbb4162da5ff88f9a35dd32d0a28ea70 (v4.5-rc1) NOTE: https://git.kernel.org/linus/011278485ecc3cd2a3954b5d4c73101d919bf1fa (v4.5-rc1) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=972174 CVE-2015-8838 (ext/mysqlnd/mysqlnd.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5 ...) - php5 5.6.11+dfsg-1 [jessie] - php5 5.6.12+dfsg-0+deb8u1 [wheezy] - php5 5.4.44-0+deb7u1 NOTE: Fixed in 5.6.11, 5.5.27, 5.4.43 NOTE: https://bugs.php.net/bug.php?id=69669 CVE-2015-8834 (Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in W ...) {DSA-3639-1 DLA-633-1} - wordpress 4.2.2+dfsg-1 NOTE: https://wordpress.org/news/2015/05/wordpress-4-2-2/ NOTE: Follow-up patch from 4.2.1 -> 4.2.2 for wp-includes/wp-db.php seems not applied NOTE: This looks like a required patch: https://github.com/WordPress/WordPress/commit/a3a76fe665dfb62508a66542390a93445f1f7a59 NOTE: Changes in wp-includes/wp-db.php: https://github.com/WordPress/WordPress/commit/db8f915ee6c236ee2f39e76781bf42367e3f1490 NOTE: https://core.trac.wordpress.org/changeset/32387/ NOTE: Wheezy: https://core.trac.wordpress.org/changeset/32391 NOTE: Wheezy: https://core.trac.wordpress.org/changeset/32395 NOTE: Wheezy: https://core.trac.wordpress.org/changeset/32423 NOTE: Wheezy: https://core.trac.wordpress.org/changeset/32435 CVE-2016-3661 RESERVED CVE-2016-3660 RESERVED CVE-2016-3659 (SQL injection vulnerability in graph_view.php in Cacti 0.8.8.g allows ...) {DLA-560-1} - cacti 0.8.8h+ds1-1 (bug #820521) [jessie] - cacti 0.8.8b+dfsg-8+deb8u5 NOTE: http://bugs.cacti.net/view.php?id=2673 NOTE: Requires authenticated user CVE-2016-3658 (The TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in ...) {DSA-3844-1 DLA-969-1} - tiff 4.0.6-3 (low) - tiff3 (low) [wheezy] - tiff3 (Does not ship libtiff tools) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2546 NOTE: Duplicate of http://bugzilla.maptools.org/show_bug.cgi?id=2500 CVE-2016-3657 (Buffer overflow in the GlobalProtect Portal in Palo Alto Networks PAN- ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2016-3656 (The GlobalProtect Portal in Palo Alto Networks PAN-OS before 5.0.18, 6 ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2016-3655 (The management web interface in Palo Alto Networks PAN-OS before 5.0.1 ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2016-3654 (The device management command line interface (CLI) in Palo Alto Networ ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2016-3653 (Multiple cross-site request forgery (CSRF) vulnerabilities in manageme ...) NOT-FOR-US: Symantec Endpoint Protection Manager CVE-2016-3652 (Multiple cross-site scripting (XSS) vulnerabilities in management scri ...) NOT-FOR-US: Symantec Endpoint Protection Manager CVE-2016-3651 (Symantec Endpoint Protection Manager (SEPM) 12.1 before RU6 MP5 allows ...) NOT-FOR-US: Symantec Endpoint Protection Manager CVE-2016-3650 (Symantec Endpoint Protection Manager (SEPM) 12.1 before RU6 MP5 allows ...) NOT-FOR-US: Symantec Endpoint Protection Manager CVE-2016-3649 (Symantec Endpoint Protection Manager (SEPM) 12.1 before RU6 MP5 allows ...) NOT-FOR-US: Symantec Endpoint Protection Manager CVE-2016-3648 (Symantec Endpoint Protection Manager (SEPM) 12.1 before RU6 MP5 allows ...) NOT-FOR-US: Symantec Endpoint Protection Manager CVE-2016-3647 (Symantec Endpoint Protection Manager (SEPM) 12.1 before RU6 MP5 allows ...) NOT-FOR-US: Symantec Endpoint Protection Manager CVE-2016-3646 (The AntiVirus Decomposer engine in Symantec Advanced Threat Protection ...) NOT-FOR-US: Symantec CVE-2016-3645 (Integer overflow in the TNEF unpacker in the AntiVirus Decomposer engi ...) NOT-FOR-US: Symantec CVE-2016-3644 (The AntiVirus Decomposer engine in Symantec Advanced Threat Protection ...) NOT-FOR-US: Symantec CVE-2016-3643 (SolarWinds Virtualization Manager 6.3.1 and earlier allow local users ...) NOT-FOR-US: SolarWinds Virtualization Manager CVE-2016-3642 (The RMI service in SolarWinds Virtualization Manager 6.3.1 and earlier ...) NOT-FOR-US: SolarWinds Virtualization Manager CVE-2016-3641 RESERVED CVE-2016-3640 (The Extended Application Services (aka XS or XS Engine) in SAP HANA DB ...) NOT-FOR-US: SAP HANA CVE-2016-3639 (SAP HANA DB 1.00.091.00.1418659308 allows remote attackers to obtain s ...) NOT-FOR-US: SAP HANA CVE-2016-3638 (SAP SLD Registration Program (aka SLDREG) allows local users to cause ...) NOT-FOR-US: SAP SLD CVE-2016-3637 RESERVED CVE-2016-3636 RESERVED CVE-2016-3635 (SAP Netweaver 7.4 allows remote authenticated users to bypass an inten ...) NOT-FOR-US: SAP Netweaver CVE-2016-3634 (The tagCompare function in tif_dirinfo.c in the thumbnail tool in LibT ...) {DLA-693-1} - tiff 4.0.6-3 [jessie] - tiff 4.0.3-12.3+deb8u2 - tiff3 (unimportant) [wheezy] - tiff3 (Does not ship libtiff tools) NOTE: src:tiff3: built binary packages do not contain the TIFF tools NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2547 NOTE: Upstream will remove thumbnail from 4.0.7 release NOTE: No patch available. Issue marked as wontfix by upstream. NOTE: thumbnail(1) was removed in 4.0.6-3 and DSA 3762, marking as fixed although technically still present in the source package CVE-2016-3633 (The setrow function in the thumbnail tool in LibTIFF 4.0.6 and earlier ...) {DLA-693-1} - tiff 4.0.6-3 (bug #842046) [jessie] - tiff 4.0.3-12.3+deb8u2 - tiff3 (unimportant) [wheezy] - tiff3 (Does not ship libtiff tools) NOTE: src:tiff3: built binary packages do not contain the TIFF tools NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2548 NOTE: Upstream will remove thumbnail from 4.0.7 release NOTE: No patch available. Issue marked as wontfix by upstream. NOTE: thumbnail(1) was removed in 4.0.6-3 and DSA 3762, marking as fixed although technically still present in the source package CVE-2016-3632 (The _TIFFVGetField function in tif_dirinfo.c in LibTIFF 4.0.6 and earl ...) {DLA-693-1} - tiff 4.0.6-3 [jessie] - tiff 4.0.3-12.3+deb8u2 - tiff3 (unimportant) [wheezy] - tiff3 (Does not ship libtiff tools) NOTE: src:tiff3: built binary packages do not contain the TIFF tools NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2549 NOTE: Upstream will remove thumbnail from 4.0.7 release NOTE: No patch available. Issue marked as wontfix by upstream. NOTE: thumbnail(1) was removed in 4.0.6-3 and DSA 3762, marking as fixed although technically still present in the source package CVE-2016-3631 (The (1) cpStrips and (2) cpTiles functions in the thumbnail tool in Li ...) {DLA-693-1} - tiff 4.0.6-3 (bug #820366) [jessie] - tiff 4.0.3-12.3+deb8u2 - tiff3 (unimportant) [wheezy] - tiff3 (Does not ship libtiff tools) NOTE: src:tiff3: built binary packages do not contain the TIFF tools NOTE: No patch available. Issue marked as wontfix by upstream. NOTE: thumbnail(1) was removed in 4.0.6-3 and DSA 3762, marking as fixed although technically still present in the source package CVE-2016-3630 (The binary delta decoder in Mercurial before 3.7.3 allows remote attac ...) {DSA-3542-1} - mercurial 3.7.3-1 (bug #819504) NOTE: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29 NOTE: https://selenic.com/repo/hg-stable/rev/b6ed2505d6cf (1/2) NOTE: https://selenic.com/repo/hg-stable/rev/b9714d958e89 (2/2) CVE-2016-3629 REJECTED CVE-2016-3628 (Buffer overflow in tibemsd in the server in TIBCO Enterprise Message S ...) NOT-FOR-US: TIBCO CVE-2016-3626 RESERVED CVE-2016-3625 (tif_read.c in the tiff2bw tool in LibTIFF 4.0.6 and earlier allows rem ...) - tiff 4.0.3-1 [wheezy] - tiff (Can't reproduce) - tiff3 [wheezy] - tiff3 (Does not ship libtiff tools) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2566 NOTE: Not reproducible with jessie and above, marking the version in jessie as fixed NOTE: CVE probably should/needs to be rejected, since upstream is as well unable to NOTE: reproduce the issue. Might have been a problem on reporter from id=2566 CVE-2016-3624 (The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earli ...) {DSA-3762-1 DLA-795-1} - tiff 4.0.6-3 - tiff3 (tiff tools not built) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2568 NOTE: Upstream marked this duplicate of bug 2569 CVE-2016-3623 (The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attacker ...) {DSA-3762-1 DLA-795-1 DLA-610-1} - tiff 4.0.6-3 (unimportant) - tiff3 (unimportant) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2569 NOTE: No security impact, just triggers a crash in a CLI tool CVE-2016-3622 (The fpAcc function in tif_predict.c in the tiff2rgba tool in LibTIFF 4 ...) {DSA-3762-1 DLA-795-1} - tiff 4.0.7-1 (low; bug #820365) - tiff3 (tiff tools not built) NOTE: http://www.openwall.com/lists/oss-security/2016/04/07/4 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286 CVE-2016-3621 (The LZWEncode function in tif_lzw.c in the bmp2tiff tool in LibTIFF 4. ...) {DLA-693-1} - tiff 4.0.6-3 (low; bug #820364) [jessie] - tiff 4.0.3-12.3+deb8u2 - tiff3 (tiff tools not built) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2565 NOTE: http://www.openwall.com/lists/oss-security/2016/04/07/3 NOTE: Utility bmp2tiff has been removed from upstream LibTIFF NOTE: bmp2tiff was removed in 4.0.6-3 and DSA 3762, marking as fixed although technically still present in the source package CVE-2016-3620 (The ZIPEncode function in tif_zip.c in the bmp2tiff tool in LibTIFF 4. ...) {DLA-693-1} - tiff 4.0.6-3 (low; bug #820363) [jessie] - tiff 4.0.3-12.3+deb8u2 - tiff3 (tiff tools not built) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2570 NOTE: http://www.openwall.com/lists/oss-security/2016/04/07/2 NOTE: Utility bmp2tiff has been removed from upstream LibTIFF NOTE: bmp2tiff was removed in 4.0.6-3 and DSA 3762, marking as fixed although technically still present in the source package CVE-2016-3619 (The DumpModeEncode function in tif_dumpmode.c in the bmp2tiff tool in ...) {DLA-693-1} - tiff 4.0.6-3 (low; bug #820362) [jessie] - tiff 4.0.3-12.3+deb8u2 - tiff3 (tiff tools not built) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2567 NOTE: http://www.openwall.com/lists/oss-security/2016/04/07/1 NOTE: Utility bmp2tiff has been removed from upstream LibTIFF NOTE: bmp2tiff was removed in 4.0.6-3 and DSA 3762, marking as fixed although technically still present in the source package CVE-2016-3618 RESERVED CVE-2016-3617 RESERVED CVE-2016-3616 (The cjpeg utility in libjpeg allows remote attackers to cause a denial ...) {DLA-1638-1} - libjpeg-turbo 1:1.4.2-1 NOTE: libjpeg-turbo: Fixed by: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/6709e4a0cfa44d4f54ee8ad05753d4aa9260cb91 (1.4.2) - libjpeg6b (unimportant) NOTE: unimportant, since cjpeg not installed in binary package in any suite having src:libjpeg6b - libjpeg8 [wheezy] - libjpeg8 (Minor issue) NOTE: cjpeg in src:libjpeg8 vulnerable, but not installed in binary package since 8d1-2 - libjpeg9 1:9b-2 (bug #819969) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1319661 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1318509 CVE-2016-3627 (The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and earli ...) {DSA-3593-1 DLA-503-1} - libxml2 2.9.3+dfsg1-1.1 (bug #819006) NOTE: https://git.gnome.org/browse/libxml2/commit/?id=bdd66182ef53fe1f7209ab6535fda56366bd7ac9 (v2.9.4) NOTE: http://www.openwall.com/lists/oss-security/2016/03/21/3 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=762100 CVE-2016-3615 (Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 a ...) {DSA-3632-1 DSA-3624-1 DLA-567-1} - mariadb-10.0 10.0.26-1 - mysql-5.6 5.6.34-1 (bug #831844) - mysql-5.5 NOTE: http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL CVE-2016-3614 (Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier and 5.7.1 ...) - mysql-5.6 5.6.34-1 (bug #831844) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL CVE-2016-3613 (Unspecified vulnerability in the Oracle Secure Global Desktop componen ...) NOT-FOR-US: Oracle CVE-2016-3612 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) - virtualbox 5.0.22-dfsg-1 [jessie] - virtualbox (Only affects 5.x) [wheezy] - virtualbox (Only affects 5.x) CVE-2016-3611 (Unspecified vulnerability in the Oracle Retail Order Broker component ...) NOT-FOR-US: Oracle CVE-2016-3610 (Unspecified vulnerability in Oracle Java SE 8u92 and Java SE Embedded ...) {DSA-3641-1 DLA-579-1} - openjdk-8 8u102-b14-1 [experimental] - openjdk-7 7u111-2.6.7-1 - openjdk-7 CVE-2016-3609 (Unspecified vulnerability in the OJVM component in Oracle Database Ser ...) NOT-FOR-US: Oracle Database CVE-2016-3608 (Unspecified vulnerability in the Oracle GlassFish Server component in ...) - glassfish (Full application server not packaged) CVE-2016-3607 (Unspecified vulnerability in the Oracle GlassFish Server component in ...) - glassfish (Full application server not packaged) CVE-2016-3606 (Unspecified vulnerability in Oracle Java SE 7u101 and 8u92 and Java SE ...) {DSA-3641-1 DLA-579-1} - openjdk-8 8u102-b14-1 [experimental] - openjdk-7 7u111-2.6.7-1 - openjdk-7 CVE-2016-3605 REJECTED CVE-2016-3604 REJECTED CVE-2016-3603 REJECTED CVE-2016-3602 REJECTED CVE-2016-3601 REJECTED CVE-2016-3600 REJECTED CVE-2016-3599 REJECTED CVE-2016-3598 (Unspecified vulnerability in Oracle Java SE 8u92 and Java SE Embedded ...) {DSA-3641-1 DLA-579-1} - openjdk-8 8u102-b14-1 [experimental] - openjdk-7 7u111-2.6.7-1 - openjdk-7 CVE-2016-3597 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) - virtualbox 5.1.4-dfsg-1 [jessie] - virtualbox (Only affects 5.x) [wheezy] - virtualbox (Only affects 5.x) CVE-2016-3596 (Unspecified vulnerability in the Outside In Technology component in Or ...) NOT-FOR-US: Oracle CVE-2016-3595 (Unspecified vulnerability in the Outside In Technology component in Or ...) NOT-FOR-US: Oracle CVE-2016-3594 (Unspecified vulnerability in the Outside In Technology component in Or ...) NOT-FOR-US: Oracle CVE-2016-3593 (Unspecified vulnerability in the Outside In Technology component in Or ...) NOT-FOR-US: Oracle CVE-2016-3592 (Unspecified vulnerability in the Outside In Technology component in Or ...) NOT-FOR-US: Oracle CVE-2016-3591 (Unspecified vulnerability in the Outside In Technology component in Or ...) NOT-FOR-US: Oracle CVE-2016-3590 (Unspecified vulnerability in the Outside In Technology component in Or ...) NOT-FOR-US: Oracle CVE-2016-3589 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle CVE-2016-3588 (Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows re ...) - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL CVE-2016-3587 (Unspecified vulnerability in Oracle Java SE 8u92 and Java SE Embedded ...) - openjdk-8 8u102-b14-1 CVE-2016-3586 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2016-3585 (Unspecified vulnerability in the ILOM component in Oracle Sun Systems ...) NOT-FOR-US: Oracle CVE-2016-3584 (Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local user ...) NOT-FOR-US: Oracle CVE-2016-3583 (Unspecified vulnerability in the Outside In Technology component in Or ...) NOT-FOR-US: Oracle CVE-2016-3582 (Unspecified vulnerability in the Outside In Technology component in Or ...) NOT-FOR-US: Oracle CVE-2016-3581 (Unspecified vulnerability in the Outside In Technology component in Or ...) NOT-FOR-US: Oracle CVE-2016-3580 (Unspecified vulnerability in the Outside In Technology component in Or ...) NOT-FOR-US: Oracle CVE-2016-3579 (Unspecified vulnerability in the Outside In Technology component in Or ...) NOT-FOR-US: Oracle CVE-2016-3578 (Unspecified vulnerability in the Outside In Technology component in Or ...) NOT-FOR-US: Oracle CVE-2016-3577 (Unspecified vulnerability in the Outside In Technology component in Or ...) NOT-FOR-US: Oracle CVE-2016-3576 (Unspecified vulnerability in the Outside In Technology component in Or ...) NOT-FOR-US: Oracle CVE-2016-3575 (Unspecified vulnerability in the Outside In Technology component in Or ...) NOT-FOR-US: Oracle CVE-2016-3574 (Unspecified vulnerability in the Outside In Technology component in Or ...) NOT-FOR-US: Oracle CVE-2016-3573 (Unspecified vulnerability in the Primavera P6 Enterprise Project Portf ...) NOT-FOR-US: Oracle CVE-2016-3572 (Unspecified vulnerability in the Primavera P6 Enterprise Project Portf ...) NOT-FOR-US: Oracle CVE-2016-3571 (Unspecified vulnerability in the Primavera P6 Enterprise Project Portf ...) NOT-FOR-US: Oracle CVE-2016-3570 (Unspecified vulnerability in the Primavera P6 Enterprise Project Portf ...) NOT-FOR-US: Oracle NOT-FOR-US: Oracle CVE-2016-3569 (Unspecified vulnerability in the Primavera P6 Enterprise Project Portf ...) NOT-FOR-US: Oracle CVE-2016-3568 (Unspecified vulnerability in the Primavera P6 Enterprise Project Portf ...) NOT-FOR-US: Oracle CVE-2016-3567 (Unspecified vulnerability in the Primavera P6 Enterprise Project Portf ...) NOT-FOR-US: Oracle CVE-2016-3566 (Unspecified vulnerability in the Primavera P6 Enterprise Project Portf ...) NOT-FOR-US: Oracle CVE-2016-3565 (Unspecified vulnerability in the Oracle Retail Order Broker component ...) NOT-FOR-US: Oracle CVE-2016-3564 (Unspecified vulnerability in the Oracle TopLink component in Oracle Fu ...) NOT-FOR-US: Oracle CVE-2016-3563 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle CVE-2016-3562 (Unspecified vulnerability in the RDBMS Security and SQL*Plus component ...) NOT-FOR-US: Oracle CVE-2016-3561 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-3560 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-3559 (Unspecified vulnerability in the Oracle Email Center component in Orac ...) NOT-FOR-US: Oracle CVE-2016-3558 (Unspecified vulnerability in the Oracle Email Center component in Orac ...) NOT-FOR-US: Oracle CVE-2016-3557 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-3556 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-3555 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-3554 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-3553 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-3552 (Unspecified vulnerability in Oracle Java SE 8u92 allows local users to ...) - openjdk-8 (Installation component of Oracle Java doesn't apply to IcedTea/OpenJDK) CVE-2016-3551 (Unspecified vulnerability in the Oracle Web Services component in Orac ...) NOT-FOR-US: Oracle CVE-2016-3550 (Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92 and ...) {DSA-3641-1 DLA-579-1} - openjdk-8 8u102-b14-1 [experimental] - openjdk-7 7u111-2.6.7-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 (Not supported in Wheezy) CVE-2016-3549 (Unspecified vulnerability in the Oracle E-Business Suite Secure Enterp ...) NOT-FOR-US: Oracle CVE-2016-3548 (Unspecified vulnerability in the Oracle Marketing component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-3547 (Unspecified vulnerability in the Oracle One-to-One Fulfillment compone ...) NOT-FOR-US: Oracle CVE-2016-3546 (Unspecified vulnerability in the Oracle Advanced Collections component ...) NOT-FOR-US: Oracle CVE-2016-3545 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle CVE-2016-3544 (Unspecified vulnerability in the Oracle Business Intelligence Enterpri ...) NOT-FOR-US: Oracle CVE-2016-3543 (Unspecified vulnerability in the Oracle Common Applications Calendar c ...) NOT-FOR-US: Oracle CVE-2016-3542 (Unspecified vulnerability in the Oracle Knowledge Management component ...) NOT-FOR-US: Oracle CVE-2016-3541 (Unspecified vulnerability in the Oracle Common Applications Calendar c ...) NOT-FOR-US: Oracle CVE-2016-3540 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle CVE-2016-3539 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-3538 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-3537 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-3536 (Unspecified vulnerability in the Oracle Marketing component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-3535 (Unspecified vulnerability in the Oracle CRM Technical Foundation compo ...) NOT-FOR-US: Oracle CVE-2016-3534 (Unspecified vulnerability in the Oracle Installed Base component in Or ...) NOT-FOR-US: Oracle CVE-2016-3533 (Unspecified vulnerability in the Oracle Knowledge Management component ...) NOT-FOR-US: Oracle CVE-2016-3532 (Unspecified vulnerability in the Oracle Advanced Inbound Telephony com ...) NOT-FOR-US: Oracle CVE-2016-3531 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-3530 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-3529 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-3528 (Unspecified vulnerability in the Oracle Internet Expenses component in ...) NOT-FOR-US: Oracle CVE-2016-3527 (Unspecified vulnerability in the Oracle Demand Planning component in O ...) NOT-FOR-US: Oracle CVE-2016-3526 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-3525 (Unspecified vulnerability in the Oracle Applications Manager component ...) NOT-FOR-US: Oracle CVE-2016-3524 (Unspecified vulnerability in the Oracle Applications Technology Stack ...) NOT-FOR-US: Oracle CVE-2016-3523 (Unspecified vulnerability in the Oracle Web Applications Desktop Integ ...) NOT-FOR-US: Oracle CVE-2016-3522 (Unspecified vulnerability in the Oracle Web Applications Desktop Integ ...) NOT-FOR-US: Oracle CVE-2016-3521 (Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 a ...) {DSA-3632-1 DSA-3624-1 DLA-567-1} - mariadb-10.0 10.0.26-1 - mysql-5.6 5.6.34-1 (bug #831844) - mysql-5.5 NOTE: http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL CVE-2016-3520 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle CVE-2016-3519 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-3518 (Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows re ...) - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL CVE-2016-3517 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-3516 (Unspecified vulnerability in the Oracle Enterprise Communications Brok ...) NOT-FOR-US: Oracle CVE-2016-3515 (Unspecified vulnerability in the Oracle Enterprise Communications Brok ...) NOT-FOR-US: Oracle CVE-2016-3514 (Unspecified vulnerability in the Oracle Enterprise Communications Brok ...) NOT-FOR-US: Oracle CVE-2016-3513 (Unspecified vulnerability in the Oracle Communications Operations Moni ...) NOT-FOR-US: Oracle CVE-2016-3512 (Unspecified vulnerability in the Oracle Customer Interaction History c ...) NOT-FOR-US: Oracle CVE-2016-3511 (Unspecified vulnerability in Oracle Java SE 7u101 and 8u92 allows loca ...) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2016-3510 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2016-3509 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-3508 (Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; Ja ...) {DSA-3641-1 DLA-579-1} - openjdk-8 8u102-b14-1 [experimental] - openjdk-7 7u111-2.6.7-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 (Not supported in Wheezy) CVE-2016-3507 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-3506 (Unspecified vulnerability in the JDBC component in Oracle Database Ser ...) NOT-FOR-US: Oracle Database CVE-2016-3505 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2016-3504 (Unspecified vulnerability in the Oracle JDeveloper component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-3503 (Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92 all ...) - openjdk-8 (Installation component of Oracle Java doesn't apply to IcedTea/OpenJDK) - openjdk-7 (Installation component of Oracle Java doesn't apply to IcedTea/OpenJDK) - openjdk-6 (Installation component of Oracle Java doesn't apply to IcedTea/OpenJDK) CVE-2016-3502 (Unspecified vulnerability in the Oracle WebCenter Sites component in O ...) NOT-FOR-US: Oracle CVE-2016-3501 (Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier and 5.7.1 ...) - mysql-5.6 5.6.34-1 (bug #831844) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL CVE-2016-3500 (Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; Ja ...) {DSA-3641-1 DLA-579-1} - openjdk-8 8u102-b14-1 [experimental] - openjdk-7 7u111-2.6.7-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 (Not supported in Wheezy) CVE-2016-3499 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2016-3498 (Unspecified vulnerability in Oracle Java SE 7u101 and 8u92 allows remo ...) - openjfx 8u102-b14-1 (bug #832419) CVE-2016-3497 (Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local user ...) NOT-FOR-US: Oracle CVE-2016-3496 (Unspecified vulnerability in the Enterprise Manager for Fusion Middlew ...) NOT-FOR-US: Oracle CVE-2016-3495 (Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows re ...) - mysql-5.7 5.7.15-1 - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) CVE-2016-3494 (Unspecified vulnerability in the Enterprise Manager Ops Center compone ...) NOT-FOR-US: Oracle CVE-2016-3493 (Unspecified vulnerability in the Hyperion Financial Reporting componen ...) NOT-FOR-US: Oracle CVE-2016-3492 (Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 a ...) {DSA-3711-1} - mariadb-10.0 10.0.28-1 - mysql-5.7 5.7.15-1 - mysql-5.6 5.6.34-1 (bug #841049) - mysql-5.5 [jessie] - mysql-5.5 5.5.52-0+deb8u1 [wheezy] - mysql-5.5 5.5.52-0+deb7u1 NOTE: Fixed in MariaDB 5.5.52, MariaDB 10.1.18, MariaDB 10.0.28 CVE-2016-3491 (Unspecified vulnerability in the Oracle CRM Technical Foundation compo ...) NOT-FOR-US: Oracle CVE-2016-3490 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle CVE-2016-3489 (Unspecified vulnerability in the Data Pump Import component in Oracle ...) NOT-FOR-US: Oracle Database CVE-2016-3488 (Unspecified vulnerability in the DB Sharding component in Oracle Datab ...) NOT-FOR-US: Oracle Database CVE-2016-3487 (Unspecified vulnerability in the Oracle WebCenter Sites component in O ...) NOT-FOR-US: Oracle CVE-2016-3486 (Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier and 5.7.1 ...) - mysql-5.6 5.6.34-1 (bug #831844) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL CVE-2016-3485 (Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; Ja ...) - openjdk-8 (Windows-specific) - openjdk-7 (Windows-specific) - openjdk-6 (Windows-specific) CVE-2016-3484 (Unspecified vulnerability in the Database Vault component in Oracle Da ...) NOT-FOR-US: Oracle Database CVE-2016-3483 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle CVE-2016-3482 (Unspecified vulnerability in the Oracle HTTP Server component in Oracl ...) NOT-FOR-US: Oracle CVE-2016-3481 (Unspecified vulnerability in the ILOM component in Oracle Sun Systems ...) NOT-FOR-US: Oracle CVE-2016-3480 (Unspecified vulnerability in the Solaris Cluster component in Oracle S ...) NOT-FOR-US: Oracle CVE-2016-3479 (Unspecified vulnerability in the Portable Clusterware component in Ora ...) NOT-FOR-US: Oracle Database CVE-2016-3478 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle CVE-2016-3477 (Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 a ...) {DSA-3632-1 DSA-3624-1 DLA-567-1} - mariadb-10.0 10.0.26-1 - mysql-5.6 5.6.34-1 (bug #831844) - mysql-5.5 NOTE: http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL CVE-2016-3476 (Unspecified vulnerability in the Oracle Knowledge component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-3475 (Unspecified vulnerability in the Oracle Knowledge component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-3474 (Unspecified vulnerability in the BI Publisher (formerly XML Publisher) ...) NOT-FOR-US: Oracle CVE-2016-3473 (Unspecified vulnerability in the BI Publisher (formerly XML Publisher) ...) NOT-FOR-US: Oracle CVE-2016-3472 (Unspecified vulnerability in the Siebel Engineering - Installer and De ...) NOT-FOR-US: Oracle Siebel CRM CVE-2016-3471 (Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.2 ...) - mariadb-10.0 10.0.22-1 [jessie] - mariadb-10.0 10.0.22-0+deb8u1 - mysql-5.6 5.6.28-1 - mysql-5.5 [jessie] - mysql-5.5 5.5.46-0+deb8u1 [wheezy] - mysql-5.5 5.5.46-0+deb7u1 NOTE: http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL CVE-2016-3470 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle CVE-2016-3469 (Unspecified vulnerability in the Siebel Core - Server Framework compon ...) NOT-FOR-US: Oracle Siebel CRM CVE-2016-3468 (Unspecified vulnerability in the Oracle Agile Engineering Data Managem ...) NOT-FOR-US: Oracle CVE-2016-3467 (Unspecified vulnerability in the Application Express component in Orac ...) NOT-FOR-US: Oracle Database CVE-2016-3466 (Unspecified vulnerability in the Oracle Field Service component in Ora ...) NOT-FOR-US: Oracle CVE-2016-3465 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11.3 allows loc ...) NOT-FOR-US: Solaris CVE-2016-3464 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle CVE-2016-3463 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle CVE-2016-3462 (Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local user ...) NOT-FOR-US: Solaris CVE-2016-3461 (Unspecified vulnerability in the MySQL Enterprise Monitor component in ...) NOT-FOR-US: MySQL Enterprise Monitor CVE-2016-3460 (Unspecified vulnerability in the PeopleSoft Enterprise HCM component i ...) NOT-FOR-US: PeopleSoft CVE-2016-3459 (Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier and 5.7.1 ...) - mariadb-10.0 10.0.25-1 [jessie] - mariadb-10.0 10.0.25-0+deb8u1 - mysql-5.6 5.6.34-1 (bug #831844) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL CVE-2016-3458 (Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; an ...) {DSA-3641-1 DLA-579-1} - openjdk-8 8u102-b14-1 [experimental] - openjdk-7 7u111-2.6.7-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 (Not supported in Wheezy) CVE-2016-3457 (Unspecified vulnerability in the PeopleSoft Enterprise HCM ePerformanc ...) NOT-FOR-US: PeopleSoft CVE-2016-3456 (Unspecified vulnerability in the Oracle Complex Maintenance, Repair, a ...) NOT-FOR-US: Oracle CVE-2016-3455 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle CVE-2016-3454 (Unspecified vulnerability in the Java VM component in Oracle Database ...) NOT-FOR-US: Oracle CVE-2016-3453 (Unspecified vulnerability in Oracle Sun Solaris 10 allows local users ...) NOT-FOR-US: Oracle CVE-2016-3452 (Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 a ...) - mariadb-10.0 10.0.25-1 [jessie] - mariadb-10.0 10.0.25-0+deb8u1 - mysql-5.6 5.6.30-1 - mysql-5.5 [jessie] - mysql-5.5 5.5.49-0+deb8u1 [wheezy] - mysql-5.5 5.5.49-0+deb7u1 NOTE: http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL CVE-2016-3451 (Unspecified vulnerability in the ILOM component in Oracle Sun Systems ...) NOT-FOR-US: Oracle CVE-2016-3450 (Unspecified vulnerability in the Siebel Core - Server Framework compon ...) NOT-FOR-US: Oracle Siebel CRM CVE-2016-3449 (Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 allo ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2016-3448 (Unspecified vulnerability in the Application Express component in Orac ...) NOT-FOR-US: Oracle Database CVE-2016-3447 (Unspecified vulnerability in the Oracle Applications Framework compone ...) NOT-FOR-US: Oracle CVE-2016-3446 (Unspecified vulnerability in the Oracle Business Intelligence Enterpri ...) NOT-FOR-US: Oracle CVE-2016-3445 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2016-3444 (Unspecified vulnerability in the Oracle Retail Integration Bus compone ...) NOT-FOR-US: Oracle CVE-2016-3443 (Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 allo ...) - openjdk-6 (Specific to Oracle Java, not present in IcedTea) - openjdk-7 (Specific to Oracle Java, not present in IcedTea) - openjdk-8 (Specific to Oracle Java, not present in IcedTea) CVE-2016-3442 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft CVE-2016-3441 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11.3 allows loc ...) NOT-FOR-US: Solaris CVE-2016-3440 (Unspecified vulnerability in Oracle MySQL 5.7.11 and earlier allows re ...) - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL CVE-2016-3439 (Unspecified vulnerability in the Oracle CRM Wireless component in Orac ...) NOT-FOR-US: Oracle CVE-2016-3438 (Unspecified vulnerability in the Oracle Configurator component in Orac ...) NOT-FOR-US: Oracle CVE-2016-3437 (Unspecified vulnerability in the Oracle CRM Wireless component in Orac ...) NOT-FOR-US: Oracle CVE-2016-3436 (Unspecified vulnerability in the Oracle Common Applications Calendar c ...) NOT-FOR-US: Oracle CVE-2016-3435 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft CVE-2016-3434 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle CVE-2016-3433 (Unspecified vulnerability in the Oracle Business Intelligence Enterpri ...) NOT-FOR-US: Oracle CVE-2016-3432 (Unspecified vulnerability in the BI Publisher (formerly XML Publisher) ...) NOT-FOR-US: Oracle CVE-2016-3431 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-3430 RESERVED CVE-2016-3429 (Unspecified vulnerability in the Oracle Retail Xstore Point of Service ...) NOT-FOR-US: Oracle Retail CVE-2016-3428 (Unspecified vulnerability in the Oracle Agile Engineering Data Managem ...) NOT-FOR-US: Oracle CVE-2016-3427 (Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Jav ...) {DSA-3558-1 DLA-451-1} - openjdk-8 8u91-b14-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 (Not supported in Wheezy LTS) CVE-2016-3426 (Unspecified vulnerability in Oracle Java SE 8u77 and Java SE Embedded ...) {DSA-3558-1 DLA-451-1} - openjdk-8 8u91-b14-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 (Not supported in Wheezy LTS) CVE-2016-3425 (Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Jav ...) {DSA-3558-1 DLA-451-1} - openjdk-8 8u91-b14-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 (Not supported in Wheezy LTS) CVE-2016-3424 (Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows re ...) - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL CVE-2016-3423 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft CVE-2016-3422 (Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 allo ...) - openjdk-6 (Specific to Oracle Java, not present in IcedTea) - openjdk-7 (Specific to Oracle Java, not present in IcedTea) - openjdk-8 (Specific to Oracle Java, not present in IcedTea) CVE-2016-3421 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft CVE-2016-3420 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-3419 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11.3 allows loc ...) NOT-FOR-US: Solaris CVE-2016-3418 (Unspecified vulnerability in the DataStore component in Oracle Berkele ...) NOT-FOR-US: Oracle Berkeley DB (later closed source releases) CVE-2016-3417 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft CVE-2016-3416 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2016-3415 (Zimbra Collaboration before 8.7.0 allows remote attackers to conduct d ...) NOT-FOR-US: Zimbra CVE-2016-3414 (Unspecified vulnerability in Zimbra Collaboration before 8.6.0 Patch 7 ...) NOT-FOR-US: Zimbra CVE-2016-3413 (Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows ...) NOT-FOR-US: Zimbra CVE-2016-3412 (Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collabor ...) NOT-FOR-US: Zimbra CVE-2016-3411 (Cross-site scripting (XSS) vulnerability in Zimbra Collaboration befor ...) NOT-FOR-US: Zimbra CVE-2016-3410 (Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collabor ...) NOT-FOR-US: Zimbra CVE-2016-3409 (Cross-site scripting (XSS) vulnerability in Zimbra Collaboration befor ...) NOT-FOR-US: Zimbra CVE-2016-3408 (Cross-site scripting (XSS) vulnerability in Zimbra Collaboration befor ...) NOT-FOR-US: Zimbra CVE-2016-3407 (Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collabor ...) NOT-FOR-US: Zimbra CVE-2016-3406 (Multiple cross-site request forgery (CSRF) vulnerabilities in Zimbra C ...) NOT-FOR-US: Zimbra CVE-2016-3405 (Multiple unspecified vulnerabilities in Zimbra Collaboration before 8. ...) NOT-FOR-US: Zimbra CVE-2016-3404 (Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows ...) NOT-FOR-US: Zimbra CVE-2016-3403 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Admi ...) NOT-FOR-US: Zimbra CVE-2016-3402 (Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows ...) NOT-FOR-US: Zimbra CVE-2016-3401 (Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows ...) NOT-FOR-US: Zimbra CVE-2016-3400 (NetApp Data ONTAP 8.1 and 8.2, when operating in 7-Mode, allows man-in ...) NOT-FOR-US: NetApp Data ONTAP CVE-2016-3399 RESERVED CVE-2016-3398 RESERVED CVE-2014-9768 (** DISPUTED ** IBM Tivoli NetView Access Services (NVAS) allows remote ...) NOT-FOR-US: Tivoli CVE-2016-3397 REJECTED CVE-2016-3396 (Graphics Device Interface (aka GDI or GDI+) in Microsoft Windows Vista ...) NOT-FOR-US: Microsoft CVE-2016-3395 REJECTED CVE-2016-3394 REJECTED CVE-2016-3393 (Graphics Device Interface (aka GDI or GDI+) in Microsoft Windows Vista ...) NOT-FOR-US: Microsoft CVE-2016-3392 (The Edge Content Security Policy feature in Microsoft Edge does not pr ...) NOT-FOR-US: Microsoft CVE-2016-3391 (Microsoft Internet Explorer 10 and 11 and Microsoft Edge allow context ...) NOT-FOR-US: Microsoft CVE-2016-3390 (The scripting engines in Microsoft Internet Explorer 11 and Microsoft ...) NOT-FOR-US: Microsoft CVE-2016-3389 (The Chakra JavaScript engine in Microsoft Edge allows remote attackers ...) NOT-FOR-US: Microsoft CVE-2016-3388 (Microsoft Internet Explorer 10 and 11 and Microsoft Edge do not proper ...) NOT-FOR-US: Microsoft CVE-2016-3387 (Microsoft Internet Explorer 10 and 11 and Microsoft Edge do not proper ...) NOT-FOR-US: Microsoft CVE-2016-3386 (The Chakra JavaScript engine in Microsoft Edge allows remote attackers ...) NOT-FOR-US: Microsoft CVE-2016-3385 (The scripting engine in Microsoft Internet Explorer 9 through 11 allow ...) NOT-FOR-US: Microsoft CVE-2016-3384 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2016-3383 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft CVE-2016-3382 (The scripting engines in Microsoft Internet Explorer 9 through 11 and ...) NOT-FOR-US: Microsoft CVE-2016-3381 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 R ...) NOT-FOR-US: Microsoft CVE-2016-3380 REJECTED CVE-2016-3379 (Cross-site scripting (XSS) vulnerability in Microsoft Exchange Server ...) NOT-FOR-US: Microsoft CVE-2016-3378 (Open redirect vulnerability in Microsoft Exchange Server 2013 SP1, 201 ...) NOT-FOR-US: Microsoft CVE-2016-3377 (The Chakra JavaScript engine in Microsoft Edge allows remote attackers ...) NOT-FOR-US: Microsoft CVE-2016-3376 (The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-3375 (The OLE Automation mechanism and VBScript scripting engine in Microsof ...) NOT-FOR-US: Microsoft CVE-2016-3374 (The PDF library in Microsoft Edge, Windows 8.1, Windows Server 2012 Go ...) NOT-FOR-US: Microsoft CVE-2016-3373 (The kernel API in Microsoft Windows Vista SP2, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2016-3372 (The kernel API in Microsoft Windows Vista SP2 and Windows Server 2008 ...) NOT-FOR-US: Microsoft CVE-2016-3371 (The kernel API in Microsoft Windows Vista SP2, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2016-3370 (The PDF library in Microsoft Edge, Windows 8.1, Windows Server 2012 Go ...) NOT-FOR-US: Microsoft CVE-2016-3369 (Microsoft Windows 10 Gold and 1511 allows attackers to cause a denial ...) NOT-FOR-US: Microsoft CVE-2016-3368 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft CVE-2016-3367 (StringBuilder in Microsoft Silverlight 5 before 5.1.50709.0 does not p ...) NOT-FOR-US: Microsoft CVE-2016-3366 (Microsoft Outlook 2007 SP3, Outlook 2010 SP2, Outlook 2013 SP1, Outloo ...) NOT-FOR-US: Microsoft CVE-2016-3365 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 R ...) NOT-FOR-US: Microsoft CVE-2016-3364 (Microsoft Visio 2016 allows remote attackers to execute arbitrary code ...) NOT-FOR-US: Microsoft CVE-2016-3363 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 R ...) NOT-FOR-US: Microsoft CVE-2016-3362 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 R ...) NOT-FOR-US: Microsoft CVE-2016-3361 (Microsoft Excel 2010 SP2 allows remote attackers to execute arbitrary ...) NOT-FOR-US: Microsoft CVE-2016-3360 (Microsoft PowerPoint 2007 SP3, PowerPoint 2010 SP2, PowerPoint 2013 SP ...) NOT-FOR-US: Microsoft CVE-2016-3359 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Office Compatibility Pack SP ...) NOT-FOR-US: Microsoft CVE-2016-3358 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 R ...) NOT-FOR-US: Microsoft CVE-2016-3357 (Microsoft Office 2007 SP3, Office 2010 SP2, Office 2013 SP1, Office 20 ...) NOT-FOR-US: Microsoft CVE-2016-3356 (The Graphics Device Interface (GDI) in Microsoft Windows 10 1607 allow ...) NOT-FOR-US: Microsoft CVE-2016-3355 (The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2, Wi ...) NOT-FOR-US: Microsoft CVE-2016-3354 (The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2, Wi ...) NOT-FOR-US: Microsoft CVE-2016-3353 (Microsoft Internet Explorer 9 through 11 mishandles .url files from th ...) NOT-FOR-US: Microsoft CVE-2016-3352 (Microsoft Windows 8.1, Windows RT 8.1, and Windows 10 Gold, 1511, and ...) NOT-FOR-US: Microsoft CVE-2016-3351 (Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remo ...) NOT-FOR-US: Microsoft CVE-2016-3350 (The Chakra JavaScript engine in Microsoft Edge allows remote attackers ...) NOT-FOR-US: Microsoft CVE-2016-3349 (The kernel-mode drivers in Microsoft Windows 8.1, Windows Server 2012 ...) NOT-FOR-US: Microsoft CVE-2016-3348 (The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-3347 REJECTED CVE-2016-3346 (Microsoft Windows 10 Gold, 1511, and 1607 does not properly enforce pe ...) NOT-FOR-US: Microsoft CVE-2016-3345 (The SMBv1 server in Microsoft Windows Vista SP2, Windows Server 2008 S ...) NOT-FOR-US: Microsoft CVE-2016-3344 (The Secure Kernel Mode feature in Microsoft Windows 10 Gold and 1511 a ...) NOT-FOR-US: Microsoft CVE-2016-3343 (The Common Log File System (CLFS) driver in Microsoft Windows Vista SP ...) NOT-FOR-US: Microsoft CVE-2016-3342 (The Common Log File System (CLFS) driver in Microsoft Windows Vista SP ...) NOT-FOR-US: Microsoft CVE-2016-3341 (The kernel-mode drivers in Transaction Manager in Microsoft Windows 8. ...) NOT-FOR-US: Microsoft CVE-2016-3340 (The Common Log File System (CLFS) driver in Microsoft Windows Vista SP ...) NOT-FOR-US: Microsoft CVE-2016-3339 REJECTED CVE-2016-3338 (The Common Log File System (CLFS) driver in Microsoft Windows Vista SP ...) NOT-FOR-US: Microsoft CVE-2016-3337 REJECTED CVE-2016-3336 REJECTED CVE-2016-3335 (The Common Log File System (CLFS) driver in Microsoft Windows Vista SP ...) NOT-FOR-US: Microsoft CVE-2016-3334 (The Common Log File System (CLFS) driver in Microsoft Windows Vista SP ...) NOT-FOR-US: Microsoft CVE-2016-3333 (The Common Log File System (CLFS) driver in Microsoft Windows Vista SP ...) NOT-FOR-US: Microsoft CVE-2016-3332 (The Common Log File System (CLFS) driver in Microsoft Windows Vista SP ...) NOT-FOR-US: Microsoft CVE-2016-3331 (Microsoft Internet Explorer 11 and Microsoft Edge allow remote attacke ...) NOT-FOR-US: Microsoft CVE-2016-3330 (Microsoft Edge allows remote attackers to execute arbitrary code or ca ...) NOT-FOR-US: Microsoft CVE-2016-3329 (Microsoft Internet Explorer 9 through 11 and Edge allow remote attacke ...) NOT-FOR-US: Microsoft CVE-2016-3328 REJECTED CVE-2016-3327 (Microsoft Internet Explorer 9 through 11 and Edge allow remote attacke ...) NOT-FOR-US: Microsoft CVE-2016-3326 (Microsoft Internet Explorer 9 through 11 and Edge allow remote attacke ...) NOT-FOR-US: Microsoft CVE-2016-3325 (Microsoft Internet Explorer 11 and Microsoft Edge allow remote attacke ...) NOT-FOR-US: Microsoft CVE-2016-3324 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2016-3323 REJECTED CVE-2016-3322 (Microsoft Internet Explorer 11 and Edge allow remote attackers to exec ...) NOT-FOR-US: Microsoft CVE-2016-3321 (Microsoft Internet Explorer 10 and 11 load different files for attempt ...) NOT-FOR-US: Microsoft CVE-2016-3320 (Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1 ...) NOT-FOR-US: Microsoft CVE-2016-3319 (The PDF library in Microsoft Windows 8.1, Windows Server 2012 Gold and ...) NOT-FOR-US: Microsoft CVE-2016-3318 (Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1, and 2013 RT SP1 allow r ...) NOT-FOR-US: Microsoft CVE-2016-3317 (Microsoft Office 2010 SP2, Word 2007 SP3, Word 2010 SP2, Word for Mac ...) NOT-FOR-US: Microsoft CVE-2016-3316 (Microsoft Word 2013 SP1, 2013 RT SP1, 2016, and 2016 for Mac allow rem ...) NOT-FOR-US: Microsoft CVE-2016-3315 (Microsoft OneNote 2007 SP3, 2010 SP2, 2013 SP1, 2013 RT SP1, 2016, and ...) NOT-FOR-US: Microsoft CVE-2016-3314 REJECTED CVE-2016-3313 (Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1, 2013 RT SP1, and 2016, ...) NOT-FOR-US: Microsoft CVE-2016-3312 (ActiveSyncProvider in Microsoft Windows 10 Gold and 1511 allows attack ...) NOT-FOR-US: Microsoft CVE-2016-3311 (The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-3310 (The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-3309 (The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-3308 (The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-3307 REJECTED CVE-2016-3306 (The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2016-3305 (The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2016-3304 (The Windows font library in Microsoft Windows Vista SP2, Windows Serve ...) NOT-FOR-US: Microsoft CVE-2016-3303 (The Windows font library in Microsoft Windows Vista SP2, Windows Serve ...) NOT-FOR-US: Microsoft CVE-2016-3302 (Microsoft Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, and Win ...) NOT-FOR-US: Microsoft CVE-2016-3301 (The Windows font library in Microsoft Windows Vista SP2; Windows Serve ...) NOT-FOR-US: Microsoft CVE-2016-3300 (The Netlogon service in Microsoft Windows 8.1, Windows Server 2012 Gol ...) NOT-FOR-US: Microsoft CVE-2016-3299 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft CVE-2016-3298 (Microsoft Internet Explorer 9 through 11 and the Internet Messaging AP ...) NOT-FOR-US: Microsoft CVE-2016-3297 (Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remo ...) NOT-FOR-US: Microsoft CVE-2016-3296 (The Chakra JavaScript engine in Microsoft Edge allows remote attackers ...) NOT-FOR-US: Microsoft CVE-2016-3295 (Microsoft Internet Explorer 10 and 11 and Microsoft Edge allow remote ...) NOT-FOR-US: Microsoft CVE-2016-3294 (Microsoft Edge allows remote attackers to execute arbitrary code or ca ...) NOT-FOR-US: Microsoft CVE-2016-3293 (Microsoft Internet Explorer 9 through 11 and Edge allow remote attacke ...) NOT-FOR-US: Microsoft CVE-2016-3292 (Microsoft Internet Explorer 10 and 11 mishandles integrity settings an ...) NOT-FOR-US: Microsoft CVE-2016-3291 (Microsoft Internet Explorer 11 and Microsoft Edge mishandle cross-orig ...) NOT-FOR-US: Microsoft CVE-2016-3290 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft CVE-2016-3289 (Microsoft Internet Explorer 11 and Edge allow remote attackers to exec ...) NOT-FOR-US: Microsoft CVE-2016-3288 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft CVE-2016-3287 (Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1 ...) NOT-FOR-US: Microsoft CVE-2016-3286 (The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-3285 REJECTED CVE-2016-3284 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 R ...) NOT-FOR-US: Microsoft CVE-2016-3283 (Microsoft Word Viewer allows remote attackers to execute arbitrary cod ...) NOT-FOR-US: Microsoft CVE-2016-3282 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1 ...) NOT-FOR-US: Microsoft CVE-2016-3281 (Microsoft Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT ...) NOT-FOR-US: Microsoft CVE-2016-3280 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1 ...) NOT-FOR-US: Microsoft CVE-2016-3279 (Microsoft Office 2010 SP2, Excel 2010 SP2, PowerPoint 2010 SP2, Word 2 ...) NOT-FOR-US: Microsoft CVE-2016-3278 (Microsoft Outlook 2010 SP2, 2013 SP1, 2013 RT SP1, and 2016 allows rem ...) NOT-FOR-US: Microsoft CVE-2016-3277 (Microsoft Internet Explorer 10 and 11 and Microsoft Edge allow remote ...) NOT-FOR-US: Microsoft CVE-2016-3276 (Microsoft Internet Explorer 11 and Microsoft Edge allow remote attacke ...) NOT-FOR-US: Microsoft CVE-2016-3275 REJECTED CVE-2016-3274 (Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remo ...) NOT-FOR-US: Microsoft CVE-2016-3273 (The XSS Filter in Microsoft Internet Explorer 9 through 11 and Microso ...) NOT-FOR-US: Microsoft CVE-2016-3272 (The kernel in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, ...) NOT-FOR-US: Microsoft CVE-2016-3271 (The VBScript engine in Microsoft Edge allows remote attackers to obtai ...) NOT-FOR-US: Microsoft CVE-2016-3270 (The Graphics component in the kernel in Microsoft Windows Vista SP2; W ...) NOT-FOR-US: Microsoft CVE-2016-3269 (The Chakra JavaScript engine in Microsoft Edge allows remote attackers ...) NOT-FOR-US: Microsoft CVE-2016-3268 REJECTED CVE-2016-3267 (Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remo ...) NOT-FOR-US: Microsoft CVE-2016-3266 (The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-3265 (The Chakra JavaScript engine in Microsoft Edge allows remote attackers ...) NOT-FOR-US: Microsoft CVE-2016-3264 (Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remo ...) NOT-FOR-US: Microsoft CVE-2016-3263 (Graphics Device Interface (aka GDI or GDI+) in Microsoft Windows Vista ...) NOT-FOR-US: Microsoft CVE-2016-3262 (Graphics Device Interface (aka GDI or GDI+) in Microsoft Windows Vista ...) NOT-FOR-US: Microsoft CVE-2016-3261 (Microsoft Internet Explorer 11 allows remote attackers to obtain sensi ...) NOT-FOR-US: Microsoft CVE-2016-3260 (The Microsoft (1) JScript 9, (2) VBScript, and (3) Chakra JavaScript e ...) NOT-FOR-US: Microsoft CVE-2016-3259 (The Microsoft (1) JScript 9, (2) VBScript, and (3) Chakra JavaScript e ...) NOT-FOR-US: Microsoft CVE-2016-3258 (Race condition in the kernel in Microsoft Windows 8.1, Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-3257 REJECTED CVE-2016-3256 (Microsoft Windows 10 Gold and 1511 allows local users to bypass the Se ...) NOT-FOR-US: Microsoft CVE-2016-3255 (Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6, and 4.6.1 al ...) NOT-FOR-US: Microsoft CVE-2016-3254 (The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-3253 REJECTED CVE-2016-3252 (The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-3251 (The GDI component in the kernel-mode drivers in Microsoft Windows Vist ...) NOT-FOR-US: Microsoft CVE-2016-3250 (The kernel-mode drivers in Microsoft Windows Server 2012 and Windows 1 ...) NOT-FOR-US: Microsoft CVE-2016-3249 (The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-3248 (The Microsoft (1) JScript 9, (2) VBScript, and (3) Chakra JavaScript e ...) NOT-FOR-US: Microsoft CVE-2016-3247 (Microsoft Internet Explorer 11 and Microsoft Edge allow remote attacke ...) NOT-FOR-US: Microsoft CVE-2016-3246 (Microsoft Edge allows remote attackers to execute arbitrary code or ca ...) NOT-FOR-US: Microsoft CVE-2016-3245 (Microsoft Internet Explorer 9 through 11 allows remote attackers to tr ...) NOT-FOR-US: Microsoft CVE-2016-3244 (Microsoft Edge allows remote attackers to bypass the ASLR protection m ...) NOT-FOR-US: Microsoft CVE-2016-3243 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft CVE-2016-3242 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2016-3241 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2016-3240 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2016-3239 (The Print Spooler service in Microsoft Windows Vista SP2, Windows Serv ...) NOT-FOR-US: Microsoft CVE-2016-3238 (The Print Spooler service in Microsoft Windows Vista SP2, Windows Serv ...) NOT-FOR-US: Microsoft CVE-2016-3237 (Kerberos in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R ...) NOT-FOR-US: Microsoft CVE-2016-3236 (The Web Proxy Auto Discovery (WPAD) protocol implementation in Microso ...) NOT-FOR-US: Microsoft CVE-2016-3235 (Microsoft Visio 2007 SP3, Visio 2010 SP2, Visio 2013 SP1, Visio 2016, ...) NOT-FOR-US: Microsoft CVE-2016-3234 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Office Compat ...) NOT-FOR-US: Microsoft CVE-2016-3233 (Microsoft Excel 2007 SP3, Excel 2010 SP2, and Office Compatibility Pac ...) NOT-FOR-US: Microsoft CVE-2016-3232 (The Virtual PCI (VPCI) virtual service provider in Microsoft Windows S ...) NOT-FOR-US: Microsoft CVE-2016-3231 (The Standard Collector service in Windows Diagnostics Hub mishandles l ...) NOT-FOR-US: Microsoft CVE-2016-3230 (The Search component in Microsoft Windows 7, Windows Server 2008 R2 SP ...) NOT-FOR-US: Microsoft CVE-2016-3229 REJECTED CVE-2016-3228 (Microsoft Windows Server 2008 SP2 and R2 SP1 and Windows Server 2012 G ...) NOT-FOR-US: Microsoft CVE-2016-3227 (Use-after-free vulnerability in the DNS Server component in Microsoft ...) NOT-FOR-US: Microsoft CVE-2016-3226 (Active Directory in Microsoft Windows Server 2008 R2 SP1 and Server 20 ...) NOT-FOR-US: Microsoft CVE-2016-3225 (The SMB server component in Microsoft Windows Vista SP2, Windows Serve ...) NOT-FOR-US: Microsoft CVE-2016-3224 REJECTED CVE-2016-3223 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft CVE-2016-3222 (Microsoft Edge allows remote attackers to execute arbitrary code or ca ...) NOT-FOR-US: Microsoft CVE-2016-3221 (The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-3220 (atmfd.dll in the Adobe Type Manager Font Driver in Microsoft Windows V ...) NOT-FOR-US: Microsoft CVE-2016-3219 (The kernel-mode driver in Microsoft Windows 10 Gold and 1511 allows lo ...) NOT-FOR-US: Microsoft CVE-2016-3218 (The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-3217 REJECTED CVE-2016-3216 (GDI32.dll in the Graphics component in Microsoft Windows Vista SP2, Wi ...) NOT-FOR-US: Microsoft CVE-2016-3215 (Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows 10 151 ...) NOT-FOR-US: Microsoft CVE-2016-3214 (The Chakra JavaScript engine in Microsoft Edge allows remote attackers ...) NOT-FOR-US: Microsoft CVE-2016-3213 (The Web Proxy Auto Discovery (WPAD) protocol implementation in Microso ...) NOT-FOR-US: Microsoft CVE-2016-3212 (The XSS Filter in Microsoft Internet Explorer 9 through 11 does not pr ...) NOT-FOR-US: Microsoft CVE-2016-3211 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2016-3210 (The Microsoft (1) JScript and (2) VBScript engines, as used in Interne ...) NOT-FOR-US: Microsoft CVE-2016-3209 (Graphics Device Interface (aka GDI or GDI+) in Microsoft Windows Vista ...) NOT-FOR-US: Microsoft CVE-2016-3208 REJECTED CVE-2016-3207 (The Microsoft (1) JScript 5.8 and (2) VBScript 5.7 and 5.8 engines, as ...) NOT-FOR-US: Microsoft CVE-2016-3206 (The Microsoft (1) JScript 5.8 and (2) VBScript 5.7 and 5.8 engines, as ...) NOT-FOR-US: Microsoft CVE-2016-3205 (The Microsoft (1) JScript 5.8 and (2) VBScript 5.7 and 5.8 engines, as ...) NOT-FOR-US: Microsoft CVE-2016-3204 (The Microsoft (1) JScript 5.8 and 9 and (2) VBScript 5.7 and 5.8 engin ...) NOT-FOR-US: Microsoft CVE-2016-3203 (Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows 10 Gol ...) NOT-FOR-US: Microsoft CVE-2016-3202 (The Microsoft (1) Chakra JavaScript, (2) JScript, and (3) VBScript eng ...) NOT-FOR-US: Microsoft CVE-2016-3201 (Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows 10 Gol ...) NOT-FOR-US: Microsoft CVE-2016-3200 REJECTED CVE-2016-3199 (The Chakra JavaScript engine in Microsoft Edge allows remote attackers ...) NOT-FOR-US: Microsoft CVE-2016-3198 (Microsoft Edge allows remote attackers to bypass the Content Security ...) NOT-FOR-US: Microsoft CVE-2016-3196 (Cross-site scripting (XSS) vulnerability in Fortinet FortiAnalyzer 5.x ...) NOT-FOR-US: Fortinet CVE-2016-3195 (Cross-site scripting (XSS) vulnerability in the Web-UI in Fortinet For ...) NOT-FOR-US: Fortinet CVE-2016-3194 (Cross-site scripting (XSS) vulnerability in the address added page in ...) NOT-FOR-US: Fortinet CVE-2016-3193 (Cross-site scripting (XSS) vulnerability in the appliance web-applicat ...) NOT-FOR-US: Fortinet CVE-2016-3192 (Cloudera Manager 5.x before 5.7.1 places Sensitive Data in cleartext R ...) NOT-FOR-US: Cloudera CVE-2016-3190 (The fill_xrgb32_lerp_opaque_spans function in cairo-image-compositor.c ...) - cairo 1.14.2-2 [jessie] - cairo 1.14.0-2.1+deb8u1 [wheezy] - cairo (Minor issue) NOTE: https://cgit.freedesktop.org/cairo/patch/src/cairo-image-compositor.c?id=5c82d91a5e15d29b1489dcb413b24ee7fdf59934 CVE-2016-3189 (Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows rem ...) {DLA-1833-1} - bzip2 1.0.6-8.1 (low; bug #827744) [wheezy] - bzip2 (Minor issue) CVE-2016-3188 (The _prepopulate_request_walk function in the Prepopulate module 7.x-2 ...) NOT-FOR-US: Prepopulate module for Drupal CVE-2016-3187 (The Prepopulate module 7.x-2.x before 7.x-2.1 for Drupal allows remote ...) NOT-FOR-US: Prepopulate module for Drupal CVE-2016-3186 (Buffer overflow in the readextension function in gif2tiff.c in LibTIFF ...) {DLA-693-1 DLA-610-1} - tiff 4.0.6-3 (bug #819972) [jessie] - tiff 4.0.3-12.3+deb8u2 - tiff3 (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1319666 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1319503 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2536 NOTE: Proposed patch from Red Hat: https://bugzilla.redhat.com/attachment.cgi?id=1144235&action=diff NOTE: gif2tiff was removed in 4.0.6-3 and DSA 3762, marking as fixed although technically still present in the source package CVE-2016-3185 (The make_http_soap_request function in ext/soap/php_http.c in PHP befo ...) - php7.0 7.0.4-1 NOTE: https://bugs.php.net/bug.php?id=71610 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=eaf4e77190d402ea014207e9a7d5da1a4f3727ba NOTE: http://php.net/ChangeLog-7.php#7.0.4 - php5 5.6.12+dfsg-1 [jessie] - php5 5.6.12+dfsg-0+deb8u1 [wheezy] - php5 5.4.44-0+deb7u1 NOTE: https://git.php.net/?p=php-src.git;a=commitdiff;h=c96d08b27226193dd51f2b50e84272235c6aaa69 NOTE: https://bugs.php.net/bug.php?id=70081 NOTE: Fixed in 5.6.12, 5.5.28, 5.4.44 CVE-2016-3184 RESERVED CVE-2016-3180 (Tor Browser Launcher (aka torbrowser-launcher) before 0.2.4, during th ...) - torbrowser-launcher 0.2.4-1 [jessie] - torbrowser-launcher 0.1.9-1+deb8u3 NOTE: https://github.com/micahflee/torbrowser-launcher/issues/229 CVE-2016-3177 (Multiple use-after-free and double-free vulnerabilities in gifcolor.c ...) - giflib 5.1.4-0.1 (unimportant) [jessie] - giflib (Vulnerable code introduced in 5.1.2) NOTE: https://sourceforge.net/p/giflib/bugs/83/ NOTE: Issue only in gifcolor utility, not installed into giflib-tools NOTE: Issue introduced upstream in 5.1.2 and fixed in 5.1.3. CVE-2016-3176 (Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external ...) - salt 2015.8.8+ds-1 (bug #819184) [jessie] - salt (Minor issue; external_auth not by default usable) NOTE: external_auth seems not usable by default under Jessie due to the NOTE: permissions on /var/run/salt/master. NOTE: https://docs.saltstack.com/en/latest/topics/releases/2015.8.8.html NOTE: https://docs.saltstack.com/en/latest/topics/releases/2015.5.10.html NOTE: https://github.com/saltstack/salt/pull/31826/commits/d73f70ebb289142e4f692359fe741a54f5d2ad65 NOTE: Fixed in 2015.5.10/2015.8.8 upstream CVE-2016-3175 RESERVED CVE-2016-3174 (An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27 ...) NOT-FOR-US: Open-Xchange CVE-2016-3173 (An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27 ...) NOT-FOR-US: Open-Xchange CVE-2016-3161 (For the NVIDIA Quadro, NVS, and GeForce products, GFE GameStream and N ...) NOT-FOR-US: NVIDIA drivers for Windows CVE-2016-3160 RESERVED CVE-2016-3159 (The fpu_fxrstor function in arch/x86/i387.c in Xen 4.x does not proper ...) {DSA-3554-1 DLA-571-1} - xen 4.8.0~rc3-1 (bug #823620) NOTE: http://xenbits.xen.org/xsa/advisory-172.html NOTE: CVE-2016-3159 is for the code change which is applicable for later NOTE: versions only, but which must always be combined with the code change NOTE: for CVE-2016-3158. Ie for the first hunk in xsa172.patch, which NOTE: patches the function fpu_fxrstor. CVE-2016-3158 (The xrstor function in arch/x86/xstate.c in Xen 4.x does not properly ...) {DSA-3554-1 DLA-571-1} - xen 4.8.0~rc3-1 (bug #823620) NOTE: http://xenbits.xen.org/xsa/advisory-172.html NOTE: CVE-2016-3158 is for the code change which is required for all NOTE: versions (but which is sufficient only on Xen 4.3.x, and insufficient NOTE: on later versions). Ie for the second hunk in xsa172.patch (the only NOTE: hunk in xsa172-4.3.patch), which patches the function xrstor. CVE-2016-3157 (The __switch_to function in arch/x86/kernel/process_64.c in the Linux ...) {DSA-3607-1 DLA-516-1} - linux 4.5.1-1 NOTE: http://xenbits.xen.org/xsa/advisory-171.html NOTE: https://git.kernel.org/linus/b7a584598aea7ca73140cb87b40319944dd3393f CVE-2016-3155 (Siemens APOGEE Insight uses weak permissions for the application folde ...) NOT-FOR-US: Siemens APOGEE Insight CVE-2016-XXXX [use-after-free in unserialisation] - hhvm 3.12.1+dfsg-1 NOTE: https://github.com/facebook/hhvm/commit/fd456ffad5d164c1563dc8bd97bcc2f200ff6f69 CVE-2016-6288 (The php_url_parse_ex function in ext/standard/url.c in PHP before 5.5. ...) {DLA-533-1} - hhvm 3.12.1+dfsg-1 - php5 5.6.15+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=70480 NOTE: https://github.com/facebook/hhvm/commit/3fa7e73055855c409d48e8aa1dc416a76d3dd764 NOTE: https://git.php.net/?p=php-src.git;a=commitdiff;h=629e4da7cc8b174acdeab84969cbfc606a019b31 CVE-2014-9767 (Directory traversal vulnerability in the ZipArchive::extractTo functio ...) - hhvm 3.12.1+dfsg-1 - php5 5.6.13+dfsg-1 [jessie] - php5 5.6.13+dfsg-0+deb8u1 [wheezy] - php5 5.4.45-0+deb7u1 NOTE: https://bugs.php.net/bug.php?id=70350 NOTE: https://bugs.php.net/bug.php?id=67996 NOTE: https://github.com/facebook/hhvm/commit/65c95a01541dd2fbc9c978ac53bed235b5376686 CVE-2016-3152 (Barco ClickShare CSC-1 devices with firmware before 01.09.03 allow rem ...) NOT-FOR-US: Barco ClickShare CVE-2016-3151 (Directory traversal vulnerability in the wallpaper parsing functionali ...) NOT-FOR-US: Barco ClickShare CVE-2016-3150 (Cross-site scripting (XSS) vulnerability in wallpaper.php in the Base ...) NOT-FOR-US: Barco ClickShare CVE-2016-3149 (Barco ClickShare CSC-1 devices with firmware before 01.09.03 and CSM-1 ...) NOT-FOR-US: Barco ClickShare CVE-2016-3148 RESERVED CVE-2016-3147 (Buffer overflow in the collector.exe listener of the Landesk Managemen ...) NOT-FOR-US: Landesk Management Suite CVE-2016-3146 RESERVED CVE-2016-3145 (Lexmark printers with firmware ATL before ATL.021.063, CB before CB.02 ...) NOT-FOR-US: Lexmark printers CVE-2016-3144 (Cross-site scripting (XSS) vulnerability in the Block Class module 7.x ...) NOT-FOR-US: Drupal Block Class module CVE-2016-3143 RESERVED CVE-2016-3156 (The IPv4 implementation in the Linux kernel before 4.5.2 mishandles de ...) {DSA-3607-1} - linux 4.5.1-1 [wheezy] - linux (Not a security issue since containers are not supported) NOTE: http://www.openwall.com/lists/oss-security/2016/03/15/3 CVE-2016-3133 RESERVED CVE-2016-3132 (Double free vulnerability in the SplDoublyLinkedList::offsetSet functi ...) - php7.0 7.0.6-1 NOTE: https://bugs.php.net/bug.php?id=71735 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=28a6ed9f9a36b9c517e4a8a429baf4dd382fc5d5 CVE-2016-3131 (Cloudera CDH before 5.6.1 allows authorization bypass via direct inter ...) NOT-FOR-US: Cloudera CVE-2016-3130 (An information disclosure vulnerability in the Core and Management Con ...) NOT-FOR-US: BlackBerry CVE-2016-3129 (A remote shell execution vulnerability in the BlackBerry Good Enterpri ...) NOT-FOR-US: BlackBerry CVE-2016-3128 (A spoofing vulnerability in the Core of BlackBerry Enterprise Server ( ...) NOT-FOR-US: BlackBerry CVE-2016-3127 (An information disclosure vulnerability in the logging implementation ...) NOT-FOR-US: BlackBerry CVE-2016-3126 (Cross-site scripting (XSS) vulnerability in the Management Console in ...) NOT-FOR-US: BlackBerry CVE-2016-3123 RESERVED CVE-2016-3122 RESERVED CVE-2016-3121 RESERVED CVE-2016-3120 (The validate_as_request function in kdc_util.c in the Key Distribution ...) {DLA-1265-1} - krb5 1.14.3+dfsg-1 (bug #832572) [jessie] - krb5 1.12.1+dfsg-19+deb8u3 NOTE: https://github.com/krb5/krb5/commit/93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7 NOTE: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8458 CVE-2016-3119 (The process_db_args function in plugins/kdb/ldap/libkdb_ldap/ldap_prin ...) {DLA-1265-1} - krb5 1.14.2+dfsg-1 (bug #819468) [jessie] - krb5 1.12.1+dfsg-19+deb8u3 NOTE: https://github.com/krb5/krb5/commit/08c642c09c38a9c6454ab43a9b53b2a89b9eef99 CVE-2016-3118 (CRLF injection vulnerability in CA API Gateway (formerly Layer7 API Ga ...) NOT-FOR-US: CA API Gateway CVE-2016-3117 RESERVED CVE-2016-3114 (Kallithea before 0.3.2 allows remote authenticated users to edit or de ...) - kallithea (bug #689573) CVE-2016-3113 (Cross-site scripting (XSS) vulnerability in ovirt-engine allows remote ...) NOT-FOR-US: ovirt-engine CVE-2016-3112 (client/consumer/cli.py in Pulp before 2.8.3 writes consumer private ke ...) NOT-FOR-US: Pulp (Red Hat) CVE-2016-3111 (pulp.spec in the installation process for Pulp 2.8.3 generates the RSA ...) NOT-FOR-US: Pulp (Red Hat) CVE-2016-3110 (mod_cluster, as used in Red Hat JBoss Web Server 2.1, allows remote at ...) - libapache2-mod-cluster (bug #731410) CVE-2016-3109 (The backend/Login/load/ script in Shopware before 5.1.5 allows remote ...) NOT-FOR-US: Shopware CVE-2016-3108 (The pulp-gen-nodes-certificate script in Pulp before 2.8.3 allows loca ...) NOT-FOR-US: Pulp (Red Hat) CVE-2016-3107 (The Node certificate in Pulp before 2.8.3 contains the private key, an ...) NOT-FOR-US: Pulp (Red Hat) CVE-2016-3106 (Pulp before 2.8.3 creates a temporary directory during CA key generati ...) NOT-FOR-US: Pulp (Red Hat) CVE-2016-3105 (The convert extension in Mercurial before 3.8 might allow context-depe ...) {DSA-3570-1 DLA-459-1} - mercurial 3.8.1-1 NOTE: https://selenic.com/hg/rev/a56296f55a5e CVE-2016-3104 (mongod in MongoDB 2.6, when using 2.4-style users, and 2.4 allow remot ...) - mongodb 1:3.2.11-1 [jessie] - mongodb (Minor issue) [wheezy] - mongodb (Minor issue) NOTE: https://jira.mongodb.org/browse/SERVER-24378 NOTE: Marking as fixed with the first 3.x based version in unstable NOTE: This issue though affect only 2.4 (and possibly older), or 2.6 NOTE: installations, but only in circumstances where they first had a NOTE: MongoDB 2.4 installation with authentication enabled, upgraded NOTE: to 2.6, and did not complete a full upgrade CVE-2016-3103 RESERVED CVE-2016-3102 (The Script Security plugin before 1.18.1 in Jenkins might allow remote ...) - jenkins CVE-2016-3101 (Cross-site scripting (XSS) vulnerability in the Extra Columns plugin b ...) - jenkins CVE-2016-3100 (kinit in KDE Frameworks before 5.23.0 uses weak permissions (644) for ...) - kinit 5.23.0-1 (bug #827476) NOTE: https://bugs.kde.org/show_bug.cgi?id=358593 NOTE: https://bugs.kde.org/show_bug.cgi?id=363140 NOTE: https://quickgit.kde.org/?p=kinit.git&a=commitdiff&h=dece8fd89979cd1a86c03bcaceef6e9221e8d8cd NOTE: https://quickgit.kde.org/?p=kinit.git&a=commitdiff&h=72f3702dbe6cf15c06dc13da2c99c864e9022a58 CVE-2016-3099 (mod_ns in Red Hat Enterprise Linux Desktop 7, Red Hat Enterprise Linux ...) - libapache2-mod-nss 1.0.14-1 (bug #822461) [jessie] - libapache2-mod-nss (Vulnerability introduced in 1.0.11) [wheezy] - libapache2-mod-nss (Vulnerability introduced in 1.0.11) NOTE: Introduced in https://git.fedorahosted.org/cgit/mod_nss.git/commit/?id=2d1650900f4d47dc43400d826c0f7e1a7c5229b8 (1.10.11) CVE-2016-3098 RESERVED CVE-2016-3097 (Cross-site scripting (XSS) vulnerability in spacewalk-java in Red Hat ...) NOT-FOR-US: spacewalk-java CVE-2016-3096 (The create_script function in the lxc_container module in Ansible befo ...) - ansible 2.0.1.0-2 (bug #819676) [jessie] - ansible (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1322925 NOTE: https://sources.debian.org/src/ansible/2.0.1.0-1/lib/ansible/modules/extras/cloud/lxc/lxc_container.py/?hl=523#L523 CVE-2016-3095 (server/bin/pulp-gen-ca-certificate in Pulp before 2.8.2 allows local u ...) NOT-FOR-US: Pulp (Red Hat) CVE-2016-3094 (PlainSaslServer.java in Apache Qpid Java before 6.0.3, when the broker ...) - qpid-java (bug #840131) CVE-2016-3093 (Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method re ...) - libstruts1.2-java (Only affects Struts 2.x) NOTE: https://struts.apache.org/docs/s2-034.html CVE-2016-3092 (The MultipartStream class in Apache Commons Fileupload before 1.3.2, a ...) {DSA-3614-1 DSA-3611-1 DSA-3609-1 DLA-529-1 DLA-528-1} - libcommons-fileupload-java 1.3.2-1 - tomcat7 7.0.70-1 - tomcat8 8.0.36-1 - tomcat9 (Fixed before initial upload to Debian) NOTE: Fixed by https://svn.apache.org/r1743480 NOTE: Upstream advisory http://markmail.org/message/oyxfv73jb2g7rjg3 NOTE: https://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3C6223ece6-2b41-ef4f-22f9-d3481e492832@apache.org%3E CVE-2016-3091 (Cloud Foundry Diego 0.1468.0 through 0.1470.0 allows remote attackers ...) NOT-FOR-US: Cloud Foundry Diego CVE-2016-3090 (The TextParseUtil.translateVariables method in Apache Struts 2.x befor ...) - libstruts1.2-java [wheezy] - libstruts1.2-java NOTE: https://struts.apache.org/docs/s2-027.html CVE-2016-3089 (Cross-site scripting (XSS) vulnerability in the SWF panel in Apache Op ...) NOT-FOR-US: Apache OpenMeetings CVE-2016-3088 (The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 al ...) - activemq 5.14.0+dfsg-1 [jessie] - activemq (file server was only enabled in 5.13.2+dfsg-2) [wheezy] - activemq (file server was only enabled in 5.13.2+dfsg-2) NOTE: http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt CVE-2016-3087 (Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2. ...) - libstruts1.2-java (Only affects Struts 2.x) NOTE: https://struts.apache.org/docs/s2-033.html CVE-2016-3086 (The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x bef ...) - hadoop (bug #793644) CVE-2016-3085 (Apache CloudStack 4.5.x before 4.5.2.1, 4.6.x before 4.6.2.1, 4.7.x be ...) NOT-FOR-US: Apache CloudStack CVE-2016-3084 (The UAA reset password flow in Cloud Foundry release v236 and earlier ...) NOT-FOR-US: Cloud Foundry CVE-2016-3083 (Apache Hive (JDBC + HiveServer2) implements SSL for plain TCP and HTTP ...) NOT-FOR-US: Apache Hive CVE-2016-3082 (XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.2 ...) - libstruts1.2-java (Only affects Struts 2.x) NOTE: https://struts.apache.org/docs/s2-031.html CVE-2016-3081 (Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2. ...) - libstruts1.2-java (Only affects Struts 2.x) NOTE: https://struts.apache.org/docs/s2-032.html CVE-2016-3080 (Cross-site scripting (XSS) vulnerability in spacewalk-java in Red Hat ...) NOT-FOR-US: Red Hat Satellite / Spacewalk / spacewalk-monitoring CVE-2016-3079 (Multiple cross-site scripting (XSS) vulnerabilities in the Web UI in S ...) NOT-FOR-US: Red Hat Satellite / Spacewalk CVE-2016-3078 (Multiple integer overflows in php_zip.c in the zip extension in PHP be ...) - php7.0 7.0.6-1 NOTE: http://www.openwall.com/lists/oss-security/2016/04/28/1 NOTE: Fixed in 7.0.6 NOTE: https://bugs.php.net/bug.php?id=71923 CVE-2016-3077 (The VersionMapper.fromKernelVersionString method in oVirt Engine allow ...) NOT-FOR-US: ovirt-engine CVE-2016-3076 (Heap-based buffer overflow in the j2k_encode_entry function in Pillow ...) - pillow (unimportant) - python-imaging (unimportant) NOTE: https://github.com/python-pillow/Pillow/commit/a1f244343df389cf15cdfff80327594821097295 (3.1.2) NOTE: Marked as unimportant since source vulnerable but in Debian we do NOTE: not built against openjpeg by default CVE-2016-3075 (Stack-based buffer overflow in the nss_dns implementation of the getne ...) {DLA-494-1} - glibc 2.22-6 [jessie] - glibc 2.19-18+deb8u5 - eglibc [wheezy] - eglibc (Minor issue, can be fixed via point release) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=19879 CVE-2016-3074 (Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or li ...) {DSA-3602-1 DSA-3556-1} - libgd2 2.1.1-4.1 (bug #822242) - php5 5.6.21+dfsg-1 (unimportant) - php7.0 7.0.6-1 (unimportant) - hhvm 3.12.11+dfsg-1 (unimportant) NOTE: HHVM implements additional sanity checks, not directly epxloitable NOTE: PoC: https://github.com/dyntopia/exploits/tree/master/CVE-2016-3074 NOTE: Upstream fix: https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19 NOTE: Starting with 5.4.0-1 Debian uses the system copy of libgd NOTE: PHP bug: https://bugs.php.net/bug.php?id=71912 NOTE: HHVM fix: https://github.com/facebook/hhvm/commit/29a6487d648d1593e1e2fa615d9b3a844756ddc3 CVE-2016-3073 REJECTED CVE-2016-3072 (Multiple SQL injection vulnerabilities in the scoped_search function i ...) NOT-FOR-US: Katello CVE-2016-3071 (Libreswan 3.16 might allow remote attackers to cause a denial of servi ...) - libreswan (Fixed before initial upload to Debian) NOTE: https://lists.libreswan.org/pipermail/swan-announce/2016/000019.html CVE-2016-3070 (The trace_writeback_dirty_page implementation in include/trace/events/ ...) {DSA-3607-1} - linux 4.4.2-1 [wheezy] - linux (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1306851 NOTE: https://git.kernel.org/linus/42cb14b110a5698ccf26ce59c4441722605a3743 (v4.4-rc1) CVE-2016-3069 (Mercurial before 3.7.3 allows remote attackers to execute arbitrary co ...) {DSA-3542-1} - mercurial 3.7.3-1 (bug #819504) NOTE: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29 NOTE: https://selenic.com/repo/hg-stable/rev/197eed39e3d5 (1/5) NOTE: https://selenic.com/repo/hg-stable/rev/cdda7b96afff (2/5) NOTE: https://selenic.com/repo/hg-stable/rev/b732e7f2aba4 (3/5) NOTE: https://selenic.com/repo/hg-stable/rev/80cac1de6aea (4/5) NOTE: https://selenic.com/repo/hg-stable/rev/ae279d4a19e9 (5/5) CVE-2016-3068 (Mercurial before 3.7.3 allows remote attackers to execute arbitrary co ...) {DSA-3542-1} - mercurial 3.7.3-1 (bug #819504) NOTE: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29 NOTE: https://selenic.com/repo/hg-stable/rev/34d43cb85de8 CVE-2016-3067 (Cygwin before 2.5.0 does not properly handle updating permissions when ...) NOT-FOR-US: Cygwin CVE-2016-3066 (The spice-gtk widget allows remote authenticated users to obtain infor ...) - spice-gtk (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1320263 NOTE: Hardly a security issue per se, but a design limitation/risky feature NOTE: It's up to applications using spice-gtk to use it as appropriate CVE-2016-3065 (The (1) brin_page_type and (2) brin_metapage_info functions in the pag ...) - postgresql-9.5 9.5.2-1 - postgresql-9.4 (Only affects 9.5.x) - postgresql-9.1 (Only affects 9.5.x) - postgresql-8.4 (Only affects 9.5.x) NOTE: http://www.postgresql.org/about/news/1656/ NOTE: http://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=bf78a6f107949fdfb513d1b45e30cefe04e09e4f CVE-2016-XXXX [fscanf format string security bug in flashrom layout code] - flashrom 0.9.9+r1954-1 (unimportant) [wheezy] - flashrom (Minor issue) NOTE: https://www.flashrom.org/pipermail/flashrom/2016-March/014523.html NOTE: Neutralised by hardening CVE-2016-3183 (The sycc422_t_rgb function in common/color.c in OpenJPEG before 2.1.1 ...) - openjpeg2 2.1.1-1 (low; bug #818399) [jessie] - openjpeg2 (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2016/03/14/14 NOTE: https://github.com/uclouvain/openjpeg/issues/726 CVE-2016-3182 (The color_esycc_to_rgb function in bin/common/color.c in OpenJPEG befo ...) - openjpeg2 2.1.1-1 [jessie] - openjpeg2 (Vulnerable code not yet present in 2.1.0) NOTE: http://www.openwall.com/lists/oss-security/2016/03/14/13 NOTE: https://github.com/uclouvain/openjpeg/issues/725 CVE-2016-3181 REJECTED CVE-2016-3140 (The digi_port_init function in drivers/usb/serial/digi_acceleport.c in ...) {DSA-3607-1 DLA-516-1} - linux 4.5.1-1 (low) NOTE: http://seclists.org/bugtraq/2016/Mar/61 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283378 NOTE: https://marc.info/?l=linux-usb&m=145796765030590&w=2 CVE-2016-3139 (The wacom_probe function in drivers/input/tablet/wacom_sys.c in the Li ...) - linux 4.0.2-1 (low) [jessie] - linux (Minor issue) [wheezy] - linux (Minor issue) NOTE: http://seclists.org/bugtraq/2016/Mar/60 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283375 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283377 CVE-2016-3138 (The acm_probe function in drivers/usb/class/cdc-acm.c in the Linux ker ...) {DSA-3607-1 DLA-516-1} - linux 4.5.1-1 (low) NOTE: http://seclists.org/bugtraq/2016/Mar/54 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283366 NOTE: http://marc.info/?l=linux-usb&m=145803342320160&w=2 CVE-2016-3137 (drivers/usb/serial/cypress_m8.c in the Linux kernel before 4.5.1 allow ...) {DSA-3607-1 DLA-516-1} - linux 4.5.1-1 (low) NOTE: http://seclists.org/bugtraq/2016/Mar/55 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283368 CVE-2016-3136 (The mct_u232_msr_to_state function in drivers/usb/serial/mct_u232.c in ...) {DSA-3607-1 DLA-516-1} - linux 4.5.1-1 (low) NOTE: http://seclists.org/bugtraq/2016/Mar/57 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283370 CVE-2016-3125 (The mod_tls module in ProFTPD before 1.3.5b and 1.3.6 before 1.3.6rc2 ...) - proftpd-dfsg 1.3.5b-1 (bug #818492) [jessie] - proftpd-dfsg 1.3.5-1.1+deb8u2 [wheezy] - proftpd-dfsg (Minor issue; can be fixed in point release) NOTE: http://bugs.proftpd.org/show_bug.cgi?id=4230 NOTE: Fixed in 1.3.6rc2, 1.3.5b. CVE-2016-3064 (NetApp Clustered Data ONTAP before 8.2.4P4 and 8.3.x before 8.3.2P2 al ...) NOT-FOR-US: NetApp CVE-2016-3063 (Multiple functions in NetApp OnCommand System Manager before 8.3.2 do ...) NOT-FOR-US: NetApp CVE-2016-3062 (The mov_read_dref function in libavformat/mov.c in Libav before 11.7 a ...) {DSA-3603-1 DLA-515-1} - libav NOTE: https://git.libav.org/?p=libav.git;a=commit;h=7e01d48cfd168c3dfc663f03a3b6a98e0ecba328 NOTE: https://git.libav.org/?p=libav.git;a=commit;h=5fdcbc4a7cd81114a9f47bcb3040ca510bd6360d (11.7) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=929 - ffmpeg 7:2.4.1-1 NOTE: https://github.com/FFmpeg/FFmpeg/commit/689e59b7ffed34eba6159dcc78e87133862e3746 (n0.11) CVE-2016-3061 RESERVED CVE-2016-3060 (Payments Director in IBM Financial Transaction Manager (FTM) for ACH S ...) NOT-FOR-US: IBM CVE-2016-3059 (IBM Tivoli Storage Manager for Databases: Data Protection for Microsof ...) NOT-FOR-US: IBM CVE-2016-3058 RESERVED CVE-2016-3057 (Cross-site scripting (XSS) vulnerability in IBM Sterling B2B Integrato ...) NOT-FOR-US: IBM CVE-2016-3056 (Cross-site scripting (XSS) vulnerability in Business Space in IBM Busi ...) NOT-FOR-US: IBM CVE-2016-3055 (IBM FileNet Workplace 4.0.2 before 4.0.2.14 LA012 allows remote authen ...) NOT-FOR-US: IBM CVE-2016-3054 (Cross-site scripting (XSS) vulnerability in IBM FileNet Workplace 4.0. ...) NOT-FOR-US: IBM CVE-2016-3053 (IBM AIX contains an unspecified vulnerability that would allow a local ...) NOT-FOR-US: IBM CVE-2016-3052 (Under non-standard configurations, IBM WebSphere MQ might send passwor ...) NOT-FOR-US: IBM CVE-2016-3051 (IBM Security Access Manager for Web 9.0.0 could allow an authenticated ...) NOT-FOR-US: IBM CVE-2016-3050 RESERVED CVE-2016-3049 (IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 is vulnerable to HTML inj ...) NOT-FOR-US: IBM CVE-2016-3048 (IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 is vulnerable to cross-si ...) NOT-FOR-US: IBM CVE-2016-3047 (Open redirect vulnerability in IBM FileNet Workplace 4.0.2 through 4.0 ...) NOT-FOR-US: IBM CVE-2016-3046 (IBM Security Access Manager for Web is vulnerable to SQL injection. A ...) NOT-FOR-US: IBM CVE-2016-3045 (IBM Security Access Manager for Web stores sensitive information in UR ...) NOT-FOR-US: IBM CVE-2016-3044 (The Linux kernel component in IBM PowerKVM 2.1 before 2.1.1.3-65.10 an ...) - linux 4.4.6-1 [jessie] - linux 3.16.36-1 [wheezy] - linux (Vulnerable code introduced later) NOTE: https://www-01.ibm.com/support/docview.wss?uid=isg3T1023969 NOTE: http://www.securityfocus.com/bid/92123/info CVE-2016-3043 (IBM Security Access Manager for Web could allow a remote attacker to o ...) NOT-FOR-US: IBM CVE-2016-3042 (Cross-site scripting (XSS) vulnerability in the Web UI in IBM WebSpher ...) NOT-FOR-US: IBM CVE-2016-3041 RESERVED CVE-2016-3040 (IBM WebSphere Application Server (WAS) Liberty, as used in IBM Securit ...) NOT-FOR-US: IBM CVE-2016-3039 (IBM Traveler 8.x and 9.x before 9.0.1.12 allows remote authenticated u ...) NOT-FOR-US: IBM CVE-2016-3038 (IBM Cognos TM1 10.1 and 10.2 is vulnerable to cross-site scripting. Th ...) NOT-FOR-US: IBM CVE-2016-3037 (IBM Cognos TM1 10.1 and 10.2 provides a service to return the victim's ...) NOT-FOR-US: IBM CVE-2016-3036 (IBM Cognos TM1 10.1 and 10.2 is vulnerable to a denial of service, cau ...) NOT-FOR-US: IBM CVE-2016-3035 (IBM AppScan Source could reveal some sensitive information through the ...) NOT-FOR-US: IBM CVE-2016-3034 (IBM AppScan Source uses a one-way hash without salt to encrypt highly ...) NOT-FOR-US: IBM CVE-2016-3033 (IBM AppScan Source 8.7 through 9.0.3.3 allows remote authenticated use ...) NOT-FOR-US: IBM CVE-2016-3032 (IBM Cognos Analytics 11.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2016-3031 (IBM Cognos Analytics 11.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2016-3030 RESERVED CVE-2016-3029 (IBM Security Access Manager for Web is vulnerable to cross-site reques ...) NOT-FOR-US: IBM CVE-2016-3028 (IBM Security Access Manager for Web 7.0 before IF2 and 8.0 before 8.0. ...) NOT-FOR-US: IBM CVE-2016-3027 (IBM Security Access Manager for Web is vulnerable to a denial of servi ...) NOT-FOR-US: IBM CVE-2016-3026 RESERVED CVE-2016-3025 (IBM Security Access Manager for Mobile 8.x before 8.0.1.4 IF3 and Secu ...) NOT-FOR-US: IBM CVE-2016-3024 (IBM Security Access Manager for Web allows web pages to be stored loca ...) NOT-FOR-US: IBM CVE-2016-3023 (IBM Security Access Manager for Web could allow an unauthenticated use ...) NOT-FOR-US: IBM CVE-2016-3022 (IBM Security Access Manager for Web could allow an authenticated user ...) NOT-FOR-US: IBM CVE-2016-3021 (IBM Security Access Manager for Web could allow an authenticated attac ...) NOT-FOR-US: IBM CVE-2016-3020 (IBM Security Access Manager for Web 7.0.0, 8.0.0, and 9.0.0 could allo ...) NOT-FOR-US: IBM CVE-2016-3019 (IBM Security Access Manager for Web 9.0.0 uses weaker than expected cr ...) NOT-FOR-US: IBM CVE-2016-3018 (IBM Security Access Manager for Web is vulnerable to cross-site script ...) NOT-FOR-US: IBM CVE-2016-3017 (IBM Security Access Manager for Web could allow a remote attacker to o ...) NOT-FOR-US: IBM CVE-2016-3016 (IBM Security Access Manager for Web processes patches, image backups a ...) NOT-FOR-US: IBM CVE-2016-3015 (IBM Cognos Analytics 11.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2016-3014 (Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative ...) NOT-FOR-US: IBM CVE-2016-3013 (IBM WebSphere MQ 8.0 could allow an authenticated user to crash the MQ ...) NOT-FOR-US: IBM CVE-2016-3012 (IBM API Connect (aka APIConnect) before 5.0.3.0 with NPM before 2.2.8 ...) NOT-FOR-US: IBM CVE-2016-3011 RESERVED CVE-2016-3010 (Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connecti ...) NOT-FOR-US: IBM CVE-2016-3009 (Cross-site request forgery (CSRF) vulnerability in IBM Connections 4.0 ...) NOT-FOR-US: IBM CVE-2016-3008 (Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connecti ...) NOT-FOR-US: IBM CVE-2016-3007 (Cross-site request forgery (CSRF) vulnerability in IBM Connections 4.x ...) NOT-FOR-US: IBM CVE-2016-3006 (Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connecti ...) NOT-FOR-US: IBM CVE-2016-3005 (Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connecti ...) NOT-FOR-US: IBM CVE-2016-3004 (Cross-site request forgery (CSRF) vulnerability in IBM Connections 4.0 ...) NOT-FOR-US: IBM CVE-2016-3003 (Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connecti ...) NOT-FOR-US: IBM CVE-2016-3002 (IBM Connections 4.0 through CR4, 4.5 through CR5, and 5.0 before CR4 a ...) NOT-FOR-US: IBM CVE-2016-3001 (Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connecti ...) NOT-FOR-US: IBM CVE-2016-3000 (The help service in IBM Connections 4.x through 4.5 CR5, 5.0 before CR ...) NOT-FOR-US: IBM CVE-2016-2999 (IBM Connections 4.x through 4.5 CR5, 5.0 before CR4, and 5.5 before CR ...) NOT-FOR-US: IBM CVE-2016-2998 (Cross-site request forgery (CSRF) vulnerability in IBM Connections 4.0 ...) NOT-FOR-US: IBM CVE-2016-2997 (Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connecti ...) NOT-FOR-US: IBM CVE-2016-2996 (IBM Security Privileged Identity Manager 2.0 before 2.0.2 FP8, when Vi ...) NOT-FOR-US: IBM CVE-2016-2995 (Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connecti ...) NOT-FOR-US: IBM CVE-2016-2994 (Cross-site scripting (XSS) vulnerability in IBM UrbanCode Deploy 6.2.x ...) NOT-FOR-US: IBM CVE-2016-2993 RESERVED CVE-2016-2992 (IBM Infosphere BigInsights is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2016-2991 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Lotus Prote ...) NOT-FOR-US: IBM CVE-2016-2990 RESERVED CVE-2016-2989 (Open redirect vulnerability in the Connections Portlets component 5.x ...) NOT-FOR-US: IBM CVE-2016-2988 (IBM Tivoli Storage Manger for Virtual Environments: Data Protection fo ...) NOT-FOR-US: IBM CVE-2016-2987 (An undisclosed vulnerability in CLM applications may result in some ad ...) NOT-FOR-US: IBM CVE-2016-2986 (Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative ...) NOT-FOR-US: IBM CVE-2016-2985 (IBM Spectrum Scale 4.1.1.x before 4.1.1.8 and 4.2.x before 4.2.0.4 and ...) NOT-FOR-US: IBM CVE-2016-2984 (IBM Spectrum Scale 4.1.1.x before 4.1.1.8 and 4.2.x before 4.2.0.4 and ...) NOT-FOR-US: IBM CVE-2016-2983 (IBM Tealeaf Customer Experience 8.7, 8.8, and 9.0.2 could allow a remo ...) NOT-FOR-US: IBM Tealeaf Customer Experience CVE-2016-2982 RESERVED CVE-2016-2981 (An undisclosed vulnerability in the CLM applications in IBM Jazz Team ...) NOT-FOR-US: IBM CVE-2016-2980 (The Sametime WebPlayer 8.5.2 and 9.0 is vulnerable to a script injecti ...) NOT-FOR-US: IBM CVE-2016-2979 (IBM Sametime Meeting Server 8.5.2 and 9.0 is vulnerable to cross-site ...) NOT-FOR-US: IBM CVE-2016-2978 (IBM Sametime 8.5.2 and 9.0 could store potentially sensitive informati ...) NOT-FOR-US: IBM CVE-2016-2977 (IBM Sametime Meeting Server 8.5.2 and 9.0 could allow a malicious user ...) NOT-FOR-US: IBM CVE-2016-2976 (IBM Sametime Meeting Server 8.5.2 and 9.0 could allow a meeting invite ...) NOT-FOR-US: IBM CVE-2016-2975 (IBM Sametime 8.5.2 and 9.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2016-2974 (IBM Sametime Connect 8.5.2 and 9.0, after uninstalling the Sametime Ri ...) NOT-FOR-US: IBM CVE-2016-2973 (IBM Sametime Media Services 8.5.2 and 9.0 is vulnerable to cross-site ...) NOT-FOR-US: IBM CVE-2016-2972 (IBM Sametime Meeting Server 8.5.2 and 9.0 could store credentials of t ...) NOT-FOR-US: IBM CVE-2016-2971 (IBM Sametime Media Services 8.5.2 and 9.0 can disclose sensitive infor ...) NOT-FOR-US: IBM CVE-2016-2970 (IBM Sametime 8.5 and 9.0 meetings server may provide detailed informat ...) NOT-FOR-US: IBM CVE-2016-2969 (IBM Sametime Meeting Server 8.5.2 and 9.0 may send replies that contai ...) NOT-FOR-US: IBM CVE-2016-2968 (IBM Security QRadar Incident Forensics 7.2.x before 7.2.7 allows remot ...) NOT-FOR-US: IBM CVE-2016-2967 (IBM Sametime 8.5.2 and 9.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2016-2966 (IBM Sametime 8.5.1 and 9.0 could allow an authenticated user to enumer ...) NOT-FOR-US: IBM CVE-2016-2965 (IBM Sametime Meeting Server 8.5.2 and 9.0 is vulnerable to cross-site ...) NOT-FOR-US: IBM CVE-2016-2964 (IBM Sametime 8.5.2 and 9.0 under certain conditions provides an error ...) NOT-FOR-US: IBM CVE-2016-2963 (Cross-site request forgery (CSRF) vulnerability in IBM BigFix Remote C ...) NOT-FOR-US: IBM CVE-2016-2962 RESERVED CVE-2016-2961 (The integration server in IBM Integration Bus 9 before 9.0.0.6 and 10 ...) NOT-FOR-US: IBM CVE-2016-2960 (IBM WebSphere Application Server (WAS) 7.x before 7.0.0.43, 8.0.0.x be ...) NOT-FOR-US: IBM CVE-2016-2959 (IBM Sametime Meeting Server 8.5.2 and 9.0 could allow a meeting room m ...) NOT-FOR-US: IBM CVE-2016-2958 (IBM Connections 4.0 through CR4, 4.5 through CR5, and 5.0 before CR4 a ...) NOT-FOR-US: IBM CVE-2016-2957 (IBM Connections 4.0 through CR4, 4.5 through CR5, and 5.0 before CR4 a ...) NOT-FOR-US: IBM CVE-2016-2956 (Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connecti ...) NOT-FOR-US: IBM CVE-2016-2955 (Cross-site scripting (XSS) vulnerability in IBM Connections 5.0 before ...) NOT-FOR-US: IBM CVE-2016-2954 (Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connecti ...) NOT-FOR-US: IBM CVE-2016-2953 (IBM Connections 4.0 through CR4, 4.5 through CR5, and 5.0 before CR4 d ...) NOT-FOR-US: IBM CVE-2016-2952 (IBM BigFix Remote Control before 9.1.3 does not enable the HSTS protec ...) NOT-FOR-US: IBM CVE-2016-2951 (IBM BigFix Remote Control before 9.1.3 does not properly set the defau ...) NOT-FOR-US: IBM CVE-2016-2950 (SQL injection vulnerability in IBM BigFix Remote Control before 9.1.3 ...) NOT-FOR-US: IBM CVE-2016-2949 (IBM BigFix Remote Control before 9.1.3 allows local users to obtain se ...) NOT-FOR-US: IBM CVE-2016-2948 (IBM BigFix Remote Control before 9.1.3 allows local users to discover ...) NOT-FOR-US: IBM CVE-2016-2947 (IBM Rational Collaborative Lifecycle Management 4.0 before 4.0.7 iFix1 ...) NOT-FOR-US: IBM CVE-2016-2946 (Stack-based buffer overflow in the ax Shared Libraries in the Agent in ...) NOT-FOR-US: IBM CVE-2016-2945 (The API Discovery implementation in IBM WebSphere Application Server ( ...) NOT-FOR-US: IBM CVE-2016-2944 (IBM BigFix Remote Control before 9.1.3 does not properly restrict fail ...) NOT-FOR-US: IBM CVE-2016-2943 (IBM BigFix Remote Control before 9.1.3 allows local users to obtain se ...) NOT-FOR-US: IBM CVE-2016-2942 (IBM UrbanCode Deploy could allow an authenticated attacker with specia ...) NOT-FOR-US: IBM CVE-2016-2941 (IBM UrbanCode Deploy creates temporary files during step execution tha ...) NOT-FOR-US: IBM CVE-2016-2940 (Multiple unspecified vulnerabilities in IBM BigFix Remote Control befo ...) NOT-FOR-US: IBM CVE-2016-2939 (IBM iNotes is vulnerable to cross-site scripting. This vulnerability a ...) NOT-FOR-US: IBM CVE-2016-2938 (IBM iNotes is vulnerable to cross-site scripting. This vulnerability a ...) NOT-FOR-US: IBM CVE-2016-2937 (IBM BigFix Remote Control before 9.1.3 allows remote attackers to obta ...) NOT-FOR-US: IBM CVE-2016-2936 (IBM BigFix Remote Control before 9.1.3 uses cleartext storage for unsp ...) NOT-FOR-US: IBM CVE-2016-2935 (The broker application in IBM BigFix Remote Control before 9.1.3 allow ...) NOT-FOR-US: IBM CVE-2016-2934 (Cross-site scripting (XSS) vulnerability in IBM BigFix Remote Control ...) NOT-FOR-US: IBM CVE-2016-2933 (Directory traversal vulnerability in IBM BigFix Remote Control before ...) NOT-FOR-US: IBM CVE-2016-2932 (IBM BigFix Remote Control before 9.1.3 allows remote attackers to cond ...) NOT-FOR-US: IBM CVE-2016-2931 (IBM BigFix Remote Control before 9.1.3 allows remote attackers to obta ...) NOT-FOR-US: IBM CVE-2016-2930 (IBM BigFix Remote Control 9.1.3 could allow a remote attacker to perfo ...) NOT-FOR-US: IBM CVE-2016-2929 (IBM BigFix Remote Control before 9.1.3 does not properly restrict pass ...) NOT-FOR-US: IBM CVE-2016-2928 (IBM BigFix Remote Control before 9.1.3 allows remote authenticated use ...) NOT-FOR-US: IBM CVE-2016-2927 (IBM BigFix Remote Control before 9.1.3 does not properly restrict the ...) NOT-FOR-US: IBM CVE-2016-2926 (Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative ...) NOT-FOR-US: IBM CVE-2016-2925 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 6.1.0 ...) NOT-FOR-US: IBM CVE-2016-2924 (IBM Infosphere BigInsights is vulnerable to cross-site scripting, caus ...) NOT-FOR-US: IBM CVE-2016-2923 (IBM WebSphere Application Server (WAS) 8.5 through 8.5.5.9 Liberty bef ...) NOT-FOR-US: IBM CVE-2016-2922 (IBM Rational ClearQuest 8.0 through 8.0.1.9 and 9.0 through 9.0.1.3 (C ...) NOT-FOR-US: IBM Rational ClearQuest CVE-2016-2921 RESERVED CVE-2016-2920 RESERVED CVE-2016-2919 RESERVED CVE-2016-2918 RESERVED CVE-2016-2917 (The notifications component in IBM TRIRIGA Applications 10.4 and 10.5 ...) NOT-FOR-US: IBM CVE-2016-2916 RESERVED CVE-2016-2915 RESERVED CVE-2016-2914 (Unrestricted file upload vulnerability in the Document Builder in IBM ...) NOT-FOR-US: IBM CVE-2016-2913 RESERVED CVE-2016-2912 (Cross-site scripting (XSS) vulnerability in the Document Builder in IB ...) NOT-FOR-US: IBM CVE-2016-2911 RESERVED CVE-2016-2910 RESERVED CVE-2016-2909 RESERVED CVE-2016-2908 (IBM Single Sign On for Bluemix could allow a remote attacker to obtain ...) NOT-FOR-US: IBM CVE-2016-2907 RESERVED CVE-2016-2906 RESERVED CVE-2016-2905 RESERVED CVE-2016-2904 RESERVED CVE-2016-2903 RESERVED CVE-2016-2902 RESERVED CVE-2016-2901 (Cross-site request forgery (CSRF) vulnerability in the PA_Theme_Creato ...) NOT-FOR-US: IBM CVE-2016-2900 RESERVED CVE-2016-2899 RESERVED CVE-2016-2898 RESERVED CVE-2016-2897 RESERVED CVE-2016-2896 RESERVED CVE-2016-2895 RESERVED CVE-2016-2894 (IBM Spectrum Protect (formerly Tivoli Storage Manager) 5.5 through 6.3 ...) NOT-FOR-US: IBM CVE-2016-2893 RESERVED CVE-2016-2892 RESERVED CVE-2016-2891 RESERVED CVE-2016-2890 RESERVED CVE-2016-2889 (Cross-site request forgery (CSRF) vulnerability in the Report Builder ...) NOT-FOR-US: IBM CVE-2016-2888 (Cross-site scripting (XSS) vulnerability in the Report Builder and Dat ...) NOT-FOR-US: IBM CVE-2016-2887 (IBM IMS Enterprise Suite Data Provider before 3.2.0.1 for Microsoft .N ...) NOT-FOR-US: IBM CVE-2016-2886 RESERVED CVE-2016-2885 RESERVED CVE-2016-2884 (Cross-site request forgery (CSRF) vulnerability in IBM Forms Experienc ...) NOT-FOR-US: IBM CVE-2016-2883 (Cross-site scripting (XSS) vulnerability in IBM TRIRIGA Application Pl ...) NOT-FOR-US: IBM CVE-2016-2882 (IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2. ...) NOT-FOR-US: IBM CVE-2016-2881 (IBM QRadar SIEM 7.1 before MR2 Patch 13 and 7.2 before 7.2.7 and QRada ...) NOT-FOR-US: IBM CVE-2016-2880 (IBM QRadar 7.2 stores the encryption key used to encrypt the service a ...) NOT-FOR-US: IBM CVE-2016-2879 (IBM QRadar 7.2 uses outdated hashing algorithms to hash certain passwo ...) NOT-FOR-US: IBM CVE-2016-2878 (Multiple cross-site request forgery (CSRF) vulnerabilities in IBM QRad ...) NOT-FOR-US: IBM CVE-2016-2877 (IBM QRadar SIEM 7.1 before MR2 Patch 13 and 7.2 before 7.2.7 uses weak ...) NOT-FOR-US: IBM CVE-2016-2876 (IBM QRadar SIEM 7.1 before MR2 Patch 13 and 7.2 before 7.2.7 executes ...) NOT-FOR-US: IBM CVE-2016-2875 (IBM Security QRadar SIEM 7.1.x and 7.2.x before 7.2.7 allows remote au ...) NOT-FOR-US: IBM CVE-2016-2874 (IBM QRadar SIEM 7.1 before MR2 Patch 13 and 7.2 before 7.2.7 mishandle ...) NOT-FOR-US: IBM CVE-2016-2873 (SQL injection vulnerability in IBM QRadar SIEM 7.1 before MR2 Patch 13 ...) NOT-FOR-US: IBM CVE-2016-2872 (Directory traversal vulnerability in IBM Security QRadar SIEM 7.2.x be ...) NOT-FOR-US: IBM CVE-2016-2871 (IBM QRadar SIEM 7.1 before MR2 Patch 13 and 7.2 before 7.2.7 uses clea ...) NOT-FOR-US: IBM CVE-2016-2870 (Buffer overflow in the CLI on IBM WebSphere DataPower XC10 appliances ...) NOT-FOR-US: IBM CVE-2016-2869 (Multiple cross-site scripting (XSS) vulnerabilities in the UI in IBM Q ...) NOT-FOR-US: IBM CVE-2016-2868 (IBM Security QRadar SIEM 7.2.x before 7.2.7 allows remote authenticate ...) NOT-FOR-US: IBM CVE-2016-2867 (IBM InfoSphere Streams before 4.0.1.2 and IBM Streams before 4.1.1.1 d ...) NOT-FOR-US: IBM CVE-2016-2866 (An unspecified vulnerability in IBM Jazz Team Server may disclose some ...) NOT-FOR-US: IBM CVE-2016-2865 (The GIT Integration component in IBM Rational Team Concert (RTC) 5.x b ...) NOT-FOR-US: IBM CVE-2016-2864 (Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative ...) NOT-FOR-US: IBM CVE-2016-2863 (Cross-site request forgery (CSRF) vulnerability in IBM WebSphere Comme ...) NOT-FOR-US: IBM CVE-2016-2862 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Commerce 6.0 ...) NOT-FOR-US: IBM CVE-2016-2861 (IBM WebSphere eXtreme Scale 7.1.0 before 7.1.0.3, 7.1.1 before 7.1.1.1 ...) NOT-FOR-US: IBM CVE-2016-2860 (The newEntry function in ptserver/ptprocs.c in OpenAFS before 1.6.17 a ...) {DSA-3569-1 DLA-493-1} - openafs 1.6.17-1 NOTE: http://git.openafs.org/?p=openafs.git;a=commitdiff;h=396240cf070a806b91fea81131d034e1399af1e0 NOTE: http://rt.central.org/rt/Ticket/Display.html?id=132822 (currently not public) CVE-2016-3154 (The encoder_contexte_ajax function in ecrire/inc/filtres.php in SPIP 2 ...) {DSA-3518-1} - spip 3.0.22-1 NOTE: http://www.openwall.com/lists/oss-security/2016/03/15/2 NOTE: patch https://core.spip.net/projects/spip/repository/revisions/22903 CVE-2016-3153 (SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 al ...) {DSA-3518-1} - spip 3.0.22-1 NOTE: http://www.openwall.com/lists/oss-security/2016/03/15/2 NOTE: patch https://core.spip.net/projects/spip/repository/revisions/22911 CVE-2016-XXXX [Cross-site scripting (XSS) vulnerability in cgit's "txt2html" filter] - cgit 0.12.0.git2.7.0-1 [jessie] - cgit 0.10.2.git2.0.1-3+deb8u1 NOTE: https://git.zx2c4.com/cgit/commit/filters/html-converters/txt2html?id=13c2d3df0440ce04273de3149631a9bd97490c6e NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/03/05/8 CVE-2016-3172 (SQL injection vulnerability in tree.php in Cacti 0.8.8g and earlier al ...) {DLA-560-1} - cacti 0.8.8g+ds1-2 (bug #818647) [jessie] - cacti 0.8.8b+dfsg-8+deb8u5 NOTE: http://bugs.cacti.net/view.php?id=2667 NOTE: http://www.openwall.com/lists/oss-security/2016/03/10/13 NOTE: Requires authenticated user CVE-2016-3116 (CRLF injection vulnerability in Dropbear SSH before 2016.72 allows rem ...) - dropbear 2016.72-1 [jessie] - dropbear 2014.65-1+deb8u1 [wheezy] - dropbear (Minor issue) NOTE: https://matt.ucc.asn.au/dropbear/CHANGES NOTE: Fixed in 2016.72 upstream CVE-2016-3115 (Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSS ...) {DLA-1500-1} - openssh 1:7.2p2-1 [wheezy] - openssh (Minor issue) NOTE: http://www.openssh.com/txt/x11fwd.adv NOTE: Portable OpenSSH 7.2p2 contains a fix for this vulnerability. NOTE: http://www.openwall.com/lists/oss-security/2016/03/10/8 NOTE: Upstream fix: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c.diff?r1=1.281&r2=1.282&sortby=date&f=h CVE-2016-3134 (The netfilter subsystem in the Linux kernel through 4.5.2 does not val ...) {DSA-3607-1 DLA-516-1} - linux 4.5.1-1 [wheezy] - linux (Minor issue) NOTE: https://code.google.com/p/google-security-research/issues/detail?id=758 NOTE: https://patchwork.ozlabs.org/patch/595575/ NOTE: http://marc.info/?l=netfilter-devel&m=145757134822741&w=2 NOTE: http://www.openwall.com/lists/oss-security/2016/03/10/4 NOTE: http://www.openwall.com/lists/oss-security/2016/03/10/7 NOTE: Non-privileged user namespaces disabled by default, only vulnerable with sysctl kernel.unprivileged_userns_clone=1 CVE-2016-3135 (Integer overflow in the xt_alloc_table_info function in net/netfilter/ ...) - linux 4.4.6-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: http://marc.info/?l=netfilter-devel&m=145757136822750&w=2 NOTE: https://patchwork.ozlabs.org/patch/595576/ NOTE: http://www.openwall.com/lists/oss-security/2016/03/10/7 CVE-2015-8835 (The make_http_soap_request function in ext/soap/php_http.c in PHP befo ...) - php5 5.6.12+dfsg-1 [jessie] - php5 5.6.12+dfsg-0+deb8u1 [wheezy] - php5 5.4.44-0+deb7u1 NOTE: https://git.php.net/?p=php-src.git;a=commitdiff;h=c96d08b27226193dd51f2b50e84272235c6aaa69 NOTE: https://bugs.php.net/bug.php?id=70081 NOTE: Fixed in 5.6.12, 5.5.28, 5.4.44 NOTE: CVE assignment is for "The first problem" section of Bug 70081 CVE-2015-8833 (Use-after-free vulnerability in the create_smp_dialog function in gtk- ...) {DSA-3528-1} - pidgin-otr 4.0.2-1 [wheezy] - pidgin-otr (Vulnerable code not present) NOTE: https://blog.fuzzing-project.org/39-Heap-use-after-free-in-Pidgin-OTR-plugin.html NOTE: https://bugs.otr.im/issues/88 NOTE: https://bugs.otr.im/issues/128 NOTE: Fixed by: https://bugs.otr.im/projects/pidgin-otr/repository/revisions/aaf551b9dd5cbba8c4abaa3d4dc7ead860efef94 NOTE: Introduced by: https://bugs.otr.im/projects/pidgin-otr/repository/revisions/c276bfa786bef8a4572a37d5633cf40f480d3ae0 NOTE: http://www.openwall.com/lists/oss-security/2016/03/09/8 CVE-2016-2859 REJECTED CVE-2016-3124 (The sanitycheck module in SimpleSAMLphp before 1.14.1 allows remote at ...) - simplesamlphp 1.14.1-1 (unimportant; bug #817162) NOTE: https://simplesamlphp.org/security/201603-01 NOTE: Fixed upstream in 1.14.1 NOTE: https://github.com/simplesamlphp/simplesamlphp/commit/952027dd7f794ff4b2d4f5eddf549c5b5070fa38 NOTE: http://www.openwall.com/lists/oss-security/2016/03/08/4 NOTE: Not treated as a security issue, many components in Debian reveal the release in use CVE-2016-2855 (The Huawei Mobile Broadband HL Service 22.001.25.00.03 and earlier use ...) NOT-FOR-US: Huawei CVE-2016-2852 RESERVED CVE-2016-2851 (Integer overflow in proto.c in libotr before 4.1.1 on 64-bit platforms ...) {DSA-3512-1} - libotr 4.1.1-1 (bug #817799) NOTE: https://lists.cypherpunks.ca/pipermail/otr-announce/2016-March/000062.html NOTE: https://www.x41-dsec.de/lab/advisories/x41-2016-001-libotr/ CVE-2016-2850 (Botan 1.11.x before 1.11.29 does not enforce TLS policy for (1) signat ...) - botan1.10 (Introduced in 1.11.0) NOTE: Introduced in 1.11.0, fixed in 1.11.29 CVE-2016-2849 (Botan before 1.10.13 and 1.11.x before 1.11.29 do not use a constant-t ...) {DSA-3565-1 DLA-449-1} - botan1.10 1.10.13-1 (bug #822698) NOTE: http://botan.randombit.net/security.html NOTE: Introduced in 1.7.15, fixed in 1.10.13 and 1.11.29 NOTE: FIX https://github.com/randombit/botan/commit/bcf13fa153a11b3e0ad54e2af6962441cea3adf1 CVE-2016-2848 (ISC BIND 9.1.0 through 9.8.4-P2 and 9.9.0 through 9.9.2-P2 allows remo ...) {DLA-672-1} - bind9 1:9.9.3.dfsg.P2-1 (bug #839051) NOTE: https://kb.isc.org/article/AA-01433 NOTE: Fixed by https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=4adf97c32fcca7d00e5756607fd045f2aab9c3d4 CVE-2016-2846 (Siemens SIMATIC S7-1200 CPU devices before 4.0 allow remote attackers ...) NOT-FOR-US: Siemens SIMATIC S7-1200 CPU devices CVE-2016-2845 (The Content Security Policy (CSP) implementation in Blink, as used in ...) {DSA-3507-1} - chromium-browser 49.0.2623.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-2844 (WebKit/Source/core/layout/LayoutBlock.cpp in Blink, as used in Google ...) {DSA-3507-1} - chromium-browser 49.0.2623.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-2843 (Multiple unspecified vulnerabilities in Google V8 before 4.9.385.26, a ...) {DSA-3507-1} - chromium-browser 49.0.2623.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-3178 (The processRequest function in minissdpd.c in MiniSSDPd 1.2.20130907-3 ...) {DLA-454-1} - minissdpd 1.2.20130907-3.2 (bug #816759) [jessie] - minissdpd 1.2.20130907-3+deb8u1 NOTE: https://speirofr.appspot.com/files/advisory/SPADV-2016-02.md NOTE: https://github.com/miniupnp/miniupnp/commit/b238cade9a173c6f751a34acf8ccff838a62aa47 CVE-2016-3179 (The processRequest function in minissdpd.c in MiniSSDPd 1.2.20130907-3 ...) {DLA-454-1} - minissdpd 1.2.20130907-3.2 (bug #816759) [jessie] - minissdpd 1.2.20130907-3+deb8u1 NOTE: https://speirofr.appspot.com/files/advisory/SPADV-2016-02.md NOTE: https://github.com/miniupnp/miniupnp/commit/140ee8d2204b383279f854802b27bdb41c1d5d1a CVE-2016-2842 (The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 befo ...) {DSA-3500-1} - openssl 1.0.2g-1 NOTE: split from CVE-2016-0799 CVE-2016-3142 (The phar_parse_zipfile function in zip.c in the PHAR extension in PHP ...) {DLA-818-1} - php5 5.6.19+dfsg-1 [jessie] - php5 5.6.19+dfsg-0+deb8u1 [wheezy] - php5 (Minor issue, can be fixed in next update round) NOTE: https://bugs.php.net/bug.php?id=71498 NOTE: Fixed in 5.5.33, 5.6.19 NOTE: http://www.openwall.com/lists/oss-security/2016/03/10/5 NOTE: http://www.openwall.com/lists/oss-security/2016/03/13/2 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=a6fdc5bb27b20d889de0cd29318b3968aabb57bd CVE-2016-3141 (Use-after-free vulnerability in wddx.c in the WDDX extension in PHP be ...) {DLA-818-1} - php5 5.6.19+dfsg-1 [jessie] - php5 5.6.19+dfsg-0+deb8u1 [wheezy] - php5 (Minor issue, can be fixed in next update round) NOTE: https://bugs.php.net/bug.php?id=71587 NOTE: Fixed in 5.5.33, 5.6.19 NOTE: http://www.openwall.com/lists/oss-security/2016/03/10/5 NOTE: http://www.openwall.com/lists/oss-security/2016/03/13/1 CVE-2016-2858 (QEMU, when built with the Pseudo Random Number Generator (PRNG) back-e ...) {DLA-1599-1} - qemu 1:2.6+dfsg-1 (bug #817183) [wheezy] - qemu (Vulnerable code not present) [squeeze] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: Upstream patch: http://git.qemu.org/?p=qemu.git;a=commit;h=60253ed1e6ec6d8e5ef2efe7bf755f475dce9956 (v2.6.0-rc0) NOTE: Introduced in: http://git.qemu.org/?p=qemu.git;a=commit;h=a9b7b2ad7b075dba5495271706670e5c6b1304bc (v1.3.0-rc0) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1314676 NOTE: http://www.openwall.com/lists/oss-security/2016/03/04/1 CVE-2015-8832 (Multiple incomplete blacklist vulnerabilities in inc/core/class.dc.cor ...) - dotclear (bug #815979) NOTE: https://hg.dotclear.org/dotclear/rev/198580bc3d80 NOTE: https://dotclear.org/blog/post/2015/10/25/Dotclear-2.8.2 NOTE: Fixed upstream in 2.8.2 NOTE: http://www.openwall.com/lists/oss-security/2016/03/05/4 CVE-2015-8831 (Cross-site scripting (XSS) vulnerability in admin/comments.php in Dotc ...) - dotclear (bug #815979) NOTE: https://hg.dotclear.org/dotclear/rev/65e65154dadf NOTE: https://dotclear.org/blog/post/2015/10/25/Dotclear-2.8.2 NOTE: Fixed upstream in 2.8.2 NOTE: http://www.openwall.com/lists/oss-security/2016/03/05/4 CVE-2016-8000 REJECTED CVE-2016-2840 (An issue was discovered in Open-Xchange Server 6 / OX AppSuite before ...) NOT-FOR-US: Open-Xchange CVE-2016-2857 (The net_checksum_calculate function in net/checksum.c in QEMU allows l ...) {DLA-1599-1 DLA-574-1 DLA-573-1} - qemu 1:2.6+dfsg-1 (bug #817182) - qemu-kvm NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=362786f14a753d8a5256ef97d7c10ed576d6572b (v2.6.0-rc0) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1296567 NOTE: http://www.openwall.com/lists/oss-security/2016/03/03/9 CVE-2016-2854 (The aufs module for the Linux kernel 3.x and 4.x does not properly mai ...) - linux 3.18-1~exp1 [jessie] - linux (Not exploitable in default configuration) [wheezy] - linux (Vulnerable code is not present) NOTE: http://www.halfdog.net/Security/2016/AufsPrivilegeEscalationInUserNamespaces/ NOTE: https://sourceforge.net/p/aufs/mailman/message/34864744/ NOTE: This depends on a user namespace creator being able to mount aufs. NOTE: jessie: Unprivileged users are not allowed to create user namespaces by default; aufs is not allowed to be mounted from a new user namespace by default. NOTE: wheezy: User namespaces are non-functional. CVE-2016-2853 (The aufs module for the Linux kernel 3.x and 4.x does not properly res ...) - linux 3.18-1~exp1 [jessie] - linux (Not exploitable in default configuration) [wheezy] - linux (Vulnerable code is not present) NOTE: http://www.halfdog.net/Security/2016/AufsPrivilegeEscalationInUserNamespaces/ NOTE: https://sourceforge.net/p/aufs/mailman/message/34864744/ NOTE: This depends on a user namespace creator being able to mount aufs. NOTE: jessie: Unprivileged users are not allowed to create user namespaces by default; aufs is not allowed to be mounted from a new user namespace by default. NOTE: wheezy: User namespaces are non-functional. CVE-2016-2839 (Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 on Linux ...) - firefox (Uses gstreamer-ffmpeg/libav 1.0) - firefox-esr (Uses gstreamer-ffmpeg/libav 1.0) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-65/ NOTE: Related patches https://hg.mozilla.org/mozilla-central/log?rev=Bug+1275339 CVE-2016-2838 (Heap-based buffer overflow in the nsBidi::BracketData::AddOpening func ...) {DSA-3640-1 DLA-585-1} - firefox 48.0-1 - firefox-esr 45.3.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-64/ CVE-2016-2837 (Heap-based buffer overflow in the ClearKey Content Decryption Module ( ...) {DSA-3640-1 DLA-585-1} - firefox 48.0-1 - firefox-esr 45.3.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-77/ CVE-2016-2836 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-3686-1 DSA-3640-1 DLA-640-1 DLA-585-1} - firefox 48.0-1 - firefox-esr 45.3.0esr-1 - icedove 1:45.3.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-62/ CVE-2016-2835 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - firefox 48.0-1 - firefox-esr (Doesn't apply to Firefox ESR) - icedove (Doesn't apply to Thunderbird ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-62/ CVE-2016-2834 (Mozilla Network Security Services (NSS) before 3.23, as used in Mozill ...) {DSA-3688-1 DLA-527-1} - nss 2:3.23-1 - firefox-esr (Doesn't apply to Firefox ESR) - firefox 47.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-61/ CVE-2016-2833 (Mozilla Firefox before 47.0 ignores Content Security Policy (CSP) dire ...) - firefox-esr (Doesn't apply to Firefox ESR) - firefox 47.0-1 CVE-2016-2832 (Mozilla Firefox before 47.0 allows remote attackers to discover the li ...) - firefox-esr (Doesn't apply to Firefox ESR) - firefox 47.0-1 CVE-2016-2831 (Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 do not en ...) {DSA-3600-1 DLA-521-1} - firefox-esr 45.2.0esr-1 - firefox 47.0-1 CVE-2016-2830 (Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 preserve ...) {DSA-3640-1 DLA-585-1} - firefox 48.0-1 - firefox-esr 45.3.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-63/ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1342897 CVE-2016-2829 (Mozilla Firefox before 47.0 allows remote attackers to spoof permissio ...) - firefox-esr (Doesn't apply to Firefox ESR) - firefox 47.0-1 CVE-2016-2828 (Use-after-free vulnerability in Mozilla Firefox before 47.0 and Firefo ...) {DSA-3600-1 DLA-521-1} - firefox-esr 45.2.0esr-1 - firefox 47.0-1 CVE-2016-2827 (The mozilla::net::IsValidReferrerPolicy function in Mozilla Firefox be ...) - firefox 49.0-1 - firefox-esr (Doesn't affect ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-86/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/ CVE-2016-2826 (The maintenance service in Mozilla Firefox before 47.0 and Firefox ESR ...) - firefox-esr (Only affects Windows) - firefox (Only affects Windows) CVE-2016-2825 (Mozilla Firefox before 47.0 allows remote attackers to bypass the Same ...) - firefox-esr (Doesn't apply to Firefox ESR) - firefox 47.0-1 CVE-2016-2824 (The TSymbolTableLevel class in ANGLE, as used in Mozilla Firefox befor ...) - firefox-esr (Only affects Windows) - firefox (Only affects Windows) CVE-2016-2823 RESERVED CVE-2016-2822 (Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 allow rem ...) {DSA-3600-1 DLA-521-1} - firefox-esr 45.2.0esr-1 - firefox 47.0-1 CVE-2016-2821 (Use-after-free vulnerability in the mozilla::dom::Element class in Moz ...) {DSA-3600-1 DLA-521-1} - firefox-esr 45.2.0esr-1 - firefox 47.0-1 CVE-2016-2820 (The Firefox Health Reports (aka FHR or about:healthreport) feature in ...) - iceweasel (Only Firefox 46) - firefox-esr (Only Firefox 46) - firefox 46.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-48/ CVE-2016-2819 (Heap-based buffer overflow in Mozilla Firefox before 47.0 and Firefox ...) {DSA-3600-1 DLA-521-1} - firefox-esr 45.2.0esr-1 - firefox 47.0-1 CVE-2016-2818 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-3647-1 DSA-3600-1 DLA-572-1 DLA-521-1} - firefox-esr 45.2.0esr-1 - firefox 47.0-1 - icedove 1:45.2.0-1 CVE-2016-2817 (The WebExtension sandbox feature in browser/components/extensions/ext- ...) - iceweasel (Only Firefox 46) - firefox-esr (Only Firefox 46) - firefox 46.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-46/ CVE-2016-2816 (Mozilla Firefox before 46.0 allows remote attackers to bypass the Cont ...) - iceweasel (Only Firefox 46) - firefox-esr (Only Firefox 46) - firefox 46.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-45/ CVE-2016-2815 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - firefox-esr (Doesn't apply to Firefox ESR) - firefox 47.0-1 CVE-2016-2814 (Heap-based buffer overflow in the stagefright::SampleTable::parseSampl ...) {DSA-3559-1} - iceweasel - firefox-esr 45.1.0esr-1 - firefox 46.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-44/ CVE-2016-2813 (Mozilla Firefox before 46.0 on Android does not properly restrict Java ...) - iceweasel (Only Firefox on Android) - firefox-esr (Only Firefox on Android) - firefox (Only Firefox on Android) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-43/ CVE-2016-2812 (Race condition in the get implementation in the ServiceWorkerManager c ...) - iceweasel (Only Firefox 46) - firefox-esr (Only Firefox 46) - firefox 46.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-42/ CVE-2016-2811 (Use-after-free vulnerability in the ServiceWorkerInfo class in the Ser ...) - iceweasel (Only Firefox 46) - firefox-esr (Only Firefox 46) - firefox 46.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-42/ CVE-2016-2810 (Mozilla Firefox before 46.0 on Android before 5.0 allows attackers to ...) - iceweasel (Only Firefox on Android) - firefox-esr (Only Firefox on Android) - firefox (Only Firefox on Android) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-41/ CVE-2016-2809 (The Mozilla Maintenance Service updater in Mozilla Firefox before 46.0 ...) - iceweasel (Only Firefox on Windows) - firefox-esr (Only Firefox on Windows) - firefox (Only Firefox on Windows) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-40/ CVE-2016-2808 (The watch implementation in the JavaScript engine in Mozilla Firefox b ...) {DSA-3559-1} - iceweasel - firefox-esr 45.1.0esr-1 - firefox 46.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-47/ CVE-2016-2807 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-3576-1 DSA-3559-1 DLA-472-1} - iceweasel - firefox-esr 45.1.0esr-1 - firefox 46.0-1 - icedove 1:45.1.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-39/ CVE-2016-2806 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-3601-1 DLA-519-1} - iceweasel (Only Firefox 45.x) - firefox-esr 45.1.0esr-1 - firefox 46.0-1 - icedove 1:45.1.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-39/ CVE-2016-2805 (Unspecified vulnerability in the browser engine in Mozilla Firefox ESR ...) {DSA-3576-1 DSA-3559-1 DLA-472-1} - iceweasel - firefox-esr (Only affects Firefox ESR 38.x) - firefox (Only affects Firefox ESR 38.x) - icedove 1:45.1.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-39/ CVE-2016-2804 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel (Only Firefox 46) - firefox-esr (Only Firefox 46) - firefox 46.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-39/ CVE-2016-2803 (Cross-site scripting (XSS) vulnerability in the dependency graphs in B ...) - bugzilla4 (bug #669643) - bugzilla CVE-2016-2802 (The graphite2::TtfUtil::CmapSubtable4NextCodepoint function in Graphit ...) {DSA-3520-1 DSA-3515-1 DSA-3510-1} - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 - icedove 38.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/ - graphite2 1.3.6-1 CVE-2016-2801 (The graphite2::TtfUtil::CmapSubtable12Lookup function in TtfUtil.cpp i ...) {DSA-3520-1 DSA-3515-1 DSA-3510-1} - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 - icedove 38.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/ - graphite2 1.3.6-1 CVE-2016-2800 (The graphite2::Slot::getAttr function in Slot.cpp in Graphite 2 before ...) {DSA-3520-1 DSA-3515-1 DSA-3510-1} - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 - icedove 38.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/ - graphite2 1.3.6-1 CVE-2016-2799 (Heap-based buffer overflow in the graphite2::Slot::setAttr function in ...) {DSA-3520-1 DSA-3515-1 DSA-3510-1} - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 - icedove 38.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/ - graphite2 1.3.6-1 CVE-2016-2798 (The graphite2::GlyphCache::Loader::Loader function in Graphite 2 befor ...) {DSA-3520-1 DSA-3515-1 DSA-3510-1} - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 - icedove 38.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/ - graphite2 1.3.6-1 CVE-2016-2797 (The graphite2::TtfUtil::CmapSubtable12Lookup function in Graphite 2 be ...) {DSA-3520-1 DSA-3515-1 DSA-3510-1} - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 - icedove 38.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/ - graphite2 1.3.6-1 CVE-2016-2796 (Heap-based buffer overflow in the graphite2::vm::Machine::Code::Code f ...) {DSA-3520-1 DSA-3515-1 DSA-3510-1} - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 - icedove 38.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/ - graphite2 1.3.6-1 CVE-2016-2795 (The graphite2::FileFace::get_table_fn function in Graphite 2 before 1. ...) {DSA-3520-1 DSA-3515-1 DSA-3510-1} - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 - icedove 38.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/ - graphite2 1.3.6-1 CVE-2016-2794 (The graphite2::TtfUtil::CmapSubtable12NextCodepoint function in Graphi ...) {DSA-3520-1 DSA-3515-1 DSA-3510-1} - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 - icedove 38.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/ - graphite2 1.3.6-1 CVE-2016-2793 (CachedCmap.cpp in Graphite 2 before 1.3.6, as used in Mozilla Firefox ...) {DSA-3520-1 DSA-3515-1 DSA-3510-1} - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 - icedove 38.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/ - graphite2 1.3.6-1 CVE-2016-2792 (The graphite2::Slot::getAttr function in Slot.cpp in Graphite 2 before ...) {DSA-3520-1 DSA-3515-1 DSA-3510-1} - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 - icedove 38.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/ - graphite2 1.3.6-1 CVE-2016-2791 (The graphite2::GlyphCache::glyph function in Graphite 2 before 1.3.6, ...) {DSA-3520-1 DSA-3515-1 DSA-3510-1} - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 - icedove 38.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/ - graphite2 1.3.6-1 CVE-2016-2790 (The graphite2::TtfUtil::GetTableInfo function in Graphite 2 before 1.3 ...) {DSA-3520-1 DSA-3515-1 DSA-3510-1} - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 - icedove 38.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/ - graphite2 1.3.6-1 CVE-2016-2789 (Cross-site scripting (XSS) vulnerability in the Web User Interface in ...) NOT-FOR-US: Citrix CVE-2015-8829 REJECTED CVE-2015-8828 REJECTED CVE-2015-8827 REJECTED CVE-2015-8826 REJECTED CVE-2015-8825 REJECTED CVE-2015-8824 REJECTED CVE-2015-8823 (Use-after-free vulnerability in the TextField object implementation in ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8822 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8821 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8820 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8819 RESERVED CVE-2016-2841 (The ne2000_receive function in the NE2000 NIC emulation support (hw/ne ...) {DLA-1599-1} - qemu 1:2.6+dfsg-1 (bug #817181) [wheezy] - qemu (Minor issue) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=415ab35a441eca767d033a2702223e785b9d5190 (v2.6.0-rc0) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1303106 NOTE: http://www.openwall.com/lists/oss-security/2016/03/02/8 CVE-2016-2788 (MCollective 2.7.0 and 2.8.x before 2.8.9, as used in Puppet Enterprise ...) - mcollective 2.12.0+dfsg-1 (bug #850968) [jessie] - mcollective (Minor issue) [wheezy] - mcollective (Minor issue) NOTE: https://puppet.com/security/cve/cve-2016-2788 NOTE: https://github.com/puppetlabs/marionette-collective/commit/4918a0f136aea04452b48a1ba29eb9aabcf5c97d CVE-2016-2787 (The Puppet Communications Protocol in Puppet Enterprise 2015.3.x befor ...) - puppet (Specific to Puppet Enterprise) CVE-2016-2786 (The pxp-agent component in Puppet Enterprise 2015.3.x before 2015.3.3 ...) - puppet (pxp-agent not packaged in Debian) NOTE: https://puppet.com/security/cve/cve-2016-2786 CVE-2016-2785 (Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before ...) - puppet (Vulnerable code only in 4.x) NOTE: https://puppet.com/security/cve/cve-2016-2785 NOTE: https://github.com/puppetlabs/puppet/pull/4921/commits/8d2ce797db265720f0a20d1d46ee2757b4e4f6b2 CVE-2016-2784 (CMS Made Simple 2.x before 2.1.3 and 1.x before 1.12.2, when Smarty Ca ...) NOT-FOR-US: CMS Made Simple CVE-2015-8818 (The cpu_physical_memory_write_rom_internal function in exec.c in QEMU ...) - qemu 1:2.4+dfsg-1a [jessie] - qemu (Problematic memory clamping code got added later with upstream commit 965eb2f) [wheezy] - qemu (Affects Qemu versions >= 1.6.0 and <= 2.3.1) [squeeze] - qemu (Affects Qemu versions >= 1.6.0 and <= 2.3.1) - qemu-kvm (Affects Qemu versions >= 1.6.0 and <= 2.3.1) NOTE: http://www.openwall.com/lists/oss-security/2016/03/01/10 NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=b242e0e0e2969c044a318e56f7988bbd84de1f63 (v2.4.0-rc0) NOTE: same patchset than CVE-2015-8817 NOTE: https://lists.gnu.org/archive/html/qemu-stable/2016-01/msg00065.html CVE-2015-8817 (QEMU (aka Quick Emulator) built to use 'address_space_translate' to ma ...) - qemu 1:2.4+dfsg-1a [jessie] - qemu (Minor issue; too dangerous backport) [wheezy] - qemu (Affects Qemu versions >= 1.6.0 and <= 2.3.1) [squeeze] - qemu (Affects Qemu versions >= 1.6.0 and <= 2.3.1) - qemu-kvm (Affects Qemu versions >= 1.6.0 and <= 2.3.1) NOTE: http://www.openwall.com/lists/oss-security/2016/03/01/10 NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=c3c1bb99d1c11978d9ce94d1bdcf0705378c1459 (v2.3.0-rc1) NOTE: https://lists.gnu.org/archive/html/qemu-stable/2016-01/msg00060.html NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=23820dbfc79d1c9dce090b4c555994f2bb6a69b3 (v2.4.0-rc0) NOTE: https://lists.gnu.org/archive/html/qemu-stable/2016-01/msg00065.html CVE-2016-2783 (Avaya Fabric Connect Virtual Services Platform (VSP) Operating System ...) NOT-FOR-US: Avaya CVE-2016-2780 (Untrusted search path vulnerability in Huawei UTPS before UTPS-V200R00 ...) NOT-FOR-US: Huawei UTPS CVE-2016-2778 RESERVED CVE-2016-2777 REJECTED CVE-2016-2776 (buffer.c in named in ISC BIND 9 before 9.9.9-P3, 9.10.x before 9.10.4- ...) {DSA-3680-1 DLA-645-1} [experimental] - bind9 1:9.10.4-P5-1 - bind9 1:9.10.3.dfsg.P4-11 (bug #839010) NOTE: https://kb.isc.org/article/AA-01419 CVE-2016-2775 (ISC BIND 9.x before 9.9.9-P2, 9.10.x before 9.10.4-P2, and 9.11.x befo ...) {DSA-3680-1 DLA-645-1} [experimental] - bind9 1:9.10.4-P5-1 - bind9 1:9.10.3.dfsg.P4-11 (bug #831796) NOTE: https://kb.isc.org/article/AA-01393/74/CVE-2016-2775 CVE-2016-2774 (ISC DHCP 4.1.x before 4.1-ESV-R13 and 4.2.x and 4.3.x before 4.3.4 doe ...) {DLA-2003-1} - isc-dhcp 4.3.4-1 (bug #817158) [wheezy] - isc-dhcp (Minor issue) NOTE: https://kb.isc.org/article/AA-01354 NOTE: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commitdiff;h=0b209ea5cc333255e055113fa2ad636dda681a21 CVE-2016-2773 REJECTED CVE-2016-2772 REJECTED CVE-2016-2771 REJECTED CVE-2016-2770 REJECTED CVE-2016-2769 REJECTED CVE-2016-2768 REJECTED CVE-2016-2767 REJECTED CVE-2016-2766 REJECTED CVE-2016-2765 REJECTED CVE-2016-2764 REJECTED CVE-2016-2763 REJECTED CVE-2016-2762 REJECTED CVE-2016-2761 REJECTED CVE-2016-2760 REJECTED CVE-2016-2759 REJECTED CVE-2016-2758 REJECTED CVE-2016-2757 REJECTED CVE-2016-2756 REJECTED CVE-2016-2755 REJECTED CVE-2016-2754 REJECTED CVE-2016-2753 REJECTED CVE-2016-2752 REJECTED CVE-2016-2751 REJECTED CVE-2016-2750 REJECTED CVE-2016-2749 REJECTED CVE-2016-2748 REJECTED CVE-2016-2747 REJECTED CVE-2016-2746 REJECTED CVE-2016-2745 REJECTED CVE-2016-2744 REJECTED CVE-2016-2743 REJECTED CVE-2016-2742 REJECTED CVE-2016-2741 REJECTED CVE-2016-2740 REJECTED CVE-2016-2739 REJECTED CVE-2016-2738 REJECTED CVE-2016-2737 REJECTED CVE-2016-2736 REJECTED CVE-2016-2735 REJECTED CVE-2016-2734 REJECTED CVE-2016-2733 REJECTED CVE-2016-2732 REJECTED CVE-2016-2731 REJECTED CVE-2016-2730 REJECTED CVE-2016-2729 REJECTED CVE-2016-2728 REJECTED CVE-2016-2727 REJECTED CVE-2016-2726 REJECTED CVE-2016-2725 REJECTED CVE-2016-2724 REJECTED CVE-2016-2723 REJECTED CVE-2016-2722 REJECTED CVE-2016-2721 REJECTED CVE-2016-2720 REJECTED CVE-2016-2719 REJECTED CVE-2016-2718 REJECTED CVE-2016-2717 REJECTED CVE-2016-2716 REJECTED CVE-2016-2715 REJECTED CVE-2016-2714 REJECTED CVE-2016-2713 REJECTED CVE-2016-2712 REJECTED CVE-2016-2711 REJECTED CVE-2016-2710 REJECTED CVE-2016-2709 REJECTED CVE-2016-2708 REJECTED CVE-2016-2707 REJECTED CVE-2016-2706 REJECTED CVE-2016-2705 REJECTED CVE-2016-2704 REJECTED CVE-2016-2703 REJECTED CVE-2016-2702 REJECTED CVE-2016-2701 REJECTED CVE-2016-2700 REJECTED CVE-2016-2699 REJECTED CVE-2016-2698 REJECTED CVE-2016-2697 REJECTED CVE-2016-2696 REJECTED CVE-2016-2695 REJECTED CVE-2016-2694 REJECTED CVE-2016-2693 REJECTED CVE-2016-2692 REJECTED CVE-2016-2691 REJECTED CVE-2016-2690 REJECTED CVE-2016-2689 REJECTED CVE-2016-2688 REJECTED CVE-2016-2687 REJECTED CVE-2016-2686 REJECTED CVE-2016-2685 REJECTED CVE-2016-2684 REJECTED CVE-2016-2683 REJECTED CVE-2016-2682 REJECTED CVE-2016-2681 REJECTED CVE-2016-2680 REJECTED CVE-2016-2679 REJECTED CVE-2016-2678 REJECTED CVE-2016-2677 REJECTED CVE-2016-2676 REJECTED CVE-2016-2675 REJECTED CVE-2016-2674 REJECTED CVE-2016-2673 REJECTED CVE-2016-2672 REJECTED CVE-2016-2671 REJECTED CVE-2016-2670 REJECTED CVE-2016-2669 REJECTED CVE-2016-2668 REJECTED CVE-2016-2667 REJECTED CVE-2016-2666 REJECTED CVE-2016-2665 REJECTED CVE-2016-2664 REJECTED CVE-2016-2663 REJECTED CVE-2016-2662 REJECTED CVE-2016-2661 REJECTED CVE-2016-2660 REJECTED CVE-2016-2659 REJECTED CVE-2016-2658 REJECTED CVE-2016-2657 REJECTED CVE-2016-2656 REJECTED CVE-2016-2655 REJECTED CVE-2016-2654 REJECTED CVE-2016-2653 REJECTED CVE-2016-2652 REJECTED CVE-2016-2651 REJECTED CVE-2016-2650 REJECTED CVE-2016-2649 REJECTED CVE-2016-2648 REJECTED CVE-2016-2647 REJECTED CVE-2016-2646 REJECTED CVE-2016-2645 REJECTED CVE-2016-2644 REJECTED CVE-2016-2643 REJECTED CVE-2016-2642 REJECTED CVE-2016-2641 REJECTED CVE-2016-2640 REJECTED CVE-2016-2639 REJECTED CVE-2016-2638 REJECTED CVE-2016-2637 REJECTED CVE-2016-2636 REJECTED CVE-2016-2635 REJECTED CVE-2016-2634 REJECTED CVE-2016-2633 REJECTED CVE-2016-2632 REJECTED CVE-2016-2631 REJECTED CVE-2016-2630 REJECTED CVE-2016-2629 REJECTED CVE-2016-2628 REJECTED CVE-2016-2627 REJECTED CVE-2016-2626 REJECTED CVE-2016-2625 REJECTED CVE-2016-2624 REJECTED CVE-2016-2623 REJECTED CVE-2016-2622 REJECTED CVE-2016-2621 REJECTED CVE-2016-2620 REJECTED CVE-2016-2619 REJECTED CVE-2016-2618 REJECTED CVE-2016-2617 REJECTED CVE-2016-2616 REJECTED CVE-2016-2615 REJECTED CVE-2016-2614 REJECTED CVE-2016-2613 REJECTED CVE-2016-2612 REJECTED CVE-2016-2611 REJECTED CVE-2016-2610 REJECTED CVE-2016-2609 REJECTED CVE-2016-2608 REJECTED CVE-2016-2607 REJECTED CVE-2016-2606 REJECTED CVE-2016-2605 REJECTED CVE-2016-2604 REJECTED CVE-2016-2603 REJECTED CVE-2016-2602 REJECTED CVE-2016-2601 REJECTED CVE-2016-2600 REJECTED CVE-2016-2599 REJECTED CVE-2016-2598 REJECTED CVE-2016-2597 REJECTED CVE-2016-2596 REJECTED CVE-2016-2595 REJECTED CVE-2016-2594 REJECTED CVE-2016-2593 REJECTED CVE-2016-2592 REJECTED CVE-2016-2591 REJECTED CVE-2016-2590 REJECTED CVE-2016-2589 REJECTED CVE-2016-2588 REJECTED CVE-2016-2587 REJECTED CVE-2016-2586 REJECTED CVE-2016-2585 REJECTED CVE-2016-2584 REJECTED CVE-2016-2583 REJECTED CVE-2016-2582 REJECTED CVE-2016-2581 REJECTED CVE-2016-2580 REJECTED CVE-2016-2579 REJECTED CVE-2016-2578 REJECTED CVE-2016-2577 REJECTED CVE-2016-2576 REJECTED CVE-2016-2575 REJECTED CVE-2016-2574 REJECTED CVE-2015-8852 (Varnish 3.x before 3.0.7, when used in certain stacked installations, ...) {DSA-3553-1} - varnish 4.0.0-1 (bug #783510) NOTE: http://www.openwall.com/lists/oss-security/2016/04/16/1 NOTE: fixed in 3.0.7 upstream, mark as fixed with first 4.x version in unstable NOTE: 4.x not affected CVE-2016-XXXX [unsafe use of /tmp] - wine 4.0~rc1-1 (unimportant; bug #816034) - wine-development 3.12-2 (unimportant; bug #903622) NOTE: Negligible security impact CVE-2016-XXXX [remote memory disclosure] - node-ws 1.0.1+ds1.e6ddaae4-1 (unimportant) NOTE: fixed in 1.0.1 NOTE: https://nodesecurity.io/advisories/67 NOTE: nodejs not covered by security support CVE-2016-2782 (The treo_attach function in drivers/usb/serial/visor.c in the Linux ke ...) - linux 4.4.2-1 [jessie] - linux 3.16.7-ckt25-1 [wheezy] - linux 3.2.78-1 - linux-2.6 NOTE: Upstream commit: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cac9b50b0d75a1d50d6c056ff65c005f3224c8e0 (v4.5-rc2) CVE-2016-2781 (chroot in GNU coreutils, when used with --userspec, allows local users ...) - coreutils (low; bug #816320) [buster] - coreutils (Minor issue) [stretch] - coreutils (Minor issue) [jessie] - coreutils (Minor issue) [wheezy] - coreutils (Minor issue) NOTE: Restricting ioctl on the kernel side seems the better approach, but rejected by Linux upstream NOTE: Fixing this issue via setsid() would introduce regressions: NOTE: https://www.kernel.org/pub/linux/utils/util-linux/v2.28/v2.28-ReleaseNotes CVE-2016-2779 (runuser in util-linux allows local users to escape to the parent sessi ...) - util-linux 2.31.1-0.1 (bug #815922) [stretch] - util-linux (Minor issue) [jessie] - util-linux (Minor issue) [wheezy] - util-linux (runuser[.c] not yet present) [squeeze] - util-linux (runuser[.c] not yet present) NOTE: Restricting ioctl on the kernel side seems the better approach, patches have been posted to kernel-hardening list NOTE: http://www.openwall.com/lists/oss-security/2016/02/27/1 NOTE: https://marc.info/?l=util-linux-ng&m=145694736107128&w=2 NOTE: 2.31 introduces a new --pty option to separate privileged and unprivileged NOTE: shells (not enabled by default and the cli switch is necessary). CVE-2016-XXXX [Partial SMAP bypass on 64-bit Linux kernels] - linux 4.4.4-1 [jessie] - linux 3.16.7-ckt25-2+deb8u1 [wheezy] - linux (Introduced in 3.10) - linux-2.6 (Introduced in 3.10) NOTE: Introduced by: https://git.kernel.org/linus/63bcff2a307b9bcc712a8251eb27df8b2e117967 (v3.10-rc1) NOTE: Fixed by: https://git.kernel.org/linus/3d44d51bd339766f0178f0cf2e8d048b4a4872aa (v4.5-rc6) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/02/26/6 CVE-2016-7575 REJECTED CVE-2016-2573 RESERVED CVE-2016-2567 (secfilter in the Samsung kernel for Android on SM-N9005 build N9005XXU ...) NOT-FOR-US: Samsung CVE-2016-2566 (Samsung SecEmailSync on SM-G920F build G920FXXU2COH2 (Galaxy S6) devic ...) NOT-FOR-US: Samsung CVE-2016-2565 (Samsung SecEmailSync on SM-G920F build G920FXXU2COH2 (Galaxy S6) devic ...) NOT-FOR-US: Samsung CVE-2016-2564 (Invision Power Services (IPS) Community Suite before 4.1.9 makes sessi ...) NOT-FOR-US: Invision Power Services CVE-2016-2563 (Stack-based buffer overflow in the SCP command-line utility in PuTTY b ...) - putty 0.67-1 (bug #816921) [jessie] - putty (Minor issue) [wheezy] - putty (Minor issue) NOTE: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html NOTE: https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=bc6c15ab5f636e05b7e91883f0031a7e06117947 NOTE: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-2563 CVE-2016-2562 (The checkHTTP function in libraries/Config.class.php in phpMyAdmin 4.5 ...) - phpmyadmin 4:4.5.5.1-1 (unimportant) [jessie] - phpmyadmin [wheezy] - phpmyadmin NOTE: vulnerabilty is only in the test suite CVE-2016-2561 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4. ...) {DSA-3627-1} - phpmyadmin 4:4.5.5.1-1 [wheezy] - phpmyadmin CVE-2016-2560 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0. ...) {DSA-3627-1 DLA-481-1} - phpmyadmin 4:4.5.5.1-1 (low) NOTE: 7ddce5e39a4e12cd351732955394bc7055c280eb: file not present, vulnerability not found in wheezy NOTE: 0667ea8ac7519d7e642eade2686dc393d5faeae3: vulnerability present in 3.4.3.1, but code mysteriously not found in wheezy NOTE: fe3be9f4b9edd54dc39919e7dfeaaf4a67c1cf83: vulnerability introduced in 052fd61f (3.5.1) NOTE: b8f1e0f325f8f32bd82af64111d8c2e9055a363c and 73c8245a3d1893a710447957e28dcfb18d9b47ad present in wheezy and later, patch in lists.debian.org/87lh4fpyap.fsf@angela.anarcat.ath.cx CVE-2016-2559 (Cross-site scripting (XSS) vulnerability in the format function in lib ...) - phpmyadmin 4:4.5.5.1-1 (low) [jessie] - phpmyadmin [wheezy] - phpmyadmin CVE-2016-2572 (http.cc in Squid 4.x before 4.0.7 relies on the HTTP status code after ...) - squid3 (Only affects 4.x) - squid (Only affects 4.x) NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_2.txt NOTE: http://www.squid-cache.org/Versions/v4/changesets/squid-4-14548.patch CVE-2016-2571 (http.cc in Squid 3.x before 3.5.15 and 4.x before 4.0.7 proceeds with ...) {DSA-3522-1 DLA-445-1} - squid3 3.5.15-1 (bug #816011) - squid (Vulnerable code not present) NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_2.txt NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13990.patch NOTE: http://www.squid-cache.org/Versions/v4/changesets/squid-4-14548.patch NOTE: Upstream confirmed it does not affect squid 2.7.x CVE-2016-2570 (The Edge Side Includes (ESI) parser in Squid 3.x before 3.5.15 and 4.x ...) - squid3 3.5.15-1 (bug #816011) [wheezy] - squid3 (Minor issue, needs substantial backporting; too intrusive to backport) - squid (Vulnerable code not present) NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_2.txt NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13993.patch NOTE: http://bugs.squid-cache.org/show_bug.cgi?id=3870 NOTE: http://www.squid-cache.org/Versions/v4/changesets/squid-4-14549.patch NOTE: Upstream confirmed it does not affect squid 2.7.x NOTE: It's maybe too instrusive to fix in 3.1 (squeeze and wheezy). CVE-2016-2569 (Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not properly append ...) - squid3 3.5.15-1 (bug #816011) [wheezy] - squid3 (Minor issue; needs substantial backporting; too intrusive to backport) - squid (Vulnerable code not present) NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_2.txt NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13991.patch NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13998.patch NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13999.patch NOTE: http://www.squid-cache.org/Versions/v4/changesets/squid-4-14552.patch NOTE: Upstream confirmed it does not affect squid 2.7.x CVE-2016-2568 (pkexec, when used with --user nonpriv, allows local users to escape to ...) - policykit-1 (low; bug #816062; bug #812512) [buster] - policykit-1 (Minor issue) [stretch] - policykit-1 (Minor issue) [jessie] - policykit-1 (Minor issue) [wheezy] - policykit-1 (Minor issue) NOTE: Restricting ioctl on the kernel side seems the better approach NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1300746 CVE-2016-2558 (The Escape interface in the Kernel Mode Driver layer in the NVIDIA GPU ...) NOT-FOR-US: NVIDIA Windows drivers CVE-2016-2557 (The Escape interface in the Kernel Mode Driver layer in the NVIDIA GPU ...) NOT-FOR-US: NVIDIA Windows drivers CVE-2016-2556 (The Escape interface in the Kernel Mode Driver layer in the NVIDIA GPU ...) NOT-FOR-US: NVIDIA Windows drivers CVE-2016-2555 (SQL injection vulnerability in include/lib/mysql_connect.inc.php in AT ...) NOT-FOR-US: ATutor CVE-2016-2553 REJECTED CVE-2016-2552 RESERVED CVE-2016-2551 RESERVED CVE-2016-3191 (The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 ...) {DLA-441-1} - pcre3 2:8.38-2 (bug #815921) [jessie] - pcre3 2:8.35-3.3+deb8u3 [wheezy] - pcre3 (Minor issue) - pcre2 10.21-1 (bug #815920) NOTE: pcre3: http://vcs.pcre.org/pcre?view=revision&revision=1631 NOTE: pcre2: http://vcs.pcre.org/pcre2?view=revision&revision=489 NOTE: https://bugs.exim.org/show_bug.cgi?id=1791 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1311503 CVE-2016-3162 (The File module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allows ...) {DSA-3498-1} - drupal8 (bug #756305) - drupal7 7.43-1 - drupal6 (Only affects Drupal 7.x and Drupal 8.x) NOTE: https://www.drupal.org/SA-CORE-2016-001 NOTE: http://www.openwall.com/lists/oss-security/2016/02/24/19 CVE-2016-3163 (The XML-RPC system in Drupal 6.x before 6.38 and 7.x before 7.43 might ...) {DSA-3498-1} - drupal7 7.43-1 - drupal6 [squeeze] - drupal6 NOTE: https://www.drupal.org/SA-CORE-2016-001 NOTE: http://www.openwall.com/lists/oss-security/2016/02/24/19 CVE-2016-3164 (Drupal 6.x before 6.38, 7.x before 7.43, and 8.x before 8.0.4 might al ...) {DSA-3498-1} - drupal8 (bug #756305) - drupal7 7.43-1 - drupal6 [squeeze] - drupal6 NOTE: https://www.drupal.org/SA-CORE-2016-001 NOTE: http://www.openwall.com/lists/oss-security/2016/02/24/19 CVE-2016-3165 (The Form API in Drupal 6.x before 6.38 ignores access restrictions on ...) - drupal7 (Only affects Drupal 6) - drupal6 [squeeze] - drupal6 NOTE: https://www.drupal.org/SA-CORE-2016-001 NOTE: http://www.openwall.com/lists/oss-security/2016/02/24/19 CVE-2016-3166 (CRLF injection vulnerability in the drupal_set_header function in Drup ...) - drupal7 (Only affects Drupal 6) - drupal6 [squeeze] - drupal6 NOTE: https://www.drupal.org/SA-CORE-2016-001 NOTE: http://www.openwall.com/lists/oss-security/2016/02/24/19 CVE-2016-3167 (Open redirect vulnerability in the drupal_goto function in Drupal 6.x ...) - drupal7 (Only affects Drupal 6) - drupal6 [squeeze] - drupal6 NOTE: https://www.drupal.org/SA-CORE-2016-001 NOTE: http://www.openwall.com/lists/oss-security/2016/02/24/19 CVE-2016-3168 (The System module in Drupal 6.x before 6.38 and 7.x before 7.43 might ...) {DSA-3498-1} - drupal7 7.43-1 - drupal6 [squeeze] - drupal6 NOTE: https://www.drupal.org/SA-CORE-2016-001 NOTE: http://www.openwall.com/lists/oss-security/2016/02/24/19 CVE-2016-3169 (The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows r ...) {DSA-3498-1} - drupal7 7.43-1 - drupal6 [squeeze] - drupal6 NOTE: https://www.drupal.org/SA-CORE-2016-001 NOTE: http://www.openwall.com/lists/oss-security/2016/02/24/19 CVE-2016-3170 (The "have you forgotten your password" links in the User module in Dru ...) {DSA-3498-1} - drupal8 (bug #756305) - drupal7 7.43-1 - drupal6 (Only affects Drupal 7.x and Drupal 8.x) NOTE: https://www.drupal.org/SA-CORE-2016-001 NOTE: http://www.openwall.com/lists/oss-security/2016/02/24/19 CVE-2016-3171 (Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before ...) - drupal7 (Only affects Drupal 6) - drupal6 [squeeze] - drupal6 NOTE: https://www.drupal.org/SA-CORE-2016-001 NOTE: http://www.openwall.com/lists/oss-security/2016/02/24/19 CVE-2016-2541 (Audacity before 2.1.2 allows remote attackers to cause a denial of ser ...) - audacity 2.1.2-1 (unimportant) [jessie] - audacity (Vulnerable code not present) [wheezy] - audacity (vulnerable code not present) NOTE: http://wiki.audacityteam.org/wiki/Release_Notes_2.1.2 NOTE: https://github.com/audacity/audacity/commit/85026f98958a8dcc09188be24a8db0385988e23f NOTE: Crash in desktop application, no security impact CVE-2016-2540 (Audacity before 2.1.2 allows remote attackers to cause a denial of ser ...) {DLA-1277-1} - audacity 2.1.2-1 (unimportant) NOTE: http://wiki.audacityteam.org/wiki/Release_Notes_2.1.2 NOTE: https://github.com/audacity/audacity/commit/407c1dc4b209111e4dbb3eec88f333aa8f69094c NOTE: https://github.com/audacity/audacity/commit/b5f2046286b266b10f87b764faa1586aee9c23ea NOTE: Crash in desktop application, no security impact CVE-2016-2539 (Cross-site request forgery (CSRF) vulnerability in install_modules.php ...) NOT-FOR-US: ATutor CVE-2016-2550 (The Linux kernel before 4.5 allows local users to bypass file-descript ...) {DSA-3503-1} - linux 4.4.4-1 - linux-2.6 NOTE: Upstream fix: https://git.kernel.org/linus/415e3d3e90ce9e18727e8843ae343eda5a58fad6 (v4.5-rc4) NOTE: Introduced by: https://git.kernel.org/linus/712f4aad406bb1ed67f3f98d04c044191f0ff593 (v4.5-rc1) NOTE: Technically wheezy-security and squeeze-lts are not affected by this CVE since the fix for NOTE: addressing CVE-2013-4312 was not applied. CVE-2016-2549 (sound/core/hrtimer.c in the Linux kernel before 4.4.1 does not prevent ...) {DSA-3503-1} - linux 4.4.2-1 - linux-2.6 NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2ba1fe7a06d3624f9a7586d672b55f08f7c670f3 (v4.5-rc1) CVE-2016-2548 (sound/core/timer.c in the Linux kernel before 4.4.1 retains certain li ...) {DSA-3503-1} - linux 4.4.2-1 - linux-2.6 NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b5a663aa426f4884c71cd8580adae73f33570f0d (v4.5-rc1) CVE-2016-2547 (sound/core/timer.c in the Linux kernel before 4.4.1 employs a locking ...) {DSA-3503-1} - linux 4.4.2-1 - linux-2.6 NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b5a663aa426f4884c71cd8580adae73f33570f0d (v4.5-rc1) CVE-2016-2546 (sound/core/timer.c in the Linux kernel before 4.4.1 uses an incorrect ...) {DSA-3503-1} - linux 4.4.2-1 - linux-2.6 NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=af368027a49a751d6ff4ee9e3f9961f35bb4fede (v4.5-rc1) CVE-2016-2545 (The snd_timer_interrupt function in sound/core/timer.c in the Linux ke ...) {DSA-3503-1} - linux 4.4.2-1 - linux-2.6 NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ee8413b01045c74340aa13ad5bdf905de32be736 (v4.5-rc1) CVE-2016-2544 (Race condition in the queue_delete function in sound/core/seq/seq_queu ...) {DSA-3503-1} - linux 4.4.2-1 - linux-2.6 NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3567eb6af614dac436c4b16a8d426f9faed639b3 (v4.5-rc1) CVE-2016-2543 (The snd_seq_ioctl_remove_events function in sound/core/seq/seq_clientm ...) {DSA-3503-1} - linux 4.4.2-1 - linux-2.6 NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=030e2c78d3a91dd0d27fef37e91950dde333eba1 (v4.5-rc1) CVE-2016-2542 (Untrusted search path vulnerability in Flexera InstallShield through 2 ...) NOT-FOR-US: Flexera InstallShield CVE-2016-2537 (The is-my-json-valid package before 2.12.4 for Node.js has an incorrec ...) NOT-FOR-US: is-my-json-valid package for Node.js CVE-2016-2536 (Multiple use-after-free vulnerabilities in SAP 3D Visual Enterprise Vi ...) NOT-FOR-US: SAP CVE-2016-2535 RESERVED CVE-2016-2534 RESERVED CVE-2016-4421 (epan/dissectors/packet-ber.c in the ASN.1 BER dissector in Wireshark 1 ...) {DSA-3516-1} - wireshark 2.0.2+ga16e22e-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2016-18.html NOTE: Affected versions: 2.0.0 to 2.0.1, 1.12.0 to 1.12.9 NOTE: Fixed versions: 2.0.2, 1.12.10 CVE-2016-4420 (The NFS dissector in Wireshark 2.x before 2.0.2 allows remote attacker ...) - wireshark 2.0.2+ga16e22e-1 [jessie] - wireshark (Vulnerable code not present) [wheezy] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-17.html NOTE: Affected versions: 2.0.0 to 2.0.1 NOTE: Fixed versions: 2.0.2 CVE-2016-4419 (epan/dissectors/packet-spice.c in the SPICE dissector in Wireshark 2.x ...) - wireshark 2.0.2+ga16e22e-1 [jessie] - wireshark (Vulnerable code not present) [wheezy] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-16.html NOTE: Affected versions: 2.0.0 to 2.0.1 NOTE: Fixed versions: 2.0.2 CVE-2016-4418 (epan/dissectors/packet-ber.c in the ASN.1 BER dissector in Wireshark 1 ...) {DSA-3516-1} - wireshark 2.0.2+ga16e22e-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2016-15.html NOTE: Affected versions: 2.0.0 to 2.0.1, 1.12.0 to 1.12.9 NOTE: Fixed versions: 2.0.2, 1.12.10 CVE-2016-4417 (Off-by-one error in epan/dissectors/packet-gsm_abis_oml.c in the GSM A ...) {DSA-3516-1} - wireshark 2.0.2+ga16e22e-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2016-14.html NOTE: Affected versions: 2.0.0 to 2.0.1, 1.12.0 to 1.12.9 NOTE: Fixed versions: 2.0.2, 1.12.10 CVE-2016-4416 (epan/dissectors/packet-ieee80211.c in the IEEE 802.11 dissector in Wir ...) - wireshark 2.0.2+ga16e22e-1 [jessie] - wireshark (Vulnerable code not present) [wheezy] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-13.html NOTE: Affected versions: 2.0.0 to 2.0.1 NOTE: Fixed versions: 2.0.2 CVE-2016-4415 (wiretap/vwr.c in the Ixia IxVeriWave file parser in Wireshark 2.x befo ...) - wireshark 2.0.2+ga16e22e-1 [jessie] - wireshark (Vulnerable code not present) [wheezy] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-12.html NOTE: Affected versions: 2.0.0 to 2.0.1 NOTE: Fixed versions: 2.0.2 CVE-2016-2532 (The dissect_llrp_parameters function in epan/dissectors/packet-llrp.c ...) {DSA-3516-1} - wireshark 2.0.2+ga16e22e-1 [wheezy] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-11.html NOTE: Affected versions: 2.0.0 to 2.0.1, 1.12.0 to 1.12.9 NOTE: Fixed versions: 2.0.2, 1.12.10 CVE-2016-2531 (Off-by-one error in epan/dissectors/packet-rsl.c in the RSL dissector ...) {DSA-3516-1} - wireshark 2.0.2+ga16e22e-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2016-10.html NOTE: Affected versions: 2.0.0 to 2.0.1, 1.12.0 to 1.12.9 NOTE: Fixed versions: 2.0.2, 1.12.10 CVE-2016-2530 (The dissct_rsl_ipaccess_msg function in epan/dissectors/packet-rsl.c i ...) {DSA-3516-1} - wireshark 2.0.2+ga16e22e-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2016-10.html NOTE: Affected versions: 2.0.0 to 2.0.1, 1.12.0 to 1.12.9 NOTE: Fixed versions: 2.0.2, 1.12.10 CVE-2016-2529 (The iseries_check_file_type function in wiretap/iseries.c in the iSeri ...) - wireshark 2.0.2+ga16e22e-1 [jessie] - wireshark (Vulnerable code not present) [wheezy] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-09.html NOTE: Affected versions: 2.0.0 to 2.0.1 NOTE: Fixed versions: 2.0.2 CVE-2016-2528 (The dissect_nhdr_extopt function in epan/dissectors/packet-lbmc.c in t ...) - wireshark 2.0.2+ga16e22e-1 [jessie] - wireshark (Vulnerable code not present) [wheezy] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-08.html NOTE: Affected versions: 2.0.0 to 2.0.1 NOTE: Fixed versions: 2.0.2 CVE-2016-2527 (wiretap/nettrace_3gpp_32_423.c in the 3GPP TS 32.423 Trace file parser ...) - wireshark 2.0.2+ga16e22e-1 [jessie] - wireshark (Vulnerable code not present) [wheezy] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-07.html NOTE: Affected versions: 2.0.0 to 2.0.1 NOTE: Fixed versions: 2.0.2 CVE-2016-2526 (epan/dissectors/packet-hiqnet.c in the HiQnet dissector in Wireshark 2 ...) - wireshark 2.0.2+ga16e22e-1 [jessie] - wireshark (Vulnerable code not present) [wheezy] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-06.html NOTE: Affected versions: 2.0.0 to 2.0.1 NOTE: Fixed versions: 2.0.2 CVE-2016-2525 (epan/dissectors/packet-http2.c in the HTTP/2 dissector in Wireshark 2. ...) - wireshark 2.0.2+ga16e22e-1 [jessie] - wireshark (Vulnerable code not present) [wheezy] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-05.html NOTE: Affected versions: 2.0.0 to 2.0.1 NOTE: Fixed versions: 2.0.2 CVE-2016-2524 (epan/dissectors/packet-x509af.c in the X.509AF dissector in Wireshark ...) - wireshark 2.0.2+ga16e22e-1 [jessie] - wireshark (Only affects 2.0.x) [wheezy] - wireshark (Only affects 2.0.x) [squeeze] - wireshark (Only affects 2.0.x) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-04.html NOTE: Affected versions: 2.0.0 to 2.0.1 NOTE: Fixed versions: 2.0.2 CVE-2016-2523 (The dnp3_al_process_object function in epan/dissectors/packet-dnp.c in ...) {DSA-3516-1} - wireshark 2.0.2+ga16e22e-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2016-03.html NOTE: Affected versions: 2.0.0 to 2.0.1, 1.12.0 to 1.12.9 NOTE: Fixed versions: 2.0.2, 1.12.10 CVE-2016-2522 (The dissect_ber_constrained_bitstring function in epan/dissectors/pack ...) - wireshark 2.0.2+ga16e22e-1 [jessie] - wireshark (Only affects 2.0.x) [wheezy] - wireshark (Only affects 2.0.x) [squeeze] - wireshark (Only affects 2.0.x) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-02.html NOTE: Affected versions: 2.0.0 to 2.0.1 NOTE: Fixed versions: 2.0.2 CVE-2016-2521 (Untrusted search path vulnerability in the WiresharkApplication class ...) - wireshark (Windows-specific) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-01.html NOTE: Affected versions: 2.0.0 to 2.0.1, 1.12.0 to 1.12.9 NOTE: Fixed versions: 2.0.2, 1.12.10 CVE-2016-2520 RESERVED CVE-2016-2519 (ntpd in NTP before 4.2.8p7 and 4.3.x before 4.3.92 allows remote attac ...) - ntp 1:4.2.8p7+dfsg-1 [jessie] - ntp (Minor issue) [wheezy] - ntp (Minor issue) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security CVE-2016-2518 (The MATCH_ASSOC function in NTP before version 4.2.8p9 and 4.3.x befor ...) {DSA-3629-1 DLA-559-1} - ntp 1:4.2.8p7+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security CVE-2016-2517 (NTP before 4.2.8p7 and 4.3.x before 4.3.92 allows remote attackers to ...) - ntp 1:4.2.8p7+dfsg-1 (unimportant) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security NOTE: not a security issue, anyone with the privileges for remote configuration can NOTE: cause trouble anyway CVE-2016-2516 (NTP before 4.2.8p7 and 4.3.x before 4.3.92, when mode7 is enabled, all ...) {DSA-3629-1 DLA-559-1} - ntp 1:4.2.8p7+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security CVE-2016-2514 RESERVED CVE-2016-2513 (The password hasher in contrib/auth/hashers.py in Django before 1.8.10 ...) {DSA-3544-1} - python-django 1.9.4-1 (bug #816434) NOTE: https://www.djangoproject.com/weblog/2016/mar/01/security-releases/ CVE-2016-2512 (The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x ...) {DSA-3544-1} - python-django 1.9.4-1 (bug #816434) NOTE: https://www.djangoproject.com/weblog/2016/mar/01/security-releases/ CVE-2016-2538 (Multiple integer overflows in the USB Net device emulator (hw/usb/dev- ...) {DLA-1599-1} - qemu 1:2.6+dfsg-1 (bug #815680) [wheezy] - qemu (Minor issue) [squeeze] - qemu (Not supported in Squeeze LTS) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) [squeeze] - qemu-kvm (Not supported in Squeeze LTS) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg03658.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1303120 NOTE: Upstream commit: http://git.qemu.org/?p=qemu.git;a=commit;h=fe3c546c5ff2a6210f9a4d8561cc64051ca8603e (v2.6.0-rc0) NOTE: Introduced by: http://git.qemu.org/?p=qemu.git;a=commit;h=6c9f886ceae5b998dc2b9af2bf77666941689bce (v0.10.0) NOTE: http://www.openwall.com/lists/oss-security/2016/02/22/3 CVE-2016-2515 (Hawk before 3.1.3 and 4.x before 4.1.1 allow remote attackers to cause ...) NOT-FOR-US: NodeJS Hawk CVE-2016-2511 (Cross-site scripting (XSS) vulnerability in WebSVN 2.3.3 and earlier a ...) {DSA-3490-1 DLA-428-1} - websvn CVE-2016-2509 (The password-sync feature on Belden Hirschmann Classic Platform switch ...) NOT-FOR-US: Belden Hirschmann Classic Platform switches CVE-2016-2508 (media/libmediaplayerservice/nuplayer/GenericSource.cpp in mediaserver ...) NOT-FOR-US: Android Mediaserver CVE-2016-2507 (Integer overflow in codecs/on2/h264dec/source/h264bsd_storage.c in lib ...) NOT-FOR-US: libstagefright CVE-2016-2506 (DRMExtractor.cpp in libstagefright in mediaserver in Android 4.x befor ...) NOT-FOR-US: libstagefright CVE-2016-2505 (mpeg2ts/ATSParser.cpp in libstagefright in mediaserver in Android 6.x ...) NOT-FOR-US: libstagefright CVE-2016-2504 (The Qualcomm GPU driver in Android before 2016-08-05 on Nexus 5, 5X, 6 ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-2503 (The Qualcomm GPU driver in Android before 2016-07-05 on Nexus 5X and 6 ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-2502 (drivers/usb/gadget/f_serial.c in the Qualcomm USB driver in Android be ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-2501 (The Qualcomm camera driver in Android before 2016-07-05 on Nexus 5X, 6 ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-2500 (Activity Manager in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, an ...) NOT-FOR-US: Android CVE-2016-2499 (AudioSource.cpp in libstagefright in mediaserver in Android 4.x before ...) NOT-FOR-US: libstagefright CVE-2016-2498 (The Qualcomm Wi-Fi driver in Android before 2016-06-01 on Nexus 7 (201 ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-2497 (services/core/java/com/android/server/pm/PackageManagerService.java in ...) NOT-FOR-US: Android CVE-2016-2496 (The Framework UI permission-dialog implementation in Android 6.x befor ...) NOT-FOR-US: Android CVE-2016-2495 (SampleTable.cpp in libstagefright in mediaserver in Android 4.x before ...) NOT-FOR-US: libstagefright CVE-2016-2494 (Off-by-one error in sdcard/sdcard.c in Android 4.x before 4.4.4, 5.0.x ...) NOT-FOR-US: libstagefright CVE-2016-2493 (The Broadcom Wi-Fi driver in Android before 2016-06-01 on Nexus 5, Nex ...) NOT-FOR-US: Broadcom driver for Android CVE-2016-2492 (The MediaTek power-management driver in Android before 2016-06-01 on A ...) NOT-FOR-US: MediaTek driver for Android CVE-2016-2491 (The NVIDIA camera driver in Android before 2016-06-01 on Nexus 9 devic ...) NOT-FOR-US: NVIDIA driver for Android CVE-2016-2490 (The NVIDIA camera driver in Android before 2016-06-01 on Nexus 9 devic ...) NOT-FOR-US: NVIDIA driver for Android CVE-2016-2489 (The Qualcomm video driver in Android before 2016-06-01 on Nexus 5, 5X, ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-2488 (The Qualcomm camera driver in Android before 2016-06-01 on Nexus 5, 5X ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-2487 (libstagefright in mediaserver in Android 4.x before 4.4.4, 5.0.x befor ...) NOT-FOR-US: libstagefright CVE-2016-2486 (mp3dec/SoftMP3.cpp in libstagefright in mediaserver in Android 4.x bef ...) NOT-FOR-US: libstagefright CVE-2016-2485 (libstagefright in mediaserver in Android 4.x before 4.4.4, 5.0.x befor ...) NOT-FOR-US: libstagefright CVE-2016-2484 (libstagefright in mediaserver in Android 4.x before 4.4.4, 5.0.x befor ...) NOT-FOR-US: libstagefright CVE-2016-2483 (The mm-video-v4l2 venc component in mediaserver in Android 4.x before ...) NOT-FOR-US: Android Mediaserver CVE-2016-2482 (The mm-video-v4l2 vdec component in mediaserver in Android 4.x before ...) NOT-FOR-US: Android Mediaserver CVE-2016-2481 (The mm-video-v4l2 venc component in mediaserver in Android 4.x before ...) NOT-FOR-US: Android Mediaserver CVE-2016-2480 (The mm-video-v4l2 vidc component in mediaserver in Android 4.x before ...) NOT-FOR-US: Android Mediaserver CVE-2016-2479 (The mm-video-v4l2 vdec component in mediaserver in Android 4.x before ...) NOT-FOR-US: Android Mediaserver CVE-2016-2478 (mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp in mediaserver in And ...) NOT-FOR-US: Android Mediaserver CVE-2016-2477 (mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp in mediaserver in And ...) NOT-FOR-US: Android Mediaserver CVE-2016-2476 (mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x bef ...) NOT-FOR-US: Android Mediaserver CVE-2016-2475 (The Broadcom Wi-Fi driver in Android before 2016-06-01 on Nexus 5, Nex ...) NOT-FOR-US: Broadcom driver for Android CVE-2016-2474 (The Qualcomm Wi-Fi driver in Android before 2016-06-01 on Nexus 5X dev ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-2473 (The Qualcomm Wi-Fi driver in Android before 2016-06-01 on Nexus 7 (201 ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-2472 (The Qualcomm Wi-Fi driver in Android before 2016-06-01 on Nexus 7 (201 ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-2471 (The Qualcomm Wi-Fi driver in Android before 2016-06-01 on Nexus 7 (201 ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-2470 (The Qualcomm Wi-Fi driver in Android before 2016-06-01 on Nexus 7 (201 ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-2469 (The Qualcomm sound driver in Android before 2016-06-01 on Nexus 5, 6, ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-2468 (The Qualcomm GPU driver in Android before 2016-06-01 on Nexus 5, 5X, 6 ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-2467 (The Qualcomm sound driver in Android before 2016-06-01 on Nexus 5 devi ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-2466 (The Qualcomm sound driver in Android before 2016-06-01 on Nexus 6 devi ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-2465 (The Qualcomm video driver in Android before 2016-06-01 on Nexus 5, 5X, ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-2464 (libvpx in libwebm in mediaserver in Android 4.x before 4.4.4, 5.0.x be ...) - libvpx 1.6.1-1 [jessie] - libvpx (libwebm not yet present) [wheezy] - libvpx (libwebm not yet present) NOTE: probably fixed earlier, but this was the version checked CVE-2016-2463 (Multiple integer overflows in the h264dec component in libstagefright ...) NOT-FOR-US: libstagefright CVE-2016-2462 (OpenSSLCipher.java in Conscrypt in Android 6.x before 2016-05-01 misha ...) NOT-FOR-US: Android CVE-2016-2461 (OpenSSLCipher.java in Conscrypt in Android 6.x before 2016-05-01 misha ...) NOT-FOR-US: Android CVE-2016-2460 (mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x bef ...) NOT-FOR-US: Android CVE-2016-2459 (mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x bef ...) NOT-FOR-US: Android CVE-2016-2458 (The compose functionality in AOSP Mail in Android 5.0.x before 5.0.2, ...) NOT-FOR-US: Android CVE-2016-2457 (server/pm/UserManagerService.java in Wi-Fi in Android 5.0.x before 5.0 ...) NOT-FOR-US: Android CVE-2016-2456 (The MediaTek Wi-Fi driver in Android before 2016-05-01 on Android One ...) NOT-FOR-US: Android CVE-2016-2455 REJECTED CVE-2016-2454 (The Qualcomm hardware video codec in Android before 2016-05-01 on Nexu ...) NOT-FOR-US: Android CVE-2016-2453 (The MediaTek Wi-Fi driver in Android before 2016-05-01 on Android One ...) NOT-FOR-US: Android CVE-2016-2452 (codecs/amrnb/dec/SoftAMR.cpp in libstagefright in mediaserver in Andro ...) NOT-FOR-US: Android CVE-2016-2451 (codecs/on2/dec/SoftVPX.cpp in libstagefright in mediaserver in Android ...) NOT-FOR-US: Android CVE-2016-2450 (codecs/on2/enc/SoftVPXEncoder.cpp in libstagefright in mediaserver in ...) NOT-FOR-US: Android CVE-2016-2449 (services/camera/libcameraservice/device3/Camera3Device.cpp in mediaser ...) NOT-FOR-US: Android CVE-2016-2448 (media/libmediaplayerservice/nuplayer/NuPlayerStreamListener.cpp in med ...) NOT-FOR-US: Android CVE-2016-2447 REJECTED CVE-2016-2446 (The NVIDIA media driver in Android before 2016-05-01 on Nexus 9 device ...) NOT-FOR-US: Android CVE-2016-2445 (The NVIDIA media driver in Android before 2016-05-01 on Nexus 9 device ...) NOT-FOR-US: Android CVE-2016-2444 (The NVIDIA media driver in Android before 2016-05-01 on Nexus 9 device ...) NOT-FOR-US: Android CVE-2016-2443 (The Qualcomm MDP driver in Android before 2016-05-01 on Nexus 5 and Ne ...) NOT-FOR-US: Android CVE-2016-2442 (The Qualcomm buspm driver in Android before 2016-05-01 on Nexus 5X, 6, ...) NOT-FOR-US: Android CVE-2016-2441 (The Qualcomm buspm driver in Android before 2016-05-01 on Nexus 5X, 6, ...) NOT-FOR-US: Android CVE-2016-2440 (libs/binder/IPCThreadState.cpp in Binder in Android 4.x before 4.4.4, ...) NOT-FOR-US: Android CVE-2016-2439 (Buffer overflow in btif/src/btif_dm.c in Bluetooth in Android 4.x befo ...) NOT-FOR-US: Android CVE-2016-2438 REJECTED CVE-2016-2437 (The NVIDIA video driver in Android before 2016-05-01 on Nexus 9 device ...) NOT-FOR-US: Android CVE-2016-2436 (The NVIDIA video driver in Android before 2016-05-01 on Nexus 9 device ...) NOT-FOR-US: Android CVE-2016-2435 (The NVIDIA video driver in Android before 2016-05-01 on Nexus 9 device ...) NOT-FOR-US: Android CVE-2016-2434 (The NVIDIA video driver in Android before 2016-05-01 on Nexus 9 device ...) NOT-FOR-US: Android CVE-2016-2433 (The Broadcom Wi-Fi driver for Android, as used by BlackBerry smartphon ...) NOT-FOR-US: Broadcom Wi-Fi driver for Android CVE-2016-2432 (The Qualcomm TrustZone component in Android before 2016-05-01 on Nexus ...) NOT-FOR-US: Android CVE-2016-2431 (The Qualcomm TrustZone component in Android before 2016-05-01 on Nexus ...) NOT-FOR-US: Android CVE-2016-2430 (libbacktrace/Backtrace.cpp in debuggerd in Android 4.x before 4.4.4, 5 ...) NOT-FOR-US: Android CVE-2016-2429 (libFLAC/stream_decoder.c in mediaserver in Android 4.x before 4.4.4, 5 ...) NOT-FOR-US: Android CVE-2016-2428 (libAACdec/src/aacdec_drc.cpp in mediaserver in Android 4.x before 4.4. ...) NOT-FOR-US: Android CVE-2016-2427 (** DISPUTED ** The AES-GCM specification in RFC 5084, as used in Andro ...) NOT-FOR-US: Android CVE-2016-2426 (server/content/ContentService.java in the Framework component in Andro ...) NOT-FOR-US: Android CVE-2016-2425 (mail/compose/ComposeActivity.java in AOSP Mail in Android 4.x before 4 ...) NOT-FOR-US: Android CVE-2016-2424 (server/content/SyncStorageEngine.java in SyncStorageEngine in Android ...) NOT-FOR-US: Android CVE-2016-2423 (server/telecom/CallsManager.java in Telephony in Android 4.x before 4. ...) NOT-FOR-US: Android CVE-2016-2422 (Wi-Fi in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5. ...) NOT-FOR-US: Android CVE-2016-2421 (Setup Wizard in Android 5.1.x before 5.1.1 and 6.x before 2016-04-01 a ...) NOT-FOR-US: Android CVE-2016-2420 (rootdir/init.rc in Android 4.x before 4.4.4 does not ensure that the / ...) NOT-FOR-US: Android CVE-2016-2419 (media/libmedia/IDrm.cpp in mediaserver in Android 6.x before 2016-04-0 ...) NOT-FOR-US: Android CVE-2016-2418 (media/libmedia/IOMX.cpp in mediaserver in Android 6.x before 2016-04-0 ...) NOT-FOR-US: Android CVE-2016-2417 (media/libmedia/IOMX.cpp in mediaserver in Android 4.x before 4.4.4, 5. ...) NOT-FOR-US: Android CVE-2016-2416 (libs/gui/BufferQueueConsumer.cpp in mediaserver in Android 4.x before ...) NOT-FOR-US: Android CVE-2016-2415 (exchange/eas/EasAutoDiscover.java in the Autodiscover implementation i ...) NOT-FOR-US: Android CVE-2016-2414 (The Minikin library in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, ...) NOT-FOR-US: Android CVE-2016-2413 (media/libmedia/IOMX.cpp in mediaserver in Android 5.0.x before 5.0.2, ...) NOT-FOR-US: Android CVE-2016-2412 (include/core/SkPostConfig.h in Skia, as used in System_server in Andro ...) NOT-FOR-US: Android CVE-2016-2411 (A Qualcomm Power Management kernel driver in Android 6.x before 2016-0 ...) NOT-FOR-US: Android CVE-2016-2410 (A Qualcomm video kernel driver in Android 6.x before 2016-04-01 allows ...) NOT-FOR-US: Android CVE-2016-2409 (A Texas Instruments (TI) haptic kernel driver in Android 6.x before 20 ...) NOT-FOR-US: Android CVE-2016-2408 (An unspecified client-side component in Pulse Secure Desktop Client be ...) NOT-FOR-US: Pulse Secure Desktop Client CVE-2016-2407 REJECTED CVE-2016-2406 (The permission control module in Huawei Document Security Management ( ...) NOT-FOR-US: Huawei CVE-2016-2405 (Huawei Policy Center with software before V100R003C10SPC020 allows rem ...) NOT-FOR-US: Huawei CVE-2016-2404 (Huawei switches S5700, S6700, S7700, S9700 with software V200R001C00SP ...) NOT-FOR-US: Huawei CVE-2016-2403 (Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to b ...) {DSA-4262-1} - symfony 2.8.6+dfsg-1 [jessie] - symfony (Vulnerable code not present) NOTE: http://symfony.com/blog/cve-2016-2403-unauthorized-access-on-a-misconfigured-ldap-server-when-using-an-empty-password NOTE: Original commit incomplete and did not test for 'null' password resulting in NOTE: CVE-2018-11407. Complete fix as per NOTE: https://github.com/symfony/symfony/pull/26589 NOTE: https://github.com/symfony/symfony/commit/2f5bd18d82f4a8911d549d14c72bf935602834a9 CVE-2013-7450 (Pulp before 2.3.0 uses the same the same certificate authority key and ...) NOT-FOR-US: Pulp (Red Hat) CVE-2013-7448 (Directory traversal vulnerability in wiki.c in didiwiki allows remote ...) {DSA-3485-1 DLA-424-1} - didiwiki 0.5-12 (bug #815111) NOTE: https://github.com/OpenedHand/didiwiki/pull/1/files NOTE: http://www.openwall.com/lists/oss-security/2016/02/19/4 CVE-2016-2510 (BeanShell (bsh) before 2.0b6, when included on the classpath by an app ...) {DSA-3504-1 DLA-443-1} - bsh 2.0b4-16 NOTE: https://github.com/beanshell/beanshell/releases/tag/2.0b6 NOTE: https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49 NOTE: https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced CVE-2016-2402 (OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle atta ...) NOT-FOR-US: OkHttp CVE-2016-2401 RESERVED CVE-2016-2400 RESERVED CVE-2016-2399 (Integer overflow in the quicktime_read_pascal function in libquicktime ...) {DSA-3800-1 DLA-844-1} - libquicktime 2:1.2.4-10 (bug #855099) NOTE: PoC: http://www.nemux.org/2016/02/23/libquicktime-1-2-4/ CVE-2016-2398 (Comcast XFINITY Home Security System does not properly maintain base-s ...) NOT-FOR-US: XFINITY CVE-2016-2397 (The cliserver implementation in Dell SonicWALL GMS, Analyzer, and UMA ...) NOT-FOR-US: Dell CVE-2016-2396 (The GMS ViewPoint (GMSVP) web application in Dell SonicWALL GMS, Analy ...) NOT-FOR-US: Dell CVE-2016-2395 RESERVED CVE-2016-2394 RESERVED CVE-2016-2393 (Lenovo Fingerprint Manager before 8.01.57 and Touch Fingerprint before ...) NOT-FOR-US: Lenovo CVE-2016-2389 (Directory traversal vulnerability in the GetFileList function in the S ...) NOT-FOR-US: SAP CVE-2016-2388 (The Universal Worklist Configuration in SAP NetWeaver 7.4 allows remot ...) NOT-FOR-US: SAP CVE-2016-2387 (Multiple cross-site scripting (XSS) vulnerabilities in the Java Proxy ...) NOT-FOR-US: SAP CVE-2016-2386 (SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE E ...) NOT-FOR-US: SAP CVE-2015-8857 (The uglify-js package before 2.4.24 for Node.js does not properly acco ...) - uglifyjs (unimportant) NOTE: fixed in 2.4.24 NOTE: https://zyan.scripts.mit.edu/blog/backdooring-js/ NOTE: https://github.com/mishoo/UglifyJS2/issues/751 NOTE: https://nodesecurity.io/advisories/39 NOTE: nodejs not covered by security support CVE-2015-XXXX [root path disclosure] - node-send 0.16.2-1 (unimportant) NOTE: fixed in 0.11.1 NOTE: https://github.com/pillarjs/send/pull/70 NOTE: https://github.com/expressjs/serve-static/blob/master/HISTORY.md#181--2015-01-20 NOTE: https://nodesecurity.io/advisories/56 NOTE: nodejs not covered by security support CVE-2015-XXXX [handlebars: quoteless attributes in templates can lead to content injection] - libjs-handlebars (unimportant) - ruby-handlebars-assets (unimportant) NOTE: fixed in 4.0.0 NOTE: https://blog.srcclr.com/handlebars_vulnerability_research_findings/ NOTE: https://github.com/wycats/handlebars.js/pull/1083 NOTE: https://nodesecurity.io/advisories/61 NOTE: Security hardening, not a vulnerability CVE-2015-XXXX [quoteless attributes in templates can lead to content injection] - mustache.js (unimportant) NOTE: fixed in 2.2.1 NOTE: https://github.com/janl/mustache.js/commit/378bcca8a5cfe4058f294a3dbb78e8755e8e0da5 NOTE: https://nodesecurity.io/advisories/62 NOTE: Security hardening, not a vulnerability CVE-2015-9244 (Keys of objects in mysql node module v2.0.0-alpha7 and earlier are not ...) - node-mysql 2.0.0~alpha8-1 (unimportant) NOTE: https://github.com/felixge/node-mysql/issues/342 NOTE: https://nodesecurity.io/advisories/66 NOTE: nodejs not covered by security support CVE-2015-8830 (Integer overflow in the aio_setup_single_vector function in fs/aio.c i ...) - linux 4.1.3-1 [jessie] - linux 3.16.7-ckt20-1+deb8u4 [wheezy] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/4c185ce06dca14f5cea192f5a2c981ef50663f2b (v4.1-rc1) CVE-2015-8816 (The hub_activate function in drivers/usb/core/hub.c in the Linux kerne ...) {DSA-3503-1} - linux 4.4.2-1 - linux-2.6 NOTE: Fixed by: https://git.kernel.org/linus/e50293ef9775c5f1cf3fcc093037dd6a8c5684ea (v4.4-rc6) CVE-2015-8815 (Multiple cross-site scripting (XSS) vulnerabilities in Umbraco before ...) NOT-FOR-US: Umbraco CVE-2015-8814 (Umbraco before 7.4.0 allows remote attackers to bypass anti-forgery se ...) NOT-FOR-US: Umbraco CVE-2016-2392 (The is_rndis function in the USB Net device emulator (hw/usb/dev-netwo ...) {DLA-1599-1} - qemu 1:2.6+dfsg-1 (bug #815008) [wheezy] - qemu (Minor issue) [squeeze] - qemu (Not supported in Squeeze LTS) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) [squeeze] - qemu-kvm (Not supported in Squeeze LTS) NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=80eecda8e5d09c442c24307f340840a5b70ea3b9 (v2.6.0-rc0) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1302299 CVE-2016-2391 (The ohci_bus_start function in the USB OHCI emulation support (hw/usb/ ...) {DLA-1599-1} - qemu 1:2.6+dfsg-1 (bug #815009) [wheezy] - qemu (Minor issue) [squeeze] - qemu (Not supported in Squeeze LTS) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) [squeeze] - qemu-kvm (Not supported in Squeeze LTS) NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=fa1298c2d623522eda7b4f1f721fcb935abb7360 (v2.6.0-rc0) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1304794 NOTE: http://www.openwall.com/lists/oss-security/2016/02/16/2 CVE-2016-2390 (The FwdState::connectedToPeer method in FwdState.cc in Squid before 3. ...) - squid 4.1-1 (unimportant) - squid3 3.5.14-1 (unimportant) NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_1.txt NOTE: Only affects custom builds with --enable-ssl (disabled for license purposes in Debian) CVE-2016-2382 RESERVED CVE-2016-2381 (Perl might allow context-dependent attackers to bypass the taint prote ...) {DSA-3501-1} - perl 5.22.1-8 NOTE: http://perl5.git.perl.org/perl.git/commitdiff/ae37b791a73a9e78dedb89fb2429d2628cf58076 CVE-2016-2380 (An information leak exists in the handling of the MXIT protocol in Pid ...) {DSA-3620-1 DLA-542-1} - pidgin 2.11.0-1 NOTE: http://www.talosintel.com/reports/TALOS-2016-0123/ NOTE: http://www.pidgin.im/news/security/?id=96 NOTE: https://bitbucket.org/pidgin/main/commits/8172584fd640 CVE-2016-2379 (The Mxit protocol uses weak encryption when encrypting user passwords, ...) NOTE: Mentioned at http://www.pidgin.im/news/security/?id=96 without further details CVE-2016-2378 (A buffer overflow vulnerability exists in the handling of the MXIT pro ...) {DSA-3620-1 DLA-542-1} - pidgin 2.11.0-1 NOTE: http://www.talosintel.com/reports/TALOS-2016-0120/ NOTE: http://www.pidgin.im/news/security/?id=94 NOTE: https://bitbucket.org/pidgin/main/commits/06278419c703 CVE-2016-2377 (A buffer overflow vulnerability exists in the handling of the MXIT pro ...) {DSA-3620-1 DLA-542-1} - pidgin 2.11.0-1 NOTE: http://www.talosintel.com/reports/TALOS-2016-0119/ NOTE: http://www.pidgin.im/news/security/?id=93 NOTE: https://bitbucket.org/pidgin/main/commits/0f94ef13ab37 CVE-2016-2376 (A buffer overflow vulnerability exists in the handling of the MXIT pro ...) {DSA-3620-1 DLA-542-1} - pidgin 2.11.0-1 NOTE: http://www.talosintel.com/reports/TALOS-2016-0118/ NOTE: http://www.pidgin.im/news/security/?id=92 NOTE: https://bitbucket.org/pidgin/main/commits/19f89eda8587 CVE-2016-2375 (An exploitable out-of-bounds read exists in the handling of the MXIT p ...) {DSA-3620-1 DLA-542-1} - pidgin 2.11.0-1 NOTE: http://www.talosintel.com/reports/TALOS-2016-0143/ NOTE: http://www.pidgin.im/news/security/?id=108 NOTE: https://bitbucket.org/pidgin/main/commits/b786e9814536 CVE-2016-2374 (An exploitable memory corruption vulnerability exists in the handling ...) {DSA-3620-1 DLA-542-1} - pidgin 2.11.0-1 NOTE: http://www.talosintel.com/reports/TALOS-2016-0142/ NOTE: http://www.pidgin.im/news/security/?id=107 NOTE: https://bitbucket.org/pidgin/main/commits/f6c08d962618 CVE-2016-2373 (A denial of service vulnerability exists in the handling of the MXIT p ...) {DSA-3620-1 DLA-542-1} - pidgin 2.11.0-1 NOTE: http://www.talosintel.com/reports/TALOS-2016-0141/ NOTE: http://www.pidgin.im/news/security/?id=106 NOTE: https://bitbucket.org/pidgin/main/commits/e6159ad42c4c CVE-2016-2372 (An information leak exists in the handling of the MXIT protocol in Pid ...) {DSA-3620-1 DLA-542-1} - pidgin 2.11.0-1 NOTE: http://www.talosintel.com/reports/TALOS-2016-0140/ NOTE: http://www.pidgin.im/news/security/?id=105 NOTE: https://bitbucket.org/pidgin/main/commits/5e3601f8bde4 NOTE: https://bitbucket.org/pidgin/main/commits/1c5197a66760 NOTE: https://bitbucket.org/pidgin/main/commits/648f667a679c CVE-2016-2371 (An out-of-bounds write vulnerability exists in the handling of the MXI ...) {DSA-3620-1 DLA-542-1} - pidgin 2.11.0-1 NOTE: http://www.talosintel.com/reports/TALOS-2016-0139/ NOTE: http://www.pidgin.im/news/security/?id=104 NOTE: https://bitbucket.org/pidgin/main/commits/f0287378203fbf496a9890bf273d96adefb93b74 CVE-2016-2370 (A denial of service vulnerability exists in the handling of the MXIT p ...) {DSA-3620-1 DLA-542-1} - pidgin 2.11.0-1 NOTE: http://www.talosintel.com/reports/TALOS-2016-0138/ NOTE: http://www.pidgin.im/news/security/?id=103 NOTE: https://bitbucket.org/pidgin/main/commits/5e3601f8bde4 NOTE: https://bitbucket.org/pidgin/main/commits/1c5197a66760 NOTE: https://bitbucket.org/pidgin/main/commits/648f667a679c CVE-2016-2369 (A NULL pointer dereference vulnerability exists in the handling of the ...) {DSA-3620-1 DLA-542-1} - pidgin 2.11.0-1 NOTE: http://www.talosintel.com/reports/TALOS-2016-0137/ NOTE: http://www.pidgin.im/news/security/?id=102 CVE-2016-2368 (Multiple memory corruption vulnerabilities exist in the handling of th ...) {DSA-3620-1 DLA-542-1} - pidgin 2.11.0-1 NOTE: http://www.talosintel.com/reports/TALOS-2016-0136/ NOTE: http://www.pidgin.im/news/security/?id=101 NOTE: https://bitbucket.org/pidgin/main/commits/60f95045db42 NOTE: https://bitbucket.org/pidgin/main/commits/f6efc254e947 CVE-2016-2367 (An information leak exists in the handling of the MXIT protocol in Pid ...) {DSA-3620-1 DLA-542-1} - pidgin 2.11.0-1 NOTE: http://www.talosintel.com/reports/TALOS-2016-0135/ NOTE: http://www.pidgin.im/news/security/?id=100 NOTE: https://bitbucket.org/pidgin/main/commits/5e3601f8bde4 NOTE: https://bitbucket.org/pidgin/main/commits/1c5197a66760 NOTE: https://bitbucket.org/pidgin/main/commits/648f667a679c CVE-2016-2366 (A denial of service vulnerability exists in the handling of the MXIT p ...) {DSA-3620-1 DLA-542-1} - pidgin 2.11.0-1 NOTE: http://www.talosintel.com/reports/TALOS-2016-0134/ NOTE: http://www.pidgin.im/news/security/?id=99 NOTE: https://bitbucket.org/pidgin/main/commits/abdc3025f6b8 CVE-2016-2365 (A denial of service vulnerability exists in the handling of the MXIT p ...) {DSA-3620-1 DLA-542-1} - pidgin 2.11.0-1 NOTE: http://www.talosintel.com/reports/TALOS-2016-0133/ NOTE: http://www.pidgin.im/news/security/?id=98 NOTE: https://bitbucket.org/pidgin/main/commits/1c4acc6977a8686ad980e5b820327c9c47dbeaca CVE-2016-2364 (The Chrome HUDweb plugin before 2016-05-05 for Fonality (previously tr ...) NOT-FOR-US: Fonality CVE-2016-2363 (Fonality (previously trixbox Pro) 12.6 through 14.1i before 2016-06-01 ...) NOT-FOR-US: Fonality CVE-2016-2362 (Fonality (previously trixbox Pro) 12.6 through 14.1i before 2016-06-01 ...) NOT-FOR-US: Fonality CVE-2016-2361 RESERVED CVE-2016-2360 (Milesight IP security cameras through 2016-11-14 have a default root p ...) NOT-FOR-US: Milesight IP security cameras CVE-2016-2359 (Milesight IP security cameras through 2016-11-14 allow remote attacker ...) NOT-FOR-US: Milesight IP security cameras CVE-2016-2358 (Milesight IP security cameras through 2016-11-14 have a default set of ...) NOT-FOR-US: Milesight IP security cameras CVE-2016-2357 (Milesight IP security cameras through 2016-11-14 have a hardcoded SSL ...) NOT-FOR-US: Milesight IP security cameras CVE-2016-2356 (Milesight IP security cameras through 2016-11-14 have a buffer overflo ...) NOT-FOR-US: Milesight IP security cameras CVE-2016-2355 (SQL injection vulnerability in the REST API in dotCMS before 3.3.2 all ...) NOT-FOR-US: dotCMS CVE-2016-2354 (The Bluetooth functionality in Lemur Vehicle Monitors BlueDriver befor ...) NOT-FOR-US: Lemur Vehicle Monitors BlueDriver CVE-2016-2353 (The Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows ...) NOT-FOR-US: Accellion CVE-2016-2352 (The Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows ...) NOT-FOR-US: Accellion CVE-2016-2351 (SQL injection vulnerability in home/seos/courier/security_key2.api on ...) NOT-FOR-US: Accellion CVE-2016-2350 (Multiple cross-site scripting (XSS) vulnerabilities on the Accellion F ...) NOT-FOR-US: Accellion CVE-2016-2349 (Remedy AR System Server in BMC Remedy 8.1 SP 2, 9.0, 9.0 SP 1, and 9.1 ...) NOT-FOR-US: BMC CVE-2016-2348 RESERVED CVE-2016-2347 (Integer underflow in the decode_level3_header function in lib/lha_file ...) {DSA-3540-1} - lhasa 0.3.1-1 NOTE: http://www.talosintel.com/reports/TALOS-2016-0095/ CVE-2016-2346 (Allround Automations PL/SQL Developer 11 before 11.0.6 relies on unver ...) NOT-FOR-US: Allround Automations CVE-2016-2345 (Stack-based buffer overflow in dwrcs.exe in the dwmrcs daemon in Solar ...) NOT-FOR-US: SolarWinds DameWare Mini Remote Control CVE-2016-2344 (Stack-based buffer overflow in manager.exe in Backburner Manager in Au ...) NOT-FOR-US: Autodesk Backburner CVE-2016-2343 (Patterson Dental Eaglesoft 17 has a hardcoded password of sql for the ...) NOT-FOR-US: Patterson Dental Eaglesoft 17 CVE-2016-2342 (The bgp_nlri_parse_vpnv4 function in bgp_mplsvpn.c in the VPNv4 NLRI p ...) {DSA-3532-1} - quagga 1.0.20160315-1 (bug #819179) NOTE: http://git.savannah.gnu.org/cgit/quagga.git/commit/?id=a3bc7e9400b214a0f078fdb19596ba54214a1442 NOTE: https://www.kb.cert.org/vuls/id/270232 CVE-2016-2341 RESERVED CVE-2016-2340 (The AMF framework in Granite Data Services 3.1.1-SNAPSHOT allows remot ...) NOT-FOR-US: Granite CVE-2016-2339 (An exploitable heap overflow vulnerability exists in the Fiddle::Funct ...) {DLA-1421-1} - ruby2.3 2.3.0-1 - ruby2.1 (bug #851161) NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0034/ NOTE: Fixed by: https://github.com/ruby/ruby/commit/bcc2421b4938fc1d9f5f3fb6ef2320571b27af42 NOTE: Fixed by: https://github.com/ruby/ruby/commit/de577357e80fa15f5cf13a81aa3decc783ea929e NOTE: Fixed by: https://github.com/ruby/ruby/commit/4977af3c3d54d27167bfc237f1b2802c40bddc10 CVE-2016-2338 (An exploitable heap overflow vulnerability exists in the Psych::Emitte ...) {DLA-2158-1} - ruby2.3 2.3.0-1 - ruby2.1 NOTE: https://talosintelligence.com/reports/TALOS-2016-0032 NOTE: https://git.ruby-lang.org/ruby.git/commit/?id=db48c307944a9a18877236bdf9e9b778875f38ed CVE-2016-2337 (Type confusion exists in _cancel_eval Ruby's TclTkIp class method. Att ...) {DLA-1480-1} - ruby2.3 2.3.0-1 - ruby2.1 (bug #851161) NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0031/ NOTE: https://github.com/ruby/ruby/commit/a2b8925a94a672235ca6a16e584bf09026a957ab CVE-2016-2336 (Type confusion exists in two methods of Ruby's WIN32OLE class, ole_inv ...) - ruby2.3 (Windows-specific) - ruby2.1 (Windows-specific) NOTE: Vulnerable win32ole ruby extension not included in binary packages, specific to Windows NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0029/ CVE-2016-2335 (The CInArchive::ReadFileItem method in Archive/Udf/UdfIn.cpp in 7zip 9 ...) {DSA-3599-1 DLA-510-1} - p7zip 15.14.1+dfsg-2 (bug #824160) NOTE: http://www.talosintel.com/reports/TALOS-2016-0094/ CVE-2016-2334 (Heap-based buffer overflow in the NArchive::NHfs::CHandler::ExtractZli ...) - p7zip 15.14.1+dfsg-2 (bug #824160) [jessie] - p7zip (Introduced in 9.32) [wheezy] - p7zip (Introduced in 9.32) NOTE: http://www.talosintel.com/reports/TALOS-2016-0093/ NOTE: https://twitter.com/_Icewall/status/739731922998448129 CVE-2016-2333 (SysLINK SL-1000 Machine-to-Machine (M2M) Modular Gateway devices with ...) NOT-FOR-US: SysLINK CVE-2016-2332 (flu.cgi in the web interface on SysLINK SL-1000 Machine-to-Machine (M2 ...) NOT-FOR-US: SysLINK CVE-2016-2331 (The web interface on SysLINK SL-1000 Machine-to-Machine (M2M) Modular ...) NOT-FOR-US: SysLINK CVE-2016-2385 (Heap-based buffer overflow in the encode_msg function in encode_msg.c ...) {DSA-3535-1} - kamailio 4.3.4-2 (bug #815178) NOTE: https://github.com/kamailio/kamailio/commit/f50c9c853e7809810099c970780c30b0765b0643 NOTE: https://census-labs.com/news/2016/03/30/kamailio-seas-heap-overflow/ CVE-2016-2384 (Double free vulnerability in the snd_usbmidi_create function in sound/ ...) {DSA-3503-1 DLA-439-1} - linux 4.4.2-1 - linux-2.6 NOTE: Fixed by: https://git.kernel.org/linus/07d86ca93db7e5cdf4743564d98292042ec21af7 (v4.5-rc4) NOTE: http://www.openwall.com/lists/oss-security/2016/02/14/2 NOTE: https://xairy.github.io/blog/2016/cve-2016-2384 CVE-2016-2383 (The adjust_branches function in kernel/bpf/verifier.c in the Linux ker ...) - linux 4.4.2-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) - linux-2.6 (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/a1b14d27ed0965838350f1377ff97c93ee383492 (v4.5-rc4) NOTE: Introduced by: https://git.kernel.org/linus/9bac3d6d548e5cc925570b263f35b70a00a00ffd (v4.1-rc1) NOTE: http://www.openwall.com/lists/oss-security/2016/02/14/1 CVE-2016-XXXX [exec functions ignore length but look for NULL termination] - php5 5.6.18+dfsg-1 [jessie] - php5 5.6.19+dfsg-0+deb8u1 [wheezy] - php5 5.4.45-0+deb7u7 - php5.6 5.6.18+dfsg-1 - php7.0 7.0.3-1 [squeeze] - php5 5.3.3.1-7+squeeze29 NOTE: temporary workaround until CVE assigned to explitly tag for squeeze NOTE: https://bugs.php.net/bug.php?id=71039 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305494 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=c527549e899bf211aac7d8ab5ceb1bdfedf07f14 NOTE: Fixed in 5.6.18, 5.5.32, 7.0.3 CVE-2016-10712 (In PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3, all o ...) {DLA-818-1} - php5 5.6.18+dfsg-1 [jessie] - php5 5.6.19+dfsg-0+deb8u1 - php5.6 5.6.18+dfsg-1 - php7.0 7.0.3-1 NOTE: https://bugs.php.net/bug.php?id=71323 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305523 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=6297a117d77fa3a0df2e21ca926a92c231819cd5 NOTE: Fixed in 5.6.18, 5.5.32, 7.0.3 CVE-2016-XXXX [Integer overflow in iptcembed()] - php5 5.6.18+dfsg-1 [jessie] - php5 5.6.19+dfsg-0+deb8u1 [wheezy] - php5 5.4.45-0+deb7u7 - php5.6 5.6.18+dfsg-1 - php7.0 7.0.3-1 [squeeze] - php5 5.3.3.1-7+squeeze29 NOTE: temporary workaround until CVE assigned to explitly tag for squeeze NOTE: https://bugs.php.net/bug.php?id=71459 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305518 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=54c210d2ea9b8539edcde1888b1104b96b38e886 NOTE: Fixed in 5.6.18, 5.5.32, 7.0.3 - hhvm 3.12.1+dfsg-1 NOTE: https://github.com/facebook/hhvm/commit/381702ffbfdae170ba3fff97d6cc1b9c69666854 CVE-2016-4348 (The _rsvg_css_normalize_font_size function in librsvg 2.40.2 allows co ...) {DSA-3584-1 DLA-477-1} - librsvg 2.40.12-1 NOTE: https://git.gnome.org/browse/librsvg/commit/?id=d1c9191949747f6dcfd207831d15dd4ba00e31f2 (2.40.12) CVE-2016-4347 REJECTED CVE-2016-4346 (Integer overflow in the str_pad function in ext/standard/string.c in P ...) - php7.0 7.0.4-1 - php5 (Only affects PHP7.x) NOTE: https://bugs.php.net/bug.php?id=71637 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=57b997ebf99e0eb9a073e0dafd2ab100bd4a112d NOTE: Reproducer: second test script 2.php in upstream bugreport CVE-2016-4345 (Integer overflow in the php_filter_encode_url function in ext/filter/s ...) - php7.0 7.0.4-1 - php5 (Only affects PHP7.x) NOTE: https://bugs.php.net/bug.php?id=71637 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=57b997ebf99e0eb9a073e0dafd2ab100bd4a112d CVE-2016-4344 (Integer overflow in the xml_utf8_encode function in ext/xml/xml.c in P ...) - php7.0 7.0.4-1 - php5 (Only affects PHP7.x) NOTE: https://bugs.php.net/bug.php?id=71637 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=57b997ebf99e0eb9a073e0dafd2ab100bd4a112d CVE-2016-4343 (The phar_make_dirstream function in ext/phar/dirstream.c in PHP before ...) {DLA-499-1} - php7.0 7.0.3-1 - php5 5.6.18+dfsg-1 [jessie] - php5 5.6.18+dfsg-0+deb8u1 NOTE: https://bugs.php.net/bug.php?id=71331 NOTE: Fixed in 7.0.3, 5.6.18 CVE-2016-4342 (ext/phar/phar_object.c in PHP before 5.5.32, 5.6.x before 5.6.18, and ...) {DLA-818-1} - php5 5.6.18+dfsg-1 [jessie] - php5 5.6.19+dfsg-0+deb8u1 [wheezy] - php5 (Minor issue, can be fixed in next update round) [squeeze] - php5 5.3.3.1-7+squeeze29 - php5.6 5.6.18+dfsg-1 - php7.0 7.0.3-1 NOTE: https://bugs.php.net/bug.php?id=71354 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305536 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=13ad4d3e971807f9a58ab5933182907dc2958539 NOTE: Fixed in 5.6.18, 5.5.32, 7.0.3 CVE-2016-XXXX [NULL Pointer Dereference in phar_tar_setupmetadata()] - php5 5.6.18+dfsg-1 [jessie] - php5 5.6.19+dfsg-0+deb8u1 [wheezy] - php5 5.4.45-0+deb7u7 - php5.6 5.6.18+dfsg-1 - php7.0 7.0.3-1 [squeeze] - php5 5.3.3.1-7+squeeze29 NOTE: temporary workaround until CVE assigned to explitly tag for squeeze NOTE: https://bugs.php.net/bug.php?id=71391 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305540 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=1c1b8b69982375700d4b011eb89ea48b66dbd5aa NOTE: Fixed in 5.6.18, 5.5.32, 7.0.3 CVE-2016-2554 (Stack-based buffer overflow in ext/phar/tar.c in PHP before 5.5.32, 5. ...) {DLA-818-1} - php5 5.6.18+dfsg-1 [jessie] - php5 5.6.19+dfsg-0+deb8u1 [wheezy] - php5 (Minor issue, can be fixed in next update round) - php5.6 5.6.18+dfsg-1 - php7.0 7.0.3-1 NOTE: https://bugs.php.net/bug.php?id=71488 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305543 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=07c7df68bd68bbe706371fccc77c814ebb335d9e NOTE: Fixed in 5.6.18, 5.5.32, 7.0.3 NOTE: http://www.openwall.com/lists/oss-security/2016/02/22/5 CVE-2016-XXXX [Type confusion vulnerability in WDDX packet deserialization] - php5 5.6.18+dfsg-1 [jessie] - php5 5.6.19+dfsg-0+deb8u1 [wheezy] - php5 5.4.45-0+deb7u7 - php5.6 5.6.18+dfsg-1 - php7.0 7.0.3-1 NOTE: https://bugs.php.net/bug.php?id=71335 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305559 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=285cd3417fb61597345b829f5f573707bbdcd484 NOTE: Fixed in 5.6.18, 5.5.32, 7.0.3 CVE-2016-XXXX [Crash on bad SOAP request] - php5 5.6.18+dfsg-1 [jessie] - php5 5.6.19+dfsg-0+deb8u1 [wheezy] - php5 5.4.45-0+deb7u7 - php5.6 5.6.18+dfsg-1 - php7.0 7.0.3-1 [squeeze] - php5 5.3.3.1-7+squeeze29 NOTE: temporary workaround until CVE assigned to explitly tag for squeeze NOTE: https://bugs.php.net/bug.php?id=70979 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305551 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=4308c868f94df1f2b99e80038ba5ea1076d919a7 NOTE: Fixed in 5.6.18, 7.0.3 CVE-2016-2330 (libavcodec/gif.c in FFmpeg before 2.8.6 does not properly calculate a ...) - ffmpeg 2.8.6-1 - libav (Libav not affected according to upstream) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=03d83ba34b2070878909eae18dfac0f519503777 CVE-2016-2329 (libavcodec/tiff.c in FFmpeg before 2.8.6 does not properly validate Ro ...) - ffmpeg 2.8.6-1 - libav (Vulnerable code not present in any Libav version) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=89f464e9c229006e16f6bb5403c5529fdd0a9edd CVE-2016-2328 (libswscale/swscale_unscaled.c in FFmpeg before 2.8.6 does not validate ...) - ffmpeg 2.8.6-1 - libav (Vulnerable code not present) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=ad3b6fa7d83db7de951ed891649af93a47e74be5 NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=757248ea3cd917a7755cb15f817a9b1f15578718 CVE-2016-2327 (libavcodec/pngenc.c in FFmpeg before 2.8.5 uses incorrect line sizes i ...) - ffmpeg 2.8.5-1 - libav (Vulnerable code not present) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=8f4c3e4b92212d98f5b9ca2dee13e076effe9589 NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=7ec9c5ce8a753175244da971fed9f1e25aef7971 CVE-2016-2326 (Integer overflow in the asf_write_packet function in libavformat/asfen ...) {DSA-3506-1} - ffmpeg 2.8.5-1 - libav NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=7c0b84d89911b2035161f5ef51aafbfcc84aa9e2 CVE-2016-2325 RESERVED CVE-2016-2324 (Integer overflow in Git before 2.7.4 allows remote attackers to execut ...) {DSA-3521-1} - git 1:2.8.0~rc3-1 (bug #818318) NOTE: Removal of path_name: https://github.com/git/git/commit/9831e92bfa833ee9c0ce464bbc2f941ae6c2698d (v2.8.0-rc0) NOTE: http://www.openwall.com/lists/oss-security/2016/03/16/2 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=971328#c4 - cgit (path_name function from embedded git is not called) CVE-2016-2323 RESERVED CVE-2016-2322 RESERVED CVE-2016-2321 RESERVED CVE-2016-2320 RESERVED CVE-2016-2319 RESERVED CVE-2016-2315 (revision.c in git before 2.7.4 uses an incorrect integer data type, wh ...) {DSA-3521-1} - git 1:2.7.0-1 (bug #818318) NOTE: https://github.com/git/git/commit/34fa79a6cde56d6d428ab0d3160cb094ebad3305 (v2.7.0-rc0) - cgit (path_name function from embedded git is not called) CVE-2016-2314 (GlobespanVirata ftpd 1.0, as used on Huawei SmartAX MT882 devices V200 ...) NOT-FOR-US: Huawei CVE-2016-2318 (GraphicsMagick 1.3.23 allows remote attackers to cause a denial of ser ...) {DSA-3746-1 DLA-484-1} - graphicsmagick 1.3.24-1 (bug #814732) NOTE: Fixed by: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/e797bb0aec31 CVE-2016-2317 (Multiple buffer overflows in GraphicsMagick 1.3.23 allow remote attack ...) {DSA-3746-1 DLA-484-1} - graphicsmagick 1.3.24-1 (bug #814732) NOTE: FIX http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/98394eb235a6 NOTE: FIX http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/52b59d2ef4a1 NOTE: FIX http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/44ed8318ba6a CVE-2016-2311 (Black Box AlertWerks ServSensor with firmware before SP473, AlertWerks ...) NOT-FOR-US: AlertWerks CVE-2016-2310 (General Electric (GE) Multilink ML800, ML1200, ML1600, and ML2400 swit ...) NOT-FOR-US: GE Multilink devices CVE-2016-2309 (iRZ RUH2 before 2b does not validate firmware patches, which allows re ...) NOT-FOR-US: iRZ RUH2 CVE-2016-2308 (American Auto-Matrix Aspect-Nexus Building Automation Front-End Soluti ...) NOT-FOR-US: American Auto-Matrix CVE-2016-2307 (American Auto-Matrix Aspect-Nexus Building Automation Front-End Soluti ...) NOT-FOR-US: American Auto-Matrix CVE-2016-2306 (The HMI web server in Ecava IntegraXor before 5.0 build 4522 allows re ...) NOT-FOR-US: Ecava IntegraXor CVE-2016-2305 (Cross-site scripting (XSS) vulnerability in Ecava IntegraXor before 5. ...) NOT-FOR-US: Ecava IntegraXor CVE-2016-2304 (Ecava IntegraXor before 5.0 build 4522 does not include the HTTPOnly f ...) NOT-FOR-US: Ecava IntegraXor CVE-2016-2303 (CRLF injection vulnerability in Ecava IntegraXor before 5.0 build 4522 ...) NOT-FOR-US: Ecava IntegraXor CVE-2016-2302 (Ecava IntegraXor before 5.0 build 4522 allows remote attackers to obta ...) NOT-FOR-US: Ecava IntegraXor CVE-2016-2301 (SQL injection vulnerability in Ecava IntegraXor before 5.0 build 4522 ...) NOT-FOR-US: Ecava IntegraXor CVE-2016-2300 (Ecava IntegraXor before 5.0 build 4522 allows remote attackers to bypa ...) NOT-FOR-US: Ecava IntegraXor CVE-2016-2299 (SQL injection vulnerability in Ecava IntegraXor before 5.0 build 4522 ...) NOT-FOR-US: Ecava IntegraXor CVE-2016-2298 (Meteocontrol WEB'log Basic 100, Light, Pro, and Pro Unlimited allows r ...) NOT-FOR-US: Meteocontrol CVE-2016-2297 (Meteocontrol WEB'log Basic 100, Light, Pro, and Pro Unlimited allows r ...) NOT-FOR-US: Meteocontrol CVE-2016-2296 (Meteocontrol WEB'log Basic 100, Light, Pro, and Pro Unlimited does not ...) NOT-FOR-US: Meteocontrol CVE-2016-2295 (Moxa MiiNePort_E1_4641 devices with firmware 1.1.10 Build 09120714, Mi ...) NOT-FOR-US: Moxa CVE-2016-2294 (The AXM-NET module in Accuenergy Acuvim II NET Firmware 3.08 and Acuvi ...) NOT-FOR-US: Acuvim CVE-2016-2293 (The AXM-NET module in Accuenergy Acuvim II NET Firmware 3.08 and Acuvi ...) NOT-FOR-US: Acuvim CVE-2016-2292 (Stack-based buffer overflow in Pro-face GP-Pro EX EX-ED before 4.05.00 ...) NOT-FOR-US: Pro-face CVE-2016-2291 (Pro-face GP-Pro EX EX-ED before 4.05.000, PFXEXEDV before 4.05.000, PF ...) NOT-FOR-US: Pro-face CVE-2016-2290 (Heap-based buffer overflow in Pro-face GP-Pro EX EX-ED before 4.05.000 ...) NOT-FOR-US: Pro-face CVE-2016-2289 (Directory traversal vulnerability in ICONICS WebHMI 9 and earlier allo ...) NOT-FOR-US: ICONICS WebHMI NOT-FOR-US: ICONICS CVE-2016-2288 (Cogent DataHub before 7.3.10 allows local users to gain privileges by ...) NOT-FOR-US: Cogent DataHub CVE-2016-2287 (Cross-site scripting (XSS) vulnerability in XZERES 442SR OS on 442SR w ...) NOT-FOR-US: XZERES CVE-2016-2286 (Moxa MiiNePort_E1_4641 devices with firmware 1.1.10 Build 09120714, Mi ...) NOT-FOR-US: Moxa CVE-2016-2285 (Cross-site request forgery (CSRF) vulnerability on Moxa MiiNePort_E1_4 ...) NOT-FOR-US: Moxa CVE-2016-2284 REJECTED CVE-2016-2283 (Moxa ioLogik E2200 devices before 3.12 and ioAdmin Configuration Utili ...) NOT-FOR-US: Moxa ioLogik E2200 devices CVE-2016-2282 (Moxa ioLogik E2200 devices before 3.12 and ioAdmin Configuration Utili ...) NOT-FOR-US: Moxa ioLogik E2200 devices CVE-2016-2281 (Untrusted search path vulnerability in ABB Panel Builder 800 5.1 allow ...) NOT-FOR-US: ABB Panel Builder CVE-2016-2280 (Buffer overflow in RDISERVER in Honeywell Uniformance Process History ...) NOT-FOR-US: Honeywell CVE-2016-2279 (Cross-site scripting (XSS) vulnerability in the web server in Rockwell ...) NOT-FOR-US: CompactLogix CVE-2016-2278 (Schneider Electric Struxureware Building Operations Automation Server ...) NOT-FOR-US: Schneider Electric CVE-2016-2277 (IAB.exe in Rockwell Automation Integrated Architecture Builder (IAB) b ...) NOT-FOR-US: Rockwell CVE-2016-2276 REJECTED CVE-2016-2275 (The web interface on Advantech/B+B SmartWorx VESP211-EU devices with f ...) NOT-FOR-US: SmartWorx CVE-2016-2274 (An issue was discovered in Adcon Telemetry A850 Telemetry Gateway Base ...) NOT-FOR-US: Adcon CVE-2016-2273 REJECTED CVE-2016-2272 (Eaton Lighting EG2 Web Control 4.04P and earlier allows remote attacke ...) NOT-FOR-US: Eaton Lighting CVE-2016-2271 (VMX in Xen 4.6.x and earlier, when using an Intel or Cyrix CPU, allows ...) {DSA-3519-1 DLA-479-1} - xen 4.8.0~rc3-1 (bug #823620) [squeeze] - xen (Unsupported in Squeeze LTS) NOTE: http://xenbits.xen.org/xsa/advisory-170.html CVE-2016-2270 (Xen 4.6.x and earlier allows local guest administrators to cause a den ...) {DSA-3519-1 DLA-479-1} - xen 4.8.0~rc3-1 [squeeze] - xen (Unsupported in Squeeze LTS) NOTE: http://xenbits.xen.org/xsa/advisory-154.html CVE-2016-2269 RESERVED CVE-2016-2268 (Dell SecureWorks app before 2.1 for iOS does not validate SSL certific ...) NOT-FOR-US: Dell CVE-2016-2267 REJECTED CVE-2016-2266 REJECTED CVE-2016-2265 REJECTED CVE-2016-2264 REJECTED CVE-2016-2263 REJECTED CVE-2016-2262 REJECTED CVE-2016-2261 REJECTED CVE-2016-2260 REJECTED CVE-2016-2259 REJECTED CVE-2016-2258 REJECTED CVE-2016-2257 REJECTED CVE-2016-2256 REJECTED CVE-2016-2255 REJECTED CVE-2016-2254 REJECTED CVE-2016-2253 REJECTED CVE-2016-2252 REJECTED CVE-2016-2251 REJECTED CVE-2016-2250 REJECTED CVE-2016-2249 REJECTED CVE-2016-2248 REJECTED CVE-2016-2247 REJECTED CVE-2016-2246 (HP ThinPro 4.4 through 6.1 mishandles the keyboard layout control pane ...) NOT-FOR-US: HP ThinPro CVE-2016-2245 (HP Support Assistant before 8.1.52.1 allows remote attackers to bypass ...) NOT-FOR-US: HP Support Assistant CVE-2016-2244 (HP LaserJet printers and MFPs and OfficeJet Enterprise printers with f ...) NOT-FOR-US: HP LaserJet Printers CVE-2016-2243 (Sure Start on HP Commercial PCs 2015 allows local users to cause a den ...) NOT-FOR-US: HP Commercial PCs with Sure Start CVE-2015-8813 (The Page_Load function in Umbraco.Web/umbraco.presentation/umbraco/das ...) NOT-FOR-US: Umbraco CVE-2015-8812 (drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel before 4.5 d ...) {DSA-3503-1 DLA-439-1} - linux 4.4.2-1 - linux-2.6 NOTE: http://www.openwall.com/lists/oss-security/2016/02/11/1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1303532 NOTE: Fixed by: https://git.kernel.org/linus/67f1aee6f45059fd6b0f5b0ecb2c97ad0451f6b3 (v4.5-rc1) NOTE: Introduced by: https://git.kernel.org/linus/04b5d028f50ff05a8f9ae049ee71f8fdfcf1f5de (v2.6.30-rc2) CVE-2016-2313 (auth_login.php in Cacti before 0.8.8g allows remote authenticated user ...) {DLA-560-1} - cacti 0.8.8g+ds1-1 (bug #814353) [jessie] - cacti 0.8.8b+dfsg-8+deb8u5 NOTE: http://svn.cacti.net/viewvc/cacti/tags/0.8.8g/docs/CHANGELOG?revision=7788&view=markup NOTE: http://bugs.cacti.net/view.php?id=2656 NOTE: Upstream fix: http://svn.cacti.net/viewvc?view=rev&revision=7770 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=965930 NOTE: http://www.openwall.com/lists/oss-security/2016/02/09/3 NOTE: Only exploitable in non default setup CVE-2016-2312 (Turning all screens off in Plasma-workspace and kscreenlocker while th ...) - plasma-workspace 4:5.4.3-2 (bug #814355) NOTE: Affects plasma-workspace < 5.5.0, kscreenlocker < 5.5.5 NOTE: kscreenlocker is only in experimental NOTE: https://www.kde.org/info/security/advisory-20160209-1.txt NOTE: https://bugs.kde.org/show_bug.cgi?id=358125 NOTE: https://bugzilla.opensuse.org/show_bug.cgi?id=964548 CVE-2016-XXXX [Stack corruption from crafted pattern] - pcre3 2:8.39-1 (bug #827564) [jessie] - pcre3 (Minor issue) [wheezy] - pcre3 (Vulnerable code not present) [squeeze] - pcre3 (Vulnerable code not present) - pcre2 (Vulnerable code not present) NOTE: https://bugs.exim.org/show_bug.cgi?id=1780 NOTE: Possibly introduced after http://vcs.pcre.org/pcre?view=revision&revision=1266 NOTE: Fixed by: http://vcs.pcre.org/pcre?view=revision&revision=1638 (8.39) CVE-2016-2242 (Exponent CMS 2.x before 2.3.7 Patch 3 allows remote attackers to execu ...) NOT-FOR-US: Exponent CMS CVE-2016-2241 RESERVED CVE-2016-2240 RESERVED CVE-2016-2239 RESERVED CVE-2016-2238 RESERVED CVE-2016-2237 RESERVED CVE-2016-2236 RESERVED CVE-2016-2235 RESERVED CVE-2016-2234 RESERVED CVE-2016-2233 (Stack-based buffer overflow in the inbound_cap_ls function in common/i ...) - hexchat 2.12.0-1 (low) [jessie] - hexchat (Minor issue, requires connection to a malicious server) NOTE: https://www.exploit-db.com/exploits/39657/ NOTE: https://github.com/hexchat/hexchat/issues/1934 NOTE: https://github.com/hexchat/hexchat/commit/4e061a43b3453a9856d34250c3913175c45afe9d CVE-2016-2231 (The Windows-based Host Interface Program (WHIP) service on Huawei Smar ...) NOT-FOR-US: Huawei CVE-2016-2230 (OpenELEC and RasPlex devices have a hardcoded password for the root ac ...) NOT-FOR-US: OpenELEC/ResPlex CVE-2016-2229 RESERVED CVE-2016-2227 RESERVED CVE-2016-2226 (Integer overflow in the string_appends function in cplus-dem.c in libi ...) {DLA-552-1} - ht 2.1.0+repack1-1 (low; bug #840358) [jessie] - ht (Minor issue) [wheezy] - ht (Minor issue) - binutils 2.27.51.20161102-1 (low) [jessie] - binutils (Minor issue) - libiberty 20161011-1 (low; bug #840360) [jessie] - libiberty (Minor issue) [wheezy] - libiberty (Minor issue) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687 NOTE: https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=234829 CVE-2015-8811 RESERVED CVE-2015-8810 RESERVED CVE-2015-8809 RESERVED CVE-2014-9766 (Integer overflow in the create_bits function in pixman-bits-image.c in ...) {DSA-3525-1 DLA-429-1} - pixman 0.32.6-1 NOTE: https://lists.freedesktop.org/archives/pixman/2014-April/003244.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=972647 CVE-2014-9765 (Buffer overflow in the main_get_appheader function in xdelta3-main.h i ...) {DSA-3484-1 DLA-417-1} - xdelta3 3.0.8-dfsg-1.1 (bug #814067) NOTE: https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2 NOTE: http://www.openwall.com/lists/oss-security/2016/02/08/1 CVE-2017-6100 (tcpdf before 6.2.0 uploads files from the server generating PDF-files ...) - tcpdf 6.2.12+dfsg2-1 (bug #814030) [jessie] - tcpdf 6.0.093+dfsg-1+deb8u1 NOTE: https://sourceforge.net/p/tcpdf/bugs/1005/ CVE-2015-8808 (The DecodeImage function in coders/gif.c in GraphicsMagick 1.3.18 allo ...) {DSA-3746-1 DLA-484-1} - graphicsmagick 1.3.21-2 NOTE: http://www.openwall.com/lists/oss-security/2016/02/06/1 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=8e8fa353f53 CVE-2016-2223 RESERVED CVE-2016-2220 RESERVED CVE-2016-2219 (Cross-site scripting (XSS) vulnerability in the management interface i ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2016-2218 RESERVED CVE-2016-2224 (The __decode_dotted function in libc/inet/resolv.c in uClibc-ng before ...) {DLA-561-1} - uclibc (unimportant) NOTE: Just for cross-compiling, not used for actual packages NOTE: http://repo.or.cz/uclibc-ng.git/commit/d9c3a16dcab57d6b56225b9a67e9119cc9e2e4ac NOTE: http://www.openwall.com/lists/oss-security/2016/02/05/2 CVE-2016-2225 (The __read_etc_hosts_r function in libc/inet/resolv.c in uClibc-ng bef ...) {DLA-561-1} - uclibc (unimportant) NOTE: Just for cross-compiling, not used for actual packages NOTE: http://repo.or.cz/uclibc-ng.git/commit/6932f2282ba0578d6ca2f21eead920d6b78bc93c NOTE: http://www.openwall.com/lists/oss-security/2016/02/05/2 CVE-2016-2216 (The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 ...) - nodejs 4.3.0~dfsg-1 (unimportant) NOTE: libv8 is not covered by security support NOTE: https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/ CVE-2016-2215 RESERVED CVE-2016-2214 (Cross-site scripting (XSS) vulnerability in an unspecified portal auth ...) NOT-FOR-US: Huawei CVE-2016-2212 (The getOrderByStatusUrlKey function in the Mage_Rss_Helper_Order class ...) NOT-FOR-US: Magento CVE-2016-2211 (The AntiVirus Decomposer engine in Symantec Advanced Threat Protection ...) NOT-FOR-US: Symantec CVE-2016-2210 (Buffer overflow in Dec2LHA.dll in the AntiVirus Decomposer engine in S ...) NOT-FOR-US: Symantec CVE-2016-2209 (Buffer overflow in Dec2SS.dll in the AntiVirus Decomposer engine in Sy ...) NOT-FOR-US: Symantec CVE-2016-2208 (The kernel component in Symantec Anti-Virus Engine (AVE) 20151.1 befor ...) NOT-FOR-US: Symantec CVE-2016-2207 (The AntiVirus Decomposer engine in Symantec Advanced Threat Protection ...) NOT-FOR-US: Symantec CVE-2016-2206 (The management console in Symantec Workspace Streaming (SWS) 7.5.x bef ...) NOT-FOR-US: Symantec CVE-2016-2205 (Directory traversal vulnerability in the file-download configuration f ...) NOT-FOR-US: Symantec CVE-2016-2204 (The management console on Symantec Messaging Gateway (SMG) Appliance d ...) NOT-FOR-US: Symantec CVE-2016-2203 (The management console on Symantec Messaging Gateway (SMG) Appliance d ...) NOT-FOR-US: Symantec CVE-2016-2202 (The Inventory Solution component in the Management Agent in the client ...) NOT-FOR-US: Symantec CVE-2016-2201 (Siemens SIMATIC S7-1500 CPU devices before 1.8.3 allow remote attacker ...) NOTE: Siemens SIMATIC CVE-2016-2200 (Siemens SIMATIC S7-1500 CPU devices before 1.8.3 allow remote attacker ...) NOTE: Siemens SIMATIC CVE-2015-8802 REJECTED CVE-2015-8801 (Race condition in the client in Symantec Endpoint Protection (SEP) 12. ...) NOT-FOR-US: Symantec CVE-2015-8800 (Symantec Embedded Security: Critical System Protection (SES:CSP) 1.0.x ...) NOT-FOR-US: Symantec CVE-2015-8799 (Directory traversal vulnerability in the Management Server in Symantec ...) NOT-FOR-US: Symantec CVE-2015-8798 (Directory traversal vulnerability in the Management Server in Symantec ...) NOT-FOR-US: Symantec CVE-2016-4009 (Integer overflow in the ImagingResampleHorizontal function in libImagi ...) - pillow 3.1.1-1 [jessie] - pillow - python-imaging [wheezy] - python-imaging [squeeze] - python-imaging NOTE: https://github.com/python-pillow/Pillow/commit/4e0d9b0b9740d258ade40cce248c93777362ac1e NOTE: Upstream confirmed that versions prior 2.7 are not vulnerable. NOTE: https://github.com/python-pillow/Pillow/pull/1714 NOTE: https://github.com/python-pillow/Pillow/issues/1737 CVE-2016-2232 (Asterisk Open Source 1.8.x, 11.x before 11.21.1, 12.x, and 13.x before ...) {DSA-3700-1} - asterisk 1:13.7.2~dfsg-1 [wheezy] - asterisk (Minor issue) [squeeze] - asterisk (Not supported in Squeeze LTS) NOTE: http://downloads.asterisk.org/pub/security/AST-2016-003.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-25603 NOTE: issue was introduced in 2006 with commit 0f5e4e47, so squeeze and previous also vulnerable NOTE: patch for 11 / jessie: https://code.asterisk.org/code/changelog/asterisk?cs=da2573a3779425654543d6ac4c4dd6871ce16720 NOTE: all versions vulnerable, backport required for wheezy CVE-2016-2316 (chan_sip in Asterisk Open Source 1.8.x, 11.x before 11.21.1, 12.x, and ...) {DSA-3700-1} - asterisk 1:13.7.2~dfsg-1 [wheezy] - asterisk (Minor issue) [squeeze] - asterisk (Not supported in Squeeze LTS) NOTE: http://downloads.asterisk.org/pub/security/AST-2016-002.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-25397 NOTE: issue introduced in ~2008 with the SIP timer support implementation (https://issues.asterisk.org/jira/browse/ASTERISK-4257 https://issues.asterisk.org/jira/browse/ASTERISK-5187), so squeeze also vulnerable NOTE: patch for jessie / 11: https://code.asterisk.org/code/changelog/asterisk?cs=882e85388295eac8eebd0b82e71a9af0a769b41f NOTE: all versions vulnerable, backport required for wheezy CVE-2015-8807 (Cross-site scripting (XSS) vulnerability in the _renderVarInput_number ...) {DSA-3496-1} - php-horde-core 2.22.4+debian0-1 (bug #813590) NOTE: https://github.com/horde/horde/commit/11d74fa5a22fe626c5e5a010b703cd46a136f253 NOTE: http://www.openwall.com/lists/oss-security/2016/02/06/4 CVE-2016-2228 (Cross-site scripting (XSS) vulnerability in horde/templates/topbar/_me ...) {DSA-3497-1} - php-horde 5.2.9+debian0-1 (bug #813573) NOTE: https://bugs.horde.org/ticket/14213 NOTE: http://lists.horde.org/archives/announce/2016/001140.html NOTE: https://github.com/horde/horde/commit/f03301cf6edcca57121a15e80014c4d0f29d99a0 NOTE: https://github.com/horde/horde/commit/ab07a1b447de34e13983b4d7ceb18b58c3a358d8 NOTE: http://www.openwall.com/lists/oss-security/2016/02/06/4 CVE-2016-7028 REJECTED CVE-2016-2199 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Orga ...) NOT-FOR-US: Enterprise Manager in McAfee Vulnerability Manager CVE-2016-2213 (The jpeg2000_decode_tile function in libavcodec/jpeg2000dec.c in FFmpe ...) - ffmpeg 7:2.8.6-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav (Vulnerable code not present) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=0aada30510d809bccfd539a90ea37b61188f2cb4 CVE-2016-2196 (Heap-based buffer overflow in the P-521 reduction function in Botan 1. ...) - botan1.10 (Introduced in 1.11.10) NOTE: Introduced in 1.11.10, fixed in 1.11.27 NOTE: http://botan.randombit.net/security.html CVE-2016-2195 (Integer overflow in the PointGFp constructor in Botan before 1.10.11 a ...) {DSA-3565-1 DLA-449-1} - botan1.10 1.10.12-1 NOTE: Introduced in 1.9.18, fixed in 1.11.27 and 1.10.11 NOTE: http://botan.randombit.net/security.html CVE-2016-2194 (The ressol function in Botan before 1.10.11 and 1.11.x before 1.11.27 ...) {DSA-3565-1 DLA-449-1} - botan1.10 1.10.12-1 NOTE: Introduced in 1.7.15, fixed in 1.11.27 and 1.10.11 NOTE: http://botan.randombit.net/security.html CVE-2016-2193 (PostgreSQL before 9.5.x before 9.5.2 does not properly maintain row-se ...) - postgresql-9.5 9.5.2-1 - postgresql-9.4 (Only affects 9.5.x) - postgresql-9.1 (Only affects 9.5.x) - postgresql-8.4 (Only affects 9.5.x) NOTE: http://www.postgresql.org/about/news/1656/ NOTE: http://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=db69e58a0642ef7fa46d62f6c4cf2460c3a1b41b CVE-2016-2192 (PostgreSQL PL/Java before 1.5.0 allows remote authenticated users to a ...) - postgresql-pljava [wheezy] - postgresql-pljava (Minor issue) CVE-2016-2191 (The bmp_read_rows function in pngxtern/pngxrbmp.c in OptiPNG before 0. ...) {DSA-3546-1} - optipng 0.7.6-1 (bug #820068) NOTE: https://sourceforge.net/p/optipng/bugs/59/ NOTE: http://www.openwall.com/lists/oss-security/2016/04/04/2 CVE-2016-2190 (Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x ...) - moodle 2.7.13+dfsg-1 CVE-2016-2189 REJECTED CVE-2016-2188 (The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the Li ...) {DLA-922-1} - linux 4.9.16-1 [jessie] - linux 3.16.43-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1317018 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283390 NOTE: http://seclists.org/bugtraq/2016/Mar/87 NOTE: http://marc.info/?l=linux-usb&m=145796659429788&w=2 NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4ec0ef3a82125efc36173062a50624550a900ae0 NOTE: From kernel-sec triaging: the above commits only handles the case where there NOTE: are zero endpoints, but not the case where there are some endpoints but none of the expected type. NOTE: Fixed by: https://git.kernel.org/linus/b7321e81fc369abe353cf094d4f0dc2fe11ab95f (v4.11-rc2) CVE-2016-2187 (The gtco_probe function in drivers/input/tablet/gtco.c in the Linux ke ...) {DSA-3607-1 DLA-516-1} - linux 4.5.2-1 NOTE: Upstream commit: https://git.kernel.org/linus/162f98dea487206d9ab79fc12ed64700667a894d (v4.6-rc5) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1317017 CVE-2016-2186 (The powermate_probe function in drivers/input/misc/powermate.c in the ...) {DSA-3607-1 DLA-516-1} - linux 4.5.1-1 (low) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1317015 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283384 NOTE: http://seclists.org/bugtraq/2016/Mar/85 NOTE: http://marc.info/?l=linux-usb&m=145796479528669&w=2 CVE-2016-2185 (The ati_remote2_probe function in drivers/input/misc/ati_remote2.c in ...) {DSA-3607-1 DLA-516-1} - linux 4.5.1-1 (low) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1317014 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283362 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283363 CVE-2016-2184 (The create_fixed_stream_quirk function in sound/usb/quirks.c in the sn ...) {DSA-3607-1 DLA-516-1} - linux 4.5.1-1 (low) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1317012 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283355 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283358 CVE-2016-2183 (The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec pro ...) NOTE: Generic protocol issue NOTE: The CVE is assigned for the protocol flaw in the DES/3DES cipher, used as a part of the SSL/TLS protocol. NOTE: What was done in OpenSSL: https://www.openssl.org/blog/blog/2016/08/24/sweet32/ NOTE: Python issue: https://bugs.python.org/issue27850 CVE-2016-2182 (The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 ...) {DSA-3673-1 DLA-637-1} - openssl 1.0.2i-1 NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=07bed46f332fce8c1d157689a2cdf915a982ae34 NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=099e2968ed3c7d256cda048995626664082b1b30 NOTE: https://www.openssl.org/news/secadv/20160922.txt NOTE: Fixed in 1.0.2i, 1.0.1u CVE-2016-2181 (The Anti-Replay feature in the DTLS implementation in OpenSSL before 1 ...) {DSA-3673-1 DLA-637-1} - openssl 1.0.2i-1 NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=1fb9fdc3027b27d8eb6a1e6a846435b070980770 NOTE: https://www.openssl.org/news/secadv/20160922.txt NOTE: Fixed in 1.0.2i, 1.0.1u CVE-2016-2180 (The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Publi ...) {DSA-3673-1 DLA-637-1} - openssl 1.0.2i-1 NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=0ed26acce328ec16a3aa635f1ca37365e8c7403a NOTE: https://www.openssl.org/news/secadv/20160922.txt NOTE: Fixed in 1.0.2i, 1.0.1u CVE-2016-2179 (The DTLS implementation in OpenSSL before 1.1.0 does not properly rest ...) {DSA-3673-1 DLA-637-1} - openssl 1.0.2i-1 NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=f5c7f5dfbaf0d2f7d946d0fe86f08e6bcb36ed0d NOTE: https://www.openssl.org/news/secadv/20160922.txt NOTE: Fixed in 1.0.2i, 1.0.1u CVE-2016-2178 (The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL throug ...) {DSA-3673-1 DLA-637-1} - openssl 1.0.2i-1 (low) NOTE: Fixed in master branch in https://git.openssl.org/?p=openssl.git;a=commit;h=399944622df7bd81af62e67ea967c470534090e2 NOTE: https://www.openssl.org/news/secadv/20160922.txt NOTE: Fixed in 1.0.2i, 1.0.1u CVE-2016-2177 (OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-bu ...) {DSA-3673-1 DLA-637-1} - openssl 1.0.2i-1 (low) NOTE: Fixed in 1.0.2 branch in https://git.openssl.org/?p=openssl.git;a=commit;h=a004e72b95835136d3f1ea90517f706c24c03da7 NOTE: https://www.openssl.org/blog/blog/2016/06/27/undefined-pointer-arithmetic/ NOTE: https://www.openssl.org/news/secadv/20160922.txt NOTE: Fixed in 1.0.2i, 1.0.1u CVE-2016-2176 (The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL be ...) - openssl (Only applies to EBCDIC systems) NOTE: Fixed in master in https://git.openssl.org/?p=openssl.git;a=commit;h=ea96ad5a206b7b5f25dad230333e8ff032df3219 NOTE: https://www.openssl.org/news/secadv/20160503.txt CVE-2016-2175 (Apache PDFBox before 1.8.12 and 2.x before 2.0.1 does not properly ini ...) {DSA-3606-1 DLA-505-1} - libpdfbox-java 1:1.8.12-1 NOTE: Fixed on upstream 1.8 branch in https://svn.apache.org/viewvc?view=revision&revision=1739564 NOTE: Fixed on upstream 2.0 branch in https://svn.apache.org/viewvc?view=revision&revision=1739565 CVE-2016-2174 (SQL injection vulnerability in the policy admin tool in Apache Ranger ...) NOT-FOR-US: Apache Ranger CVE-2016-2173 (org.springframework.core.serializer.DefaultDeserializer in Spring AMQP ...) NOT-FOR-US: Spring AMQP CVE-2016-2172 REJECTED CVE-2016-2171 (The User Manager service in Apache Jetspeed before 2.3.1 does not prop ...) NOT-FOR-US: Apache Jetspeed CVE-2016-2170 (Apache OFBiz 12.04.x before 12.04.06 and 13.07.x before 13.07.03 allow ...) NOT-FOR-US: Apache OFBiz CVE-2016-2169 (Cloud Foundry Cloud Controller, capi-release versions prior to 1.0.0 a ...) NOT-FOR-US: Cloud Foundry CVE-2016-2168 (The req_check_access function in the mod_authz_svn module in the httpd ...) {DSA-3561-1 DLA-448-1} - subversion 1.9.4-1 NOTE: https://subversion.apache.org/security/CVE-2016-2168-advisory.txt CVE-2016-2167 (The canonicalize_username function in svnserve/cyrus_auth.c in Apache ...) {DSA-3561-1 DLA-448-1} - subversion 1.9.4-1 NOTE: https://subversion.apache.org/security/CVE-2016-2167-advisory.txt CVE-2016-2166 (The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3 ...) - qpid-proton (Vulnerable code not present) NOTE: https://issues.apache.org/jira/browse/PROTON-1157 NOTE: http://qpid.apache.org/releases/qpid-proton-0.12.1/ NOTE: Affects Qpid Proton python API starting at 0.9 up to and including 0.12.0 CVE-2016-2165 (The Loggregator Traffic Controller endpoints in cf-release v231 and lo ...) NOT-FOR-US: Cloud Foundry CVE-2016-2164 (The (1) FileService.importFileByInternalUserId and (2) FileService.imp ...) NOT-FOR-US: Apache OpenMeetings CVE-2016-2163 (Cross-site scripting (XSS) vulnerability in Apache OpenMeetings before ...) NOT-FOR-US: Apache OpenMeetings CVE-2016-2162 (Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale o ...) - libstruts1.2-java (Only affects 2.0.0 to 2.3.24.1) NOTE: http://struts.apache.org/docs/s2-030.html CVE-2016-2161 (In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod ...) {DSA-3796-1} - apache2 2.4.25-1 [wheezy] - apache2 (Vulnerable code introduced in 2.4.x) NOTE: https://lists.apache.org/thread.html/139862b41c0dfd5e6e00ad89c00119f9faf0dd41a2f927da9c9a4076@%3Cannounce.httpd.apache.org%3E NOTE: Fixed by: https://svn.apache.org/r1772919 NOTE: Affects: 2.4.1 to 2.4.23 NOTE: Fixed in 2.4.25 CVE-2016-2160 (Red Hat OpenShift Enterprise 3.2 and OpenShift Origin allow remote aut ...) NOT-FOR-US: OpenShift CVE-2016-2159 (The save_submission function in mod/assign/externallib.php in Moodle t ...) - moodle 2.7.13+dfsg-1 CVE-2016-2158 (lib/ajax/getnavbranch.php in Moodle through 2.6.11, 2.7.x before 2.7.1 ...) - moodle 2.7.13+dfsg-1 CVE-2016-2157 (Cross-site request forgery (CSRF) vulnerability in mod/assign/adminman ...) - moodle 2.7.13+dfsg-1 CVE-2016-2156 (calendar/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13 ...) - moodle 2.7.13+dfsg-1 CVE-2016-2155 (The grade-reporting feature in Singleview (aka Single View) in Moodle ...) - moodle (Only affects 2.8 and later) CVE-2016-2154 (admin/tool/monitor/lib.php in Event Monitor in Moodle 2.8.x before 2.8 ...) - moodle (Only affects 2.8 and later) CVE-2016-2153 (Cross-site scripting (XSS) vulnerability in the advanced-search featur ...) - moodle 2.7.13+dfsg-1 CVE-2016-2152 (Multiple cross-site scripting (XSS) vulnerabilities in auth/db/auth.ph ...) - moodle 2.7.13+dfsg-1 CVE-2016-2151 (user/index.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x be ...) - moodle 2.7.13+dfsg-1 CVE-2016-2150 (SPICE allows local guest OS users to read from or write to arbitrary h ...) {DSA-3596-1 DLA-531-1} - spice 0.12.6-4.1 (bug #826584) CVE-2016-2149 (Red Hat OpenShift Enterprise 3.2 allows remote authenticated users to ...) NOT-FOR-US: OpenShift CVE-2016-2148 (Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox befo ...) {DLA-1445-1} - busybox 1:1.27.2-1 (bug #818497) [stretch] - busybox (Minor issue) [wheezy] - busybox (Minor issue) NOTE: https://git.busybox.net/busybox/commit/?id=352f79acbd759c14399e39baef21fc4ffe180ac2 CVE-2016-2147 (Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 ...) {DLA-1445-1} - busybox 1:1.27.2-1 (bug #818499) [stretch] - busybox (Minor issue) [wheezy] - busybox (Minor issue) NOTE: https://git.busybox.net/busybox/commit/?id=d474ffc68290e0a83651c4432eeabfa62cd51e87 CVE-2016-2146 (The am_read_post_data function in mod_auth_mellon before 0.11.1 does n ...) - libapache2-mod-auth-mellon 0.12.0-1 [jessie] - libapache2-mod-auth-mellon (Minor issue) CVE-2016-2145 (The am_read_post_data function in mod_auth_mellon before 0.11.1 does n ...) - libapache2-mod-auth-mellon 0.12.0-1 [jessie] - libapache2-mod-auth-mellon (Minor issue) CVE-2016-2144 REJECTED CVE-2016-2143 (The fork implementation in the Linux kernel before 4.5 on s390 platfor ...) {DSA-3607-1 DLA-516-1} - linux 4.4.6-1 [wheezy] - linux (Architecture not supported in Wheezy LTS) NOTE: Fixed by: https://git.kernel.org/linus/3446c13b268af86391d06611327006b059b8bab1 (v4.5) NOTE: Introduced in: https://git.kernel.org/linus/6252d702c5311ce916caf75ed82e5c8245171c92 (v2.6.25-rc1) CVE-2016-2142 (Red Hat OpenShift Enterprise 3.1 uses world-readable permissions on th ...) NOT-FOR-US: OpenShift CVE-2016-2141 (JGroups before 4.0 does not require the proper headers for the ENCRYPT ...) - libjgroups-java (low; bug #867493) [buster] - libjgroups-java (Minor issue, only used as build dep) [stretch] - libjgroups-java (Minor issue, only used as build dep) [jessie] - libjgroups-java (Minor issue) [wheezy] - libjgroups-java (Minor issue, only used as build dependency) CVE-2016-2140 (The libvirt driver in OpenStack Compute (Nova) before 2015.1.4 (kilo) ...) - nova 2:13.0.0-1 [jessie] - nova (Minor issue) [wheezy] - nova (Minor issue) NOTE: Affects: <=2015.1.3, >=12.0.0 <=12.0.2 CVE-2016-2139 RESERVED CVE-2016-2138 RESERVED CVE-2016-2137 REJECTED CVE-2016-2136 REJECTED CVE-2016-2135 REJECTED CVE-2016-2134 REJECTED CVE-2016-2133 REJECTED CVE-2016-2132 REJECTED CVE-2016-2131 REJECTED CVE-2016-2130 REJECTED CVE-2016-2129 REJECTED CVE-2016-2128 REJECTED CVE-2016-2127 REJECTED CVE-2016-2126 (Samba version 4.0.0 up to 4.5.2 is vulnerable to privilege elevation d ...) {DSA-3740-1} - samba 2:4.5.2+dfsg-2 [wheezy] - samba (Affects only Samba 4.0.0 to 4.5.2) NOTE: https://www.samba.org/samba/security/CVE-2016-2126.html CVE-2016-2125 (It was found that Samba before versions 4.5.3, 4.4.8, 4.3.13 always re ...) {DSA-3740-1 DLA-776-1} - samba 2:4.5.2+dfsg-2 NOTE: https://www.samba.org/samba/security/CVE-2016-2125.html NOTE: Patch (with some more) here: https://download.samba.org/pub/samba/patches/security/samba-4.3.12-security-20016-12-19.patch CVE-2016-2124 RESERVED CVE-2016-2123 (A flaw was found in samba versions 4.0.0 to 4.5.2. The Samba routine n ...) {DSA-3740-1} - samba 2:4.5.2+dfsg-2 [wheezy] - samba (Affects only Samba 4.0.0 to 4.5.2) NOTE: https://www.samba.org/samba/security/CVE-2016-2123.html CVE-2016-2122 RESERVED CVE-2016-2121 (A permissions flaw was found in redis, which sets weak permissions on ...) - redis 3:3.2.5-2 (bug #842987) [jessie] - redis (Minor issue) [wheezy] - redis (minor issue, details see #842987) NOTE: Might be Red Hat-specific, needs investigation NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1374700 CVE-2016-2120 (An issue has been found in PowerDNS Authoritative Server versions up t ...) {DSA-3764-1 DLA-798-1} - pdns 4.0.2-1 NOTE: https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/ CVE-2016-2119 (libcli/smb/smbXcli_base.c in Samba 4.x before 4.2.14, 4.3.x before 4.3 ...) {DSA-3740-1} - samba 2:4.4.5+dfsg-1 (bug #830195) [wheezy] - samba (Affects Samba 4.0.0 to 4.4.0) NOTE: https://www.samba.org/samba/security/CVE-2016-2119.html NOTE: Affects Samba 4.0.0 to 4.4.4 CVE-2016-2118 (The MS-SAMR and MS-LSAD protocol implementations in Samba 3.x and 4.x ...) {DSA-3548-1} - samba 2:4.3.7+dfsg-1 NOTE: https://www.samba.org/samba/security/CVE-2016-2118.html NOTE: http://badlock.org/ CVE-2016-2117 (The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in ...) {DSA-3607-1} - linux 4.5.2-1 [wheezy] - linux (Issue introduced with v3.10-rc1) NOTE: Introduced in https://git.kernel.org/linus/ec5f061564238892005257c83565a0b58ec79295 (v3.10-rc1) NOTE: http://www.openwall.com/lists/oss-security/2016/03/16/7 CVE-2016-2116 (Memory leak in the jas_iccprof_createfrombuf function in JasPer 1.900. ...) {DSA-3508-1} - jasper (bug #816626) NOTE: http://www.openwall.com/lists/oss-security/2016/03/03/12 CVE-2016-2115 (Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before ...) {DSA-3548-1} - samba 2:4.3.7+dfsg-1 NOTE: https://www.samba.org/samba/security/CVE-2016-2115.html CVE-2016-2114 (The SMB1 protocol implementation in Samba 4.x before 4.2.11, 4.3.x bef ...) {DSA-3548-1} - samba 2:4.3.7+dfsg-1 [wheezy] - samba (Affects Samba 4.0.0 to 4.4.0) NOTE: https://www.samba.org/samba/security/CVE-2016-2114.html CVE-2016-2113 (Samba 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 do ...) {DSA-3548-1} - samba 2:4.3.7+dfsg-1 [wheezy] - samba (Affects Samba 4.0.0 to 4.4.0) NOTE: https://www.samba.org/samba/security/CVE-2016-2113.html CVE-2016-2112 (The bundled LDAP client library in Samba 3.x and 4.x before 4.2.11, 4. ...) {DSA-3548-1} - samba 2:4.3.7+dfsg-1 NOTE: https://www.samba.org/samba/security/CVE-2016-2112.html CVE-2016-2111 (The NETLOGON service in Samba 3.x and 4.x before 4.2.11, 4.3.x before ...) {DSA-3548-1} - samba 2:4.3.7+dfsg-1 NOTE: https://www.samba.org/samba/security/CVE-2016-2111.html CVE-2016-2110 (The NTLMSSP authentication implementation in Samba 3.x and 4.x before ...) {DSA-3548-1} - samba 2:4.3.7+dfsg-1 NOTE: https://www.samba.org/samba/security/CVE-2016-2110.html CVE-2016-2109 (The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 ...) {DSA-3566-1 DLA-456-1} - openssl 1.0.2h-1 NOTE: Fixed in master in https://git.openssl.org/?p=openssl.git;a=commit;h=c62981390d6cf9e3d612c489b8b77c2913b25807 NOTE: https://www.openssl.org/news/secadv/20160503.txt CVE-2016-2108 (The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0 ...) {DSA-3566-1 DLA-456-1} - openssl 1.0.2c-1 NOTE: https://www.openssl.org/news/secadv/20160503.txt CVE-2016-2107 (The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1. ...) {DSA-3566-1 DLA-456-1} - openssl 1.0.2h-1 NOTE: https://www.openssl.org/news/secadv/20160503.txt CVE-2016-2106 (Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_e ...) {DSA-3566-1 DLA-456-1} - openssl 1.0.2h-1 NOTE: Fixed in master in https://git.openssl.org/?p=openssl.git;a=commit;h=3f3582139fbb259a1c3cbb0a25236500a409bf26 NOTE: https://www.openssl.org/news/secadv/20160503.txt CVE-2016-2105 (Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode ...) {DSA-3566-1 DLA-456-1} - openssl 1.0.2h-1 NOTE: Fixed in master in https://git.openssl.org/?p=openssl.git;a=commit;h=ee1e3cac2e83abc77bcc8ff98729ca1e10fcc920 NOTE: https://www.openssl.org/news/secadv/20160503.txt CVE-2016-2104 (Multiple cross-site scripting (XSS) vulnerabilities in Red Hat Satelli ...) NOT-FOR-US: Red Hat Satellite CVE-2016-2103 (Multiple cross-site scripting (XSS) vulnerabilities in Red Hat Satelli ...) NOT-FOR-US: Red Hat Satellite CVE-2016-2102 (HAProxy statistics in openstack-tripleo-image-elements are non-authent ...) - tripleo-image-elements (Configuration not found in Debian's version) CVE-2016-2101 RESERVED CVE-2016-2100 (Foreman before 1.10.3 and 1.11.0 before 1.11.0-RC2 allow remote authen ...) - foreman (bug #663101) CVE-2016-2099 (Use-after-free vulnerability in validators/DTD/DTDScanner.cpp in Apach ...) {DSA-3579-1 DLA-467-1} - xerces-c 3.1.3+debian-2 (bug #823863) NOTE: https://issues.apache.org/jira/browse/XERCESC-2066 CVE-2016-2098 (Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and ...) {DSA-3509-1 DLA-604-1} - rails 2:4.2.5.2-1 [wheezy] - rails (Vulnerable code not present, is only a transitional package) [squeeze] - rails (Not supported in Squeeze LTS) - ruby-actionpack-3.2 - ruby-actionpack-2.3 [wheezy] - ruby-actionpack-2.3 NOTE: Versions Affected: 3.2.x, 4.0.x, 4.1.x, 4.2.x NOTE: Fixed Versions: 3.2.22.2, 4.1.14.2, 4.2.5.2 CVE-2016-2097 (Directory traversal vulnerability in Action View in Ruby on Rails befo ...) {DSA-3509-1 DLA-604-1} - rails 2:4.2.5.2-1 [wheezy] - rails (Vulnerable code not present, is only a transitional package) [squeeze] - rails (Not supported in Squeeze LTS) - ruby-actionpack-3.2 - ruby-actionpack-2.3 [wheezy] - ruby-actionpack-2.3 NOTE: Versions Affected: 3.2.x, 4.0.x, 4.1.x NOTE: Not affected: 4.2+ NOTE: Fixed Versions: 3.2.22.2, 4.1.14.2 CVE-2016-2096 RESERVED CVE-2016-2095 RESERVED CVE-2016-2094 (The HTTPS NIO Connector allows remote attackers to cause a denial of s ...) NOT-FOR-US: JBoss EAP CVE-2016-2093 RESERVED CVE-2015-8806 (dict.c in libxml2 allows remote attackers to cause a denial of service ...) {DSA-3593-1 DLA-503-1} - libxml2 2.9.3+dfsg1-1.1 (bug #813613) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=749115 NOTE: Same fix as CVE-2016-1839 seems to resolve the issue CVE-2015-8805 (The ecc_256_modq function in ecc-256.c in Nettle before 3.2 does not p ...) - nettle 3.2-1 (bug #813679) [jessie] - nettle 2.7.1-5+deb8u1 [wheezy] - nettle (Vulnerable code not present) [squeeze] - nettle (Vulnerable code not present) NOTE: https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d CVE-2015-8804 (x86_64/ecc-384-modp.asm in Nettle before 3.2 does not properly handle ...) - nettle 3.2-1 (bug #813679) [jessie] - nettle 2.7.1-5+deb8u1 [wheezy] - nettle (Vulnerable code not present) [squeeze] - nettle (Vulnerable code not present) NOTE: https://lists.lysator.liu.se/pipermail/nettle-bugs/2015/003024.html NOTE: https://git.lysator.liu.se/nettle/nettle/commit/fa269b6ad06dd13c901dbd84a12e52b918a09cd7 CVE-2015-8803 (The ecc_256_modp function in ecc-256.c in Nettle before 3.2 does not p ...) - nettle 3.2-1 (bug #813679) [jessie] - nettle 2.7.1-5+deb8u1 [wheezy] - nettle (Vulnerable code not present) [squeeze] - nettle (Vulnerable code not present) NOTE: https://lists.lysator.liu.se/pipermail/nettle-bugs/2015/003028.html NOTE: https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d CVE-2015-8797 (Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/plug ...) - lucene-solr (Vulnerable code not present) NOTE: https://issues.apache.org/jira/browse/SOLR-7949 CVE-2015-8796 (Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/sche ...) - lucene-solr (Vulnerable code not present) NOTE: https://issues.apache.org/jira/browse/SOLR-7920 CVE-2015-8795 (Multiple cross-site scripting (XSS) vulnerabilities in the Admin UI in ...) - lucene-solr (Vulnerable code not present) NOTE: https://issues.apache.org/jira/browse/SOLR-7346 CVE-2015-8794 (Absolute path traversal vulnerability in program/steps/addressbook/pho ...) - roundcube 1.1.2+dfsg.1-1 [wheezy] - roundcube (Vulnerable code not present) [squeeze] - roundcube (Vulnerable code not present) NOTE: http://www.scip.ch/en/?vuldb.80732 NOTE: http://web.archive.org/web/20160329044745/http://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released NOTE: http://trac.roundcube.net/ticket/1490379 CVE-2015-8793 (Cross-site scripting (XSS) vulnerability in program/include/rcmail.php ...) - roundcube 1.1.2+dfsg.1-1 [wheezy] - roundcube (Vulnerable code not present) [squeeze] - roundcube (Vulnerable code not present) NOTE: http://web.archive.org/web/20160329044745/http://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released NOTE: http://www.scip.ch/en/?vuldb.80731 NOTE: http://trac.roundcube.net/ticket/1490417 - mentions 1.0 not vulnerable, verified code not present in squeeze NOTE: http://web.archive.org/web/20150627125240/http://trac.roundcube.net:80/changeset/b782815dac/github CVE-2015-8791 (The EbmlElement::ReadCodedSizeValue function in libEBML before 1.3.3 a ...) {DSA-3538-1 DLA-438-1} - libebml 1.3.3-1 NOTE: https://lists.matroska.org/pipermail/matroska-users/2015-October/006985.html NOTE: https://github.com/Matroska-Org/libebml/commit/24e5cd7c666b1ddd85619d60486db0a5481c1b90 CVE-2015-8790 (The EbmlUnicodeString::UpdateFromUTF8 function in libEBML before 1.3.3 ...) {DSA-3538-1 DLA-438-1} - libebml 1.3.3-1 NOTE: https://lists.matroska.org/pipermail/matroska-users/2015-October/006985.html NOTE: https://github.com/Matroska-Org/libebml/commit/ababb64e0c792ad2a314245233db0833ba12036b CVE-2016-2533 (Buffer overflow in the ImagingPcdDecode function in PcdDecode.c in Pil ...) {DSA-3499-1 DLA-422-1} - pillow 3.1.1-1 - python-imaging [wheezy] - python-imaging 1.1.7-4+deb7u2 NOTE: https://github.com/python-pillow/Pillow/pull/1706 NOTE: http://www.openwall.com/lists/oss-security/2016/02/02/5 NOTE: https://github.com/python-pillow/Pillow/commit/ae453aa18b66af54e7ff716f4ccb33adca60afd4 CVE-2016-2221 (Open redirect vulnerability in the wp_validate_redirect function in wp ...) {DSA-3472-1 DLA-418-1} - wordpress 4.4.2+dfsg-1 (bug #813697) NOTE: https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/ NOTE: https://core.trac.wordpress.org/changeset/36444 NOTE: http://www.openwall.com/lists/oss-security/2016/02/04/4 CVE-2016-2222 (The wp_http_validate_url function in wp-includes/http.php in WordPress ...) {DSA-3472-1 DLA-418-1} - wordpress 4.4.2+dfsg-1 (bug #813697) NOTE: https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/ NOTE: https://core.trac.wordpress.org/changeset/36435 NOTE: http://www.openwall.com/lists/oss-security/2016/02/04/4 CVE-2016-2217 (The OpenSSL address implementation in Socat 1.7.3.0 and 2.0.0-b8 does ...) - socat 1.7.3.1-1 (bug #813536) [jessie] - socat (Broken 1024bit DH parameter generated in 1.7.3.0) [wheezy] - socat (Broken 1024bit DH parameter generated in 1.7.3.0) [squeeze] - socat (Broken 1024bit DH parameter generated in 1.7.3.0) NOTE: The issues is about "In the OpenSSL address implementation the hard coded 1024 bit DH NOTE: p parameter was not prime.". Upstream has generated new parametes (and made it 2048 NOTE: bit long. NOTE: http://www.openwall.com/lists/oss-security/2016/02/01/4 NOTE: http://www.dest-unreach.org/socat/contrib/socat-secadv7.html CVE-2015-XXXX [Type Confusion Vulnerability in PHP_to_XMLRPC_worker()] - php5 5.6.17+dfsg-1 [jessie] - php5 5.6.17+dfsg-0+deb8u1 [wheezy] - php5 5.4.45-0+deb7u4 NOTE: Workaround entry for DLA-533-1 until CVE is assigned NOTE: http://git.php.net/?p=php-src.git;a=commit;h=f3c1863aa2721343245b63ac7bd68cfdc3dd41f3 NOTE: https://bugs.php.net/bug.php?id=70728 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/02/03/3 CVE-2015-XXXX [Session WDDX Packet Deserialization Type Confusion Vulnerability] - php5 5.6.17+dfsg-1 [jessie] - php5 5.6.17+dfsg-0+deb8u1 [wheezy] - php5 5.4.45-0+deb7u4 NOTE: Workaround entry for DLA-533-1 until CVE is assigned NOTE: https://git.php.net/?p=php-src.git;a=commit;h=1785d2b805f64eaaacf98c14c9e13107bf085ab1 NOTE: https://bugs.php.net/bug.php?id=70741 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/02/03/3 CVE-2015-XXXX [Use-after-free in WDDX Packet Deserialization] - php5 5.6.17+dfsg-1 [jessie] - php5 5.6.17+dfsg-0+deb8u1 [wheezy] - php5 5.4.45-0+deb7u4 NOTE: Workaround entry for DLA-533-1 until CVE is assigned NOTE: https://git.php.net/?p=php-src.git;a=commit;h=366f9505a4aae98ef2f4ca39a838f628a324b746 NOTE: https://bugs.php.net/bug.php?id=70661 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/02/03/3 CVE-2016-5114 (sapi/fpm/fpm/fpm_log.c in PHP before 5.5.31, 5.6.x before 5.6.17, and ...) {DLA-628-1} - php5 5.6.17+dfsg-1 [jessie] - php5 5.6.17+dfsg-0+deb8u1 [squeeze] - php5 (vulnerable code not present) NOTE: https://bugs.php.net/bug.php?id=70755 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=2721a0148649e07ed74468f097a28899741eb58f NOTE: http://seclists.org/bugtraq/2016/Jan/117 NOTE: http://www.openwall.com/lists/oss-security/2016/02/02/4 CVE-2016-3197 REJECTED CVE-2016-2092 RESERVED CVE-2016-2198 (QEMU (aka Quick Emulator) built with the USB EHCI emulation support is ...) {DLA-1497-1} - qemu 1:2.6+dfsg-1 (bug #813193) [wheezy] - qemu (Introduced after v1.2.0) [squeeze] - qemu (Introduced after v1.2.0) - qemu-kvm (Introduced after v1.2.0) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=dff0367cf66f489aa772320fa2937a8cac1ca30d (v2.6.0-rc0) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1301643 CVE-2016-2197 (QEMU (aka Quick Emulator) built with an IDE AHCI emulation support is ...) - qemu 1:2.6+dfsg-1 (bug #813194) [jessie] - qemu (Vulnerable code introduced later) [wheezy] - qemu (Vulnerable code introduced later) [squeeze] - qemu (Vulnerable code introduced later) - qemu-kvm (Vulnerable code introduced later) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=99b4cb71069f109b79b27bc629fc0cf0886dbc4b (v2.6.0-rc0) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1302057 NOTE: http://www.openwall.com/lists/oss-security/2016/01/29/2 NOTE: Introduced by: http://git.qemu.org/?p=qemu.git;a=commit;h=fc3d8e1138cd0c843d6fd75272633a31be6554ef (v2.3.0-rc2) CVE-2016-2088 (resolver.c in named in ISC BIND 9.10.x before 9.10.3-P4, when DNS cook ...) - bind9 (Introduced in Bind 9.10) NOTE: https://kb.isc.org/article/AA-01351 CVE-2016-2087 (Directory traversal vulnerability in the client in HexChat 2.11.0 allo ...) {DLA-1050-1} - xchat 2.8.8-10 [jessie] - xchat (Minor issue) - hexchat 2.12.4-4 (bug #852275) [stretch] - hexchat (Minor issue) [jessie] - hexchat (Minor issue) NOTE: https://www.exploit-db.com/exploits/39656/ NOTE: https://github.com/hexchat/hexchat/issues/1933 NOTE: https://github.com/hexchat/hexchat/commit/15600f405f2d5bda6ccf0dd73957395716e0d4d3 NOTE: Would be included in upstream source since the upload 2.12.3-0.1 to unstable but the NOTE: Debian packaging reverts the 15600f405f2d5bda6ccf0dd73957395716e0d4d3 commit NOTE: The Debian packagging drops the revert in 2.12.4-4 to not diverge from upstream. CVE-2016-2086 (Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before 4.3.0 ...) - nodejs 4.3.0~dfsg-1 (unimportant) NOTE: libv8 is not covered by security support NOTE: https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/ CVE-2015-8792 (The KaxInternalBlock::ReadData function in libMatroska before 1.4.4 al ...) {DSA-3526-1 DLA-420-1} - libmatroska 1.4.4-1 NOTE: http://lists.matroska.org/pipermail/matroska-users/2015-October/006985.html NOTE: https://github.com/Matroska-Org/libmatroska/commit/0a2d3e3644a7453b6513db2f9bc270f77943573f CVE-2015-8789 (Use-after-free vulnerability in the EbmlMaster::Read function in libEB ...) {DSA-3538-1} - libebml 1.3.3-1 [squeeze] - libebml (Vulnerable code not present) NOTE: http://lists.matroska.org/pipermail/matroska-users/2015-October/006985.html NOTE: https://github.com/Matroska-Org/libebml/commit/88409e2a94dd3b40ff81d08bf6d92f486d036b24 CVE-2015-8788 RESERVED CVE-2016-2091 (The dwarf_read_cie_fde_prefix function in dwarf_frame2.c in libdwarf 2 ...) {DLA-669-1} - dwarfutils 20160507-1 (bug #813148) [jessie] - dwarfutils 20120410-2+deb8u1 NOTE: http://www.openwall.com/lists/oss-security/2016/01/19/3 NOTE: Fixed by http://sourceforge.net/p/libdwarf/code/ci/9565964f26966d8391fe2cfa8e6e8e59278c5f91 CVE-2016-2090 (Off-by-one vulnerability in the fgetwln function in libbsd before 0.8. ...) {DLA-2052-1} - libbsd 0.8.2-1 [wheezy] - libbsd (Vulnerable code not present) [squeeze] - libbsd (Vulnerable code not present) NOTE: Not used anywhere in Debian according to codesearch.debian.net NOTE: https://blog.fuzzing-project.org/36-Heap-buffer-overflow-in-fgetwln-function-of-libbsd.html NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=93881 NOTE: Fixed by: http://cgit.freedesktop.org/libbsd/commit/?id=c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7 (0.8.2) NOTE: Introduced by: http://cgit.freedesktop.org/libbsd/commit/?id=a97ce513e031b29a47965b740be14fb9a84277fc (0.5.0) CVE-2016-2089 (The jas_matrix_clip function in jas_seq.c in JasPer 1.900.1 allows rem ...) {DSA-3508-1} - jasper (bug #812978) [squeeze] - jasper (Minor issue) NOTE: https://github.com/mdadams/jasper/commit/c87ad330a8b8d6e5eb0065675601fdfae08ebaab CVE-2016-2085 (The evm_verify_hmac function in security/integrity/evm/evm_main.c in t ...) - linux 4.4.2-1 (unimportant) [jessie] - linux 3.16.7-ckt25-1 - linux-2.6 (unimportant) NOTE: EVM is not enabled NOTE: https://git.kernel.org/linus/613317bd212c585c20796c10afe5daaa95d4b0a1 (v4.5-rc4) CVE-2016-2084 (F5 BIG-IP LTM, AFM, Analytics, APM, ASM, Link Controller, and PEM 11.3 ...) NOT-FOR-US: F5 BIG-IP CVE-2016-2083 REJECTED CVE-2016-2082 (Cross-site request forgery (CSRF) vulnerability in VMware vRealize Log ...) NOT-FOR-US: VMware CVE-2016-2081 (Cross-site scripting (XSS) vulnerability in VMware vRealize Log Insigh ...) NOT-FOR-US: VMware CVE-2016-2080 REJECTED CVE-2016-2079 (VMware NSX Edge 6.1 before 6.1.7 and 6.2 before 6.2.3 and vCNS Edge 5. ...) NOT-FOR-US: VMware CVE-2016-2078 (Cross-site scripting (XSS) vulnerability in the Web Client in VMware v ...) NOT-FOR-US: VMware CVE-2016-2077 (VMware Workstation 11.x before 11.1.3 and VMware Player 7.x before 7.1 ...) NOT-FOR-US: VMware CVE-2016-2076 (Client Integration Plugin (CIP) in VMware vCenter Server 5.5 U3a, U3b, ...) NOT-FOR-US: VMware CVE-2016-2075 (Cross-site scripting (XSS) vulnerability in VMware vRealize Business A ...) NOT-FOR-US: VMware vRealize Business Advanced and Enterprise CVE-2016-2074 (Buffer overflow in lib/flow.c in ovs-vswitchd in Open vSwitch 2.2.x an ...) {DSA-3533-1} - openvswitch 2.3.0+git20140819-4 [wheezy] - openvswitch (Affects only 2.2.x and later) NOTE: http://openvswitch.org/pipermail/announce/2016-March/000082.html CVE-2016-2072 (The Administrative Web Interface in Citrix NetScaler Application Deliv ...) NOT-FOR-US: Citrix CVE-2016-2071 (Citrix NetScaler Application Delivery Controller (ADC) and NetScaler G ...) NOT-FOR-US: Citrix CVE-2015-8787 (The nf_nat_redirect_ipv4 function in net/netfilter/nf_nat_redirect.c i ...) - linux 4.3.5-1 [jessie] - linux (Vulnerable code introduced in v3.19-rc1) [wheezy] - linux (Vulnerable code introduced in v3.19-rc1) - linux-2.6 (Vulnerable code introduced in v3.19-rc1) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1300731 NOTE: https://lkml.org/lkml/2015/12/2/618 NOTE: Introduced by: https://git.kernel.org/linus/8b13eddfdf04cbfa561725cfc42d6868fe896f56 (v3.19-rc1) NOTE: Fixed by: https://git.kernel.org/linus/94f9cd81436c85d8c3a318ba92e236ede73752fc (v4.4-rc1) NOTE: http://www.openwall.com/lists/oss-security/2016/01/27/6 CVE-2015-8786 (The Management plugin in RabbitMQ before 3.6.1 allows remote authentic ...) - rabbitmq-server 3.6.5-1 [jessie] - rabbitmq-server (Minor issue) [wheezy] - rabbitmq-server (lengths_age or lengths_incr parameters are not present) NOTE: https://github.com/rabbitmq/rabbitmq-management/issues/97 CVE-2016-XXXX [out of bound read and write issues] - giflib 5.1.4-0.1 (bug #820594) [jessie] - giflib (Minor issue) [wheezy] - giflib (Minor issue) [squeeze] - giflib (Minor issue) NOTE: http://sourceforge.net/p/giflib/bugs/82/ NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/01/26/5 NOTE: http://sourceforge.net/p/giflib/code/ci/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6/ CVE-2016-2073 (The htmlParseNameComplex function in HTMLparser.c in libxml2 allows at ...) {DSA-3593-1 DLA-503-1} - libxml2 2.9.3+dfsg1-1.1 (bug #812807) NOTE: http://www.openwall.com/lists/oss-security/2016/01/25/6 NOTE: http://www.openwall.com/lists/oss-security/2016/01/26/8 has details NOTE: Same fix as CVE-2016-1839 and CVE-2015-8806 CVE-2016-2070 (The tcp_cwnd_reduction function in net/ipv4/tcp_input.c in the Linux k ...) - linux 4.3.5-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) - linux-2.6 (Vulnerable code introduced later) NOTE: Upstream commit: https://git.kernel.org/linus/8b8a321ff72c785ed5e8b4cf6eda20b35d427390 (v4.4) NOTE: Introduced by: https://git.kernel.org/linus/3759824da87b30ce7a35b4873b62b0ba38905ef5 (v4.3-rc1) CVE-2016-2068 (The MSM QDSP6 audio driver (aka sound driver) for the Linux kernel 3.x ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-2067 (drivers/gpu/msm/kgsl.c in the MSM graphics driver (aka GPU driver) for ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-2066 (Integer signedness error in the MSM QDSP6 audio driver for the Linux k ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-2065 (sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c in the MSM QDSP6 audio ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-2064 (sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c in the MSM QDSP6 audio ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-2063 (Stack-based buffer overflow in the supply_lm_input_write function in d ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-2062 (The adreno_perfcounter_query_group function in drivers/gpu/msm/adreno_ ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-2061 (Integer signedness error in the MSM V4L2 video driver for the Linux ke ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-2060 (server/TetherController.cpp in the tethering controller in netd, as di ...) NOT-FOR-US: Android CVE-2016-2059 (The msm_ipc_router_bind_control_port function in net/ipc_router/ipc_ro ...) NOT-FOR-US: Android drivers CVE-2016-2058 (Multiple cross-site scripting (XSS) vulnerabilities in Xymon 4.1.x, 4. ...) {DSA-3495-1 DLA-488-1} - xymon 4.3.25-1 NOTE: http://lists.xymon.com/pipermail/xymon/2016-February/042986.html CVE-2016-2057 (lib/xymond_ipc.c in Xymon 4.1.x, 4.2.x, and 4.3.x before 4.3.25 use we ...) {DSA-3495-1} - xymon 4.3.25-1 [wheezy] - xymon (vulnerable code not present) NOTE: http://lists.xymon.com/pipermail/xymon/2016-February/042986.html CVE-2016-2056 (xymond in Xymon 4.1.x, 4.2.x, and 4.3.x before 4.3.25 allow remote aut ...) {DSA-3495-1 DLA-488-1} - xymon 4.3.25-1 NOTE: http://lists.xymon.com/pipermail/xymon/2016-February/042986.html CVE-2016-2055 (xymond/xymond.c in xymond in Xymon 4.1.x, 4.2.x, and 4.3.x before 4.3. ...) {DSA-3495-1 DLA-488-1} - xymon 4.3.25-1 NOTE: http://lists.xymon.com/pipermail/xymon/2016-February/042986.html CVE-2016-2054 (Multiple buffer overflows in xymond/xymond.c in xymond in Xymon 4.1.x, ...) {DSA-3495-1 DLA-488-1} - xymon 4.3.25-1 NOTE: http://lists.xymon.com/pipermail/xymon/2016-February/042986.html CVE-2016-2052 (Multiple unspecified vulnerabilities in HarfBuzz before 1.0.6, as used ...) - harfbuzz 1.2.6-1 [jessie] - harfbuzz (Vulnerable code not present) - chromium-browser 48.0.2564.82-1 [wheezy] - chromium-browser (Not supported in Wheezy) NOTE: https://code.google.com/p/chromium/issues/detail?id=544270 NOTE: https://github.com/behdad/harfbuzz/commit/63ef0b41dc48d6112d1918c1b1de9de8ea90adb5 CVE-2016-2051 (Multiple unspecified vulnerabilities in Google V8 before 4.8.271.17, a ...) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2016-2048 (Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, all ...) - python-django 1.9.2-1 (bug #813448) [jessie] - python-django (Only affects 1.9) [wheezy] - python-django (Only affects 1.9) [squeeze] - python-django (Only affects 1.9) NOTE: https://www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189/ CVE-2016-2046 (Cross-site scripting (XSS) vulnerability in the UserPortal page in SOP ...) NOT-FOR-US: SOPHOS CVE-2016-2045 (Cross-site scripting (XSS) vulnerability in the SQL editor in phpMyAdm ...) {DLA-481-1} - phpmyadmin 4:4.5.4-1 (low) [jessie] - phpmyadmin (Minor issue) [squeeze] - phpmyadmin (vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-9/ CVE-2016-2044 (libraries/sql-parser/autoload.php in the SQL parser in phpMyAdmin 4.5. ...) - phpmyadmin 4:4.5.4-1 [jessie] - phpmyadmin (vulnerable code not present) [wheezy] - phpmyadmin (vulnerable code not present) [squeeze] - phpmyadmin (vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-8/ NOTE: vulnerability introduced in 4.5.0.1 / 718ef31 CVE-2016-2043 (Cross-site scripting (XSS) vulnerability in the goToFinish1NF function ...) - phpmyadmin 4:4.5.4-1 [jessie] - phpmyadmin (vulnerable code not present) [wheezy] - phpmyadmin (vulnerable code not present) [squeeze] - phpmyadmin (vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-7/ NOTE: vulnerability introduced in 4.3.3 / 1e971f3 CVE-2016-2042 (phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote ...) - phpmyadmin 4:4.5.4-1 (unimportant) [squeeze] - phpmyadmin (vulnerable code not present) [wheezy] - phpmyadmin (vulnerable code not present) NOTE: introduced as part of the CVE-2016-2039 fix NOTE: https://www.phpmyadmin.net/security/PMASA-2016-6/ NOTE: path disclosure not relevant on Debian CVE-2016-2041 (libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x b ...) {DSA-3627-1 DLA-481-1 DLA-406-1} - phpmyadmin 4:4.5.4-1 NOTE: squeeze patch backport trivial to wheezy NOTE: https://www.phpmyadmin.net/security/PMASA-2016-5/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/fe62b69a5b032de8e1d9d0a04456c1cecf46428c CVE-2016-2040 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0. ...) {DSA-3627-1 DLA-481-1} - phpmyadmin 4:4.5.4-1 [squeeze] - phpmyadmin (minor issue) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-3/ CVE-2016-2039 (libraries/session.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x ...) {DSA-3627-1 DLA-481-1 DLA-406-1} - phpmyadmin 4:4.5.4-1 NOTE: squeeze patch was actually incorrect and probably not functional: libraries/phpseclib/Crypt/Random.php needs some engine (e.g. AES) to work NOTE: https://www.phpmyadmin.net/security/PMASA-2016-2/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/6fe54dfa000dd6f43f237e859781fad7111ac1bd is not sufficient: one needs 29b297f to import more bits from phpseclib or simply import all of phpseclib. NOTE: such a fix needs to avoid introducing a new vulnerability as well, upstream introduced CVE-2016-2042 as part of this CVE-2016-2038 (phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x be ...) {DLA-481-1} - phpmyadmin 4:4.5.4-1 (unimportant) [squeeze] - phpmyadmin (minor issue) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-1/ NOTE: path disclosure not relevant on Debian CVE-2016-2036 (The getURL function in drivers/secfilter/urlparser.c in secfilter in t ...) NOT-FOR-US: Samsung CVE-2015-8780 (Samsung wssyncmlnps before 2015-10-31 allows directory traversal in a ...) NOT-FOR-US: Samsung CVE-2016-2069 (Race condition in arch/x86/mm/tlb.c in the Linux kernel before 4.4.1 a ...) {DSA-3503-1 DLA-412-1} - linux 4.3.5-1 - linux-2.6 NOTE: http://www.openwall.com/lists/oss-security/2016/01/25/1 NOTE: https://git.kernel.org/linus/71b3c126e61177eb693423f2e18a1914205b165e (v4.5-rc1) NOTE: https://git.kernel.org/linus/4eaffdd5a5fe6ff9f95e1ab4de1ac904d5e0fa8b (v4.5-rc1) CVE-2016-2053 (The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kerne ...) - linux 4.3.1-1 [jessie] - linux 3.16.7-ckt25-2 [wheezy] - linux (Vulnerable code not present) - linux-2.6 (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1300237 NOTE: Introduced in https://git.kernel.org/linus/3d167d68e3805ee45ed2e8412fc03ed919c54c24 (v3.13-rc1) NOTE: Fixed by: https://git.kernel.org/linus/0d62e9dd6da45bbf0f33a8617afc5fe774c8f45f (v4.3-rc1) CVE-2015-8783 (tif_luv.c in libtiff allows attackers to cause a denial of service (ou ...) {DSA-3467-1 DLA-880-1 DLA-405-1} - tiff 4.0.6-1 - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2522 NOTE: Commit: https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65 NOTE: http://www.openwall.com/lists/oss-security/2016/01/24/3 CVE-2015-8782 (tif_luv.c in libtiff allows attackers to cause a denial of service (ou ...) {DSA-3467-1 DLA-880-1 DLA-405-1} - tiff 4.0.6-1 - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2522 NOTE: Commit: https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65 NOTE: http://www.openwall.com/lists/oss-security/2016/01/24/3 CVE-2015-8781 (tif_luv.c in libtiff allows attackers to cause a denial of service (ou ...) {DSA-3467-1 DLA-880-1 DLA-405-1} - tiff 4.0.6-1 - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2522#0 NOTE: Commit: https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65 NOTE: http://www.openwall.com/lists/oss-security/2016/01/24/3 CVE-2015-8784 (The NeXTDecode function in tif_next.c in LibTIFF allows remote attacke ...) {DSA-3467-1 DLA-880-1 DLA-405-1} - tiff 4.0.6-1 - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2508 NOTE: Can be reproduced with tiff compiled with AddressSanitizer NOTE: and the same reproducer file http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif NOTE: Commit: https://github.com/vadz/libtiff/commit/b18012dae552f85dcc5c57d3bf4e997a15b1cc1c NOTE: http://www.openwall.com/lists/oss-security/2016/01/24/4 CVE-2016-2049 (examples/consumer/common.php in JanRain PHP OpenID library (aka php-op ...) - php-openid (unimportant) NOTE: sample code only, actual vulnerable code not shipped in package NOTE: http://www.openwall.com/lists/oss-security/2016/01/24/2 NOTE: https://github.com/openid/php-openid/issues/128 CVE-2016-2047 (The ssl_verify_server_cert function in sql-common/client.c in MariaDB ...) {DSA-3557-1 DSA-3453-1 DLA-447-1} - mariadb-10.0 10.0.23-1 NOTE: https://mariadb.atlassian.net/browse/MDEV-9212 NOTE: https://github.com/MariaDB/server/commit/f0d774d48416bb06063184380b684380ca005a41 - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (bug #821100) [squeeze] - mysql-5.5 (will be fixed along with an upcoming Oracle CPU) NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-2035 REJECTED CVE-2016-2034 (SQL injection vulnerability in ClearPass Policy Manager 6.5.x through ...) NOT-FOR-US: ClearPass Policy Manager CVE-2016-2033 REJECTED CVE-2016-2032 (A vulnerability exists in the Aruba AirWave Management Platform 8.x pr ...) NOT-FOR-US: Aruba AirWave Management Platform CVE-2016-2031 (Multiple vulnerabilities exists in Aruba Instate before 4.1.3.0 and 4. ...) NOT-FOR-US: Aruba Instate CVE-2016-2030 (HPE Systems Insight Manager (SIM) before 7.5.1 allows remote authentic ...) NOT-FOR-US: HPE Systems Insight Manager CVE-2016-2029 (HPE Matrix Operating Environment before 7.5.1 allows remote attackers ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2016-2028 (HPE Matrix Operating Environment before 7.5.1 allows remote authentica ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2016-2027 (HPE Matrix Operating Environment before 7.5.1 allows remote attackers ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2016-2026 (HPE Matrix Operating Environment before 7.5.1 allows remote attackers ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2016-2025 (HPE Service Manager 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, and 9.41 ...) NOT-FOR-US: HPE CVE-2016-2024 (HPE Insight Control before 7.5.1 allow remote attackers to obtain sens ...) NOT-FOR-US: HPE Insight Control CVE-2016-2023 (HPE RESTful Interface Tool 1.40 allows local users to obtain sensitive ...) NOT-FOR-US: HPE CVE-2016-2022 (HPE Systems Insight Manager (SIM) before 7.5.1 allows remote authentic ...) NOT-FOR-US: HPE Systems Insight Manager CVE-2016-2021 (HPE Systems Insight Manager (SIM) before 7.5.1 allows remote authentic ...) NOT-FOR-US: HPE Systems Insight Manager CVE-2016-2020 (HPE Systems Insight Manager (SIM) before 7.5.1 allows remote authentic ...) NOT-FOR-US: HPE Systems Insight Manager CVE-2016-2019 (HPE Systems Insight Manager (SIM) before 7.5.1 allows remote authentic ...) NOT-FOR-US: HPE Systems Insight Manager CVE-2016-2018 (HPE Systems Insight Manager (SIM) before 7.5.1 allows remote attackers ...) NOT-FOR-US: HPE Systems Insight Manager CVE-2016-2017 (HPE Systems Insight Manager (SIM) before 7.5.1 allows remote authentic ...) NOT-FOR-US: HPE Systems Insight Manager CVE-2016-2016 (Base-VxFS-50 B.05.00.01 through B.05.00.02, Base-VxFS-501 B.05.01.0 th ...) NOT-FOR-US: HPE CVE-2016-2015 (HPE System Management Homepage before 7.5.5 allows local users to obta ...) NOT-FOR-US: HPE CVE-2016-2014 (HPE Network Node Manager i (NNMi) 9.20, 9.23, 9.24, 9.25, 10.00, and 1 ...) NOT-FOR-US: HPE CVE-2016-2013 (HPE Network Node Manager i (NNMi) 9.20, 9.23, 9.24, 9.25, 10.00, and 1 ...) NOT-FOR-US: HPE CVE-2016-2012 (HPE Network Node Manager i (NNMi) 9.20, 9.23, 9.24, 9.25, 10.00, and 1 ...) NOT-FOR-US: HPE CVE-2016-2011 (Cross-site scripting (XSS) vulnerability in HPE Network Node Manager i ...) NOT-FOR-US: HPE CVE-2016-2010 (Cross-site scripting (XSS) vulnerability in HPE Network Node Manager i ...) NOT-FOR-US: HPE CVE-2016-2009 (HPE Network Node Manager i (NNMi) 9.20, 9.23, 9.24, 9.25, 10.00, and 1 ...) NOT-FOR-US: HPE CVE-2016-2008 (HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9. ...) NOT-FOR-US: HPE Data Protector CVE-2016-2007 (HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9. ...) NOT-FOR-US: HPE Data Protector CVE-2016-2006 (HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9. ...) NOT-FOR-US: HPE Data Protector CVE-2016-2005 (HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9. ...) NOT-FOR-US: HPE Data Protector CVE-2016-2004 (HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9. ...) NOT-FOR-US: HPE Data Protector CVE-2016-2003 (HPE P9000 Command View Advanced Edition Software (CVAE) 7.x and 8.x be ...) NOT-FOR-US: HPE P9000 Command View Advanced Edition Software CVE-2016-2002 (The validateAdminConfig handler in the Analytics Management Console in ...) NOT-FOR-US: HPE Vertica CVE-2016-2001 (HPE Universal CMDB Foundation 10.0, 10.01, 10.10, 10.11, and 10.20 all ...) NOT-FOR-US: HPE Universal CMDB CVE-2016-2000 (HPE Asset Manager 9.40, 9.41, and 9.50 and Asset Manager CloudSystem C ...) NOT-FOR-US: HPE Asset Manager CVE-2016-1999 (The server in HP Release Control 9.13, 9.20, and 9.21 allows remote at ...) NOT-FOR-US: HP Release Control CVE-2016-1998 (HPE Service Manager (SM) 9.3x before 9.35 P4 and 9.4x before 9.41.P2 a ...) NOT-FOR-US: HPE Service Manager CVE-2016-1997 (HPE Operations Orchestration 10.x before 10.51 and Operations Orchestr ...) NOT-FOR-US: HP Operations Orchestration CVE-2016-1996 (HPE System Management Homepage before 7.5.4 allows local users to obta ...) NOT-FOR-US: HPE System Management Homepage CVE-2016-1995 (HPE System Management Homepage before 7.5.4 allows remote attackers to ...) NOT-FOR-US: HPE System Management Homepage CVE-2016-1994 (HPE System Management Homepage before 7.5.4 allows remote authenticate ...) NOT-FOR-US: HPE System Management Homepage CVE-2016-1993 (HPE System Management Homepage before 7.5.4 allows remote authenticate ...) NOT-FOR-US: HPE System Management Homepage CVE-2016-1992 (HPE ArcSight ESM before 6.8c, and ArcSight ESM Express before 6.9.1, a ...) NOT-FOR-US: HPE ArcSight ESM CVE-2016-1991 (HPE ArcSight ESM 5.x before 5.6, 6.0, 6.5.x before 6.5C SP1 Patch 2, a ...) NOT-FOR-US: HPE ArcSight ESM CVE-2016-1990 (HPE ArcSight ESM 5.x before 5.6, 6.0, 6.5.x before 6.5C SP1 Patch 2, a ...) NOT-FOR-US: HPE ArcSight ESM CVE-2016-1989 (HPE Network Automation 9.22 through 9.22.02 and 10.x before 10.00.02 a ...) NOT-FOR-US: HPE Network Automation CVE-2016-1988 (HPE Network Automation 9.22 through 9.22.02 and 10.x before 10.00.02 a ...) NOT-FOR-US: HPE Network Automation CVE-2016-1987 (HPE IPFilter A.11.31.18.21 on HP-UX, when a certain keep-state configu ...) NOT-FOR-US: HP-UX IPFilter CVE-2016-1986 (HP Continuous Delivery Automation (CDA) 1.30 allows remote attackers t ...) NOT-FOR-US: HP CDA CVE-2016-1985 (HPE Operations Manager 8.x and 9.0 on Windows allows remote attackers ...) NOT-FOR-US: HPE Operations Manager CVE-2016-1984 (The setUpSubtleUserAccount function in /bin/bw on Harman AMX devices b ...) NOT-FOR-US: Harman AMX devices CVE-2016-1980 RESERVED CVE-2016-1979 (Use-after-free vulnerability in the PK11_ImportDERPrivateKeyInfoAndRet ...) {DSA-3688-1 DSA-3576-1 DLA-480-1 DLA-472-1} - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 [jessie] - iceweasel (Only affects Firefox 44.x) [wheezy] - iceweasel (Only affects Firefox 44.x) - icedove 38.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-36/ - nss 2:3.21-1 CVE-2016-1978 (Use-after-free vulnerability in the ssl3_HandleECDHServerKeyExchange f ...) {DSA-3688-1 DLA-480-1} - iceweasel 44.0-1 [jessie] - iceweasel (Only affects Firefox 43.x) [wheezy] - iceweasel (Only affects Firefox 43.x) NOTE: Marked as fixed in 44.0-1 which would be the version fixing NOTE: the issue while using the bundled nss version. iceweasel for NOTE: unstable though used the system library. NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-15/ - nss 2:3.21-1 CVE-2016-1977 (The Machine::Code::decoder::analysis::set_ref function in Graphite 2 b ...) {DSA-3520-1 DSA-3515-1 DSA-3510-1} - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 - icedove 38.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/ - graphite2 1.3.6-1 CVE-2016-1976 (Use-after-free vulnerability in the DesktopDisplayDevice class in the ...) - iceweasel (Windows-specific) CVE-2016-1975 (Multiple race conditions in dom/media/systemservices/CamerasChild.cpp ...) - iceweasel (Windows-specific) CVE-2016-1974 (The nsScannerString::AppendUnicodeTo function in Mozilla Firefox befor ...) {DSA-3520-1 DSA-3510-1} - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 - icedove 38.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-34/ CVE-2016-1973 (Race condition in the GetStaticInstance function in the WebRTC impleme ...) - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 [jessie] - iceweasel (Only affects Firefox 44.x) [wheezy] - iceweasel (Only affects Firefox 44.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-33/ CVE-2016-1972 (Race condition in libvpx in Mozilla Firefox before 45.0 on Windows mig ...) - iceweasel (Windows-specific) - libvpx (Windows-specific) CVE-2016-1971 (The I420VideoFrame::CreateFrame function in the WebRTC implementation ...) - iceweasel (Windows-specific) CVE-2016-1970 (Integer underflow in the srtp_unprotect function in the WebRTC impleme ...) - iceweasel (Windows-specific) CVE-2016-1969 (The setAttr function in Graphite 2 before 1.3.6, as used in Mozilla Fi ...) {DSA-3515-1 DSA-3477-1} - graphite2 1.3.6-1 - iceweasel - firefox 45.0-1 - firefox-esr 45.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-38/ CVE-2016-1968 (Integer underflow in Brotli, as used in Mozilla Firefox before 45.0, a ...) - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 [jessie] - iceweasel (Only affects Firefox 44.x) [wheezy] - iceweasel (Only affects Firefox 44.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-30/ - brotli 0.3.0+dfsg-3 (bug #817233) NOTE: https://github.com/google/brotli/commit/37a320dd81db8d546cd24a45b4c61d87b45dcade CVE-2016-1967 (Mozilla Firefox before 45.0 does not properly restrict the availabilit ...) - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 [jessie] - iceweasel (Only affects Firefox 44.x) [wheezy] - iceweasel (Only affects Firefox 44.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-29/ CVE-2016-1966 (The nsNPObjWrapper::GetNewOrUsed function in dom/plugins/base/nsJSNPRu ...) {DSA-3520-1 DSA-3510-1} - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 - icedove 38.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-31/ CVE-2016-1965 (Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 mishandle ...) {DSA-3510-1} - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-28/ CVE-2016-1964 (Use-after-free vulnerability in the AtomicBaseIncDec function in Mozil ...) {DSA-3520-1 DSA-3510-1} - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 - icedove 38.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-27/ CVE-2016-1963 (The FileReader class in Mozilla Firefox before 45.0 allows local users ...) - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 [jessie] - iceweasel (Only affects Firefox 44.x) [wheezy] - iceweasel (Only affects Firefox 44.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-26/ CVE-2016-1962 (Use-after-free vulnerability in the mozilla::DataChannelConnection::Cl ...) {DSA-3520-1 DSA-3510-1} - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 - icedove 38.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-25/ CVE-2016-1961 (Use-after-free vulnerability in the nsHTMLDocument::SetBody function i ...) {DSA-3520-1 DSA-3510-1} - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 - icedove 38.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-24/ CVE-2016-1960 (Integer underflow in the nsHtml5TreeBuilder class in the HTML5 string ...) {DSA-3520-1 DSA-3510-1} - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 - icedove 38.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-23/ CVE-2016-1959 (The ServiceWorkerManager class in Mozilla Firefox before 45.0 allows r ...) - firefox-esr 45.0esr-1 - firefox 45.0-1 - iceweasel [jessie] - iceweasel (Only affects Firefox 44.x) [wheezy] - iceweasel (Only affects Firefox 44.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-22/ CVE-2016-1958 (browser/base/content/browser.js in Mozilla Firefox before 45.0 and Fir ...) {DSA-3510-1} - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-21/ CVE-2016-1957 (Memory leak in libstagefright in Mozilla Firefox before 45.0 and Firef ...) {DSA-3520-1 DSA-3510-1} - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 - icedove 38.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-20/ CVE-2016-1956 (Mozilla Firefox before 45.0 on Linux, when an Intel video driver is us ...) - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 [jessie] - iceweasel (Only affects Firefox 44.x) [wheezy] - iceweasel (Only affects Firefox 44.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-19/ CVE-2016-1955 (Mozilla Firefox before 45.0 allows remote attackers to bypass the Same ...) - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 [jessie] - iceweasel (Only affects Firefox 44.x) [wheezy] - iceweasel (Only affects Firefox 44.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-18/ CVE-2016-1954 (The nsCSPContext::SendReports function in dom/security/nsCSPContext.cp ...) {DSA-3520-1 DSA-3510-1} - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 - icedove 38.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-17/ CVE-2016-1953 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 [jessie] - iceweasel (Only affects Firefox 44.x) [wheezy] - iceweasel (Only affects Firefox 44.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-16/ CVE-2016-1952 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-3510-1} - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-16/ CVE-2016-1951 (Multiple integer overflows in io/prprf.c in Mozilla Netscape Portable ...) {DSA-3687-1 DLA-513-1} - firefox-esr 45.0esr-1 - firefox 45.0-1 - nspr 2:4.12-1 [jessie] - nspr (Minor issue) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1174015 NOTE: https://groups.google.com/forum/#!topic/mozilla.dev.tech.nspr/dV4MyMsg6jw NOTE: Upstream commit: https://hg.mozilla.org/projects/nspr/rev/96381e3aaae2 CVE-2016-1950 (Heap-based buffer overflow in Mozilla Network Security Services (NSS) ...) {DSA-3688-1 DSA-3520-1 DSA-3510-1 DLA-480-1} - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 - icedove 38.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-35/ - nss 2:3.23-1 NOTE: NSS fixed in 3.21.1 CVE-2016-1949 (Mozilla Firefox before 44.0.2 does not properly restrict the interacti ...) - iceweasel - firefox-esr 45.0esr-1 - firefox 45.0-1 [jessie] - iceweasel (Only affects Firefox 43.x) [wheezy] - iceweasel (Only affects Firefox 43.x) [squeeze] - iceweasel (Only affects Firefox 43.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-13/ CVE-2016-1948 (Mozilla Firefox before 44.0 on Android does not ensure that HTTPS is u ...) - iceweasel (Only affects Firefox for Android) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-12/ CVE-2016-1947 (Mozilla Firefox 43.x mishandles attempts to connect to the Application ...) - iceweasel 44.0-1 [jessie] - iceweasel (Only affects Firefox 43.x) [wheezy] - iceweasel (Only affects Firefox 43.x) [squeeze] - iceweasel (Only affects Firefox 43.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-11/ CVE-2016-1946 (The MoofParser::Metadata function in binding/MoofParser.cpp in libstag ...) - iceweasel 44.0-1 [jessie] - iceweasel (Only affects Firefox 43.x) [wheezy] - iceweasel (Only affects Firefox 43.x) [squeeze] - iceweasel (Only affects Firefox 43.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-10/ CVE-2016-1945 (The nsZipArchive function in Mozilla Firefox before 44.0 might allow r ...) - iceweasel 44.0-1 [jessie] - iceweasel (Only affects Firefox 43.x) [wheezy] - iceweasel (Only affects Firefox 43.x) [squeeze] - iceweasel (Only affects Firefox 43.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-10/ CVE-2016-1944 (The Buffer11::NativeBuffer11::map function in ANGLE, as used in Mozill ...) - iceweasel 44.0-1 [jessie] - iceweasel (Only affects Firefox 43.x) [wheezy] - iceweasel (Only affects Firefox 43.x) [squeeze] - iceweasel (Only affects Firefox 43.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-10/ CVE-2016-1943 (Mozilla Firefox before 44.0 on Android allows remote attackers to spoo ...) - iceweasel 44.0-1 [jessie] - iceweasel (Only affects Firefox 43.x) [wheezy] - iceweasel (Only affects Firefox 43.x) [squeeze] - iceweasel (Only affects Firefox 43.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-09/ CVE-2016-1942 (Mozilla Firefox before 44.0 allows user-assisted remote attackers to s ...) - iceweasel 44.0-1 [jessie] - iceweasel (Only affects Firefox 43.x) [wheezy] - iceweasel (Only affects Firefox 43.x) [squeeze] - iceweasel (Only affects Firefox 43.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-09/ CVE-2016-1941 (The file-download dialog in Mozilla Firefox before 44.0 on OS X enable ...) - iceweasel (Affects only Firefox on OS X) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-08/ CVE-2016-1940 (Mozilla Firefox before 44.0 on Android allows remote attackers to spoo ...) - iceweasel (Affects Firefox for Android only) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-05/ CVE-2016-1939 (Mozilla Firefox before 44.0 stores cookies with names containing verti ...) - iceweasel 44.0-1 [jessie] - iceweasel (Only affects Firefox 43.x) [wheezy] - iceweasel (Only affects Firefox 43.x) [squeeze] - iceweasel (Only affects Firefox 43.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-04/ CVE-2016-1938 (The s_mp_div function in lib/freebl/mpi/mpi.c in Mozilla Network Secur ...) {DSA-3688-1 DLA-480-1 DLA-427-1} - iceweasel 44.0-1 [jessie] - iceweasel (Only affects Firefox 43.x) [wheezy] - iceweasel (Only affects Firefox 43.x) [squeeze] - iceweasel (Only affects Firefox 43.x) NOTE: Marked as fixed in 44.0-1 which would be the version fixing NOTE: the issue while using the bundled nss version. iceweasel for NOTE: unstable though used the system library. NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-07/ - nss 2:3.21-1 NOTE: https://hg.mozilla.org/projects/nss/rev/a555bf0fc23a NOTE: https://hg.mozilla.org/projects/nss/rev/608645309ab9 NOTE: https://hg.mozilla.org/projects/nss/rev/cfd0ad4726cb NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1190248 (not yet public) CVE-2016-1937 (The protocol-handler dialog in Mozilla Firefox before 44.0 allows remo ...) - iceweasel 44.0-1 [jessie] - iceweasel (Only affects Firefox 43.x) [wheezy] - iceweasel (Only affects Firefox 43.x) [squeeze] - iceweasel (Only affects Firefox 43.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-06/ CVE-2016-1936 RESERVED CVE-2016-1935 (Buffer overflow in the BufferSubData function in Mozilla Firefox befor ...) {DSA-3491-1 DSA-3457-1} - iceweasel 44.0-1 [squeeze] - iceweasel - icedove 38.6.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-03/ CVE-2016-1934 RESERVED CVE-2016-1933 (Integer overflow in the image-deinterlacing functionality in Mozilla F ...) - iceweasel 44.0-1 [jessie] - iceweasel (Only affects Firefox 43.x) [wheezy] - iceweasel (Only affects Firefox 43.x) [squeeze] - iceweasel (Only affects Firefox 43.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-02/ CVE-2016-1932 RESERVED CVE-2016-1931 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel 44.0-1 [jessie] - iceweasel (Only affects Firefox 43.x) [wheezy] - iceweasel (Only affects Firefox 43.x) [squeeze] - iceweasel (Only affects Firefox 43.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ CVE-2016-1930 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-3491-1 DSA-3457-1} - iceweasel 44.0-1 [squeeze] - iceweasel - icedove 38.6.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ CVE-2016-1929 (The XS engine in SAP HANA allows remote attackers to spoof log entries ...) NOT-FOR-US: SAP CVE-2016-1928 (Buffer overflow in the XS engine (hdbxsengine) in SAP HANA allows remo ...) NOT-FOR-US: SAP CVE-2016-1927 (The suggestPassword function in js/functions.js in phpMyAdmin 4.0.x be ...) {DSA-3627-1 DLA-481-1} - phpmyadmin 4:4.5.4-1 [squeeze] - phpmyadmin (minor issue) NOTE: https://www.phpmyadmin.net/security/PMASA-2016-4/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/6a96e67487f2faecb4de4204fee9b96b94020720 CVE-2016-1983 (The client_host function in parsers.c in Privoxy before 3.0.24 allows ...) {DSA-3460-1 DLA-398-1} - privoxy 3.0.24-1 NOTE: http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/parsers.c?r1=1.302&r2=1.303 NOTE: http://www.openwall.com/lists/oss-security/2016/01/21/4 CVE-2016-1982 (The remove_chunked_transfer_coding function in filters.c in Privoxy be ...) {DSA-3460-1 DLA-398-1} - privoxy 3.0.24-1 NOTE: http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/filters.c?r1=1.196&r2=1.197 NOTE: http://www.openwall.com/lists/oss-security/2016/01/21/4 CVE-2015-XXXX [buffer overflows in init_cups] - cups-filters 1.6.0-1 (unimportant) - foomatic-filters (unimportant) [jessie] - foomatic-filters (Minor issue) [wheezy] - foomatic-filters (Minor issue) [squeeze] - foomatic-filters 4.0.5-6+squeeze2+deb6u13 NOTE: workaround entry for DLA-399-1 until/if CVE assigned NOTE: https://bugs.linuxfoundation.org/show_bug.cgi?id=1336 NOTE: http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7431 NOTE: Doesn't cross any security boundary CVE-2016-1926 (Cross-site scripting (XSS) vulnerability in the charts module in Green ...) NOT-FOR-US: Greenbone Security Assistant CVE-2016-1921 RESERVED CVE-2016-1918 (Cross-site scripting (XSS) vulnerability in the Management Console in ...) NOT-FOR-US: BlackBerry CVE-2016-1917 (Cross-site scripting (XSS) vulnerability in the Management Console in ...) NOT-FOR-US: BlackBerry CVE-2016-1916 (Cross-site scripting (XSS) vulnerability in the Management Console in ...) NOT-FOR-US: BlackBerry CVE-2016-1915 (Multiple cross-site scripting (XSS) vulnerabilities in BlackBerry Ente ...) NOT-FOR-US: BlackBerry CVE-2016-1914 (Multiple SQL injection vulnerabilities in the com.rim.mdm.ui.server.Im ...) NOT-FOR-US: BlackBerry CVE-2016-1913 (Multiple cross-site scripting (XSS) vulnerabilities in the Redhen modu ...) NOT-FOR-US: Redhen module for Drupal CVE-2016-1912 (Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CR ...) - dolibarr 3.5.8+dfsg1-1 (bug #812496) [jessie] - dolibarr 3.5.5+dfsg1-1+deb8u1 NOTE: https://github.com/Dolibarr/dolibarr/issues/4341 CVE-2016-1911 (Multiple cross-site scripting (XSS) vulnerabilities in SAP NetWeaver 7 ...) NOT-FOR-US: SAP CVE-2016-1910 (The User Management Engine (UME) in SAP NetWeaver 7.4 allows attackers ...) NOT-FOR-US: SAP CVE-2016-1909 (Fortinet FortiAnalyzer before 5.0.12 and 5.2.x before 5.2.5; FortiSwit ...) NOT-FOR-US: FortiOS CVE-2015-8775 RESERVED CVE-2015-8774 RESERVED CVE-2015-8773 (Stack-based buffer overflow in McPvDrv.sys 4.6.111.0 in McAfee File Lo ...) NOT-FOR-US: McAfee CVE-2015-8772 (McPvDrv.sys 4.6.111.0 in McAfee File Lock 5.x in McAfee Total Protecti ...) NOT-FOR-US: McAfee CVE-2016-1981 (QEMU (aka Quick Emulator) built with the e1000 NIC emulation support i ...) {DSA-3471-1 DSA-3470-1 DSA-3469-1} - qemu 1:2.5+dfsg-5 (bug #812307) [squeeze] - qemu (Not supported in Squeeze LTS) - qemu-kvm [squeeze] - qemu-kvm (Not supported in Squeeze LTS) NOTE: Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg03454.html NOTE: Introduced in http://git.qemu.org/?p=qemu.git;a=commit;h=7c23b8920329180f48b8a147b629d8837709d201 (v0.10.0) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1298570 NOTE: http://www.openwall.com/lists/oss-security/2016/01/19/10 CVE-2016-2037 (The cpio_safer_name_suffix function in util.c in cpio 2.11 allows remo ...) {DSA-3483-1 DLA-415-1} - cpio 2.11+dfsg-5 (bug #812401) NOTE: http://www.openwall.com/lists/oss-security/2016/01/19/4 NOTE: To reproduce and uncover the issue with unstable version compile with ASAN NOTE: Patch: https://lists.gnu.org/archive/html/bug-cpio/2016-01/msg00005.html NOTE: https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=d36ec5f4e93130efb24fb9678aafd88e8070095b CVE-2016-2050 (The get_abbrev_array_info function in libdwarf-20151114 allows remote ...) {DLA-669-1} - dwarfutils 20160507+git20160523.9086738-1 (unimportant) [jessie] - dwarfutils 20120410-2+deb8u1 NOTE: http://www.openwall.com/lists/oss-security/2016/01/19/9 NOTE: Fixed by http://sourceforge.net/p/libdwarf/code/ci/a05f5e2ae6a5f34daa566975894fc2803d6ec684 NOTE: Reasoning for "unimportant" severity: The affected source code is present NOTE: in dwarfdump/, but in the binary package is installed dwarfdump2/ . NOTE: dwarfdump2 (the C++ implentation) has been abandoned again by upstream in NOTE: fawour of the C version. CVE-2016-XXXX [Multiple minor security issues] - imagemagick 8:6.8.9.9-7 (bug #811308) [jessie] - imagemagick 8:6.8.9.9-5+deb8u1 [wheezy] - imagemagick 8:6.7.7.10-5+deb7u4 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/02/22/4 CVE-2016-1925 (Integer underflow in header.c in lha allows remote attackers to have u ...) - lha (unimportant) NOTE: Non-free not supported CVE-2016-1924 (The opj_tgt_reset function in OpenJpeg 2016.1.18 allows remote attacke ...) {DSA-3665-1} - openjpeg2 2.1.1-1 (bug #818399) NOTE: https://github.com/uclouvain/openjpeg/commit/1a8318f6c24623189ecb65e049267c6f2e005c0e CVE-2016-1923 (Heap-based buffer overflow in the opj_j2k_update_image_data function i ...) - openjpeg2 2.1.1-1 (bug #818399) [jessie] - openjpeg2 (Minor issue, too intrusive to backport) CVE-2016-1920 (Samsung KNOX 1.0.0 uses the shared certificate on Android, which allow ...) NOT-FOR-US: KNOX 1.0 / Android 4.3 CVE-2016-1919 (Samsung KNOX 1.0 uses a weak eCryptFS Key generation algorithm, which ...) NOT-FOR-US: KNOX 1.0 / Android 4.3 CVE-2016-1902 (The nextBytes function in the SecureRandom class in Symfony before 2.3 ...) {DSA-3588-1} - symfony 2.7.9+dfsg-1 NOTE: http://symfony.com/blog/cve-2016-1902-securerandom-s-fallback-not-secure-when-openssl-fails NOTE: https://github.com/symfony/symfony/pull/17359 CVE-2016-1906 (Openshift allows remote attackers to gain privileges by updating a bui ...) - kubernetes (Openshift Specific) NOTE: https://github.com/openshift/origin/issues/6556 NOTE: https://github.com/openshift/origin/pull/6576 CVE-2016-1905 (The API server in Kubernetes does not properly check admission control ...) - kubernetes (Fixed before the initial release in Debian, 1.2.0) NOTE: https://github.com/kubernetes/kubernetes/issues/19479 NOTE: https://github.com/kubernetes/kubernetes/pull/19481 CVE-2016-1904 (Multiple integer overflows in ext/standard/exec.c in PHP 7.x before 7. ...) - php5 (Vulnerable code not present) - php5.6 (Vulnerable code not present) NOTE: Already using safe_emalloc() in php_escape_shell_cmd() - php7.0 7.0.2-1 NOTE: https://bugs.php.net/bug.php?id=71270 NOTE: https://github.com/php/php-src/commit/2871c70efaaaa0f102557a17c727fd4d5204dd4b CVE-2016-1903 (The gdImageRotateInterpolated function in ext/gd/libgd/gd_interpolatio ...) - php5 5.6.17+dfsg-1 [jessie] - php5 5.6.14+dfsg-0+deb8u1 [wheezy] - php5 (Vulnerable code not present) [squeeze] - php5 (Vulnerable code not present, check in gdImageRotate() already available) - php5.6 5.6.17+dfsg-1 - php7.0 7.0.2-1 - hhvm 3.12.11+dfsg-1 (bug #835032) NOTE: https://bugs.php.net/bug.php?id=70976 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=4b8394dd78571826ac66a69dc240c623f31d78f8 NOTE: Fix in HHVM: https://github.com/facebook/hhvm/commit/f91abcc3b156823688c54158fc4fa36d87570afe CVE-2016-1901 (Integer overflow in the authenticate_post function in CGit before 0.12 ...) {DSA-3545-1} - cgit 0.11.2.git2.3.2-1.1 (bug #812411) NOTE: http://git.zx2c4.com/cgit/commit/?id=4458abf64172a62b92810c2293450106e6dfc763 (v0.12) CVE-2016-1900 (CRLF injection vulnerability in the cgit_print_http_headers function i ...) {DSA-3545-1} - cgit 0.11.2.git2.3.2-1.1 (bug #812411) NOTE: http://git.zx2c4.com/cgit/commit/?id=513b3863d999f91b47d7e9f26710390db55f9463 (v0.12) CVE-2016-1899 (CRLF injection vulnerability in the ui-blob handler in CGit before 0.1 ...) {DSA-3545-1} - cgit 0.11.2.git2.3.2-1.1 (bug #812411) NOTE: http://git.zx2c4.com/cgit/commit/?id=1c581a072651524f3b0d91f33e22a42c4166dd96 (v0.12) CVE-2016-1896 (Race condition in the initialization process on Lexmark printers with ...) NOT-FOR-US: Firmware in Lexmark printers CVE-2016-1895 (NetApp Data ONTAP before 8.2.5 and 8.3.x before 8.3.2P12 allow remote ...) NOT-FOR-US: NetApp CVE-2016-1894 (NetApp OnCommand Workflow Automation before 3.1P2 allows remote attack ...) NOT-FOR-US: NetApp CVE-2016-1893 RESERVED CVE-2016-1892 RESERVED CVE-2016-1891 RESERVED CVE-2016-1890 RESERVED CVE-2016-1889 (Integer overflow in the bhyve hypervisor in FreeBSD 10.1, 10.2, 10.3, ...) NOT-FOR-US: bhyve hypervisor for FreeBSD CVE-2016-1888 (The telnetd service in FreeBSD 9.3, 10.1, 10.2, 10.3, and 11.0 allows ...) NOT-FOR-US: telnetd in FreeBSD CVE-2016-1887 (Integer signedness error in the sockargs function in sys/kern/uipc_sys ...) - kfreebsd-10 10.3~svn300087-1 (unimportant; bug #824605) NOTE: kfreebsd not covered by security support in Jessie CVE-2016-1886 (Integer signedness error in the genkbd_commonioctl function in sys/dev ...) - kfreebsd-10 10.3~svn300087-1 (unimportant; bug #824604) NOTE: kfreebsd not covered by security support in Jessie CVE-2016-1885 (Integer signedness error in the amd64_set_ldt function in sys/amd64/am ...) - kfreebsd-10 10.3~svn300087-1 (unimportant; bug #818426) NOTE: kfreebsd not covered by security support in Jessie - kfreebsd-9 [wheezy] - kfreebsd-9 (Unsupported in wheezy-lts) CVE-2016-1884 RESERVED CVE-2016-1883 (The issetugid system call in the Linux compatibility layer in FreeBSD ...) - kfreebsd-10 10.3~svn300087-1 (unimportant) - kfreebsd-9 (unimportant) NOTE: kfreebsd not covered by security support in Jessie CVE-2016-1882 (FreeBSD 9.3 before p33, 10.1 before p26, and 10.2 before p9 allow remo ...) - kfreebsd-10 10.3~svn296373-1 (unimportant; bug #811280) NOTE: kfreebsd not covered by security support in Jessie - kfreebsd-9 [wheezy] - kfreebsd-9 (Unsupported in wheezy-lts) CVE-2016-1881 (The kernel in FreeBSD 9.3, 10.1, and 10.2 allows local users to cause ...) - kfreebsd-10 10.3~svn296373-1 (unimportant; bug #811279) NOTE: kfreebsd not covered by security support in Jessie - kfreebsd-9 [wheezy] - kfreebsd-9 (Unsupported in wheezy-lts) CVE-2016-1880 (The Linux compatibility layer in the kernel in FreeBSD 9.3, 10.1, and ...) - kfreebsd-10 10.3~svn296373-1 (unimportant; bug #811278) NOTE: kfreebsd not covered by security support in Jessie - kfreebsd-9 [wheezy] - kfreebsd-9 (Unsupported in wheezy-lts) CVE-2016-1879 (The Stream Control Transmission Protocol (SCTP) module in FreeBSD 9.3 ...) - kfreebsd-10 (unimportant; bug #811277) NOTE: kfreebsd not covered by security support in Jessie - kfreebsd-9 [wheezy] - kfreebsd-9 (Unsupported in wheezy-lts) CVE-2016-1878 RESERVED CVE-2016-1877 RESERVED CVE-2016-1876 (The backend service process in Lenovo Solution Center (aka LSC) before ...) NOT-FOR-US: Lenovo CVE-2016-1875 RESERVED CVE-2016-1874 RESERVED CVE-2016-1873 RESERVED CVE-2016-1872 RESERVED CVE-2016-1871 RESERVED CVE-2016-1870 RESERVED CVE-2016-1869 RESERVED CVE-2016-1868 RESERVED CVE-2016-1866 (Salt 2015.8.x before 2015.8.4 does not properly handle clear messages ...) - salt 2015.8.5+ds-1 [jessie] - salt (affects only the 2015.8.x releases of Salt) NOTE: https://docs.saltstack.com/en/latest/topics/releases/2015.8.5.html CVE-2016-1865 (The kernel in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before ...) NOT-FOR-US: Apple CVE-2016-1864 (The XSS auditor in WebKit, as used in Apple iOS before 9.3 and Safari ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-1863 (The kernel in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before ...) NOT-FOR-US: Apple CVE-2016-1862 (Intel Graphics Driver in Apple OS X before 10.11.5 allows attackers to ...) NOT-FOR-US: Apple CVE-2016-1861 (The NVIDIA Graphics Drivers subsystem in Apple OS X before 10.11.5 all ...) NOT-FOR-US: Apple CVE-2016-1860 (Intel Graphics Driver in Apple OS X before 10.11.5 allows attackers to ...) NOT-FOR-US: Apple CVE-2016-1859 (The WebKit Canvas implementation in Apple iOS before 9.3.2, Safari bef ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-1858 (WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tv ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-1857 (WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tv ...) - webkitgtk 2.12.3-1 (unimportant) NOTE: Not covered by security support CVE-2016-1856 (WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tv ...) - webkitgtk 2.12.3-1 (unimportant) NOTE: Not covered by security support CVE-2016-1855 (WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tv ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-1854 (WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tv ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-1853 (Tcl in Apple OS X before 10.11.5 allows remote attackers to obtain sen ...) NOT-FOR-US: Apple CVE-2016-1852 (Siri in Apple iOS before 9.3.2 does not block data detectors within re ...) NOT-FOR-US: Apple CVE-2016-1851 (The Screen Lock feature in Apple OS X before 10.11.5 mishandles passwo ...) NOT-FOR-US: Apple CVE-2016-1850 (SceneKit in Apple OS X before 10.11.5 allows remote attackers to execu ...) NOT-FOR-US: Apple CVE-2016-1849 (The "Clear History and Website Data" feature in Apple Safari before 9. ...) NOT-FOR-US: Apple CVE-2016-1848 (QuickTime in Apple OS X before 10.11.5 allows remote attackers to exec ...) NOT-FOR-US: Apple CVE-2016-1847 (OpenGL, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS b ...) NOT-FOR-US: Apple CVE-2016-1846 (The nvCommandQueue::GetHandleIndex method in the NVIDIA Graphics Drive ...) NOT-FOR-US: Apple CVE-2016-1845 REJECTED CVE-2016-1844 (The Messages component in Apple OS X before 10.11.5 mishandles roster ...) NOT-FOR-US: Apple CVE-2016-1843 (The Messages component in Apple OS X before 10.11.5 mishandles filenam ...) NOT-FOR-US: Apple CVE-2016-1842 (MapKit in Apple iOS before 9.3.2, OS X before 10.11.5, and watchOS bef ...) NOT-FOR-US: Apple CVE-2016-1841 (libxslt, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS ...) - libxslt 1.1.29-1 [jessie] - libxslt 1.1.28-2+deb8u1 [wheezy] - libxslt 1.1.26-14.1+deb7u1 NOTE: upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=758291 NOTE: upstream commit: https://git.gnome.org/browse/libxslt/commit/?id=fc1ff481fd01e9a65a921c542fed68d8c965e8a3 CVE-2016-1840 (Heap-based buffer overflow in the xmlFAParsePosCharGroup function in l ...) {DSA-3593-1 DLA-503-1} - libxml2 2.9.3+dfsg1-1.1 NOTE: https://git.gnome.org/browse/libxml2/commit/?id=cbb271655cadeb8dbb258a64701d9a3a0c4835b4 (v2.9.4) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=757711 CVE-2016-1839 (The xmlDictAddString function in libxml2 before 2.9.4, as used in Appl ...) {DSA-3593-1 DLA-503-1} - libxml2 2.9.3+dfsg1-1.1 NOTE: https://git.gnome.org/browse/libxml2/commit/?id=a820dbeac29d330bae4be05d9ecd939ad6b4aa33 (v2.9.4) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=758605 NOTE: https://code.google.com/p/google-security-research/issues/detail?id=637 CVE-2016-1838 (The xmlPArserPrintFileContextInternal function in libxml2 before 2.9.4 ...) {DSA-3593-1 DLA-503-1} - libxml2 2.9.3+dfsg1-1.1 NOTE: https://git.gnome.org/browse/libxml2/commit/?id=db07dd613e461df93dde7902c6505629bf0734e9 (v2.9.4) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=758588 NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=639 CVE-2016-1837 (Multiple use-after-free vulnerabilities in the (1) htmlPArsePubidLiter ...) {DSA-3593-1 DLA-503-1} - libxml2 2.9.3+dfsg1-1.1 NOTE: https://git.gnome.org/browse/libxml2/commit/?id=11ed4a7a90d5ce156a18980a4ad4e53e77384852 (v2.9.4) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=760263 CVE-2016-1836 (Use-after-free vulnerability in the xmlDictComputeFastKey function in ...) {DSA-3593-1} - libxml2 2.9.3+dfsg1-1.1 [wheezy] - libxml2 (Vulnerable code not present) NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=45752d2c334b50016666d8f0ec3691e2d680f0a0 (v2.9.4) NOTE: Introduced by: https://git.gnome.org/browse/libxml2/commit/?id=dcc19503193c71596278a252064a8ce66331b3cd (v2.9.2) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=759398 NOTE: Regression applies to Jessie, since fix backported as 0007-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch CVE-2016-1835 (Use-after-free vulnerability in the xmlSAX2AttributeNs function in lib ...) {DSA-3593-1 DLA-503-1} - libxml2 2.9.3+dfsg1-1.1 NOTE: https://git.gnome.org/browse/libxml2/commit/?id=38eae571111db3b43ffdeb05487c9f60551906fb (v2.9.4) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=759020 CVE-2016-1834 (Heap-based buffer overflow in the xmlStrncat function in libxml2 befor ...) {DSA-3593-1 DLA-503-1} - libxml2 2.9.3+dfsg1-1.1 NOTE: https://git.gnome.org/browse/libxml2/commit/?id=8fbbf5513d609c1770b391b99e33314cd0742704 (v2.9.4) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=763071 CVE-2016-1833 (The htmlCurrentChar function in libxml2 before 2.9.4, as used in Apple ...) {DSA-3593-1 DLA-503-1} - libxml2 2.9.3+dfsg1-1.1 NOTE: https://git.gnome.org/browse/libxml2/commit/?id=0bcd05c5cd83dec3406c8f68b769b1d610c72f76 (v2.9.4) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=758606 CVE-2016-1832 (libc in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1 ...) NOT-FOR-US: Apple CVE-2016-1831 (The kernel in Apple iOS before 9.3.2 and OS X before 10.11.5 allows at ...) NOT-FOR-US: Apple CVE-2016-1830 (The kernel in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before ...) NOT-FOR-US: Apple CVE-2016-1829 (The kernel in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before ...) NOT-FOR-US: Apple CVE-2016-1828 (The kernel in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before ...) NOT-FOR-US: Apple CVE-2016-1827 (The kernel in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before ...) NOT-FOR-US: Apple CVE-2016-1826 (Integer overflow in the dtrace implementation in the kernel in Apple O ...) NOT-FOR-US: Apple CVE-2016-1825 (IOHIDFamily in Apple OS X before 10.11.5 allows attackers to execute a ...) NOT-FOR-US: Apple CVE-2016-1824 (IOHIDFamily in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS befor ...) NOT-FOR-US: Apple CVE-2016-1823 (The IOHIDDevice::handleReportWithTime function in Apple iOS before 9.3 ...) NOT-FOR-US: Apple CVE-2016-1822 (IOFireWireFamily in Apple OS X before 10.11.5 allows attackers to exec ...) NOT-FOR-US: Apple CVE-2016-1821 (IOAudioFamily in Apple OS X before 10.11.5 allows attackers to execute ...) NOT-FOR-US: Apple CVE-2016-1820 (Buffer overflow in IOAudioFamily in Apple OS X before 10.11.5 allows a ...) NOT-FOR-US: Apple CVE-2016-1819 (Use-after-free vulnerability in the IOAccelContext2::clientMemoryForTy ...) NOT-FOR-US: Apple CVE-2016-1818 (IOAcceleratorFamily in Apple iOS before 9.3.2, OS X before 10.11.5, tv ...) NOT-FOR-US: Apple CVE-2016-1817 (IOAcceleratorFamily in Apple iOS before 9.3.2, OS X before 10.11.5, tv ...) NOT-FOR-US: Apple CVE-2016-1816 (IOAcceleratorFamily in Apple OS X before 10.11.5 allows attackers to e ...) NOT-FOR-US: Apple CVE-2016-1815 (IOAcceleratorFamily in Apple OS X before 10.11.5 allows attackers to e ...) NOT-FOR-US: Apple CVE-2016-1814 (IOAcceleratorFamily in Apple iOS before 9.3.2, OS X before 10.11.5, an ...) NOT-FOR-US: Apple CVE-2016-1813 (The IOAccelSharedUserClient2::page_off_resource method in Apple iOS be ...) NOT-FOR-US: Apple CVE-2016-1812 (Buffer overflow in Intel Graphics Driver in Apple OS X before 10.11.5 ...) NOT-FOR-US: Apple CVE-2016-1811 (ImageIO in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9. ...) NOT-FOR-US: Apple CVE-2016-1810 (The Graphics Drivers subsystem in Apple OS X before 10.11.5 allows att ...) NOT-FOR-US: Apple CVE-2016-1809 (Disk Utility in Apple OS X before 10.11.5 uses incorrect encryption ke ...) NOT-FOR-US: Apple CVE-2016-1808 (The Disk Images subsystem in Apple iOS before 9.3.2, OS X before 10.11 ...) NOT-FOR-US: Apple CVE-2016-1807 (Race condition in the Disk Images subsystem in Apple iOS before 9.3.2, ...) NOT-FOR-US: Apple CVE-2016-1806 (Crash Reporter in Apple OS X before 10.11.5 allows attackers to execut ...) NOT-FOR-US: Apple CVE-2016-1805 (CoreStorage in Apple OS X before 10.11.5 allows attackers to execute a ...) NOT-FOR-US: Apple CVE-2016-1804 (The Multi-Touch subsystem in Apple OS X before 10.11.5 allows attacker ...) NOT-FOR-US: Apple CVE-2016-1803 (CoreCapture in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS befor ...) NOT-FOR-US: Apple CVE-2016-1802 (CCCrypt in CommonCrypto in Apple iOS before 9.3.2, OS X before 10.11.5 ...) NOT-FOR-US: Apple CVE-2016-1801 (The CFNetwork Proxies subsystem in Apple iOS before 9.3.2, OS X before ...) NOT-FOR-US: Apple CVE-2016-1800 (Captive Network Assistant in Apple OS X before 10.11.5 mishandles a cu ...) NOT-FOR-US: Apple CVE-2016-1799 (Audio in Apple OS X before 10.11.5 allows attackers to execute arbitra ...) NOT-FOR-US: Apple CVE-2016-1798 (Audio in Apple OS X before 10.11.5 allows attackers to cause a denial ...) NOT-FOR-US: Apple CVE-2016-1797 (Apple Type Services (ATS) in Apple OS X before 10.11.5 allows attacker ...) NOT-FOR-US: Apple CVE-2016-1796 (Apple Type Services (ATS) in Apple OS X before 10.11.5 allows attacker ...) NOT-FOR-US: Apple CVE-2016-1795 (AppleGraphicsPowerManagement in Apple OS X before 10.11.5 allows attac ...) NOT-FOR-US: Apple CVE-2016-1794 (The AppleGraphicsControlClient::checkArguments method in AppleGraphics ...) NOT-FOR-US: Apple CVE-2016-1793 (AppleGraphicsDeviceControlClient in Apple OS X before 10.11.5 allows a ...) NOT-FOR-US: Apple CVE-2016-1792 (The AMD subsystem in Apple OS X before 10.11.5 allows attackers to exe ...) NOT-FOR-US: Apple CVE-2016-1791 (The AMD subsystem in Apple OS X before 10.11.5 allows attackers to obt ...) NOT-FOR-US: Apple CVE-2016-1790 (Buffer overflow in the Accessibility component in Apple iOS before 9.3 ...) NOT-FOR-US: Apple CVE-2016-1789 (Apple iBooks Author before 2.4.1 allows remote attackers to read arbit ...) NOT-FOR-US: Apple CVE-2016-1788 (Messages in Apple iOS before 9.3, OS X before 10.11.4, and watchOS bef ...) NOT-FOR-US: Apple CVE-2016-1787 (Wiki Server in Apple OS X Server before 5.1 allows remote attackers to ...) NOT-FOR-US: Apple CVE-2016-1786 (The Page Loading implementation in WebKit in Apple iOS before 9.3 and ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-1785 (The Page Loading implementation in WebKit in Apple iOS before 9.3 and ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-1784 (The History implementation in WebKit in Apple iOS before 9.3, Safari b ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-1783 (WebKit in Apple iOS before 9.3, Safari before 9.1, and tvOS before 9.2 ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-1782 (WebKit in Apple iOS before 9.3 and Safari before 9.1 does not properly ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-1781 (WebKit in Apple iOS before 9.3 and Safari before 9.1 mishandles attach ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-1780 (WebKit in Apple iOS before 9.3 does not prevent hidden web views from ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-1779 (WebKit in Apple iOS before 9.3 and Safari before 9.1 allows remote att ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-1778 (WebKit in Apple iOS before 9.3 and Safari before 9.1 allows remote att ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-1777 (Web Server in Apple OS X Server before 5.1 supports the RC4 algorithm, ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-1776 (Web Server in Apple OS X Server before 5.1 does not properly restrict ...) NOT-FOR-US: Webkit as used by Apple CVE-2016-1775 (TrueTypeScaler in Apple iOS before 9.3, OS X before 10.11.4, tvOS befo ...) NOT-FOR-US: Apple CVE-2016-1774 (The Time Machine server in Server App in Apple OS X Server before 5.1 ...) NOT-FOR-US: Apple CVE-2016-1773 (The code-signing subsystem in Apple OS X before 10.11.4 does not prope ...) NOT-FOR-US: Apple CVE-2016-1772 (The Top Sites feature in Apple Safari before 9.1 mishandles cookie sto ...) NOT-FOR-US: Apple CVE-2016-1771 (The Downloads feature in Apple Safari before 9.1 mishandles file expan ...) NOT-FOR-US: Apple CVE-2016-1770 (The Reminders component in Apple OS X before 10.11.4 allows attackers ...) NOT-FOR-US: Apple CVE-2016-1769 (QuickTime in Apple OS X before 10.11.4 allows remote attackers to exec ...) NOT-FOR-US: Apple CVE-2016-1768 (QuickTime in Apple OS X before 10.11.4 allows remote attackers to exec ...) NOT-FOR-US: Apple CVE-2016-1767 (QuickTime in Apple OS X before 10.11.4 allows remote attackers to exec ...) NOT-FOR-US: Apple CVE-2016-1766 (The Profiles component in Apple iOS before 9.3 does not properly valid ...) NOT-FOR-US: Apple CVE-2016-1765 (otool in Apple Xcode before 7.3 allows local users to gain privileges ...) NOT-FOR-US: Apple CVE-2016-1764 (The Content Security Policy (CSP) implementation in Messages in Apple ...) NOT-FOR-US: Apple CVE-2016-1763 (Messages in Apple iOS before 9.3 does not ensure that an auto-fill act ...) NOT-FOR-US: Apple CVE-2016-1762 (The xmlNextChar function in libxml2 before 2.9.4 allows remote attacke ...) {DSA-3593-1 DLA-503-1} - libxml2 2.9.3+dfsg1-1.1 NOTE: https://git.gnome.org/browse/libxml2/commit/?id=a7a94612aa3b16779e2c74e1fa353b5d9786c602 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=759671 CVE-2016-1761 (libxml2 in Apple iOS before 9.3, OS X before 10.11.4, and watchOS befo ...) NOT-FOR-US: No public details available, probably Apple specific libxml2 changes NOTE: Marking as NFU since a regular libxml2 security issue would have trickled down NOTE: via libxml upstream CVE-2016-1760 (The XPC Services API in LaunchServices in Apple iOS before 9.3 allows ...) NOT-FOR-US: Apple CVE-2016-1759 (The kernel in Apple OS X before 10.11.4 allows attackers to execute ar ...) NOT-FOR-US: Apple CVE-2016-1758 (The kernel in Apple iOS before 9.3 and OS X before 10.11.4 allows atta ...) NOT-FOR-US: Apple CVE-2016-1757 (Race condition in the kernel in Apple iOS before 9.3 and OS X before 1 ...) NOT-FOR-US: Apple CVE-2016-1756 (The kernel in Apple iOS before 9.3 and OS X before 10.11.4 allows atta ...) NOT-FOR-US: Apple CVE-2016-1755 (The kernel in Apple iOS before 9.3, OS X before 10.11.4, tvOS before 9 ...) NOT-FOR-US: Apple CVE-2016-1754 (The kernel in Apple iOS before 9.3, OS X before 10.11.4, tvOS before 9 ...) NOT-FOR-US: Apple CVE-2016-1753 (Multiple integer overflows in the kernel in Apple iOS before 9.3, OS X ...) NOT-FOR-US: Apple CVE-2016-1752 (The kernel in Apple iOS before 9.3, OS X before 10.11.4, tvOS before 9 ...) NOT-FOR-US: Apple CVE-2016-1751 (The kernel in Apple iOS before 9.3, tvOS before 9.2, and watchOS befor ...) NOT-FOR-US: Apple CVE-2016-1750 (Use-after-free vulnerability in the kernel in Apple iOS before 9.3, OS ...) NOT-FOR-US: Apple CVE-2016-1749 (IOUSBFamily in Apple OS X before 10.11.4 allows attackers to execute a ...) NOT-FOR-US: Apple CVE-2016-1748 (IOHIDFamily in Apple iOS before 9.3, OS X before 10.11.4, tvOS before ...) NOT-FOR-US: Apple CVE-2016-1747 (IOGraphics in Apple OS X before 10.11.4 allows attackers to execute ar ...) NOT-FOR-US: Apple CVE-2016-1746 (IOGraphics in Apple OS X before 10.11.4 allows attackers to execute ar ...) NOT-FOR-US: Apple CVE-2016-1745 (IOFireWireFamily in Apple OS X before 10.11.4 allows local users to ca ...) NOT-FOR-US: Apple CVE-2016-1744 (The Intel driver in the Graphics Drivers subsystem in Apple OS X befor ...) NOT-FOR-US: Apple CVE-2016-1743 (The Intel driver in the Graphics Drivers subsystem in Apple OS X befor ...) NOT-FOR-US: Apple CVE-2016-1742 (Untrusted search path vulnerability in the installer in Apple iTunes b ...) NOT-FOR-US: Apple CVE-2016-1741 (The NVIDIA driver in the Graphics Drivers subsystem in Apple OS X befo ...) NOT-FOR-US: Apple / NVIDIA CVE-2016-1740 (FontParser in Apple iOS before 9.3, OS X before 10.11.4, tvOS before 9 ...) NOT-FOR-US: Apple CVE-2016-1739 REJECTED CVE-2016-1738 (dyld in Apple OS X before 10.11.4 allows attackers to bypass a code-si ...) NOT-FOR-US: Apple CVE-2016-1737 (Carbon in Apple OS X before 10.11.4 allows remote attackers to execute ...) NOT-FOR-US: Apple CVE-2016-1736 (Bluetooth in Apple OS X before 10.11.4 allows attackers to execute arb ...) NOT-FOR-US: Apple CVE-2016-1735 (Bluetooth in Apple OS X before 10.11.4 allows attackers to execute arb ...) NOT-FOR-US: Apple CVE-2016-1734 (AppleUSBNetworking in Apple iOS before 9.3 and OS X before 10.11.4 all ...) NOT-FOR-US: Apple CVE-2016-1733 (AppleRAID in Apple OS X before 10.11.4 allows attackers to execute arb ...) NOT-FOR-US: Apple CVE-2016-1732 (AppleRAID in Apple OS X before 10.11.4 allows local users to obtain se ...) NOT-FOR-US: Apple CVE-2016-1731 (Apple Software Update before 2.2 on Windows does not use HTTPS, which ...) NOT-FOR-US: Apple CVE-2016-1730 (WebSheet in Apple iOS before 9.2.1 allows remote attackers to read or ...) NOT-FOR-US: Apple iOS CVE-2016-1729 (Untrusted search path vulnerability in OSA Scripts in Apple OS X befor ...) NOT-FOR-US: Apple CVE-2016-1728 (The Cascading Style Sheets (CSS) implementation in Apple iOS before 9. ...) NOT-FOR-US: Apple iOS CVE-2016-1727 (WebKit, as used in Apple iOS before 9.2.1, Safari before 9.0.3, and tv ...) NOT-FOR-US: Apple iOS CVE-2016-1726 (WebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3, all ...) NOT-FOR-US: Apple iOS CVE-2016-1725 (WebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3, all ...) NOT-FOR-US: Apple iOS CVE-2016-1724 (WebKit, as used in Apple iOS before 9.2.1, Safari before 9.0.3, and tv ...) NOT-FOR-US: Apple iOS CVE-2016-1723 (WebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3, all ...) NOT-FOR-US: Apple iOS CVE-2016-1722 (syslog in Apple iOS before 9.2.1, OS X before 10.11.3, and tvOS before ...) NOT-FOR-US: Apple iOS CVE-2016-1721 (The kernel in Apple iOS before 9.2.1, OS X before 10.11.3, and tvOS be ...) NOT-FOR-US: Apple iOS CVE-2016-1720 (IOKit in Apple iOS before 9.2.1, OS X before 10.11.3, and tvOS before ...) NOT-FOR-US: Apple iOS CVE-2016-1719 (The IOHIDFamily API in Apple iOS before 9.2.1, OS X before 10.11.3, an ...) NOT-FOR-US: Apple iOS CVE-2016-1718 (The IOAcceleratorFamily2 interface in IOAcceleratorFamily in Apple OS ...) NOT-FOR-US: Apple iOS CVE-2016-1717 (The Disk Images component in Apple iOS before 9.2.1, OS X before 10.11 ...) NOT-FOR-US: Apple CVE-2016-1716 (AppleGraphicsPowerManagement in Apple OS X before 10.11.3 allows local ...) NOT-FOR-US: Apple CVE-2016-1908 (The client in OpenSSH before 7.2 mishandles failed cookie generation f ...) {DLA-1500-1} - openssh 1:7.2p1-1 [wheezy] - openssh (Minor issue) [squeeze] - openssh (Minor issue) NOTE: Upstream commit: https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c NOTE: which needs to be applied after: https://anongit.mindrot.org/openssh.git/commit/?id=f98a09cacff7baad8748c9aa217afd155a4d493f NOTE: Background information on X11 SECURITY extension and SSH: https://thejh.net/written-stuff/openssh-6.8-xsecurity NOTE: https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034684.html NOTE: Red Hat Bugzilla entry: https://bugzilla.redhat.com/show_bug.cgi?id=1298741 NOTE: vulnerability is partly due to /etc/X11/Xsession.d/35x11-common_xhost-local introduced in x11-common in 1:7.6+9 (wheezy and up) NOTE: https://lists.debian.org/debian-lts/2016/01/msg00029.html NOTE: Upstream announce: http://www.openssh.com/txt/release-7.2 CVE-2016-1907 (The ssh_packet_read_poll2 function in packet.c in OpenSSH before 7.1p2 ...) - openssh 1:7.1p2-1 [jessie] - openssh (Vulnerable code not present; Introduced in OpenSSH 6.8) [wheezy] - openssh (Vulnerable code not present; Introduced in OpenSSH 6.8) [squeeze] - openssh (Issue introduced in OpenSSH 6.8) NOTE: Fixed by: https://anongit.mindrot.org/openssh.git/commit/?id=2fecfd486bdba9f51b3a789277bb0733ca36e1c0 NOTE: Introduced by: https://anongit.mindrot.org/openssh.git/commit/packet.c?id=091c302829210c41e7f57c3f094c7b9c054306f0 (V_6_8_P1) CVE-2016-1898 (FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and ...) {DSA-3506-1} - ffmpeg 7:2.8.5-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav NOTE: http://habrahabr.ru/company/mailru/blog/274855 NOTE: Fixed in 2.8.5 upstream CVE-2016-1897 (FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and ...) {DSA-3506-1} - ffmpeg 7:2.8.5-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav NOTE: http://habrahabr.ru/company/mailru/blog/274855 NOTE: Fixed in 2.8.5 upstream CVE-2016-1867 (The jpc_pi_nextcprl function in JasPer 1.900.1 allows remote attackers ...) {DSA-3785-1} - jasper (bug #811023) [jessie] - jasper (Minor issue) [wheezy] - jasper (Minor issue) [squeeze] - jasper (Minor issue) CVE-2016-1715 (The swin.sys kernel driver in McAfee Application Control (MAC) 6.1.0 b ...) NOT-FOR-US: swin.sys kernel driver in McAfee Application Control CVE-2016-1713 (Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyD ...) NOT-FOR-US: vTiger CVE-2016-1712 (Palo Alto Networks PAN-OS before 5.0.19, 5.1.x before 5.1.12, 6.0.x be ...) NOT-FOR-US: Palo Alto Networks CVE-2015-8779 (Stack-based buffer overflow in the catopen function in the GNU C Libra ...) {DSA-3481-1 DSA-3480-1 DLA-411-1} - glibc 2.21-7 (bug #812455) - eglibc NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=17905#c0 CVE-2015-8778 (Integer overflow in the GNU C Library (aka glibc or libc6) before 2.23 ...) {DSA-3481-1 DSA-3480-1 DLA-411-1} - glibc 2.21-8 (bug #812441) - eglibc NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=18240 CVE-2015-8776 (The strftime function in the GNU C Library (aka glibc or libc6) before ...) {DSA-3481-1 DSA-3480-1 DLA-411-1} - glibc 2.21-7 (bug #812445) - eglibc NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=18985 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d36c75fc0d44deec29635dd239b0fbd206ca49b7 CVE-2015-8771 (The generate_smb_nt_hash function in include/functions.inc in GOsa all ...) {DLA-562-1 DLA-408-1} - gosa 2.7.4+reloaded2-6 [jessie] - gosa 2.7.4+reloaded2-1+deb8u2 NOTE: https://github.com/gosa-project/gosa-core/commit/a67a047cba2cdae8bccb0f0e2bc6d3eb45cfcbc8 CVE-2015-8770 (Directory traversal vulnerability in the set_skin function in program/ ...) {DSA-3541-1 DLA-392-1} - roundcube 1.1.4+dfsg.1-1 NOTE: http://web.archive.org/web/20160329044421/http://roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released NOTE: https://github.com/roundcube/roundcubemail/commit/10e5192a2b1bc90ec137f5e69d0aa072c1210d6d CVE-2015-8769 (SQL injection vulnerability in Joomla! 3.x before 3.4.7 allows attacke ...) NOT-FOR-US: Joomla! CVE-2016-1711 (WebKit/Source/core/loader/FrameLoader.cpp in Blink, as used in Google ...) {DSA-3637-1} - chromium-browser 52.0.2743.82-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1710 (The ChromeClientImpl::createWindow method in WebKit/Source/web/ChromeC ...) {DSA-3637-1} - chromium-browser 52.0.2743.82-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1709 (Heap-based buffer overflow in the ByteArray::Get method in data/byte_a ...) {DSA-3637-1} - chromium-browser 52.0.2743.82-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1708 (The Chrome Web Store inline-installation implementation in the Extensi ...) {DSA-3637-1} - chromium-browser 52.0.2743.82-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1707 (ios/web/web_state/ui/crw_web_controller.mm in Google Chrome before 52. ...) {DSA-3637-1} - chromium-browser (Only affects chromium-browser on iOS) CVE-2016-1706 (The PPAPI implementation in Google Chrome before 52.0.2743.82 does not ...) {DSA-3637-1} - chromium-browser 52.0.2743.82-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1705 (Multiple unspecified vulnerabilities in Google Chrome before 52.0.2743 ...) {DSA-3637-1} - chromium-browser 52.0.2743.82-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1704 (Multiple unspecified vulnerabilities in Google Chrome before 51.0.2704 ...) {DSA-3637-1} - chromium-browser 52.0.2743.82-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1703 (Multiple unspecified vulnerabilities in Google Chrome before 51.0.2704 ...) {DSA-3594-1} - chromium-browser 51.0.2704.79-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1702 (The SkRegion::readFromMemory function in core/SkRegion.cpp in Skia, as ...) {DSA-3594-1} - chromium-browser 51.0.2704.79-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1701 (The Autofill implementation in Google Chrome before 51.0.2704.79 misha ...) {DSA-3594-1} - chromium-browser 51.0.2704.79-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1700 (extensions/renderer/runtime_custom_bindings.cc in Google Chrome before ...) {DSA-3594-1} - chromium-browser 51.0.2704.79-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1699 (WebKit/Source/devtools/front_end/devtools.js in the Developer Tools (a ...) {DSA-3594-1} - chromium-browser 51.0.2704.79-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1698 (The createCustomType function in extensions/renderer/resources/binding ...) {DSA-3594-1} - chromium-browser 51.0.2704.79-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1697 (The FrameLoader::startLoad function in WebKit/Source/core/loader/Frame ...) {DSA-3594-1} - chromium-browser 51.0.2704.79-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1696 (The extensions subsystem in Google Chrome before 51.0.2704.79 does not ...) {DSA-3594-1} - chromium-browser 51.0.2704.79-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1695 (Multiple unspecified vulnerabilities in Google Chrome before 51.0.2704 ...) {DSA-3590-1} - chromium-browser 51.0.2704.63-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1694 (browser/browsing_data/browsing_data_remover.cc in Google Chrome before ...) {DSA-3590-1} - chromium-browser 51.0.2704.63-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1693 (browser/safe_browsing/srt_field_trial_win.cc in Google Chrome before 5 ...) {DSA-3590-1} - chromium-browser 51.0.2704.63-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1692 (WebKit/Source/core/css/StyleSheetContents.cpp in Blink, as used in Goo ...) {DSA-3590-1} - chromium-browser 51.0.2704.63-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1691 (Skia, as used in Google Chrome before 51.0.2704.63, mishandles coincid ...) {DSA-3590-1} - chromium-browser 51.0.2704.63-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1690 (The Autofill implementation in Google Chrome before 51.0.2704.63 misha ...) {DSA-3590-1} - chromium-browser 51.0.2704.63-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1689 (Heap-based buffer overflow in content/renderer/media/canvas_capture_ha ...) {DSA-3590-1} - chromium-browser 51.0.2704.63-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1688 (The regexp (aka regular expression) implementation in Google V8 before ...) {DSA-3590-1} - chromium-browser 51.0.2704.63-1 [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2016-1687 (The renderer implementation in Google Chrome before 51.0.2704.63 does ...) {DSA-3590-1} - chromium-browser 51.0.2704.63-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1686 (The CPDF_DIBSource::CreateDecoder function in core/fpdfapi/fpdf_render ...) {DSA-3590-1} - chromium-browser 51.0.2704.63-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1685 (core/fxge/ge/fx_ge_text.cpp in PDFium, as used in Google Chrome before ...) {DSA-3590-1} - chromium-browser 51.0.2704.63-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1684 (numbers.c in libxslt before 1.1.29, as used in Google Chrome before 51 ...) {DSA-3605-1 DSA-3590-1 DLA-514-1} - libxslt 1.1.29-1 NOTE: https://git.gnome.org/browse/libxslt/commit/?id=91d0540ac9beaa86719a05b749219a69baa0dd8d (v1.1.29-rc1) - chromium-browser 51.0.2704.63-1 [wheezy] - chromium-browser (Not supported in Wheezy) NOTE: Chromium bug report: https://code.google.com/p/chromium/issues/detail?id=583171 CVE-2016-1683 (numbers.c in libxslt before 1.1.29, as used in Google Chrome before 51 ...) {DSA-3605-1 DSA-3590-1 DLA-514-1} - libxslt 1.1.29-1 NOTE: https://git.gnome.org/browse/libxslt/commit/?id=d182d8f6ba3071503d96ce17395c9d55871f0242 (v1.1.29-rc1) - chromium-browser 51.0.2704.63-1 [wheezy] - chromium-browser (Not supported in Wheezy) NOTE: Chromium bug report: https://code.google.com/p/chromium/issues/detail?id=583156 CVE-2016-1682 (The ServiceWorkerContainer::registerServiceWorkerImpl function in WebK ...) {DSA-3590-1} - chromium-browser 51.0.2704.63-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1681 (Heap-based buffer overflow in the opj_j2k_read_SPCod_SPCoc function in ...) {DSA-3590-1} - chromium-browser 51.0.2704.63-1 [wheezy] - chromium-browser (Not supported in Wheezy) NOTE: http://blog.talosintel.com/2016/06/pdfium.html CVE-2016-1680 (Use-after-free vulnerability in ports/SkFontHost_FreeType.cpp in Skia, ...) {DSA-3590-1} - chromium-browser 51.0.2704.63-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1679 (The ToV8Value function in content/child/v8_value_converter_impl.cc in ...) {DSA-3590-1} - chromium-browser 51.0.2704.63-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1678 (objects.cc in Google V8 before 5.0.71.32, as used in Google Chrome bef ...) {DSA-3590-1} - chromium-browser 51.0.2704.63-1 [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2016-1677 (uri.js in Google V8 before 5.1.281.26, as used in Google Chrome before ...) {DSA-3590-1} - chromium-browser 51.0.2704.63-1 [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2016-1676 (extensions/renderer/resources/binding.js in the extension bindings in ...) {DSA-3590-1} - chromium-browser 51.0.2704.63-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1675 (Blink, as used in Google Chrome before 51.0.2704.63, allows remote att ...) {DSA-3590-1} - chromium-browser 51.0.2704.63-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1674 (The extensions subsystem in Google Chrome before 51.0.2704.63 allows r ...) {DSA-3590-1} - chromium-browser 51.0.2704.63-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1673 (Blink, as used in Google Chrome before 51.0.2704.63, allows remote att ...) {DSA-3590-1} - chromium-browser 51.0.2704.63-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1672 (The ModuleSystem::RequireForJsInner function in extensions/renderer/mo ...) {DSA-3590-1} - chromium-browser 51.0.2704.63-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1671 (Google Chrome before 50.0.2661.102 on Android mishandles / (slash) and ...) - chromium-browser (Android-specific) CVE-2016-1670 (Race condition in the ResourceDispatcherHostImpl::BeginRequest functio ...) {DSA-3590-1} - chromium-browser 51.0.2704.63-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1669 (The Zone::New function in zone.cc in Google V8 before 5.0.71.47, as us ...) {DSA-3590-1} - chromium-browser 51.0.2704.63-1 [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) - nodejs 4.4.6~dfsg-1 (unimportant) NOTE: libv8 not covered by security support CVE-2016-1668 (The forEachForBinding function in WebKit/Source/bindings/core/v8/Itera ...) {DSA-3590-1} - chromium-browser 51.0.2704.63-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1667 (The TreeScope::adoptIfNeeded function in WebKit/Source/core/dom/TreeSc ...) {DSA-3590-1} - chromium-browser 51.0.2704.63-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1666 (Multiple unspecified vulnerabilities in Google Chrome before 50.0.2661 ...) {DSA-3564-1} - chromium-browser 50.0.2661.94-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1665 (The JSGenericLowering class in compiler/js-generic-lowering.cc in Goog ...) {DSA-3564-1} - chromium-browser 50.0.2661.94-1 [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2016-1664 (The HistoryController::UpdateForCommit function in content/renderer/hi ...) {DSA-3564-1} - chromium-browser 50.0.2661.94-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1663 (The SerializedScriptValue::transferArrayBuffers function in WebKit/Sou ...) {DSA-3564-1} - chromium-browser 50.0.2661.94-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1662 (extensions/renderer/gc_callback.cc in Google Chrome before 50.0.2661.9 ...) {DSA-3564-1} - chromium-browser 50.0.2661.94-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1661 (Blink, as used in Google Chrome before 50.0.2661.94, does not ensure t ...) {DSA-3564-1} - chromium-browser 50.0.2661.94-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1660 (Blink, as used in Google Chrome before 50.0.2661.94, mishandles assert ...) {DSA-3564-1} - chromium-browser 50.0.2661.94-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1659 (Multiple unspecified vulnerabilities in Google Chrome before 50.0.2661 ...) {DSA-3549-1} - chromium-browser 50.0.2661.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1658 (The Extensions subsystem in Google Chrome before 50.0.2661.75 incorrec ...) {DSA-3549-1} - chromium-browser 50.0.2661.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1657 (The WebContentsImpl::FocusLocationBarByDefault function in content/bro ...) {DSA-3549-1} - chromium-browser 50.0.2661.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1656 (The download implementation in Google Chrome before 50.0.2661.75 on An ...) - chromium-browser (Android-specific) CVE-2016-1655 (Google Chrome before 50.0.2661.75 does not properly consider that fram ...) {DSA-3549-1} - chromium-browser 50.0.2661.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1654 (The media subsystem in Google Chrome before 50.0.2661.75 does not init ...) {DSA-3549-1} - chromium-browser 50.0.2661.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1653 (The LoadBuffer implementation in Google V8, as used in Google Chrome b ...) {DSA-3549-1} - chromium-browser 50.0.2661.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2016-1652 (Cross-site scripting (XSS) vulnerability in the ModuleSystem::RequireF ...) {DSA-3549-1} - chromium-browser 50.0.2661.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1651 (fxcodec/codec/fx_codec_jpx_opj.cpp in PDFium, as used in Google Chrome ...) {DSA-3549-1} - chromium-browser 50.0.2661.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1650 (The PageCaptureSaveAsMHTMLFunction::ReturnFailure function in browser/ ...) {DSA-3531-1} - chromium-browser 49.0.2623.108-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1649 (The Program::getUniformInternal function in Program.cpp in libANGLE, a ...) {DSA-3531-1} - chromium-browser 49.0.2623.108-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1648 (Use-after-free vulnerability in the GetLoadTimes function in renderer/ ...) {DSA-3531-1} - chromium-browser 49.0.2623.108-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1647 (Use-after-free vulnerability in the RenderWidgetHostImpl::Destroy func ...) {DSA-3531-1} - chromium-browser 49.0.2623.108-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1646 (The Array.prototype.concat implementation in builtins.cc in Google V8, ...) {DSA-3531-1} - chromium-browser 49.0.2623.108-1 [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2016-1645 (Multiple integer signedness errors in the opj_j2k_update_image_data fu ...) {DSA-3513-1} - chromium-browser 49.0.2623.87-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1644 (WebKit/Source/core/layout/LayoutObject.cpp in Blink, as used in Google ...) {DSA-3513-1} - chromium-browser 49.0.2623.87-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1643 (The ImageInputType::ensurePrimaryContent function in WebKit/Source/cor ...) {DSA-3513-1} - chromium-browser 49.0.2623.87-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-1642 (Multiple unspecified vulnerabilities in Google Chrome before 49.0.2623 ...) {DSA-3507-1} - chromium-browser 49.0.2623.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1641 (Use-after-free vulnerability in content/browser/web_contents/web_conte ...) {DSA-3507-1} - chromium-browser 49.0.2623.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1640 (The Web Store inline-installer implementation in the Extensions UI in ...) {DSA-3507-1} - chromium-browser 49.0.2623.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1639 (Use-after-free vulnerability in browser/extensions/api/webrtc_audio_pr ...) {DSA-3507-1} - chromium-browser 49.0.2623.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1638 (extensions/renderer/resources/platform_app.js in the Extensions subsys ...) {DSA-3507-1} - chromium-browser 49.0.2623.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1637 (The SkATan2_255 function in effects/gradients/SkSweepGradient.cpp in S ...) {DSA-3507-1} - chromium-browser 49.0.2623.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1636 (The PendingScript::notifyFinished function in WebKit/Source/core/dom/P ...) {DSA-3507-1} - chromium-browser 49.0.2623.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1635 (extensions/renderer/render_frame_observer_natives.cc in Google Chrome ...) {DSA-3507-1} - chromium-browser 49.0.2623.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1634 (Use-after-free vulnerability in the StyleResolver::appendCSSStyleSheet ...) {DSA-3507-1} - chromium-browser 49.0.2623.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1633 (Use-after-free vulnerability in Blink, as used in Google Chrome before ...) {DSA-3507-1} - chromium-browser 49.0.2623.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1632 (The Extensions subsystem in Google Chrome before 49.0.2623.75 does not ...) {DSA-3507-1} - chromium-browser 49.0.2623.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1631 (The PPB_Flash_MessageLoop_Impl::InternalRun function in content/render ...) {DSA-3507-1} - chromium-browser 49.0.2623.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1630 (The ContainerNode::parserRemoveChild function in WebKit/Source/core/do ...) {DSA-3507-1} - chromium-browser 49.0.2623.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1629 (Google Chrome before 48.0.2564.116 allows remote attackers to bypass t ...) {DSA-3486-1} - chromium-browser 48.0.2564.116-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1628 (pi.c in OpenJPEG, as used in PDFium in Google Chrome before 48.0.2564. ...) {DSA-4013-1 DSA-3486-1} - openjpeg [jessie] - openjpeg (Vulnerable code introduced later) [wheezy] - openjpeg (Vulnerable code introduced later) - openjpeg2 2.1.2-1.2 - chromium-browser 48.0.2564.116-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) NOTE: openjpeg2 fixed in google by https://pdfium.googlesource.com/pdfium.git/+/76c995796f95fd4c54c5f11d2a04392f16478619%5E%21/#F2 NOTE: https://github.com/uclouvain/openjpeg/issues/850 NOTE: https://github.com/uclouvain/openjpeg/commit/11445eddad7e7fa5b273d1c83c91011c44e5d586 CVE-2016-1627 (The Developer Tools (aka DevTools) subsystem in Google Chrome before 4 ...) {DSA-3486-1} - chromium-browser 48.0.2564.116-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1626 (The opj_pi_update_decode_poc function in pi.c in OpenJPEG, as used in ...) {DSA-4013-1 DSA-3486-1} - openjpeg [jessie] - openjpeg (Vulnerable code introduced later) [wheezy] - openjpeg (Vulnerable code introduced later) - openjpeg2 2.1.2-1.2 - chromium-browser 48.0.2564.116-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) NOTE: openjpeg2 fixed in google by https://pdfium.googlesource.com/pdfium.git/+/76c995796f95fd4c54c5f11d2a04392f16478619%5E%21/#F2 NOTE: https://github.com/uclouvain/openjpeg/issues/850 NOTE: https://github.com/uclouvain/openjpeg/commit/11445eddad7e7fa5b273d1c83c91011c44e5d586 CVE-2016-1625 (The Chrome Instant feature in Google Chrome before 48.0.2564.109 does ...) {DSA-3486-1} - chromium-browser 48.0.2564.116-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1624 (Integer underflow in the ProcessCommandsInternal function in dec/decod ...) {DSA-3486-1} - chromium-browser 48.0.2564.116-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) - brotli 0.3.0+dfsg-3 (bug #817233) NOTE: https://codereview.chromium.org/1662313002 NOTE: https://codereview.chromium.org/1662313002/diff/1/third_party/brotli/dec/decode.c NOTE: Same fix/change as for CVE-2016-1968 CVE-2016-1623 (The DOM implementation in Google Chrome before 48.0.2564.109 does not ...) {DSA-3486-1} - chromium-browser 48.0.2564.116-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1622 (The Extensions subsystem in Google Chrome before 48.0.2564.109 does no ...) {DSA-3486-1} - chromium-browser 48.0.2564.116-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1621 (libvpx in mediaserver in Android 4.x before 4.4.4, 5.x before 5.1.1 LM ...) - libvpx 1.6.1-1 [jessie] - libvpx (Vulnerable code not present, libwebm not yet included) [wheezy] - libvpx (Vulnerable code not present, libwebm not yet included) NOTE: https://android.googlesource.com/platform/external/libvpx/+/04839626ed859623901ebd3a5fd483982186b59d%5E!/#F1 NOTE: probably fixed earlier than this version, but this was the version checked CVE-2016-1620 (Multiple unspecified vulnerabilities in Google Chrome before 48.0.2564 ...) {DSA-3456-1} - chromium-browser 48.0.2564.82-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1619 (Multiple integer overflows in the (1) sycc422_to_rgb and (2) sycc444_t ...) {DSA-3456-1} - chromium-browser 48.0.2564.82-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1618 (Blink, as used in Google Chrome before 48.0.2564.82, does not ensure t ...) {DSA-3456-1} - chromium-browser 48.0.2564.82-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1617 (The CSPSource::schemeMatches function in WebKit/Source/core/frame/csp/ ...) {DSA-3456-1} - chromium-browser 48.0.2564.82-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1616 (The CustomButton::AcceleratorPressed function in ui/views/controls/but ...) {DSA-3456-1} - chromium-browser 48.0.2564.82-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1615 (The Omnibox implementation in Google Chrome before 48.0.2564.82 allows ...) {DSA-3456-1} - chromium-browser 48.0.2564.82-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1614 (The UnacceleratedImageBufferSurface class in WebKit/Source/platform/gr ...) {DSA-3456-1} - chromium-browser 48.0.2564.82-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1613 (Multiple use-after-free vulnerabilities in the formfiller implementati ...) {DSA-3456-1} - chromium-browser 48.0.2564.82-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1612 (The LoadIC::UpdateCaches function in ic/ic.cc in Google V8, as used in ...) {DSA-3456-1} - chromium-browser 48.0.2564.82-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1611 (Novell Filr 1.2 before Hot Patch 6 and 2.0 before Hot Patch 2 uses wor ...) NOT-FOR-US: Novell Filr CVE-2016-1610 (Directory traversal vulnerability in the email-template feature in Nov ...) NOT-FOR-US: Novell Filr CVE-2016-1609 (Multiple cross-site scripting (XSS) vulnerabilities in Novell Filr bef ...) NOT-FOR-US: Novell Filr CVE-2016-1608 (vaconfig/time in Novell Filr before 1.2 Security Update 3 and 2.0 befo ...) NOT-FOR-US: Novell Filr CVE-2016-1607 (Multiple cross-site request forgery (CSRF) vulnerabilities in the admi ...) NOT-FOR-US: Novell Filr CVE-2016-1606 (Multiple stack-based buffer overflows in COM objects in Micro Focus Ru ...) NOT-FOR-US: Micro Focus Rumba CVE-2016-1605 (Directory traversal vulnerability in the ReportViewServlet servlet in ...) NOT-FOR-US: NetIQ Sentinel CVE-2016-1604 RESERVED CVE-2016-1603 (An information leak in the NetIQ IDM ServiceNow Driver before 1.0.0.1 ...) NOT-FOR-US: NetIQ CVE-2016-1602 (A code injection in the supportconfig data collection tool in supportu ...) NOT-FOR-US: SLES support tool CVE-2016-1601 (yast2-users before 3.1.47, as used in SUSE Linux Enterprise 12 SP1, do ...) NOT-FOR-US: yast2-users / SuSE YAST CVE-2016-1600 (The ServiceNow driver in NetIQ Identity Manager versions prior to 4.6 ...) NOT-FOR-US: NetIQ Identity Manager CVE-2016-1599 (Cross-site scripting (XSS) vulnerability in NetIQ Self Service Passwor ...) NOT-FOR-US: NetIQ Self Service Password Reset CVE-2016-1598 (XSS in NetIQ IDM 4.5 Identity Applications before 4.5.4 allows attacke ...) NOT-FOR-US: NetIQ IDM CVE-2016-1597 (A logged-in user in NetIQ Access Governance Suite 6.0 through 6.4 coul ...) NOT-FOR-US: NetIQ CVE-2016-1596 (Multiple cross-site scripting (XSS) vulnerabilities in Micro Focus Nov ...) NOT-FOR-US: Micro Focus CVE-2016-1595 (LiveTime/WebObjects/LiveTime.woa/wa/DownloadAction/downloadFile in Mic ...) NOT-FOR-US: Micro Focus CVE-2016-1594 (Micro Focus Novell Service Desk before 7.2 allows remote authenticated ...) NOT-FOR-US: Micro Focus CVE-2016-1593 (Directory traversal vulnerability in the import users feature in Micro ...) NOT-FOR-US: Micro Focus CVE-2016-1592 (XSS in NetIQ Designer for Identity Manager before 4.5.3 allows remote ...) NOT-FOR-US: NetIQ Designer CVE-2016-1591 REJECTED CVE-2016-1590 REJECTED CVE-2016-1589 REJECTED CVE-2016-1588 REJECTED CVE-2016-1587 (The Snapweb interface before version 0.21.2 was exposing controls to i ...) NOT-FOR-US: Snapweb CVE-2016-1586 (A malicious webview could install long-lived unload handlers that re-u ...) NOT-FOR-US: Oxide CVE-2016-1585 (In all versions of AppArmor mount rules are accidentally widened when ...) - apparmor (low; bug #929990) [buster] - apparmor (Minor overall security impact) [stretch] - apparmor (Minor overall security impact) [jessie] - apparmor (Minor overall security impact) NOTE: https://bugs.launchpad.net/apparmor/+bug/1597017 NOTE: https://bugzilla.opensuse.org/show_bug.cgi?id=995594 NOTE: Introduced around AppArmor 2.8 upstream. NOTE: Mount rules support is enabled in Debian, but the impact of the issue is NOTE: limited to 1. lxc (not a regression, as Debian never confined LXC with AppArmor NOTE: by default before buster, in particular not with mount rules), 2. libvirtd NOTE: but the profile is not meant to be a strong security boundary. NOTE: https://bugs.launchpad.net/apparmor/+bug/1597017/comments/6 CVE-2016-1584 (In all versions of Unity8 a running but not active application on a la ...) - unity (bug #609278) CVE-2016-1583 (The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the ...) {DSA-3607-1 DLA-516-1} - linux 4.6.2-1 CVE-2016-1582 (LXD before 2.0.2 does not properly set permissions when switching an u ...) - lxd (bug #768073) CVE-2016-1581 (LXD before 2.0.2 uses world-readable permissions for /var/lib/lxd/zfs. ...) - lxd (bug #768073) CVE-2016-1580 (The setup_snappy_os_mounts function in the ubuntu-core-launcher packag ...) NOT-FOR-US: ubuntu-core-launcher CVE-2016-1579 (UDM provides support for running commands after a download is complete ...) NOT-FOR-US: Ubuntu Download Manager CVE-2016-1578 (Use-after-free vulnerability in Oxide allows remote attackers to cause ...) NOT-FOR-US: Oxide CVE-2016-1577 (Double free vulnerability in the jas_iccattrval_destroy function in Ja ...) {DSA-3508-1} - jasper (bug #816625) NOTE: http://www.openwall.com/lists/oss-security/2016/03/03/12 CVE-2016-1576 (The overlayfs implementation in the Linux kernel through 4.5.2 does no ...) - linux 4.5.1-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) - linux-2.6 (Vulnerable code not present) NOTE: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1535150 NOTE: http://www.halfdog.net/Security/2016/OverlayfsOverFusePrivilegeEscalation/ NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e9f57ebcba563e0cd532926cab83c92bb4d79360 CVE-2016-1575 (The overlayfs implementation in the Linux kernel through 4.5.2 does no ...) - linux 4.5.1-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) - linux-2.6 (Vulnerable code not present) NOTE: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1534961 NOTE: http://www.halfdog.net/Security/2016/UserNamespaceOverlayfsXattrSetgidPrivilegeEscalation/ NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e9f57ebcba563e0cd532926cab83c92bb4d79360 CVE-2016-1574 REJECTED CVE-2016-1573 (Versions of Unity8 before 8.11+16.04.20160122-0ubuntu1 file plugins/Da ...) - unity (bug #609278) CVE-2016-1572 (mount.ecryptfs_private.c in eCryptfs-utils does not validate mount des ...) {DSA-3450-1 DLA-397-1} - ecryptfs-utils 106-2 NOTE: https://bugs.launchpad.net/ecryptfs/+bug/1530566 NOTE: https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/870 CVE-2016-1571 (The paging_invlpg function in include/asm-x86/paging.h in Xen 3.3.x th ...) {DSA-3519-1 DLA-479-1} - xen 4.8.0~rc3-1 (bug #823620) [squeeze] - xen (Unsupported in Squeeze LTS) NOTE: http://xenbits.xen.org/xsa/advisory-168.html CVE-2016-1570 (The PV superpage functionality in arch/x86/mm.c in Xen 3.4.0, 3.4.1, a ...) {DSA-3519-1 DLA-479-1} - xen 4.8.0~rc3-1 (bug #823620) [squeeze] - xen (Unsupported in Squeeze LTS) NOTE: http://xenbits.xen.org/xsa/advisory-167.html CVE-2016-1567 (chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associati ...) {DLA-742-1 DLA-414-1} - chrony 2.2.1-1 (low; bug #812923) [jessie] - chrony 1.30-2+deb8u2 NOTE: http://www.talosintel.com/reports/TALOS-2016-0071/ NOTE: http://chrony.tuxfamily.org/news.html#_20_jan_2016_chrony_2_2_1_and_chrony_1_31_2_released NOTE: Fix for 2.x http://git.tuxfamily.org/chrony/chrony.git/commit/?id=a78bf9725a7b481ebff0e0c321294ba767f2c1d8 NOTE: Fix for 1.x http://git.tuxfamily.org/chrony/chrony.git/commit/?h=1.31-security&id=df46e5ca5d70be1c0ae037f96b4b038362703832 CVE-2016-1566 (Cross-site scripting (XSS) vulnerability in the file browser in Guacam ...) - guacamole-client (bug #859136) [stretch] - guacamole-client (Minor issue) [jessie] - guacamole-client (Vulnerable code not present) - guacamole (Vulnerable code not present) NOTE: Fixed by: https://github.com/glyptodon/guacamole-client/commit/7da13129c432d1c0a577342a9bf23ca2bde9c367 CVE-2016-1565 (Cross-site scripting (XSS) vulnerability in the Field Group module 7.x ...) NOT-FOR-US: Field Group module for Drupal CVE-2015-8768 (click/install.py in click does not require files in package filesystem ...) NOT-FOR-US: Click package manager NOTE: http://www.ubuntu.com/usn/usn-2771-1/ CVE-2015-8766 (Multiple cross-site scripting (XSS) vulnerabilities in content/content ...) NOT-FOR-US: Symphony CMS CVE-2015-8765 (Intel McAfee ePolicy Orchestrator (ePO) 4.6.9 and earlier, 5.0.x, 5.1. ...) NOT-FOR-US: McAfee CVE-2015-8761 (The Values module 7.x-1.x before 7.x-1.2 for Drupal does not properly ...) NOT-FOR-US: Values module for Drupal CVE-2015-8760 (The Flvplayer component in TYPO3 6.2.x before 6.2.16 allows remote att ...) NOT-FOR-US: TYPO3 CVE-2015-8759 (Cross-site scripting (XSS) vulnerability in the typoLink function in T ...) NOT-FOR-US: TYPO3 CVE-2015-8758 (Multiple cross-site scripting (XSS) vulnerabilities in unspecified fro ...) NOT-FOR-US: TYPO3 CVE-2015-8757 (Cross-site scripting (XSS) vulnerability in the Extension Manager in T ...) NOT-FOR-US: TYPO3 CVE-2015-8756 (Cross-site scripting (XSS) vulnerability in the search result view in ...) NOT-FOR-US: TYPO3 CVE-2015-8755 (Multiple cross-site scripting (XSS) vulnerabilities in unspecified bac ...) NOT-FOR-US: TYPO3 CVE-2015-8754 (The Mollom module 6.x-2.7 before 6.x-2.15 for Drupal allows remote att ...) NOT-FOR-US: Mollom module for Drupal CVE-2015-8753 (SAP Afaria 7.0.6001.5 allows remote attackers to bypass authorization ...) NOT-FOR-US: SAP Afaria CVE-2015-8752 REJECTED CVE-2016-1714 (The (1) fw_cfg_write and (2) fw_cfg_read functions in hw/nvram/fw_cfg. ...) {DSA-3471-1 DSA-3470-1 DSA-3469-1} - qemu 1:2.5+dfsg-4 [squeeze] - qemu (Not supported in Squeeze LTS) - qemu-kvm [squeeze] - qemu-kvm (Not supported in Squeeze LTS) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1296060 NOTE: Upstream fix: https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg00428.html NOTE: http://www.openwall.com/lists/oss-security/2016/01/11/7 NOTE: fw_cfg support for guest-side data writes removed in 2.4 (1:2.4+dfsg-1a) NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=023e3148567ac898c7258138f8e86c3c2bb40d07 (v2.4.0-rc0) NOTE: fw_cfg_read removed in: http://git.qemu.org/?p=qemu.git;a=commit;h=6c8d56a2e95712a6206a2671d2b04b2e59cabc0b CVE-2015-8767 (net/sctp/sm_sideeffect.c in the Linux kernel before 4.3 does not prope ...) {DSA-3448-1 DLA-412-1} - linux 4.3.1-1 [wheezy] - linux 3.2.73-2+deb7u3 - linux-2.6 NOTE: https://git.kernel.org/linus/635682a14427d241bab7bbdeebb48a7d7b91638e (v4.3-rc4) NOTE: http://www.openwall.com/lists/oss-security/2016/01/11/4 CVE-2016-1569 (FireBird 2.5.5 allows remote authenticated users to cause a denial of ...) - firebird2.5 2.5.5.26952.ds4-3 (bug #810599) [jessie] - firebird2.5 (Issue introduced in 2.5.5) [wheezy] - firebird2.5 (Issue introduced in 2.5.5) [squeeze] - firebird2.5 (Issue introduced in 2.5.5) NOTE: http://tracker.firebirdsql.org/browse/CORE-5068 NOTE: http://www.openwall.com/lists/oss-security/2016/01/10/2 CVE-2016-1568 (Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with ...) {DSA-3471-1 DSA-3470-1 DSA-3469-1} - qemu 1:2.5+dfsg-2 (bug #810527) [squeeze] - qemu (Vulnerable code introduced later) - qemu-kvm [squeeze] - qemu-kvm (Vulnerable code introduced later) NOTE: Fixed by: https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg01184.html NOTE: ahci emulation added in: http://git.qemu.org/?p=qemu.git;a=commit;h=f6ad2e32f8d833c7f1c75dc084a84a8f02704d64 (v0.14.0-rc0) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1288532 NOTE: http://www.openwall.com/lists/oss-security/2016/01/09/1 CVE-2016-1563 (NetApp Clustered Data ONTAP 8.3.1 does not properly verify X.509 certi ...) NOT-FOR-US: NetApp CVE-2016-1562 (The REST API in the DTE Energy Insight application before 1.7.8 for An ...) NOT-FOR-US: DTE Energy Insight CVE-2016-1561 (ExaGrid appliances with firmware before 4.8 P26 have a default SSH pub ...) NOT-FOR-US: ExaGrid appliances CVE-2016-1560 (ExaGrid appliances with firmware before 4.8 P26 have a default passwor ...) NOT-FOR-US: ExaGrid appliances CVE-2016-1559 (D-Link DAP-1353 H/W vers. B1 3.15 and earlier, D-Link DAP-2553 H/W ver ...) NOT-FOR-US: D-Link CVE-2016-1558 (Buffer overflow in D-Link DAP-2310 2.06 and earlier, DAP-2330 1.06 and ...) NOT-FOR-US: D-Link CVE-2016-1557 (Netgear WNAP320, WNDAP350, and WNDAP360 before 3.5.5.0 reveal wireless ...) NOT-FOR-US: Netgear CVE-2016-1556 (Information disclosure in Netgear WN604 before 3.3.3; WNAP210, WNAP320 ...) NOT-FOR-US: Netgear CVE-2016-1555 ((1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) b ...) NOT-FOR-US: Netgear CVE-2016-1554 RESERVED CVE-2016-1553 RESERVED CVE-2016-1552 RESERVED - hhvm 3.12.1+dfsg-1 NOTE: https://github.com/facebook/hhvm/commit/979b5b312ffbd56126c52f3dcb6cf8fcab89664f NOTE: https://github.com/facebook/hhvm/commit/604689e1565ea6361f9d81f839cd56bdda3b45ed NOTE: https://github.com/facebook/hhvm/commit/f21dccdde582c61d5a9b52dd821bcb1f08169d28 CVE-2016-1551 (ntpd in NTP 4.2.8p3 and NTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f9 ...) - ntp (Does not affect Linux or FreeBSD) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security CVE-2016-1550 (An exploitable vulnerability exists in the message authentication func ...) {DSA-3629-1 DLA-559-1} - ntp 1:4.2.8p7+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security CVE-2016-1549 (A malicious authenticated peer can create arbitrarily-many ephemeral a ...) - ntp 1:4.2.8p7+dfsg-1 [jessie] - ntp (Minor issue) [wheezy] - ntp (Minor issue) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S NOTE: additional significant protection went into ntp-4.2.8p11. CVE-2016-1548 (An attacker can spoof a packet from a legitimate ntpd server with an o ...) {DSA-3629-1 DLA-559-1} - ntp 1:4.2.8p7+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security CVE-2016-1547 (An off-path attacker can cause a preemptible client association to be ...) {DSA-3629-1 DLA-559-1} - ntp 1:4.2.8p7+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security CVE-2016-1546 (The Apache HTTP Server 2.4.17 and 2.4.18, when mod_http2 is enabled, d ...) - apache2 2.4.20-1 [jessie] - apache2 (Vulnerable code not present) [wheezy] - apache2 (Vulnerable code not present) NOTE: HTTP/2 support introduced in 2.4.17 NOTE: Upstream commit: http://svn.apache.org/viewvc?view=revision&revision=1733727 NOTE: Upsteam backport for 2.4.x: http://svn.apache.org/viewvc?view=revision&revision=1734413 CVE-2016-1545 RESERVED CVE-2016-1544 (nghttp2 before 1.7.1 allows remote attackers to cause a denial of serv ...) - nghttp2 1.7.1-1 [jessie] - nghttp2 (Minor issue) NOTE: Fix spread across multiple commits: https://github.com/tatsuhiro-t/nghttp2/compare/v1.7.0...v1.7.1 NOTE: Commits between 1.7.0 and 1.7.1 seem almost limited to this issue, cf. NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1308461#c3 CVE-2016-1543 (The RPC API in the RSCD agent in BMC BladeLogic Server Automation (BSA ...) NOT-FOR-US: BMC CVE-2016-1542 (The RPC API in RSCD agent in BMC BladeLogic Server Automation (BSA) 8. ...) NOT-FOR-US: BMC CVE-2016-1541 (Heap-based buffer overflow in the zip_read_mac_metadata function in ar ...) {DSA-3574-1} [experimental] - libarchive 3.2.0-1 - libarchive 3.1.2-11.1 (bug #823893) [wheezy] - libarchive (Vulnerable code not present) NOTE: keeping the experimental tracking version as well since maintainer said not to merge NMU changelog NOTE: http://www.kb.cert.org/vuls/id/862384 NOTE: http://www.talosintel.com/reports/TALOS-2016-0155/ NOTE: https://github.com/libarchive/libarchive/commit/d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7 (v3.2.0) NOTE: Feature added in https://github.com/libarchive/libarchive/commit/1399a59680fa2dfca68764468ed0bcaa0331fde7 CVE-2016-1540 RESERVED CVE-2016-1539 RESERVED CVE-2016-1538 RESERVED CVE-2016-1537 RESERVED CVE-2016-1536 RESERVED CVE-2016-1535 RESERVED CVE-2016-1534 RESERVED CVE-2016-1533 RESERVED CVE-2016-1532 RESERVED CVE-2016-1531 (Exim before 4.86.2, when installed setuid root, allows local users to ...) {DSA-3517-1} - exim4 4.86.2-1 NOTE: https://lists.exim.org/lurker/message/20160302.191005.a72d8433.en.html CVE-2016-1530 RESERVED CVE-2016-1529 RESERVED CVE-2016-1528 RESERVED CVE-2016-1527 RESERVED CVE-2016-1526 (The TtfUtil:LocaLookup function in TtfUtil.cpp in Libgraphite in Graph ...) {DSA-3491-1 DSA-3479-1 DSA-3477-1} - graphite2 1.3.5-1 NOTE: http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html NOTE: Talos Blog mentions this CVE, but it is not listed in NOTE: http://talosintel.com/vulnerability-reports/ - iceweasel 44.0-1 [squeeze] - iceweasel - icedove 38.6.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-14/ CVE-2016-1525 (Directory traversal vulnerability in data/config/image.do in NETGEAR M ...) NOT-FOR-US: NETGEAR Management System NMS300 CVE-2016-1524 (Multiple unrestricted file upload vulnerabilities in NETGEAR Managemen ...) NOT-FOR-US: NETGEAR Management System NMS300 CVE-2016-1523 (The SillMap::readFace function in FeatureMap.cpp in Libgraphite in Gra ...) {DSA-3491-1 DSA-3479-1 DSA-3477-1} - graphite2 1.3.5-1 NOTE: http://www.talosintel.com/reports/TALOS-2016-0059/ NOTE: http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html - iceweasel 44.0-1 [squeeze] - iceweasel - icedove 38.6.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-14/ CVE-2016-1522 (Code.cpp in Libgraphite in Graphite 2 1.2.4, as used in Mozilla Firefo ...) {DSA-3479-1} - graphite2 1.3.5-1 NOTE: http://www.talosintel.com/reports/TALOS-2016-0057/ NOTE: http://www.talosintel.com/reports/TALOS-2016-0060/ NOTE: http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html CVE-2016-1521 (The directrun function in directmachine.cpp in Libgraphite in Graphite ...) {DSA-3479-1} - graphite2 1.3.5-1 NOTE: http://www.talosintel.com/reports/TALOS-2016-0058/ NOTE: http://www.talosintel.com/reports/TALOS-2016-0061/ NOTE: http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html CVE-2016-1520 (The Grandstream Wave app 1.0.1.26 and earlier for Android does not use ...) NOT-FOR-US: Grandstream Wave app CVE-2016-1519 (The com.softphone.common package in the Grandstream Wave app 1.0.1.26 ...) NOT-FOR-US: Grandstream Wave app CVE-2016-1518 (The auto-provisioning mechanism in the Grandstream Wave app 1.0.1.26 a ...) NOT-FOR-US: Grandstream Wave app CVE-2016-1517 (OpenCV 3.0.0 allows remote attackers to cause a denial of service (seg ...) [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #872043) [stretch] - opencv (Minor issue) [jessie] - opencv (Minor issue) [wheezy] - opencv (Minor issue) NOTE: https://arxiv.org/pdf/1701.04739.pdf NOTE: https://github.com/opencv/opencv/issues/5956 CVE-2016-1516 (OpenCV 3.0.0 has a double free issue that allows attackers to execute ...) {DLA-1438-1 DLA-1117-1} [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #872043) [stretch] - opencv (Minor issue) NOTE: https://arxiv.org/pdf/1701.04739.pdf NOTE: https://github.com/opencv/opencv/issues/5956 CVE-2016-1515 REJECTED CVE-2016-1514 REJECTED CVE-2016-1513 (The Impress tool in Apache OpenOffice 4.1.2 and earlier allows remote ...) {DLA-591-1} - libreoffice 1:4.3.3-1 NOTE: http://www.openoffice.org/security/cves/CVE-2016-1513.html NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0051/ NOTE: https://cgit.freedesktop.org/libreoffice/core/commit/?id=fd64d444b730f6cb7216dac8f6e3f9 NOTE: https://cgit.freedesktop.org/libreoffice/core/commit/?id=adbdac2dd6799789a45cd3b6ca48919889a8b64d (origin/libreoffice-4-3-3) NOTE: Fixed at least in 4.3.3 based version, maybe alredy earlier. CVE-2016-1512 RESERVED CVE-2016-1511 RESERVED CVE-2016-1510 RESERVED CVE-2016-1509 RESERVED CVE-2016-1508 RESERVED CVE-2016-1507 RESERVED CVE-2016-1506 RESERVED CVE-2016-1502 (NetApp SnapCenter Server 1.0 and 1.0P1 allows remote attackers to part ...) NOT-FOR-US: NetApp CVE-2016-1497 (The Configuration utility in F5 BIG-IP systems 11.0.x, 11.1.x, 11.2.x ...) NOT-FOR-US: F5 BIG-IP CVE-2016-1496 (The graphics driver in Huawei P8 smartphones with software GRA-TL00 be ...) NOT-FOR-US: Huawei CVE-2016-1495 (Integer overflow in the graphics drivers in Huawei Mate S smartphones ...) NOT-FOR-US: Huawei CVE-2016-1564 (Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/cla ...) {DSA-3444-1} - wordpress 4.4.1+dfsg-1 (bug #810325) [squeeze] - wordpress (Vulnerable code not present) NOTE: https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/ NOTE: https://core.trac.wordpress.org/changeset/36185 NOTE: https://wpvulndb.com/vulnerabilities/8358 NOTE: https://twitter.com/brutelogic/status/685105483397619713 NOTE: http://www.openwall.com/lists/oss-security/2016/01/08/3 CVE-2015-XXXX [use after free / double free] - lighttpd 1.4.39-1 [jessie] - lighttpd (Regression introduced in 1.4.36) [wheezy] - lighttpd (Regression introduced in 1.4.36) [squeeze] - lighttpd (Regression introduced in 1.4.36) NOTE: http://redmine.lighttpd.net/issues/2700 NOTE: Introduced in 1.4.36: http://web.archive.org/web/20150906061055/http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2976 CVE-2016-1503 (dhcpcd before 6.10.0, as used in Android 4.x before 4.4.4, 5.0.x befor ...) - dhcpcd5 6.10.1-1 (bug #810621) [jessie] - dhcpcd5 (Vulnerable code not present) [wheezy] - dhcpcd5 (Vulnerable code not present) - dhcpcd (Vulnerable code not present) NOTE: https://dev.marples.name/rDHC1475a702df74b120db847991bc011e3441a045b8 NOTE: http://www.openwall.com/lists/oss-security/2016/01/07/3 NOTE: dhcpcd 3.2.3- in squeeze and wheezy differ very much from dhcpcd5 in later Debian versions. CVE-2016-1504 (dhcpcd before 6.10.0 allows remote attackers to cause a denial of serv ...) - dhcpcd5 6.10.1-1 (bug #810620) [jessie] - dhcpcd5 (Vulnerable code not present) [wheezy] - dhcpcd5 (Vulnerable code not present) - dhcpcd (Vulnerable code not present) [squeeze] - dhcpcd (Vulnerable code not present) NOTE: https://dev.marples.name/rDHC33c03b26c01201152774ef92e7b773281b8d8443 NOTE: http://www.openwall.com/lists/oss-security/2016/01/07/3 NOTE: dhcpcd 3.2.3- in squeeze and wheezy differ very much from dhcpcd5 in later Debian versions. CVE-2016-XXXX [Missing normalization] - ruby-rack-attack 4.3.1-1 NOTE: https://github.com/kickstarter/rack-attack/commit/76c2e3143099d938883ae5654527b47e9e6a8977 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/01/07/1 CVE-2016-1501 (ownCloud Server before 8.0.9 and 8.1.x before 8.1.4 allow remote authe ...) - owncloud 7.0.12~dfsg-2 [jessie] - owncloud 7.0.4+dfsg-4~deb8u4 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2016-004 CVE-2016-1500 (ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5 ...) [experimental] - owncloud 8.2.2~dfsg-1 - owncloud 7.0.12~dfsg-1 [jessie] - owncloud 7.0.4+dfsg-4~deb8u4 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2016-003 CVE-2016-1499 (ownCloud Server before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8. ...) [experimental] - owncloud 8.2.2~dfsg-1 - owncloud 7.0.12~dfsg-2 [jessie] - owncloud 7.0.4+dfsg-4~deb8u4 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2016-002 CVE-2016-1498 (Cross-site scripting (XSS) vulnerability in the OCS discovery provider ...) [experimental] - owncloud 8.2.2~dfsg-1 - owncloud 7.0.12~dfsg-1 [jessie] - owncloud 7.0.4+dfsg-4~deb8u4 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2016-001 CVE-2016-1493 (Intel Driver Update Utility before 2.4 retrieves driver updates in cle ...) NOT-FOR-US: Intel Driver Update Utility CVE-2016-1492 (The Wifi hotspot in Lenovo SHAREit before 3.5.48_ww for Android, when ...) NOT-FOR-US: Lenovo CVE-2016-1491 (The Wifi hotspot in Lenovo SHAREit before 3.2.0 for Windows, when conf ...) NOT-FOR-US: Lenovo CVE-2016-1490 (The Wifi hotspot in Lenovo SHAREit before 3.2.0 for Windows allows rem ...) NOT-FOR-US: Lenovo CVE-2016-1489 (Lenovo SHAREit before 3.2.0 for Windows and SHAREit before 3.5.48_ww f ...) NOT-FOR-US: Lenovo CVE-2016-1488 (Cross-site scripting (XSS) vulnerability in the login form in the inte ...) NOT-FOR-US: Siemens CVE-2016-1487 (Lexmark Markvision Enterprise before 2.3.0 misuses the Apache Commons ...) NOT-FOR-US: Lexmark CVE-2016-1486 (A vulnerability in the email attachment scanning functionality of the ...) NOT-FOR-US: Siemens OZW OZW672 CVE-2016-1485 (Cross-site scripting (XSS) vulnerability in Cisco Identity Services En ...) NOT-FOR-US: Cisco CVE-2016-1484 (Cisco WebEx Meetings Server 2.6 allows remote attackers to bypass inte ...) NOT-FOR-US: Cisco CVE-2016-1483 (Cisco WebEx Meetings Server 2.6 allows remote attackers to cause a den ...) NOT-FOR-US: Cisco CVE-2016-1482 (Cisco WebEx Meetings Server 2.6 allows remote attackers to execute arb ...) NOT-FOR-US: Cisco CVE-2016-1481 (A vulnerability in the email message filtering feature of Cisco AsyncO ...) NOT-FOR-US: Cisco CVE-2016-1480 (A vulnerability in the Multipurpose Internet Mail Extensions (MIME) sc ...) NOT-FOR-US: Cisco CVE-2016-1479 (Cisco IP Phone 8800 devices with software 11.0(1) allow remote attacke ...) NOT-FOR-US: Cisco CVE-2016-1478 (Cisco IOS 15.5(3)S3, 15.6(1)S2, 15.6(2)S1, and 15.6(2)T1 does not prop ...) NOT-FOR-US: Cisco CVE-2016-1477 (Cisco Connected Streaming Analytics 1.1.1 allows remote authenticated ...) NOT-FOR-US: Cisco CVE-2016-1476 (Cross-site scripting (XSS) vulnerability on Cisco IP Phone 8800 device ...) NOT-FOR-US: Cisco CVE-2016-1475 RESERVED CVE-2016-1474 (Cisco Prime Infrastructure 2.2(2) does not properly restrict use of IF ...) NOT-FOR-US: Cisco CVE-2016-1473 (Cisco Small Business 220 devices with firmware before 1.0.1.1 have a h ...) NOT-FOR-US: Cisco CVE-2016-1472 (The web-based management interface on Cisco Small Business 220 devices ...) NOT-FOR-US: Cisco CVE-2016-1471 (Cross-site scripting (XSS) vulnerability in the web-based management i ...) NOT-FOR-US: Cisco CVE-2016-1470 (Cross-site request forgery (CSRF) vulnerability in the web-based manag ...) NOT-FOR-US: Cisco CVE-2016-1469 (The HTTP framework on Cisco SPA300, SPA500, and SPA51x devices allows ...) NOT-FOR-US: Cisco CVE-2016-1468 (The administrative web interface in Cisco TelePresence Video Communica ...) NOT-FOR-US: Cisco CVE-2016-1467 (Cisco Videoscape Session Resource Manager (VSRM) allows remote attacke ...) NOT-FOR-US: Cisco CVE-2016-1466 (Cisco Unified Communications Manager IM and Presence Service 9.1(1) SU ...) NOT-FOR-US: Cisco CVE-2016-1465 (Cisco Nexus 1000v Application Virtual Switch (AVS) devices before 5.2( ...) NOT-FOR-US: Cisco CVE-2016-1464 (Cisco WebEx Meetings Player T29.10, when WRF file support is enabled, ...) NOT-FOR-US: Cisco CVE-2016-1463 (Cisco FireSIGHT System Software 5.3.0, 5.3.1, 5.4.0, 6.0, and 6.0.1 al ...) NOT-FOR-US: Cisco CVE-2016-1462 (Cross-site scripting (XSS) vulnerability in the web-based management i ...) NOT-FOR-US: Cisco CVE-2016-1461 (Cisco AsyncOS on Email Security Appliance (ESA) devices through 9.7.0- ...) NOT-FOR-US: Cisco CVE-2016-1460 (Cisco Wireless LAN Controller (WLC) devices 7.4(121.0) and 8.0(0.30220 ...) NOT-FOR-US: Cisco CVE-2016-1459 (Cisco IOS 12.4 and 15.0 through 15.5 and IOS XE 3.13 through 3.17 allo ...) NOT-FOR-US: Cisco CVE-2016-1458 (The web-based GUI in Cisco Firepower Management Center 4.x and 5.x bef ...) NOT-FOR-US: Cisco CVE-2016-1457 (The web-based GUI in Cisco Firepower Management Center 4.x and 5.x bef ...) NOT-FOR-US: Cisco CVE-2016-1456 (The CLI in Cisco IOS XR 6.x through 6.0.1 allows local users to execut ...) NOT-FOR-US: Cisco CVE-2016-1455 (Cisco NX-OS before 7.0(3)I2(2e) and 7.0(3)I4 before 7.0(3)I4(1) has an ...) NOT-FOR-US: Cisco CVE-2016-1454 (Cisco NX-OS 4.0 through 7.3 and 11.0 through 11.2 on 1000v, 2000, 3000 ...) NOT-FOR-US: Cisco CVE-2016-1453 (Buffer overflow in the Overlay Transport Virtualization (OTV) GRE feat ...) NOT-FOR-US: Cisco CVE-2016-1452 (Cisco ASR 5000 devices with software 18.3 through 20.0.0 allow remote ...) NOT-FOR-US: Cisco CVE-2016-1451 (Cross-site scripting (XSS) vulnerability in the web-based management i ...) NOT-FOR-US: Cisco CVE-2016-1450 (Cisco WebEx Meetings Server 2.6 allows remote authenticated users to c ...) NOT-FOR-US: Cisco WebEx CVE-2016-1449 (Cross-site scripting (XSS) vulnerability in Cisco WebEx Meetings Serve ...) NOT-FOR-US: Cisco WebEx CVE-2016-1448 (Cross-site request forgery (CSRF) vulnerability in Cisco WebEx Meeting ...) NOT-FOR-US: Cisco WebEx CVE-2016-1447 (Cross-site scripting (XSS) vulnerability in the administrator interfac ...) NOT-FOR-US: Cisco WebEx CVE-2016-1446 (SQL injection vulnerability in Cisco WebEx Meetings Server 2.6 allows ...) NOT-FOR-US: Cisco WebEx CVE-2016-1445 (Cisco Adaptive Security Appliance (ASA) Software 8.2 through 9.4.3.3 a ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2016-1444 (The Mobile and Remote Access (MRA) component in Cisco TelePresence Vid ...) NOT-FOR-US: Cisco CVE-2016-1443 (The virtual network stack on Cisco AMP Threat Grid Appliance devices b ...) NOT-FOR-US: Cisco CVE-2016-1442 (The administrative web interface in Cisco Prime Infrastructure (PI) be ...) NOT-FOR-US: Cisco CVE-2016-1441 (Cisco Cloud Network Automation Provisioner (CNAP) 1.0(0) in Cisco Conf ...) NOT-FOR-US: Cisco CVE-2016-1440 (The proxy process on Cisco Web Security Appliance (WSA) devices throug ...) NOT-FOR-US: Cisco CVE-2016-1439 (Cross-site scripting (XSS) vulnerability in the management interface i ...) NOT-FOR-US: Cisco CVE-2016-1438 (Cisco AsyncOS 9.7.0-125 on Email Security Appliance (ESA) devices allo ...) NOT-FOR-US: Cisco CVE-2016-1437 (SQL injection vulnerability in the SQL database in Cisco Prime Collabo ...) NOT-FOR-US: Cisco CVE-2016-1436 (The General Packet Radio Switching Tunneling Protocol 1 (aka GTPv1) im ...) NOT-FOR-US: Cisco CVE-2016-1435 (Cisco 8800 phones with software 11.0(1) do not properly enforce mounte ...) NOT-FOR-US: Cisco CVE-2016-1434 (The license-certificate upload functionality on Cisco 8800 phones with ...) NOT-FOR-US: Cisco CVE-2016-1433 (Cisco IOS XR 6.0 and 6.0.1 on NCS 6000 devices allows remote attackers ...) NOT-FOR-US: Cisco CVE-2016-1432 (Cisco IOS XE 3.15S and 3.16S on cBR-8 Converged Broadband Router devic ...) NOT-FOR-US: Cisco CVE-2016-1431 (Cross-site scripting (XSS) vulnerability in Cisco Firepower Management ...) NOT-FOR-US: Cisco CVE-2016-1430 (Cisco RV180 and RV180W devices allow remote authenticated users to exe ...) NOT-FOR-US: Cisco CVE-2016-1429 (Directory traversal vulnerability in the web interface on Cisco RV180 ...) NOT-FOR-US: Cisco CVE-2016-1428 (Double free vulnerability in Cisco IOS XE 3.15S, 3.16S, and 3.17S allo ...) NOT-FOR-US: Cisco IOS CVE-2016-1427 (The System Configuration Protocol (SCP) core messaging interface in Ci ...) NOT-FOR-US: Cisco Prime Network Registrar CVE-2016-1426 (Cisco IOS XR 5.x through 5.2.5 on NCS 6000 devices allows remote attac ...) NOT-FOR-US: Cisco IOS CVE-2016-1425 (Cisco IOS 15.0(2)SG5, 15.1(2)SG3, 15.2(1)E, 15.3(3)S, and 15.4(1.13)S ...) NOT-FOR-US: Cisco IOS CVE-2016-1424 (Cisco IOS 15.2(1)T1.11 and 15.2(2)TST allows remote attackers to cause ...) NOT-FOR-US: Cisco IOS CVE-2016-1423 (A vulnerability in the display of email messages in the Messages in Qu ...) NOT-FOR-US: Cisco ESA CVE-2016-1422 RESERVED CVE-2016-1421 (A vulnerability in the web application for Cisco IP Phones could allow ...) NOT-FOR-US: Cisco CVE-2016-1420 (The installation component on Cisco Application Policy Infrastructure ...) NOT-FOR-US: Cisco CVE-2016-1419 (Cisco Access Point devices with software 8.2(102.43) allow remote atta ...) NOT-FOR-US: Cisco CVE-2016-1418 (Cisco Aironet Access Point Software 8.2(100.0) on 1830e, 1830i, 1850e, ...) NOT-FOR-US: Cisco CVE-2016-1417 (Untrusted search path vulnerability in Snort 2.9.7.0-WIN32 allows remo ...) NOT-FOR-US: Cisco CVE-2016-1416 (Cisco Prime Collaboration Provisioning 10.6 SP2 (aka 10.6.0.10602) mis ...) NOT-FOR-US: Cisco Prime CVE-2016-1415 (Cisco WebEx Meetings Player T29.10, when WRF file support is enabled, ...) NOT-FOR-US: Cisco CVE-2016-1414 RESERVED CVE-2016-1413 (The web interface in Cisco Firepower Management Center 5.4.0 through 6 ...) NOT-FOR-US: Cisco CVE-2016-1412 RESERVED CVE-2016-1411 (A vulnerability in the update functionality of Cisco AsyncOS Software ...) NOT-FOR-US: Cisco CVE-2016-1410 (Cisco WebEx Meeting Center Original Release Base allows remote attacke ...) NOT-FOR-US: Cisco CVE-2016-1409 (The Neighbor Discovery (ND) protocol implementation in the IPv6 stack ...) NOT-FOR-US: Cisco CVE-2016-1408 (Cisco Prime Infrastructure 1.2 through 3.1 and Evolved Programmable Ne ...) NOT-FOR-US: Cisco CVE-2016-1407 (Cisco IOS XR through 5.3.2 mishandles Local Packet Transport Services ...) NOT-FOR-US: Cisco CVE-2016-1406 (The API web interface in Cisco Prime Infrastructure before 3.1 and Cis ...) NOT-FOR-US: Cisco CVE-2016-1405 (libclamav in ClamAV (aka Clam AntiVirus), as used in Advanced Malware ...) - clamav 0.99+dfsg-1 CVE-2016-1404 (Cisco UCS Invicta 4.3, 4.5, and 5.0.1 on Invicta appliances and Invict ...) NOT-FOR-US: Cisco CVE-2016-1403 (CISCO IP 8800 phones with software 11.0.1 and earlier allow local user ...) NOT-FOR-US: Cisco CVE-2016-1402 (The Active Directory (AD) integration component in Cisco Identity Serv ...) NOT-FOR-US: Cisco CVE-2016-1401 (Cross-site scripting (XSS) vulnerability in the management interface i ...) NOT-FOR-US: Cisco CVE-2016-1400 (Cisco TelePresence Video Communications Server (VCS) X8.x before X8.7. ...) NOT-FOR-US: Cisco CVE-2016-1399 (The packet-processing microcode in Cisco IOS 15.2(2)EA, 15.2(2)EA1, 15 ...) NOT-FOR-US: Cisco CVE-2016-1398 (Buffer overflow in the web-based management interface on Cisco RV110W ...) NOT-FOR-US: Cisco CVE-2016-1397 (Buffer overflow in the web-based management interface on Cisco RV110W ...) NOT-FOR-US: Cisco CVE-2016-1396 (Cross-site scripting (XSS) vulnerability in the web-based management i ...) NOT-FOR-US: Cisco CVE-2016-1395 (The web-based management interface on Cisco RV110W devices with firmwa ...) NOT-FOR-US: Cisco CVE-2016-1394 (Cisco Firepower System Software 6.0.0 through 6.1.0 has a hardcoded ac ...) NOT-FOR-US: Cisco Firepower System Software CVE-2016-1393 (SQL injection vulnerability in Cisco Cloud Network Automation Provisio ...) NOT-FOR-US: Cisco CVE-2016-1392 (Open redirect vulnerability in Cisco Prime Collaboration Assurance Sof ...) NOT-FOR-US: Cisco CVE-2016-1391 (Cisco Prime Network Analysis Module (NAM) before 6.1(1) patch.6.1-2-fi ...) NOT-FOR-US: Cisco CVE-2016-1390 (Cisco Prime Network Analysis Module (NAM) before 6.1(1) patch.6.1-2-fi ...) NOT-FOR-US: Cisco CVE-2016-1389 (Open redirect vulnerability in Cisco WebEx Meetings Server (CWMS) 2.6 ...) NOT-FOR-US: Cisco CVE-2016-1388 (Cisco Prime Network Analysis Module (NAM) before 6.1(1) patch.6.1-2-fi ...) NOT-FOR-US: Cisco CVE-2016-1387 (The XML API in TelePresence Codec (TC) 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.3 ...) NOT-FOR-US: Cisco CVE-2016-1386 (The API in Cisco Application Policy Infrastructure Controller Enterpri ...) NOT-FOR-US: Cisco CVE-2016-1385 (The XML parser in Cisco Adaptive Security Appliance (ASA) Software thr ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2016-1384 (The NTP implementation in Cisco IOS 15.1 and 15.5 and IOS XE 3.2 throu ...) NOT-FOR-US: Cisco CVE-2016-1383 (Memory leak in Cisco AsyncOS through 8.8 on Web Security Appliance (WS ...) NOT-FOR-US: Cisco CVE-2016-1382 (Cisco AsyncOS before 8.5.3-069 and 8.6 through 8.8 on Web Security App ...) NOT-FOR-US: Cisco CVE-2016-1381 (Memory leak in Cisco AsyncOS 8.5 through 9.0 before 9.0.1-162 on Web S ...) NOT-FOR-US: Cisco CVE-2016-1380 (Cisco AsyncOS 8.0 before 8.0.6-119 on Web Security Appliance (WSA) dev ...) NOT-FOR-US: Cisco CVE-2016-1379 (Cisco Adaptive Security Appliance (ASA) Software 9.0 through 9.5.1 mis ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2016-1378 (Cisco IOS before 15.2(2)E1 on Catalyst switches allows remote attacker ...) NOT-FOR-US: Cisco IOS CVE-2016-1377 (Cross-site scripting (XSS) vulnerability in Cisco Unity Connection thr ...) NOT-FOR-US: Cisco CVE-2016-1376 (Cisco IOS XR 4.2.3, 4.3.0, 4.3.4, and 5.3.1 on ASR 9000 devices allows ...) NOT-FOR-US: Cisco CVE-2016-1375 (Cross-site scripting (XSS) vulnerability in Cisco IP Interoperability ...) NOT-FOR-US: Cisco CVE-2016-1374 (The web framework in Cisco Unified Computing System (UCS) Performance ...) NOT-FOR-US: Cisco CVE-2016-1373 (The gadgets-integration API in Cisco Finesse 8.5(1) through 8.5(5), 8. ...) NOT-FOR-US: Cisco CVE-2016-1372 (ClamAV (aka Clam AntiVirus) before 0.99.2 allows remote attackers to c ...) {DLA-546-1} - clamav 0.99.2+dfsg-1 [jessie] - clamav 0.99.2+dfsg-0+deb8u1 NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11514 NOTE: https://foxglovesecurity.com/2016/06/13/finding-pearls-fuzzing-clamav/ CVE-2016-1371 (ClamAV (aka Clam AntiVirus) before 0.99.2 allows remote attackers to c ...) {DLA-546-1} - clamav 0.99.2+dfsg-1 [jessie] - clamav 0.99.2+dfsg-0+deb8u1 NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11514 NOTE: https://foxglovesecurity.com/2016/06/13/finding-pearls-fuzzing-clamav/ CVE-2016-1370 (Cisco Prime Network Analysis Module (NAM) before 6.2(1-b) miscalculate ...) NOT-FOR-US: Cisco CVE-2016-1369 (The Adaptive Security Appliance (ASA) 5585-X FirePOWER Security Servic ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2016-1368 (Cisco FirePOWER System Software 5.3.x through 5.3.0.6 and 5.4.x throug ...) NOT-FOR-US: Cisco CVE-2016-1367 (The DHCPv6 relay implementation in Cisco Adaptive Security Appliance ( ...) NOT-FOR-US: Cisco CVE-2016-1366 (The SCP and SFTP modules in Cisco IOS XR 5.0.0 through 5.2.5 on Networ ...) NOT-FOR-US: Cisco IOS XR CVE-2016-1365 (The Grapevine update process in Cisco Application Policy Infrastructur ...) NOT-FOR-US: Cisco CVE-2016-1364 (Cisco Wireless LAN Controller (WLC) Software 7.4 before 7.4.130.0(MD) ...) NOT-FOR-US: Cisco CVE-2016-1363 (Buffer overflow in the redirection functionality in Cisco Wireless LAN ...) NOT-FOR-US: Cisco CVE-2016-1362 (Cisco AireOS 4.1 through 7.4.120.0, 7.5.x, and 7.6.100.0 on Wireless L ...) NOT-FOR-US: Cisco CVE-2016-1361 (Cisco IOS XR through 4.3.2 on Gigabit Switch Router (GSR) 12000 device ...) NOT-FOR-US: Cisco CVE-2016-1360 (Cisco Prime LAN Management Solution (LMS) through 4.2.5 uses the same ...) NOT-FOR-US: Cisco CVE-2016-1359 (Cisco Prime Infrastructure 3.0 allows remote authenticated users to ex ...) NOT-FOR-US: Cisco CVE-2016-1358 (Cisco Prime Infrastructure 2.2, 3.0, and 3.1(0.0) allows remote authen ...) NOT-FOR-US: Cisco CVE-2016-1357 (The password-management administration component in Cisco Policy Suite ...) NOT-FOR-US: Cisco CVE-2016-1356 (Cisco FireSIGHT System Software 6.1.0 does not use a constant-time alg ...) NOT-FOR-US: Cisco CVE-2016-1355 (Cross-site scripting (XSS) vulnerability in the Device Management UI i ...) NOT-FOR-US: Cisco CVE-2016-1354 (Cross-site scripting (XSS) vulnerability in Cisco Unified Communicatio ...) NOT-FOR-US: Cisco CVE-2016-1353 (The TCP implementation in Cisco Videoscape Distribution Suite for Inte ...) NOT-FOR-US: Cisco Videoscape Distribution Suite CVE-2016-1352 (Cisco Unified Computing System (UCS) Central Software 1.3(1b) and earl ...) NOT-FOR-US: Cisco CVE-2016-1351 (The Locator/ID Separation Protocol (LISP) implementation in Cisco IOS ...) NOT-FOR-US: Cisco CVE-2016-1350 (Cisco IOS 15.3 and 15.4, Cisco IOS XE 3.8 through 3.11, and Cisco Unif ...) NOT-FOR-US: Cisco CVE-2016-1349 (The Smart Install client implementation in Cisco IOS 12.2, 15.0, and 1 ...) NOT-FOR-US: Cisco CVE-2016-1348 (Cisco IOS 15.0 through 15.5 and IOS XE 3.3 through 3.16 allow remote a ...) NOT-FOR-US: Cisco CVE-2016-1347 (The Wide Area Application Services (WAAS) Express implementation in Ci ...) NOT-FOR-US: Cisco IOS CVE-2016-1346 (The kernel in Cisco TelePresence Server 3.0 through 4.2(4.18) on Mobil ...) NOT-FOR-US: Cisco CVE-2016-1345 (Cisco FireSIGHT System Software 5.4.0 through 6.0.1 and ASA with FireP ...) NOT-FOR-US: Cisco Firepower CVE-2016-1344 (The IKEv2 implementation in Cisco IOS 15.0 through 15.6 and IOS XE 3.3 ...) NOT-FOR-US: Cisco IOS CVE-2016-1343 (The XML parser in Cisco Information Server (CIS) 6.2 allows remote att ...) NOT-FOR-US: Cisco CVE-2016-1342 (The device login page in Cisco FirePOWER Management Center 5.3 through ...) NOT-FOR-US: Cisco CVE-2016-1341 (Cisco NX-OS 7.0(1)N1(1), 7.0(1)N1(3), and 7.0(4)N1(1) on Nexus 2000 Fa ...) NOT-FOR-US: Cisco CVE-2016-1340 (Heap-based buffer overflow in Cisco Unified Computing System (UCS) Pla ...) NOT-FOR-US: Cisco CVE-2016-1339 (Cisco Unified Computing System (UCS) Platform Emulator 2.5(2)TS4, 3.0( ...) NOT-FOR-US: Cisco CVE-2016-1338 (Cisco TelePresence Video Communication Server (VCS) X8.5.1 and X8.5.2 ...) NOT-FOR-US: Cisco CVE-2016-1337 (Cisco EPC3928 devices allow remote attackers to obtain sensitive confi ...) NOT-FOR-US: Cisco CVE-2016-1336 (goform/Docsis_system on Cisco EPC3928 devices allows remote attackers ...) NOT-FOR-US: Cisco CVE-2016-1335 (The SSH implementation in Cisco StarOS before 19.3.M0.62771 and 20.x b ...) NOT-FOR-US: Cisco StarOS CVE-2016-1334 (Cisco Small Business 500 Wireless Access Point devices with firmware 1 ...) NOT-FOR-US: Cisco CVE-2016-1333 (Cisco IOS 15.5(3)M and 15.6(1)T0a on Cisco 1000 Connected Grid routers ...) NOT-FOR-US: Cisco IOS CVE-2016-1332 REJECTED CVE-2016-1331 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco Emergency ...) NOT-FOR-US: Cisco Emergency Responder CVE-2016-1330 (Cisco IOS 15.2(4)E on Industrial Ethernet 2000 devices allows remote a ...) NOT-FOR-US: Cisco IOS CVE-2016-1329 (Cisco NX-OS 6.0(2)U6(1) through 6.0(2)U6(5) on Nexus 3000 devices and ...) NOT-FOR-US: Cisco Nexus CVE-2016-1328 (goform/WClientMACList on Cisco EPC3928 devices allows remote attackers ...) NOT-FOR-US: Cisco CVE-2016-1327 (Buffer overflow in the web server on Cisco DPC2203 and EPC2203 devices ...) NOT-FOR-US: Cisco CVE-2016-1326 (The administration interface on Cisco DPQ3925 devices with firmware r1 ...) NOT-FOR-US: Cisco CVE-2016-1325 (The administration interface on Cisco DPC3939B and DPC3941 devices all ...) NOT-FOR-US: Cisco CVE-2016-1324 (The REST interface in Cisco Spark 2015-06 allows remote attackers to c ...) NOT-FOR-US: Cisco Spark CVE-2016-1323 (The REST interface in Cisco Spark 2015-06 allows remote authenticated ...) NOT-FOR-US: Cisco Spark CVE-2016-1322 (The REST interface in Cisco Spark 2015-07-04 allows remote attackers t ...) NOT-FOR-US: Cisco Spark CVE-2016-1321 (Cisco Universal Small Cell devices with firmware R2.12 through R3.5 co ...) NOT-FOR-US: Cisco CVE-2016-1320 (The CLI in Cisco Prime Collaboration 9.0 and 11.0 allows local users t ...) NOT-FOR-US: Cisco CVE-2016-1319 (Cisco Unified Communications Manager (aka CallManager) 9.1(2.10000.28) ...) NOT-FOR-US: Cisco CVE-2016-1318 (Cross-site scripting (XSS) vulnerability in Cisco Application Policy I ...) NOT-FOR-US: Cisco CVE-2016-1317 (Cisco Unified Communications Manager 11.5(0.98000.480) allows remote a ...) NOT-FOR-US: Cisco CVE-2016-1316 (Cisco TelePresence Video Communication Server (VCS) X8.1 through X8.7, ...) NOT-FOR-US: Cisco CVE-2016-1315 (The proxy engine in Cisco Advanced Malware Protection (AMP), when used ...) NOT-FOR-US: Cisco CVE-2016-1314 (Cross-site scripting (XSS) vulnerability in Cisco Unified Communicatio ...) NOT-FOR-US: Cisco CVE-2016-1313 (Cisco UCS Invicta C3124SA Appliance 4.3.1 through 5.0.1, UCS Invicta S ...) NOT-FOR-US: Cisco CVE-2016-1312 (The HTTPS inspection engine in the Content Security and Control Securi ...) NOT-FOR-US: Cisco CVE-2016-1311 (Cross-site scripting (XSS) vulnerability in the management interface i ...) NOT-FOR-US: Cisco CVE-2016-1310 (Cross-site scripting (XSS) vulnerability in Cisco Unity Connection 11. ...) NOT-FOR-US: Cisco CVE-2016-1309 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco WebEx Mee ...) NOT-FOR-US: Cisco CVE-2016-1308 (SQL injection vulnerability in Cisco Unified Communications Manager 10 ...) NOT-FOR-US: Cisco CVE-2016-1307 (The Openfire server in Cisco Finesse Desktop 10.5(1) and 11.0(1) and U ...) NOT-FOR-US: Cisco CVE-2016-1306 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco Fog Direc ...) NOT-FOR-US: Cisco CVE-2016-1305 (Cross-site scripting (XSS) vulnerability in Cisco Application Policy I ...) NOT-FOR-US: Cisco CVE-2016-1304 (Cross-site scripting (XSS) vulnerability in Cisco Unity Connection 10. ...) NOT-FOR-US: Cisco CVE-2016-1303 (The web GUI on Cisco Small Business 500 devices 1.2.0.92 allows remote ...) NOT-FOR-US: Cisco CVE-2016-1302 (Cisco Application Policy Infrastructure Controller (APIC) devices with ...) NOT-FOR-US: Cisco CVE-2016-1301 (The RBAC implementation in Cisco ASA-CX Content-Aware Security softwar ...) NOT-FOR-US: Cisco CVE-2016-1300 (Cross-site scripting (XSS) vulnerability in Cisco Unity Connection (UC ...) NOT-FOR-US: Cisco CVE-2016-1299 (The web-management GUI implementation on Cisco Small Business SG300 de ...) NOT-FOR-US: Cisco CVE-2016-1298 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco Unified C ...) NOT-FOR-US: Cisco CVE-2016-1297 (The Device Manager GUI in Cisco Application Control Engine (ACE) 4710 ...) NOT-FOR-US: Cisco CVE-2016-1296 (The proxy engine on Cisco Web Security Appliance (WSA) devices with so ...) NOT-FOR-US: Cisco CVE-2016-1295 (Cisco Adaptive Security Appliance (ASA) Software 8.4 allows remote att ...) NOT-FOR-US: Cisco CVE-2016-1294 (Cross-site scripting (XSS) vulnerability in the Management Center in C ...) NOT-FOR-US: Cisco CVE-2016-1293 (Multiple cross-site scripting (XSS) vulnerabilities in the Management ...) NOT-FOR-US: Cisco CVE-2016-1292 RESERVED CVE-2016-1291 (Cisco Prime Infrastructure 1.2.0 through 2.2(2) and Cisco Evolved Prog ...) NOT-FOR-US: Cisco CVE-2016-1290 (The web API in Cisco Prime Infrastructure 1.2.0 through 2.2(2) and Cis ...) NOT-FOR-US: Cisco CVE-2016-1289 (The API in Cisco Prime Infrastructure 1.2 through 3.0 and Evolved Prog ...) NOT-FOR-US: Cisco Prime CVE-2016-1288 (The HTTPS Proxy feature in Cisco AsyncOS before 8.5.3-051 and 9.x befo ...) NOT-FOR-US: Cisco Web Security Appliance CVE-2016-1287 (Buffer overflow in the IKEv1 and IKEv2 implementations in Cisco ASA So ...) NOT-FOR-US: Cisco ASA CVE-2016-1286 (named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 allo ...) {DSA-3511-1} - bind9 1:9.10.3.dfsg.P4-6 NOTE: https://kb.isc.org/article/AA-01353 CVE-2016-1285 (named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 does ...) {DSA-3511-1} - bind9 1:9.10.3.dfsg.P4-6 NOTE: https://kb.isc.org/article/AA-01352 CVE-2016-1284 (rdataset.c in ISC BIND 9 Supported Preview Edition 9.9.8-S before 9.9. ...) - bind9 (Only Supported Preview Edition/Subscription Edition) NOTE: https://kb.isc.org/article/AA-01348 CVE-2016-1505 (The filesystem storage backend in Radicale before 1.1 on Windows allow ...) - radicale (Only an issue on MS Windows) CVE-2015-8764 (Off-by-one error in the EAP-PWD module in FreeRADIUS 3.0 through 3.0.8 ...) - freeradius (Affects 3.0 up to 3.0.8) NOTE: http://freeradius.org/security.html#eap-pwd-2015 CVE-2015-8763 (The EAP-PWD module in FreeRADIUS 3.0 through 3.0.8 allows remote attac ...) - freeradius (Affects 3.0 up to 3.0.8) NOTE: http://freeradius.org/security.html#eap-pwd-2015 CVE-2015-8762 (The EAP-PWD module in FreeRADIUS 3.0 through 3.0.8 allows remote attac ...) - freeradius (Affects 3.0 up to 3.0.8) NOTE: http://freeradius.org/security.html#eap-pwd-2015 CVE-2015-8751 (Integer overflow in the jas_matrix_create function in JasPer allows co ...) - jasper 1.900.1-5.1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1294039 NOTE: In 1.900.1-5.1 this issue was fixed as part of the patch for CVE-2008-3520 NOTE: like other distribution did. CVE-2015-8750 (libdwarf 20151114 and earlier allows remote attackers to cause a denia ...) {DLA-669-1 DLA-388-1} - dwarfutils 20160507-1 (bug #813182) [jessie] - dwarfutils 20120410-2+deb8u1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1294264 NOTE: https://github.com/tomhughes/libdwarf/commit/11750a2838e52953013e3114ef27b3c7b1780697 CVE-2015-8749 (The volume_utils._parse_volume_info function in OpenStack Compute (Nov ...) - nova 2:13.0.0~rc3-1 [jessie] - nova (Minor issue) [wheezy] - nova (Minor issue) NOTE: https://launchpad.net/bugs/1516765 NOTE: Affects: >= 2014.2 <= 2015.1.2, ==12.0.0 CVE-2015-8748 (Radicale before 1.1 allows remote authenticated users to bypass owner_ ...) {DSA-3462-1 DLA-403-1} - radicale 1.1.1-1 (bug #809920) CVE-2015-8747 (The multifilesystem storage backend in Radicale before 1.1 allows remo ...) {DSA-3462-1 DLA-403-1} - radicale 1.1.1-1 (bug #809920) CVE-2015-8746 (fs/nfs/nfs4proc.c in the NFS client in the Linux kernel before 4.2.2 d ...) - linux 4.3.1-1 [jessie] - linux 3.16.7-ckt20-1 [wheezy] - linux (Vulnerable code not present) - linux-2.6 (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1295802 NOTE: Fixed by: https://git.kernel.org/linus/18e3b739fdc826481c6a1335ce0c5b19b3d415da (v4.3-rc1) NOTE: Fixed as well in v3.16.7-ckt18 (commit: 6a64d8c4c07c176abee384803f28fa1507963369) NOTE: Introduced by: https://git.kernel.org/linus/ec011fe847347b40c60fdb5085f65227762e2e08 (v3.13-rc1) CVE-2016-1494 (The verify function in the RSA package for Python (Python-RSA) before ...) - python-rsa 3.2.3-1.1 (bug #809980) [jessie] - python-rsa 3.1.4-1+deb8u1 NOTE: proposed fix: https://bitbucket.org/sybren/python-rsa/pull-requests/14/security-fix-bb06-attack-in-verify-by/diff NOTE: https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/ CVE-2015-8604 (SQL injection vulnerability in the host_new_graphs function in graphs_ ...) {DSA-3494-1 DLA-386-1} - cacti 0.8.8f+ds1-4 NOTE: http://bugs.cacti.net/view.php?id=2652 NOTE: http://www.openwall.com/lists/oss-security/2016/01/04/8 CVE-2016-1282 RESERVED CVE-2016-1281 (Untrusted search path vulnerability in the installer for TrueCrypt 7.2 ...) NOT-FOR-US: Truecrypt CVE-2015-8742 (The dissect_CPMSetBindings function in epan/dissectors/packet-mswsp.c ...) - wireshark 2.0.1+g59ea380-1 [jessie] - wireshark (Only affects 2.x) [wheezy] - wireshark (Only affects 2.x) [squeeze] - wireshark (Only affects 2.x) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-60.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11931 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=d48b0eff28c995947ac3f8d842ddd9b50dd5798d CVE-2015-8741 (The dissect_ppi function in epan/dissectors/packet-ppi.c in the PPI di ...) - wireshark 2.0.1+g59ea380-1 [jessie] - wireshark (Only affects 2.x) [wheezy] - wireshark (Only affects 2.x) [squeeze] - wireshark (Only affects 2.x) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2290eba5cb25f927f9142680193ac1158d35506e NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11876 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-59.html CVE-2015-8740 (The dissect_tds7_colmetadata_token function in epan/dissectors/packet- ...) - wireshark 2.0.1+g59ea380-1 [jessie] - wireshark (Only affects 2.x) [wheezy] - wireshark (Only affects 2.x) [squeeze] - wireshark (Only affects 2.x) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=e78093f69f1e95df919bbe644baa06c7e4e720c0 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11846 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-58.html CVE-2015-8739 (The ipmi_fmt_udpport function in epan/dissectors/packet-ipmi.c in the ...) - wireshark 2.0.1+g59ea380-1 [jessie] - wireshark (Only affects 2.x) [wheezy] - wireshark (Only affects 2.x) [squeeze] - wireshark (Only affects 2.x) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=96bf82ced0b58c7a4c2a6c300efeebe4f05c0ff4 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11831 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-57.html CVE-2015-8738 (The s7comm_decode_ud_cpu_szl_subfunc function in epan/dissectors/packe ...) - wireshark 2.0.1+g59ea380-1 [jessie] - wireshark (Only affects 2.x) [wheezy] - wireshark (Only affects 2.x) [squeeze] - wireshark (Only affects 2.x) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=858c3f0079f987833fb22eba2c361d1a88ba4103 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11823 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-56.html CVE-2015-8737 (The mp2t_open function in wiretap/mp2t.c in the MP2T file parser in Wi ...) - wireshark 2.0.1+g59ea380-1 [jessie] - wireshark (Only affects 2.x) [wheezy] - wireshark (Only affects 2.x) [squeeze] - wireshark (Only affects 2.x) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=e3fc691368af60bbbaec9e038ee6a6d3b7707955 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11821 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-55.html CVE-2015-8736 (The mp2t_find_next_pcr function in wiretap/mp2t.c in the MP2T file par ...) - wireshark 2.0.1+g59ea380-1 [jessie] - wireshark (Only affects 2.x) [wheezy] - wireshark (Only affects 2.x) [squeeze] - wireshark (Only affects 2.x) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=baa3eab78b422616a92ee38551c1b1510dca4ccb NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11820 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-54.html CVE-2015-8735 (The get_value function in epan/dissectors/packet-btatt.c in the Blueto ...) - wireshark 2.0.1+g59ea380-1 [jessie] - wireshark (Only affects 2.x) [wheezy] - wireshark (Only affects 2.x) [squeeze] - wireshark (Only affects 2.x) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=83bad0215dae54e77d34f8b187900125f672366e NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11817 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-53.html CVE-2015-8734 (The dissect_nwp function in epan/dissectors/packet-nwp.c in the NWP di ...) - wireshark 2.0.1+g59ea380-1 [jessie] - wireshark (Only affects 2.x) [wheezy] - wireshark (Only affects 2.x) [squeeze] - wireshark (Only affects 2.x) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=9b2c889abe0219fc162659e106c5b95deb6268f3 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11726 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-52.html CVE-2015-8733 (The ngsniffer_process_record function in wiretap/ngsniffer.c in the Sn ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=53a3e53fce30523d11ab3df319fba7b75d63076f NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11827 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-51.html CVE-2015-8732 (The dissect_zcl_pwr_prof_pwrprofstatersp function in epan/dissectors/p ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Vulnerable code not present) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=eb0c034f6e4cdbf5ae36dd9ba8e2743630b7bd38 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=9352616ec9742f2ed3d2802d0c8c100d51ca410b NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11830 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-50.html CVE-2015-8731 (The dissct_rsl_ipaccess_msg function in epan/dissectors/packet-rsl.c i ...) {DSA-3516-1} - wireshark 2.0.1+g59ea380-1 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2930d3105c3ff2bfb1278b34ad10e2e71c3b8fb0 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11829 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-49.html NOTE: fix released in 2.0.1 is incomplete, but the rest is tracked under CVE-2016-2530 CVE-2015-8730 (epan/dissectors/packet-nbap.c in the NBAP dissector in Wireshark 1.12. ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Vulnerable code not present) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=d2644aef369af0667220b5bd69996915b29d753d NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11815 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-48.html CVE-2015-8729 (The ascend_seek function in wiretap/ascendtext.c in the Ascend file pa ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=338da1c0ea0b2f8595d3a7b6d6c9548f7da3e27b NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11794 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-47.html CVE-2015-8728 (The Mobile Identity parser in (1) epan/dissectors/packet-ansi_a.c in t ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [wheezy] - wireshark 1.8.2-5wheezy18 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=15edc8d714b11dcff3a04e5d00b8db9adfdb81ed NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11797 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-46.html CVE-2015-8727 (The dissect_rsvp_common function in epan/dissectors/packet-rsvp.c in t ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=56baca60271379cb97f6a4a6bf72eb526e8b52d0 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11793 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-45.html CVE-2015-8726 (wiretap/vwr.c in the VeriWave file parser in Wireshark 1.12.x before 1 ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Vulnerable code not present) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=b8fa3d463c1bdd9b84c897441e7a5c8ad1f0f292 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=185911de7d337246044c8e99da2f5b4bac74c0d5 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11791 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11789 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-44.html CVE-2015-8725 (The dissect_diameter_base_framed_ipv6_prefix function in epan/dissecto ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [wheezy] - wireshark 1.8.2-5wheezy18 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=aaa28a9d39158ca1033bbd3372cf423abbf4f202 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11792 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-43.html CVE-2015-8724 (The AirPDcapDecryptWPABroadcastKey function in epan/crypt/airpdcap.c i ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 (unimportant) [wheezy] - wireshark 1.8.2-5wheezy18 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=83f2818118ae255db949bb3a4b3a26ebd1c5f7c5 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11826 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-42.html NOTE: Not suitable for code injection CVE-2015-8723 (The AirPDcapPacketProcess function in epan/crypt/airpdcap.c in the 802 ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [wheezy] - wireshark 1.8.2-5wheezy18 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=40b283181c63cb28bc6f58d80315eccca6650da0 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11790 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-42.html CVE-2015-8722 (epan/dissectors/packet-sctp.c in the SCTP dissector in Wireshark 1.12. ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2259bf8a827088081bef101f98e4983de8aa8099 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=1b32d505a59475d51d9b2bed5f0869d2d154e8b6 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11767 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-41.html CVE-2015-8721 (Buffer overflow in the tvb_uncompress function in epan/tvbuff_zlib.c i ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=cec0593ae6c3bca65eff65741c2a10f3de3e0afe NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11548 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-40.html CVE-2015-8720 (The dissect_ber_GeneralizedTime function in epan/dissectors/packet-ber ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=921bb07115fbffc081ec56a5022b4a9d58db6d39 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-39.html CVE-2015-8719 (The dissect_dns_answer function in epan/dissectors/packet-dns.c in the ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=30651ab18b42e666f57ea239e58f3ff3a5e9c4ad NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10988 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-38.html CVE-2015-8718 (Double free vulnerability in epan/dissectors/packet-nlm.c in the NLM d ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=81dfe6d450ada42d12f20ac26a6d8ae2302df37e NOTE: http://www.wireshark.org/security/wnpa-sec-2015-37.html CVE-2015-8717 (The dissect_sdp function in epan/dissectors/packet-sdp.c in the SDP di ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2ddd92b6f8f587325b9e14598658626f3a007c5c NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9887 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-36.html CVE-2015-8716 (The init_t38_info_conv function in epan/dissectors/packet-t38.c in the ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=eb6ccb1b0c4ad02b828652c3fe6e8d51c30a315e NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9887 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-35.html CVE-2015-8715 (epan/dissectors/packet-alljoyn.c in the AllJoyn dissector in Wireshark ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=40caff2d1fb08262c84aaaa8ac584baa8866dd7c NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11607 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-34.html CVE-2015-8714 (The dissect_dcom_OBJREF function in epan/dissectors/packet-dcom.c in t ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=d34267d0503a67235bf259fd2f2f2d2bb8b18cf5 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11610 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-33.html CVE-2015-8713 (epan/dissectors/packet-umts_fp.c in the UMTS FP dissector in Wireshark ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=67b6d4f7e6f2117b40957fd51518aa2a3e659002 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11606 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-32.html CVE-2015-8712 (The dissect_hsdsch_channel_info function in epan/dissectors/packet-umt ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2ae329a47b7f0ac94089c23e79c6b8bc18ba80ea NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11602 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-32.html CVE-2015-8711 (epan/dissectors/packet-nbap.c in the NBAP dissector in Wireshark 1.12. ...) {DSA-3505-1} - wireshark 2.0.1+g59ea380-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=5bf565690ad9f0771196d8fa237aa37fae3bb7cc NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=5b4ada17723ed8af7e85cb48d537437ed614e417 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=23379ae3624df82c170f48e5bb3250a97ec61c13 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11841 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11835 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11602 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-31.html CVE-2015-8707 (Password reset tokens in Magento CE before 1.9.2.2, and Magento EE bef ...) NOT-FOR-US: Magento CVE-2015-8744 (QEMU (aka Quick Emulator) built with a VMWARE VMXNET3 paravirtual NIC ...) {DSA-3471-1} - qemu 1:2.5+dfsg-1 [wheezy] - qemu (Vulnerable code introduced later) [squeeze] - qemu (Vulnerable code introduced later) - qemu-kvm (Vulnerable code not present) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=a7278b36fcab9af469563bd7b9dadebe2ae25e48 (v2.5.0-rc0) NOTE: VMXNET3 device implementation introduced in http://git.qemu.org/?p=qemu.git;a=commit;h=786fd2b0f87baded8c9e55307b99719eea3e016e (v1.5.0-rc0) CVE-2015-8745 (QEMU (aka Quick Emulator) built with a VMWARE VMXNET3 paravirtual NIC ...) {DSA-3471-1} - qemu 1:2.5+dfsg-1 [wheezy] - qemu (Vulnerable code introduced later) [squeeze] - qemu (Vulnerable code introduced later) - qemu-kvm (Vulnerable code not present) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=c6048f849c7e3f009786df76206e895a69de032c (v2.5.0-rc0) NOTE: VMXNET3 device implementation introduced in http://git.qemu.org/?p=qemu.git;a=commit;h=786fd2b0f87baded8c9e55307b99719eea3e016e (v1.5.0-rc0) CVE-2015-8743 (QEMU (aka Quick Emulator) built with the NE2000 device emulation suppo ...) {DSA-3471-1 DSA-3470-1 DSA-3469-1} - qemu 1:2.5+dfsg-2 (bug #810519) [squeeze] - qemu (Unsupported in squeeze-lts) - qemu-kvm [squeeze] - qemu-kvm (Unsupported in squeeze-lts) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1264929 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg00050.html NOTE: Introduced by (at least after): http://git.qemu.org/?p=qemu.git;a=commit;h=69b910399a3c40620a5213adaeb14a37366d97ac NOTE: http://www.openwall.com/lists/oss-security/2016/01/04/1 CVE-2014-9764 (imlib2 before 1.4.7 allows remote attackers to cause a denial of servi ...) {DSA-3537-1 DLA-401-1} - imlib2 1.4.7-1 NOTE: https://git.enlightenment.org/legacy/imlib2.git/commit/?h=v1.4.7&id=1f9b0b32728803a1578e658cd0955df773e34f49 CVE-2014-9763 (imlib2 before 1.4.7 allows remote attackers to cause a denial of servi ...) {DSA-3537-1 DLA-401-1} - imlib2 1.4.7-1 NOTE: https://git.enlightenment.org/legacy/imlib2.git/commit/?h=v1.4.7&id=c21beaf1780cf3ca291735ae7d58a3dde63277a2 CVE-2014-9762 (imlib2 before 1.4.7 allows remote attackers to cause a denial of servi ...) {DSA-3537-1 DLA-401-1} - imlib2 1.4.7-1 NOTE: https://git.enlightenment.org/legacy/imlib2.git/commit/?h=v1.4.7&id=39641e74a560982fbf93f29bf96b37d27803cb56 CVE-2014-9761 (Multiple stack-based buffer overflows in the GNU C Library (aka glibc ...) {DLA-411-1} - glibc 2.23-1 (bug #813187) [jessie] - glibc (Minor issue) [wheezy] - eglibc (Minor issue) - eglibc NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=16962 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e02cabecf0d025ec4f4ddee290bdf7aadb873bb3 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8f5e8b01a1da2a207228f2072c934fa5918554b8 NOTE: Fixed for 2.23 upstream CVE-2014-9760 (Cross-site scripting (XSS) vulnerability in the displayLogin function ...) - gosa 2.7.4+reloaded1-5 [wheezy] - gosa 2.7.4-4.3~deb7u2 [squeeze] - gosa 2.6.11-3+squeeze4 NOTE: Fixed in 2.7.4+reloaded1-3 with follow-up fix in 2.7.4+reloaded1-5 NOTE: https://github.com/gosa-project/gosa-core/commit/e35b990464a2c2cf64d6833a217ed944876e7732 CVE-2014-9759 (Incomplete blacklist vulnerability in the config_is_private function i ...) - mantis (Affects >= 1.3.0-beta.1) NOTE: http://github.com/mantisbt/mantisbt/commit/7927c275 NOTE: https://sourceforge.net/p/mantisbt/mailman/message/32948048/ NOTE: https://mantisbt.org/bugs/view.php?id=20277 NOTE: http://www.openwall.com/lists/oss-security/2016/01/02/1 CVE-2016-1283 (The pcre_compile2 function in pcre_compile.c in PCRE 8.38 mishandles t ...) - pcre3 2:8.38-3.1 (bug #809706) [jessie] - pcre3 2:8.35-3.3+deb8u3 [wheezy] - pcre3 (Vulnerable code not present) [squeeze] - pcre3 (Vulnerable code not present) NOTE: Introduced after http://vcs.pcre.org/pcre?view=revision&revision=1361 - pcre2 (Vulnerable code not present) NOTE: https://bugs.exim.org/show_bug.cgi?id=1767 NOTE: Upstream fix: http://vcs.pcre.org/pcre?view=revision&revision=1636 CVE-2016-1280 (PKId in Juniper Junos OS before 12.1X44-D52, 12.1X46 before 12.1X46-D3 ...) NOT-FOR-US: Juniper Junos OS CVE-2016-1279 (J-Web in Juniper Junos OS before 12.1X46-D45, 12.1X46-D50, 12.1X47 bef ...) NOT-FOR-US: Juniper Junos OS CVE-2016-1278 (Juniper Junos OS before 12.1X46-D50 on SRX Series devices reverts to " ...) NOT-FOR-US: Juniper Junos OS CVE-2016-1277 (Juniper Junos OS before 12.1X46-D50, 12.1X47 before 12.1X47-D40, 12.3X ...) NOT-FOR-US: Juniper Junos OS CVE-2016-1276 (Juniper Junos OS before 12.1X46-D50, 12.1X47 before 12.1X47-D23, 12.3X ...) NOT-FOR-US: Juniper Junos OS CVE-2016-1275 (Juniper Junos OS before 13.3R9, 14.1R6 before 14.1R6-S1, and 14.1 befo ...) NOT-FOR-US: Juniper Junos OS CVE-2016-1274 (Juniper Junos OS 14.1X53 before 14.1X53-D30 on QFX Series switches all ...) NOT-FOR-US: Juniper Junos OS CVE-2016-1273 (Juniper Junos OS before 13.2X51-D40, 14.x before 14.1X53-D30, and 15.x ...) NOT-FOR-US: Juniper Junos OS CVE-2016-1272 RESERVED CVE-2016-1271 (Juniper Junos OS before 12.1X46-D45, 12.1X47 before 12.1X47-D30, 12.3 ...) NOT-FOR-US: Juniper Junos OS CVE-2016-1270 (The rpd daemon in Juniper Junos OS before 12.1X44-D60, 12.1X46 before ...) NOT-FOR-US: Juniper Junos OS CVE-2016-1269 (Juniper Junos OS before 12.1X44-D60, 12.1X46 before 12.1X46-D40, 12.1X ...) NOT-FOR-US: Juniper Junos OS CVE-2016-1268 (The administrative web services interface in Juniper ScreenOS before 6 ...) NOT-FOR-US: Juniper ScreenOS CVE-2016-1267 (Race condition in the RPC functionality in Juniper Junos OS before 12. ...) NOT-FOR-US: Juniper Junos OS CVE-2016-1266 RESERVED CVE-2016-1265 (A remote unauthenticated network based attacker with access to Junos S ...) NOT-FOR-US: Juniper CVE-2016-1264 (Race condition in the Op command in Juniper Junos OS before 12.1X44-D5 ...) NOT-FOR-US: Juniper Junos OS CVE-2016-1263 (Juniper Junos OS before 12.1X46-D45, 12.1X46-D50, 12.1X47 before 12.1X ...) NOT-FOR-US: Juniper Junos OS CVE-2016-1262 (Juniper Junos OS before 12.1X46-D45, 12.1X47 before 12.1X47-D30, 12.1X ...) NOT-FOR-US: Juniper CVE-2016-1261 (J-Web does not validate certain input that may lead to cross-site requ ...) NOT-FOR-US: Juniper CVE-2016-1260 (Juniper Junos OS before 13.2X51-D36, 14.1X53 before 14.1X53-D25, and 1 ...) NOT-FOR-US: Juniper CVE-2016-1259 RESERVED CVE-2016-1258 (Embedthis Appweb, as used in J-Web in Juniper Junos OS before 12.1X44- ...) NOT-FOR-US: Juniper CVE-2016-1257 (The Routing Engine in Juniper Junos OS 13.2R5 through 13.2R8, 13.3R1 b ...) NOT-FOR-US: Juniper CVE-2016-1256 (Juniper Junos OS before 12.1X44-D55, 12.1X46 before 12.1X46-D40, 12.1X ...) NOT-FOR-US: Juniper CVE-2015-8706 RESERVED CVE-2015-8705 (buffer.c in named in ISC BIND 9.10.x before 9.10.3-P3, when debug logg ...) - bind9 (Only affects 9.10.0->9.10.3-P2) NOTE: https://kb.isc.org/article/AA-01336 CVE-2015-8704 (apl_42.c in ISC BIND 9.x before 9.9.8-P3, 9.9.x, and 9.10.x before 9.1 ...) {DSA-3449-1 DLA-396-1} - bind9 1:9.10.3.dfsg.P4-6 (bug #812077) NOTE: https://kb.isc.org/article/AA-01335 CVE-2015-8703 (ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE and ZXV10 ...) NOT-FOR-US: ZTE router CVE-2015-8702 (The DNS::GetResult function in dns.cpp in InspIRCd before 2.0.19 allow ...) {DSA-3527-1 DLA-384-1} - inspircd 2.0.20-1 NOTE: https://github.com/inspircd/inspircd/commit/6058483d9fbc1b904d5ae7cfea47bfcde5c5b559 NOTE: http://www.inspircd.org/2015/04/16/v2019-released.html CVE-2015-8701 (QEMU (aka Quick Emulator) built with the Rocker switch emulation suppo ...) - qemu 1:2.5+dfsg-3 (bug #809313) [jessie] - qemu (Vulnerable code introduced after qemu 2.3) [wheezy] - qemu (Vulnerable code introduced after qemu 2.3) [squeeze] - qemu (Vulnerable code introduced after qemu 2.3) - qemu-kvm (Vulnerable code introduced after qemu 2.3) NOTE: http://www.openwall.com/lists/oss-security/2015/12/28/6 CVE-2015-8700 RESERVED CVE-2015-8699 (Multiple cross-site scripting (XSS) vulnerabilities in CA Release Auto ...) NOT-FOR-US: CA Release Automation CVE-2016-1255 (The pg_ctlcluster script in postgresql-common package in Debian wheezy ...) {DLA-774-1} - postgresql-common 178 [jessie] - postgresql-common 165+deb8u2 NOTE: Fix: https://anonscm.debian.org/cgit/pkg-postgresql/postgresql-common.git/commit/?id=c8989206ec360f199400c74f129f7b4cb878c1ee NOTE: Testsuite update: https://anonscm.debian.org/cgit/pkg-postgresql/postgresql-common.git/commit/?id=30f0e4200cfc358b4536bf5d1f6c48abb779d438 CVE-2016-1254 (Tor before 0.2.8.12 might allow remote attackers to cause a denial of ...) {DSA-3741-1 DLA-754-1} - tor 0.2.9.8-2 (bug #848847) NOTE: https://blog.torproject.org/blog/tor-02812-released NOTE: https://trac.torproject.org/projects/tor/ticket/21018 CVE-2016-1253 (The most package in Debian wheezy before 5.0.0a-2.2, in Debian jessie ...) {DLA-745-1} - most 5.0.0a-3 (bug #848132) [jessie] - most 5.0.0a-2.3+deb8u1 CVE-2016-1252 (The apt package in Debian jessie before 1.0.9.8.4, in Debian unstable ...) {DSA-3733-1} - apt 1.4~beta2 [wheezy] - apt (Issue introduced in apt >= 0.9.8) NOTE: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467 CVE-2016-1251 (There is a vulnerability of type use-after-free affecting DBD::mysql ( ...) - libdbd-mysql-perl 4.041-1 [jessie] - libdbd-mysql-perl (Minor issue) [wheezy] - libdbd-mysql-perl (Minor issue) NOTE: Only an issue with mysql_server_prepare=1 NOTE: https://github.com/perl5-dbi/DBD-mysql/commit/3619c170461a3107a258d1fd2d00ed4832adb1b1 (4.041) CVE-2016-1250 REJECTED CVE-2016-1249 (The DBD::mysql module before 4.039 for Perl, when using server-side pr ...) - libdbd-mysql-perl 4.039-1 (bug #844475) [jessie] - libdbd-mysql-perl (Minor issue) [wheezy] - libdbd-mysql-perl (Minor issue) NOTE: https://github.com/perl5-dbi/DBD-mysql/commit/793b72b1a0baa5070adacaac0e12fd995a6fbabe (4.039) NOTE: http://www.openwall.com/lists/oss-security/2016/11/16/1 CVE-2016-1248 (vim before patch 8.0.0056 does not properly validate values for the 'f ...) {DSA-3722-1 DLA-718-1} - vim 2:8.0.0095-1 - neovim 0.1.6-4 NOTE: Fixed by: https://github.com/vim/vim/commit/d0b5138ba4bccff8a744c99836041ef6322ed39a NOTE: Fixed by (neovim): https://github.com/neovim/neovim/commit/4fad66fbe637818b6b3d6bc5d21923ba72795040 CVE-2016-1247 (The nginx package before 1.6.2-5+deb8u3 on Debian jessie, the nginx pa ...) {DSA-3701-1} - nginx 1.10.2-1 (bug #842295) [wheezy] - nginx (Introduced by the fix for CVE-2013-0337, not applied) NOTE: Issue introduced with the Debian specific fix for CVE-2013-0337 / #701112 NOTE: http://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html CVE-2016-1246 (Buffer overflow in the DBD::mysql module before 4.037 for Perl allows ...) {DSA-3684-1 DLA-656-1} - libdbd-mysql-perl 4.037-1 (low) NOTE: https://github.com/perl5-dbi/DBD-mysql/commit/7c164a0c86cec6ee95df1d141e67b0e85dfdefd2 (4.037) CVE-2016-1245 (It was discovered that the zebra daemon in Quagga before 1.0.20161017 ...) {DSA-3695-1 DLA-662-1} - quagga 1.0.20160315-3 (bug #841162) NOTE: Fixed by: https://github.com/Quagga/quagga/commit/cfb1fae25f8c092e0d17073eaf7bd428ce1cd546 NOTE: https://lists.quagga.net/pipermail/quagga-users/2016-October/014478.html CVE-2016-1244 (The extractTree function in unADF allows remote attackers to execute a ...) {DSA-3676-1 DLA-631-1} - unadf 0.7.11a-4 (bug #838248) CVE-2016-1243 (Stack-based buffer overflow in the extractTree function in unADF allow ...) {DSA-3676-1 DLA-631-1} - unadf 0.7.11a-4 (bug #838248) CVE-2016-1242 (file_open in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3 ...) {DSA-3656-1 DLA-607-1} - tryton-server 4.0.4-1 CVE-2016-1241 (Tryton 3.x before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3. ...) {DSA-3656-1} - tryton-server 4.0.4-1 [wheezy] - tryton-server (password_hash field introduced in 3.2 series) CVE-2016-1240 (The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 a ...) {DSA-3670-1 DSA-3669-1 DLA-623-1 DLA-622-1} - tomcat8 8.0.36-3 - tomcat7 7.0.70-3 - tomcat6 6.0.41-3 NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs CVE-2016-1239 [loads arbitrary code from the current untrusted directory] RESERVED - duck 0.10 [jessie] - duck 0.7+deb8u1 NOTE: https://anonscm.debian.org/cgit/collab-maint/duck.git/commit/?id=b43b5bbf07973c54b8f1c581a941f4facc97177a (0.10) CVE-2016-1238 ((1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) ...) {DSA-3628-1 DLA-1578-1 DLA-584-1 DLA-565-1} - perl 5.22.2-3 - libsys-syslog-perl [jessie] - libsys-syslog-perl 0.33-1+deb8u1 NOTE: http://article.gmane.org/gmane.comp.lang.perl.perl5.porters/160507 NOTE: Although more modules and scripts are affected by similar issue and mentioned NOTE: in the DSA/DLA, the CVE is for src:perl (and libsys-syslog-perl beeing dual-lived) NOTE: and thus not adding more source packages here. CVE-2016-1237 (nfsd in the Linux kernel through 4.6.3 allows local users to bypass in ...) {DSA-3607-1} - linux 4.6.2-2 [wheezy] - linux (Vulnerable code introduced later) NOTE: Introduced by: https://git.kernel.org/linus/4ac7249ea5a0ceef9f8269f63f33cc873c3fac61 (v3.14-rc1) NOTE: Prerequisite: https://git.kernel.org/linus/485e71e8fb6356c08c7fc6bcce4bf02c9a9a663f NOTE: Fixed by: https://git.kernel.org/linus/999653786df6954a31044528ac3f7a5dadca08f4 CVE-2016-1236 (Multiple cross-site scripting (XSS) vulnerabilities in (1) revision.ph ...) {DSA-3572-1 DLA-462-1} - websvn NOTE: http://www.openwall.com/lists/oss-security/2016/05/05/22 CVE-2016-1235 (The oarsh script in OAR before 2.5.7 allows remote authenticated users ...) {DSA-3543-1} - oar 2.5.7-1 (bug #819952) NOTE: https://raw.githubusercontent.com/oar-team/oar/ce77ffed620fdce94881c9b35064507777c24a1c/debian/patches/004-fix-oarsh-security-issue CVE-2016-1234 (Stack-based buffer overflow in the glob implementation in GNU C Librar ...) {DLA-494-1} - glibc 2.22-8 [jessie] - glibc 2.19-18+deb8u5 - eglibc [wheezy] - eglibc (Minor issue, can be fixed in a point update) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=19779 CVE-2016-1233 (An unspecified udev rule in the Debian fuse package in jessie before 2 ...) {DSA-3451-1} - fuse 2.9.5-1 [wheezy] - fuse (Problematic permissions via udev rule not set) [squeeze] - fuse (Problematic permissions via udev rule not set) CVE-2016-1232 (The mod_dialback module in Prosody before 0.9.9 does not properly gene ...) {DSA-3439-1 DLA-391-1} - prosody 0.9.9-1 NOTE: https://prosody.im/security/advisory_20160108-2/ CVE-2016-1231 (Directory traversal vulnerability in the HTTP file-serving module (mod ...) {DSA-3439-1} - prosody 0.9.9-1 [squeeze] - prosody (Vulnerable code not present) NOTE: https://prosody.im/security/advisory_20160108-1/ CVE-2016-1230 (Cross-site scripting (XSS) vulnerability in NTT PC Communications WebA ...) NOT-FOR-US: NTT CVE-2016-1229 (Cross-site scripting (XSS) vulnerability in HumHub 0.20.0-beta.1 throu ...) NOT-FOR-US: HumHub CVE-2016-1228 (Cross-site request forgery (CSRF) vulnerability on NTT EAST Hikari Den ...) NOT-FOR-US: NTT CVE-2016-1227 (NTT EAST Hikari Denwa routers with firmware PR-400MI, RT-400MI, and RV ...) NOT-FOR-US: NTT CVE-2016-1226 (Cross-site scripting (XSS) vulnerability in Trend Micro Internet Secur ...) NOT-FOR-US: Trend Micro CVE-2016-1225 (Trend Micro Internet Security 8 and 10 allows remote attackers to read ...) NOT-FOR-US: Trend Micro CVE-2016-1224 (CRLF injection vulnerability in Trend Micro Worry-Free Business Securi ...) NOT-FOR-US: Trend Micro CVE-2016-1223 (Directory traversal vulnerability in Trend Micro Office Scan 11.0, Wor ...) NOT-FOR-US: Trend Micro CVE-2016-1222 (Cross-site scripting (XSS) vulnerability in Kobe Beauty php-contact-fo ...) NOT-FOR-US: Kobe Beauty CVE-2016-1221 (Jetstar App for iOS before 3.0.0 does not verify X.509 certificates fr ...) NOT-FOR-US: Jetstar App CVE-2016-1220 (Cybozu Garoon before 4.2.2 does not properly restrict access. ...) NOT-FOR-US: Cybozu CVE-2016-1219 (Cybozu Garoon before 4.2.2 allows remote attackers to bypass login aut ...) NOT-FOR-US: Cybozu CVE-2016-1218 (SQL injection vulnerability in Cybozu Garoon before 4.2.2. ...) NOT-FOR-US: Cybozu CVE-2016-1217 (Cross-site scripting (XSS) vulnerability in the "Check available times ...) NOT-FOR-US: Cybozu CVE-2016-1216 (Cross-site scripting (XSS) vulnerability in the "New appointment" func ...) NOT-FOR-US: Cybozu CVE-2016-1215 (Cross-site scripting (XSS) vulnerability in the "User details" functio ...) NOT-FOR-US: Cybozu CVE-2016-1214 (Cross-site scripting (XSS) vulnerability in the "Response request" fun ...) NOT-FOR-US: Cybozu CVE-2016-1213 (The "Scheduler" function in Cybozu Garoon before 4.2.2 allows remote a ...) NOT-FOR-US: Cybozu CVE-2016-1212 (Directory traversal vulnerability in futomi MP Form Mail CGI Professio ...) NOT-FOR-US: futomi MP Form Mail CGI Professional Edition CVE-2016-1211 (Cross-site scripting (XSS) vulnerability in Epoch Web Mailing List 0.3 ...) NOT-FOR-US: Epoch Web Mailing List CVE-2016-1210 (The 105 BANK app 1.0 and 1.1 for Android and 1.0 for iOS does not veri ...) NOT-FOR-US: 105 BANK app CVE-2016-1209 (The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote att ...) NOT-FOR-US: Wordpress plugin CVE-2016-1208 (The server in Apple FileMaker before 14.0.4 on OS X allows remote atta ...) NOT-FOR-US: Apple FileMaker CVE-2016-1207 (Cross-site scripting (XSS) vulnerability on I-O DATA DEVICE WN-G300R d ...) NOT-FOR-US: I-O DATA CVE-2016-1206 (The WPS implementation on I-O DATA DEVICE WN-GDN/R3, WN-GDN/R3-C, WN-G ...) NOT-FOR-US: I-O DATA CVE-2016-1205 (Cross-site scripting (XSS) vulnerability in the shiro8 (1) category_fr ...) NOT-FOR-US: EC-CUBE plugin CVE-2016-1204 RESERVED CVE-2016-1203 RESERVED CVE-2016-1202 (Untrusted search path vulnerability in Atom Electron before 0.33.5 all ...) NOT-FOR-US: Atom Electron CVE-2016-1201 (Cross-site request forgery (CSRF) vulnerability in LOCKON EC-CUBE 3.0. ...) NOT-FOR-US: LOCKON CVE-2016-1200 (The management screen in LOCKON EC-CUBE 3.0.7 through 3.0.9 allows rem ...) NOT-FOR-US: LOCKON CVE-2016-1199 (The login page in the management screen in LOCKON EC-CUBE 3.0.0 throug ...) NOT-FOR-US: LOCKON CVE-2016-1198 (Photopt for Android before 2.0.1 does not verify SSL certificates. ...) NOT-FOR-US: Photopt for Android CVE-2016-1197 (Cross-site scripting (XSS) vulnerability in Cybozu Garoon 4.x before 4 ...) NOT-FOR-US: Cybozu CVE-2016-1196 (Cybozu Garoon 3.x and 4.x before 4.2.1 allows remote authenticated use ...) NOT-FOR-US: Cybozu CVE-2016-1195 (Open redirect vulnerability in Cybozu Garoon 3.x and 4.x before 4.2.1 ...) NOT-FOR-US: Cybozu CVE-2016-1194 (Cybozu Garoon before 4.2.1 allows remote attackers to cause a denial o ...) NOT-FOR-US: Cybozu CVE-2016-1193 (Cybozu Garoon 3.7 through 4.2 allows remote attackers to obtain sensit ...) NOT-FOR-US: Cybozu CVE-2016-1192 (Directory traversal vulnerability in the logging implementation in Cyb ...) NOT-FOR-US: Cybozu CVE-2016-1191 (Directory traversal vulnerability in the Files function in Cybozu Garo ...) NOT-FOR-US: Cybozu CVE-2016-1190 (Cybozu Garoon 3.1 through 4.2 allows remote authenticated users to byp ...) NOT-FOR-US: Cybozu CVE-2016-1189 (Cybozu Garoon 3.x and 4.x before 4.2.1 allows remote authenticated use ...) NOT-FOR-US: Cybozu CVE-2016-1188 (Cybozu Garoon 3.x and 4.x before 4.2.1 allows remote authenticated use ...) NOT-FOR-US: Cybozu CVE-2016-1187 (Cybozu KUNAI for iPhone 2.0.3 through 3.1.5 and for Android 2.1.2 thro ...) NOT-FOR-US: Cybozu CVE-2016-1186 (Kintone mobile for Android 1.0.0 through 1.0.5 does not verify SSL ser ...) NOT-FOR-US: Kintone mobile for Android CVE-2016-1185 (The Cybozu kintone mobile application 1.x before 1.0.6 for Android all ...) NOT-FOR-US: Cybozu CVE-2016-1184 (Tokyo Star bank App for Android before 1.4 and Tokyo Star bank App for ...) NOT-FOR-US: Tokyo Star bank App for Android CVE-2016-1183 (NTT Data TERASOLUNA Server Framework for Java(WEB) 2.0.0.1 through 2.0 ...) NOT-FOR-US: NTT CVE-2016-1182 (ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not prop ...) - libstruts1.2-java [wheezy] - libstruts1.2-java (basically fixed in CVE-2015-0899) NOTE: https://jvn.jp/en/jp/JVN65044642/ NOTE: Two conditions must be met to exploit this vulnerability NOTE: condition one is already fixed in CVE-2015-0899, so everything is fine NOTE: condition two can be fixed by the following patch: NOTE: https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8 NOTE: but as this completely deactivates multipart requests, this should not be generally applied CVE-2016-1181 (ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles mu ...) - libstruts1.2-java [wheezy] - libstruts1.2-java (basically fixed in CVE-2015-0899) NOTE: https://jvn.jp/en/jp/JVN03188560/ NOTE: Two conditions must be met to exploit this vulnerability NOTE: condition one is already fixed in CVE-2015-0899, so everything is fine NOTE: condition two can be fixed by the following patch: NOTE: https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8 NOTE: but as this completely deactivates multipart requests, this should not be generally applied CVE-2016-1180 (Cross-site scripting (XSS) vulnerability in the Cyber-Will Social-butt ...) NOT-FOR-US: Cyber-Will Social-button Premium plugin CVE-2016-1179 (Cross-site scripting (XSS) vulnerability in the standard template of t ...) NOT-FOR-US: appleple a-blog cms CVE-2016-1178 (The session management of the comment functionality in appleple a-blog ...) NOT-FOR-US: appleple a-blog cms CVE-2016-1177 (The management screen in Falcon WisePoint 4.3.1 and earlier and WisePo ...) NOT-FOR-US: Falcon WisePoint CVE-2016-1176 (Buffer overflow in the ActiveX control in Sharp EVA Animeter allows re ...) NOT-FOR-US: Sharp EVA Animeter CVE-2016-1175 (Cross-site request forgery (CSRF) vulnerability in AQUOS Photo Player ...) NOT-FOR-US: AQUOS Photo Player CVE-2016-1174 (Cross-site request forgery (CSRF) vulnerability in the Menubook plugin ...) NOT-FOR-US: baserCMS CVE-2016-1173 (Cross-site scripting (XSS) vulnerability in the Menubook plugin before ...) NOT-FOR-US: baserCMS CVE-2016-1172 (Cross-site request forgery (CSRF) vulnerability in the Recruit plugin ...) NOT-FOR-US: baserCMS CVE-2016-1171 (Cross-site scripting (XSS) vulnerability in the Recruit plugin before ...) NOT-FOR-US: baserCMS CVE-2016-1170 (Cross-site request forgery (CSRF) vulnerability in the Casebook plugin ...) NOT-FOR-US: baserCMS CVE-2016-1169 (Cross-site scripting (XSS) vulnerability in the Casebook plugin before ...) NOT-FOR-US: baserCMS CVE-2016-1168 (Cross-site request forgery (CSRF) vulnerability on NEC Aterm WF800HP d ...) NOT-FOR-US: NEC CVE-2016-1167 (Cross-site request forgery (CSRF) vulnerability on NEC Aterm WG300HP d ...) NOT-FOR-US: NEC CVE-2016-1166 REJECTED CVE-2016-1165 REJECTED CVE-2016-1164 REJECTED CVE-2016-1163 REJECTED CVE-2016-1162 REJECTED CVE-2016-1161 (Cross-site request forgery (CSRF) vulnerability in ManageEngine Passwo ...) NOT-FOR-US: ManageEngine Password Manager Pro CVE-2016-1160 (Cross-site scripting (XSS) vulnerability in the WP Favorite Posts plug ...) NOT-FOR-US: WP Favorite Posts plugin for WordPress CVE-2016-1159 (In ZOHO Password Manager Pro (PMP) 8.3.0 (Build 8303) and 8.4.0 (Build ...) NOT-FOR-US: ZOHO CVE-2016-1158 (Cross-site request forgery (CSRF) vulnerability on Corega CG-WLBARGMH ...) NOT-FOR-US: Corega CVE-2016-1157 (Cross-site scripting (XSS) vulnerability in log_chat.cgi in Script* Lo ...) NOT-FOR-US: Log-Chat CVE-2016-1156 (LINE 4.3.0.724 and earlier on Windows and 4.3.1 and earlier on OS X al ...) NOT-FOR-US: LINE CVE-2016-1155 (HTTP header injection vulnerability in the URLConnection class in Andr ...) NOT-FOR-US: Android CVE-2016-1154 (SQL injection vulnerability in the Help plug-in 1.3.5 and earlier in C ...) NOT-FOR-US: Cuore EC-CUBE CVE-2016-1153 (customapp in Cybozu Office 9.9.0 through 10.3.0 allows remote authenti ...) NOT-FOR-US: Cybozu Office CVE-2016-1152 (Cybozu Office 9.9.0 through 10.3.0 allows remote authenticated users t ...) NOT-FOR-US: Cybozu Office CVE-2016-1151 (Multiple cross-site request forgery (CSRF) vulnerabilities in Cybozu O ...) NOT-FOR-US: Cybozu Office CVE-2016-1150 (Cross-site scripting (XSS) vulnerability in Cybozu Office 9.0.0 throug ...) NOT-FOR-US: Cybozu Office CVE-2016-1149 (Cross-site scripting (XSS) vulnerability in Cybozu Office 9.0.0 throug ...) NOT-FOR-US: Cybozu Office CVE-2016-1148 (Akerun - Smart Lock Robot App for iOS before 1.2.4 does not verify SSL ...) NOT-FOR-US: Akerun CVE-2016-1147 REJECTED CVE-2016-1146 REJECTED CVE-2016-1145 (Directory traversal vulnerability in WebManager in NEC EXPRESSCLUSTER ...) NOT-FOR-US: NEC EXPRESSCLUSTER CVE-2016-1144 (Cross-site scripting (XSS) vulnerability in JOB-CUBE -JOB WEB SYSTEM b ...) NOT-FOR-US: High Income CVE-2016-1143 (Cross-site scripting (XSS) vulnerability in main.rb in Vine MV before ...) NOT-FOR-US: Vine MV CVE-2016-1142 (Seeds acmailer before 3.8.21 and 3.9.x before 3.9.15 Beta allows remot ...) NOT-FOR-US: Seeds acmailer CVE-2016-1141 (KDDI HOME SPOT CUBE devices before 2 allow remote authenticated users ...) NOT-FOR-US: KDDI HOME SPOT CUBE CVE-2016-1140 (KDDI HOME SPOT CUBE devices before 2 allow remote attackers to conduct ...) NOT-FOR-US: KDDI HOME SPOT CUBE CVE-2016-1139 (Cross-site request forgery (CSRF) vulnerability on KDDI HOME SPOT CUBE ...) NOT-FOR-US: KDDI HOME SPOT CUBE CVE-2016-1138 (CRLF injection vulnerability on KDDI HOME SPOT CUBE devices before 2 a ...) NOT-FOR-US: KDDI HOME SPOT CUBE CVE-2016-1137 (Open redirect vulnerability on KDDI HOME SPOT CUBE devices before 2 al ...) NOT-FOR-US: KDDI HOME SPOT CUBE CVE-2016-1136 (Cross-site scripting (XSS) vulnerability on KDDI HOME SPOT CUBE device ...) NOT-FOR-US: KDDI HOME SPOT CUBE CVE-2016-1135 (Cross-site scripting (XSS) vulnerability on BUFFALO BHR-4GRV2 devices ...) NOT-FOR-US: BUFFALO CVE-2016-1134 (Cross-site request forgery (CSRF) vulnerability on BUFFALO BHR-4GRV2 d ...) NOT-FOR-US: BUFFALO CVE-2016-1133 (CRLF injection vulnerability in the on_req function in lib/handler/red ...) - h2o (Fixed before initial upload to Debian) NOTE: https://github.com/h2o/h2o/issues/682 NOTE: https://github.com/h2o/h2o/issues/684 NOTE: https://github.com/h2o/h2o/pull/684 CVE-2016-1132 (Shoplat App for iOS 1.10.00 through 1.18.00 does not properly verify S ...) NOT-FOR-US: Shoplat App CVE-2016-1131 (Buffer overflow in the CL_vsprintf function in Takumi Yamada DX Librar ...) NOT-FOR-US: Takumi Yamada CVE-2015-8698 (CA Release Automation (formerly LISA Release Automation) 5.0.2 before ...) NOT-FOR-US: CA Release Automation CVE-2015-8696 RESERVED CVE-2015-8695 RESERVED CVE-2015-8694 RESERVED CVE-2015-8693 RESERVED CVE-2015-8692 RESERVED CVE-2015-8691 RESERVED CVE-2015-8690 RESERVED CVE-2015-8689 RESERVED CVE-2015-8688 (Gajim before 0.16.5 allows remote attackers to modify the roster and i ...) {DSA-3492-1 DLA-413-1} - gajim 0.16.5-0.1 (bug #809900) NOTE: http://gultsch.de/gajim_roster_push_and_message_interception.html NOTE: https://trac.gajim.org/changeset/af78b7c068904d78c5dfb802826aae99f26a8947/ CVE-2015-8687 (Multiple cross-site scripting (XSS) vulnerabilities in the Management ...) NOT-FOR-US: Alcatel CVE-2015-8686 RESERVED CVE-2015-8685 (Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CR ...) - dolibarr 3.5.8+dfsg1-1 (bug #812449) [jessie] - dolibarr 3.5.5+dfsg1-1+deb8u1 NOTE: https://github.com/Dolibarr/dolibarr/issues/4291 NOTE: https://github.com/GPCsolutions/dolibarr/commit/0d3181324c816bdf664ca5e1548dfe8eb05c54f8 CVE-2015-8684 (Exponent CMS before 2.3.7 does not properly restrict the types of file ...) NOT-FOR-US: Exponent CMS CVE-2015-8682 (The Video0 driver in Huawei P8 smartphones with software GRA-UL00 befo ...) NOT-FOR-US: Huawei CVE-2015-8681 (The ovisp driver in Huawei P8 smartphones with software GRA-TL00 befor ...) NOT-FOR-US: Huawei CVE-2015-8680 (The Graphics driver in Huawei P8 smartphones with software GRA-TL00 be ...) NOT-FOR-US: Huawei CVE-2015-8679 (The Maxim_smartpa_dev driver in Huawei P8 smartphones with software GR ...) NOT-FOR-US: Huawei CVE-2015-8678 (The ION driver in Huawei P8 smartphones with software GRA-TL00 before ...) NOT-FOR-US: ION driver in Huawei P8 smartphones CVE-2015-8677 (Memory leak in Huawei S5300EI, S5300SI, S5310HI, and S6300EI Campus se ...) NOT-FOR-US: Huawei CVE-2015-8676 (Memory leak in Huawei S5300EI, S5300SI, S5310HI, S6300EI/ S2350EI, and ...) NOT-FOR-US: Huawei CVE-2015-8675 (Huawei S5300 Campus Series switches with software before V200R005SPH00 ...) NOT-FOR-US: Huawei CVE-2015-8674 REJECTED CVE-2015-8673 (Huawei TE30, TE40, TE50, and TE60 multimedia video conferencing endpoi ...) NOT-FOR-US: Huawei CVE-2015-8672 (The presentation transmission permission management mechanism in Huawe ...) NOT-FOR-US: Huawei CVE-2015-8671 (Huawei LogCenter V100R001C10 could allow an authenticated attacker to ...) NOT-FOR-US: Huawei CVE-2015-8670 (Huawei LogCenter V100R001C10 could allow an authenticated attacker to ...) NOT-FOR-US: Huawei CVE-2015-8667 (Cross-site scripting (XSS) vulnerability in Reset Your Password module ...) NOT-FOR-US: Exponent CMS CVE-2015-8664 (Integer overflow in the WebCursor::Deserialize function in content/com ...) - chromium-browser 47.0.2526.111-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2015-8663 (The ff_get_buffer function in libavcodec/utils.c in FFmpeg before 2.8. ...) {DLA-1611-1} - ffmpeg 7:2.8.4-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=abee0a1c60612e8638640a8a3738fffb65e16dbf NOTE: For libav in jessie the patch needs to applied in libavcodec/decode.c in line 1884. CVE-2015-8662 (The ff_dwt_decode function in libavcodec/jpeg2000dwt.c in FFmpeg befor ...) {DLA-1611-1} - ffmpeg 7:2.8.4-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav [wheezy] - libav (Vulnerable code not present) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=75422280fbcdfbe9dc56bde5525b4d8b280f1bc5 CVE-2015-8661 (The h264_slice_header_init function in libavcodec/h264_slice.c in FFmp ...) {DLA-1611-1} - ffmpeg 7:2.8.3-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=4ea4d2f438c9a7eba37980c9a87be4b34943e4d5 CVE-2015-8658 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8657 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8656 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8655 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8654 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8653 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8652 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8651 (Integer overflow in Adobe Flash Player before 18.0.0.324 and 19.x and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8650 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8649 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8648 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8647 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8646 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8645 (Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8644 (Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8643 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8642 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8641 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8640 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8639 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8638 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8637 REJECTED CVE-2015-8636 (Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8635 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8634 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8633 RESERVED CVE-2015-8632 RESERVED CVE-2015-8631 (Multiple memory leaks in kadmin/server/server_stubs.c in kadmind in MI ...) {DSA-3466-1 DLA-423-1} - krb5 1.13.2+dfsg-5 (bug #813126) NOTE: Fixed by: https://github.com/krb5/krb5/commit/83ed75feba32e46f736fcce0d96a0445f29b96c2 CVE-2015-8630 (The (1) kadm5_create_principal_3 and (2) kadm5_modify_principal functi ...) - krb5 1.13.2+dfsg-5 (bug #813127) [jessie] - krb5 1.12.1+dfsg-19+deb8u2 [wheezy] - krb5 (Vulnerability introduced in 1.12) [squeeze] - krb5 (Vulnerability introduced in 1.12) NOTE: Fixed by: https://github.com/krb5/krb5/commit/b863de7fbf080b15e347a736fdda0a82d42f4f6b NOTE: Introduced by: https://github.com/krb5/krb5/commit/0780e46fc13dbafa177525164997cd204cc50b51 (krb5-1.12-alpha1) CVE-2015-8629 (The xdr_nullstring function in lib/kadm5/kadm_rpc_xdr.c in kadmind in ...) {DSA-3466-1 DLA-423-1} - krb5 1.13.2+dfsg-5 (bug #813296) NOTE: Fixed by: https://github.com/krb5/krb5/commit/df17a1224a3406f57477bcd372c61e04c0e5a5bb CVE-2015-8620 (Heap-based buffer overflow in the Avast virtualization driver (aswSnx. ...) NOT-FOR-US: Avast CVE-2015-8669 (libraries/config/messages.inc.php in phpMyAdmin 4.0.x before 4.0.10.12 ...) - phpmyadmin 4:4.5.3.1-1 (unimportant) [squeeze] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2015-6/ NOTE: non-issue for Debian-packaged version CVE-2015-8668 (Heap-based buffer overflow in the PackBitsPreEncode function in tif_pa ...) {DLA-693-1} [jessie] - tiff 4.0.3-12.3+deb8u2 - tiff 4.0.6-3 (bug #842046) - tiff3 [wheezy] - tiff3 (Does not ship libtiff tools) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2563 NOTE: Red Hat say it's only OOB read: https://bugzilla.redhat.com/show_bug.cgi?id=1294425#c1 NOTE: Red Hat's patch is partially incorrect according to upstream NOTE: Issue was also marked as wontfix, because bmp2tiff utility has been removed NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2563#c4 NOTE: Reproducer file here: http://bugzilla.maptools.org/attachment.cgi?id=677 NOTE: bmp2tiff was removed in 4.0.6-3 and DSA 3762, marking as fixed although technically still present in the source package CVE-2015-8683 (The putcontig8bitCIELab function in tif_getimage.c in LibTIFF 4.0.6 al ...) {DSA-3467-1 DLA-610-1 DLA-402-1} - tiff 4.0.6-1 (bug #809021) - tiff3 NOTE: http://www.openwall.com/lists/oss-security/2015/12/25/1 NOTE: https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55 CVE-2015-8665 (tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a den ...) {DSA-3467-1 DLA-610-1 DLA-402-1} - tiff 4.0.6-1 (bug #808968) - tiff3 NOTE: http://www.openwall.com/lists/oss-security/2015/12/24/2 NOTE: https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55 CVE-2015-8666 (Heap-based buffer overflow in QEMU, when built with the Q35-chipset-ba ...) {DLA-1497-1} - qemu 1:2.5+dfsg-1 [wheezy] - qemu (Minor issue) [squeeze] - qemu (Unsupported in squeeze-lts) - qemu-kvm [squeeze] - qemu-kvm (Unsupported in squeeze-lts) [wheezy] - qemu-kvm (Minor issue) NOTE: Upstream commit: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=d9a3b33d2c9f996537b7f1d0246dee2d0120cefb (v2.5.0-rc1) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283722 NOTE: http://www.openwall.com/lists/oss-security/2015/12/24/1 NOTE: Vulnerable code introduced after 0.14.50: http://git.qemu.org/?p=qemu.git;a=commit;h=23910d3f669d46073b403876e30a7314599633af CVE-2016-1130 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1129 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1128 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1127 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1126 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1125 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1124 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1123 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1122 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1121 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1120 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1119 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1118 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1117 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1116 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1115 (Adobe ColdFusion 10 before Update 19, 11 before Update 8, and 2016 bef ...) NOT-FOR-US: Adobe CVE-2016-1114 (Adobe ColdFusion 10 before Update 19, 11 before Update 8, and 2016 bef ...) NOT-FOR-US: Adobe CVE-2016-1113 (Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 10 before ...) NOT-FOR-US: Adobe CVE-2016-1112 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1111 (Double free vulnerability in Adobe Reader and Acrobat before 11.0.14, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1110 (Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and earlier ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1109 (Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and earlier ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1108 (Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and earlier ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1107 (Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and earlier ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1106 (Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and earlier ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1105 (Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and earlier ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1104 (Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and earlier ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1103 (Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and earlier ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1102 (Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and earlier ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1101 (Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and earlier ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1100 (Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and earlier ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1099 (Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and earlier ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1098 (Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and earlier ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1097 (Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and earlier ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1096 (Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and earlier ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1095 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1094 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1093 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1092 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1091 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe CVE-2016-1090 (Untrusted search path vulnerability in Adobe Reader and Acrobat before ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1089 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe CVE-2016-1088 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1087 (Untrusted search path vulnerability in Adobe Reader and Acrobat before ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1086 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1085 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1084 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1083 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1082 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1081 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1080 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1079 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1078 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1077 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1076 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1075 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1074 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1073 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1072 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1071 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1070 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1069 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1068 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1067 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1066 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1065 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1064 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1063 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1062 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1061 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1060 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1059 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1058 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1057 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1056 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1055 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1054 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1053 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1052 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1051 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1050 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1049 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1048 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1047 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1046 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1045 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1044 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1043 (Integer overflow in Adobe Reader and Acrobat before 11.0.16, Acrobat a ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1042 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1041 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1040 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1039 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1038 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1037 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1036 (Cross-site scripting (XSS) vulnerability in Adobe Analytics AppMeasure ...) NOT-FOR-US: Adobe CVE-2016-1035 (Adobe RoboHelp Server 9 before 9.0.1 mishandles SQL queries, which all ...) NOT-FOR-US: Adobe CVE-2016-1034 (The Sync Process in the JavaScript API for Creative Cloud Libraries in ...) NOT-FOR-US: Adobe CVE-2016-1033 (Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1032 (Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1031 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.343 a ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1030 (Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1029 (Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1028 (Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1027 (Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1026 (Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1025 (Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1024 (Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1023 (Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1022 (Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1021 (Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1020 (Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1019 (Adobe Flash Player 21.0.0.197 and earlier allows remote attackers to c ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1018 (Stack-based buffer overflow in Adobe Flash Player before 18.0.0.343 an ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1017 (Use-after-free vulnerability in the LoadVars.decode function in Adobe ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1016 (Use-after-free vulnerability in the Transform object implementation in ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1015 (Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1014 (Untrusted search path vulnerability in Adobe Flash Player before 18.0. ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1013 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.343 a ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1012 (Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1011 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.343 a ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1010 (Integer overflow in Adobe Flash Player before 18.0.0.333 and 19.x thro ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1009 (Adobe Reader and Acrobat before 11.0.15, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-1008 (Untrusted search path vulnerability in Adobe Reader and Acrobat before ...) NOT-FOR-US: Adobe CVE-2016-1007 (Adobe Reader and Acrobat before 11.0.15, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-1006 (Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1005 (Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1004 REJECTED CVE-2016-1003 REJECTED CVE-2016-1002 (Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1001 (Heap-based buffer overflow in Adobe Flash Player before 18.0.0.333 and ...) NOT-FOR-US: Adobe Flash Player CVE-2016-1000 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 a ...) NOT-FOR-US: Adobe Flash Player CVE-2016-0999 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 a ...) NOT-FOR-US: Adobe Flash Player CVE-2016-0998 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 a ...) NOT-FOR-US: Adobe Flash Player CVE-2016-0997 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 a ...) NOT-FOR-US: Adobe Flash Player CVE-2016-0996 (Use-after-free vulnerability in the setInterval method in Adobe Flash ...) NOT-FOR-US: Adobe Flash Player CVE-2016-0995 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 a ...) NOT-FOR-US: Adobe Flash Player CVE-2016-0994 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 a ...) NOT-FOR-US: Adobe Flash Player CVE-2016-0993 (Integer overflow in Adobe Flash Player before 18.0.0.333 and 19.x thro ...) NOT-FOR-US: Adobe Flash Player CVE-2016-0992 (Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-0991 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 a ...) NOT-FOR-US: Adobe Flash Player CVE-2016-0990 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 a ...) NOT-FOR-US: Adobe Flash Player CVE-2016-0989 (Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-0988 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 a ...) NOT-FOR-US: Adobe Flash Player CVE-2016-0987 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 a ...) NOT-FOR-US: Adobe Flash Player CVE-2016-0986 (Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-0985 (Adobe Flash Player before 18.0.0.329 and 19.x and 20.x before 20.0.0.3 ...) NOT-FOR-US: Adobe CVE-2016-0984 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.329 a ...) NOT-FOR-US: Adobe CVE-2016-0983 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.329 a ...) NOT-FOR-US: Adobe CVE-2016-0982 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.329 a ...) NOT-FOR-US: Adobe CVE-2016-0981 (Adobe Flash Player before 18.0.0.329 and 19.x and 20.x before 20.0.0.3 ...) NOT-FOR-US: Adobe CVE-2016-0980 (Adobe Flash Player before 18.0.0.329 and 19.x and 20.x before 20.0.0.3 ...) NOT-FOR-US: Adobe CVE-2016-0979 (Adobe Flash Player before 18.0.0.329 and 19.x and 20.x before 20.0.0.3 ...) NOT-FOR-US: Adobe CVE-2016-0978 (Adobe Flash Player before 18.0.0.329 and 19.x and 20.x before 20.0.0.3 ...) NOT-FOR-US: Adobe CVE-2016-0977 (Adobe Flash Player before 18.0.0.329 and 19.x and 20.x before 20.0.0.3 ...) NOT-FOR-US: Adobe CVE-2016-0976 (Adobe Flash Player before 18.0.0.329 and 19.x and 20.x before 20.0.0.3 ...) NOT-FOR-US: Adobe CVE-2016-0975 (Use-after-free vulnerability in the instanceof function in Adobe Flash ...) NOT-FOR-US: Adobe CVE-2016-0974 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.329 a ...) NOT-FOR-US: Adobe CVE-2016-0973 (Use-after-free vulnerability in the URLRequest object implementation i ...) NOT-FOR-US: Adobe CVE-2016-0972 (Adobe Flash Player before 18.0.0.329 and 19.x and 20.x before 20.0.0.3 ...) NOT-FOR-US: Adobe CVE-2016-0971 (Heap-based buffer overflow in Adobe Flash Player before 18.0.0.329 and ...) NOT-FOR-US: Adobe CVE-2016-0970 (Adobe Flash Player before 18.0.0.329 and 19.x and 20.x before 20.0.0.3 ...) NOT-FOR-US: Adobe CVE-2016-0969 (Adobe Flash Player before 18.0.0.329 and 19.x and 20.x before 20.0.0.3 ...) NOT-FOR-US: Adobe CVE-2016-0968 (Adobe Flash Player before 18.0.0.329 and 19.x and 20.x before 20.0.0.3 ...) NOT-FOR-US: Adobe CVE-2016-0967 (Adobe Flash Player before 18.0.0.329 and 19.x and 20.x before 20.0.0.3 ...) NOT-FOR-US: Adobe CVE-2016-0966 (Adobe Flash Player before 18.0.0.329 and 19.x and 20.x before 20.0.0.3 ...) NOT-FOR-US: Adobe CVE-2016-0965 (Adobe Flash Player before 18.0.0.329 and 19.x and 20.x before 20.0.0.3 ...) NOT-FOR-US: Adobe CVE-2016-0964 (Adobe Flash Player before 18.0.0.329 and 19.x and 20.x before 20.0.0.3 ...) NOT-FOR-US: Adobe CVE-2016-0963 (Integer overflow in Adobe Flash Player before 18.0.0.333 and 19.x thro ...) NOT-FOR-US: Adobe Flash Player CVE-2016-0962 (Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-0961 (Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-0960 (Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2016-0959 (Use after free vulnerability in Adobe Flash Player Desktop Runtime bef ...) NOT-FOR-US: Adobe Flash Player CVE-2016-0958 (Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0 might allow remote at ...) NOT-FOR-US: Adobe CVE-2016-0957 (Dispatcher before 4.1.5 in Adobe Experience Manager 5.6.1, 6.0.0, and ...) NOT-FOR-US: Adobe CVE-2016-0956 (The Servlets Post component 2.3.6 in Apache Sling, as used in Adobe Ex ...) NOT-FOR-US: Apache Sling CVE-2016-0955 (Cross-site scripting (XSS) vulnerability in Adobe Experience Manager ( ...) NOT-FOR-US: Adobe CVE-2016-0954 (Adobe Digital Editions before 4.5.1 allows attackers to execute arbitr ...) NOT-FOR-US: Adobe CVE-2016-0953 (Adobe Photoshop CC 2014 before 15.2.4, Photoshop CC 2015 before 16.1.2 ...) NOT-FOR-US: Adobe CVE-2016-0952 (Adobe Photoshop CC 2014 before 15.2.4, Photoshop CC 2015 before 16.1.2 ...) NOT-FOR-US: Adobe CVE-2016-0951 (Adobe Photoshop CC 2014 before 15.2.4, Photoshop CC 2015 before 16.1.2 ...) NOT-FOR-US: Adobe CVE-2016-0950 (Adobe Connect before 9.5.2 allows remote attackers to spoof the user i ...) NOT-FOR-US: Adobe CVE-2016-0949 (Adobe Connect before 9.5.2 allows remote attackers to have an unspecif ...) NOT-FOR-US: Adobe CVE-2016-0948 (Cross-site request forgery (CSRF) vulnerability in Adobe Connect befor ...) NOT-FOR-US: Adobe CVE-2016-0947 (Untrusted search path vulnerability in Adobe Download Manager, as used ...) NOT-FOR-US: Adobe CVE-2016-0946 (Adobe Reader and Acrobat before 11.0.14, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-0945 (Adobe Reader and Acrobat before 11.0.14, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-0944 (Adobe Reader and Acrobat before 11.0.14, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-0943 (Adobe Reader and Acrobat before 11.0.14, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-0942 (Adobe Reader and Acrobat before 11.0.14, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-0941 (Use-after-free vulnerability in the Search object implementation in Ad ...) NOT-FOR-US: Adobe CVE-2016-0940 (Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.1 ...) NOT-FOR-US: Adobe CVE-2016-0939 (Adobe Reader and Acrobat before 11.0.14, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-0938 (The AcroForm plugin in Adobe Reader and Acrobat before 11.0.14, Acroba ...) NOT-FOR-US: Adobe CVE-2016-0937 (Use-after-free vulnerability in the OCG object implementation in Adobe ...) NOT-FOR-US: Adobe CVE-2016-0936 (Adobe Reader and Acrobat before 11.0.14, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-0935 (Double free vulnerability in Adobe Reader and Acrobat before 11.0.14, ...) NOT-FOR-US: Adobe CVE-2016-0934 (Use-after-free vulnerability in AGM.dll in Adobe Reader and Acrobat be ...) NOT-FOR-US: Adobe CVE-2016-0933 (Adobe Reader and Acrobat before 11.0.14, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-0932 (Use-after-free vulnerability in the Doc object implementation in Adobe ...) NOT-FOR-US: Adobe CVE-2016-0931 (Adobe Reader and Acrobat before 11.0.14, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2015-8660 (The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel t ...) - linux 4.3.3-3 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) - linux-2.6 (Vulnerable code not present) NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=acff81ec2c79492b180fade3c2894425cd35a545 (v4.4-rc4) NOTE: OverlayFS introduced in https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c (v3.18-rc2) NOTE: http://www.openwall.com/lists/oss-security/2015/12/23/5 CVE-2015-8659 (The idle stream handling in nghttp2 before 1.6.0 allows attackers to h ...) - nghttp2 1.6.0-1 [jessie] - nghttp2 (Vulnerable code introduced later) NOTE: https://nghttp2.org/blog/2015/12/23/nghttp2-v1-6-0/ NOTE: Fixed by: https://github.com/tatsuhiro-t/nghttp2/commit/f8c30d022982d089fb90543c0cd5628b161d065d NOTE: Introduced at least after: https://github.com/tatsuhiro-t/nghttp2/commit/b2fb888363c08e98aae0638db62cdf7d164ea1d1 CVE-2015-8628 (The (1) Special:MyPage, (2) Special:MyTalk, (3) Special:MyContribution ...) - mediawiki 1:1.25.5-1 (low) [wheezy] - mediawiki (Minor issue) [squeeze] - mediawiki (Not supported in Squeeze LTS) NOTE: https://phabricator.wikimedia.org/T109724 CVE-2015-8627 (MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, ...) - mediawiki 1:1.25.5-1 (low) [wheezy] - mediawiki (Minor issue) [squeeze] - mediawiki (Not supported in Squeeze LTS) NOTE: https://phabricator.wikimedia.org/T97897 CVE-2015-8626 (The User::randomPassword function in MediaWiki before 1.23.12, 1.24.x ...) - mediawiki 1:1.25.5-1 (low) [wheezy] - mediawiki (Minor issue) [squeeze] - mediawiki (Not supported in Squeeze LTS) NOTE: https://phabricator.wikimedia.org/T115522 CVE-2015-8625 (MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, ...) - mediawiki (Vulnerable code not present) NOTE: https://phabricator.wikimedia.org/T118032 CVE-2015-8624 (The User::matchEditToken function in includes/User.php in MediaWiki be ...) - mediawiki 1:1.25.5-1 (low) [wheezy] - mediawiki (Minor issue) [squeeze] - mediawiki (Not supported in Squeeze LTS) NOTE: https://phabricator.wikimedia.org/T119309 CVE-2015-8623 (The User::matchEditToken function in includes/User.php in MediaWiki be ...) - mediawiki 1:1.25.5-1 (low) [wheezy] - mediawiki (Minor issue) [squeeze] - mediawiki (Not supported in Squeeze LTS) NOTE: https://gerrit.wikimedia.org/r/#/c/156336/5/includes/User.php CVE-2015-8622 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.23.12, ...) - mediawiki 1:1.25.5-1 (low) [wheezy] - mediawiki (Minor issue) [squeeze] - mediawiki (Not supported in Squeeze LTS) NOTE: https://phabricator.wikimedia.org/T117899 CVE-2015-8621 (t-coffee before 11.00.8cbe486-2 allows local users to write to ~/.t_co ...) - t-coffee 11.00.8cbe486-2 (low; bug #751579) [jessie] - t-coffee (Minor issue) [wheezy] - t-coffee (Minor issue) [squeeze] - t-coffee (version in Squeeze uses system() and umask is handled correctly by sh (as opposed to later versions that use mkdir())) CVE-2015-8617 (Format string vulnerability in the zend_throw_or_error function in Zen ...) - php7.0 7.0.1-1 NOTE: https://bugs.php.net/bug.php?id=71105 NOTE: https://github.com/php/php-src/commit/b101a6bbd4f2181c360bd38e7683df4a03cba83e (php-7.0.2RC1) CVE-2015-8616 (Use-after-free vulnerability in the Collator::sortWithSortKeys functio ...) - php7.0 7.0.1-1 NOTE: https://bugs.php.net/bug.php?id=71020 NOTE: http://www.openwall.com/lists/oss-security/2015/12/22/4 CVE-2015-8697 (stalin 0.11-5 allows local users to write to arbitrary files. ...) - stalin (unimportant; bug #808730) [squeeze] - stalin (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/12/27/1 NOTE: Not exploitable with kernel hardening since wheezy CVE-2015-8708 (Stack-based buffer overflow in the conv_euctojis function in codeconv. ...) - claws-mail 3.13.1-1.1 (bug #811048) [jessie] - claws-mail (Incomplete fix for CVE-2015-8614 not applied) [wheezy] - claws-mail (Incomplete fix for CVE-2015-8614 not applied) [squeeze] - claws-mail (Incomplete fix for CVE-2015-8614 not applied; instead all fixed included in DLA-383-1) - macopix (Incomplete fix not applied) CVE-2015-8614 (Multiple stack-based buffer overflows in the (1) conv_jistoeuc, (2) co ...) {DSA-3452-1 DLA-383-1} - claws-mail 3.13.1-1 - macopix 1.7.4-6 [jessie] - macopix (Minor issue) [wheezy] - macopix (Minor issue) NOTE: http://git.claws-mail.org/?p=claws.git;a=commit;h=d390fa07f5548f3173dd9cc13b233db5ce934c82 (3.13.1) NOTE: http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=e3ffcb455e0376053451ce968e6c71ef37708222 (not yet in tagged release) NOTE: Upstream patch is broken - first comparison uses wrong operator and others appear NOTE: to assume wrong maximum character length. NOTE: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3557 NOTE: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3584 NOTE: https://bugs.gentoo.org/show_bug.cgi?id=569010 CVE-2015-8611 (BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, and P ...) NOT-FOR-US: BIG-IP CVE-2015-8613 (Stack-based buffer overflow in the megasas_ctrl_get_info function in Q ...) {DSA-3471-1} - qemu 1:2.5+dfsg-3 (bug #809232) [wheezy] - qemu (Vulnerable code not present) [squeeze] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg03737.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1284008 NOTE: http://www.openwall.com/lists/oss-security/2015/12/21/7 NOTE: LSI Megaraid SAS HBA emulation introduced in http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e8f943c3bcc2a578bfd30b825f2ebaf345c63a09 (v1.2.0-rc0) CVE-2015-8618 (The Int.Exp Montgomery code in the math/big library in Go 1.5.x before ...) - golang 2:1.5.3-1 (bug #809168) [jessie] - golang (Introduced in 1.5 release) [wheezy] - golang (Introduced in 1.5 release) NOTE: https://go-review.googlesource.com/#/c/17672/ NOTE: Introduced in 1.5 release. Fixed in 1.5.3 upstream. NOTE: http://www.openwall.com/lists/oss-security/2015/12/21/6 CVE-2015-8615 (The hvm_set_callback_via function in arch/x86/hvm/irq.c in Xen 4.6 doe ...) {DLA-479-1} - xen 4.8.0~rc3-1 (bug #823620) [jessie] - xen (Only affects 4.6) [wheezy] - xen (Only affects 4.6) [squeeze] - xen (Only affects 4.6) NOTE: http://xenbits.xen.org/xsa/advisory-169.html CVE-2015-8619 (The Human Monitor Interface support in QEMU allows remote attackers to ...) {DSA-3471-1} - qemu 1:2.5+dfsg-5 (bug #809237) [wheezy] - qemu (Issue introduced afer 1.2) [squeeze] - qemu (Issue introduced afer 1.2) - qemu-kvm [wheezy] - qemu-kvm (Introduced after 1.2) NOTE: According maintainer in https://bugs.debian.org/809237#17 introduced after 1.2 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02930.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283926 CVE-2016-1922 (QEMU (aka Quick Emulator) built with the TPR optimization for 32-bit W ...) {DSA-3471-1 DSA-3470-1 DSA-3469-1} - qemu 1:2.5+dfsg-4 (bug #811201) [squeeze] - qemu (Unsupported in squeeze-lts) - qemu-kvm [squeeze] - qemu-kvm (Unsupported in squeeze-lts) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg02812.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283934 NOTE: http://www.openwall.com/lists/oss-security/2016/01/16/1 NOTE: Possibly introduced in http://git.qemu.org/?p=qemu.git;a=commit;h=4917cf44326a1bda2fd7f27303aff7a25ad86518 (v1.6.0-rc0) NOTE: kvmapic introduced after 1.0.50 (http://git.qemu.org/?p=qemu.git;a=commit;h=e5ad936b0fd7dfd7fd7908be6f9f1ca88f63b96b) CVE-2016-0930 (Pivotal Cloud Foundry (PCF) Ops Manager before 1.6.19 and 1.7.x before ...) NOT-FOR-US: Pivotal Cloud Foundry CVE-2016-0929 (The metrics-collection component in RabbitMQ for Pivotal Cloud Foundry ...) NOT-FOR-US: Pivotal Cloud Foundry CVE-2016-0928 (Multiple open redirect vulnerabilities in Pivotal Cloud Foundry (PCF) ...) NOT-FOR-US: Pivotal Cloud Foundry CVE-2016-0927 (Cross-site scripting (XSS) vulnerability in Pivotal Cloud Foundry (PCF ...) NOT-FOR-US: Pivotal Cloud Foundry CVE-2016-0926 (Cross-site scripting (XSS) vulnerability in Apps Manager in Pivotal Cl ...) NOT-FOR-US: Pivotal Cloud Foundry CVE-2016-0925 (Cross-site scripting (XSS) vulnerability in the Case Management applic ...) NOT-FOR-US: EMC RSA Adaptive Authentication CVE-2016-0924 REJECTED CVE-2016-0923 (The client in EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before 4.0 ...) NOT-FOR-US: RSA BSAFE Micro Edition Suite CVE-2016-0922 (EMC ViPR SRM before 3.7.2 does not restrict the number of password-aut ...) NOT-FOR-US: EMC ViPR SRM CVE-2016-0921 (Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) in EMC Avamar ...) NOT-FOR-US: EMC Avamar CVE-2016-0920 (Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) in EMC Avamar ...) NOT-FOR-US: EMC Avamar CVE-2016-0919 (EMC RSA Web Threat Detection version 5.0, RSA Web Threat Detection ver ...) NOT-FOR-US: RSA Web Threat Detection CVE-2016-0918 (EMC RSA Identity Management and Governance before 6.8.1 P25 and 6.9.x ...) NOT-FOR-US: EMC RSA Identity Governance and Lifecycle CVE-2016-0917 (The SMB service in EMC VNXe (VNXe3200 Operating Environment prior to 3 ...) NOT-FOR-US: EMC VNX CVE-2016-0916 (EMC NetWorker 8.2.1.x and 8.2.2.x before 8.2.2.6 and 9.x before 9.0.0. ...) NOT-FOR-US: EMC NetWorker CVE-2016-0915 (The Self-Service Portal in EMC RSA Authentication Manager (AM) Prime S ...) NOT-FOR-US: EMC RSA Authentication Manager CVE-2016-0914 (EMC Documentum WebTop 6.8 before Patch 13 and 6.8.1 before Patch 02, D ...) NOT-FOR-US: EMC Documentum WebTop and WebTop Clients CVE-2016-0913 (The client in EMC Replication Manager (RM) before 5.5.3.0_01-PatchHotf ...) NOT-FOR-US: EMC CVE-2016-0912 (EMC Data Domain OS 5.4 through 5.7 before 5.7.2.0 allows remote authen ...) NOT-FOR-US: EMC Data Domain OS CVE-2016-0911 (EMC Data Domain OS 5.4 through 5.7 before 5.7.2.0 has a default no_roo ...) NOT-FOR-US: EMC Data Domain OS CVE-2016-0910 (EMC Data Domain OS 5.5 before 5.5.4.0, 5.6 before 5.6.1.004, and 5.7 b ...) NOT-FOR-US: EMC Data Domain OS CVE-2016-0909 (EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) versions ...) NOT-FOR-US: EMC CVE-2016-0908 (EMC Isilon OneFS 7.1.x before 7.1.1.9 and 7.2.x before 7.2.1.2 allows ...) NOT-FOR-US: EMC Isilon CVE-2016-0907 (EMC Isilon OneFS 7.1.x and 7.2.x before 7.2.1.3 and 8.0.x before 8.0.0 ...) NOT-FOR-US: EMC Isilon CVE-2016-0906 (The web-restore interface in Avamar Data Store (ADS) and Avamar Virtua ...) NOT-FOR-US: EMC Avamar CVE-2016-0905 (Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) in EMC Avamar ...) NOT-FOR-US: EMC Avamar CVE-2016-0904 (Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) in EMC Avamar ...) NOT-FOR-US: EMC Avamar CVE-2016-0903 (Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) in EMC Avamar ...) NOT-FOR-US: EMC Avamar CVE-2016-0902 (CRLF injection vulnerability in EMC RSA Authentication Manager before ...) NOT-FOR-US: RSA Authentication Manager CVE-2016-0901 (Cross-site scripting (XSS) vulnerability in EMC RSA Authentication Man ...) NOT-FOR-US: RSA Authentication Manager CVE-2016-0900 (Cross-site scripting (XSS) vulnerability in EMC RSA Authentication Man ...) NOT-FOR-US: RSA Authentication Manager CVE-2016-0899 (EMC RSA Archer GRC 5.5.x before 5.5.3.4 allows remote authenticated us ...) NOT-FOR-US: RSA Archer GRC Platform CVE-2016-0898 (MySQL for PCF tiles 1.7.x before 1.7.10 were discovered to log the AWS ...) NOT-FOR-US: MySQL for PCF tiles CVE-2016-0897 (Pivotal Cloud Foundry (PCF) Ops Manager before 1.6.17 and 1.7.x before ...) NOT-FOR-US: Pivotal Cloud Foundry CVE-2016-0896 (Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.34 and 1.7.x be ...) NOT-FOR-US: Pivotal Cloud Foundry CVE-2016-0895 (EMC RSA Data Loss Prevention 9.6 before SP2 P5 allows remote attackers ...) NOT-FOR-US: EMC CVE-2016-0894 (EMC RSA Data Loss Prevention 9.6 before SP2 P5 allows remote authentic ...) NOT-FOR-US: EMC CVE-2016-0893 (EMC RSA Data Loss Prevention 9.6 before SP2 P5 allows remote authentic ...) NOT-FOR-US: EMC CVE-2016-0892 (Cross-site scripting (XSS) vulnerability in EMC RSA Data Loss Preventi ...) NOT-FOR-US: EMC CVE-2016-0891 (Multiple cross-site request forgery (CSRF) vulnerabilities in administ ...) NOT-FOR-US: EMC ViPR SRM CVE-2016-0890 (EMC PowerPath Virtual (Management) Appliance 2.0, EMC PowerPath Virtua ...) NOT-FOR-US: EMC CVE-2016-0889 (An HTTP servlet in vApp Manager in EMC Unisphere for VMAX Virtual Appl ...) NOT-FOR-US: EMC CVE-2016-0888 (EMC Documentum D2 before 4.6 lacks intended ACLs for configuration obj ...) NOT-FOR-US: EMC Documentum D2 CVE-2016-0887 (EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x and 4.1.x before 4.1.5, ...) NOT-FOR-US: EMC CVE-2016-0886 (EMC Documentum xCP 2.1 before patch 24 and 2.2 before patch 12 allows ...) NOT-FOR-US: EMC Documentum CVE-2016-0885 REJECTED CVE-2016-0884 REJECTED CVE-2016-0883 (Pivotal Cloud Foundry (PCF) Ops Manager before 1.5.14 and 1.6.x before ...) NOT-FOR-US: Pivotal Cloud Foundry CVE-2016-0882 (EMC Documentum xCP 2.1 before patch 23 and 2.2 before patch 11 allows ...) NOT-FOR-US: EMC Documentum CVE-2016-0881 (EMC Documentum xCP 2.1 before patch 23 and 2.2 before patch 11 allows ...) NOT-FOR-US: EMC Documentum CVE-2015-8610 RESERVED CVE-2015-8609 RESERVED CVE-2015-8608 (The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow rem ...) - perl (Only affects Perl on Windows) NOTE: https://rt.perl.org/Public/Bug/Display.html?id=126755 CVE-2015-8607 (The canonpath function in the File::Spec module in PathTools before 3. ...) {DSA-3441-1} - perl 5.22.1-4 (bug #810719) [wheezy] - perl (Introduced in 5.20.0) [squeeze] - perl (Introduced in 5.20.0) - libfile-spec-perl [wheezy] - libfile-spec-perl (Introduced in 3.47) [squeeze] - libfile-spec-perl (Introduced in 3.47) NOTE: http://perl5.git.perl.org/perl.git/commit/130509aa42a87eef258fab0182ee2c7ad16baa8b NOTE: https://rt.perl.org/Public/Bug/Display.html?id=126862 CVE-2015-8606 (Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe CM ...) NOT-FOR-US: SilverStripe CVE-2015-8605 (ISC DHCP 4.x before 4.1-ESV-R12-P1, 4.2.x, and 4.3.x before 4.3.3-P1 a ...) {DSA-3442-1 DLA-385-2 DLA-385-1} - isc-dhcp 4.3.3-7 (bug #810875) NOTE: https://kb.isc.org/article/AA-01334 CVE-2015-8603 (Cross-site scripting (XSS) vulnerability in Serendipity before 2.0.3 a ...) - serendipity CVE-2015-8602 (The Token Insert Entity module 7.x-1.x before 7.x-1.1 for Drupal does ...) NOT-FOR-US: Token Insert Entity module for Drupal CVE-2015-8601 (The Chat Room module 7.x-2.x before 7.x-2.2 for Drupal does not proper ...) NOT-FOR-US: Chat Room module for Drupal CVE-2015-8600 (The SysAdminWebTool servlets in SAP Mobile Platform allow remote attac ...) NOT-FOR-US: SAP CVE-2015-8599 RESERVED CVE-2015-8598 RESERVED CVE-2015-8597 (Open redirect vulnerability in Blue Coat ProxySG 6.5 before 6.5.8.8 an ...) NOT-FOR-US: Blue Coat CVE-2015-8596 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-8595 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-8594 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-8593 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-8592 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-8612 (The EnableNetwork method in the Network class in plugins/mechanism/Net ...) {DSA-3427-1} - blueman 2.0.3-1 [squeeze] - blueman (vulnerable code not present) NOTE: https://twitter.com/thegrugq/status/677809527882813440 NOTE: https://github.com/blueman-project/blueman/commit/a3845bbed5fdddf14daec436b7e74f62719a71c1 NOTE: http://www.openwall.com/lists/oss-security/2015/12/18/6 CVE-2015-8709 (** DISPUTED ** kernel/ptrace.c in the Linux kernel through 4.4.1 misha ...) - linux 4.3.3-3 [jessie] - linux 3.16.7-ckt20-1+deb8u2 [wheezy] - linux (Vulnerable code not present) - linux-2.6 (Vulnerable code not present) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/12/17/12 NOTE: https://lkml.org/lkml/2015/12/12/259 CVE-2016-0880 REJECTED CVE-2016-0879 (Moxa Secure Router EDR-G903 devices before 3.4.12 do not delete copies ...) NOT-FOR-US: Moxa CVE-2016-0878 (Moxa Secure Router EDR-G903 devices before 3.4.12 allow remote attacke ...) NOT-FOR-US: Moxa CVE-2016-0877 (Memory leak on Moxa Secure Router EDR-G903 devices before 3.4.12 allow ...) NOT-FOR-US: Moxa CVE-2016-0876 (Moxa Secure Router EDR-G903 devices before 3.4.12 allow remote attacke ...) NOT-FOR-US: Moxa CVE-2016-0875 (Moxa Secure Router EDR-G903 devices before 3.4.12 allow remote attacke ...) NOT-FOR-US: Moxa CVE-2016-0874 RESERVED CVE-2016-0873 RESERVED CVE-2016-0872 (A Plaintext Storage of a Password issue was discovered in Kabona AB We ...) NOT-FOR-US: Kabona AB WebDatorCentral CVE-2016-0871 (Eaton Lighting EG2 Web Control 4.04P and earlier allows remote attacke ...) NOT-FOR-US: Eaton Lighting EG2 Web Control CVE-2016-0870 (The web server in Trane Tracer SC 4.2.1134 and earlier allows remote a ...) NOT-FOR-US: Trane Tracer CVE-2016-0869 (Heap-based buffer overflow in MICROSYS PROMOTIC before 8.3.11 allows r ...) NOT-FOR-US: MICROSYS PROMOTIC CVE-2016-0868 (Stack-based buffer overflow on Rockwell Automation Allen-Bradley Micro ...) NOT-FOR-US: MicroLogix CVE-2016-0867 (CAREL PlantVisorEnhanced allows remote attackers to bypass intended ac ...) NOT-FOR-US: CAREL CVE-2016-0866 (Cross-site scripting (XSS) vulnerability in Tollgrade SmartGrid LightH ...) NOT-FOR-US: Tollgrade CVE-2016-0865 (Tollgrade SmartGrid LightHouse Sensor Management System (SMS) Software ...) NOT-FOR-US: Tollgrade CVE-2016-0864 (Tollgrade SmartGrid LightHouse Sensor Management System (SMS) Software ...) NOT-FOR-US: Tollgrade CVE-2016-0863 (Cross-site request forgery (CSRF) vulnerability in Tollgrade SmartGrid ...) NOT-FOR-US: Tollgrade CVE-2016-0862 (General Electric (GE) Industrial Solutions UPS SNMP/Web Adapter device ...) NOT-FOR-US: General Electric devices CVE-2016-0861 (General Electric (GE) Industrial Solutions UPS SNMP/Web Adapter device ...) NOT-FOR-US: General Electric devices CVE-2016-0860 (Buffer overflow in the BwpAlarm subsystem in Advantech WebAccess befor ...) NOT-FOR-US: BwpAlarm CVE-2016-0859 (Integer overflow in the Kernel service in Advantech WebAccess before 8 ...) NOT-FOR-US: Advantech CVE-2016-0858 (Race condition in Advantech WebAccess before 8.1 allows remote attacke ...) NOT-FOR-US: Advantech CVE-2016-0857 (Multiple heap-based buffer overflows in Advantech WebAccess before 8.1 ...) NOT-FOR-US: Advantech CVE-2016-0856 (Multiple stack-based buffer overflows in Advantech WebAccess before 8. ...) NOT-FOR-US: Advantech CVE-2016-0855 (Directory traversal vulnerability in Advantech WebAccess before 8.1 al ...) NOT-FOR-US: Advantech CVE-2016-0854 (Unrestricted file upload vulnerability in the uploadImageCommon functi ...) NOT-FOR-US: Advantech CVE-2016-0853 (Advantech WebAccess before 8.1 allows remote attackers to obtain sensi ...) NOT-FOR-US: Advantech CVE-2016-0852 (Advantech WebAccess before 8.1 allows remote attackers to bypass an in ...) NOT-FOR-US: Advantech CVE-2016-0851 (Advantech WebAccess before 8.1 allows remote attackers to cause a deni ...) NOT-FOR-US: Advantech CVE-2016-0850 (The PORCHE_PAIRING_CONFLICT feature in Bluetooth in Android 4.x before ...) NOT-FOR-US: Android CVE-2016-0849 (Multiple integer overflows in minzip/SysUtil.c in the Recovery Procedu ...) NOT-FOR-US: Android CVE-2016-0848 (Race condition in Download Manager in Android 4.x before 4.4.4, 5.0.x ...) NOT-FOR-US: Android CVE-2016-0847 (The Telecom Component in Android 5.0.x before 5.0.2, 5.1.x before 5.1. ...) NOT-FOR-US: Android CVE-2016-0846 (libs/binder/IMemory.cpp in the IMemory Native Interface in Android 4.x ...) NOT-FOR-US: Android CVE-2016-0845 REJECTED CVE-2016-0844 (The Qualcomm RF driver in Android 6.x before 2016-04-01 does not prope ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-0843 (The Qualcomm ARM processor performance-event manager in Android 4.x be ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-0842 (The H.264 decoder in libstagefright in Android 6.x before 2016-04-01 m ...) NOT-FOR-US: libstagefright CVE-2016-0841 (media/libmedia/mediametadataretriever.cpp in mediaserver in Android 4. ...) NOT-FOR-US: Android Mediaserver CVE-2016-0840 (Multiple stack-based buffer underflows in decoder/ih264d_parse_cavlc.c ...) NOT-FOR-US: Android Mediaserver CVE-2016-0839 (post_proc/volume_listener.c in mediaserver in Android 6.x before 2016- ...) NOT-FOR-US: Android Mediaserver CVE-2016-0838 (Sonivox in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2 ...) NOT-FOR-US: Android Mediaserver CVE-2016-0837 (MPEG4Extractor.cpp in libstagefright in mediaserver in Android 4.x bef ...) NOT-FOR-US: libstagefright CVE-2016-0836 (Stack-based buffer overflow in decoder/impeg2d_vld.c in mediaserver in ...) NOT-FOR-US: Android Mediaserver CVE-2016-0835 (decoder/impeg2d_dec_hdr.c in mediaserver in Android 6.x before 2016-04 ...) NOT-FOR-US: Android Mediaserver CVE-2016-0834 (An unspecified media codec in mediaserver in Android 6.x before 2016-0 ...) NOT-FOR-US: Android Mediaserver CVE-2016-0833 (Android allows users to cause a denial of service. ...) NOT-FOR-US: Android CVE-2016-0832 (Setup Wizard in Android 5.1.x before LMY49H and 6.x before 2016-03-01 ...) NOT-FOR-US: Android CVE-2016-0831 (The getDeviceIdForPhone function in internal/telephony/PhoneSubInfoCon ...) NOT-FOR-US: Android CVE-2016-0830 (btif_config.c in Bluetooth in Android 6.x before 2016-03-01 allows rem ...) NOT-FOR-US: Android CVE-2016-0829 (The BnGraphicBufferProducer::onTransact function in libs/gui/IGraphicB ...) NOT-FOR-US: Android Mediaserver CVE-2016-0828 (The BnGraphicBufferConsumer::onTransact function in libs/gui/IGraphicB ...) NOT-FOR-US: Android Mediaserver CVE-2016-0827 (Multiple integer overflows in libeffects in mediaserver in Android 4.x ...) NOT-FOR-US: Android Mediaserver CVE-2016-0826 (libcameraservice in mediaserver in Android 4.x before 4.4.4, 5.x befor ...) NOT-FOR-US: Android Mediaserver CVE-2016-0825 (The Widevine Trusted Application in Android 6.0.1 before 2016-03-01 al ...) NOT-FOR-US: Android CVE-2016-0824 (libmpeg2 in libstagefright in Android 6.x before 2016-03-01 allows att ...) NOT-FOR-US: libstagefright CVE-2016-0823 (The pagemap_open function in fs/proc/task_mmu.c in the Linux kernel be ...) - linux 4.0.2-1 [jessie] - linux 3.16.7-ckt11-1 [wheezy] - linux 3.2.71-1 NOTE: Upstream patch: https://git.kernel.org/linus/ab676b7d6fbf4b294bf198fb27ade5b0e865c7ce (v4.0-rc5) NOTE: https://googleprojectzero.blogspot.cz/2015/03/exploiting-dram-rowhammer-bug-to-gain.html CVE-2016-0822 (The MediaTek connectivity kernel driver in Android 6.0.1 before 2016-0 ...) NOT-FOR-US: MediaTek driver for Android CVE-2016-0821 (The LIST_POISON feature in include/linux/poison.h in the Linux kernel ...) {DSA-3607-1 DLA-516-1} - linux 4.3.1-1 NOTE: Upstream patch: https://git.kernel.org/linus/8a5e5e02fc83aaf67053ab53b359af08c6c49aaf (v4.3-rc1) CVE-2016-0820 (The MediaTek Wi-Fi kernel driver in Android 6.0.1 before 2016-03-01 al ...) NOT-FOR-US: MediaTek driver for Android CVE-2016-0819 (The Qualcomm performance component in Android 4.x before 4.4.4, 5.x be ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-0818 (The caching functionality in the TrustManagerImpl class in TrustManage ...) NOT-FOR-US: Android CVE-2016-0817 RESERVED CVE-2016-0816 (mediaserver in Android 6.x before 2016-03-01 allows remote attackers t ...) NOT-FOR-US: Android Mediaserver CVE-2016-0815 (The MPEG4Source::fragmentedRead function in MPEG4Extractor.cpp in libs ...) NOT-FOR-US: libstagefright CVE-2016-0814 RESERVED CVE-2016-0813 (packages/SystemUI/src/com/android/systemui/recents/AlternateRecentsCom ...) NOT-FOR-US: Android CVE-2016-0812 (The interceptKeyBeforeDispatching function in policy/src/com/android/i ...) NOT-FOR-US: Android CVE-2016-0811 (Integer overflow in the BnCrypto::onTransact function in media/libmedi ...) NOT-FOR-US: Android CVE-2016-0810 (media/libmedia/SoundPool.cpp in mediaserver in Android 4.x before 4.4. ...) NOT-FOR-US: Android Mediaserver CVE-2016-0809 (Use-after-free vulnerability in the wifi_cleanup function in bcmdhd/wi ...) NOT-FOR-US: Android CVE-2016-0808 (Integer overflow in the getCoverageFormat12 function in CmapCoverage.c ...) NOT-FOR-US: Android CVE-2016-0807 (The get_build_id function in elf_utils.cpp in Debuggerd in Android 6.x ...) - android-platform-system-core 1:7.0.0+r1-1 (unimportant) NOTE: debuggerd not included, see bug #858177 CVE-2016-0806 (The Qualcomm Wi-Fi driver in the kernel in Android 4.x before 4.4.4, 5 ...) NOT-FOR-US: Android drivers CVE-2016-0805 (The performance event manager for Qualcomm ARM processors in Android 4 ...) NOT-FOR-US: Android drivers CVE-2016-0804 (The NuPlayer::GenericSource::notifyPreparedAndCleanup function in medi ...) NOT-FOR-US: Android CVE-2016-0803 (libstagefright in mediaserver in Android 4.x before 4.4.4, 5.x before ...) NOT-FOR-US: libstagefright CVE-2016-0802 (The Broadcom Wi-Fi driver in the kernel in Android 4.x before 4.4.4, 5 ...) NOT-FOR-US: Android drivers CVE-2016-0801 (The Broadcom Wi-Fi driver in the kernel in Android 4.x before 4.4.4, 5 ...) {DLA-1573-1} - firmware-nonfree 20180518-1 (bug #869639) [stretch] - firmware-nonfree 20161130-4 [jessie] - firmware-nonfree (non-free not supported) CVE-2016-0800 (The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before ...) - openssl 1.0.0c-2 - nss 3.13 NOTE: openssl 1.0.0c-2 dropped SSLv2 support NOTE: NSS disabled SSLv2 by default in 3.13 NOTE: https://www.openssl.org/news/secadv/20160301.txt NOTE: https://www.drownattack.com/ NOTE: GNUTLS never implemented SSLv2 NOTE: http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html CVE-2016-0799 (The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1. ...) {DSA-3500-1} - openssl 1.0.2g-1 NOTE: https://www.openssl.org/news/secadv/20160301.txt NOTE: Fixed in master in https://git.openssl.org/?p=openssl.git;a=commit;h=a801bf263849a2ef773e5bc0c86438cbba720835 NOTE: https://guidovranken.wordpress.com/2016/02/27/openssl-cve-2016-0799-heap-corruption-via-bio_printf/ CVE-2016-0798 (Memory leak in the SRP_VBASE_get_by_user implementation in OpenSSL 1.0 ...) {DSA-3500-1} - openssl 1.0.2g-1 NOTE: https://www.openssl.org/news/secadv/20160301.txt NOTE: Fixed in master in https://git.openssl.org/?p=openssl.git;a=commit;h=59a908f1e8380412a81392c468b83bf6071beb2a CVE-2016-0797 (Multiple integer overflows in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 be ...) {DSA-3500-1} - openssl 1.0.2g-1 NOTE: https://www.openssl.org/news/secadv/20160301.txt NOTE: Fixed in master in https://git.openssl.org/?p=openssl.git;a=commit;h=99ba9fd02fd481eb971023a3a0a251a37eb87e4c CVE-2016-0796 RESERVED CVE-2016-0795 (LibreOffice before 5.0.5 allows remote attackers to cause a denial of ...) {DSA-3482-1} - libreoffice 1:5.0.5~rc1-1 NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2016-0795/ CVE-2016-0794 (The lwp filter in LibreOffice before 5.0.4 allows remote attackers to ...) {DSA-3482-1} - libreoffice 1:5.0.5~rc1-1 NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2016-0794/ CVE-2016-0793 (Incomplete blacklist vulnerability in the servlet filter restriction m ...) NOT-FOR-US: WildFly / Red Hat JBoss EAP CVE-2016-0792 (Multiple unspecified API endpoints in Jenkins before 1.650 and LTS bef ...) - jenkins NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24 CVE-2016-0791 (Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time ...) - jenkins NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24 CVE-2016-0790 (Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time ...) - jenkins NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24 CVE-2016-0789 (CRLF injection vulnerability in the CLI command documentation in Jenki ...) - jenkins NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24 CVE-2016-0788 (The remoting module in Jenkins before 1.650 and LTS before 1.642.2 all ...) - jenkins NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24 CVE-2016-0787 (The diffie_hellman_sha256 function in kex.c in libssh2 before 1.7.0 im ...) {DSA-3487-1 DLA-426-1} - libssh2 1.5.0-2.1 (bug #815662) NOTE: Upstream fix: https://github.com/libssh2/libssh2/commit/ca5222ea819cc5ed797860070b4c6c1aeeb28420 NOTE: Upstream patch only fixes DH SHA-256 key exchange type, not DH SHA-1 CVE-2016-0786 RESERVED CVE-2016-0785 (Apache Struts 2.x before 2.3.28 allows remote attackers to execute arb ...) - libstruts1.2-java (Only 2.0.0 to 2.3.28.1) NOTE: http://struts.apache.org/docs/s2-029.html CVE-2016-0784 (Directory traversal vulnerability in the Import/Export System Backups ...) NOT-FOR-US: Apache OpenMeetings CVE-2016-0783 (The sendHashByUser function in Apache OpenMeetings before 3.1.1 genera ...) NOT-FOR-US: Apache OpenMeetings CVE-2016-0782 (The administration web console in Apache ActiveMQ 5.x before 5.11.4, 5 ...) - activemq 5.13.2+dfsg-1 (unimportant) NOTE: Admin console not enabled in the Debian package, see #702670 NOTE: https://activemq.apache.org/security-advisories.data/CVE-2016-0782-announcement.txt CVE-2016-0781 (The UAA OAuth approval pages in Cloud Foundry v208 to v231, Login-serv ...) NOT-FOR-US: Cloud Foundry CVE-2016-0780 (It was discovered that cf-release v231 and lower, Pivotal Cloud Foundr ...) NOT-FOR-US: Cloud Foundry CVE-2016-0779 (The EjbObjectInputStream class in Apache TomEE before 1.7.4 and 7.x be ...) NOT-FOR-US: Apache TomEE CVE-2016-0778 (The (1) roaming_read and (2) roaming_write functions in roaming_common ...) {DSA-3446-1 DLA-387-1} - openssh 1:7.1p2-1 NOTE: https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt CVE-2016-0777 (The resend_bytes function in roaming_common.c in the client in OpenSSH ...) {DSA-3446-1 DLA-387-1} - openssh 1:7.1p2-1 (bug #810984) NOTE: https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt CVE-2016-0776 REJECTED CVE-2016-0775 (Buffer overflow in the ImagingFliDecode function in libImaging/FliDeco ...) {DSA-3499-1 DLA-422-1} - pillow 3.1.1-1 (bug #813909) - python-imaging [wheezy] - python-imaging 1.1.7-4+deb7u2 NOTE: https://github.com/python-pillow/Pillow/commit/bcaaf97f4ff25b3b5b9e8efeda364e17e80858ec (3.1.1) CVE-2016-0774 (The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in a ...) {DLA-439-1} - linux 3.16.2-2 [wheezy] - linux 3.2.73-2+deb7u3 - linux-2.6 NOTE: https://rhn.redhat.com/errata/RHSA-2016-0103.html NOTE: The upstream fix for 3.16 was correct, but wheezy had a incomplete backport CVE-2016-0773 (PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9. ...) {DSA-3476-1 DSA-3475-1 DLA-432-1} - postgresql-9.5 9.5.1-1 - postgresql-9.4 - postgresql-9.1 [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) NOTE: http://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=3bb3f42f3749d40b8d4de65871e8d828b18d4a45 CVE-2016-0772 (The smtplib library in CPython (aka Python) before 2.7.12, 3.x before ...) {DLA-1663-1 DLA-871-1 DLA-522-1} - python3.5 3.5.2~rc1-1 - python3.4 - python3.2 - python2.7 2.7.12~rc1-1 [jessie] - python2.7 2.7.9-2+deb8u1 NOTE: 3.4 branch: https://hg.python.org/cpython/rev/d590114c2394 NOTE: 2.7 branch: https://hg.python.org/cpython/rev/b3ce713fb9be CVE-2016-0771 (The internal DNS server in Samba 4.x before 4.1.23, 4.2.x before 4.2.9 ...) {DSA-3514-1} - samba 2:4.3.6+dfsg-1 [wheezy] - samba (Vulnerable code not present) [squeeze] - samba (Vulnerable code not present) NOTE: https://www.samba.org/samba/security/CVE-2016-0771.html CVE-2016-0770 (Cross-site scripting (XSS) vulnerability in includes/admin/pages/manag ...) NOT-FOR-US: Wordpress plugin CVE-2016-0769 (Multiple SQL injection vulnerabilities in eshop-orders.php in the eSho ...) NOT-FOR-US: Wordpress plugin CVE-2016-0768 (PostgreSQL PL/Java after 9.0 does not honor access controls on large o ...) - postgresql-pljava [wheezy] - postgresql-pljava (Minor issue on undocumented API that got later removed) CVE-2016-0767 (PostgreSQL PL/Java before 1.5.0 allows remote authenticated users with ...) - postgresql-pljava [wheezy] - postgresql-pljava (Minor issue) CVE-2016-0766 (PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9. ...) {DSA-3476-1 DSA-3475-1} - postgresql-9.5 9.5.1 - postgresql-9.4 - postgresql-9.1 [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) CVE-2016-0765 (Multiple cross-site scripting (XSS) vulnerabilities in eshop-orders.ph ...) NOT-FOR-US: Wordpress plugin CVE-2016-0764 (Race condition in Network Manager before 1.0.12 as packaged in Red Hat ...) - network-manager 1.1.91-1 (bug #820354) [jessie] - network-manager (Minor issue) [wheezy] - network-manager (Minor issue) NOTE: Upstream fix: https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=60b7ed3bdc3941a3b7c56824fba4b7291e79041f (1.2-beta2) NOTE: Fixed in 1.0.12 for the 1.0.x branch: https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/NEWS?h=1.0.12 CVE-2016-0763 (The setGlobalContext method in org/apache/naming/factory/ResourceLinkF ...) {DSA-3609-1 DSA-3552-1 DSA-3530-1 DLA-435-1} - tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.0.32-1 - tomcat7 7.0.68-1 - tomcat6 6.0.41-3 NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs NOTE: Fixed in 6.0.45, 7.0.68, 8.0.32, 9.0.0.M3 CVE-2016-0762 (The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0. ...) {DSA-3721-1 DSA-3720-1 DLA-729-1 DLA-728-1} - tomcat8 8.0.37-1 (low) - tomcat7 7.0.72-1 (low; bug #842662) - tomcat6 6.0.41-3 (low) NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie NOTE: http://markmail.org/message/pzuk6hauzljnm4r7?q=list:org.apache.tomcat.announce/ NOTE: Fixed by: http://svn.apache.org/r1758501 (8.0.x) NOTE: Fixed by: http://svn.apache.org/r1758502 (7.0.x) NOTE: Fixed by: https://svn.apache.org/viewvc?view=revision&revision=1758506 (6.0.x) CVE-2016-0761 (Cloud Foundry Garden-Linux versions prior to v0.333.0 and Elastic Runt ...) NOT-FOR-US: Cloud Foundry CVE-2016-0760 (Multiple incomplete blacklist vulnerabilities in Apache Sentry before ...) NOT-FOR-US: Apache Hive CVE-2016-0759 REJECTED CVE-2016-0758 (Integer overflow in lib/asn1_decoder.c in the Linux kernel before 4.6 ...) - linux 4.5.4-1 [jessie] - linux 3.16.36-1 [wheezy] - linux (Vulnerable code introduced in v3.10-rc1) NOTE: https://lkml.org/lkml/2016/5/12/270 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1300257 NOTE: Fixed by: https://git.kernel.org/linus/23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa NOTE: Introduced by: https://git.kernel.org/linus/42d5ec27f873c654a68f7f865dcd7737513e9508 (v3.10-rc1) CVE-2016-0757 (OpenStack Image Service (Glance) before 2015.1.3 (kilo) and 11.0.x bef ...) - glance 2:12.0.0-1 [jessie] - glance (Minor issue) [wheezy] - glance (Minor issue) NOTE: <=2015.1.2, >=11.0.0 <= 11.0.1 NOTE: https://bugs.launchpad.net/bugs/1525915 CVE-2016-0756 (The generate_dialback function in the mod_dialback module in Prosody b ...) {DSA-3463-1 DLA-407-1} - prosody 0.9.10-1 NOTE: http://blog.prosody.im/prosody-0-9-10-released/ NOTE: https://prosody.im/security/advisory_20160127/ NOTE: Upstream fix https://github.com/bjc/prosody/commit/8708def4f55e61acdd5b2c762d420ab40da0d015 CVE-2016-0755 (The ConnectionExists function in lib/url.c in libcurl before 7.47.0 do ...) {DSA-3455-1} - curl 7.47.0-1 [wheezy] - curl (Too intrusive to backport) NOTE: http://curl.haxx.se/docs/adv_20160127A.html CVE-2016-0754 (cURL before 7.47.0 on Windows allows attackers to write to arbitrary f ...) - curl (Windows only) NOTE: http://curl.haxx.se/docs/adv_20160127B.html CVE-2016-0753 (Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2. ...) {DSA-3464-1 DLA-642-1 DLA-641-1 DLA-498-1} - rails 2:4.2.5.1-1 [wheezy] - rails (Vulnerable code not present, is only a transitional package) [squeeze] - rails (Not supported in Squeeze LTS) - ruby-activerecord-3.2 - ruby-activerecord-2.3 [wheezy] - ruby-activerecord-2.3 - ruby-activesupport-3.2 - ruby-activesupport-2.3 [wheezy] - ruby-activesupport-2.3 - ruby-activemodel-3.2 CVE-2016-0752 (Directory traversal vulnerability in Action View in Ruby on Rails befo ...) {DSA-3464-1 DLA-604-1} - rails 2:4.2.5.1-1 [wheezy] - rails (Vulnerable code not present, is only a transitional package) [squeeze] - rails (Not supported in Squeeze LTS) - ruby-actionpack-3.2 - ruby-actionpack-2.3 [wheezy] - ruby-actionpack-2.3 CVE-2016-0751 (actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Rub ...) {DSA-3464-1 DLA-604-1} - rails 2:4.2.5.1-1 [wheezy] - rails (Vulnerable code not present, is only a transitional package) [squeeze] - rails (Not supported in Squeeze LTS) - ruby-actionpack-3.2 - ruby-actionpack-2.3 [wheezy] - ruby-actionpack-2.3 CVE-2016-0750 (The hotrod java client in infinispan before 9.1.0.Final automatically ...) NOT-FOR-US: Infinispan CVE-2016-0749 (The smartcard interaction in SPICE allows remote attackers to cause a ...) {DSA-3596-1} - spice 0.12.6-4.1 (bug #826585) [wheezy] - spice (Vulnerable code not present. Configured with --disable-smartcard) CVE-2016-0748 RESERVED CVE-2016-0747 (The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 does not pr ...) {DSA-3473-1} - nginx 1.9.10-1 (bug #812806) [squeeze] - nginx (Vulnerable code not present) NOTE: http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html NOTE: https://github.com/nginx/nginx/commit/4016e6b1da4fbf9c45963211791be124cd7ffb8f (release-1.9.10) NOTE: https://github.com/nginx/nginx/commit/fe89d99796d42b86816e17d9c87ab16964768024 (release-1.9.10) CVE-2016-0746 (Use-after-free vulnerability in the resolver in nginx 0.6.18 through 1 ...) {DSA-3473-1} - nginx 1.9.10-1 (bug #812806) [squeeze] - nginx (Vulnerable code not present) NOTE: http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html NOTE: https://github.com/nginx/nginx/commit/4b581a7c21e4328d059bf400a059c0458fc9f806 (release-1.9.10) NOTE: https://github.com/nginx/nginx/commit/a3d42258d97ebd0b638c20976654d3edfbaf943f (release-1.9.10) CVE-2016-0745 RESERVED CVE-2016-0744 RESERVED CVE-2016-0743 RESERVED CVE-2016-0742 (The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remo ...) {DSA-3473-1 DLA-404-1} - nginx 1.9.10-1 (bug #812806) NOTE: http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html NOTE: https://github.com/nginx/nginx/commit/c44fd4e837f979912749a5a19490ccb9b46398d3 (release-1.9.10) CVE-2016-0741 (slapd/connection.c in 389 Directory Server (formerly Fedora Directory ...) - 389-ds-base 1.3.4.8-1 [jessie] - 389-ds-base (Only affects 1.3.4 and up) NOTE: https://fedorahosted.org/389/ticket/48412 CVE-2016-0740 (Buffer overflow in the ImagingLibTiffDecode function in libImaging/Tif ...) {DSA-3499-1} - pillow 3.1.1-1 (bug #813905) - python-imaging (Vulnerable code introduce in 2.0.0) NOTE: Issue when linked against libtiff >= 4.0.0 NOTE: Fixed by: https://github.com/python-pillow/Pillow/commit/6dcbf5bd96b717c58d7b642949da8d323099928e (3.1.1) NOTE: Introduced by: https://github.com/python-pillow/Pillow/commit/e782fe721e0156de9636e78cd881d9f9e7e6ce50 (2.0.0) CVE-2016-0739 (libssh before 0.7.3 improperly truncates ephemeral secrets generated f ...) {DSA-3488-1 DLA-425-1} - libssh 0.6.3-4.3 (bug #815663) NOTE: Upstream fix: https://git.libssh.org/projects/libssh.git/commit/?h=v0-7&id=f8d0026c65fc8a55748ae481758e2cf376c26c86 CVE-2016-0738 (OpenStack Object Storage (Swift) before 2.3.1 (Kilo), 2.4.x, and 2.5.x ...) - swift 2.5.0-3 (bug #812984) [jessie] - swift (Vulnerable code not present) [wheezy] - swift (Vulnerable code not present) NOTE: Swift: >=2.2.1 <= 2.3.0, >= 2.4.0 <= 2.5.0 CVE-2016-0737 (OpenStack Object Storage (Swift) before 2.4.0 does not properly close ...) - swift 2.4.0-1 [jessie] - swift (Vulnerable code not present) [wheezy] - swift (Vulnerable code not present) NOTE: Swift: >=2.2.1 <= 2.3.0 CVE-2016-0736 (In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was ...) {DSA-3796-1} - apache2 2.4.25-1 [wheezy] - apache2 (Vulnerable code not present) NOTE: https://lists.apache.org/thread.html/139862b41c0dfd5e6e00ad89c00119f9faf0dd41a2f927da9c9a4076@%3Cannounce.httpd.apache.org%3E NOTE: Fixed by: https://svn.apache.org/r1772812 NOTE: Affects: 2.4.1 to 2.4.23 NOTE: Fixed in 2.4.25 CVE-2016-0735 (Apache Ranger 0.5.x before 0.5.2 allows remote authenticated users to ...) NOT-FOR-US: Apache Ranger CVE-2016-0734 (The web-based administration console in Apache ActiveMQ 5.x before 5.1 ...) - activemq (Admin console not enabled in the Debian package, see #702670) NOTE: https://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcement.txt CVE-2016-0733 (The Admin UI in Apache Ranger before 0.5.1 does not properly handle au ...) NOT-FOR-US: Apache Ranger CVE-2016-0732 (The identity zones feature in Pivotal Cloud Foundry 208 through 229; U ...) NOT-FOR-US: Pivotal Cloud Foundry CVE-2016-0731 (The File Browser View in Apache Ambari before 2.2.1 allows remote auth ...) NOT-FOR-US: Apache Ambari CVE-2016-0730 REJECTED CVE-2016-0729 (Multiple buffer overflows in (1) internal/XMLReader.cpp, (2) util/XMLU ...) {DSA-3493-1 DLA-433-1} - xerces-c 3.1.3+debian-1 (bug #815907) NOTE: http://xerces.apache.org/xerces-c/secadv/CVE-2016-0729.txt NOTE: http://svn.apache.org/viewvc?view=revision&revision=1727978 CVE-2016-0728 (The join_session_keyring function in security/keys/process_keys.c in t ...) {DSA-3448-1} - linux 4.3.3-6 [wheezy] - linux (Introduced in v3.8-rc1) - linux-2.6 (Introduced in v3.8-rc1) NOTE: Upstream commit: https://git.kernel.org/linus/23567fd052a9abb6d67fe8e7a9ccdd9800a540f2 NOTE: Introduced in https://git.kernel.org/linus/3a50597de8635cd05133bd12c95681c82fe7b878 (v3.8-rc1) NOTE: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/ CVE-2016-0727 (The crontab script in the ntp package before 1:4.2.6.p3+dfsg-1ubuntu3. ...) - ntp 1:4.2.8p9+dfsg-2 (low; bug #839998) [jessie] - ntp (Minor issue) [wheezy] - ntp (Minor issue) NOTE: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1528050 NOTE: http://www.halfdog.net/Security/2015/NtpCronjobUserNtpToRootPrivilegeEscalation/ NOTE: Originally addressed in 1:4.2.8p8+dfsg-1.1, then refixed in 1:4.2.8p9+dfsg-2 CVE-2016-0726 (The Fedora Nagios package uses "nagiosadmin" as the default password f ...) - nagios3 (Specific to Fedora installation) CVE-2016-0725 (Cross-site scripting (XSS) vulnerability in the search_pagination func ...) - moodle (Only affects 3.0 to 3.0.1, 2.9 to 2.9.3 and 2.8 to 2.8.9) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52552 CVE-2016-0724 (The (1) core_enrol_get_course_enrolment_methods and (2) enrol_self_get ...) - moodle 2.7.12+dfsg-1 (bug #811344) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52072 CVE-2016-0723 (Race condition in the tty_ioctl function in drivers/tty/tty_io.c in th ...) {DSA-3448-1 DLA-412-1} - linux 4.3.3-6 [wheezy] - linux 3.2.73-2+deb7u3 - linux-2.6 NOTE: http://lkml.iu.edu/hypermail/linux/kernel/1511.3/03045.html NOTE: https://git.kernel.org/linus/5c17c861a357e9458001f021a7afa7aab9937439 (v4.5-rc2) CVE-2016-0722 REJECTED CVE-2016-0721 (Session fixation vulnerability in pcsd in pcs before 0.9.157. ...) - pcs 0.9.149-1 NOTE: https://github.com/feist/pcs/commit/bc6ad9086857559db57f4e3e6de66762291c0774 (0.9.149) NOTE: https://github.com/feist/pcs/commit/e9b28833d54a47ec441f6dbad0db96e1fc662a5b (0.9.149) NOTE: https://github.com/feist/pcs/commit/acdbbe8307e6f4a36b2c7754765e732e43fe8d17 (0.9.149) CVE-2016-0720 (Cross-site request forgery (CSRF) vulnerability in pcsd web UI in pcs ...) - pcs 0.9.149-1 NOTE: https://github.com/feist/pcs/commit/3360ecd318f7631bf5826d99a20bf4b29d86dc9c (0.9.149) NOTE: https://github.com/feist/pcs/commit/d49435de20f71bd0816c42b445ed484dd21fbe96 (0.9.149) NOTE: https://github.com/feist/pcs/commit/b9e7f061788c3b86a0c67d2d4158f067ec5eb625 (0.9.149) CVE-2016-0719 REJECTED CVE-2016-0718 (Expat allows context-dependent attackers to cause a denial of service ...) {DSA-3582-1 DLA-483-1} - expat 2.1.1-2 - firefox 48.0-1 (unimportant) - firefox-esr (Doesn't affect Firefox ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-68/ NOTE: Firefox links dynamically against expat CVE-2016-0717 REJECTED CVE-2016-0716 REJECTED CVE-2016-0715 (Pivotal Cloud Foundry Elastic Runtime version 1.4.0 through 1.4.5, 1.5 ...) NOT-FOR-US: Pivotal Cloud Foundry Elastic Runtime CVE-2016-0714 (The session-persistence implementation in Apache Tomcat 6.x before 6.0 ...) {DSA-3609-1 DSA-3552-1 DSA-3530-1 DLA-435-1} - tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.0.32-1 - tomcat7 7.0.68-1 - tomcat6 6.0.41-3 NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs NOTE: Fixed in 6.0.45, 7.0.68, 8.0.32, 9.0.0.M3 CVE-2016-0713 (Gorouter in Cloud Foundry cf-release v141 through v228 allows man-in-t ...) NOT-FOR-US: Cloud Foundry CVE-2016-0712 (Cross-site scripting (XSS) vulnerability in Apache Jetspeed before 2.3 ...) NOT-FOR-US: Apache Jetspeed CVE-2016-0711 (Multiple cross-site scripting (XSS) vulnerabilities in Apache Jetspeed ...) NOT-FOR-US: Apache Jetspeed CVE-2016-0710 (Multiple SQL injection vulnerabilities in the User Manager service in ...) NOT-FOR-US: Apache Jetspeed CVE-2016-0709 (Directory traversal vulnerability in the Import/Export function in the ...) NOT-FOR-US: Apache Jetspeed CVE-2016-0708 (Applications deployed to Cloud Foundry, versions v166 through v227, ma ...) NOT-FOR-US: Cloud Foundry CVE-2016-0707 (The agent in Apache Ambari before 2.1.2 uses weak permissions for the ...) NOT-FOR-US: Apache Ambari CVE-2016-0706 (Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, ...) {DSA-3609-1 DSA-3552-1 DSA-3530-1 DLA-435-1} - tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.0.32-1 - tomcat7 7.0.68-1 - tomcat6 6.0.41-3 NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs NOTE: Fixed in 6.0.45, 7.0.68, 8.0.32, 9.0.0.M3 CVE-2016-0705 (Double free vulnerability in the dsa_priv_decode function in crypto/ds ...) {DSA-3500-1} - openssl 1.0.2g-1 [squeeze] - openssl (vulnerable code not present) NOTE: Fixed in master in https://git.openssl.org/?p=openssl.git;a=commit;h=ab4a81f69ec88d06c9d8de15326b9296d7f498ed NOTE: https://www.openssl.org/news/secadv/20160301.txt CVE-2016-0704 (An oracle protection mechanism in the get_client_master_key function i ...) - openssl 1.0.0c-2 NOTE: 1.0.0c-2 dropped SSLv2 support NOTE: https://www.openssl.org/news/secadv/20160301.txt CVE-2016-0703 (The get_client_master_key function in s2_srvr.c in the SSLv2 implement ...) - openssl 1.0.0c-2 NOTE: 1.0.0c-2 dropped SSLv2 support NOTE: https://www.openssl.org/news/secadv/20160301.txt CVE-2016-0702 (The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in O ...) {DSA-3500-1} - openssl 1.0.2g-1 NOTE: https://www.openssl.org/news/secadv/20160301.txt NOTE: https://cachebleed.info CVE-2016-0701 (The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 ...) - openssl 1.0.2f-2 [jessie] - openssl (Only affects 1.0.2) [wheezy] - openssl (Only affects 1.0.2) [squeeze] - openssl (Only affects 1.0.2) CVE-2015-8591 REJECTED CVE-2015-8590 REJECTED CVE-2015-8589 REJECTED CVE-2015-8588 REJECTED CVE-2015-8587 REJECTED CVE-2015-8586 REJECTED CVE-2015-8585 REJECTED CVE-2015-8584 REJECTED CVE-2015-8583 REJECTED CVE-2015-8582 REJECTED CVE-2015-8581 REJECTED CVE-2015-8580 (Multiple use-after-free vulnerabilities in the (1) Print method and (2 ...) NOT-FOR-US: Foxit CVE-2015-8579 (Kaspersky Total Security 2015 15.0.2.361 allocates memory with Read, W ...) NOT-FOR-US: Kaspersky CVE-2015-8578 (AVG Internet Security 2015 allocates memory with Read, Write, Execute ...) NOT-FOR-US: AVG CVE-2015-8577 (The Buffer Overflow Protection (BOP) feature in McAfee VirusScan Enter ...) NOT-FOR-US: McAfee CVE-2015-8576 REJECTED CVE-2015-8574 REJECTED CVE-2015-8573 REJECTED CVE-2015-XXXX [XSA-166: ioreq handling possibly susceptible to multiple read issue] - xen 4.8.0~rc3-1 [jessie] - xen 4.4.1-9+deb8u4 [wheezy] - xen 4.1.6.lts1-1 [squeeze] - xen (Unsupported in Squeeze LTS) NOTE: http://xenbits.xen.org/xsa/advisory-166.html CVE-2015-8572 (Multiple buffer overflows in Autodesk Design Review (ADR) before 2013 ...) NOT-FOR-US: Autodesk CVE-2015-8571 (Integer overflow in Autodesk Design Review (ADR) before 2013 Hotfix 2 ...) NOT-FOR-US: Autodesk CVE-2015-8570 (The password reset functionality in Lepide Active Directory Self Servi ...) NOT-FOR-US: Lepide CVE-2015-8575 (The sco_sock_bind function in net/bluetooth/sco.c in the Linux kernel ...) {DSA-3434-1 DLA-378-1} - linux 4.3.3-3 - linux-2.6 NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5233252fce714053f0151680933571a2da9cbfb4 (v4.4-rc6) CVE-2015-8566 (The Session package 1.x before 1.3.1 for Joomla! Framework allows remo ...) NOT-FOR-US: Session package for Joomla CVE-2015-8565 (Directory traversal vulnerability in Joomla! 3.2.0 through 3.3.x and 3 ...) NOT-FOR-US: Joomla! CVE-2015-8564 (Directory traversal vulnerability in Joomla! 3.4.x before 3.4.6 allows ...) NOT-FOR-US: Joomla! CVE-2015-8563 (Cross-site request forgery (CSRF) vulnerability in the com_templates c ...) NOT-FOR-US: Joomla! CVE-2015-8562 (Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to con ...) NOT-FOR-US: Joomla! CVE-2015-8561 (The F1BookView ActiveX control in F1 Bookview in Schneider Electric Pr ...) NOT-FOR-US: F1BookView CVE-2015-8555 (Xen 4.6.x, 4.5.x, 4.4.x, 4.3.x, and earlier do not initialize x86 FPU ...) {DSA-3519-1 DLA-479-1} - xen 4.8.0~rc3-1 (bug #823620) [squeeze] - xen (Unsupported in Squeeze LTS) NOTE: http://xenbits.xen.org/xsa/advisory-165.html CVE-2015-8554 (Buffer overflow in hw/pt-msi.c in Xen 4.6.x and earlier, when using th ...) {DLA-479-1} - xen 4.4.0-1 [squeeze] - xen (Unsupported in Squeeze LTS) NOTE: http://xenbits.xen.org/xsa/advisory-164.html CVE-2015-8553 (Xen allows guest OS users to obtain sensitive information from uniniti ...) {DSA-4497-1} - linux 4.19.37-1 [jessie] - linux (Intrusive; breaks qemu as used in Jessie; cf. kernel-sec for more details) [wheezy] - linux (Intrusive; breaks qemu as used in Wheezy; cf. kernel-sec for more details) - linux-2.6 [squeeze] - linux-2.6 (Xen not supported in Squeeze LTS) NOTE: CVE for the incomplete patches from XSA-120 and supplied in NOTE: XSA-120 v5+ addendum patch. NOTE: Cf. https://bugzilla.redhat.com/show_bug.cgi?id=1289128#c2 NOTE: http://xenbits.xen.org/xsa/advisory-120.html NOTE: Patch is discussed in http://thread.gmane.org/gmane.comp.emulators.xen.devel/140440/focus=140441 NOTE: and http://thread.gmane.org/gmane.linux.kernel/1924087/focus=1924088 NOTE: https://git.kernel.org/linus/7681f31ec9cdacab4fd10570be924f2cef6669ba CVE-2015-8552 (The PCI backend driver in Xen, when running on an x86 system and using ...) {DSA-3434-1} [experimental] - linux 4.4~rc6-1~exp1 - linux 4.3.3-3 - linux-2.6 [squeeze] - linux-2.6 (Xen not supported in Squeeze LTS) NOTE: http://xenbits.xen.org/xsa/advisory-157.html NOTE: https://git.kernel.org/linus/56441f3c8e5bd45aab10dd9f8c505dd4bec03b0d NOTE: https://git.kernel.org/linus/5e0ce1455c09dd61d029b8ad45d82e1ac0b6c4c9 NOTE: https://git.kernel.org/linus/a396f3a210c3a61e94d6b87ec05a75d0be2a60d0 NOTE: https://git.kernel.org/linus/7cfb905b9638982862f0331b36ccaaca5d383b49 NOTE: https://git.kernel.org/linus/408fb0e5aa7fda0059db282ff58c3b2a4278baa0 CVE-2015-8551 (The PCI backend driver in Xen, when running on an x86 system and using ...) {DSA-3434-1} [experimental] - linux 4.4~rc6-1~exp1 - linux 4.3.3-3 - linux-2.6 [squeeze] - linux-2.6 (Xen not supported in Squeeze LTS) NOTE: http://xenbits.xen.org/xsa/advisory-157.html NOTE: https://git.kernel.org/linus/56441f3c8e5bd45aab10dd9f8c505dd4bec03b0d NOTE: https://git.kernel.org/linus/5e0ce1455c09dd61d029b8ad45d82e1ac0b6c4c9 NOTE: https://git.kernel.org/linus/a396f3a210c3a61e94d6b87ec05a75d0be2a60d0 NOTE: https://git.kernel.org/linus/7cfb905b9638982862f0331b36ccaaca5d383b49 NOTE: https://git.kernel.org/linus/408fb0e5aa7fda0059db282ff58c3b2a4278baa0 CVE-2015-8550 (Xen, when used on a system providing PV backends, allows local guest O ...) {DSA-3519-1 DSA-3471-1 DSA-3434-1 DLA-479-1} [experimental] - linux 4.4~rc6-1~exp1 - linux 4.3.3-3 - linux-2.6 [squeeze] - linux-2.6 (Xen not supported in Squeeze LTS) - qemu 1:2.5+dfsg-2 (bug #809229) [wheezy] - qemu (vulnerable code not present) [squeeze] - qemu (vulnerable code not present) - qemu-kvm [wheezy] - qemu-kvm (vulnerable code not present) [squeeze] - qemu-kvm (vulnerable code not present) - xen 4.8.0~rc3-1 (bug #823620) [squeeze] - xen (Unsupported in Squeeze LTS) NOTE: http://xenbits.xen.org/xsa/advisory-155.html NOTE: https://git.kernel.org/linus/454d5d882c7e412b840e3c99010fe81a9862f6fb NOTE: https://git.kernel.org/linus/0f589967a73f1f30ab4ac4dd9ce0bb399b4d6357 NOTE: https://git.kernel.org/linus/68a33bfd8403e4e22847165d149823a2e0e67c9c NOTE: https://git.kernel.org/linus/1f13d75ccb806260079e0679d55d9253e370ec8a NOTE: https://git.kernel.org/linus/18779149101c0dd43ded43669ae2a92d21b6f9cb NOTE: https://git.kernel.org/linus/be69746ec12f35b484707da505c6c76ff06f97dc NOTE: https://git.kernel.org/linus/8135cf8b092723dbfcc611fe6fdcb3a36c9951c5 CVE-2015-8549 (XML external entity (XXE) vulnerability in PyAMF before 0.8.0 allows r ...) - pyamf CVE-2015-8569 (The (1) pptp_bind and (2) pptp_connect functions in drivers/net/ppp/pp ...) {DSA-3434-1} - linux 4.3.3-3 - linux-2.6 [squeeze] - linux-2.6 (Vulnerable code introduced later) NOTE: http://www.openwall.com/lists/oss-security/2015/12/15/7 NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=09ccfd238e5a0e670d8178cf50180ea81ae09ae1 (v4.4-rc6) NOTE: pptp_{connect,bind} introduced in https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=00959ade36acadc00e757f87060bf6e4501d545f (v2.6.37-rc1) NOTE: https://lkml.org/lkml/2015/12/14/252 CVE-2015-8568 (Memory leak in QEMU, when built with a VMWARE VMXNET3 paravirtual NIC ...) {DSA-3471-1} - qemu 1:2.5+dfsg-3 (bug #808145) [wheezy] - qemu (Vulnerable code not present) [squeeze] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02299.html NOTE: http://www.openwall.com/lists/oss-security/2015/12/15/4 CVE-2015-8567 (Memory leak in net/vmxnet3.c in QEMU allows remote attackers to cause ...) {DSA-3471-1} - qemu 1:2.5+dfsg-3 (bug #808145) [wheezy] - qemu (Vulnerable code not present) [squeeze] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02299.html NOTE: http://www.openwall.com/lists/oss-security/2015/12/15/4 CVE-2015-8559 (The knife bootstrap command in chef leaks the validator.pem private RS ...) - chef (low; bug #809670) [buster] - chef (Minor issue; workaround using validatorless bootstrapping) [stretch] - chef (Minor issue; workaround using validatorless bootstrapping) [jessie] - chef (Minor issue; workaround using validatorless bootstrapping) [wheezy] - chef (Minor issue; workaround using validatorless bootstrapping) NOTE: https://github.com/chef/chef/issues/3871 NOTE: https://github.com/chef/chef/pull/8885 NOTE: http://www.openwall.com/lists/oss-security/2015/12/14/10 NOTE: Workaround: use validatorless bootstrapping CVE-2015-8558 (The ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU allows loca ...) {DSA-3471-1 DSA-3470-1 DSA-3469-1} - qemu 1:2.5+dfsg-2 (bug #808144) [squeeze] - qemu (Not supported in Squeeze LTS) - qemu-kvm [squeeze] - qemu-kvm (Not supported in Squeeze LTS) NOTE: Upstream commit: http://git.qemu.org/?p=qemu.git;a=commit;h=156a2e4dbffa85997636a7a39ef12da6f1b40254 NOTE: http://www.openwall.com/lists/oss-security/2015/12/14/9 CVE-2015-8557 (The FontManager._get_nix_font_path function in formatters/img.py in Py ...) {DSA-3445-1 DLA-369-1} - pygments 2.0.1+dfsg-2 (bug #802828) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1276321 NOTE: https://bitbucket.org/birkenfeld/pygments-main/commits/0036ab1c99e256298094505e5e92f NOTE: http://www.openwall.com/lists/oss-security/2015/12/14/6 CVE-2015-8548 (Multiple unspecified vulnerabilities in Google V8 before 4.7.80.23, as ...) {DSA-3418-1} - chromium-browser 47.0.2526.80-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2015-8546 (An issue was discovered on Samsung mobile devices with software throug ...) NOT-FOR-US: Samsung mobile devices CVE-2015-8545 RESERVED CVE-2015-8544 (NetApp SnapDrive for Windows before 7.0.2P4, 7.0.3, and 7.1 before 7.1 ...) NOT-FOR-US: NetApp CVE-2015-8542 (An issue was discovered in Open-Xchange Guard before 2.2.0-rev8. The " ...) NOT-FOR-US: Open-Xchange CVE-2015-8556 (Local privilege escalation vulnerability in the Gentoo QEMU package be ...) - qemu (Issue specific to virtfs-proxy-helper in Gentoo installed suid) NOTE: http://www.openwall.com/lists/oss-security/2015/12/14/5 CVE-2015-8785 (The fuse_fill_write_pages function in fs/fuse/file.c in the Linux kern ...) {DSA-3503-1 DLA-412-1} - linux 4.3.5-1 - linux-2.6 NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3ca8138f014a913f98e6ef40e939868e1e9ea876 (v4.4-rc5) NOTE: Introduced in: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ea9b9907b82a09bd1a708004454f7065de77c5b0 (v2.6.26-rc1) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1290642 NOTE: http://www.openwall.com/lists/oss-security/2016/01/24/1 CVE-2015-XXXX [remotely triggerable crash] - ruby-eventmachine 1.0.7-1 (bug #678512; bug #696015) [jessie] - ruby-eventmachine 1.0.3-6+deb8u1 [wheezy] - ruby-eventmachine 0.12.10-3+deb7u1 NOTE: Workaround entry for DLA-549-1 until CVE assigned NOTE: https://github.com/eventmachine/eventmachine/issues/501#issuecomment-37307556 CVE-2015-8560 (Incomplete blacklist vulnerability in util.c in foomatic-rip in cups-f ...) {DSA-3429-1 DSA-3419-1 DLA-371-1} - cups-filters 1.4.0-1 (bug #807930) [wheezy] - cups-filters (Vulnerable code not present; introduced in 1.0.42) - foomatic-filters 4.0.17-7 (bug #807993) NOTE: http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7419 NOTE: http://www.openwall.com/lists/oss-security/2015/12/13/2 CVE-2015-9097 (The mail gem before 2.5.5 for Ruby (aka A Really Ruby Mail Library) is ...) {DLA-489-1} - ruby-mail 2.6.1+dfsg1-1 NOTE: https://github.com/mikel/mail/commit/72befdc4dab3e6e288ce226a7da2aa474cf5be83 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/12/11/3 NOTE: Fixed in 2.6.0 NOTE: "Note that, this patch might not be complete ..." https://bugzilla.redhat.com/show_bug.cgi?id=1293598 CVE-2015-8547 (The CoreUserInputHandler::doMode function in core/coreuserinputhandler ...) - quassel 1:0.12.2-3 (bug #807801) [jessie] - quassel 1:0.10.0-2.3+deb8u2 [wheezy] - quassel (Vulnerable code not present) [squeeze] - quassel (Vulnerable code not present) NOTE: https://github.com/quassel/quassel/commit/b8edbda019eeb99da8663193e224efc9d1265dc7 NOTE: Support for oping a whole channel with /op * was only added in NOTE: https://github.com/quassel/quassel/commit/7ecbc1bf921880f7b03af779de7d9611853a0d46 (0.10-beta1) NOTE: http://www.openwall.com/lists/oss-security/2015/12/12/1 CVE-2015-8541 RESERVED CVE-2016-0700 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2016-0699 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-0698 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle CVE-2016-0697 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle CVE-2016-0696 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2016-0695 (Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Jav ...) {DSA-3558-1 DLA-451-1} - openjdk-8 8u91-b14-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 (Not supported in Wheezy LTS) CVE-2016-0694 (Unspecified vulnerability in the DataStore component in Oracle Berkele ...) NOT-FOR-US: Oracle Berkeley DB (later closed source releases) CVE-2016-0693 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11.3 allows rem ...) NOT-FOR-US: Solaris CVE-2016-0692 (Unspecified vulnerability in the DataStore component in Oracle Berkele ...) NOT-FOR-US: Oracle Berkeley DB (later closed source releases) CVE-2016-0691 (Unspecified vulnerability in the RDBMS Security component in Oracle Da ...) NOT-FOR-US: Oracle CVE-2016-0690 (Unspecified vulnerability in the RDBMS Security component in Oracle Da ...) NOT-FOR-US: Oracle CVE-2016-0689 (Unspecified vulnerability in the DataStore component in Oracle Berkele ...) NOT-FOR-US: Oracle Berkeley DB (later closed source releases) CVE-2016-0688 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2016-0687 (Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 and ...) {DSA-3558-1 DLA-451-1} - openjdk-8 8u91-b14-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 (Not supported in Wheezy LTS) CVE-2016-0686 (Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 and ...) {DSA-3558-1 DLA-451-1} - openjdk-8 8u91-b14-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 (Not supported in Wheezy LTS) CVE-2016-0685 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle CVE-2016-0684 (Unspecified vulnerability in the Oracle Retail MICROS ARS POS componen ...) NOT-FOR-US: Oracle Retail CVE-2016-0683 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle CVE-2016-0682 (Unspecified vulnerability in the DataStore component in Oracle Berkele ...) NOT-FOR-US: Oracle Berkeley DB (later closed source releases) CVE-2016-0681 (Unspecified vulnerability in the Oracle OLAP component in Oracle Datab ...) NOT-FOR-US: Oracle CVE-2016-0680 (Unspecified vulnerability in the PeopleSoft Enterprise SCM component i ...) NOT-FOR-US: Oracle CVE-2016-0679 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle CVE-2016-0678 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) - virtualbox 5.0.18-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2016-0677 (Unspecified vulnerability in the RDBMS Security component in Oracle Da ...) NOT-FOR-US: Oracle CVE-2016-0676 (Unspecified vulnerability in Oracle Sun Solaris 10 allows local users ...) NOT-FOR-US: Solaris CVE-2016-0675 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2016-0674 (Unspecified vulnerability in the Siebel Core - Common Components compo ...) NOT-FOR-US: Siebel CVE-2016-0673 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...) NOT-FOR-US: Siebel CVE-2016-0672 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2016-0671 (Unspecified vulnerability in the Oracle HTTP Server component in Oracl ...) NOT-FOR-US: Oracle CVE-2016-0670 REJECTED CVE-2016-0669 (Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local user ...) NOT-FOR-US: Solaris CVE-2016-0668 (Unspecified vulnerability in Oracle MySQL 5.6.28 and earlier and 5.7.1 ...) {DSA-3595-1} - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (Only affects MySQL 5.6 and MySQL 5.7) - mariadb-10.0 10.0.24-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0667 (Unspecified vulnerability in Oracle MySQL 5.7.11 and earlier allows lo ...) - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0666 (Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 a ...) {DSA-3595-1 DSA-3557-1 DLA-447-1} - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (bug #821100) - mariadb-10.0 10.0.25-1 (bug #823325) NOTE: Fixed in MariaDB 10.0.25 NOTE: https://mariadb.com/kb/en/mariadb/mariadb-10025-release-notes/ NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0665 (Unspecified vulnerability in Oracle MySQL 5.6.28 and earlier and 5.7.1 ...) - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (Only affects MySQL 5.6 and MySQL 5.7) NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0664 REJECTED CVE-2016-0663 (Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows lo ...) - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0662 (Unspecified vulnerability in Oracle MySQL 5.7.11 and earlier allows lo ...) - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0661 (Unspecified vulnerability in Oracle MySQL 5.6.28 and earlier and 5.7.1 ...) - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (Only affects MySQL 5.6 and MySQL 5.7) NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0660 REJECTED CVE-2016-0659 (Unspecified vulnerability in Oracle MySQL 5.7.11 and earlier allows lo ...) - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0658 (Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows lo ...) - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0657 (Unspecified vulnerability in Oracle MySQL 5.7.11 and earlier allows lo ...) - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0656 (Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows lo ...) - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0655 (Unspecified vulnerability in Oracle MySQL 5.6.29 and earlier and 5.7.1 ...) {DSA-3595-1} - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (Only affects MySQL 5.6 and MySQL 5.7) - mariadb-10.0 10.0.25-1 (bug #823325) NOTE: Fixed in MariaDB 10.0.25 NOTE: https://mariadb.com/kb/en/mariadb/mariadb-10025-release-notes/ NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0654 (Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows lo ...) - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0653 (Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows lo ...) - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0652 (Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows lo ...) - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0651 (Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows lo ...) - mysql-5.6 (Only affects MySQL 5.5) - mysql-5.5 [jessie] - mysql-5.5 5.5.47-0+deb8u1 [wheezy] - mysql-5.5 5.5.47-0+deb7u1 - mariadb-10.0 10.0.23-1 [jessie] - mariadb-10.0 10.0.23-0+deb8u1 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0650 (Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 a ...) {DSA-3595-1 DSA-3557-1 DLA-447-1} - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (bug #821100) - mariadb-10.0 10.0.24-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0649 (Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 a ...) {DSA-3595-1 DSA-3557-1 DLA-447-1} - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (bug #821100) - mariadb-10.0 10.0.24-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0648 (Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 a ...) {DSA-3595-1 DSA-3557-1 DLA-447-1} - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (bug #821100) - mariadb-10.0 10.0.25-1 (bug #823325) NOTE: Fixed in MariaDB 10.0.25 NOTE: https://mariadb.com/kb/en/mariadb/mariadb-10025-release-notes/ NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0647 (Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 a ...) {DSA-3595-1 DSA-3557-1 DLA-447-1} - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (bug #821100) - mariadb-10.0 10.0.25-1 (bug #823325) NOTE: Fixed in MariaDB 10.0.25 NOTE: https://mariadb.com/kb/en/mariadb/mariadb-10025-release-notes/ NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0646 (Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 a ...) {DSA-3595-1 DSA-3557-1 DLA-447-1} - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (bug #821100) - mariadb-10.0 10.0.24-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0645 REJECTED CVE-2016-0644 (Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 a ...) {DSA-3595-1 DSA-3557-1 DLA-447-1} - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (bug #821100) - mariadb-10.0 10.0.24-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0643 (Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 a ...) {DSA-3595-1 DSA-3557-1 DLA-447-1} - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (bug #821100) - mariadb-10.0 10.0.25-1 (bug #823325) NOTE: Fixed in MariaDB 10.0.25 NOTE: https://mariadb.com/kb/en/mariadb/mariadb-10025-release-notes/ NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0642 (Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 a ...) {DSA-3557-1 DLA-447-1} - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (bug #821100) - mariadb-10.0 10.0.23-1 [jessie] - mariadb-10.0 10.0.23-0+deb8u1 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0641 (Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 a ...) {DSA-3595-1 DSA-3557-1 DLA-447-1} - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (bug #821100) - mariadb-10.0 10.0.24-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0640 (Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 a ...) {DSA-3595-1 DSA-3557-1 DLA-447-1} - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (bug #821100) - mariadb-10.0 10.0.24-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0639 (Unspecified vulnerability in Oracle MySQL 5.6.29 and earlier and 5.7.1 ...) - mysql-5.6 5.6.30-1 (bug #821094) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html CVE-2016-0638 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2016-0637 REJECTED CVE-2016-0636 (Unspecified vulnerability in Oracle Java SE 7u97, 8u73, and 8u74 allow ...) {DSA-3558-1 DLA-451-1} - openjdk-8 8u77-b03-1 [experimental] - openjdk-7 7u95-2.6.4-3 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 (Not supported in Wheezy LTS) NOTE: http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0636-2949497.html NOTE: https://blogs.oracle.com/security/entry/security_alert_cve_2016_0636 NOTE: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/c44179bce874 CVE-2016-0635 (Unspecified vulnerability in the Enterprise Manager Ops Center compone ...) NOT-FOR-US: MySQL Enterprise Monitor CVE-2016-0634 (The expansion of '\h' in the prompt string in bash 4.3 allows remote a ...) - bash 4.4-1 (unimportant) [jessie] - bash 4.3-11+deb8u1 NOTE: http://www.openwall.com/lists/oss-security/2016/09/16/8 NOTE: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025 NOTE: Fixed bin Bash upstream bash-4.4 NOTE: This doesn't cross any reasonable security boundaries, an attacker with the NOTE: ability to modify the hostname in an arbitrary manner is in the position to NOTE: exploit various other system components anyway NOTE: Fixed by (4.3): https://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-047 CVE-2016-0633 REJECTED CVE-2016-0632 REJECTED CVE-2016-0631 REJECTED CVE-2016-0630 REJECTED CVE-2016-0629 REJECTED CVE-2016-0628 REJECTED CVE-2016-0627 REJECTED CVE-2016-0626 REJECTED CVE-2016-0625 REJECTED CVE-2016-0624 REJECTED CVE-2016-0623 (Unspecified vulnerability in Oracle Sun Solaris 11.3 allows remote att ...) NOT-FOR-US: Solaris CVE-2016-0622 REJECTED CVE-2016-0621 REJECTED CVE-2016-0620 REJECTED CVE-2016-0619 REJECTED CVE-2016-0618 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Oracle Sun Solaris CVE-2016-0617 (Unspecified vulnerability in the kernel-uek component in Oracle Linux ...) - linux 4.4.2-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) - linux-2.6 (Vulnerable code introduced later) NOTE: Introduced by: https://git.kernel.org/linus/1bfad99ab42569807d0ca1698449cae5e8c0334a (v4.3-rc1) NOTE: Fixed by: https://git.kernel.org/linus/9aacdd354d197ad64685941b36d28ea20ab88757 (v4.5-rc1) CVE-2016-0616 (Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier and Maria ...) {DSA-3459-1 DSA-3453-1 DLA-409-1} - mysql-5.6 (Only affects MySQL 5.5) - mysql-5.5 (bug #811428) - mariadb-10.0 10.0.23-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2016-0615 REJECTED CVE-2016-0614 (Unspecified vulnerability in the Oracle BI Publisher component in Orac ...) NOT-FOR-US: Oracle CVE-2016-0613 REJECTED CVE-2016-0612 REJECTED CVE-2016-0611 (Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and 5.7.9 ...) - mysql-5.6 5.6.28-1 (bug #811443) - mysql-5.5 (Only affects MySQL 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2016-0610 (Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and Maria ...) - mysql-5.6 5.6.28-1 (bug #811443) - mysql-5.5 (Only affects MySQL 5.6) - mariadb-10.0 10.0.22-1 [jessie] - mariadb-10.0 10.0.22-0+deb8u1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2016-0609 (Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 a ...) {DSA-3459-1 DSA-3453-1 DLA-409-1} - mysql-5.6 5.6.28-1 (bug #811443) - mysql-5.5 (bug #811428) - mariadb-10.0 10.0.23-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2016-0608 (Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 a ...) {DSA-3459-1 DSA-3453-1 DLA-409-1} - mysql-5.6 5.6.28-1 (bug #811443) - mysql-5.5 (bug #811428) - mariadb-10.0 10.0.23-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2016-0607 (Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and 5.7.9 ...) - mysql-5.6 5.6.28-1 (bug #811443) - mysql-5.5 (Only affects MySQL 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2016-0606 (Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 a ...) {DSA-3459-1 DSA-3453-1 DLA-409-1} - mysql-5.6 5.6.28-1 (bug #811443) - mysql-5.5 (bug #811428) - mariadb-10.0 10.0.23-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2016-0605 (Unspecified vulnerability in Oracle MySQL 5.6.26 and earlier allows re ...) - mysql-5.6 5.6.27-1 - mysql-5.5 (Only affects MySQL 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2016-0604 REJECTED CVE-2016-0603 (Unspecified vulnerability in the Java SE component in Oracle Java SE 6 ...) - openjdk-8 (Java on Windows) - openjdk-7 (Java on Windows) - openjdk-6 (Java on Windows) CVE-2016-0602 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) - virtualbox (VirtualBox Windows Installer component) NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixOVIR CVE-2016-0601 (Unspecified vulnerability in Oracle MySQL 5.7.9 allows remote authenti ...) - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2016-0600 (Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 a ...) {DSA-3459-1 DSA-3453-1 DLA-409-1} - mysql-5.6 5.6.28-1 (bug #811443) - mysql-5.5 (bug #811428) - mariadb-10.0 10.0.23-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2016-0599 (Unspecified vulnerability in Oracle MySQL 5.7.9 allows remote authenti ...) - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2016-0598 (Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 a ...) {DSA-3459-1 DSA-3453-1 DLA-409-1} - mysql-5.6 5.6.28-1 (bug #811443) - mysql-5.5 (bug #811428) - mariadb-10.0 10.0.23-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2016-0597 (Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 a ...) {DSA-3459-1 DSA-3453-1 DLA-409-1} - mysql-5.6 5.6.28-1 (bug #811443) - mysql-5.5 (bug #811428) - mariadb-10.0 10.0.23-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2016-0596 (Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier and 5.6.2 ...) {DSA-3459-1 DSA-3453-1 DLA-409-1} - mysql-5.6 5.6.28-1 (bug #811443) - mysql-5.5 (bug #811428) - mariadb-10.0 10.0.23-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2016-0595 (Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier allows re ...) - mysql-5.6 5.6.28-1 (bug #811443) - mysql-5.5 (Only affects MySQL 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2016-0594 (Unspecified vulnerability in Oracle MySQL 5.6.21 and earlier allows re ...) - mysql-5.6 5.6.25-2 - mysql-5.5 (Only affects MySQL 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2016-0593 REJECTED CVE-2016-0592 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) {DSA-3454-1} - virtualbox 5.0.14-dfsg-1 [wheezy] - virtualbox (DSA 3454) NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixOVIR CVE-2016-0591 (Unspecified vulnerability in the PeopleSoft Enterprise SCM Purchasing ...) NOT-FOR-US: PeopleSoft CVE-2016-0590 (Unspecified vulnerability in the PeopleSoft Enterprise SCM Order Manag ...) NOT-FOR-US: Oracle CVE-2016-0589 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle CVE-2016-0588 (Unspecified vulnerability in the Oracle General Ledger component in Or ...) NOT-FOR-US: Oracle CVE-2016-0587 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft CVE-2016-0586 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle CVE-2016-0585 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle CVE-2016-0584 (Unspecified vulnerability in the Oracle CRM Technology Foundation comp ...) NOT-FOR-US: Oracle CVE-2016-0583 (Unspecified vulnerability in the Oracle CRM Technology Foundation comp ...) NOT-FOR-US: Oracle CVE-2016-0582 (Unspecified vulnerability in the Oracle CRM Technology Foundation comp ...) NOT-FOR-US: Oracle CVE-2016-0581 (Unspecified vulnerability in the Oracle Approvals Management component ...) NOT-FOR-US: Oracle CVE-2016-0580 (Unspecified vulnerability in the Oracle Report Manager component in Or ...) NOT-FOR-US: Oracle CVE-2016-0579 (Unspecified vulnerability in the Oracle CRM Technology Foundation comp ...) NOT-FOR-US: Oracle CVE-2016-0578 (Unspecified vulnerability in the Oracle CRM Technology Foundation comp ...) NOT-FOR-US: Oracle CVE-2016-0577 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2016-0576 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle CVE-2016-0575 (Unspecified vulnerability in the Oracle Learning Management component ...) NOT-FOR-US: Oracle CVE-2016-0574 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2016-0573 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2016-0572 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2016-0571 (Unspecified vulnerability in the Oracle Balanced Scorecard component i ...) NOT-FOR-US: Oracle CVE-2016-0570 (Unspecified vulnerability in the Oracle HCM Configuration Workbench co ...) NOT-FOR-US: Oracle CVE-2016-0569 (Unspecified vulnerability in the Oracle E-Business Intelligence compon ...) NOT-FOR-US: Oracle CVE-2016-0568 (Unspecified vulnerability in the Oracle Email Center component in Orac ...) NOT-FOR-US: Oracle CVE-2016-0567 (Unspecified vulnerability in the Oracle E-Business Intelligence compon ...) NOT-FOR-US: Oracle CVE-2016-0566 (Unspecified vulnerability in the Oracle Marketing component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-0565 (Unspecified vulnerability in the Oracle Marketing component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-0564 (Unspecified vulnerability in the Oracle E-Business Intelligence compon ...) NOT-FOR-US: Oracle CVE-2016-0563 (Unspecified vulnerability in the Oracle CRM Technical Foundation compo ...) NOT-FOR-US: Oracle CVE-2016-0562 (Unspecified vulnerability in the Oracle Common Applications component ...) NOT-FOR-US: Oracle CVE-2016-0561 (Unspecified vulnerability in the Oracle E-Business Intelligence compon ...) NOT-FOR-US: Oracle CVE-2016-0560 (Unspecified vulnerability in the Oracle Customer Intelligence componen ...) NOT-FOR-US: Oracle CVE-2016-0559 (Unspecified vulnerability in the Oracle Customer Intelligence componen ...) NOT-FOR-US: Oracle CVE-2016-0558 (Unspecified vulnerability in the Oracle Service Contracts component in ...) NOT-FOR-US: Oracle CVE-2016-0557 (Unspecified vulnerability in the Oracle Advanced Collections component ...) NOT-FOR-US: Oracle CVE-2016-0556 (Unspecified vulnerability in the Oracle Advanced Collections component ...) NOT-FOR-US: Oracle CVE-2016-0555 (Unspecified vulnerability in the Oracle CADView-3D component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-0554 (Unspecified vulnerability in the Oracle Interaction Center Intelligenc ...) NOT-FOR-US: Oracle CVE-2016-0553 (Unspecified vulnerability in the Oracle E-Business Intelligence compon ...) NOT-FOR-US: Oracle CVE-2016-0552 (Unspecified vulnerability in the Oracle Customer Intelligence componen ...) NOT-FOR-US: Oracle CVE-2016-0551 (Unspecified vulnerability in the Oracle Customer Intelligence componen ...) NOT-FOR-US: Oracle CVE-2016-0550 (Unspecified vulnerability in the Oracle CRM Technical Foundation compo ...) NOT-FOR-US: Oracle CVE-2016-0549 (Unspecified vulnerability in the Oracle E-Business Intelligence compon ...) NOT-FOR-US: Oracle CVE-2016-0548 (Unspecified vulnerability in the Oracle E-Business Intelligence compon ...) NOT-FOR-US: Oracle CVE-2016-0547 (Unspecified vulnerability in the Oracle E-Business Intelligence compon ...) NOT-FOR-US: Oracle CVE-2016-0546 (Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 a ...) {DSA-3459-1 DSA-3453-1 DLA-409-1} - mysql-5.6 5.6.28-1 (bug #811443) - mysql-5.5 (bug #811428) - mariadb-10.0 10.0.23-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2016-0545 (Unspecified vulnerability in the Oracle Customer Intelligence componen ...) NOT-FOR-US: Oracle CVE-2016-0544 (Unspecified vulnerability in the Oracle Marketing component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-0543 (Unspecified vulnerability in the Oracle Marketing component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-0542 (Unspecified vulnerability in the Oracle Field Service component in Ora ...) NOT-FOR-US: Oracle CVE-2016-0541 (Unspecified vulnerability in the Oracle Configurator component in Orac ...) NOT-FOR-US: Oracle CVE-2016-0540 (Unspecified vulnerability in the Oracle Configurator component in Orac ...) NOT-FOR-US: Oracle CVE-2016-0539 (Unspecified vulnerability in the Oracle Report Manager component in Or ...) NOT-FOR-US: Oracle CVE-2016-0538 (Unspecified vulnerability in the Oracle Financial Consolidation Hub co ...) NOT-FOR-US: Oracle CVE-2016-0537 (Unspecified vulnerability in the Oracle Human Resources component in O ...) NOT-FOR-US: Oracle CVE-2016-0536 (Unspecified vulnerability in the Oracle Universal Work Queue component ...) NOT-FOR-US: Oracle CVE-2016-0535 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows remot ...) NOT-FOR-US: Oracle CVE-2016-0534 (Unspecified vulnerability in the Oracle Project Contracts component in ...) NOT-FOR-US: Oracle CVE-2016-0533 (Unspecified vulnerability in the Oracle CRM Technical Foundation compo ...) NOT-FOR-US: Oracle CVE-2016-0532 (Unspecified vulnerability in the Oracle CRM Technical Foundation compo ...) NOT-FOR-US: Oracle CVE-2016-0531 (Unspecified vulnerability in the Oracle Applications Manager component ...) NOT-FOR-US: Oracle CVE-2016-0530 (Unspecified vulnerability in the Oracle Customer Interaction History c ...) NOT-FOR-US: Oracle CVE-2016-0529 (Unspecified vulnerability in the Oracle Customer Interaction History c ...) NOT-FOR-US: Oracle CVE-2016-0528 (Unspecified vulnerability in the Oracle Customer Interaction History c ...) NOT-FOR-US: Oracle CVE-2016-0527 (Unspecified vulnerability in the Oracle Customer Interaction History c ...) NOT-FOR-US: Oracle CVE-2016-0526 (Unspecified vulnerability in the Oracle CRM Technical Foundation compo ...) NOT-FOR-US: Oracle CVE-2016-0525 (Unspecified vulnerability in the Oracle Universal Work Queue component ...) NOT-FOR-US: Oracle CVE-2016-0524 (Unspecified vulnerability in the Oracle Universal Work Queue component ...) NOT-FOR-US: Oracle CVE-2016-0523 (Unspecified vulnerability in the Oracle Interaction Blending component ...) NOT-FOR-US: Oracle CVE-2016-0522 (Unspecified vulnerability in the Oracle Retail Open Commerce Platform ...) NOT-FOR-US: Oracle CVE-2016-0521 (Unspecified vulnerability in the Oracle iProcurement component in Orac ...) NOT-FOR-US: Oracle CVE-2016-0520 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle CVE-2016-0519 (Unspecified vulnerability in the Oracle iReceivables component in Orac ...) NOT-FOR-US: Oracle CVE-2016-0518 (Unspecified vulnerability in the Oracle Human Resources component in O ...) NOT-FOR-US: Oracle CVE-2016-0517 (Unspecified vulnerability in the Oracle Human Resources component in O ...) NOT-FOR-US: Oracle CVE-2016-0516 (Unspecified vulnerability in the Oracle Quality component in Oracle E- ...) NOT-FOR-US: Oracle CVE-2016-0515 (Unspecified vulnerability in the Oracle CRM Technical Foundation compo ...) NOT-FOR-US: Oracle CVE-2016-0514 (Unspecified vulnerability in the Oracle CRM Technical Foundation compo ...) NOT-FOR-US: Oracle CVE-2016-0513 (Unspecified vulnerability in the Oracle CRM Technical Foundation compo ...) NOT-FOR-US: Oracle CVE-2016-0512 (Unspecified vulnerability in the Oracle Human Resources component in O ...) NOT-FOR-US: Oracle CVE-2016-0511 (Unspecified vulnerability in the Oracle E-Business Intelligence compon ...) NOT-FOR-US: Oracle CVE-2016-0510 (Unspecified vulnerability in the Oracle E-Business Intelligence compon ...) NOT-FOR-US: Oracle CVE-2016-0509 (Unspecified vulnerability in the Oracle Internet Expenses component in ...) NOT-FOR-US: Oracle CVE-2016-0508 (Unspecified vulnerability in the Oracle iLearning component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-0507 (Unspecified vulnerability in the Oracle iReceivables component in Orac ...) NOT-FOR-US: Oracle CVE-2016-0506 (Unspecified vulnerability in the Oracle Retail Order Management System ...) NOT-FOR-US: Oracle CVE-2016-0505 (Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 a ...) {DSA-3459-1 DSA-3453-1 DLA-409-1} - mysql-5.6 5.6.28-1 (bug #811443) - mysql-5.5 (bug #811428) - mariadb-10.0 10.0.23-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2016-0504 (Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and 5.7.9 ...) - mysql-5.6 5.6.28-1 (bug #811443) - mysql-5.5 (Only affects MySQL 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2016-0503 (Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and 5.7.9 ...) - mysql-5.6 5.6.28-1 (bug #811443) - mysql-5.5 (Only affects MySQL 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2016-0502 (Unspecified vulnerability in Oracle MySQL 5.5.31 and earlier and 5.6.1 ...) - mysql-5.6 5.6.25-2 - mysql-5.5 5.5.33+dfsg-1 - mariadb-10.0 (Fixed before the initial release in Debian, 10.0.4) NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2016-0501 (Unspecified vulnerability in the Oracle Secure Global Desktop componen ...) NOT-FOR-US: Oracle CVE-2016-0500 (Unspecified vulnerability in the Oracle Retail Order Broker Cloud Serv ...) NOT-FOR-US: Oracle CVE-2016-0499 (Unspecified vulnerability in the Java VM component in Oracle Database ...) NOT-FOR-US: Oracle CVE-2016-0498 (Unspecified vulnerability in the Oracle Agile Engineering Data Managem ...) NOT-FOR-US: Oracle CVE-2016-0497 (Unspecified vulnerability in the Oracle Agile Engineering Data Managem ...) NOT-FOR-US: Oracle CVE-2016-0496 (Unspecified vulnerability in the MICROS CWDirect component in Oracle R ...) NOT-FOR-US: Oracle CVE-2016-0495 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) {DSA-3454-1} - virtualbox 5.0.14-dfsg-1 [wheezy] - virtualbox (DSA 3454) NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixOVIR CVE-2016-0494 (Unspecified vulnerability in the Java SE and Java SE Embedded componen ...) {DSA-3725-1 DSA-3465-1 DSA-3458-1 DLA-545-1 DLA-410-1} - openjdk-8 8u72-b15-1 - openjdk-7 7u95-2.6.4-1 - openjdk-6 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1298906#c1 NOTE: Upstream commit for OpenJDK: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/f556d4c82ef1 - icu 57.1-4 NOTE: ICU not directly affected by CVE-2016-0494 itself since original patch for NOTE: CVE-2015-4844 was not yet applied. CVE-2016-0494 was introduced as part of NOTE: the CVE-2015-4844 fix. To avoid confusion with the DSA text in DSA-3725-1 NOTE: threat this CVE separately as affected src:icu despite beeing for the NOTE: incomplete fix for CVE-2015-4844 CVE-2016-0493 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Oracle CVE-2016-0492 (Unspecified vulnerability in the Oracle Application Testing Suite comp ...) NOT-FOR-US: Oracle CVE-2016-0491 (Unspecified vulnerability in the Oracle Application Testing Suite comp ...) NOT-FOR-US: Oracle CVE-2016-0490 (Unspecified vulnerability in the Oracle Application Testing Suite comp ...) NOT-FOR-US: Oracle CVE-2016-0489 (Unspecified vulnerability in the Oracle Application Testing Suite comp ...) NOT-FOR-US: Oracle CVE-2016-0488 (Unspecified vulnerability in the Oracle Application Testing Suite comp ...) NOT-FOR-US: Oracle CVE-2016-0487 (Unspecified vulnerability in the Oracle Application Testing Suite comp ...) NOT-FOR-US: Oracle CVE-2016-0486 (Unspecified vulnerability in the Oracle Application Testing Suite comp ...) NOT-FOR-US: Oracle CVE-2016-0485 (Unspecified vulnerability in the Oracle Application Testing Suite comp ...) NOT-FOR-US: Oracle CVE-2016-0484 (Unspecified vulnerability in the Oracle Application Testing Suite comp ...) NOT-FOR-US: Oracle CVE-2016-0483 (Unspecified vulnerability in Oracle Java SE 6u105, 7u91, and 8u66; Jav ...) {DSA-3465-1 DSA-3458-1 DLA-410-1} - openjdk-8 8u72-b15-1 - openjdk-7 7u95-2.6.4-1 - openjdk-6 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1299441#c2 CVE-2016-0482 (Unspecified vulnerability in the Oracle Application Testing Suite comp ...) NOT-FOR-US: Oracle CVE-2016-0481 (Unspecified vulnerability in the Oracle Application Testing Suite comp ...) NOT-FOR-US: Oracle CVE-2016-0480 (Unspecified vulnerability in the Oracle Application Testing Suite comp ...) NOT-FOR-US: Oracle CVE-2016-0479 (Unspecified vulnerability in the Oracle Business Intelligence Enterpri ...) NOT-FOR-US: Oracle CVE-2016-0478 (Unspecified vulnerability in the Oracle Application Testing Suite comp ...) NOT-FOR-US: Oracle CVE-2016-0477 (Unspecified vulnerability in the Oracle Application Testing Suite comp ...) NOT-FOR-US: Oracle CVE-2016-0476 (Unspecified vulnerability in the Oracle Application Testing Suite comp ...) NOT-FOR-US: Oracle CVE-2016-0475 (Unspecified vulnerability in the Java SE, Java SE Embedded, and JRocki ...) - openjdk-8 8u72-b15-1 CVE-2016-0474 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle CVE-2016-0473 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle CVE-2016-0472 (Unspecified vulnerability in the XDB - XML Database component in Oracl ...) NOT-FOR-US: Oracle CVE-2016-0471 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle CVE-2016-0470 (Unspecified vulnerability in the Oracle BI Publisher component in Orac ...) NOT-FOR-US: Oracle CVE-2016-0469 (Unspecified vulnerability in the Oracle Retail MICROS C2 component in ...) NOT-FOR-US: Oracle Retail CVE-2016-0468 (Unspecified vulnerability in the Oracle Business Intelligence Enterpri ...) NOT-FOR-US: Oracle CVE-2016-0467 (Unspecified vulnerability in the Security component in Oracle Database ...) NOT-FOR-US: Oracle CVE-2016-0466 (Unspecified vulnerability in the Java SE, Java SE Embedded, and JRocki ...) {DSA-3465-1 DSA-3458-1 DLA-410-1} - openjdk-8 8u72-b15-1 - openjdk-7 7u95-2.6.4-1 - openjdk-6 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1299385#c4 CVE-2016-0465 (Unspecified vulnerability in the Solaris Cluster component in Oracle S ...) NOT-FOR-US: Oracle CVE-2016-0464 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2016-0463 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle CVE-2016-0462 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle CVE-2016-0461 (Unspecified vulnerability in the XDB - XML Database component in Oracl ...) NOT-FOR-US: Oracle CVE-2016-0460 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle CVE-2016-0459 (Unspecified vulnerability in the Oracle Applications Framework compone ...) NOT-FOR-US: Oracle CVE-2016-0458 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Oracle CVE-2016-0457 (Unspecified vulnerability in the Application Mgmt Pack for E-Business ...) NOT-FOR-US: Oracle CVE-2016-0456 (Unspecified vulnerability in the Application Mgmt Pack for E-Business ...) NOT-FOR-US: Oracle CVE-2016-0455 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle CVE-2016-0454 (Unspecified vulnerability in the Oracle Mobile Application Servlet com ...) NOT-FOR-US: Oracle CVE-2016-0453 (Unspecified vulnerability in the Oracle GlassFish Server component in ...) - glassfish (Full application server not packaged) CVE-2016-0452 (Unspecified vulnerability in the Oracle GoldenGate component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-0451 (Unspecified vulnerability in the Oracle GoldenGate component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-0450 (Unspecified vulnerability in the Oracle GoldenGate component in Oracle ...) NOT-FOR-US: Oracle CVE-2016-0449 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle CVE-2016-0448 (Unspecified vulnerability in the Java SE and Java SE Embedded componen ...) {DSA-3465-1 DSA-3458-1 DLA-410-1} - openjdk-8 8u72-b15-1 - openjdk-7 7u95-2.6.4-1 - openjdk-6 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1299385#c4 CVE-2016-0447 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle CVE-2016-0446 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle CVE-2016-0445 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle CVE-2016-0444 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle CVE-2016-0443 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle CVE-2016-0442 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle CVE-2016-0441 (Unspecified vulnerability in the Oracle GlassFish Server component in ...) - glassfish (Full application server not packaged) CVE-2016-0440 (Unspecified vulnerability in Oracle Sun Solaris 11 allows remote attac ...) NOT-FOR-US: Oracle CVE-2016-0439 (Unspecified vulnerability in the Web Cache component in Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2016-0438 (Unspecified vulnerability in the Oracle Retail Point-of-Service compon ...) NOT-FOR-US: Oracle CVE-2016-0437 (Unspecified vulnerability in the Oracle Retail Point-of-Service compon ...) NOT-FOR-US: Oracle CVE-2016-0436 (Unspecified vulnerability in the Oracle Retail Point-of-Service compon ...) NOT-FOR-US: Oracle CVE-2016-0435 (Unspecified vulnerability in the Oracle Retail Point-of-Service compon ...) NOT-FOR-US: Oracle CVE-2016-0434 (Unspecified vulnerability in the Oracle Retail Point-of-Service compon ...) NOT-FOR-US: Oracle CVE-2016-0433 (Unspecified vulnerability in the Web Cache component in Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2016-0432 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle CVE-2016-0431 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Oracle CVE-2016-0430 (Unspecified vulnerability in the Web Cache component in Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2016-0429 (Unspecified vulnerability in the Oracle BI Publisher component in Orac ...) NOT-FOR-US: Oracle CVE-2016-0428 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Oracle CVE-2016-0427 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle CVE-2016-0426 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Oracle CVE-2016-0425 (Unspecified vulnerability in the JD Edwards EnterpriseOne Tools compon ...) NOT-FOR-US: Oracle CVE-2016-0424 (Unspecified vulnerability in the JD Edwards EnterpriseOne Tools compon ...) NOT-FOR-US: Oracle CVE-2016-0423 (Unspecified vulnerability in the JD Edwards EnterpriseOne Tools compon ...) NOT-FOR-US: Oracle CVE-2016-0422 (Unspecified vulnerability in the JD Edwards EnterpriseOne Tools compon ...) NOT-FOR-US: Oracle CVE-2016-0421 (Unspecified vulnerability in the JD Edwards EnterpriseOne Tools compon ...) NOT-FOR-US: Oracle CVE-2016-0420 (Unspecified vulnerability in the JD Edwards EnterpriseOne Tools compon ...) NOT-FOR-US: Oracle CVE-2016-0419 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Oracle CVE-2016-0418 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Oracle CVE-2016-0417 (Unspecified vulnerability in the Solaris Cluster component in Oracle S ...) NOT-FOR-US: Oracle CVE-2016-0416 (Unspecified vulnerability in Oracle Sun Solaris 11 allows remote attac ...) NOT-FOR-US: Oracle CVE-2016-0415 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle CVE-2016-0414 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Oracle CVE-2016-0413 (Unspecified vulnerability in the Oracle Identity Federation component ...) NOT-FOR-US: Oracle CVE-2016-0412 (Unspecified vulnerability in the PeopleSoft Enterprise SCM eProcuremen ...) NOT-FOR-US: Oracle CVE-2016-0411 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle CVE-2016-0410 REJECTED CVE-2016-0409 (Unspecified vulnerability in the PeopleSoft Enterprise HCM Global Payr ...) NOT-FOR-US: Oracle CVE-2016-0408 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle CVE-2016-0407 (Unspecified vulnerability in the PeopleSoft Enterprise HCM component i ...) NOT-FOR-US: Oracle NOT-FOR-US: PeopleSoft CVE-2016-0406 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Oracle CVE-2016-0405 (Unspecified vulnerability in the Solaris Cluster component in Oracle S ...) NOT-FOR-US: Oracle CVE-2016-0404 (Unspecified vulnerability in the Oracle Identity Federation component ...) NOT-FOR-US: Oracle CVE-2016-0403 (Unspecified vulnerability in Oracle Sun Solaris 11 allows remote attac ...) NOT-FOR-US: Oracle CVE-2016-0402 (Unspecified vulnerability in the Java SE and Java SE Embedded componen ...) {DSA-3465-1 DSA-3458-1 DLA-410-1} - openjdk-8 8u72-b15-1 - openjdk-7 7u95-2.6.4-1 - openjdk-6 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1298957#c2 CVE-2016-0401 (Unspecified vulnerability in the Oracle BI Publisher component in Orac ...) NOT-FOR-US: Oracle CVE-2015-8536 (MITRE is populating this ID because it was assigned prior to Lenovo be ...) NOT-FOR-US: Lenovo CVE-2015-8535 (MITRE is populating this ID because it was assigned prior to Lenovo be ...) NOT-FOR-US: Lenovo CVE-2015-8534 (MITRE is populating this ID because it was assigned prior to Lenovo be ...) NOT-FOR-US: Lenovo CVE-2015-8540 (Integer underflow in the png_check_keyword function in pngwutil.c in l ...) {DSA-3443-1 DLA-375-1} - libpng (bug #807694) NOTE: http://www.openwall.com/lists/oss-security/2015/12/10/6 NOTE: https://sourceforge.net/p/libpng/bugs/244/ NOTE: http://sourceforge.net/p/libpng/code/ci/d9006f683c641793252d92254a75ae9b815b42ed/ NOTE: Fixed in 1.0.66, 1.2.56, 1.4.19, and 1.5.26 CVE-2015-8543 (The networking implementation in the Linux kernel through 4.3.3, as us ...) {DLA-378-1} - linux 4.3.3-1 [jessie] - linux 3.16.7-ckt20-1+deb8u1 [wheezy] - linux 3.2.73-2+deb7u2 - linux-2.6 NOTE: http://www.openwall.com/lists/oss-security/2015/12/09/3 NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=79462ad02e861803b3840cc782248c7359451cd9 (v4.4-rc6) CVE-2015-8539 (The KEYS subsystem in the Linux kernel before 4.4 allows local users t ...) - linux (Vulnerable code not present) - linux-2.6 (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=096fe9eaea40a17e125569f9e657e34cdb6d73bd (v4.4-rc3) NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=146aa8b1453bd8f1ff2304ffb71b4ee0eb9acdcc (v4.4-rc1) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1284450 NOTE: http://www.openwall.com/lists/oss-security/2015/12/09/1 CVE-2016-0400 (CRLF injection vulnerability in IBM WebSphere eXtreme Scale 7.1.0 befo ...) NOT-FOR-US: IBM CVE-2016-0399 (Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Managemen ...) NOT-FOR-US: IBM CVE-2016-0398 (IBM Cognos Analytics (CA) 11.0 before 11.0.2 allows remote attackers t ...) NOT-FOR-US: IBM CVE-2016-0397 (WebReports in IBM BigFix Platform (formerly Tivoli Endpoint Manager) 9 ...) NOT-FOR-US: IBM CVE-2016-0396 (IBM Tivoli Endpoint Manager could allow a user under special circumsta ...) NOT-FOR-US: IBM CVE-2016-0395 RESERVED CVE-2016-0394 (IBM Integration Bus and WebSphere Message broker sets incorrect permis ...) NOT-FOR-US: IBM CVE-2016-0393 (IBM Maximo Asset Management 7.5 before 7.5.0.10-TIV-MBS-IFIX002 and 7. ...) NOT-FOR-US: IBM CVE-2016-0392 (IBM General Parallel File System (GPFS) in GPFS Storage Server 2.0.0 t ...) NOT-FOR-US: IBM CVE-2016-0391 (The IBM Watson Developer Cloud services on Bluemix platforms do not pr ...) NOT-FOR-US: IBM CVE-2016-0390 (Cross-site scripting (XSS) vulnerability in IBM Algorithmics Algo One ...) NOT-FOR-US: IBM CVE-2016-0389 (Admin Center in IBM WebSphere Application Server (WAS) 8.5.5.2 through ...) NOT-FOR-US: IBM CVE-2016-0388 RESERVED CVE-2016-0387 (Cross-site scripting (XSS) vulnerability in IBM TRIRIGA Application Pl ...) NOT-FOR-US: IBM CVE-2016-0386 (Cross-site request forgery (CSRF) vulnerability in IBM TRIRIGA Applica ...) NOT-FOR-US: IBM CVE-2016-0385 (Buffer overflow in IBM WebSphere Application Server (WAS) 7.0 before 7 ...) NOT-FOR-US: IBM CVE-2016-0384 RESERVED CVE-2016-0383 RESERVED CVE-2016-0382 (The IBM Tealeaf Consumer Experience 8.7, 8.8, and 9.0 portal exposes s ...) NOT-FOR-US: IBM CVE-2016-0381 (IBM Cognos TM1 10.2.2 before FP5, when the host/pmhub/pm/admin AdminGr ...) NOT-FOR-US: IBM CVE-2016-0380 (IBM Sterling Connect:Direct for Unix 4.1.0 before 4.1.0.4 iFix073 and ...) NOT-FOR-US: IBM CVE-2016-0379 (IBM WebSphere MQ 7.5 before 7.5.0.7 and 8.0 before 8.0.0.5 mishandles ...) NOT-FOR-US: IBM CVE-2016-0378 (IBM WebSphere Application Server (WAS) Liberty before 16.0.0.3, when t ...) NOT-FOR-US: IBM CVE-2016-0377 (The Administrative Console in IBM WebSphere Application Server (WAS) 7 ...) NOT-FOR-US: IBM CVE-2016-0376 (The com.ibm.rmi.io.SunSerializableFactory class in IBM SDK, Java Techn ...) NOT-FOR-US: IBM CVE-2016-0375 (JMS Client in IBM MessageSight 1.1.x through 1.1.0.1, 1.2.x through 1. ...) NOT-FOR-US: IBM CVE-2016-0374 (The builder tools in IBM TRIRIGA Application Platform 3.3 before 3.3.2 ...) NOT-FOR-US: IBM CVE-2016-0373 (IBM UrbanCode Deploy 6.0 through 6.2.2.1 could allow an authenticated ...) NOT-FOR-US: IBM CVE-2016-0372 (IBM Rational Collaborative Lifecycle Management 3.0.1.6 before iFix8, ...) NOT-FOR-US: IBM CVE-2016-0371 (The Tivoli Storage Manager (TSM) password may be displayed in plain te ...) NOT-FOR-US: IBM CVE-2016-0370 (Cross-site scripting (XSS) vulnerability in IBM Forms Experience Build ...) NOT-FOR-US: IBM CVE-2016-0369 (XML external entity (XXE) vulnerability in IBM Forms Experience Builde ...) NOT-FOR-US: IBM Forms Experience Builder CVE-2016-0368 RESERVED CVE-2016-0367 (IBM Security Identity Manager Virtual Appliance 7.0.x before 7.0.1.3-I ...) NOT-FOR-US: IBM Security Identity Manager Virtual Appliance CVE-2016-0366 (IBM Security Identity Manager Virtual Appliance 7.0.x before 7.0.1.3-I ...) NOT-FOR-US: IBM Security Identity Manager Virtual Appliance CVE-2016-0365 (IBM UrbanCode Deploy 6.0.x before 6.0.1.13, 6.1.x before 6.1.3.3, and ...) NOT-FOR-US: IBM CVE-2016-0364 (IBM UrbanCode Deploy 6.0.x before 6.0.1.13, 6.1.x before 6.1.3.3, and ...) NOT-FOR-US: IBM CVE-2016-0363 (The com.ibm.CORBA.iiop.ClientDelegate class in IBM SDK, Java Technolog ...) NOT-FOR-US: IBM JDK CVE-2016-0362 (IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2. ...) NOT-FOR-US: IBM CVE-2016-0361 (IBM General Parallel File System (GPFS) 3.5 before 3.5.0.29 efix 6 and ...) NOT-FOR-US: IBM General Parallel File System CVE-2016-0360 (IBM Websphere MQ JMS 7.0.1, 7.1, 7.5, 8.0, and 9.0 client provides cla ...) NOT-FOR-US: IBM CVE-2016-0359 (CRLF injection vulnerability in IBM WebSphere Application Server (WAS) ...) NOT-FOR-US: IBM CVE-2016-0358 (IBM Sametime 8.5.2 and 9.0 could allow an unauthorized authenticated u ...) NOT-FOR-US: IBM CVE-2016-0357 (IBM Security Identity Manager (ISIM) Virtual Appliance 7.0.0.0 through ...) NOT-FOR-US: IBM CVE-2016-0356 (IBM Sametime Enterprise Meeting Server 8.5.2 and 9.0 could allow an au ...) NOT-FOR-US: IBM CVE-2016-0355 (IBM Sametime Enterprise Meeting Server 8.5.2 and 9.0 could allow an au ...) NOT-FOR-US: IBM CVE-2016-0354 (IBM Sametime Enterprise Meeting Server 8.5.2 and 9.0 could allow an au ...) NOT-FOR-US: IBM CVE-2016-0353 (IBM Security Privileged Identity Manager 2.0 before 2.0.2 FP8, when Vi ...) NOT-FOR-US: IBM CVE-2016-0352 RESERVED CVE-2016-0351 (IBM Security Identity Manager Virtual Appliance 7.0.x before 7.0.1.3-I ...) NOT-FOR-US: IBM Security Identity Manager Virtual Appliance CVE-2016-0350 (Cross-site scripting (XSS) vulnerability in the Report Builder and Dat ...) NOT-FOR-US: IBM CVE-2016-0349 (IBM Business Process Manager 8.5.6 through 8.5.6.2 and 8.5.7 before 8. ...) NOT-FOR-US: IBM CVE-2016-0348 (Cross-site request forgery (CSRF) vulnerability in IBM TRIRIGA Applica ...) NOT-FOR-US: IBM TRIRIGA Application Platform CVE-2016-0347 RESERVED CVE-2016-0346 (Cross-site scripting (XSS) vulnerability in IBM Cognos Business Intell ...) NOT-FOR-US: IBM CVE-2016-0345 (IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2. ...) NOT-FOR-US: IBM TRIRIGA Application Platform CVE-2016-0344 (Cross-site scripting (XSS) vulnerability in the My Reports component i ...) NOT-FOR-US: IBM TRIRIGA Application Platform CVE-2016-0343 (IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2. ...) NOT-FOR-US: IBM TRIRIGA Application Platform CVE-2016-0342 (IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2. ...) NOT-FOR-US: IBM TRIRIGA Application Platform CVE-2016-0341 (IBM Multi-Enterprise Integration Gateway 1.0 through 1.0.0.1 and B2B A ...) NOT-FOR-US: IBM CVE-2016-0340 (IBM Security Identity Manager (ISIM) Virtual Appliance 7.0.0.0 through ...) NOT-FOR-US: IBM CVE-2016-0339 (IBM Security Identity Manager (ISIM) Virtual Appliance 7.0.0.0 through ...) NOT-FOR-US: IBM CVE-2016-0338 (IBM Security Identity Manager (ISIM) Virtual Appliance 7.0.0.0 through ...) NOT-FOR-US: IBM CVE-2016-0337 RESERVED CVE-2016-0336 (Cross-site scripting (XSS) vulnerability in IBM Security Identity Mana ...) NOT-FOR-US: IBM Security Identity Manager CVE-2016-0335 (Cross-site request forgery (CSRF) vulnerability in IBM Security Identi ...) NOT-FOR-US: IBM Security Identity Manager CVE-2016-0334 RESERVED CVE-2016-0333 RESERVED CVE-2016-0332 (IBM Security Identity Manager (ISIM) Virtual Appliance 7.0.0.0 through ...) NOT-FOR-US: IBM Security Identity Manager CVE-2016-0331 (Cross-site scripting (XSS) vulnerability in IBM Rational Team Concert ...) NOT-FOR-US: IBM CVE-2016-0330 (IBM Security Identity Manager (ISIM) Virtual Appliance 7.0.0.0 through ...) NOT-FOR-US: IBM CVE-2016-0329 (Open redirect vulnerability in IBM Emptoris Sourcing 10.0.0.x before 1 ...) NOT-FOR-US: IBM CVE-2016-0328 (IBM Security Guardium Database Activity Monitor 8.2 before p310, 9.x t ...) NOT-FOR-US: IBM CVE-2016-0327 (IBM Security Identity Manager (ISIM) Virtual Appliance 7.0.0.0 through ...) NOT-FOR-US: IBM Security Identity Manager CVE-2016-0326 (IBM Rational Quality Manager (RQM) and Rational Collaborative Lifecycl ...) NOT-FOR-US: IBM CVE-2016-0325 (IBM Rational Collaborative Lifecycle Management 3.0.1.6 before iFix8, ...) NOT-FOR-US: IBM CVE-2016-0324 (IBM Security Identity Manager (ISIM) Virtual Appliance 7.0.0.0 through ...) NOT-FOR-US: IBM Security Identity Manager CVE-2016-0323 (The Auto-Scaling agent in Liberty for Java in IBM Bluemix before 2.7-2 ...) NOT-FOR-US: IBM CVE-2016-0322 (Cross-site scripting (XSS) vulnerability in IBM Connections 4.0 throug ...) NOT-FOR-US: IBM CVE-2016-0321 (IBM Personal Communications (aka PCOMM) 6.x before 6.0.17 and 12.x bef ...) NOT-FOR-US: IBM CVE-2016-0320 (IBM UrbanCode Deploy could allow an authenticated user to modify Ucd o ...) NOT-FOR-US: IBM CVE-2016-0319 (The XML parser in Lifecycle Query Engine (LQE) in IBM Jazz Reporting S ...) NOT-FOR-US: IBM CVE-2016-0318 (Lifecycle Query Engine (LQE) in IBM Jazz Reporting Service 6.0 and 6.0 ...) NOT-FOR-US: IBM CVE-2016-0317 (Lifecycle Query Engine (LQE) in IBM Jazz Reporting Service 6.0 and 6.0 ...) NOT-FOR-US: IBM CVE-2016-0316 (Cross-site scripting (XSS) vulnerability in Lifecycle Query Engine (LQ ...) NOT-FOR-US: IBM CVE-2016-0315 (The Report Builder and Data Collection Component (DCC) in IBM Jazz Rep ...) NOT-FOR-US: IBM CVE-2016-0314 (The Report Builder and Data Collection Component (DCC) in IBM Jazz Rep ...) NOT-FOR-US: IBM CVE-2016-0313 (Cross-site scripting (XSS) vulnerability in the Report Builder and Dat ...) NOT-FOR-US: IBM CVE-2016-0312 (IBM TRIRIGA Application Platform before 3.3.2 allows remote attackers ...) NOT-FOR-US: IBM TRIRIGA Application Platform CVE-2016-0311 (Cross-site scripting (XSS) vulnerability in IBM Tivoli Business Servic ...) NOT-FOR-US: IBM Tivoli Business Service Manager CVE-2016-0310 (IBM Connections 5.5 and earlier is vulnerable to possible host header ...) NOT-FOR-US: IBM CVE-2016-0309 RESERVED CVE-2016-0308 (IBM Connections 5.5 and earlier is vulnerable to possible link manipul ...) NOT-FOR-US: IBM CVE-2016-0307 (IBM Connections 5.5 and earlier allows remote attackers to obtain sens ...) NOT-FOR-US: IBM CVE-2016-0306 (IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.41, 8.0 before ...) NOT-FOR-US: IBM CVE-2016-0305 (IBM Connections is vulnerable to cross-site scripting, caused by impro ...) NOT-FOR-US: IBM CVE-2016-0304 (The Java Console in IBM Domino 8.5.x before 8.5.3 FP6 IF13 and 9.x bef ...) NOT-FOR-US: IBM CVE-2016-0303 (Cross-site scripting (XSS) vulnerability in IBM Tivoli Integrated Port ...) NOT-FOR-US: IBM Tivoli Integrated Portal CVE-2016-0302 RESERVED CVE-2016-0301 (Heap-based buffer overflow in the KeyView PDF filter in IBM Domino 8.5 ...) NOT-FOR-US: IBM CVE-2016-0300 (IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2. ...) NOT-FOR-US: IBM TRIRIGA Application Platform CVE-2016-0299 (IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2. ...) NOT-FOR-US: IBM CVE-2016-0298 (Directory traversal vulnerability in IBM Security Guardium Database Ac ...) NOT-FOR-US: IBM CVE-2016-0297 (IBM Tivoli Endpoint Manager - Mobile Device Management (MDM) could all ...) NOT-FOR-US: IBM CVE-2016-0296 (IBM Tivoli Endpoint Manager - Mobile Device Management (MDM) stores po ...) NOT-FOR-US: IBM CVE-2016-0295 (Cross-site request forgery (CSRF) vulnerability in the IBM BigFix Plat ...) NOT-FOR-US: IBM CVE-2016-0294 RESERVED CVE-2016-0293 (Cross-site scripting (XSS) vulnerability in IBM BigFix Platform (forme ...) NOT-FOR-US: IBM CVE-2016-0292 (WebReports in IBM BigFix Platform (formerly Tivoli Endpoint Manager) 9 ...) NOT-FOR-US: IBM CVE-2016-0291 (IBM BigFix Platform 9.0, 9.1 before 9.1.8, and 9.2 before 9.2.8 allow ...) NOT-FOR-US: IBM CVE-2016-0290 RESERVED CVE-2016-0289 (shiprec.xml in the SHIPREC application in IBM Maximo Asset Management ...) NOT-FOR-US: IBM CVE-2016-0288 (IBM Security AppScan Standard 8.7.x, 8.8.x, and 9.x before 9.0.3.2 and ...) NOT-FOR-US: IBM CVE-2016-0287 (IBM i Access 7.1 on Windows allows local users to discover registry pa ...) NOT-FOR-US: IBM CVE-2016-0286 (IBM Tivoli Business Service Manager 6.1.0 before 6.1.0-TIV-BSM-FP0004 ...) NOT-FOR-US: IBM Tivoli Business Service Manager CVE-2016-0285 (Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative ...) NOT-FOR-US: IBM CVE-2016-0284 (The XML parser in IBM Rational Collaborative Lifecycle Management 3.0. ...) NOT-FOR-US: IBM CVE-2016-0283 (Cross-site scripting (XSS) vulnerability in the OpenID Connect (OIDC) ...) NOT-FOR-US: IBM CVE-2016-0282 (Cross-site scripting (XSS) vulnerability in IBM iNotes before 8.5.3 FP ...) NOT-FOR-US: IBM CVE-2016-0281 (The mustendd driver in IBM AIX 5.3, 6.1, 7.1, and 7.2 and VIOS 2.2.x, ...) NOT-FOR-US: IBM CVE-2016-0280 (Cross-site scripting (XSS) vulnerability in IBM Information Server Fra ...) NOT-FOR-US: IBM CVE-2016-0279 (Heap-based buffer overflow in the KeyView PDF filter in IBM Domino 8.5 ...) NOT-FOR-US: IBM CVE-2016-0278 (Heap-based buffer overflow in the KeyView PDF filter in IBM Domino 8.5 ...) NOT-FOR-US: IBM CVE-2016-0277 (Heap-based buffer overflow in the KeyView PDF filter in IBM Domino 8.5 ...) NOT-FOR-US: IBM CVE-2016-0276 (IBM Financial Transaction Manager (FTM) for ACH Services for Multi-Pla ...) NOT-FOR-US: IBM Financial Transaction Manager CVE-2016-0275 (IBM Financial Transaction Manager (FTM) for ACH Services for Multi-Pla ...) NOT-FOR-US: IBM Financial Transaction Manager CVE-2016-0274 (IBM Financial Transaction Manager (FTM) for ACH Services for Multi-Pla ...) NOT-FOR-US: IBM Financial Transaction Manager CVE-2016-0273 (Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative ...) NOT-FOR-US: IBM CVE-2016-0272 (Cross-site request forgery (CSRF) vulnerability in IBM Financial Trans ...) NOT-FOR-US: IBM Financial Transaction Manager CVE-2016-0271 (The agents in IBM UrbanCode Deploy 6.x before 6.0.1.14, 6.1.x before 6 ...) NOT-FOR-US: IBM CVE-2016-0270 (IBM Domino 9.0.1 Fix Pack 3 Interim Fix 2 through 9.0.1 Fix Pack 5 Int ...) NOT-FOR-US: IBM CVE-2016-0269 (Cross-site scripting (XSS) vulnerability in IBM BigFix Platform 9.x be ...) NOT-FOR-US: IBM CVE-2016-0268 (XML external entity (XXE) vulnerability in IBM Financial Transaction M ...) NOT-FOR-US: IBM Financial Transaction Manager CVE-2016-0267 (IBM UrbanCode Deploy 6.0.x before 6.0.1.13, 6.1.x before 6.1.3.3, and ...) NOT-FOR-US: IBM CVE-2016-0266 (IBM AIX 5.3, 6.1, 7.1, and 7.2 and VIOS 2.2.x do not default to the la ...) NOT-FOR-US: IBM CVE-2016-0265 (IBM Campaign is vulnerable to cross-site scripting, caused by improper ...) NOT-FOR-US: IBM CVE-2016-0264 (Buffer overflow in the Java Virtual Machine (JVM) in IBM SDK, Java Tec ...) NOT-FOR-US: IBM JDK CVE-2016-0263 (IBM Spectrum Scale 4.1 before 4.1.1.5 and 4.2 before 4.2.0.2 and Gener ...) NOT-FOR-US: IBM CVE-2016-0262 (Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Managemen ...) NOT-FOR-US: IBM CVE-2016-0261 (Cross-site scripting (XSS) vulnerability in IBM Curam Social Program M ...) NOT-FOR-US: IBM CVE-2016-0260 (Memory leak in queue-manager agents in IBM WebSphere MQ 8.x before 8.0 ...) NOT-FOR-US: IBM CVE-2016-0259 (runmqsc in IBM WebSphere MQ 8.x before 8.0.0.5 allows local users to b ...) NOT-FOR-US: IBM CVE-2016-0258 RESERVED CVE-2016-0257 RESERVED CVE-2016-0256 RESERVED CVE-2016-0255 (IBM Marketing Platform 9.1 and 10.0 is vulnerable to stored cross-site ...) NOT-FOR-US: IBM CVE-2016-0254 (IBM Cognos Business Intelligence 10.1 and 10.2 is vulnerable to a deni ...) NOT-FOR-US: IBM CVE-2016-0253 (Cross-site scripting (XSS) vulnerability in IBM Financial Transaction ...) NOT-FOR-US: IBM Financial Transaction Manager CVE-2016-0252 (IBM Control Center 6.x before 6.0.0.1 iFix06 and Sterling Control Cent ...) NOT-FOR-US: IBM CVE-2016-0251 RESERVED CVE-2016-0250 (XML external entity (XXE) vulnerability in IBM InfoSphere Information ...) NOT-FOR-US: IBM CVE-2016-0249 (SQL injection vulnerability in IBM Security Guardium Database Activity ...) NOT-FOR-US: IBM CVE-2016-0248 (IBM Security Guardium 9.0 before p700 and 10.0 before p100 allows man- ...) NOT-FOR-US: IBM CVE-2016-0247 (IBM Security Guardium 8.2 before p310, 9.x through 9.5 before p700, an ...) NOT-FOR-US: IBM CVE-2016-0246 (Cross-site scripting (XSS) vulnerability in IBM Security Guardium 8.2 ...) NOT-FOR-US: IBM CVE-2016-0245 (The XML parser in IBM WebSphere Portal 8.0.x before 8.0.0.1 CF20 and 8 ...) NOT-FOR-US: IBM CVE-2016-0244 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 6.1.0 ...) NOT-FOR-US: IBM CVE-2016-0243 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 6.1.0 ...) NOT-FOR-US: IBM CVE-2016-0242 (IBM Security Guardium 10.x through 10.1 before p100 allows remote auth ...) NOT-FOR-US: IBM CVE-2016-0241 (IBM Security Guardium Database Activity Monitor 8.2 before p310, 9.x t ...) NOT-FOR-US: IBM CVE-2016-0240 (IBM Security Guardium Database Activity Monitor 8.2 before p310, 9.x t ...) NOT-FOR-US: IBM CVE-2016-0239 (IBM Security Guardium Database Activity Monitor 9.x through 9.5 before ...) NOT-FOR-US: IBM CVE-2016-0238 (IBM Security Guardium 9.0, 9.1, 9.5, 10.0, and 10.1 transmits sensitiv ...) NOT-FOR-US: IBM CVE-2016-0237 (IBM Security Guardium Database Activity Monitor 10 allows local users ...) NOT-FOR-US: IBM CVE-2016-0236 (IBM Security Guardium Database Activity Monitor 8.2 before p310, 9.x t ...) NOT-FOR-US: IBM CVE-2016-0235 (IBM Security Guardium Database Activity Monitor 10 allows local users ...) NOT-FOR-US: IBM CVE-2016-0234 (IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 could allow a local user ...) NOT-FOR-US: IBM CVE-2016-0233 (SQL injection vulnerability in IBM Marketing Platform 8.5.x, 8.6.x, an ...) NOT-FOR-US: IBM CVE-2016-0232 (IBM Financial Transaction Manager (FTM) for ACH Services, Check Servic ...) NOT-FOR-US: IBM CVE-2016-0231 (IBM Financial Transaction Manager (FTM) for ACH Services, Check Servic ...) NOT-FOR-US: IBM CVE-2016-0230 (IBM Power Hardware Management Console (HMC) 7.3 through 7.3.0 SP7, 7.9 ...) NOT-FOR-US: IBM CVE-2016-0229 (Cross-site scripting (XSS) vulnerability in IBM Marketing Platform 8.6 ...) NOT-FOR-US: IBM CVE-2016-0228 (IBM Marketing Platform 10.0 could allow a remote attacker to conduct p ...) NOT-FOR-US: IBM CVE-2016-0227 (Cross-site scripting (XSS) vulnerability in the document-list control ...) NOT-FOR-US: IBM CVE-2016-0226 (The client implementation in IBM Informix Dynamic Server 11.70.xCn on ...) NOT-FOR-US: IBM CVE-2016-0225 (IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x through 7.0.0.9 al ...) NOT-FOR-US: IBM CVE-2016-0224 (SQL injection vulnerability in IBM Marketing Platform 8.5.x, 8.6.x, an ...) NOT-FOR-US: IBM CVE-2016-0223 (Cross-site scripting (XSS) vulnerability in the Webform Framework API ...) NOT-FOR-US: IBM Forms Server CVE-2016-0222 (IBM Maximo Asset Management 7.6 before 7.6.0.3 IFIX001 allows remote a ...) NOT-FOR-US: IBM CVE-2016-0221 (Cross-site scripting (XSS) vulnerability in IBM Cognos TM1, as used in ...) NOT-FOR-US: IBM CVE-2016-0220 RESERVED CVE-2016-0219 (XML external entity (XXE) vulnerability in IBM Rational Team Concert 3 ...) NOT-FOR-US: IBM Rational Team Concert CVE-2016-0218 (IBM Cognos Business Intelligence and IBM Cognos Analytics are vulnerab ...) NOT-FOR-US: IBM CVE-2016-0217 (IBM Cognos Business Intelligence and IBM Cognos Analytics are vulnerab ...) NOT-FOR-US: IBM CVE-2016-0216 (Stack-based buffer overflow in IBM Tivoli Storage Manager FastBack 5.5 ...) NOT-FOR-US: IBM CVE-2016-0215 (IBM DB2 9.7, 10.1 before FP6, and 10.5 before FP8 on AIX, Linux, HP, S ...) NOT-FOR-US: IBM DB2 CVE-2016-0214 (IBM Tivoli Endpoint Manager could allow a remote attacker to upload ar ...) NOT-FOR-US: IBM CVE-2016-0213 (Stack-based buffer overflow in IBM Tivoli Storage Manager FastBack 5.5 ...) NOT-FOR-US: IBM CVE-2016-0212 (Stack-based buffer overflow in IBM Tivoli Storage Manager FastBack 5.5 ...) NOT-FOR-US: IBM CVE-2016-0211 (IBM DB2 9.7 through FP11, 9.8, 10.1 through FP5, and 10.5 through FP7 ...) NOT-FOR-US: IBM CVE-2016-0210 (IBM Sterling B2B Integrator Standard Edition could allow a remote atta ...) NOT-FOR-US: IBM CVE-2016-0209 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.5.0 ...) NOT-FOR-US: IBM CVE-2016-0208 (IBM WebSphere Commerce 6.x through 6.0.0.11, 7.x through 7.0.0.9, and ...) NOT-FOR-US: IBM CVE-2016-0207 (IBM Algorithmics One-Algo Risk Application (ARA) 4.9.1 through 5.1.0 a ...) NOT-FOR-US: IBM Algorithmics One-Algo Risk Application CVE-2016-0206 (IBM Cloud Orchestrator could allow a local authenticated attacker to c ...) NOT-FOR-US: IBM CVE-2016-0205 (A vulnerability has been identified in IBM Cloud Orchestrator 2.3, 2.3 ...) NOT-FOR-US: IBM CVE-2016-0204 (Open redirect vulnerability in IBM Cloud Orchestrator 2.4.x before 2.4 ...) NOT-FOR-US: IBM CVE-2016-0203 (A vulnerability has been identified in the IBM Cloud Orchestrator task ...) NOT-FOR-US: IBM CVE-2016-0202 (A vulnerability has been identified in tasks, backend object generated ...) NOT-FOR-US: IBM CVE-2016-0201 (GSKit in IBM Security Network Protection 5.3.1 before 5.3.1.7 and 5.3. ...) NOT-FOR-US: IBM CVE-2015-8538 (dwarf_leb.c in libdwarf allows attackers to cause a denial of service ...) {DLA-669-1} - dwarfutils 20160507-1 (bug #807817) [jessie] - dwarfutils 20120410-2+deb8u1 [squeeze] - dwarfutils (No segfault with provided test case) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1289385 NOTE: http://www.openwall.com/lists/oss-security/2015/12/09/2 NOTE: http://sourceforge.net/p/libdwarf/code/ci/da724a0bc5eec8e9ec0b0cb0c238a80e34466459/ CVE-2015-8533 REJECTED CVE-2015-8532 REJECTED CVE-2015-8531 (Cross-site scripting (XSS) vulnerability in IBM Security Access Manage ...) NOT-FOR-US: IBM CVE-2015-8530 (Stack-based buffer overflow in the Initialize function in an ActiveX c ...) NOT-FOR-US: IBM CVE-2015-8529 RESERVED CVE-2015-8528 REJECTED CVE-2015-8527 REJECTED CVE-2015-8526 REJECTED CVE-2015-8525 REJECTED CVE-2015-8524 (Cross-site scripting (XSS) vulnerability in Process Portal in IBM Busi ...) NOT-FOR-US: IBM CVE-2015-8523 (The server in IBM Tivoli Storage Manager FastBack 5.5.x and 6.x before ...) NOT-FOR-US: IBM CVE-2015-8522 (Buffer overflow in the server in IBM Tivoli Storage Manager FastBack 5 ...) NOT-FOR-US: IBM CVE-2015-8521 (Buffer overflow in the server in IBM Tivoli Storage Manager FastBack 5 ...) NOT-FOR-US: IBM CVE-2015-8520 (Buffer overflow in the server in IBM Tivoli Storage Manager FastBack 5 ...) NOT-FOR-US: IBM CVE-2015-8519 (Buffer overflow in the server in IBM Tivoli Storage Manager FastBack 5 ...) NOT-FOR-US: IBM CVE-2015-8518 RESERVED CVE-2015-8517 REJECTED CVE-2015-8516 REJECTED CVE-2015-8515 REJECTED CVE-2015-8514 REJECTED CVE-2015-8513 REJECTED CVE-2015-8512 (The lockscreen feature in Mozilla Firefox OS before 2.5 does not prope ...) NOT-FOR-US: Firefox OS CVE-2015-8511 (Race condition in the lockscreen feature in Mozilla Firefox OS before ...) NOT-FOR-US: Firefox OS CVE-2015-8510 (Cross-site scripting (XSS) vulnerability in the internationalization f ...) NOT-FOR-US: Firefox OS CVE-2015-8509 (Template.pm in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x and 4.4 ...) - bugzilla4 (bug #669643) CVE-2015-8508 (Cross-site scripting (XSS) vulnerability in showdependencygraph.cgi in ...) - bugzilla4 (bug #669643) CVE-2015-8507 (mediaserver in Android 6.0 before 2015-12-01 allows remote attackers t ...) NOT-FOR-US: Android CVE-2015-8506 (mediaserver in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-01 a ...) NOT-FOR-US: Android CVE-2015-8505 (mediaserver in Android before 5.1.1 LMY48Z allows remote attackers to ...) NOT-FOR-US: Android CVE-2015-8503 RESERVED CVE-2015-8502 REJECTED CVE-2015-8501 REJECTED CVE-2015-8500 REJECTED CVE-2015-8499 REJECTED CVE-2015-8498 REJECTED CVE-2015-8497 REJECTED CVE-2015-8496 REJECTED CVE-2015-8495 REJECTED CVE-2015-8494 REJECTED CVE-2015-8493 REJECTED CVE-2015-8492 REJECTED CVE-2015-8491 REJECTED CVE-2015-8490 REJECTED CVE-2015-8489 (customapp in Cybozu Office 9.9.0 through 10.3.0 allows remote authenti ...) NOT-FOR-US: Cybozu Office CVE-2015-8488 (Cybozu Office 10.3.0 allows remote attackers to read image files via a ...) NOT-FOR-US: Cybozu Office CVE-2015-8487 (Cybozu Office 9.0.0 through 10.3 allows remote attackers to discover C ...) NOT-FOR-US: Cybozu Office CVE-2015-8486 (Cybozu Office 9.9.0 through 10.3.0 allows remote authenticated users t ...) NOT-FOR-US: Cybozu Office CVE-2015-8485 (Cybozu Office 9.9.0 through 10.3.0 allows remote authenticated users t ...) NOT-FOR-US: Cybozu Office CVE-2015-8484 (Cybozu Office 9.9.0 through 10.3.0 allows remote authenticated users t ...) NOT-FOR-US: Cybozu Office CVE-2015-8483 (Open redirect vulnerability in Cybozu Office 10.2.0 through 10.3.0 all ...) NOT-FOR-US: Cybozu Office CVE-2015-8482 (Blue Coat Unified Agent before 4.6.2 does not prevent modification of ...) NOT-FOR-US: Blue Coat Unified Agent CVE-2015-8481 (Atlassian JIRA Software 7.0.3, JIRA Core 7.0.3, and the bundled JIRA S ...) NOT-FOR-US: Atlassian CVE-2015-8504 (Qemu, when built with VNC display driver support, allows remote attack ...) {DSA-3471-1 DSA-3470-1 DSA-3469-1} - qemu 1:2.5+dfsg-1 (bug #808130) [squeeze] - qemu (Not supported in Squeeze LTS) - qemu-kvm [squeeze] - qemu-kvm (Not supported in Squeeze LTS) NOTE: Fixed by http://git.qemu.org/?p=qemu.git;a=commitdiff;h=4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3 (v2.5.0-rc3) NOTE: Issue possibly introduced after http://git.qemu.org/?p=qemu.git;a=commitdiff;h=6cec5487990bf3f1f22b3fcb871978255e92ae0d (v0.10.0) NOTE: http://www.openwall.com/lists/oss-security/2015/12/08/4 CVE-2016-0200 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2016-0199 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2016-0198 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1 ...) NOT-FOR-US: Microsoft CVE-2016-0197 (dxgkrnl.sys in the DirectX Graphics kernel subsystem in the kernel-mod ...) NOT-FOR-US: Microsoft CVE-2016-0196 (The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-0195 (The Imaging Component in Microsoft Windows Vista SP2, Windows Server 2 ...) NOT-FOR-US: Microsoft CVE-2016-0194 (Microsoft Internet Explorer 10 and 11 allows remote attackers to bypas ...) NOT-FOR-US: Microsoft CVE-2016-0193 (The Chakra JavaScript engine in Microsoft Edge allows remote attackers ...) NOT-FOR-US: Microsoft CVE-2016-0192 (Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remo ...) NOT-FOR-US: Microsoft CVE-2016-0191 (The Chakra JavaScript engine in Microsoft Edge allows remote attackers ...) NOT-FOR-US: Microsoft CVE-2016-0190 (Volume Manager Driver in Microsoft Windows 8.1, Windows Server 2012 Go ...) NOT-FOR-US: Microsoft CVE-2016-0189 (The Microsoft (1) JScript 5.8 and (2) VBScript 5.7 and 5.8 engines, as ...) NOT-FOR-US: Microsoft CVE-2016-0188 (The User Mode Code Integrity (UMCI) implementation in Device Guard in ...) NOT-FOR-US: Microsoft CVE-2016-0187 (The Microsoft (1) JScript 5.8 and (2) VBScript 5.8 engines, as used in ...) NOT-FOR-US: Microsoft CVE-2016-0186 (The Chakra JavaScript engine in Microsoft Edge allows remote attackers ...) NOT-FOR-US: Microsoft CVE-2016-0185 (Media Center in Microsoft Windows Vista SP2, Windows 7 SP1, and Window ...) NOT-FOR-US: Microsoft CVE-2016-0184 (Use-after-free vulnerability in GDI in Microsoft Windows Vista SP2, Wi ...) NOT-FOR-US: Microsoft CVE-2016-0183 (The Windows font library in Microsoft Office 2010 SP2, Word 2010 SP2, ...) NOT-FOR-US: Microsoft CVE-2016-0182 (Windows Journal in Microsoft Windows Vista SP2, Windows 7 SP1, Windows ...) NOT-FOR-US: Microsoft CVE-2016-0181 (Microsoft Windows 10 Gold and 1511 allows local users to bypass the Vi ...) NOT-FOR-US: Microsoft CVE-2016-0180 (The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2016-0179 (Windows Shell in Microsoft Windows 8.1, Windows Server 2012 R2, Window ...) NOT-FOR-US: Microsoft CVE-2016-0178 (The RPC NDR Engine in Microsoft Windows Vista SP2, Windows Server 2008 ...) NOT-FOR-US: Microsoft CVE-2016-0177 REJECTED CVE-2016-0176 (dxgkrnl.sys in the DirectX Graphics kernel subsystem in the kernel-mod ...) NOT-FOR-US: Microsoft CVE-2016-0175 (The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-0174 (The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-0173 (The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-0172 REJECTED CVE-2016-0171 (The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-0170 (GDI in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1 ...) NOT-FOR-US: Microsoft CVE-2016-0169 (GDI in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1 ...) NOT-FOR-US: Microsoft CVE-2016-0168 (GDI in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1 ...) NOT-FOR-US: Microsoft CVE-2016-0167 (The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft Windows CVE-2016-0166 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2016-0165 (The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft Windows CVE-2016-0164 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2016-0163 REJECTED CVE-2016-0162 (Microsoft Internet Explorer 9 through 11 allows remote attackers to de ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2016-0161 (Microsoft Edge allows remote attackers to bypass the Same Origin Polic ...) NOT-FOR-US: Microsoft Edge CVE-2016-0160 (Microsoft Internet Explorer 11 mishandles DLL loading, which allows lo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2016-0159 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2016-0158 (Microsoft Edge allows remote attackers to bypass the Same Origin Polic ...) NOT-FOR-US: Microsoft Edge CVE-2016-0157 (Microsoft Edge allows remote attackers to execute arbitrary code or ca ...) NOT-FOR-US: Microsoft Edge CVE-2016-0156 (Microsoft Edge allows remote attackers to execute arbitrary code or ca ...) NOT-FOR-US: Microsoft Edge CVE-2016-0155 (Microsoft Edge allows remote attackers to execute arbitrary code or ca ...) NOT-FOR-US: Microsoft Edge CVE-2016-0154 (Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2016-0153 (OLE in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1 ...) NOT-FOR-US: Microsoft Windows CVE-2016-0152 (Internet Information Services (IIS) in Microsoft Windows Vista SP2 and ...) NOT-FOR-US: Microsoft CVE-2016-0151 (The Client-Server Run-time Subsystem (CSRSS) in Microsoft Windows 8.1, ...) NOT-FOR-US: Microsoft Windows CVE-2016-0150 (HTTP.sys in Microsoft Windows 10 Gold and 1511 allows remote attackers ...) NOT-FOR-US: Microsoft Windows CVE-2016-0149 (Microsoft .NET Framework 2.0 SP2, 3.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6, and ...) NOT-FOR-US: Microsoft CVE-2016-0148 (Microsoft .NET Framework 4.6 and 4.6.1 mishandles library loading, whi ...) NOT-FOR-US: Microsoft .NET CVE-2016-0147 (Microsoft XML Core Services 3.0 allows remote attackers to execute arb ...) NOT-FOR-US: Microsoft XML Core Services CVE-2016-0146 REJECTED CVE-2016-0145 (The font library in Microsoft Windows Vista SP2; Windows Server 2008 S ...) NOT-FOR-US: Microsoft Windows CVE-2016-0144 REJECTED CVE-2016-0143 (The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft Windows CVE-2016-0142 (Video Control in Microsoft Windows Vista SP2, Windows 7 SP1, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2016-0141 (The Visual Basic macros in Microsoft Office 2007 SP3, 2010 SP2, 2013 S ...) NOT-FOR-US: Microsoft CVE-2016-0140 (Microsoft Office 2007 SP3, Office 2010 SP2, Word Automation Services o ...) NOT-FOR-US: Microsoft CVE-2016-0139 (Microsoft Excel 2010 SP2, Word for Mac 2011, and Excel Viewer allow re ...) NOT-FOR-US: Microsoft Excel CVE-2016-0138 (Microsoft Exchange Server 2007 SP3, 2010 SP3, 2013 SP1, 2013 Cumulativ ...) NOT-FOR-US: Microsoft CVE-2016-0137 (The Click-to-Run (C2R) implementation in Microsoft Office 2013 SP1 and ...) NOT-FOR-US: Microsoft CVE-2016-0136 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Office Compatibility Pack SP ...) NOT-FOR-US: Microsoft Excel CVE-2016-0135 (The Secondary Logon Service in Microsoft Windows 10 Gold and 1511 allo ...) NOT-FOR-US: Microsoft Windows CVE-2016-0134 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1 ...) NOT-FOR-US: Microsoft CVE-2016-0133 (The USB Mass Storage Class driver in Microsoft Windows Vista SP2, Wind ...) NOT-FOR-US: Microsoft CVE-2016-0132 (Microsoft .NET Framework 2.0 SP2, 3.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6, and ...) NOT-FOR-US: Microsoft CVE-2016-0131 REJECTED CVE-2016-0130 (Microsoft Edge allows remote attackers to execute arbitrary code or ca ...) NOT-FOR-US: Microsoft CVE-2016-0129 (Microsoft Edge allows remote attackers to execute arbitrary code or ca ...) NOT-FOR-US: Microsoft CVE-2016-0128 (The SAM and LSAD protocol implementations in Microsoft Windows Vista S ...) NOT-FOR-US: Microsoft Windows CVE-2016-0127 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1 ...) NOT-FOR-US: Microsoft Word CVE-2016-0126 (Microsoft Office 2013 SP1, 2013 RT SP1, and 2016 allows remote attacke ...) NOT-FOR-US: Microsoft CVE-2016-0125 (Microsoft Edge mishandles the Referer policy, which allows remote atta ...) NOT-FOR-US: Microsoft CVE-2016-0124 (Microsoft Edge allows remote attackers to execute arbitrary code or ca ...) NOT-FOR-US: Microsoft CVE-2016-0123 (Microsoft Edge allows remote attackers to execute arbitrary code or ca ...) NOT-FOR-US: Microsoft CVE-2016-0122 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 R ...) NOT-FOR-US: Microsoft CVE-2016-0121 (The Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows ...) NOT-FOR-US: Microsoft CVE-2016-0120 (The Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows ...) NOT-FOR-US: Microsoft CVE-2016-0119 REJECTED CVE-2016-0118 (The PDF library in Microsoft Windows 10 Gold and 1511 allows remote at ...) NOT-FOR-US: Microsoft CVE-2016-0117 (The PDF library in Microsoft Windows 8.1, Windows Server 2012 Gold and ...) NOT-FOR-US: Microsoft CVE-2016-0116 (Microsoft Edge allows remote attackers to execute arbitrary code or ca ...) NOT-FOR-US: Microsoft CVE-2016-0115 REJECTED CVE-2016-0114 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft CVE-2016-0113 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2016-0112 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2016-0111 (Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remo ...) NOT-FOR-US: Microsoft CVE-2016-0110 (Microsoft Internet Explorer 10 through 11 and Microsoft Edge allow rem ...) NOT-FOR-US: Microsoft CVE-2016-0109 (Microsoft Internet Explorer 11 and Microsoft Edge allow remote attacke ...) NOT-FOR-US: Microsoft CVE-2016-0108 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft CVE-2016-0107 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2016-0106 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft CVE-2016-0105 (Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remo ...) NOT-FOR-US: Microsoft CVE-2016-0104 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft CVE-2016-0103 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft CVE-2016-0102 (Microsoft Internet Explorer 11 and Microsoft Edge allow remote attacke ...) NOT-FOR-US: Microsoft CVE-2016-0101 (Microsoft Windows Server 2008 R2 SP1, Windows 7 SP1, Windows 8.1, Wind ...) NOT-FOR-US: Microsoft CVE-2016-0100 (Microsoft Windows Vista SP2 and Server 2008 SP2 mishandle library load ...) NOT-FOR-US: Microsoft CVE-2016-0099 (The Secondary Logon Service in Microsoft Windows Vista SP2, Windows Se ...) NOT-FOR-US: Microsoft CVE-2016-0098 (Microsoft Windows Server 2008 R2 SP1, Windows 7 SP1, Windows 8.1, Wind ...) NOT-FOR-US: Microsoft CVE-2016-0097 REJECTED CVE-2016-0096 (The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-0095 (The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-0094 (The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-0093 (The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-0092 (OLE in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1 ...) NOT-FOR-US: Microsoft CVE-2016-0091 (OLE in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1 ...) NOT-FOR-US: Microsoft CVE-2016-0090 (Hyper-V in Microsoft Windows 8.1, Windows Server 2012 R2, and Windows ...) NOT-FOR-US: Microsoft CVE-2016-0089 (Hyper-V in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, and ...) NOT-FOR-US: Microsoft CVE-2016-0088 (Hyper-V in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, and ...) NOT-FOR-US: Microsoft CVE-2016-0087 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and W ...) NOT-FOR-US: Microsoft CVE-2016-0086 REJECTED CVE-2016-0085 REJECTED CVE-2016-0084 (Microsoft Edge allows remote attackers to execute arbitrary code or ca ...) NOT-FOR-US: Microsoft CVE-2016-0083 REJECTED CVE-2016-0082 REJECTED CVE-2016-0081 REJECTED CVE-2016-0080 (Microsoft Edge mishandles exceptions during window-message dispatch op ...) NOT-FOR-US: Microsoft CVE-2016-0079 (The kernel in Microsoft Windows 10 Gold, 1511, and 1607 allows local u ...) NOT-FOR-US: Microsoft CVE-2016-0078 REJECTED CVE-2016-0077 (Microsoft Internet Explorer 9 through 11 and Microsoft Edge misparse H ...) NOT-FOR-US: Microsoft CVE-2016-0076 REJECTED CVE-2016-0075 (The kernel in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, ...) NOT-FOR-US: Microsoft CVE-2016-0074 REJECTED CVE-2016-0073 (The kernel in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, ...) NOT-FOR-US: Microsoft CVE-2016-0072 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2016-0071 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft CVE-2016-0070 (The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2016-0069 (Microsoft Internet Explorer 9 through 11 allows remote attackers to by ...) NOT-FOR-US: Microsoft CVE-2016-0068 (Microsoft Internet Explorer 9 through 11 allows remote attackers to by ...) NOT-FOR-US: Microsoft CVE-2016-0067 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2016-0066 REJECTED CVE-2016-0065 REJECTED CVE-2016-0064 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft CVE-2016-0063 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2016-0062 (Microsoft Internet Explorer 11 and Microsoft Edge allow remote attacke ...) NOT-FOR-US: Microsoft CVE-2016-0061 (Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remo ...) NOT-FOR-US: Microsoft CVE-2016-0060 (Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remo ...) NOT-FOR-US: Microsoft CVE-2016-0059 (The Hyperlink Object Library in Microsoft Internet Explorer 9 through ...) NOT-FOR-US: Microsoft CVE-2016-0058 (Buffer overflow in the PDF Library in Microsoft Windows 8.1, Windows S ...) NOT-FOR-US: Microsoft CVE-2016-0057 (Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1, and 2016 does not prope ...) NOT-FOR-US: Microsoft CVE-2016-0056 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1 ...) NOT-FOR-US: Microsoft CVE-2016-0055 (Microsoft Office 2007 SP3 allows remote attackers to execute arbitrary ...) NOT-FOR-US: Microsoft CVE-2016-0054 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 R ...) NOT-FOR-US: Microsoft CVE-2016-0053 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1 ...) NOT-FOR-US: Microsoft CVE-2016-0052 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1 ...) NOT-FOR-US: Microsoft CVE-2016-0051 (The WebDAV client in Microsoft Windows Vista SP2, Windows Server 2008 ...) NOT-FOR-US: Microsoft CVE-2016-0050 (Network Policy Server (NPS) in Microsoft Windows Server 2008 SP2 and R ...) NOT-FOR-US: Microsoft CVE-2016-0049 (Kerberos in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R ...) NOT-FOR-US: Microsoft CVE-2016-0048 (The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft CVE-2016-0047 (WinForms in Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6, ...) NOT-FOR-US: Microsoft CVE-2016-0046 (Windows Reader in Microsoft Windows 8.1, Windows Server 2012 Gold and ...) NOT-FOR-US: Microsoft CVE-2016-0045 REJECTED CVE-2016-0044 (Sync Framework in Microsoft Windows 8.1, Windows Server 2012 R2, and W ...) NOT-FOR-US: Microsoft CVE-2016-0043 REJECTED CVE-2016-0042 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft CVE-2016-0041 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft CVE-2016-0040 (The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2016-0039 (Cross-site scripting (XSS) vulnerability in SharePoint Server in Micro ...) NOT-FOR-US: Microsoft CVE-2016-0038 (Windows Journal in Microsoft Windows Vista SP2, Windows Server 2008 SP ...) NOT-FOR-US: Microsoft CVE-2016-0037 (The forms-based authentication implementation in Active Directory Fede ...) NOT-FOR-US: Microsoft CVE-2016-0036 (The Remote Desktop Protocol (RDP) implementation in Microsoft Windows ...) NOT-FOR-US: Microsoft CVE-2016-0035 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 R ...) NOT-FOR-US: Microsoft CVE-2016-0034 (Microsoft Silverlight 5 before 5.1.41212.0 mishandles negative offsets ...) NOT-FOR-US: Microsoft CVE-2016-0033 (Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6, and 4.6.1 do ...) NOT-FOR-US: Microsoft CVE-2016-0032 (Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) i ...) NOT-FOR-US: Microsoft CVE-2016-0031 (Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) i ...) NOT-FOR-US: Microsoft CVE-2016-0030 (Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) i ...) NOT-FOR-US: Microsoft CVE-2016-0029 (Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) i ...) NOT-FOR-US: Microsoft CVE-2016-0028 (Outlook Web Access (OWA) in Microsoft Exchange Server 2013 SP1, Cumula ...) NOT-FOR-US: Microsoft CVE-2016-0027 REJECTED CVE-2016-0026 (The Common Log File System (CLFS) driver in Microsoft Windows Vista SP ...) NOT-FOR-US: Microsoft CVE-2016-0025 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1 ...) NOT-FOR-US: Microsoft CVE-2016-0024 (The Chakra JavaScript engine in Microsoft Edge allows remote attackers ...) NOT-FOR-US: Microsoft CVE-2016-0023 REJECTED CVE-2016-0022 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1 ...) NOT-FOR-US: Microsoft CVE-2016-0021 (Microsoft InfoPath 2007 SP3, 2010 SP2, and 2013 SP1 allows remote atta ...) NOT-FOR-US: Microsoft CVE-2016-0020 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and W ...) NOT-FOR-US: Microsoft CVE-2016-0019 (The Remote Desktop Protocol (RDP) service implementation in Microsoft ...) NOT-FOR-US: Microsoft CVE-2016-0018 (Microsoft Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 R ...) NOT-FOR-US: Microsoft CVE-2016-0017 REJECTED CVE-2016-0016 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft CVE-2016-0015 (DirectShow in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2016-0014 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft CVE-2016-0013 REJECTED CVE-2016-0012 (Microsoft Office 2007 SP3, Excel 2007 SP3, PowerPoint 2007 SP3, Visio ...) NOT-FOR-US: Microsoft CVE-2016-0011 (Microsoft SharePoint Server 2013 SP1 and SharePoint Foundation 2013 SP ...) NOT-FOR-US: Microsoft CVE-2016-0010 (Microsoft Office 2007 SP3, Office 2010 SP2, Office 2013 SP1, Office 20 ...) NOT-FOR-US: Microsoft CVE-2016-0009 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft CVE-2016-0008 (The graphics device interface in Microsoft Windows Vista SP2, Windows ...) NOT-FOR-US: Microsoft CVE-2016-0007 (The sandbox implementation in Microsoft Windows Vista SP2, Windows Ser ...) NOT-FOR-US: Microsoft CVE-2016-0006 (The sandbox implementation in Microsoft Windows Vista SP2, Windows Ser ...) NOT-FOR-US: Microsoft CVE-2016-0005 (Microsoft Internet Explorer 9 through 11 allows remote attackers to by ...) NOT-FOR-US: Microsoft CVE-2016-0004 REJECTED CVE-2016-0003 (Microsoft Edge allows remote attackers to execute arbitrary code via u ...) NOT-FOR-US: Microsoft CVE-2016-0002 (The Microsoft (1) VBScript 5.7 and 5.8 and (2) JScript 5.7 and 5.8 eng ...) NOT-FOR-US: Microsoft CVE-2016-0001 REJECTED CVE-2015-8480 (The VideoFramePool::PoolImpl::CreateFrame function in media/base/video ...) - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2015-8479 (Use-after-free vulnerability in the AudioOutputDevice::OnDeviceAuthori ...) - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2015-8478 (Multiple unspecified vulnerabilities in Google V8 before 4.7.80.23, as ...) - chromium-browser 47.0.2526-73-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2015-8475 RESERVED CVE-2015-8471 RESERVED NOT-FOR-US: ATutor CVE-2015-8470 (The console in Puppet Enterprise 3.7.x, 3.8.x, and 2015.2.x does not s ...) NOT-FOR-US: Puppet Enterprise CVE-2015-8469 RESERVED CVE-2015-8468 RESERVED CVE-2015-8467 (The samldb_check_user_account_control_acl function in dsdb/samdb/ldb_m ...) {DSA-3433-1} - samba 2:4.1.22+dfsg-1 [wheezy] - samba (Only affects 4.0.0 to 4.3.2) [squeeze] - samba (Only affects 4.0.0 to 4.3.2) NOTE: https://www.samba.org/samba/security/CVE-2015-8467.html CVE-2015-8466 (Swift3 before 1.9 allows remote attackers to conduct replay attacks vi ...) {DSA-3583-1} - swift-plugin-s3 1.9-1 (bug #822688) CVE-2014-9758 (Cross-site scripting (XSS) vulnerability in Magento E-Commerce Platfor ...) NOT-FOR-US: Magento CVE-2015-XXXX [uses non-random tempdir /tmp/tmprepo.0/.git/] - git-repair 1.20151215-1 (unimportant; bug #807341) NOTE: Non-exploitable on release archs due to kernel hardening CVE-2015-8537 (app/views/journals/index.builder in Redmine before 2.6.9, 3.0.x before ...) {DSA-3529-1} - redmine 3.2.0-1 (bug #807826) [squeeze] - redmine (Vulnerable code not present in 1.0.1) [wheezy] - redmine (Redmine not supported because of rails) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://www.redmine.org/issues/21419 (private) NOTE: https://github.com/redmine/redmine/commit/7e423fb4538247d59e01958c48b491f196a1de56 NOTE: upstream fixed in 2.6.9, 3.0.6 and 3.1.3 NOTE: http://www.openwall.com/lists/oss-security/2015/12/08/8 CVE-2016-1000033 (Shotwell version 0.22.0 (and possibly other versions) is vulnerable to ...) - shotwell 0.22.0-3 (low; bug #807110) [jessie] - shotwell (Minor issue) [wheezy] - shotwell (Minor issue) [squeeze] - shotwell (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/12/04/4 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=754488 CVE-2015-8476 (Multiple CRLF injection vulnerabilities in PHPMailer before 5.2.14 all ...) {DSA-3416-1 DLA-363-1} - libphp-phpmailer 5.2.14+dfsg-1 (bug #807265) NOTE: https://github.com/PHPMailer/PHPMailer/commit/6687a96a18b8f12148881e4ddde795ae477284b0 (v5.2.14) CVE-2015-8474 (Open redirect vulnerability in the valid_back_url function in app/cont ...) {DSA-3529-1} - redmine 3.2.0-1 (bug #807272) [squeeze] - redmine (Redmine not supported because of rails) [wheezy] - redmine (Redmine not supported because of rails) NOTE: http://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://www.redmine.org/issues/19577 (private) NOTE: commit: https://github.com/redmine/redmine/commit/032f2c9be6520d9d1a1608aa4f1d5d1f184f2472 NOTE: upstream fixed in 2.6.7, 3.0.5 and 3.1.1 NOTE: http://www.openwall.com/lists/oss-security/2015/12/04/1 NOTE: depends on the CVE-2014-1985 fix first CVE-2015-8473 (The Issues API in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x ...) {DSA-3529-1} - redmine 3.2.0-1 (bug #807345) [squeeze] - redmine (code dates from the API changes introduced in 735a83c, part of 1.1) [wheezy] - redmine (Redmine not supported because of rails) NOTE: https://www.redmine.org/projects/redmine/wiki/Changelog_3_0 NOTE: https://www.redmine.org/issues/21136 NOTE: http://www.openwall.com/lists/oss-security/2015/12/03/7 NOTE: https://github.com/redmine/redmine/commit/8d8f612fa368a72c56b63f7ce6b7e98cab9feb22 CVE-2015-8465 RESERVED CVE-2015-8464 RESERVED CVE-2015-8463 RESERVED CVE-2015-8462 RESERVED CVE-2015-8461 (Race condition in resolver.c in named in ISC BIND 9.9.8 before 9.9.8-P ...) - bind9 (Only affects 9.9.8 -> 9.9.8-P1, 9.9.8-S1 -> 9.9.8-S2, 9.10.3 -> 9.10.3-P1) NOTE: https://kb.isc.org/article/AA-01319 CVE-2015-8460 (Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8459 (Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8458 (Heap-based buffer overflow in AGM.dll in Adobe Reader and Acrobat 10.x ...) NOT-FOR-US: Adobe CVE-2015-8457 (Stack-based buffer overflow in Adobe Flash Player before 18.0.0.268 an ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8456 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8455 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8454 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8453 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8452 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8451 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8450 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8449 (Use-after-free vulnerability in the MovieClip object implementation in ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8448 (Use-after-free vulnerability in the DisplacementMapFilter object imple ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8447 (Use-after-free vulnerability in the Color object implementation in Ado ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8446 (Heap-based buffer overflow in Adobe Flash Player before 18.0.0.268 and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8445 (Integer overflow in the Shader filter implementation in Adobe Flash Pl ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8444 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8443 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8442 (Use-after-free vulnerability in the MovieClip object implementation in ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8441 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8440 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8439 (The SharedObject object implementation in Adobe Flash Player before 18 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8438 (Heap-based buffer overflow in Adobe Flash Player before 18.0.0.268 and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8437 (Use-after-free vulnerability in the Selection object implementation in ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8436 (Use-after-free vulnerability in the PrintJob object implementation in ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8435 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8434 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8433 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8432 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8431 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8430 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8429 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8428 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8427 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8426 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8425 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8424 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8423 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8422 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8421 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8420 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8419 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8418 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8417 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8416 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8415 (Buffer overflow in Adobe Flash Player before 18.0.0.268 and 19.x and 2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8414 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8413 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8412 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8411 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8410 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8409 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8408 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8407 (Stack-based buffer overflow in Adobe Flash Player before 18.0.0.268 an ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8406 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8405 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8404 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8403 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8402 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8401 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8399 (Atlassian Confluence before 5.8.17 allows remote authenticated users t ...) NOT-FOR-US: Atlassian Confluence CVE-2015-8398 (Cross-site scripting (XSS) vulnerability in Atlassian Confluence befor ...) NOT-FOR-US: Atlassian Confluence CVE-2015-8397 (The JPEGLSCodec::DecodeExtent function in MediaStorageAndFileFormat/gd ...) - gdcm 2.6.2-1 [jessie] - gdcm 2.4.4-3+deb8u1 [wheezy] - gdcm (Vulnerable code not present) [squeeze] - gdcm (Vulnerable code not present) NOTE: http://census-labs.com/news/2016/01/11/gdcm-out-bounds-read-jpeglscodec-decodeextent/ NOTE: http://sourceforge.net/p/gdcm/gdcm/ci/e547b1ded3fd21e0b0ad149f13045aa12d4b9b7c/ CVE-2015-8396 (Integer overflow in the ImageRegionReader::ReadIntoBuffer function in ...) - gdcm 2.6.2-1 [jessie] - gdcm 2.4.4-3+deb8u1 [wheezy] - gdcm (Minor issue) [squeeze] - gdcm (Vulnerable code not present) NOTE: http://census-labs.com/news/2016/01/11/gdcm-buffer-overflow-imageregionreaderreadintobuffer/ NOTE: http://sourceforge.net/p/gdcm/gdcm/ci/0f6f82052484774d072784f32105cecc79c45c19/ NOTE: http://sourceforge.net/p/gdcm/gdcm/ci/92cd6d7fe0d01c61cf68ac4ef65ef388ee252415/ NOTE: http://sourceforge.net/p/gdcm/gdcm/ci/9cbca25ff7f20c432b61eb9f4cae43a946502b66/ NOTE: http://sourceforge.net/p/gdcm/gdcm/ci/e0dd1114c82d372dd905c029ddbee4e81ed01a89/ CVE-2012-6704 (The sock_setsockopt function in net/core/sock.c in the Linux kernel be ...) {DLA-772-1} - linux 3.8.11-1 NOTE: Fixed by: https://git.kernel.org/linus/82981930125abfd39d7c8378a9cfdf5e1be2002b (v3.5-rc1) CVE-2012-6703 (Integer overflow in the snd_compr_allocate_buffer function in sound/co ...) - linux 3.8.11-1 [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/b35cc8225845112a616e3a2266d2fde5ab13d3ab (3.7-rc1) CVE-2012-6702 (Expat, when used in a parser that has not called XML_SetHashSalt or pa ...) {DSA-3597-1 DLA-508-1} - expat 2.1.1-3 CVE-2012-6701 (Integer overflow in fs/aio.c in the Linux kernel before 3.4.1 allows l ...) - linux (Fixed in v3.2.19; which was before src:linux rename) - linux-2.6 3.2.19-1 NOTE: https://git.kernel.org/linus/a70b52ec1aaeaf60f4739edb1b422827cb6f3893 (v3.5-rc1) NOTE: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=07343eab681bf8c22a2b31d978569a5f65253171 (v3.2.19) CVE-2012-6700 (The decode_search function in dhcp.c in dhcpcd 3.x does not properly f ...) {DSA-3534-1 DLA-362-1} - dhcpcd NOTE: https://launchpadlibrarian.net/228152582/dhcp.c.patch NOTE: original ubuntu bug: https://bugs.launchpad.net/ubuntu/+source/dhcpcd/+bug/1517226 CVE-2012-6699 (The decode_search function in dhcp.c in dhcpcd 3.x allows remote DHCP ...) {DSA-3534-1} - dhcpcd NOTE: https://launchpadlibrarian.net/228152582/dhcp.c.patch NOTE: original ubuntu bug: https://bugs.launchpad.net/ubuntu/+source/dhcpcd/+bug/1517226 CVE-2012-6698 (The decode_search function in dhcp.c in dhcpcd 3.x allows remote DHCP ...) {DSA-3534-1 DLA-362-1} - dhcpcd NOTE: https://launchpadlibrarian.net/228152582/dhcp.c.patch NOTE: original ubuntu bug: https://bugs.launchpad.net/ubuntu/+source/dhcpcd/+bug/1517226 CVE-2015-8379 (CakePHP 2.x and 3.x before 3.1.5 might allow remote attackers to bypas ...) - cakephp 2.8.0-1 (bug #832316) [jessie] - cakephp (Minor issue) [wheezy] - cakephp (vulnerable code not present) NOTE: http://karmainsecurity.com/KIS-2016-01 NOTE: https://github.com/cakephp/cakephp/commit/0f818a23a876c01429196bf7623e1e94a50230f0 CVE-2015-8400 (The HTTPS fallback implementation in Shell In A Box (aka shellinabox) ...) - shellinabox 2.19 [jessie] - shellinabox (Minor issue) [wheezy] - shellinabox (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/12/02/6 CVE-2015-8377 (SQL injection vulnerability in the host_new_graphs_save function in gr ...) {DSA-3494-1 DLA-374-1} - cacti 0.8.8f+ds1-4 NOTE: http://bugs.cacti.net/view.php?id=2655 NOTE: http://seclists.org/fulldisclosure/2015/Dec/att-57/cacti_sqli%281%29.txt CVE-2015-XXXX [Avoid unbounded SFTP extended attribute key/values] - proftpd-dfsg 1.3.5b-1 [jessie] - proftpd-dfsg 1.3.5e-0+deb8u1 [wheezy] - proftpd-dfsg (Minor issue; can be fixed in point release) [squeeze] - proftpd-dfsg (Vulnerable code not present) NOTE: http://bugs.proftpd.org/show_bug.cgi?id=4210 NOTE: https://github.com/proftpd/proftpd/pull/171 CVE-2015-8376 (Multiple cross-site scripting (XSS) vulnerabilities in Symphony CMS 2. ...) NOT-FOR-US: Microsoft CVE-2015-8373 (The kea-dhcp4 and kea-dhcp6 servers 0.9.2 and 1.0.0-beta in ISC Kea, w ...) - isc-kea (Fixed before the initial version uploaded to Debian) CVE-2015-8372 RESERVED CVE-2015-8371 [Composer Cache Injection vulnerability] RESERVED - composer 1.0.0~alpha11-3 NOTE: http://flyingmana.de/blog_en/2016/02/14/composer_cache_injection_vulnerability_cve_2015_8371.html CVE-2015-8370 (Multiple integer underflows in Grub2 1.98 through 2.02 allow physicall ...) {DSA-3421-1 DLA-368-1} - grub2 2.02~beta2-33 (bug #807614) NOTE: https://twitter.com/lostinsecurity/status/674925944524640257 NOTE: http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html CVE-2015-8369 (SQL injection vulnerability in include/top_graph_header.php in Cacti 0 ...) {DSA-3423-1 DLA-374-1} - cacti 0.8.8f+ds1-3 (bug #807599) NOTE: http://bugs.cacti.net/view.php?id=2646 CVE-2015-8378 (In KeePassX before 0.4.4, a cleartext copy of password data is created ...) - keepassx 0.4.3+dfsg-1 (bug #791858) [jessie] - keepassx 0.4.3+dfsg-0.1+deb8u1 [wheezy] - keepassx (Minor issue) [squeeze] - keepassx (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/11/30/4 CVE-2015-8375 (Cross-site scripting (XSS) vulnerability in PHP-Fusion 9. ...) NOT-FOR-US: PHP-Fusion CVE-2015-8368 (ntopng (aka ntop) before 2.2 allows remote authenticated users to chan ...) - ntopng 2.2+dfsg1-1 (bug #816190) [jessie] - ntopng (Minor issue) NOTE: fixed upstream in 2.2 NOTE: https://www.exploit-db.com/exploits/38836/ NOTE: https://github.com/ntop/ntopng/commit/2e0620be3410f5e22c9aa47e261bc5a12be692c6 CVE-2015-8367 (The phase_one_correct function in Libraw before 0.17.1 allows attacker ...) - libraw 0.17.1-1 (bug #806809) [jessie] - libraw 0.16.0-9+deb8u2 [wheezy] - libraw (Vulnerable code not present) [squeeze] - libraw (Vulnerable code not present) - dcraw (Vulnerable code not present) - kodi (Vulnerable code not present) - darktable 2.0.0-1 [jessie] - darktable (Vulnerable code not present) [wheezy] - darktable (Vulnerable code not present) [squeeze] - darktable (Vulnerable code not present) - ufraw (Vulnerable code not present) - rawtherapee (Vulnerable code not present) - exactimage (Vulnerable code not present) - xbmc [jessie] - xbmc (Transitional dummy package) [wheezy] - xbmc (Vulnerable code not present) NOTE: Fixed by: https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2 NOTE: Introduced by: https://github.com/LibRaw/LibRaw/commit/7b1430c76a19c93f3cc755bb2ff9bda0ba9b4082 (0.15.0) CVE-2015-8366 (Array index error in smal_decode_segment function in LibRaw before 0.1 ...) - libraw 0.17.1-1 (bug #806809) [jessie] - libraw 0.16.0-9+deb8u2 [wheezy] - libraw (Vulnerable code not present) [squeeze] - libraw (Vulnerable code not present) - dcraw 9.28-1 (bug #864168) [stretch] - dcraw (Minor issue) [jessie] - dcraw (Minor issue) [wheezy] - dcraw (Vulnerable code not present) [squeeze] - dcraw (Vulnerable code not present) - kodi (Vulnerable code not present) - darktable 2.0.0-1 [jessie] - darktable (Vulnerable code not present) [wheezy] - darktable (Vulnerable code not present) [squeeze] - darktable (Vulnerable code not present) - ufraw 0.20-4 (bug #818882) [jessie] - ufraw (Minor issue) [wheezy] - ufraw (Vulnerable code not present) [squeeze] - ufraw (Vulnerable code not present) - rawtherapee 4.2.1241-2 [jessie] - rawtherapee 4.2-1+deb8u2 [wheezy] - rawtherapee (Vulnerable code not present) [squeeze] - rawtherapee (Vulnerable code not present) - exactimage 0.9.1-13 [jessie] - exactimage 0.8.9-7+deb8u2 [wheezy] - exactimage (Vulnerable code not present) [squeeze] - exactimage (Vulnerable code not present) NOTE: exactimage: smal_decode_segment inside dcraw.h not dcraw.c - xbmc [jessie] - xbmc (Transitional dummy package) [wheezy] - xbmc (Vulnerable code not present) NOTE: Fixed by: https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2 CVE-2015-8365 (The smka_decode_frame function in libavcodec/smacker.c in FFmpeg befor ...) {DSA-4012-1 DLA-1142-1} - ffmpeg 7:2.8.3-1 (bug #806519) [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=4a9af07a49295e014b059c1ab624c40345af5892 NOTE: fix for the libav 11.9 branch: https://git.libav.org/?p=libav.git;a=commit;h=v11.9-5-g88762a0 NOTE: fix for the libav 0.8 branch: https://git.libav.org/?p=libav.git;a=commit;h=9fba59f471725e5235d5378e795ebf8b59472817 CVE-2015-8364 (Integer overflow in the ff_ivi_init_planes function in libavcodec/ivi. ...) {DLA-1611-1} - ffmpeg 7:2.8.3-1 (bug #806519) [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=df91aa034b82b77a3c4e01791f4a2b2ff6c82066 CVE-2015-8363 (The jpeg2000_read_main_headers function in libavcodec/jpeg2000dec.c in ...) {DLA-1611-1} - ffmpeg 7:2.8.3-1 (bug #806519) [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav [wheezy] - libav (Vulnerable code not present) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=44a7f17d0b20e6f8d836b2957e3e357b639f19a2 CVE-2015-8362 (The setUpSubtleUserAccount function in /bin/bw on Harman AMX devices b ...) NOT-FOR-US: Harman AMX CVE-2015-8361 (Multiple unspecified services in Atlassian Bamboo before 5.9.9 and 5.1 ...) NOT-FOR-US: Atlassian CVE-2015-8360 (An unspecified resource in Atlassian Bamboo before 5.9.9 and 5.10.x be ...) NOT-FOR-US: Atlassian CVE-2015-8359 RESERVED CVE-2015-8358 (Directory traversal vulnerability in the bitrix.mpbuilder module befor ...) NOT-FOR-US: Bitrix CVE-2015-8357 (Directory traversal vulnerability in the bitrix.xscan module before 1. ...) NOT-FOR-US: Bitrix CVE-2015-8356 (Multiple SQL injection vulnerabilities in the mcart.xls module 6.5.2 a ...) NOT-FOR-US: Bitrix CVE-2015-8355 (Multiple SQL injection vulnerabilities in the orion.extfeedbackform mo ...) NOT-FOR-US: Bitrix CVE-2015-8354 (Cross-site scripting (XSS) vulnerability in the Ultimate Member WordPr ...) NOT-FOR-US: WordPress plugin ultimate-member CVE-2015-8353 (Cross-site scripting (XSS) vulnerability in the Role Scoper plugin bef ...) NOT-FOR-US: WordPress plugin role-scoper CVE-2015-8352 (Directory traversal vulnerability in Zen Cart 1.5.4 allows remote atta ...) NOT-FOR-US: Zen Cart CVE-2015-8351 (PHP remote file inclusion vulnerability in the Gwolle Guestbook plugin ...) NOT-FOR-US: WordPress plugin gwolle-gb CVE-2015-8350 (Multiple cross-site scripting (XSS) vulnerabilities in the Calls to Ac ...) NOT-FOR-US: WordPress plugin cta CVE-2015-8349 (Cross-site scripting (XSS) vulnerability in SourceBans before 2.0 pre- ...) NOT-FOR-US: SourceBeans CVE-2015-8348 RESERVED CVE-2015-8347 RESERVED CVE-2015-8344 RESERVED CVE-2015-8343 RESERVED CVE-2015-8342 REJECTED CVE-2015-8341 (The libxl toolstack library in Xen 4.1.x through 4.6.x does not proper ...) {DSA-3519-1} - xen 4.8.0~rc3-1 (bug #823620) [wheezy] - xen (Minor issue, xl not used in wheezy) [squeeze] - xen (Not supported in Squeeze LTS) NOTE: http://xenbits.xen.org/xsa/advisory-160.html CVE-2015-8340 (The memory_exchange function in common/memory.c in Xen 3.2.x through 4 ...) {DSA-3519-1 DLA-479-1} - xen 4.8.0~rc3-1 (bug #823620) [squeeze] - xen (Not supported in Squeeze LTS) NOTE: http://xenbits.xen.org/xsa/advisory-159.html CVE-2015-8339 (The memory_exchange function in common/memory.c in Xen 3.2.x through 4 ...) {DSA-3519-1 DLA-479-1} - xen 4.8.0~rc3-1 (bug #823620) [squeeze] - xen (Not supported in Squeeze LTS) NOTE: http://xenbits.xen.org/xsa/advisory-159.html CVE-2015-8338 (Xen 4.6.x and earlier does not properly enforce limits on page order i ...) {DSA-3633-1} - xen 4.8.0~rc3-1 (bug #823620) [wheezy] - xen (Only affects Xen on arm) [squeeze] - xen (Only affects Xen on arm) NOTE: http://xenbits.xen.org/xsa/advisory-158.html CVE-2014-9757 (The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before ...) NOT-FOR-US: Atlassian Bamboo CVE-2015-8374 (fs/btrfs/inode.c in the Linux kernel before 4.3.3 mishandles compresse ...) - linux 4.2.6-2 [jessie] - linux 3.16.7-ckt20-1+deb8u1 [wheezy] - linux 3.2.78-1 - linux-2.6 [squeeze] - linux-2.6 (btrfs in 2.6.32 is just a tech preview and not usable for production) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0305cd5f7fca85dae392b9ba85b116896eb7c1c7 (v4.4-rc1) NOTE: http://www.openwall.com/lists/oss-security/2015/11/27/2 NOTE: CVE assignment for the vulnerability with the impact of "User B now NOTE: gets to see the 1000 bytes that user A truncated from its file before NOTE: it made its file world readable" CVE-2015-8337 (The HIFI driver in Huawei P8 phones with software GRA-TL00 before GRA- ...) NOT-FOR-US: Huawei CVE-2015-8336 (Huawei FusionCompute with software before V100R005C10SPC700 allows rem ...) NOT-FOR-US: Huawei FusionCompute CVE-2015-8335 (Huawei VCN500 with software before V100R002C00SPC201 logs passwords in ...) NOT-FOR-US: Huawei CVE-2015-8334 (SQL injection vulnerability in the Operation and Maintenance Unit (OMU ...) NOT-FOR-US: Huawei CVE-2015-8333 (The Operation and Maintenance Unit (OMU) in Huawei VCN500 with softwar ...) NOT-FOR-US: Huawei CVE-2015-8332 (Huawei Video Content Management (VCM) before V100R001C10SPC001 does no ...) NOT-FOR-US: Huawei CVE-2015-8331 (The Operation and Maintenance Unit (OMU) in Huawei VCN500 with softwar ...) NOT-FOR-US: Huawei CVE-2015-8330 (The PCo agent in SAP Plant Connectivity (PCo) allows remote attackers ...) NOT-FOR-US: SAP CVE-2015-8329 (SAP Manufacturing Integration and Intelligence (aka MII, formerly xMII ...) NOT-FOR-US: SAP CVE-2015-8328 (Unspecified vulnerability in the NVAPI support layer in the NVIDIA GPU ...) - nvidia-graphics-drivers (Windows only) CVE-2015-8327 (Incomplete blacklist vulnerability in util.c in foomatic-rip in cups-f ...) {DSA-3429-1 DSA-3411-1 DLA-365-1} - cups-filters 1.2.0-1 [wheezy] - cups-filters (Vulnerable code not present; introduced in 1.0.42) - foomatic-filters 4.0.17-7 (bug #806886) CVE-2015-8325 (The do_setup_env function in session.c in sshd in OpenSSH through 7.2p ...) {DSA-3550-1} - openssh 1:7.2p2-3 NOTE: Upstream fix: https://anongit.mindrot.org/openssh.git/commit/?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755 CVE-2015-XXXX [RCE in gitlab-shell 2.6.6-2.6.7] - gitlab-shell (Only affects version 2.6.6-2.6.7) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/11/25/5 CVE-2015-8345 (The eepro100 emulator in QEMU qemu-kvm blank allows local guest users ...) {DSA-3471-1 DSA-3470-1 DSA-3469-1} - qemu 1:2.5+dfsg-1 (bug #806373) [jessie] - qemu (Minor issue, can be fixed along in a later DSA) [wheezy] - qemu (Minor issue, can be fixed along in a later DSA) [squeeze] - qemu (Not supported in Squeeze LTS) - qemu-kvm [jessie] - qemu-kvm (Minor issue, can be fixed along in a later DSA) [wheezy] - qemu-kvm (Minor issue, can be fixed along in a later DSA) [squeeze] - qemu-kvm (Not supported in Squeeze LTS) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-10/msg03911.html NOTE: http://www.openwall.com/lists/oss-security/2015/11/25/3 CVE-2015-8346 (app/views/timelog/_form.html.erb in Redmine before 2.6.8, 3.0.x before ...) {DSA-3529-1 DLA-351-1} - redmine 3.2.0-1 (bug #806376) [wheezy] - redmine (Redmine not supported because of rails) [squeeze] - redmine (Redmine not supported because of rails) NOTE: https://www.redmine.org/projects/redmine/wiki/Changelog_3_0 NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://www.redmine.org/issues/21150 (private) NOTE: http://www.openwall.com/lists/oss-security/2015/11/25/1 NOTE: Commit: https://github.com/redmine/redmine/commit/945a091c94a9ed651f61e225fa8646479478e9d4 NOTE: Commit: https://github.com/redmine/redmine/commit/c096dde88ff02872ba35edc4dc403c80a7867b5c NOTE: For squeeze, the bug is in app/views/timelog/edit.rhtml NOTE: upstream fixed in 2.6.8, 3.0.6 and 3.1.2 CVE-2015-XXXX [Insecure permissions for backup directory] - dbconfig-common 1.8.58 (bug #805638) [jessie] - dbconfig-common 1.8.47+nmu3+deb8u1 [wheezy] - dbconfig-common 1.8.47+nmu1+deb7u1 [squeeze] - dbconfig-common 1.8.46+squeeze.1 NOTE: Workaround entry for DLA-390-1 (since no CVE for this issue) CVE-2015-8323 RESERVED CVE-2015-8322 (NetApp OnCommand System Manager 8.3.x before 8.3.2 allows remote authe ...) NOT-FOR-US: NetApp CVE-2015-8326 (The IPTables-Parse module before 1.6 for Perl allows local users to wr ...) - libiptables-parse-perl 1.6-1 [jessie] - libiptables-parse-perl 1.1-1+deb8u1 [wheezy] - libiptables-parse-perl 1.1-1+deb7u1 [squeeze] - libiptables-parse-perl (Minor issue) NOTE: https://github.com/mtrmac/IPTables-Parse/commit/b400b976d81140f6971132e94eb7657b5b0a2b87 NOTE: http://www.openwall.com/lists/oss-security/2015/11/24/6 CVE-2015-8381 (The compile_regex function in pcre_compile.c in PCRE before 8.38 and p ...) - pcre3 2:8.38-1 (bug #796762; bug #795539) [jessie] - pcre3 2:8.35-3.3+deb8u2 [wheezy] - pcre3 (Vulnerable code introduced later) [squeeze] - pcre3 (Vulnerable code introduced later) NOTE: https://bugs.exim.org/show_bug.cgi?id=1672 NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1594 NOTE: http://www.openwall.com/lists/oss-security/2015/08/24/1 NOTE: https://bugs.exim.org/show_bug.cgi?id=1667 NOTE: http://www.openwall.com/lists/oss-security/2015/08/05/3 NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1585 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1250943 CVE-2015-8380 (The pcre_exec function in pcre_exec.c in PCRE before 8.38 mishandles a ...) - pcre3 2:8.38-1 (bug #806467) [jessie] - pcre3 2:8.35-3.3+deb8u2 [wheezy] - pcre3 (Vulnerable code not present) NOTE: For wheezy: same code looks present around patched lines, though the NOTE: reproducer does not lead to a crash, and just gives NOTE: "Matched, but too many substrings" [squeeze] - pcre3 (Vulnerable code not present) NOTE: Fixed in 8.38 upstream - pcre2 NOTE: Commit: http://vcs.pcre.org/pcre?view=revision&revision=1565 NOTE: https://bugs.exim.org/show_bug.cgi?id=1637 NOTE: https://blog.fuzzing-project.org/29-Heap-Overflow-in-PCRE.html CVE-2015-8321 RESERVED CVE-2015-8319 (Heap-based buffer overflow in the HIFI driver in Huawei P8 smartphones ...) NOT-FOR-US: Huawei CVE-2015-8318 (Heap-based buffer overflow in the HIFI driver in Huawei P8 smartphones ...) NOT-FOR-US: Huawei CVE-2015-8315 (The ms package before 0.7.1 for Node.js allows attackers to cause a de ...) - node-ms (Fixed before initial upload to Debian) CVE-2015-8314 RESERVED CVE-2015-8313 (GnuTLS incorrectly validates the first byte of padding in CBC modes ...) {DSA-3408-1 DLA-364-1} - gnutls28 (Vulnerable code not present) - gnutls26 NOTE: https://blog.hboeck.de/archives/877-A-little-POODLE-left-in-GnuTLS-old-versions.html CVE-2015-8312 (Off-by-one error in afs_pioctl.c in OpenAFS before 1.6.16 might allow ...) {DSA-3569-1 DLA-493-1} - openafs 1.6.17-1 NOTE: http://git.openafs.org/?p=openafs.git;a=commitdiff;h=2ef863720da4d9f368aaca0461c672a3008195ca NOTE: http://rt.central.org/rt/Ticket/Display.html?id=132256 CVE-2015-8311 RESERVED CVE-2015-8310 (Cross-site scripting (XSS) vulnerability in Cherry Music before 0.36.0 ...) NOT-FOR-US: Cherry Music CVE-2015-8309 (Directory traversal vulnerability in Cherry Music before 0.36.0 allows ...) NOT-FOR-US: Cherry Music CVE-2015-8307 (The Graphics driver in Huawei P8 smartphones with software GRA-TL00 be ...) NOT-FOR-US: Huawei CVE-2015-8306 (Buffer overflow in the HIFI driver in Huawei P8 phones with software G ...) NOT-FOR-US: Huawei CVE-2015-8305 (Huawei Sophia-L10 smartphones with software before P7-L10C900B852 allo ...) NOT-FOR-US: Huawei CVE-2015-8304 (Integer overflow in Huawei P7 phones with software before P7-L07 V100R ...) NOT-FOR-US: Huawei CVE-2015-8303 (Huawei Document Security Management (DSM) with software before V100R00 ...) NOT-FOR-US: Huawei CVE-2015-8302 RESERVED CVE-2015-8301 RESERVED CVE-2015-8324 (The ext4 implementation in the Linux kernel before 2.6.34 does not pro ...) {DLA-360-1} - linux 2.6.37-1 - linux-2.6 NOTE: http://www.openwall.com/lists/oss-security/2015/11/23/2 NOTE: https://bugs.openvz.org/browse/OVZ-6541 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1267261 NOTE: Commit fixing the issue: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=744692dc059845b2a3022119871846e74d4f6e11 (v2.6.34-rc1) CVE-2015-8320 (Apache Cordova-Android before 3.7.0 improperly generates random values ...) NOT-FOR-US: Apache Cordova CVE-2015-8316 (Array index error in LightDM (aka Light Display Manager) 1.14.3, 1.16. ...) - lightdm 1.16.6-1 [jessie] - lightdm (Affects 1.14.x, 1.16.x and development 1.17.x) [wheezy] - lightdm (Affects 1.14.x, 1.16.x and development 1.17.x) NOTE: http://www.openwall.com/lists/oss-security/2015/11/21/2 NOTE: https://bugs.launchpad.net/lightdm/+bug/15168 NOTE: https://bazaar.launchpad.net/~lightdm-team/lightdm/1.14/revision/2166 (1.14.x) NOTE: https://bazaar.launchpad.net/~lightdm-team/lightdm/1.16/revision/2207 (1.16.x) CVE-2015-8300 (Polycom BToE Connector before 3.0.0 uses weak permissions (Everyone: F ...) NOT-FOR-US: Polycom BToE Connector CVE-2015-8299 (Buffer overflow in the Group messages monitor (Falcon) in KNX ETS 4.1. ...) NOT-FOR-US: Falcon CVE-2015-8298 (Multiple SQL injection vulnerabilities in the login page in RXTEC RXAd ...) NOT-FOR-US: RXTEC CVE-2015-8297 REJECTED CVE-2015-8296 REJECTED CVE-2015-8295 REJECTED CVE-2015-8294 REJECTED CVE-2015-8293 REJECTED CVE-2015-8292 REJECTED CVE-2015-8291 REJECTED CVE-2015-8290 REJECTED CVE-2015-8289 (The password-recovery feature on NETGEAR D3600 devices with firmware 1 ...) NOT-FOR-US: Netgear routers CVE-2015-8288 (NETGEAR D3600 devices with firmware 1.0.0.49 and D6000 devices with fi ...) NOT-FOR-US: Netgear routers CVE-2015-8287 (Swann SRNVW-470LCD devices with firmware through 0114 and SWNVW-470CAM ...) NOT-FOR-US: Swann CVE-2015-8286 (Zhuhai RaySharp firmware has a hardcoded root password, which makes it ...) NOT-FOR-US: Zhuhai RaySharp CVE-2015-8285 (The webssx.sys driver in QuickHeal 16.00 allows remote attackers to ca ...) NOT-FOR-US: QuickHeal CVE-2015-8284 (SeaWell Networks Spectrum SDC 02.05.00 allows remote viewer users to p ...) NOT-FOR-US: SeaWell Networks Spectrum CVE-2015-8283 (Directory traversal vulnerability in configure_manage.php in SeaWell N ...) NOT-FOR-US: SeaWell Networks Spectrum CVE-2015-8282 (SeaWell Networks Spectrum SDC 02.05.00 has a default password of "admi ...) NOT-FOR-US: SeaWell Networks Spectrum CVE-2015-8281 (Web Viewer 1.0.0.193 on Samsung SRN-1670D devices allows attackers to ...) NOT-FOR-US: Samsung CVE-2015-8280 (Web Viewer 1.0.0.193 on Samsung SRN-1670D devices allows remote attack ...) NOT-FOR-US: Samsung CVE-2015-8279 (Web Viewer 1.0.0.193 on Samsung SRN-1670D devices allows remote attack ...) NOT-FOR-US: Samsung CVE-2015-8278 RESERVED CVE-2015-8277 (Multiple buffer overflows in (1) lmgrd and (2) Vendor Daemon in Flexer ...) NOT-FOR-US: Flexera FlexNet Publisher CVE-2015-8276 (LVRTC eParakstitajs 3.0 (1.3.0) and edoc-libraries-2.5.4_01 allow atta ...) NOT-FOR-US: LVRTC eParakstitajs CVE-2015-8275 (LVRTC eParakstitajs 3.0 (1.3.0) and edoc-libraries-2.5.4_01 allow atta ...) NOT-FOR-US: LVRTC eParakstitajs CVE-2015-8274 RESERVED CVE-2015-8273 RESERVED CVE-2015-8272 (RTMPDump 2.4 allows remote attackers to trigger a denial of service (N ...) {DSA-3850-1 DLA-917-1} - rtmpdump 2.4+20151223.gitfa8646d.1-1 NOTE: http://git.ffmpeg.org/gitweb/rtmpdump.git/commitdiff/4312322107a94c81d3ec5b98f91bc6b923551dc5 NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0068/ NOTE: Correct Debian version would have been 2.4+20151223.gitfa8646d-1 but due NOTE: to missing upstream source import the fixes are really only present in NOTE: 2.4+20151223.gitfa8646d.1-1 CVE-2015-8271 (The AMF3CD_AddProp function in amf.c in RTMPDump 2.4 allows remote RTM ...) {DSA-3850-1 DLA-917-1} - rtmpdump 2.4+20151223.gitfa8646d.1-1 NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0067/ NOTE: http://git.ffmpeg.org/gitweb/rtmpdump.git/commitdiff/39ec7eda489717d503bc4cbfaa591c93205695b6 NOTE: http://git.ffmpeg.org/gitweb/rtmpdump.git/commitdiff/530f9bb2a02a78c1198fb2bf0293a12d225e4691 NOTE: Correct Debian version would have been 2.4+20151223.gitfa8646d-1 but due NOTE: to missing upstream source import the fixes are really only present in NOTE: 2.4+20151223.gitfa8646d.1-1 CVE-2015-8270 (The AMF3ReadString function in amf.c in RTMPDump 2.4 allows remote RTM ...) {DSA-3850-1 DLA-917-1} - rtmpdump 2.4+20151223.gitfa8646d.1-1 NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0066/ NOTE: http://git.ffmpeg.org/gitweb/rtmpdump.git/commitdiff/10b580aabcec1621b25518271ba1ab2b018be88e NOTE: Correct Debian version would have been 2.4+20151223.gitfa8646d-1 but due NOTE: to missing upstream source import the fixes are really only present in NOTE: 2.4+20151223.gitfa8646d.1-1 CVE-2015-8269 (The API on Fisher-Price Smart Toy Bear devices allows remote attackers ...) NOT-FOR-US: Fisher-Price CVE-2015-8268 (The up.time agent in Idera Uptime Infrastructure Monitor 7.5 and 7.6 o ...) NOT-FOR-US: Idera Uptime Infrastructure Monitor CVE-2015-8267 (The PasswordReset.Controllers.ResetController.ChangePasswordIndex meth ...) NOT-FOR-US: Dovestones CVE-2015-8266 RESERVED CVE-2015-8265 (Huawei Mobile WiFi E5151 routers with software before E5151s-2TCPU-V20 ...) NOT-FOR-US: Huawei CVE-2015-8264 (Untrusted search path vulnerability in F-Secure Online Scanner allows ...) NOT-FOR-US: F-Secure Online Scanner CVE-2015-8263 (NETGEAR WNR1000v3 devices with firmware 1.0.2.68 use the same source p ...) NOT-FOR-US: NETGEAR CVE-2015-8262 (Buffalo WZR-600DHP2 devices with firmware 2.09, 2.13, and 2.16 use an ...) NOT-FOR-US: BUFFALO CVE-2015-8261 (The DroneDeleteOldMeasurements implementation in Ipswitch WhatsUp Gold ...) NOT-FOR-US: Ipswitch CVE-2015-8260 RESERVED CVE-2015-8259 RESERVED CVE-2015-8258 (AXIS Communications products with firmware through 5.80.x allow remote ...) NOT-FOR-US: AXIS Communications CVE-2015-8257 (The devtools.sh script in AXIS network cameras allows remote authentic ...) NOT-FOR-US: Axis network cameras CVE-2015-8256 (Multiple cross-site scripting (XSS) vulnerabilities in Axis network ca ...) NOT-FOR-US: Axis network cameras CVE-2015-8255 (AXIS Communications products allow CSRF, as demonstrated by admin/pwdg ...) NOT-FOR-US: AXIS Communications CVE-2015-8254 (The Frontel protocol before 3 on RSI Video Technologies Videofied devi ...) NOT-FOR-US: Frontel CVE-2015-8253 (The Frontel protocol before 3 on RSI Video Technologies Videofied devi ...) NOT-FOR-US: Frontel CVE-2015-8252 (The Frontel protocol before 3 on RSI Video Technologies Videofied devi ...) NOT-FOR-US: Frontel CVE-2015-8251 (OpenStage 60 and OpenScape Desk Phone IP 55G SIP V3, OpenStage 15, 20E ...) NOT-FOR-US: OpenStage CVE-2015-8250 RESERVED CVE-2015-8249 (The FileUploadServlet class in ManageEngine Desktop Central 9 before b ...) NOT-FOR-US: ManageEngine Desktop Central CVE-2015-8248 REJECTED CVE-2015-8247 (Cross-site scripting (XSS) vulnerability in synnefoclient in Synnefo I ...) NOT-FOR-US: Synnefo CVE-2015-8246 RESERVED CVE-2015-8245 RESERVED CVE-2015-8244 RESERVED CVE-2015-XXXX [ZF2015-09: Potential Information Disclosure and Insufficient Entropy vulnerability in Zend/Captcha/Word] - zendframework 1.12.17+dfsg-1 [jessie] - zendframework 1.12.9+dfsg-2+deb8u5 [wheezy] - zendframework 1.11.13-1.1+deb7u5 [squeeze] - zendframework (Minor issue) NOTE: security hardening NOTE: http://framework.zend.com/security/advisory/ZF2015-09 NOTE: https://github.com/zendframework/zf1/commit/4a41392f89bf510a8ab801eacb117fe7ea25b575 CVE-2009-5149 (Arris DG860A, TG862A, and TG862G devices with firmware TS0703128_10061 ...) NOT-FOR-US: Arris hardware CVE-2015-XXXX [Missing bounds checking and verification of data type causes segfault] - libmaxminddb 1.1.5-1 (bug #805657) NOTE: https://github.com/maxmind/libmaxminddb/commit/51255f113fe3c7b63ffe957636a7656a3ff9d1ff NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283919 CVE-2015-8308 (LXDM before 0.5.2 did not start X server with -auth, which allows loca ...) - lxdm 0.5.3-1 (bug #805659) NOTE: http://git.lxde.org/gitweb/?p=lxde/lxdm.git;a=commitdiff;h=e8f387089e241360bdc6955d3e479450722dcea3 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1268900 NOTE: http://advisories.mageia.org/MGASA-2015-0411.html NOTE: http://www.openwall.com/lists/oss-security/2015/11/20/2 CVE-2015-8243 RESERVED CVE-2015-8240 (The Traffic Management Microkernel (TMM) in F5 BIG-IP LTM, AAM, AFM, A ...) NOT-FOR-US: F5 BIG-IP CVE-2015-8238 RESERVED CVE-2015-8237 RESERVED CVE-2015-8236 (Arista EOS before 4.11.12, 4.12 before 4.12.11, 4.13 before 4.13.14M, ...) NOT-FOR-US: Arista EOS CVE-2015-8235 (Directory traversal vulnerability in Spiffy before 5.4. ...) - chicken 4.10.0-1 [jessie] - chicken (Minor issue) [wheezy] - chicken (Minor issue) CVE-2015-8233 (Cross-site scripting (XSS) vulnerability in the MAYO theme 7.x-1.x bef ...) NOT-FOR-US: Drupal theme CVE-2015-8232 (The UC Profile module 6.x-1.x before 6.x-1.3 for Drupal does not prope ...) NOT-FOR-US: Drupal theme CVE-2015-8231 (Huawei eSpace 7910 and 7950 IP phones with software before V200R002C00 ...) NOT-FOR-US: Huawei CVE-2015-8230 (Memory leak in Huawei eSpace 8950 IP phones with software before V200R ...) NOT-FOR-US: Huawei CVE-2015-8229 (Huawei eSpace U2980 unified gateway with software before V100R001C10 a ...) NOT-FOR-US: Huawai CVE-2015-8228 (Directory traversal vulnerability in the SFTP server in Huawei AR 120, ...) NOT-FOR-US: Huawai CVE-2015-8227 (The built-in web server in Huawei VP9660 multi-point control unit with ...) NOT-FOR-US: Huawai CVE-2015-8226 (The Joint Photographic Experts Group Processing Unit (JPU) driver in H ...) NOT-FOR-US: Huawei CVE-2015-8225 (The Joint Photographic Experts Group Processing Unit (JPU) driver in H ...) NOT-FOR-US: Huawei CVE-2015-8224 (Huawei P8 before GRA-CL00C92B210, before GRA-L09C432B200, before GRA-T ...) NOT-FOR-US: Huawei CVE-2015-8223 (Huawei P7 before P7-L00C17B851, P7-L05C00B851, and P7-L09C92B85, and P ...) NOT-FOR-US: Huawei CVE-2015-8222 (The lxd-unix.socket systemd unit file in the Ubuntu lxd package before ...) - lxd (bug #768073) CVE-2015-8221 (Integer overflow in Google Picasa before 3.9.140 Build 259 allows remo ...) NOT-FOR-US: Google Picasa CVE-2015-8220 (Stack-based buffer overflow in the URI handler in DWRCC.exe in SolarWi ...) NOT-FOR-US: SolarWinds remote control CVE-2015-8242 (The xmlSAX2TextNode function in SAX2.c in the push interface in the HT ...) - libxml2 2.9.3+dfsg1-1 (bug #805146) [jessie] - libxml2 (Vulnerable code introduced later) [wheezy] - libxml2 (Vulnerable code introduced later) [squeeze] - libxml2 (Vulnerable code introduced later) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=756372 NOTE: Introduced by: https://git.gnome.org/browse/libxml2/commit/?id=826bc320206f70fccd2941a77d363e95e8076898 (v2.9.2-rc1) NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=8fb4a770075628d6441fb17a1e435100e2f3b1a2 (v2.9.3) CVE-2015-8241 (The xmlNextChar function in libxml2 2.9.2 does not properly check the ...) {DSA-3430-1 DLA-355-1} - libxml2 2.9.3+dfsg1-1 (bug #806384) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=756263 NOTE: https://git.gnome.org/browse/libxml2/commit/?id=ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe NOTE: Introduced/Uncovered by https://git.gnome.org/browse/libxml2/commit/?id=a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 (fix for CVE-2015-7941) NOTE: http://www.openwall.com/lists/oss-security/2015/11/17/5 CVE-2015-8239 (The SHA-2 digest support in the sudoers plugin in sudo after 1.8.7 all ...) - sudo 1.8.17p1-1 (bug #805563) [jessie] - sudo (Minor issue) [wheezy] - sudo (Command digests are only supported by version 1.8.7 or higher) [squeeze] - sudo (Command digests are only supported by version 1.8.7 or higher) NOTE: http://www.openwall.com/lists/oss-security/2015/11/10/2 CVE-2015-8234 (The image signature algorithm in OpenStack Glance 11.0.0 allows remote ...) - glance (unimportant) CVE-2015-8219 (The init_tile function in libavcodec/jpeg2000dec.c in FFmpeg before 2. ...) - ffmpeg 7:2.8.2-1 [squeeze] - ffmpeg (Vulnerable code not present) - libav [jessie] - libav (Vulnerable code not present) [wheezy] - libav (Vulnerable code not present) NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=43492ff3ab68a343c1264801baa1d5a02de10167 CVE-2015-8218 (The decode_uncompressed function in libavcodec/faxcompr.c in FFmpeg be ...) - ffmpeg 7:2.8.2-1 [squeeze] - ffmpeg (Vulnerable code not present) - libav (Vulnerable feature not present) NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=d4a731b84a08f0f3839eaaaf82e97d8d9c67da46 NOTE: Vulnerability affects G3{1, 2}D code extensions feature, which is not present NOTE: in libav 0.8 and 9. branches: https://lists.debian.org/debian-lts/2017/12/msg00011.html NOTE: 11.x features G3 support, but the vulnerable code was introduced later CVE-2015-8217 (The ff_hevc_parse_sps function in libavcodec/hevc_ps.c in FFmpeg befor ...) {DLA-1611-1} - ffmpeg 7:2.8.2-1 [squeeze] - ffmpeg (Vulnerable code not present) - libav [jessie] - libav (Contains a similar code block like the one referenced by the ffmpeg commit) [wheezy] - libav (Vulnerable code not present) NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=93f30f825c08477fe8f76be00539e96014cc83c8 CVE-2015-8216 (The ljpeg_decode_yuv_scan function in libavcodec/mjpegdec.c in FFmpeg ...) {DLA-1611-1} - ffmpeg 7:2.8.2-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=d24888ef19ba38b787b11d1ee091a3d94920c76a NOTE: patch does not apply cleanly in jessie's libav, possibly needs some brainwork CVE-2015-8215 (net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel before 4.0 d ...) {DSA-3364-1 DLA-310-1} - linux 4.0.2-1 - linux-2.6 NOTE: Patch for the kernel to harden against invalid MTUs: http://article.gmane.org/gmane.linux.network/351269 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=77751427a1ff25b27d47a4c36b12c3c8667855ac (v4.0-rc3) CVE-2015-8214 (Siemens SIMATIC CP 343-1 Advanced devices before 3.0.44, CP 343-1 Lean ...) NOT-FOR-US: Siemens CVE-2015-8213 (The get_format function in utils/formats.py in Django before 1.7.x bef ...) {DSA-3404-1 DLA-349-1} - python-django 1.8.7-1 NOTE: https://github.com/django/django/commit/316bc3fc9437c5960c24baceb93c73f1939711e4 (master) NOTE: https://github.com/django/django/commit/8a01c6b53169ee079cb21ac5919fdafcc8c5e172 (1.7.x) NOTE: https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/ CVE-2015-8212 (CGI handling flaw in bozohttpd in NetBSD 6.0 through 6.0.6, 6.1 throug ...) {DLA-490-1} - bozohttpd NOTE: FIX http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/httpd/bozohttpd.c.diff?r1=1.79&r2=1.80&only_with_tag=MAIN NOTE: http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2016-005.txt.asc NOTE: http://www.eterna.com.au/bozohttpd/CHANGES NOTE: http://www.eterna.com.au/bozohttpd/bozohttpd-20160415.tar.bz2 CVE-2015-8211 REJECTED CVE-2015-8210 REJECTED CVE-2015-8209 REJECTED CVE-2015-8208 REJECTED CVE-2015-8207 REJECTED CVE-2015-8206 REJECTED CVE-2015-8205 REJECTED CVE-2015-8204 REJECTED CVE-2015-8203 REJECTED CVE-2015-8202 REJECTED CVE-2015-8201 REJECTED CVE-2015-8200 REJECTED CVE-2015-8199 REJECTED CVE-2015-8198 REJECTED CVE-2015-8197 REJECTED CVE-2015-8196 REJECTED CVE-2015-8195 REJECTED CVE-2015-8194 REJECTED CVE-2015-8193 REJECTED CVE-2015-8192 REJECTED CVE-2015-8191 REJECTED CVE-2015-8190 REJECTED CVE-2015-8189 REJECTED CVE-2015-8188 REJECTED CVE-2015-8187 REJECTED CVE-2015-8186 REJECTED CVE-2015-8185 REJECTED CVE-2015-8184 REJECTED CVE-2015-8183 REJECTED CVE-2015-8182 REJECTED CVE-2015-8181 REJECTED CVE-2015-8180 REJECTED CVE-2015-8179 REJECTED CVE-2015-8178 REJECTED CVE-2015-8177 REJECTED CVE-2015-8175 RESERVED CVE-2015-8174 RESERVED CVE-2015-8173 RESERVED CVE-2015-8172 RESERVED CVE-2015-8171 RESERVED CVE-2015-8170 RESERVED CVE-2015-8169 RESERVED CVE-2015-8168 RESERVED CVE-2015-8167 RESERVED CVE-2015-8166 RESERVED CVE-2015-8165 RESERVED CVE-2015-8164 RESERVED CVE-2015-8163 RESERVED CVE-2015-8162 RESERVED CVE-2015-8161 RESERVED CVE-2015-8160 RESERVED CVE-2015-8159 RESERVED CVE-2015-8158 (The getresponse function in ntpq in NTP versions before 4.2.8p9 and 4. ...) {DSA-3629-1 DLA-559-1} - ntp 1:4.2.8p7+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit NOTE: http://support.ntp.org/bin/view/Main/NtpBug2948 CVE-2015-8157 (SQL injection vulnerability in the Management Server in Symantec Embed ...) NOT-FOR-US: Symantec CVE-2015-8156 (Unquoted Windows search path vulnerability in EEDService in Symantec E ...) NOT-FOR-US: Symantec CVE-2015-8155 REJECTED CVE-2015-8154 (The SysPlant.sys driver in the Application and Device Control (ADC) co ...) NOT-FOR-US: Symantec CVE-2015-8153 (SQL injection vulnerability in Symantec Endpoint Protection Manager (S ...) NOT-FOR-US: Symantec CVE-2015-8152 (Cross-site request forgery (CSRF) vulnerability in Symantec Endpoint P ...) NOT-FOR-US: Symantec CVE-2015-8151 (Symantec Encryption Management Server (SEMS) 3.3.2 before MP12 allows ...) NOT-FOR-US: Symantec CVE-2015-8150 (Symantec Encryption Management Server (SEMS) 3.3.2 before MP12 allows ...) NOT-FOR-US: Symantec CVE-2015-8149 (The LDAP service in Symantec Encryption Management Server (SEMS) 3.3.2 ...) NOT-FOR-US: Symantec CVE-2015-8148 (The LDAP service in Symantec Encryption Management Server (SEMS) 3.3.2 ...) NOT-FOR-US: Symantec CVE-2015-8145 RESERVED CVE-2015-8144 RESERVED CVE-2015-8143 RESERVED CVE-2015-8142 RESERVED CVE-2015-8141 RESERVED CVE-2015-8140 (The ntpq protocol in NTP before 4.2.8p7 allows remote attackers to con ...) - ntp 1:4.2.8p7+dfsg-1 [jessie] - ntp (Minor issue, no code fix by upstream and mitigation exists) [wheezy] - ntp (Minor issue) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit NOTE: http://support.ntp.org/bin/view/Main/NtpBug2947 NOTE: Mitigated in 4.2.8p6 CVE-2015-8139 (ntpq in NTP before 4.2.8p7 allows remote attackers to obtain origin ti ...) - ntp 1:4.2.8p7+dfsg-1 [jessie] - ntp (Minor issue, no code fix by upstream and mitigation exists) [wheezy] - ntp (Minor issue) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit NOTE: http://support.ntp.org/bin/view/Main/NtpBug2946 NOTE: Mitigated in 4.2.8p6 CVE-2015-8138 (NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to ...) {DSA-3629-1 DLA-559-1} - ntp 1:4.2.8p7+dfsg-1 NOTE: http://www.talosintel.com/reports/TALOS-2016-0077/ NOTE: https://github.com/ntp-project/ntp/commit/880191b72409a1965712999d248d70e6f7163af8 NOTE: The upstream fix for this issue is reported to be incomplete: NOTE: http://bugs.ntp.org/show_bug.cgi?id=2945#c7 NOTE: http://lists.ntp.org/pipermail/hackers/2016-January/007406.html NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security CVE-2015-8137 RESERVED CVE-2015-8136 RESERVED CVE-2015-8135 REJECTED CVE-2015-8134 REJECTED CVE-2015-8133 REJECTED CVE-2015-8132 REJECTED CVE-2015-8131 (Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kiban ...) - kibana (bug #700337) CVE-2015-8130 RESERVED CVE-2015-8129 RESERVED CVE-2015-8128 RESERVED CVE-2015-8127 RESERVED CVE-2013-7447 (Integer overflow in the gdk_cairo_set_source_pixbuf function in gdk/gd ...) {DLA-419-1} - gtk+2.0 2.24.30-1.1 (bug #799275) [jessie] - gtk+2.0 2.24.25-3+deb8u1 [wheezy] - gtk+2.0 (Minor issue; can be fixed via wheezy-pu) - gtk+3.0 3.10.7-1 (bug #818090) [wheezy] - gtk+3.0 3.4.2-7+deb7u1 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=703220 NOTE: Fixed by: https://git.gnome.org/browse/gtk+/commit?id=894b1ae76a32720f4bb3d39cf460402e3ce331d6 CVE-2013-7446 (Use-after-free vulnerability in net/unix/af_unix.c in the Linux kernel ...) {DSA-3426-1 DLA-360-1} - linux 4.2.6-2 - linux-2.6 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1273845 NOTE: https://groups.google.com/forum/#!topic/syzkaller/3twDUI4Cpm8 NOTE: http://www.openwall.com/lists/oss-security/2015/11/18/9 NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ec0d215f9420564fc8286dcf93d2d068bb53a07e (v2.6.26-rc9) NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7d267278a9ece963d77eefec61630223fce08c6c (v4.4-rc4) CVE-2015-8317 (The xmlParseXMLDecl function in parser.c in libxml2 before 2.9.3 allow ...) {DSA-3430-1 DLA-355-1} - libxml2 2.9.2+zdfsg1-4 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=751631 NOTE: https://git.gnome.org/browse/libxml2/commit/?id=709a952110e98621c9b78c4f26462a9d8333102e NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=751603 NOTE: https://git.gnome.org/browse/libxml2/commit/?id=9aa37588ee78a06ca1379a9d9356eab16686099c CVE-2015-XXXX [Kernel: Unprivileged user can freeze journald] - linux (unimportant) - linux-2.6 (Vulnerable code not present) NOTE: https://github.com/systemd/systemd/issues/1822 NOTE: Issue in Linux related to unprivileged CLONE_NEWUSER affecting systemd, but we disable unprivileged use by default CVE-2015-8125 (Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7 ...) {DSA-3402-1} - symfony 2.7.7+dfsg-1 NOTE: http://symfony.com/blog/cve-2015-8125-potential-remote-timing-attack-vulnerability-in-security-remember-me-service NOTE: https://github.com/symfony/symfony/pull/16630 CVE-2015-8124 (Session fixation vulnerability in the "Remember Me" login feature in S ...) {DSA-3402-1} - symfony 2.7.7+dfsg-1 NOTE: http://symfony.com/blog/cve-2015-8124-session-fixation-in-the-remember-me-login-feature NOTE: https://github.com/symfony/symfony/pull/16631 CVE-2015-8123 REJECTED CVE-2015-8122 REJECTED CVE-2015-8121 REJECTED CVE-2015-8120 REJECTED CVE-2015-8119 REJECTED CVE-2015-8118 REJECTED CVE-2015-8117 REJECTED CVE-2015-8116 REJECTED CVE-2015-8115 REJECTED CVE-2015-8114 REJECTED CVE-2015-8113 (Untrusted search path vulnerability in the client in Symantec Endpoint ...) NOT-FOR-US: Symantec CVE-2015-8112 RESERVED CVE-2015-8111 RESERVED CVE-2015-8110 (Lenovo System Update (formerly ThinkVantage System Update) before 5.07 ...) NOT-FOR-US: Lenovo CVE-2015-8109 (Lenovo System Update (formerly ThinkVantage System Update) before 5.07 ...) NOT-FOR-US: Lenovo CVE-2015-8108 (The management interface in LenovoEMC EZ Media & Backup (hm3), ix2 ...) NOT-FOR-US: LenovoEMC CVE-2015-8107 (Format string vulnerability in GNU a2ps 4.14 allows remote attackers t ...) - a2ps 1:4.14-1.2 [wheezy] - a2ps (Minor issue) [squeeze] - a2ps (Minor issue) CVE-2015-8106 (Format string vulnerability in the CmdKeywords function in funct1.c in ...) - latex2rtf 2.3.10-1 (unimportant; bug #805398) [wheezy] - latex2rtf (Vulnerable code introduced later) [squeeze] - latex2rtf (Vulnerable code introduced later) NOTE: keywords command support introduced in http://sourceforge.net/p/latex2rtf/code/1152 NOTE: http://sourceforge.net/p/latex2rtf/code/1152/tree//trunk/funct1.c?diff=50900fed34309d3c639c868f:1151 NOTE: latex2rtf compiled with -D_FORTIFY_SOURCE=2 NOTE: Rendered non-exploitable by toolchain hardening CVE-2015-8472 (Buffer overflow in the png_set_PLTE function in libpng before 1.0.65, ...) {DSA-3443-1 DLA-410-1 DLA-375-1} - libpng (bug #807112) - libpng1.6 1.6.20-1 (bug #807112) NOTE: Fixed in 1.6.20, 1.5.25, 1.4.18, 1.2.55, and 1.0.65 NOTE: https://github.com/glennrp/libpng/commit/7e1ca9ceba4e64259863efdd98bab9b55bdc0b9c NOTE: https://github.com/glennrp/libpng/commit/4488a96126bbefda51d07835411d8e847a88b2b7 NOTE: https://github.com/glennrp/libpng/commit/ad224c6907e8a274f2679eae4c2e3085fdc7e8c8 CVE-2015-8126 (Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE ...) {DSA-3507-1 DSA-3399-1 DLA-410-1 DLA-343-1} - libpng 1.2.54-1 (bug #805113) NOTE: http://www.openwall.com/lists/oss-security/2015/11/12/2 NOTE: Fixed in 1.6.19, 1.5.24, 1.4.17, 1.2.54, and 1.0.64 NOTE: The original patch was incomplete, cf. NOTE: http://www.openwall.com/lists/oss-security/2015/12/03/6 NOTE: and fixed in new upstream versions 1.6.20, 1.5.25, NOTE: 1.4.18, 1.2.55, and 1.0.65 - chromium-browser 49.0.2623.75-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2015-8105 (Cross-site scripting (XSS) vulnerability in program/js/app.js in Round ...) - roundcube 1.1.3+dfsg.1-1 [wheezy] - roundcube (Vulnerable code not present) [squeeze] - roundcube (Vulnerable code not present) NOTE: https://github.com/roundcube/roundcubemail/issues/4900 NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/dd7db217979d6960f53b6544cf053d8c0db8c416 CVE-2015-XXXX [directory traversal in servefile] - servefile 0.4.4-1 [jessie] - servefile (Minor issue) [wheezy] - servefile (Minor issue) NOTE: https://github.com/sebageek/servefile/commit/cd7eee21be3602ab6118a23eec8e2628d1a6488c CVE-2015-8102 RESERVED CVE-2015-8101 RESERVED CVE-2015-8099 (F5 BIG-IP LTM, AFM, Analytics, APM, ASM, Link Controller, and PEM 11.3 ...) NOT-FOR-US: F5 BIG-IP CVE-2015-8098 (F5 BIG-IP APM 11.4.1 before 11.4.1 HF9, 11.5.x before 11.5.3, and 11.6 ...) NOT-FOR-US: BIG-IP CVE-2015-8097 RESERVED CVE-2015-8096 (Integer overflow in Google Picasa 3.9.140 Build 239 and Build 248 allo ...) NOT-FOR-US: Google Picasa CVE-2015-8095 (The recycle bin feature in the Monster Menus module 7.x-1.21 before 7. ...) NOT-FOR-US: Monster Menus module for Drupal CVE-2015-8094 (Open redirect vulnerability in Cloudera HUE before 3.10.0 allows remot ...) NOT-FOR-US: Cloudera HUE CVE-2015-8093 RESERVED CVE-2015-8092 RESERVED CVE-2015-8091 REJECTED CVE-2015-8090 (The Web Server component in TIBCO LogLogic Unity before 1.1.1 allows r ...) NOT-FOR-US: TIBCO CVE-2015-8104 (The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x thr ...) {DSA-3454-1 DSA-3426-1 DSA-3414-1 DLA-479-1} - linux 4.2.6-2 - linux-2.6 - xen 4.8.0~rc3-1 (bug #823620) [squeeze] - linux-2.6 (KVM not supported in Squeeze LTS) [squeeze] - xen (Not supported in Squeeze LTS) NOTE: http://xenbits.xen.org/xsa/advisory-156.html NOTE: Upstream patch: https://lkml.org/lkml/2015/11/10/218 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cbdb967af3d54993f5814f1cee0ed311a055377d - virtualbox 5.0.10-dfsg-1 [wheezy] - virtualbox (DSA 3454) NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixOVIR CVE-2015-8100 (The net-snmp package in OpenBSD through 5.8 uses 0644 permissions for ...) - net-snmp (Specific to packaging in OpenBSD) CVE-2015-8089 (The GPU driver in Huawei P7 phones with software P7-L00 before P7-L00C ...) NOT-FOR-US: Huawei CVE-2015-8088 (Heap-based buffer overflow in the HIFI driver in Huawei Mate 7 phones ...) NOT-FOR-US: Huawei CVE-2015-8087 (Huawei NE20E-S, NE40E-M, and NE40E-M2 routers with software before V80 ...) NOT-FOR-US: Huawei CVE-2015-8086 (Huawei AR routers with software before V200R007C00SPC100; Quidway S930 ...) NOT-FOR-US: Huawei CVE-2015-8085 (Huawei AR routers with software before V200R007C00SPC100; Quidway S930 ...) NOT-FOR-US: Huawei CVE-2015-8084 (Huawei USG5500, USG2100, USG2200, and USG5100 unified security gateway ...) NOT-FOR-US: Huawei CVE-2015-8083 (An unspecified module in Huawei eSpace U1910, U1911, U1930, U1960, U19 ...) NOT-FOR-US: Huawei CVE-2015-8082 (The Login Disable module 6.x-1.x before 6.x-1.1 and 7.x-1.x before 7.x ...) NOT-FOR-US: Login Disable module for Drupal CVE-2015-8081 (The Field as Block module 7.x-1.x before 7.x-1.4 for Drupal might allo ...) NOT-FOR-US: Field as Block module for Drupal CVE-2015-8103 (The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625 ...) - jenkins (bug #804522) NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11 CVE-2015-7501 (Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data G ...) - libcommons-collections3-java 3.2.2-1 (unimportant) [jessie] - libcommons-collections3-java 3.2.1-7+deb8u1 [wheezy] - libcommons-collections3-java 3.2.1-5+deb7u1 [squeeze] - libcommons-collections3-java 3.2.1-4+deb6u1 NOTE: workaround entry to associate the squeeze-lts, wheezy- and jessie-security fixes with the NOTE: corresponding entry with unstable and the hardening change. - libcommons-collections4-java (unimportant) NOTE: severity unimportant since this is a hardening change, actual vulnerability relies in specific NOTE: https://issues.apache.org/jira/browse/COLLECTIONS-580 NOTE: No CVE is expected to be assigned, cf http://www.openwall.com/lists/oss-security/2015/11/17/19 NOTE: Patches for 3.2.x: NOTE: https://github.com/apache/commons-collections/commit/1642b00d67b96de87cad44223efb9ab5b4fb7be5 NOTE: https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee NOTE: https://github.com/apache/commons-collections/commit/bce4d022f27a723fa0e0b7484dcbf0afa2dd210a NOTE: https://github.com/apache/commons-collections/commit/d9a00134f16d685bea11b2b12de824845e6473e3 NOTE: Patches for 4.x: NOTE: https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611 NOTE: https://github.com/apache/commons-collections/commit/da1a5fe00d79e1840b7e52317933e9eb56e88246 NOTE: https://github.com/apache/commons-collections/commit/3eee44cf63b1ebb0da6925e98b3dcc6ef1e4d610 NOTE: https://github.com/apache/commons-collections/commit/78d47d4d098ab814a7a00a0b1c81646b27f050cf NOTE: https://github.com/apache/commons-collections/commit/b2b8f4adc557e4ef1ee2fe5e0ab46866c06ec55b CVE-2015-8079 (qt5-qtwebkit before 5.4 records private browsing URLs to its favicon d ...) - qtwebkit (unimportant) NOTE: qtwebkit not covered by security support CVE-2015-8080 (Integer overflow in the getnum function in lua_struct.c in Redis 2.8.x ...) {DSA-3412-1} - redis 2:3.0.5-4 (bug #804419) [wheezy] - redis (Vulnerable code not present) [squeeze] - redis (Vulnerable code not present) NOTE: https://github.com/antirez/redis/issues/2855 CVE-2015-8078 (Integer overflow in the index_urlfetch function in imap/index.c in Cyr ...) - cyrus-imapd-2.4 2.4.18-4 (bug #804182) [jessie] - cyrus-imapd-2.4 (Incomplete patch for CVE-2015-8076 not applied) [wheezy] - cyrus-imapd-2.4 (Incomplete patch for CVE-2015-8076 not applied) NOTE: https://cyrus.foundation/cyrus-imapd/commit/?id=6fb6a272171f49c79ba6ab7c6403eb25b39ec1b2 CVE-2015-8077 (Integer overflow in the index_urlfetch function in imap/index.c in Cyr ...) - cyrus-imapd-2.4 2.4.18-4 (bug #804182) [jessie] - cyrus-imapd-2.4 (Incomplete patch for CVE-2015-8076 not applied) [wheezy] - cyrus-imapd-2.4 (Incomplete patch for CVE-2015-8076 not applied) NOTE: https://cyrus.foundation/cyrus-imapd/commit/?id=745e161c834f1eb6d62fc14477f51dae799e1e08 CVE-2015-8074 (mediaserver in Android before 5.1.1 LMY48X allows remote attackers to ...) NOT-FOR-US: Android CVE-2015-8073 (mediaserver in Android 4.4 and 5.1 before 5.1.1 LMY48X allows remote a ...) NOT-FOR-US: Android CVE-2015-8072 (mediaserver in Android 4.4 through 5.x before 5.1.1 LMY48X and 6.0 bef ...) NOT-FOR-US: Android CVE-2015-8071 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8070 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8069 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8068 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8067 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8066 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8065 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8064 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8063 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8062 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8061 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8060 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8059 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8058 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8057 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8056 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8055 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8054 REJECTED CVE-2015-8053 (Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 10 before ...) NOT-FOR-US: Adobe ColdFusion CVE-2015-8052 (Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 10 before ...) NOT-FOR-US: Adobe ColdFusion CVE-2015-8051 (The Adobe Premiere Clip app before 1.2.1 for iOS mishandles unspecifie ...) NOT-FOR-US: Adobe Pemiere Clip CVE-2015-8050 (Use-after-free vulnerability in the MovieClip object implementation in ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8049 (Use-after-free vulnerability in the TextField object implementation in ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8048 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8047 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8046 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8045 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8044 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8043 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8042 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-8040 (The rtsp_getdlsendtime method in the CNC_Ctrl control in Samsung Smart ...) NOT-FOR-US: Samsung SmartViewer CVE-2015-8039 (Samsung SmartViewer allows remote attackers to execute arbitrary code ...) NOT-FOR-US: Samsung SmartViewer CVE-2015-8038 (Multiple cross-site scripting (XSS) vulnerabilities in the Graphical U ...) NOT-FOR-US: Fortinet CVE-2015-8037 (Multiple cross-site scripting (XSS) vulnerabilities in the Graphical U ...) NOT-FOR-US: Fortinet CVE-2015-8036 (Heap-based buffer overflow in ARM mbed TLS (formerly PolarSSL) 1.3.x b ...) {DSA-3468-1} - mbedtls (Fixed before the initial release to Debian) [experimental] - polarssl 1.3.14-0.1 - polarssl [wheezy] - polarssl (Vulnerable code introduced later) [squeeze] - polarssl (Vulnerable code introduced later) NOTE: support for session tickets added in 1.3.0. NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01 CVE-2015-8034 (The state.sls function in Salt before 2015.8.3 uses weak permissions o ...) - salt 2015.8.3+ds-1 (bug #807356) [jessie] - salt (Minor issue) NOTE: For jessie: /var/cache/salt/minion is created with restricted permissions on NOTE: first start of salt-minion in verify_env mitigating the issue, cf. NOTE: https://sources.debian.org/src/salt/2014.1.13%2Bds-3/salt/utils/verify.py/#L207 NOTE: https://github.com/cachedout/salt/commit/097838ec0c52b1e96f7f761e5fb3cd7e79808741 NOTE: https://github.com/saltstack/salt/issues/28455 CVE-2014-9755 (The hardware VPN client in Viprinet MultichannelVPN Router 300 version ...) NOT-FOR-US: Viprinet CVE-2014-9754 (The hardware VPN client in Viprinet MultichannelVPN Router 300 version ...) NOT-FOR-US: Viprinet CVE-2015-8075 REJECTED CVE-2015-8033 RESERVED CVE-2015-8032 RESERVED CVE-2015-8035 (The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly d ...) {DSA-3430-1} - libxml2 2.9.3+dfsg1-1 (bug #803942) [squeeze] - libxml2 (No LZMA/XZ support in version 2.7.8) NOTE: Upstream patch: https://git.gnome.org/browse/libxml2/commit/?id=f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 (v2.9.3) NOTE: You can use "xmllint --version" to verify if libxml2 is compiled with "Lzma" support. NOTE: sid's 2.9.2+zdfsg1-4 claims to have "Lzma" support but it's broken in fact... NOTE: so it barfs on the problematic file (parser error : Start tag expected, NOTE: '<' not found) even though it does not have the fix yet. The next upstream NOTE: release will fix this issue and will restore XZ support. NOTE: http://www.openwall.com/lists/oss-security/2015/11/02/2 CVE-2015-7984 (Multiple cross-site request forgery (CSRF) vulnerabilities in Horde be ...) {DSA-3391-1} - php-horde 5.2.8+debian0-1 (bug #803641) NOTE: https://www.htbridge.com/advisory/HTB23272 NOTE: https://github.com/horde/horde/commit/a199d74932c902844514b2a83d21e7e221257dae NOTE: http://lists.horde.org/archives/dev/Week-of-Mon-20141201/028821.html CVE-2015-8031 RESERVED CVE-2015-8030 (SAP 3D Visual Enterprise Viewer (VEV) allows remote attackers to execu ...) NOT-FOR-US: SAP CVE-2015-8029 (SAP 3D Visual Enterprise Viewer (VEV) allows remote attackers to execu ...) NOT-FOR-US: SAP CVE-2015-8028 (Multiple buffer overflows in SAP 3D Visual Enterprise Viewer (VEV) all ...) NOT-FOR-US: SAP CVE-2015-8027 (Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 d ...) - nodejs 4.2.3~dfsg-1 (bug #806385) [jessie] - nodejs (0.10 series not affected) NOTE: https://nodejs.org/en/blog/vulnerability/cve-2015-8027_cve-2015-6764/ CVE-2015-8024 (McAfee Enterprise Security Manager (ESM), Enterprise Security Manager/ ...) NOT-FOR-US: McAfee CVE-2015-8023 (The server implementation of the EAP-MSCHAPv2 protocol in the eap-msch ...) {DSA-3398-1 DLA-345-1} - strongswan 5.3.3-3 NOTE: https://www.strongswan.org/blog/2015/11/16/strongswan-vulnerability-%28cve-2015-8023%29.html CVE-2015-8022 (The Configuration utility in F5 BIG-IP LTM, Analytics, APM, ASM, GTM, ...) NOT-FOR-US: F5 BIG-IP CVE-2015-8021 (Incomplete blacklist vulnerability in the Configuration utility in F5 ...) NOT-FOR-US: F5 BIG-IP CVE-2015-8020 (Clustered Data ONTAP versions 8.0, 8.3.1, and 8.3.2 contain a default ...) NOT-FOR-US: Clustered Data ONTAP CVE-2015-8018 RESERVED CVE-2015-8017 RESERVED CVE-2015-8016 RESERVED CVE-2015-8015 RESERVED CVE-2015-8014 RESERVED CVE-2015-8009 (The MWOAuthDataStore::lookup_token function in Extension:OAuth for Med ...) NOT-FOR-US: Mediawiki extension OAuth CVE-2015-8008 (The OAuth extension for MediaWiki improperly negotiates a new client t ...) NOT-FOR-US: Mediawiki extension OAuth CVE-2015-8007 (The Echo extension for MediWiki does not properly implement the hideus ...) NOT-FOR-US: Mediawiki extension Echo CVE-2015-8006 (Cross-site scripting (XSS) vulnerability in the PageTriage toolbar in ...) NOT-FOR-US: Mediawiki extension PageTriage CVE-2015-XXXX [iptables-persistent minor local info leak] - iptables-persistent 1.0.4 (low; bug #764645) [jessie] - iptables-persistent 1.0.3+deb8u1 [wheezy] - iptables-persistent 0.5.7+deb7u1 [squeeze] - iptables-persistent (Minor issue) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/01/05/5 CVE-2015-XXXX - cinnamon-settings-daemon 2.8.3-1 (low) [jessie] - cinnamon-settings-daemon 2.2.4.repack-7+deb8u1 NOTE: https://github.com/linuxmint/cinnamon-settings-daemon/commit/ac5e0be8c1817616dbdb056b6881cfc4660f57a8 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/10/28/3 CVE-2015-8025 (driver/subprocs.c in XScreenSaver before 5.34 does not properly perfor ...) {DSA-3438-1 DLA-338-1} - xscreensaver 5.34-1 (bug #802914) NOTE: http://pkgs.fedoraproject.org/cgit/xscreensaver.git/plain/xscreensaver-5.33-0002-Modify-sigchld_hander-in_signal_hander_p-mechanism.patch?id=b57f59f3482fedf70ce7a3541094e2512290139f NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1274452 CVE-2015-8005 (MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25 ...) - mediawiki 1:1.25.5-1 [wheezy] - mediawiki (Minor issues) [squeeze] - mediawiki (Not supported in Squeeze LTS) NOTE: https://phabricator.wikimedia.org/T108616 CVE-2015-8004 (MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25 ...) - mediawiki 1:1.25.5-1 [wheezy] - mediawiki (Minor issues) [squeeze] - mediawiki (Not supported in Squeeze LTS) NOTE: https://phabricator.wikimedia.org/T95589 CVE-2015-8003 (MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25 ...) - mediawiki 1:1.25.5-1 [wheezy] - mediawiki (Minor issues) [squeeze] - mediawiki (Not supported in Squeeze LTS) NOTE: https://phabricator.wikimedia.org/T91850 CVE-2015-8002 (The chunked upload API (ApiUpload) in MediaWiki before 1.23.11, 1.24.x ...) - mediawiki 1:1.25.5-1 [wheezy] - mediawiki (Minor issues) [squeeze] - mediawiki (Not supported in Squeeze LTS) NOTE: https://phabricator.wikimedia.org/T91205 CVE-2015-8001 (The chunked upload API (ApiUpload) in MediaWiki before 1.23.11, 1.24.x ...) - mediawiki 1:1.25.5-1 [wheezy] - mediawiki (Minor issues) [squeeze] - mediawiki (Not supported in Squeeze LTS) NOTE: https://phabricator.wikimedia.org/T91203 CVE-2015-8000 (db.c in named in ISC BIND 9.x before 9.9.8-P2 and 9.10.x before 9.10.3 ...) {DSA-3420-1 DLA-370-1} - bind9 1:9.9.5.dfsg-12.1 (bug #808081) NOTE: https://kb.isc.org/article/AA-01317 CVE-2015-7999 (Multiple SQL injection vulnerabilities in the Administration Web UI se ...) NOT-FOR-US: Citrix CVE-2015-7998 (The administration UI in Citrix NetScaler Application Delivery Control ...) NOT-FOR-US: Citrix CVE-2015-7997 (Multiple cross-site scripting (XSS) vulnerabilities in the Nitro API i ...) NOT-FOR-US: Citrix CVE-2015-7996 (The Nitro API in Citrix NetScaler Application Delivery Controller (ADC ...) NOT-FOR-US: Citrix CVE-2015-7994 (The SQL interface in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allo ...) NOT-FOR-US: SAP HANA CVE-2015-7993 (The Extended Application Services (aka XS or XS Engine) in SAP HANA DB ...) NOT-FOR-US: SAP HANA CVE-2015-7992 (SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticat ...) NOT-FOR-US: SAP HANA CVE-2015-7991 (The Web Dispatcher service in SAP HANA DB 1.00.73.00.389160 (NewDB100_ ...) NOT-FOR-US: SAP HANA CVE-2015-7988 (The handle_regservice_request function in mDNSResponder before 625.41. ...) NOT-FOR-US: mDNSResponder CVE-2015-7987 (Multiple buffer overflows in mDNSResponder before 625.41.2 allow remot ...) NOT-FOR-US: mDNSResponder CVE-2015-7986 (The index server (hdbindexserver) in SAP HANA 1.00.095 allows remote a ...) NOT-FOR-US: SAP CVE-2015-7985 (Valve Steam 2.10.91.91 uses weak permissions (Users: read and write) f ...) - steam (specific to the steam installor on windows) CVE-2015-8019 (The skb_copy_and_csum_datagram_iovec function in net/core/datagram.c i ...) - linux (Vulnerable code not present) - linux-2.6 (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2015/10/27/11 NOTE: Only for all stable kernels before v3.19 which have backported commit NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=89c22d8c3b278212eef6a8cc66b570bc840a6f5a NOTE: but are lacking the ioviter conversion. CVE-2015-7983 RESERVED CVE-2015-7982 RESERVED CVE-2015-7980 (Cross-site scripting (XSS) vulnerability in the Compass Rose module 6. ...) NOT-FOR-US: Drupal addon Compass Rose CVE-2015-7990 (Race condition in the rds_sendmsg function in net/rds/sendmsg.c in the ...) {DSA-3396-1 DLA-360-1} - linux 4.2.6-1 - linux-2.6 NOTE: https://lkml.org/lkml/2015/10/16/530 NOTE: http://www.openwall.com/lists/oss-security/2015/10/27/5 CVE-2015-7979 (NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to ...) {DSA-3629-1 DLA-559-1} - ntp 1:4.2.8p7+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit NOTE: http://support.ntp.org/bin/view/Main/NtpBug2942 NOTE: https://github.com/ntp-project/ntp/commit/fe46889f7baa75fc8e6c0fcde87706d396ce1461 CVE-2015-7978 (NTP before 4.2.8p6 and 4.3.0 before 4.3.90 allows a remote attackers t ...) {DSA-3629-1 DLA-559-1} - ntp 1:4.2.8p7+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit NOTE: http://support.ntp.org/bin/view/Main/NtpBug2940 NOTE: https://github.com/ntp-project/ntp/commit/8a0c765f3c47633fa262356b0818788d1cf249b1 CVE-2015-7977 (ntpd in NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attac ...) {DSA-3629-1 DLA-559-1} - ntp 1:4.2.8p7+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit NOTE: http://support.ntp.org/bin/view/Main/NtpBug2939 NOTE: https://github.com/ntp-project/ntp/commit/8a0c765f3c47633fa262356b0818788d1cf249b1 CVE-2015-7976 (The ntpq saveconfig command in NTP 4.1.2, 4.2.x before 4.2.8p6, 4.3, 4 ...) - ntp 1:4.2.8p7+dfsg-1 (low) [jessie] - ntp (Minor issue, mitigation exists) [wheezy] - ntp (Minor issue, can be fixed along in a future update) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit NOTE: http://support.ntp.org/bin/view/Main/NtpBug2938 NOTE: https://github.com/ntp-project/ntp/commit/3680c2e4d5f88905ce062c7b43305d610a2c9796 NOTE: https://github.com/ntp-project/ntp/commit/7fe04606062ed674db3b9553d32dedad29504d61 CVE-2015-7975 (The nextvar function in NTP before 4.2.8p6 and 4.3.x before 4.3.90 doe ...) - ntp 1:4.2.8p7+dfsg-1 [jessie] - ntp (Introduced in 4.2.8) [wheezy] - ntp (Introduced in 4.2.8) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit NOTE: http://support.ntp.org/bin/view/Main/NtpBug2937 CVE-2015-7974 (NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer asso ...) {DSA-3629-1 DLA-559-1} - ntp 1:4.2.8p7+dfsg-1 (low) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit NOTE: http://support.ntp.org/bin/view/Main/NtpBug2936 CVE-2015-7973 (NTP before 4.2.8p6 and 4.3.x before 4.3.90, when configured in broadca ...) - ntp 1:4.2.8p7+dfsg-1 (low) [jessie] - ntp (Minor issue, can be fixed along in a future update) [wheezy] - ntp (Minor issue, can be fixed along in a future update) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit NOTE: http://support.ntp.org/bin/view/Main/NtpBug2935 CVE-2015-7972 (The (1) libxl_set_memory_target function in tools/libxl/libxl.c and (2 ...) {DSA-3414-1 DLA-479-1} - xen 4.6.0-1 [wheezy] - xen (Minor issue, xl not used in wheezy) [squeeze] - xen (not supported in squeeze-lts) NOTE: http://xenbits.xen.org/xsa/advisory-153.html CVE-2015-7971 (Xen 3.2.x through 4.6.x does not limit the number of printk console me ...) {DSA-3414-1 DLA-479-1} - xen 4.6.0-1 [squeeze] - xen (not supported in squeeze-lts) NOTE: http://xenbits.xen.org/xsa/advisory-152.html CVE-2015-7970 (The p2m_pod_emergency_sweep function in arch/x86/mm/p2m-pod.c in Xen 3 ...) {DSA-3414-1 DLA-479-1} - xen 4.6.0-1 [wheezy] - xen (Minor issue, too intrusive to backport) [squeeze] - xen (not supported in squeeze-lts) NOTE: http://xenbits.xen.org/xsa/advisory-150.html CVE-2015-7969 (Multiple memory leaks in Xen 4.0 through 4.6.x allow local guest admin ...) {DSA-3414-1 DLA-479-1} - xen 4.6.0-1 [squeeze] - xen (not supported in squeeze-lts) NOTE: http://xenbits.xen.org/xsa/advisory-149.html NOTE: http://xenbits.xen.org/xsa/advisory-151.html CVE-2015-7968 (nwbc_ext2int in SAP NetWeaver Application Server before Security Note ...) NOT-FOR-US: SAP CVE-2015-7967 (SafeNet Authentication Service for Citrix Web Interface Agent uses a w ...) NOT-FOR-US: SafeNet Authentication Service CVE-2015-7966 (SafeNet Authentication Service Windows Logon Agent uses a weak ACL for ...) NOT-FOR-US: SafeNet Authentication Service CVE-2015-7965 (SafeNet Authentication Service Windows Logon Agent uses a weak ACL for ...) NOT-FOR-US: SafeNet Authentication Service CVE-2015-7964 (SafeNet Authentication Service for NPS Agent uses a weak ACL for unspe ...) NOT-FOR-US: SafeNet Authentication Service CVE-2015-7963 (SafeNet Authentication Service for AD FS Agent uses a weak ACL for uns ...) NOT-FOR-US: SafeNet Authentication Service CVE-2015-7962 (SafeNet Authentication Service for Outlook Web App Agent uses a weak A ...) NOT-FOR-US: SafeNet Authentication Service CVE-2015-7961 (SafeNet Authentication Service Remote Web Workplace Agent uses a weak ...) NOT-FOR-US: SafeNet Authentication Service CVE-2015-7960 REJECTED CVE-2015-7959 REJECTED CVE-2015-7958 REJECTED CVE-2015-7957 REJECTED CVE-2015-7956 REJECTED CVE-2015-7955 REJECTED CVE-2015-7954 REJECTED CVE-2015-7953 REJECTED CVE-2015-7952 REJECTED CVE-2015-7951 REJECTED CVE-2015-7950 REJECTED CVE-2015-7949 REJECTED CVE-2015-7948 REJECTED CVE-2015-7947 REJECTED CVE-2015-7946 (Information Exposure vulnerability in Unity8 as used on the Ubuntu pho ...) NOT-FOR-US: Unity8 (predates Lomiri) CVE-2015-7945 (The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti befo ...) {DSA-3431-1} - ganeti 2.15.2-1 (bug #809538) [squeeze] - ganeti (Depends on KVM/Xen, unsupported in Squeeze LTS) NOTE: http://www.ocert.org/advisories/ocert-2015-012.html NOTE: http://git.ganeti.org/?p=ganeti.git;a=commit;h=09fb8fc73c5fe33756cc63036d121b3d6dfa3f64 NOTE: http://git.ganeti.org/?p=ganeti.git;a=commit;h=6e94ad76446904961744f9b0826414a5e4120693 NOTE: http://git.ganeti.org/?p=ganeti.git;a=commit;h=6d44be24c50944fc35de7a490bc836938a82e1df NOTE: http://git.ganeti.org/?p=ganeti.git;a=commit;h=6f9ba80f8312d5607da70841f698c49000a31126 CVE-2015-7944 (The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti befo ...) {DSA-3431-1} - ganeti 2.15.2-1 (bug #809537) [squeeze] - ganeti (Depends on KVM/Xen, unsupported in Squeeze LTS) NOTE: http://www.ocert.org/advisories/ocert-2015-012.html NOTE: http://git.ganeti.org/?p=ganeti.git;a=commit;h=201fcb916b8164c78f4ed8e0c9cfc0227a78684c CVE-2015-9261 (huft_build in archival/libarchive/decompress_gunzip.c in BusyBox befor ...) {DLA-1445-1 DLA-337-1} - busybox 1:1.27.2-1 (bug #803097) [stretch] - busybox (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/10/25/3 NOTE: http://git.busybox.net/busybox/commit/?id=1de25a6e87e0e627aa34298105a3d17c60a1f44e NOTE: https://git.busybox.net/busybox/commit/archival/libarchive/decompress_gunzip.c?id=6bd3fff51aa74e2ee2d87887b12182a3b09792ef CVE-2015-7995 (The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does n ...) {DSA-3605-1 DLA-514-1} - libxslt 1.1.28-2.1 (bug #802971) [squeeze] - libxslt (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1257962 NOTE: http://www.openwall.com/lists/oss-security/2015/10/27/10 NOTE: https://git.gnome.org/browse/libxslt/commit/?id=7ca19df892ca22d9314e95d59ce2abdeff46b617 (v1.1.29-rc1) CVE-2015-8982 (Integer overflow in the strxfrm function in the GNU C Library (aka gli ...) - glibc 2.21-1 (bug #803927) [jessie] - glibc 2.19-18+deb8u2 [wheezy] - eglibc 2.13-38+deb7u9 - eglibc [squeeze] - eglibc 2.11.3-4+deb6u8 NOTE: workaround entry for DLA-350-1 until/if CVE assigned NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=16009 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=0f9e585480ed NOTE: http://openwall.com/lists/oss-security/2015/09/08/2 CVE-2015-8026 (Heap-based buffer overflow in the verify_vbr_checksum function in exfa ...) - exfat-utils 1.2.1-1 [jessie] - exfat-utils 1.1.0-2+deb8u1 [wheezy] - exfat-utils 0.9.7-2+deb7u1 - fuse-exfat 1.2.1-1 [jessie] - fuse-exfat 1.1.0-2+deb8u1 [wheezy] - fuse-exfat 0.9.7-2+deb7u1 NOTE: https://github.com/relan/exfat/issues/5 NOTE: https://crashes.fuzzing-project.org/exfatfsck-heap-overflow-write-verify_vbr_checksum NOTE: https://github.com/relan/exfat/commit/2e86ae5f81da11f11673d0546efb525af02b7786 CVE-2015-XXXX [Endlees loop issue] - exfat-utils 1.2.1-1 [jessie] - exfat-utils 1.1.0-2+deb8u1 [wheezy] - exfat-utils 0.9.7-2+deb7u1 - fuse-exfat 1.2.1-1 [jessie] - fuse-exfat 1.1.0-2+deb8u1 [wheezy] - fuse-exfat 0.9.7-2+deb7u1 NOTE: https://github.com/relan/exfat/issues/6 NOTE: https://crashes.fuzzing-project.org/exfatfsck-endless-loop NOTE: https://github.com/relan/exfat/commit/35a1f77f9be2d8b21731f758baba4334935bf18b NOTE: will possibly not get a CVE, cf. http://www.openwall.com/lists/oss-security/2015/10/29/13 CVE-2015-8010 (Cross-site scripting (XSS) vulnerability in the Classic-UI with the CS ...) - icinga 1.13.3-3 (bug #803432) [jessie] - icinga (Minor issue) [wheezy] - icinga (Minor issue) [squeeze] - icinga (Vulnerable code not present) NOTE: Introduced by: https://dev.icinga.org/issues/593 in 1.3. NOTE: Upstream issue: https://dev.icinga.org/issues/10453 NOTE: Upstream fix: https://dev.icinga.org/projects/icinga-core/repository/revisions/5c816f5d9352c373e9dadb95b63612a96cf96dff NOTE: http://www.openwall.com/lists/oss-security/2015/10/23/15 CVE-2015-7981 (The png_convert_to_rfc1123 function in png.c in libpng 1.0.x before 1. ...) {DSA-3399-1 DLA-343-1} - libpng 1.2.54-1 (bug #803078) NOTE: http://sourceforge.net/p/libpng/bugs/241/ NOTE: http://sourceforge.net/p/libpng/code/ci/fbf0f024346ca0a4ffc64b082a95c6b6bb6d29c4/ CVE-2015-7939 (Heap-based buffer overflow in Unitronics VisiLogic OPLC IDE before 9.8 ...) NOT-FOR-US: Unitronics CVE-2015-7938 (Advantech EKI-132x devices with firmware before 2015-12-31 allow remot ...) NOT-FOR-US: Advantech CVE-2015-7937 (Stack-based buffer overflow in the GoAhead Web Server on Schneider Ele ...) NOT-FOR-US: Schneider Electric CVE-2015-7936 (Cross-site request forgery (CSRF) vulnerability in Motorola Solutions ...) NOT-FOR-US: Motorola Solutions MOSCAD IP Gateway CVE-2015-7935 (Motorola Solutions MOSCAD IP Gateway allows remote attackers to read a ...) NOT-FOR-US: Motorola Solutions MOSCAD IP Gateway CVE-2015-7934 (The Java client in Adcon Telemetry A840 Telemetry Gateway Base Station ...) NOT-FOR-US: Adcon CVE-2015-7933 RESERVED CVE-2015-7932 (Adcon Telemetry A840 Telemetry Gateway Base Station allows remote atta ...) NOT-FOR-US: Adcon CVE-2015-7931 (The Java client in Adcon Telemetry A840 Telemetry Gateway Base Station ...) NOT-FOR-US: Adcon CVE-2015-7930 (Adcon Telemetry A840 Telemetry Gateway Base Station has hardcoded cred ...) NOT-FOR-US: Adcon CVE-2015-7929 (eWON devices with firmware through 10.1s0 support unspecified GET requ ...) NOT-FOR-US: eWON devices CVE-2015-7928 (eWON devices with firmware before 10.1s0 do not have an off autocomple ...) NOT-FOR-US: eWON devices CVE-2015-7927 (Cross-site scripting (XSS) vulnerability on eWON devices with firmware ...) NOT-FOR-US: eWON devices CVE-2015-7926 (eWON devices with firmware before 10.1s0 omit RBAC for I/O server info ...) NOT-FOR-US: eWON devices CVE-2015-7925 (Cross-site request forgery (CSRF) vulnerability on eWON devices with f ...) NOT-FOR-US: eWON devices CVE-2015-7924 (eWON devices with firmware before 10.1s0 do not trigger the discarding ...) NOT-FOR-US: eWON devices CVE-2015-7923 (Westermo WeOS before 4.19.0 uses the same SSL private key across diffe ...) NOT-FOR-US: Westermo CVE-2015-7922 REJECTED CVE-2015-7921 (The FTP server in Pro-face GP-Pro EX EX-ED before 4.05.000, PFXEXEDV b ...) NOT-FOR-US: Pro-face GP-Pro EX EX-ED CVE-2015-7920 REJECTED CVE-2015-7919 (SearchBlox 8.3 before 8.3.1 allows remote attackers to write to the co ...) NOT-FOR-US: SearchBlox CVE-2015-7918 (Multiple buffer overflows in the F1BookView ActiveX control in F1 Book ...) NOT-FOR-US: F1BookView CVE-2015-7917 (Untrusted search path vulnerability in Open Automation OPC Systems.NET ...) NOT-FOR-US: Open Automation OPC Systems.NET CVE-2015-7916 (Cross-site scripting (XSS) vulnerability in Sauter EY-WS505F0x0 moduWe ...) NOT-FOR-US: Sauter CVE-2015-7915 (Sauter EY-WS505F0x0 moduWeb Vision before 1.6.0 sends cleartext creden ...) NOT-FOR-US: Sauter CVE-2015-7914 (Sauter EY-WS505F0x0 moduWeb Vision before 1.6.0 allows remote attacker ...) NOT-FOR-US: Sauter CVE-2015-7913 (ag_server_service.exe in the AggreGate Server Service in Tibbo AggreGa ...) NOT-FOR-US: AggreGate CVE-2015-7912 (The Ice Faces servlet in ag_server_service.exe in the AggreGate Server ...) NOT-FOR-US: AggreGate CVE-2015-7911 (Saia Burgess PCD1.M0xx0, PCD1.M2xx0, PCD2.M5xx0, PCD3.Mxx60, PCD3.Mxxx ...) NOT-FOR-US: Saia Burgess devices CVE-2015-7910 (Exemys Telemetry Web Server relies on an HTTP Location header to indic ...) NOT-FOR-US: Exemys CVE-2015-7909 (Stack-based buffer overflow in Hospira Communication Engine (CE) befor ...) NOT-FOR-US: Hospira CVE-2015-7908 (Honeywell Midas gas detectors before 1.13b3 and Midas Black gas detect ...) NOT-FOR-US: Honeywell Midas gas detectors and Midas Black gas detectors CVE-2015-7907 (Directory traversal vulnerability in the web server on Honeywell Midas ...) NOT-FOR-US: Honeywell Midas gas detectors and Midas Black gas detectors CVE-2015-7906 (LOYTEC LIP-3ECTB 6.0.1, LINX-100, LVIS-3E100, and LIP-ME201 devices al ...) NOT-FOR-US: LOYTEC LIP-3ECTB 6.0.1, LINX-100, LVIS-3E100, and LIP-ME201 devices CVE-2015-7905 (Unitronics VisiLogic OPLC IDE before 9.8.02 allows remote attackers to ...) NOT-FOR-US: Unitronics CVE-2015-7904 (Unrestricted file upload vulnerability in Infinite Automation Mango Au ...) NOT-FOR-US: Mango Automation CVE-2015-7903 (SQL injection vulnerability in Infinite Automation Mango Automation 2. ...) NOT-FOR-US: Mango Automation CVE-2015-7902 (Infinite Automation Mango Automation 2.5.x and 2.6.x before 2.6.0 buil ...) NOT-FOR-US: Mango Automation CVE-2015-7901 (Infinite Automation Mango Automation 2.5.x and 2.6.x through 2.6.0 bui ...) NOT-FOR-US: Mango Automation CVE-2015-7900 (Infinite Automation Mango Automation 2.5.x and 2.6.x before 2.6.0 buil ...) NOT-FOR-US: Mango Automation CVE-2015-7898 (Samsung Gallery in the Samsung Galaxy S6 allows local users to cause a ...) NOT-FOR-US: Samsung CVE-2015-7897 (The media scanning functionality in the face recognition library in an ...) NOT-FOR-US: Samsung CVE-2015-7896 (LibQJpeg in the Samsung Galaxy S6 before the October 2015 MR allows re ...) NOT-FOR-US: Samsung CVE-2015-7895 (Samsung Gallery on the Samsung Galaxy S6 allows local users to cause a ...) NOT-FOR-US: Samsung CVE-2015-7894 (The DCMProvider service in Samsung LibQjpeg on a Samsung SM-G925V devi ...) NOT-FOR-US: Samsung CVE-2015-7893 (SecEmailUI in Samsung Galaxy S6 does not sanitize HTML email content, ...) NOT-FOR-US: Samsung CVE-2015-7892 (Stack-based buffer overflow in the m2m1shot_compat_ioctl32 function in ...) NOT-FOR-US: Samsung CVE-2015-7891 (Race condition in the ioctl implementation in the Samsung Graphics 2D ...) NOT-FOR-US: Samsung Graphics 2D driver on Samsung devices with Android CVE-2015-7890 (Multiple buffer overflows in the esa_write function in /dev/seirenin t ...) NOT-FOR-US: Samsung CVE-2015-7889 (The SecEmailComposer/EmailComposer application in the Samsung S6 Edge ...) NOT-FOR-US: Samsung CVE-2015-7888 (Directory traversal vulnerability in the WifiHs20UtilityService on the ...) NOT-FOR-US: WifiHs20UtilityService on Samsung S6 Edge LRX22G.G925VVRU1AOE2 CVE-2015-7887 (NetApp SnapCenter Server 1.0 allows remote authenticated users to list ...) NOT-FOR-US: NetApp SnapCenter Server CVE-2015-7886 (NetApp Data ONTAP before 8.2.4P1, when 7-Mode and HTTP access are enab ...) NOT-FOR-US: NetApp CVE-2015-7899 (The com_content component in Joomla! 3.x before 3.4.5 does not properl ...) NOT-FOR-US: Joomla! CVE-2015-7883 RESERVED CVE-2015-7882 (Improper handling of LDAP authentication in MongoDB Server versions 3. ...) - mongodb (Only affects Enterprise version) CVE-2015-7881 (The Colorbox module 7.x-2.x before 7.x-2.10 for Drupal allows remote a ...) NOT-FOR-US: Colorbox module for Drupal CVE-2015-7880 (The Entity Registration module 7.x-1.x before 7.x-1.5 for Drupal allow ...) NOT-FOR-US: Entity Registration module for Drupal CVE-2015-7879 (Cross-site scripting (XSS) vulnerability in the Stickynote module 7.x ...) NOT-FOR-US: Stickynote module for Drupal CVE-2015-7878 (Cross-site scripting (XSS) vulnerability in the Taxonomy Find module 6 ...) NOT-FOR-US: Taxonomy Find module for Drupal CVE-2015-7877 (Multiple SQL injection vulnerabilities in the User Dashboard module 7. ...) NOT-FOR-US: User Dashboard module for Drupal CVE-2015-7876 (The escapeLike function in sqlsrv/database.inc in the Drupal 7 driver ...) NOT-FOR-US: Driver for SQL Server and SQL Azure module for Drupal CVE-2015-7875 (ctools 6.x-1.x before 6.x-1.14 and 7.x-1.x before 7.x-1.8 in Drupal do ...) NOT-FOR-US: Ctools module for Drupal CVE-2015-7874 (Buffer overflow in the chat server in KiTTY Portable 0.65.0.2p and ear ...) NOT-FOR-US: KiTTY Portable CVE-2015-7873 (The redirection feature in url.php in phpMyAdmin 4.4.x before 4.4.15.1 ...) {DSA-3382-1} - phpmyadmin 4:4.5.1-1 (low) [jessie] - phpmyadmin (Minor issue) [wheezy] - phpmyadmin (Vulnerable code not present) [squeeze] - phpmyadmin (Vulnerable code not present) CVE-2015-7943 (Open redirect vulnerability in the Overlay module in Drupal 7.x before ...) {DLA-548-1} - drupal7 7.41-1 [jessie] - drupal7 7.32-1+deb8u9 NOTE: https://www.drupal.org/SA-CORE-2015-004 NOTE: http://www.openwall.com/lists/oss-security/2015/10/21/6 NOTE: http://cgit.drupalcode.org/drupal/commit/?id=9f72251c9291b5613acb9ca4ea7a51b4739e3f93 CVE-2015-7885 (The dgnc_mgmt_ioctl function in drivers/staging/dgnc/dgnc_mgmt.c in th ...) - linux 4.4.2-1 (unimportant) NOTE: dgnc driver not built [wheezy] - linux (Vulnerable code not present) - linux-2.6 (Vulnerable code not present) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit?id=4b6184336ebb5c8dc1eae7f7ab46ee608a748b05 CVE-2015-7884 (The vivid_fb_ioctl function in drivers/media/platform/vivid/vivid-osd. ...) - linux 4.2.6-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) - linux-2.6 (Vulnerable code not present) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=eda98796aff0d9bf41094b06811f5def3b4c333c (v4.4-rc1) CVE-2015-7871 (Crypto-NAK packets in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x befo ...) {DSA-3388-1 DLA-335-1} - ntp 1:4.2.8p4+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner NOTE: https://github.com/ntp-project/ntp/commit/aa44b5835d69d8ee031736bb8ee2730a514edb7d CVE-2015-7870 RESERVED CVE-2015-7869 (Multiple integer overflows in the kernel mode driver for the NVIDIA GP ...) - nvidia-graphics-drivers 352.63-1 (bug #805917) [jessie] - nvidia-graphics-drivers 340.96-1 [wheezy] - nvidia-graphics-drivers 304.131-1 [squeeze] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx 340.96-1 (bug #805919) - nvidia-graphics-drivers-legacy-304xx 304.131-2 (bug #805918) [jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) CVE-2015-7868 RESERVED CVE-2015-7867 RESERVED CVE-2015-7866 (Unquoted Windows search path vulnerability in the Smart Maximize Helpe ...) NOT-FOR-US: NVIDIA drivers for Windows CVE-2015-7865 (nvSCPAPISvr.exe in the Stereoscopic 3D Driver Service in the NVIDIA GP ...) NOT-FOR-US: NVIDIA drivers for Windows CVE-2015-7864 RESERVED CVE-2015-7863 (The default configuration of Persistent Accelerite Radia Client Automa ...) NOT-FOR-US: Persistent Accelerite Radia CVE-2015-7862 (Persistent Accelerite Radia Client Automation (formerly HP Client Auto ...) NOT-FOR-US: Persistent Accelerite Radia CVE-2015-7861 (Persistent Accelerite Radia Client Automation (formerly HP Client Auto ...) NOT-FOR-US: Persistent Accelerite Radia CVE-2015-7860 (Stack-based buffer overflow in the agent in Persistent Accelerite Radi ...) NOT-FOR-US: Persistent Accelerite Radia CVE-2015-7859 (The com_contenthistory component in Joomla! 3.2 before 3.4.5 does not ...) NOT-FOR-US: Joomla! CVE-2015-7858 (SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote ...) NOT-FOR-US: Joomla! CVE-2015-7857 (SQL injection vulnerability in the getListQuery function in administra ...) NOT-FOR-US: Joomla! CVE-2015-7856 (OpenNMS has a default password of rtc for the rtc account, which makes ...) NOT-FOR-US: OpenNMS CVE-2015-7855 (The decodenetnum function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3 ...) {DSA-3388-1 DLA-335-1} - ntp 1:4.2.8p4+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner NOTE: https://github.com/ntp-project/ntp/commit/ba716a464ecb20618560075f2e4e1051e5b6f24f CVE-2015-7854 (Buffer overflow in the password management functionality in NTP 4.2.x ...) - ntp 1:4.2.8p4+dfsg-1 [jessie] - ntp (Bug introduced in 4.2.7p262) [wheezy] - ntp (Bug introduced in 4.2.7p262) [squeeze] - ntp (Bug introduced in 4.2.7p262) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner NOTE: https://github.com/ntp-project/ntp/commit/1bb401576f412532d8cdcca5509b85ad29605913 CVE-2015-7853 (The datalen parameter in the refclock driver in NTP 4.2.x before 4.2.8 ...) - ntp 1:4.2.8p4+dfsg-1 [jessie] - ntp (Bug introduced in 4.2.8p1-beta3) [wheezy] - ntp (Bug introduced in 4.2.8p1-beta3) [squeeze] - ntp (Bug introduced in 4.2.8p1-beta3) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner NOTE: https://github.com/ntp-project/ntp/commit/8482b536f9494a5d45196ab5b7e13040f5940261 CVE-2015-7852 (ntpq in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remot ...) {DSA-3388-1 DLA-335-1} - ntp 1:4.2.8p4+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner NOTE: https://github.com/ntp-project/ntp/commit/07a5b8141e354a998a52994c3c9cd547927e56ce CVE-2015-7851 (Directory traversal vulnerability in the save_config function in ntpd ...) {DSA-3388-1 DLA-335-1} - ntp 1:4.2.8p4+dfsg-1 [jessie] - ntp (Vulnerability only affects VMS) [wheezy] - ntp (Vulnerability only affects VMS) [squeeze] - ntp (Vulnerability only affects VMS) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner NOTE: https://github.com/ntp-project/ntp/commit/184516e143ce4448ddb5b9876dd372008cc779f6 CVE-2015-7850 (ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remot ...) {DSA-3388-1 DLA-335-1} - ntp 1:4.2.8p4+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner NOTE: https://github.com/ntp-project/ntp/commit/bb928ef08eec020ef6008f3a140702ccc0536b8e CVE-2015-7849 (Use-after-free vulnerability in ntpd in NTP 4.2.x before 4.2.8p4, and ...) - ntp 1:4.2.8p4+dfsg-1 [jessie] - ntp (Bug introduced in 4.2.7p262) [wheezy] - ntp (Bug introduced in 4.2.7p262) [squeeze] - ntp (Bug introduced in 4.2.7p262) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner NOTE: https://github.com/ntp-project/ntp/commit/9c22e66c8f2be6aa0c846f0d9804db20f93c105d CVE-2015-7848 (An integer overflow can occur in NTP-dev.4.3.70 leading to an out-of-b ...) - ntp 1:4.2.8p4+dfsg-1 [jessie] - ntp (Bug introduced in 4.2.7p131) [wheezy] - ntp (Bug introduced in 4.2.7p131) [squeeze] - ntp (Bug introduced in 4.2.7p131) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner NOTE: https://github.com/ntp-project/ntp/commit/c04c3d3d940dfe1a53132925c4f51aef017d2e0f CVE-2015-7847 (Huawei MBB (Mobile Broadband) product E3272s with software versions ea ...) NOT-FOR-US: Huawei CVE-2015-7846 (Huawei S7700, S9700, S9300 before V200R07C00SPC500, and AR200, AR1200, ...) NOT-FOR-US: Huawei CVE-2015-7845 (The exception handling mechanism in the CLI Module in Huawei eSpace U1 ...) NOT-FOR-US: Huawei CVE-2015-7844 (Huawei FusionAccess with software V100R005C10,V100R005C20 could allow ...) NOT-FOR-US: Huawei CVE-2015-7843 (The management interface on Huawei FusionServer rack servers RH2288 V3 ...) NOT-FOR-US: Huawei CVE-2015-7842 (Huawei FusionServer rack servers RH2288 V3 with software before V100R0 ...) NOT-FOR-US: Huawei CVE-2015-7841 (The login page of the server on Huawei FusionServer rack servers RH228 ...) NOT-FOR-US: Huawei CVE-2015-7872 (The key_gc_unused_keys function in security/keys/gc.c in the Linux ker ...) {DSA-3396-1} - linux 4.2.5-1 - linux-2.6 [squeeze] - linux-2.6 (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1272371 NOTE: Prerequisite for Fedora patches: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=94c4554ba07adbdde396748ee7ae01e86cf2d8d7 NOTE: Patches from Fedora: http://pkgs.fedoraproject.org/cgit/kernel.git/commit/?id=d76d5fe34b5c151ad83761160998b1075729b541 NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f05819df10d7b09f6d1eb6f8534a8f68e5a4fe61 (v4.3-rc7) NOTE: http://www.openwall.com/lists/oss-security/2015/10/20/5 CVE-2015-8013 (s2k.js in OpenPGP.js will decrypt arbitrary messages regardless of pas ...) - node-openpgp (bug #787774) NOTE: http://www.openwall.com/lists/oss-security/2015/10/13/7 CVE-2015-7840 (The command line management console (CMC) in SolarWinds Log and Event ...) NOT-FOR-US: SolarWinds CVE-2015-7839 (SolarWinds Log and Event Manager (LEM) allows remote attackers to exec ...) NOT-FOR-US: SolarWinds CVE-2015-7838 (ProcessFileUpload.jsp in SolarWinds Storage Manager before 6.2 allows ...) NOT-FOR-US: SolarWinds CVE-2015-7837 (The Linux kernel, as used in Red Hat Enterprise Linux 7, kernel-rt, an ...) - linux 4.5.1-1 (unimportant) NOTE: secureboot not yet supported in the Debian package in 4.3 NOTE: https://github.com/mjg59/linux/commit/4b2b64d5a6ebc84214755ebccd599baef7c1b798 NOTE: Fix is included in 4.5.1-1 with the patches/features/all/securelevel/kexec-uefi-copy-secure_boot-flag-in-boot-params-acro.patch CVE-2015-7836 (Siemens RUGGEDCOM ROS before 4.2.1 allows remote attackers to obtain s ...) NOT-FOR-US: Siemens CVE-2015-7835 (The mod_l2_entry function in arch/x86/mm.c in Xen 3.4 through 4.6.x do ...) {DSA-3390-1} - xen 4.6.0-1 [squeeze] - xen (not supported in squeeze-lts) NOTE: http://xenbits.xen.org/xsa/advisory-148.html CVE-2015-7834 (Multiple unspecified vulnerabilities in Google V8 before 4.6.85.23, as ...) - chromium-browser 46.0.2490.71-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2015-7833 (The usbvision driver in the Linux kernel package 3.10.0-123.20.1.el7 t ...) {DSA-3426-1 DSA-3396-1 DLA-360-1} - linux 4.2.6-2 - linux-2.6 NOTE: http://git.linuxtv.org/cgit.cgi/media_tree.git/commit?id=588afcc1c0e45358159090d95bf7b246fb67565 NOTE: http://git.linuxtv.org/cgit.cgi/media_tree.git/commit?id=fa52bd506f274b7619955917abfde355e3d19ff NOTE: initial fix missed a second needed commit. CVE-2015-7832 RESERVED CVE-2015-7831 (In Cloudera Hue, there is privilege escalation by a read-only user whe ...) NOT-FOR-US: Cloudera CVE-2015-7829 (Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, ...) NOT-FOR-US: Adobe CVE-2015-7828 (SAP HANA Database 1.00 SPS10 and earlier do not require authentication ...) NOT-FOR-US: SAP HANA CVE-2015-7827 (Botan before 1.10.13 and 1.11.x before 1.11.22 make it easier for remo ...) {DSA-3565-1 DLA-449-1} - botan1.10 1.10.13-1 (bug #817932) NOTE: Fixed in 1.11.22 and 1.10.13. Affected all previous versions. NOTE: http://botan.randombit.net/security.html CVE-2015-7826 (botan 1.11.x before 1.11.22 improperly handles wildcard matching again ...) - botan1.10 (Introduced in 1.11.0) NOTE: Introduced in 1.11.0, fixed in 1.11.22 NOTE: http://botan.randombit.net/security.html CVE-2015-7825 (botan before 1.11.22 improperly validates certificate paths, which all ...) - botan1.10 (Introduced in 1.11.6) NOTE: Introduced in 1.11.6, fixed in 1.11.22 NOTE: http://botan.randombit.net/security.html CVE-2015-7824 (botan 1.11.x before 1.11.22 makes it easier for remote attackers to de ...) - botan1.10 (Introduced in 1.11.0) NOTE: Introduced in 1.11.0, fixed in 1.11.22 NOTE: http://botan.randombit.net/security.html CVE-2015-7823 (Open redirect vulnerability in CMSPages/GetDocLink.ashx in Kentico CMS ...) NOT-FOR-US: Kentico CMS CVE-2015-7822 (Multiple cross-site scripting (XSS) vulnerabilities in Kentico CMS 8.2 ...) NOT-FOR-US: Kentico CMS CVE-2015-7821 RESERVED CVE-2015-7820 (Race condition in the administration-panel web service in IBM System N ...) NOT-FOR-US: IBM CVE-2015-7819 (The DB service in IBM System Networking Switch Center (SNSC) before 7. ...) NOT-FOR-US: IBM CVE-2015-7818 (The administration-panel web service in IBM System Networking Switch C ...) NOT-FOR-US: IBM CVE-2015-7817 (Race condition in the administration-panel web service in IBM System N ...) NOT-FOR-US: IBM CVE-2015-7816 (The DisplayTopKeywords function in plugins/Referrers/Controller.php in ...) - matomo (bug #448532) CVE-2015-7815 (Directory traversal vulnerability in core/ViewDataTable/Factory.php in ...) - matomo (bug #448532) CVE-2015-7814 (Race condition in the relinquish_memory function in arch/arm/domain.c ...) {DSA-3414-1} - xen 4.6.0-1 NOTE: http://xenbits.xen.org/xsa/advisory-147.html [wheezy] - xen (arm not yet supported) [squeeze] - xen (not supported in squeeze-lts) CVE-2015-7813 (Xen 4.4.x, 4.5.x, and 4.6.x does not limit the number of printk consol ...) {DSA-3414-1} - xen 4.6.0-1 [wheezy] - xen (arm not yet supported) [squeeze] - xen (not supported in squeeze-lts) NOTE: http://xenbits.xen.org/xsa/advisory-146.html CVE-2015-7812 (The hypercall_create_continuation function in arch/arm/domain.c in Xen ...) {DSA-3414-1} - xen 4.6.0-1 [wheezy] - xen (arm not yet supported) [squeeze] - xen (not supported in squeeze-lts) NOTE: http://xenbits.xen.org/xsa/advisory-145.html CVE-2013-7445 (The Direct Rendering Manager (DRM) subsystem in the Linux kernel throu ...) - linux [buster] - linux (Minor issue, requires invasive changes) [stretch] - linux (Minor issue, requires invasive changes) [jessie] - linux (Minor issue, requires invasive changes) [wheezy] - linux (Minor issue, requires invasive changes) [jessie] - linux-4.9 (Minor issue, requires invasive changes) - linux-2.6 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=60533 CVE-2015-8011 (Buffer overflow in the lldp_decode function in daemon/protocols/lldp.c ...) - lldpd 0.7.19-1 [jessie] - lldpd 0.7.11-2+deb8u1 [wheezy] - lldpd (Vulnerable code not present) [squeeze] - lldpd (Vulnerable code not present) NOTE: https://github.com/vincentbernat/lldpd/commit/dd4f16e7e816f2165fba76e3d162cd8d2978dcb2 NOTE: http://www.openwall.com/lists/oss-security/2015/10/16/2 CVE-2015-8012 (lldpd before 0.8.0 allows remote attackers to cause a denial of servic ...) - lldpd 0.7.19-1 [jessie] - lldpd 0.7.11-2+deb8u1 [wheezy] - lldpd (Vulnerable code not present) [squeeze] - lldpd (Vulnerable code not present) NOTE: https://github.com/vincentbernat/lldpd/commit/793526f8884455f43daecd0a2c46772388417a00 NOTE: http://www.openwall.com/lists/oss-security/2015/10/18/2 CVE-2015-XXXX [cakephp: XML class SSRF vulnerability] - cakephp 2.6.7-1 (bug #832283) [jessie] - cakephp (Minor issue) [wheezy] - cakephp 1.3.15-1+deb7u1 [squeeze] - cakephp 1.3.2-1.1+deb6u11 NOTE: Workaround entry for DLA-333-1 and DLA-566-1 until/if CVE assigned NOTE: http://seclists.org/fulldisclosure/2015/Oct/70 NOTE: https://github.com/cakephp/cakephp/releases/tag/2.6.6 CVE-2015-7830 (The pcapng_read_if_descr_block function in wiretap/pcapng.c in the pca ...) {DSA-3505-1} - wireshark 1.12.8+g5b6e543-1 [squeeze] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-30.html CVE-2015-7811 RESERVED CVE-2015-7810 (libbluray MountManager class has a time-of-check time-of-use (TOCTOU) ...) - libbluray 1:0.9.1-1 (low) [jessie] - libbluray (Minor issue, too intrusive to backport) [wheezy] - libbluray (Minor issue) NOTE: CVE was assigned specific to the Fedora packages, cf. NOTE: http://www.openwall.com/lists/oss-security/2015/10/12/7 NOTE: Salvatored asked if Debian needs a separate CVE: NOTE: http://www.openwall.com/lists/oss-security/2015/10/13/6 NOTE: No reply, so we'll just use the same ID NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=959434 CVE-2015-7808 (The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 t ...) NOT-FOR-US: vBulletin CVE-2015-7807 RESERVED CVE-2015-7806 (Eval injection vulnerability in the fm_saveHelperGatherItems function ...) NOT-FOR-US: Wordpress plugin CVE-2015-7805 (Heap-based buffer overflow in libsndfile 1.0.25 allows remote attacker ...) {DLA-928-1 DLA-356-1} - libsndfile 1.0.25-10 (bug #804445) [jessie] - libsndfile 1.0.25-9.1+deb8u1 NOTE: http://www.nemux.org/2015/10/13/libsndfile-1-0-25-heap-overflow/ NOTE: https://www.exploit-db.com/exploits/38447/ CVE-2015-7802 (gifread.c in gif2png, as used in OptiPNG before 0.7.6, allows remote a ...) - optipng 0.7.6-1 (unimportant; bug #801700) NOTE: Not a security flaw as the under-read does not depend on input CVE-2015-7801 (Use-after-free vulnerability in OptiPNG 0.6.4 allows remote attackers ...) {DLA-332-1} - optipng 0.7.5-1 [wheezy] - optipng 0.6.4-1+deb7u1 CVE-2015-7800 RESERVED CVE-2015-7799 (The slhc_init function in drivers/net/slip/slhc.c in the Linux kernel ...) {DSA-3426-1 DLA-360-1} - linux 4.2.6-2 - linux-2.6 NOTE: https://code.google.com/p/android/issues/detail?id=187973 NOTE: DoS, requires access to /dev/ppp which is root-only by default NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0baa57d8dc32db78369d8b5176ef56c5e2e18ab3 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4ab42d78e37a294ac7bc56901d563c642e03c4ae CVE-2015-7798 (Cross-site scripting (XSS) vulnerability in Cybozu Office 9.0.0 throug ...) NOT-FOR-US: Cybozu Office CVE-2015-7797 (Cross-site scripting (XSS) vulnerability in Cybozu Office 9.0.0 throug ...) NOT-FOR-US: Cybozu Office CVE-2015-7796 (Cross-site scripting (XSS) vulnerability in Cybozu Office 9.0.0 throug ...) NOT-FOR-US: Cybozu Office CVE-2015-7795 (Cross-site scripting (XSS) vulnerability in Cybozu Office 9.0.0 throug ...) NOT-FOR-US: Cybozu Office CVE-2015-7794 (Corega CG-WLNCM4G devices provide an open DNS resolver, which allows r ...) NOT-FOR-US: Corega CVE-2015-7793 (Corega CG-WLBARAGM devices provide an open proxy service, which allows ...) NOT-FOR-US: Corega CVE-2015-7792 (Corega CG-WLBARGS devices allow remote attackers to perform administra ...) NOT-FOR-US: Corega CVE-2015-7791 (Multiple SQL injection vulnerabilities in admin.php in the Collne Welc ...) NOT-FOR-US: Collne Welcart plugin for WordPress CVE-2015-7790 (Cross-site scripting (XSS) vulnerability on ASUS Japan WL-330NUL devic ...) NOT-FOR-US: ASUS CVE-2015-7789 (ASUS Japan WL-330NUL devices with firmware before 3.0.0.42 allow remot ...) NOT-FOR-US: ASUS CVE-2015-7788 (ASUS Japan WL-330NUL devices with firmware before 3.0.0.42 allow remot ...) NOT-FOR-US: ASUS CVE-2015-7787 (ASUS Japan WL-330NUL devices with firmware before 3.0.0.42 allow remot ...) NOT-FOR-US: ASUS CVE-2015-7786 (Cross-site scripting (XSS) vulnerability in the NTT DATA Smart Sourcin ...) NOT-FOR-US: NTT DATA CVE-2015-7785 (GANMA! App for iOS does not verify SSL certificates. ...) NOT-FOR-US: GANMA! App for iOS CVE-2015-7784 (SQL injection vulnerability in the BOKUBLOCK (1) BbAdminViewsControl21 ...) NOT-FOR-US: BOKUBLOCK CVE-2015-7783 (Cross-site scripting (XSS) vulnerability in Let's PHP! p++BBS before 4 ...) NOT-FOR-US: p++BBS CVE-2015-7782 (Cross-site scripting (XSS) vulnerability in Let's PHP! Frame high-spee ...) NOT-FOR-US: Let's PHP! CVE-2015-7781 (ManageEngine Firewall Analyzer before 8.0 does not restrict access per ...) NOT-FOR-US: ManageEngine Firewall Analyzer CVE-2015-7780 (Directory traversal vulnerability in ManageEngine Firewall Analyzer be ...) NOT-FOR-US: ManageEngine Firewall Analyzer CVE-2015-7779 REJECTED CVE-2015-7778 (Gurunavi App for iOS before 6.0.0 does not verify SSL certificates whi ...) NOT-FOR-US: Gurunavi App for iOS CVE-2015-7777 (Cross-site scripting (XSS) vulnerability in index.php in JosephErnest ...) NOT-FOR-US: JosephErnest Void CVE-2015-7776 (Cybozu Garoon 3.x and 4.x before 4.2.0 does not properly restrict load ...) NOT-FOR-US: Cybozu CVE-2015-7775 (Cross-site scripting (XSS) vulnerability in Cybozu Garoon 4.0.3 allows ...) NOT-FOR-US: Cybozu CVE-2015-7774 (PC-EGG pWebManager before 3.3.10, and before 2.2.2 for PHP 4.x, allows ...) NOT-FOR-US: PC-EGG CVE-2015-7773 (Unrestricted file upload vulnerability in the Panel component in Basti ...) NOT-FOR-US: Bastian Allgeier Kirby CVE-2015-7772 (Cross-site scripting (XSS) vulnerability in the runtime engine in the ...) NOT-FOR-US: Newphoria CVE-2015-7771 (Cross-site scripting (XSS) vulnerability in the runtime engine in the ...) NOT-FOR-US: Newphoria CVE-2015-7770 (Dell SonicWall TotalSecure TZ 100 devices with firmware before 5.9.1.0 ...) NOT-FOR-US: Dell CVE-2015-7769 (baserCMS 3.0.2 through 3.0.8 allows remote authenticated users to exec ...) NOT-FOR-US: baserCMS CVE-2015-7768 (Buffer overflow in Konica Minolta FTP Utility 1.0 allows remote attack ...) NOT-FOR-US: Konica Minolta CVE-2015-7767 (Buffer overflow in Konica Minolta FTP Utility 1.0 allows remote attack ...) NOT-FOR-US: Konica Minolta CVE-2015-7766 (PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5, and ea ...) NOT-FOR-US: ZOHO CVE-2015-7765 (ZOHO ManageEngine OpManager 11.5 build 11600 and earlier uses a hardco ...) NOT-FOR-US: ZOHO CVE-2015-7809 (The displayBlock function Template.php in Sensio Labs Twig before 1.20 ...) {DSA-3343-1} - twig 1.20.0-1 NOTE: http://symfony.com/blog/security-release-twig-1-20-0 CVE-2015-7804 (Off-by-one error in the phar_parse_zipfile function in ext/phar/zip.c ...) {DSA-3380-1 DLA-341-1} - php5 5.6.14+dfsg-1 (medium) NOTE: https://bugs.php.net/bug.php?id=70433 CVE-2015-7803 (The phar_get_entry_data function in ext/phar/util.c in PHP before 5.5. ...) {DSA-3380-1 DLA-341-1} - php5 5.6.14+dfsg-1 (low) NOTE: https://bugs.php.net/bug.php?id=69720 CVE-2015-7764 (Lemur 0.1.4 does not use sufficient entropy in its IV when encrypting ...) - lemur (bug #809533) CVE-2015-7763 (rx/rx.c in OpenAFS 1.5.75 through 1.5.78, 1.6.x before 1.6.15, and 1.7 ...) {DSA-3387-1 DLA-342-1} - openafs 1.6.15-1 NOTE: https://www.openafs.org/security CVE-2015-7762 (rx/rx.c in OpenAFS before 1.6.15 and 1.7.x before 1.7.33 does not prop ...) {DSA-3387-1 DLA-342-1} - openafs 1.6.15-1 NOTE: https://www.openafs.org/security CVE-2015-7761 (Mail in Apple OS X before 10.11 does not properly recognize user prefe ...) NOT-FOR-US: Apple CVE-2015-7760 (libxpc in launchd in Apple OS X before 10.11 does not restrict the cre ...) NOT-FOR-US: Apple CVE-2015-7759 (BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, Link Controller, and PEM 12 ...) NOT-FOR-US: BIG-IP CVE-2015-7757 REJECTED CVE-2015-7756 (The encryption implementation in Juniper ScreenOS 6.2.0r15 through 6.2 ...) NOT-FOR-US: Juniper ScreenOS CVE-2015-7755 (Juniper ScreenOS 6.2.0r15 through 6.2.0r18, 6.3.0r12 before 6.3.0r12b, ...) NOT-FOR-US: Juniper ScreenOS CVE-2015-7754 (Juniper ScreenOS before 6.3.0r21, when ssh-pka is configured and enabl ...) NOT-FOR-US: Juniper CVE-2015-7753 RESERVED CVE-2015-7752 (The SSH server in Juniper Junos OS before 12.1X44-D50, 12.1X46 before ...) NOT-FOR-US: Juniper CVE-2015-7751 (Juniper Junos OS before 12.1X44-D50, 12.1X46 before 12.1X46-D35, 12.1X ...) NOT-FOR-US: Juniper CVE-2015-7750 (The L2TP packet processing functionality in Juniper Netscreen and Scre ...) NOT-FOR-US: Juniper CVE-2015-7749 (The PFE daemon in Juniper vSRX virtual firewalls with Junos OS before ...) NOT-FOR-US: Juniper CVE-2015-7748 (Juniper chassis with Trio (Trinity) chipset line cards and Junos OS 13 ...) NOT-FOR-US: Juniper CVE-2015-7746 (NetApp Data ONTAP before 8.2.4, when operating in 7-Mode, allows remot ...) NOT-FOR-US: NetApp CVE-2015-7745 RESERVED CVE-2015-7744 (wolfSSL (formerly CyaSSL) before 3.6.8 does not properly handle faults ...) - wolfssl 3.9.10+dfsg-1 - mysql-5.6 5.6.27-1 - mysql-5.5 5.5.46-0+deb8u1 [jessie] - mysql-5.5 5.5.46-0+deb8u1 [wheezy] - mysql-5.5 5.5.46-0+deb7u1 [squeeze] - mysql-5.5 5.5.46-0+deb6u1 - mariadb-10.0 10.0.22-1 [jessie] - mariadb-10.0 10.0.22-0+deb8u1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2015-7743 (XML external entity vulnerability in PRTG Network Monitor before 16.2. ...) NOT-FOR-US: PRTG Network Monitor CVE-2015-7742 RESERVED CVE-2015-7741 RESERVED CVE-2015-7739 RESERVED CVE-2015-7738 RESERVED CVE-2015-7737 RESERVED CVE-2015-7736 RESERVED CVE-2015-7735 RESERVED CVE-2015-7734 RESERVED CVE-2015-7733 RESERVED CVE-2015-7732 (The Avira Mobile Security app before 1.5.11 for iOS sends sensitive lo ...) NOT-FOR-US: Avira Mobile Security app CVE-2015-7731 RESERVED CVE-2015-7730 (SAP BusinessObjects BI Platform 4.1, BusinessObjects Edge 4.0, and Bus ...) NOT-FOR-US: SAP BusinessObjects CVE-2015-7729 (Eval injection in test-net.xsjs in the Web-based Development Workbench ...) NOT-FOR-US: SAP HANA CVE-2015-7728 (Cross-site scripting (XSS) vulnerability in user creation in the Web-b ...) NOT-FOR-US: SAP HANA CVE-2015-7727 (Multiple SQL injection vulnerabilities in the Web-based Development Wo ...) NOT-FOR-US: SAP HANA CVE-2015-7726 (Cross-site scripting (XSS) vulnerability in role deletion in the Web-b ...) NOT-FOR-US: SAP HANA CVE-2015-7725 (Multiple SQL injection vulnerabilities in the Web-based Development Wo ...) NOT-FOR-US: SAP HANA CVE-2015-7724 (AMD fglrx-driver before 15.9 allows local users to gain privileges via ...) - fglrx-driver 1:15.9-1 (bug #803517) [jessie] - fglrx-driver (Non-free not supported) [wheezy] - fglrx-driver (non-free not supported) [squeeze] - fglrx-driver (non-free not supported) NOTE: http://seclists.org/fulldisclosure/2015/Oct/103 CVE-2015-7723 (AMD fglrx-driver before 15.7 allows local users to gain privileges via ...) - fglrx-driver 1:15.7-1 (bug #803517) [jessie] - fglrx-driver (Non-free not supported) [wheezy] - fglrx-driver (non-free not supported) [squeeze] - fglrx-driver (non-free not supported) NOTE: http://seclists.org/fulldisclosure/2015/Oct/104 CVE-2015-7722 RESERVED CVE-2015-7721 RESERVED CVE-2015-7720 RESERVED CVE-2015-7719 RESERVED CVE-2015-7718 (mediaserver in Android 5.x before 5.1.1 LMY48T and 6.0 before 2015-10- ...) NOT-FOR-US: mediaserver in Android CVE-2015-7717 (mediaserver in Android 5.x before 5.1.1 LMY48T and 6.0 before 2015-10- ...) NOT-FOR-US: mediaserver in Android CVE-2015-7716 (libstagefright in Android 5.x before 5.1.1 LMY48T allows remote attack ...) NOT-FOR-US: libstagefright in Android CVE-2015-7715 (Cross-site request forgery (CSRF) vulnerability in the Realtyna RPL (c ...) NOT-FOR-US: Realtyna RPL for Joomla! CVE-2015-7714 (Multiple SQL injection vulnerabilities in the Realtyna RPL (com_rpl) c ...) NOT-FOR-US: Realtyna RPL for Joomla! CVE-2015-7712 (Multiple eval injection vulnerabilities in mods/_standard/gradebook/ed ...) NOT-FOR-US: ATutor CVE-2015-7711 (Cross-site scripting (XSS) vulnerability in popuphelp.php in ATutor 2. ...) NOT-FOR-US: ATutor CVE-2015-7710 RESERVED CVE-2015-7709 (The arkeiad daemon in the Arkeia Backup Agent in Western Digital Arkei ...) NOT-FOR-US: Western Digital CVE-2015-7708 (Cross-site scripting (XSS) vulnerability in 4images 1.7.11 and earlier ...) NOT-FOR-US: 4images CVE-2015-7707 (Ignite Realtime Openfire 3.10.2 allows remote authenticated users to g ...) NOT-FOR-US: Ignite Realtime Openfire CVE-2015-7706 (Multiple cross-site scripting (XSS) vulnerabilities in Secure Data Spa ...) NOT-FOR-US: Secure Data Space CVE-2014-9756 (The psf_fwrite function in file_io.c in libsndfile allows attackers to ...) {DLA-928-1 DLA-356-1} - libsndfile 1.0.25-10 (bug #804447) [jessie] - libsndfile 1.0.25-9.1+deb8u1 NOTE: https://github.com/erikd/libsndfile/commit/725c7dbb95bfaf8b4bb7b04820e3a00cceea9ce6 CVE-2014-9753 (confirm.php in ATutor 2.2 and earlier allows remote attackers to bypas ...) NOT-FOR-US: ATutor CVE-2014-9752 (Unrestricted file upload vulnerability in mods/_core/properties/lib/co ...) NOT-FOR-US: ATutor CVE-2015-7758 (Gummi 0.6.5 allows local users to write to arbitrary files via a symli ...) - gummi 0.6.5-6 (bug #756432) [jessie] - gummi 0.6.5-3+deb8u1 [wheezy] - gummi 0.6.3-1.2+deb7u2 NOTE: http://www.openwall.com/lists/oss-security/2015/10/08/4 CVE-2008-7316 (mm/filemap.c in the Linux kernel before 2.6.25 allows local users to c ...) - linux (Issue fixed before the src:linux-2.6 rename) - linux-2.6 2.6.25-1 NOTE: https://git.kernel.org/linus/124d3b7041f9a0ca7c43a6293e1cae4576c32fd5 (v2.6.25-rc1) CVE-2008-7315 (UI-Dialog 1.09 and earlier allows remote attackers to execute arbitrar ...) - libui-dialog-perl 1.21-0.1 (bug #496448) [jessie] - libui-dialog-perl (Minor issue) [wheezy] - libui-dialog-perl (Minor issue) [squeeze] - libui-dialog-perl (Minor issue) NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=107364 NOTE: http://www.openwall.com/lists/oss-security/2015/10/08/2 CVE-2015-7740 (Huawei P7 before P7-L00C17B851, P7-L05C00B851, and P7-L09C92B851 and P ...) NOT-FOR-US: ARM Mali GPU driver CVE-2015-7545 (The (1) git-remote-ext and (2) unspecified other remote helper program ...) {DSA-3435-1} - git 1:2.6.1-1 [squeeze] - git (git 1.7.2 did not have git-remote-ext yet) NOTE: http://www.openwall.com/lists/oss-security/2015/10/06/1 CVE-2015-7747 (Buffer overflow in the afReadFrames function in audiofile (aka libaudi ...) - audiofile 0.3.6-3 (bug #801102) [jessie] - audiofile 0.3.6-2+deb8u1 [wheezy] - audiofile (Minor issue) [squeeze] - audiofile (Vulnerable code introduced later) NOTE: http://www.openwall.com/lists/oss-security/2015/10/06/2 CVE-2015-7705 (The rate limiting feature in NTP 4.x before 4.2.8p4 and 4.3.x before 4 ...) - ntp 1:4.2.8p4+dfsg-3 [jessie] - ntp (Default config not affected) [wheezy] - ntp (Default config not affected) [squeeze] - ntp (Default config not affected) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner NOTE: https://github.com/ntp-project/ntp/commit/21d57dc336dbe9a975baca5ce5ae4da5b71ff123 NOTE: https://github.com/ntp-project/ntp/commit/492758c3d0690d3ccf7130fabfcf670997f12f7b NOTE: Original fix was reported broken, then fixed in http://bugs.ntp.org/show_bug.cgi?id=2952 (4.2.8p7) NOTE: Original upsteam bug: http://support.ntp.org/bin/view/Main/NtpBug2901 CVE-2015-7704 (The ntpd client in NTP 4.x before 4.2.8p4 and 4.3.x before 4.3.77 allo ...) {DSA-3388-1 DLA-335-1} - ntp 1:4.2.8p4+dfsg-3 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner NOTE: Original ntp fix applied in 1:4.2.8p4+dfsg-1for CVE-2015-7704 is apparently broken NOTE: http://lists.ntp.org/pipermail/pool/2015-October/007631.html CVE-2015-7703 (The "pidfile" or "driftfile" directives in NTP ntpd 4.2.x before 4.2.8 ...) {DSA-3388-1 DLA-335-1} - ntp 1:4.2.8p4+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner NOTE: https://github.com/ntp-project/ntp/commit/5dea6ff160c7e8f7cb038619ccccd28c3a8df637 NOTE: https://github.com/ntp-project/ntp/commit/cdae0f1369ade98dc7ae912a0f1953b6e533cb88 CVE-2015-7702 (The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3. ...) {DSA-3388-1 DLA-335-1} - ntp 1:4.2.8p4+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner NOTE: https://github.com/ntp-project/ntp/commit/c4cd4aaf418f57f7225708a93bf48afb2bc9c1da CVE-2015-7701 (Memory leak in the CRYPTO_ASSOC function in ntpd in NTP 4.2.x before 4 ...) {DSA-3388-1 DLA-335-1} - ntp 1:4.2.8p4+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner NOTE: https://github.com/ntp-project/ntp/commit/d7cd5e186034340402f1393e0813c7d2b14ea6ca NOTE: https://github.com/ntp-project/ntp/commit/79604d925e4477247eee202155215e7865293809 CVE-2015-7700 (Double-free vulnerability in the sPLT chunk structure and png.c in png ...) - pngcrush 1.8.13-0.1 (bug #874109) [stretch] - pngcrush (Minor issue) [jessie] - pngcrush (Minor issue) [wheezy] - pngcrush (Minor issue) NOTE: http://sourceforge.net/p/pmt/code/ci/e8ae5a842e86324f0bee91f4d98245fddb8ea5dd (1.7.87) CVE-2015-7697 (Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of servic ...) {DSA-3386-1 DLA-330-1} - unzip 6.0-19 (bug #802160) CVE-2015-7696 (Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of servic ...) {DSA-3386-1 DLA-330-1} - unzip 6.0-19 (bug #802162) CVE-2015-7695 (The PDO adapters in Zend Framework before 1.12.16 do not filer null by ...) {DSA-3369-1 DLA-326-1} - zendframework 1.12.16+dfsg-1 NOTE: http://framework.zend.com/security/advisory/ZF2015-08 NOTE: https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2 CVE-2015-7694 RESERVED CVE-2015-7693 RESERVED CVE-2015-7692 (The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3. ...) {DSA-3388-1 DLA-335-1} - ntp 1:4.2.8p4+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner NOTE: Fixed upstream together with CVE-2015-7702 CVE-2015-7691 (The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3. ...) {DSA-3388-1 DLA-335-1} - ntp 1:4.2.8p4+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner NOTE: Fixed upstream together with CVE-2015-7702 CVE-2015-7690 RESERVED CVE-2015-7689 RESERVED CVE-2015-7688 RESERVED CVE-2015-7685 (GLPI before 0.85.3 allows remote authenticated users to create super-a ...) - glpi (unimportant) NOTE: https://forge.glpi-project.org/issues/5218 NOTE: Only supported behind an authenticated HTTP zone CVE-2015-7684 (Unrestricted file upload in GLPI before 0.85.3 allows remote authentic ...) - glpi (unimportant) NOTE: https://forge.glpi-project.org/issues/5217 NOTE: Only supported behind an authenticated HTTP zone CVE-2015-7683 (Absolute path traversal vulnerability in Font.php in the Font plugin b ...) NOT-FOR-US: Font plugin for WordPress CVE-2015-7682 (Multiple SQL injection vulnerabilities in pie-register/pie-register.ph ...) NOT-FOR-US: Pie Register plugin for WordPress CVE-2015-7681 REJECTED CVE-2015-7680 (Ipswitch MOVEit DMZ before 8.2 provides different error messages for a ...) NOT-FOR-US: MOVEit File Transfer web- and mobile application CVE-2015-7679 (Cross-site scripting (XSS) vulnerability in Ipswitch MOVEit Mobile bef ...) NOT-FOR-US: MOVEit File Transfer web- and mobile application CVE-2015-7678 (Multiple cross-site request forgery (CSRF) vulnerabilities in Ipswitch ...) NOT-FOR-US: MOVEit File Transfer web- and mobile application CVE-2015-7677 (The MOVEitISAPI service in Ipswitch MOVEit DMZ before 8.2 provides dif ...) NOT-FOR-US: MOVEit File Transfer web- and mobile application CVE-2015-7676 (Ipswitch MOVEit File Transfer (formerly DMZ) 8.1 and earlier, when con ...) NOT-FOR-US: MOVEit File Transfer web- and mobile application CVE-2015-7675 (The "Send as attachment" feature in Ipswitch MOVEit DMZ before 8.2 and ...) NOT-FOR-US: MOVEit File Transfer web- and mobile application CVE-2015-7672 (Cross-site scripting (XSS) vulnerability in Centreon 2.6.1 (fixed in C ...) - centreon-web (bug #913903) CVE-2014-9751 (The read_network_packet function in ntp_io.c in ntpd in NTP 4.x before ...) {DSA-3154-1 DLA-149-1} - ntp 1:4.2.6.p5+dfsg-4 NOTE: http://bugs.ntp.org/show_bug.cgi?id=2672 (not yet public) CVE-2014-9750 (ntp_crypto.c in ntpd in NTP 4.x before 4.2.8p1, when Autokey Authentic ...) {DSA-3154-2 DSA-3154-1 DLA-149-1} - ntp 1:4.2.6.p5+dfsg-5 NOTE: http://bugs.ntp.org/show_bug.cgi?id=2671 CVE-2014-9749 (Squid 3.4.4 through 3.4.11 and 3.5.0.1 through 3.5.1, when Digest auth ...) - squid (related code not present in 2.7.X) - squid3 3.4.8-6 (bug #776464) [wheezy] - squid3 (Minor issue) [squeeze] - squid3 (Minor issue) NOTE: http://bugs.squid-cache.org/show_bug.cgi?id=4066 NOTE: http://bazaar.launchpad.net/~squid/squid/3.4/revision/13211 (Squid 3.4) NOTE: http://bazaar.launchpad.net/~squid/squid/3.5/revision/13735 (Squid 3.5) CVE-2014-9748 (The uv_rwlock_t fallback implementation for Windows XP and Server 2003 ...) - libuv 1.7.4-1 (unimportant) - nodejs 4.0.0~dfsg-1 (unimportant) NOTE: Only affects Windows CVE-2015-7713 (OpenStack Compute (Nova) before 2014.2.4 (juno) and 2015.1.x before 20 ...) - nova 1:12.0.0-2 [jessie] - nova (Minor issue) [wheezy] - nova (Minor issue) NOTE: <=2014.2.3, >=2015.1.0, <=2015.1.1 NOTE: http://www.openwall.com/lists/oss-security/2015/10/05/10 CVE-2015-XXXX [Remotely triggerable buffer overflow in OpenSMTPD] - opensmtpd 5.7.3p1-1 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/10/04/2 NOTE: Fixed with 5.7.3 upstream release CVE-2015-7687 (Use-after-free vulnerability in OpenSMTPD before 5.7.2 allows remote a ...) - opensmtpd 5.7.3p1-1 (bug #800787) CVE-2015-7686 (Algorithmic complexity vulnerability in Address.pm in the Email-Addres ...) - libemail-address-perl 1.912-1 (bug #868170; unimportant) [stretch] - libemail-address-perl 1.908-1+deb9u1 [jessie] - libemail-address-perl (Minor issue) [wheezy] - libemail-address-perl (Minor issue) [squeeze] - libemail-address-perl (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/10/02/13 NOTE: Possibility of DoS vs. usability issue for Email::Address NOTE: Mitigation: https://github.com/Perl-Email-Project/Email-Address/commit/aeaf0d7f1b0897b54cb246b8ac15d3ef177e5cae CVE-2015-7671 RESERVED CVE-2015-7670 (Multiple SQL injection vulnerabilities in includes/update.php in the S ...) NOT-FOR-US: Support Ticket System plugin for WordPress CVE-2015-7669 (Multiple directory traversal vulnerabilities in (1) includes/MapImport ...) NOT-FOR-US: Easy2Map plugin for WordPress CVE-2015-7668 (Cross-site scripting (XSS) vulnerability in includes/MapPinImageSave.p ...) NOT-FOR-US: Easy2Map plugin for WordPress CVE-2015-7667 (Multiple cross-site scripting (XSS) vulnerabilities in (1) templates/a ...) NOT-FOR-US: ResAds plugin for WordPress CVE-2015-7666 (Multiple cross-site scripting (XSS) vulnerabilities in the (1) cp_upda ...) NOT-FOR-US: Payment Form for PayPal Pro plugin for WordPress CVE-2015-7664 RESERVED CVE-2015-7663 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7662 (Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7661 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7660 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7659 (Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7658 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7657 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7656 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7655 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7654 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7653 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7652 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7651 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7650 (Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, ...) NOT-FOR-US: Adobe Reader CVE-2015-7649 (Adobe Shockwave Player before 12.2.1.171 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2015-7648 (Adobe Flash Player before 18.0.0.255 and 19.x before 19.0.0.226 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7647 (Adobe Flash Player before 18.0.0.255 and 19.x before 19.0.0.226 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7646 REJECTED CVE-2015-7645 (Adobe Flash Player 18.x through 18.0.0.252 and 19.x through 19.0.0.207 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7644 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7643 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7642 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7641 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7640 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7639 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7638 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7637 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7636 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7635 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7634 (Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7633 (Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7632 (Buffer overflow in Adobe Flash Player before 18.0.0.252 and 19.x befor ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7631 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7630 (Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7629 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7628 (Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7627 (Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7626 (Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7625 (Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-7624 (Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, ...) NOT-FOR-US: Adobe CVE-2015-7623 (The ANAuthenticateResource method in Adobe Reader and Acrobat 10.x bef ...) NOT-FOR-US: Adobe CVE-2015-7622 (Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, ...) NOT-FOR-US: Adobe CVE-2015-7621 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe CVE-2015-7620 (The ANSendForBrowserReview method in Adobe Reader and Acrobat 10.x bef ...) NOT-FOR-US: Adobe CVE-2015-7619 (The ANShareFile2 method in Adobe Reader and Acrobat 10.x before 10.1.1 ...) NOT-FOR-US: Adobe CVE-2015-7618 (The CBAutoConfigCommentRepository method in Adobe Reader and Acrobat 1 ...) NOT-FOR-US: Adobe CVE-2015-7617 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe CVE-2015-7616 (The ANVerifyComments method in Adobe Reader and Acrobat 10.x before 10 ...) NOT-FOR-US: Adobe CVE-2015-7615 (Use-after-free vulnerability in a SaveAs feature in Adobe Reader and A ...) NOT-FOR-US: Adobe CVE-2015-7614 (Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, ...) NOT-FOR-US: Adobe CVE-2015-7612 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Orga ...) NOT-FOR-US: McAfee CVE-2015-7665 (Tails before 1.7 includes the wget program but does not prevent automa ...) NOT-FOR-US: wget as used in Tails NOTE: http://www.openwall.com/lists/oss-security/2015/10/01/10 CVE-2015-7613 (Race condition in the IPC object implementation in the Linux kernel th ...) {DSA-3372-1 DLA-325-1} - linux 4.2.3-1 - linux-2.6 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b9a532277938798b53178d5a66af6e2915cb27cf (v4.3-rc4) CVE-2015-7610 (Cross-site request forgery (CSRF) vulnerability in the login form in Z ...) NOT-FOR-US: Zimbra CVE-2015-7609 (Synacor Zimbra Mail Client 8.6 before 8.6.0 Patch 5 has XSS via the er ...) NOT-FOR-US: Synacor Zimbra Mail Client CVE-2015-7608 RESERVED CVE-2015-7607 RESERVED CVE-2015-7606 RESERVED CVE-2015-7605 RESERVED CVE-2015-7673 (io-tga.c in gdk-pixbuf before 2.32.0 uses heap memory after its alloca ...) {DSA-3378-1 DLA-434-1} - gdk-pixbuf 2.32.0-1 - gtk+2.0 2.21.5-1 NOTE: http://www.openwall.com/lists/oss-security/2015/10/01/3 NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=19f9685dbff7d1f929c61cf99188df917a18811d NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=edf6fb8d856574bc3bb3a703037f56533229267c NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=6ddca835100107e6b5841ce9d56074f6d98c387e NOTE: gtk+2.0 2.21.5-1 removed the embedded copy of gdk-pixbuf and build-depends on external gdk-pixbuf CVE-2015-8875 (Multiple integer overflows in the (1) pixops_composite_nearest, (2) pi ...) {DSA-3589-1 DLA-450-1} - gdk-pixbuf 2.34.0-1 NOTE: Fixed by: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=dbfe8f70471864818bf458a39c8a99640895bd22 (2.33.1) NOTE: http://www.openwall.com/lists/oss-security/2016/05/12/3 CVE-2015-7674 (Integer overflow in the pixops_scale_nearest function in pixops/pixops ...) {DSA-3378-1 DLA-450-1 DLA-434-1} - gdk-pixbuf 2.32.1-1 NOTE: http://www.openwall.com/lists/oss-security/2015/10/01/4 NOTE: Fix for CVE-2015-7674: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=e9a5704edaa9aee9498f1fbf6e1b70fcce2e55aa (2.32.1) NOTE: Additional hardening against further overflows (but not part of the CVE assignment): https://git.gnome.org/browse/gdk-pixbuf/commit/?id=dbfe8f70471864818bf458a39c8a99640895bd22 (2.33.1) NOTE: The CVE is only assigned for the overflow in the pixops_scale_nearest function. - gtk+2.0 2.21.5-1 NOTE: gtk+2.0 2.21.5-1 removed the embedded copy of gdk-pixbuf and build-depends on external gdk-pixbuf CVE-2015-XXXX [trivial hash complexity DoS attack] - php5 (bug #800564) [jessie] - php5 (Too intrusive to backport) [wheezy] - php5 (Too intrusive to backport) [squeeze] - php5 (Too intrusive to backport) NOTE: https://bugs.php.net/bug.php?id=70644 NOTE: https://github.com/bk2204/php-hash-dos CVE-2015-7698 (icewind1991 SMB before 1.0.3 allows remote authenticated users to exec ...) - php-smb 1.0.3a-1 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-017 CVE-2015-7699 (The files_external app in ownCloud Server before 7.0.9, 8.0.x before 8 ...) {DSA-3373-1} - owncloud 7.0.9~dfsg-1 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-018 NOTE: https://github.com/owncloud/core/commit/b05e178bbf884b120d1106e6a28f35aa50d6d06f CVE-2015-7611 (Apache James Server 2.3.2, when configured with file-based user reposi ...) NOT-FOR-US: Apache James CVE-2015-7604 (Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enter ...) NOT-FOR-US: Splunk CVE-2015-7603 (Directory traversal vulnerability in Konica Minolta FTP Utility 1.0 al ...) NOT-FOR-US: Konica Minolta FTP Utility CVE-2015-7602 (Directory traversal vulnerability in BisonWare BisonFTP 3.5 allows rem ...) NOT-FOR-US: BisonWare BisonFTP CVE-2015-7601 (Directory traversal vulnerability in PCMan's FTP Server 2.0.7 allows r ...) NOT-FOR-US: PCMan's FTP Server CVE-2015-7600 (Cisco VPN Client 5.x through 5.0.07.0440 uses weak permissions for vpn ...) NOT-FOR-US: Cisco VPN Client CVE-2015-7599 (Integer overflow in the _authenticate function in svc_auth.c in Wind R ...) NOT-FOR-US: Wind River VxWorks CVE-2015-7598 (SafeNet Authentication Service TokenValidator Proxy Agent uses a weak ...) NOT-FOR-US: SafeNet Authentication Service CVE-2015-7597 (SafeNet Authentication Service IIS Agent uses a weak ACL for unspecifi ...) NOT-FOR-US: SafeNet Authentication Service CVE-2015-7596 (SafeNet Authentication Service End User Software Tools for Windows use ...) NOT-FOR-US: SafeNet Authentication Service CVE-2015-7595 REJECTED CVE-2015-7594 REJECTED CVE-2015-7593 REJECTED CVE-2015-7592 REJECTED CVE-2015-7591 REJECTED CVE-2015-7590 REJECTED CVE-2015-7589 REJECTED CVE-2015-7588 REJECTED CVE-2015-7587 REJECTED CVE-2015-7586 REJECTED CVE-2015-7585 REJECTED CVE-2015-7584 REJECTED CVE-2015-7583 REJECTED CVE-2015-7582 REJECTED CVE-2015-7581 (actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in ...) {DSA-3464-1} - rails 2:4.2.5.1-1 [wheezy] - rails (Vulnerable code not present, is only a transitional package) [squeeze] - rails (Not supported in Squeeze LTS) - ruby-actionpack-3.2 [wheezy] - ruby-actionpack-3.2 (Vulnerable code not present) - ruby-actionpack-2.3 [wheezy] - ruby-actionpack-2.3 CVE-2015-7580 (Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.r ...) - ruby-rails-html-sanitizer 1.0.3-1 (bug #812814) CVE-2015-7579 (Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer g ...) - ruby-rails-html-sanitizer 1.0.3-1 (bug #812814) CVE-2015-7578 (Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer g ...) - ruby-rails-html-sanitizer 1.0.3-1 (bug #812814) CVE-2015-7577 (activerecord/lib/active_record/nested_attributes.rb in Active Record i ...) {DSA-3464-1 DLA-496-1} - rails 2:4.2.5.1-1 [wheezy] - rails (Vulnerable code not present, is only a transitional package) [squeeze] - rails (Not supported in Squeeze LTS) - ruby-activerecord-3.2 - ruby-activerecord-2.3 [wheezy] - ruby-activerecord-2.3 CVE-2015-7576 (The http_basic_authenticate_with method in actionpack/lib/action_contr ...) {DSA-3464-1 DLA-604-1} - rails 2:4.2.5.1-1 [wheezy] - rails (Vulnerable code not present, is only a transitional package) [squeeze] - rails (Not supported in Squeeze LTS) - ruby-actionpack-3.2 - ruby-actionpack-2.3 [wheezy] - ruby-actionpack-2.3 - ruby-activesupport-3.2 [wheezy] - ruby-activesupport-3.2 (Vulnerable code not present) - ruby-activesupport-2.3 [wheezy] - ruby-activesupport-2.3 NOTE: https://github.com/rails/rails/commit/a6fa3960c3a149e83eb2ff057be4472a82958e3d CVE-2015-7575 (Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozi ...) {DSA-3688-1 DSA-3491-1 DSA-3465-1 DSA-3458-1 DSA-3457-1 DSA-3437-1 DSA-3436-1 DLA-410-1} - iceweasel 43.0.2-1 [squeeze] - iceweasel - icedove 38.6.0-1 [squeeze] - icedove - nss 2:3.21-1 [squeeze] - nss (only affects nss post 2012-07-26) [wheezy] - nss (TLS 1.2 not supported in 3.14, only 3.15.1 and above) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-150/ NOTE: Patch in SuSE Bugzilla: https://bugzilla.suse.com/attachment.cgi?id=660286 NOTE: NSS upstream fix is actually in 3.20.2: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.20.2_release_notes NOTE: NSS patch: https://hg.mozilla.org/projects/nss/raw-rev/891676aa0d85 - openssl 1.0.1f-1 [squeeze] - openssl (Vulnerable code not present) NOTE: OpenSSL fix: https://git.openssl.org/?p=openssl.git;a=commit;h=5e1ff664f95ab4c9176b3e86b5111e5777bad61a - openjdk-8 7u95-2.6.4-1 - openjdk-7 7u95-2.6.4-1 - openjdk-6 NOTE: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/1ad1d1b46fef - gnutls28 3.3.15-1 [jessie] - gnutls28 3.3.8-6+deb8u3 - gnutls26 [squeeze] - gnutls26 (TLS1.2 not supported) NOTE: http://gnutls.org/security.html#GNUTLS-SA-2015-2 NOTE: http://lists.gnutls.org/pipermail/gnutls-devel/2015-April/007572.html NOTE: https://gitlab.com/gnutls/gnutls/commit/7d9d5c61f8445dc9e9ca47bb575c77cef17da17a NOTE: https://gitlab.com/gnutls/gnutls/commit/0e3fc7881d37246fc2d51dc404cad95b205c0e1e NOTE: https://gitlab.com/gnutls/gnutls/commit/6822a37947d4e38c45b1afc0121cda35ba897182 NOTE: http://www.openwall.com/lists/oss-security/2015/05/05/8 NOTE: http://www.mitls.org/pages/attacks/SLOTH CVE-2015-7574 REJECTED CVE-2015-7573 REJECTED CVE-2015-7572 REJECTED CVE-2015-7571 (Unrestricted file upload vulnerability in Yeager CMS 1.2.1 allows remo ...) NOT-FOR-US: Yeager CMS CVE-2015-7570 (Multiple server-side request forgery (SSRF) vulnerabilities in Yeager ...) NOT-FOR-US: Yeager CMS CVE-2015-7569 (SQL injection vulnerability in "yeager/y.php/tab_USERLIST" in Yeager C ...) NOT-FOR-US: Yeager CMS CVE-2015-7568 (SQL injection vulnerability in the password recovery feature in Yeager ...) NOT-FOR-US: Yeager CMS CVE-2015-7567 (SQL injection vulnerability in Yeager CMS 1.2.1 allows remote attacker ...) NOT-FOR-US: Yeager CMS CVE-2015-7566 (The clie_5_attach function in drivers/usb/serial/visor.c in the Linux ...) {DSA-3448-1 DLA-412-1} - linux 4.3.3-6 [wheezy] - linux 3.2.73-2+deb7u3 - linux-2.6 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283371 (not (yet) public) NOTE: Proposed upstream patch: http://marc.info/?l=linux-usb&m=145260786729359&w=2 CVE-2015-7565 (Cross-site scripting (XSS) vulnerability in Ember.js 1.8.x through 1.1 ...) NOT-FOR-US: ember.js CVE-2015-7564 (Multiple SQL injection vulnerabilities in TeamPass 2.1.24 and earlier ...) - teampass (bug #730180) CVE-2015-7563 (Cross-site request forgery (CSRF) vulnerability in TeamPass 2.1.24 and ...) - teampass (bug #730180) CVE-2015-7562 (Multiple cross-site scripting (XSS) vulnerabilities in TeamPass 2.1.24 ...) - teampass (bug #730180) CVE-2015-7561 (Kubernetes in OpenShift3 allows remote authenticated users to use the ...) NOT-FOR-US: OpenShift CVE-2015-7560 (The SMB1 implementation in smbd in Samba 3.x and 4.x before 4.1.23, 4. ...) {DSA-3514-1} - samba 2:4.3.6+dfsg-1 NOTE: https://www.samba.org/samba/security/CVE-2015-7560.html CVE-2015-7559 (It was found that the Apache ActiveMQ client before 5.15.5 exposed a r ...) {DLA-913-1} - activemq 5.14.3-3 (bug #860866) [jessie] - activemq 5.6.0+dfsg1-4+deb8u3 NOTE: Upstream commit: https://git-wip-us.apache.org/repos/asf?p=activemq.git;h=b8fc78e NOTE: https://issues.apache.org/jira/browse/AMQ-6470 CVE-2015-7558 (librsvg before 2.40.12 allows context-dependent attackers to cause a d ...) {DSA-3584-1 DLA-477-1} - librsvg 2.40.12-1 [squeeze] - librsvg (Too intrusive to backport) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1268243 NOTE: https://git.gnome.org/browse/librsvg/commit/?id=a51919f7e1ca9c535390a746fbf6e28c8402dc61 (2.40.12) CVE-2015-7557 (The _rsvg_node_poly_build_path function in rsvg-shapes.c in librsvg be ...) {DLA-395-1} - librsvg 2.40.9-2 [jessie] - librsvg 2.40.5-1+deb8u1 [wheezy] - librsvg 2.36.1-2+deb7u1 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=738050 (not public accessible) NOTE: https://git.gnome.org/browse/librsvg/commit/rsvg-shapes.c?id=40af93e6eb1c94b90c3b9a0b87e0840e126bb8df (2.40.7) CVE-2015-7556 (DeleGate 9.9.13 allows local users to gain privileges as demonstrated ...) NOT-FOR-US: DeleGate CVE-2015-7555 (Heap-based buffer overflow in giffix.c in giffix in giflib 5.1.1 allow ...) {DLA-389-1} - giflib 5.1.2-0.1 (bug #808704) [jessie] - giflib 4.1.6-11+deb8u1 [wheezy] - giflib 4.1.6-10+deb7u1 NOTE: Upstream fix http://sourceforge.net/p/giflib/code/ci/179510be300bf11115e37528d79619b53c884a63 CVE-2015-7554 (The _TIFFVGetField function in tif_dir.c in libtiff 4.0.6 allows attac ...) {DLA-693-1 DLA-692-1} - tiff 4.0.7-7 (bug #809066; bug #842043; bug #850316) [jessie] - tiff 4.0.3-12.3+deb8u4 - tiff3 NOTE: http://www.openwall.com/lists/oss-security/2015/12/26/7 NOTE: SUSE seem to have a fix (disputed): https://bugzilla.suse.com/show_bug.cgi?id=960341 NOTE: Reproducer file here: https://bugzilla.suse.com/attachment.cgi?id=665389 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2564 NOTE: partially fixed by http://bugzilla.maptools.org/show_bug.cgi?id=2564#c2 NOTE: -- NOTE: The problem is present in tiff3 3.9.6-11+deb7u1 on wheezy (the problematic code NOTE: gets executed under gdb), however for some reason this does not lead to a segfault. CVE-2015-7553 (Race condition in the kernel in Red Hat Enterprise Linux 7, kernel-rt ...) - linux (RHEL-specific backport bug) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1288934 NOTE: Related to an incomplete RHEL backport of https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8ac2bde2a4a05c38e2bd733bea94507cb1461e06 CVE-2015-7552 (Heap-based buffer overflow in the gdk_pixbuf_flip function in gdk-pixb ...) {DSA-3589-1 DLA-501-1} - gdk-pixbuf 2.32.0-1 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=958963 NOTE: This was fixed by one of the commits between 2.31.6 and 2.32.0. NOTE: Fixed by: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=4f68cb78a5277f169b9531e6998c00c7976594e4 (2.31.7) CVE-2015-7551 (The Fiddle::Handle implementation in ext/fiddle/handle.c in Ruby befor ...) - ruby1.9.1 [wheezy] - ruby1.9.1 (Minor issue) [squeeze] - ruby1.9.1 (DL already fixed with CVE-2009-5147, Fiddle does not have vulnerable code) - ruby2.0 - ruby2.1 (bug #796344) [jessie] - ruby2.1 2.1.5-2+deb8u3 - ruby2.2 2.2.4-1 (bug #796551) NOTE: https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/ CVE-2015-7550 (The keyctl_read_key function in security/keys/keyctl.c in the Linux ke ...) {DSA-3434-1 DLA-378-1} - linux 4.3.3-3 - linux-2.6 NOTE: https://git.kernel.org/linus/b4a1b4f5047e4f54e194681125c74c0aa64d637d (v4.4-rc8) CVE-2015-7549 (The MSI-X MMIO support in hw/pci/msix.c in QEMU (aka Quick Emulator) a ...) {DSA-3471-1} - qemu 1:2.5+dfsg-1 (bug #808131) [wheezy] - qemu (Vulnerable code not present) [squeeze] - qemu (Vulnerable code not present) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code not present) [squeeze] - qemu-kvm (Vulnerable code not present) NOTE: Upstream commit: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=43b11a91dd861a946b231b89b7542856ade23d1b (v2.5.0-rc0) NOTE: Introduced by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=d35e428c8400f9ddc07e5a15ff19622c869b9ba0 (v1.2.0-rc0) CVE-2015-7548 (OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0 ...) - nova 2:13.0.0~rc3-1 [jessie] - nova (Minor issue) [wheezy] - nova (Minor issue) NOTE: Affects: Nova: <=2015.1.2, ==12.0.0 NOTE: https://bugs.launchpad.net/bugs/1524274 CVE-2015-7547 (Multiple stack-based buffer overflows in the (1) send_dg and (2) send_ ...) {DSA-3481-1 DSA-3480-1 DLA-416-1} - glibc 2.21-8 - eglibc NOTE: https://googleonlinesecurity.blogspot.cz/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html NOTE: https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html CVE-2015-7546 (The identity service in OpenStack Identity (Keystone) before 2015.1.3 ...) - keystone 2:9.0.0~rc2-1 [jessie] - keystone (Too intrusive to backport, needs to switch to different token provider) [wheezy] - keystone (Too intrusive to backport, needs to switch to different token provider) - python-keystonemiddleware 3.0.0-1 [jessie] - python-keystonemiddleware (Too intrusive to backport, needs to switch to different token provider) NOTE: https://wiki.openstack.org/wiki/OSSN/OSSN-0062 NOTE: Keystone: <= 2015.1.2, >= 8.0.0 <= 8.0.1 NOTE: Keystonemiddleware: >= 1.5.0 <= 1.5.3, >= 1.6.0 <= 2.3.2 CVE-2015-7544 (redhat-support-plugin-rhev in Red Hat Enterprise Virtualization Manage ...) NOT-FOR-US: redhat-support-plugin-rhev CVE-2015-7543 (aRts 1.5.10 and kdelibs3 3.5.10 and earlier do not properly create tem ...) {DLA-367-1 DLA-366-1} - kde4libs (Fixed before the first release in Debian) - kdelibs - arts NOTE: https://quickgit.kde.org/?p=kdelibs.git&a=blobdiff&h=8c0f6401271c495c68e340e06b09239eb755ce5e&hp=45b72f0d5c3421b571e9515497352a0a9942a075&hb=cc5515ed7ce8884c9b18169158ba29ab2f7a3db7&f=kinit%2Flnusertemp.c CVE-2015-7542 (A vulnerability exists in libgwenhywfar through 4.12.0 due to the usag ...) {DLA-469-1} - libgwenhywfar 4.12.0beta-3 (bug #748955; medium) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1272503 NOTE: Debian packaging fix: http://source.lenk.info/git/pkg-libgwenhywfar.git/commitdiff/86dacaae3a233f6ca3b420e0bfdb12eb5ef40b91 CVE-2015-7541 (The initialize method in the Histogram class in lib/colorscore/histogr ...) NOT-FOR-US: colorscore gem for Ruby CVE-2015-7540 (The LDAP server in the AD domain controller in Samba 4.x before 4.1.22 ...) {DSA-3433-1} - samba 2:4.1.22+dfsg-1 [wheezy] - samba (Only affects 4.0.0 to 4.1.21) [squeeze] - samba (Only affects 4.0.0 to 4.1.21) NOTE: https://www.samba.org/samba/security/CVE-2015-7540.html CVE-2015-7539 (The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 doe ...) - jenkins CVE-2015-7538 (Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to ...) - jenkins CVE-2015-7537 (Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.64 ...) - jenkins CVE-2015-7536 (Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and L ...) - jenkins CVE-2015-7535 REJECTED CVE-2015-7534 REJECTED CVE-2015-7533 REJECTED CVE-2015-7532 REJECTED CVE-2015-7531 REJECTED CVE-2015-7530 REJECTED CVE-2015-7529 (sosreport in SoS 3.x allows local users to obtain sensitive informatio ...) - sosreport 3.2+git276-g7da50d6-3 (unimportant) NOTE: Neutralised by kernel hardening CVE-2015-7528 (Kubernetes before 1.2.0-alpha.5 allows remote attackers to read arbitr ...) - kubernetes (Fixed before initial release to archive) NOTE: https://github.com/kubernetes/kubernetes/pull/17886 CVE-2015-7527 (lib/core.php in the Cool Video Gallery plugin 1.9 for WordPress allows ...) NOT-FOR-US: WordPress plugin cool-video-gallery CVE-2015-7526 REJECTED CVE-2015-7525 REJECTED CVE-2015-7524 REJECTED CVE-2015-7523 REJECTED CVE-2015-7522 REJECTED CVE-2015-7521 (The authorization framework in Apache Hive 1.0.0, 1.0.1, 1.1.0, 1.1.1, ...) NOT-FOR-US: Apache Hive CVE-2015-7520 (Multiple cross-site scripting (XSS) vulnerabilities in the (1) RadioGr ...) NOT-FOR-US: Apache Wicket CVE-2015-7519 (agent/Core/Controller/SendRequest.cpp in Phusion Passenger before 4.0. ...) {DLA-1399-1 DLA-394-1} - passenger 5.0.22-1 (bug #807354) - ruby-passenger (bug #864651) [wheezy] - ruby-passenger (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=956281 NOTE: https://github.com/phusion/passenger/commit/c04590871ca0878d4d3ac1220c5a554b049056b4 (4.x) NOTE: https://github.com/phusion/passenger/commit/ddb8ecc4ebf260e4967f57f271d4f5761abeac3e (5.x) CVE-2015-7518 (Multiple cross-site scripting (XSS) vulnerabilities in information pop ...) - foreman (bug #663101) CVE-2015-7517 (Multiple SQL injection vulnerabilities in the Double Opt-In for Downlo ...) NOT-FOR-US: Double Opt-In for Download plugin for WordPress CVE-2015-7516 (ONOS before 1.5.0 when using the ifwd app allows remote attackers to c ...) NOT-FOR-US: Onos CVE-2015-7515 (The aiptek_probe function in drivers/input/tablet/aiptek.c in the Linu ...) {DSA-3607-1} - linux 4.4.2-1 [wheezy] - linux 3.2.81-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1285326 NOTE: https://os-s.net/advisories/OSS-2016-05_aiptek.pdf NOTE: Upstream commit: https://git.kernel.org/linus/8e20cf2bce122ce9262d6034ee5d5b76fbb92f96 (v4.4-rc6) CVE-2015-7514 (OpenStack Ironic 4.2.0 through 4.2.1 does not "clean" the disk after u ...) - ironic 1:4.2.2-1 (bug #807269) CVE-2015-7513 (arch/x86/kvm/x86.c in the Linux kernel before 4.4 does not reset the P ...) {DSA-3434-1} - linux 4.3.3-3 - linux-2.6 [squeeze] - linux-2.6 (KVM not supported in Squeeze LTS) NOTE: https://git.kernel.org/linus/0185604c2d82c560dab2f2933a18f797e74ab5a8 (v4.4-rc7) CVE-2015-7512 (Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEM ...) {DSA-3471-1 DSA-3470-1 DSA-3469-1} - qemu 1:2.5+dfsg-1 (bug #806741) [squeeze] - qemu (Not supported in Squeeze LTS) - qemu-kvm [squeeze] - qemu-kvm (Not supported in Squeeze LTS) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-11/msg06341.html CVE-2015-7511 (Libgcrypt before 1.6.5 does not properly perform elliptic-point curve ...) {DSA-3478-1 DSA-3474-1} - libgcrypt20 1.6.5-2 - libgcrypt11 [squeeze] - libgcrypt11 (Vulnerable code not present) NOTE: http://www.cs.tau.ac.IL/~tromer/ecdh/ NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=fcbb9fcc2e6983ea61bf565b6ee2e29816b8cd57 (LIBGCRYPT-1-5-BRANCH) NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=de7db12fa04016e12dffb2b678632f45eba15ec4 (libgcrypt-1.6.5) NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=28eb424e4427b320ec1c9c4ce56af25d495230bd (libgcrypt-1.6.5) NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=88e1358962e902ff1cbec8d53ba3eee46407851a (master) CVE-2015-7510 (Stack-based buffer overflow in the getpwnam and getgrnam functions of ...) - systemd 229-1 [jessie] - systemd (Vulnerable code introduced later, v223) [wheezy] - systemd (Vulnerable code introduced later, v223) NOTE: https://github.com/systemd/systemd/commit/cb31827d62066a04b02111df3052949fda4b6888 (v229) NOTE: https://github.com/systemd/systemd/issues/2002 CVE-2015-7509 (fs/ext4/namei.c in the Linux kernel before 3.7 allows physically proxi ...) - linux 3.8-1~experimental.1 [wheezy] - linux 3.2.68-1 - linux-2.6 [squeeze] - linux-2.6 2.6.32-48squeeze9 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1259222 NOTE: https://git.kernel.org/linus/c9b92530a723ac5ef8e352885a1862b18f31b2f5 NOTE: https://git.kernel.org/linus/0e9a9a1ad619e7e987815d20262d36a2f95717ca CVE-2015-7508 (Heap-based buffer overflow in the bmp_decode_rle function in libnsbmp. ...) - libnsbmp [squeeze] - libnsbmp (Library not used anywhere in Debian) NOTE: http://source.netsurf-browser.org/libnsbmp.git/commit/?id=041df43bbe273b0829132b0b17d89a69da2927d4 - netsurf 3.2+dfsg-3 (bug #810491) [jessie] - netsurf (netsurf already relies only entirely unsupported mozjs) [wheezy] - netsurf (netsurf already relies only entirely unsupported mozjs) CVE-2015-7507 (libnsbmp.c in Libnsbmp 0.1.2 allows context-dependent attackers to cau ...) - libnsbmp [squeeze] - libnsbmp (Library not used anywhere in Debian) NOTE: http://source.netsurf-browser.org/libnsbmp.git/commit/?id=49427b52ba41a1813e3822301612e2e170107efd - netsurf 3.2+dfsg-3 (bug #810491) [jessie] - netsurf (netsurf already relies only entirely unsupported mozjs) [wheezy] - netsurf (netsurf already relies only entirely unsupported mozjs) CVE-2015-7506 (The gif_next_LZW function in libnsgif.c in Libnsgif 0.1.2 allows conte ...) - libnsgif [squeeze] - libnsgif (Library not used anywhere in Debian) NOTE: http://source.netsurf-browser.org/libnsgif.git/commit/?id=088fa0819f1aeaf212a95caf7393a38c1640b5f0 - netsurf 3.2+dfsg-3 (bug #810491) [jessie] - netsurf (netsurf already relies only entirely unsupported mozjs) [wheezy] - netsurf (netsurf already relies only entirely unsupported mozjs) CVE-2015-7505 (Stack-based buffer overflow in the gif_next_LZW function in libnsgif.c ...) - libnsgif [squeeze] - libnsgif (Library not used anywhere in Debian) NOTE: http://source.netsurf-browser.org/libnsgif.git/commit/?id=a268d2c15252ac58c19f1b19771822c66bcf73b2 - netsurf 3.2+dfsg-3 (bug #810491) [jessie] - netsurf (netsurf already relies only entirely unsupported mozjs) [wheezy] - netsurf (netsurf already relies only entirely unsupported mozjs) CVE-2015-7504 (Heap-based buffer overflow in the pcnet_receive function in hw/net/pcn ...) {DSA-3471-1 DSA-3470-1 DSA-3469-1} - qemu 1:2.5+dfsg-1 (bug #806742) [squeeze] - qemu (Not supported in Squeeze LTS) - qemu-kvm [squeeze] - qemu-kvm (Not supported in Squeeze LTS) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-11/msg06342.html NOTE: Xen not affected in wheezy, CVE covered by XSA-162: https://marc.info/?l=oss-security&m=144888089404618&w=2 CVE-2015-7503 (Zend Framework before 2.4.9, zend-framework/zend-crypt 2.4.x before 2. ...) NOT-FOR-US: php-zend-crypt NOTE: http://framework.zend.com/security/advisory/ZF2015-10 CVE-2015-7502 (Red Hat CloudForms 3.2 Management Engine (CFME) 5.4.4 and CloudForms 4 ...) NOT-FOR-US: Red Hat CloudForms CVE-2015-7500 (The xmlParseMisc function in parser.c in libxml2 before 2.9.3 allows c ...) {DSA-3430-1 DLA-373-1} - libxml2 2.9.3+dfsg1-1 NOTE: https://git.gnome.org/browse/libxml2/commit/?id=f1063fdbe7fa66332bbb76874101c2a7b51b519f (v2.9.3) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=756525 (upstream bug not yet open) CVE-2015-7499 (Heap-based buffer overflow in the xmlGROW function in parser.c in libx ...) {DSA-3430-1 DLA-373-1} - libxml2 2.9.3+dfsg1-1 NOTE: https://git.gnome.org/browse/libxml2/commit/?id=28cd9cb747a94483f4aea7f0968d202c20bb4cfc (v2.9.3) NOTE: https://git.gnome.org/browse/libxml2/commit/?id=35bcb1d758ed70aa7b257c9c3b3ff55e54e3d0da (v2.9.3) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=756479 (upstream bug not yet open) CVE-2015-7498 (Heap-based buffer overflow in the xmlParseXmlDecl function in parser.c ...) {DSA-3430-1 DLA-373-1} - libxml2 2.9.3+dfsg1-1 NOTE: https://git.gnome.org/browse/libxml2/commit/?id=afd27c21f6b36e22682b7da20d726bce2dcb2f43 (v2.9.3) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=756527 (upstream bug not yet open) CVE-2015-7497 (Heap-based buffer overflow in the xmlDictComputeFastQKey function in d ...) {DSA-3430-1 DLA-373-1} - libxml2 2.9.3+dfsg1-1 NOTE: https://git.gnome.org/browse/libxml2/commit/?id=6360a31a84efe69d155ed96306b9a931a40beab9 (v2.9.3) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=756528 (upstream bug not yet open) CVE-2015-7496 (GNOME Display Manager (gdm) before 3.18.2 allows physically proximate ...) - gdm3 3.18.2-1 [jessie] - gdm3 (Vulnerable code not present, unreproducible) [wheezy] - gdm3 (Vulnerable code not present, unreproducible) [squeeze] - gdm3 (Vulnerable code not present) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=758032 NOTE: https://git.gnome.org/browse/gdm/commit/?id=5ac2246 NOTE: https://git.gnome.org/browse/gdm/commit/?id=05e5fc2 CVE-2015-7495 RESERVED CVE-2015-7494 (A vulnerability has been identified in IBM Cloud Orchestrator services ...) NOT-FOR-US: IBM CVE-2015-7493 (IBM InfoSphere Information Server could allow a local user under speci ...) NOT-FOR-US: IBM CVE-2015-7492 (Cross-site scripting (XSS) vulnerability in Reference Data Management ...) NOT-FOR-US: IBM CVE-2015-7491 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.0.x ...) NOT-FOR-US: IBM CVE-2015-7490 (IBM InfoSphere Information Server 8.5 through FP3, 8.7 through FP2, 9. ...) NOT-FOR-US: IBM CVE-2015-7489 (IBM SPSS Statistics 22.0.0.2 before IF10 and 23.0.0.2 before IF7 uses ...) NOT-FOR-US: IBM CVE-2015-7488 (IBM Spectrum Scale 4.1.1.x before 4.1.1.4 and 4.2.x before 4.2.0.1, in ...) NOT-FOR-US: IBM CVE-2015-7487 (IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.9 ...) NOT-FOR-US: IBM CVE-2015-7486 (Cross-site scripting (XSS) vulnerability in IBM Rational Engineering L ...) NOT-FOR-US: IBM Rational Engineering Lifecycle Manager CVE-2015-7485 (Cross-site scripting (XSS) vulnerability in IBM Rational Engineering L ...) NOT-FOR-US: IBM Rational Engineering Lifecycle Manager CVE-2015-7484 (IBM Rational Engineering Lifecycle Manager 3.0 before 3.0.1.6 iFix7 In ...) NOT-FOR-US: IBM Rational Engineering Lifecycle Manager CVE-2015-7483 RESERVED CVE-2015-7482 RESERVED CVE-2015-7481 RESERVED CVE-2015-7480 RESERVED CVE-2015-7479 RESERVED CVE-2015-7478 RESERVED CVE-2015-7477 RESERVED CVE-2015-7476 RESERVED CVE-2015-7475 RESERVED CVE-2015-7474 (Cross-site scripting (XSS) vulnerability in Jazz Foundation in IBM Rat ...) NOT-FOR-US: IBM Rational Engineering Lifecycle Manager CVE-2015-7473 (runmqsc in IBM WebSphere MQ 8.x before 8.0.0.5 allows local users to b ...) NOT-FOR-US: IBM CVE-2015-7472 (IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 ...) NOT-FOR-US: IBM CVE-2015-7471 (Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative ...) NOT-FOR-US: IBM CVE-2015-7470 (Report Builder in IBM Jazz Reporting Service (JRS) 5.x before 5.0.2-Ra ...) NOT-FOR-US: IBM CVE-2015-7469 (Report Builder in IBM Jazz Reporting Service (JRS) 5.x before 5.0.2-Ra ...) NOT-FOR-US: IBM CVE-2015-7468 (Report Builder in IBM Jazz Reporting Service (JRS) 5.x before 5.0.2-Ra ...) NOT-FOR-US: IBM CVE-2015-7467 (Cross-site scripting (XSS) vulnerability in Report Builder in IBM Jazz ...) NOT-FOR-US: IBM CVE-2015-7466 (Lifecycle Query Engine (LQE) in IBM Jazz Reporting Service (JRS) 6.0 b ...) NOT-FOR-US: IBM CVE-2015-7465 (Cross-site request forgery (CSRF) vulnerability in Lifecycle Query Eng ...) NOT-FOR-US: IBM CVE-2015-7464 (Report Builder in IBM Jazz Reporting Service (JRS) 5.x before 5.0.2-Ra ...) NOT-FOR-US: IBM CVE-2015-7463 (IBM Business Process Manager 7.5.x, 8.0.x, 8.5.0, 8.5.5, and 8.5.6.0 t ...) NOT-FOR-US: IBM CVE-2015-7462 (IBM WebSphere MQ 8.0.0.4 on IBM i platforms allows local users to disc ...) NOT-FOR-US: IBM CVE-2015-7461 (XML external entity (XXE) vulnerability in IBM Connections 3.0.1.1 and ...) NOT-FOR-US: IBM CVE-2015-7460 (Cross-site scripting (XSS) vulnerability in IBM Connections 3.0.1.1 an ...) NOT-FOR-US: IBM CVE-2015-7459 (Cross-site scripting (XSS) vulnerability in IBM Connections 3.0.1.1 an ...) NOT-FOR-US: IBM CVE-2015-7458 (Cross-site scripting (XSS) vulnerability in IBM Connections 3.0.1.1 an ...) NOT-FOR-US: IBM CVE-2015-7457 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.0.x ...) NOT-FOR-US: IBM CVE-2015-7456 (IBM Spectrum Scale 4.1.1 before 4.1.1.4, and 4.2.0.0, allows remote au ...) NOT-FOR-US: IBM CVE-2015-7455 (IBM WebSphere Portal 7.x through 7.0.0.2 CF29, 8.0.x before 8.0.0.1 CF ...) NOT-FOR-US: IBM CVE-2015-7454 (Business Space in IBM WebSphere Process Server 6.1.2.0 through 7.0.0.5 ...) NOT-FOR-US: IBM CVE-2015-7453 (Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative ...) NOT-FOR-US: IBM CVE-2015-7452 (IBM Maximo Asset Management 7.5 before 7.5.0.9 FP9 and 7.6 before 7.6. ...) NOT-FOR-US: IBM CVE-2015-7451 (Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Managemen ...) NOT-FOR-US: IBM CVE-2015-7450 (Serialized-object interfaces in certain IBM analytics, business soluti ...) NOT-FOR-US: IBM CVE-2015-7449 (IBM Rational Collaborative Lifecycle Management (CLM) 4.0.x before 4.0 ...) NOT-FOR-US: IBM CVE-2015-7448 (SQL injection vulnerability in IBM Maximo Asset Management 7.1 through ...) NOT-FOR-US: IBM CVE-2015-7447 (IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 ...) NOT-FOR-US: IBM CVE-2015-7446 (Cross-site request forgery (CSRF) vulnerability in IBM Flash System V9 ...) NOT-FOR-US: IBM CVE-2015-7445 (IBM Multi-Enterprise Integration Gateway 1.0 through 1.0.0.1 and B2B A ...) NOT-FOR-US: IBM CVE-2015-7444 (The Update Installer in IBM WebSphere Commerce Enterprise 7.0.0.8 and ...) NOT-FOR-US: IBM CVE-2015-7443 RESERVED CVE-2015-7442 (consoleinst.sh in IBM Installation Manager before 1.7.4.4 and 1.8.x be ...) NOT-FOR-US: IBM CVE-2015-7441 (Remote Artifact Loader (RAL) in IBM WebSphere Process Server 7 and Bus ...) NOT-FOR-US: IBM CVE-2015-7440 (IBM Rational Collaborative Lifecycle Management (CLM) 3.0.1 before 3.0 ...) NOT-FOR-US: IBM CVE-2015-7439 (Cross-site scripting (XSS) vulnerability in InfoSphere Data Architect ...) NOT-FOR-US: IBM CVE-2015-7438 (IBM Sterling B2B Integrator 5.2 allows local users to obtain sensitive ...) NOT-FOR-US: IBM CVE-2015-7437 (Queue Watcher in IBM Sterling B2B Integrator 5.2 allows local users to ...) NOT-FOR-US: IBM CVE-2015-7436 (IBM Tivoli Common Reporting (TCR) 2.1 before IF14, 2.1.1 before IF22, ...) NOT-FOR-US: IBM CVE-2015-7435 (IBM Tivoli Common Reporting (TCR) 2.1 before IF14, 2.1.1 before IF22, ...) NOT-FOR-US: IBM CVE-2015-7434 (IBM Capacity Management Analytics 2.1.0.0 allows local users to discov ...) NOT-FOR-US: IBM CVE-2015-7433 (IBM Capacity Management Analytics 2.1.0.0 allows local users to discov ...) NOT-FOR-US: IBM CVE-2015-7432 (IBM Capacity Management Analytics 2.1.0.0 allows local users to decryp ...) NOT-FOR-US: IBM CVE-2015-7431 (Cross-site scripting (XSS) vulnerability in Queue Watcher in IBM Sterl ...) NOT-FOR-US: IBM CVE-2015-7430 (The Hadoop connector 1.1.1, 2.4, 2.5, and 2.7.0-0 before 2.7.0-3 for I ...) NOT-FOR-US: IBM CVE-2015-7429 (The Data Protection extension in the VMware GUI in IBM Tivoli Storage ...) NOT-FOR-US: IBM CVE-2015-7428 (Open redirect vulnerability in IBM WebSphere Portal 8.0.x before 8.0.0 ...) NOT-FOR-US: IBM CVE-2015-7427 (IBM DataPower Gateway appliances with firmware 6.x before 6.0.0.17, 6. ...) NOT-FOR-US: IBM CVE-2015-7426 (The Data Protection extension in the VMware GUI in IBM Tivoli Storage ...) NOT-FOR-US: IBM CVE-2015-7425 (The Data Protection component in the VMware vSphere GUI in IBM Tivoli ...) NOT-FOR-US: IBM CVE-2015-7424 (IBM InfoSphere Master Data Management (MDM) - Collaborative Edition 9. ...) NOT-FOR-US: IBM CVE-2015-7423 (Multiple cross-site scripting (XSS) vulnerabilities in IBM InfoSphere ...) NOT-FOR-US: IBM CVE-2015-7422 (Buffer overflow in IBM i Access 7.1 on Windows allows local users to c ...) NOT-FOR-US: IBM i Access CVE-2015-7421 (Unspecified vulnerability in GSKit on IBM MQ M2000 appliances before 8 ...) NOT-FOR-US: IBM CVE-2015-7420 (Unspecified vulnerability in GSKit on IBM MQ M2000 appliances before 8 ...) NOT-FOR-US: IBM CVE-2015-7419 (IBM WebSphere Portal 8.0.0.1 before CF19 and 8.5.0 before CF09 allows ...) NOT-FOR-US: IBM CVE-2015-7418 (IBM WebSphere eXtreme Scale and the WebSphere DataPower XC10 Appliance ...) NOT-FOR-US: IBM CVE-2015-7417 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Application ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2015-7416 (AFP Workbench Viewer in IBM i Access 7.1 on Windows allows remote atta ...) NOT-FOR-US: IBM CVE-2015-7415 (Multiple cross-site scripting (XSS) vulnerabilities in IBM UrbanCode D ...) NOT-FOR-US: IBM CVE-2015-7414 (Cross-site scripting (XSS) vulnerability in the GDS component in IBM I ...) NOT-FOR-US: IBM CVE-2015-7413 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.0.0 ...) NOT-FOR-US: IBM CVE-2015-7412 (The GatewayScript modules on IBM DataPower Gateways with software 7.2. ...) NOT-FOR-US: IBM CVE-2015-7411 (The portal client in IBM Tivoli Monitoring (ITM) 6.2.2 through FP9, 6. ...) NOT-FOR-US: IBM CVE-2015-7410 (The Health Check tool in IBM Sterling B2B Integrator 5.2 does not prop ...) NOT-FOR-US: IBM CVE-2015-7409 (Cross-site scripting (XSS) vulnerability in IBM Security QRadar SIEM 7 ...) NOT-FOR-US: IBM CVE-2015-7408 (The server in IBM Spectrum Protect (aka Tivoli Storage Manager) 5.5 an ...) NOT-FOR-US: IBM CVE-2015-7407 (Cross-site request forgery (CSRF) vulnerability in Lotus Mashups in IB ...) NOT-FOR-US: IBM CVE-2015-7406 RESERVED CVE-2015-7405 RESERVED CVE-2015-7404 (IBM Tivoli Storage Manager for Databases: Data Protection for Microsof ...) NOT-FOR-US: IBM CVE-2015-7403 (IBM Spectrum Scale 4.1.1.x before 4.1.1.3 and General Parallel File Sy ...) NOT-FOR-US: IBM CVE-2015-7402 (Cross-site scripting (XSS) vulnerability in IBM Curam Social Program M ...) NOT-FOR-US: IBM CVE-2015-7401 (IBM Curam Social Program Management 6.1.x before 6.1.1.1 allows remote ...) NOT-FOR-US: IBM CVE-2015-7400 (The Lotus Mashups component in IBM Mashup Center 3.0.0.1 allows remote ...) NOT-FOR-US: IBM CVE-2015-7399 (IBM WebSphere Message Broker 7 before 7.0.0.8 and 8 before 8.0.0.6 and ...) NOT-FOR-US: IBM CVE-2015-7398 (Cross-site scripting (XSS) vulnerability in IBM Emptoris Contract Mana ...) NOT-FOR-US: IBM CVE-2015-7397 (Multiple open redirect vulnerabilities in the Aurora starter store in ...) NOT-FOR-US: IBM CVE-2015-7396 (The Scheduler in IBM Maximo Asset Management 7.5 before 7.5.0.8 IF6 an ...) NOT-FOR-US: IBM CVE-2015-7395 (IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 ...) NOT-FOR-US: IBM CVE-2015-7394 (The datastor kernel module in F5 BIG-IP Analytics, APM, ASM, Link Cont ...) NOT-FOR-US: BIG-IQ CVE-2015-7393 (dcoep in BIG-IP LTM, Analytics, APM, ASM, and Link Controller 11.2.0 t ...) NOT-FOR-US: BIG-IP CVE-2015-7392 (Heap-based buffer overflow in the parse_string function in libs/esl/sr ...) - freeswitch (bug #389591) CVE-2015-7391 (Multiple cross-site scripting (XSS) vulnerabilities in TestLink before ...) NOT-FOR-US: TestLink CVE-2015-7390 (SQL injection vulnerability in TestLink before 1.9.14 allows remote at ...) NOT-FOR-US: TestLink CVE-2015-7389 RESERVED CVE-2015-7388 RESERVED CVE-2015-7387 (ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allow ...) NOT-FOR-US: ZOHO ManageEngine EventLog Analyzer CVE-2015-7386 (Multiple cross-site scripting (XSS) vulnerabilities in includes/metabo ...) NOT-FOR-US: Gallery - Photo Albums - Portfolio plugin for WordPress CVE-2015-7385 (Cross-site scripting (XSS) vulnerability in Open-Xchange OX Guard befo ...) NOT-FOR-US: Open-Xchange CVE-2015-7384 (Node.js 4.0.0, 4.1.0, and 4.1.1 allows remote attackers to cause a den ...) - nodejs 4.1.1~dfsg-3 (bug #800580) [jessie] - nodejs (Vulnerability not present) NOTE: https://groups.google.com/forum/#!topic/nodejs-sec/fSNEQiuof6I CVE-2015-8076 (The index_urlfetch function in index.c in Cyrus IMAP 2.3.x before 2.3. ...) - cyrus-imapd-2.4 2.4.17+nocaldav-2 [jessie] - cyrus-imapd-2.4 2.4.17+nocaldav-0~deb8u1 [wheezy] - cyrus-imapd-2.4 (Minor issue; can be fixed alone in a future DLA) NOTE: http://www.openwall.com/lists/oss-security/2015/09/29/2 NOTE: https://cyrus.foundation/cyrus-imapd/commit/?id=07de4ff1bf2fa340b9d77b8e7de8d43d47a33921 NOTE: https://cyrus.foundation/cyrus-imapd/commit/?id=c21e179c1f6b968fe69bebe079176714e511587b CVE-2015-7383 (Multiple cross-site scripting (XSS) vulnerabilities in Web Reference D ...) NOT-FOR-US: Web Reference Database (aka refbase) CVE-2015-7382 (SQL injection vulnerability in install.php in Web Reference Database ( ...) NOT-FOR-US: Web Reference Database (aka refbase) CVE-2015-7381 (Multiple PHP remote file inclusion vulnerabilities in install.php in W ...) NOT-FOR-US: Web Reference Database (aka refbase) CVE-2015-7380 RESERVED CVE-2015-7379 RESERVED CVE-2015-7378 (Panda Security URL Filtering before 4.3.1.9 uses a weak ACL for the "P ...) NOT-FOR-US: Panda Security CVE-2015-7377 (Cross-site scripting (XSS) vulnerability in pie-register/pie-register. ...) NOT-FOR-US: Pie Register plugin for WordPress CVE-2015-7376 RESERVED CVE-2015-7375 (Schneider Electric InduSoft Web Studio before 8.0 allows remote attack ...) NOT-FOR-US: Schneider Electric InduSoft Web Studio CVE-2015-7374 (The Remote Agent component in Schneider Electric InduSoft Web Studio b ...) NOT-FOR-US: Schneider Electric InduSoft Web Studio CVE-2015-7373 (Cross-site scripting (XSS) vulnerability in the "magic-macros" feature ...) NOT-FOR-US: Revive Adserver CVE-2015-7372 (Directory traversal vulnerability in delivery-dev/al.php in Revive Ads ...) NOT-FOR-US: Revive Adserver CVE-2015-7371 (Revive Adserver before 3.2.2 does not restrict access to run-mpe.php, ...) NOT-FOR-US: Revive Adserver CVE-2015-7370 (Multiple cross-site scripting (XSS) vulnerabilities in open-flash-char ...) NOT-FOR-US: Revive Adserver CVE-2015-7369 (The default Flash cross-domain policy (crossdomain.xml) in Revive Adse ...) NOT-FOR-US: Revive Adserver CVE-2015-7368 (Revive Adserver before 3.2.2 does not send the appropriate Cache-Contr ...) NOT-FOR-US: Revive Adserver CVE-2015-7367 (Revive Adserver before 3.2.2 allows remote attackers to perform unspec ...) NOT-FOR-US: Revive Adserver CVE-2015-7366 (Multiple cross-site request forgery (CSRF) vulnerabilities in Revive A ...) NOT-FOR-US: Revive Adserver CVE-2015-7365 (Cross-site scripting (XSS) vulnerability in the plugin upgrade form in ...) NOT-FOR-US: Revive Adserver CVE-2015-7364 (The HTML_Quickform library, as used in Revive Adserver before 3.2.2, a ...) NOT-FOR-US: Revive Adserver CVE-2015-7363 (Cross-site scripting (XSS) vulnerability in the advanced settings page ...) NOT-FOR-US: Fortinet CVE-2015-7362 (Fortinet FortiClient Linux SSLVPN before build 2313, when installed on ...) NOT-FOR-US: Fortinet CVE-2015-7361 (FortiOS 5.2.3, when configured to use High Availability (HA) and the d ...) NOT-FOR-US: FortiOS CVE-2015-7360 (Multiple cross-site scripting (XSS) vulnerabilities in the Web User In ...) NOT-FOR-US: Fortinet CVE-2015-XXXX [DoS] - libemail-address-perl 1.908-1 [jessie] - libemail-address-perl (Minor issue vs. usability impact of module) [wheezy] - libemail-address-perl (Minor issue vs. usability impact of module) [squeeze] - libemail-address-perl 1.889-2+deb6u2 NOTE: workaround entry for DLA-320-1 until/if CVE assigned NOTE: For the denial of service issue as of 1.908 as mitigation default value NOTE: for nestable comments set to deep level 1. NOTE: https://github.com/rjbs/Email-Address/commit/3056b7da4fffbce9ad92f9799fffc587ab40303d NOTE: No CVE will be assigned for behaviour change between 1.907 and 1.908 NOTE: See CVE-2015-7686 for the underlying CWE-407 ("Algorithmic Complexity") NOTE: issue still present in 1.908 NOTE: http://www.openwall.com/lists/oss-security/2015/10/02/13 CVE-2015-7359 (The (1) IsVolumeAccessibleByCurrentUser and (2) MountDevice methods in ...) NOT-FOR-US: TrueCrypt CVE-2015-7358 (The IsDriveLetterAvailable method in Driver/Ntdriver.c in TrueCrypt 7. ...) NOT-FOR-US: TrueCrypt CVE-2015-7357 (Cross-site scripting (XSS) vulnerability in the uDesign (aka U-Design) ...) NOT-FOR-US: uDesign CVE-2015-7356 RESERVED CVE-2015-7355 RESERVED CVE-2015-7354 RESERVED CVE-2015-7353 RESERVED CVE-2015-7352 RESERVED CVE-2015-7351 RESERVED CVE-2015-7350 RESERVED CVE-2015-7349 (Cross-site scripting (XSS) vulnerability in the sample feedback.inc fi ...) NOT-FOR-US: Citrix CVE-2015-7348 (Cross-site scripting (XSS) vulnerability in zTree 3.5.19.1 and possibl ...) NOT-FOR-US: zTree CVE-2015-7347 (Cross-site scripting (XSS) vulnerability in ZCMS JavaServer Pages Cont ...) NOT-FOR-US: ZCMS CVE-2015-7346 (SQL injection vulnerability in ZCMS 1.1. ...) NOT-FOR-US: ZCMS CVE-2015-7345 RESERVED CVE-2015-7344 (HikaShop Joomla Component before 2.6.0 has XSS via an injected payload ...) NOT-FOR-US: Joomla addon CVE-2015-7343 (JNews Joomla Component before 8.5.0 has XSS via the mailingsearch para ...) NOT-FOR-US: Joomla addon CVE-2015-7342 (JNews Joomla Component before 8.5.0 allows SQL injection via upload th ...) NOT-FOR-US: Joomla addon CVE-2015-7341 (JNews Joomla Component before 8.5.0 allows arbitrary File Upload via S ...) NOT-FOR-US: Joomla addon CVE-2015-7340 (JEvents Joomla Component before 3.4.0 RC6 has SQL Injection via evid i ...) NOT-FOR-US: Joomla addon CVE-2015-7339 (JCE Joomla Component 2.5.0 to 2.5.2 allows arbitrary file upload via a ...) NOT-FOR-US: Joomla addon CVE-2015-7338 (SQL Injection exists in AcyMailing Joomla Component before 4.9.5 via e ...) NOT-FOR-US: Joomla addon CVE-2015-7336 (MITRE is populating this ID because it was assigned prior to Lenovo be ...) NOT-FOR-US: Lenovo CVE-2015-7335 (MITRE is populating this ID because it was assigned prior to Lenovo be ...) NOT-FOR-US: Lenovo CVE-2015-7334 (MITRE is populating this ID because it was assigned prior to Lenovo be ...) NOT-FOR-US: Lenovo CVE-2015-7333 (MITRE is populating this ID because it was assigned prior to Lenovo be ...) NOT-FOR-US: Lenovo CVE-2015-7332 RESERVED CVE-2015-7331 (The mcollective-puppet-agent plugin before 1.11.1 for Puppet allows re ...) - puppet (Only affects Puppet Enterprise) NOTE: https://puppet.com/security/cve/cve-2015-7331 CVE-2015-7330 (Puppet Enterprise 2015.3 before 2015.3.1 allows remote attackers to by ...) NOT-FOR-US: Puppet Enterprise (Puppet Communications Protocol broker) CVE-2015-7329 RESERVED CVE-2015-7328 (Puppet Server in Puppet Enterprise before 3.8.x before 3.8.3 and 2015. ...) - puppet (Only affects Puppet Enterprise) CVE-2015-7327 (Mozilla Firefox before 41.0 does not properly restrict the availabilit ...) - iceweasel (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-114/ CVE-2015-7326 (XML External Entity (XXE) vulnerability in Milton Webdav before 2.7.0. ...) NOT-FOR-US: Milton Webdav CVE-2015-7325 RESERVED CVE-2015-7324 (Multiple cross-site scripting (XSS) vulnerabilities in helpers/comment ...) NOT-FOR-US: StackIdeas Komento component for Joomla! CVE-2015-7323 (The Secure Meeting (Pulse Collaboration) in Pulse Connect Secure (form ...) NOT-FOR-US: Pulse Connect Secure CVE-2015-7322 (The Secure Meeting (Pulse Collaboration) in Pulse Connect Secure (form ...) NOT-FOR-US: Pulse Connect Secure CVE-2015-7321 RESERVED CVE-2015-7320 (Multiple cross-site scripting (XSS) vulnerabilities in cpabc_appointme ...) NOT-FOR-US: Appointment Booking Calendar plugin for WordPress CVE-2015-7319 (SQL injection vulnerability in cpabc_appointments_admin_int_calendar_l ...) NOT-FOR-US: Appointment Booking Calendar plugin for WordPress CVE-2015-7318 (Plone 3.3.0 through 3.3.6 allows remote attackers to inject headers in ...) NOT-FOR-US: Plone CVE-2015-7317 (Kupu 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, a ...) NOT-FOR-US: Plone CVE-2015-7316 (Cross-site scripting (XSS) vulnerability in Plone 3.3.0 through 3.3.6, ...) NOT-FOR-US: Plone CVE-2015-7315 (Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, ...) NOT-FOR-US: Plone CVE-2015-7310 (McAfee Enterprise Security Manager (ESM), Enterprise Security Manager/ ...) NOT-FOR-US: McAfee CVE-2015-7309 (The theme editor in Bolt before 2.2.5 does not check the file extensio ...) NOT-FOR-US: Bolt CMS CVE-2015-7314 (The Precious module in gollum before 4.0.1 allows remote attackers to ...) NOT-FOR-US: Gollum wiki CVE-2015-7308 RESERVED CVE-2015-7307 (Cross-site scripting (XSS) vulnerability in the CMS Updater module 7.x ...) NOT-FOR-US: CMS Updater module for Drupal CVE-2015-7306 (The CMS Updater module 7.x-1.x before 7.x-1.3 for Drupal does not prop ...) NOT-FOR-US: CMS Updater module for Drupal CVE-2015-7305 (The Scald module 7.x-1.x before 7.x-1.5 for Drupal does not properly r ...) NOT-FOR-US: Scald module for Drupal CVE-2015-7304 (Cross-site scripting (XSS) vulnerability in the amoCRM module 7.x-1.x ...) NOT-FOR-US: amoCRM module for Drupal CVE-2015-7303 (Use-after-free vulnerability in the Update Manager service in Avira Ma ...) NOT-FOR-US: Avira CVE-2015-7302 RESERVED CVE-2015-7301 RESERVED CVE-2015-7300 RESERVED CVE-2015-7299 (SQL injection vulnerability in Runtime/Runtime/AjaxCall.ashx in K2 bla ...) NOT-FOR-US: K2 CVE-2015-7298 (ownCloud Desktop Client before 2.0.1, when compiled with a Qt release ...) - owncloud-client 2.0.0+dfsg-1 [jessie] - owncloud-client (not compiled with a Qt release greater than 5.3.x) NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-016 CVE-2015-7297 (SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote ...) NOT-FOR-US: Joomla! CVE-2015-XXXX [Privilege escalation via core-gui] - core-network (bug #799756) NOTE: http://pf.itd.nrl.navy.mil/pipermail/core-users/2015-August/001837.html CVE-2015-7313 (LibTIFF allows remote attackers to cause a denial of service (memory c ...) - tiff 4.0.7-1 (bug #800124) [jessie] - tiff (Minor issue) [wheezy] - tiff (Can't reproduce) [squeeze] - tiff (Can't reproduce the issue, file is rejected with "Integer overflow in TIFFVStripSize" and "cannot handle zero strip size.") - tiff3 [wheezy] - tiff3 (Can't reproduce the issue, file is rejected with "Integer overflow in TIFFVStripSize" and "cannot handle zero strip size.") NOTE: Test file here: https://marc.info/?l=oss-security&m=144284777006804&q=p6 NOTE: Reproduce with "ltrace -e realloc tiffdither /tmp/oom.tif /dev/null" NOTE: at the end you see "libtiff.so.5->realloc(0, 1636178024)" CVE-2015-7311 (libxl in Xen 4.1.x through 4.6.x does not properly handle the readonly ...) {DSA-3414-1} - xen 4.8.0~rc3-1 (bug #823620) [wheezy] - xen (Minor issue, xl not used in wheezy) [squeeze] - xen (Only affects 4.1 and later) NOTE: http://xenbits.xen.org/xsa/advisory-142.html CVE-2015-7296 (Securifi Almond devices with firmware before AL1-R201EXP10-L304-W34 an ...) NOT-FOR-US: Securifi Almond devices CVE-2015-7294 (ldapauth-fork before 2.3.3 allows remote attackers to perform LDAP inj ...) NOT-FOR-US: NodeJS ldapauth NOTE: http://www.openwall.com/lists/oss-security/2015/09/18/4 NOTE: https://github.com/vesse/node-ldapauth-fork/issues/21 NOTE: https://github.com/vesse/node-ldapauth-fork/commit/3feea43e243698bcaeffa904a7324f4d96df60e4 NOTE: https://nodesecurity.io/advisories/19 CVE-2015-7293 (Multiple cross-site request forgery (CSRF) vulnerabilities in Zope Man ...) NOT-FOR-US: Zope Management Interface CVE-2015-7292 (Stack-based buffer overflow in the havok_write function in drivers/sta ...) NOT-FOR-US: Amazon Fire OS CVE-2015-7291 (Cross-site request forgery (CSRF) vulnerability in adv_pwd_cgi in the ...) NOT-FOR-US: Arris CVE-2015-7290 (Cross-site scripting (XSS) vulnerability in adv_pwd_cgi in the web man ...) NOT-FOR-US: Arris CVE-2015-7289 (Arris DG860A, TG862A, and TG862G devices with firmware TS0703128_10061 ...) NOT-FOR-US: Arris CVE-2015-7288 (CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 allo ...) NOT-FOR-US: CSL DualCom CVE-2015-7287 (CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 use ...) NOT-FOR-US: CSL DualCom CVE-2015-7286 (CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 rely ...) NOT-FOR-US: CSL DualCom CVE-2015-7285 (CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 do n ...) NOT-FOR-US: CSL DualCom CVE-2015-7284 (Cross-site request forgery (CSRF) vulnerability on ZyXEL NBG-418N devi ...) NOT-FOR-US: ZyXEL CVE-2015-7283 (The web administration interface on ZyXEL NBG-418N devices with firmwa ...) NOT-FOR-US: ZyXEL CVE-2015-7282 (ReadyNet WRT300N-DD devices with firmware 1.0.26 use the same source p ...) NOT-FOR-US: ReadyNet CVE-2015-7281 (Cross-site request forgery (CSRF) vulnerability on ReadyNet WRT300N-DD ...) NOT-FOR-US: ReadyNet CVE-2015-7280 (The web administration interface on ReadyNet WRT300N-DD devices with f ...) NOT-FOR-US: ReadyNet CVE-2015-7279 (Amped Wireless R10000 devices with firmware 2.5.2.11 use an improper a ...) NOT-FOR-US: Amped Wireless CVE-2015-7278 (Cross-site request forgery (CSRF) vulnerability on Amped Wireless R100 ...) NOT-FOR-US: Amped Wireless CVE-2015-7277 (The web administration interface on Amped Wireless R10000 devices with ...) NOT-FOR-US: Amped Wireless CVE-2015-7276 (Technicolor C2000T and C2100T uses hard-coded cryptographic keys. ...) NOT-FOR-US: Technicolor CVE-2015-7275 (Dell Integrated Remote Access Controller (iDRAC) 6 before 2.85 and 7/8 ...) NOT-FOR-US: Dell iDRAC CVE-2015-7274 (Dell Integrated Remote Access Controller (iDRAC) 6 before 2.80 allows ...) NOT-FOR-US: Dell iDRAC CVE-2015-7273 (Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 ...) NOT-FOR-US: Dell iDRAC CVE-2015-7272 (Dell Integrated Remote Access Controller (iDRAC) 6 before 2.80 and 7/8 ...) NOT-FOR-US: Dell iDRAC CVE-2015-7271 (Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 ...) NOT-FOR-US: Dell iDRAC CVE-2015-7270 (Dell Integrated Remote Access Controller (iDRAC) 6 before 2.80 and 7/8 ...) NOT-FOR-US: Dell iDRAC CVE-2015-7269 (Seagate ST500LT015 hard disk drives, when operating in eDrive mode on ...) NOT-FOR-US: Seagate ST500LT015 hard disk drives CVE-2015-7268 (Samsung 850 Pro and PM851 solid-state drives and Seagate ST500LT015 an ...) NOT-FOR-US: Samsung CVE-2015-7267 (Samsung 850 Pro and PM851 solid-state drives and Seagate ST500LT015 an ...) NOT-FOR-US: Samsung CVE-2015-7266 (The Interactive Advertising Bureau (IAB) OpenRTB 2.3 protocol implemen ...) NOT-FOR-US: Interactive Advertising Bureau (IAB) OpenRTB CVE-2015-7265 (Facebook Proxygen before 2015-11-09 mismanages HTTPMessage.request sta ...) NOT-FOR-US: Facebook Proxygen CVE-2015-7264 (The SPDY/2 codec in Facebook Proxygen before 2015-11-09 truncates a ce ...) NOT-FOR-US: Facebook Proxygen CVE-2015-7263 (The SPDY/2 codec in Facebook Proxygen before 2015-11-09 allows remote ...) NOT-FOR-US: Facebook Proxygen CVE-2015-7262 (QNAP iArtist Lite before 1.4.54, as distributed with QNAP Signage Stat ...) NOT-FOR-US: QNAP CVE-2015-7261 (The FTP service in QNAP iArtist Lite before 1.4.54, as distributed wit ...) NOT-FOR-US: QNAP CVE-2015-7260 (Liebert MultiLink Automated Shutdown v4.2.4 allows local users to gain ...) NOT-FOR-US: Liebert MultiLink Automated Shutdown CVE-2015-7259 (ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_ ...) NOT-FOR-US: ZTE modems CVE-2015-7258 (ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_ ...) NOT-FOR-US: ZTE modems CVE-2015-7257 (ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_ ...) NOT-FOR-US: ZTE modems CVE-2015-7256 (ZyXEL NWA1100-N, NWA1100-NH, NWA1121-NI, NWA1123-AC, and NWA1123-NI ac ...) NOT-FOR-US: ZyXEL CVE-2015-7255 (ZTE OX-330P, ZXHN H108N, W300V1.0.0S_ZRD_TR1_D68, HG110, GAN9.8T101A-B ...) NOT-FOR-US: ZTE CVE-2015-7254 (Directory traversal vulnerability on Huawei HG532e, HG532n, and HG532s ...) NOT-FOR-US: Huawei CVE-2015-7253 (The Web Console in Commvault Edge Server 10 R2 allows remote attackers ...) NOT-FOR-US: Commvault Edge Server CVE-2015-7252 (Cross-site scripting (XSS) vulnerability in cgi-bin/webproc on ZTE ZXH ...) NOT-FOR-US: ZTE router CVE-2015-7251 (ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE have a har ...) NOT-FOR-US: ZTE router CVE-2015-7250 (Absolute path traversal vulnerability in cgi-bin/webproc on ZTE ZXHN H ...) NOT-FOR-US: ZTE router CVE-2015-7249 (ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allow remo ...) NOT-FOR-US: ZTE router CVE-2015-7248 (ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allow remo ...) NOT-FOR-US: ZTE router CVE-2015-7247 (D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 ...) NOT-FOR-US: D-Link CVE-2015-7246 (D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 ...) NOT-FOR-US: D-Link CVE-2015-7245 (Directory traversal vulnerability in D-Link DVG-N5402SP with firmware ...) NOT-FOR-US: D-Link CVE-2015-7244 (The default configuration of the server in MobaXterm before 8.3 has a ...) NOT-FOR-US: MobaXterm CVE-2015-7243 (Buffer overflow in Boxoft WAV to MP3 Converter allows remote attackers ...) NOT-FOR-US: Boxoft CVE-2015-7242 (Cross-site scripting (XSS) vulnerability in the Push-Service-Mails fea ...) NOT-FOR-US: AVM CVE-2015-7241 (XML External Entity (XXE) vulnerability in SAP Netweaver before 7.01. ...) NOT-FOR-US: SAP Netweaver CVE-2015-7240 RESERVED CVE-2015-7239 (SQL injection vulnerability in the BP_FIND_JOBS_WITH_PROGRAM function ...) NOT-FOR-US: J2EE CVE-2015-7238 (The Secondary server in Threat Intelligence Exchange (TIE) before 1.2. ...) NOT-FOR-US: TIE CVE-2015-7237 (Directory traversal vulnerability in the remote log viewing functional ...) NOT-FOR-US: McAfee CVE-2015-7235 (Multiple SQL injection vulnerabilities in dex_reservations.php in the ...) NOT-FOR-US: CP Reservation Calendar plugin for WordPress CVE-2015-7234 (The OSF module 7.x-3.x before 7.x-3.1 for Drupal, when the OSF Ontolog ...) NOT-FOR-US: OSF module for Drupal CVE-2015-7233 (Cross-site request forgery (CSRF) vulnerability in the OSF module 7.x- ...) NOT-FOR-US: OSF module for Drupal CVE-2015-7232 (Cross-site scripting (XSS) vulnerability in unspecified administration ...) NOT-FOR-US: OSF module for Drupal CVE-2015-7231 (The Commerce Commonwealth (CBA) module 7.x-1.x before 7.x-1.5 for Drup ...) NOT-FOR-US: The Commerce Commonwealth module for Drupal CVE-2015-7230 (The Workbench Email module 7.x-3.x before 7.x-3.4 for Drupal allows re ...) NOT-FOR-US: Workbench Email module for Drupal CVE-2015-7229 (The Twitter module 6.x-5.x before 6.x-5.2, 7.x-5.x before 7.x-5.9, and ...) NOT-FOR-US: Twitter module for Drupal CVE-2015-7228 (The RESTful module 7.x-1.x before 7.x-1.3 for Drupal does not properly ...) NOT-FOR-US: RESTful module for Drupal CVE-2015-7227 (The Fieldable Panels Panes module 7.x-1.x before 7.x-1.7 for Drupal do ...) NOT-FOR-US: Fieldable Panels Panes module for Drupal CVE-2015-7226 (The Administration Views module 7.x-1.x before 7.x-1.5 for Drupal chec ...) NOT-FOR-US: Administration Views module for Drupal CVE-2015-7224 (puppetlabs-mysql 3.1.0 through 3.6.0 allow remote attackers to bypass ...) - puppet-module-puppetlabs-mysql 3.6.1-1 [jessie] - puppet-module-puppetlabs-mysql (Vulnerable code not present) CVE-2015-7295 (hw/virtio/virtio.c in the Virtual Network Device (virtio-net) support ...) {DSA-3471-1 DSA-3470-1 DSA-3469-1} - qemu 1:2.4+dfsg-4 (bug #799452) [jessie] - qemu (Minor issue; can be fixed along in a later DSA) [wheezy] - qemu (Minor issue; can be fixed along in a later DSA) [squeeze] - qemu (Not supported in Squeeze LTS) - qemu-kvm [wheezy] - qemu-kvm (Minor issue; can be fixed along in a later DSA) [squeeze] - qemu-kvm (Not supported in Squeeze LTS) NOTE: http://www.openwall.com/lists/oss-security/2015/09/18/5 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg04729.html NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg04730.html NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg04731.html CVE-2015-7223 (The WebExtension APIs in Mozilla Firefox before 43.0 allow remote atta ...) - iceweasel (ESR38 series not affected) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-148/ CVE-2015-7222 (Integer underflow in the Metadata::setData function in MetaData.cpp in ...) {DSA-3422-1} - iceweasel 38.5.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-147/ NOTE: Probably specific to Android CVE-2015-7221 (Buffer overflow in the nsDeque::GrowCapacity function in xpcom/glue/ns ...) - iceweasel (ESR38 series not affected) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-144/ CVE-2015-7220 (Buffer overflow in the XDRBuffer::grow function in js/src/vm/Xdr.cpp i ...) - iceweasel (ESR38 series not affected) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-144/ CVE-2015-7219 (The HTTP/2 implementation in Mozilla Firefox before 43.0 allows remote ...) - iceweasel (ESR38 series not affected) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-142/ CVE-2015-7218 (The HTTP/2 implementation in Mozilla Firefox before 43.0 allows remote ...) - iceweasel (ESR38 series not affected) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-142/ CVE-2015-7217 (The gdk-pixbuf configuration in Mozilla Firefox before 43.0 on Linux G ...) - iceweasel (Iceweasel in Debian uses the system copy of gdk-pixbuf) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-143/ CVE-2015-7216 (The gdk-pixbuf configuration in Mozilla Firefox before 43.0 on Linux G ...) - iceweasel (Iceweasel in Debian uses the system copy of gdk-pixbuf) NOTE: Disabled in src:gdk-pixbuf in 2.31.7-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-143/ CVE-2015-7215 (The importScripts function in the Web Workers API implementation in Mo ...) - iceweasel (ESR38 series not affected) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-140/ CVE-2015-7214 (Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 allow rem ...) {DSA-3432-1 DSA-3422-1} - iceweasel 38.5.0esr-1 [squeeze] - iceweasel - icedove 38.5.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-149/ CVE-2015-7213 (Integer overflow in the MPEG4Extractor::readMetaData function in MPEG4 ...) {DSA-3432-1 DSA-3422-1} - iceweasel 38.5.0esr-1 [squeeze] - iceweasel - icedove 38.5.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-146/ CVE-2015-7212 (Integer overflow in the mozilla::layers::BufferTextureClient::Allocate ...) {DSA-3432-1 DSA-3422-1} - iceweasel 38.5.0esr-1 [squeeze] - iceweasel - icedove 38.5.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-139/ CVE-2015-7211 (Mozilla Firefox before 43.0 mishandles the # (number sign) character i ...) - iceweasel (ESR38 series not affected) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-141/ CVE-2015-7210 (Use-after-free vulnerability in Mozilla Firefox before 43.0 and Firefo ...) {DSA-3422-1} - iceweasel 38.5.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-138/ CVE-2015-7209 REJECTED CVE-2015-7208 (Mozilla Firefox before 43.0 stores cookies containing vertical tab cha ...) - iceweasel 44.0-1 [jessie] - iceweasel (Only affects Firefox 43.x) [wheezy] - iceweasel (Only affects Firefox 43.x) [squeeze] - iceweasel (Only affects Firefox 43.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-04/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-137/ CVE-2015-7207 (Mozilla Firefox before 43.0 does not properly restrict the availabilit ...) - iceweasel (ESR38 series not affected) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-136/ CVE-2015-7206 REJECTED CVE-2015-7205 (Integer underflow in the RTPReceiverVideo::ParseRtpPacket function in ...) {DSA-3432-1 DSA-3422-1} - iceweasel 38.5.0esr-1 [squeeze] - iceweasel - icedove 38.5.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-145/ CVE-2015-7204 (Mozilla Firefox before 43.0 does not properly store the properties of ...) - iceweasel (ESR38 series not affected) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-135/ CVE-2015-7203 (Buffer overflow in the DirectWriteFontInfo::LoadFontFamilyData functio ...) - iceweasel (ESR38 series not affected) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-144/ CVE-2015-7202 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel (ESR38 series not affected) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-134/ CVE-2015-7201 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-3432-1 DSA-3422-1} - iceweasel 38.5.0esr-1 [squeeze] - iceweasel - icedove 38.5.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-134/ CVE-2015-7200 (The CryptoKey interface implementation in Mozilla Firefox before 42.0 ...) {DSA-3410-1 DSA-3393-1} - iceweasel 38.4.0esr-1 [squeeze] - iceweasel - icedove 38.4.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-131/ CVE-2015-7199 (The (1) AddWeightedPathSegLists and (2) SVGPathSegListSMILType::Interp ...) {DSA-3410-1 DSA-3393-1} - iceweasel 38.4.0esr-1 [squeeze] - iceweasel - icedove 38.4.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-131/ CVE-2015-7198 (Buffer overflow in the rx::TextureStorage11 class in ANGLE, as used in ...) {DSA-3410-1 DSA-3393-1} - iceweasel 38.4.0esr-1 [squeeze] - iceweasel - icedove 38.4.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-131/ CVE-2015-7197 (Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 improperl ...) {DSA-3410-1 DSA-3393-1} - iceweasel 38.4.0esr-1 [squeeze] - iceweasel - icedove 38.4.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-132/ CVE-2015-7196 (Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4, when a J ...) {DSA-3393-1} - iceweasel 38.4.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-130/ CVE-2015-7195 (The URL parsing implementation in Mozilla Firefox before 42.0 improper ...) - iceweasel (ESR38 series not affected) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-129/ CVE-2015-7194 (Buffer underflow in libjar in Mozilla Firefox before 42.0 and Firefox ...) {DSA-3410-1 DSA-3393-1} - iceweasel 38.4.0esr-1 [squeeze] - iceweasel - icedove 38.4.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-128/ CVE-2015-7193 (Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 improperl ...) {DSA-3410-1 DSA-3393-1} - iceweasel 38.4.0esr-1 [squeeze] - iceweasel - icedove 38.4.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-127/ CVE-2015-7192 (The accessibility-tools feature in Mozilla Firefox before 42.0 on OS X ...) - iceweasel (Only affects Firefox on MacOS) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-126/ CVE-2015-7191 (Mozilla Firefox before 42.0 on Android improperly restricts URL string ...) - iceweasel (Only affects Firefox on Android) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-125/ CVE-2015-7190 (The Search feature in Mozilla Firefox before 42.0 on Android through 4 ...) - iceweasel (Only affects Firefox on Android) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-124/ CVE-2015-7189 (Race condition in the JPEGEncoder function in Mozilla Firefox before 4 ...) {DSA-3410-1 DSA-3393-1} - iceweasel 38.4.0esr-1 [squeeze] - iceweasel - icedove 38.4.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-123/ CVE-2015-7188 (Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 allow rem ...) {DSA-3410-1 DSA-3393-1} - iceweasel 38.4.0esr-1 [squeeze] - iceweasel - icedove 38.4.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-122/ CVE-2015-7187 (The Add-on SDK in Mozilla Firefox before 42.0 misinterprets a "script: ...) - iceweasel (ESR38 series not affected) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-121/ CVE-2015-7186 (Mozilla Firefox before 42.0 on Android allows user-assisted remote att ...) - iceweasel (Only affects Firefox on Android) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-120/ CVE-2015-7185 (Mozilla Firefox before 42.0 on Android does not ensure that the addres ...) - iceweasel (ESR38 series not affected) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-119/ CVE-2015-7184 (The fetch API implementation in Mozilla Firefox before 41.0.2 does not ...) - iceweasel (Affects only Firefox later than 38) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-115/ CVE-2015-7183 (Integer overflow in the PL_ARENA_ALLOCATE implementation in Netscape P ...) {DSA-3406-1 DSA-3393-1 DLA-344-1} - iceweasel 38.4.0esr-1 [squeeze] - iceweasel - nspr 2:4.10.10-1 - icedove 31.7.0-1~deb8u1 [squeeze] - icedove - virtualbox-ose [squeeze] - virtualbox-ose (No longer supported in Squeeze LTS) - virtualbox 5.0.10-dfsg-1 [jessie] - virtualbox 4.3.36-dfsg-1+deb8u1 [wheezy] - virtualbox (Minor issue, will be fixed when included in next CPU) NOTE: VirtualBox fixed: 4.0.36, 4.1.44, 4.2.36, 4.3.34, 5.0.10 NOTE: http://hg.mozilla.org/projects/nspr/rev/c9c965b2b19c NOTE: http://hg.mozilla.org/projects/nspr/rev/bd8fb4498fa6 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-133/ NOTE: Icedove, virtualbox(-ose)? have embedded copies of nspr. NOTE: Fixes impact macros PL_ARENA_ALLOCATE and PL_ARENA_GROW, other packages need to be recompiled: NOTE: jss (on wheezy/jessie) according to codesearch.debian.net CVE-2015-7182 (Heap-based buffer overflow in the ASN.1 decoder in Mozilla Network Sec ...) {DSA-3688-1 DSA-3410-1 DSA-3393-1 DLA-480-1 DLA-354-1} - nss 2:3.20.1-1 NOTE: http://hg.mozilla.org/projects/nss/rev/4dc247276e58 NOTE: http://hg.mozilla.org/projects/nss/rev/534aca7a5bca NOTE: http://hg.mozilla.org/projects/nss/rev/b4feb2cb0ed6 - iceweasel 38.4.0esr-1 [squeeze] - iceweasel - icedove 38.4.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-133/ NOTE: Patch for wheezy/jessie: https://lists.debian.org/debian-lts/2015/11/msg00098.html CVE-2015-7181 (The sec_asn1d_parse_leaf function in Mozilla Network Security Services ...) {DSA-3688-1 DSA-3410-1 DSA-3393-1 DLA-480-1 DLA-354-1} - nss 2:3.20.1-1 NOTE: http://hg.mozilla.org/projects/nss/rev/8ac7f47eecbb NOTE: http://hg.mozilla.org/projects/nss/rev/25cb033147fd - iceweasel 38.4.0esr-1 [squeeze] - iceweasel - icedove 38.4.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-133/ NOTE: Patch for wheezy/jessie: https://lists.debian.org/debian-lts/2015/11/msg00098.html CVE-2015-7180 (The ReadbackResultWriterD3D11::Run function in Mozilla Firefox before ...) {DSA-3365-1} - iceweasel 38.3.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-112/ CVE-2015-7179 (The VertexBufferInterface::reserveVertexSpace function in libGLES in A ...) - iceweasel (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-113/ CVE-2015-7178 (The ProgramBinary::linkAttributes function in libGLES in ANGLE, as use ...) - iceweasel (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-113/ CVE-2015-7177 (The InitTextures function in Mozilla Firefox before 41.0 and Firefox E ...) {DSA-3365-1} - iceweasel 38.3.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-112/ CVE-2015-7176 (The AnimationThread function in Mozilla Firefox before 41.0 and Firefo ...) {DSA-3365-1} - iceweasel 38.3.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-112/ CVE-2015-7175 (The XULContentSinkImpl::AddText function in Mozilla Firefox before 41. ...) {DSA-3365-1} - iceweasel 38.3.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-112/ CVE-2015-7174 (The nsAttrAndChildArray::GrowBy function in Mozilla Firefox before 41. ...) {DSA-3365-1} - iceweasel 38.3.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-112/ CVE-2015-7173 REJECTED CVE-2015-7172 REJECTED CVE-2015-7171 REJECTED CVE-2015-7170 REJECTED CVE-2015-7169 REJECTED CVE-2015-7168 REJECTED CVE-2015-7167 REJECTED CVE-2015-7166 REJECTED CVE-2015-7165 REJECTED CVE-2015-7164 REJECTED CVE-2015-7163 REJECTED CVE-2015-7162 REJECTED CVE-2015-7161 REJECTED CVE-2015-7160 REJECTED CVE-2015-7159 REJECTED CVE-2015-7158 REJECTED CVE-2015-7157 REJECTED CVE-2015-7156 REJECTED CVE-2015-7155 REJECTED CVE-2015-7154 REJECTED CVE-2015-7153 REJECTED CVE-2015-7152 REJECTED CVE-2015-7151 REJECTED CVE-2015-7150 REJECTED CVE-2015-7149 REJECTED CVE-2015-7148 REJECTED CVE-2015-7147 REJECTED CVE-2015-7146 REJECTED CVE-2015-7145 REJECTED CVE-2015-7144 REJECTED CVE-2015-7143 REJECTED CVE-2015-7142 REJECTED CVE-2015-7141 REJECTED CVE-2015-7140 REJECTED CVE-2015-7139 REJECTED CVE-2015-7138 REJECTED CVE-2015-7137 REJECTED CVE-2015-7136 REJECTED CVE-2015-7135 REJECTED CVE-2015-7134 REJECTED CVE-2015-7133 REJECTED CVE-2015-7132 REJECTED CVE-2015-7131 REJECTED CVE-2015-7130 REJECTED CVE-2015-7129 REJECTED CVE-2015-7128 REJECTED CVE-2015-7127 REJECTED CVE-2015-7126 REJECTED CVE-2015-7125 REJECTED CVE-2015-7124 REJECTED CVE-2015-7123 REJECTED CVE-2015-7122 REJECTED CVE-2015-7121 REJECTED CVE-2015-7120 REJECTED CVE-2015-7119 REJECTED CVE-2015-7118 RESERVED CVE-2015-7117 (Apple QuickTime before 7.7.9 allows remote attackers to execute arbitr ...) NOT-FOR-US: Apple QuickTime CVE-2015-7116 (libxml2 in Apple iOS before 9.2, OS X before 10.11.2, and tvOS before ...) NOT-FOR-US: Possibly Apple-specific CVE ID for libxml2 CVE-2015-7115 (libxml2 in Apple iOS before 9.2, OS X before 10.11.2, and tvOS before ...) NOT-FOR-US: Possibly Apple-specific CVE ID for libxml2 CVE-2015-7114 REJECTED CVE-2015-7113 (The LaunchServices component in Apple iOS before 9.2 and watchOS befor ...) NOT-FOR-US: Apple CVE-2015-7112 (The IOHIDFamily API in Apple iOS before 9.2, OS X before 10.11.2, tvOS ...) NOT-FOR-US: Apple CVE-2015-7111 (The IOHIDFamily API in Apple iOS before 9.2, OS X before 10.11.2, tvOS ...) NOT-FOR-US: Apple CVE-2015-7110 (The Disk Images component in Apple OS X before 10.11.2 and tvOS before ...) NOT-FOR-US: Apple CVE-2015-7109 (IOAcceleratorFamily in Apple OS X before 10.11.2 and tvOS before 9.1 a ...) NOT-FOR-US: Apple CVE-2015-7108 (The Bluetooth HCI interface in Apple OS X before 10.11.2 allows local ...) NOT-FOR-US: Apple CVE-2015-7107 (QuickLook in Apple iOS before 9.2 and OS X before 10.11.2 allows remot ...) NOT-FOR-US: Apple CVE-2015-7106 (The Intel Graphics Driver component in Apple OS X before 10.11.2 allow ...) NOT-FOR-US: Apple CVE-2015-7105 (CoreGraphics in Apple iOS before 9.2, OS X before 10.11.2, tvOS before ...) NOT-FOR-US: Apple CVE-2015-7104 (WebKit in Apple Safari before 9.0.2 and tvOS before 9.1 allows remote ...) NOT-FOR-US: Webkit as used by Apple CVE-2015-7103 (WebKit in Apple iOS before 9.2, Safari before 9.0.2, and tvOS before 9 ...) NOT-FOR-US: Apple CVE-2015-7102 (WebKit in Apple iOS before 9.2, Safari before 9.0.2, and tvOS before 9 ...) NOT-FOR-US: Apple CVE-2015-7101 (WebKit in Apple iOS before 9.2, Safari before 9.0.2, and tvOS before 9 ...) NOT-FOR-US: Apple CVE-2015-7100 (WebKit in Apple iOS before 9.2, Safari before 9.0.2, and tvOS before 9 ...) NOT-FOR-US: Apple CVE-2015-7099 (WebKit in Apple iOS before 9.2, Safari before 9.0.2, and tvOS before 9 ...) NOT-FOR-US: Apple CVE-2015-7098 (WebKit in Apple iOS before 9.2, Safari before 9.0.2, and tvOS before 9 ...) - webkit2gtk 2.10.5-1 (unimportant) CVE-2015-7097 (WebKit in Apple iOS before 9.2, Safari before 9.0.2, and tvOS before 9 ...) NOT-FOR-US: Apple CVE-2015-7096 (WebKit in Apple iOS before 9.2, Safari before 9.0.2, and tvOS before 9 ...) - webkit2gtk 2.10.5-1 (unimportant) CVE-2015-7095 (WebKit in Apple iOS before 9.2, Safari before 9.0.2, and tvOS before 9 ...) NOT-FOR-US: Apple CVE-2015-7094 (CFNetwork HTTPProtocol in Apple iOS before 9.2 and OS X before 10.11.2 ...) NOT-FOR-US: Apple CVE-2015-7093 (Safari in Apple iOS before 9.2 allows remote attackers to spoof a URL ...) NOT-FOR-US: Apple CVE-2015-7092 (Apple QuickTime before 7.7.9 allows remote attackers to execute arbitr ...) NOT-FOR-US: Apple QuickTime CVE-2015-7091 (Apple QuickTime before 7.7.9 allows remote attackers to execute arbitr ...) NOT-FOR-US: Apple QuickTime CVE-2015-7090 (Apple QuickTime before 7.7.9 allows remote attackers to execute arbitr ...) NOT-FOR-US: Apple QuickTime CVE-2015-7089 (Apple QuickTime before 7.7.9 allows remote attackers to execute arbitr ...) NOT-FOR-US: Apple QuickTime CVE-2015-7088 (Apple QuickTime before 7.7.9 allows remote attackers to execute arbitr ...) NOT-FOR-US: Apple QuickTime CVE-2015-7087 (Apple QuickTime before 7.7.9 allows remote attackers to execute arbitr ...) NOT-FOR-US: Apple QuickTime CVE-2015-7086 (Apple QuickTime before 7.7.9 allows remote attackers to execute arbitr ...) NOT-FOR-US: Apple QuickTime CVE-2015-7085 (Apple QuickTime before 7.7.9 allows remote attackers to execute arbitr ...) NOT-FOR-US: Apple QuickTime CVE-2015-7084 (The kernel in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9 ...) NOT-FOR-US: Apple CVE-2015-7083 (The kernel in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9 ...) NOT-FOR-US: Apple CVE-2015-7082 (Multiple unspecified vulnerabilities in Git before 2.5.4, as used in A ...) NOT-FOR-US: Apple-specific git extension for Xcode CVE-2015-7081 (iBooks in Apple iOS before 9.2 and OS X before 10.11.2 allows remote a ...) NOT-FOR-US: Apple CVE-2015-7080 (Siri in Apple iOS before 9.2 allows physically proximate attackers to ...) NOT-FOR-US: Apple CVE-2015-7079 (dyld in Apple iOS before 9.2 and tvOS before 9.1 mishandles segment va ...) NOT-FOR-US: Apple CVE-2015-7078 (Use-after-free vulnerability in Hypervisor in Apple OS X before 10.11. ...) NOT-FOR-US: Apple CVE-2015-7077 (The Intel Graphics Driver component in Apple OS X before 10.11.2 allow ...) NOT-FOR-US: Apple CVE-2015-7076 (The Intel Graphics Driver component in Apple OS X before 10.11.2 allow ...) NOT-FOR-US: Apple CVE-2015-7075 (CoreMedia Playback in Apple iOS before 9.2, OS X before 10.11.2, tvOS ...) NOT-FOR-US: Apple CVE-2015-7074 (CoreMedia Playback in Apple iOS before 9.2, OS X before 10.11.2, and t ...) NOT-FOR-US: Apple CVE-2015-7073 (Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, and watchO ...) NOT-FOR-US: Apple CVE-2015-7072 (dyld in Apple iOS before 9.2, tvOS before 9.1, and watchOS before 2.1 ...) NOT-FOR-US: Apple CVE-2015-7071 (The File Bookmark component in Apple OS X before 10.11.2 allows attack ...) NOT-FOR-US: Apple CVE-2015-7070 (Mobile Replayer in GPUTools Framework in Apple iOS before 9.2 allows a ...) NOT-FOR-US: Apple CVE-2015-7069 (Mobile Replayer in GPUTools Framework in Apple iOS before 9.2 allows a ...) NOT-FOR-US: Apple CVE-2015-7068 (IOKit SCSI in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9 ...) NOT-FOR-US: Apple CVE-2015-7067 (IOThunderboltFamily in Apple OS X before 10.11.2 allows local users to ...) NOT-FOR-US: Apple CVE-2015-7066 (OpenGL in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, ...) NOT-FOR-US: Apple CVE-2015-7065 (OpenGL in Apple iOS before 9.2, OS X before 10.11.2, and tvOS before 9 ...) NOT-FOR-US: Apple CVE-2015-7064 (OpenGL in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, ...) NOT-FOR-US: Apple CVE-2015-7063 (The kernel loader in EFI in Apple OS X before 10.11.2 allows local use ...) NOT-FOR-US: Apple CVE-2015-7062 (Apple OS X before 10.11.2 and tvOS before 9.1 allow local users to byp ...) NOT-FOR-US: Apple CVE-2015-7061 (The ASN.1 decoder in Apple OS X before 10.11.2, tvOS before 9.1, and w ...) NOT-FOR-US: Apple CVE-2015-7060 (The ASN.1 decoder in Apple OS X before 10.11.2, tvOS before 9.1, and w ...) NOT-FOR-US: Apple CVE-2015-7059 (The ASN.1 decoder in Apple OS X before 10.11.2, tvOS before 9.1, and w ...) NOT-FOR-US: Apple CVE-2015-7058 (Apple iOS before 9.2, OS X before 10.11.2, and tvOS before 9.1 imprope ...) NOT-FOR-US: Apple CVE-2015-7057 (otools in Apple Xcode before 7.2 allows local users to gain privileges ...) NOT-FOR-US: Apple CVE-2015-7056 (IDE SCM in Apple Xcode before 7.2 does not recognize .gitignore files, ...) NOT-FOR-US: Apple CVE-2015-7055 (AppleMobileFileIntegrity in Apple iOS before 9.2 and tvOS before 9.1 d ...) NOT-FOR-US: Apple CVE-2015-7054 (zlib in the Compression component in Apple iOS before 9.2, OS X before ...) NOT-FOR-US: Apple CVE-2015-7053 (ImageIO in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, ...) NOT-FOR-US: Apple CVE-2015-7052 (kext tools in Apple OS X before 10.11.2 mishandles kernel-extension lo ...) NOT-FOR-US: Apple CVE-2015-7051 (MobileStorageMounter in Apple iOS before 9.2 and tvOS before 9.1 misha ...) NOT-FOR-US: Apple CVE-2015-7050 (WebKit in Apple iOS before 9.2 and Safari before 9.0.2 misparses conte ...) NOT-FOR-US: Apple CVE-2015-7049 (otools in Apple Xcode before 7.2 allows local users to gain privileges ...) NOT-FOR-US: Apple CVE-2015-7048 (WebKit in Apple iOS before 9.2, Safari before 9.0.2, and tvOS before 9 ...) NOT-FOR-US: Apple CVE-2015-7047 (The kernel in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9 ...) NOT-FOR-US: Apple CVE-2015-7046 (The Sandbox feature in xnu in Apple iOS before 9.2, OS X before 10.11. ...) NOT-FOR-US: Apple CVE-2015-7045 (Keychain Access in Apple OS X before 10.11.2 and tvOS before 9.1 impro ...) NOT-FOR-US: Apple CVE-2015-7044 (The System Integrity Protection feature in Apple OS X before 10.11.2 m ...) NOT-FOR-US: Apple CVE-2015-7043 (The kernel in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9 ...) NOT-FOR-US: Apple CVE-2015-7042 (The kernel in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9 ...) NOT-FOR-US: Apple CVE-2015-7041 (The kernel in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9 ...) NOT-FOR-US: Apple CVE-2015-7040 (The kernel in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9 ...) NOT-FOR-US: Apple CVE-2015-7039 (Buffer overflow in libc in Apple iOS before 9.2, OS X before 10.11.2, ...) NOT-FOR-US: Apple CVE-2015-7038 (Buffer overflow in libc in Apple iOS before 9.2, OS X before 10.11.2, ...) NOT-FOR-US: Apple CVE-2015-7037 (Directory traversal vulnerability in Mobile Backup in Photos in Apple ...) NOT-FOR-US: Apple CVE-2015-7036 (The fts3_tokenizer function in SQLite, as used in Apple iOS before 8.4 ...) NOT-FOR-US: Apple CVE-2015-7035 (Apple Mac EFI before 2015-002, as used in OS X before 10.11.1 and othe ...) NOT-FOR-US: Apple CVE-2015-7034 (The Apple iWork application before 2.6 for iOS and Apple Pages before ...) NOT-FOR-US: Apple CVE-2015-7033 (The Apple iWork application before 2.6 for iOS, Apple Keynote before 6 ...) NOT-FOR-US: Apple CVE-2015-7032 (The Apple iWork application before 2.6 for iOS, Apple Keynote before 6 ...) NOT-FOR-US: Apple CVE-2015-7031 (The Web Service component in Apple OS X Server before 5.0.15 omits an ...) NOT-FOR-US: Apple CVE-2015-7030 (The Swift implementation in Apple Xcode before 7.1 mishandles type con ...) NOT-FOR-US: Apple CVE-2015-7029 (Apple AirPort Base Station Firmware before 7.6.7 and 7.7.x before 7.7. ...) NOT-FOR-US: Apple CVE-2015-7028 REJECTED CVE-2015-7027 REJECTED CVE-2015-7026 REJECTED CVE-2015-7025 REJECTED CVE-2015-7024 (Untrusted search path vulnerability in Apple OS X before 10.11.1 allow ...) NOT-FOR-US: Apple CVE-2015-7023 (CFNetwork in Apple iOS before 9.1 and OS X before 10.11.1 does not pro ...) NOT-FOR-US: Apple CVE-2015-7022 (The Telephony subsystem in Apple iOS before 9.1 allows attackers to ob ...) NOT-FOR-US: Apple CVE-2015-7021 (The Graphics Drivers subsystem in Apple OS X before 10.11.1 allows loc ...) NOT-FOR-US: Apple CVE-2015-7020 (The NVIDIA driver in the Graphics Drivers subsystem in Apple OS X befo ...) NOT-FOR-US: Apple CVE-2015-7019 (The NVIDIA driver in the Graphics Drivers subsystem in Apple OS X befo ...) NOT-FOR-US: Apple CVE-2015-7018 (FontParser in Apple iOS before 9.1 and OS X before 10.11.1 allows remo ...) NOT-FOR-US: Apple CVE-2015-7017 (CoreText in Apple iOS before 9.1, OS X before 10.11.1, and iTunes befo ...) NOT-FOR-US: Apple CVE-2015-7016 (The MCX Application Restrictions component in Apple OS X before 10.11. ...) NOT-FOR-US: Apple CVE-2015-7015 (Heap-based buffer overflow in the DNS client library in configd in App ...) NOT-FOR-US: Apple CVE-2015-7014 (WebKit, as used in Apple iOS before 9.1, Safari before 9.0.1, and iTun ...) NOT-FOR-US: Apple CVE-2015-7013 (WebKit, as used in Apple Safari before 9.0.1 and iTunes before 12.3.1, ...) NOT-FOR-US: Webkit as used by Apple CVE-2015-7012 (WebKit, as used in Apple iOS before 9.1, Safari before 9.0.1, and iTun ...) NOT-FOR-US: Apple CVE-2015-7011 (WebKit, as used in Apple Safari before 9.0.1 and iTunes before 12.3.1, ...) NOT-FOR-US: Webkit as used by Apple CVE-2015-7010 (FontParser in Apple iOS before 9.1 and OS X before 10.11.1 allows remo ...) NOT-FOR-US: Apple CVE-2015-7009 (FontParser in Apple iOS before 9.1 and OS X before 10.11.1 allows remo ...) NOT-FOR-US: Apple CVE-2015-7008 (FontParser in Apple iOS before 9.1 and OS X before 10.11.1 allows remo ...) NOT-FOR-US: Apple CVE-2015-7007 (Script Editor in Apple OS X before 10.11.1 allows remote attackers to ...) NOT-FOR-US: Apple CVE-2015-7006 (Directory traversal vulnerability in the BOM (aka Bill of Materials) c ...) NOT-FOR-US: Apple CVE-2015-7005 (WebKit, as used in Apple iOS before 9.1, allows remote attackers to ex ...) NOT-FOR-US: Apple CVE-2015-7004 (The kernel in Apple iOS before 9.1 allows attackers to cause a denial ...) NOT-FOR-US: Apple CVE-2015-7003 (coreaudiod in Audio in Apple OS X before 10.11.1 does not initialize a ...) NOT-FOR-US: Apple CVE-2015-7002 (WebKit, as used in Apple iOS before 9.1, Safari before 9.0.1, and iTun ...) NOT-FOR-US: Apple CVE-2015-7001 (AppSandbox in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9 ...) NOT-FOR-US: Apple CVE-2015-7000 (Notification Center in Apple iOS before 9.1 mishandles changes to "Sho ...) NOT-FOR-US: Apple CVE-2015-6999 (The OCSP client in Apple iOS before 9.1 does not check for certificate ...) NOT-FOR-US: Apple CVE-2015-6998 REJECTED CVE-2015-6997 (The X.509 certificate-trust implementation in Apple iOS before 9.1 doe ...) NOT-FOR-US: Apple CVE-2015-6996 (IOAcceleratorFamily in Apple iOS before 9.1, OS X before 10.11.1, and ...) NOT-FOR-US: Apple CVE-2015-6995 (The Disk Images component in Apple iOS before 9.1 and OS X before 10.1 ...) NOT-FOR-US: Apple CVE-2015-6994 (The kernel in Apple iOS before 9.1 and OS X before 10.11.1 mishandles ...) NOT-FOR-US: Apple CVE-2015-6993 (FontParser in Apple iOS before 9.1 and OS X before 10.11.1 allows remo ...) NOT-FOR-US: Apple CVE-2015-6992 (CoreText in Apple iOS before 9.1, OS X before 10.11.1, and iTunes befo ...) NOT-FOR-US: Apple CVE-2015-6991 (FontParser in Apple iOS before 9.1 and OS X before 10.11.1 allows remo ...) NOT-FOR-US: Apple CVE-2015-6990 (FontParser in Apple iOS before 9.1 and OS X before 10.11.1 allows remo ...) NOT-FOR-US: Apple CVE-2015-6989 (Grand Central Dispatch in Apple iOS before 9.1, OS X before 10.11.1, a ...) NOT-FOR-US: Apple CVE-2015-6988 (The kernel in Apple iOS before 9.1 and OS X before 10.11.1 does not in ...) NOT-FOR-US: Apple CVE-2015-6987 (The File Bookmark component in Apple OS X before 10.11.1 allows local ...) NOT-FOR-US: Apple CVE-2015-6986 (com.apple.driver.AppleVXD393 in the Graphics Driver subsystem in Apple ...) NOT-FOR-US: Apple CVE-2015-6985 (Apple Type Services (ATS) in Apple OS X before 10.11.1 allows remote a ...) NOT-FOR-US: Apple CVE-2015-6984 (libarchive in Apple OS X before 10.11.1 allows attackers to write to a ...) NOT-FOR-US: Apple CVE-2015-6983 (Double free vulnerability in Apple iOS before 9.1 and OS X before 10.1 ...) NOT-FOR-US: Apple CVE-2015-6982 (WebKit, as used in Apple iOS before 9.1, allows remote attackers to ex ...) NOT-FOR-US: Apple CVE-2015-6981 (WebKit, as used in Apple iOS before 9.1, allows remote attackers to ex ...) NOT-FOR-US: Apple CVE-2015-6980 (Directory Utility in Apple OS X before 10.11.1 mishandles authenticati ...) NOT-FOR-US: Apple CVE-2015-6979 (GasGauge in Apple iOS before 9.1 allows attackers to execute arbitrary ...) NOT-FOR-US: Apple CVE-2015-6978 (FontParser in Apple iOS before 9.1 and OS X before 10.11.1 allows remo ...) NOT-FOR-US: Apple CVE-2015-6977 (FontParser in Apple iOS before 9.1 and OS X before 10.11.1 allows remo ...) NOT-FOR-US: Apple CVE-2015-6976 (FontParser in Apple iOS before 9.1 and OS X before 10.11.1 allows remo ...) NOT-FOR-US: Apple CVE-2015-6975 (CoreText in Apple iOS before 9.1, OS X before 10.11.1, and iTunes befo ...) NOT-FOR-US: Apple CVE-2015-6974 (IOHIDFamily in Apple iOS before 9.1, OS X before 10.11.1, and watchOS ...) NOT-FOR-US: Apple CVE-2015-6973 (Multiple cross-site request forgery (CSRF) vulnerabilities in Ignite R ...) NOT-FOR-US: Openfire CVE-2015-6972 (Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime ...) NOT-FOR-US: Openfire CVE-2015-6971 (Lenovo System Update (formerly ThinkVantage System Update) before 5.07 ...) NOT-FOR-US: Lenovo CVE-2015-6970 (The web interface in Bosch Security Systems NBN-498 Dinion2X Day/Night ...) NOT-FOR-US: Bosch CVE-2015-6969 (Cross-site scripting (XSS) vulnerability in js/2k11.min.js in the 2k11 ...) - serendipity CVE-2015-6968 (Multiple incomplete blacklist vulnerabilities in the serendipity_isAct ...) - serendipity CVE-2015-6967 (Unrestricted file upload vulnerability in the My Image plugin in Nibbl ...) NOT-FOR-US: Nibbleblog CVE-2015-6966 (Multiple cross-site request forgery (CSRF) vulnerabilities in Nibblebl ...) NOT-FOR-US: Nibbleblog CVE-2015-6965 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Cont ...) NOT-FOR-US: Contact Form Generator plugin for WordPress CVE-2015-6964 RESERVED CVE-2015-6963 REJECTED CVE-2015-6962 (SQL injection vulnerability in the web application in Farol allows rem ...) NOT-FOR-US: Farol CVE-2015-7236 (Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c in r ...) {DSA-3366-1 DLA-311-1} - rpcbind 0.2.1-6.1 (bug #799307) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=946204 NOTE: http://www.spinics.net/lists/linux-nfs/msg53045.html NOTE: http://www.openwall.com/lists/oss-security/2015/09/17/1 CVE-2015-6961 (Open redirect vulnerability in gluon/tools.py in Web2py 2.9.11 allows ...) - web2py 2.12.3-1 [jessie] - web2py (Minor issue) [wheezy] - web2py (Minor issue) NOTE: Fixed by: https://github.com/web2py/web2py/commit/e31a099cb3456fef471886339653430ae59056b0 (R-2.12.1) NOTE: https://github.com/web2py/web2py/issues/731 CVE-2015-6960 (edx-platform before 2015-09-17 allows XSS via a team name. ...) NOT-FOR-US: Open edX CVE-2015-6959 (Cross-site scripting (XSS) vulnerability in Vindula 1.9. ...) NOT-FOR-US: Vindula CVE-2015-6958 RESERVED CVE-2015-6957 RESERVED CVE-2015-6956 RESERVED CVE-2015-6955 RESERVED CVE-2015-6954 RESERVED CVE-2015-6953 RESERVED CVE-2015-6952 RESERVED CVE-2015-6951 RESERVED CVE-2015-6950 RESERVED CVE-2015-6949 (Stack-based buffer overflow in the ASUS TM-AC1900 router allows remote ...) NOT-FOR-US: ASUS TM-AC1900 router CVE-2015-6948 (Heap-based buffer overflow in the Microsoft Word document conversion f ...) NOT-FOR-US: Corel WordPerfect CVE-2015-6947 REJECTED CVE-2015-6946 (Multiple stack-based buffer overflows in the Reprise License Manager s ...) NOT-FOR-US: Borland AccuRev CVE-2015-6945 (Cross-site scripting (XSS) vulnerability in JSP/MySQL Administrador We ...) NOT-FOR-US: JSP/MySQL Administrador Web 1 CVE-2015-6944 (Cross-site request forgery (CSRF) vulnerability in JSP/MySQL Administr ...) NOT-FOR-US: JSP/MySQL Administrador Web 1 CVE-2015-6943 (SQL injection vulnerability in the serendipity_checkCommentToken funct ...) - serendipity CVE-2015-6942 (Cross-site scripting (XSS) vulnerability in Coremail XT3.0 allows remo ...) NOT-FOR-US: Coremail CVE-2015-6941 (win_useradd, salt-cloud and the Linode driver in salt 2015.5.x before ...) - salt 2015.8.1+ds-1 [jessie] - salt (Minor issue) NOTE: https://docs.saltstack.com/en/latest/topics/releases/2015.8.1.html NOTE: https://github.com/twangboy/salt/commit/c0689e32154c41f59840ae10ffc5fbfa30618710 CVE-2015-6940 (The GetResource servlet in Pentaho Business Analytics (BA) Suite 4.5.x ...) NOT-FOR-US: Pentaho CVE-2015-7989 (Cross-site scripting (XSS) vulnerability in the user list table in Wor ...) {DSA-3383-1 DSA-3375-1 DLA-321-1} - wordpress 4.3.1+dfsg-1 (bug #799140) NOTE: https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a NOTE: http://www.openwall.com/lists/oss-security/2015/10/26/7 CVE-2015-7337 (The editor in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x ...) - ipython (Affects versions 3.0 to 3.2.1) NOTE: http://www.openwall.com/lists/oss-security/2015/09/16/3 CVE-2015-7940 (The Bouncy Castle Java library before 1.51 does not validate a point i ...) {DSA-3417-1 DLA-361-1} - bouncycastle 1.51-1 (bug #802671) NOTE: https://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html NOTE: Commits: https://github.com/bcgit/bc-java/commit/5cb2f05 NOTE: Possibly needed to include as well: https://github.com/bcgit/bc-java/commit/e25e94a NOTE: Peter Dettman offered to assist if backporting fails and to review the result. CVE-2015-6939 (Cross-site scripting (XSS) vulnerability in the login module in Joomla ...) NOT-FOR-US: Joomla! CVE-2015-6936 RESERVED CVE-2015-6935 REJECTED CVE-2015-6934 (Serialized-object interfaces in VMware vRealize Orchestrator 6.x, vCen ...) NOT-FOR-US: VMware CVE-2015-6933 (The VMware Tools HGFS (aka Shared Folders) implementation in VMware Wo ...) NOT-FOR-US: VMware CVE-2015-6932 (VMware vCenter Server 5.5 before u3 and 6.0 before u1 does not verify ...) NOT-FOR-US: VMware CVE-2015-6931 (Cross-site scripting (XSS) vulnerability in the vSphere Web Client in ...) NOT-FOR-US: VMware CVE-2015-8871 (Use-after-free vulnerability in the opj_j2k_write_mco function in j2k. ...) {DSA-3665-1} - openjpeg2 2.1.1-1 (bug #800149) - openjpeg (Vulnerable code not present; opj_j2k_write_mco function) NOTE: https://github.com/uclouvain/openjpeg/commit/940100c28ae28931722290794889cf84a92c5f6f NOTE: https://github.com/uclouvain/openjpeg/issues/563 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1263359 NOTE: http://www.openwall.com/lists/oss-security/2015/09/15/4 CVE-2015-6930 RESERVED CVE-2015-6929 (Multiple cross-site scripting (XSS) vulnerabilities in Nokia Networks ...) NOT-FOR-US: Nokia CVE-2015-6928 (classes/admin.class.php in CubeCart 5.2.12 through 5.2.16 and 6.x befo ...) NOT-FOR-US: CubeCart CVE-2015-6926 (The OpenID Single Sign-On authentication functionality in OXID eShop b ...) NOT-FOR-US: OXID eShop CVE-2015-6925 (wolfSSL (formerly CyaSSL) before 3.6.8 allows remote attackers to caus ...) - wolfssl 3.9.10+dfsg-1 (bug #801120) CVE-2015-6924 RESERVED CVE-2015-6923 (The ndvbs module in VBox Communications Satellite Express Protocol 2.3 ...) NOT-FOR-US: VBox Communications Satellite Express Protocol CVE-2015-6922 (Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.33, 8.x bef ...) NOT-FOR-US: Kaseya Virtual System Administrator CVE-2015-6921 (Cross-site scripting (XSS) vulnerability in the Zendesk Feedback Tab m ...) NOT-FOR-US: Zendesk Feedback Tab for Drupal CVE-2015-6920 (Cross-site scripting (XSS) vulnerability in js/window.php in the sourc ...) NOT-FOR-US: sourceAFRICA plugin for WordPress CVE-2015-6919 (Cross-site scripting (XSS) vulnerability in the googleSearch (CSE) (co ...) NOT-FOR-US: googleSearch (CSE) component for Joomla! CVE-2015-6918 (salt before 2015.5.5 leaks git usernames and passwords to the log. ...) - salt 2015.8.1+ds-1 (bug #803182) [jessie] - salt (Minor issue) NOTE: https://github.com/saltstack/salt/commit/28aa9b105804ff433d8f663b2f9b804f2b75495a NOTE: Fix https://github.com/saltstack/salt/pull/26486 builds on NOTE: https://github.com/saltstack/salt/pull/26483 CVE-2015-6917 RESERVED CVE-2015-6916 RESERVED CVE-2015-6915 (SQL injection vulnerability in Montala Limited ResourceSpace 7.3.7009 ...) NOT-FOR-US: Montala Limited ResourceSpace CVE-2015-6914 (Absolute path traversal vulnerability in SiteFactory CMS 5.5.9 allows ...) NOT-FOR-US: SiteFactory CMS CVE-2015-6913 (Cross-site scripting (XSS) vulnerability in the "Create download task ...) NOT-FOR-US: Synology Download Station CVE-2015-6912 (Synology Video Station before 1.5-0763 allows remote attackers to exec ...) NOT-FOR-US: Synology Video Station CVE-2015-6911 (SQL injection vulnerability in Synology Video Station before 1.5-0763 ...) NOT-FOR-US: Synology Video Station CVE-2015-6910 (SQL injection vulnerability in Synology Video Station before 1.5-0757 ...) NOT-FOR-US: Synology Video Station CVE-2015-6909 (Cross-site scripting (XSS) vulnerability in the "Create download task ...) NOT-FOR-US: Synology Download Station CVE-2015-6907 REJECTED CVE-2015-6906 REJECTED CVE-2015-6905 REJECTED CVE-2015-6904 REJECTED CVE-2015-6903 REJECTED CVE-2015-6902 REJECTED CVE-2015-6901 REJECTED CVE-2015-6900 REJECTED CVE-2015-6899 REJECTED CVE-2015-6898 REJECTED CVE-2015-6897 REJECTED CVE-2015-6896 REJECTED CVE-2015-6895 REJECTED CVE-2015-6894 REJECTED CVE-2015-6893 REJECTED CVE-2015-6892 REJECTED CVE-2015-6891 REJECTED CVE-2015-6890 REJECTED CVE-2015-6889 REJECTED CVE-2015-6888 REJECTED CVE-2015-6887 REJECTED CVE-2015-6886 REJECTED CVE-2015-6885 REJECTED CVE-2015-6884 REJECTED CVE-2015-6883 REJECTED CVE-2015-6882 REJECTED CVE-2015-6881 REJECTED CVE-2015-6880 REJECTED CVE-2015-6879 REJECTED CVE-2015-6878 REJECTED CVE-2015-6877 REJECTED CVE-2015-6876 REJECTED CVE-2015-6875 REJECTED CVE-2015-6874 REJECTED CVE-2015-6873 REJECTED CVE-2015-6872 REJECTED CVE-2015-6871 REJECTED CVE-2015-6870 REJECTED CVE-2015-6869 REJECTED CVE-2015-6868 REJECTED CVE-2015-6867 (The vertica-udx-zygote process in HP Vertica 7.1.1 UDx does not requir ...) NOT-FOR-US: HP Vertica CVE-2015-6866 REJECTED CVE-2015-6865 REJECTED CVE-2015-6864 (HPE ArcSight Logger before 6.1P1 allows remote authenticated users to ...) NOT-FOR-US: HPE ArcSight Logger CVE-2015-6863 (HPE ArcSight Logger before 6.1P1 allows remote attackers to execute ar ...) NOT-FOR-US: HPE ArcSight Logger CVE-2015-6862 (HPE UCMDB Browser before 4.02 allows remote attackers to obtain sensit ...) NOT-FOR-US: HPE UCMDB Browser CVE-2015-6861 (HPE Helion Eucalyptus 3.4.0 through 4.2.0 allows remote authenticated ...) NOT-FOR-US: HPE Helion Eucalyptus CVE-2015-6860 (HPE Network Switches with software 15.16.x and 15.17.x allow local use ...) NOT-FOR-US: HPE Network Switches CVE-2015-6859 (HPE Network Switches with software 15.16.x and 15.17.x allow local use ...) NOT-FOR-US: HPE Network Switches CVE-2015-6858 (HP Insight Control server provisioning before 7.5.0 RabbitMQ allows re ...) NOT-FOR-US: HP Insight Control CVE-2015-6857 (Unspecified vulnerability in Virtual Table Server (VTS) in HP LoadRunn ...) NOT-FOR-US: HP Performance Center CVE-2015-6856 (Dell Pre-Boot Authentication Driver (PBADRV.sys) 1.0.1.5 allows local ...) NOT-FOR-US: Dell CVE-2015-6854 (The non-Domino web agents in CA Single Sign-On (aka SSO, formerly Site ...) NOT-FOR-US: CA Single Sign-On CVE-2015-6853 (The Domino web agent in CA Single Sign-On (aka SSO, formerly SiteMinde ...) NOT-FOR-US: CA Single Sign-On CVE-2015-6852 (Directory traversal vulnerability in the API in EMC Secure Remote Serv ...) NOT-FOR-US: EMC Secure Remote Services Virtual Edition CVE-2015-6851 (EMC RSA SecurID Web Agent before 8.0 allows physically proximate attac ...) NOT-FOR-US: RSA SecurID CVE-2015-6850 (EMC VPLEX GeoSynchrony 5.4 SP1 before P3 and 5.5 before Patch 1 has a ...) NOT-FOR-US: EMC VPLEX CVE-2015-6849 (EMC NetWorker before 8.0.4.5, 8.1.x before 8.1.3.6, 8.2.x before 8.2.2 ...) NOT-FOR-US: EMC CVE-2015-6848 (EMC Isilon OneFS 7.1.x before 7.1.1.5, 7.2.0.x before 7.2.0.3, and 7.2 ...) NOT-FOR-US: EMC CVE-2015-6847 (The default configuration of EMC VPLEX GeoSynchrony 5.4 SP1 before P3 ...) NOT-FOR-US: EMC VPLEX CVE-2015-6846 (EMC SourceOne Email Supervisor before 7.2 uses hardcoded encryption ke ...) NOT-FOR-US: EMC SourceOne CVE-2015-6845 (EMC SourceOne Email Supervisor before 7.2 does not properly employ ran ...) NOT-FOR-US: EMC SourceOne CVE-2015-6844 (Cross-site scripting (XSS) vulnerability in Reviewer in EMC SourceOne ...) NOT-FOR-US: EMC SourceOne CVE-2015-6843 (Reviewer in EMC SourceOne Email Supervisor before 7.2 does not properl ...) NOT-FOR-US: EMC SourceOne CVE-2015-6842 RESERVED CVE-2015-6841 RESERVED CVE-2015-6840 RESERVED CVE-2015-6937 (The __rds_conn_create function in net/rds/connection.c in the Linux ke ...) {DSA-3364-1 DLA-310-1} - linux 4.2.1-1 - linux-2.6 NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=74e98eb085889b0d2d4908f59f6e00026063014f (v4.3-rc1) CVE-2015-6908 (The ber_get_next function in libraries/liblber/io.c in OpenLDAP 2.4.42 ...) {DSA-3356-1 DLA-309-1} - openldap 2.4.42+dfsg-2 (bug #798622) NOTE: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=6fe51a9ab04fd28bbc171da3cf12f1c1040d6629 NOTE: http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8240;selectid=8240 NOTE: http://www.openwall.com/lists/oss-security/2015/09/11/2 CVE-2015-7312 (Multiple race conditions in the Advanced Union Filesystem (aufs) aufs3 ...) - linux 4.2.1-1 (bug #796036) [jessie] - linux 3.16.7-ckt11-1+deb8u4 [wheezy] - linux (Vulnerable code not present) - linux-2.6 (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2015/09/10/3 NOTE: http://sourceforge.net/p/aufs/mailman/message/34449209/ NOTE: For Linux kernel with aufs aufs3-mmap.patch or aufs4-mmap.patch mmap patch CVE-2014-9745 (The parse_encoding function in type1/t1load.c in FreeType before 2.5.3 ...) {DSA-3370-1 DLA-319-1} - freetype 2.6-1 (bug #798620) NOTE: https://launchpad.net/bugs/1492124 NOTE: http://www.ubuntu.com/usn/usn-2739-1/ NOTE: https://savannah.nongnu.org/bugs/?41590 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=df14e6c0b9592cbb24d5381dfc6106b14f915e75 (VER-2-5-3) NOTE: http://www.openwall.com/lists/oss-security/2015/09/11/4 CVE-2014-9746 (The (1) t1_parse_font_matrix function in type1/t1load.c, (2) cid_parse ...) {DSA-3370-1 DLA-319-1} - freetype 2.6-1 (bug #798619) NOTE: https://launchpad.net/bugs/1449225 NOTE: http://www.ubuntu.com/usn/usn-2739-1/ NOTE: https://savannah.nongnu.org/bugs/?41309 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=8b281f83e8516535756f92dbf90940ac44bd45e1 (VER-2-5-3) NOTE: http://www.openwall.com/lists/oss-security/2015/09/11/4 CVE-2014-9747 (The t42_parse_encoding function in type42/t42parse.c in FreeType befor ...) {DSA-3370-1 DLA-319-1} - freetype 2.6-1 (bug #798619) NOTE: https://launchpad.net/bugs/1449225 NOTE: http://www.ubuntu.com/usn/usn-2739-1/ NOTE: https://savannah.nongnu.org/bugs/?41309 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=8b281f83e8516535756f92dbf90940ac44bd45e1 (VER-2-5-3) NOTE: http://www.openwall.com/lists/oss-security/2015/09/11/4 CVE-2015-6855 (hw/ide/core.c in QEMU does not properly restrict the commands accepted ...) {DSA-3362-1 DSA-3361-1} - qemu 1:2.4+dfsg-2 - qemu-kvm [squeeze] - qemu (Not supported in Squeeze LTS) [squeeze] - qemu-kvm (Not supported in Squeeze LTS) NOTE: http://www.openwall.com/lists/oss-security/2015/09/10/1 NOTE: Fix commit: http://git.qemu.org/?p=qemu.git;a=commit;h=d9033e1d3aa666c5071580617a57bd853c5d794a NOTE: exec_cmd introduced in http://git.qemu.org/?p=qemu.git;a=commit;h=7cff87ff6ab117799e32e42c2e4dc4c0588e583a NOTE: cmd_table introduced in http://git.qemu.org/?p=qemu.git;a=commit;h=844505b12e722d9ba7060480e766351fc6313501 CVE-2015-6927 (vzctl before 4.9.4 determines the virtual environment (VE) layout base ...) {DSA-3357-1} - vzctl 4.9.4-1 [wheezy] - vzctl (Vulnerability not present) [squeeze] - vzctl (Vulnerability not present) NOTE: https://tracker.debian.org/news/711965 NOTE: https://src.openvz.org/projects/OVZL/repos/vzctl/commits/9e98ea630ac0e88b44e3e23c878a5166aeb74e1c NOTE: https://plus.google.com/+OpenVZorg/posts/gidyrouNi7D NOTE: https://wiki.openvz.org/Download/vzctl/4.9.4 CVE-2015-6839 (The parse function in MSA vot.Ar 3.1 does not check whether a candidat ...) NOT-FOR-US: MSA vot.Ar CVE-2015-6829 (Multiple SQL injection vulnerabilities in the getip function in wp-lim ...) NOT-FOR-US: getip function in wp-limit-login-attempts.php in the WP Limit Login Attempts plugin for WordPress CVE-2015-6828 (The tweet_info function in class/__functions.php in the SecureMoz Secu ...) NOT-FOR-US: SecureMoz plugin CVE-2015-6827 (Cross-site request forgery (CSRF) vulnerability in Auto-Exchanger 5.1. ...) NOT-FOR-US: Auto-Exchanger CVE-2015-6826 (The ff_rv34_decode_init_thread_copy function in libavcodec/rv34.c in F ...) {DLA-1611-1} - ffmpeg 7:2.7.2-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=3197c0aa87a3b7190e17d49e6fbc7b554e4b3f0a CVE-2015-6825 (The ff_frame_thread_init function in libavcodec/pthread_frame.c in FFm ...) {DLA-1611-1} - ffmpeg 7:2.7.2-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav [wheezy] - libav (Vulnerable code not present) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f1a38264f20382731cf2cc75fdd98f4c9a84a626 CVE-2015-6824 (The sws_init_context function in libswscale/utils.c in FFmpeg before 2 ...) {DLA-1611-2} - ffmpeg 7:2.7.2-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=a5d44d5c220e12ca0cb7a4eceb0f74759cb13111 CVE-2015-6823 (The allocate_buffers function in libavcodec/alac.c in FFmpeg before 2. ...) {DLA-1611-2} - ffmpeg 7:2.7.2-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f7068bf277a37479aecde2832208d820682b35e6 CVE-2015-6822 (The destroy_buffers function in libavcodec/sanm.c in FFmpeg before 2.7 ...) {DLA-1611-2 DLA-1611-1} - ffmpeg 7:2.7.2-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=39bbdebb1ed8eb9c9b0cd6db85afde6ba89d86e4 CVE-2015-6821 (The ff_mpv_common_init function in libavcodec/mpegvideo.c in FFmpeg be ...) {DLA-1611-1} - ffmpeg 7:2.7.2-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=b160fc290cf49b516c5b6ee0730fd9da7fc623b1 CVE-2015-6820 (The ff_sbr_apply function in libavcodec/aacsbr.c in FFmpeg before 2.7. ...) {DLA-1611-1} - ffmpeg 7:2.7.2-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=79a98294da6cd85f8c86b34764c5e0c43b09eea3 CVE-2015-6819 (Multiple integer underflows in the ff_mjpeg_decode_frame function in l ...) - ffmpeg 7:2.7.2-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav (Vulnerable code not present in any Libav version) CVE-2015-6818 (The decode_ihdr_chunk function in libavcodec/pngdec.c in FFmpeg before ...) {DLA-1611-1} - ffmpeg 7:2.7.2-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=47f4e2d8960ca756ca153ab8e3e93d80449b8c91 NOTE: For libav in jessie, the patch needs to go into the decode_frame() function in libavcodec/pngdec.c CVE-2015-6814 RESERVED CVE-2015-6813 RESERVED CVE-2015-6812 (Invision Power Services IPS Community Suite (aka Invision Power Board, ...) NOT-FOR-US: Invision Power Services IPS Community Suite CVE-2015-6811 (SQL injection vulnerability in the Sophos Cyberoam CR500iNG-XP firewal ...) NOT-FOR-US: Sophos Cyberoam CR500iNG-XP firewall appliance with CyberoamOS CVE-2015-6810 (Cross-site scripting (XSS) vulnerability in Invision Power Services IP ...) NOT-FOR-US: Invision Power Services IPS Community Suite CVE-2015-6809 (Multiple cross-site scripting (XSS) vulnerabilities in BEdita before 3 ...) NOT-FOR-US: BEdita CVE-2015-6808 (Cross-site scripting (XSS) vulnerability in the Spotlight module 7.x-1 ...) NOT-FOR-US: Spotlight module for Drupal CVE-2015-6807 (Cross-site scripting (XSS) vulnerability in the Mass Contact module 6. ...) NOT-FOR-US: Mass Contact module for Drupal CVE-2015-6805 (Cross-site scripting (XSS) vulnerability in the MDC Private Message pl ...) NOT-FOR-US: MDC Private Message plugin for WordPress CVE-2015-6830 (libraries/plugins/auth/AuthenticationCookie.class.php in phpMyAdmin 4. ...) {DSA-3382-1} - phpmyadmin 4:4.4.14.1-1 (low) [jessie] - phpmyadmin (Minor issue) [wheezy] - phpmyadmin (Vulnerable code not present) [squeeze] - phpmyadmin (Vulnerable code not present) CVE-2015-XXXX [hardening for RSA-CRT leak] - libgcrypt11 [wheezy] - libgcrypt11 (Minor issue; additional hardening) [squeeze] - libgcrypt11 (Minor issue; additional hardening) - libgcrypt20 1.6.4-3 [jessie] - libgcrypt20 (Minor issue; additional hardening) NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=b85c8d6645039fc9d403791750510e439731d479 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/09/08/5 NOTE: Thread on oss-security to clarify if this should be CVE-2015-5738 or a new CVE CVE-2015-6838 (The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP be ...) {DSA-3358-1 DLA-341-1} - php5 5.6.13+dfsg-1 - hhvm 3.12.1+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=69782 NOTE: http://www.openwall.com/lists/oss-security/2015/09/07/5 NOTE: Fixed in 5.5.45 and 5.6.13 NOTE: https://github.com/facebook/hhvm/commit/f358ec0e905df41feaa9dc75f4dee814cfe5a60a CVE-2015-6837 (The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP be ...) {DSA-3358-1 DLA-341-1} - php5 5.6.13+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=69782 NOTE: http://www.openwall.com/lists/oss-security/2015/09/07/5 NOTE: Fixed in 5.5.45 and 5.6.13 CVE-2015-6836 (The SoapClient __call method in ext/soap/soap.c in PHP before 5.4.45, ...) {DSA-3358-1 DLA-341-1} - php5 5.6.13+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=70388 NOTE: http://www.openwall.com/lists/oss-security/2015/09/07/5 NOTE: Fixed in 5.5.45 and 5.6.13 CVE-2015-6835 (The session deserializer in PHP before 5.4.45, 5.5.x before 5.5.29, an ...) {DSA-3358-1} - php5 5.6.13+dfsg-1 [squeeze] - php5 (Too intrusive to backport) NOTE: https://bugs.php.net/bug.php?id=70219 NOTE: http://www.openwall.com/lists/oss-security/2015/09/07/5 NOTE: Fixed in 5.5.45 and 5.6.13 CVE-2015-6834 (Multiple use-after-free vulnerabilities in PHP before 5.4.45, 5.5.x be ...) {DSA-3358-1 DLA-341-1} - php5 5.6.13+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=70172 NOTE: https://bugs.php.net/bug.php?id=70365 NOTE: https://bugs.php.net/bug.php?id=70366 NOTE: http://www.openwall.com/lists/oss-security/2015/09/07/5 NOTE: Fixed in 5.5.45 and 5.6.13 CVE-2015-7225 (Tinfoil Devise-two-factor before 2.0.0 does not strictly follow sectio ...) - ruby-devise-two-factor 2.0.0-1 (bug #798466) NOTE: http://www.openwall.com/lists/oss-security/2015/09/06/2 CVE-2015-8777 (The process_envvars function in elf/rtld.c in the GNU C Library (aka g ...) {DSA-3480-1 DLA-316-1} - glibc 2.21-1 (bug #798316; bug #801691) [jessie] - glibc 2.19-18+deb8u2 - eglibc [squeeze] - eglibc 2.11.3-4+deb6u7 NOTE: http://www.openwall.com/lists/oss-security/2015/09/05/8 NOTE: Upstream bug https://sourceware.org/bugzilla/show_bug.cgi?id=18928 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7 CVE-2015-6815 (The process_tx_desc function in hw/net/e1000.c in QEMU before 2.4.0.1 ...) {DSA-3362-1 DSA-3361-1} - qemu 1:2.4+dfsg-2 (bug #798101) [squeeze] - qemu (Not supported in Squeeze LTS) - qemu-kvm [squeeze] - qemu-kvm (Not supported in Squeeze LTS) NOTE: http://www.openwall.com/lists/oss-security/2015/09/04/4 NOTE: Upstream fix: https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg01199.html CVE-2015-6816 (ganglia-web before 3.7.1 allows remote attackers to bypass authenticat ...) - ganglia-web (unimportant; bug #798213) - ganglia 3.6.0-1 (unimportant) [squeeze] - ganglia (affected code not present) NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone, #702776 NOTE: starting with 3.6.0-1 the web front is no longer built from src:ganglia so marking this version as fixed NOTE: http://www.openwall.com/lists/oss-security/2015/09/04/2 NOTE: https://github.com/ganglia/ganglia-web/issues/267 CVE-2015-6817 (PgBouncer 1.6.x before 1.6.1, when configured with auth_user, allows r ...) - pgbouncer 1.6.1-1 [jessie] - pgbouncer (Introduced in 1.6) [wheezy] - pgbouncer (Introduced in 1.6) [squeeze] - pgbouncer (Introduced in 1.6) NOTE: http://web.archive.org/web/20150905195759/http://pgbouncer.github.io/2015/09/pgbouncer-1-6-1/ NOTE: https://github.com/pgbouncer/pgbouncer/issues/69 NOTE: http://www.openwall.com/lists/oss-security/2015/09/04/3 CVE-2015-XXXX [val_dane_check: usage DANE-TA(2) may bypass cert validation entirely] [experimental] - dnsval 2.1-1 - dnsval 2.0-2 (bug #797470) [jessie] - dnsval (Should possibly be removed in a stable-proposed-update from Jessie) NOTE: Removal in jessie would need as well update to irssi and kamailio NOTE: dnsval/2.0-2 only disables/let val_dane_check fail on usage 2 because not implemented correctly CVE-2015-XXXX [Memory corruption] - libvncserver 0.9.8-1 [squeeze] - libvncserver 0.9.7-2+deb6u2 NOTE: workaround entry for DLA-380-1 until/if CVE assigned NOTE: https://github.com/LibVNC/libvncserver/commit/804335f9d296440bb708ca844f5d89b58b50b0c6 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/09/03/8 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=706087#c1 notes that the fix breaks ABI CVE-2015-6938 (Cross-site scripting (XSS) vulnerability in the file browser in notebo ...) - ipython 2.4.1-1 (low; bug #798886) [jessie] - ipython (Minor issue) [wheezy] - ipython (Minor issue) [squeeze] - ipython (Vulnerable code not present) NOTE: Affected versions: 0.12 <= x <= 4.0 NOTE: http://www.openwall.com/lists/oss-security/2015/09/02/3 CVE-2015-6804 RESERVED CVE-2015-6803 RESERVED CVE-2015-6802 RESERVED CVE-2015-6801 RESERVED CVE-2015-6800 RESERVED CVE-2015-6799 RESERVED CVE-2015-6798 RESERVED CVE-2015-6797 RESERVED CVE-2015-6796 RESERVED CVE-2015-6795 RESERVED CVE-2015-6794 RESERVED CVE-2015-6793 RESERVED CVE-2015-6792 (The MIDI subsystem in Google Chrome before 47.0.2526.106 does not prop ...) {DSA-3456-1} - chromium-browser 47.0.2526.111-1 [wheezy] - chromium-browser [squeeze] - chromium-browser NOTE: http://googlechromereleases.blogspot.de/2015/12/stable-channel-update_15.html CVE-2015-6791 (Multiple unspecified vulnerabilities in Google Chrome before 47.0.2526 ...) {DSA-3418-1} - chromium-browser 47.0.2526.80-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6790 (The WebPageSerializerImpl::openTagToString function in WebKit/Source/w ...) {DSA-3418-1} - chromium-browser 47.0.2526.80-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6789 (Race condition in the MutationObserver implementation in Blink, as use ...) {DSA-3418-1} - chromium-browser 47.0.2526.80-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6788 (The ObjectBackedNativeHandler class in extensions/renderer/object_back ...) {DSA-3418-1} - chromium-browser 47.0.2526.80-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6787 (Multiple unspecified vulnerabilities in Google Chrome before 47.0.2526 ...) - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6786 (The CSPSourceList::matches function in WebKit/Source/core/frame/csp/CS ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6785 (The CSPSource::hostMatches function in WebKit/Source/core/frame/csp/CS ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6784 (The page serializer in Google Chrome before 47.0.2526.73 mishandles Ma ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6783 (The FindStartOffsetOfFileInZipFile function in crazy_linker_zip.cpp in ...) - chromium-browser (android only) CVE-2015-6782 (The Document::open function in WebKit/Source/core/dom/Document.cpp in ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6781 (Integer overflow in the FontData::Bound function in data/font_data.cc ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6780 (Use-after-free vulnerability in the Infobars implementation in Google ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6779 (PDFium, as used in Google Chrome before 47.0.2526.73, does not properl ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6778 (The CJBig2_SymbolDict class in fxcodec/jbig2/JBig2_SymbolDict.cpp in P ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6777 (Use-after-free vulnerability in the ContainerNode::notifyNodeInsertedI ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6776 (The opj_dwt_decode_1* functions in dwt.c in OpenJPEG, as used in PDFiu ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6775 (fpdfsdk/src/jsapi/fxjs_v8.cpp in PDFium, as used in Google Chrome befo ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6774 (Use-after-free vulnerability in the GetLoadTimes function in renderer/ ...) {DSA-3415-1} - libv8-3.14 (unimportant) NOTE: libv8 not covered by security support - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6773 (The convolution implementation in Skia, as used in Google Chrome befor ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6772 (The DOM implementation in Blink, as used in Google Chrome before 47.0. ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6771 (js/array.js in Google V8, as used in Google Chrome before 47.0.2526.73 ...) {DSA-3415-1} - libv8-3.14 (unimportant) NOTE: libv8 not covered by security support - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6770 (The DOM implementation in Google Chrome before 47.0.2526.73 allows rem ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6769 (The provisional-load commit implementation in WebKit/Source/bindings/c ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6768 (The DOM implementation in Google Chrome before 47.0.2526.73 allows rem ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6767 (Use-after-free vulnerability in content/browser/appcache/appcache_disp ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6766 (Use-after-free vulnerability in the AppCache implementation in Google ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6765 (Use-after-free vulnerability in content/browser/appcache/appcache_upda ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6764 (The BasicJsonStringifier::SerializeJSArray function in json-stringifie ...) {DSA-3415-1} - libv8-3.14 (unimportant) NOTE: libv8 not covered by security support - nodejs 4.2.3~dfsg-1 (bug #806385) [jessie] - nodejs (0.10 series not affected) NOTE: https://nodejs.org/en/blog/vulnerability/cve-2015-8027_cve-2015-6764/ - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6763 (Multiple unspecified vulnerabilities in Google Chrome before 46.0.2490 ...) {DSA-3376-1} - chromium-browser 46.0.2490.71-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6762 (The CSSFontFaceSrcValue::fetch function in core/css/CSSFontFaceSrcValu ...) {DSA-3376-1} - chromium-browser 46.0.2490.71-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6761 (The update_dimensions function in libavcodec/vp8.c in FFmpeg through 2 ...) {DSA-3376-1 DLA-1611-1} - ffmpeg 7:2.8.1-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav [wheezy] - libav (Vulnerable code not present) - chromium-browser 44.0.2403.157-1 [wheezy] - chromium-browser [squeeze] - chromium-browser NOTE: https://code.google.com/p/chromium/issues/detail?id=447860 NOTE: https://code.google.com/p/chromium/issues/detail?id=532967 NOTE: Starting with 44.0.2403.157-1 chromium uses the ffmpeg system copy NOTE: It looks like this relates to multithreaded decoding of VPx codecs, which is not implemented in the squeeze version. But I'm not sure as the second bug report is still private. NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=dabea74d0e82ea80cd344f630497cafcb3ef872c CVE-2015-6760 (The Image11::map function in renderer/d3d/d3d11/Image11.cpp in libANGL ...) {DSA-3376-1} - chromium-browser 46.0.2490.71-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6759 (The shouldTreatAsUniqueOrigin function in platform/weborigin/SecurityO ...) {DSA-3376-1} - chromium-browser 46.0.2490.71-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6758 (The CPDF_Document::GetPage function in fpdfapi/fpdf_parser/fpdf_parser ...) {DSA-3376-1} - chromium-browser 46.0.2490.71-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6757 (Use-after-free vulnerability in content/browser/service_worker/embedde ...) {DSA-3376-1} - chromium-browser 46.0.2490.71-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6756 (Use-after-free vulnerability in the CPDFSDK_PageView implementation in ...) {DSA-3376-1} - chromium-browser 46.0.2490.71-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6755 (The ContainerNode::parserInsertBefore function in core/dom/ContainerNo ...) {DSA-3376-1} - chromium-browser 46.0.2490.71-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6754 (Cross-site scripting (XSS) vulnerability in the administration interfa ...) NOT-FOR-US: Drupal Path Breadcrumbs module CVE-2015-6753 (Multiple cross-site scripting (XSS) vulnerabilities in the Quick Edit ...) NOT-FOR-US: Drupal Quick Edit module CVE-2015-6752 (Cross-site scripting (XSS) vulnerability in the Search API Autocomplet ...) NOT-FOR-US: Drupal Search API Autocomplete module CVE-2015-6751 (Multiple cross-site scripting (XSS) vulnerabilities in the Time Tracke ...) NOT-FOR-US: Drupal Time Tracker module CVE-2015-6750 (Buffer overflow in Ricoh DL FTP Server 1.1.0.6 and earlier allows remo ...) NOT-FOR-US: Ricoh DL FTP Server CVE-2015-6747 (Basware Banking (Maksuliikenne) 8.90.07.X does not properly prevent ac ...) NOT-FOR-US: Basware Banking CVE-2015-6746 (Basware Banking (Maksuliikenne) before 8.90.07.X stores private keys i ...) NOT-FOR-US: Basware Banking CVE-2015-6745 (Basware Banking (Maksuliikenne) 8.90.07.X relies on the client to enfo ...) NOT-FOR-US: Basware Banking CVE-2015-6744 (Basware Banking (Maksuliikenne) before 8.90.07.X relies on the client ...) NOT-FOR-US: Basware Banking CVE-2015-6743 (Basware Banking (Maksuliikenne) 8.90.07.X uses a hardcoded password fo ...) NOT-FOR-US: Basware Banking CVE-2015-6742 (Basware Banking (Maksuliikenne) before 8.90.07.X uses a hardcoded pass ...) NOT-FOR-US: Basware Banking CVE-2015-6723 (The ANTrustPropagateAll method in Adobe Reader and Acrobat 10.x before ...) NOT-FOR-US: Adobe CVE-2015-6806 (The MScrollV function in ansi.c in GNU screen 4.3.1 and earlier does n ...) {DSA-3352-1 DLA-305-1} - screen 4.3.1-2 (bug #797624) NOTE: https://savannah.gnu.org/bugs/?45713 NOTE: http://www.openwall.com/lists/oss-security/2015/09/01/1 CVE-2015-6749 (Buffer overflow in the aiff_open function in oggenc/audio.c in vorbis- ...) {DLA-1010-1 DLA-317-1} - vorbis-tools 1.4.0-7 (bug #797461) [jessie] - vorbis-tools 1.4.0-6+deb8u1 NOTE: http://www.openwall.com/lists/oss-security/2015/08/29/1 NOTE: https://trac.xiph.org/ticket/2212 CVE-2015-6741 RESERVED CVE-2015-6740 RESERVED CVE-2015-6739 RESERVED CVE-2015-6738 RESERVED CVE-2015-6748 (Cross-site scripting (XSS) vulnerability in jsoup before 1.8.3. ...) {DLA-2075-1} - jsoup 1.8.3-1 (bug #797275) [wheezy] - jsoup (Minor issue) NOTE: https://github.com/jhy/jsoup/pull/582 NOTE: https://hibernate.atlassian.net/browse/HV-1012 NOTE: https://issues.jboss.org/browse/WFLY-5223 NOTE: http://www.openwall.com/lists/oss-security/2015/08/28/3 CVE-2015-6726 RESERVED CVE-2015-6725 (The ANSendForSharedReview method in Adobe Reader and Acrobat 10.x befo ...) NOT-FOR-US: Adobe CVE-2015-6724 (The ANSendForApproval method in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe CVE-2015-5723 (Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before ...) {DSA-3369-1} - php-doctrine-annotations 1.2.7-1 (low) [jessie] - php-doctrine-annotations 1.2.1-1+deb8u1 - php-doctrine-cache 1.4.2-1 (low) [jessie] - php-doctrine-cache 1.3.1-1+deb8u1 [experimental] - php-doctrine-common 2.5.1-1 - php-doctrine-common 2.4.3-1 (low) [jessie] - php-doctrine-common 2.4.2-2+deb8u1 [experimental] - doctrine 2.5.1+dfsg-1 - doctrine 2.4.8-1 (low) [jessie] - doctrine 2.4.6-1+deb8u1 [wheezy] - doctrine (Minor issue) [squeeze] - doctrine (Minor issue) [experimental] - aws-sdk-for-php 3.2.1-1 - aws-sdk-for-php (Vulnerable code not present) - php-doctrine-bundle 1.5.2-1 (low) - zendframework 1.12.16+dfsg-1 (low) [squeeze] - zendframework (No unsafe permissions found in cache functions) NOTE: Review of zendframework 1.10.6 in Squeeze found no usage of default unsafe permission except in library/Zend/Search/Lucene/Storage/Directory/Filesystem.php but which is unlikely to cause a security issue. NOTE: http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html NOTE: https://github.com/aws/aws-sdk-php/releases/tag/3.2.1 NOTE: http://framework.zend.com/security/advisory/ZF2015-07 CVE-2015-6722 (The CBSharedReviewStatusDialog method in Adobe Reader and Acrobat 10.x ...) NOT-FOR-US: Adobe CVE-2015-6721 (The CBSharedReviewSecurityDialog method in Adobe Reader and Acrobat 10 ...) NOT-FOR-US: Adobe CVE-2015-6720 (The ANRunSharedReviewEmailStep method in Adobe Reader and Acrobat 10.x ...) NOT-FOR-US: Adobe CVE-2015-6719 (The CBSharedReviewCloseDialog method in Adobe Reader and Acrobat 10.x ...) NOT-FOR-US: Adobe CVE-2015-6718 (The CBSharedReviewIfOfflineDialog method in Adobe Reader and Acrobat 1 ...) NOT-FOR-US: Adobe CVE-2015-6717 (The DynamicAnnotStore method in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe CVE-2015-6716 (The ANSendForFormDistribution method in Adobe Reader and Acrobat 10.x ...) NOT-FOR-US: Adobe CVE-2015-6715 (The Function apply implementation in Adobe Reader and Acrobat 10.x bef ...) NOT-FOR-US: Adobe CVE-2015-6714 (The Function bind implementation in Adobe Reader and Acrobat 10.x befo ...) NOT-FOR-US: Adobe CVE-2015-6713 (The Function call implementation in Adobe Reader and Acrobat 10.x befo ...) NOT-FOR-US: Adobe CVE-2015-6712 (The ANSendApprovalToAuthorEnabled method in Adobe Reader and Acrobat 1 ...) NOT-FOR-US: Adobe CVE-2015-6711 (The DoIdentityDialog method in Adobe Reader and Acrobat 10.x before 10 ...) NOT-FOR-US: Adobe CVE-2015-6710 (The CBBBRInit method in Adobe Reader and Acrobat 10.x before 10.1.16 a ...) NOT-FOR-US: Adobe CVE-2015-6709 (The CBBBRInvite method in Adobe Reader and Acrobat 10.x before 10.1.16 ...) NOT-FOR-US: Adobe CVE-2015-6708 (The ANStartApproval method in Adobe Reader and Acrobat 10.x before 10. ...) NOT-FOR-US: Adobe CVE-2015-6707 (The ANSendForReview method in Adobe Reader and Acrobat 10.x before 10. ...) NOT-FOR-US: Adobe CVE-2015-6706 (Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, ...) NOT-FOR-US: Adobe CVE-2015-6705 (Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, ...) NOT-FOR-US: Adobe CVE-2015-6704 (The animations property implementation in Adobe Reader and Acrobat 10. ...) NOT-FOR-US: Adobe CVE-2015-6703 (The loadFlashMovie function in Adobe Reader and Acrobat 10.x before 10 ...) NOT-FOR-US: Adobe CVE-2015-6702 (The createSquareMesh function in Adobe Reader and Acrobat 10.x before ...) NOT-FOR-US: Adobe CVE-2015-6701 (The ambientIlluminationColor property implementation in Adobe Reader a ...) NOT-FOR-US: Adobe CVE-2015-6700 (The setBackground function in Adobe Reader and Acrobat 10.x before 10. ...) NOT-FOR-US: Adobe CVE-2015-6699 (The addForegroundSprite function in Adobe Reader and Acrobat 10.x befo ...) NOT-FOR-US: Adobe CVE-2015-6698 (Heap-based buffer overflow in the AcroForm implementation in Adobe Rea ...) NOT-FOR-US: Adobe CVE-2015-6697 (Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, ...) NOT-FOR-US: Adobe CVE-2015-6696 (Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10. ...) NOT-FOR-US: Adobe CVE-2015-6695 (Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, ...) NOT-FOR-US: Adobe CVE-2015-6694 (Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, ...) NOT-FOR-US: Adobe CVE-2015-6693 (The signatureSetSeedValue method in Adobe Reader and Acrobat 10.x befo ...) NOT-FOR-US: Adobe CVE-2015-6692 (Buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.16 and 11 ...) NOT-FOR-US: Adobe CVE-2015-6691 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe CVE-2015-6690 (Use-after-free vulnerability in the popUpMenuEx method in Adobe Reader ...) NOT-FOR-US: Adobe CVE-2015-6689 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe CVE-2015-6688 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe CVE-2015-6687 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe CVE-2015-6686 (Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, ...) NOT-FOR-US: Adobe CVE-2015-6685 (Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, ...) NOT-FOR-US: Adobe CVE-2015-6684 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe CVE-2015-6683 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe CVE-2015-6682 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.241 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-6681 (Adobe Shockwave Player before 12.2.0.162 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2015-6680 (Adobe Shockwave Player before 12.2.0.162 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2015-6679 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-6678 (Buffer overflow in Adobe Flash Player before 18.0.0.241 and 19.x befor ...) NOT-FOR-US: Adobe Flash Player CVE-2015-6677 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-6676 (Buffer overflow in Adobe Flash Player before 18.0.0.241 and 19.x befor ...) NOT-FOR-US: Adobe Flash Player CVE-2015-6675 (Siemens RUGGEDCOM ROS 3.8.0 through 4.1.x permanently enables the IP f ...) NOT-FOR-US: Siemens RUGGEDCOM ROS CVE-2015-6672 (Cross-site scripting (XSS) vulnerability in the Administrative Web Int ...) NOT-FOR-US: Citrix CVE-2015-6671 (Open edX edx-platform before 2015-08-25 requires use of the database f ...) NOT-FOR-US: Open edX CVE-2015-6670 (ownCloud Server before 7.0.8, 8.0.x before 8.0.6, and 8.1.x before 8.1 ...) {DSA-3373-1} - owncloud 7.0.8~dfsg-1 [experimental] - owncloud-calendar 0.7.3-1 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-015 NOTE: https://github.com/owncloud/calendar/commit/4e0306adb13b19919e90857eaf7681303cd45414 CVE-2015-6669 RESERVED CVE-2015-6668 (The Job Manager plugin before 0.7.25 allows remote attackers to read a ...) NOT-FOR-US: Wordpress plugin CVE-2015-6667 RESERVED CVE-2015-6664 (XML external entity (XXE) vulnerability in the application import func ...) NOT-FOR-US: SAP Mobile Platform CVE-2015-6663 (Cross-site scripting (XSS) vulnerability in the Client form in the Dev ...) NOT-FOR-US: SAP Afaria CVE-2015-6662 (XML external entity (XXE) vulnerability in SAP NetWeaver Portal 7.4 al ...) NOT-FOR-US: SAP NetWeaver Portal CVE-2015-6657 RESERVED CVE-2015-6656 RESERVED CVE-2014-9744 (Memory leak in PolarSSL before 1.3.9 allows remote attackers to cause ...) - polarssl 1.3.9-1 [wheezy] - polarssl (Affects only 1.3.x series) [squeeze] - polarssl (Affects only 1.3.x series) CVE-2015-6666 REJECTED CVE-2015-6655 (Cross-site request forgery (CSRF) vulnerability in Pligg CMS 2.0.2 all ...) NOT-FOR-US: Pligg CMS CVE-2015-6654 (The xenmem_add_to_physmap_one function in arch/arm/mm.c in Xen 4.5.x, ...) {DSA-3414-1} - xen 4.8.0~rc3-1 (bug #823620; bug #800128) [wheezy] - xen (Xen on arm not yet supported) [squeeze] - xen (Xen on arm not yet supported) NOTE: http://xenbits.xen.org/xsa/advisory-141.html CVE-2015-6653 REJECTED CVE-2015-6652 REJECTED CVE-2015-6651 REJECTED CVE-2015-6650 REJECTED CVE-2015-6649 REJECTED CVE-2015-6648 RESERVED CVE-2015-6647 (The Widevine QSEE TrustZone application in Android 5.x before 5.1.1 LM ...) NOT-FOR-US: Android CVE-2015-6646 (The System V IPC implementation in the kernel in Android before 6.0 20 ...) NOT-FOR-US: Android NOTE: https://source.android.com/security/bulletin/2016-01-01.html NOTE: This doesn't represent a specific kernel vulnerability. Android does not need and did not apply resource limits to System V IPC. CVE-2015-6645 (SyncManager in Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 a ...) NOT-FOR-US: Android CVE-2015-6644 (Bouncy Castle in Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 ...) {DSA-3829-1 DLA-893-1} - bouncycastle 1.54-1 NOTE: https://source.android.com/security/bulletin/2016-01-01.html#information_disclosure_vulnerability_in_bouncy_castle NOTE: https://android.googlesource.com/platform/external/bouncycastle/+/3e128c5fea3a0ca2d372aa09c4fd4bb0eadfbd3f NOTE: Fixed differently upstream https://github.com/bcgit/bc-java/issues/177#issuecomment-290671336 CVE-2015-6643 (Setup Wizard in Android 5.x before 5.1.1 LMY49F and 6.0 before 2016-01 ...) NOT-FOR-US: Android CVE-2015-6642 (The kernel in Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 al ...) NOT-FOR-US: Qualcomm driver for Android NOTE: https://www.codeaurora.org/projects/security-advisories/information-disclosure-vulnerability-kernel-ipc-router-module-cve-2015-6642 CVE-2015-6641 (Bluetooth in Android 6.0 before 2016-01-01 allows remote attackers to ...) NOT-FOR-US: Android CVE-2015-6640 (The prctl_set_vma_anon_name function in kernel/sys.c in Android before ...) NOT-FOR-US: Android kernel extension NOTE: https://android.googlesource.com/kernel%2Fcommon/+/69bfe2d957d903521d32324190c2754cb073be15 CVE-2015-6639 (The Widevine QSEE TrustZone application in Android 5.x before 5.1.1 LM ...) NOT-FOR-US: Android CVE-2015-6638 (The Imagination Technologies driver in Android 5.x before 5.1.1 LMY49F ...) NOT-FOR-US: Imagination driver for Android CVE-2015-6637 (The MediaTek misc-sd driver in Android before 5.1.1 LMY49F and 6.0 bef ...) NOT-FOR-US: MediaTek driver for Android CVE-2015-6636 (mediaserver in Android 5.x before 5.1.1 LMY49F and 6.0 before 2016-01- ...) NOT-FOR-US: Android Mediaserver CVE-2015-6635 RESERVED CVE-2015-6634 (The display drivers in Android before 5.1.1 LMY48Z allow remote attack ...) NOT-FOR-US: Android CVE-2015-6633 (The display drivers in Android before 5.1.1 LMY48Z and 6.0 before 2015 ...) NOT-FOR-US: Android CVE-2015-6632 (libstagefright in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-0 ...) NOT-FOR-US: libstagefright CVE-2015-6631 (libstagefright in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-0 ...) NOT-FOR-US: libstagefright CVE-2015-6630 (SystemUI in Android 5.x before 5.1.1 LMY48Z and 6.0 before 2015-12-01 ...) NOT-FOR-US: Android CVE-2015-6629 (Wi-Fi in Android 5.x before 5.1.1 LMY48Z allows attackers to obtain se ...) NOT-FOR-US: Android CVE-2015-6628 (Media Framework in Android before 5.1.1 LMY48Z and 6.0 before 2015-12- ...) NOT-FOR-US: Android CVE-2015-6627 (The Audio component in Android before 5.1.1 LMY48Z and 6.0 before 2015 ...) NOT-FOR-US: Android CVE-2015-6626 (libstagefright in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-0 ...) NOT-FOR-US: libstagefright CVE-2015-6625 (System Server in Android 6.0 before 2015-12-01 allows attackers to obt ...) NOT-FOR-US: Android CVE-2015-6624 (System Server in Android 6.0 before 2015-12-01 allows attackers to obt ...) NOT-FOR-US: Android CVE-2015-6623 (Wi-Fi in Android 6.0 before 2015-12-01 allows attackers to gain privil ...) NOT-FOR-US: Android CVE-2015-6622 (The Native Frameworks Library in Android before 5.1.1 LMY48Z and 6.0 b ...) NOT-FOR-US: Android CVE-2015-6621 (SystemUI in Android 5.x before 5.1.1 LMY48Z and 6.0 before 2015-12-01 ...) NOT-FOR-US: Android CVE-2015-6620 (libstagefright in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-0 ...) NOT-FOR-US: libstagefright CVE-2015-6619 (The kernel in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-01 al ...) - linux (Appears to be caused by a flawed backport of O_TMPFILE feature) NOTE: https://android.googlesource.com/device%2Fhtc%2Fflounder-kernel/+/25d3e5d71865a7c0324423fad87aaabb70e82ee4 CVE-2015-6618 (Bluetooth in Android 4.4 and 5.x before 5.1.1 LMY48Z allows user-assis ...) NOT-FOR-US: Android CVE-2015-6617 (Skia, as used in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-01 ...) - skia (bug #818180) CVE-2015-6616 (mediaserver in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-01 a ...) NOT-FOR-US: mediaserver in Android CVE-2015-6615 RESERVED CVE-2015-6614 (Telephony in Android 5.x before 5.1.1 LMY48X allows attackers to gain ...) NOT-FOR-US: Android CVE-2015-6613 (Bluetooth in Android before 5.1.1 LMY48X and 6.0 before 2015-11-01 all ...) NOT-FOR-US: Android CVE-2015-6612 (libmedia in Android before 5.1.1 LMY48X and 6.0 before 2015-11-01 allo ...) NOT-FOR-US: Android CVE-2015-6611 (mediaserver in Android before 5.1.1 LMY48X and 6.0 before 2015-11-01 a ...) NOT-FOR-US: mediaserver in Android CVE-2015-6610 (libstagefright in Android before 5.1.1 LMY48X and 6.0 before 2015-11-0 ...) NOT-FOR-US: libstagefright CVE-2015-6609 (libutils in Android before 5.1.1 LMY48X and 6.0 before 2015-11-01 allo ...) - android-platform-frameworks-native (unimportant; bug #806375) CVE-2015-6608 (mediaserver in Android 5.x before 5.1.1 LMY48X and 6.0 before 2015-11- ...) NOT-FOR-US: mediaserver in Android CVE-2015-6607 (SQLite before 3.8.9, as used in Android before 5.1.1 LMY48T, allows at ...) NOT-FOR-US: Android NOTE: The change simply rebased sqlite to 3.8.9, which seems to have happened NOTE: for CVE-2015-3414, CVE-2015-3415 and CVE-2015-3416, but no new sqlite issue CVE-2015-6606 (The Secure Element Evaluation Kit (aka SEEK or SmartCard API) plugin i ...) NOT-FOR-US: Android CVE-2015-6605 (mediaserver in Android before 5.1.1 LMY48T allows attackers to cause a ...) NOT-FOR-US: mediaserver in Android CVE-2015-6604 (libstagefright in Android before 5.1.1 LMY48T allows remote attackers ...) NOT-FOR-US: libstagefright in Android CVE-2015-6603 (libstagefright in Android before 5.1.1 LMY48T allows remote attackers ...) NOT-FOR-US: libstagefright in Android CVE-2015-6602 (libutils in Android through 5.1.1 LMY48M allows remote attackers to ex ...) - android-platform-frameworks-native (unimportant; bug #806375) CVE-2015-6601 (libstagefright in Android before 5.1.1 LMY48T allows remote attackers ...) NOT-FOR-US: libstagefright in Android CVE-2015-6600 (libstagefright in Android before 5.1.1 LMY48T allows remote attackers ...) NOT-FOR-US: libstagefright in Android CVE-2015-6599 (libstagefright in Android before 5.1.1 LMY48T allows remote attackers ...) NOT-FOR-US: libstagefright in Android CVE-2015-6598 (libstagefright in Android before 5.1.1 LMY48T allows remote attackers ...) NOT-FOR-US: libstagefright in Android CVE-2015-6597 RESERVED CVE-2015-6596 (mediaserver in Android before 5.1.1 LMY48T allows attackers to gain pr ...) NOT-FOR-US: mediaserver in Android CVE-2015-6595 RESERVED CVE-2015-6594 RESERVED CVE-2015-6592 (Huawei UAP2105 before V300R012C00SPC160(BootRom) does not require auth ...) NOT-FOR-US: Huawei CVE-2015-6591 (Directory traversal vulnerability in application/templates/amelia/load ...) NOT-FOR-US: Free Reprintables ArticleFR CVE-2015-6590 RESERVED CVE-2015-6589 (Directory traversal vulnerability in Kaseya Virtual System Administrat ...) NOT-FOR-US: Kaseya Virtual System Administrator CVE-2015-6588 (Cross-site scripting (XSS) vulnerability in login-fsp.html in MODX Rev ...) NOT-FOR-US: MODX Revolution CVE-2015-6587 (The vlserver in OpenAFS before 1.6.13 allows remote authenticated user ...) {DSA-3320-1 DLA-342-1} - openafs 1.6.13-1 NOTE: http://www.openafs.org/pages/security/OPENAFS-SA-2015-006.txt CVE-2015-6586 (The mDNS module in Huawei WLAN AC6005, AC6605, and ACU2 devices with s ...) NOT-FOR-US: Huawei CVE-2015-6585 (hwpapp.dll in Hangul Word Processor allows remote attackers to execute ...) NOT-FOR-US: Hangul Word Processor CVE-2015-6584 (Cross-site scripting (XSS) vulnerability in the DataTables plugin 1.10 ...) - datatables.js 1.10.9+dfsg-1 NOTE: http://www.securityfocus.com/archive/1/archive/1/536437/100/0/threaded NOTE: https://www.netsparker.com/cve-2015-6384-xss-vulnerability-identified-in-datatables/ NOTE: https://github.com/DataTables/DataTables/issues/602 NOTE: https://github.com/DataTables/DataTablesSrc/commit/ccf86dc5982bd8e16d NOTE: https://nodesecurity.io/advisories/5 CVE-2015-6583 (Google Chrome before 45.0.2454.85 does not display a location bar for ...) - chromium-browser 45.0.2454.85-1 [jessie] - chromium-browser 45.0.2454.85-1~deb8u1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6582 (The decompose function in platform/transforms/TransformationMatrix.cpp ...) - chromium-browser 45.0.2454.85-1 [jessie] - chromium-browser 45.0.2454.85-1~deb8u1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6581 (Double free vulnerability in the opj_j2k_copy_default_tcp_and_create_t ...) {DSA-3665-1} - openjpeg (Vulnerable code not present, function opj_j2k_copy_default_tcp_and_create_tcd) - openjpeg2 2.1.1-1 (bug #800453) NOTE: Openjpeg2 fix: https://github.com/uclouvain/openjpeg/commit/0fa5a17c98c4b8f9ee2286f4f0a50cf52a5fccb0 - chromium-browser 45.0.2454.85-1 [jessie] - chromium-browser 45.0.2454.85-1~deb8u1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6580 (Multiple unspecified vulnerabilities in Google V8 before 4.5.103.29, a ...) - chromium-browser 45.0.2454.85-1 [jessie] - chromium-browser 45.0.2454.85-1~deb8u1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6579 RESERVED CVE-2015-6578 RESERVED CVE-2015-6577 RESERVED CVE-2015-6576 (Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers ...) NOT-FOR-US: Atlassian Bamboo CVE-2015-6575 (SampleTable.cpp in libstagefright in Android before 5.1.1 LMY48I does ...) NOT-FOR-US: libstagefright in Android CVE-2015-6574 (The SNAP Lite component in certain SISCO MMS-EASE and AX-S4 ICCP produ ...) NOT-FOR-US: SISCO MMS-EASE CVE-2015-6573 RESERVED CVE-2015-6572 RESERVED CVE-2015-6571 RESERVED CVE-2015-6570 RESERVED CVE-2015-6569 (Race condition in the LoadBalancer module in the Atlassian Floodlight ...) NOT-FOR-US: Atlassian CVE-2015-6568 (Wolf CMS before 0.8.3.1 allows unrestricted file rename and PHP Code E ...) NOT-FOR-US: Wolf CMS CVE-2015-6567 (Wolf CMS before 0.8.3.1 allows unrestricted file upload and PHP Code E ...) NOT-FOR-US: Wolf CMS CVE-2015-6566 (zarafa-autorespond in Zarafa Collaboration Platform (ZCP) before 7.2.1 ...) - zarafa (bug #658433) CVE-2015-6562 RESERVED CVE-2015-6561 RESERVED CVE-2015-6560 RESERVED CVE-2015-6559 RESERVED CVE-2015-6558 RESERVED CVE-2015-6557 (IBM Tivoli Storage Manager for Databases: Data Protection for Microsof ...) NOT-FOR-US: IBM CVE-2015-6556 (EACommunicatorSrv.exe in the Framework Service in the client in Symant ...) NOT-FOR-US: Symantec CVE-2015-6555 (Symantec Endpoint Protection Manager (SEPM) 12.1 before 12.1-RU6-MP3 a ...) NOT-FOR-US: Symantec CVE-2015-6554 (Symantec Endpoint Protection Manager (SEPM) 12.1 before 12.1-RU6-MP3 a ...) NOT-FOR-US: Symantec CVE-2015-6553 REJECTED CVE-2015-6552 (The management-services protocol implementation in Veritas NetBackup 7 ...) NOT-FOR-US: Veritas NetBackup CVE-2015-6551 (Veritas NetBackup 7.x through 7.5.0.7 and 7.6.0.x through 7.6.0.4 and ...) NOT-FOR-US: Veritas NetBackup CVE-2015-6550 (bpcd in Veritas NetBackup 7.x through 7.5.0.7, 7.6.0.x through 7.6.0.4 ...) NOT-FOR-US: Veritas NetBackup CVE-2015-6549 (Cross-site scripting (XSS) vulnerability in an application console in ...) NOT-FOR-US: Symantec NetBackup OpsCenter CVE-2015-6548 (Multiple SQL injection vulnerabilities in a PHP script in the manageme ...) NOT-FOR-US: Symantec Web Gateway CVE-2015-6547 (The management console on Symantec Web Gateway (SWG) appliances with s ...) NOT-FOR-US: Semantec Web Gateway CVE-2015-6546 (The vCMP host in F5 BIG-IP Analytics, APM, ASM, GTM, Link Controller, ...) NOT-FOR-US: F5 BIG-IP CVE-2015-6545 (Cross-site request forgery (CSRF) vulnerability in ajax.php in Cerb be ...) NOT-FOR-US: Cerb CVE-2015-6544 (Cross-site scripting (XSS) vulnerability in application/dashboard.clas ...) NOT-FOR-US: Combodo CVE-2015-6543 RESERVED CVE-2015-6542 REJECTED CVE-2015-6541 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Mail ...) NOT-FOR-US: Zimbra CVE-2015-6540 (Cross-site scripting (XSS) vulnerability in Intellect Design Arena Int ...) NOT-FOR-US: Intellect Design Arena Intellect Core banking CVE-2015-6539 RESERVED CVE-2015-6538 (The login page in Epiphany Cardio Server 3.3, 4.0, and 4.1 mishandles ...) NOT-FOR-US: Epiphany Cardio Server CVE-2015-6537 (SQL injection vulnerability in the login page in Epiphany Cardio Serve ...) NOT-FOR-US: Epiphany Cardio Server CVE-2015-6536 RESERVED CVE-2015-6535 (Cross-site scripting (XSS) vulnerability in includes/options-profiles. ...) NOT-FOR-US: YouTube Embed plugin for WordPress CVE-2015-6534 RESERVED CVE-2015-6533 RESERVED CVE-2015-6532 RESERVED CVE-2015-6531 (Palo Alto Networks Panorama VM Appliance with PAN-OS before 6.0.1 migh ...) NOT-FOR-US: Palo Alto Networks Panorama VM Appliance CVE-2015-6530 (Cross-site scripting (XSS) vulnerability in OpenText Secure MFT 2013 b ...) NOT-FOR-US: OpenText Secure MFT 2013 CVE-2015-6529 (Multiple cross-site scripting (XSS) vulnerabilities in phpipam 1.1.010 ...) - phpipam (bug #731713) CVE-2015-6528 (Multiple cross-site scripting (XSS) vulnerabilities in install_classic ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2015-6525 (Multiple integer overflows in the evbuffer API in Libevent 2.0.x befor ...) {DSA-3119-1} - libevent 2.0.21-stable-2 [squeeze] - libevent (Only for issues in 2.0.x and 2.1.x) NOTE: Split from CVE-2014-6272 CVE-2015-6524 (The LDAPLoginModule implementation in the Java Authentication and Auth ...) - activemq 5.6.0+dfsg1-4 (low) [wheezy] - activemq 5.6.0+dfsg-1+deb7u1 NOTE: http://activemq.apache.org/security-advisories.data/CVE-2014-3612-announcement.txt CVE-2015-6523 (Cross-site request forgery (CSRF) vulnerability in the Portfolio plugi ...) NOT-FOR-US: Portfolio plugin for WordPress CVE-2015-6522 (SQL injection vulnerability in the WP Symposium plugin before 15.8 for ...) NOT-FOR-US: WP Symposium plugin for WordPress CVE-2015-6661 (Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to ...) {DSA-3346-1} - drupal7 7.39-1 - drupal6 [squeeze] - drupal6 NOTE: https://www.drupal.org/SA-CORE-2015-003 NOTE: http://www.openwall.com/lists/oss-security/2015/08/21/5 CVE-2015-6660 (The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not pr ...) {DSA-3346-1} - drupal7 7.39-1 - drupal6 [squeeze] - drupal6 NOTE: https://www.drupal.org/SA-CORE-2015-003 NOTE: http://www.openwall.com/lists/oss-security/2015/08/21/5 CVE-2015-6659 (SQL injection vulnerability in the SQL comment filtering system in the ...) {DSA-3346-1} - drupal7 7.39-1 NOTE: https://www.drupal.org/SA-CORE-2015-003 NOTE: http://www.openwall.com/lists/oss-security/2015/08/21/5 CVE-2015-6658 (Cross-site scripting (XSS) vulnerability in the Autocomplete system in ...) {DSA-3346-1} - drupal7 7.39-1 - drupal6 [squeeze] - drupal6 NOTE: https://www.drupal.org/SA-CORE-2015-003 NOTE: http://www.openwall.com/lists/oss-security/2015/08/21/5 CVE-2015-6665 (Cross-site scripting (XSS) vulnerability in the Ajax handler in Drupal ...) {DSA-3346-1} - drupal7 7.39-1 NOTE: https://www.drupal.org/SA-CORE-2015-003 NOTE: http://www.openwall.com/lists/oss-security/2015/08/21/5 CVE-2015-6673 (Use-after-free vulnerability in Decoder.cpp in libpgf before 6.15.32. ...) {DLA-2035-1} - libpgf 6.14.12-3.2 (bug #798032) NOTE: http://www.openwall.com/lists/oss-security/2015/08/19/14 NOTE: Details on the CVE assignment: http://www.openwall.com/lists/oss-security/2015/08/25/9 NOTE: https://sourceforge.net/p/libpgf/code/147/ NOTE: https://sourceforge.net/p/libpgf/code/148/ CVE-2015-6527 (The php_str_replace_in_subject function in ext/standard/string.c in PH ...) - php5 (Specific to PHP 7) NOTE: http://git.php.net/?p=php-src.git;a=commit;h=6aeee47b2cd47915ccfa3b41433a3f57aea24dd5 NOTE: https://bugs.php.net/bug.php?id=70140 CVE-2015-6521 (Multiple cross-site scripting (XSS) vulnerabilities in ATutor LMS vers ...) NOT-FOR-US: ATutor CVE-2015-6519 (SQL injection vulnerability in Arab Portal 3 allows remote attackers t ...) NOT-FOR-US: Arab Portal 3 CVE-2015-6518 (Multiple cross-site scripting (XSS) vulnerabilities in phpLiteAdmin 1. ...) - phpliteadmin (Fixed before initial upload) CVE-2015-6517 (Cross-site request forgery (CSRF) vulnerability in phpLiteAdmin 1.1 al ...) - phpliteadmin (Fixed before initial upload) CVE-2015-6516 (SQL injection vulnerability in cygnux.org sysPass 1.0.9 and earlier al ...) NOT-FOR-US: cygnux.org sysPass CVE-2015-6515 (Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enter ...) NOT-FOR-US: Splunk CVE-2015-6514 (Cross-site scripting (XSS) vulnerability in the Dashboard in Splunk En ...) NOT-FOR-US: Splunk Enterprise CVE-2015-6513 (Multiple SQL injection vulnerabilities in the J2Store (com_j2store) ex ...) NOT-FOR-US: Joomla extension com_j2store CVE-2015-6512 (SQL injection vulnerability in the get_messages function in server/plu ...) NOT-FOR-US: FreiChat CVE-2015-6511 (Cross-site scripting (XSS) vulnerability in pfSense before 2.2.3 allow ...) NOT-FOR-US: pfSense CVE-2015-6510 (Multiple cross-site scripting (XSS) vulnerabilities in pfSense before ...) NOT-FOR-US: pfSense CVE-2015-6509 (Multiple cross-site scripting (XSS) vulnerabilities in pfSense before ...) NOT-FOR-US: pfSense CVE-2015-6508 (Cross-site scripting (XSS) vulnerability in pfSense before 2.2.3 allow ...) NOT-FOR-US: pfSense CVE-2015-6507 (The hdbsql client 1.00.091.00 Build 1418659308-1530 in SAP HANA allows ...) NOT-FOR-US: SAP CVE-2015-6833 (Directory traversal vulnerability in the PharData class in PHP before ...) {DSA-3344-1 DLA-341-1} - php5 5.6.12+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=70019 NOTE: http://www.openwall.com/lists/oss-security/2015/08/19/3 NOTE: Fixed upstream in 5.4.44 and 5.6.12 CVE-2015-6831 (Multiple use-after-free vulnerabilities in SPL in PHP before 5.4.44, 5 ...) {DSA-3344-1 DLA-341-1} - php5 5.6.12+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=70169 NOTE: https://bugs.php.net/bug.php?id=70168 NOTE: https://bugs.php.net/bug.php?id=70166 NOTE: https://bugs.php.net/bug.php?id=70155 NOTE: http://www.openwall.com/lists/oss-security/2015/08/19/3 NOTE: Fixed upstream in 5.4.44 and 5.6.12 CVE-2015-6832 (Use-after-free vulnerability in the SPL unserialize implementation in ...) {DSA-3344-1 DLA-341-1} - php5 5.6.12+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=70068 NOTE: http://www.openwall.com/lists/oss-security/2015/08/19/3 NOTE: Fixed upstream in 5.4.44 and 5.6.12 CVE-2015-6505 RESERVED CVE-2015-6504 RESERVED CVE-2015-6503 RESERVED CVE-2015-6502 (Cross-site scripting (XSS) vulnerability in the console in Puppet Ente ...) NOT-FOR-US: Puppet Enterprise CVE-2015-6501 (Open redirect vulnerability in the Console in Puppet Enterprise before ...) - puppet (Limited to Puppet Enterprise) CVE-2015-6500 (Directory traversal vulnerability in ownCloud Server before 8.0.6 and ...) {DSA-3373-1} - owncloud 7.0.10~dfsg-2 (bug #800126) NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-014 NOTE: https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-048.txt NOTE: https://github.com/owncloud/core/commit/9f8c0a3a8d14f1c127b2034faa14d8d309f962e9 CVE-2015-6499 RESERVED CVE-2015-6498 (Alcatel-Lucent Home Device Manager before 4.1.10, 4.2.x before 4.2.2 a ...) NOT-FOR-US: Alcatel-Lucent Home Device Manager CVE-2015-6497 (The create function in app/code/core/Mage/Catalog/Model/Product/Api/V2 ...) NOT-FOR-US: Magento CVE-2015-6495 (There is Sensitive Information in Cloudera Manager before 5.4.6 Diagno ...) NOT-FOR-US: Cloudera CVE-2015-6494 (Cross-site scripting (XSS) vulnerability in Infinite Automation Mango ...) NOT-FOR-US: Infinite Automation Mango Automation CVE-2015-6493 (Cross-site request forgery (CSRF) vulnerability in Infinite Automation ...) NOT-FOR-US: Infinite Automation Mango Automation CVE-2015-6492 (Allen-Bradley MicroLogix 1100 devices before B FRN 15.000 and 1400 dev ...) NOT-FOR-US: Allen-Bradley MicroLogix CVE-2015-6491 (Allen-Bradley MicroLogix 1100 devices before B FRN 15.000 and 1400 dev ...) NOT-FOR-US: Allen-Bradley MicroLogix CVE-2015-6490 (Stack-based buffer overflow on Allen-Bradley MicroLogix 1100 devices b ...) NOT-FOR-US: Allen-Bradley MicroLogix CVE-2015-6489 RESERVED CVE-2015-6488 (Cross-site scripting (XSS) vulnerability in the web server on Allen-Br ...) NOT-FOR-US: Allen-Bradley MicroLogix CVE-2015-6487 REJECTED CVE-2015-6486 (SQL injection vulnerability on Allen-Bradley MicroLogix 1100 devices b ...) NOT-FOR-US: Allen-Bradley MicroLogix CVE-2015-6485 (Schneider Electric Telvent Sage 2300 RTUs with firmware before C3413-5 ...) NOT-FOR-US: Schneider CVE-2015-6484 (3S-Smart CODESYS Gateway Server before 2.3.9.48 allows remote attacker ...) NOT-FOR-US: 3S-Smart CODESYS CVE-2015-6483 RESERVED CVE-2015-6482 (Runtime Toolkit before 2.4.7.48 in 3S-Smart CODESYS before 2.3.9.48 al ...) NOT-FOR-US: 3S-Smart CODESYS CVE-2015-6481 (The login function in the RequestController class in Moxa OnCell Centr ...) NOT-FOR-US: Moxa CVE-2015-6480 (The MessageBrokerServlet servlet in Moxa OnCell Central Manager before ...) NOT-FOR-US: Moxa CVE-2015-6479 (ACEmanager in Sierra Wireless ALEOS 4.4.2 and earlier on ES440, ES450, ...) NOT-FOR-US: Sierra Wireless ALEOS CVE-2015-6478 (Unitronics VisiLogic OPLC IDE before 9.8.02 does not properly restrict ...) NOT-FOR-US: Unitronics VisiLogic OPLC IDE CVE-2015-6477 (Multiple cross-site scripting (XSS) vulnerabilities in the Wind Farm P ...) NOT-FOR-US: Nordex Control CVE-2015-6476 (Advantech EKI-122x-BE devices with firmware before 1.65, EKI-132x devi ...) NOT-FOR-US: Advantech EKI-122x-BE devices CVE-2015-6475 (Multiple cross-site scripting (XSS) vulnerabilities in IBC Solar Serve ...) NOT-FOR-US: ServeMaster CVE-2015-6474 (IBC Solar ServeMaster TLP+ and Danfoss TLX Pro+ allow remote attackers ...) NOT-FOR-US: ServeMaster CVE-2015-6473 (WAGO IO 750-849 01.01.27 and WAGO IO 750-881 01.02.05 do not contain p ...) NOT-FOR-US: WAGO IO CVE-2015-6472 (WAGO IO 750-849 01.01.27 and 01.02.05, WAGO IO 750-881, and WAGO IO 75 ...) NOT-FOR-US: WAGO IO CVE-2015-6471 (Eaton Cooper Power Systems ProView 4.x and 5.x before 5.1 on Form 6 co ...) NOT-FOR-US: Eaton Cooper Power Systems ProView CVE-2015-6470 (Resource Data Management Data Manager before 2.2 allows remote authent ...) NOT-FOR-US: Resource Data Manager CVE-2015-6469 (The interpreter in IBC Solar ServeMaster TLP+ and Danfoss TLX Pro+ all ...) NOT-FOR-US: ServerMaster CVE-2015-6468 (Cross-site request forgery (CSRF) vulnerability in Resource Data Manag ...) NOT-FOR-US: Resource Data Manager CVE-2015-6467 (Advantech WebAccess before 8.1 allows remote attackers to execute arbi ...) NOT-FOR-US: Advantech CVE-2015-6466 (Cross-site scripting (XSS) vulnerability in the Diagnosis Ping feature ...) NOT-FOR-US: Moxa switches CVE-2015-6465 (The GoAhead web server on Moxa EDS-405A and EDS-408A switches with fir ...) NOT-FOR-US: Moxa switches CVE-2015-6464 (The administrative web interface on Moxa EDS-405A and EDS-408A switche ...) NOT-FOR-US: Moxa switches CVE-2015-6463 (CodeWrights HART Comm DTM components, as used with Endress+Hauser Fiel ...) NOT-FOR-US: CodeWrights HART Comm DTM components CVE-2015-6462 (Reflected Cross-Site Scripting (nonpersistent) allows an attacker to c ...) NOT-FOR-US: Schneider CVE-2015-6461 (Remote file inclusion allows an attacker to craft a specific URL refer ...) NOT-FOR-US: Schneider CVE-2015-6460 (Multiple heap-based buffer overflows in 3S-Smart CODESYS Gateway Serve ...) NOT-FOR-US: CODESYS Gateway Server CVE-2015-6459 (Absolute path traversal vulnerability in the download feature in FileD ...) NOT-FOR-US: FileDownloadServlet CVE-2015-6458 (Moxa SoftCMS 1.3 and prior is susceptible to a buffer overflow conditi ...) NOT-FOR-US: Moxa CVE-2015-6457 (Moxa SoftCMS 1.3 and prior is susceptible to a buffer overflow conditi ...) NOT-FOR-US: Moxa CVE-2015-6456 (GE Digital Energy MDS PulseNET and MDS PulseNET Enterprise before 3.1. ...) NOT-FOR-US: PulseNET CVE-2015-6455 REJECTED CVE-2015-6454 (Everest PeakHMI before 8.7.0.2, when the video server is used, allows ...) NOT-FOR-US: PeakHMI CVE-2015-6453 REJECTED CVE-2015-6452 REJECTED CVE-2015-6451 REJECTED CVE-2015-6450 REJECTED CVE-2015-6449 REJECTED CVE-2015-6448 REJECTED CVE-2015-6447 REJECTED CVE-2015-6446 REJECTED CVE-2015-6445 REJECTED CVE-2015-6444 REJECTED CVE-2015-6443 REJECTED CVE-2015-6442 REJECTED CVE-2015-6441 REJECTED CVE-2015-6440 REJECTED CVE-2015-6439 REJECTED CVE-2015-6438 REJECTED CVE-2015-6437 REJECTED CVE-2015-6436 REJECTED CVE-2015-6435 (An unspecified CGI script in Cisco FX-OS before 1.1.2 on Firepower 900 ...) NOT-FOR-US: Cisco CVE-2015-6434 (Cisco Prime Infrastructure does not properly restrict use of IFRAME el ...) NOT-FOR-US: Cisco CVE-2015-6433 (SQL injection vulnerability in Cisco Unified Communications Manager 11 ...) NOT-FOR-US: Cisco CVE-2015-6432 (Cisco IOS XR 4.2.0, 4.3.0, 5.0.0, 5.1.0, 5.2.0, 5.2.2, 5.2.4, 5.3.0, a ...) NOT-FOR-US: Cisco CVE-2015-6431 (Cisco IOS XE 16.1.1 allows remote attackers to cause a denial of servi ...) NOT-FOR-US: Cisco CVE-2015-6430 RESERVED CVE-2015-6429 (The IKEv1 state machine in Cisco IOS 15.4 through 15.6 and IOS XE 3.15 ...) NOT-FOR-US: Cisco CVE-2015-6428 (Cisco DPQ3925 devices with EDVA r1 Base allow remote attackers to obta ...) NOT-FOR-US: Cisco CVE-2015-6427 (Cisco FireSIGHT Management Center allows remote attackers to bypass th ...) NOT-FOR-US: Cisco CVE-2015-6426 (Cisco Prime Network Services Controller 3.0 allows local users to bypa ...) NOT-FOR-US: Cisco CVE-2015-6425 (The WebApplications Identity Management subsystem in Cisco Unified Com ...) NOT-FOR-US: Cisco CVE-2015-6424 (The boot manager in Cisco Application Policy Infrastructure Controller ...) NOT-FOR-US: Cisco CVE-2015-6423 (The DCERPC Inspection implementation in Cisco Adaptive Security Applia ...) NOT-FOR-US: Cisco CVE-2015-6422 (The self-service application in Cisco Unified Communications Domain Ma ...) NOT-FOR-US: Cisco CVE-2015-6421 (cifs-ao in the CIFS optimization functionality on Cisco Wide Area Appl ...) NOT-FOR-US: Cisco CVE-2015-6420 (Serialized-object interfaces in certain Cisco Collaboration and Social ...) NOT-FOR-US: Cisco CVE-2015-6419 (Cisco FireSIGHT Management Center with software 4.10.3, 5.2.0, 5.3.0, ...) NOT-FOR-US: Cisco CVE-2015-6418 (The random-number generator on Cisco Small Business RV routers 4.x and ...) NOT-FOR-US: Cisco CVE-2015-6417 (Cisco Videoscape Distribution Suite Service Manager (VDS-SM) 3.4.0 and ...) NOT-FOR-US: Cisco CVE-2015-6416 (Cross-site scripting (XSS) vulnerability in Cisco Unified Email Intera ...) NOT-FOR-US: Cisco CVE-2015-6415 (Cisco Unified Computing System (UCS) 2.2(3f)A on Fabric Interconnect 6 ...) NOT-FOR-US: Cisco CVE-2015-6414 (Cisco TelePresence Video Communication Server (VCS) X8.6 uses the same ...) NOT-FOR-US: Cisco CVE-2015-6413 (Cisco TelePresence Video Communication Server (VCS) Expressway X8.6 al ...) NOT-FOR-US: Cisco CVE-2015-6412 (Cisco Modular Encoding Platform D9036 Software before 02.04.70 has har ...) NOT-FOR-US: Cisco CVE-2015-6411 (Cisco FirePOWER Management Center 5.4.1.3, 6.0.0, and 6.0.1 provides v ...) NOT-FOR-US: Cisco CVE-2015-6410 (The Mobile and Remote Access (MRA) services implementation in Cisco Un ...) NOT-FOR-US: Cisco CVE-2015-6409 (Cisco Jabber 10.6.x, 11.0.x, and 11.1.x on Windows allows man-in-the-m ...) NOT-FOR-US: Cisco CVE-2015-6408 (Cross-site request forgery (CSRF) vulnerability in Cisco Unity Connect ...) NOT-FOR-US: Cisco CVE-2015-6407 (Cisco Emergency Responder 10.5(3.10000.9) allows remote attackers to u ...) NOT-FOR-US: Cisco CVE-2015-6406 (Directory traversal vulnerability in the Tools menu in Cisco Emergency ...) NOT-FOR-US: Cisco CVE-2015-6405 (Cross-site request forgery (CSRF) vulnerability in Cisco Emergency Res ...) NOT-FOR-US: Cisco CVE-2015-6404 (Cisco Hosted Collaboration Mediation Fulfillment 10.6(3) does not use ...) NOT-FOR-US: Cisco CVE-2015-6403 (The TFTP implementation on Cisco Small Business SPA30x, SPA50x, SPA51x ...) NOT-FOR-US: Cisco CVE-2015-6402 (Cross-site scripting (XSS) vulnerability in the management interface o ...) NOT-FOR-US: Cisco CVE-2015-6401 (Cisco EPC3928 devices with EDVA 5.5.10, 5.5.11, and 5.7.1 allow remote ...) NOT-FOR-US: Cisco CVE-2015-6400 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco Emergency ...) NOT-FOR-US: Cisco CVE-2015-6399 (The Supervisor 1.0.0.0 and 1.0.0.1 in Cisco Integrated Management Cont ...) NOT-FOR-US: Cisco CVE-2015-6398 (Cisco Nexus 9000 Application Centric Infrastructure (ACI) Mode switche ...) NOT-FOR-US: Cisco CVE-2015-6397 (Cisco RV110W, RV130W, and RV215W devices have an incorrect RBAC config ...) NOT-FOR-US: Cisco CVE-2015-6396 (The CLI command parser on Cisco RV110W, RV130W, and RV215W devices all ...) NOT-FOR-US: Cisco CVE-2015-6395 (Cisco Prime Service Catalog 10.0, 10.0(R2), 10.1, and 11.0 does not pr ...) NOT-FOR-US: Cisco CVE-2015-6394 (The kernel in Cisco NX-OS 5.2(9)N1(1) on Nexus 5000 devices allows loc ...) NOT-FOR-US: Cisco CVE-2015-6393 (Cisco NX-OS 4.1 through 7.3 and 11.0 through 11.2 on Nexus 2000, 3000, ...) NOT-FOR-US: Cisco CVE-2015-6392 (Cisco NX-OS 4.1 through 7.3 and 11.0 through 11.2 on Nexus 2000, 5000, ...) NOT-FOR-US: Cisco CVE-2015-6391 (Cisco Unified SIP 3905 phones allow remote attackers to cause a denial ...) NOT-FOR-US: Cisco CVE-2015-6390 (Cross-site scripting (XSS) vulnerability in the management interface i ...) NOT-FOR-US: Cisco CVE-2015-6389 (Cisco Prime Collaboration Assurance before 11.0 has a hardcoded cmuser ...) NOT-FOR-US: Cisco Prime Collaboration Assurance CVE-2015-6388 (Cisco Unified Computing System (UCS) Central software 1.3(0.1) allows ...) NOT-FOR-US: Cisco CVE-2015-6387 (Cross-site scripting (XSS) vulnerability in Cisco Unified Computing Sy ...) NOT-FOR-US: Cisco CVE-2015-6386 (The passthrough FTP feature on Cisco Web Security Appliance (WSA) devi ...) NOT-FOR-US: Cisco CVE-2015-6385 (The publish-event event-manager feature in Cisco IOS 15.5(2)S and 15.5 ...) NOT-FOR-US: Cisco CVE-2015-6384 (The Cisco WebEx Meetings application before 8.5.1 for Android improper ...) NOT-FOR-US: Cisco CVE-2015-6383 (Cisco IOS XE 15.4(3)S on ASR 1000 devices improperly loads software pa ...) NOT-FOR-US: Cisco CVE-2015-6382 (Cisco ASR 5000 devices with software 16.0(900) allow remote attackers ...) NOT-FOR-US: Cisco CVE-2015-6381 RESERVED CVE-2015-6380 (An unspecified script in the web interface in Cisco Firepower Extensib ...) NOT-FOR-US: Cisco CVE-2015-6379 (The XML parser in the management interface in Cisco Adaptive Security ...) NOT-FOR-US: Cisco CVE-2015-6378 (Cross-site request forgery (CSRF) vulnerability on Cisco DPQ3925 devic ...) NOT-FOR-US: Cisco CVE-2015-6377 (Cisco Virtual Topology System (VTS) 2.0(0) and 2.0(1) allows remote at ...) NOT-FOR-US: Cisco CVE-2015-6376 (Cross-site request forgery (CSRF) vulnerability in Cisco TelePresence ...) NOT-FOR-US: Cisco CVE-2015-6375 (The debug-logging (aka debug cns) feature in Cisco Networking Services ...) NOT-FOR-US: Cisco CVE-2015-6374 (The web interface in Cisco Firepower Extensible Operating System 1.1(1 ...) NOT-FOR-US: Cisco CVE-2015-6373 (Cross-site request forgery (CSRF) vulnerability in Cisco Firepower Ext ...) NOT-FOR-US: Cisco CVE-2015-6372 (Cross-site scripting (XSS) vulnerability in the web-based management i ...) NOT-FOR-US: Cisco CVE-2015-6371 (Cisco Firepower Extensible Operating System 1.1(1.160) on Firepower 90 ...) NOT-FOR-US: Cisco CVE-2015-6370 (The Management I/O (MIO) component in Cisco Firepower Extensible Opera ...) NOT-FOR-US: Cisco CVE-2015-6369 (The USB driver in Cisco Firepower Extensible Operating System 1.1(1.16 ...) NOT-FOR-US: Cisco CVE-2015-6368 (Cisco Firepower Extensible Operating System 1.1(1.160) on Firepower 90 ...) NOT-FOR-US: Cisco CVE-2015-6367 (Cisco Aironet 1800 devices with software 8.1(131.0) allow remote attac ...) NOT-FOR-US: Cisco CVE-2015-6366 (Cisco IOS 15.2(04)M6 and 15.4(03)S lets physical-interface ACLs supers ...) NOT-FOR-US: Cisco CVE-2015-6365 (Cisco IOS 15.2(04)M and 15.4(03)M lets physical-interface ACLs superse ...) NOT-FOR-US: Cisco CVE-2015-6364 (Cisco Content Delivery System Manager Software 3.2 on Videoscape Distr ...) NOT-FOR-US: Cisco CVE-2015-6363 (Multiple cross-site scripting (XSS) vulnerabilities in the web framewo ...) NOT-FOR-US: Cisco CVE-2015-6362 (The web GUI in Cisco Connected Grid Network Management System (CG-NMS) ...) NOT-FOR-US: Cisco CVE-2015-6361 (The administrative web interface on Cisco DPC3939 (XB3) devices with f ...) NOT-FOR-US: Cisco CVE-2015-6360 (The encryption-processing feature in Cisco libSRTP before 1.5.3 allows ...) {DSA-3539-1 DLA-393-1} [experimental] - srtp 1.5.3~dfsg-1 - srtp 1.4.5~20130609~dfsg-1.2 (bug #807698) NOTE: Fix: https://github.com/cisco/libsrtp/commit/704a31774db0dd941094fd2b47c21638b8dc3de2 NOTE: Fixup: https://github.com/cisco/libsrtp/commit/be95365fbb4788b688cab7af61c65b7989055fb4 NOTE: Fixup: https://github.com/cisco/libsrtp/commit/be06686c8e98cc7bd934e10abb6f5e971d03f8ee NOTE: Fixup: https://github.com/cisco/libsrtp/commit/cdc69f2acde796a4152a250f869271298abc233f CVE-2015-6359 (The Neighbor Discovery (ND) protocol implementation in the IPv6 stack ...) NOT-FOR-US: Cisco IOS CVE-2015-6358 (Multiple Cisco embedded devices use hardcoded X.509 certificates and S ...) NOT-FOR-US: Cisco CVE-2015-6357 (The rule-update feature in Cisco FireSIGHT Management Center (MC) 5.2 ...) NOT-FOR-US: Cisco FireSIGHT CVE-2015-6356 (Cross-site scripting (XSS) vulnerability in the WeChat page in Cisco S ...) NOT-FOR-US: Cisco CVE-2015-6355 (The web interface in Cisco Unified Computing System (UCS) 2.2(5b)A on ...) NOT-FOR-US: Cisco CVE-2015-6354 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco FireSight ...) NOT-FOR-US: Cisco CVE-2015-6353 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco FireSight ...) NOT-FOR-US: Cisco CVE-2015-6352 (Cisco Unified Communications Domain Manager before 10.6(1) provides di ...) NOT-FOR-US: Cisco CVE-2015-6351 (Cisco ASR 5500 System Architecture Evolution (SAE) Gateway devices wit ...) NOT-FOR-US: Cisco CVE-2015-6350 (SQL injection vulnerability in the web framework in Cisco Prime Servic ...) NOT-FOR-US: Cisco CVE-2015-6349 (Cross-site scripting (XSS) vulnerability in the web interface in the S ...) NOT-FOR-US: Cisco CVE-2015-6348 (The report-generation web interface in the Solution Engine in Cisco Se ...) NOT-FOR-US: Cisco CVE-2015-6347 (The Solution Engine in Cisco Secure Access Control Server (ACS) 5.7(0. ...) NOT-FOR-US: Cisco CVE-2015-6346 (Cross-site scripting (XSS) vulnerability in Cisco Secure Access Contro ...) NOT-FOR-US: Cisco CVE-2015-6345 (SQL injection vulnerability in the Solution Engine in Cisco Secure Acc ...) NOT-FOR-US: Cisco CVE-2015-6344 (The web-based GUI in Cisco Adaptive Security Appliance (ASA) CX Contex ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2015-6343 (The SIP implementation in Cisco IOS 15.5(3)M on Cisco Unified Border E ...) NOT-FOR-US: Cisco CVE-2015-6342 REJECTED CVE-2015-6341 (The Web Management GUI on Cisco Wireless LAN Controller (WLC) devices ...) NOT-FOR-US: Cisco CVE-2015-6340 (The Proxy Mobile IPv6 (PMIPv6) component in the CDMA implementation on ...) NOT-FOR-US: Cisco CVE-2015-6339 REJECTED CVE-2015-6338 REJECTED CVE-2015-6337 (Cross-site scripting (XSS) vulnerability in Cisco Application Policy I ...) NOT-FOR-US: Cisco CVE-2015-6336 (Cisco Aironet 1800 devices with software 7.2, 7.3, 7.4, 8.1(112.3), 8. ...) NOT-FOR-US: Cisco CVE-2015-6335 (The policy implementation in Cisco FireSIGHT Management Center 5.3.1.7 ...) NOT-FOR-US: Cisco CVE-2015-6334 (Cisco ASR 5000 and 5500 devices with software 18.0.0.57828 and 19.0.M0 ...) NOT-FOR-US: Cisco CVE-2015-6333 (Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows ...) NOT-FOR-US: Cisco CVE-2015-6332 (Cisco Prime Infrastructure 2.2 allows remote attackers to cause a deni ...) NOT-FOR-US: Cisco CVE-2015-6331 (SQL injection vulnerability in the web framework in Cisco Prime Collab ...) NOT-FOR-US: Cisco CVE-2015-6330 (Cross-site request forgery (CSRF) vulnerability in Cisco Prime Collabo ...) NOT-FOR-US: Cisco CVE-2015-6329 (SQL injection vulnerability in Cisco Prime Collaboration Provisioning ...) NOT-FOR-US: Cisco CVE-2015-6328 (The web framework in Cisco Prime Collaboration Assurance (PCA) 10.5(1) ...) NOT-FOR-US: Cisco CVE-2015-6327 (The IKEv1 implementation in Cisco Adaptive Security Appliance (ASA) so ...) NOT-FOR-US: Cisco CVE-2015-6326 (Cisco Adaptive Security Appliance (ASA) software 7.2 and 8.2 before 8. ...) NOT-FOR-US: Cisco CVE-2015-6325 (Cisco Adaptive Security Appliance (ASA) software 7.2 and 8.2 before 8. ...) NOT-FOR-US: Cisco CVE-2015-6324 (The DHCPv6 relay implementation in Cisco Adaptive Security Appliance ( ...) NOT-FOR-US: Cisco CVE-2015-6323 (The Admin portal in Cisco Identity Services Engine (ISE) 1.1.x, 1.2.0 ...) NOT-FOR-US: Cisco CVE-2015-6322 (The IPC channel in Cisco AnyConnect Secure Mobility Client 2.0.0343 th ...) NOT-FOR-US: Cisco CVE-2015-6321 (Cisco AsyncOS before 8.5.7-042, 9.x before 9.1.0-032, 9.1.x before 9.1 ...) NOT-FOR-US: Cisco CVE-2015-6320 (The IP ingress packet handler on Cisco Aironet 1800 devices with softw ...) NOT-FOR-US: Cisco CVE-2015-6319 (SQL injection vulnerability in the web-based management interface on C ...) NOT-FOR-US: Cisco CVE-2015-6318 (Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.1 ...) NOT-FOR-US: Cisco CVE-2015-6317 (Cisco Identity Services Engine (ISE) before 2.0 allows remote authenti ...) NOT-FOR-US: Cisco CVE-2015-6316 (The default configuration of sshd_config in Cisco Mobility Services En ...) NOT-FOR-US: Cisco CVE-2015-6315 (Cisco Aironet 1850 access points with software 8.1(112.4) allow local ...) NOT-FOR-US: Cisco CVE-2015-6314 (Cisco Wireless LAN Controller (WLC) devices with software 7.6.x, 8.0 b ...) NOT-FOR-US: Cisco Wireless LAN Controller CVE-2015-6313 (Cisco TelePresence Server 4.1(2.29) through 4.2(4.17) on 7010; Mobilit ...) NOT-FOR-US: Cisco CVE-2015-6312 (Cisco TelePresence Server 3.1 on 7010, Mobility Services Engine (MSE) ...) NOT-FOR-US: Cisco CVE-2015-6311 (Cisco Wireless LAN Controller (WLC) devices with software 7.0(240.0), ...) NOT-FOR-US: Cisco CVE-2015-6310 (The REST interface in Cisco Unified Communications Manager IM and Pres ...) NOT-FOR-US: Cisco CVE-2015-6309 (Cisco Email Security Appliance (ESA) 8.5.6-106 and 9.6.0-042 allows re ...) NOT-FOR-US: Cisco CVE-2015-6308 (Cisco NX-OS 6.0(2)U6(0.46) on N3K devices allows remote authenticated ...) NOT-FOR-US: Cisco CVE-2015-6307 (Cisco FirePOWER (formerly Sourcefire) 7000 and 8000 devices with softw ...) NOT-FOR-US: Cisco CVE-2015-6306 (Cisco AnyConnect Secure Mobility Client 4.1(8) on OS X and Linux does ...) NOT-FOR-US: Cisco CVE-2015-6305 (Untrusted search path vulnerability in the CMainThread::launchDownload ...) NOT-FOR-US: Cisco CVE-2015-6304 (Cross-site request forgery (CSRF) vulnerability in Cisco TelePresence ...) NOT-FOR-US: Cisco CVE-2015-6303 (The Cisco Spark application 2015-07-04 for mobile operating systems do ...) NOT-FOR-US: Cisco CVE-2015-6302 (The RADIUS functionality on Cisco Wireless LAN Controller (WLC) device ...) NOT-FOR-US: Cisco CVE-2015-6301 (The DHCPv6 server in Cisco IOS on ASR 9000 devices with software 5.2.0 ...) NOT-FOR-US: Cisco CVE-2015-6300 (Cisco Secure Access Control Server (ACS) Solution Engine 5.7(0.15) all ...) NOT-FOR-US: Cisco CVE-2015-6299 (SQL injection vulnerability in the web interface in Cisco Unity Connec ...) NOT-FOR-US: Cisco CVE-2015-6298 (The admin web interface in Cisco AsyncOS 8.x before 8.0.8-113, 8.1.x a ...) NOT-FOR-US: Cisco CVE-2015-6297 (The DHCPv6 server in Cisco IOS on ASR 9000 devices with software 5.2.0 ...) NOT-FOR-US: Cisco CVE-2015-6296 (Cisco Prime Network Registrar (CPNR) 8.1(3.3), 8.2(3), and 8.3(2) has ...) NOT-FOR-US: Cisco CVE-2015-6295 (Cisco NX-OS 6.1(2)I3(4) and 7.0(3)I1(1) on Nexus 9000 (N9K) devices al ...) NOT-FOR-US: Cisco CVE-2015-6294 (Cisco IOS 15.2(3)E and earlier and IOS XE 3.6(2)E and earlier allow re ...) NOT-FOR-US: Cisco CVE-2015-6293 (Cisco AsyncOS 8.x before 8.0.8-113, 8.1.x and 8.5.x before 8.5.3-051, ...) NOT-FOR-US: Cisco CVE-2015-6292 (The proxy-cache implementation in Cisco AsyncOS 8.0.x before 8.0.7-151 ...) NOT-FOR-US: Cisco CVE-2015-6291 (Cisco AsyncOS before 8.5.7-043, 9.x before 9.1.1-023, and 9.5.x and 9. ...) NOT-FOR-US: Cisco CVE-2015-6290 (Cisco Web Security Appliance (WSA) 8.0.7 allows remote HTTP servers to ...) NOT-FOR-US: Cisco CVE-2015-6289 (Cisco IOS 15.5(3)M on Integrated Services Router (ISR) 800, 819, and 8 ...) NOT-FOR-US: Cisco CVE-2015-6288 (Cisco Content Security Management Appliance (SMA) 7.8.0-000 does not p ...) NOT-FOR-US: Cisco CVE-2015-6287 (Cisco Web Security Appliance (WSA) 8.0.6-078 and 8.0.6-115 allows remo ...) NOT-FOR-US: Cisco CVE-2015-6286 (Cisco Application Visibility and Control (AVC) 15.3(3)JA, when FlexCon ...) NOT-FOR-US: Cisco CVE-2015-6285 (Format string vulnerability in Cisco Email Security Appliance (ESA) 7. ...) NOT-FOR-US: Cisco Email Security Appliance CVE-2015-6284 (Buffer overflow in the Conference Control Protocol API implementation ...) NOT-FOR-US: Cisco TelePresence Server CVE-2015-6283 REJECTED CVE-2015-6282 (Cisco IOS XE 2.x and 3.x before 3.10.6S, 3.11.xS through 3.13.xS befor ...) NOT-FOR-US: Cisco IOS CVE-2015-6281 RESERVED CVE-2015-6280 (The SSHv2 functionality in Cisco IOS 15.2, 15.3, 15.4, and 15.5 and IO ...) NOT-FOR-US: Cisco IOS CVE-2015-6279 (The IPv6 snooping functionality in the first-hop security subsystem in ...) NOT-FOR-US: Cisco IOS CVE-2015-6278 (The IPv6 snooping functionality in the first-hop security subsystem in ...) NOT-FOR-US: Cisco IOS CVE-2015-6277 (The ARP implementation in Cisco NX-OS on Nexus 1000V devices for VMwar ...) NOT-FOR-US: Cisco CVE-2015-6276 (Cisco TelePresence IX5000 8.0.3 stores a private key associated with a ...) NOT-FOR-US: Cisco TelePresence CVE-2015-6275 RESERVED CVE-2015-6274 (The IPv4 implementation on Cisco ASR 1000 devices with software 15.5(3 ...) NOT-FOR-US: Cisco ASR CVE-2015-6273 (Cisco IOS XE before 3.1.2S on ASR 1000 devices mishandles the automati ...) NOT-FOR-US: Cisco CVE-2015-6272 (Cisco IOS XE 2.1.0 through 2.2.3 and 2.3.0 on ASR 1000 devices, when N ...) NOT-FOR-US: Cisco CVE-2015-6271 (Cisco IOS XE 2.1.0 through 2.4.3 and 2.5.0 on ASR 1000 devices, when N ...) NOT-FOR-US: Cisco CVE-2015-6270 (Cisco IOS XE before 2.2.3 on ASR 1000 devices allows remote attackers ...) NOT-FOR-US: Cisco CVE-2015-6269 (Cisco IOS XE before 2.2.3 on ASR 1000 devices allows remote attackers ...) NOT-FOR-US: Cisco CVE-2015-6268 (Cisco IOS XE before 2.2.3 on ASR 1000 devices allows remote attackers ...) NOT-FOR-US: Cisco CVE-2015-6267 (Cisco IOS XE before 2.2.3 on ASR 1000 devices allows remote attackers ...) NOT-FOR-US: Cisco CVE-2015-6266 (The guest portal in Cisco Identity Services Engine (ISE) 3300 1.2(0.89 ...) NOT-FOR-US: Cisco CVE-2015-6265 (The CLI in Cisco Application Control Engine (ACE) 4700 A5 3.0 and earl ...) NOT-FOR-US: Cisco CVE-2015-6264 REJECTED CVE-2015-6263 (The RADIUS client implementation in Cisco IOS 15.4(3)M2.2, when a shar ...) NOT-FOR-US: Cisco IOS CVE-2015-6262 (Cross-site request forgery (CSRF) vulnerability in Cisco Prime Infrast ...) NOT-FOR-US: Cisco CVE-2015-6261 (Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2 ...) NOT-FOR-US: Cisco CVE-2015-6260 (Cisco NX-OS 7.1(1)N1(1) on Nexus 5500, 5600, and 6000 devices does not ...) NOT-FOR-US: Cisco CVE-2015-6259 (The JavaServer Pages (JSP) component in Cisco Integrated Management Co ...) NOT-FOR-US: Cisco CVE-2015-6258 (The Internet Access Point Protocol (IAPP) module on Cisco Wireless LAN ...) NOT-FOR-US: Cisco CVE-2015-6257 RESERVED CVE-2015-6256 (Cisco ASR 5000 devices with software 19.0.M0.60828 allow remote attack ...) NOT-FOR-US: Cisco Aggregation Services Router CVE-2015-6255 (Cross-site scripting (XSS) vulnerability in Cisco Unified Web and E-Ma ...) NOT-FOR-US: Cisco Unified Web and E-Mail Interaction Manager CVE-2015-6254 (The (1) Service Provider (SP) and (2) Identity Provider (IdP) in Picke ...) NOT-FOR-US: PicketLink CVE-2015-6253 (edx-platform before 2015-08-17 allows XSS in the Studio listing of cou ...) NOT-FOR-US: Open edX CVE-2014-9743 (Cross-site scripting (XSS) vulnerability in the httpd_HtmlError functi ...) - vlc 2.2.0~rc2-1 [squeeze] - vlc (Unsupported in squeeze-lts) [wheezy] - vlc (Unsupported in wheezy-lts) CVE-2015-6526 (The perf_callchain_user_64 function in arch/powerpc/perf/callchain.c i ...) - linux 4.1.3-1 [jessie] - linux 3.16.7-ckt11-1 [wheezy] - linux 3.2.71-1 - linux-2.6 [squeeze] - linux-2.6 (powerpc not supported in Squeeze LTS) NOTE: http://www.openwall.com/lists/oss-security/2015/08/18/4 NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9a5cbce421a283e6aea3c4007f141735bf9da8c3 (v4.1-rc1) CVE-2015-6252 (The vhost_dev_ioctl function in drivers/vhost/vhost.c in the Linux ker ...) {DSA-3364-1} - linux 4.1.5-1 - linux-2.6 [squeeze] - linux-2.6 (Vulnerable code not present) NOTE: https://lkml.org/lkml/2015/8/10/375 NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7932c0bd7740f4cd2aa168d3ce0199e7af7d72d5 (v4.2-rc5) CVE-2015-6239 RESERVED CVE-2015-6238 (Multiple cross-site scripting (XSS) vulnerabilities in the Google Anal ...) NOT-FOR-US: Google Analyticator plugin for WordPress CVE-2015-6237 (The RPC service in Tripwire (formerly nCircle) IP360 VnE Manager 7.2.2 ...) NOT-FOR-US: Tripwire IP360 VnE Manager CVE-2015-6236 REJECTED CVE-2015-6235 REJECTED CVE-2015-6234 REJECTED CVE-2015-6233 REJECTED CVE-2015-6232 REJECTED CVE-2015-6231 REJECTED CVE-2015-6230 REJECTED CVE-2015-6229 REJECTED CVE-2015-6228 REJECTED CVE-2015-6227 REJECTED CVE-2015-6226 REJECTED CVE-2015-6225 REJECTED CVE-2015-6224 REJECTED CVE-2015-6223 REJECTED CVE-2015-6222 REJECTED CVE-2015-6221 REJECTED CVE-2015-6220 REJECTED CVE-2015-6219 REJECTED CVE-2015-6218 REJECTED CVE-2015-6217 REJECTED CVE-2015-6216 REJECTED CVE-2015-6215 REJECTED CVE-2015-6214 REJECTED CVE-2015-6213 REJECTED CVE-2015-6212 REJECTED CVE-2015-6211 REJECTED CVE-2015-6210 REJECTED CVE-2015-6209 REJECTED CVE-2015-6208 REJECTED CVE-2015-6207 REJECTED CVE-2015-6206 REJECTED CVE-2015-6205 REJECTED CVE-2015-6204 REJECTED CVE-2015-6203 REJECTED CVE-2015-6202 REJECTED CVE-2015-6201 REJECTED CVE-2015-6200 REJECTED CVE-2015-6199 REJECTED CVE-2015-6198 REJECTED CVE-2015-6197 REJECTED CVE-2015-6196 REJECTED CVE-2015-6195 REJECTED CVE-2015-6194 REJECTED CVE-2015-6193 REJECTED CVE-2015-6192 REJECTED CVE-2015-6191 REJECTED CVE-2015-6190 REJECTED CVE-2015-6189 REJECTED CVE-2015-6188 REJECTED CVE-2015-6187 REJECTED CVE-2015-6186 REJECTED CVE-2015-6185 REJECTED CVE-2015-6184 (The CAttrArray object implementation in Microsoft Internet Explorer 7 ...) NOT-FOR-US: Microsoft CVE-2015-6183 REJECTED CVE-2015-6182 REJECTED CVE-2015-6181 REJECTED CVE-2015-6180 REJECTED CVE-2015-6179 REJECTED CVE-2015-6178 REJECTED CVE-2015-6177 (Microsoft Excel 2007 SP3, Office Compatibility Pack SP3, and Excel Vie ...) NOT-FOR-US: Microsoft CVE-2015-6176 (Microsoft Edge mishandles HTML attributes in HTTP responses, which all ...) NOT-FOR-US: Microsoft CVE-2015-6175 (The kernel in Microsoft Windows 10 Gold allows local users to gain pri ...) NOT-FOR-US: Microsoft CVE-2015-6174 (The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2015-6173 (The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2015-6172 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1 ...) NOT-FOR-US: Microsoft CVE-2015-6171 (The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2015-6170 (Microsoft Edge allows remote attackers to gain privileges via a crafte ...) NOT-FOR-US: Microsoft CVE-2015-6169 (Microsoft Edge misparses HTTP responses, which allows remote attackers ...) NOT-FOR-US: Microsoft CVE-2015-6168 (Microsoft Edge allows remote attackers to execute arbitrary code or ca ...) NOT-FOR-US: Microsoft CVE-2015-6167 REJECTED CVE-2015-6166 (Microsoft Silverlight 5 before 5.1.41105.00 allows remote attackers to ...) NOT-FOR-US: Microsoft CVE-2015-6165 (Microsoft Silverlight 5 before 5.1.41105.00 allows remote attackers to ...) NOT-FOR-US: Microsoft CVE-2015-6164 (Microsoft Internet Explorer 9 through 11 improperly implements a cross ...) NOT-FOR-US: Microsoft CVE-2015-6163 REJECTED CVE-2015-6162 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft CVE-2015-6161 (Microsoft Internet Explorer 7 through 11 and Microsoft Edge allow remo ...) NOT-FOR-US: Microsoft CVE-2015-6160 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft CVE-2015-6159 (Microsoft Internet Explorer 11 and Microsoft Edge allow remote attacke ...) NOT-FOR-US: Microsoft CVE-2015-6158 (Microsoft Internet Explorer 11 and Microsoft Edge allow remote attacke ...) NOT-FOR-US: Microsoft CVE-2015-6157 (Microsoft Internet Explorer 11 allows remote attackers to obtain sensi ...) NOT-FOR-US: Microsoft CVE-2015-6156 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2015-6155 (Microsoft Internet Explorer 10 and 11 and Microsoft Edge allow remote ...) NOT-FOR-US: Microsoft CVE-2015-6154 (Microsoft Internet Explorer 7 through 11 and Microsoft Edge allow remo ...) NOT-FOR-US: Microsoft CVE-2015-6153 (Microsoft Internet Explorer 11 and Microsoft Edge allow remote attacke ...) NOT-FOR-US: Microsoft CVE-2015-6152 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft CVE-2015-6151 (Microsoft Internet Explorer 8 through 11 and Microsoft Edge allow remo ...) NOT-FOR-US: Microsoft CVE-2015-6150 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2015-6149 (Microsoft Internet Explorer 8 and 9 allows remote attackers to execute ...) NOT-FOR-US: Microsoft CVE-2015-6148 (Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remo ...) NOT-FOR-US: Microsoft CVE-2015-6147 (Microsoft Internet Explorer 8 and 9 allows remote attackers to execute ...) NOT-FOR-US: Microsoft CVE-2015-6146 (Microsoft Internet Explorer 7 and 8 allows remote attackers to execute ...) NOT-FOR-US: Microsoft CVE-2015-6145 (Microsoft Internet Explorer 7 and 8 allows remote attackers to execute ...) NOT-FOR-US: Microsoft CVE-2015-6144 (Microsoft Internet Explorer 8 through 11 and Microsoft Edge mishandle ...) NOT-FOR-US: Microsoft CVE-2015-6143 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft CVE-2015-6142 (Microsoft Internet Explorer 11 and Microsoft Edge allow remote attacke ...) NOT-FOR-US: Microsoft CVE-2015-6141 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft CVE-2015-6140 (Microsoft Internet Explorer 11 and Microsoft Edge allow remote attacke ...) NOT-FOR-US: Microsoft CVE-2015-6139 (Microsoft Internet Explorer 11 and Microsoft Edge mishandle content ty ...) NOT-FOR-US: Microsoft CVE-2015-6138 (Microsoft Internet Explorer 8 through 11 mishandles HTML attributes in ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-6137 REJECTED CVE-2015-6136 (The Microsoft (1) VBScript 5.7 and 5.8 and (2) JScript 5.7 and 5.8 eng ...) NOT-FOR-US: Microsof CVE-2015-6135 (The Microsoft (1) VBScript 5.7 and 5.8 and (2) JScript 5.7 and 5.8 eng ...) NOT-FOR-US: Microsof CVE-2015-6134 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsof CVE-2015-6133 (Microsoft Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Win ...) NOT-FOR-US: Microsof CVE-2015-6132 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsof CVE-2015-6131 (Windows Media Center in Microsoft Windows Vista SP2, Windows 7 SP1, Wi ...) NOT-FOR-US: Microsof CVE-2015-6130 (Integer underflow in Uniscribe in Microsoft Windows 7 SP1 and Windows ...) NOT-FOR-US: Microsof CVE-2015-6129 REJECTED CVE-2015-6128 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and W ...) NOT-FOR-US: Microsoft Windows CVE-2015-6127 (Windows Media Center in Microsoft Windows Vista SP2, Windows 7 SP1, Wi ...) NOT-FOR-US: Windows Media Center CVE-2015-6126 (Race condition in the Pragmatic General Multicast (PGM) protocol imple ...) NOT-FOR-US: Microsoft CVE-2015-6125 (Use-after-free vulnerability in the DNS server in Microsoft Windows Se ...) NOT-FOR-US: Microsoft Windows CVE-2015-6124 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1 ...) NOT-FOR-US: Microsoft CVE-2015-6123 (Cross-site scripting (XSS) vulnerability in Microsoft Excel for Mac 20 ...) NOT-FOR-US: Microsoft CVE-2015-6122 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel for Mac 2011, Office C ...) NOT-FOR-US: Microsoft CVE-2015-6121 REJECTED CVE-2015-6120 REJECTED CVE-2015-6119 REJECTED CVE-2015-6118 (Microsoft Office 2007 SP3 and Office 2010 SP2 allow remote attackers t ...) NOT-FOR-US: Microsoft Office CVE-2015-6117 (Microsoft SharePoint Server 2013 SP1 and SharePoint Foundation 2013 SP ...) NOT-FOR-US: Microsoft CVE-2015-6116 REJECTED CVE-2015-6115 (Microsoft .NET Framework 2.0 SP2, 3.5, and 3.5.1 allows remote attacke ...) NOT-FOR-US: Microsoft .NET Framework CVE-2015-6114 (Microsoft Silverlight 5 before 5.1.41105.00 allows remote attackers to ...) NOT-FOR-US: Microsoft Silverlight CVE-2015-6113 (The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2015-6112 (SChannel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R ...) NOT-FOR-US: Microsoft Windows CVE-2015-6111 (IPSec in Microsoft Windows 8, Windows 8.1, Windows Server 2012 Gold an ...) NOT-FOR-US: Microsoft Windows CVE-2015-6110 REJECTED CVE-2015-6109 (The kernel in Microsoft Windows 8.1, Windows Server 2012 R2, Windows R ...) NOT-FOR-US: Microsoft Windows CVE-2015-6108 (The Windows font library in Microsoft Windows Vista SP2; Windows Serve ...) NOT-FOR-US: Microsoft Windows CVE-2015-6107 (The Windows font library in Microsoft Windows Vista SP2, Windows Serve ...) NOT-FOR-US: Microsoft Windows CVE-2015-6106 (The Windows font library in Microsoft Windows Vista SP2, Windows Serve ...) NOT-FOR-US: Microsoft Windows CVE-2015-6105 REJECTED CVE-2015-6104 (The Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows ...) NOT-FOR-US: Microsoft Windows CVE-2015-6103 (The Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows ...) NOT-FOR-US: Microsoft Windows CVE-2015-6102 (The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2015-6101 (The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2015-6100 (The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2015-6099 (Cross-site scripting (XSS) vulnerability in ASP.NET in Microsoft .NET ...) NOT-FOR-US: Microsoft .NET CVE-2015-6098 (Buffer overflow in the Network Driver Interface Standard (NDIS) implem ...) NOT-FOR-US: Microsoft Windows CVE-2015-6097 (Heap-based buffer overflow in Windows Journal in Microsoft Windows Vis ...) NOT-FOR-US: Microsoft Windows CVE-2015-6096 (The XML DTD parser in Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, ...) NOT-FOR-US: Microsoft .NET CVE-2015-6095 (Kerberos in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R ...) NOT-FOR-US: Microsoft Windows CVE-2015-6094 (Microsoft Excel 2010 SP2, Excel 2013 SP1, Excel 2013 RT SP1, Excel 201 ...) NOT-FOR-US: Microsoft CVE-2015-6093 (Microsoft Office 2007 SP3, Office 2010 SP2, Office 2013 SP1, Office 20 ...) NOT-FOR-US: Microsoft CVE-2015-6092 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1 ...) NOT-FOR-US: Microsoft CVE-2015-6091 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1 ...) NOT-FOR-US: Microsoft CVE-2015-6090 REJECTED CVE-2015-6089 (The Microsoft (1) VBScript and (2) JScript engines, as used in Interne ...) NOT-FOR-US: Microsoft CVE-2015-6088 (Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remo ...) NOT-FOR-US: Microsoft CVE-2015-6087 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2015-6086 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ob ...) NOT-FOR-US: Microsoft CVE-2015-6085 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft CVE-2015-6084 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft CVE-2015-6083 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2015-6082 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft CVE-2015-6081 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2015-6080 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft CVE-2015-6079 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft CVE-2015-6078 (Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remo ...) NOT-FOR-US: Microsoft CVE-2015-6077 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft CVE-2015-6076 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2015-6075 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft CVE-2015-6074 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2015-6073 (Microsoft Internet Explorer 11 and Microsoft Edge allow remote attacke ...) NOT-FOR-US: Microsoft CVE-2015-6072 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft CVE-2015-6071 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2015-6070 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2015-6069 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2015-6068 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft CVE-2015-6067 REJECTED CVE-2015-6066 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2015-6065 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2015-6064 (Microsoft Internet Explorer 10 and 11 and Microsoft Edge allow remote ...) NOT-FOR-US: Microsoft CVE-2015-6063 REJECTED CVE-2015-6062 REJECTED CVE-2015-6061 (Cross-site scripting (XSS) vulnerability in Microsoft Skype for Busine ...) NOT-FOR-US: Microsoft CVE-2015-6060 REJECTED CVE-2015-6059 (The Microsoft (1) VBScript 5.7 and 5.8 and (2) JScript 5.7 and 5.8 eng ...) NOT-FOR-US: Microsoft CVE-2015-6058 (Microsoft Edge mishandles HTML attributes in HTTP responses, which all ...) NOT-FOR-US: Microsoft Edge CVE-2015-6057 (Microsoft Edge allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Microsoft Edge CVE-2015-6056 (The (1) JScript and (2) VBScript engines in Microsoft Internet Explore ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-6055 (The Microsoft (1) VBScript 5.7 and 5.8 and (2) JScript 5.7 and 5.8 eng ...) NOT-FOR-US: Microsoft CVE-2015-6054 REJECTED CVE-2015-6053 (Microsoft Internet Explorer 11 allows remote attackers to obtain sensi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-6052 (The Microsoft (1) VBScript 5.7 and 5.8 and (2) JScript 5.7 and 5.8 eng ...) NOT-FOR-US: Microsoft CVE-2015-6051 (Microsoft Internet Explorer 10 and 11 allows remote attackers to gain ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-6050 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-6049 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-6048 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-6047 (The broker EditWith feature in Microsoft Internet Explorer 8 through 1 ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-6046 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ob ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-6045 (Use-after-free vulnerability in the CElement object implementation in ...) NOT-FOR-US: Microsoft CVE-2015-6044 (Microsoft Internet Explorer 8 allows remote attackers to gain privileg ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-6043 REJECTED CVE-2015-6042 (Use-after-free vulnerability in the CWindow object implementation in M ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-6041 REJECTED CVE-2015-6040 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel for Mac 2011, Excel 20 ...) NOT-FOR-US: Microsoft CVE-2015-6039 (Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Serve ...) NOT-FOR-US: Microsoft CVE-2015-6038 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 R ...) NOT-FOR-US: Microsoft CVE-2015-6037 (Cross-site scripting (XSS) vulnerability in Microsoft Excel Services o ...) NOT-FOR-US: Microsoft CVE-2015-6036 (QNAP Signage Station before 2.0.1 allows remote attackers to bypass au ...) NOT-FOR-US: QNAP Signage Station CVE-2015-6035 (Opsview before 2015-11-06 has XSS via SNMP. ...) NOT-FOR-US: Opsview CVE-2015-6034 (EPSON Network Utility 4.10 uses weak permissions (Everyone: Full Contr ...) NOT-FOR-US: Epson CVE-2015-6033 (Qolsys IQ Panel (aka QOL) before 1.5.1 does not verify the digital sig ...) NOT-FOR-US: Qolsys IQ Panel CVE-2015-6032 (Qolsys IQ Panel (aka QOL) before 1.5.1 has hardcoded cryptographic key ...) NOT-FOR-US: Qolsys IQ Panel CVE-2015-6031 (Buffer overflow in the IGDstartelt function in igd_desc_parse.c in the ...) {DSA-3379-1} - miniupnpc 1.9.20140610-2.1 (bug #802650) NOTE: http://talosintel.com/reports/TALOS-2015-0035/ NOTE: https://github.com/miniupnp/miniupnp/commit/79cca974a4c2ab1199786732a67ff6d898051b78 CVE-2015-6030 (HP ArcSight Logger 6.0.0.7307.1, ArcSight Command Center 6.8.0.1896.0, ...) NOT-FOR-US: HP Arcsight Logger CVE-2015-6029 (HP ArcSight Logger before 6.0 P2 does not limit attempts to authentica ...) NOT-FOR-US: HP Arcsight Logger CVE-2015-6028 (Castle Rock Computing SNMPc before 2015-12-17 has SQL injection via th ...) NOT-FOR-US: Castle Rock Computing SNMPc CVE-2015-6027 (Castle Rock Computing SNMPc before 2015-12-17 has XSS via SNMP. ...) NOT-FOR-US: Castle Rock Computing SNMPc CVE-2015-6026 RESERVED CVE-2015-6025 RESERVED CVE-2015-6024 (ping.cgi in NetCommWireless HSPA 3G10WVE wireless routers with firmwar ...) NOT-FOR-US: Qolsys NetCommWireless CVE-2015-6023 (ping.cgi in NetCommWireless HSPA 3G10WVE wireless routers with firmwar ...) NOT-FOR-US: Qolsys NetCommWireless CVE-2015-6022 (Unrestricted file upload vulnerability in QNAP Signage Station before ...) NOT-FOR-US: QNAP Signage Station CVE-2015-6021 (Spiceworks Desktop before 2015-12-01 has XSS via an SNMP response. ...) NOT-FOR-US: Spiceworks Desktop CVE-2015-6020 (ZyXEL PMG5318-B20A devices with firmware 1.00AANC0b5 allow remote auth ...) NOT-FOR-US: ZyXEL CVE-2015-6019 (The management portal on ZyXEL PMG5318-B20A devices with firmware 1.00 ...) NOT-FOR-US: ZyXEL CVE-2015-6018 (The diagnostic-ping implementation on ZyXEL PMG5318-B20A devices with ...) NOT-FOR-US: ZyXEL CVE-2015-6017 (Multiple cross-site scripting (XSS) vulnerabilities in Forms/rpAuth_1 ...) NOT-FOR-US: ZyXEL CVE-2015-6016 (ZyXEL P-660HW-T1 2 devices with ZyNOS firmware 3.40(AXH.0), PMG5318-B2 ...) NOT-FOR-US: ZyXEL CVE-2015-6015 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle CVE-2015-6014 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle CVE-2015-6013 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle CVE-2015-6012 (Multiple open redirect vulnerabilities in Web Reference Database (aka ...) NOT-FOR-US: Web Reference Database (aka refbase) CVE-2015-6011 (Web Reference Database (aka refbase) through 0.9.6 and bleeding-edge b ...) NOT-FOR-US: Web Reference Database (aka refbase) CVE-2015-6010 (Multiple cross-site scripting (XSS) vulnerabilities in Web Reference D ...) NOT-FOR-US: Web Reference Database (aka refbase) CVE-2015-6009 (Multiple SQL injection vulnerabilities in Web Reference Database (aka ...) NOT-FOR-US: Web Reference Database (aka refbase) CVE-2015-6008 (install.php in Web Reference Database (aka refbase) through 0.9.6 allo ...) NOT-FOR-US: Web Reference Database (aka refbase) CVE-2015-6007 (Cross-site request forgery (CSRF) vulnerability in Web Reference Datab ...) NOT-FOR-US: Web Reference Database (aka refbase) CVE-2015-6006 (The AddUserFinding implementation in Medicomp MEDCIN Engine 2.22.20153 ...) NOT-FOR-US: Medicomp CVE-2015-6005 (Multiple cross-site scripting (XSS) vulnerabilities in IPSwitch WhatsU ...) NOT-FOR-US: IPSwitch CVE-2015-6004 (Multiple SQL injection vulnerabilities in IPSwitch WhatsUp Gold before ...) NOT-FOR-US: IPSwitch CVE-2015-6003 (Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 ...) NOT-FOR-US: QNAP QTS CVE-2015-6002 RESERVED CVE-2015-6001 RESERVED CVE-2015-6000 (Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyD ...) NOT-FOR-US: Vtiger CRM CVE-2015-5999 (Multiple cross-site request forgery (CSRF) vulnerabilities in the D-Li ...) NOT-FOR-US: D-Link DIR-816L Wireless Router CVE-2015-5998 (Impero Education Pro before 5105 relies on the -1|AUTHENTICATE\x02PASS ...) NOT-FOR-US: Impero Education Pro CVE-2015-5997 (Impero Education Pro before 5105 uses a hardcoded CBC key and initiali ...) NOT-FOR-US: Impero Education Pro CVE-2015-5996 (Cross-site request forgery (CSRF) vulnerability on Mediabridge Mediali ...) NOT-FOR-US: Mediabridge Medialink devices CVE-2015-5995 (Mediabridge Medialink MWN-WAPR300N devices with firmware 5.07.50 and T ...) NOT-FOR-US: Mediabridge Medialink devices CVE-2015-5994 (The web management interface on Mediabridge Medialink MWN-WAPR300N dev ...) NOT-FOR-US: Mediabridge Medialink devices CVE-2015-5993 (Buffer overflow in form2ping.cgi on Philippine Long Distance Telephone ...) NOT-FOR-US: SpeedSurf CVE-2015-5992 (Cross-site scripting (XSS) vulnerability in form2WlanSetup.cgi on Phil ...) NOT-FOR-US: SpeedSurf CVE-2015-5991 (Cross-site request forgery (CSRF) vulnerability in form2WlanSetup.cgi ...) NOT-FOR-US: SpeedSurf CVE-2015-5990 (Cross-site request forgery (CSRF) vulnerability on Belkin F9K1102 2 de ...) NOT-FOR-US: Belkin devices CVE-2015-5989 (Belkin F9K1102 2 devices with firmware 2.10.17 rely on client-side Jav ...) NOT-FOR-US: Belkin devices CVE-2015-5988 (The web management interface on Belkin F9K1102 2 devices with firmware ...) NOT-FOR-US: Belkin devices CVE-2015-5987 (Belkin F9K1102 2 devices with firmware 2.10.17 use an improper algorit ...) NOT-FOR-US: Belkin devices CVE-2015-6241 (The proto_tree_add_bytes_item function in epan/proto.c in the protocol ...) {DSA-3367-1} - wireshark 1.12.7+g7fc8978-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-21.html CVE-2015-6242 (The wmem_block_split_free_chunk function in epan/wmem/wmem_allocator_b ...) {DSA-3367-1} - wireshark 1.12.7+g7fc8978-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-22.html CVE-2015-6243 (The dissector-table implementation in epan/packet.c in Wireshark 1.12. ...) {DSA-3367-1 DLA-497-1} - wireshark 1.12.7+g7fc8978-1 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-23.html CVE-2015-6244 (The dissect_zbee_secure function in epan/dissectors/packet-zbee-securi ...) {DSA-3367-1} - wireshark 1.12.7+g7fc8978-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-24.html CVE-2015-6245 (epan/dissectors/packet-gsm_rlcmac.c in the GSM RLC/MAC dissector in Wi ...) {DSA-3367-1} - wireshark 1.12.7+g7fc8978-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-25.html CVE-2015-6246 (The dissect_wa_payload function in epan/dissectors/packet-waveagent.c ...) {DSA-3367-1 DLA-497-1} - wireshark 1.12.7+g7fc8978-1 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-26.html CVE-2015-6247 (The dissect_openflow_tablemod_v5 function in epan/dissectors/packet-op ...) {DSA-3367-1} - wireshark 1.12.7+g7fc8978-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-27.html CVE-2015-6248 (The ptvcursor_add function in the ptvcursor implementation in epan/pro ...) {DSA-3367-1 DLA-497-1} - wireshark 1.12.7+g7fc8978-1 [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-28.html CVE-2015-6249 (The dissect_wccp2r1_address_table_info function in epan/dissectors/pac ...) {DSA-3367-1} - wireshark 1.12.7+g7fc8978-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Not supported in Squeeze LTS) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-29.html CVE-2015-6250 (simple-php-captcha before commit 9d65a945029c7be7bb6bc893759e74c5636be ...) NOT-FOR-US: simple-php-captcha CVE-2015-5986 (openpgpkey_61.c in named in ISC BIND 9.9.7 before 9.9.7-P3 and 9.10.x ...) - bind9 (Vulnerable code present only since 9.9.7) NOTE: https://kb.isc.org/article/AA-01291 CVE-2015-6496 (conntrackd in conntrack-tools 1.4.2 and earlier does not ensure that t ...) {DSA-3341-1 DLA-295-1} - conntrack 1:1.4.2-3 (bug #796103) NOTE: http://www.openwall.com/lists/oss-security/2015/08/14/4 NOTE: http://bugzilla.netfilter.org/show_bug.cgi?id=910 NOTE: https://git.netfilter.org/conntrack-tools/commit/?id=c392c159605956c7bd4a264ab4490e2b2704c0cd CVE-2015-5985 REJECTED CVE-2015-5984 REJECTED CVE-2015-5983 REJECTED CVE-2015-5982 REJECTED CVE-2015-5981 REJECTED CVE-2015-5980 REJECTED CVE-2015-5979 REJECTED CVE-2015-5978 REJECTED CVE-2015-5977 REJECTED CVE-2015-5976 REJECTED CVE-2015-5975 REJECTED CVE-2015-5974 REJECTED CVE-2015-5973 REJECTED CVE-2015-5972 REJECTED CVE-2015-5971 REJECTED CVE-2015-5970 (The ChangePassword RPC method in Novell ZENworks Configuration Managem ...) NOT-FOR-US: Novell CVE-2015-5969 (The mysql-systemd-helper script in the mysql-community-server package ...) NOT-FOR-US: SuSE-specific mysql packaging bug CVE-2015-5968 (Cross-site scripting (XSS) vulnerability in Novell Filr 1.2 before Hot ...) NOT-FOR-US: Novell CVE-2015-5967 REJECTED CVE-2015-5966 REJECTED CVE-2015-5965 (The SSL-VPN feature in Fortinet FortiOS before 4.3.13 only checks the ...) NOT-FOR-US: Fortinet FortiOS CVE-2015-6506 (Cross-site scripting (XSS) vulnerability in the cryptography interface ...) {DSA-3335-1} - request-tracker4 4.2.11-2 [jessie] - request-tracker4 4.2.8-3+deb8u1 [wheezy] - request-tracker4 (Vulnerable code not present) NOTE: https://github.com/bestpractical/rt/commit/36a461947b00b105336adb4997d1c7767d8484c4 NOTE: http://www.openwall.com/lists/oss-security/2015/08/13/8 CVE-2015-6565 (sshd in OpenSSH 6.8 and 6.9 uses world-writable permissions for TTY de ...) - openssh (Vulnerable code introduce in V_6_8_P1) NOTE: https://anongit.mindrot.org/openssh.git/commit/?id=6f941396b6835ad18018845f515b0c4fe20be21a NOTE: Issue introduced with https://anongit.mindrot.org/openssh.git/commit/?id=a5883d4eccb94b16c355987f58f86a7dee17a0c2 (V_6_8_P1) NOTE: http://www.openwall.com/lists/oss-security/2015/08/12/1 CVE-2015-6563 (The monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD pla ...) {DLA-1500-1} - openssh 1:6.9p1-1 (bug #795711) [wheezy] - openssh (Minor issue) [squeeze] - openssh (Minor issue) NOTE: https://anongit.mindrot.org/openssh.git/commit/?id=d4697fe9a28dab7255c60433e4dd23cf7fce8a8b NOTE: http://www.openwall.com/lists/oss-security/2015/08/11/9 CVE-2015-6564 (Use-after-free vulnerability in the mm_answer_pam_free_ctx function in ...) {DLA-1500-1} - openssh 1:6.9p1-1 (bug #795711) [wheezy] - openssh (Minor issue) [squeeze] - openssh (Minor issue) NOTE: https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7 NOTE: http://www.openwall.com/lists/oss-security/2015/08/11/9 CVE-2015-6737 (Cross-site scripting (XSS) vulnerability in the Widgets extension for ...) NOT-FOR-US: Widgets extension for MediaWiki NOTE: https://phabricator.wikimedia.org/T88964 CVE-2015-6736 (The Quiz extension for MediaWiki allows remote attackers to cause a de ...) NOT-FOR-US: Quiz extension for MediaWiki NOTE: https://phabricator.wikimedia.org/T97083 CVE-2015-6735 (The reset functionality in the TimedMediaHandler extension for MediaWi ...) NOT-FOR-US: TimedMediaHandler extension for MediaWiki NOTE: https://phabricator.wikimedia.org/T100211 CVE-2015-6734 (Cross-site scripting (XSS) vulnerability in contrib/cssgen.php in the ...) - mediawiki-extensions (contrib directory not present) NOTE: https://phabricator.wikimedia.org/T108198 CVE-2015-6733 (GeSHi, as used in the SyntaxHighlight_GeSHi extension and MediaWiki be ...) - mediawiki-extensions (contrib directory not present) NOTE: https://phabricator.wikimedia.org/T108198 CVE-2015-6732 (Multiple cross-site scripting (XSS) vulnerabilities in the SemanticFor ...) NOT-FOR-US: SemanticForms extension for MediaWiki NOTE: https://phabricator.wikimedia.org/T103391 NOTE: https://phabricator.wikimedia.org/T103765 NOTE: https://phabricator.wikimedia.org/T103765 CVE-2015-6731 (Multiple cross-site scripting (XSS) vulnerabilities in the SemanticFor ...) NOT-FOR-US: SemanticForms extension for MediaWiki NOTE: https://phabricator.wikimedia.org/T103391 NOTE: https://phabricator.wikimedia.org/T103765 NOTE: https://phabricator.wikimedia.org/T103765 CVE-2015-6730 (Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki bef ...) - mediawiki 1:1.25.5-1 (bug #799096) [wheezy] - mediawiki (Minor issues) [squeeze] - mediawiki (Not supported in Squeeze LTS) NOTE: https://phabricator.wikimedia.org/T97391 CVE-2015-6729 (Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki bef ...) - mediawiki (Introduced in 1.21) NOTE: https://phabricator.wikimedia.org/T97391 CVE-2015-6728 (The ApiBase::getWatchlistUser function in MediaWiki before 1.23.10, 1. ...) - mediawiki 1:1.25.5-1 (bug #799096) [wheezy] - mediawiki (Minor issues) [squeeze] - mediawiki (Not supported in Squeeze LTS) NOTE: https://phabricator.wikimedia.org/T94116 CVE-2013-7444 (The Special:Contributions page in MediaWiki before 1.22.0 allows remot ...) - mediawiki 1:1.25.5-1 (bug #799096) [wheezy] - mediawiki (Minor issues) [squeeze] - mediawiki (Not supported in Squeeze LTS) NOTE: https://phabricator.wikimedia.org/T106893 NOTE: https://github.com/wikimedia/mediawiki/commit/dc2966bd05b69321300c63fd0bd78e7c78ecea6e CVE-2015-6727 (The Special:DeletedContributions page in MediaWiki before 1.23.10, 1.2 ...) - mediawiki 1:1.25.5-1 (bug #799096) [wheezy] - mediawiki (Minor issues) [squeeze] - mediawiki (Not supported in Squeeze LTS) NOTE: https://phabricator.wikimedia.org/T106893 NOTE: https://github.com/wikimedia/mediawiki/commit/5faabfa1bbf65536ea36108887040198afcb3c82 CVE-2015-5964 (The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache ...) {DSA-3338-1 DLA-301-1} - python-django 1.7.10-1 (bug #796104) NOTE: https://www.djangoproject.com/weblog/2015/aug/18/security-releases/ CVE-2015-5963 (contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1 ...) {DSA-3338-1 DLA-301-1} - python-django 1.7.10-1 (bug #796104) NOTE: https://www.djangoproject.com/weblog/2015/aug/18/security-releases/ CVE-2015-5962 (Integer signedness error in the SharedBufferManagerParent::RecvAllocat ...) NOT-FOR-US: Mozilla Firefox OS CVE-2015-5961 (The COPPA error page in the Accounts setup dialog in Mozilla Firefox O ...) NOT-FOR-US: Mozilla Firefox OS CVE-2015-5960 (Mozilla Firefox OS before 2.2 allows physically proximate attackers to ...) NOT-FOR-US: Mozilla Firefox OS CVE-2015-6520 (IPPUSBXD before 1.22 listens on all interfaces, which allows remote at ...) - ippusbxd 1.22-1 (bug #795162) NOTE: http://www.openwall.com/lists/oss-security/2015/08/11/1 NOTE: https://github.com/tillkamppeter/ippusbxd/commit/46844402bca7a38fc224483ba6f0a93c4613203f NOTE: https://github.com/tillkamppeter/ippusbxd/commit/a632841f8e65d402e13e81921515f5a1e2736c82 CVE-2015-XXXX [publicfile-installer: insecure use of /tmp] - publicfile-installer 0.11-1 (bug #795062) CVE-2015-XXXX [net/http: broken trailers don't close a server connection] - golang 2:1.4.3-1 [jessie] - golang (Minor issue) [wheezy] - golang (Minor issue) NOTE: https://github.com/golang/go/issues/12027 NOTE: https://github.com/golang/go/commit/26049f6f9171d1190f3bbe05ec304845cfe6399f NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/08/06/2 CVE-2015-6251 (Double free vulnerability in GnuTLS before 3.3.17 and 3.4.x before 3.4 ...) {DSA-3334-1} - gnutls28 3.3.17-1 (bug #795068) - gnutls26 (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2015/08/10/1 NOTE: https://gitlab.com/gnutls/gnutls/commit/272854367efc130fbd4f1a51840d80c630214e12 NOTE: http://www.gnutls.org/security.html#GNUTLS-SA-2015-3 NOTE: _gnutls_x509_dn_to_string() introduced in 3.1.10 via: NOTE: https://gitlab.com/gnutls/gnutls/commit/6be35136333b5d6289f23209cf896e741462909a CVE-2015-5958 (phpFileManager 0.9.8 allows remote attackers to execute arbitrary comm ...) NOT-FOR-US: phpFileManager CVE-2015-5956 (The sanitizeLocalUrl function in TYPO3 6.x before 6.2.15, 7.x before 7 ...) - typo3-src [wheezy] - typo3-src (See DSA 3314) [squeeze] - typo3-src (not supported in squeeze-lts) NOTE: http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-009/ CVE-2015-5955 (ownCloud iOS app before 3.4.4 does not properly switch state between m ...) NOT-FOR-US: ownCloud iOS app CVE-2015-5954 (The virtual filesystem in ownCloud Server before 6.0.9, 7.0.x before 7 ...) {DSA-3373-1} - owncloud 7.0.7~dfsg-1 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-011 CVE-2015-5953 (Cross-site scripting (XSS) vulnerability in the activity application i ...) {DSA-3373-1} - owncloud 7.0.6+dfsg-1 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-010 CVE-2015-5952 (Directory traversal vulnerability in Thomson Reuters for FATCA before ...) NOT-FOR-US: Thomson Reuters FATCA CVE-2015-5951 (A file upload issue exists in the specid parameter in Thomson Reuters ...) NOT-FOR-US: Thomson Reuters FATCA CVE-2015-5950 (The NVIDIA display driver R352 before 353.82 and R340 before 341.81 on ...) - nvidia-graphics-drivers 340.93-1 (bug #800566) [jessie] - nvidia-graphics-drivers (Non-free not supported) [wheezy] - nvidia-graphics-drivers (Non-free not supported) [squeeze] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-304xx 304.128-5 [jessie] - nvidia-graphics-drivers-legacy-304xx 304.128-1 CVE-2015-5949 (VideoLAN VLC media player 2.2.1 allows remote attackers to cause a den ...) {DSA-3342-1} - vlc 2.2.1-3 (bug #796255) [wheezy] - vlc (Vulnerability introduced by later changes) [squeeze] - vlc (Vulnerability introduced by later changes) NOTE: https://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=ce91452460a75d7424b165c4dc8db98114c3cbd9;hp=9e12195d3e4316278af1fa4bcb6a705ff27456fd NOTE: http://www.ocert.org/advisories/ocert-2015-009.html CVE-2015-5948 (Race condition in SuiteCRM before 7.2.3 allows remote attackers to exe ...) NOT-FOR-US: SuiteCRM CVE-2015-5947 (SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary cod ...) NOT-FOR-US: SuiteCRM CVE-2015-5946 (Incomplete blacklist vulnerability in SuiteCRM 7.2.2 allows remote aut ...) NOT-FOR-US: SugarCRM CVE-2015-5945 (The Sandbox subsystem in Apple OS X before 10.11.1 allows local users ...) NOT-FOR-US: Apple CVE-2015-5944 (CoreText in Apple OS X before 10.11.1 allows remote attackers to execu ...) NOT-FOR-US: Apple CVE-2015-5943 (SecurityAgent in Apple OS X before 10.11.1 does not prevent synthetic ...) NOT-FOR-US: Apple CVE-2015-5942 (FontParser in Apple iOS before 9.1, OS X before 10.11.1, and watchOS b ...) NOT-FOR-US: Apple CVE-2015-5941 REJECTED CVE-2015-5940 (The Accelerate Framework component in Apple iOS before 9.1 and OS X be ...) NOT-FOR-US: Apple CVE-2015-5939 (ImageIO in Apple iOS before 9.1, OS X before 10.11.1, and watchOS befo ...) NOT-FOR-US: Apple CVE-2015-5938 (ImageIO in Apple OS X before 10.11.1 allows remote attackers to execut ...) NOT-FOR-US: Apple CVE-2015-5937 (ImageIO in Apple iOS before 9.1, OS X before 10.11.1, and watchOS befo ...) NOT-FOR-US: Apple CVE-2015-5936 (ImageIO in Apple iOS before 9.1, OS X before 10.11.1, and watchOS befo ...) NOT-FOR-US: Apple CVE-2015-5935 (ImageIO in Apple iOS before 9.1, OS X before 10.11.1, and watchOS befo ...) NOT-FOR-US: Apple CVE-2015-5934 (Audio in Apple OS X before 10.11.1 allows remote attackers to execute ...) NOT-FOR-US: Apple CVE-2015-5933 (Audio in Apple OS X before 10.11.1 allows remote attackers to execute ...) NOT-FOR-US: Apple CVE-2015-5932 (The kernel in Apple OS X before 10.11.1 allows local users to gain pri ...) NOT-FOR-US: Apple CVE-2015-5931 (WebKit, as used in Apple Safari before 9.0.1 and iTunes before 12.3.1, ...) NOT-FOR-US: Webkit as used by Apple CVE-2015-5930 (WebKit, as used in Apple iOS before 9.1, Safari before 9.0.1, and iTun ...) NOT-FOR-US: Apple CVE-2015-5929 (WebKit, as used in Apple iOS before 9.1, Safari before 9.0.1, and iTun ...) NOT-FOR-US: Apple CVE-2015-5928 (WebKit, as used in Apple iOS before 9.1, Safari before 9.0.1, and iTun ...) NOT-FOR-US: Apple CVE-2015-5927 (FontParser in Apple iOS before 9.1, OS X before 10.11.1, and watchOS b ...) NOT-FOR-US: Apple CVE-2015-5926 (The CoreGraphics component in Apple iOS before 9.1, OS X before 10.11. ...) NOT-FOR-US: Apple CVE-2015-5925 (The CoreGraphics component in Apple iOS before 9.1, OS X before 10.11. ...) NOT-FOR-US: Apple CVE-2015-5924 (The OpenGL implementation in Apple iOS before 9.1 and OS X before 10.1 ...) NOT-FOR-US: Apple CVE-2015-5923 (Apple iOS before 9.0.2 does not properly restrict the options availabl ...) NOT-FOR-US: Apple CVE-2015-5922 (Unspecified vulnerability in International Components for Unicode (ICU ...) NOT-FOR-US: Apple CVE-2015-5921 (WebKit in Apple iOS before 9 mishandles "Content-Disposition: attachme ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5920 (The Software Update component in Apple iTunes before 12.3 does not pro ...) NOT-FOR-US: Apple CVE-2015-5919 (GasGauge in Apple watchOS before 2 allows local users to gain privileg ...) NOT-FOR-US: Apple watchOS CVE-2015-5918 (GasGauge in Apple watchOS before 2 allows local users to gain privileg ...) NOT-FOR-US: Apple watchOS CVE-2015-5917 (The glob implementation in tnftpd (formerly lukemftpd), as used in App ...) NOT-FOR-US: Apple CVE-2015-5916 (The Apple Pay component in Apple iOS before 9 allows remote terminals ...) NOT-FOR-US: Apple CVE-2015-5915 (Apple OS X before 10.11 does not ensure that the keychain's lock state ...) NOT-FOR-US: Apple CVE-2015-5914 (The EFI component in Apple OS X before 10.11 allows physically proxima ...) NOT-FOR-US: Apple CVE-2015-5913 (Heimdal, as used in Apple OS X before 10.11, allows remote attackers t ...) NOT-FOR-US: Apple CVE-2015-5912 (The CFNetwork FTPProtocol component in Apple iOS before 9 allows remot ...) NOT-FOR-US: Apple CVE-2015-5911 (Multiple unspecified vulnerabilities in Twisted in Wiki Server in Appl ...) NOT-FOR-US: Apple CVE-2015-5910 (IDE Xcode Server in Apple Xcode before 7.0 does not ensure that server ...) NOT-FOR-US: Apple CVE-2015-5909 (IDE Xcode Server in Apple Xcode before 7.0 does not properly restrict ...) NOT-FOR-US: Apple CVE-2015-5908 REJECTED CVE-2015-5907 (WebKit in Apple iOS before 9 allows man-in-the-middle attackers to con ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5906 (The HTML form implementation in WebKit in Apple iOS before 9 does not ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5905 (Safari in Apple iOS before 9 allows remote attackers to spoof the rela ...) NOT-FOR-US: Apple CVE-2015-5904 (Safari in Apple iOS before 9 allows remote attackers to spoof the rela ...) NOT-FOR-US: Apple CVE-2015-5903 (The kernel in Apple iOS before 9 allows local users to gain privileges ...) NOT-FOR-US: Apple CVE-2015-5902 (The debugging feature in the kernel in Apple OS X before 10.11 mismana ...) NOT-FOR-US: Apple CVE-2015-5901 (The Secure Empty Trash feature in Finder in Apple OS X before 10.11 im ...) NOT-FOR-US: Apple CVE-2015-5900 (The protected range register in the EFI component in Apple OS X before ...) NOT-FOR-US: Apple CVE-2015-5899 (libpthread in the kernel in Apple iOS before 9 allows local users to g ...) NOT-FOR-US: Apple CVE-2015-5898 (CFNetwork in Apple iOS before 9 relies on the hardware UID for its cac ...) NOT-FOR-US: Apple CVE-2015-5897 (The Address Book framework in Apple OS X before 10.11 allows local use ...) NOT-FOR-US: Apple CVE-2015-5896 (The kernel in Apple iOS before 9 allows local users to gain privileges ...) NOT-FOR-US: Apple CVE-2015-5895 (Multiple unspecified vulnerabilities in SQLite before 3.8.10.2, as use ...) NOT-FOR-US: Apple CVE-2015-5894 (The X.509 certificate-trust implementation in Apple OS X before 10.11 ...) NOT-FOR-US: Apple CVE-2015-5893 (SMBClient in SMB in Apple OS X before 10.11 allows local users to obta ...) NOT-FOR-US: Apple CVE-2015-5892 (Siri in Apple iOS before 9 allows physically proximate attackers to by ...) NOT-FOR-US: Apple CVE-2015-5891 (The SMB implementation in the kernel in Apple OS X before 10.11 allows ...) NOT-FOR-US: Apple CVE-2015-5890 (IOGraphics in Apple OS X before 10.11 allows local users to gain privi ...) NOT-FOR-US: Apple CVE-2015-5889 (rsh in the remote_cmds component in Apple OS X before 10.11 allows loc ...) NOT-FOR-US: Apple CVE-2015-5888 (The Install Framework Legacy component in Apple OS X before 10.11 allo ...) NOT-FOR-US: Apple CVE-2015-5887 (The TLS Handshake Protocol implementation in Secure Transport in Apple ...) NOT-FOR-US: Apple CVE-2015-5886 REJECTED CVE-2015-5885 (The CFNetwork Cookies component in Apple iOS before 9 allows remote at ...) NOT-FOR-US: Apple CVE-2015-5884 (The Mail Drop feature in Mail in Apple OS X before 10.11 mishandles en ...) NOT-FOR-US: Apple CVE-2015-5883 (The bidirectional text-display and text-selection implementations in T ...) NOT-FOR-US: Apple CVE-2015-5882 (The processor_set_tasks API implementation in Apple iOS before 9 allow ...) NOT-FOR-US: Apple CVE-2015-5881 REJECTED CVE-2015-5880 (CoreAnimation in Apple iOS before 9 allows attackers to bypass intende ...) NOT-FOR-US: Apple CVE-2015-5879 (XNU in the kernel in Apple iOS before 9 does not properly validate the ...) NOT-FOR-US: Apple CVE-2015-5878 (Notes in Apple OS X before 10.11 misparses links, which allows local u ...) NOT-FOR-US: Apple CVE-2015-5877 (The Intel Graphics Driver component in Apple OS X before 10.11 allows ...) NOT-FOR-US: Apple CVE-2015-5876 (dyld in Dev Tools in Apple iOS before 9 allows attackers to execute ar ...) NOT-FOR-US: Apple CVE-2015-5875 (Cross-site scripting (XSS) vulnerability in Notes in Apple OS X before ...) NOT-FOR-US: Apple CVE-2015-5874 (CoreText in Apple iOS before 9 and iTunes before 12.3 allows remote at ...) NOT-FOR-US: Apple CVE-2015-5873 (IOGraphics in Apple OS X before 10.11 allows local users to gain privi ...) NOT-FOR-US: Apple CVE-2015-5872 (IOGraphics in Apple OS X before 10.11 allows local users to gain privi ...) NOT-FOR-US: Apple CVE-2015-5871 (IOGraphics in Apple OS X before 10.11 allows local users to gain privi ...) NOT-FOR-US: Apple CVE-2015-5870 (The debugging interfaces in the kernel in Apple OS X before 10.11 allo ...) NOT-FOR-US: Apple CVE-2015-5869 (The Neighbor Discovery (ND) protocol implementation in the IPv6 stack ...) NOT-FOR-US: Apple CVE-2015-5868 (The kernel in Apple iOS before 9 allows local users to gain privileges ...) NOT-FOR-US: Apple CVE-2015-5867 (IOHIDFamily in Apple iOS before 9 allows attackers to execute arbitrar ...) NOT-FOR-US: Apple CVE-2015-5866 (IOHIDFamily in Apple OS X before 10.11 allows attackers to execute arb ...) NOT-FOR-US: Apple CVE-2015-5865 (IOGraphics in Apple OS X before 10.11 allows attackers to obtain sensi ...) NOT-FOR-US: Apple CVE-2015-5864 (IOAudioFamily in Apple OS X before 10.11 allows local users to obtain ...) NOT-FOR-US: Apple CVE-2015-5863 (IOStorageFamily in Apple iOS before 9 does not properly initialize an ...) NOT-FOR-US: Apple CVE-2015-5862 (The Audio component in Apple iOS before 9 allows remote attackers to c ...) NOT-FOR-US: Apple CVE-2015-5861 (SpringBoard in Apple iOS before 9 allows physically proximate attacker ...) NOT-FOR-US: Apple CVE-2015-5860 (The CFNetwork HTTPProtocol component in Apple iOS before 9 mishandles ...) NOT-FOR-US: Apple CVE-2015-5859 (The CFNetwork HTTPProtocol component in Apple iOS before 9 and OS X be ...) NOT-FOR-US: Apple CVE-2015-5858 (The CFNetwork HTTPProtocol component in Apple iOS before 9 allows remo ...) NOT-FOR-US: Apple CVE-2015-5857 (Mail in Apple iOS before 9 allows remote attackers to use an address-b ...) NOT-FOR-US: Apple CVE-2015-5856 (The Application Store component in Apple iOS before 9 allows remote at ...) NOT-FOR-US: Apple CVE-2015-5855 (Apple iOS before 9 allows attackers to discover the e-mail address of ...) NOT-FOR-US: Apple CVE-2015-5854 (The backup implementation in Time Machine in Apple OS X before 10.11 a ...) NOT-FOR-US: Apple CVE-2015-5853 (AirScan in Apple OS X before 10.11 allows man-in-the-middle attackers ...) NOT-FOR-US: Apple CVE-2015-5852 REJECTED CVE-2015-5851 (The convenience initializer in the Multipeer Connectivity component in ...) NOT-FOR-US: Apple CVE-2015-5850 (AppleKeyStore in Apple iOS before 9 allows physically proximate attack ...) NOT-FOR-US: Apple CVE-2015-5849 (The filtering implementation in AppleEvents in Apple OS X before 10.11 ...) NOT-FOR-US: Apple CVE-2015-5848 (IOAcceleratorFamily in Apple iOS before 9 allows local users to gain p ...) NOT-FOR-US: Apple CVE-2015-5847 (The Disk Images component in Apple iOS before 9 allows local users to ...) NOT-FOR-US: Apple CVE-2015-5846 (IOKit in the kernel in Apple iOS before 9 allows attackers to execute ...) NOT-FOR-US: Apple CVE-2015-5845 (IOKit in the kernel in Apple iOS before 9 allows attackers to execute ...) NOT-FOR-US: Apple CVE-2015-5844 (IOKit in the kernel in Apple iOS before 9 allows attackers to execute ...) NOT-FOR-US: Apple CVE-2015-5843 (IOMobileFrameBuffer in Apple iOS before 9 allows local users to gain p ...) NOT-FOR-US: Apple CVE-2015-5842 (XNU in the kernel in Apple iOS before 9 does not properly initialize a ...) NOT-FOR-US: Apple CVE-2015-5841 (The CFNetwork Proxies component in Apple iOS before 9 does not properl ...) NOT-FOR-US: Apple CVE-2015-5840 (The checkint division routines in removefile in Apple iOS before 9 all ...) NOT-FOR-US: Apple CVE-2015-5839 (dyld in Apple iOS before 9 allows attackers to bypass a code-signing p ...) NOT-FOR-US: Apple CVE-2015-5838 (SpringBoard in Apple iOS before 9 does not properly restrict access to ...) NOT-FOR-US: Apple CVE-2015-5837 (PluginKit in Apple iOS before 9 allows attackers to bypass an intended ...) NOT-FOR-US: Apple CVE-2015-5836 (Apple Online Store Kit in Apple OS X before 10.11 improperly validates ...) NOT-FOR-US: Apple CVE-2015-5835 (Apple iOS before 9 allows attackers to obtain sensitive information ab ...) NOT-FOR-US: Apple CVE-2015-5834 (IOAcceleratorFamily in Apple iOS before 9 allows attackers to obtain s ...) NOT-FOR-US: Apple CVE-2015-5833 (The Login Window component in Apple OS X before 10.11 does not ensure ...) NOT-FOR-US: Apple CVE-2015-5832 (The iTunes Store component in Apple iOS before 9 does not properly del ...) NOT-FOR-US: Apple CVE-2015-5831 (NetworkExtension in the kernel in Apple iOS before 9 does not properly ...) NOT-FOR-US: Apple CVE-2015-5830 (The Intel Graphics Driver component in Apple OS X before 10.11 allows ...) NOT-FOR-US: Apple CVE-2015-5829 (Data Detectors Engine in Apple iOS before 9 allows remote attackers to ...) NOT-FOR-US: Apple CVE-2015-5828 (The API in the WebKit Plug-ins component in Apple Safari before 9 does ...) NOT-FOR-US: Apple Safari CVE-2015-5827 (WebKit in Apple iOS before 9 allows remote attackers to bypass the Sam ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5826 (WebKit in Apple iOS before 9 does not properly select the cases in whi ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5825 (WebKit in Apple iOS before 9 does not properly restrict the availabili ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5824 (The NSURL implementation in the CFNetwork SSL component in Apple iOS b ...) NOT-FOR-US: Apple CVE-2015-5823 (WebKit, as used in JavaScriptCore in Apple iOS before 9 and iTunes bef ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5822 (WebKit, as used in JavaScriptCore in Apple iOS before 9 and iTunes bef ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5821 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5820 (WebKit in Apple iOS before 9 allows remote attackers to trigger a dial ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5819 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5818 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5817 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5816 (WebKit, as used in JavaScriptCore in Apple iOS before 9 and iTunes bef ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5815 (WebKit, as used in Apple iTunes before 12.3, allows man-in-the-middle ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5814 (WebKit, as used in JavaScriptCore in Apple iOS before 9 and iTunes bef ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5813 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5812 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5811 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5810 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5809 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5808 (WebKit, as used in Apple iTunes before 12.3, allows man-in-the-middle ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5807 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5806 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5805 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5804 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5803 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5802 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5801 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5800 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5799 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5798 (WebKit, as used in Apple iTunes before 12.3, allows man-in-the-middle ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5797 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5796 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5795 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5794 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5793 (WebKit, as used in JavaScriptCore in Apple iOS before 9 and iTunes bef ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5792 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5791 (WebKit, as used in JavaScriptCore in Apple iOS before 9 and iTunes bef ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5790 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5789 (WebKit, as used in Apple iOS before 9 and iTunes before 12.3, allows r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5788 (The WebKit Canvas implementation in Apple iOS before 9 allows remote a ...) NOT-FOR-US: Apple CVE-2015-5787 (The kernel in Apple iOS before 8.4.1 does not properly restrict debugg ...) NOT-FOR-US: Apple CVE-2015-5786 (Apple QuickTime before 7.7.8 allows remote attackers to execute arbitr ...) NOT-FOR-US: Apple CVE-2015-5785 (Apple QuickTime before 7.7.8 allows remote attackers to execute arbitr ...) NOT-FOR-US: Apple CVE-2015-5784 (runner in Install.framework in the Install Framework Legacy component ...) NOT-FOR-US: Apple OS X CVE-2015-5783 (IOGraphics in Apple OS X before 10.10.5 allows attackers to execute ar ...) NOT-FOR-US: Apple OS X CVE-2015-5782 (ImageIO in Apple iOS before 8.4.1 and OS X before 10.10.5 does not pro ...) NOT-FOR-US: Apple OS X CVE-2015-5781 (ImageIO in Apple iOS before 8.4.1 and OS X before 10.10.5 does not pro ...) NOT-FOR-US: Apple OS X CVE-2015-5780 (The Safari Extensions implementation in Apple Safari before 9 does not ...) NOT-FOR-US: Apple CVE-2015-5779 (QuickTime 7 in Apple OS X before 10.10.5 allows remote attackers to ex ...) NOT-FOR-US: Apple OS X CVE-2015-5778 (CoreMedia Playback in Apple iOS before 8.4.1 and OS X before 10.10.5 a ...) NOT-FOR-US: Apple OS X CVE-2015-5777 (CoreMedia Playback in Apple iOS before 8.4.1 and OS X before 10.10.5 a ...) NOT-FOR-US: Apple OS X CVE-2015-5776 (Libinfo in Apple iOS before 8.4.1 and OS X before 10.10.5 allows remot ...) NOT-FOR-US: Apple CVE-2015-5775 (FontParser in Apple iOS before 8.4.1 and OS X before 10.10.5 allows re ...) NOT-FOR-US: Apple OS X CVE-2015-5774 (Buffer overflow in IOHIDFamily in Apple iOS before 8.4.1 and OS X befo ...) NOT-FOR-US: Apple OS X CVE-2015-5773 (QL Office in Apple iOS before 8.4.1 and OS X before 10.10.5 allows rem ...) NOT-FOR-US: Apple OS X CVE-2015-5772 (Heap-based buffer overflow in SceneKit in Apple OS X before 10.10.5 al ...) NOT-FOR-US: Apple OS X CVE-2015-5771 (Quartz Composer Framework in Apple OS X before 10.10.5 allows remote a ...) NOT-FOR-US: Apple OS X CVE-2015-5770 (MobileInstallation in Apple iOS before 8.4.1 does not ensure the uniqu ...) NOT-FOR-US: Apple OS X CVE-2015-5769 (The MSVDX driver in Apple iOS before 8.4.1 allows remote attackers to ...) NOT-FOR-US: Apple OS X CVE-2015-5768 (AppleGraphicsControl in Apple OS X before 10.10.5 allows attackers to ...) NOT-FOR-US: Apple OS X CVE-2015-5767 (The user interface in Safari in Apple iOS before 9 allows remote attac ...) NOT-FOR-US: Apple CVE-2015-5766 (Directory traversal vulnerability in Air Traffic in Apple iOS before 8 ...) NOT-FOR-US: Apple OS X CVE-2015-5765 (The user interface in Safari in Apple iOS before 9 allows remote attac ...) NOT-FOR-US: Apple CVE-2015-5764 (The user interface in Safari in Apple iOS before 9 allows remote attac ...) NOT-FOR-US: Apple CVE-2015-5763 (ntfs in Apple OS X before 10.10.5 allows local users to gain privilege ...) NOT-FOR-US: Apple OS X CVE-2015-5762 RESERVED CVE-2015-5761 (CoreText in Apple iOS before 8.4.1 and OS X before 10.10.5 allows remo ...) NOT-FOR-US: Apple OS X CVE-2015-5760 REJECTED CVE-2015-5759 (WebKit in Apple iOS before 8.4.1 allows remote attackers to spoof clic ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-5758 (ImageIO in Apple iOS before 8.4.1 and OS X before 10.10.5 allows remot ...) NOT-FOR-US: Apple OS X CVE-2015-5757 (libpthread in Apple iOS before 8.4.1 and OS X before 10.10.5 allows at ...) NOT-FOR-US: Apple CVE-2015-5756 (FontParser in Apple iOS before 8.4.1 and OS X before 10.10.5 allows re ...) NOT-FOR-US: Apple OS X CVE-2015-5755 (CoreText in Apple iOS before 8.4.1 and OS X before 10.10.5 allows remo ...) NOT-FOR-US: Apple OS X CVE-2015-5754 (Race condition in runner in Install.framework in the Install Framework ...) NOT-FOR-US: Apple OS X CVE-2015-5753 (QuickTime 7 in Apple OS X before 10.10.5 allows remote attackers to ex ...) NOT-FOR-US: Apple OS X CVE-2015-5752 (Backup in Apple iOS before 8.4.1 allows attackers to bypass intended r ...) NOT-FOR-US: Apple OS X CVE-2015-5751 (QuickTime 7 in Apple OS X before 10.10.5 allows remote attackers to ex ...) NOT-FOR-US: Apple OS X CVE-2015-5750 (Data Detectors Engine in Apple OS X before 10.10.5 allows attackers to ...) NOT-FOR-US: Apple OS X CVE-2015-5749 (The Sandbox_profiles component in Apple iOS before 8.4.1 allows attack ...) NOT-FOR-US: Apple OS X CVE-2015-5748 (The kernel in Apple OS X before 10.10.5 does not properly mount HFS vo ...) NOT-FOR-US: Apple OS X CVE-2015-5747 (The fasttrap driver in the kernel in Apple OS X before 10.10.5 allows ...) NOT-FOR-US: Apple OS X CVE-2015-5746 (AppleFileConduit in Apple iOS before 8.4.1 allows attackers to bypass ...) NOT-FOR-US: Apple OS X CVE-2015-5744 RESERVED CVE-2015-5743 RESERVED CVE-2015-5742 (VeeamVixProxy in Veeam Backup & Replication (B&R) before 8.0 u ...) NOT-FOR-US: Veeam CVE-2015-5738 (The RSA-CRT implementation in the Cavium Software Development Kit (SDK ...) - openssl (OpenSSL upstream is not affected) CVE-2015-5959 (Froxlor before 0.9.33.2 with the default configuration/setup might all ...) - froxlor (bug #581792) CVE-2015-5957 (Buffer overflow in the DumpSysVar function in var.c in Remind before 3 ...) {DLA-289-1} - remind 03.01.15-1 (unimportant) NOTE: Non-exploitable starting with Wheezy due to D_FORTIFY_SOURCE CVE-2015-5745 (Buffer overflow in the send_control_msg function in hw/char/virtio-ser ...) {DSA-3349-1 DSA-3348-1} - qemu 1:2.4+dfsg-1a (bug #795087) [wheezy] - qemu 1.1.2+dfsg-6a+deb7u9 [squeeze] - qemu (Vulnerable code introduced later) - qemu-kvm [squeeze] - qemu-kvm (Vulnerable code introduced later) NOTE: http://www.openwall.com/lists/oss-security/2015/08/06/3 NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=7882080388be5088e72c425b02223c02e6cb4295 (v2.4.0-rc3) NOTE: Introduced in: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=98b19252cf1bd97c54bc4613f3537c5ec0aae263 (v0.13.0-rc0) NOTE: Patch for wheezy needs change since uses iov_from_buf: NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=dcf6f5e15ecee4f593eeacbe0591c1addc004d92 NOTE: iov_* function changed in http://git.qemu.org/?p=qemu.git;a=commitdiff;h=2278a69e7020d86a8c73a28474e7709d3e7d5081 (v1.2.0-rc0) CVE-2015-5737 (The (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys, (4) md ...) NOT-FOR-US: Fortinet CVE-2015-5736 (The Fortishield.sys driver in Fortinet FortiClient before 5.2.4 allows ...) NOT-FOR-US: Fortinet CVE-2015-5735 (The (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys, and (4 ...) NOT-FOR-US: Fortinet CVE-2015-5729 (The Soft Access Point (AP) feature in Samsung Smart TVs X10P, X12, X14 ...) NOT-FOR-US: Samsung CVE-2015-5728 RESERVED CVE-2015-5727 (The BER decoder in Botan 1.10.x before 1.10.10 and 1.11.x before 1.11. ...) {DSA-3565-1 DLA-449-1} - botan1.10 1.10.10-1 NOTE: Fixed in 1.11.19 and 1.10.10, affected all previous versions of 1.10 and 1.11 NOTE: http://botan.randombit.net/security.html CVE-2015-5726 (The BER decoder in Botan 0.10.x before 1.10.10 and 1.11.x before 1.11. ...) {DSA-3565-1 DLA-449-1} - botan1.10 1.10.10-1 NOTE: Fixed in 1.11.19 and 1.10.10, affected all previous versions of 1.10 and 1.11 NOTE: http://botan.randombit.net/security.html CVE-2015-5725 (SQL injection vulnerability in the offset method in the Active Record ...) - codeigniter (bug #471583) CVE-2014-9742 (The Miller-Rabin primality check in Botan before 1.10.8 and 1.11.x bef ...) {DLA-449-1} - botan1.10 1.10.8-1 NOTE: Introduced in 1.8.3, fixed in 1.10.8 and 1.11.9 NOTE: http://botan.randombit.net/security.html CVE-2015-5741 (The net/http library in net/http/transfer.go in Go before 1.4.3 does n ...) - golang 2:1.4.2-4 (bug #795106) [jessie] - golang (Minor issue) [wheezy] - golang (Minor issue) NOTE: https://github.com/golang/go/commit/300d9a21583e7cf0149a778a0611e76ff7c6680f NOTE: https://github.com/golang/go/commit/143822585e32449860e624cace9d2e521deee62e CVE-2015-5740 (The net/http library in net/http/transfer.go in Go before 1.4.3 does n ...) - golang 2:1.4.2-4 (bug #795106) [jessie] - golang (Minor issue) [wheezy] - golang (Minor issue) NOTE: https://github.com/golang/go/commit/300d9a21583e7cf0149a778a0611e76ff7c6680f NOTE: https://github.com/golang/go/commit/143822585e32449860e624cace9d2e521deee62e CVE-2015-5739 (The net/http library in net/textproto/reader.go in Go before 1.4.3 doe ...) - golang 2:1.4.2-4 (bug #795106) [jessie] - golang (Minor issue) [wheezy] - golang (Minor issue) NOTE: https://github.com/golang/go/commit/117ddcb83d7f42d6aa72241240af99ded81118e9 CVE-2015-5724 RESERVED CVE-2015-5722 (buffer.c in named in ISC BIND 9.x before 9.9.7-P3 and 9.10.x before 9. ...) {DSA-3350-1 DLA-308-1} - bind9 1:9.9.5.dfsg-12 NOTE: https://kb.isc.org/article/AA-01287 CVE-2015-5721 (Malware Information Sharing Platform (MISP) before 2.3.90 allows remot ...) NOT-FOR-US: Malware Information Sharing Platform CVE-2015-5720 (Multiple cross-site scripting (XSS) vulnerabilities in the template-cr ...) NOT-FOR-US: Malware Information Sharing Platform CVE-2015-5719 (app/Controller/TemplatesController.php in Malware Information Sharing ...) NOT-FOR-US: Malware Information Sharing Platform CVE-2015-5718 (Stack-based buffer overflow in the handle_debug_network function in th ...) NOT-FOR-US: Websense Content Gateway CVE-2015-5734 (Cross-site scripting (XSS) vulnerability in the legacy theme preview i ...) {DSA-3383-1 DSA-3332-1 DLA-294-1} - wordpress 4.2.4+dfsg-1 (bug #794560) NOTE: https://core.trac.wordpress.org/changeset/33549 CVE-2015-5733 (Cross-site scripting (XSS) vulnerability in the refreshAdvancedAccessi ...) - wordpress 4.2.4+dfsg-1 (bug #794560) [jessie] - wordpress 4.1+dfsg-1+deb8u1 [wheezy] - wordpress 3.6.1+dfsg-1~deb7u6 [squeeze] - wordpress 3.6.1+dfsg-1~deb6u6 NOTE: For jessie and wheezy the fix was already contained NOTE: in a previous update. The the same was included in NOTE: the fix with cs32176_dashboard_esc_titles NOTE: but the issue apparently later reintroduced NOTE: https://core.trac.wordpress.org/changeset/33540 NOTE: https://core.trac.wordpress.org/changeset/33541 CVE-2015-5732 (Cross-site scripting (XSS) vulnerability in the form function in the W ...) {DSA-3383-1 DSA-3332-1 DLA-294-1} - wordpress 4.2.4+dfsg-1 (bug #794560) NOTE: https://core.trac.wordpress.org/changeset/33529 CVE-2015-5731 (Cross-site request forgery (CSRF) vulnerability in wp-admin/post.php i ...) {DSA-3383-1 DSA-3332-1 DLA-294-1} - wordpress 4.2.4+dfsg-1 (bug #794560) NOTE: https://core.trac.wordpress.org/changeset/33542 NOTE: https://core.trac.wordpress.org/changeset/33543 CVE-2015-5730 (The sanitize_widget_instance function in wp-includes/class-wp-customiz ...) {DSA-3332-1} - wordpress 4.2.4+dfsg-1 (bug #794560) [squeeze] - wordpress (Vulnerable code introduced later) [wheezy] - wordpress (Vulnerable code introduced later) NOTE: https://core.trac.wordpress.org/changeset/33535 NOTE: https://core.trac.wordpress.org/changeset/33536 CVE-2015-5717 (The Siemens COMPAS Mobile application before 1.6 for Android does not ...) NOT-FOR-US: Siemens CVE-2015-5716 RESERVED CVE-2015-5715 (The mw_editPost function in wp-includes/class-wp-xmlrpc-server.php in ...) {DSA-3383-1 DSA-3375-1 DLA-321-1} - wordpress 4.3.1+dfsg-1 (bug #799140) NOTE: https://wordpress.org/news/2015/09/wordpress-4-3-1/ NOTE: https://github.com/WordPress/WordPress/commit/9c57f3a4291f2311ae05f22c10eedeb0f69337ab CVE-2015-5714 (Cross-site scripting (XSS) vulnerability in WordPress before 4.3.1 all ...) {DSA-3383-1 DSA-3375-1 DLA-321-1} - wordpress 4.3.1+dfsg-1 (bug #799140) NOTE: https://wordpress.org/news/2015/09/wordpress-4-3-1/ NOTE: https://github.com/WordPress/WordPress/commit/f72b21af23da6b6d54208e5c1d65ececdaa109c8 CVE-2015-5713 (Spotfire Parsing Library and Spotfire Security Filter in TIBCO Spotfir ...) NOT-FOR-US: TIBCO CVE-2015-5712 (Spotfire Parsing Library and Spotfire Security Filter in TIBCO Spotfir ...) NOT-FOR-US: TIBCO CVE-2015-5711 (TIBCO Managed File Transfer Internet Server before 7.2.5, Managed File ...) NOT-FOR-US: TIBCO CVE-2015-5710 RESERVED CVE-2015-5709 RESERVED CVE-2015-5708 RESERVED CVE-2015-5703 (SQL injection vulnerability in the public key discovery API call in Op ...) NOT-FOR-US: Open-Xchange CVE-2015-8395 (PCRE before 8.38 mishandles certain references, which allows remote at ...) - pcre3 2:8.38-1 [jessie] - pcre3 2:8.35-3.3+deb8u2 [wheezy] - pcre3 (Vulnerable code introduced later) [squeeze] - pcre3 (Vulnerable code introduced later) NOTE: Fixed in 8.38 NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1594 NOTE: related issue to CVE-2015-8384 and CVE-2015-8392 NOTE: Same fix as used for CVE-2015-8381 CVE-2015-8394 (PCRE before 8.38 mishandles the (?(<digits>) and (?(R<digits& ...) - pcre3 2:8.38-1 [jessie] - pcre3 2:8.35-3.3+deb8u2 [wheezy] - pcre3 (Minor issue) [squeeze] - pcre3 (Minor issue) NOTE: Fixed in 8.38 NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1589 CVE-2015-8393 (pcregrep in PCRE before 8.38 mishandles the -q option for binary files ...) - pcre3 2:8.38-1 [jessie] - pcre3 2:8.35-3.3+deb8u2 [wheezy] - pcre3 (Minor issue) [squeeze] - pcre3 (Minor issue) NOTE: Fixed in 8.38 NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1586 CVE-2015-8392 (PCRE before 8.38 mishandles certain instances of the (?| substring, wh ...) - pcre3 2:8.38-1 [jessie] - pcre3 2:8.35-3.3+deb8u2 [wheezy] - pcre3 (Vulnerable code introduced later) [squeeze] - pcre3 (Vulnerable code introduced later) NOTE: Fixed in 8.38 NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1585 NOTE: related issue to CVE-2015-8384 and CVE-2015-8395 CVE-2015-8391 (The pcre_compile function in pcre_compile.c in PCRE before 8.38 mishan ...) - pcre3 2:8.38-1 [jessie] - pcre3 2:8.35-3.3+deb8u2 [wheezy] - pcre3 (Minor issue) [squeeze] - pcre3 (Vulnerable code introduced later) NOTE: Fixed in 8.38 NOTE: Fixed by: http://vcs.pcre.org/pcre?view=revision&revision=1579 NOTE: First bad commit: http://vcs.pcre.org/pcre?view=revision&revision=640 CVE-2015-8390 (PCRE before 8.38 mishandles the [: and \\ substrings in character clas ...) - pcre3 2:8.38-1 [jessie] - pcre3 2:8.35-3.3+deb8u2 [wheezy] - pcre3 (Minor issue) [squeeze] - pcre3 (Minor issue) NOTE: Fixed in 8.38 NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1578 CVE-2015-8389 (PCRE before 8.38 mishandles the /(?:|a|){100}x/ pattern and related pa ...) - pcre3 2:8.38-1 [jessie] - pcre3 2:8.35-3.3+deb8u2 [wheezy] - pcre3 (Vulnerable code not present) [squeeze] - pcre3 (Vulnerable code not present) NOTE: Fixed in 8.38 NOTE: Fixed by: http://vcs.pcre.org/pcre?view=revision&revision=1577 NOTE: First bad commit: http://vcs.pcre.org/pcre?view=revision&revision=1440 NOTE: Only after r1577 looks like there is another new issue (stack-buffer-underflow, READ of size 4 when running PoC) CVE-2015-8388 (PCRE before 8.38 mishandles the /(?=di(?<=(?1))|(?=(.))))/ pattern ...) - pcre3 2:8.35-7 [jessie] - pcre3 2:8.35-3.3+deb8u1 [wheezy] - pcre3 (Minor issue) [squeeze] - pcre3 (Minor issue) NOTE: https://bugs.exim.org/show_bug.cgi?id=1651 NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1571 NOTE: Fixed in 8.38 NOTE: Different issue than CVE-2015-5073 but same fixing commit CVE-2015-8387 (PCRE before 8.38 mishandles (?123) subroutine calls and related subrou ...) - pcre3 2:8.38-1 [jessie] - pcre3 2:8.35-3.3+deb8u2 [wheezy] - pcre3 (Minor issue) [squeeze] - pcre3 (Minor issue) NOTE: Fixed in 8.38 NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1563 CVE-2015-8386 (PCRE before 8.38 mishandles the interaction of lookbehind assertions a ...) - pcre3 2:8.38-1 [jessie] - pcre3 2:8.35-3.3+deb8u2 [wheezy] - pcre3 (Vulnerable code introduced later) [squeeze] - pcre3 (Vulnerable code introduced later) NOTE: Fixed in 8.38 NOTE: Fixed by: http://vcs.pcre.org/pcre?view=revision&revision=1560 NOTE: Reproducer fails starting from at least http://vcs.pcre.org/pcre?view=revision&revision=1379 NOTE: but the patched code is as well already present in wheezy at least. CVE-2015-8385 (PCRE before 8.38 mishandles the /(?|(\k'Pm')|(?'Pm'))/ pattern and rel ...) - pcre3 2:8.38-1 [jessie] - pcre3 2:8.35-3.3+deb8u2 [wheezy] - pcre3 (Minor issue) [squeeze] - pcre3 (Minor issue) NOTE: Fixed in 8.38 NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1559 CVE-2015-8384 (PCRE before 8.38 mishandles the /(?J)(?'d'(?'d'\g{d}))/ pattern and re ...) - pcre3 2:8.35-7.2 [jessie] - pcre3 2:8.35-3.3+deb8u1 [wheezy] - pcre3 (Vulnerable code introduced later) [squeeze] - pcre3 (Vulnerable code introduced later) NOTE: https://bugs.exim.org/show_bug.cgi?id=1636 NOTE: related issue to CVE-2015-8392 and CVE-2015-8395 NOTE: Fixed in 8.38 NOTE: Fixed by http://vcs.pcre.org/pcre?view=revision&revision=1558 NOTE: Same fixing commit as CVE-2015-3210 but different issues CVE-2015-8383 (PCRE before 8.38 mishandles certain repeated conditional groups, which ...) - pcre3 2:8.38-1 [jessie] - pcre3 2:8.35-3.3+deb8u2 [wheezy] - pcre3 (vulnerable coded introduce in 8.34) [squeeze] - pcre3 (vulnerable code introduced in 8.34) NOTE: Fixed in 8.38 NOTE: http://www.openwall.com/lists/oss-security/2015/11/29/1 NOTE: Fixed by http://vcs.pcre.org/pcre?view=revision&revision=1557 NOTE: Introduced by/first bad commit: http://vcs.pcre.org/pcre?view=revision&revision=1365 CVE-2015-8382 (The match function in pcre_exec.c in PCRE before 8.37 mishandles the / ...) - pcre3 2:8.35-7.2 (bug #794589) [jessie] - pcre3 2:8.35-3.3+deb8u2 [wheezy] - pcre3 (Minor issue) [squeeze] - pcre3 (Minor issue) NOTE: http://vcs.pcre.org/pcre/code/trunk/pcre_exec.c?r1=1502&r2=1510 NOTE: https://bugs.exim.org/show_bug.cgi?id=1537 NOTE: Fixed upstream in upstream release pcre-8.37 NOTE: http://www.openwall.com/lists/oss-security/2015/08/04/2 CVE-2015-XXXX [more to CVE-2015-2059] - libidn 1.32-1 [jessie] - libidn 1.29-1+deb8u1 [wheezy] - libidn 1.25-2+deb7u1 [squeeze] - libidn 1.15-2+deb6u2 NOTE: Introduced by fix for CVE-2015-2059 NOTE: https://lists.gnu.org/archive/html/help-libidn/2015-07/msg00026.html NOTE: Patch: http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=58c721ac2dc96bccd737f3f544f3a22a50477bbf NOTE: Testcase: http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=c261018477f971d274dee305d27f8bff4afd4238 NOTE: squeeze-tagged entry as temporary workaround until CVE assigned for issue solved in DLA-291-1 CVE-2015-XXXX [Sidekiq::Web lacks CSRF protection] - ruby-sidekiq 3.4.2~dfsg-3 [jessie] - ruby-sidekiq (Minor issue) NOTE: https://github.com/mperham/sidekiq/pull/2422 NOTE: Fixed by https://github.com/mperham/sidekiq/commit/cf3c43b2410c4573e05ac119494e41115f4140ad NOTE: Fix released in sidekiq 3.4.2 NOTE: Follow-up fix: https://github.com/mperham/sidekiq/commit/75a3524c919857aac16e0541b0cb107f48d00694 NOTE: Follow-up commit not included in 3.4.2~dfsg-1 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/08/01/2 CVE-2015-XXXX [XSS via job arguments display class in Sidekiq::Web] - ruby-sidekiq 3.4.2~dfsg-3 [jessie] - ruby-sidekiq (Minor issue) NOTE: https://github.com/mperham/sidekiq/pull/2309 NOTE: Fixed by https://github.com/mperham/sidekiq/commit/54766f336620ca0ce3b0b87a7a56382496e64b61 NOTE: Fix released in sidekiq 3.4.0 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/08/01/2 CVE-2015-XXXX [XSS via queue name in Sidekiq::Web] - ruby-sidekiq 3.4.2~dfsg-3 [jessie] - ruby-sidekiq (Minor issue) NOTE: https://github.com/mperham/sidekiq/issues/2330 NOTE: Fixed by https://github.com/mperham/sidekiq/commit/2178d66b6686fbf4430223c34c184a64c9906828 NOTE: Fix released in sidekiq 3.4.0 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/08/01/2 CVE-2015-5707 (Integer overflow in the sg_start_req function in drivers/scsi/sg.c in ...) {DSA-3329-1 DLA-310-1} - linux 4.1.3-1 - linux-2.6 NOTE: http://www.openwall.com/lists/oss-security/2015/08/01/6 NOTE: Probably introduced in https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=10db10d144c0248f285242f79daf6b9de6b00a62 (v2.6.28-rc1) NOTE: Fixed by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=451a2886b6bf90e2fb378f7c46c655450fb96e81 (v4.1-rc1) NOTE: Fixed by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=fdc81f45e9f57858da6351836507fbcf1b7583ee (v4.1-rc1) CVE-2015-5706 (Use-after-free vulnerability in the path_openat function in fs/namei.c ...) - linux 4.0.4-1 [jessie] - linux 3.16.7-ckt11-1+deb8u3 [wheezy] - linux (Introduced in v3.11-rc1) - linux-2.6 (Introduced in v3.11-rc1) NOTE: http://www.openwall.com/lists/oss-security/2015/08/01/5 NOTE: Introduced by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=60545d0d4610b02e55f65d141c95b18ccf855b6e (v3.11-rc1) NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f15133df088ecadd141ea1907f2c96df67c729f0 (v4.1-rc3) CVE-2014-9939 (ihex.c in GNU Binutils before 2.26 contains a stack buffer overflow wh ...) {DLA-552-1 DLA-324-1} - binutils 2.25.90.20151125-1 [jessie] - binutils (Minor issue) - gdb 7.10-1 (unimportant) NOTE: http://www.openwall.com/lists/oss-security/2015/07/31/6 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=18750 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=7e27a9d5f22f9f7ead11738b1546d0b5c737266b CVE-2015-5702 RESERVED CVE-2002-2446 (GE Healthcare Millennium MG, NC, and MyoSIGHT has a password of insite ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2015-5705 (Argument injection vulnerability in devscripts before 2.15.7 allows re ...) - devscripts 2.15.8 (bug #794365) [jessie] - devscripts (Vulnerable code not present) [wheezy] - devscripts (Vulnerable code not present) [squeeze] - devscripts (Vulnerable code not present) NOTE: Introduced in https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=025ad4ea8ba92d32bd698a83149f782c17f78bf0 (v2.15.5) CVE-2015-5704 (scripts/licensecheck.pl in devscripts before 2.15.7 allows local users ...) - devscripts 2.15.7 (bug #794260) [jessie] - devscripts (Vulnerable code not present) [wheezy] - devscripts (Vulnerable code not present) [squeeze] - devscripts (Vulnerable code not present) NOTE: Introduced in https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=025ad4ea8ba92d32bd698a83149f782c17f78bf0 (v2.15.5) NOTE: http://www.openwall.com/lists/oss-security/2015/08/01/1 CVE-2015-5699 (The Switch Configuration Tools Backend (clcmd_server) in Cumulus Linux ...) NOT-FOR-US: Cumulus Linux NOTE: https://lists.cumulusnetworks.com/pipermail/cumulus-security-announce/2015-July/000002.html CVE-2015-5698 (Cross-site request forgery (CSRF) vulnerability in the web server on S ...) NOT-FOR-US: Siemens CVE-2015-5696 (Dell Netvault Backup before 10.0.5 allows remote attackers to cause a ...) NOT-FOR-US: Dell Netvault Backup CVE-2015-5693 (The management console on Symantec Web Gateway (SWG) appliances with s ...) NOT-FOR-US: Symantec Web Gateway CVE-2015-5692 (admin_messages.php in the management console on Symantec Web Gateway ( ...) NOT-FOR-US: Symantec Web Gateway CVE-2015-5691 (Multiple cross-site scripting (XSS) vulnerabilities in PHP scripts in ...) NOT-FOR-US: Symantec Web Gateway CVE-2015-5690 (The management console on Symantec Web Gateway (SWG) appliances with s ...) NOT-FOR-US: Symantec Web Gateway CVE-2015-5689 (ghostexp.exe in Ghost Explorer Utility in Symantec Ghost Solutions Sui ...) NOT-FOR-US: Symantec CVE-2009-5148 RESERVED CVE-2015-5695 (Designate 2015.1.0 through 1.0.0.0b1 as packaged in OpenStack Kilo doe ...) [experimental] - designate 1:1.0.0~b2-1 - designate 2015.1.0+2015.08.26.git34.9fa07c5798-1 (bug #796108) [jessie] - designate 2014.1-18+deb8u1 CVE-2015-5694 (Designate does not enforce the DNS protocol limit concerning record se ...) [experimental] - designate 1:1.0.0~b2-1 - designate 2015.1.0+2015.08.26.git34.9fa07c5798-1 (bug #796108) [jessie] - designate (Vulnerable code doesn't exist) CVE-2015-5688 (Directory traversal vulnerability in lib/app/index.js in Geddy before ...) NOT-FOR-US: Geddy NOTE: https://github.com/geddy/geddy/issues/697 NOTE: https://github.com/geddy/geddy/pull/699 NOTE: https://nodesecurity.io/advisories/10 CVE-2015-5687 (system/session/drivers/cookie.php in Anchor CMS 0.9.x allows remote at ...) NOT-FOR-US: Anchor CMS CVE-2015-5686 (Parts of the Puppet Enterprise Console 3.x were found to be susceptibl ...) NOT-FOR-US: Puppet Enterprise Console CVE-2015-5685 (The lazy_bdecode function in BitTorrent DHT bootstrap server (bootstra ...) {DLA-312-1} - libtorrent-rasterbar 1.0.6-1 (bug #797046) [jessie] - libtorrent-rasterbar (Minor issue) [wheezy] - libtorrent-rasterbar (Minor issue) NOTE: Even though the CVE mentions BitTorrent DHT Bootstrap server, the vulnerable lazy_bdecode() function is effectively also available in libtorrent-rasterbar in all Debian releases. NOTE: Patch on libtorrent-rasterbar that has been applied in 1.0.6: https://github.com/arvidn/libtorrent/commit/d9945f6f50a8c967888cd9c2ebe65ffbe462056e CVE-2015-5684 (MITRE is populating this ID because it was assigned prior to Lenovo be ...) NOT-FOR-US: Lenovo CVE-2015-5683 RESERVED CVE-2015-5682 (upload.php in the Powerplay Gallery plugin 3.3 for WordPress allows re ...) NOT-FOR-US: Powerplay Gallery plugin for WordPress CVE-2015-5681 (Unrestricted file upload vulnerability in upload.php in the Powerplay ...) NOT-FOR-US: Powerplay Gallery plugin for WordPress CVE-2015-5680 RESERVED CVE-2015-5679 RESERVED CVE-2015-5678 RESERVED CVE-2015-5677 (bsnmpd, as used in FreeBSD 9.3, 10.1, and 10.2, uses world-readable pe ...) NOT-FOR-US: bsnmpd CVE-2015-5676 RESERVED CVE-2015-5675 (The sys_amd64 IRET Handler in the kernel in FreeBSD 9.3 and 10.1 allow ...) - kfreebsd-10 10.1~svn274115-10 (unimportant; bug #796996) NOTE: kfreebsd not covered by security support in Jessie - kfreebsd-9 (bug #796997) [wheezy] - kfreebsd-9 (Unsupported in wheezy-lts) - kfreebsd-8 [wheezy] - kfreebsd-8 (kfreebsd-8 only a test kernel, can be fixed in a point release) [squeeze] - kfreebsd-8 (kfreebsd-i386/amd64 not supported in Squeeze LTS) CVE-2015-5674 (The routed daemon in FreeBSD 9.3 before 9.3-RELEASE-p22, 10.2-RC2 befo ...) NOT-FOR-US: routed daemon in FreeBSD CVE-2015-5673 (eventapp/lib/gcloud.rb in the ISUCON5 qualifier portal (aka eventapp) ...) NOT-FOR-US: ISUCON5 qualifier portal CVE-2015-5672 (TYPE-MOON Fate/stay night, Fate/hollow ataraxia, Witch on the Holy Nig ...) NOT-FOR-US: TYPE-MOON CVE-2015-5671 (Techno Project Japan Enisys Gw before 1.4.1 allows remote attackers to ...) NOT-FOR-US: Techno Project Japan Enisys Gw CVE-2015-5670 (Cross-site scripting (XSS) vulnerability in Techno Project Japan Enisy ...) NOT-FOR-US: Techno Project Japan Enisys Gw CVE-2015-5669 (Techno Project Japan Enisys Gw before 1.4.1 allows remote authenticate ...) NOT-FOR-US: Techno Project Japan Enisys Gw CVE-2015-5668 (SQL injection vulnerability in Techno Project Japan Enisys Gw before 1 ...) NOT-FOR-US: Techno Project Japan Enisys Gw CVE-2015-5667 (Cross-site scripting (XSS) vulnerability in the HTML-Scrubber module b ...) {DLA-339-1} - libhtml-scrubber-perl 0.15-1 (bug #803943) [jessie] - libhtml-scrubber-perl 0.11-1+deb8u1 [wheezy] - libhtml-scrubber-perl 0.09-1+deb7u1 NOTE: Upstream fix: https://github.com/nigelm/html-scrubber/commit/e1978cc37867e85c06a84a4651745235010cd6cd CVE-2015-5666 (ANA App for Android 3.1.1 and earlier, and ANA App for iOS 3.3.6 and e ...) NOT-FOR-US: ANA App CVE-2015-5665 (Cross-site request forgery (CSRF) vulnerability in LOCKON EC-CUBE 2.11 ...) NOT-FOR-US: LOCKON CVE-2015-5664 (Cross-site scripting (XSS) vulnerability in File Station in QNAP QTS b ...) NOT-FOR-US: QNAP CVE-2015-5663 (The file-execution functionality in WinRAR before 5.30 beta 5 allows l ...) NOT-FOR-US: WinRAR CVE-2015-5662 (Directory traversal vulnerability in Avast before 150918-0 allows remo ...) NOT-FOR-US: Avast CVE-2015-5661 (The SAND STUDIO AirDroid application 1.1.0 and earlier for Android mis ...) NOT-FOR-US: SAND STUDIO AirDroid CVE-2015-5660 (Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2. ...) {DLA-485-1} - extplorer NOTE: http://extplorer.net/news/18 NOTE: http://extplorer.net/projects/extplorer/repository/diff?utf8=%E2%9C%93&rev=242&rev_to=241 CVE-2015-5659 (SQL injection vulnerability in Network Applied Communication Laborator ...) NOT-FOR-US: Network Applied Communication Laboratory Pref Shimane CMS CVE-2015-5658 REJECTED CVE-2015-5657 REJECTED CVE-2015-5656 REJECTED CVE-2015-5655 (The Adways Party Track SDK before 1.6.6 for iOS does not verify X.509 ...) NOT-FOR-US: Adways Party Track SDK CVE-2015-5654 (Cross-site scripting (XSS) vulnerability in Dojo Toolkit before 1.2 al ...) - dojo (Fixed before the first version in Debian) CVE-2015-5653 (Buffer overflow in Canary Labs Trend Web Server before 9.5.2 allows re ...) NOT-FOR-US: Canary Labs Trend Web Server CVE-2015-5652 (Untrusted search path vulnerability in python.exe in Python through 3. ...) NOT-FOR-US: Python on Windows CVE-2015-5651 (Cross-site scripting (XSS) vulnerability in Dotclear before 2.8.1 allo ...) - dotclear (bug #815979) NOTE: http://dotclear.org/blog/post/2015/09/23/Dotclear-2.8.1 CVE-2015-5650 (Directory traversal vulnerability in AjaXplorer 2.0 allows remote atta ...) NOT-FOR-US: AjaXplorer CVE-2015-5649 (Cybozu Garoon 3.x through 3.7.5 and 4.x through 4.0.3 mishandles authe ...) NOT-FOR-US: Cybozu Garoon CVE-2015-5648 (SQL injection vulnerability in list.php in phpRechnung before 1.6.5 al ...) NOT-FOR-US: phpRechnung CVE-2015-5647 (The RSS Reader component in Cybozu Garoon 3.x through 3.7.5 and 4.x th ...) NOT-FOR-US: Cybozu Garoon CVE-2015-5646 (Cybozu Garoon 3.x through 3.7.5 and 4.x through 4.0.3 allows remote au ...) NOT-FOR-US: Cybozu Garoon CVE-2015-5645 (ICZ MATCHA SNS before 1.3.7 allows remote authenticated users to obtai ...) NOT-FOR-US: ICZ MATCHA CVE-2015-5644 (The installer in ICZ MATCHA SNS before 1.3.7 does not properly configu ...) NOT-FOR-US: ICZ MATCHA CVE-2015-5643 (The installer in ICZ MATCHA INVOICE before 2.5.7 does not properly con ...) NOT-FOR-US: ICZ MATCHA CVE-2015-5642 (Multiple SQL injection vulnerabilities in ICZ MATCHA INVOICE before 2. ...) NOT-FOR-US: ICZ MATCHA CVE-2015-5641 (SQL injection vulnerability in baserCMS before 3.0.8 allows remote aut ...) NOT-FOR-US: baserCMS CVE-2015-5640 (baserCMS before 3.0.8 allows remote authenticated users to modify arbi ...) NOT-FOR-US: baserCMS CVE-2015-5639 (niconico App for iOS before 6.38 does not verify SSL certificates whic ...) NOT-FOR-US: niconico App for iOS CVE-2015-5638 (Directory traversal vulnerability in H2O before 1.4.5 and 1.5.x before ...) - h2o (Fixed before initial upload to Debian) NOTE: https://github.com/h2o/h2o/issues/921 CVE-2015-5637 (The Newphoria Photon application before 1.2 for Android allows attacke ...) NOT-FOR-US: Newphoria CVE-2015-5636 (The Newphoria Reversi application before 1.0.3 for Android and before ...) NOT-FOR-US: Newphoria CVE-2015-5635 (The Newphoria Koritore application before 1.1 for Android and before 1 ...) NOT-FOR-US: Newphoria CVE-2015-5634 (The Newphoria MEGAPHONE MUSIC application before 1.1 for Android and b ...) NOT-FOR-US: Newphoria CVE-2015-5633 (The Newphoria Auction Camera application for iOS and before 1.2 for An ...) NOT-FOR-US: Newphoria CVE-2015-5632 (The runtime engine in the Newphoria applican framework before 1.12.3 f ...) NOT-FOR-US: Newphoria CVE-2015-5631 (Cross-site request forgery (CSRF) vulnerability in the Remote UI on Ca ...) NOT-FOR-US: Canon CVE-2015-5630 (Cross-site scripting (XSS) vulnerability in the NTT Broadband Platform ...) NOT-FOR-US: NTT CVE-2015-5629 (The NTT Broadband Platform Japan Connected-free Wi-Fi application 1.6. ...) NOT-FOR-US: NTT CVE-2015-5628 (Stack-based buffer overflow in Yokogawa CENTUM CS 1000 R3.08.70 and ea ...) NOT-FOR-US: Yokogawa CVE-2015-5627 (Stack-based buffer overflow in Yokogawa CENTUM CS 1000 R3.08.70 and ea ...) NOT-FOR-US: Yokogawa CVE-2015-5626 (Stack-based buffer overflow in Yokogawa CENTUM CS 1000 R3.08.70 and ea ...) NOT-FOR-US: Yokogawa CVE-2015-5625 (Cross-site scripting (XSS) vulnerability in OpenDocMan before 1.3.4 al ...) NOT-FOR-US: OpenDocMan CVE-2015-5624 (Buffer overflow in the ExecCall method in c2lv6.ocx in the FreeBit ELP ...) NOT-FOR-US: FreeBit CVE-2015-5697 (The get_bitmap_file function in drivers/md/md.c in the Linux kernel be ...) {DSA-3329-1 DLA-310-1} - linux 4.1.3-1 - linux-2.6 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b6878d9e03043695dbf3fa1caa6dfc09db225b16 (v4.2-rc6) NOTE: http://www.openwall.com/lists/oss-security/2015/07/28/2 CVE-2015-5620 RESERVED CVE-2015-5619 (Logstash 1.4.x before 1.4.5 and 1.5.x before 1.5.4 with Lumberjack out ...) - logstash (bug #664841) CVE-2015-5618 (Chiyu BF-630 and BF-630W fingerprint access-control devices allow remo ...) NOT-FOR-US: Chiyu BF-630 and BF-630W fingerprint access-control devices CVE-2015-5617 (SQL injection vulnerability in pub/m_pending_news/delete_pending_news. ...) NOT-FOR-US: Enorth Webpublisher CMS CVE-2015-5616 RESERVED CVE-2015-5615 REJECTED CVE-2015-5614 REJECTED CVE-2015-5613 (Cross-site scripting (XSS) vulnerability in October CMS build 271 and ...) NOT-FOR-US: October CMS CVE-2015-5612 (Cross-site scripting (XSS) vulnerability in October CMS build 271 and ...) NOT-FOR-US: October CMS CVE-2015-5623 (WordPress before 4.2.3 does not properly verify the edit_posts capabil ...) {DSA-3328-1} - wordpress 4.2.3+dfsg-1 [wheezy] - wordpress (Vulnerable code not present) [squeeze] - wordpress (Vulnerable code not present) NOTE: https://core.trac.wordpress.org/changeset/33357 CVE-2015-5622 (Cross-site scripting (XSS) vulnerability in WordPress before 4.2.3 all ...) {DSA-3383-1 DSA-3332-1 DLA-294-1} - wordpress 4.2.3+dfsg-1 NOTE: https://core.trac.wordpress.org/changeset/33359 CVE-2015-5611 (Unspecified vulnerability in Uconnect before 15.26.1, as used in certa ...) NOT-FOR-US: Uconnect CVE-2015-5610 (The RSM (aka RSMWinService) service in SolarWinds N-Able N-Central bef ...) NOT-FOR-US: SolarWinds CVE-2015-5609 (Absolute path traversal vulnerability in the Image Export plugin 1.1 f ...) NOT-FOR-US: Image Export plugin for WordPress CVE-2015-5608 (Open redirect vulnerability in Joomla! CMS 3.0.0 through 3.4.1. ...) NOT-FOR-US: Joomla! CVE-2015-5606 (Vordel XML Gateway (acquired by Axway) version 7.2.2 could allow remot ...) NOT-FOR-US: Vordel XML Gateway CVE-2015-5605 (The regular-expression implementation in Google V8, as used in Google ...) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2015-5604 RESERVED CVE-2015-5603 (The HipChat for JIRA plugin before 6.30.0 for Atlassian JIRA allows re ...) NOT-FOR-US: HipChat plugin CVE-2015-5602 (sudoedit in Sudo before 1.8.15 allows local users to gain privileges v ...) {DSA-3440-1 DLA-382-1} - sudo 1.8.15-1.1 (bug #804149) NOTE: http://bugzilla.sudo.ws/show_bug.cgi?id=707 NOTE: http://www.sudo.ws/repos/sudo/rev/9636fd256325 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1277426 NOTE: https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1512781 CVE-2015-5601 (edx-platform before 2015-07-20 allows code execution by privileged use ...) NOT-FOR-US: Open edX CVE-2015-5600 (The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH th ...) {DLA-1500-1 DLA-288-1} - openssh 1:6.9p1-1 (bug #793616) [wheezy] - openssh (Minor issue; not in default configurations) NOTE: http://seclists.org/fulldisclosure/2015/Jul/92 NOTE: Affects configurations that have KbdInteractiveAuthentication set NOTE: to yes. Default for KbdInteractiveAuthentication is to use whatever NOTE: value ChallengeResponseAuthentication is set to, which is 'no' in NOTE: default configurations in Debian. CVE-2015-5599 (Multiple SQL injection vulnerabilities in upload.php in the Powerplay ...) NOT-FOR-US: Powerplay Gallery plugin for WordPress CVE-2015-5598 RESERVED CVE-2015-5597 RESERVED CVE-2015-5596 RESERVED CVE-2015-5595 (Cross-site request forgery (CSRF) vulnerability in admin.php in Zenpho ...) NOT-FOR-US: Zenphoto CVE-2015-5594 (The sanitize_string function in ZenPhoto before 1.4.9 utilized the htm ...) NOT-FOR-US: Zenphoto CVE-2015-5593 (The sanitize_string function in Zenphoto before 1.4.9 does not properl ...) NOT-FOR-US: Zenphoto CVE-2015-5592 (Incomplete blacklist in sanitize_string in Zenphoto before 1.4.9 allow ...) NOT-FOR-US: Zenphoto CVE-2015-5591 (SQL injection vulnerability in Zenphoto before 1.4.9 allow remote admi ...) NOT-FOR-US: Zenphoto CVE-2015-5588 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5587 (Stack-based buffer overflow in Adobe Flash Player before 18.0.0.241 an ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5586 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe CVE-2015-5585 REJECTED CVE-2015-5584 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.241 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5583 (Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, ...) NOT-FOR-US: Adobe CVE-2015-5582 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5581 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.241 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5580 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5579 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5578 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5577 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5576 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5575 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5574 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.241 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5573 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5572 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5571 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5570 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.241 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5569 (Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5568 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5567 (Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5566 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5565 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5564 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5563 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5562 (Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5561 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5560 (Integer overflow in Adobe Flash Player before 18.0.0.232 on Windows an ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5559 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5558 (Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5557 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5556 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5555 (Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5554 (Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5553 (Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5552 (Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5551 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5550 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5549 (Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5548 (Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5547 (Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5546 (Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5545 (Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5544 (Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5543 REJECTED CVE-2015-5542 REJECTED CVE-2015-5541 (Heap-based buffer overflow in Adobe Flash Player before 18.0.0.232 on ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5540 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5539 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5538 (Multiple unspecified vulnerabilities in Citrix NetScaler Application D ...) NOT-FOR-US: Citrix CVE-2015-5537 (The SSL layer of the HTTPS service in Siemens RuggedCom ROS before 4.2 ...) NOT-FOR-US: Siemens CVE-2015-XXXX [integer overflow] - freexl 1.0.2-1 [jessie] - freexl 1.0.0g-1+deb8u2 [wheezy] - freexl 1.0.0b-1+deb7u2 NOTE: For the issue fixed in DSA-3310-1 not yet CVEified NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/06/7 CVE-2015-XXXX [SQL Injection in host_templates.php] - cacti 0.8.8e+ds1-1 [jessie] - cacti 0.8.8b+dfsg-8+deb8u2 [wheezy] - cacti 0.8.8a+dfsg-5+deb7u6 [squeeze] - cacti 0.8.7g-1+squeeze7 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/18/4 NOTE: http://bugs.cacti.net/view.php?id=2584 NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731 CVE-2015-XXXX [SQL Injection in graph_templates.php] - cacti 0.8.8e+ds1-1 [jessie] - cacti 0.8.8b+dfsg-8+deb8u2 [wheezy] - cacti 0.8.8a+dfsg-5+deb7u6 [squeeze] - cacti 0.8.7g-1+squeeze7 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/18/4 NOTE: http://bugs.cacti.net/view.php?id=2583 NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731 CVE-2015-XXXX [SQL Injection in data_templates.php] - cacti 0.8.8e+ds1-1 [jessie] - cacti 0.8.8b+dfsg-8+deb8u2 [wheezy] - cacti 0.8.8a+dfsg-5+deb7u6 [squeeze] - cacti 0.8.7g-1+squeeze7 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/18/4 NOTE: http://bugs.cacti.net/view.php?id=2582 NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731 CVE-2015-XXXX [SQL Injection in cdef.php] - cacti 0.8.8e+ds1-1 [jessie] - cacti 0.8.8b+dfsg-8+deb8u2 [wheezy] - cacti 0.8.8a+dfsg-5+deb7u6 [squeeze] - cacti 0.8.7g-1+squeeze7 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/18/4 NOTE: http://bugs.cacti.net/view.php?id=2580 NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731 CVE-2015-XXXX [SQL Injection Vulnerability in data sources] - cacti 0.8.8e+ds1-1 [jessie] - cacti 0.8.8b+dfsg-8+deb8u2 [wheezy] - cacti 0.8.8a+dfsg-5+deb7u6 [squeeze] - cacti 0.8.7g-1+squeeze7 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/18/4 NOTE: http://bugs.cacti.net/view.php?id=2579 NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731 CVE-2015-XXXX [SQL Injection Vulnerability in graph items and graph template items] - cacti 0.8.8e+ds1-1 [jessie] - cacti 0.8.8b+dfsg-8+deb8u2 [wheezy] - cacti 0.8.8a+dfsg-5+deb7u6 [squeeze] - cacti 0.8.7g-1+squeeze7 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/18/4 NOTE: http://bugs.cacti.net/view.php?id=2574 NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731 CVE-2015-5590 (Stack-based buffer overflow in the phar_fix_filepath function in ext/p ...) {DSA-3344-1 DLA-307-1} - php5 5.6.11+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=69923 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=6dedeb40db13971af45276f80b5375030aa7e76f NOTE: Fixed in 5.6.11, 5.4.43 CVE-2015-5589 (The phar_convert_to_other function in ext/phar/phar_object.c in PHP be ...) {DSA-3344-1 DLA-307-1} - php5 5.6.11+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=69958 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=bf58162ddf970f63502837f366930e44d6a992cf NOTE: Fixed in 5.6.11, 5.4.43 CVE-2015-5536 (Belkin N300 Dual-Band Wi-Fi Range Extender with firmware before 1.04.1 ...) NOT-FOR-US: Belkin router CVE-2015-5535 (Cross-site scripting (XSS) vulnerability in the qTranslate plugin 2.5. ...) NOT-FOR-US: qTranslate plugin for wordpress CVE-2015-5534 (Multiple cross-site request forgery (CSRF) vulnerabilities in Oxwall b ...) NOT-FOR-US: Oxwall CVE-2015-5533 (SQL injection vulnerability in counter-options.php in the Count Per Da ...) NOT-FOR-US: WordPress plugin count-per-day CVE-2015-5532 (Multiple cross-site scripting (XSS) vulnerabilities in the Paid Member ...) NOT-FOR-US: WordPress plugin paid-memberships-pro CVE-2015-5530 (Multiple cross-site request forgery (CSRF) vulnerabilities in Free Rep ...) NOT-FOR-US: Free Reprintables CVE-2015-5529 (Multiple cross-site scripting (XSS) vulnerabilities in Free Reprintabl ...) NOT-FOR-US: Free Reprintables CVE-2015-5528 (Cross-site scripting (XSS) vulnerability in the save_order function in ...) NOT-FOR-US: save_order function in class-floating-social-bar.php in the Floating Social Bar plugin for WordPress CVE-2015-5527 RESERVED CVE-2015-5526 RESERVED CVE-2015-5525 RESERVED CVE-2015-5524 (An issue was discovered on Samsung mobile devices with KK(4.4) and lat ...) NOT-FOR-US: Samsung mobile devices CVE-2015-5531 (Directory traversal vulnerability in Elasticsearch before 1.6.1 allows ...) - elasticsearch 1.6.1+dfsg-1 (bug #792617) [jessie] - elasticsearch (No longer supported, see DSA 3389) NOTE: https://www.elastic.co/blog/elasticsearch-1-7-0-and-1-6-1-released#security CVE-2015-5521 (Cross-site scripting (XSS) vulnerability in BlackCat CMS 1.1.2 allows ...) NOT-FOR-US: BlackCat CMS CVE-2015-5520 (Cross-site scripting (XSS) vulnerability in the Users module in Orchar ...) NOT-FOR-US: Orchard CMS CVE-2015-5519 (Cross-site scripting (XSS) vulnerability in the applyConvolution demo ...) NOT-FOR-US: WideImage CVE-2015-5518 RESERVED CVE-2015-5517 RESERVED CVE-2015-8176 REJECTED CVE-2015-5516 (Memory leak in the last hop kernel module in F5 BIG-IP LTM, GTM, and L ...) NOT-FOR-US: F5 BIG-IP CVE-2015-6240 (The chroot, jail, and zone connection plugins in ansible before 1.9.2 ...) {DLA-1923-1} - ansible 1.9.2+dfsg-1 (low) NOTE: http://www.openwall.com/lists/oss-security/2015/07/14/3 CVE-2015-5515 (The Views Bulk Operations (VBO) module 6.x-1.x and 7.x-3.x before 7.x- ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2015-5514 (Cross-site scripting (XSS) vulnerability in the Migrate module 7.x-2.x ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2015-5513 (Cross-site scripting (XSS) vulnerability in the Shibboleth authenticat ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2015-5512 (The me aliases module 6.x-2.x before 6.x-2.10 and 7.x-1.x before 7.x-1 ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2015-5511 (The HybridAuth Social Login module 7.x-2.x before 7.x-2.13 for Drupal ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2015-5510 (Open redirect vulnerability in the Content Construction Kit (CCK) 6.x- ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2015-5509 (The Administration Views module 7.x-1.x before 7.x-1.4 for Drupal, whe ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2015-5508 (Cross-site request forgery (CSRF) vulnerability in the XC NCIP Provide ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2015-5507 (Cross-site scripting (XSS) vulnerability in the Inline Entity Form mod ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2015-5506 (The Apache Solr Real-Time module 7.x-1.x before 7.x-1.2 for Drupal doe ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2015-5505 (The HTTP Strict Transport Security (HSTS) module 6.x-1.x before 6.x-1. ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2015-5504 (SQL injection vulnerability in the Novalnet Payment Module Ubercart mo ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2015-5503 (Open redirect vulnerability in the Chamilo integration module 7.x-1.x ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2015-5502 (The Storage API module 7.x-1.x before 7.x-1.8 for Drupal does not prop ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2015-5501 (The Hostmaster (Aegir) module 6.x-2.x before 6.x-2.4 and 7.x-3.x befor ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2015-5500 (Cross-site scripting (XSS) vulnerability in the Navigate module for Dr ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2015-5499 (The Navigate module for Drupal does not properly check permissions, wh ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2015-5498 (The Shipwire API module 7.x-1.x before 7.x-1.03 for Drupal does not ch ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2015-5497 (Cross-site scripting (XSS) vulnerability in the Web Links module 6.x-2 ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2015-5496 (The pass2pdf module for Drupal does not restrict access to generated P ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2015-5495 (Cross-site scripting (XSS) vulnerability in the Mobile sliding menu mo ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2015-5494 (Cross-site scripting (XSS) vulnerability in the Webform Matrix Compone ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2015-5493 (The Entityform Block module 7.x-1.x before 7.x-1.3 for Drupal does not ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2015-5492 (Cross-site scripting (XSS) vulnerability in the Video Consultation mod ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2015-5491 (The Dynamic display block module 7.x-1.x before 7.x-1.1 for Drupal all ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2015-5490 (The _views_fetch_data method in includes/cache.inc in the Views module ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2015-5489 (Cross-site scripting (XSS) vulnerability in the Smart Trim module 7.x- ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2015-5488 (Cross-site scripting (XSS) vulnerability in the MailChimp Signup submo ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2015-5487 (Cross-site scripting (XSS) vulnerability in the Camtasia Relay module ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2015-5486 RESERVED CVE-2015-5485 (Cross-site scripting (XSS) vulnerability in the Event Import page (imp ...) NOT-FOR-US: Event Import page (import-eventbrite-events.php) in the Modern Tribe Eventbrite Tickets plugin for WordPress CVE-2015-5484 (Cross-site scripting (XSS) vulnerability in the Plotly plugin before 1 ...) NOT-FOR-US: Plotly plugin for WordPress CVE-2015-5483 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Priv ...) NOT-FOR-US: Private Only plugin for WordPress CVE-2015-5482 (Directory traversal vulnerability in the GD bbPress Attachments plugin ...) NOT-FOR-US: GD bbPress Attachments plugin for WordPress CVE-2015-5481 (Cross-site scripting (XSS) vulnerability in forms/panels.php in the GD ...) NOT-FOR-US: GD bbPress Attachments plugin for WordPress CVE-2015-5480 RESERVED CVE-2015-5479 (The ff_h263_decode_mba function in libavcodec/ituh263dec.c in Libav be ...) {DLA-644-1} - ffmpeg (Vulnerable code not present) [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav (low) [jessie] - libav 6:11.6-1~deb8u1 [wheezy] - libav (Minor issue, can be fixed along in a future DSA) NOTE: Patch in libav: https://git.libav.org/?p=libav.git;a=commit;h=0a49a62f998747cfa564d98d36a459fe70d3299b NOTE: Fixed in libav 11.5 CVE-2015-5478 RESERVED CVE-2015-5477 (named in ISC BIND 9.x before 9.9.7-P2 and 9.10.x before 9.10.2-P3 allo ...) {DSA-3319-1 DLA-285-1} - bind9 1:9.9.5.dfsg-11 (bug #793903) NOTE: https://kb.isc.org/article/AA-01272/0 CVE-2015-5476 RESERVED CVE-2015-5475 (Multiple cross-site scripting (XSS) vulnerabilities in Request Tracker ...) {DSA-3335-1} - request-tracker4 4.2.11-2 NOTE: https://github.com/bestpractical/rt/commit/67d517ba3421ba462e349c73207a627d137ef8ac (4.2.x) NOTE: https://github.com/bestpractical/rt/commit/4ec786bb4743f67a35a634c1bf43b13d3d3b39a9 (4.0.x) CVE-2015-5474 (BitTorrent and uTorrent allow remote attackers to inject command line ...) NOT-FOR-US: uTorrent CVE-2015-5473 (Multiple directory traversal vulnerabilities in Samsung SyncThru 6 bef ...) NOT-FOR-US: Samsung CVE-2015-5472 (Absolute path traversal vulnerability in lib/download.php in the IBS M ...) NOT-FOR-US: IBS Mappro plugin for WordPress CVE-2015-5471 (Absolute path traversal vulnerability in include/user/download.php in ...) NOT-FOR-US: Swim Team plugin for WordPress CVE-2015-5469 (Absolute path traversal vulnerability in the MDC YouTube Downloader pl ...) NOT-FOR-US: MDC YouTube Downloader plugin for WordPress CVE-2015-5468 (Directory traversal vulnerability in the WP e-Commerce Shop Styling pl ...) NOT-FOR-US: Commerce Shop Styling plugin for WordPress CVE-2015-5467 RESERVED CVE-2015-5466 (Silicon Integrated Systems XGI WindowsXP Display Manager (aka XGI VGA ...) NOT-FOR-US: Silicon Integrated Systems XGI WindowsXP Display Manager CVE-2015-5465 (Silicon Integrated Systems WindowsXP Display Manager (aka VGA Driver M ...) NOT-FOR-US: Silicon Integrated Systems CVE-2015-5464 (The Gemalto SafeNet Luna HSM allows remote authenticated users to bypa ...) NOT-FOR-US: Gemalto CVE-2015-5463 (AxiomSL's Axiom java applet module (used for editing uploaded Excel fi ...) NOT-FOR-US: AxiomSL's Axiom CVE-2015-5462 (AxiomSL's Axiom Google Web Toolkit module 9.5.3 and earlier allows rem ...) NOT-FOR-US: AxiomSL's Axiom CVE-2015-5607 (Cross-site request forgery in the REST API in IPython 2 and 3. ...) - ipython 2.4.1-1 (bug #793123) [jessie] - ipython (Minor issue) [wheezy] - ipython (Minor issue) [squeeze] - ipython (Vulnerable code not present) NOTE: https://github.com/ipython/ipython/commit/a05fe052a18810e92d9be8c1185952c13fe4e5b0 (2.x) NOTE: https://github.com/ipython/ipython/commit/1415a9710407e7c14900531813c15ba6165f0816 (3.x) NOTE: Affected versions: 0.12 <= version <= 3.2.0 NOTE: http://www.openwall.com/lists/oss-security/2015/07/12/4 CVE-2014-8878 (KDE KMail does not encrypt attachments in emails when "automatic encry ...) - kdepim 4:4.14.5-1 (bug #791800) [jessie] - kdepim (Minor issue) [wheezy] - kdepim (Minor issue) [squeeze] - kdepim (Bogus condition not present) NOTE: https://bugs.kde.org/show_bug.cgi?id=340312 NOTE: http://www.openwall.com/lists/oss-security/2015/07/15/5 CVE-2013-7443 (Buffer overflow in the skip-scan optimization in SQLite 3.8.2 allows r ...) - sqlite3 3.8.3-1 [wheezy] - sqlite3 (Vulnerable code introduced in 3.8.2) [squeeze] - sqlite3 (Vulnerable code introduced in 3.8.2) NOTE: Fixed by: https://www.sqlite.org/src/info/ac5852d6403c9c96 NOTE: Introduced by: https://www.sqlite.org/src/info/b0bb975c0986fe01 NOTE: https://www.sqlite.org/src/info/520070ec7fbaac NOTE: http://www.openwall.com/lists/oss-security/2015/07/14/5 CVE-2015-5461 (Open redirect vulnerability in the Redirect function in stageshow_redi ...) NOT-FOR-US: Redirect function in stageshow_redirect.php in the StageShow plugin for WordPress CVE-2015-5460 (Cross-site scripting (XSS) vulnerability in app/views/events/_menu.htm ...) NOT-FOR-US: Snorby CVE-2015-5459 (SQL injection vulnerability in the AdvanceSearch.class in AdventNetPas ...) NOT-FOR-US: Password Manager Pro CVE-2015-5458 (Session fixation vulnerability in fileupload.php in PivotX before 2.3. ...) NOT-FOR-US: PivotX CVE-2015-5457 (PivotX before 2.3.11 does not validate the new file extension when ren ...) NOT-FOR-US: PivotX CVE-2015-5456 (Cross-site scripting (XSS) vulnerability in the form method in modules ...) NOT-FOR-US: PivotX CVE-2015-5455 (Cross-site scripting (XSS) vulnerability in X-Cart 4.5.0 and earlier a ...) NOT-FOR-US: X-cart CVE-2015-5454 (Cross-site scripting (XSS) vulnerability in Nucleus CMS allows remote ...) NOT-FOR-US: Nucleus CMS CVE-2015-5453 (Watchguard XCS 9.2 and 10.0 before build 150522 allow remote authentic ...) NOT-FOR-US: Watchguard XCS CVE-2015-5452 (SQL injection vulnerability in Watchguard XCS 9.2 and 10.0 before buil ...) NOT-FOR-US: Watchguard XCS CVE-2014-9741 (Multiple cross-site scripting (XSS) vulnerabilities in ESRI ArcGIS for ...) NOT-FOR-US: ArcGIS CVE-2015-5451 (Cross-site request forgery (CSRF) vulnerability in HP Operations Orche ...) NOT-FOR-US: HP Operations Orchestration Central CVE-2015-5450 REJECTED CVE-2015-5449 REJECTED CVE-2015-5448 (HP Asset Manager 9.40 and 9.41 before 9.41.11103 P4-rev1 and 9.50 befo ...) NOT-FOR-US: HP Asset Manager CVE-2015-5447 (Cross-site scripting (XSS) vulnerability in HP StoreOnce Backup system ...) NOT-FOR-US: HP StoreOnce Backup CVE-2015-5446 (HP StoreOnce Backup system software before 3.13.1 allows remote attack ...) NOT-FOR-US: HP StoreOnce Backup CVE-2015-5445 (Cross-site request forgery (CSRF) vulnerability in HP StoreOnce Backup ...) NOT-FOR-US: HP StoreOnce Backup CVE-2015-5444 (Multiple cross-site scripting (XSS) vulnerabilities in HP Smart Profil ...) NOT-FOR-US: SPS DAL CVE-2015-5443 (HP 3PAR Service Processor SP 4.2.0.GA-29 (GA) SPOCC, SP 4.3.0.GA-17 (G ...) NOT-FOR-US: HP CVE-2015-5442 (Unspecified vulnerability in HP Software Update before 5.005.002.002 a ...) NOT-FOR-US: HP Software Update CVE-2015-5441 (Multiple cross-site scripting (XSS) vulnerabilities in HP ArcSight Man ...) NOT-FOR-US: HP Arcsight CVE-2015-5440 (HP UCMDB 10.00 and 10.01 before 10.01CUP12, 10.10 and 10.11 before 10. ...) NOT-FOR-US: HP UCMDB CVE-2015-5439 REJECTED CVE-2015-5438 REJECTED CVE-2015-5437 REJECTED CVE-2015-5436 REJECTED CVE-2015-5435 (Unspecified vulnerability in HP Integrated Lights-Out (iLO) firmware 3 ...) NOT-FOR-US: HP CVE-2015-5434 (HPE Networking Products, originally branded as Comware 5, Comware 7, H ...) NOT-FOR-US: HP H3C CVE-2015-5433 (HP Virtual Connect Enterprise Manager (VCEM) SDK before 7.5.0, as used ...) NOT-FOR-US: HP Virtual Connect Enterprise Manager CVE-2015-5432 (HP Virtual Connect Enterprise Manager (VCEM) SDK before 7.5.0, as used ...) NOT-FOR-US: HP Virtual Connect Enterprise Manager CVE-2015-5431 (HP Matrix Operating Environment before 7.5.0 allows remote authenticat ...) NOT-FOR-US: HP Matrix Operating Environment CVE-2015-5430 (HP Matrix Operating Environment before 7.5.0 allows remote attackers t ...) NOT-FOR-US: HP Matrix Operating Environment CVE-2015-5429 (HP Matrix Operating Environment before 7.5.0 allows remote attackers t ...) NOT-FOR-US: HP Matrix Operating Environment CVE-2015-5428 (HP Matrix Operating Environment before 7.5.0 allows remote attackers t ...) NOT-FOR-US: HP Matrix Operating Environment CVE-2015-5427 (HP Matrix Operating Environment before 7.5.0 allows remote attackers t ...) NOT-FOR-US: HP Matrix Operating Environment CVE-2015-5426 (Unspecified vulnerability in HP LoadRunner Controller before 12.50 all ...) NOT-FOR-US: HP LoadRunner CVE-2015-5425 REJECTED CVE-2015-5424 (Unspecified vulnerability in HP KeyView before 10.23.0.1 and 10.24.x b ...) NOT-FOR-US: HP KeyView CVE-2015-5423 (Unspecified vulnerability in HP KeyView before 10.23.0.1 and 10.24.x b ...) NOT-FOR-US: HP KeyView CVE-2015-5422 (Unspecified vulnerability in HP KeyView before 10.23.0.1 and 10.24.x b ...) NOT-FOR-US: HP KeyView CVE-2015-5421 (Unspecified vulnerability in HP KeyView before 10.23.0.1 and 10.24.x b ...) NOT-FOR-US: HP KeyView CVE-2015-5420 (Unspecified vulnerability in HP KeyView before 10.23.0.1 and 10.24.x b ...) NOT-FOR-US: HP KeyView CVE-2015-5419 (Unspecified vulnerability in HP KeyView before 10.23.0.1 and 10.24.x b ...) NOT-FOR-US: HP KeyView CVE-2015-5418 (Unspecified vulnerability in HP KeyView before 10.23.0.1 and 10.24.x b ...) NOT-FOR-US: HP KeyView CVE-2015-5417 (Unspecified vulnerability in HP KeyView before 10.23.0.1 and 10.24.x b ...) NOT-FOR-US: HP KeyView CVE-2015-5416 (Unspecified vulnerability in HP KeyView before 10.23.0.1 and 10.24.x b ...) NOT-FOR-US: HP KeyView CVE-2015-5415 REJECTED CVE-2015-5414 REJECTED CVE-2015-5413 (HP Version Control Repository Manager (VCRM) before 7.5.0 allows remot ...) NOT-FOR-US: HP Version Control Repository Manager CVE-2015-5412 (Cross-site request forgery (CSRF) vulnerability in HP Version Control ...) NOT-FOR-US: HP Version Control Repository Manager CVE-2015-5411 (HP Version Control Repository Manager (VCRM) before 7.5.0 allows remot ...) NOT-FOR-US: HP Version Control Repository Manager CVE-2015-5410 (HP Version Control Repository Manager (VCRM) before 7.5.0 allows remot ...) NOT-FOR-US: HP Version Control Repository Manager CVE-2015-5409 (Buffer overflow in HP Version Control Repository Manager (VCRM) before ...) NOT-FOR-US: HP Version Control Repository Manager CVE-2015-5408 (HP CentralView Fraud Risk Management 11.1, 11.2, and 11.3; CentralView ...) NOT-FOR-US: HP CentralView Fraud Risk Management CVE-2015-5407 (HP CentralView Fraud Risk Management 11.1, 11.2, and 11.3; CentralView ...) NOT-FOR-US: HP CentralView Fraud Risk Management CVE-2015-5406 (HP CentralView Fraud Risk Management 11.1, 11.2, and 11.3; CentralView ...) NOT-FOR-US: HP CentralView Fraud Risk Management CVE-2015-5405 (HP Systems Insight Manager (SIM) before 7.5.0, as used in HP Matrix Op ...) NOT-FOR-US: HP Systems Insight Manager CVE-2015-5404 (HP Systems Insight Manager (SIM) before 7.5.0, as used in HP Matrix Op ...) NOT-FOR-US: HP Systems Insight Manager CVE-2015-5403 (HP Systems Insight Manager (SIM) before 7.5.0, as used in HP Matrix Op ...) NOT-FOR-US: HP Systems Insight Manager CVE-2015-5402 (HP Systems Insight Manager (SIM) before 7.5.0, as used in HP Matrix Op ...) NOT-FOR-US: HP Systems Insight Manager CVE-2015-5401 (Teradata Gateway before 15.00.03.02-1 and 15.10.x before 15.10.00.01-1 ...) NOT-FOR-US: Teradata CVE-2015-5399 (Cross-site scripting (XSS) vulnerability in PHPVibe before 4.21 allows ...) NOT-FOR-US: PHPVibe CVE-2015-5398 RESERVED CVE-2015-5397 (Cross-site request forgery (CSRF) vulnerability in Joomla! 3.2.0 throu ...) NOT-FOR-US: Joomla! CVE-2015-5396 RESERVED CVE-2015-5394 RESERVED CVE-2015-5393 RESERVED CVE-2015-5392 RESERVED CVE-2015-5391 RESERVED CVE-2015-5390 RESERVED CVE-2015-5389 RESERVED CVE-2015-5388 RESERVED CVE-2015-5387 RESERVED CVE-2015-5386 (Siemens SICAM MIC devices with firmware before 2404 allow remote attac ...) NOT-FOR-US: Siemens CVE-2015-5385 RESERVED CVE-2015-5384 (AxiomSL's Axiom Google Web Toolkit module 9.5.3 and earlier is vulnera ...) NOT-FOR-US: AxiomSL's Axiom CVE-2015-5379 (Cross-site scripting (XSS) vulnerability in actions.hsp in the Ajax We ...) NOT-FOR-US: Axigen CVE-2015-5378 (Logstash 1.5.x before 1.5.3 and 1.4.x before 1.4.4 allows remote attac ...) - logstash (bug #664841) CVE-2015-5377 (** DISPUTED ** Elasticsearch before 1.6.1 allows remote attackers to e ...) - elasticsearch 1.6.1+dfsg-1 (bug #792617) [jessie] - elasticsearch (No longer supported, see DSA 3389) NOTE: https://www.elastic.co/blog/elasticsearch-1-7-0-and-1-6-1-released#security CVE-2015-5376 (SQL injection vulnerability in the login form in GSI WiNPAT Portal 3.2 ...) NOT-FOR-US: GSI WiNPAT Portal CVE-2015-5375 (Cross-site scripting (XSS) vulnerability in unspecified dialogs for pr ...) NOT-FOR-US: Open-Xchange CVE-2015-5374 (A vulnerability has been identified in Firmware variant PROFINET IO fo ...) NOT-FOR-US: Siemens CVE-2015-5373 RESERVED CVE-2015-5372 (The SAML 2.0 implementation in AdNovum nevisAuth 4.13.0.0 before 4.18. ...) NOT-FOR-US: AdNovum nevisAuth CVE-2015-5371 (The AuthenticationFilter class in SolarWinds Storage Manager allows re ...) NOT-FOR-US: SolarWinds CVE-2015-5370 (Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before ...) {DSA-3548-1} - samba 2:4.3.7+dfsg-1 NOTE: https://www.samba.org/samba/security/CVE-2015-5370.html CVE-2015-5369 (Pulse Connect Secure (aka PCS and formerly Juniper PCS) PSC6000, PCS65 ...) NOT-FOR-US: Pulse Connect Secure / Juniper PCS CVE-2015-5368 (The HP lt4112 LTE/HSPA+ Gobi 4G module with firmware before 12.500.00. ...) NOT-FOR-US: HP CVE-2015-5367 (The HP lt4112 LTE/HSPA+ Gobi 4G module with firmware before 12.500.00. ...) NOT-FOR-US: HP CVE-2014-9740 (Cross-site scripting (XSS) vulnerability in the Rules Link module 7.x- ...) NOT-FOR-US: Rules Link module for Drupal CVE-2014-9739 (Cross-site scripting (XSS) vulnerability in the Node Field module 7.x- ...) NOT-FOR-US: Node Field module for Drupal CVE-2014-9738 (Multiple cross-site scripting (XSS) vulnerabilities in the Tournament ...) NOT-FOR-US: Tournament module for Drupal CVE-2014-9737 (Open redirect vulnerability in the Language Switcher Dropdown module 7 ...) NOT-FOR-US: Language Switcher Dropdown module for Drupal CVE-2014-9736 (GE Healthcare Centricity Clinical Archive Audit Trail Repository has a ...) NOT-FOR-US: GE Healthcare Centricity Clinical Archive Audit Trail Repository CVE-2013-7442 (GE Healthcare Centricity PACS Workstation 4.0 and 4.0.1 has a password ...) NOT-FOR-US: GE Healthcare Centricity PACS Workstation CVE-2012-6695 (GE Healthcare Centricity PACS Workstation 4.0 and 4.0.1 has a password ...) NOT-FOR-US: GE Healthcare Centricity PACS Workstation CVE-2012-6694 (GE Healthcare Centricity PACS Workstation 4.0 and 4.0.1, and Server 4. ...) NOT-FOR-US: GE Healthcare Centricity PACS Workstation CVE-2012-6693 (GE Healthcare Centricity PACS 4.0 Server has a default password of (1) ...) NOT-FOR-US: GE Healthcare Centricity PACS CVE-2011-5325 (Directory traversal vulnerability in the BusyBox implementation of tar ...) {DLA-1445-1} - busybox 1:1.27.2-1 (bug #802702) [stretch] - busybox (Minor issue) [wheezy] - busybox (Minor issue) [squeeze] - busybox (Minor issue) CVE-2011-5324 (The TeraRecon server, as used in GE Healthcare Centricity PACS-IW 3.7. ...) NOT-FOR-US: GE Healthcare Centricity PACS-IW CVE-2011-5323 (GE Healthcare Centricity PACS-IW 3.7.3.7, 3.7.3.8, and possibly other ...) NOT-FOR-US: GE Healthcare Centricity PACS-IW CVE-2011-5322 (GE Healthcare Centricity Analytics Server 1.1 has a default password o ...) NOT-FOR-US: GE Healthcare Centricity Analytics Server CVE-2015-8041 (Multiple integer overflows in the NDEF record parser in hostapd before ...) {DSA-3397-1} - wpa 2.3-2.2 (bug #795740) - wpasupplicant [squeeze] - wpasupplicant (0.7.0-v2.4 with with CONFIG_WPS_NFC=y) - hostapd [squeeze] - hostapd (v0.7.0-v2.4 with CONFIG_WPS_NFC=y) NOTE: http://www.openwall.com/lists/oss-security/2015/07/08/3 NOTE: http://w1.fi/security/2015-5/ CVE-2015-5395 (Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0. ...) - sogo 3.2.4-0.2 (bug #796197) [wheezy] - sogo (not supported in Wheezy LTS) NOTE: https://lists.debian.org/debian-lts/2016/05/msg00197.html NOTE: http://www.openwall.com/lists/oss-security/2015/07/07/10 NOTE: http://www.sogo.nu/bugs/view.php?id=3246 NOTE: https://github.com/inverse-inc/sogo/commit/582baf2960969c73f98643e46cfb49432c30b711 (SOGo-3.1.0) CVE-2015-5470 (The label decompression functionality in PowerDNS Recursor before 3.6. ...) {DSA-3307-1 DSA-3306-1} - pdns 3.4.5-1 [wheezy] - pdns (3.2 and up affected) [squeeze] - pdns (3.2 and up affected) - pdns-recursor 3.7.3-1 [wheezy] - pdns-recursor (3.5 and up affected) [squeeze] - pdns-recursor (3.5 and up affected) NOTE: http://www.openwall.com/lists/oss-security/2015/07/07/6 NOTE: https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/ NOTE: Patch: http://downloads.powerdns.com/patches/2015-01/rec-3.7.2.patch CVE-2015-5383 (Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to obtain ...) - roundcube (protection is done in apache config in binary package) NOTE: http://www.openwall.com/lists/oss-security/2015/07/06/10 NOTE: http://trac.roundcube.net/ticket/1490378 CVE-2015-5382 (program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 ...) - roundcube 1.1.2+dfsg.1-1 (bug #791643) [wheezy] - roundcube (Vulnerable code not present) [squeeze] - roundcube (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2015/07/06/10 NOTE: http://trac.roundcube.net/ticket/1490379 CVE-2015-5381 (Cross-site scripting (XSS) vulnerability in program/include/rcmail.php ...) - roundcube 1.1.2+dfsg.1-1 (bug #791643) [wheezy] - roundcube (Vulnerable code not present) [squeeze] - roundcube (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2015/07/06/10 NOTE: http://trac.roundcube.net/ticket/1490417 CVE-2015-5400 (Squid before 3.5.6 does not properly handle CONNECT method peer respon ...) {DSA-3327-1 DLA-286-1} - squid 4.1-1 [wheezy] - squid (Fix is hard to backport and default configuration is not affected) [squeeze] - squid (Fix is hard to backport and default configuration is not affected) - squid3 3.5.6-1 (bug #793128) NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13856.patch (3.5) NOTE: http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13225.patch (3.4) NOTE: http://www.squid-cache.org/Advisories/SQUID-2015_2.txt NOTE: http://www.openwall.com/lists/oss-security/2015/07/06/8 NOTE: In squeeze's squid3 the code is structured differently but the bug still appears to be present. NOTE: For squid 2.x all versions are affected, cf. comment by upstream in NOTE: https://bugs.debian.org/793128#12 CVE-2015-5380 (The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in ...) - nodejs (Only affects 0.12.x) NOTE: http://www.openwall.com/lists/oss-security/2015/07/05/1 CVE-2015-5365 (Cross-site scripting (XSS) vulnerability in Zurmo CRM 3.0.2 allows rem ...) NOT-FOR-US: Zurmo CRM CVE-2015-5363 (The SRX Network Security Daemon (nsd) in Juniper SRX Series services g ...) NOT-FOR-US: Juniper CVE-2015-5362 (The BFD daemon in Juniper Junos OS 12.1X44 before 12.1X44-D50, 12.1X46 ...) NOT-FOR-US: Juniper CVE-2015-5361 (Background For regular, unencrypted FTP traffic, the FTP ALG can inspe ...) NOT-FOR-US: Juniper CVE-2015-5360 (IPv6 sendd in Juniper Junos 12.1X44 before 12.1X44-D51, 12.1X46 before ...) NOT-FOR-US: Juniper CVE-2015-5359 (Juniper Junos OS 12.1X44 before 12.1X44-D50, 12.1X46 before 12.1X46-D3 ...) NOT-FOR-US: Juniper CVE-2015-5358 (Juniper Junos OS 12.1X44 before 12.1X44-D50, 12.1X46 before 12.1X46-D3 ...) NOT-FOR-US: Juniper CVE-2015-5357 (The Juniper EX4600, QFX3500, QFX3600, and QFX5100 switches with Junos ...) NOT-FOR-US: Juniper CVE-2015-5356 (Cross-site scripting (XSS) vulnerability in admin/filebrowser.php in G ...) NOT-FOR-US: GetSimple CMS CVE-2015-5355 (Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS b ...) NOT-FOR-US: GetSimple CMS CVE-2015-5354 (Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote a ...) NOT-FOR-US: Novius OS CVE-2015-5353 (Directory traversal vulnerability in Novius OS 5.0.1 (Elche) allows re ...) NOT-FOR-US: Novius OS CVE-2015-5351 (The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x ...) {DSA-3609-1 DSA-3552-1 DSA-3530-1 DLA-435-1} - tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.0.32-1 - tomcat7 7.0.68-1 - tomcat6 6.0.41-3 NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs NOTE: Fixed in 7.0.68, 8.0.32, 9.0.0.M3 NOTE: Upstream advisory does not make reference to 6.x but looking at the NOTE: upstream patches reveals that this issue is fixed since 6.0.45 NOTE: http://svn.apache.org/viewvc?view=revision&revision=1720661 NOTE: http://svn.apache.org/viewvc?view=revision&revision=1720663 CVE-2015-5350 (In Garden versions 0.22.0-0.329.0, a vulnerability has been discovered ...) NOT-FOR-US: Cloud Foundry CVE-2015-5349 (The CSV export in Apache LDAP Studio and Apache Directory Studio befor ...) NOT-FOR-US: Apache LDAP Studio and Apache Directory Studio CVE-2015-5348 (Apache Camel 2.6.x through 2.14.x, 2.15.x before 2.15.5, and 2.16.x be ...) NOT-FOR-US: Apache Camel CVE-2015-5347 (Cross-site scripting (XSS) vulnerability in the getWindowOpenJavaScrip ...) NOT-FOR-US: Apache Wicket CVE-2015-5346 (Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x ...) {DSA-3609-1 DSA-3552-1 DSA-3530-1} - tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.0.30-1 - tomcat7 7.0.68-1 - tomcat6 6.0.41-3 NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs [squeeze] - tomcat6 (Minor issue, very unlikely to exploit) NOTE: Fixed in 7.0.67, 8.0.30, 9.0.0.M3 NOTE: https://svn.apache.org/viewvc?view=revision&revision=1713187 NOTE: http://svn.apache.org/viewvc?view=revision&revision=1713185 NOTE: http://svn.apache.org/viewvc?view=revision&revision=1723506 CVE-2015-5345 (The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7. ...) {DSA-3609-1 DSA-3552-1 DSA-3530-1 DLA-435-1} - tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.0.30-1 - tomcat7 7.0.68-1 - tomcat6 6.0.41-3 NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs NOTE: Fixed in 6.0.45, 7.0.67, 8.0.30, 9.0.0.M3 CVE-2015-5344 (The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x b ...) NOT-FOR-US: Apache Camel CVE-2015-5343 (Integer overflow in util.c in mod_dav_svn in Apache Subversion 1.7.x, ...) {DSA-3424-1} - subversion 1.9.3-1 [wheezy] - subversion (Vulnerable code not present) [squeeze] - subversion (Vulnerable code not present) NOTE: https://subversion.apache.org/security/CVE-2015-5343-advisory.txt CVE-2015-5342 (The choice module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x ...) - moodle 2.7.11+dfsg-1 [squeeze] - moodle (Unsupported in squeeze-lts) CVE-2015-5341 (mod_scorm in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before ...) - moodle 2.7.11+dfsg-1 [squeeze] - moodle (Unsupported in squeeze-lts) CVE-2015-5340 (Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2. ...) - moodle 2.7.11+dfsg-1 [squeeze] - moodle (Unsupported in squeeze-lts) CVE-2015-5339 (The core_enrol_get_enrolled_users web service in enrol/externallib.php ...) - moodle 2.7.11+dfsg-1 [squeeze] - moodle (Unsupported in squeeze-lts) CVE-2015-5338 (Multiple cross-site request forgery (CSRF) vulnerabilities in the less ...) - moodle 2.7.11+dfsg-1 [squeeze] - moodle (Unsupported in squeeze-lts) CVE-2015-5337 (Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2. ...) - moodle 2.7.11+dfsg-1 [squeeze] - moodle (Unsupported in squeeze-lts) CVE-2015-5336 (Multiple cross-site scripting (XSS) vulnerabilities in the survey modu ...) - moodle 2.7.11+dfsg-1 [squeeze] - moodle (Unsupported in squeeze-lts) CVE-2015-5335 (Cross-site request forgery (CSRF) vulnerability in admin/registration/ ...) - moodle 2.7.11+dfsg-1 [squeeze] - moodle (Unsupported in squeeze-lts) CVE-2015-5334 (Off-by-one error in the OBJ_obj2txt function in LibreSSL before 2.3.1 ...) - libressl (bug #754513) CVE-2015-5333 (Memory leak in the OBJ_obj2txt function in LibreSSL before 2.3.1 allow ...) - libressl (bug #754513) CVE-2015-5332 (Atto in Moodle 2.8.x before 2.8.9 and 2.9.x before 2.9.3 allows remote ...) - moodle (Only affects 2.8 and later) CVE-2015-5331 (Moodle 2.9.x before 2.9.3 does not properly check the contact list bef ...) - moodle (Only affects 2.9 and later) CVE-2015-5330 (ldb before 1.1.24, as used in the AD LDAP server in Samba 4.x before 4 ...) {DSA-3433-1} - samba 2:4.1.22+dfsg-1 [wheezy] - samba (Only affects 4.0.0 to 4.3.2) [squeeze] - samba (Only affects 4.0.0 to 4.3.2) - ldb 2:1.1.24-1 [jessie] - ldb 2:1.1.17-2+deb8u1 [wheezy] - ldb (Minor issue, only relevant in conjunction with Samba 4, which isn't in wheezy) [squeeze] - ldb (Minor issue) NOTE: https://git.samba.org/?p=samba.git;a=commit;h=1aef718f3cc175d90d40202a333042a38ba382b1 (v4-1-stable) NOTE: https://git.samba.org/?p=samba.git;a=commit;h=7bcac237656083e67bbac9b50be9b319bb2d7eb8 (v4-1-stable) NOTE: https://git.samba.org/?p=samba.git;a=commit;h=5f3c7541c2f10ac2174538288f6569af587d69f0 (v4-1-stable) NOTE: https://git.samba.org/?p=samba.git;a=commit;h=a561ae6294fa926bf3a15b9aaf3d18d25d5e971f (v4-1-stable) NOTE: https://git.samba.org/?p=samba.git;a=commit;h=f07626d0297ed6bd21623409e1ea1ae1138d23a8 (v4-1-stable) NOTE: https://git.samba.org/?p=samba.git;a=commit;h=83f1d39cd9ab9b8b548602f9ee806a994fca9d0c (v4-1-stable) NOTE: https://www.samba.org/samba/security/CVE-2015-5330.html NOTE: Samba update needs as well fixed ldb CVE-2015-5329 (The TripleO Heat templates (tripleo-heat-templates), as used in Red Ha ...) - tripleo-heat-templates 5.2.0-1 (bug #851396) CVE-2015-5328 RESERVED CVE-2015-5327 (Out-of-bounds memory read in the x509_decode_time function in x509_cer ...) - linux (Only affected 4.3-rc1 onwards) - linux-2.6 (Only affected 4.3-rc1 onwards) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cc25b994acfbc901429da682d0f73c190e960206 (v4.4-rc1) CVE-2015-5326 (Cross-site scripting (XSS) vulnerability in the slave overview page in ...) - jenkins NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11 CVE-2015-5325 (Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass ...) - jenkins NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11 CVE-2015-5324 (Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to ...) - jenkins NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11 CVE-2015-5323 (Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict a ...) - jenkins NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11 CVE-2015-5322 (Directory traversal vulnerability in Jenkins before 1.638 and LTS befo ...) - jenkins NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11 CVE-2015-5321 (The sidepanel widgets in the CLI command overview and help pages in Je ...) - jenkins NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11 CVE-2015-5320 (Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the ...) - jenkins NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11 CVE-2015-5319 (XML external entity (XXE) vulnerability in the create-job CLI command ...) - jenkins NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11 CVE-2015-5318 (Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible ...) - jenkins NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11 CVE-2015-5317 (The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 ...) - jenkins NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11 CVE-2015-5316 (The eap_pwd_perform_confirm_exchange function in eap_peer/eap_pwd.c in ...) {DSA-3397-1} - wpa 2.3-2.3 (bug #804710) [wheezy] - wpa (v2.3-v2.5 with CONFIG_EAP_PWD=y) - wpasupplicant (v2.3-v2.5 with CONFIG_EAP_PWD=y) - hostapd (v2.3-v2.5 with CONFIG_EAP_PWD=y) NOTE: http://w1.fi/security/2015-8/ NOTE: https://w1.fi/security/2015-8/eap-pwd-unexpected-confirm.txt NOTE: https://w1.fi/security/2015-8/0001-EAP-pwd-peer-Fix-error-path-for-unexpected-Confirm-m.patch CVE-2015-5315 (The eap_pwd_process function in eap_peer/eap_pwd.c in wpa_supplicant 2 ...) {DSA-3397-1} - wpa 2.3-2.3 (bug #804708) [wheezy] - wpa (v2.0-v2.5 with CONFIG_EAP_PWD=y) - wpasupplicant (v2.0-v2.5 with CONFIG_EAP_PWD=y) - hostapd (v2.0-v2.5 with CONFIG_EAP_PWD=y) NOTE: http://w1.fi/security/2015-7/ NOTE: https://w1.fi/security/2015-7/eap-pwd-missing-last-fragment-length-validation.txt NOTE: https://w1.fi/security/2015-7/0001-EAP-pwd-peer-Fix-last-fragment-length-validation.patch CVE-2015-5314 (The eap_pwd_process function in eap_server/eap_server_pwd.c in hostapd ...) {DSA-3397-1} - wpa 2.3-2.3 (bug #804708) [wheezy] - wpa (v2.0-v2.5 with CONFIG_EAP_PWD=y) - wpasupplicant (v2.0-v2.5 with CONFIG_EAP_PWD=y) - hostapd (v2.0-v2.5 with CONFIG_EAP_PWD=y) NOTE: http://w1.fi/security/2015-7/ NOTE: https://w1.fi/security/2015-7/eap-pwd-missing-last-fragment-length-validation.txt NOTE: https://w1.fi/security/2015-7/0001-EAP-pwd-server-Fix-last-fragment-length-validation.patch CVE-2015-5313 (Directory traversal vulnerability in the virStorageBackendFileSystemVo ...) - libvirt 1.3.0-1 (bug #808273) [jessie] - libvirt 1.2.9-9+deb8u2 [wheezy] - libvirt (Vulnerable code introduced later) [squeeze] - libvirt (Vulnerable code introduced later) NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=034e47c338b13a95cf02106a3af912c1c5f818d7 NOTE: Broken by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=c930410bebae0a45889b992a7932c663b06cbbcd (v1.1.0-rc1) NOTE: http://security.libvirt.org/2015/0004.html CVE-2015-5312 (The xmlStringLenDecodeEntities function in parser.c in libxml2 before ...) {DSA-3430-1 DLA-373-1} - libxml2 2.9.3+dfsg1-1 NOTE: https://git.gnome.org/browse/libxml2/commit/?id=69030714cde66d525a8884bda01b9e8f0abf8e1e (v2.9.3) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=756733 (upstream bug not yet open) CVE-2015-5311 (PowerDNS (aka pdns) Authoritative Server 3.4.4 before 3.4.7 allows rem ...) - pdns 3.4.7-1 [jessie] - pdns (Only 3.4.4 and later affected) [wheezy] - pdns (Only 3.4.4 and later affected) [squeeze] - pdns (Only 3.4.4 and later affected) - pdns-recursor (recursor not affected) NOTE: http://www.openwall.com/lists/oss-security/2015/11/09/3 CVE-2015-5310 (The WNM Sleep Mode code in wpa_supplicant 2.x before 2.6 does not prop ...) {DSA-3397-1} - wpa 2.3-2.3 (bug #804707) [wheezy] - wpa (v2.0-v2.5 with CONFIG_WNM=y) - wpasupplicant (v2.0-v2.5 with CONFIG_WNM=y) - hostapd (v2.0-v2.5 with CONFIG_WNM=y) NOTE: http://w1.fi/security/2015-6/ NOTE: https://w1.fi/security/2015-6/0001-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame.patch NOTE: https://w1.fi/security/2015-6/wpa_supplicant-unauthorized-wnm-sleep-mode-gtk-control.txt CVE-2015-5309 (Integer overflow in the terminal emulator in PuTTY before 0.66 allows ...) {DSA-3409-1 DLA-347-1} - putty 0.66-1 NOTE: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-ech-overflow.html NOTE: https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=6056396f77cafc7e40da4d09f1d6212408dcb065 CVE-2015-5308 (Multiple SQL injection vulnerabilities in cs_admin_users.php in the wp ...) NOT-FOR-US: wp-championship plugin for WordPress CVE-2015-5307 (The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x thr ...) {DSA-3454-1 DSA-3414-1 DSA-3396-1 DLA-479-1} - linux 4.2.6-1 - linux-2.6 - xen 4.8.0~rc3-1 (bug #823620) [squeeze] - linux-2.6 (KVM not supported in Squeeze LTS) [squeeze] - xen (Not supported in Squeeze LTS) NOTE: http://xenbits.xen.org/xsa/advisory-156.html - virtualbox 5.0.10-dfsg-1 [wheezy] - virtualbox (DSA 3454) NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixOVIR CVE-2015-5306 (OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), ...) - ironic-inspector 3.2.0-1 NOTE: https://bugs.launchpad.net/ironic-inspector/+bug/1506419 CVE-2015-5305 (Directory traversal vulnerability in Kubernetes, as used in Red Hat Op ...) - kubernetes (Fixed before the initial release in Debian, 1.2.0) NOTE: https://github.com/kubernetes/kubernetes/pull/15975 CVE-2015-5304 (Red Hat JBoss Enterprise Application Platform (EAP) before 6.4.5 does ...) NOT-FOR-US: Red Hat JBoss Enterprise Application Platform CVE-2015-5303 (The TripleO Heat templates (tripleo-heat-templates), when deployed via ...) - tripleo-heat-templates 5.2.0-1 (bug #851396) CVE-2015-5302 (libreport 2.0.7 before 2.6.3 only saves changes to the first file when ...) NOT-FOR-US: abrt/libreport CVE-2015-5301 (providers/saml2/admin.py in the Identity Provider (IdP) server in Ipsi ...) - ipsilon (bug #826838) CVE-2015-5300 (The panic_gate check in NTP before 4.2.8p5 is only re-enabled after th ...) {DSA-3388-1 DLA-335-1} - ntp 1:4.2.8p4+dfsg-2 NOTE: https://www.cs.bu.edu/~goldbe/NTPattack.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1271076 CVE-2015-5299 (The shadow_copy2_get_shadow_copy_data function in modules/vfs_shadow_c ...) {DSA-3433-1 DLA-379-1} - samba 2:4.1.22+dfsg-1 NOTE: https://www.samba.org/samba/security/CVE-2015-5299.html CVE-2015-5298 [Google Login Plugin for Jenkins authentication bypass] RESERVED NOT-FOR-US: Plugin not packaged in Debian NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-10-12 CVE-2015-5297 (An integer overflow issue has been reported in the general_composite_r ...) {DLA-1587-1} - pixman 0.33.4-1 NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=92027 NOTE: Patch: https://cgit.freedesktop.org/pixman/patch/?id=204fcd24d9b7e3988b7496e723014f327828751a CVE-2015-5296 (Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before ...) {DSA-3433-1 DLA-379-1} - samba 2:4.1.22+dfsg-1 NOTE: https://www.samba.org/samba/security/CVE-2015-5296.html CVE-2015-5295 (The template-validate command in OpenStack Orchestration API (Heat) be ...) - heat 1:6.0.0~rc3-1 [jessie] - heat (Minor issue) NOTE: Affects: <=2015.1.2, ==5.0.0 CVE-2015-5294 REJECTED CVE-2015-5293 (Red Hat Enterprise Virtualization Manager 3.6 and earlier gives valid ...) NOT-FOR-US: RHEV CVE-2015-5292 (Memory leak in the Privilege Attribute Certificate (PAC) responder plu ...) - sssd 1.13.1-1 [jessie] - sssd (Minor issue; responder not built) NOTE: binary package has the sssd_pac_plugin.so but the responder NOTE: part is not build. [wheezy] - sssd (vulnerable code not present) [squeeze] - sssd (vulnerable code not present) NOTE: https://fedorahosted.org/sssd/ticket/2803 NOTE: https://fedorahosted.org/sssd/attachment/ticket/2803/0001-Fix-memory-leak-in-sssdpac_verify.patch CVE-2015-5291 (Heap-based buffer overflow in PolarSSL 1.x before 1.2.17 and ARM mbed ...) {DSA-3468-1 DLA-331-1} - mbedtls (Fixed before the initial release to Debian) [experimental] - polarssl 1.3.14-0.1 - polarssl (bug #801413) NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01 CVE-2015-5290 (A Denial of Service vulnerability exists in ircd-ratbox 3.0.9 in the M ...) - charybdis 3.4.2-5 [jessie] - charybdis 3.4.2-5~deb8u1 [wheezy] - charybdis (Minor issue) - ircd-ratbox (bug #805065) [jessie] - ircd-ratbox (Minor issue) [wheezy] - ircd-ratbox (Minor issue) [squeeze] - ircd-ratbox (Slow leak; workaround is available) NOTE: http://elemental-ircd.com/security/e50b0d59-f3c5-4472-a3cd-e2e07731417c/ CVE-2015-5289 (Multiple stack-based buffer overflows in json parsing in PostgreSQL be ...) {DSA-3374-1} - postgresql-9.4 9.4.5-1 - postgresql-9.1 (no json datatype) - postgresql-8.4 (no json datatype) CVE-2015-5288 (The crypt function in contrib/pgcrypto in PostgreSQL before 9.0.23, 9. ...) {DSA-3475-1 DSA-3374-1 DLA-329-1} - postgresql-9.4 9.4.5-1 - postgresql-9.1 [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) - postgresql-8.4 [wheezy] - postgresql-8.4 (postgresql-8.4 in wheezy only provides PL/Perl; EOL upstream) [squeeze] - postgresql-8.4 (minor issue) CVE-2015-5287 (The abrt-hook-ccpp help program in Automatic Bug Reporting Tool (ABRT) ...) NOT-FOR-US: abrt is Red Hat / Fedora specific CVE-2015-5286 (OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x b ...) - glance 1:11.0.0-1 (bug #800741) [jessie] - glance (Vulnerable code not present) [wheezy] - glance (Vulnerable code not present) NOTE: jessie: According to confirmation via upstream the fix for CVE-2014-9623 NOTE: was complete here so CVE-2015-5286 not affecting jessie. NOTE: <=2014.2.3, >=2015.1.0, <=2015.1.1 CVE-2015-5285 (CRLF injection vulnerability in Kallithea before 0.3 allows remote att ...) - kallithea (bug #689573) CVE-2015-5284 (ipa-kra-install in FreeIPA before 4.2.2 puts the CA agent certificate ...) - freeipa (Introduced in 4.2) NOTE: https://fedorahosted.org/freeipa/ticket/5347 NOTE: Upstream commit: https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=55a66ccba3e2181a50e7733b7476991975b7455f CVE-2015-5283 (The sctp_init function in net/sctp/protocol.c in the Linux kernel befo ...) - linux 4.2.1-2 [jessie] - linux 3.16.7-ckt11-1+deb8u5 [wheezy] - linux (Vulnerable code not present) - linux-2.6 (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8e2d61e0aed2b7c4ecb35844fe07e0b2b762dee4 (v4.3-rc3) NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4db67e808640e3934d82ce61ee8e2e89fd877ba8 (v3.7-rc1) CVE-2015-5282 (Cross-site scripting (XSS) vulnerability in Foreman 1.7.0 and after. ...) - foreman (bug #663101) CVE-2015-5281 (The grub2 package before 2.02-0.29 in Red Hat Enterprise Linux (RHEL) ...) - grub2 (SecureBoot not yet supported) CVE-2015-5280 REJECTED CVE-2015-5279 (Heap-based buffer overflow in the ne2000_receive function in hw/net/ne ...) {DSA-3362-1 DSA-3361-1} - qemu 1:2.4+dfsg-3 (bug #799074) [squeeze] - qemu (Not supported in Squeeze LTS) - qemu-kvm [squeeze] - qemu-kvm (Not supported in Squeeze LTS) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg03984.html CVE-2015-5278 (The ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 ...) {DSA-3362-1 DSA-3361-1} - qemu 1:2.4+dfsg-3 (bug #799073) [squeeze] - qemu (Not supported in Squeeze LTS) - qemu-kvm [squeeze] - qemu-kvm (Not supported in Squeeze LTS) NOTE: Fix: https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg03985.html NOTE: Possibly introduced around http://git.qemu.org/?p=qemu.git;a=commitdiff;h=0ae045ae439ad83692ad039a554f7d62acf9de5c (v0.9.1) CVE-2015-5277 (The get_contents function in nss_files/files-XXX.c in the Name Service ...) - glibc 2.21-1 (bug #799966) [jessie] - glibc 2.19-18+deb8u2 - eglibc [wheezy] - eglibc (Vulnerable code not present) [squeeze] - eglibc (Vulnerable code not present) CVE-2015-5276 (The std::random_device class in libstdc++ in the GNU Compiler Collecti ...) - gcc-5 5.3.0-1 - gcc-4.9 4.9.3-5 [jessie] - gcc-4.9 (Minor issue) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65142 NOTE: Upstream commit: https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=227687 CVE-2015-5275 REJECTED CVE-2015-5274 (rubygem-openshift-origin-console in Red Hat OpenShift 2.2 allows remot ...) NOT-FOR-US: OpenShift CVE-2015-5273 (The abrt-action-install-debuginfo-to-abrt-cache help program in Automa ...) NOT-FOR-US: abrt is Red Hat / Fedora specific CVE-2015-5272 (The Forum module in Moodle 2.7.x before 2.7.10 allows remote authentic ...) - moodle 2.7.10+dfsg-1 (bug #799634) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50576 CVE-2015-5271 (The TripleO Heat templates (tripleo-heat-templates) do not properly or ...) - tripleo-heat-templates (Vulnerability introduced later) NOTE: Fixed by: https://github.com/openstack/tripleo-heat-templates/commit/1730d95acdbee7c7bbcfe1eba8a48ef2b0cc1476 NOTE: Introduced by: https://github.com/openstack/tripleo-heat-templates/commit/65d64b6a52366f36955e5e48a29f4ef0ca2ff973 (0.8.2) [Puppet: Swift Overcloud Proxy/Storage support] NOTE: https://bugs.launchpad.net/tripleo/+bug/1494896 CVE-2015-5270 REJECTED CVE-2015-5269 (Cross-site scripting (XSS) vulnerability in group/overview.php in Mood ...) - moodle 2.7.10+dfsg-1 (bug #799634) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50709 CVE-2015-5268 (The rating component in Moodle through 2.6.11, 2.7.x before 2.7.10, 2. ...) - moodle 2.7.10+dfsg-1 (bug #799634) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50173 CVE-2015-5267 (lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x ...) - moodle 2.7.10+dfsg-1 (bug #799634) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50860 CVE-2015-5266 (The enrol_meta_sync function in enrol/meta/locallib.php in Moodle thro ...) - moodle 2.7.10+dfsg-1 (bug #799634) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50744 CVE-2015-5265 (The wiki component in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8. ...) - moodle 2.7.10+dfsg-1 (bug #799634) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48371 CVE-2015-5264 (The lesson module in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x ...) - moodle 2.7.10+dfsg-1 (bug #799634) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50516 CVE-2015-5263 (pulp-consumer-client 2.4.0 through 2.6.3 does not check the server's T ...) NOT-FOR-US: Pulp (Red Hat) CVE-2015-5262 (http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents ...) {DLA-322-1} - httpcomponents-client 4.3.6-1 (low) [jessie] - httpcomponents-client (Minor issue) [squeeze] - httpcomponents-client (Regression introduced in 4.3.0) [wheezy] - httpcomponents-client (Regression introduced in 4.3.0) - commons-httpclient 3.1-12 (bug #798650) [jessie] - commons-httpclient 3.1-11+deb8u1 [wheezy] - commons-httpclient 3.1-10.2+deb7u2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1261538 NOTE: https://issues.apache.org/jira/browse/HTTPCLIENT-1478 says it's really fixed in 4.3.6 and that 4.2.x did not have this bug. NOTE: Proposed patch for commons-httpclient: https://bugzilla.redhat.com/show_bug.cgi?id=1259892 NOTE: Checked that both 4.0.1 (in Squeeze) and 4.1.1 (in Wheezy) have the call to set the timout before the SSL connection is opened. NOTE: Jessie's 4.3.5-2 is however missing the upstream patch: http://svn.apache.org/viewvc/httpcomponents/httpclient/branches/4.3.x/httpclient/src/main/java/org/apache/http/conn/ssl/SSLConnectionSocketFactory.java?r1=1560975&r2=1626784 CVE-2015-5261 (Heap-based buffer overflow in SPICE before 0.12.6 allows guest OS user ...) {DSA-3371-1} - spice 0.12.5-1.3 (bug #801091) CVE-2015-5260 (Heap-based buffer overflow in SPICE before 0.12.6 allows guest OS user ...) {DSA-3371-1} - spice 0.12.5-1.3 (bug #801089) CVE-2015-5259 (Integer overflow in the read_string function in libsvn_ra_svn/marshal. ...) - subversion 1.9.3-1 [jessie] - subversion (Only affects 1.9.0 through 1.9.2 (inclusive)) [wheezy] - subversion (Only affects 1.9.0 through 1.9.2 (inclusive)) [squeeze] - subversion (Only affects 1.9.0 through 1.9.2 (inclusive)) NOTE: https://subversion.apache.org/security/CVE-2015-5259-advisory.txt CVE-2015-5258 (Cross-site request forgery (CSRF) vulnerability in springframework-soc ...) NOT-FOR-US: springframework-social CVE-2015-5257 (drivers/usb/serial/whiteheat.c in the Linux kernel before 4.2.4 allows ...) {DSA-3372-1 DLA-325-1} - linux 4.2.1-1 - linux-2.6 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cbb4be652d374f64661137756b8f357a1827d6a4 (v4.3-rc3) CVE-2015-5256 (Apache Cordova-Android before 4.1.0, when an application relies on a r ...) NOT-FOR-US: Apache Cordova CVE-2015-5255 (Adobe BlazeDS, as used in ColdFusion 10 before Update 18 and 11 before ...) NOT-FOR-US: Adobe CVE-2015-5254 (Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that c ...) {DSA-3524-1} - activemq 5.13.2+dfsg-1 (bug #809733) NOTE: http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt NOTE: https://git-wip-us.apache.org/repos/asf?p=activemq.git;h=6f03921b31d9fefeddb0f4fa63150ed1f94a14b1 (5.11.x) NOTE: https://git-wip-us.apache.org/repos/asf?p=activemq.git;h=73a0caf758f9e4916783a205c7e422b4db27905c (5.11.x) NOTE: Patch applied to Fedora (5.6.0 based version): http://pkgs.fedoraproject.org/cgit/activemq.git/diff/activemq-5.6.0-CVE-2015-5254.patch?id=e3ef8a1b62d10273a814090be9168aa3019ace72 NOTE: https://issues.apache.org/jira/browse/AMQ-6013 CVE-2015-5253 (The SAML Web SSO module in Apache CXF before 2.7.18, 3.0.x before 3.0. ...) NOT-FOR-US: Apache CXF CVE-2015-5252 (vfs.c in smbd in Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, ...) {DSA-3433-1 DLA-379-1} - samba 2:4.1.22+dfsg-1 NOTE: https://www.samba.org/samba/security/CVE-2015-5252.html CVE-2015-5251 (OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x b ...) - glance 1:11.0.0-1 (bug #799931) [jessie] - glance 2014.1.3-12+deb8u1 [wheezy] - glance (Minor issue) NOTE: <=2014.2.3, >=2015.1.0, <=2015.1.1 CVE-2015-5250 (The API server in OpenShift Origin 1.0.5 allows remote attackers to ca ...) NOT-FOR-US: OpenShift CVE-2015-5249 REJECTED CVE-2015-5248 (Reflected file download vulnerability in Red Hat Feedhenry Enterprise ...) NOT-FOR-US: Red Hat Mobile CVE-2015-5247 (The virStorageVolCreateXML API in libvirt 1.2.14 through 1.2.19 allows ...) - libvirt 1.2.20-1 (bug #799132) [jessie] - libvirt (Vulnerable code introduced later) [wheezy] - libvirt (Vulnerable code introduced later) [squeeze] - libvirt (Vulnerable code introduced later) NOTE: http://security.libvirt.org/2015/0003.html NOTE: Broken by https://libvirt.org/git/?p=libvirt.git;a=commit;h=155ca616eb231181f6978efc9e3a1eb0eb60af8a (v1.2.14-rc1) NOTE: and by https://libvirt.org/git/?p=libvirt.git;a=commit;h=7c2d65dde2595c07d56aad1e043f7b1836592d89 (v1.2.16-rc1) CVE-2015-5246 (The LDAP Authentication functionality in Foreman might allow remote at ...) - foreman (bug #663101) CVE-2015-5245 (CRLF injection vulnerability in the Ceph Object Gateway (aka radosgw o ...) [experimental] - ceph 0.94.3-1 - ceph 0.80.10-1 (bug #798567) [jessie] - ceph 0.80.7-2+deb8u1 NOTE: http://tracker.ceph.com/issues/12537 NOTE: https://github.com/ceph/ceph/pull/5430 CVE-2015-5244 (The NSSCipherSuite option with ciphersuites enabled in mod_nss before ...) - libapache2-mod-nss 1.0.12-1 (bug #799464) [jessie] - libapache2-mod-nss (Vulnerability introduced in 1.0.11) [wheezy] - libapache2-mod-nss (Vulnerability introduced in 1.0.11) NOTE: Introduced in https://git.fedorahosted.org/cgit/mod_nss.git/commit/?id=2d1650900f4d47dc43400d826c0f7e1a7c5229b8 (1.0.11) NOTE: Fixed by https://git.fedorahosted.org/cgit/mod_nss.git/commit/?id=34e1ccecb4a7d5054dba2f92b403af9b6ae1e110 (1.0.12) CVE-2015-5243 (phpWhois allows remote attackers to execute arbitrary code via a craft ...) NOT-FOR-US: phpWhois CVE-2015-5242 (OpenStack Swift-on-File (aka Swiftonfile) does not properly restrict u ...) NOT-FOR-US: swiftonfile CVE-2015-5241 (After logging into the portal, the logout jsp page redirects the brows ...) NOT-FOR-US: Apache jUDDI CVE-2015-5240 (Race condition in OpenStack Neutron before 2014.2.4 and 2015.1 before ...) - neutron 1:7.0.0-1 [jessie] - neutron (Minor issue) NOTE: versions through 2014.2.3 and 2015.1 versions through 2015.1.1 CVE-2015-5239 (Integer overflow in the VNC display driver in QEMU before 2.1.0 allows ...) {DLA-574-1 DLA-573-1} - qemu 2.1+dfsg-1 [squeeze] - qemu (Not supported in Squeeze LTS) - qemu-kvm [squeeze] - qemu-kvm (Not supported in Squeeze LTS) NOTE: Upstream fix: http://git.qemu.org/?p=qemu.git;a=commit;h=f9a70e79391f6d7c2a912d785239ee8effc1922d (v2.1.0-rc0) CVE-2015-5238 RESERVED CVE-2015-5237 (protobuf allows remote authenticated attackers to cause a heap-based b ...) - protobuf (unimportant) NOTE: https://github.com/google/protobuf/issues/760 NOTE: Upstream doesn't consider this a real issue in practice. CVE-2015-5236 RESERVED CVE-2015-5235 (IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly dete ...) - icedtea-web 1.6.1-1 (bug #798467) [jessie] - icedtea-web 1.5.3-1 [wheezy] - icedtea-web (Minor issue) CVE-2015-5234 (IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sani ...) - icedtea-web 1.6.1-1 (bug #798467) [jessie] - icedtea-web 1.5.3-1 [wheezy] - icedtea-web (Minor issue) CVE-2015-5233 (Foreman before 1.8.4 and 1.9.x before 1.9.1 do not properly apply view ...) - foreman (bug #663101) CVE-2015-5232 (Race conditions in opa-fm before 10.4.0.0.196 and opa-ff before 10.4.0 ...) NOT-FOR-US: OPA Fabric Manager and OPA tools and Fast Fabric CVE-2015-5231 (The service daemon in CRIU does not properly restrict access to non-du ...) - criu 1.8-2 (bug #797110) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1256728 CVE-2015-5230 (The DNS packet parsing/generation code in PowerDNS (aka pdns) Authorit ...) {DSA-3347-1} - pdns 3.4.6-1 [wheezy] - pdns (Only affects 3.4.0-3.4.5) [squeeze] - pdns (Only affects 3.4.0-3.4.5) NOTE: https://downloads.powerdns.com/patches/2015-02/ CVE-2015-5229 (The calloc function in the glibc package in Red Hat Enterprise Linux ( ...) - glibc (RHEL-specific backport) - eglibc (RHEL-specific backport) CVE-2015-5228 (The service daemon in CRIU creates log and dump files insecurely, whic ...) - criu 1.8-2 (bug #797111) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1255782 CVE-2015-5227 (The Landing Pages plugin before 1.9.2 for WordPress allows remote atta ...) NOT-FOR-US: Landing Pages plugin for WordPress CVE-2015-5226 REJECTED CVE-2015-5225 (Buffer overflow in the vnc_refresh_server_surface function in the VNC ...) {DSA-3348-1} - qemu 1:2.4+dfsg-1a (bug #796465) [wheezy] - qemu (Vulnerable code introduced in 2.1.0) [squeeze] - qemu (Vulnerable code introduced in 2.1.0) - qemu-kvm (Vulnerable code introduced in 2.1.0) NOTE: Fix: https://lists.gnu.org/archive/html/qemu-devel/2015-08/msg02495.html NOTE: Introduced by: http://git.qemu.org/?p=qemu.git;a=commit;h=bea60dd7679364493a0d7f5b (v2.1.0-rc0) CVE-2015-5224 (The mkostemp function in login-utils in util-linux when used incorrect ...) [experimental] - util-linux 2.27~rc2-2 - util-linux 2.27-1 (unimportant) NOTE: chfn/chsh not built in util-linux in Debian (--disable-chfn-chsh) NOTE: https://github.com/karelzak/util-linux/commit/bde91c85bdc77975155058276f99d2e0f5eab5a9 (v2.27-rc2) CVE-2015-5223 (OpenStack Object Storage (Swift) before 2.4.0 allows attackers to obta ...) - swift 2.4.0-1 (bug #797032) [jessie] - swift 2.2.0-1+deb8u1 [wheezy] - swift (Minor issue) CVE-2015-5222 (Red Hat OpenShift Enterprise 3.0.0.0 does not properly check permissio ...) NOT-FOR-US: OpenShift CVE-2015-5221 (Use-after-free vulnerability in the mif_process_cmpt function in libja ...) {DLA-1583-1} - jasper (bug #796253) [wheezy] - jasper (Minor issue) [squeeze] - jasper (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/08/20/4 NOTE: Fixed by https://github.com/mdadams/jasper/commit/df5d2867e8004e51e18b89865bc4aa69229227b3 CVE-2015-5220 (The Web Console in Red Hat Enterprise Application Platform (EAP) befor ...) NOT-FOR-US: JBoss EAP CVE-2015-5219 (The ULOGTOD function in ntp.d in SNTP before 4.2.7p366 does not proper ...) {DSA-3388-1 DLA-335-1} - ntp 1:4.2.8p3+dfsg-1 (low) [jessie] - ntp (Minor issue) [wheezy] - ntp (Minor issue) [squeeze] - ntp (Minor issue) NOTE: https://github.com/ntp-project/ntp/commit/5f295cd05c3c136d39f5b3e500a2d781bdbb59c8 CVE-2015-5218 (Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before ...) - util-linux 2.27-1 (unimportant; bug #798067) NOTE: https://www.spinics.net/lists/util-linux-ng/msg11873.html CVE-2015-5217 (providers/saml2/admin.py in the Identity Provider (IdP) server in Ipsi ...) - ipsilon (bug #826838) CVE-2015-5216 (The Identity Provider (IdP) server in Ipsilon 0.1.0 before 1.0.1 does ...) - ipsilon (bug #826838) CVE-2015-5215 (** DISPUTED ** The default configuration of the Jinja templating engin ...) - ipsilon (bug #826838) CVE-2015-5214 (LibreOffice before 4.4.6 and 5.x before 5.0.1 and Apache OpenOffice be ...) {DSA-3394-1} - libreoffice 1:5.0.1~rc2-1 NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2015-5214/ CVE-2015-5213 (Integer overflow in LibreOffice before 4.4.5 and Apache OpenOffice bef ...) {DSA-3394-1} - libreoffice 1:5.0.1~rc1-1 NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2015-5213/ CVE-2015-5212 (Integer underflow in LibreOffice before 4.4.5 and Apache OpenOffice be ...) {DSA-3394-1} - libreoffice 1:5.0.1~rc1-1 NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2015-5212/ CVE-2015-5211 (Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4 ...) {DLA-1853-1} - libspring-java 4.1.9-1 [wheezy] - libspring-java (Minor issue) NOTE: https://jira.spring.io/browse/SPR-13548 NOTE: https://github.com/spring-projects/spring-framework/commit/2bd1da NOTE: https://github.com/spring-projects/spring-framework/commit/a95c3d NOTE: https://github.com/spring-projects/spring-framework/commit/03f547 NOTE: https://pivotal.io/security/cve-2015-5211 CVE-2015-5210 (Open redirect vulnerability in Apache Ambari before 2.1.2 allows remot ...) NOT-FOR-US: Apache Ambari CVE-2015-5209 (Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulat ...) - libstruts1.2-java [wheezy] - libstruts1.2-java (Only affects versions >= 2.x) NOTE: https://struts.apache.org/docs/s2-026.html CVE-2015-5208 (Apache Cordova iOS before 4.0.0 allows remote attackers to execute arb ...) NOT-FOR-US: Apache Cordova CVE-2015-5207 (Apache Cordova iOS before 4.0.0 might allow attackers to bypass a URL ...) NOT-FOR-US: Apache Cordova CVE-2015-5206 (Unspecified vulnerability in the HTTP/2 experimental feature in Apache ...) - trafficserver 6.0.0-1 [wheezy] - trafficserver (Vulnerable code not present) CVE-2015-5205 REJECTED CVE-2015-5204 (CRLF injection vulnerability in the Apache Cordova File Transfer Plugi ...) NOT-FOR-US: Apache Cordova Android File Transfer Plugin CVE-2015-5203 (Double free vulnerability in the jasper_image_stop_load function in Ja ...) {DLA-1583-1} - jasper (bug #796107) [wheezy] - jasper (Minor issue) [squeeze] - jasper (Minor issue) NOTE: Analysis/More information/Fixing commits: https://bugzilla.redhat.com/show_bug.cgi?id=1254242#c11 CVE-2015-5202 (Red Hat Satellite 6 allows remote authenticated users with privileged ...) NOT-FOR-US: Satellite6 CVE-2015-5201 (VDSM and libvirt in Red Hat Enterprise Virtualization Hypervisor (aka ...) NOT-FOR-US: Red Hat vdms CVE-2015-5200 (The trace functionality in libvdpau before 1.1.1, when used in a setui ...) {DSA-3355-1 DLA-306-1} - libvdpau 1.1.1-1 (bug #797895) NOTE: http://lists.x.org/archives/xorg-announce/2015-August/002630.html NOTE: http://cgit.freedesktop.org/~aplattner/libvdpau/commit/?id=d1f9c16b1a8187110e501c9116d21ffee25c0ba4 CVE-2015-5199 (Directory traversal vulnerability in dlopen in libvdpau before 1.1.1 a ...) {DSA-3355-1 DLA-306-1} - libvdpau 1.1.1-1 (bug #797895) NOTE: http://lists.x.org/archives/xorg-announce/2015-August/002630.html NOTE: http://cgit.freedesktop.org/~aplattner/libvdpau/commit/?id=d1f9c16b1a8187110e501c9116d21ffee25c0ba4 CVE-2015-5198 (libvdpau before 1.1.1, when used in a setuid or setgid application, al ...) {DSA-3355-1 DLA-306-1} - libvdpau 1.1.1-1 (bug #797895) NOTE: http://lists.x.org/archives/xorg-announce/2015-August/002630.html NOTE: http://cgit.freedesktop.org/~aplattner/libvdpau/commit/?id=d1f9c16b1a8187110e501c9116d21ffee25c0ba4 CVE-2015-5197 REJECTED CVE-2015-5196 REJECTED CVE-2015-5195 (ntp_openssl.m4 in ntpd in NTP before 4.2.7p112 allows remote attackers ...) {DSA-3388-1 DLA-335-1} - ntp 1:4.2.8p3+dfsg-1 (low) [jessie] - ntp (Minor issue) [wheezy] - ntp (Minor issue) [squeeze] - ntp (Minor issue) NOTE: https://github.com/ntp-project/ntp/commit/52e977d79a0c4ace997e5c74af429844da2f27be CVE-2015-5194 (The log_config_command function in ntp_parser.y in ntpd in NTP before ...) {DSA-3388-1 DLA-335-1} - ntp 1:4.2.8p3+dfsg-1 (low) [jessie] - ntp (Minor issue) [wheezy] - ntp (Minor issue) [squeeze] - ntp (Minor issue) NOTE: https://github.com/ntp-project/ntp/commit/553f2fa65865c31c5e3c48812cfd46176cffdd27 NOTE: Fixed in 4.2.7p42 CVE-2015-5193 REJECTED CVE-2015-5192 REJECTED CVE-2015-5191 (VMware Tools prior to 10.0.9 contains multiple file system races in li ...) - open-vm-tools 2:10.1.5-5055683-5 (low; bug #869633) [stretch] - open-vm-tools 2:10.1.5-5055683-4+deb9u1 [jessie] - open-vm-tools (Vulnerable code not present) [wheezy] - open-vm-tools (Vulnerable code not present) NOTE: 9.10.x: https://github.com/vmware/open-vm-tools/commit/c1304ce8bfd9c0c33999e496bf7049d5c3d45821 NOTE: 10.0.x: https://github.com/vmware/open-vm-tools/commit/b3068b04880eda4ca3e13f2d34fb8ce336ad1a4f NOTE: 10.1.x: https://github.com/vmware/open-vm-tools/commit/22e58289f71232310d30cf162b83b5151a937bac CVE-2015-5190 (The pcsd web UI in PCS 0.9.139 and earlier allows remote authenticated ...) - pcs (Fixed before initial release to Debian) NOTE: https://github.com/feist/pcs/commit/634f6d93e4091946441f366e29859ed64a2c977a (0.9.144) CVE-2015-5189 (Race condition in pcsd in PCS 0.9.139 and earlier uses a global variab ...) - pcs (Fixed before the initial release in Debian) NOTE: Patch in Fedora: http://pkgs.fedoraproject.org/cgit/rpms/pcs.git/plain/fixed-session-and-cookies-processing.patch?h=f22&id=c4b5ad398cb011cdf31374d37943b6593411ae65 NOTE: Patch in CentOS 7 corresponding to RHSA-2015:1700: https://git.centos.org/blob/rpms!pcs/bafb6400d552c4d9e9cb46ddbe523e8f47e0de63/SOURCES!bz1253289-fixed-session-and-cookies-processing.patch CVE-2015-5188 (Cross-site request forgery (CSRF) vulnerability in the Web Console (we ...) NOT-FOR-US: JBoss EAP CVE-2015-5187 (Candlepin allows remote attackers to obtain sensitive information by o ...) NOT-FOR-US: candlepin / subscription-manager CVE-2015-5186 (Audit before 2.4.4 in Linux does not sanitize escape characters in fil ...) - audit 1:2.4.4-1 (unimportant; bug #795457) NOTE: Hardening, not a vulnerability. This is treated as a vulnerability in terminal emulators NOTE: https://fedorahosted.org/audit/changeset/1122 CVE-2015-5185 (The lookupProviders function in providerMgr.c in sblim-sfcb 1.3.4 and ...) - sblim-sfcb (bug #754493) CVE-2015-5184 (The Hawtio console in A-MQ allows remote attackers to obtain sensitive ...) NOT-FOR-US: A-MQ's Hawtio console CVE-2015-5183 (The Hawtio console in A-MQ does not set HTTPOnly or Secure attributes ...) NOT-FOR-US: A-MQ's Hawtio console CVE-2015-5182 (Cross-site request forgery (CSRF) vulnerability in the jolokia API in ...) NOT-FOR-US: A-MQ's Hawtio console CVE-2015-5181 (The JBoss console in A-MQ allows remote attackers to execute arbitrary ...) NOT-FOR-US: A-MQ's Hawtio console CVE-2015-5180 (res_query in libresolv in glibc before 2.25 allows remote attackers to ...) - glibc 2.24-9 (low; bug #796106) [jessie] - glibc (Minor issue, too intrusive to backport) - eglibc (low) [wheezy] - eglibc (Minor issue) [squeeze] - eglibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=18784 NOTE: Originally proposed for jessie 8.8, but breaks the NSS ABI so was retracted CVE-2015-5179 (FreeIPA might display user data improperly via vectors involving non-p ...) - freeipa (unimportant; bug #795399) NOTE: https://fedorahosted.org/freeipa/ticket/5153 NOTE: Negligible security impact CVE-2015-5178 (The Management Console in Red Hat Enterprise Application Platform befo ...) NOT-FOR-US: JBoss EAP CVE-2015-5177 (Double free vulnerability in the SLPDKnownDAAdd function in slpd/slpd_ ...) {DSA-3353-1 DLA-304-1} - openslp-dfsg 1.2.1-11 (bug #795429) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5177 CVE-2015-5176 (The PortletRequestDispatcher in PortletBridge, as used in Red Hat JBos ...) NOT-FOR-US: PortletBridge component in JBoss Portal CVE-2015-5175 (Application plugins in Apache CXF Fediz before 1.1.3 and 1.2.x before ...) NOT-FOR-US: Apache CXF Fediz CVE-2015-5174 (Directory traversal vulnerability in RequestUtil.java in Apache Tomcat ...) {DSA-3609-1 DSA-3552-1 DSA-3530-1 DLA-435-1} - tomcat8 8.0.28-1 - tomcat7 7.0.68-1 - tomcat6 6.0.41-3 NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs NOTE: Fixed in 6.0.45, 7.0.65, 8.0.27 CVE-2015-5173 (Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Piv ...) NOT-FOR-US: Cloud Foundry Runtime cf-release CVE-2015-5172 (Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Piv ...) NOT-FOR-US: Cloud Foundry Runtime cf-release CVE-2015-5171 (The password change functionality in Cloud Foundry Runtime cf-release ...) NOT-FOR-US: Cloud Foundry Runtime cf-release CVE-2015-5170 (Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Piv ...) NOT-FOR-US: Cloud Foundry Runtime cf-release CVE-2015-5169 (Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.2 ...) - libstruts1.2-java (Affects 2.0.0 - 2.3.16.3) CVE-2015-5168 (Unspecified vulnerability in the HTTP/2 experimental feature in Apache ...) - trafficserver 6.0.0-1 [wheezy] - trafficserver (Vulnerable code not present) CVE-2015-5167 (The Policy Admin Tool in Apache Ranger before 0.5.1 allows remote auth ...) NOT-FOR-US: Apache Ranger CVE-2015-5166 (Use-after-free vulnerability in QEMU in Xen 4.5.x and earlier does not ...) - qemu 1:2.4+dfsg-1a (bug #794611) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Vulnerable code not present) [squeeze] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) - xen 4.4.0-1 [wheezy] - xen (Vulnerable code not present) [squeeze] - xen (Vulnerable code not present) NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: pci_piix3_xen_ide_unplug introduced in http://git.qemu.org/?p=qemu.git;a=commitdiff;h=679f4f8b178e7c66fbc2f39c905374ee8663d5d8 (v1.0-rc0) NOTE: BlockDriverState converted to BlockBackend in http://git.qemu.org/?p=qemu.git;a=commitdiff;h=4be746345f13e99e468c60acbd3a355e8183e3ce (v2.2.0-rc0) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=6cd387833d05e8ad31829d97e474dc420625aed9 (v2.4.0-rc4) NOTE: http://xenbits.xen.org/xsa/advisory-139.html CVE-2015-5165 (The C+ mode offload emulation in the RTL8139 network card device model ...) {DSA-3349-1 DSA-3348-1 DLA-479-1} - qemu 1:2.4+dfsg-1a (bug #794610) [wheezy] - qemu 1.1.2+dfsg-6a+deb7u9 [squeeze] - qemu (Not supported in Squeeze LTS) - qemu-kvm [squeeze] - qemu-kvm (Not supported in Squeeze LTS) - xen 4.4.0-1 [wheezy] - xen (Too intrusive to backport) [squeeze] - xen (Not supported in Squeeze LTS) NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: http://xenbits.xen.org/xsa/advisory-140.html NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=39b8e7dcaf04cbdb926b478f825b160d852752b5 NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=d6812d60e7932de3cd0f602c0ee63dd3d09f1847 NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e1c120a9c54872f8a538ff9129d928de4e865cbd NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=03247d43c577dfea8181cd40177ad5ba77c8db76 NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=c6296ea88df040054ccd781f3945fe103f8c7c17 NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=4240be45632db7831129f124bcf53c1223825b0f NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=8357946b15f0a31f73dd691b7da95f29318ed310 CVE-2015-5164 (The Qpid server on Red Hat Satellite 6 does not properly restrict mess ...) NOT-FOR-US: Qpid server on Satellite6 CVE-2015-5163 (The import task action in OpenStack Image Service (Glance) 2015.1.x be ...) - glance 2015.1.0-4 (bug #795453) [jessie] - glance (Affects Glance 2015.1 versions trough 2015.1.1) [wheezy] - glance (Affects Glance 2015.1 versions trough 2015.1.1) CVE-2015-5162 (The image parser in OpenStack Cinder 7.0.2 and 8.0.0 through 8.1.1; Gl ...) - cinder 2:8.0.0-1 [jessie] - cinder (Minor issue) - glance 2:12.0.0-1 (low) [jessie] - glance (Minor issue) [wheezy] - glance (not supported in Wheezy) - nova 2:13.0.0-1 (low) [jessie] - nova (Minor issue) [wheezy] - nova (Minor issue) NOTE: Patches: http://www.openwall.com/lists/oss-security/2016/10/06/8 CVE-2015-5161 (The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework ...) {DSA-3340-1 DLA-302-1} - zendframework 1.12.14+dfsg-1 - php-zend-xml 1.0.1-1 NOTE: http://framework.zend.com/security/advisory/ZF2015-06 NOTE: Root issue already fixed in PHP 5.6.6, so this one is not relevant starting with Jessie CVE-2015-5160 (libvirt before 2.2 includes Ceph credentials on the qemu command line ...) - libvirt 2.2.0-1 (low; bug #796111) [jessie] - libvirt (Minor issue; needs changes first in QEMU) [wheezy] - libvirt (Minor issue; needs changes first in QEMU) [squeeze] - libvirt (Unsupported in squeeze-lts) NOTE: libvirt side fixed with: http://libvirt.org/git/?p=libvirt.git;a=commit;h=d53d465083edeb64cc7b78249c030734c0d91c6b NOTE: https://libvirt.org/git/?p=libvirt.git;a=commit;h=a1344f70a128921e7fe7213da7c1afbc962fba9c NOTE: and needs at least Qemu 2.6, which is satisfied in Stretch and later. NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1182074 (not yet opened) NOTE: https://www.redhat.com/archives/libvir-list/2011-November/msg00853.html NOTE: Needs changes in QEMU for passing passwords. Affects at least iSCSI and rbd/ceph. CVE-2015-5159 (python-kdcproxy before 0.3.2 allows remote attackers to cause a denial ...) NOT-FOR-US: kdcproxy CVE-2015-5158 (Stack-based buffer overflow in hw/scsi/scsi-bus.c in QEMU, when built ...) - qemu 1:2.4+dfsg-1a (bug #793388) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Vulnerable code not present) [squeeze] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2015-07/msg04558.html NOTE: Introduced in http://git.qemu.org/?p=qemu.git;a=commitdiff;h=1894df02811f6b79ea3ffbf1084599d96f316173 (v2.2.0-rc0) CVE-2015-5157 (arch/x86/entry/entry_64.S in the Linux kernel before 4.1.6 on the x86_ ...) {DSA-3313-1} - linux 4.0.8-2 [wheezy] - linux (Introduced in 3.3) - linux-2.6 (Introduced in 3.3) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b6e6a8334d56354853f9c255d1395c2ba570e0a NOTE: Same fix as for CVE-2015-3290. CVE-2015-5156 (The virtnet_probe function in drivers/net/virtio_net.c in the Linux ke ...) {DSA-3364-1 DLA-310-1} - linux 4.1.5-1 - linux-2.6 NOTE: http://marc.info/?l=linux-netdev&m=143868216724068&w=2 CVE-2015-5155 REJECTED CVE-2015-5154 (Heap-based buffer overflow in the IDE subsystem in QEMU, as used in Xe ...) {DSA-3348-1} - qemu 1:2.4+dfsg-1a (bug #793811) [wheezy] - qemu (Vulnerable code not present, introduced in 1.3) [squeeze] - qemu (Vulnerable code not present, introduced in 1.3) - qemu-kvm (Vulnerable code not present, introduced in 1.3) - xen 4.4.0-1 [wheezy] - xen (Vulnerable code not present, introduced in 4.2) [squeeze] - xen (Vulnerable code not present, introduced in 4.2) NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: http://xenbits.xen.org/xsa/advisory-138.html NOTE: qemu patches: NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=d2ff85854512574e7209f295e87b0835d5b032c6 NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=cb72cba83021fa42719e73a5249c12096a4d1cfc NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=03441c3a4a42beb25460dd11592539030337d0f8 NOTE: Introduced by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=ce560dcf20c14194db5ef3b9fc1ea592d4e68109 (v1.3.0-rc0) CVE-2015-5153 (Pulp does not remove permissions for named objects upon deletion, whic ...) NOT-FOR-US: Pulp (Red Hat) CVE-2015-5152 (Foreman after 1.1 and before 1.9.0-RC1 does not redirect HTTP requests ...) - foreman (bug #663101) CVE-2015-5151 (Cross-site scripting (XSS) vulnerability in the Slider Revolution (rev ...) NOT-FOR-US: Slider Revolution (revslider) plugin for WordPress CVE-2015-5150 (Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngi ...) NOT-FOR-US: Zoho ManageEngine SupportCenter Plus CVE-2015-5149 (Directory traversal vulnerability in Zoho ManageEngine SupportCenter P ...) NOT-FOR-US: Zoho ManageEngine SupportCenter Plus CVE-2015-5148 (SQL injection vulnerability in LivelyCart 1.2.0 allows remote attacker ...) NOT-FOR-US: LivelyCart CVE-2015-5145 (validators.URLValidator in Django 1.8.x before 1.8.3 allows remote att ...) - python-django (Vulnerable code not present) NOTE: https://www.djangoproject.com/weblog/2015/jul/08/security-releases/ CVE-2015-5144 (Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8 ...) {DSA-3305-1 DLA-272-1} - python-django 1.7.9-1 NOTE: https://www.djangoproject.com/weblog/2015/jul/08/security-releases/ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5144 has split out patches CVE-2015-5143 (The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7 ...) {DSA-3305-1 DLA-272-1} - python-django 1.7.9-1 NOTE: https://www.djangoproject.com/weblog/2015/jul/08/security-releases/ CVE-2015-5142 RESERVED CVE-2015-5141 RESERVED CVE-2015-5140 RESERVED CVE-2015-5139 RESERVED CVE-2015-5138 RESERVED CVE-2015-5137 RESERVED CVE-2015-5136 RESERVED CVE-2015-5135 RESERVED CVE-2015-5134 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5133 (Buffer overflow in Adobe Flash Player before 18.0.0.232 on Windows and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5132 (Buffer overflow in Adobe Flash Player before 18.0.0.232 on Windows and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5131 (Buffer overflow in Adobe Flash Player before 18.0.0.232 on Windows and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5130 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5129 (Heap-based buffer overflow in Adobe Flash Player before 18.0.0.232 on ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5128 REJECTED CVE-2015-5127 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 o ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5126 REJECTED CVE-2015-5125 (Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5124 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5123 (Use-after-free vulnerability in the BitmapData class in the ActionScri ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5122 (Use-after-free vulnerability in the DisplayObject class in the ActionS ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5121 (Adobe Shockwave Player before 12.1.9.159 allows attackers to execute a ...) NOT-FOR-US: Shockwave CVE-2015-5120 (Adobe Shockwave Player before 12.1.9.159 allows attackers to execute a ...) NOT-FOR-US: Shockwave CVE-2015-5119 (Use-after-free vulnerability in the ByteArray class in the ActionScrip ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5118 (Heap-based buffer overflow in Adobe Flash Player before 13.0.0.302 and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5117 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5116 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5115 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5114 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5113 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5112 REJECTED CVE-2015-5111 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5110 (Stack-based buffer overflow in Adobe Reader and Acrobat 10.x before 10 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5109 (Integer overflow in Adobe Reader and Acrobat 10.x before 10.1.15 and 1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5108 (Integer overflow in Adobe Reader and Acrobat 10.x before 10.1.15 and 1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5107 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5106 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5105 (Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10. ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5104 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5103 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5102 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5101 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5100 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5099 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5098 (Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10. ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5097 (Integer overflow in Adobe Reader and Acrobat 10.x before 10.1.15 and 1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5096 (Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10. ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5095 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5094 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5093 (Buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.15 and 11 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5092 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5091 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5090 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5089 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5088 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5087 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5086 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5085 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-5084 (The Siemens SIMATIC WinCC Sm@rtClient and Sm@rtClient Lite application ...) NOT-FOR-US: Siemens CVE-2015-5083 RESERVED CVE-2015-5082 (Endian Firewall before 3.0 allows remote attackers to execute arbitrar ...) NOT-FOR-US: Endian Firewall CVE-2015-5080 (The Management Interface in Citrix NetScaler Application Delivery Cont ...) NOT-FOR-US: Citrix CVE-2015-5079 (Directory traversal vulnerability in widgets/logs.php in BlackCat CMS ...) NOT-FOR-US: BlackCat CMS CVE-2015-5078 (SQL injection vulnerability in the insert function in application/cont ...) - limesurvey (bug #472802) CVE-2015-5077 RESERVED CVE-2015-5076 (Multiple cross-site scripting (XSS) vulnerabilities in X2Engine X2CRM ...) NOT-FOR-US: X2Engine CVE-2015-5075 (Cross-site request forgery (CSRF) vulnerability in X2Engine X2CRM befo ...) NOT-FOR-US: X2Engine CVE-2015-5074 (Incomplete blacklist vulnerability in the FileUploadsFilter class in p ...) NOT-FOR-US: X2Engine CVE-2015-5072 (The BIRT Engine servlet in the AR System Mid Tier component before 9.0 ...) NOT-FOR-US: AR System Mid Tier CVE-2015-5071 (AR System Mid Tier in the AR System Mid Tier component before 9.0 SP1 ...) NOT-FOR-US: AR System Mid Tier CVE-2014-9735 (The ThemePunch Slider Revolution (revslider) plugin before 3.0.96 for ...) NOT-FOR-US: WordPress plugins ThemePunch Slider Revolution (revslider) and Showbiz Pro CVE-2014-9734 (Directory traversal vulnerability in the Slider Revolution (revslider) ...) NOT-FOR-US: Slider Revolution (revslider) plugin for WordPress CVE-2015-5146 (ntpd in ntp before 4.2.8p3 with remote configuration enabled allows re ...) {DSA-3388-1 DLA-335-1} - ntp 1:4.2.8p3+dfsg-1 [jessie] - ntp (Minor issue) [wheezy] - ntp (Minor issue) [squeeze] - ntp (Minor issue) NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#June_2015_NTP_Security_Vulnerabi CVE-2015-5352 (The x11_open_helper function in channels.c in ssh in OpenSSH before 6. ...) {DLA-1500-1 DLA-288-1} - openssh 1:6.9p1-1 (bug #790798) [wheezy] - openssh (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/07/01/7 NOTE: https://anongit.mindrot.org/openssh.git/commit/?h=V_6_9&id=1bf477d3cdf1a864646d59820878783d42357a1d CVE-2015-5147 (Stack-based buffer overflow in the header_anchor function in the HTML ...) - ruby-redcarpet (Affects v3.3.0 - v3.3.1) NOTE: https://github.com/vmg/redcarpet/commit/2cee777c1e5babe8a1e2683d31ea75cc4afe55fb NOTE: http://www.openwall.com/lists/oss-security/2015/06/29/3 CVE-2015-5081 (Cross-site request forgery (CSRF) vulnerability in django CMS before 3 ...) - python-django-cms (bug #516183) CVE-2015-5073 (Heap-based buffer overflow in the find_fixedlength function in pcre_co ...) - pcre3 2:8.35-7 (bug #790000) [jessie] - pcre3 2:8.35-3.3+deb8u1 [wheezy] - pcre3 (Minor issue) [squeeze] - pcre3 (Minor issue) NOTE: https://bugs.exim.org/show_bug.cgi?id=1651 NOTE: Fixed by: http://vcs.pcre.org/pcre?view=revision&revision=1571 (8.38) NOTE: Introduced in http://vcs.pcre.org/pcre?view=revision&revision=454 (8.00) NOTE: http://www.openwall.com/lists/oss-security/2015/06/26/1 CVE-2015-5068 (XML external entity (XXE) vulnerability in SAP Mobile Platform 3 allow ...) NOT-FOR-US: SAP CVE-2015-5067 (The (1) Cross-System Tools and (2) Data Transfer Workbench in SAP NetW ...) NOT-FOR-US: SAP CVE-2015-5066 (Multiple cross-site scripting (XSS) vulnerabilities in the MetalGenix ...) NOT-FOR-US: MetalGenix GeniXCMS CVE-2015-5065 (Absolute path traversal vulnerability in proxy.php in the google curre ...) NOT-FOR-US: Paypal Currency Converter Basic For WooCommerce plugin for WordPress CVE-2015-5064 (Multiple cross-site scripting (XSS) vulnerabilities in MySql Lite Admi ...) NOT-FOR-US: MySql Lite Administrator CVE-2015-5063 (Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe CM ...) - silverstripe (bug #528461) CVE-2015-5062 (Open redirect vulnerability in SilverStripe CMS & Framework 3.1.13 ...) - silverstripe (bug #528461) CVE-2015-5061 (Cross-site scripting (XSS) vulnerability in Zoho ManageEngine AssetExp ...) NOT-FOR-US: Zoho ManageEngine AssetExplorer CVE-2015-5060 (Cross-site scripting (XSS) vulnerability in anchor-cms before 0.9-dev. ...) NOT-FOR-US: anchor-cms CVE-2015-5058 (Memory leak in the virtual server component in F5 Big-IP LTM, AAM, AFM ...) NOT-FOR-US: F5 BIG-IP CVE-2015-5056 RESERVED CVE-2015-5055 RESERVED CVE-2015-5054 (Open redirect vulnerability in Ellucian (formerly SunGard) Banner Stud ...) NOT-FOR-US: Ellucian (formerly SunGard) Banner Student CVE-2015-5053 (The host memory mapping path feature in the NVIDIA GPU graphics driver ...) - nvidia-graphics-drivers 352.41-1 [jessie] - nvidia-graphics-drivers (Only affects R352 and R346 Linux branches) [wheezy] - nvidia-graphics-drivers (Only affects R352 and R346 Linux branches) CVE-2015-5052 (SQL injection vulnerability in Sefrengo before 1.6.5 beta2. ...) NOT-FOR-US: Sefrengo CVE-2015-5051 (IBM Maximo Asset Management 7.5 before 7.5.0.8 IF6 and 7.6 before 7.6. ...) NOT-FOR-US: IBM CVE-2015-5050 (Cross-site request forgery (CSRF) vulnerability in IBM Emptoris Contra ...) NOT-FOR-US: IBM CVE-2015-5049 (SQL injection vulnerability in the API in IBM OpenPages GRC Platform 7 ...) NOT-FOR-US: IBM CVE-2015-5048 RESERVED CVE-2015-5047 RESERVED CVE-2015-5046 RESERVED CVE-2015-5045 (The Administration and Reporting tool in IBM Rational License Key Serv ...) NOT-FOR-US: IBM CVE-2015-5044 (The Flow Collector in IBM Security QRadar QFLOW 7.1.x before 7.1 MR2 P ...) NOT-FOR-US: IBM QRadar CVE-2015-5043 (diag in IBM Security Guardium 8.2 before p6015, 9.0 before p6015, 9.1, ...) NOT-FOR-US: IBM Security Guardium CVE-2015-5042 (IBM Emptoris Contract Management 9.5.0.x before 9.5.0.6 iFix15, 10.0.0 ...) NOT-FOR-US: IBM CVE-2015-5041 (The J9 JVM in IBM SDK, Java Technology Edition 6 before SR16 FP20, 6 R ...) NOT-FOR-US: IBM JDK CVE-2015-5040 (Buffer overflow in IBM Domino 8.5.1 through 8.5.3 before 8.5.3 FP6 IF1 ...) NOT-FOR-US: IBM Domino CVE-2015-5039 (The Remote Client and change management integrations in IBM Rational C ...) NOT-FOR-US: IBM CVE-2015-5038 (IBM Connections 3.x before 3.0.1.1 CR3, 4.0 before CR4, 4.5 before CR5 ...) NOT-FOR-US: IBM CVE-2015-5037 (Cross-site request forgery (CSRF) vulnerability in IBM Connections 3.x ...) NOT-FOR-US: IBM CVE-2015-5036 (Cross-site scripting (XSS) vulnerability in IBM Connections 3.x before ...) NOT-FOR-US: IBM CVE-2015-5035 (Cross-site scripting (XSS) vulnerability in IBM Connections 3.x before ...) NOT-FOR-US: IBM CVE-2015-5034 RESERVED CVE-2015-5033 RESERVED CVE-2015-5032 RESERVED CVE-2015-5031 RESERVED CVE-2015-5030 RESERVED CVE-2015-5029 RESERVED CVE-2015-5028 RESERVED CVE-2015-5027 RESERVED CVE-2015-5026 RESERVED CVE-2015-5025 RESERVED CVE-2015-5024 (IBM Emptoris Sourcing 10.0.2.0 before iFix6, 10.0.2.2 before iFix11, 1 ...) NOT-FOR-US: IBM CVE-2015-5023 (SQL injection vulnerability in IBM Curam Social Program Management 6.1 ...) NOT-FOR-US: IBM CVE-2015-5022 (IBM Multi-Enterprise Integration Gateway 1.x through 1.0.0.1 and B2B A ...) NOT-FOR-US: IBM CVE-2015-5021 (IBM InfoSphere Information Server 11.3 and 11.5 allows remote authenti ...) NOT-FOR-US: IBM CVE-2015-5020 (The Big SQL component in IBM InfoSphere BigInsights 3.0, 3.0.0.1, 3.0. ...) NOT-FOR-US: IBM CVE-2015-5019 (IBM Sterling Integrator 5.1 before 5010004_8 and Sterling B2B Integrat ...) NOT-FOR-US: IBM CVE-2015-5018 (IBM Security Access Manager for Web 7.0.0 before FP19 and 8.0 before 8 ...) NOT-FOR-US: IBM CVE-2015-5017 (IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 ...) NOT-FOR-US: IBM CVE-2015-5016 (IBM Maximo Asset Management 7.1, 7.5, and 7.6; Maximo Asset Management ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2015-5015 (IBM WebSphere Commerce Enterprise 7.0.0.9 and 8.x before Feature Pack ...) NOT-FOR-US: IBM CVE-2015-5014 (IBM Cognos Disclosure Management (CDM) 10.1.x and 10.2.x before 10.2.4 ...) NOT-FOR-US: IBM CVE-2015-5013 (The IBM Security Access Manager appliance includes configuration files ...) NOT-FOR-US: IBM CVE-2015-5012 (The SSH implementation on IBM Security Access Manager for Web applianc ...) NOT-FOR-US: IBM CVE-2015-5011 (IBM WebSphere Message Broker 8 before 8.0.0.6 and Integration Bus 9 be ...) NOT-FOR-US: IBM CVE-2015-5010 (IBM Security Access Manager for Web 7.0 before 7.0.0 IF21, 8.0 before ...) NOT-FOR-US: IBM CVE-2015-5009 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Commerce 6.0 ...) NOT-FOR-US: IBM CVE-2015-5008 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Commerce 6.0 ...) NOT-FOR-US: IBM CVE-2015-5007 (Cross-site request forgery (CSRF) vulnerability in IBM WebSphere Comme ...) NOT-FOR-US: IBM WebSphere CVE-2015-5006 (IBM Java Security Components in IBM SDK, Java Technology Edition 8 bef ...) NOT-FOR-US: IBM JDK CVE-2015-5005 (CSPOC in IBM PowerHA SystemMirror on AIX 6.1 and 7.1 allows remote aut ...) NOT-FOR-US: IBM CVE-2015-5004 (The Edge Component Caching Proxy in IBM WebSphere Application Server ( ...) NOT-FOR-US: IBM CVE-2015-5003 (The portal in IBM Tivoli Monitoring (ITM) 6.2.2 through FP9, 6.2.3 thr ...) NOT-FOR-US: IBM Tivoli Monitoring CVE-2015-5002 (Cross-site scripting (XSS) vulnerability in IBM Host On-Demand 11.0 th ...) NOT-FOR-US: IBM CVE-2015-5001 (IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 ...) NOT-FOR-US: IBM WebSphere Portal CVE-2015-5000 RESERVED CVE-2015-4999 RESERVED CVE-2015-4998 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 6.1.0 ...) NOT-FOR-US: IBM WebSphere Portal CVE-2015-4997 (IBM WebSphere Portal 8.5.0 before CF08 allows remote attackers to bypa ...) NOT-FOR-US: IBM CVE-2015-4996 (IBM Rational ClearQuest 7.1.x and 8.0.0.x before 8.0.0.17 and 8.0.1.x ...) NOT-FOR-US: IBM Rational ClearQuest CVE-2015-4995 RESERVED CVE-2015-4994 (Buffer overflow in IBM Domino 8.5.1 through 8.5.3 before 8.5.3 FP6 IF1 ...) NOT-FOR-US: IBM CVE-2015-4993 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 6.1.0 ...) NOT-FOR-US: IBM WebSphere CVE-2015-4992 (IBM Sterling B2B Integrator 5.2 before 5020500_8 allows remote authent ...) NOT-FOR-US: IBM CVE-2015-4991 (IBM SPSS Modeler 14.2 through FP3 IF027, 15 through FP3 IF015, 16 thro ...) NOT-FOR-US: IBM CVE-2015-4990 (The portal in IBM Tealeaf Customer Experience before 8.7.1.8818, 8.8 b ...) NOT-FOR-US: IBM Tealeaf Customer Experience CVE-2015-4989 (The portal in IBM Tealeaf Customer Experience before 8.7.1.8814, 8.8 b ...) NOT-FOR-US: IBM Tealeaf Customer Experience CVE-2015-4988 (Directory traversal vulnerability in the replay server in IBM Tealeaf ...) NOT-FOR-US: IBM Tealeaf Customer Experience CVE-2015-4987 (The search and replay servers in IBM Tealeaf Customer Experience 8.0 t ...) NOT-FOR-US: IBM Tealeaf Customer Experience CVE-2015-4986 RESERVED CVE-2015-4985 RESERVED CVE-2015-4984 RESERVED CVE-2015-4983 RESERVED CVE-2015-4982 RESERVED CVE-2015-4981 (IBM General Parallel File System (GPFS) 3.5.x before 3.5.0.27 and 4.1. ...) NOT-FOR-US: IBM General Parallel File System CVE-2015-4980 (Unspecified vulnerability in IBM WebSphere Commerce 7.0.0.6 through 7. ...) NOT-FOR-US: IBM WebSphere CVE-2015-4979 RESERVED CVE-2015-4978 RESERVED CVE-2015-4977 RESERVED CVE-2015-4976 RESERVED CVE-2015-4975 RESERVED CVE-2015-4974 (IBM General Parallel File System (GPFS) 3.5.x before 3.5.0.27 and 4.1. ...) NOT-FOR-US: IBM CVE-2015-4973 (Cross-site scripting (XSS) vulnerability in IBM Multi-Enterprise Integ ...) NOT-FOR-US: IBM CVE-2015-4972 RESERVED CVE-2015-4971 (Cross-site scripting (XSS) vulnerability in IBM Emptoris Strategic Sup ...) NOT-FOR-US: IBM CVE-2015-4970 RESERVED CVE-2015-4969 RESERVED CVE-2015-4968 REJECTED CVE-2015-4967 (SQL injection vulnerability in IBM Maximo Asset Management 7.1 through ...) NOT-FOR-US: IBM CVE-2015-4966 (IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.9 ...) NOT-FOR-US: IBM CVE-2015-4965 (maximouiweb/webmodule/webclient/utility/merlin.jsp in IBM Maximo Asset ...) NOT-FOR-US: IBM CVE-2015-4964 (IBM UrbanCode Deploy 6.0 and 6.0.1.x before 6.0.1.10, 6.1.1.x before 6 ...) NOT-FOR-US: IBM CVE-2015-4963 (IBM Security Access Manager for Web 7.x before 7.0.0.16 and 8.x before ...) NOT-FOR-US: IBM CVE-2015-4962 (Jazz Team Server in Jazz Foundation in IBM Rational Collaborative Life ...) NOT-FOR-US: IBM CVE-2015-4961 (IBM Tealeaf Customer Experience 8.x before 8.7.1.8847 FP10, 8.8.x befo ...) NOT-FOR-US: IBM CVE-2015-4960 (IBM InfoSphere Master Data Management - Collaborative Edition 9.1, 10. ...) NOT-FOR-US: IBM InfoSphere Master Data Management CVE-2015-4959 (Cross-site scripting (XSS) vulnerability in IBM Tivoli Federated Ident ...) NOT-FOR-US: IBM Tivoli Federated Identity Manager CVE-2015-4958 (IBM InfoSphere Master Data Management - Collaborative Edition 9.1, 10. ...) NOT-FOR-US: IBM InfoSphere Master Data Management CVE-2015-4957 (Cross-site scripting (XSS) vulnerability in the Web UI in IBM Security ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2015-4956 (The Web UI in IBM Security QRadar SIEM 7.1.x before 7.1 MR2 Patch 12 a ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2015-4955 (Cross-site scripting (XSS) vulnerability in IBM Business Process Manag ...) NOT-FOR-US: IBM CVE-2015-4954 (IBM BigFix Remote Control before Interim Fix pack 9.1.2-TIV-IBRC912-IF ...) NOT-FOR-US: IBM CVE-2015-4953 (IBM BigFix Remote Control before Interim Fix pack 9.1.2-TIV-IBRC912-IF ...) NOT-FOR-US: IBM CVE-2015-4952 (The on-demand plugin in IBM Endpoint Manager for Remote Control 9.0.1 ...) NOT-FOR-US: IBM CVE-2015-4951 (Client Acceptor Daemon (CAD) in the client in IBM Spectrum Protect (fo ...) NOT-FOR-US: IBM Spectrum Protect CVE-2015-4950 (The mailbox-restore feature in IBM Tivoli Storage Manager for Mail: Da ...) NOT-FOR-US: IBM CVE-2015-4949 (IBM Tivoli Storage Manager for Databases: Data Protection for Microsof ...) NOT-FOR-US: IBM CVE-2015-4948 (netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre chan ...) NOT-FOR-US: IBM CVE-2015-4947 (Stack-based buffer overflow in the Administration Server in IBM HTTP S ...) NOT-FOR-US: IBM WebSphere CVE-2015-4946 (Rational LifeCycle Project Administration in Jazz Team Server in IBM R ...) NOT-FOR-US: IBM CVE-2015-4945 (Unspecified vulnerability in the IBM Maximo Anywhere application 7.5.1 ...) NOT-FOR-US: IBM CVE-2015-4944 (Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Managemen ...) NOT-FOR-US: IBM CVE-2015-4943 (IBM WebSphere MQ Light 1.x before 1.0.2 allows remote attackers to cau ...) NOT-FOR-US: IBM WebSphere CVE-2015-4942 (IBM WebSphere MQ Light 1.x before 1.0.2 allows remote attackers to cau ...) NOT-FOR-US: IBM WebSphere CVE-2015-4941 (IBM WebSphere MQ Light 1.x before 1.0.2 mishandles abbreviated TLS han ...) NOT-FOR-US: IBM WebSphere CVE-2015-4940 (Apache Ambari before 2.1, as used in IBM Infosphere BigInsights 4.x be ...) NOT-FOR-US: IBM CVE-2015-4939 (Cross-site scripting (XSS) vulnerability in IBM Emptoris Supplier Life ...) NOT-FOR-US: IBM CVE-2015-4938 (IBM WebSphere Application Server 7.x before 7.0.0.39, 8.0.x before 8.0 ...) NOT-FOR-US: IBM WebSphere CVE-2015-4937 RESERVED CVE-2015-4936 (Unspecified vulnerability in IBM WebSphere eXtreme Scale 8.6 through 8 ...) NOT-FOR-US: IBM CVE-2015-4935 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...) NOT-FOR-US: IBM CVE-2015-4934 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...) NOT-FOR-US: IBM CVE-2015-4933 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...) NOT-FOR-US: IBM CVE-2015-4932 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...) NOT-FOR-US: IBM CVE-2015-4931 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...) NOT-FOR-US: IBM CVE-2015-4930 (IBM QRadar SIEM 7.1 MR2 before Patch 11 IF02 and 7.2.x before 7.2.5 Pa ...) NOT-FOR-US: IBM QRadar SIEM CVE-2015-4929 (IBM License Metric Tool 9 before 9.2.1.0 and Endpoint Manager for Soft ...) NOT-FOR-US: IBM CVE-2015-4928 (Apache Ambari before 2.1, as used in IBM Infosphere BigInsights 4.x be ...) NOT-FOR-US: Apache Ambari CVE-2015-4927 (The Reporting and Monitoring component in Tivoli Monitoring in IBM Tiv ...) NOT-FOR-US: IBM CVE-2015-4926 (Unspecified vulnerability in the Oracle Applications Framework compone ...) NOT-FOR-US: Oracle CVE-2015-4925 (Unspecified vulnerability in the Workspace Manager component in Oracle ...) NOT-FOR-US: Oracle CVE-2015-4924 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2015-4923 (Unspecified vulnerability in the XML Developer's Kit for C component i ...) NOT-FOR-US: Oracle CVE-2015-4922 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Oracle CVE-2015-4921 (Unspecified vulnerability in the Database Vault component in Oracle Da ...) NOT-FOR-US: Oracle CVE-2015-4920 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Oracle CVE-2015-4919 (Unspecified vulnerability in the JD Edwards EnterpriseOne Tools compon ...) NOT-FOR-US: Oracle CVE-2015-4918 REJECTED CVE-2015-4917 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2015-4916 (Unspecified vulnerability in Oracle Java SE 8u60 and JavaFX 2.2.85 all ...) - openjfx 8u91-b14-1 (bug #823622) CVE-2015-4915 (Unspecified vulnerability in the Integrated Lights Out Manager (ILOM) ...) NOT-FOR-US: Oracle CVE-2015-4914 (Unspecified vulnerability in the Oracle HTTP Server component in Oracl ...) NOT-FOR-US: Oracle CVE-2015-4913 (Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier an ...) {DSA-3385-1 DSA-3377-1 DLA-359-1} - mysql-5.6 5.6.27-1 (bug #802563) - mysql-5.5 (bug #802564) - mariadb-10.0 10.0.22-1 (bug #802874) NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html CVE-2015-4912 (Unspecified vulnerability in the Oracle Access Manager component in Or ...) NOT-FOR-US: Oracle CVE-2015-4911 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Jav ...) {DSA-3465-1 DSA-3381-1 DLA-346-1} - openjdk-6 - openjdk-7 7u85-2.6.1-6 - openjdk-8 8u66-b17-1 CVE-2015-4910 (Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier al ...) - mysql-5.6 5.6.27-1 (bug #802563) - mysql-5.5 (Only affects MySQL 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html CVE-2015-4909 (Unspecified vulnerability in the Oracle JDeveloper component in Oracle ...) NOT-FOR-US: Oracle CVE-2015-4908 (Unspecified vulnerability in Oracle Java SE 8u60 and JavaFX 2.2.85 all ...) - openjfx 8u91-b14-1 (bug #823622) CVE-2015-4907 (Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local user ...) NOT-FOR-US: Oracle Sun Solaris CVE-2015-4906 (Unspecified vulnerability in Oracle Java SE 8u60 and JavaFX 2.2.85 all ...) - openjfx 8u91-b14-1 (bug #823622) CVE-2015-4905 (Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier al ...) - mysql-5.6 5.6.25-2 - mysql-5.5 (Only affects MySQL 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html CVE-2015-4904 (Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier al ...) - mysql-5.6 5.6.27-1 (bug #802563) - mysql-5.5 (Only affects MySQL 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html CVE-2015-4903 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and ...) {DSA-3465-1 DSA-3381-1 DLA-346-1} - openjdk-6 - openjdk-7 7u85-2.6.1-6 - openjdk-8 8u66-b17-1 CVE-2015-4902 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60 allo ...) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2015-4901 (Unspecified vulnerability in Oracle Java SE 8u60 allows remote attacke ...) - openjfx 8u91-b14-1 (bug #823622) CVE-2015-4900 (Unspecified vulnerability in the XDB - XML Database component in Oracl ...) NOT-FOR-US: Oracle CVE-2015-4899 (Unspecified vulnerability in the Oracle GlassFish Server component in ...) - glassfish (Full application server not packaged) CVE-2015-4898 (Unspecified vulnerability in the Oracle Applications Framework compone ...) NOT-FOR-US: Oracle CVE-2015-4897 REJECTED CVE-2015-4896 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) {DSA-3384-1} - virtualbox 5.0.8-dfsg-1 - virtualbox-ose [squeeze] - virtualbox-ose (No longer supported in Squeeze LTS) CVE-2015-4895 (Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier al ...) {DSA-3385-1} - mysql-5.6 5.6.27-1 (bug #802563) - mysql-5.5 (Only affects MySQL 5.6) - mariadb-10.0 10.0.21-3 NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html CVE-2015-4894 (Unspecified vulnerability in the Mobile Server component in Oracle Dat ...) NOT-FOR-US: Oracle CVE-2015-4893 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Jav ...) {DSA-3465-1 DSA-3381-1 DLA-346-1} - openjdk-6 - openjdk-7 7u85-2.6.1-6 - openjdk-8 8u66-b17-1 CVE-2015-4892 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2015-4891 (Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local user ...) NOT-FOR-US: Oracle Sun Solaris CVE-2015-4890 (Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier al ...) - mysql-5.6 5.6.27-1 (bug #802563) - mysql-5.5 (Only affects MySQL 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html CVE-2015-4889 REJECTED CVE-2015-4888 (Unspecified vulnerability in the Java VM component in Oracle Database ...) NOT-FOR-US: Oracle CVE-2015-4887 (Unspecified vulnerability in the PeopleSoft Enterprise HCM component i ...) NOT-FOR-US: Oracle CVE-2015-4886 (Unspecified vulnerability in the Oracle Report Manager component in Or ...) NOT-FOR-US: Oracle CVE-2015-4885 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle CVE-2015-4884 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle CVE-2015-4883 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and ...) {DSA-3465-1 DSA-3381-1 DLA-346-1} - openjdk-6 - openjdk-7 7u85-2.6.1-6 - openjdk-8 8u66-b17-1 CVE-2015-4882 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and ...) {DSA-3465-1 DSA-3381-1 DLA-346-1} - openjdk-6 - openjdk-7 7u85-2.6.1-6 - openjdk-8 8u66-b17-1 CVE-2015-4881 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and ...) {DSA-3465-1 DSA-3381-1 DLA-346-1} - openjdk-6 - openjdk-7 7u85-2.6.1-6 - openjdk-8 8u66-b17-1 CVE-2015-4880 (Unspecified vulnerability in the Oracle WebCenter Content component in ...) NOT-FOR-US: Oracle CVE-2015-4879 (Unspecified vulnerability in Oracle MySQL Server 5.5.44 and earlier, a ...) {DSA-3385-1 DSA-3377-1 DLA-359-1} - mysql-5.6 5.6.27-1 (bug #802563) - mysql-5.5 (bug #802564) - mariadb-10.0 10.0.21-3 NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html CVE-2015-4878 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle CVE-2015-4877 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle CVE-2015-4876 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle CVE-2015-4875 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle CVE-2015-4874 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle CVE-2015-4873 (Unspecified vulnerability in the Database Scheduler component in Oracl ...) NOT-FOR-US: Oracle CVE-2015-4872 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Jav ...) {DSA-3465-1 DSA-3381-1 DLA-346-1} - openjdk-6 - openjdk-7 7u85-2.6.1-6 - openjdk-8 8u66-b17-1 CVE-2015-4871 (Unspecified vulnerability in Oracle Java SE 7u85 allows remote attacke ...) {DSA-3401-1} - openjdk-7 7u91-2.6.3-1 CVE-2015-4870 (Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier, a ...) {DSA-3385-1 DSA-3377-1 DLA-359-1} - mysql-5.6 5.6.27-1 (bug #802563) - mysql-5.5 (bug #802564) - mariadb-10.0 10.0.22-1 (bug #802874) NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html CVE-2015-4869 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11.2 allows loc ...) NOT-FOR-US: Oracle Sun Solaris CVE-2015-4868 (Unspecified vulnerability in Oracle Java SE 8u60 and Java SE Embedded ...) - openjdk-8 8u66-b17-1 CVE-2015-4867 (Unspecified vulnerability in the Oracle WebCenter Content component in ...) NOT-FOR-US: Oracle CVE-2015-4866 (Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier al ...) - mysql-5.6 5.6.25-2 - mysql-5.5 (Only affects MySQL 5.6) - mariadb-10.0 10.0.19-1 [jessie] - mariadb-10.0 10.0.20-0+deb8u1 NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html NOTE: MariaDB: fixed in 10.0.18 CVE-2015-4865 (Unspecified vulnerability in the Oracle Applications Framework compone ...) NOT-FOR-US: Oracle CVE-2015-4864 (Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier an ...) - mysql-5.6 5.6.25-2 - mysql-5.5 [jessie] - mysql-5.5 5.5.44-0+deb8u1 [wheezy] - mysql-5.5 5.5.44-0+deb7u1 [squeeze] - mysql-5.5 5.5.46-0+deb6u1 CVE-2015-4863 (Unspecified vulnerability in the Portable Clusterware component in Ora ...) NOT-FOR-US: Oracle CVE-2015-4862 (Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier al ...) - mysql-5.6 5.6.27-1 (bug #802563) - mysql-5.5 (Only affects MySQL 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html CVE-2015-4861 (Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier, a ...) {DSA-3385-1 DSA-3377-1 DLA-359-1} - mysql-5.6 5.6.27-1 (bug #802563) - mysql-5.5 (bug #802564) - mariadb-10.0 10.0.22-1 (bug #802874) NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html CVE-2015-4860 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and ...) {DSA-3465-1 DSA-3381-1 DLA-346-1} - openjdk-6 - openjdk-7 7u85-2.6.1-6 - openjdk-8 8u66-b17-1 CVE-2015-4859 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle CVE-2015-4858 (Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier, a ...) {DSA-3385-1 DSA-3377-1 DLA-359-1} - mysql-5.6 5.6.27-1 (bug #802563) - mysql-5.5 (bug #802564) - mariadb-10.0 10.0.22-1 (bug #802874) NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html CVE-2015-4857 (Unspecified vulnerability in the RDBMS component in Oracle Database Se ...) NOT-FOR-US: Oracle CVE-2015-4856 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) - virtualbox 5.0.0-dfsg-1 [jessie] - virtualbox 4.3.30-dfsg-1+deb8u1 [wheezy] - virtualbox 4.1.40-dfsg-1+deb7u1 - virtualbox-ose [squeeze] - virtualbox-ose (No longer supported in Squeeze LTS) CVE-2015-4855 REJECTED CVE-2015-4854 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle CVE-2015-4853 REJECTED CVE-2015-4852 (The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2. ...) NOT-FOR-US: Oracle CVE-2015-4851 (Unspecified vulnerability in the Oracle iSupplier Portal component in ...) NOT-FOR-US: Oracle CVE-2015-4850 (Unspecified vulnerability in the PeopleSoft Enterprise HCM component i ...) NOT-FOR-US: Oracle CVE-2015-4849 (Unspecified vulnerability in the Oracle Payments component in Oracle E ...) NOT-FOR-US: Oracle CVE-2015-4848 (Unspecified vulnerability in the Oracle Configurator component in Orac ...) NOT-FOR-US: Oracle CVE-2015-4847 (Unspecified vulnerability in the Oracle Configurator component in Orac ...) NOT-FOR-US: Oracle CVE-2015-4846 (Unspecified vulnerability in the Oracle Applications Manager component ...) NOT-FOR-US: Oracle CVE-2015-4845 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle CVE-2015-4844 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and ...) {DSA-3725-1 DSA-3465-1 DSA-3381-1 DLA-545-1 DLA-346-1} - openjdk-6 - openjdk-7 7u85-2.6.1-6 - openjdk-8 8u66-b17-1 - icu 57.1-1.1 NOTE: http://bugs.icu-project.org/trac/ticket/12020 NOTE: For ICU note that the original fix causes additional problems: NOTE: https://ssl.icu-project.org/trac/ticket/12020#comment:4 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1298906#c1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1273318 NOTE: see also CVE-2016-0494, introduced in through the fix for this CVE. NOTE: Upstream commit for OpenJDK: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/dbb4e2bdfa9e CVE-2015-4843 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and ...) {DSA-3465-1 DSA-3381-1 DLA-346-1} - openjdk-6 - openjdk-7 7u85-2.6.1-6 - openjdk-8 8u66-b17-1 CVE-2015-4842 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and ...) {DSA-3465-1 DSA-3381-1 DLA-346-1} - openjdk-6 - openjdk-7 7u85-2.6.1-6 - openjdk-8 8u66-b17-1 CVE-2015-4841 (Unspecified vulnerability in the Siebel Core - Server Framework compon ...) NOT-FOR-US: Oracle Siebel CRM CVE-2015-4840 (Unspecified vulnerability in Oracle Java SE 7u85 and 8u60, and Java SE ...) {DSA-3381-1} - openjdk-7 7u85-2.6.1-6 - openjdk-8 8u66-b17-1 CVE-2015-4839 (Unspecified vulnerability in the Oracle Applications Technology Stack ...) NOT-FOR-US: Oracle CVE-2015-4838 (Unspecified vulnerability in the Oracle JDeveloper component in Oracle ...) NOT-FOR-US: Oracle CVE-2015-4837 (Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local user ...) NOT-FOR-US: Oracle Sun Solaris CVE-2015-4836 (Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier, a ...) {DSA-3385-1 DSA-3377-1 DLA-359-1} - mysql-5.6 5.6.27-1 (bug #802563) - mysql-5.5 (bug #802564) - mariadb-10.0 10.0.22-1 (bug #802874) NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html CVE-2015-4835 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and ...) {DSA-3465-1 DSA-3381-1 DLA-346-1} - openjdk-6 - openjdk-7 7u85-2.6.1-6 - openjdk-8 8u66-b17-1 CVE-2015-4834 (Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local user ...) NOT-FOR-US: Oracle Sun Solaris CVE-2015-4833 (Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier al ...) - mysql-5.6 5.6.27-1 (bug #802563) - mysql-5.5 (Only affects MySQL 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html CVE-2015-4832 (Unspecified vulnerability in the Oracle Identity Manager component in ...) NOT-FOR-US: Oracle CVE-2015-4831 (Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local user ...) NOT-FOR-US: Oracle Sun Solaris CVE-2015-4830 (Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier an ...) {DSA-3385-1 DSA-3377-1 DLA-359-1} - mysql-5.6 5.6.27-1 (bug #802563) - mysql-5.5 (bug #802564) - mariadb-10.0 10.0.22-1 (bug #802874) NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html CVE-2015-4829 REJECTED CVE-2015-4828 (Unspecified vulnerability in the PeopleSoft Enterprise FSCM component ...) NOT-FOR-US: Oracle CVE-2015-4827 (Unspecified vulnerability in the Oracle Retail Open Commerce Platform ...) NOT-FOR-US: Oracle CVE-2015-4826 (Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier an ...) {DSA-3385-1 DSA-3377-1 DLA-359-1} - mysql-5.6 5.6.27-1 (bug #802563) - mysql-5.5 (bug #802564) - mariadb-10.0 10.0.22-1 (bug #802874) NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html CVE-2015-4825 (Unspecified vulnerability in the PeopleSoft Enterprise FIN Expenses co ...) NOT-FOR-US: Oracle CVE-2015-4824 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2015-4823 (Unspecified vulnerability in the Hyperion Installation Technology comp ...) NOT-FOR-US: Oracle CVE-2015-4822 (Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local user ...) NOT-FOR-US: Oracle Sun Solaris CVE-2015-4821 (Unspecified vulnerability in the Integrated Lights Out Manager (ILOM) ...) NOT-FOR-US: Oracle CVE-2015-4820 (Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local user ...) NOT-FOR-US: Oracle Sun Solaris CVE-2015-4819 (Unspecified vulnerability in Oracle MySQL Server 5.5.44 and earlier, a ...) {DSA-3385-1 DSA-3377-1 DLA-359-1} - mysql-5.6 5.6.27-1 (bug #802563) - mysql-5.5 (bug #802564) - mariadb-10.0 10.0.21-3 NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html CVE-2015-4818 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle CVE-2015-4817 (Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local user ...) NOT-FOR-US: Oracle Sun Solaris CVE-2015-4816 (Unspecified vulnerability in Oracle MySQL Server 5.5.44 and earlier al ...) {DSA-3385-1 DSA-3377-1 DLA-359-1} - mysql-5.6 (Only affects MySQL 5.5) - mysql-5.5 (bug #802564) - mariadb-10.0 10.0.21-3 NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html CVE-2015-4815 (Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier an ...) {DSA-3385-1 DSA-3377-1 DLA-359-1} - mysql-5.6 5.6.27-1 (bug #802563) - mysql-5.5 (bug #802564) - mariadb-10.0 10.0.22-1 (bug #802874) NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html CVE-2015-4814 REJECTED CVE-2015-4813 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) {DSA-3384-1} - virtualbox 5.0.8-dfsg-1 - virtualbox-ose [squeeze] - virtualbox-ose (No longer supported in Squeeze LTS) CVE-2015-4812 (Unspecified vulnerability in the Oracle HTTP Server component in Oracl ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2015-4811 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2015-4810 (Unspecified vulnerability in Oracle Java SE 7u85 and 8u60 allows local ...) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2015-4809 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2015-4808 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2015-4807 (Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier an ...) - mysql-5.6 (Only on Windows plattform) - mysql-5.5 (Only on Windows plattform) - mariadb-10.0 (Only on Windows plattform) NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html CVE-2015-4806 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and ...) {DSA-3465-1 DSA-3381-1 DLA-346-1} - openjdk-6 - openjdk-7 7u85-2.6.1-6 - openjdk-8 8u66-b17-1 CVE-2015-4805 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and ...) {DSA-3465-1 DSA-3381-1 DLA-346-1} - openjdk-6 - openjdk-7 7u85-2.6.1-6 - openjdk-8 8u66-b17-1 CVE-2015-4804 (Unspecified vulnerability in the PeopleSoft Enterprise HCM Talent Acqu ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2015-4803 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Jav ...) {DSA-3465-1 DSA-3381-1 DLA-346-1} - openjdk-6 - openjdk-7 7u85-2.6.1-6 - openjdk-8 8u66-b17-1 CVE-2015-4802 (Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier an ...) {DSA-3385-1 DSA-3377-1 DLA-359-1} - mysql-5.6 5.6.27-1 (bug #802563) - mysql-5.5 (bug #802564) - mariadb-10.0 10.0.22-1 (bug #802874) NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html CVE-2015-4801 (Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local user ...) NOT-FOR-US: Oracle Sun Solaris CVE-2015-4800 (Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier al ...) - mysql-5.6 5.6.27-1 (bug #802563) - mysql-5.5 (Only affects MySQL 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html CVE-2015-4799 (Unspecified vulnerability in the Oracle WebCenter Sites component in O ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2015-4798 (Unspecified vulnerability in the Oracle Applications Technology Stack ...) NOT-FOR-US: Oracle E-Business Suite CVE-2015-4797 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2015-4796 (Unspecified vulnerability in the Java VM component in Oracle Database ...) NOT-FOR-US: Oracle Database Server CVE-2015-4795 (Unspecified vulnerability in the Oracle Utilities Work and Asset Manag ...) NOT-FOR-US: Oracle Industry Applications CVE-2015-4794 (Unspecified vulnerability in the Java VM component in Oracle Database ...) NOT-FOR-US: Oracle Database Server CVE-2015-4793 (Unspecified vulnerability in the Oracle Communications Convergence com ...) NOT-FOR-US: Oracle Communications Applications CVE-2015-4792 (Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier an ...) {DSA-3385-1 DSA-3377-1 DLA-359-1} - mysql-5.6 5.6.27-1 (bug #802563) - mysql-5.5 (bug #802564) - mariadb-10.0 10.0.22-1 (bug #802874) NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html CVE-2015-4791 (Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier al ...) - mysql-5.6 (Only on Windows plattform) - mysql-5.5 (Only affects MySQL 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html CVE-2015-4790 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...) NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability) CVE-2015-4789 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...) NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability) CVE-2015-4788 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...) NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability) CVE-2015-4787 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...) NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability) CVE-2015-4786 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...) NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability) CVE-2015-4785 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...) NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability) CVE-2015-4784 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...) NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability) CVE-2015-4783 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...) NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability) CVE-2015-4782 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...) NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability) CVE-2015-4781 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...) NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability) CVE-2015-4780 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...) NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability) CVE-2015-4779 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...) NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability) CVE-2015-4778 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...) NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability) CVE-2015-4777 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...) NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability) CVE-2015-4776 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...) NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability) CVE-2015-4775 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...) NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability) CVE-2015-4774 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...) NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability) CVE-2015-4773 (Unspecified vulnerability in the Hyperion Common Security component in ...) NOT-FOR-US: Oracle Hyperion CVE-2015-4772 (Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier al ...) - mysql-5.6 5.6.25-2 - mysql-5.5 (Only 5.6 series) NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL CVE-2015-4771 (Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier al ...) - mysql-5.6 5.6.25-2 - mysql-5.5 (Only 5.6 series) NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL CVE-2015-4770 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11.2 allows loc ...) NOT-FOR-US: Oracle Sun Solaris CVE-2015-4769 (Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier al ...) - mysql-5.6 5.6.25-2 - mysql-5.5 (Only 5.6 series) NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL CVE-2015-4768 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracal Supply Chain CVE-2015-4767 (Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier al ...) - mysql-5.6 5.6.25-2 - mysql-5.5 (Only 5.6 series) NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL CVE-2015-4766 (Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier al ...) - mysql-5.6 5.6.27-1 (bug #802563) - mysql-5.5 (Only affects MySQL 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html CVE-2015-4765 (Unspecified vulnerability in the Oracle Applications Manager component ...) NOT-FOR-US: Oracle Applications Manager CVE-2015-4764 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...) NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability) CVE-2015-4763 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle Supply Chain CVE-2015-4762 (Unspecified vulnerability in the Oracle Applications DBA component in ...) NOT-FOR-US: Oracle E-Business Suite CVE-2015-4761 (Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier al ...) - mysql-5.6 5.6.25-2 - mysql-5.5 (Only 5.6 series) NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL CVE-2015-4760 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45 allow ...) {DSA-3339-1 DSA-3323-1 DSA-3316-1 DLA-303-1 DLA-283-1} [experimental] - openjdk-6 6b36-1.13.8-1 - openjdk-6 - openjdk-7 7u79-2.5.6-1 - openjdk-8 8u66-b01-1 - icu 52.1-10 NOTE: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/3f9845510b47 NOTE: "Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets." CVE-2015-4759 (Unspecified vulnerability in the Oracle Data Integrator component in O ...) NOT-FOR-US: Oracle Fusion CVE-2015-4758 (Unspecified vulnerability in the Oracle Data Integrator component in O ...) NOT-FOR-US: Oracle Fusion CVE-2015-4757 (Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier an ...) {DSA-3311-1} - mysql-5.6 5.6.25-2 - mysql-5.5 5.5.43-0+deb8u1 NOTE: mysql-5.5 5.5.43 was not uploaded to unstable, bug migrated to unstable due to upload to jessie-security [jessie] - mysql-5.5 5.5.43-0+deb8u1 [wheezy] - mysql-5.5 5.5.43-0+deb7u1 - mariadb-10.0 10.0.19-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL CVE-2015-4756 (Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier al ...) - mysql-5.6 5.6.25-2 - mysql-5.5 (Only 5.6 series) NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL CVE-2015-4755 (Unspecified vulnerability in the RDBMS Security component in Oracle Da ...) NOT-FOR-US: Oracle Database Server CVE-2015-4754 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...) NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability) CVE-2015-4753 (Unspecified vulnerability in the RDBMS Support Tools component in Orac ...) NOT-FOR-US: Oracle Database Server CVE-2015-4752 (Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier an ...) {DSA-3311-1 DSA-3308-1 DLA-359-1} - mysql-5.6 5.6.25-2 - mysql-5.5 (bug #792445) - mariadb-10.0 10.0.20-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL CVE-2015-4751 (Unspecified vulnerability in the Oracle Access Manager component in Or ...) NOT-FOR-US: Oracle Fusion CVE-2015-4750 (Unspecified vulnerability in the Oracle VM Server for SPARC component ...) NOT-FOR-US: Oracle VM Server CVE-2015-4749 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; JRoc ...) {DSA-3339-1 DSA-3316-1 DLA-303-1} [experimental] - openjdk-6 6b36-1.13.8-1 - openjdk-6 - openjdk-7 7u79-2.5.6-1 - openjdk-8 8u66-b01-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA NOTE: "Applies to client and server deployment of Java." CVE-2015-4748 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; JRoc ...) {DSA-3339-1 DSA-3316-1 DLA-303-1} [experimental] - openjdk-6 6b36-1.13.8-1 - openjdk-6 - openjdk-7 7u79-2.5.6-1 - openjdk-8 8u66-b01-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA NOTE: "Applies to client and server deployment of Java." CVE-2015-4747 (Unspecified vulnerability in the Oracle Event Processing component in ...) NOT-FOR-US: Oracle Fusion CVE-2015-4746 (Unspecified vulnerability in the Oracle Agile Product Lifecycle Manage ...) NOT-FOR-US: Oracle Supply Chain CVE-2015-4745 (Unspecified vulnerability in the Oracle Endeca Information Discovery S ...) NOT-FOR-US: Oracle Fusion CVE-2015-4744 (Unspecified vulnerability in the Oracle GlassFish Server component in ...) - glassfish (Full application server not packaged) CVE-2015-4743 (Unspecified vulnerability in the Oracle Applications DBA component in ...) NOT-FOR-US: Oracle E-Business CVE-2015-4742 (Unspecified vulnerability in the Oracle JDeveloper component in Oracle ...) NOT-FOR-US: Oracle Fusion CVE-2015-4741 (Unspecified vulnerability in the Oracle Applications Framework compone ...) NOT-FOR-US: Oracle E-Business CVE-2015-4740 (Unspecified vulnerability in the RDBMS Partitioning component in Oracl ...) NOT-FOR-US: Oracle Database Server CVE-2015-4739 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business CVE-2015-4738 (Unspecified vulnerability in the PeopleSoft Enterprise HCM Candidate G ...) NOT-FOR-US: Oracle PeopleSoft CVE-2015-4737 (Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier, a ...) {DSA-3308-1 DLA-359-1} - mysql-5.6 5.6.25-2 - mysql-5.5 (bug #792445) - mariadb-10.0 NOTE: Possibly related to https://github.com/mysql/mysql-server/commit/c655515d NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL NOTE: https://lists.launchpad.net/maria-developers/msg08985.html NOTE: https://mariadb.atlassian.net/browse/MDEV-8269 NOTE: Marked as not-affected for MariaDB since Oracle has given no evidence of NOTE: affecting MariaDB to their developers. CVE-2015-4736 (Unspecified vulnerability in Oracle Java SE 7u80 and 8u45 allows remot ...) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2015-4735 (Unspecified vulnerability in the Enterprise Manager for Oracle Databas ...) NOT-FOR-US: Oracle Database CVE-2015-4734 (Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and ...) {DSA-3465-1 DSA-3381-1 DLA-346-1} - openjdk-6 - openjdk-7 7u85-2.6.1-6 - openjdk-8 8u66-b17-1 CVE-2015-4733 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and ...) {DSA-3339-1 DSA-3316-1 DLA-303-1} [experimental] - openjdk-6 6b36-1.13.8-1 - openjdk-6 - openjdk-7 7u79-2.5.6-1 - openjdk-8 8u66-b01-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA NOTE: "Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets." CVE-2015-4732 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and ...) {DSA-3339-1 DSA-3316-1 DLA-303-1} [experimental] - openjdk-6 6b36-1.13.8-1 - openjdk-6 - openjdk-7 7u79-2.5.6-1 - openjdk-8 8u66-b01-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA NOTE: "Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets." CVE-2015-4731 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; Java ...) {DSA-3339-1 DSA-3316-1 DLA-303-1} [experimental] - openjdk-6 6b36-1.13.8-1 - openjdk-6 - openjdk-7 7u79-2.5.6-1 - openjdk-8 8u66-b01-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA NOTE: "Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets." CVE-2015-4730 (Unspecified vulnerability in Oracle MySQL 5.6.20 and earlier allows re ...) - mysql-5.6 5.6.25-2 - mysql-5.5 (Only affects MySQL 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html CVE-2015-4729 (Unspecified vulnerability in Oracle Java SE 7u80 and 8u45 allows remot ...) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2015-4728 (Unspecified vulnerability in the Oracle Sourcing component in Oracle E ...) NOT-FOR-US: Oracle E-Business CVE-2015-4727 (Unspecified vulnerability in Oracle Virtualization Sun Ray Software be ...) NOT-FOR-US: Oracle Virtulization CVE-2015-4726 (PHP remote file inclusion vulnerability in ajax/myajaxphp.php in Audio ...) NOT-FOR-US: AudioShare CVE-2015-4725 (Cross-site scripting (XSS) vulnerability in forgot.php in AudioShare 2 ...) NOT-FOR-US: AudioShare CVE-2015-4724 (SQL injection vulnerability in Concrete5 5.7.3.1. ...) NOT-FOR-US: Concrete5 CVE-2015-4723 RESERVED CVE-2015-4722 RESERVED CVE-2015-4721 (Multiple cross-site scripting (XSS) vulnerabilities in Concrete5 5.7.3 ...) NOT-FOR-US: Concrete5 CVE-2015-4720 REJECTED CVE-2015-4719 RESERVED CVE-2015-4718 (The external SMB storage driver in ownCloud Server before 6.0.8, 7.0.x ...) {DSA-3373-1} - owncloud 7.0.6+dfsg-1 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-008 NOTE: https://github.com/owncloud/core/commit/200e9d949783efbd57f39acedebc03924c1dfff4 CVE-2015-4717 (The filename sanitization component in ownCloud Server before 6.0.8, 7 ...) {DSA-3373-1} - owncloud 7.0.6+dfsg-1 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-007 NOTE: https://github.com/owncloud/core/commit/5fa749cd9656ca6eab30bac0ef4e7625b8a8be2e CVE-2015-4716 (Directory traversal vulnerability in the routing component in ownCloud ...) {DSA-3373-1} - owncloud 7.0.6+dfsg-1 (unimportant) NOTE: Specific to installations on Windows NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-006 CVE-2015-4715 (The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownClo ...) - php-dropbox 1.0.0-4 (unimportant) [jessie] - php-dropbox 1.0.0-3+deb8u1 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-005 NOTE: Only relevant if server runs PHP below 5.6.0 CVE-2015-4714 (Cross-site scripting (XSS) vulnerability in the DreamBox DM500-S allow ...) NOT-FOR-US: DreamBox DM500-S CVE-2015-4713 (SQL injection vulnerability in ApPHP Hotel Site 3.x.x allows remote ed ...) NOT-FOR-US: ApPHP Hotel Site CVE-2015-4712 RESERVED CVE-2015-4711 RESERVED CVE-2015-4710 RESERVED CVE-2015-4709 REJECTED CVE-2015-4708 RESERVED CVE-2015-4705 RESERVED CVE-2015-4702 RESERVED CVE-2015-4701 RESERVED CVE-2015-4699 (Cross-site scripting (XSS) vulnerability in the Splash Portal in Cloud ...) NOT-FOR-US: Cloud4Wi CVE-2015-4698 RESERVED CVE-2015-4697 (Cross-site request forgery (CSRF) vulnerability in Google Analyticator ...) NOT-FOR-US: WordPress plugin google-analyticator CVE-2015-4694 (Directory traversal vulnerability in download.php in the Zip Attachmen ...) NOT-FOR-US: Zip Attachments plugin for WordPress CVE-2015-4693 RESERVED CVE-2015-4691 RESERVED CVE-2015-4690 RESERVED CVE-2015-4689 (Ellucian (formerly SunGard) Banner Student 8.5.1.2 through 8.7 allows ...) NOT-FOR-US: Ellucian (formerly SunGard) Banner Student CVE-2015-4688 (Ellucian (formerly SunGard) Banner Student 8.5.1.2 through 8.7 allow r ...) NOT-FOR-US: Ellucian (formerly SunGard) Banner Student CVE-2015-4687 (Cross-site scripting (XSS) vulnerability in Ellucian (formerly SunGard ...) NOT-FOR-US: Ellucian (formerly SunGard) Banner Student CVE-2015-4686 RESERVED CVE-2015-4685 (Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows loc ...) NOT-FOR-US: Polycom RealPresence Resource Manager CVE-2015-4684 (Multiple directory traversal vulnerabilities in Polycom RealPresence R ...) NOT-FOR-US: Polycom RealPresence Resource Manager CVE-2015-4683 (Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows att ...) NOT-FOR-US: Polycom RealPresence Resource Manager CVE-2015-4682 (Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows rem ...) NOT-FOR-US: Polycom RealPresence Resource Manager CVE-2015-4681 (Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows loc ...) NOT-FOR-US: Polycom RealPresence Resource Manager CVE-2015-4679 (Multiple cross-site scripting (XSS) vulnerabilities in the web interfa ...) NOT-FOR-US: Airties RT-210 CVE-2015-4678 (SQL injection vulnerability in Persian Car CMS 1.0 allows remote attac ...) NOT-FOR-US: Persian Car CMS CVE-2015-4677 (Cross-site request forgery (CSRF) vulnerability in FiverrScript (aka F ...) NOT-FOR-US: FiverrScript CVE-2015-4676 (SQL injection vulnerability in ticket.php in TickFa 1.x allows remote ...) NOT-FOR-US: TickFa CVE-2015-4675 (Buffer overflow in the Tiny SRP library (aka TinySRP) allows remote at ...) NOT-FOR-US: Tiny SRP CVE-2015-5070 (The (1) filesystem::get_wml_location function in filesystem.cpp and (2 ...) {DLA-297-1} [experimental] - wesnoth-1.13 1:1.13.1-1 - wesnoth-1.12 1:1.12.4-1 - wesnoth-1.10 [jessie] - wesnoth-1.10 1:1.10.7-2+deb8u1 [wheezy] - wesnoth-1.10 1:1.10.3-3+deb7u2 - wesnoth-1.8 NOTE: https://github.com/wesnoth/wesnoth/commit/b2738ffb2fdd2550ececb74f76f75583c43c8b59 CVE-2015-5069 (The (1) filesystem::get_wml_location function in filesystem.cpp and (2 ...) {DLA-297-1} [experimental] - wesnoth-1.13 1:1.13.1-1 - wesnoth-1.12 1:1.12.4-1 - wesnoth-1.10 [jessie] - wesnoth-1.10 1:1.10.7-2+deb8u1 [wheezy] - wesnoth-1.10 1:1.10.3-3+deb7u2 - wesnoth-1.8 NOTE: https://github.com/wesnoth/wesnoth/commit/f8914468182e8d0a1551b430c0879ba236fe4d6d CVE-2015-5059 (The "Project Documentation" feature in MantisBT 1.2.19 and earlier, wh ...) - mantis [wheezy] - mantis (Minor issue) [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: http://github.com/mantisbt/mantisbt/commit/f39cf525 (1.2.x) NOTE: https://mantisbt.org/bugs/view.php?id=19873 CVE-2015-5057 (Cross-site scripting (XSS) vulnerability exists in the Wordpress admin ...) NOT-FOR-US: WordPress plugin broken-link-checker CVE-2015-4707 (Cross-site scripting (XSS) vulnerability in IPython before 3.2 allows ...) - ipython 2.4.1-1 (bug #789824) [jessie] - ipython (Minor issue) [wheezy] - ipython (Problematic code introduced in rel-2.0.0) [squeeze] - ipython (Problematic code introduced in rel-2.0.0) NOTE: https://github.com/ipython/ipython/commit/1fcc9943c000ab553ebc029db99ecbd0536960d6 NOTE: http://www.openwall.com/lists/oss-security/2015/06/22/4 CVE-2015-4706 (Cross-site scripting (XSS) vulnerability in IPython 3.x before 3.2 all ...) - ipython (Only affects 3.x) CVE-2015-4704 (Directory traversal vulnerability in the Download Zip Attachments plug ...) NOT-FOR-US: WordPress plugin download-zip-attachments CVE-2015-4703 (Absolute path traversal vulnerability in mysqldump_download.php in the ...) NOT-FOR-US: WordPress plugin wp-instance-rename CVE-2015-4700 (The bpf_int_jit_compile function in arch/x86/net/bpf_jit_comp.c in the ...) {DSA-3329-1} - linux 4.0.7-1 - linux-2.6 [squeeze] - linux-2.6 (Introduced in v3.0-rc1) NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3f7352bf21f8fd7ba3e2fcef9488756f188e12be (v4.1-rc6) NOTE: Introduced in: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0a14842f5a3c0e88a1e59fac5c3025db39721f74 (v3.0-rc1) CVE-2015-4696 (Use-after-free vulnerability in libwmf 0.2.8.4 allows remote attackers ...) {DSA-3302-1 DLA-257-1} - libwmf 0.2.8.4-10.4 (bug #784192) CVE-2015-4695 (meta.h in libwmf 0.2.8.4 allows remote attackers to cause a denial of ...) {DSA-3302-1 DLA-257-1} - libwmf 0.2.8.4-10.4 (bug #784205) CVE-2015-4680 (FreeRADIUS 2.2.x before 2.2.8 and 3.0.x before 3.0.9 does not properly ...) {DLA-977-1} - freeradius 2.2.8+dfsg-0.1 (bug #789623) [jessie] - freeradius (Minor issue) [squeeze] - freeradius (Minor issue) NOTE: Recommended configuration is to use self-signed CAs for EAP-TLS methods. NOTE: See raddb/certs/README NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/5e698b407dcac2bc45cf03484bac4398109d25c3 (v2.x.x branch) NOTE: http://www.ocert.org/advisories/ocert-2015-008.html CVE-2015-4674 (The autoupdate implementation in TimeDoctor Pro 1.4.72.3 on Windows re ...) NOT-FOR-US: TimeDoctor Pro CVE-2015-4673 (Multiple cross-site scripting (XSS) vulnerabilities in ClipBucket 2.7. ...) NOT-FOR-US: ClipBucket CVE-2015-4672 RESERVED CVE-2015-4671 (Cross-site scripting (XSS) vulnerability in OpenCart before 2.1.0.2 al ...) NOT-FOR-US: OpenCart CVE-2015-4670 (Directory traversal vulnerability in the AjaxFileUpload control in Dev ...) NOT-FOR-US: AjaxControlToolkit CVE-2015-4669 (The MySQL "root" user in Xsuite 2.x does not have a password set, whic ...) NOT-FOR-US: Xsuite CVE-2015-4668 (Open redirect vulnerability in Xsuite 2.4.4.5 and earlier allows remot ...) NOT-FOR-US: Xsuite CVE-2015-4667 (Multiple hardcoded credentials in Xsuite 2.x. ...) NOT-FOR-US: Xsuite CVE-2015-4666 (Directory traversal vulnerability in opm/read_sessionlog.php in Xceedi ...) NOT-FOR-US: Xceedium Xsuite CVE-2015-4665 (Cross-site scripting (XSS) vulnerability in ajax_cmd.php in Xceedium X ...) NOT-FOR-US: Xceedium Xsuite CVE-2015-4664 (An improper input validation vulnerability in CA Privileged Access Man ...) NOT-FOR-US: CA Privileged Access Manager CVE-2015-4663 RESERVED - hhvm 3.11.0+dfsg-1 NOTE: https://github.com/facebook/hhvm/commit/e282a459188a472e177b45ad2d2989289294df74 CVE-2015-4662 RESERVED CVE-2015-4661 (Cross-site scripting (XSS) vulnerability in Symphony CMS 2.6.2 allows ...) NOT-FOR-US: Symphony CMS CVE-2015-4660 (Cross-site scripting (XSS) vulnerability in Enhanced SQL Portal 5.0.79 ...) NOT-FOR-US: Enhanced SQL Portal CVE-2015-4659 (Cross-site request forgery (CSRF) vulnerability in ClickHeat 1.14 and ...) NOT-FOR-US: ClickHeat CVE-2015-4658 (Multiple SQL injection vulnerabilities in admin/login.php in Milw0rm C ...) NOT-FOR-US: Milw0rm Clone Script CVE-2015-4657 (Cross-site scripting (XSS) vulnerability in Mailbird 2.0.16.0 and earl ...) NOT-FOR-US: Mailbird CVE-2015-4656 (Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo ...) NOT-FOR-US: Synology Photo Station CVE-2015-4655 (Cross-site scripting (XSS) vulnerability in Synology DiskStation Manag ...) NOT-FOR-US: Synology DiskStation Manager CVE-2015-4654 (SQL injection vulnerability in the EQ Event Calendar component for Joo ...) NOT-FOR-US: EQ Event Calendar component for Joomla! CVE-2015-4653 RESERVED CVE-2015-4650 (Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before ...) NOT-FOR-US: Aruba Networks ClearPass Policy Manager CVE-2015-4649 (Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before ...) NOT-FOR-US: Aruba Networks ClearPass Policy Manager CVE-2015-4648 (Stack-based buffer overflow in the Ipropsapi.ipropsapiCtrl.1 ActiveX c ...) NOT-FOR-US: Pansonic Security API CVE-2015-4647 (Multiple stack-based buffer overflows in Ipropsapi in Panasonic Securi ...) NOT-FOR-US: Pansonic Security API CVE-2015-4641 (Directory traversal vulnerability in the SwiftKey language-pack update ...) NOT-FOR-US: SwiftKey language-pack update implementation on Samsung devices CVE-2015-4640 (The SwiftKey language-pack update implementation on Samsung Galaxy S4, ...) NOT-FOR-US: SwiftKey language-pack update implementation on Samsung devices CVE-2012-6692 (Cross-site scripting (XSS) vulnerability in js/wp-seo-metabox.js in th ...) NOT-FOR-US: WordPress plugin wordpress-seo CVE-2015-4652 (epan/dissectors/packet-gsm_a_dtap.c in the GSM DTAP dissector in Wires ...) {DSA-3294-1} - wireshark 1.12.6+gee1fce6-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Vulnerable code not present) NOTE: http://www.wireshark.org/security/wnpa-sec-2015-20.html CVE-2015-4651 (The dissect_wccp2r1_address_table_info function in epan/dissectors/pac ...) {DSA-3294-1} - wireshark 1.12.6+gee1fce6-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Vulnerable code not present) NOTE: http://www.wireshark.org/security/wnpa-sec-2015-19.html CVE-2015-4646 ((1) unsquash-1.c, (2) unsquash-2.c, (3) unsquash-3.c, and (4) unsquash ...) - squashfs-tools 1:4.3-2 (bug #793468) [jessie] - squashfs-tools (Minor issue) [wheezy] - squashfs-tools (Minor issue) [squeeze] - squashfs-tools (Minor issue) NOTE: https://github.com/plougher/squashfs-tools/commit/f95864afe8833fe3ad782d714b41378e860977b1 NOTE: https://github.com/plougher/squashfs-tools/commit/ba215d73e153a6f237088b4ecb88c702bb4d4183 NOTE: Further more complete fixes went into 1:4.3+git190815-1 CVE-2015-4645 (Integer overflow in the read_fragment_table_4 function in unsquash-4.c ...) - squashfs-tools 1:4.3-2 (bug #793467) [jessie] - squashfs-tools (Minor issue) [wheezy] - squashfs-tools (Minor issue) [squeeze] - squashfs-tools (Minor issue) NOTE: https://github.com/plougher/squashfs-tools/commit/f95864afe8833fe3ad782d714b41378e860977b1 NOTE: https://github.com/plougher/squashfs-tools/commit/ba215d73e153a6f237088b4ecb88c702bb4d4183 NOTE: Further more complete fixes went into 1:4.3+git190815-1 CVE-2015-4642 (The escapeshellarg function in ext/standard/exec.c in PHP before 5.4.4 ...) - php5 (Windows specific) NOTE: https://bugs.php.net/bug.php?id=69646 NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=d2ac264ffea5ca2e85640b6736e0c7cd4ee9a4a9 NOTE: http://www.openwall.com/lists/oss-security/2015/06/18/3 CVE-2015-4643 (Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP b ...) {DSA-3344-1 DLA-307-1} - php5 5.6.11+dfsg-1 NOTE: Fixed in 5.6.10 / 5.5.26 / 5.4.42 NOTE: https://bugs.php.net/bug.php?id=69545#1431550655 NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=0765623d6991b62ffcd93ddb6be8a5203a2fa7e2 NOTE: http://www.openwall.com/lists/oss-security/2015/06/18/3 CVE-2015-4644 (The php_pgsql_meta_data function in pgsql.c in the PostgreSQL (aka pgs ...) {DSA-3344-1 DLA-307-1} - php5 5.6.11+dfsg-1 NOTE: Fixed in 5.6.10 / 5.5.26 / 5.4.42 NOTE: https://bugs.php.net/bug.php?id=69667 NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=2cc4e69cc6d8dbc4b3568ad3dd583324a7c11d64 NOTE: http://www.openwall.com/lists/oss-security/2015/06/18/3 CVE-2015-4639 (Cross-site scripting (XSS) vulnerability in opac-addbybiblionumber.pl ...) NOT-FOR-US: Koha CVE-2015-4638 (The FastL4 virtual server in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ...) NOT-FOR-US: FastL4 CVE-2015-4637 (The REST API in F5 BIG-IQ Cloud, Device, and Security 4.4.0 and 4.5.0 ...) NOT-FOR-US: BIG-IQ CVE-2015-4636 RESERVED CVE-2015-4635 RESERVED CVE-2015-4634 (SQL injection vulnerability in graphs.php in Cacti before 0.8.8e allow ...) {DSA-3312-1 DLA-278-1} - cacti 0.8.8e+ds1-1 NOTE: http://bugs.cacti.net/view.php?id=2577 NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731 CVE-2015-4633 (Multiple SQL injection vulnerabilities in Koha 3.14.x before 3.14.16, ...) - koha (bug #389876) CVE-2015-4632 (Multiple directory traversal vulnerabilities in Koha 3.14.x before 3.1 ...) - koha (bug #389876) CVE-2015-4631 (Multiple cross-site scripting (XSS) vulnerabilities in Koha 3.14.x bef ...) - koha (bug #389876) CVE-2015-4630 (Multiple cross-site request forgery (CSRF) vulnerabilities in Koha 3.1 ...) - koha (bug #389876) CVE-2015-4629 (Huawei E5756S before V200R002B146D23SP00C00 allows remote attackers to ...) NOT-FOR-US: Huawei CVE-2015-4628 (SQL injection vulnerability in application/controllers/admin/questiong ...) - limesurvey (bug #472802) CVE-2015-4627 (SQL injection vulnerability in Pragyan CMS 3.0. ...) NOT-FOR-US: Pragyan CMS CVE-2015-4626 (B.A.S C2Box before 4.0.0 (r19171) relies on client-side validation, wh ...) NOT-FOR-US: B.A.S C2Box CVE-2015-4624 (Hak5 WiFi Pineapple 2.0 through 2.3 uses predictable CSRF tokens. ...) NOT-FOR-US: Hak5 WiFi Pineapple CVE-2015-4623 RESERVED CVE-2015-4622 RESERVED CVE-2015-4621 RESERVED CVE-2015-4620 (name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9. ...) {DSA-3304-1 DLA-270-1} - bind9 1:9.9.5.dfsg-10 (bug #791715) NOTE: https://kb.isc.org/article/AA-01267 CVE-2015-4619 (Cross-site request forgery (CSRF) vulnerability in Spina before commit ...) NOT-FOR-US: Spina CMS CVE-2015-4618 RESERVED CVE-2015-4617 (Vulnerability in Easy2map-photos WordPress Plugin v1.09 MapPinImageUpl ...) NOT-FOR-US: WordPress plugin easy2map-photos CVE-2015-4616 (Directory traversal vulnerability in includes/MapPinImageSave.php in t ...) NOT-FOR-US: Easy2Map plugin for WordPress CVE-2015-4615 (Vulnerability in Easy2map-photos WordPress Plugin v1.09 allows SQL Inj ...) NOT-FOR-US: WordPress plugin easy2map-photos CVE-2015-4614 (Multiple SQL injection vulnerabilities in includes/Function.php in the ...) NOT-FOR-US: Easy2Map plugin for WordPress CVE-2015-4613 (SQL injection vulnerability in the backend module in the Developer Log ...) NOT-FOR-US: TYPO3 extension devlog CVE-2015-4612 (SQL injection vulnerability in the "FAQ - Frequently Asked Questions" ...) NOT-FOR-US: TYPO3 extension js_faq CVE-2015-4611 (SQL injection vulnerability in the Smoelenboek (ncgov_smoelenboek) ext ...) NOT-FOR-US: TYPO3 extension ncgov_smoelenboek CVE-2015-4610 (SQL injection vulnerability in the Store Locator (locator) extension b ...) NOT-FOR-US: TYPO3 extension locator CVE-2015-4609 (SQL injection vulnerability in the wt_directory extension before 1.4.2 ...) NOT-FOR-US: TYPO3 extension wt_directory CVE-2015-4608 (Cross-site scripting (XSS) vulnerability in the BE User Log (beko_beus ...) NOT-FOR-US: TYPO3 extension beko_beuserlog CVE-2015-4607 (Unrestricted file upload vulnerability in the Frontend User Upload (fe ...) NOT-FOR-US: TYPO3 extension feupload CVE-2015-4606 (Unrestricted file upload vulnerability in the Job Fair (jobfair) exten ...) NOT-FOR-US: TYPO3 extension jobfair CVE-2015-4597 RESERVED CVE-2015-4596 (Lenovo Mouse Suite before 6.73 allows local users to run arbitrary cod ...) NOT-FOR-US: Lenovo CVE-2015-4595 RESERVED CVE-2015-4594 (eClinicalWorks Population Health (CCMR) suffers from a session fixatio ...) NOT-FOR-US: eClinicalWorks Population Health CVE-2015-4593 (eClinicalWorks Population Health (CCMR) suffers from a cross-site requ ...) NOT-FOR-US: eClinicalWorks Population Health CVE-2015-4592 (eClinicalWorks Population Health (CCMR) suffers from an SQL injection ...) NOT-FOR-US: eClinicalWorks Population Health CVE-2015-4591 (eClinicalWorks Population Health (CCMR) suffers from a cross site scri ...) NOT-FOR-US: eClinicalWorks Population Health CVE-2015-4590 (The extractFrom function in Internals/QuotedString.cpp in Arduino JSON ...) NOT-FOR-US: Arduino JSON CVE-2015-4589 RESERVED CVE-2015-4587 (Cross-site scripting (XSS) vulnerability in the Alcatel-Lucent CellPip ...) NOT-FOR-US: Alcatel-Lucent CellPipe 7130 router CVE-2015-4586 (Cross-site request forgery (CSRF) vulnerability in Alcatel-Lucent Cell ...) NOT-FOR-US: Alcatel-Lucent CellPipe 7130 RG 5Ae.M2013 HOL CVE-2015-4585 RESERVED CVE-2015-4584 RESERVED CVE-2015-4583 RESERVED CVE-2015-4582 RESERVED CVE-2015-4581 RESERVED CVE-2015-4580 RESERVED CVE-2015-4579 RESERVED CVE-2015-4578 RESERVED CVE-2015-4577 RESERVED CVE-2015-4576 RESERVED CVE-2015-4575 RESERVED CVE-2015-4574 RESERVED CVE-2015-4573 RESERVED CVE-2015-4572 RESERVED CVE-2015-4571 RESERVED CVE-2015-4570 RESERVED CVE-2015-4569 RESERVED CVE-2015-4568 RESERVED CVE-2015-4567 RESERVED CVE-2015-4566 RESERVED CVE-2015-4565 RESERVED CVE-2015-4564 RESERVED CVE-2015-4563 RESERVED CVE-2015-4562 RESERVED CVE-2015-4561 RESERVED CVE-2015-4560 RESERVED CVE-2015-4559 (Cross-site scripting (XSS) vulnerability in the product deployment fea ...) NOT-FOR-US: Intel McAfee ePolicy Orchestrator CVE-2015-4558 RESERVED CVE-2015-4557 (Cross-site scripting (XSS) vulnerability in the new_Twitter_sign_butto ...) NOT-FOR-US: WordPress plugin nextend-twitter-connect CVE-2015-4555 (Buffer overflow in the HTTP administrative interface in TIBCO Rendezvo ...) NOT-FOR-US: TIBCO CVE-2015-4554 (Multiple unspecified vulnerabilities in TIBCO Spotfire Client and Spot ...) NOT-FOR-US: TIBCO CVE-2015-4553 (A file upload issue exists in DeDeCMS before 5.7-sp1, which allows mal ...) NOT-FOR-US: DeDeCMS CVE-2015-4552 (Cross-site scripting (XSS) vulnerability in the quick edit function in ...) NOT-FOR-US: MyBB CVE-2015-4551 (LibreOffice before 4.4.5 and Apache OpenOffice before 4.1.2 uses the s ...) {DSA-3394-1} - libreoffice 1:5.0.1~rc1-1 NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2015-4551/ CVE-2015-4550 (The Cavium cryptographic-module firmware on Cisco Adaptive Security Ap ...) NOT-FOR-US: Cisco CVE-2015-4549 RESERVED CVE-2015-4548 (EMC RSA Web Threat Detection before 5.1 SP1 allows local users to obta ...) NOT-FOR-US: EMC RSA Web Threat Detection CVE-2015-4547 (EMC RSA Web Threat Detection before 5.1 SP1 stores a cleartext AnnoDB ...) NOT-FOR-US: EMC RSA Web Threat Detection CVE-2015-4546 (Directory traversal vulnerability in EMC RSA OneStep 6.9 before build ...) NOT-FOR-US: EMC RSA OneStep CVE-2015-4545 (EMC Isilon OneFS 7.1 before 7.1.1.8, 7.2.0 before 7.2.0.4, and 7.2.1 b ...) NOT-FOR-US: EMC Isilon OneFS CVE-2015-4544 (EMC Documentum Content Server before 7.1P20 and 7.2.x before 7.2P04 do ...) NOT-FOR-US: EMC Documentum Content Server CVE-2015-4543 (EMC RSA Archer GRC 5.x before 5.5.3 uses cleartext for stored password ...) NOT-FOR-US: EMC RSA Archer GRC CVE-2015-4542 (EMC RSA Archer GRC 5.x before 5.5.3 allows remote authenticated users ...) NOT-FOR-US: EMC RSA Archer GRC CVE-2015-4541 (Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Archer ...) NOT-FOR-US: EMC RSA Archer GRC CVE-2015-4540 (Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Identit ...) NOT-FOR-US: EMC RSA CVE-2015-4539 (Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Identit ...) NOT-FOR-US: EMC RSA CVE-2015-4538 (The XML parser in EMC Atmos before 2.2.3.426 and 2.3.x before 2.3.1.0 ...) NOT-FOR-US: EMC Atmos CVE-2015-4537 (Lockbox in EMC Documentum D2 before 4.5 uses a hardcoded passphrase wh ...) NOT-FOR-US: EMC Documentum D2 CVE-2015-4536 (EMC Documentum Content Server before 7.0 P20, 7.1 before P18, and 7.2 ...) NOT-FOR-US: EMC Documentum Content Server CVE-2015-4535 (Java Method Server (JMS) in EMC Documentum Content Server before 6.7SP ...) NOT-FOR-US: EMC Documentum Content Server CVE-2015-4534 (Java Method Server (JMS) in EMC Documentum Content Server before 6.7SP ...) NOT-FOR-US: EMC Documentum Content Server CVE-2015-4533 (EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7. ...) NOT-FOR-US: EMC Documentum Content Server CVE-2015-4532 (EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7. ...) NOT-FOR-US: EMC Documentum Content Server CVE-2015-4531 (EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7. ...) NOT-FOR-US: EMC Documentum Content Server CVE-2015-4530 (Cross-site request forgery (CSRF) vulnerability in EMC Documentum WebT ...) NOT-FOR-US: EMC Documentum Content Server CVE-2015-4529 (Open redirect vulnerability in EMC Documentum WebTop before 6.8P02, Do ...) NOT-FOR-US: EMC Documentum WebTop CVE-2015-4528 (Cross-site scripting (XSS) vulnerability in EMC Documentum CenterStage ...) NOT-FOR-US: EMC Documentum CenterStage CVE-2015-4527 (Directory traversal vulnerability in EMC Avamar Server 7.x before 7.1. ...) NOT-FOR-US: EMC Avamar CVE-2015-4526 (EMC RecoverPoint for Virtual Machines (VMs) 4.2 allows local users to ...) NOT-FOR-US: EMC RecoverPoint CVE-2015-4525 (The log-gather implementation in the web administration interface in E ...) NOT-FOR-US: EMC Isilon OneFS CVE-2015-4524 (Unrestricted file upload vulnerability in EMC Documentum WebTop 6.7SP1 ...) NOT-FOR-US: EMC Documentum WebTop Client CVE-2015-4523 (Blue Coat Malware Analysis Appliance (MAA) before 4.2.5 and Malware An ...) NOT-FOR-US: Blue Coat CVE-2015-4522 (The nsUnicodeToUTF8::GetMaxLength function in Mozilla Firefox before 4 ...) {DSA-3365-1} - iceweasel 38.3.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-112/ CVE-2015-4521 (The ConvertDialogOptions function in Mozilla Firefox before 41.0 and F ...) {DSA-3365-1} - iceweasel 38.3.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-112/ CVE-2015-4520 (Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allow rem ...) {DSA-3365-1} - iceweasel 38.3.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-111/ CVE-2015-4519 (Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allow use ...) {DSA-3365-1} - iceweasel 38.3.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-110/ CVE-2015-4518 (The Reader View implementation in Mozilla Firefox before 42.0 has an i ...) - iceweasel (ESR38 series not affected) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-118/ CVE-2015-4517 (NetworkUtils.cpp in Mozilla Firefox before 41.0 and Firefox ESR 38.x b ...) {DSA-3365-1} - iceweasel 38.3.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-112/ CVE-2015-4516 (Mozilla Firefox before 41.0 allows remote attackers to bypass certain ...) - iceweasel (Affects only 40.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-109/ CVE-2015-4515 (Mozilla Firefox before 42.0, when NTLM v1 is enabled for HTTP authenti ...) - iceweasel (ESR38 series not affected) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-117/ CVE-2015-4514 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel (ESR38 series not affected) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-116/ CVE-2015-4513 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-3410-1 DSA-3393-1} - iceweasel 38.4.0esr-1 [squeeze] - iceweasel - icedove 38.4.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-116/ CVE-2015-4512 (gfx/2d/DataSurfaceHelpers.cpp in Mozilla Firefox before 41.0 on Linux ...) - iceweasel (Affects only 40.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-107/ CVE-2015-4511 (Heap-based buffer overflow in the nestegg_track_codec_data function in ...) {DSA-3365-1} - iceweasel 38.3.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-105/ CVE-2015-4510 (Race condition in the WorkerPrivate::NotifyFeatures function in Mozill ...) - iceweasel (Affects only 40.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-104/ CVE-2015-4509 (Use-after-free vulnerability in the HTMLVideoElement interface in Mozi ...) {DSA-3365-1} - iceweasel 38.3.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-106/ CVE-2015-4508 (Mozilla Firefox before 41.0, when reader mode is enabled, allows remot ...) - iceweasel (Affects only 40.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-103/ CVE-2015-4507 (The SavedStacks class in the JavaScript implementation in Mozilla Fire ...) - iceweasel (Affects only 40.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-102/ CVE-2015-4506 (Buffer overflow in the vp9_init_context_buffers function in libvpx, as ...) {DSA-3365-1} - iceweasel 38.3.0esr-1 [squeeze] - iceweasel - libvpx 1.4.0-4 (unimportant) [squeeze] - libvpx (no vp9 support in this version) [wheezy] - libvpx (no vp9 support in this version) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-101/ NOTE: this is a duplicate of CVE-2015-1258, libvpx in google chrome CVE-2015-4505 (updater.exe in Mozilla Firefox before 41.0 and Firefox ESR 38.x before ...) - iceweasel (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-100/ CVE-2015-4504 (The lut_inverse_interp16 function in the QCMS library in Mozilla Firef ...) - iceweasel (Affects only 40.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-98/ CVE-2015-4503 (The TCP Socket API implementation in Mozilla Firefox before 41.0 misha ...) - iceweasel (Affects only 40.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-97/ CVE-2015-4502 (js/src/proxy/Proxy.cpp in Mozilla Firefox before 41.0 mishandles certa ...) - iceweasel (Affects only 40.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-108/ CVE-2015-4501 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel (Affects only 40.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-96/ CVE-2015-4500 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-3365-1} - iceweasel 38.3.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-96/ CVE-2015-4499 (Util.pm in Bugzilla 2.x, 3.x, and 4.x before 4.2.15, 4.3.x and 4.4.x b ...) - bugzilla4 (bug #669643) - bugzilla [squeeze] - bugzilla (Not supported in Squeeze LTS) CVE-2015-4498 (The add-on installation feature in Mozilla Firefox before 40.0.3 and F ...) {DSA-3345-1} - iceweasel 38.2.1esr-1 [squeeze] - iceweasel (Not supported in Squeeze LTS) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-95 CVE-2015-4497 (Use-after-free vulnerability in the CanvasRenderingContext2D implement ...) {DSA-3345-1} - iceweasel 38.2.1esr-1 [squeeze] - iceweasel (Not supported in Squeeze LTS) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-94/ CVE-2015-4496 (Multiple integer overflows in libstagefright in Mozilla Firefox before ...) - iceweasel 38.0-1 [jessie] - iceweasel 38.2.0esr-1~deb8u1 [wheezy] - iceweasel 38.2.0esr-1~deb7u1 [squeeze] - iceweasel (Not supported in Squeeze LTS) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-93/ CVE-2015-4495 (The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x befo ...) - iceweasel 38.1.1esr-1 [jessie] - iceweasel (Only affects 38.x ESR and 39) [wheezy] - iceweasel (Only affects 38.x ESR and 39) [squeeze] - iceweasel (Only affects 38.x ESR and 39) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/ - pdf.js 1.1.366+dfsg-1 [jessie] - pdf.js 1.0.907+dfsg-1+deb8u1 NOTE: for jessie: xul-ext-pdf.js binary package build was removed NOTE: https://github.com/mozilla/pdf.js/commit/0b5330781c367fcbc997947adbf2bdcdf71f61bc NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1179262 CVE-2015-4494 (Mozilla Firefox OS before 2.2 does not require the wifi-manage privile ...) NOT-FOR-US: Firefox OS CVE-2015-4493 (Heap-based buffer overflow in the stagefright::ESDS::parseESDescriptor ...) {DSA-3333-1} - iceweasel 38.2.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-83/ CVE-2015-4492 (Use-after-free vulnerability in the XMLHttpRequest::Open implementatio ...) {DSA-3333-1} - iceweasel 38.2.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-92/ CVE-2015-4491 (Integer overflow in the make_filter_table function in pixops/pixops.c ...) {DSA-3337-2 DSA-3337-1 DLA-434-1} - gdk-pixbuf 2.31.7-1 - gtk+2.0 2.21.5-1 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=752297 NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=ffec86ed5010c5a2be14f47b33bcf4ed3169a199 NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=8dba67cb4f38d62a47757741ad41e3f245b4a32a NOTE: http://www.openwall.com/lists/oss-security/2015/07/17/17 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-88/ NOTE: gtk+2.0 2.21.5-1 removed the embedded copy of gdk-pixbuf and build-depends on external gdk-pixbuf CVE-2015-4490 (The nsCSPHostSrc::permits function in dom/security/nsCSPUtils.cpp in M ...) - iceweasel (Only affects Firefox 39) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-91 CVE-2015-4489 (The nsTArray_Impl class in Mozilla Firefox before 40.0, Firefox ESR 38 ...) {DSA-3410-1 DSA-3333-1} - iceweasel 38.2.0esr-1 - icedove 38.3.0-1 [squeeze] - icedove [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/ CVE-2015-4488 (Use-after-free vulnerability in the StyleAnimationValue class in Mozil ...) {DSA-3410-1 DSA-3333-1} - iceweasel 38.2.0esr-1 - icedove 38.3.0-1 [squeeze] - icedove [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/ CVE-2015-4487 (The nsTSubstring::ReplacePrep function in Mozilla Firefox before 40.0, ...) {DSA-3410-1 DSA-3333-1} - iceweasel 38.2.0esr-1 - icedove 38.3.0-1 [squeeze] - icedove [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/ CVE-2015-4486 (The decrease_ref_count function in libvpx in Mozilla Firefox before 40 ...) - libvpx 1.4.0-1 [jessie] - libvpx (Vulnerable code not present) [wheezy] - libvpx (Vulnerable code not present) [squeeze] - libvpx (Vulnerable code not present) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-89/ NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1177948 is restricted CVE-2015-4485 (Heap-based buffer overflow in the resize_context_buffers function in l ...) - libvpx 1.4.0-1 [jessie] - libvpx (Vulnerable code not present) [wheezy] - libvpx (Vulnerable code not present) [squeeze] - libvpx (Vulnerable code not present) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-89/ NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1178148 is restricted CVE-2015-4484 (The js::jit::AssemblerX86Shared::lock_addl function in the JavaScript ...) {DSA-3333-1} - iceweasel 38.2.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-87/ CVE-2015-4483 (Mozilla Firefox before 40.0 allows man-in-the-middle attackers to bypa ...) - iceweasel (Only affects Firefox 39) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-86/ CVE-2015-4482 (mar_read.c in the Updater in Mozilla Firefox before 40.0 and Firefox E ...) - iceweasel (Updater not used in Debian) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-85/ CVE-2015-4481 (Race condition in the Mozilla Maintenance Service in Mozilla Firefox b ...) - iceweasel (Only affects Firefox on Windows) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-84/ CVE-2015-4480 (Integer overflow in the stagefright::SampleTable::isValid function in ...) {DSA-3333-1} - iceweasel 38.2.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-83/ CVE-2015-4479 (Multiple integer overflows in libstagefright in Mozilla Firefox before ...) {DSA-3333-1} - iceweasel 38.2.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-83/ CVE-2015-4478 (Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 do not im ...) {DSA-3333-1} - iceweasel 38.2.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-82/ CVE-2015-4477 (Use-after-free vulnerability in the MediaStream playback feature in Mo ...) - iceweasel (Only affects Firefox 39) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-81/ CVE-2015-4476 (Mozilla Firefox before 41.0 on Android allows user-assisted remote att ...) - iceweasel (Affects only Firefox on Android) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-99/ CVE-2015-4475 (The mozilla::AudioSink function in Mozilla Firefox before 40.0 and Fir ...) {DSA-3333-1} - iceweasel 38.2.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-80/ CVE-2015-4474 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel (Only affects Firefox 39) - icedove (Only affects Firefox 39) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-79/ CVE-2015-4473 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-3410-1 DSA-3333-1} - iceweasel 38.2.0esr-1 - icedove 38.3.0-1 [squeeze] - icedove [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-79/ CVE-2015-4466 RESERVED CVE-2015-4465 (Cross-site scripting (XSS) vulnerability in the zM Ajax Login & Re ...) NOT-FOR-US: WordPress plugin zM Ajax Login & Register CVE-2015-4464 (Kguard Digital Video Recorder 104, 108, v2 does not have any authoriza ...) NOT-FOR-US: Kguard Digital Video Recorder CVE-2015-4463 (The file_manager component in eFront CMS before 3.6.15.5 allows remote ...) NOT-FOR-US: eFront CMS CVE-2015-4462 (Absolute path traversal vulnerability in the file_manager component of ...) NOT-FOR-US: eFront CMS CVE-2015-4461 (Absolute path traversal vulnerability in eFront CMS 3.6.15.4 and earli ...) NOT-FOR-US: eFront CMS CVE-2015-4460 (Cross-site request forgery (CSRF) vulnerability in SecuritySetting/Use ...) NOT-FOR-US: C2Box CVE-2015-4459 RESERVED CVE-2015-4458 (The TLS implementation in the Cavium cryptographic-module firmware, as ...) NOT-FOR-US: Cisco CVE-2014-9733 (nw.js before 0.11.5 can simulate user input events in a normal frame, ...) NOT-FOR-US: nw.js CVE-2015-4603 (The exception::getTraceAsString function in Zend/zend_exceptions.c in ...) - php5 5.6.9+dfsg-1 [jessie] - php5 5.6.9+dfsg-0+deb8u1 [wheezy] - php5 5.4.41-0+deb7u1 NOTE: https://bugs.php.net/bug.php?id=69152 [2015-03-03 04:30 UTC] CVE-2015-4602 (The __PHP_Incomplete_Class function in ext/standard/incomplete_class.c ...) {DLA-307-1} - php5 5.6.9+dfsg-1 [jessie] - php5 5.6.9+dfsg-0+deb8u1 [wheezy] - php5 5.4.41-0+deb7u1 NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=fb83c76deec58f1fab17c350f04c9f042e5977d1 NOTE: https://bugs.php.net/bug.php?id=69152 CVE-2015-4601 (PHP before 5.6.7 might allow remote attackers to cause a denial of ser ...) {DLA-307-1} - php5 5.6.9+dfsg-1 [jessie] - php5 5.6.9+dfsg-0+deb8u1 [wheezy] - php5 5.4.41-0+deb7u1 NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=0c136a2abd49298b66acb0cad504f0f972f5bfe8 NOTE: https://bugs.php.net/bug.php?id=69152 CVE-2015-4600 (The SoapClient implementation in PHP before 5.4.40, 5.5.x before 5.5.2 ...) {DLA-307-1} - php5 5.6.9+dfsg-1 [jessie] - php5 5.6.9+dfsg-0+deb8u1 [wheezy] - php5 5.4.41-0+deb7u1 NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=0c136a2abd49298b66acb0cad504f0f972f5bfe8 NOTE: https://bugs.php.net/bug.php?id=69152 CVE-2015-4599 (The SoapFault::__toString method in ext/soap/soap.c in PHP before 5.4. ...) {DLA-307-1} - php5 5.6.9+dfsg-1 [jessie] - php5 5.6.9+dfsg-0+deb8u1 [wheezy] - php5 5.4.41-0+deb7u1 NOTE: https://bugs.php.net/bug.php?id=69152 NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=51856a76f87ecb24fe1385342be43610fb6c86e4 CVE-2015-4598 (PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does n ...) {DSA-3344-1 DLA-307-1} - php5 5.6.11+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=69719 NOTE: Fixed in 5.6.10 and 5.4.42 upstream CVE-2015-4588 (Heap-based buffer overflow in the DecodeImage function in libwmf 0.2.8 ...) {DSA-3302-1 DLA-253-1} - libwmf 0.2.8.4-10.4 (bug #787644) CVE-2015-4556 (The string-translate* procedure in the data-structures unit in CHICKEN ...) - chicken 4.10.0-1 (bug #788833) [jessie] - chicken (Minor issue) [wheezy] - chicken (Minor issue) [squeeze] - chicken (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/06/15/1 CVE-2015-2967 (Cross-site scripting (XSS) vulnerability in settings.php in Cacti befo ...) {DSA-3295-1 DLA-255-1} - cacti 0.8.8d+ds1-1 [squeeze] - cacti 0.8.7g-1+squeeze6 NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7718 NOTE: http://jvn.jp/en/jp/JVN78187936/ NOTE: Fixed upstream in 0.8.8d CVE-2015-4457 (Multiple cross-site scripting (XSS) vulnerabilities in the Cloudera Ma ...) NOT-FOR-US: Cloudera CVE-2015-4456 (ownCloud Desktop Client before 1.8.2 does not call QNetworkReply::igno ...) {DSA-3363-1} - owncloud-client 1.8.4+dfsg-1 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-009 CVE-2015-4455 (Unrestricted file upload vulnerability in includes/upload.php in the A ...) NOT-FOR-US: WordPress plugin aviary-image-editor-add-on-for-gravity-forms CVE-2015-4454 (SQL injection vulnerability in the get_hash_graph_template function in ...) {DSA-3295-1 DLA-255-1} - cacti 0.8.8d+ds1-1 NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7720 NOTE: http://bugs.cacti.net/view.php?id=2572 NOTE: Fixed upstream in 0.8.8d CVE-2015-4453 (interface/globals.php in OpenEMR 2.x, 3.x, and 4.x before 4.2.0 patch ...) NOT-FOR-US: OpenEMR CVE-2015-4452 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-4451 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-4450 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-4449 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-4448 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-4447 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-4446 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-4445 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-4444 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-4443 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-4442 REJECTED CVE-2015-4441 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-4440 REJECTED CVE-2015-4439 REJECTED CVE-2015-4438 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-4437 REJECTED CVE-2015-4436 REJECTED CVE-2015-4435 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-4434 REJECTED CVE-2015-4433 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-4432 (Heap-based buffer overflow in Adobe Flash Player before 13.0.0.302 and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-4431 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-4430 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-4429 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-4428 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-4427 (Multiple cross-site scripting (XSS) vulnerabilities in Test/WorkArea/w ...) NOT-FOR-US: Ektron CMS CVE-2015-4426 (SQL injection vulnerability in pimcore before build 3473 allows remote ...) NOT-FOR-US: pimcore CVE-2015-4425 (Directory traversal vulnerability in pimcore before build 3473 allows ...) NOT-FOR-US: pimcore CVE-2015-4424 RESERVED CVE-2015-4423 RESERVED CVE-2015-4422 (The TEEOS module in Huawei Mate 7 (Mate7-TL10) smartphones before V100 ...) NOT-FOR-US: TEEOS module in Huawei Mate 7 CVE-2015-4421 (The tzdriver module in Huawei Mate 7 (Mate7-TL10) smartphones before V ...) NOT-FOR-US: tzdriver module in Huawei Mate 7 CVE-2015-4420 (Multiple cross-site scripting (XSS) vulnerabilities in Opsview 4.6.2 a ...) NOT-FOR-US: Opsview CVE-2015-4419 RESERVED CVE-2015-4418 (Zoho NetFlow Analyzer build 10250 and earlier does not have an off aut ...) NOT-FOR-US: Zoho NetFlow Analyzer CVE-2015-4417 RESERVED CVE-2015-4416 RESERVED CVE-2015-4415 (Multiple directory traversal vulnerabilities in func.php in Magnifica ...) NOT-FOR-US: Magnifica Webscripts Anima Gallery CVE-2015-4414 (Directory traversal vulnerability in download_audio.php in the SE HTML ...) NOT-FOR-US: WordPress plugin se-html5-album-audio-player CVE-2015-4413 (Cross-site scripting (XSS) vulnerability in the new_fb_sign_button fun ...) NOT-FOR-US: WordPress plugin nextend-facebook-connect CVE-2015-4409 (Buffer overflow on Hikvision NVR DS-76xxNI-E1/2 and DS-77xxxNI-E4 devi ...) NOT-FOR-US: Hikvision CVE-2015-4408 (Buffer overflow on Hikvision NVR DS-76xxNI-E1/2 and DS-77xxxNI-E4 devi ...) NOT-FOR-US: Hikvision CVE-2015-4407 (Buffer overflow on Hikvision NVR DS-76xxNI-E1/2 and DS-77xxxNI-E4 devi ...) NOT-FOR-US: Hikvision CVE-2015-4406 RESERVED CVE-2015-4405 RESERVED CVE-2015-4404 RESERVED CVE-2015-4403 RESERVED CVE-2015-4402 RESERVED CVE-2015-4401 RESERVED CVE-2015-4400 (Ring (formerly DoorBot) video doorbells allow remote attackers to obta ...) NOT-FOR-US: Ring video doorbells CVE-2015-4399 RESERVED CVE-2015-4398 (Open redirect vulnerability in the Chaos tool suite (ctools) module be ...) NOT-FOR-US: Drupal module Chaos tool suite CVE-2015-4397 (Cross-site request forgery (CSRF) vulnerability in the Node Template m ...) NOT-FOR-US: Drupal module Node Template CVE-2015-4396 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Keyw ...) NOT-FOR-US: Drupal module Keyword Research CVE-2015-4395 (The HybridAuth Social Login module 7.x-2.x before 7.x-2.10 for Drupal ...) NOT-FOR-US: Drupal module HybridAuth Social Login CVE-2015-4394 (The Services module 7.x-3.x before 7.x-3.12 for Drupal allows remote a ...) NOT-FOR-US: Drupal module Services CVE-2015-4393 (The resource/endpoint for uploading files in the Services module 7.x-3 ...) NOT-FOR-US: Drupal module Services CVE-2015-4392 (Cross-site scripting (XSS) vulnerability in the Display Suite module 7 ...) NOT-FOR-US: Drupal module Display Suite CVE-2015-4391 (Cross-site request forgery (CSRF) vulnerability in the CiviCRM private ...) NOT-FOR-US: Drupal module CiviCRM CVE-2015-4390 (Multiple cross-site request forgery (CSRF) vulnerabilities in the User ...) NOT-FOR-US: Drupal module User Import CVE-2015-4389 (The Open Graph Importer (og_tag_importer) 7.x-1.x for Drupal does not ...) NOT-FOR-US: Drupal module Open Graph Importer CVE-2015-4388 (Cross-site scripting (XSS) vulnerability in the Current Search Links m ...) NOT-FOR-US: Drupal module Current Search Links CVE-2015-4387 (Cross-site scripting (XSS) vulnerability in unspecified administration ...) NOT-FOR-US: Drupal module Password Policy CVE-2015-4386 (Multiple cross-site scripting (XSS) vulnerabilities in unspecified adm ...) NOT-FOR-US: Drupal module EntityBulkDelete CVE-2015-4385 (Cross-site scripting (XSS) vulnerability in unspecified administration ...) NOT-FOR-US: Drupal module Imagefield Info CVE-2015-4384 (Cross-site scripting (XSS) vulnerability in the Ubercart Webform Check ...) NOT-FOR-US: Drupal module Ubercart Webform Checkout Pane CVE-2015-4383 (Cross-site request forgery (CSRF) vulnerability in the Decisions modul ...) NOT-FOR-US: Drupal module Decisions CVE-2015-4382 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Invo ...) NOT-FOR-US: Drupal module Invoice CVE-2015-4381 (Cross-site scripting (XSS) vulnerability in the Invoice module 6.x-1.x ...) NOT-FOR-US: Drupal module Invoice CVE-2015-4380 (Cross-site scripting (XSS) vulnerability in the Linear Case module 6.x ...) NOT-FOR-US: Drupal module Linear Case CVE-2015-4379 (Cross-site request forgery (CSRF) vulnerability in the Webform Multipl ...) NOT-FOR-US: Drupal module Webform Multiple File Upload CVE-2015-4378 (Cross-site scripting (XSS) vulnerability in the Crumbs module 7.x-2.x ...) NOT-FOR-US: Drupal module Crumbs CVE-2015-4377 (Cross-site scripting (XSS) vulnerability in unspecified administration ...) NOT-FOR-US: Drupal module Petition CVE-2015-4376 (Cross-site scripting (XSS) vulnerability in the Profile2 Privacy modul ...) NOT-FOR-US: Drupal module Profile2 Privacy CVE-2015-4375 (The Chaos tool suite (ctools) module 7.x-1.x before 7.x-1.7 for Drupal ...) NOT-FOR-US: Drupal module Chaos tool suite CVE-2015-4374 (Cross-site scripting (XSS) vulnerability in the Webform module before ...) NOT-FOR-US: Webform module for Drupal CVE-2015-4373 (Cross-site scripting (XSS) vulnerability in the OG tabs module before ...) NOT-FOR-US: Drupal module OG tabs CVE-2015-4372 (Cross-site scripting (XSS) vulnerability in the Image Title module bef ...) NOT-FOR-US: Drupal module Image Title CVE-2015-4371 (Open redirect vulnerability in the Perfecto module before 7.x-1.2 for ...) NOT-FOR-US: Drupal module Perfecto CVE-2015-4370 (Cross-site scripting (XSS) vulnerability in the Site Documentation mod ...) NOT-FOR-US: Drupal module Site Documentation CVE-2015-4369 (Cross-site scripting (XSS) vulnerability in the Trick Question module ...) NOT-FOR-US: Drupal module Trick Question CVE-2015-4368 (The Commerce Ogone module 7.x-1.x before 7.x-1.5 for Drupal allows rem ...) NOT-FOR-US: Drupal module Commerce Ogone CVE-2015-4367 (Cross-site scripting (XSS) vulnerability in the Simple Subscription mo ...) NOT-FOR-US: Drupal module Simple Subscription CVE-2015-4366 (Cross-site scripting (XSS) vulnerability in the Mover module 6.x-1.0 f ...) NOT-FOR-US: Drupal module Mover CVE-2015-4365 (Cross-site scripting (XSS) vulnerability in the Taxonomy Accordion mod ...) NOT-FOR-US: Drupal module Taxonomy Accordion CVE-2015-4364 (Multiple cross-site request forgery (CSRF) vulnerabilities in includes ...) NOT-FOR-US: Drupal module Campaign Monitor CVE-2015-4363 (Open redirect vulnerability in the finder_form_goto function in the Fi ...) NOT-FOR-US: Drupal module Finder CVE-2015-4362 (Cross-site request forgery (CSRF) vulnerability in tracking_code.admin ...) NOT-FOR-US: Drupal module Tracking Code CVE-2015-4361 (Cross-site request forgery (CSRF) vulnerability in the Registration co ...) NOT-FOR-US: Drupal Module Registration codes CVE-2015-4360 (Cross-site request forgery (CSRF) vulnerability in the Registration co ...) NOT-FOR-US: Drupal Module Registration codes CVE-2015-4359 (Multiple cross-site scripting (XSS) vulnerabilities in the Registratio ...) NOT-FOR-US: Drupal Module Registration codes CVE-2015-4358 (Cross-site scripting (XSS) vulnerability in unspecified administration ...) NOT-FOR-US: Drupal module Ubercart Display Coupons CVE-2015-4357 (Cross-site scripting (XSS) vulnerability in the Webform module before ...) NOT-FOR-US: Drupal module Webform CVE-2015-4356 (Cross-site scripting (XSS) vulnerability in the view-based webform res ...) NOT-FOR-US: Drupal module Webform CVE-2015-4355 (Cross-site request forgery (CSRF) vulnerability in the Watchdog Aggreg ...) NOT-FOR-US: Drupal module Watchdog Aggregator CVE-2015-4354 (Cross-site scripting (XSS) vulnerability in the Ubercart Webform Integ ...) NOT-FOR-US: Drupal module Ubercart Webform Integration CVE-2015-4353 (Cross-site request forgery (CSRF) vulnerability in the Custom Sitemap ...) NOT-FOR-US: Drupal module Custom Sitemap CVE-2015-4352 (Cross-site request forgery (CSRF) vulnerability in the Spider Video Pl ...) NOT-FOR-US: Drupal module Spider Video Player CVE-2015-4351 (The Spider Video Player module for Drupal allows remote authenticated ...) NOT-FOR-US: Drupal module Spider Video Player CVE-2015-4350 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Spid ...) NOT-FOR-US: Drupal Module Spider Catalog CVE-2015-4349 (Cross-site request forgery (CSRF) vulnerability in the Spider Contacts ...) NOT-FOR-US: Drupal Module Spider Catalog CVE-2015-4348 (SQL injection vulnerability in the Spider Contacts module for Drupal a ...) NOT-FOR-US: Drupal module Spider Contacts CVE-2015-4347 (Cross-site scripting (XSS) vulnerability in the inLinks Integration mo ...) NOT-FOR-US: Drupal module inLinks Integration CVE-2015-4346 (Cross-site scripting (XSS) vulnerability in the SMS Framework module 6 ...) NOT-FOR-US: Drupal module SMS Framework CVE-2015-4345 (The RESTWS Basic Auth submodule in the RESTful Web Services module 7.x ...) NOT-FOR-US: Drupal module RESTful Web Services CVE-2015-4344 (The Services Basic Authentication module 7.x-1.x through 7.x-1.3 for D ...) NOT-FOR-US: Drupal module Services Basic Authentication CVE-2015-4343 RESERVED CVE-2015-4342 (SQL injection vulnerability in Cacti before 0.8.8d allows remote attac ...) {DSA-3295-1 DLA-255-1} - cacti 0.8.8d+ds1-1 NOTE: Original report: http://seclists.org/fulldisclosure/2015/Jun/19 NOTE: Upstream bug: http://bugs.cacti.net/view.php?id=2571 (not yet accessible) NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7719 NOTE: Fixed upstream in 0.8.8d CVE-2015-4341 RESERVED CVE-2015-4340 RESERVED CVE-2015-4339 RESERVED CVE-2015-4334 (The default configuration of SGOS in Blue Coat ProxySG before 6.2.16.5 ...) NOT-FOR-US: Blue Coat ProxySG CVE-2015-4333 RESERVED CVE-2015-4332 RESERVED CVE-2015-4331 (Cisco Prime Infrastructure (PI) 1.4(0.45) and earlier, when AAA authen ...) NOT-FOR-US: Cisco Prime Infrastructure CVE-2015-4330 (A local file script in Cisco TelePresence Video Communication Server ( ...) NOT-FOR-US: Cisco CVE-2015-4329 (The administrator web interface in Cisco TelePresence Video Communicat ...) NOT-FOR-US: Cisco TelePresence Video Communication Server CVE-2015-4328 (Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2 ...) NOT-FOR-US: Cisco TelePresence Video Communication Server CVE-2015-4327 (The CLI in Cisco TelePresence Video Communication Server (VCS) Express ...) NOT-FOR-US: Cisco TelePresence Video Communication Server CVE-2015-4326 RESERVED CVE-2015-4325 (The process-management implementation in Cisco TelePresence Video Comm ...) NOT-FOR-US: Cisco TelePresence Video Communication Server CVE-2015-4324 (Buffer overflow in Cisco NX-OS on Nexus 1000V devices for VMware vSphe ...) NOT-FOR-US: Cisco CVE-2015-4323 (Buffer overflow in Cisco NX-OS on Nexus 1000V devices for VMware vSphe ...) NOT-FOR-US: Cisco CVE-2015-4322 (Cisco Content Security Management Appliance (SMA) 8.3.6-039, 9.1.0-31, ...) NOT-FOR-US: Cisco CVE-2015-4321 (The Unicast Reverse Path Forwarding (uRPF) implementation in Cisco Ada ...) NOT-FOR-US: Cisco CVE-2015-4320 (The Configuration Log File component in Cisco TelePresence Video Commu ...) NOT-FOR-US: Cisco CVE-2015-4319 (The password-change feature in the administrative web interface in Cis ...) NOT-FOR-US: Cisco CVE-2015-4318 (Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2 ...) NOT-FOR-US: Cisco CVE-2015-4317 (Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2 ...) NOT-FOR-US: Cisco CVE-2015-4316 (The Mobile and Remote Access (MRA) endpoint-validation feature in Cisc ...) NOT-FOR-US: Cisco CVE-2015-4315 (The Call Policy Configuration page in Cisco TelePresence Video Communi ...) NOT-FOR-US: Cisco CVE-2015-4314 (The System Snapshot feature in Cisco TelePresence Video Communication ...) NOT-FOR-US: Cisco CVE-2015-4313 RESERVED CVE-2015-4312 RESERVED CVE-2015-4311 RESERVED CVE-2015-4310 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco Finesse 1 ...) NOT-FOR-US: Cisco CVE-2015-4309 RESERVED CVE-2015-4308 (The webGUI configuration-export feature in Cisco Edge Bluebird Operati ...) NOT-FOR-US: Cisco CVE-2015-4307 (The web framework in Cisco Prime Collaboration Provisioning before 11. ...) NOT-FOR-US: Cisco Prime Collaboration Provisioning CVE-2015-4306 (The web framework in Cisco Prime Collaboration Assurance before 10.5.1 ...) NOT-FOR-US: Cisco Prime Collaboration Assurance CVE-2015-4305 (The web framework in Cisco Prime Collaboration Assurance before 10.5.1 ...) NOT-FOR-US: Cisco Prime Collaboration Assurance CVE-2015-4304 (The web framework in Cisco Prime Collaboration Assurance before 10.5.1 ...) NOT-FOR-US: Cisco Prime Collaboration Assurance CVE-2015-4303 (Cisco TelePresence Video Communication Server (VCS) X8.5.2 allows remo ...) NOT-FOR-US: Cisco CVE-2015-4302 (The web interface in Cisco FireSIGHT Management Center 5.3.1.4 allows ...) NOT-FOR-US: Cisco CVE-2015-4301 (Cisco NX-OS on Nexus 9000 devices 11.1(1c) allows remote authenticated ...) NOT-FOR-US: Cisco CVE-2015-4300 REJECTED CVE-2015-4299 (Cisco Unified Web and E-Mail Interaction Manager 9.0(2) improperly per ...) NOT-FOR-US: Cisco CVE-2015-4298 (Cisco Unified Web and E-Mail Interaction Manager 9.0(2) and 11.0(1) im ...) NOT-FOR-US: Cisco CVE-2015-4297 (Open redirect vulnerability in Cisco WebEx Node for Media Convergence ...) NOT-FOR-US: Cisco CVE-2015-4296 (Nexus Data Broker (NDB) on Cisco Nexus 3000 devices with software 6.0( ...) NOT-FOR-US: Cisco CVE-2015-4295 (The Prime Collaboration Deployment component in Cisco Unified Communic ...) NOT-FOR-US: Cisco CVE-2015-4294 (Cross-site scripting (XSS) vulnerability in Cisco IM and Presence Serv ...) NOT-FOR-US: Cisco CVE-2015-4293 (The packet-reassembly implementation in Cisco IOS XE 3.13S and earlier ...) NOT-FOR-US: Cisco CVE-2015-4292 (Cross-site scripting (XSS) vulnerability in the management interface i ...) NOT-FOR-US: Cisco CVE-2015-4291 (Cisco IOS XE 2.x before 2.4.3 and 2.5.x before 2.5.1 on ASR 1000 devic ...) NOT-FOR-US: Cisco CVE-2015-4290 (The kernel extension in Cisco AnyConnect Secure Mobility Client 4.0(20 ...) NOT-FOR-US: Cisco CVE-2015-4289 (Directory traversal vulnerability in Cisco AnyConnect Secure Mobility ...) NOT-FOR-US: Cisco CVE-2015-4288 (The LDAP implementation on the Cisco Web Security Appliance (WSA) 8.5. ...) NOT-FOR-US: Cisco CVE-2015-4287 (Cisco Firepower Extensible Operating System 1.1(1.86) on Firepower 900 ...) NOT-FOR-US: Cisco CVE-2015-4286 (The web framework in Cisco UCS Central Software 1.3(0.99) allows remot ...) NOT-FOR-US: Cisco CVE-2015-4285 (The Local Packet Transport Services (LPTS) implementation in Cisco IOS ...) NOT-FOR-US: Cisco CVE-2015-4284 (The Concurrent Data Management Replication process in Cisco IOS XR 5.3 ...) NOT-FOR-US: Cisco CVE-2015-4283 (Cisco Videoscape Policy Resource Manager (PRM) 3.5.4 allows remote att ...) NOT-FOR-US: Cisco CVE-2015-4282 (Cisco Mobility Services Engine (MSE) through 8.0.120.7 uses weak permi ...) NOT-FOR-US: Cisco CVE-2015-4281 (Cross-site request forgery (CSRF) vulnerability in Cisco WebEx Meeting ...) NOT-FOR-US: Cisco CVE-2015-4280 (Cisco Prime Collaboration Assurance 10.0 allows remote attackers to ca ...) NOT-FOR-US: Cisco CVE-2015-4279 (The Manager component in Cisco Unified Computing System (UCS) 2.2(3b) ...) NOT-FOR-US: Cisco CVE-2015-4278 (Cisco Email Security Appliance (ESA) devices with software 8.5.6-106 a ...) NOT-FOR-US: Cisco CVE-2015-4277 (The global-configuration implementation on Cisco ASR 9000 devices with ...) NOT-FOR-US: Cisco CVE-2015-4276 (Cisco WebEx Meetings Server 2.5MR1 allows remote authenticated users t ...) NOT-FOR-US: Cisco CVE-2015-4275 (The Packet Data Network Gateway (aka PGW) component on Cisco ASR 5000 ...) NOT-FOR-US: Cisco CVE-2015-4274 (Cross-site request forgery (CSRF) vulnerability in the web framework i ...) NOT-FOR-US: Cisco CVE-2015-4273 (The Packet Data Network Gateway (aka PGW) component on Cisco ASR 5000 ...) NOT-FOR-US: Cisco CVE-2015-4272 (Multiple cross-site scripting (XSS) vulnerabilities in the ccmivr page ...) NOT-FOR-US: Cisco CVE-2015-4271 (Cisco TelePresence TC before 7.3.4 on Integrator C devices allows remo ...) NOT-FOR-US: Cisco CVE-2015-4270 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco FireSIGHT ...) NOT-FOR-US: Cisco CVE-2015-4269 (The Tomcat throttling feature in Cisco Unified Communications Manager ...) NOT-FOR-US: Cisco CVE-2015-4268 (Multiple cross-site scripting (XSS) vulnerabilities in the Infra Admin ...) NOT-FOR-US: Cisco CVE-2015-4267 (Cross-site request forgery (CSRF) vulnerability in the web framework i ...) NOT-FOR-US: Cisco CVE-2015-4266 (The web interface in Cisco Identity Services Engine (ISE) 1.1(4.1), 1. ...) NOT-FOR-US: Cisco CVE-2015-4265 (Cisco Unified Computing System (UCS) B Blade Server Software 2.2.x bef ...) NOT-FOR-US: Cisco Unified Computing System CVE-2015-4264 RESERVED CVE-2015-4263 (The Control and Provisioning functionality in Cisco Mobility Services ...) NOT-FOR-US: Cisco CVE-2015-4262 (The password-change feature in Cisco Unified MeetingPlace Web Conferen ...) NOT-FOR-US: Cisco Unified MeetingPlace CVE-2015-4261 REJECTED CVE-2015-4260 (Cross-site scripting (XSS) vulnerability in Cisco Hosted Collaboration ...) NOT-FOR-US: Cisco CVE-2015-4259 (The Integrated Management Controller on Cisco Unified Computing System ...) NOT-FOR-US: Cisco CVE-2015-4258 (Cross-site request forgery (CSRF) vulnerability on Cisco TelePresence ...) NOT-FOR-US: Cisco CVE-2015-4257 (Cross-site request forgery (CSRF) vulnerability on Cisco TelePresence ...) NOT-FOR-US: Cisco CVE-2015-4256 (Cross-site request forgery (CSRF) vulnerability on Cisco TelePresence ...) NOT-FOR-US: Cisco CVE-2015-4255 (Cross-site request forgery (CSRF) vulnerability on Cisco TelePresence ...) NOT-FOR-US: Cisco CVE-2015-4254 (Cross-site request forgery (CSRF) vulnerability on Cisco TelePresence ...) NOT-FOR-US: Cisco CVE-2015-4253 (Cross-site request forgery (CSRF) vulnerability on Cisco TelePresence ...) NOT-FOR-US: Cisco CVE-2015-4252 (Cross-site request forgery (CSRF) vulnerability on Cisco TelePresence ...) NOT-FOR-US: Cisco CVE-2015-4251 REJECTED CVE-2015-4250 REJECTED CVE-2015-4249 REJECTED CVE-2015-4248 REJECTED CVE-2015-4247 REJECTED CVE-2015-4246 REJECTED CVE-2015-4245 REJECTED CVE-2015-4244 (The boot implementation on Cisco ASR 5000 and 5500 devices with softwa ...) NOT-FOR-US: Cisco CVE-2015-4243 (The PPPoE establishment implementation in Cisco IOS XE 3.5.0S on ASR 1 ...) NOT-FOR-US: Cisco CVE-2015-4242 (Cross-site request forgery (CSRF) vulnerability in Cisco FireSIGHT Sys ...) NOT-FOR-US: Cisco CVE-2015-4241 (Cisco Adaptive Security Appliance (ASA) Software 9.3(2) allows remote ...) NOT-FOR-US: Cisco CVE-2015-4240 (Cisco IP Communicator 8.6(4) allows remote attackers to cause a denial ...) NOT-FOR-US: Cisco CVE-2015-4239 (Cisco Adaptive Security Appliance (ASA) Software 9.3(2.243) and 100.13 ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2015-4238 (The SNMP implementation in Cisco Adaptive Security Appliance (ASA) Sof ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2015-4237 (The CLI parser in Cisco NX-OS 4.1(2)E1(1), 6.2(11b), 6.2(12), 7.2(0)ZZ ...) NOT-FOR-US: Cisco NX-OS CVE-2015-4236 (Cisco AsyncOS on Email Security Appliance (ESA) devices with software ...) NOT-FOR-US: Cisco CVE-2015-4235 (Cisco Application Policy Infrastructure Controller (APIC) devices with ...) NOT-FOR-US: Cisco Application Policy Infrastructure Controller CVE-2015-4234 (Cisco NX-OS 6.0(2) and 6.2(2) on Nexus devices has an improper OS conf ...) NOT-FOR-US: Cisco NX-OS CVE-2015-4233 (SQL injection vulnerability in Cisco Unified MeetingPlace 8.6(1.2) all ...) NOT-FOR-US: Cisco Unified MeetingPlace CVE-2015-4232 (Cisco NX-OS 6.2(10) on Nexus and MDS 9000 devices allows local users t ...) NOT-FOR-US: Cisco NX-OS CVE-2015-4231 (The Python interpreter in Cisco NX-OS 6.2(8a) on Nexus 7000 devices al ...) NOT-FOR-US: Cisco NX-OS CVE-2015-4230 (Memory leak in Cisco Headend System Release allows remote attackers to ...) NOT-FOR-US: Cisco CVE-2015-4229 (The web framework in Cisco Unified Communications Domain Manager 8.1(4 ...) NOT-FOR-US: Cisco Unified Communications Domain Manager CVE-2015-4228 (Cisco Digital Content Manager (DCM) 15.0.0 might allow remote ad serve ...) NOT-FOR-US: Cisco Digital Content Manager CVE-2015-4227 (Memory leak in Cisco Headend System Release allows remote attackers to ...) NOT-FOR-US: Cisco CVE-2015-4226 (The packet-storing feature on Cisco 9900 phones with firmware 9.3(2) d ...) NOT-FOR-US: Cisco CVE-2015-4225 (Cisco Application Policy Infrastructure Controller (APIC) 1.0(1.110a) ...) NOT-FOR-US: Cisco CVE-2015-4224 (Cisco Wireless LAN Controller (WLC) devices with software 7.0(240.0) a ...) NOT-FOR-US: Cisco CVE-2015-4223 (Cisco IOS XR 5.1.3 allows remote attackers to cause a denial of servic ...) NOT-FOR-US: Cisco CVE-2015-4222 (SQL injection vulnerability in Cisco Unified Communications Manager IM ...) NOT-FOR-US: Cisco CVE-2015-4221 (Cisco Unified Communications Manager IM and Presence Service 9.1(1) do ...) NOT-FOR-US: Cisco CVE-2015-4220 (Cross-site scripting (XSS) vulnerability in Cisco Unified Presence Ser ...) NOT-FOR-US: Cisco CVE-2015-4219 (Cisco Secure Access Control System before 5.4(0.46.2) and 5.5 before 5 ...) NOT-FOR-US: Cisco CVE-2015-4218 (The web-based user interface in Cisco Jabber through 9.6(3) and 9.7 th ...) NOT-FOR-US: Cisco Jabber CVE-2015-4217 (The remote-support feature on Cisco Web Security Virtual Appliance (WS ...) NOT-FOR-US: Cisco CVE-2015-4216 (The remote-support feature on Cisco Web Security Virtual Appliance (WS ...) NOT-FOR-US: Cisco CVE-2015-4215 (Cisco Wireless LAN Controller (WLC) devices with software 7.5(102.0) a ...) NOT-FOR-US: Cisco CVE-2015-4214 (Cisco Unified MeetingPlace 8.6(1.2) and 8.6(1.9) allows remote authent ...) NOT-FOR-US: Cisco CVE-2015-4213 (Cisco NX-OS 1.1(1g) on Nexus 9000 devices allows remote authenticated ...) NOT-FOR-US: Cisco CVE-2015-4212 (Cisco WebEx Meeting Center allows remote attackers to obtain sensitive ...) NOT-FOR-US: Cisco CVE-2015-4211 (Cisco AnyConnect Secure Mobility Client 3.1(60) on Windows does not pr ...) NOT-FOR-US: Cisco CVE-2015-4210 (Cross-site scripting (XSS) vulnerability in Cisco WebEx Meeting Center ...) NOT-FOR-US: Cisco CVE-2015-4209 (Cisco WebEx Meeting Center does not properly determine authorization f ...) NOT-FOR-US: Cisco CVE-2015-4208 (Cisco WebEx Meeting Center does not properly restrict the content of U ...) NOT-FOR-US: Cisco CVE-2015-4207 (Cisco WebEx Meeting Center places a meeting's access number in a URL, ...) NOT-FOR-US: Cisco CVE-2015-4206 (Cisco Unified Communications Manager (UCM) 8.0 through 8.6 allows remo ...) NOT-FOR-US: Cisco CVE-2015-4205 (Cisco IOS XR 5.3.1 on ASR 9000 devices allows remote attackers to caus ...) NOT-FOR-US: Cisco CVE-2015-4204 (Memory leak in Cisco IOS 12.2 in the Performance Routing Engine (PRE) ...) NOT-FOR-US: Cisco CVE-2015-4203 (Race condition in Cisco IOS 12.2SCH in the Performance Routing Engine ...) NOT-FOR-US: Cisco CVE-2015-4202 (Cisco IOS 12.2SCH on uBR10000 router Cable Modem Termination Systems ( ...) NOT-FOR-US: Cisco CVE-2015-4201 (The Gateway General Packet Radio Service Support Node (GGSN) component ...) NOT-FOR-US: Cisco CVE-2015-4200 (Memory leak in the IPv6-to-IPv4 functionality in Cisco IOS 15.3S in th ...) NOT-FOR-US: Cisco IOS CVE-2015-4199 (Race condition in the IPv6-to-IPv4 functionality in Cisco IOS 15.3S in ...) NOT-FOR-US: Cisco CVE-2015-4198 (Cross-site scripting (XSS) vulnerability in the web framework on Cisco ...) NOT-FOR-US: Cisco CVE-2015-4197 (Cisco NX-OS 5.2(5) on Nexus 7000 devices allows remote attackers to ca ...) NOT-FOR-US: Cisco CVE-2015-4196 (Platform Software before 4.4.5 in Cisco Unified Communications Domain ...) NOT-FOR-US: Cisco Unified Communications Domain Manager CVE-2015-4195 (Cisco IOS XR 5.1.1.K9SEC allows remote authenticated users to cause a ...) NOT-FOR-US: Cisco CVE-2015-4194 (The web-based administrative interface in Cisco WebEx Meeting Center p ...) NOT-FOR-US: Cisco CVE-2015-4193 RESERVED CVE-2015-4192 RESERVED CVE-2015-4191 (Cisco IOS XR 5.2.1 allows remote attackers to cause a denial of servic ...) NOT-FOR-US: Cisco CVE-2015-4190 (Cisco Cloud Portal in Cisco Prime Service Catalog 9.4.1_vortex on Clou ...) NOT-FOR-US: Cisco CVE-2015-4189 (Cross-site request forgery (CSRF) vulnerability in Cisco Data Center A ...) NOT-FOR-US: Cisco CVE-2015-4188 (SQL injection vulnerability in the Manager interface in Cisco Prime Co ...) NOT-FOR-US: Cisco CVE-2015-4187 RESERVED CVE-2015-4186 (The diagnostics subsystem in the administrative web interface on Cisco ...) NOT-FOR-US: Cisco CVE-2015-4185 (The TCL interpreter in Cisco IOS 15.2 does not properly maintain the v ...) NOT-FOR-US: Cisco IOS CVE-2015-4184 (The anti-spam scanner on Cisco Email Security Appliance (ESA) devices ...) NOT-FOR-US: Cisco Email Security Appliance CVE-2015-4183 (Cisco UCS Central Software 1.2(1a) allows local users to gain privileg ...) NOT-FOR-US: Cisco CVE-2015-4182 (The administrative web interface in Cisco Identity Services Engine (IS ...) NOT-FOR-US: Cisco Identity Services Engine CVE-2015-4181 (Directory traversal vulnerability in get_file.php in phpMyBackupPro 2. ...) NOT-FOR-US: phpMyBackupPro CVE-2015-4180 (Directory traversal vulnerability in get_file.php in phpMyBackupPro 2. ...) NOT-FOR-US: phpMyBackupPro CVE-2015-4175 RESERVED CVE-2015-4174 (Cross-site scripting (XSS) vulnerability in the integrated web server ...) NOT-FOR-US: Siemens Climatix BACnet/IP communication module CVE-2015-4173 (Unquoted Windows search path vulnerability in the autorun value in Del ...) NOT-FOR-US: Dell SonicWall NetExtender CVE-2010-5325 (Heap-based buffer overflow in the unhtmlify function in foomatic-rip i ...) - foomatic-filters 4.0.5-6 - cups-filters (Vulnerable code not present) NOTE: cups-filters 1.0.42 introduced foomatic-rip filter which already was fixed. NOTE: https://bugs.linuxfoundation.org/show_bug.cgi?id=515 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1218297 NOTE: http://bzr.linuxfoundation.org/loggerhead/openprinting/foomatic/foomatic-filters/revision/239 (HEAD) NOTE: http://bzr.linuxfoundation.org/loggerhead/openprinting/foomatic-4.0/foomatic-filters/revision/225 (4.0.x branch) CVE-2010-5324 (Directory traversal vulnerability in UploadServlet in the Remote Manag ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2015-4692 (The kvm_apic_has_events function in arch/x86/kvm/lapic.h in the Linux ...) - linux 4.0.8-1 [jessie] - linux 3.16.7-ckt11-1+deb8u3 [wheezy] - linux (Vulnerable code not present) - linux-2.6 (vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2015/06/10/6 NOTE: Vulnerable function introduced in https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=66450a21f99636af4fafac2afd33f1a40631bc3a (v3.10-rc1) CVE-2015-4625 (Integer overflow in the authentication_agent_new_cookie function in Po ...) [experimental] - policykit-1 0.113-1 - policykit-1 0.105-12 (low; bug #796134) [jessie] - policykit-1 0.105-15~deb8u1 [wheezy] - policykit-1 (Minor issue) [squeeze] - policykit-1 (Minor issue) NOTE: http://lists.freedesktop.org/archives/polkit-devel/2015-May/000419.html NOTE: http://lists.freedesktop.org/archives/polkit-devel/2015-June/000425.html NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=90837 NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=90832 NOTE: http://www.openwall.com/lists/oss-security/2015/06/08/3 NOTE: http://cgit.freedesktop.org/polkit/commit/?id=ea544ffc18405237ccd95d28d7f45afef49aca17 NOTE: http://cgit.freedesktop.org/polkit/commit/?id=493aa5dc1d278ab9097110c1262f5229bbaf1766 NOTE: http://cgit.freedesktop.org/polkit/commit/?id=fb5076b7c05d01a532d593a4079a29cf2d63a228 CVE-2015-4412 (BSON injection vulnerability in the legal? function in BSON (bson-ruby ...) - ruby-bson (corresponding change in ruby-bson not present) NOTE: Originating from https://github.com/mongodb/bson-ruby/commit/21141c78d99f23d5f34d32010557ef19d0f77203#diff-8c8558c185bbb548ccb5a6d6ac4bfee5L219 CVE-2015-4411 (The Moped::BSON::ObjecId.legal? method in mongodb/bson-ruby before 3.0 ...) - ruby-bson (corresponding change in ruby-bson not present) NOTE: https://github.com/mongoid/moped/commit/dd5a7c14b5d2e466f7875d079af71ad19774609b#diff-3b93602f64c2fe46d38efd9f73ef5358R24 CVE-2015-4410 (The Moped::BSON::ObjecId.legal? method in rubygem-moped before commit ...) - ruby-bson 1.10.0-2 (bug #787951) [jessie] - ruby-bson 1.10.0-1+deb8u1 NOTE: "original" implementation of legal? using ^[0-9a-f]{24}$ regular expression NOTE: Fix: https://github.com/mongodb/mongo-ruby-driver/commit/bb544c2f6fd62940f04ddc1abeeaa3f23c1a9ade (1.x-stable) NOTE: http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html NOTE: https://sources.debian.org/src/ruby-bson/1.10.0-1/lib/bson/types/object_id.rb/#L54 NOTE: http://www.openwall.com/lists/oss-security/2015/06/06/1 CVE-2015-4338 (Static code injection vulnerability in the XCloner plugin 3.1.2 for Wo ...) NOT-FOR-US: WordPress plugin xclonerbackupandrestore CVE-2015-4337 (Cross-site scripting (XSS) vulnerability in the XCloner plugin 3.1.2 f ...) NOT-FOR-US: WordPress plugin xclonerbackupandrestore CVE-2015-4336 (cloner.functions.php in the XCloner plugin 3.1.2 for WordPress allows ...) NOT-FOR-US: WordPress plugin xclonerbackupandrestore CVE-2015-4335 (Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to ex ...) {DSA-3279-1} - redis 2:3.0.2-1 [wheezy] - redis (Lua support introduced in version 2.6.0) [squeeze] - redis (Lua support introduced in version 2.6.0) NOTE: http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/ NOTE: Patch: https://github.com/antirez/redis/commit/fdf9d455098f54f7666c702ae464e6ea21e25411 NOTE: http://www.openwall.com/lists/oss-security/2015/06/05/3 CVE-2015-XXXX [Null pointer access in inflatehd tool] - nghttp2 (unimportant) NOTE: Upstream report: https://github.com/tatsuhiro-t/nghttp2/issues/235 NOTE: Git commit: https://github.com/tatsuhiro-t/nghttp2/commit/3572e7c6343cb85fc21f5667a7ed0902cf5305cf NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/06/03/20 NOTE: inflatehd not installed into the Debian binary packages CVE-2015-5523 (The ParseValue function in lexer.c in tidy before 4.9.31 allows remote ...) {DSA-3309-1 DLA-273-1} - tidy 20091223cvs-1.5 (bug #792571) NOTE: https://github.com/htacg/tidy-html5/issues/217#issuecomment-108565501 NOTE: http://www.openwall.com/lists/oss-security/2015/06/04/2 CVE-2015-5522 (Heap-based buffer overflow in the ParseValue function in lexer.c in ti ...) {DSA-3309-1 DLA-273-1} - tidy 20091223cvs-1.5 (bug #792571) NOTE: https://github.com/htacg/tidy-html5/issues/217 NOTE: http://www.openwall.com/lists/oss-security/2015/06/04/2 CVE-2015-6593 REJECTED CVE-2015-4179 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Code ...) NOT-FOR-US: WordPress plugin codestyling-localization CVE-2015-4176 (fs/namespace.c in the Linux kernel before 4.0.2 does not properly supp ...) - linux (Introducing commit was applied to 4.0.2 but e0c9c0afd2fc958ffa34b697972721d81df8a56f as well backported into 4.0.2) - linux-2.6 (Introduced and fixed in 4.1-rc1 upstream) NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce07d891a0891d3c0d0c2d73d577490486b809e1 (v4.1-rc1) NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e0c9c0afd2fc958ffa34b697972721d81df8a56f (v4.1-rc1) CVE-2015-4172 RESERVED CVE-2015-4171 (strongSwan 4.3.0 through 5.x before 5.3.2 and strongSwan VPN Client be ...) {DSA-3282-1 DLA-244-1} - strongswan 5.3.1-1 NOTE: https://www.strongswan.org/blog/2015/06/08/strongswan-vulnerability-(cve-2015-4171).html CVE-2015-4169 RESERVED CVE-2015-4168 RESERVED CVE-2015-4166 (Cloudera Key Trustee Server before 5.4.3 does not store keys synchrono ...) NOT-FOR-US: Cloudera CVE-2015-4165 (The snapshot API in Elasticsearch before 1.6.0 when another applicatio ...) - elasticsearch 1.6.0+dfsg-1 (bug #788471) [jessie] - elasticsearch (No longer supported, see DSA 3389) NOTE: https://github.com/elastic/elasticsearch/issues/11068 NOTE: https://github.com/elastic/elasticsearch/pull/11284 NOTE: https://github.com/imotov/elasticsearch/commit/f5cfb2a1869d1a52930cbd3138278a6e2c1b22e6 CVE-2015-4164 (The compat_iret function in Xen 3.1 through 4.5 iterates the wrong way ...) {DSA-3286-1} - xen 4.6.0-1 (bug #795721) [squeeze] - xen (Not supported in Squeeze LTS) NOTE: http://xenbits.xen.org/xsa/advisory-136.html CVE-2015-4163 (GNTTABOP_swap_grant_ref in Xen 4.2 through 4.5 does not check the gran ...) {DSA-3286-1} - xen 4.6.0-1 (bug #795721) [wheezy] - xen (Xen 4.2 onwards are vulnerable) [squeeze] - xen (Xen 4.2 onwards are vulnerable) NOTE: http://xenbits.xen.org/xsa/advisory-134.html CVE-2015-4162 (XML external entity (XXE) vulnerability in the management interface in ...) NOT-FOR-US: PAN-OS CVE-2015-4161 (SAP Afaria does not properly restrict access to unspecified functional ...) NOT-FOR-US: SAP Afaria CVE-2015-4160 (SQL injection vulnerability in SAP ASE Database Platform allows remote ...) NOT-FOR-US: SAP ASE Database Platform CVE-2015-4159 (SQL injection vulnerability in SAP HANA Web-based Development Workbenc ...) NOT-FOR-US: SAP HANA CVE-2015-4158 (SAP ABAP & Java Server allows remote attackers to cause a denial o ...) NOT-FOR-US: SAP ABAP & Java Server CVE-2015-4157 (SAP Content Server allows remote attackers to cause a denial of servic ...) NOT-FOR-US: SAP Content Server CVE-2015-4156 (GNU Parallel before 20150522 (Nepal), when using (1) --cat or (2) --fi ...) - parallel 20161222-1 (unimportant; bug #787954) NOTE: https://lists.gnu.org/archive/html/parallel/2015-04/msg00045.html NOTE: https://lists.gnu.org/archive/html/parallel/2015-05/msg00024.html NOTE: Not exploitable with kernel hardening since wheezy CVE-2015-4155 (GNU Parallel before 20150422, when using (1) --pipe, (2) --tmux, (3) - ...) - parallel 20161222-1 (unimportant; bug #787954) NOTE: https://lists.gnu.org/archive/html/parallel/2015-04/msg00045.html NOTE: Not exploitable with kernel hardening since wheezy CVE-2015-4154 RESERVED CVE-2015-4153 (Directory traversal vulnerability in the zM Ajax Login & Register ...) NOT-FOR-US: WordPress plugin zm-ajax-login-register CVE-2015-4152 (Directory traversal vulnerability in the file output plugin in Elastic ...) - logstash (bug #664841) CVE-2015-4151 RESERVED CVE-2015-4150 RESERVED CVE-2015-4149 RESERVED CVE-2015-4138 (The WebUI component in Blue Coat SSL Visibility Appliance SV800, SV180 ...) NOT-FOR-US: Blue Coat SSL Visibility Appliance CVE-2015-4137 (SQL injection vulnerability in related.php in Milw0rm Clone Script 1.0 ...) NOT-FOR-US: Milw0rm Clone Script CVE-2015-4136 RESERVED CVE-2014-9727 (AVM Fritz!Box allows remote attackers to execute arbitrary commands vi ...) NOT-FOR-US: AVM Fritz!Box CVE-2014-9731 (The UDF filesystem implementation in the Linux kernel before 3.18.2 do ...) {DLA-246-1} - linux 3.16.7-ckt4-1 [wheezy] - linux 3.2.68-1 - linux-2.6 NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0e5cc9a40ada6046e6bc3bdfcd0c0d7e4b706b14 (v3.19-rc3) NOTE: http://www.openwall.com/lists/oss-security/2015/06/03/4 CVE-2015-5366 (The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux kerne ...) {DSA-3313-1 DLA-310-1} - linux 4.0.7-1 [wheezy] - linux 3.2.68-1+deb7u3 - linux-2.6 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=beb39db59d14990e401e235faf66a6b9b31240b0 (v4.1-rc7) NOTE: http://web.archive.org/web/20160309082241/https://twitter.com/grsecurity/status/605854034260426753 NOTE: http://www.openwall.com/lists/oss-security/2015/06/30/13 CVE-2015-5364 (The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux kerne ...) {DSA-3313-1 DLA-310-1} - linux 4.0.7-1 [wheezy] - linux 3.2.68-1+deb7u3 - linux-2.6 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=beb39db59d14990e401e235faf66a6b9b31240b0 (v4.1-rc7) NOTE: http://web.archive.org/web/20160309082241/https://twitter.com/grsecurity/status/605854034260426753 NOTE: http://www.openwall.com/lists/oss-security/2015/06/30/13 CVE-2015-XXXX [uudecode: stack out of bounds read access] - sharutils (unimportant) NOTE: Negligible security impact NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/06/02/8 CVE-2014-9730 (The udf_pc_to_char function in fs/udf/symlink.c in the Linux kernel be ...) {DLA-246-1} - linux 3.16.7-ckt4-1 [wheezy] - linux 3.2.68-1 - linux-2.6 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e237ec37ec154564f8690c5bd1795339955eeef9 (v3.19-rc3) NOTE: http://www.openwall.com/lists/oss-security/2015/06/02/7 CVE-2014-9729 (The udf_read_inode function in fs/udf/inode.c in the Linux kernel befo ...) {DLA-246-1} - linux 3.16.7-ckt4-1 [wheezy] - linux 3.2.68-1 - linux-2.6 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e159332b9af4b04d882dbcfe1bb0117f0a6d4b58 (v3.19-rc3) NOTE: http://www.openwall.com/lists/oss-security/2015/06/02/7 CVE-2014-9728 (The UDF filesystem implementation in the Linux kernel before 3.18.2 do ...) {DLA-246-1} - linux 3.16.7-ckt4-1 [wheezy] - linux 3.2.68-1 - linux-2.6 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e159332b9af4b04d882dbcfe1bb0117f0a6d4b58 (v3.19-rc3) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e237ec37ec154564f8690c5bd1795339955eeef9 (v3.19-rc3) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a1d47b262952a45aae62bd49cfaf33dd76c11a2c (v3.19-rc3) NOTE: http://www.openwall.com/lists/oss-security/2015/06/02/7 CVE-2015-4167 (The udf_read_inode function in fs/udf/inode.c in the Linux kernel befo ...) {DSA-3313-1 DSA-3290-1 DLA-246-1} - linux 4.0.2-1 - linux-2.6 NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=23b133bdc452aa441fcb9b82cbf6dd05cfd342d0 (v4.0-rc1) NOTE: http://www.openwall.com/lists/oss-security/2015/06/02/6 CVE-2015-4140 (Cross-site request forgery (CSRF) vulnerability in the WP Smiley plugi ...) NOT-FOR-US: WordPress plugin wp-smiley CVE-2015-4139 (Cross-site scripting (XSS) vulnerability in smilies4wp.php in the WP S ...) NOT-FOR-US: WordPress plugin wp-smiley CVE-2015-4135 (Cross-site scripting (XSS) vulnerability in goto.php in phpwind 8.7 al ...) NOT-FOR-US: PHPWind CVE-2015-4134 (Open redirect vulnerability in goto.php in phpwind 8.7 allows remote a ...) NOT-FOR-US: PHPWind CVE-2015-4133 (Unrestricted file upload vulnerability in admin/scripts/FileUploader/p ...) NOT-FOR-US: ReFlex Gallery plugin for WordPress CVE-2015-4132 (Multiple cross-site scripting (XSS) vulnerabilities in Aruba Networks ...) NOT-FOR-US: Aruba Networks CPPM CVE-2015-4131 RESERVED CVE-2015-4130 [command-injection] RESERVED NOT-FOR-US: NodeJS ungit NOTE: https://github.com/FredrikNoren/ungit/issues/486 NOTE: https://nodesecurity.io/advisories/40 CVE-2015-4129 (SQL injection vulnerability in Subrion CMS before 3.3.3 allows remote ...) NOT-FOR-US: Subrion CMS CVE-2015-4128 RESERVED CVE-2015-4127 (Cross-site scripting (XSS) vulnerability in the church_admin plugin be ...) NOT-FOR-US: church_admin plugin for WordPress CVE-2015-4178 (The fs_pin implementation in the Linux kernel before 4.0.5 does not en ...) - linux (Commit was applied to 4.0.2 as well but fixed in Debian by two subsequent commits) NOTE: Debian both applies "mnt: Fail collect_mounts when applied to unmounted mounts" NOTE: and "fs_pin: Allow for the possibility that m_list or s_list go unused." in NOTE: 4.0.2-1 - linux-2.6 (Introduced and fixed in 4.1-rc1 upstream) NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce07d891a0891d3c0d0c2d73d577490486b809e1 (v4.1-rc1) NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=820f9f147dcce2602eefd9b575bbbd9ea14f0953 (v4.1-rc1) NOTE: http://www.openwall.com/lists/oss-security/2015/05/29/5 CVE-2015-4177 (The collect_mounts function in fs/namespace.c in the Linux kernel befo ...) - linux (Commit was applied to 4.0.2 as well but fixed in Debian by two subsequent commits) NOTE: Debian both applies "mnt: Fail collect_mounts when applied to unmounted mounts" NOTE: and "fs_pin: Allow for the possibility that m_list or s_list go unused." in NOTE: 4.0.2-1 - linux-2.6 (Introduced and fixed in 4.1-rc1 upstream) NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce07d891a0891d3c0d0c2d73d577490486b809e1 (v4.1-rc1) NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cd4a40174b71acd021877341684d8bb1dc8ea4ae (v4.1-rc1) NOTE: http://www.openwall.com/lists/oss-security/2015/05/29/5 CVE-2015-4126 RESERVED CVE-2015-4125 RESERVED CVE-2015-4124 RESERVED CVE-2015-4123 RESERVED CVE-2015-4122 RESERVED CVE-2015-4121 RESERVED CVE-2015-4120 RESERVED CVE-2015-4119 (Multiple cross-site request forgery (CSRF) vulnerabilities in ISPConfi ...) NOT-FOR-US: ISPConfig CVE-2015-4118 (SQL injection vulnerability in monitor/show_sys_state.php in ISPConfig ...) NOT-FOR-US: ISPConfig CVE-2015-4117 (Vesta Control Panel before 0.9.8-14 allows remote authenticated users ...) NOT-FOR-US: Vesta Control Panel CVE-2015-4116 (Use-after-free vulnerability in the spl_ptr_heap_insert function in ex ...) - php5 5.6.11+dfsg-1 (unimportant) [jessie] - php5 5.6.12+dfsg-0+deb8u1 NOTE: https://bugs.php.net/bug.php?id=69737 NOTE: Fixed in 5.6.11, 5.5.27 NOTE: Not treated as security issue, only triggerable with malformed PHP code CVE-2015-4115 RESERVED CVE-2015-4114 RESERVED CVE-2015-4113 RESERVED CVE-2015-4112 (The Management Console in BlackBerry Enterprise Server (BES) 12 before ...) NOT-FOR-US: BlackBerry CVE-2015-4111 (mc_demux_mp4_ds.ax in an unspecified third-party codec demux in BlackB ...) NOT-FOR-US: BlackBerry CVE-2015-4110 RESERVED CVE-2015-4109 (Multiple SQL injection vulnerabilities in the ratings module in the Us ...) NOT-FOR-US: WordPress plugin users-ultra CVE-2015-4108 (Multiple cross-site request forgery (CSRF) vulnerabilities in Wing FTP ...) NOT-FOR-US: Wing FTP Server CVE-2015-4107 REJECTED CVE-2015-4106 (QEMU does not properly restrict write access to the PCI config space f ...) {DSA-3286-1 DSA-3284-1} - qemu 1:2.3+dfsg-5 (bug #787547) [wheezy] - qemu (Vulnerable code not present) [squeeze] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) - xen 4.4.0-1 [squeeze] - xen (Not supported in Squeeze LTS) NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: http://xenbits.xen.org/xsa/advisory-131.html CVE-2015-4105 (Xen 3.3.x through 4.5.x enables logging for PCI MSI-X pass-through err ...) {DSA-3286-1 DSA-3284-1} - qemu 1:2.3+dfsg-5 (bug #787547) [wheezy] - qemu (Vulnerable code not present) [squeeze] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) - xen 4.4.0-1 [squeeze] - xen (Not supported in Squeeze LTS) NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: http://xenbits.xen.org/xsa/advisory-130.html CVE-2015-4104 (Xen 3.3.x through 4.5.x does not properly restrict access to PCI MSI m ...) {DSA-3286-1 DSA-3284-1} - qemu 1:2.3+dfsg-5 (bug #787547) [wheezy] - qemu (Vulnerable code not present) [squeeze] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) - xen 4.4.0-1 [squeeze] - xen (Not supported in Squeeze LTS) NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: http://xenbits.xen.org/xsa/advisory-129.html CVE-2015-4103 (Xen 3.3.x through 4.5.x does not properly restrict write access to the ...) {DSA-3286-1 DSA-3284-1} - qemu 1:2.3+dfsg-5 (bug #787547) [wheezy] - qemu (Vulnerable code not present) [squeeze] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) - xen 4.4.0-1 [squeeze] - xen (Not supported in Squeeze LTS) NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: http://xenbits.xen.org/xsa/advisory-128.html CVE-2015-4102 RESERVED CVE-2015-4101 RESERVED CVE-2015-4100 (Puppet Enterprise 3.7.x and 3.8.0 might allow remote authenticated use ...) - puppet (Only affects Puppet Enterprise) NOTE: https://puppet.com/security/cve/CVE-2015-4100 CVE-2015-4099 RESERVED CVE-2015-4098 RESERVED CVE-2015-4097 RESERVED CVE-2015-4096 RESERVED CVE-2015-4095 RESERVED CVE-2015-4094 (The Thycotic Password Manager Secret Server application through 2.3 fo ...) NOT-FOR-US: Thycotic Password Manager Secret Server application for iOS CVE-2015-4093 (Cross-site scripting (XSS) vulnerability in Elasticsearch Kibana 4.x b ...) - kibana (bug #700337) CVE-2015-4092 (Buffer overflow in the XComms process in SAP Afaria 7.00.6620.2 SP5 al ...) NOT-FOR-US: SAP Afaria CVE-2015-4091 (XML external entity (XXE) vulnerability in SAP NetWeaver AS Java 7.4 a ...) NOT-FOR-US: SAP NetWeaver AS Java CVE-2015-4090 RESERVED CVE-2015-4089 (Multiple cross-site request forgery (CSRF) vulnerabilities in the opti ...) NOT-FOR-US: Wordpress plugin CVE-2015-4088 RESERVED CVE-2015-4087 RESERVED CVE-2007-6758 (Server-side request forgery (SSRF) vulnerability in feed-proxy.php in ...) NOT-FOR-US: feed-proxy.php CVE-2015-4086 RESERVED CVE-2015-4084 (Cross-site scripting (XSS) vulnerability in the Free Counter plugin 1. ...) NOT-FOR-US: Free Counter plugin for WordPress CVE-2015-4083 RESERVED CVE-2015-4081 RESERVED CVE-2015-4080 (The Kankun Smart Socket device and mobile application uses a hardcoded ...) NOT-FOR-US: Kankun Smart Socket device and mobile application CVE-2015-4079 RESERVED CVE-2015-4078 (Cloudera Navigator 2.2.x before 2.2.4 and 2.3.x before 2.3.3 include s ...) NOT-FOR-US: Cloudera CVE-2015-4077 (The (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys, and (4 ...) NOT-FOR-US: Fortinet CVE-2015-4076 RESERVED CVE-2015-4075 (The Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attacke ...) NOT-FOR-US: Joomla! plugin CVE-2015-4074 (Directory traversal vulnerability in the Helpdesk Pro plugin before 1. ...) NOT-FOR-US: Joomla! plugin CVE-2015-4073 (Multiple SQL injection vulnerabilities in the Helpdesk Pro plugin befo ...) NOT-FOR-US: Joomla! plugin CVE-2015-4072 (Multiple cross-site scripting (XSS) vulnerabilities in the Helpdesk Pr ...) NOT-FOR-US: Joomla! plugin CVE-2015-4071 (The Helpdesk Pro Plugin before 1.4.0 for Joomla! allows remote attacke ...) NOT-FOR-US: Helpdesk Pro Plugin for Joomla! CVE-2015-4070 (Open redirect vulnerability in the proxyimages function in wowproxy.ph ...) NOT-FOR-US: Wow Moodboard Lite CVE-2015-4069 (The EdgeServiceImpl web service in Arcserve UDP before 5.0 Update 4 al ...) NOT-FOR-US: EdgeServiceImpl web service in Arcserve UDP CVE-2015-4068 (Directory traversal vulnerability in Arcserve UDP before 5.0 Update 4 ...) NOT-FOR-US: Arcserve UDP CVE-2015-4067 (Integer overflow in the libnv6 module in Dell NetVault Backup before 1 ...) NOT-FOR-US: Dell NetVault Backup CVE-2015-4066 (Multiple SQL injection vulnerabilities in admin/handlers.php in the Gi ...) NOT-FOR-US: GigPress plugin for WordPress CVE-2015-4061 RESERVED CVE-2015-4060 (Heap-based buffer overflow in the TermProxy (WLTermProxyService.exe) s ...) NOT-FOR-US: Wavelink ConnectPro CVE-2015-4059 (Heap-based buffer overflow in the License Server (LicenseServer.exe) i ...) NOT-FOR-US: Wavelink Terminal Emulation CVE-2015-4058 REJECTED CVE-2015-4057 (The "Plug-in for VMware vCenter" in VCE Vision Intelligent Operations ...) NOT-FOR-US: VCE Vision Intelligent Operations CVE-2015-4056 (The System Library in VCE Vision Intelligent Operations before 2.6.5 d ...) NOT-FOR-US: VCE Vision Intelligent Operations CVE-2015-4055 RESERVED CVE-2015-XXXX [hwclock(8) SUID privilege escalation] [experimental] - util-linux 2.27~rc1-1 - util-linux 2.27-1 (unimportant; bug #786804) NOTE: hwclock is not installed suid in Debian NOTE: https://github.com/karelzak/util-linux/commit/687cc5d58942b24a9f4013c68876d8cbea907ab1 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/05/26/10 CVE-2015-4082 (attic before 0.15 does not confirm unencrypted backups with the user, ...) - attic 0.16-1 (bug #787435) [jessie] - attic (Minor issue) NOTE: https://github.com/jborg/attic/issues/271 NOTE: https://github.com/jborg/attic/commit/78f9ad1faba7193ca7f0acccbc13b1ff6ebf9072 NOTE: http://www.openwall.com/lists/oss-security/2015/05/25/3 CVE-2015-4170 (Race condition in the ldsem_cmpxchg function in drivers/tty/tty_ldsem. ...) - linux 3.13.4-1 [wheezy] - linux (commit 4898e640caf03fdbaf2122d5a33949bf3e4a5b34 not backported) - linux-2.6 (commit 4898e640caf03fdbaf2122d5a33949bf3e4a5b34 not backported) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cf872776fc84128bb779ce2b83a37c884c3203ae (v3.13-rc5) NOTE: Affected code was introduced by the rewrite in https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4898e640caf03fdbaf2122d5a33949bf3e4a5b34 (v3.11-rc1) NOTE: http://www.openwall.com/lists/oss-security/2015/05/26/1 CVE-2015-4065 (Cross-site scripting (XSS) vulnerability in shared/shortcodes/inbound- ...) NOT-FOR-US: WordPress plugin landing-pages CVE-2015-4064 (SQL injection vulnerability in modules/module.ab-testing.php in the La ...) NOT-FOR-US: WordPress plugin landing-pages CVE-2015-4063 (Cross-site scripting (XSS) vulnerability in includes/nsp_search.php in ...) NOT-FOR-US: WordPress plugin newstatpress CVE-2015-4062 (SQL injection vulnerability in includes/nsp_search.php in the NewStatP ...) NOT-FOR-US: WordPress plugin newstatpress CVE-2015-4052 RESERVED CVE-2015-4051 (Beckhoff IPC Diagnostics before 1.8 does not properly restrict access ...) NOT-FOR-US: Beckhoff IPC Diagnostics CVE-2015-4050 (FragmentListener in the HttpKernel component in Symfony 2.3.19 through ...) {DSA-3276-1} - symfony 2.7.0~beta2+dfsg-2 NOTE: https://github.com/fabpot/symfony/commit/d320d27699abcea12479cf608908fa91bcc133d4 NOTE: http://symfony.com/blog/cve-2015-4050-esi-unauthorized-access CVE-2014-9726 RESERVED CVE-2014-9725 RESERVED CVE-2014-9724 RESERVED CVE-2014-9723 RESERVED CVE-2014-9722 RESERVED CVE-2015-XXXX [XSS in group administration] - php-horde 5.2.5+debian0-1 (bug #785364) [jessie] - php-horde 5.2.1+debian0-2+deb8u1 NOTE: https://github.com/horde/horde/commit/dae5277746abe613de0cacc004e95e9ed9d78220 CVE-2015-4053 (The admin command in ceph-deploy before 1.5.25 uses world-readable per ...) - ceph-deploy (Fixed with initial upload to Debian) NOTE: http://tracker.ceph.com/issues/11694 CVE-2015-4049 (Unisys Libra 43xx, 63xx, and 83xx, and FS600 class systems with MCP-FI ...) NOT-FOR-US: Unisys Libra CVE-2015-4048 RESERVED CVE-2012-6691 (Multiple cross-site request forgery (CSRF) vulnerabilities in the admi ...) NOT-FOR-US: osCMax CVE-2015-4054 (PgBouncer before 1.5.5 allows remote attackers to cause a denial of se ...) - pgbouncer 1.5.5-1 [jessie] - pgbouncer 1.5.4-6+deb8u1 [wheezy] - pgbouncer 1.5.2-4+deb7u1 [squeeze] - pgbouncer (Minor issue) NOTE: https://github.com/pgbouncer/pgbouncer/commit/edab5be6665b9e8de66c25ba527509b229468573 (master) NOTE: https://github.com/pgbouncer/pgbouncer/commit/74d6e5f7de5ec736f71204b7b422af7380c19ac5 (stable-1.5) NOTE: https://github.com/pgbouncer/pgbouncer/issues/42 NOTE: http://www.openwall.com/lists/oss-security/2015/05/21/2 CVE-2015-8147 REJECTED CVE-2015-8146 REJECTED CVE-2015-4046 (The asset discovery scanner in AlienVault OSSIM before 5.0.1 allows re ...) NOT-FOR-US: AlienVault OSSIM CVE-2015-4045 (The sudoers file in the asset discovery scanner in AlienVault OSSIM be ...) NOT-FOR-US: AlienVault OSSIM CVE-2015-4044 RESERVED CVE-2015-4043 (SQL injection vulnerability in ConnX ESP HR Management 4.4.0 allows re ...) NOT-FOR-US: ConnX ESP CVE-2015-4040 (Directory traversal vulnerability in the configuration utility in F5 B ...) NOT-FOR-US: F5 BIG-IP CVE-2015-4039 (Multiple cross-site scripting (XSS) vulnerabilities in the WP Membersh ...) NOT-FOR-US: WordPress plugin WP Membership CVE-2015-4038 (The WP Membership plugin 1.2.3 for WordPress allows remote authenticat ...) NOT-FOR-US: WordPress plugin WP Membership CVE-2015-4037 (The slirp_smb function in net/slirp.c in QEMU 2.3.0 and earlier create ...) {DSA-3285-1 DSA-3284-1} - qemu 1:2.3+dfsg-5 [wheezy] - qemu 1.1.2+dfsg-6a+deb7u8 [squeeze] - qemu (Not supported in Squeeze LTS) - qemu-kvm [squeeze] - qemu-kvm (Not supported in Squeeze LTS) NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=8b8f1c7e9ddb2e88a144638f6527bf70e32343e3 CVE-2015-4034 (The createFromParcel method in the com.absolute.android.persistence.Me ...) NOT-FOR-US: Samsung Galaxy S5 CVE-2015-4033 (Samsung SBeam allows remote attackers to read arbitrary images by leve ...) NOT-FOR-US: Samsung SBeam CVE-2015-4032 (projectContents.jsp in the Developer tools in Visual Mining NetCharts ...) NOT-FOR-US: Visual Mining NetCharts Server CVE-2015-4031 (Directory traversal vulnerability in saveFile.jsp in the development i ...) NOT-FOR-US: Visual Mining NetChart CVE-2015-4030 RESERVED CVE-2015-4029 (Cross-site scripting (XSS) vulnerability in the WebGUI in pfSense befo ...) NOT-FOR-US: pfSense CVE-2015-4028 RESERVED CVE-2015-4027 (The AcuWVSSchedulerv10 service in Acunetix Web Vulnerability Scanner ( ...) NOT-FOR-US: Acunetix Web Vulnerability Scanner CVE-2013-7440 (The ssl.match_hostname function in CPython (aka Python) before 2.7.9 a ...) - python3.4 3.4~b1-4 - python3.3 3.3.3-1 - python3.2 [wheezy] - python3.2 (Minor issue, too intrusive to backport) - python3.1 [squeeze] - python3.1 (Minor issue) - python2.7 2.7.9-1 [wheezy] - python2.7 (Minor issue, too intrusive to backport) - python2.6 [wheezy] - python2.6 (Minor issue, too intrusive to backport) [squeeze] - python2.6 (Minor issue) - python2.5 [squeeze] - python2.5 (Minor issue) NOTE: https://bugs.python.org/issue17997#msg194950 NOTE: https://hg.python.org/cpython/rev/10d0edadbcdd NOTE: The CVE is only about refusing multiple wildcards. Backporting that part only is not so difficult. CVE-2015-4047 (racoon/gssapi.c in IPsec-Tools 0.8.2 allows remote attackers to cause ...) {DSA-3272-1 DLA-234-1} - ipsec-tools 1:0.8.2+20140711-3 (bug #785778) NOTE: http://www.openwall.com/lists/oss-security/2015/05/20/1 CVE-2015-4023 RESERVED CVE-2015-4020 (RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4 ...) - rubygems (Affects versions between 2.0 and 2.4.6 and incomplete fix not applied) - libgems-ruby (Affects versions between 2.0 and 2.4.6 and incomplete fix not applied) - ruby1.8 (Vulnerable code not present) - ruby1.9.1 (Bundles 1.8.23, vulnerable code introduced in later 1.9.1 versions; incomplete fix not applied) - ruby2.1 (Incomplete fix not applied) - ruby2.2 (Incomplete fix not applied) - jruby (Incomplete fix not applied) NOTE: Original patch https://github.com/rubygems/rubygems/commit/6bbee35 NOTE: introduced another vulnerability, assigned CVE-2015-4020. This CVE NOTE: only applies if only 6bbee35 was applied without 5c7bfb5 NOTE: https://github.com/rubygems/rubygems/commit/5c7bfb5 CVE-2015-4019 RESERVED CVE-2015-4018 (SQL injection vulnerability in feedwordpresssyndicationpage.class.php ...) NOT-FOR-US: FeedWordPress plugin for WordPress CVE-2015-4016 (The client detection protocol in Valve Steam allows remote attackers t ...) NOT-FOR-US: Related to non-free steam package. NOTE: The affected code is believed to be downloaded from Valve on startup. NOTE: http://store.steampowered.com/news/16801/ NOTE: http://www.zerodayinitiative.com/advisories/ZDI-15-233/ CVE-2015-4015 RESERVED CVE-2015-4014 RESERVED CVE-2015-4013 RESERVED CVE-2015-4012 RESERVED CVE-2015-4011 RESERVED CVE-2015-4042 (Integer overflow in the keycompare_mb function in sort.c in sort in GN ...) - coreutils (Debian does not apply coreutils-i18n.patch) NOTE: https://github.com/pixelb/coreutils/commit/bea5e36cc876ed627bb5e0eca36fdfaa6465e940 NOTE: http://pkgs.fedoraproject.org/cgit/coreutils.git/plain/coreutils-i18n.patch CVE-2015-4041 (The keycompare_mb function in sort.c in sort in GNU Coreutils through ...) - coreutils (Debian does not apply coreutils-i18n.patch) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=928749 NOTE: https://github.com/pixelb/coreutils/commit/bea5e36cc876ed627bb5e0eca36fdfaa6465e940 NOTE: http://pkgs.fedoraproject.org/cgit/coreutils.git/plain/coreutils-i18n.patch CVE-2015-4035 (scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not ...) - xz-utils (Affects 4.999.9beta) NOTE: http://www.openwall.com/lists/oss-security/2015/05/18/7 CVE-2015-4010 (Cross-site request forgery (CSRF) vulnerability in the Encrypted Conta ...) NOT-FOR-US: Encrypted Contact Form plugin for WordPress CVE-2015-4009 RESERVED CVE-2015-4008 RESERVED CVE-2015-4007 RESERVED CVE-2015-4006 RESERVED CVE-2015-4005 RESERVED CVE-2015-4004 (The OZWPAN driver in the Linux kernel through 4.0.5 relies on an untru ...) - linux 4.3-1 (unimportant) NOTE: ozwpan driver not built [wheezy] - linux (ozwpan driver not present) - linux-2.6 (ozwpan driver not present) NOTE: https://lkml.org/lkml/2015/5/13/739 NOTE: Not enabled in Debian kernels; staging drivers are not supported NOTE: Driver was removed in Linux 4.3 CVE-2015-4003 (The oz_usb_handle_ep_data function in drivers/staging/ozwpan/ozusbsvc1 ...) - linux 4.1.3-1 (unimportant) NOTE: ozwpan driver not built [wheezy] - linux (ozwpan driver not present) - linux-2.6 (ozwpan driver not present) NOTE: https://lkml.org/lkml/2015/5/13/741 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=04bf464a5dfd9ade0dda918e44366c2c61fce80b (v4.1-rc7) NOTE: Not enabled in Debian kernels; staging drivers are not supported CVE-2015-4002 (drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver in the Linux k ...) - linux 4.1.3-1 (unimportant) NOTE: ozwpan driver not built [wheezy] - linux (ozwpan driver not present) - linux-2.6 (ozwpan driver not present) NOTE: https://lkml.org/lkml/2015/5/13/740 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d114b9fe78c8d6fc6e70808c2092aa307c36dc8e (v4.1-rc7) NOTE: https://lkml.org/lkml/2015/5/13/742 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9a59029bc218b48eff8b5d4dde5662fd79d3e1a8 (v4.1-rc7) NOTE: Not enabled in Debian kernels; staging drivers are not supported CVE-2015-4001 (Integer signedness error in the oz_hcd_get_desc_cnf function in driver ...) - linux 4.1.3-1 (unimportant) NOTE: ozwpan driver not built [wheezy] - linux (ozwpan driver not present) - linux-2.6 (ozwpan driver not present) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b1bb5b49373b61bf9d2c73a4d30058ba6f069e4c (v4.1-rc7) NOTE: https://lkml.org/lkml/2015/5/13/744 NOTE: Not enabled in Debian kernels; staging drivers are not supported CVE-2015-4000 (The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is ena ...) {DSA-3688-1 DSA-3339-1 DSA-3324-1 DSA-3316-1 DSA-3300-1 DSA-3287-1 DLA-507-1 DLA-303-1 DLA-247-1} - openssl 1.0.2b-1 - nss 2:3.19.1-1 [squeeze] - nss (no point in switching min key size so close to EOL) [experimental] - openjdk-6 6b36-1.13.8-1 - openjdk-6 - openjdk-7 7u79-2.5.6-1 - openjdk-8 8u66-b01-1 - icedove 38.1.0-1 NOTE: CVE assigned specific to vulnerability in the TLS protocol that was NOTE: disclosed in section 3.2 of the NOTE: https://weakdh.org/imperfect-forward-secrecy.pdf paper. NOTE: Some links on the status of various implementations/protocols: NOTE: IKE/IPSEC: https://nohats.ca/wordpress/blog/2015/05/20/weakdh-and-ike-ipsec/ NOTE: OpenSSL: https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ NOTE: OpenSSL 1.0.2b-1 limits it to 768 bit, future versions will increase the limit NOTE: GNUTLS: http://lists.gnutls.org/pipermail/gnutls-devel/2015-May/007597.html NOTE: NSS/iceweasel/icedove: https://www.mozilla.org/en-US/security/advisories/mfsa2015-70/ NOTE: NSS patch increasing limit to 1023 bits: https://hg.mozilla.org/projects/nss/rev/ae72d76f8d24 CVE-2015-3999 (Piriform CCleaner 3.26.0.1988 through 5.02.5101 writes the filenames t ...) NOT-FOR-US: Piriform CCleaner CVE-2015-3998 (Cross-site scripting (XSS) vulnerability in phpwhois 4.2.5, as used in ...) NOT-FOR-US: phpwhois component of adsense-click-fraud-monitoring wordpress plugin CVE-2015-3997 RESERVED CVE-2015-3996 (The default AFSecurityPolicy.validatesDomainName configuration for AFS ...) - owncloud (iOS-specific) NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-012 CVE-2015-3995 (SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticat ...) NOT-FOR-US: SAP HANA DB CVE-2015-3994 (The grant.xsfunc application in testApps/grantAccess/ in the XS Engine ...) NOT-FOR-US: SAP HANA DB CVE-2015-3993 (Actian Matrix 5.1.x through 5.1.2.4 and 5.2.x through 5.2.0.1 allows r ...) NOT-FOR-US: Actian Matrix CVE-2015-3992 RESERVED CVE-2015-3991 (strongSwan 5.2.2 and 5.3.0 allows remote attackers to cause a denial o ...) - strongswan 5.3.0-2 [jessie] - strongswan (only affects 5.2.2+ and 5.3.0+) [wheezy] - strongswan (only affects 5.2.2+ and 5.3.0+) [squeeze] - strongswan (only affects 5.2.2+ and 5.3.0+) NOTE: http://www.strongswan.org/blog/2015/06/01/strongswan-vulnerability-(cve-2015-3991).html CVE-2015-3990 (The GMS ViewPoint (GMSVP) web application in Dell Sonicwall GMS, Analy ...) NOT-FOR-US: Dell CVE-2015-3989 (Multiple cross-site scripting (XSS) vulnerabilities in concrete5 befor ...) NOT-FOR-US: concrete5 CVE-2014-9720 (Tornado before 3.2.2 sends arbitrary responses that contain a fixed CS ...) {DLA-475-1 DLA-279-1} - python-tornado 3.2.2-1 NOTE: https://github.com/tornadoweb/tornado/commit/1c36307463b1e8affae100bf9386948e6c1b2308 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=930362 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1222816 CVE-2014-9719 RESERVED CVE-2015-4026 (The pcntl_exec implementation in PHP before 5.4.41, 5.5.x before 5.5.2 ...) {DSA-3280-1 DLA-307-1} - php5 5.6.9+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=68598 NOTE: Fixed upstream in 5.4.41, 5.5.25, 5.6.9 CVE-2015-4025 (PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncat ...) {DSA-3280-1 DLA-307-1} - php5 5.6.9+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=69418 NOTE: Fixed upstream in 5.4.41, 5.5.25, 5.6.9 CVE-2015-4024 (Algorithmic complexity vulnerability in the multipart_buffer_headers f ...) {DSA-3280-1} - php5 5.6.9+dfsg-1 [squeeze] - php5 (Too intrusive to backport) NOTE: https://bugs.php.net/bug.php?id=69364 NOTE: http://www.openwall.com/lists/oss-security/2015/05/18/2 NOTE: Fixed upstream in 5.4.41, 5.5.25, 5.6.9 - hhvm 3.11.0+dfsg-1 NOTE: HHVM fix: https://github.com/facebook/hhvm/commit/6188457bd90ed2f3516e778dca8e91536d91802e CVE-2015-4022 (Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP b ...) {DSA-3280-1 DLA-307-1} - php5 5.6.9+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=69545 NOTE: http://www.openwall.com/lists/oss-security/2015/05/18/2 NOTE: Fixed upstream in 5.4.41, 5.5.25, 5.6.9 CVE-2015-4021 (The phar_parse_tarfile function in ext/phar/tar.c in PHP before 5.4.41 ...) {DSA-3280-1 DLA-307-1} - php5 5.6.9+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=69453 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=c27f012b7a447e59d4a704688971cbfa7dddaa74 NOTE: http://www.openwall.com/lists/oss-security/2015/05/17/2 and http://www.openwall.com/lists/oss-security/2015/05/18/2 NOTE: Fixed upstream in 5.4.41, 5.5.25, 5.6.9 CVE-2015-3987 (Multiple unquoted Windows search path vulnerabilities in the (1) Clien ...) NOT-FOR-US: McAfee CVE-2015-3986 (Cross-site request forgery (CSRF) vulnerability in the TheCartPress eC ...) NOT-FOR-US: TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress CVE-2015-3985 RESERVED CVE-2015-3984 RESERVED CVE-2015-3983 (The pcs daemon (pcsd) in PCS 0.9.137 and earlier does not include the ...) - pcs (Fixed before initial release to Debian) NOTE: https://github.com/feist/pcs/commit/898204596a779673c88097bbdbe2d7ed6ed0cc8b (0.9.140) CVE-2015-3982 (The session.flush function in the cached_db backend in Django 1.8.x be ...) - python-django (Only affects 1.8 and development branch) NOTE: https://www.djangoproject.com/weblog/2015/may/20/security-release/ CVE-2015-3981 (SAP NetWeaver RFC SDK allows attackers to obtain sensitive information ...) NOT-FOR-US: SAP NetWeaver CVE-2015-3980 (SQL injection vulnerability in the Business Rules Framework (CRM-BF-BR ...) NOT-FOR-US: SAP CRM CVE-2015-3979 (Unspecified vulnerability in the Business Rules Framework (CRM-BF-BRF) ...) NOT-FOR-US: SAP CRM CVE-2015-3978 (SAP Sybase Unwired Platform Online Data Proxy allows local users to ob ...) NOT-FOR-US: SAP Sybase Unwired Platform Online Data Proxy CVE-2015-3977 (Buffer overflow in Schneider Electric IMT25 Magnetic Flow DTM before 1 ...) NOT-FOR-US: Schneider Electric CVE-2015-3976 (Cross-site scripting (XSS) vulnerability in GE Multilink ML810/3000/31 ...) NOT-FOR-US: GE CVE-2015-3975 REJECTED CVE-2015-3974 (EasyIO EasyIO-30P-SF controllers with firmware before 0.5.21 and 2.x b ...) NOT-FOR-US: EasyIO EasyIO-30P-SF controllers CVE-2015-3973 (Janitza UMG 508, 509, 511, 604, and 605 devices improperly generate se ...) NOT-FOR-US: Janitza UMG devices CVE-2015-3972 (The web interface on Janitza UMG 508, 509, 511, 604, and 605 devices s ...) NOT-FOR-US: Janitza UMG devices CVE-2015-3971 (The debug interface on Janitza UMG 508, 509, 511, 604, and 605 devices ...) NOT-FOR-US: Janitza UMG devices CVE-2015-3970 (Multiple cross-site scripting (XSS) vulnerabilities in the web interfa ...) NOT-FOR-US: Janitza UMG devices CVE-2015-3969 (Janitza UMG 508, 509, 511, 604, and 605 devices allow remote attackers ...) NOT-FOR-US: Janitza UMG devices CVE-2015-3968 (The FTP service on Janitza UMG 508, 509, 511, 604, and 605 devices has ...) NOT-FOR-US: Janitza UMG devices CVE-2015-3967 (Cross-site request forgery (CSRF) vulnerability on Janitza UMG 508, 50 ...) NOT-FOR-US: Janitza UMG devices CVE-2015-3966 (The IPsec SA establishment process on Innominate mGuard devices with f ...) NOT-FOR-US: Innominate mGuard CVE-2015-3965 (Hospira Symbiq Infusion System 3.13 and earlier allows remote authenti ...) NOT-FOR-US: Hospira Symbiq Infusion System CVE-2015-3964 (SMA Solar Sunny WebBox has hardcoded passwords, which makes it easier ...) NOT-FOR-US: SMA Solar Sunny WebBox CVE-2015-3963 (Wind River VxWorks before 5.5.1, 6.5.x through 6.7.x before 6.7.1.1, 6 ...) NOT-FOR-US: Wind River VxWorks as used on Schneider Electric devices CVE-2015-3962 (Schneider Electric StruxureWare Building Expert MPM before 2.15 does n ...) NOT-FOR-US: Schneider Electric StruxureWare CVE-2015-3961 (The web-server component in MNS before 4.5.6 on Belden GarrettCom Magn ...) NOT-FOR-US: Belden GarrettCom switches CVE-2015-3960 (The firmware in MNS before 4.5.6 on Belden GarrettCom Magnum 6K and Ma ...) NOT-FOR-US: Belden GarrettCom switches CVE-2015-3959 (The firmware in MNS before 4.5.6 on Belden GarrettCom Magnum 6K and Ma ...) NOT-FOR-US: Belden GarrrettCom switches CVE-2015-3958 (Hospira LifeCare PCA Infusion System 5.0 and earlier, and possibly oth ...) NOT-FOR-US: Hospira LifeCare CVE-2015-3957 (Hospira LifeCare PCA Infusion System before 7.0 stores private keys an ...) NOT-FOR-US: Hospira LifeCare CVE-2015-3956 (Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infus ...) NOT-FOR-US: Hospira CVE-2015-3955 (Stack-based buffer overflow in Hospira LifeCare PCA Infusion System 5. ...) NOT-FOR-US: Hospira LifeCare CVE-2015-3954 (Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infus ...) NOT-FOR-US: Hospira CVE-2015-3953 (Hard-coded accounts may be used to access Hospira Plum A+ Infusion Sys ...) NOT-FOR-US: Hospira CVE-2015-3952 (Wireless keys are stored in plain text on Hospira Plum A+ Infusion Sys ...) NOT-FOR-US: Hospira CVE-2015-3951 (RLE Nova-Wind Turbine HMI devices store cleartext credentials, which a ...) NOT-FOR-US: RLE Nova-Wind Turbines CVE-2015-3950 (Cross-site request forgery (CSRF) vulnerability in XZERES 442SR OS on ...) NOT-FOR-US: XZERES 442SR (wind turbine) CVE-2015-3949 (Sinapsi eSolar Light with firmware before 2.0.3970_schsl_2.2.85 allows ...) NOT-FOR-US: Sinapsi eSolar Light CVE-2015-3948 (Cross-site scripting (XSS) vulnerability in Advantech WebAccess before ...) NOT-FOR-US: Advantech WebAccess CVE-2015-3947 (SQL injection vulnerability in Advantech WebAccess before 8.1 allows r ...) NOT-FOR-US: Advantech WebAccess CVE-2015-3946 (Cross-site request forgery (CSRF) vulnerability in Advantech WebAccess ...) NOT-FOR-US: Advantech WebAccess CVE-2015-3945 REJECTED CVE-2015-3944 REJECTED CVE-2015-3943 (Advantech WebAccess before 8.1 allows remote attackers to read sensiti ...) NOT-FOR-US: Advantech WebAccess CVE-2015-3942 (Multiple cross-site scripting (XSS) vulnerabilities in the web-server ...) NOT-FOR-US: Belden GarrettCom switches CVE-2015-3941 REJECTED CVE-2015-3940 (Untrusted search path vulnerability in Schneider Electric Wonderware S ...) NOT-FOR-US: Schneider Electric CVE-2015-3939 (Directory traversal vulnerability in the NC854 and NC856 modules for I ...) NOT-FOR-US: IDS RTU 850C devices CVE-2015-3938 (The HTTP application on Mitsubishi Electric MELSEC FX3G PLC devices be ...) NOT-FOR-US: Mitsubishi Electric MELSEC devices CVE-2015-3937 RESERVED CVE-2015-3936 RESERVED CVE-2015-3935 (Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CR ...) - dolibarr 3.5.7+dfsg1-1 (bug #787762) [jessie] - dolibarr 3.5.5+dfsg1-1+deb8u1 NOTE: https://github.com/Dolibarr/dolibarr/issues/2857 NOTE: https://github.com/GPCsolutions/dolibarr/commit/a7f6bbd316e9b96216e9b2c7a065c9251c9a8907 CVE-2015-3934 (Multiple SQL injection vulnerabilities in Fiyo CMS 2.0_1.9.1 allow rem ...) NOT-FOR-US: Fiyo CMS CVE-2015-3933 (Multiple SQL injection vulnerabilities in inc/lib/User.class.php in Me ...) NOT-FOR-US: MetalGenix GeniXCMS CVE-2015-3932 (Netlock Mokka before 2.7.8.1204 allows remote attackers to perform XML ...) NOT-FOR-US: Netlock Mokka CVE-2015-3931 (Microsec e-Szigno before 3.2.7.12 allows remote attackers to perform X ...) NOT-FOR-US: Microsec e-Szigno CVE-2015-3930 RESERVED CVE-2015-3929 RESERVED CVE-2015-3928 RESERVED CVE-2015-3927 RESERVED CVE-2015-3926 RESERVED CVE-2015-3925 RESERVED CVE-2015-3924 RESERVED CVE-2015-3923 (Coppermine Photo Gallery before 1.5.36 allows remote attackers to enum ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2015-3922 (Open redirect vulnerability in mode.php in Coppermine Photo Gallery be ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2015-3921 (Cross-site scripting (XSS) vulnerability in contact.php in Coppermine ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2015-3920 RESERVED CVE-2015-3919 REJECTED CVE-2015-3918 RESERVED CVE-2015-3917 RESERVED CVE-2015-3916 RESERVED CVE-2015-3915 RESERVED CVE-2015-3914 RESERVED CVE-2015-3913 (The IP stack in multiple Huawei Campus series switch models allows rem ...) NOT-FOR-US: Huawei CVE-2015-3912 (Huawei E355s Mobile WiFi with firmware before 22.158.45.02.625 and WEB ...) NOT-FOR-US: Huawei CVE-2015-3911 (Huawei E587 Mobile WiFi with firmware before 11.203.30.00.00 allows re ...) NOT-FOR-US: Huawei CVE-2015-3910 (Multiple unspecified vulnerabilities in Google V8 before 4.3.61.21, as ...) {DSA-3267-1} - chromium-browser 43.0.2357.65-1 [wheezy] - chromium-browser [squeeze] - chromium-browser - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2015-3909 RESERVED CVE-2015-3908 (Ansible before 1.9.2 does not verify that the server hostname matches ...) {DLA-1923-1} - ansible 1.9.2+dfsg-1 (low) NOTE: http://www.openwall.com/lists/oss-security/2015/07/14/4 NOTE: Fixed in commit https://github.com/ansible/ansible/commit/be7c59c7bbe2c7cfaad0151c42693ebd0ea4243f CVE-2015-3907 (CodeIgniter Rest Server (aka codeigniter-restserver) 2.7.1 allows XXE ...) NOT-FOR-US: CodeIgniter Rest Server CVE-2015-3906 (The logcat_dump_text function in wiretap/logcat.c in the Android Logca ...) {DSA-3277-1} - wireshark 1.12.5+g5819e5b-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Vulnerable code not present) NOTE: http://www.wireshark.org/security/wnpa-sec-2015-18.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11188 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=b3b1f7c3aa2233a147294bad833b748d38fba84d CVE-2015-3904 (Multiple cross-site scripting (XSS) vulnerabilities in roomcloud.php i ...) NOT-FOR-US: Roomcloud plugin for WordPress CVE-2015-3901 RESERVED CVE-2015-3900 (RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4 ...) - rubygems (Affects versions between 2.0 and 2.4.6) - libgems-ruby (Affects versions between 2.0 and 2.4.6) - ruby1.8 (Vulnerable code not present) - ruby1.9.1 (Bundles 1.8.23, vulnerable code introduced in later 1.9.1 versions) - ruby2.1 2.1.5-4 (bug #790119) [jessie] - ruby2.1 2.1.5-2+deb8u2 - ruby2.2 2.2.2-3 (bug #790111) - jruby 1.7.20.1-2 [jessie] - jruby (Vulnerable code introduced with 1.7.19) [wheezy] - jruby (Vulnerable code introduced with 1.7.19) [squeeze] - jruby (Vulnerable code introduced with 1.7.19) NOTE: https://github.com/rubygems/rubygems/commit/6bbee35 NOTE: https://github.com/rubygems/rubygems/commit/5c7bfb5 NOTE: http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html CVE-2015-3899 RESERVED CVE-2015-3898 (Multiple open redirect vulnerabilities in Bonita BPM Portal before 6.5 ...) NOT-FOR-US: Bonita BPM Portal CVE-2015-3897 (Directory traversal vulnerability in Bonita BPM Portal before 6.5.3 al ...) NOT-FOR-US: Bonita BPM Portal CVE-2015-3896 RESERVED CVE-2015-3895 RESERVED CVE-2015-3894 RESERVED CVE-2015-3893 RESERVED CVE-2015-3892 RESERVED CVE-2015-3891 RESERVED CVE-2015-3890 (Use-after-free vulnerability in Open Litespeed before 1.3.10. ...) NOT-FOR-US: Open Litespeed CVE-2015-3889 RESERVED CVE-2015-3888 (Jolla Sailfish OS before 1.1.2.16 allows remote attackers to spoof pho ...) NOT-FOR-US: Jolla Sailfish OS CVE-2015-3887 (Untrusted search path vulnerability in ProxyChains-NG before 4.9 allow ...) NOT-FOR-US: proxychains-ng NOTE: proxychains does not contain the vulnerable code CVE-2015-3884 (Unrestricted file upload vulnerability in the (1) myAccount, (2) proje ...) NOT-FOR-US: qdPM CVE-2015-3883 (Multiple cross-site scripting (XSS) vulnerabilities in qdPM 8.3 allow ...) NOT-FOR-US: qdPM CVE-2015-3882 (qdPM 8.3 allows remote attackers to obtain sensitive information via i ...) NOT-FOR-US: qdPM CVE-2015-3881 (Information disclosure issue in qdPM 8.3 allows remote attackers to ob ...) NOT-FOR-US: qdPM CVE-2015-3879 (Media Player Framework in Android before 5.1.1 LMY48T allows attackers ...) NOT-FOR-US: Media Player Framework in Android CVE-2015-3878 (Media Projection in Android 5.x before 5.1.1 LMY48T and 6.0 before 201 ...) NOT-FOR-US: Media Projection in Android CVE-2015-3877 (Skia, as used in Android before 5.1.1 LMY48T, allows remote attackers ...) NOT-FOR-US: Skia, as used in Android CVE-2015-3876 (libstagefright in Android through 5.1.1 LMY48M allows remote attackers ...) NOT-FOR-US: libstagefright in Android CVE-2015-3875 (libutils in Android before 5.1.1 LMY48T allows remote attackers to exe ...) - android-platform-frameworks-native (unimportant; bug #806375) CVE-2015-3874 (The Sonivox components in Android before 5.1.1 LMY48T allow remote att ...) NOT-FOR-US: The Sonivox components in Android CVE-2015-3873 (libstagefright in Android before 5.1.1 LMY48T allows remote attackers ...) NOT-FOR-US: libstagefright in Android CVE-2015-3872 (libstagefright in Android before 5.1.1 LMY48T allows remote attackers ...) NOT-FOR-US: libstagefright in Android CVE-2015-3871 (libstagefright in Android before 5.1.1 LMY48T allows remote attackers ...) NOT-FOR-US: libstagefright in Android CVE-2015-3870 (libstagefright in Android before 5.1.1 LMY48T allows remote attackers ...) NOT-FOR-US: libstagefright in Android CVE-2015-3869 (libstagefright in Android before 5.1.1 LMY48T allows remote attackers ...) NOT-FOR-US: libstagefright in Android CVE-2015-3868 (libstagefright in Android before 5.1.1 LMY48T allows remote attackers ...) NOT-FOR-US: libstagefright in Android CVE-2015-3867 (libstagefright in Android before 5.1.1 LMY48T allows remote attackers ...) NOT-FOR-US: libstagefright in Android CVE-2015-3866 RESERVED CVE-2015-3865 (The Runtime subsystem in Android before 5.1.1 LMY48T allows attackers ...) NOT-FOR-US: The Runtime subsystem in Android CVE-2015-3864 (Integer underflow in the MPEG4Extractor::parseChunk function in MPEG4E ...) NOT-FOR-US: libstagefright in mediaserver in Android CVE-2015-3863 (Multiple integer overflows in the Blob class in keystore/keystore.cpp ...) NOT-FOR-US: Keystore in Android CVE-2015-3862 (mediaserver in Android before 5.1.1 LMY48T allows attackers to cause a ...) NOT-FOR-US: mediaserver in Android CVE-2015-3861 (Multiple integer overflows in the addVorbisCodecInfo function in matro ...) NOT-FOR-US: libstagefright in mediaserver in Android CVE-2015-3860 (packages/Keyguard/res/layout/keyguard_password_view.xml in Lockscreen ...) NOT-FOR-US: Lockscreen in Android CVE-2015-3859 RESERVED CVE-2015-3858 (The checkDestination function in internal/telephony/SMSDispatcher.java ...) NOT-FOR-US: Android CVE-2015-3857 RESERVED CVE-2015-3856 RESERVED CVE-2015-3855 RESERVED CVE-2015-3854 (packages/SystemUI/src/com/android/systemui/power/PowerNotificationWarn ...) NOT-FOR-US: Android CVE-2015-3853 RESERVED CVE-2015-3852 RESERVED CVE-2015-3851 RESERVED CVE-2015-3850 RESERVED CVE-2015-3849 (The Region_createFromParcel function in core/jni/android/graphics/Regi ...) NOT-FOR-US: Region in Android CVE-2015-3848 RESERVED CVE-2015-3847 (Bluetooth in Android before 5.1.1 LMY48T allows attackers to remove st ...) NOT-FOR-US: Bluetooth in Android CVE-2015-3846 RESERVED CVE-2015-3845 (The Parcel::appendFrom function in libs/binder/Parcel.cpp in Binder in ...) NOT-FOR-US: Binder in Android CVE-2015-3844 (The getProcessRecordLocked method in services/core/java/com/android/se ...) NOT-FOR-US: ActivityManager in Android CVE-2015-3843 (The SIM Toolkit (STK) framework in Android before 5.1.1 LMY48I allows ...) NOT-FOR-US: SIM Toolkit (STK) framework in Android CVE-2015-3842 (Multiple heap-based buffer overflows in libeffects in the Audio Policy ...) NOT-FOR-US: Android CVE-2015-3841 RESERVED CVE-2015-3840 (The MessageStatusReceiver service in the AndroidManifest.XML in Androi ...) NOT-FOR-US: MessageStatusReceiver in Android CVE-2015-3839 (The updateMessageStatus function in Android 5.1.1 and earlier allows l ...) NOT-FOR-US: Android CVE-2015-3838 RESERVED CVE-2015-3837 (The OpenSSLX509Certificate class in org/conscrypt/OpenSSLX509Certifica ...) NOT-FOR-US: Android CVE-2015-3836 (The Parse_wave function in arm-wt-22k/lib_src/eas_mdls.c in the Sonivo ...) NOT-FOR-US: Sonivox DLS-to-EAS converter in Android CVE-2015-3835 (Buffer overflow in the OMXNodeInstance::emptyBuffer function in omx/OM ...) NOT-FOR-US: libstagefright in Android CVE-2015-3834 (Multiple integer overflows in the BnHDCP::onTransact function in media ...) NOT-FOR-US: libstagefright in Android CVE-2015-3833 (The getRunningAppProcesses function in services/core/java/com/android/ ...) NOT-FOR-US: Android CVE-2015-3832 (Multiple buffer overflows in MPEG4Extractor.cpp in libstagefright in A ...) NOT-FOR-US: libstagefright in Android CVE-2015-3831 (Buffer overflow in the readAt function in BpMediaHTTPConnection in med ...) NOT-FOR-US: mediaserver service in Android CVE-2015-3830 (The stock Android browser address bar in all Android operating systems ...) NOT-FOR-US: Android CVE-2015-3829 (Off-by-one error in the MPEG4Extractor::parseChunk function in MPEG4Ex ...) NOT-FOR-US: libstagefright in Android CVE-2015-3828 (The MPEG4Extractor::parse3GPPMetaData function in MPEG4Extractor.cpp i ...) NOT-FOR-US: libstagefright in Android CVE-2015-3827 (The MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libst ...) NOT-FOR-US: libstagefright in Android CVE-2015-3826 (The MPEG4Extractor::parse3GPPMetaData function in MPEG4Extractor.cpp i ...) NOT-FOR-US: libstagefright in Android CVE-2015-3825 REJECTED CVE-2015-3824 (The MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libst ...) NOT-FOR-US: libstagefright in Android CVE-2015-3823 (libstagefright in Android before 5.1.1 LMY48T allows remote attackers ...) NOT-FOR-US: libstagefright in Android CVE-2015-3822 RESERVED CVE-2015-3821 RESERVED CVE-2015-3820 RESERVED CVE-2015-3819 RESERVED CVE-2015-3818 RESERVED CVE-2015-3817 RESERVED CVE-2015-3816 RESERVED CVE-2015-3903 (libraries/Config.class.php in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x ...) {DSA-3382-1} - phpmyadmin 4:4.4.6.1-1 (unimportant) [wheezy] - phpmyadmin (Vulnerable code not present) [squeeze] - phpmyadmin (Vulnerable code not present) CVE-2015-3902 (Multiple cross-site request forgery (CSRF) vulnerabilities in the setu ...) {DSA-3382-1 DLA-336-1} - phpmyadmin 4:4.4.6.1-1 (unimportant) CVE-2015-4036 (Array index error in the tcm_vhost_make_tpg function in drivers/vhost/ ...) - linux 3.16.7-ckt9-1 [wheezy] - linux (Vulnerable code not present) - linux-2.6 [squeeze] - linux-2.6 (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=59c816c1f24df0204e01851431d3bab3eb76719c (v4.0-rc1) NOTE: http://www.openwall.com/lists/oss-security/2015/05/13/4 CVE-2015-3988 (Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashb ...) - horizon 2015.1.0-2 (bug #786741) [jessie] - horizon (Vulnerable code not present) [wheezy] - horizon (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2015/05/12/9 CVE-2015-3886 (libinfinity before 0.6.6-1 does not validate expired SSL certificates, ...) - libinfinity 0.6.6-1 (bug #783601) [jessie] - libinfinity 0.6.6-1~deb8u1 [wheezy] - libinfinity (vulnerable code not present) [squeeze] - libinfinity (vulnerable code not present) NOTE: https://github.com/gobby/libinfinity/commit/c97f870f5ae13112988d9f8ad464b4f679903706 NOTE: https://github.com/gobby/gobby/issues/61 NOTE: http://www.openwall.com/lists/oss-security/2015/05/12/1 CVE-2015-3815 (The detect_version function in wiretap/logcat.c in the Android Logcat ...) {DSA-3277-1} - wireshark 1.12.5+g5819e5b-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-18.html CVE-2015-3814 (The (1) dissect_tfs_request and (2) dissect_tfs_response functions in ...) {DSA-3277-1} - wireshark 1.12.5+g5819e5b-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-17.html CVE-2015-3813 (The fragment_add_work function in epan/reassemble.c in the packet-reas ...) {DSA-3277-1} - wireshark 1.12.5+g5819e5b-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-16.html CVE-2015-3812 (Multiple memory leaks in the x11_init_protocol function in epan/dissec ...) {DSA-3277-1} - wireshark 1.12.5+g5819e5b-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-15.html CVE-2015-3811 (epan/dissectors/packet-wcp.c in the WCP dissector in Wireshark 1.10.x ...) {DSA-3277-1 DLA-241-1} - wireshark 1.12.5+g5819e5b-1 [wheezy] - wireshark 1.8.2-5wheezy16 NOTE: add fixed version for wheezy directly in CVE list since CVE-2015-3811 the only fixed in DSA-3277-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2015-14.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10978 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=a6fc6aa0b4efc1a1c3d7a2e3b5189e888fb6ccc2 CVE-2015-3810 (epan/dissectors/packet-websocket.c in the WebSocket dissector in Wires ...) {DSA-3277-1} - wireshark 1.12.5+g5819e5b-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-13.html CVE-2015-3809 (The dissect_lbmr_pser function in epan/dissectors/packet-lbmr.c in the ...) {DSA-3277-1} - wireshark 1.12.5+g5819e5b-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11036 NOTE: https://www.wireshark.org/security/wnpa-sec-2015-12.html CVE-2015-3808 (The dissect_lbmr_pser function in epan/dissectors/packet-lbmr.c in the ...) {DSA-3277-1} - wireshark 1.12.5+g5819e5b-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11036 NOTE: https://www.wireshark.org/security/wnpa-sec-2015-12.html CVE-2015-3807 (libxml2 in Apple iOS before 8.4.1 and OS X before 10.10.5 allows remot ...) NOT-FOR-US: Apple CVE-2015-3806 (Apple iOS before 8.4.1 and OS X before 10.10.5 allow local users to by ...) NOT-FOR-US: Apple CVE-2015-3805 (Apple iOS before 8.4.1 and OS X before 10.10.5 allow local users to by ...) NOT-FOR-US: Apple OS X CVE-2015-3804 (FontParser in Apple iOS before 8.4.1 and OS X before 10.10.5 allows re ...) NOT-FOR-US: Apple CVE-2015-3803 (Apple iOS before 8.4.1 and OS X before 10.10.5 allow local users to by ...) NOT-FOR-US: Apple OS X CVE-2015-3802 (Apple iOS before 8.4.1 and OS X before 10.10.5 allow local users to by ...) NOT-FOR-US: Apple OS X CVE-2015-3801 (The document.cookie API implementation in the CFNetwork Cookies subsys ...) NOT-FOR-US: Apple CVE-2015-3800 (The DiskImages component in Apple iOS before 8.4.1 and OS X before 10. ...) NOT-FOR-US: Apple OS X CVE-2015-3799 (The Apple ID OD plug-in in Apple OS X before 10.10.5 allows attackers ...) NOT-FOR-US: Apple OS X CVE-2015-3798 (The TRE library in Libc in Apple iOS before 8.4.1 and OS X before 10.1 ...) NOT-FOR-US: Apple CVE-2015-3797 (The TRE library in Libc in Apple iOS before 8.4.1 and OS X before 10.1 ...) NOT-FOR-US: Apple CVE-2015-3796 (The TRE library in Libc in Apple iOS before 8.4.1 and OS X before 10.1 ...) NOT-FOR-US: Apple CVE-2015-3795 (libxpc in Apple iOS before 8.4.1 and OS X before 10.10.5 allows attack ...) NOT-FOR-US: Apple CVE-2015-3794 (The Speech UI in Apple OS X before 10.10.5, when speech alerts are ena ...) NOT-FOR-US: Apple OS X CVE-2015-3793 (CFPreferences in Apple iOS before 8.4.1 allows attackers to bypass the ...) NOT-FOR-US: Apple OS X CVE-2015-3792 (QuickTime 7 in Apple OS X before 10.10.5 allows remote attackers to ex ...) NOT-FOR-US: QuickTime CVE-2015-3791 (QuickTime 7 in Apple OS X before 10.10.5 allows remote attackers to ex ...) NOT-FOR-US: QuickTime CVE-2015-3790 (QuickTime 7 in Apple OS X before 10.10.5 allows remote attackers to ex ...) NOT-FOR-US: QuickTime CVE-2015-3789 (QuickTime 7 in Apple OS X before 10.10.5 allows remote attackers to ex ...) NOT-FOR-US: QuickTime CVE-2015-3788 (QuickTime 7 in Apple OS X before 10.10.5 allows remote attackers to ex ...) NOT-FOR-US: QuickTime CVE-2015-3787 (The Bluetooth subsystem in Apple OS X before 10.10.5 allows remote att ...) NOT-FOR-US: Apple OS X CVE-2015-3786 (The Bluetooth subsystem in Apple OS X before 10.10.5 does not properly ...) NOT-FOR-US: Apple OS X CVE-2015-3785 (The Telephony component in Apple OS X before 10.11, when the Continuit ...) NOT-FOR-US: Apple CVE-2015-3784 (Office Viewer in Apple iOS before 8.4.1 and OS X before 10.10.5 allows ...) NOT-FOR-US: Apple OS X CVE-2015-3783 (SceneKit in Apple OS X before 10.10.5 allows remote attackers to execu ...) NOT-FOR-US: Apple OS X CVE-2015-3782 (CloudKit in Apple iOS before 8.4.1 and OS X before 10.10.5 allows atta ...) NOT-FOR-US: Apple OS X CVE-2015-3781 (Cross-site scripting (XSS) vulnerability in Quick Look in Apple OS X b ...) NOT-FOR-US: Apple OS X CVE-2015-3780 (The Bluetooth subsystem in Apple OS X before 10.10.5 allows attackers ...) NOT-FOR-US: Apple OS X CVE-2015-3779 (QuickTime 7 in Apple OS X before 10.10.5 allows remote attackers to ex ...) NOT-FOR-US: QuickTime CVE-2015-3778 (bootp in Apple iOS before 8.4.1 and OS X before 10.10.5 allows remote ...) NOT-FOR-US: Apple CVE-2015-3777 (Multiple buffer overflows in blued in the Bluetooth subsystem in Apple ...) NOT-FOR-US: Apple OS X CVE-2015-3776 (IOKit in Apple iOS before 8.4.1 and OS X before 10.10.5 allows attacke ...) NOT-FOR-US: Apple OS X CVE-2015-3775 (Apple OS X before 10.10.5 does not properly implement authentication, ...) NOT-FOR-US: Apple OS X CVE-2015-3774 (The Dictionary app in Apple OS X before 10.10.5 does not use HTTPS, wh ...) NOT-FOR-US: Apple OS X CVE-2015-3773 (The SMB client in Apple OS X before 10.10.5 allows remote attackers to ...) NOT-FOR-US: Apple OS X CVE-2015-3772 (IOFireWireFamily in Apple OS X before 10.10.5 allows local users to ga ...) NOT-FOR-US: Apple OS X CVE-2015-3771 (IOFireWireFamily in Apple OS X before 10.10.5 allows local users to ga ...) NOT-FOR-US: Apple OS X CVE-2015-3770 (IOGraphics in Apple OS X before 10.10.5 allows attackers to execute ar ...) NOT-FOR-US: Apple OS X CVE-2015-3769 (IOFireWireFamily in Apple OS X before 10.10.5 allows local users to ga ...) NOT-FOR-US: Apple OS X CVE-2015-3768 (Integer overflow in the kernel in Apple iOS before 8.4.1 and OS X befo ...) NOT-FOR-US: Apple OS X CVE-2015-3767 (udf in Apple OS X before 10.10.5 allows local users to gain privileges ...) NOT-FOR-US: Apple CVE-2015-3766 (The kernel in Apple iOS before 8.4.1 and OS X before 10.10.5 does not ...) NOT-FOR-US: Apple OS X CVE-2015-3765 (QuickTime 7 in Apple OS X before 10.10.5 allows remote attackers to ex ...) NOT-FOR-US: Apple CVE-2015-3764 (Notification Center in Apple OS X before 10.10.5 does not properly rem ...) NOT-FOR-US: QuickTime CVE-2015-3763 (Safari in Apple iOS before 8.4.1 does not limit the rate of JavaScript ...) NOT-FOR-US: Safari CVE-2015-3762 (The Text Formats component in Apple OS X before 10.10.5, as used in Te ...) NOT-FOR-US: Apple OS X CVE-2015-3761 (The kernel in Apple OS X before 10.10.5 does not properly validate pat ...) NOT-FOR-US: Apple OS X CVE-2015-3760 (dyld in Apple OS X before 10.10.5 does not properly validate pathnames ...) NOT-FOR-US: Apple OS X CVE-2015-3759 (Location Framework in Apple iOS before 8.4.1 allows local users to byp ...) NOT-FOR-US: Apple OS X CVE-2015-3758 (UIKit WebView in Apple iOS before 8.4.1 allows attackers to bypass an ...) NOT-FOR-US: Apple OS X CVE-2015-3757 (Apple OS X before 10.10.5 does not properly restrict access to the Dat ...) NOT-FOR-US: Apple OS X CVE-2015-3756 (The Certificate UI in Apple iOS before 8.4.1 does not prevent X.509 ce ...) NOT-FOR-US: Apple OS X CVE-2015-3755 (WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before ...) NOT-FOR-US: Safari CVE-2015-3754 (The private-browsing implementation in WebKit in Apple Safari before 6 ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-3753 (WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-3752 (The Content Security Policy implementation in WebKit in Apple Safari b ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-3751 (WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-3750 (WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-3749 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-3748 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-3747 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-3746 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-3745 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-3744 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-3743 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-3742 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-3741 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-3740 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-3739 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-3738 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-3737 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-3736 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-3735 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-3734 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-3733 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-3732 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-3731 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-3730 (WebKit, as used in Apple iOS before 8.4.1 and Safari before 6.2.8, 7.x ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-3729 (Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as ...) NOT-FOR-US: Apple CVE-2015-3728 (The WiFi Connectivity feature in Apple iOS before 8.4 allows remote Wi ...) NOT-FOR-US: Apple iOS CVE-2015-3727 (WebKit in Apple Safari before 6.2.7, 7.x before 7.1.7, and 8.x before ...) NOT-FOR-US: Apple Safari CVE-2015-3726 (The Telephony subsystem in Apple iOS before 8.4 allows physically prox ...) NOT-FOR-US: Apple iOS CVE-2015-3725 (MobileInstallation in Apple iOS before 8.4 does not ensure the uniquen ...) NOT-FOR-US: Apple iOS CVE-2015-3724 (CoreGraphics in Apple iOS before 8.4 allows remote attackers to execut ...) NOT-FOR-US: Apple iOS CVE-2015-3723 (CoreGraphics in Apple iOS before 8.4 allows remote attackers to execut ...) NOT-FOR-US: Apple iOS CVE-2015-3722 (Application Store in Apple iOS before 8.4 does not ensure the uniquene ...) NOT-FOR-US: Apple iOS CVE-2015-3721 (The kernel in Apple iOS before 8.4 and OS X before 10.10.4 does not pr ...) NOT-FOR-US: Apple iOS CVE-2015-3720 (The kernel in Apple OS X before 10.10.4 does not properly manage memor ...) NOT-FOR-US: Apple OS X CVE-2015-3719 (TrueTypeScaler in FontParser in Apple iOS before 8.4 and OS X before 1 ...) NOT-FOR-US: Apple iOS and Apple OS X CVE-2015-3718 (systemstatsd in the System Stats subsystem in Apple OS X before 10.10. ...) NOT-FOR-US: Apple OS X CVE-2015-3717 (Multiple buffer overflows in the printf functionality in SQLite, as us ...) NOT-FOR-US: sqlite as shipped in iOS NOTE: Fix for sqlite in iOS, upstream doesn't know whether it affects the standard NOTE: code base, but Apple would probably have submitted a patch if that were the case NOTE: sqlite-dev thread: https://groups.google.com/forum/#!topic/sqlite-dev/U7OjAbZO6LA CVE-2015-3716 (Spotlight in Apple OS X before 10.10.4 allows attackers to execute arb ...) NOT-FOR-US: Apple OS X CVE-2015-3715 (The code-signing implementation in Apple OS X before 10.10.4 does not ...) NOT-FOR-US: Apple OS X CVE-2015-3714 (Apple OS X before 10.10.4 does not properly consider custom resource r ...) NOT-FOR-US: Apple OS X CVE-2015-3713 (QuickTime in Apple OS X before 10.10.4 allows remote attackers to exec ...) NOT-FOR-US: Apple OS X CVE-2015-3712 (The NVIDIA graphics driver in Apple OS X before 10.10.4 allows attacke ...) NOT-FOR-US: Apple OS X CVE-2015-3711 (The NTFS implementation in Apple OS X before 10.10.4 allows attackers ...) NOT-FOR-US: Apple OS X CVE-2015-3710 (Mail in Apple iOS before 8.4 and OS X before 10.10.4 allows remote att ...) NOT-FOR-US: Apple OS X CVE-2015-3709 (Race condition in kext tools in Apple OS X before 10.10.4 allows local ...) NOT-FOR-US: Apple OS X CVE-2015-3708 (kextd in kext tools in Apple OS X before 10.10.4 allows attackers to w ...) NOT-FOR-US: Apple OS X CVE-2015-3707 (The FireWire driver in IOFireWireFamily in Apple OS X before 10.10.4 a ...) NOT-FOR-US: Apple OS X CVE-2015-3706 (IOAcceleratorFamily in Apple OS X before 10.10.4 allows attackers to e ...) NOT-FOR-US: Apple OS X CVE-2015-3705 (IOAcceleratorFamily in Apple OS X before 10.10.4 allows attackers to e ...) NOT-FOR-US: Apple OS X CVE-2015-3704 (runner in Install.framework in the Install Framework Legacy subsystem ...) NOT-FOR-US: Apple OS X CVE-2015-3703 (ImageIO in Apple iOS before 8.4 and OS X before 10.10.4 allows remote ...) NOT-FOR-US: Apple iOS and Apple OS X CVE-2015-3702 (Buffer overflow in the Intel Graphics Driver in Apple OS X before 10.1 ...) NOT-FOR-US: Apple OS X CVE-2015-3701 (Buffer overflow in the Intel Graphics Driver in Apple OS X before 10.1 ...) NOT-FOR-US: Apple OS X CVE-2015-3700 (Buffer overflow in the Intel Graphics Driver in Apple OS X before 10.1 ...) NOT-FOR-US: Apple OS X CVE-2015-3699 (Buffer overflow in the Intel Graphics Driver in Apple OS X before 10.1 ...) NOT-FOR-US: Apple OS X CVE-2015-3698 (Buffer overflow in the Intel Graphics Driver in Apple OS X before 10.1 ...) NOT-FOR-US: Apple OS X CVE-2015-3697 (Buffer overflow in the Intel Graphics Driver in Apple OS X before 10.1 ...) NOT-FOR-US: Apple OS X CVE-2015-3696 (Buffer overflow in the Intel Graphics Driver in Apple OS X before 10.1 ...) NOT-FOR-US: Apple OS X CVE-2015-3695 (Buffer overflow in the Intel Graphics Driver in Apple OS X before 10.1 ...) NOT-FOR-US: Apple OS X CVE-2015-3694 (FontParser in Apple iOS before 8.4 and OS X before 10.10.4 allows remo ...) NOT-FOR-US: Apple iOS and Apple OS X CVE-2015-3693 (Apple Mac EFI before 2015-001, as used in OS X before 10.10.4 and othe ...) NOT-FOR-US: Apple OS X CVE-2015-3692 (Apple Mac EFI before 2015-001, as used in OS X before 10.10.4 and othe ...) NOT-FOR-US: Apple OS X CVE-2015-3691 (The Monitor Control Command Set kernel extension in the Display Driver ...) NOT-FOR-US: Apple OS X CVE-2015-3690 (The DiskImages subsystem in Apple iOS before 8.4 and OS X before 10.10 ...) NOT-FOR-US: Apple iOS and Apple OS X CVE-2015-3689 (CoreText in Apple iOS before 8.4 and OS X before 10.10.4 allows remote ...) NOT-FOR-US: Apple iOS and Apple OS X CVE-2015-3688 (CoreText in Apple iOS before 8.4 and OS X before 10.10.4 allows remote ...) NOT-FOR-US: Apple iOS and Apple OS X CVE-2015-3687 (CoreText in Apple iOS before 8.4 and OS X before 10.10.4 allows remote ...) NOT-FOR-US: Apple iOS and Apple OS X CVE-2015-3686 (CoreText in Apple iOS before 8.4 and OS X before 10.10.4 allows remote ...) NOT-FOR-US: Apple iOS and Apple OS X CVE-2015-3685 (CoreText in Apple iOS before 8.4 and OS X before 10.10.4 allows remote ...) NOT-FOR-US: Apple iOS and Apple OS X CVE-2015-3684 (The HTTPAuthentication implementation in CFNetwork in Apple iOS before ...) NOT-FOR-US: Apple iOS and Apple OS X CVE-2015-3683 (The Bluetooth HCI interface implementation in Apple OS X before 10.10. ...) NOT-FOR-US: Apple OS X CVE-2015-3682 (Apple Type Services (ATS) in Apple OS X before 10.10.4 allows remote a ...) NOT-FOR-US: Apple OS X CVE-2015-3681 (Apple Type Services (ATS) in Apple OS X before 10.10.4 allows remote a ...) NOT-FOR-US: Apple OS X CVE-2015-3680 (Apple Type Services (ATS) in Apple OS X before 10.10.4 allows remote a ...) NOT-FOR-US: Apple OS X CVE-2015-3679 (Apple Type Services (ATS) in Apple OS X before 10.10.4 allows remote a ...) NOT-FOR-US: Apple OS X CVE-2015-3678 (AppleThunderboltEDMService in Apple OS X before 10.10.4 allows local u ...) NOT-FOR-US: Apple OS X CVE-2015-3677 (The LZVN compression feature in AppleFSCompression in Apple OS X befor ...) NOT-FOR-US: Apple OS X CVE-2015-3676 (AppleGraphicsControl in Apple OS X before 10.10.4 allows attackers to ...) NOT-FOR-US: Apple OS X CVE-2015-3675 (The default configuration of the Apache HTTP Server on Apple OS X befo ...) - apache2 (default configuration on Apple OS X) CVE-2015-3674 (afpserver in Apple OS X before 10.10.4 allows remote attackers to exec ...) NOT-FOR-US: Apple OS X CVE-2015-3673 (Admin Framework in Apple OS X before 10.10.4 does not properly restric ...) NOT-FOR-US: Apple OS X CVE-2015-3672 (Admin Framework in Apple OS X before 10.10.4 does not properly handle ...) NOT-FOR-US: Apple OS X CVE-2015-3671 (Admin Framework in Apple OS X before 10.10.4 does not properly verify ...) NOT-FOR-US: Apple OS X CVE-2015-3670 REJECTED CVE-2015-3669 (QT Media Foundation in Apple QuickTime before 7.7.7 allows remote atta ...) NOT-FOR-US: Apple QuickTime CVE-2015-3668 (QT Media Foundation in Apple QuickTime before 7.7.7, as used in OS X b ...) NOT-FOR-US: Apple QuickTime CVE-2015-3667 (QT Media Foundation in Apple QuickTime before 7.7.7, as used in OS X b ...) NOT-FOR-US: Apple QuickTime CVE-2015-3666 (QT Media Foundation in Apple QuickTime before 7.7.7, as used in OS X b ...) NOT-FOR-US: Apple QuickTime CVE-2015-3665 (QT Media Foundation in Apple QuickTime before 7.7.7 allows remote atta ...) NOT-FOR-US: Apple QuickTime CVE-2015-3664 (QT Media Foundation in Apple QuickTime before 7.7.7 allows remote atta ...) NOT-FOR-US: Apple QuickTime CVE-2015-3663 (QT Media Foundation in Apple QuickTime before 7.7.7, as used in OS X b ...) NOT-FOR-US: Apple QuickTime CVE-2015-3662 (QT Media Foundation in Apple QuickTime before 7.7.7, as used in OS X b ...) NOT-FOR-US: Apple QuickTime CVE-2015-3661 (QT Media Foundation in Apple QuickTime before 7.7.7, as used in OS X b ...) NOT-FOR-US: Apple QuickTime CVE-2015-3660 (Cross-site scripting (XSS) vulnerability in the PDF functionality in W ...) NOT-FOR-US: Apple WebKit CVE-2015-3659 (The SQLite authorizer in the Storage functionality in WebKit in Apple ...) NOT-FOR-US: Apple WebKit CVE-2015-3658 (The Page Loading functionality in WebKit in Apple Safari before 6.2.7, ...) NOT-FOR-US: Apple WebKit CVE-2015-3657 (Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before ...) NOT-FOR-US: Aruba Networks ClearPass Policy Manager CVE-2015-3656 (Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before ...) NOT-FOR-US: Aruba Networks ClearPass Policy Manager CVE-2015-3655 (Cross-site request forgery (CSRF) vulnerability in Aruba Networks Clea ...) NOT-FOR-US: Aruba Networks ClearPass Policy Manager CVE-2015-3654 (Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before ...) NOT-FOR-US: Aruba Networks ClearPass Policy Manager CVE-2015-3653 (Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before ...) NOT-FOR-US: Aruba Networks ClearPass Policy Manager CVE-2015-3652 RESERVED CVE-2015-3651 RESERVED CVE-2015-3650 (vmware-vmx.exe in VMware Workstation 7.x through 10.x before 10.0.7 an ...) NOT-FOR-US: VMware CVE-2015-3649 (The open-uri-cached rubygem allows local users to execute arbitrary Ru ...) NOT-FOR-US: open-uri-cached rubygem CVE-2015-3648 (Directory traversal vulnerability in pages/setup.php in Montala Limite ...) NOT-FOR-US: ResourceSpace CVE-2015-3647 (Multiple cross-site scripting (XSS) vulnerabilities in wppa-ajax-front ...) NOT-FOR-US: WP Photo Album Plus (aka WPPA) plugin for WordPress CVE-2015-3645 RESERVED CVE-2015-3644 (Stunnel 5.00 through 5.13, when using the redirect option, does not re ...) {DSA-3299-1} - stunnel4 3:5.18-1 (bug #785352) [wheezy] - stunnel4 (Affects 5.00 through 5.13 with specfic configurations) [squeeze] - stunnel4 (Affects 5.00 through 5.13 with specfic configurations) NOTE: https://www.stunnel.org/CVE-2015-3644.html CVE-2015-3885 (Integer overflow in the ljpeg_start function in dcraw 7.00 and earlier ...) {DSA-3692-1 DLA-243-1 DLA-228-1} - dcraw 9.26-1 (bug #785019) [jessie] - dcraw (Minor issue) [wheezy] - dcraw (Minor issue) [squeeze] - dcraw (Minor issue) - ufraw 0.20-3 (bug #786783) [jessie] - ufraw 0.20-2+deb8u1 [wheezy] - ufraw (Minor issue) [squeeze] - ufraw (Minor issue) - libraw 0.16.2-1 (bug #786788) [jessie] - libraw 0.16.0-9+deb8u1 [wheezy] - libraw 0.14.6-2+deb7u1 [squeeze] - libraw (Minor issue) - rawtherapee 4.2-2 [jessie] - rawtherapee 4.2-1+deb8u1 [wheezy] - rawtherapee 4.0.9-4+deb7u1 [squeeze] - rawtherapee (Minor issue) - rawstudio [wheezy] - rawstudio (Minor issue) [squeeze] - rawstudio (Minor issue) - xbmc 2:13.2+dfsg1-5 (bug #786688) [jessie] - xbmc (Minor issue) [wheezy] - xbmc (Minor issue) - kodi 16.0+dfsg1-1 (bug #792299) - exactimage 0.9.1-5 (bug #786785) [jessie] - exactimage 0.8.9-7+deb8u1 [wheezy] - exactimage 0.8.5-5+deb7u4 [squeeze] - exactimage (Minor issue) - freeimage 3.15.4-6 (bug #786790) [wheezy] - freeimage (Minor issue) [squeeze] - freeimage (Minor issue) - darktable 1.6.7-1 (bug #786792) [jessie] - darktable 1.4.2-1+deb8u1 [wheezy] - darktable (Minor issue) NOTE: http://www.ocert.org/advisories/ocert-2015-006.html NOTE: https://codesearch.debian.net/results/int%20CLASS%20ljpeg_start NOTE: Starting with 2:13.2+dfsg1-5 xbmc is a transitional package CVE-2015-3880 (Open redirect vulnerability in phpBB before 3.0.14 and 3.1.x before 3. ...) - phpbb3 3.0.14-1 [jessie] - phpbb3 3.0.12-5+deb8u1 [wheezy] - phpbb3 3.0.10-4+deb7u3 [squeeze] - phpbb3 (Minor issue) NOTE: https://wiki.phpbb.com/Release_Highlights/3.0.14 NOTE: Patch: https://github.com/phpbb/phpbb/commit/1a3350619f428d9d69d196c52128727e27ef2f04 NOTE: http://www.openwall.com/lists/oss-security/2015/05/12/2 CVE-2015-XXXX [pdf2djvu: insecure use of /tmp when executing c44] - pdf2djvu 0.7.21-1 (bug #784889) [jessie] - pdf2djvu 0.7.17-4+deb8u1 [wheezy] - pdf2djvu 0.7.12-2+deb7u1 [squeeze] - pdf2djvu (Minor issue) NOTE: https://bitbucket.org/jwilk/pdf2djvu/issue/103 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/05/09/7 CVE-2015-XXXX [didjvu: insecure use of /tmp when executing c44] - didjvu 0.4-1 (bug #784888) [jessie] - didjvu 0.2.8-1+deb8u1 [wheezy] - didjvu 0.2.3-2+deb7u1 NOTE: https://bitbucket.org/jwilk/didjvu/issue/8 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/05/09/7 CVE-2015-4146 (The EAP-pwd peer implementation in hostapd and wpa_supplicant 1.0 thro ...) {DSA-3397-1} - wpa 2.3-2.2 (bug #787371) [wheezy] - wpa (Vulnerable code introduced later) NOTE: support for fragmentation added in https://w1.fi/cgit/hostap/commit/?id=5ea93947ca67ba83529798b806a15b247cdb2e93 - wpasupplicant (v1.0-v2.4 with CONFIG_EAP_PWD=y) - hostapd (v1.0-v2.4 with CONFIG_EAP_PWD=y) NOTE: http://w1.fi/security/2015-4/ NOTE: http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt NOTE: http://w1.fi/security/2015-4/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch NOTE: http://www.openwall.com/lists/oss-security/2015/05/07/5 CVE-2015-4145 (The EAP-pwd server and peer implementation in hostapd and wpa_supplica ...) {DSA-3397-1} - wpa 2.3-2.2 (bug #787371) [wheezy] - wpa (Vulnerable code introduced later) NOTE: support for fragmentation added in https://w1.fi/cgit/hostap/commit/?id=5ea93947ca67ba83529798b806a15b247cdb2e93 - wpasupplicant (v1.0-v2.4 with CONFIG_EAP_PWD=y) - hostapd (v1.0-v2.4 with CONFIG_EAP_PWD=y) NOTE: http://w1.fi/security/2015-4/ NOTE: http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt NOTE: http://w1.fi/security/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch NOTE: http://w1.fi/security/2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch NOTE: http://www.openwall.com/lists/oss-security/2015/05/07/5 CVE-2015-4144 (The EAP-pwd server and peer implementation in hostapd and wpa_supplica ...) {DSA-3397-1} - wpa 2.3-2.2 (bug #787371) [wheezy] - wpa (Vulnerable code introduced later) NOTE: support for fragmentation added in https://w1.fi/cgit/hostap/commit/?id=5ea93947ca67ba83529798b806a15b247cdb2e93 - wpasupplicant (v1.0-v2.4 with CONFIG_EAP_PWD=y) - hostapd (v1.0-v2.4 with CONFIG_EAP_PWD=y) NOTE: http://w1.fi/security/2015-4/ NOTE: http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt NOTE: http://w1.fi/security/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch NOTE: http://w1.fi/security/2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch NOTE: http://www.openwall.com/lists/oss-security/2015/05/07/5 CVE-2015-4143 (The EAP-pwd server and peer implementation in hostapd and wpa_supplica ...) {DSA-3397-1} - wpa 2.3-2.2 (bug #787371) - wpasupplicant (v1.0-v2.4 with CONFIG_EAP_PWD=y) - hostapd (v1.0-v2.4 with CONFIG_EAP_PWD=y) NOTE: http://w1.fi/security/2015-4/ NOTE: http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt NOTE: http://w1.fi/security/2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch NOTE: http://w1.fi/security/2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch NOTE: http://www.openwall.com/lists/oss-security/2015/05/07/5 CVE-2015-4142 (Integer underflow in the WMM Action frame parser in hostapd 0.5.5 thro ...) {DSA-3397-1 DLA-260-1} - wpa 2.3-2.2 (bug #787373) - wpasupplicant [squeeze] - wpasupplicant (0.7.0-v2.4 with with specific configurations) - hostapd NOTE: http://w1.fi/security/2015-3/ NOTE: http://w1.fi/security/2015-3/integer-underflow-in-ap-mode-wmm-action-frame.txt NOTE: http://www.openwall.com/lists/oss-security/2015/05/09/5 CVE-2015-4141 (The WPS UPnP function in hostapd, when using WPS AP, and wpa_supplican ...) {DSA-3397-1} - wpa 2.3-2.2 (bug #787372) - wpasupplicant (unimportant) [squeeze] - wpasupplicant (Affects v0.7.0-v2.4 with CONFIG_WPS_ER=y in the build configuration) - hostapd [squeeze] - hostapd (Affects 0.7.0-v2.4 with CONFIG_WPS_UPNP=y in the build configuration and upnp_iface parameter on runtime) NOTE: http://w1.fi/security/2015-2/ NOTE: http://w1.fi/security/2015-2/wps-upnp-http-chunked-transfer-encoding.txt NOTE: http://www.openwall.com/lists/oss-security/2015/05/09/4 CVE-2015-XXXX [incorrect parsing of from header when assigning pgp keys] - semi 1.14.7~0.20120428-17 (bug #784712) [jessie] - semi 1.14.7~0.20120428-14+deb8u1 [wheezy] - semi (Minor issue) [squeeze] - semi (Minor issue) NOTE: http://thread.gmane.org/gmane.mail.wanderlust.general.japanese/9819 NOTE: Fixed in https://github.com/wanderlust/semi/commit/9976269556c5bcc021e4edf1b0e1accd39929528 CVE-2015-XXXX [incorrect substring matching when assigning pgp keys] - semi 1.14.7~0.20120428-17 (bug #784712) [jessie] - semi 1.14.7~0.20120428-14+deb8u1 [wheezy] - semi (Minor issue) [squeeze] - semi (Minor issue) NOTE: https://github.com/wanderlust/semi/issues/9 NOTE: https://github.com/wanderlust/semi/commit/5c8466321d281d72850c298b9ebcd466b4b0160c NOTE: https://github.com/wanderlust/semi/commit/da44c8e0ea6baf5dac2b8debf86f720a541f31a5 - mew 1:6.6-3 [jessie] - mew 1:6.6-2+deb8u1 [wheezy] - mew (Minor issue) [squeeze] - mew (Minor issue) - mew-beta 7.0.50~6.6+0.20150508-1 [jessie] - mew-beta 7.0.50~6.6+0.20140902-1+deb8u1 [wheezy] - mew-beta (Minor issue) [squeeze] - mew-beta (Minor issue) CVE-2015-3429 (Cross-site scripting (XSS) vulnerability in example.html in Genericons ...) {DSA-3328-1} - wordpress 4.2.2+dfsg-1 (bug #784603) [wheezy] - wordpress (twentyfifteen theme not present) [squeeze] - wordpress (twentyfifteen theme not present) NOTE: https://wordpress.org/news/2015/05/wordpress-4-2-2/ NOTE: https://www.netsparker.com/cve-2015-3429-dom-xss-vulnerability-in-twenty-fifteen-wordpress-theme/ NOTE: The default theme twentyfifteen is not present in wheezy. Upstream has NOTE: commited https://core.trac.wordpress.org/changeset/32385 though which NOTE: will enericons example.html files if present. As the file was included NOTE: in other popular themes and plugins maybe it should as well be included NOTE: in an update for wordpress for wheezy? CVE-2014-9721 (libzmq before 4.0.6 and 4.1.x before 4.1.1 allows remote attackers to ...) {DSA-3255-1} - zeromq3 4.0.5+dfsg-3 (bug #784366) NOTE: https://github.com/zeromq/libzmq/issues/1273 NOTE: https://github.com/zeromq/zeromq4-x/commit/b6e3e0f601e2c1ec1f3aac880ed6a3fe63043e51 NOTE: http://www.openwall.com/lists/oss-security/2015/05/07/8 CVE-2015-3643 (usb-creator before 0.2.38.3ubuntu0.1 on Ubuntu 12.04 LTS, before 0.2.5 ...) NOT-FOR-US: usb-creator CVE-2015-3642 (The TLS and DTLS processing functionality in Citrix NetScaler Applicat ...) NOT-FOR-US: Citrix CVE-2015-3641 (bitcoind and Bitcoin-Qt prior to 0.10.2 allow attackers to cause a den ...) - bitcoin 0.10.2-1 CVE-2015-3640 (phpMyBackupPro 2.5 and earlier does not properly escape the "." charac ...) NOT-FOR-US: phpMyBackupPro CVE-2015-3639 (phpMyBackupPro 2.5 and earlier does not properly sanitize input string ...) NOT-FOR-US: phpMyBackupPro CVE-2015-3638 (phpMyBackupPro before 2.5 does not validate integer input, which allow ...) NOT-FOR-US: phpMyBackupPro CVE-2015-3637 (SQL injection vulnerability in phpMyBackupPro when run in multi-user m ...) NOT-FOR-US: phpMyBackupPro CVE-2015-3635 RESERVED CVE-2015-3634 (The SlideshowPluginSlideshowStylesheet::loadStylesheetByAJAX function ...) NOT-FOR-US: Slideshow plugin for Wordpress CVE-2015-3633 (Foxit Reader, Enterprise Reader, and PhantomPDF before 7.1.5 allow rem ...) NOT-FOR-US: Foxit Reader, Enterprise Reader, PhantomPDF CVE-2015-3632 (Foxit Reader, Enterprise Reader, and PhantomPDF before 7.1.5 allow rem ...) NOT-FOR-US: Foxit Reader, Enterprise Reader, PhantomPDF CVE-2015-3631 (Docker Engine before 1.6.1 allows local users to set arbitrary Linux S ...) - docker.io 1.6.1+dfsg1-1 (bug #784726) NOTE: http://www.openwall.com/lists/oss-security/2015/05/07/10 CVE-2015-3630 (Docker Engine before 1.6.1 uses weak permissions for (1) /proc/asound, ...) - docker.io 1.6.1+dfsg1-1 (bug #784726) NOTE: http://www.openwall.com/lists/oss-security/2015/05/07/10 CVE-2015-3629 (Libcontainer 1.6.0, as used in Docker Engine, allows local users to es ...) - docker.io 1.6.1+dfsg1-1 (bug #784726) NOTE: http://www.openwall.com/lists/oss-security/2015/05/07/10 CVE-2015-3628 (The iControl API in F5 BIG-IP LTM, AFM, Analytics, APM, ASM, Link Cont ...) NOT-FOR-US: F5 CVE-2015-3627 (Libcontainer and Docker Engine before 1.6.1 opens the file-descriptor ...) - docker.io 1.6.1+dfsg1-1 (bug #784726) NOTE: http://www.openwall.com/lists/oss-security/2015/05/07/10 CVE-2015-3626 (Cross-site scripting (XSS) vulnerability in the DHCP Monitor page in t ...) NOT-FOR-US: Fortinet FortiOS CVE-2015-3625 (The NVIDIA GPU driver for FreeBSD R352 before 352.09, 346 before 346.7 ...) - nvidia-graphics-drivers (FreeBSD drivers in separate blobs/source) CVE-2015-3624 (Cross-site request forgery (CSRF) vulnerability in Test/WorkArea/DmsMe ...) NOT-FOR-US: Ektron Content Management System CVE-2015-3623 (XML external entity (XXE) vulnerability in QlikTech Qlikview before 11 ...) NOT-FOR-US: QlikTech CVE-2015-3621 (Untrusted search path vulnerability in SAP Enterprise Central Componen ...) NOT-FOR-US: SAP ECC CVE-2015-3620 (Cross-site scripting (XSS) vulnerability in the advanced dataset repor ...) NOT-FOR-US: Fortinet FortiAnalyzer CVE-2015-3619 (Cross-site scripting (XSS) vulnerability in assets/js/vm2admin.js in t ...) NOT-FOR-US: Joomla addon CVE-2015-3618 (Cross-site scripting (XSS) vulnerability in Nagios Business Process In ...) NOT-FOR-US: Nagios Business Process Intelligence CVE-2015-3617 (Fortinet FortiManager 5.0 before 5.0.11 and 5.2 before 5.2.2 allow loc ...) NOT-FOR-US: Fortinet CVE-2015-3616 (SQL injection vulnerability in Fortinet FortiManager 5.0.x before 5.0. ...) NOT-FOR-US: Fortinet CVE-2015-3615 (Cross-site scripting (XSS) vulnerability in Fortinet FortiManager 5.0. ...) NOT-FOR-US: Fortinet CVE-2015-3614 (Fortinet FortiManager 5.0.x before 5.0.11, 5.2.x before 5.2.2 allows r ...) NOT-FOR-US: Fortinet CVE-2015-3613 (A vulnerability exists in in FortiManager 5.2.1 and earlier and 5.0.10 ...) NOT-FOR-US: Fortinet CVE-2015-3612 (A Cross-site Scripting (XSS) vulnerability exists in FortiManager 5.2. ...) NOT-FOR-US: Fortinet CVE-2015-3611 (A Command Injection vulnerability exists in FortiManager 5.2.1 and ear ...) NOT-FOR-US: Fortinet CVE-2015-3610 (The Siemens HomeControl for Room Automation application before 2.0.1 f ...) NOT-FOR-US: Siemens HomeControl for Room Automation application for Android CVE-2015-3609 RESERVED CVE-2015-3608 RESERVED CVE-2015-3607 RESERVED CVE-2015-3606 RESERVED CVE-2015-3605 RESERVED CVE-2015-3604 RESERVED CVE-2015-3603 RESERVED CVE-2015-3602 RESERVED CVE-2015-3601 RESERVED CVE-2015-3600 RESERVED CVE-2015-3599 RESERVED CVE-2015-3598 RESERVED CVE-2015-3597 RESERVED CVE-2015-3596 RESERVED CVE-2015-3595 RESERVED CVE-2015-3594 RESERVED CVE-2015-3593 RESERVED CVE-2015-3592 RESERVED CVE-2015-3591 REJECTED CVE-2015-3590 RESERVED CVE-2015-3589 RESERVED CVE-2015-3588 RESERVED CVE-2015-3587 RESERVED CVE-2015-3586 RESERVED CVE-2015-3585 RESERVED CVE-2015-3584 RESERVED CVE-2015-3583 RESERVED CVE-2015-3582 RESERVED CVE-2015-3581 RESERVED CVE-2015-3580 RESERVED CVE-2015-3579 RESERVED CVE-2015-3578 RESERVED CVE-2015-3577 RESERVED CVE-2015-3576 RESERVED CVE-2015-3575 RESERVED CVE-2015-3574 RESERVED CVE-2015-3573 RESERVED CVE-2015-3572 REJECTED CVE-2015-3571 REJECTED CVE-2015-3570 RESERVED CVE-2015-3569 REJECTED CVE-2015-3568 RESERVED CVE-2015-3567 RESERVED CVE-2015-3566 RESERVED CVE-2015-3565 RESERVED CVE-2015-3564 RESERVED CVE-2015-3563 RESERVED CVE-2015-3562 RESERVED CVE-2015-3561 RESERVED CVE-2015-3560 RESERVED CVE-2015-3559 RESERVED CVE-2015-3558 RESERVED CVE-2015-3557 RESERVED CVE-2015-3556 RESERVED CVE-2015-3555 RESERVED CVE-2015-3554 RESERVED CVE-2015-3553 RESERVED CVE-2015-3552 RESERVED CVE-2015-3551 RESERVED CVE-2015-3550 RESERVED CVE-2015-3549 RESERVED CVE-2015-3548 RESERVED CVE-2015-3547 RESERVED CVE-2015-3546 RESERVED CVE-2015-3545 RESERVED CVE-2015-3544 RESERVED CVE-2015-3543 RESERVED CVE-2015-3542 RESERVED CVE-2015-3541 RESERVED CVE-2015-3540 RESERVED CVE-2015-3539 RESERVED CVE-2015-3538 RESERVED CVE-2015-3537 RESERVED CVE-2015-3536 RESERVED CVE-2015-3535 RESERVED CVE-2015-3534 RESERVED CVE-2015-3533 RESERVED CVE-2015-3532 RESERVED CVE-2015-3531 RESERVED CVE-2015-3530 RESERVED CVE-2015-3529 RESERVED CVE-2015-3528 RESERVED CVE-2015-3527 RESERVED CVE-2015-3526 RESERVED CVE-2015-3525 RESERVED CVE-2015-3524 RESERVED CVE-2015-3523 RESERVED CVE-2015-3522 RESERVED CVE-2015-3521 RESERVED CVE-2015-3520 RESERVED CVE-2015-3519 RESERVED CVE-2015-3518 RESERVED CVE-2015-3517 RESERVED CVE-2015-3516 RESERVED CVE-2015-3515 RESERVED CVE-2015-3514 RESERVED CVE-2015-3513 RESERVED CVE-2015-3512 RESERVED CVE-2015-3511 RESERVED CVE-2015-3510 RESERVED CVE-2015-3509 RESERVED CVE-2015-3508 RESERVED CVE-2015-3507 RESERVED CVE-2015-3506 RESERVED CVE-2015-3505 RESERVED CVE-2015-3504 RESERVED CVE-2015-3503 RESERVED CVE-2015-3502 RESERVED CVE-2015-3501 RESERVED CVE-2015-3500 RESERVED CVE-2015-3499 RESERVED CVE-2015-3498 RESERVED CVE-2015-3497 RESERVED CVE-2015-3496 RESERVED CVE-2015-3495 RESERVED CVE-2015-3494 RESERVED CVE-2015-3493 RESERVED CVE-2015-3492 RESERVED CVE-2015-3491 RESERVED CVE-2015-3490 RESERVED CVE-2015-3489 RESERVED CVE-2015-3488 RESERVED CVE-2015-3487 RESERVED CVE-2015-3486 RESERVED CVE-2015-3485 RESERVED CVE-2015-3484 RESERVED CVE-2015-3483 RESERVED CVE-2015-3482 RESERVED CVE-2015-3481 RESERVED CVE-2015-3480 RESERVED CVE-2015-3479 RESERVED CVE-2015-3478 RESERVED CVE-2015-3477 RESERVED CVE-2015-3476 RESERVED CVE-2015-3475 RESERVED CVE-2015-3474 RESERVED CVE-2015-3473 RESERVED CVE-2015-3472 RESERVED CVE-2015-3471 RESERVED CVE-2015-3470 RESERVED CVE-2015-3469 RESERVED CVE-2015-3468 RESERVED CVE-2015-3467 RESERVED CVE-2015-3466 RESERVED CVE-2015-3465 RESERVED CVE-2015-3464 RESERVED NOT-FOR-US: Oracle FLEXCUBE CVE-2015-3463 RESERVED NOT-FOR-US: Oracle FLEXCUBE CVE-2015-3462 RESERVED CVE-2015-3461 RESERVED CVE-2015-3460 RESERVED CVE-2015-3905 (Buffer overflow in the set_cs_start function in t1disasm.c in t1utils ...) {DLA-256-1} - t1utils 1.38-4 (bug #779274) [wheezy] - t1utils (Minor issue) NOTE: https://github.com/kohler/t1utils/issues/4 NOTE: http://www.openwall.com/lists/oss-security/2015/05/13/9 CVE-2015-XXXX [crashes on crafted upack packed file] - clamav 0.98.7+dfsg-1 [jessie] - clamav 0.98.7+dfsg-0+deb8u1 [wheezy] - clamav 0.98.7+dfsg-0+deb7u1 [squeeze] - clamav 0.98.7+dfsg-0+deb6u1 NOTE: https://github.com/vrtadmin/clamav-devel/commit/a18af359decd270f5088e80e2ee2866c62e0843e NOTE: https://github.com/vrtadmin/clamav-devel/commit/ed56f56c1f1529bda877ddd116ae7bc064667c73 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/05/03/3 CVE-2015-XXXX [crash during algorithmic detection on crafted PE file] - clamav 0.98.7+dfsg-1 [jessie] - clamav 0.98.7+dfsg-0+deb8u1 [wheezy] - clamav 0.98.7+dfsg-0+deb7u1 [squeeze] - clamav 0.98.7+dfsg-0+deb6u1 NOTE: https://github.com/vrtadmin/clamav-devel/commit/a7bdfb4f0d3210eeab49280726ff3ea6d703280e NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/05/03/4 CVE-2015-XXXX [BUG/MAJOR: http: don't read past buffer's end in http_replace_value] - haproxy 1.5.12-1 [jessie] - haproxy (Minor issue) [squeeze] - haproxy (Vulnerable code not present) NOTE: Upstream fix: http://git.haproxy.org/?p=haproxy-1.5.git;a=commit;h=8e05ac2044c6523c867ceaaae1f10486370eec89 NOTE: Introduced by: http://git.haproxy.org/?p=haproxy-1.5.git;a=commit;h=c9c2daf283011e9b9ab0af57629af47862e14e0e CVE-2015-XXXX [BUG/MAJOR: http: prevent risk of reading past end with balance url_param] - haproxy 1.5.12-1 [jessie] - haproxy (Minor issue) [squeeze] - haproxy (Similar check was already present) NOTE: Upstream fix: http://git.haproxy.org/?p=haproxy-1.5.git;a=commit;h=522aab39753e8ed13786bc57b03ef7ae4ffe6c87 NOTE: For squeeze, the above commit message implies that the fix does not need to be backported to version 1.4 and indeed, the code already contains a (different) check that limits the value of "len". CVE-2015-4017 (Salt before 2014.7.6 does not verify certificates when connecting via ...) - salt (Vulnerable code not present in the version in Debian stable/unstable) NOTE: http://www.openwall.com/lists/oss-security/2015/05/02/1 CVE-2015-3646 (OpenStack Identity (Keystone) before 2014.1.5 and 2014.2.x before 2014 ...) - keystone 2015.1.0-1 [jessie] - keystone (Minor issue) [wheezy] - keystone (Vulnerable code not present) NOTE: Affects: versions through 2014.1.4, and 2014.2 versions through 2014.2.3 CVE-2015-3636 (The ping_unhash function in net/ipv4/ping.c in the Linux kernel before ...) {DSA-3290-1} - linux 4.0.2-1 [jessie] - linux 3.16.7-ckt11-1 - linux-2.6 [squeeze] - linux-2.6 (Vulnerable code not present) NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a134f083e79fb4c3d0a925691e732c56911b4326 (v4.1-rc2) NOTE: https://lkml.org/lkml/2011/5/13/382 CVE-2015-3459 (The communication module on the Hospira LifeCare PCA Infusion System b ...) NOT-FOR-US: Hospira Lifecare PCA CVE-2015-3458 (The fetchView function in the Mage_Core_Block_Template_Zend class in M ...) NOT-FOR-US: Magento CVE-2015-3457 (Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.1 ...) NOT-FOR-US: Magento CVE-2015-3456 (The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and ear ...) {DSA-3274-1 DSA-3262-1 DSA-3259-1 DLA-268-1 DLA-249-1 DLA-248-1} - qemu 1:2.3+dfsg-3 NOTE: qemu 1:2.3+dfsg-3 is pending in the NEW queue [wheezy] - qemu 1.1.2+dfsg-6a+deb7u7 - qemu-kvm [wheezy] - qemu-kvm 1.1.2+dfsg-6+deb7u7 - xen 4.4.0-1 [squeeze] - xen (Not supported in Squeeze LTS) NOTE: Xen switched to qemu-system in 4.4.0-1 - xen-qemu-dm-4.0 NOTE: http://xenbits.xen.org/xsa/advisory-133.html [squeeze] - xen-qemu-dm-4.0 (Not supported in Squeeze LTS) - virtualbox 4.3.28-dfsg-1 (bug #785424) - virtualbox-ose NOTE: http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-2542656.html NOTE: http://venom.crowdstrike.com/ CVE-2015-3454 (TelescopeJS before 0.15 leaks user bcrypt password hashes in websocket ...) NOT-FOR-US: TelescopeJS CVE-2015-3453 RESERVED CVE-2015-3452 RESERVED CVE-2015-3450 (Heap-based buffer overflow in libaxl 0.6.9 allows attackers to cause a ...) NOT-FOR-US: libaxl CVE-2015-3449 (The Windows client in SAP Afaria 7.0.6398.0 uses weak permissions (Eve ...) NOT-FOR-US: SAP Afaria CVE-2015-3448 (REST client for Ruby (aka rest-client) before 1.7.3 logs usernames and ...) - ruby-rest-client 1.8.0-1 [jessie] - ruby-rest-client (Minor issue, logging not enabled by default) [wheezy] - ruby-rest-client (Minor issue, logging not enabled by default) - librestclient-ruby [squeeze] - librestclient-ruby (Minor issue, logging not enabled by default) CVE-2015-3447 (Multiple cross-site scripting (XSS) vulnerabilities in macIpSpoofView. ...) NOT-FOR-US: Dell SonicWALL SonicOS CVE-2015-3622 (The _asn1_extract_der_octet function in lib/decoding.c in GNU Libtasn1 ...) {DSA-3256-1} - libtasn1-6 4.4-3 - libtasn1-3 (Introduced with 3.6) NOTE: https://blog.fuzzing-project.org/9-Heap-overflow-invalid-read-in-Libtasn1-TFPA-0052015.html NOTE: http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commitdiff;h=f979435823a02f842c41d49cd41cc81f25b5d677 NOTE: Introduced by http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commitdiff;h=609d5c1366fb424f6150c4eed358d246e61cf204 (libtasn1_3_6) NOTE: DECR_LEN introduced in http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commitdiff;h=154909136c12cfa5c60732b7210827dfb1ec6aee (libtasn1_3_6) CVE-2015-3455 (Squid 3.2.x before 3.2.14, 3.3.x before 3.3.14, 3.4.x before 3.4.13, a ...) - squid 4.1-1 (unimportant) - squid3 3.5.6-1 (unimportant) NOTE: http://www.squid-cache.org/Advisories/SQUID-2015_1.txt NOTE: Only affects custom builds with --enable-ssl (disabled for license purposes in Debian) CVE-2015-3446 (The Framework Daemon in AlienVault Unified Security Management before ...) NOT-FOR-US: AlienVault Unified Security Management CVE-2015-3445 RESERVED CVE-2015-3444 RESERVED CVE-2015-3443 (Cross-site scripting (XSS) vulnerability in the basic dashboard in Thy ...) NOT-FOR-US: Thycotic Secret Server CVE-2015-3442 (Soreco Xpert.Line 3.0 allows local users to spoof users and consequent ...) NOT-FOR-US: Soreco CVE-2015-3441 (The Parental Control panel in Genexis devices with DRGOS before 1.14.1 ...) NOT-FOR-US: Genexis devices CVE-2015-3437 RESERVED CVE-2015-3436 (provider/server/ECServer.cpp in Zarafa Collaboration Platform (ZCP) be ...) - zarafa (bug #658433) CVE-2015-3435 (Samsung Security Manager (SSM) before 1.31 allows remote attackers to ...) NOT-FOR-US: Samsung Security Manager CVE-2015-3434 RESERVED CVE-2015-3433 RESERVED CVE-2015-3432 (Multiple cross-site scripting (XSS) vulnerabilities in Pydio (formerly ...) - ajaxplorer (bug #668381) CVE-2015-3431 (Pydio (formerly AjaXplorer) before 6.0.7 allows remote attackers to ex ...) - ajaxplorer (bug #668381) CVE-2015-3430 RESERVED CVE-2015-3428 RESERVED CVE-2015-3426 RESERVED CVE-2015-3425 (Cross-site scripting (XSS) vulnerability in Accentis Content Resource ...) NOT-FOR-US: Accentis Content Resource Management System CVE-2015-3424 (SQL injection vulnerability in Accentis Content Resource Management Sy ...) NOT-FOR-US: Accentis Content Resource Management System CVE-2015-3423 (Multiple SQL injection vulnerabilities in NetCracker Resource Manageme ...) NOT-FOR-US: NetCracker Resource Management System CVE-2015-3422 (Cross-site scripting (XSS) vulnerability in SearchBlox before 8.2.1 al ...) NOT-FOR-US: SearchBlox CVE-2015-3421 (The eshop_checkout function in checkout.php in the Wordpress Eshop plu ...) NOT-FOR-US: Wordpress Eshop CVE-2015-3419 (vBulletin 5.x through 5.1.6 allows remote authenticated users to bypas ...) NOT-FOR-US: vBulletin CVE-2015-3413 RESERVED - hhvm 3.11.0+dfsg-1 NOTE: https://github.com/facebook/hhvm/commit/02a7a8f086c9181002fca0f0d9cef42963fdf46a CVE-2015-3412 (PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does no ...) {DLA-307-1} - php5 5.6.9+dfsg-1 [jessie] - php5 5.6.9+dfsg-0+deb8u1 [wheezy] - php5 5.4.41-0+deb7u1 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=52b93f0cfd3cba7ff98cc5198df6ca4f23865f80 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=4435b9142ff9813845d5c97ab29a5d637bedb257 NOTE: https://bugs.php.net/bug.php?id=69353 CVE-2015-3411 (PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does no ...) {DLA-307-1} - php5 5.6.9+dfsg-1 [jessie] - php5 5.6.9+dfsg-0+deb8u1 [wheezy] - php5 5.4.41-0+deb7u1 NOTE: https://bugs.php.net/bug.php?id=69353 CVE-2015-3410 RESERVED CVE-2015-3427 (Quassel before 0.12.2 does not properly re-initialize the database ses ...) {DSA-3258-1} - quassel 1:0.10.0-2.4 (bug #783926) [wheezy] - quassel (incomplete fix for CVE-2013-4422 not applied) [squeeze] - quassel (incomplete fix for CVE-2013-4422 not applied) NOTE: https://github.com/quassel/quassel/commit/6605882f41331c80f7ac3a6992650a702ec71283 NOTE: http://quassel-irc.org/node/120 CVE-2015-3420 (The ssl-proxy-openssl.c function in Dovecot before 2.2.17, when SSLv3 ...) - dovecot 1:2.2.13-12 (bug #783649) [jessie] - dovecot 1:2.2.13-12~deb8u1 [wheezy] - dovecot (Problematic patch introducing the issue not applied) [squeeze] - dovecot (Vulnerable code not present & not reproducible) NOTE: http://www.openwall.com/lists/oss-security/2015/04/26/3 NOTE: Patch: http://web.archive.org/web/20150907231530/http://hg.dovecot.org/dovecot-2.2/rev/86f535375750 NOTE: Segfault reproducible if using openssl/1.0.2a-1 from sid. NOTE: http://dovecot.org/pipermail/dovecot/2015-April/100579.html NOTE: It is openssl crashing but because dovecot ignores an erlier NOTE: returned error from dovecot, related to openssl bug: NOTE: https://rt.openssl.org/Ticket/Display.html?id=3818&user=guest&pass=guest NOTE: Possibly introduced due to http://web.archive.org/web/20150121182933/http://hg.dovecot.org:80/dovecot-2.2/rev/09d3c9c6f0ad CVE-2015-3440 (Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in W ...) {DSA-3250-1 DLA-236-1} - wordpress 4.2.1+dfsg-1 (bug #783554) NOTE: http://klikki.fi/adv/wordpress2.html NOTE: https://wordpress.org/news/2015/04/wordpress-4-2-1/ NOTE: http://www.openwall.com/lists/oss-security/2015/04/27/4 NOTE: https://core.trac.wordpress.org/changeset/32299 CVE-2015-XXXX [Some plugins were vulnerable to an SQL injection vulnerability] - wordpress 4.2+dfsg-1 (bug #783347) [jessie] - wordpress 4.1+dfsg-1+deb8u1 [wheezy] - wordpress 3.6.1+dfsg-1~deb7u6 [squeeze] - wordpress 3.6.1+dfsg-1~deb6u6 NOTE: https://wordpress.org/news/2015/04/wordpress-4-1-2/ NOTE: http://www.openwall.com/lists/oss-security/2015/04/26/2 NOTE: To be decided: http://www.openwall.com/lists/oss-security/2015/04/28/7 CVE-2015-XXXX [files with invalid or unsafe names could be uploaded] - wordpress 4.2+dfsg-1 (bug #783347) [jessie] - wordpress 4.1+dfsg-1+deb8u1 [wheezy] - wordpress (File upload vulnerability only in WordPress 4.1 and higher) [squeeze] - wordpress (File upload vulnerability only in WordPress 4.1 and higher) NOTE: https://wordpress.org/news/2015/04/wordpress-4-1-2/ NOTE: http://www.openwall.com/lists/oss-security/2015/04/26/2 NOTE: To be decided: http://www.openwall.com/lists/oss-security/2015/04/28/7 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/06/10/11 CVE-2015-3439 (Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiec ...) {DSA-3250-1 DLA-236-1} - wordpress 4.2+dfsg-1 (bug #783347) NOTE: http://codex.wordpress.org/Version_4.1.2 NOTE: https://wordpress.org/news/2015/04/wordpress-4-1-2/ CVE-2015-3438 (Multiple cross-site scripting (XSS) vulnerabilities in WordPress befor ...) {DSA-3250-1 DLA-236-1} - wordpress 4.2+dfsg-1 (bug #783347) NOTE: http://codex.wordpress.org/Version_4.1.2 NOTE: https://wordpress.org/news/2015/04/wordpress-4-1-2/ CVE-2015-3451 (The _clone function in XML::LibXML before 2.0119 does not properly set ...) {DSA-3243-1 DLA-214-1} - libxml-libxml-perl 2.0116+dfsg-2 (bug #783443) NOTE: http://www.openwall.com/lists/oss-security/2015/04/25/2 NOTE: https://bitbucket.org/shlomif/perl-xml-libxml/commits/5962fd067580767777e94640b129ae8930a68a30 NOTE: https://bitbucket.org/shlomif/perl-xml-libxml/commits/915f1dbaf21c5f3c21d7c519c70fd93859e47152 CVE-2015-3418 (The ProcPutImage function in dix/dispatch.c in X.Org Server (aka xserv ...) {DLA-120-2} - xorg-server 2:1.16.4-1 (bug #774308) [wheezy] - xorg-server 2:1.12.4-6+deb7u6 NOTE: http://cgit.freedesktop.org/xorg/xserver/commit/?id=dc777c346d5d452a53b13b917c45f6a1bad2f20b NOTE: https://bugzilla.suse.com/show_bug.cgi?id=928520 (not public yet) CVE-2015-3417 (Use-after-free vulnerability in the ff_h264_free_tables function in li ...) {DSA-3288-1} - ffmpeg 7:2.6.1-1 [squeeze] - ffmpeg (Vulnerable code not present) - libav 6:11.4-1 [wheezy] - libav (Vulnerable code not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/e8714f6f93d1a32f4e4655209960afcf4c185214 CVE-2015-3404 (The Certify module before 6.x-2.3 for Drupal does not properly perform ...) NOT-FOR-US: Certify module for Drupal CVE-2015-3403 RESERVED CVE-2015-3402 RESERVED CVE-2015-3401 RESERVED CVE-2015-3399 RESERVED CVE-2015-3398 RESERVED CVE-2015-3397 (Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.4 ...) - yii (bug #597899) CVE-2015-3396 RESERVED CVE-2015-3395 (The msrle_decode_pal4 function in msrledec.c in Libav before 10.7 and ...) {DSA-3288-1} - ffmpeg 7:2.6.2-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav 6:11.4-1 [wheezy] - libav - chromium-browser NOTE: Patch in ffmpeg: https://github.com/FFmpeg/FFmpeg/commit/f7e1367f58263593e6cee3c282f7277d7ee9d553 NOTE: Patch in libav: https://git.libav.org/?p=libav.git;a=commit;h=5ecabd3c54b7c802522dc338838c9a4c2dc42948 CVE-2015-3394 RESERVED CVE-2015-3393 (Open redirect vulnerability in the Commerce WeDeal module before 7.x-1 ...) NOT-FOR-US: Drupal addon CVE-2015-3392 (Cross-site scripting (XSS) vulnerability in the Ajax Timeline module b ...) NOT-FOR-US: Drupal addon CVE-2015-3391 (The Path Breadcrumbs module before 7.x-3.2 for Drupal allows remote at ...) NOT-FOR-US: Drupal addon CVE-2015-3390 (Cross-site scripting (XSS) vulnerability in the Facebook Album Fetcher ...) NOT-FOR-US: Drupal addon CVE-2015-3389 (Cross-site scripting (XSS) vulnerability in the Download counts report ...) NOT-FOR-US: Drupal addon CVE-2015-3388 (Cross-site request forgery (CSRF) vulnerability in the Commerce Balanc ...) NOT-FOR-US: Drupal addon CVE-2015-3387 (Multiple cross-site scripting (XSS) vulnerabilities in the Taxonomy To ...) NOT-FOR-US: Drupal addon CVE-2015-3386 (Cross-site scripting (XSS) vulnerability in the Node Access Product mo ...) NOT-FOR-US: Drupal addon CVE-2015-3385 (Cross-site scripting (XSS) vulnerability in the Taxonomy Path module b ...) NOT-FOR-US: Drupal addon CVE-2015-3384 (Cross-site scripting (XSS) vulnerability in the Bank Account Listing P ...) NOT-FOR-US: Drupal addon CVE-2015-3383 (Open redirect vulnerability in the Node basket module for Drupal allow ...) NOT-FOR-US: Drupal addon CVE-2015-3382 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Node ...) NOT-FOR-US: Drupal addon CVE-2015-3381 (Cross-site scripting (XSS) vulnerability in the Node basket module for ...) NOT-FOR-US: Drupal addon CVE-2015-3380 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Feat ...) NOT-FOR-US: Drupal addon CVE-2015-3379 (The Views module before 6.x-2.18, 6.x-3.x before 6.x-3.2, and 7.x-3.x ...) NOT-FOR-US: Drupal Views module CVE-2015-3378 (Open redirect vulnerability in the Views module before 6.x-2.18, 6.x-3 ...) NOT-FOR-US: Drupal Views module CVE-2015-3377 RESERVED CVE-2015-3376 (Cross-site scripting (XSS) vulnerability in the Quizzler module before ...) NOT-FOR-US: Quizzler module for Drupal CVE-2015-3375 (Cross-site request forgery (CSRF) vulnerability in the Shibboleth Auth ...) NOT-FOR-US: Shibboleth Authentication module for Drupal CVE-2015-3374 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Corn ...) NOT-FOR-US: Corner module fro Drupal CVE-2015-3373 (The Amazon AWS module before 7.x-1.3 for Drupal uses the base URL and ...) NOT-FOR-US: Amazon AWS module for Drupal CVE-2015-3372 (Cross-site scripting (XSS) vulnerability in the Node Invite module bef ...) NOT-FOR-US: Node Invite module for Drupal CVE-2015-3371 (Open redirect vulnerability in the Node Invite module before 6.x-2.5 f ...) NOT-FOR-US: Node Invite module for Drupal CVE-2015-3370 (Cross-site request forgery (CSRF) vulnerability in the Node Invite mod ...) NOT-FOR-US: Node Invite module for Drupal CVE-2015-3369 (Cross-site scripting (XSS) vulnerability in the Taxonews module before ...) NOT-FOR-US: Taxonews module for Drupal CVE-2015-3368 (Cross-site scripting (XSS) vulnerability in the administration user in ...) NOT-FOR-US: Classified Ads module for Drupal CVE-2015-3367 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Patt ...) NOT-FOR-US: Ptterns module for Drupal CVE-2015-3366 (Cross-site request forgery (CSRF) vulnerability in the Alfresco module ...) NOT-FOR-US: Alfresco module for Drupal CVE-2015-3365 (Cross-site scripting (XSS) vulnerability in the nodeauthor module for ...) NOT-FOR-US: nodeauthor module for Drupal CVE-2015-3364 (Cross-site scripting (XSS) vulnerability in the Content Analysis modul ...) NOT-FOR-US: Content Analysis module for Drupal CVE-2015-3363 (Cross-site request forgery (CSRF) vulnerability in the Contact Form Fi ...) NOT-FOR-US: Contact Forms Fields module for Drupal CVE-2015-3362 (Cross-site scripting (XSS) vulnerability in the Video module before 7. ...) NOT-FOR-US: Video module for Drupal CVE-2015-3361 (Cross-site scripting (XSS) vulnerability in the Linkit module before 7 ...) NOT-FOR-US: Linkit module for Drupal CVE-2015-3360 (Cross-site scripting (XSS) vulnerability in the Term Merge module befo ...) NOT-FOR-US: Term Merge module for Drupal CVE-2015-3359 (Multiple cross-site scripting (XSS) vulnerabilities in the Room Reserv ...) NOT-FOR-US: Room Reservations module for Drupal CVE-2015-3358 (Multiple open redirect vulnerabilities in the Tadaa! module before 7.x ...) NOT-FOR-US: Tadaa! module for Drupal CVE-2015-3357 (Cross-site scripting (XSS) vulnerability in the Wishlist module before ...) NOT-FOR-US: Wishlist module for Drupal CVE-2015-3356 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Tada ...) NOT-FOR-US: Tadaa! module for Drupal CVE-2015-3355 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Batc ...) NOT-FOR-US: Batch Jobs module for Drupal CVE-2015-3354 (Cross-site request forgery (CSRF) vulnerability in the Wishlist module ...) NOT-FOR-US: Drupal module Wishlist CVE-2015-3353 (Cross-site scripting (XSS) vulnerability in the Field Display Label mo ...) NOT-FOR-US: Field Display Label module for Drupal CVE-2015-3352 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Jamm ...) NOT-FOR-US: Drupal module Jammer CVE-2015-3351 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Log ...) NOT-FOR-US: Log Watcher module for Drupal CVE-2015-3350 (Cross-site request forgery (CSRF) vulnerability in the Todo Filter mod ...) NOT-FOR-US: Drupal module Todo Filter CVE-2015-3349 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Htac ...) NOT-FOR-US: Htaccess module for Drupal CVE-2015-3348 (Cross-site scripting (XSS) vulnerability in the Cloudwords for Multili ...) NOT-FOR-US: Cloudwords for Multilingual Drupal module for Drupal CVE-2015-3347 (Cross-site request forgery (CSRF) vulnerability in the Cloudwords for ...) NOT-FOR-US: Cloudwords for Multilingual Drupal module for Drupal CVE-2015-3346 (SQL injection vulnerability in the WikiWiki module before 6.x-1.2 for ...) NOT-FOR-US: WikiWiki module for Drupal CVE-2015-3345 (SQL injection vulnerability in the PHPlist Integration Module before 6 ...) NOT-FOR-US: Drupal module PHPlist CVE-2015-3344 (Cross-site scripting (XSS) vulnerability in the Course module 6.x-1.x ...) NOT-FOR-US: Drupal module Course CVE-2015-3343 (Cross-site request forgery (CSRF) vulnerability in the OPAC module bef ...) NOT-FOR-US: OPAC module for Drupal CVE-2015-3342 (Open redirect vulnerability in the Ubercart Currency Conversion module ...) NOT-FOR-US: Ubercart Currency Conversion module for Drupal CVE-2015-3341 RESERVED CVE-2015-3400 (sharenfs 0.6.4, when built with commits bcdd594 and 7d08880 from the z ...) - zfs-linux (Specific to packages on archive.zfsonlinux.org repositories) NOTE: Issue with ZFS on Linux Debian packages specific as published in the archive.zfsonlinux.org repositories NOTE: https://github.com/zfsonlinux/zfs/issues/3319 CVE-2015-3338 RESERVED CVE-2015-3337 (Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1. ...) {DSA-3241-1} - elasticsearch 1.0.3+dfsg-7 NOTE: https://www.elastic.co/blog/elasticsearch-1-5-2-and-1-4-5-released CVE-2015-3336 (Google Chrome before 42.0.2311.90 does not always ask the user before ...) {DSA-3238-1} - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser [squeeze] - chromium-browser - libv8-3.14 (unimportant) NOTE: libv8 not covered by security support CVE-2015-3335 (The NaClSandbox::InitializeLayerTwoSandbox function in components/nacl ...) - chromium-browser (native client support not built) CVE-2015-3334 (browser/ui/website_settings/website_settings.cc in Google Chrome befor ...) {DSA-3238-1} - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-3333 (Multiple unspecified vulnerabilities in Google V8 before 4.2.77.14, as ...) {DSA-3238-1} - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser [squeeze] - chromium-browser - libv8-3.14 (unimportant) NOTE: libv8 not covered by security support CVE-2015-3340 (Xen 4.2.x through 4.5.x does not initialize certain fields, which allo ...) {DSA-3414-1} - xen 4.6.0-1 (unimportant; bug #784011) [wheezy] - xen 4.1.4-3+deb7u8 [squeeze] - xen (Not supported in Squeeze LTS) NOTE: http://xenbits.xen.org/xsa/advisory-132.html CVE-2015-4605 (The mcopy function in softmagic.c in file 5.x, as used in the Fileinfo ...) {DLA-307-1} - php5 5.6.9+dfsg-1 (bug #783099) [jessie] - php5 5.6.9+dfsg-0+deb8u1 [wheezy] - php5 5.4.41-0+deb7u1 - file (Not reproducible with file, see #783108) NOTE: https://git.php.net/?p=php-src.git;a=commitdiff;h=f938112c495b0d26572435c0be73ac0bfe642ecd NOTE: https://bugs.php.net/bug.php?id=68819 CVE-2015-4604 (The mget function in softmagic.c in file 5.x, as used in the Fileinfo ...) {DLA-307-1} - php5 5.6.9+dfsg-1 (bug #783099) [jessie] - php5 5.6.9+dfsg-0+deb8u1 [wheezy] - php5 5.4.41-0+deb7u1 - file (Not reproducible with file, see #783108) NOTE: https://git.php.net/?p=php-src.git;a=commitdiff;h=f938112c495b0d26572435c0be73ac0bfe642ecd NOTE: https://bugs.php.net/bug.php?id=68819 CVE-2015-3339 (Race condition in the prepare_binprm function in fs/exec.c in the Linu ...) {DSA-3237-1 DLA-246-1} - linux 3.16.7-ckt9-3 - linux-2.6 NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8b01fc86b9f425899f8a3a8fc1c47d73c2c20543 NOTE: http://www.openwall.com/lists/oss-security/2015/04/20/1 CVE-2015-7942 (The xmlParseConditionalSections function in parser.c in libxml2 does n ...) {DSA-3430-1 DLA-334-1} - libxml2 2.9.3+dfsg1-1 (bug #802827) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=744980#c8 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=756456#c0 NOTE: https://git.gnome.org/browse/libxml2/commit/?id=bd0526e66a56e75a18da8c15c4750db8f801c52d NOTE: https://git.gnome.org/browse/libxml2/commit/?id=41ac9049a27f52e7a1f3b341f8714149fc88d450 CVE-2015-7941 (libxml2 2.9.2 does not properly stop parsing invalid input, which allo ...) {DSA-3430-1 DLA-266-1} - libxml2 2.9.2+really2.9.1+dfsg1-0.1 (bug #783010) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=744980 NOTE: http://www.openwall.com/lists/oss-security/2015/04/19/5 NOTE: http://www.openwall.com/lists/oss-security/2015/10/22/5 NOTE: https://git.gnome.org/browse/libxml2/commit/?id=a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 (v2.9.3) NOTE: https://git.gnome.org/browse/libxml2/commit/?id=9b8512337d14c8ddf662fcb98b0135f225a1c489 (v2.9.3) CVE-2015-8710 (The htmlParseComment function in HTMLparser.c in libxml2 allows attack ...) {DSA-3430-1 DLA-266-1} - libxml2 2.9.2+really2.9.1+dfsg1-0.1 (bug #782985) NOTE: Added workaround item to reflect entry fixed status, remove once CVE assigned NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/04/19/4 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=746048 NOTE: https://git.gnome.org/browse/libxml2/commit/?id=e724879d964d774df9b7969fc846605aa1bac54c CVE-2015-3328 RESERVED CVE-2015-3327 RESERVED CVE-2015-3326 (Trend Micro ScanMail for Microsoft Exchange (SMEX) 10.2 before Hot Fix ...) NOT-FOR-US: Trend Micro ScanMail for Exchange CVE-2015-3325 (SQL injection vulnerability in forum.php in the WP Symposium plugin be ...) NOT-FOR-US: WP Symposium plugin for WordPress CVE-2015-3324 (The ThinkServer System Manager (TSM) Baseboard Management Controller b ...) NOT-FOR-US: ThinkServer CVE-2015-3323 (The ThinkServer System Manager (TSM) Baseboard Management Controller b ...) NOT-FOR-US: ThinkServer CVE-2015-3322 (Lenovo ThinkServer RD350, RD450, RD550, RD650, and TD350 servers befor ...) NOT-FOR-US: ThinkServer CVE-2015-3321 (Services and files in Lenovo Fingerprint Manager before 8.01.42 have i ...) NOT-FOR-US: Lenovo CVE-2015-3320 (Lenovo USB Enhanced Performance Keyboard software before 2.0.2.2 inclu ...) NOT-FOR-US: Lenovo USB Enhanced Performance Keyboard software CVE-2014-9717 (fs/namespace.c in the Linux kernel before 4.0.2 processes MNT_DETACH u ...) - linux 4.0.2-1 (low) [jessie] - linux (Too intrusive to backport) [wheezy] - linux (user namespaces known broken before 3.5, see kernel-sec info) - linux-2.6 (user namespaces known broken before 3.5, see kernel-sec info) NOTE: https://groups.google.com/forum/#!topic/linux.kernel/HnegnbXk0Vs NOTE: Proposed fixes: http://www.spinics.net/lists/linux-containers/msg30786.html NOTE: http://www.openwall.com/lists/oss-security/2015/04/17/4 NOTE: CVE assignement for issue in http://marc.info/?l=linux-kernel&m=141271552117745&w=2 CVE-2015-3330 (The php_handler function in sapi/apache2handler/sapi_apache2.c in PHP ...) {DSA-3198-1 DLA-212-1} - php5 5.6.7+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=69218 NOTE: https://bugs.php.net/bug.php?id=68486 NOTE: Fixed by: http://git.php.net/?p=php-src.git;a=commit;h=809610f5ea38a83b284e1125d1fff129bdd615e7 NOTE: http://www.openwall.com/lists/oss-security/2015/04/17/3 NOTE: For details on scope of the CVE assignment: http://www.openwall.com/lists/oss-security/2015/04/17/7 CVE-2015-3319 (Hotspot Express hotEx Billing Manager 73 does not include the HTTPOnly ...) NOT-FOR-US: Hotspot Express hotEx Billing Manager CVE-2015-3318 (CA Common Services, as used in CA Client Automation r12.5 SP01, r12.8, ...) NOT-FOR-US: CA Common Services in ca.com products CVE-2015-3317 (CA Common Services, as used in CA Client Automation r12.5 SP01, r12.8, ...) NOT-FOR-US: CA Common Services in ca.com products CVE-2015-3316 (CA Common Services, as used in CA Client Automation r12.5 SP01, r12.8, ...) NOT-FOR-US: CA Common Services in ca.com products CVE-2015-3314 (SQL injection vulnerability in WordPress Tune Library plugin before 1. ...) NOT-FOR-US: Wordpress plugin CVE-2015-3313 (SQL injection vulnerability in WordPress Community Events plugin befor ...) NOT-FOR-US: Wordpress plugin CVE-2015-3312 RESERVED CVE-2015-3311 RESERVED CVE-2015-3307 (The phar_parse_metadata function in ext/phar/phar.c in PHP before 5.4. ...) {DSA-3280-1 DLA-307-1} - php5 5.6.9+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=69443 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=17cbd0b5b78a7500f185b3781a2149881bfff8ae CVE-2015-3329 (Multiple stack-based buffer overflows in the phar_set_inode function i ...) {DSA-3280-1 DLA-212-1} - php5 5.6.9+dfsg-1 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=f59b67ae50064560d7bfcdb0d6a8ab284179053c NOTE: https://bugs.php.net/bug.php?id=69441 NOTE: http://www.openwall.com/lists/oss-security/2015/04/16/22 NOTE: Fixed in 5.6.8 and 5.4.40 CVE-2015-3315 (Automatic Bug Reporting Tool (ABRT) allows local users to read, change ...) NOT-FOR-US: abrt is Red Hat / Fedora specific CVE-2015-3309 (Directory traversal vulnerability in node/utils/Minify.js in Etherpad ...) - etherpad-lite (bug #576998) CVE-2015-3308 (Double free vulnerability in lib/x509/x509_ext.c in GnuTLS before 3.3. ...) [experimental] - gnutls28 3.3.14-1 - gnutls28 3.3.8-7 (bug #782776) [jessie] - gnutls28 3.3.8-6+deb8u1 - gnutls26 (Introduced in 3.3.0) NOTE: https://gitlab.com/gnutls/gnutls/commit/d6972be33264ecc49a86cd0958209cd7363af1e9 NOTE: https://gitlab.com/gnutls/gnutls/commit/053ae65403216acdb0a4e78b25ad66ee9f444f02 CVE-2015-3305 RESERVED CVE-2015-3304 RESERVED CVE-2015-3303 RESERVED CVE-2015-3302 (The TheCartPress eCommerce Shopping Cart (aka The Professional WordPre ...) NOT-FOR-US: TheCartPress eCommerce Shopping Cart CVE-2015-3301 (Directory traversal vulnerability in the TheCartPress eCommerce Shoppi ...) NOT-FOR-US: TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress CVE-2015-3300 (Multiple cross-site scripting (XSS) vulnerabilities in the TheCartPres ...) NOT-FOR-US: TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress CVE-2015-3299 (Cross-site scripting (XSS) vulnerability in the Floating Social Bar pl ...) NOT-FOR-US: Wordpress plugin CVE-2015-3298 RESERVED CVE-2015-3296 (Multiple cross-site scripting (XSS) vulnerabilities in NodeBB before 0 ...) NOT-FOR-US: NodeBB CVE-2015-3295 (markdown-it before 4.1.0 does not block data: URLs. ...) - ruby-rails-assets-markdown-it 4.2.1-1 CVE-2015-3294 (The tcp_request function in Dnsmasq before 2.73rc4 does not properly h ...) {DSA-3251-1 DLA-225-1} - dnsmasq 2.72-3.1 (bug #783459) NOTE: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2015q2/009382.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=ad4a8ff7d9097008d7623df8543df435bfddeac8 CVE-2015-3293 (FortiMail 5.0.3 through 5.2.3 allows remote administrators to obtain c ...) NOT-FOR-US: FortiMail CVE-2015-3292 (The installer in NetApp OnCommand Workflow Automation before 2.2.1P1 a ...) NOT-FOR-US: NetApp OnCommand Workflow Automation CVE-2015-3291 (arch/x86/entry/entry_64.S in the Linux kernel before 4.1.6 on the x86_ ...) {DSA-3313-1} - linux 4.0.8-2 [wheezy] - linux (Present since 3.3) - linux-2.6 (Present since 3.3) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a27507ca2d796cfa8d907de31ad730359c8a6d06 (prerequisite) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=810bc075f78ff2c221536eb3008eac6a492dba2d NOTE: Introduced around 3.3-rc1: (https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3f3c8b8c4b2a34776c3470142a7c8baafcda6eb0) CVE-2015-3290 (arch/x86/entry/entry_64.S in the Linux kernel before 4.1.6 on the x86_ ...) {DSA-3313-1} - linux 4.0.8-2 [wheezy] - linux (Introduced in 3.13) - linux-2.6 (Introduced in 3.13) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9d05041679904b12c12421cbcf9cb5f4860a8d7b (prerequisite) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0e181bb58143cb4a2e8f01c281b0816cd0e4798e (prerequisite) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b6e6a8334d56354853f9c255d1395c2ba570e0a CVE-2015-3289 (OpenStack Glance before 2015.1.1 (kilo) allows remote authenticated us ...) - glance 2015.1.0-4 (bug #793896) [jessie] - glance (Vulnerable code introduced later) [wheezy] - glance (Vulnerable code introduced later) CVE-2015-3288 (mm/memory.c in the Linux kernel before 4.1.4 mishandles anonymous page ...) - linux 4.2-1 [jessie] - linux 3.16.7-ckt17-1 [wheezy] - linux 3.2.71-1 NOTE: https://git.kernel.org/linus/6b7339f4c31ad69c8e9c0b2859276e22cf72176d (v4.2-rc2) CVE-2015-3287 REJECTED CVE-2015-3286 (Buffer overflow in the Solaris kernel extension in OpenAFS before 1.6. ...) - openafs (The Solaris kernel extension in versions through 1.6.12) NOTE: http://www.openafs.org/pages/security/OPENAFS-SA-2015-005.txt CVE-2015-3285 (The pioctl for the OSD FS command in OpenAFS before 1.6.13 uses the wr ...) {DSA-3320-1 DLA-342-1} - openafs 1.6.13-1 NOTE: http://www.openafs.org/pages/security/OPENAFS-SA-2015-004.txt CVE-2015-3284 (pioctls in OpenAFS 1.6.x before 1.6.13 allows local users to read kern ...) {DSA-3320-1} - openafs 1.6.13-1 [squeeze] - openafs (Only 1.6.0 trough 1.6.12) NOTE: http://www.openafs.org/pages/security/OPENAFS-SA-2015-003.txt CVE-2015-3283 (OpenAFS before 1.6.13 allows remote attackers to spoof bos commands vi ...) {DSA-3320-1 DLA-342-1} - openafs 1.6.13-1 NOTE: http://www.openafs.org/pages/security/OPENAFS-SA-2015-002.txt CVE-2015-3282 (vos in OpenAFS before 1.6.13, when updating VLDB entries, allows remot ...) {DSA-3320-1 DLA-342-1} - openafs 1.6.13-1 NOTE: http://www.openafs.org/pages/security/OPENAFS-SA-2015-001.txt CVE-2015-3281 (The buffer_slow_realign function in HAProxy 1.5.x before 1.5.14 and 1. ...) {DSA-3301-1} - haproxy 1.5.14-1 [squeeze] - haproxy (Affects 1.5.x and 1.6-dev only) NOTE: http://git.haproxy.org/?p=haproxy-1.5.git;a=commitdiff;h=7ec765568883b2d4e5a2796adbeb492a22ec9bd4 (1.5.x) CVE-2015-3280 (OpenStack Compute (nova) before 2014.2.4 (juno) and 2015.1.x before 20 ...) - nova 1:12.0.0-2 (low; bug #798883) [jessie] - nova (Minor issue) [wheezy] - nova (Affected code introduced later) NOTE: 2014.2 versions through 2014.2.3, and 2015.1 versions through 2015.1.1 CVE-2015-3279 (Integer overflow in filter/texttopdf.c in texttopdf in cups-filters be ...) {DSA-3303-1 DLA-314-1} - cups-filters 1.0.71-1 - cups 1.5.0-16 NOTE: cups moved filters to separate package in 1.5.0-16 NOTE: http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7365 CVE-2015-3278 (The cipherstring parsing code in nss_compat_ossl while in multi-keywor ...) NOT-FOR-US: nss_compat_ossl (OpenSSL to NSS Porting Library) CVE-2015-3277 (The mod_nss module before 1.0.11 in Fedora allows remote attackers to ...) - libapache2-mod-nss (bug #795657) [stretch] - libapache2-mod-nss (Minor issue) [jessie] - libapache2-mod-nss (Vulnerability introduced in 1.0.11) [wheezy] - libapache2-mod-nss (Vulnerability introduced in 1.0.11) NOTE: Introduced by https://pagure.io/mod_nss/c/2d1650900f4d47dc43400d826c0f7e1a7c5229b8 (1.10.11) CVE-2015-3276 (The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDA ...) - openldap (unimportant) NOTE: Debian builds with GNUTLS, not NSS CVE-2015-3275 (Multiple cross-site scripting (XSS) vulnerabilities in the SCORM modul ...) - moodle 2.7.9+dfsg-1 (bug #792242) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50614 CVE-2015-3274 (Cross-site scripting (XSS) vulnerability in the user_get_user_details ...) - moodle 2.7.9+dfsg-1 (bug #792242) [squeeze] - moodle (Only similar function looks like the fixed version) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50130 CVE-2015-3273 (mod/forum/post.php in Moodle 2.9.x before 2.9.1 does not consider the ...) - moodle (Affects only 2.9) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50220 CVE-2015-3272 (Open redirect vulnerability in the clean_param function in lib/moodlel ...) - moodle 2.7.9+dfsg-1 (bug #792242) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50688 CVE-2015-3271 (Apache Tika server (aka tika-server) in Apache Tika 1.9 might allow re ...) - tika (The server isn't shipped in the Debian package) NOTE: https://marc.info/?l=oss-security&m=143948566828051&w=2 CVE-2015-3270 (Apache Ambari before 2.0.2 or 2.1.x before 2.1.1 allows remote authent ...) NOT-FOR-US: Apache Ambari CVE-2015-3269 (Apache Flex BlazeDS, as used in flex-messaging-core.jar in Adobe LiveC ...) NOT-FOR-US: Adobe CVE-2015-3268 (Cross-site scripting (XSS) vulnerability in the DisplayEntityField.get ...) NOT-FOR-US: Apache OFBiz CVE-2015-3267 (Cross-site scripting (XSS) vulnerability in the 404 error page in Red ...) NOT-FOR-US: JBoss Operations Network CVE-2015-3266 RESERVED CVE-2015-3265 RESERVED CVE-2015-3264 RESERVED CVE-2015-3263 RESERVED CVE-2015-3262 RESERVED CVE-2015-3261 RESERVED CVE-2015-3260 RESERVED CVE-2015-3259 (Stack-based buffer overflow in the xl command line utility in Xen 4.1. ...) {DSA-3414-1} - xen 4.6.0-1 (low; bug #795721) [wheezy] - xen (Minor issue, xl not used in wheezy) [squeeze] - xen (xl not shipped in Squeeze) NOTE: http://xenbits.xen.org/xsa/advisory-137.html CVE-2015-3258 (Heap-based buffer overflow in the WriteProlog function in filter/textt ...) {DSA-3303-1 DLA-314-1} - cups-filters 1.0.70-1 - cups 1.5.0-16 NOTE: cups moved filters to separate package in 1.5.0-16 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1235385 CVE-2015-3257 (Zend/Diactoros/Uri::filterPath in zend-diactoros before 1.0.4 does not ...) NOT-FOR-US: zend-diactoros NOTE: https://framework.zend.com/security/advisory/ZF2015-05 CVE-2015-3256 (PolicyKit (aka polkit) before 0.113 allows local users to cause a deni ...) - policykit-1 (The Policykit versions which rely on Javascript/Spidermonkey haven't been uploaded to unstable) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=69501 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=910262#c75 CVE-2015-3255 (The polkit_backend_action_pool_init function in polkitbackend/polkitba ...) [experimental] - policykit-1 0.113-1 - policykit-1 0.105-12 (bug #796134) [jessie] - policykit-1 0.105-15~deb8u1 [wheezy] - policykit-1 (Minor issue) [squeeze] - policykit-1 (Minor issue) NOTE: http://cgit.freedesktop.org/polkit/commit/?id=9f5e0c731784003bd4d6fc75ab739ff8b2ea269f CVE-2015-3254 (The client libraries in Apache Thrift before 0.9.3 might allow remote ...) - thrift-compiler (Vulnerable code not present) NOTE: Affects src:thrift, which is only in experimental. The issue is fixed upstream in 0.9.3 NOTE: so any future upload of thrift to unstable can mark this item as (fixed NOTE: before the initial upload to Debian unstable) CVE-2015-3253 (The MethodClosure class in runtime/MethodClosure.java in Apache Groovy ...) {DLA-274-1} - groovy 2.4.6-1 (bug #793397) [jessie] - groovy 1.8.6-4+deb8u1 [wheezy] - groovy 1.8.6-1+deb7u1 - groovy2 2.2.2+dfsg-5 (bug #793398) [jessie] - groovy2 2.2.2+dfsg-3+deb8u1 CVE-2015-3252 (Apache CloudStack before 4.5.2 does not properly preserve VNC password ...) NOT-FOR-US: Apache CloudStack CVE-2015-3251 (Apache CloudStack before 4.5.2 might allow remote authenticated admini ...) NOT-FOR-US: Apache CloudStack CVE-2015-3250 (Apache Directory LDAP API before 1.0.0-M31 allows attackers to conduct ...) - apache-directory-api 1.0.0~M20-3 (bug #791957) NOTE: http://www.openwall.com/lists/oss-security/2015/07/07/5 CVE-2015-3249 (The HTTP/2 experimental feature in Apache Traffic Server 5.3.x before ...) - trafficserver 5.3.1-1 [wheezy] - trafficserver (HTTP2 support does not exist) NOTE: http://mail-archives.us.apache.org/mod_mbox/www-announce/201507.mbox/%3CCABF6JR37mWzDmXDqRQwRUXiojBZrhidndnsY1ZgmcZv-o7-a+g@mail.gmail.com%3E CVE-2015-3248 (openhpi/Makefile.am in OpenHPI before 3.6.0 uses world-writable permis ...) - openhpi (Only affects RPM packaging, in Debian directory is not world-writable, bug #789543) CVE-2015-3247 (Race condition in the worker_update_monitors_config function in SPICE ...) {DSA-3354-1} - spice 0.12.5-1.2 (bug #797976) [wheezy] - spice (monitors_config support introduced in 0.11.3) NOTE: Referenced Bug with Details from Red Hat is currently private NOTE: Patch: https://git.centos.org/blob/rpms!spice.git/11e32f6dd156a3c4847da29d989837437e973ccc/SOURCES!0038-Avoid-race-conditions-reading-monitor-configs-from-g.patch CVE-2015-3246 (libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhe ...) {DLA-468-1} - libuser 1:0.62~dfsg-0.1 (bug #793465) [jessie] - libuser (Minor issue) CVE-2015-3245 (Incomplete blacklist vulnerability in the chfn function in libuser bef ...) {DLA-468-1} - libuser 1:0.62~dfsg-0.1 (bug #793465) [jessie] - libuser (Minor issue) NOTE: initially attributed to usermode package, root-cause fixed in libuser instead CVE-2015-3244 (The Portlet Bridge for JavaServer Faces in Red Hat JBoss Portal 6.2.0, ...) NOT-FOR-US: PortletBridge component of Red Hat JBoss Portal CVE-2015-3243 (rsyslog uses weak permissions for generating log files, which allows l ...) - rsyslog (unimportant) NOTE: The default for syslog is $FileCreateMode 0644 but the rsyslog.conf NOTE: provided by the Debian package sets $FileCreateMode 0640 CVE-2015-3242 REJECTED CVE-2015-3241 (OpenStack Compute (nova) 2015.1 through 2015.1.1, 2014.2.3, and earlie ...) - nova 1:12.0.0-2 (bug #796109) [jessie] - nova (Minor issue) [wheezy] - nova (Minor issue) NOTE: https://launchpad.net/bugs/1387543 NOTE: Affects: versions through 2014.1.4, and 2014.2 versions through 2014.2.3, and version 2015.1.0 NOTE: https://git.openstack.org/cgit/openstack/nova/commit/?id=7ab75d5b0b75fc3426323bef19bf436a258b9707 CVE-2015-3240 (The pluto IKE daemon in libreswan before 3.15 and Openswan before 2.6. ...) - openswan [squeeze] - openswan (Not supported in Squeeze LTS) [wheezy] - openswan (Not supported in Wheezy LTS) - libreswan (Fixed before the initial upload to Debian) NOTE: https://libreswan.org/security/CVE-2015-3240/ CVE-2015-3239 (Off-by-one error in the dwarf_to_unw_regnum function in include/dwarf_ ...) {DLA-271-1} - libunwind 1.1-4 (low; bug #790830) [jessie] - libunwind (Minor issue) [wheezy] - libunwind (Minor issue) - android-platform-external-libunwind 7.0.0+r1-4 (bug #849346) NOTE: http://savannah.nongnu.org/bugs/?45276 (private bug) NOTE: http://git.savannah.gnu.org/cgit/libunwind.git/commit/?id=396b6c7ab737e2bff244d640601c436a26260ca1 CVE-2015-3238 (The _unix_run_helper_binary function in the pam_unix module in Linux-P ...) - pam 1.1.8-3.2 (bug #789986) [jessie] - pam 1.1.8-3.1+deb8u1 [wheezy] - pam (Minor issue e.g. in combination with enabled SELinux) [squeeze] - pam (Minor issue e.g. in combination with enabled SELinux) NOTE: https://git.fedorahosted.org/cgit/linux-pam.git/commit/?id=e89d4c97385ff8180e6e81e84c5aa745daf28a79 NOTE: https://www.redhat.com/archives/pam-list/2015-June/msg00001.html CVE-2015-3237 (The smb_request_state function in cURL and libcurl 7.40.0 through 7.42 ...) - curl 7.43.0-1 [jessie] - curl (Vulnerable code not present) [wheezy] - curl (Vulnerable code not present) [squeeze] - curl (Vulnerable code not present) NOTE: http://curl.haxx.se/docs/adv_20150617B.html CVE-2015-3236 (cURL and libcurl 7.40.0 through 7.42.1 send the HTTP Basic authenticat ...) - curl 7.43.0-1 [jessie] - curl (Vulnerable code not present) [wheezy] - curl (Vulnerable code not present) [squeeze] - curl (Vulnerable code not present) NOTE: http://curl.haxx.se/docs/adv_20150617A.html CVE-2015-3235 (Foreman before 1.9.0 allows remote authenticated users with the edit_u ...) - foreman (bug #663101) CVE-2015-3234 (The OpenID module in Drupal 6.x before 6.36 and 7.x before 7.38 allows ...) {DSA-3291-1} - drupal7 7.38-1 - drupal6 [squeeze] - drupal6 NOTE: https://www.drupal.org/SA-CORE-2015-002 CVE-2015-3233 (Open redirect vulnerability in the Overlay module in Drupal 7.x before ...) {DSA-3291-1} - drupal7 7.38-1 - drupal6 (Only affects Drupal 7.x) NOTE: https://www.drupal.org/SA-CORE-2015-002 CVE-2015-3232 (Open redirect vulnerability in the Field UI module in Drupal 7.x befor ...) {DSA-3291-1} - drupal7 7.38-1 - drupal6 (Only affects Drupal 7.x) NOTE: https://www.drupal.org/SA-CORE-2015-002 CVE-2015-3231 (The Render cache system in Drupal 7.x before 7.38, when used to cache ...) {DSA-3291-1} - drupal7 7.38-1 - drupal6 (Only affects Drupal 7.x) NOTE: https://www.drupal.org/SA-CORE-2015-002 CVE-2015-3230 (389 Directory Server (formerly Fedora Directory Server) before 1.3.3.1 ...) - 389-ds-base 1.3.3.12-1 (bug #789202) [jessie] - 389-ds-base (Vulnerable code not present, fix for 47838 not applied in Jessie) NOTE: https://fedorahosted.org/389/ticket/48194 NOTE: Regression if https://fedorahosted.org/389/ticket/47838 applied CVE-2015-3229 (fedora-cloud-atomic.ks in spin-kickstarts allows remote attackers to c ...) NOT-FOR-US: Fedora Atomic CVE-2015-3228 (Integer overflow in the gs_heap_alloc_bytes function in base/gsmalloc. ...) {DSA-3326-1 DLA-280-1} - ghostscript 9.15~dfsg-1 (bug #793489) NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=696070 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0c0b0859 NOTE: File to reproduce segfault with ps2pdf: http://bugs.ghostscript.com/attachment.cgi?id=11776 CVE-2015-3227 (The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby ...) {DSA-3464-1 DLA-603-1} - rails 2:4.2.4-2 (bug #790487) [squeeze] - rails (Unsupported in squeeze-lts) [wheezy] - rails (Vulnerable code not present, is only a transitional package) - ruby-activesupport-3.2 - ruby-activesupport-2.3 [wheezy] - ruby-activesupport-2.3 (https://lists.debian.org/debian-security-announce/2014/msg00164.html) CVE-2015-3226 (Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active ...) {DSA-3464-1} - rails 2:4.2.4-2 (bug #790486) [squeeze] - rails (Unsupported in squeeze-lts) [wheezy] - rails (Vulnerable code not present, is only a transitional package) - ruby-activesupport-3.2 [wheezy] - ruby-activesupport-3.2 (Vulnerable code not present) - ruby-activesupport-2.3 [wheezy] - ruby-activesupport-2.3 (https://lists.debian.org/debian-security-announce/2014/msg00164.html) CVE-2015-3225 (lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used ...) {DSA-3322-1 DLA-254-1} - ruby-rack 1.5.2-4 (bug #789311) - ruby-rack1.4 - librack-ruby NOTE: http://seclists.org/oss-sec/2015/q2/729 has patches for 1.5 and 1.6 CVE-2015-3224 (request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x ...) NOT-FOR-US: Web Console Ruby Gem CVE-2015-3223 (The ldb_wildcard_compare function in ldb_match.c in ldb before 1.1.24, ...) {DSA-3433-1} - samba 2:4.1.22+dfsg-1 [wheezy] - samba (Only affects 4.0.0 to 4.3.2) [squeeze] - samba (Only affects 4.0.0 to 4.3.2) - ldb 2:1.1.24-1 [jessie] - ldb 2:1.1.17-2+deb8u1 [wheezy] - ldb (Minor issue, only relevant in conjunction with Samba 4, which isn't in wheezy) [squeeze] - ldb (Minor issue) NOTE: https://www.samba.org/samba/security/CVE-2015-3223.html NOTE: https://git.samba.org/?p=samba.git;a=commit;h=fb456954f332c07a645226d59b3b00ec252f8b26 (v4-1-stable) NOTE: https://git.samba.org/?p=samba.git;a=commit;h=bb1b783ee9d7259cfc6a1fe882f22189747f8684 (v4-1-stable) NOTE: Samba update needs as well fixed ldb CVE-2015-3222 (syscheck/seechanges.c in OSSEC 2.7 through 2.8.1 on NIX systems allows ...) - ossec-hids (bug #361954) CVE-2015-3221 (OpenStack Neutron before 2014.2.4 (juno) and 2015.1.x before 2015.1.1 ...) - neutron 2015.1.0+2015.06.24.git61.bdf194a0e1-1 (bug #789713) [jessie] - neutron (ipset code introduced in Juno) NOTE: https://bugs.launchpad.net/neutron/+bug/1461054/comments/18 NOTE: 2014.2 versions through 2014.2.3 and 2015.1.0 version CVE-2015-3220 (The tlslite library before 0.4.9 for Python allows remote attackers to ...) - tlslite CVE-2015-3219 (Cross-site scripting (XSS) vulnerability in the Orchestration/Stack se ...) {DSA-3617-1} - horizon 2015.1.0+2015.06.09.git15.e63af6c598-1 (bug #788306) [wheezy] - horizon (Vulnerable code not present) NOTE: 2014.2 versions through 2014.2.3 and version 2015.1.0 CVE-2015-3218 (The authentication_agent_new function in polkitbackend/polkitbackendin ...) [experimental] - policykit-1 0.113-1 - policykit-1 0.105-11 (bug #787932) [jessie] - policykit-1 0.105-15~deb8u1 [wheezy] - policykit-1 (Minor issue) [squeeze] - policykit-1 (Vulnerable code introduced later) NOTE: http://lists.freedesktop.org/archives/polkit-devel/2015-May/000420.html NOTE: Patch: http://cgit.freedesktop.org/polkit/commit/?id=48e646918efb2bf0b3b505747655726d7869f31c NOTE: Introduced by: http://cgit.freedesktop.org/polkit/commit/?id=6eeb077bc90c9c7783360a526b2f04645b1b0848 CVE-2015-3217 (PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty ...) - pcre3 2:8.38-1 (bug #787641) [jessie] - pcre3 (Minor issue) [wheezy] - pcre3 (Minor issue) [squeeze] - pcre3 (Minor issue) NOTE: https://bugs.exim.org/show_bug.cgi?id=1638 NOTE: Upstream fix: http://vcs.pcre.org/pcre?view=revision&revision=1566 NOTE: More information: https://bugzilla.redhat.com/show_bug.cgi?id=1228283#c2 CVE-2015-3216 (Race condition in a certain Red Hat patch to the PRNG lock implementat ...) - openssl (Affects Red Hat specific patch) NOTE: More information in https://bugzilla.redhat.com/show_bug.cgi?id=1225994 CVE-2015-3215 (The NetKVM Windows Virtio driver allows remote attackers to cause a de ...) NOT-FOR-US: virtio Windows drivers CVE-2015-3214 (The pit_ioport_read in i8254.c in the Linux kernel before 2.6.33 and Q ...) {DSA-3348-1} - qemu 1:2.4+dfsg-1a (bug #795461) [wheezy] - qemu (Introduced in 1.3.0) [squeeze] - qemu (Introduced in 1.3.0) - qemu-kvm (Introduced in 1.3.0) - xen 4.4.0-1 [wheezy] - xen (Vulnerable code introduced in 1.3.0, embedded version is 0.10.2) NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: Upstream commit: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=d4862a87e31a51de9eb260f25c9e99a75efe3235 NOTE: Introduced in http://git.qemu.org/?p=qemu.git;a=commitdiff;h=0505bcdec8228d8de39ab1a02644e71999e7c052 (v1.3.0-rc0) - linux (Fixed before linux-2.6 -> linux rename, v2.6.33-rc8) - linux-2.6 2.6.37-1 [squeeze] - linux-2.6 (KVM not supported in Squeeze LTS) NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ee73f656a604d5aa9df86a97102e4e462dd79924 (v2.6.33-rc8) CVE-2015-3213 (The gesture handling code in Clutter before 1.16.2 allows physically p ...) - clutter-1.0 1.18.0-1 [wheezy] - clutter-1.0 (Vulnerable code introduced later) [squeeze] - clutter-1.0 (Vulnerable code was introduced past 1.12.0) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=749847 NOTE: Introduced by: https://git.gnome.org/browse/clutter/commit/?id=abcf1d589f29ba7914d5648bb9814ad26c13cd83 (1.13.2) NOTE: Fixed by: https://git.gnome.org/browse/clutter/commit/?id=97724939c8de004d7fa230f3ff64862d957f93a9 (1.17.2) CVE-2015-3212 (Race condition in net/sctp/socket.c in the Linux kernel before 4.1.2 a ...) {DSA-3329-1} - linux 4.0.8-1 - linux-2.6 (Vulnerable code introduced later) NOTE: https://marc.info/?l=linux-netdev&m=143277436124732&w=2 NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9f7d653b67aed2d92540fbb0a8adaf32fcf352ae (v3.1-rc1) CVE-2015-3211 (php-fpm allows local users to write to or create arbitrary files via a ...) - php5 (Red Hat specific problem in the rpm package) CVE-2015-3210 (Heap-based buffer overflow in PCRE 8.34 through 8.37 and PCRE2 10.10 a ...) - pcre3 2:8.35-7.2 (bug #787433) [jessie] - pcre3 2:8.35-3.3+deb8u1 [wheezy] - pcre3 (Vulnerable code introduced later) [squeeze] - pcre3 (Vulnerable code introduced later) NOTE: https://bugs.exim.org/show_bug.cgi?id=1636 NOTE: Fixed by: http://vcs.pcre.org/pcre?view=revision&revision=1558 NOTE: Affected code refactored in: http://vcs.pcre.org/pcre?view=revision&revision=1359 (8.34) NOTE: Issue then introduced by: http://vcs.pcre.org/pcre?view=revision&revision=1361 CVE-2015-3209 (Heap-based buffer overflow in the PCNET controller in QEMU allows remo ...) {DSA-3286-1 DSA-3285-1 DSA-3284-1} - qemu 1:2.3+dfsg-6 (bug #788460) [wheezy] - qemu 1.1.2+dfsg-6a+deb7u8 - qemu-kvm - xen 4.4.0-1 [squeeze] - xen (Not supported in Squeeze LTS) [squeeze] - xen-qemu-dm-4.0 (Not supported in Squeeze LTS) [squeeze] - qemu (Not supported in Squeeze LTS) [squeeze] - qemu-kvm (Not supported in Squeeze LTS) NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: http://xenbits.xen.org/xsa/advisory-135.html CVE-2015-3208 (XML external entity (XXE) vulnerability in the XPath selector componen ...) NOT-FOR-US: HornetQ CVE-2015-3207 RESERVED CVE-2015-3206 (The checkPassword function in python-kerberos does not authenticate th ...) {DLA-265-2 DLA-265-1} - pykerberos 1.1.5-1 (bug #796195) [jessie] - pykerberos 1.1.5-0.1+deb8u1 [wheezy] - pykerberos 1.1+svn4895-1+deb7u1 NOTE: CVE originally assigned for python-kerberos, pykerberos is a fork of the NOTE: former. NOTE: KDC verification support in pykerberos added in https://github.com/02strich/pykerberos/commit/02d13860b25fab58e739f0e000bed0067b7c6f9c NOTE: Using the above code as is might break existing installations since a keytab is required to call krb5_verify_init_creds CVE-2015-3205 (libmimedir allows remote attackers to execute arbitrary code via a VCF ...) - libmimedir (bug #789197) [jessie] - libmimedir (Minor issue) [wheezy] - libmimedir (Minor issue) [squeeze] - libmimedir (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1222251 CVE-2015-3204 (libreswan 3.9 through 3.12 allows remote attackers to cause a denial o ...) - libreswan (Fixed before the initial upload to Debian) NOTE: https://libreswan.org/security/CVE-2015-3204/CVE-2015-3204.txt NOTE: https://libreswan.org/security/CVE-2015-3204/CVE-2015-3204-libreswan.patch CVE-2015-3203 (Unrestricted file upload vulnerability in h5ai before 0.25.0 allows re ...) NOT-FOR-US: h5ai CVE-2015-3202 (fusermount in FUSE before 2.9.3-15 does not properly clear the environ ...) {DSA-3268-2 DSA-3268-1 DSA-3266-1 DLA-238-1 DLA-226-2 DLA-226-1} - fuse 2.9.3-16 (bug #786439) NOTE: Upstream fix: http://web.archive.org/web/20150529051222/http://sourceforge.net:80/p/fuse/fuse/ci/fe2d96 - ntfs-3g 1:2014.2.15AR.3-3 (bug #786475) NOTE: ntfs-3g source wise affected but wheezy version uses --with-fuse=external NOTE: ntfs-3g is built with internal copy since 1:2013.1.13AR.3-2 CVE-2015-3201 (Thermostat before 2.0.0 uses world-readable permissions for the web.xm ...) NOT-FOR-US: thermostat CVE-2015-3200 (mod_auth in lighttpd before 1.4.36 allows remote attackers to inject a ...) - lighttpd 1.4.37-1 (low; bug #787132) [jessie] - lighttpd (Minor issue) [wheezy] - lighttpd (Minor issue) [squeeze] - lighttpd (Minor issue) NOTE: http://jaanuskp.blogspot.com/2015/05/cve-2015-3200.html NOTE: http://redmine.lighttpd.net/issues/2646 CVE-2015-3199 REJECTED CVE-2015-3198 (The Undertow module of WildFly 9.x before 9.0.0.CR2 and 10.x before 10 ...) NOT-FOR-US: Undertow module of WildFly / JBOSS CVE-2015-3197 (ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f d ...) {DLA-421-1} - openssl 1.0.0c-2 NOTE: 1.0.0c-2 dropped SSLv2 support NOTE: No MITM: https://bugzilla.redhat.com/show_bug.cgi?id=1301846#c3 CVE-2015-3196 (ssl/s3_clnt.c in OpenSSL 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1p, and ...) {DSA-3413-1} - openssl 1.0.2d-1 [squeeze] - openssl (Only affects 1.0.0 to 1.0.2) CVE-2015-3195 (The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in Open ...) {DSA-3413-1 DLA-358-1} - openssl 1.0.2e-1 NOTE: https://www.openssl.org/news/secadv/20151203.txt CVE-2015-3194 (crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before ...) {DSA-3413-1} - openssl 1.0.2e-1 [squeeze] - openssl (Only affects 1.0.1 and 1.0.2) NOTE: https://www.openssl.org/news/secadv/20151203.txt CVE-2015-3193 (The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.p ...) - openssl 1.0.2e-1 [jessie] - openssl (Only affects 1.0.2) [wheezy] - openssl (Only affects 1.0.2) [squeeze] - openssl (Only affects 1.0.2) NOTE: https://www.openssl.org/news/secadv/20151203.txt CVE-2015-3192 (Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not pro ...) {DLA-1853-1} - libspring-java 4.1.9-1 (low; bug #796137) [wheezy] - libspring-java (Minor issue) NOTE: https://pivotal.io/security/cve-2015-3192 NOTE: https://jira.spring.io/browse/SPR-13136 CVE-2015-3191 (With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA St ...) NOT-FOR-US: Cloud Foundry CVE-2015-3190 (With Cloud Foundry Runtime cf-release versions v209 or earlier, UAA St ...) NOT-FOR-US: Cloud Foundry CVE-2015-3189 (With Cloud Foundry Runtime cf-release versions v208 or earlier, UAA St ...) NOT-FOR-US: Cloud Foundry CVE-2015-3188 (The UI daemon in Apache Storm 0.10.0 before 0.10.0-beta1 allows remote ...) NOT-FOR-US: Apache Storm CVE-2015-3187 (The svn_repos_trace_node_locations function in Apache Subversion befor ...) {DSA-3331-1 DLA-293-1} - subversion 1.9.0-1 NOTE: https://subversion.apache.org/security/CVE-2015-3187-advisory.txt CVE-2015-3186 (Cross-site scripting (XSS) vulnerability in Apache Ambari before 2.1.0 ...) NOT-FOR-US: Apache Ambari CVE-2015-3185 (The ap_some_auth_required function in server/request.c in the Apache H ...) {DSA-3325-1} - apache2 2.4.16-1 [wheezy] - apache2 (Bug introduced during 2.4 development) [squeeze] - apache2 (Bug introduced during 2.4 development) NOTE: https://www.apache.org/dist/httpd/Announcement2.4.txt NOTE: http://web.archive.org/web/20150918024815/http://www.apache.org:80/dist/httpd/CHANGES_2.4.16 NOTE: http://svn.apache.org/viewvc?view=revision&revision=1684525 NOTE: Behavior changed in 2.4.x refactoring, API no longer usable in 2.4.x CVE-2015-3184 (mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x befor ...) {DSA-3331-1} - subversion 1.9.0-1 [wheezy] - subversion (1.6 does not build with apache 2.4) [squeeze] - subversion (1.6 does not build with apache 2.4) NOTE: https://subversion.apache.org/security/CVE-2015-3184-advisory.txt NOTE: subversion needs to be built with a fixed apache version CVE-2015-3183 (The chunked transfer coding implementation in the Apache HTTP Server b ...) {DSA-3325-1 DLA-284-1} - apache2 2.4.16-1 NOTE: https://www.apache.org/dist/httpd/Announcement2.4.txt NOTE: http://web.archive.org/web/20150918024815/http://www.apache.org:80/dist/httpd/CHANGES_2.4.16 NOTE: http://svn.apache.org/viewvc?view=revision&revision=1684515 NOTE: http://svn.apache.org/viewvc?view=revision&revision=1687338 (2.2.x) NOTE: http://svn.apache.org/viewvc?view=revision&revision=1687339 (2.2.x) CVE-2015-3182 (epan/dissectors/packet-dec-dnart.c in the DECnet NSP/RT dissector in W ...) - wireshark 1.12.0~rc1-1 [jessie] - wireshark (Only affected 1.10.x) [wheezy] - wireshark (Only affected 1.10.x) [squeeze] - wireshark (Only affected 1.10.x) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-01.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1219409 CVE-2015-3181 (files/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2. ...) - moodle 2.7.8+dfsg-1 (bug #785591) [squeeze] - moodle (Not supported in Squeeze LTS) CVE-2015-3180 (lib/navigationlib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2. ...) - moodle 2.7.8+dfsg-1 (bug #785591) [squeeze] - moodle (Not supported in Squeeze LTS) CVE-2015-3179 (login/confirm.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x ...) - moodle 2.7.8+dfsg-1 (bug #785591) [squeeze] - moodle (Not supported in Squeeze LTS) CVE-2015-3178 (Cross-site scripting (XSS) vulnerability in the external_format_text f ...) - moodle 2.7.8+dfsg-1 (bug #785591) [squeeze] - moodle (Not supported in Squeeze LTS) CVE-2015-3177 (Moodle 2.8.x before 2.8.6 does not consider the tool/monitor:subscribe ...) - moodle (Only affects versions 2.8 to 2.8.5) CVE-2015-3176 (The account-confirmation feature in login/confirm.php in Moodle throug ...) - moodle 2.7.8+dfsg-1 (bug #785591) [squeeze] - moodle (Not supported in Squeeze LTS) CVE-2015-3175 (Multiple open redirect vulnerabilities in Moodle through 2.5.9, 2.6.x ...) - moodle 2.7.8+dfsg-1 (bug #785591) [squeeze] - moodle (Not supported in Squeeze LTS) CVE-2015-3174 (mod/quiz/db/access.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2 ...) - moodle 2.7.8+dfsg-1 (bug #785591) [squeeze] - moodle (Not supported in Squeeze LTS) CVE-2015-3173 RESERVED CVE-2015-3172 RESERVED CVE-2015-3171 (sosreport 3.2 uses weak permissions for generated sosreport archives, ...) - sosreport 3.2-2 (bug #769521) NOTE: https://github.com/sosreport/sos/commit/d7759d3ddae5fe99a340c88a1d370d65cfa73fd6 NOTE: https://github.com/sosreport/sos/issues/425 CVE-2015-3170 (selinux-policy when sysctl fs.protected_hardlinks are set to 0 allows ...) NOT-FOR-US: Red Hat specific issue with selinux-policy rpm package CVE-2015-3169 (Cross-site scripting (XSS) vulnerability in askbot 0.7.51-4.el6.noarch ...) - askbot (bug #687966) CVE-2015-3168 REJECTED CVE-2015-3167 (contrib/pgcrypto in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2 ...) {DSA-3270-1 DSA-3269-1 DLA-227-1} - postgresql-9.4 9.4.2-1 - postgresql-9.1 NOTE: Since 9.1.1-2 src:postgresql-9.1 builds only postgresql-plperl-9.1, source-wise fixed - postgresql-8.4 [wheezy] - postgresql-8.4 (postgresql-8.4 in wheezy only provides PL/Perl; EOL upstream) CVE-2015-3166 (The snprintf implementation in PostgreSQL before 9.0.20, 9.1.x before ...) {DSA-3270-1 DSA-3269-1 DLA-227-1} - postgresql-9.4 9.4.2-1 - postgresql-9.1 - postgresql-8.4 [wheezy] - postgresql-8.4 (postgresql-8.4 in wheezy only provides PL/Perl; EOL upstream) CVE-2015-3165 (Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9. ...) {DSA-3270-1 DSA-3269-1 DLA-227-1} - postgresql-9.4 9.4.2-1 - postgresql-9.1 NOTE: Since 9.1.1-2 src:postgresql-9.1 builds only postgresql-plperl-9.1, source-wise fixed - postgresql-8.4 [wheezy] - postgresql-8.4 (postgresql-8.4 in wheezy only provides PL/Perl; EOL upstream) CVE-2015-3164 (The authentication setup in XWayland 1.16.x and 1.17.x before 1.17.2 s ...) - xorg-server 2:1.17.2-1 (bug #788410) [jessie] - xorg-server 2:1.16.4-1+deb8u2 [wheezy] - xorg-server (XWayland not present) [squeeze] - xorg-server (XWayland not present) NOTE: http://lists.freedesktop.org/archives/wayland-devel/2015-June/022548.html NOTE: Patch 1/3: http://cgit.freedesktop.org/xorg/xserver/commit/?id=c4534a38b68aa07fb82318040dc8154fb48a9588 NOTE: Patch 2/3: http://cgit.freedesktop.org/xorg/xserver/commit/?id=4b4b9086d02b80549981d205fb1f495edc373538 NOTE: Patch 3/3: http://cgit.freedesktop.org/xorg/xserver/commit/?id=76636ac12f2d1dbdf7be08222f80e7505d53c451 CVE-2015-3163 (The admin pages for power types and key types in Beaker before 20.1 do ...) NOT-FOR-US: Beaker (toolset for managing test labs, not src:beaker in Debian) CVE-2015-3162 (Cross-site scripting (XSS) vulnerability in the edit comment dialog in ...) NOT-FOR-US: Beaker (toolset for managing test labs, not src:beaker in Debian) CVE-2015-3161 (The search bar code in bkr/server/widgets.py in Beaker before 20.1 doe ...) NOT-FOR-US: Beaker (toolset for managing test labs, not src:beaker in Debian) CVE-2015-3160 (XML external entity (XXE) vulnerability in bkr/server/jobs.py in Beake ...) NOT-FOR-US: Beaker (toolset for managing test labs, not src:beaker in Debian) CVE-2015-3159 (The abrt-action-install-debuginfo-to-abrt-cache help program in Automa ...) NOT-FOR-US: abrt is Red Hat / Fedora specific CVE-2015-3158 (The invokeNextValve function in identity/federation/bindings/tomcat/id ...) NOT-FOR-US: PicketLink CVE-2015-3157 REJECTED CVE-2015-3156 (The _write_config function in trove/guestagent/datastore/experimental/ ...) - openstack-trove (unimportant; bug #787654) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1216073#c1 NOTE: partially fixed already in 2015.1~rc2-1, cf. #787654 NOTE: will be completed during kilo release CVE-2015-3155 (Foreman before 1.8.1 does not set the secure flag for the _session_id ...) - foreman (bug #663101) CVE-2015-3154 (CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framewor ...) {DSA-3265-1 DLA-251-1} - zendframework 1.12.12+dfsg-1 [jessie] - zendframework 1.12.9+dfsg-2+deb8u1 NOTE: http://framework.zend.com/security/advisory/ZF2015-04 CVE-2015-3153 (The default configuration for cURL and libcurl before 7.42.1 sends cus ...) {DSA-3240-1} - curl 7.42.1-1 [wheezy] - curl (Too intrusive to backport) [squeeze] - curl (Too intrusive to backport) NOTE: http://curl.haxx.se/docs/adv_20150429.html CVE-2015-3152 (Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclien ...) {DSA-3311-1} - mariadb-10.0 10.0.20-1 - percona-xtradb-cluster-5.5 NOTE: CVE was assigned explicitly only for MariaDB and Percona, but not Oracle MySQL NOTE: since Oracle is a CNA itself. NOTE: http://www.ocert.org/advisories/ocert-2015-003.html NOTE: http://mysqlblog.fivefarmers.com/2015/04/29/ssltls-in-5-6-and-5-5-ocert-advisory/ NOTE: https://mariadb.atlassian.net/browse/MDEV-7937 CVE-2015-3151 (Directory traversal vulnerability in abrt-dbus in Automatic Bug Report ...) NOT-FOR-US: abrt is Red Hat / Fedora specific CVE-2015-3150 (abrt-dbus in Automatic Bug Reporting Tool (ABRT) allows local users to ...) NOT-FOR-US: abrt is Red Hat / Fedora specific CVE-2015-3149 (The Hotspot component in OpenJDK8 as packaged in Red Hat Enterprise Li ...) - openjdk-8 (defective patch not applied) CVE-2015-3148 (cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenti ...) {DSA-3232-1 DLA-211-1} - curl 7.42.0-1 NOTE: http://curl.haxx.se/docs/adv_20150422B.html CVE-2015-3147 (daemon/abrt-handle-upload.in in Automatic Bug Reporting Tool (ABRT), w ...) NOT-FOR-US: abrt is Red Hat / Fedora specific CVE-2015-3146 (The (1) SSH_MSG_NEWKEYS and (2) SSH_MSG_KEXDH_REPLY packet handlers in ...) - libssh 0.6.3-4.2 (bug #784404) [jessie] - libssh 0.6.3-4+deb8u1 [wheezy] - libssh 0.5.4-1+deb7u3 [squeeze] - libssh (Issue only present in versions > 0.5.1, squeeze has 0.4.5) NOTE: https://www.libssh.org/2015/04/30/libssh-0-6-5-security-and-bugfix-release/ CVE-2015-3145 (The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7 ...) - curl 7.42.0-1 [jessie] - curl 7.38.0-4+deb8u1 [wheezy] - curl (Affects 7.31.0 to and including 7.41.0) [squeeze] - curl (Affects 7.31.0 to and including 7.41.0) NOTE: http://curl.haxx.se/docs/adv_20150422C.html CVE-2015-3144 (The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 do ...) - curl 7.42.0-1 [jessie] - curl 7.38.0-4+deb8u1 [wheezy] - curl (Affects 7.37.0 to and including 7.41.0) [squeeze] - curl (Affects 7.37.0 to and including 7.41.0) NOTE: http://curl.haxx.se/docs/adv_20150422D.html CVE-2015-3143 (cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM c ...) {DSA-3232-1 DLA-211-1} - curl 7.42.0-1 NOTE: http://curl.haxx.se/docs/adv_20150422A.html CVE-2015-3142 (The kernel-invoked coredump processor in Automatic Bug Reporting Tool ...) NOT-FOR-US: abrt is Red Hat / Fedora specific CVE-2015-3141 (Multiple cross-site request forgery (CSRF) vulnerabilities in Synametr ...) NOT-FOR-US: Synametrics Technologies Xeams CVE-2015-3140 (Multiple cross-site request forgery (CSRF) vulnerabilities in Synametr ...) NOT-FOR-US: Synametrics CVE-2015-3139 RESERVED CVE-2015-3138 (print-wb.c in tcpdump before 4.7.4 allows remote attackers to cause a ...) - tcpdump (Introduced in 4.7) NOTE: https://github.com/the-tcpdump-group/tcpdump/issues/446 NOTE: Fixed by: https://github.com/the-tcpdump-group/tcpdump/commit/3ed82f4ed0095768529afc22b923c8f7171fff70 NOTE: Introduced by: https://github.com/the-tcpdump-group/tcpdump/commit/3a3ec26085461998074b827b112d38e8f3246a86 CVE-2015-3137 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3136 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3135 (Heap-based buffer overflow in Adobe Flash Player before 13.0.0.302 and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3134 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3133 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3132 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3131 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3130 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3129 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3128 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3127 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3126 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3125 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3124 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3123 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3122 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3121 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3120 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3119 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3118 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3117 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3116 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3115 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3114 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3113 (Heap-based buffer overflow in Adobe Flash Player before 13.0.0.296 and ...) NOT-FOR-US: Adobe Flash Player NOTE: https://helpx.adobe.com/security/products/flash-player/apsb15-14.html CVE-2015-3112 (Adobe Photoshop CC before 16.0 (aka 2015.0.0) and Adobe Bridge CC befo ...) NOT-FOR-US: Adobe CVE-2015-3111 (Heap-based buffer overflow in Adobe Photoshop CC before 16.0 (aka 2015 ...) NOT-FOR-US: Adobe CVE-2015-3110 (Integer overflow in Adobe Photoshop CC before 16.0 (aka 2015.0.0) and ...) NOT-FOR-US: Adobe CVE-2015-3109 (Adobe Photoshop CC before 16.0 (aka 2015.0.0) allows attackers to exec ...) NOT-FOR-US: Adobe CVE-2015-3108 (Adobe Flash Player before 13.0.0.292 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3107 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.292 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3106 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.292 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3105 (Adobe Flash Player before 13.0.0.292 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3104 (Integer overflow in Adobe Flash Player before 13.0.0.292 and 14.x thro ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3103 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.292 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3102 (Adobe Flash Player before 13.0.0.292 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3101 (The Flash broker in Adobe Flash Player before 13.0.0.292 and 14.x thro ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3100 (Stack-based buffer overflow in Adobe Flash Player before 13.0.0.292 an ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3099 (Adobe Flash Player before 13.0.0.292 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3098 (Adobe Flash Player before 13.0.0.292 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3097 (Adobe Flash Player before 13.0.0.292 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3096 (Adobe Flash Player before 13.0.0.292 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3095 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2015-3094 REJECTED CVE-2015-3093 (Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3092 (Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3091 (Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3090 (Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3089 (Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3088 (Heap-based buffer overflow in Adobe Flash Player before 13.0.0.289 and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3087 (Integer overflow in Adobe Flash Player before 13.0.0.289 and 14.x thro ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3086 (Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3085 (Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3084 (Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3083 (Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3082 (Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3081 (Race condition in Adobe Flash Player before 13.0.0.289 and 14.x throug ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3080 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.289 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3079 (Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3078 (Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3077 (Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3076 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...) NOT-FOR-US: Adobe CVE-2015-3075 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe CVE-2015-3074 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...) NOT-FOR-US: Adobe CVE-2015-3073 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...) NOT-FOR-US: Adobe CVE-2015-3072 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...) NOT-FOR-US: Adobe CVE-2015-3071 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...) NOT-FOR-US: Adobe CVE-2015-3070 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...) NOT-FOR-US: Adobe CVE-2015-3069 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...) NOT-FOR-US: Adobe CVE-2015-3068 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...) NOT-FOR-US: Adobe CVE-2015-3067 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...) NOT-FOR-US: Adobe CVE-2015-3066 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...) NOT-FOR-US: Adobe CVE-2015-3065 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...) NOT-FOR-US: Adobe CVE-2015-3064 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...) NOT-FOR-US: Adobe CVE-2015-3063 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...) NOT-FOR-US: Adobe CVE-2015-3062 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...) NOT-FOR-US: Adobe CVE-2015-3061 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...) NOT-FOR-US: Adobe CVE-2015-3060 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...) NOT-FOR-US: Adobe CVE-2015-3059 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe CVE-2015-3058 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...) NOT-FOR-US: Adobe CVE-2015-3057 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...) NOT-FOR-US: Adobe CVE-2015-3056 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...) NOT-FOR-US: Adobe CVE-2015-3055 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe CVE-2015-3054 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe CVE-2015-3053 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe CVE-2015-3052 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...) NOT-FOR-US: Adobe CVE-2015-3051 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...) NOT-FOR-US: Adobe CVE-2015-3050 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...) NOT-FOR-US: Adobe CVE-2015-3049 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...) NOT-FOR-US: Adobe CVE-2015-3048 (Buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.14 and 11 ...) NOT-FOR-US: Adobe CVE-2015-3047 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...) NOT-FOR-US: Adobe CVE-2015-3046 (Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 o ...) NOT-FOR-US: Adobe CVE-2015-3045 REJECTED CVE-2015-3044 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3043 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3042 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3041 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3040 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3039 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.281 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3038 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-3037 RESERVED CVE-2015-3036 (Stack-based buffer overflow in the run_init_sbus function in the KCode ...) NOT-FOR-US: KCodes NetUSB module for the Linux kernel CVE-2015-3035 (Directory traversal vulnerability in TP-LINK Archer C5 (1.2) with firm ...) NOT-FOR-US: TP-LINK Router CVE-2015-3034 RESERVED CVE-2015-3033 RESERVED CVE-2015-3032 RESERVED CVE-2015-3031 RESERVED CVE-2015-3027 (Clang in LLVM, as used in Apple Xcode before 6.3, performs incorrect r ...) NOT-FOR-US: Clang in LLVM as used in Apple Xcode CVE-2015-3025 RESERVED CVE-2015-3024 RESERVED CVE-2015-3023 RESERVED CVE-2015-3022 RESERVED CVE-2015-3021 RESERVED CVE-2015-3020 RESERVED CVE-2015-3019 RESERVED CVE-2015-3018 RESERVED CVE-2015-3017 RESERVED CVE-2015-3016 RESERVED CVE-2015-3015 RESERVED CVE-2015-3014 RESERVED CVE-2015-3009 RESERVED CVE-2014-9716 (Cross-site scripting (XSS) vulnerability in WebODF before 0.5.4 allows ...) - owncloud (embedded partial copy doesn't contain the related code) - owncloud-documents (embedded partial copy doesn't contain the related code) - webodf (bug #727529) CVE-2015-3416 (The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does n ...) {DSA-3252-2 DSA-3252-1} - sqlite3 3.8.9-1 (bug #783968) [squeeze] - sqlite3 (Can't reproduce the issue) NOTE: http://www.sqlite.org/src/info/c494171f77dc2e5e NOTE: http://seclists.org/bugtraq/2015/Apr/97 NOTE: https://lists.debian.org/debian-lts/2015/06/msg00031.html CVE-2015-3415 (The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not ...) {DSA-3252-1} - sqlite3 3.8.9-1 (bug #783968) [wheezy] - sqlite3 (Vulnerable code not present) [squeeze] - sqlite3 (Vulnerable code not present) NOTE: https://www.sqlite.org/src/info/02e3c88fbf6abdcf NOTE: http://seclists.org/bugtraq/2015/Apr/97 CVE-2015-3414 (SQLite before 3.8.9 does not properly implement the dequoting of colla ...) {DSA-3252-1} - sqlite3 3.8.9-1 (bug #783968) [wheezy] - sqlite3 (Can't reproduce the issue) [squeeze] - sqlite3 (Can't reproduce the issue) NOTE: https://www.sqlite.org/src/info/eddc05e7bb31fae7 NOTE: http://seclists.org/bugtraq/2015/Apr/97 CVE-2015-3306 (The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read a ...) {DSA-3263-1} - proftpd-dfsg 1.3.5-2 (bug #782781) [squeeze] - proftpd-dfsg (mod_copy not available in version 1.3.3) NOTE: http://www.openwall.com/lists/oss-security/2015/04/15/2 NOTE: https://github.com/proftpd/proftpd/pull/109 NOTE: http://bugs.proftpd.org/show_bug.cgi?id=4169 NOTE: https://cxsecurity.com/issue/WLB-2015040075 CVE-2015-3331 (The __driver_rfc4106_decrypt function in arch/x86/crypto/aesni-intel_g ...) {DSA-3237-1} - linux 3.16.7-ckt9-3 (bug #782561) - linux-2.6 [squeeze] - linux-2.6 (Vulnerable code introduced in v2.6.38-rc1) NOTE: http://www.openwall.com/lists/oss-security/2015/04/14/16 NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ccfe8c3f7e52ae83155cb038753f4c75b774ca8a (v4.0-rc5) NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0bd82f5f6355775fbaf7d3c664432ce1b862be1e (v2.6.38-rc1) CVE-2015-3332 (A certain backport in the TCP Fast Open implementation for the Linux k ...) - linux 3.16.7-ckt9-3 (bug #782515) [jessie] - linux 3.16.7-ckt9-3~deb8u1 [wheezy] - linux (TCP Fast Open introduced in v3.6-rc1) - linux-2.6 (TCP Fast Open introduced in v3.6-rc1) NOTE: http://www.openwall.com/lists/oss-security/2015/04/14/14 NOTE: http://thread.gmane.org/gmane.linux.network/359588 CVE-2016-4353 (ber-decoder.c in Libksba before 1.3.3 does not properly handle decoder ...) - libksba 1.3.3-1 (low) [jessie] - libksba 1.3.2-1+deb8u1 [wheezy] - libksba (Minor issue) [squeeze] - libksba (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/04/13/5 NOTE: http://www.openwall.com/lists/oss-security/2016/04/29/5 NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=07116a314f4dcd4d96990bbd74db95a03a9f650a CVE-2016-4355 (Multiple integer overflows in ber-decoder.c in Libksba before 1.3.3 al ...) - libksba 1.3.3-1 (low) [jessie] - libksba 1.3.2-1+deb8u1 [wheezy] - libksba (Minor issue) [squeeze] - libksba (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/04/13/5 NOTE: http://www.openwall.com/lists/oss-security/2016/04/29/5 NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=aea7b6032865740478ca4b706850a5217f1c3887 CVE-2016-4354 (ber-decoder.c in Libksba before 1.3.3 uses an incorrect integer data t ...) - libksba 1.3.3-1 (low) [jessie] - libksba 1.3.2-1+deb8u1 [wheezy] - libksba (Minor issue) [squeeze] - libksba (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/04/13/5 NOTE: http://www.openwall.com/lists/oss-security/2016/04/29/5 NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=aea7b6032865740478ca4b706850a5217f1c3887 CVE-2016-4356 (The append_utf8_value function in the DN decoder (dn.c) in Libksba bef ...) - libksba 1.3.3-1 (low) [jessie] - libksba 1.3.2-1+deb8u1 [wheezy] - libksba (Minor issue) [squeeze] - libksba (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/04/13/5 NOTE: http://www.openwall.com/lists/oss-security/2016/04/29/5 NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=243d12fdec66a4360fbb3e307a046b39b5b4ffc3 CVE-2015-3310 (Buffer overflow in the rc_mksid function in plugins/radius/util.c in P ...) {DSA-3228-1 DLA-205-1} - ppp 2.4.6-3.1 (bug #782450) NOTE: http://www.openwall.com/lists/oss-security/2015/04/13/4 NOTE: Patch: https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=17;filename=ppp_2.4.6-3.1-nmu.diff;att=1;bug=782450 CVE-2015-5621 (The snmp_pdu_parse function in snmp_api.c in net-snmp 5.7.2 and earlie ...) {DSA-4154-1 DLA-1317-1} - net-snmp 5.7.3+dfsg-1.1 (bug #788964) [squeeze] - net-snmp (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/04/13/1 NOTE: Upstream patch: https://sourceforge.net/p/net-snmp/code/ci/f23bcd3ac6ddee5d0a48f9703007ccc738914791/ NOTE: https://sourceforge.net/p/net-snmp/bugs/2615/ (currently not public) CVE-2015-4085 (Directory traversal vulnerability in node/hooks/express/tests.js in Et ...) - etherpad-lite (bug #576998) NOTE: http://www.openwall.com/lists/oss-security/2015/04/11/10 CVE-2015-3297 (Directory traversal vulnerability in node/utils/Minify.js in Etherpad ...) - etherpad-lite (bug #576998) CVE-2015-3010 (ceph-deploy before 1.5.23 uses weak permissions (644) for ceph/ceph.cl ...) - ceph-deploy (Fixed with initial upload to Debian) NOTE: http://www.openwall.com/lists/oss-security/2015/04/09/9 CVE-2015-3405 (ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 4.3.12 d ...) {DSA-3223-1 DLA-192-1} - ntp 1:4.2.6.p5+dfsg-7 NOTE: https://bugs.ntp.org/show_bug.cgi?id=2797 NOTE: Patch: http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=55199296N2gFqH1Hm5GOnhrk9Ypygg NOTE: http://www.openwall.com/lists/oss-security/2015/04/09/5 CVE-2015-3008 (Asterisk Open Source 1.8 before 1.8.32.3, 11.x before 11.17.1, 12.x be ...) {DSA-3700-1 DLA-455-1} - asterisk 1:13.7.2~dfsg-1 (bug #782411) [squeeze] - asterisk (Not supported in Squeeze LTS) NOTE: http://downloads.asterisk.org/pub/security/AST-2015-003.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-24847 NOTE: Patch: https://issues.asterisk.org/jira/secure/attachment/52082/asterisk-null-in-cn.patch CVE-2015-3007 (The Juniper SRX Series services gateways with Junos OS 12.1X46 before ...) NOT-FOR-US: Juniper CVE-2015-3006 (On the QFX3500 and QFX3600 platforms, the number of bytes collected fr ...) NOT-FOR-US: Juniper CVE-2015-3005 (Cross-site scripting (XSS) vulnerability in the Dynamic VPN in Juniper ...) NOT-FOR-US: Juniper CVE-2015-3004 (J-Web in Juniper Junos 11.4 before 11.4R12, 12.1X44 before 12.1X44-D35 ...) NOT-FOR-US: Juniper CVE-2015-3003 (Juniper Junos 12.1X44 before 12.1X44-D45, 12.1X46 before 12.1X46-D30, ...) NOT-FOR-US: Juniper CVE-2015-3002 (Juniper Junos 12.1X44 before 12.1X44-D45, 12.1X46 before 12.1X46-D30, ...) NOT-FOR-US: Juniper CVE-2015-3001 (SysAid Help Desk before 15.2 uses a hardcoded password of Password1 fo ...) NOT-FOR-US: SysAid Help Desk CVE-2015-3000 (SysAid Help Desk before 15.2 allows remote attackers to cause a denial ...) NOT-FOR-US: SysAid Help Desk CVE-2015-2999 (Multiple SQL injection vulnerabilities in SysAid Help Desk before 15.2 ...) NOT-FOR-US: SysAid Help Desk CVE-2015-2998 (SysAid Help Desk before 15.2 uses a hardcoded encryption key, which ma ...) NOT-FOR-US: SysAid Help Desk CVE-2015-2997 (SysAid Help Desk before 15.2 allows remote attackers to obtain sensiti ...) NOT-FOR-US: SysAid Help Desk CVE-2015-2996 (Multiple directory traversal vulnerabilities in SysAid Help Desk befor ...) NOT-FOR-US: SysAid Help Desk CVE-2015-2995 (The RdsLogsEntry servlet in SysAid Help Desk before 15.2 does not prop ...) NOT-FOR-US: SysAid Help Desk CVE-2015-2994 (Unrestricted file upload vulnerability in ChangePhoto.jsp in SysAid He ...) NOT-FOR-US: SysAid Help Desk CVE-2015-2993 (SysAid Help Desk before 15.2 does not properly restrict access to cert ...) NOT-FOR-US: SysAid Help Desk CVE-2015-2992 (Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerabi ...) - libstruts1.2-java (Affects 2.0.0 - 2.3.16.3) CVE-2015-2991 (Buffer overflow in NScripter before 3.00 allows remote attackers to ex ...) NOT-FOR-US: NScripter CVE-2015-2990 (Directory traversal vulnerability in zhtml.cgi in NEOJAPAN desknet NEO ...) NOT-FOR-US: desknet NEO CVE-2015-2989 (Cross-site scripting (XSS) vulnerability in index.php in LEMON-S PHP T ...) NOT-FOR-US: LEMON-S CVE-2015-2988 (Rakuten card App for iOS 5.2.0 through 5.2.4 does not verify SSL certi ...) NOT-FOR-US: Rakuten card App for iOS CVE-2015-2987 (Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, w ...) NOT-FOR-US: Type74 ED CVE-2015-2986 (Cross-site scripting (XSS) vulnerability in rakuto.net hitSuji (rktSNS ...) NOT-FOR-US: hitSuji CVE-2015-2985 (Cross-site scripting (XSS) vulnerability in guide-park.com BBS X102 1. ...) NOT-FOR-US: guide-park.com BBS CVE-2015-2984 (I-O DATA DEVICE WN-G54/R2 routers with firmware before 1.03 and NP-BBR ...) NOT-FOR-US: I-O DATA CVE-2015-2983 (Cross-site request forgery (CSRF) vulnerability in admin.php in PHP Ko ...) NOT-FOR-US: Kobo Photo Gallery CMS CVE-2015-2982 (Cross-site scripting (XSS) vulnerability in jquery.lightbox-0.5.min.js ...) NOT-FOR-US: Kobo Photo Gallery CMS CVE-2015-2981 (The Yodobashi App for Android 1.2.1.0 and earlier does not verify X.50 ...) NOT-FOR-US: Yodobashi App for Android CVE-2015-2980 (The Yodobashi application 1.2.1.0 and earlier for Android allows remot ...) NOT-FOR-US: Yodobashi application for Android CVE-2015-2979 (Webservice-DIC yoyaku_v41 allows remote attackers to execute arbitrary ...) NOT-FOR-US: Webservice-DIC yoyaku_v41 CVE-2015-2978 (Webservice-DIC yoyaku_v41 allows remote attackers to bypass authentica ...) NOT-FOR-US: Webservice-DIC yoyaku_v41 CVE-2015-2977 (Webservice-DIC yoyaku_v41 allows remote attackers to create arbitrary ...) NOT-FOR-US: Webservice-DIC yoyaku_v41 CVE-2015-2976 (Multiple cross-site scripting (XSS) vulnerabilities in Research Artisa ...) NOT-FOR-US: Research Artisan Lite CVE-2015-2975 (Research Artisan Lite before 1.18 does not ensure that a user has auth ...) NOT-FOR-US: Research Artisan Lite CVE-2015-2974 (LEMON-S PHP Gazou BBS plus before 2.36 allows remote attackers to uplo ...) NOT-FOR-US: LEMON-S PHP Gazou BBS CVE-2015-2973 (Multiple cross-site scripting (XSS) vulnerabilities in the Welcart plu ...) NOT-FOR-US: Welcart plugin for WordPress CVE-2015-2972 (Multiple SQL injection vulnerabilities in Sysphonic Thetis before 2.3. ...) NOT-FOR-US: Syshonic Thetis CVE-2015-2971 (Directory traversal vulnerability in Seeds acmailer before 3.8.18 and ...) NOT-FOR-US: Seeds acmailer CVE-2015-2970 (index.php in LEMON-S PHP Simple Oekaki BBS before 1.21 allows remote a ...) NOT-FOR-US: Oekaki BBS CVE-2015-2969 (Cross-site scripting (XSS) vulnerability in index.php in LEMON-S PHP S ...) NOT-FOR-US: Oekaki BBS CVE-2015-2968 RESERVED CVE-2015-2966 (Directory traversal vulnerability in the Droidware UK Explorer+ File M ...) NOT-FOR-US: Droidware UK Explorer+ File Manager application for Android CVE-2015-2965 (Directory traversal vulnerability in osCommerce Japanese 2.2ms1j-R8 an ...) NOT-FOR-US: osCommerce Japanese CVE-2015-2964 (NAMSHI | JOSE 5.0.0 and earlier allows remote attackers to bypass sign ...) NOT-FOR-US: NAMSHI | JOSE CVE-2015-2963 (The thoughtbot paperclip gem before 4.2.2 for Ruby does not consider t ...) NOT-FOR-US: thoughtbot paperclip gem for ruby CVE-2015-2962 (CGI RESCUE BloBee 1.20 and earlier allows remote attackers to write to ...) NOT-FOR-US: CGI RESCUE BloBee CVE-2015-2961 (Cross-site request forgery (CSRF) vulnerability in Zoho NetFlow Analyz ...) NOT-FOR-US: Zoho NetFlow Analyzer CVE-2015-2960 (Cross-site scripting (XSS) vulnerability in Zoho NetFlow Analyzer buil ...) NOT-FOR-US: Zoho NetFlow Analyzer CVE-2015-2959 (Zoho NetFlow Analyzer build 10250 and earlier does not check for admin ...) NOT-FOR-US: Zoho NetFlow Analyzer CVE-2015-2958 (Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and earl ...) NOT-FOR-US: Igreks MilkyStep CVE-2015-2957 (Cross-site scripting (XSS) vulnerability in Igreks MilkyStep Light 0.9 ...) NOT-FOR-US: Igreks MilkyStep CVE-2015-2956 (SQL injection vulnerability in Igreks MilkyStep Light 0.94 and earlier ...) NOT-FOR-US: Igreks MilkyStep CVE-2015-2955 (Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and earl ...) NOT-FOR-US: Igreks MilkyStep CVE-2015-2954 (Cross-site request forgery (CSRF) vulnerability in Igreks MilkyStep Li ...) NOT-FOR-US: Igreks MilkyStep CVE-2015-2953 (Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and earl ...) NOT-FOR-US: Igreks MilkyStep CVE-2015-2952 (The user-information management functionality in Igreks MilkyStep Ligh ...) NOT-FOR-US: Igreks MilkyStep CVE-2015-2951 (JWT.php in F21 JWT before 2.0 allows remote attackers to bypass signat ...) NOT-FOR-US: PHP JWT aibrary CVE-2015-2950 (Directory traversal vulnerability in the Brandon Bowles Open Explorer ...) NOT-FOR-US: Brandon Bowles Open Explorer application for Android CVE-2015-2949 (Cross-site scripting (XSS) vulnerability in ZenPhoto20 1.1.3 and earli ...) NOT-FOR-US: ZenPhoto20 CVE-2015-2948 (Cross-site scripting (XSS) vulnerability in the image processor in Zen ...) NOT-FOR-US: Zenphoto CVE-2015-2947 (KanColleViewer versions 3.8.1 and earlier operates as an open proxy wh ...) NOT-FOR-US: KanColleViewer CVE-2015-2946 (Stack-based buffer overflow in the Open CAD Format Council SXF common ...) NOT-FOR-US: Open CAD Format Council SXF common library CVE-2015-2945 (mt-phpincgi.php in Hajime Fujimoto mt-phpincgi before 2015-05-15 does ...) NOT-FOR-US: Hajime Fujimoto mt-phpincgi CVE-2015-2944 (Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling AP ...) NOT-FOR-US: Apache Sling CVE-2015-2943 (Honda Moto LINC 1.6.1 does not verify SSL certificates. ...) NOT-FOR-US: Honda Moto LINC CVE-2015-3026 (Icecast before 2.4.2, when a stream_auth handler is defined for URL au ...) {DSA-3239-1} - icecast2 2.4.2-1 (bug #782120) [wheezy] - icecast2 (stream_auth introduced in 2.3.3) [squeeze] - icecast2 (stream_auth introduced in 2.3.3) NOTE: https://trac.xiph.org/ticket/2191 NOTE: http://www.openwall.com/lists/oss-security/2015/04/08/8 CVE-2014-9715 (include/net/netfilter/nf_conntrack_extend.h in the netfilter subsystem ...) {DSA-3237-1} - linux 3.14.5-1 (bug #741667) - linux-2.6 (Introduced in 3.6) NOTE: http://marc.info/?l=netfilter-devel&m=140112364215200&w=2 NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=223b02d923ecd7c84cf9780bb3686f455d279279 (v3.15-rc1) NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5b423f6a40a0327f9d40bc8b97ce9be266f74368 (v3.6-rc5) NOTE: Introduced in 3.2.x in https://git.kernel.org/cgit/linux/kernel/git/bwh/linux-3.2.y.git/commit/?id=cc1b75d796ad050c83c95733c4220aaa04fa1304 (v3.2.33) NOTE: http://www.openwall.com/lists/oss-security/2015/04/08/1 CVE-2013-7439 (Multiple off-by-one errors in the (1) MakeBigReq and (2) SetReqLen mac ...) {DSA-3224-1 DLA-199-1} - libx11 2:1.6.0-1 NOTE: http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=39547d600a13713e15429f49768e54c3173c828d NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=56508 NOTE: http://www.openwall.com/lists/oss-security/2015/04/08/4 NOTE: The following packages will be recompiled after the release of NOTE: the DSA for wheezy and the DLA for squeeze: NOTE: libxrender (1:0.9.7-1+deb7u2 / 0.9.6-1+squeeze1+build1) NOTE: libxi (TBD / 1.3-8+build1) NOTE: libxfixes (TBD / 4.0.5-1+squeeze1+build1) NOTE: libxrandr (TBD / 1.3.0-3+squeeze1+build1) NOTE: libsdl1.2 (TBD / 1.2.14-6.1+build1) NOTE: libxv (TBD / 1.0.5-1+squeeze1+build1) NOTE: libxp (TBD / 1.0.0.xsf1-2+squeeze1+build1) NOTE: libxext (TBD / 1.1.2-1+squeeze1+build1) NOTE: xserver-xorg-video-vmware (TBD / 11.0.1-2+build1) NOTE: cairo (TBD / 1.8.10-6+build1) NOTE: open-vm-tools (TBD / 8.4.2-261024-1+build1) NOTE: wine-gecko-1.4 (wheezy) NOTE: list completed by analyzing http://codesearch.debian.net/results/SetReqLen and http://codesearch.debian.net/results/MakeBigReq CVE-2015-3030 (The web interface in McAfee Advanced Threat Defense (MATD) before 3.4. ...) NOT-FOR-US: McAfee Advanced Threat Defense CVE-2015-3029 (The web interface in McAfee Advanced Threat Defense (MATD) before 3.4. ...) NOT-FOR-US: McAfee Advanced Threat Defense CVE-2015-3028 (McAfee Advanced Threat Defense (MATD) before 3.4.4.63 allows remote au ...) NOT-FOR-US: McAfee Advanced Threat Defense CVE-2015-2930 RESERVED CVE-2015-2926 (Cross-site scripting (XSS) vulnerability in Php/stats/statsRecent.inc. ...) NOT-FOR-US: phpTrafficA CVE-2014-9714 (Cross-site scripting (XSS) vulnerability in the WddxPacket::recursiveA ...) - hhvm 3.11.0+dfsg-1 NOTE: https://github.com/facebook/hhvm/commit/324701c9fd31beb4f070f1b7ef78b115fbdfec34 CVE-2015-3406 (The PGP signature parsing in Module::Signature before 0.74 allows remo ...) {DSA-3261-1 DLA-264-1} - libmodule-signature-perl 0.78-1 (bug #783451) NOTE: Upstream fix: https://github.com/audreyt/module-signature/commit/8a9164596fa5952d4fbcde5aa1c7d1c7bc85372f NOTE: http://www.openwall.com/lists/oss-security/2015/04/07/1 NOTE: Changes might needed in libtest-signature-perl, need further investigation CVE-2015-3407 (Module::Signature before 0.74 allows remote attackers to bypass signat ...) {DSA-3261-1 DLA-264-1} - libmodule-signature-perl 0.78-1 (bug #783451) NOTE: Upstream fix: https://github.com/audreyt/module-signature/commit/8a9164596fa5952d4fbcde5aa1c7d1c7bc85372f NOTE: http://www.openwall.com/lists/oss-security/2015/04/07/1 NOTE: libtest-signature-perl needed to be updated CVE-2015-3408 (Module::Signature before 0.74 allows remote attackers to execute arbit ...) {DSA-3261-1 DLA-264-1} - libmodule-signature-perl 0.78-1 (bug #783451) NOTE: Upstream fix: https://github.com/audreyt/module-signature/commit/8a9164596fa5952d4fbcde5aa1c7d1c7bc85372f NOTE: http://www.openwall.com/lists/oss-security/2015/04/07/1 NOTE: Changes might needed in libtest-signature-perl, need further investigation CVE-2015-3409 (Untrusted search path vulnerability in Module::Signature before 0.75 a ...) {DSA-3261-1 DLA-264-1} - libmodule-signature-perl 0.78-1 (bug #783451) NOTE: Upstream fix: https://github.com/audreyt/module-signature/commit/c41e8885b862b9fce2719449bc9336f0bea658ef NOTE: http://www.openwall.com/lists/oss-security/2015/04/07/1 NOTE: Changes might needed in libtest-signature-perl, need further investigation CVE-2015-2921 RESERVED CVE-2015-2920 RESERVED CVE-2015-2919 RESERVED CVE-2015-2918 (The Studio component in OrientDB Server Community Edition before 2.0.1 ...) NOT-FOR-US: OrientDB CVE-2015-2917 (Securifi Almond devices with firmware before AL1-R201EXP10-L304-W34 an ...) NOT-FOR-US: Securifi Almond CVE-2015-2916 (Cross-site request forgery (CSRF) vulnerability on Securifi Almond dev ...) NOT-FOR-US: Securifi Almond CVE-2015-2915 (Securifi Almond devices with firmware before AL1-R201EXP10-L304-W34 an ...) NOT-FOR-US: Securifi Almond CVE-2015-2914 (Securifi Almond devices with firmware before AL1-R201EXP10-L304-W34 an ...) NOT-FOR-US: Securifi Almond CVE-2015-2913 (server/network/protocol/http/OHttpSessionManager.java in the Studio co ...) NOT-FOR-US: OrientDB CVE-2015-2912 (The JSONP endpoint in the Studio component in OrientDB Server Communit ...) NOT-FOR-US: OrientDB CVE-2015-2911 RESERVED CVE-2015-2910 RESERVED CVE-2015-2909 (Dedicated Micros DV-IP Express, SD Advanced, SD, EcoSense, and DS2 dev ...) NOT-FOR-US: Dedicated Micros DVR products CVE-2015-2908 (** DISPUTED ** Mobile Devices (aka MDI) C4 OBD-II dongles with firmwar ...) NOT-FOR-US: Mobile Devices (aka MDI) C4 OBD-II dongles CVE-2015-2907 (** DISPUTED ** Mobile Devices (aka MDI) C4 OBD-II dongles with firmwar ...) NOT-FOR-US: Mobile Devices (aka MDI) C4 OBD-II dongles CVE-2015-2906 (** DISPUTED ** Mobile Devices (aka MDI) C4 OBD-II dongles with firmwar ...) NOT-FOR-US: Mobile Devices (aka MDI) C4 OBD-II dongles CVE-2015-2905 (Cross-site request forgery (CSRF) vulnerability on Actiontec GT784WN m ...) NOT-FOR-US: Actiontec CVE-2015-2904 (Actiontec GT784WN modems with firmware before NCS01-1.0.13 have hardco ...) NOT-FOR-US: Actiontec CVE-2015-2903 (The CWSAPI SOAP service in HP ArcSight SmartConnectors before 7.1.6 ha ...) NOT-FOR-US: HP ArcSight CVE-2015-2902 (HP ArcSight SmartConnectors before 7.1.6 do not verify X.509 certifica ...) NOT-FOR-US: HP ArcSight CVE-2015-2901 (Multiple stack-based buffer overflows in Medicomp MEDCIN Engine 2.22.2 ...) NOT-FOR-US: Medicomp CVE-2015-2900 (The AddUserFinding add_userfinding2 function in Medicomp MEDCIN Engine ...) NOT-FOR-US: Medicomp CVE-2015-2899 (Heap-based buffer overflow in the QualifierList retrieve_qualifier_lis ...) NOT-FOR-US: Medicomp CVE-2015-2898 (Multiple stack-based buffer overflows in Medicomp MEDCIN Engine before ...) NOT-FOR-US: Medicomp CVE-2015-2897 (Sierra Wireless ALEOS before 4.4.2 on AirLink ES, GX, and LS devices h ...) NOT-FOR-US: Sierra Wireless ALEOS CVE-2015-2896 (The up.time client in Idera Uptime Infrastructure Monitor through 7.6 ...) NOT-FOR-US: Idera Uptime Infrastructure Monitor CVE-2015-2895 (Buffer overflow in the up.time client in Idera Uptime Infrastructure M ...) NOT-FOR-US: Idera Uptime Infrastructure Monitor CVE-2015-2894 (Format string vulnerability in the up.time client in Idera Uptime Infr ...) NOT-FOR-US: Idera Uptime Infrastructure Monitor CVE-2015-2893 RESERVED CVE-2015-2892 RESERVED CVE-2015-2891 RESERVED CVE-2015-2890 (The BIOS implementation on Dell Latitude, OptiPlex, Precision Mobile W ...) NOT-FOR-US: BIOS implementations on Dell hardware with model-dependent firmware CVE-2015-2889 (Summer Baby Zoom Wifi Monitor & Internet Viewing System allows rem ...) NOT-FOR-US: Summer Baby Zoom Wifi Monitor and Internet Viewing System CVE-2015-2888 (Summer Baby Zoom Wifi Monitor & Internet Viewing System allows rem ...) NOT-FOR-US: Summer Baby Zoom Wifi Monitor and Internet Viewing System CVE-2015-2887 (iBaby M3S has a password of admin for the backdoor admin account. ...) NOT-FOR-US: iBaby M3S CVE-2015-2886 (iBaby M6 allows remote attackers to obtain sensitive information, rela ...) NOT-FOR-US: iBaby M6 CVE-2015-2885 (Lens Peek-a-View has a password of 2601hx for the backdoor admin accou ...) NOT-FOR-US: Lens Peek-a-View CVE-2015-2884 (Philips In.Sight B120/37 allows remote attackers to obtain sensitive i ...) NOT-FOR-US: Philips In.Sight B120/37 CVE-2015-2883 (Philips In.Sight B120/37 has XSS, related to the Weaved cloud web serv ...) NOT-FOR-US: Philips In.Sight B120/37 CVE-2015-2882 (Philips In.Sight B120/37 has a password of b120root for the backdoor r ...) NOT-FOR-US: Philips In.Sight B120/37 CVE-2015-2881 (Gynoii has a password of guest for the backdoor guest account and a pa ...) NOT-FOR-US: Gynoii CVE-2015-2880 (TRENDnet WiFi Baby Cam TV-IP743SIC has a password of admin for the bac ...) NOT-FOR-US: TRENDnet WiFi Baby Cam TV-IP743SIC CVE-2015-2879 RESERVED CVE-2015-2878 (Multiple cross-site request forgery (CSRF) vulnerabilities in Hexis Ha ...) NOT-FOR-US: Hexis HawkEye CVE-2015-2877 (** DISPUTED ** Kernel Samepage Merging (KSM) in the Linux kernel 2.6.3 ...) - linux (unimportant) - linux-2.6 (unimportant) NOTE: https://www.usenix.org/conference/woot15/workshop-program/presentation/barresi NOTE: http://www.antoniobarresi.com/security/cloud/2015/07/30/cain/ NOTE: Architectual limitation, workaround exists CVE-2015-2876 (Unrestricted file upload vulnerability on Seagate GoFlex Satellite, Se ...) NOT-FOR-US: Seagate GoFlex CVE-2015-2875 (Absolute path traversal vulnerability on Seagate GoFlex Satellite, Sea ...) NOT-FOR-US: Seagate GoFlex CVE-2015-2874 (Seagate GoFlex Satellite, Seagate Wireless Mobile Storage, Seagate Wir ...) NOT-FOR-US: Seagate GoFlex CVE-2015-2873 (Trend Micro Deep Discovery Inspector (DDI) on Deep Discovery Threat ap ...) NOT-FOR-US: Trend Micro CVE-2015-2872 (Multiple cross-site scripting (XSS) vulnerabilities in Trend Micro Dee ...) NOT-FOR-US: Trend Micro CVE-2015-2871 (Chiyu BF-660C fingerprint access-control devices allow remote attacker ...) NOT-FOR-US: Chiyu BF-660C fingerprint access-control devices CVE-2015-2870 (Cross-site scripting (XSS) vulnerability on Chiyu BF-630, BF-630W, and ...) NOT-FOR-US: Chiyu fingerprint access-control devices CVE-2015-2869 (The FileInfo plugin before 2.22 for Ghisler Total Commander allows rem ...) NOT-FOR-US: Ghisler Total Commander CVE-2015-2868 (An exploitable remote code execution vulnerability exists in the Trane ...) NOT-FOR-US: Trane CVE-2015-2867 (A design flaw in the Trane ComfortLink II SCC firmware version 2.0.2 s ...) NOT-FOR-US: Trane CVE-2015-2866 (SQL injection vulnerability on the Grandstream GXV3611_HD camera with ...) NOT-FOR-US: Grandstream camera CVE-2015-2865 REJECTED CVE-2015-2864 (Retrospect and Retrospect Client before 10.0.2.119 on Windows, before ...) NOT-FOR-US: Retrospect Client CVE-2015-2863 (Open redirect vulnerability in Kaseya Virtual System Administrator (VS ...) NOT-FOR-US: Kaseya VSA CVE-2015-2862 (Directory traversal vulnerability in Kaseya Virtual System Administrat ...) NOT-FOR-US: Kaseya VSA CVE-2015-2861 (Cross-site request forgery (CSRF) vulnerability in Vesta Control Panel ...) NOT-FOR-US: Vesta Control Panel CVE-2015-2860 (Directory traversal vulnerability in Avigilon Control Center (ACC) 4 b ...) NOT-FOR-US: Avigilon Control Center CVE-2015-2859 (Intel McAfee ePolicy Orchestrator (ePO) 4.x through 4.6.9 and 5.x thro ...) NOT-FOR-US: Intel McAfee ePolicy Orchestrator CVE-2015-2858 (Datalex airline booking software before 2015-09-03 allows remote attac ...) NOT-FOR-US: Datalex airline booking software CVE-2015-2857 (Accellion File Transfer Appliance before FTA_9_11_210 allows remote at ...) NOT-FOR-US: Accellion File Transfer Appliance CVE-2015-2856 (Directory traversal vulnerability in the template function in function ...) NOT-FOR-US: Accellion File Transfer Appliance CVE-2015-2855 (The WebUI component in Blue Coat SSL Visibility Appliance SV800, SV180 ...) NOT-FOR-US: Blue Coat SSL Visibility Appliance CVE-2015-2854 (The WebUI component in Blue Coat SSL Visibility Appliance SV800, SV180 ...) NOT-FOR-US: Blue Coat SSL Visibility Appliance CVE-2015-2853 (Session fixation vulnerability in the WebUI component in Blue Coat SSL ...) NOT-FOR-US: Blue Coat SSL Visibility Appliance CVE-2015-2852 (Cross-site request forgery (CSRF) vulnerability in the WebUI component ...) NOT-FOR-US: Blue Coat SSL Visibility Appliance CVE-2015-2851 (client_chown in the sync client in Synology Cloud Station 1.1-2291 thr ...) NOT-FOR-US: Synology Cloud Station CVE-2015-2850 (Cross-site scripting (XSS) vulnerability in index-login.ant in the ANT ...) NOT-FOR-US: ANTlabs CVE-2015-2849 (SQL injection vulnerability in main.ant in the ANTlabs InnGate firmwar ...) NOT-FOR-US: ANTlabs CVE-2015-2848 (Cross-site request forgery (CSRF) vulnerability in Honeywell Tuxedo To ...) NOT-FOR-US: Honeywell Tuxedo Touch CVE-2015-2847 (Honeywell Tuxedo Touch before 5.2.19.0_VA relies on client-side authen ...) NOT-FOR-US: Honeywell Tuxedo Touch CVE-2015-2846 (BitTorrent Sync allows remote attackers to execute arbitrary commands ...) - btsync (bug #706639) CVE-2015-2845 (The cpanel function in go_site.php in GoAutoDial GoAdmin CE before 3.3 ...) NOT-FOR-US: GoAutoDial GoAdmin CE CVE-2015-2844 (The cpanel function in go_site.php in GoAutoDial GoAdmin CE before 3.3 ...) NOT-FOR-US: GoAutoDial GoAdmin CE CVE-2015-2843 (Multiple SQL injection vulnerabilities in GoAutoDial GoAdmin CE before ...) NOT-FOR-US: GoAutoDial GoAdmin CE CVE-2015-2842 (Unrestricted file upload vulnerability in go_audiostore.php in the aud ...) NOT-FOR-US: GoAutoDial GoAdmin CE CVE-2015-2841 (Citrix NetScaler AppFirewall, as used in NetScaler 10.5, allows remote ...) NOT-FOR-US: Citrix NetScaler CVE-2015-2840 (Cross-site scripting (XSS) vulnerability in help/rt/large_search.html ...) NOT-FOR-US: Citrix NetScaler CVE-2015-2839 (The Nitro API in Citrix NetScaler before 10.5 build 52.3nc uses an inc ...) NOT-FOR-US: Citrix NetScaler CVE-2015-2838 (Cross-site request forgery (CSRF) vulnerability in Nitro API in Citrix ...) NOT-FOR-US: Citrix NetScaler CVE-2015-2929 (The Hidden Service (HS) client implementation in Tor before 0.2.4.27, ...) {DSA-3216-1 DLA-187-1} - tor 0.2.5.12-1 NOTE: https://trac.torproject.org/projects/tor/ticket/15601 NOTE: http://www.openwall.com/lists/oss-security/2015/04/06/5 CVE-2015-2928 (The Hidden Service (HS) server implementation in Tor before 0.2.4.27, ...) {DSA-3216-1 DLA-187-1} - tor 0.2.5.12-1 NOTE: https://trac.torproject.org/projects/tor/ticket/15600 NOTE: http://www.openwall.com/lists/oss-security/2015/04/06/5 CVE-2015-2837 RESERVED CVE-2015-2836 RESERVED CVE-2015-2835 RESERVED CVE-2015-2834 RESERVED CVE-2015-2833 RESERVED CVE-2015-2832 RESERVED CVE-2015-2927 (node 0.3.2 and URONode before 1.0.5r3 allows remote attackers to cause ...) - node (bug #777013) [jessie] - node (Minor issue) [squeeze] - node (Minor issue) [wheezy] - node (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/04/03/10 CVE-2015-XXXX [caja automounts USB flash drives and CD/DVD drives while session is locked] - caja 1.8.2-4 (bug #781608) [jessie] - caja 1.8.2-3+deb8u1 NOTE: https://github.com/mate-desktop/caja/issues/398 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/04/03/12 CVE-2015-3013 (ownCloud Server before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 ...) {DSA-3244-1} [experimental] - owncloud 7.0.5+dfsg-1 - owncloud 7.0.4+dfsg-3 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-004 CVE-2015-3012 (Multiple cross-site scripting (XSS) vulnerabilities in WebODF before 0 ...) {DSA-3244-1} [experimental] - owncloud 7.0.5+dfsg-1 - owncloud 7.0.4+dfsg-3 - owncloud-documents (Fixed before initial release to Debian) - webodf (bug #727529) NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-002 CVE-2015-3011 (Multiple cross-site scripting (XSS) vulnerabilities in the contacts ap ...) {DSA-3244-1} [experimental] - owncloud 7.0.5+dfsg-1 - owncloud 7.0.4+dfsg-3 - ownclound-contacts (bug #779055) NOTE: owncloud-contacts fixed in 0.3.0.18+8.0.0+dfsg-1 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-001 CVE-2015-8855 (The semver package before 4.3.2 for Node.js allows attackers to cause ...) - node-semver 5.3.0-1 (unimportant) NOTE: https://nodesecurity.io/advisories/semver_redos NOTE: https://github.com/npm/npm/releases/tag/v2.7.5 NOTE: libv8 is not covered by security support CVE-2015-2925 (The prepend_path function in fs/dcache.c in the Linux kernel before 4. ...) {DLA-325-1} - linux 4.2.1-1 [jessie] - linux 3.16.7-ckt11-1+deb8u4 [wheezy] - linux 3.2.68-1+deb7u5 - linux-2.6 NOTE: http://permalink.gmane.org/gmane.linux.kernel.containers/29173 NOTE: http://permalink.gmane.org/gmane.linux.kernel.containers/29177 CVE-2015-2924 (The receive_ra function in rdisc/nm-lndp-rdisc.c in the Neighbor Disco ...) - network-manager 1.0.2-1 (bug #783295) [jessie] - network-manager (Minor issue) [wheezy] - network-manager (Minor issue) [squeeze] - network-manager (Minor issue) CVE-2015-2923 (The Neighbor Discovery (ND) protocol implementation in the IPv6 stack ...) {DSA-3175-2} [experimental] - kfreebsd-11 11.0~svn284956-1 - kfreebsd-10 10.1~svn274115-4 (bug #782107) [jessie] - kfreebsd-10 (kfreebsd not a release arch) - kfreebsd-9 [wheezy] - kfreebsd-9 (Minor issue) - kfreebsd-8 [wheezy] - kfreebsd-8 (kfreebsd-8 only a test kernel, will be fixed in a point update) [squeeze] - kfreebsd-8 (kfreebsd-i386/amd64 not supported in Squeeze LTS) NOTE: https://lists.freebsd.org/pipermail/freebsd-net/2015-April/041934.html CVE-2015-2922 (The ndisc_router_discovery function in net/ipv6/ndisc.c in the Neighbo ...) {DSA-3237-1 DLA-246-1} - linux 3.16.7-ckt9-1 - linux-2.6 NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6fd99094de2b83d1d4c8457f2c83483b2828e75a CVE-2015-2829 (Citrix NetScaler Application Delivery Controller (ADC) and NetScaler G ...) NOT-FOR-US: Citrix NetScaler Application Delivery Controller CVE-2015-2828 (CA Spectrum 9.2.x and 9.3.x before 9.3 H02 does not properly validate ...) NOT-FOR-US: CA Spectrum CVE-2015-2827 (Cross-site scripting (XSS) vulnerability in CA Spectrum 9.2.x and 9.3. ...) NOT-FOR-US: CA Spectrum CVE-2015-2826 (WordPress Simple Ads Manager plugin 2.5.94 and 2.5.96 allows remote at ...) NOT-FOR-US: WordPress plugin simple-ads-manager CVE-2015-2825 (Unrestricted file upload vulnerability in sam-ajax-admin.php in the Si ...) NOT-FOR-US: WordPress plugin simple-ads-manager CVE-2015-2824 (Multiple SQL injection vulnerabilities in the Simple Ads Manager plugi ...) NOT-FOR-US: WordPress plugin simple-ads-manager CVE-2015-2823 (Siemens SIMATIC HMI Basic Panels 2nd Generation before WinCC (TIA Port ...) NOT-FOR-US: Siemens CVE-2015-2822 (Siemens SIMATIC HMI Comfort Panels before WinCC (TIA Portal) 13 SP1 Up ...) NOT-FOR-US: Siemens CVE-2015-2821 (TYPO3 Neos 1.1.x before 1.1.3 and 1.2.x before 1.2.3 allows remote edi ...) NOT-FOR-US: TYPO3 Neos CVE-2015-2820 (Buffer overflow in XcListener in SAP Afaria 7.0.6001.5 allows remote a ...) NOT-FOR-US: SAP Afaria CVE-2015-2819 (SAP Sybase SQL Anywhere 11 and 16 allows remote attackers to cause a d ...) NOT-FOR-US: SAP Sybase SQL Anywhere CVE-2015-2818 (XML external entity (XXE) vulnerability in SAP Mobile Platform 3 allow ...) NOT-FOR-US: SAP Mobile Platform CVE-2015-2817 (The SAP Management Console in SAP NetWeaver 7.40 allows remote attacke ...) NOT-FOR-US: SAP NetWeaver CVE-2015-2816 (The XcListener in SAP Afaria 7.0.6001.5 does not properly restrict acc ...) NOT-FOR-US: SAP Afaria CVE-2015-2815 (Buffer overflow in the C_SAPGPARAM function in the NetWeaver Dispatche ...) NOT-FOR-US: NetWeaver Dispatcher in SAP KERNEL CVE-2015-2814 (SAP EMR Unwired (com.sap.mobile.healthcare.emr.v2) and Clinical Task T ...) NOT-FOR-US: SAP EMR Unwired and Clinical Task Tracker CVE-2015-2813 (XML external entity (XXE) vulnerability in SAP Mobile Platform allows ...) NOT-FOR-US: SAP Mobile Platform CVE-2015-2812 (XML external entity (XXE) vulnerability in XMLValidationComponent in S ...) NOT-FOR-US: SAP NetWeaver Portal CVE-2015-2811 (XML external entity (XXE) vulnerability in ReportXmlViewer in SAP NetW ...) NOT-FOR-US: SAP NetWeaver Portal CVE-2015-2830 (arch/x86/kernel/entry_64.S in the Linux kernel before 3.19.2 does not ...) {DSA-3237-1 DLA-246-1} - linux 3.16.7-ckt9-1 - linux-2.6 NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=956421fbb74c3a6261903f3836c0740187cf038b (v4.0-rc3) NOTE: http://www.openwall.com/lists/oss-security/2015/04/02/1 CVE-2015-XXXX [Signature Bypass in several JSON Web Token Libraries] - pyjwt 1.3.0-1 (bug #781640) [jessie] - pyjwt 0.2.1-1+deb8u1 NOTE: Added workaround item to reflect entry fixed status, remove once CVE assigned NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/04/01/4 NOTE: https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ NOTE: ruby-jwt not directly affected, see https://github.com/jwt/ruby-jwt/issues/76 CVE-2015-2810 (Integer overflow in the HwpApp::CHncSDS_Manager function in Hancom Off ...) NOT-FOR-US: Hancom Office Hwp CVE-2015-2809 (The Multicast DNS (mDNS) responder in Synology DiskStation Manager (DS ...) NOT-FOR-US: Synology DiskStation Manager CVE-2015-2808 (The RC4 algorithm, as used in the TLS protocol and SSL protocol, does ...) {DSA-3339-1 DSA-3316-1 DLA-303-1} NOTE: This CVE is specific to the design of the RC4 protocol and not to its NOTE: implementations. [experimental] - openjdk-6 6b36-1.13.8-1 - openjdk-6 - openjdk-7 7u79-2.5.6-1 - openjdk-8 8u66-b01-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA NOTE: "Applies to client and server deployment of JSSE." CVE-2015-2807 (Cross-site scripting (XSS) vulnerability in js/window.php in the Navis ...) NOT-FOR-US: Navis DocumentCloud plugin for WordPress CVE-2015-2831 (Buffer overflow in das_watchdog 0.9.0 allows local users to execute ar ...) {DSA-3221-1 DLA-194-1} - das-watchdog 0.9.0-3.1 (bug #781806) NOTE: Upstream commit: https://github.com/kmatheussen/das_watchdog/commit/bd20bb02e75e2c NOTE: http://www.openwall.com/lists/oss-security/2015/04/01/8 CVE-2015-2805 (Cross-site request forgery (CSRF) vulnerability in sec/content/sec_asa ...) NOT-FOR-US: Alcatel-Lucent OmniSwitch CVE-2015-2804 (The management web interface in Alcatel-Lucent OmniSwitch 6450, 6250, ...) NOT-FOR-US: Alcatel-Lucent OmniSwitch CVE-2015-2803 (SQL injection vulnerability in mod1/index.php in the Akronymmanager (s ...) NOT-FOR-US: TYPO3 extension sb_akronymmanager CVE-2015-2802 (An Information Disclosure vulnerability exists in HP SiteScope 11.2 an ...) NOT-FOR-US: HP SiteScope CVE-2015-2801 RESERVED CVE-2015-2800 (The user authentication module in Huawei Campus switches S5700, S5300, ...) NOT-FOR-US: Huawei CVE-2015-2799 RESERVED CVE-2015-2798 (SQL injection vulnerability in Joomla! Component Contact Form Maker 1. ...) NOT-FOR-US: Joomla! extension CVE-2015-2797 (Stack-based buffer overflow in AirTies Air 6372, 5760, 5750, 5650TT, 5 ...) NOT-FOR-US: AirTies Air DSL modems CVE-2015-2796 (Multiple cross-site scripting (XSS) vulnerabilities in Project-Pier Pr ...) NOT-FOR-US: Project-Pier ProjectPier-Core CVE-2015-2795 RESERVED CVE-2015-2794 (The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote ...) NOT-FOR-US: DotNetNuke CVE-2015-2792 (The WPML plugin before 3.1.9 for WordPress does not properly handle mu ...) NOT-FOR-US: WPML plugin for WordPress CVE-2015-2791 (The "menu sync" function in the WPML plugin before 3.1.9 for WordPress ...) NOT-FOR-US: WPML plugin for WordPress CVE-2015-2790 (Foxit Reader, Enterprise Reader, and PhantomPDF before 7.1 allow remot ...) NOT-FOR-US: Foxit Reader, Enterprise Reader, and PhantomPDF CVE-2015-2789 (Unquoted Windows search path vulnerability in the Foxit Cloud Safe Upd ...) NOT-FOR-US: Foxit Reader CVE-2015-XXXX [xdeb: disables apt's signature checks] - xdeb 0.6.7 (bug #781595) [wheezy] - xdeb (Minor issue) CVE-2015-2931 (Incomplete blacklist vulnerability in includes/upload/UploadBase.php i ...) - mediawiki 1:1.19.20+dfsg-2.3 [wheezy] - mediawiki (Not supported in Wheezy LTS) [squeeze] - mediawiki (Not supported in Squeeze LTS) NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html NOTE: http://www.openwall.com/lists/oss-security/2015/04/01/1 CVE-2015-2932 (Incomplete blacklist vulnerability in MediaWiki before 1.19.24, 1.2x b ...) - mediawiki 1:1.19.20+dfsg-2.3 [wheezy] - mediawiki (Not supported in Wheezy LTS) [squeeze] - mediawiki (Not supported in Squeeze LTS) NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html NOTE: http://www.openwall.com/lists/oss-security/2015/04/01/1 CVE-2015-2933 (Cross-site scripting (XSS) vulnerability in the Html class in MediaWik ...) - mediawiki 1:1.19.20+dfsg-2.3 [wheezy] - mediawiki (Not supported in Wheezy LTS) [squeeze] - mediawiki (Not supported in Squeeze LTS) NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html NOTE: http://www.openwall.com/lists/oss-security/2015/04/01/1 CVE-2015-2934 (MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 ...) - mediawiki 1:1.19.20+dfsg-2.3 [wheezy] - mediawiki (Not supported in Wheezy LTS) [squeeze] - mediawiki (Not supported in Squeeze LTS) NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html NOTE: http://www.openwall.com/lists/oss-security/2015/04/01/1 CVE-2015-2935 (MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 ...) - mediawiki 1:1.19.20+dfsg-2.3 [wheezy] - mediawiki (Not supported in Wheezy LTS) [squeeze] - mediawiki (Not supported in Squeeze LTS) NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html NOTE: http://www.openwall.com/lists/oss-security/2015/04/01/1 CVE-2015-2936 (MediaWiki 1.24.x before 1.24.2, when using PBKDF2 for password hashing ...) - mediawiki 1:1.19.20+dfsg-2.3 [wheezy] - mediawiki (Not supported in Wheezy LTS) [squeeze] - mediawiki (Not supported in Squeeze LTS) NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html NOTE: http://www.openwall.com/lists/oss-security/2015/04/01/1 CVE-2015-2937 (MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 ...) - mediawiki 1:1.19.20+dfsg-2.3 [wheezy] - mediawiki (Not supported in Wheezy LTS) [squeeze] - mediawiki (Not supported in Squeeze LTS) NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html NOTE: http://www.openwall.com/lists/oss-security/2015/04/01/1 CVE-2015-2938 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.24, ...) - mediawiki 1:1.19.20+dfsg-2.3 [wheezy] - mediawiki (Not supported in Wheezy LTS) [squeeze] - mediawiki (Not supported in Squeeze LTS) NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html NOTE: http://www.openwall.com/lists/oss-security/2015/04/01/1 CVE-2015-2939 (Cross-site scripting (XSS) vulnerability in the Scribunto extension fo ...) - mediawiki 1:1.19.20+dfsg-2.3 [wheezy] - mediawiki (Not supported in Wheezy LTS) [squeeze] - mediawiki (Not supported in Squeeze LTS) NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html NOTE: http://www.openwall.com/lists/oss-security/2015/04/01/1 CVE-2015-2940 (Cross-site request forgery (CSRF) vulnerability in the CheckUser exten ...) - mediawiki 1:1.19.20+dfsg-2.3 [wheezy] - mediawiki (Not supported in Wheezy LTS) [squeeze] - mediawiki (Not supported in Squeeze LTS) NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html NOTE: http://www.openwall.com/lists/oss-security/2015/04/01/1 CVE-2015-2941 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.24, ...) - mediawiki 1:1.19.20+dfsg-2.3 (unimportant) NOTE: HHVM not packaged in Debian NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html NOTE: http://www.openwall.com/lists/oss-security/2015/04/01/1 CVE-2015-2942 (MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 ...) - mediawiki 1:1.19.20+dfsg-2.3 (unimportant) NOTE: HHVM not packaged in Debian NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html NOTE: http://www.openwall.com/lists/oss-security/2015/04/01/1 CVE-2015-2786 (Unspecified vulnerability in MyBB (aka MyBulletinBoard) before 1.8.4 h ...) NOT-FOR-US: MyBB CVE-2015-2784 (The papercrop gem before 0.3.0 for Ruby on Rails does not properly han ...) NOT-FOR-US: papercrop Ruby gem CVE-2015-2783 (ext/phar/phar.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x b ...) {DSA-3280-1 DLA-212-1} - php5 5.6.9+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=69324 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=17cbd0b5b78a7500f185b3781a2149881bfff8ae NOTE: Fixed in 5.6.8 and 5.4.40 CVE-2015-2781 (Cross-site scripting (XSS) vulnerability in cgi-bin/hotspotlogin.cgi i ...) NOT-FOR-US: Hotspot Express hotEx Billing Manager CVE-2015-2780 (Unrestricted file upload vulnerability in Berta CMS allows remote atta ...) NOT-FOR-US: Berta CMS CVE-2015-2777 RESERVED CVE-2015-2775 (Directory traversal vulnerability in GNU Mailman before 2.1.20, when n ...) {DSA-3214-1 DLA-186-1} - mailman 1:2.1.18-2 (bug #781626) NOTE: https://bugs.launchpad.net/mailman/+bug/1437145 NOTE: https://mail.python.org/pipermail/mailman-developers/2015-March/024875.html CVE-2015-2773 (SVM in Websense TRITON V-Series appliances before 8.0.0 allows attacke ...) NOT-FOR-US: Websense TRITON V-Series appliances CVE-2015-2772 (SVM in Websense TRITON V-Series appliances before 8.0.0 allows attacke ...) NOT-FOR-US: Websense TRITON V-Series appliances CVE-2015-2771 (The Mail Server in Websense TRITON AP-EMAIL and V-Series appliances be ...) NOT-FOR-US: Websense TRITON AP-EMAIL and V-Series appliances CVE-2015-2770 (Cross-site request forgery (CSRF) vulnerability in the command line pa ...) NOT-FOR-US: Websense TRITON V-Series appliances CVE-2015-2769 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Pers ...) NOT-FOR-US: Websense TRITON AP-EMAIL CVE-2015-2768 (Cross-site scripting (XSS) vulnerability in Websense TRITON AP-EMAIL b ...) NOT-FOR-US: Websense TRITON AP-EMAIL CVE-2015-2767 (Unspecified vulnerability in Websense TRITON AP-EMAIL before 8.0.0 has ...) NOT-FOR-US: Websense TRITON AP-EMAIL CVE-2015-2766 (The Personal Email Manager (PEM) in Websense TRITON AP-EMAIL before 8. ...) NOT-FOR-US: Websense TRITON AP-EMAIL CVE-2015-2765 (The Email Security Gateway in Websense TRITON AP-EMAIL before 8.0.0 al ...) NOT-FOR-US: Websense TRITON AP-EMAIL CVE-2015-2764 (Multiple cross-site scripting (XSS) vulnerabilities in Websense TRITON ...) NOT-FOR-US: Websense TRITON AP-DATA CVE-2015-2763 (Unspecified vulnerability in Websense TRITON AP-EMAIL before 8.0.0 has ...) NOT-FOR-US: Websense TRITON AP-EMAIL CVE-2015-2762 (Websense TRITON AP-WEB before 8.0.0 allows remote attackers to enumera ...) NOT-FOR-US: Websense TRITON AP-WEB CVE-2015-2761 (Cross-site scripting (XSS) vulnerability in the Exceptions and Scannin ...) NOT-FOR-US: Websense TRITON AP-WEB CVE-2015-2760 (Cross-site scripting (XSS) vulnerability in the ePO extension in McAfe ...) NOT-FOR-US: McAfee CVE-2015-2759 (Multiple cross-site request forgery (CSRF) vulnerabilities in the ePO ...) NOT-FOR-US: McAfee CVE-2015-2758 (The ePO extension in McAfee Data Loss Prevention Endpoint (DLPe) befor ...) NOT-FOR-US: McAfee CVE-2015-2757 (The ePO extension in McAfee Data Loss Prevention Endpoint (DLPe) befor ...) NOT-FOR-US: McAfee CVE-2014-9712 (Websense TRITON V-Series appliances before 7.8.3 Hotfix 03 and 7.8.4 b ...) NOT-FOR-US: Websense TRITON V-Series appliances CVE-2013-7438 (Multiple buffer overflows in pbm212030 allow remote attackers to cause ...) NOT-FOR-US: pbm2l2030 NOTE: http://www.openprinting.org/driver/pbm2l2030/ (typo in the official CVE description) CVE-2015-XXXX [crashes found with afl] - hp2xx 3.4.4-10 (low) [wheezy] - hp2xx 3.4.4-8+deb7u1 [squeeze] - hp2xx (Minor issue) CVE-2015-2793 (Cross-site scripting (XSS) vulnerability in templates/openid-selector. ...) - ikiwiki 3.20141016.2 (bug #781483) [wheezy] - ikiwiki 3.20120629.2 [squeeze] - ikiwiki (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/03/30/5 CVE-2015-2806 (Stack-based buffer overflow in asn1_der_decoding in libtasn1 before 4. ...) {DSA-3220-1 DLA-195-1} [experimental] - libtasn1-6 4.4-1 - libtasn1-6 4.2-3 - libtasn1-3 NOTE: https://gitlab.com/gnutls/libtasn1/commit/4d4f992826a4962790ecd0cce6fbba4a415ce149 NOTE: http://www.openwall.com/lists/oss-security/2015/03/29/4 NOTE: Only in the asn1 definition parser, not in the asn1 parser itself NOTE: https://lists.gnu.org/archive/html/help-libtasn1/2015-01/msg00000.html CVE-2013-7441 (The modern style negotiation in Network Block Device (nbd-server) 2.9. ...) {DSA-3271-1} - nbd 1:3.4-1 (bug #781547) [squeeze] - nbd (Named export introduced in 2.9.17) NOTE: http://www.openwall.com/lists/oss-security/2015/05/19/6 CVE-2015-2787 (Use-after-free vulnerability in the process_nested_data function in ex ...) {DSA-3198-1 DLA-212-1} - php5 5.6.7+dfsg-1 NOTE: https://bugs.php.net/68976 CVE-2015-2782 (Buffer overflow in Open-source ARJ archiver 3.10.22 allows remote atta ...) {DSA-3213-1 DLA-188-1} - arj 3.10.22-13 (bug #774015) NOTE: http://www.openwall.com/lists/oss-security/2015/03/28/5 CVE-2015-2756 (QEMU, as used in Xen 3.3.x through 4.5.x, does not properly restrict a ...) {DSA-3259-1 DLA-479-1} - xen 4.2.0~rc2-1 (bug #781620) [squeeze] - xen (Not supported in Squeeze LTS) - qemu 1:2.3+dfsg-3 [wheezy] - qemu (Vulnerable code not present) [squeeze] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: http://xenbits.xen.org/xsa/advisory-126.html CVE-2015-2755 (Multiple cross-site request forgery (CSRF) vulnerabilities in the AB G ...) NOT-FOR-US: AB Google Map Travel (AB-MAP) plugin for WordPress CVE-2015-2752 (The XEN_DOMCTL_memory_mapping hypercall in Xen 3.2.x through 4.5.x, wh ...) {DLA-479-1} - xen 4.4.1-9 (bug #781620) [squeeze] - xen (Not supported in Squeeze LTS) NOTE: http://xenbits.xen.org/xsa/advisory-125.html CVE-2015-2751 (Xen 4.3.x, 4.4.x, and 4.5.x, when using toolstack disaggregation, allo ...) - xen 4.4.1-9 (bug #781620) [wheezy] - xen (Affected functionality introduced in 4.2) [squeeze] - xen (Affected functionality introduced in 4.2) NOTE: http://xenbits.xen.org/xsa/advisory-127.html CVE-2015-2748 (Websense TRITON AP-WEB before 8.0.0 does not properly restrict access ...) NOT-FOR-US: Websense TRITON AP-WEB CVE-2015-2747 (Multiple cross-site scripting (XSS) vulnerabilities in the data loss p ...) NOT-FOR-US: Websense Triton CVE-2015-2746 (The network diagnostics tool (CommandLineServlet) in the Appliance Man ...) NOT-FOR-US: Websense TRITON CVE-2010-5323 (Directory traversal vulnerability in UploadServlet in the Remote Manag ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2015-2774 (Erlang/OTP before 18.0-rc1 does not properly check CBC padding bytes w ...) - erlang 1:17.3-dfsg-4 (low; bug #781839) [squeeze] - erlang (Minor issue) [wheezy] - erlang (Minor issue) NOTE: http://www.erlang.org/news/85 NOTE: CVE about "ssl: ... added padding check for TLS-1.0 due to the Poodle vulnerability." NOTE: https://github.com/erlang/otp/commit/e53c55dd0ab69982bc511396ccf8655d27c6d38c CVE-2015-2745 (Multiple cross-site scripting (XSS) vulnerabilities in the Search app ...) NOT-FOR-US: Mozilla Firefox OS CVE-2015-2744 (Cross-site scripting (XSS) vulnerability in the Search app in Gaia in ...) NOT-FOR-US: Mozilla Firefox OS CVE-2015-2743 (PDF.js in Mozilla Firefox before 39.0 and Firefox ESR 31.x before 31.8 ...) {DSA-3300-1} - iceweasel 38.1.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-69/ CVE-2015-2742 (Mozilla Firefox before 39.0 on OS X includes native key press informat ...) - iceweasel (OS X specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-68/ CVE-2015-2741 (Mozilla Firefox before 39.0, Firefox ESR 38.x before 38.1, and Thunder ...) - iceweasel 38.1.0esr-1 [squeeze] - iceweasel [jessie] - iceweasel (Only affects Firefox 38 and later) [wheezy] - iceweasel (Only affects Firefox 38 and later) - icedove 38.1.0-1 [squeeze] - icedove [jessie] - icedove (Only affects Thunderbird 38 and later) [wheezy] - icedove (Only affects Thunderbird 38 and later) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-67/ CVE-2015-2740 (Buffer overflow in the nsXMLHttpRequest::AppendToResponseText function ...) {DSA-3324-1 DSA-3300-1} - iceweasel 38.1.0esr-1 [squeeze] - iceweasel - icedove 38.1.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-66/ CVE-2015-2739 (The ArrayBufferBuilder::append function in Mozilla Firefox before 39.0 ...) {DSA-3324-1 DSA-3300-1} - iceweasel 38.1.0esr-1 [squeeze] - iceweasel - icedove 38.1.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-66/ CVE-2015-2738 (The YCbCrImageDataDeserializer::ToDataSourceSurface function in the YC ...) {DSA-3324-1 DSA-3300-1} - iceweasel 38.1.0esr-1 [squeeze] - iceweasel - icedove 38.1.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-66/ CVE-2015-2737 (The rx::d3d11::SetBufferData function in the Direct3D 11 implementatio ...) {DSA-3324-1 DSA-3300-1} - iceweasel 38.1.0esr-1 [squeeze] - iceweasel - icedove 38.1.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-66/ CVE-2015-2736 (The nsZipArchive::BuildFileList function in Mozilla Firefox before 39. ...) {DSA-3324-1 DSA-3300-1} - iceweasel 38.1.0esr-1 [squeeze] - iceweasel - icedove 38.1.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-66/ CVE-2015-2735 (nsZipArchive.cpp in Mozilla Firefox before 39.0, Firefox ESR 31.x befo ...) {DSA-3324-1 DSA-3300-1} - iceweasel 38.1.0esr-1 [squeeze] - iceweasel - icedove 38.1.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-66/ CVE-2015-2734 (The CairoTextureClientD3D9::BorrowDrawTarget function in the Direct3D ...) {DSA-3324-1 DSA-3300-1} - iceweasel 38.1.0esr-1 [squeeze] - iceweasel - icedove 38.1.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-66/ CVE-2015-2733 (Use-after-free vulnerability in the CanonicalizeXPCOMParticipant funct ...) - iceweasel 38.1.0esr-1 [jessie] - iceweasel (Only affects Firefox 38 and later) [wheezy] - iceweasel (Only affects Firefox 38 and later) [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-65/ CVE-2015-2732 RESERVED CVE-2015-2731 (Use-after-free vulnerability in the CSPService::ShouldLoad function in ...) {DSA-3300-1} - iceweasel 38.1.0esr-1 [squeeze] - iceweasel - icedove 38.1.0-1 [jessie] - icedove (Does not affect 31.x ESR Thunderbird) [wheezy] - icedove (Does not affect 31.x ESR Thunderbird) [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-63/ CVE-2015-2730 (Mozilla Network Security Services (NSS) before 3.19.1, as used in Mozi ...) {DSA-3336-1 DLA-315-1} - nss 2:3.19.1-1 - iceweasel 38.1.0esr-1 [jessie] - iceweasel (Only affects Firefox 38 and later) [wheezy] - iceweasel (Only affects Firefox 38 and later) [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-64/ NOTE: https://hg.mozilla.org/projects/nss/rev/fc6870938172 NOTE: https://hg.mozilla.org/projects/nss/rev/2c05e861ce07 CVE-2015-2729 (The AudioParamTimeline::AudioNodeInputValue function in the Web Audio ...) - iceweasel 38.1.0esr-1 [jessie] - iceweasel (Only affects Firefox 38 and later) [wheezy] - iceweasel (Only affects Firefox 38 and later) [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-62/ CVE-2015-2728 (The IndexedDatabaseManager class in the IndexedDB implementation in Mo ...) {DSA-3300-1} - iceweasel 38.1.0esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-61/ CVE-2015-2727 (Mozilla Firefox 38.0 and Firefox ESR 38.0 allow user-assisted remote a ...) - iceweasel 38.1.0esr-1 [jessie] - iceweasel (Only affects Firefox 38 and later) [wheezy] - iceweasel (Only affects Firefox 38 and later) [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-60/ CVE-2015-2726 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel 38.1.0esr-1 [squeeze] - iceweasel [jessie] - iceweasel (Only affects Firefox 39) [wheezy] - iceweasel (Only affects Firefox 39) - icedove 38.1.0-1 [squeeze] - icedove [jessie] - icedove (Only affects Icedove 39) [wheezy] - icedove (Only affects Icedove 39) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-59/ CVE-2015-2725 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel 38.1.0esr-1 [squeeze] - iceweasel [jessie] - iceweasel (Only affects Firefox 38 and later) [wheezy] - iceweasel (Only affects Firefox 38 and later) - icedove 38.1.0-1 [squeeze] - icedove [jessie] - icedove (Only affects Icedove 38 and later) [wheezy] - icedove (Only affects Icedove 38 and later) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-59/ CVE-2015-2724 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-3324-1 DSA-3300-1} - iceweasel 38.1.0esr-1 [squeeze] - iceweasel - icedove 38.1.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-59/ CVE-2015-2723 REJECTED CVE-2015-2722 (Use-after-free vulnerability in the CanonicalizeXPCOMParticipant funct ...) - iceweasel 38.1.0esr-1 [jessie] - iceweasel (Only affects Firefox 38 and later) [wheezy] - iceweasel (Only affects Firefox 38 and later) [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-65/ CVE-2015-2721 (Mozilla Network Security Services (NSS) before 3.19, as used in Mozill ...) {DSA-3336-1 DSA-3324-1 DSA-3300-1 DLA-315-1} - nss 2:3.19.1-1 NOTE: NSS patch: https://hg.mozilla.org/projects/nss/rev/6b4770c76bc8 NOTE: NSS testcase: https://hg.mozilla.org/projects/nss/rev/1865635f5df5 - iceweasel 38.1.0esr-1 [squeeze] - iceweasel - icedove 38.1.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-71/ CVE-2015-2720 (The update implementation in Mozilla Firefox before 38.0 on Windows do ...) - iceweasel (Only affects Windows) CVE-2015-2719 RESERVED CVE-2015-2718 (The WebChannel.jsm module in Mozilla Firefox before 38.0 allows remote ...) - iceweasel 38.0-1 [jessie] - iceweasel (Only affects 37.x) [wheezy] - iceweasel (Only affects 37.x) [squeeze] - iceweasel (Only affects 37.x) CVE-2015-2717 (Integer overflow in libstagefright in Mozilla Firefox before 38.0 allo ...) - iceweasel 38.0-1 [jessie] - iceweasel (Only affects 37.x) [wheezy] - iceweasel (Only affects 37.x) [squeeze] - iceweasel (Only affects 37.x) CVE-2015-2716 (Buffer overflow in the XML parser in Mozilla Firefox before 38.0, Fire ...) {DSA-3264-1 DSA-3260-1} - iceweasel 38.0-1 [squeeze] - iceweasel - icedove 31.7.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-54/ CVE-2015-2715 (Race condition in the nsThreadManager::RegisterCurrentThread function ...) - iceweasel 38.0-1 [jessie] - iceweasel (Only affects 37.x) [wheezy] - iceweasel (Only affects 37.x) [squeeze] - iceweasel (Only affects 37.x) CVE-2015-2714 (Mozilla Firefox before 38.0 on Android does not properly restrict writ ...) - iceweasel (Only affects Firefox on Android) CVE-2015-2713 (Use-after-free vulnerability in the SetBreaks function in Mozilla Fire ...) {DSA-3264-1 DSA-3260-1} - iceweasel 38.0-1 [squeeze] - iceweasel - icedove 31.7.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-51/ CVE-2015-2712 (The asm.js implementation in Mozilla Firefox before 38.0 does not prop ...) - iceweasel 38.0-1 [jessie] - iceweasel (Only affects 37.x) [wheezy] - iceweasel (Only affects 37.x) [squeeze] - iceweasel (Only affects 37.x) CVE-2015-2711 (Mozilla Firefox before 38.0 does not recognize a referrer policy deliv ...) - iceweasel 38.0-1 [jessie] - iceweasel (Only affects 37.x) [wheezy] - iceweasel (Only affects 37.x) [squeeze] - iceweasel (Only affects 37.x) CVE-2015-2710 (Heap-based buffer overflow in the SVGTextFrame class in Mozilla Firefo ...) {DSA-3264-1 DSA-3260-1} - iceweasel 38.0-1 [squeeze] - iceweasel - icedove 31.7.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-48/ CVE-2015-2709 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel 38.0-1 [jessie] - iceweasel (Only affects 37.x) [wheezy] - iceweasel (Only affects 37.x) [squeeze] - iceweasel (Only affects 37.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-46/ CVE-2015-2708 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-3264-1 DSA-3260-1} - iceweasel 38.0-1 [squeeze] - iceweasel - icedove 31.7.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-46/ CVE-2015-2707 RESERVED CVE-2015-2706 (Race condition in the AsyncPaintWaitEvent::AsyncPaintWaitEvent functio ...) [experimental] - iceweasel 37.0.2-1 - iceweasel (Only affects 37.x series) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-45/ CVE-2015-2705 RESERVED CVE-2015-2703 (Multiple cross-site scripting (XSS) vulnerabilities in Websense TRITON ...) NOT-FOR-US: Websense CVE-2015-2702 (Cross-site scripting (XSS) vulnerability in the Message Log in the Ema ...) NOT-FOR-US: Websense CVE-2015-2701 (Cross-site request forgery (CSRF) vulnerability in CS-Cart 4.2.4 allow ...) NOT-FOR-US: CS-Cart CVE-2014-9713 (The default slapd configuration in the Debian openldap package 2.4.23- ...) {DSA-3209-1 DLA-203-1} - openldap 2.4.40-2 (bug #761406) CVE-2014-9711 (Multiple cross-site scripting (XSS) vulnerabilities in the Investigati ...) NOT-FOR-US: Websense CVE-2015-2700 RESERVED CVE-2015-2699 RESERVED CVE-2015-2698 (The iakerb_gss_export_sec_context function in lib/gssapi/krb5/iakerb.c ...) - krb5 1.13.2+dfsg-4 [jessie] - krb5 (Only affected when applying original patch for CVE-2015-2696 only) [wheezy] - krb5 (Only affected when applying original patch for CVE-2015-2696 only) [squeeze] - krb5 (Vulnerable code not present) NOTE: Upstream ticket: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8273 NOTE: https://github.com/krb5/krb5/commit/3db8dfec1ef50ddd78d6ba9503185995876a39fd CVE-2015-2697 (The build_principal_va function in lib/krb5/krb/bld_princ.c in MIT Ker ...) {DSA-3395-2 DSA-3395-1 DLA-340-1} - krb5 1.13.2+dfsg-3 (bug #803088) NOTE: https://github.com/krb5/krb5/commit/f0c094a1b745d91ef2f9a4eae2149aac026a5789 NOTE: Upstream ticket: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8252 CVE-2015-2696 (lib/gssapi/krb5/iakerb.c in MIT Kerberos 5 (aka krb5) before 1.14 reli ...) {DSA-3395-1} - krb5 1.13.2+dfsg-3 (bug #803084) [squeeze] - krb5 (Vulnerable code not present) NOTE: https://github.com/krb5/krb5/commit/e04f0283516e80d2f93366e0d479d13c9b5c8c2a NOTE: Upstream ticket: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8244 CVE-2015-2695 (lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) before 1. ...) {DSA-3395-1 DLA-340-1} - krb5 1.13.2+dfsg-3 (bug #803083) NOTE: https://github.com/krb5/krb5/commit/b51b33f2bc5d1497ddf5bd107f791c101695000d NOTE: Upstream ticket: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8244 CVE-2015-2694 (The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x ...) - krb5 1.12.1+dfsg-20 (bug #783557) [jessie] - krb5 1.12.1+dfsg-19+deb8u3 [wheezy] - krb5 (Minor issue and can be fixed in a future DSA) [squeeze] - krb5 (Minor issue and can be fixed in a future DSA) NOTE: Upstream ticket: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8160 NOTE: Upstream commit: https://github.com/krb5/krb5/commit/e3b5a5e5267818c97750b266df50b6a3d4649604 NOTE: wheezy marked as no-dsa since OTP plugin not present. But the issue NOTE: might affect any out-of-tree plugins with similar bug as the OTP NOTE: has. Thus basicaly only krb5/1.12 is affected. CVE-2015-2693 RESERVED CVE-2015-2692 (AdBlock before 2.21 allows remote attackers to block arbitrary resourc ...) NOT-FOR-US: AdBlock CVE-2015-2691 RESERVED CVE-2015-2690 (Multiple cross-site scripting (XSS) vulnerabilities in views/add-licen ...) NOT-FOR-US: Digium Addons module for FreePBX CVE-2015-2704 (realmd allows remote attackers to inject arbitrary configurations in t ...) - realmd 0.16.0-1 (bug #781179) [jessie] - realmd (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=89207 CVE-2015-2776 (The parse_SST function in FreeXL before 1.0.0i allows remote attackers ...) {DSA-3208-1} [experimental] - freexl 1.0.1-1~exp1 - freexl 1.0.0g-1+deb8u1 (bug #781228) NOTE: Reproducer: https://www.dropbox.com/s/gh61gzaf8jj30hj/freexl_6889d18b?dl=0 CVE-2015-2754 (FreeXL before 1.0.0i allows remote attackers to cause a denial of serv ...) {DSA-3208-1} [experimental] - freexl 1.0.1-1~exp1 - freexl 1.0.0g-1+deb8u1 (bug #781228) NOTE: Reproducer: https://www.dropbox.com/s/66srfory903w6cl/freexl_d7273f72?dl=0 CVE-2015-2753 (FreeXL before 1.0.0i allows remote attackers to cause a denial of serv ...) {DSA-3208-1} [experimental] - freexl 1.0.1-1~exp1 - freexl 1.0.0g-1+deb8u1 (bug #781228) NOTE: Reproducer: https://www.dropbox.com/s/3htzndywvtmomlx/freexl_9f74b0e8?dl=0 CVE-2015-2685 RESERVED CVE-2015-2683 (Citrix Command Center before 5.1 Build 35.4 and 5.2 before Build 42.7 ...) NOT-FOR-US: Citrix Command Center CVE-2015-2682 (Citrix Command Center before 5.1 Build 35.4 and 5.2 before Build 42.7 ...) NOT-FOR-US: Citrix Command Center CVE-2015-2681 (Multiple cross-site scripting (XSS) vulnerabilities in the ASUS RT-G32 ...) NOT-FOR-US: Asus CVE-2015-2680 (Cross-site request forgery (CSRF) vulnerability in MetalGenix GeniXCMS ...) NOT-FOR-US: MetalGenix GeniXCMS CVE-2015-2679 (Multiple SQL injection vulnerabilities in MetalGenix GeniXCMS before 0 ...) NOT-FOR-US: MetalGenix GeniXCMS CVE-2015-2678 (Multiple cross-site scripting (XSS) vulnerabilities in MetalGenix Geni ...) NOT-FOR-US: MetalGenix GeniXCMS CVE-2015-2677 (Multiple cross-site scripting (XSS) vulnerabilities in ocPortal before ...) - ocportal (bug #625865) CVE-2015-2676 (Cross-site request forgery (CSRF) vulnerability in the ASUS RT-G32 rou ...) NOT-FOR-US: Asus CVE-2015-2689 (Tor before 0.2.4.26 and 0.2.5.x before 0.2.5.11 does not properly hand ...) {DSA-3203-1 DLA-178-1} - tor 0.2.5.11-1 NOTE: https://bugs.torproject.org/14129 CVE-2015-2688 (buf_pullup in Tor before 0.2.4.26 and 0.2.5.x before 0.2.5.11 does not ...) {DSA-3203-1 DLA-178-1} - tor 0.2.5.11-1 NOTE: https://trac.torproject.org/projects/tor/ticket/15083 CVE-2015-2687 (OpenStack Compute (nova) Icehouse, Juno and Havana when live migration ...) - nova 2014.1-1 [wheezy] - nova (Minor issue) NOTE: This is no longer a security issue starting with icehouse, so marking 2014.1 as fixed NOTE: https://bugs.launchpad.net/nova/+bug/1419577 CVE-2015-2673 (The ec_ajax_update_option and ec_ajax_clear_all_taxrates functions in ...) NOT-FOR-US: WP EasyCart plugin for Wordpress CVE-2015-2671 RESERVED CVE-2015-2670 REJECTED CVE-2015-2669 RESERVED CVE-2015-2668 (ClamAV before 0.98.7 allows remote attackers to cause a denial of serv ...) {DLA-233-1} - clamav 0.98.7+dfsg-1 [jessie] - clamav 0.98.7+dfsg-0+deb8u1 [wheezy] - clamav 0.98.7+dfsg-0+deb7u1 CVE-2015-2667 (Untrusted search path vulnerability in GNS3 1.2.3 allows local users t ...) - gns3 (Windows specific) CVE-2015-2665 (Cross-site scripting (XSS) vulnerability in Cacti before 0.8.8d allows ...) {DSA-3295-1 DLA-255-1} - cacti 0.8.8d+ds1-1 NOTE: http://www.fortiguard.com/advisory/FG-VD-15-017/ NOTE: http://bugs.cacti.net/view.php?id=2542 (bug is not yet accessible) NOTE: http://svn.cacti.net/viewvc/cacti/tags/0.8.8d/graphs.php?r1=7716&r2=7717&view=patch CVE-2015-2664 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45 allow ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2015-2663 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle Supply Chain CVE-2015-2662 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11.2 allows loc ...) NOT-FOR-US: Solaris DHCP (dhcpagent) CVE-2015-2661 (Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier al ...) - mysql-5.6 5.6.25-2 - mysql-5.5 (Only 5.6 series) NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL CVE-2015-2660 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle Supply Chain CVE-2015-2659 (Unspecified vulnerability in Oracle Java SE 8u45 and Java SE Embedded ...) - openjdk-6 (Only affects Java 8) - openjdk-7 (Only affects Java 8) - openjdk-8 8u66-b01-1 CVE-2015-2658 (Unspecified vulnerability in the Web Cache component in Oracle Fusion ...) NOT-FOR-US: Oracle Fusion CVE-2015-2657 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle Supply Chain CVE-2015-2656 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...) NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability) CVE-2015-2655 (Unspecified vulnerability in the Application Express component in Orac ...) NOT-FOR-US: Oracle Database Server CVE-2015-2654 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...) NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability) CVE-2015-2653 (Unspecified vulnerability in the Oracle Commerce Guided Search / Oracl ...) NOT-FOR-US: Oracle Commerce CVE-2015-2652 (Unspecified vulnerability in the Oracle Marketing component in Oracle ...) NOT-FOR-US: Oracle E-Business CVE-2015-2651 (Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local user ...) NOT-FOR-US: Solaris Virtualized NIC Driver CVE-2015-2650 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft CVE-2015-2649 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...) NOT-FOR-US: Oracle Seibel CRM CVE-2015-2648 (Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier an ...) {DSA-3311-1 DSA-3308-1 DLA-359-1} - mysql-5.6 5.6.25-2 - mysql-5.5 (bug #792445) - mariadb-10.0 10.0.20-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL CVE-2015-2647 (Unspecified vulnerability in the Enterprise Manager for Oracle Databas ...) NOT-FOR-US: Oracle Database CVE-2015-2646 (Unspecified vulnerability in the Enterprise Manager for Oracle Databas ...) NOT-FOR-US: Oracle Database CVE-2015-2645 (Unspecified vulnerability in the Oracle Web Applications Desktop Integ ...) NOT-FOR-US: Oracle E-Business CVE-2015-2644 (Unspecified vulnerability in the Oracle Agile PLM Framework component ...) NOT-FOR-US: Oracle Supply Chain CVE-2015-2643 (Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier an ...) {DSA-3311-1 DSA-3308-1 DLA-359-1} - mysql-5.6 5.6.25-2 - mysql-5.5 (bug #792445) - mariadb-10.0 10.0.20-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL CVE-2015-2642 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11.2 allows loc ...) NOT-FOR-US: Oracle Sun Solaris CVE-2015-2641 (Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier al ...) - mysql-5.6 5.6.25-2 - mysql-5.5 (Only 5.6 series) NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL CVE-2015-2640 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...) NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability) CVE-2015-2639 (Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier al ...) - mysql-5.6 5.6.25-2 - mysql-5.5 (Only 5.6 series) NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL CVE-2015-2638 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; Java ...) - openjdk-6 (Specific to Oracle Java, not present in IcedTea) - openjdk-7 (Specific to Oracle Java, not present in IcedTea) - openjdk-8 (Specific to Oracle Java, not present in IcedTea) NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA CVE-2015-2637 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; Java ...) - openjdk-6 (Specific to Oracle Java, not present in IcedTea) - openjdk-7 (Specific to Oracle Java, not present in IcedTea) - openjdk-8 (Specific to Oracle Java, not present in IcedTea) NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA CVE-2015-2636 (Unspecified vulnerability in the Oracle Data Integrator component in O ...) NOT-FOR-US: Oracle Fusion CVE-2015-2635 (Unspecified vulnerability in the Oracle Data Integrator component in O ...) NOT-FOR-US: Oracle Fusion CVE-2015-2634 (Unspecified vulnerability in the Oracle Data Integrator component in O ...) NOT-FOR-US: Oracle Fusion CVE-2015-2633 (Unspecified vulnerability in the Enterprise Manager Ops Center compone ...) NOT-FOR-US: Oracle Enterprise Manager Grid Control CVE-2015-2632 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45 allow ...) {DSA-3725-1 DSA-3339-1 DSA-3316-1 DLA-545-1 DLA-381-1 DLA-303-1} [experimental] - openjdk-6 6b36-1.13.8-1 - openjdk-6 - openjdk-7 7u79-2.5.6-1 - openjdk-8 8u66-b01-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA NOTE: "Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets." - icu 55.1-7 NOTE: http://bugs.icu-project.org/trac/ticket/11865 (not yet public) CVE-2015-2631 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11.2 allows loc ...) NOT-FOR-US: Solaris (rmformat) CVE-2015-2630 (Unspecified vulnerability in the Technology stack component in Oracle ...) NOT-FOR-US: Oracle E-Business CVE-2015-2629 (Unspecified vulnerability in the Java VM component in Oracle Database ...) NOT-FOR-US: Oracle Database Server CVE-2015-2628 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and ...) {DSA-3339-1 DSA-3316-1 DLA-303-1} [experimental] - openjdk-6 6b36-1.13.8-1 - openjdk-6 - openjdk-7 7u79-2.5.6-1 - openjdk-8 8u66-b01-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA NOTE: "Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets." CVE-2015-2627 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45 allow ...) - openjdk-6 (Specific to Java client installer) - openjdk-7 (Specific to Java client installer) - openjdk-8 (Specific to Java client installer) CVE-2015-2626 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...) NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability) CVE-2015-2625 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; JRoc ...) {DSA-3339-1 DSA-3316-1 DLA-303-1} [experimental] - openjdk-6 6b36-1.13.8-1 - openjdk-6 - openjdk-7 7u79-2.5.6-1 - openjdk-8 8u66-b01-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA NOTE: "Applies to client and server deployment of JSSE." CVE-2015-2624 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...) NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability) CVE-2015-2623 (Unspecified vulnerability in the Oracle GlassFish Server component in ...) - glassfish (Full application server not packaged) CVE-2015-2622 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft CVE-2015-2621 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and ...) {DSA-3339-1 DSA-3316-1 DLA-303-1} [experimental] - openjdk-6 6b36-1.13.8-1 - openjdk-6 - openjdk-7 7u79-2.5.6-1 - openjdk-8 8u66-b01-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA NOTE: "Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets." CVE-2015-2620 (Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier an ...) {DSA-3308-1 DLA-359-1} - mysql-5.6 5.6.25-2 - mysql-5.5 (bug #792445) - mariadb-10.0 10.0.20-1 [jessie] - mariadb-10.0 10.0.20-0+deb8u1 NOTE: Possibly related to https://github.com/mysql/mysql-server/commit/fdae90dd NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL CVE-2015-2619 (Unspecified vulnerability in Oracle Java SE 7u80 and 8u45, JavaFX 2.2. ...) - openjdk-7 (Specific to Oracle Java, not present in IcedTea) - openjdk-8 (Specific to Oracle Java, not present in IcedTea) CVE-2015-2618 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business CVE-2015-2617 (Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier al ...) - mysql-5.6 5.6.25-2 - mysql-5.5 (Only 5.6 series) NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL CVE-2015-2616 (Unspecified vulnerability in Oracle Sun Solaris 3.3 and 4.2 allows loc ...) NOT-FOR-US: Oracle Sun Solaris CVE-2015-2615 (Unspecified vulnerability in the Oracle Applications Framework compone ...) NOT-FOR-US: Oracle E-Business CVE-2015-2614 (Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local user ...) NOT-FOR-US: Solaris (NVM Express Driver) CVE-2015-2613 (Unspecified vulnerability in Oracle Java SE 7u80 and 8u45, and Java SE ...) {DSA-3339-1 DSA-3316-1} - openjdk-6 (Does not apply to OpenJDK 6.x, only 7.x and 8.x) - openjdk-7 7u79-2.5.6-1 - openjdk-8 8u66-b01-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA NOTE: "Applies to client and server deployment of Java." CVE-2015-2612 (Unspecified vulnerability in the Siebel Core - Server OM Svcs componen ...) NOT-FOR-US: Oracle Seibel CMS CVE-2015-2611 (Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier al ...) - mysql-5.6 5.6.25-2 - mysql-5.5 (Only 5.6 series) NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL CVE-2015-2610 (Unspecified vulnerability in the Oracle Applications Framework compone ...) NOT-FOR-US: Oracle E-Business CVE-2015-2609 (Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local user ...) NOT-FOR-US: Solaris (performance counters) CVE-2015-2608 (Unspecified vulnerability in (1) the Oracle Communications Diameter Si ...) NOT-FOR-US: Oracle Communications Applications CVE-2015-2607 (Unspecified vulnerability in the Oracle Commerce Guided Search / Oracl ...) NOT-FOR-US: Oracle Commerce CVE-2015-2606 (Unspecified vulnerability in the Oracle Endeca Information Discovery S ...) NOT-FOR-US: Oracle Fusion CVE-2015-2605 (Unspecified vulnerability in the Oracle Endeca Information Discovery S ...) NOT-FOR-US: Oracle Fusion CVE-2015-2604 (Unspecified vulnerability in the Oracle Endeca Information Discovery S ...) NOT-FOR-US: Oracle Fusion CVE-2015-2603 (Unspecified vulnerability in the Oracle Endeca Information Discovery S ...) NOT-FOR-US: Oracle Fusion CVE-2015-2602 (Unspecified vulnerability in the Oracle Endeca Information Discovery S ...) NOT-FOR-US: Oracle Fusion CVE-2015-2601 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, JRoc ...) {DSA-3339-1 DSA-3316-1 DLA-303-1} [experimental] - openjdk-6 6b36-1.13.8-1 - openjdk-6 - openjdk-7 7u79-2.5.6-1 - openjdk-8 8u66-b01-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA NOTE: "Applies to client and server deployment of Java." CVE-2015-2600 (Unspecified vulnerability in the Siebel Core - Server OM Svcs componen ...) NOT-FOR-US: Oracle Siebel CMS CVE-2015-2599 (Unspecified vulnerability in the RDBMS Scheduler component in Oracle D ...) NOT-FOR-US: Oracle Database Server CVE-2015-2598 (Unspecified vulnerability in the mobile app in Oracle Business Intelli ...) NOT-FOR-US: Oracle Fusion CVE-2015-2597 (Unspecified vulnerability in Oracle Java SE 7u80 and 8u45 allows local ...) - openjdk-6 (Specific to MacOS X) - openjdk-7 (Specific to MacOS X) - openjdk-8 (Specific to MacOS X) CVE-2015-2596 (Unspecified vulnerability in Oracle Java SE 7u80 allows remote attacke ...) - openjdk-7 (Specific to Oracle Java, not present in IcedTea) CVE-2015-2595 (Unspecified vulnerability in the Oracle OLAP component in Oracle Datab ...) NOT-FOR-US: Oracle Database Server CVE-2015-2594 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) {DSA-3359-1 DLA-313-1} - virtualbox 4.3.30-dfsg-1 (bug #792446) - virtualbox-ose [squeeze] - virtualbox-ose (Bridged networking over wifi is unlikely to be used in production and vulnerability is not a remote one) NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixOVIR NOTE: "This issue affects Windows, Linux and Mac OS X hosts only when guests using bridged networking over Wifi." CVE-2015-2593 (Unspecified vulnerability in the Oracle Access Manager component in Or ...) NOT-FOR-US: Oracle Fusion CVE-2015-2592 (Unspecified vulnerability in the Hyperion Enterprise Performance Manag ...) NOT-FOR-US: Oracle Hyperion CVE-2015-2591 (Unspecified vulnerability in the PeopleSoft Enterprise Portal - Intera ...) NOT-FOR-US: PeopleSoft CVE-2015-2590 (Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and ...) {DSA-3339-1 DSA-3316-1 DLA-303-1} [experimental] - openjdk-6 6b36-1.13.8-1 - openjdk-6 - openjdk-7 7u79-2.5.6-1 - openjdk-8 8u66-b01-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA NOTE: "Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets." CVE-2015-2589 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11.2 allows loc ...) NOT-FOR-US: Solaris CVE-2015-2588 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft CVE-2015-2587 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...) NOT-FOR-US: Oracle Siebel CMS CVE-2015-2586 (Unspecified vulnerability in the Application Express component in Orac ...) NOT-FOR-US: Oracle Database Server CVE-2015-2585 (Unspecified vulnerability in the Application Express component in Orac ...) NOT-FOR-US: Oracle Database Server CVE-2015-2584 (Unspecified vulnerability in the Hyperion Enterprise Performance Manag ...) NOT-FOR-US: Oracle Hyperion CVE-2015-2583 (Unspecified vulnerability in the Data Store component in Oracle Berkel ...) NOT-FOR-US: Oracle Berkeley DB (Unspecified vulnerability) CVE-2015-2582 (Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier an ...) {DSA-3311-1 DSA-3308-1 DLA-359-1} - mysql-5.6 5.6.25-2 - mysql-5.5 (bug #792445) - mariadb-10.0 10.0.20-1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL CVE-2015-2581 (Unspecified vulnerability in the Oracle Secure Global Desktop componen ...) NOT-FOR-US: Oracle Virtualization CVE-2015-2580 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11.2 allows loc ...) NOT-FOR-US: Oracle Sun Solaris CVE-2015-2579 (Unspecified vulnerability in the Oracle Health Sciences Argus Safety c ...) NOT-FOR-US: Oracle CVE-2015-2578 (Unspecified vulnerability in Oracle Sun Solaris 11.2 allows remote att ...) NOT-FOR-US: Oracle Sun Solaris CVE-2015-2577 (Unspecified vulnerability in Oracle Sun Solaris 10 allows local users ...) NOT-FOR-US: Oracle Sun Solaris CVE-2015-2576 (Unspecified vulnerability in the MySQL Utilities component in Oracle M ...) NOT-FOR-US: MySQL Utilities component of MySQL on Windows CVE-2015-2575 (Unspecified vulnerability in the MySQL Connectors component in Oracle ...) {DSA-3621-1 DLA-526-1} - mysql-connector-java 5.1.37-1 CVE-2015-2574 (Unspecified vulnerability in Oracle Sun Solaris 10 allows local users ...) NOT-FOR-US: Oracle Sun Solaris CVE-2015-2573 (Unspecified vulnerability in Oracle MySQL Server 5.5.41 and earlier, a ...) {DSA-3311-1 DSA-3229-1 DLA-359-1} - mysql-5.5 5.5.42-1 - mariadb-10.0 10.0.17-1 - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL CVE-2015-2572 (Unspecified vulnerability in the Oracle Hyperion Smart View for Office ...) NOT-FOR-US: Oracle CVE-2015-2571 (Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, a ...) {DSA-3311-1 DSA-3229-1 DLA-359-1} - mysql-5.5 (bug #782645) [jessie] - mysql-5.5 5.5.43-0+deb8u1 - mariadb-10.0 10.0.19-1 - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL CVE-2015-2570 (Unspecified vulnerability in the Oracle Demand Planning component in O ...) NOT-FOR-US: Oracle CVE-2015-2569 REJECTED CVE-2015-2568 (Unspecified vulnerability in Oracle MySQL Server 5.5.41 and earlier, a ...) {DSA-3311-1 DSA-3229-1 DLA-359-1} - mysql-5.5 5.5.42-1 - mariadb-10.0 10.0.17-1 - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL CVE-2015-2567 (Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier al ...) - mysql-5.5 (Only affects 5.6) - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL CVE-2015-2566 (Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier al ...) - mysql-5.5 (Only affects 5.6) - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL CVE-2015-2565 (Unspecified vulnerability in the Oracle Installed Base component in Or ...) NOT-FOR-US: Oracle CVE-2015-2564 (SQL injection vulnerability in client-edit.php in ProjectSend (formerl ...) NOT-FOR-US: ProjectSend CVE-2015-2563 (SQL injection vulnerability in groups.php in Vastal I-Tech phpVID 0.9. ...) NOT-FOR-US: Vastal I-Tech phpVID CVE-2015-2562 (Multiple SQL injection vulnerabilities in the Web-Dorado ECommerce WD ...) NOT-FOR-US: Joomla component com_ecommercewd CVE-2015-2561 RESERVED CVE-2015-2560 (Manage Engine Desktop Central 9 before build 90135 allows remote attac ...) NOT-FOR-US: Manage Engine Desktop Central CVE-2015-2558 (Use-after-free vulnerability in Microsoft Excel 2007 SP3, Excel 2010 S ...) NOT-FOR-US: Microsoft CVE-2015-2557 (Buffer overflow in Microsoft Visio 2007 SP3 and 2010 SP2 allows remote ...) NOT-FOR-US: Microsoft CVE-2015-2556 (The InfoPath Forms Services component in Microsoft SharePoint Server 2 ...) NOT-FOR-US: Microsoft CVE-2015-2555 (Use-after-free vulnerability in Microsoft Excel 2010 SP2, Excel 2013 S ...) NOT-FOR-US: Microsoft CVE-2015-2554 (The kernel in Microsoft Windows 8, Windows 8.1, Windows Server 2012 Go ...) NOT-FOR-US: Microsoft Windows CVE-2015-2553 (The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2015-2552 (The kernel in Microsoft Windows 8, Windows 8.1, Windows Server 2012 Go ...) NOT-FOR-US: Microsoft Windows CVE-2015-2551 REJECTED CVE-2015-2550 (The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2015-2549 (The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2015-2548 (Use-after-free vulnerability in the Tablet Input Band in Windows Shell ...) NOT-FOR-US: Microsoft Windows CVE-2015-2547 REJECTED CVE-2015-2546 (The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft Windows CVE-2015-2545 (Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1, and 2013 RT SP1 allows ...) NOT-FOR-US: Microsoft Office CVE-2015-2544 (Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) i ...) NOT-FOR-US: Microsoft OWA CVE-2015-2543 (Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) i ...) NOT-FOR-US: Microsoft OWA CVE-2015-2542 (Microsoft Internet Explorer 10 and 11 and Microsoft Edge allow remote ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2541 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2540 REJECTED CVE-2015-2539 REJECTED CVE-2015-2538 REJECTED CVE-2015-2537 REJECTED CVE-2015-2536 (Cross-site scripting (XSS) vulnerability in Microsoft Lync Server 2013 ...) NOT-FOR-US: Microsoft Lync CVE-2015-2535 (Active Directory in Microsoft Windows Server 2008 SP2 and R2 SP1 and S ...) NOT-FOR-US: Microsoft Windows CVE-2015-2534 (Hyper-V in Microsoft Windows 8.1, Windows Server 2012 R2, and Windows ...) NOT-FOR-US: Microsoft Windows CVE-2015-2533 REJECTED CVE-2015-2532 (Cross-site scripting (XSS) vulnerability in Microsoft Lync Server 2013 ...) NOT-FOR-US: Microsoft Lync CVE-2015-2531 (Cross-site scripting (XSS) vulnerability in the jQuery engine in Micro ...) NOT-FOR-US: Microsoft Lync CVE-2015-2530 (Windows Journal in Microsoft Windows Vista SP2, Windows Server 2008 SP ...) NOT-FOR-US: Microsoft Windows CVE-2015-2529 (The kernel in Microsoft Windows 8.1, Windows Server 2012 R2, Windows R ...) NOT-FOR-US: Microsoft Windows CVE-2015-2528 (Microsoft Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Win ...) NOT-FOR-US: Microsoft Windows CVE-2015-2527 (The process-initialization implementation in win32k.sys in the kernel- ...) NOT-FOR-US: Microsoft Windows CVE-2015-2526 (Microsoft .NET Framework 4.5, 4.5.1, 4.5.2, and 4.6 allows remote atta ...) NOT-FOR-US: Microsoft .NET Framework CVE-2015-2525 (Task Scheduler in Microsoft Windows Vista SP2, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft Windows CVE-2015-2524 (Microsoft Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Win ...) NOT-FOR-US: Microsoft Windows CVE-2015-2523 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 R ...) NOT-FOR-US: Microsoft Excel CVE-2015-2522 (Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Found ...) NOT-FOR-US: Microsoft SharePoint CVE-2015-2521 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Office Compatibility Pack SP ...) NOT-FOR-US: Microsoft Excel CVE-2015-2520 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel for Mac 2011 and 2016, ...) NOT-FOR-US: Microsoft Excel CVE-2015-2519 (Integer overflow in Windows Journal in Microsoft Windows Vista SP2, Wi ...) NOT-FOR-US: Microsoft Windows CVE-2015-2518 (The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft Windows CVE-2015-2517 (The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft Windows CVE-2015-2516 (Windows Journal in Microsoft Windows Vista SP2, Windows Server 2008 SP ...) NOT-FOR-US: Microsoft Windows CVE-2015-2515 (Use-after-free vulnerability in Windows Shell in Microsoft Windows Vis ...) NOT-FOR-US: Microsoft Windows CVE-2015-2514 (Windows Journal in Microsoft Windows Vista SP2, Windows Server 2008 SP ...) NOT-FOR-US: Microsoft Windows CVE-2015-2513 (Windows Journal in Microsoft Windows Vista SP2, Windows Server 2008 SP ...) NOT-FOR-US: Microsoft Windows CVE-2015-2512 (The Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows ...) NOT-FOR-US: Microsoft Windows CVE-2015-2511 (The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft Windows CVE-2015-2510 (Buffer overflow in the Adobe Type Manager Library in Microsoft Windows ...) NOT-FOR-US: Microsoft Windows CVE-2015-2509 (Windows Media Center in Microsoft Windows Vista SP2, Windows 7 SP1, Wi ...) NOT-FOR-US: Microsoft Windows CVE-2015-2508 (The Adobe Type Manager Library in Microsoft Windows 10 allows local us ...) NOT-FOR-US: Microsoft Windows CVE-2015-2507 (The Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows ...) NOT-FOR-US: Microsoft Windows CVE-2015-2506 (atmfd.dll in the Adobe Type Manager Library in Microsoft Windows Vista ...) NOT-FOR-US: Microsoft Windows CVE-2015-2505 (Outlook Web Access (OWA) in Microsoft Exchange Server 2013 Cumulative ...) NOT-FOR-US: Microsoft Exchange CVE-2015-2504 (Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, 4.5.2, an ...) NOT-FOR-US: Microsoft .NET Framework CVE-2015-2503 (Microsoft Access 2007 SP3, Excel 2007 SP3, InfoPath 2007 SP3, OneNote ...) NOT-FOR-US: Microsoft CVE-2015-2502 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2501 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2500 (Microsoft Internet Explorer 7 and 8 allows remote attackers to execute ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2499 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2498 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2497 REJECTED CVE-2015-2496 REJECTED CVE-2015-2495 REJECTED CVE-2015-2494 (Microsoft Internet Explorer 7 through 11 and Microsoft Edge allow remo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2493 (The (1) VBScript and (2) JScript engines in Microsoft Internet Explore ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2492 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2491 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2490 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2489 (Microsoft Internet Explorer 11 allows remote attackers to gain privile ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2488 REJECTED CVE-2015-2487 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2486 (Microsoft Internet Explorer 7 through 11 and Microsoft Edge allow remo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2485 (Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2484 (Microsoft Internet Explorer 10 and 11 uses an incorrect flag during ce ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2483 (Microsoft Internet Explorer 10 and 11 allows remote attackers to obtai ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2482 (The Microsoft (1) VBScript 5.7 and 5.8 and (2) JScript 5.7 and 5.8 eng ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2481 (The RyuJIT compiler in Microsoft .NET Framework 4.6 produces incorrect ...) NOT-FOR-US: Microsoft .NET Framework CVE-2015-2480 (The RyuJIT compiler in Microsoft .NET Framework 4.6 produces incorrect ...) NOT-FOR-US: Microsoft .NET Framework CVE-2015-2479 (The RyuJIT compiler in Microsoft .NET Framework 4.6 produces incorrect ...) NOT-FOR-US: Microsoft .NET Framework CVE-2015-2478 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft Windows CVE-2015-2477 (Microsoft Office 2007 SP3, Office for Mac 2011, Office for Mac 2016, a ...) NOT-FOR-US: Microsoft Office CVE-2015-2476 (The WebDAV client in Microsoft Windows Vista SP2, Windows Server 2008 ...) NOT-FOR-US: Microsoft Windows CVE-2015-2475 (Cross-site scripting (XSS) vulnerability in uddi/search/frames.aspx in ...) NOT-FOR-US: Microsoft Windows CVE-2015-2474 (Microsoft Windows Vista SP2 and Server 2008 SP2 allow remote authentic ...) NOT-FOR-US: Microsoft Windows CVE-2015-2473 (Untrusted search path vulnerability in the client in Remote Desktop Pr ...) NOT-FOR-US: Microsoft Windows CVE-2015-2472 (Remote Desktop Session Host (RDSH) in Remote Desktop Protocol (RDP) th ...) NOT-FOR-US: Microsoft Windows CVE-2015-2471 (Microsoft XML Core Services 3.0, 5.0, and 6.0 supports SSL 2.0, which ...) NOT-FOR-US: Microsoft XML Core Services CVE-2015-2470 (Integer underflow in Microsoft Office 2007 SP3, Office 2010 SP2, Offic ...) NOT-FOR-US: Microsoft Office CVE-2015-2469 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, and Office fo ...) NOT-FOR-US: Microsoft Office CVE-2015-2468 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1 ...) NOT-FOR-US: Microsoft Office CVE-2015-2467 (Microsoft Office 2007 SP3 allows remote attackers to execute arbitrary ...) NOT-FOR-US: Microsoft Office CVE-2015-2466 (Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1, and 2013 RT SP1 allows ...) NOT-FOR-US: Microsoft Office CVE-2015-2465 (The Windows shell in Microsoft Windows Vista SP2, Windows Server 2008 ...) NOT-FOR-US: Microsoft Windows CVE-2015-2464 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft Windows CVE-2015-2463 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft Windows CVE-2015-2462 (ATMFD.DLL in the Windows Adobe Type Manager Library in Microsoft Windo ...) NOT-FOR-US: Microsoft Windows CVE-2015-2461 (ATMFD.DLL in the Windows Adobe Type Manager Library in Microsoft Windo ...) NOT-FOR-US: Microsoft Windows CVE-2015-2460 (ATMFD.DLL in the Windows Adobe Type Manager Library in Microsoft Windo ...) NOT-FOR-US: Microsoft Windows CVE-2015-2459 (ATMFD.DLL in the Windows Adobe Type Manager Library in Microsoft Windo ...) NOT-FOR-US: Microsoft Windows CVE-2015-2458 (ATMFD.DLL in the Windows Adobe Type Manager Library in Microsoft Windo ...) NOT-FOR-US: Microsoft Windows CVE-2015-2457 REJECTED CVE-2015-2456 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft Windows CVE-2015-2455 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft Windows CVE-2015-2454 (The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft Windows CVE-2015-2453 (The Client/Server Run-time Subsystem (CSRSS) in Microsoft Windows Vist ...) NOT-FOR-US: Microsoft Windows CVE-2015-2452 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2451 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2450 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2449 (Microsoft Internet Explorer 7 through 11 and Edge allow remote attacke ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2448 (Microsoft Internet Explorer 9 and 10 allows remote attackers to execut ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2447 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2446 (Microsoft Internet Explorer 11 and Edge allow remote attackers to exec ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2445 (Microsoft Internet Explorer 10 allows remote attackers to bypass the A ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2444 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2443 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2442 (Microsoft Internet Explorer 8 through 11 and Edge allow remote attacke ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2441 (Microsoft Internet Explorer 7 through 11 and Edge allow remote attacke ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2440 (Microsoft XML Core Services 3.0, 5.0, and 6.0 allows remote attackers ...) NOT-FOR-US: Mirosoft XML Core Services CVE-2015-2439 REJECTED CVE-2015-2438 REJECTED CVE-2015-2437 REJECTED CVE-2015-2436 REJECTED CVE-2015-2435 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft Windows CVE-2015-2434 (Microsoft XML Core Services 3.0 and 5.0 supports SSL 2.0, which makes ...) NOT-FOR-US: Mirosoft XML Core Services CVE-2015-2433 (The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2015-2432 (ATMFD.DLL in the Windows Adobe Type Manager Library in Microsoft Windo ...) NOT-FOR-US: Microsoft Windows CVE-2015-2431 (Microsoft Office 2007 SP3 and 2010 SP2, Live Meeting 2007 Console, Lyn ...) NOT-FOR-US: Mirosoft Office CVE-2015-2430 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft Windows CVE-2015-2429 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft Windows CVE-2015-2428 (Object Manager in Microsoft Windows Vista SP2, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft Windows CVE-2015-2427 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft CVE-2015-2426 (Buffer underflow in atmfd.dll in the Windows Adobe Type Manager Librar ...) NOT-FOR-US: Microsoft Adobe Type Manager Library CVE-2015-2425 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2424 (Microsoft PowerPoint 2007 SP3, Word 2007 SP3, PowerPoint 2010 SP2, Wor ...) NOT-FOR-US: Microsoft CVE-2015-2423 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft Windows CVE-2015-2422 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2421 (Microsoft Internet Explorer 6 through 11 allows remote attackers to by ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2420 (Cross-site scripting (XSS) vulnerability in Microsoft System Center 20 ...) NOT-FOR-US: Microsoft System Center CVE-2015-2419 (JScript 9 in Microsoft Internet Explorer 10 and 11 allows remote attac ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2418 (Race condition in Microsoft Malicious Software Removal Tool (MSRT) bef ...) NOT-FOR-US: Microsoft MSRT CVE-2015-2417 (OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows S ...) NOT-FOR-US: Microsoft Windows CVE-2015-2416 (OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows S ...) NOT-FOR-US: Microsoft Windows CVE-2015-2415 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 R ...) NOT-FOR-US: Microsoft Excel CVE-2015-2414 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ob ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2413 (Microsoft Internet Explorer 6 through 11 allows remote attackers to de ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2412 (Microsoft Internet Explorer 10 and 11 allows remote attackers to read ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2411 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2410 (Microsoft Internet Explorer 6 through 11 allows remote attackers to de ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2409 REJECTED CVE-2015-2408 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2407 REJECTED CVE-2015-2406 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2405 REJECTED CVE-2015-2404 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2403 (Microsoft Internet Explorer 8 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2402 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ga ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2401 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2400 REJECTED CVE-2015-2399 REJECTED CVE-2015-2398 (Microsoft Internet Explorer 8 through 11 allows remote attackers to by ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2397 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2396 REJECTED CVE-2015-2395 REJECTED CVE-2015-2394 REJECTED CVE-2015-2393 REJECTED CVE-2015-2392 REJECTED CVE-2015-2391 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2390 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2389 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2388 (Microsoft Internet Explorer 8 and 9 allows remote attackers to execute ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2387 (ATMFD.DLL in the Adobe Type Manager Font Driver in Microsoft Windows S ...) NOT-FOR-US: Microsoft Windows CVE-2015-2386 REJECTED CVE-2015-2385 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2384 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2383 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-2382 (win32k.sys in the kernel-mode drivers in Microsoft Windows 8, Windows ...) NOT-FOR-US: Microsoft Windows CVE-2015-2381 (win32k.sys in the kernel-mode drivers in Microsoft Windows 8, Windows ...) NOT-FOR-US: Microsoft Windows CVE-2015-2380 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1 ...) NOT-FOR-US: Microsoft Office CVE-2015-2379 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1 ...) NOT-FOR-US: Microsoft Office CVE-2015-2378 (Untrusted search path vulnerability in Microsoft Excel 2007 SP3, Excel ...) NOT-FOR-US: Microsoft Excel CVE-2015-2377 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 R ...) NOT-FOR-US: Microsoft Excel CVE-2015-2376 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 R ...) NOT-FOR-US: Microsoft Excel CVE-2015-2375 (Microsoft Excel 2010 SP2, Excel 2013 SP1, Excel 2013 RT SP1, Excel Vie ...) NOT-FOR-US: Microsoft Excel CVE-2015-2374 (The Netlogon service in Microsoft Windows Server 2003 SP2 and R2 SP2, ...) NOT-FOR-US: Microsoft Windows CVE-2015-2373 (The Remote Desktop Protocol (RDP) server service in Microsoft Windows ...) NOT-FOR-US: Microsoft Windows CVE-2015-2372 (vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Inter ...) NOT-FOR-US: Microsoft VBScript CVE-2015-2371 (The Windows Installer service in Microsoft Windows Server 2003 SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2015-2370 (The authentication implementation in the RPC subsystem in Microsoft Wi ...) NOT-FOR-US: Microsoft Windows CVE-2015-2369 (Untrusted search path vulnerability in Windows Media Device Manager in ...) NOT-FOR-US: Microsoft Windows CVE-2015-2368 (Untrusted search path vulnerability in Microsoft Windows 7 SP1, Window ...) NOT-FOR-US: Microsoft Windows CVE-2015-2367 (win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 ...) NOT-FOR-US: Microsoft Windows CVE-2015-2366 (win32k.sys in the kernel-mode drivers in Microsoft Windows 7 SP1, Wind ...) NOT-FOR-US: Microsoft Windows CVE-2015-2365 (win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 ...) NOT-FOR-US: Microsoft Windows CVE-2015-2364 (The graphics component in Microsoft Windows Server 2003 SP2 and R2 SP2 ...) NOT-FOR-US: Microsoft Windows CVE-2015-2363 (win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 ...) NOT-FOR-US: Microsoft Windows CVE-2015-2362 (Hyper-V in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 8, Wi ...) NOT-FOR-US: Microsoft Windows CVE-2015-2361 (Hyper-V in Microsoft Windows 8.1 and Windows Server 2012 R2 does not p ...) NOT-FOR-US: Microsoft Windows CVE-2015-2360 (win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 ...) NOT-FOR-US: Microsoft Windows Server CVE-2015-2359 (Cross-site scripting (XSS) vulnerability in the web applications in Mi ...) NOT-FOR-US: Microsoft Exchange Server CVE-2015-2358 RESERVED CVE-2015-2357 RESERVED CVE-2015-2356 RESERVED CVE-2015-2355 RESERVED CVE-2015-2354 RESERVED CVE-2015-2353 RESERVED CVE-2015-2352 (The cache handler in MyBB (aka MyBulletinBoard) before 1.8.4 does not ...) NOT-FOR-US: MyBB CVE-2015-2351 (Multiple cross-site scripting (XSS) vulnerabilities in Alkacon OpenCms ...) NOT-FOR-US: Alkacon OpenCms CVE-2015-2350 (Cross-site request forgery (CSRF) vulnerability in MikroTik RouterOS 5 ...) NOT-FOR-US: MikroTik RouterOS CVE-2015-2349 (Cross-site scripting (XSS) vulnerability in defaultnewsletter.php in S ...) NOT-FOR-US: SuperWebMailer CVE-2014-9708 (Embedthis Appweb before 4.6.6 and 5.x before 5.2.1 allows remote attac ...) NOT-FOR-US: Appweb Web Server CVE-2014-9707 (EmbedThis GoAhead 3.0.0 through 3.4.1 does not properly handle path se ...) NOT-FOR-US: GoAhead Web Server CVE-2014-9710 (The Btrfs implementation in the Linux kernel before 3.19 does not ensu ...) - linux 3.16.7-ckt9-1 [wheezy] - linux (btrfs in 3.2 is just a tech preview and not usable for production) - linux-2.6 [squeeze] - linux-2.6 (btrfs in 2.6.32 is just a tech preview and not usable for production) NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5f5bc6b1e2d5a6f827bc860ef2dc5b6f365d1339 (v3.19-rc1) NOTE: http://www.openwall.com/lists/oss-security/2015/03/24/11 CVE-2014-9718 (The (1) BMDMA and (2) AHCI HBA interfaces in the IDE functionality in ...) {DSA-3259-1} - qemu 1:2.3+dfsg-1 (unimportant; bug #781250) [wheezy] - qemu (Can be fixed along in later update) - qemu-kvm (unimportant) [wheezy] - qemu-kvm (Can be fixed along in later update) NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=3251bdcf1c67427d964517053c3d185b46e618e8 (v2.2.0-rc2) NOTE: http://www.openwall.com/lists/oss-security/2015/03/24/4 NOTE: Per maintainer not a security issue: NOTE: Qemu either leaks memory or loops infinitely. Memory leakage can be easily NOTE: mitigated using some kind of resource limits in security-sensitive environments, NOTE: and looping can trivially be done inside the virtual machine just fine, achieving NOTE: the same effect CVE-2015-2686 (net/socket.c in the Linux kernel 3.19 before 3.19.3 does not validate ...) - linux (Introduced in 3.19, never uploaded to unstable) - linux-2.6 (Introduced in 3.19, never uploaded to unstable) NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4de930efc23b92ddf88ce91c405ee645fe6e27ea CVE-2015-XXXX [Insufficient escaping in user manager allows XSS attack] - dokuwiki 0.0.20140929.d-1 (bug #780817) [jessie] - dokuwiki (Minor issue) [wheezy] - dokuwiki (Minor issue) [squeeze] - dokuwiki (Minor issue) CVE-2015-6674 (Buffer underflow vulnerability in the Debian inspircd package before 2 ...) {DSA-3226-1 DLA-276-1} - inspircd 2.0.16-1 (bug #780880) NOTE: Correct fix: https://github.com/inspircd/inspircd/commit/ed28c1ba666b39581adb860bf51cdde43c84cc89 NOTE: http://www.openwall.com/lists/oss-security/2015/03/29/5 CVE-2012-6696 (inspircd in Debian before 2.0.7 does not properly handle unsigned inte ...) {DSA-3226-1 DLA-276-1} - inspircd 2.0.16-1 (bug #780880) NOTE: Correct fix: https://github.com/inspircd/inspircd/commit/ed28c1ba666b39581adb860bf51cdde43c84cc89 NOTE: http://www.openwall.com/lists/oss-security/2015/03/29/5 CVE-2012-6697 (InspIRCd before 2.0.7 allows remote attackers to cause a denial of ser ...) {DSA-3226-1 DLA-276-1} - inspircd 2.0.16-1 (bug #780880) NOTE: https://github.com/inspircd/inspircd/commit/58c893e834ff20495d007709220881a3ff13f423 NOTE: http://www.openwall.com/lists/oss-security/2015/03/29/5 CVE-2015-2788 (Multiple stack-based buffer overflows in the ib_fill_isqlda function i ...) {DSA-3219-1} - libdbd-firebird-perl 1.18-2 (bug #780925) NOTE: http://www.openwall.com/lists/oss-security/2015/03/30/4 CVE-2015-4148 (The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5 ...) {DLA-307-1} - php5 5.6.7+dfsg-1 [wheezy] - php5 5.4.39-0+deb7u1 NOTE: https://bugs.php.net/bug.php?id=69085 NOTE: http://www.openwall.com/lists/oss-security/2015/03/20/14 CVE-2015-4147 (The SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39, ...) {DLA-307-1} - php5 5.6.7+dfsg-1 [wheezy] - php5 5.4.39-0+deb7u1 NOTE: https://bugs.php.net/bug.php?id=69085 NOTE: http://www.openwall.com/lists/oss-security/2015/03/20/14 CVE-2015-2779 (Stack consumption vulnerability in the message splitting functionality ...) - quassel 1:0.10.0-2.3 (bug #781024) [wheezy] - quassel (According to upstream issue isn't triggerable in 0.8) [squeeze] - quassel (According to upstream issue isn't triggerable in 0.6) NOTE: https://github.com/quassel/quassel/commit/b5e38970ffd55e2dd9f706ce75af9a8d7730b1b8 NOTE: http://www.openwall.com/lists/oss-security/2015/03/20/12 CVE-2015-2778 (Quassel before 0.12-rc1 uses an incorrect data-type size when splittin ...) - quassel 1:0.10.0-2.3 (bug #781024) [wheezy] - quassel (According to upstream issue isn't triggerable in 0.8) [squeeze] - quassel (According to upstream issue isn't triggerable in 0.6) NOTE: https://github.com/quassel/quassel/commit/b5e38970ffd55e2dd9f706ce75af9a8d7730b1b8 NOTE: http://www.openwall.com/lists/oss-security/2015/03/20/12 CVE-2014-9706 (The build_index_from_tree function in index.py in Dulwich before 0.9.9 ...) {DSA-3206-1} - dulwich 0.10.1-1 (bug #780989) [jessie] - dulwich 0.9.7-3 [squeeze] - dulwich (Repo.checkout (later renamed to build_index_from_tree) introduced past 0.6.1) NOTE: Patch: https://git.samba.org/?p=jelmer/dulwich.git;a=commitdiff;h=091638be3c89f46f42c3b1d57dc1504af5729176 NOTE: http://www.openwall.com/lists/oss-security/2015/03/21/1 CVE-2015-2348 (The move_uploaded_file implementation in ext/standard/basic_functions. ...) {DSA-3198-1 DLA-444-1} - php5 5.6.7+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=69207 CVE-2015-2347 (Cross-site scripting (XSS) vulnerability in Huawei SEQ Analyst before ...) NOT-FOR-US: Huawei SEQ Analyst CVE-2015-2346 (XML external entity (XXE) vulnerability in Huawei SEQ Analyst before V ...) NOT-FOR-US: Huawei CVE-2015-2345 REJECTED CVE-2015-2344 (Cross-site scripting (XSS) vulnerability in VMware vRealize Automation ...) NOT-FOR-US: VMware vRealize Automation CVE-2015-2343 REJECTED CVE-2015-2342 (The JMX RMI service in VMware vCenter Server 5.0 before u3e, 5.1 befor ...) NOT-FOR-US: VMware CVE-2015-2341 (VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.6, ...) NOT-FOR-US: VMware CVE-2015-2340 (TPInt.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 11. ...) NOT-FOR-US: VMware CVE-2015-2339 (TPview.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 11 ...) NOT-FOR-US: VMware CVE-2015-2338 (TPview.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 11 ...) NOT-FOR-US: VMware CVE-2015-2337 (TPInt.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 11. ...) NOT-FOR-US: VMware CVE-2015-2336 (TPView.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 11 ...) NOT-FOR-US: VMware CVE-2015-2335 (A JSON library in MyBB (aka MyBulletinBoard) before 1.8.4 allows remot ...) NOT-FOR-US: MyBB CVE-2015-2334 (Cross-site request forgery (CSRF) vulnerability in the Admin Control P ...) NOT-FOR-US: MyBB CVE-2015-2333 (Cross-site scripting (XSS) vulnerability in the MyCode editor in MyBB ...) NOT-FOR-US: MyBB CVE-2015-2332 (Cross-site scripting (XSS) vulnerability in member.php in MyBB (aka My ...) NOT-FOR-US: MyBB CVE-2015-2559 (Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated ...) {DSA-3200-1} - drupal7 7.32-1+deb8u2 (bug #780772) - drupal6 [squeeze] - drupal6 NOTE: https://www.drupal.org/SA-CORE-2015-001 NOTE: http://cgit.drupalcode.org/drupal/commit/?id=8e54eca05a65c6231b02510e1917af0c9191e549 CVE-2015-2750 (Open redirect vulnerability in URL-related API functions in Drupal 6.x ...) {DSA-3200-1} - drupal7 7.32-1+deb8u2 (bug #780772) - drupal6 [squeeze] - drupal6 NOTE: https://www.drupal.org/SA-CORE-2015-001 NOTE: http://cgit.drupalcode.org/drupal/commit/includes/menu.inc?h=6.x&id=8ffc5db3c0ab926f3d4b2cf8bc51714c8c0f3c93 NOTE: http://cgit.drupalcode.org/drupal/commit/includes/common.inc?h=7.x&id=b44056d2f8e8c71d35c85ec5c2fb8f7c8a02d8a8 CVE-2015-2749 (Open redirect vulnerability in Drupal 6.x before 6.35 and 7.x before 7 ...) {DSA-3200-1} - drupal7 7.32-1+deb8u2 (bug #780772) - drupal6 [squeeze] - drupal6 NOTE: https://www.drupal.org/SA-CORE-2015-001 NOTE: http://www.openwall.com/lists/oss-security/2015/03/19/5 CVE-2015-2329 (Cross-site scripting (XSS) vulnerability in the WooCommerce plugin bef ...) NOT-FOR-US: WooCommerce plugin for WordPress CVE-2015-2328 (PCRE before 8.36 mishandles the /((?(R)a|(?1)))+/ pattern and related ...) - mongodb (unimportant) NOTE: CVE for bundled version of pcre3 in mongodb NOTE: https://jira.mongodb.org/browse/SERVER-17252 NOTE: Since 1:2.0.0-1 mongodb uses the system pcre3 - pcre3 2:8.35-7.2 (low) [jessie] - pcre3 2:8.35-3.3+deb8u2 [wheezy] - pcre3 (Minor issue) [squeeze] - pcre3 (Minor issue) NOTE: https://bugs.exim.org/show_bug.cgi?id=1515 NOTE: Fixed by: http://vcs.pcre.org/pcre?view=revision&revision=1498 NOTE: http://www.openwall.com/lists/oss-security/2015/05/31/4 CVE-2015-2327 (PCRE before 8.36 mishandles the /(((a\2)|(a*)\g<-1>))*/ pattern ...) - mongodb (unimportant) NOTE: CVE for bundled version of pcre3 in mongodb NOTE: https://jira.mongodb.org/browse/SERVER-17252 NOTE: Since 1:2.0.0-1 mongodb uses the system pcre3 - pcre3 2:8.35-7.2 (low) [jessie] - pcre3 2:8.35-3.3+deb8u1 [wheezy] - pcre3 (Minor issue) [squeeze] - pcre3 (Minor issue) NOTE: https://bugs.exim.org/show_bug.cgi?id=1503 NOTE: Fixed by: http://vcs.pcre.org/pcre?view=revision&revision=1495 NOTE: http://www.openwall.com/lists/oss-security/2015/05/31/5 CVE-2015-2326 (The pcre_compile2 function in PCRE before 8.37 allows context-dependen ...) - pcre3 2:8.35-7.2 (bug #783285) [jessie] - pcre3 2:8.35-3.3+deb8u1 [wheezy] - pcre3 (Vulnerable code introuced while refactoring between 8.33 and 8.36) [squeeze] - pcre3 (Vulnerable code introuced while refactoring between 8.33 and 8.36) NOTE: http://bugs.exim.org/show_bug.cgi?id=1592 NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1529 NOTE: Reproduced invalid read in pcre3/2:8.35-3.3 NOTE: Issue introduced as a side effect of refactoring happened between 8.33 and 8.36 CVE-2015-2325 (The compile_branch function in PCRE before 8.37 allows context-depende ...) - pcre3 2:8.35-7.2 (unimportant; bug #781795) [jessie] - pcre3 2:8.35-3.3+deb8u1 NOTE: http://bugs.exim.org/show_bug.cgi?id=1591 NOTE: Fixed by: http://vcs.pcre.org/pcre?view=revision&revision=1528 NOTE: Reproducer leads to "Failed: internal error: previously-checked referenced subpattern not found at offset 17" NOTE: Upstream claims that it should though be the same bug: NOTE: http://bugs.exim.org/show_bug.cgi?id=1591#c1 NOTE: Comment from upstream: Probably every version since the support for forward referencing NOTE: was introduced is affected. CVE-2015-2324 (Cross-site scripting (XSS) vulnerability in the filemanager in the Pho ...) NOT-FOR-US: filemanager in the Photo Gallery plugin for WordPress CVE-2015-2323 (FortiOS 5.0.x before 5.0.12 and 5.2.x before 5.2.4 supports anonymous, ...) NOT-FOR-US: FortiOS CVE-2015-2322 RESERVED CVE-2015-2321 (Cross-site scripting (XSS) vulnerability in the Job Manager plugin 0.7 ...) NOT-FOR-US: WordPress plugin job-mnager CVE-2015-2317 (The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1. ...) {DSA-3204-1 DLA-272-1} - python-django 1.7.7-1 (bug #780873) [squeeze] - python-django (Minor issue, can wait next security upload) NOTE: https://github.com/django/django/commit/2342693b31f740a422abf7267c53b4e7bc487c1b (1.4.x) NOTE: https://github.com/django/django/commit/2a4113dbd532ce952308992633d802dc169a75f1 (1.7.x) CVE-2015-2316 (The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7. ...) - python-django 1.7.7-1 (bug #780874) [wheezy] - python-django (vulnerable code not present) [squeeze] - python-django (vulnerable code not present) NOTE: https://github.com/django/django/commit/e63363f8e075fa8d66326ad6a1cc3391cc95cd97 (1.7.x) CVE-2015-2315 (Cross-site scripting (XSS) vulnerability in the WPML plugin before 3.1 ...) NOT-FOR-US: WordPress plugin wpml CVE-2015-2314 (SQL injection vulnerability in the WPML plugin before 3.1.9 for WordPr ...) NOT-FOR-US: WordPress plugin wpml CVE-2012-6690 RESERVED CVE-2015-XXXX [nasal scripts can ready any file] - flightgear-data 3.0.0-3 (bug #780716) CVE-2015-XXXX [permissive file access allowed from nasal] - flightgear 3.0.0-5 (bug #780712) [squeeze] - flightgear 1.9.1-1.1+deb6u11 NOTE: workaround entry for DLA 318-1 until/if CVE assigned CVE-2015-2666 (Stack-based buffer overflow in the get_matching_model_microcode functi ...) - linux 3.16.7-ckt9-1 [wheezy] - linux (Introduced in 3.9) - linux-2.6 (Introduced in 3.9) NOTE: Introduced by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ec400ddeff200b068ddc6c70f7321f49ecf32ed5 (v3.9-rc1) NOTE: Fixed by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f84598bd7c851f8b0bf8cd0d7c3be0d73c432ff4 (v4.0-rc1) NOTE: http://www.openwall.com/lists/oss-security/2015/03/18/7 CVE-2015-2684 (Shibboleth Service Provider (SP) before 2.5.4 allows remote authentica ...) {DSA-3207-1 DLA-259-1} - shibboleth-sp2 2.5.3+dfsg-2 NOTE: http://shibboleth.net/community/advisories/secadv_20150319.txt CVE-2015-2672 (The xsave/xrstor implementation in arch/x86/include/asm/xsave.h in the ...) - linux - linux-2.6 NOTE: Introduced by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f31a9f7c71691569359fa7fb8b0acaa44bce0324 (v3.17-rc1) NOTE: Fixed by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit?id=06c8173eb92bbfc03a0fe8bb64315857d0badd06 (v4.0-rc3) NOTE: http://www.openwall.com/lists/oss-security/2015/03/18/6 CVE-2015-2331 (Integer overflow in the _zip_cdir_new function in zip_dirent.c in libz ...) {DSA-3198-1 DLA-212-1} - php5 5.6.7+dfsg-1 (bug #780713) - libzip 0.11.2-1.2 (bug #780756) [wheezy] - libzip (Vulnerable code introduced with added Zip64 support in 0.11) [squeeze] - libzip (Vulnerable code introduced with added Zip64 support in 0.11) NOTE: https://bugs.php.net/bug.php?id=69253 NOTE: https://github.com/php/php-src/commit/ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5 NOTE: http://www.openwall.com/lists/oss-security/2015/03/18/1 NOTE: libzip patch: http://hg.nih.at/libzip/rev/9f11d54f692e CVE-2015-2330 (Late TLS certificate verification in WebKitGTK+ prior to 2.6.6 allows ...) - webkitgtk 2.4.9-1 (unimportant) [jessie] - webkitgtk 2.4.9-1~deb8u1 NOTE: Not covered by security support CVE-2015-2309 [Unsafe methods in the Request class] RESERVED - symfony 2.3.21+dfsg-4 CVE-2015-2308 (Eval injection vulnerability in the HttpCache class in HttpKernel in S ...) - symfony 2.3.21+dfsg-4 CVE-2015-2307 RESERVED CVE-2015-2306 RESERVED CVE-2015-2320 (The TLS stack in Mono before 3.12.1 allows remote attackers to have un ...) {DSA-3202-1 DLA-176-1} - mono 3.2.8+dfsg-10 (bug #780751) NOTE: https://github.com/mono/mono/commit/b371da6b2d68b4cdd0f21d6342af6c42794f998b CVE-2015-2319 (The TLS stack in Mono before 3.12.1 makes it easier for remote attacke ...) {DSA-3202-1 DLA-176-1} - mono 3.2.8+dfsg-10 (bug #780751) NOTE: https://github.com/mono/mono/commit/9c38772f094168d8bfd5bc73bf8925cd04faad10 NOTE: Patch for versions earlier than 3.4: https://gist.github.com/directhex/728af6f96d1b8c976659 CVE-2015-2318 (The TLS stack in Mono before 3.12.1 allows man-in-the-middle attackers ...) {DSA-3202-1 DLA-176-1} - mono 3.2.8+dfsg-10 (bug #780751) NOTE: https://github.com/mono/mono/commit/1509226c41d74194c146deb173e752b8d3cdeec4 NOTE: Patch for versions earlier than 3.4: https://gist.github.com/directhex/f8c6e67f551d8a608154 CVE-2015-2303 REJECTED CVE-2015-2302 REJECTED CVE-2015-2300 RESERVED CVE-2015-2299 RESERVED CVE-2015-2295 (Cross-site request forgery (CSRF) vulnerability in system_firmware_res ...) NOT-FOR-US: pfSense CVE-2015-2294 (Multiple cross-site scripting (XSS) vulnerabilities in the WebGUI in p ...) NOT-FOR-US: pfSense CVE-2015-2293 (Multiple cross-site request forgery (CSRF) vulnerabilities in admin/cl ...) NOT-FOR-US: WordPress plugin wordpress-seo CVE-2015-2292 (Multiple SQL injection vulnerabilities in admin/class-bulk-editor-list ...) NOT-FOR-US: WordPress plugin wordpress-seo CVE-2015-2291 ((1) IQVW32.sys before 1.3.1.0 and (2) IQVW64.sys before 1.3.1.0 in the ...) NOT-FOR-US: Intel Ethernet diagnostics driver for Windows CVE-2015-2290 RESERVED CVE-2015-2288 RESERVED CVE-2014-9704 RESERVED CVE-2014-9703 RESERVED CVE-2014-9702 (system/classes/DbPDO.php in Cmfive through 2015-03-15, when database c ...) NOT-FOR-US: Cmfive CVE-2014-9700 RESERVED CVE-2014-9699 (The MakerBot Replicator 5G printer runs an Apache HTTP Server with dir ...) NOT-FOR-US: MakerBot Replicator 5G printer CVE-2014-9698 RESERVED CVE-2015-2313 (Sandstorm Cap'n Proto before 0.4.1.1 and 0.5.x before 0.5.1.2, when an ...) - capnproto 0.4.1-3 (bug #780568) CVE-2015-2312 (Sandstorm Cap'n Proto before 0.4.1.1 and 0.5.x before 0.5.1.1 allows r ...) - capnproto 0.4.1-3 (bug #780567) CVE-2015-2311 (Integer underflow in Sandstorm Cap'n Proto before 0.4.1.1 and 0.5.x be ...) - capnproto 0.4.1-3 (bug #780566) CVE-2015-2310 (Integer overflow in layout.c++ in Sandstorm Cap'n Proto before 0.4.1.1 ...) - capnproto 0.4.1-3 (bug #780565) CVE-2015-8856 (Cross-site scripting (XSS) vulnerability in the serve-index package be ...) - node-serve-index 1.9.1-1 (unimportant) NOTE: libv8 is not covered by security support NOTE: https://nodesecurity.io/advisories/serve-static-xss NOTE: https://github.com/expressjs/serve-index/issues/28 CVE-2015-8903 (The ReadVICARImage function in coders/vicar.c in ImageMagick 6.x befor ...) {DLA-960-1} [experimental] - imagemagick 8:6.9.1.2-1 - imagemagick 8:6.8.9.9-6 (low) [jessie] - imagemagick 8:6.8.9.9-5+deb8u1 [squeeze] - imagemagick (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/02/20/4 NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26933 NOTE: http://web.archive.org/web/20150428140926/http://trac.imagemagick.org/changeset/17856 CVE-2015-8902 (The ReadBlobByte function in coders/pdb.c in ImageMagick 6.x before 6. ...) {DLA-960-1} [experimental] - imagemagick 8:6.9.1.2-1 - imagemagick 8:6.8.9.9-6 (low) [jessie] - imagemagick 8:6.8.9.9-5+deb8u1 [squeeze] - imagemagick (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/02/20/4 NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26932 NOTE: http://web.archive.org/web/20150428145652/http://trac.imagemagick.org/changeset/17855 CVE-2015-8901 (ImageMagick 6.x before 6.9.0-5 Beta allows remote attackers to cause a ...) {DLA-960-1} [experimental] - imagemagick 8:6.9.1.2-1 - imagemagick 8:6.8.9.9-6 [jessie] - imagemagick 8:6.8.9.9-5+deb8u1 [squeeze] - imagemagick (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/02/20/4 NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26931 CVE-2015-8900 (The ReadHDRImage function in coders/hdr.c in ImageMagick 6.x and 7.x a ...) {DLA-960-1} [experimental] - imagemagick 8:6.9.1.2-1 - imagemagick 8:6.8.9.9-6 [jessie] - imagemagick 8:6.8.9.9-5+deb8u1 [squeeze] - imagemagick (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/02/20/4 NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26929 NOTE: http://web.archive.org/web/20150501030131/http://trac.imagemagick.org/changeset/17845 NOTE: http://web.archive.org/web/20150429001241/http://trac.imagemagick.org/changeset/17846 CVE-2015-XXXX [Incomplete fix for CVE-2014-7940] - icu 52.1-8 (bug #780503) [wheezy] - icu (Incomplete patch was never applied) [squeeze] - icu (Incomplete patch was never applied) CVE-2014-9709 (The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used ...) {DSA-3215-1 DLA-189-1} - libgd2 2.1.0-5 - php5 5.6.5+dfsg-1 (unimportant) - hhvm 3.12.11+dfsg-1 (bug #835032) NOTE: https://bugs.php.net/bug.php?id=68601 NOTE: Fix in libgd2: https://bitbucket.org/libgd/gd-libgd/commits/47eb44b2e90ca88a08dca9f9a1aa9041e9587f43 NOTE: Also related: https://bitbucket.org/libgd/gd-libgd/commits/81e9a993f2893d651d225646378e3fd1b7465467 NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=07b5896a1389c3e865cbd2fb353806b2cefe4f5c NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=5fc2fede9c7c963c950d8b96dcc0f7af88b4d695 NOTE: Starting with 5.4.0-1 Debian uses the system copy of libgd, the embedded copy was fixed upstream in 5.6.5 NOTE: Fix in HHVM: https://github.com/facebook/hhvm/commit/469990b43c294692493f15f8400560fe5d966a02 CVE-2009-5147 (DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 6 ...) {DLA-300-1 DLA-299-1} - ruby1.8 [wheezy] - ruby1.8 (Minor issue) - ruby1.9.1 [wheezy] - ruby1.9.1 (Minor issue) - ruby2.0 - ruby2.1 (bug #796344) [jessie] - ruby2.1 2.1.5-2+deb8u3 - ruby2.2 (Does not contain DL, cf note and corresponding CVE-2015-7551) NOTE: https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b NOTE: Although the is upstream commit mentioned, the corresponding change does not NOTE: seem to be contained in e.g. latest 1.9.1 and 2.1. E.g. NOTE: https://sources.debian.org/src/ruby2.1/2.1.5-4/ext/dl/handle.c/#L120 does not NOTE: contain the change. NOTE: In https://github.com/ruby/ruby/commit/07308c4d30b8c5260e5366c8eed2abf054d86fe7 NOTE: Discussion http://seclists.org/oss-sec/2015/q3/220 NOTE: DL has been replaced in 2.2 with Fiddle which has the same problem according to maintainer. CVE-2009-5146 REJECTED CVE-2015-2298 (node/utils/ExportEtherpad.js in Etherpad 1.5.x before 1.5.2 might allo ...) - etherpad-lite (bug #576998) NOTE: https://github.com/ether/etherpad-lite/commit/a0fb65205c7d7ff95f00eb9fd88e93b300f30c3d CVE-2015-2296 (The resolve_redirects function in sessions.py in requests 2.1.0 throug ...) - requests 2.4.3-6 (bug #780506) [wheezy] - requests (Vulnerable code introduced in 2.1.0) NOTE: https://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc CVE-2015-2289 (Cross-site scripting (XSS) vulnerability in templates/2k11/admin/entri ...) - serendipity CVE-2015-2287 REJECTED CVE-2015-2286 (lms/templates/footer-edx-new.html in Open edX edx-platform before 2015 ...) NOT-FOR-US: Open edX CVE-2015-2285 (The logrotation script (/etc/cron.daily/upstart) in the Ubuntu Upstart ...) - upstart (Vulnerable cron.daily script not present) CVE-2014-9701 (Cross-site scripting (XSS) vulnerability in MantisBT before 1.2.19 and ...) - mantis (bug #780875) [wheezy] - mantis (Minor issue) [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: Fixed by https://github.com/mantisbt/mantisbt/commit/d95f070d (1.2.x) NOTE: http://article.gmane.org/gmane.comp.security.oss.general/15022 NOTE: https://www.mantisbt.org/bugs/view.php?id=19493 CVE-2014-9697 (Huawei USG9560/9520/9580 before V300R001C01SPC300 allows remote attack ...) NOT-FOR-US: Huawei CVE-2014-9696 (The Hyper Module Management (HMM) software of Huawei Tecal E9000 Chass ...) NOT-FOR-US: Huawei CVE-2014-9695 (The Hyper Module Management (HMM) software of Huawei Tecal E9000 Chass ...) NOT-FOR-US: Huawei CVE-2014-9694 (Huawei Tecal RH1288 V2 V100R002C00SPC107 and earlier versions, Tecal R ...) NOT-FOR-US: Huawei CVE-2014-9693 (Huawei Tecal RH1288 V2 V100R002C00SPC107 and earlier versions, Tecal R ...) NOT-FOR-US: Huawei CVE-2014-9692 (Huawei Tecal RH1288 V2 V100R002C00SPC107 and earlier versions, Tecal R ...) NOT-FOR-US: Huawei CVE-2014-9691 (Huawei Tecal RH1288 V2 V100R002C00SPC107 and earlier versions, Tecal R ...) NOT-FOR-US: Huawei CVE-2014-9690 (Huawei home gateways WS318 with software V100R001C01B022 and earlier v ...) NOT-FOR-US: Huawei CVE-2011-5321 (The tty_open function in drivers/tty/tty_io.c in the Linux kernel befo ...) {DLA-246-1} - linux 3.2.20-1 - linux-2.6 3.2.1-1 NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c290f8358acaeffd8e0c551ddcc24d1206143376 (v3.2-rc1) NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4a2b5fddd53b80efcb3266ee36e23b8de28e761a (v2.6.28-rc1) NOTE: 3.2.20-1 is the first version after the src:linux-2.6 -> src:linux rename. CVE-2015-2284 (userlogin.jsp in SolarWinds Firewall Security Manager (FSM) before 6.6 ...) NOT-FOR-US: SolarWinds Firewall Security Manager CVE-2010-5322 (Cross-site scripting (XSS) vulnerability in ZeusCart 4.0 and earlier a ...) NOT-FOR-US: ZeusCart CVE-2015-2674 (Restkit allows man-in-the-middle attackers to spoof TLS servers by lev ...) - python-restkit (bug #781813) [stretch] - python-restkit (Minor issue) [jessie] - python-restkit (Minor issue) [wheezy] - python-restkit (Minor issue) [squeeze] - python-restkit (Minor issue) NOTE: https://github.com/benoitc/restkit/issues/140 NOTE: http://www.openwall.com/lists/oss-security/2015/03/12/9 CVE-2015-2283 RESERVED CVE-2015-2282 (Stack-based buffer overflow in the LZC decompression implementation (C ...) NOT-FOR-US: SAP CVE-2015-2281 (Stack-based buffer overflow in collectoragent.exe in Fortinet Single S ...) NOT-FOR-US: Fortinet Single Sign On CVE-2015-2280 (snwrite.cgi in AirLink101 SkyIPCam1620W Wireless N MPEG4 3GPP network ...) NOT-FOR-US: AirLink101 SkyIPCam1620W Wireless N MPEG4 3GPP network camera CVE-2015-2279 (cgi_test.cgi in AirLive BU-2015 with firmware 1.03.18, BU-3026 with fi ...) NOT-FOR-US: AirLive CVE-2015-2278 (The LZH decompression implementation (CsObjectInt::BuildHufTree functi ...) NOT-FOR-US: SAP CVE-2015-2277 RESERVED CVE-2015-2276 RESERVED CVE-2015-2275 (Cross-site scripting (XSS) vulnerability in WoltLab Community Gallery ...) NOT-FOR-US: WoltLab Community Gallery CVE-2015-2274 RESERVED CVE-2015-2273 (Cross-site scripting (XSS) vulnerability in mod/quiz/report/statistics ...) - moodle 2.7.7+dfsg-1 [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49364 CVE-2015-2272 (login/token.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x bef ...) - moodle 2.7.7+dfsg-1 [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48691 CVE-2015-2271 (tag/user.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before ...) - moodle 2.7.7+dfsg-1 [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49084 CVE-2015-2270 (lib/moodlelib.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x b ...) - moodle 2.7.7+dfsg-1 [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48804 CVE-2015-2269 (Multiple cross-site scripting (XSS) vulnerabilities in lib/javascript- ...) - moodle 2.7.7+dfsg-1 [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49144 CVE-2015-2268 (filter/urltolink/filter.php in Moodle through 2.5.9, 2.6.x before 2.6. ...) - moodle 2.7.7+dfsg-1 [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38466 CVE-2015-2267 (mdeploy.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before ...) - moodle 2.7.7+dfsg-1 [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49087 CVE-2015-2266 (message/index.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x b ...) - moodle 2.7.7+dfsg-1 [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49204 CVE-2015-2264 (Multiple untrusted search path vulnerabilities in (1) EQATEC.Analytics ...) NOT-FOR-US: Telerik Analytics Monitor Library CVE-2015-2263 (Cloudera Manager 4.x, 5.0.x before 5.0.6, 5.1.x before 5.1.5, 5.2.x be ...) NOT-FOR-US: Cloudera CVE-2015-2262 RESERVED CVE-2015-2261 RESERVED CVE-2015-2260 RESERVED CVE-2015-2259 RESERVED CVE-2015-2258 RESERVED CVE-2015-2257 RESERVED CVE-2015-2256 RESERVED CVE-2015-2255 (Huawei AR1220 routers with software before V200R005SPH006 allow remote ...) NOT-FOR-US: Huawei CVE-2015-2254 (Huawei OceanStor UDS devices with software before V100R002C01SPC102 mi ...) NOT-FOR-US: Huawei OceanStor UDS devices CVE-2015-2253 (The XML interface in Huawei OceanStor UDS devices with software before ...) NOT-FOR-US: Huawei CVE-2015-2252 (Huawei OceanStor UDS devices with software before V100R002C01SPC102 mi ...) NOT-FOR-US: Huawei CVE-2015-2251 (The DeviceManager in Huawei OceanStor UDS devices with software before ...) NOT-FOR-US: Huawei CVE-2015-2250 (Multiple cross-site scripting (XSS) vulnerabilities in concrete5 befor ...) NOT-FOR-US: concrete5 CVE-2015-2249 (Zimbra Collaboration before 8.6.0 patch5 has XSS. ...) NOT-FOR-US: Zimbra Collaboration CVE-2015-2248 (Cross-site request forgery (CSRF) vulnerability in the user portal in ...) NOT-FOR-US: Dell SonicWALL CVE-2015-2247 (Unspecified vulnerability in Boosted Boards skateboards allows physica ...) NOT-FOR-US: Boosted Boards skateboards CVE-2015-2246 (The MeWidget module on Huawei P7 smartphones with software P7-L10 V100 ...) NOT-FOR-US: Huawei CVE-2015-2245 (Huawei Ascend P7 allows remote attackers to cause a denial of service ...) NOT-FOR-US: Huawei CVE-2015-2244 (Multiple cross-site scripting (XSS) vulnerabilities in Webshop hun 1.0 ...) NOT-FOR-US: Webshop hun CVE-2015-2243 (Directory traversal vulnerability in Webshop hun 1.062S allows remote ...) NOT-FOR-US: Webshop hun CVE-2015-2242 (Multiple SQL injection vulnerabilities in Webshop hun 1.062S allow rem ...) NOT-FOR-US: Webshop hun CVE-2015-XXXX [several security vulnerabilities and network packets can terminate the connection] - armagetronad 0.2.8.3.2-4 (bug #780178) [wheezy] - armagetronad (Minor issue) [squeeze] - armagetronad (Minor issue) CVE-2015-2301 (Use-after-free vulnerability in the phar_rename_archive function in ph ...) {DSA-3198-1 DLA-212-1} - php5 5.6.6+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=68901 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=b2cf3f064b8f5efef89bb084521b61318c71781b NOTE: http://www.openwall.com/lists/oss-security/2015/03/10/6 CVE-2014-9705 (Heap-based buffer overflow in the enchant_broker_request_dict function ...) {DSA-3195-1 DLA-212-1} - php5 5.6.6+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=68552 NOTE: http://svn.php.net/viewvc/pecl/enchant/trunk/enchant.c?r1=317600&r2=335803 NOTE: http://www.openwall.com/lists/oss-security/2015/03/10/6 CVE-2015-2265 (The remove_bad_chars function in utils/cups-browsed.c in cups-filters ...) - cups-filters 1.0.61-5 (bug #780267) [wheezy] - cups-filters (vulnerable code not present) NOTE: https://bugs.linuxfoundation.org/show_bug.cgi?id=1265 NOTE: http://www.openwall.com/lists/oss-security/2015/03/09/5 CVE-2015-2241 (Cross-site scripting (XSS) vulnerability in the contents function in a ...) - python-django 1.7.6-1 [wheezy] - python-django (Only affects 1.7.x and 1.8.x) [squeeze] - python-django (Only affects 1.7.x and 1.8.x) NOTE: https://www.djangoproject.com/weblog/2015/mar/09/security-releases/ CVE-2015-2240 RESERVED CVE-2015-2239 (Google Chrome before 41.0.2272.76, when Instant Extended mode is used, ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-2238 (Multiple unspecified vulnerabilities in Google V8 before 4.1.0.21, as ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser - libv8-3.14 (unimportant) NOTE: libv8 not covered by security support CVE-2015-2237 (Multiple SQL injection vulnerabilities in Betster (aka PHP Betoffice) ...) NOT-FOR-US: Betster CVE-2015-2236 RESERVED CVE-2015-2235 REJECTED CVE-2015-2234 (Race condition in Lenovo System Update (formerly ThinkVantage System U ...) NOT-FOR-US: Lenovo System Update CVE-2015-2233 (Lenovo System Update (formerly ThinkVantage System Update) before 5.06 ...) NOT-FOR-US: Lenovo System Update CVE-2015-2232 RESERVED CVE-2015-2231 RESERVED CVE-2015-2230 (Synacor Zimbra Collaboration Server 8.x before 8.7.0 has Reflected XSS ...) NOT-FOR-US: Synacor Zimbra Collaboration Server CVE-2015-2229 RESERVED CVE-2015-2228 RESERVED CVE-2015-2227 RESERVED CVE-2015-2226 RESERVED CVE-2015-2225 RESERVED CVE-2015-2224 RESERVED CVE-2015-2223 (Multiple cross-site scripting (XSS) vulnerabilities in the web-based c ...) NOT-FOR-US: Palo Alto Networks Traps CVE-2015-2222 (ClamAV before 0.98.7 allows remote attackers to cause a denial of serv ...) {DLA-233-1} - clamav 0.98.7+dfsg-1 [jessie] - clamav 0.98.7+dfsg-0+deb8u1 [wheezy] - clamav 0.98.7+dfsg-0+deb7u1 NOTE: https://github.com/vrtadmin/clamav-devel/commit/8aeedf3c4282bc916d6f6c290e1e530d125ec953 CVE-2015-2221 (ClamAV before 0.98.7 allows remote attackers to cause a denial of serv ...) {DLA-233-1} - clamav 0.98.7+dfsg-1 [jessie] - clamav 0.98.7+dfsg-0+deb8u1 [wheezy] - clamav 0.98.7+dfsg-0+deb7u1 NOTE: https://github.com/vrtadmin/clamav-devel/commit/0844d0cfe118b4041ed8e2ee49ff18bfbca8eaa5 NOTE: https://github.com/vrtadmin/clamav-devel/commit/26b19809fb3b940cb0fda0422d685fff02a53b5f CVE-2015-2220 (Multiple cross-site scripting (XSS) vulnerabilities in the Ninja Forms ...) NOT-FOR-US: Ninja Forms plugin for WordPress CVE-2015-2219 (Lenovo System Update (formerly ThinkVantage System Update) before 5.06 ...) NOT-FOR-US: Lenovo System Update CVE-2015-2218 (Multiple cross-site scripting (XSS) vulnerabilities in the wp_ajax_sav ...) NOT-FOR-US: wp_ajax_save_item function in wonderpluginaudio.php in the WonderPlugin Audio Player plugin for WordPress CVE-2015-2217 (Multiple cross-site scripting (XSS) vulnerabilities in Ultimate PHP Bo ...) NOT-FOR-US: myUPB CVE-2015-2216 (SQL injection vulnerability in ecomm-sizes.php in the Photocrati theme ...) NOT-FOR-US: Photocrati theme for WordPress CVE-2015-2215 (Open redirect vulnerability in the Services single sign-on server help ...) NOT-FOR-US: Drupal module Services single sign-on server helper CVE-2015-2214 (NetCat 5.01 and earlier allows remote attackers to obtain the installa ...) NOT-FOR-US: NetCat CMS CVE-2015-2213 (SQL injection vulnerability in the wp_untrash_post_comments function i ...) {DSA-3383-1 DSA-3332-1 DLA-294-1} - wordpress 4.2.4+dfsg-1 (bug #794560) NOTE: https://core.trac.wordpress.org/changeset/33555 NOTE: https://core.trac.wordpress.org/changeset/33556 CVE-2015-2212 REJECTED CVE-2015-2211 RESERVED CVE-2014-9689 (content/renderer/device_sensors/device_orientation_event_pump.cc in Go ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-9688 (Unspecified vulnerability in the Ninja Forms plugin before 2.8.10 for ...) NOT-FOR-US: Ninja Forms plugin for WordPress CVE-2011-5319 (content/renderer/device_sensors/device_motion_event_pump.cc in Google ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-XXXX [tcllib XSS] - tcllib 1.16-dfsg-2 (low; bug #780100) [wheezy] - tcllib 1.14-dfsg-3+deb7u1 [squeeze] - tcllib (Minor issue) CVE-2015-2210 (The help window in Epicor CRS Retail Store before 3.2.03.01.008 allows ...) NOT-FOR-US: Epicor CRS Retail Store CVE-2015-2209 (DLGuard 4.5 allows remote attackers to obtain the installation path vi ...) NOT-FOR-US: DLGuard CVE-2015-2208 (The saveObject function in moadmin.php in phpMoAdmin 1.1.2 allows remo ...) NOT-FOR-US: phpMoAdmin CVE-2015-2207 (Multiple cross-site scripting (XSS) vulnerabilities in NetCracker Reso ...) NOT-FOR-US: NetCracker Resource Management System CVE-2015-2206 (libraries/select_lang.lib.php in phpMyAdmin 4.0.x before 4.0.10.9, 4.2 ...) {DSA-3382-1 DLA-336-1} - phpmyadmin 4:4.4.4-1 (unimportant) NOTE: Hardening, not a concrete issue itself NOTE: https://www.phpmyadmin.net/security/PMASA-2015-1/ CVE-2015-2205 RESERVED CVE-2015-2202 RESERVED CVE-2015-2201 RESERVED CVE-2015-2200 RESERVED CVE-2015-2199 (Multiple SQL injection vulnerabilities in the WonderPlugin Audio Playe ...) NOT-FOR-US: WonderPlugin Audio Player plugin for WordPress CVE-2015-2198 (Multiple cross-site scripting (XSS) vulnerabilities in edit_prefs.php ...) NOT-FOR-US: Beehive Forum CVE-2015-2197 (Cross-site scripting (XSS) vulnerability in the Entity API module befo ...) NOT-FOR-US: Entity module for Drupal CVE-2015-2196 (SQL injection vulnerability in Spider Event Calendar 1.4.9 for WordPre ...) NOT-FOR-US: Spider Event Calender CVE-2015-2195 (Multiple cross-site scripting (XSS) vulnerabilities in the WP Media Cl ...) NOT-FOR-US: WP Media Cleaner plugin for WordPress CVE-2015-2194 (Unrestricted file upload vulnerability in the fusion_options function ...) NOT-FOR-US: fusion_options function in functions.php in the Fusion theme for WordPress CVE-2015-2193 RESERVED CVE-2015-2675 (The OAuth implementation in librest before 0.7.93 incorrectly truncate ...) - librest 0.7.92-3 (bug #780101) [wheezy] - librest (rest_proxy_call_get_url not yet used) [squeeze] - librest (rest_proxy_call_get_url not yet used) NOTE: Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=742644 NOTE: Commit: https://git.gnome.org/browse/librest/commit/?id=b50ace7738ea038 NOTE: http://www.openwall.com/lists/oss-security/2015/03/04/6 CVE-2015-2204 (Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 all ...) NOT-FOR-US: Evergreen library CVE-2015-2203 (Evergreen 2.5.9, 2.6.7, and 2.7.4 allows remote authenticated users wi ...) NOT-FOR-US: Evergreen library CVE-2013-7435 (The open-ils.pcrud endpoint in Evergreen before 2.5.9, 2.6.x before 2. ...) NOT-FOR-US: Evergreen library CVE-2015-2192 (Integer overflow in the dissect_osd2_cdb_continuation function in epan ...) - wireshark 1.12.1+g01b65bf-4 (bug #780372) [wheezy] - wireshark (Only affects 1.12.x) [squeeze] - wireshark (Only affects 1.12.x) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11024 CVE-2015-2191 (Integer overflow in the dissect_tnef function in epan/dissectors/packe ...) {DSA-3210-1 DLA-198-1} - wireshark 1.12.1+g01b65bf-4 (bug #780372) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11023 CVE-2015-2190 (epan/proto.c in Wireshark 1.12.x before 1.12.4 does not properly handl ...) - wireshark 1.12.1+g01b65bf-4 (bug #780372) [wheezy] - wireshark (Only affects 1.12.x) [squeeze] - wireshark (Only affects 1.12.x) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10983 CVE-2015-2189 (Off-by-one error in the pcapng_read function in wiretap/pcapng.c in th ...) {DSA-3210-1} - wireshark 1.12.1+g01b65bf-4 (bug #780372) [squeeze] - wireshark (Vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10895 CVE-2015-2188 (epan/dissectors/packet-wcp.c in the WCP dissector in Wireshark 1.10.x ...) {DSA-3210-1 DLA-198-1} - wireshark 1.12.1+g01b65bf-4 (bug #780372) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10844 NOTE: http://www.wireshark.org/security/wnpa-sec-2015-07.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=b204ff4846fe84b7789893c6b1d9afbdecac5b5d CVE-2015-2187 (The dissect_atn_cpdlc_heur function in asn1/atn-cpdlc/packet-atn-cpdlc ...) - wireshark 1.12.1+g01b65bf-4 (bug #780372) [wheezy] - wireshark (Only affects 1.12.x) [squeeze] - wireshark (Only affects 1.12.x) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9952 CVE-2015-2186 (The Ansible edxapp role in the Configuration Repo in edX allows remote ...) NOT-FOR-US: edX CVE-2015-2185 RESERVED CVE-2015-2184 (ZeusCart 4 allows remote attackers to obtain configuration information ...) NOT-FOR-US: ZeusCart CVE-2015-2183 (Multiple SQL injection vulnerabilities in the administrative backend i ...) NOT-FOR-US: ZeusCart CVE-2015-2182 (Multiple cross-site scripting (XSS) vulnerabilities in ZeusCart 4 allo ...) NOT-FOR-US: ZeusCart CVE-2015-2181 (Multiple buffer overflows in the DBMail driver in the Password plugin ...) - roundcube 1.1.1+dfsg.1-2 [wheezy] - roundcube (variable and chgdbmailusers.c does not exist) NOTE: http://trac.roundcube.net/ticket/1490261 NOTE: http://advisories.mageia.org/MGASA-2015-0400.html NOTE: http://lists.opensuse.org/opensuse-updates/2015-07/msg00032.html CVE-2015-2180 (The DBMail driver in the Password plugin in Roundcube before 1.1.0 all ...) - roundcube 1.1.1+dfsg.1-2 [wheezy] - roundcube (dbmail driver does not exist) NOTE: http://trac.roundcube.net/ticket/1490261 NOTE: http://advisories.mageia.org/MGASA-2015-0400.html NOTE: http://lists.opensuse.org/opensuse-updates/2015-07/msg00032.html CVE-2015-2179 RESERVED CVE-2015-2178 REJECTED CVE-2015-2177 (Siemens SIMATIC S7-300 CPU devices allow remote attackers to cause a d ...) NOT-FOR-US: Siemens CVE-2015-2176 RESERVED CVE-2015-2175 RESERVED CVE-2015-2174 RESERVED CVE-2015-2173 RESERVED CVE-2009-5145 (Cross-site scripting (XSS) vulnerability in ZMI pages that use the man ...) - zope2.12 2.12.10-1 CVE-2015-2171 (Middleware/SessionCookie.php in Slim before 2.6.0 allows remote attack ...) NOT-FOR-US: Slim PHP Framework CVE-2015-2170 (The upx decoder in ClamAV before 0.98.7 allows remote attackers to cau ...) {DLA-233-1} - clamav 0.98.7+dfsg-1 [jessie] - clamav 0.98.7+dfsg-0+deb8u1 [wheezy] - clamav 0.98.7+dfsg-0+deb7u1 NOTE: https://github.com/vrtadmin/clamav-devel/commit/625f5a9b8f008b8714850e4aa064dee1de06e534 CVE-2015-2169 (Cross-site scripting (XSS) vulnerability in Zoho ManageEngine AssetExp ...) NOT-FOR-US: Zoho ManageEngine AssetExplorer CVE-2015-2168 REJECTED CVE-2015-2167 (Open redirect vulnerability in the 3PI Manager in Ericsson Drutt Mobil ...) NOT-FOR-US: Ericsson CVE-2015-2166 (Directory traversal vulnerability in the Instance Monitor in Ericsson ...) NOT-FOR-US: Ericsson CVE-2015-2165 (Multiple cross-site scripting (XSS) vulnerabilities in the Report View ...) NOT-FOR-US: Ericsson CVE-2015-2164 RESERVED CVE-2015-2163 RESERVED CVE-2015-2162 RESERVED CVE-2015-2161 RESERVED CVE-2015-2160 RESERVED CVE-2015-2159 RESERVED CVE-2015-2156 (Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0 ...) - netty3.1 [wheezy] - netty3.1 (Minor issue) - netty 1:4.0.31-1 (bug #796114) [jessie] - netty (Minor issue, invasive patch) [wheezy] - netty (Minor issue) - netty-3.9 3.9.9.Final-1 (bug #793770) [jessie] - netty-3.9 (Minor issue, invasive patch) - playframework (bug #646523) [squeeze] - netty (Minor issue) NOTE: http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html NOTE: https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass NOTE: http://web.archive.org/web/20150925094949/http://engineering.linkedin.com/security/look-netty%E2%80%99s-recent-security-update-cve%C2%AD-2015%C2%AD-2156 NOTE: https://github.com/netty/netty/commit/97d871a7553a01384b43df855dccdda5205ae77a CVE-2015-2155 (The force printer in tcpdump before 4.7.2 allows remote attackers to c ...) {DSA-3193-1 DLA-174-1} - tcpdump 4.6.2-4 NOTE: http://www.ca.tcpdump.org/cve/0002-test-case-files-for-CVE-2015-2153-2154-2155.patch CVE-2015-2154 (The osi_print_cksum function in print-isoclns.c in the ethernet printe ...) {DSA-3193-1 DLA-174-1} - tcpdump 4.6.2-4 NOTE: http://www.ca.tcpdump.org/cve/0002-test-case-files-for-CVE-2015-2153-2154-2155.patch CVE-2015-2153 (The rpki_rtr_pdu_print function in print-rpki-rtr.c in the TCP printer ...) {DSA-3193-1} - tcpdump 4.6.2-4 [squeeze] - tcpdump (Vulnerable code not present) NOTE: http://www.ca.tcpdump.org/cve/0002-test-case-files-for-CVE-2015-2153-2154-2155.patch CVE-2015-2152 (Xen 4.5.x and earlier enables certain default backends when emulating ...) - xen 4.4.1-9 (low; bug #780975) [wheezy] - xen (Minor issue, xl not used in wheezy) [squeeze] - xen (Not supported in Squeeze LTS) NOTE: http://xenbits.xen.org/xsa/advisory-119.html CVE-2015-2151 (The x86 emulator in Xen 3.2.x through 4.5.x does not properly ignore s ...) {DSA-3181-1} - xen 4.4.1-8 (bug #780227) [squeeze] - xen (Not supported in Squeeze LTS) NOTE: http://xenbits.xen.org/xsa/advisory-123.html CVE-2015-2150 (Xen 3.3.x through 4.5.x and the Linux kernel through 3.19.1 do not pro ...) {DSA-3237-1} - linux 3.16.7-ckt9-1 - linux-2.6 (xen-pciback introduced in 3.1) NOTE: http://xenbits.xen.org/xsa/advisory-120.html CVE-2015-2149 (Multiple cross-site scripting (XSS) vulnerabilities in the administrat ...) NOT-FOR-US: MyBB CVE-2015-2148 (Multiple cross-site scripting (XSS) vulnerabilities in Issuetracker ph ...) NOT-FOR-US: phpBugTracker CVE-2015-2147 (Multiple SQL injection vulnerabilities in Issuetracker phpBugTracker b ...) NOT-FOR-US: phpBugTracker CVE-2015-2146 (Multiple SQL injection vulnerabilities in Issuetracker phpBugTracker b ...) NOT-FOR-US: phpBugTracker CVE-2015-2145 (Multiple cross-site scripting (XSS) vulnerabilities in Issuetracker ph ...) NOT-FOR-US: phpBugTracker CVE-2015-2144 (Multiple cross-site scripting (XSS) vulnerabilities in Issuetracker ph ...) NOT-FOR-US: phpBugTracker CVE-2015-2143 (Multiple cross-site request forgery (CSRF) vulnerabilities in Issuetra ...) NOT-FOR-US: phpBugTracker CVE-2015-2142 (Multiple cross-site request forgery (CSRF) vulnerabilities in Issuetra ...) NOT-FOR-US: phpBugTracker CVE-2015-2141 (The InvertibleRWFunction::CalculateInverse function in rw.cpp in libcr ...) {DSA-3296-1 DLA-262-1} - libcrypto++ 5.6.1-7 NOTE: https://github.com/weidai11/cryptopp/commit/9425e16437439e68c7d96abef922167d68fafaff NOTE: https://eprint.iacr.org/2015/368 CVE-2015-2140 (HP Systems Insight Manager (SIM) before 7.5.0, as used in HP Matrix Op ...) NOT-FOR-US: HP Systems Insight Manager CVE-2015-2139 (HP Systems Insight Manager (SIM) before 7.5.0, as used in HP Matrix Op ...) NOT-FOR-US: HP Systems Insight Manager CVE-2015-2138 REJECTED CVE-2015-2137 (Unspecified vulnerability in HP Operations Manager i (OMi) 9.22, 9.23, ...) NOT-FOR-US: HP Operations Manager i CVE-2015-2136 (HP ArcSight Logger before 6.0 P2 allows remote authenticated users to ...) NOT-FOR-US: HP ArcSight CVE-2015-2135 (Unspecified vulnerability in HP Intelligent Provisioning 1.00 through ...) NOT-FOR-US: HP Intelligent Provisioning CVE-2015-2134 (Cross-site request forgery (CSRF) vulnerability in HP System Managemen ...) NOT-FOR-US: Hewlett-Packard CVE-2015-2133 REJECTED CVE-2015-2132 (Unspecified vulnerability in the execve system-call implementation in ...) NOT-FOR-US: HP HP-UX CVE-2015-2131 REJECTED CVE-2015-2130 REJECTED CVE-2015-2129 REJECTED CVE-2015-2128 REJECTED CVE-2015-2127 REJECTED CVE-2015-2126 (Unspecified vulnerability in pppoec in HP HP-UX 11iv2 and 11iv3 allows ...) NOT-FOR-US: HP-UX (pppoec) CVE-2015-2125 (Unspecified vulnerability in HP WebInspect 7.x through 10.4 before 10. ...) NOT-FOR-US: HP WebInspect CVE-2015-2124 (Unspecified vulnerability in Easy Setup Wizard in HP ThinPro Linux 4.1 ...) NOT-FOR-US: HP CVE-2015-2123 (Unspecified vulnerability in HP NonStop Safeguard Security Software H0 ...) NOT-FOR-US: HP NonStop Safeguard Security Software CVE-2015-2122 (The REST layer on HP SDN VAN Controller devices 2.5 and earlier allows ...) NOT-FOR-US: HP CVE-2015-2121 (HP Network Virtualization for LoadRunner and Performance Center 8.61 a ...) NOT-FOR-US: HP CVE-2015-2120 (Unspecified vulnerability in HP SiteScope 11.1x before 11.13, 11.2x be ...) NOT-FOR-US: HP SiteScope CVE-2015-2119 REJECTED CVE-2015-2118 (Unspecified vulnerability in the Secure Pull Print and Security Pull P ...) NOT-FOR-US: HP Access Control Software CVE-2015-2117 (HP TippingPoint Security Management System (SMS) and TippingPoint Virt ...) NOT-FOR-US: HP TippingPoint CVE-2015-2116 (Unspecified vulnerability in HP Storage Data Protector 7.x before 7.03 ...) NOT-FOR-US: HP CVE-2015-2115 (Unspecified vulnerability in HP Capture and Route Software (HPCR) 1.3 ...) NOT-FOR-US: HP Capture and Route CVE-2015-2114 (HP Support Solution Framework before 11.51.0049 allows remote attacker ...) NOT-FOR-US: HP Support Solution Framework CVE-2015-2113 (Unspecified vulnerability in HP Easy Deploy, as distributed standalone ...) NOT-FOR-US: HP Thin Clients CVE-2015-2112 (Unspecified vulnerability in HP Easy Deploy, as distributed standalone ...) NOT-FOR-US: HP Thin Clients CVE-2015-2111 (Unspecified vulnerability in HP Intelligent Provisioning 1.40 through ...) NOT-FOR-US: HP Intelligent Provisioning CVE-2015-2110 (Buffer overflow in HP LoadRunner 11.52 allows remote attackers to exec ...) NOT-FOR-US: HP LoadRunner CVE-2015-2109 (Unspecified vulnerability in HP Operations Orchestration 10.x allows r ...) NOT-FOR-US: HP Operations Orchestration CVE-2015-2108 (Unspecified vulnerability in Powershell Operations in HP Operations Or ...) NOT-FOR-US: HP Operations Orchestration CVE-2015-2107 (HP Operations Manager i Management Pack 1.x before 1.01 for SAP allows ...) NOT-FOR-US: HP Operations Manager CVE-2015-2106 (Unspecified vulnerability in HP Integrated Lights-Out (iLO) firmware 2 ...) NOT-FOR-US: HP Integrated Lights-Out CVE-2015-2105 RESERVED CVE-2015-2104 REJECTED CVE-2015-2103 (Cross-site scripting (XSS) vulnerability in the admin-login panel (adm ...) NOT-FOR-US: Cosmoshop CVE-2015-2102 (SQL injection vulnerability in view_item.php in ClipBucket 2.7 RC3 (2. ...) NOT-FOR-US: ClipBucket CVE-2015-2101 (Cross-site scripting (XSS) vulnerability in the Navigate bar in the Na ...) NOT-FOR-US: Navigate module for Drupal CVE-2013-7434 RESERVED CVE-2015-XXXX [heap buffer overflow] - bibtool 2.57+ds-3 (bug #779573) [squeeze] - bibtool (Minor issue) [wheezy] - bibtool (Minor issue) NOTE: Upstream patch: https://github.com/ge-ne/bibtool/commit/c6ed92c556f28ca2c738972c647486f9e11424bf CVE-2015-XXXX [dcerpc: exit()'s on malloc failure] - suricata 2.0.7-1 [wheezy] - suricata (Unusable in wheezy, planned for removal) [squeeze] - suricata (Minor issue) NOTE: https://github.com/inliniac/suricata/commit/89017d0b03bf715a3f4e11b612c6c7a23549304a CVE-2015-XXXX [http uri parsing issue] - libhtp 1:0.5.25-1 (bug #783007) [squeeze] - libhtp (Minor issue) NOTE: if libhtp gets updated to 0.5.17 in sid, it will conflict with suricata which ships the library too (see #783005) [wheezy] - libhtp (Unusable in wheezy, planned for removal) - suricata 2.0.7-1 [wheezy] - suricata (Uses system-wide libhtp) [squeeze] - suricata (Uses system-wide libhtp) NOTE: https://redmine.openinfosecfoundation.org/issues/1391 NOTE: https://github.com/OISF/libhtp/commit/1a6c9465fb641f81460392f622d1878d5e87fc00 NOTE: Fixed in Libhtp 0.5.17 upstream CVE-2015-XXXX [MATTA-2015-002: Enforce acceptable range for Diffie-Hellman server value] - putty 0.63-10 [wheezy] - putty 0.62-9+deb7u2 [squeeze] - putty 0.60+2010-02-20-1+squeeze3 NOTE: temporary workaround until CVE assigned to explitly tag for wheezy+squeeze NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/27/4 NOTE: http://advisories.mageia.org/MGASA-2015-0098.html CVE-2015-2172 (DokuWiki before 2014-05-05d and before 2014-09-29c does not properly c ...) - dokuwiki 0.0.20140929.d-1 (bug #779547) [jessie] - dokuwiki 0.0.20140505.a+dfsg-4 [squeeze] - dokuwiki (Vulnerable code not present) [wheezy] - dokuwiki (Vulnerable code not present) NOTE: present since release_candidate_2013-10-28 NOTE: https://github.com/splitbrain/dokuwiki/issues/1056 NOTE: https://github.com/splitbrain/dokuwiki/commit/4970ad24ce49ec76a0ee67bca7594f918ced2f5f CVE-2015-2158 (Off-by-one error in the pngcrush_measure_idat function in pngcrush.c i ...) - pngcrush (Vulnerable code not present) NOTE: Introduced by http://sourceforge.net/p/pmt/code/ci/e1a36a9639e2db16494d90459c7c2b78677a20bf/ (1.7.83) NOTE: Fixed by: http://sourceforge.net/p/pmt/code/ci/a1ce646d00a400fd9ec321ab5cb522f40b7bdfe6/ (1.7.84) NOTE: http://www.openwall.com/lists/oss-security/2015/02/28/6 CVE-2015-2157 (The (1) ssh2_load_userkey and (2) ssh2_save_userkey functions in PuTTY ...) {DSA-3190-1 DLA-173-1} - putty 0.63-10 (bug #779488) NOTE: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html CVE-2015-2100 RESERVED CVE-2015-2099 RESERVED CVE-2015-2098 RESERVED CVE-2015-2097 (Multiple buffer overflows in WebGate Embedded Standard Protocol (WESP) ...) NOT-FOR-US: WESP SDK CVE-2015-2096 (Use-after-free vulnerability in the Connect function in the WESPMonito ...) NOT-FOR-US: WebGate eDVR Manager CVE-2015-2095 (Heap-based buffer overflow in the SetConnectInfo function in the WESPP ...) NOT-FOR-US: WebGate eDVR Manager CVE-2015-2094 (Stack-based buffer overflow in the WESPPlayback.WESPPlaybackCtrl.1 con ...) NOT-FOR-US: WebGate WinRDS CVE-2015-2093 (Stack-based buffer overflow in the Connect function in the WebGate Web ...) NOT-FOR-US: WebGate WEbEyeAudio ActiveX control CVE-2015-2092 (The AnnotationX.AnnList.1 ActiveX control in Agilent Technologies Feat ...) NOT-FOR-US: Agilent Technologies Feature Extraction CVE-2015-2090 (SQL injection vulnerability in the ajax_survey function in settings.ph ...) NOT-FOR-US: ajax_survey function in settings.php in the WordPress Survey and Poll plugin for WordPress CVE-2015-2089 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Cros ...) NOT-FOR-US: CrossSlide jQuery (crossslide-jquery-plugin-for-wordpress) plugin for WordPress CVE-2015-2088 (Cross-site scripting (XSS) vulnerability in unspecified administration ...) NOT-FOR-US: Term Queue model for Drupal CVE-2015-2087 (Unrestricted file upload vulnerability in the Avatar Uploader module b ...) NOT-FOR-US: Avatar Uploader module for Drupal CVE-2015-2086 (Cross-site scripting (XSS) vulnerability in the live preview in the Pa ...) NOT-FOR-US: Panopoly Magic module for Drupal CVE-2014-9687 (eCryptfs 104 and earlier uses a default salt to encrypt the mount pass ...) - ecryptfs-utils 103-4 (bug #780385) [wheezy] - ecryptfs-utils (Minor issue) [squeeze] - ecryptfs-utils (Minor issue) NOTE: http://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/839 CVE-2014-9686 (The Googlemaps plugin 3.2 and earlier for Joomla! allows remote attack ...) NOT-FOR-US: Googlemaps plugin for Joomla! CVE-2013-7433 (Cross-site scripting (XSS) vulnerability in the Googlemaps plugin befo ...) NOT-FOR-US: Googlemaps plugin for Joomla! CVE-2013-7432 (The Googlemaps plugin before 3.1 for Joomla! allows remote attackers t ...) NOT-FOR-US: Googlemaps plugin for Joomla! CVE-2013-7431 (Full path disclosure in the Googlemaps plugin before 3.1 for Joomla!. ...) NOT-FOR-US: Googlemaps plugin for Joomla! CVE-2013-7430 (Cross-site scripting (XSS) vulnerability in the Googlemaps plugin befo ...) NOT-FOR-US: Googlemaps plugin for Joomla! CVE-2013-7429 (The Googlemaps plugin before 3.1 for Joomla! allows remote attackers t ...) NOT-FOR-US: Googlemaps plugin for Joomla! CVE-2013-7428 (The Googlemaps plugin before 3.1 for Joomla! allows remote attackers t ...) NOT-FOR-US: Googlemaps plugin for Joomla! CVE-2015-2085 RESERVED CVE-2015-2084 (Cross-site request forgery (CSRF) vulnerability in the Easy Social Ico ...) NOT-FOR-US: Easy Social Icons plugin for WordPress CVE-2015-2083 (Cross-site request forgery (CSRF) vulnerability in Ilch CMS allows rem ...) NOT-FOR-US: Ilch CMS CVE-2015-2082 (Cross-site scripting (XSS) vulnerability in Login.aspx in UNIT4 Prosof ...) NOT-FOR-US: UNIT4 Prosoft HRMS CVE-2015-2081 (Datto ALTO and SIRIS devices allow Remote Code Execution via unauthent ...) NOT-FOR-US: Datto ALTO and SIRIS devices CVE-2014-9685 (Multiple cross-site scripting (XSS) vulnerabilities in Vanilla Forums ...) NOT-FOR-US: Vanilla Forums CVE-2015-8985 (The pop_fail_stack function in the GNU C Library (aka glibc or libc6) ...) - glibc 2.28-1 (unimportant; bug #779392) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21163 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eb04c21373e2a2885f3d52ff192b0499afe3c672 (2.28) NOTE: DoS via crafted regexps are not considered security issues by glibc upstream CVE-2015-8984 (The fnmatch function in the GNU C Library (aka glibc or libc6) before ...) {DLA-316-1} - glibc 2.21-1 (bug #779587) [jessie] - glibc 2.19-18+deb8u2 - eglibc [wheezy] - eglibc 2.13-38+deb7u9 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=18032 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4a28f4d55a6cc33474c0792fe93b5942d81bf185 NOTE: http://www.openwall.com/lists/oss-security/2015/02/26/5 CVE-2011-5320 (scanf and related functions in glibc before 2.15 allow local users to ...) {DLA-165-1} - glibc 2.15 - eglibc 2.13-25 (bug #553206) NOTE: 2.15 ist the first version recieving the fix, mark with upstream version which should NOTE: be handled correctly then by the tracker. NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=13138 NOTE: http://www.openwall.com/lists/oss-security/2015/02/26/2 NOTE: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=3f8cc204fdd0 NOTE: CVE assigned specific to the https://sourceware.org/bugzilla/show_bug.cgi?id=13138#c4 issue CVE-2015-2079 RESERVED CVE-2015-2078 (The SDK for Komodia Redirector with SSL Digestor, as used in Lavasoft ...) NOT-FOR-US: Lavasoft Ad-Aware Web Companion CVE-2015-2077 (The SDK for Komodia Redirector with SSL Digestor, as used in Lavasoft ...) NOT-FOR-US: Lavasoft Ad-Aware Web Companion CVE-2015-2076 (The Auditing service in SAP BusinessObjects Edge 4.0 allows remote att ...) NOT-FOR-US: SAP CVE-2015-2075 (SAP BusinessObjects Edge 4.0 allows remote attackers to delete audit e ...) NOT-FOR-US: SAP CVE-2015-2074 RESERVED CVE-2015-2073 RESERVED CVE-2015-2072 (Multiple cross-site scripting (XSS) vulnerabilities in SAP HANA 73 (1. ...) NOT-FOR-US: SAP CVE-2015-2071 (Directory traversal vulnerability in cm/newui/blog/export.jsp in eTouc ...) NOT-FOR-US: eTouch SamePage Enterprise Edition CVE-2015-2070 (SQL injection vulnerability in eTouch SamePage Enterprise Edition 4.4. ...) NOT-FOR-US: eTouch SamePage Enterprise Edition CVE-2015-2069 (Cross-site scripting (XSS) vulnerability in the WooCommerce plugin bef ...) NOT-FOR-US: WooCommerce plugin for WordPress CVE-2015-2068 (Multiple cross-site scripting (XSS) vulnerabilities in the MAGMI (aka ...) NOT-FOR-US: Magento Server CVE-2015-2067 (Directory traversal vulnerability in web/ajax_pluginconf.php in the MA ...) NOT-FOR-US: Magento Server CVE-2015-2066 (SQL injection vulnerability in DLGuard 4.5 allows remote attackers to ...) NOT-FOR-US: DLGuard CVE-2015-2065 (SQL injection vulnerability in videogalleryrss.php in the Apptha WordP ...) NOT-FOR-US: Apptha WordPress Video Gallery (contus-video-gallery) plugin for WordPress CVE-2015-2064 (Multiple cross-site scripting (XSS) vulnerabilities in DLGuard 5, 4.6, ...) NOT-FOR-US: DLGuard CVE-2015-2080 (The exception handling code in Eclipse Jetty before 9.2.9.v20150224 al ...) - jetty (Only affects 9.2.3.v20140905 through 9.2.8.v20150217) - jetty8 (Only affects 9.2.3.v20140905 through 9.2.8.v20150217) NOTE: http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html NOTE: https://github.com/eclipse/jetty.project/blob/master/advisories/2015-02-24-httpparser-error-buffer-bleed.md NOTE: http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html CVE-2015-2062 (Multiple SQL injection vulnerabilities in the Huge-IT Slider (slider-i ...) NOT-FOR-US: Huge-IT Slider (slider- image) plugin for WordPress CVE-2015-2061 (Heap-based buffer overflow in the browser plugin for PTC Creo View all ...) NOT-FOR-US: PTC Creo View CVE-2015-2057 RESERVED CVE-2015-2056 RESERVED CVE-2015-2055 (Zhone GPON 2520 with firmware R4.0.2.566b allows remote attackers to c ...) NOT-FOR-US: Zhone GPON 2520 CVE-2015-2054 (CRLF injection vulnerability in export.cfg in the web-based administra ...) NOT-FOR-US: Sierra Wireless AirCard CVE-2015-2053 (The log viewer in McAfee Agent (MA) before 4.8.0 Patch 3 and 5.0.0, wh ...) NOT-FOR-US: McAfee CVE-2015-2052 (Stack-based buffer overflow in the DIR-645 Wired/Wireless Router Rev. ...) NOT-FOR-US: DIR-645 Wired/Wireless Router Rev. Ax CVE-2015-2051 (The D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 ...) NOT-FOR-US: D-Link DIR-645 Wired/Wireless Router Rev. Ax CVE-2015-2050 (D-Link DAP-1320 Rev Ax with firmware before 1.21b05 allows attackers t ...) NOT-FOR-US: D-Link DAP-1320 Rev Ax CVE-2015-2049 (Unrestricted file upload vulnerability in D-Link DCS-931L with firmwar ...) NOT-FOR-US: D-Link DCS-931L CVE-2015-2048 (Cross-site request forgery (CSRF) vulnerability in D-Link DCS-931L wit ...) NOT-FOR-US: D-Link DCS-931L CVE-2015-2045 (The HYPERVISOR_xen_version hypercall in Xen 3.2.x through 4.5.x does n ...) {DSA-3181-1} - xen 4.4.1-8 [squeeze] - xen (Unsupported in squeeze-lts) NOTE: http://xenbits.xen.org/xsa/advisory-122.html CVE-2015-2044 (The emulation routines for unspecified X86 devices in Xen 3.2.x throug ...) {DSA-3181-1} - xen 4.4.1-8 [squeeze] - xen (Unsupported in squeeze-lts) NOTE: http://xenbits.xen.org/xsa/advisory-121.html CVE-2015-2043 (Multiple cross-site scripting (XSS) vulnerabilities in Visualware MyCo ...) NOT-FOR-US: Visualware CVE-2015-2040 (Cross-site scripting (XSS) vulnerability in the Contact Form DB (aka C ...) NOT-FOR-US: Contact Form DB (aka CFDB and contact-form-7-to-database-extension) plugin for WordPress CVE-2015-2039 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Acob ...) NOT-FOR-US: Acobot Live Chat & Contact Form plugin for WordPress CVE-2015-8983 (Integer overflow in the _IO_wstr_overflow function in libio/wstrops.c ...) {DLA-316-1} - eglibc [wheezy] - eglibc 2.13-38+deb7u9 - glibc 2.21-1 (bug #779587) [jessie] - glibc 2.19-18+deb8u2 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=17269 NOTE: Fixed upstream in 2.22 NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bdf1ff052a8e23d637f2c838fa5642d78fcedc33 NOTE: http://www.openwall.com/lists/oss-security/2015/02/22/15 CVE-2015-8477 (Cross-site scripting (XSS) vulnerability in Redmine before 2.6.2 allow ...) - redmine 3.0~20140825-5 (low) [squeeze] - redmine (Redmine not supported because of rails) [wheezy] - redmine (Redmine not supported because of rails) NOTE: https://www.redmine.org/projects/redmine/wiki/Changelog_2_6 NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://www.redmine.org/issues/19117 NOTE: https://github.com/redmine/redmine/commit/a1f40686ba43d121cbc8c095d2f8cc4095e70352#diff-847ef9328e260b1b93fd165d072b072d CVE-2005-XXXX [more related to CVE-2005-4890] - shadow (unimportant; bug #628843) NOTE: only affects the su executable, so if you use sudo you're not affected CVE-2015-2047 (The rsaauth extension in TYPO3 4.3.0 through 4.3.14, 4.4.0 through 4.4 ...) {DSA-3164-1} - typo3-src 4.5.40+dfsg1-1 (bug #778870) [squeeze] - typo3-src (Unsupported in squeeze-lts) NOTE: https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-001/ CVE-2015-2038 RESERVED CVE-2015-2037 RESERVED CVE-2015-2036 RESERVED CVE-2015-2033 (Anyterm Daemon in Infoblox Network Automation NetMRI before NETMRI-234 ...) NOT-FOR-US: Anyterm Daemon CVE-2015-2032 RESERVED CVE-2015-2031 (Cross-site scripting (XSS) vulnerability in IBM WebSphere eXtreme Scal ...) NOT-FOR-US: IBM CVE-2015-2030 (IBM WebSphere eXtreme Scale 7.1.0 before 7.1.0.3 and 7.1.1 before 7.1. ...) NOT-FOR-US: IBM CVE-2015-2029 (Session fixation vulnerability in IBM WebSphere eXtreme Scale 7.1.0 be ...) NOT-FOR-US: IBM CVE-2015-2028 (CRLF injection vulnerability in IBM WebSphere eXtreme Scale 7.1.0 befo ...) NOT-FOR-US: IBM CVE-2015-2027 (IBM WebSphere eXtreme Scale 7.1.0 before 7.1.0.3 and 7.1.1 before 7.1. ...) NOT-FOR-US: IBM CVE-2015-2026 (Cross-site request forgery (CSRF) vulnerability in IBM WebSphere eXtre ...) NOT-FOR-US: IBM CVE-2015-2025 (IBM WebSphere eXtreme Scale 7.1.0 before 7.1.0.3 and 7.1.1 before 7.1. ...) NOT-FOR-US: IBM CVE-2015-2024 RESERVED CVE-2015-2023 (Buffer overflow in IBM i Access 7.1 on Windows allows local users to g ...) NOT-FOR-US: IBM i Access 7.1 on Windows CVE-2015-2022 RESERVED CVE-2015-2021 RESERVED CVE-2015-2020 (The MyScript SDK before 1.3 for Android might allow attackers to execu ...) NOT-FOR-US: MyScript SDK CVE-2015-2019 (IBM Tivoli Security Directory Server 6.0 before iFix 75, 6.1 before iF ...) NOT-FOR-US: IBM CVE-2015-2018 (IBM Integration Bus 9 and 10 before 10.0.0.1 and WebSphere Message Bro ...) NOT-FOR-US: IBM WebSphere CVE-2015-2017 (CRLF injection vulnerability in IBM WebSphere Application Server (WAS) ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2015-2016 (Unspecified vulnerability in IBM QRadar SIEM 7.1 MR2 before Patch 11 I ...) NOT-FOR-US: IBM CVE-2015-2015 (Cross-site scripting (XSS) vulnerability in pubnames.ntf (aka the Dire ...) NOT-FOR-US: IBM Domino CVE-2015-2014 (Open redirect vulnerability in the web server in IBM Domino 8.5 before ...) NOT-FOR-US: IBM Domino CVE-2015-2013 (IBM WebSphere MQ 7.0.1 before 7.0.1.13 allows remote attackers to caus ...) NOT-FOR-US: IBM CVE-2015-2012 (The MQXR service in WMQ Telemetry in IBM WebSphere MQ 7.1 before 7.1.0 ...) NOT-FOR-US: IBM CVE-2015-2011 (The xmlrpc.cgi Webmin script in IBM QRadar SIEM 7.1 MR2 before Patch 1 ...) NOT-FOR-US: IBM CVE-2015-2010 REJECTED CVE-2015-2009 (Cross-site request forgery (CSRF) vulnerability in the xmlrpc.cgi serv ...) NOT-FOR-US: IBM CVE-2015-2008 (IBM Security QRadar SIEM 7.1.x before 7.1 MR2 Patch 12 and 7.2.x befor ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2015-2007 (Directory traversal vulnerability in IBM Security QRadar SIEM 7.2.x be ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2015-2006 RESERVED CVE-2015-2005 (IBM Security QRadar SIEM 7.1.x before 7.1 MR2 Patch 12 and 7.2.x befor ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2015-2004 (The GraceNote GNSDK SDK before SVN Changeset 1.1.7 for Android might a ...) NOT-FOR-US: GraceNote GNSDK SDK CVE-2015-2003 (The PJSIP PJSUA2 SDK before SVN Changeset 51322 for Android might allo ...) NOT-FOR-US: PJSIP PJSUA2 SDK CVE-2015-2002 (The ESRI ArcGis Runtime SDK before 10.2.6-2 for Android might allow at ...) NOT-FOR-US: ESRI ArcGis Runtime SDK CVE-2015-2001 (The MetaIO SDK before 6.0.2.1 for Android might allow attackers to exe ...) NOT-FOR-US: MetaIO SDK CVE-2015-2000 (The Jumio SDK before 1.5.0 for Android might allow attackers to execut ...) NOT-FOR-US: Jumio SDK CVE-2015-1999 (IBM Security QRadar Incident Forensics 7.2.x before 7.2.5 Patch 5 plac ...) NOT-FOR-US: IBM QRadar CVE-2015-1998 RESERVED CVE-2015-1997 (Cross-site request forgery (CSRF) vulnerability in IBM Security QRadar ...) NOT-FOR-US: IBM QRadar CVE-2015-1996 (IBM Security QRadar Incident Forensics 7.2.x before 7.2.5 Patch 5 does ...) NOT-FOR-US: IBM QRadar CVE-2015-1995 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Security QR ...) NOT-FOR-US: IBM QRadar CVE-2015-1994 (IBM Security QRadar Incident Forensics 7.2.x before 7.2.5 Patch 5 does ...) NOT-FOR-US: IBM QRadar CVE-2015-1993 (IBM Security QRadar Incident Forensics 7.2.x before 7.2.5 Patch 5 does ...) NOT-FOR-US: IBM QRadar CVE-2015-1992 (IBM Systems Director 5.2.x, 6.1.x, 6.2.0.x, 6.2.1.x, 6.3.0.0, 6.3.1.x, ...) NOT-FOR-US: IBM Systems Director CVE-2015-1991 REJECTED CVE-2015-1990 REJECTED CVE-2015-1989 (SQL injection vulnerability in IBM Security QRadar Incident Forensics ...) NOT-FOR-US: IBM QRadar CVE-2015-1988 (Cross-site scripting (XSS) vulnerability in IBM Tivoli Storage Manger ...) NOT-FOR-US: IBM CVE-2015-1987 (IBM MQ Light before 1.0.0.2 allows remote attackers to cause a denial ...) NOT-FOR-US: IBM CVE-2015-1986 (The server in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.12 al ...) NOT-FOR-US: IBM CVE-2015-1985 (The queue manager on IBM MQ M2000 appliances before 8.0.0.4 allows loc ...) NOT-FOR-US: IBM MQ M2000 appliances CVE-2015-1984 (IBM InfoSphere Master Data Management Collaborative Edition 9.1, 10.1, ...) NOT-FOR-US: IBM CVE-2015-1983 (Cross-site scripting (XSS) vulnerability in the Projects page in IBM U ...) NOT-FOR-US: IBM CVE-2015-1982 (IBM InfoSphere Master Data Management Collaborative Edition 9.1, 10.1, ...) NOT-FOR-US: IBM CVE-2015-1981 (Cross-site scripting (XSS) vulnerability in the web server in IBM Domi ...) NOT-FOR-US: IBM CVE-2015-1980 (IBM InfoSphere Master Data Management Collaborative Edition 9.1, 10.1, ...) NOT-FOR-US: IBM CVE-2015-1979 (Multiple cross-site scripting (XSS) vulnerabilities in the Error dialo ...) NOT-FOR-US: IBM CVE-2015-1978 (Cross-site scripting (XSS) vulnerability in IBM Tivoli Security Direct ...) NOT-FOR-US: IBM CVE-2015-1977 (Directory traversal vulnerability in the Web Administration tool in IB ...) NOT-FOR-US: IBM CVE-2015-1976 (IBM Security Directory Server could allow an authenticated user to exe ...) NOT-FOR-US: IBM CVE-2015-1975 (The web administration tool in IBM Tivoli Security Directory Server 6. ...) NOT-FOR-US: IBM CVE-2015-1974 (The web administration tool in IBM Tivoli Security Directory Server 6. ...) NOT-FOR-US: IBM CVE-2015-1973 RESERVED CVE-2015-1972 (IBM Tivoli Security Directory Server 6.0 before iFix 75, 6.1 before iF ...) NOT-FOR-US: IBM CVE-2015-1971 (Unspecified vulnerability in Jazz Team Server in Jazz Foundation in IB ...) NOT-FOR-US: IBM CVE-2015-1970 (The IBM WebSphere DataPower XC10 appliance 2.1 through 2.1.0.3 and 2.5 ...) NOT-FOR-US: IBM CVE-2015-1969 (Cross-site scripting (XSS) vulnerability in IBM Tivoli Common Reportin ...) NOT-FOR-US: IBM CVE-2015-1968 (Cross-site scripting (XSS) vulnerability in IBM InfoSphere Master Data ...) NOT-FOR-US: IBM CVE-2015-1967 (MQ Explorer in IBM WebSphere MQ before 8.0.0.3 does not recognize the ...) NOT-FOR-US: IBM CVE-2015-1966 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Tivoli Fede ...) NOT-FOR-US: IBM Tivoli Federated Identity Manager CVE-2015-1965 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...) NOT-FOR-US: IBM CVE-2015-1964 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...) NOT-FOR-US: IBM CVE-2015-1963 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...) NOT-FOR-US: IBM CVE-2015-1962 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...) NOT-FOR-US: IBM CVE-2015-1961 (The REST API in IBM Business Process Manager (BPM) 7.5.x through 7.5.1 ...) NOT-FOR-US: IBM CVE-2015-1960 RESERVED CVE-2015-1959 (IBM Tivoli Security Directory Server 6.0 before iFix 75, 6.1 before iF ...) NOT-FOR-US: IBM CVE-2015-1958 (IBM MQ Light before 1.0.0.2 allows remote attackers to cause a denial ...) NOT-FOR-US: IBM CVE-2015-1957 (IBM WebSphere MQ 7.5.x before 7.5.0.6 and 8.0.x before 8.0.0.3 allows ...) NOT-FOR-US: IBM WebSphere MQ CVE-2015-1956 (IBM MQ Light before 1.0.0.2 allows remote attackers to cause a denial ...) NOT-FOR-US: IBM CVE-2015-1955 (IBM MQ Light before 1.0.0.2 allows remote attackers to cause a denial ...) NOT-FOR-US: IBM CVE-2015-1954 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...) NOT-FOR-US: IBM CVE-2015-1953 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...) NOT-FOR-US: IBM CVE-2015-1952 (Cross-site scripting (XSS) vulnerability in IBM AppScan Enterprise Edi ...) NOT-FOR-US: IBM CVE-2015-1951 (IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 ...) NOT-FOR-US: IBM CVE-2015-1950 (IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not require ...) NOT-FOR-US: IBM CVE-2015-1949 (The server in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.12 al ...) NOT-FOR-US: IBM CVE-2015-1948 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...) NOT-FOR-US: IBM CVE-2015-1947 (Untrusted search path vulnerability in IBM InfoSphere BigInsights 3.0, ...) NOT-FOR-US: IBM InfoSphere BigInsights CVE-2015-1946 (IBM WebSphere Application Server (WAS) 8.5 before 8.5.5.6, and WebSphe ...) NOT-FOR-US: IBM WebSphere CVE-2015-1945 (Unspecified vulnerability in the Reference Data Management component i ...) NOT-FOR-US: IBM InfoSphere CVE-2015-1944 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.0.0 ...) NOT-FOR-US: IBM WebSphere CVE-2015-1943 (IBM WebSphere Portal 6.1.0.x through 6.1.0.6 CF27, 6.1.5.x through 6.1 ...) NOT-FOR-US: IBM CVE-2015-1942 (The server in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.12 al ...) NOT-FOR-US: IBM CVE-2015-1941 (The server in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.12 al ...) NOT-FOR-US: IBM CVE-2015-1940 RESERVED CVE-2015-1939 RESERVED CVE-2015-1938 (The server in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.12 al ...) NOT-FOR-US: IBM CVE-2015-1937 (IBM PowerVC 1.2.0.x through 1.2.0.4, 1.2.1.x through 1.2.1.2, and 1.2. ...) NOT-FOR-US: IBM PowerVC CVE-2015-1936 (The administrative console in IBM WebSphere Application Server (WAS) 8 ...) NOT-FOR-US: IBM WAS CVE-2015-1935 (The scalar-function implementation in IBM DB2 9.7 through FP10, 9.8 th ...) NOT-FOR-US: IBM DB2 CVE-2015-1934 (IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 ...) NOT-FOR-US: IBM CVE-2015-1933 (IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 ...) NOT-FOR-US: IBM CVE-2015-1932 (IBM WebSphere Application Server 7.x before 7.0.0.39, 8.0.x before 8.0 ...) NOT-FOR-US: IBM WebSphere CVE-2015-1931 (IBM Java Security Components in IBM SDK, Java Technology Edition 8 bef ...) NOT-FOR-US: IBM JDK CVE-2015-1930 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...) NOT-FOR-US: IBM CVE-2015-1929 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...) NOT-FOR-US: IBM CVE-2015-1928 (Jazz Team Server in Jazz Foundation in IBM Rational Collaborative Life ...) NOT-FOR-US: IBM CVE-2015-1927 (The default configuration of IBM WebSphere Application Server (WAS) 7. ...) NOT-FOR-US: IBM WAS CVE-2015-1926 (Unspecified vulnerability in the Oracle WebCenter Portal component in ...) NOT-FOR-US: Oracle WebCenter Portal CVE-2015-1925 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...) NOT-FOR-US: IBM CVE-2015-1924 (Stack-based buffer overflow in the server in IBM Tivoli Storage Manage ...) NOT-FOR-US: IBM CVE-2015-1923 (Buffer overflow in the server in IBM Tivoli Storage Manager FastBack 6 ...) NOT-FOR-US: IBM CVE-2015-1922 (The Data Movement implementation in IBM DB2 9.7 through FP10, 9.8 thro ...) NOT-FOR-US: IBM DB2 CVE-2015-1921 (Open redirect vulnerability in IBM WebSphere Portal 8.0.0 before 8.0.0 ...) NOT-FOR-US: IBM CVE-2015-1920 (IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.47, 7.0 befor ...) NOT-FOR-US: IBM CVE-2015-1919 (Cross-site scripting (XSS) vulnerability in IBM Security QRadar Incide ...) NOT-FOR-US: IBM CVE-2015-1918 RESERVED CVE-2015-1917 (Cross-site scripting (XSS) vulnerability in the Active Content Filteri ...) NOT-FOR-US: IBM CVE-2015-1916 (Unspecified vulnerability in IBM Java 8 before SR1 allows remote attac ...) NOT-FOR-US: IBM JDK CVE-2015-1915 (The Endpoint Manager for Remote Control component in IBM Tivoli Endpoi ...) NOT-FOR-US: IBM CVE-2015-1914 (IBM Java 7 R1 before SR3, 7 before SR9, 6 R1 before SR8 FP4, 6 before ...) NOT-FOR-US: IBM JDK CVE-2015-1913 (Rational Test Control Panel in IBM Rational Test Workbench and Rationa ...) NOT-FOR-US: IBM CVE-2015-1912 RESERVED CVE-2015-1911 (Cross-site scripting (XSS) vulnerability in Sterling Order Management ...) NOT-FOR-US: Sterling Order Management CVE-2015-1910 (Cross-site scripting (XSS) vulnerability in the Reference Data Managem ...) NOT-FOR-US: IBM CVE-2015-1909 (The XML parser in the Reference Data Management component in the serve ...) NOT-FOR-US: IBM CVE-2015-1908 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 6.1.0 ...) NOT-FOR-US: IBM WebSphere Portal CVE-2015-1907 (The Administration and Reporting Tool in IBM Rational License Key Serv ...) NOT-FOR-US: IBM Rational License Key Server CVE-2015-1906 (Cross-site scripting (XSS) vulnerability in the REST API in IBM Busine ...) NOT-FOR-US: IBM BPM CVE-2015-1905 (The REST API in IBM Business Process Manager (BPM) 7.5.x through 7.5.1 ...) NOT-FOR-US: IBM BPM CVE-2015-1904 (IBM Business Process Manager (BPM) 8.0.x through 8.0.1.3, 8.5.0 throug ...) NOT-FOR-US: IBM CVE-2015-1903 (Stack-based buffer overflow in IBM Domino 8.5 before 8.5.3 FP6 IF7 and ...) NOT-FOR-US: IBM CVE-2015-1902 (Stack-based buffer overflow in IBM Domino 8.5 before 8.5.3 FP6 IF7 and ...) NOT-FOR-US: IBM CVE-2015-1901 (The installer in IBM InfoSphere Information Server 8.5 through 11.3 be ...) NOT-FOR-US: IBM CVE-2015-1900 (IBM InfoSphere DataStage 8.1, 8.5, 8.7, 9.1, and 11.3 through 11.3.1.2 ...) NOT-FOR-US: IBM CVE-2015-1899 (IBM WebSphere Portal 8.5 through CF05 allows remote attackers to cause ...) NOT-FOR-US: IBM CVE-2015-1898 (Stack-based buffer overflow in the FastBackMount process in IBM Tivoli ...) NOT-FOR-US: IBM CVE-2015-1897 (Stack-based buffer overflow in the FastBackMount process in IBM Tivoli ...) NOT-FOR-US: IBM CVE-2015-1896 (Stack-based buffer overflow in the FastBackMount process in IBM Tivoli ...) NOT-FOR-US: IBM CVE-2015-1895 (IBM InfoSphere Optim Workload Replay 2.x before 2.1.0.3 relies on clie ...) NOT-FOR-US: IBM CVE-2015-1894 (Cross-site request forgery (CSRF) vulnerability in IBM InfoSphere Opti ...) NOT-FOR-US: IBM CVE-2015-1893 (The IBM WebSphere DataPower XC10 appliance 2.1 before 2.1.0.3 allows r ...) NOT-FOR-US: IBM WebSphere CVE-2015-1892 (The Multicast DNS (mDNS) responder in IBM Security Access Manager for ...) NOT-FOR-US: IBM Security Access Manager CVE-2015-1891 RESERVED CVE-2015-1890 (/usr/lpp/mmfs/bin/gpfs.snap in IBM General Parallel File System (GPFS) ...) NOT-FOR-US: IBM General Parallel File System CVE-2015-1889 (The Big SQL component in IBM InfoSphere BigInsights 3.0 through 3.0.0. ...) NOT-FOR-US: IBM InfoSphere BigInsights CVE-2015-1888 (Cross-site scripting (XSS) vulnerability in IBM Content Navigator 2.0. ...) NOT-FOR-US: IBM CVE-2015-1887 (IBM WebSphere Portal 7.0.0 through 7.0.0.2 CF29, 8.0.0 before 8.0.0.1 ...) NOT-FOR-US: IBM WebSphere Portal CVE-2015-1886 (The Remote Document Conversion Service (DCS) in IBM WebSphere Portal 6 ...) NOT-FOR-US: IBM WebSphere Portal CVE-2015-1885 (WebSphereOauth20SP.ear in IBM WebSphere Application Server (WAS) 7.0 b ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2015-1884 (Directory traversal vulnerability in IBM Business Process Manager (BPM ...) NOT-FOR-US: IBM CVE-2015-1883 (IBM DB2 9.7 through FP10, 9.8 through FP5, 10.1 before FP5, and 10.5 t ...) NOT-FOR-US: IBM DB2 CVE-2015-1882 (Multiple race conditions in IBM WebSphere Application Server (WAS) 8.5 ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2015-1880 (Cross-site scripting (XSS) vulnerability in the sslvpn login page in F ...) NOT-FOR-US: Fortinet FortiOS CVE-2015-1879 (Cross-site scripting (XSS) vulnerability in the Google Doc Embedder pl ...) NOT-FOR-US: Google Doc Embedder plugin for WordPress CVE-2015-2042 (net/rds/sysctl.c in the Linux kernel before 3.19 uses an incorrect dat ...) {DSA-3237-1 DLA-246-1} - linux 3.16.7-ckt9-1 - linux-2.6 [squeeze] - linux-2.6 (Minor issue) NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=db27ebb111e9f69efece08e4cb6a34ff980f8896 (v3.19) NOTE: (earliest) introduced in https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3e5048495c8569bfdd552750e0315973c61e7c93 (v2.6.30-rc1) CVE-2015-2041 (net/llc/sysctl_net_llc.c in the Linux kernel before 3.19 uses an incor ...) {DSA-3237-1 DLA-246-1} - linux 3.16.7-ckt9-1 - linux-2.6 [squeeze] - linux-2.6 (Minor issue) NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6b8d9117ccb4f81b1244aafa7bc70ef8fa45fc49 (v3.19-rc7) NOTE: (earliest) introduced in https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=590232a7150674b2036291eaefce085f3f9659c8 (v2.6.14-rc3) CVE-2015-2035 (SQL injection vulnerability in the administrative backend in Piwigo be ...) - piwigo [squeeze] - piwigo (Unsupported in squeeze-lts) NOTE: Request to mark the package as unsupported in #779104 CVE-2015-2034 (Cross-site scripting (XSS) vulnerability in the administrative backend ...) - piwigo [squeeze] - piwigo (Unsupported in squeeze-lts) NOTE: Request to mark the package as unsupported in #779104 CVE-2015-1878 (Thales nShield Connect hardware models 500, 1500, 6000, 500+, 1500+, a ...) NOT-FOR-US: nShield Connect hardware models CVE-2015-1876 (Directory traversal vulnerability in ES File Explorer 3.2.4.1. ...) NOT-FOR-US: ES File Explorer CVE-2015-1875 (SQL injection vulnerability in a2billing/customer/iridium_threed.php i ...) NOT-FOR-US: Elastix CVE-2015-1874 (Cross-site request forgery (CSRF) vulnerability in the Contact Form DB ...) NOT-FOR-US: Contact Form DB (aka CFDB and contact-form-7-to-database-extension) plugin for WordPress CVE-2015-1873 RESERVED CVE-2015-1872 (The ff_mjpeg_decode_sof function in libavcodec/mjpegdec.c in FFmpeg be ...) {DLA-1740-1 DLA-644-1} - ffmpeg 7:2.5.4-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav [wheezy] - libav (Minor issue, can be fixed along in a future DSA) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=fabbfaa095660982cc0bc63242c459561fa37037 CVE-2015-1871 RESERVED CVE-2015-1870 (The event scripts in Automatic Bug Reporting Tool (ABRT) uses world-re ...) NOT-FOR-US: abrt is Red Hat / Fedora specific CVE-2015-1869 (The default event handling scripts in Automatic Bug Reporting Tool (AB ...) NOT-FOR-US: abrt is Red Hat / Fedora specific CVE-2015-1868 (The label decompression functionality in PowerDNS Recursor 3.5.x, 3.6. ...) - pdns 3.4.4-1 [jessie] - pdns 3.4.1-4+deb8u1 [wheezy] - pdns (3.2 and up affected) [squeeze] - pdns (3.2 and up affected) - pdns-recursor 3.7.2-1 [jessie] - pdns-recursor 3.6.2-2+deb8u1 [wheezy] - pdns-recursor (3.5 and up affected) [squeeze] - pdns-recursor (3.5 and up affected) NOTE: https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/ CVE-2015-1867 (Pacemaker before 1.1.13 does not properly evaluate added nodes, which ...) - pacemaker (Vulnerable code not present) NOTE: Introduced by: https://github.com/ClusterLabs/pacemaker/commit/f242c1ef (Pacemaker-1.1.12-rc1) NOTE: Fixed by: https://github.com/ClusterLabs/pacemaker/commit/84ac07c (Pacemaker-1.1.13-rc2) CVE-2015-1866 (Cross-site scripting (XSS) vulnerability in Ember.js 1.10.x before 1.1 ...) NOT-FOR-US: ember.js CVE-2015-1865 (fts.c in coreutils 8.4 allows local users to delete arbitrary files. ...) - coreutils 8.13-1 (low) [squeeze] - coreutils (Minor issue) NOTE: relevant code changed between 8.5 and 8.13, see https://bugzilla.redhat.com/show_bug.cgi?id=1211300 for details NOTE: Issue reproduced in with 8.5 and confirmed to not work with 8.13-3.5 CVE-2015-1864 (Multiple cross-site scripting (XSS) vulnerabilities in the administrat ...) - kallithea (bug #689573) CVE-2015-1863 (Heap-based buffer overflow in wpa_supplicant 1.0 through 2.4 allows re ...) {DSA-3233-1} - wpa 2.3-2 (bug #783148) - wpasupplicant (Vulnerable code present since v1.0) NOTE: http://w1.fi/security/2015-1/ NOTE: Vulnerable are v1.0-v2.4 with CONFIG_P2P build option enabled NOTE: CONFIG_P2P enabled since 1.1-1 in debian/config/wpasupplicant/linux NOTE: Binary packages built for wheezy are not affected since WiFi P2P is disabled CVE-2015-1862 (The crash reporting feature in Abrt allows local users to gain privile ...) NOT-FOR-US: abrt is Red Hat / Fedora specific CVE-2015-1861 REJECTED CVE-2015-1860 (Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase m ...) {DLA-210-1} - qt4-x11 4:4.8.6+git155-g716fbae+dfsg-2 (bug #783133) [jessie] - qt4-x11 4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1 [wheezy] - qt4-x11 (Minor issue) - qtbase-opensource-src 5.3.2+dfsg-5 (bug #783134) [jessie] - qtbase-opensource-src 5.3.2+dfsg-4+deb8u1 NOTE: http://lists.qt-project.org/pipermail/announce/2015-April/000067.html CVE-2015-1859 (Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp ...) {DLA-210-1} - qt4-x11 4:4.8.6+git155-g716fbae+dfsg-2 (bug #783133) [jessie] - qt4-x11 4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1 [wheezy] - qt4-x11 (Minor issue) - qtbase-opensource-src 5.3.2+dfsg-5 (bug #783134) [jessie] - qtbase-opensource-src 5.3.2+dfsg-4+deb8u1 NOTE: http://lists.qt-project.org/pipermail/announce/2015-April/000067.html CVE-2015-1858 (Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase m ...) {DLA-210-1} - qt4-x11 4:4.8.6+git155-g716fbae+dfsg-2 (bug #783133) [jessie] - qt4-x11 4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1 [wheezy] - qt4-x11 (Minor issue) - qtbase-opensource-src 5.3.2+dfsg-5 (bug #783134) [jessie] - qtbase-opensource-src 5.3.2+dfsg-4+deb8u1 NOTE: http://lists.qt-project.org/pipermail/announce/2015-April/000067.html CVE-2015-1857 (The odl-mdsal-apidocs feature in OpenDaylight Helium allow remote atta ...) NOT-FOR-US: OpenDaylight CVE-2015-1856 (OpenStack Object Storage (Swift) before 2.3.0, when allow_version is c ...) - swift 2.2.0-2 (bug #783163) [jessie] - swift 2.2.0-1+deb8u1 [wheezy] - swift (Minor issue) NOTE: https://launchpad.net/bugs/1430645 CVE-2015-1855 (verify_certificate_identity in the OpenSSL extension in Ruby before 2. ...) {DSA-3247-1 DSA-3246-1 DSA-3245-1 DLA-235-1 DLA-224-1} - ruby1.8 - ruby1.9.1 - ruby2.0 - ruby2.1 2.1.5-3 - ruby2.2 2.2.2-1 NOTE: https://bugs.ruby-lang.org/issues/9644 NOTE: https://github.com/ruby/openssl/commit/e9a7bcb8bf2902f907c148a00bbcf21d3fa79596 CVE-2015-1854 (389 Directory Server before 1.3.3.10 allows attackers to bypass intend ...) {DLA-1428-1} - 389-ds-base 1.3.3.10-1 (bug #783923) NOTE: Patch applied to CentOS package: https://git.centos.org/raw/rpms!389-ds-base.git!/309aa9ee631432d72c845f70df2ce6475055423b/SOURCES!0062-CVE-2015-1854-389ds-base-access-control-bypass-with-.patch CVE-2015-1853 (chrony before 1.31.1 does not properly protect state variables in auth ...) {DSA-3222-1 DLA-193-1} - chrony 1.30-2 (bug #782160) NOTE: Fix: http://git.tuxfamily.org/chrony/chrony.git/commit/?h=1.31-security&id=d856bd34c4862398411d29200520e3a3b1d4569e CVE-2015-1852 (The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 a ...) - python-keystonemiddleware 1.5.0-2 [jessie] - python-keystonemiddleware 1.0.0-3+deb8u1 - python-keystoneclient 1:1.3.0-2 (bug #783164) NOTE: originally fixed in 1:0.10.1-3 but then 1:1.3.0-1 was uploaded without the fix [jessie] - python-keystoneclient 1:0.10.1-2+deb8u1 [wheezy] - python-keystoneclient (s3_token middleware not present) NOTE: https://launchpad.net/bugs/1411063 CVE-2015-1851 (OpenStack Cinder before 2014.1.5 (icehouse), 2014.2.x before 2014.2.4 ...) {DSA-3292-1} - cinder 2015.1.0+2015.06.16.git26.9634b76ba5-1 (bug #788996) NOTE: http://www.openwall.com/lists/oss-security/2015/06/13/1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1231817 NOTE: https://bugs.launchpad.net/cinder/+bug/1415087 CVE-2015-1850 REJECTED CVE-2015-1849 (AdvancedLdapLodinMogule in Red Hat JBoss Enterprise Application Platfo ...) NOT-FOR-US: JBoss EAP CVE-2015-1848 (The pcs daemon (pcsd) in PCS 0.9.137 and earlier does not set the secu ...) - pcs (Fixed before initial release to Debian) NOTE: https://github.com/feist/pcs/commit/898204596a779673c88097bbdbe2d7ed6ed0cc8b (0.9.140) CVE-2015-1847 (Directory traversal vulnerability in the web request/response interfac ...) NOT-FOR-US: Appserver.io CVE-2015-1846 (unzoo allows remote attackers to cause a denial of service (infinite l ...) - unzoo CVE-2015-1845 (Buffer overflow in the EntrReadArch function in unzoo might allow remo ...) - unzoo CVE-2015-1844 (Foreman before 1.7.5 allows remote authenticated users to bypass organ ...) - foreman (bug #663101) CVE-2015-1843 (The Red Hat docker package before 1.5.0-28, when using the --add-regis ...) - docker.io (RHEL specific problem) CVE-2015-1842 (The puppet manifests in the Red Hat openstack-puppet-modules package b ...) NOT-FOR-US: openstack-puppet-modules CVE-2015-1841 (The Web Admin interface in Red Hat Enterprise Virtualization Manager ( ...) NOT-FOR-US: RHEV CVE-2015-1840 (jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and ra ...) - ruby-jquery-rails 4.0.4-1 (bug #790395) [jessie] - ruby-jquery-rails (Minor issue) [wheezy] - ruby-jquery-rails (Minor issue) NOTE: https://hackerone.com/reports/49935 NOTE: https://groups.google.com/forum/#!msg/rubyonrails-security/XIZPbobuwaY/fqnzzpuOlA4J NOTE: https://nodesecurity.io/advisories/15 CVE-2015-1839 (modules/chef.py in SaltStack before 2014.7.4 does not properly handle ...) - salt (Vulnerable code only present in experimental version; introduced in 2014.7.0) NOTE: https://github.com/saltstack/salt/commit/22d2f7a1ec93300c34e8c42d14ec39d51e610b5c NOTE: https://github.com/saltstack/salt/commit/b49d0d4b5ca5c6f31f03e2caf97cef1088eeed81 CVE-2015-1838 (modules/serverdensity_device.py in SaltStack before 2014.7.4 does not ...) - salt (Vulnerable code only present in experimental version; introduced in 2014.7.0) NOTE: https://github.com/saltstack/salt/commit/e11298d7155e9982749483ca5538e46090caef9c CVE-2015-1837 RESERVED CVE-2015-1836 (Apache HBase 0.98 before 0.98.12.1, 1.0 before 1.0.1.1, and 1.1 before ...) NOT-FOR-US: Apache HBase CVE-2015-1835 (Apache Cordova Android before 3.7.2 and 4.x before 4.0.2, when an appl ...) NOT-FOR-US: Apache Cordova CVE-2015-1834 (A path traversal vulnerability was identified in the Cloud Foundry com ...) NOT-FOR-US: Cloud Foundry CVE-2015-1833 (XML external entity (XXE) vulnerability in Apache Jackrabbit before 2. ...) {DSA-3298-1} - jackrabbit 2.10.1-1 (bug #787316) NOTE: https://issues.apache.org/jira/browse/JCR-3883 CVE-2015-1832 (XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apac ...) - derby 10.13.1.1-1 [jessie] - derby (Minor issue) NOTE: https://issues.apache.org/jira/browse/DERBY-6807 NOTE: https://svn.apache.org/viewvc?view=revision&revision=1691461 NOTE: Fixed in 10.12.1.1 CVE-2015-1831 (The default exclude patterns (excludeParams) in Apache Struts 2.3.20 a ...) - libstruts1.2-java (Affects only 2.3.20) NOTE: https://struts.apache.org/docs/s2-024.html CVE-2015-1830 (Directory traversal vulnerability in the fileserver upload/download fu ...) - activemq (Only affects activemq on Windows) NOTE: http://activemq.apache.org/security-advisories.data/CVE-2015-1830-announcement.txt CVE-2015-1829 (Unspecified vulnerability in the Oracle HTTP Server component in Oracl ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2015-1828 (The Ruby http gem before 0.7.3 does not verify hostnames in SSL connec ...) - ruby-http 1.0.2-2 [jessie] - ruby-http (Minor issue) NOTE: http.rb failed to call the `#post_connection_check` method on SSL connections. NOTE: This method implements hostname verification, and without it `http.rb` was NOTE: vulnerable to MitM attacks. The problem was corrected by calling NOTE: `#post_connection_check`. NOTE: Fixed by: https://github.com/httprb/http/commit/24626bfcdeda1084502575c3fbb6091c9e2815e0 CVE-2015-1827 (The get_user_grouplist function in the extdom plug-in in FreeIPA befor ...) - freeipa (Only affects 4.1, see bug #781224) NOTE: https://fedorahosted.org/freeipa/ticket/4908 CVE-2015-1826 RESERVED CVE-2015-1825 RESERVED CVE-2015-1824 RESERVED CVE-2015-1823 RESERVED CVE-2015-1822 (chrony before 1.31.1 does not initialize the last "next" pointer when ...) {DSA-3222-1 DLA-193-1} - chrony 1.30-2 (bug #782160) NOTE: Fix: http://git.tuxfamily.org/chrony/chrony.git/commit/?h=1.31-security&id=79eacdb7e694c7e6681b68006425df3faca51aec CVE-2015-1821 (Heap-based buffer overflow in chrony before 1.31.1 allows remote authe ...) {DSA-3222-1 DLA-193-1} - chrony 1.30-2 (bug #782160) NOTE: Fix: http://git.tuxfamily.org/chrony/chrony.git/commit/?h=1.31-security&id=cf19042ecb656b8afec0cc4906e7dd3ea9266ac8 CVE-2015-1820 (REST client for Ruby (aka rest-client) before 1.8.0 allows remote atta ...) - ruby-rest-client 1.6.7-6 (bug #781238) [wheezy] - ruby-rest-client (The correction introduces a dependency on a package not available in wheezy) - librestclient-ruby [wheezy] - librestclient-ruby (Vulnerability introduced in 1.6.1, wheezy has 1.6.0) [squeeze] - librestclient-ruby (Vulnerability introduced in 1.6.1, squeeze has 1.6.0) NOTE: https://github.com/rest-client/rest-client/issues/369 NOTE: Patch: https://github.com/rest-client/rest-client/pull/365.patch (will need new dependency to ruby-http-cookie) CVE-2015-1819 (The xmlreader in libxml allows remote attackers to cause a denial of s ...) {DSA-3430-1 DLA-266-1} - libxml2 2.9.2+really2.9.1+dfsg1-0.1 (low; bug #782782) NOTE: https://git.gnome.org/browse/libxml2/commit/?id=213f1fe0d76d30eaed6e5853057defc43e6df2c9 NOTE: Concerns by Florian Weimer: https://bugzilla.gnome.org/show_bug.cgi?id=748278 CVE-2015-1818 (XML external entity (XXE) vulnerability in the dashbuilder import faci ...) NOT-FOR-US: JBoss dashbuilder CVE-2015-1817 (Stack-based buffer overflow in the inet_pton function in network/inet_ ...) - musl 1.1.5-2 (bug #781497) CVE-2015-1816 (Forman before 1.7.4 does not verify SSL certificates for LDAP connecti ...) - foreman (bug #663101) CVE-2015-1815 (The get_rpm_nvr_by_file_path_temporary function in util.py in setroubl ...) NOT-FOR-US: setroubleshoot CVE-2015-1814 (The API token-issuing service in Jenkins before 1.606 and LTS before 1 ...) - jenkins (bug #781223) NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23 CVE-2015-1813 (Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and L ...) - jenkins (bug #781223) NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23 CVE-2015-1812 (Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and L ...) - jenkins (bug #781223) NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23 CVE-2015-1811 (XML external entity (XXE) vulnerability in CloudBees Jenkins before 1. ...) - jenkins (bug #781223) NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27 CVE-2015-1810 (The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS b ...) - jenkins (bug #781223) NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27 CVE-2015-1809 (XML external entity (XXE) vulnerability in CloudBees Jenkins before 1. ...) - jenkins (bug #781223) NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27 CVE-2015-1808 (Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticate ...) - jenkins (bug #781223) NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27 CVE-2015-1807 (Directory traversal vulnerability in Jenkins before 1.600 and LTS befo ...) - jenkins (bug #781223) NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27 CVE-2015-1806 (The combination filter Groovy script in Jenkins before 1.600 and LTS b ...) - jenkins (bug #781223) NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27 CVE-2015-1805 (The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in t ...) {DSA-3290-1 DLA-246-1} - linux 3.16.2-2 - linux-2.6 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f0d1bec9d58d4c038d0ac958c9af82be6eb18045 (v3.16-rc1) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=637b58c2887e5e57850865839cc75f59184b23d1 (v3.15-rc1) CVE-2015-1804 (The bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont b ...) {DSA-3194-1 DLA-183-1} - libxfont 1:1.5.1-1 NOTE: http://lists.x.org/archives/xorg-announce/2015-March/002550.html CVE-2015-1803 (The bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont b ...) {DSA-3194-1 DLA-183-1} - libxfont 1:1.5.1-1 NOTE: http://lists.x.org/archives/xorg-announce/2015-March/002550.html CVE-2015-1802 (The bdfReadProperties function in bitmap/bdfread.c in X.Org libXfont b ...) {DSA-3194-1 DLA-183-1} - libxfont 1:1.5.1-1 NOTE: http://lists.x.org/archives/xorg-announce/2015-March/002550.html CVE-2015-1801 (The samsung_extdisp driver in the Samsung S4 (GT-I9500) I9500XXUEMK8 k ...) NOT-FOR-US: Samsung CVE-2015-1800 (The samsung_extdisp driver in the Samsung S4 (GT-I9500) I9500XXUEMK8 k ...) NOT-FOR-US: Samsung CVE-2015-1799 (The symmetric-key feature in the receive function in ntp_proto.c in nt ...) {DSA-3223-1 DLA-192-1} - ntp 1:4.2.6.p5+dfsg-6 (bug #782095) NOTE: http://bugs.ntp.org/show_bug.cgi?id=2781 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#Authentication_doesn_t_protect_s CVE-2015-1798 (The symmetric-key feature in the receive function in ntp_proto.c in nt ...) {DSA-3223-1 DLA-192-1} - ntp 1:4.2.6.p5+dfsg-6 (bug #782095) NOTE: http://bugs.ntp.org/show_bug.cgi?id=2779 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#ntpd_accepts_unauthenticated_pac CVE-2015-1797 REJECTED CVE-2015-1796 (The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 an ...) - libopensaml2-java (bug #780383) [jessie] - libopensaml2-java (Minor issue) NOTE: Only change between 2.6.4 and 2.6.5 seems http://svn.shibboleth.net/view/java-opensaml2/branches/REL_2/src/main/java/org/opensaml/saml2/metadata/provider/AbstractReloadingMetadataProvider.java?r1=1656&r2=1680 NOTE: http://shibboleth.net/community/advisories/secadv_20150225.txt CVE-2015-1795 (Red Hat Gluster Storage RPM Package 3.2 allows local users to gain pri ...) - glusterfs (Vulnerable code specific to glusterfs.spec and not present in source in Debian) CVE-2015-1794 (The ssl3_get_key_exchange function in ssl/s3_clnt.c in OpenSSL 1.0.2 b ...) - openssl 1.0.2e-1 [jessie] - openssl (Vulnerable code not present) [wheezy] - openssl (Vulnerable code not present) [squeeze] - openssl (Vulnerable code not present) NOTE: https://www.openssl.org/news/secadv/20151203.txt CVE-2015-1793 (The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0 ...) - openssl 1.0.2d-1 [jessie] - openssl (Vulnerable code not present) [wheezy] - openssl (Vulnerable code not present) [squeeze] - openssl (Vulnerable code not present) NOTE: http://openssl.org/news/secadv/20150709.txt CVE-2015-1792 (The do_free_upto function in crypto/cms/cms_smime.c in OpenSSL before ...) {DSA-3287-1 DLA-247-1} - openssl 1.0.2b-1 NOTE: http://openssl.org/news/secadv/20150611.txt CVE-2015-1791 (Race condition in the ssl3_get_new_session_ticket function in ssl/s3_c ...) {DSA-3287-1 DLA-247-1} - openssl 1.0.2b-1 NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=98ece4eebfb6cd45cc8d550c6ac0022965071afc NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=dcad51bc13c9b716d9a66248bcc4038c071ff158 NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=708cf593587e2fda67dae9782991ff9fccc781eb CVE-2015-1790 (The PKCS7_dataDecodefunction in crypto/pkcs7/pk7_doit.c in OpenSSL bef ...) {DSA-3287-1 DLA-247-1} - openssl 1.0.2b-1 NOTE: http://openssl.org/news/secadv/20150611.txt CVE-2015-1789 (The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL before ...) {DSA-3287-1 DLA-247-1} - openssl 1.0.2b-1 NOTE: http://openssl.org/news/secadv/20150611.txt CVE-2015-1788 (The BN_GF2m_mod_inv function in crypto/bn/bn_gf2m.c in OpenSSL before ...) {DSA-3287-1} - openssl 1.0.2b-1 [squeeze] - openssl (Vulnerable code got introduced post 1.0.0) NOTE: http://openssl.org/news/secadv/20150611.txt CVE-2015-1787 (The ssl3_get_client_key_exchange function in s3_srvr.c in OpenSSL 1.0. ...) - openssl (Vulnerable version never in unstable) NOTE: did affect 1.0.2 (only in experimental) and 1.0.2a was uploaded to unstable CVE-2015-1786 (Cross-site request forgery (CSRF) vulnerability in Zend/Validator/Csrf ...) - zendframework (the vulnerability was introduced specifically in the 2.3 series) NOTE: http://framework.zend.com/security/advisory/ZF2015-03 CVE-2015-1785 RESERVED CVE-2015-1784 RESERVED CVE-2015-1783 (The prefix variable in the get_or_define_ns function in Lasso before c ...) - lasso 2.4.1-1 [wheezy] - lasso (Vulnerable code introduced later) [squeeze] - lasso (Vulnerable code introduced later) NOTE: Upstream fix: https://repos.entrouvert.org/lasso.git/commit/lasso/xml?id=6d854cef4211cdcdbc7446c978f23ab859847cdd (v2.4.1) NOTE: Introduced by: https://repos.entrouvert.org/lasso.git/commit/lasso/xml?id=154812b401e3845977b3a4892dbc5e5a0b9d03cf (v2.4.0) CVE-2015-1782 (The kex_agree_methods function in libssh2 before 1.5.0 allows remote s ...) {DSA-3182-1 DLA-171-1} - libssh2 1.4.3-4.1 (bug #780249) NOTE: http://www.libssh2.org/adv_20150311.html CVE-2015-1781 (Buffer overflow in the gethostbyname_r and other unspecified NSS funct ...) {DSA-3480-1 DLA-230-1} [experimental] - glibc 2.21-0experimental1 - glibc 2.19-20 (bug #796105) [jessie] - glibc 2.19-18+deb8u1 - eglibc NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=18287 NOTE: Upstream commit: https://sourceware.org/git/?p=glibc.git;a=commit;h=2959eda9272a03386 CVE-2015-1780 (oVirt users with MANIPULATE_STORAGE_DOMAIN permissions can attach a st ...) NOT-FOR-US: oVirt Engine backend CVE-2015-1779 (The VNC websocket frame decoder in QEMU allows remote attackers to cau ...) {DSA-3259-1} - qemu 1:2.3+dfsg-1 (bug #781250) [wheezy] - qemu (Websocket protocol support introduced in v1.4.0-rc0) [squeeze] - qemu (Websocket protocol support introduced in v1.4.0-rc0) - qemu-kvm (Websocket protocol support introduced in v1.4.0-rc0) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-03/msg04894.html NOTE: Original patches have problem: https://lists.gnu.org/archive/html/qemu-devel/2015-03/msg04995.html NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=a2bebfd6e09d NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=2cdb5e142fb93 CVE-2015-1778 (The custom authentication realm used by karaf-tomcat's "opendaylight" ...) NOT-FOR-US: OpenDaylight CVE-2015-1777 (rhnreg_ks in Red Hat Network Client Tools (aka rhn-client-tools) on Re ...) - rhn-client-tools (unimportant; bug #779817) NOTE: No security impact, this tool performs a registration at Red Hat Network, NOTE: which would fail, but no practical security impact CVE-2015-1776 (Apache Hadoop 2.6.x encrypts intermediate data generated by a MapReduc ...) - hadoop (bug #793644) CVE-2015-1775 (Server-side request forgery (SSRF) vulnerability in the proxy endpoint ...) NOT-FOR-US: Apache Ambari CVE-2015-1774 (The HWP filter in LibreOffice before 4.3.7 and 4.4.x before 4.4.2 and ...) {DSA-3236-1} - libreoffice 1:4.4.2-1 CVE-2015-1773 (Cross-site scripting (XSS) vulnerability in asdoc/templates/index.html ...) - flex-sdk (bug #602499) CVE-2015-1772 (The LDAP implementation in HiveServer2 in Apache Hive before 1.0.1 and ...) NOT-FOR-US: Apache Hive CVE-2015-1771 (Cross-site request forgery (CSRF) vulnerability in the web application ...) NOT-FOR-US: Microsoft Exchange Server CVE-2015-1770 (Microsoft Office 2013 SP1 and 2013 RT SP1 allows remote attackers to e ...) NOT-FOR-US: Microsoft Office CVE-2015-1769 (Mount Manager in Microsoft Windows Vista SP2, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft Windows CVE-2015-1768 (win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 ...) NOT-FOR-US: Microsoft Windows Server CVE-2015-1767 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1766 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1765 (Microsoft Internet Explorer 9 through 11 allows remote attackers to re ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1764 (The web applications in Microsoft Exchange Server 2013 SP1 and Cumulat ...) NOT-FOR-US: Microsoft Exchange Server CVE-2015-1763 (Microsoft SQL Server 2008 SP3 and SP4, 2008 R2 SP2 and SP3, 2012 SP1 a ...) NOT-FOR-US: Microsoft SQL Server CVE-2015-1762 (Microsoft SQL Server 2008 SP3 and SP4, 2008 R2 SP2 and SP3, 2012 SP1 a ...) NOT-FOR-US: Microsoft SQL Server CVE-2015-1761 (Microsoft SQL Server 2008 SP3 and SP4, 2008 R2 SP2 and SP3, 2012 SP1 a ...) NOT-FOR-US: Microsoft SQL Server CVE-2015-1760 (Microsoft Office Compatibility Pack SP3, Office 2010 SP2, Office 2013 ...) NOT-FOR-US: Microsoft Office CVE-2015-1759 (Microsoft Office Compatibility Pack SP3 allows remote attackers to exe ...) NOT-FOR-US: Microsoft Office CVE-2015-1758 (Untrusted search path vulnerability in the LoadLibrary function in the ...) NOT-FOR-US: Microsoft Windows CVE-2015-1757 (Cross-site scripting (XSS) vulnerability in adfs/ls in Active Director ...) NOT-FOR-US: Microsoft Windows Server CVE-2015-1756 (Use-after-free vulnerability in Microsoft Common Controls in Microsoft ...) NOT-FOR-US: Microsoft Windows CVE-2015-1755 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1754 (Microsoft Internet Explorer 8 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1753 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1752 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1751 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1750 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1749 REJECTED CVE-2015-1748 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ga ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1747 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1746 REJECTED CVE-2015-1745 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1744 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1743 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ga ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1742 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1741 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1740 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1739 (Microsoft Internet Explorer 10 and 11 allows remote attackers to gain ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1738 (Microsoft Internet Explorer 8 and 9 allows remote attackers to execute ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1737 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1736 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1735 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1734 REJECTED CVE-2015-1733 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1732 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1731 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1730 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1729 (Microsoft Internet Explorer 9 through 11 allows remote attackers to re ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1728 (Microsoft Windows Media Player 10 through 12 allows remote attackers t ...) NOT-FOR-US: Microsoft Windows CVE-2015-1727 (Buffer overflow in the kernel-mode drivers in Microsoft Windows Server ...) NOT-FOR-US: Microsoft Windows Server CVE-2015-1726 (Use-after-free vulnerability in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows Server CVE-2015-1725 (Buffer overflow in the kernel-mode drivers in Microsoft Windows Server ...) NOT-FOR-US: Microsoft Windows Server CVE-2015-1724 (Use-after-free vulnerability in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows Server CVE-2015-1723 (Use-after-free vulnerability in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows Server CVE-2015-1722 (Use-after-free vulnerability in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows Server CVE-2015-1721 (The kernel-mode drivers in Microsoft Windows Server 2003 SP2 and R2 SP ...) NOT-FOR-US: Microsoft Windows Server CVE-2015-1720 (Use-after-free vulnerability in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows Server CVE-2015-1719 (The kernel-mode drivers in Microsoft Windows Server 2003 SP2 and R2 SP ...) NOT-FOR-US: Microsoft Windows Server CVE-2015-1718 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1717 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1716 (Schannel in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Wind ...) NOT-FOR-US: Microsoft Windows Server CVE-2015-1715 (Microsoft Silverlight 5 before 5.1.40416.00 allows remote attackers to ...) NOT-FOR-US: Microsoft CVE-2015-1714 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1713 (Microsoft Internet Explorer 11 allows remote attackers to gain privile ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1712 (Microsoft Internet Explorer 8 and 9 allows remote attackers to execute ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1711 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1710 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1709 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1708 (Microsoft Internet Explorer 8 and 9 allows remote attackers to execute ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1707 REJECTED CVE-2015-1706 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1705 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1704 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ga ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1703 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ga ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1702 (The Service Control Manager (SCM) in Microsoft Windows Server 2003 SP2 ...) NOT-FOR-US: Microsoft Windows Server CVE-2015-1701 (Win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 ...) NOT-FOR-US: Microsoft Windows CVE-2015-1700 (Microsoft SharePoint Server 2007 SP3, SharePoint Foundation 2010 SP2, ...) NOT-FOR-US: Microsoft CVE-2015-1699 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft Windows CVE-2015-1698 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft Windows CVE-2015-1697 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft Windows CVE-2015-1696 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft Windows CVE-2015-1695 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft Windows CVE-2015-1694 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1693 REJECTED CVE-2015-1692 (Microsoft Internet Explorer 7 through 11 allows user-assisted remote a ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1691 (Microsoft Internet Explorer 8 and 9 allows remote attackers to execute ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1690 REJECTED CVE-2015-1689 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1688 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ga ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1687 (Microsoft Internet Explorer 6 through 9 allows remote attackers to exe ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1686 (The Microsoft (1) VBScript 5.6 through 5.8 and (2) JScript 5.6 through ...) NOT-FOR-US: Microsoft CVE-2015-1685 (Microsoft Internet Explorer 11 allows remote attackers to bypass the A ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1684 (VBScript.dll in the Microsoft VBScript 5.6 through 5.8 engine, as used ...) NOT-FOR-US: Microsoft CVE-2015-1683 (Microsoft Office 2007 SP3 allows remote attackers to execute arbitrary ...) NOT-FOR-US: Microsoft CVE-2015-1682 (Microsoft Office 2010 SP2, Excel 2010 SP2, PowerPoint 2010 SP2, Word 2 ...) NOT-FOR-US: Microsoft CVE-2015-1681 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft Windows CVE-2015-1680 (The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows ...) NOT-FOR-US: Microsoft Windows Server CVE-2015-1679 (The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows ...) NOT-FOR-US: Microsoft Windows Server CVE-2015-1678 (The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows ...) NOT-FOR-US: Microsoft Windows Server CVE-2015-1677 (The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows ...) NOT-FOR-US: Microsoft Windows Server CVE-2015-1676 (The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows ...) NOT-FOR-US: Microsoft Windows Server CVE-2015-1675 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft Windows CVE-2015-1674 (The kernel in Microsoft Windows 8, Windows 8.1, Windows Server 2012 Go ...) NOT-FOR-US: Microsoft Windows CVE-2015-1673 (The Windows Forms (aka WinForms) libraries in Microsoft .NET Framework ...) NOT-FOR-US: Microsoft CVE-2015-1672 (Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, and 4.5.2 ...) NOT-FOR-US: Microsoft CVE-2015-1671 (The Windows DirectWrite library, as used in Microsoft .NET Framework 3 ...) NOT-FOR-US: Microsoft CVE-2015-1670 (The Windows DirectWrite library, as used in Microsoft .NET Framework 3 ...) NOT-FOR-US: Microsoft CVE-2015-1669 REJECTED CVE-2015-1668 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1667 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1666 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1665 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1664 REJECTED CVE-2015-1663 REJECTED CVE-2015-1662 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1661 (Microsoft Internet Explorer 6 through 11 allows remote attackers to by ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1660 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1659 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1658 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1657 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1656 REJECTED CVE-2015-1655 REJECTED CVE-2015-1654 REJECTED CVE-2015-1653 (Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Found ...) NOT-FOR-US: Microsoft CVE-2015-1652 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1651 (Use-after-free vulnerability in Microsoft Word 2007 SP3, Word Viewer, ...) NOT-FOR-US: Microsoft CVE-2015-1650 (Use-after-free vulnerability in Microsoft Word 2007 SP3, Office 2010 S ...) NOT-FOR-US: Microsoft CVE-2015-1649 (Use-after-free vulnerability in Microsoft Word 2007 SP3, Office 2010 S ...) NOT-FOR-US: Microsoft CVE-2015-1648 (ASP.NET in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4 ...) NOT-FOR-US: Microsoft CVE-2015-1647 (Virtual Machine Manager (VMM) in Hyper-V in Microsoft Windows 8.1 and ...) NOT-FOR-US: Microsoft Windows CVE-2015-1646 (Microsoft XML Core Services (aka MSXML) 3.0 allows remote attackers to ...) NOT-FOR-US: Microsoft CVE-2015-1645 (Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2 ...) NOT-FOR-US: Microsoft Windows CVE-2015-1644 (Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2 ...) NOT-FOR-US: Microsoft Windows CVE-2015-1643 (Microsoft Windows Server 2003 R2, Windows Vista SP2, Windows Server 20 ...) NOT-FOR-US: Microsoft Windows CVE-2015-1642 (Microsoft Office 2007 SP3, 2010 SP2, and 2013 SP1 allows remote attack ...) NOT-FOR-US: Microsoft Office CVE-2015-1641 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1 ...) NOT-FOR-US: Microsoft CVE-2015-1640 (Cross-site scripting (XSS) vulnerability in Microsoft Project Server 2 ...) NOT-FOR-US: Microsoft CVE-2015-1639 (Cross-site scripting (XSS) vulnerability in Microsoft Office for Mac 2 ...) NOT-FOR-US: Microsoft CVE-2015-1638 (Microsoft Active Directory Federation Services (AD FS) 3.0 on Windows ...) NOT-FOR-US: Microsoft CVE-2015-1637 (Schannel (aka Secure Channel) in Microsoft Windows Server 2003 SP2, Wi ...) NOT-FOR-US: Microsoft CVE-2015-1636 (Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Found ...) NOT-FOR-US: Microsoft CVE-2015-1635 (HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windo ...) NOT-FOR-US: Microsoft Windows CVE-2015-1634 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1633 (Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Found ...) NOT-FOR-US: Microsoft SharePoint CVE-2015-1632 (Cross-site scripting (XSS) vulnerability in errorfe.aspx in Outlook We ...) NOT-FOR-US: Microsoft CVE-2015-1631 (Microsoft Exchange Server 2013 SP1 and Cumulative Update 7 allows remo ...) NOT-FOR-US: Microsoft CVE-2015-1630 (Cross-site scripting (XSS) vulnerability in Outlook Web App (OWA) in M ...) NOT-FOR-US: Microsoft CVE-2015-1629 (Cross-site scripting (XSS) vulnerability in Outlook Web App (OWA) in M ...) NOT-FOR-US: Microsoft CVE-2015-1628 (Cross-site scripting (XSS) vulnerability in Outlook Web App (OWA) in M ...) NOT-FOR-US: Microsoft CVE-2015-1627 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ga ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1626 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1625 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1624 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1623 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1622 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1621 (Cross-site scripting (XSS) vulnerability in the Webform prepopulate bl ...) NOT-FOR-US: Webform module for Drupal CVE-2015-1620 RESERVED CVE-2015-1619 (Cross-site scripting (XSS) vulnerability in the Secure Web Mail Client ...) NOT-FOR-US: McAfee Email Gateway CVE-2015-1618 (The ePO extension in McAfee Data Loss Prevention Endpoint (DLPe) befor ...) NOT-FOR-US: McAfee Data Loss Prevention Endpoint CVE-2015-1617 (Cross-site scripting (XSS) vulnerability in the ePO extension in McAfe ...) NOT-FOR-US: McAfee Data Loss Prevention Endpoint CVE-2015-1616 (SQL injection vulnerability in the ePO extension in McAfee Data Loss P ...) NOT-FOR-US: McAfee Data Loss Prevention Endpoint CVE-2015-1615 RESERVED CVE-2015-1613 (RhodeCode before 2.2.7 allows remote authenticated users to obtain API ...) NOT-FOR-US: RhodeCode CVE-2015-1612 (OpenFlow plugin for OpenDaylight before Helium SR3 allows remote attac ...) NOT-FOR-US: OpenDaylight CVE-2015-1611 (OpenFlow plugin for OpenDaylight before Helium SR3 allows remote attac ...) NOT-FOR-US: OpenDaylight CVE-2015-1610 (hosttracker in OpenDaylight l2switch allows remote attackers to change ...) NOT-FOR-US: OpenDaylight CVE-2015-1609 (MongoDB before 2.4.13 and 2.6.x before 2.6.8 allows remote attackers t ...) - mongodb 1:2.4.10-5 (bug #780129) [wheezy] - mongodb (BSONElement::validate() checks length, problematic code introduced later) [squeeze] - mongodb (BSONElement::validate() checks length (db/jsobj.cpp +589)) NOTE: https://jira.mongodb.org/browse/SERVER-17264 NOTE: Fast bson validate introduced with https://github.com/mongodb/mongo/commit/6889d1658136c753998b4a408dc8d1a3ec28e3b9 (r2.3.2) CVE-2015-1608 (Topline Opportunity Form (aka XLS Opp form) before 2015-02-15 does not ...) NOT-FOR-US: Topline Opportunity Form CVE-2015-1605 (Multiple SQL injection vulnerabilities in Dell ScriptLogic Asset Manag ...) NOT-FOR-US: Dell ScriptLogic Asset Manager CVE-2015-1602 (Siemens SIMATIC STEP 7 (TIA Portal) 12 and 13 before 13 SP1 Upd1 impro ...) NOT-FOR-US: Siemens CVE-2015-1601 (Siemens SIMATIC STEP 7 (TIA Portal) 12 and 13 before 13 SP1 Upd1 allow ...) NOT-FOR-US: Siemens CVE-2015-1599 (The Siemens SPCanywhere application for iOS allows physically proximat ...) NOT-FOR-US: Siemens SPCanywhere application for iOS CVE-2015-1598 (The Siemens SPCanywhere application for Android does not properly stor ...) NOT-FOR-US: Siemens SPCanywhere application for Android CVE-2015-1597 (The Siemens SPCanywhere application for Android does not use encryptio ...) NOT-FOR-US: Siemens SPCanywhere application for Android CVE-2015-1596 (The Siemens SPCanywhere application for Android and iOS does not prope ...) NOT-FOR-US: Siemens SPCanywhere application for Android CVE-2015-1595 (The Siemens SPCanywhere application for Android and iOS does not use e ...) NOT-FOR-US: Siemens SPCanywhere application for Android CVE-2015-1594 (Untrusted search path vulnerability in Siemens SIMATIC ProSave before ...) NOT-FOR-US: Siemens CVE-2013-7427 RESERVED CVE-2012-6688 RESERVED CVE-2015-XXXX [incorrect memory management in Gtk2::Gdk::Display::list_devices] - libgtk2-perl 2:1.2492-4 [wheezy] - libgtk2-perl 2:1.244-1+deb7u1 [squeeze] - libgtk2-perl 2:1.222-1+deb6u1 NOTE: wheezy/squeeze tagged entry as workaround/reminder for when CVE is assigned NOTE: CVE needs to be added to data/D[SL]A/list NOTE: https://mail.gnome.org/archives/gtk-perl-list/2015-January/msg00039.html NOTE: https://bugs.mageia.org/show_bug.cgi?id=15173 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/20/14 CVE-2015-XXXX [Linux ASLR mmap weakness: Reducing entropy by half] - linux 4.0.2-1 [jessie] - linux 3.16.7-ckt17-1 [wheezy] - linux 3.2.71-1 - linux-2.6 [squeeze] - linux-2.6 (powerpc not supported in Squeeze LTS) NOTE: http://hmarco.org/bugs/linux-ASLR-reducing-mmap-by-half.html NOTE: arm64 affected from v3.7 to v3.18 (fixed in 3.16.7-ckt12) NOTE: powerpc affected from v2.6.30 to 3.2 (pending for 3.2.70) NOTE: Fix for arm64: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d6c763afab NOTE: Fix for ppc: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?fa8cbaaf5a68 CVE-2015-2060 (cabextract before 1.6 does not properly check for leading slashes when ...) - cabextract 1.6-1 (bug #778753) [jessie] - cabextract (Minor issue) [wheezy] - cabextract (Minor issue) [squeeze] - cabextract (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/02/18/3 NOTE: Upstream commit: http://sourceforge.net/p/libmspack/code/217 NOTE: CVE assigned for issue were path traversal occurs because the unpatched NOTE: code does neither of the following: 1) checking for slashes after decoding NOTE: 2) checking for ordinary slashes before decoding and prohibiting overlong NOTE: encodings CVE-2015-2297 (nanohttp in libcsoap allows remote attackers to cause a denial of serv ...) - libcsoap (bug #778599) [squeeze] - libcsoap (Minor issue) [wheezy] - libcsoap (Minor issue) NOTE: CVE assigned only for the null pointer dereference, not all issues in NOTE: http://www.openwall.com/lists/oss-security/2015/02/17/2 CVE-2014-9684 (OpenStack Image Registry and Delivery Service (Glance) 2014.2 through ...) - glance (Only affects 2014.2.x releases, only present in experimental) [wheezy] - glance (Vulnerable code not present) NOTE: https://review.openstack.org/#/c/122427/ CVE-2014-9683 (Off-by-one error in the ecryptfs_decode_from_filename function in fs/e ...) {DSA-3170-1 DLA-246-1} - linux 3.16.7-ckt4-1 - linux-2.6 NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=942080643bce061c3dd9d5718d3b745dcb39a8bc (v3.19-rc1) CVE-2013-7436 (noVNC before 0.5 does not set the secure flag for a cookie in an https ...) - novnc 1:0.4+dfsg+1+20131010+gitf68af8af3d-4 (bug #778618) [wheezy] - novnc (Only an issue in combination with later OpenStack components) NOTE: https://github.com/kanaka/noVNC/commit/ad941faddead705cd611921730054767a0b32dcd NOTE: http://www.openwall.com/lists/oss-security/2015/02/17/1 CVE-2015-2091 (The authentication hook (mgs_hook_authz) in mod-gnutls 0.5.10 and earl ...) {DSA-3177-1 DLA-170-1} - mod-gnutls 0.6-1.3 (bug #578663) NOTE: https://github.com/airtower-luna/mod_gnutls/commit/5a8a32bbfb8a83fe6358c5c31c443325a7775fc2 CVE-2009-5144 (mod-gnutls does not validate client certificates when "GnuTLSClientVer ...) - mod-gnutls 0.5.6-1 (bug #578663) NOTE: http://issues.outoforder.cc/view.php?id=93 CVE-2014-9682 (The dns-sync module before 0.1.1 for node.js allows context-dependent ...) NOT-FOR-US: node-dns-sync CVE-2014-XXXX [more to CVE-2014-6585] [experimental] - icu 55.1-1 - icu 52.1-10 (low; bug #778511) [jessie] - icu 52.1-8+deb8u2 [wheezy] - icu 4.8.1.1-12+deb7u3 [squeeze] - icu (All relevant changes already applied) NOTE: Patch: http://bugs.icu-project.org/trac/changeset/37086 NOTE: icu_4.4.1-8+squeeze3 already has the full patch except for the changes in source/layout/ContextualSubstSubtables.cpp which are commented out anyway... and the remaining if test is probably only meaningful when the backtrackClassArray call is uncommented. CVE-2015-1614 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Imag ...) NOT-FOR-US: WordPress plugin image-metadata-cruncher CVE-2015-1607 (kbx/keybox-search.c in GnuPG before 1.4.19, 2.0.x before 2.0.27, and 2 ...) [experimental] - gnupg2 2.1.2-1 - gnupg2 2.0.26-5 (bug #778577) [wheezy] - gnupg2 (Minor issue) [squeeze] - gnupg2 (Minor issue) - gnupg 1.4.18-7 (bug #778652) [wheezy] - gnupg (Too intrusive to backport; minor issue) [squeeze] - gnupg (Too intrusive to backport; minor issue) NOTE: https://blog.fuzzing-project.org/5-Multiple-issues-in-GnuPG-found-through-keyring-fuzzing-TFPA-0012015.html NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2183683bd633818dd031b090b5530951de76f392 CVE-2015-1606 (The keyring DB in GnuPG before 2.1.2 does not properly handle invalid ...) {DSA-3184-1 DLA-175-1} [experimental] - gnupg2 2.1.2-1 - gnupg2 2.0.26-5 (bug #778577) [wheezy] - gnupg2 (Minor issue) [squeeze] - gnupg2 (Minor issue) - gnupg 1.4.18-7 (bug #778652) [squeeze] - gnupg (Minor issue) NOTE: https://blog.fuzzing-project.org/5-Multiple-issues-in-GnuPG-found-through-keyring-fuzzing-TFPA-0012015.html NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=f0f71a721ccd7ab9e40b8b6b028b59632c0cc648 CVE-2015-1604 (Unrestricted file upload vulnerability in asys/site/files.php in Admin ...) NOT-FOR-US: Landsknecht Adminsystems CVE-2015-1603 (Multiple cross-site scripting (XSS) vulnerabilities in Adminsystems CM ...) NOT-FOR-US: Landsknecht Adminsystems CVE-2015-1600 (Information disclosure vulnerability in Netatmo Indoor Module firmware ...) NOT-FOR-US: Netatmo Weather Station CVE-2015-1588 (Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange Se ...) NOT-FOR-US: Open-Xchange CVE-2015-1587 (Unrestricted file upload vulnerability in file_to_index.php in Maarch ...) NOT-FOR-US: Maarch LetterBox CVE-2015-1586 RESERVED CVE-2015-1585 (Fat Free CRM before 0.13.6 allows remote attackers to conduct cross-si ...) NOT-FOR-US: Fat Free CRM CVE-2015-1584 RESERVED CVE-2015-1583 (Multiple cross-site request forgery (CSRF) vulnerabilities in ATutor 2 ...) NOT-FOR-US: ATutor CVE-2015-1582 (Multiple cross-site scripting (XSS) vulnerabilities in the Spider Face ...) NOT-FOR-US: Spider Facebook plugin for WordPress CVE-2015-1581 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Mobi ...) NOT-FOR-US: Mobile Domain plugin for WordPress CVE-2015-1580 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Redi ...) NOT-FOR-US: Redirection Page plugin for WordPress CVE-2015-1579 (Directory traversal vulnerability in the Elegant Themes Divi theme for ...) NOT-FOR-US: Elegant Themes Divi theme for WordPress CVE-2015-1578 (Multiple open redirect vulnerabilities in u5CMS before 3.9.4 allow rem ...) NOT-FOR-US: u5CMS CVE-2015-1577 (Directory traversal vulnerability in u5admin/deletefile.php in u5CMS b ...) NOT-FOR-US: u5CMS CVE-2015-1576 (Multiple SQL injection vulnerabilities in u5CMS before 3.9.4 allow rem ...) NOT-FOR-US: u5CMS CVE-2015-1575 (Multiple cross-site scripting (XSS) vulnerabilities in u5CMS before 3. ...) NOT-FOR-US: u5CMS CVE-2015-1574 (The Google Email application 4.2.2.0200 for Android allows remote atta ...) NOT-FOR-US: Google Email application for Android CVE-2013-7425 RESERVED CVE-2014-9678 (FlexPaperViewer.swf in Flexpaper before 2.3.1 allows remote attackers ...) NOT-FOR-US: FlexPaper CVE-2014-9677 (Cross-site scripting (XSS) vulnerability in FlexPaperViewer.swf in Fle ...) NOT-FOR-US: FlexPaper CVE-2015-1593 (The stack randomization feature in the Linux kernel before 3.19.1 on 6 ...) {DSA-3170-1 DLA-155-1} - linux 3.16.7-ckt7-1 - linux-2.6 NOTE: http://hmarco.org/bugs/linux-ASLR-integer-overflow.html NOTE: https://lkml.org/lkml/2015/2/14/61 CVE-2015-1592 (Movable Type Pro, Open Source, and Advanced before 5.2.12 and Pro and ...) {DSA-3183-1} - movabletype-opensource [squeeze] - movabletype-opensource (Not supported in Squeeze LTS) NOTE: https://movabletype.org/news/2015/02/movable_type_607_and_5212_released_to_close_security_vulnera.html NOTE: http://www.openwall.com/lists/oss-security/2015/02/12/2 CVE-2015-1572 (Heap-based buffer overflow in closefs.c in the libext2fs library in e2 ...) {DSA-3166-1 DLA-162-1} - e2fsprogs 1.42.12-1.1 (bug #778948) NOTE: https://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=49d0fe2a14f2a23da2fe299643379b8c1d37df73 CVE-2015-1571 (** DISPUTED ** The CAPWAP DTLS protocol implementation in Fortinet For ...) NOT-FOR-US: Fortinet FortiOS CVE-2015-1570 (The Endpoint Control protocol implementation in Fortinet FortiClient 5 ...) NOT-FOR-US: Fortinet FortiClient CVE-2015-1569 (Fortinet FortiClient 5.2.028 for iOS does not validate certificates, w ...) NOT-FOR-US: Fortinet FortiClient CVE-2015-2305 (Integer overflow in the regcomp implementation in the Henry Spencer BS ...) {DSA-3195-1 DLA-444-1 DLA-233-1} - php5 5.6.6+dfsg-1 (low; bug #778389) - olsrd (only when building on Android, see bug #778390) - llvm-toolchain-3.4 (low; bug #778391) [jessie] - llvm-toolchain-3.4 (Minor issue) - llvm-toolchain-3.5 1:3.5.2-2 (low; bug #778392) [jessie] - llvm-toolchain-3.5 (Minor issue) - llvm-toolchain-3.6 1:3.6-1 (bug #778393) - llvm-toolchain-3.7 1:3.7~+rc3-1 - llvm-toolchain-snapshot 1:3.8~svn245286-1 (bug #778394) - haskell-regex-posix (only when building on Windows, see bug #778395) - cups (Local regex copy only used when building on Windows, see #778396) - librcsb-core-wrapper 1.005-3 (bug #778397) - openrpt (unimportant; bug #778398) - z88dk (Local regex copy only used when building on Windows, see bug #778399) - newlib 2.0.0-1 (bug #778408) [squeeze] - newlib (Minor issue) [wheezy] - newlib (Minor issue) - yap 6.2.2-3 (low; bug #778410) [jessie] - yap (Minor issue) [squeeze] - yap (Minor issue) [wheezy] - yap (Minor issue) - vnc4 4.1.1+X4.3.0+t-1 (unimportant; bug #778403) NOTE: affected code not built in vnc4, starting with 4.1.1+X4.3.0+t-1 it's a transitional package - sma (Local regex copy only used when building on Windows, see #778411) - clamav 0.98.7+dfsg-1 (unimportant; bug #778406) [jessie] - clamav 0.98.7+dfsg-0+deb8u1 [wheezy] - clamav 0.98.7+dfsg-0+deb7u1 [squeeze] - clamav 0.98.7+dfsg-0+deb6u1 NOTE: Only exploitable through virusdb updates, which need to be trusted anywaya - knews (Uses system regex code, see #778401) - radare2 0.10.5+dfsg-1 (low; bug #778402) [jessie] - radare2 (Minor issue) [wheezy] - radare2 (Minor issue) - efl (Only used when building on Windows, see #778414) - ptlib (unimportant; bug #778404) NOTE: ptlib uses the regex code from glibc, local fallback code not used - alpine (alpine uses the regex code from glibc, local fallback code not used, bug #778413) - vigor 0.016-24 (unimportant; bug #778409) [wheezy] - vigor 0.016-19+deb7u1 - nvi 1.81.6-13 (unimportant; bug #778412) NOTE: No security impact in nvi/vigor and openrpt NOTE: http://www.kb.cert.org/vuls/id/695940 NOTE: https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/ NOTE: http://www.openwall.com/lists/oss-security/2015/02/16/8 CVE-2015-XXXX [insecure storage of password in the NUT-monitor app] - nut 2.7.2-2 (low; bug #777706) [wheezy] - nut (Minor issue) [squeeze] - nut (Minor issue) CVE-2015-1881 (OpenStack Image Registry and Delivery Service (Glance) 2014.2 through ...) - glance (Only affects 2014.2.x releases, only present in experimental) [wheezy] - glance (Vulnerable code not present) NOTE: https://review.openstack.org/#/c/156553 CVE-2015-1877 [command injection vulnerability] RESERVED {DSA-3165-1 DLA-217-1} - xdg-utils 1.1.0~rc1+git20111210-7.4 (bug #777722) CVE-2015-1568 (Cross-site request forgery (CSRF) vulnerability in the GD Infinite Scr ...) NOT-FOR-US: Drupal module GD Infinite Scroll CVE-2015-1567 (Cross-site scripting (XSS) vulnerability in the admin page in the GD I ...) NOT-FOR-US: Drupal module GD Infinite Scroll CVE-2015-1566 (Cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) before 7. ...) NOT-FOR-US: DotNetNuke CVE-2015-1565 (Cross-site scripting (XSS) vulnerability in the online help in Hitachi ...) NOT-FOR-US: Hitachi CVE-2015-1564 (Cross-site scripting (XSS) vulnerability in style-underground/search i ...) NOT-FOR-US: Plain Black WebGUI CVE-2015-1562 (Multiple cross-site scripting (XSS) vulnerabilities in Saurus CMS 4.7. ...) NOT-FOR-US: Saurus CMS CVE-2015-1561 (The escape_command function in include/Administration/corePerformance/ ...) - centreon-web (bug #913903) CVE-2015-1560 (SQL injection vulnerability in the isUserAdmin function in include/com ...) - centreon-web (bug #913903) CVE-2015-1559 (Multiple cross-site request forgery (CSRF) vulnerabilities in administ ...) NOT-FOR-US: Epignosis eFront CVE-2015-1557 RESERVED CVE-2015-1556 RESERVED CVE-2015-1555 (Zend/Session/SessionManager in Zend Framework 2.2.x before 2.2.9, 2.3. ...) - zendframework (Vulnerable code not present) NOTE: http://framework.zend.com/security/advisory/ZF2015-01 CVE-2015-1553 RESERVED CVE-2015-1552 RESERVED CVE-2015-1551 (Directory traversal vulnerability in Aruba Networks ClearPass Policy M ...) NOT-FOR-US: Aruba Networks CPPM CVE-2015-1550 (Directory traversal vulnerability in Aruba Networks ClearPass Policy M ...) NOT-FOR-US: Aruba Networks CPPM CVE-2015-1549 RESERVED CVE-2015-1548 (mini_httpd 1.21 and earlier allows remote attackers to obtain sensitiv ...) - mini-httpd 1.21-1 (bug #778925) [squeeze] - mini-httpd (Minor issue) [wheezy] - mini-httpd (Minor issue) CVE-2015-1544 RESERVED CVE-2015-1543 RESERVED CVE-2015-1542 RESERVED CVE-2015-1541 (The AppWidgetServiceImpl implementation in com/android/server/appwidge ...) NOT-FOR-US: Android CVE-2015-1540 RESERVED CVE-2015-1539 (Multiple integer underflows in the ESDS::parseESDescriptor function in ...) NOT-FOR-US: libstagefright in Android CVE-2015-1538 (Integer overflow in the SampleTable::setSampleToChunkParams function i ...) NOT-FOR-US: libstagefright in Android CVE-2015-1537 (Integer overflow in IHDCP.cpp in the media_server component in Android ...) NOT-FOR-US: Android CVE-2015-1536 (Integer overflow in the Bitmap_createFromParcel function in core/jni/a ...) NOT-FOR-US: Android CVE-2015-1535 RESERVED CVE-2015-1534 RESERVED CVE-2015-1533 RESERVED CVE-2015-1532 RESERVED CVE-2015-1531 RESERVED CVE-2015-1530 (media/libmedia/IAudioPolicyService.cpp in Android before 5.1 allows at ...) NOT-FOR-US: Android CVE-2015-1529 (Integer overflow in soundtrigger/ISoundTriggerHwService.cpp in Android ...) NOT-FOR-US: Android CVE-2015-1528 (Integer overflow in the native_handle_create function in libcutils/nat ...) NOT-FOR-US: Android CVE-2015-1527 (Integer overflow in IAudioPolicyService.cpp in Android allows local us ...) NOT-FOR-US: Android CVE-2015-1526 (The media_server component in Android allows remote attackers to cause ...) NOT-FOR-US: Android CVE-2015-1525 (audio/AudioPolicyManagerBase.cpp in Android before 5.1 allows attacker ...) NOT-FOR-US: Android CVE-2015-1524 RESERVED CVE-2015-1523 RESERVED CVE-2015-1522 (analyzer/protocol/dnp3/DNP3.cc in Bro before 2.3.2 does not reject cer ...) - bro 2.3.2+dfsg-1 CVE-2015-1521 (analyzer/protocol/dnp3/DNP3.cc in Bro before 2.3.2 does not properly h ...) - bro 2.3.2+dfsg-1 CVE-2015-1520 RESERVED CVE-2015-1519 RESERVED CVE-2015-1518 (SQL injection vulnerability in the search_post function in includes/se ...) NOT-FOR-US: Redaxscript CVE-2015-1517 (SQL injection vulnerability in Piwigo before 2.7.4, when all filters a ...) - piwigo [squeeze] - piwigo (Unsupported in squeeze-lts) NOTE: Request to mark the package as unsupported in #779104 CVE-2015-1516 (Cross-site scripting (XSS) vulnerability in Polycom RealPresence Cloud ...) NOT-FOR-US: Polycom CVE-2015-1515 (The dwall.sys driver in SoftSphere DefenseWall Personal Firewall 3.24 ...) NOT-FOR-US: SoftSphere CVE-2015-1514 (Multiple SQL injection vulnerabilities in FancyFon FAMOC before 3.17.4 ...) NOT-FOR-US: FancyFon FAMOC CVE-2015-1513 (SQL injection vulnerability in SIPhone Enterprise PBX allows remote at ...) NOT-FOR-US: SIPhone Enterprise PBX CVE-2015-1512 (Multiple cross-site scripting (XSS) vulnerabilities in FancyFon FAMOC ...) NOT-FOR-US: FancyFon FAMOC CVE-2015-1511 RESERVED CVE-2015-1510 RESERVED CVE-2015-1509 RESERVED CVE-2015-1508 RESERVED CVE-2015-1507 RESERVED CVE-2015-1506 RESERVED CVE-2015-1505 RESERVED CVE-2015-1504 RESERVED CVE-2015-1503 (Multiple directory traversal vulnerabilities in IceWarp Mail Server be ...) NOT-FOR-US: Icewarp mail server CVE-2015-1502 RESERVED CVE-2015-1501 (The factory.loadExtensionFactory function in TSUnicodeGraphEditorContr ...) NOT-FOR-US: SolarWinds CVE-2015-1500 (Multiple stack-based buffer overflows in the TSUnicodeGraphEditorContr ...) NOT-FOR-US: SolarWinds CVE-2015-1499 (The ActiveMQ Broker in Samsung Security Manager (SSM) before 1.31 allo ...) NOT-FOR-US: Samsung Security Manager CVE-2015-1498 (Persistent Systems Radia Client Automation does not properly restrict ...) NOT-FOR-US: Persistent Systems Radia Client Automation CVE-2015-1497 (radexecd.exe in Persistent Systems Radia Client Automation (RCA) 7.9, ...) NOT-FOR-US: Persistent Systems Radia Client Automation CVE-2015-1496 (Motorola Scanner SDK uses weak permissions for (1) CoreScanner.exe, (2 ...) NOT-FOR-US: Motorola Scanner SDK CVE-2015-1495 (Multiple stack-based buffer overflows in Motorola Scanner SDK allow re ...) NOT-FOR-US: Motorola Scanner SDK CVE-2015-1494 (The FancyBox for WordPress plugin before 3.0.3 for WordPress does not ...) NOT-FOR-US: FancyBox plugin for WordPress CVE-2015-1492 (Untrusted search path vulnerability in the client in Symantec Endpoint ...) NOT-FOR-US: Symantec CVE-2015-1491 (SQL injection vulnerability in the management console in Symantec Endp ...) NOT-FOR-US: Symantec CVE-2015-1490 (Directory traversal vulnerability in the management console in Symante ...) NOT-FOR-US: Symantec CVE-2015-1489 (The management console in Symantec Endpoint Protection Manager (SEPM) ...) NOT-FOR-US: Symantec CVE-2015-1488 (An unspecified action handler in the management console in Symantec En ...) NOT-FOR-US: Symantec CVE-2015-1487 (The management console in Symantec Endpoint Protection Manager (SEPM) ...) NOT-FOR-US: Symantec CVE-2015-1486 (The management console in Symantec Endpoint Protection Manager (SEPM) ...) NOT-FOR-US: Symantec CVE-2015-1485 (Cross-site request forgery (CSRF) vulnerability in the administration ...) NOT-FOR-US: Enforce Server in Symantec Data Loss Prevention CVE-2015-1484 (Unquoted Windows search path vulnerability in the agent in Symantec Wo ...) NOT-FOR-US: Symantec Workspace Streaming CVE-2015-1483 (Symantec NetBackup OpsCenter 7.6.0.2 through 7.6.1 on Linux and UNIX a ...) NOT-FOR-US: Symantec NetBackup OpsCenter CVE-2014-9676 (The seg_write_packet function in libavformat/segment.c in ffmpeg 2.1.4 ...) {DLA-464-1} - ffmpeg (Vulnerable code not present in a ffmpeg version in the archive) - libav 6:11.2-1 NOTE: Patch in http://www.openwall.com/lists/oss-security/2015/01/04/10 seem to apply for libav NOTE: ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=169065fbfb3da1ab776379c333aebc54bb1f1bc4 NOTE: libav: https://git.libav.org/?p=libav.git;a=commit;h=b3f04657368a32a9903406395f865e230b1de348 NOTE: http://www.openwall.com/lists/oss-security/2015/01/04/10 CVE-2014-9675 (bdf/bdflib.c in FreeType before 2.5.4 identifies property names by onl ...) {DSA-3188-1 DLA-185-1} - freetype 2.5.2-3 (bug #777656) NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=2c4832d30939b45c05757f0a05128ce64c4cacc7 NOTE: https://code.google.com/p/google-security-research/issues/detail?id=151 CVE-2014-9674 (The Mac_Read_POST_Resource function in base/ftobjs.c in FreeType befor ...) {DSA-3461-1 DLA-185-1} - freetype 2.5.2-3 (bug #777656) NOTE: http://code.google.com/p/google-security-research/issues/detail?id=153 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=240c94a185cd8dae7d03059abec8a5662c35ecd3 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=cd4a5a26e591d01494567df9dec7f72d59551f6e CVE-2014-9673 (Integer signedness error in the Mac_Read_POST_Resource function in bas ...) {DSA-3188-1 DLA-185-1} - freetype 2.5.2-3 (bug #777656) NOTE: http://code.google.com/p/google-security-research/issues/detail?id=154 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=35252ae9aa1dd9343e9f4884e9ddb1fee10ef415 CVE-2014-9672 (Array index error in the parse_fond function in base/ftmac.c in FreeTy ...) {DSA-3188-1 DLA-185-1} - freetype 2.5.2-3 (bug #777656) NOTE: http://code.google.com/p/google-security-research/issues/detail?id=155 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=18a8f0d9943369449bc4de92d411c78fb08d616c CVE-2014-9671 (Off-by-one error in the pcf_get_properties function in pcf/pcfread.c i ...) {DSA-3188-1 DLA-185-1} - freetype 2.5.2-3 (bug #777656) NOTE: http://code.google.com/p/google-security-research/issues/detail?id=157 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0e2f5d518c60e2978f26400d110eff178fa7e3c3 CVE-2014-9670 (Multiple integer signedness errors in the pcf_get_encodings function i ...) {DSA-3188-1 DLA-185-1} - freetype 2.5.2-3 (bug #777656) NOTE: http://code.google.com/p/google-security-research/issues/detail?id=158 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=ef1eba75187adfac750f326b563fe543dd5ff4e6 CVE-2014-9669 (Multiple integer overflows in sfnt/ttcmap.c in FreeType before 2.5.4 a ...) {DSA-3188-1 DLA-185-1} - freetype 2.5.2-3 (bug #777656) NOTE: http://code.google.com/p/google-security-research/issues/detail?id=163 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=602040b1112c9f94d68e200be59ea7ac3d104565 CVE-2014-9668 (The woff_open_font function in sfnt/sfobjs.c in FreeType before 2.5.4 ...) - freetype 2.5.2-3 (bug #777656) [wheezy] - freetype (Vulnerable code not present) [squeeze] - freetype (Vulnerable code not present) NOTE: http://code.google.com/p/google-security-research/issues/detail?id=164 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f46add13895337ece929b18bb8f036431b3fb538 CVE-2014-9667 (sfnt/ttload.c in FreeType before 2.5.4 proceeds with offset+length cal ...) {DSA-3188-1 DLA-185-1} - freetype 2.5.2-3 (bug #777656) NOTE: http://code.google.com/p/google-security-research/issues/detail?id=166 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=677ddf4f1dc1b36cef7c7ddd59a14c508f4b1891 CVE-2014-9666 (The tt_sbit_decoder_init function in sfnt/ttsbit.c in FreeType before ...) {DSA-3188-1 DLA-185-1} - freetype 2.5.2-3 (bug #777656) NOTE: http://code.google.com/p/google-security-research/issues/detail?id=167 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=257c270bd25e15890190a28a1456e7623bba4439 CVE-2014-9665 (The Load_SBit_Png function in sfnt/pngshim.c in FreeType before 2.5.4 ...) {DLA-185-1} - freetype 2.5.2-3 (bug #777656) [wheezy] - freetype (Vulnerable code not present) [squeeze] - freetype (Vulnerable code not present) NOTE: http://code.google.com/p/google-security-research/issues/detail?id=168 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=54abd22891bd51ef8b533b24df53b3019b5cee81 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=b3500af717010137046ec4076d1e1c0641e33727 CVE-2014-9664 (FreeType before 2.5.4 does not check for the end of the data during ce ...) {DSA-3188-1 DLA-185-1} - freetype 2.5.2-3 (bug #777656) NOTE: http://code.google.com/p/google-security-research/issues/detail?id=183 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=73be9f9ab67842cfbec36ee99e8d2301434c84ca NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=dd89710f0f643eb0f99a3830e0712d26c7642acd CVE-2014-9663 (The tt_cmap4_validate function in sfnt/ttcmap.c in FreeType before 2.5 ...) {DSA-3188-1 DLA-185-1} - freetype 2.5.2-3 (bug #777656) NOTE: http://code.google.com/p/google-security-research/issues/detail?id=184 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=9bd20b7304aae61de5d50ac359cf27132bafd4c1 CVE-2014-9662 (cff/cf2ft.c in FreeType before 2.5.4 does not validate the return valu ...) - freetype 2.5.2-3 (bug #777656) [wheezy] - freetype (Vulnerable code not present) [squeeze] - freetype (Vulnerable code not present) NOTE: http://code.google.com/p/google-security-research/issues/detail?id=185 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=5f201ab5c24cb69bc96b724fd66e739928d6c5e2 CVE-2014-9661 (type42/t42parse.c in FreeType before 2.5.4 does not consider that scan ...) {DSA-3188-1 DLA-185-1} - freetype 2.5.2-3 (bug #777656) NOTE: http://code.google.com/p/google-security-research/issues/detail?id=187 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=3788187e0c396952cd7d905c6c61f3ff8e84b2b4 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=42fcd6693ec7bd6ffc65ddc63e74287a65dda669 CVE-2014-9660 (The _bdf_parse_glyphs function in bdf/bdflib.c in FreeType before 2.5. ...) {DSA-3188-1 DLA-185-1} - freetype 2.5.2-3 (bug #777656) NOTE: http://code.google.com/p/google-security-research/issues/detail?id=188 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=af8346172a7b573715134f7a51e6c5c60fa7f2ab CVE-2014-9659 (cff/cf2intrp.c in the CFF CharString interpreter in FreeType before 2. ...) - freetype 2.5.2-3 (bug #777656; bug #773084) [wheezy] - freetype (vulnerable code not present and thus incomplete fix not applied as well) [squeeze] - freetype (vulnerable code not present and thus incomplete fix not applied as well) NOTE: https://savannah.nongnu.org/bugs/?43661 NOTE: http://code.google.com/p/google-security-research/issues/detail?id=190 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=2cdc4562f873237f1c77d43540537c7a721d3fd8 NOTE: CVE due to incomplete fix for CVE-2014-2240 CVE-2014-9658 (The tt_face_load_kern function in sfnt/ttkern.c in FreeType before 2.5 ...) {DSA-3188-1 DLA-185-1} - freetype 2.5.2-3 (bug #777656) NOTE: http://code.google.com/p/google-security-research/issues/detail?id=194 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f70d9342e65cd2cb44e9f26b6d7edeedf191fc6c CVE-2014-9657 (The tt_face_load_hdmx function in truetype/ttpload.c in FreeType befor ...) {DSA-3188-1 DLA-185-1} - freetype 2.5.2-3 (bug #777656) NOTE: http://code.google.com/p/google-security-research/issues/detail?id=195 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=eca0f067068020870a429fe91f6329e499390d55 CVE-2014-9656 (The tt_sbit_decoder_load_image function in sfnt/ttsbit.c in FreeType b ...) {DSA-3188-1 DLA-185-1} - freetype 2.5.2-3 (bug #777656) NOTE: http://code.google.com/p/google-security-research/issues/detail?id=196 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f0292bb9920aa1dbfed5f53861e7c7a89b35833a CVE-2014-9679 (Integer underflow in the cupsRasterReadPixels function in filter/raste ...) {DSA-3172-1 DLA-159-1} [experimental] - cups 2.0.2-1 - cups 1.7.5-11 (bug #778387) NOTE: Marked with [experimental] tag as the fix is only in experimental so far NOTE: Switch this to regular fixed version once the fix is in unstable NOTE: https://www.cups.org/strfiles.php/3438/str4551.patch NOTE: http://www.openwall.com/lists/oss-security/2015/02/10/15 CVE-2015-1573 (The nft_flush_table function in net/netfilter/nf_tables_api.c in the L ...) - linux (Vulnerable code introduced in v3.18-rc1, never in the archive outside of experimental) NOTE: Fixed by https://git.kernel.org/cgit/linux/kernel/git/pablo/nf.git/commit/?id=a2f18db0c68fec96631c10cad9384c196e9008ac (v3.19-rc5) NOTE: Introduced by http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b9ac12ef099707f405d7478009564302d7ed8393 (v3.18-rc1) NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=91441 CVE-2015-2046 (Cross-site scripting (XSS) vulnerability in MantisBT 1.2.13 and later ...) - mantis [wheezy] - mantis (Minor issue) [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: Upstream patch: https://github.com/mantisbt/mantisbt/commit/6defeed5 (1.2.x) NOTE: https://www.mantisbt.org/bugs/view.php?id=19301 NOTE: http://www.openwall.com/lists/oss-security/2015/02/09/10 NOTE: CVE for specific portion of the original May 2014 adm_config_report.php discovery NOTE: that remains present in version 1.2.18 and 1.2.19 CVE-2015-XXXX [fails to detect silent driver failure to change MAC] - macchanger 1.7.0-5.3 (bug #774898) [wheezy] - macchanger (Minor issue) [squeeze] - macchanger (Minor issue) CVE-2015-9101 (The fill_buffer_resample function in util.c in libmp3lame.a in LAME 3. ...) - lame 3.99.5+repack1-6 (bug #777161) [wheezy] - lame 3.99.5+repack1-3+deb7u1 [squeeze] - lame (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/02/12/8 CVE-2015-9100 (The fill_buffer_resample function in util.c in libmp3lame.a in LAME 3. ...) - lame 3.99.5+repack1-6 (bug #777160) [wheezy] - lame 3.99.5+repack1-3+deb7u1 [squeeze] - lame (minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/02/12/8 CVE-2015-9099 (The lame_init_params function in lame.c in libmp3lame.a in LAME 3.99.5 ...) - lame 3.99.5+repack1-6 (bug #775959) [wheezy] - lame 3.99.5+repack1-3+deb7u1 [squeeze] - lame (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/02/12/8 CVE-2015-XXXX [denial of service under memory stress] - libhtp 1:0.5.25-1 (bug #777522) [squeeze] - libhtp (Minor issue) [wheezy] - libhtp (Minor issue) NOTE: https://github.com/inliniac/libhtp/commit/c7c03843cd6b1cbf44eb435d160ba53aec948828 CVE-2014-9681 REJECTED CVE-2014-9680 (sudo before 1.8.12 does not ensure that the TZ environment variable is ...) {DSA-3167-1 DLA-160-1} - sudo 1.8.12-1 (bug #772707) [jessie] - sudo 1.8.10p3-1+deb8u2 NOTE: http://www.openwall.com/lists/oss-security/2014/10/15/24 NOTE: http://www.sudo.ws/repos/sudo/rev/650ac6938b59 (1.8.x) NOTE: http://www.sudo.ws/repos/sudo/rev/ac1467f71ac0 (typos) NOTE: http://www.sudo.ws/repos/sudo/rev/91859f613b88 (description) NOTE: http://www.sudo.ws/repos/sudo/rev/579b02f0dbe0 (improved description) NOTE: http://www.openwall.com/lists/oss-security/2015/02/09/12 CVE-2015-2058 (c2s/c2s.c in Jabber Open Source Server 2.3.2 and earlier truncates dat ...) - jabberd2 2.3.3-1 (bug #779154) NOTE: https://github.com/jabberd2/jabberd2/issues/85 NOTE: http://www.openwall.com/lists/oss-security/2015/02/09/13 CVE-2015-2059 (The stringprep_utf8_to_ucs4 function in libin before 1.31, as used in ...) {DSA-3578-1 DLA-476-1 DLA-277-1} - libidn 1.31-1 (medium) NOTE: http://www.openwall.com/lists/oss-security/2015/02/23/25 NOTE: Patch: http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=2e97c2796581c27213962c77f5a8571a598f9a2e NOTE: This could be attributed to a misuse of a (poorly documented) API NOTE: but since upstream provided a patch it makes more sense to fix NOTE: only libidn instead of every application using it CVE-2015-1545 (The deref_parseCtrl function in servers/slapd/overlays/deref.c in Open ...) {DSA-3209-1 DLA-203-1} - openldap 2.4.40-4 (bug #776988) [wheezy] - openldap (Minor issue) [squeeze] - openldap (Minor issue) NOTE: http://www.openldap.org/its/?findid=8027 NOTE: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=c32e74763f77675b9e144126e375977ed6dc562c CVE-2015-1546 (Double free vulnerability in the get_vrFilter function in servers/slap ...) - openldap 2.4.40-4 (bug #776991) [wheezy] - openldap (Regression introduced in 2.4.40) [squeeze] - openldap (Regression introduced in 2.4.40) NOTE: http://www.openldap.org/its/?findid=8046 NOTE: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=2f1a2dd329b91afe561cd06b872d09630d4edb6a CVE-2014-XXXX [RPATH set to untrusted directory] [experimental] - noise (bug #759868) CVE-2013-XXXX [TOCTOU race when expanding JAR files] - libbluray 0.7.0-1 (unimportant) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/06/9 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=959433 NOTE: libbluray is only in wheezy and later and the issue is neutered by the kernel hardening for /tmp NOTE: Affected code removed in 0.7.0-1 CVE-2013-7437 (Multiple integer overflows in potrace 1.11 allow remote attackers to c ...) {DLA-675-1} - potrace 1.12-1 (bug #778646) [squeeze] - potrace (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=955808 NOTE: http://www.openwall.com/lists/oss-security/2015/02/06/12 CVE-2015-2785 (The GIF encoder in Byzanz allows remote attackers to cause a denial of ...) - byzanz (unimportant; bug #778261) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=852481 NOTE: http://www.openwall.com/lists/oss-security/2015/02/06/11 NOTE: Only applies to debug recordings, negligable security impact CVE-2012-6689 (The netlink_sendmsg function in net/netlink/af_netlink.c in the Linux ...) {DLA-246-1} - linux 3.6.4-1 [wheezy] - linux 3.2.30-1 - linux-2.6 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=848949 NOTE: http://www.openwall.com/lists/oss-security/2015/02/06/13 NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=20e1db19db5d6b9e4e83021595eab0dc8f107bef (v3.6-rc5) CVE-2012-6687 (FastCGI (aka fcgi and libfcgi) 2.4.0 allows remote attackers to cause ...) {DLA-431-1 DLA-430-1} - libfcgi 2.4.0-8.3 (bug #681591) [wheezy] - libfcgi 2.4.0-8.1+deb7u1 - libfcgi-perl 0.78-2 (bug #815840) [jessie] - libfcgi-perl 0.77-1+deb8u1 [wheezy] - libfcgi-perl (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/02/06/4 CVE-2015-8837 (Stack-based buffer overflow in the isofs_real_readdir function in isof ...) {DSA-3551-1 DLA-323-1} - fuseiso 20070708-3.2 (bug #779047) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=863091 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=862211 NOTE: http://www.openwall.com/lists/oss-security/2015/02/06/7 CVE-2015-8836 (Integer overflow in the isofs_real_read_zf function in isofs.c in Fuse ...) {DSA-3551-1 DLA-323-1} - fuseiso 20070708-3.2 (bug #779047) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=863102 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=861358 NOTE: http://www.openwall.com/lists/oss-security/2015/02/06/7 CVE-2010-XXXX [crash when parsing overly long links] - lynx-cur 2.8.8dev.4-1 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/07/2 CVE-2015-1547 (The NeXTDecode function in tif_next.c in LibTIFF allows remote attacke ...) {DSA-3273-1 DLA-610-1 DLA-221-1} - tiff 4.0.3-12.1 (bug #777390) - tiff3 NOTE: http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif NOTE: fix in https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1547 NOTE: is applied in 4.0.3-13 (but please recheck this) NOTE: Raphael Hertzog> I could not find a way to reliably use the above reproducer. No segfault. And valgrind on "xloadimage" spits lots of warnings about use of uninitialized values with a good file and with the reproducer. NOTE: Still this CVE has been added to DLA-221-1 because the patch used for CVE-2014-9655 seems to include the fix for this CVE. CVE-2015-1482 (Ansible Tower (aka Ansible UI) before 2.0.5 allows remote attackers to ...) NOT-FOR-US: Ansible Tower CVE-2015-1481 (Ansible Tower (aka Ansible UI) before 2.0.5 allows remote organization ...) NOT-FOR-US: Ansible Tower CVE-2015-1480 (ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows ...) NOT-FOR-US: ZOHO ManageEngine ServiceDesk Plus CVE-2015-1479 (SQL injection vulnerability in reports/CreateReportTable.jsp in ZOHO M ...) NOT-FOR-US: ZOHO ManageEngine ServiceDesk Plus CVE-2015-1478 (Cross-site scripting (XSS) vulnerability in the CMSJunkie J-Classified ...) NOT-FOR-US: Joomla! plugin CMSJunkie J-ClassifiedsManager CVE-2015-1477 (SQL injection vulnerability in the CMSJunkie J-ClassifiedsManager comp ...) NOT-FOR-US: Joomla! plugin CMSJunkie J-ClassifiedsManager CVE-2015-1476 (Multiple SQL injection vulnerabilities in xlinkerz ecommerceMajor allo ...) NOT-FOR-US: xlinkerz ecommerceMajor CVE-2015-1475 (Multiple cross-site scripting (XSS) vulnerabilities in my little forum ...) NOT-FOR-US: My Little Forum CVE-2015-1474 (Multiple integer overflows in the GraphicBuffer::unflatten function in ...) NOT-FOR-US: Android CVE-2015-1471 (SQL injection vulnerability in userprofile.lib.php in Pragyan CMS 3.0 ...) NOT-FOR-US: Pragyan CMS CVE-2015-1470 RESERVED CVE-2015-1469 (time.htm in the web interface on SerVision HVG Video Gateway devices w ...) NOT-FOR-US: SerVision HVG Video Gateway CVE-2015-1468 RESERVED CVE-2015-1467 (Multiple SQL injection vulnerabilities in Translations in Fork CMS bef ...) NOT-FOR-US: Fork CMS CVE-2015-1466 RESERVED CVE-2015-1464 (RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows ...) {DSA-3176-1 DLA-158-1} - request-tracker4 4.2.8-3 - request-tracker3.8 CVE-2015-1463 (ClamAV before 0.98.6 allows remote attackers to cause a denial of serv ...) {DLA-233-1} - clamav 0.98.6+dfsg-1 [wheezy] - clamav 0.98.6+dfsg-0+deb7u1 NOTE: https://github.com/vrtadmin/clamav-devel/commit/96ff19a19eba64bdf47f2f12ecdbc5ee331c09e2 CVE-2015-1462 (ClamAV before 0.98.6 allows remote attackers to have unspecified impac ...) {DLA-233-1} - clamav 0.98.6+dfsg-1 [wheezy] - clamav 0.98.6+dfsg-0+deb7u1 CVE-2015-1461 (ClamAV before 0.98.6 allows remote attackers to have unspecified impac ...) {DLA-233-1} - clamav 0.98.6+dfsg-1 [wheezy] - clamav 0.98.6+dfsg-0+deb7u1 CVE-2015-1460 (Huawei Quidway switches with firmware before V200R005C00SPC300 allows ...) NOT-FOR-US: Huawei Quidway switches CVE-2015-1459 (Cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticato ...) NOT-FOR-US: Fortinet FortiAuthenticator CVE-2015-1458 (Fortinet FortiAuthenticator 3.0.0 allows local users to bypass intende ...) NOT-FOR-US: Fortinet FortiAuthenticator CVE-2015-1457 (Fortinet FortiAuthenticator 3.0.0 allows local users to read arbitrary ...) NOT-FOR-US: Fortinet FortiAuthenticator CVE-2015-1456 (Fortinet FortiAuthenticator 3.0.0 logs the PostgreSQL usernames and pa ...) NOT-FOR-US: Fortinet FortiAuthenticator CVE-2015-1455 (Fortinet FortiAuthenticator 3.0.0 has a password of (1) slony for the ...) NOT-FOR-US: Fortinet FortiAuthenticator CVE-2015-1454 (Blue Coat ProxyClient before 3.3.3.3 and 3.4.x before 3.4.4.10 and Uni ...) NOT-FOR-US: Blue Coat ProxyClient and Unified Agent CVE-2015-1453 (The qm class in Fortinet FortiClient 5.2.3.091 for Android uses a hard ...) NOT-FOR-US: Fortinet FortiClient CVE-2015-1452 (The Control and Provisioning of Wireless Access Points (CAPWAP) daemon ...) NOT-FOR-US: Fortinet FortiOS CVE-2015-1451 (Multiple cross-site scripting (XSS) vulnerabilities in Fortinet FortiO ...) NOT-FOR-US: Fortinet FortiOS CVE-2015-1450 (SQL injection vulnerability in Restaurant Biller allows remote attacke ...) NOT-FOR-US: Restaurant Biller CVE-2015-1449 (Buffer overflow in the integrated web server on Siemens Ruggedcom WIN5 ...) NOT-FOR-US: Siemens Ruggedcom CVE-2015-1448 (The integrated management service on Siemens Ruggedcom WIN51xx devices ...) NOT-FOR-US: Siemens Ruggedcom CVE-2015-1447 RESERVED CVE-2015-1446 RESERVED CVE-2015-1445 (HTTP header injection in the httpd package in fli4l before 3.10.1 and ...) NOT-FOR-US: fli4l CVE-2015-1444 (Multiple cross-site scripting (XSS) vulnerabilities in the web adminis ...) NOT-FOR-US: fli4l CVE-2015-1443 (The httpd package in fli4l before 3.10.1 and 4.0 before 2015-01-30 all ...) NOT-FOR-US: fli4l CVE-2015-1442 (SQL injection vulnerability in views/zero_transact_user.php in the adm ...) NOT-FOR-US: ZeroCMS CVE-2015-1440 RESERVED CVE-2015-1439 RESERVED CVE-2015-1438 (Heap-based buffer overflow in Panda Security Kernel Memory Access Driv ...) NOT-FOR-US: Panda CVE-2015-1437 (Multiple cross-site scripting (XSS) vulnerabilities in Asus RT-N10+ D1 ...) NOT-FOR-US: Asus RT-N10+ D1 router CVE-2015-1436 (Cross-site scripting (XSS) vulnerability in the Easing Slider plugin b ...) NOT-FOR-US: Easing Slider plugin for WordPress CVE-2015-1435 (Cross-site scripting (XSS) vulnerability in my little forum before 2.3 ...) NOT-FOR-US: Little forum CVE-2015-1434 (Multiple SQL injection vulnerabilities in my little forum before 2.3.4 ...) NOT-FOR-US: Little forum CVE-2015-1429 (Directory traversal vulnerability in Cybele Software Thinfinity Remote ...) NOT-FOR-US: Cybele Software Thinfinity Remote Desktop Workstation CVE-2015-1428 (Multiple SQL injection vulnerabilities in Sefrengo before 1.6.2 allow ...) NOT-FOR-US: Sefrengo CVE-2015-1427 (The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x be ...) - elasticsearch (Affects 1.3.0-1.3.7 and 1.4.0-1.4.2, vulnerable code not present) NOTE: http://seclists.org/bugtraq/2015/Feb/92 NOTE: Problem in the Groovy scripting engine. CVE-2015-1426 (Puppet Labs Facter 1.6.0 through 2.4.0 allows local users to obtains s ...) - facter 2.4.4-1 (bug #778265) [jessie] - facter (Minor issue) [squeeze] - facter (Uses version 2008-02-01 of the EC2 API which does not expose security credentials) [wheezy] - facter (Minor issue) NOTE: http://puppetlabs.com/security/cve/cve-2015-1426 NOTE: https://tickets.puppetlabs.com/browse/FACT-800 NOTE: The assessment for Squeeze being unaffected is based on the fact that the code accesses http://169.254.169.254/2008-02-01/meta-data/ and that http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html mentions the iam/security-credentials/role key as being introduced in version 2012-01-12. CVE-2015-1493 (Directory traversal vulnerability in the min_get_slash_argument functi ...) - moodle 2.7.5+dfsg-1 [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git;a=commit;h=af9a7937cc085f96bdbc4724cadec6eeae0242fc CVE-2015-XXXX [Invalid read in ensure_filepath] - libmspack 0.5-1 - cabextract 1.4-5 [wheezy] - cabextract (Minor issue) [squeeze] - cabextract (Minor issue) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/03/12 NOTE: Starting with 1.4-5 cabextract uses the mspack system library CVE-2015-XXXX [Invalid read in create_output_name] - libmspack 0.5-1 - cabextract 1.4-5 [wheezy] - cabextract (Minor issue) [squeeze] - cabextract (Minor issue) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/03/12 NOTE: Starting with 1.4-5 cabextract uses the mspack system library CVE-2014-9655 (The (1) putcontig8bitYCbCr21tile function in tif_getimage.c or (2) NeX ...) {DSA-3273-1 DLA-610-1 DLA-221-1} - tiff 4.0.3-12.1 (bug #777390) - tiff3 NOTE: http://lcamtuf.coredump.cx/afl/vulns/libtiff-cvs-1.tif NOTE: http://lcamtuf.coredump.cx/afl/vulns/libtiff-cvs-2.tif CVE-2014-9654 (The Regular Expressions package in International Components for Unicod ...) {DSA-3187-1 DLA-219-1} - icu 52.1-7.1 (bug #776719) NOTE: https://ssl.icu-project.org/trac/changeset/36801 NOTE: https://chromium.googlesource.com/chromium/deps/icu/+/dd727641e190d60e4593bcb3a35c7f51eb4925c5 CVE-2014-9653 (readelf.c in file before 5.22, as used in the Fileinfo component in PH ...) {DSA-3196-1 DLA-204-1} - file 1:5.22+15-1 (bug #777585) - php5 (readelf.c not used and even removed in 5.4.36-0+deb7u3) NOTE: http://bugs.gw.com/view.php?id=409 NOTE: http://mx.gw.com/pipermail/file/2014/001649.html NOTE: http://www.openwall.com/lists/oss-security/2015/02/04/13 CVE-2015-1465 (The IPv4 implementation in the Linux kernel before 3.18.8 does not pro ...) - linux 3.16.7-ckt7-1 [wheezy] - linux (Introduced in 3.16) - linux-2.6 (Introduced in 3.16) NOTE: Upstream patch: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=df4d92549f23e1c037e83323aff58a21b3de7fe0 (v3.19-rc7) NOTE: http://www.openwall.com/lists/oss-security/2015/02/02/2 CVE-2015-1473 (The ADDW macro in stdio-common/vfscanf.c in the GNU C Library (aka gli ...) {DSA-3169-1 DLA-165-1} - glibc 2.19-15 (bug #777197) - eglibc [squeeze] - eglibc (Vulnerable code not present) NOTE: Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=16618 NOTE: Fix: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06 NOTE: This was introduced by https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=3f8cc204fdd0 (2.15), NOTE: the patch was backported into wheezy (patches/any/cvs-vfscanf.diff), but not squeeze CVE-2015-1472 (The ADDW macro in stdio-common/vfscanf.c in the GNU C Library (aka gli ...) {DSA-3169-1 DLA-165-1} - glibc 2.19-15 (bug #777197) - eglibc [squeeze] - eglibc (Vulnerable code not present) NOTE: Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=16618 NOTE: Fix: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06 NOTE: This was introduced by https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=3f8cc204fdd0 (2.15), NOTE: the patch was backported into wheezy (patches/any/cvs-vfscanf.diff), but not squeeze CVE-2015-XXXX [Infinite loop in patch] - patch 2.7.4-1 (low; bug #776271) [squeeze] - patch (Minor issue) [wheezy] - patch (Minor issue) NOTE: Different from CVE-2014-9637 CVE-2015-1441 (SQL injection vulnerability in Piwigo before 2.5.6, 2.6.x before 2.6.5 ...) - piwigo [squeeze] - piwigo (Unsupported in squeeze-lts) NOTE: Request to mark the package as unsupported in #779104 NOTE: http://piwigo.org/releases/2.7.3 CVE-2015-1433 (program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does ...) {DLA-613-1} - roundcube 0.9.5+dfsg1-4.2 (low; bug #776700) [wheezy] - roundcube (Minor issue) [squeeze] - roundcube (Minor issue) CVE-2015-1432 (The message_options function in includes/ucp/ucp_pm_options.php in php ...) - phpbb3 3.0.12-4 (low; bug #776699) [wheezy] - phpbb3 3.0.10-4+deb7u2 [squeeze] - phpbb3 (Minor issue) NOTE: https://tracker.phpbb.com/browse/PHPBB3-13526 CVE-2015-1431 (Cross-site scripting (XSS) vulnerability in includes/startup.php in ph ...) - phpbb3 3.0.12-4 (low; bug #776699) [wheezy] - phpbb3 3.0.10-4+deb7u2 [squeeze] - phpbb3 (Minor issue) NOTE: https://tracker.phpbb.com/browse/PHPBB3-13531 CVE-2015-1430 (Buffer overflow in xymon 4.3.17-1. ...) - xymon 4.3.17-5 (low; bug #776007) [squeeze] - xymon (Vulnerable code not present) [wheezy] - xymon (Vulnerable code not present) NOTE: Upstream patch: http://sourceforge.net/p/xymon/code/7483/ NOTE: http://www.openwall.com/lists/oss-security/2015/01/30/17 CVE-2015-1425 (JAKWEB Gecko CMS has Multiple Input Validation Vulnerabilities ...) NOT-FOR-US: JAKWEB Gecko CMS CVE-2015-1424 (Cross-site request forgery (CSRF) vulnerability in Gecko CMS 2.2 and 2 ...) NOT-FOR-US: Gecko CMS CVE-2015-1423 (Multiple SQL injection vulnerabilities in Gecko CMS 2.2 and 2.3 allow ...) NOT-FOR-US: Gecko CMS CVE-2015-1422 (Multiple cross-site scripting (XSS) vulnerabilities in Gecko CMS 2.2 a ...) NOT-FOR-US: Gecko CMS CVE-2015-XXXX [symlink directory traversal] - unrar-nonfree 1:5.2.7-0.1 (bug #774171) [wheezy] - unrar-nonfree 1:4.1.4-1+deb7u1 [squeeze] - unrar-nonfree (Non-free not supported) CVE-2014-9983 (Directory Traversal exists in RAR 4.x and 5.x because an unpack operat ...) - rar 2:5.3.b2-1 (bug #774172) [jessie] - rar (Non-free not supported) [wheezy] - rar (Non-free not supported) [squeeze] - rar (Not fixed upstream and license does not allow modification) NOTE: Version 5.21 upstream changes behaviour: by default rar skips symbolic links NOTE: symbolic links with absolute paths in link target when extracting. CVE-2015-1589 (Directory traversal vulnerability in arCHMage 0.2.4 allows remote atta ...) - archmage 1:0.2.4-4 (bug #776164) [squeeze] - archmage (Minor issue) [wheezy] - archmage (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/02/12/9 CVE-2015-1419 (Unspecified vulnerability in vsftpd 3.0.2 and earlier allows remote at ...) - vsftpd 3.0.2-18 (unimportant; bug #776922) [jessie] - vsftpd 3.0.2-17+deb8u1 NOTE: http://seclists.org/oss-sec/2015/q1/389 NOTE: Not a real security feature according the manpage and upstream CVE-2015-1418 (The do_ed_script function in pch.c in GNU patch through 2.7.6, and pat ...) NOT-FOR-US: patch as used in FreeBSD specifically CVE-2018-1000156 (GNU Patch version 2.7.6 contains an input validation vulnerability whe ...) {DLA-1348-1} - patch 2.7.6-2 (bug #894993) [stretch] - patch 2.7.5-1+deb9u1 [jessie] - patch 2.7.5-1+deb8u1 NOTE: Upstream bug: https://savannah.gnu.org/bugs/?53566 NOTE: https://rachelbythebay.com/w/2018/04/05/bangpatch/ NOTE: https://twitter.com/kurtseifried/status/982028968877436928 NOTE: This CVE is specifically for GNU patch and relates to CVE-2015-1418 NOTE: http://git.savannah.gnu.org/cgit/patch.git/commit/?id=123eaff0d5d1aebe128295959435b9ca5909c26d NOTE: Respective patch in FreeBSD: https://www.freebsd.org/security/advisories/FreeBSD-SA-15:18.bsdpatch.asc NOTE: Respective patch in OpenBSD: https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/013_patch.patch.sig NOTE: (Functional) regression/issue introduced with only the initial commit: NOTE: https://savannah.gnu.org/bugs/?53820 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1092500 NOTE: Followup fixes needed to address https://bugs.debian.org/933140 NOTE: http://git.savannah.gnu.org/cgit/patch.git/commit/?id=19599883ffb6a450d2884f081f8ecf68edbed7ee NOTE: http://git.savannah.gnu.org/cgit/patch.git/commit/?id=369dcccdfa6336e5a873d6d63705cfbe04c55727 CVE-2015-1417 (The inet module in FreeBSD 10.2x before 10.2-PRERELEASE, 10.2-BETA2-p2 ...) - kfreebsd-10 10.2-1 (unimportant) NOTE: kfreebsd not covered by security support in Jessie CVE-2015-1416 (Larry Wall's patch; patch in FreeBSD 10.2-RC1 before 10.2-RC1-p1, 10.2 ...) - patch 2.5-1 NOTE: http://www.openwall.com/lists/oss-security/2015/08/02/6 NOTE: CVE assignment applies as well to GNU patch before 2.3 and 2.2.5 CVE-2015-1415 (The bsdinstall installer in FreeBSD 10.x before 10.1 p9, when configur ...) NOT-FOR-US: FreeBSD installer CVE-2015-1414 (Integer overflow in FreeBSD before 8.4 p24, 9.x before 9.3 p10. 10.0 b ...) {DSA-3175-2 DSA-3175-1} [experimental] - kfreebsd-11 11.0~svn284956-1 - kfreebsd-10 10.1~svn274115-4 (bug #779195) - kfreebsd-9 (bug #779201) - kfreebsd-8 (bug #779202) [wheezy] - kfreebsd-8 (kfreebsd-8 only a test kernel, will be fixed in a point update) [squeeze] - kfreebsd-8 (kfreebsd-i386/amd64 not supported in Squeeze LTS) NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-15:04.igmp.asc CVE-2015-1413 RESERVED CVE-2015-1412 RESERVED CVE-2015-1411 RESERVED CVE-2015-1410 RESERVED CVE-2015-1409 RESERVED CVE-2015-1408 RESERVED CVE-2015-1407 RESERVED CVE-2015-1406 RESERVED CVE-2015-1400 (SQL injection vulnerability in search.php in NPDS Revolution 13 allows ...) NOT-FOR-US: NPDS Revolution CVE-2015-1399 (PHP remote file inclusion vulnerability in the fetchView function in t ...) NOT-FOR-US: Magento CVE-2015-1398 (Multiple directory traversal vulnerabilities in Magento Community Edit ...) NOT-FOR-US: Magento CVE-2015-1397 (SQL injection vulnerability in the getCsvFile function in the Mage_Adm ...) NOT-FOR-US: Magento CVE-2015-1394 (Multiple cross-site scripting (XSS) vulnerabilities in the Photo Galle ...) NOT-FOR-US: WordPress plugin photo-gallery CVE-2015-1393 (SQL injection vulnerability in the Photo Gallery plugin before 1.2.11 ...) NOT-FOR-US: WordPress plugin photo-gallery CVE-2015-1392 (Multiple SQL injection vulnerabilities in Aruba Networks ClearPass Pol ...) NOT-FOR-US: Aruba Networks CPPM CVE-2015-1391 RESERVED CVE-2015-1390 RESERVED CVE-2015-1389 (Cross-site scripting (XSS) vulnerability in Aruba Networks ClearPass P ...) NOT-FOR-US: Aruba Networks CPPM CVE-2015-1388 (The "RAP console" feature in ArubaOS 5.x through 6.2.x, 6.3.x before 6 ...) NOT-FOR-US: ArubaOS CVE-2015-1387 REJECTED CVE-2015-1385 (Cross-site scripting (XSS) vulnerability in the Blubrry PowerPress Pod ...) NOT-FOR-US: WordPress plugin powerpress CVE-2015-1384 (Cross-site scripting (XSS) vulnerability in the Banner Effect Header p ...) NOT-FOR-US: Banner Effect Header plugin for WordPress CVE-2015-1383 (Cross-site scripting (XSS) vulnerability in the geo search widget in t ...) NOT-FOR-US: WordPress plugin geo-mashup CVE-2015-1376 (pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPre ...) NOT-FOR-US: WordPress plugin Pixabay Images CVE-2015-1375 (pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPre ...) NOT-FOR-US: WordPress plugin Pixabay Images CVE-2015-1374 (Multiple cross-site request forgery (CSRF) vulnerabilities in admin.ph ...) NOT-FOR-US: ferretCMS CVE-2015-1373 (Multiple cross-site scripting (XSS) vulnerabilities in admin.php in fe ...) NOT-FOR-US: ferretCMS CVE-2015-1372 (SQL injection vulnerability in ferretCMS 1.0.4-alpha allows remote att ...) NOT-FOR-US: ferretCMS CVE-2015-1371 (Unrestricted file upload vulnerability in ferretCMS 1.0.4-alpha allows ...) NOT-FOR-US: ferretCMS CVE-2015-1368 (Multiple cross-site scripting (XSS) vulnerabilities in Ansible Tower ( ...) NOT-FOR-US: Ansible Tower CVE-2015-1367 (SQL injection vulnerability in index.php in CatBot 0.4.2 allows remote ...) NOT-FOR-US: CatBot CVE-2015-1366 (Cross-site scripting (XSS) vulnerability in pixabay-images.php in the ...) NOT-FOR-US: Wordpress plugin Pixabay Images CVE-2015-1365 (Directory traversal vulnerability in pixabay-images.php in the Pixabay ...) NOT-FOR-US: Wordpress plugin Pixabay Images CVE-2015-1364 (SQL injection vulnerability in the getProfile function in system/profi ...) NOT-FOR-US: Free Reprintables ArticleFR CVE-2015-1363 (Cross-site scripting (XSS) vulnerability in Free Reprintables ArticleF ...) NOT-FOR-US: ArticleFR CVE-2015-1362 (Buffer overflow in the Customize 35mm tab in Two Pilots Exif Pilot 4.7 ...) NOT-FOR-US: Exif Pilot CVE-2015-1361 (platform/image-decoders/ImageFrame.h in Blink, as used in Google Chrom ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1360 (Skia, as used in Google Chrome before 40.0.2214.91, allows remote atta ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1359 (Multiple off-by-one errors in fpdfapi/fpdf_font/font_int.h in PDFium, ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1358 (The remote-management module in the (1) Multi Panels, (2) Comfort Pane ...) NOT-FOR-US: Siemens SIMATIC CVE-2015-1357 (Siemens Ruggedcom WIN51xx devices with firmware before SS4.4.4624.35, ...) NOT-FOR-US: Siemens Ruggedcom CVE-2015-1356 (Siemens SIMATIC STEP 7 (TIA Portal) before 13 SP1 determines a user's ...) NOT-FOR-US: Siemens SIMATIC CVE-2015-1355 (Siemens SIMATIC STEP 7 (TIA Portal) before 13 SP1 uses a weak password ...) NOT-FOR-US: Siemens SIMATIC CVE-2014-9648 (components/navigation_interception/intercept_navigation_resource_throt ...) - chromium-browser (Chrome on Android) CVE-2014-9647 (Use-after-free vulnerability in PDFium, as used in Google Chrome befor ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-9646 (Unquoted Windows search path vulnerability in the GoogleChromeDistribu ...) - chromium-browser (Windows specific problem for chromium-browser) CVE-2015-1563 (The ARM GIC distributor virtualization in Xen 4.4.x and 4.5.x allows l ...) - xen 4.4.1-7 (low; bug #776319) [wheezy] - xen (Only affects 4.4 and later on arm) [squeeze] - xen (Only affects 4.4 and later on arm) CVE-2015-1558 (Asterisk Open Source 12.x before 12.8.1 and 13.x before 13.1.1, when u ...) - asterisk 1:13.1.0~dfsg-1.1 (bug #780601) [jessie] - asterisk (Only affects 12.x and 13.x) [wheezy] - asterisk (Only affects 12.x and 13.x) [squeeze] - asterisk (Only affects 12.x and 13.x) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-24666 NOTE: http://downloads.digium.com/pub/security/AST-2015-001.html CVE-2013-7449 (The ssl_do_connect function in common/server.c in HexChat before 2.10. ...) - xchat 2.8.8-10 (bug #776609) [jessie] - xchat (Minor issue) [wheezy] - xchat (Minor issue) [squeeze] - xchat (Minor issue) - xchat-gnome (bug #829730) [wheezy] - xchat-gnome (Minor issue) [squeeze] - xchat-gnome (Minor issue) - hexchat 2.10.2-1 (bug #818009) [jessie] - hexchat 2.10.1-1+deb8u1 NOTE: https://github.com/hexchat/hexchat/issues/524 NOTE: https://github.com/hexchat/hexchat/commit/c9b63f7f9be01692b03fa15275135a4910a7e02d (v2.12.0) NOTE: https://github.com/hexchat/hexchat/commit/c99f2ba645d1f4d01d6d2bb0cc1238825e15c604 (v2.10.2) CVE-2013-7426 (Insecure Temporary file vulnerability in /tmp/kamailio_fifo in kamaili ...) - kamailio 4.0.2-1 (bug #712083) CVE-2013-7424 (The getaddrinfo function in glibc before 2.15, when compiled with libi ...) {DSA-3169-1 DLA-165-1} - glibc 2.15-1 - eglibc 2.15-1 NOTE: http://seclists.org/oss-sec/2015/q1/306 NOTE: Upstream fix: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2e96f1c7 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=981942 CVE-2015-1421 (Use-after-free vulnerability in the sctp_assoc_update function in net/ ...) {DSA-3170-1 DLA-155-1} - linux 3.16.7-ckt4-3 - linux-2.6 NOTE: Upstream fix: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=600ddd6825543962fb807884169e57b580dba208 CVE-2015-1420 (Race condition in the handle_to_path function in fs/fhandle.c in the L ...) {DSA-3170-1} - linux 3.16.7-ckt7-1 - linux-2.6 (Introduced in 2.6.39) NOTE: http://marc.info/?l=linux-kernel&m=142247707318982&w=2 NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=161f873b89136eb1e69477c847d5a5033239d9ba (v4.1-rc7) CVE-2015-1405 (SQL injection vulnerability in the Content Rating Extbase extension 2. ...) NOT-FOR-US: typo3 extension CVE-2015-1404 (Cross-site scripting (XSS) vulnerability in the Content Rating Extbase ...) NOT-FOR-US: typo3 extension CVE-2015-1403 (SQL injection vulnerability in the Content Rating extension 1.0.3 and ...) NOT-FOR-US: typo3 extension CVE-2015-1402 (Cross-site scripting (XSS) vulnerability in the Content Rating extensi ...) NOT-FOR-US: typo3 extension CVE-2015-1401 (Improper Authentication vulnerability in the "LDAP / SSO Authenticatio ...) NOT-FOR-US: typo3 extension CVE-2015-1554 (kgb-bot 1.33-2 allows remote attackers to cause a denial of service (c ...) - kgb-bot (low; bug #776424) NOTE: 20190201: random crash still not reproducible CVE-2015-1369 (SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js ...) NOT-FOR-US: sequelize CVE-2015-1354 RESERVED CVE-2015-1349 (named in ISC BIND 9.7.0 through 9.9.6 before 9.9.6-P2 and 9.10.x befor ...) {DSA-3162-1 DLA-163-1} - bind9 1:9.9.5.dfsg-9 (low; bug #778733) CVE-2015-1348 (Heap-based buffer overflow in Aruba Instant (IAP) with firmware before ...) NOT-FOR-US: Aruba Instant CVE-2015-1347 (Cross-site scripting (XSS) vulnerability in client.inc.php in osTicket ...) NOT-FOR-US: osTicket CVE-2015-1344 (The do_write_pids function in lxcfs.c in LXCFS before 0.12 does not pr ...) - lxcfs (Fixed before initial upload to the archive) NOTE: https://bugs.launchpad.net/ubuntu/+source/lxcfs/+bug/1512854 CVE-2015-1343 (All versions of unity-scope-gdrive logs search terms to syslog. ...) NOT-FOR-US: unity-scope-gdrive CVE-2015-1342 (LXCFS before 0.12 does not properly enforce directory escapes, which m ...) - lxcfs (Fixed before initial upload to the archive) NOTE: https://bugs.launchpad.net/ubuntu/+source/lxcfs/+bug/1508481 CVE-2015-1341 (Any Python module in sys.path can be imported if the command line of t ...) NOT-FOR-US: Apport CVE-2015-1340 (LXD before version 0.19-0ubuntu5 doUidshiftIntoContainer() has an unsa ...) - lxd (bug #768073) CVE-2015-1339 (Memory leak in the cuse_channel_release function in fs/fuse/cuse.c in ...) - linux 4.4.2-1 [jessie] - linux (Vulnerable code introduced in v4.2-rc1) [wheezy] - linux (Vulnerable code introduced in v4.2-rc1) NOTE: Introduced in: https://git.kernel.org/linus/cc080e9e9be16ccf26135d366d7d2b65209f1d56 (v4.2-rc1) NOTE: Fixed in: https://git.kernel.org/linus/2c5816b4beccc8ba709144539f6fdd764f8fa49c (v4.4-rc5) CVE-2015-1338 (kernel_crashdump in Apport before 2.19 allows local users to cause a d ...) NOT-FOR-US: Apport CVE-2015-1337 (Simple Streams (simplestreams) does not properly verify the GPG signat ...) NOT-FOR-US: simplestreams CVE-2015-1336 (The daily mandb cleanup job in Man-db before 2.7.6.1-1 as packaged in ...) - man-db 2.7.6-1 (bug #840357) [jessie] - man-db (Minor issue) [wheezy] - man-db (Minor issue) [squeeze] - man-db (Not exploitable in practice) NOTE: http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/ NOTE: https://bugs.launchpad.net/ubuntu/+source/man-db/+bug/1482786 CVE-2015-1335 (lxc-start in lxc before 1.0.8 and 1.1.x before 1.1.4 allows local cont ...) {DSA-3400-1 DLA-442-1} - lxc 1:1.0.8-1 (bug #800471) [wheezy] - lxc (Minor issue) NOTE: https://launchpad.net/bugs/1476662 NOTE: https://github.com/lxc/lxc/commit/592fd47a6245508b79fe6ac819fe6d3b2c1289be NOTE: https://lists.linuxcontainers.org/pipermail/lxc-devel/2015-September/012434.html CVE-2015-1334 (attach.c in LXC 1.1.2 and earlier uses the proc filesystem in a contai ...) {DSA-3317-1} - lxc 1:1.0.7-4 (bug #793298) [wheezy] - lxc (Affects 0.9.0 and higher) [squeeze] - lxc (Affects 0.9.0 and higher) CVE-2015-1333 (Memory leak in the __key_link_end function in security/keys/keyring.c ...) - linux 4.1.3-1 [jessie] - linux 3.16.7-ckt11-1+deb8u3 [wheezy] - linux (Introduced in 3.13) - linux-2.6 (Introduced in 3.13) NOTE: Introduced by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=034faeb9ef390d58239e1dce748143f6b35a0d9b (v3.13-rc1) CVE-2015-1332 (The oxide::JavaScriptDialogManager function in oxide-qt before 1.9.1 a ...) NOT-FOR-US: oxide-qt NOTE: The JavaScriptDialogManager exists as well for chromium-browser, but this NOTE: CVE seem specific assigned for an issue in oxide::JavaScriptDialogManager CVE-2015-1331 (lxclock.c in LXC 1.1.2 and earlier allows local users to create arbitr ...) {DSA-3317-1} - lxc 1:1.0.7-4 (bug #793298) [wheezy] - lxc (Affects 1.0.0 and higher) [squeeze] - lxc (Affects 1.0.0 and higher) CVE-2015-1330 (unattended-upgrades before 0.86.1 does not properly authenticate packa ...) {DSA-3297-1 DLA-267-1} - unattended-upgrades 0.86.1 CVE-2015-1329 (Use-after-free vulnerability in oxide::qt::URLRequestDelegatedJob in o ...) NOT-FOR-US: Oxide-QT CVE-2015-1328 (The overlayfs implementation in the linux (aka Linux kernel) package b ...) - linux (Ubuntu-specific flaw, overlayfs mounts restricted to privileged users in Debian) - linux-2.6 (Ubuntu-specific flaw, overlayfs mounts restricted to privileged users in Debian) NOTE: http://seclists.org/oss-sec/2015/q2/717 NOTE: https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html NOTE: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/vivid/commit/?id=78ec4549 CVE-2015-1327 (Content Hub before version 0.0+15.04.20150331-0ubuntu1.0 DBUS API only ...) NOT-FOR-US: Content Hub CVE-2015-1326 (python-dbusmock before version 0.15.1 AddTemplate() D-Bus method call ...) - python-dbusmock 0.15.1-1 (bug #786858) [jessie] - python-dbusmock 0.11.4-1+deb8u1 NOTE: https://bugs.launchpad.net/python-dbusmock/+bug/1453815 CVE-2015-1325 (Race condition in Apport before 2.17.2-0ubuntu1.1 as packaged in Ubunt ...) NOT-FOR-US: Apport CVE-2015-1324 (Apport before 2.17.2-0ubuntu1.1 as packaged in Ubuntu 15.04, before 2. ...) NOT-FOR-US: Apport CVE-2015-1323 (The simulate dbus method in aptdaemon before 1.1.1+bzr982-0ubuntu3.1 a ...) {DLA-261-1} - aptdaemon 1.1.1+bzr982-1 (bug #789162) [jessie] - aptdaemon 1.1.1-4+deb8u1 [wheezy] - aptdaemon 0.45-2+deb7u1 NOTE: https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/1449587 CVE-2015-1322 (Directory traversal vulnerability in the Ubuntu network-manager packag ...) - network-manager (Ubuntu specific patch) NOTE: http://www.ubuntu.com/usn/usn-2581-1 NOTE: https://bazaar.launchpad.net/~phablet-team/network-manager/ofono-format-cleanup/view/head:/debian/patches/add_ofono_settings_support.patch CVE-2015-1321 (Use-after-free vulnerability in the file picker implementation in Oxid ...) NOT-FOR-US: Oxide CVE-2015-1320 (The SeaMicro provisioning of Ubuntu MAAS logs credentials, including u ...) NOT-FOR-US: Ubuntu MAAS CVE-2015-1319 (The Unity Settings Daemon before 14.04.0+14.04.20150825-0ubuntu2 and 1 ...) - unity (bug #609278) CVE-2015-1318 (The crash reporting feature in Apport 2.13 through 2.17.x before 2.17. ...) NOT-FOR-US: Apport CVE-2015-1317 (Use-after-free vulnerability in Oxide before 1.5.6 and 1.6.x before 1. ...) NOT-FOR-US: Oxide CVE-2015-1316 (Juju Core's Joyent provider before version 1.25.5 uploads the user's p ...) - juju CVE-2015-1315 (Buffer overflow in the charset_to_intern function in unix/unix.c in In ...) - unzip (*-unzip60-alt-iconv-utf8 patch not applied in Debian) CVE-2015-1314 (The USAA Mobile Banking application before 7.10.1 for Android displays ...) NOT-FOR-US: USAA Mobile Banking application for Android CVE-2015-1313 RESERVED CVE-2015-1312 (The Dealer Portal in SAP ERP does not properly restrict access, which ...) NOT-FOR-US: SAP CVE-2015-1311 (The Extended Application Services (XS) in SAP HANA allows remote attac ...) NOT-FOR-US: SAP CVE-2015-1310 (SQL injection vulnerability in SAP Adaptive Server Enterprise (Sybase ...) NOT-FOR-US: SAP CVE-2015-1309 (XML external entity vulnerability in the Extended Computer Aided Test ...) NOT-FOR-US: SAP CVE-2015-1305 (McAfee Data Loss Prevention Endpoint (DLPe) before 9.3.400 allows loca ...) NOT-FOR-US: McAfee Data Loss Prevention Endpoint CVE-2014-9643 (K7Sentry.sys in K7 Computing Ultimate Security, Anti-Virus Plus, and T ...) NOT-FOR-US: K7 components for Windows CVE-2014-9642 (bdagent.sys in BullGuard Antivirus, Internet Security, Premium Protect ...) NOT-FOR-US: BullGuard components CVE-2014-9641 (The tmeext.sys driver before 2.0.0.1015 in Trend Micro Antivirus Plus, ...) NOT-FOR-US: Trend Micro CVE-2014-9633 (The bdisk.sys driver in COMODO Backup before 4.4.1.23 allows remote at ...) NOT-FOR-US: COMODO Backup CVE-2014-9632 (The TDI driver (avgtdix.sys) in AVG Internet Security before 2013.3495 ...) NOT-FOR-US: AVG CVE-2015-1386 (Directory traversal vulnerability in unshield 1.0-1. ...) - unshield 1.4-1 (low; bug #776193) [jessie] - unshield (Minor issue) [wheezy] - unshield (Minor issue) [squeeze] - unshield (Minor issue) NOTE: https://github.com/twogood/unshield/issues/42 CVE-2015-1382 (parsers.c in Privoxy before 3.0.23 allows remote attackers to cause a ...) {DSA-3145-1 DLA-142-1} - privoxy 3.0.21-7 (bug #776490) NOTE: http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/parsers.c?r1=1.297&r2=1.298 CVE-2015-1381 (Multiple unspecified vulnerabilities in pcrs.c in Privoxy before 3.0.2 ...) {DSA-3145-1 DLA-142-1} - privoxy 3.0.21-7 (bug #776490) NOTE: http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/pcrs.c?r1=1.46&r2=1.47 CVE-2015-1380 (jcc.c in Privoxy before 3.0.23 allows remote attackers to cause a deni ...) - privoxy 3.0.21-7 (bug #776490) [wheezy] - privoxy (Vulnerable code introduced in 3.0.20) [squeeze] - privoxy (Vulnerable code introduced in 3.0.20) NOTE: http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/jcc.c?r1=1.433&r2=1.434 CVE-2015-1379 (The signal handler implementations in socat before 1.7.3.0 and 2.0.0-b ...) - socat 1.7.2.4-2 (bug #776234) [wheezy] - socat (Minor issue) [squeeze] - socat (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/01/24/6 NOTE: Upstream advisory: http://www.dest-unreach.org/socat/contrib/socat-secadv6.txt CVE-2015-1378 (cmdlineopts.clp in grml-debootstrap in Debian 0.54, 0.68.x before 0.68 ...) - grml-debootstrap 0.68.1 (low; bug #776502) [wheezy] - grml-debootstrap (Minor issue) NOTE: https://github.com/grml/grml-debootstrap/issues/59 CVE-2015-1377 (The Read Mail module in Webmin 1.720 allows local users to read arbitr ...) - webmin CVE-2015-1395 (Directory traversal vulnerability in GNU patch versions which support ...) - patch 2.7.3-1 (bug #775873) [wheezy] - patch (Support for git-style patches added in 2.7) [squeeze] - patch (Support for git-style patches added in 2.7) NOTE: Upstream report: https://savannah.gnu.org/bugs/?44059 NOTE: http://www.openwall.com/lists/oss-security/2015/01/24/2 CVE-2015-1370 (Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Nod ...) - node-marked 0.3.6+dfsg-1 (unimportant) NOTE: https://nodesecurity.io/advisories/marked_vbscript_injection NOTE: https://github.com/chjj/marked/issues/492 NOTE: libv8 is not covered by security support CVE-2013-7423 (The send_dg function in resolv/res_send.c in GNU C Library (aka glibc ...) {DLA-165-1} - glibc 2.19-1 (bug #722075) [wheezy] - eglibc 2.13-38+deb7u5 - eglibc NOTE: Fix: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f9d2d03254a58d92635a311a42253eeed5a40a47 NOTE: Upstream report: https://sourceware.org/bugzilla/show_bug.cgi?id=15946 NOTE: http://www.openwall.com/lists/oss-security/2015/01/28/16 CVE-2013-7421 (The Crypto API in the Linux kernel before 3.18.5 allows local users to ...) {DSA-3170-1} - linux 3.16.7-ckt4-2 - linux-2.6 [squeeze] - linux-2.6 (Introduced in v2.6.38-rc1) NOTE: https://lkml.org/lkml/2013/3/4/70 NOTE: https://plus.google.com/+MathiasKrause/posts/PqFCo4bfrWu NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5d26a105b5a7 (v3.19-rc1) CVE-2014-9644 (The Crypto API in the Linux kernel before 3.18.5 allows local users to ...) {DSA-3170-1} - linux 3.16.7-ckt4-2 - linux-2.6 [squeeze] - linux-2.6 (Introduced in v2.6.38-rc1) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4943ba16bbc2 (v3.19-rc1) CVE-2014-9645 (The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 ...) {DLA-1445-1} - busybox 1:1.22.0-15 (low; bug #776186) [wheezy] - busybox (Minor issue) [squeeze] - busybox (Minor issue) NOTE: https://bugs.busybox.net/show_bug.cgi?id=7652 NOTE: http://git.busybox.net/busybox/commit/?id=4e314faa0aecb66717418e9a47a4451aec59262b CVE-2013-7422 (Integer underflow in regcomp.c in Perl before 5.20, as used in Apple O ...) - perl 5.20.0-1 (bug #776046) [wheezy] - perl (Minor issue) [squeeze] - perl (Minor issue) NOTE: https://rt.perl.org/Public/Bug/Display.html?id=119505 NOTE: http://www.openwall.com/lists/oss-security/2015/01/23/9 CVE-2015-1304 (object-observe.js in Google V8, as used in Google Chrome before 45.0.2 ...) {DSA-3376-1} - chromium-browser 45.0.2454.101-1 [jessie] - chromium-browser (minor issue) [wheezy] - chromium-browser [squeeze] - chromium-browser - libv8-3.14 (unimportant) NOTE: libv8 not covered by security support CVE-2015-1303 (bindings/core/v8/V8DOMWrapper.h in Blink, as used in Google Chrome bef ...) {DSA-3376-1} - chromium-browser 45.0.2454.101-1 [jessie] - chromium-browser (minor issue) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1302 (The PDF viewer in Google Chrome before 46.0.2490.86 does not properly ...) {DSA-3415-1} - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser [squeeze] - chromium-browser NOTE: http://googlechromereleases.blogspot.de/2015/11/stable-channel-update.html CVE-2015-1301 (Multiple unspecified vulnerabilities in Google Chrome before 45.0.2454 ...) {DSA-3351-1} - chromium-browser 45.0.2454.85-1 (low) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1300 (The FrameFetchContext::updateTimingInfoForIFrameNavigation function in ...) {DSA-3351-1} - chromium-browser 45.0.2454.85-1 (low) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1299 (Use-after-free vulnerability in the shared-timer implementation in Bli ...) {DSA-3351-1} - chromium-browser 45.0.2454.85-1 (low) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1298 (The RuntimeEventRouter::OnExtensionUninstalled function in extensions/ ...) {DSA-3351-1} - chromium-browser 45.0.2454.85-1 (low) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1297 (The WebRequest API implementation in extensions/browser/api/web_reques ...) {DSA-3351-1} - chromium-browser 45.0.2454.85-1 (low) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1296 (The UnescapeURLWithAdjustmentsImpl implementation in net/base/escape.c ...) {DSA-3351-1} - chromium-browser 45.0.2454.85-1 (low) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1295 (Multiple use-after-free vulnerabilities in the PrintWebViewHelper clas ...) {DSA-3351-1} - chromium-browser 45.0.2454.85-1 (low) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1294 (Use-after-free vulnerability in the SkMatrix::invertNonIdentity functi ...) {DSA-3351-1} - chromium-browser 45.0.2454.85-1 (low) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1293 (The DOM implementation in Blink, as used in Google Chrome before 45.0. ...) {DSA-3351-1} - chromium-browser 45.0.2454.85-1 (low) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1292 (The NavigatorServiceWorker::serviceWorker function in modules/servicew ...) {DSA-3351-1} - chromium-browser 45.0.2454.85-1 (low) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1291 (The ContainerNode::parserRemoveChild function in core/dom/ContainerNod ...) {DSA-3351-1} - chromium-browser 45.0.2454.85-1 (low) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1290 (The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and ...) - chromium-browser 44.0.2403.89-1 [wheezy] - chromium-browser - libv8-3.14 (unimportant) NOTE: libv8 not covered by security support CVE-2015-1289 (Multiple unspecified vulnerabilities in Google Chrome before 44.0.2403 ...) {DSA-3315-1} - chromium-browser 44.0.2403.89-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1288 (The Spellcheck API implementation in Google Chrome before 44.0.2403.89 ...) {DSA-3315-1} - chromium-browser 44.0.2403.89-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1287 (Blink, as used in Google Chrome before 44.0.2403.89, enables a quirks- ...) {DSA-3315-1} - chromium-browser 44.0.2403.89-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1286 (Cross-site scripting (XSS) vulnerability in the V8ContextNativeHandler ...) {DSA-3315-1} - chromium-browser 44.0.2403.89-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1285 (The XSSAuditor::canonicalize function in core/html/parser/XSSAuditor.c ...) {DSA-3315-1} - chromium-browser 44.0.2403.89-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1284 (The LocalFrame::isURLAllowed function in core/frame/LocalFrame.cpp in ...) {DSA-3315-1} - chromium-browser 44.0.2403.89-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1283 (Multiple integer overflows in the XML_GetBuffer function in Expat thro ...) {DSA-3318-1 DSA-3315-1 DLA-281-1} - chromium-browser 44.0.2403.89-1 [wheezy] - chromium-browser [squeeze] - chromium-browser - expat 2.1.0-7 (bug #793484) NOTE: Patch: https://hg.mozilla.org/releases/mozilla-esr31/rev/2f3e78643f5c CVE-2015-1282 (Multiple use-after-free vulnerabilities in fpdfsdk/src/javascript/Docu ...) {DSA-3315-1} - chromium-browser 44.0.2403.89-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1281 (core/loader/ImageLoader.cpp in Blink, as used in Google Chrome before ...) {DSA-3315-1} - chromium-browser 44.0.2403.89-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1280 (SkPictureShader.cpp in Skia, as used in Google Chrome before 44.0.2403 ...) {DSA-3315-1} - chromium-browser 44.0.2403.89-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1279 (Integer overflow in the CJBig2_Image::expand function in fxcodec/jbig2 ...) {DSA-3315-1} - chromium-browser 44.0.2403.89-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1278 (content/browser/web_contents/web_contents_impl.cc in Google Chrome bef ...) {DSA-3315-1} - chromium-browser 44.0.2403.89-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1277 (Use-after-free vulnerability in the accessibility implementation in Go ...) {DSA-3315-1} - chromium-browser 44.0.2403.89-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1276 (Use-after-free vulnerability in content/browser/indexed_db/indexed_db_ ...) {DSA-3315-1} - chromium-browser 44.0.2403.89-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1275 (Cross-site scripting (XSS) vulnerability in org/chromium/chrome/browse ...) - chromium-browser (Android-specific) CVE-2015-1274 (Google Chrome before 44.0.2403.89 does not ensure that the auto-open l ...) {DSA-3315-1} - chromium-browser 44.0.2403.89-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1273 (Heap-based buffer overflow in j2k.c in OpenJPEG before r3002, as used ...) {DSA-3315-1} - chromium-browser 44.0.2403.89-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1272 (Use-after-free vulnerability in the GPU process implementation in Goog ...) {DSA-3315-1} - chromium-browser 44.0.2403.89-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1271 (PDFium, as used in Google Chrome before 44.0.2403.89, does not properl ...) {DSA-3315-1} - chromium-browser 44.0.2403.89-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1270 (The ucnv_io_getConverterName function in common/ucnv_io.cpp in Interna ...) {DSA-3360-1 DSA-3315-1} - chromium-browser 44.0.2403.89-1 [wheezy] - chromium-browser [squeeze] - chromium-browser - icu 55.1-5 (bug #798647) [wheezy] - icu (code in ucnv_io_getConverterName not present, introduced in 49.x) [squeeze] - icu (code in ucnv_io_getConverterName not present, introduced in 49.x) NOTE: http://bugs.icu-project.org/trac/ticket/11696 NOTE: Patch: http://bugs.icu-project.org/trac/changeset/37486/ CVE-2015-1269 (The DecodeHSTSPreloadRaw function in net/http/transport_security_state ...) {DSA-3315-1} - chromium-browser 43.0.2357.130-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1268 (bindings/scripts/v8_types.py in Blink, as used in Google Chrome before ...) {DSA-3315-1} - chromium-browser 43.0.2357.130-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1267 (Blink, as used in Google Chrome before 43.0.2357.130, does not properl ...) {DSA-3315-1} - chromium-browser 43.0.2357.130-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1266 (content/browser/webui/content_web_ui_controller_factory.cc in Google C ...) {DSA-3315-1} - chromium-browser 43.0.2357.130-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1265 (Multiple unspecified vulnerabilities in Google Chrome before 43.0.2357 ...) {DSA-3267-1} - chromium-browser 43.0.2357.65-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1264 (Cross-site scripting (XSS) vulnerability in Google Chrome before 43.0. ...) {DSA-3267-1} - chromium-browser 43.0.2357.65-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1263 (The Spellcheck API implementation in Google Chrome before 43.0.2357.65 ...) {DSA-3267-1} - chromium-browser 43.0.2357.65-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1262 (platform/fonts/shaping/HarfBuzzShaper.cpp in Blink, as used in Google ...) {DSA-3267-1} - chromium-browser 43.0.2357.65-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1261 (android/java/src/org/chromium/chrome/browser/WebsiteSettingsPopup.java ...) {DSA-3267-1} - chromium-browser 43.0.2357.65-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1260 (Multiple use-after-free vulnerabilities in content/renderer/media/user ...) {DSA-3267-1} - chromium-browser 43.0.2357.65-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1259 (PDFium, as used in Google Chrome before 43.0.2357.65, does not properl ...) {DSA-3267-1} - chromium-browser 43.0.2357.65-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1258 (Google Chrome before 43.0.2357.65 relies on libvpx code that was not b ...) {DSA-3267-1} - chromium-browser 43.0.2357.65-1 [wheezy] - chromium-browser [squeeze] - chromium-browser - libvpx 1.4.0-4 (unimportant) [wheezy] - libvpx (vp9 code introduced in 1.3.0) [squeeze] - libvpx (vp9 code not present in 0.9.1) NOTE: That's not a vulnerability in libvpx per se NOTE: 1.4.0-4 adds the workaround to configure with --size-limit=16384x16384 NOTE: https://github.com/webmproject/libvpx/commit/943e43273b0a7369d07714e7fd2e19fecfb11c7c CVE-2015-1257 (platform/graphics/filters/FEColorMatrix.cpp in the SVG implementation ...) {DSA-3267-1} - chromium-browser 43.0.2357.65-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1256 (Use-after-free vulnerability in the SVG implementation in Blink, as us ...) {DSA-3267-1} - chromium-browser 43.0.2357.65-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1255 (Use-after-free vulnerability in content/renderer/media/webaudio_captur ...) {DSA-3267-1} - chromium-browser 43.0.2357.65-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1254 (core/dom/Document.cpp in Blink, as used in Google Chrome before 43.0.2 ...) {DSA-3267-1} - chromium-browser 43.0.2357.65-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1253 (core/html/parser/HTMLConstructionSite.cpp in the DOM implementation in ...) {DSA-3267-1} - chromium-browser 43.0.2357.65-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1252 (common/partial_circular_buffer.cc in Google Chrome before 43.0.2357.65 ...) {DSA-3267-1} - chromium-browser 43.0.2357.65-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1251 (Use-after-free vulnerability in the SpeechRecognitionClient implementa ...) {DSA-3267-1} - chromium-browser 43.0.2357.65-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1250 (Multiple unspecified vulnerabilities in Google Chrome before 42.0.2311 ...) {DSA-3242-1} - chromium-browser 42.0.2311.135-1 [wheezy] - chromium-browser [squeeze] - chromium-browser NOTE: http://googlechromereleases.blogspot.com/2015/04/stable-channel-update_28.html CVE-2015-1249 (Multiple unspecified vulnerabilities in Google Chrome before 42.0.2311 ...) {DSA-3238-1} - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1248 (The FileSystem API in Google Chrome before 40.0.2214.91 allows remote ...) {DSA-3238-1} - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1247 (The SearchEngineTabHelper::OnPageHasOSDD function in browser/ui/search ...) {DSA-3238-1} - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1246 (Blink, as used in Google Chrome before 42.0.2311.90, allows remote att ...) {DSA-3238-1} - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1245 (Use-after-free vulnerability in the OpenPDFInReaderView::Update functi ...) {DSA-3238-1} - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1244 (The URLRequest::GetHSTSRedirect function in url_request/url_request.cc ...) {DSA-3238-1} - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1243 (Use-after-free vulnerability in the MutationObserver::disconnect funct ...) {DSA-3242-1} - chromium-browser 42.0.2311.135-1 [wheezy] - chromium-browser [squeeze] - chromium-browser NOTE: http://googlechromereleases.blogspot.com/2015/04/stable-channel-update_28.html CVE-2015-1242 (The ReduceTransitionElementsKind function in hydrogen-check-eliminatio ...) {DSA-3238-1} - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1241 (Google Chrome before 42.0.2311.90 does not properly consider the inter ...) {DSA-3238-1} - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1240 (gpu/blink/webgraphicscontext3d_impl.cc in the WebGL implementation in ...) {DSA-3238-1} - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1239 (Double free vulnerability in the j2k_read_ppm_v3 function in OpenJPEG ...) {DLA-1433-1} - openjpeg2 2.1.1-1 NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=430891 NOTE: https://github.com/uclouvain/openjpeg/issues/477 NOTE: The issue must have been fixed in one of the commits before or with NOTE: https://github.com/uclouvain/openjpeg/commit/2d24b6000d5611615e3e6d799e20d5fdbe4e2a1e NOTE: which corresponds to the r2997 commit as mentioned in the merge which NOTE: fixed the issue on Google/PDFium's side. CVE-2015-1238 (Skia, as used in Google Chrome before 42.0.2311.90, allows remote atta ...) {DSA-3238-1} - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1237 (Use-after-free vulnerability in the RenderFrameImpl::OnMessageReceived ...) {DSA-3238-1} - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1236 (The MediaElementAudioSourceNode::process function in modules/webaudio/ ...) {DSA-3238-1} - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1235 (The ContainerNode::parserRemoveChild function in core/dom/ContainerNod ...) {DSA-3238-1} - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1234 (Race condition in gpu/command_buffer/service/gles2_cmd_decoder.cc in G ...) - chromium-browser 41.0.2272.118-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1233 (Google Chrome before 41.0.2272.118 does not properly handle the intera ...) - chromium-browser 41.0.2272.118-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1232 (Array index error in the MidiManagerUsb::DispatchSendMidiData function ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1231 (Multiple unspecified vulnerabilities in Google Chrome before 41.0.2272 ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1230 (The getHiddenProperty function in bindings/core/v8/V8EventListenerList ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser - libv8-3.14 (unimportant) NOTE: libv8 not covered by security support CVE-2015-1229 (net/http/proxy_client_socket.cc in Google Chrome before 41.0.2272.76 d ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1228 (The RenderCounter::updateCounter function in core/rendering/RenderCoun ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1227 (The DragImage::create function in platform/DragImage.cpp in Blink, as ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1226 (The DebuggerFunction::InitAgentHost function in browser/extensions/api ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1225 (PDFium, as used in Google Chrome before 41.0.2272.76, allows remote at ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1224 (The VpxVideoDecoder::VpxDecode function in media/filters/vpx_video_dec ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1223 (Multiple use-after-free vulnerabilities in core/html/HTMLInputElement. ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1222 (Multiple use-after-free vulnerabilities in the ServiceWorkerScriptCach ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1221 (Use-after-free vulnerability in Blink, as used in Google Chrome before ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1220 (Use-after-free vulnerability in the GIFImageReader::parseData function ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1219 (Integer overflow in the SkMallocPixelRef::NewAllocate function in core ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1218 (Multiple use-after-free vulnerabilities in the DOM implementation in B ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1217 (The V8LazyEventListener::prepareListenerObject function in bindings/co ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1216 (Use-after-free vulnerability in the V8Window::namedPropertyGetterCusto ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1215 (The filters implementation in Skia, as used in Google Chrome before 41 ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1214 (Integer overflow in the SkAutoSTArray implementation in include/core/S ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1213 (The SkBitmap::ReadRawPixels function in core/SkBitmap.cpp in the filte ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1212 (Multiple unspecified vulnerabilities in Google Chrome before 40.0.2214 ...) - chromium-browser 40.0.2214.111-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1211 (The OriginCanAccessServiceWorkers function in content/browser/service_ ...) - chromium-browser 40.0.2214.111-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1210 (The V8ThrowException::createDOMException function in bindings/core/v8/ ...) - chromium-browser 40.0.2214.111-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1209 (Use-after-free vulnerability in the VisibleSelection::nonBoundaryShado ...) - chromium-browser 40.0.2214.111-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1208 (Integer underflow in the mov_read_default function in libavformat/mov. ...) - ffmpeg 7:2.5.3-1 NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=3ebd76a9c57558e284e94da367dd23b435e6a6d0 CVE-2015-1207 (Double-free vulnerability in libavformat/mov.c in FFMPEG in Google Chr ...) {DLA-1654-1} - ffmpeg 7:2.6.1-1 - libav NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=3859868c75313e318ebc5d0d33baada62d45dd75 CVE-2015-1206 (Heap-based buffer overflow in Google Chrome before M40 allows remote a ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser CVE-2015-1204 (Cross-site scripting (XSS) vulnerability in the Save Filters functiona ...) NOT-FOR-US: Save Filters functionality in the WP Slimstat plugin for WordPress CVE-2015-1190 RESERVED CVE-2015-1189 RESERVED CVE-2015-1188 (The certificate verification functions in the HNDS service in Swisscom ...) NOT-FOR-US: Swisscom Centro Grande DSL router CVE-2015-1187 (The ping tool in multiple D-Link and TRENDnet devices allow remote att ...) NOT-FOR-US: D-Link CVE-2015-1186 RESERVED CVE-2015-1185 RESERVED CVE-2015-1184 RESERVED CVE-2015-1183 RESERVED CVE-2015-1181 RESERVED CVE-2015-1180 (Cross-site scripting (XSS) vulnerability in the Web Reports in EventSe ...) NOT-FOR-US: EventSentry CVE-2015-1179 (Multiple cross-site scripting (XSS) vulnerabilities in data_point_deta ...) NOT-FOR-US: Mango Automation CVE-2015-1178 (Multiple cross-site scripting (XSS) vulnerabilities in cart.php in X-C ...) NOT-FOR-US: X-Cart CVE-2015-1177 (Cross-site scripting (XSS) vulnerability in Exponent CMS 2.3.2. ...) NOT-FOR-US: Exponent CMS CVE-2015-1176 (Cross-site scripting (XSS) vulnerability in upload/scp/tickets.php in ...) NOT-FOR-US: osTicket CVE-2015-1174 (Session fixation vulnerability in Unit4 Polska TETA Web (formerly TETA ...) NOT-FOR-US: Unit4 Polska TETA Web CVE-2015-1173 (Unit4 Polska TETA Web (formerly TETA Galactica) 22.62.3.4 does not pro ...) NOT-FOR-US: Unit4 Polska TETA Web CVE-2015-1172 (Unrestricted file upload vulnerability in admin/upload-file.php in the ...) NOT-FOR-US: WordPress theme holding_pattern CVE-2015-1171 (Stack-based buffer overflow in GSM SIM Utility (aka SIM Card Editor) 6 ...) NOT-FOR-US: SIM Card Editor CVE-2015-1170 (The NVIDIA Display Driver R304 before 309.08, R340 before 341.44, R343 ...) NOT-FOR-US: NVIDIA Windows driver CVE-2015-1169 (Apereo Central Authentication Service (CAS) Server before 3.5.3 allows ...) NOT-FOR-US: Apereo Central Authentication Service CVE-2015-1168 RESERVED CVE-2015-1167 RESERVED CVE-2015-1166 RESERVED CVE-2015-1165 (RT (aka Request Tracker) 3.8.8 through 4.x before 4.0.23 and 4.2.x bef ...) {DSA-3176-1 DLA-158-1} - request-tracker4 4.2.8-3 - request-tracker3.8 CVE-2015-1163 RESERVED CVE-2015-1162 RESERVED CVE-2015-1161 RESERVED CVE-2014-9631 RESERVED CVE-2014-9638 (oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial ...) {DLA-1010-1 DLA-317-1} - vorbis-tools 1.4.0-7 (unimportant; bug #776086) [jessie] - vorbis-tools 1.4.0-6+deb8u1 - opus-tools 0.1.10-1 (unimportant; bug #780160) NOTE: https://trac.xiph.org/ticket/2137 NOTE: Fixed by: https://github.com/mark4o/opus-tools/commit/8c412e619b83eb6dd32191909cf6672e93e5802e NOTE: No security impact NOTE: proposed patch: http://lists.xiph.org/pipermail/vorbis-dev/2015-February/020423.html CVE-2014-9639 (Integer overflow in oggenc in vorbis-tools 1.4.0 allows remote attacke ...) {DLA-1010-1 DLA-317-1} - vorbis-tools 1.4.0-7 (low; bug #776086) [jessie] - vorbis-tools 1.4.0-6+deb8u1 [squeeze] - vorbis-tools (Minor issue) - opus-tools 0.1.10-1 (bug #780160) [jessie] - opus-tools (Minor issue) [wheezy] - opus-tools (Minor issue) NOTE: https://trac.xiph.org/ticket/2136 NOTE: Fixed by: https://github.com/mark4o/opus-tools/commit/8c412e619b83eb6dd32191909cf6672e93e5802e NOTE: proposed patch: http://lists.xiph.org/pipermail/vorbis-dev/2015-February/020423.html CVE-2014-9640 (oggenc/oggenc.c in vorbis-tools 1.4.0 allows remote attackers to cause ...) {DLA-1010-1 DLA-317-1} - vorbis-tools 1.4.0-6 (bug #771363) [squeeze] - vorbis-tools (Minor issue) NOTE: https://trac.xiph.org/ticket/2009 NOTE: Upstream fix: https://trac.xiph.org/changeset/19117 CVE-2014-9649 (Cross-site scripting (XSS) vulnerability in the management plugin in R ...) - rabbitmq-server 3.4.1-1 [jessie] - rabbitmq-server (Minor issue) [wheezy] - rabbitmq-server (Minor issue) [squeeze] - rabbitmq-server (Management web UI not available in version 1.8.1) NOTE: https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs NOTE: http://www.openwall.com/lists/oss-security/2015/01/21/13 CVE-2014-9650 (CRLF injection vulnerability in the management plugin in RabbitMQ 2.1. ...) - rabbitmq-server 3.4.1-1 [jessie] - rabbitmq-server (Minor issue) [wheezy] - rabbitmq-server (Minor issue) [squeeze] - rabbitmq-server (Management web UI not available in version 1.8.1) NOTE: https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs NOTE: Fixed by: https://github.com/rabbitmq/rabbitmq-management/commit/b5a5fc31bd49ad821a655ea9e2fe920d670a62ad NOTE: http://www.openwall.com/lists/oss-security/2015/01/21/13 CVE-2015-1396 (A Directory Traversal vulnerability exists in the GNU patch before 2.7 ...) - patch 2.7.3-1 (bug #775901) [wheezy] - patch (Not affected by CVE-2015-1196 and no incomplete fix applied) [squeeze] - patch (Not affected by CVE-2015-1196 and no incomplete fix applied) NOTE: http://www.openwall.com/lists/oss-security/2015/01/24/3 CVE-2015-1353 REJECTED CVE-2015-4471 (Off-by-one error in the lzxd_decompress function in lzxd.c in libmspac ...) - libmspack 0.5-1 (bug #775499) NOTE: http://www.openwall.com/lists/oss-security/2015/02/03/11 CVE-2014-9732 (The cabd_extract function in cabd.c in libmspack before 0.5 does not p ...) - libmspack 0.5-1 (bug #774665) NOTE: http://www.openwall.com/lists/oss-security/2015/02/03/11 CVE-2015-4470 (Off-by-one error in the inflate function in mszipd.c in libmspack befo ...) - libmspack 0.5-1 (bug #775498) NOTE: http://www.openwall.com/lists/oss-security/2015/02/03/11 CVE-2015-4472 (Off-by-one error in the READ_ENCINT macro in chmd.c in libmspack befor ...) - libmspack 0.5-1 (bug #775687) NOTE: http://www.openwall.com/lists/oss-security/2015/02/03/11 CVE-2015-1591 (The kamailio build in kamailio before 4.2.0-2 process allows local use ...) - kamailio 4.2.0-2 (bug #775681) NOTE: https://github.com/kamailio/kamailio/issues/48 CVE-2015-1590 (The kamcmd administrative utility and default configuration in kamaili ...) - kamailio 4.2.0-2 (bug #775681) NOTE: https://github.com/kamailio/kamailio/issues/48 CVE-2015-XXXX [insecure configuration permissions] - phabricator 0~git20150129-1 (bug #775479) CVE-2014-9637 (GNU patch 2.7.2 and earlier allows remote attackers to cause a denial ...) - patch 2.7.1-7 [wheezy] - patch (Vulnerability introduced later) [squeeze] - patch (Vulnerability introduced later) NOTE: https://savannah.gnu.org/bugs/?44051 NOTE: http://git.savannah.gnu.org/cgit/patch.git/commit/?id=0c08d7a902c6fdd49b704623a12d8d672ef18944 CVE-2015-XXXX [race condition between fur and fex_cleanup may create internal instead of external user] - fex 20150120-1 (low; bug #773751) [squeeze] - fex (Minor issue as it does not affect default setups) CVE-2015-XXXX [information leak in event device handling] - linux 3.16.7-ckt7-1 [wheezy] - linux (Introduced in 3.11) - linux-2.6 (Introduced in 3.11) NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7c4f56070fde2367766fa1fb04852599b5e1ad35 (v3.18-rc1) NOTE: Introduced by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=483180281f0ac60d1138710eb21f4b9961901294 (v3.11-rc1) NOTE: CVE Request: http://article.gmane.org/gmane.comp.security.oss.general/15457 CVE-2015-1346 (Multiple unspecified vulnerabilities in Google V8 before 3.30.33.15, a ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser - libv8-3.14 (unimportant; bug #773671) NOTE: libv8 not covered by security support CVE-2015-1345 (The bmexec_trans function in kwset.c in grep 2.19 through 2.21 allows ...) - grep 2.20-4.1 (low; bug #776039) [squeeze] - grep (Issue introduced with v2.18-90-g73893ff) [wheezy] - grep (Issue introduced with v2.18-90-g73893ff) NOTE: http://bugs.gnu.org/19563 NOTE: Upstream fix: http://git.sv.gnu.org/cgit/grep.git/commit/?id=83a95bd8c8561875b948cadd417c653dbe7ef2e2 CVE-2014-XXXX [formail: memory corruption] - procmail 3.22-24 (bug #769937) [wheezy] - procmail (Minor issue) [squeeze] - procmail (Minor issue) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/01/21/9 CVE-2015-1182 (The asn1_get_sequence_of function in library/asn1parse.c in PolarSSL 1 ...) {DSA-3136-1 DLA-144-1} - polarssl 1.3.9-2.1 (bug #775776) NOTE: https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-04 CVE-2015-1175 (Cross-site scripting (XSS) vulnerability in blocklayered-ajax.php in t ...) NOT-FOR-US: PrestaShop CVE-2015-1160 RESERVED CVE-2015-1159 (Cross-site scripting (XSS) vulnerability in the cgi_puts function in c ...) {DSA-3283-1 DLA-239-1} - cups 1.7.5-12 CVE-2015-1158 (The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3 ...) {DSA-3283-1 DLA-239-1} - cups 1.7.5-12 CVE-2015-1157 (CoreText in Apple iOS 8.x through 8.3 allows remote attackers to cause ...) NOT-FOR-US: Apple iOS CVE-2015-1156 (The page-loading implementation in WebKit, as used in Apple Safari bef ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1155 (The history implementation in WebKit, as used in Apple Safari before 6 ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1154 (WebKit, as used in Apple Safari before 6.2.6, 7.x before 7.1.6, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1153 (WebKit, as used in Apple Safari before 6.2.6, 7.x before 7.1.6, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1152 (WebKit, as used in Apple Safari before 6.2.6, 7.x before 7.1.6, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1151 (Wiki Server in Apple OS X Server before 4.1 allows remote attackers to ...) NOT-FOR-US: Apple CVE-2015-1150 (The Firewall component in Apple OS X Server before 4.1 uses an incorre ...) NOT-FOR-US: Apple CVE-2015-1149 (Integer overflow in the simulator in Swift in Apple Xcode before 6.3 a ...) NOT-FOR-US: Apple Xcode CVE-2015-1148 (Screen Sharing in Apple OS X before 10.10.3 stores the password of a u ...) NOT-FOR-US: Apple CVE-2015-1147 (Open Directory Client in Apple OS X before 10.10.3 sends unencrypted p ...) NOT-FOR-US: Apple CVE-2015-1146 (The Code Signing implementation in Apple OS X before 10.10.3 does not ...) NOT-FOR-US: Apple CVE-2015-1145 (The Code Signing implementation in Apple OS X before 10.10.3 does not ...) NOT-FOR-US: Apple CVE-2015-1144 (Buffer overflow in the UniformTypeIdentifiers component in Apple OS X ...) NOT-FOR-US: Apple CVE-2015-1143 (LaunchServices in Apple OS X before 10.10.3 allows local users to gain ...) NOT-FOR-US: Apple CVE-2015-1142 (LaunchServices in Apple OS X before 10.10.3 allows local users to caus ...) NOT-FOR-US: Apple CVE-2015-1141 (The mach_vm_read functionality in the kernel in Apple OS X before 10.1 ...) NOT-FOR-US: Apple CVE-2015-1140 (Buffer overflow in IOHIDFamily in Apple OS X before 10.10.3 allows loc ...) NOT-FOR-US: Apple CVE-2015-1139 (ImageIO in Apple OS X before 10.10.3 allows remote attackers to execut ...) NOT-FOR-US: Apple CVE-2015-1138 (Hypervisor in Apple OS X before 10.10.3 allows local users to cause a ...) NOT-FOR-US: Apple CVE-2015-1137 (The NVIDIA graphics driver in Apple OS X before 10.10.3 allows local u ...) NOT-FOR-US: Apple CVE-2015-1136 (Use-after-free vulnerability in CoreAnimation in Apple OS X before 10. ...) NOT-FOR-US: Apple CVE-2015-1135 (fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows ...) NOT-FOR-US: Apple CVE-2015-1134 (fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows ...) NOT-FOR-US: Apple CVE-2015-1133 (fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows ...) NOT-FOR-US: Apple CVE-2015-1132 (fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows ...) NOT-FOR-US: Apple CVE-2015-1131 (fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows ...) NOT-FOR-US: Apple CVE-2015-1130 (The XPC implementation in Admin Framework in Apple OS X before 10.10.3 ...) NOT-FOR-US: Apple CVE-2015-1129 (Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5 does ...) NOT-FOR-US: Apple Safari CVE-2015-1128 (The private-browsing implementation in Apple Safari before 6.2.5, 7.x ...) NOT-FOR-US: Apple Safari CVE-2015-1127 (The private-browsing implementation in WebKit in Apple Safari before 6 ...) NOT-FOR-US: Apple Safari CVE-2015-1126 (WebKit, as used in Apple iOS before 8.3 and Apple Safari before 6.2.5, ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1125 (The touch-events implementation in WebKit in Apple iOS before 8.3 allo ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1124 (WebKit, as used in Apple iOS before 8.3, Apple TV before 7.2, and Appl ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1123 (WebKit, as used in Apple iOS before 8.3 and Apple TV before 7.2, allow ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1122 (WebKit, as used in Apple iOS before 8.3, Apple TV before 7.2, and Appl ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1121 (WebKit, as used in Apple iOS before 8.3, Apple TV before 7.2, and Appl ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1120 (WebKit, as used in Apple iOS before 8.3, Apple TV before 7.2, and Appl ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1119 (WebKit, as used in Apple iOS before 8.3, Apple TV before 7.2, and Appl ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1118 (libnetcore in Apple iOS before 8.3, Apple OS X before 10.10.3, and App ...) NOT-FOR-US: Apple CVE-2015-1117 (The (1) setreuid and (2) setregid system-call implementations in the k ...) NOT-FOR-US: iOS CVE-2015-1116 (The UIKit View component in Apple iOS before 8.3 displays unblurred ap ...) NOT-FOR-US: iOS CVE-2015-1115 (The Telephony component in Apple iOS before 8.3 allows attackers to by ...) NOT-FOR-US: iOS CVE-2015-1114 (The Sandbox Profiles component in Apple iOS before 8.3 and Apple TV be ...) NOT-FOR-US: iOS CVE-2015-1113 (The Sandbox Profiles component in Apple iOS before 8.3 allows attacker ...) NOT-FOR-US: iOS CVE-2015-1112 (Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5, as ...) NOT-FOR-US: iOS CVE-2015-1111 (Safari in Apple iOS before 8.3 does not delete Recently Closed Tabs da ...) NOT-FOR-US: iOS CVE-2015-1110 (The Podcasts component in Apple iOS before 8.3 and Apple TV before 7.2 ...) NOT-FOR-US: iOS CVE-2015-1109 (NetworkExtension in Apple iOS before 8.3 stores credentials in VPN con ...) NOT-FOR-US: iOS CVE-2015-1108 (The Lock Screen component in Apple iOS before 8.3 does not properly en ...) NOT-FOR-US: iOS CVE-2015-1107 (The Lock Screen component in Apple iOS before 8.3 does not properly im ...) NOT-FOR-US: iOS CVE-2015-1106 (The QuickType feature in the Keyboards subsystem in Apple iOS before 8 ...) NOT-FOR-US: iOS CVE-2015-1105 (The TCP implementation in the kernel in Apple iOS before 8.3, Apple OS ...) NOT-FOR-US: iOS CVE-2015-1104 (The kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and App ...) NOT-FOR-US: iOS CVE-2015-1103 (The kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and App ...) NOT-FOR-US: iOS CVE-2015-1102 (The kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and App ...) NOT-FOR-US: iOS CVE-2015-1101 (The kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and App ...) NOT-FOR-US: iOS CVE-2015-1100 (The kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and App ...) NOT-FOR-US: iOS CVE-2015-1099 (Race condition in the setreuid system-call implementation in the kerne ...) NOT-FOR-US: iOS CVE-2015-1098 (iWork in Apple iOS before 8.3 and Apple OS X before 10.10.3 allows rem ...) NOT-FOR-US: iOS CVE-2015-1097 (IOMobileFramebuffer in Apple iOS before 8.3 and Apple TV before 7.2 al ...) NOT-FOR-US: iOS CVE-2015-1096 (IOHIDFamily in Apple iOS before 8.3, Apple OS X before 10.10.3, and Ap ...) NOT-FOR-US: iOS CVE-2015-1095 (IOHIDFamily in Apple iOS before 8.3, Apple OS X before 10.10.3, and Ap ...) NOT-FOR-US: iOS CVE-2015-1094 (IOAcceleratorFamily in Apple iOS before 8.3 and Apple TV before 7.2 al ...) NOT-FOR-US: iOS CVE-2015-1093 (FontParser in Apple iOS before 8.3 and Apple OS X before 10.10.3 allow ...) NOT-FOR-US: iOS CVE-2015-1092 (NSXMLParser in Foundation in Apple iOS before 8.3 and Apple TV before ...) NOT-FOR-US: iOS CVE-2015-1091 (The CFNetwork Session component in Apple iOS before 8.3 and Apple OS X ...) NOT-FOR-US: iOS CVE-2015-1090 (CFNetwork in Apple iOS before 8.3 does not delete HTTP Strict Transpor ...) NOT-FOR-US: iOS CVE-2015-1089 (CFNetwork in Apple iOS before 8.3 and Apple OS X before 10.10.3 does n ...) NOT-FOR-US: iOS CVE-2015-1088 (CFURL in Apple iOS before 8.3 and Apple OS X before 10.10.3 does not p ...) NOT-FOR-US: iOS CVE-2015-1087 (Directory traversal vulnerability in Backup in Apple iOS before 8.3 al ...) NOT-FOR-US: iOS CVE-2015-1086 (The Audio Drivers subsystem in Apple iOS before 8.3 and Apple TV befor ...) NOT-FOR-US: iOS CVE-2015-1085 (AppleKeyStore in Apple iOS before 8.3 does not properly restrict a cer ...) NOT-FOR-US: iOS CVE-2015-1084 (The user interface in WebKit, as used in Apple Safari before 6.2.4, 7. ...) NOT-FOR-US: Safari CVE-2015-1083 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1082 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1081 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1080 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1079 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1078 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1077 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1076 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1075 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1074 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1073 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1072 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1071 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1070 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1069 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1068 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1067 (Secure Transport in Apple iOS before 8.2, Apple OS X through 10.10.2, ...) NOT-FOR-US: Apple CVE-2015-1066 (Off-by-one error in IOAcceleratorFamily in Apple OS X through 10.10.2 ...) NOT-FOR-US: Apple CVE-2015-1065 (Multiple buffer overflows in iCloud Keychain in Apple iOS before 8.2 a ...) NOT-FOR-US: Apple CVE-2015-1064 (Springboard in Apple iOS before 8.2 allows physically proximate attack ...) NOT-FOR-US: Apple CVE-2015-1063 (CoreTelephony in Apple iOS before 8.2 allows remote attackers to cause ...) NOT-FOR-US: Apple CVE-2015-1062 (MobileStorageMounter in Apple iOS before 8.2 and Apple TV before 7.1 d ...) NOT-FOR-US: Apple CVE-2015-1061 (IOSurface in Apple iOS before 8.2, Apple OS X through 10.10.2, and App ...) NOT-FOR-US: Apple CVE-2015-1060 (Open redirect vulnerability in lib/Cake/Controller/Controller.php in A ...) NOT-FOR-US: AdaptCMS CVE-2015-1059 (Unrestricted file upload vulnerability in admin/files/add in AdaptCMS ...) NOT-FOR-US: AdaptCMS CVE-2015-1058 (Multiple cross-site scripting (XSS) vulnerabilities in AdaptCMS 3.0.3 ...) NOT-FOR-US: AdaptCMS CVE-2015-1057 (Cross-site scripting (XSS) vulnerability in usersettings.php in e107 2 ...) NOT-FOR-US: e107 CVE-2015-1056 (Cross-site scripting (XSS) vulnerability in Brother MFC-J4410DW printe ...) NOT-FOR-US: Brother printer CVE-2015-1055 (SQL injection vulnerability in the Photo Gallery plugin 1.2.7 for Word ...) NOT-FOR-US: WordPress plugin Photo Gallery CVE-2015-1054 (Cross-site scripting (XSS) vulnerability in the Games feature in Crea8 ...) NOT-FOR-US: Crea8Social CVE-2015-1053 (Cross-site scripting (XSS) vulnerability in the administrative backend ...) NOT-FOR-US: Croogo CVE-2015-1052 (Cross-site scripting (XSS) vulnerability in the poll archive in PHPKIT ...) NOT-FOR-US: PHPKIT CVE-2015-1050 (Cross-site scripting (XSS) vulnerability in F5 BIG-IP Application Secu ...) NOT-FOR-US: F5 BIG-IP Application Security Manager CVE-2015-1049 (The web server on Siemens SCALANCE X-200IRT switches with firmware bef ...) NOT-FOR-US: Siemens SCALANCE CVE-2015-1205 (Multiple unspecified vulnerabilities in Google Chrome before 40.0.2214 ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser NOTE: See CVE-2014-9654 for the bug in src:icu CVE-2015-1203 REJECTED CVE-2015-1202 REJECTED CVE-2015-1201 (Privoxy before 3.0.22 allows remote attackers to cause a denial of ser ...) NOT-FOR-US: Bogus entry for Privoxy picked from Secunia CVE-2014-9630 (The rtp_packetize_xiph_config function in modules/stream_out/rtpfmt.c ...) {DSA-3150-1} - vlc 2.2.0~rc2-2 (bug #775866) [squeeze] - vlc (Unsupported in squeeze-lts) NOTE: https://github.com/videolan/vlc/commit/204291467724867b79735c0ee3aeb0dbc2200f97 CVE-2014-9629 (Integer overflow in the Encode function in modules/codec/schroedinger. ...) {DSA-3150-1} - vlc 2.2.0~rc2-2 (bug #775866) [squeeze] - vlc (Unsupported in squeeze-lts) NOTE: https://github.com/videolan/vlc/commit/9bb0353a5c63a7f8c6fc853faa3df4b4df1f5eb5 CVE-2014-9628 (The MP4_ReadBox_String function in modules/demux/mp4/libmp4.c in Video ...) {DSA-3150-1} - vlc 2.2.0~rc2-2 (bug #775866) [squeeze] - vlc (Unsupported in squeeze-lts) NOTE: https://github.com/videolan/vlc/commit/2e7c7091a61aa5d07e7997b393d821e91f593c39 CVE-2014-9627 (The MP4_ReadBox_String function in modules/demux/mp4/libmp4.c in Video ...) {DSA-3150-1} - vlc 2.2.0~rc2-2 (bug #775866) [squeeze] - vlc (Unsupported in squeeze-lts) NOTE: https://github.com/videolan/vlc/commit/2e7c7091a61aa5d07e7997b393d821e91f593c39 CVE-2014-9626 (Integer underflow in the MP4_ReadBox_String function in modules/demux/ ...) {DSA-3150-1} - vlc 2.2.0~rc2-2 (bug #775866) [squeeze] - vlc (Unsupported in squeeze-lts) NOTE: https://github.com/videolan/vlc/commit/2e7c7091a61aa5d07e7997b393d821e91f593c39 CVE-2014-9625 (The GetUpdateFile function in misc/update.c in the Updater in VideoLAN ...) - vlc (Update mechanism not enabled in the Debian package) [squeeze] - vlc (Unsupported in squeeze-lts) NOTE: https://github.com/videolan/vlc/commit/fbe2837bc80f155c001781041a54c58b5524fc14 CVE-2014-9623 (OpenStack Glance 2014.2.x through 2014.2.1, 2014.1.3, and earlier allo ...) - glance 2014.1.3-12 (bug #776580) [wheezy] - glance (Minor issue) NOTE: Versions: up to 2014.1.3 and 2014.2 version up to 2014.2.1 CVE-2014-9619 (Unrestricted file upload vulnerability in webadmin/ajaxfilemanager/aja ...) NOT-FOR-US: Netsweeper CVE-2014-9618 (The Client Filter Admin portal in Netsweeper before 3.1.10, 4.0.x befo ...) NOT-FOR-US: Netsweeper CVE-2014-9617 (Open redirect vulnerability in remotereporter/load_logfiles.php in Net ...) NOT-FOR-US: Netsweeper CVE-2014-9616 (Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 a ...) NOT-FOR-US: Netsweeper CVE-2014-9615 (Cross-site scripting (XSS) vulnerability in Netsweeper 4.0.4 allows re ...) NOT-FOR-US: Netsweeper CVE-2014-9614 (The Web Panel in Netsweeper before 4.0.5 has a default password of bra ...) NOT-FOR-US: Netsweeper CVE-2014-9613 (Multiple SQL injection vulnerabilities in Netsweeper before 2.6.29.10 ...) NOT-FOR-US: Netsweeper CVE-2014-9612 (SQL injection vulnerability in remotereporter/load_logfiles.php in Net ...) NOT-FOR-US: Netsweeper CVE-2014-9611 (Netsweeper before 4.0.5 allows remote attackers to bypass authenticati ...) NOT-FOR-US: Netsweeper CVE-2014-9610 (Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 a ...) NOT-FOR-US: Netsweeper CVE-2014-9609 (Directory traversal vulnerability in webadmin/reporter/view_server_log ...) NOT-FOR-US: Netsweeper CVE-2014-9608 (Cross-site scripting (XSS) vulnerability in webadmin/policy/group_tabl ...) NOT-FOR-US: Netsweeper CVE-2014-9607 (Cross-site scripting (XSS) vulnerability in remotereporter/load_logfil ...) NOT-FOR-US: Netsweeper CVE-2014-9606 (Multiple cross-site scripting (XSS) vulnerabilities in Netsweeper befo ...) NOT-FOR-US: Netsweeper CVE-2014-9605 (WebUpgrade in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x ...) NOT-FOR-US: Netsweeper CVE-2014-9604 (libavcodec/utvideodec.c in FFmpeg before 2.5.2 does not check for a ze ...) {DSA-3189-1} - ffmpeg 7:2.5.1-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav 6:11.3-1 (bug #775593) NOTE: Applies to 0.8, but in different file (utvideo.c) NOTE: libav: https://git.libav.org/?p=libav.git;a=commit;h=0ce3a0f9d9523a9bcad4c6d451ca5bbd7a4f420d NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=3881606240953b9275a247a1c98a567f3c44890f CVE-2014-9603 (The vmd_decode function in libavcodec/vmdvideo.c in FFmpeg before 2.5. ...) - ffmpeg 7:2.5.1-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) - libav (Vulnerable code not present, reproducer tested with 8, 11 and trunk) NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=3030fb7e0d41836f8add6399e9a7c7b740b48bfd CVE-2014-9602 (libavcodec/xface.h in FFmpeg before 2.5.2 establishes certain digits a ...) - ffmpeg 7:2.5.1-1 [squeeze] - ffmpeg (Vulnerable code not present) - libav (Vulnerable code not present) CVE-2014-9601 (Pillow before 2.7.0 allows remote attackers to cause a denial of servi ...) - pillow 2.6.1-2 (bug #776303) - python-imaging [wheezy] - python-imaging (Minor issue) [squeeze] - python-imaging (Minor issue) NOTE: https://github.com/python-pillow/Pillow/commit/b3e09122e527ae554eb590741bbd7611d5710e40 NOTE: http://web.archive.org/web/20150921104441/http://pillow.readthedocs.org:80/releasenotes/2.7.0.html#png-text-chunk-size-limits CVE-2014-9600 (Untrusted search path vulnerability in Macroplant iExplorer 3.6.3.0 al ...) NOT-FOR-US: Macroplant iExplorer CVE-2014-9599 (Cross-site scripting (XSS) vulnerability in the filemanager in b2evolu ...) - b2evolution CVE-2014-9598 (The picture_Release function in misc/picture.c in VideoLAN VLC media p ...) NOTE: https://trac.videolan.org/vlc/ticket/13390 NOTE: http://seclists.org/fulldisclosure/2015/Jan/72 NOTE: This was originally reported for VLC; but upstream states that it is in libavcodec NOTE: This seems to be Windows-specific issue, the reported error couldn't be reproduced NOTE: with any ffmpeg release and libav/0.8. CVE-2014-9597 (The picture_pool_Delete function in misc/picture_pool.c in VideoLAN VL ...) NOTE: https://trac.videolan.org/vlc/ticket/13389 NOTE: http://seclists.org/fulldisclosure/2015/Jan/72 NOTE: This was originally reported for VLC; but upstream states that it is in libavcodec NOTE: This seems to be Windows-specific issue, the reported error couldn't be reproduced NOTE: with any ffmpeg release and libav/0.8. CVE-2014-9596 (Panasonic Arbitrator Back-End Server (BES) MK 2.0 VPU before 9.3.1 bui ...) NOT-FOR-US: Panasonic Arbitrator Back-End Server CVE-2014-9595 (Buffer overflow in the SAP NetWeaver Dispatcher in SAP Kernel 7.00 32- ...) NOT-FOR-US: SAP NetWeaver CVE-2014-9594 (Buffer overflow in the SAP NetWeaver Dispatcher in SAP Kernel 7.00 32- ...) NOT-FOR-US: SAP NetWeaver CVE-2014-9593 (Apache CloudStack before 4.3.2 and 4.4.x before 4.4.2 allows remote at ...) NOT-FOR-US: Apache CloudStack CVE-2015-1308 (kde-workspace 4.2.0 and plasma-workspace before 5.1.95 allows remote a ...) - kde-workspace 4:5.1.95-1 [jessie] - kde-workspace (Minor issue) [wheezy] - kde-workspace (Minor issue) CVE-2015-1307 (plasma-workspace before 5.1.95 allows remote attackers to obtain passw ...) NOT-FOR-US: KDE Plasma 5 desktop, not yet packaged CVE-2015-1306 (The newsletter posting area in the web interface in Sympa 6.0.x before ...) {DSA-3134-1 DLA-148-1} - sympa 6.1.23~dfsg-2 NOTE: https://www.sympa.org/security_advisories#security_breaches_in_newsletter_posting CVE-2014-9624 (CAPTCHA bypass vulnerability in MantisBT before 1.2.19. ...) - mantis (bug #780875) [wheezy] - mantis (Minor issue) [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: Upstream commit: https://github.com/mantisbt/mantisbt/commit/39a92726 NOTE: https://www.mantisbt.org/bugs/view.php?id=17984 CVE-2015-1051 (Open redirect vulnerability in the Context UI module in the Context mo ...) NOT-FOR-US: Drupal extension drupal7-context CVE-2015-2304 (Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 a ...) {DSA-3180-1 DLA-166-1} - libarchive 3.1.2-11 (bug #778266) NOTE: http://www.openwall.com/lists/oss-security/2015/01/16/7 NOTE: Patch: https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526 CVE-2015-1200 (Race condition in pxz 4.999.99 Beta 3 uses weak file permissions for t ...) - pxz 4.999.99~beta3+git659fc9b-3 (bug #775306) CVE-2015-1199 (Directory traversal vulnerability in ppmd 10.1-5. ...) - ppmd (low; bug #775218) [jessie] - ppmd (Minor issue) [wheezy] - ppmd (Minor issue) [squeeze] - ppmd (Minor issue) CVE-2015-1195 (The V2 API in OpenStack Image Registry and Delivery Service (Glance) b ...) - glance 2014.1.3-11 (bug #775926) [wheezy] - glance (Vulnerable code not present) NOTE: up to 2014.1.3 and 2014.2 versions up to 2014.2.1 CVE-2012-XXXX [Insufficient validation of USB device descriptors] - oss4 4.2-build2010-2 (bug #775662) [wheezy] - oss4 (Minor issue) [squeeze] - oss4 (Minor issue) CVE-2015-1350 (The VFS subsystem in the Linux kernel 3.x provides an incomplete set o ...) {DLA-772-1} - linux 4.8.11-1 (bug #770492) [jessie] - linux 3.16.39-1 - linux-2.6 NOTE: Fixed by: https://git.kernel.org/linus/030b533c4fd4d2ec3402363323de4bb2983c9cee CVE-2014-XXXX [TYPO3-CORE-SA-2014-002: Multiple Vulnerabilities in TYPO3 CMS] - typo3-src 4.5.40+dfsg1-1 (bug #766502) [wheezy] - typo3-src (See DSA 3314) [squeeze] - typo3-src (Unsupported in squeeze-lts) NOTE: https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2014-002/ CVE-2013-XXXX [lhasa: several directory traversal vulnerabilities] - lhasa 0.2.0-1 [wheezy] - lhasa (Minor issue) CVE-2014-9636 (unzip 6.0 allows remote attackers to cause a denial of service (out-of ...) {DSA-3152-1 DLA-150-1} - unzip 6.0-15 (bug #776589) NOTE: http://seclists.org/oss-sec/2014/q4/489 NOTE: http://seclists.org/oss-sec/2014/q4/507 NOTE: http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450 CVE-2014-9635 (Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie he ...) - jenkins 1.565.3-3 (bug #769682) CVE-2014-9634 (Jenkins before 1.586 does not set the secure flag on session cookies w ...) - jenkins 1.565.3-3 (bug #769682) CVE-2015-1164 (Open redirect vulnerability in the serve-static plugin before 1.7.2 fo ...) - node-serve-static 1.6.4-2 (unimportant; bug #775843) NOTE: libv8 is not covered by security support NOTE: https://nodesecurity.io/advisories/serve-static-open-redirect NOTE: https://github.com/expressjs/serve-static/issues/26 CVE-2015-1048 (Open redirect vulnerability in the integrated web server on Siemens SI ...) NOT-FOR-US: Siemens CVE-2015-1047 (vpxd in VMware vCenter Server 5.0 before u3e, 5.1 before u3, and 5.5 b ...) NOT-FOR-US: VMware vCenter CVE-2015-1046 REJECTED CVE-2015-1045 REJECTED CVE-2015-1044 (vmware-authd (aka the Authorization process) in VMware Workstation 10. ...) NOT-FOR-US: VMware CVE-2015-1043 (The Host Guest File System (HGFS) in VMware Workstation 10.x before 10 ...) NOT-FOR-US: VMware CVE-2015-1041 (Cross-site scripting (XSS) vulnerability in e107_admin/filemanager.php ...) NOT-FOR-US: e107 CVE-2015-1040 (Multiple cross-site scripting (XSS) vulnerabilities in the administrat ...) NOT-FOR-US: BEdita CVE-2015-1039 (Cross-site scripting (XSS) vulnerability in user/login.phtml in ZF-Com ...) NOT-FOR-US: zfcUser CVE-2015-1037 RESERVED CVE-2015-1036 RESERVED CVE-2015-1035 RESERVED CVE-2015-1034 RESERVED CVE-2015-1033 RESERVED CVE-2015-1032 (Cross-site scripting (XSS) vulnerability in Kiwix before 0.9.1, when u ...) - kiwix NOTE: actually RFP again, but was removed from the archive on 2014-09-25 NOTE: See https://bugs.debian.org/763321 CVE-2015-1029 (The puppetlabs-stdlib module 2.1 through 3.0 and 4.1.0 through 4.5.x b ...) - puppet-module-puppetlabs-stdlib 4.9.0-1 (bug #775535) [jessie] - puppet-module-puppetlabs-stdlib (The jessie version of facter is recent enough) NOTE: http://puppetlabs.com/security/cve/cve-2015-1029 NOTE: http://lists.alioth.debian.org/pipermail/pkg-puppet-devel/2015-January/009318.html CVE-2015-1028 (Multiple cross-site scripting (XSS) vulnerabilities in D-Link DSL-2730 ...) NOT-FOR-US: D-Link router CVE-2015-1027 (The version checking subroutine in percona-toolkit before 2.2.13 and x ...) - percona-toolkit 2.2.13-1 (unimportant) [wheezy] - percona-toolkit (version-check introduced in 2.1.4) - percona-xtrabackup (unimportant) NOTE: Automatic version check is disabled and inherently insecure (CVE-2014-2029) NOTE: Patch applied to OpenSUSE 13.1: https://build.opensuse.org/package/view_file/openSUSE:13.1:Update/xtrabackup/percona-xtrabackup-CVE-2015-1027.patch?expand=1 CVE-2015-1026 (Multiple cross-site scripting (XSS) vulnerabilities in ZOHO ManageEngi ...) NOT-FOR-US: ZOHO ManageEngine CVE-2015-1025 RESERVED CVE-2015-1024 RESERVED CVE-2015-1023 RESERVED CVE-2015-1022 RESERVED CVE-2015-1021 RESERVED CVE-2015-1020 RESERVED CVE-2015-1019 RESERVED CVE-2015-1018 RESERVED CVE-2015-1017 RESERVED CVE-2015-1016 RESERVED CVE-2015-1015 (Omron CX-One CX-Programmer before 9.6, CJ2M PLC devices before 2.1, an ...) NOT-FOR-US: Omron CX-One CVE-2015-1014 (A successful exploit of these vulnerabilities requires the local user ...) NOT-FOR-US: Schneider Electric CVE-2015-1013 (OSIsoft PI AF 2.6 and 2.7 and PI SQL for AF 2.1.2.19 do not ensure tha ...) NOT-FOR-US: OSIsoft PI AF and OSIsoft PI SQL for AF CVE-2015-1012 (Wireless keys are stored in plain text on version 5 of the Hospira Lif ...) NOT-FOR-US: Hospira CVE-2015-1011 (Hospira LifeCare PCA Infusion System before 7.0 has hardcoded credenti ...) NOT-FOR-US: Hospira LifeCare CVE-2015-1010 (Rockwell Automation RSView32 7.60.00 (aka CPR9 SR4) and earlier does n ...) NOT-FOR-US: Rockwell Automation RSView32 CVE-2015-1009 (Schneider Electric InduSoft Web Studio before 7.1.3.5 Patch 5 and Wond ...) NOT-FOR-US: Schneider Electric CVE-2015-1008 (SQL injection vulnerability in Emerson AMS Device Manager before 13 al ...) NOT-FOR-US: Emerson AMS Device Manager CVE-2015-1007 (A specially crafted configuration file could be used to cause a stack- ...) NOT-FOR-US: Opto 22 PAC CVE-2015-1006 (A vulnerable file in Opto 22 PAC Project Professional versions prior t ...) NOT-FOR-US: Opto CVE-2015-1005 (IniNet embeddedWebServer (aka eWebServer) before 2.02 for Windows CE u ...) NOT-FOR-US: IniNet CVE-2015-1004 REJECTED CVE-2015-1003 (Directory traversal vulnerability in IniNet embeddedWebServer (aka eWe ...) NOT-FOR-US: IniNet CVE-2015-1002 (IniNet embeddedWebServer (aka eWebServer) before 2.02 mishandles URL e ...) NOT-FOR-US: IniNet CVE-2015-1001 (Multiple stack-based buffer overflows in IniNet embeddedWebServer (aka ...) NOT-FOR-US: IniNet CVE-2015-1000 (Stack-based buffer overflow in the OpenForIPCamTest method in the RTSP ...) NOT-FOR-US: SStreamVideo ActiveX control CVE-2015-0999 (Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and ...) NOT-FOR-US: Schneider Electric InduSoft Web Studio CVE-2015-0998 (Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and ...) NOT-FOR-US: Schneider Electric InduSoft Web Studio CVE-2015-0997 (Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and ...) NOT-FOR-US: Schneider Electric InduSoft Web Studio CVE-2015-0996 (Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and ...) NOT-FOR-US: Schneider Electric InduSoft Web Studio CVE-2015-0995 (Inductive Automation Ignition 7.7.2 uses MD5 password hashes, which ma ...) NOT-FOR-US: Inductive Automation Ignition CVE-2015-0994 (Inductive Automation Ignition 7.7.2 allows remote authenticated users ...) NOT-FOR-US: Inductive Automation Ignition CVE-2015-0993 (Inductive Automation Ignition 7.7.2 does not terminate a session upon ...) NOT-FOR-US: Inductive Automation Ignition CVE-2015-0992 (Inductive Automation Ignition 7.7.2 stores cleartext OPC Server creden ...) NOT-FOR-US: Inductive Automation Ignition CVE-2015-0991 (Inductive Automation Ignition 7.7.2 allows remote attackers to obtain ...) NOT-FOR-US: Inductive Automation Ignition CVE-2015-0990 (Untrusted search path vulnerability in Ecava IntegraXor SCADA Server b ...) NOT-FOR-US: Ecava IntegraXor SCADA Server CVE-2015-0989 (PACTware 4.1 SP3 allows remote attackers to cause a denial of service ...) NOT-FOR-US: PACTware CVE-2015-0988 (Omron CX-One CX-Programmer before 9.6 uses a reversible format for pas ...) NOT-FOR-US: Omron CX-One CVE-2015-0987 (Omron CX-One CX-Programmer before 9.6, CJ2M PLC devices before 2.1, an ...) NOT-FOR-US: Omron CX-One CVE-2015-0986 (Multiple stack-based buffer overflows in Moxa VPort ActiveX SDK Plus b ...) NOT-FOR-US: Moxa VPort ActiveX SDK Plus CVE-2015-0985 (Cross-site request forgery (CSRF) vulnerability in XZERES 442SR OS on ...) NOT-FOR-US: XZERES 442SR (wind turbine) CVE-2015-0984 (Directory traversal vulnerability in the FTP server on Honeywell Excel ...) NOT-FOR-US: Honeywell Excel Web CVE-2015-0983 REJECTED CVE-2015-0982 (Buffer overflow in an unspecified DLL in Schneider Electric Pelco DS-N ...) NOT-FOR-US: Schneider Electric CVE-2015-0981 (The SOAP web interface in SCADA Engine BACnet OPC Server before 2.1.37 ...) NOT-FOR-US: SCADA Engine BACnet CVE-2015-0980 (Format string vulnerability in BACnOPCServer.exe in the SOAP web inter ...) NOT-FOR-US: SCADA Engine BACnet CVE-2015-0979 (Heap-based buffer overflow in the SOAP web interface in SCADA Engine B ...) NOT-FOR-US: SCADA Engine BACnet CVE-2015-0978 (Multiple untrusted search path vulnerabilities in (1) EQATEC.Analytics ...) NOT-FOR-US: Elipse E3 CVE-2015-0977 (Network Vision IntraVue before 2.3.0a14 on Windows allows remote attac ...) NOT-FOR-US: IntraVue CVE-2015-0976 (Cross-site scripting (XSS) vulnerability in Inductive Automation Ignit ...) NOT-FOR-US: Inductive Automation Ignition CVE-2015-0975 RESERVED CVE-2015-0974 (Untrusted search path vulnerability in ZTE Datacard MF19 0V1.0.0B04 al ...) NOT-FOR-US: ZTE Datacard MF19 CVE-2015-0972 (Pearson ProctorCache before 2015.1.17 uses the same hardcoded password ...) NOT-FOR-US: Pearson ProctorCache CVE-2015-0971 (The DER parser in Suricata before 2.0.8 allows remote attackers to cau ...) {DSA-3254-1} - suricata 2.0.8-1 [wheezy] - suricata (ASN.1 parser for X509 certificates in DER format introduced in 1.3) [squeeze] - suricata (ASN.1 parser for X509 certificates in DER format introduced in 1.3) NOTE: http://suricata-ids.org/2015/05/06/suricata-2-0-8-available/ NOTE: Patch: https://github.com/inliniac/suricata/commit/fa73a0bb8f312fd0a95cc70f6b3ee4e4997bdba7 CVE-2015-0970 (Cross-site request forgery (CSRF) vulnerability in SearchBlox before 8 ...) NOT-FOR-US: SearchBlox CVE-2015-0969 (SearchBlox before 8.2 allows remote attackers to obtain sensitive info ...) NOT-FOR-US: SearchBlox CVE-2015-0968 (Unrestricted file upload vulnerability in admin/uploadImage.html in Se ...) NOT-FOR-US: SearchBlox CVE-2015-0967 (Multiple cross-site scripting (XSS) vulnerabilities in SearchBlox befo ...) NOT-FOR-US: SearchBlox CVE-2015-0966 RESERVED CVE-2015-0965 RESERVED CVE-2015-0964 RESERVED CVE-2015-0963 RESERVED CVE-2015-0962 (Barracuda Web Filter 7.x and 8.x before 8.1.0.005, when SSL Inspection ...) NOT-FOR-US: Barracuda Web Filter CVE-2015-0961 (Barracuda Web Filter before 8.1.0.005, when SSL Inspection is enabled, ...) NOT-FOR-US: Barracuda Web Filter CVE-2015-0960 RESERVED CVE-2015-0959 RESERVED CVE-2015-0958 RESERVED CVE-2015-0957 RESERVED CVE-2015-0956 RESERVED CVE-2015-0955 REJECTED CVE-2015-0954 RESERVED CVE-2015-0953 RESERVED CVE-2015-0952 RESERVED CVE-2015-0951 (X-Cart before 5.1.11 allows remote authenticated users to read or dele ...) NOT-FOR-US: X-Cart CVE-2015-0950 (Cross-site scripting (XSS) vulnerability in admin.php in X-Cart 5.1.6 ...) NOT-FOR-US: X-Cart CVE-2015-0949 (The System Management Mode (SMM) implementation in Dell Latitude E6430 ...) NOT-FOR-US: System Management Mode (SMM) implementation in various BIOS implementations CVE-2015-0948 RESERVED CVE-2015-0947 RESERVED CVE-2015-0946 RESERVED CVE-2015-0945 RESERVED CVE-2015-0944 RESERVED CVE-2015-0943 (Basware Banking (Maksuliikenne) before 9.10.0.0 does not encrypt commu ...) NOT-FOR-US: Basware Banking CVE-2015-0942 REJECTED CVE-2015-0941 (The Inetc plugin for Nullsoft Scriptable Install System (NSIS), as use ...) NOT-FOR-US: Nullsoft Scriptable Install System plugin Inetc CVE-2015-0940 RESERVED CVE-2015-0939 RESERVED CVE-2015-0938 (search.php on the Blue Coat Malware Analysis appliance with software b ...) NOT-FOR-US: Blue Coat CVE-2015-0937 (Cross-site scripting (XSS) vulnerability in search.php on the Blue Coa ...) NOT-FOR-US: Blue Coat CVE-2015-0936 (Ceragon FibeAir IP-10 have a default SSH public key in the authorized_ ...) NOT-FOR-US: Ceragon FibeAir IP-10 CVE-2015-0935 (Bomgar Remote Support before 15.1.1 allows remote attackers to execute ...) NOT-FOR-US: Bomgar Remote Support CVE-2015-0934 (Common LaTeX Service Interface (CLSI) before 0.1.3, as used in ShareLa ...) NOT-FOR-US: ShareLaTeX CVE-2015-0933 (Absolute path traversal vulnerability in ShareLaTeX 0.1.3 and earlier, ...) NOT-FOR-US: ShareLaTeX CVE-2015-0932 (The ANTlabs InnGate firmware on IG 3100, IG 3101, InnGate 3.00 E, InnG ...) NOT-FOR-US: ANTlabs InnGate CVE-2015-0931 (Ektron Content Management System (CMS) 8.5 and 8.7 before 8.7sp2 and 9 ...) NOT-FOR-US: Ektron CMS CVE-2015-0930 (The web interface on SerVision HVG Video Gateway devices with firmware ...) NOT-FOR-US: SerVision HVG Video Gateway CVE-2015-0929 (time.htm in the web interface on SerVision HVG Video Gateway devices w ...) NOT-FOR-US: SerVision HVG Video Gateway CVE-2015-0928 (libhtp 0.5.15 allows remote attackers to cause a denial of service (NU ...) - suricata 2.0.7-1 [wheezy] - suricata (Unusable in wheezy, planned for removal) [squeeze] - suricata (Minor issue) NOTE: https://redmine.openinfosecfoundation.org/issues/1385 NOTE: Commit: https://github.com/inliniac/suricata/commit/56196ace51395fcb2d8fc30d586e9ad782306d31 CVE-2015-0927 RESERVED CVE-2015-0926 (Labtech before 100.237 on Linux uses world-writable permissions for ro ...) NOT-FOR-US: Labtech CVE-2015-0925 (The client in iPass Open Mobile before 2.4.5 on Windows allows remote ...) NOT-FOR-US: iPass Open Mobile CVE-2015-0924 (Ceragon FibeAir IP-10 bridges have a default password for the root acc ...) NOT-FOR-US: Ceragon FiberAir IP-10 bridges CVE-2015-0923 (The ContentBlockEx method in Workarea/ServerControlWS.asmx in Ektron C ...) NOT-FOR-US: Ektron CMS CVE-2014-999999 REJECTED CVE-2014-99999 REJECTED CVE-2014-9999 REJECTED CVE-2014-9592 REJECTED CVE-2014-9591 REJECTED CVE-2014-9590 REJECTED CVE-2014-9589 REJECTED CVE-2014-9588 REJECTED CVE-2014-9586 RESERVED - binpac 0.43-1 CVE-2014-72038 REJECTED CVE-2014-62771 REJECTED CVE-2014-59156 REJECTED CVE-2014-54321 REJECTED CVE-2014-456132 REJECTED CVE-2014-32537 REJECTED CVE-2014-123456 REJECTED CVE-2014-10042 RESERVED CVE-2014-10041 RESERVED CVE-2014-10040 RESERVED CVE-2014-10038 (SQL injection vulnerability in agenda/indexdate.php in DomPHP 0.83 and ...) NOT-FOR-US: DomPHP CVE-2014-10037 (Directory traversal vulnerability in DomPHP 0.83 and earlier allows re ...) NOT-FOR-US: DomPHP CVE-2014-10036 (Cross-site scripting (XSS) vulnerability in JetBrains TeamCity before ...) NOT-FOR-US: JetBrains TeamCity CVE-2014-10035 (Multiple cross-site scripting (XSS) vulnerabilities in the admin area ...) NOT-FOR-US: couponPHP CVE-2014-10034 (Multiple SQL injection vulnerabilities in the admin area in couponPHP ...) NOT-FOR-US: couponPHP CVE-2014-10033 (SQL injection vulnerability in the update_zone function in catalog/adm ...) NOT-FOR-US: osCommerce Online Merchant CVE-2014-10032 (SQL injection vulnerability in news_popup.php in Taboada MacroNews 1.0 ...) NOT-FOR-US: Taboada MacroNews CVE-2014-10031 (Buffer overflow in the IMAPd service in Qualcomm Eudora WorldMail 9.0. ...) NOT-FOR-US: Qualcomm Eudora WorldMail CVE-2014-10030 (Open redirect vulnerability in forums/login.php in FluxBB before 1.4.1 ...) NOT-FOR-US: FluxBB CVE-2014-10029 (SQL injection vulnerability in profile.php in FluxBB before 1.4.13 and ...) NOT-FOR-US: FluxBB CVE-2014-10028 (Cross-site scripting (XSS) vulnerability in D-Link DAP-1360 router wit ...) NOT-FOR-US: D-Link DAP-1360 router CVE-2014-10027 (Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link D ...) NOT-FOR-US: D-Link DAP-1360 CVE-2014-10026 (index.cgi in D-Link DAP-1360 with firmware 2.5.4 and earlier allows re ...) NOT-FOR-US: D-Link DAP-1360 CVE-2014-10025 (Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link D ...) NOT-FOR-US: D-Link DAP-1360 CVE-2014-10024 (Multiple integer signedness errors in DirectShowDemuxFilter, as used i ...) NOT-FOR-US: Divx Web Player, Divx Player and Divx plugins CVE-2014-10023 (Multiple SQL injection vulnerabilities in TopicsViewer 3.0 Beta 1 allo ...) NOT-FOR-US: TopicsViewer CVE-2014-10021 (Unrestricted file upload vulnerability in UploadHandler.php in the WP ...) NOT-FOR-US: WP Symposium plugin for WordPress CVE-2014-10020 (SQL injection vulnerability in login.php in Simple e-document 1.31 all ...) NOT-FOR-US: Simple e-document CVE-2014-10019 (Multiple cross-site request forgery (CSRF) vulnerabilities in webconfi ...) NOT-FOR-US: Teracom T2-B-Gawv1.4U10Y-BI modem CVE-2014-10018 (Cross-site scripting (XSS) vulnerability in webconfig/wlan/country.htm ...) NOT-FOR-US: Teracom T2-B-Gawv1.4U10Y-BI modem CVE-2014-10017 (Multiple SQL injection vulnerabilities in the Welcart e-Commerce plugi ...) NOT-FOR-US: Welcart e-Commerce plugin for WordPress CVE-2014-10016 (Multiple cross-site scripting (XSS) vulnerabilities in the Welcart e-C ...) NOT-FOR-US: Welcart e-Commerce plugin for WordPress CVE-2014-10015 (SQL injection vulnerability in load-calendar.php in PHPJabbers Event B ...) NOT-FOR-US: PHPJabbers Event Booking Calendar CVE-2014-10014 (Multiple cross-site request forgery (CSRF) vulnerabilities in PHPJabbe ...) NOT-FOR-US: PHPJabbers Event Booking Calendar CVE-2014-10013 (SQL injection vulnerability in the Another WordPress Classifieds Plugi ...) NOT-FOR-US: Another WordPress Classifieds Plugin plugin for WordPress CVE-2014-10012 (Cross-site scripting (XSS) vulnerability in the Another WordPress Clas ...) NOT-FOR-US: Another WordPress Classifieds Plugin plugin for WordPress CVE-2014-10011 (Stack-based buffer overflow in UltraCamLib in the UltraCam ActiveX Con ...) NOT-FOR-US: TRENDnet SecurView camera TV-IP422WN CVE-2014-10010 (Directory traversal vulnerability in PHPJabbers Appointment Scheduler ...) NOT-FOR-US: PHPJabbers Appointment Scheduler CVE-2014-10009 (Multiple cross-site scripting (XSS) vulnerabilities in Stark CRM 1.0 a ...) NOT-FOR-US: Stark CRM CVE-2014-10008 (Multiple cross-site request forgery (CSRF) vulnerabilities in Stark CR ...) NOT-FOR-US: Stark CRM CVE-2014-10007 (Multiple cross-site scripting (XSS) vulnerabilities in Maian Weblog 4. ...) NOT-FOR-US: Maian Weblog CVE-2014-10006 (Multiple cross-site request forgery (CSRF) vulnerabilities in Maian Up ...) NOT-FOR-US: Maian Uploader CVE-2014-10005 (Maian Uploader 4.0 allows remote attackers to obtain sensitive informa ...) NOT-FOR-US: Maian Uploader CVE-2014-100040 RESERVED CVE-2014-10004 (SQL injection vulnerability in admin/data_files/move.php in Maian Uplo ...) NOT-FOR-US: Maian Uploader CVE-2014-100039 (mbae.sys in Malwarebytes Anti-Exploit before 1.05.1.2014 allows local ...) NOT-FOR-US: Malwarebytes Anti-Exploit CVE-2014-100038 (Cross-site scripting (XSS) vulnerability in Storytlr 1.3.dev and earli ...) NOT-FOR-US: Storytlr CVE-2014-100037 (Cross-site scripting (XSS) vulnerability in Storytlr 1.3.dev and earli ...) NOT-FOR-US: Storytlr CVE-2014-100036 (Cross-site scripting (XSS) vulnerability in FlatPress 1.0.2 allows rem ...) - flatpress (bug #466297) CVE-2014-100035 (SQL injection vulnerability in the ticket grid in the admin interface ...) NOT-FOR-US: LicensePal ArcticDesk CVE-2014-100034 (Cross-site scripting (XSS) vulnerability in the frontend interface in ...) NOT-FOR-US: LicensePal ArcticDesk CVE-2014-100033 (Directory traversal vulnerability in LicensePal ArcticDesk before 1.2. ...) NOT-FOR-US: LicensePal ArcticDesk CVE-2014-100032 (Cross-site scripting (XSS) vulnerability in top.html in the Airties Ai ...) NOT-FOR-US: Airties Air 6372 modem CVE-2014-100031 (Multiple SQL injection vulnerabilities in Ganesha Digital Library (GDL ...) NOT-FOR-US: Ganesha Digital Library CVE-2014-100030 (Cross-site scripting (XSS) vulnerability in module/search/function.php ...) NOT-FOR-US: Ganesha Digital Library CVE-2014-10003 (Multiple cross-site scripting (XSS) vulnerabilities in Maian Uploader ...) NOT-FOR-US: Maian Uploader CVE-2014-100029 (Multiple directory traversal vulnerabilities in class/session.php in G ...) NOT-FOR-US: Ganesha Digital Library CVE-2014-100028 (Cross-site scripting (XSS) vulnerability in /signup in WEBCrafted allo ...) NOT-FOR-US: WEBCrafted CVE-2014-100027 (Cross-site scripting (XSS) vulnerability in the WP SlimStat plugin bef ...) NOT-FOR-US: WP SlimStat plugin for WordPress CVE-2014-100026 (Cross-site scripting (XSS) vulnerability in readme.php in the April's ...) NOT-FOR-US: April's Super Functions Pack plugin for WordPress CVE-2014-100025 (Cross-site request forgery (CSRF) vulnerability in index.php/user_data ...) NOT-FOR-US: Savsoft Quiz CVE-2014-100024 (Cross-site scripting (XSS) vulnerability in Seo Panel before 3.4.0 all ...) NOT-FOR-US: Seo Panel CVE-2014-100023 (Multiple cross-site scripting (XSS) vulnerabilities in question.php in ...) NOT-FOR-US: mTouch Quiz CVE-2014-100022 (SQL injection vulnerability in question.php in the mTouch Quiz before ...) NOT-FOR-US: mTouch Quiz CVE-2014-100021 (Cross-site scripting (XSS) vulnerability in symfony/web/index.php/pim/ ...) NOT-FOR-US: OrangeHRM CVE-2014-100020 (SQL injection vulnerability in ChangeEmail.php in iTechClassifieds 3.0 ...) NOT-FOR-US: iTechClassifieds CVE-2014-10002 (Unspecified vulnerability in JetBrains TeamCity before 8.1 allows remo ...) NOT-FOR-US: JetBrains TeamCity CVE-2014-100019 (SQL injection vulnerability in the LTree converter in Pomm before 1.1. ...) NOT-FOR-US: LTree converter in Pomm CVE-2014-100018 (Cross-site scripting (XSS) vulnerability in the Unconfirmed plugin bef ...) NOT-FOR-US: Unconfirmed plugin for WordPress CVE-2014-100017 (Cross-site scripting (XSS) vulnerability in canned_opr.php in PhpOnlin ...) NOT-FOR-US: PhpOnlineChat CVE-2014-100016 (Cross-site scripting (XSS) vulnerability in photocrati-gallery/ecomm-s ...) NOT-FOR-US: Photocrati theme for WordPress CVE-2014-100015 (Directory traversal vulnerability in pdmwService.exe in SolidWorks Wor ...) NOT-FOR-US: SolidWorks Workgroup PDM CVE-2014-100014 (Multiple stack-based buffer overflows in pdmwService.exe in SolidWorks ...) NOT-FOR-US: SolidWorks Workgroup PDM CVE-2014-100013 (Multiple cross-site scripting (XSS) vulnerabilities in clientResponse ...) NOT-FOR-US: clientResponse CVE-2014-100012 (SQL injection vulnerability in /app in Sendy 1.1.8.4 allows remote att ...) NOT-FOR-US: Sendy CVE-2014-100011 (SQL injection vulnerability in /send-to in Sendy 1.1.9.1 allows remote ...) NOT-FOR-US: Sendy CVE-2014-100010 (Cross-site scripting (XSS) vulnerability in ClanSphere 2011.4 allows r ...) NOT-FOR-US: ClanSphere CVE-2014-10001 (Multiple cross-site request forgery (CSRF) vulnerabilities in PHPJabbe ...) NOT-FOR-US: PHPJabbers Appointment Scheduler CVE-2014-100009 (The Joomlaskin JS Multi Hotel (aka JS MultiHotel and Js-Multi-Hotel) p ...) NOT-FOR-US: JS MultiHotel CVE-2014-100008 (Cross-site scripting (XSS) vulnerability in includes/delete_img.php in ...) NOT-FOR-US: JS MultiHotel CVE-2014-100007 (Cross-site scripting (XSS) vulnerability in the HK Exif Tags plugin be ...) NOT-FOR-US: HK Exif Tags plugin for WordPress CVE-2014-100006 (Multiple cross-site scripting (XSS) vulnerabilities in modules_v3/goog ...) NOT-FOR-US: webtrees CVE-2014-100005 (Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link D ...) NOT-FOR-US: D-Link DIR-600 router CVE-2014-100004 (Cross-site scripting (XSS) vulnerability in Sitecore CMS before 7.0 Up ...) NOT-FOR-US: Sitecore CMS CVE-2014-100003 (SQL injection vulnerability in includes/ym-download_functions.include. ...) NOT-FOR-US: Code Futures YourMembers plugin for WordPress CVE-2014-100002 (Directory traversal vulnerability in ManageEngine SupportCenter Plus 7 ...) NOT-FOR-US: ManageEngine SupportCenter Plus CVE-2014-100001 (Cross-site request forgery (CSRF) vulnerability in the SEO Plugin Live ...) NOT-FOR-US: SEO Plugin LiveOptim CVE-2014-100000 REJECTED CVE-2014-10000 REJECTED CVE-2013-7420 (Buffer overflow in Hancom Office 2010 SE allows remote attackers to ex ...) NOT-FOR-US: Hancom Office 2010 SE CVE-2015-XXXX [smime_keys: insecure use of /tmp] - mutt 1.5.24-1 (unimportant; bug #775199) NOTE: http://dev.mutt.org/hg/mutt/rev/babc30377614 NOTE: Rendered non-exploitable by Linux hardening since wheezy CVE-2015-XXXX [djvudigital: insecure use of /tmp] - djvulibre 3.5.27.1-3 (unimportant; bug #775193) [squeeze] - djvulibre (Minor issue) NOTE: Originally was addressed in 3.5.27.1-1 but it was reintroduced NOTE: with the 3.5.27.1-2 upload, cf. https://bugs.debian.org/775193#17 NOTE: Not exploitable with kernel hardening since wheezy CVE-2015-5701 (mktexlsr revision 36855, and before revision 36626 as packaged in texl ...) - texlive-bin (Vulnerable code not reintroduced, patch mktexlsr-use-mktemp still applied) NOTE: https://www.tug.org/svn/texlive/trunk/Build/source/texk/kpathsea/mktexlsr?r1=36626&r2=36855 CVE-2015-5700 (mktexlsr revision 22855 through revision 36625 as packaged in texlive ...) - texlive-bin 2014.20140926.35254-5 (bug #775139) [wheezy] - texlive-bin (Minor issue) [squeeze] - texlive-bin (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/04/23/22 NOTE: http://www.openwall.com/lists/oss-security/2015/07/28/5 NOTE: https://www.tug.org/svn/texlive/trunk/Build/source/texk/kpathsea/mktexlsr?r1=19613&r2=22885 CVE-2015-1196 (GNU patch 2.7.1 allows remote attackers to write to arbitrary files vi ...) - patch 2.7.1-7 (bug #775227) [wheezy] - patch (Support for git-style patches added in 2.7) [squeeze] - patch (Support for git-style patches added in 2.7) CVE-2014-9651 (Buffer overflow in CHICKEN 4.9.0.x before 4.9.0.2, 4.9.x before 4.9.1, ...) - chicken 4.10.0-1 (bug #775346) [jessie] - chicken (Minor issue) [wheezy] - chicken (Minor issue) [squeeze] - chicken (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/01/12/3 NOTE: Patch: http://lists.nongnu.org/archive/html/chicken-hackers/2014-12/txt2UqAS9CtvH.txt CVE-2015-1194 (pax 1:20140703 allows remote attackers to write to arbitrary files via ...) - pax 1:20160306-1 (low; bug #774716) [jessie] - pax (Minor issue) [squeeze] - pax (Minor issue) [wheezy] - pax (Minor issue) CVE-2015-1193 (Multiple directory traversal vulnerabilities in pax 1:20140703 allow r ...) - pax 1:20160306-1 (low; bug #774716) [jessie] - pax (Minor issue) [squeeze] - pax (Minor issue) [wheezy] - pax (Minor issue) CVE-2015-1192 (Absolute path traversal vulnerability in kgb 1.0b4 allows remote attac ...) - kgb 1.0b4+ds-14 (bug #774989) [jessie] - kgb (meant to be used as a local archiver) [wheezy] - kgb (meant to be used as a local archiver) [squeeze] - kgb (meant to be used as a local archiver) CVE-2015-1191 (Multiple directory traversal vulnerabilities in pigz 2.3.1 allow remot ...) - pigz 2.3.1-2 (bug #774978) [squeeze] - pigz (Minor issue) [wheezy] - pigz (Minor issue) NOTE: https://github.com/madler/pigz/commit/fdad1406b3ec809f4954ff7cdf9e99eb18c2458f CVE-2015-0973 (Buffer overflow in the png_read_IDAT_data function in pngrutil.c in li ...) - libpng (Affects 1.5.x and 1.6.x series) - libpng1.6 1.6.16-1 (bug #773823) - iceweasel (squeeze used the system libpng, and later versions define their own limits) - icedove (squeeze used the system libpng, and later versions define their own limits) - texlive-bin 2014.20140926.35254-6 (bug #775673) [squeeze] - texlive-bin (has a copy of libpng 1.2) [wheezy] - texlive-bin (uses system libpng) NOTE: http://tfpwn.com/files/libpng_heap_overflow_1.6.15.txt NOTE: http://mid.gmane.org/Pine.LNX.4.64.1501101510150.31425@beijing.mitre.org CVE-2015-0922 (McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 us ...) NOT-FOR-US: McAfee ePolicy Orchestrator CVE-2015-0921 (XML external entity (XXE) vulnerability in the Server Task Log in McAf ...) NOT-FOR-US: McAfee ePolicy Orchestrator CVE-2014-1155 REJECTED CVE-2014-1137 REJECTED CVE-2014-1004 REJECTED CVE-2013-7419 (Cross-site scripting (XSS) vulnerability in includes/refreshDate.php i ...) NOT-FOR-US: Joomlaskin JS Multi Hotel (aka JS MultiHotel and Js-Multi-Hotel) plugin for WordPress CVE-2015-2063 (Integer overflow in unace 1.2b allows remote attackers to cause a deni ...) {DSA-3178-1 DLA-164-1} - unace 1.2b-12 (bug #775003) NOTE: http://git.hadrons.org/?p=debian/pkgs/unace.git;a=commitdiff;h=319446f CVE-2015-0920 (Cross-site request forgery (CSRF) vulnerability in the Banner Effect H ...) NOT-FOR-US: Banner Effect Header plugin for WordPress CVE-2015-0919 (Multiple SQL injection vulnerabilities in the administrative backend i ...) NOT-FOR-US: Sefrengo CVE-2015-0918 (Cross-site scripting (XSS) vulnerability in the administrative backend ...) NOT-FOR-US: Sefrengo CVE-2015-0917 (Cross-site scripting (XSS) vulnerability in the backend in Kajona befo ...) NOT-FOR-US: Kajona CVE-2015-0916 (SQL injection vulnerability in graph.php in Cacti before 0.8.6f allows ...) - cacti 0.8.6f-1 CVE-2015-0915 (Cross-site scripting (XSS) vulnerability in RAKUS MailDealer 11.2.1 an ...) NOT-FOR-US: RAKUS MailDealer CVE-2015-0914 (EasyCTF before 1.4 does not validate the session ID, which allows remo ...) NOT-FOR-US: EasyCTF CVE-2015-0913 (Cross-site scripting (XSS) vulnerability in EasyCTF before 1.4 allows ...) NOT-FOR-US: EasyCTF CVE-2015-0912 (EasyCTF before 1.4 allows remote authenticated users to write executab ...) NOT-FOR-US: EasyCTF CVE-2015-0911 (Directory traversal vulnerability in TAGAWA Takao TransmitMail 1.0.11 ...) NOT-FOR-US: TAGAWA Takao TransmitMail CVE-2015-0910 (Cross-site scripting (XSS) vulnerability in TAGAWA Takao TransmitMail ...) NOT-FOR-US: TAGAWA Takao TransmitMail CVE-2015-0909 RESERVED CVE-2015-0908 RESERVED CVE-2015-0907 (Buffer overflow in Lhaplus before 1.70 allows remote attackers to exec ...) NOT-FOR-US: Lhaplus CVE-2015-0906 (Directory traversal vulnerability in Lhaplus before 1.70 allows remote ...) NOT-FOR-US: Lhaplus CVE-2015-0905 (Cross-site request forgery (CSRF) vulnerability in bBlog allows remote ...) NOT-FOR-US: bBlog CVE-2015-0904 (The Restaurant Karaoke SHIDAX app 1.3.3 and earlier on Android does no ...) NOT-FOR-US: Restaurant Karaoke SHIDAX app CVE-2015-0903 (Buffer overflow in Saitoh Kikaku Maruo Editor 8.51 and earlier allows ...) NOT-FOR-US: Saitoh Kikaku Maruo Editor CVE-2015-0902 (The Semper Fi All in One SEO Pack plugin before 2.2.6 for WordPress do ...) NOT-FOR-US: WordPress plugin all-in-one-seo-pack CVE-2015-0901 (Cross-site scripting (XSS) vulnerability in the duwasai flashy theme 1 ...) NOT-FOR-US: WordPress duwasai flashy theme CVE-2015-0900 (Cross-site scripting (XSS) vulnerability in schedule.cgi in Nishishi F ...) NOT-FOR-US: Nishishi Factory CVE-2015-0899 (The MultiPageValidator implementation in Apache Struts 1 1.1 through 1 ...) {DSA-3536-1 DLA-292-1} - libstruts1.2-java NOTE: Patch in SuSE Bugzilla: https://bugzilla.suse.com/attachment.cgi?id=629559 NOTE: Patch appplies cleanly to the Wheezy and Squeeze versions CVE-2015-0898 (futomi CGI Cafe MP Form Mail CGI eCommerce before 2.0.12 on Windows al ...) NOT-FOR-US: futomi CGI Cafe MP Form Mail CGI eCommerce CVE-2015-0897 RESERVED CVE-2015-0896 (Multiple cross-site scripting (XSS) vulnerabilities in eXtplorer befor ...) {DLA-453-1 DLA-296-1} - extplorer (bug #783231) NOTE: Upstream fixes: http://extplorer.net/projects/extplorer/repository/revisions/240 CVE-2015-0895 (Cross-site request forgery (CSRF) vulnerability in the All In One WP S ...) NOT-FOR-US: All In One WP Security & Firewall plugin for WordPress CVE-2015-0894 (SQL injection vulnerability in the All In One WP Security & Firewa ...) NOT-FOR-US: All In One WP Security & Firewall plugin for WordPress CVE-2015-0893 (Cross-site scripting (XSS) vulnerability in Maroyaka CGI Maroyaka Rela ...) NOT-FOR-US: Maroyaka CVE-2015-0892 (Cross-site scripting (XSS) vulnerability in Maroyaka CGI Maroyaka Imag ...) NOT-FOR-US: Maroyaka CVE-2015-0891 (Cross-site scripting (XSS) vulnerability in Maroyaka CGI Maroyaka Simp ...) NOT-FOR-US: Maroyaka CVE-2015-0890 (The BestWebSoft Google Captcha (aka reCAPTCHA) plugin before 1.13 for ...) NOT-FOR-US: BestWebSoft plugin for WordPress CVE-2015-0889 (KENT-WEB Joyful Note before 5.3 allows remote attackers to delete file ...) NOT-FOR-US: KENT-WEB Joyful Note CVE-2015-0888 (KENT-WEB Clip Board before 4.1 allows remote attackers to delete arbit ...) NOT-FOR-US: KENT-WEB Clip Board CVE-2015-0887 (npppd in the PPP Access Concentrator (PPPAC) on SEIL SEIL/x86 Fuji rou ...) NOT-FOR-US: SEIL routers CVE-2015-0886 (Integer overflow in the crypt_raw method in the key-stretching impleme ...) - libjbcrypt-java 0.4-1 (bug #780102) [jessie] - libjbcrypt-java (Minor issue) [wheezy] - libjbcrypt-java (Minor issue) [squeeze] - libjbcrypt-java (Minor issue) CVE-2015-0885 (checkpw 1.02 and earlier allows remote attackers to cause a denial of ...) {DSA-3192-1 DLA-191-1} - checkpw 1.02-1.1 (bug #780139) CVE-2015-0884 (Unquoted Windows search path vulnerability in Toshiba Bluetooth Stack ...) NOT-FOR-US: Toshiba Bluetooth Stack CVE-2015-0883 (SYNCK GRAPHICA Mailform Pro CGI 4.1.4 and 4.1.5, when the mailauth mod ...) NOT-FOR-US: Mailform Pro CVE-2015-0882 (Multiple cross-site scripting (XSS) vulnerabilities in zencart-ja (aka ...) NOT-FOR-US: Zen Cart CVE-2015-0881 (CRLF injection vulnerability in Squid before 3.1.1 allows remote attac ...) - squid 4.1-1 (low) [squeeze] - squid (Minor issue) [wheezy] - squid (Minor issue) - squid3 3.1.1-1 NOTE: http://www.openwall.com/lists/oss-security/2015/03/01/2 NOTE: Patch: http://www.squid-cache.org/Versions/v3/3.1/changesets/b9619.patch NOTE: https://jvn.jp/en/jp/JVN64455813/index.html CVE-2015-0880 (Buffer overflow in CREAR AL-Mail32 before 1.13d allows remote attacker ...) NOT-FOR-US: CREAR AL-Mail32 CVE-2015-0879 (CREAR AL-Mail32 before 1.13d allows remote attackers to cause a denial ...) NOT-FOR-US: CREAR AL-Mail32 CVE-2015-0878 (Directory traversal vulnerability in CREAR AL-Mail32 before 1.13d allo ...) NOT-FOR-US: CREAR AL-Mail32 CVE-2015-0877 (Unrestricted file upload vulnerability in app/lib/mlf.pl in C-BOARD Mo ...) NOT-FOR-US: C-BOARD Moyuku CVE-2015-0876 (Multiple cross-site scripting (XSS) vulnerabilities in the print_langu ...) NOT-FOR-US: Saurus CMS CVE-2015-0875 (The Ogaki Kyoritsu Bank Smartphone Passbook application 1.0.0 for Andr ...) NOT-FOR-US: Ogaki Kyoritsu Bank Smartphone Passbook application for Android CVE-2015-0874 (Smartphone Passbook 1.0.0 does not verify X.509 certificates from SSL ...) NOT-FOR-US: Smartphone Passbook CVE-2015-0873 (Cross-site scripting (XSS) vulnerability in Homepage Decorator PerlTre ...) NOT-FOR-US: PerlTreeBBS CVE-2015-0872 REJECTED CVE-2015-0871 (Cross-site scripting (XSS) vulnerability in Mrs. Shiromuku Perl CGI sh ...) NOT-FOR-US: Mrs. Shiromuku Perl CGI shiromuku(u1)GUESTBOOK CVE-2015-0870 (Cross-site scripting (XSS) vulnerability in hb.cgi in Nishishi Factory ...) NOT-FOR-US: Nishishi Factory CVE-2015-0869 (I-O DATA DEVICE NP-BBRM routers allow remote attackers to cause a deni ...) NOT-FOR-US: I-O DATA DEVICE NP-BBRM routers CVE-2015-0868 (Unrestricted file upload vulnerability in Mrs. Shiromuku Perl CGI shir ...) NOT-FOR-US: Mrs. Shiromuku Perl CGI shiromuku(bu2)BBS CVE-2015-0867 (Directory traversal vulnerability in SYNCK GRAPHICA Download Log CGI 3 ...) NOT-FOR-US: SYNCK GRAPHICA Download Log CGI CVE-2015-0866 (Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngi ...) NOT-FOR-US: ZOHO ManageEngine SupportCenter Plus CVE-2015-0865 RESERVED CVE-2015-0864 (Samsung Account (AKA com.osp.app.signin) before 1.6.0069 and 2.x befor ...) NOT-FOR-US: Samsung CVE-2015-0863 (GALAXY Apps (aka Samsung Apps, Samsung Updates, or com.sec.android.app ...) NOT-FOR-US: Samsung GALAXY Apps CVE-2015-0862 (Multiple cross-site scripting (XSS) vulnerabilities in the management ...) - rabbitmq-server 3.4.3-1 [jessie] - rabbitmq-server (Minor issue) [wheezy] - rabbitmq-server (Minor issue) [squeeze] - rabbitmq-server (Management web UI not available in version 1.8.1) CVE-2015-0861 (model/modelstorage.py in trytond 3.2.x before 3.2.10, 3.4.x before 3.4 ...) {DSA-3425-1} - tryton-server 3.8.1-1 [wheezy] - tryton-server (Version < 3.2) [squeeze] - tryton-server (Version < 3.2) NOTE: Mathias Behrle told us that affected versions are >= 3.2 and < 3.8.1 CVE-2015-0860 (Off-by-one error in the extracthalf function in dpkg-deb/extract.c in ...) {DSA-3407-1} - dpkg 1.18.4 [squeeze] - dpkg (Vulnerable code not present) CVE-2015-0859 (The Debian build procedure for the smokeping package in wheezy before ...) {DSA-3405-1} - smokeping 2.6.11-2 [squeeze] - smokeping (Vulnerable code not present) CVE-2015-0858 (Cool Projects TarDiff allows local users to write to arbitrary files v ...) {DSA-3562-1 DLA-564-1} - tardiff 0.1-3 NOTE: https://anonscm.debian.org/cgit/collab-maint/tardiff.git/commit/?id=9bd6a07bc204472ac27242cea16f89943b43003a CVE-2015-0857 (Cool Projects TarDiff allows remote attackers to execute arbitrary com ...) {DSA-3562-1 DLA-564-1} - tardiff 0.1-5 NOTE: https://anonscm.debian.org/cgit/collab-maint/tardiff.git/commit/?id=9bd6a07bc204472ac27242cea16f89943b43003a NOTE: Assignment is done for injection through file names and tar file name itself NOTE: First part was addressed in 0.1-3 but does not contain the fix for the tar NOTE: file name itself. NOTE: https://anonscm.debian.org/cgit/collab-maint/tardiff.git/commit/?id=a18e8df51511df276e61dbccdbe1714fc53af965 CVE-2015-0856 (daemon/Greeter.cpp in sddm before 0.13.0 does not properly disable the ...) - sddm 0.12.0-5 (bug #803336; low) NOTE: https://github.com/sddm/sddm/commit/4cfed6b0a625593 CVE-2015-0855 (The _mediaLibraryPlayCb function in mainwindow.py in pitivi before 0.9 ...) - pitivi 0.95-1 [jessie] - pitivi (Minor issue) [squeeze] - pitivi (Vulnerable code not present (no os.system())) [wheezy] - pitivi (Vulnerable code not present (no os.system())) NOTE: https://git.gnome.org/browse/pitivi/commit/?id=45a4c84edb3b4343f199bba1c65502e3f49f5bb2 (RELEASE-0_95_0) CVE-2015-0854 (App/HelperFunctions.pm in Shutter through 0.93.1 allows user-assisted ...) {DLA-769-1} - shutter 0.93.1-1 (low; bug #798862) [jessie] - shutter 0.92-0.1+deb8u1 [squeeze] - shutter (Minor issue) NOTE: https://bugs.launchpad.net/shutter/+bug/1495163 CVE-2015-0853 (svn-workbench 1.6.2 and earlier on a system with xeyes installed allow ...) - svn-workbench 1.7.0-1 (low; bug #798863) [jessie] - svn-workbench (Minor issue) [wheezy] - svn-workbench (Minor issue) [squeeze] - svn-workbench (Minor issue) CVE-2015-0852 (Multiple integer underflows in PluginPCX.cpp in FreeImage 3.17.0 and e ...) {DSA-3392-1 DLA-327-1} - freeimage 3.15.4-5 (bug #797165) NOTE: http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?r1=1.17&r2=1.18&pathrev=MAIN NOTE: http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?r1=1.18&r2=1.19&pathrev=MAIN CVE-2015-0851 (XMLTooling-C before 1.5.5, as used in OpenSAML-C and Shibboleth Servic ...) {DSA-3321-1 DLA-290-1} - xmltooling 1.5.6-1 (bug #793855) NOTE: http://shibboleth.net/community/advisories/secadv_20150721.txt NOTE: Patch: https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commitdiff;h=2d795c731e6729309044607154978696a87fd900 NOTE: Initial advisory was listing the wrong CVE, updated later NOTE: opensaml2 will need binNMUs/sourcefull upload (cf. #794851) NOTE: [squeeze] partially affected (util/XMLHelper.cpp XMLHelper::getAttrInt method not present) (1.3.3.x) CVE-2015-0850 (The Git plugin for FusionForge before 6.0rc4 allows remote attackers t ...) {DSA-3275-1} - fusionforge 6.0~rc4-1 [squeeze] - fusionforge (Affects 5.3 and later) NOTE: https://scm.fusionforge.org/anonscm/gitweb?p=fusionforge/fusionforge.git;a=commitdiff;h=afcfe76f5195af4566ff3a8280714383fcdb5a67 NOTE: https://fusionforge.org/forum/forum.php?forum_id=41 CVE-2015-0849 [predictable temporary file vulnerability] RESERVED - pycode-browser 1:1.0-1 (unimportant; bug #790365) NOTE: Not exploitable with kernel hardening since wheezy CVE-2015-0848 (Heap-based buffer overflow in libwmf 0.2.8.4 allows remote attackers t ...) {DSA-3302-1 DLA-253-1} - libwmf 0.2.8.4-10.4 (bug #787644) CVE-2015-0847 (nbd-server.c in Network Block Device (nbd-server) before 3.11 does not ...) {DSA-3271-1 DLA-223-1} - nbd 1:3.10-1 (bug #784657) NOTE: http://sourceforge.net/p/nbd/mailman/message/34091218/ CVE-2015-0846 (django-markupfield before 1.3.2 uses the default docutils RESTRUCTURED ...) {DSA-3230-1 DLA-206-1} - django-markupfield 1.3.2-1 NOTE: https://github.com/jamesturk/django-markupfield/commit/b45734ea1d206abc1ed2a90bdc779708066d49f3 CVE-2015-0845 (Format string vulnerability in Movable Type Pro, Open Source, and Adva ...) {DSA-3227-1} - movabletype-opensource [squeeze] - movabletype-opensource (Not supported in Squeeze LTS) NOTE: https://movabletype.org/news/2015/04/movable_type_608_and_5213_released_to_close_security_vulnera.html CVE-2015-0844 (The WML/Lua API in Battle for Wesnoth 1.7.x through 1.11.x and 1.12.x ...) {DSA-3218-1 DLA-202-1} - wesnoth-1.12 1:1.12.2-1 - wesnoth-1.10 1:1.10.7-2 - wesnoth-1.8 CVE-2015-0843 [Buffer overflows due to misuse of sprintf] RESERVED - yubiserver 0.6-1 (bug #796495) [jessie] - yubiserver (Mitigated by toolchain hardening) [wheezy] - yubiserver (Can be fixed via a point release) CVE-2015-0842 [SQL injection issues (potential auth bypass)] RESERVED - yubiserver 0.6-1 (bug #796495) [jessie] - yubiserver (Minor issue) [wheezy] - yubiserver (Minor issue) CVE-2015-0841 (Off-by-one error in the readBuf function in listener.cpp in libcapsine ...) - libcapsinetwork (bug #781044; unimportant) [experimental] - monopd 0.9.8-1 - monopd (bug #781043; unimportant) NOTE: Not exploitable with dlmalloc CVE-2015-0840 (The dpkg-source command in Debian dpkg before 1.16.16 and 1.17.x befor ...) {DSA-3217-1 DLA-220-1} - dpkg 1.17.25 NOTE: Ubuntu fix for 1.15.x (version in squeeze): http://launchpadlibrarian.net/202647129/dpkg_1.15.5.6ubuntu4.9_1.15.5.6ubuntu4.10.diff.gz CVE-2015-0839 (The hp-plugin utility in HP Linux Imaging and Printing (HPLIP) makes i ...) {DLA-775-1} - hplip 3.15.11+repack0-1 (bug #787353; bug #796015) [jessie] - hplip 3.14.6-1+deb8u1 [squeeze] - hplip (Minor issue) NOTE: http://seclists.org/oss-sec/2015/q2/581 NOTE: https://bugs.launchpad.net/bugs/1432516 CVE-2015-0838 (Buffer overflow in the C implementation of the apply_delta function in ...) {DSA-3206-1 DLA-231-1} - dulwich 0.10.1-1 (bug #780958) [jessie] - dulwich 0.9.7-3 CVE-2015-0837 (The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.1 ...) {DSA-3185-1 DSA-3184-1 DLA-190-1 DLA-175-1} - libgcrypt11 - libgcrypt20 1.6.3-2 - gnupg 1.4.18-7 NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=6cbc75e71295f23431c4ab95edc7573f2fc28476 CVE-2015-0836 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-3179-1 DSA-3174-1} - iceweasel 31.5.0esr-1 [squeeze] - iceweasel - icedove 31.5.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-11/ CVE-2015-0835 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel (Does not affect ESR version) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-11/ CVE-2015-0834 (The WebRTC subsystem in Mozilla Firefox before 36.0 recognizes turns: ...) - iceweasel (Does not affect ESR version) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-15/ CVE-2015-0833 (Multiple untrusted search path vulnerabilities in updater.exe in Mozil ...) - iceweasel (Specific to Firefox on Windows) - icedove (Specific to Thunderbird on Windows) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-12/ CVE-2015-0832 (Mozilla Firefox before 36.0 does not properly recognize the equivalenc ...) - iceweasel (Does not affect ESR version) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-13/ CVE-2015-0831 (Use-after-free vulnerability in the mozilla::dom::IndexedDB::IDBObject ...) {DSA-3179-1 DSA-3174-1} - iceweasel 31.5.0esr-1 [squeeze] - iceweasel - icedove 31.5.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-16/ CVE-2015-0830 (The WebGL implementation in Mozilla Firefox before 36.0 does not prope ...) - iceweasel (Does not affect ESR version) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-14/ CVE-2015-0829 (Buffer overflow in libstagefright in Mozilla Firefox before 36.0 allow ...) - iceweasel (Does not affect ESR version) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-17/ CVE-2015-0828 (Double free vulnerability in the nsXMLHttpRequest::GetResponse functio ...) - iceweasel (Doesn't affect the memory allocator used in the Debian builds) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-18/ CVE-2015-0827 (Heap-based buffer overflow in the mozilla::gfx::CopyRect function in M ...) {DSA-3179-1 DSA-3174-1} - iceweasel 31.5.0esr-1 [squeeze] - iceweasel - icedove 31.5.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-19/ CVE-2015-0826 (The nsTransformedTextRun::SetCapitalization function in Mozilla Firefo ...) - iceweasel (Does not affect ESR version) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-20/ CVE-2015-0825 (Stack-based buffer underflow in the mozilla::MP3FrameParser::ParseBuff ...) - iceweasel (Does not affect ESR version) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-21/ CVE-2015-0824 (The mozilla::layers::BufferTextureClient::AllocateForSurface function ...) - iceweasel (Does not affect ESR version) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-22/ CVE-2015-0823 (Multiple use-after-free vulnerabilities in OpenType Sanitiser, as used ...) - iceweasel (Does not affect ESR version) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-23/ CVE-2015-0822 (The Form Autocompletion feature in Mozilla Firefox before 36.0, Firefo ...) {DSA-3179-1 DSA-3174-1} - iceweasel 31.5.0esr-1 [squeeze] - iceweasel - icedove 31.5.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-24/ CVE-2015-0821 (Mozilla Firefox before 36.0 allows user-assisted remote attackers to r ...) - iceweasel (Does not affect ESR version) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-25/ CVE-2015-0820 (Mozilla Firefox before 36.0 does not properly restrict transitions of ...) - iceweasel (Does not affect ESR version) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-27/ CVE-2015-0819 (The UITour::onPageEvent function in Mozilla Firefox before 36.0 does n ...) - iceweasel (Does not affect ESR version) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-26/ CVE-2015-0818 (Mozilla Firefox before 36.0.4, Firefox ESR 31.x before 31.5.3, and Sea ...) {DSA-3201-1} - iceweasel 31.5.3esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-28/ CVE-2015-0817 (The asm.js implementation in Mozilla Firefox before 36.0.3, Firefox ES ...) {DSA-3201-1} - iceweasel 31.5.3esr-1 [squeeze] - iceweasel NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/ CVE-2015-0816 (Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunder ...) {DSA-3212-1 DSA-3211-1} - iceweasel 31.6.0esr-1 [squeeze] - iceweasel - icedove 31.6.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-33/ CVE-2015-0815 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-3212-1 DSA-3211-1} - iceweasel 31.6.0esr-1 [squeeze] - iceweasel - icedove 31.6.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-30/ CVE-2015-0814 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel (only affects Firefox 37.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-30/ CVE-2015-0813 (Use-after-free vulnerability in the AppendElements function in Mozilla ...) {DSA-3212-1 DSA-3211-1} - iceweasel 31.6.0esr-1 [squeeze] - iceweasel - icedove 31.6.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-31/ CVE-2015-0812 (Mozilla Firefox before 37.0 does not require an HTTPS session for ligh ...) - iceweasel (Only affects 37.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-32/ CVE-2015-0811 (The QCMS implementation in Mozilla Firefox before 37.0 allows remote a ...) - iceweasel (Only affects 37.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-34/ CVE-2015-0810 (Mozilla Firefox before 37.0 on OS X does not ensure that the cursor is ...) - iceweasel (Only affects 37.x; only affects OS X systems) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-35/ CVE-2015-0809 RESERVED CVE-2015-0808 (The webrtc::VPMContentAnalysis::Release function in the WebRTC impleme ...) - iceweasel (Only affects 37.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-36/ CVE-2015-0807 (The navigator.sendBeacon implementation in Mozilla Firefox before 37.0 ...) {DSA-3212-1 DSA-3211-1} - iceweasel 31.6.0esr-1 [squeeze] - iceweasel - icedove 31.6.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-37/ CVE-2015-0806 (The Off Main Thread Compositing (OMTC) implementation in Mozilla Firef ...) - iceweasel (Only affects 37.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-38/ CVE-2015-0805 (The Off Main Thread Compositing (OMTC) implementation in Mozilla Firef ...) - iceweasel (Only affects 37.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-38/ CVE-2015-0804 (The HTMLSourceElement::BindToTree function in Mozilla Firefox before 3 ...) - iceweasel (Only affects 37.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-39/ CVE-2015-0803 (The HTMLSourceElement::AfterSetAttr function in Mozilla Firefox before ...) - iceweasel (Only affects 37.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-39/ CVE-2015-0802 (Mozilla Firefox before 37.0 relies on docshell type information instea ...) - iceweasel (Only affects 37.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-42/ CVE-2015-0801 (Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunder ...) {DSA-3212-1 DSA-3211-1} - iceweasel 31.6.0esr-1 [squeeze] - iceweasel - icedove 31.6.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-40/ CVE-2015-0800 (The PRNG implementation in the DNS resolver in Mozilla Firefox (aka Fe ...) - iceweasel (Only affects 37.x; only on Android) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-41/ CVE-2015-0799 (The HTTP Alternative Services feature in Mozilla Firefox before 37.0.1 ...) - iceweasel (Only affects Firefox 37.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-44/ CVE-2015-0798 (The Reader mode feature in Mozilla Firefox before 37.0.1 on Android, a ...) - iceweasel (Only affects Firefox on Android) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-43/ CVE-2015-0797 (GStreamer before 1.4.5, as used in Mozilla Firefox before 38.0, Firefo ...) {DSA-3264-1 DSA-3260-1 DSA-3225-1 DLA-2164-1} - gst-plugins-bad0.10 (bug #784220) [squeeze] - gst-plugins-bad0.10 (vulnerable code (gst/videoparsers/*) introduced later) - iceweasel 38.0-1 [squeeze] - iceweasel - icedove 31.7.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-47/ CVE-2015-0796 (In open buildservice 2.6 before 2.6.3, 2.5 before 2.5.7 and 2.4 before ...) - open-build-service (Fixed before initial upload) CVE-2015-0795 (Multiple stack-based buffer overflows in the SafeShellExecute method i ...) NOT-FOR-US: NetIQ CVE-2015-0794 (modules.d/90crypt/module-setup.sh in the dracut package before 037-17. ...) - dracut (Vulnerable code not present) NOTE: http://lists.opensuse.org/opensuse-updates/2015-11/msg00098.html NOTE: http://lists.opensuse.org/opensuse-bugs/2015-06/msg02585.html NOTE: http://lists.opensuse.org/opensuse-bugs/2015-06/msg02580.html NOTE: This seem to be a SuSE specific issue. src:dracut does not contain unsafe NOTE: handling of a /tmp/dracut_block_uuid.map file in any checked version. CVE-2015-0793 REJECTED CVE-2015-0792 REJECTED CVE-2015-0791 REJECTED CVE-2015-0790 REJECTED CVE-2015-0789 REJECTED CVE-2015-0788 REJECTED CVE-2015-0787 (XSS in NetIQ Designer for Identity Manager before 4.5.3 allows remote ...) NOT-FOR-US: NetIQ Designer for Identity Manager CVE-2015-0786 (Stack-based buffer overflow in the logging functionality in the Preboo ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2015-0785 (com.novell.zenworks.inventory.rtr.actionclasses.wcreports in Novell ZE ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2015-0784 (Rtrlet.class in Novell ZENworks Configuration Management (ZCM) allows ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2015-0783 (The FileViewer class in Novell ZENworks Configuration Management (ZCM) ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2015-0782 (SQL injection vulnerability in the ScheduleQuery method of the schedul ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2015-0781 (Directory traversal vulnerability in the doPost method of the Rtrlet c ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2015-0780 (SQL injection vulnerability in the GetReRequestData method of the GetS ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2015-0779 (Directory traversal vulnerability in UploadServlet in Novell ZENworks ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2015-0778 (osc before 0.151.0 allows remote attackers to execute arbitrary comman ...) - osc 0.149.0-2 (low; bug #780410) [wheezy] - osc 0.134.1-2+deb7u1 [squeeze] - osc (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=901643 CVE-2015-0777 (drivers/xen/usbback/usbback.c in linux-2.6.18-xen-3.4.0 (aka the Xen 3 ...) - linux (Addon Xen usbback patch not present) - linux-2.6 (Addon Xen usbback patch not present) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=917830 CVE-2015-0776 (telnetd in Cisco IOS XR 5.0.1 on Network Convergence System 6000 devic ...) NOT-FOR-US: Cisco IOS CVE-2015-0775 (The banner (aka MOTD) implementation in Cisco NX-OS 4.1(2)E1(1f) on Ne ...) NOT-FOR-US: Cisco NX-OS CVE-2015-0774 (Cross-site scripting (XSS) vulnerability in Cisco Application and Cont ...) NOT-FOR-US: Cisco Application and Content Networking System CVE-2015-0773 (Cisco FireSIGHT System Software 5.3.1.3 and 6.0.0 allows remote authen ...) NOT-FOR-US: Cisco FireSIGHT System Software CVE-2015-0772 (Cisco TelePresence Video Communication Server (VCS) X8.5RC4 allows rem ...) NOT-FOR-US: Cisco TelePresence Video Communication Server CVE-2015-0771 (The IKE implementation in the WS-IPSEC-3 service module in Cisco IOS 1 ...) NOT-FOR-US: Cisco IOS CVE-2015-0770 (CRLF injection vulnerability in Cisco TelePresence TC 6.x before 6.3.4 ...) NOT-FOR-US: Cisco TelePresence TC Software CVE-2015-0769 (Cisco IOS XR 4.0.1 through 4.2.0 for CRS-3 Carrier Routing System allo ...) NOT-FOR-US: Cisco IOS CVE-2015-0768 (The Device Work Center (DWC) component in Cisco Prime Network Control ...) NOT-FOR-US: Cisco Prime Network Control System CVE-2015-0767 (Cisco Edge 300 software 1.0 and 1.1 on Edge 340 devices allows local u ...) NOT-FOR-US: Cisco CVE-2015-0766 (Multiple cross-site scripting (XSS) vulnerabilities in the administrat ...) NOT-FOR-US: Cisco CVE-2015-0765 (Cisco ONS 15454 System Software 10.30 and 10.301 allows remote attacke ...) NOT-FOR-US: Cisco CVE-2015-0764 (Cisco Unified MeetingPlace 8.6(1.9) allows remote attackers to read ar ...) NOT-FOR-US: Cisco Unified MeetingPlace CVE-2015-0763 (Cisco Unified MeetingPlace 8.6(1.2) does not properly validate session ...) NOT-FOR-US: Cisco Unified MeetingPlace CVE-2015-0762 (Cross-site scripting (XSS) vulnerability in the management interface i ...) NOT-FOR-US: Cisco Unified MeetingPlace CVE-2015-0761 (Cisco AnyConnect Secure Mobility Client before 3.1(8009) and 4.x befor ...) NOT-FOR-US: Cisco AnyConnect Secure Mobility Client CVE-2015-0760 (The IKEv1 implementation in Cisco ASA Software 7.x, 8.0.x, 8.1.x, and ...) NOT-FOR-US: Cisco ASA CVE-2015-0759 (Cross-site request forgery (CSRF) vulnerability in Cisco Headend Digit ...) NOT-FOR-US: Cisco CVE-2015-0758 (The web-based user interface in Cisco Unified MeetingPlace 8.6(1.9) al ...) NOT-FOR-US: Cisco CVE-2015-0757 (The web framework in Cisco Identity Services Engine (ISE) 1.2(1.901) a ...) NOT-FOR-US: Cisco CVE-2015-0756 (Cisco Wireless LAN Controller (WLC) devices with software 7.4(1.1) all ...) NOT-FOR-US: Cisco CVE-2015-0755 (The Posture module for Cisco Identity Services Engine (ISE), as distri ...) NOT-FOR-US: Cisco CVE-2015-0754 (Cisco Finesse 10.5(1) allows remote authenticated users to obtain sens ...) NOT-FOR-US: Cisco CVE-2015-0753 (SQL injection vulnerability in Cisco Unified Email Interaction Manager ...) NOT-FOR-US: Cisco CVE-2015-0752 (Cross-site scripting (XSS) vulnerability in Cisco TelePresence Video C ...) NOT-FOR-US: Cisco CVE-2015-0751 (Cisco IP Phone 7861, when firmware from Cisco Unified Communications M ...) NOT-FOR-US: Cisco CVE-2015-0750 (The administrative web interface in Cisco Hosted Collaboration Solutio ...) NOT-FOR-US: Cisco CVE-2015-0749 (A vulnerability in Cisco Unified Communications Manager could allow an ...) NOT-FOR-US: Cisco CVE-2015-0748 RESERVED CVE-2015-0747 (Cisco Conductor for Videoscape 3.0 and Cisco Headend System Release al ...) NOT-FOR-US: Cisco CVE-2015-0746 (The REST API in Cisco Access Control Server (ACS) 5.5(0.46.2) allows r ...) NOT-FOR-US: Cisco Access Control Server CVE-2015-0745 (Cisco Headend System Release allows remote attackers to read temporary ...) NOT-FOR-US: Cisco CVE-2015-0744 (Cisco DTA Control System (DTACS) 4.0.0.9 and Cisco Headend System Rele ...) NOT-FOR-US: Cisco CVE-2015-0743 (Cisco Headend System Release allows remote attackers to cause a denial ...) NOT-FOR-US: Cisco CVE-2015-0742 (The Protocol Independent Multicast (PIM) application in Cisco Adaptive ...) NOT-FOR-US: Cisco CVE-2015-0741 (Multiple cross-site request forgery (CSRF) vulnerabilities in Cisco Pr ...) NOT-FOR-US: Cisco CVE-2015-0740 (Cross-site request forgery (CSRF) vulnerability in Cisco Unified Intel ...) NOT-FOR-US: Cisco CVE-2015-0739 (The Lights-Out Management (LOM) implementation in Cisco FireSIGHT Syst ...) NOT-FOR-US: Cisco CVE-2015-0738 (Cross-site scripting (XSS) vulnerability in the Web Tracking Report pa ...) NOT-FOR-US: Cisco CVE-2015-0737 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco FireSIGHT ...) NOT-FOR-US: Cisco FireSIGHT System Software CVE-2015-0736 (Cross-site request forgery (CSRF) vulnerability in Cisco MediaSense 10 ...) NOT-FOR-US: Cisco CVE-2015-0735 (Cross-site request forgery (CSRF) vulnerability in Cisco Unified Custo ...) NOT-FOR-US: Cisco CVE-2015-0734 (Multiple cross-site scripting (XSS) vulnerabilities on the Cisco Email ...) NOT-FOR-US: Cisco CVE-2015-0733 (CRLF injection vulnerability in the HTTP Header Handler in Digital Bro ...) NOT-FOR-US: Cisco CVE-2015-0732 (Cross-site scripting (XSS) vulnerability in Cisco AsyncOS on the Web S ...) NOT-FOR-US: Cisco CVE-2015-0731 (The ISDN implementation in Cisco IOS 15.3S allows remote attackers to ...) NOT-FOR-US: Cisco CVE-2015-0730 (The SMB module in Cisco Wide Area Application Services (WAAS) 6.0(1) a ...) NOT-FOR-US: Cisco CVE-2015-0729 (Cross-site scripting (XSS) vulnerability in Cisco Secure Access Contro ...) NOT-FOR-US: Cisco CVE-2015-0728 (Cross-site scripting (XSS) vulnerability in Cisco Access Control Serve ...) NOT-FOR-US: Cisco CVE-2015-0727 (Cross-site scripting (XSS) vulnerability in the HTTP module in Cisco S ...) NOT-FOR-US: Cisco CVE-2015-0726 (The web administration interface on Cisco Wireless LAN Controller (WLC ...) NOT-FOR-US: Cisco CVE-2015-0725 (Cisco Videoscape Distribution Suite Service Broker (aka VDS-SB), when ...) NOT-FOR-US: Cisco CVE-2015-0724 (Multiple cross-site scripting (XSS) vulnerabilities in dncs 7.0.0.12 i ...) NOT-FOR-US: Cisco CVE-2015-0723 (The wireless web-authentication subsystem on Cisco Wireless LAN Contro ...) NOT-FOR-US: Cisco CVE-2015-0722 (The network drivers in Cisco TelePresence T, Cisco TelePresence TE, an ...) NOT-FOR-US: Cisco CVE-2015-0721 (Cisco NX-OS 4.0 through 7.3 on Multilayer Director and Nexus 1000V, 20 ...) NOT-FOR-US: Cisco CVE-2015-0720 RESERVED CVE-2015-0719 RESERVED CVE-2015-0718 (Cisco NX-OS 4.0 through 6.1 on Nexus 1000V 3000, 4000, 5000, 6000, and ...) NOT-FOR-US: Cisco NX-OS CVE-2015-0717 (Cisco Unified Communications Manager 10.0(1.10000.12) allows local use ...) NOT-FOR-US: Cisco CVE-2015-0716 (Cross-site request forgery (CSRF) vulnerability in the CUCReports page ...) NOT-FOR-US: Cisco Unity Connection CVE-2015-0715 (SQL injection vulnerability in the administrative web interface in Cis ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2015-0714 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco Finesse S ...) NOT-FOR-US: Cisco Finesse CVE-2015-0713 (The web framework in Cisco TelePresence Advanced Media Gateway Series ...) NOT-FOR-US: Cisco CVE-2015-0712 (The session-manager service in Cisco StarOS 12.0, 12.2(300), 14.0, and ...) NOT-FOR-US: Cisco StarOS CVE-2015-0711 (The hamgr service in the IPv6 Proxy Mobile (PM) implementation in Cisc ...) NOT-FOR-US: Cisco StarOS CVE-2015-0710 (The Overlay Transport Virtualization (OTV) implementation in Cisco IOS ...) NOT-FOR-US: Cisco IOS XE CVE-2015-0709 (Cisco IOS 15.5S and IOS XE allow remote authenticated users to cause a ...) NOT-FOR-US: Cisco IOS CVE-2015-0708 (Cisco IOS 15.4S, 15.4SN, and 15.5S and IOS XE 3.13S and 3.14S allow re ...) NOT-FOR-US: Cisco IOS CVE-2015-0707 (Cross-site scripting (XSS) vulnerability in Cisco FireSIGHT System Sof ...) NOT-FOR-US: Cisco CVE-2015-0706 (Open redirect vulnerability in Cisco FireSIGHT System Software 5.3.1.1 ...) NOT-FOR-US: Cisco CVE-2015-0705 (Cross-site request forgery (CSRF) vulnerability in the SOAP API endpoi ...) NOT-FOR-US: Cisco CVE-2015-0704 (Multiple cross-site request forgery (CSRF) vulnerabilities in API feat ...) NOT-FOR-US: Cisco CVE-2015-0703 (Cross-site scripting (XSS) vulnerability in the administrative web int ...) NOT-FOR-US: Cisco CVE-2015-0702 (Unrestricted file upload vulnerability in the Custom Prompts upload im ...) NOT-FOR-US: Cisco CVE-2015-0701 (Cisco UCS Central Software before 1.3(1a) allows remote attackers to e ...) NOT-FOR-US: Cisco UCS CVE-2015-0700 (Cross-site request forgery (CSRF) vulnerability in the Dashboard page ...) NOT-FOR-US: Cisco CVE-2015-0699 (SQL injection vulnerability in the Interactive Voice Response (IVR) co ...) NOT-FOR-US: Cisco CVE-2015-0698 (Multiple cross-site scripting (XSS) vulnerabilities in filter search f ...) NOT-FOR-US: Cisco WSA CVE-2015-0697 (Open redirect vulnerability in the login page in Cisco TC Software bef ...) NOT-FOR-US: Cisco CVE-2015-0696 (Cross-site scripting (XSS) vulnerability in the login page in Cisco TC ...) NOT-FOR-US: Cisco CVE-2015-0695 (Cisco IOS XR 4.3.4 through 5.3.0 on ASR 9000 devices, when uRPF, PBR, ...) NOT-FOR-US: Cisco IOS CVE-2015-0694 (Cisco ASR 9000 devices with software 5.3.0.BASE do not recognize that ...) NOT-FOR-US: Cisco CVE-2015-0693 (Cisco Web Security Appliance (WSA) devices with software 8.5.0-ise-147 ...) NOT-FOR-US: Cisco WSA CVE-2015-0692 (Cisco Web Security Appliance (WSA) devices with software 8.5.0-ise-147 ...) NOT-FOR-US: Cisco WSA CVE-2015-0691 (A certain Cisco JAR file, as distributed in Cache Cleaner in Cisco Sec ...) NOT-FOR-US: Cisco Secure Desktop Cache Cleaner CVE-2015-0690 (Cross-site scripting (XSS) vulnerability in the HTML help system on Ci ...) NOT-FOR-US: Cisco CVE-2015-0689 (Cisco Cloud Web Security before 3.0.1.7 allows remote attackers to byp ...) NOT-FOR-US: Cisco CVE-2015-0688 (Cisco IOS XE 3.10.2S on an ASR 1000 device with an Embedded Services P ...) NOT-FOR-US: Cisco CVE-2015-0687 (The SNMP implementation in Cisco IOS 15.1(2)SG4 on Catalyst 4500 devic ...) NOT-FOR-US: Cisco CVE-2015-0686 (The SNMP implementation in Cisco NX-OS 6.1(2)I2(3) on Nexus 9000 devic ...) NOT-FOR-US: Cisco CVE-2015-0685 (Cisco IOS XE before 3.7.5S on ASR 1000 devices does not properly handl ...) NOT-FOR-US: Cisco CVE-2015-0684 (SQL injection vulnerability in the Image Management component in Cisco ...) NOT-FOR-US: Cisco CVE-2015-0683 (Cisco Unified Communications Domain Manager 8.1(4) allows remote authe ...) NOT-FOR-US: Cisco CVE-2015-0682 (Cisco Unified Communications Domain Manager 8.1(4) allows remote authe ...) NOT-FOR-US: Cisco CVE-2015-0681 (The TFTP server in Cisco IOS 12.2(44)SQ1, 12.2(33)XN1, 12.4(25e)JAM1, ...) NOT-FOR-US: Cisco IOS CVE-2015-0680 (Cisco Unified Call Manager (CM) 9.1(2.1000.28) does not properly restr ...) NOT-FOR-US: Cisco CVE-2015-0679 (The web-authentication functionality on Cisco Wireless LAN Controller ...) NOT-FOR-US: Cisco CVE-2015-0678 (The virtualization layer in Cisco ASA FirePOWER Software before 5.3.1. ...) NOT-FOR-US: Cisco ASA CVE-2015-0677 (The XML parser in Cisco Adaptive Security Appliance (ASA) Software 8.4 ...) NOT-FOR-US: Cisco ASA CVE-2015-0676 (The DNS implementation in Cisco Adaptive Security Appliance (ASA) Soft ...) NOT-FOR-US: Cisco ASA CVE-2015-0675 (The failover ipsec implementation in Cisco Adaptive Security Appliance ...) NOT-FOR-US: Cisco ASA CVE-2015-0674 (Cross-site scripting (XSS) vulnerability in the Alert Service of Cisco ...) NOT-FOR-US: Cisco CVE-2015-0673 (Cisco Mobility Services Engine (MSE) 8.0(110.0) allows remote authenti ...) NOT-FOR-US: Cisco CVE-2015-0672 (The DHCPv4 server in Cisco IOS XR 5.2.2 on ASR 9000 devices allows rem ...) NOT-FOR-US: Cisco CVE-2015-0671 (The DNS implementation in Cisco Videoscape Distribution Suite for Inte ...) NOT-FOR-US: Cisco CVE-2015-0670 (The default configuration of Cisco Small Business IP phones SPA 300 7. ...) NOT-FOR-US: Cisco CVE-2015-0669 (The Autonomic Networking Infrastructure (ANI) implementation in Cisco ...) NOT-FOR-US: Cisco CVE-2015-0668 (Cross-site scripting (XSS) vulnerability in the administration portal ...) NOT-FOR-US: Cisco CVE-2015-0667 (The Management Interface on Cisco Content Services Switch (CSS) 11500 ...) NOT-FOR-US: Cisco CVE-2015-0666 (Directory traversal vulnerability in the fmserver servlet in Cisco Pri ...) NOT-FOR-US: Cisco CVE-2015-0665 (The Hostscan module in Cisco AnyConnect Secure Mobility Client 4.0(.00 ...) NOT-FOR-US: Cisco CVE-2015-0664 (The IPC channel in Cisco AnyConnect Secure Mobility Client 4.0(.00051) ...) NOT-FOR-US: Cisco CVE-2015-0663 (Cisco AnyConnect Secure Mobility Client 4.0(.00051) and earlier does n ...) NOT-FOR-US: Cisco CVE-2015-0662 (Cisco AnyConnect Secure Mobility Client 4.0(.00051) and earlier allows ...) NOT-FOR-US: Cisco CVE-2015-0661 (The SNMPv2 implementation in Cisco IOS XR allows remote authenticated ...) NOT-FOR-US: Cisco CVE-2015-0660 (Cisco Virtual TelePresence Server Software does not properly restrict ...) NOT-FOR-US: Cisco CVE-2015-0659 (The Autonomic Networking Infrastructure (ANI) implementation in Cisco ...) NOT-FOR-US: Cisco CVE-2015-0658 (The DHCP implementation in the PowerOn Auto Provisioning (POAP) featur ...) NOT-FOR-US: Cisco CVE-2015-0657 (Cisco IOS XR allows remote attackers to cause a denial of service (RSV ...) NOT-FOR-US: Cisco CVE-2015-0656 (Cross-site scripting (XSS) vulnerability in the login page in Cisco Ne ...) NOT-FOR-US: Cisco NAM CVE-2015-0655 (Cross-site scripting (XSS) vulnerability in Unified Web Interaction Ma ...) NOT-FOR-US: Cisco Unified Web CVE-2015-0654 (Race condition in the TLS implementation in MainApp in the management ...) NOT-FOR-US: Cisco CVE-2015-0653 (The management interface in Cisco TelePresence Video Communication Ser ...) NOT-FOR-US: Cisco CVE-2015-0652 (The Session Description Protocol (SDP) implementation in Cisco TelePre ...) NOT-FOR-US: Cisco CVE-2015-0651 (Cross-site request forgery (CSRF) vulnerability in the web GUI in Cisc ...) NOT-FOR-US: Cisco CVE-2015-0650 (The Service Discovery Gateway (aka mDNS Gateway) in Cisco IOS 12.2, 12 ...) NOT-FOR-US: Cisco CVE-2015-0649 (Cisco IOS 12.2, 12.4, 15.0, 15.2, and 15.3 allows remote attackers to ...) NOT-FOR-US: Cisco CVE-2015-0648 (Memory leak in Cisco IOS 12.2, 12.4, 15.0, 15.2, and 15.3 allows remot ...) NOT-FOR-US: Cisco CVE-2015-0647 (Cisco IOS 12.2, 12.4, 15.0, 15.2, and 15.3 allows remote attackers to ...) NOT-FOR-US: Cisco CVE-2015-0646 (Memory leak in the TCP input module in Cisco IOS 12.2, 12.4, 15.0, 15. ...) NOT-FOR-US: Cisco CVE-2015-0645 (The Layer 4 Redirect (L4R) feature in Cisco IOS XE 2.x and 3.x before ...) NOT-FOR-US: Cisco CVE-2015-0644 (AppNav in Cisco IOS XE 3.8 through 3.10 before 3.10.3S, 3.11 before 3. ...) NOT-FOR-US: Cisco CVE-2015-0643 (Cisco IOS 12.2, 12.4, 15.0, 15.1, 15.2, 15.3, and 15.4 and IOS XE 2.5. ...) NOT-FOR-US: Cisco CVE-2015-0642 (Cisco IOS 12.2, 12.4, 15.0, 15.1, 15.2, 15.3, and 15.4 and IOS XE 2.5. ...) NOT-FOR-US: Cisco CVE-2015-0641 (Cisco IOS XE 2.x and 3.x before 3.9.0S, 3.10 before 3.10.0S, 3.11 befo ...) NOT-FOR-US: Cisco CVE-2015-0640 (The high-speed logging (HSL) feature in Cisco IOS XE 2.x and 3.x befor ...) NOT-FOR-US: Cisco CVE-2015-0639 (The Common Flow Table (CFT) feature in Cisco IOS XE 3.6 and 3.7 before ...) NOT-FOR-US: Cisco CVE-2015-0638 (Cisco IOS 12.2, 12.4, 15.0, 15.2, and 15.3, when a VRF interface is co ...) NOT-FOR-US: Cisco CVE-2015-0637 (The Autonomic Networking Infrastructure (ANI) implementation in Cisco ...) NOT-FOR-US: Cisco CVE-2015-0636 (The Autonomic Networking Infrastructure (ANI) implementation in Cisco ...) NOT-FOR-US: Cisco CVE-2015-0635 (The Autonomic Networking Infrastructure (ANI) implementation in Cisco ...) NOT-FOR-US: Cisco CVE-2015-0634 (Cross-site scripting (XSS) vulnerability in the administrative interfa ...) NOT-FOR-US: Cisco CVE-2015-0633 (The Integrated Management Controller (IMC) in Cisco Unified Computing ...) NOT-FOR-US: Cisco CVE-2015-0632 (Race condition in the Neighbor Discovery (ND) protocol implementation ...) NOT-FOR-US: Cisco IOS CVE-2015-0631 (Race condition in the SSL implementation on Cisco Intrusion Prevention ...) NOT-FOR-US: Cisco IPS CVE-2015-0630 RESERVED CVE-2015-0629 RESERVED CVE-2015-0628 (The proxy engine on Cisco Web Security Appliance (WSA) devices allows ...) NOT-FOR-US: Cisco WSA CVE-2015-0627 RESERVED CVE-2015-0626 (The SOAP interface in Cisco Hosted Collaboration Solution (HCS) allows ...) NOT-FOR-US: Cisco HCS CVE-2015-0625 RESERVED CVE-2015-0624 (The web framework in Cisco AsyncOS on Email Security Appliance (ESA), ...) NOT-FOR-US: Cisco CVE-2015-0623 (Cross-site scripting (XSS) vulnerability in the Administrator report p ...) NOT-FOR-US: Cisco WSA CVE-2015-0622 (The Wireless Intrusion Detection (aka WIDS) functionality on Cisco Wir ...) NOT-FOR-US: Cisco WLC CVE-2015-0621 (Cisco TelePresence MCU devices with software 4.5(1.45) allow remote at ...) NOT-FOR-US: Cisco TelePresence CVE-2015-0620 (The XML parser in Cisco TelePresence Management Suite (TMS) 14.3(.2) a ...) NOT-FOR-US: Cisco TelePresence CVE-2015-0619 (Memory leak in the embedded web server in the WebVPN subsystem in Cisc ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2015-0618 (Cisco IOS XR 5.0.1 and 5.2.1 on Network Convergence System (NCS) 6000 ...) NOT-FOR-US: Cisco IOS CVE-2015-0617 (Cisco ASR 5500 System Architecture Evolution (SAE) Gateway devices all ...) NOT-FOR-US: Cisco CVE-2015-0616 (The Connection Conversation Manager (aka CuCsMgr) process in Cisco Uni ...) NOT-FOR-US: Cisco CVE-2015-0615 (The call-handling implementation in Cisco Unity Connection 8.5 before ...) NOT-FOR-US: Cisco CVE-2015-0614 (The Connection Conversation Manager (aka CuCsMgr) process in Cisco Uni ...) NOT-FOR-US: Cisco CVE-2015-0613 (The Connection Conversation Manager (aka CuCsMgr) process in Cisco Uni ...) NOT-FOR-US: Cisco CVE-2015-0612 (The Connection Conversation Manager (aka CuCsMgr) process in Cisco Uni ...) NOT-FOR-US: Cisco CVE-2015-0611 (The administrative web-management portal in Cisco IX 8 (.0.1) and earl ...) NOT-FOR-US: Cisco TelePresence CVE-2015-0610 (Race condition in the object-group ACL feature in Cisco IOS 15.5(2)T a ...) NOT-FOR-US: Cisco CVE-2015-0609 (Race condition in the Common Classification Engine (CCE) in the Measur ...) NOT-FOR-US: Cisco CVE-2015-0608 (Race condition in the Measurement, Aggregation, and Correlation Engine ...) NOT-FOR-US: Cisco CVE-2015-0607 (The Authentication Proxy feature in Cisco IOS does not properly handle ...) NOT-FOR-US: Cisco CVE-2015-0606 (The IOS Shell in Cisco IOS allows local users to cause a denial of ser ...) NOT-FOR-US: Cisco CVE-2015-0605 (The uuencode inspection engine in Cisco AsyncOS on Cisco Email Securit ...) NOT-FOR-US: Cisco CVE-2015-0604 (The web framework on Cisco Unified IP 9900 phones with firmware 9.4(.1 ...) NOT-FOR-US: Cisco CVE-2015-0603 (Cisco Unified IP 9900 phones with firmware 9.4(.1) and earlier use wea ...) NOT-FOR-US: Cisco CVE-2015-0602 (The mobility extension on Cisco Unified IP 9900 phones with firmware 9 ...) NOT-FOR-US: Cisco CVE-2015-0601 (Cisco Unified IP 9900 phones with firmware 9.4(.1) and earlier allow l ...) NOT-FOR-US: Cisco CVE-2015-0600 (The mobility extension on Cisco Unified IP 9900 phones with firmware 9 ...) NOT-FOR-US: Cisco CVE-2015-0599 (The web interface in Cisco Integrated Management Controller in Cisco U ...) NOT-FOR-US: Cisco CVE-2015-0598 (The RADIUS implementation in Cisco IOS and IOS XE allows remote attack ...) NOT-FOR-US: Cisco CVE-2015-0597 (The Forgot Password feature in Cisco WebEx Meetings Server 1.5(.1.131) ...) NOT-FOR-US: Cisco CVE-2015-0596 (Cross-site request forgery (CSRF) vulnerability in Cisco WebEx Meeting ...) NOT-FOR-US: Cisco CVE-2015-0595 (The XMLAPI in Cisco WebEx Meetings Server 1.5(.1.131) and earlier allo ...) NOT-FOR-US: Cisco CVE-2015-0594 (Multiple cross-site scripting (XSS) vulnerabilities in the help pages ...) NOT-FOR-US: Cisco CVE-2015-0593 (The Zone-Based Firewall implementation in Cisco IOS 12.4(122)T and ear ...) NOT-FOR-US: Cisco CVE-2015-0592 (The Zone-Based Firewall implementation in Cisco IOS 15.4(2)T3 and earl ...) NOT-FOR-US: Cisco CVE-2015-0591 (Cisco Unified Communications Domain Manager (UCDM) 10 allows remote at ...) NOT-FOR-US: Cisco Unified Communications Domain Manager CVE-2015-0590 (Cisco WebEx Meeting Center allows remote attackers to activate disable ...) NOT-FOR-US: Cisco WebEx CVE-2015-0589 (The administrative web interface in Cisco WebEx Meetings Server 1.0 th ...) NOT-FOR-US: Cisco CVE-2015-0588 (Cross-site request forgery (CSRF) vulnerability in Cisco Unified Commu ...) NOT-FOR-US: Cisco Unified Communications Domain Manager CVE-2015-0587 RESERVED CVE-2015-0586 (The Network-Based Application Recognition (NBAR) protocol implementati ...) NOT-FOR-US: Cisco CVE-2015-0585 RESERVED CVE-2015-0584 (The image-upgrade implementation on Cisco Desktop Collaboration Experi ...) NOT-FOR-US: Cisco CVE-2015-0583 (Cisco WebEx Meeting Center does not properly restrict the content of U ...) NOT-FOR-US: Cisco WebEx Meeting Center CVE-2015-0582 (The High Availability (HA) subsystem in Cisco NX-OS on MDS 9000 device ...) NOT-FOR-US: Cisco NX-OS CVE-2015-0581 (The XML parser in Cisco Prime Service Catalog before 10.1 allows remot ...) NOT-FOR-US: Cisco CVE-2015-0580 (Multiple SQL injection vulnerabilities in the ACS View reporting inter ...) NOT-FOR-US: Cisco Secure Access Control System CVE-2015-0579 (Cisco TelePresence Video Communication Server (VCS) and Cisco Expressw ...) NOT-FOR-US: Cisco TelePrecence Video Communication Server CVE-2015-0578 (Cisco Adaptive Security Appliance (ASA) Software, when a DHCPv6 relay ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2015-0577 (Multiple cross-site scripting (XSS) vulnerabilities in the IronPort Sp ...) NOT-FOR-US: Cisco AsyncOS CVE-2015-0576 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-0575 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-0574 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-0573 (drivers/media/platform/msm/broadcast/tsc.c in the TSC driver for the L ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-0572 (Multiple race conditions in drivers/char/adsprpc.c and drivers/char/ad ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-0571 (The WLAN (aka Wi-Fi) driver for the Linux kernel 3.x and 4.x, as used ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-0570 (Stack-based buffer overflow in the SET_WPS_IE IOCTL implementation in ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-0569 (Heap-based buffer overflow in the private wireless extensions IOCTL im ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-0568 (Use-after-free vulnerability in the msm_set_crop function in drivers/m ...) NOT-FOR-US: Qualcomm driver for Android CVE-2015-0567 RESERVED CVE-2015-0566 RESERVED CVE-2015-0565 (NaCl in 2015 allowed the CLFLUSH instruction, making rowhammer attacks ...) - nacl (unimportant) NOTE: https://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=284 NOTE: Limited impact, and for chromium itself the CLFLUSH instruction has been NOTE: disalowed. CVE-2014-9585 (The vdso_addr function in arch/x86/vdso/vma.c in the Linux kernel thro ...) {DSA-3170-1 DLA-155-1} - linux 3.16.7-ckt4-1 - linux-2.6 NOTE: https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/commit/?id=fbe1bf140671619508dfa575d74a185ae53c5dbb NOTE: http://marc.info/?l=linux-kernel&m=141911002822659&w=2 CVE-2014-9583 (common.c in infosvr in ASUS WRT firmware 3.0.0.4.376_1071, 3.0.0.376.2 ...) NOT-FOR-US: infosvr in ASUS WRT firmware CVE-2014-9582 (Cross-site scripting (XSS) vulnerability in components/filemanager/dia ...) NOT-FOR-US: Codiad CVE-2014-9581 (Directory traversal vulnerability in components/filemanager/download.p ...) NOT-FOR-US: Codiad CVE-2014-9580 (Cross-site scripting (XSS) vulnerability in ProjectSend (formerly cFTP ...) NOT-FOR-US: ProjectSend CVE-2014-9579 (VDG Security SENSE (formerly DIVA) 2.3.13 stores administrator credent ...) NOT-FOR-US: VDG Security SENSE CVE-2014-9578 (VDG Security SENSE (formerly DIVA) 2.3.13 performs authentication with ...) NOT-FOR-US: VDG Security SENSE CVE-2014-9577 (VDG Security SENSE (formerly DIVA) 2.3.13 sends the user database when ...) NOT-FOR-US: VDG Security SENSE CVE-2014-9576 (VDG Security SENSE (formerly DIVA) 2.3.13 has a hardcoded password of ...) NOT-FOR-US: VDG Security SENSE CVE-2014-9575 (VDG Security SENSE (formerly DIVA) before 2.3.15 allows remote attacke ...) NOT-FOR-US: VDG Security SENSE CVE-2014-9574 (Directory traversal vulnerability in install.php in FluxBB before 1.5. ...) NOT-FOR-US: FluxBB CVE-2014-9573 (SQL injection vulnerability in manage_user_page.php in MantisBT before ...) - mantis (bug #780875) [wheezy] - mantis (Minor issue) [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: Upstream patch: http://github.com/mantisbt/mantisbt/commit/69c2d28d (1.2.x) NOTE: https://www.mantisbt.org/bugs/view.php?id=17940 CVE-2014-9572 (MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly ...) - mantis (bug #780875) [wheezy] - mantis (Minor issue) [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: Upstream patch: http://github.com/mantisbt/mantisbt/commit/5571bcf9 (1.2.x) NOTE: https://www.mantisbt.org/bugs/view.php?id=17939 CVE-2014-9571 (Cross-site scripting (XSS) vulnerability in admin/install.php in Manti ...) - mantis (bug #780875) [wheezy] - mantis (Minor issue) [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: Upstream patch: http://github.com/mantisbt/mantisbt/commit/6d47c047 (1.2.x) NOTE: https://www.mantisbt.org/bugs/view.php?id=17938 CVE-2014-9570 (Multiple cross-site scripting (XSS) vulnerabilities in the MyWebsiteAd ...) NOT-FOR-US: WordPress plugin MyWebsiteAdvisor Simple Security CVE-2014-9569 (Multiple cross-site scripting (XSS) vulnerabilities in SAP NetWeaver B ...) NOT-FOR-US: SAP NetWeaver Business Client CVE-2014-9568 (puppetlabs-rabbitmq 3.0 through 4.1 stores the RabbitMQ Erlang cookie ...) NOT-FOR-US: Puppet module rabbitmq CVE-2014-9567 (Unrestricted file upload vulnerability in process-upload.php in Projec ...) NOT-FOR-US: ProjectSend CVE-2014-9566 (Multiple SQL injection vulnerabilities in the Manage Accounts page in ...) NOT-FOR-US: SolarWinds CVE-2014-9565 (Cross-site request forgery (CSRF) vulnerability in IBM Flex System EN6 ...) NOT-FOR-US: IBM CVE-2014-9564 (CRLF injection vulnerability in IBM Flex System EN6131 40Gb Ethernet a ...) NOT-FOR-US: IBM CVE-2014-9563 (CRLF injection vulnerability in the web-based management (WBM) interfa ...) NOT-FOR-US: Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone CVE-2014-9562 (Cross-site scripting (XSS) vulnerability in display_dialog.php in M2 O ...) NOT-FOR-US: M2 OptimalSite CVE-2014-9561 (Cross-site scripting (XSS) vulnerability in redir_last_post_list.php i ...) NOT-FOR-US: SoftBB CVE-2014-9560 (SQL injection vulnerability in redir_last_post_list.php in SoftBB 0.1. ...) NOT-FOR-US: SoftBB CVE-2014-9559 (Cross-site scripting (XSS) vulnerability in SnipSnap 0.5.2a, 1.0b1, an ...) NOT-FOR-US: SnipSnap CVE-2014-9558 (Multiple SQL injection vulnerabilities in SmartCMS v.2. ...) NOT-FOR-US: SmartCMS CVE-2014-9557 (Multiple cross-site scripting (XSS) vulnerabilities in SmartCMS v.2. ...) NOT-FOR-US: SmartCMS CVE-2014-9555 RESERVED CVE-2014-9554 RESERVED CVE-2014-9553 RESERVED CVE-2014-9552 RESERVED CVE-2014-9551 RESERVED CVE-2014-9550 RESERVED CVE-2014-9549 RESERVED CVE-2014-9548 RESERVED CVE-2014-9547 RESERVED CVE-2014-9546 RESERVED CVE-2014-9545 RESERVED CVE-2014-9544 RESERVED CVE-2014-9543 RESERVED CVE-2014-9542 RESERVED CVE-2014-9541 RESERVED CVE-2014-9540 RESERVED CVE-2014-9539 RESERVED CVE-2014-9538 RESERVED CVE-2014-9537 RESERVED CVE-2014-9536 RESERVED CVE-2014-9535 RESERVED CVE-2014-9534 RESERVED CVE-2014-9533 RESERVED CVE-2014-9532 RESERVED CVE-2014-9531 RESERVED CVE-2014-9530 (A vulnerability exists in nw.js before 0.11.3 when calling nw methods ...) NOT-FOR-US: nw.js CVE-2014-9528 (SQL injection vulnerability in the actionIndex function in protected/m ...) NOT-FOR-US: HumHub CVE-2014-9527 (HSLFSlideShow in Apache POI before 3.11 allows remote attackers to cau ...) - libapache-poi-java 3.10.1-2 (low; bug #775171) [wheezy] - libapache-poi-java (Minor issue) CVE-2015-1198 (Multiple directory traversal vulnerabilities in ha 0.999p+dfsg-5. ...) - ha (low; bug #774954) [squeeze] - ha (Minor issue) [wheezy] - ha (Minor issue) CVE-2015-1352 (The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) ...) {DSA-3195-1} - php5 5.6.6+dfsg-2 (bug #777036) [squeeze] - php5 (vulnerable code (build_tablename()) introduced later) NOTE: https://bugs.php.net/bug.php?id=68741 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=124fb22a13fafa3648e4e15b4f207c7096d8155e CVE-2015-1351 (Use-after-free vulnerability in the _zend_shared_memdup function in ze ...) - php5 5.6.6+dfsg-2 (bug #777033) [squeeze] - php5 (opcache introduced in 5.5) [wheezy] - php5 (opcache introduced in 5.5) NOTE: https://bugs.php.net/bug.php?id=68677 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=777c39f4042327eac4b63c7ee87dc1c7a09a3115 CVE-2015-XXXX [insecure keyring handling] - weboob 1.0-3 (low; bug #774838) [wheezy] - weboob (Minor issue) CVE-2015-1042 (The string_sanitize_url function in core/string_api.php in MantisBT 1. ...) - mantis (bug #780875) [wheezy] - mantis (Minor issue) [squeeze] - mantis (Incomplete fix not applied) NOTE: https://www.mantisbt.org/bugs/view.php?id=17997 NOTE: http://github.com/mantisbt/mantisbt/commit/d95f070d CVE-2015-1031 (Multiple use-after-free vulnerabilities in Privoxy before 3.0.22 allow ...) {DSA-3133-1 DLA-142-1} - privoxy 3.0.21-5 (bug #775167) NOTE: http://www.privoxy.org/announce.txt NOTE: http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/list.c?view=patch&r1=1.31&r2=1.32&pathrev=v_3_0_22 CVE-2015-1030 (Memory leak in the rfc2553_connect_to function in jbsocket.c in Privox ...) - privoxy 3.0.21-5 (bug #775167) [squeeze] - privoxy (Introduced in 3.0.21) [wheezy] - privoxy (Introduced in 3.0.21) NOTE: http://www.privoxy.org/announce.txt NOTE: http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/cgisimple.c?view=patch&r1=1.130&r2=1.131&pathrev=v_3_0_22 CVE-2015-1197 (cpio 2.11, when using the --no-absolute-filenames option, allows local ...) - cpio 2.11+dfsg-4.1 (low; bug #774669) [wheezy] - cpio (Minor issue) [squeeze] - cpio (Minor issue) NOTE: Patch used in SUSE: https://bugzilla.suse.com/attachment.cgi?id=599460&action=diff NOTE: https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=45b0ee2b407913c533f7ded8d6f8cbeec16ff6ca NOTE: Regression in upstream's handling of patch https://bugs.debian.org/946267 CVE-2015-4469 (The chmd_read_headers function in chmd.c in libmspack before 0.5 does ...) - libmspack 0.4-3 (bug #774726) NOTE: http://www.openwall.com/lists/oss-security/2015/02/03/11 CVE-2015-4468 (Multiple integer overflows in the search_chunk function in chmd.c in l ...) - libmspack 0.4-3 (bug #774726) NOTE: http://www.openwall.com/lists/oss-security/2015/02/03/11 CVE-2015-4467 (The chmd_init_decomp function in chmd.c in libmspack before 0.5 does n ...) - libmspack 0.4-3 (bug #774725) NOTE: http://www.openwall.com/lists/oss-security/2015/02/03/11 CVE-2015-9275 (ARC 5.21q allows directory traversal via a full pathname in an archive ...) - arc 5.21q-6 (low; bug #774527) [stretch] - arc 5.21q-4+deb9u1 [jessie] - arc (Minor issue) [wheezy] - arc (Minor issue) [squeeze] - arc (Minor issue) CVE-2015-XXXX [saves unknown host's fingerprint in known_hosts without any prompt] - lftp 4.6.1-2 (low; bug #774769) [jessie] - lftp 4.6.0-1+deb8u1 [squeeze] - lftp (Minor issue) [wheezy] - lftp (Minor issue) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/03/12/10 CVE-2014-9587 (Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcub ...) {DLA-613-1} - roundcube 1.1.1+dfsg.1-2 (bug #775576) [squeeze] - roundcube (Minor issue) [wheezy] - roundcube (Minor issue) NOTE: https://github.com/roundcube/roundcubemail/commit/376cbfd4f2dfcf455717409b70d9d056cbeb08b1 CVE-2015-0564 (Buffer underflow in the ssl_decrypt_record function in epan/dissectors ...) {DSA-3141-1 DLA-198-1} - wireshark 1.12.1+g01b65bf-3 (bug #776135) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-05.html CVE-2015-0563 (epan/dissectors/packet-smtp.c in the SMTP dissector in Wireshark 1.10. ...) {DLA-198-1} - wireshark 1.12.1+g01b65bf-3 (bug #776135) [squeeze] - wireshark (Only affected 1.10) [wheezy] - wireshark (Only affected 1.10) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-04.html CVE-2015-0562 (Multiple use-after-free vulnerabilities in epan/dissectors/packet-dec- ...) {DSA-3141-1 DLA-198-1} - wireshark 1.12.1+g01b65bf-3 (bug #776135) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-03.html CVE-2015-0561 (asn1/lpp/lpp.cnf in the LPP dissector in Wireshark 1.10.x before 1.10. ...) - wireshark 1.12.1+g01b65bf-3 (bug #776135) [squeeze] - wireshark (Only affected 1.8.9) [wheezy] - wireshark (Only affected 1.8.9) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-02.html CVE-2015-0560 (The dissect_wccp2r1_address_table_info function in epan/dissectors/pac ...) - wireshark 1.12.1+g01b65bf-3 (bug #776135) [squeeze] - wireshark (Only affected 1.10) [wheezy] - wireshark (Only affected 1.10) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-01.html CVE-2015-0559 (Multiple use-after-free vulnerabilities in epan/dissectors/packet-wccp ...) - wireshark 1.12.1+g01b65bf-3 (bug #776135) [squeeze] - wireshark (Only affected 1.10) [wheezy] - wireshark (Only affected 1.10) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-01.html CVE-2015-0558 (The ADB (formerly Pirelli Broadband Solutions) P.DGA4001N router with ...) NOT-FOR-US: ADB (formerly Pirelli Broadband Solutions) P.DGA4001N router CVE-2015-0555 (Buffer overflow in the XnsSdkDeviceIpInstaller.ocx ActiveX control in ...) NOT-FOR-US: Samsung CVE-2015-0554 (The ADB (formerly Pirelli Broadband Solutions) P.DGA4001N router with ...) NOT-FOR-US: ADB router CVE-2015-0553 (Cross-site scripting (XSS) vulnerability in admin/pages/modify.php in ...) NOT-FOR-US: WebsiteBaker CVE-2014-9526 (Multiple cross-site scripting (XSS) vulnerabilities in concrete5 5.7.2 ...) NOT-FOR-US: concrete5 CVE-2014-9525 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Time ...) NOT-FOR-US: Timed Popup (wp-timed-popup) plugin for WordPress CVE-2014-9524 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Face ...) NOT-FOR-US: Facebook Like Box (cardoza-facebook-like-box) plugin for WordPress CVE-2014-9523 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Our ...) NOT-FOR-US: Our Team Showcase (our-team-enhanced) plugin for WordPress CVE-2014-9522 (Multiple cross-site scripting (XSS) vulnerabilities in CMS Papoo Light ...) NOT-FOR-US: CMS Papoo Light CVE-2014-9521 (Unrestricted file upload vulnerability in uploadScript.php in Infinite ...) NOT-FOR-US: InfiniteWP Admin Panel CVE-2014-9520 (SQL injection vulnerability in execute.php in InfiniteWP Admin Panel b ...) NOT-FOR-US: InfiniteWP Admin Panel CVE-2014-9519 (SQL injection vulnerability in login.php in InfiniteWP Admin Panel bef ...) NOT-FOR-US: InfiniteWP Admin Panel CVE-2014-9518 (Cross-site scripting (XSS) vulnerability in login.cgi in D-Link router ...) NOT-FOR-US: login.cgi in D-Link router DIR-655 (rev Bx) with firmware before 2.12b01 CVE-2014-9517 (Cross-site scripting (XSS) vulnerability in D-link IP camera DCS-2103 ...) NOT-FOR-US: D-link IP camera DCS-2103 CVE-2014-9516 (Cross-site scripting (XSS) vulnerability in Social Microblogging PRO 1 ...) NOT-FOR-US: Social Microblogging PRO CVE-2014-9515 (Dozer improperly uses a reflection-based approach to type conversion, ...) NOT-FOR-US: Dozer CVE-2014-9514 (Cross-site scripting (XSS) vulnerability in BMC Footprints Service Cor ...) NOT-FOR-US: BMC CVE-2014-9512 (rsync 3.1.1 allows remote attackers to write to arbitrary files via a ...) - rsync 3.1.1-3 (low; bug #778333) [wheezy] - rsync (Affected sanitising functionality not yet present) [squeeze] - rsync (Affected sanitising functionality not yet present) NOTE: http://xteam.baidu.com/?p=169 CVE-2014-9511 RESERVED CVE-2014-9510 (Cross-site request forgery (CSRF) vulnerability in the administration ...) NOT-FOR-US: TP-Link TL-WR840N router CVE-2014-9509 (The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x t ...) - typo3-src [wheezy] - typo3-src (See DSA 3314) [squeeze] - typo3-src (Unsupported in squeeze-lts) NOTE: Solution is to remove he configuration options config.prefixLocalAnchors NOTE: (and optionally also config.baseUrl) in favor of config.absRefPrefix CVE-2014-9508 (The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x t ...) - typo3-src 4.5.40+dfsg1-1 (bug #775105) [wheezy] - typo3-src (See DSA 3314) [squeeze] - typo3-src (Unsupported in squeeze-lts) NOTE: https://review.typo3.org/#/c/35222/ NOTE: https://review.typo3.org/gitweb?p=Packages/TYPO3.CMS.git;a=commitdiff;h=63ae7ddd11d284a121f23ce86282e3149bc16f96 CVE-2014-9505 (Cross-site scripting (XSS) vulnerability in the School Administration ...) NOT-FOR-US: School Administration module for Drupal CVE-2014-9504 (The OG Subgroups module, when used with the Open Atrium module 7.x-2.x ...) NOT-FOR-US: Open Atrium module for Drupal CVE-2014-9503 (The Discussions sub module in the Open Atrium module 7.x-2.x before 7. ...) NOT-FOR-US: Open Atrium module for Drupal CVE-2014-9502 (Multiple cross-site request forgery (CSRF) vulnerabilities in unspecif ...) NOT-FOR-US: Open Atrium module for Drupal CVE-2014-9501 (Cross-site scripting (XSS) vulnerability in the Poll Chart Block modul ...) NOT-FOR-US: Poll Chart Block module for Drupal CVE-2014-9500 (Cross-site scripting (XSS) vulnerability in the Moip module 7.x-1.x be ...) NOT-FOR-US: Moip module for Drupal CVE-2014-9499 (Cross-site scripting (XSS) vulnerability in the Godwin's Law module be ...) NOT-FOR-US: Godwin's Law for Drupal CVE-2014-9498 (Cross-site scripting (XSS) vulnerability in the Webform Invitation mod ...) NOT-FOR-US: Webform Invitation module for Drupal CVE-2014-9492 REJECTED CVE-2014-9491 (The devzvol_readdir function in illumos does not check the return valu ...) NOT-FOR-US: illumos CVE-2014-9490 (The numtok function in lib/raven/okjson.rb in the raven-ruby gem befor ...) NOT-FOR-US: raven ruby gem CVE-2014-9488 (The is_utf8_well_formed function in GNU less before 475 allows remote ...) - less 481-1 (unimportant; bug #780247) NOTE: http://www.openwall.com/lists/oss-security/2015/03/10/14 NOTE: https://blog.fuzzing-project.org/3-less-out-of-bounds-read-access-TFPA-0022014.html CVE-2014-9484 RESERVED CVE-2014-9473 (Unrestricted file upload vulnerability in lib_nonajax.php in the Cform ...) NOT-FOR-US: formsII plugin for WordPress CVE-2014-9472 (The email gateway in RT (aka Request Tracker) 3.0.0 through 4.x before ...) {DSA-3176-1 DLA-158-1} - request-tracker4 4.2.8-3 - request-tracker3.8 (unimportant) CVE-2014-9470 (Cross-site scripting (XSS) vulnerability in the loadForm function in F ...) NOT-FOR-US: Fork CMS CVE-2014-9469 (Cross-site scripting (XSS) vulnerability in vBulletin 3.5.4, 3.6.0, 3. ...) NOT-FOR-US: vBulletin CVE-2014-9468 (Multiple cross-site scripting (XSS) vulnerabilities in InstantASP Inst ...) NOT-FOR-US: InstantASP InstantForum.NET CVE-2014-9467 RESERVED CVE-2014-9466 (Open-Xchange (OX) AppSuite and Server before 7.4.2-rev42, 7.6.0 before ...) NOT-FOR-US: Open-Xchange CVE-2014-9464 (SQL injection vulnerability in Category.php in Microweber CMS 0.95 bef ...) NOT-FOR-US: Microweber CMS CVE-2014-9463 (functions_vbseo_hook.php in the VBSEO module for vBulletin allows remo ...) NOT-FOR-US: vBulletin CVE-2014-9462 (The _validaterepo function in sshpeer in Mercurial before 3.2.4 allows ...) {DSA-3257-1 DLA-237-1} - mercurial 3.4-1 (bug #783237) NOTE: http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html NOTE: http://selenic.com/hg/rev/e3f30068d2eb CVE-2014-9461 (Directory traversal vulnerability in models/Cart66.php in the Cart66 L ...) NOT-FOR-US: Cart66 Lite plugin for WordPress CVE-2014-9460 (Multiple cross-site request forgery (CSRF) vulnerabilities in the WP-V ...) NOT-FOR-US: WP-ViperGB plugin for WordPress CVE-2014-9459 (Cross-site request forgery (CSRF) vulnerability in the AdminObserver f ...) NOT-FOR-US: e107 CVE-2014-9458 (Heap-based buffer overflow in the GDB debugger module in Hex-Rays IDA ...) NOT-FOR-US: Hex-Rays IDA Pro CVE-2014-9457 (SQL injection vulnerability in classes/mono_display.class.php in PMB 4 ...) NOT-FOR-US: PMB CVE-2014-9456 (Buffer overflow in NotePad++ 6.6.9 allows remote attackers to have uns ...) NOT-FOR-US: NotePad++ CVE-2014-9455 (SQL injection vulnerability in showads.php in CTS Projects & Softw ...) NOT-FOR-US: CTS Projects & Software ClassAd CVE-2014-9454 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Simp ...) NOT-FOR-US: Simple Sticky Footer plugin for WordPress CVE-2014-9453 (Multiple cross-site scripting (XSS) vulnerabilities in simple-visitor- ...) NOT-FOR-US: Simple visitor stat plugin for WordPress CVE-2014-9452 (Directory traversal vulnerability in VDG Security SENSE (formerly DIVA ...) NOT-FOR-US: VDG Security SENSE CVE-2014-9451 (Multiple stack-based buffer overflows in the DIVA web service API (/we ...) NOT-FOR-US: VDG Security SENS CVE-2014-9448 (Buffer overflow in Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 all ...) NOT-FOR-US: Mini-stream RM-MP3 Converter CVE-2014-9445 (SQL injection vulnerability in incl/create.inc.php in Installatron GQ ...) NOT-FOR-US: GQ File Manager CVE-2014-9444 (Cross-site scripting (XSS) vulnerability in the Frontend Uploader plug ...) NOT-FOR-US: Frontend Uploader plugin for WordPress CVE-2014-9443 (Cross-site scripting (XSS) vulnerability in the Relevanssi plugin befo ...) NOT-FOR-US: Relevanssi plugin for WordPress CVE-2014-9442 (SQL injection vulnerability in models/Cart66Ajax.php in the Cart66 Lit ...) NOT-FOR-US: Cart66 Lite plugin for WordPress CVE-2014-9441 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Ligh ...) NOT-FOR-US: Lightbox Photo Gallery plugin for WordPress CVE-2014-9440 (SQL injection vulnerability in browse.php in phpMyRecipes 1.2.2 allows ...) NOT-FOR-US: phpMyRecipes CVE-2014-9439 (Cross-site scripting (XSS) vulnerability in Easy File Sharing Web Serv ...) NOT-FOR-US: Easy File Sharing Web Server CVE-2014-9438 (Cross-site request forgery (CSRF) vulnerability in the Moderator Contr ...) NOT-FOR-US: vBulletin CVE-2014-9437 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Slid ...) NOT-FOR-US: Sliding Social Icons plugin for WordPress CVE-2014-9436 (Absolute path traversal vulnerability in SysAid On-Premise before 14.4 ...) NOT-FOR-US: SysAid CVE-2014-9435 (Multiple SQL injection vulnerabilities in Absolut Engine 1.73 allow re ...) NOT-FOR-US: Absolut Engine CVE-2014-9434 (Cross-site scripting (XSS) vulnerability in admin/managerrelated.php i ...) NOT-FOR-US: Absolut Engine CVE-2014-9431 (Multiple cross-site request forgery (CSRF) vulnerabilities in Smoothwa ...) NOT-FOR-US: Smoothwall CVE-2014-9430 (Cross-site scripting (XSS) vulnerability in httpd/cgi-bin/vpn.cgi/vpnc ...) NOT-FOR-US: Smoothwall CVE-2014-9429 (Multiple cross-site scripting (XSS) vulnerabilities in Smoothwall Expr ...) NOT-FOR-US: Smoothwall CVE-2013-7418 (cgi-bin/iptablesgui.cgi in IPCop (aka IPCop Firewall) before 2.1.5 all ...) NOT-FOR-US: IPCop CVE-2013-7417 (Cross-site scripting (XSS) vulnerability in cgi-bin/ipinfo.cgi in IPCo ...) NOT-FOR-US: IPCop CVE-2011-5318 (Multiple cross-site request forgery (CSRF) vulnerabilities in diafan.C ...) NOT-FOR-US: diafan.CMS CVE-2011-5317 (Cross-site scripting (XSS) vulnerability in editText.php in WonderCMS ...) NOT-FOR-US: WonderCMS CVE-2011-5316 (Cross-site request forgery (CSRF) vulnerability in admin/index.php in ...) NOT-FOR-US: Cambio CVE-2011-5315 (Cross-site request forgery (CSRF) vulnerability in admin/index.php in ...) NOT-FOR-US: whCMS CVE-2011-5314 (templates/default/index.php in Redaxscript 0.3.2 allows remote attacke ...) NOT-FOR-US: Redaxscript CVE-2011-5313 (Multiple SQL injection vulnerabilities in includes/password.php in Red ...) NOT-FOR-US: Redaxscript CVE-2011-5312 (Multiple cross-site scripting (XSS) vulnerabilities in Gollos 2.8 allo ...) NOT-FOR-US: Gollos CVE-2011-5311 (Cross-site request forgery (CSRF) vulnerability in pages.php in Wikipa ...) NOT-FOR-US: Wikipad CVE-2011-5310 (Directory traversal vulnerability in pages.php in Wikipad 1.6.0 allows ...) NOT-FOR-US: Wikipad CVE-2011-5309 (Cross-site scripting (XSS) vulnerability in pages.php in Wikipad 1.6.0 ...) NOT-FOR-US: Wikipad CVE-2011-5308 (Multiple SQL injection vulnerabilities in cdnvote-post.php in the cdnv ...) NOT-FOR-US: cdnvote plugin for WordPress CVE-2011-5307 (Cross-site scripting (XSS) vulnerability in index.php in the PhotoSmas ...) NOT-FOR-US: PhotoSmash plugin for WordPress CVE-2011-5306 (Cross-site request forgery (CSRF) vulnerability in cgi-bin/admin/setup ...) NOT-FOR-US: CosmoShop ePRO CVE-2011-5305 (Multiple cross-site scripting (XSS) vulnerabilities in CosmoShop ePRO ...) NOT-FOR-US: CosmoShop ePRO CVE-2011-5304 (Multiple cross-site scripting (XSS) vulnerabilities in the Sodahead Po ...) NOT-FOR-US: Sodahead Polls plugin for WordPress CVE-2011-5303 (Cross-site scripting (XSS) vulnerability in Spitfire CMS 1.0.436 allow ...) NOT-FOR-US: Spitfire CMS CVE-2011-5302 (Cross-site request forgery (CSRF) vulnerability in adm/admin_edit.php ...) NOT-FOR-US: PHPDug CVE-2011-5301 (Multiple cross-site scripting (XSS) vulnerabilities in PHPDug 2.0.0 al ...) NOT-FOR-US: PHPDug CVE-2011-5300 (Cross-site request forgery (CSRF) vulnerability in admin/setup/config/ ...) NOT-FOR-US: poMMo Aardvark CVE-2011-5299 (Multiple cross-site scripting (XSS) vulnerabilities in poMMo Aardvark ...) NOT-FOR-US: poMMo Aardvark CVE-2011-5298 (Multiple cross-site request forgery (CSRF) vulnerabilities in Argyle S ...) NOT-FOR-US: Argyle Social CVE-2011-5297 (Multiple cross-site scripting (XSS) vulnerabilities in TTChat 1.0.4 al ...) NOT-FOR-US: TTChat CVE-2011-5296 (Cross-site scripting (XSS) vulnerability in profilo.php in Happy Chat ...) NOT-FOR-US: Happy Chat CVE-2011-5295 (Buffer overflow in the Download method in a certain ActiveX control in ...) NOT-FOR-US: Gogago YouTube Video Converter CVE-2011-5294 (The SaveMessage method in the LEADeMail.LEADSmtp.20 ActiveX control in ...) NOT-FOR-US: Kofax e-Transactions Sender Sendbox CVE-2011-5293 (The cmdSave method in the ThreeDify.ThreeDifyDesigner.1 ActiveX contro ...) NOT-FOR-US: ThreeDify Designer CVE-2011-5292 (The EaseWeFtp.FtpLibrary ActiveX control in EaseWeFtp.ocx in Easewe FT ...) NOT-FOR-US: Easewe FTP OCX CVE-2011-5291 (The SaveData method in the Cygnicon.ViewControl.1 ActiveX control in C ...) NOT-FOR-US: Ashampoo 3D CAD Professional CVE-2011-5290 (The SaveToFile method in the UniBasicPack.UniTextBox ActiveX control i ...) NOT-FOR-US: IDrive Online Backup CVE-2011-5289 (The SaveDecrypted method in the ChilkatCrypt2.ChilkatOmaDrm.1 ActiveX ...) NOT-FOR-US: aTube Catcher CVE-2011-5288 (Multiple buffer overflows in the ThreeDify.ThreeDifyDesigner.1 ActiveX ...) NOT-FOR-US: ThreeDify Designer CVE-2011-5287 (Multiple cross-site scripting (XSS) vulnerabilities in HESK before 2.4 ...) NOT-FOR-US: HESK CVE-2011-5286 (SQL injection vulnerability in social-slider-2/ajax.php in the Social ...) NOT-FOR-US: Social Slider plugin for WordPress CVE-2011-5285 (Multiple cross-site scripting (XSS) vulnerabilities in BugFree 2.1.3 a ...) NOT-FOR-US: BugFree CVE-2011-5284 (Cross-site request forgery (CSRF) vulnerability in the web management ...) NOT-FOR-US: Smoothwall CVE-2011-5283 (Cross-site scripting (XSS) vulnerability in the web management interfa ...) NOT-FOR-US: Smoothwall CVE-2010-5321 (Memory leak in drivers/media/video/videobuf-core.c in the videobuf sub ...) - linux (unimportant; bug #827340) - linux-2.6 (unimportant) NOTE: Unclear, old report for Linux NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=620629#c0 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=120571 CVE-2010-5320 (Multiple cross-site request forgery (CSRF) vulnerabilities in MemHT Po ...) NOT-FOR-US: MemHT Portal CVE-2010-5319 (Multiple cross-site request forgery (CSRF) vulnerabilities in Kandidat ...) NOT-FOR-US: Kandidat CMS CVE-2010-5318 (The password-reset feature in as/index.php in SweetRice CMS before 0.6 ...) NOT-FOR-US: SweetRice CMS CVE-2010-5317 (Multiple SQL injection vulnerabilities in index.php in SweetRice CMS b ...) NOT-FOR-US: SweetRice CMS CVE-2010-5316 (Cross-site scripting (XSS) vulnerability in as/index.php in SweetRice ...) NOT-FOR-US: SweetRice CMS CVE-2010-5315 (Multiple cross-site request forgery (CSRF) vulnerabilities in BEdita b ...) NOT-FOR-US: BEdita CVE-2010-5314 (Cross-site scripting (XSS) vulnerability in controllers/home_controlle ...) NOT-FOR-US: BEdita CVE-2014-9507 (MediaWiki 1.21.x, 1.22.x before 1.22.14, and 1.23.x before 1.23.7, whe ...) - mediawiki (There is no content handler in REL1_19) NOTE: Upstream bug https://phabricator.wikimedia.org/T72901 CVE-2014-9506 (MantisBT before 1.2.18 does not properly check permissions when sendin ...) {DSA-3120-1} - mantis [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: https://www.mantisbt.org/bugs/view.php?id=9885 CVE-2014-9584 (The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the ...) {DSA-3128-1 DLA-155-1} - linux 3.16.7-ckt4-1 - linux-2.6 NOTE: Upstream fix: https://git.kernel.org/linus/4e2024624e678f0ebb916e6192bd23c1f9fdf696 (v3.19-rc3) CVE-2015-1038 (p7zip 9.20.1 allows remote attackers to write to arbitrary files via a ...) {DSA-3289-1 DLA-245-1} - p7zip 9.20.1~dfsg.1-4.2 (bug #774660) NOTE: Upstream bug: http://sourceforge.net/p/p7zip/bugs/147/ CVE-2014-10022 (Apache Traffic Server before 5.1.2 allows remote attackers to cause a ...) - trafficserver 5.2.0-1 (bug #778895) [wheezy] - trafficserver (Only affects 5.x) NOTE: https://issues.apache.org/jira/browse/TS-3223 (fixed in 5.1.2) NOTE: https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;a=commit;h=8b5f0345dade6b2822d9b52c8ad12e63011a5c12 NOTE: notes: https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12327089&styleName=Html&projectId=12310963 CVE-2014-XXXX [crashes on crafted ELF] - ht 2.1.0-1 (low; bug #773308) [jessie] - ht (Minor issue) [wheezy] - ht (Minor issue) [squeeze] - ht (Minor issue) CVE-2014-XXXX [insecure LUA default load path] - libquvi 0.4.1-3 (low; bug #774555) [wheezy] - libquvi (Minor issue) [squeeze] - libquvi (Minor issue) CVE-2014-9489 (The gollum-grit_adapter Ruby gem dependency in gollum before 3.1.1 and ...) NOT-FOR-US: Gollum wiki CVE-2014-9487 (The getid3 library in MediaWiki before 1.24.1, 1.23.8, 1.22.15 and 1.1 ...) NOT-FOR-US: Mediawiki extension not packaged in src:mediawiki-extensions CVE-2014-9481 (The Scribunto extension for MediaWiki allows remote attackers to obtai ...) NOT-FOR-US: Mediawiki extension not packaged in src:mediawiki-extensions CVE-2014-9480 (Cross-site scripting (XSS) vulnerability in the Hovercards extension f ...) NOT-FOR-US: Mediawiki extension not packaged in src:mediawiki-extensions CVE-2014-9479 (Cross-site scripting (XSS) vulnerability in the preview in the Templat ...) NOT-FOR-US: Mediawiki extension not packaged in src:mediawiki-extensions CVE-2014-9478 (Cross-site scripting (XSS) vulnerability in the preview in the ExpandT ...) NOT-FOR-US: Mediawiki extension not packaged in src:mediawiki-extensions CVE-2014-9477 (Multiple cross-site scripting (XSS) vulnerabilities in the Listings ex ...) NOT-FOR-US: Mediawiki extension not packaged in src:mediawiki-extensions CVE-2014-9450 (Multiple SQL injection vulnerabilities in chart_bar.php in the fronten ...) - zabbix 1:2.2.7+dfsg-2 (bug #774750) [squeeze] - zabbix (Unsupported in squeeze-lts) NOTE: https://support.zabbix.com/browse/ZBX-8582 NOTE: https://github.com/svn2github/zabbix/commit/984bd3bec2d6ca5a80104a5574d19b7f4d04f24b CVE-2014-9449 (Buffer overflow in the RiffVideo::infoTagsHandler function in riffvide ...) - exiv2 0.24-4.1 (bug #773846) [wheezy] - exiv2 (Vulnerable code not present) [squeeze] - exiv2 (Vulnerable code not present) NOTE: http://dev.exiv2.org/issues/960 NOTE: http://dev.exiv2.org/projects/exiv2/repository/diff?rev=3264&rev_to=3263 CVE-2014-9447 (Directory traversal vulnerability in the read_long_names function in l ...) - elfutils 0.159-4.1 (bug #775536) [wheezy] - elfutils (Minor issue) [squeeze] - elfutils (Minor issue) NOTE: https://git.fedorahosted.org/cgit/elfutils.git/commit/?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e CVE-2015-0552 (Directory traversal vulnerability in the gcab_folder_extract function ...) - gcab 0.4-2 (bug #774580) CVE-2015-XXXX [Zoo directory traversal] - zoo (low; bug #774453) [stretch] - zoo (Minor issue) [jessie] - zoo (Minor issue) [wheezy] - zoo (Minor issue) [squeeze] - zoo (Minor issue) NOTE: CVE Request: https://marc.info/?l=oss-security&m=142024361327375&w=2 CVE-2015-XXXX [buffer over-read] - arc (low; bug #774439) [buster] - arc (Minor issue) [stretch] - arc (Minor issue) [jessie] - arc (Minor issue) [wheezy] - arc (Minor issue) [squeeze] - arc (Minor issue) CVE-2015-0557 (Open-source ARJ archiver 3.10.22 does not properly remove leading slas ...) {DSA-3213-1 DLA-188-1} - arj 3.10.22-13 (low; bug #774435) CVE-2015-0556 (Open-source ARJ archiver 3.10.22 allows remote attackers to conduct di ...) {DSA-3213-1 DLA-188-1} - arj 3.10.22-13 (low; bug #774434) CVE-2014-9529 (Race condition in the key_gc_unused_keys function in security/keys/gc. ...) {DSA-3128-1} - linux 3.16.7-ckt4-1 - linux-2.6 (Vulnerable code not present) NOTE: http://marc.info/?l=linux-kernel&m=141986398232547&w=2 NOTE: http://marc.info/?l=linux-kernel&m=142047362307894&w=2 CVE-2014-9513 (Insecure use of temporary files in xbindkeys-config 0.1.3-2 allows rem ...) - xbindkeys-config (unimportant; bug #772473) [jessie] - xbindkeys-config (Minor issue) [wheezy] - xbindkeys-config (Minor issue) [squeeze] - xbindkeys-config (Minor issue) NOTE: Not exploitable with kernel hardening since jessie CVE-2014-9495 (Heap-based buffer overflow in the png_combine_row function in libpng b ...) - libpng (Affects 1.5.x and 1.6.x series) - texlive-bin 2014.20140926.35254-4 (bug #773824) [squeeze] - texlive-bin (has a copy of libpng 1.2) [wheezy] - texlive-bin (uses system libpng) - libpng1.6 1.6.16-1 (bug #773823) - iceweasel (squeeze used the system libpng, and later versions define their own limits) - icedove (squeeze used the system libpng, and later versions define their own limits) NOTE: http://sourceforge.net/p/png-mng/mailman/message/33173461/ CVE-2014-9465 (senddocument.php in Zarafa WebApp before 2.0 beta 3 and WebAccess in Z ...) - zarafa (bug #658433) CVE-2014-9446 (Multiple cross-site scripting (XSS) vulnerabilities in the Staff clien ...) - koha (bug #702134) CVE-2014-9433 (Multiple cross-site scripting (XSS) vulnerabilities in cms/front_conte ...) NOT-FOR-US: Contenido CMS CVE-2014-9432 (Multiple cross-site scripting (XSS) vulnerabilities in templates/2k11/ ...) - serendipity CVE-2014-XXXX [denial of service with specific packets] - libhtp 1:0.5.25-1 (bug #774897) [wheezy] - libhtp (Minor issue) [squeeze] - libhtp (Minor issue) NOTE: https://redmine.openinfosecfoundation.org/issues/1272 NOTE: https://github.com/inliniac/libhtp/commit/4acebf251bb6c8343dd5f37f1b48cb38fec4fed4 NOTE: CVE Request: http://seclists.org/oss-sec/2014/q4/1035 CVE-2014-9485 (Directory traversal vulnerability in the do_extract_currentfile functi ...) - minizip 1.1-5 (low; bug #774321) CVE-2014-9426 (** DISPUTED ** The apprentice_load function in libmagic/apprentice.c i ...) NOTE: Disputed PHP issue to be rejected, code wasn't present in squeeze/wheezy or file (PHP-specific) CVE-2014-9423 (The svcauth_gss_accept_sec_context function in lib/rpc/svc_auth_gss.c ...) {DSA-3153-1 DLA-146-1} - krb5 1.12.1+dfsg-17 CVE-2014-9422 (The check_rpcsec_auth function in kadmin/server/kadm_rpc_svc.c in kadm ...) {DSA-3153-1 DLA-146-1} - krb5 1.12.1+dfsg-17 CVE-2014-9421 (The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in ...) {DSA-3153-1 DLA-146-1} - krb5 1.12.1+dfsg-17 CVE-2014-9418 (The eSpace Meeting ActiveX control (eSpaceStatusCtrl.dll) in Huawei eS ...) NOT-FOR-US: Huawei CVE-2014-9417 (The Meeting component in Huawei eSpace Desktop before V100R001C03 allo ...) NOT-FOR-US: Huawei CVE-2014-9416 (Multiple untrusted search path vulnerabilities in Huawei eSpace Deskto ...) NOT-FOR-US: Huawei CVE-2014-9415 (Huawei eSpace Desktop before V100R001C03 allows local users to cause a ...) NOT-FOR-US: Huawei CVE-2014-9414 (The W3 Total Cache plugin before 0.9.4.1 for WordPress does not proper ...) NOT-FOR-US: WordPress plugin W3 Total Cache CVE-2014-9413 (Multiple cross-site request forgery (CSRF) vulnerabilities in the IP B ...) NOT-FOR-US: IP Ban (simple-ip-ban) plugin for WordPress CVE-2014-9482 (Use-after-free vulnerability in dwarfdump in libdwarf 20130126 through ...) - dwarfutils (Vulnerable code introduced later, see bug #774530) NOTE: http://www.openwall.com/lists/oss-security/2014/12/31/3 CVE-2014-9427 (sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x ...) {DSA-3117-1} - php5 5.6.5+dfsg-1 [squeeze] - php5 (Introduced in 5.4.1) NOTE: https://bugs.php.net/bug.php?id=68618 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=f9ad3086693fce680fbe246e4a45aa92edd2ac35 CVE-2014-XXXX [CRAM-MD5 authentication bypass] - dbmail (Only affects versions supporting cram-md5, so 3.0.0 and later) NOTE: http://blog.gmane.org/gmane.mail.imap.dbmail/day=20141219 CVE-2014-9483 (Emacs 24.4 allows remote attackers to bypass security restrictions. ...) - emacs24 24.5+1-1 (unimportant; bug #774090) - emacs23 (Only affects Emacs 24) NOTE: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=18939 NOTE: Plain bug, security implications rather far-fetched CVE-2014-9556 (Integer overflow in the qtmd_decompress function in libmspack 0.4 allo ...) - libmspack 0.4-2 (bug #773041) - cabextract 1.4-5 (bug #772891) [wheezy] - cabextract (Minor issue) [squeeze] - cabextract (Minor issue) NOTE: Starting with 1.4-5 cabextract uses the mspack system library CVE-2012-6686 REJECTED CVE-2012-6685 (Nokogiri before 1.5.4 is vulnerable to XXE attacks ...) {DLA-229-1} - ruby-nokogiri 1.5.4-1 (low) - libnokogiri-ruby NOTE: https://github.com/sparklemotion/nokogiri/issues/693 NOTE: Full fix requires fixing CVE-2014-0191 in libxml2 too. CVE-2014-9428 (The batadv_frag_merge_packets function in net/batman-adv/fragmentation ...) - linux 3.16.7-ckt4-1 (bug #774155) [wheezy] - linux (Introduced in 3.13) - linux-2.6 (Introduced in 3.13) NOTE: http://thread.gmane.org/gmane.linux.network/343494 NOTE: Introduced by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=610bfc6bc99bc83680d190ebc69359a05fc7f605 (v3.13-rc1) NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5b6698b0e4a37053de35cc24ee695b98a7eb712b CVE-2014-9496 (The sd2_parse_rsrc_fork function in sd2.c in libsndfile allows attacke ...) {DLA-928-1 DLA-356-1} - libsndfile 1.0.25-9.1 (low; bug #774162) [squeeze] - libsndfile (Minor issue) CVE-2014-XXXX [a2p: buffer overflow] - perl 5.22.0~rc2-1 (unimportant; bug #769606) CVE-2014-9486 REJECTED CVE-2014-9497 (Buffer overflow in mpg123 before 1.18.0. ...) {DLA-655-1} - mpg123 1.18.0-1 [squeeze] - mpg123 (Introduced in 1.14.1) NOTE: http://sourceforge.net/p/mpg123/bugs/201/ CVE-2015-0551 (Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum ...) NOT-FOR-US: EMC Documentum WebTop Client CVE-2015-0550 (Directory traversal vulnerability in EMC Documentum Thumbnail Server 6 ...) NOT-FOR-US: EMC Documentum Thumbnail Server CVE-2015-0549 (Cross-site scripting (XSS) vulnerability in EMC Documentum D2 before 4 ...) NOT-FOR-US: EMC Documentum D2 CVE-2015-0548 (The D2DownloadService.getDownloadUrls service method in EMC Documentum ...) NOT-FOR-US: EMC Documentum D2 CVE-2015-0547 (The D2CenterstageService.getComments service method in EMC Documentum ...) NOT-FOR-US: EMC Documentum D2 CVE-2015-0546 (EMC Unified Infrastructure Manager/Provisioning (UIM/P) 4.1 allows rem ...) NOT-FOR-US: EMC Unified Infrastructure Manager/Provisioning CVE-2015-0545 (EMC Unisphere for VMAX 8.x before 8.0.3.4 sets up the Java Debugging W ...) NOT-FOR-US: EMC Unisphere CVE-2015-0544 (EMC Secure Remote Services Virtual Edition (ESRS VE) 3.x before 3.06 d ...) NOT-FOR-US: EMC Secure Remote Services Virtual Edition CVE-2015-0543 (EMC Secure Remote Services Virtual Edition (ESRS VE) 3.x before 3.06 d ...) NOT-FOR-US: EMC Secure Remote Services Virtual Edition CVE-2015-0542 (Multiple cross-site request forgery (CSRF) vulnerabilities in EMC RSA ...) NOT-FOR-US: EMC RSA CVE-2015-0541 (Cross-site request forgery (CSRF) vulnerability in EMC RSA Web Threat ...) NOT-FOR-US: RSA Web Threat Detection CVE-2015-0540 (SQL injection vulnerability in the xAdmin interface in EMC Document Sc ...) NOT-FOR-US: EMC Document Sciences xPression CVE-2015-0539 REJECTED CVE-2015-0538 (ftagent.exe in EMC AutoStart 5.4.x and 5.5.x before 5.5.0.508 HF4 allo ...) NOT-FOR-US: EMC AutoStart CVE-2015-0537 (Integer underflow in the base64-decoding implementation in EMC RSA BSA ...) NOT-FOR-US: EMC RSA CVE-2015-0536 (EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before 4.0.8 and 4.1.x b ...) NOT-FOR-US: EMC RSA CVE-2015-0535 (EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before 4.0.8 and 4.1.x b ...) NOT-FOR-US: EMC RSA CVE-2015-0534 (EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before 4.0.8 and 4.1.x b ...) NOT-FOR-US: EMC RSA CVE-2015-0533 (EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before 4.0.8 and 4.1.x b ...) NOT-FOR-US: EMC RSA CVE-2015-0532 (EMC RSA Identity Management and Governance (IMG) 6.9 before P04 and 6. ...) NOT-FOR-US: EMC RSA Identity Management and Governance CVE-2015-0531 (EMC SourceOne Email Management before 7.2 does not have a lockout mech ...) NOT-FOR-US: EMC SourceOne Email Management CVE-2015-0530 (Buffer overflow in an unspecified function in nsr_render_log in EMC Ne ...) NOT-FOR-US: EMC NetWorker CVE-2015-0529 (EMC PowerPath Virtual Appliance (aka vApp) before 2.0 has default pass ...) NOT-FOR-US: EMC PowerPath Virtual Appliance CVE-2015-0528 (The RPC daemon in EMC Isilon OneFS 6.5.x and 7.0.x before 7.0.2.13, 7. ...) NOT-FOR-US: EMC Isilon OneFS CVE-2015-0527 (EMC Documentum xCelerated Management System (xMS) 1.1 before P14 store ...) NOT-FOR-US: EMC CVE-2015-0526 (Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Validat ...) NOT-FOR-US: EMC RSA Validation Manager CVE-2015-0525 (The Gateway Provisioning service in EMC Secure Remote Services Virtual ...) NOT-FOR-US: EMC CVE-2015-0524 (SQL injection vulnerability in the Gateway Provisioning service in EMC ...) NOT-FOR-US: EMC CVE-2015-0523 (EMC RSA Certificate Manager (RCM) before 6.9 build 558 and RSA Registr ...) NOT-FOR-US: RSA CVE-2015-0522 (Cross-site scripting (XSS) vulnerability in EMC RSA Certificate Manage ...) NOT-FOR-US: RSA CVE-2015-0521 (Cross-site scripting (XSS) vulnerability in EMC RSA Certificate Manage ...) NOT-FOR-US: RSA CVE-2015-0520 REJECTED CVE-2015-0519 (The InputAccel Database (IADB) installation process in EMC Captiva Cap ...) NOT-FOR-US: EMC Captiva Capture CVE-2015-0518 (The Properties service in the D2FS web-service component in EMC Docume ...) NOT-FOR-US: EMC Documentum D2 CVE-2015-0517 (The D2-API component in EMC Documentum D2 3.1 through SP1, 4.0 and 4.1 ...) NOT-FOR-US: EMC Documentum D2 CVE-2015-0516 (Directory traversal vulnerability in EMC M&R (aka Watch4Net) befor ...) NOT-FOR-US: EMC CVE-2015-0515 (Unrestricted file upload vulnerability in EMC M&R (aka Watch4Net) ...) NOT-FOR-US: EMC CVE-2015-0514 (EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 mig ...) NOT-FOR-US: EMC CVE-2015-0513 (Multiple cross-site scripting (XSS) vulnerabilities in the administrat ...) NOT-FOR-US: EMC CVE-2015-0512 (Open redirect vulnerability in EMC Unisphere Central before 4.0 allows ...) NOT-FOR-US: EMC CVE-2015-0511 (Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier al ...) - mysql-5.5 (Only affects 5.6) - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL CVE-2015-0510 (Unspecified vulnerability in the Oracle Commerce Platform component in ...) NOT-FOR-US: Oracle CVE-2015-0509 (Unspecified vulnerability in the Oracle Hyperion BI+ component in Orac ...) NOT-FOR-US: Oracle CVE-2015-0508 (Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier al ...) - mysql-5.5 (Only affects 5.6) - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL CVE-2015-0507 (Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier al ...) - mysql-5.5 (Only affects 5.6) - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL CVE-2015-0506 (Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier al ...) - mysql-5.5 (Only affects 5.6) - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL CVE-2015-0505 (Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, a ...) {DSA-3311-1 DSA-3229-1 DLA-359-1} - mysql-5.5 (bug #782645) [jessie] - mysql-5.5 5.5.43-0+deb8u1 - mariadb-10.0 10.0.19-1 - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL CVE-2015-0504 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle CVE-2015-0503 (Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier al ...) - mysql-5.5 (Only affects 5.6) - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL CVE-2015-0502 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...) NOT-FOR-US: Oracle CVE-2015-0501 (Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, a ...) {DSA-3311-1 DSA-3229-1 DLA-359-1} - mysql-5.5 (bug #782645) [jessie] - mysql-5.5 5.5.43-0+deb8u1 - mariadb-10.0 10.0.19-1 - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL CVE-2015-0500 (Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier al ...) - mysql-5.5 (Only affects 5.6) - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL CVE-2015-0499 (Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, a ...) {DSA-3311-1 DSA-3229-1 DLA-359-1} - mysql-5.5 (bug #782645) [jessie] - mysql-5.5 5.5.43-0+deb8u1 - mariadb-10.0 10.0.19-1 - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL CVE-2015-0498 (Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier al ...) - mysql-5.5 (Only affects 5.6) - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL CVE-2015-0497 (Unspecified vulnerability in the PeopleSoft Enterprise Portal Interact ...) NOT-FOR-US: Oracle CVE-2015-0496 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle CVE-2015-0495 (Unspecified vulnerability in the Oracle Commerce Guided Search / Oracl ...) NOT-FOR-US: Oracle CVE-2015-0494 (Unspecified vulnerability in the Oracle Retail Central Office componen ...) NOT-FOR-US: Oracle CVE-2015-0493 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle CVE-2015-0492 (Unspecified vulnerability in Oracle Java SE 7u76 and 8u40, and JavaFX ...) - openjdk-7 (JavaFX not part of OpenJDK) - openjdk-8 (JavaFX not part of OpenJDK) CVE-2015-0491 (Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u ...) - openjdk-6 (Specific to Oracle Java, not present in IcedTea) - openjdk-7 (Specific to Oracle Java, not present in IcedTea) - openjdk-8 (Specific to Oracle Java, not present in IcedTea) NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown CVE-2015-0490 (Unspecified vulnerability in the Oracle Agile Engineering Data Managem ...) NOT-FOR-US: Oracle CVE-2015-0489 (Unspecified vulnerability in the Application Management Pack for Oracl ...) NOT-FOR-US: Oracle CVE-2015-0488 (Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u ...) {DSA-3316-1 DSA-3235-1 DSA-3234-1 DLA-213-1} - openjdk-6 6b35-1.13.7-1 - openjdk-7 7u79-2.5.5-1 - openjdk-8 8u45-b14-1 NOTE: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/04cda5b7a3c1 CVE-2015-0487 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle CVE-2015-0486 (Unspecified vulnerability in Oracle Java SE 8u40 allows remote attacke ...) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2015-0485 (Unspecified vulnerability in the PeopleSoft Enterprise SCM Strategic S ...) NOT-FOR-US: Oracle CVE-2015-0484 (Unspecified vulnerability in Oracle Java SE 7u76 and 8u40, and Java FX ...) - openjdk-7 (JavaFX not part of OpenJDK) - openjdk-8 (JavaFX not part of OpenJDK) CVE-2015-0483 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle CVE-2015-0482 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2015-0481 REJECTED CVE-2015-0480 (Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u ...) {DSA-3316-1 DSA-3235-1 DSA-3234-1 DLA-213-1} - openjdk-8 8u45-b14-1 - openjdk-7 7u79-2.5.5-1 (bug #774953) - openjdk-6 6b35-1.13.7-1 NOTE: http://www.openwall.com/lists/oss-security/2015/01/16/2 CVE-2015-0479 (Unspecified vulnerability in the XDK and XDB - XML Database component ...) NOT-FOR-US: Oracle CVE-2015-0478 (Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u ...) {DSA-3316-1 DSA-3235-1 DSA-3234-1 DLA-213-1} - openjdk-6 6b35-1.13.7-1 - openjdk-7 7u79-2.5.5-1 - openjdk-8 8u45-b14-1 CVE-2015-0477 (Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u ...) {DSA-3316-1 DSA-3235-1 DSA-3234-1 DLA-213-1} - openjdk-6 6b35-1.13.7-1 - openjdk-7 7u79-2.5.5-1 - openjdk-8 8u45-b14-1 CVE-2015-0476 (Unspecified vulnerability in the SQL Trace Analyzer component in Oracl ...) NOT-FOR-US: Oracle CVE-2015-0475 (Unspecified vulnerability in the JD Edwards EnterpriseOne Technology c ...) NOT-FOR-US: Oracle CVE-2015-0474 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle CVE-2015-0473 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle CVE-2015-0472 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle CVE-2015-0471 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11.2 allows loc ...) NOT-FOR-US: Oracle CVE-2015-0470 (Unspecified vulnerability in Oracle Java SE 8u40 allows remote attacke ...) {DSA-3316-1 DSA-3235-1 DSA-3234-1 DLA-213-1} - openjdk-6 6b35-1.13.7-1 - openjdk-7 7u79-2.5.5-1 - openjdk-8 8u45-b14-1 CVE-2015-0469 (Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u ...) {DSA-3316-1 DSA-3235-1 DSA-3234-1 DLA-213-1} - openjdk-6 6b35-1.13.7-1 - openjdk-7 7u79-2.5.5-1 - openjdk-8 8u45-b14-1 CVE-2015-0468 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2015-0467 (Unspecified vulnerability in the PeopleSoft Enterprise HCM Talent Acqu ...) NOT-FOR-US: PeopleSoft CVE-2015-0466 (Unspecified vulnerability in the Oracle Retail Back Office component i ...) NOT-FOR-US: Oracle CVE-2015-0465 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle CVE-2015-0464 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle CVE-2015-0463 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle CVE-2015-0462 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle CVE-2015-0461 (Unspecified vulnerability in the Oracle Access Manager component in Or ...) NOT-FOR-US: Oracle CVE-2015-0460 (Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u ...) {DSA-3316-1 DSA-3235-1 DSA-3234-1 DLA-213-1} - openjdk-6 6b35-1.13.7-1 - openjdk-7 7u79-2.5.5-1 - openjdk-8 8u45-b14-1 CVE-2015-0459 (Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u ...) - openjdk-6 (Specific to Oracle Java, not present in IcedTea) - openjdk-7 (Specific to Oracle Java, not present in IcedTea) - openjdk-8 (Specific to Oracle Java, not present in IcedTea) NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown CVE-2015-0458 (Unspecified vulnerability in in Oracle Java SE 6u91, 7u76, and 8u40 al ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2015-0457 (Unspecified vulnerability in the Java VM component in Oracle Database ...) NOT-FOR-US: Oracle CVE-2015-0456 (Unspecified vulnerability in the Oracle WebCenter Portal component in ...) NOT-FOR-US: Oracle CVE-2015-0455 (Unspecified vulnerability in the XDB - XML Database component in Oracl ...) NOT-FOR-US: Oracle CVE-2015-0454 REJECTED CVE-2015-0453 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle CVE-2015-0452 (Unspecified vulnerability in the Oracle VM Server for SPARC component ...) NOT-FOR-US: Oracle CVE-2015-0451 (Unspecified vulnerability in the Oracle OpenSSO component in Oracle Fu ...) NOT-FOR-US: Oracle CVE-2015-0450 (Unspecified vulnerability in the Oracle WebCenter Portal component in ...) NOT-FOR-US: Oracle CVE-2015-0449 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2015-0448 (Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local user ...) NOT-FOR-US: Oracle CVE-2015-0447 (Unspecified vulnerability in the Oracle Applications Technology Stack ...) NOT-FOR-US: Oracle CVE-2015-0446 (Unspecified vulnerability in the Oracle Data Integrator component in O ...) NOT-FOR-US: Oracle Fusion CVE-2015-0445 (Unspecified vulnerability in the Oracle Data Integrator component in O ...) NOT-FOR-US: Oracle Fusion CVE-2015-0444 (Unspecified vulnerability in the Oracle Data Integrator component in O ...) NOT-FOR-US: Oracle Fusion CVE-2015-0443 (Unspecified vulnerability in the Oracle Data Integrator component in O ...) NOT-FOR-US: Oracle Fusion CVE-2015-0442 REJECTED CVE-2015-0441 (Unspecified vulnerability in Oracle MySQL Server 5.5.41 and earlier, a ...) {DSA-3311-1 DSA-3229-1} - mysql-5.5 5.5.42-1 - mariadb-10.0 10.0.17-1 - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL CVE-2015-0440 (Unspecified vulnerability in the Oracle Knowledge component in Oracle ...) NOT-FOR-US: Oracle CVE-2015-0439 (Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier al ...) - mysql-5.5 (Only affects 5.6) - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL CVE-2015-0438 (Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier al ...) - mysql-5.5 (Only affects 5.6) - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL CVE-2015-0437 (Unspecified vulnerability in Oracle Java SE 8u25 allows remote attacke ...) - openjdk-8 8u40~b22-1 CVE-2015-0436 (Unspecified vulnerability in the Oracle iLearning component in Oracle ...) NOT-FOR-US: Oracle iLearning CVE-2015-0435 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle CVE-2015-0434 (Unspecified vulnerability in the Oracle Access Manager component in Or ...) NOT-FOR-US: Oracle CVE-2015-0433 (Unspecified vulnerability in Oracle MySQL Server 5.5.41 and earlier, a ...) {DSA-3311-1 DSA-3229-1} - mysql-5.5 5.5.42-1 - mariadb-10.0 10.0.17-1 - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL CVE-2015-0432 (Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier al ...) {DSA-3135-1} - mysql-5.5 5.5.42-1 (bug #775881) - mariadb-10.0 10.0.16-1 (bug #775882) - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixMSQL CVE-2015-0431 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle CVE-2015-0430 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local ...) NOT-FOR-US: Oracle Sun Solaris CVE-2015-0429 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local ...) NOT-FOR-US: Oracle Sun Solaris CVE-2015-0428 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local ...) NOT-FOR-US: Oracle Sun Solaris CVE-2015-0427 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) - virtualbox 4.3.18-dfsg-2 (bug #775888) [wheezy] - virtualbox (Introduced in 4.3) - virtualbox-ose (Introduced in 4.3) CVE-2015-0426 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle CVE-2015-0425 (Unspecified vulnerability in the Oracle Enterprise Asset Management co ...) NOT-FOR-US: Oracle CVE-2015-0424 (Unspecified vulnerability in the Integrated Lights Out Manager (ILOM) ...) NOT-FOR-US: Oracle Sun Systems Products Suite ILOM CVE-2015-0423 (Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier al ...) - mysql-5.5 (Only affects 5.6) - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL CVE-2015-0422 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2015-0421 (Unspecified vulnerability in Oracle Java SE 8u25 allows local users to ...) - openjdk-8 8u40~b22-1 CVE-2015-0420 (Unspecified vulnerability in the Oracle Forms component in Oracle Fusi ...) NOT-FOR-US: Oracle CVE-2015-0419 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...) NOT-FOR-US: Oracle CVE-2015-0418 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) {DSA-3143-1 DLA-268-1} - virtualbox 4.3.2-dfsg-1 (low; bug #775888) - virtualbox-ose (low) NOTE: This only affects releases < 4.3, so marking the first 4.3 upload as the fixed version NOTE: Upstream patches in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775888#30 CVE-2015-0417 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...) NOT-FOR-US: Oracle CVE-2015-0416 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) NOT-FOR-US: Oracle CVE-2015-0415 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle CVE-2015-0414 (Unspecified vulnerability in the Oracle SOA Suite component in Oracle ...) NOT-FOR-US: Oracle CVE-2015-0413 (Unspecified vulnerability in Oracle Java SE 7u72 and 8u25 allows local ...) - openjdk-7 (Specific to Oracle Java, not present in IcedTea) - openjdk-8 (Specific to Oracle Java, not present in IcedTea) NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown CVE-2015-0412 (Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allow ...) {DSA-3147-1 DSA-3144-1 DLA-157-1} - openjdk-6 6b34-1.13.6-1 - openjdk-7 7u75-2.5.4-1 - openjdk-8 8u40~b22-1 CVE-2015-0411 (Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, a ...) {DSA-3135-1} - mysql-5.5 5.5.42-1 (bug #775881) - mariadb-10.0 10.0.16-1 (bug #775882) - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixMSQL CVE-2015-0410 (Unspecified vulnerability in the Java SE, Java SE Embedded, JRockit co ...) {DSA-3147-1 DSA-3144-1 DLA-157-1} - openjdk-6 6b34-1.13.6-1 - openjdk-7 7u75-2.5.4-1 - openjdk-8 8u40~b22-1 CVE-2015-0409 (Unspecified vulnerability in Oracle MySQL Server 5.6.21 and earlier al ...) - mysql-5.5 (Only MySQL 5.6) - mariadb-10.0 (Vulnerable code not present, see https://bugs.debian.org/775882#39) - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixMSQL NOTE: For mariadb-10.0 not clear if affected CVE-2015-0408 (Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u ...) {DSA-3147-1 DSA-3144-1 DLA-157-1} - openjdk-6 6b34-1.13.6-1 - openjdk-7 7u75-2.5.4-1 - openjdk-8 8u40~b22-1 CVE-2015-0407 (Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u ...) {DSA-3147-1 DSA-3144-1 DLA-157-1} - openjdk-6 6b34-1.13.6-1 - openjdk-7 7u75-2.5.4-1 - openjdk-8 8u40~b22-1 CVE-2015-0406 (Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allow ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2015-0405 (Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier al ...) - mysql-5.5 (Only affects 5.6) - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL CVE-2015-0404 (Unspecified vulnerability in the Oracle Applications Framework compone ...) NOT-FOR-US: Oracle CVE-2015-0403 (Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allow ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2015-0402 (Unspecified vulnerability in the Siebel Core - Server BizLogic Script ...) NOT-FOR-US: Oracle CVE-2015-0401 (Unspecified vulnerability in the Oracle Directory Server Enterprise Ed ...) NOT-FOR-US: Oracle CVE-2015-0400 (Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allow ...) - openjdk-6 (This only affects Java on Windows) - openjdk-7 (This only affects Java on Windows) - openjdk-8 (This only affects Java on Windows) CVE-2015-0399 (Unspecified vulnerability in the Oracle Business Intelligence Enterpri ...) NOT-FOR-US: Oracle CVE-2015-0398 (Unspecified vulnerability in the Siebel Life Sciences component in Ora ...) NOT-FOR-US: Oracle CVE-2015-0397 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Oracle Sun Solaris CVE-2015-0396 (Unspecified vulnerability in the Oracle GlassFish Server component in ...) - glassfish (Full application server not packaged) CVE-2015-0395 (Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u ...) {DSA-3147-1 DSA-3144-1 DLA-157-1} - openjdk-6 6b34-1.13.6-1 - openjdk-7 7u75-2.5.4-1 - openjdk-8 8u40~b22-1 CVE-2015-0394 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle CVE-2015-0393 (Unspecified vulnerability in the Oracle Applications DBA component in ...) NOT-FOR-US: Oracle CVE-2015-0392 (Unspecified vulnerability in the Siebel Core - Server BizLogic Script ...) NOT-FOR-US: Oracle CVE-2015-0391 (Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, a ...) - mysql-5.5 5.5.39-1 [wheezy] - mysql-5.5 5.5.40-0+wheezy1 - mariadb-10.0 10.0.14-2 - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixMSQL CVE-2015-0390 (Unspecified vulnerability in the MICROS Retail component in Oracle Ret ...) NOT-FOR-US: Oracle CVE-2015-0389 (Unspecified vulnerability in the Oracle OpenSSO component in Oracle Fu ...) NOT-FOR-US: Oracle CVE-2015-0388 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...) NOT-FOR-US: Oracle CVE-2015-0387 (Unspecified vulnerability in the Siebel Core - Server OM Services comp ...) NOT-FOR-US: Oracle CVE-2015-0386 (Unspecified vulnerability in the Oracle HTTP Server component in Oracl ...) NOT-FOR-US: Oracle CVE-2015-0385 (Unspecified vulnerability in Oracle MySQL Server 5.6.21 and earlier al ...) - mysql-5.5 (Only MySQL 5.6) - mariadb-10.0 (Vulnerable code not present, see https://bugs.debian.org/775882#39) - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixMSQL NOTE: For mariadb-10.0 not clear if affected CVE-2015-0384 (Unspecified vulnerability in the Siebel Public Sector component in Ora ...) NOT-FOR-US: Oracle CVE-2015-0383 (Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u ...) {DSA-3147-1 DSA-3144-1 DLA-157-1} - openjdk-6 6b34-1.13.6-1 - openjdk-7 7u75-2.5.4-1 (bug #761683) - openjdk-8 8u40~b22-1 CVE-2015-0382 (Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier an ...) {DSA-3135-1} - mysql-5.5 5.5.42-1 (bug #775881) - mariadb-10.0 10.0.16-1 (bug #775882) - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixMSQL CVE-2015-0381 (Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier an ...) {DSA-3135-1} - mysql-5.5 5.5.42-1 (bug #775881) - mariadb-10.0 10.0.16-1 (bug #775882) - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixMSQL CVE-2015-0380 (Unspecified vulnerability in the Oracle Telecommunications Billing Int ...) NOT-FOR-US: Oracle CVE-2015-0379 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle CVE-2015-0378 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Oracle Sun Solaris CVE-2015-0377 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) {DSA-3143-1 DLA-268-1} - virtualbox 4.3.2-dfsg-1 (bug #775888) - virtualbox-ose NOTE: According to http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html the 4.3 NOTE: series is not affected, so marking the first 4.3 upload as fixed NOTE: Upstream patches in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775888#30 CVE-2015-0376 (Unspecified vulnerability in the Oracle WebCenter Content component in ...) NOT-FOR-US: Oracle CVE-2015-0375 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows remot ...) NOT-FOR-US: Oracle Sun Solaris CVE-2015-0374 (Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier an ...) {DSA-3135-1} - mysql-5.5 5.5.42-1 (bug #775881) - mariadb-10.0 10.0.16-1 (bug #775882) - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixMSQL CVE-2015-0373 (Unspecified vulnerability in the OJVM component in Oracle Database Ser ...) NOT-FOR-US: Oracle CVE-2015-0372 (Unspecified vulnerability in the Oracle Containers for J2EE component ...) NOT-FOR-US: Oracle CVE-2015-0371 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle CVE-2015-0370 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle CVE-2015-0369 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...) NOT-FOR-US: Oracle CVE-2015-0368 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle CVE-2015-0367 (Unspecified vulnerability in the Oracle Access Manager component in Or ...) NOT-FOR-US: Oracle CVE-2015-0366 (Unspecified vulnerability in the Siebel Core - EAI component in Oracle ...) NOT-FOR-US: Oracle CVE-2015-0365 (Unspecified vulnerability in the Siebel Core - Server Infrastructure c ...) NOT-FOR-US: Oracle CVE-2015-0364 (Unspecified vulnerability in the Siebel Core - EAI component in Oracle ...) NOT-FOR-US: Oracle CVE-2015-0363 (Unspecified vulnerability in the Siebel Core EAI component in Oracle S ...) NOT-FOR-US: Oracle CVE-2015-0362 (Unspecified vulnerability in the BI Publisher (formerly XML Publisher) ...) NOT-FOR-US: Oracle CVE-2015-0361 (Use-after-free vulnerability in Xen 4.2.x, 4.3.x, and 4.4.x allows rem ...) - xen 4.4.1-7 (bug #776319) [wheezy] - xen (Only affects 4.2 and later) [squeeze] - xen (Only affects 4.2 and later) CVE-2014-9425 (Double free vulnerability in the zend_ts_hash_graceful_destroy functio ...) - php5 (unimportant; bug #774154) NOTE: php5 binary packages not built with --with-maintainer-zts CVE-2014-9424 (Double free vulnerability in the ssl_parse_clienthello_use_srtp_ext fu ...) - libressl (bug #754513) CVE-2014-9412 (Multiple cross-site scripting (XSS) vulnerabilities in NetIQ Access Ma ...) NOT-FOR-US: NetIQ Access Manager CVE-2014-9411 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2014-9410 (The vfe31_proc_general function in drivers/media/video/msm/vfe/msm_vfe ...) NOT-FOR-US: Qualcomm driver for Android CVE-2014-9409 RESERVED CVE-2014-9408 (Ekahau B4 staff badge tag 5.7 with firmware 1.4.52, Real-Time Location ...) NOT-FOR-US: Ekahau Real-Time Location Tracking System CVE-2014-9407 (Multiple cross-site request forgery (CSRF) vulnerabilities in Revive A ...) NOT-FOR-US: Revive Adserver CVE-2014-9406 (ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT ...) NOT-FOR-US: ARRIS Touchstone TG862G/CT Telephony Gateway CVE-2014-9405 (A Cross-Site Scripting (XSS) vulnerability exists in the description f ...) NOT-FOR-US: Freebox OS CVE-2014-9404 REJECTED CVE-2014-9401 (Cross-site request forgery (CSRF) vulnerability in the WP Limit Posts ...) NOT-FOR-US: WP Limit Posts Automatically plugin for WordPress CVE-2014-9400 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Wp U ...) NOT-FOR-US: Wp Unique Article Header Image plugin for WordPress CVE-2014-9399 (Cross-site request forgery (CSRF) vulnerability in the TweetScribe plu ...) NOT-FOR-US: TweetScribe plugin for WordPress CVE-2014-9398 (Cross-site request forgery (CSRF) vulnerability in the Twitter LiveBlo ...) NOT-FOR-US: Twitter LiveBlog plugin for WordPress CVE-2014-9397 (Cross-site request forgery (CSRF) vulnerability in the twimp-wp plugin ...) NOT-FOR-US: twimp-wp plugin for WordPress CVE-2014-9396 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Simp ...) NOT-FOR-US: SimpleFlickr plugin for WordPress CVE-2014-9395 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Simp ...) NOT-FOR-US: Simplelife plugin for WordPress CVE-2014-9394 (Multiple cross-site request forgery (CSRF) vulnerabilities in the PWGR ...) NOT-FOR-US: PWGRandom plugin for WordPress CVE-2014-9393 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Post ...) NOT-FOR-US: Post to Twitter plugin for WordPress CVE-2014-9392 (Cross-site request forgery (CSRF) vulnerability in the PictoBrowser (p ...) NOT-FOR-US: PictoBrowser plugin for WordPress CVE-2014-9391 (Multiple cross-site request forgery (CSRF) vulnerabilities in the gSli ...) NOT-FOR-US: gSlideShow plugin for WordPress CVE-2014-9389 (Directory traversal vulnerability in Sonatype Nexus OSS and Pro before ...) NOT-FOR-US: Sonatype Nexus OSS and Pro CVE-2014-9388 (bug_report.php in MantisBT before 1.2.18 allows remote attackers to as ...) {DSA-3120-1} - mantis [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: https://www.mantisbt.org/bugs/view.php?id=17878 CVE-2014-9387 (SAP BusinessObjects Edge 4.1 allows remote attackers to obtain the SI_ ...) NOT-FOR-US: SAP BussinessObjects Edge CVE-2014-9386 (Zenoss Core before 4.2.5 SP161 sets an infinite lifetime for the sessi ...) - zenoss (bug #361253) CVE-2014-9385 (Cross-site request forgery (CSRF) vulnerability in Zenoss Core through ...) - zenoss (bug #361253) CVE-2014-9384 RESERVED CVE-2014-9383 RESERVED CVE-2014-9382 (Freebox OS Web interface 3.0.2 has CSRF which can allow VPN user accou ...) NOT-FOR-US: Freebox OS CVE-2014-9375 (Directory traversal vulnerability in the LibraryFileUploadServlet serv ...) NOT-FOR-US: Lexmark CVE-2014-9373 (Directory traversal vulnerability in the CollectorConfInfoServlet serv ...) NOT-FOR-US: ManageEngine NetFlow Analyzer CVE-2014-9372 (Directory traversal vulnerability in the UploadAccountActivities servl ...) NOT-FOR-US: ManageEngine Password Manager Pro CVE-2014-9371 (The NativeAppServlet in ManageEngine Desktop Central MSP before 90075 ...) NOT-FOR-US: ManageEngine Desktop Central MSP CVE-2014-9370 RESERVED CVE-2014-9369 (Siemens SPC controllers SPC4000, SPC5000, and SPC6000 before 3.6.0 all ...) NOT-FOR-US: Siemens CVE-2014-9368 (Cross-site request forgery (CSRF) vulnerability in the twitterDash plu ...) NOT-FOR-US: WordPress plugin twitterDash CVE-2014-9367 (Incomplete blacklist vulnerability in the urlEncode function in lib/TW ...) - twiki NOTE: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-9367 CVE-2014-9366 RESERVED CVE-2014-9493 (The V2 API in OpenStack Image Registry and Delivery Service (Glance) b ...) - glance 2014.1.3-6 (bug #773836) [wheezy] - glance (Vulnerable code not present) NOTE: up to 2014.1.3 and 2014.2 version up to 2014.2.1 NOTE: fixed in experimental with 2014.2.1-2 CVE-2014-XXXX - json-glib (unimportant; bug #772585) [squeeze] - json-glib (Tool not yet present) [wheezy] - json-glib (Tool not yet present) NOTE: Negligible security impact CVE-2014-9475 (Cross-site scripting (XSS) vulnerability in thumb.php in MediaWiki bef ...) {DSA-3110-1} - mediawiki 1:1.19.20+dfsg-2.2 (bug #773654) [squeeze] - mediawiki NOTE: https://phabricator.wikimedia.org/T76686 (still not public) CVE-2014-9476 (MediaWiki 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before ...) - mediawiki (CORS support was added in 1.20) NOTE: https://phabricator.wikimedia.org/T77028 CVE-2014-9419 (The __switch_to function in arch/x86/kernel/process_64.c in the Linux ...) {DSA-3128-1} - linux 3.16.7-ckt4-1 - linux-2.6 [squeeze] - linux-2.6 (Too risky to backport) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/arch/x86?id=f647d7c155f069c1a068030255c300663516420e (v3.19-rc1) CVE-2014-9420 (The rock_continue function in fs/isofs/rock.c in the Linux kernel thro ...) {DLA-155-1} - linux 3.16.7-ckt4-1 [wheezy] - linux 3.2.65-1 - linux-2.6 NOTE: Upstream fix: https://git.kernel.org/linus/f54e18f1b831c92f6512d2eedb224cd63d607d3d (v3.19-rc1) CVE-2014-9390 (Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x befo ...) {DLA-237-1} - git 1:2.1.4-1 [wheezy] - git (Minor issue) [squeeze] - git (Minor issue) - libgit2 0.21.3-1 (bug #774048) [jessie] - libgit2 0.21.1-3 - jgit 3.7.0-1 (bug #774050) [jessie] - jgit (Minor issue) [wheezy] - jgit (Minor issue) - mercurial 3.1.2-2 (bug #773640) [wheezy] - mercurial 2.2.2-4 [squeeze] - mercurial (Minor issue) - dulwich 0.10.1-1 [jessie] - dulwich (Minor issue) [wheezy] - dulwich (Minor issue) [squeeze] - dulwich (Minor issue) CVE-2014-9376 (Integer underflow in Ettercap 0.8.1 allows remote attackers to cause a ...) - ettercap 1:0.8.1-3 (bug #773416) [squeeze] - ettercap (Vulnerable code not present according to upstream author in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773416#20) CVE-2014-9377 (Heap-based buffer overflow in the nbns_spoof function in plug-ins/nbns ...) - ettercap 1:0.8.1-3 (bug #773416) [squeeze] - ettercap (Vulnerable code not present according to upstream author in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773416#20) CVE-2014-9378 (Ettercap 0.8.1 does not validate certain return values, which allows r ...) - ettercap 1:0.8.1-3 (bug #773416) [squeeze] - ettercap (Vulnerable code not present according to upstream author in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773416#20) CVE-2014-9379 (The radius_get_attribute function in dissectors/ec_radius.c in Etterca ...) - ettercap 1:0.8.1-3 (bug #773416) [squeeze] - ettercap (Vulnerable code not present according to upstream author in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773416#20) CVE-2014-9380 (The dissector_cvs function in dissectors/ec_cvs.c in Ettercap 0.8.1 al ...) {DLA-126-1} - ettercap 1:0.8.1-3 (bug #773416) NOTE: Patch for squeeze in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773416#20 CVE-2014-9381 (Integer signedness error in the dissector_cvs function in dissectors/e ...) {DLA-126-1} - ettercap 1:0.8.1-3 (bug #773416) NOTE: Patch for squeeze in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773416#20 CVE-2014-9403 (The CWebAdminMod::ChanPage function in modules/webadmin.cpp in ZNC bef ...) - znc 1.2-4 (bug #744712) [wheezy] - znc (Minor issue) [squeeze] - znc (Minor issue) NOTE: https://github.com/znc/znc/issues/528 NOTE: https://github.com/znc/znc/commit/8756be513ab6663dcd64087006b257ff34e8e487 CVE-2014-9620 (The ELF parser in file 5.08 through 5.21 allows remote attackers to ca ...) {DSA-3121-1} - file 1:5.21+15-1 [squeeze] - file (Introduced in 5.08) - php5 (readelf.c not used and even removed in 5.4.36-0+deb7u3) NOTE: Report: http://mx.gw.com/pipermail/file/2014/001653.html NOTE: Fix: https://github.com/file/file/commit/ce90e05774dd77d86cfc8dfa6da57b32816841c4 NOTE: Introduced by: https://github.com/file/file/commit/956a45ab1c54b11304b367056f41905e72a02380#diff-bc5c24ef9f39a5f4963ca28ecbc645b3L423 CVE-2014-9621 (The ELF parser in file 5.16 through 5.21 allows remote attackers to ca ...) - file 1:5.21+15-1 [wheezy] - file (Introduced in 5.16) [squeeze] - file (Introduced in 5.16) - php5 5.6.5+dfsg-1 [wheezy] - php5 (Vulnerable code not present) [squeeze] - php5 (Vulnerable code not present) NOTE: Report: http://mx.gw.com/pipermail/file/2014/001654.html NOTE: Fix: https://github.com/file/file/commit/65437cee25199dbd385fb35901bc0011e164276c NOTE: Introduced by: https://github.com/file/file/commit/c8451af8ab0c2e2a93ce93b9c68257d31576cc85 (5.16) NOTE: readelf.c has been removed in PHP in 5.6.5, see http://php.net/ChangeLog-5.php#5.6.5 CVE-2014-9494 (RabbitMQ before 3.4.0 allows remote attackers to bypass the loopback_u ...) - rabbitmq-server 3.4.1-1 (bug #773134) [jessie] - rabbitmq-server 3.3.5-1.1 [wheezy] - rabbitmq-server (does not have this access control mechanism) [squeeze] - rabbitmq-server (does not have this access control mechanism) NOTE: http://hg.rabbitmq.com/rabbitmq-management/rev/c3c41177a11a NOTE: http://hg.rabbitmq.com/rabbitmq-management/rev/35e916df027d NOTE: http://www.rabbitmq.com/release-notes/README-3.4.0.txt CVE-2014-9652 (The mconvert function in softmagic.c in file before 5.21, as used in t ...) {DSA-3126-1 DSA-3121-1 DLA-145-1} - file 1:5.21+15-1 [squeeze] - file (The code was not vulnerable, confirmed with Valgrind on the test data submitted to upstream) [wheezy] - file 5.11-2+deb7u7 - php5 5.6.5+dfsg-1 [wheezy] - php5 5.4.36-0+deb7u3 NOTE: http://bugs.gw.com/view.php?id=398 NOTE: https://github.com/file/file/commit/59e63838913eee47f5c120a6c53d4565af638158 NOTE: https://bugs.php.net/bug.php?id=68735 CVE-2014-9402 (The nss_dns implementation of getnetbyname in GNU C Library (aka glibc ...) {DSA-3169-1 DLA-122-1} - glibc 2.19-14 (bug #775572) - eglibc NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=17630 CVE-2014-9364 (Cross-site scripting (XSS) vulnerability in the Unified Login form in ...) NOT-FOR-US: LoginToboggan Drupal Module CVE-2014-9363 (Open redirect vulnerability in the path-based meta tag editing form in ...) NOT-FOR-US: Meta tags quick Drupal Module CVE-2014-9362 (Cross-site scripting (XSS) vulnerability in the path-based meta tag ed ...) NOT-FOR-US: Meta tags quick Drupal module CVE-2014-9361 (The LoginToboggan module 7.x-1.x before 7.x-1.4 for Drupal does not pr ...) NOT-FOR-US: LoginToboggan Drupal Module CVE-2014-9360 (XML external entity (XXE) vulnerability in Scalix Web Access 11.4.6.12 ...) NOT-FOR-US: Scalix Web Access CVE-2014-9359 RESERVED CVE-2014-9358 (Docker before 1.3.3 does not properly validate image IDs, which allows ...) - docker.io 1.3.3~dfsg1-1 (bug #772909) CVE-2014-9357 (Docker 1.3.2 allows remote attackers to execute arbitrary code with ro ...) - docker.io 1.3.3~dfsg1-1 (bug #772909) CVE-2014-9356 (Path traversal vulnerability in Docker before 1.3.3 allows remote atta ...) - docker.io 1.3.3~dfsg1-1 (bug #772909) CVE-2014-9355 (Puppet Enterprise before 3.7.1 allows remote authenticated users to ob ...) - puppet (Only affects Puppet Enterprise) CVE-2014-9354 (NetApp OnCommand Balance before 4.2P3 allows local users to obtain sen ...) NOT-FOR-US: NetApp OnCommand Balance CVE-2014-9353 (NetApp OnCommand Balance before 4.2P2 contains a "default privileged a ...) NOT-FOR-US: NetApp OnCommand Balance CVE-2014-9352 (Cross-site scripting (XSS) vulnerability in the mail administration lo ...) NOT-FOR-US: Scalix Web Access CVE-2014-9350 (TP-Link TL-WR740N 4 with firmware 3.17.0 Build 140520, 3.16.6 Build 13 ...) NOT-FOR-US: TP-Link Router CVE-2014-9349 (Multiple cross-site scripting (XSS) vulnerabilities in admin/robots.li ...) NOT-FOR-US: RobotStats CVE-2014-9348 (SQL injection vulnerability in the formulaireRobot function in admin/r ...) NOT-FOR-US: RobotStats CVE-2014-9347 (SQL injection vulnerability in dosearch.php in phpMyRecipes 1.2.2 allo ...) NOT-FOR-US: phpMyRecipes CVE-2014-9346 (Multiple cross-site scripting (XSS) vulnerabilities in the Hierarchica ...) NOT-FOR-US: Hierarchical Select Drupal Module CVE-2014-9345 (SQL injection vulnerability in Guruperl.net Advertise With Pleasure! P ...) NOT-FOR-US: AWP PRO CVE-2014-9344 (Cross-site request forgery (CSRF) vulnerability in Snowfox CMS before ...) NOT-FOR-US: Snowfox CMS CVE-2014-9343 (Open redirect vulnerability in modules/system/controller/selectlanguag ...) NOT-FOR-US: Snowfox CMS CVE-2014-9342 (Cross-site scripting (XSS) vulnerability in the tree view (pl_tree.php ...) NOT-FOR-US: F5 BIG-IP CVE-2014-9341 (Multiple cross-site request forgery (CSRF) vulnerabilities in the yURL ...) NOT-FOR-US: WordPress plugin yURL ReTwitt CVE-2014-9340 (Multiple cross-site request forgery (CSRF) vulnerabilities in the wpCo ...) NOT-FOR-US: WordPress plugin wpCommentTwit CVE-2014-9339 (Multiple cross-site request forgery (CSRF) vulnerabilities in the SPNb ...) NOT-FOR-US: WordPress plugin SPNbabble CVE-2014-9338 (Multiple cross-site request forgery (CSRF) vulnerabilities in the O2Tw ...) NOT-FOR-US: WordPress plugin O2Tweet CVE-2014-9337 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Miki ...) NOT-FOR-US: WordPress plugin Mikiurl Wordpress Eklentisi CVE-2014-9336 (Multiple cross-site request forgery (CSRF) vulnerabilities in the iTwi ...) NOT-FOR-US: WordPress plugin iTwitter CVE-2014-9335 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Dand ...) NOT-FOR-US: WordPress plugin DandyID Services CVE-2014-9334 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Bird ...) NOT-FOR-US: Bird Feeder plugin for WordPress CVE-2014-9333 RESERVED CVE-2014-9332 RESERVED CVE-2014-9331 (Cross-site request forgery (CSRF) vulnerability in ZOHO ManageEngine D ...) NOT-FOR-US: ZOHO ManageEngine Desktop Central CVE-2014-9330 (Integer overflow in tif_packbits.c in bmp2tif in libtiff 4.0.3 allows ...) {DSA-3273-1 DLA-221-1} - tiff 4.0.3-12 (bug #773987) - tiff3 (The tiff3 source package doesn't build the TIFF tools) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2494 CVE-2014-9329 RESERVED CVE-2014-9328 (ClamAV before 0.98.6 allows remote attackers to have unspecified impac ...) {DLA-233-1} - clamav 0.98.6+dfsg-1 [wheezy] - clamav 0.98.6+dfsg-0+deb7u1 NOTE: https://github.com/vrtadmin/clamav-devel/commit/5e1fbf3668bd167828d675830103b3c1ccdcb76d CVE-2014-9327 RESERVED CVE-2014-9326 (The automatic signature update functionality in the (1) Phone Home fea ...) NOT-FOR-US: F5 BIG-IP CVE-2014-9325 (Multiple cross-site scripting (XSS) vulnerabilities in TWiki 6.0.1 all ...) - twiki NOTE: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-9325 CVE-2014-9324 (The GenericInterface in OTRS Help Desk 3.2.x before 3.2.17, 3.3.x befo ...) {DSA-3124-1} - otrs2 3.3.9-3 [squeeze] - otrs2 (Problematic module got introduced later) NOTE: https://www.otrs.com/security-advisory-2014-06-incomplete-access-control/ NOTE: Fix for 3.1.x: https://github.com/OTRS/otrs/commit/3058438a372db0d1a11c365d48a5fc7b1db24e90 CVE-2014-9322 (arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not ...) - linux 3.16.7-ckt2-1 [wheezy] - linux 3.2.63-2+deb7u2 - linux-2.6 [squeeze] - linux-2.6 2.6.32-48squeeze9 CVE-2014-9321 RESERVED CVE-2014-9320 RESERVED NOT-FOR-US: SAP Business Objects CVE-2014-9319 (The ff_hevc_decode_nal_sps function in libavcodec/hevc_ps.c in FFMpeg ...) - libav (Vulnerable code not present, reproducer tested with 8, 11 and trunk) - ffmpeg 2.4.4-1 [squeeze] - ffmpeg (Vulnerable code not present) NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=ea38e5a6b75706477898eb1e6582d667dbb9946c CVE-2014-9318 (The raw_decode function in libavcodec/rawdec.c in FFMpeg before 2.1.6, ...) - libav (Vulnerable code not present, format not supported) - ffmpeg 2.4.4-1 [squeeze] - ffmpeg (Vulnerable code not present) NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=1d3a3b9f8907625b361420d48fe05716859620ff CVE-2014-9317 (The decode_ihdr_chunk function in libavcodec/pngdec.c in FFMpeg before ...) {DLA-1611-1} - libav - ffmpeg 2.4.4-1 [squeeze] - ffmpeg (Vulnerable code not present) NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=79ceaf827be0b070675d4cd0a55c3386542defd8 CVE-2014-9316 (The mjpeg_decode_app function in libavcodec/mjpegdec.c in FFMpeg befor ...) - libav (Vulnerable code not present, reproducer tested with 8, 11 and trunk) - ffmpeg 2.4.4-1 [squeeze] - ffmpeg (Not supported in Squeeze LTS) NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=0eecf40935b22644e6cd74c586057237ecfd6844 CVE-2014-9315 RESERVED CVE-2014-9314 RESERVED CVE-2014-9313 RESERVED CVE-2014-9312 (Unrestricted File Upload vulnerability in Photo Gallery 1.2.5. ...) NOT-FOR-US: Photo Gallery CVE-2014-9311 (Cross-site scripting (XSS) vulnerability in admin.php in the Shareahol ...) NOT-FOR-US: Shareaholic plugin for WordPress CVE-2014-9310 (Cross-site scripting (XSS) vulnerability in the WordPress Backup to Dr ...) NOT-FOR-US: WordPress Backup to Dropbox plugin for WordPress CVE-2014-9309 RESERVED CVE-2014-9308 (Unrestricted file upload vulnerability in inc/amfphp/administration/ba ...) NOT-FOR-US: WordPress plugin WP EasyCart CVE-2014-9307 RESERVED CVE-2014-9306 RESERVED CVE-2014-9305 (SQL injection vulnerability in the shortcodeProductsTable function in ...) NOT-FOR-US: shortcodeProductsTable function in models/Cart66Ajax.php in the Cart66 Lite plugin for WordPress CVE-2014-9304 (Plex Media Server before 0.9.9.3 allows remote attackers to bypass the ...) NOT-FOR-US: Plex Media Server CVE-2014-9303 (EntryPass N5200 Active Network Control Panel allows remote attackers t ...) NOT-FOR-US: EntryPass CVE-2014-9302 (Server-side request forgery (SSRF) vulnerability in the cmisbrowser se ...) NOT-FOR-US: Alfresco Community Edition CVE-2014-9301 (Server-side request forgery (SSRF) vulnerability in the proxy servlet ...) NOT-FOR-US: Alfreso Community Edition CVE-2014-9300 (Cross-site request forgery (CSRF) vulnerability in the cmisbrowser ser ...) NOT-FOR-US: Alfreso Community Edition CVE-2014-9299 REJECTED CVE-2014-9374 (Double free vulnerability in the WebSocket Server (res_http_websocket ...) - asterisk 1:13.1.0~dfsg-1 (bug #773230) [jessie] - asterisk 1:11.13.1~dfsg-2 [wheezy] - asterisk (Web socket code not yet present) [squeeze] - asterisk (Web socket code not yet present) NOTE: http://downloads.digium.com/pub/security/AST-2014-019.html CVE-2014-9323 (The xdr_status_vector function in Firebird before 2.1.7 and 2.5.x befo ...) {DSA-3109-1 DLA-130-1 DLA-123-1} - firebird2.5 2.5.3.26778.ds4-5 (bug #772880) - firebird2.1 NOTE: http://sourceforge.net/p/firebird/code/60331 NOTE: http://tracker.firebirdsql.org/browse/CORE-4630 CVE-2014-9298 REJECTED CVE-2014-9297 REJECTED CVE-2014-9296 (The receive function in ntp_proto.c in ntpd in NTP before 4.2.8 contin ...) {DSA-3108-1 DLA-116-1} - ntp 1:4.2.6.p5+dfsg-3.2 (bug #773576) NOTE: http://bugs.ntp.org/show_bug.cgi?id=2670 (not yet open) CVE-2014-9295 (Multiple stack-based buffer overflows in ntpd in NTP before 4.2.8 allo ...) {DSA-3108-1 DLA-116-1} - ntp 1:4.2.6.p5+dfsg-3.2 (bug #773576) NOTE: http://bugs.ntp.org/show_bug.cgi?id=2667 (not yet open) NOTE: http://bugs.ntp.org/show_bug.cgi?id=2668 (not yet open) NOTE: http://bugs.ntp.org/show_bug.cgi?id=2669 (not yet open) CVE-2014-9294 (util/ntp-keygen.c in ntp-keygen in NTP before 4.2.7p230 uses a weak RN ...) {DSA-3108-1 DLA-116-1} - ntp 1:4.2.6.p5+dfsg-3.2 (bug #773576) NOTE: http://bugs.ntp.org/show_bug.cgi?id=2666 (not yet open) CVE-2014-9293 (The config_auth function in ntpd in NTP before 4.2.7p11, when an auth ...) {DSA-3108-1 DLA-116-1} - ntp 1:4.2.6.p5+dfsg-3.2 (bug #773576) NOTE: http://bugs.ntp.org/show_bug.cgi?id=2665 (not yet open) CVE-2014-9292 (Server-side request forgery (SSRF) vulnerability in proxy.php in the j ...) NOT-FOR-US: jRSS WordPress Plugin CVE-2014-9291 REJECTED CVE-2014-9290 REJECTED CVE-2014-9289 REJECTED CVE-2014-9288 REJECTED CVE-2014-9287 REJECTED CVE-2014-9286 REJECTED CVE-2014-9285 REJECTED CVE-2014-9284 (The Buffalo WHR-1166DHP 1.60 and earlier, WSR-600DHP 1.60 and earlier, ...) NOT-FOR-US: Buffalo routers CVE-2014-9283 (The BestWebSoft Captcha plugin before 4.0.7 for WordPress allows remot ...) NOT-FOR-US: BestWebSoft plugin for WordPress CVE-2014-9282 (Directory traversal vulnerability in the Speed Root Explorer applicati ...) NOT-FOR-US: Speed Root Explorer CVE-2014-9268 (The AdView.AdViewer.1 ActiveX control in Autodesk Design Review (ADR) ...) NOT-FOR-US: Autodesk Design Review CVE-2014-9267 (Heap-based buffer overflow in the PTC IsoView ActiveX control allows r ...) NOT-FOR-US: PTC IsoView CVE-2014-9266 (The STWConfig ActiveX control in Samsung SmartViewer does not properly ...) NOT-FOR-US: Samsung SmartViewer CVE-2014-9265 (Stack-based buffer overflow in the BackupToAvi method in the CNC_Ctrl ...) NOT-FOR-US: Samsung SmartViewer CVE-2014-9264 (Stack-based buffer overflow in the .NET Data Provider in SAP SQL Anywh ...) NOT-FOR-US: SAP SQL Anywhere CVE-2014-9263 (Multiple buffer overflows in the PocketNetNVRMediaClientAxCtrl.NVRMedi ...) NOT-FOR-US: 3S Pocketnet Tech VMS CVE-2014-9262 (The Duplicator plugin in Wordpress before 0.5.10 allows remote authent ...) NOT-FOR-US: Duplicator plugin in Wordpress CVE-2014-9261 (The sanitize function in Codoforum 2.5.1 does not properly implement f ...) NOT-FOR-US: Codoforum CVE-2014-9260 (The basic_settings function in the download manager plugin for WordPre ...) NOT-FOR-US: download manager plugin for WordPress CVE-2014-9259 RESERVED CVE-2014-9258 (SQL injection vulnerability in ajax/getDropdownValue.php in GLPI befor ...) - glpi (unimportant) NOTE: Only supported behind an authenticated HTTP zone CVE-2014-9257 RESERVED CVE-2014-9256 RESERVED CVE-2014-9255 RESERVED CVE-2014-9254 (bb_func_unsub.php in MiniBB 3.1 before 20141127 uses an incorrect regu ...) NOT-FOR-US: MiniBB CVE-2014-9253 (The default file type whitelist configuration in conf/mime.conf in the ...) - dokuwiki 0.0.20140929.d-1 (bug #773429) [jessie] - dokuwiki (Minor issue) [wheezy] - dokuwiki (Minor issue) [squeeze] - dokuwiki (Minor issue) NOTE: https://github.com/splitbrain/dokuwiki/commit/778ddf6f2cd9ed38b9db2d73e823b8c21243a960 NOTE: Advisory: http://security.szurek.pl/dokuwiki-20140929a-xss.html CVE-2014-9252 (Zenoss Core through 5 Beta 3 stores cleartext passwords in the session ...) - zenoss (bug #361253) CVE-2014-9251 (Zenoss Core through 5 Beta 3 uses a weak algorithm to hash passwords, ...) - zenoss (bug #361253) CVE-2014-9250 (Zenoss Core through 5 Beta 3 does not include the HTTPOnly flag in a S ...) - zenoss (bug #361253) CVE-2014-9249 (The default configuration of Zenoss Core before 5 allows remote attack ...) - zenoss (bug #361253) CVE-2014-9248 (Zenoss Core through 5 Beta 3 does not require complex passwords, which ...) - zenoss (bug #361253) CVE-2014-9247 (Zenoss Core through 5 Beta 3 allows remote authenticated users to obta ...) - zenoss (bug #361253) CVE-2014-9246 REJECTED CVE-2014-9245 (Zenoss Core through 5 Beta 3 allows remote attackers to obtain sensiti ...) - zenoss (bug #361253) CVE-2014-9244 REJECTED CVE-2014-9243 (Multiple cross-site scripting (XSS) vulnerabilities in WebsiteBaker 2. ...) NOT-FOR-US: WebsiteBaker CVE-2014-9242 (SQL injection vulnerability in admin/pages/modify.php in WebsiteBaker ...) NOT-FOR-US: WebsiteBaker CVE-2014-9241 (Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBul ...) NOT-FOR-US: MyBB CVE-2014-9240 (SQL injection vulnerability in member.php in MyBB (aka MyBulletinBoard ...) NOT-FOR-US: MyBB CVE-2014-9239 (SQL injection vulnerability in the IPS Connect service (interface/ipsc ...) NOT-FOR-US: Invision Power Board CVE-2014-9238 (D-link IP camera DCS-2103 with firmware 1.0.0 allows remote attackers ...) NOT-FOR-US: D-link DCS-2103 CVE-2014-9237 (SQL injection vulnerability in Proticaret E-Commerce 3.0 allows remote ...) NOT-FOR-US: Proticaret E-Commerce CVE-2014-9236 (Cross-site scripting (XSS) vulnerability in php/edit_photos.php in Zop ...) - zoph (unimportant) NOTE: http://seclists.org/fulldisclosure/2014/Nov/45 NOTE: https://github.com/jeroenrnl/zoph/issues/59 NOTE: The SQL injection and XSS claims appear to be mostly unfounded. CVE-2014-9235 (Multiple SQL injection vulnerabilities in Zoph (aka Zoph Organizes Pho ...) - zoph (unimportant) NOTE: http://seclists.org/fulldisclosure/2014/Nov/45 NOTE: https://github.com/jeroenrnl/zoph/issues/59 NOTE: The SQL injection and XSS claims appear to be mostly unfounded. CVE-2014-9234 (Directory traversal vulnerability in cgi-bin/sddownload.cgi in D-link ...) NOT-FOR-US: D-link DCS-2103 CVE-2014-9233 REJECTED CVE-2014-9232 REJECTED CVE-2014-9231 REJECTED CVE-2014-9230 (Cross-site scripting (XSS) vulnerability in the administration console ...) NOT-FOR-US: Enforce Server in Symantec Data Loss Prevention CVE-2014-9229 (Multiple SQL injection vulnerabilities in interface PHP scripts in the ...) NOT-FOR-US: Symantec CVE-2014-9228 (sysplant.sys in the Manager component in Symantec Endpoint Protection ...) NOT-FOR-US: Symantec CVE-2014-9227 (Multiple untrusted search path vulnerabilities in the Manager componen ...) NOT-FOR-US: Symantec CVE-2014-9226 (The management server in Symantec Critical System Protection (SCSP) 5. ...) NOT-FOR-US: Symantec Data Center Security CVE-2014-9225 (The ajaxswing webui in the management server in Symantec Critical Syst ...) NOT-FOR-US: Symantec Data Center Security CVE-2014-9224 (Cross-site scripting (XSS) vulnerability in the ajaxswing webui in the ...) NOT-FOR-US: Symantec Data Center Security CVE-2014-9223 (Multiple buffer overflows in AllegroSoft RomPager, as used in Huawei H ...) NOT-FOR-US: RomPager NOTE: http://mis.fortunecook.ie/ CVE-2014-9222 (AllegroSoft RomPager 4.34 and earlier, as used in Huawei Home Gateway ...) NOT-FOR-US: RomPager NOTE: http://mis.fortunecook.ie/ CVE-2014-9221 (strongSwan 4.5.x through 5.2.x before 5.2.1 allows remote attackers to ...) {DSA-3118-1} - strongswan 5.2.1-5 [squeeze] - strongswan (MODP_CUSTOM Diffie-Hellman group not implemented in 4.4.1) CVE-2014-9217 (Graylog2 before 0.92 allows remote attackers to bypass LDAP authentica ...) - graylog2 (bug #652273) CVE-2014-9216 RESERVED CVE-2014-9215 (SQL injection vulnerability in the CheckEmail function in includes/fun ...) NOT-FOR-US: PBBoard CVE-2014-9214 RESERVED CVE-2014-9213 RESERVED CVE-2014-9212 (Multiple cross-site scripting (XSS) vulnerabilities in Altitude uAgent ...) NOT-FOR-US: Altitude uAgent CVE-2014-9211 (ClickDesk version 4.3 and below has persistent cross site scripting ...) NOT-FOR-US: ClickDesk CVE-2014-9210 REJECTED CVE-2014-9209 (Untrusted search path vulnerability in the Clean Utility application i ...) NOT-FOR-US: Rockwell Automation FactoryTalk Services Platform CVE-2014-9208 (Multiple stack-based buffer overflows in unspecified DLL files in Adva ...) NOT-FOR-US: Advantech CVE-2014-9207 (Untrusted search path vulnerability in CmnView.exe in CIMON CmnView 2. ...) NOT-FOR-US: CIMON CmnView CVE-2014-9206 (Stack-based buffer overflow in Device Type Manager (DTM) 3.1.6 and ear ...) NOT-FOR-US: Schneider Electric Invensys CVE-2014-9205 (Stack-based buffer overflow in the PmBase64Decode function in an unspe ...) NOT-FOR-US: MICROSYS PROMOTIC CVE-2014-9204 (Stack-based buffer overflow in OPCTest.exe in Rockwell Automation RSLi ...) NOT-FOR-US: OPCTest.exe in Rockwell Automation RSLinx Classic CVE-2014-9203 (Buffer overflow in the Field Device Tool (FDT) Frame application in th ...) NOT-FOR-US: HART Device Type Manager (DTM) library CVE-2014-9202 (Multiple stack-based buffer overflows in an unspecified DLL file in Ad ...) NOT-FOR-US: Advantech WebAccess CVE-2014-9201 (Beckwith Electric M-6200 Digital Voltage Regulator Control with firmwa ...) NOT-FOR-US: Beckwith Electric digital voltage regulators CVE-2014-9200 (Stack-based buffer overflow in an unspecified DLL file in a DTM develo ...) NOT-FOR-US: Schneider Electric CVE-2014-9199 (The Clorius Controls Java web client before 01.00.0009g allows remote ...) NOT-FOR-US: Clorius Controls Java web client CVE-2014-9198 (The FTP server on the Schneider Electric ETG3000 FactoryCast HMI Gatew ...) NOT-FOR-US: Schneider Electric CVE-2014-9197 (The Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware b ...) NOT-FOR-US: Schneider Electric CVE-2014-9196 (Eaton Cooper Power Systems ProView 4.0 and 5.0 before 5.0 11 on Form 6 ...) NOT-FOR-US: Eaton Cooper Power Systems CVE-2014-9195 (Phoenix Contact ProConOs and MultiProg do not require authentication, ...) NOT-FOR-US: Phoenix Contact ProConOs and MultiProg CVE-2014-9194 (Arbiter 1094B GPS Substation Clock allows remote attackers to cause a ...) NOT-FOR-US: Arbiter 1094B GPS Substation Clock CVE-2014-9193 (Innominate mGuard with firmware before 7.6.6 and 8.x before 8.1.4 allo ...) NOT-FOR-US: Innominate mGuard CVE-2014-9192 (Integer overflow in Trihedral Engineering VTScada (formerly VTS) 6.5 t ...) NOT-FOR-US: Trihedral Engineering VTScada CVE-2014-9191 (The CodeWrights HART Device Type Manager (DTM) library in Emerson HART ...) NOT-FOR-US: Emerson HART DTM CVE-2014-9190 (Stack-based buffer overflow in Schneider Electric Wonderware InTouch A ...) NOT-FOR-US: Schneider Electric CVE-2014-9189 (Multiple stack-based buffer overflow vulnerabilities were found in Hon ...) NOT-FOR-US: Honeywell Experion PKS CVE-2014-9188 (Buffer overflow in an ActiveX control in MDraw30.ocx in Schneider Elec ...) NOT-FOR-US: Schneider Electric ProClima CVE-2014-9187 (Multiple heap-based buffer overflow vulnerabilities exist in Honeywell ...) NOT-FOR-US: Honeywell Experion PKS CVE-2014-9186 (A file inclusion vulnerability exists in the confd.exe module in Honey ...) NOT-FOR-US: Honeywell CVE-2014-9185 (Static code injection vulnerability in install.php in Morfy CMS 1.05 a ...) NOT-FOR-US: Morfy CMS CVE-2014-9184 (ZTE ZXDSL 831CII allows remote attackers to bypass authentication via ...) NOT-FOR-US: ZTE ZXDSL Modem CVE-2014-9183 (ZTE ZXDSL 831CII has a default password of admin for the admin account ...) NOT-FOR-US: ZTE ZDSL Modem CVE-2014-9182 (models/comment.php in Anchor CMS 0.9.2 and earlier allows remote attac ...) NOT-FOR-US: Anchor CMS CVE-2014-9181 (Multiple directory traversal vulnerabilities in Plex Media Server befo ...) NOT-FOR-US: Plex Media Server CVE-2014-9180 (Open redirect vulnerability in go.php in Eleanor CMS allows remote att ...) NOT-FOR-US: Eleanor CMS CVE-2014-9179 (Cross-site scripting (XSS) vulnerability in the SupportEzzy Ticket Sys ...) NOT-FOR-US: SupportEzzy Ticket System plugin for WordPress CVE-2014-9178 (Multiple SQL injection vulnerabilities in classes/ajax.php in the Smar ...) NOT-FOR-US: Smarty Pants Plugin for WordPress CVE-2014-9177 (The HTML5 MP3 Player with Playlist Free plugin before 2.7 for WordPres ...) NOT-FOR-US: Playlist Free WordPress Plugin CVE-2014-9176 (Cross-site scripting (XSS) vulnerability in the InstaSqueeze Sexy Sque ...) NOT-FOR-US: InstaSqueeze Sexy Squeeze Pages plugin for WordPress CVE-2014-9175 (SQL injection vulnerability in wpdatatables.php in the wpDataTables pl ...) NOT-FOR-US: wpDataTables WordPress Plugin CVE-2014-9174 (Cross-site scripting (XSS) vulnerability in the Google Analytics by Yo ...) NOT-FOR-US: Google Analytics by Yoast (google-analytics-for-wordpress) plugin for WordPress CVE-2014-9173 (SQL injection vulnerability in view.php in the Google Doc Embedder plu ...) NOT-FOR-US: Google Doc Embedder plugin for WordPress CVE-2014-9474 (Buffer overflow in the mpfr_strtofr function in GNU MPFR before 3.1.2- ...) - mpfr4 3.1.2-2 (low; bug #772008) [squeeze] - mpfr4 (Minor issue) [wheezy] - mpfr4 (Minor issue) NOTE: https://gforge.inria.fr/scm/viewvc.php?view=rev&root=mpfr&revision=9243 CVE-2015-0360 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0359 (Double free vulnerability in Adobe Flash Player before 13.0.0.281 and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0358 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.281 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0357 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0356 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0355 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0354 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0353 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0352 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0351 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.281 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0350 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0349 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.281 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0348 (Buffer overflow in Adobe Flash Player before 13.0.0.281 and 14.x throu ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0347 (Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0346 (Double free vulnerability in Adobe Flash Player before 13.0.0.281 and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0345 (Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 10 before ...) NOT-FOR-US: Adobe ColdFusion CVE-2015-0344 (Cross-site scripting (XSS) vulnerability in the web app in Adobe Conne ...) NOT-FOR-US: Adobe CVE-2015-0343 (Cross-site scripting (XSS) vulnerability in admin/home/homepage/search ...) NOT-FOR-US: Adobe CVE-2015-0342 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.277 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0341 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.277 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0340 (Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0339 (Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0338 (Integer overflow in Adobe Flash Player before 13.0.0.277 and 14.x thro ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0337 (Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0336 (Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0335 (Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0334 (Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0333 (Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0332 (Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0331 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0330 (Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0329 (Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0328 (Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0327 (Heap-based buffer overflow in Adobe Flash Player before 13.0.0.269 and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0326 (Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0325 (Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0324 (Buffer overflow in Adobe Flash Player before 13.0.0.269 and 14.x throu ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0323 (Heap-based buffer overflow in Adobe Flash Player before 13.0.0.269 and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0322 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0321 (Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0320 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0319 (Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0318 (Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0317 (Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0316 (Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0315 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0314 (Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0313 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0312 (Double free vulnerability in Adobe Flash Player before 13.0.0.264 and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0311 (Unspecified vulnerability in Adobe Flash Player through 13.0.0.262 and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0310 (Adobe Flash Player before 13.0.0.262 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0309 (Heap-based buffer overflow in Adobe Flash Player before 13.0.0.260 and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0308 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.260 a ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0307 (Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0306 (Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0305 (Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0304 (Heap-based buffer overflow in Adobe Flash Player before 13.0.0.260 and ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0303 (Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0302 (Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2015-0301 (Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-9275 (UnRTF allows remote attackers to cause a denial of service (out-of-bou ...) {DSA-3158-1 DLA-133-1} - unrtf 0.21.5-2 (bug #772811) NOTE: https://lists.gnu.org/archive/html/bug-unrtf/2014-11/msg00000.html NOTE: https://lists.gnu.org/archive/html/bug-unrtf/2014-12/msg00001.html NOTE: Patch: https://bitbucket.org/medoc/unrtf-int/commits/1df886f2e65f7c512a6217588ae8d94d4bcbc63d NOTE: Patch: https://bitbucket.org/medoc/unrtf-int/commits/3c7ff3f888de0f0d957fe67b6bd4bec9c0d475f3 CVE-2014-9274 (UnRTF allows remote attackers to cause a denial of service (crash) and ...) {DSA-3158-1 DLA-133-1} - unrtf 0.21.5-2 (bug #772811) NOTE: https://lists.gnu.org/archive/html/bug-unrtf/2014-11/msg00001.html NOTE: https://lists.gnu.org/archive/html/bug-unrtf/2014-12/msg00000.html NOTE: Patch: https://bitbucket.org/medoc/unrtf-int/commits/b0cef89a170a66bc48f8dd288ce562ea8ca91f7a CVE-2014-9278 (The OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 a ...) - openssh (patch not applied to Debian) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1169843 NOTE: Patch https://bugzilla.mindrot.org/show_bug.cgi?id=1867 from not applied in Debian CVE-2014-9277 (The wfMangleFlashPolicy function in OutputHandler.php in MediaWiki bef ...) {DSA-3100-1} - mediawiki 1:1.19.20+dfsg-2.1 (bug #772764) [squeeze] - mediawiki NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=71478 NOTE: backported patches for 1.19: NOTE: https://gerrit.wikimedia.org/r/#/c/175725/ NOTE: https://gerrit.wikimedia.org/r/#/c/175960/ CVE-2014-9276 (Cross-site request forgery (CSRF) vulnerability in the Special:Expande ...) - mediawiki (Vulnerable code not present) NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=71111 NOTE: No special expand templates before 1.23.x but available as extension. CVE-2014-9220 (SQL injection vulnerability in OpenVAS Manager before 4.0.6 and 5.x be ...) NOT-FOR-US: OpenVAS Manager CVE-2014-9219 (Cross-site scripting (XSS) vulnerability in the redirection feature in ...) - phpmyadmin 4:4.2.12-2 (bug #774194) [wheezy] - phpmyadmin (Vulnerable code not present) [squeeze] - phpmyadmin (Vulnerable code not present) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/9b2479b7216dd91a6cc2f231c0fd6b85d457f6e2 NOTE: https://www.phpmyadmin.net/security/PMASA-2014-18/ CVE-2014-9218 (libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.7, 4.1.x be ...) {DSA-3382-1 DLA-336-1} - phpmyadmin 4:4.2.12-2 (low; bug #774194) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/1ac863c7573d12012374d5d41e5c7dc5505ea6e1 (master) NOTE: https://www.phpmyadmin.net/security/PMASA-2014-17/ CVE-2014-9172 REJECTED CVE-2014-9171 REJECTED CVE-2014-9170 REJECTED CVE-2014-9169 REJECTED CVE-2014-9168 REJECTED CVE-2014-9167 REJECTED CVE-2014-9166 (Adobe ColdFusion 10 before Update 15 and 11 before Update 3 allows att ...) NOT-FOR-US: Adobe ColdFusion CVE-2014-9165 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe Reader CVE-2014-9164 (Adobe Flash Player before 13.0.0.259 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-9163 (Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 an ...) NOT-FOR-US: Adobe Flash Player CVE-2014-9162 (Adobe Flash Player before 13.0.0.259 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-9161 (CoolType.dll in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x ...) NOT-FOR-US: Adobe CVE-2014-9160 (Multiple heap-based buffer overflows in Adobe Reader and Acrobat 10.x ...) NOT-FOR-US: Adobe CVE-2014-9159 (Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10. ...) NOT-FOR-US: Adobe Reader CVE-2014-9158 (Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 o ...) NOT-FOR-US: Adobe Reader CVE-2014-9155 (Directory traversal vulnerability in the Avatar Uploader module 6.x-1. ...) NOT-FOR-US: Avatar Uploader module for Drupal CVE-2014-9154 (The Notify module 7.x-1.x before 7.x-1.1 for Drupal does not properly ...) NOT-FOR-US: Notify module for Drupal CVE-2014-9153 (Cross-site scripting (XSS) vulnerability in the Services module 7.x-3. ...) NOT-FOR-US: Services module for Drupal CVE-2014-9152 (The _user_resource_create function in the Services module 7.x-3.x befo ...) NOT-FOR-US: Services module for Drupal CVE-2014-9151 (The Services module 7.x-3.x before 7.x-3.10 for Drupal does not proper ...) NOT-FOR-US: Services module for Drupal CVE-2014-9150 (Race condition in the MoveFileEx call hook feature in Adobe Reader and ...) NOT-FOR-US: Adobe CVE-2014-9149 RESERVED CVE-2014-9148 (Fiyo CMS 2.0.1.8 allows remote attackers to bypass intended access res ...) NOT-FOR-US: Fiyo CMS CVE-2014-9147 (Fiyo CMS 2.0.1.8 allows remote attackers to obtain sensitive informati ...) NOT-FOR-US: Fiyo CMS CVE-2014-9146 (Multiple cross-site scripting (XSS) vulnerabilities in Fiyo CMS 2.0.1. ...) NOT-FOR-US: Fiyo CMS CVE-2014-9145 (Multiple SQL injection vulnerabilities in Fiyo CMS 2.0.1.8 allow remot ...) NOT-FOR-US: Fiyo CMS CVE-2014-9144 (Technicolor Router TD5130 with firmware 2.05.C29GV allows remote attac ...) NOT-FOR-US: Technicolor routers CVE-2014-9143 (Open redirect vulnerability in Technicolor Router TD5130 with firmware ...) NOT-FOR-US: Technicolor routers CVE-2014-9142 (Cross-site scripting (XSS) vulnerability in Technicolor Router TD5130 ...) NOT-FOR-US: Technicolor routers CVE-2014-9141 (The installer in Thomson Reuters Fixed Assets CS 13.1.4 and earlier us ...) NOT-FOR-US: Thomson Reuters Fixed Assets CVE-2014-9139 RESERVED CVE-2014-9138 RESERVED CVE-2014-9137 (Huawei USG9500 with software V200R001C01SPC800 and earlier versions, V ...) NOT-FOR-US: Huawei CVE-2014-9136 (Huawei FusionManager with software V100R002C03 and V100R003C00 could a ...) NOT-FOR-US: Huawei CVE-2014-9135 (The PackageInstaller module in Huawei P7-L10 smartphones before V100R0 ...) NOT-FOR-US: PackageInstaller module in Huawei P7-L10 CVE-2014-9134 (Unrestricted file upload vulnerability in Huawei Honor Cube Wireless R ...) NOT-FOR-US: Huawei Wireless Router CVE-2014-9133 RESERVED CVE-2014-9132 RESERVED CVE-2014-9131 RESERVED CVE-2014-9128 RESERVED CVE-2014-9127 (Open-School Community Edition 2.2 does not properly restrict access to ...) NOT-FOR-US: Open-School Community Edition CVE-2014-9126 (Multiple cross-site scripting (XSS) vulnerabilities in Open-School Com ...) NOT-FOR-US: Open-School Community Edition CVE-2014-9125 RESERVED CVE-2014-9124 RESERVED CVE-2014-9123 RESERVED CVE-2014-9122 RESERVED CVE-2014-9121 RESERVED CVE-2014-9120 (Cross-site scripting (XSS) vulnerability in Subrion CMS before 3.2.3 a ...) NOT-FOR-US: Subrion CMS CVE-2014-9119 (Directory traversal vulnerability in download.php in the DB Backup plu ...) NOT-FOR-US: WordPress plugin db-backup CVE-2014-9118 (The web administrative portal in Zhone zNID GPON 2426A before S3.0.501 ...) NOT-FOR-US: ZHONE Router CVE-2014-9115 (SQL injection vulnerability in the rate_picture function in include/fu ...) - piwigo [squeeze] - piwigo (Unsupported in squeeze-lts) NOTE: Request to mark the package as unsupported in #779104 CVE-2014-9113 (CCH Wolters Kluwer ProSystem fx Engagement (aka PFX Engagement) 7.1 an ...) NOT-FOR-US: PFX Engagement CVE-2014-9111 RESERVED CVE-2014-9110 RESERVED CVE-2014-9109 RESERVED CVE-2014-9108 RESERVED CVE-2014-9107 RESERVED CVE-2014-9106 RESERVED CVE-2014-9105 RESERVED CVE-2014-9104 (Multiple cross-site request forgery (CSRF) vulnerabilities in the XML- ...) NOT-FOR-US: Desktop Client in OpenVPN Access Server CVE-2014-9103 (Multiple cross-site scripting (XSS) vulnerabilities in the Kunena comp ...) NOT-FOR-US: Kunena component for Joomla! CVE-2014-9102 (Multiple SQL injection vulnerabilities in the Kunena component before ...) NOT-FOR-US: Kunena component for Joomla! CVE-2014-9101 (Multiple cross-site request forgery (CSRF) vulnerabilities in Oxwall 1 ...) NOT-FOR-US: Oxwall and SkaDate Lite CVE-2014-9100 (Cross-site scripting (XSS) vulnerability in the WhyDoWork AdSense plug ...) NOT-FOR-US: WhyDoWork AdSense plugin for WordPress CVE-2014-9099 (Cross-site request forgery (CSRF) vulnerability in the WhyDoWork AdSen ...) NOT-FOR-US: WhyDoWork AdSense plugin for WordPress CVE-2014-9098 (Multiple cross-site scripting (XSS) vulnerabilities in the Apptha Word ...) NOT-FOR-US: Apptha WordPress Plugin CVE-2014-9097 (Multiple SQL injection vulnerabilities in the Apptha WordPress Video G ...) NOT-FOR-US: Apptha WordPress Plugin CVE-2014-9096 (Multiple SQL injection vulnerabilities in recover.php in Pligg CMS 2.0 ...) NOT-FOR-US: Pligg CVE-2014-9095 (Multiple SQL injection vulnerabilities in Raritan Power IQ 4.1.0 and 4 ...) NOT-FOR-US: Raritan Power IQ CVE-2014-9094 (Multiple cross-site scripting (XSS) vulnerabilities in deploy/designer ...) NOT-FOR-US: Digital Zoom Studio (DZS) Video Gallery plugin for WordPress CVE-2014-9088 RESERVED CVE-2014-9086 RESERVED CVE-2014-9085 RESERVED CVE-2014-9084 RESERVED CVE-2014-9083 RESERVED CVE-2014-9082 RESERVED CVE-2014-9081 RESERVED CVE-2014-9080 RESERVED CVE-2014-9079 RESERVED CVE-2014-9078 RESERVED CVE-2014-9077 RESERVED CVE-2014-9076 RESERVED CVE-2014-9075 RESERVED CVE-2014-9074 RESERVED CVE-2014-9073 RESERVED CVE-2014-9072 RESERVED CVE-2014-9071 RESERVED CVE-2014-9070 RESERVED CVE-2014-9069 RESERVED CVE-2014-9068 RESERVED CVE-2014-9067 RESERVED CVE-2014-9066 (Xen 4.4.x and earlier, when using a large number of VCPUs, does not pr ...) - xen (unimportant) NOTE: Architectual/design limitation, not treated as a security issue CVE-2014-9065 (common/spinlock.c in Xen 4.4.x and earlier does not properly handle re ...) - xen 4.4.1-6 [wheezy] - xen (Only affects 4.2 and later) [squeeze] - xen (Only affects 4.2 and later) CVE-2014-9064 RESERVED CVE-2014-9063 RESERVED CVE-2014-9062 RESERVED CVE-2014-9061 RESERVED CVE-2014-9060 (The LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x bef ...) - moodle 2.7.5+dfsg-1 [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47927 NOTE: https://moodle.org/mod/forum/discuss.php?d=275165 CVE-2014-9058 RESERVED CVE-2014-9057 (SQL injection vulnerability in the XML-RPC interface in Movable Type b ...) {DSA-3183-1} - movabletype-opensource (bug #774192) [squeeze] - movabletype-opensource (Not supported in Squeeze LTS) NOTE: https://movabletype.org/news/2014/12/6.0.6.html NOTE: https://movabletype.org/documentation/appendices/release-notes/6.0.6.html CVE-2014-9056 RESERVED CVE-2014-9055 RESERVED CVE-2014-9054 RESERVED CVE-2014-9053 RESERVED CVE-2014-9052 RESERVED CVE-2014-9051 RESERVED CVE-2014-9049 (The documents application in ownCloud Server 6.x before 6.0.6 and 7.x ...) - owncloud 7.0.3+dfsg-1 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2014-025 CVE-2014-9048 (The documents application in ownCloud Server 6.x before 6.0.6 and 7.x ...) - owncloud 7.0.3+dfsg-1 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2014-024 CVE-2014-9047 (Multiple unspecified vulnerabilities in the preview system in ownCloud ...) - owncloud 7.0.3+dfsg-1 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2014-026 CVE-2014-9046 (The OC_Util::getUrlContent function in ownCloud Server before 5.0.18, ...) - owncloud 7.0.3+dfsg-1 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2014-023 CVE-2014-9045 (The FTP backend in user_external in ownCloud Server before 5.0.18 and ...) - owncloud 7~20140504+dfsg-1 NOTE: Only affects 5.x and 6.x, so marking first 7 release as fixed NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2014-022 CVE-2014-9044 (Asset Pipeline in ownCloud 7.x before 7.0.3 uses an MD5 hash of the ab ...) - owncloud 7.0.3+dfsg-1 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2014-021 CVE-2014-9043 (The user_ldap (aka LDAP user and group backend) application in ownClou ...) - owncloud 7.0.3+dfsg-1 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2014-020 CVE-2014-9042 (Cross-site scripting (XSS) vulnerability in the import functionality i ...) - owncloud 7.0.3+dfsg-1 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2014-028 CVE-2014-9041 (The import functionality in the bookmarks application in ownCloud serv ...) - owncloud 7.0.3+dfsg-1 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2014-019 CVE-2014-9040 RESERVED CVE-2014-9029 (Multiple off-by-one errors in the (1) jpc_dec_cp_setfromcox and (2) jp ...) {DSA-3089-1 DLA-101-1} - jasper 1.900.1-debian1-2.2 (bug #772036) CVE-2014-9027 (Multiple cross-site request forgery (CSRF) vulnerabilities in ZTE ZXDS ...) NOT-FOR-US: ZTE ZXDSL 831CII CVE-2014-9026 (The Ubercart module 7.x-3.x before 7.x-3.7 for Drupal does not properl ...) NOT-FOR-US: Ubercart module for Drupal CVE-2014-9025 (The default checkout completion rule in the commerce_order module in t ...) NOT-FOR-US: Drupal Commerce module for Drupal CVE-2014-9024 (The Protected Pages module 7.x-2.x before 7.x-2.4 for Drupal allows re ...) NOT-FOR-US: Protected Pages module for Drupal CVE-2014-9023 (The Twilio module 7.x-1.x before 7.x-1.9 for Drupal does not properly ...) NOT-FOR-US: Twilio module for Drupal CVE-2014-9022 (The Webform Component Roles module 6.x-1.x before 6.x-1.8 and 7.x-1.x ...) NOT-FOR-US: Webform Component Roles module for Drupal CVE-2014-9021 (Multiple cross-site scripting (XSS) vulnerabilities in ZTE ZXDSL 831 a ...) NOT-FOR-US: ZTE ZXDSL 831 CVE-2014-9020 (Cross-site scripting (XSS) vulnerability in the Quick Stats page (psil ...) NOT-FOR-US: ZTE ZXDSL 831 and 831CII CVE-2014-9019 (Multiple cross-site request forgery (CSRF) vulnerabilities in ZTE ZXDS ...) NOT-FOR-US: ZTE ZXDSL 831CII CVE-2014-9017 (Cross-site scripting (XSS) vulnerability in OpenKM before 6.4.19 (buil ...) NOT-FOR-US: OpenKM CVE-2012-6684 (Cross-site scripting (XSS) vulnerability in the RedCloth library 4.2.9 ...) {DSA-3168-1 DLA-167-1} - ruby-redcloth 4.2.9-4 (bug #774748) - redcloth NOTE: http://co3k.org/blog/redcloth-unfixed-xss-en CVE-2012-6683 RESERVED CVE-2012-6682 (Cross-site scripting (XSS) vulnerability in downloads/actions/editdown ...) NOT-FOR-US: DragonByte Technologies vBDownloads module for vBulletin CVE-2012-6681 RESERVED CVE-2012-6680 RESERVED CVE-2012-6679 RESERVED CVE-2012-6678 RESERVED CVE-2012-6677 RESERVED CVE-2012-6676 RESERVED CVE-2012-6675 RESERVED CVE-2012-6674 RESERVED CVE-2012-6673 RESERVED CVE-2012-6672 RESERVED CVE-2012-6671 (Multiple cross-site scripting (XSS) vulnerabilities in actions/main.ph ...) NOT-FOR-US: DragonByte Technologies Forumon RPG module for vBulletin CVE-2012-6670 (Multiple cross-site scripting (XSS) vulnerabilities in the DragonByte ...) NOT-FOR-US: DragonByte Technologies vbActivity module for vBulletin CVE-2012-6669 RESERVED CVE-2012-6668 (Multiple cross-site scripting (XSS) vulnerabilities in the Shout Repor ...) NOT-FOR-US: DragonByte Technologies vBShout module for vBulletin CVE-2012-6667 (Cross-site scripting (XSS) vulnerability in vbshout.php in DragonByte ...) NOT-FOR-US: DragonByte Technologies vBShout module for vBulletin CVE-2012-6666 (vBSeo before 3.6.0PL2 allows XSS via the member.php u parameter. ...) NOT-FOR-US: vBSeo CVE-2010-5313 (Race condition in arch/x86/kvm/x86.c in the Linux kernel before 2.6.38 ...) - linux 2.6.38-1 - linux-2.6 2.6.38-1 [squeeze] - linux-2.6 (KVM not supported in Squeeze LTS) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=fc3a9157d314 (v2.6.38-rc1) CVE-2014-9156 (The FileField module 6.x-3.x before 6.x-3.13 for Drupal does not prope ...) NOT-FOR-US: Drupal module FileField CVE-2014-9129 (Cross-site request forgery (CSRF) vulnerability in the CreativeMinds C ...) NOT-FOR-US: WordPress plugin cm-download-manager CVE-2014-8123 (Buffer overflow in the bGetPPS function in wordole.c in Antiword 0.37 ...) - antiword 0.37-5 (bug #771768) NOTE: http://www.openwall.com/lists/oss-security/2014/12/01/4 NOTE: This actually was fixed long time ago in https://bugs.debian.org/407015 CVE-2014-8104 (OpenVPN 2.x before 2.0.11, 2.1.x, 2.2.x before 2.2.3, and 2.3.x before ...) {DSA-3084-1 DLA-98-1} - openvpn 2.3.4-5 NOTE: https://github.com/OpenVPN/openvpn/commit/c5590a6821e37f3b29735f55eb0c2b9c0924138c NOTE: http://web.archive.org/web/20150514123219/https://forums.openvpn.net/topic17625.html CVE-2014-9272 (The string_insert_href function in MantisBT 1.2.0a1 through 1.2.x befo ...) {DSA-3120-1} - mantis [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: http://github.com/mantisbt/mantisbt/commit/05378e00 NOTE: http://www.mantisbt.org/bugs/view.php?id=17297 CVE-2014-9281 (Cross-site scripting (XSS) vulnerability in admin/copy_field.php in Ma ...) {DSA-3120-1} - mantis [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: http://github.com/mantisbt/mantisbt/commit/e5fc835a NOTE: http://www.mantisbt.org/bugs/view.php?id=17876 CVE-2014-9271 (Cross-site scripting (XSS) vulnerability in file_download.php in Manti ...) {DSA-3120-1} - mantis [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: http://www.mantisbt.org/bugs/view.php?id=17874 NOTE: http://github.com/mantisbt/mantisbt/commit/9fb8cf36f CVE-2014-9270 (Cross-site scripting (XSS) vulnerability in the projax_array_serialize ...) {DSA-3120-1} - mantis [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: http://github.com/mantisbt/mantisbt/commit/0bff06ec NOTE: http://www.mantisbt.org/bugs/view.php?id=17583 CVE-2014-9269 (Cross-site scripting (XSS) vulnerability in helper_api.php in MantisBT ...) {DSA-3120-1} - mantis [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: http://github.com/mantisbt/mantisbt/commit/511564cc NOTE: http://www.mantisbt.org/bugs/view.php?id=17890 CVE-2014-9280 (The current_user_get_bug_filter function in core/current_user_api.php ...) {DSA-3120-1} - mantis [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: http://github.com/mantisbt/mantisbt/commit/599364b2 NOTE: http://www.mantisbt.org/bugs/view.php?id=17875 CVE-2014-9279 (The print_test_result function in admin/upgrade_unattended.php in Mant ...) - mantis (unimportant) [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: http://github.com/mantisbt/mantisbt/commit/0826cef8 NOTE: http://www.mantisbt.org/bugs/view.php?id=17877 NOTE: unimportant, source affected but unrelevant for Debian, upgrade_unattended.php removed also in binary package CVE-2014-9140 (Buffer overflow in the ppp_hdlc function in print-ppp.c in tcpdump 4.6 ...) {DSA-3086-1 DLA-102-1} - tcpdump 4.6.2-3 NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/0f95d441e4b5d7512cc5c326c8668a120e048eda NOTE: http://seclists.org/tcpdump/2014/q4/72 CVE-2014-9130 (scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka ...) {DSA-3115-1 DSA-3103-1 DSA-3102-1 DLA-127-1 DLA-110-1 DLA-109-1} - libyaml 0.1.6-3 (bug #771366) - libyaml-libyaml-perl 0.41-6 (bug #771365) - pyyaml 3.11-2 (bug #772815) NOTE: https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure NOTE: https://bitbucket.org/xi/libyaml/commits/2b9156756423e967cfd09a61d125d883fca6f4f2 NOTE: for pyyaml: might be need to be removed here (no-CVE assigned) or separate CVE NOTE: for pyyaml: https://bitbucket.org/xi/pyyaml/commits/ddf211a41bb231c365fece5599b7e484e6dc33fc/raw/ CVE-2014-9117 (MantisBT before 1.2.18 uses the public_key parameter value as the key ...) {DSA-3120-1} - mantis [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: http://github.com/mantisbt/mantisbt/commit/7bb78e4581ff1092c811ea96582fe602624cdcdd NOTE: https://www.mantisbt.org/bugs/view.php?id=17811 CVE-2014-9116 (The write_one_header function in mutt 1.5.23 does not properly handle ...) {DSA-3083-1 DLA-100-1} - mutt 1.5.23-2 (bug #771125) NOTE: Detailed analysis in https://bugzilla.redhat.com/show_bug.cgi?id=1168463#c4 NOTE: Upstream bugreport: http://dev.mutt.org/trac/ticket/3716 CVE-2014-9114 (Blkid in util-linux before 2.26rc-1 allows local users to execute arbi ...) - util-linux 2.25.2-4 (bug #771274) [squeeze] - util-linux (Minor issue) [wheezy] - util-linux (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2014/11/26/13 NOTE: https://github.com/karelzak/util-linux/commit/89e90ae7b2826110ea28c1c0eb8e7c56c3907bdc CVE-2014-9112 (Heap-based buffer overflow in the process_copy_in function in GNU Cpio ...) {DSA-3111-1 DLA-111-1} - cpio 2.11+dfsg-4 (bug #772793) NOTE: http://lcamtuf.coredump.cx/afl/vulns/lesspipe-cpio-bad-write.cpio NOTE: https://savannah.gnu.org/bugs/?43709 NOTE: http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=746f3ff6 (fix buffer overflow) NOTE: http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=54d1c42a (fix range checking of length of link name) NOTE: http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=58df4f1b (fixup of former commit) NOTE: http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=fd262d11 (fix null deref) NOTE: http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=f6a8a2cb (fix test suite in former commit) CVE-2014-9089 (Multiple SQL injection vulnerabilities in view_all_bug_page.php in Man ...) {DSA-3120-1} - mantis [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: https://www.mantisbt.org/bugs/view.php?id=17841 NOTE: http://github.com/mantisbt/mantisbt/commit/b0021673 CVE-2014-9273 (lib/handle.c in Hivex before 1.3.11 allows local users to execute arbi ...) - hivex 1.3.11-1 (low) [jessie] - hivex 1.3.10-2+deb8u1 [wheezy] - hivex (Minor issue) [squeeze] - hivex (Minor issue) NOTE: https://github.com/libguestfs/hivex/commit/357f26fa64fd1d9ccac2331fe174a8ee9c607adb NOTE: https://github.com/libguestfs/hivex/commit/4bbdf555f88baeae0fa804a369a81a83908bd705 CVE-2014-9087 (Integer underflow in the ksba_oid_to_str function in Libksba before 1. ...) {DSA-3078-1 DLA-141-1} - libksba 1.3.2-1 (bug #770972) - gnupg2 (Fixed before entering unstable; affected only 2.1 and betas) NOTE: http://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000359.html NOTE: Upstream commit: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=f715b9e156dfa99ae829fc694e5a0abd23ef97d7 CVE-2014-9157 (Format string vulnerability in the yyerror function in lib/cgraph/scan ...) {DSA-3098-1 DLA-105-1} - graphviz 2.38.0-7 (bug #772648) NOTE: https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41719081 CVE-2014-9471 (The parse_datetime function in GNU coreutils allows remote attackers t ...) - coreutils 8.23-1 (low) [wheezy] - coreutils (Minor issue) [squeeze] - coreutils (Minor issue) NOTE: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872 NOTE: http://debbugs.gnu.org/cgi/bugreport.cgi?msg=11;filename=date-tz-crash.patch;att=1;bug=16872 NOTE: http://debbugs.gnu.org/cgi/bugreport.cgi?msg=19;filename=coreutils-date-crash.patch;att=1;bug=16872 CVE-2014-9365 (The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) ...) - python2.5 [squeeze] - python2.5 (Too intrusive to backport) - python2.6 [wheezy] - python2.6 (Too intrusive to backport) [squeeze] - python2.6 (Too intrusive to backport) - python2.7 2.7.9-1 [wheezy] - python2.7 (Too intrusive to backport) - python3.1 [squeeze] - python3.1 (Too intrusive to backport) - python3.2 [wheezy] - python3.2 (Too intrusive to backport) - python3.3 - python3.4 3.4.2-2 [jessie] - python3.4 (Backporting to stable would break existing applications) NOTE: http://bugs.python.org/issue22417 CVE-2014-9351 (engine/server/server.cpp in Teeworlds 0.6.x before 0.6.3 allows remote ...) - teeworlds 0.6.2+dfsg-2 (bug #770514) [wheezy] - teeworlds (Minor issue) [squeeze] - teeworlds (Vulnerable code not present) NOTE: https://github.com/teeworlds/teeworlds/commit/a766cb44bcffcdb0b88e776d01c5ee1323d44f85 NOTE: https://www.teeworlds.com/?page=news&id=11200 CVE-2014-9093 (LibreOffice before 4.3.5 allows remote attackers to cause a denial of ...) {DSA-3163-1} - libreoffice 1:4.3.3-2 (bug #771163) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=86449 NOTE: http://cgit.freedesktop.org/libreoffice/core/commit/?h=libreoffice-4-3&id=b4840d3632e4404bee4bd192a7db916cbad3a401 NOTE: fixed in experimental with 1:4.4.0~beta1-1 CVE-2014-9092 (libjpeg-turbo before 1.3.1 allows remote attackers to cause a denial o ...) - libjpeg-turbo 1:1.3.1-11 (bug #768369) CVE-2014-9090 (The do_double_fault function in arch/x86/kernel/traps.c in the Linux k ...) {DSA-3093-1 DLA-103-1} - linux 3.16.7-ckt2-1 - linux-2.6 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6f442be2fb22be02cafa606f1769fa1e6f894441 (v3.18-rc6) CVE-2014-9059 (lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x befo ...) - moodle 2.7.5+dfsg-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47966 NOTE: https://moodle.org/mod/forum/discuss.php?d=275146 CVE-2014-9050 (Heap-based buffer overflow in the cli_scanpe function in libclamav/pe. ...) {DLA-95-1} - clamav 0.98.5+dfsg-1 (bug #770985) [wheezy] - clamav 0.98.5+dfsg-0+deb7u1 NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11155 NOTE: Upstream commit: https://github.com/vrtadmin/clamav-devel/commit/fc3794a54d2affe5770c1f876484a871c783e91e CVE-2014-9039 (wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x befo ...) {DSA-3085-1 DLA-236-1} - wordpress 4.0.1+dfsg-1 (bug #770425) NOTE: Upstream patch: http://core.trac.wordpress.org/changeset/30431 NOTE: https://wordpress.org/news/2014/11/wordpress-4-0-1/ CVE-2014-9038 (wp-includes/http.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3. ...) {DSA-3085-1 DLA-236-1} - wordpress 4.0.1+dfsg-1 (bug #770425) NOTE: https://wordpress.org/news/2014/11/wordpress-4-0-1/ NOTE: Upstream patch: https://core.trac.wordpress.org/changeset/30444 CVE-2014-9037 (WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4. ...) {DSA-3085-1 DLA-236-1} - wordpress 4.0.1+dfsg-1 (bug #770425) NOTE: https://wordpress.org/news/2014/11/wordpress-4-0-1/ CVE-2014-9036 (Cross-site scripting (XSS) vulnerability in WordPress before 3.7.5, 3. ...) {DSA-3085-1 DLA-236-1} - wordpress 4.0.1+dfsg-1 (bug #770425) NOTE: https://wordpress.org/news/2014/11/wordpress-4-0-1/ CVE-2014-9035 (Cross-site scripting (XSS) vulnerability in Press This in WordPress be ...) {DSA-3085-1 DLA-236-1} - wordpress 4.0.1+dfsg-1 (bug #770425) NOTE: https://wordpress.org/news/2014/11/wordpress-4-0-1/ CVE-2014-9034 (wp-includes/class-phpass.php in WordPress before 3.7.5, 3.8.x before 3 ...) {DSA-3085-1 DLA-236-1} - wordpress 4.0.1+dfsg-1 (bug #770425) NOTE: https://wordpress.org/news/2014/11/wordpress-4-0-1/ NOTE: Upstream patch: http://core.trac.wordpress.org/changeset/30467 CVE-2014-9033 (Cross-site request forgery (CSRF) vulnerability in wp-login.php in Wor ...) {DSA-3085-1 DLA-236-1} - wordpress 4.0.1+dfsg-1 (bug #770425) NOTE: https://wordpress.org/news/2014/11/wordpress-4-0-1/ NOTE: Upstream patch: http://core.trac.wordpress.org/changeset/30418 CVE-2014-9032 (Cross-site scripting (XSS) vulnerability in the media-playlists featur ...) - wordpress 4.0.1+dfsg-1 (bug #770425) [wheezy] - wordpress (Affects 3.9, 3.9.1, 3.9.2, 4.0 only) [squeeze] - wordpress (Affects 3.9, 3.9.1, 3.9.2, 4.0 only) NOTE: https://wordpress.org/news/2014/11/wordpress-4-0-1/ CVE-2014-9031 (Cross-site scripting (XSS) vulnerability in the wptexturize function i ...) {DSA-3085-1 DLA-236-1} - wordpress 4.0.1+dfsg-1 (bug #770425) NOTE: https://wordpress.org/news/2014/11/wordpress-4-0-1/ CVE-2014-9028 (Heap-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 ...) {DSA-3082-1 DLA-99-1} - flac 1.3.0-3 (bug #770918) NOTE: Upstream patches: NOTE: https://git.xiph.org/?p=flac.git;a=commit;h=fcf0ba06ae12ccd7c67cee3c8d948df15f946b85 NOTE: https://git.xiph.org/?p=flac.git;a=patch;h=5a365996d739bdf4711af51d9c2c71c8a5e14660 CVE-2014-9014 (Directory traversal vulnerability in the ajaxinit function in wpmarket ...) NOT-FOR-US: WP Marketplace plugin for WordPress CVE-2014-9013 (The ajaxinit function in wpmarketplace/libs/cart.php in the WP Marketp ...) NOT-FOR-US: WP Marketplace plugin for WordPress CVE-2014-9012 RESERVED CVE-2014-9011 RESERVED CVE-2014-9010 RESERVED CVE-2014-9009 RESERVED CVE-2014-9008 RESERVED CVE-2014-9007 RESERVED CVE-2014-9006 (Monstra 3.0.1 and earlier uses a cookie to track how many login attemp ...) NOT-FOR-US: Monstra CVE-2014-9005 (Multiple SQL injection vulnerabilities in vldPersonals before 2.7.1 al ...) NOT-FOR-US: vldPersonals CVE-2014-9004 (Cross-site scripting (XSS) vulnerability in vldPersonals before 2.7.1 ...) NOT-FOR-US: vldPersonals CVE-2014-9003 (Cross-site request forgery (CSRF) vulnerability in Lantronix xPrintSer ...) NOT-FOR-US: Lantronix xPrintServer CVE-2014-9002 (Lantronix xPrintServer does not properly restrict access to ips/, whic ...) NOT-FOR-US: Lantronix xPrintServer CVE-2014-9001 (reminders/index.php in Incredible PBX 11 2.0.6.5.0 allows remote authe ...) NOT-FOR-US: Incredible PBX CVE-2014-9000 (Mule Enterprise Management Console (MMC) does not properly restrict ac ...) NOT-FOR-US: Mule Enterprise Management Console CVE-2014-8999 (SQL injection vulnerability in htdocs/modules/system/admin.php in XOOP ...) NOT-FOR-US: XOOPS CVE-2014-8998 (lib/message.php in X7 Chat 2.0.0 through 2.0.5.1 allows remote authent ...) NOT-FOR-US: X7 Chat CVE-2014-8997 (Unrestricted file upload vulnerability in the Photo functionality in D ...) NOT-FOR-US: DigitalVidhya Digi Online Examination System CVE-2014-8996 (Multiple cross-site scripting (XSS) vulnerabilities in Nibbleblog befo ...) NOT-FOR-US: Nibbleblog CVE-2014-8995 (SQL injection vulnerability in Maarch LetterBox 2.8 allows remote atta ...) NOT-FOR-US: Maarch LetterBox CVE-2014-8993 (Cross-site scripting (XSS) vulnerability in the backend in Open-Xchang ...) NOT-FOR-US: Open-Xchange CVE-2014-8992 (Cross-site scripting (XSS) vulnerability in manager/assets/fileapi/Fil ...) NOT-FOR-US: MODX Revolution CVE-2014-9030 (The do_mmu_update function in arch/x86/mm.c in Xen 3.2.x through 4.4.x ...) {DSA-3140-1} - xen 4.4.1-4 (low; bug #770230) [squeeze] - xen (Unsupported in squeeze-lts) CVE-2014-9015 (Drupal 6.x before 6.34 and 7.x before 7.34 allows remote attackers to ...) {DSA-3075-1} - drupal7 7.32-1+deb8u1 (bug #770469) - drupal6 [squeeze] - drupal6 NOTE: https://www.drupal.org/SA-CORE-2014-006 CVE-2014-9016 (The password hashing API in Drupal 7.x before 7.34 and the Secure Pass ...) {DSA-3075-1} - drupal7 7.32-1+deb8u1 (bug #770469) - drupal6 (Only affects Drupal 7.x) NOTE: https://www.drupal.org/SA-CORE-2014-006 CVE-2014-9018 (Icecast before 2.4.1 transmits the output of the on-connect script, wh ...) - icecast2 2.4.0-1.1 (bug #770222) [wheezy] - icecast2 (Minor issue) [squeeze] - icecast2 (Minor issue) NOTE: https://trac.xiph.org/ticket/2089 CVE-2015-0300 RESERVED CVE-2015-0299 (Multiple cross-site scripting (XSS) vulnerabilities in Open Source Poi ...) NOT-FOR-US: Open Source Point of Sale CVE-2015-0298 (Cross-site scripting (XSS) vulnerability in the manager web interface ...) - libapache2-mod-cluster (bug #731410) CVE-2015-0297 (Red Hat JBoss Operations Network 3.3.1 does not properly restrict acce ...) NOT-FOR-US: RHQ CVE-2015-0296 (The pre-install script in texlive 3.1.20140525_r34255.fc21 as packaged ...) - texlive-base (Specific to Red Hat packaging/postinst) CVE-2015-0295 (The BMP decoder in QtGui in QT before 5.5 does not properly calculate ...) {DLA-210-1} - qt4-x11 4:4.8.6+git64-g5dc8b2b+dfsg-3 (bug #779550) [wheezy] - qt4-x11 (Minor issue) [experimental] - qtbase-opensource-src 5.4.1+dfsg-2 - qtbase-opensource-src 5.3.2+dfsg-5 (bug #779580) [jessie] - qtbase-opensource-src 5.3.2+dfsg-4+deb8u1 NOTE: http://lists.qt-project.org/pipermail/announce/2015-February/000059.html CVE-2015-0294 (GnuTLS before 3.3.13 does not validate that the signature algorithms m ...) {DSA-3191-1 DLA-180-1} - gnutls26 [experimental] - gnutls28 3.3.13-1 - gnutls28 3.3.8-6 (bug #779428) NOTE: https://gitlab.com/gnutls/gnutls/commit/6e76e9b9fa845b76b0b9a45f05f4b54a052578ff (gnutls_3_3_13) CVE-2015-0293 (The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0 ...) {DLA-177-1} - openssl 1.0.0c-2 NOTE: 1.0.0c-2 dropped SSLv2 support CVE-2015-0292 (Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encod ...) {DSA-3197-1 DLA-177-1} - openssl 1.0.1h-1 CVE-2015-0291 (The sigalgs implementation in t1_lib.c in OpenSSL 1.0.2 before 1.0.2a ...) - openssl (Only affects 1.0.2, only in experimental) CVE-2015-0290 (The multi-block feature in the ssl3_write_bytes function in s3_pkt.c i ...) - openssl (Only affects 1.0.2, only in experimental) CVE-2015-0289 (The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0. ...) {DSA-3197-1 DLA-177-1} - openssl 1.0.1k-2 CVE-2015-0288 (The X509_to_X509_REQ function in crypto/x509/x509_req.c in OpenSSL bef ...) {DSA-3197-1 DLA-177-1} - openssl 1.0.1k-2 NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=28a00bcd8e318da18031b2ac8778c64147cd54f9 CVE-2015-0287 (The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL bef ...) {DSA-3197-1 DLA-177-1} - openssl 1.0.1k-2 CVE-2015-0286 (The ASN1_TYPE_cmp function in crypto/asn1/a_type.c in OpenSSL before 0 ...) {DSA-3197-1 DLA-177-1} - openssl 1.0.1k-2 CVE-2015-0285 (The ssl3_client_hello function in s3_clnt.c in OpenSSL 1.0.2 before 1. ...) - openssl (Only affects 1.0.2, only in experimental) NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e1b568dd2462f7cacf98f3d117936c34e2849a6b CVE-2015-0284 (Cross-site scripting (XSS) vulnerability in spacewalk-java in Spacewal ...) NOT-FOR-US: Red Hat Satellite CVE-2015-0283 (The slapi-nis plug-in before 0.54.2 does not properly reallocate memor ...) - slapi-nis 0.54.2-1 (bug #781346) CVE-2015-0282 (GnuTLS before 3.1.0 does not verify that the RSA PKCS #1 signature alg ...) {DSA-3191-1 DLA-180-1} - gnutls26 - gnutls28 (Fixed in 3.1.0) NOTE: http://www.gnutls.org/security.html#GNUTLS-SA-2015-1 CVE-2015-0281 RESERVED CVE-2015-0280 RESERVED CVE-2015-0279 (JBoss RichFaces before 4.5.4 allows remote attackers to inject express ...) NOT-FOR-US: RichFaces CVE-2015-0278 (libuv before 0.10.34 does not properly drop group privileges, which al ...) - libuv 0.10.28-6 (bug #779173) NOTE: https://github.com/libuv/libuv/commit/66ab38918c911bcff025562cf06237d7fedaba0c NOTE: https://github.com/libuv/libuv/pull/215 CVE-2015-0277 (The Service Provider (SP) in PicketLink before 2.7.0 does not ensure t ...) NOT-FOR-US: PicketLink CVE-2015-0276 (Cross-site request forgery (CSRF) vulnerability in Kallithea before 0. ...) - kallithea (bug #689573) CVE-2015-0275 (The ext4_zero_range function in fs/ext4/extents.c in the Linux kernel ...) - linux 3.16.7-ckt9-1 [wheezy] - linux (Introduced in v3.15) - linux-2.6 (Introduced in v3.15) NOTE: Proposed upstream patch: http://www.spinics.net/lists/linux-ext4/msg47193.html CVE-2015-0274 (The XFS implementation in the Linux kernel before 3.15 improperly uses ...) - linux 3.11.5-1 [wheezy] - linux (Introduced in v3.11-rc1) - linux-2.6 (Introduced in v3.11-rc1) NOTE: Fixed by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8275cdd0e7ac550dcce2b3ef6d2fb3b808c1ae59 (v3.15-rc5) NOTE: Introduced by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e461fcb194172b3f709e0b478d2ac1bdac7ab9a3 (v3.11-rc1) CVE-2015-0273 (Multiple use-after-free vulnerabilities in ext/date/php_date.c in PHP ...) {DSA-3195-1} - php5 5.6.6+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=68942 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=c377f1a715476934133f3254d1e0d4bf3743e2d2 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=71335e6ebabc1b12c057d8017fd811892ecdfd24 CVE-2015-0272 (GNOME NetworkManager allows remote attackers to cause a denial of serv ...) - network-manager 1.0.4-1 [jessie] - network-manager (Will be fixed on the kernel side) [wheezy] - network-manager (code introduced in 0.9.10) [squeeze] - network-manager (code introduced in 0.9.10) NOTE: Commit for NetworkManager: http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=d5fc88e573fa58b93034b04d35a2454f5d28cad9 (1.2-beta1) NOTE: Issue introduced in 0.9.10 with http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=7d5779300450bc2602ba4f7f472ebfa58bea3571 CVE-2015-0271 (The log-viewing function in the Red Hat redhat-access-plugin before 6. ...) - horizon (RedHat-specific plugin) CVE-2015-0270 (Zend Framework before 2.2.10 and 2.3.x before 2.3.5 has Potential SQL ...) - zendframework (the vulnerability was introduced in the 2 series) - php-zend-db (Fixed before initial upload to the archive) NOTE: http://framework.zend.com/security/advisory/ZF2015-02 CVE-2015-0269 (Directory traversal vulnerability in Contao before 3.2.19, and 3.4.x b ...) NOT-FOR-US: Contao CVE-2015-0268 (The vgic_v2_to_sgi function in arch/arm/vgic-v2.c in Xen 4.5.x, when r ...) - xen (Only affects 4.5) NOTE: http://xenbits.xen.org/xsa/advisory-117.html CVE-2015-0267 (The Red Hat module-setup.sh script for kexec-tools, as distributed in ...) - kexec-tools (Vulnerable script not present in the Debian package) CVE-2015-0266 (The Policy Admin Tool in Apache Ranger before 0.5.0 allows remote auth ...) NOT-FOR-US: Apache Ranger CVE-2015-0265 (Cross-site scripting (XSS) vulnerability in the Policy Admin Tool in A ...) NOT-FOR-US: Apache Ranger CVE-2015-0264 (Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPat ...) NOT-FOR-US: Apache Camel CVE-2015-0263 (XML external entity (XXE) vulnerability in the XML converter setup in ...) NOT-FOR-US: Apache Camel CVE-2015-0262 REJECTED CVE-2015-0261 (Integer signedness error in the mobility_opt_print function in the IPv ...) {DSA-3193-1 DLA-174-1} - tcpdump 4.6.2-4 NOTE: http://www.ca.tcpdump.org/cve/0003-test-case-for-cve2015-0261-corrupted-IPv6-mobility-h.patch CVE-2015-0260 (RhodeCode before 2.2.7 and Kallithea 0.1 allows remote authenticated u ...) - kallithea (bug #753975) CVE-2015-0259 (OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, an ...) - nova 2014.1.3-11 (bug #780250) [wheezy] - nova (Vulnerable code not present) CVE-2015-0258 (Multiple incomplete blacklist vulnerabilities in the avatar upload fun ...) {DLA-2125-1} - collabtive NOTE: https://github.com/philippK-de/Collabtive/commit/9ce6301583669d0a8ecb4d23fb56e34b68511335 CVE-2015-0257 (Red Hat Enterprise Virtualization (RHEV) Manager before 3.5.1 uses wea ...) NOT-FOR-US: ovirt / RHEV CVE-2015-0256 RESERVED CVE-2015-0255 (X.Org Server (aka xserver and xorg-server) before 1.16.3 and 1.17.x be ...) {DSA-3160-1 DLA-218-1} - xorg-server 2:1.16.4-1 CVE-2015-0254 (Apache Standard Taglibs before 1.2.3 allows remote attackers to execut ...) - jakarta-taglibs-standard 1.1.2-3 (bug #779621) [wheezy] - jakarta-taglibs-standard (Minor issue) NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=57560 CVE-2015-0253 (The read_request_line function in server/protocol.c in the Apache HTTP ...) - apache2 (Vulnerable version 2.4.11 never in Debian) CVE-2015-0252 (internal/XMLReader.cpp in Apache Xerces-C before 3.1.2 allows remote a ...) {DSA-3199-1 DLA-181-1} - xerces-c 3.1.1-5.1 (bug #780827) NOTE: http://svn.apache.org/viewvc?view=revision&revision=1667870 CVE-2015-0251 (The mod_dav_svn server in Subversion 1.5.0 through 1.7.19 and 1.8.0 th ...) {DSA-3231-1 DLA-207-1} - subversion 1.8.10-6 NOTE: https://subversion.apache.org/security/CVE-2015-0251-advisory.txt CVE-2015-0250 (XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) ...) {DSA-3205-1 DLA-182-1} - batik 1.7+dfsg-5 (bug #780897) NOTE: https://issues.apache.org/jira/browse/BATIK-1018 NOTE: https://issues.apache.org/jira/browse/BATIK-1113 NOTE: Commit disabling external xml entities: https://svn.apache.org/viewvc/xmlgraphics/batik/trunk/sources/org/apache/batik/dom/util/SAXDocumentFactory.java?r1=662304&r2=1664335&diff_format=h NOTE: PoC: https://www.ernw.de/download/xxe_batik.tar.xz CVE-2015-0249 (The weblog page template in Apache Roller 5.1 through 5.1.1 allows rem ...) NOT-FOR-US: Apache Roller CVE-2015-0248 (The (1) mod_dav_svn and (2) svnserve servers in Subversion 1.6.0 throu ...) {DSA-3231-1 DLA-207-1} - subversion 1.8.10-6 NOTE: https://subversion.apache.org/security/CVE-2015-0248-advisory.txt CVE-2015-0247 (Heap-based buffer overflow in openfs.c in the libext2fs library in e2f ...) {DSA-3166-1 DLA-153-1} - e2fsprogs 1.42.12-1 NOTE: https://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=f66e6ce4 CVE-2015-0246 REJECTED CVE-2015-0245 (D-Bus 1.4.x through 1.6.x before 1.6.30, 1.8.x before 1.8.16, and 1.9. ...) {DSA-3161-1} - dbus 1.8.16-1 (bug #777545) [squeeze] - dbus (affects 1.4 and above) CVE-2015-0244 (PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9. ...) {DSA-3155-1 DLA-152-1} - postgresql-9.4 9.4.1-1 - postgresql-9.1 9.1.11-2 - postgresql-8.4 [wheezy] - postgresql-8.4 (postgresql-8.4 in wheezy only provides PL/Perl) CVE-2015-0243 (Multiple buffer overflows in contrib/pgcrypto in PostgreSQL before 9.0 ...) {DSA-3155-1 DLA-152-1} - postgresql-9.4 9.4.1-1 - postgresql-9.1 9.1.11-2 - postgresql-8.4 [wheezy] - postgresql-8.4 (postgresql-8.4 in wheezy only provides PL/Perl) CVE-2015-0242 (Stack-based buffer overflow in the *printf function implementations in ...) - postgresql-9.4 (Only affects PostgreSQL on Windows) - postgresql-9.1 (Only affects PostgreSQL on Windows) CVE-2015-0241 (The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, ...) {DSA-3155-1 DLA-152-1} - postgresql-9.4 9.4.1-1 - postgresql-9.1 9.1.11-2 - postgresql-8.4 [wheezy] - postgresql-8.4 (postgresql-8.4 in wheezy only provides PL/Perl) CVE-2015-0240 (The Netlogon server implementation in smbd in Samba 3.5.x and 3.6.x be ...) {DSA-3171-1 DLA-156-1} - samba 2:4.1.17+dfsg-1 (bug #779033) - samba4 4.0.0~beta2+dfsg1-3.2+deb7u2 NOTE: Server components removed from src:samba4 in 4.0.0~beta2+dfsg1-3.2+deb7u2 NOTE: https://www.samba.org/samba/security/CVE-2015-0240 CVE-2015-0239 (The em_sysenter function in arch/x86/kvm/emulate.c in the Linux kernel ...) {DSA-3170-1} - linux 3.16.7-ckt4-2 - linux-2.6 [squeeze] - linux-2.6 (KVM not supported in Squeeze LTS) NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8c60435261deaefeb53ce3222d04d7d5bea81296 NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f3747379accba8e95d70cec0eae0582c8c182050 NOTE: http://permalink.gmane.org/gmane.linux.kernel.commits.head/502245 CVE-2015-0238 (selinux-policy as packaged in Red Hat OpenShift 2 allows attackers to ...) NOT-FOR-US: selinux-policy as shipped with Red Hat OpenShift 2 CVE-2015-0237 (Red Hat Enterprise Virtualization (RHEV) Manager before 3.5.1 ignores ...) NOT-FOR-US: Red Hat vdms CVE-2015-0236 (libvirt before 1.2.12 allow remote authenticated users to obtain the V ...) - libvirt 1.2.9-8 (bug #776065) [wheezy] - libvirt (Vulnerable code introduced in v1.1.0-rc1) [squeeze] - libvirt (Vulnerable code introduced in v1.1.0-rc1) NOTE: Upstream fix: http://libvirt.org/git/?p=libvirt.git;a=commit;h=03c3c0c874c84dfa51ef17556062b095c6e1c0a3 NOTE: Upstream fix: http://libvirt.org/git/?p=libvirt.git;a=commit;h=b347c0c2a321ec5c20aae214927949832a288c5a NOTE: Introduced by: http://libvirt.org/git/?p=libvirt.git;a=commit;h=e341435e5090677c67a0d3d4ca0393102054841f (v1.1.0-rc1) NOTE: http://security.libvirt.org/2015/0001.html CVE-2015-0235 (Heap-based buffer overflow in the __nss_hostname_digits_dots function ...) {DSA-3142-1 DLA-139-1} - eglibc (high; bug #776391) - glibc 2.18-1 (high) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=15014 CVE-2015-0234 (Multiple temporary file creation vulnerabilities in pki-core 10.2.0. ...) - dogtag-pki (unimportant) NOTE: Rendered unexploitable by /tmp hardening in Debian kernel CVE-2015-0233 (Multiple insecure Temporary File vulnerabilities in 389 Administration ...) - 389-admin 1.1.38-1 (unimportant) NOTE: Rendered unexploitable by /tmp hardening in Debian kernel CVE-2015-0232 (The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4 ...) {DSA-3195-1 DLA-212-1} - php5 5.6.5+dfsg-1 NOTE: https://bugs.php.net/patch-display.php?bug=68799&patch=bug68799fix&revision=1420966468 NOTE: https://bugs.php.net/bug.php?id=68799 CVE-2015-0231 (Use-after-free vulnerability in the process_nested_data function in ex ...) {DSA-3195-1} - php5 5.6.5+dfsg-1 [squeeze] - php5 (Broken patch for CVE-2014-8142 never applied) NOTE: https://bugs.php.net/bug.php?id=68710 NOTE: Upstream fix: https://github.com/php/php-src/commit/b585a3aed7880a5fa5c18e2b838fc96f40e075bd NOTE: in unstable actually incomplete fix was not yet applied, so n/a but wheezy is CVE-2015-0230 REJECTED CVE-2015-0229 REJECTED CVE-2015-0228 (The lua_websocket_read function in lua_request.c in the mod_lua module ...) - apache2 2.4.10-10 (low) [wheezy] - apache2 (no mod_lua in 2.2) [squeeze] - apache2 (no mod_lua in 2.2) NOTE: https://github.com/apache/httpd/commit/643f0fcf3b8ab09a68f0ecd2aa37aafeda3e63ef CVE-2015-0227 (Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attacker ...) - wss4j 1.6.15-2 (bug #777741) [wheezy] - wss4j (Vulnerable code not present) [squeeze] - wss4j (Vulnerable code not present) CVE-2015-0226 (Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks inf ...) - wss4j 1.6.15-2 (bug #777741) [wheezy] - wss4j (Vulnerable code not present) [squeeze] - wss4j (Vulnerable code not present) CVE-2015-0225 (The default configuration in Apache Cassandra 1.2.0 through 1.2.19, 2. ...) - cassandra (bug #585905) CVE-2015-0224 (qpidd in Apache Qpid 0.30 and earlier allows remote attackers to cause ...) - qpid-cpp (Incomplete fix for CVE-2015-0203 not applied) NOTE: CVE is for incomplete fix for CVE-2015-0203, which is not fixed in Debian NOTE: https://issues.apache.org/jira/browse/QPID-6310 CVE-2015-0223 (Unspecified vulnerability in Apache Qpid 0.30 and earlier allows remot ...) - qpid-cpp (bug #772794) [wheezy] - qpid-cpp (Minor issue) NOTE: https://issues.apache.org/jira/browse/QPID-6325 CVE-2015-0222 (ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x befor ...) - python-django 1.7.1-1.1 (bug #775375) [wheezy] - python-django (1.4.x not affected) [squeeze] - python-django (1.2.x not affected) NOTE: https://www.djangoproject.com/weblog/2015/jan/13/security/ CVE-2015-0221 (The django.views.static.serve view in Django before 1.4.18, 1.6.x befo ...) {DSA-3151-1 DLA-143-1} - python-django 1.7.1-1.1 (bug #775375) NOTE: https://www.djangoproject.com/weblog/2015/jan/13/security/ CVE-2015-0220 (The django.util.http.is_safe_url function in Django before 1.4.18, 1.6 ...) {DSA-3151-1 DLA-143-1} - python-django 1.7.1-1.1 (bug #775375) NOTE: https://www.djangoproject.com/weblog/2015/jan/13/security/ CVE-2015-0219 (Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allo ...) {DSA-3151-1 DLA-143-1} - python-django 1.7.1-1.1 (bug #775375) NOTE: https://www.djangoproject.com/weblog/2015/jan/13/security/ CVE-2015-0218 (Cross-site request forgery (CSRF) vulnerability in auth/shibboleth/log ...) - moodle 2.7.5+dfsg-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: https://moodle.org/mod/forum/discuss.php?d=278618#p1196684 CVE-2015-0217 (filter/mediaplugin/filter.php in Moodle through 2.5.9, 2.6.x before 2. ...) - moodle 2.7.5+dfsg-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: https://moodle.org/mod/forum/discuss.php?d=278617#p1196683 CVE-2015-0216 (access.php in the Lesson module in Moodle 2.8.x before 2.8.2 does not ...) - moodle (Only affects 2.8.x) NOTE: https://moodle.org/mod/forum/discuss.php?d=278616#p1196682 CVE-2015-0215 (calendar/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.7, ...) - moodle 2.7.5+dfsg-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: https://moodle.org/mod/forum/discuss.php?d=278615#p1196681 CVE-2015-0214 (message/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2 ...) - moodle 2.7.5+dfsg-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: https://moodle.org/mod/forum/discuss.php?d=278614#p1196680 CVE-2015-0213 (Multiple cross-site request forgery (CSRF) vulnerabilities in (1) edit ...) - moodle 2.7.5+dfsg-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: https://moodle.org/mod/forum/discuss.php?d=278613#p1196679 CVE-2015-0212 (Cross-site scripting (XSS) vulnerability in course/pending.php in Mood ...) - moodle 2.7.5+dfsg-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: https://moodle.org/mod/forum/discuss.php?d=278612#p1196678 CVE-2015-0211 (mod/lti/ajax.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x be ...) - moodle 2.7.5+dfsg-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: https://moodle.org/mod/forum/discuss.php?d=278611#p1196676 CVE-2015-0210 (wpa_supplicant 2.0-16 does not properly check certificate subject name ...) NOTE: likely to be REJECTed NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0210 CVE-2015-0209 (Use-after-free vulnerability in the d2i_ECPrivateKey function in crypt ...) {DSA-3197-1 DLA-177-1} - openssl 1.0.1k-2 NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=1b4a8df38fc9ab3c089ca5765075ee53ec5bd66a CVE-2015-0208 (The ASN.1 signature-verification implementation in the rsa_item_verify ...) - openssl (Only affects 1.0.2, only in experimental) CVE-2015-0207 (The dtls1_listen function in d1_lib.c in OpenSSL 1.0.2 before 1.0.2a d ...) - openssl (Only affects 1.0.2, only in experimental) CVE-2015-0206 (Memory leak in the dtls1_buffer_record function in d1_pkt.c in OpenSSL ...) {DSA-3125-1} - openssl 1.0.1k-1 [squeeze] - openssl (Affects 1.0.1 and 1.0.0) NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=04685bc949e90a877656cf5020b6d4f90a9636a6 CVE-2015-0205 (The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before ...) {DSA-3125-1} - openssl 1.0.1k-1 [squeeze] - openssl (Only affects 1.0.1 and 1.0.0) NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=98a0f9660d374f58f79ee0efcc8c1672a805e8e8 CVE-2015-0204 (The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9. ...) {DSA-3125-1 DLA-132-1} - openssl 1.0.1k-1 NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=37580f43b5a39f5f4e920d17273fab9713d3a744 CVE-2015-0203 (The qpidd broker in Apache Qpid 0.30 and earlier allows remote authent ...) - qpid-cpp (bug #775359) [wheezy] - qpid-cpp (Minor issue) CVE-2015-0202 (The mod_dav_svn server in Subversion 1.8.0 through 1.8.11 allows remot ...) - subversion 1.8.10-6 [wheezy] - subversion (Vulnerability introduced with 1.8.0) [squeeze] - subversion (Vulnerability introduced with 1.8.0) NOTE: https://subversion.apache.org/security/CVE-2015-0202-advisory.txt CVE-2015-0201 (The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 ...) - libspring-java (Only affects Spring Framework 4.1.0 to 4.1.4) CVE-2015-0200 (IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x before 7.0.0.8 IF2 ...) NOT-FOR-US: IBM WebSphere CVE-2015-0199 (The mmfslinux kernel module in IBM General Parallel File System (GPFS) ...) NOT-FOR-US: IBM General Parallel File System CVE-2015-0198 (IBM General Parallel File System (GPFS) 3.4 before 3.4.0.32, 3.5 befor ...) NOT-FOR-US: IBM General Parallel File System CVE-2015-0197 (IBM General Parallel File System (GPFS) 3.4 before 3.4.0.32, 3.5 befor ...) NOT-FOR-US: IBM General Parallel File System CVE-2015-0196 (CRLF injection vulnerability in IBM WebSphere Commerce 6.0 through 6.0 ...) NOT-FOR-US: IBM CVE-2015-0195 (Cross-site scripting (XSS) vulnerability in IBM Content Template Catal ...) NOT-FOR-US: IBM CVE-2015-0194 (XML External Entity (XXE) vulnerability in IBM Sterling B2B Integrator ...) NOT-FOR-US: IBM CVE-2015-0193 (Cross-site scripting (XSS) vulnerability in IBM Business Process Manag ...) NOT-FOR-US: IBM Business Process Manager CVE-2015-0192 (Unspecified vulnerability in IBM Java 8 before SR1, 7 R1 before SR2 FP ...) NOT-FOR-US: IBM JDK CVE-2015-0191 REJECTED CVE-2015-0190 RESERVED CVE-2015-0189 (The cluster repository manager in IBM WebSphere MQ 7.5 before 7.5.0.5 ...) NOT-FOR-US: IBM CVE-2015-0188 RESERVED CVE-2015-0187 RESERVED CVE-2015-0186 RESERVED CVE-2015-0185 RESERVED CVE-2015-0184 RESERVED CVE-2015-0183 RESERVED CVE-2015-0182 RESERVED CVE-2015-0181 RESERVED CVE-2015-0180 (The Connector Migration Tool in IBM InfoSphere Information Server 8.1 ...) NOT-FOR-US: IBM CVE-2015-0179 (Notes System Diagnostic (NSD) in IBM Domino 8.5.x before 8.5.3 FP6 IF6 ...) NOT-FOR-US: IBM Domino CVE-2015-0178 (The Java overlay feature in IBM Bluemix Liberty before 1.13-20150209-1 ...) NOT-FOR-US: IBM Bluemix Liberty CVE-2015-0177 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.5.0 ...) NOT-FOR-US: IBM WebSphere Portal CVE-2015-0176 (Cross-site scripting (XSS) vulnerability in MQ XR WebSockets Listener ...) NOT-FOR-US: IBM WebSphere MQ CVE-2015-0175 (IBM WebSphere Application Server (WAS) 8.5 Liberty Profile before 8.5. ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2015-0174 (The SNMP implementation in IBM WebSphere Application Server (WAS) 8.5 ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2015-0173 (The HTTP connection-management functionality in Internet Pass-Thru (IP ...) NOT-FOR-US: IBM CVE-2015-0172 (IBM Security SiteProtector System 3.0, 3.1.0 and 3.1.1 allows remote a ...) NOT-FOR-US: IBM Security SiteProtector System CVE-2015-0171 (Directory traversal vulnerability in IBM Security SiteProtector System ...) NOT-FOR-US: IBM CVE-2015-0170 (IBM Security SiteProtector System 3.0 before 3.0.0.7, 3.1 before 3.1.0 ...) NOT-FOR-US: IBM CVE-2015-0169 (IBM Security SiteProtector System 3.0 before 3.0.0.7, 3.1 before 3.1.0 ...) NOT-FOR-US: IBM CVE-2015-0168 (Cross-site scripting (XSS) vulnerability in IBM Security SiteProtector ...) NOT-FOR-US: IBM CVE-2015-0167 (Cross-site scripting (XSS) vulnerability in textAngular-sanitize.js in ...) NOT-FOR-US: textAngular CVE-2015-0166 REJECTED CVE-2015-0165 REJECTED CVE-2015-0164 REJECTED CVE-2015-0163 REJECTED CVE-2015-0162 (IBM Security SiteProtector System 3.0, 3.1, and 3.1.1 allows local use ...) NOT-FOR-US: IBM CVE-2015-0161 (SQL injection vulnerability in IBM Security SiteProtector System 3.0 b ...) NOT-FOR-US: IBM CVE-2015-0160 (IBM Security SiteProtector System 3.0 before 3.0.0.7, 3.1 before 3.1.0 ...) NOT-FOR-US: IBM CVE-2015-0159 REJECTED CVE-2015-0158 (Cross-site scripting (XSS) vulnerability in the Coach NG framework in ...) NOT-FOR-US: IBM Business Process Manager CVE-2015-0157 (IBM DB2 9.7 through FP10, 9.8 through FP5, 10.1 before FP5, and 10.5 t ...) NOT-FOR-US: IBM DB2 CVE-2015-0156 (Cross-site scripting (XSS) vulnerability in IBM Business Process Manag ...) NOT-FOR-US: IBM CVE-2015-0155 REJECTED CVE-2015-0154 REJECTED CVE-2015-0153 (D-Link DIR-815 devices with firmware before 2.07.B01 allow remote atta ...) NOT-FOR-US: D-Link CVE-2015-0152 (D-Link DIR-815 devices with firmware before 2.07.B01 allow remote atta ...) NOT-FOR-US: D-Link CVE-2015-0151 (Cross-site request forgery (CSRF) vulnerability in D-Link DIR-815 devi ...) NOT-FOR-US: D-Link CVE-2015-0150 (The remote administration UI in D-Link DIR-815 devices with firmware b ...) NOT-FOR-US: D-Link CVE-2015-0149 (The developer portal in IBM API Management 3.0 before 3.0.4.1 does not ...) NOT-FOR-US: IBM API Management CVE-2015-0148 RESERVED CVE-2015-0147 RESERVED CVE-2015-0146 (IBM Content Collector for Email 3.0 before 3.0.0.6-IBM-ICC-Server-IF00 ...) NOT-FOR-US: IBM Content Collector CVE-2015-0145 (Cross-site request forgery (CSRF) vulnerability in IBM OpenPages GRC P ...) NOT-FOR-US: IBM CVE-2015-0144 (Cross-site scripting (XSS) vulnerability in IBM OpenPages GRC Platform ...) NOT-FOR-US: IBM CVE-2015-0143 (IBM OpenPages GRC Platform 6.2 before IF7, 6.2.1 before 6.2.1.1 IF5, 7 ...) NOT-FOR-US: IBM CVE-2015-0142 (IBM OpenPages GRC Platform 6.2 before IF7, 6.2.1 before 6.2.1.1 IF5, 7 ...) NOT-FOR-US: IBM CVE-2015-0141 (IBM OpenPages GRC Platform 6.2 before IF7, 6.2.1 before 6.2.1.1 IF5, 7 ...) NOT-FOR-US: IBM CVE-2015-0140 (An unspecified ActiveX control in IBM SPSS Statistics 22.0 through FP1 ...) NOT-FOR-US: IBM CVE-2015-0139 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.0.0 ...) NOT-FOR-US: IBM WebSphere Portal CVE-2015-0138 (GSKit in IBM Tivoli Directory Server (ITDS) 6.0 before 6.0.0.73-ISS-IT ...) NOT-FOR-US: IBM Tivoli Directory Server CVE-2015-0137 (IBM PowerVC Standard 1.2.0.x before 1.2.0.4 and 1.2.1.x before 1.2.2 v ...) NOT-FOR-US: IBM PowerVC CVE-2015-0136 (powervc-iso-import in IBM PowerVC 1.2.0.x before 1.2.0.4 and 1.2.1.x b ...) NOT-FOR-US: IBM PowerVC CVE-2015-0135 (IBM Domino 8.5 before 8.5.3 FP6 IF4 and 9.0 before 9.0.1 FP3 IF2 allow ...) NOT-FOR-US: IBM Domino CVE-2015-0134 (Buffer overflow in the SSLv2 implementation in IBM Domino 8.5.x before ...) NOT-FOR-US: IBM CVE-2015-0133 (IBM WebSphere Commerce 7.0 Feature Pack 4 through 8 allows remote atta ...) NOT-FOR-US: IBM CVE-2015-0132 (The XML parser in IBM Rational DOORS Next Generation 4.x before 4.0.7 ...) NOT-FOR-US: IBM CVE-2015-0131 (Cross-site scripting (XSS) vulnerability in IBM Leads 7.x, 8.1.0 befor ...) NOT-FOR-US: IBM CVE-2015-0130 (Cross-site scripting (XSS) vulnerability in Jazz Team Server in Jazz F ...) NOT-FOR-US: IBM CVE-2015-0129 (Cross-site scripting (XSS) vulnerability in IBM Rational Quality Manag ...) NOT-FOR-US: IBM Rational Quality Manager CVE-2015-0128 (Cross-site scripting (XSS) vulnerability in IBM Rational Quality Manag ...) NOT-FOR-US: IBM Rational Quality Manager CVE-2015-0127 (IBM Leads 7.x, 8.1.0 before 8.1.0.14, 8.2, 8.5.0 before 8.5.0.7.3, 8.6 ...) NOT-FOR-US: IBM CVE-2015-0126 (IBM Leads 7.x, 8.1.0 before 8.1.0.14, 8.2, 8.5.0 before 8.5.0.7.3, 8.6 ...) NOT-FOR-US: IBM CVE-2015-0125 (Cross-site scripting (XSS) vulnerability in IBM Rational DOORS Next Ge ...) NOT-FOR-US: IBM Rational DOORS Next Generation CVE-2015-0124 (Cross-site scripting (XSS) vulnerability in IBM Rational Quality Manag ...) NOT-FOR-US: IBM Rational Quality Manager CVE-2015-0123 (Cross-site scripting (XSS) vulnerability in IBM Rational Team Concert ...) NOT-FOR-US: IBM Rational Team Concert CVE-2015-0122 (Cross-site scripting (XSS) vulnerability in IBM Rational Team Concert ...) NOT-FOR-US: IBM Rational Team Concert CVE-2015-0121 (IBM Rational Requirements Composer 3.0 through 3.0.1.6 and 4.0 through ...) NOT-FOR-US: IBM CVE-2015-0120 (Buffer overflow in the FastBackMount process in IBM Tivoli Storage Man ...) NOT-FOR-US: IBM CVE-2015-0119 (FastBack Mount in IBM Tivoli Storage Manager FastBack 6.1.x before 6.1 ...) NOT-FOR-US: IBM Tivoli Storage Manager FastBack CVE-2015-0118 (IBM WebSphere Message Broker Toolkit 7 before 7007 IF2 and 8 before 80 ...) NOT-FOR-US: IBM CVE-2015-0117 (The LDAP Server in IBM Domino 8.5.x before 8.5.3 FP6 IF6 and 9.x befor ...) NOT-FOR-US: IBM Domino CVE-2015-0116 (IBM Leads 7.x, 8.1.0 before 8.1.0.14, 8.2, 8.5.0 before 8.5.0.7.3, 8.6 ...) NOT-FOR-US: IBM CVE-2015-0115 (Cross-site request forgery (CSRF) vulnerability in IBM Leads 7.x, 8.1. ...) NOT-FOR-US: IBM CVE-2015-0114 (Stack-based buffer overflow in IBM V5R4, and IBM i Access for Windows ...) NOT-FOR-US: IBM CVE-2015-0113 (The Jazz help system in IBM Rational Collaborative Lifecycle Managemen ...) NOT-FOR-US: IBM Rational Collaborative Lifecycle Management CVE-2015-0112 (Jazz Team Server in Jazz Foundation in IBM Rational Collaborative Life ...) NOT-FOR-US: IBM Rational CVE-2015-0111 RESERVED CVE-2015-0110 (IBM Business Process Manager (aka BPM) 7.5.x, 8.0.x, and 8.5.x and Web ...) NOT-FOR-US: IBM CVE-2015-0109 (Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Managemen ...) NOT-FOR-US: IBM CVE-2015-0108 (Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Managemen ...) NOT-FOR-US: IBM CVE-2015-0107 (IBM Tivoli IT Asset Management for IT, Tivoli Service Request Manager, ...) NOT-FOR-US: IBM CVE-2015-0106 (Cross-site scripting (XSS) vulnerability in IBM Business Process Manag ...) NOT-FOR-US: IBM Business Process Manager CVE-2015-0105 (Cross-site scripting (XSS) vulnerability in the Process Portal in IBM ...) NOT-FOR-US: IBM Business Process Manager CVE-2015-0104 (IBM Tivoli IT Asset Management for IT, Tivoli Service Request Manager, ...) NOT-FOR-US: IBM CVE-2015-0103 (Multiple cross-site scripting (XSS) vulnerabilities in the Process Por ...) NOT-FOR-US: IBM Business Process Manager CVE-2015-0102 (IBM Workflow for Bluemix does not set the secure flag for the session ...) NOT-FOR-US: IBM CVE-2015-0101 (Cross-site scripting (XSS) vulnerability in IBM Business Process Manag ...) NOT-FOR-US: IBM CVE-2015-0100 (Microsoft Internet Explorer 8 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0099 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0098 (Task Scheduler in Microsoft Windows 7 SP1 and Windows Server 2008 R2 S ...) NOT-FOR-US: Microsoft Windows CVE-2015-0097 (Microsoft Excel 2007 SP3, PowerPoint 2007 SP3, Word 2007 SP3, Excel 20 ...) NOT-FOR-US: Microsoft CVE-2015-0096 (Untrusted search path vulnerability in Microsoft Windows Server 2003 S ...) NOT-FOR-US: Microsoft CVE-2015-0095 (The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows ...) NOT-FOR-US: Microsoft CVE-2015-0094 (The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows ...) NOT-FOR-US: Microsoft CVE-2015-0093 (Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista ...) NOT-FOR-US: Microsoft CVE-2015-0092 (Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista ...) NOT-FOR-US: Microsoft CVE-2015-0091 (Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista ...) NOT-FOR-US: Microsoft CVE-2015-0090 (Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista ...) NOT-FOR-US: Microsoft CVE-2015-0089 (Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista ...) NOT-FOR-US: Microsoft CVE-2015-0088 (Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista ...) NOT-FOR-US: Microsoft CVE-2015-0087 (Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista ...) NOT-FOR-US: Microsoft CVE-2015-0086 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 Gol ...) NOT-FOR-US: Microsoft CVE-2015-0085 (Use-after-free vulnerability in Microsoft Office 2007 SP3, Excel 2007 ...) NOT-FOR-US: Microsoft CVE-2015-0084 (The Task Scheduler in Microsoft Windows 7 SP1, Windows Server 2008 R2 ...) NOT-FOR-US: Microsoft CVE-2015-0083 REJECTED CVE-2015-0082 REJECTED CVE-2015-0081 (Windows Text Services (WTS) in Microsoft Windows Server 2003 SP2, Wind ...) NOT-FOR-US: Microsoft CVE-2015-0080 (Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2 ...) NOT-FOR-US: Microsoft CVE-2015-0079 (The Remote Desktop Protocol (RDP) implementation in Microsoft Windows ...) NOT-FOR-US: Microsoft CVE-2015-0078 (win32k.sys in the kernel-mode drivers in Microsoft Windows 8, Windows ...) NOT-FOR-US: Microsoft CVE-2015-0077 (The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows ...) NOT-FOR-US: Microsoft CVE-2015-0076 (The photo-decoder implementation in Microsoft Windows Vista SP2, Windo ...) NOT-FOR-US: Microsoft CVE-2015-0075 (The kernel in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Wi ...) NOT-FOR-US: Microsoft CVE-2015-0074 (Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista ...) NOT-FOR-US: Microsoft CVE-2015-0073 (The Windows Registry Virtualization feature in the kernel in Microsoft ...) NOT-FOR-US: Microsoft CVE-2015-0072 (Cross-site scripting (XSS) vulnerability in Microsoft Internet Explore ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0071 (Microsoft Internet Explorer 9 through 11 allows remote attackers to by ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0070 (Microsoft Internet Explorer 6 through 11 allows remote attackers to re ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0069 (Microsoft Internet Explorer 10 and 11 allows remote attackers to bypas ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0068 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0067 (Microsoft Internet Explorer 6 through 9 allows remote attackers to exe ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0066 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0065 (Microsoft Word 2007 SP3 allows remote attackers to execute arbitrary c ...) NOT-FOR-US: Microsoft Word CVE-2015-0064 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word Automati ...) NOT-FOR-US: Microsoft CVE-2015-0063 (Microsoft Excel 2007 SP3; the proofing tools in Office 2010 SP2; Excel ...) NOT-FOR-US: Microsoft CVE-2015-0062 (Microsoft Windows Server 2008 R2 SP1, Windows 7 SP1, Windows 8, Window ...) NOT-FOR-US: Microsoft CVE-2015-0061 (Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2 ...) NOT-FOR-US: Microsoft CVE-2015-0060 (The font mapper in win32k.sys in the kernel-mode drivers in Microsoft ...) NOT-FOR-US: Microsoft CVE-2015-0059 (win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2008 ...) NOT-FOR-US: Microsoft CVE-2015-0058 (Double free vulnerability in win32k.sys in the kernel-mode drivers in ...) NOT-FOR-US: Microsoft CVE-2015-0057 (win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 ...) NOT-FOR-US: Microsoft CVE-2015-0056 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0055 (Microsoft Internet Explorer 10 and 11 allows remote attackers to gain ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0054 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ga ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0053 (Microsoft Internet Explorer 6 through 8 allows remote attackers to exe ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0052 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0051 (Microsoft Internet Explorer 8 allows remote attackers to bypass the AS ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0050 (Microsoft Internet Explorer 8 and 9 allows remote attackers to execute ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0049 (Microsoft Internet Explorer 8 and 10 allows remote attackers to execut ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0048 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0047 REJECTED CVE-2015-0046 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0045 (Microsoft Internet Explorer 6 through 8 allows remote attackers to exe ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0044 (Microsoft Internet Explorer 8 and 9 allows remote attackers to execute ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0043 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0042 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0041 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0040 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0039 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0038 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0037 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0036 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0035 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0034 REJECTED CVE-2015-0033 REJECTED CVE-2015-0032 (vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Inter ...) NOT-FOR-US: Microsoft CVE-2015-0031 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0030 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0029 (Microsoft Internet Explorer 6 and 8 allows remote attackers to execute ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0028 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0027 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0026 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0025 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0024 REJECTED CVE-2015-0023 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0022 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0021 (Microsoft Internet Explorer 6 through 10 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0020 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0019 (Microsoft Internet Explorer 9 and 10 allows remote attackers to execut ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0018 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0017 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-0016 (Directory traversal vulnerability in the TS WebProxy (aka TSWbPrxy) co ...) NOT-FOR-US: Microsoft Windows CVE-2015-0015 (Microsoft Windows Server 2003 SP2, Server 2008 SP2 and R2 SP1, and Ser ...) NOT-FOR-US: Microsoft Windows CVE-2015-0014 (Buffer overflow in the Telnet service in Microsoft Windows Server 2003 ...) NOT-FOR-US: Microsoft Windows CVE-2015-0013 REJECTED CVE-2015-0012 (Microsoft System Center Virtual Machine Manager (VMM) 2012 R2 Update R ...) NOT-FOR-US: Microsoft CVE-2015-0011 (mrxdav.sys (aka the WebDAV driver) in the kernel-mode drivers in Micro ...) NOT-FOR-US: Microsoft Windows CVE-2015-0010 (The CryptProtectMemory function in cng.sys (aka the Cryptography Next ...) NOT-FOR-US: Microsoft CVE-2015-0009 (The Group Policy Security Configuration policy implementation in Micro ...) NOT-FOR-US: Microsoft CVE-2015-0008 (The UNC implementation in Microsoft Windows Server 2003 SP2, Windows V ...) NOT-FOR-US: Microsoft CVE-2015-0007 REJECTED CVE-2015-0006 (The Network Location Awareness (NLA) service in Microsoft Windows Serv ...) NOT-FOR-US: Microsoft Windows CVE-2015-0005 (The NETLOGON service in Microsoft Windows Server 2003 SP2, Windows Ser ...) NOT-FOR-US: Microsoft CVE-2015-0004 (The User Profile Service (aka ProfSvc) in Microsoft Windows Server 200 ...) NOT-FOR-US: Microsoft Windows CVE-2015-0003 (win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 ...) NOT-FOR-US: Microsoft CVE-2015-0002 (The AhcVerifyAdminContext function in ahcache.sys in the Application C ...) NOT-FOR-US: Microsoft Windows CVE-2015-0001 (The Windows Error Reporting (WER) component in Microsoft Windows 8, Wi ...) NOT-FOR-US: Microsoft Windows CVE-2014-8994 (The check_diskio plugin 3.2.6 and earlier for Nagios and Icinga allows ...) NOT-FOR-US: check_diskio nagios/icinga plugin CVE-2014-8989 (The Linux kernel through 3.17.4 does not properly restrict dropping of ...) - linux 3.16.7-ckt4-1 [wheezy] - linux (User namespaces only usable in later kernels) - linux-2.6 (User namespaces only usable in later kernels) NOTE: http://thread.gmane.org/gmane.linux.man/7385/ CVE-2014-8986 (Cross-site scripting (XSS) vulnerability in the selection list in the ...) {DSA-3120-1} - mantis [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: https://github.com/mantisbt/mantisbt/commit/cabacdc291c251bfde0dc2a2c945c02cef41bf40 NOTE: https://github.com/mantisbt/mantisbt/commit/e326b73a (1.2.x) CVE-2014-8985 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft CVE-2014-8984 REJECTED CVE-2014-8983 REJECTED CVE-2014-8982 REJECTED CVE-2014-8981 REJECTED CVE-2014-8980 REJECTED CVE-2014-8979 REJECTED CVE-2014-8978 REJECTED CVE-2014-8977 REJECTED CVE-2014-8976 REJECTED CVE-2014-8975 REJECTED CVE-2014-8974 REJECTED CVE-2014-8973 REJECTED CVE-2014-8972 REJECTED CVE-2014-8971 REJECTED CVE-2014-8970 REJECTED CVE-2014-8969 REJECTED CVE-2014-8968 REJECTED CVE-2014-8967 (Use-after-free vulnerability in Microsoft Internet Explorer allows rem ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-8966 (Microsoft Internet Explorer 6 through 8 allows remote attackers to exe ...) NOT-FOR-US: Internet Explorer CVE-2014-8965 RESERVED CVE-2014-8964 (Heap-based buffer overflow in PCRE 8.36 and earlier allows remote atta ...) - pcre3 2:8.35-3.3 (bug #770478) [wheezy] - pcre3 (Minor issue) [squeeze] - pcre3 (Minor issue) NOTE: http://bugs.exim.org/show_bug.cgi?id=1546 NOTE: http://www.exim.org/viewvc/pcre2?revision=154&view=revision CVE-2014-8963 RESERVED CVE-2014-8962 (Stack-based buffer overflow in stream_decoder.c in libFLAC before 1.3. ...) {DSA-3082-1 DLA-99-1} - flac 1.3.0-3 (bug #770918) NOTE: https://git.xiph.org/?p=flac.git;a=patch;h=5b3033a2b355068c11fe637e14ac742d273f076e NOTE: http://lists.xiph.org/pipermail/flac-dev/2014-November/005185.html CVE-2014-8961 (Directory traversal vulnerability in libraries/error_report.lib.php in ...) - phpmyadmin 4:4.2.12-1 [squeeze] - phpmyadmin (Vulnerable code not present) [wheezy] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2014-16/ CVE-2014-8960 (Cross-site scripting (XSS) vulnerability in libraries/error_report.lib ...) - phpmyadmin 4:4.2.12-1 [squeeze] - phpmyadmin (Vulnerable code not present) [wheezy] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2014-15/ CVE-2014-8959 (Directory traversal vulnerability in libraries/gis/GIS_Factory.class.p ...) - phpmyadmin 4:4.2.12-1 [squeeze] - phpmyadmin (Vulnerable code not present) [wheezy] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2014-14/ CVE-2014-8958 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0. ...) {DSA-3382-1 DLA-336-1} - phpmyadmin 4:4.2.12-1 (low) NOTE: https://www.phpmyadmin.net/security/PMASA-2014-13/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/42b64e12b5f596366f94ef72365fd69a019ba820 and NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/c7685e5acd3f8e722f4f374c6fa821590865b68d need NOTE: to be backported to 3.4 CVE-2014-8957 (Cross-site scripting (XSS) vulnerability in OpenKM before 6.4.19 allow ...) NOT-FOR-US: OpenKM CVE-2014-8956 (Stack-based buffer overflow in the K7Sentry.sys kernel mode driver (ak ...) NOT-FOR-US: K7 Computing CVE-2014-8955 (Cross-site scripting (XSS) vulnerability in the Contact Form Clean and ...) NOT-FOR-US: WordPress plugin clean-and-simple-contact-form-by-meg-nicholas CVE-2014-8954 (Multiple cross-site scripting (XSS) vulnerabilities in phpSound 1.0.5 ...) NOT-FOR-US: phpSound CVE-2014-8953 (Multiple cross-site request forgery (CSRF) vulnerabilities in Php Scri ...) NOT-FOR-US: Php Scriptlerim Who's Who CVE-2014-8952 (Multiple unspecified vulnerabilities in Check Point Security Gateway R ...) NOT-FOR-US: Check Point Security Gateway CVE-2014-8951 (Unspecified vulnerability in Check Point Security Gateway R75, R76, R7 ...) NOT-FOR-US: Check Point Security Gateway CVE-2014-8950 (Unspecified vulnerability in Check Point Security Gateway R77 and R77. ...) NOT-FOR-US: Check Point Security Gateway CVE-2014-8949 (The iMember360 plugin 3.8.012 through 3.9.001 for WordPress allows rem ...) NOT-FOR-US: WordPress plugin iMember360 CVE-2014-8948 (Cross-site request forgery (CSRF) vulnerability in the iMember360 plug ...) NOT-FOR-US: WordPress plugin iMember360 CVE-2014-8947 RESERVED CVE-2014-8946 RESERVED CVE-2014-8945 (admin.php?page=projects in Lexiglot through 2014-11-20 allows command ...) NOT-FOR-US: Lexiglot CVE-2014-8944 (Lexiglot through 2014-11-20 allows XSS (Reflected) via the username, o ...) NOT-FOR-US: Lexiglot CVE-2014-8943 (Lexiglot through 2014-11-20 allows SSRF via the admin.php?page=project ...) NOT-FOR-US: Lexiglot CVE-2014-8942 (Lexiglot through 2014-11-20 allows CSRF. ...) NOT-FOR-US: Lexiglot CVE-2014-8941 (Lexiglot through 2014-11-20 allows SQL injection via an admin.php?page ...) NOT-FOR-US: Lexiglot CVE-2014-8940 (Lexiglot through 2014-11-20 allows remote attackers to obtain sensitiv ...) NOT-FOR-US: Lexiglot CVE-2014-8939 (Lexiglot through 2014-11-20 allows remote attackers to obtain sensitiv ...) NOT-FOR-US: Lexiglot CVE-2014-8938 (Lexiglot through 2014-11-20 allows local users to obtain sensitive inf ...) NOT-FOR-US: Lexiglot CVE-2014-8937 (Lexiglot through 2014-11-20 allows denial of service because api/updat ...) NOT-FOR-US: Lexiglot CVE-2014-8936 REJECTED CVE-2014-8935 REJECTED CVE-2014-8934 REJECTED CVE-2014-8933 REJECTED CVE-2014-8932 REJECTED CVE-2014-8931 REJECTED CVE-2014-8930 RESERVED CVE-2014-8929 REJECTED CVE-2014-8928 REJECTED CVE-2014-8927 (Common Inventory Technology (CIT) before 2.7.0.2050 in IBM License Met ...) NOT-FOR-US: IBM CVE-2014-8926 (Common Inventory Technology (CIT) before 2.7.0.2050 in IBM License Met ...) NOT-FOR-US: IBM CVE-2014-8925 (Cross-site request forgery (CSRF) vulnerability in ClearQuest Web in I ...) NOT-FOR-US: IBM CVE-2014-8924 (The server in IBM License Metric Tool 7.2.2 before IF15 and 7.5 before ...) NOT-FOR-US: IBM CVE-2014-8923 (The (1) IBM Tivoli Identity Manager Active Directory adapter before 5. ...) NOT-FOR-US: IBM CVE-2014-8922 RESERVED CVE-2014-8921 (The IBM Notes Traveler Companion application 1.0 and 1.1 before 201411 ...) NOT-FOR-US: IBM Notes Traveler Companion CVE-2014-8920 (Buffer overflow in the Data Transfer Program in IBM i Access 5770-XE1 ...) NOT-FOR-US: IBM CVE-2014-8919 RESERVED CVE-2014-8918 (IBM Security AppScan Standard 8.x and 9.x before 9.0.1.1 FP1 does not ...) NOT-FOR-US: IBM CVE-2014-8917 (Multiple cross-site scripting (XSS) vulnerabilities in (1) dojox/form/ ...) NOT-FOR-US: IBM CVE-2014-8916 (Cross-site scripting (XSS) vulnerability in IBM OpenPages GRC Platform ...) NOT-FOR-US: IBM CVE-2014-8915 RESERVED CVE-2014-8914 (Cross-site scripting (XSS) vulnerability in the Process Portal in IBM ...) NOT-FOR-US: IBM CVE-2014-8913 (Cross-site scripting (XSS) vulnerability in the Process Portal in IBM ...) NOT-FOR-US: IBM CVE-2014-8912 (IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 ...) NOT-FOR-US: IBM WebSphere Portal CVE-2014-8911 (Cross-site scripting (XSS) vulnerability in IBM Content Navigator 2.0. ...) NOT-FOR-US: IBM Content Navigator CVE-2014-8910 (IBM DB2 9.7 through FP10, 9.8 through FP5, 10.1 before FP5, and 10.5 t ...) NOT-FOR-US: IBM DB2 CVE-2014-8909 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 6.1.0 ...) NOT-FOR-US: IBM WebSphere Portal CVE-2014-8908 RESERVED CVE-2014-8907 RESERVED CVE-2014-8906 RESERVED CVE-2014-8905 RESERVED CVE-2014-8904 (lquerylv in cmdlvm in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x allows ...) NOT-FOR-US: IBM AIX, VIOS CVE-2014-8903 (IBM Curam Social Program Management 6.0 SP2 before EP26, 6.0.4 before ...) NOT-FOR-US: IBM CVE-2014-8902 (Cross-site scripting (XSS) vulnerability in the Blog Portlet in IBM We ...) NOT-FOR-US: IBM WebSphere Portal CVE-2014-8901 (IBM DB2 9.5 through FP10, 9.7 through FP10, 9.8 through FP5, 10.1 thro ...) NOT-FOR-US: IBM CVE-2014-8900 (Cross-site request forgery (CSRF) vulnerability in IBM UrbanCode Relea ...) NOT-FOR-US: IBM CVE-2014-8899 (Cross-site scripting (XSS) vulnerability in the Collaboration Server i ...) NOT-FOR-US: IBM CVE-2014-8898 (Cross-site scripting (XSS) vulnerability in the Collaboration Server i ...) NOT-FOR-US: IBM CVE-2014-8897 (Cross-site scripting (XSS) vulnerability in the Collaboration Server i ...) NOT-FOR-US: IBM CVE-2014-8896 (The Collaboration Server in IBM InfoSphere Master Data Management Serv ...) NOT-FOR-US: IBM CVE-2014-8895 (IBM TRIRIGA Application Platform 3.2.1.x, 3.3.2 before 3.3.2.3, and 3. ...) NOT-FOR-US: IBM CVE-2014-8894 (Open redirect vulnerability in IBM TRIRIGA Application Platform 3.2.1. ...) NOT-FOR-US: IBM CVE-2014-8893 (Multiple cross-site scripting (XSS) vulnerabilities in (1) mainpage.js ...) NOT-FOR-US: IBM CVE-2014-8892 (Unspecified vulnerability in the Java Virtual Machine (JVM) in IBM SDK ...) NOT-FOR-US: IBM Java CVE-2014-8891 (Unspecified vulnerability in the Java Virtual Machine (JVM) in IBM SDK ...) NOT-FOR-US: IBM Java CVE-2014-8890 (IBM WebSphere Application Server Liberty Profile 8.5.x before 8.5.5.4 ...) NOT-FOR-US: IBM CVE-2014-8889 (Dropbox SDK for Android before 1.6.2 might allow remote attackers to o ...) NOT-FOR-US: Dropbox SDK for Android CVE-2014-8888 (The remote administration interface in D-Link DIR-815 devices with fir ...) NOT-FOR-US: D-Link CVE-2014-8887 (IBM Marketing Operations 7.x and 8.x before 8.5.0.7.2, 8.6.x before 8. ...) NOT-FOR-US: IBM Marketing Operations CVE-2014-8886 (AVM FRITZ!OS before 6.30 extracts the contents of firmware updates bef ...) NOT-FOR-US: AVM FRITZ!OS CVE-2014-8885 RESERVED CVE-2014-8883 RESERVED CVE-2014-8882 RESERVED CVE-2014-8881 RESERVED CVE-2014-8880 RESERVED CVE-2014-8879 RESERVED CVE-2014-8877 (The alterSearchQuery function in lib/controllers/CmdownloadController. ...) NOT-FOR-US: CreativeMinds CM Downloads Manager plugin for WordPress CVE-2014-8876 RESERVED CVE-2014-8875 (The XML_RPC_cd function in lib/pear/XML/RPC.php in Revive Adserver bef ...) NOT-FOR-US: Revive Adserver CVE-2014-8874 (The ke_questionnaire extension 2.5.2 and earlier for TYPO3 uses predic ...) NOT-FOR-US: TYPO3 Extension ke_questionnaire CVE-2014-8873 (A .desktop file in the Debian openjdk-7 package 7u79-2.5.5-1~deb8u1 in ...) {DSA-3316-1 DSA-3235-1} - openjdk-8 8u45-b14-1 (high) - openjdk-7 7u79-2.5.5-1 (high) - openjdk-6 (high) [squeeze] - openjdk-6 (MIME type setting is harmless on squeeze) [wheezy] - openjdk-6 (MIME type setting is harmless on wheezy) [squeeze] - openjdk-7 (MIME type setting is harmless on this squeeze) [wheezy] - openjdk-7 (MIME type setting is harmless on wheezy) NOTE: Starting with mime-support 3.53, MimeType entries in desktop NOTE: files end up in /etc/mailcap, which introduces the user-initiated NOTE: code execution. CVE-2014-8872 (Improper Verification of Cryptographic Signature in AVM FRITZ!Box 6810 ...) NOT-FOR-US: AVM FRITZ!Box CVE-2014-8871 (Directory traversal vulnerability in hybris Commerce software suite 5. ...) NOT-FOR-US: hybris Commerce CVE-2014-8870 (Open redirect vulnerability in mobiquo/smartbanner/welcome.php in the ...) NOT-FOR-US: Woltlab Burning Board plugin Tapatalk CVE-2014-8869 (Multiple cross-site scripting (XSS) vulnerabilities in mobiquo/smartba ...) NOT-FOR-US: Woltlab Burning Board plugin Tapatalk CVE-2014-8868 (EntryPass N5200 Active Network Control Panel does not properly restric ...) NOT-FOR-US: EntryPass N5200 CVE-2014-8867 (The acceleration support for the "REP MOVS" instruction in Xen 4.4.x, ...) {DSA-3140-1} - xen 4.4.1-5 (bug #770230) [squeeze] - xen (Unsupported in squeeze-lts) CVE-2014-8866 (The compatibility mode hypercall argument translation in Xen 3.3.x thr ...) {DSA-3140-1} - xen 4.4.1-5 (bug #770230) [squeeze] - xen (Unsupported in squeeze-lts) CVE-2014-8865 REJECTED CVE-2014-8864 REJECTED CVE-2014-8863 REJECTED CVE-2014-8862 REJECTED CVE-2014-8861 REJECTED CVE-2014-8860 REJECTED CVE-2014-8859 REJECTED CVE-2014-8858 REJECTED CVE-2014-8857 REJECTED CVE-2014-8856 REJECTED CVE-2014-8855 REJECTED CVE-2014-8854 REJECTED CVE-2014-8853 REJECTED CVE-2014-8852 REJECTED CVE-2014-8851 REJECTED CVE-2014-8850 REJECTED CVE-2014-8849 REJECTED CVE-2014-8848 REJECTED CVE-2014-8847 REJECTED CVE-2014-8846 REJECTED CVE-2014-8845 REJECTED CVE-2014-8844 REJECTED CVE-2014-8843 REJECTED CVE-2014-8842 RESERVED CVE-2014-8841 RESERVED CVE-2014-8840 (The iTunes Store component in Apple iOS before 8.1.3 allows remote att ...) NOT-FOR-US: Apple CVE-2014-8839 (Spotlight in Apple OS X before 10.10.2 does not enforce the Mail "Load ...) NOT-FOR-US: Apple CVE-2014-8838 (The Security component in Apple OS X before 10.10.2 does not properly ...) NOT-FOR-US: Apple CVE-2014-8837 (Multiple unspecified vulnerabilities in the Bluetooth driver in Apple ...) NOT-FOR-US: Apple CVE-2014-8836 (The Bluetooth driver in Apple OS X before 10.10.2 allows attackers to ...) NOT-FOR-US: Apple CVE-2014-8835 (The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 ...) NOT-FOR-US: Apple CVE-2014-8834 (UserAccountUpdater in Apple OS X 10.10 before 10.10.2 stores a PDF doc ...) NOT-FOR-US: Apple CVE-2014-8833 (SpotlightIndex in Apple OS X before 10.10.2 does not properly perform ...) NOT-FOR-US: Apple CVE-2014-8832 (The indexing functionality in Spotlight in Apple OS X before 10.10.2 w ...) NOT-FOR-US: Apple CVE-2014-8831 (security_taskgate in Apple OS X before 10.10.2 allows attackers to rea ...) NOT-FOR-US: Apple CVE-2014-8830 (Heap-based buffer overflow in SceneKit in Apple OS X before 10.10.2 al ...) NOT-FOR-US: Apple CVE-2014-8829 (SceneKit in Apple OS X before 10.10.2 allows attackers to execute arbi ...) NOT-FOR-US: Apple CVE-2014-8828 (Sandbox in Apple OS X before 10.10 allows attackers to write to the sa ...) NOT-FOR-US: Apple CVE-2014-8827 (LoginWindow in Apple OS X before 10.10.2 does not transition to the lo ...) NOT-FOR-US: Apple CVE-2014-8826 (LaunchServices in Apple OS X before 10.10.2 does not properly handle f ...) NOT-FOR-US: Apple CVE-2014-8825 (The kernel in Apple OS X before 10.10.2 does not properly perform iden ...) NOT-FOR-US: Apple CVE-2014-8824 (The kernel in Apple OS X before 10.10.2 does not properly validate IOD ...) NOT-FOR-US: Apple CVE-2014-8823 (The IOUSBControllerUserClient::ReadRegister function in the IOUSB cont ...) NOT-FOR-US: Apple CVE-2014-8822 (IOHIDFamily in Apple OS X before 10.10.2 allows attackers to execute a ...) NOT-FOR-US: Apple CVE-2014-8821 (The Intel Graphics Driver in Apple OS X before 10.10.2 allows local us ...) NOT-FOR-US: Apple CVE-2014-8820 (The Intel Graphics Driver in Apple OS X before 10.10.2 allows local us ...) NOT-FOR-US: Apple CVE-2014-8819 (The Intel Graphics Driver in Apple OS X before 10.10.2 allows local us ...) NOT-FOR-US: Apple CVE-2014-8818 REJECTED CVE-2014-8817 (coresymbolicationd in CoreSymbolication in Apple OS X before 10.10.2 d ...) NOT-FOR-US: Apple CVE-2014-8816 (CoreGraphics in Apple OS X before 10.10 allows remote attackers to exe ...) NOT-FOR-US: Apple CVE-2014-8815 RESERVED CVE-2014-8814 RESERVED CVE-2014-8813 RESERVED CVE-2014-8812 RESERVED CVE-2014-8811 RESERVED CVE-2014-8810 (SQL injection vulnerability in ajax/mail_functions.php in the WP Sympo ...) NOT-FOR-US: WP Symposium plugin for WordPress CVE-2014-8809 (Multiple cross-site scripting (XSS) vulnerabilities in the WP Symposiu ...) NOT-FOR-US: WP Symposium plugin for WordPress CVE-2014-8808 RESERVED CVE-2014-8807 RESERVED CVE-2014-8806 RESERVED CVE-2014-8805 RESERVED CVE-2014-8804 RESERVED CVE-2014-8803 RESERVED CVE-2014-8802 (The Pie Register plugin before 2.0.14 for WordPress does not properly ...) NOT-FOR-US: WordPress plugin Pie Register CVE-2014-8801 (Directory traversal vulnerability in services/getfile.php in the Paid ...) NOT-FOR-US: Paid Memberships Pro plugin for WordPress CVE-2014-8800 (Cross-site scripting (XSS) vulnerability in nextend-facebook-settings. ...) NOT-FOR-US: Nextend Facebook Connect plugin for WordPress CVE-2014-8799 (Directory traversal vulnerability in the dp_img_resize function in php ...) NOT-FOR-US: dp_img_resize function in php/dp-functions.php in the DukaPress plugin for WordPress CVE-2014-8798 RESERVED CVE-2014-8797 RESERVED CVE-2014-8796 RESERVED CVE-2014-8795 RESERVED CVE-2014-8794 RESERVED CVE-2014-8793 (Cross-site scripting (XSS) vulnerability in lib/max/Admin/UI/Field/Pub ...) NOT-FOR-US: Revive Adserver CVE-2014-8792 RESERVED CVE-2014-8791 (project/register.php in Tuleap before 7.7, when sys_create_project_in_ ...) NOT-FOR-US: Enalean Tuleap CVE-2014-8790 (XML external entity (XXE) vulnerability in admin/api.php in GetSimple ...) NOT-FOR-US: GetSimple CMS CVE-2014-8789 (GleamTech FileVista before 6.1 allows remote authenticated users to cr ...) NOT-FOR-US: GleamTech FileVista CVE-2014-8788 (GleamTech FileVista before 6.1 allows remote authenticated users to ob ...) NOT-FOR-US: GleamTech FileVista CVE-2014-8787 RESERVED CVE-2014-8786 RESERVED CVE-2014-8785 RESERVED CVE-2014-8784 RESERVED CVE-2014-8783 RESERVED CVE-2014-8782 RESERVED CVE-2014-8781 RESERVED CVE-2014-8780 (Cross-site scripting (XSS) vulnerability in Jease 2.11 allows remote a ...) NOT-FOR-US: Jease CVE-2014-8779 (Pexip Infinity before 8 uses the same SSH host keys across different c ...) NOT-FOR-US: Pexip Infinity CVE-2014-8778 (Checkmarx CxSAST (formerly CxSuite) before 7.1.8 allows remote authent ...) NOT-FOR-US: Checkmarx CVE-2014-8777 RESERVED CVE-2014-8776 RESERVED CVE-2014-8775 (MODX Revolution 2.x before 2.2.15 does not include the HTTPOnly flag i ...) NOT-FOR-US: MODx Revolution CVE-2014-8774 (Cross-site scripting (XSS) vulnerability in manager/index.php in MODX ...) NOT-FOR-US: MODx Revolution CVE-2014-8773 (MODX Revolution 2.x before 2.2.15 allows remote attackers to bypass th ...) NOT-FOR-US: MODx Revolution CVE-2014-8772 (Cross-site scripting (XSS) vulnerability in the search_controller in X ...) NOT-FOR-US: X3 CMS CVE-2014-8771 (Multiple cross-site request forgery (CSRF) vulnerabilities in the admi ...) NOT-FOR-US: X3 CMS CVE-2014-8770 (Unrestricted file upload vulnerability in magmi/web/magmi.php in the M ...) NOT-FOR-US: Magento CVE-2012-6665 (Directory traversal vulnerability in index.php in phpMoneyBooks 1.0.4 ...) NOT-FOR-US: phpMoneyBooks CVE-2012-6664 RESERVED CVE-2012-6663 (General Electric D20ME devices are not properly configured and reveal ...) NOT-FOR-US: General Electric D20ME devices CVE-2014-8988 (MantisBT before 1.2.18 allows remote authenticated users to bypass the ...) {DSA-3120-1} - mantis [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: http://github.com/mantisbt/mantisbt/commit/5f0b150b NOTE: http://www.mantisbt.org/bugs/view.php?id=17742 CVE-2014-9622 (Eval injection vulnerability in xdg-utils 1.1.0 RC1, when no supported ...) {DSA-3131-1 DLA-217-1} - xdg-utils 1.1.0~rc1+git20111210-7.3 (bug #773085) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=66670 CVE-2014-8991 (pip 1.3 through 1.5.6 allows local users to cause a denial of service ...) - python-pip 1.5.6-4 (bug #725847) [wheezy] - python-pip (Vulnerable code only in >= 1.3) [squeeze] - python-pip (Vulnerable code only in >= 1.3) NOTE: https://github.com/pypa/pip/pull/2122 CVE-2014-8987 (Cross-site scripting (XSS) vulnerability in the "set configuration" bo ...) - mantis (Vulnerable code introduced later) NOTE: Affected upstream versions >= 1.2.13, <= 1.2.17 NOTE: https://github.com/mantisbt/mantisbt/commit/49c3d089 NOTE: http://www.mantisbt.org/bugs/view.php?id=17870 CVE-2014-8884 (Stack-based buffer overflow in the ttusbdecfe_dvbs_diseqc_send_master_ ...) {DSA-3093-1 DLA-118-1} - linux 3.16.7-ckt2-1 - linux-2.6 NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f2e323ec96077642d397bb1c355def536d489d16 (v3.18-rc1) CVE-2014-8769 (tcpdump 3.8 through 4.6.2 might allow remote attackers to obtain sensi ...) {DSA-3086-1 DLA-102-1} - tcpdump 4.6.2-2 (bug #770424) NOTE: http://www.securityfocus.com/archive/1/534009/30/0/threaded CVE-2014-8768 (Multiple Integer underflows in the geonet_print function in tcpdump 4. ...) - tcpdump 4.6.2-2 (bug #770415) [wheezy] - tcpdump (Vulnerable code added in 4.5.0) [squeeze] - tcpdump (Vulnerable code added in 4.5.0) NOTE: http://www.securityfocus.com/archive/1/534010/30/0/threaded CVE-2014-8767 (Integer underflow in the olsr_print function in tcpdump 3.9.6 through ...) {DSA-3086-1 DLA-102-1} - tcpdump 4.6.2-2 (bug #770434) NOTE: http://www.securityfocus.com/archive/1/534011/30/0/threaded CVE-2014-8742 (Directory traversal vulnerability in the ReportDownloadServlet servlet ...) NOT-FOR-US: Lexmark CVE-2014-8741 (Directory traversal vulnerability in the GfdFileUploadServerlet servle ...) NOT-FOR-US: Lexmark CVE-2014-8740 RESERVED CVE-2014-8739 (Unrestricted file upload vulnerability in server/php/UploadHandler.php ...) NOT-FOR-US: Joomla/Wordpress plugin CVE-2014-8736 (The Open Atrium Core module for Drupal before 7.x-2.22 allows remote a ...) NOT-FOR-US: Drupal module Open Atrium Core CVE-2014-8735 (The Bad Behavior module 6.x-2.x before 6.x-2.2216 and 7.x-2.x before 7 ...) NOT-FOR-US: Drupal module Bad Behavior CVE-2014-8734 (The Organic Groups Menu (aka OG Menu) module before 7.x-2.2 for Drupal ...) NOT-FOR-US: Drupal module Organic Groups Menu CVE-2014-8733 (Cloudera Manager 5.2.0, 5.2.1, and 5.3.0 stores the LDAP bind password ...) NOT-FOR-US: Cloudera Manager CVE-2014-8730 (The SSL profiles component in F5 BIG-IP LTM, APM, and ASM 10.0.0 throu ...) NOT-FOR-US: SSL/TLS implementation error in F5 products (and historic NSS releases) CVE-2014-8729 RESERVED CVE-2014-8728 (SQL injection vulnerability in the login page (login/login) in Subex R ...) NOT-FOR-US: Subex CVE-2014-8727 (Multiple directory traversal vulnerabilities in F5 BIG-IP before 10.2. ...) NOT-FOR-US: F5 BIG-IP CVE-2014-8726 RESERVED CVE-2014-8725 RESERVED CVE-2014-8724 (Cross-site scripting (XSS) vulnerability in the W3 Total Cache plugin ...) NOT-FOR-US: W3 Total Cache plugin for WordPress CVE-2014-8723 (GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive inform ...) NOT-FOR-US: GetSimple CMS CVE-2014-8722 (GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive inform ...) NOT-FOR-US: GetSimple CMS CVE-2014-8721 RESERVED CVE-2014-8720 RESERVED CVE-2014-8719 RESERVED CVE-2014-8718 RESERVED CVE-2014-8717 RESERVED CVE-2014-8715 RESERVED CVE-2014-8708 (Pluck CMS 4.7.2 allows remote attackers to execute arbitrary code via ...) NOT-FOR-US: Pluck CMS CVE-2014-8707 (Cross-site scripting (XSS) vulnerability in TinyMCE in Pluck CMS 4.7.2 ...) NOT-FOR-US: Pluck CMS CVE-2014-8706 (Pluck CMS 4.7.2 allows remote attackers to obtain sensitive informatio ...) NOT-FOR-US: Pluck CMS CVE-2014-8705 (PHP remote file inclusion vulnerability in editInplace.php in Wonder C ...) NOT-FOR-US: Wonder CMS CVE-2014-8704 (Directory traversal vulnerability in index.php in Wonder CMS 2014 allo ...) NOT-FOR-US: Wonder CMS CVE-2014-8703 (Cross-site scripting (XSS) vulnerability in Wonder CMS 2014 allows rem ...) NOT-FOR-US: Wonder CMS CVE-2014-8702 (Wonder CMS 2014 allows remote attackers to obtain sensitive informatio ...) NOT-FOR-US: Wonder CMS CVE-2014-8701 (Wonder CMS 2014 allows remote attackers to obtain sensitive informatio ...) NOT-FOR-US: Wonder CMS CVE-2014-8700 RESERVED CVE-2014-8699 RESERVED CVE-2014-8698 RESERVED CVE-2014-8697 RESERVED CVE-2014-8696 RESERVED CVE-2014-8695 RESERVED CVE-2014-8694 RESERVED CVE-2014-8693 RESERVED CVE-2014-8692 RESERVED CVE-2014-8691 RESERVED CVE-2014-8690 (Multiple cross-site scripting (XSS) vulnerabilities in Exponent CMS be ...) NOT-FOR-US: Exponent CMS CVE-2014-8689 RESERVED CVE-2014-8688 (An issue was discovered in Telegram Messenger 2.6 for iOS and 1.8.2 fo ...) NOT-FOR-US: Telegram Messenger CVE-2014-8687 (Seagate Business NAS devices with firmware before 2015.00322 allow rem ...) NOT-FOR-US: Seagate Business NAS devices CVE-2014-8686 (CodeIgniter before 2.2.0 makes it easier for attackers to decode sessi ...) - codeigniter (bug #471583) CVE-2014-8685 RESERVED CVE-2014-8684 (CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through ...) - codeigniter (bug #471583) CVE-2014-8683 (Cross-site scripting (XSS) vulnerability in models/issue.go in Gogs (a ...) NOT-FOR-US: Go Git Service CVE-2014-8682 (Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0. ...) NOT-FOR-US: Go Git Service CVE-2014-8681 (SQL injection vulnerability in the GetIssues function in models/issue. ...) NOT-FOR-US: Go Git Service CVE-2014-8680 (The GeoIP functionality in ISC BIND 9.10.0 through 9.10.1 allows remot ...) - bind9 (Only affects 9.10 to 9.11) NOTE: https://kb.isc.org/article/AA-01217/0 CVE-2014-8679 RESERVED CVE-2014-8678 (The ConfigSaveServlet servlet in ManageEngine OpUtils before build 710 ...) NOT-FOR-US: ManageEngine OpUtils CVE-2014-8677 (The installation process for SOPlanning 1.32 and earlier allows remote ...) NOT-FOR-US: SOPlanning CVE-2014-8676 (Directory traversal vulnerability in the file_get_contents function in ...) NOT-FOR-US: SOPlanning CVE-2014-8675 (Soplanning 1.32 and earlier generates static links for sharing ICAL ca ...) NOT-FOR-US: SOPlanning CVE-2014-8674 (Multiple Cross-Site Scripting (XSS) vulnerabilities exist in Simple On ...) NOT-FOR-US: Simple Online Planning CVE-2014-8673 (Multiple SQL vulnerabilities exist in planning.php, user_list.php, pro ...) NOT-FOR-US: Simple Online Planning CVE-2014-8672 (Cross-site scripting (XSS) vulnerability in the RewardingYourself appl ...) NOT-FOR-US: RewardingYourself application for Android and BlackBerry CVE-2014-8671 (Cross-site scripting (XSS) vulnerability in the GWT Mobile PhoneGap Sh ...) NOT-FOR-US: GWT Mobile PhoneGap Showcase application for Android CVE-2014-8670 (Open redirect vulnerability in go.php in vBulletin 4.2.1 allows remote ...) NOT-FOR-US: vBulletin CVE-2014-8669 (The SAP Promotion Guidelines (CRM-MKT-MPL-TPM-PPG) module for SAP CRM ...) NOT-FOR-US: SAP CVE-2014-8668 (SQL injection vulnerability in SAP Contract Accounting allows remote a ...) NOT-FOR-US: SAP CVE-2014-8667 (Cross-site scripting (XSS) vulnerability in SAP HANA Web-based Develop ...) NOT-FOR-US: SAP CVE-2014-8666 (The User & Server configuration, InfoView refresh, user rights (BI ...) NOT-FOR-US: SAP CVE-2014-8665 (The SAP Business Intelligence Development Workbench allows remote atta ...) NOT-FOR-US: SAP CVE-2014-8664 (SQL injection vulnerability in Product Safety (EHS-SAF) component in S ...) NOT-FOR-US: SAP CVE-2014-8663 (SQL injection vulnerability in Data Basis (BW-WHM-DBA) in SAP NetWeave ...) NOT-FOR-US: SAP CVE-2014-8662 (Unspecified vulnerability in SAP Payroll Process allows remote attacke ...) NOT-FOR-US: SAP CVE-2014-8661 (The SAP CRM Internet Sales module allows remote attackers to execute a ...) NOT-FOR-US: SAP CVE-2014-8660 (SAP Document Management Services allows local users to execute arbitra ...) NOT-FOR-US: SAP CVE-2014-8659 (Directory traversal vulnerability in SAP Environment, Health, and Safe ...) NOT-FOR-US: SAP CVE-2014-8658 (Cross-site scripting (XSS) vulnerability in RefinedWiki Original Theme ...) NOT-FOR-US: Atlassian Confluence theme CVE-2014-8657 (The Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gatew ...) NOT-FOR-US: Compal Gateways CVE-2014-8656 (The Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gatew ...) NOT-FOR-US: Compal Gateways CVE-2014-8655 (The Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gatew ...) NOT-FOR-US: Compal Gateways CVE-2014-8654 (Multiple cross-site request forgery (CSRF) vulnerabilities in Compal B ...) NOT-FOR-US: Compal Gateways CVE-2014-8653 (Cross-site scripting (XSS) vulnerability in Compal Broadband Networks ...) NOT-FOR-US: Compal Gateways CVE-2014-8652 (Elipse E3 3.x and earlier allows remote attackers to cause a denial of ...) NOT-FOR-US: Elipse E3 CVE-2014-8649 REJECTED CVE-2014-8648 REJECTED CVE-2014-8647 REJECTED CVE-2014-8646 REJECTED CVE-2014-8645 REJECTED CVE-2014-8644 RESERVED CVE-2014-8643 (Mozilla Firefox before 35.0 on Windows allows remote attackers to bypa ...) - iceweasel (Only affects Firefox on Windows) NOTE: http://www.mozilla.org/security/announce/2015/mfsa2015-07.html CVE-2014-8642 (Mozilla Firefox before 35.0 and SeaMonkey before 2.32 do not consider ...) - iceweasel (Only affects versions > 31.x) NOTE: http://www.mozilla.org/security/announce/2015/mfsa2015-08.html CVE-2014-8641 (Use-after-free vulnerability in the WebRTC implementation in Mozilla F ...) {DSA-3127-1} - iceweasel 31.4.0esr-1 [squeeze] - iceweasel NOTE: http://www.mozilla.org/security/announce/2015/mfsa2015-06.html CVE-2014-8640 (The mozilla::dom::AudioParamTimeline::AudioNodeInputValue function in ...) - iceweasel (Only affects versions > 31.x) NOTE: http://www.mozilla.org/security/announce/2015/mfsa2015-05.html CVE-2014-8639 (Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird ...) {DSA-3132-1 DSA-3127-1} - iceweasel 31.4.0esr-1 [squeeze] - iceweasel - icedove 31.4.0-1 [squeeze] - icedove NOTE: http://www.mozilla.org/security/announce/2015/mfsa2015-04.html CVE-2014-8638 (The navigator.sendBeacon implementation in Mozilla Firefox before 35.0 ...) {DSA-3132-1 DSA-3127-1} - iceweasel 31.4.0esr-1 [squeeze] - iceweasel - icedove 31.4.0-1 [squeeze] - icedove NOTE: http://www.mozilla.org/security/announce/2015/mfsa2015-03.html CVE-2014-8637 (Mozilla Firefox before 35.0 and SeaMonkey before 2.32 do not properly ...) - iceweasel (Only affects versions > 31.x) NOTE: http://www.mozilla.org/security/announce/2015/mfsa2015-02.html CVE-2014-8636 (The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaM ...) - iceweasel (Only affects versions > 31.x) NOTE: http://www.mozilla.org/security/announce/2015/mfsa2015-09.html CVE-2014-8635 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel (Only affects versions > 31.x) CVE-2014-8634 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-3132-1 DSA-3127-1} - iceweasel 31.4.0esr-1 [squeeze] - iceweasel - icedove 31.4.0-1 [squeeze] - icedove NOTE: http://www.mozilla.org/security/announce/2015/mfsa2015-01.html CVE-2014-8633 RESERVED CVE-2014-8632 (The structured-clone implementation in Mozilla Firefox before 34.0 and ...) - iceweasel (Only affects Firefox 33) CVE-2014-8631 (The Chrome Object Wrapper (COW) implementation in Mozilla Firefox befo ...) - iceweasel (Only affects Firefox 33) CVE-2014-8630 (Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x ...) - bugzilla4 (bug #669643) - bugzilla [squeeze] - bugzilla NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1079065 CVE-2014-8629 (Cross-site scripting (XSS) vulnerability in the Page visualization age ...) NOT-FOR-US: Pandora FMS CVE-2014-8624 RESERVED CVE-2014-8623 RESERVED CVE-2014-8622 (Cross-site scripting (XSS) vulnerability in compfight-search.php in th ...) NOT-FOR-US: Compfight plugin for WordPress CVE-2014-8621 (SQL injection vulnerability in the Store Locator plugin 2.3 through 3. ...) NOT-FOR-US: Wordpress plugin CVE-2014-8620 RESERVED CVE-2014-8619 (Cross-site scripting (XSS) vulnerability in the autolearn configuratio ...) NOT-FOR-US: Fortinet FortiWeb CVE-2014-8618 (Cross-site scripting (XSS) vulnerability in the theme login page in Fo ...) NOT-FOR-US: Fortinet FortiADC CVE-2014-8617 (Cross-site scripting (XSS) vulnerability in the Web Action Quarantine ...) NOT-FOR-US: FortiMail CVE-2014-8616 (Multiple cross-site scripting (XSS) vulnerabilities in Fortinet FortiO ...) NOT-FOR-US: Fortinet FortiOS CVE-2014-8615 REJECTED CVE-2014-8614 REJECTED CVE-2014-8613 (The sctp module in FreeBSD 10.1 before p5, 10.0 before p17, 9.3 before ...) [experimental] - kfreebsd-11 11.0~svn284956-1 - kfreebsd-10 10.1~svn274115-2 (bug #776416) - kfreebsd-9 [wheezy] - kfreebsd-9 9.0-10+deb70.8 NOTE: kfreebsd-9/9.0-10+deb70.8 disabled SCTP protocol - kfreebsd-8 [wheezy] - kfreebsd-8 (kfreebsd-8 only a test kernel, can be fixed in a point release) [squeeze] - kfreebsd-8 (kfreebsd-i386/amd64 not supported in Squeeze LTS) NOTE: https://security.freebsd.org/advisories/FreeBSD-SA-15:03.sctp.asc CVE-2014-8612 (Multiple array index errors in the Stream Control Transmission Protoco ...) [experimental] - kfreebsd-11 11.0~svn284956-1 - kfreebsd-10 10.1~svn274115-2 (bug #776415) - kfreebsd-9 [wheezy] - kfreebsd-9 9.0-10+deb70.8 NOTE: kfreebsd-9/9.0-10+deb70.8 disabled SCTP protocol - kfreebsd-8 [wheezy] - kfreebsd-8 (kfreebsd-8 only a test kernel, can be fixed in a point release) [squeeze] - kfreebsd-8 (kfreebsd-i386/amd64 not supported in Squeeze LTS) NOTE: https://security.FreeBSD.org/advisories/FreeBSD-SA-15:02.kmem.asc CVE-2014-8611 (The __sflush function in fflush.c in stdio in libc in FreeBSD 10.1 and ...) NOT-FOR-US: Apple CVE-2014-8610 (AndroidManifest.xml in Android before 5.0.0 does not require the SEND_ ...) NOT-FOR-US: Android CVE-2014-8609 (The addAccount method in src/com/android/settings/accounts/AddAccountS ...) NOT-FOR-US: Android CVE-2014-8608 (The K7Sentry.sys kernel mode driver (aka K7AV Sentry Device Driver) be ...) NOT-FOR-US: K7 Computing CVE-2014-8607 (The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! provides ...) NOT-FOR-US: XCloner plugin for WordPress and Joomla! CVE-2014-8606 (Directory traversal vulnerability in the XCloner plugin 3.1.1 for Word ...) NOT-FOR-US: XCloner plugin for WordPress and Joomla! CVE-2014-8605 (The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! stores da ...) NOT-FOR-US: XCloner plugin for WordPress and Joomla! CVE-2014-8604 (The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! returns t ...) NOT-FOR-US: XCloner plugin for WordPress and Joomla! CVE-2014-8603 (cloner.functions.php in the XCloner plugin 3.1.1 for WordPress and 3.5 ...) NOT-FOR-US: XCloner plugin for WordPress and Joomla! CVE-2014-8602 (iterator.c in NLnet Labs Unbound before 1.5.1 does not limit delegatio ...) {DSA-3097-1 DLA-107-1} - unbound 1.4.22-3 (bug #772622) NOTE: http://www.unbound.net/pipermail/unbound-users/2014-December/003662.html CVE-2014-8601 (PowerDNS Recursor before 3.6.2 does not limit delegation chaining, whi ...) {DSA-3096-1 DLA-104-1} - pdns-recursor 3.6.2-1 NOTE: http://doc.powerdns.com/md/security/powerdns-advisory-2014-02/ NOTE: Backported patches available at https://downloads.powerdns.com/patches/2014-02/ CVE-2014-8600 (Multiple cross-site scripting (XSS) vulnerabilities in KDE-Runtime 4.1 ...) - kde-runtime 4:4.14.2-2 (bug #769632) [wheezy] - kde-runtime (Minor issue) [squeeze] - kdebase-runtime (Minor issue) - webkitkde 1.3.4-2 (unimportant) NOTE: webkitpart: http://quickgit.kde.org/?p=kwebkitpart.git&a=commit&h=641aa7c75631084260ae89aecbdb625e918c6689 NOTE: kde-runtime: http://quickgit.kde.org/?p=kde-runtime.git&a=commit&h=d68703900edc8416fbcd2550cd336cbbb76decb9 NOTE: Upstream advisory: https://www.kde.org/info/security/advisory-20141113-1.txt NOTE: webkit not covered by security support CVE-2014-8599 RESERVED CVE-2014-8597 RESERVED CVE-2014-8596 (Multiple SQL injection vulnerabilities in PHP-Fusion 7.02.07 allow rem ...) NOT-FOR-US: PHP-Fusion CVE-2014-8595 (arch/x86/x86_emulate/x86_emulate.c in Xen 3.2.1 through 4.4.x does not ...) {DSA-3140-1} - xen 4.4.1-4 (bug #770230) [squeeze] - xen (Unsupported in squeeze-lts) CVE-2014-8594 (The do_mmu_update function in arch/x86/mm.c in Xen 4.x through 4.4.x d ...) {DSA-3140-1} - xen 4.4.1-4 (low; bug #770230) [squeeze] - xen (Unsupported in squeeze-lts) CVE-2014-8593 (Multiple cross-site scripting (XSS) vulnerabilities in Allomani Weblin ...) NOT-FOR-US: Allomani Weblinks CVE-2014-8587 (SAPCRYPTOLIB before 5.555.38, SAPSECULIB, and CommonCryptoLib before 8 ...) NOT-FOR-US: SAP NetWeaver CVE-2014-8586 (SQL injection vulnerability in the CP Multi View Event Calendar plugin ...) NOT-FOR-US: WordPress plugin CP Multi View Event Calendar CVE-2014-8585 (Directory traversal vulnerability in the WordPress Download Manager pl ...) NOT-FOR-US: WordPress plugin WordPress Download Manager NOTE: To be REJECTED CVE-2014-8584 (Cross-site scripting (XSS) vulnerability in the Web Dorado Spider Vide ...) NOT-FOR-US: WordPress plugin Web Dorado Spider Video Player (aka WordPress Video Player) CVE-2013-7416 (canto_curses/guibase.py in Canto Curses before 0.9.0 allows remote fee ...) - canto (bug #731582) [wheezy] - canto (Vulnerable code not present) [squeeze] - canto (Vulnerable code not present) CVE-2013-7415 RESERVED CVE-2013-7414 RESERVED CVE-2013-7413 RESERVED CVE-2013-7412 RESERVED CVE-2013-7411 RESERVED CVE-2013-7410 RESERVED CVE-2010-5312 (Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the ...) {DSA-3249-1 DLA-258-1} - jqueryui 1.10.1+dfsg-1 - owncloud (embedded copy, bug #722500, of version 1.10.1, already fixed) NOTE: http://bugs.jqueryui.com/ticket/6016 NOTE: https://github.com/jquery/jquery-ui/commit/7e9060c109b928769a664dbcc2c17bd21231b6f3 CVE-2010-5311 RESERVED CVE-2014-8738 (The _bfd_slurp_extended_name_table function in bfd/archive.c in GNU bi ...) {DSA-3123-2 DSA-3123-1 DLA-184-1} - binutils 2.24.90.20141124-1 - binutils-mingw-w64 5.2 NOTE: Upstream tracker: https://sourceware.org/bugzilla/show_bug.cgi?id=17533 NOTE: Upstream patch: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bb0d867169d7e9743d229804106a8fbcab7f3b3f CVE-2014-8737 (Multiple directory traversal vulnerabilities in GNU binutils 2.24 and ...) {DSA-3123-2 DSA-3123-1 DLA-184-1} - binutils 2.24.90.20141124-1 - binutils-mingw-w64 5.2 NOTE: Upstream tracker: https://sourceware.org/bugzilla/show_bug.cgi?id=17552 NOTE: Upstream patch: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=dd9b91de2149ee81d47f708e7b0bbf57da10ad42 CVE-2014-8732 (Cross-site scripting (XSS) vulnerability in phpMemcachedAdmin 1.2.2 an ...) NOT-FOR-US: phpMemcachedAdmin CVE-2014-8731 (PHPMemcachedAdmin 1.2.2 and earlier allows remote attackers to execute ...) NOT-FOR-US: phpMemcachedAdmin CVE-2014-8716 (The JPEG decoder in ImageMagick before 6.8.9-9 allows local users to c ...) {DLA-960-1 DLA-90-1} - imagemagick 8:6.8.9.9-3 (bug #768494) [squeeze] - imagemagick (Minor issue) NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26456 CVE-2014-8714 (The dissect_write_structured_field function in epan/dissectors/packet- ...) {DSA-3076-1 DLA-198-1} - wireshark 1.12.1+g01b65bf-2 (bug #769410) NOTE: https://www.wireshark.org/security/wnpa-sec-2014-23.html NOTE: Versions 1.12.0 to 1.12.1, and 1.10.0 to 1.10.10. It is fixed in versions 1.12.2 and 1.10.11. CVE-2014-8713 (Stack-based buffer overflow in the build_expert_data function in epan/ ...) {DSA-3076-1 DLA-198-1} - wireshark 1.12.1+g01b65bf-2 (bug #769410) NOTE: https://www.wireshark.org/security/wnpa-sec-2014-22.html NOTE: Versions 1.12.0 to 1.12.1, and 1.10.0 to 1.10.10. It is fixed in versions 1.12.2 and 1.10.11. CVE-2014-8712 (The build_expert_data function in epan/dissectors/packet-ncp2222.inc i ...) {DSA-3076-1 DLA-198-1} - wireshark 1.12.1+g01b65bf-2 (bug #769410) NOTE: https://www.wireshark.org/security/wnpa-sec-2014-22.html NOTE: Versions 1.12.0 to 1.12.1, and 1.10.0 to 1.10.10. It is fixed in versions 1.12.2 and 1.10.11. CVE-2014-8711 (Multiple integer overflows in epan/dissectors/packet-amqp.c in the AMQ ...) {DSA-3076-1 DLA-198-1} - wireshark 1.12.1+g01b65bf-2 (bug #769410) NOTE: https://www.wireshark.org/security/wnpa-sec-2014-21.html NOTE: Versions 1.12.0 to 1.12.1, and 1.10.0 to 1.10.10. It is fixed in versions 1.12.2 and 1.10.11. CVE-2014-8710 (The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the ...) {DSA-3076-1 DLA-198-1} - wireshark 1.12.1+g01b65bf-2 (bug #769410) NOTE: https://www.wireshark.org/security/wnpa-sec-2014-20.html NOTE: Versions 1.10.0 to 1.10.10. It is fixed in versions 1.12.2 and 1.10.11. CVE-2014-8709 (The ieee80211_fragment function in net/mac80211/tx.c in the Linux kern ...) {DLA-118-1} - linux 3.14.2-1 [wheezy] - linux 3.2.57-1 - linux-2.6 NOTE: Fixed by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=338f977f4eb441e69bb9a46eaa0ac715c931a67f (v3.14-rc3) NOTE: Introduced by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2de8e0d999b8790861cd3749bec2236ccc1c8110 (v2.6.30-rc1) CVE-2014-8650 (python-requests-Kerberos through 0.5 does not handle mutual authentica ...) - python-requests-kerberos 0.5-2 (bug #768408) NOTE: https://github.com/requests/requests-kerberos/pull/36 NOTE: request adding https://github.com/mkomitee/requests-kerberos/commit/9c1e08cc17bb6950455a85d33d391ecd2bce6eb6 CVE-2014-8628 (Memory leak in PolarSSL before 1.2.12 and 1.3.x before 1.3.9 allows re ...) {DSA-3116-1 DLA-129-1} - polarssl 1.3.9-1 NOTE: Cf. https://bugzilla.redhat.com/show_bug.cgi?id=1159845#c5 and following. NOTE: Patch for 1.2.x: https://github.com/polarssl/polarssl/commit/6b440389136afbcb0d831f880176c830bd3e0c7c NOTE: Version 1.2.11 also brings other security-relevant fixes. Maybe update to new upstream version? CVE-2014-8627 (PolarSSL 1.3.8 does not properly negotiate the signature algorithm to ...) - polarssl 1.3.9-1 [wheezy] - polarssl (Problem introduced in 1.3.8) [squeeze] - polarssl (Problem introduced in 1.3.8) CVE-2014-8626 (Stack-based buffer overflow in the date_from_ISO8601 function in ext/x ...) - php5 5.2.9.dfsg.1-1 NOTE: https://bugs.php.net/bug.php?id=45226 NOTE: http://git.php.net/?p=php-src.git;a=commit;h=c818d0d01341907fee82bdb81cab07b7d93bb9db CVE-2014-8625 (Multiple format string vulnerabilities in the parse_error_msg function ...) - dpkg 1.17.22 (unimportant; bug #768485) [wheezy] - dpkg 1.16.16 [squeeze] - dpkg (Regression introduced in 1.16.2) NOTE: Rendered non-exploitable by toolchain hardening NOTE: https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/1389135 NOTE: Regression introduced with https://anonscm.debian.org/cgit/dpkg/dpkg.git/commit/?id=0b8652b226a7601dfd71471797d15168a7337242 (1.16.2) CVE-2014-8598 (The XML Import/Export plugin in MantisBT 1.2.x does not restrict acces ...) {DSA-3120-1} - mantis [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: https://github.com/mantisbt/mantisbt/commit/80a15487 NOTE: http://www.mantisbt.org/bugs/view.php?id=17780 CVE-2014-8592 (Unspecified vulnerability in SAP Host Agent, as used in SAP NetWeaver ...) NOT-FOR-US: SAP NetWeaver CVE-2014-8591 (Unspecified vulnerability in SAP Internet Communication Manager (ICM), ...) NOT-FOR-US: SAP NetWeaver CVE-2014-8590 (XML external entity (XXE) vulnerability in the Web Service Navigator i ...) NOT-FOR-US: SAP NetWeaver Application Server CVE-2014-8589 (Integer overflow in SAP Network Interface Router (SAProuter) 40.4 allo ...) NOT-FOR-US: SAP Network Interface Router CVE-2014-8588 (SQL injection vulnerability in metadata.xsjs in SAP HANA 1.00.60.37937 ...) NOT-FOR-US: SAP HANA CVE-2014-8581 RESERVED CVE-2014-8580 (Citrix NetScaler Application Delivery Controller and NetScaler Gateway ...) NOT-FOR-US: Citrix Netscaler CVE-2014-8579 (TRENDnet TEW-823DRU devices with firmware before 1.00b36 have a hardco ...) NOT-FOR-US: TRENDnet TEW-823DRU devices CVE-2014-8578 (Cross-site scripting (XSS) vulnerability in the Groups panel in OpenSt ...) - horizon 2014.1.1-3 [wheezy] - horizon (Vulnerable code not present) NOTE: this was split from CVE-2014-3475 by MITRE CVE-2014-8577 (Multiple cross-site scripting (XSS) vulnerabilities in Croogo before 2 ...) NOT-FOR-US: Croogo CVE-2014-8576 REJECTED CVE-2014-8575 REJECTED CVE-2014-8574 REJECTED CVE-2014-8573 REJECTED CVE-2014-8572 (Huawei AC6605 with software V200R001C00; AC6605 with software V200R002 ...) NOT-FOR-US: Huawei CVE-2014-8571 (Apps on Huawei Ascend P6 mobile phones with software EDGE-U00 V100R001 ...) NOT-FOR-US: Huawei CVE-2014-8570 (Huawei S9300, S9303, S9306, S9312 with software V100R002; S7700, S7703 ...) NOT-FOR-US: Huawei CVE-2014-8569 RESERVED CVE-2014-8568 RESERVED CVE-2014-8565 REJECTED CVE-2014-8564 (The _gnutls_ecc_ansi_x963_export function in gnutls_ecc.c in GnuTLS 3. ...) - gnutls28 3.3.8-4 (bug #769154) - gnutls26 (Vulnerable code not present; no support for ECC) NOTE: https://gitlab.com/gnutls/gnutls/commit/e821e1908686657a45c1b735f6d077b7a8493e2b (3.3.x branch) NOTE: http://www.gnutls.org/security.html#GNUTLS-SA-2014-5 NOTE: in experimental fixed in 3.3.10-1 CVE-2014-8563 (Synacor Zimbra Collaboration before 8.0.9 allows plaintext command inj ...) NOT-FOR-US: Synacor Zimbra Collaboration CVE-2014-8560 RESERVED CVE-2014-8558 (JExperts Channel Platform 5.0.33_CCB allows remote authenticated users ...) NOT-FOR-US: JExperts Tecnologia Channel Software CVE-2014-8557 (Multiple cross-site scripting (XSS) vulnerabilities in JExperts Channe ...) NOT-FOR-US: JExperts Tecnologia Channel Software CVE-2014-8556 RESERVED CVE-2014-8555 (Directory traversal vulnerability in report/reportViewAction.jsp in Pr ...) NOT-FOR-US: Progress Software OpenEdge CVE-2014-8553 (The mci_account_get_array_by_id function in api/soap/mc_account_api.ph ...) {DSA-3120-1} - mantis [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: https://www.mantisbt.org/bugs/view.php?id=17243 (currently private) NOTE: https://github.com/mantisbt/mantisbt/commit/f779e3d4394a0638d822849863c4098421d911c5 CVE-2014-8552 (The WinCC server in Siemens SIMATIC WinCC 7.0 through SP3, 7.2 before ...) NOT-FOR-US: Siemens CVE-2014-8551 (The WinCC server in Siemens SIMATIC WinCC 7.0 through SP3, 7.2 before ...) NOT-FOR-US: Siemens CVE-2014-8550 RESERVED CVE-2014-8549 (libavcodec/on2avc.c in FFmpeg before 2.4.2 does not constrain the numb ...) - ffmpeg 7:2.4.3-1 [squeeze] - ffmpeg (Vulnerable code not present) - libav 6:11.2-1 (bug #773626) [wheezy] - libav (Vulnerable code not present) NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=550f3e9df3410b3dd975e590042c0d83e20a8da3 NOTE: libav: https://git.libav.org/?p=libav.git;a=commit;h=cee4490b521fd0d02476d46aa2598af24fb8d686 CVE-2014-8548 (Off-by-one error in libavcodec/smc.c in FFmpeg before 2.4.2 allows rem ...) {DSA-3189-1} - ffmpeg 7:2.4.3-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:11.2-1 (bug #773626) NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=c727401aa9d62335e89d118a5b4e202edf39d905 NOTE: libav: https://git.libav.org/?p=libav.git;a=commit;h=d423dd72be451462c6fb1cbbe313bed0194001ab CVE-2014-8547 (libavcodec/gifdec.c in FFmpeg before 2.4.2 does not properly compute i ...) {DSA-3189-1} - ffmpeg 7:2.4.3-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:11.2-1 (bug #773626) NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=8f1457864be8fb9653643519dea1c6492f1dde57 NOTE: libav: https://git.libav.org/?p=libav.git;a=commit;h=0b39ac6f54505a538c21fe49a626de94c518c903 CVE-2014-8546 (Integer underflow in libavcodec/cinepak.c in FFmpeg before 2.4.2 allow ...) - ffmpeg 7:2.4.3-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav (Vulnerable code not present, reproducer tested with 8, 11 and trunk) NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=e7e5114c506957f40aafd794e06de1a7e341e9d5 CVE-2014-8545 (libavcodec/pngdec.c in FFmpeg before 2.4.2 accepts the monochrome-blac ...) - ffmpeg 7:2.4.3-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav (Vulnerable code not present) NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=3e2b745020c2dbf0201fe7df3dad9e7e0b2e1bb6 CVE-2014-8544 (libavcodec/tiff.c in FFmpeg before 2.4.2 does not properly validate bi ...) {DSA-3189-1} - ffmpeg 7:2.4.3-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:11.3-1 (bug #773626) NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=e1c0cfaa419aa5d320540d5a1b3f8fd9b82ab7e5 NOTE: libav: https://git.libav.org/?p=libav.git;a=commit;h=ae5e1f3d663a8c9a532d89e588cbc61f171c9186 CVE-2014-8543 (libavcodec/mmvideo.c in FFmpeg before 2.4.2 does not consider all line ...) {DSA-3189-1} - ffmpeg 7:2.4.3-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:11.2-1 (bug #773626) NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=8b0e96e1f21b761ca15dbb470cd619a1ebf86c3e NOTE: libav: https://git.libav.org/?p=libav.git;a=commit;h=17ba719d9ba30c970f65747f42d5fbb1e447ca28 CVE-2014-8542 (libavcodec/utils.c in FFmpeg before 2.4.2 omits a certain codec ID dur ...) {DLA-1654-1} - ffmpeg 7:2.4.3-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:11.2-1 (bug #773626) [wheezy] - libav (Vulnerable code not present) NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=105654e376a736d243aef4a1d121abebce912e6b NOTE: libav: https://git.libav.org/?p=libav.git;a=commit;h=88626e5af8d006e67189bf10b96b982502a7e8ad CVE-2014-8541 (libavcodec/mjpegdec.c in FFmpeg before 2.4.2 considers only dimension ...) - ffmpeg 7:2.4.3-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:11.2-1 (bug #773626) [wheezy] - libav (Vulnerable code not present) NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=5c378d6a6df8243f06c87962b873bd563e58cd39 NOTE: libav: https://git.libav.org/?p=libav.git;a=commit;h=809c3023b699c54c90511913d3b6140dd2436550 CVE-2014-8539 (Cross-site scripting (XSS) vulnerability in Simple Email Form 1.8.5 an ...) NOT-FOR-US: Simple Email CVE-2013-7409 (Buffer overflow in ALLPlayer 5.6.2 through 5.8.1 allows remote attacke ...) NOT-FOR-US: ALLPlayer CVE-2014-8651 (The KDE Clock KCM policykit helper in kde-workspace before 4.11.14 and ...) - kde-workspace 4:4.11.13-2 (unimportant) NOTE: https://projects.kde.org/projects/kde/kde-workspace/repository/diff?rev=54d0bfb5effff9c8cf60da890b7728cbe36a454e&rev_to=fd2aa9deed44fad6107625ad7360157fea7296f6 NOTE: On Debian changing the clock requires authentication, so it's not exploitable NOTE: in the standard setup CVE-2014-8583 (mod_wsgi before 4.2.4 for Apache, when creating a daemon process group ...) - mod-wsgi 4.2.7-1 [wheezy] - mod-wsgi (Minor issue) [squeeze] - mod-wsgi (Minor issue) NOTE: https://github.com/GrahamDumpleton/mod_wsgi/commit/545354a80b9cc20d8b6916ca30542eab36c3b8bd CVE-2014-8582 (FortiNet FortiADC-E with firmware 3.1.1 before 4.0.5 and Coyote Point ...) NOT-FOR-US: FortiNet FortiADC-E CVE-2014-8567 (The mod_auth_mellon module before 0.8.1 allows remote attackers to cau ...) - libapache2-mod-auth-mellon 0.9.0 CVE-2014-8566 (The mod_auth_mellon module before 0.8.1 allows remote attackers to obt ...) - libapache2-mod-auth-mellon 0.9.1 CVE-2014-8554 (SQL injection vulnerability in the mc_project_get_attachments function ...) {DSA-3120-1} - mantis [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: http://www.mantisbt.org/bugs/view.php?id=17812 NOTE: http://github.com/mantisbt/mantisbt/commit/99ffb0af (1.2.x branch) NOTE: http://github.com/mantisbt/mantisbt/commit/5faf97ab (master) CVE-2014-8540 (The groups API in GitLab 6.x and 7.x before 7.4.3 allows remote authen ...) - gitlab (Fixed before initial upload to Debian) CVE-2014-8538 (The Hijab Modern (aka com.Aisyaidea.HijabModern) application 1.0 for A ...) NOT-FOR-US: Hijab Modern (aka com.Aisyaidea.HijabModern) application for Android CVE-2014-8537 (McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local u ...) NOT-FOR-US: McAfee CVE-2014-8536 (McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local u ...) NOT-FOR-US: McAfee CVE-2014-8535 (McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local u ...) NOT-FOR-US: McAfee CVE-2014-8534 (Unspecified vulnerability in the login form in McAfee Network Data Los ...) NOT-FOR-US: McAfee CVE-2014-8533 (McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote at ...) NOT-FOR-US: McAfee CVE-2014-8532 (Unspecified vulnerability in McAfee Network Data Loss Prevention befor ...) NOT-FOR-US: McAfee CVE-2014-8531 (The TLS/SSL Server in McAfee Network Data Loss Prevention (NDLP) befor ...) NOT-FOR-US: McAfee CVE-2014-8530 (Unspecified vulnerability in McAfee Network Data Loss Prevention (NDLP ...) NOT-FOR-US: McAfee CVE-2014-8529 (McAfee Network Data Loss Prevention (NDLP) before 9.3 stores the SSH k ...) NOT-FOR-US: McAfee CVE-2014-8528 (McAfee Network Data Loss Prevention (NDLP) before 9.3 logs session IDs ...) NOT-FOR-US: McAfee CVE-2014-8527 (McAfee Network Data Loss Prevention (NDLP) before 9.3 allows local use ...) NOT-FOR-US: McAfee CVE-2014-8526 (McAfee Network Data Loss Prevention (NDLP) before 9.3 allows local use ...) NOT-FOR-US: McAfee CVE-2014-8525 (McAfee Network Data Loss Prevention (NDLP) before 9.3 does not include ...) NOT-FOR-US: McAfee CVE-2014-8524 (McAfee Network Data Loss Prevention (NDLP) before 9.3 does not disable ...) NOT-FOR-US: McAfee CVE-2014-8523 (Cross-site request forgery (CSRF) vulnerability in McAfee Network Data ...) NOT-FOR-US: McAfee CVE-2014-8522 (The MySQL database in McAfee Network Data Loss Prevention (NDLP) befor ...) NOT-FOR-US: McAfee CVE-2014-8521 (Cross-site scripting (XSS) vulnerability in McAfee Network Data Loss P ...) NOT-FOR-US: McAfee CVE-2014-8520 (McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote at ...) NOT-FOR-US: McAfee CVE-2014-8519 (Unspecified vulnerability in McAfee Network Data Loss Prevention (NDLP ...) NOT-FOR-US: McAfee CVE-2014-8518 (The (1) Removable Media and (2) CD and DVD encryption offsite access o ...) NOT-FOR-US: McAfee CVE-2014-8516 (Unrestricted file upload vulnerability in Visual Mining NetCharts Serv ...) NOT-FOR-US: Visual Mining NetCharts Server CVE-2014-8515 (The web interface in BitTorrent allows remote attackers to execute arb ...) NOT-FOR-US: uTorrent CVE-2014-8514 (Buffer overflow in an ActiveX control in MDraw30.ocx in Schneider Elec ...) NOT-FOR-US: Schneider Electric ProClima CVE-2014-8513 (Buffer overflow in an ActiveX control in MDraw30.ocx in Schneider Elec ...) NOT-FOR-US: Schneider Electric ProClima CVE-2014-8512 (Buffer overflow in an ActiveX control in Atx45.ocx in Schneider Electr ...) NOT-FOR-US: Schneider Electric ProClima CVE-2014-8511 (Buffer overflow in an ActiveX control in Atx45.ocx in Schneider Electr ...) NOT-FOR-US: Schneider Electric ProClima CVE-2014-8510 (The AdminUI in Trend Micro InterScan Web Security Virtual Appliance (I ...) NOT-FOR-US: Trend Micro InterScan Web Security Virtual Appliance CVE-2014-8509 (The lazy_bdecode function in BitTorrent bootstrap-dht (aka Bootstrap) ...) NOT-FOR-US: BitTorrent bootstrap-dht (aka Bootstrap) CVE-2014-8508 (Cross-site scripting (XSS) vulnerability in s_network.asp in the Denon ...) NOT-FOR-US: Denon devices CVE-2014-8507 (Multiple SQL injection vulnerabilities in the queryLastApp method in p ...) NOT-FOR-US: Android CVE-2014-8506 (Multiple SQL injection vulnerabilities in Etiko CMS allow remote attac ...) NOT-FOR-US: Etiko CMS CVE-2014-8505 (Multiple cross-site scripting (XSS) vulnerabilities in Etiko CMS allow ...) NOT-FOR-US: Etiko CMS CVE-2014-8504 (Stack-based buffer overflow in the srec_scan function in bfd/srec.c in ...) {DSA-3123-2 DSA-3123-1 DLA-184-1} - binutils 2.24.90.20141104-1 - binutils-mingw-w64 5.2 NOTE: http://openwall.com/lists/oss-security/2014/10/27/4 NOTE: http://openwall.com/lists/oss-security/2014/10/27/5 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=17510#c7 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=17510#c8 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=708d7d0d11f0f2d776171979aa3479e8e12a38a0 CVE-2014-8503 (Stack-based buffer overflow in the ihex_scan function in bfd/ihex.c in ...) {DSA-3123-2 DSA-3123-1 DLA-184-1} - binutils 2.24.90.20141104-1 - binutils-mingw-w64 5.2 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=17512#c33 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=17512#c34 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0102ea8cec5fc509bba6c91df61b7ce23a799d32 CVE-2014-8502 (Heap-based buffer overflow in the pe_print_edata function in bfd/peXXi ...) {DSA-3123-2 DSA-3123-1 DLA-184-1} - binutils 2.24.90.20141104-1 - binutils-mingw-w64 5.2 NOTE: See https://sourceware.org/bugzilla/show_bug.cgi?id=17512#c17 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5a4b0ccc20ba30caef53b01bee2c0aaa5b855339 CVE-2014-8501 (The _bfd_XXi_swap_aouthdr_in function in bfd/peXXigen.c in GNU binutil ...) {DSA-3123-2 DSA-3123-1 DLA-184-1} - binutils 2.24.90.20141104-1 - binutils-mingw-w64 5.2 - gdb (unimportant) NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7e1e19887abd24aeb15066b141cdff5541e0ec8e CVE-2014-8500 (ISC BIND 9.0.x through 9.8.x, 9.9.0 through 9.9.6, and 9.10.0 through ...) {DSA-3094-1 DLA-112-1} - bind9 1:9.9.5.dfsg-7 (bug #772610) NOTE: https://kb.isc.org/article/AA-01216/0 CVE-2014-8499 (Multiple SQL injection vulnerabilities in ManageEngine Password Manage ...) NOT-FOR-US: ManageEngine Password Manager Pro (PMP) CVE-2014-8498 (SQL injection vulnerability in BulkEditSearchResult.cc in ManageEngine ...) NOT-FOR-US: ManageEngine Password Manager Pro (PMP) CVE-2014-8497 RESERVED CVE-2014-8496 (Digicom DG-5514T ADSL router with firmware 3.2 generates predictable s ...) NOT-FOR-US: Digicom Router CVE-2014-8495 (Citrix XenMobile MDX Toolkit before 9.0.4, when used to wrap iOS 8 app ...) NOT-FOR-US: Citrix XenMobile MDX Toolkit CVE-2014-8494 (ESTsoft ALUpdate 8.5.1.0.0 uses weak permissions (Users: Full Control) ...) NOT-FOR-US: ESTsoft ALUpdate CVE-2014-8493 (ZTE ZXHN H108L with firmware 4.0.0d_ZRQ_GR4 allows remote attackers to ...) NOT-FOR-US: ZTE ZXHN H108L CVE-2014-8492 (Multiple cross-site scripting (XSS) vulnerabilities in assets/misc/fal ...) NOT-FOR-US: Wordpress plugin CVE-2014-8491 (The Grand Flagallery plugin before 4.25 for WordPress allows remote at ...) NOT-FOR-US: Grand Flagallery plugin for WordPress CVE-2014-8490 (Cross-site scripting (XSS) vulnerability in TennisConnect COMPONENTS 9 ...) NOT-FOR-US: TennisConnect COMPONENTS CVE-2014-8990 (default-rsyncssh.lua in Lsyncd 2.1.5 and earlier allows remote attacke ...) {DSA-3130-1} - lsyncd 2.1.5-2 (low; bug #767227) [squeeze] - lsyncd (Minor issue) NOTE: https://github.com/axkibe/lsyncd/issues/220 NOTE: Upstream commit: https://github.com/creshal/lsyncd/commit/18f02ad013b41a72753912155ae2ba72f2a53e52 NOTE: also required: https://github.com/axkibe/lsyncd/commit/e9ffda07f0145f50f2756f8ee3fb0775b455122b NOTE: the initial commit would be an incomplete fix and needs additional changes CVE-2014-8559 (The d_walk function in fs/dcache.c in the Linux kernel through 3.17.2 ...) {DSA-3170-1} - linux 3.16.7-ckt4-1 - linux-2.6 (Introduced in 2.6.38) NOTE: References in http://www.openwall.com/lists/oss-security/2014/10/30/7 NOTE: Upstream fix: https://git.kernel.org/linus/ca5358ef75fc69fee5322a38a340f5739d997c10 (v3.19-rc1) NOTE: Upstream fix: https://git.kernel.org/linus/946e51f2bf37f1656916eb75bd0742ba33983c28 (v3.19-rc1) CVE-2014-8517 (The fetch_url function in usr.bin/ftp/fetch.c in tnftp, as used in Net ...) - tnftp 20130505-2 (low; bug #767171) [wheezy] - tnftp (Minor issue) [squeeze] - tnftp (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2014/10/28/4 CVE-2014-9915 (Off-by-one error in ImageMagick before 6.6.0-4 allows remote attackers ...) - imagemagick 8:6.8.9.9-1 (bug #767240) [wheezy] - imagemagick (Vulnerable code not present) [squeeze] - imagemagick (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3 CVE-2014-8355 (PCX parser code in ImageMagick before 6.8.9-9 allows remote attackers ...) {DLA-960-1 DLA-242-1} - imagemagick 8:6.8.9.9-1 (bug #767240) [squeeze] - imagemagick (Minor issue) NOTE: https://int21.de/cve/CVE-2014-8355-pcx-oob-heap-overflow.html - graphicsmagick 1.3.20-3+deb8u1 (bug #778238) [wheezy] - graphicsmagick (Minor issue) [squeeze] - graphicsmagick (Minor issue) NOTE: http://sourceforge.net/p/graphicsmagick/code/ci/4426024497f9ed26cbadc5af5a5de55ac84796ff/ (graphicsmagick) CVE-2014-8562 (DCM decode in ImageMagick before 6.8.9-9 allows remote attackers to ca ...) {DLA-960-1 DLA-242-1} - imagemagick 8:6.8.9.9-1 (bug #767240) [squeeze] - imagemagick (Minor issue) CVE-2014-8354 (The HorizontalFilter function in resize.c in ImageMagick before 6.8.9- ...) {DLA-960-1 DLA-242-1} - imagemagick 8:6.8.9.9-1 [squeeze] - imagemagick (Minor issue) NOTE: https://int21.de/cve/CVE-2014-8354-oob-heap-overflow.html CVE-2014-8561 (imagemagick 6.8.9.6 has remote DOS via infinite loop ...) - imagemagick 8:6.8.9.9-1 (bug #764872) [wheezy] - imagemagick (Vulnerable code introduced later; regression) [squeeze] - imagemagick (Vulnerable code introduced later; regression) CVE-2014-8489 (Open redirect vulnerability in startSSO.ping in the SP Endpoints in Pi ...) NOT-FOR-US: PingFederate SP Endpoints CVE-2014-8488 (Cross-site scripting (XSS) vulnerability in the administrator panel in ...) NOT-FOR-US: yourls CVE-2014-8487 (Kony Management (aka Enterprise Mobile Management or EMM) 1.2 and earl ...) NOT-FOR-US: Kony Management CVE-2014-8486 REJECTED CVE-2014-8482 RESERVED CVE-2014-8479 (The FTP server on Siemens SCALANCE X-300 switches with firmware before ...) NOT-FOR-US: FTP server on Siemens SCALANCE X-300 switches CVE-2014-8478 (The web server on Siemens SCALANCE X-300 switches with firmware before ...) NOT-FOR-US: web server on Siemens SCALANCE X-300 switches CVE-2014-8477 RESERVED CVE-2014-8476 (The setlogin function in FreeBSD 8.4 through 10.1-RC4 does not initial ...) {DSA-3070-1} [experimental] - kfreebsd-11 11.0~svn284956-1 (bug #768109) - kfreebsd-10 10.1~svn274115-1 (bug #768108) - kfreebsd-9 (bug #768104) - kfreebsd-8 (bug #768106) [wheezy] - kfreebsd-8 (kfreebsd-8 only a test kernel, can be fixed in a point release) [squeeze] - kfreebsd-8 (Unsupported in squeeze-lts) NOTE: http://security.FreeBSD.org/advisories/FreeBSD-SA-14:25.setlogin.asc CVE-2014-8475 (FreeBSD 9.1, 9.2, and 10.0, when compiling OpenSSH with Kerberos suppo ...) - openssh (freebsd-specific build system issue) CVE-2014-8474 (CA Cloud Service Management (CSM) before Summer 2014 allows remote att ...) NOT-FOR-US: CA Cloud Service Management CVE-2014-8473 (Cross-site request forgery (CSRF) vulnerability in CA Cloud Service Ma ...) NOT-FOR-US: CA Cloud Service Management CVE-2014-8472 (CA Cloud Service Management (CSM) before Summer 2014 does not properly ...) NOT-FOR-US: CA Cloud Service Management CVE-2014-8471 (CA Cloud Service Management (CSM) before Summer 2014 allows remote att ...) NOT-FOR-US: CA Cloud Service Management CVE-2014-8470 RESERVED CVE-2014-8469 (Cross-site scripting (XSS) vulnerability in Guests/Boots in AdminCP in ...) NOT-FOR-US: PHPFox CVE-2013-7408 (F5 BIG-IP Analytics 11.x before 11.4.0 uses a predictable session cook ...) NOT-FOR-US: F5 BIG-IP Analytics CVE-2010-XXXX [insecure handling of /tmp files in debian/preinst] - riece 8.0.0-1.3 (unimportant; bug #601325) [squeeze] - riece (Minor issue) NOTE: Not exploitable with kernel hardening since wheezy CVE-2014-7401 REJECTED CVE-2014-8483 (The blowfishECB function in core/cipher.cpp in Quassel IRC 0.10.0 allo ...) {DSA-3068-1 DSA-3063-1 DLA-168-1} - quassel 0.10.0-2.1 (bug #766962) [squeeze] - quassel (Problematic code does not exist in 0.6.3-2+squeeze2) NOTE: https://github.com/quassel/quassel/commit/8b5ecd226f9208af3074b33d3b7cf5e14f55b138 NOTE: http://bugs.quassel-irc.org/issues/1314 - konversation 1.5-2 (bug #768191) NOTE: https://bugs.kde.org/show_bug.cgi?id=210792 CVE-2014-8481 (The instruction decoder in arch/x86/kvm/emulate.c in the KVM subsystem ...) - linux (Present in 3.17 with incomplete fix) - linux-2.6 (Present in 3.17 with incomplete fix) NOTE: Fix: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=a430c9166312e1aa3d80bce32374233bdbfeba32 CVE-2014-8480 (The instruction decoder in arch/x86/kvm/emulate.c in the KVM subsystem ...) - linux (Introduced in 3.17) - linux-2.6 (Introduced in 3.17) NOTE: The NULL pointer dereference was introduced in https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=41061cdb98a0bec464278b4db8e894a3121671f5 (v3.17-rc1) NOTE: Fix: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=3f6f1480d86bf9fc16c160d803ab1d006e3058d5 CVE-2014-8485 (The setup_group function in bfd/elf.c in libbfd in GNU binutils 2.24 a ...) {DSA-3123-2 DSA-3123-1 DLA-184-1} - binutils 2.24.90.20141104-1 - binutils-mingw-w64 5.2 NOTE: http://lcamtuf.blogspot.com.au/2014/10/psa-dont-run-strings-on-untrusted-files.html NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=493a33860c71cac998f1a56d6d87d6faa801fbaa NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=17510 CVE-2014-8484 (The srec_scan function in bfd/srec.c in libdbfd in GNU binutils before ...) {DSA-3123-2 DSA-3123-1 DLA-184-1} - binutils 2.24.51.20140903-1 - binutils-mingw-w64 5.2 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=17509 NOTE: Upstream commit: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=bd25671c6f202c4a5108883caa2adb24ff6f361f NOTE: http://openwall.com/lists/oss-security/2014/10/23/5 CVE-2014-8468 RESERVED CVE-2014-8467 RESERVED CVE-2014-8466 RESERVED CVE-2014-8465 RESERVED CVE-2014-8464 RESERVED CVE-2014-8463 RESERVED CVE-2014-8462 RESERVED CVE-2014-8461 (Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 o ...) NOT-FOR-US: Adobe Reader CVE-2014-8460 (Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10. ...) NOT-FOR-US: Adobe Reader CVE-2014-8459 (Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 o ...) NOT-FOR-US: Adobe Reader CVE-2014-8458 (Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 o ...) NOT-FOR-US: Adobe Reader CVE-2014-8457 (Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10. ...) NOT-FOR-US: Adobe Reader CVE-2014-8456 (Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 o ...) NOT-FOR-US: Adobe Reader CVE-2014-8455 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe Reader CVE-2014-8454 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe Reader CVE-2014-8453 (Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 o ...) NOT-FOR-US: Adobe Reader CVE-2014-8452 (Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 o ...) NOT-FOR-US: Adobe Reader CVE-2014-8451 (An unspecified JavaScript API in Adobe Reader and Acrobat 10.x before ...) NOT-FOR-US: Adobe Reader CVE-2014-8450 (Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2014-8449 (Integer overflow in Adobe Reader and Acrobat 10.x before 10.1.13 and 1 ...) NOT-FOR-US: Adobe Reader CVE-2014-8448 (An unspecified JavaScript API in Adobe Reader and Acrobat 10.x before ...) NOT-FOR-US: Adobe Reader CVE-2014-8447 (Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 o ...) NOT-FOR-US: Adobe Reader CVE-2014-8446 (Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 o ...) NOT-FOR-US: Adobe Reader CVE-2014-8445 (Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 o ...) NOT-FOR-US: Adobe Reader CVE-2014-8444 REJECTED CVE-2014-8443 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.259 a ...) NOT-FOR-US: Adobe Flash Player CVE-2014-8442 (Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-8441 (Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-8440 (Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-8439 (Adobe Flash Player before 13.0.0.258 and 14.x and 15.x before 15.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-8438 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.252 a ...) NOT-FOR-US: Adobe Flash Player CVE-2014-8437 (Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-8436 RESERVED CVE-2014-8435 RESERVED CVE-2014-8434 RESERVED CVE-2014-8433 RESERVED CVE-2014-8432 RESERVED CVE-2014-8431 RESERVED CVE-2014-8430 RESERVED CVE-2014-8429 (Cross-site request forgery (CSRF) vulnerability in Xavoc Technocrats x ...) NOT-FOR-US: xEpan CMS CVE-2014-8428 (Privilege escalation vulnerability in Barracuda Load Balancer 5.0.0.01 ...) NOT-FOR-US: Barracuda CVE-2014-8427 RESERVED CVE-2014-8426 (Hard coded weak credentials in Barracuda Load Balancer 5.0.0.015. ...) NOT-FOR-US: Barracuda CVE-2014-8425 (The management portal in ARRIS VAP2500 before FW08.41 allows remote at ...) NOT-FOR-US: Management portal in ARRIS VAP2500 CVE-2014-8424 (ARRIS VAP2500 before FW08.41 does not properly validate passwords, whi ...) NOT-FOR-US: ARRIS VAP2500 CVE-2014-8423 (Unspecified vulnerability in the management portal in ARRIS VAP2500 be ...) NOT-FOR-US: ARRIS VAP2500 CVE-2014-8422 (The web-based management (WBM) interface in Unify (former Siemens) Ope ...) NOT-FOR-US: Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone CVE-2014-8421 (Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone IP V3 de ...) NOT-FOR-US: Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone CVE-2014-8420 (The ViewPoint web application in Dell SonicWALL Global Management Syst ...) NOT-FOR-US: Dell SonicWALL CVE-2014-8419 (Wibu-Systems CodeMeter Runtime before 5.20 uses weak permissions (read ...) NOT-FOR-US: Wibu-Systems CodeMeter Runtime CVE-2014-8418 (The DB dialplan function in Asterisk Open Source 1.8.x before 1.8.32, ...) {DLA-455-1} - asterisk 1:13.1.0~dfsg-1 (bug #771463) [jessie] - asterisk 1:11.13.1~dfsg-2 [squeeze] - asterisk (Unsupported in squeeze-lts) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-24534 NOTE: http://downloads.digium.com/pub/security/AST-2014-018.html CVE-2014-8417 (ConfBridge in Asterisk 11.x before 11.14.1, 12.x before 12.7.1, and 13 ...) - asterisk 1:13.1.0~dfsg-1 (bug #771463) [jessie] - asterisk 1:11.13.1~dfsg-2 [wheezy] - asterisk (Only affects 11.x, 12.x and 13.x) [squeeze] - asterisk (Unsupported in squeeze-lts) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-24490 NOTE: http://downloads.digium.com/pub/security/AST-2014-017.html CVE-2014-8416 (Use-after-free vulnerability in the PJSIP channel driver in Asterisk O ...) - asterisk 1:13.1.0~dfsg-1 [jessie] - asterisk (PJSIP channel not available yet) [wheezy] - asterisk (PJSIP channel not available yet) [squeeze] - asterisk (PJSIP channel not available yet) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-24471 NOTE: http://downloads.digium.com/pub/security/AST-2014-016.html CVE-2014-8415 (Race condition in the chan_pjsip channel driver in Asterisk Open Sourc ...) - asterisk 1:13.1.0~dfsg-1 [jessie] - asterisk (PJSIP channel not available yet) [wheezy] - asterisk (PJSIP channel not available yet) [squeeze] - asterisk (PJSIP channel not available yet) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-24471 NOTE: http://downloads.digium.com/pub/security/AST-2014-015.html CVE-2014-8414 (ConfBridge in Asterisk 11.x before 11.14.1 and Certified Asterisk 11.6 ...) - asterisk 1:13.1.0~dfsg-1 (bug #771463) [jessie] - asterisk 1:11.13.1~dfsg-2 [wheezy] - asterisk (Only affects 11.x) [squeeze] - asterisk (Unsupported in squeeze-lts) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-24440 NOTE: http://downloads.digium.com/pub/security/AST-2014-014.html CVE-2014-8413 (The res_pjsip_acl module in Asterisk Open Source 12.x before 12.7.1 an ...) - asterisk 1:13.1.0~dfsg-1 [jessie] - asterisk (PJSIP channel not available yet) [wheezy] - asterisk (PJSIP channel not available yet) [squeeze] - asterisk (PJSIP channel not available yet) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-24531 NOTE: http://downloads.digium.com/pub/security/AST-2014-013.html CVE-2014-8412 (The (1) VoIP channel drivers, (2) DUNDi, and (3) Asterisk Manager Inte ...) {DLA-455-1} - asterisk 1:13.1.0~dfsg-1 (bug #771463) [jessie] - asterisk 1:11.13.1~dfsg-2 [squeeze] - asterisk (Unsupported in squeeze-lts) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-24469 NOTE: http://downloads.digium.com/pub/security/AST-2014-012.html CVE-2014-8411 RESERVED CVE-2014-8410 RESERVED CVE-2014-8409 RESERVED CVE-2014-8408 RESERVED CVE-2014-8407 RESERVED CVE-2014-8406 RESERVED CVE-2014-8405 RESERVED CVE-2014-8404 RESERVED CVE-2014-8403 RESERVED CVE-2014-8402 RESERVED CVE-2014-8401 RESERVED CVE-2014-8400 RESERVED CVE-2014-8398 (Multiple untrusted search path vulnerabilities in Corel FastFlick allo ...) NOT-FOR-US: Corel FastFlick CVE-2014-8397 (Untrusted search path vulnerability in Corel VideoStudio PRO X7 or Fas ...) NOT-FOR-US: Corel CVE-2014-8396 (Untrusted search path vulnerability in Corel PDF Fusion allows local u ...) NOT-FOR-US: Corel PDF Fusion CVE-2014-8395 (Untrusted search path vulnerability in Corel Painter 2015 allows local ...) NOT-FOR-US: Corel Painter CVE-2014-8394 (Multiple untrusted search path vulnerabilities in Corel CAD 2014 allow ...) NOT-FOR-US: Corel CAD CVE-2014-8393 (DLL Hijacking vulnerability in CorelDRAW X7, Corel Photo-Paint X7, Cor ...) NOT-FOR-US: Corel CVE-2014-8392 RESERVED CVE-2014-8391 (The Web interface in Sendio before 7.2.4 does not properly handle sess ...) NOT-FOR-US: Sendio CVE-2014-8390 (Multiple buffer overflows in Schneider Electric VAMPSET before 2.2.168 ...) NOT-FOR-US: Schneider Electric CVE-2014-8389 (cgi-bin/mft/wireless_mft.cgi in AirLive BU-2015 with firmware 1.03.18 ...) NOT-FOR-US: AirLive CVE-2014-8388 (Stack-based buffer overflow in Advantech WebAccess, formerly BroadWin ...) NOT-FOR-US: Advantech WebAccess CVE-2014-8387 (cgi/utility.cgi in Advantech EKI-6340 2.05 Wi-Fi Mesh Access Point all ...) NOT-FOR-US: Advantech EKI-6340 CVE-2014-8386 (Multiple stack-based buffer overflows in Advantech AdamView 4.3 and ea ...) NOT-FOR-US: Advantech AdamView CVE-2014-8385 (Buffer overflow on Advantech EKI-1200 gateways with firmware before 1. ...) NOT-FOR-US: Advantech EKI-1200 gateways CVE-2014-8384 (The InFocus IN3128HD projector with firmware 0.26 does not restrict ac ...) NOT-FOR-US: InFocus IN3128HD projector CVE-2014-8383 (The InFocus IN3128HD projector with firmware 0.26 allows remote attack ...) NOT-FOR-US: InFocus IN3128HD projector CVE-2014-8382 RESERVED CVE-2014-8381 (Multiple cross-site scripting (XSS) vulnerabilities in Megapolis.Porta ...) NOT-FOR-US: Megapolis.Portal Manager CVE-2014-8380 (Cross-site scripting (XSS) vulnerability in Splunk 6.1.1 allows remote ...) NOT-FOR-US: Splunk CVE-2014-8379 (Multiple cross-site scripting (XSS) vulnerabilities in the Marketo MA ...) NOT-FOR-US: Drupal module Marketo MA CVE-2014-8378 (Cross-site scripting (XSS) vulnerability in the TableField module 7.x- ...) NOT-FOR-US: Drupal module TableField CVE-2014-8377 (Cross-site scripting (XSS) vulnerability in Webasyst Shop-Script 5.2.2 ...) NOT-FOR-US: Webasyst Shop-Script CVE-2014-8376 (Cross-site scripting (XSS) vulnerability in the context administration ...) NOT-FOR-US: Drupal module Site Banner CVE-2014-8375 (SQL injection vulnerability in GBgallery.php in the GB Gallery Slidesh ...) NOT-FOR-US: WordPress plugin GB Gallery Slideshow CVE-2014-8374 REJECTED CVE-2014-8373 (The VMware Remote Console (VMRC) function in VMware vCloud Automation ...) NOT-FOR-US: VMware vCloud Automation Center CVE-2014-8372 (AirWatch by VMware On-Premise 7.3.x before 7.3.3.0 (FP3) allows remote ...) NOT-FOR-US: VMware AirWatch CVE-2014-8371 (VMware vCenter Server Appliance (vCSA) 5.5 before Update 2, 5.1 before ...) NOT-FOR-US: VMware vSphere CVE-2014-8370 (VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, ...) NOT-FOR-US: VMware CVE-2014-8369 (The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kern ...) {DSA-3093-1} - linux 3.16.7-ckt2-1 - linux-2.6 (Incomplete fix for CVE-2014-3601 was not applied) NOTE: Introduced by http://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=350b8bdd689cd2ab2c67c8a86a0be86cfa0751a7 NOTE: Fixed by: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=3d32e4dbe71374a6780eaf51d719d76f9a9bf22f CVE-2014-8368 (The web interface in Aruba Networks AirWave before 7.7.14 and 8.x befo ...) NOT-FOR-US: Aruba Networks AirWave CVE-2014-8367 (SQL injection vulnerability in Aruba Networks ClearPass Policy Manager ...) NOT-FOR-US: Aruba Networks ClearPass Policy Manager CVE-2014-8366 (SQL injection vulnerability in openSIS 4.5 through 5.3 allows remote a ...) NOT-FOR-US: openSIS CVE-2014-8365 (Multiple cross-site scripting (XSS) vulnerabilities in Xornic Contact ...) NOT-FOR-US: Xornic Contact Us Form CVE-2014-8364 (Cross-site scripting (XSS) vulnerability in ss_handler.php in the Word ...) NOT-FOR-US: WordPress plugin wpSS CVE-2014-8363 (SQL injection vulnerability in ss_handler.php in the WordPress Spreads ...) NOT-FOR-US: WordPress plugin wpSS CVE-2014-8362 (Vivint Sky Control Panel 1.1.1.9926 allows remote attackers to enable ...) NOT-FOR-US: Vivint Sky Control Panel CVE-2014-8361 (The miniigd SOAP service in Realtek SDK allows remote attackers to exe ...) NOT-FOR-US: Realtek SDK CVE-2014-8360 (Directory traversal vulnerability in inc/autoload.function.php in GLPI ...) - glpi (unimportant) NOTE: Only supported behind an authenticated HTTP zone NOTE: original bug: https://forge.indepnet.net/issues/5101 NOTE: followup: https://forge.indepnet.net/issues/5113 NOTE: appears to be a generic autoloading abuse; possibly with NOTE: some use of simplepie being the attack vector CVE-2014-8359 (Untrusted search path vulnerability in Huawei Mobile Partner for Windo ...) NOT-FOR-US: Huawei Mobile Partner for Windows CVE-2014-8358 (Huawei EC156, EC176, and EC177 USB Modem products with software before ...) NOT-FOR-US: Huawei CVE-2014-8357 (backupsettings.html in the web administrative portal in Zhone zNID GPO ...) NOT-FOR-US: ZHONE Router CVE-2014-8356 (The web administrative portal in Zhone zNID 2426A before S3.0.501 allo ...) NOT-FOR-US: ZHONE Router CVE-2014-8353 RESERVED CVE-2014-8352 (Cross-site scripting (XSS) vulnerability in json.php in French Nationa ...) NOT-FOR-US: CookieViz CVE-2014-8351 (SQL injection vulnerability in info.php in French National Commission ...) NOT-FOR-US: CookieViz CVE-2014-8349 (Cross-site scripting (XSS) vulnerability in Liferay Portal Enterprise ...) NOT-FOR-US: Liferay Portal CVE-2014-8348 RESERVED CVE-2014-8347 (An Authentication Bypass vulnerability exists in the MatchPasswordData ...) NOT-FOR-US: Filemaker CVE-2014-8346 (The Remote Controls feature on Samsung mobile devices does not validat ...) NOT-FOR-US: Samsung mobile devices CVE-2014-8345 RESERVED CVE-2014-8344 RESERVED CVE-2014-8343 RESERVED CVE-2014-8342 RESERVED CVE-2014-8341 RESERVED CVE-2014-8340 (SQL injection vulnerability in Php/Functions/log_function.php in phpTr ...) NOT-FOR-US: phpTrafficA CVE-2014-8339 (SQL injection vulnerability in midroll.php in Nuevolab Nuevoplayer for ...) NOT-FOR-US: Nuevolabs Nuevoplayer for clipshare CVE-2014-8338 (Cross-site scripting (XSS) vulnerability in vwrooms/js/jsor-jcarousel/ ...) NOT-FOR-US: VideoWhisper Webcam plugins for Drupal CVE-2014-8337 (Unrestricted file upload vulnerability in includes/classes/uploadify-v ...) NOT-FOR-US: HelpDEZk CVE-2014-8336 (The "Sql Run Query" panel in WP-DBManager (aka Database Manager) plugi ...) NOT-FOR-US: WP-DBManager plugin for WordPress CVE-2014-8335 ((1) wp-dbmanager.php and (2) database-manage.php in the WP-DBManager ( ...) NOT-FOR-US: WP-DBManager (aka Database Manager) plugin for WordPress CVE-2014-8334 (The WP-DBManager (aka Database Manager) plugin before 2.7.2 for WordPr ...) NOT-FOR-US: WordPress plugin wp-dbmanager CVE-2014-8332 RESERVED CVE-2014-8331 (Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei H ...) NOT-FOR-US: Huawei HiLink CVE-2014-8330 (Cross-site scripting (XSS) vulnerability in EspoCRM allows remote auth ...) NOT-FOR-US: EspoCRM CVE-2014-8329 (Schrack Technik microControl with firmware before 1.7.0 (937) stores s ...) NOT-FOR-US: Schrack Technik microControl CVE-2014-8324 (network.c in Aircrack-ng before 1.2 Beta 3 allows remote attackers to ...) - aircrack-ng 1:1.2-0~beta3-2 (bug #767979) NOTE: https://github.com/aircrack-ng/aircrack-ng/commit/88702a3ce4c28a973bf69023cd0312f412f6193e NOTE: https://github.com/aircrack-ng/aircrack-ng/pull/16 CVE-2014-8323 (buddy-ng.c in Aircrack-ng before 1.2 Beta 3 allows remote attackers to ...) - aircrack-ng 1:1.2-0~beta3-2 (bug #767979) NOTE: https://github.com/aircrack-ng/aircrack-ng/commit/da087238963c1239fdabd47dc1b65279605aca70 NOTE: https://github.com/aircrack-ng/aircrack-ng/pull/15 CVE-2014-8322 (Stack-based buffer overflow in the tcp_test function in aireplay-ng.c ...) - aircrack-ng 1:1.2-0~beta3-2 (bug #767979) NOTE: https://github.com/aircrack-ng/aircrack-ng/commit/091b153f294b9b695b0b2831e65936438b550d7b NOTE: https://github.com/aircrack-ng/aircrack-ng/pull/14 CVE-2014-8321 (Stack-based buffer overflow in the gps_tracker function in airodump-ng ...) - aircrack-ng 1:1.2-0~beta3-2 (bug #767979) NOTE: https://github.com/aircrack-ng/aircrack-ng/commit/ff70494dd389ba570dbdbf36f217c28d4381c6b5 NOTE: https://github.com/aircrack-ng/aircrack-ng/pull/13 CVE-2014-8320 (Cross-site scripting (XSS) vulnerability in the Custom Search module 6 ...) NOT-FOR-US: Drupal module Custom Search CVE-2014-8319 (Cross-site scripting (XSS) vulnerability in the easy_social_admin_summ ...) NOT-FOR-US: Drupal module Easy Social CVE-2014-8318 (Cross-site scripting (XSS) vulnerability in the Webform module 6.x-3.x ...) NOT-FOR-US: Drupal module Webform CVE-2014-8317 (Cross-site scripting (XSS) vulnerability in the Webform Validation mod ...) NOT-FOR-US: Drupal module Webform Validation CVE-2013-7407 (Cross-site request forgery (CSRF) vulnerability in the MRBS module for ...) NOT-FOR-US: Drupal module MRBS CVE-2013-7406 (SQL injection vulnerability in the MRBS module for Drupal allows remot ...) NOT-FOR-US: Drupal module MRBS CVE-2014-8350 (Smarty before 3.1.21 allows remote attackers to bypass the secure mode ...) {DLA-452-1} - smarty3 3.1.21-1 (bug #765920) - smarty (Only affects 3.x series) [squeeze] - smarty3 (Unsupported in squeeze-lts) NOTE: https://github.com/smarty-php/smarty/commit/279bdbd3521cd717cae6a3ba48f1c3c6823f439d.patch CVE-2014-8399 (The default configuration in systemd-shim 8 enables the Abandon debugg ...) - systemd-shim 8-4 NOTE: Fixed by: https://github.com/desrt/systemd-shim/commit/d2e91c118f6128875274a638007702d1cc665893 NOTE: with version 8-4 systemd-shim does not ship anymore a dbus policy, see https://bugs.debian.org/765101 CVE-2014-8333 (The VMware driver in OpenStack Compute (Nova) before 2014.1.4 allows r ...) - nova 2014.1.3-7 [wheezy] - nova (Vulnerable code not present) NOTE: versions affected up to to 2014.1.3 NOTE: https://launchpad.net/bugs/1359138 NOTE: https://review.openstack.org/125492 CVE-2014-8328 (The default configuration in the Dynamic Content Elements (dce) extens ...) NOT-FOR-US: TYPO3 extension dce CVE-2014-8327 (The fal_sftp extension before 0.2.6 for TYPO3 uses weak permissions fo ...) NOT-FOR-US: TYPO3 extension fal_sftp CVE-2014-8326 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0. ...) - phpmyadmin 4:4.2.10.1-1 (low) [wheezy] - phpmyadmin (Vulnerable code not present) [squeeze] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2014-12/ CVE-2014-8325 (The Calendar Base (cal) extension before 1.5.9 and 1.6.x before 1.6.1 ...) NOT-FOR-US: TYPO3 extension cal CVE-2014-8316 (XML External Entity (XXE) vulnerability in polestar_xml.jsp in SAP Bus ...) NOT-FOR-US: SAP BusinessObjects Explorer CVE-2014-8315 (polestar_xml.jsp in SAP BusinessObjects Explorer 14.0.5 build 882 repl ...) NOT-FOR-US: SAP BusinessObjects Explorer CVE-2014-8314 (Multiple cross-site scripting (XSS) vulnerabilities in SAP HANA Develo ...) NOT-FOR-US: SAP HANA CVE-2014-8313 (Eval injection in ide/core/base/server/net.xsjs in the Developer Workb ...) NOT-FOR-US: SAP HANA CVE-2014-8312 (Business Warehouse (BW) in SAP Netweaver AS ABAP 7.31 allows remote au ...) NOT-FOR-US: SAP Netweaver AS ABAP CVE-2014-8311 (SAP BusinessObjects Edge 4.0 allows remote attackers to obtain sensiti ...) NOT-FOR-US: SAP BusinessObjects Edge CVE-2014-8310 (The CMS CORBA listener in SAP BusinessObjects BI Edge 4.0 allows remot ...) NOT-FOR-US: SAP BusinessObjects BI Edge CVE-2014-8309 (SAP BusinessObjects 4.0 and BusinessObjects XI (BOXI) R2 and 3.1 gener ...) NOT-FOR-US: SAP CVE-2014-8308 (Cross-site scripting (XSS) vulnerability in the Send to Inbox function ...) NOT-FOR-US: SAP BusinessObjects BI EDGE CVE-2014-8307 (Multiple cross-site scripting (XSS) vulnerabilities in skins/default/o ...) NOT-FOR-US: C97net Cart Engine CVE-2014-8306 (SQL injection vulnerability in the sql_query function in cart.php in C ...) NOT-FOR-US: C97net Cart Engine CVE-2014-8305 (Open redirect vulnerability in the redir function in includes/function ...) NOT-FOR-US: C97net Cart Engine CVE-2014-8304 (Cross-site scripting (XSS) vulnerability in In-Portal CMS 5.2.0 and ea ...) NOT-FOR-US: In-Portal CVE-2014-8303 (Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enter ...) NOT-FOR-US: Splunk Web CVE-2014-8302 (Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enter ...) NOT-FOR-US: Splunk Web CVE-2014-8301 (Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enter ...) NOT-FOR-US: Splunk Web CVE-2014-8300 RESERVED CVE-2014-8299 RESERVED CVE-2014-8298 (The NVIDIA Linux Discrete GPU drivers before R304.125, R331.x before R ...) - nvidia-graphics-drivers 340.65-1 [wheezy] - nvidia-graphics-drivers (Non-free not supported) [squeeze] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-304xx 304.125-1 - nvidia-graphics-drivers-legacy-173xx (bug #772973) [wheezy] - nvidia-graphics-drivers-legacy-173xx (Non-free not supported) [squeeze] - nvidia-graphics-drivers-legacy-173xx (Non-free not supported) - nvidia-graphics-drivers-legacy-96xx (bug #772972) [wheezy] - nvidia-graphics-drivers-legacy-96xx (Non-free not supported) [squeeze] - nvidia-graphics-drivers-legacy-96xx (Non-free not supported) CVE-2014-8297 RESERVED CVE-2014-8296 (Cross-site scripting (XSS) vulnerability in the Modal Frame API module ...) NOT-FOR-US: Drupal module Modal Frame API CVE-2014-XXXX [freecad downloads and executes code] - freecad 0.14.3702+dfsg-3 (bug #764814) [squeeze] - freecad (Problematic code not present) NOTE: http://freecadweb.org/tracker/view.php?id=1785 CVE-2014-8295 (SQL injection vulnerability in joblogs.php in Bacula-Web 5.2.10 allows ...) NOT-FOR-US: Bacula-Web NOTE: Bacula-Web is not part of bacula itself and not ITP #656891 CVE-2014-8294 (Multiple SQL injection vulnerabilities in Voice Of Web AllMyGuests 0.4 ...) NOT-FOR-US: Voice Of Web AllMyGuests CVE-2014-8293 (Cross-site scripting (XSS) vulnerability in Voice Of Web AllMyGuests 0 ...) NOT-FOR-US: Voice Of Web AllMyGuests CVE-2014-8764 (DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP ...) {DSA-3059-1 DLA-79-1} - dokuwiki 0.0.20140929.a-1 (bug #766545) [jessie] - dokuwiki (PHP 5.6 in jessie fixes this on the PHP level, see #766545) NOTE: Fix at PHP level: http://git.php.net/?p=php-src.git;a=commitdiff;h=ad1b9eef98df53adefa0c79c02e5dc1f2b928b8c CVE-2014-8763 (DokuWiki before 2014-05-05b, when using Active Directory for LDAP auth ...) {DSA-3059-1 DLA-79-1} - dokuwiki 0.0.20140929.a-1 (bug #766545) [jessie] - dokuwiki (PHP 5.6 in jessie fixes this on the PHP level, see #766545) NOTE: Fix at PHP level: http://git.php.net/?p=php-src.git;a=commitdiff;h=ad1b9eef98df53adefa0c79c02e5dc1f2b928b8c CVE-2014-8762 (The ajax_mediadiff function in DokuWiki before 2014-05-05a allows remo ...) {DSA-3059-1} - dokuwiki 0.0.20140505.a+dfsg-1 (bug #766545) [squeeze] - dokuwiki (Vulnerable code not present) CVE-2014-8761 (inc/template.php in DokuWiki before 2014-05-05a only checks for access ...) {DSA-3059-1} - dokuwiki 0.0.20140505.a+dfsg-1 (bug #766545) [squeeze] - dokuwiki (Vulnerable code not present) CVE-2014-8760 (ejabberd before 2.1.13 does not enforce the starttls_required setting ...) {DLA-881-1} - ejabberd 14.07-3 (low; bug #767535) [squeeze] - ejabberd (Minor issue) NOTE: http://mail.jabber.org/pipermail/operators/2014-October/002438.html NOTE: Patch https://github.com/processone/ejabberd/commit/7bdc1151b CVE-2014-8759 RESERVED CVE-2014-8758 (Cross-site scripting (XSS) vulnerability in Best Gallery Albums Plugin ...) NOT-FOR-US: Wordpress plugin CVE-2014-8757 (LG On-Screen Phone (OSP) before 4.3.010 allows remote attackers to byp ...) NOT-FOR-US: LG On-Screen Phone CVE-2014-8756 (The NcrCtl4.NcrNet.1 control in Panasonic Network Camera Recorder befo ...) NOT-FOR-US: Panasonic Network Camera CVE-2014-8755 (Panasonic Network Camera View 3 and 4 allows remote attackers to execu ...) NOT-FOR-US: Panasonic Network Camera CVE-2014-8754 (Open redirect vulnerability in track-click.php in the Ad-Manager plugi ...) NOT-FOR-US: WordPress plugin ad-manager-for-wp CVE-2014-8753 (Multiple cross-site scripting (XSS) vulnerabilities in Cit-e-Net Cit-e ...) NOT-FOR-US: Cit-e-Net CVE-2014-8752 (Multiple cross-site scripting (XSS) vulnerabilities in view.php in JCE ...) NOT-FOR-US: JCE-Tech PHP Video Script CVE-2014-8751 (Multiple cross-site scripting (XSS) vulnerabilities in goYWP WebPress ...) NOT-FOR-US: goYWP WebPress CVE-2014-8749 (Server-side request forgery (SSRF) vulnerability in admin/htaccess/bps ...) NOT-FOR-US: BulletProof Security plugin for WordPress CVE-2014-8748 (Cross-site scripting (XSS) vulnerability in the Google Doubleclick for ...) NOT-FOR-US: Drupal module Google Doubleclick for Publishers CVE-2014-8747 (Cross-site scripting (XSS) vulnerability in the Drupal Commons module ...) NOT-FOR-US: Drupal module Drupal Commons CVE-2014-8746 (Cross-site scripting (XSS) vulnerability in the Skeleton theme 7.x-1.2 ...) NOT-FOR-US: Drupal theme Skeleton CVE-2014-8745 (Cross-site scripting (XSS) vulnerability in the Custom Search module 6 ...) NOT-FOR-US: Drupal module Custom Search CVE-2014-8744 (Cross-site scripting (XSS) vulnerability in the Nivo Slider module 7.x ...) NOT-FOR-US: Drupal module Nivo Slider CVE-2014-8743 (Multiple cross-site scripting (XSS) vulnerabilities in the Maestro mod ...) NOT-FOR-US: Drupal module Maestro CVE-2014-8292 REJECTED CVE-2014-8291 REJECTED CVE-2014-8290 REJECTED CVE-2014-8289 REJECTED CVE-2014-8288 REJECTED CVE-2014-8287 REJECTED CVE-2014-8286 REJECTED CVE-2014-8285 REJECTED CVE-2014-8284 REJECTED CVE-2014-8283 REJECTED CVE-2014-8282 REJECTED CVE-2014-8281 REJECTED CVE-2014-8280 REJECTED CVE-2014-8279 REJECTED CVE-2014-8278 REJECTED CVE-2014-8277 REJECTED CVE-2014-8276 REJECTED CVE-2014-8275 (OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k d ...) {DSA-3125-1 DLA-132-1} - openssl 1.0.1k-1 NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=86edf13b1c97526c0cf63c37342aaa01f5442688 NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=5951cc004b96cd681ffdf39d3fc9238a1ff597ae NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=a8565530e27718760220df469f0a071c85b9e731 NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=178c562a4621162dbe19a7c34fa2ad558684f40e CVE-2014-8274 RESERVED CVE-2014-8273 RESERVED CVE-2014-8272 (The IPMI 1.5 functionality in Dell iDRAC6 modular before 3.65, iDRAC6 ...) NOT-FOR-US: Dell iDRAC6 CVE-2014-8271 (Buffer overflow in the Reclaim function in Tianocore EDK2 before SVN 1 ...) NOT-FOR-US: uefi CVE-2014-8270 (BMC Track-It! 11.3 allows remote attackers to gain privileges and exec ...) NOT-FOR-US: BMC Track-It! CVE-2014-8269 (Multiple stack-based buffer overflows in (1) HWOPOSScale.ocx and (2) H ...) NOT-FOR-US: Honeywell OPOS Suite CVE-2014-8268 (QPR Portal before 2012.2.1 allows remote attackers to modify or delete ...) NOT-FOR-US: QPR Portal CVE-2014-8267 (Cross-site scripting (XSS) vulnerability in QPR Portal 2014.1.1 and ea ...) NOT-FOR-US: QPR Portal CVE-2014-8266 (Multiple cross-site scripting (XSS) vulnerabilities in the note-creati ...) NOT-FOR-US: QPR Portal CVE-2014-8265 RESERVED CVE-2014-8264 RESERVED CVE-2014-8263 RESERVED CVE-2014-8262 RESERVED CVE-2014-8261 RESERVED CVE-2014-8260 RESERVED CVE-2014-8259 RESERVED CVE-2014-8258 RESERVED CVE-2014-8257 RESERVED CVE-2014-8256 RESERVED CVE-2014-8255 RESERVED CVE-2014-8254 RESERVED CVE-2014-8253 RESERVED CVE-2014-8252 RESERVED CVE-2014-8251 RESERVED CVE-2014-8250 RESERVED CVE-2014-8249 RESERVED CVE-2014-8248 (SQL injection vulnerability in CA Release Automation (formerly iTKO LI ...) NOT-FOR-US: CA Release Automation CVE-2014-8247 (Cross-site scripting (XSS) vulnerability in CA Release Automation (for ...) NOT-FOR-US: CA Release Automation CVE-2014-8246 (Cross-site request forgery (CSRF) vulnerability in CA Release Automati ...) NOT-FOR-US: CA Release Automation CVE-2014-8245 RESERVED CVE-2014-8244 (Linksys SMART WiFi firmware on EA2700 and EA3500 devices; before 2.1.4 ...) NOT-FOR-US: Linksys SMART WiFi CVE-2014-8243 (Linksys SMART WiFi firmware on EA2700 and EA3500 devices; before 2.1.4 ...) NOT-FOR-US: Linksys SMART WiFi CVE-2014-8239 REJECTED CVE-2014-8238 REJECTED CVE-2014-8237 REJECTED CVE-2014-8236 REJECTED CVE-2014-8235 REJECTED CVE-2014-8234 REJECTED CVE-2014-8233 REJECTED CVE-2014-8232 REJECTED CVE-2014-8231 REJECTED CVE-2014-8230 REJECTED CVE-2014-8229 REJECTED CVE-2014-8228 REJECTED CVE-2014-8227 REJECTED CVE-2014-8226 REJECTED CVE-2014-8225 REJECTED CVE-2014-8224 REJECTED CVE-2014-8223 REJECTED CVE-2014-8222 REJECTED CVE-2014-8221 REJECTED CVE-2014-8220 REJECTED CVE-2014-8219 REJECTED CVE-2014-8218 REJECTED CVE-2014-8217 REJECTED CVE-2014-8216 REJECTED CVE-2014-8215 REJECTED CVE-2014-8214 REJECTED CVE-2014-8213 REJECTED CVE-2014-8212 REJECTED CVE-2014-8211 REJECTED CVE-2014-8210 REJECTED CVE-2014-8209 REJECTED CVE-2014-8208 REJECTED CVE-2014-8207 REJECTED CVE-2014-8206 REJECTED CVE-2014-8205 REJECTED CVE-2014-8204 REJECTED CVE-2014-8203 REJECTED CVE-2014-8202 REJECTED CVE-2014-8201 REJECTED CVE-2014-8200 REJECTED CVE-2014-8199 REJECTED CVE-2014-8198 REJECTED CVE-2014-8197 REJECTED CVE-2014-8196 REJECTED CVE-2014-8195 REJECTED CVE-2014-8194 REJECTED CVE-2014-8193 REJECTED CVE-2014-8192 REJECTED CVE-2014-8191 REJECTED CVE-2014-8190 REJECTED CVE-2014-8189 REJECTED CVE-2014-8188 REJECTED CVE-2014-8187 REJECTED CVE-2014-8186 REJECTED CVE-2014-8185 REJECTED CVE-2014-8184 (A vulnerability was found in liblouis, versions 2.5.x before 2.5.4. A ...) - liblouis 2.6.2-1 (bug #880621) [jessie] - liblouis 2.5.3-3+deb8u1 [wheezy] - liblouis (Vulnerable code introduced in 2.5.0) NOTE: https://github.com/liblouis/liblouis/issues/425 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1492701 NOTE: Introduced by: https://github.com/liblouis/liblouis/commit/26ca8619a29951d6b4acf8b7a732a8b35e4e7bd3 (liblouis_2_5_0) NOTE: Fixed in merge: https://github.com/liblouis/liblouis/commit/dc97ef791a4fae9da11592c79f9f79e010596e0c#diff-7ade83431f79d2120c82012aee3b05c9L4524 NOTE: CVE is for several buffer overflows in the findTable function, cf. NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1492701#c7 CVE-2014-8183 (It was found that foreman, versions 1.x.x before 1.15.6, in Satellite ...) NOT-FOR-US: Red Hat Satellite CVE-2014-8182 (An off-by-one error leading to a crash was discovered in openldap 2.4 ...) - openldap (Vulnerable code introduced in RHEL specific patch) NOTE: http://www.openldap.org/its/index.cgi/Software%20Enhancements?id=7027 NOTE: Reference for upstream fix: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blobdiff;f=libraries/libldap/dnssrv.c;h=de849e30d5b01ae855853c79e88fb06d7aea1137;hp=6d1bfa8e3c2b05ca5ed0ebebc00c3a30086bca95;hb=31995b535e10c45e698b62d39db998c51f799327;hpb=5de85b922aaa5bfa6eb53db6000adf01ebdb0736 NOTE: and: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=eef1ca007f60fdcb9b5368608e87dd0b2404bceb NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1095976#c26 claims this flaw was never in a OpenLDAP release CVE-2014-8181 (The kernel in Red Hat Enterprise Linux 7 and MRG-2 does not clear garb ...) - linux (Specific to RHEL 7) CVE-2014-8180 (MongoDB on Red Hat Satellite 6 allows local users to bypass authentica ...) NOT-FOR-US: Red Hat Satellite CVE-2014-8179 (Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 does ...) - docker.io 1.8.3~ds1-1 CVE-2014-8178 (Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 do no ...) - docker.io 1.8.3~ds1-1 CVE-2014-8177 (The Red Hat gluster-swift package, as used in Red Hat Gluster Storage ...) NOT-FOR-US: gluster-swift CVE-2014-8176 (The dtls1_clear_queues function in ssl/d1_lib.c in OpenSSL before 0.9. ...) {DSA-3287-1 DLA-247-1} - openssl 1.0.1h-1 NOTE: http://openssl.org/news/secadv/20150611.txt CVE-2014-8175 (Red Hat JBoss Fuse before 6.2.0 allows remote authenticated users to b ...) NOT-FOR-US: JBoss Fuse CVE-2014-8174 (eDeploy makes it easier for remote attackers to execute arbitrary code ...) - edeploy (bug #717664) CVE-2014-8173 (The pmd_none_or_trans_huge_or_clear_bad function in include/asm-generi ...) - linux 3.13.4-1 [wheezy] - linux (Introduced in 3.10 with 1998cc048901) - linux-2.6 (Introduced in 3.10 with 1998cc048901) NOTE: Upstream commit: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ee53664bda169f519ce3c6a22d378f0b946c8178 (v3.13-rc5) CVE-2014-8172 (The filesystem implementation in the Linux kernel before 3.13 performs ...) - linux 3.13.4-1 [wheezy] - linux (Too intrusive to backport) - linux-2.6 [squeeze] - linux-2.6 (Too intrusive to backport) NOTE: Upstream commit: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=eee5cc2702929fd41cce28058dc6d6717f723f87 (v3.13-rc1) CVE-2014-8171 (The memory resource controller (aka memcg) in the Linux kernel allows ...) - linux 3.12.6-1 [wheezy] - linux (Too difficult and risky to backport) - linux-2.6 [squeeze] - linux-2.6 (Too difficult and risky to backport) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3812c8c8f3953921ef18544110dafc3505c1ac62 (v3.12-rc1) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4942642080ea82d99ab5b653abb9a12b7ba31f4a (v3.12-rc6) CVE-2014-8170 (ovirt_safe_delete_config in ovirtfunctions.py and other unspecified lo ...) - ovirt-node (bug #502024) CVE-2014-8169 (automount 5.0.8, when a program map uses certain interpreted languages ...) - autofs 5.0.8-2 (bug #779591) [wheezy] - autofs (Vulnerable code introduced in 5.0.8) - autofs5 (Vulnerable code introduced in 5.0.8) CVE-2014-8168 (Red Hat Satellite 6 allows local users to access mongod and delete pul ...) NOT-FOR-US: Red Hat Satellite CVE-2014-8167 (vdsm and vdsclient does not validate certficate hostname from another ...) NOT-FOR-US: Red Hat vdms and vdsclient CVE-2014-8166 (The browsing feature in the server in CUPS does not filter ANSI escape ...) - cups (unimportant) NOTE: Patch: https://bugzilla.redhat.com/attachment.cgi?id=916761 NOTE: Terminal emulators need to perform proper escaping CVE-2014-8165 (scripts/amsvis/powerpcAMS/amsnet.py in powerpc-utils-python uses the p ...) - powerpc-utils (Vulnerable code not present) NOTE: http://sourceforge.net/p/powerpc-utils/mailman/message/32884230 CVE-2014-8164 RESERVED NOT-FOR-US: Red Hat CloudForms CVE-2014-8163 (Directory traversal vulnerability in the XMLRPC interface in Red Hat S ...) NOT-FOR-US: Red Hat Satellite CVE-2014-8162 (XML external entity (XXE) in the RPC interface in Spacewalk and Red Ha ...) NOT-FOR-US: Red Hat Satellite CVE-2014-8161 (PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9. ...) {DSA-3155-1 DLA-152-1} - postgresql-9.4 9.4.1-1 - postgresql-9.1 9.1.11-2 - postgresql-8.4 [wheezy] - postgresql-8.4 (postgresql-8.4 in wheezy only provides PL/Perl) CVE-2014-8160 (net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel before ...) {DSA-3170-1 DLA-155-1} - linux 3.16.7-ckt4-1 - linux-2.6 NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=db29a9508a9246e77087c5531e45b2c88ec6988b (v3.18-rc1) NOTE: http://www.spinics.net/lists/netfilter-devel/msg33430.html CVE-2014-8159 (The InfiniBand (IB) implementation in the Linux kernel package before ...) {DSA-3237-1 DLA-246-1} - linux 3.16.7-ckt9-1 - linux-2.6 CVE-2014-8158 (Multiple stack-based buffer overflows in jpc_qmfb.c in JasPer 1.900.1 ...) {DSA-3138-1 DLA-138-1} - jasper 1.900.1-debian1-2.4 (bug #775970) NOTE: http://www.ocert.org/advisories/ocert-2015-001.html CVE-2014-8157 (Off-by-one error in the jpc_dec_process_sot function in JasPer 1.900.1 ...) {DSA-3138-1 DLA-138-1} - jasper 1.900.1-debian1-2.4 (bug #775970) NOTE: http://www.ocert.org/advisories/ocert-2015-001.html CVE-2014-8156 (The D-Bus security policy files in /etc/dbus-1/system.d/*.conf in fso- ...) - fso-deviced 0.12.0-5 [wheezy] - fso-deviced (Minor issue) - fso-datad 0.12.0-3 [wheezy] - fso-datad (Minor issue) - fso-frameworkd 0.9.5.9+git20110512-5 [wheezy] - fso-frameworkd (Minor issue) [squeeze] - fso-frameworkd (Minor issue) - fso-gsmd 0.12.0-4 [wheezy] - fso-gsmd (Minor issue) - fso-usaged 0.12.0-3 [wheezy] - fso-usaged (Minor issue) [squeeze] - fso-usaged (Minor issue) - phonefsod 0.1+git20121018-2 [wheezy] - phonefsod (Minor issue) [squeeze] - phonefsod (Minor issue) CVE-2014-8155 (GnuTLS before 2.9.10 does not verify the activation and expiration dat ...) {DLA-180-1} - gnutls26 2.9.10-1 - gnutls28 (Initial version 3.0.0-1 already contained the check based on 2.9.10) NOTE: Fixed by: https://gitlab.com/gnutls/gnutls/commit/897cbce62c0263a498088ac3e465aa5f05f8719c CVE-2014-8154 (The Gst.MapInfo function in Vala 0.26.0 and 0.26.1 uses an incorrect b ...) - vala-0.26 0.26.1-1.1 (bug #775913) - vala-0.16 (MapInfo not yet present) - vala-0.14 (MapInfo not yet present) - vala (MapInfo not yet present) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=678663 NOTE: https://git.gnome.org/browse/vala/commit/?id=3092537db65887e24a3d3e87a27caf9c5295e4f7 NOTE: Binaries with buggy bindings package that use Gst.MapInfo() function NOTE: are affected as well and need to be rebuilt, shotwell, rygel, ... CVE-2014-8153 (The L3 agent in OpenStack Neutron 2014.2.x before 2014.2.2, when using ...) - neutron (Affects neutron 2014.2 up to 2014.2.1) CVE-2014-8152 (Apache Santuario XML Security for Java 2.0.x before 2.0.3 allows remot ...) - libxml-security-java (streaming XML Signature support introduced in 2.0.0) NOTE: http://svn.apache.org/viewvc?view=revision&revision=1634334 NOTE: http://santuario.apache.org/secadv.data/CVE-2014-8152.txt.asc CVE-2014-8151 (The darwinssl_connect_step1 function in lib/vtls/curl_darwinssl.c in l ...) - curl (Only relevant when building with darwinssl/Mac OS X) NOTE: http://curl.haxx.se/docs/adv_20150108A.html CVE-2014-8150 (CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, ...) {DSA-3122-1 DLA-134-1} - curl 7.38.0-4 NOTE: http://curl.haxx.se/docs/adv_20150108B.html CVE-2014-8149 (OpenDaylight defense4all 1.1.0 and earlier allows remote authenticated ...) NOT-FOR-US: OpenDaylight CVE-2014-8148 (The default D-Bus access control rule in Midgard2 10.05.7.1 allows loc ...) - midgard2-core (bug #774630) CVE-2014-8147 (The resolveImplicitLevels function in common/ubidi.c in the Unicode Bi ...) {DSA-3323-1} - icu 52.1-9 (bug #784773) [wheezy] - icu (Vulnerable code not present) [squeeze] - icu (Vulnerable code not present) - chromium-browser 42.0.2311.135-1 [jessie] - chromium-browser 42.0.2311.135-1~deb8u1 [wheezy] - chromium-browser (Vulnerable code not present) [squeeze] - chromium-browser (Not supported in Squeeze LTS) NOTE: Patch: http://bugs.icu-project.org/trac/changeset/37080 CVE-2014-8146 (The resolveImplicitLevels function in common/ubidi.c in the Unicode Bi ...) {DSA-3323-1} - icu 52.1-9 (bug #784773) [wheezy] - icu (Vulnerable code not present) [squeeze] - icu (Vulnerable code not present) - chromium-browser 42.0.2311.135-1 [jessie] - chromium-browser 42.0.2311.135-1~deb8u1 [wheezy] - chromium-browser (Vulnerable code not present) [squeeze] - chromium-browser (Not supported in Squeeze LTS) NOTE: Patch: http://bugs.icu-project.org/trac/changeset/37162 CVE-2014-8145 (Multiple heap-based buffer overflows in Sound eXchange (SoX) 14.4.1 an ...) {DSA-3112-1 DLA-1687-1 DLA-128-1} - sox 14.4.2-2 (bug #773720) [stretch] - sox 14.4.1-5+deb9u1 NOTE: The two needed patches were added in 14.4.1-5 but not to the series file NOTE: so the patches got not applied during build. CVE-2014-8144 (Cross-site request forgery (CSRF) vulnerability in doorkeeper before 1 ...) NOT-FOR-US: doorkeeper OAuth provider CVE-2014-8143 (Samba 4.0.x before 4.0.24, 4.1.x before 4.1.16, and 4.2.x before 4.2rc ...) - samba 2:4.1.17+dfsg-1 (bug #776993) [wheezy] - samba (Only affects 4.0 and later) [squeeze] - samba (Only affects 4.0 and later) - samba4 4.0.0~beta2+dfsg1-3.2+deb7u2 NOTE: AD-related packages removed from src:samba4 in 4.0.0~beta2+dfsg1-3.2+deb7u2 NOTE: https://www.samba.org/samba/security/CVE-2014-8143 CVE-2014-8142 (Use-after-free vulnerability in the process_nested_data function in ex ...) {DSA-3117-1} - php5 5.6.5+dfsg-1 (unimportant) NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=630f9c33c23639de85c3fd306b209b538b73b4c9 NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=53f129a44d3c4ec0fae57993b9ae2f6cb48973cc NOTE: Only affects an inherently insecure use case CVE-2014-8141 (Heap-based buffer overflow in the getZip64Data function in Info-ZIP Un ...) {DSA-3113-1 DLA-124-1} - unzip 6.0-13 (bug #773722) CVE-2014-8140 (Heap-based buffer overflow in the test_compr_eb function in Info-ZIP U ...) {DSA-3113-1 DLA-124-1} - unzip 6.0-13 (bug #773722) CVE-2014-8139 (Heap-based buffer overflow in the CRC32 verification in Info-ZIP UnZip ...) {DSA-3113-1 DLA-150-1 DLA-124-1} - unzip 6.0-16 (bug #773722) CVE-2014-8138 (Heap-based buffer overflow in the jp2_decode function in JasPer 1.900. ...) {DSA-3106-1 DLA-121-1} - jasper 1.900.1-debian1-2.3 (bug #773463) CVE-2014-8137 (Double free vulnerability in the jas_iccattrval_destroy function in Ja ...) {DSA-3106-1 DLA-121-1} - jasper 1.900.1-debian1-2.3 (bug #773463) CVE-2014-8136 (The (1) qemuDomainMigratePerform and (2) qemuDomainMigrateFinish2 func ...) - libvirt 1.2.9-7 (bug #773856) [wheezy] - libvirt (Vulnerable code introduced later) [squeeze] - libvirt (Vulnerable code introduced later) NOTE: Upstream commit: http://libvirt.org/git/?p=libvirt.git;a=commit;h=2bdcd29c713dfedd813c89f56ae98f6f3898313d (v1.2.11-rc2) NOTE: Introduced in http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=abf75aea247e (v1.1.0-rc1) CVE-2014-8135 (The storageVolUpload function in storage/storage_driver.c in libvirt b ...) - libvirt 1.2.9-7 (bug #773855) [wheezy] - libvirt (Vulnerable code introduced later) [squeeze] - libvirt (Vulnerable code introduced later) NOTE: Upstream fix: http://libvirt.org/git/?p=libvirt.git;a=commit;h=87b9437f8951f9d24f9a85c6bbfff0e54df8c984 (v1.2.11-rc1) NOTE: Introduced by http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=4a85bf3e2fa703fdc14e8c49d5017ef04832a1d7 (v1.2.8-rc1) CVE-2014-8134 (The paravirt_ops_setup function in arch/x86/kernel/kvm.c in the Linux ...) {DLA-155-1} - linux 3.16.7-ckt4-1 [wheezy] - linux 3.2.65-1 - linux-2.6 NOTE: http://www.spinics.net/lists/kvm/msg111458.html CVE-2014-8133 (arch/x86/kernel/tls.c in the Thread Local Storage (TLS) implementation ...) {DSA-3128-1 DLA-155-1} - linux 3.16.7-ckt4-1 - linux-2.6 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/arch/x86?id=41bdc78544b8a93a9c6814b8bbbfef966272abbe CVE-2014-8132 (Double free vulnerability in the ssh_packet_kexinit function in kex.c ...) - libssh 0.6.3-4 (bug #773577) [wheezy] - libssh 0.5.4-1+deb7u3 [squeeze] - libssh (Issue only present in versions > 0.5.1, squeeze has 0.4.5) NOTE: http://www.libssh.org/2014/12/19/libssh-0-6-4-security-and-bugfix-release/ NOTE: Upstream patch: http://git.libssh.org/projects/libssh.git/commit/?id=c2aed4ca78030d9014a890cb4370e6dc8264823f CVE-2014-8131 (The qemu implementation of virConnectGetAllDomainStats in libvirt befo ...) - libvirt 1.2.9-7 (bug #773858) [wheezy] - libvirt (Vulnerable code introduced later) [squeeze] - libvirt (Vulnerable code introduced later) NOTE: Introduced by http://libvirt.org/git/?p=libvirt.git;a=commit;h=d1bde8ed (v1.2.9-rc1) NOTE: Introduced by http://libvirt.org/git/?p=libvirt.git;a=commit;h=1f4831ee (v1.2.9-rc1) NOTE: https://www.redhat.com/archives/libvir-list/2014-December/msg00551.html NOTE: https://www.redhat.com/archives/libvir-list/2014-December/msg00600.html CVE-2014-8130 (The _TIFFmalloc function in tif_unix.c in LibTIFF 4.0.3 does not rejec ...) - tiff (unimportant; bug #776185) - tiff3 (The tiff3 source package doesn't build the TIFF tools) NOTE: Advisory: http://www.conostix.com/pub/adv/CVE-2014-8130-LibTIFF-Division_By_Zero.txt NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2483 NOTE: Crash in a frontend tool w/o potential for code injection, marked as unimportant CVE-2014-8129 (LibTIFF 4.0.3 allows remote attackers to cause a denial of service (ou ...) {DSA-3273-1 DLA-610-1 DLA-221-1} - tiff 4.0.3-12.1 (bug #776185) - tiff3 NOTE: Advisory: http://www.conostix.com/pub/adv/CVE-2014-8129-LibTIFF-Out-of-bounds_Reads_and_Writes.txt NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2487 (tiff2pdf) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2488 (tiff2pdf) NOTE: The tiff3 source package doesn't build the TIFF tools, but most of these bugs are in the library CVE-2014-8128 (LibTIFF prior to 4.0.4, as used in Apple iOS before 8.4 and OS X befor ...) {DSA-3273-1 DLA-693-1 DLA-610-1 DLA-221-1} - tiff 4.0.3-12.3 (bug #776185) - tiff3 NOTE: Advisory: http://www.conostix.com/pub/adv/CVE-2014-8128-LibTIFF-Out-of-bounds_Writes.txt NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2489 (thumbnail) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2490 (tiffdither) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2491 (tiffdither) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2492 (tiffdither) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2493 (thumbnail and tiffcmp) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2495 (tiff2pdf) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2499 (thumbnail and tiffcmp) [not fixed yet in CVS HEAD] NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2501 (tiffdither) NOTE: The tiff3 source package doesn't build the TIFF tools, but most of these bugs are in the library CVE-2014-8127 (LibTIFF 4.0.3 allows remote attackers to cause a denial of service (ou ...) {DSA-3273-1} - tiff 4.0.6-3 (unimportant; bug #776185) - tiff3 (The tiff3 source package doesn't build the TIFF tools) NOTE: Advisory: http://www.conostix.com/pub/adv/CVE-2014-8127-LibTIFF-Out-of-bounds_Reads.txt NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2484 (thumbnail) NOTE: Fix https://github.com/vadz/libtiff/commit/3996fa0f84f4a8b7e65fe4b8f0681711022034ea NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2485 (tiff2bw) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2486 (tiff2rgba) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2496 (tiff2ps and tiffdither) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2497 (tiffmedian) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2500 (tiffset) [not fixed yet in CVS HEAD] NOTE: 4.0.3-12.1 fixes all issues except 2500 NOTE: 2500 is fixed by upstream as per 2016-10-25 NOTE: Crash in a frontend tool w/o potential for code injection, marked as unimportant CVE-2014-8126 (The scheduler in HTCondor before 8.2.6 allows remote authenticated use ...) {DSA-3149-1} - condor 8.2.3~dfsg.1-6 (bug #775276) NOTE: https://htcondor-wiki.cs.wisc.edu/index.cgi/tktview?tn=4764 NOTE: https://htcondor-wiki.cs.wisc.edu/index.cgi/chngview?cn=41878 NOTE: https://github.com/htcondor/htcondor/commit/e891cea9970496aac74caf72604475a2b7e6a0ca.patch NOTE: https://github.com/htcondor/htcondor/commit/aebc6b0492acdc8b21b39ba22e33661752c2c37d.patch CVE-2014-8125 (XML external entity (XXE) vulnerability in Drools and jBPM before 6.2. ...) NOT-FOR-US: jBPM CVE-2014-8124 (OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014 ...) - horizon 2014.1.3-6 (bug #772710) [wheezy] - horizon (Minor issue) - python-django-openstack-auth 1.1.6-5 (bug #772712) NOTE: up to 2014.1.3 and 2014.2 version up to 2014.2.1 CVE-2014-8122 (Race condition in JBoss Weld before 2.2.8 and 3.x before 3.0.0 Alpha3 ...) NOT-FOR-US: JBoss Weld CVE-2014-8121 (DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS) in ...) {DSA-3480-1 DLA-316-1} - glibc 2.21-1 (low; bug #779587) [jessie] - glibc 2.19-18+deb8u2 - eglibc (low) [wheezy] - eglibc (Minor issue) [squeeze] - eglibc (Minor issue) NOTE: Patch: https://sourceware.org/git/?p=glibc.git;a=commit;h=03d2730b44cc2236318fd978afa2651753666c55 CVE-2014-8120 (The agent in Thermostat before 1.0.6, when using unspecified configura ...) NOT-FOR-US: Thermostat Hotspot instrumentation CVE-2014-8119 (The find_ifcfg_path function in netcf before 0.2.7 might allow attacke ...) - netcf (suse and redhat driver are not built on Debian) NOTE: Issue is in the way the netcf's find_ifcfg_path() function processed NOTE: certain XPath expressions according to Red Hat bugzilla. NOTE: The fix consists in augeas getting a new API aug_escape_name which NOTE: netcf needs to use. NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1172176#c3 NOTE: https://www.redhat.com/archives/augeas-devel/2014-December/msg00000.html NOTE: The affected code is only in drv_redhat.c and drv_suse.c and the Debian NOTE: build not affected. CVE-2014-8118 (Integer overflow in RPM 4.12 and earlier allows remote attackers to ex ...) {DSA-3129-1 DLA-140-1} - rpm 4.11.3-1.1 (bug #773101) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1168715 CVE-2014-8117 (softmagic.c in file before 5.21 does not properly limit recursion, whi ...) {DSA-3121-1 DSA-2868-1 DLA-145-1 DLA-131-1} - file 1:5.21+15-1 (low; bug #773148) - php5 5.6.4+dfsg-2 NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-14:28.file.asc NOTE: https://github.com/file/file/commit/6f737ddfadb596d7d4a993f7ed2141ffd664a81c NOTE: Other commits needed as well: http://www.openwall.com/lists/oss-security/2014/12/16/2 CVE-2014-8116 (The ELF parser (readelf.c) in file before 5.21 allows remote attackers ...) {DSA-3121-1 DLA-131-1} - file 1:5.21+15-1 (low; bug #773148) - php5 5.6.4+dfsg-2 [wheezy] - php5 (Affected code not used in filemagic) [squeeze] - php5 (Affected code not used in filemagic) NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-14:28.file.asc NOTE: https://github.com/file/file/commit/b4c01141e5367f247b84dcaf6aefbb4e741842b NOTE: https://github.com/file/file/commit/d7cdad007c507e6c79f51f058dd77fab70ceb9f6 NOTE: Other commits needed as well: http://www.openwall.com/lists/oss-security/2014/12/16/2 CVE-2014-8115 (The default authorization constrains in KIE Workbench 6.0.x allows rem ...) NOT-FOR-US: KIE Workbench CVE-2014-8114 (The UberFire Framework 0.3.x does not properly restrict paths, which a ...) NOT-FOR-US: UberFire Framework CVE-2014-8113 RESERVED CVE-2014-8112 (389 Directory Server 1.3.1.x, 1.3.2.x before 1.3.2.27, and 1.3.3.x bef ...) - 389-ds-base 1.3.3.5-4 (bug #779909) CVE-2014-8111 (Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount rule ...) {DSA-3278-1 DLA-240-1} - libapache-mod-jk 1:1.2.40+svn150520-1 (bug #783233) NOTE: Fix: http://svn.apache.org/r1647017 CVE-2014-8110 (Multiple cross-site scripting (XSS) vulnerabilities in the web based a ...) - activemq (Admin console not enabled in the Debian package, see #702670) NOTE: http://activemq.apache.org/security-advisories.data/CVE-2014-8110-announcement.txt CVE-2014-8109 (mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2. ...) - apache2 2.4.10-9 [wheezy] - apache2 (mod_lua only in 2.4) [squeeze] - apache2 (mod_lua only in 2.4) CVE-2014-8108 (The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.7.x ...) - subversion 1.8.10-5 (bug #773315) [wheezy] - subversion (Introduced in 1.7.0) [squeeze] - subversion (Introduced in 1.7.0) NOTE: http://subversion.apache.org/security/CVE-2014-8108-advisory.txt CVE-2014-8107 REJECTED CVE-2014-8106 (Heap-based buffer overflow in the Cirrus VGA emulator (hw/display/cirr ...) {DSA-3088-1 DSA-3087-1} - qemu 2.1+dfsg-9 (bug #772025) [squeeze] - qemu (Unsupported in squeeze-lts) - qemu-kvm [squeeze] - qemu-kvm NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2014-12/msg00508.html CVE-2014-8105 (389 Directory Server before 1.3.2.27 and 1.3.3.x before 1.3.3.9 does n ...) - 389-ds-base 1.3.3.5-4 (bug #779909) CVE-2014-8103 (X.Org Server (aka xserver and xorg-server) 1.15.0 through 1.16.x befor ...) - xorg-server 2:1.16.2.901-1 [wheezy] - xorg-server (Introduced in 1.15.0) [squeeze] - xorg-server (Introduced in 1.15.0) CVE-2014-8102 (The SProcXFixesSelectSelectionInput function in the XFixes extension i ...) {DSA-3095-1 DLA-120-1} - xorg-server 2:1.16.2.901-1 CVE-2014-8101 (The RandR extension in XFree86 4.2.0, X.Org X Window System (aka X11 o ...) {DSA-3095-1 DLA-120-1} - xorg-server 2:1.16.2.901-1 CVE-2014-8100 (The Render extension in XFree86 4.0.1, X.Org X Window System (aka X11 ...) {DSA-3095-1 DLA-120-1} - xorg-server 2:1.16.2.901-1 CVE-2014-8099 (The XVideo extension in XFree86 4.0.0, X.Org X Window System (aka X11 ...) {DSA-3095-1 DLA-120-1} - xorg-server 2:1.16.2.901-1 CVE-2014-8098 (The GLX extension in XFree86 4.0, X.Org X Window System (aka X11 or X) ...) {DSA-3095-1 DLA-120-1} - xorg-server 2:1.16.2.901-1 CVE-2014-8097 (The DBE extension in X.Org X Window System (aka X11 or X) X11R6.1 and ...) {DSA-3095-1 DLA-120-1} - xorg-server 2:1.16.2.901-1 CVE-2014-8096 (The SProcXCMiscGetXIDList function in the XC-MISC extension in X.Org X ...) {DSA-3095-1 DLA-120-1} - xorg-server 2:1.16.2.901-1 CVE-2014-8095 (The XInput extension in X.Org X Window System (aka X11 or X) X11R4 and ...) {DSA-3095-1 DLA-120-1} - xorg-server 2:1.16.2.901-1 CVE-2014-8094 (Integer overflow in the ProcDRI2GetBuffers function in the DRI2 extens ...) {DSA-3095-1 DLA-120-1} - xorg-server 2:1.16.2.901-1 CVE-2014-8093 (Multiple integer overflows in the GLX extension in XFree86 4.0, X.Org ...) {DSA-3095-1 DLA-120-1} - xorg-server 2:1.16.2.901-1 CVE-2014-8092 (Multiple integer overflows in X.Org X Window System (aka X11 or X) X11 ...) {DSA-3095-1 DLA-120-1} - xorg-server 2:1.16.2.901-1 CVE-2014-8091 (X.Org X Window System (aka X11 and X) X11R5 and X.Org Server (aka xser ...) {DSA-3095-1 DLA-120-1} - xorg-server 2:1.16.2.901-1 CVE-2014-8090 (The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x befo ...) {DSA-3159-1 DSA-3157-1 DLA-200-1 DLA-88-1} - ruby1.8 (Incomplete fix never relesed for 1.9) - ruby1.9.1 (Incomplete fix never relesed for 1.9) - ruby2.0 (Incomplete fix never relesed for 1.9) - ruby2.1 2.1.5-1 (bug #770932) NOTE: For the incomplete fix for CVE-2014-8080 NOTE: https://www.ruby-lang.org/en/news/2014/11/13/rexml-dos-cve-2014-8090/ CVE-2014-8087 (Cross-site scripting (XSS) vulnerability in the post highlights plugin ...) NOT-FOR-US: Wordpress plugin CVE-2014-8085 (Unrestricted file upload vulnerability in the CWebContact::doModel met ...) NOT-FOR-US: OsClass CVE-2014-8084 (Directory traversal vulnerability in oc-includes/osclass/controller/aj ...) NOT-FOR-US: OsClass CVE-2014-8083 (SQL injection vulnerability in the Search::setJsonAlert method in OSCl ...) NOT-FOR-US: OsClass CVE-2014-8082 (lib/functions/database.class.php in TestLink before 1.9.13 allows remo ...) NOT-FOR-US: TestLink CVE-2014-8081 (lib/execute/execSetResults.php in TestLink before 1.9.13 allows remote ...) NOT-FOR-US: TestLink CVE-2014-8080 (The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p ...) {DSA-3159-1 DSA-3157-1 DLA-200-1 DLA-88-1} - ruby1.8 - ruby1.9.1 - ruby2.0 - ruby2.1 2.1.4-1 NOTE: https://www.ruby-lang.org/en/news/2014/10/27/rexml-dos-cve-2014-8080/ NOTE: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/?pathrev=48161 CVE-2014-8079 (Cross-site scripting (XSS) vulnerability in the MAYO theme 7.x-1.x bef ...) NOT-FOR-US: Drupal theme MAYO CVE-2014-8078 (Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e- ...) NOT-FOR-US: Drupal module Print CVE-2014-8077 (Cross-site scripting (XSS) vulnerability in the NewsFlash theme 6.x-1. ...) NOT-FOR-US: Drupal theme NewsFlash CVE-2014-8076 (Cross-site scripting (XSS) vulnerability in the Professional theme 7.x ...) NOT-FOR-US: Drupal theme Professional CVE-2014-8075 (Cross-site scripting (XSS) vulnerability in the Tribune module 6.x-1.x ...) NOT-FOR-US: Drupal theme Tribune CVE-2014-8766 (Multiple SQL injection vulnerabilities in Allomani Weblinks 1.0 allow ...) NOT-FOR-US: Allomani Weblinks CVE-2014-8765 (Multiple cross-site scripting (XSS) vulnerabilities in the Project Iss ...) NOT-FOR-US: Drupal module Project Issue File Review CVE-2014-8750 (Race condition in the VMware driver in OpenStack Compute (Nova) before ...) - nova (ESX driver not enabled in libvirt) NOTE: https://launchpad.net/bugs/1357372 CVE-2014-XXXX [rsync collision attack] - rsync 3.1.2-1 (low; bug #786423) [jessie] - rsync (Minor issue, too instrusive to backport) [wheezy] - rsync (Minor issue, too instrusive to backport) [squeeze] - rsync (Minor issue, too instrusive to backport) NOTE: CVE-2014-8242 was only specific assigned for librsync but rsync has equivalent issue NOTE: https://github.com/therealmik/rsync-collision NOTE: https://git.samba.org/?p=rsync.git;a=commit;h=eac858085e3ac94ec0ab5061d11f52652c90a869 NOTE: https://lists.samba.org/archive/rsync/2015-May/030123.html CVE-2014-8242 (librsync before 1.0.0 uses a truncated MD4 checksum to match blocks, w ...) [experimental] - librsync 1.0.0-1~exp1 - librsync 2.0.2-1 (low; bug #776246) [buster] - librsync (Minor issue, too instrusive to backport) [stretch] - librsync (Minor issue, too instrusive to backport) [jessie] - librsync (Minor issue, too instrusive to backport) [wheezy] - librsync (Minor issue, too instrusive to backport) [squeeze] - librsync (Minor issue, too instrusive to backport) CVE-2014-8241 (XRegion in TigerVNC allows remote VNC servers to cause a denial of ser ...) - tigervnc 1.7.0-2 (bug #849478) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1151312 NOTE: Patch applied in Red Hat https://bugzilla.redhat.com/attachment.cgi?id=946490 CVE-2014-8240 (Integer overflow in TigerVNC allows remote VNC servers to cause a deni ...) - tigervnc 1.7.0-1 (bug #849479) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1151307 NOTE: Patch https://bugzilla.redhat.com/attachment.cgi?id=947578 is not applied CVE-2014-8086 (Race condition in the ext4_file_write_iter function in fs/ext4/file.c ...) - linux 3.16.7-ckt2-1 [wheezy] - linux (Vulnerable code not present) - linux-2.6 (Vulnerable code not present) NOTE: http://www.spinics.net/lists/linux-ext4/msg45683.html CVE-2014-8089 (SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x bef ...) {DSA-3265-1 DLA-251-1} - zendframework 1.12.9+dfsg-1 NOTE: http://framework.zend.com/security/advisory/ZF2014-06 CVE-2014-8088 (The (1) Zend_Ldap class in Zend before 1.12.9 and (2) Zend\Ldap compon ...) {DSA-3265-1 DLA-251-1} - zendframework 1.12.9+dfsg-1 NOTE: http://framework.zend.com/security/advisory/ZF2014-05 CVE-2014-8074 (Buffer overflow in the SetLogFile method in Foxit.FoxitPDFSDKProCtrl.5 ...) NOT-FOR-US: Foxit PDF SDK CVE-2014-8073 (Cross-site request forgery (CSRF) vulnerability in OpenMRS 2.1 Standal ...) NOT-FOR-US: OpenMRS CVE-2014-8072 (The administration module in OpenMRS 2.1 Standalone Edition allows rem ...) NOT-FOR-US: OpenMRS CVE-2014-8071 (Multiple cross-site scripting (XSS) vulnerabilities in OpenMRS 2.1 Sta ...) NOT-FOR-US: OpenMRS CVE-2014-8070 (Open redirect vulnerability in YOOtheme Pagekit CMS 0.8.7 allows remot ...) NOT-FOR-US: YOOtheme Pagekit CMS CVE-2014-8069 (Multiple cross-site scripting (XSS) vulnerabilities in YOOtheme Pageki ...) NOT-FOR-US: YOOtheme Pagekit CMS CVE-2014-8068 (Adobe Digital Editions (DE) 4 does not use encryption for transmission ...) NOT-FOR-US: Adobe Digital Editions CVE-2014-8067 REJECTED CVE-2014-8066 REJECTED CVE-2014-8065 REJECTED CVE-2014-8064 REJECTED CVE-2014-8063 REJECTED CVE-2014-8062 REJECTED CVE-2014-8061 REJECTED CVE-2014-8060 REJECTED CVE-2014-8059 REJECTED CVE-2014-8058 REJECTED CVE-2014-8057 REJECTED CVE-2014-8056 REJECTED CVE-2014-8055 REJECTED CVE-2014-8054 REJECTED CVE-2014-8053 REJECTED CVE-2014-8052 REJECTED CVE-2014-8051 REJECTED CVE-2014-8050 REJECTED CVE-2014-8049 REJECTED CVE-2014-8048 REJECTED CVE-2014-8047 REJECTED CVE-2014-8046 REJECTED CVE-2014-8045 REJECTED CVE-2014-8044 REJECTED CVE-2014-8043 REJECTED CVE-2014-8042 REJECTED CVE-2014-8041 REJECTED CVE-2014-8040 REJECTED CVE-2014-8039 REJECTED CVE-2014-8038 REJECTED CVE-2014-8037 RESERVED CVE-2014-8036 (The outlookpa component in Cisco WebEx Meetings Server does not proper ...) NOT-FOR-US: Cisco CVE-2014-8035 (The web framework in Cisco WebEx Meetings Server produces different re ...) NOT-FOR-US: Cisco CVE-2014-8034 (Cisco WebEx Meetings Server 1.5 presents the same CAPTCHA challenge fo ...) NOT-FOR-US: Cisco WebEx Meetings Server CVE-2014-8033 (The play/modules component in Cisco WebEx Meetings Server allows remot ...) NOT-FOR-US: Cisco CVE-2014-8032 (The OutlookAction LI in Cisco WebEx Meetings Server allows remote auth ...) NOT-FOR-US: Cisco CVE-2014-8031 (Cross-site request forgery (CSRF) vulnerability in Cisco WebEx Meeting ...) NOT-FOR-US: Cisco CVE-2014-8030 (Cross-site scripting (XSS) vulnerability in sendPwMail.do in Cisco Web ...) NOT-FOR-US: Cisco CVE-2014-8029 (Open redirect vulnerability in the web interface in Cisco Secure Acces ...) NOT-FOR-US: Cisco CVE-2014-8028 (Multiple cross-site scripting (XSS) vulnerabilities in the web framewo ...) NOT-FOR-US: Cisco CVE-2014-8027 (The RBAC component in Cisco Secure Access Control System (ACS) allows ...) NOT-FOR-US: Cisco CVE-2014-8026 (Cross-site scripting (XSS) vulnerability in the Guest Server in Cisco ...) NOT-FOR-US: Cisco CVE-2014-8025 (The API in the Guest Server in Cisco Jabber, when HTML5 is used, allow ...) NOT-FOR-US: Cisco CVE-2014-8024 (The API in the Guest Server in Cisco Jabber, when the HTML5 CORS featu ...) NOT-FOR-US: Cisco CVE-2014-8023 (Cisco Adaptive Security Appliance (ASA) Software 9.2(.3) and earlier, ...) NOT-FOR-US: Cisco CVE-2014-8022 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco Identity ...) NOT-FOR-US: Cisco Identity Services Engine CVE-2014-8021 (Cross-site scripting (XSS) vulnerability in Cisco AnyConnect Secure Mo ...) NOT-FOR-US: Cisco CVE-2014-8020 (Cisco Unified Communication Domain Manager Platform Software allows re ...) NOT-FOR-US: Cisco CVE-2014-8019 (Directory traversal vulnerability in Cisco Enterprise Content Delivery ...) NOT-FOR-US: Cisco CVE-2014-8018 (Multiple cross-site scripting (XSS) vulnerabilities in Business Voice ...) NOT-FOR-US: Cisco CVE-2014-8017 (The periodic-backup feature in Cisco Identity Services Engine (ISE) al ...) NOT-FOR-US: Cisco CVE-2014-8016 (The Cisco IronPort Email Security Appliance (ESA) allows remote attack ...) NOT-FOR-US: Cisco CVE-2014-8015 (The Sponsor Portal in Cisco Identity Services Engine (ISE) allows remo ...) NOT-FOR-US: Cisco CVE-2014-8014 (Cisco IOS XR allows remote attackers to cause a denial of service (RSV ...) NOT-FOR-US: Cisco CVE-2014-8013 (The TACACS+ command-authorization implementation in Cisco NX-OS allows ...) NOT-FOR-US: Cisco CVE-2014-8012 (Cross-site scripting (XSS) vulnerability in the WebVPN Portal Login pa ...) NOT-FOR-US: Cisco CVE-2014-8011 RESERVED CVE-2014-8010 (The web framework in Cisco Unified Communications Domain Manager 8 all ...) NOT-FOR-US: Cisco Unified Communications Domain Manager CVE-2014-8009 (The Management subsystem in Cisco Unified Computing System 2.1(3f) and ...) NOT-FOR-US: Cisco Unified Computing System CVE-2014-8008 (Absolute path traversal vulnerability in the Real-Time Monitoring Tool ...) NOT-FOR-US: Cisco CVE-2014-8007 (Cisco Prime Infrastructure allows remote authenticated users to read d ...) NOT-FOR-US: Cisco CVE-2014-8006 (The Disaster Recovery (DRA) feature on the Cisco ISB8320-E High-Defini ...) NOT-FOR-US: Cisco CVE-2014-8005 (Race condition in the lighttpd module in Cisco IOS XR 5.1 and earlier ...) NOT-FOR-US: Cisco CVE-2014-8004 (Cisco IOS XR allows remote attackers to cause a denial of service (LIS ...) NOT-FOR-US: Cisco CVE-2014-8003 (Cisco Integrated Management Controller in Cisco Unified Computing Syst ...) NOT-FOR-US: Cisco Unified Computing System CVE-2014-8002 (Use-after-free vulnerability in decode_slice.cpp in Cisco OpenH264 1.2 ...) NOT-FOR-US: Cisco CVE-2014-8001 (Buffer overflow in decode.cpp in Cisco OpenH264 1.2.0 and earlier allo ...) NOT-FOR-US: Cisco CVE-2014-8000 (Cisco Unified Communications Manager IM and Presence Service 9.1(1) pr ...) NOT-FOR-US: Cisco CVE-2014-7999 (Cisco-Meraki MS, MR, and MX devices with firmware before 2014-09-24 al ...) NOT-FOR-US: Cisco-Meraki devices CVE-2014-7998 (Cisco IOS on Aironet access points, when "dot11 aaa authenticator" deb ...) NOT-FOR-US: Cisco IOS CVE-2014-7997 (The DHCP implementation in Cisco IOS on Aironet access points does not ...) NOT-FOR-US: Cisco IOS CVE-2014-7996 (Cross-site request forgery (CSRF) vulnerability in the web framework i ...) NOT-FOR-US: Cisco CVE-2014-7995 (Cisco-Meraki MS, MR, and MX devices with firmware before 2014-09-24 al ...) NOT-FOR-US: Cisco-Meraki devices CVE-2014-7994 (Cisco-Meraki MS, MR, and MX devices with firmware before 2014-09-24 al ...) NOT-FOR-US: Cisco-Meraki devices CVE-2014-7993 (Cisco-Meraki MS, MR, and MX devices with firmware before 2014-09-24 al ...) NOT-FOR-US: Cisco-Meraki devices CVE-2014-7992 (The DLSw implementation in Cisco IOS does not initialize packet buffer ...) NOT-FOR-US: Cisco IOS CVE-2014-7991 (The Remote Mobile Access Subsystem in Cisco Unified Communications Man ...) NOT-FOR-US: Cisco CVE-2014-7990 (Cisco IOS XE 3.5E and earlier on WS-C3850, WS-C3860, and AIR-CT5760 de ...) NOT-FOR-US: Cisco CVE-2014-7989 (Cisco Unified Computing System on B-Series blade servers allows local ...) NOT-FOR-US: Cisco CVE-2014-7988 (The Unified Messaging Service (UMS) in Cisco Unity Connection 10.5 and ...) NOT-FOR-US: Cisco CVE-2014-7987 (Cross-site scripting (XSS) vulnerability in EspoCRM before 2.6.0 allow ...) NOT-FOR-US: EspoCRM CVE-2014-7986 (install/index.php in EspoCRM before 2.6.0 allows remote attackers to r ...) NOT-FOR-US: EspoCRM CVE-2014-7985 (Directory traversal vulnerability in EspoCRM before 2.6.0 allows remot ...) NOT-FOR-US: EspoCRM CVE-2014-7984 (Joomla! CMS 2.5.x before 2.5.19 and 3.x before 3.2.3 allows remote att ...) NOT-FOR-US: Joomla! CVE-2014-7983 (Cross-site scripting (XSS) vulnerability in com_contact in Joomla! CMS ...) NOT-FOR-US: Joomla component com_contact CVE-2014-7982 (Cross-site scripting (XSS) vulnerability in Joomla! CMS 2.5.x before 2 ...) NOT-FOR-US: Joomla! CVE-2014-7981 (SQL injection vulnerability in Joomla! CMS 3.1.x and 3.2.x before 3.2. ...) NOT-FOR-US: Joomla! CVE-2014-7980 (Multiple cross-site scripting (XSS) vulnerabilities in template.php in ...) NOT-FOR-US: Drupal theme Zen CVE-2014-7979 (Cross-site scripting (XSS) vulnerability in the SimpleCorp theme 7.x-1 ...) NOT-FOR-US: Drupal theme SimpleCorp CVE-2014-7978 (Cross-site scripting (XSS) vulnerability in the BlueMasters theme 7.x- ...) NOT-FOR-US: Drupal theme BlueMasters CVE-2014-7977 RESERVED CVE-2014-7976 RESERVED CVE-2014-7974 RESERVED CVE-2014-7973 RESERVED CVE-2014-7972 RESERVED CVE-2014-7971 RESERVED CVE-2014-7969 REJECTED CVE-2014-7966 RESERVED CVE-2014-7965 RESERVED CVE-2014-7964 RESERVED CVE-2014-7963 RESERVED CVE-2014-7962 RESERVED CVE-2014-7961 RESERVED CVE-2014-7959 (SQL injection vulnerability in admin/htaccess/bpsunlock.php in the Bul ...) NOT-FOR-US: BulletProof Security plugin for WordPress CVE-2014-7958 (Cross-site scripting (XSS) vulnerability in admin/htaccess/bpsunlock.p ...) NOT-FOR-US: BulletProof Security plugin for WordPress CVE-2014-7957 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Pods ...) NOT-FOR-US: WordPress plugin Pods CVE-2014-7956 (Cross-site scripting (XSS) vulnerability in the Pods plugin before 2.5 ...) NOT-FOR-US: WordPress plugin Pods CVE-2014-7955 RESERVED CVE-2014-7954 (Directory traversal vulnerability in the doSendObjectInfo method in fr ...) NOT-FOR-US: MtpServer class in Android CVE-2014-7953 (Race condition in the bindBackupAgent method in the ActivityManagerSer ...) NOT-FOR-US: Android CVE-2014-7952 (The backup mechanism in the adb tool in Android might allow attackers ...) NOT-FOR-US: Android NOTE: the vulnerability is in the Android OS itself (and its backup manager) NOTE: adb is just an intermediary in the backup process CVE-2014-7951 (Directory traversal vulnerability in the Android debug bridge (aka adb ...) NOT-FOR-US: Android CVE-2014-7950 RESERVED CVE-2014-7949 RESERVED CVE-2014-7948 (The AppCacheUpdateJob::URLFetcher::OnResponseStarted function in conte ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7947 (OpenJPEG before r2944, as used in PDFium in Google Chrome before 40.0. ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser - openjpeg2 2.1.1-1 [jessie] - openjpeg2 (Minor issue) NOTE: If backported to jessie, https://github.com/uclouvain/openjpeg/commit/8f9cc62b3f9a1da9712329ddcedb9750d585505c needs to be included - openjpeg (Vulnerable code not present) CVE-2014-7946 (The RenderTable::simplifiedNormalFlowLayout function in core/rendering ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7945 (OpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0. ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7944 (The sycc422_to_rgb function in fxcodec/codec/fx_codec_jpx_opj.cpp in P ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7943 (Skia, as used in Google Chrome before 40.0.2214.91, allows remote atta ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7942 (The Fonts implementation in Google Chrome before 40.0.2214.91 does not ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7941 (The SelectionOwner::ProcessTarget function in ui/base/x/selection_owne ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7940 (The collator implementation in i18n/ucol.cpp in International Componen ...) {DSA-3187-1 DLA-219-1} - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser - icu 52.1-7.1 (bug #776265) CVE-2014-7939 (Google Chrome before 40.0.2214.91, when the Harmony proxy in Google V8 ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser - libv8-3.14 (unimportant; bug #773671) NOTE: libv8 not covered by security support CVE-2014-7938 (The Fonts implementation in Google Chrome before 40.0.2214.91 allows r ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7937 (Multiple off-by-one errors in libavcodec/vorbisdec.c in FFmpeg before ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser - ffmpeg 7:2.4.2-1 [squeeze] - ffmpeg - libav (bug #785326; can't reproduce the issue) [jessie] - libav (Can't reproduce the issue) [wheezy] - libav (Can't reproduce the issue) NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=8c50704ebf1777bee76772c4835d9760b3721057 CVE-2014-7936 (Use-after-free vulnerability in the ZoomBubbleView::Close function in ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7935 (Use-after-free vulnerability in browser/speech/tts_message_filter.cc i ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7934 (Use-after-free vulnerability in the DOM implementation in Blink, as us ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7933 (Use-after-free vulnerability in the matroska_read_seek function in lib ...) {DSA-3189-1} - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser - ffmpeg 7:2.5.1-1 [squeeze] - ffmpeg - libav 6:11.3-1 NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=490a3ebf36821b81f73e34ad3f554cb523dd2682 NOTE: libav: https://git.libav.org/?p=libav.git;a=commit;h=490a3ebf36821b81f73e34ad3f554cb523dd2682 CVE-2014-7932 (Use-after-free vulnerability in the Element::detach function in core/d ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7931 (factory.cc in Google V8, as used in Google Chrome before 40.0.2214.91, ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser - libv8-3.14 (unimportant; bug #773671) NOTE: libv8 not covered by security support CVE-2014-7930 (Use-after-free vulnerability in core/events/TreeScopeEventContext.cpp ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7929 (Use-after-free vulnerability in the HTMLScriptElement::didMoveToNewDoc ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7928 (hydrogen.cc in Google V8, as used Google Chrome before 40.0.2214.91, d ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser - libv8-3.14 (unimportant; bug #773671) NOTE: libv8 not covered by security support CVE-2014-7927 (The SimplifiedLowering::DoLoadBuffer function in compiler/simplified-l ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser - libv8-3.14 (unimportant; bug #773671) NOTE: libv8 not covered by security support CVE-2014-7926 (The Regular Expressions package in International Components for Unicod ...) {DSA-3187-1 DLA-219-1} - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser - icu 52.1-7.1 (bug #776265) CVE-2014-7925 (Use-after-free vulnerability in the WebAudio implementation in Blink, ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7924 (Use-after-free vulnerability in the IndexedDB implementation in Google ...) - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7923 (The Regular Expressions package in International Components for Unicod ...) {DSA-3187-1 DLA-219-1} - chromium-browser 40.0.2214.91-1 [wheezy] - chromium-browser [squeeze] - chromium-browser - icu 52.1-7.1 (bug #776265) CVE-2014-7922 (The GoogleAuthUtil.getToken method in the Google Play services SDK bef ...) NOT-FOR-US: Google Play CVE-2014-7921 (mediaserver in Android 4.0.3 through 5.x before 5.1 allows attackers t ...) NOT-FOR-US: Android MediaServer CVE-2014-7920 (mediaserver in Android 2.2 through 5.x before 5.1 allows attackers to ...) NOT-FOR-US: Android MediaServer CVE-2014-7919 (b/libs/gui/ISurfaceComposer.cpp in Android allows attackers to trigger ...) NOT-FOR-US: Android CVE-2014-7918 RESERVED CVE-2014-7917 (Integer overflow in SampleTable.cpp in libstagefright in Android befor ...) NOT-FOR-US: libstagefright in Android CVE-2014-7916 (Integer overflow in SampleTable.cpp in libstagefright in Android befor ...) NOT-FOR-US: libstagefright in Android CVE-2014-7915 (Integer overflow in SampleTable.cpp in libstagefright in Android befor ...) NOT-FOR-US: libstagefright in Android CVE-2014-7914 (btif/src/btif_dm.c in Android before 5.1 does not properly enforce the ...) NOT-FOR-US: Android CVE-2014-7913 (The print_option function in dhcp-common.c in dhcpcd through 6.9.1, as ...) {DLA-506-1} - dhcpcd5 7.0.8-0.1 (unimportant; bug #846938) NOTE: https://roy.marples.name/git/dhcpcd.git/commit/?id=93f3066bb0bc0974eab1943543205312a6b512ad NOTE: Not exploitable according to upstream, possibly limited to Bionic CVE-2014-7912 (The get_option function in dhcp.c in dhcpcd before 6.2.0, as used in d ...) {DLA-506-1} - dhcpcd5 6.9.1-1 [jessie] - dhcpcd5 (Minor issue) NOTE: https://dev.marples.name/rDHCc204b018d1cfe740fb3179532070ae10fe34aaf3 CVE-2014-7911 (luni/src/main/java/java/io/ObjectInputStream.java in the java.io.Objec ...) NOT-FOR-US: Android CVE-2014-7910 (Multiple unspecified vulnerabilities in Google Chrome before 39.0.2171 ...) - chromium-browser 39.0.2171.71-1 [wheezy] - chromium-browser [squeeze] - chromium-browser NOTE: https://code.google.com/p/chromium/issues/detail?id=433500 (private) CVE-2014-7909 (effects/SkDashPathEffect.cpp in Skia, as used in Google Chrome before ...) - chromium-browser 39.0.2171.71-1 [wheezy] - chromium-browser [squeeze] - chromium-browser NOTE: https://code.google.com/p/chromium/issues/detail?id=391001 (private) CVE-2014-7908 (Multiple integer overflows in the CheckMov function in media/base/cont ...) - chromium-browser 39.0.2171.71-1 [wheezy] - chromium-browser [squeeze] - chromium-browser NOTE: https://code.google.com/p/chromium/issues/detail?id=425980 (private) CVE-2014-7907 (Multiple use-after-free vulnerabilities in modules/screen_orientation/ ...) - chromium-browser 39.0.2171.71-1 [wheezy] - chromium-browser [squeeze] - chromium-browser NOTE: https://code.google.com/p/chromium/issues/detail?id=424453 (private) CVE-2014-7906 (Use-after-free vulnerability in the Pepper plugins in Google Chrome be ...) - chromium-browser 39.0.2171.71-1 [wheezy] - chromium-browser [squeeze] - chromium-browser NOTE: https://code.google.com/p/chromium/issues/detail?id=423030 (private) CVE-2014-7905 (Google Chrome before 39.0.2171.65 on Android does not prevent navigati ...) - chromium-browser 39.0.2171.71-1 [wheezy] - chromium-browser [squeeze] - chromium-browser NOTE: https://code.google.com/p/chromium/issues/detail?id=421817 (private) CVE-2014-7904 (Buffer overflow in Skia, as used in Google Chrome before 39.0.2171.65, ...) - chromium-browser 39.0.2171.71-1 [wheezy] - chromium-browser [squeeze] - chromium-browser NOTE: https://code.google.com/p/chromium/issues/detail?id=418161 (private) CVE-2014-7903 (Buffer overflow in OpenJPEG before r2911 in PDFium, as used in Google ...) - chromium-browser 39.0.2171.71-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7902 (Use-after-free vulnerability in PDFium, as used in Google Chrome befor ...) - chromium-browser 39.0.2171.71-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7901 (Integer overflow in the opj_t2_read_packet_data function in fxcodec/fx ...) - chromium-browser 39.0.2171.71-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7900 (Use-after-free vulnerability in the CPDF_Parser::IsLinearizedFile func ...) - chromium-browser 39.0.2171.71-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7899 (Google Chrome before 38.0.2125.101 allows remote attackers to spoof th ...) - chromium-browser 39.0.2171.71-1 [wheezy] - chromium-browser [squeeze] - chromium-browser NOTE: http://googlechromereleases.blogspot.com/2014/11/stable-channel-update_18.html NOTE: https://chromium.googlesource.com/chromium/src/+/5cfbddc9cc972f5133f26664dbf5810bb569cd04 CVE-2014-7898 (The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sa ...) NOT-FOR-US: The OLE Point of Sale (OPOS) drivers CVE-2014-7897 (The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sa ...) NOT-FOR-US: The OLE Point of Sale (OPOS) drivers CVE-2014-7896 (Multiple cross-site scripting (XSS) vulnerabilities in HP XP P9000 Com ...) NOT-FOR-US: HP CVE-2014-7895 (The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sa ...) NOT-FOR-US: The OLE Point of Sale (OPOS) drivers CVE-2014-7894 (The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sa ...) NOT-FOR-US: The OLE Point of Sale (OPOS) drivers CVE-2014-7893 (The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sa ...) NOT-FOR-US: The OLE Point of Sale (OPOS) drivers CVE-2014-7892 (The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sa ...) NOT-FOR-US: The OLE Point of Sale (OPOS) drivers CVE-2014-7891 (The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sa ...) NOT-FOR-US: The OLE Point of Sale (OPOS) drivers CVE-2014-7890 (The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sa ...) NOT-FOR-US: The OLE Point of Sale (OPOS) drivers CVE-2014-7889 (The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sa ...) NOT-FOR-US: The OLE Point of Sale (OPOS) drivers CVE-2014-7888 (The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sa ...) NOT-FOR-US: The OLE Point of Sale (OPOS) drivers CVE-2014-7887 REJECTED CVE-2014-7886 RESERVED NOT-FOR-US: HP Network Automation CVE-2014-7885 (Multiple unspecified vulnerabilities in HP ArcSight Enterprise Securit ...) NOT-FOR-US: HP ArcSight CVE-2014-7884 (Multiple unspecified vulnerabilities in HP ArcSight Logger before 6.0P ...) NOT-FOR-US: HP ArcSight CVE-2014-7883 (HP Universal CMDB (UCMDB) Probe 9.05, 10.01, and 10.11 enables the HTT ...) NOT-FOR-US: HP CVE-2014-7882 (Unspecified vulnerability in HP SiteScope 11.1x and 11.2x allows remot ...) NOT-FOR-US: HP SiteScope CVE-2014-7881 (Cross-site scripting (XSS) vulnerability in the server in HP Insight C ...) NOT-FOR-US: HP Insight Control CVE-2014-7880 (Multiple unspecified vulnerabilities in the POP implementation in HP O ...) NOT-FOR-US: HP OpenVMS TCP/IP CVE-2014-7879 (HP HP-UX B.11.11, B.11.23, and B.11.31, when the PAM configuration inc ...) NOT-FOR-US: HP-UX CVE-2014-7878 (The Application Lifecycle Service (ALS) in HP Helion Cloud Development ...) NOT-FOR-US: HP Helion Cloud Development Platform CVE-2014-7877 (Unspecified vulnerability in the kernel in HP HP-UX B.11.31 allows loc ...) NOT-FOR-US: HP-UX CVE-2014-7876 (Unspecified vulnerability in HP Integrated Lights-Out (iLO) firmware 2 ...) NOT-FOR-US: HP Integrated Lights-Out CVE-2014-7875 (Unspecified vulnerability on the HP LaserJet CM3530 Multifunction Prin ...) NOT-FOR-US: HP Color LaserJet Printers CVE-2014-7874 (Cross-site request forgery (CSRF) vulnerability in HP System Managemen ...) NOT-FOR-US: HP-UX running System Management Homepage CVE-2014-7873 RESERVED CVE-2014-7872 (Comodo GeekBuddy before 4.18.121 does not restrict access to the VNC s ...) NOT-FOR-US: Comodo GeekBuddy CVE-2014-7871 (SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2 ...) NOT-FOR-US: Open-Xchange CVE-2014-7870 (Cross-site scripting (XSS) vulnerability in the Custom Search module 6 ...) NOT-FOR-US: Drupal module Custom Search CVE-2014-7869 (Cross-site scripting (XSS) vulnerability in the configuration UI in th ...) NOT-FOR-US: Drupal module Context Form Alteration CVE-2014-7868 (Multiple SQL injection vulnerabilities in ZOHO ManageEngine OpManager ...) NOT-FOR-US: ZOHO CVE-2014-7867 (SQL injection vulnerability in the com.manageengine.opmanager.servlet. ...) NOT-FOR-US: ZOHO CVE-2014-7866 (Multiple directory traversal vulnerabilities in ZOHO ManageEngine OpMa ...) NOT-FOR-US: ZOHO CVE-2014-7865 REJECTED CVE-2014-7864 (Multiple SQL injection vulnerabilities in the FailOverHelperServlet (a ...) NOT-FOR-US: ZOHO ManageEngine OpManager CVE-2014-7863 (The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngi ...) NOT-FOR-US: ZOHO ManageEngine CVE-2014-7862 (The DCPluginServelet servlet in ManageEngine Desktop Central and Deskt ...) NOT-FOR-US: ManageEngine CVE-2014-7861 (The IOHIDSecurePromptClient function in Apple OS X does not properly v ...) NOT-FOR-US: Apple OS X CVE-2011-5282 (mIRC prior to 7.22 has a message leak because chopping of outbound mes ...) NOT-FOR-US: mIRC CVE-2008-7314 (mIRC before 6.35 allows attackers to cause a denial of service (crash) ...) NOT-FOR-US: mIRC CVE-2014-7975 (The do_umount function in fs/namespace.c in the Linux kernel through 3 ...) - linux 3.16.7-1 [wheezy] - linux (User namespaces only usable in later kernels) - linux-2.6 [squeeze] - linux-2.6 (User namespaces only usable in later kernels) NOTE: http://thread.gmane.org/gmane.linux.kernel.stable/109312 NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0ef3a56b1c466629cd0bf482b09c7b0e5a085bb5 (v3.18-rc1) CVE-2014-7970 (The pivot_root implementation in fs/namespace.c in the Linux kernel th ...) [wheezy] - linux (User namespaces only usable in later kernels) - linux-2.6 (User namespaces only usable in later kernels) - linux 3.16.7-1 NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0d0826019e529f21c84687521d03f60cd241ca7d CVE-2014-7968 (VDSM allows remote attackers to cause a denial of service (connection ...) - vdsm (bug #668538) CVE-2014-7967 (Multiple unspecified vulnerabilities in Google V8 before 3.28.71.15, a ...) - libv8 [wheezy] - libv8 (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 (Unsupported in squeeze-lts) - libv8-3.14 (unimportant; bug #773671) - chromium-browser 38.0.2125.101-1 [wheezy] - chromium-browser [squeeze] - chromium-browser NOTE: libv8 not covered by security support CVE-2014-7960 (OpenStack Object Storage (Swift) before 2.2.0 allows remote authentica ...) - swift 2.2.0-1 [wheezy] - swift (Minor issue) NOTE: affected version: all up to 2.1.0 CVE-2014-7860 (The web/web_file/fb_publish.php script in D-Link DNS-320L before 1.04b ...) NOT-FOR-US: D-Link CVE-2014-7859 (Stack-based buffer overflow in login_mgr.cgi in D-Link firmware DNR-32 ...) NOT-FOR-US: D-Link CVE-2014-7858 (The check_login function in D-Link DNR-326 before 2.10 build 03 allows ...) NOT-FOR-US: D-Link CVE-2014-7857 (D-Link DNS-320L firmware before 1.04b12, DNS-327L before 1.03b04 Build ...) NOT-FOR-US: D-Link CVE-2014-7856 RESERVED CVE-2014-7855 RESERVED CVE-2014-7854 RESERVED CVE-2014-7853 (The JBoss Application Server (WildFly) JacORB subsystem in Red Hat JBo ...) NOT-FOR-US: JBoss AS/WildFly Domain Management CVE-2014-7852 (Cross-site scripting (XSS) vulnerability in JBoss RichFaces, as used i ...) NOT-FOR-US: RichFaces CVE-2014-7851 (oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session afte ...) NOT-FOR-US: ovirt-engine-webadmin CVE-2014-7850 (Cross-site scripting (XSS) vulnerability in the Web UI in FreeIPA 4.x ...) - freeipa 4.3.1-1 (unimportant) NOTE: https://fedorahosted.org/freeipa/ticket/4742 NOTE: Upstream commit: https://pagure.io/freeipa/c/af9fd4dfe2c18e52127480c959c35ad37b566095 CVE-2014-7849 (The Role Based Access Control (RBAC) implementation in JBoss Enterpris ...) NOT-FOR-US: JBoss AS/WildFly Domain Management CVE-2014-7848 (lib/phpunit/bootstrap.php in Moodle 2.6.x before 2.6.6 and 2.7.x befor ...) - moodle 2.7.5+dfsg-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47287 CVE-2014-7847 (iplookup/index.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x ...) - moodle 2.7.5+dfsg-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47321 CVE-2014-7846 (tag/tag_autocomplete.php in Moodle through 2.4.11, 2.5.x before 2.5.9, ...) - moodle 2.7.5+dfsg-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47965 CVE-2014-7845 (The generate_password function in Moodle through 2.4.11, 2.5.x before ...) - moodle 2.7.5+dfsg-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47050 CVE-2014-7844 (BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitra ...) {DSA-3105-1 DSA-3104-1 DLA-114-1 DLA-113-1} - bsd-mailx 8.1.2-0.20141216cvs-1 - heirloom-mailx 12.5-3.1 (bug #773417) CVE-2014-7843 (The __clear_user function in arch/arm64/lib/clear_user.S in the Linux ...) - linux 3.16.7-ckt2-1 [wheezy] - linux (arm64 support introduced in 3.7) - linux-2.6 (arm64 support introduced in 3.7) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1163744 NOTE: Upstream patch proposal: https://lkml.org/lkml/2014/11/12/584 CVE-2014-7842 (Race condition in arch/x86/kvm/x86.c in the Linux kernel before 3.17.4 ...) - linux 3.16.7-ckt2-1 [wheezy] - linux 3.2.65-1 - linux-2.6 [squeeze] - linux-2.6 (KVM not supported in Squeeze LTS) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a2b9e6c1a35a (v3.18-rc1) CVE-2014-7841 (The sctp_process_param function in net/sctp/sm_make_chunk.c in the SCT ...) {DSA-3093-1 DLA-118-1} - linux 3.16.7-ckt2-1 - linux-2.6 NOTE: Upstream patch: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e40607cbe270a9e8360907cb1e62ddf0736e4864 (v3.18-rc5) CVE-2014-7840 (The host_from_stream_offset function in arch_init.c in QEMU, when load ...) - qemu 2.1+dfsg-8 (low; bug #769451) [wheezy] - qemu (Minor issue, hardly exploitable in practice) [squeeze] - qemu (Minor issue, hardly exploitable in practice) - qemu-kvm (low) [wheezy] - qemu-kvm (Minor issue, hardly exploitable in practice) [squeeze] - qemu-kvm (Minor issue, hardly exploitable in practice) NOTE: http://thread.gmane.org/gmane.comp.emulators.qemu/306117 CVE-2014-7839 (DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1 ...) - resteasy 3.0.6-2 (bug #770544) NOTE: https://issues.jboss.org/browse/RESTEASY-1130 CVE-2014-7838 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Foru ...) - moodle 2.7.5+dfsg-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47924 CVE-2014-7837 (mod/wiki/admin.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x ...) - moodle 2.7.5+dfsg-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47949 CVE-2014-7836 (Multiple cross-site request forgery (CSRF) vulnerabilities in the LTI ...) - moodle 2.7.5+dfsg-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47924 CVE-2014-7835 (webservice/upload.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2. ...) - moodle 2.7.5+dfsg-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47868 CVE-2014-7834 (mod/forum/externallib.php in Moodle 2.6.x before 2.6.6 and 2.7.x befor ...) - moodle 2.7.5+dfsg-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45303 CVE-2014-7833 (mod/data/edit.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x ...) - moodle 2.7.5+dfsg-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47697 CVE-2014-7832 (mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x b ...) - moodle 2.7.5+dfsg-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47921 CVE-2014-7831 (lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 does not ...) - moodle 2.7.5+dfsg-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47766 CVE-2014-7830 (Cross-site scripting (XSS) vulnerability in mod/feedback/mapcourse.php ...) - moodle 2.7.5+dfsg-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47865 CVE-2014-7829 (Directory traversal vulnerability in actionpack/lib/action_dispatch/mi ...) - rails 2:4.1.8-1 (bug #770934) [wheezy] - rails (src:rails in wheezy is just a transition package) [squeeze] - rails (Only affects >= 3) - rails-3.2 - ruby-actionpack-3.2 [wheezy] - ruby-actionpack-3.2 (Minor issue) - ruby-actionpack-2.3 (Only affects >= 3) CVE-2014-7828 (FreeIPA 4.0.x before 4.0.5 and 4.1.x before 4.1.1, when 2FA is enabled ...) - freeipa 4.0.5-1 (bug #768294) NOTE: https://fedorahosted.org/freeipa/ticket/4690 CVE-2014-7827 (The org.jboss.security.plugins.mapping.JBossMappingManager implementat ...) NOT-FOR-US: JBoss Security CVE-2014-7826 (kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does ...) - linux 3.16.7-ckt2-1 [wheezy] - linux (Vulnerable code introduced later) - linux-2.6 (Vulnerable code introduced later) NOTE: Fixed by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=086ba77a6db00ed858ff07451bedee197df868c9 (v3.18-rc3) NOTE: Support for SOFT_DISABLE to syscall events was added in https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d562aff93bfb530b0992141500a402d17081189d (v3.13-rc1) CVE-2014-7825 (kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does ...) - linux 3.16.7-ckt2-1 [wheezy] - linux (Affected feature not enabled) - linux-2.6 [squeeze] - linux-2.6 (Affected feature not enabled) NOTE: CONFIG_FTRACE_SYSCALL not enabled in squeeze NOTE: Fixed by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=086ba77a6db00ed858ff07451bedee197df868c9 (v3.18-rc3) CVE-2014-7824 (D-Bus 1.3.0 through 1.6.x before 1.6.26, 1.8.x before 1.8.10, and 1.9. ...) {DSA-3099-1} - dbus 1.8.10-1 [squeeze] - dbus (dbus 1.2.x does not support FD passing) NOTE: Since this CVE is only a complement for the fix to CVE-2014-3636, versions not affected by CVE-2014-3636 do not need the patch provided for this CVE. CVE-2014-7823 (The virDomainGetXMLDesc API in Libvirt before 1.2.11 allows remote rea ...) - libvirt 1.2.9-4 (bug #769149) [wheezy] - libvirt (Introduced in v1.0.0) [squeeze] - libvirt (Introduced in v1.0.0) NOTE: Introduced in http://libvirt.org/git/?p=libvirt.git;a=commit;h=28f8dfdcccd4c0f69063ef741545b37d8a7f7935 (v1.0.0) NOTE: Fixed by http://libvirt.org/git/?p=libvirt.git;a=commit;h=b1674ad5a97441b7e1bd5f5ebaff498ef2fbb11b CVE-2014-7822 (The implementation of certain splice_write file operations in the Linu ...) {DSA-3170-1 DLA-155-1} - linux 3.16.2-1 - linux-2.6 NOTE: Upstream fixes: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8d0207652cbe27d1f962050737848e5ad4671958 (v3.16-rc1) CVE-2014-7821 (OpenStack Neutron before 2014.1.4 and 2014.2.x before 2014.2.1 allows ...) - neutron 2014.1.3-6 (bug #770431) NOTE: Versions up to 2014.1.3 and 2014.2 NOTE: https://launchpad.net/bugs/1378450 CVE-2014-7820 RESERVED CVE-2014-7819 (Multiple directory traversal vulnerabilities in server.rb in Sprockets ...) - ruby-sprockets 2.12.3-1 [wheezy] - ruby-sprockets (Minor issue) CVE-2014-7818 (Directory traversal vulnerability in actionpack/lib/action_dispatch/mi ...) - rails 2:4.1.8-1 (bug #770934) [wheezy] - rails (src:rails in wheezy is just a transition package) [squeeze] - rails (Only affects >= 3) - rails-3.2 - ruby-actionpack-3.2 [wheezy] - ruby-actionpack-3.2 (Minor issue) - ruby-actionpack-2.3 (Only affects >= 3) CVE-2014-7817 (The wordexp function in GNU C Library (aka glibc) 2.21 does not enforc ...) {DSA-3142-1 DLA-97-1} - glibc 2.19-14 (bug #775572) - eglibc [wheezy] - eglibc (Will be fixed through a point update) NOTE: https://sourceware.org/ml/libc-alpha/2014-11/msg00519.html NOTE: Git commit: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c CVE-2014-7816 (Directory traversal vulnerability in JBoss Undertow 1.0.x before 1.0.1 ...) - undertow (only when running on Windows) CVE-2014-7815 (The set_pixel_format function in ui/vnc.c in QEMU allows remote attack ...) {DSA-3067-1 DSA-3066-1} - qemu 2.1+dfsg-7 [squeeze] - qemu (Unsupported in squeeze-lts) - qemu-kvm [squeeze] - qemu-kvm NOTE: Upstream commit: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e6908bfe8e07f2b452e78e677da1b45b1c0f6829 CVE-2014-7814 (SQL injection vulnerability in Red Hat CloudForms 3.1 Management Engin ...) NOT-FOR-US: Red Hat CloudForms Management Engine CVE-2014-7813 (Red Hat CloudForms 3 Management Engine (CFME) allows remote authentica ...) NOT-FOR-US: Red Hat CloudForms Management Engine CVE-2014-7812 (Cross-site scripting (XSS) vulnerability in Spacewalk and Red Hat Netw ...) NOT-FOR-US: Red Hat Satellite / Spacewalk CVE-2014-7811 (Multiple cross-site scripting (XSS) vulnerabilities in Spacewalk and R ...) NOT-FOR-US: Red Hat Satellite / Spacewalk CVE-2014-7810 (The Expression Language (EL) implementation in Apache Tomcat 6.x befor ...) {DSA-3530-1 DSA-3447-1 DSA-3428-1 DLA-232-1} - tomcat6 6.0.41-3 (bug #787010) NOTE: Marked as fixed in 6.0.41-3 which only builds the libservlet2.5-java and libservlet2.5-java-doc packages - tomcat7 7.0.61-1 - tomcat8 8.0.21-2 NOTE: http://svn.apache.org/viewvc?view=revision&revision=1645366 (6.x) NOTE: http://svn.apache.org/viewvc?view=revision&revision=1659538 (6.x) NOTE: http://svn.apache.org/viewvc?view=revision&revision=1644019 (7.x) NOTE: http://svn.apache.org/viewvc?view=revision&revision=1645644 (7.x) CVE-2014-7809 (Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s ...) - libstruts1.2-java (Struts 2.0.0 through to Struts 2.3.16.3) CVE-2014-7808 (Apache Wicket before 1.5.13, 6.x before 6.19.0, and 7.x before 7.0.0-M ...) NOT-FOR-US: Apache Wicket CVE-2014-7807 (Apache CloudStack 4.3.x before 4.3.2 and 4.4.x before 4.4.2 allows rem ...) NOT-FOR-US: Apache CloudStack CVE-2014-7806 REJECTED CVE-2014-7805 REJECTED CVE-2014-7804 (The Gangsta Auto Thief III (aka com.apptreestudios.gdup3) application ...) NOT-FOR-US: Gangsta Auto Thief III (aka com.apptreestudios.gdup3) application for Android CVE-2014-7803 (The Woodward Bail (aka com.onesolutionapps.woodwardbailandroid) applic ...) NOT-FOR-US: Woodward Bail (aka com.onesolutionapps.woodwardbailandroid) application for Android CVE-2014-7802 (The Top Roller Coasters Europe 2 (aka com.appaapps.top10tallesteuropea ...) NOT-FOR-US: Top Roller Coasters Europe 2 (aka com.appaapps.top10tallesteuropeanrollercoasters2) application for Android CVE-2014-7801 REJECTED CVE-2014-7800 (The Daily Green (aka it.opentt.blog.dailygreen) application 2014.07 dl ...) NOT-FOR-US: Daily Green (aka it.opentt.blog.dailygreen) application for Android CVE-2014-7799 (The Squishy birds (aka com.tatmob.squishybirds) application 1.0.1 for ...) NOT-FOR-US: Squishy birds (aka com.tatmob.squishybirds) application for Android CVE-2014-7798 (The Coca-Cola FM Brasil (aka com.enyetech.radio.coca_cola.fm_br) appli ...) NOT-FOR-US: Coca-Cola FM Brasil (aka com.enyetech.radio.coca_cola.fm_br) application for Android CVE-2014-7797 (The Thai food (aka com.foods.thaifood) application 1.0 for Android doe ...) NOT-FOR-US: Thai food (aka com.foods.thaifood) application for Android CVE-2014-7796 (The House365 Radio (aka com.nobexinc.wls_27853803.rc) application 3.2. ...) NOT-FOR-US: House365 Radio (aka com.nobexinc.wls_27853803.rc) application for Android CVE-2014-7795 (The Harpers Bazaar Art (aka com.itp.harpersart) application @7F080181 ...) NOT-FOR-US: Harpers Bazaar Art (aka com.itp.harpersart) application for Android CVE-2014-7794 (The Knights of the Void (aka me.narr8.android.serial.knights_of_the_vo ...) NOT-FOR-US: Knights of the Void (aka me.narr8.android.serial.knights_of_the_void) application for Android CVE-2014-7793 (The CB - Calciatori Brutti (aka com.calciatori.brutti) application 1.0 ...) NOT-FOR-US: CB - Calciatori Brutti (aka com.calciatori.brutti) application for Android CVE-2014-7792 REJECTED CVE-2014-7791 (The Backyard Wrestling (aka com.wBackyardWrestling) application 0.1 fo ...) NOT-FOR-US: Backyard Wrestling (aka com.wBackyardWrestling) application for Android CVE-2014-7790 REJECTED CVE-2014-7789 (The Zillion Muslims (aka com.zillionmuslims.src) application 1.1 for A ...) NOT-FOR-US: Zillion Muslims (aka com.zillionmuslims.src) application for Android CVE-2014-7788 (The Best Free Giveaways (aka com.wIphone5GiveAways) application 0.1 fo ...) NOT-FOR-US: Best Free Giveaways (aka com.wIphone5GiveAways) application for Android CVE-2014-7787 (The iShuttle (aka com.synapse.ishuttle_user) application 1.0 for Andro ...) NOT-FOR-US: iShuttle (aka com.synapse.ishuttle_user) application for Android CVE-2014-7786 (The English Football Magazine (aka com.magzter.englishfootball) applic ...) NOT-FOR-US: English Football Magazine (aka com.magzter.englishfootball) application for Android CVE-2014-7785 (The AAAA Discount Bail (aka com.onesolutionapps.aaaadiscountbailandroi ...) NOT-FOR-US: AAAA Discount Bail (aka com.onesolutionapps.aaaadiscountbailandroid) application for Android CVE-2014-7784 (The Schon! Magazine (aka com.magzter.schonmagazine) application 3.0 fo ...) NOT-FOR-US: Schon! Magazine (aka com.magzter.schonmagazine) application for Android CVE-2014-7783 (The Bill G. Bennett (aka com.billgbennett) application 1.0 for Android ...) NOT-FOR-US: Bill G. Bennett (aka com.billgbennett) application for Android CVE-2014-7782 (The Macedonia Hacienda Hotel (aka appinventor.ai_orolimpio999.HotelMac ...) NOT-FOR-US: Macedonia Hacienda Hotel (aka appinventor.ai_orolimpio999.HotelMacedonia) application for Android CVE-2014-7781 (The Marijuana Handbook Lite - Weed (aka com.fallacystudios.marijuanaha ...) NOT-FOR-US: Marijuana Handbook Lite - Weed (aka com.fallacystudios.marijuanahandbooklite) application for Android CVE-2014-7780 (The Pakistan Cricket News (aka com.conduit.app_cf18df8bdf454eb0a836e2d ...) NOT-FOR-US: Pakistan Cricket News (aka com.conduit.app_cf18df8bdf454eb0a836e2d29886bc40.app) application for Android CVE-2014-7779 (The Kuran'in Bilimsel Mucizeleri (aka com.wKurannBilimselMucizeleri) a ...) NOT-FOR-US: Kuran'in Bilimsel Mucizeleri (aka com.wKurannBilimselMucizeleri) application for Android CVE-2014-7778 (The Epc World (aka com.magzter.epcworld) application 3.1 for Android d ...) NOT-FOR-US: Epc World (aka com.magzter.epcworld) application for Android CVE-2014-7777 (The Slingshot Forum (aka com.tapatalk.theslingshotforumcom) applicatio ...) NOT-FOR-US: Slingshot Forum (aka com.tapatalk.theslingshotforumcom) application for Android CVE-2014-7776 (The Kavita KS (aka com.snaplion.kavitaks) application 2.4 for Android ...) NOT-FOR-US: Kavita KS (aka com.snaplion.kavitaks) application for Android CVE-2014-7775 (The Champak - Hindi (aka com.magzter.champakhindi) application 3.0.1 f ...) NOT-FOR-US: Champak - Hindi (aka com.magzter.champakhindi) application for Android CVE-2014-7774 (The Herbs & Flowers Dictionary (aka com.wHerbsNFlowersDictionary) ...) NOT-FOR-US: Herbs & Flowers Dictionary (aka com.wHerbsNFlowersDictionary) application for Android CVE-2014-7773 (The Cleveland Football STREAM (aka com.appstronautme.clevelandfootball ...) NOT-FOR-US: Cleveland Football STREAM (aka com.appstronautme.clevelandfootballstream) application for Android CVE-2014-7772 (The MB Tickets (aka com.xcr.android.mbtickets) application 3.0.1 for A ...) NOT-FOR-US: MB Tickets (aka com.xcr.android.mbtickets) application for Android CVE-2014-7771 (The World Tamil Bayan (aka com.wWorldTamilBayan) application 0.1 for A ...) NOT-FOR-US: World Tamil Bayan (aka com.wWorldTamilBayan) application for Android CVE-2014-7770 (The Lagu POP Indonesia (aka com.lagu.pop.indonesia.xygwphqpuomclljvaa) ...) NOT-FOR-US: Lagu POP Indonesia (aka com.lagu.pop.indonesia.xygwphqpuomclljvaa) application for Android CVE-2014-7769 (The Accurate Lending (aka com.soln.S7B193908AEA1937C7CBB4E889A46D3C0) ...) NOT-FOR-US: Accurate Lending (aka com.soln.S7B193908AEA1937C7CBB4E889A46D3C0) application for Android CVE-2014-7768 (The Analects of Confucius (aka com.azbc88881.lunyu) application 8.0 fo ...) NOT-FOR-US: Analects of Confucius (aka com.azbc88881.lunyu) application for Android CVE-2014-7767 (The A+ (aka cn.xrzcm) application 1.0.1 for Android does not verify X. ...) NOT-FOR-US: A+ (aka cn.xrzcm) application for Android CVE-2014-7766 (The 7 Habits Personal Development (aka appinventor.ai_ingka_d_jiw.TheC ...) NOT-FOR-US: 7 Habits Personal Development (aka appinventor.ai_ingka_d_jiw.TheCompleteGuideToApplyingThe7HabitsInHolisticPersonalDevelopment) application for Android CVE-2014-7765 (The Hundred Thousands Kid Book (aka it.tinytap.attsa.thousands) applic ...) NOT-FOR-US: Hundred Thousands Kid Book (aka it.tinytap.attsa.thousands) application for Android CVE-2014-7764 (The Semper Invicta Fitness (aka com.semper.invicta.fitness) applicatio ...) NOT-FOR-US: Semper Invicta Fitness (aka com.semper.invicta.fitness) application for Android CVE-2014-7763 (The Listen up! mirucho (aka jp.ameba.kiiteyo.android) application 1.1. ...) NOT-FOR-US: Listen up! mirucho (aka jp.ameba.kiiteyo.android) application for Android CVE-2014-7762 (The Bite it! (aka com.ASA1Touch.Bite_it) application 1.1.8 for Android ...) NOT-FOR-US: Bite it! (aka com.ASA1Touch.Bite_it) application for Android CVE-2014-7761 (The Ink Cards (aka com.sincerely.android.ink) application 2.0.4 for An ...) NOT-FOR-US: Ink Cards (aka com.sincerely.android.ink) application for Android CVE-2014-7760 (The Health assistance service (aka net.nttcloud.ft.karada) application ...) NOT-FOR-US: Health assistance service (aka net.nttcloud.ft.karada) application for Android CVE-2014-7759 (The Jazz Lovers Radio (aka com.nobexinc.wls_99273254.rc) application 3 ...) NOT-FOR-US: Jazz Lovers Radio (aka com.nobexinc.wls_99273254.rc) application for Android CVE-2014-7758 (The AMKAMAL Science Portfolio (aka com.wAMKAMALSciencePortfolio) appli ...) NOT-FOR-US: AMKAMAL Science Portfolio (aka com.wAMKAMALSciencePortfolio) application for Android CVE-2014-7757 (The Awful Ninja Game (aka com.absolutelyawfulapplications.awfulninjaga ...) NOT-FOR-US: Awful Ninja Game (aka com.absolutelyawfulapplications.awfulninjagame) application for Android CVE-2014-7756 (The Radiohead fan (aka nl.jborsje.android.bandnews.radiohead) applicat ...) NOT-FOR-US: Radiohead fan (aka nl.jborsje.android.bandnews.radiohead) application for Android CVE-2014-7755 (The eTopUpOnline (aka com.moremagic.etopup.client.android) application ...) NOT-FOR-US: eTopUpOnline (aka com.moremagic.etopup.client.android) application for Android CVE-2014-7754 (The Condor S.E. (aka com.app_condorsoutheast.layout) application 1.399 ...) NOT-FOR-US: Condor S.E. (aka com.app_condorsoutheast.layout) application for Android CVE-2014-7753 (The Circa News (aka cir.ca) application 2.1.3 for Android does not ver ...) NOT-FOR-US: Circa News (aka cir.ca) application for Android CVE-2014-7752 (The NASIOC (aka net.endoftime.android.forumrunner.nasioc) application ...) NOT-FOR-US: NASIOC (aka net.endoftime.android.forumrunner.nasioc) application for Android CVE-2014-7751 (The Recetas de Tragos (aka com.wRecetasdeTragos) application 0.1 for A ...) NOT-FOR-US: Recetas de Tragos (aka com.wRecetasdeTragos) application for Android CVE-2014-7750 (The Taster Magazine (aka com.magazinecloner.taster) application @7F080 ...) NOT-FOR-US: Taster Magazine (aka com.magazinecloner.taster) application for Android CVE-2014-7749 (The CamDictionary (aka com.intsig.camdict) application 2.3.0.20131118 ...) NOT-FOR-US: CamDictionary (aka com.intsig.camdict) application for Android CVE-2014-7748 (The Garip Ve Ilginc Olaylar (aka com.wGaripveeIlgincOlay) application ...) NOT-FOR-US: Garip Ve Ilginc Olaylar (aka com.wGaripveeIlgincOlay) application for Android CVE-2014-7747 REJECTED CVE-2014-7746 (The Fusion Flowers - Weddings (aka com.triactivemedia.fusionweddings) ...) NOT-FOR-US: Fusion Flowers - Weddings (aka com.triactivemedia.fusionweddings) application for Android CVE-2014-7745 (The Flight Manager (aka com.flightmanager.view) application 4.0 for An ...) NOT-FOR-US: Flight Manager (aka com.flightmanager.view) application for Android CVE-2014-7744 (The Musulmanin.com (aka com.wSalyafiyailimurdjiya) application 0.1 for ...) NOT-FOR-US: Musulmanin.com (aka com.wSalyafiyailimurdjiya) application for Android CVE-2014-7743 (The Humor Ironias y Realidades (aka com.wHumork) application 0.63.1337 ...) NOT-FOR-US: Humor Ironias y Realidades (aka com.wHumork) application for Android CVE-2014-7742 (The Noticias del Vaticano (aka com.wNoticiasdelVaticano) application 0 ...) NOT-FOR-US: Noticias del Vaticano (aka com.wNoticiasdelVaticano) application for Android CVE-2014-7741 (The Healing Bookstore (aka com.wHealingBookstore) application 0.1 for ...) NOT-FOR-US: Healing Bookstore (aka com.wHealingBookstore) application for Android CVE-2014-7740 (The Pony Magazine (aka com.triactivemedia.ponymagazine) application @7 ...) NOT-FOR-US: Pony Magazine (aka com.triactivemedia.ponymagazine) application for Android CVE-2014-7739 (The Anahi A Adopter FR (aka com.wAnahiAAdopterFR) application 0.1 for ...) NOT-FOR-US: Anahi A Adopter FR (aka com.wAnahiAAdopterFR) application for Android CVE-2014-7738 REJECTED CVE-2014-7737 (The FMAC : Federation Culinaire (aka com.fmac) application 1.0 for And ...) NOT-FOR-US: FMAC : Federation Culinaire (aka com.fmac) application for Android CVE-2014-7736 REJECTED CVE-2014-7735 (The Dr. Sheikh Adnan Ibrahim (aka com.amitaff.adnanIbrahim) applicatio ...) NOT-FOR-US: Dr. Sheikh Adnan Ibrahim (aka com.amitaff.adnanIbrahim) application for Android CVE-2014-7734 (The Reds Anytime Bail (aka com.onesolutionapps.redsanytimebailandroid) ...) NOT-FOR-US: Reds Anytime Bail (aka com.onesolutionapps.redsanytimebailandroid) application for Android CVE-2014-7733 (The Karaf Magazin (aka com.magzter.karafmagazin) application 3.0 for A ...) NOT-FOR-US: Karaf Magazin (aka com.magzter.karafmagazin) application for Android CVE-2014-7732 REJECTED CVE-2014-7731 (The Radio de la Cato (aka com.radio.de.la.cato) application 2.0 for An ...) NOT-FOR-US: Radio de la Cato (aka com.radio.de.la.cato) application for Android CVE-2014-7730 REJECTED CVE-2014-7729 REJECTED CVE-2014-7728 (The Logan Banner (aka com.soln.S8B5C1F53B8CBE06D5DE0A0E7E23DCDA7) appl ...) NOT-FOR-US: Logan Banner (aka com.soln.S8B5C1F53B8CBE06D5DE0A0E7E23DCDA7) application for Android CVE-2014-7727 (The Dj Brad H (aka com.dreamstep.wDjBradH) application 0.90 for Androi ...) NOT-FOR-US: Dj Brad H (aka com.dreamstep.wDjBradH) application for Android CVE-2014-7726 (The Golosinas Simpson1 (aka com.wGolosinasSimpson1) application 0.1 fo ...) NOT-FOR-US: Golosinas Simpson1 (aka com.wGolosinasSimpson1) application for Android CVE-2014-7725 (The Rally Albania Live 2014 (aka com.wRallyAlbaniaLIVE2014) applicatio ...) NOT-FOR-US: Rally Albania Live 2014 (aka com.wRallyAlbaniaLIVE2014) application for Android CVE-2014-7724 (The Chemssou Blink (aka com.chemssou.blink) application 1.0 for Androi ...) NOT-FOR-US: Chemssou Blink (aka com.chemssou.blink) application for Android CVE-2014-7723 (The Carnegie Mellon Silicon Valley (aka edu.cmu.sv.mobile) application ...) NOT-FOR-US: Carnegie Mellon Silicon Valley (aka edu.cmu.sv.mobile) application for Android CVE-2014-7722 (The Indian Jeweller (aka com.magzter.indianjeweller) application 3.0 f ...) NOT-FOR-US: Indian Jeweller (aka com.magzter.indianjeweller) application for Android CVE-2014-7721 (The President Clicker (aka com.flexymind.pclicker) application 1.0.4 f ...) NOT-FOR-US: President Clicker (aka com.flexymind.pclicker) application for Android CVE-2014-7720 (The Better Homes and Gardens Aus (aka com.pacificmagazines.betterhomes ...) NOT-FOR-US: Better Homes and Gardens Aus (aka com.pacificmagazines.betterhomesandgardens) application for Android CVE-2014-7719 (The BASEBALL MANAGER K (aka com.cjenm.yagamkgoogle) application 1.13 f ...) NOT-FOR-US: BASEBALL MANAGER K (aka com.cjenm.yagamkgoogle) application for Android CVE-2014-7718 (The Travel+Leisure (aka com.magzter.travelleisure) application 3.0 for ...) NOT-FOR-US: Travel+Leisure (aka com.magzter.travelleisure) application for Android CVE-2014-7717 (The Mills-Hazel Property Mgmt (aka com.appexpress.millshazelpropertyma ...) NOT-FOR-US: Mills-Hazel Property Mgmt (aka com.appexpress.millshazelpropertymanagement) application for Android CVE-2014-7716 (The Ultimate Christian Radios (aka com.ngg.ultimatechristianradios) ap ...) NOT-FOR-US: Ultimate Christian Radios (aka com.ngg.ultimatechristianradios) application for Android CVE-2014-7715 (The GIGA HOBBY (aka com.innopage.store.gigahobby) application 1.0.6 fo ...) NOT-FOR-US: GIGA HOBBY (aka com.innopage.store.gigahobby) application for Android CVE-2014-7714 (The ibon (aka tw.net.pic.mobi) application 3.2.1 for Android does not ...) NOT-FOR-US: ibon (aka tw.net.pic.mobi) application for Android CVE-2014-7713 (The Skin&Ink Magazine (aka com.triactivemedia.skinandink) applicat ...) NOT-FOR-US: Skin&Ink Magazine (aka com.triactivemedia.skinandink) application for Android CVE-2014-7712 (The Tiket.com Hotel & Flight (aka com.tiket.gits) application 1.1. ...) NOT-FOR-US: Tiket.com Hotel & Flight (aka com.tiket.gits) application for Android CVE-2014-7711 REJECTED CVE-2014-7710 (The India Today Telugu (aka com.magzter.indiatoday.telugu) application ...) NOT-FOR-US: India Today Telugu (aka com.magzter.indiatoday.telugu) application for Android CVE-2014-7709 REJECTED CVE-2014-7708 (The Raven - The Culture Lover (aka com.booksbyraven) application 1.60 ...) NOT-FOR-US: Raven - The Culture Lover (aka com.booksbyraven) application for Android CVE-2014-7707 (The Outdoor Design And Living (aka com.pocketmagsau.outdoordesignandli ...) NOT-FOR-US: Outdoor Design And Living (aka com.pocketmagsau.outdoordesignandliving) application for Android CVE-2014-7706 REJECTED CVE-2014-7705 (The Atkins Diet Free Shopping List (aka com.wAtkinsDietFreeShoppingLis ...) NOT-FOR-US: Atkins Diet Free Shopping List (aka com.wAtkinsDietFreeShoppingList) application for Android CVE-2014-7704 REJECTED CVE-2014-7703 (The Terrorizer Magazine (aka com.triactivemedia.terrorizer) applicatio ...) NOT-FOR-US: Terrorizer Magazine (aka com.triactivemedia.terrorizer) application for Android CVE-2014-7702 (The ahtty (aka com.crevation.babylon.ahtty) application 1.97.16 for An ...) NOT-FOR-US: ahtty (aka com.crevation.babylon.ahtty) application for Android CVE-2014-7701 (The DoNotTrackMe - Mobile Privacy (aka com.abine.dnt) application 1.1. ...) NOT-FOR-US: DoNotTrackMe - Mobile Privacy (aka com.abine.dnt) application for Android CVE-2014-7700 (The Flying Fox (aka com.chillingo.slyfoxfree.android.aja) application ...) NOT-FOR-US: Flying Fox (aka com.chillingo.slyfoxfree.android.aja) application for Android CVE-2014-7699 REJECTED CVE-2014-7698 (The Xinhua International (aka org.xinhua.xnews_international) applicat ...) NOT-FOR-US: Xinhua International (aka org.xinhua.xnews_international) application for Android CVE-2014-7697 (The Eyvah! Bosandim ozgurum (aka com.wEyvahBosandimBlog) application 0 ...) NOT-FOR-US: Eyvah! Bosandim ozgurum (aka com.wEyvahBosandimBlog) application for Android CVE-2014-7696 (The Halftime Magazine (aka com.magzter.halftimemagazine) application 3 ...) NOT-FOR-US: Halftime Magazine (aka com.magzter.halftimemagazine) application for Android CVE-2014-7695 (The easaa Baoneng (aka com.easaa.baoneng) application 1.0 for Android ...) NOT-FOR-US: easaa Baoneng (aka com.easaa.baoneng) application for Android CVE-2014-7694 (The Corvette Museum (aka com.app_corvettemuseum.layout) application 1. ...) NOT-FOR-US: Corvette Museum (aka com.app_corvettemuseum.layout) application for Android CVE-2014-7693 (The JusApp! (aka com.tapatalk.jusappcombrforum) application 3.7.5 for ...) NOT-FOR-US: JusApp! (aka com.tapatalk.jusappcombrforum) application for Android CVE-2014-7692 (The Lent Experience (aka com.wLentExperience) application 0.1 for Andr ...) NOT-FOR-US: Lent Experience (aka com.wLentExperience) application for Android CVE-2014-7691 (The Life Story of Sheikh Mujib (aka com.wbongobondho) application 0.1 ...) NOT-FOR-US: Life Story of Sheikh Mujib (aka com.wbongobondho) application for Android CVE-2014-7690 (The myfone Shopping (aka com.twm.pt.eccart) application 2.1.01.00.040 ...) NOT-FOR-US: myfone Shopping (aka com.twm.pt.eccart) application for Android CVE-2014-7689 (The GzoneRC - The RC Hobby Hub (aka com.wGzoneRC) application 0.1 for ...) NOT-FOR-US: GzoneRC - The RC Hobby Hub (aka com.wGzoneRC) application for Android CVE-2014-7688 (The Home Improvement (aka com.whomeimprovementapp) application 0.1 for ...) NOT-FOR-US: Home Improvement (aka com.whomeimprovementapp) application for Android CVE-2014-7687 REJECTED CVE-2014-7686 (The So. Co. Business Partnership (aka com.ChamberMe.SCBPSOUTHERNCO) ap ...) NOT-FOR-US: So. Co. Business Partnership (aka com.ChamberMe.SCBPSOUTHERNCO) application for Android CVE-2014-7685 (The Razer Comms - Gaming Messenger (aka com.razerzone.comms) applicati ...) NOT-FOR-US: Razer Comms - Gaming Messenger (aka com.razerzone.comms) application for Android CVE-2014-7684 REJECTED CVE-2014-7683 (The Free Canadian Author Previews (aka com.booksellerscanada.authorpre ...) NOT-FOR-US: Free Canadian Author Previews (aka com.booksellerscanada.authorpreview) application for Android CVE-2014-7682 (The GR8! TV (aka com.magzter.greighttv) application 3.0 for Android do ...) NOT-FOR-US: GR8! TV (aka com.magzter.greighttv) application for Android CVE-2014-7681 (The VMware vForums 2014 (aka com.coreapps.android.followme.vmwarevforu ...) NOT-FOR-US: VMware vForums 2014 (aka com.coreapps.android.followme.vmwarevforums) application for Android CVE-2014-7680 REJECTED CVE-2014-7679 REJECTED CVE-2014-7678 REJECTED CVE-2014-7677 (The Scudetto (aka com.scudetto) application 2.7 for Android does not v ...) NOT-FOR-US: Scudetto (aka com.scudetto) application for Android CVE-2014-7676 (The Home Made Air Freshener (aka com.wHomeMadeAirFreshener) applicatio ...) NOT-FOR-US: Home Made Air Freshener (aka com.wHomeMadeAirFreshener) application for Android CVE-2014-7675 REJECTED CVE-2014-7674 (The TicketOne.it (aka it.ticketone.mobile.app.Android) application 2.2 ...) NOT-FOR-US: TicketOne.it (aka it.ticketone.mobile.app.Android) application for Android CVE-2014-7673 REJECTED CVE-2014-7672 REJECTED CVE-2014-7671 (The Tekno Apsis (aka com.teknoapsis) application 2.4 for Android does ...) NOT-FOR-US: Tekno Apsis (aka com.teknoapsis) application for Android CVE-2014-7670 (The Motor Town: Machine Soul Free (aka com.alawar.motortownfree) appli ...) NOT-FOR-US: Motor Town: Machine Soul Free (aka com.alawar.motortownfree) application for Android CVE-2014-7669 REJECTED CVE-2014-7668 (The Ads Free. Cz advert (aka cz.inzeratyzdarma.cz) application 1.4 for ...) NOT-FOR-US: Ads Free. Cz advert (aka cz.inzeratyzdarma.cz) application for Android CVE-2014-7667 (The Coca-Cola FM Honduras (aka com.enyetech.radio.coca_cola.fm_hn) app ...) NOT-FOR-US: Coca-Cola FM Honduras (aka com.enyetech.radio.coca_cola.fm_hn) application for Android CVE-2014-7666 (The American Waterfowler (aka com.magazinecloner.americanwaterfowler) ...) NOT-FOR-US: American Waterfowler (aka com.magazinecloner.americanwaterfowler) application for Android CVE-2014-7665 REJECTED CVE-2014-7664 (The Bilingual Magic Ball Relajo (aka com.wBilingualMagicBallRelajo) ap ...) NOT-FOR-US: Bilingual Magic Ball Relajo (aka com.wBilingualMagicBallRelajo) application for Android CVE-2014-7663 (The Right to the Nitty Gritty (aka com.wGoNittyGritty) application 0.1 ...) NOT-FOR-US: Right to the Nitty Gritty (aka com.wGoNittyGritty) application for Android CVE-2014-7662 REJECTED CVE-2014-7661 (The Masquito Blogger (aka com.wmasquito) application 0.1 for Android d ...) NOT-FOR-US: Masquito Blogger (aka com.wmasquito) application for Android CVE-2014-7660 (The Gent Magazine (aka com.magzter.thegentmagazine) application 3.0 fo ...) NOT-FOR-US: Gent Magazine (aka com.magzter.thegentmagazine) application for Android CVE-2014-7659 (The ExpeditersOnline.com Forum (aka com.quoord.tapatalkeo.activity) ap ...) NOT-FOR-US: ExpeditersOnline.com Forum (aka com.quoord.tapatalkeo.activity) application for Android CVE-2014-7658 REJECTED CVE-2014-7657 REJECTED CVE-2014-7656 (The Indian Management (aka com.magzter.indianmanagement) application 3 ...) NOT-FOR-US: Indian Management (aka com.magzter.indianmanagement) application for Android CVE-2014-7655 (The Dresden Transport Museum (aka de.appack.project.vmd) application 2 ...) NOT-FOR-US: Dresden Transport Museum (aka de.appack.project.vmd) application for Android CVE-2014-7654 REJECTED CVE-2014-7653 REJECTED CVE-2014-7652 (The Magicam Photo Magic Editor (aka mobi.magicam.editor) application 5 ...) NOT-FOR-US: Magicam Photo Magic Editor (aka mobi.magicam.editor) application for Android CVE-2014-7651 REJECTED CVE-2014-7650 (The JJA- Juvenile Justice Act 1986 (aka com.felix.jja) application 1.0 ...) NOT-FOR-US: JJA- Juvenile Justice Act 1986 (aka com.felix.jja) application for Android CVE-2014-7649 (The Classic Car Buyer (aka com.magazinecloner.carbuyer) application @7 ...) NOT-FOR-US: Classic Car Buyer (aka com.magazinecloner.carbuyer) application for Android CVE-2014-7648 (The SMARTalk (aka jp.co.fusioncom.smartalk.android) application 1.1 fo ...) NOT-FOR-US: SMARTalk (aka jp.co.fusioncom.smartalk.android) application for Android CVE-2014-7647 (The BOOKING DISCOUNT (aka com.wmygoodhotelscom) application 0.1 for An ...) NOT-FOR-US: BOOKING DISCOUNT (aka com.wmygoodhotelscom) application for Android CVE-2014-7646 (The EMT-Paramedic Lite (aka com.wEMTparamedicLite) application 0.1 for ...) NOT-FOR-US: EMT-Paramedic Lite (aka com.wEMTparamedicLite) application for Android CVE-2014-7645 REJECTED CVE-2014-7644 (The Go MSX MLS (aka com.doapps.android.realestate.RE_16b9c09c4d5b0e174 ...) NOT-FOR-US: Go MSX MLS (aka com.doapps.android.realestate.RE_16b9c09c4d5b0e174208f35e7c49f9a0) application for Android CVE-2014-7643 (The C.R. Group (aka com.c.r.group) application 1.0 for Android does no ...) NOT-FOR-US: C.R. Group (aka com.c.r.group) application for Android CVE-2014-7642 (The Pegasus Airlines (aka com.wPegasusAirlines) application 0.84.13503 ...) NOT-FOR-US: Pegasus Airlines (aka com.wPegasusAirlines) application for Android CVE-2014-7641 REJECTED CVE-2014-7640 (The Hotel Room (aka com.wHotelRoom) application 0.1 for Android does n ...) NOT-FOR-US: Hotel Room (aka com.wHotelRoom) application for Android CVE-2014-7639 REJECTED CVE-2014-7638 (The Fabuestereo 88.1 FM (aka com.nobexinc.wls_27892411.rc) application ...) NOT-FOR-US: Fabuestereo 88.1 FM (aka com.nobexinc.wls_27892411.rc) application for Android CVE-2014-7637 REJECTED CVE-2014-7636 (The United Hawk Nation (aka com.united12thman) application 2.1 for And ...) NOT-FOR-US: United Hawk Nation (aka com.united12thman) application for Android CVE-2014-7635 REJECTED CVE-2014-7634 (The Adopt O Pet (aka com.wFindAPet) application 0.1 for Android does n ...) NOT-FOR-US: Adopt O Pet (aka com.wFindAPet) application for Android CVE-2014-7633 (The Dino Zoo (aka com.tappocket.dinozoostar) application 1.5 for Andro ...) NOT-FOR-US: Dino Zoo (aka com.tappocket.dinozoostar) application for Android CVE-2014-7632 (The news revolution - bahrain (aka com.news.revolution.BH) application ...) NOT-FOR-US: news revolution - bahrain (aka com.news.revolution.BH) application for Android CVE-2014-7631 (The Villa Antonia (aka com.appbuilder.u7p5019) application 1 for Andro ...) NOT-FOR-US: Villa Antonia (aka com.appbuilder.u7p5019) application for Android CVE-2014-7630 (The Fling Gold (aka com.mbgames.fling.gold) application 1.1.3 for Andr ...) NOT-FOR-US: Fling Gold (aka com.mbgames.fling.gold) application for Android CVE-2014-7629 (The Yulman Stadium (aka com.dub.app.tulanestadium) application 1.4.25 ...) NOT-FOR-US: Yulman Stadium (aka com.dub.app.tulanestadium) application for Android CVE-2014-7628 (The Acorn Comms (aka com.acorncomms.app) application 3.0 for Android d ...) NOT-FOR-US: Acorn Comms (aka com.acorncomms.app) application for Android CVE-2014-7627 REJECTED CVE-2014-7626 (The Atme (aka com.bedigital.atme) application 1.0.10 for Android does ...) NOT-FOR-US: Atme (aka com.bedigital.atme) application for Android CVE-2014-7625 REJECTED CVE-2014-7624 (The Guess the Pixel Character Quiz (aka com.aiadp.pixelcQuiz) applicat ...) NOT-FOR-US: Guess the Pixel Character Quiz (aka com.aiadp.pixelcQuiz) application for Android CVE-2014-7623 REJECTED CVE-2014-7622 (The Affinity Mobile ATM Locator (aka com.collegemobile.affinity.locato ...) NOT-FOR-US: Affinity Mobile ATM Locator (aka com.collegemobile.affinity.locator) application for Android CVE-2014-7621 (The EIN Lookup (aka appinventor.ai_siwanuth.EINLookup) application 1.1 ...) NOT-FOR-US: EIN Lookup (aka appinventor.ai_siwanuth.EINLookup) application for Android CVE-2014-7620 (The Authors On Tour - Live! (aka com.appmakr.app122286) application 4 ...) NOT-FOR-US: Authors On Tour - Live! (aka com.appmakr.app122286) application for Android CVE-2014-7619 REJECTED CVE-2014-7618 (The Interior Design (aka com.interior.design.mcreda) application 1.0 f ...) NOT-FOR-US: Interior Design (aka com.interior.design.mcreda) application for Android CVE-2014-7617 (The www.roads365.com (aka ydx.android) application 1.0.1 for Android d ...) NOT-FOR-US: www.roads365.com (aka ydx.android) application for Android CVE-2014-7616 (The Physics Forums (aka com.tapatalk.physicsforumscom) application 3.9 ...) NOT-FOR-US: Physics Forums (aka com.tapatalk.physicsforumscom) application for Android CVE-2014-7615 REJECTED CVE-2014-7614 (The Warrior Beach Retreat (aka com.wWarriorBeachRetreat) application 0 ...) NOT-FOR-US: Warrior Beach Retreat (aka com.wWarriorBeachRetreat) application for Android CVE-2014-7613 (The WASPS Official Programmes (aka com.triactivemedia.wasps) applicati ...) NOT-FOR-US: WASPS Official Programmes (aka com.triactivemedia.wasps) application for Android CVE-2014-7612 (The e-Kiosk (aka com.ekioskreader.android.pdfviewer) application 1.74 ...) NOT-FOR-US: e-Kiosk (aka com.ekioskreader.android.pdfviewer) application for Android CVE-2014-7611 (The Lost Temple (aka com.crazy.game.good.mengchenglu.templeI) applicat ...) NOT-FOR-US: Lost Temple (aka com.crazy.game.good.mengchenglu.templeI) application for Android CVE-2014-7610 (The Kadinlar Kulubu KKMobileApp (aka com.tapatalk.kadinlarkulubucom) a ...) NOT-FOR-US: Kadinlar Kulubu KKMobileApp (aka com.tapatalk.kadinlarkulubucom) application for Android CVE-2014-7609 (The iStunt 2 (aka com.miniclip.istunt2) application 1.1.2 for Android ...) NOT-FOR-US: iStunt 2 (aka com.miniclip.istunt2) application for Android CVE-2014-7608 (The Carrier Enterprise HVAC Assist (aka com.es.CE) application 4.0 for ...) NOT-FOR-US: Carrier Enterprise HVAC Assist (aka com.es.CE) application for Android CVE-2014-7607 (The Swamiji.tv (aka org.yidl.SwamijiTV) application 2.0 for Android do ...) NOT-FOR-US: Swamiji.tv (aka org.yidl.SwamijiTV) application for Android CVE-2014-7606 (The Concursive (aka com.concursive.app) application 2.1 for Android do ...) NOT-FOR-US: Concursive (aka com.concursive.app) application for Android CVE-2014-7605 (The Actors Key (aka com.conduit.app_f83daeb6861b401bb103c33ea4210029.a ...) NOT-FOR-US: Actors Key (aka com.conduit.app_f83daeb6861b401bb103c33ea4210029.app) application for Android CVE-2014-7604 (The Easy Tips For Glowing Skin (aka com.n.easytipsforglowingskin) appl ...) NOT-FOR-US: Easy Tips For Glowing Skin (aka com.n.easytipsforglowingskin) application for Android CVE-2014-7603 (The Gravey Design (aka com.dreamstep.wGraveyDesign) application 0.58.1 ...) NOT-FOR-US: Gravey Design (aka com.dreamstep.wGraveyDesign) application for Android CVE-2014-7602 (The FRONT (aka com.magazinecloner.front) application @7F08017A for And ...) NOT-FOR-US: FRONT (aka com.magazinecloner.front) application for Android CVE-2014-7601 REJECTED CVE-2014-7600 REJECTED CVE-2014-7599 REJECTED CVE-2014-7598 (The Poker Puzzle (aka com.sharpiq.pokerpuzzle) application 1.0.0 for A ...) NOT-FOR-US: Poker Puzzle (aka com.sharpiq.pokerpuzzle) application for Android CVE-2014-7597 (The Fabulas Infantiles (aka com.mobincube.android.sc_9I1A3) applicatio ...) NOT-FOR-US: Fabulas Infantiles (aka com.mobincube.android.sc_9I1A3) application for Android CVE-2014-7596 (The Paramore (aka uk.co.pixelkicks.paramore) application 2.3.4 for And ...) NOT-FOR-US: Paramore (aka uk.co.pixelkicks.paramore) application for Android CVE-2014-7595 (The devada.co.uk (aka com.wdevadacouk) application 1.2 for Android doe ...) NOT-FOR-US: devada.co.uk (aka com.wdevadacouk) application for Android CVE-2014-7594 REJECTED CVE-2014-7593 (The Mr Whippet - Yorkshire Ice (aka com.appytimes.ice) application 1.1 ...) NOT-FOR-US: Mr Whippet - Yorkshire Ice (aka com.appytimes.ice) application for Android CVE-2014-7592 (The FOL (aka com.desire2learn.fol.mobile.app.campuslife.directory) app ...) NOT-FOR-US: FOL (aka com.desire2learn.fol.mobile.app.campuslife.directory) application for Android CVE-2014-7591 (The Demon (aka com.ireadercity.c24) application 3.0.2 for Android does ...) NOT-FOR-US: Demon (aka com.ireadercity.c24) application for Android CVE-2014-7590 (The WebPromoExperts (aka ua.com.webpromoexperts) application 1.8 for A ...) NOT-FOR-US: WebPromoExperts (aka ua.com.webpromoexperts) application for Android CVE-2014-7589 (The Industrial and Commercial Bank of China (ICBC) Banking (aka com.ic ...) NOT-FOR-US: Industrial and Commercial Bank of China (ICBC) Banking (aka com.icbc.android) application for Android CVE-2014-7588 REJECTED CVE-2014-7587 (The Blocked in Free (aka com.blueup.blocked) application 1.0 for Andro ...) NOT-FOR-US: Blocked in Free (aka com.blueup.blocked) application for Android CVE-2014-7586 REJECTED CVE-2014-7585 (The Biplane Forum (aka com.gcspublishing.biplaneforum) application 3.7 ...) NOT-FOR-US: Biplane Forum (aka com.gcspublishing.biplaneforum) application for Android CVE-2014-7584 (The ACN2GO (aka com.dataparadigm.acnmobile) application 1.7 for Androi ...) NOT-FOR-US: ACN2GO (aka com.dataparadigm.acnmobile) application for Android CVE-2014-7583 REJECTED CVE-2014-7582 (The Water Lateral Sizer (aka com.wWaterLateralSizer) application 1.2 f ...) NOT-FOR-US: Water Lateral Sizer (aka com.wWaterLateralSizer) application for Android CVE-2014-7581 (The Quotes of Travis Barker (aka com.celebrity_quotes.travisbarker) ap ...) NOT-FOR-US: Quotes of Travis Barker (aka com.celebrity_quotes.travisbarker) application for Android CVE-2014-7580 (The Thailand Investor News (aka nudecreative.thaistock.set) applicatio ...) NOT-FOR-US: Thailand Investor News (aka nudecreative.thaistock.set) application for Android CVE-2014-7579 REJECTED CVE-2014-7578 (The Bieber News Now (aka com.jbnews) application 12.0.5 for Android do ...) NOT-FOR-US: Bieber News Now (aka com.jbnews) application for Android CVE-2014-7577 (The B&H Photo Video Pro Audio (aka com.bhphoto) application 2.5.1 ...) NOT-FOR-US: B&H Photo Video Pro Audio (aka com.bhphoto) application for Android CVE-2014-7576 (The Chien Binh Bakugan 2 LongTieng (aka com.htv.chien.binh.bakugan.ii. ...) NOT-FOR-US: Chien Binh Bakugan 2 LongTieng (aka com.htv.chien.binh.bakugan.ii.hanh.trinh.moi.long.tieng) application for Android CVE-2014-7575 (The eBiblio Andalucia (aka com.bqreaders.reader.ebiblioandalucia) appl ...) NOT-FOR-US: eBiblio Andalucia (aka com.bqreaders.reader.ebiblioandalucia) application for Android CVE-2014-7574 REJECTED CVE-2014-7573 (The droid Survey Offline Forms (aka com.contact.droidSURVEY) applicati ...) NOT-FOR-US: droid Survey Offline Forms (aka com.contact.droidSURVEY) application for Android CVE-2014-7572 (The Stoner's Handbook L- Bud Guide (aka fallacystudios.stonershandbook ...) NOT-FOR-US: Stoner's Handbook L- Bud Guide (aka fallacystudios.stonershandbooklite) application for Android CVE-2014-7571 (The Grey's Anatomy Fan (aka nl.jborsje.android.tvfan.greysanatomy) app ...) NOT-FOR-US: Grey's Anatomy Fan (aka nl.jborsje.android.tvfan.greysanatomy) application for Android CVE-2014-7570 (The Fire Equipments Screen lock (aka com.locktheworld.screen.lock.them ...) NOT-FOR-US: Fire Equipments Screen lock (aka com.locktheworld.screen.lock.theme.FireEquipments) application for Android CVE-2014-7569 (The Best Greatness Quotes (aka best.free.greatness.quotes.android.app) ...) NOT-FOR-US: Best Greatness Quotes (aka best.free.greatness.quotes.android.app) application for Android CVE-2014-7568 (The Marcus Butler Unofficial (aka com.automon.ay.marcus.butler) applic ...) NOT-FOR-US: Marcus Butler Unofficial (aka com.automon.ay.marcus.butler) application for Android CVE-2014-7567 (The iMig 2012 (aka com.webges.imig) application 1.0.0 for Android does ...) NOT-FOR-US: iMig 2012 (aka com.webges.imig) application for Android CVE-2014-7566 (The Stift Neuburg (aka de.appack.project.neuburg) application 1.1 for ...) NOT-FOR-US: Stift Neuburg (aka de.appack.project.neuburg) application for Android CVE-2014-7565 (The Rando Noeux (aka com.gmteditions.NoeuxLesMinesDistrib) application ...) NOT-FOR-US: Rando Noeux (aka com.gmteditions.NoeuxLesMinesDistrib) application for Android CVE-2014-7564 (The Simple Car Care Tip and Advice (aka com.a1481542198504ee106f182c8a ...) NOT-FOR-US: Simple Car Care Tip and Advice (aka com.a1481542198504ee106f182c8a.a40350826a) application for Android CVE-2014-7563 (The Tactical Force LLC (aka com.conduit.app_69f61a8852b046f2846054b30c ...) NOT-FOR-US: Tactical Force LLC (aka com.conduit.app_69f61a8852b046f2846054b30c4032a7.app) application for Android CVE-2014-7562 (The Health Advocate SmartHelp (aka com.healthadvocate.ui) application ...) NOT-FOR-US: Health Advocate SmartHelp (aka com.healthadvocate.ui) application for Android CVE-2014-7561 REJECTED CVE-2014-7560 (The Fabasoft Cloud (aka com.fabasoft.android.cmis.folio_cloud) applica ...) NOT-FOR-US: Fabasoft Cloud (aka com.fabasoft.android.cmis.folio_cloud) application for Android CVE-2014-7559 (The InstaTalks (aka com.natrobit.instatalks) application 1.3.1 for And ...) NOT-FOR-US: InstaTalks (aka com.natrobit.instatalks) application for Android CVE-2014-7558 (The Everest Poker (aka com.wEverestPoker) application 0.1 for Android ...) NOT-FOR-US: Everest Poker (aka com.wEverestPoker) application for Android CVE-2014-7557 (The zroadster.com (aka com.tapatalk.zroadstercomforum) application 2.4 ...) NOT-FOR-US: zroadster.com (aka com.tapatalk.zroadstercomforum) application for Android CVE-2014-7556 REJECTED CVE-2014-7555 (The Apparound BLEND (aka com.apparound.mobile.catalogo) application 4. ...) NOT-FOR-US: Apparound BLEND (aka com.apparound.mobile.catalogo) application for Android CVE-2014-7554 (The Bouqs - Flowers Simplified (aka com.bouqs.activity) application 1. ...) NOT-FOR-US: Bouqs - Flowers Simplified (aka com.bouqs.activity) application for Android CVE-2014-7553 (The GET NYCE Lightworks (aka com.wGETNYCE) application 0.84.13506.9895 ...) NOT-FOR-US: GET NYCE Lightworks (aka com.wGETNYCE) application for Android CVE-2014-7552 (The Zombie Diary (aka com.ezjoy.feelingtouch.zombiediary) application ...) NOT-FOR-US: Zombie Diary (aka com.ezjoy.feelingtouch.zombiediary) application for Android CVE-2014-7551 (The Noticias Bebes Beybies (aka com.beybies) application 1.0 for Andro ...) NOT-FOR-US: Noticias Bebes Beybies (aka com.beybies) application for Android CVE-2014-7550 (The basketball news & videos (aka com.basketbal.news.caesar) appli ...) NOT-FOR-US: basketball news & videos (aka com.basketbal.news.caesar) application for Android CVE-2014-7549 REJECTED CVE-2014-7548 REJECTED CVE-2014-7547 (The Texas Poker Unlimited Hold'em (aka com.fpinternet.texaspokerunlimi ...) NOT-FOR-US: Texas Poker Unlimited Hold'em (aka com.fpinternet.texaspokerunlimitedholdem) application for Android CVE-2014-7546 (The Buddhist Prayer (aka com.buddhist.prayer.mantra.sutra) application ...) NOT-FOR-US: Buddhist Prayer (aka com.buddhist.prayer.mantra.sutra) application for Android CVE-2014-7545 REJECTED CVE-2014-7544 (The Secret City - Motion Comic (aka me.narr8.android.serial.the_secret ...) NOT-FOR-US: Secret City - Motion Comic (aka me.narr8.android.serial.the_secret_city) application for Android CVE-2014-7543 (The Blood (aka com.sheridan.ash) application 2.1 for Android does not ...) NOT-FOR-US: Blood (aka com.sheridan.ash) application for Android CVE-2014-7542 (The l'Informatiu (aka com.linformatiu.spm) application 2.0 for Android ...) NOT-FOR-US: l'Informatiu (aka com.linformatiu.spm) application for Android CVE-2014-7541 REJECTED CVE-2014-7540 REJECTED CVE-2014-7539 (The Zhang Zhijun Taiwan Visit 2014-06-25 (aka com.zizizzi) application ...) NOT-FOR-US: Zhang Zhijun Taiwan Visit 2014-06-25 (aka com.zizizzi) application for Android CVE-2014-7538 (The Headlines news India (aka com.dreamstep.wHEADLINESNEWSINDIA) appli ...) NOT-FOR-US: Headlines news India (aka com.dreamstep.wHEADLINESNEWSINDIA) application for Android CVE-2014-7537 REJECTED CVE-2014-7536 (The Service Academy Forums (aka com.tapatalk.serviceacademyforumscom) ...) NOT-FOR-US: Service Academy Forums (aka com.tapatalk.serviceacademyforumscom) application for Android CVE-2014-7535 (The Classic Racer (aka com.triactivemedia.classicracer) application @7 ...) NOT-FOR-US: Classic Racer (aka com.triactivemedia.classicracer) application for Android CVE-2014-7534 (The Funny & Interesting Things (aka com.wFunnyandInterestingThings ...) NOT-FOR-US: Funny & Interesting Things (aka com.wFunnyandInterestingThings) application for Android CVE-2014-7533 (The NotreDame Seguradora (aka br.com.notredame.mobile.NotreDame) appli ...) NOT-FOR-US: NotreDame Seguradora (aka br.com.notredame.mobile.NotreDame) application for Android CVE-2014-7532 (The GES Agri Connect (aka com.wAgriConnect) application 0.1 for Androi ...) NOT-FOR-US: GES Agri Connect (aka com.wAgriConnect) application for Android CVE-2014-7531 REJECTED CVE-2014-7530 (The PRIX IMPORT (aka com.myapphone.android.myapppriximport) applicatio ...) NOT-FOR-US: PRIX IMPORT (aka com.myapphone.android.myapppriximport) application for Android CVE-2014-7529 (The Bodyguard for Hire (aka com.dreamstep.wBodyGuardforHire) applicati ...) NOT-FOR-US: Bodyguard for Hire (aka com.dreamstep.wBodyGuardforHire) application for Android CVE-2014-7528 (The Horsepower (aka com.apptive.android.apps.horsepower) application 2 ...) NOT-FOR-US: Horsepower (aka com.apptive.android.apps.horsepower) application for Android CVE-2014-7527 (The Savage Nation Mobile Web (aka com.wSavageNation) application 0.57. ...) NOT-FOR-US: Savage Nation Mobile Web (aka com.wSavageNation) application for Android CVE-2014-7526 (The Immunize Canada (aka ca.ohri.immunizeapp) application 1.0.1 for An ...) NOT-FOR-US: Immunize Canada (aka ca.ohri.immunizeapp) application for Android CVE-2014-7525 (The Domain Name Search & Web Host (aka com.wDomainNameSearchandReg ...) NOT-FOR-US: Domain Name Search & Web Host (aka com.wDomainNameSearchandRegistration) application for Android CVE-2014-7524 (The Bed and Breakfast (aka com.wbedandbreakfastapp) application 0.1 fo ...) NOT-FOR-US: Bed and Breakfast (aka com.wbedandbreakfastapp) application for Android CVE-2014-7523 (The Radio Bethlehem RB2000 (aka com.Abuhadbah.rbl2000v2) application 1 ...) NOT-FOR-US: Radio Bethlehem RB2000 (aka com.Abuhadbah.rbl2000v2) application for Android CVE-2014-7522 (The Maccabi Pakal (aka com.ideomobile.pakalmaccabi) application 1.2 fo ...) NOT-FOR-US: Maccabi Pakal (aka com.ideomobile.pakalmaccabi) application for Android CVE-2014-7521 (The Anderson Musaamil (aka com.app_andersonmusaamil.layout) applicatio ...) NOT-FOR-US: Anderson Musaamil (aka com.app_andersonmusaamil.layout) application for Android CVE-2014-7520 (The Nova 92.1 FM (aka com.wNova921FM) application 1.0 for Android does ...) NOT-FOR-US: Nova 92.1 FM (aka com.wNova921FM) application for Android CVE-2014-7519 (The Cycling Manager Game Cff (aka com.CyclingManagerGame) application ...) NOT-FOR-US: Cycling Manager Game Cff (aka com.CyclingManagerGame) application for Android CVE-2014-7518 (The Bowl Expo 2014 (aka com.coreapps.android.followme.bowlexpo14) appl ...) NOT-FOR-US: Bowl Expo 2014 (aka com.coreapps.android.followme.bowlexpo14) application for Android CVE-2014-7517 (The Myanmar Movies HD (aka com.wmyanmarmoviesHD) application 0.1 for A ...) NOT-FOR-US: Myanmar Movies HD (aka com.wmyanmarmoviesHD) application for Android CVE-2014-7516 (The Central East LHIN News (aka com.wCentralEastLHINNews) application ...) NOT-FOR-US: Central East LHIN News (aka com.wCentralEastLHINNews) application for Android CVE-2014-7515 (The Bail Bonds (aka com.onesolutionapps.chadlewisbailbondsandroid) app ...) NOT-FOR-US: Bail Bonds (aka com.onesolutionapps.chadlewisbailbondsandroid) application for Android CVE-2014-7514 REJECTED CVE-2014-7513 (The Top Hangover Cures (aka com.TopHangoverCures) application 1.2 for ...) NOT-FOR-US: Top Hangover Cures (aka com.TopHangoverCures) application for Android CVE-2014-7512 REJECTED CVE-2014-7511 REJECTED CVE-2014-7510 (The Graffit It (aka com.presenttechnologies.graffitit) application 1.1 ...) NOT-FOR-US: Graffit It (aka com.presenttechnologies.graffitit) application for Android CVE-2014-7509 (The A Very Short History of Japan (aka com.ireadercity.c51) applicatio ...) NOT-FOR-US: A Very Short History of Japan (aka com.ireadercity.c51) application for Android CVE-2014-7508 (The Help For Doc (aka com.childrens.physician.relations) application 1 ...) NOT-FOR-US: Help For Doc (aka com.childrens.physician.relations) application for Android CVE-2014-7507 (The Hector Leal (aka ad.hector.leal.com) application 13/08/14 for Andr ...) NOT-FOR-US: Hector Leal (aka ad.hector.leal.com) application for Android CVE-2014-7506 (The Realtime Music Rank (aka com.blogspot.imapp.immusicrank2) applicat ...) NOT-FOR-US: Realtime Music Rank (aka com.blogspot.imapp.immusicrank2) application for Android CVE-2014-7505 (The AppTalk (aka com.chatatami.apptalk) application 1.4.8 for Android ...) NOT-FOR-US: AppTalk (aka com.chatatami.apptalk) application for Android CVE-2014-7504 REJECTED CVE-2014-7503 REJECTED CVE-2014-7502 (The Escucha elDiario.es (aka es.lacabradev.escuchaeldiario) applicatio ...) NOT-FOR-US: Escucha elDiario.es (aka es.lacabradev.escuchaeldiario) application for Android CVE-2014-7501 (The Translation Widget (aka com.wTranslationGadget) application 0.1 fo ...) NOT-FOR-US: Translation Widget (aka com.wTranslationGadget) application for Android CVE-2014-7500 REJECTED CVE-2014-7499 (The Sword (aka com.ireadercity.c25) application 3.0.2 for Android does ...) NOT-FOR-US: Sword (aka com.ireadercity.c25) application for Android CVE-2014-7498 (The Space Cinema (aka it.thespacecinema.android) application 2.0.6 for ...) NOT-FOR-US: Space Cinema (aka it.thespacecinema.android) application for Android CVE-2014-7497 (The Portfolium (aka com.wPortfolium) application 0.1 for Android does ...) NOT-FOR-US: Portfolium (aka com.wPortfolium) application for Android CVE-2014-7496 REJECTED CVE-2014-7495 (The LogosQuest - Beginnings (aka com.wLogosQuest) application 1.0 for ...) NOT-FOR-US: LogosQuest - Beginnings (aka com.wLogosQuest) application for Android CVE-2014-7494 (The Kontan Kiosk (aka com.appsfoundry.scoopwl.id.kontankiosk) applicat ...) NOT-FOR-US: Kontan Kiosk (aka com.appsfoundry.scoopwl.id.kontankiosk) application for Android CVE-2014-7493 (The 100 Books (aka com.ireadercity.c20) application 3.0.2 for Android ...) NOT-FOR-US: 100 Books (aka com.ireadercity.c20) application for Android CVE-2014-7492 (The Secretos de belleza (aka com.rareartifact.secretosdebelleza83A55CB ...) NOT-FOR-US: Secretos de belleza (aka com.rareartifact.secretosdebelleza83A55CB8) application for Android CVE-2014-7491 (The Short Stories (aka com.ireadercity.c48) application 3.0.2 for Andr ...) NOT-FOR-US: Short Stories (aka com.ireadercity.c48) application for Android CVE-2014-7490 (The Menaka - Marathi (aka com.magzter.menakamarathi) application 3.0 f ...) NOT-FOR-US: Menaka - Marathi (aka com.magzter.menakamarathi) application for Android CVE-2014-7489 REJECTED CVE-2014-7488 (The Vineyard All In (aka com.wVineyardAllIn) application 0.1 for Andro ...) NOT-FOR-US: Vineyard All In (aka com.wVineyardAllIn) application for Android CVE-2014-7487 (The ADT Aesthetic Dentistry Today (aka com.magazinecloner.aestheticden ...) NOT-FOR-US: ADT Aesthetic Dentistry Today (aka com.magazinecloner.aestheticdentistry) application for Android CVE-2014-7486 (The Mitsubishi Road Assist (aka com.agero.mitsubishi) application 1.0 ...) NOT-FOR-US: Mitsubishi Road Assist (aka com.agero.mitsubishi) application for Android CVE-2014-7485 (The Not Lost Just Somewhere Else (aka it.tinytap.attsa.notlost) applic ...) NOT-FOR-US: Not Lost Just Somewhere Else (aka it.tinytap.attsa.notlost) application for Android CVE-2014-7484 (The Coca-Cola FM Guatemala (aka com.enyetech.radio.coca_cola.fm_gu) ap ...) NOT-FOR-US: Coca-Cola FM Guatemala (aka com.enyetech.radio.coca_cola.fm_gu) application for Android CVE-2014-7483 (The Desire2Learn FUSION 2014 (aka com.desire2learn.fusion2012) applica ...) NOT-FOR-US: Desire2Learn FUSION 2014 (aka com.desire2learn.fusion2012) application for Android CVE-2014-7482 REJECTED CVE-2014-7481 (The ETG Hosting (aka com.etg.web.hosting) application 2.0 for Android ...) NOT-FOR-US: ETG Hosting (aka com.etg.web.hosting) application for Android CVE-2014-7480 REJECTED CVE-2014-7479 REJECTED CVE-2014-7478 (The nashaplaneta.su (aka com.wNashaPlaneta) application 1.02 for Andro ...) NOT-FOR-US: nashaplaneta.su (aka com.wNashaPlaneta) application for Android CVE-2014-7477 REJECTED CVE-2014-7476 (The Healthy Lunch Diet Recipes (aka com.best.lunchdietrecipes) applica ...) NOT-FOR-US: Healthy Lunch Diet Recipes (aka com.best.lunchdietrecipes) application for Android CVE-2014-7475 (The Ionic View (aka com.ionic.viewapp) application 0.0.2 for Android d ...) NOT-FOR-US: Ionic View (aka com.ionic.viewapp) application for Android CVE-2014-7474 REJECTED CVE-2014-7473 REJECTED CVE-2014-7472 (The CSApp - Colegio San Agustin (aka com.goodbarber.csapp) application ...) NOT-FOR-US: CSApp - Colegio San Agustin (aka com.goodbarber.csapp) application for Android CVE-2014-7471 (The international-arbitration-attorney.com (aka com.w0f1d79a1010d819ac ...) NOT-FOR-US: international-arbitration-attorney.com (aka com.w0f1d79a1010d819acbee876007d0bebc) application for Android CVE-2014-7470 (The I Know the Movie (aka com.guilardi.jesaislefilm2) application jesa ...) NOT-FOR-US: I Know the Movie (aka com.guilardi.jesaislefilm2) application for Android CVE-2014-7469 (The Best Beginning (aka com.bbbeta) application 2.0 for Android does n ...) NOT-FOR-US: Best Beginning (aka com.bbbeta) application for Android CVE-2014-7468 (The AG Klettern Odenwald (aka de.appack.project.agko) application 1.2 ...) NOT-FOR-US: AG Klettern Odenwald (aka de.appack.project.agko) application for Android CVE-2014-7467 (The HoneyBee Mag (aka com.magzter.honeybeemag) application 3.0 for And ...) NOT-FOR-US: HoneyBee Mag (aka com.magzter.honeybeemag) application for Android CVE-2014-7466 (The Live TV Browser (aka com.wHDSmartBrowser) application 2.0 for Andr ...) NOT-FOR-US: Live TV Browser (aka com.wHDSmartBrowser) application for Android CVE-2014-7465 (The PC Advisor (aka com.triactivemedia.pcadvisor) application @7F08017 ...) NOT-FOR-US: PC Advisor (aka com.triactivemedia.pcadvisor) application for Android CVE-2014-7464 (The Magic Stamp (aka vn.avagame.apotatem) application 2.8 for Android ...) NOT-FOR-US: Magic Stamp (aka vn.avagame.apotatem) application for Android CVE-2014-7463 (The IM5 Fans Planet (aka uk.co.pixelkicks.im5) application 2.3.1 for A ...) NOT-FOR-US: IM5 Fans Planet (aka uk.co.pixelkicks.im5) application for Android CVE-2014-7462 (The Fashion Story: Neon 90's (aka com.teamlava.fashionstory39) applica ...) NOT-FOR-US: Fashion Story: Neon 90's (aka com.teamlava.fashionstory39) application for Android CVE-2014-7461 (The A King Sperm by Dr. Seema Rao (aka com.wKingSperm) application 0.6 ...) NOT-FOR-US: A King Sperm by Dr. Seema Rao (aka com.wKingSperm) application for Android CVE-2014-7460 (The Slots Heaven:FREE Slot Machine (aka com.twelvegigs.heaven.slots) a ...) NOT-FOR-US: Slots Heaven:FREE Slot Machine (aka com.twelvegigs.heaven.slots) application for Android CVE-2014-7459 (The Press-Leader (aka com.soln.S95309F65AD59F99CFC2C710A517B0B7E) appl ...) NOT-FOR-US: Press-Leader (aka com.soln.S95309F65AD59F99CFC2C710A517B0B7E) application for Android CVE-2014-7458 (The BloomYou Valentine (aka com.bloomyouteam.bloomyou.valentine) appli ...) NOT-FOR-US: BloomYou Valentine (aka com.bloomyouteam.bloomyou.valentine) application for Android CVE-2014-7457 (The Electronics For You (aka com.magzter.electronicsforyou) applicatio ...) NOT-FOR-US: Electronics For You (aka com.magzter.electronicsforyou) application for Android CVE-2014-7456 (The Digit Magazine (aka com.magzter.digitmagazine) application 3.01 fo ...) NOT-FOR-US: Digit Magazine (aka com.magzter.digitmagazine) application for Android CVE-2014-7455 (The Zoella Unofficial (aka com.automon.ay.zoella) application 1.4.0.5 ...) NOT-FOR-US: Zoella Unofficial (aka com.automon.ay.zoella) application for Android CVE-2014-7454 (The Detox Juicing Diet Recipes (aka com.wDetoxJuicingDietRecipes) appl ...) NOT-FOR-US: Detox Juicing Diet Recipes (aka com.wDetoxJuicingDietRecipes) application for Android CVE-2014-7453 REJECTED CVE-2014-7452 (The Shaklee Product Catalog (aka com.wProductCatalog) application 2.0 ...) NOT-FOR-US: Shaklee Product Catalog (aka com.wProductCatalog) application for Android CVE-2014-7451 REJECTED CVE-2014-7450 (The allnurses (aka com.tapatalk.allnursescom) application 3.4.10 for A ...) NOT-FOR-US: allnurses (aka com.tapatalk.allnursescom) application for Android CVE-2014-7449 (The My NGEMC Account (aka com.ngemc.smartapps) application 1.153.0034 ...) NOT-FOR-US: My NGEMC Account (aka com.ngemc.smartapps) application for Android CVE-2014-7448 (The DealSide Institutional (aka com.magzter.dealsideinstitutional) app ...) NOT-FOR-US: DealSide Institutional (aka com.magzter.dealsideinstitutional) application for Android CVE-2014-7447 (The Dattch - The Lesbian App (aka com.dattch.dattch.app) application 0 ...) NOT-FOR-US: Dattch - The Lesbian App (aka com.dattch.dattch.app) application for Android CVE-2014-7446 (The Bilingual Magic Ball (aka com.wBilingualMagicBall) application 0.1 ...) NOT-FOR-US: Bilingual Magic Ball (aka com.wBilingualMagicBall) application for Android CVE-2014-7445 (The LEGEND OF TRANCE (aka com.legendoftrance) application 1.0 for Andr ...) NOT-FOR-US: LEGEND OF TRANCE (aka com.legendoftrance) application for Android CVE-2014-7444 (The Baidu Navigation (aka com.baidu.navi) application 3.5.0 for Androi ...) NOT-FOR-US: Baidu Navigation (aka com.baidu.navi) application for Android CVE-2014-7443 (The Face Fun Photo Collage Maker 2 (aka com.kauf.facefunphotocollagema ...) NOT-FOR-US: Face Fun Photo Collage Maker 2 (aka com.kauf.facefunphotocollagemaker2) application for Android CVE-2014-7442 REJECTED CVE-2014-7441 (The Pakan Ken Tube (aka com.PakanKen) application 0.1 for Android does ...) NOT-FOR-US: Pakan Ken Tube (aka com.PakanKen) application for Android CVE-2014-7440 REJECTED CVE-2014-7439 (The bene+ odmeny a slevy (aka cz.gemoney.bene.android) application 1.2 ...) NOT-FOR-US: bene+ odmeny a slevy (aka cz.gemoney.bene.android) application for Android CVE-2014-7438 REJECTED NOT-FOR-US: pbm2l2030 printer driver CVE-2014-7437 (The Love Horoscope Guide (aka com.charl.charlylovehoroscopes) applicat ...) NOT-FOR-US: Love Horoscope Guide (aka com.charl.charlylovehoroscopes) application for Android CVE-2014-7436 (The SOS recette (aka com.sos.recette) application 1.0 for Android does ...) NOT-FOR-US: SOS recette (aka com.sos.recette) application for Android CVE-2014-7435 (The AJD Bail Bonds (aka com.onesolutionapps.ajdbailbondsandroid) appli ...) NOT-FOR-US: AJD Bail Bonds (aka com.onesolutionapps.ajdbailbondsandroid) application for Android CVE-2014-7434 (The RTSinfo (aka ch.rts.rtsinfo) application 1.4.8 for Android does no ...) NOT-FOR-US: RTSinfo (aka ch.rts.rtsinfo) application for Android CVE-2014-7433 (The Student ID (aka com.computas.studentbevis) application 1.2 for And ...) NOT-FOR-US: Student ID (aka com.computas.studentbevis) application for Android CVE-2014-7432 (The CalculatorApp (aka com.intuit.alm.testandroidapp) application 4.0 ...) NOT-FOR-US: CalculatorApp (aka com.intuit.alm.testandroidapp) application for Android CVE-2014-7431 (The Breeze Jersey (aka com.sc.breezeje.banking) application 1.0 for An ...) NOT-FOR-US: Breeze Jersey (aka com.sc.breezeje.banking) application for Android CVE-2014-7430 (The Flood-It (aka com.appspot.eoltek.flood) application 4.2 for Androi ...) NOT-FOR-US: Flood-It (aka com.appspot.eoltek.flood) application for Android CVE-2014-7429 REJECTED CVE-2014-7428 (The 7725.com Three Kingdoms (aka com.platform7725.youai.jiejian) appli ...) NOT-FOR-US: 7725.com Three Kingdoms (aka com.platform7725.youai.jiejian) application for Android CVE-2014-7427 (The Hunting Trophy Whitetails (aka com.wHuntingTrophyWhitetails) appli ...) NOT-FOR-US: Hunting Trophy Whitetails (aka com.wHuntingTrophyWhitetails) application for Android CVE-2014-7426 REJECTED CVE-2014-7425 (The Doodle Devil Free (aka com.joybits.doodledevil_free) application 2 ...) NOT-FOR-US: Doodle Devil Free (aka com.joybits.doodledevil_free) application for Android CVE-2014-7424 (The Quran Abu Bakr AshShatiri Free (aka com.wQuranAbuBakrFREE) applica ...) NOT-FOR-US: Quran Abu Bakr AshShatiri Free (aka com.wQuranAbuBakrFREE) application for Android CVE-2014-7423 (The Youth Incorporated (aka com.magzter.youthincorporated) application ...) NOT-FOR-US: Youth Incorporated (aka com.magzter.youthincorporated) application for Android CVE-2014-7422 (The HEA Mobile (aka com.homerelectric.smartapps) application 1.153.003 ...) NOT-FOR-US: HEA Mobile (aka com.homerelectric.smartapps) application for Android CVE-2014-7421 (The Revel in the Rideau Lakes (aka com.mytoursapp.android.app326) appl ...) NOT-FOR-US: Revel in the Rideau Lakes (aka com.mytoursapp.android.app326) application for Android CVE-2014-7420 (The Just Bureaucracy (aka com.magzter.justbureaucracy) application 3.0 ...) NOT-FOR-US: Just Bureaucracy (aka com.magzter.justbureaucracy) application for Android CVE-2014-7419 (The PokeCreator Lite (aka com.pokecreator.builderlite) application 1.1 ...) NOT-FOR-US: PokeCreator Lite (aka com.pokecreator.builderlite) application for Android CVE-2014-7418 (The BBC Knowledge Magazine (aka com.magzter.bbcknowledge) application ...) NOT-FOR-US: BBC Knowledge Magazine (aka com.magzter.bbcknowledge) application for Android CVE-2014-7417 (The Real Academia de Bellas Artes (aka com.adianteventures.adianteapps ...) NOT-FOR-US: Real Academia de Bellas Artes (aka com.adianteventures.adianteapps.real_academia_de_bellas_artes) application for Android CVE-2014-7416 (The Craft Stamper Magazine (aka com.triactivemedia.craftstamper) appli ...) NOT-FOR-US: Craft Stamper Magazine (aka com.triactivemedia.craftstamper) application for Android CVE-2014-7415 (The Asylum! (aka com.nobexinc.wls_96362255.rc) application 3.3.10 for ...) NOT-FOR-US: Asylum! (aka com.nobexinc.wls_96362255.rc) application for Android CVE-2014-7414 (The CLEO Malaysia (aka com.magzter.cleomalaysia) application 3.01 for ...) NOT-FOR-US: CLEO Malaysia (aka com.magzter.cleomalaysia) application for Android CVE-2014-7413 (The Rajendra Suriji (aka com.rajendrasuriji.nakodabhairav.com) applica ...) NOT-FOR-US: Rajendra Suriji (aka com.rajendrasuriji.nakodabhairav.com) application for Android CVE-2014-7412 REJECTED CVE-2014-7411 REJECTED CVE-2014-7410 (The Aptallik Testi (aka com.wAptallikTesti) application 4.0 for Androi ...) NOT-FOR-US: Aptallik Testi (aka com.wAptallikTesti) application for Android CVE-2014-7409 (The Liburan Hemat (aka com.liburan.bro) application 1.0 for Android do ...) NOT-FOR-US: Liburan Hemat (aka com.liburan.bro) application for Android CVE-2014-7408 (The Gary Johnson for President '12 (aka com.GaryJohnson2012) applicati ...) NOT-FOR-US: Gary Johnson for President '12 (aka com.GaryJohnson2012) application for Android CVE-2014-7407 (The Game Day Tix (aka com.xcr.android.mygamedaytickets) application 2. ...) NOT-FOR-US: Game Day Tix (aka com.xcr.android.mygamedaytickets) application for Android CVE-2014-7406 (The Deakin University (aka com.desire2learn.campuslife.deakin.edu.au.d ...) NOT-FOR-US: Deakin University (aka com.desire2learn.campuslife.deakin.edu.au.directory) application for Android CVE-2014-7405 (The Belaire Family Orthodontics (aka com.app_bf.layout) application 1. ...) NOT-FOR-US: Belaire Family Orthodontics (aka com.app_bf.layout) application for Android CVE-2014-7404 REJECTED CVE-2014-7403 (The NZHondas.com (aka com.tapatalk.nzhondascom) application 3.6.14 for ...) NOT-FOR-US: NZHondas.com (aka com.tapatalk.nzhondascom) application for Android CVE-2014-7400 REJECTED CVE-2014-7399 (The Suzanne Glathar (aka com.app_sglathar.layout) application 1.399 fo ...) NOT-FOR-US: Suzanne Glathar (aka com.app_sglathar.layout) application for Android CVE-2014-7398 (The Dil Bilgisi Kurallari (aka com.buronya.dilbilgisi) application 1.0 ...) NOT-FOR-US: Dil Bilgisi Kurallari (aka com.buronya.dilbilgisi) application for Android CVE-2014-7397 (The ileri Gazetesi - Yozgat (aka com.byfes.ilerigazetesi) application ...) NOT-FOR-US: ileri Gazetesi - Yozgat (aka com.byfes.ilerigazetesi) application for Android CVE-2014-7396 (The PocketKnife Bravo Super (aka com.wPocketKnifeBravo) application 0. ...) NOT-FOR-US: PocketKnife Bravo Super (aka com.wPocketKnifeBravo) application for Android CVE-2014-7395 (The USF BCM (aka com.appmakr.app193115) application 252847 for Android ...) NOT-FOR-US: USF BCM (aka com.appmakr.app193115) application for Android CVE-2014-7394 (The www.alaaliwat.com (aka com.alaliwat.marsa) application 4.9 for And ...) NOT-FOR-US: www.alaaliwat.com (aka com.alaliwat.marsa) application for Android CVE-2014-7393 (The 100 Beauty Tips (aka com.ww100BeautyTipsApp) application 1.1 for A ...) NOT-FOR-US: 100 Beauty Tips (aka com.ww100BeautyTipsApp) application for Android CVE-2014-7392 (The Russian Federation Traffic Rules (aka com.russia.pdd) application ...) NOT-FOR-US: Russian Federation Traffic Rules (aka com.russia.pdd) application for Android CVE-2014-7391 (The Synx addictive puzzle game (aka us.synx.mobile.play) application 1 ...) NOT-FOR-US: Synx addictive puzzle game (aka us.synx.mobile.play) application for Android CVE-2014-7390 (The Enchanted Fashion Crush (aka com.tabtale.springcrushbundleint) app ...) NOT-FOR-US: Enchanted Fashion Crush (aka com.tabtale.springcrushbundleint) application for Android CVE-2014-7389 (The Amnesia Groove (aka com.nobexinc.wls_88552576.rc) application 3.2. ...) NOT-FOR-US: Amnesia Groove (aka com.nobexinc.wls_88552576.rc) application for Android CVE-2014-7388 (The Sunday Indian Oriya (aka com.magzter.thesundayindianoriya) applica ...) NOT-FOR-US: Sunday Indian Oriya (aka com.magzter.thesundayindianoriya) application for Android CVE-2014-7387 (The ACC Advocacy Action (aka com.acc.app.android.ui) application 2.0 f ...) NOT-FOR-US: ACC Advocacy Action (aka com.acc.app.android.ui) application for Android CVE-2014-7386 REJECTED CVE-2014-7385 (The Aperture Mobile Media (aka com.app_aperturemobilemedia.layout) app ...) NOT-FOR-US: Aperture Mobile Media (aka com.app_aperturemobilemedia.layout) application for Android CVE-2014-7384 (The Joe's Lawn Service (aka com.appexpress.joeslawnservice) applicatio ...) NOT-FOR-US: Joe's Lawn Service (aka com.appexpress.joeslawnservice) application for Android CVE-2014-7383 REJECTED CVE-2014-7382 (The Alternative Connection (aka com.wAlternativeConnection) applicatio ...) NOT-FOR-US: Alternative Connection (aka com.wAlternativeConnection) application for Android CVE-2014-7381 REJECTED CVE-2014-7380 (The Cedar Kiosk (aka com.apps2you.cedarkiosk) application 1.1 for Andr ...) NOT-FOR-US: Cedar Kiosk (aka com.apps2you.cedarkiosk) application for Android CVE-2014-7379 (The Kiddie Kinderschoenen (aka nl.eigenwinkelapp.kiddiekinderschoenen) ...) NOT-FOR-US: Kiddie Kinderschoenen (aka nl.eigenwinkelapp.kiddiekinderschoenen) application for Android CVE-2014-7378 (The Jobranco (aka com.jobranco) application 1.1 for Android does not v ...) NOT-FOR-US: Jobranco (aka com.jobranco) application for Android CVE-2014-7377 REJECTED CVE-2014-7376 (The Facebook Profits on Steroids (aka com.wFacebookProfitsonSteroids) ...) NOT-FOR-US: Facebook Profits on Steroids (aka com.wFacebookProfitsonSteroids) application for Android CVE-2014-7375 (The Childcare (aka com.app_macchildcare.layout) application 1.399 for ...) NOT-FOR-US: Childcare (aka com.app_macchildcare.layout) application for Android CVE-2014-7374 (The SPIN - Motion Comic (aka me.narr8.android.serial.spin) application ...) NOT-FOR-US: SPIN - Motion Comic (aka me.narr8.android.serial.spin) application for Android CVE-2014-7373 (The Inspire Weddings (aka com.magzter.inspireweddings) application 3.0 ...) NOT-FOR-US: Inspire Weddings (aka com.magzter.inspireweddings) application for Android CVE-2014-7372 (The Mr.Sausage (aka com.app_mrsausage.layout) application 1.301 for An ...) NOT-FOR-US: Mr.Sausage (aka com.app_mrsausage.layout) application for Android CVE-2014-7371 (The Magic Balloonman Marty Boone (aka com.app_martyboone.layout) appli ...) NOT-FOR-US: Magic Balloonman Marty Boone (aka com.app_martyboone.layout) application for Android CVE-2014-7370 (The Job MoBleeps (aka com.wJobMoBleeps) application 0.1 for Android do ...) NOT-FOR-US: Job MoBleeps (aka com.wJobMoBleeps) application for Android CVE-2014-7369 (The Il Brillo Parlante (aka com.wIlBrilloParlante) application 0.1 for ...) NOT-FOR-US: Il Brillo Parlante (aka com.wIlBrilloParlante) application for Android CVE-2014-7368 (The Compassion Satisfaction (aka com.wCompassionSatisfactionWorkshopPr ...) NOT-FOR-US: Compassion Satisfaction (aka com.wCompassionSatisfactionWorkshopPresentation) application for Android CVE-2014-7367 (The TuS 1947 Radis (aka com.tus1947radis) application 1.0 for Android ...) NOT-FOR-US: TuS 1947 Radis (aka com.tus1947radis) application for Android CVE-2014-7366 (The Identity (aka com.magzter.identity) application 3.01 for Android d ...) NOT-FOR-US: Identity (aka com.magzter.identity) application for Android CVE-2014-7365 REJECTED CVE-2014-7364 (The Promotional Items (aka com.wPromotionalItems) application 0.1 for ...) NOT-FOR-US: Promotional Items (aka com.wPromotionalItems) application for Android CVE-2014-7363 REJECTED CVE-2014-7362 (The Naranjas Con Tocados (aka com.NaranjasConTocados.com) application ...) NOT-FOR-US: Naranjas Con Tocados (aka com.NaranjasConTocados.com) application for Android CVE-2014-7361 (The Harry's Pub (aka com.emunching.harryspub) application 1.0.0 for An ...) NOT-FOR-US: Harry's Pub (aka com.emunching.harryspub) application for Android CVE-2014-7360 (The How To Boil Eggs (aka com.appmakr.app842173) application 251333 fo ...) NOT-FOR-US: How To Boil Eggs (aka com.appmakr.app842173) application for Android CVE-2014-7359 (The MAPA DA MINA (aka com.wMAPADAMINA) application 0.1 for Android doe ...) NOT-FOR-US: MAPA DA MINA (aka com.wMAPADAMINA) application for Android CVE-2014-7358 (The Vermont Powder (aka com.concursive.vermontpowder) application 4.1 ...) NOT-FOR-US: Vermont Powder (aka com.concursive.vermontpowder) application for Android CVE-2014-7357 (The Grandparenting is Great (aka com.app_gig.layout) application 1.400 ...) NOT-FOR-US: Grandparenting is Great (aka com.app_gig.layout) application for Android CVE-2014-7356 REJECTED CVE-2014-7355 REJECTED CVE-2014-7354 (The Penumbra eMag (aka com.magzter.penumbraemag) application 3.0 for A ...) NOT-FOR-US: Penumbra eMag (aka com.magzter.penumbraemag) application for Android CVE-2014-7353 (The JAZAN 24 (aka com.jazan24.Mcreda) application 1.0 for Android does ...) NOT-FOR-US: JAZAN 24 (aka com.jazan24.Mcreda) application for Android CVE-2014-7352 (The India's Anthem (aka appinventor.ai_opalfoxy83.India_Anthem) applic ...) NOT-FOR-US: India's Anthem (aka appinventor.ai_opalfoxy83.India_Anthem) application for Android CVE-2014-7351 (The GLOBAL MOVIE MAGAZINE (aka com.magzter.globalmoviemagazine) applic ...) NOT-FOR-US: GLOBAL MOVIE MAGAZINE (aka com.magzter.globalmoviemagazine) application for Android CVE-2014-7350 REJECTED CVE-2014-7349 REJECTED CVE-2014-7348 (The HOT CARS (aka com.magzter.hotcars) application 3.0 for Android doe ...) NOT-FOR-US: HOT CARS (aka com.magzter.hotcars) application for Android CVE-2014-7347 REJECTED CVE-2014-7346 (The Bespoke (aka com.magzter.bespoke) application 3.0 for Android does ...) NOT-FOR-US: Bespoke (aka com.magzter.bespoke) application for Android CVE-2014-7345 (The DIYChatroom (aka com.tapatalk.diychatroomcom) application 3.4.0 fo ...) NOT-FOR-US: DIYChatroom (aka com.tapatalk.diychatroomcom) application for Android CVE-2014-7344 (The Classic Arms & Militaria (aka com.magazinecloner.classicarmsan ...) NOT-FOR-US: Classic Arms & Militaria (aka com.magazinecloner.classicarmsandm) application for Android CVE-2014-7343 REJECTED CVE-2014-7342 (The Echo News (aka com.solo.report) 1.10 application (beta) for Androi ...) NOT-FOR-US: Echo News (aka com.solo.report) 1.10 application for Android CVE-2014-7341 (The SAsync (aka com.sasync.sasyncmap) application 1.2.0 for Android do ...) NOT-FOR-US: SAsync (aka com.sasync.sasyncmap) application for Android CVE-2014-7340 (The Old Bike Mart (aka com.magazinecloner.oldbike) application @7F0801 ...) NOT-FOR-US: Old Bike Mart (aka com.magazinecloner.oldbike) application for Android CVE-2014-7339 (The Cuanto Conoces A un Amigo (aka com.makeitpossible.CuantoConocesAun ...) NOT-FOR-US: Cuanto Conoces A un Amigo (aka com.makeitpossible.CuantoConocesAunAmigo) application for Android CVE-2014-7338 (The faailkhair (aka com.faailkhair.app) application 1.0 for Android do ...) NOT-FOR-US: faailkhair (aka com.faailkhair.app) application for Android CVE-2014-7337 (The Acorn Estate Agents (aka com.acorn.ea) application 3.1 for Android ...) NOT-FOR-US: Acorn Estate Agents (aka com.acorn.ea) application for Android CVE-2014-7336 (The Taking Your Company Public (aka biz.app4mobile.app_016e43d03ee54d1 ...) NOT-FOR-US: Taking Your Company Public (aka biz.app4mobile.app_016e43d03ee54d1facd6c9532a00e724.app) application for Android CVE-2014-7335 (The Liver Health - Hepatitis C (aka gov.nyc.dohmh.HepC) application 2. ...) NOT-FOR-US: Liver Health - Hepatitis C (aka gov.nyc.dohmh.HepC) application for Android CVE-2014-7334 (The Where Dallas (aka com.magzter.wheredallas) application 3.0.2 for A ...) NOT-FOR-US: Where Dallas (aka com.magzter.wheredallas) application for Android CVE-2014-7333 (The Aloha Guide (aka com.aloha.guide.japnese) application 1.3 for Andr ...) NOT-FOR-US: Aloha Guide (aka com.aloha.guide.japnese) application for Android CVE-2014-7332 REJECTED CVE-2014-7331 (The TodaysSeniorsNetwork (aka com.wTodaysSeniorsNetwork) application 0 ...) NOT-FOR-US: TodaysSeniorsNetwork (aka com.wTodaysSeniorsNetwork) application for Android CVE-2014-7330 (The XtendCU Mobile (aka com.metova.cuae.xtend) application 1.0.28 for ...) NOT-FOR-US: XtendCU Mobile (aka com.metova.cuae.xtend) application for Android CVE-2014-7329 (The Motoring Classics (aka com.aptusi.android.motoring) application 1. ...) NOT-FOR-US: Motoring Classics (aka com.aptusi.android.motoring) application for Android CVE-2014-7328 (The brain abundance info (aka com.wbrainabundance) application 0.1 for ...) NOT-FOR-US: brain abundance info (aka com.wbrainabundance) application for Android CVE-2014-7327 (The Macau Business (aka com.magzter.macaubusiness) application 3.0 for ...) NOT-FOR-US: Macau Business (aka com.magzter.macaubusiness) application for Android CVE-2014-7326 (The ETA Mobile (aka com.en2grate.etamobile) application 1.6.6 for Andr ...) NOT-FOR-US: ETA Mobile (aka com.en2grate.etamobile) application for Android CVE-2014-7325 (The Business Intelligence (aka com.magzter.businessintelligence) appli ...) NOT-FOR-US: Business Intelligence (aka com.magzter.businessintelligence) application for Android CVE-2014-7324 REJECTED CVE-2014-7323 (The Dignity Dialogue (aka com.magzter.dignitydialogue) application 3.0 ...) NOT-FOR-US: Dignity Dialogue (aka com.magzter.dignitydialogue) application for Android CVE-2014-7322 REJECTED CVE-2014-7321 (The Firenze map (aka com.wFirenzemap) application 0.1 for Android does ...) NOT-FOR-US: Firenze map (aka com.wFirenzemap) application for Android CVE-2014-7320 (The SHIRAKABA (aka com.SHIRAKABA) application 1.0 for Android does not ...) NOT-FOR-US: SHIRAKABA (aka com.SHIRAKABA) application for Android CVE-2014-7319 REJECTED CVE-2014-7318 REJECTED CVE-2014-7317 (The Aloha Bail Bonds (aka com.onesolutionapps.alohabailbondsandroid) a ...) NOT-FOR-US: Aloha Bail Bonds (aka com.onesolutionapps.alohabailbondsandroid) application for Android CVE-2014-7316 (The Safe Arrival (aka com.synrevoice.safearrival) application 1.2 for ...) NOT-FOR-US: Safe Arrival (aka com.synrevoice.safearrival) application for Android CVE-2014-7315 (The Where Atlanta (aka com.magzter.whereatlanta) application 3.0.2 for ...) NOT-FOR-US: Where Atlanta (aka com.magzter.whereatlanta) application for Android CVE-2014-7314 (The Intelligent SME (aka com.magzter.intelligentsme) application 3.0 f ...) NOT-FOR-US: Intelligent SME (aka com.magzter.intelligentsme) application for Android CVE-2014-7313 (The One You Fitness (aka com.app_oneyou.layout) application 1.399 for ...) NOT-FOR-US: One You Fitness (aka com.app_oneyou.layout) application for Android CVE-2014-7312 REJECTED CVE-2014-7311 REJECTED CVE-2014-7310 (The Ali Visual (aka com.ali.visual) application 1.0 for Android does n ...) NOT-FOR-US: Ali Visual (aka com.ali.visual) application for Android CVE-2014-7309 (The Where2Stop-Cardlocks-Free (aka appinventor.ai_kidatheart99.Where2S ...) NOT-FOR-US: Where2Stop-Cardlocks-Free (aka appinventor.ai_kidatheart99.Where2Stop_Cardlocks) application for Android CVE-2014-7308 REJECTED CVE-2014-7307 (The ForoSocuellamos (aka com.forosocuellamos.tlcttbeukajwpeqreg) appli ...) NOT-FOR-US: ForoSocuellamos (aka com.forosocuellamos.tlcttbeukajwpeqreg) application for Android CVE-2014-7306 RESERVED CVE-2014-7305 RESERVED CVE-2014-7304 RESERVED CVE-2014-7303 (SGI Tempo, as used on SGI ICE-X systems, uses weak permissions for cer ...) NOT-FOR-US: SGI Tempo CVE-2014-7302 (SGI Tempo, as used on SGI ICE-X systems, uses weak permissions for cer ...) NOT-FOR-US: SGI Tempo CVE-2014-7301 (SGI Tempo, as used on SGI ICE-X systems, uses weak permissions for cer ...) NOT-FOR-US: SGI Tempo CVE-2014-7299 (Unspecified vulnerability in administrative interfaces in ArubaOS 6.3. ...) NOT-FOR-US: Aruba ArubaOS CVE-2014-7298 (adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify ...) NOT-FOR-US: Centrify CVE-2014-7297 (Unspecified vulnerability in the folder framework in the Enfold theme ...) NOT-FOR-US: folder framework in the Enfold theme for WordPress CVE-2014-7296 (The default configuration in the accessibility engine in SpagoBI 5.0.0 ...) NOT-FOR-US: Spago CVE-2014-7294 (Open redirect vulnerability in the logon page in NYU OpenSSO Integrati ...) NOT-FOR-US: Ex Libris Patron Directory Services CVE-2014-7293 (Cross-site scripting (XSS) vulnerability in the logon page in NYU Open ...) NOT-FOR-US: NYU OpenSSO Integration for Ex Libris Patron Directory Services CVE-2014-7292 (Open redirect vulnerability in the Click-Through feature in Newtellige ...) NOT-FOR-US: Newtelligence dasBlog CVE-2014-7291 (Multiple cross-site scripting (XSS) vulnerabilities in api_events.php ...) NOT-FOR-US: Springshare LibCal CVE-2014-7290 (Multiple cross-site scripting (XSS) vulnerabilities in Atlas Systems A ...) NOT-FOR-US: Atlas Systems Aeon CVE-2014-7289 (SQL injection vulnerability in the management server in Symantec Criti ...) NOT-FOR-US: Symantec Data Center Security CVE-2014-7288 (Symantec PGP Universal Server and Encryption Management Server before ...) NOT-FOR-US: Symantec Encryption Management Server CVE-2014-7287 (The key-management component in Symantec PGP Universal Server and Encr ...) NOT-FOR-US: Symantec CVE-2014-7286 (Buffer overflow in AClient in Symantec Deployment Solution 6.9 and ear ...) NOT-FOR-US: Symantec Deployment Solution CVE-2014-7285 (The management console on the Symantec Web Gateway (SWG) appliance bef ...) NOT-FOR-US: Symantec Web Gateway CVE-2014-7282 RESERVED CVE-2014-7281 (Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Tech ...) NOT-FOR-US: Tenda A32 Router CVE-2014-7280 (Cross-site scripting (XSS) vulnerability in the Web UI before 2.3.4 Bu ...) NOT-FOR-US: Nessus Web UI CVE-2014-7279 (The Konke Smart Plug K does not require authentication for TELNET sess ...) NOT-FOR-US: Konke Smart Plug K CVE-2014-7284 (The net_get_random_once implementation in net/core/utils.c in the Linu ...) - linux 3.16.2-1 [wheezy] - linux (Vulnerable code introduced in 3.13) - linux-2.6 (Vulnerable code introduced in 3.13) NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3d4405226d27b3a215e4d03cfa51f536244e5de7 (v3.15-rc7) NOTE: Introduced by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a48e42920ff38bc90bbf75143fff4555723d4540 NOTE: http://secondlookforensics.com/ngro-linux-kernel-bug/ CVE-2014-7283 (The xfs_da3_fixhashpath function in fs/xfs/xfs_da_btree.c in the xfs i ...) - linux 3.16.2-1 [wheezy] - linux (Vulnerable code introduced in 3.10 upstream) - linux-2.6 (Vulnerable code introduced in 3.10 upstream) NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c88547a8119e3b581318ab65e9b72f27f23e641d (v3.15-rc1) NOTE: http://marc.info/?l=linux-xfs&m=139590613002926&w=2 NOTE: Reproducer: http://oss.sgi.com/cgi-bin/gitweb.cgi?p=xfs/cmds/xfstests.git;a=commitdiff;h=947ee8bd4b59770534297572b14c695e9c6e001e CVE-2014-7295 (The (1) Special:Preferences and (2) Special:UserLogin pages in MediaWi ...) {DSA-3046-1} - mediawiki 1:1.19.20+dfsg-1 [squeeze] - mediawiki NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-October/000163.html NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=70672 CVE-2014-7278 (The login page on the ZyXEL SBG-3300 Security Gateway with firmware 1. ...) NOT-FOR-US: ZyXEL CVE-2014-7277 (Cross-site scripting (XSS) vulnerability in the login page on the ZyXE ...) NOT-FOR-US: ZyXEL CVE-2014-7276 RESERVED CVE-2014-7275 (The POP3-over-SSL implementation in getmail 4.0.0 through 4.44.0 does ...) {DSA-3091-1 DLA-106-1} - getmail4 4.46.0-1 (bug #766670) CVE-2014-7274 (The IMAP-over-SSL implementation in getmail 4.44.0 does not verify tha ...) {DSA-3091-1 DLA-106-1} - getmail4 4.46.0-1 (bug #766670) CVE-2014-7273 (The IMAP-over-SSL implementation in getmail 4.0.0 through 4.43.0 does ...) {DSA-3091-1 DLA-106-1} - getmail4 4.44.0-1 (bug #766670) CVE-2014-7272 (Simple Desktop Display Manager (SDDM) before 0.10.0 allows local users ...) [experimental] - sddm 0.11.0-1 - sddm 0.11.0-2 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=897788 CVE-2014-7271 (Simple Desktop Display Manager (SDDM) before 0.10.0 allows local users ...) [experimental] - sddm 0.11.0-1 - sddm 0.11.0-2 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=897788 CVE-2014-7270 (Cross-site request forgery (CSRF) vulnerability on ASUS JAPAN RT-AC87U ...) NOT-FOR-US: ASUS routers CVE-2014-7269 (ASUS JAPAN RT-AC87U routers with firmware 3.0.0.4.378.3754 and earlier ...) NOT-FOR-US: ASUS routers CVE-2014-7268 (Cross-site scripting (XSS) vulnerability in the data-export feature in ...) NOT-FOR-US: Ricksoft WBS Gantt-Chart add-on for JIRA CVE-2014-7267 (Cross-site scripting (XSS) vulnerability in the output-page generator ...) NOT-FOR-US: Ricksoft WBS Gantt-Chart add-on for JIRA CVE-2014-7266 (Algorithmic complexity vulnerability in Cybozu Remote Service Manager ...) NOT-FOR-US: Cybozu Remote Service Manager CVE-2014-7265 (Cross-site scripting (XSS) vulnerability in LinPHA allows remote attac ...) NOT-FOR-US: LinPHA CVE-2014-7264 (Multiple cross-site scripting (XSS) vulnerabilities in admin/themes/de ...) - chyrp (bug #664739) CVE-2014-7263 (Cross-site scripting (XSS) vulnerability in ULTRAPOP.JP i-HTTPD allows ...) NOT-FOR-US: ULTRAPOP.JP i-HTTPD CVE-2014-7262 (Cross-site scripting (XSS) vulnerability in the Omake BBS component in ...) NOT-FOR-US: ULTRAPOP.JP i-HTTPD CVE-2014-7261 (Cross-site scripting (XSS) vulnerability in ULTRAPOP.JP i-HTTPD allows ...) NOT-FOR-US: ULTRAPOP.JP i-HTTPD CVE-2014-7260 (The Server Side Includes (SSI) implementation in the File Upload BBS c ...) NOT-FOR-US: ULTRAPOP.JP i-HTTPD CVE-2014-7259 (SQUARE ENIX Co., Ltd. Kaku-San-Sei Million Arthur before 2.25 for Andr ...) NOT-FOR-US: SQUARE ENIX CVE-2014-7258 (Cross-site scripting (XSS) vulnerability in KENT-WEB Clip Board 2.91 a ...) NOT-FOR-US: KENT-WEB CLip Board CVE-2014-7257 (SQL injection vulnerability in DBD::PgPP 0.05 and earlier ...) NOT-FOR-US: DBD::PgPP CVE-2014-7256 (The (1) PPP Access Concentrator (PPPAC) and (2) Dial-Up Networking Int ...) NOT-FOR-US: SEIL Routers CVE-2014-7255 (Internet Initiative Japan Inc. SEIL Series routers SEIL/X1 2.50 throug ...) NOT-FOR-US: SEIL Routers CVE-2014-7254 (Unspecified vulnerability in ARROWS Me F-11D allows physically proxima ...) NOT-FOR-US: Arrows Me CVE-2014-7253 (FUJITSU F-12C, ARROWS Tab LTE F-01D, ARROWS Kiss F-03D, and REGZA Phon ...) NOT-FOR-US: ARROWS CVE-2014-7252 (Multiple unspecified vulnerabilities in the Syslink driver for Texas I ...) NOT-FOR-US: ARROWS CVE-2014-7251 (XML external entity (XXE) vulnerability in the WebHMI server in Yokoga ...) NOT-FOR-US: Yokogawa CVE-2014-7250 (The TCP stack in 4.3BSD Net/2, as used in FreeBSD 5.4, NetBSD possibly ...) - kfreebsd-8 [wheezy] - kfreebsd-8 (Not supported in wheezy LTS) - kfreebsd-9 [wheezy] - kfreebsd-9 (Not supported in wheezy LTS) - kfreebsd-10 (bug #778367) [jessie] - kfreebsd-10 (Not supported in Jessie LTS) CVE-2014-7249 (Buffer overflow on the Allied Telesis AR440S, AR441S, AR442S, AR745, A ...) NOT-FOR-US: Allied Telesis CVE-2014-7248 (Cross-site scripting (XSS) vulnerability in IPA iLogScanner 4.0 allows ...) NOT-FOR-US: IPA iLogScanner CVE-2014-7247 (Unspecified vulnerability in JustSystems Ichitaro 2008 through 2011; I ...) NOT-FOR-US: JustSystems Ichitaro CVE-2014-7246 (The Core Server in OpenAM 9.5.3 through 9.5.5, 10.0.0 through 10.0.2, ...) NOT-FOR-US: OpenAM (SSO Server) NOTE: This is not the openam answering machine. CVE-2014-7245 REJECTED CVE-2014-7244 REJECTED CVE-2014-7243 (LG Electronics Mobile WiFi router L-09C, L-03E, and L-04D does not res ...) NOT-FOR-US: LG Routers CVE-2014-7242 (The SumaHo application 3.0.0 and earlier for Android and the SumaHo "d ...) NOT-FOR-US: SumaHo (applications for Android) CVE-2014-7241 (The TSUTAYA application 5.3 and earlier for Android allows remote atta ...) NOT-FOR-US: TSUTAYA application for Android CVE-2014-7240 (Cross-site scripting (XSS) vulnerability in the Easy Contact Form Solu ...) NOT-FOR-US: Wordpress plugin CVE-2014-7239 RESERVED CVE-2014-7238 (The WordPress plugin Contact Form Integrated With Google Maps 1.0-2.4 ...) NOT-FOR-US: WordPress plugin Contact Form Integrated With Google Maps CVE-2014-7237 (lib/TWiki/Sandbox.pm in TWiki 6.0.0 and earlier, when running on Windo ...) - twiki NOTE: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7237 CVE-2014-7236 (Eval injection vulnerability in lib/TWiki/Plugins.pm in TWiki before 6 ...) - twiki NOTE: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236 CVE-2014-7235 (htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Rec ...) NOT-FOR-US: FreePBX CVE-2014-7234 REJECTED CVE-2014-7233 (GE Healthcare Precision THUNIS-800+ has a default password of (1) 1973 ...) NOT-FOR-US: GE Healthcare Precision THUNIS-800+ CVE-2014-7232 (GE Healthcare Discovery XR656 and XR656 G2 has a password of (1) 2geti ...) NOT-FOR-US: GE Healthcare Discovery XR656 and XR656 G2 CVE-2014-7229 (Unspecified vulnerability in Joomla! before 2.5.4 before 2.5.26, 3.x b ...) NOT-FOR-US: Joomla! CVE-2014-7228 (Akeeba Restore (restore.php), as used in Joomla! 2.5.4 through 2.5.25, ...) NOT-FOR-US: Joomla! CVE-2014-7227 REJECTED CVE-2014-7226 (The file comment feature in Rejetto HTTP File Server (hfs) 2.3c and ea ...) NOT-FOR-US: Rejetto HTTP File Server CVE-2014-7225 RESERVED CVE-2014-7224 (A Code Execution vulnerability exists in Android prior to 4.4.0 relate ...) NOT-FOR-US: Android addJavascriptInterface CVE-2014-7223 RESERVED CVE-2014-7222 (Buffer overflow in TeamSpeak Client 3.0.14 and earlier allows remote a ...) - teamspeak-client [wheezy] - teamspeak-client (non-free is not supported) CVE-2014-7221 (TeamSpeak Client 3.0.14 and earlier allows remote authenticated users ...) - teamspeak-client [wheezy] - teamspeak-client (non-free is not supported) CVE-2014-7220 RESERVED CVE-2014-7219 RESERVED CVE-2014-7218 RESERVED CVE-2014-7217 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0. ...) - phpmyadmin 4:4.2.9.1-1 (low) NOTE: https://www.phpmyadmin.net/security/PMASA-2014-11/ [wheezy] - phpmyadmin (Vulnerable code not present) [squeeze] - phpmyadmin (Vulnerable code not present) CVE-2014-7216 (Multiple stack-based buffer overflows in Yahoo! Messenger 11.5.0.228 a ...) NOT-FOR-US: Yahoo CVE-2014-7215 REJECTED CVE-2014-7214 REJECTED CVE-2014-7213 REJECTED CVE-2014-7212 REJECTED CVE-2014-7211 REJECTED CVE-2014-7210 [pdns in Debian creates too privileged MySQL user] RESERVED {DLA-492-1} - pdns 3.3.1-1 [squeeze] - pdns (Vulnerabile code not present) NOTE: Debian packaging specific. CVE-2014-7209 (run-mailcap in the Debian mime-support package before 3.52-1+deb7u1 al ...) {DSA-3114-1 DLA-125-1} - mime-support 3.58 CVE-2014-7208 (GParted before 0.15.0 allows local users to execute arbitrary commands ...) - gparted 0.16.1-1 [wheezy] - gparted (Minor issue) [squeeze] - gparted (Minor issue) CVE-2014-7207 (A certain Debian patch to the IPv6 implementation in the Linux kernel ...) {DSA-3060-1} - linux (Issue specific to 3.2.x) NOTE: In 3.2.x introduced with https://git.kernel.org/cgit/linux/kernel/git/bwh/linux-3.2.y.git/commit/?h=linux-3.2.y&id=64b5c251d5b2cee4a0f697bfb90d79263f6dd517 NOTE: which is a backport of https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=73f156a6e8c1074ac6327e0abd1169e95eb66463 (v3.16-rc1) NOTE: The missing commit for the 3.2.x branch was applied already earlier (before v3.16) mainline: NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=916e4cf46d0204806c062c8c6c4d1f633852c5b6 (v3.14-rc6) NOTE: http://bugs.debian.org/766195 - linux-2.6 (Issue specific to 3.2.x) CVE-2014-7206 (The changelog command in Apt before 1.0.9.2 allows local users to writ ...) {DSA-3048-1} - apt 1.0.9.2 (bug #763780) [squeeze] - apt (apt changelog command and vulnerable code not present) NOTE: mitigated by Linux kernel features in wheezy and up CVE-2013-7405 (The Ad Hoc Reporting feature in GE Healthcare Centricity DMS 4.2 has a ...) NOT-FOR-US: GE Healthcare Centricity DMS CVE-2013-7404 (GE Healthcare Discovery NM 750b has a password of 2getin for the insit ...) NOT-FOR-US: GE Healthcare Discovery NM 750b CVE-2012-6662 (Cross-site scripting (XSS) vulnerability in the default content option ...) - jqueryui 1.10.1+dfsg-1 [wheezy] - jqueryui (ui.tooltip not yet present) [squeeze] - jqueryui (code not present) NOTE: http://bugs.jqueryui.com/ticket/8861 NOTE: https://github.com/jquery/jquery-ui/commit/f2854408cce7e4b7fc6bf8676761904af9c96bde CVE-2012-6661 (Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta ...) - zope2.12 2.12.26-1 - zope2.13 (Fixed before initial upload in upstream version 2.13.19) NOTE: CVE SPLIT from CVE-2012-5508 CVE-2012-6660 (GE Healthcare Precision MPi has a password of (1) orion for the servic ...) NOT-FOR-US: GE Healthcare Precision MPi CVE-2011-5374 RESERVED CVE-2010-5310 (The Acquisition Workstation for the GE Healthcare Revolution XQ/i has ...) NOT-FOR-US: GE Healthcare Revolution XQ/i CVE-2010-5309 (GE Healthcare CADStream Server has a default password of confirma for ...) NOT-FOR-US: GE Healthcare CADStream Server CVE-2010-5308 (GE Healthcare Optima MR360 does not require authentication for the HIP ...) NOT-FOR-US: GE Healthcare Optima MR360 CVE-2010-5307 (The HIPAA configuration interface in GE Healthcare Optima MR360 has a ...) NOT-FOR-US: GE Healthcare Optima MR360 CVE-2010-5306 (GE Healthcare Optima CT680, CT540, CT640, and CT520 has a default pass ...) NOT-FOR-US: GE Healthcare Optima CVE-2009-5143 (GE Healthcare Discovery 530C has a password of #bigguy1 for the (1) ac ...) NOT-FOR-US: GE Healthcare Discovery 530C CVE-2007-6757 (GE Healthcare Centricity DMS 4.2, 4.1, and 4.0 has a password of Muse! ...) NOT-FOR-US: GE Healthcare Centricity DMS CVE-2006-7253 (GE Healthcare Infinia II has a default password of (1) infinia for the ...) NOT-FOR-US: GE Healthcare Infinia II CVE-2004-2777 (GE Healthcare Centricity Image Vault 3.x has a password of (1) gemnet ...) NOT-FOR-US: GE Healthcare Centricity Image Vault CVE-2003-1603 (GE Healthcare Discovery VH has a default password of (1) interfile for ...) NOT-FOR-US: GE Healthcare Discovery VH CVE-2002-2445 (GE Healthcare Millennium MG, NC, and MyoSIGHT has a default password o ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1594 (GE Healthcare eNTEGRA P&R has a password of (1) entegra for the en ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1254 (crypto/rsa/rsa_gen.c in OpenSSL before 0.9.6 mishandles C bitwise-shif ...) - openssl 0.9.6-1 NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=db82b8f9bd432a59aea8e1014694e15fc457c2bb CVE-2000-1253 RESERVED CVE-2014-7300 (GNOME Shell 3.14.x before 3.14.1, when the Screen Lock feature is used ...) - gnome-shell 3.14.1-1 (low) [wheezy] - gnome-shell (Minor issue) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=737456 NOTE: PrtSc is an unauthenticated request that's available to untrusted NOTE: parties. A series of requests can consume a large amount of memory. NOTE: The combination of this PrtSc behavior and the existence of the NOTE: oom-killer allows authentication bypass for command execution. NOTE: Therefore, the product must limit the aggregate memory consumption of NOTE: all active requests, and the lack of this limit is a vulnerability. CVE-2014-7231 (The strutils.mask_password function in the OpenStack Oslo utility libr ...) - python-oslo.utils 0.2.0-1 NOTE: https://launchpad.net/bugs/1345233 NOTE: https://review.openstack.org/gitweb?p=openstack%2Foslo.utils.git;a=commitdiff;h=e0425691d90bce0bbe847a9ff49468ce0fab5486 CVE-2014-7230 (The processutils.execute function in OpenStack oslo-incubator, Cinder, ...) - cinder 2014.1.3-4 (low; bug #765704) - nova 2014.1.3-5 (low; bug #765714) [wheezy] - nova (Minor issue) - openstack-trove 2014.1.3-1 (low) NOTE: https://launchpad.net/bugs/1343604 CVE-2014-7205 (Eval injection vulnerability in the internals.batch function in lib/ba ...) NOTE: https://nodesecurity.io/advisories/bassmaster_js_injection NOT-FOR-US: node.js package bassmaster CVE-2014-7201 (Multiple SQL injection vulnerabilities in the search function in pi1/c ...) NOT-FOR-US: JobControl extension for TYPO3 CVE-2014-7200 (Cross-site scripting (XSS) vulnerability in pi1/class.tx_dmmjobcontrol ...) NOT-FOR-US: JobControl extension for TYPO3 CVE-2014-7198 (OMERO before 5.0.6 has multiple CSRF vulnerabilities because the frame ...) NOT-FOR-US: OMERO CVE-2014-7197 RESERVED CVE-2014-7196 REJECTED CVE-2014-7195 (Spotfire Web Player Engine in TIBCO Spotfire Web Player 6.0.x before 6 ...) NOT-FOR-US: Spotfire Web Player CVE-2014-7194 (TIBCO Managed File Transfer Internet Server before 7.2.4, Managed File ...) NOT-FOR-US: TIBCO CVE-2014-7193 (The Crumb plugin before 3.0.0 for Node.js does not properly restrict t ...) NOT-FOR-US: Crumb CVE-2014-7192 (Eval injection vulnerability in index.js in the syntax-error package b ...) - libv8 [wheezy] - libv8 (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 (Unsupported in squeeze-lts) - libv8-3.14 (unimportant; bug #773623) NOTE: libv8 not covered by security support CVE-2014-7191 (The qs module before 1.0.0 in Node.js does not call the compact functi ...) - node-qs 2.2.4-1 NOTE: https://github.com/raymondfeng/node-querystring/commit/43a604b7847e56bba49d0ce3e222fe89569354d8 NOTE: https://nodesecurity.io/advisories/qs_dos_memory_exhaustion CVE-2014-7188 (The hvm_msr_read_intercept function in arch/x86/hvm/hvm.c in Xen 4.1 t ...) {DSA-3041-1} - xen 4.4.1-3 [squeeze] - xen CVE-2014-7184 RESERVED CVE-2014-7183 (Multiple cross-site scripting (XSS) vulnerabilities in the search.php ...) NOT-FOR-US: LifeCart CVE-2014-7182 (Multiple cross-site scripting (XSS) vulnerabilities in the WP Google M ...) NOT-FOR-US: WP Google Maps plugin for WordPress CVE-2014-7181 (Cross-site scripting (XSS) vulnerability in the Max Foundry MaxButtons ...) NOT-FOR-US: Max Foundry MaxButtons plugin for WordPress CVE-2014-7180 (Electric Cloud ElectricCommander before 4.2.6 and 5.x before 5.0.3 use ...) NOT-FOR-US: ElectricCommander CVE-2014-7179 RESERVED CVE-2014-7178 (Enalean Tuleap before 7.5.99.6 allows remote attackers to execute arbi ...) NOT-FOR-US: Enalean Tuleap CVE-2014-7177 (XML External Entity vulnerability in Enalean Tuleap 7.2 and earlier al ...) NOT-FOR-US: Enalean Tuleap CVE-2014-7176 (SQL injection vulnerability in Enalean Tuleap before 7.5.99.4 allows r ...) NOT-FOR-US: Enalean Tuleap CVE-2014-7175 (FarLinX X25 Gateway through 2014-09-25 allows attackers to write arbit ...) NOT-FOR-US: FarLinX X25 Gateway CVE-2014-7174 (FarLinX X25 Gateway through 2014-09-25 allows directory traversal via ...) NOT-FOR-US: FarLinX X25 Gateway CVE-2014-7173 (FarLinX X25 Gateway through 2014-09-25 allows command injection via sh ...) NOT-FOR-US: FarLinX X25 Gateway CVE-2014-7172 RESERVED CVE-2014-7171 RESERVED CVE-2014-7170 (Race condition in Puppet Server 0.2.0 allows local users to obtain sen ...) NOT-FOR-US: Puppet Server (replacement for puppetmaster) CVE-2014-7204 (jscript.c in Exuberant Ctags 5.8 allows remote attackers to cause a de ...) {DSA-3042-1 DLA-69-1} - exuberant-ctags 1:5.9~svn20110310-8 (bug #742605) NOTE: http://sourceforge.net/p/ctags/code/791/ CVE-2014-7203 (libzmq (aka ZeroMQ/C++) 4.0.x before 4.0.5 does not ensure that nonces ...) - zeromq (Vulnerable code not present, only zmq 4.x onwards) - zeromq3 4.0.5+dfsg-1 NOTE: Code commit: https://github.com/zeromq/libzmq/issues/1191 CVE-2014-7202 (stream_engine.cpp in libzmq (aka ZeroMQ/C++)) 4.0.5 before 4.0.5 allow ...) - zeromq (Vulnerable code not present, only zmq 4.x onwards) - zeromq3 4.0.5+dfsg-1 NOTE: Code commit: https://github.com/zeromq/libzmq/issues/1190 CVE-2014-7190 (Multiple cross-site request forgery (CSRF) vulnerabilities in Openfile ...) NOT-FOR-US: Openfiler CVE-2014-7189 (crpyto/tls in Go 1.1 before 1.3.2, when SessionTicketsDisabled is enab ...) - golang 2:1.3.2-1 [wheezy] - golang (Vulnerable code not present, only Go 1.1 onwards) NOTE: https://groups.google.com/forum/#!msg/golang-nuts/eeOHNw_shwU/OHALUmroA5kJ NOTE: https://code.google.com/p/go/source/detail?r=eae0457c101512f59296538f0162749eba325892&name=release-branch.go1.3 CVE-2014-7187 (Off-by-one error in the read_token_word function in parse.y in GNU Bas ...) {DSA-3035-1 DLA-63-1} - bash 4.3-9.2 CVE-2014-7186 (The redirection implementation in parse.y in GNU Bash through 4.3 bash ...) {DSA-3035-1 DLA-63-1} - bash 4.3-9.2 CVE-2014-7185 (Integer overflow in bufferobject.c in Python before 2.7.8 allows conte ...) - python2.5 (low) [squeeze] - python2.5 (Minor issue) - python2.6 (low) [squeeze] - python2.6 (Minor issue) [wheezy] - python2.6 (Minor issue) - python2.7 2.7.8-1 (low; bug #763848) [wheezy] - python2.7 (Minor issue) NOTE: http://bugs.python.org/issue21831 NOTE: Upstream fix http://hg.python.org/cpython/rev/8d963c7db507 CVE-2014-7168 RESERVED CVE-2014-7167 RESERVED CVE-2014-7166 RESERVED CVE-2014-7165 RESERVED CVE-2014-7164 RESERVED CVE-2014-7163 RESERVED CVE-2014-7162 RESERVED CVE-2014-7161 RESERVED CVE-2014-7160 RESERVED CVE-2014-7159 RESERVED CVE-2014-7158 (Cross-site request forgery (CSRF) vulnerability in Exinda WAN Optimiza ...) NOT-FOR-US: Exinda WAN Optimization Suite CVE-2014-7157 (Cross-site scripting (XSS) vulnerability in Exinda WAN Optimization Su ...) NOT-FOR-US: Exinda WAN Optimization Suite CVE-2014-7153 (SQL injection vulnerability in the editgallery function in admin/galle ...) NOT-FOR-US: WordPress plugin Huge-IT Image Gallery CVE-2014-XXXX [cyassl: RSA Padding check vulnerability] - cyassl - wolfssl 3.4.8+dfsg-1 NOTE: wolfssl actually fixed with the initial upload to unstable after the rename NOTE: http://www.yassl.com/yaSSL/Blog/Entries/2014/9/12_CyaSSL_3.2.0_Released.html NOTE: http://www.intelsecurity.com/advanced-threat-research/# NOTE: similar to CVE-2014-1568 in nss CVE-2014-7199 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.19, ...) {DSA-3036-1} - mediawiki 1:1.19.19+dfsg-1 (bug #762754) [squeeze] - mediawiki CVE-2014-7169 (GNU Bash through 4.3 bash43-025 processes trailing strings after certa ...) {DSA-3035-1 DLA-63-1} - bash 4.3-9.2 (bug #762760) CVE-2014-7156 (The x86_emulate function in arch/x86/x86_emulate/x86_emulate.c in Xen ...) {DSA-3041-1} - xen 4.4.1-3 [squeeze] - xen CVE-2014-7155 (The x86_emulate function in arch/x86/x86_emulate/x86_emulate.c in Xen ...) {DSA-3041-1} - xen 4.4.1-3 [squeeze] - xen CVE-2014-7154 (Race condition in HVMOP_track_dirty_vram in Xen 4.0.0 through 4.4.x do ...) {DSA-3041-1} - xen 4.4.1-3 [squeeze] - xen CVE-2014-7152 (Cross-site scripting (XSS) vulnerability in the Easy MailChimp Forms p ...) NOT-FOR-US: WordPress plugin Easy MailChimp Forms CVE-2014-7151 (Multiple cross-site scripting (XSS) vulnerabilities in the NEX-Forms L ...) NOT-FOR-US: NEX-Forms Lite plugin for WordPress CVE-2014-7150 RESERVED CVE-2014-7149 RESERVED CVE-2014-7148 RESERVED CVE-2014-7147 RESERVED CVE-2014-7146 (The XmlImportExport plugin in MantisBT 1.2.17 and earlier allows remot ...) {DSA-3120-1} - mantis [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: http://www.mantisbt.org/bugs/view.php?id=17725 NOTE: https://github.com/mantisbt/mantisbt/commit/bed19db9 (1.2.x branch) NOTE: https://github.com/mantisbt/mantisbt/commit/84017535 (master) CVE-2014-7140 (Unspecified vulnerability in the management interface in Citrix NetSca ...) NOT-FOR-US: Citrix NetScaler CVE-2014-7139 (Multiple cross-site scripting (XSS) vulnerabilities in the Contact For ...) NOT-FOR-US: WordPress plugin Contact Form DB CVE-2014-7138 (Cross-site scripting (XSS) vulnerability in the Google Calendar Events ...) NOT-FOR-US: WordPress plugin Google Calendar Events CVE-2014-7137 (Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6. ...) - dolibarr 3.5.5+dfsg1-1 (bug #770313) CVE-2014-7136 (Heap-based buffer overflow in the K7FWFilt.sys kernel mode driver (aka ...) NOT-FOR-US: K7 Computing CVE-2014-7135 (The Ayuntamiento de Coana (aka com.wInfoCoa) application 0.2 for Andro ...) NOT-FOR-US: Ayuntamiento de Coana (aka com.wInfoCoa) application for Android CVE-2014-7134 (The PROF. USMAN ALI AWHEELA (aka com.wPROFUAAWHEELA) application 2.1 f ...) NOT-FOR-US: PROF. USMAN ALI AWHEELA (aka com.wPROFUAAWHEELA) application for Android CVE-2014-7133 REJECTED CVE-2014-7132 (The Jambatan PBB Semporna (aka com.wJAMBATANPBBSEMPORNA) application 1 ...) NOT-FOR-US: Jambatan PBB Semporna (aka com.wJAMBATANPBBSEMPORNA) application for Android CVE-2014-7131 (The Digital Content NewFronts 2014 (aka com.coreapps.android.followme. ...) NOT-FOR-US: Digital Content NewFronts 2014 (aka com.coreapps.android.followme.newfronts2014) application for Android CVE-2014-7130 REJECTED CVE-2014-7129 (The Argus Leader Print Edition (aka com.argusleader.android.prod) appl ...) NOT-FOR-US: Argus Leader Print Edition (aka com.argusleader.android.prod) application for Android CVE-2014-7128 (The Toyota OC (aka com.tapatalk.toyotaownersclubcomforums) application ...) NOT-FOR-US: Toyota OC (aka com.tapatalk.toyotaownersclubcomforums) application for Android CVE-2014-7127 (The Football Espana magazine (aka com.triactivemedia.footballespana) a ...) NOT-FOR-US: Football Espana magazine (aka com.triactivemedia.footballespana) application for Android CVE-2014-7126 REJECTED CVE-2014-7125 (The Motor (aka com.magzter.motorhwpublishing) application 3.0 for Andr ...) NOT-FOR-US: Motor (aka com.magzter.motorhwpublishing) application for Android CVE-2014-7124 (The IP Alarm (aka com.cosesy.gadget.alarm) application 1.4 for Android ...) NOT-FOR-US: IP Alarm (aka com.cosesy.gadget.alarm) application for Android CVE-2014-7123 (The Brevir Harian V2 (aka com.brevir.harian.v) application 2.0 for And ...) NOT-FOR-US: Brevir Harian V2 (aka com.brevir.harian.v) application for Android CVE-2014-7122 (The Lansing State Journal Print (aka com.lansingjournal.android.prod) ...) NOT-FOR-US: Lansing State Journal Print (aka com.lansingjournal.android.prod) application for Android CVE-2014-7121 (The Dhanam (aka com.magzter.dhanam) application 3.1 for Android does n ...) NOT-FOR-US: Dhanam (aka com.magzter.dhanam) application for Android CVE-2014-7120 (The Model Laboratory (aka com.magazinecloner.modellaboratory) applicat ...) NOT-FOR-US: Model Laboratory (aka com.magazinecloner.modellaboratory) application for Android CVE-2014-7119 (The GNAM 2013 (aka com.beepeers.gndam) application 1.0 for Android doe ...) NOT-FOR-US: GNAM 2013 (aka com.beepeers.gndam) application for Android CVE-2014-7118 (The Itography Item Hunt (aka com.itography.application) application 3. ...) NOT-FOR-US: Itography Item Hunt (aka com.itography.application) application for Android CVE-2014-7117 (The Forest Area FCU Mobile (aka com.metova.cuae.fafcu) application 1.0 ...) NOT-FOR-US: Forest Area FCU Mobile (aka com.metova.cuae.fafcu) application for Android CVE-2014-7116 (The NRA Journal (aka com.magazinecloner.nationalrifleassociationjourna ...) NOT-FOR-US: NRA Journal (aka com.magazinecloner.nationalrifleassociationjournal) application for Android CVE-2014-7115 (The Letters to God - soc. network (aka com.wPismakBoguLetterstoGod) ap ...) NOT-FOR-US: Letters to God - soc. network (aka com.wPismakBoguLetterstoGod) application for Android CVE-2014-7114 REJECTED CVE-2014-7113 (The NASA Universe Wallpapers Xeus (aka com.xeusNASA) application 1.0 f ...) NOT-FOR-US: NASA Universe Wallpapers Xeus (aka com.xeusNASA) application for Android CVE-2014-7112 REJECTED CVE-2014-7111 (The Android Excellence (aka an.exc.ap) application 1.4.1 for Android d ...) NOT-FOR-US: Android Excellence (aka an.exc.ap) application for Android CVE-2014-7110 REJECTED CVE-2014-7109 (The Nesvarnik (aka cz.dtest.nesvarnik) application 1.0 for Android doe ...) NOT-FOR-US: Nesvarnik (aka cz.dtest.nesvarnik) application for Android CVE-2014-7108 (The Stop Headaches and Migraines (aka com.StopHeadachesandMigraines) a ...) NOT-FOR-US: Stop Headaches and Migraines (aka com.StopHeadachesandMigraines) application for Android CVE-2014-7107 (The Human Factor (aka com.magzter.thehumanfactor) application 3.01 for ...) NOT-FOR-US: The Human Factor (aka com.magzter.thehumanfactor) application for Android CVE-2014-7106 (The Orakel-Ball (aka com.wOrakelball) application 0.2 for Android does ...) NOT-FOR-US: Orakel-Ball (aka com.wOrakelball) application for Android CVE-2014-7105 REJECTED CVE-2014-7104 (The gymnoOVP (iOVP) (aka com.johtru.gymnoOVP) application 1.2 for Andr ...) NOT-FOR-US: gymnoOVP (iOVP) (aka com.johtru.gymnoOVP) application for Android CVE-2014-7103 (The Oskarshamnsliv (aka appinventor.ai_stadslivsguiden.Oskarshamnsliv) ...) NOT-FOR-US: Oskarshamnsliv (aka appinventor.ai_stadslivsguiden.Oskarshamnsliv) application for Android CVE-2014-7102 (The Car Insurance Quote Comparison (aka com.seopa.quotezone) applicati ...) NOT-FOR-US: Car Insurance Quote Comparison (aka com.seopa.quotezone) application for Android CVE-2014-7101 (The Talk Radio Europe (aka com.nobexinc.wls_31251464.rc) application 3 ...) NOT-FOR-US: Talk Radio Europe (aka com.nobexinc.wls_31251464.rc) application for Android CVE-2014-7100 (The www.sm3ny.com (aka sm3ny.com) application 1.0 for Android does not ...) NOT-FOR-US: www.sm3ny.com (aka sm3ny.com) application for Android CVE-2014-7099 (The Woodcraft Magazine (aka com.magzter.woodcraftmagazine) application ...) NOT-FOR-US: Woodcraft Magazine (aka com.magzter.woodcraftmagazine) application for Android CVE-2014-7098 (The Fylet Secure Large File Sender (aka com.application.fyletFileSende ...) NOT-FOR-US: Fylet Secure Large File Sender (aka com.application.fyletFileSender) application for Android CVE-2014-7097 REJECTED CVE-2014-7096 REJECTED CVE-2014-7095 REJECTED CVE-2014-7094 REJECTED CVE-2014-7093 (The Superbike Magazine (aka com.triactivemedia.superbike) application ...) NOT-FOR-US: Superbike Magazine (aka com.triactivemedia.superbike) application for Android CVE-2014-7092 (The Ubooly (aka com.ubooly.ubooly) application 4.3.0 for Android does ...) NOT-FOR-US: Ubooly (aka com.ubooly.ubooly) application for Android CVE-2014-7091 (The Sacramento Kings (aka com.tibco.gse.sports) application 6.0.8 for ...) NOT-FOR-US: Sacramento Kings (aka com.tibco.gse.sports) application for Android CVE-2014-7090 (The MyVCCCD (aka com.dub.app.ventura) application 1.4.14 for Android d ...) NOT-FOR-US: MyVCCCD (aka com.dub.app.ventura) application for Android CVE-2014-7089 (The COMPETITION INFORMATION (aka com.ear.bilgiyarismasi) application 0 ...) NOT-FOR-US: COMPETITION INFORMATION (aka com.ear.bilgiyarismasi) application for Android CVE-2014-7088 (The JDM Lifestyle (aka com.hondatech) application 6.4 for Android does ...) NOT-FOR-US: JDM Lifestyle (aka com.hondatech) application for Android CVE-2014-7087 (The Top Roller Coasters Europe 1 (aka com.appaapps.top10tallesteuropea ...) NOT-FOR-US: Top Roller Coasters Europe 1 (aka com.appaapps.top10tallesteuropeanrollercoasters1) application for Android CVE-2014-7086 (The Killer Screen lock (aka com.cc.theme.shashou) application 0.5 for ...) NOT-FOR-US: Killer Screen lock (aka com.cc.theme.shashou) application for Android CVE-2014-7085 (The i Newspaper (aka com.independent.thei) application @7F080184 for A ...) NOT-FOR-US: i Newspaper (aka com.independent.thei) application for Android CVE-2014-7084 (The Hesheng 80 (aka com.ireadercity.c29) application 3.0.2 for Android ...) NOT-FOR-US: Hesheng 80 (aka com.ireadercity.c29) application for Android CVE-2014-7083 (The Jiu Jik (aka com.scmp.jiujik) application 1.4.0 for Android does n ...) NOT-FOR-US: Jiu Jik (aka com.scmp.jiujik) application for Android CVE-2014-7082 (The No Disturb (aka com.blogspot.imapp.imnodisturb) application 3.3 fo ...) NOT-FOR-US: No Disturb (aka com.blogspot.imapp.imnodisturb) application for Android CVE-2014-7081 REJECTED CVE-2014-7080 (The Sigong ebook (aka com.sigongsa.sigonggenre) application 1.0.0 for ...) NOT-FOR-US: Sigong ebook (aka com.sigongsa.sigonggenre) application for Android CVE-2014-7079 (The Romeo and Juliet (aka jp.co.cybird.appli.android.rjs) application ...) NOT-FOR-US: Romeo and Juliet (aka jp.co.cybird.appli.android.rjs) application for Android CVE-2014-7078 (The Payoneer Sign Up (aka com.wPayoneerSignUp) application 0.1 for And ...) NOT-FOR-US: Payoneer Sign Up (aka com.wPayoneerSignUp) application for Android CVE-2014-7077 (The Gulf Coast Educators FCU (aka com.metova.cuae.gcefcu) application ...) NOT-FOR-US: Gulf Coast Educators FCU (aka com.metova.cuae.gcefcu) application for Android CVE-2014-7076 (The Sanctuary Asia (aka com.magzter.sanctuaryasia) application 3.0 for ...) NOT-FOR-US: Sanctuary Asia (aka com.magzter.sanctuaryasia) application for Android CVE-2014-7075 (The HAPPY (aka com.tw.knowhowdesign.sinfonghuei) application 2.0 for A ...) NOT-FOR-US: HAPPY (aka com.tw.knowhowdesign.sinfonghuei) application for Android CVE-2014-7074 REJECTED CVE-2014-7073 (The Andrew Magdy Kamal's Network (aka com.wAndSocialREWApps) applicati ...) NOT-FOR-US: Andrew Magdy Kamal's Network (aka com.wAndSocialREWApps) application for Android CVE-2014-7072 (The Venezia map (aka com.wVeneziamap) application 0.1 for Android does ...) NOT-FOR-US: Venezia map (aka com.wVeneziamap) application for Android CVE-2014-7071 (The Autocar India (aka com.magzter.autocarindia) application 3.03 for ...) NOT-FOR-US: Autocar India (aka com.magzter.autocarindia) application for Android CVE-2014-7070 (The Air War Hero (aka com.dev.airwar) application 3.0 for Android does ...) NOT-FOR-US: Air War Hero (aka com.dev.airwar) application for Android CVE-2014-7069 (The Aventino Brand (aka com.AventinoBrand) application 2.2 for Android ...) NOT-FOR-US: Aventino Brand (aka com.AventinoBrand) application for Android CVE-2014-7068 (The Neumann Student Activities (aka com.appmakr.app153856) application ...) NOT-FOR-US: Neumann Student Activities (aka com.appmakr.app153856) application for Android CVE-2014-7067 (The BTD5 Videos (aka com.wxTYILIEIRBTD5Videos) application 0.1 for And ...) NOT-FOR-US: BTD5 Videos (aka com.wxTYILIEIRBTD5Videos) application for Android CVE-2014-7066 (The LegalEra (aka com.magzter.legalera) application 3.0 for Android do ...) NOT-FOR-US: LegalEra (aka com.magzter.legalera) application for Android CVE-2014-7065 (The Nigerias Business Directory (aka com.wNigeriasBusinessDirectory) a ...) NOT-FOR-US: Nigerias Business Directory (aka com.wNigeriasBusinessDirectory) application for Android CVE-2014-7064 (The ben10 omniverse walkthrough (aka com.wben10omniverse2walkthrough) ...) NOT-FOR-US: ben10 omniverse walkthrough (aka com.wben10omniverse2walkthrough) application for Android CVE-2014-7063 (The Bikers Romagna (aka com.bikers.romagna) application 1.0 for Androi ...) NOT-FOR-US: Bikers Romagna (aka com.bikers.romagna) application for Android CVE-2014-7062 (The Association Min Ajlik (aka com.association.min.ajlik) application ...) NOT-FOR-US: Association Min Ajlik (aka com.association.min.ajlik) application for Android CVE-2014-7061 (The MODSIM World 2014 (aka com.concursive.modsimworld) application 2.0 ...) NOT-FOR-US: MODSIM World 2014 (aka com.concursive.modsimworld) application for Android CVE-2014-7060 (The Your Tango (aka com.your.tango) application 1.0 for Android does n ...) NOT-FOR-US: Your Tango (aka com.your.tango) application for Android CVE-2014-7059 (The TheDevildogGamer (aka com.wTheDevildogGamer) application 1.0 for A ...) NOT-FOR-US: TheDevildogGamer (aka com.wTheDevildogGamer) applicationfor Android CVE-2014-7058 (The Efendimizin Sunnetleri (aka com.wEfendimizinSunnetleri) applicatio ...) NOT-FOR-US: Efendimizin Sunnetleri (aka com.wEfendimizinSunnetleri) application for Android CVE-2014-7057 (The Hong Kong Tatler Society (aka com.magzter.hongkongtatlersociety) a ...) NOT-FOR-US: Hong Kong Tatler Society (aka com.magzter.hongkongtatlersociety) application for Android CVE-2014-7056 (The Yeast Infection (aka com.wyeastinfectionapp) application 0.1 for A ...) NOT-FOR-US: Yeast Infection (aka com.wyeastinfectionapp) application for Android CVE-2014-7055 (The NCCI's Annual Issues Symposium (aka com.quickmobile.ais14) applica ...) NOT-FOR-US: NCCI's Annual Issues Symposium (aka com.quickmobile.ais14) application for Android CVE-2014-7054 (The musica de barrios sonideros (aka com.nobexinc.wls_93155702.rc) app ...) NOT-FOR-US: musica de barrios sonideros (aka com.nobexinc.wls_93155702.rc) application for Android CVE-2014-7053 (The City Star ME (aka com.citystarme) application 1.0 for Android does ...) NOT-FOR-US: City Star ME (aka com.citystarme) application for Android CVE-2014-7052 (The sahab-alkher.com (aka com.tapatalk.sahabalkhercomvb) application 2 ...) NOT-FOR-US: sahab-alkher.com (aka com.tapatalk.sahabalkhercomvb) application for Android CVE-2014-7051 REJECTED CVE-2014-7050 (The givenu give (aka com.givenu.give) application 1.5.3 for Android do ...) NOT-FOR-US: givenu give (aka com.givenu.give) application for Android CVE-2014-7049 (The SomTodo - Task/To-do widget (aka com.somcloud.somtodo) application ...) NOT-FOR-US: SomTodo - Task/To-do widget (aka com.somcloud.somtodo) application for Android CVE-2014-7048 (The Bear ID Lock (aka com.wBearIDLock) application 0.1 for Android doe ...) NOT-FOR-US: Bear ID Lock (aka com.wBearIDLock) application for Android CVE-2014-7047 (The Ocean Avenue Mobile Pro (aka com.oceanavenue.mobile) application 2 ...) NOT-FOR-US: Ocean Avenue Mobile Pro (aka com.oceanavenue.mobile) application for Android CVE-2014-7046 (The George Wassouf (aka com.devkhr32.georgewassouf) application 1.0 fo ...) NOT-FOR-US: George Wassouf (aka com.devkhr32.georgewassouf) application for Android CVE-2014-7045 (The Bust Out Bail (aka com.onesolutionapps.bustoutbailandroid) applica ...) NOT-FOR-US: Bust Out Bail (aka com.onesolutionapps.bustoutbailandroid) application for Android CVE-2014-7044 (The Street Walker (aka kt.road.StreetWalker) application 0.0.1 for And ...) NOT-FOR-US: Street Walker (aka kt.road.StreetWalker) application for Android CVE-2014-7043 (The Cadpage (aka net.anei.cadpage) application 1.7.44 for Android does ...) NOT-FOR-US: Cadpage (aka net.anei.cadpage) application for Android CVE-2014-7042 (** DISPUTED ** The My nTelos (aka com.telespree.ntelospostpay) applica ...) NOT-FOR-US: My nTelos (aka com.telespree.ntelospostpay) application for Android CVE-2014-7041 (The SimGene (aka com.japanbioinformatics.simgene) application 1.3 for ...) NOT-FOR-US: SimGene (aka com.japanbioinformatics.simgene) application for Android CVE-2014-7040 (The UniCredit Investors (aka eu.unicreditgroup.brand.ucinvestors) appl ...) NOT-FOR-US: UniCredit Investors (aka eu.unicreditgroup.brand.ucinvestors) application for Android CVE-2014-7039 (The Wild Women United (aka com.wildwomenunited) application 1.0 for An ...) NOT-FOR-US: Wild Women United (aka com.wildwomenunited) application for Android CVE-2014-7038 (The Al Jazeera (aka com.Al.Jazeera.net) application 6.0 for Android do ...) NOT-FOR-US: Al Jazeera (aka com.Al.Jazeera.net) application for Android CVE-2014-7037 (The Noble Sticker "FREE" (aka com.kuronecostudio.kizokustamp.free) app ...) NOT-FOR-US: Noble Sticker "FREE" (aka com.kuronecostudio.kizokustamp.free) application for Android CVE-2014-7036 (The Quest Federal CU Mobile (aka com.metova.cuae.questfcu) application ...) NOT-FOR-US: Quest Federal CU Mobile (aka com.metova.cuae.questfcu) application for Android CVE-2014-7035 (The Harmonizers Planet (aka uk.co.pixelkicks.fifthharmony) application ...) NOT-FOR-US: Harmonizers Planet (aka uk.co.pixelkicks.fifthharmony) application for Android CVE-2014-7034 (The Senator Inn & Spa (aka com.conduit.app_cc06e8e9659c4cf7b361ad0 ...) NOT-FOR-US: Senator Inn & Spa (aka com.conduit.app_cc06e8e9659c4cf7b361ad0b7717f3a4.app) application for Android CVE-2014-7033 (The Cure Viewer (aka com.livedoor.android.cureviewer) application 1.03 ...) NOT-FOR-US: Cure Viewer (aka com.livedoor.android.cureviewer) application for Android CVE-2014-7032 (The MYHABIT (aka com.amazon.myhabit) application @7F080041 for Android ...) NOT-FOR-US: MYHABIT (aka com.amazon.myhabit) application for Android CVE-2014-7031 (The RedAtoms Three (aka com.redatoms.mojodroid.tw.gp) application 2.5 ...) NOT-FOR-US: RedAtoms Three (aka com.redatoms.mojodroid.tw.gp) application for Android CVE-2014-7030 (The Dieta Dukan passo a passo (aka com.rareartifact.dukanpasoapaso82BE ...) NOT-FOR-US: Dieta Dukan passo a passo (aka com.rareartifact.dukanpasoapaso82BE0897) application for Android CVE-2014-7029 (The Bultmonster Registret (aka com.bultmonster.registret) application ...) NOT-FOR-US: Bultmonster Registret (aka com.bultmonster.registret) application for Android CVE-2014-7028 (The Ibis pau centre (aka com.myapphone.android.myappibispaucentre) app ...) NOT-FOR-US: Ibis pau centre (aka com.myapphone.android.myappibispaucentre) application for Android CVE-2014-7027 (The Esercizi per le donne (aka com.rareartifact.eserciziperledonne6D55 ...) NOT-FOR-US: Esercizi per le donne (aka com.rareartifact.eserciziperledonne6D5578C6) application for Android CVE-2014-7026 (The LIFE TIME FITNESS (aka com.lifetimefitness.ltfmobile) application ...) NOT-FOR-US: LIFE TIME FITNESS (aka com.lifetimefitness.ltfmobile) application for Android CVE-2014-7025 (The Who-is-it? Lite name caller time limited free (aka de.profiler.and ...) NOT-FOR-US: Who-is-it? Lite name caller time limited free (aka de.profiler.android.whoisit) application for Android CVE-2014-7024 (The Hardest Game Collection (aka com.lotfun.abuse) application 1.5.0 f ...) NOT-FOR-US: Hardest Game Collection (aka com.lotfun.abuse) application for Android CVE-2014-7023 (The Find Color (aka com.chudong.color) application 1.1.1 for Android d ...) NOT-FOR-US: Find Color (aka com.chudong.color) application for Android CVE-2014-7022 (The Modelisme.com forum/portail (aka com.tapatalk.modelismecomforum) a ...) NOT-FOR-US: Modelisme.com forum/portail (aka com.tapatalk.modelismecomforum) application for Android CVE-2014-7021 (The Leg Surgery - Kids Games (aka com.harriskerioe.legsurgery) applica ...) NOT-FOR-US: Leg Surgery - Kids Games (aka com.harriskerioe.legsurgery) application for Android CVE-2014-7020 (The Diabetes Forum (aka com.tapatalk.diabetescoukdiabetesforum) applic ...) NOT-FOR-US: Diabetes Forum (aka com.tapatalk.diabetescoukdiabetesforum) application for Android CVE-2014-7019 (The Clarks Inn (aka com.ClarksInn) application 3.3.0 for Android does ...) NOT-FOR-US: Clarks Inn (aka com.ClarksInn) application for Android CVE-2014-7018 (The LOVE DANCE (aka com.efunfun.ddianle.lovedance) application 1.2.062 ...) NOT-FOR-US: LOVE DANCE (aka com.efunfun.ddianle.lovedance) application for Android CVE-2014-7017 (The Tim Ban Bon Phuong (aka com.entertaiment.timbanbonphuong) applicat ...) NOT-FOR-US: Tim Ban Bon Phuong (aka com.entertaiment.timbanbonphuong) application for Android CVE-2014-7016 (The Mahasna Batik (aka com.batik.mahasna) application 1.0 for Android ...) NOT-FOR-US: Mahasna Batik (aka com.batik.mahasna) application for Android CVE-2014-7015 (The JJ Texas Hold'em Poker (aka cn.jj.poker) application 1.13.23.HD fo ...) NOT-FOR-US: JJ Texas Hold'em Poker (aka cn.jj.poker) application for Android CVE-2014-7014 REJECTED CVE-2014-7013 (The Funny Photo Color Editor (aka com.doirdeditor.funcloreditor) appli ...) NOT-FOR-US: Funny Photo Color Editor (aka com.doirdeditor.funcloreditor) application for Android CVE-2014-7012 (The Coffee Inn (aka lt.lemonlabs.android.coffeeinn) application 2.0.1 ...) NOT-FOR-US: Coffee Inn (aka lt.lemonlabs.android.coffeeinn) application for Android CVE-2014-7011 (The NWTC Mobile (aka com.dub.app.nwtc) application 1.4.17 for Android ...) NOT-FOR-US: NWTC Mobile (aka com.dub.app.nwtc) application for Android CVE-2014-7010 (The UTSA Mobile (aka com.dub.app.utsa) application 1.4.21 for Android ...) NOT-FOR-US: UTSA Mobile (aka com.dub.app.utsa) application for Android CVE-2014-7009 (The HKBN My Account (aka com.hkbn.myaccount) application @7F070015 for ...) NOT-FOR-US: HKBN My Account (aka com.hkbn.myaccount) application for Android CVE-2014-7008 (The Forum FrAndroid beta (aka com.tapatalk.forumfrandroidcom) applicat ...) NOT-FOR-US: Forum FrAndroid beta (aka com.tapatalk.forumfrandroidcom) application for Android CVE-2014-7007 (The Master Mix (aka com.nobexinc.wls_24832536.rc) application 3.3.5 fo ...) NOT-FOR-US: Master Mix (aka com.nobexinc.wls_24832536.rc) application for Android CVE-2014-7006 (The HydFM (aka com.apheliontechnologies.hydfm) application 1.1.9 for A ...) NOT-FOR-US: HydFM (aka com.apheliontechnologies.hydfm) application for Android CVE-2014-7005 (The Foconet (aka suporte.com.foconet) application 1.0 for Android does ...) NOT-FOR-US: Foconet (aka suporte.com.foconet) application for Android CVE-2014-7004 (The PETA (aka com.peta.android) application 1.1 for Android does not v ...) NOT-FOR-US: PETA (aka com.peta.android) application for Android CVE-2014-7003 (The Goodwin (aka com.goodwin.Goodwin) application 1.15 for Android doe ...) NOT-FOR-US: Goodwin (aka com.goodwin.Goodwin) application for Android CVE-2014-7002 (The Sopexa Pavillon France (aka com.goomeoevents.pavillonfrance) appli ...) NOT-FOR-US: Sopexa Pavillon France (aka com.goomeoevents.pavillonfrance) application for Android CVE-2014-7001 (The Jian Ren (aka cn.sh.scustom.janren) application 1.5.1 for Android ...) NOT-FOR-US: Jian Ren (aka cn.sh.scustom.janren) application for Android CVE-2014-7000 (The Paul Alexander Campaign (aka hr.apps.n51261427) application 4.5.8 ...) NOT-FOR-US: Paul Alexander Campaign (aka hr.apps.n51261427) application for Android CVE-2014-6999 (The Questoes OAB (aka com.pedefeijao.questoesoab) application oab_andr ...) NOT-FOR-US: Questoes OAB (aka com.pedefeijao.questoesoab) application for Android CVE-2014-6998 (The PinkFong TV (aka kr.co.smartstudy.pinkfongtv_android_googlemarket) ...) NOT-FOR-US: PinkFong TV (aka kr.co.smartstudy.pinkfongtv_android_googlemarket) application for Android CVE-2014-6997 (The Dino Village (aka com.tappocket.dinovillage) application 1.6 for A ...) NOT-FOR-US: Dino Village (aka com.tappocket.dinovillage) application for Android CVE-2014-6996 (The Martial Arts Battle Card (aka com.tapenjoy.zjh.tw) application 1.0 ...) NOT-FOR-US: Martial Arts Battle Card (aka com.tapenjoy.zjh.tw) application for Android CVE-2014-6995 (The adidas eyewear (aka com.adidasep.eyewear) application 1.2 for Andr ...) NOT-FOR-US: adidas eyewear (aka com.adidasep.eyewear) application for Android CVE-2014-6994 (The Atecea (aka com.atecea) application 1.2 for Android does not verif ...) NOT-FOR-US: Atecea (aka com.atecea) application for Android CVE-2014-6993 (The Codeeta Coupons (aka com.codeeta.promos) application 1.0.5 for And ...) NOT-FOR-US: Codeeta Coupons (aka com.codeeta.promos) application for Android CVE-2014-6992 (The Timeless Black (aka com.apptive.android.apps.timeless) application ...) NOT-FOR-US: Timeless Black (aka com.apptive.android.apps.timeless) application for Android CVE-2014-6991 (The LiveAuctions.tv (aka air.LiveAndroidMaxx) application 2.005 for An ...) NOT-FOR-US: LiveAuctions.tv (aka air.LiveAndroidMaxx) application for Android CVE-2014-6990 (The Albasit artes y danza (aka com.adianteventures.adianteapps.albasit ...) NOT-FOR-US: Albasit artes y danza (aka com.adianteventures.adianteapps.albasit_artes_y_danza) application for Android CVE-2014-6989 (The Germanwings (aka com.germanwings.android) application 2.1.13 for A ...) NOT-FOR-US: Germanwings (aka com.germanwings.android) application for Android CVE-2014-6988 (The Quotes in Images (aka pt.lumberapps.imagensfrases) application 3.7 ...) NOT-FOR-US: Quotes in Images (aka pt.lumberapps.imagensfrases) application for Android CVE-2014-6987 (The Mass Gaming TV (aka net.massgamers) application 1.0 for Android do ...) NOT-FOR-US: Mass Gaming TV (aka net.massgamers) application for Android CVE-2014-6986 (The Pregnancy Tips (aka com.rareartifact.tipsforpregnant71C80129) appl ...) NOT-FOR-US: Pregnancy Tips (aka com.rareartifact.tipsforpregnant71C80129) application for Android CVE-2014-6985 (The Georgia Packing (aka com.tapatalk.georgiapackingorg) application 3 ...) NOT-FOR-US: Georgia Packing (aka com.tapatalk.georgiapackingorg) application for Android CVE-2014-6984 (The Shots (aka com.shots.android) application 1.0.8 for Android does n ...) NOT-FOR-US: Shots (aka com.shots.android) application for Android CVE-2014-6983 (The NBE (aka com.nbe.app) application 1.1 for Android does not verify ...) NOT-FOR-US: NBE (aka com.nbe.app) application for Android CVE-2014-6982 (The Arabic Troll Football (aka com.hamoosh.ArabicTrollFootball) applic ...) NOT-FOR-US: Arabic Troll Football (aka com.hamoosh.ArabicTrollFootball) application for Android CVE-2014-6981 (The Taiwan Business Bank (aka com.mitake.TBB) application 2.04 for And ...) NOT-FOR-US: Taiwan Business Bank (aka com.mitake.TBB) application for Android CVE-2014-6980 (The LINE PLAY (aka jp.naver.lineplay.android) application 2.3.1.1 for ...) NOT-FOR-US: LINE PLAY (aka jp.naver.lineplay.android) application for Android CVE-2014-6979 (The MiWay Insurance Ltd (aka com.MiWay.MD) application 1.2 for Android ...) NOT-FOR-US: MiWay Insurance Ltd (aka com.MiWay.MD) application for Android CVE-2014-6978 (The Karim Rahal Essoulami (aka com.karim.rahal.essoulami.lcxogeyuiztee ...) NOT-FOR-US: Karim Rahal Essoulami (aka com.karim.rahal.essoulami.lcxogeyuizteegxvnq) application for Android CVE-2014-6977 (The eLearn (aka com.desire2learn.campuslife.chattanoogastate.edu.direc ...) NOT-FOR-US: eLearn (aka com.desire2learn.campuslife.chattanoogastate.edu.directory) application for Android CVE-2014-6976 (The Aeroexpress (aka ru.lynx.aero) application 2.6.2 for Android does ...) NOT-FOR-US: Aeroexpress (aka ru.lynx.aero) application for Android CVE-2014-6975 (The Twin Lin (aka com.twinlin.twmo) application 5 for Android does not ...) NOT-FOR-US: Twin Lin (aka com.twinlin.twmo) application for Android CVE-2014-6974 (The MifaShow Hairstyles (aka com.mifashow) application 3.7 for Android ...) NOT-FOR-US: MifaShow Hairstyles (aka com.mifashow) application for Android CVE-2014-6973 (The Care4Kids (aka com.codetherapy.care4kids) application 1.03 for And ...) NOT-FOR-US: Care4Kids (aka com.codetherapy.care4kids) application for Android CVE-2014-6972 (The Kazakhstan Radio (aka com.wordbox.kazakhstanRadio) application 2.5 ...) NOT-FOR-US: Kazakhstan Radio (aka com.wordbox.kazakhstanRadio) application for Android CVE-2014-6971 (The Easy Video Downloader (aka com.simon.padillar.EasyVideo) applicati ...) NOT-FOR-US: Easy Video Downloader (aka com.simon.padillar.EasyVideo) application for Android CVE-2014-6970 (The North American Ismaili Games (aka hr.apps.n166983741) application ...) NOT-FOR-US: North American Ismaili Games (aka hr.apps.n166983741) application for Android CVE-2014-6969 (The Deltin Suites (aka com.DeltinSuites) application 3.4.1 for Android ...) NOT-FOR-US: Deltin Suites (aka com.DeltinSuites) application for Android CVE-2014-6968 (The Grandma's Grotto (aka com.mobileappsuite.grandmasgrotto) applicati ...) NOT-FOR-US: Grandma's Grotto (aka com.mobileappsuite.grandmasgrotto) application for Android CVE-2014-6967 (The Albion College (aka com.vivomobile.albioncollege) application 2.1. ...) NOT-FOR-US: Albion College (aka com.vivomobile.albioncollege) application for Android CVE-2014-6966 (The West Bend School District (aka net.parentlink.westbend) applicatio ...) NOT-FOR-US: West Bend School District (aka net.parentlink.westbend) application for Android CVE-2014-6965 (The FAZ.NET (aka net.faz.FAZ) application 1.0.1 for Android does not v ...) NOT-FOR-US: FAZ.NET (aka net.faz.FAZ) application for Android CVE-2014-6964 (The Hanyang University Admissions (aka kr.ac.hanyang.planner) applicat ...) NOT-FOR-US: Hanyang University Admissions (aka kr.ac.hanyang.planner) application for Android CVE-2014-6963 (The feiron (aka es.sw.feironmobile.app) application 1.1 for Android do ...) NOT-FOR-US: feiron (aka es.sw.feironmobile.app) application for Android CVE-2014-6962 (The Elk Grove PublicStuff (aka com.wassabi.elkgrove) application 3.2 f ...) NOT-FOR-US: Elk Grove PublicStuff (aka com.wassabi.elkgrove) application for Android CVE-2014-6961 (The SudaniNet (aka com.sudaninet.wtwqiqbegq_btwlda) application 2.0 fo ...) NOT-FOR-US: SudaniNet (aka com.sudaninet.wtwqiqbegq_btwlda) application for Android CVE-2014-6960 (The Multitrac (aka com.multitrac) application 1.04 for Android does no ...) NOT-FOR-US: Multitrac (aka com.multitrac) application for Android CVE-2014-6959 (The QinCard (aka com.haowan.qincard) application 2.0 for Android does ...) NOT-FOR-US: QinCard (aka com.haowan.qincard) application for Android CVE-2014-6958 (The ISMRM-ESMRMB 2014 (aka com.coreapps.android.followme.ismrm_esmrmb1 ...) NOT-FOR-US: ISMRM-ESMRMB 2014 (aka com.coreapps.android.followme.ismrm_esmrmb14) application for Android CVE-2014-6957 (The scottcolibmn (aka com.bredir.boopsie.scottlib) application 4.5.110 ...) NOT-FOR-US: scottcolibmn (aka com.bredir.boopsie.scottlib) application for Android CVE-2014-6956 (The Hydrogen Water (aka com.appzone628) application 1.0 for Android do ...) NOT-FOR-US: Hydrogen Water (aka com.appzone628) application for Android CVE-2014-6955 (The Le Grand Bleu (aka com.appzone468) application 1.0 for Android doe ...) NOT-FOR-US: Le Grand Bleu (aka com.appzone468) application for Android CVE-2014-6954 (The Deer Hunting Calls + Guide (aka com.anawaz.deerhuntingcalls.free) ...) NOT-FOR-US: Deer Hunting Calls + Guide (aka com.anawaz.deerhuntingcalls.free) application for Android CVE-2014-6953 (The AFTERLIFE WITH ARCHIE (aka com.afterlifewitharchie.afterlifewithar ...) NOT-FOR-US: AFTERLIFE WITH ARCHIE (aka com.afterlifewitharchie.afterlifewitharchie) application for Android CVE-2014-6952 (The Manga Facts (aka app.mangafacts.ar) application 1.0 for Android do ...) NOT-FOR-US: Manga Facts (aka app.mangafacts.ar) application for Android CVE-2014-6951 (The OneFile Ignite (aka uk.co.onefile.ignite) application 1.19 for And ...) NOT-FOR-US: OneFile Ignite (aka uk.co.onefile.ignite) application for Android CVE-2014-6950 (The Mt. Airy News (aka com.soln.SBE4A803AD6430A6E9DBA5688AA644148) app ...) NOT-FOR-US: Mt. Airy News (aka com.soln.SBE4A803AD6430A6E9DBA5688AA644148) application for Android CVE-2014-6949 (The Akne Ernahrung (aka com.rareartifact.akneernahrung72010074) applic ...) NOT-FOR-US: Akne Ernahrung (aka com.rareartifact.akneernahrung72010074) application for Android CVE-2014-6948 (The TH3 professional Al Mohtarif (aka com.th3professional.almohtarif) ...) NOT-FOR-US: TH3 professional Al Mohtarif (aka com.th3professional.almohtarif) application for Android CVE-2014-6947 (The Archie Comics (aka com.iversecomics.archie.android) application 1. ...) NOT-FOR-US: Archie Comics (aka com.iversecomics.archie.android) application for Android CVE-2014-6946 (The Re:kyu (aka com.appzone619) application 1.0 for Android does not v ...) NOT-FOR-US: Re:kyu (aka com.appzone619) application for Android CVE-2014-6945 (The Neeku Naaku Dash Dash (aka com.dakshaa.nndd) application 1.0 for A ...) NOT-FOR-US: Neeku Naaku Dash Dash (aka com.dakshaa.nndd) application for Android CVE-2014-6944 (The mitfahrgelegenheit.at (aka com.carpooling.android.at) application ...) NOT-FOR-US: mitfahrgelegenheit.at (aka com.carpooling.android.at) application for Android CVE-2014-6943 (The Konigsleiten (aka com.knigsleiten) application 1.0 for Android doe ...) NOT-FOR-US: Konigsleiten (aka com.knigsleiten) application for Android CVE-2014-6942 (The Alisha Marie (Unofficial) (aka com.automon.ay.alisha.marie) applic ...) NOT-FOR-US: Alisha Marie (Unofficial) (aka com.automon.ay.alisha.marie) application for Android CVE-2014-6941 (The NOS Alive (aka pt.optimus.optimusalive2011) application 5.1 for An ...) NOT-FOR-US: NOS Alive (aka pt.optimus.optimusalive2011) application for Android CVE-2014-6940 (The Absolute Lending Solutions (aka com.soln.S008F6C05EC0B63264B429F6D ...) NOT-FOR-US: Absolute Lending Solutions (aka com.soln.S008F6C05EC0B63264B429F6D76286562) application for Android CVE-2014-6939 (The Sketch W Friends FREE -Tablets (aka air.com.xlabz.SketchWFriendsFr ...) NOT-FOR-US: Sketch W Friends FREE -Tablets (aka air.com.xlabz.SketchWFriendsFree) application for Android CVE-2014-6938 (The Apostilas musicais (aka com.apostilas) application 1.0 for Android ...) NOT-FOR-US: Apostilas musicais (aka com.apostilas) application for Android CVE-2014-6937 (The China CITIC Bank Credit Card (aka com.citiccard.mobilebank) applic ...) NOT-FOR-US: China CITIC Bank Credit Card (aka com.citiccard.mobilebank) application for Android CVE-2014-6936 (The IDS 2013 (aka de.mobileeventguide.ids2013) application 1.21 for An ...) NOT-FOR-US: IDS 2013 (aka de.mobileeventguide.ids2013) application for Android CVE-2014-6935 (The ColorMania - Color Quiz Game (aka com.ColormaniaColoringGames) app ...) NOT-FOR-US: ColorMania - Color Quiz Game (aka com.ColormaniaColoringGames) application for Android CVE-2014-6934 (The Physics Chemistry Biology Quiz (aka com.pdevsmcqs.pcbmcqseries) ap ...) NOT-FOR-US: Physics Chemistry Biology Quiz (aka com.pdevsmcqs.pcbmcqseries) application for Android CVE-2014-6933 (The Toraware Takojyou (aka ltd.pte.wavea.torawaretakojyou) application ...) NOT-FOR-US: Toraware Takojyou (aka ltd.pte.wavea.torawaretakojyou) application for Android CVE-2014-6932 (The All Navalny (aka com.all.navalny) application 1.10 for Android doe ...) NOT-FOR-US: All Navalny (aka com.all.navalny) application for Android CVE-2014-6931 (The Treves Dance Center (aka com.myapphone.android.myapptrvesdancecent ...) NOT-FOR-US: Treves Dance Center (aka com.myapphone.android.myapptrvesdancecenter) application for Android CVE-2014-6930 (The Abram Radio Groove! (aka com.nobexinc.wls_79226887.rc) application ...) NOT-FOR-US: Abram Radio Groove! (aka com.nobexinc.wls_79226887.rc) application for Android CVE-2014-6929 (The AIHce 2014 (aka com.coreapps.android.followme.aihce2014) applicati ...) NOT-FOR-US: AIHce 2014 (aka com.coreapps.android.followme.aihce2014) application for Android CVE-2014-6928 (The Rastreador de Celulares (aka com.mobincube.android.sc_9KTH8) appli ...) NOT-FOR-US: Rastreador de Celulares (aka com.mobincube.android.sc_9KTH8) application for Android CVE-2014-6927 (The Myanmar Housing : mmHome (aka com.mmhome3) application 1.3 for And ...) NOT-FOR-US: Myanmar Housing : mmHome (aka com.mmhome3) application for Android CVE-2014-6926 (The Allt om Brollop (aka com.paperton.wl.alltombrollop) application 1. ...) NOT-FOR-US: Allt om Brollop (aka com.paperton.wl.alltombrollop) application for Android CVE-2014-6925 (The Steyr Forum (aka com.tapatalk.steyrclubcomvb) application 3.9.12 f ...) NOT-FOR-US: Steyr Forum (aka com.tapatalk.steyrclubcomvb) application for Android CVE-2014-6924 (The Metro News (aka com.netpia.ha.metro) application 1.6.5 for Android ...) NOT-FOR-US: Metro News (aka com.netpia.ha.metro) application for Android CVE-2014-6923 (The Dubrovnik Guided Walking Tours (aka com.mytoursapp.android.app351) ...) NOT-FOR-US: Dubrovnik Guided Walking Tours (aka com.mytoursapp.android.app351) application for Android CVE-2014-6922 (The KFAI Community Radio (aka com.skyblue.pra.kfai) application 2.0.4 ...) NOT-FOR-US: KFAI Community Radio (aka com.skyblue.pra.kfai) application for Android CVE-2014-6921 (The Buckhorn Grill (aka com.orderingapps.buckhorn) application 2.8 for ...) NOT-FOR-US: Buckhorn Grill (aka com.orderingapps.buckhorn) application for Android CVE-2014-6920 (The Canal 44 (aka com.canal.canal44) application 1.0 for Android does ...) NOT-FOR-US: Canal 44 (aka com.canal.canal44) application for Android CVE-2014-6919 (The Metalcasting Newsstand (aka air.com.yudu.ReaderAIR3017071) applica ...) NOT-FOR-US: Metalcasting Newsstand (aka air.com.yudu.ReaderAIR3017071) application for Android CVE-2014-6918 (The Bikers Underground (aka hr.ap.n66871172) application 4.5.10 for An ...) NOT-FOR-US: Bikers Underground (aka hr.ap.n66871172) application for Android CVE-2014-6917 (The www.knote.kr Smart (aka kr.or.knote.android) application 1.0.3 for ...) NOT-FOR-US: www.knote.kr Smart (aka kr.or.knote.android) application for Android CVE-2014-6916 (The mama.cn (aka cn.ziipin.mama.ui) application 1.02 for Android does ...) NOT-FOR-US: mama.cn (aka cn.ziipin.mama.ui) application for Android CVE-2014-6915 REJECTED CVE-2014-6914 (The Houcine El Jasmi (aka com.devkhr31.houcineeljasmi) application 1.0 ...) NOT-FOR-US: Houcine El Jasmi (aka com.devkhr31.houcineeljasmi) application for Android CVE-2014-6913 (The Dive The World (aka com.paperton.wl.divetheworld) application 1.53 ...) NOT-FOR-US: Dive The World (aka com.paperton.wl.divetheworld) application for Android CVE-2014-6912 (The IRA's 59th Annual Conference (aka com.coreapps.android.followme.ir ...) NOT-FOR-US: IRA's 59th Annual Conference (aka com.coreapps.android.followme.ira_14) application for Android CVE-2014-6911 (The diziturky HD 2015 (aka com.adv.diziturky) application 2014 for And ...) NOT-FOR-US: diziturky HD 2015 (aka com.adv.diziturky) application for Android CVE-2014-6910 (The MemorizeIt! (aka com.kshinenterprises.kshinent.memorizeit) applica ...) NOT-FOR-US: MemorizeIt! (aka com.kshinenterprises.kshinent.memorizeit) application for Android CVE-2014-6909 (The Coca-Cola FM Peru (aka com.enyetech.radio.coca_cola.fm_pe) applica ...) NOT-FOR-US: Coca-Cola FM Peru (aka com.enyetech.radio.coca_cola.fm_pe) application for Android CVE-2014-6908 (The Forum IC (aka com.tapatalk.forumimmigrercom) application 3.3.12 fo ...) NOT-FOR-US: Forum IC (aka com.tapatalk.forumimmigrercom) application for Android CVE-2014-6907 (The Rakuten Install (aka co.jp.rakuten.installapp) application 1.5.0 f ...) NOT-FOR-US: Rakuten Install (aka co.jp.rakuten.installapp) application for Android CVE-2014-6906 (The Loli Chocolate Cake (aka com.alison.kang.chocolatecake) applicatio ...) NOT-FOR-US: Loli Chocolate Cake (aka com.alison.kang.chocolatecake) application for Android CVE-2014-6905 (The H2O Human Harmony Organization (aka com.netpia.ha.theh2o) applicat ...) NOT-FOR-US: H2O Human Harmony Organization (aka com.netpia.ha.theh2o) application for Android CVE-2014-6904 (The Safe Browser - The Web Filter (aka com.cloudacl) application 1.2.5 ...) NOT-FOR-US: Safe Browser - The Web Filter (aka com.cloudacl) application for Android CVE-2014-6903 (The Gulf Power Mobile Bill Pay (aka com.tionetworks.gulf) application ...) NOT-FOR-US: Gulf Power Mobile Bill Pay (aka com.tionetworks.gulf) application for Android CVE-2014-6902 (The Anjuke (aka com.anjuke.android.app) application 7.1.7 for Android ...) NOT-FOR-US: Anjuke (aka com.anjuke.android.app) application for Android CVE-2014-6901 (The RADIOS DEL ECUADOR (aka com.nobexinc.wls_87612622.rc) application ...) NOT-FOR-US: RADIOS DEL ECUADOR (aka com.nobexinc.wls_87612622.rc) application for Android CVE-2014-6900 (The EAGE Amsterdam 2014 (aka com.coreapps.android.followme.eage_2014) ...) NOT-FOR-US: EAGE Amsterdam 2014 (aka com.coreapps.android.followme.eage_2014) application for Android CVE-2014-6899 (The Jazeera Airways (aka com.winit.jazeeraairways) application 2.7 for ...) NOT-FOR-US: Jazeera Airways (aka com.winit.jazeeraairways) application for Android CVE-2014-6898 (The Boopsie MyLibrary (aka com.bredir.boopsie.mylibrary) application 4 ...) NOT-FOR-US: Boopsie MyLibrary (aka com.bredir.boopsie.mylibrary) application for Android CVE-2014-6897 (The Skyrim Map (aka com.neko.skyrimmap) application 2.1 for Android do ...) NOT-FOR-US: Skyrim Map (aka com.neko.skyrimmap) application for Android CVE-2014-6896 (The Yik Yak (aka com.yik.yak) application 2.0.002 for Android does not ...) NOT-FOR-US: Yik Yak (aka com.yik.yak) application for Android CVE-2014-6895 (The Throne Rush (aka com.progrestar.bft) application 2.3.10 for Androi ...) NOT-FOR-US: Throne Rush (aka com.progrestar.bft) application for Android CVE-2014-6894 (The Lucktastic (aka com.lucktastic.scratch) application 1.2.6 for Andr ...) NOT-FOR-US: Lucktastic (aka com.lucktastic.scratch) application for Android CVE-2014-6893 (The Pushpins Grocery Coupons (aka com.pushpinsapp.pushpins) applicatio ...) NOT-FOR-US: Pushpins Grocery Coupons (aka com.pushpinsapp.pushpins) application for Android CVE-2014-6892 (The kalahari.com Shopping (aka com.kalahari.shop) application 1.4.2.1 ...) NOT-FOR-US: kalahari.com Shopping (aka com.kalahari.shop) application for Android CVE-2014-6891 (The Vodafone Avantaj Cepte (aka com.vodafone.avantajcepte.main) applic ...) NOT-FOR-US: Vodafone Avantaj Cepte (aka com.vodafone.avantajcepte.main) application for Android CVE-2014-6890 (The CouponCabin - Coupons & Deals (aka com.couponcabin) applicatio ...) NOT-FOR-US: CouponCabin - Coupons & Deals (aka com.couponcabin) application for Android CVE-2014-6889 (The GunBroker.com (aka com.gunbroker.android) application 1.1.2 for An ...) NOT-FOR-US: GunBroker.com (aka com.gunbroker.android) application for Android CVE-2014-6888 (The PennyTalk Mobile (aka net.idt.pennytalk.android) application 2.0.3 ...) NOT-FOR-US: PennyTalk Mobile (aka net.idt.pennytalk.android) application for Android CVE-2014-6887 (The EXPRESS (aka com.gpshopper.express.android) application 2.5.3 for ...) NOT-FOR-US: EXPRESS (aka com.gpshopper.express.android) application for Android CVE-2014-6886 (The WePhone - phone calls vs skype (aka com.wephoneapp) application 1. ...) NOT-FOR-US: WePhone - phone calls vs skype (aka com.wephoneapp) application for Android CVE-2014-6885 (The Academy Sports + Outdoors Visa (aka com.usbank.icsmobile.academysp ...) NOT-FOR-US: Academy Sports + Outdoors Visa (aka com.usbank.icsmobile.academysports) application for Android CVE-2014-6884 (The Ford Credit Account Manager (aka com.fordcredit.accountmanager) ap ...) NOT-FOR-US: Ford Credit Account Manager (aka com.fordcredit.accountmanager) application for Android CVE-2014-6883 (The CNNMoney Portfolio for stocks (aka com.cnn.portfolio) application ...) NOT-FOR-US: CNNMoney Portfolio for stocks (aka com.cnn.portfolio) application for Android CVE-2014-6882 (The Western Federal Credit Union (aka com.kerrata.pulse.western) appli ...) NOT-FOR-US: Western Federal Credit Union (aka com.kerrata.pulse.western) application for Android CVE-2014-6881 (The PNC Virtual Wallet (aka com.pnc.ecommerce.mobile.vw.android) appli ...) NOT-FOR-US: PNC Virtual Wallet (aka com.pnc.ecommerce.mobile.vw.android) application for Android CVE-2014-6880 (The TradeHero (aka com.tradehero.th) application 2.2.5 for Android doe ...) NOT-FOR-US: TradeHero (aka com.tradehero.th) application for Android CVE-2014-6879 (The Equifax Mobile (aka com.equifax) application 1.5 for Android does ...) NOT-FOR-US: Equifax Mobile (aka com.equifax) application for Android CVE-2014-6878 (The RBFCU Mobile (aka com.Vertifi.DeposZip.P314089681) application 3.1 ...) NOT-FOR-US: RBFCU Mobile (aka com.Vertifi.DeposZip.P314089681) application for Android CVE-2014-6877 (The Santander Personal Banking (aka com.sovereign.santander) applicati ...) NOT-FOR-US: Santander Personal Banking (aka com.sovereign.santander) application for Android CVE-2014-6876 (The American Express Serve (aka com.serve.mobile) application @7F0901E ...) NOT-FOR-US: American Express Serve (aka com.serve.mobile) application for Android CVE-2014-6875 (The Woodforest Mobile Banking (aka com.woodforest) application 3.1 for ...) NOT-FOR-US: Woodforest Mobile Banking (aka com.woodforest) application for Android CVE-2014-6874 (The ModSim Connected (aka com.concursive.modsim) application 2.0 for A ...) NOT-FOR-US: ModSim Connected (aka com.concursive.modsim) application for Android CVE-2014-6873 (The AMGC (aka com.amec.uae) application 6.0 for Android does not verif ...) NOT-FOR-US: AMGC (aka com.amec.uae) application for Android CVE-2014-6872 (The TTNET Muzik (aka com.ttnet.muzik) application 3.2 for Android does ...) NOT-FOR-US: TTNET Muzik (aka com.ttnet.muzik) application for Android CVE-2014-6871 (The Hogs Fly Crazy (aka com.pedrojayme.hogsflycrazy) application 1.0.0 ...) NOT-FOR-US: Hogs Fly Crazy (aka com.pedrojayme.hogsflycrazy) application for Android CVE-2014-6870 (The BGEnergy (aka com.bluegrass.smartapps) application 1.153.0034 for ...) NOT-FOR-US: BGEnergy (aka com.bluegrass.smartapps) application for Android CVE-2014-6869 (The barcode scanner (aka tw.com.books.android.plus) application 2.3.0 ...) NOT-FOR-US: barcode scanner (aka tw.com.books.android.plus) application for Android CVE-2014-6868 (The DS audio (aka com.synology.DSaudio) application 3.4 for Android do ...) NOT-FOR-US: DS audio (aka com.synology.DSaudio) application for Android CVE-2014-6867 (The Sortir en Alsace (aka com.axessweb.sortirenalsace) application 0.5 ...) NOT-FOR-US: Sortir en Alsace (aka com.axessweb.sortirenalsace) application for Android CVE-2014-6866 (The HomeAdvisor Mobile (aka com.servicemagic.consumer) application 3.0 ...) NOT-FOR-US: HomeAdvisor Mobile (aka com.servicemagic.consumer) application for Android CVE-2014-6865 (The Jamal Bates Show (aka com.conduit.app_3a95e13827c54c4da9056fafb33e ...) NOT-FOR-US: Jamal Bates Show (aka com.conduit.app_3a95e13827c54c4da9056fafb33ecc8d.app) application for Android CVE-2014-6864 (The Forest River Forums (aka com.socialknowledge.forestriverforums) ap ...) NOT-FOR-US: Forest River Forums (aka com.socialknowledge.forestriverforums) application for Android CVE-2014-6863 (The Mootorratturid & biker.ee (aka ee.digitalfruit.mootorratturid) ...) NOT-FOR-US: Mootorratturid & biker.ee (aka ee.digitalfruit.mootorratturid) application for Android CVE-2014-6862 (The ArtAcces (aka cat.gencat.mobi.artacces) application 1.0 for Androi ...) NOT-FOR-US: ArtAcces (aka cat.gencat.mobi.artacces) application for Android CVE-2014-6861 (The Terrarienbilder.com Forum (aka com.tapatalk.terrarienbildercomvb) ...) NOT-FOR-US: Terrarienbilder.com Forum (aka com.tapatalk.terrarienbildercomvb) application for Android CVE-2014-6860 (The Trial Tracker (aka com.etcweb.android.trial_tracker) application 1 ...) NOT-FOR-US: Trial Tracker (aka com.etcweb.android.trial_tracker) application for Android CVE-2014-6859 (The Daum Maps - Subway (aka net.daum.android.map) application 3.9.1 fo ...) NOT-FOR-US: Daum Maps - Subway (aka net.daum.android.map) application for Android CVE-2014-6858 (The Mostafa Shemeas (aka com.mostafa.shemeas.website) application 1.0 ...) NOT-FOR-US: Mostafa Shemeas (aka com.mostafa.shemeas.website) application for Android CVE-2014-6857 (The Car Wallpapers HD (aka com.arab4x4.gallery.app) application 1.3 fo ...) NOT-FOR-US: Car Wallpapers HD (aka com.arab4x4.gallery.app) application for Android CVE-2014-6856 (The AHRAH (aka com.vet2pet.aid219426) application 219426 for Android d ...) NOT-FOR-US: AHRAH (aka com.vet2pet.aid219426) application for Android CVE-2014-6855 (The Long (aka com.imop.longjiang.android) application 1.0.4 for Androi ...) NOT-FOR-US: Long (aka com.imop.longjiang.android) application for Android CVE-2014-6854 (The EyeXam (aka com.globaleyeventures.eyexam) application 1.4 for Andr ...) NOT-FOR-US: EyeXam (aka com.globaleyeventures.eyexam) application for Android CVE-2014-6853 (The Foxit MobilePDF - PDF Reader (aka com.foxit.mobile.pdf.lite) appli ...) NOT-FOR-US: Foxit MobilePDF - PDF Reader (aka com.foxit.mobile.pdf.lite) application for Android CVE-2014-6852 (The LedLine.gr Official (aka com.automon.ledline.gr) application 1.4.0 ...) NOT-FOR-US: LedLine.gr Official (aka com.automon.ledline.gr) application for Android CVE-2014-6851 (The New Beginnings CFC (aka com.goodbarber.nbcfc) application 1.1 for ...) NOT-FOR-US: New Beginnings CFC (aka com.goodbarber.nbcfc) application for Android CVE-2014-6850 (The SED Account (aka com.starkville.smartapps) application 1.153.0034 ...) NOT-FOR-US: SED Account (aka com.starkville.smartapps) application for Android CVE-2014-6849 REJECTED CVE-2014-6848 (The DS file (aka com.synology.DSfile) application 4.1.1 for Android do ...) NOT-FOR-US: DS file (aka com.synology.DSfile) application for Android CVE-2014-6847 (The Horoscopes and Dreams (aka com.horoscopesanddreams) application 1. ...) NOT-FOR-US: Horoscopes and Dreams (aka com.horoscopesanddreams) application for Android CVE-2014-6846 (The Four Seasons Beverly Hills (aka com.intelitycorp.FourSeasons.andro ...) NOT-FOR-US: Four Seasons Beverly Hills (aka com.intelitycorp.FourSeasons.android.ice) application for Android CVE-2014-6845 (The MediaFire (aka com.mediafire.android) application 1.1.1 for Androi ...) NOT-FOR-US: MediaFire (aka com.mediafire.android) application for Android CVE-2014-6844 (The ABC Song (aka com.tabtale.abcsingalong) application 1.0.0 for Andr ...) NOT-FOR-US: ABC Song (aka com.tabtale.abcsingalong) application for Android CVE-2014-6843 (The Sweatshop (aka com.orderingapps.sweatshop) application 2.96 for An ...) NOT-FOR-US: Sweatshop (aka com.orderingapps.sweatshop) application for Android CVE-2014-6842 (The Daily Advertiser Print (aka com.lafayettedailyadv.android.prod) ap ...) NOT-FOR-US: Daily Advertiser Print (aka com.lafayettedailyadv.android.prod) application for Android CVE-2014-6841 (The RTI INDIA (aka com.vbulletin.build_890) application 3.8.21 for And ...) NOT-FOR-US: RTI INDIA (aka com.vbulletin.build_890) application for Android CVE-2014-6840 (The My Wedding Planner (aka app.wedding) application 1.5 for Android d ...) NOT-FOR-US: My Wedding Planner (aka app.wedding) application for Android CVE-2014-6839 (The Alma Corinthiana (aka com.alma.corinthiana) application 1.0 for An ...) NOT-FOR-US: Alma Corinthiana (aka com.alma.corinthiana) application for Android CVE-2014-6838 (The Groupama toujours la (aka com.groupama.toujoursla) application 1.3 ...) NOT-FOR-US: Groupama toujours la (aka com.groupama.toujoursla) application for Android CVE-2014-6837 (The Hillside (aka com.hillside.hermanus) application 1.1 for Android d ...) NOT-FOR-US: Hillside (aka com.hillside.hermanus) application for Android CVE-2014-6836 (The DS photo+ (aka com.synology.dsphoto) application 3.3 for Android d ...) NOT-FOR-US: DS photo+ (aka com.synology.dsphoto) application for Android CVE-2014-6835 (The Herbal Guide (aka com.pocket.herbal.guide) application 1.0 for And ...) NOT-FOR-US: Herbal Guide (aka com.pocket.herbal.guide) application for Android CVE-2014-6834 (The Instaroid - Instagram Viewer (aka net.muik.instaroid) application ...) NOT-FOR-US: Instaroid - Instagram Viewer (aka net.muik.instaroid) application for Android CVE-2014-6833 (The AuctionTrac Dealer (aka com.adesa.dealer.phone) application 2.0.3 ...) NOT-FOR-US: AuctionTrac Dealer (aka com.adesa.dealer.phone) application for Android CVE-2014-6832 (The Bersa Forum (aka com.gcspublishing.bersaforum) application 3.9.16 ...) NOT-FOR-US: Bersa Forum (aka com.gcspublishing.bersaforum) application for Android CVE-2014-6831 (The Hippo Studio (aka com.appgreen.hippostudio) application 1.0 for An ...) NOT-FOR-US: Hippo Studio (aka com.appgreen.hippostudio) application for Android CVE-2014-6830 (The Covet Fashion - Shopping Game (aka com.crowdstar.covetfashion) app ...) NOT-FOR-US: Covet Fashion - Shopping Game (aka com.crowdstar.covetfashion) application for Android CVE-2014-6829 (The Hook (aka com.hook.android) application 0.9.3 for Android does not ...) NOT-FOR-US: Hook (aka com.hook.android) application for Android CVE-2014-6828 (The Gulf Credit Union (aka Fi_Mobile.Gulf) application 1.1 for Android ...) NOT-FOR-US: Gulf Credit Union (aka Fi_Mobile.Gulf) application for Android CVE-2014-6827 (The DK ONLINE Beta (aka com.sgmobile.dkonline) application 1.0.2 for A ...) NOT-FOR-US: DK ONLINE Beta (aka com.sgmobile.dkonline) application for Android CVE-2014-6826 (The Tic-Tac To The MAX FREE (aka com.tothemax) application 1.2 for And ...) NOT-FOR-US: Tic-Tac To The MAX FREE (aka com.tothemax) application for Android CVE-2014-6825 (The Teatro Franco Parenti (aka com.mintlab.mx.teatroparenti) applicati ...) NOT-FOR-US: Teatro Franco Parenti (aka com.mintlab.mx.teatroparenti) application for Android CVE-2014-6824 (The kamkomesan (aka com.anek.kamkomesan) application 1.0 for Android d ...) NOT-FOR-US: kamkomesan (aka com.anek.kamkomesan) application for Android CVE-2014-6823 (The kuailecaidengmi (aka com.licai.kuailecaidengmi) application 1.7.12 ...) NOT-FOR-US: kuailecaidengmi (aka com.licai.kuailecaidengmi) application for Android CVE-2014-6822 (The Nerdico (aka com.nerdico.danielepais) application 1.9 Stable for A ...) NOT-FOR-US: Nerdico (aka com.nerdico.danielepais) application for Android CVE-2014-6821 (The voetbal (aka nl.jborsje.android.voetbal.az) application 4.7.2 for ...) NOT-FOR-US: voetbal (aka nl.jborsje.android.voetbal.az) application for Android CVE-2014-6820 (The Amebra Ameba (aka jp.honeytrap15.amebra) application 1.0.0 for And ...) NOT-FOR-US: Amebra Ameba (aka jp.honeytrap15.amebra) application for Android CVE-2014-6819 (The Lapp Group Catalogue (aka com.prinovis.LappKabel) application 1.4 ...) NOT-FOR-US: Lapp Group Catalogue (aka com.prinovis.LappKabel) application for Android CVE-2014-6818 (The OHBM 20th Annual Meeting (aka com.coreapps.android.followme.ohbm20 ...) NOT-FOR-US: OHBM 20th Annual Meeting (aka com.coreapps.android.followme.ohbm2014) application for Android CVE-2014-6817 (The Cove (aka org.covechurch.app) application 1.0.2 for Android does n ...) NOT-FOR-US: Cove (aka org.covechurch.app) application for Android CVE-2014-6816 (The WISDOM (aka lvtu99.com.nescmxiaoniuniu) application 2.1 for Androi ...) NOT-FOR-US: WISDOM (aka lvtu99.com.nescmxiaoniuniu) application for Android CVE-2014-6815 (The Vouch! (aka com.voucherry.voucherry) application 2.1.6 for Android ...) NOT-FOR-US: Vouch! (aka com.voucherry.voucherry) application for Android CVE-2014-6814 (The Sentinels Randomizer (aka com.mikehipps.sentinelsrandomizer) appli ...) NOT-FOR-US: Sentinels Randomizer (aka com.mikehipps.sentinelsrandomizer) application for Android CVE-2014-6813 (The klassens (aka com.mcreda.klassens.apps) application 1.0 for Androi ...) NOT-FOR-US: klassens (aka com.mcreda.klassens.apps) application for Android CVE-2014-6812 (The Aloha Guide (aka com.aloha.guide.english) application 1.5 for Andr ...) NOT-FOR-US: Aloha Guide (aka com.aloha.guide.english) application for Android CVE-2014-6811 REJECTED CVE-2014-6810 (The RIMS 2014 Annual Conference (aka com.coreapps.android.followme.rim ...) NOT-FOR-US: RIMS 2014 Annual Conference (aka com.coreapps.android.followme.rims2014) application for Android CVE-2014-6809 REJECTED CVE-2014-6808 (The Active 24 (aka com.zentity.app.active24) application 1.0.1 for And ...) NOT-FOR-US: Active 24 (aka com.zentity.app.active24) application for Android CVE-2014-6807 (The OLA School (aka com.conduit.app_00f9890a4f0145f2aae9d714e20b273a.a ...) NOT-FOR-US: OLA School (aka com.conduit.app_00f9890a4f0145f2aae9d714e20b273a.app) application for Android CVE-2014-6806 (The Thanodi - Setswana Translator (aka com.thanodi.thanodi) applicatio ...) NOT-FOR-US: Thanodi - Setswana Translator (aka com.thanodi.thanodi) application for Android CVE-2014-6805 (The weibo (aka magic.weibo) application 1.2 for Android does not verif ...) NOT-FOR-US: weibo (aka magic.weibo) application for Android CVE-2014-6804 (The Deschutes Public MobileLibrary (aka com.bredir.boopsie.deschutes) ...) NOT-FOR-US: Deschutes Public MobileLibrary (aka com.bredir.boopsie.deschutes) application for Android CVE-2014-6803 (The Bank of Moscow EIRTS Rent (aka ru.bm.rbs.android) application 1.0. ...) NOT-FOR-US: Bank of Moscow EIRTS Rent (aka ru.bm.rbs.android) application for Android CVE-2014-6802 (The First Assembly NLR (aka com.subsplash.thechurchapp.firstassemblynl ...) NOT-FOR-US: First Assembly NLR (aka com.subsplash.thechurchapp.firstassemblynlr) application for Android CVE-2014-6801 (The frank matano (aka com.frank.matano) application 1.0 for Android do ...) NOT-FOR-US: frank matano (aka com.frank.matano) application for Android CVE-2014-6800 (The Bloom Township 206 (aka net.parentlink.bloom) application 4.0.500 ...) NOT-FOR-US: Bloom Township 206 (aka net.parentlink.bloom) application for Android CVE-2014-6799 (The Investigation Tool (aka gov.ca.post.lp.itool) application 1.0.0 fo ...) NOT-FOR-US: Investigation Tool (aka gov.ca.post.lp.itool) application for Android CVE-2014-6798 (The McMaster Marauders (aka com.weever.marauders) application 1.0.1 fo ...) NOT-FOR-US: McMaster Marauders (aka com.weever.marauders) application for Android CVE-2014-6797 (The Abu Ali Anasheeds (aka com.faapps.abuali_anasheeds) application 1. ...) NOT-FOR-US: Abu Ali Anasheeds (aka com.faapps.abuali_anasheeds) application for Android CVE-2014-6796 (The LocalSense (aka com.LocalSense) application 1.2.1 for Android does ...) NOT-FOR-US: LocalSense (aka com.LocalSense) application for Android CVE-2014-6795 (The Beekeeping Forum (aka com.tapatalk.supporttapatalkcomxxxxx) applic ...) NOT-FOR-US: Beekeeping Forum (aka com.tapatalk.supporttapatalkcomxxxxx) application for Android CVE-2014-6794 (The AAPLD (aka com.bredir.boopsie.aapld) application 4.5.110 for Andro ...) NOT-FOR-US: AAPLD (aka com.bredir.boopsie.aapld) application for Android CVE-2014-6793 (The Arch Friend (aka com.xyproto.archfriend) application 0.4.2 for And ...) NOT-FOR-US: Arch Friend (aka com.xyproto.archfriend) application for Android CVE-2014-6792 (The Suriname Radio (aka com.wordbox.surinameRadio) application 1.5 for ...) NOT-FOR-US: Suriname Radio (aka com.wordbox.surinameRadio) application for Android CVE-2014-6791 (The Angel Reigns (aka com.conduit.app_dab60e7bd60d4f23a14b3fb7357f9dcd ...) NOT-FOR-US: Angel Reigns (aka com.conduit.app_dab60e7bd60d4f23a14b3fb7357f9dcd.app) application for Android CVE-2014-6790 (The INVEX (aka com.mobilatolye.keyinternet) application 1.0.2 for Andr ...) NOT-FOR-US: INVEX (aka com.mobilatolye.keyinternet) application for Android CVE-2014-6789 (The Anaheim Library 2Go! (aka com.bredir.boopsie.anaheim) application ...) NOT-FOR-US: Anaheim Library 2Go! (aka com.bredir.boopsie.anaheim) application for Android CVE-2014-6788 (The Oman News (aka com.oman.news.rmtzlnbuooordciw) application 1.0 for ...) NOT-FOR-US: Oman News (aka com.oman.news.rmtzlnbuooordciw) application for Android CVE-2014-6787 (The Counter Intuition (aka com.counter.intuition) application 1.2 for ...) NOT-FOR-US: Counter Intuition (aka com.counter.intuition) application for Android CVE-2014-6786 (The Math for Kids - Subtraction (aka it.tinytap.attsa.deepsub) applica ...) NOT-FOR-US: Math for Kids - Subtraction (aka it.tinytap.attsa.deepsub) application for Android CVE-2014-6785 (The Renny McLean Ministries (aka com.subsplash.thechurchapp.s_GJQX72) ...) NOT-FOR-US: Renny McLean Ministries (aka com.subsplash.thechurchapp.s_GJQX72) application for Android CVE-2014-6784 (The Fermononrespiri Mobile (aka com.tapatalk.rmonlineitforums) applica ...) NOT-FOR-US: Fermononrespiri Mobile (aka com.tapatalk.rmonlineitforums) application for Android CVE-2014-6783 (The Campus Link - Campus TV HKUSU (aka com.campus.tv.hkusu) applicatio ...) NOT-FOR-US: Campus Link - Campus TV HKUSU (aka com.campus.tv.hkusu) application for Android CVE-2014-6782 (The Abraham Tours (aka com.mytoursapp.android.app432) application 1.1. ...) NOT-FOR-US: Abraham Tours (aka com.mytoursapp.android.app432) application for Android CVE-2014-6781 (The Aloha Stadium - Hawaii (aka com.stadium.aloha) application 1.2 for ...) NOT-FOR-US: Aloha Stadium - Hawaii (aka com.stadium.aloha) application for Android CVE-2014-6780 (The MeiTalk (aka com.playjia.meitalk) application @7F060012 for Androi ...) NOT-FOR-US: MeiTalk (aka com.playjia.meitalk) application for Android CVE-2014-6779 (The Cart App (aka com.virtecha.mobilewallet) application 1.5 for Andro ...) NOT-FOR-US: Cart App (aka com.virtecha.mobilewallet) application for Android CVE-2014-6778 (The Goat Forum (aka com.gcspublishing.goatspot) application 3.9.15 for ...) NOT-FOR-US: Goat Forum (aka com.gcspublishing.goatspot) application for Android CVE-2014-6777 (The blueeleph (aka eg.film.blueeleph) application 1.0 for Android does ...) NOT-FOR-US: blueeleph (aka eg.film.blueeleph) application for Android CVE-2014-6776 (The United Advantage NW Federal Cr (aka com.myappengine.uanwfcu) appli ...) NOT-FOR-US: United Advantage NW Federal Cr (aka com.myappengine.uanwfcu) application for Android CVE-2014-6775 (The Light for Pets (aka com.helenwoodward.light4pets) application 1.0 ...) NOT-FOR-US: Light for Pets (aka com.helenwoodward.light4pets) application for Android CVE-2014-6774 (The USEK (aka com.university.usek) application 1.0.8 for Android does ...) NOT-FOR-US: USEK (aka com.university.usek) application for Android CVE-2014-6773 (The CIH Quiz game (aka com.bowenehs.cihquizgameapp) application 1.3 fo ...) NOT-FOR-US: CIH Quiz game (aka com.bowenehs.cihquizgameapp) application for Android CVE-2014-6772 (The United Educational CU (aka com.metova.cuae.uecu) application 1.0.2 ...) NOT-FOR-US: United Educational CU (aka com.metova.cuae.uecu) application for Android CVE-2014-6771 (The United Heritage Mobile (aka Fi_Mobile.UHCU) application 1.1 for An ...) NOT-FOR-US: United Heritage Mobile (aka Fi_Mobile.UHCU) application for Android CVE-2014-6770 (The Aerospace Jobs (aka com.app_aerospacejobs.layout) application 1.39 ...) NOT-FOR-US: Aerospace Jobs (aka com.app_aerospacejobs.layout) application for Android CVE-2014-6769 (The Meteo Belgique (aka com.mobilesoft.belgiumweather) application 3.2 ...) NOT-FOR-US: Meteo Belgique (aka com.mobilesoft.belgiumweather) application for Android CVE-2014-6768 (The Anywhere Anytime Yoga Workout (aka com.bayart.yoga) application 1. ...) NOT-FOR-US: Anywhere Anytime Yoga Workout (aka com.bayart.yoga) application for Android CVE-2014-6767 (The Juggle! FREE (aka com.jakyl.juggleforfree) application 3.0.0 for A ...) NOT-FOR-US: Juggle! FREE (aka com.jakyl.juggleforfree) application for Android CVE-2014-6766 (The Afro-Beat (aka com.zero.themelock.tambourine) application 0.2 for ...) NOT-FOR-US: Afro-Beat (aka com.zero.themelock.tambourine) application for Android CVE-2014-6765 (The No Fuss Home Loans (aka com.soln.SA2CAA74BBC3AFEFE7C8BE3F3AAC499E7 ...) NOT-FOR-US: No Fuss Home Loans (aka com.soln.SA2CAA74BBC3AFEFE7C8BE3F3AAC499E7) application for Android CVE-2014-6764 (The Assyrian (aka com.b2.assyrian.activity) application 2.2 for Androi ...) NOT-FOR-US: Assyrian (aka com.b2.assyrian.activity) application for Android CVE-2014-6763 (The Codename Birdgame (aka com.devsecondfictioncom.devsecondfictioncom ...) NOT-FOR-US: Codename Birdgame (aka com.devsecondfictioncom.devsecondfictioncom.birdadhoc) application for Android CVE-2014-6762 (The bongomovie (aka com.mbwasi.bongomovie) application 1.0 for Android ...) NOT-FOR-US: bongomovie (aka com.mbwasi.bongomovie) application for Android CVE-2014-6761 (The Aprende a Meditar (aka com.rareartifact.aprendeameditar544CB0A2) a ...) NOT-FOR-US: Aprende a Meditar (aka com.rareartifact.aprendeameditar544CB0A2) application for Android CVE-2014-6760 (The Harem Thief Dating (aka com.haremthief.haremthief) application 1.2 ...) NOT-FOR-US: Harem Thief Dating (aka com.haremthief.haremthief) application for Android CVE-2014-6759 (The Downton Abbey Fan Portal (aka com.downton.abbey.fan.portal) applic ...) NOT-FOR-US: Downton Abbey Fan Portal (aka com.downton.abbey.fan.portal) application for Android CVE-2014-6758 (The Qin Story (aka com.kongzhong.tjmammoth.android.cqqslengp) applicat ...) NOT-FOR-US: Qin Story (aka com.kongzhong.tjmammoth.android.cqqslengp) application for Android CVE-2014-6757 (The Koran - AlqoranVideos (aka com.alqoran.videos.example) application ...) NOT-FOR-US: Koran - AlqoranVideos (aka com.alqoran.videos.example) application for Android CVE-2014-6756 (The Reddit Aww (aka org.biais.redditawww) application 1.2.1 for Androi ...) NOT-FOR-US: Reddit Aww (aka org.biais.redditawww) application for Android CVE-2014-6755 (The SDN Forum (TapaTalk) (aka com.tapatalk.forumshiftdeletenet) applic ...) NOT-FOR-US: SDN Forum (TapaTalk) (aka com.tapatalk.forumshiftdeletenet) application for Android CVE-2014-6754 (The Vector Outage Manager (aka nz.co.vector.outagemanager) application ...) NOT-FOR-US: Vector Outage Manager (aka nz.co.vector.outagemanager) application for Android CVE-2014-6753 (The sunnat e rasool (aka com.imsoft.sunnat_e_rasool) application 2.0 f ...) NOT-FOR-US: sunnat e rasool (aka com.imsoft.sunnat_e_rasool) application for Android CVE-2014-6752 (The Mindless Behavior Fan Base (aka com.mindless.behavior.fan.base) ap ...) NOT-FOR-US: Mindless Behavior Fan Base (aka com.mindless.behavior.fan.base) application for Android CVE-2014-6751 (The Grasshopper Beta (aka com.grasshopper.dialer) application 2.1 for ...) NOT-FOR-US: Grasshopper Beta (aka com.grasshopper.dialer) application for Android CVE-2014-6750 (The $0.99 Kindle Books (aka com.kindle.books.for99) application 6.0 fo ...) NOT-FOR-US: $0.99 Kindle Books (aka com.kindle.books.for99) application for Android CVE-2014-6749 (The American Nurses Association (aka com.dub.poweredbydub.assoc.ana) a ...) NOT-FOR-US: American Nurses Association (aka com.dub.poweredbydub.assoc.ana) application for Android CVE-2014-6748 (The GEMAIRE's HVAC Assist (aka com.es.Gemaire) application 5.0 for And ...) NOT-FOR-US: GEMAIRE's HVAC Assist (aka com.es.Gemaire) application for Android CVE-2014-6747 (The SeeOn (aka com.seeon) application 4.0.7 for Android does not verif ...) NOT-FOR-US: SeeOn (aka com.seeon) application for Android CVE-2014-6746 (The Infiniti Roadside Assistance (aka com.ccas.rsa.common.infiniti) ap ...) NOT-FOR-US: Infiniti Roadside Assistance (aka com.ccas.rsa.common.infiniti) application for Android CVE-2014-6745 (The Family Location (aka com.sosocome.family) application 3.4 2014-5-2 ...) NOT-FOR-US: Family Location (aka com.sosocome.family) application for Android CVE-2014-6744 (The Al-Ahsa News (aka com.alahsa.news) application 2.0 for Android doe ...) NOT-FOR-US: Al-Ahsa News (aka com.alahsa.news) application for Android CVE-2014-6743 (The Hearsay: A Social Party Game (aka air.com.lip.per) application 1.7 ...) NOT-FOR-US: Hearsay: A Social Party Game (aka air.com.lip.per) application for Android CVE-2014-6742 (The All around Cyprus (aka com.cyprus.newspapers) application 2.11 for ...) NOT-FOR-US: All around Cyprus (aka com.cyprus.newspapers) application for Android CVE-2014-6741 (The John MacArthur (aka com.john.macarthur) application 1.0.26 for And ...) NOT-FOR-US: John MacArthur (aka com.john.macarthur) application for Android CVE-2014-6740 (The XD Forum (aka com.tapatalk.xdforumcomforum) application 3.9.17 for ...) NOT-FOR-US: XD Forum (aka com.tapatalk.xdforumcomforum) application for Android CVE-2014-6739 (The Well-Being Connect Mobile (aka com.healthways.wellbeinggo) applica ...) NOT-FOR-US: Well-Being Connect Mobile (aka com.healthways.wellbeinggo) application for Android CVE-2014-6738 (The Maccabi Tel Aviv (aka com.monkeytech.maccabi) application 1.0 for ...) NOT-FOR-US: Maccabi Tel Aviv (aka com.monkeytech.maccabi) application for Android CVE-2014-6737 (The Ultimate Target-Armored Sniper (aka air.wood.liame.ultimatetarget) ...) NOT-FOR-US: Ultimate Target-Armored Sniper (aka air.wood.liame.ultimatetarget) application for Android CVE-2014-6736 (The EPL Hat Trick (aka com.hat.trick.goal) application 1.0 for Android ...) NOT-FOR-US: EPL Hat Trick (aka com.hat.trick.goal) application for Android CVE-2014-6735 (The imagine Next bmobile (aka com.conduit.app_51c3c19581af465092327dd2 ...) NOT-FOR-US: imagine Next bmobile (aka com.conduit.app_51c3c19581af465092327dd25591b224.app) application for Android CVE-2014-6734 (The Wine Making (aka com.gcspublishing.winemakingtalk) application 3.7 ...) NOT-FOR-US: Wine Making (aka com.gcspublishing.winemakingtalk) application for Android CVE-2014-6733 (The My T-Mobile (aka at.tmobile.android.myt) application @7F0C0030 for ...) NOT-FOR-US: My T-Mobile (aka at.tmobile.android.myt) application for Android CVE-2014-6732 (The Westpac Mobile Banking (aka org.westpac.bank) application 5.21 for ...) NOT-FOR-US: Westpac Mobile Banking (aka org.westpac.bank) application for Android CVE-2014-6731 (The Alfa-Bank (aka ru.alfabank.mobile.android) application 5.5.1.1 for ...) NOT-FOR-US: Alfa-Bank (aka ru.alfabank.mobile.android) application for Android CVE-2014-6730 (The Melodigram (aka com.minusdegree.melodigramandroid) application 1.1 ...) NOT-FOR-US: Melodigram (aka com.minusdegree.melodigramandroid) application for Android CVE-2014-6729 (The Grilling with Rich (aka com.grilling.with.rich) application 1.0 fo ...) NOT-FOR-US: Grilling with Rich (aka com.grilling.with.rich) application for Android CVE-2014-6728 (The ThinkPal (aka com.mythinkpalapp) application 1.6.3 for Android doe ...) NOT-FOR-US: ThinkPal (aka com.mythinkpalapp) application for Android CVE-2014-6727 (The Mikeius (Official App) (aka com.automon.mikeius) application 1.4.2 ...) NOT-FOR-US: Mikeius (Official App) (aka com.automon.mikeius) application for Android CVE-2014-6726 (The 30A (aka com.app30a) application 5.26.2 for Android does not verif ...) NOT-FOR-US: 30A (aka com.app30a) application for Android CVE-2014-6725 (The SchoolXM (aka apprentice.schoolxm) application 1.2 for Android doe ...) NOT-FOR-US: SchoolXM (aka apprentice.schoolxm) application for Android CVE-2014-6724 (The Soap Making (aka com.tapatalk.soapmakingforumcom) application 3.7. ...) NOT-FOR-US: Soap Making (aka com.tapatalk.soapmakingforumcom) application for Android CVE-2014-6723 (The Comics Plus (aka com.iversecomics.comicsplus.android) application ...) NOT-FOR-US: Comics Plus (aka com.iversecomics.comicsplus.android) application for Android CVE-2014-6722 (The Pescuit Crap Lite (aka ro.aventurilapescui.pescuitcrap.lite) appli ...) NOT-FOR-US: Pescuit Crap Lite (aka ro.aventurilapescui.pescuitcrap.lite) application for Android CVE-2014-6721 (The Pharmaguideline (aka com.pharmaguideline) application 1.2.0 for An ...) NOT-FOR-US: Pharmaguideline (aka com.pharmaguideline) application for Android CVE-2014-6720 (The Pesca de Carpa Lite (aka com.clearfishing.pescadecarpa.lite) appli ...) NOT-FOR-US: Pesca de Carpa Lite (aka com.clearfishing.pescadecarpa.lite) application for Android CVE-2014-6719 (The Kayak Angler Magazine (aka air.com.yudu.ReaderAIR1360155) applicat ...) NOT-FOR-US: Kayak Angler Magazine (aka air.com.yudu.ReaderAIR1360155) application for Android CVE-2014-6718 (The My Mobile Day (aka com.mymobileday) application 1.3 for Android do ...) NOT-FOR-US: My Mobile Day (aka com.mymobileday) application for Android CVE-2014-6717 (The iTriage Health (aka com.healthagen.iTriage) application 5.29 for A ...) NOT-FOR-US: iTriage Health (aka com.healthagen.iTriage) application for Android CVE-2014-6716 (The fastin (aka moda.azyae.fastin.net) application 1.0 for Android doe ...) NOT-FOR-US: fastin (aka moda.azyae.fastin.net) application for Android CVE-2014-6715 (The SlotMachine (aka com.popoinnovation.SlotMachine) application 1.03 ...) NOT-FOR-US: SlotMachine (aka com.popoinnovation.SlotMachine) application for Android CVE-2014-6714 (The WebMD (aka com.webmd.android) application 3.5 for Android does not ...) NOT-FOR-US: WebMD (aka com.webmd.android) application for Android CVE-2014-6713 (The MedQuiz: Medical Chat and MCQs (aka com.pdevsmedd.med) application ...) NOT-FOR-US: MedQuiz: Medical Chat and MCQs (aka com.pdevsmedd.med) application for Android CVE-2014-6712 (The Airlines International (aka org.iata.IAMagazine) application 1.0 f ...) NOT-FOR-US: Airlines International (aka org.iata.IAMagazine) application for Android CVE-2014-6711 (The ABC Lounge Webradio (aka com.nobexinc.wls_66087017.rc) application ...) NOT-FOR-US: ABC Lounge Webradio (aka com.nobexinc.wls_66087017.rc) application for Android CVE-2014-6710 (The Chifro Kids Coloring Game (aka com.chifro.kids_coloring_game) appl ...) NOT-FOR-US: Chifro Kids Coloring Game (aka com.chifro.kids_coloring_game) application for Android CVE-2014-6709 (The TechRadar News (aka com.techradar.news) application 1.0 for Androi ...) NOT-FOR-US: TechRadar News (aka com.techradar.news) application for Android CVE-2014-6708 (The Sporting Club Uphoria (aka com.sportinginnovations.skc) applicatio ...) NOT-FOR-US: Sporting Club Uphoria (aka com.sportinginnovations.skc) application for Android CVE-2014-6707 (The 7Sage LSAT Prep - Proctor (aka com.sevensage.lsat) application 2.1 ...) NOT-FOR-US: 7Sage LSAT Prep - Proctor (aka com.sevensage.lsat) application for Android CVE-2014-6706 (The Embry-Riddle (aka com.dub.app.erau) application 1.4.04 for Android ...) NOT-FOR-US: Embry-Riddle (aka com.dub.app.erau) application for Android CVE-2014-6705 (The Maher Zain (aka com.vanagas.app.maher_zain) application 1.1 for An ...) NOT-FOR-US: Maher Zain (aka com.vanagas.app.maher_zain) application for Android CVE-2014-6704 (The Utah Jazz (aka com.sportinginnovations.jazz) application 2.0.0 for ...) NOT-FOR-US: Utah Jazz (aka com.sportinginnovations.jazz) application for Android CVE-2014-6703 (The phonearabs4 (aka com.phonearabs4.myapps) application 1.4 for Andro ...) NOT-FOR-US: phonearabs4 (aka com.phonearabs4.myapps) application for Android CVE-2014-6702 (The StarSat International (aka com.conduit.app_b15a1814d2d840198e70e3c ...) NOT-FOR-US: StarSat International (aka com.conduit.app_b15a1814d2d840198e70e3c235af5e8b.app) application for Android CVE-2014-6701 (The Vendormate Mobile (aka com.vendormate.mobile) application 3.0 for ...) NOT-FOR-US: Vendormate Mobile (aka com.vendormate.mobile) application for Android CVE-2014-6700 (The NBA Game Time 2013-2014 (aka com.nbadigital.gametimelite) applicat ...) NOT-FOR-US: NBA Game Time 2013-2014 (aka com.nbadigital.gametimelite) application for Android CVE-2014-6699 (The Weather Channel (aka com.weather.Weather) application 5.2.0 for An ...) NOT-FOR-US: Weather Channel (aka com.weather.Weather) application for Android CVE-2014-6698 (The Galaxy Online 2 (aka air.com.igg.galaxyAPhone) application 1.2.3 f ...) NOT-FOR-US: Galaxy Online 2 (aka air.com.igg.galaxyAPhone) application for Android CVE-2014-6697 (The Morocco Weather (aka com.mobilesoft.meteomaroc) application 3.1 fo ...) NOT-FOR-US: Morocco Weather (aka com.mobilesoft.meteomaroc) application for Android CVE-2014-6696 (The Candy Girl Party Makeover (aka com.bearhugmedia.android_candygirlp ...) NOT-FOR-US: Candy Girl Party Makeover (aka com.bearhugmedia.android_candygirlparty) application for Android CVE-2014-6695 (The Wedding Photo Frames-Love Pics (aka com.WeddingPhotoFramesLovePics ...) NOT-FOR-US: Wedding Photo Frames-Love Pics (aka com.WeddingPhotoFramesLovePics) application for Android CVE-2014-6694 (The 5SOS Family Planet (aka uk.co.pixelkicks.fivesos) application 2.3. ...) NOT-FOR-US: 5SOS Family Planet (aka uk.co.pixelkicks.fivesos) application for Android CVE-2014-6693 (The Juiker (aka org.itri) application 3.2.0829.1 for Android does not ...) NOT-FOR-US: Juiker (aka org.itri) application for Android CVE-2014-6692 (The Kingsoft Clip (Office Tool) (aka cn.wps.clip) application 1.5.1 fo ...) NOT-FOR-US: Kingsoft Clip (Office Tool) (aka cn.wps.clip) application for Android CVE-2014-6691 (The UC Browser HD (aka com.uc.browser.hd) application 3.3.1.469 for An ...) NOT-FOR-US: UC Browser HD (aka com.uc.browser.hd) application for Android CVE-2014-6690 (The InstaMessage - Instagram Chat (aka com.futurebits.instamessage.fre ...) NOT-FOR-US: InstaMessage - Instagram Chat (aka com.futurebits.instamessage.free) application for Android CVE-2014-6689 (The JW Cards (aka com.jingwei.card) application 3.8.0 for Android does ...) NOT-FOR-US: JW Cards (aka com.jingwei.card) application for Android CVE-2014-6688 (The Voices.com (aka com.voices.voices) application 1.5 for Android doe ...) NOT-FOR-US: Voices.com (aka com.voices.voices) application for Android CVE-2014-6687 (The wSaudichannelAlNasr (aka com.wSaudichannelAlNasr) application 0.1 ...) NOT-FOR-US: wSaudichannelAlNasr (aka com.wSaudichannelAlNasr) application for Android CVE-2014-6686 (The Zoho Books - Accounting App (aka com.zoho.books) application 3.1.9 ...) NOT-FOR-US: Zoho Books - Accounting App (aka com.zoho.books) application for Android CVE-2014-6685 (The Tsushima Travel Guide (aka com.netjapan.ntsushima) application 1.9 ...) NOT-FOR-US: Tsushima Travel Guide (aka com.netjapan.ntsushima) application for Android CVE-2014-6684 (The MOL bringaPONT (aka hu.mol.bringapont) application 1.1 for Android ...) NOT-FOR-US: MOL bringaPONT (aka hu.mol.bringapont) application for Android CVE-2014-6683 (The Open Electrical Webser (aka com.wOpenElectricalWeb) application 0. ...) NOT-FOR-US: Open Electrical Webser (aka com.wOpenElectricalWeb) application for Android CVE-2014-6682 (The w88235ff7bdc2fb574f1789750ea99ed6 (aka com.w88235ff7bdc2fb574f1789 ...) NOT-FOR-US: w88235ff7bdc2fb574f1789750ea99ed6 (aka com.w88235ff7bdc2fb574f1789750ea99ed6) application for Android CVE-2014-6681 (The Mahabharata Audiocast (aka com.wordbox.mahabharataAudiocast) appli ...) NOT-FOR-US: Mahabharata Audiocast (aka com.wordbox.mahabharataAudiocast) application for Android CVE-2014-6680 (The superheroquiz (aka com.davidhey.superheroquiz) application 1.0 for ...) NOT-FOR-US: superheroquiz (aka com.davidhey.superheroquiz) application for Android CVE-2014-6679 (The wEPISDParentPortal (aka com.dreamstep.wEPISDParentPortal) applicat ...) NOT-FOR-US: wEPISDParentPortal (aka com.dreamstep.wEPISDParentPortal) application for Android CVE-2014-6678 (The Algeria Radio (aka com.wordbox.algeriaRadio) application 2.5 for A ...) NOT-FOR-US: Algeria Radio (aka com.wordbox.algeriaRadio) application for Android CVE-2014-6677 (The Ticket Round Up (aka com.xcr.android.ticketroundupapp) application ...) NOT-FOR-US: Ticket Round Up (aka com.xcr.android.ticketroundupapp) application for Android CVE-2014-6676 (The Exercitii pentru abdomen (aka com.rareartifact.exercitiipentruabdo ...) NOT-FOR-US: Exercitii pentru abdomen (aka com.rareartifact.exercitiipentruabdomen41E29322) application for Android CVE-2014-6675 (The Ruta Exacta (aka com.rutaexacta.m) application 1.0 for Android doe ...) NOT-FOR-US: Ruta Exacta (aka com.rutaexacta.m) application for Android CVE-2014-6674 (The Amazighmusic (aka nl.appsandroo.Amazighmusic) application 1.0 for ...) NOT-FOR-US: Amazighmusic (aka nl.appsandroo.Amazighmusic) application for Android CVE-2014-6673 (The ChallengerTX (aka com.zhtiantian.ChallengerTX) application 3.9.12. ...) NOT-FOR-US: ChallengerTX (aka com.zhtiantian.ChallengerTX) application for Android CVE-2014-6672 (The Friendcaster (aka uk.co.senab.blueNotifyFree) application 5.4.5 fo ...) NOT-FOR-US: Friendcaster (aka uk.co.senab.blueNotifyFree) application for Android CVE-2014-6671 (The World Cup 2014 Brazil - Xem TV (aka vn.letshare.football.worldcup) ...) NOT-FOR-US: World Cup 2014 Brazil - Xem TV (aka vn.letshare.football.worldcup) application for Android CVE-2014-6670 (The SingaporeMotherhood Forum (aka com.tapatalk.singaporemotherhoodcom ...) NOT-FOR-US: SingaporeMotherhood Forum (aka com.tapatalk.singaporemotherhoodcomforum) application for Android CVE-2014-6669 (The Inside Crochet (aka com.magazinecloner.insidecrochet) application ...) NOT-FOR-US: Inside Crochet (aka com.magazinecloner.insidecrochet) application for Android CVE-2014-6668 (The African Radios Live (aka com.nana.africanradioslive) application 1 ...) NOT-FOR-US: African Radios Live (aka com.nana.africanradioslive) application for Android CVE-2014-6667 (The racemotocross (aka com.bossappsmk.racemotocross) application 1.2 f ...) NOT-FOR-US: racemotocross (aka com.bossappsmk.racemotocross) application for Android CVE-2014-6666 (The Baglamukhi (aka com.wshribaglamukhiblog) application 0.1 for Andro ...) NOT-FOR-US: Baglamukhi (aka com.wshribaglamukhiblog) application for Android CVE-2014-6665 (The Ahmed Bukhatir Nasheeds TV (aka com.wAhmedBukhatirApp) application ...) NOT-FOR-US: Ahmed Bukhatir Nasheeds TV (aka com.wAhmedBukhatirApp) application for Android CVE-2014-6664 (The Latin Angels Music HD (aka com.applizards.lafreetj) application 2. ...) NOT-FOR-US: Latin Angels Music HD (aka com.applizards.lafreetj) application for Android CVE-2014-6663 (The Addis Gag Funny Amharic Pic (aka com.wAmharicFunnyPicture) applica ...) NOT-FOR-US: Addis Gag Funny Amharic Pic (aka com.wAmharicFunnyPicture) application for Android CVE-2014-6662 (The Forum Krstarice (aka com.tapatalk.forumkrstaricacom) application 3 ...) NOT-FOR-US: Forum Krstarice (aka com.tapatalk.forumkrstaricacom) application for Android CVE-2014-6661 (The netease movie (aka com.netease.movie) application 4.7.2 for Androi ...) NOT-FOR-US: netease movie (aka com.netease.movie) application for Android CVE-2014-6660 (The Koleksi Hadis Nabi SAW (aka com.wKoleksiHadisNabiSAW) application ...) NOT-FOR-US: Koleksi Hadis Nabi SAW (aka com.wKoleksiHadisNabiSAW) application for Android CVE-2014-6659 (The Defence.pk (aka com.tapatalk.defencepkforums) application 2.4.13.1 ...) NOT-FOR-US: Defence.pk (aka com.tapatalk.defencepkforums) application for Android CVE-2014-6658 (The Apploi Job Search- Find Jobs (aka com.apploi) application 4.19 for ...) NOT-FOR-US: Apploi Job Search- Find Jobs (aka com.apploi) application for Android CVE-2014-6657 (The Leadership Newspapers (aka com.LeadershipNewspapers) application 1 ...) NOT-FOR-US: Leadership Newspapers (aka com.LeadershipNewspapers) application for Android CVE-2014-6656 (The drareym (aka com.drareym) application 0.1 for Android does not ver ...) NOT-FOR-US: drareym (aka com.drareym) application for Android CVE-2014-6655 (The Tortoise Forum (aka org.tortoiseforum.android.forumrunner) applica ...) NOT-FOR-US: Tortoise Forum (aka org.tortoiseforum.android.forumrunner) application for Android CVE-2014-6654 (The wTrootrooTvIzle (aka com.wTrootrooTvIzle) application 0.1 for Andr ...) NOT-FOR-US: wTrootrooTvIzle (aka com.wTrootrooTvIzle) application for Android CVE-2014-6653 (The Afghan Radio (aka com.wordbox.afghanRadio) application 2.5 for And ...) NOT-FOR-US: Afghan Radio (aka com.wordbox.afghanRadio) application for Android CVE-2014-6652 (The Wizaz Forum (aka com.tapatalk.wizazplforum) application 3.6.4 for ...) NOT-FOR-US: Wizaz Forum (aka com.tapatalk.wizazplforum) application for Android CVE-2014-6651 (The Planet of the Vapes Forum (aka com.tapatalk.planetofthevapescoukfo ...) NOT-FOR-US: Planet of the Vapes Forum (aka com.tapatalk.planetofthevapescoukforums) application for Android CVE-2014-6650 (The NextGenUpdate (aka com.tapatalk.nextgenupdatecomforums) applicatio ...) NOT-FOR-US: NextGenUpdate (aka com.tapatalk.nextgenupdatecomforums) application for Android CVE-2014-6649 (The MyBroadband Tapatalk (aka com.tapatalk.mybroadbandcozavb) applicat ...) NOT-FOR-US: MyBroadband Tapatalk (aka com.tapatalk.mybroadbandcozavb) application for Android CVE-2014-6648 (The iPhone4.TW (aka com.tapatalk.iPhone4TWforums) application 3.3.20 f ...) NOT-FOR-US: iPhone4.TW (aka com.tapatalk.iPhone4TWforums) application for Android CVE-2014-6647 (The ElForro.com (aka com.tapatalk.elforrocom) application 2.4.3.10 for ...) NOT-FOR-US: ElForro.com (aka com.tapatalk.elforrocom) application for Android CVE-2014-6646 (The bellyhoodcom (aka com.tapatalk.bellyhoodcom) application 3.4.23 fo ...) NOT-FOR-US: bellyhoodcom (aka com.tapatalk.bellyhoodcom) application for Android CVE-2014-6645 (The Batch library for Android does not verify X.509 certificates from ...) NOT-FOR-US: Batch library for Android CVE-2014-6644 REJECTED CVE-2014-6643 (The FIAT Forum (aka com.tapatalk.fiatforumcom) application 3.8.41 for ...) NOT-FOR-US: FIAT Forum (aka com.tapatalk.fiatforumcom) application for Android CVE-2014-6642 (The Mark's Daily Apple Forum (aka com.tapatalk.marksdailyapplecomforum ...) NOT-FOR-US: Mark's Daily Apple Forum (aka com.tapatalk.marksdailyapplecomforum) application for Android CVE-2014-6641 (The Homesteading Today (aka com.tapatalk.homesteadingtodaycom) applica ...) NOT-FOR-US: Homesteading Today (aka com.tapatalk.homesteadingtodaycom) application for Android CVE-2014-6640 (The DNB Trade (aka lt.dnb.mobiletrade) application 1 for Android does ...) NOT-FOR-US: DNB Trade (aka lt.dnb.mobiletrade) application for Android CVE-2014-6639 (The TIO MobilePay - Bill Payments (aka com.tionetworks.mobile.android. ...) NOT-FOR-US: TIO MobilePay - Bill Payments (aka com.tionetworks.mobile.android.tioclient) application for Android CVE-2014-6638 (The wTMDesktop (aka com.wTMDesktop) application 1 for Android does not ...) NOT-FOR-US: wTMDesktop (aka com.wTMDesktop) application for Android CVE-2014-6637 (The Facebook Facts (aka com.wFacebookFacts) application 0.1 for Androi ...) NOT-FOR-US: Facebook Facts (aka com.wFacebookFacts) application for Android CVE-2014-6636 (The LG Telepresence (aka com.rsupport.rtc.lge) application 2.0.12 Buil ...) NOT-FOR-US: LG Telepresence (aka com.rsupport.rtc.lge) application for Android CVE-2014-6635 (Cross-site scripting (XSS) vulnerability in Exponent CMS 2.3.0 allows ...) NOT-FOR-US: Exponent CMS CVE-2014-6634 RESERVED CVE-2014-6633 (The safe_eval function in trytond in Tryton before 2.4.15, 2.6.x befor ...) {DSA-3043-1 DLA-70-1} - tryton-server 3.2.3-1 NOTE: https://bugs.tryton.org/issue4155 CVE-2014-6632 (Joomla! 2.5.x before 2.5.25, 3.x before 3.2.4, and 3.3.x before 3.3.4 ...) NOT-FOR-US: Joomla! CVE-2014-6631 (Cross-site scripting (XSS) vulnerability in com_media in Joomla! 3.2.x ...) NOT-FOR-US: Joomla! CVE-2014-6630 RESERVED CVE-2014-6629 RESERVED CVE-2014-6628 (Aruba Networks ClearPass Policy Manager (CPPM) before 6.5.0 allows rem ...) NOT-FOR-US: Aruba Networks ClearPass CVE-2014-6627 (Aruba Networks ClearPass before 6.3.5 and 6.4.x before 6.4.1 allows re ...) NOT-FOR-US: Aruba Networks ClearPass CVE-2014-6626 (Aruba Networks ClearPass before 6.3.6 and 6.4.x before 6.4.1 does not ...) NOT-FOR-US: Aruba Networks ClearPass CVE-2014-6625 (The Policy Manager in Aruba Networks ClearPass before 6.3.6 and 6.4.x ...) NOT-FOR-US: Aruba Networks ClearPass CVE-2014-6624 (The Insight module in Aruba Networks ClearPass before 6.3.6 and 6.4.x ...) NOT-FOR-US: Aruba Networks ClearPass CVE-2014-6623 (Cross-site request forgery (CSRF) vulnerability in the Insight module ...) NOT-FOR-US: Aruba Networks ClearPass CVE-2014-6622 (Aruba Networks ClearPass before 6.3.6 and 6.4.x before 6.4.1 allows re ...) NOT-FOR-US: Aruba Networks ClearPass CVE-2014-6621 (Aruba Networks ClearPass before 6.3.6 and 6.4.x before 6.4.1 does not ...) NOT-FOR-US: Aruba Networks ClearPass CVE-2014-6620 (Cross-site scripting (XSS) vulnerability in Aruba Networks ClearPass b ...) NOT-FOR-US: Aruba Networks ClearPass CVE-2014-6619 (Multiple cross-site scripting (XSS) vulnerabilities in register-exec.p ...) NOT-FOR-US: PizzaInn_Project Restaurant Script CVE-2014-6618 (Cross-site scripting (XSS) vulnerability in Your Online Shop allows re ...) NOT-FOR-US: Your Online Shop CVE-2014-6617 (Softing FG-100 PB PROFIBUS firmware version FG-x00-PB_V2.02.0.00 conta ...) NOT-FOR-US: Softing FG-100 CVE-2014-6616 (Cross-site scripting (XSS) vulnerability in Softing FG-100 PROFIBUS Si ...) NOT-FOR-US: Softing FG-100 CVE-2014-6615 RESERVED CVE-2014-6614 RESERVED CVE-2014-6613 RESERVED CVE-2014-6612 RESERVED CVE-2014-6611 (The BlackBerry World app before 5.0.0.262 on BlackBerry 10 OS 10.2.0, ...) NOT-FOR-US: BlackBerry CVE-2014-6609 (The res_pjsip_pubsub module in Asterisk Open Source 12.x before 12.5.1 ...) - asterisk (only affects 12.x series) NOTE: http://downloads.asterisk.org/pub/security/AST-2014-009.html CVE-2014-6608 RESERVED CVE-2014-6606 RESERVED CVE-2014-6605 RESERVED CVE-2014-6604 (Cross-site scripting (XSS) vulnerability in class-s2-list-table.php in ...) NOT-FOR-US: Subscribe2 plugin for WordPress CVE-2014-6603 (The SSHParseBanner function in SSH parser (app-layer-ssh.c) in Suricat ...) [squeeze] - suricata (Vulnerable code not yet present) [wheezy] - suricata (Vulnerable code not yet present) - suricata 2.0.4-1 (bug #762828) CVE-2014-6602 (Microsoft Asha OS on the Microsoft Mobile Nokia Asha 501 phone 14.0.4 ...) NOT-FOR-US: Microsoft Asha OS CVE-2012-6659 (Cross-site scripting (XSS) vulnerability in the admin interface in Pho ...) NOT-FOR-US: Phorum CVE-2014-7144 (OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x befo ...) - python-keystonemiddleware 1.0.0-3 (bug #762748) - python-keystoneclient 1:0.10.1-2 (bug #762749) [wheezy] - python-keystoneclient (Minor issue) CVE-2014-7143 (Python Twisted 14.0 trustRoot is not respected in HTTP client ...) - twisted 14.0.2-1 (bug #761983) [wheezy] - twisted (Only affects 14.0 series) [squeeze] - twisted (Only affects 14.0 series) CVE-2014-6610 (Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Ce ...) {DLA-455-1} - asterisk 1:11.12.1~dfsg-1 (medium; bug #762164) [squeeze] - asterisk (Vulnerable code not present) NOTE: http://downloads.asterisk.org/pub/security/AST-2014-010.html NOTE: http://downloads.asterisk.org/pub/security/AST-2014-010-11.diff applies on 1:1.8.13.1~dfsg1-3+deb7u3 NOTE: Squeeze version doesn't have res/res_fax_spandsp.c with the problem. CVE-2014-6607 (M/Monit 3.3.2 and earlier does not verify the original password before ...) NOT-FOR-US: M/Monit CVE-2014-6601 (Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allow ...) {DSA-3147-1 DSA-3144-1 DLA-157-1} - openjdk-6 6b34-1.13.6-1 - openjdk-7 7u75-2.5.4-1 - openjdk-8 8u40~b22-1 CVE-2014-6600 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Oracle Sun Solaris CVE-2014-6599 (Unspecified vulnerability in the Siebel Core - Common Components compo ...) NOT-FOR-US: Oracle CVE-2014-6598 (Unspecified vulnerability in the Oracle Communications Diameter Signal ...) NOT-FOR-US: Oracle CVE-2014-6597 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle CVE-2014-6596 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...) NOT-FOR-US: Oracle CVE-2014-6595 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) - virtualbox 4.3.18-dfsg-2 (bug #775888) [wheezy] - virtualbox (Introduced in 4.3) - virtualbox-ose (Introduced in 4.3) CVE-2014-6594 (Unspecified vulnerability in the Oracle iLearning component in Oracle ...) NOT-FOR-US: Oracle iLearning CVE-2014-6593 (Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u ...) {DSA-3147-1 DSA-3144-1 DLA-157-1} - openjdk-6 6b34-1.13.6-1 - openjdk-7 7u75-2.5.4-1 - openjdk-8 8u40~b22-1 CVE-2014-6592 (Unspecified vulnerability in the Oracle OpenSSO component in Oracle Fu ...) NOT-FOR-US: Oracle CVE-2014-6591 (Unspecified vulnerability in the Java SE component in Oracle Java SE 5 ...) {DSA-3187-1 DSA-3147-1 DSA-3144-1 DLA-219-1 DLA-157-1} - openjdk-6 6b34-1.13.6-1 - openjdk-7 7u75-2.5.4-1 - openjdk-8 8u40~b22-1 - icu 52.1-7 (bug #775884) CVE-2014-6590 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) - virtualbox 4.3.18-dfsg-2 (bug #775888) [wheezy] - virtualbox (Introduced in 4.3) - virtualbox-ose (Introduced in 4.3) CVE-2014-6589 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) - virtualbox 4.3.18-dfsg-2 (bug #775888) [wheezy] - virtualbox (Introduced in 4.3) - virtualbox-ose (Introduced in 4.3) CVE-2014-6588 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) - virtualbox 4.3.18-dfsg-2 (bug #775888) [wheezy] - virtualbox (Introduced in 4.3) - virtualbox-ose (Introduced in 4.3) CVE-2014-6587 (Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allow ...) {DSA-3147-1 DSA-3144-1 DLA-157-1} - openjdk-6 6b34-1.13.6-1 - openjdk-7 7u75-2.5.4-1 - openjdk-8 8u40~b22-1 CVE-2014-6586 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: Oracle CVE-2014-6585 (Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u ...) {DSA-3187-1 DSA-3147-1 DSA-3144-1 DLA-219-1 DLA-157-1} - openjdk-6 6b34-1.13.6-1 - openjdk-7 7u75-2.5.4-1 - openjdk-8 8u40~b22-1 - icu 52.1-7.1 (bug #776264) CVE-2014-6584 (Unspecified vulnerability in the Integrated Lights Out Manager (ILOM) ...) NOT-FOR-US: Oracle Sun Systems Products Suite ILOM CVE-2014-6583 (Unspecified vulnerability in the Oracle Marketing component in Oracle ...) NOT-FOR-US: Oracle CVE-2014-6582 (Unspecified vulnerability in the Oracle HCM Configuration Workbench co ...) NOT-FOR-US: Oracle CVE-2014-6581 (Unspecified vulnerability in the Oracle Customer Intelligence componen ...) NOT-FOR-US: Oracle CVE-2014-6580 (Unspecified vulnerability in the Oracle Reports Developer component in ...) NOT-FOR-US: Oracle CVE-2014-6579 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle CVE-2014-6578 (Unspecified vulnerability in the Workspace Manager component in Oracle ...) NOT-FOR-US: Oracle CVE-2014-6577 (Unspecified vulnerability in the XML Developer's Kit for C component i ...) NOT-FOR-US: Oracle CVE-2014-6576 (Unspecified vulnerability in the Oracle Adaptive Access Manager compon ...) NOT-FOR-US: Oracle CVE-2014-6575 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows remot ...) NOT-FOR-US: Oracle Sun Solaris CVE-2014-6574 (Unspecified vulnerability in the Oracle Agile PLM for Process componen ...) NOT-FOR-US: Oracle CVE-2014-6573 (Unspecified vulnerability in the Enterprise Manager Ops Center compone ...) NOT-FOR-US: Oracle CVE-2014-6572 (Unspecified vulnerability in the Oracle Customer Interaction History c ...) NOT-FOR-US: Oracle CVE-2014-6571 (Unspecified vulnerability in the Oracle HTTP Server component in Oracl ...) NOT-FOR-US: Oracle CVE-2014-6570 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Oracle Sun Solaris CVE-2014-6569 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2014-6568 (Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, a ...) {DSA-3135-1} - mysql-5.5 5.5.42-1 (bug #775881) - mariadb-10.0 10.0.16-1 (bug #775882) - percona-xtradb-cluster-5.5 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixMSQL CVE-2014-6567 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle CVE-2014-6566 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle CVE-2014-6565 (Unspecified vulnerability in the JD Edwards EnterpriseOne Tools compon ...) NOT-FOR-US: Oracle CVE-2014-6564 (Unspecified vulnerability in Oracle MySQL Server 5.6.19 and earlier al ...) - mysql-5.5 (Only affects MySQL 5.6) - mysql-5.1 (Only affects MySQL 5.6) - mariadb-10.0 (Fixed before initial upload) CVE-2014-6563 (Unspecified vulnerability in the Java VM component in Oracle Database ...) NOT-FOR-US: Oracle Database Server CVE-2014-6562 (Unspecified vulnerability in Oracle Java SE 8u20 allows remote attacke ...) - openjdk-8 8u40~b09-1 CVE-2014-6561 (Unspecified vulnerability in the Oracle Payments component in Oracle E ...) NOT-FOR-US: Oracle CVE-2014-6560 (Unspecified vulnerability in the Java VM component in Oracle Database ...) NOT-FOR-US: Oracle Database Server CVE-2014-6559 (Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, a ...) {DSA-3054-1} - mysql-5.5 5.5.40-1 - mariadb-10.0 10.0.15-1 - percona-xtradb-cluster-5.5 CVE-2014-6558 (Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u ...) {DSA-3080-1 DSA-3077-1 DLA-96-1} - openjdk-6 6b33-1.13.5-1 - openjdk-7 7u71-2.5.3-1 - openjdk-8 8u40~b09-1 CVE-2014-6557 (Unspecified vulnerability in the Application Performance Management co ...) NOT-FOR-US: Oracle Enterprise Manager Grid Control CVE-2014-6556 (Unspecified vulnerability in the Oracle Applications DBA component in ...) NOT-FOR-US: Oracle CVE-2014-6555 (Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier an ...) {DSA-3054-1} - mysql-5.5 5.5.40-1 - mariadb-10.0 10.0.15-1 - percona-xtradb-cluster-5.5 CVE-2014-6554 (Unspecified vulnerability in the Oracle Access Manager component in Or ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-6553 (Unspecified vulnerability in the Oracle Access Manager component in Or ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-6552 (Unspecified vulnerability in the Oracle Access Manager component in Or ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-6551 (Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier an ...) {DSA-3054-1} - mysql-5.5 5.5.39-1 - mariadb-5.5 5.5.39-1 - mariadb-10.0 (Fixed before initial upload) - percona-xtradb-cluster-5.5 CVE-2014-6550 (Unspecified vulnerability in the Oracle Applications Object Library co ...) NOT-FOR-US: Oracle CVE-2014-6549 (Unspecified vulnerability in Oracle Java SE 8u25 allows remote attacke ...) - openjdk-8 8u40~b22-1 CVE-2014-6548 (Unspecified vulnerability in the Oracle SOA Suite component in Oracle ...) NOT-FOR-US: Oracle CVE-2014-6547 (Unspecified vulnerability in the JPublisher component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2014-6546 (Unspecified vulnerability in the JPublisher component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2014-6545 (Unspecified vulnerability in the Java VM component in Oracle Database ...) NOT-FOR-US: Oracle Database Server CVE-2014-6544 (Unspecified vulnerability in the JDBC component in Oracle Database Ser ...) NOT-FOR-US: Oracle Database Server CVE-2014-6543 (Unspecified vulnerability in the Agile PLM component in Oracle Supply ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2014-6542 (Unspecified vulnerability in the SQLJ component in Oracle Database Ser ...) NOT-FOR-US: Oracle Database Server CVE-2014-6541 (Unspecified vulnerability in the Recovery component in Oracle Database ...) NOT-FOR-US: Oracle CVE-2014-6540 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) - virtualbox-guest-additions - virtualbox-guest-additions-iso 4.3.14-1 [wheezy] - virtualbox-guest-additions-iso (Non-free not supported) [squeeze] - virtualbox-guest-additions (Non-free not supported) NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html CVE-2014-6539 (Unspecified vulnerability in the Oracle Applications Framework compone ...) NOT-FOR-US: Oracle E-Business Suite CVE-2014-6538 (Unspecified vulnerability in the Java VM component in Oracle Database ...) NOT-FOR-US: Oracle Database Server CVE-2014-6537 (Unspecified vulnerability in the Java VM component in Oracle Database ...) NOT-FOR-US: Oracle Database Server CVE-2014-6536 (Unspecified vulnerability in the Agile PLM component in Oracle Supply ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2014-6535 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2014-6534 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-6533 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2014-6532 (Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allow ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2014-6531 (Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u ...) {DSA-3080-1 DSA-3077-1 DLA-96-1} - openjdk-6 6b33-1.13.5-1 - openjdk-7 7u71-2.5.3-1 - openjdk-8 8u40~b09-1 CVE-2014-6530 (Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, a ...) {DSA-3054-1} - mysql-5.5 5.5.39-1 - mariadb-5.5 5.5.39-1 - mariadb-10.0 (Fixed before initial upload) - percona-xtradb-cluster-5.5 CVE-2014-6529 (Unspecified vulnerability in Oracle Sun Solaris 11 allows remote attac ...) NOT-FOR-US: Oracle Sun Solaris 11 CVE-2014-6528 (Unspecified vulnerability in the Siebel Core - System Management compo ...) NOT-FOR-US: Oracle CVE-2014-6527 (Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remot ...) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2014-6526 (Unspecified vulnerability in the Oracle Directory Server Enterprise Ed ...) NOT-FOR-US: Oracle CVE-2014-6525 (Unspecified vulnerability in the Oracle Web Applications Desktop Integ ...) NOT-FOR-US: Oracle CVE-2014-6524 (Unspecified vulnerability in Oracle Solaris 10 allows local users to a ...) NOT-FOR-US: Oracle Solaris CVE-2014-6523 (Unspecified vulnerability in the Oracle Applications Framework compone ...) NOT-FOR-US: Oracle E-Business Suite CVE-2014-6522 (Unspecified vulnerability in the Oracle JDeveloper component in Oracle ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-6521 (Unspecified vulnerability in Oracle Solaris 10 allows local users to a ...) NOT-FOR-US: Oracle Solaris CVE-2014-6520 (Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier al ...) {DSA-3054-1} - mysql-5.5 5.5.39-1 - mysql-5.1 (Only affects 5.5 series) - mariadb-5.5 5.5.39-1 - mariadb-10.0 (Fixed before initial upload) - percona-xtradb-cluster-5.5 CVE-2014-6519 (Unspecified vulnerability in Oracle Java SE 7u67 and 8u20, and Java SE ...) {DSA-3080-1 DSA-3077-1 DLA-96-1} - openjdk-6 6b33-1.13.5-1 - openjdk-7 7u71-2.5.3-1 - openjdk-8 8u40~b09-1 CVE-2014-6518 (Unspecified vulnerability in Oracle Solaris 10 and 11 allows local use ...) NOT-FOR-US: Oracle Solaris CVE-2014-6517 (Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20; Java ...) {DSA-3080-1 DSA-3077-1 DLA-96-1} - openjdk-6 6b33-1.13.5-1 - openjdk-7 7u71-2.5.3-1 - openjdk-8 8u40~b09-1 CVE-2014-6516 (Unspecified vulnerability in the JD Edwards EnterpriseOne Tools compon ...) NOT-FOR-US: Oracle JD Edwards Products CVE-2014-6515 (Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allow ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2014-6514 (Unspecified vulnerability in the PL/SQL component in Oracle Database S ...) NOT-FOR-US: Oracle CVE-2014-6513 (Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, and ...) - openjdk-6 (Windows-specific) - openjdk-7 (Windows-specific) - openjdk-8 (Windows-specific) CVE-2014-6512 (Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u ...) {DSA-3080-1 DSA-3077-1 DLA-96-1} - openjdk-6 6b33-1.13.5-1 - openjdk-7 7u71-2.5.3-1 - openjdk-8 8u40~b09-1 NOTE: Upstream OpenJDK commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/0798607dd425 CVE-2014-6511 (Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u ...) {DSA-3080-1 DSA-3077-1 DLA-96-1} - openjdk-6 6b33-1.13.5-1 - openjdk-7 7u71-2.5.3-1 - openjdk-8 8u40~b09-1 CVE-2014-6510 (Unspecified vulnerability in Oracle Solaris 11 allows local users to a ...) NOT-FOR-US: Oracle Solaris CVE-2014-6509 (Unspecified vulnerability in Oracle Solaris 10 allows local users to a ...) NOT-FOR-US: Oracle Solaris CVE-2014-6508 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows remot ...) NOT-FOR-US: Oracle Sun Solaris 10 and 11 CVE-2014-6507 (Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, a ...) {DSA-3054-1} - mysql-5.5 5.5.40-1 - mariadb-5.5 - mariadb-10.0 10.0.15-1 - percona-xtradb-cluster-5.5 CVE-2014-6506 (Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u ...) {DSA-3080-1 DSA-3077-1 DLA-96-1} - openjdk-6 6b33-1.13.5-1 - openjdk-7 7u71-2.5.3-1 - openjdk-8 8u40~b09-1 CVE-2014-6505 (Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, a ...) {DSA-3054-1} - mysql-5.5 5.5.39-1 - mariadb-5.5 5.5.39-1 - mariadb-10.0 (Fixed before initial upload) - percona-xtradb-cluster-5.5 CVE-2014-6504 (Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, and 7u67, an ...) {DSA-3080-1 DSA-3077-1 DLA-96-1} - openjdk-6 6b33-1.13.5-1 - openjdk-7 7u71-2.5.3-1 - openjdk-8 8u40~b09-1 CVE-2014-6503 (Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allow ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2014-6502 (Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u ...) {DSA-3080-1 DSA-3077-1 DLA-96-1} - openjdk-6 6b33-1.13.5-1 - openjdk-7 7u71-2.5.3-1 - openjdk-8 8u40~b09-1 CVE-2014-6501 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Oracle Sun Solaris 11 CVE-2014-6500 (Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, a ...) {DSA-3054-1} - mysql-5.5 5.5.40-1 - mariadb-5.5 - mariadb-10.0 10.0.15-1 - percona-xtradb-cluster-5.5 - cyassl (bug #770229) - wolfssl (WolfSSL not affected) CVE-2014-6499 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-6498 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2014-6497 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Oracle Sun Solaris 11 CVE-2014-6496 (Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, a ...) {DSA-3054-1} - mysql-5.5 5.5.40-1 - mariadb-5.5 - mariadb-10.0 10.0.15-1 - percona-xtradb-cluster-5.5 - cyassl (bug #770229) - wolfssl (WolfSSL not affected) CVE-2014-6495 (Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, a ...) {DSA-3054-1} - mysql-5.5 5.5.39-1 - mariadb-5.5 5.5.39-1 - mariadb-10.0 (Fixed before initial upload) - percona-xtradb-cluster-5.5 - cyassl (bug #770229) - wolfssl (WolfSSL not affected) CVE-2014-6494 (Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, a ...) {DSA-3054-1} - mysql-5.5 5.5.40-1 - mariadb-5.5 - mariadb-10.0 10.0.15-1 - percona-xtradb-cluster-5.5 - cyassl (bug #770229) - wolfssl (WolfSSL not affected) CVE-2014-6493 (Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allow ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2014-6492 (Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, when ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2014-6491 (Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier an ...) {DSA-3054-1} - mysql-5.5 5.5.40-1 - mariadb-5.5 - mariadb-10.0 10.0.15-1 - percona-xtradb-cluster-5.5 - cyassl (bug #770229) - wolfssl (WolfSSL not affected) CVE-2014-6490 (Unspecified vulnerability in Oracle Sun Solaris 11 allows remote attac ...) NOT-FOR-US: Oracle Sun Solaris 11 CVE-2014-6489 (Unspecified vulnerability in Oracle MySQL Server 5.6.19 and earlier al ...) - mysql-5.5 (Only MySQL 5.6) - mysql-5.1 (Only MySQL 5.6) - mariadb-10.0 (Fixed before initial upload) CVE-2014-6488 (Unspecified vulnerability in the Enterprise Manager for Oracle Databas ...) NOT-FOR-US: Oracle Enterprise Manager Grid Control EM Base Plattform CVE-2014-6487 (Unspecified vulnerability in the Oracle Identity Manager component in ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-6486 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2014-6485 (Unspecified vulnerability in Oracle Java SE 8u20 and JavaFX 2.2.65 all ...) - openjdk-8 8u40~b09-1 CVE-2014-6484 (Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, a ...) {DSA-3054-1} - mysql-5.5 5.5.39-1 - mariadb-5.5 5.5.39-1 - mariadb-10.0 (Fixed before initial upload) - percona-xtradb-cluster-5.5 CVE-2014-6483 (Unspecified vulnerability in the Application Express component in Orac ...) NOT-FOR-US: Oracle Database Server CVE-2014-6482 (Unspecified vulnerability in the PeopleSoft Enterprise PT PeopleTools ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2014-6481 (Unspecified vulnerability in Oracle Solaris 10 and 11 allows remote at ...) NOT-FOR-US: Oracle Solaris CVE-2014-6480 (Unspecified vulnerability in the Solaris Cluster component in Oracle S ...) NOT-FOR-US: Oracle CVE-2014-6479 (Unspecified vulnerability in the Oracle Applications Technology compon ...) NOT-FOR-US: Oracle E-Business Suite CVE-2014-6478 (Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, a ...) {DSA-3054-1} - mysql-5.5 5.5.39-1 - mariadb-5.5 5.5.39-1 - mariadb-10.0 (Fixed before initial upload) - percona-xtradb-cluster-5.5 - cyassl - wolfssl (WolfSSL not affected) CVE-2014-6477 (Unspecified vulnerability in the JPublisher component in Oracle Databa ...) NOT-FOR-US: Oracle Database CVE-2014-6476 (Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remot ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2014-6475 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2014-6474 (Unspecified vulnerability in Oracle MySQL Server 5.6.19 and earlier al ...) - mysql-5.5 (Only affects MySQL 5.6) - mysql-5.1 (Only affects MySQL 5.6) - mariadb-10.0 (Fixed before initial upload) CVE-2014-6473 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local ...) NOT-FOR-US: Oracle Sun Solaris 10 and 11 CVE-2014-6472 (Unspecified vulnerability in the Oracle Applications Framework compone ...) NOT-FOR-US: Oracle E-Business Suite CVE-2014-6471 (Unspecified vulnerability in the Oracle Applications Manager component ...) NOT-FOR-US: Oracle E-Business Suite CVE-2014-6470 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Oracle Sun Solaris 11 CVE-2014-6469 (Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier an ...) {DSA-3054-1} - mysql-5.5 5.5.40-1 - mariadb-5.5 - mariadb-10.0 10.0.15-1 - percona-xtradb-cluster-5.5 CVE-2014-6468 (Unspecified vulnerability in Oracle Java SE 8u20 allows local users to ...) - openjdk-8 8u40~b09-1 CVE-2014-6467 (Unspecified vulnerability in the Java VM component in Oracle Database ...) NOT-FOR-US: Oracle Database Server CVE-2014-6466 (Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, when ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2014-6465 (Unspecified vulnerability in the Oracle Communications Session Border ...) NOT-FOR-US: Oracle Communications Applications CVE-2014-6464 (Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier an ...) {DSA-3054-1} - mysql-5.5 5.5.40-1 - mariadb-5.5 - mariadb-10.0 10.0.15-1 - percona-xtradb-cluster-5.5 CVE-2014-6463 (Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier an ...) {DSA-3054-1} - mysql-5.5 5.5.39-1 - mariadb-5.5 5.5.39-1 - mariadb-10.0 (Fixed before initial upload) - percona-xtradb-cluster-5.5 CVE-2014-6462 (Unspecified vulnerability in the Oracle Access Manager component in Or ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-6461 (Unspecified vulnerability in the Agile PLM component in Oracle Supply ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2014-6460 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2014-6459 (Unspecified vulnerability in the Oracle Secure Global Desktop componen ...) NOT-FOR-US: Oracle Virtualization CVE-2014-6458 (Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allow ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2014-6457 (Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u ...) {DSA-3080-1 DSA-3077-1 DLA-96-1} - openjdk-6 6b33-1.13.5-1 - openjdk-7 7u71-2.5.3-1 - openjdk-8 8u40~b09-1 CVE-2014-6456 (Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remot ...) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2014-6455 (Unspecified vulnerability in the SQLJ component in Oracle Database Ser ...) NOT-FOR-US: Oracle Database Server CVE-2014-6454 (Unspecified vulnerability in the SQLJ component in Oracle Database Ser ...) NOT-FOR-US: Oracle Database Server CVE-2014-6453 (Unspecified vulnerability in the Java VM component in Oracle Database ...) NOT-FOR-US: Oracle Database Server CVE-2014-6452 (Unspecified vulnerability in the SQLJ component in Oracle Database Ser ...) NOT-FOR-US: Oracle Database Server CVE-2014-6451 (J-Web in Juniper vSRX virtual firewalls with Junos OS before 15.1X49-D ...) NOT-FOR-US: Juniper CVE-2014-6450 (Juniper Junos OS before 11.4R12-S4, 12.1X44 before 12.1X44-D41, 12.1X4 ...) NOT-FOR-US: Juniper Junos OS CVE-2014-6449 (Juniper Junos OS before 12.1X44-D50, 12.1X46 before 12.1X46-D35, 12.1X ...) NOT-FOR-US: Juniper Junos OS CVE-2014-6448 (Juniper Junos OS 13.2 before 13.2R5, 13.2X51, 13.2X52, and 13.3 before ...) NOT-FOR-US: Juniper CVE-2014-6447 (Multiple vulnerabilities exist in Juniper Junos J-Web error handling t ...) NOT-FOR-US: Juniper CVE-2014-6446 (The Infusionsoft Gravity Forms plugin 1.5.3 through 1.5.10 for WordPre ...) NOT-FOR-US: WordPress plugin Infusionsoft Gravity Forms CVE-2014-6445 (Multiple cross-site scripting (XSS) vulnerabilities in includes/toAdmi ...) NOT-FOR-US: WordPress plugin Contact Form 7 Integrations CVE-2014-6444 (Multiple cross-site scripting (XSS) vulnerabilities in the Titan Frame ...) NOT-FOR-US: Titan Framework plugin for WordPress CVE-2014-6443 RESERVED CVE-2014-6442 RESERVED CVE-2014-6441 RESERVED CVE-2014-6440 (VideoLAN VLC media player before 2.1.5 allows remote attackers to exec ...) - vlc 2.1.5-1 (low) [wheezy] - vlc (Introduced in 2.1) [squeeze] - vlc (Unsupported in squeeze-lts) CVE-2014-6439 (Cross-site scripting (XSS) vulnerability in the CORS functionality in ...) - elasticsearch 1.0.3+dfsg-4 (bug #763958; low) CVE-2014-6438 (The URI.decode_www_form_component method in Ruby before 1.9.2-p330 all ...) {DLA-275-1} - ruby1.9.1 1.9.3.0-1 - ruby1.8 (Vulnerable code not present) NOTE: https://www.ruby-lang.org/en/news/2014/08/19/ruby-1-9-2-p330-released/ NOTE: https://github.com/ruby/www.ruby-lang.org/issues/817 NOTE: https://github.com/ruby/ruby/commit/5082e91876502a2f3dde862406a0efe9f85afcdb NOTE: https://github.com/ruby/ruby/commit/7b9354af8805c02ed968765abe300162e0fcc943 NOTE: CVE assignment is specific to ruby 1.9.x series? CVE-2014-6437 (Aztech ADSL DSL5018EN (1T1R), DSL705E, and DSL705EU devices allow remo ...) NOT-FOR-US: Aztech ADSL DSL5018EN (1T1R), DSL705E, and DSL705EU devices CVE-2014-6436 (Aztech ADSL DSL5018EN (1T1R), DSL705E, and DSL705EU devices improperly ...) NOT-FOR-US: Aztech ADSL DSL5018EN (1T1R), DSL705E, and DSL705EU devices CVE-2014-6435 (cgi-bin/AZ_Retrain.cgi in Aztech ADSL DSL5018EN (1T1R), DSL705E, and D ...) NOT-FOR-US: Aztech ADSL DSL5018EN (1T1R), DSL705E, and DSL705EU devices CVE-2014-6434 (gpExec in GoPro HERO 3+ allows remote attackers to execute arbitrary c ...) NOT-FOR-US: GoPro CVE-2014-6433 (gpExec in GoPro HERO 3+ allows remote attackers to execute arbitrary f ...) NOT-FOR-US: GoPro CVE-2014-6420 (Cross-site scripting (XSS) vulnerability in Livefyre LiveComments 3.0 ...) NOT-FOR-US: Livefyre LiveComments CVE-2014-6419 RESERVED CVE-2014-6415 RESERVED CVE-2014-6413 (A Cross-site Scripting (XSS) vulnerability exists in WatchGuard XTM 11 ...) NOT-FOR-US: WatchGuard CVE-2014-6412 (WordPress before 4.4 makes it easier for remote attackers to predict p ...) - wordpress (Affects only Wordpress on Windows systems) CVE-2014-6411 RESERVED CVE-2014-6409 (Cross-site request forgery (CSRF) vulnerability in M/Monit 3.3.2 and e ...) NOT-FOR-US: M/Monit CVE-2014-6408 (Docker 1.3.0 through 1.3.1 allows remote attackers to modify the defau ...) - docker.io 1.3.2~dfsg1-1 CVE-2014-6407 (Docker before 1.3.2 allows remote attackers to write to arbitrary file ...) - docker.io 1.3.2~dfsg1-1 CVE-2014-6406 RESERVED CVE-2014-6405 RESERVED CVE-2014-6404 RESERVED CVE-2014-6403 RESERVED CVE-2014-6402 RESERVED CVE-2014-6401 RESERVED CVE-2014-6400 RESERVED CVE-2014-6399 RESERVED CVE-2014-6398 RESERVED CVE-2014-6397 RESERVED CVE-2014-6396 (The dissector_postgresql function in dissectors/ec_postgresql.c in Ett ...) - ettercap 1:0.8.1-3 (bug #773416) [squeeze] - ettercap (Vulnerable code not present according to upstream author in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773416#20) CVE-2014-6395 (Heap-based buffer overflow in the dissector_postgresql function in dis ...) - ettercap 1:0.8.1-3 (bug #773416) [squeeze] - ettercap (Vulnerable code not present according to upstream author in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773416#20) CVE-2014-6394 (visionmedia send before 0.8.4 for Node.js uses a partial comparison fo ...) - node-send 0.9.4-1 NOTE: https://nodesecurity.io/advisories/send-directory-traversal CVE-2014-6393 (The Express web framework before 3.11 and 4.x before 4.5 for Node.js d ...) - node-express 4.16.4-1 (unimportant) NOTE: libv8 is not covered by security support CVE-2014-6392 (** DISPUTED ** Cross-site scripting (XSS) vulnerability in the Faceboo ...) NOT-FOR-US: Facebook app and Facebook Messenger app for iOS CVE-2014-6391 RESERVED CVE-2014-6390 RESERVED CVE-2014-6389 (backup.php in PHPCompta/NOALYSS before 6.7.2 allows remote attackers t ...) NOT-FOR-US: PhpCompta CVE-2014-6388 REJECTED CVE-2013-7403 RESERVED NOT-FOR-US: WordPress plugin wp-video-commando CVE-2012-6658 (Multiple cross-site scripting (XSS) vulnerabilities in SpiceWorks 5.3. ...) NOT-FOR-US: SpiceWorks CVE-2014-7145 (The SMB2_tcon function in fs/cifs/smb2pdu.c in the Linux kernel before ...) - linux 3.16.3-1 [wheezy] - linux (Introduced in 3.7) - linux-2.6 (Introduced in 3.7) NOTE: upstream fix: https://github.com/torvalds/linux/commit/18f39e7be0121317550d03e267e3ebd4dbfbb3ce (v3.17-rc2) CVE-2014-6432 (The SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniff ...) {DSA-3049-1 DLA-198-1} - wireshark 1.12.1+g01b65bf-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2014-19.html CVE-2014-6431 (Buffer overflow in the SnifferDecompress function in wiretap/ngsniffer ...) {DSA-3049-1 DLA-198-1} - wireshark 1.12.1+g01b65bf-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2014-19.html CVE-2014-6430 (The SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniff ...) {DSA-3049-1 DLA-198-1} - wireshark 1.12.1+g01b65bf-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2014-19.html CVE-2014-6429 (The SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniff ...) {DSA-3049-1 DLA-198-1} - wireshark 1.12.1+g01b65bf-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2014-19.html CVE-2014-6428 (The dissect_spdu function in epan/dissectors/packet-ses.c in the SES d ...) {DSA-3049-1 DLA-198-1} - wireshark 1.12.1+g01b65bf-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2014-18.html CVE-2014-6427 (Off-by-one error in the is_rtsp_request_or_reply function in epan/diss ...) {DSA-3049-1} - wireshark 1.12.1+g01b65bf-1 [squeeze] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2014-17.html CVE-2014-6426 (The dissect_hip_tlv function in epan/dissectors/packet-hip.c in the HI ...) - wireshark 1.12.1+g01b65bf-1 [wheezy] - wireshark (Only applies to 1.12.x) [squeeze] - wireshark (Only applies to 1.12.x) NOTE: https://www.wireshark.org/security/wnpa-sec-2014-16.html CVE-2014-6425 (The (1) get_quoted_string and (2) get_unquoted_string functions in epa ...) - wireshark 1.12.1+g01b65bf-1 [wheezy] - wireshark (Only applies to 1.12.x) [squeeze] - wireshark (Only applies to 1.12.x) NOTE: https://www.wireshark.org/security/wnpa-sec-2014-15.html CVE-2014-6424 (The dissect_v9_v10_pdu_data function in epan/dissectors/packet-netflow ...) {DSA-3049-1} - wireshark 1.12.1+g01b65bf-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2014-14.html CVE-2014-6423 (The tvb_raw_text_add function in epan/dissectors/packet-megaco.c in th ...) {DSA-3049-1 DLA-198-1} - wireshark 1.12.1+g01b65bf-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2014-13.html CVE-2014-6422 (The SDP dissector in Wireshark 1.10.x before 1.10.10 creates duplicate ...) {DSA-3049-1 DLA-198-1} - wireshark 1.12.0+git+4fab41a1-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2014-12.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commitdiff;h=04c05a21e34cec326f1aff2f5f8a6e74e1ced984 (v1.11.3) CVE-2014-6421 (Use-after-free vulnerability in the SDP dissector in Wireshark 1.10.x ...) - wireshark 1.12.0~rc1-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2014-12.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commitdiff;h=81c4eee84b6ee19fd27929856fa1465b1af148c6 (v1.10.10) CVE-2014-6418 (net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3, ...) - linux 3.16.3-1 [wheezy] - linux 3.2.63-1 - linux-2.6 [squeeze] - linux-2.6 (Introduced in 2.6.34) NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c27a3e4d667fdcad3db7b104f75659478e0c68d8 (v3.17-rc5) NOTE: http://tracker.ceph.com/issues/8979 CVE-2014-6417 (net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3, ...) - linux 3.16.3-1 [wheezy] - linux 3.2.63-1 - linux-2.6 [squeeze] - linux-2.6 (Introduced in 2.6.34) NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c27a3e4d667fdcad3db7b104f75659478e0c68d8 (v3.17-rc5) NOTE: http://tracker.ceph.com/issues/8979 CVE-2014-6416 (Buffer overflow in net/ceph/auth_x.c in Ceph, as used in the Linux ker ...) - linux 3.16.3-1 [wheezy] - linux 3.2.63-1 - linux-2.6 [squeeze] - linux-2.6 (Introduced in 2.6.34) NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c27a3e4d667fdcad3db7b104f75659478e0c68d8 (v3.17-rc5) NOTE: http://tracker.ceph.com/issues/8979 CVE-2014-6414 (OpenStack Neutron before 2014.2.4 and 2014.1 before 2014.1.2 allows re ...) - neutron 2014.1.3-1 NOTE: vulnerable versions up to 2013.2.4 and 2014.1 versions up to 2014.1.2 CVE-2014-6410 (The __udf_read_inode function in fs/udf/inode.c in the Linux kernel th ...) {DLA-118-1} - linux 3.16.5-1 [wheezy] - linux 3.2.63-1 - linux-2.6 NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c03aa9f6e1f938618e6db2e23afef0574efeeb65 (v3.17-rc5) CVE-2012-6657 (The sock_setsockopt function in net/core/sock.c in the Linux kernel be ...) {DLA-103-1} - linux 3.6.4-1 [wheezy] - linux 3.2.32-1 - linux-2.6 NOTE: Upstream fix: https://git.kernel.org/linus/3e10986d1d698140747fcfc2761ec9cb64c1d582 (v3.6) CVE-2014-6386 (Juniper Junos 11.4 before 11.4R8, 12.1X44 before 12.1X44-D35, 12.1X45 ...) NOT-FOR-US: Juniper CVE-2014-6385 (Juniper Junos 11.4 before 11.4R13, 12.1X44 before 12.1X44-D45, 12.1X46 ...) NOT-FOR-US: Juniper CVE-2014-6384 (Juniper Junos 12.1X44 before 12.1X44-D45, 12.1X46 before 12.1X46-D25, ...) NOT-FOR-US: Juniper CVE-2014-6383 (The stateless firewall in Juniper Junos 13.3R3, 14.1R1, and 14.1R2, wh ...) NOT-FOR-US: Juniper CVE-2014-6382 (The Juniper MX Series routers with Junos 13.3R3 through 13.3Rx before ...) NOT-FOR-US: Juniper CVE-2014-6381 (Juniper WLC devices with WLAN Software releases 8.0.x before 8.0.4, 9. ...) NOT-FOR-US: Juniper CVE-2014-6380 (Juniper Junos 11.4 before R11, 12.1 before R9, 12.1X44 before D30, 12. ...) NOT-FOR-US: Juniper Junos CVE-2014-6379 (Juniper Junos 11.4 before R12, 12.1 before R10, 12.1X44 before D35, 12 ...) NOT-FOR-US: Juniper Junos CVE-2014-6378 (Juniper Junos 11.4 before R12-S4, 12.1X44 before D35, 12.1X45 before D ...) NOT-FOR-US: Juniper Junos CVE-2014-6377 (Juniper JunosE before 13.3.3p0-1, 14.x before 14.3.2, and 15.x before ...) NOT-FOR-US: Juniper Junos CVE-2014-6376 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-6375 (Microsoft Internet Explorer 8 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-6374 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-6373 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-6372 REJECTED CVE-2014-6371 REJECTED CVE-2014-6370 REJECTED CVE-2014-6369 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-6368 (Microsoft Internet Explorer 11 allows remote attackers to bypass the A ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-6367 REJECTED CVE-2014-6366 (Microsoft Internet Explorer 6 and 7 allows remote attackers to execute ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-6365 (Microsoft Internet Explorer 8 through 11 allows remote attackers to by ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-6364 (Use-after-free vulnerability in Microsoft Office 2007 SP3; 2010 SP2; 2 ...) NOT-FOR-US: Microsoft Office CVE-2014-6363 (vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Inter ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-6362 (Use-after-free vulnerability in Microsoft Office 2007 SP3, 2010 SP2, a ...) NOT-FOR-US: Microsoft Office CVE-2014-6361 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 Gold and SP1, Exc ...) NOT-FOR-US: Microsoft Excel CVE-2014-6360 (Microsoft Excel 2007 SP3, Excel 2010 SP2, and Office Compatibility Pac ...) NOT-FOR-US: Microsoft Excel CVE-2014-6359 REJECTED CVE-2014-6358 REJECTED CVE-2014-6357 (Use-after-free vulnerability in Microsoft Office 2010 SP2, Office 2013 ...) NOT-FOR-US: Microsoft Office CVE-2014-6356 (Array index error in Microsoft Word 2007 SP3, Word 2010 SP2, and Offic ...) NOT-FOR-US: Microsoft Word CVE-2014-6355 (The Graphics Component in Microsoft Windows Server 2003 SP2, Windows V ...) NOT-FOR-US: Microsft Windows CVE-2014-6354 (Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Interne ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-6353 (Microsoft Internet Explorer 6 through 10 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2014-6352 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft CVE-2014-6351 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2014-6350 (Microsoft Internet Explorer 10 and 11 allows remote attackers to gain ...) NOT-FOR-US: Microsoft CVE-2014-6349 (Microsoft Internet Explorer 10 and 11 allows remote attackers to gain ...) NOT-FOR-US: Microsoft CVE-2014-6348 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft CVE-2014-6347 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-6346 (Microsoft Internet Explorer 8 through 11 allows remote attackers to re ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-6345 (Microsoft Internet Explorer 9 and 10 allows remote attackers to read c ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-6344 (Microsoft Internet Explorer 8 and 9 allows remote attackers to execute ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-6343 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-6342 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-6341 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-6340 (Microsoft Internet Explorer 6 through 11 allows remote attackers to re ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-6339 (Microsoft Internet Explorer 8 and 9 allows remote attackers to bypass ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-6338 REJECTED CVE-2014-6337 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-6336 (Outlook Web App (OWA) in Microsoft Exchange Server 2013 SP1 and Cumula ...) NOT-FOR-US: Microsoft Exchange Server CVE-2014-6335 (Microsoft Word 2007 SP3, Word Viewer, and Office Compatibility Pack SP ...) NOT-FOR-US: Microsoft Office CVE-2014-6334 (Microsoft Word 2007 SP3, Word Viewer, and Office Compatibility Pack SP ...) NOT-FOR-US: Microsoft CVE-2014-6333 (Microsoft Word 2007 SP3, Word Viewer, and Office Compatibility Pack SP ...) NOT-FOR-US: Microsoft CVE-2014-6332 (OleAut32.dll in OLE in Microsoft Windows Server 2003 SP2, Windows Vist ...) NOT-FOR-US: Microsoft CVE-2014-6331 (Microsoft Active Directory Federation Services (AD FS) 2.0, 2.1, and 3 ...) NOT-FOR-US: Microsoft CVE-2014-6330 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-6329 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-6328 (Microsoft Internet Explorer 8 through 11 allows remote attackers to by ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-6327 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-6326 (Cross-site scripting (XSS) vulnerability in Microsoft Exchange Server ...) NOT-FOR-US: Microsoft Exchange Server CVE-2014-6325 (Cross-site scripting (XSS) vulnerability in Microsoft Exchange Server ...) NOT-FOR-US: Microsoft Exchange Server CVE-2014-6324 (The Kerberos Key Distribution Center (KDC) in Microsoft Windows Server ...) NOT-FOR-US: Microsoft Windows CVE-2014-6323 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ob ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-6322 (The Windows Audio service in Microsoft Windows Vista SP2, Windows Serv ...) NOT-FOR-US: Microsoft CVE-2014-6321 (Schannel in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Wind ...) NOT-FOR-US: Microsoft CVE-2014-6320 REJECTED CVE-2014-6319 (Outlook Web App (OWA) in Microsoft Exchange Server 2007 SP3, 2010 SP3, ...) NOT-FOR-US: Microsoft Exchange Server CVE-2014-6318 (The audit logon feature in Remote Desktop Protocol (RDP) in Microsoft ...) NOT-FOR-US: Microsoft CVE-2014-6317 (Array index error in win32k.sys in the kernel-mode drivers in Microsof ...) NOT-FOR-US: Microsoft CVE-2014-6316 (core/string_api.php in MantisBT before 1.2.18 does not properly catego ...) {DSA-3120-1} - mantis [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: http://github.com/mantisbt/mantisbt/commit/e66ecc9f NOTE: https://www.mantisbt.org/bugs/view.php?id=17648 NOTE: https://www.mantisbt.org/bugs/view.php?id=17362 NOTE: https://www.mantisbt.org/bugs/view.php?id=17698 NOTE: https://www.mantisbt.org/bugs/view.php?id=17811 CVE-2014-6315 (Multiple cross-site scripting (XSS) vulnerabilities in the Web-Dorado ...) NOT-FOR-US: WordPress plugin Photo Gallery CVE-2014-6314 RESERVED CVE-2014-6313 (Cross-site scripting (XSS) vulnerability in the WooCommerce plugin bef ...) NOT-FOR-US: WordPress plugin WooCommerce CVE-2014-6312 (Cross-site request forgery (CSRF) vulnerability in the Login Widget Wi ...) NOT-FOR-US: Login Widget With Shortcode (login-sidebar-widget) plugin for WordPress CVE-2014-6309 (The HTTP and WebSocket engine components in the server in Kaazing Gate ...) NOT-FOR-US: Kaazing Gateway CVE-2014-6308 (Directory traversal vulnerability in OSClass before 3.4.2 allows remot ...) NOT-FOR-US: OsClass CVE-2014-6307 RESERVED CVE-2014-6306 RESERVED CVE-2014-6305 RESERVED CVE-2014-6304 (The Form Controls CSS file in PNMsoft Sequence Kinetics before 7.7 all ...) NOT-FOR-US: PNMsoft CVE-2014-6303 (The Monitoring Administration pages in PNMsoft Sequence Kinetics befor ...) NOT-FOR-US: PNMsoft CVE-2014-6302 (The Monitoring Administration pages in PNMsoft Sequence Kinetics befor ...) NOT-FOR-US: PNMsoft CVE-2014-6301 (Multiple cross-site scripting (XSS) vulnerabilities in the tables-mana ...) NOT-FOR-US: PNMsoft CVE-2014-6300 (Cross-site scripting (XSS) vulnerability in the micro history implemen ...) - phpmyadmin 4:4.2.8.1-1 NOTE: https://www.phpmyadmin.net/security/PMASA-2014-10/ [squeeze] - phpmyadmin (Vulnerable code not present) [wheezy] - phpmyadmin (Vulnerable code not present) CVE-2014-6299 (Cross-site request forgery (CSRF) vulnerability in the mm_forum extens ...) NOT-FOR-US: TYPO3 extension CVE-2014-6298 (Unrestricted file upload vulnerability in the mm_forum extension befor ...) NOT-FOR-US: TYPO3 extension CVE-2014-6297 (Cross-site scripting (XSS) vulnerability in the mm_forum extension bef ...) NOT-FOR-US: TYPO3 extension CVE-2014-6296 (Cross-site scripting (XSS) vulnerability in the WEC Map (wec_map) exte ...) NOT-FOR-US: TYPO3 extension CVE-2014-6295 (SQL injection vulnerability in the WEC Map (wec_map) extension before ...) NOT-FOR-US: TYPO3 extension CVE-2014-6294 (Cross-site scripting (XSS) vulnerability in the External links click s ...) NOT-FOR-US: TYPO3 extension CVE-2014-6293 (SQL injection vulnerability in the Statistics (ke_stats) extension bef ...) NOT-FOR-US: TYPO3 extension CVE-2014-6292 (The femanager extension before 1.0.9 for TYPO3 allows remote frontend ...) NOT-FOR-US: TYPO3 extension CVE-2014-6291 (Cross-site scripting (XSS) vulnerability in the Alphabetic Sitemap (al ...) NOT-FOR-US: TYPO3 extension CVE-2014-6290 (The News (tt_news) extension before 3.5.2 for TYPO3 allows remote atta ...) NOT-FOR-US: TYPO3 extension CVE-2014-6289 (The Ajax dispatcher for Extbase in the Yet Another Gallery (yag) exten ...) NOT-FOR-US: TYPO3 extension CVE-2014-6288 (The powermail extension 2.x before 2.0.11 for TYPO3 allows remote atta ...) NOT-FOR-US: TYPO3 extension CVE-2014-6287 (The findMacroMarker function in parserLib.pas in Rejetto HTTP File Ser ...) NOT-FOR-US: Rejetto HTTP File Server CVE-2014-6286 RESERVED CVE-2014-6285 RESERVED CVE-2014-6284 (SAP Adaptive Server Enterprise (ASE) before 15.7 SP132 and 16.0 before ...) NOT-FOR-US: SAP Adaptive Server Enterprise CVE-2014-6283 (SAP Adaptive Server Enterprise (ASE) 15.7 before SP122 or SP63, 15.5 b ...) NOT-FOR-US: SAP Adaptive Server Enterprise CVE-2014-6282 RESERVED CVE-2014-6281 RESERVED CVE-2014-6280 (Multiple cross-site scripting (XSS) vulnerabilities in OSClass before ...) NOT-FOR-US: OsClass CVE-2014-6279 RESERVED CVE-2014-6278 (GNU Bash through 4.3 bash43-026 does not properly parse function defin ...) - bash 4.3-9.2 (high) [wheezy] - bash 4.2+dfsg-0.1+deb7u3 (high) [squeeze] - bash 4.1-3+deb6u2 (high) NOTE: Florian Weimer's variables-affix.patch patch applied in Debian prevents NOTE: exploitation of this issue by making bash only use environment variables NOTE: with specific names (BASH_FUNC_*()) to define functions from its NOTE: environment. CVE-2014-6277 (GNU Bash through 4.3 bash43-026 does not properly parse function defin ...) - bash 4.3-9.2 [wheezy] - bash 4.2+dfsg-0.1+deb7u3 [squeeze] - bash 4.1-3+deb6u2 NOTE: Florian Weimer's variables-affix.patch patch applied in Debian prevents NOTE: exploitation of this issue by making bash only use environment variables NOTE: with specific names (BASH_FUNC_*()) to define functions from its NOTE: environment. CVE-2014-6276 (schema.py in Roundup before 1.5.1 does not properly limit attributes i ...) {DSA-3502-1} - roundup (bug #816780) NOTE: http://hg.code.sf.net/p/roundup/code/rev/a403c29ffaf9 CVE-2014-6275 (FusionForge before 5.3.2 use scripts that run under the shared Apache ...) - fusionforge 5.3.2-1 [squeeze] - fusionforge (Not supported in Squeeze LTS) NOTE: https://lists.fusionforge.org/pipermail/fusionforge-general/2014-September/002824.html CVE-2014-6274 [S3 and Glacier remotes creds embedded in the git repo were not encrypted] RESERVED - git-annex 5.20140919 [wheezy] - git-annex (Vulnerable code introduced in 3.20121126) NOTE: https://git-annex.branchable.com/upgrades/insecure_embedded_creds/ CVE-2014-6273 (Buffer overflow in the HTTP transport code in apt-get in APT 1.0.1 and ...) {DSA-3031-1 DLA-58-1} - apt 1.0.3 CVE-2014-6272 (Multiple integer overflows in the evbuffer API in Libevent 1.4.x befor ...) {DSA-3119-1 DLA-137-1} - libevent 2.0.21-stable-2 (bug #774645) CVE-2014-6271 (GNU Bash through 4.3 processes trailing strings after function definit ...) {DSA-3032-1 DLA-59-1} - bash 4.3-9.1 CVE-2014-6267 RESERVED CVE-2014-6266 RESERVED CVE-2014-6265 RESERVED CVE-2014-6264 RESERVED CVE-2014-6263 RESERVED CVE-2014-6262 (Multiple format string vulnerabilities in the python module in RRDtool ...) {DLA-2131-1} - rrdtool 1.5.4-1 NOTE: https://github.com/oetiker/rrdtool-1.x/pull/532 NOTE: https://github.com/oetiker/rrdtool-1.x/commit/64ed5314af1255ab6dded45f70b39cdeab5ae2ec (v1.5.0-rc1) NOTE: https://github.com/oetiker/rrdtool-1.x/commit/85261a013112e278c90224033f5b0592ee387786 (v1.4.9) CVE-2014-6261 (Zenoss Core through 5 Beta 3 does not properly implement the Check For ...) - zenoss (bug #361253) CVE-2014-6260 (Zenoss Core through 5 Beta 3 does not require a password for modifying ...) - zenoss (bug #361253) CVE-2014-6259 (Zenoss Core through 5 Beta 3 does not properly detect recursion during ...) - zenoss (bug #361253) CVE-2014-6258 (An unspecified endpoint in Zenoss Core through 5 Beta 3 allows remote ...) - zenoss (bug #361253) CVE-2014-6257 (Zenoss Core through 5 Beta 3 allows remote attackers to bypass intende ...) - zenoss (bug #361253) CVE-2014-6256 (Zenoss Core through 5 Beta 3 allows remote attackers to bypass intende ...) - zenoss (bug #361253) CVE-2014-6255 (Open redirect vulnerability in the login form in Zenoss Core before 4. ...) - zenoss (bug #361253) CVE-2014-6254 (Multiple cross-site scripting (XSS) vulnerabilities in Zenoss Core thr ...) - zenoss (bug #361253) CVE-2014-6253 (Multiple cross-site request forgery (CSRF) vulnerabilities in Zenoss C ...) - zenoss (bug #361253) CVE-2013-7400 (The Direct Mail (direct_mail) extension before 3.1.2 for TYPO3 allows ...) NOT-FOR-US: TYPO3 extension direct_mail CVE-2014-6387 (gpc_api.php in MantisBT 1.2.17 and earlier allows remote attackers to ...) {DSA-3120-1} - mantis [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: http://www.mantisbt.org/bugs/view.php?id=17640 NOTE: http://github.com/mantisbt/mantisbt/commit/215968fa8 (1.2.x branch) NOTE: http://github.com/mantisbt/mantisbt/commit/fc02c46ee (master branch) CVE-2014-XXXX [install-sh: insecure use of /tmp] - automake1.11 1:1.11.6-4 (unimportant; bug #827346) - automake-1.14 (unimportant; bug #827347) [jessie] - automake-1.14 1:1.14.1-4+deb8u1 - automake-1.15 1:1.15-3 (unimportant; bug #760455) NOTE: http://seclists.org/oss-sec/2014/q3/588 NOTE: Neutralised by kernel hardening CVE-2014-6252 (Buffer overflow in disp+work.exe 7000.52.12.34966 and 7200.117.19.5029 ...) NOT-FOR-US: SAP NetWeaver CVE-2014-6311 (generate_doygen.pl in ace before 6.2.7+dfsg-2 creates predictable file ...) - ace 6.2.7+dfsg-2 (unimportant; bug #760709) NOTE: Not installed into the binary packages CVE-2014-6310 (Buffer overflow in CHICKEN 4.9.0 and 4.9.0.1 may allow remote attacker ...) - chicken (Affects only CHICKEN Scheme on the Android platform) CVE-2014-6270 (Off-by-one error in the snmpHandleUdp function in snmp_core.cc in Squi ...) - squid 4.1-1 (unimportant) NOTE: SNMP was not built in squid 2.x - squid3 3.4.8-1 (low; bug #761002) [wheezy] - squid3 (Minor issue) [squeeze] - squid3 (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=895773 NOTE: Upstream commits: http://bazaar.launchpad.net/~squid/squid/trunk/revision/13574 NOTE: http://bazaar.launchpad.net/~squid/squid/trunk/revision/13582 NOTE: http://www.squid-cache.org/Advisories/SQUID-2014_3.txt CVE-2014-7142 (The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain ...) - squid 4.1-1 [squeeze] - squid (Minor issue) [wheezy] - squid (Minor issue) - squid3 3.4.8-1 (bug #760999) [squeeze] - squid3 (Minor issue) [wheezy] - squid3 (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=891268 NOTE: http://www.squid-cache.org/Advisories/SQUID-2014_4.txt CVE-2014-7141 (The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain ...) - squid 4.1-1 [squeeze] - squid (Minor issue) [wheezy] - squid (Minor issue) - squid3 3.4.8-1 (bug #760999) [squeeze] - squid3 (Minor issue) [wheezy] - squid3 (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=891268 NOTE: http://www.squid-cache.org/Advisories/SQUID-2014_4.txt CVE-2014-6268 (The evtchn_fifo_set_pending function in Xen 4.4.x allows local guest u ...) - xen 4.4.1-3 [wheezy] - xen (Affects only Xen 4.4 onwards) [squeeze] - xen (Affects only Xen 4.4 onwards) CVE-2014-6251 (Stack-based buffer overflow in CPUMiner before 2.4.1 allows remote att ...) NOT-FOR-US: CPUMiner, related to cgminer according to #773624 CVE-2014-6250 RESERVED CVE-2014-6249 RESERVED CVE-2014-6248 RESERVED CVE-2014-6247 RESERVED CVE-2014-6246 RESERVED CVE-2014-6245 RESERVED CVE-2014-6244 RESERVED CVE-2014-6243 (Cross-site scripting (XSS) vulnerability in the EWWW Image Optimizer p ...) NOT-FOR-US: WordPress plugin EWWW Image Optimizer CVE-2014-6242 (Multiple SQL injection vulnerabilities in the All In One WP Security & ...) NOT-FOR-US: WordPress plugin All In One WP Security CVE-2014-6230 (WP-Ban plugin before 1.6.4 for WordPress, when running in certain conf ...) NOT-FOR-US: WordPress plugin WP-Ban CVE-2014-6229 (The HashContext class in hphp/runtime/ext/ext_hash.cpp in Facebook Hip ...) NOT-FOR-US: Facebook HipHop Virtual Machine CVE-2014-6228 (Integer overflow in the string_chunk_split function in hphp/runtime/ba ...) NOT-FOR-US: Facebook HipHop Virtual Machine CVE-2010-5305 (The potential exists for exposure of the product's password used to re ...) NOT-FOR-US: Rockwell CVE-2014-3618 (Heap-based buffer overflow in formisc.c in formail in procmail 3.22 al ...) {DSA-3019-1 DLA-46-1} - procmail 3.22-22 (bug #760443) NOTE: http://www.openwall.com/lists/oss-security/2014/09/03/8 CVE-2014-6241 (SQL injection vulnerability in the wt_directory extension before 1.4.1 ...) NOT-FOR-US: TYPO3 extension wt_directory CVE-2014-6240 (Cross-site scripting (XSS) vulnerability in the Google Sitemap (weeaar ...) NOT-FOR-US: TYPO3 extension weeaar_googlesitemap CVE-2014-6239 (SQL injection vulnerability in the Address visualization with Google M ...) NOT-FOR-US: TYPO3 extension st_address_map CVE-2014-6238 (Cross-site scripting (XSS) vulnerability in the Akronymmanager (aka SB ...) NOT-FOR-US: TYPO3 extension Akronymmanager CVE-2014-6237 (Cross-site scripting (XSS) vulnerability in the News Pack extension 0. ...) NOT-FOR-US: TYPO3 extension News Pack CVE-2014-6236 (Unspecified vulnerability in the LumoNet PHP Include (lumophpinclude) ...) NOT-FOR-US: TYPO3 extension lumophpinclude CVE-2014-6235 (Unspecified vulnerability in the ke DomPDF extension before 0.0.5 for ...) NOT-FOR-US: TYPO3 extension DomPDF CVE-2014-6234 (Cross-site scripting (XSS) vulnerability in the Open Graph protocol (j ...) NOT-FOR-US: TYPO3 extension jh_opengraphprotocol CVE-2014-6233 (SQL injection vulnerability in the Flat Manager (flatmgr) extension be ...) NOT-FOR-US: TYPO3 extension flatmgr CVE-2014-6232 (Unspecified vulnerability in the LDAP (eu_ldap) extension before 2.8.1 ...) NOT-FOR-US: TYPO3 extension eu_ldap CVE-2014-6231 (Unspecified vulnerability in the CWT Frontend Edit (cwt_feedit) extens ...) NOT-FOR-US: TYPO3 extension cwt_feedit NOTE: This is different from the feedit extension in typo3-src. CVE-2014-6227 RESERVED CVE-2014-6226 RESERVED CVE-2014-6225 RESERVED CVE-2014-6224 RESERVED CVE-2014-6223 RESERVED CVE-2014-6222 (Directory traversal vulnerability in IBM Marketing Operations 7.x and ...) NOT-FOR-US: IBM Marketing Operations CVE-2014-6221 (The MSCAPI/MSCNG interface implementation in GSKit in IBM Rational Cle ...) NOT-FOR-US: IBM Rational ClearCase CVE-2014-6220 RESERVED CVE-2014-6219 RESERVED CVE-2014-6218 RESERVED CVE-2014-6217 RESERVED CVE-2014-6216 RESERVED CVE-2014-6215 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 6.1.0 ...) NOT-FOR-US: IBM CVE-2014-6214 (Cross-site request forgery (CSRF) vulnerability in IBM WebSphere Porta ...) NOT-FOR-US: IBM CVE-2014-6213 RESERVED CVE-2014-6212 (The Echo API in IBM Emptoris Contract Management 9.5.x before 9.5.0.6 ...) NOT-FOR-US: IBM CVE-2014-6211 (The command-line scripts in IBM WebSphere Commerce 6.0 through 6.0.0.1 ...) NOT-FOR-US: IBM CVE-2014-6210 (IBM DB2 9.7 through FP10, 9.8 through FP5, 10.1 through FP4, and 10.5 ...) NOT-FOR-US: IBM CVE-2014-6209 (IBM DB2 9.5 through FP10, 9.7 through FP10, 9.8 through FP5, 10.1 thro ...) NOT-FOR-US: IBM CVE-2014-6208 RESERVED CVE-2014-6207 RESERVED CVE-2014-6206 RESERVED CVE-2014-6205 RESERVED CVE-2014-6204 RESERVED CVE-2014-6203 RESERVED CVE-2014-6202 RESERVED CVE-2014-6201 RESERVED CVE-2014-6200 RESERVED CVE-2014-6199 (The HTTP Server Adapter in IBM Sterling B2B Integrator 5.1 and 5.2.x a ...) NOT-FOR-US: IBM CVE-2014-6198 (Cross-site request forgery (CSRF) vulnerability in IBM Security Networ ...) NOT-FOR-US: IBM CVE-2014-6197 (IBM Security Network Protection 5.1.x and 5.2.x before 5.2.0.0 FP5 and ...) NOT-FOR-US: IBM CVE-2014-6196 (Cross-site scripting (XSS) vulnerability in IBM Web Experience Factory ...) NOT-FOR-US: IBM WEF CVE-2014-6195 (The (1) Java GUI and (2) Web GUI components in the IBM Tivoli Storage ...) NOT-FOR-US: IBM Tivoli CVE-2014-6194 (Directory traversal vulnerability in an unspecified web form in IBM Ma ...) NOT-FOR-US: IBM Maximo CVE-2014-6193 (IBM WebSphere Portal 8.0.0 through 8.0.0.1 CF14 and 8.5.0 before CF04, ...) NOT-FOR-US: IBM CVE-2014-6192 (Cross-site scripting (XSS) vulnerability in IBM Curam Social Program M ...) NOT-FOR-US: IBM CVE-2014-6191 (Cross-site scripting (XSS) vulnerability in IBM Curam Social Program M ...) NOT-FOR-US: IBM CVE-2014-6190 (The log viewer in IBM Workload Deployer 3.1 before 3.1.0.7 allows remo ...) NOT-FOR-US: IBM CVE-2014-6189 (Cross-site scripting (XSS) vulnerability in IBM Security Network Prote ...) NOT-FOR-US: IBM CVE-2014-6188 (Multiple cross-site scripting (XSS) vulnerabilities in IBM WebSphere S ...) NOT-FOR-US: IBM CVE-2014-6187 (Multiple cross-site request forgery (CSRF) vulnerabilities in IBM WebS ...) NOT-FOR-US: IBM CVE-2014-6186 (IBM WebSphere Service Registry and Repository (WSRR) 6.3.x before 6.3. ...) NOT-FOR-US: IBM CVE-2014-6185 (dsmtca in the client in IBM Tivoli Storage Manager (TSM) 6.3 before 6. ...) NOT-FOR-US: IBM NOTE: https://www-01.ibm.com/support/docview.wss?uid=swg21695715 CVE-2014-6184 (Stack-based buffer overflow in dsmtca in the client in IBM Tivoli Stor ...) NOT-FOR-US: IBM Tivoli CVE-2014-6183 (IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before ...) NOT-FOR-US: IBM Security Network Protection CVE-2014-6182 (Directory traversal vulnerability in an export function in the Process ...) NOT-FOR-US: IBM CVE-2014-6181 (IBM WebSphere Service Registry and Repository (WSRR) 7.0.x before 7.0. ...) NOT-FOR-US: IBM CVE-2014-6180 (Cross-site scripting (XSS) vulnerability in the Web UI in IBM WebSpher ...) NOT-FOR-US: IBM CVE-2014-6179 (Cross-site scripting (XSS) vulnerability in the Web UI in IBM WebSpher ...) NOT-FOR-US: IBM CVE-2014-6178 (Cross-site scripting (XSS) vulnerability in the widgets in IBM WebSphe ...) NOT-FOR-US: IBM CVE-2014-6177 (IBM WebSphere Service Registry and Repository (WSRR) 7.0.x before 7.0. ...) NOT-FOR-US: IBM CVE-2014-6176 (IBM WebSphere Process Server 7.0, WebSphere Enterprise Service Bus 7.0 ...) NOT-FOR-US: IBM CVE-2014-6175 (Cross-site scripting (XSS) vulnerability in IBM Marketing Operations 7 ...) NOT-FOR-US: IBM Marketing Operations CVE-2014-6174 (IBM WebSphere Application Server 7.x before 7.0.0.37, 8.0.x before 8.0 ...) NOT-FOR-US: IBM CVE-2014-6173 (Cross-site scripting (XSS) vulnerability in the Process Inspector in I ...) NOT-FOR-US: IBM CVE-2014-6172 (IBM API Management 3.0 before 3.0.4.0 IF1 allows remote attackers to o ...) NOT-FOR-US: IBM CVE-2014-6171 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 6.1.0 ...) NOT-FOR-US: IBM CVE-2014-6170 (The HTTPInput node in IBM WebSphere Message Broker 7.0 before 7.0.0.8 ...) NOT-FOR-US: IBM CVE-2014-6169 (Cross-site scripting (XSS) vulnerability in IBM Forms Experience Build ...) NOT-FOR-US: IBM Forms Experience Builder CVE-2014-6168 (Cross-site request forgery (CSRF) vulnerability in IBM Security Identi ...) NOT-FOR-US: IBM CVE-2014-6167 (Cross-site scripting (XSS) vulnerability in the URL rewriting feature ...) NOT-FOR-US: IBM CVE-2014-6166 (The Communications Enabled Applications (CEA) service in IBM WebSphere ...) NOT-FOR-US: IBM CVE-2014-6165 RESERVED CVE-2014-6164 (IBM WebSphere Application Server 8.0.x before 8.0.0.10 and 8.5.x befor ...) NOT-FOR-US: IBM CVE-2014-6163 (Cross-site scripting (XSS) vulnerability on the IBM WebSphere DataPowe ...) NOT-FOR-US: IBM CVE-2014-6162 RESERVED CVE-2014-6161 (Cross-site scripting (XSS) vulnerability in IBM Tivoli Netcool/Impact ...) NOT-FOR-US: IBM CVE-2014-6160 (IBM WebSphere Service Registry and Repository (WSRR) 8.5 before 8.5.0. ...) NOT-FOR-US: IBM CVE-2014-6159 (IBM DB2 9.7 before FP10, 9.8 through FP5, 10.1 through FT4, and 10.5 t ...) NOT-FOR-US: IBM CVE-2014-6158 (Multiple directory traversal vulnerabilities in the file-upload featur ...) NOT-FOR-US: IBM CVE-2014-6157 RESERVED CVE-2014-6156 RESERVED CVE-2014-6155 (Multiple directory traversal vulnerabilities in the ServiceRegistry UI ...) NOT-FOR-US: IBM CVE-2014-6154 (Directory traversal vulnerability in IBM Optim Performance Manager for ...) NOT-FOR-US: IBM Optim CVE-2014-6153 (The Web UI in IBM WebSphere Service Registry and Repository (WSRR) 6.3 ...) NOT-FOR-US: IBM CVE-2014-6152 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Tivoli Inte ...) NOT-FOR-US: IBM Tivoli CVE-2014-6151 (CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2 ...) NOT-FOR-US: IBM Tivoli CVE-2014-6150 (Cross-site scripting (XSS) vulnerability in IBM Tivoli Application Dep ...) NOT-FOR-US: IBM Tivoli TADDM CVE-2014-6149 (Directory traversal vulnerability in BIRT-viewer in IBM Tivoli Applica ...) NOT-FOR-US: IBM Tivoli TADDM CVE-2014-6148 (IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.2.0.0 th ...) NOT-FOR-US: IBM Tivoli TADDM CVE-2014-6147 (IBM Flex System Manager (FSM) 1.1.x.x, 1.2.0.x, 1.2.1.x, 1.3.0.0, 1.3. ...) NOT-FOR-US: IBM FSM CVE-2014-6146 (IBM Sterling B2B Integrator 5.2.x through 5.2.4, when the Connect:Dire ...) NOT-FOR-US: IBM CVE-2014-6145 (Cross-site scripting (XSS) vulnerability in the server in IBM Cognos B ...) NOT-FOR-US: IBM CVE-2014-6144 (Cross-site scripting (XSS) vulnerability in IBM Rational Quality Manag ...) NOT-FOR-US: IBM CVE-2014-6143 (The IBM WebSphere DataPower XC10 appliance 2.1 and 2.5 before FP4 allo ...) NOT-FOR-US: IBM CVE-2014-6142 RESERVED CVE-2014-6141 (IBM Tivoli Monitoring (ITM) 6.2.0 through FP03, 6.2.1 through FP04, 6. ...) NOT-FOR-US: IBM CVE-2014-6140 (IBM Tivoli Endpoint Manager Mobile Device Management (MDM) before 9.0. ...) NOT-FOR-US: IBM Endpoint Manager Mobile Device Management Components CVE-2014-6139 (The Search REST API in IBM Business Process Manager 8.0.1.3, 8.5.0.1, ...) NOT-FOR-US: IBM BPM CVE-2014-6138 (The IBM WebSphere DataPower XC10 appliance 2.1 and 2.5 before FP4 allo ...) NOT-FOR-US: IBM CVE-2014-6137 (Cross-site scripting (XSS) vulnerability in the Relay Diagnostic page ...) NOT-FOR-US: IBM Endpoint Manager CVE-2014-6136 (IBM Security AppScan Standard 8.x and 9.x before 9.0.1.1 FP1 supports ...) NOT-FOR-US: IBM CVE-2014-6135 (IBM Security AppScan Enterprise 8.5 before 8.5 IFix 002, 8.6 before 8. ...) NOT-FOR-US: IBM CVE-2014-6134 (IBM Rational ClearCase 8.0.0 before 8.0.0.14 and 8.0.1 before 8.0.1.7, ...) NOT-FOR-US: IBM CVE-2014-6133 (IBM API Management 3.x before 3.0.1.0 allows local users to obtain sen ...) NOT-FOR-US: IBM API Management CVE-2014-6132 (Cross-site scripting (XSS) vulnerability in the Web UI in IBM WebSpher ...) NOT-FOR-US: IBM CVE-2014-6131 (IBM Rational Jazz Team Server (JTS), as used in Rational Collaborative ...) NOT-FOR-US: IBM CVE-2014-6130 (The IBM Notes Traveler application before 9.0.1.3 for Android lacks a ...) NOT-FOR-US: IBM Notes Traveler application for Android CVE-2014-6129 (IBM Rational Jazz Team Server (JTS), as used in Rational Collaborative ...) NOT-FOR-US: IBM CVE-2014-6128 RESERVED CVE-2014-6127 RESERVED CVE-2014-6126 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.5.0 ...) NOT-FOR-US: IBM WebSphere Portal CVE-2014-6125 (Cross-site request forgery (CSRF) vulnerability in IBM WebSphere Porta ...) NOT-FOR-US: IBM WebSphere Portal CVE-2014-6124 RESERVED CVE-2014-6123 (IBM Rational AppScan Source 8.0 through 8.0.0.2 and 8.5 through 8.5.0. ...) NOT-FOR-US: IBM CVE-2014-6122 (IBM Security AppScan Enterprise 8.5 before 8.5 IFix 002, 8.6 before 8. ...) NOT-FOR-US: IBM CVE-2014-6121 (Cross-site scripting (XSS) vulnerability in IBM Security AppScan Enter ...) NOT-FOR-US: IBM CVE-2014-6120 (IBM Rational AppScan Source 8.0 through 8.0.0.2 and 8.5 through 8.5.0. ...) NOT-FOR-US: IBM Rational AppScan Source CVE-2014-6119 (IBM Security AppScan Enterprise 8.5 before 8.5 IFix 002, 8.6 before 8. ...) NOT-FOR-US: IBM CVE-2014-6118 RESERVED CVE-2014-6117 RESERVED CVE-2014-6116 (The Telemetry Component in WebSphere MQ 8.0.0.1 before p000-001-L14091 ...) NOT-FOR-US: IBM WebSphere CVE-2014-6115 (IBM Rational Insight 1.1.1.5 allows remote attackers to bypass authent ...) NOT-FOR-US: IBM Rational Insight CVE-2014-6114 (The Hosted Transparent Decision Service in the Rule Execution Server i ...) NOT-FOR-US: IBM WebSphere CVE-2014-6113 (Cross-site scripting (XSS) vulnerability in the Web Reports component ...) NOT-FOR-US: IBM Tivoli CVE-2014-6112 (IBM Tivoli Identity Manager 5.1.x before 5.1.0.15-ISS-TIM-IF0057 and S ...) NOT-FOR-US: IBM CVE-2014-6111 (IBM Tivoli Identity Manager 5.1.x before 5.1.0.15-ISS-TIM-IF0057 and S ...) NOT-FOR-US: IBM CVE-2014-6110 (IBM Security Identity Manager 6.x before 6.0.0.3 IF14 does not properl ...) NOT-FOR-US: IBM CVE-2014-6109 (IBM Tivoli Identity Manager 5.1.x before 5.1.0.15-ISS-TIM-IF0057 and S ...) NOT-FOR-US: IBM CVE-2014-6108 (IBM Tivoli Identity Manager 5.1.x before 5.1.0.15-ISS-TIM-IF0057 and S ...) NOT-FOR-US: IBM CVE-2014-6107 (IBM Security Identity Manager 6.x before 6.0.0.3 IF14 allows remote at ...) NOT-FOR-US: IBM CVE-2014-6106 (Cross-site request forgery (CSRF) vulnerability in IBM Security Identi ...) NOT-FOR-US: IBM CVE-2014-6105 (IBM Security Identity Manager 6.x before 6.0.0.3 IF14 allows remote at ...) NOT-FOR-US: IBM CVE-2014-6104 RESERVED CVE-2014-6103 RESERVED CVE-2014-6102 (IBM Maximo Asset Management 7.1 through 7.1.1.13 and 7.5.0 before 7.5. ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2014-6101 (Cross-site scripting (XSS) vulnerability in the redirect-login feature ...) NOT-FOR-US: IBM Business Process Manager CVE-2014-6100 (Cross-site scripting (XSS) vulnerability in the Admin UI in IBM Tivoli ...) NOT-FOR-US: IBM Tivoli Directory Server CVE-2014-6099 (The Change Password feature in IBM Sterling B2B Integrator 5.2.x throu ...) NOT-FOR-US: IBM Sterling CVE-2014-6098 (IBM Security Identity Manager 6.x before 6.0.0.3 IF14 allows remote at ...) NOT-FOR-US: IBM CVE-2014-6097 (IBM DB2 9.7 before FP10 and 9.8 through FP5 on Linux, UNIX, and Window ...) NOT-FOR-US: IBM CVE-2014-6096 (Cross-site scripting (XSS) vulnerability in IBM Security Identity Mana ...) NOT-FOR-US: IBM CVE-2014-6095 (Directory traversal vulnerability in IBM Security Identity Manager 6.x ...) NOT-FOR-US: IBM CVE-2014-6094 RESERVED CVE-2014-6093 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 7.0.x ...) NOT-FOR-US: IBM WebSphere CVE-2014-6092 (IBM Curam Social Program Management (SPM) 5.2 before SP6 EP6, 6.0 SP2 ...) NOT-FOR-US: IBM Curam Social Program Management CVE-2014-6091 (Cross-site scripting (XSS) vulnerability in IBM Curam Social Program M ...) NOT-FOR-US: IBM Curam Social Program Management CVE-2014-6090 (Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) ...) NOT-FOR-US: IBM Curam Social Program Management CVE-2014-6089 (IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security A ...) NOT-FOR-US: IBM CVE-2014-6088 (IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security A ...) NOT-FOR-US: IBM CVE-2014-6087 (IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security A ...) NOT-FOR-US: IBM CVE-2014-6086 (IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security A ...) NOT-FOR-US: IBM CVE-2014-6085 RESERVED CVE-2014-6084 (IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security A ...) NOT-FOR-US: IBM CVE-2014-6083 (IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security A ...) NOT-FOR-US: IBM CVE-2014-6082 (IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security A ...) NOT-FOR-US: IBM CVE-2014-6081 RESERVED CVE-2014-6080 (SQL injection vulnerability in IBM Security Access Manager for Mobile ...) NOT-FOR-US: IBM CVE-2014-6079 (Cross-site scripting (XSS) vulnerability in the Local Management Inter ...) NOT-FOR-US: IBM Security Access Manager CVE-2014-6078 (IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security A ...) NOT-FOR-US: IBM CVE-2014-6077 (Cross-site request forgery (CSRF) vulnerability in IBM Security Access ...) NOT-FOR-US: IBM CVE-2014-6076 (IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security A ...) NOT-FOR-US: IBM CVE-2014-6075 (IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2014-6074 (IBM UrbanCode Deploy 6.1.0.2 before IF1 allows remote authenticated us ...) NOT-FOR-US: IBM UrbanCode Deploy CVE-2014-6073 RESERVED CVE-2014-6072 RESERVED CVE-2014-6071 (jQuery 1.4.2 allows remote attackers to conduct cross-site scripting ( ...) - jquery 1.6.1-1 [squeeze] - jquery (Only exploitable when following anti-patterns) NOTE: see https://bugzilla.redhat.com/show_bug.cgi?id=1136683#c2 CVE-2014-6069 RESERVED CVE-2014-6068 RESERVED CVE-2014-6067 RESERVED CVE-2014-6066 RESERVED CVE-2014-6065 RESERVED CVE-2014-6064 (The Accounts tab in the administrative user interface in McAfee Web Ga ...) NOT-FOR-US: McAfee Web Gateway CVE-2014-6063 RESERVED CVE-2014-6062 RESERVED CVE-2014-6061 RESERVED CVE-2014-6059 (WordPress Advanced Access Manager Plugin before 2.8.2 has an Arbitrary ...) NOT-FOR-US: WordPress Advanced Access Manager Plugin CVE-2014-6058 RESERVED CVE-2014-6057 RESERVED CVE-2014-6056 RESERVED CVE-2014-6055 (Multiple stack-based buffer overflows in the File Transfer feature in ...) {DSA-3081-1 DLA-1979-1 DLA-197-1} - libvncserver 0.9.9+dfsg-6.1 (bug #762745) - italc 1:3.0.1+dfsg1-1 NOTE: https://github.com/newsoft/libvncserver/commit/06ccdf016154fde8eccb5355613ba04c59127b2e NOTE: https://github.com/newsoft/libvncserver/commit/f528072216dec01cee7ca35d94e171a3b909e677 NOTE: https://github.com/newsoft/libvncserver/commit/256964b884c980038cd8b2f0d180fbb295b1c748 (improvement) NOTE: check for possible ABI break: https://bugzilla.redhat.com/show_bug.cgi?id=1144293#c2 CVE-2014-6054 (The rfbProcessClientNormalMessage function in libvncserver/rfbserver.c ...) {DSA-3081-1 DLA-1979-1 DLA-197-1} - libvncserver 0.9.9+dfsg-6.1 (bug #762745) - italc 1:3.0.1+dfsg1-1 NOTE: https://github.com/newsoft/libvncserver/commit/05a9bd41a8ec0a9d580a8f420f41718bdd235446 NOTE: https://github.com/newsoft/libvncserver/commit/f18f24ce65f5cac22ddcf3ed51417e477f9bad09 (hardening) NOTE: https://github.com/newsoft/libvncserver/commit/5dee1cbcd83920370a487c4fd2718aa4d3eba548 (required for sparc) NOTE: https://github.com/newsoft/libvncserver/commit/819481c5e2003cd36d002336c248de8c75de362e (hardening) NOTE: https://github.com/newsoft/libvncserver/commit/e5d9b6a07257c12bf3b6242ddea79ea1c95353a8 (hardening) CVE-2014-6053 (The rfbProcessClientNormalMessage function in libvncserver/rfbserver.c ...) {DSA-3081-1 DLA-2045-1 DLA-2014-1 DLA-1979-1 DLA-197-1} - libvncserver 0.9.9+dfsg-6.1 (bug #762745) - italc 1:3.0.1+dfsg1-1 - tightvnc 1:1.3.9-9.1 [buster] - tightvnc 1:1.3.9-9deb10u1 [stretch] - tightvnc 1:1.3.9-9+deb9u1 - vino 3.22.0-6 (bug #945784) [buster] - vino (Minor issue) [stretch] - vino (Minor issue) NOTE: https://github.com/newsoft/libvncserver/commit/6037a9074d52b1963c97cb28ea1096c7c14cbf28 CVE-2014-6052 (The HandleRFBServerMessage function in libvncclient/rfbproto.c in LibV ...) {DSA-3081-1 DLA-1979-1 DLA-197-1} - libvncserver 0.9.9+dfsg-6.1 (bug #762745) - italc 1:3.0.1+dfsg1-1 - veyon 4.1.4+repack1-1 NOTE: https://github.com/newsoft/libvncserver/commit/85a778c0e45e87e35ee7199f1f25020648e8b812 CVE-2014-6051 (Integer overflow in the MallocFrameBuffer function in vncviewer.c in L ...) {DSA-3081-1 DLA-1979-1 DLA-197-1} - libvncserver 0.9.9+dfsg-6.1 (bug #762745) - italc 1:3.0.1+dfsg1-1 - veyon 4.1.4+repack1-1 NOTE: https://github.com/newsoft/libvncserver/commit/045a044e8ae79db9244593fbce154cdf6e843273 CVE-2014-6050 (phpMyFAQ before 2.8.13 allows remote attackers to bypass the CAPTCHA p ...) NOT-FOR-US: phpMyFAQ CVE-2014-6049 (phpMyFAQ before 2.8.13 allows remote authenticated users with admin pr ...) NOT-FOR-US: phpMyFAQ CVE-2014-6048 (phpMyFAQ before 2.8.13 allows remote attackers to read arbitrary attac ...) NOT-FOR-US: phpMyFAQ CVE-2014-6047 (phpMyFAQ before 2.8.13 allows remote authenticated users with certain ...) NOT-FOR-US: phpMyFAQ CVE-2014-6046 (Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyFAQ ...) NOT-FOR-US: phpMyFAQ CVE-2014-6045 (SQL injection vulnerability in phpMyFAQ before 2.8.13 allows remote au ...) NOT-FOR-US: phpMyFAQ CVE-2014-6044 RESERVED CVE-2014-6043 (ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 ...) NOT-FOR-US: ZOHO ManageEngine EventLog Analyzer CVE-2014-6042 RESERVED CVE-2014-6041 (The Android WebView in Android before 4.4 allows remote attackers to b ...) NOT-FOR-US: Android Browser application CVE-2014-6039 (ManageEngine EventLog Analyzer version 7 through 9.9 build 9002 has a ...) NOT-FOR-US: ManageEngine EventLog Analyzer CVE-2014-6038 (Zoho ManageEngine EventLog Analyzer versions 7 through 9.9 build 9002 ...) NOT-FOR-US: ManageEngine EventLog Analyzer CVE-2014-6037 (Directory traversal vulnerability in the agentUpload servlet in ZOHO M ...) NOT-FOR-US: ZOHO ManageEngine EventLog Analyzer CVE-2014-6036 (Directory traversal vulnerability in the multipartRequest servlet in Z ...) NOT-FOR-US: ZOHO CVE-2014-6035 (Directory traversal vulnerability in the FileCollector servlet in ZOHO ...) NOT-FOR-US: ZOHO CVE-2014-6034 (Directory traversal vulnerability in the com.me.opmanager.extranet.rem ...) NOT-FOR-US: ZOHO CVE-2014-6033 REJECTED CVE-2014-6032 (Multiple XML External Entity (XXE) vulnerabilities in the Configuratio ...) NOT-FOR-US: F5 Networks Big-IP CVE-2014-6031 (Buffer overflow in the mcpq daemon in F5 BIG-IP systems 10.x before 10 ...) NOT-FOR-US: F5 BIG-IP systems CVE-2014-6030 (Multiple SQL injection vulnerabilities in ClassApps SelectSurvey.NET b ...) NOT-FOR-US: ClassApps SelectSurvey.NET CVE-2014-6026 RESERVED CVE-2014-6025 (The Chartboost library before 2.0.2 for Android does not verify X.509 ...) NOT-FOR-US: Chartboost library for Android CVE-2014-6024 (The Flurry library before 3.4.0 for Android does not verify X.509 cert ...) NOT-FOR-US: Flurry library for Android CVE-2014-6023 (The s-peek credit rating report (aka com.rhomobile.speek) application ...) NOT-FOR-US: s-peek credit rating report (aka com.rhomobile.speek) application for Android CVE-2014-6022 (The Versent Books (aka com.versentbooks) application 1.1.99 for Androi ...) NOT-FOR-US: Versent Books (aka com.versentbooks) application for Android CVE-2014-6021 (The Harley-Davidson Visa (aka com.usbank.icsmobile.harleydavidson) app ...) NOT-FOR-US: Harley-Davidson Visa (aka com.usbank.icsmobile.harleydavidson) application for Android CVE-2014-6020 (The Fuel Rewards Network (aka com.excentus.frn) application 1 for Andr ...) NOT-FOR-US: Fuel Rewards Network (aka com.excentus.frn) application for Android CVE-2014-6019 (The psychology (aka com.alek.psychology) application 1.0.2 for Android ...) NOT-FOR-US: psychology (aka com.alek.psychology) application for Android CVE-2014-6018 (The global beauty research (aka com.appems.topgirl) application 1.6 fo ...) NOT-FOR-US: global beauty research (aka com.appems.topgirl) application for Android CVE-2014-6017 (The Doodle Drop (aka net.lazyer.DoodleDrop) application 1 for Android ...) NOT-FOR-US: Doodle Drop (aka net.lazyer.DoodleDrop) application for Android CVE-2014-6016 (The Celluloid (aka com.eurisko.celluloid) application 1.3 for Android ...) NOT-FOR-US: Celluloid (aka com.eurisko.celluloid) application for Android CVE-2014-6015 (The TuCarro (aka com.tucarro) application 2.0.5 for Android does not v ...) NOT-FOR-US: TuCarro (aka com.tucarro) application for Android CVE-2014-6014 (The Conquest Of Fantasia (aka air.com.ingen.studios.cof.sg) applicatio ...) NOT-FOR-US: Conquest Of Fantasia (aka air.com.ingen.studios.cof.sg) application for Android CVE-2014-6013 (The nuSquare (aka tw.com.nuphoto.nusquare) application 1.0.78 for Andr ...) NOT-FOR-US: nuSquare (aka tw.com.nuphoto.nusquare) application for Android CVE-2014-6012 (The Gravity Bounce (aka net.toddm.gb) application 1.1 for Android does ...) NOT-FOR-US: Gravity Bounce (aka net.toddm.gb) application for Android CVE-2014-6011 (The cutprice (aka kr.co.wedoit.cutprice) application 1.0.4 for Android ...) NOT-FOR-US: cutprice (aka kr.co.wedoit.cutprice) application for Android CVE-2014-6010 (The Rasta Weed Widgets HD (aka aw.awesomewidgets.rastaweed) applicatio ...) NOT-FOR-US: Rasta Weed Widgets HD (aka aw.awesomewidgets.rastaweed) application for Android CVE-2014-6009 (The Zombie Detector (aka com.jimmybolstad.zombiedetector) application ...) NOT-FOR-US: Zombie Detector (aka com.jimmybolstad.zombiedetector) application for Android CVE-2014-6008 (The Blitz Bingo (aka com.appMobi.sbbingo.app) application 2.3 for Andr ...) NOT-FOR-US: Blitz Bingo (aka com.appMobi.sbbingo.app) application for Android CVE-2014-6007 (The LikeHero Get Instagram Likes (aka com.fraoula.likehero) applicatio ...) NOT-FOR-US: LikeHero Get Instagram Likes (aka com.fraoula.likehero) application for Android CVE-2014-6006 (The Gratta & Vinci? (aka com.dreamstep.wGrattaevinci) application ...) NOT-FOR-US: Gratta & Vinci? (aka com.dreamstep.wGrattaevinci) application for Android CVE-2014-6005 (The Survey.com Mobile (aka com.survey.android) application 3.2.16 for ...) NOT-FOR-US: Survey.com Mobile (aka com.survey.android) application for Android CVE-2014-6004 (The Pocket Cam Photo Editor (aka mobi.pocketcam.editor) application 3 ...) NOT-FOR-US: Pocket Cam Photo Editor (aka mobi.pocketcam.editor) application for Android CVE-2014-6003 (The Belas Frases de Amor (aka com.goodbarber.frasesdeamor) application ...) NOT-FOR-US: Belas Frases de Amor (aka com.goodbarber.frasesdeamor) application for Android CVE-2014-6002 (The DTE Energy (aka com.dteenergy.mydte) application 3.0.3 for Android ...) NOT-FOR-US: DTE Energy (aka com.dteenergy.mydte) application for Android CVE-2014-6001 (The gewara (aka com.gewara) application 5.2.3 for Android does not ver ...) NOT-FOR-US: gewara (aka com.gewara) application for Android CVE-2014-6000 (The FreshDirect (aka com.freshdirect.android) application 2.7.1 for An ...) NOT-FOR-US: FreshDirect (aka com.freshdirect.android) application for Android CVE-2014-5999 (The autonavi (aka com.telenav.doudouyou.android.autonavi) application ...) NOT-FOR-US: autonavi (aka com.telenav.doudouyou.android.autonavi) application for Android CVE-2014-5998 (The SkyDrive Assistant (aka com.dhh.sky) application 2.1 for Android d ...) NOT-FOR-US: SkyDrive Assistant (aka com.dhh.sky) application for Android CVE-2014-5997 (The Auto Trader (aka za.co.autotrader.android.app) application 2 for A ...) NOT-FOR-US: Auto Trader (aka za.co.autotrader.android.app) application for Android CVE-2014-5996 (The DEKRA Used Car Report (aka com.dekra.maengelreport) application 3. ...) NOT-FOR-US: DEKRA Used Car Report (aka com.dekra.maengelreport) application for Android CVE-2014-5995 (The eWUS mobile (aka pl.dreryk.ewustest) application 1.4.5 for Android ...) NOT-FOR-US: eWUS mobile (aka pl.dreryk.ewustest) application for Android CVE-2014-5994 (The ding* ezetop. Top-up Any Phone (aka com.ezetop.world) application ...) NOT-FOR-US: ding* ezetop. Top-up Any Phone (aka com.ezetop.world) application for Android CVE-2014-5993 (The MLB Preplay (aka com.preplay.android.mlb) application 5.4.2 for An ...) NOT-FOR-US: MLB Preplay (aka com.preplay.android.mlb) application for Android CVE-2014-5992 (The successsecrets (aka com.alek.successsecrets) application 1.2.3 for ...) NOT-FOR-US: successsecrets (aka com.alek.successsecrets) application for Android CVE-2014-5991 (The Skin Conditions and Diseases (aka com.appsgeyser.wSkinConditions) ...) NOT-FOR-US: Skin Conditions and Diseases (aka com.appsgeyser.wSkinConditions) application for Android CVE-2014-5990 (The cookbible (aka net.bookjam.cookbible) application 1.0.0 for Androi ...) NOT-FOR-US: cookbible (aka net.bookjam.cookbible) application for Android CVE-2014-5989 (The baby days (aka jp.co.cyberagent.babydays) application 1.5.8 for An ...) NOT-FOR-US: baby days (aka jp.co.cyberagent.babydays) application for Android CVE-2014-5988 (The Azkend Gold (aka com.the10tons.azkend.gold) application 1.2.6 for ...) NOT-FOR-US: Azkend Gold (aka com.the10tons.azkend.gold) application for Android CVE-2014-5987 (The My3 - by 3HK (aka com.my3) application @7F0A0001 for Android does ...) NOT-FOR-US: My3 - by 3HK (aka com.my3) application for Android CVE-2014-5986 (The Educational Puzzles - Letters (aka com.EducationalPuzzlesLetters) ...) NOT-FOR-US: Educational Puzzles - Letters (aka com.EducationalPuzzlesLetters) application for Android CVE-2014-5985 (The Animal Kaiser Zangetsu (aka com.wAnimalKaiserZangetsu) application ...) NOT-FOR-US: Animal Kaiser Zangetsu (aka com.wAnimalKaiserZangetsu) application for Android CVE-2014-5984 (The Little Dragons (aka com.playcomo.dragongame) application 1.0.256 f ...) NOT-FOR-US: Little Dragons (aka com.playcomo.dragongame) application for Android CVE-2014-5983 (The Threadflip : Buy, Sell Fashion (aka com.threadflip.android) applic ...) NOT-FOR-US: Threadflip : Buy, Sell Fashion (aka com.threadflip.android) application for Android CVE-2014-5982 (The RunKeeper - GPS Track Run Walk (aka com.fitnesskeeper.runkeeper.pr ...) NOT-FOR-US: RunKeeper - GPS Track Run Walk (aka com.fitnesskeeper.runkeeper.pro) application for Android CVE-2014-5981 (The MoWeather (aka com.moji.moweather) application 1.40.05 for Android ...) NOT-FOR-US: MoWeather (aka com.moji.moweather) application for Android CVE-2014-5980 (The Genertel (aka com.genertel) application 2.6.0 for Android does not ...) NOT-FOR-US: Genertel (aka com.genertel) application for Android CVE-2014-5979 (The TV Bengali Open Directory (aka com.TVBengali) application 1.4 for ...) NOT-FOR-US: TV Bengali Open Directory (aka com.TVBengali) application for Android CVE-2014-5978 (The memetan (aka memetan.android.com.activity) application 1.1.0 for A ...) NOT-FOR-US: memetan (aka memetan.android.com.activity) application for Android CVE-2014-5977 (The Mobile Face (aka com.wFacemobile) application 0.74.13432.91159 for ...) NOT-FOR-US: Mobile Face (aka com.wFacemobile) application for Android CVE-2014-5976 (The alibaba (aka com.alibaba.wireless) application 4.1.0.0 for Android ...) NOT-FOR-US: alibaba (aka com.alibaba.wireless) application for Android CVE-2014-5975 (The eponyms (aka com.anddeveloper.eponyms) application 3.2 for Android ...) NOT-FOR-US: eponyms (aka com.anddeveloper.eponyms) application for Android CVE-2014-5974 (The PSECU Mobile+ (aka com.Vertifi.Mobile.P231381116) application 2.2 ...) NOT-FOR-US: PSECU Mobile+ (aka com.Vertifi.Mobile.P231381116) application for Android CVE-2014-5973 (The Aquarium Advice (aka com.socialknowledge.aquariumadvice) applicati ...) NOT-FOR-US: Aquarium Advice (aka com.socialknowledge.aquariumadvice) application for Android CVE-2014-5972 (The Loving - Couple Essential (aka com.xiaoenai.app) application 4.0.1 ...) NOT-FOR-US: Loving - Couple Essential (aka com.xiaoenai.app) application for Android CVE-2014-5971 (The Fiksu library for Android does not verify X.509 certificates from ...) NOT-FOR-US: Fiksu library for Android CVE-2014-5970 (The BabyBus (aka com.sinyee.babybus.concert.ru) application 3.91 for A ...) NOT-FOR-US: BabyBus (aka com.sinyee.babybus.concert.ru) application for Android CVE-2014-5969 (The healthylifestyle (aka com.alek.healthylifestyle) application 1.2.2 ...) NOT-FOR-US: healthylifestyle (aka com.alek.healthylifestyle) application for Android CVE-2014-5968 (The iGolf - Golf GPS (aka com.igolf) application 20 for Android does n ...) NOT-FOR-US: iGolf - Golf GPS (aka com.igolf) application for Android CVE-2014-5967 (The Designs Nail Arts (aka com.decoracionesnailart.flickr) application ...) NOT-FOR-US: Designs Nail Arts (aka com.decoracionesnailart.flickr) application for Android CVE-2014-5966 (The Dreamland Super Theme GO Gold (aka com.gau.go.launcherex.viptheme. ...) NOT-FOR-US: Designs Nail Arts (aka com.decoracionesnailart.flickr) application for Android CVE-2014-5965 (The GrooveMusic (aka com.mobincube.android.sc_2HKFF) application 2.0.0 ...) NOT-FOR-US: GrooveMusic (aka com.mobincube.android.sc_2HKFF) application for Android CVE-2014-5964 (The MegaBank (aka com.megabank.mobilebank) application 2.0 for Android ...) NOT-FOR-US: MegaBank (aka com.megabank.mobilebank) application for Android CVE-2014-5963 (The Halieutics (aka com.corn.Halieutics) application 21.40.5 for Andro ...) NOT-FOR-US: Halieutics (aka com.corn.Halieutics) application for Android CVE-2014-5962 (The Guess The Actor (aka com.gamelikeinc.actors) application 1.1 for A ...) NOT-FOR-US: Guess The Actor (aka com.gamelikeinc.actors) application for Android CVE-2014-5961 (The russiananime (aka com.rareartifact.russiananime68A5CCFE) applicati ...) NOT-FOR-US: russiananime (aka com.rareartifact.russiananime68A5CCFE) application for Android CVE-2014-5960 (The BundesArztsuche (aka de.kbv.bas) application 1.0.1 for Android doe ...) NOT-FOR-US: BundesArztsuche (aka de.kbv.bas) application for Android CVE-2014-5959 (The tx Smart (aka com.wooriwm.txsmart) application 7.05 for Android do ...) NOT-FOR-US: tx Smart (aka com.wooriwm.txsmart) application for Android CVE-2014-5958 (The ChatBox - Chat Rooms (aka com.droidchatroom.messengerapp) applicat ...) NOT-FOR-US: ChatBox - Chat Rooms (aka com.droidchatroom.messengerapp) application for Android CVE-2014-5957 (The Alien War Survivors (aka com.ly.a13.gp) application 1.3.1 for Andr ...) NOT-FOR-US: Alien War Survivors (aka com.ly.a13.gp) application for Android CVE-2014-5956 (The VPlayer Video Player (aka me.abitno.vplayer.t) application 3.2.6 f ...) NOT-FOR-US: VPlayer Video Player (aka me.abitno.vplayer.t) application for Android CVE-2014-5955 (The Atomic Fusion (aka com.bytesized.fusion) application 1.7 for Andro ...) NOT-FOR-US: Atomic Fusion (aka com.bytesized.fusion) application for Android CVE-2014-5954 (The State Bank Anywhere (aka com.sbi.SBIFreedomPlus) application 2.0.1 ...) NOT-FOR-US: State Bank Anywhere (aka com.sbi.SBIFreedomPlus) application for Android CVE-2014-5953 (The KASKUS (aka com.kaskus.android) application 2.13.0 for Android doe ...) NOT-FOR-US: KASKUS (aka com.kaskus.android) application for Android CVE-2014-5952 (The E-Dziennik (aka com.librus.dziennik) application 0.5.2 for Android ...) NOT-FOR-US: E-Dziennik (aka com.librus.dziennik) application for Android CVE-2014-5951 (The SinoPac (aka com.sionpac.app.SinoPac) application 2.4.2 for Androi ...) NOT-FOR-US: SinoPac (aka com.sionpac.app.SinoPac) application for Android CVE-2014-5950 (The NOW (aka com.smtown.smtownnow.androidapp) application 0.9.8 for An ...) NOT-FOR-US: NOW (aka com.smtown.smtownnow.androidapp) application for Android CVE-2014-5949 (The TICKET APP - Concerts & Sports (aka com.xcr.android.ticketapp) ...) NOT-FOR-US: TICKET APP - Concerts & Sports (aka com.xcr.android.ticketapp) application for Android CVE-2014-5948 (The Obama for America (aka com.barackobama.ofa) application 1.02 for A ...) NOT-FOR-US: Obama for America (aka com.barackobama.ofa) application for Android CVE-2014-5947 (The psicofxp (aka com.tapatalk.psicofxpcom) application 2.4.12.15 for ...) NOT-FOR-US: psicofxp (aka com.tapatalk.psicofxpcom) application for Android CVE-2014-5946 (The forumhawaaworldcom (aka com.tapatalk.forumhawaaworldcom) applicati ...) NOT-FOR-US: forumhawaaworldcom (aka com.tapatalk.forumhawaaworldcom) application for Android CVE-2014-5945 (The Edline Mobile (aka com.wEdlineFree) application 0.63.13369.34294 f ...) NOT-FOR-US: Edline Mobile (aka com.wEdlineFree) application for Android CVE-2014-5944 (The Soccer Blitz (aka soccer.blitz) application 1.06 for Android does ...) NOT-FOR-US: Soccer Blitz (aka soccer.blitz) application for Android CVE-2014-5943 (The LabMSF Antivirus beta (aka com.ReSync.RNGN) 1.0.2 application Beta ...) NOT-FOR-US: LabMSF Antivirus beta (aka com.ReSync.RNGN) 1.0.2 application for Android CVE-2014-5942 (The Baby Stomach Surgery (aka com.harriskerioe.stomachsurgery) applica ...) NOT-FOR-US: Baby Stomach Surgery (aka com.harriskerioe.stomachsurgery) application for Android CVE-2014-5941 (The Armpit Spa & Girl Games (aka com.freegames.spamakeover) applic ...) NOT-FOR-US: Armpit Spa & Girl Games (aka com.freegames.spamakeover) application for Android CVE-2014-5940 (The PocketPC.ch (aka com.tapatalk.pocketpcch) application 3.9.51 for A ...) NOT-FOR-US: PocketPC.ch (aka com.tapatalk.pocketpcch) application for Android CVE-2014-5939 (The travelzadcomvb (aka com.tapatalk.travelzadcomvb) application 3.3.1 ...) NOT-FOR-US: travelzadcomvb (aka com.tapatalk.travelzadcomvb) application for Android CVE-2014-5938 (The AllDealsAsia All Deals ADA app (aka com.ada.deals) application 4.2 ...) NOT-FOR-US: AllDealsAsia All Deals ADA app (aka com.ada.deals) application for Android CVE-2014-5937 (The Social Networking (aka com.wSocialNetworkingSites) application 0.3 ...) NOT-FOR-US: Social Networking (aka com.wSocialNetworkingSites) application for Android CVE-2014-5936 (The INCOgnito Private Browser (aka com.SL.InCoBrowser) application 1.4 ...) NOT-FOR-US: INCOgnito Private Browser (aka com.SL.InCoBrowser) application for Android CVE-2014-5935 (The Daily Free App @ Amazon (aka com.kattanweb.android.dfaa) applicati ...) NOT-FOR-US: Daily Free App @ Amazon (aka com.kattanweb.android.dfaa) application for Android CVE-2014-5934 (The Flurv Chat (aka com.flurv.android) application 4.3.3 for Android d ...) NOT-FOR-US: Flurv Chat (aka com.flurv.android) application for Android CVE-2014-5933 (The Coke Studio 7 (aka com.cokeshare.pakistan) application 1 for Andro ...) NOT-FOR-US: Coke Studio 7 (aka com.cokeshare.pakistan) application for Android CVE-2014-5932 (The Vodafone Mobile@Work (aka com.mobileiron.vodafone.MIClient) applic ...) NOT-FOR-US: Vodafone Mobile@Work (aka com.mobileiron.vodafone.MIClient) application for Android CVE-2014-5931 (The Stop & Shop SCAN IT! Mobile (aka com.modivmedia.scanitss) appl ...) NOT-FOR-US: Stop & Shop SCAN IT! Mobile (aka com.modivmedia.scanitss) application for Android CVE-2014-5930 (The Store and Share (aka sg.com.singnet.mystorage.android) application ...) NOT-FOR-US: Store and Share (aka sg.com.singnet.mystorage.android) application for Android CVE-2014-5929 (The emartmall (aka kr.co.emart.emartmall) application 1.3.3 for Androi ...) NOT-FOR-US: emartmall (aka kr.co.emart.emartmall) application for Android CVE-2014-5928 (The Steganos Online Shield VPN (aka com.steganos.onlineshield) applica ...) NOT-FOR-US: Steganos Online Shield VPN (aka com.steganos.onlineshield) application for Android CVE-2014-5927 (The FastCustomer -- Fast Customer (aka www.fastcustomer.com) applicati ...) NOT-FOR-US: FastCustomer -- Fast Customer (aka www.fastcustomer.com) application for Android CVE-2014-5926 (The DCU Mobile Banking (aka com.Vertifi.Mobile.P211391825) application ...) NOT-FOR-US: DCU Mobile Banking (aka com.Vertifi.Mobile.P211391825) application for Android CVE-2014-5925 (The 10000 Kindle Books Downloads (aka com.ww10000KindleBooksLatestnBes ...) NOT-FOR-US: 10000 Kindle Books Downloads (aka com.ww10000KindleBooksLatestnBestSellers) application for Android CVE-2014-5924 (The Monster Makeup (aka com.bearhugmedia.android_monster) application ...) NOT-FOR-US: Monster Makeup (aka com.bearhugmedia.android_monster) application for Android CVE-2014-5923 (The Facebook Status Via (aka com.StatusViaAdvanced) application 3.5 fo ...) NOT-FOR-US: Facebook Status Via (aka com.StatusViaAdvanced) application for Android CVE-2014-5922 (The ga6748 (aka com.g.ga6748) application 1 for Android does not verif ...) NOT-FOR-US: ga6748 (aka com.g.ga6748) application for Android CVE-2014-5921 (The Need for Speed Network (aka com.ea.nfsautolog.bv) application 1.0. ...) NOT-FOR-US: Need for Speed Network (aka com.ea.nfsautolog.bv) application for Android CVE-2014-5920 (The VK Amberfog (aka com.amberfog.vkfree) application 3.5.6 for Androi ...) NOT-FOR-US: VK Amberfog (aka com.amberfog.vkfree) application for Android CVE-2014-5919 (The SurDoc - 100GB+ FREE storage (aka com.jd.surdoc) application 1.3.4 ...) NOT-FOR-US: SurDoc - 100GB+ FREE storage (aka com.jd.surdoc) application for Android CVE-2014-5918 (The Secret Circle - talk freely (aka com.easyxapp.secret) application ...) NOT-FOR-US: Secret Circle - talk freely (aka com.easyxapp.secret) application for Android CVE-2014-5917 (The Slideshow 365 (aka com.Slideshow) application 3.6 for Android does ...) NOT-FOR-US: Slideshow 365 (aka com.Slideshow) application for Android CVE-2014-5916 (The Minha Oi (aka br.com.mobicare.minhaoi) application 1.15.0 for Andr ...) NOT-FOR-US: Minha Oi (aka br.com.mobicare.minhaoi) application for Android CVE-2014-5915 (The Tigo Copa Mundial FIFA 2014 (aka com.fwc2014.millicom.and) applica ...) NOT-FOR-US: Tigo Copa Mundial FIFA 2014 (aka com.fwc2014.millicom.and) application for Android CVE-2014-5914 (The Finansbank Cep Subesi (aka com.finansbank.mobile.cepsube) applicat ...) NOT-FOR-US: Finansbank Cep Subesi (aka com.finansbank.mobile.cepsube) application for Android CVE-2014-5913 (The Allies in War (aka com.gamelion.aiw) application 1.3.2 for Android ...) NOT-FOR-US: Allies in War (aka com.gamelion.aiw) application for Android CVE-2014-5912 (The InNote (aka com.intsig.notes) application 1.0.3.20131119 for Andro ...) NOT-FOR-US: InNote (aka com.intsig.notes) application for Android CVE-2014-5911 (The Free App Icons & Icon Packs (aka com.jellytap.cooliconfinder) ...) NOT-FOR-US: Free App Icons & Icon Packs (aka com.jellytap.cooliconfinder) application for Android CVE-2014-5910 (The Dog Whistle (aka com.dogwhistle.dogtrainingandroidapp) application ...) NOT-FOR-US: Dog Whistle (aka com.dogwhistle.dogtrainingandroidapp) application for Android CVE-2014-5909 (The watcha (aka com.frograms.watcha) application 2.0.2 for Android doe ...) NOT-FOR-US: watcha (aka com.frograms.watcha) application for Android CVE-2014-5908 (The Kmart (aka com.kmart.android) application @7F0C00EF for Android do ...) NOT-FOR-US: Kmart (aka com.kmart.android) application for Android CVE-2014-5907 (The Pet Salon (aka com.libiitech.petsalon) application 1.0.1 for Andro ...) NOT-FOR-US: Pet Salon (aka com.libiitech.petsalon) application for Android CVE-2014-5906 (The Lil Wayne Slots: FREE SLOTS (aka com.lilwayneslots.slots.android) ...) NOT-FOR-US: Lil Wayne Slots: FREE SLOTS (aka com.lilwayneslots.slots.android) application for Android CVE-2014-5905 (The Grocery List - Tomatoes (aka com.meucarrinho) application 5.1.4 fo ...) NOT-FOR-US: Grocery List - Tomatoes (aka com.meucarrinho) application for Android CVE-2014-5904 (The MiniInTheBox Online Shopping (aka com.miniinthebox.android) applic ...) NOT-FOR-US: MiniInTheBox Online Shopping (aka com.miniinthebox.android) application for Android CVE-2014-5903 (The Mobile@Work (aka com.mobileiron) application 6.0.0.1.12R for Andro ...) NOT-FOR-US: Mobile@Work (aka com.mobileiron) application for Android CVE-2014-5902 (The UA Cinemas - Mobile ticketing (aka com.mtel.uacinemaapps) applicat ...) NOT-FOR-US: UA Cinemas - Mobile ticketing (aka com.mtel.uacinemaapps) application for Android CVE-2014-5901 (The Beauty Bible - App for Girls (aka com.my.beauty.bible) application ...) NOT-FOR-US: Beauty Bible - App for Girls (aka com.my.beauty.bible) application for Android CVE-2014-5900 (The myHomework Student Planner (aka com.myhomeowork) application 3.0.2 ...) NOT-FOR-US: myHomework Student Planner (aka com.myhomeowork) application for Android CVE-2014-5899 (The Nespresso (aka com.nespresso.activities) application 2.4.1 for And ...) NOT-FOR-US: Nespresso (aka com.nespresso.activities) application for Android CVE-2014-5898 (The Heavy Duty Truck Driver Simulator 3D (aka com.oas.heavy.duty.truck ...) NOT-FOR-US: Heavy Duty Truck Driver Simulator 3D (aka com.oas.heavy.duty.truck.driver.simulator3d) application for Android CVE-2014-5897 (The Parallel Mafia MMORPG (aka com.perblue.pm.client) application @7F0 ...) NOT-FOR-US: Parallel Mafia MMORPG (aka com.perblue.pm.client) application for Android CVE-2014-5896 (The GlobalTalk- free phone calls (aka com.seawolftech.globaltalk) appl ...) NOT-FOR-US: GlobalTalk- free phone calls (aka com.seawolftech.globaltalk) application for Android CVE-2014-5895 (The ShopYourWay (aka com.sears.shopyourway) application 1.9 for Androi ...) NOT-FOR-US: ShopYourWay (aka com.sears.shopyourway) application for Android CVE-2014-5894 (The AireTalk: Text, Call, & More! (aka com.pingshow.amper) applica ...) NOT-FOR-US: AireTalk: Text, Call, & More! (aka com.pingshow.amper) application for Android CVE-2014-5893 (The froyo (aka com.shinsegae.mobile.froyo) application 5.1.3 for Andro ...) NOT-FOR-US: froyo (aka com.shinsegae.mobile.froyo) application for Android CVE-2014-5892 (The greenbill (aka com.show.greenbill_G) application 2.0.3 for Android ...) NOT-FOR-US: greenbill (aka com.show.greenbill_G) application for Android CVE-2014-5891 (The SnipSnap Coupon App (aka com.snipsnap.snipsnapapp) application 1.1 ...) NOT-FOR-US: SnipSnap Coupon App (aka com.snipsnap.snipsnapapp) application for Android CVE-2014-5890 (The KBO sports2i 2014 (aka com.sports2i) application 5.1.00 for Androi ...) NOT-FOR-US: KBO sports2i 2014 (aka com.sports2i) application for Android CVE-2014-5889 (The Android Forums (aka com.tapatalk.androidforumscom) application 2.4 ...) NOT-FOR-US: Android Forums (aka com.tapatalk.androidforumscom) application for Android CVE-2014-5888 (The SLOTS: Bible Slots Free (aka com.topfreegames.topbibleslots) appli ...) NOT-FOR-US: SLOTS: Bible Slots Free (aka com.topfreegames.topbibleslots) application for Android CVE-2014-5887 (The Yell Local Search (aka com.yell.launcher2) application 4.2.1.4 for ...) NOT-FOR-US: Yell Local Search (aka com.yell.launcher2) application for Android CVE-2014-5886 (The iVysilani ceske televize (aka cz.motion.ivysilani) application 1.6 ...) NOT-FOR-US: iVysilani ceske televize (aka cz.motion.ivysilani) application for Android CVE-2014-5885 (The Disaster Alert (aka disasterAlert.PDC) application 3.2 for Android ...) NOT-FOR-US: Disaster Alert (aka disasterAlert.PDC) application for Android CVE-2014-5884 (The 1&1 Online Storage (aka de.einsundeins.smartdrive) application ...) NOT-FOR-US: 1&1 Online Storage (aka de.einsundeins.smartdrive) application for Android CVE-2014-5883 (The 7-ELEVEN (aka ecowork.seven) application 2.08.000 for Android does ...) NOT-FOR-US: 7-ELEVEN (aka ecowork.seven) application for Android CVE-2014-5882 (The Homoo Ijiri (aka jp.co.applica) application 3.7 for Android does n ...) NOT-FOR-US: Homoo Ijiri (aka jp.co.applica) application for Android CVE-2014-5881 (The Yahoo! Japan Box (aka jp.co.yahoo.android.ybox) application 1.5.1 ...) NOT-FOR-US: Yahoo! ybox application for android CVE-2014-5879 (The tvguide (aka kenneth.tvguide) application 1.9.14 for Android does ...) NOT-FOR-US: tvguide application for Android CVE-2014-5878 (The ium (aka net.ium.mobile.android) application 3.3.4 for Android doe ...) NOT-FOR-US: ium application for Android CVE-2014-5877 (The TV Guide (aka net.micene.minigroup.palimpsests.lite) application 5 ...) NOT-FOR-US: TV Guide application for Android CVE-2014-5876 (The WD My Cloud (aka com.wdc.wd2go) application 4.0.0 for Android does ...) NOT-FOR-US: WD My Cloud application for Android CVE-2014-5875 (The Sylphone (aka com.sylpheo.prospectosyl) application 5.3.8 for Andr ...) NOT-FOR-US: Sylphone application for Android CVE-2014-5874 (The SplashID (aka com.splashidandroid) application 7.2.2 for Android d ...) NOT-FOR-US: SplashID application for Android CVE-2014-5873 (The Sears (aka com.sears.android) application 6.2.8 for Android does n ...) NOT-FOR-US: Sears application for Android CVE-2014-5872 (The SafeNetMobile Pass (aka securecomputing.devices.android.controller ...) NOT-FOR-US: SafeNetMobile Pass application for Android CVE-2014-5871 (The Piwik Mobile 2 (aka org.piwik.mobile2) application 2.0.1 for Andro ...) NOT-FOR-US: Piwik Mobile 2 application for Android CVE-2014-5870 (The Kmart (aka com.kmart.android) application 6.2.8 for Android does n ...) NOT-FOR-US: Kmart application for Android CVE-2014-5869 (The CNNMoney Portfolio (aka com.cnn.cnnmoney) application 1.03 for And ...) NOT-FOR-US: CNNMoney Portfolio application for Android CVE-2014-5868 (The Cisco Technical Support (aka com.cisco.swtg_android) application 3 ...) NOT-FOR-US: Cisco Technical Support application for Android CVE-2014-5867 (The Capital One Spark Pay (aka com.capitalone.sparkpay) application 0. ...) NOT-FOR-US: Capital One Spark Pay application for Android CVE-2014-5866 (The CA DMV (aka gov.ca.dmv) application 2 for Android does not verify ...) NOT-FOR-US: CA DMV application for Android CVE-2014-5865 (The Ask.com (aka com.ask.android) application 2.2.5 for Android does n ...) NOT-FOR-US: Ask.com application for Android CVE-2014-5864 (The Swish payments (aka se.bankgirot.swish) application 2 for Android ...) NOT-FOR-US: Swish payments application for Android CVE-2014-5863 (The mpang.gp (aka air.com.cjenm.mpang.gp) application 4.0.0 for Androi ...) NOT-FOR-US: mpang.gp application for Android CVE-2014-5862 (The ecalendar2 (aka cn.etouch.ecalendar2) application 4.5.3 for Androi ...) NOT-FOR-US: ecalendar2 application for Android CVE-2014-5861 (The BoyAhoy - Gay Chat (aka com.boyahoy.android) application 4.3.6 for ...) NOT-FOR-US: BoyAhoy application for Android CVE-2014-5860 (The Slide Show Creator (aka com.amem) application 4.4.3 for Android do ...) NOT-FOR-US: Slide Show Creator application for Android CVE-2014-5859 (The Star Girl: Colors of Spring (aka com.animoca.google.starGirlSpring ...) NOT-FOR-US: Star Girl application for Android CVE-2014-5858 (The Candy Blast (aka com.appgame7.candyblast) application 1.1.001 for ...) NOT-FOR-US: Candy Blast application for Android CVE-2014-5857 (The White & Yellow Pages (aka com.avantar.wny) application 5.1.1 f ...) NOT-FOR-US: White & Yellow Pages application for Android CVE-2014-5856 (The Selfie Camera -Facial Beauty- (aka com.cfinc.cunpic) application 1 ...) NOT-FOR-US: Selfie Camera application for Android CVE-2014-5855 (The CJmall (aka com.cjoshppingphone) application 4.1.8 for Android doe ...) NOT-FOR-US: CJmall application for Android CVE-2014-5854 (The Windows Live Hotmail PUSH mail (aka com.clearhub.wl) application 1 ...) NOT-FOR-US: Windows Live Hotmail PUSH mail application for Android CVE-2014-5853 (The Knights N Squires (aka com.com2us.imhero.normal.freefull.google.gl ...) NOT-FOR-US: Knights N Squires application for Android CVE-2014-5852 (The Kakao (aka com.com2us.tinypang.kakao.freefull2.google.global.andro ...) NOT-FOR-US: Kakao application for Android CVE-2014-5851 (The Dark Summoner (aka com.darksummoner) application 1.03.39 for Andro ...) NOT-FOR-US: Dark Summoner application for Android CVE-2014-5850 (The Kaave Fali (aka com.didilabs.kaavefali) application 1.5.1 for Andr ...) NOT-FOR-US: Kaave Fali application for Android CVE-2014-5849 (The Maleficent Free Fall (aka com.disney.maleficent_goo) application 1 ...) NOT-FOR-US: Maleficent Free Fall application for Android CVE-2014-5848 (The Dubstep Hero (aka com.electricpunch.dubstephero) application 1.9 f ...) NOT-FOR-US: Dubstep Hero application for Android CVE-2014-5847 (The Big Win Slots - Slot Machines (aka com.gosub60.BigWinSlots) applic ...) NOT-FOR-US: Big Win Slot application for Android CVE-2014-5846 (The Fairy Princess Makeover Salon (aka com.mobgams.dressup.fairy.princ ...) NOT-FOR-US: Fairy Princess Makeover Salon application for Android CVE-2014-5845 (The Strike Fighters Israel (aka com.thirdwire.strikefighters.mideast.a ...) NOT-FOR-US: Strike Fighers Israel application for Android CVE-2014-5844 (The Alsunna (aka com.wAlsunna) application 0.1 for Android does not ve ...) NOT-FOR-US: Alsunna application for Android CVE-2014-5843 (The ADP AGENCY Immobiliare (aka com.wAdpagencyAndroid) application 0.1 ...) NOT-FOR-US: ADP AGENCY Immobiliare application for Android CVE-2014-5842 (The 2G Live Tv (aka com.ww2GLiveTv) application 0.9 for Android does n ...) NOT-FOR-US: 2G Live TV application for Android CVE-2014-5841 (The Girls Calendar Period&Weight (aka jp.co.cybird.apps.lifestyle. ...) NOT-FOR-US: Girls Calendar Period&Weight application for Android CVE-2014-5840 (The forfone: Free Calls & Messages (aka com.forfone.sip) forfone a ...) NOT-FOR-US: forfone application for Android CVE-2014-5839 (The Acces Compte (aka com.fullsix.android.labanquepostale.accountacces ...) NOT-FOR-US: Acces Compte application for Android CVE-2014-5838 (The Girls Games - Shoes Maker (aka com.g6677.android.shoemaker) applic ...) NOT-FOR-US: Girls Games application for Android CVE-2014-5837 (The My Railway (aka com.gameinsight.myrailway) application 1.1.33 for ...) NOT-FOR-US: My Railway application for Android CVE-2014-5836 (The GittiGidiyor (aka com.gittigidiyormobil) application 1.4.1 for And ...) NOT-FOR-US: GittiGidiyor application for Android CVE-2014-5835 (The Club Personal (aka com.globant.clubpersonal) application 2.6 for A ...) NOT-FOR-US: Club Personal application for Android CVE-2014-5834 (The Solitaire Deluxe (aka com.gosub60.solfree2) application 2.8.5 for ...) NOT-FOR-US: Solitaire Deluxe application for Android CVE-2014-5833 (The FriendCaster Chat (aka com.handmark.friendcaster.chat) application ...) NOT-FOR-US: Friendaster Chat application for Android CVE-2014-5832 (The hananbank (aka com.hanabank.ebk.channel.android.hananbank) applica ...) NOT-FOR-US: hananbank application for Android CVE-2014-5831 (The Hotel Story: Resort Simulation (aka com.happylabs.hotelstory) appl ...) NOT-FOR-US: Hotel Story application for Android CVE-2014-5830 (The Farm Frenzy Gold (aka com.herocraft.game.farmfrenzy.gold) applicat ...) NOT-FOR-US: Farm Frenzy Gold application for Android CVE-2014-5829 (The Hobby Lobby Stores (aka com.hobbylobbystores.android) application ...) NOT-FOR-US: Hobby Lobby Stores application for Android CVE-2014-5828 (The 3Kundenzone (aka com.hutchison3g.at.android.selfcare) application ...) NOT-FOR-US: 3Kundenzone application for Android CVE-2014-5827 (The Ibotta - Better than Coupons. (aka com.ibotta.android) application ...) NOT-FOR-US: Ibotta application for Android CVE-2014-5826 (The Rix GO Locker Theme (aka com.jiubang.goscreenlock.theme.rix.getjar ...) NOT-FOR-US: Rix GO Locker Theme application for Android CVE-2014-5825 (The Guess The Movie (aka com.june.guessthemovie) application 2.982 for ...) NOT-FOR-US: Guess The Movie application for Android CVE-2014-5824 (The longjiang (aka com.longjiang.kr) application 2.0.6 for Android doe ...) NOT-FOR-US: longjiang application for Android CVE-2014-5823 (The The Cleaner - Speed up & Clean (aka com.liquidum.thecleaner) a ...) NOT-FOR-US: The Cleaner application for Android CVE-2014-5822 (The VK Kate Mobile (aka com.perm.kate) application 9.6.1 for Android d ...) NOT-FOR-US: VK Kate Mobile application for Android CVE-2014-5821 (The Guitar Tuner Free - GuitarTuna (aka com.ovelin.guitartuna) applica ...) NOT-FOR-US: Guitar Tuner Free application for Android CVE-2014-5820 (The OkCupid Dating (com.okcupid.okcupid) application 3.4.6 for Android ...) NOT-FOR-US: OkCupid Dating application for Android CVE-2014-5819 (The PHONE for Google Voice & GTalk (aka com.moplus.gvphone) applic ...) NOT-FOR-US: PHONE for Google Voice & GTalk application for Android CVE-2014-5818 (The Tiny Tower (aka com.mobage.ww.a560.tinytower_android) application ...) NOT-FOR-US: Tiny Tower application for Android CVE-2014-5817 (The Mini Pets (aka com.miniclip.animalshelter) application 2.0.3 for A ...) NOT-FOR-US: Mini Pets application for Android CVE-2014-5816 (The MeiPai (aka com.meitu.meipaimv) application 1.2.0 for Android does ...) NOT-FOR-US: MeiPai application for Android CVE-2014-5815 (The Solitaire Arena (aka com.mavenhut.solitaire) application 1.0.15 fo ...) NOT-FOR-US: Solitaire Arena application for Android CVE-2014-5814 REJECTED CVE-2014-5813 (The lostword (aka zozo.android.lostword) application 5.9 for Android d ...) NOT-FOR-US: lostword application for Android CVE-2014-5812 (The VDM Officiel (aka vdm.activities) application 5 for Android does n ...) NOT-FOR-US: VDM Officiel application for Android CVE-2014-5811 (The ZOOM Cloud Meetings (aka us.zoom.videomeetings) application @7F060 ...) NOT-FOR-US: ZOOM cloud Meetings application for Android CVE-2014-5810 (The SGK Hizmet Dokumu 4a (aka tr.gov.sgk.hizmetDokumu4a) application 1 ...) NOT-FOR-US: SGK Hizmet Dokumu 4a application for Android CVE-2014-5809 (The Smart Browser (aka smartbrowser.geniuscloud) application 2.0 for A ...) NOT-FOR-US: Smart Browser (aka smartbrowser.geniuscloud) application for Android CVE-2014-5808 (The Whisper (aka sh.whisper) application 4.0.6 for Android does not ve ...) NOT-FOR-US: Whisper application for Android CVE-2014-5807 (The Safari Browser (aka safari.safaribrowser.internetexplorer) applica ...) NOT-FOR-US: Safari Browser application for Android CVE-2014-5806 (The World of Tanks Assistant (aka ru.worldoftanks.mobile) application ...) NOT-FOR-US: World of Tanks Assistant application for Android CVE-2014-5805 (The Dating for everyone - Mamba! (aka ru.mamba.client) application 3.5 ...) NOT-FOR-US: Dating for everyone - Mamba! application for Android CVE-2014-5804 (The Mail.Ru Dating (aka ru.mail.love) application 3 for Android does n ...) NOT-FOR-US: Mail.Ru Dating application for Android CVE-2014-5803 (The Towers N' Trolls (aka project.android.ftdjni) application 1.6.4 fo ...) NOT-FOR-US: Towers N' Trolls application for Android CVE-2014-5802 (The PlayScape (aka playscape.mominis.gameconsole.com) application 9.3. ...) NOT-FOR-US: PlayScape application for Android CVE-2014-5801 (The DataGard VPN + AV (aka ocshield.com) application @7F050013 for And ...) NOT-FOR-US: DataGard VPN + AV application for Android CVE-2014-5800 (The smart.nhibzbanking (aka nh.smart.nhibzbanking) application 2.1 for ...) NOT-FOR-US: smart.nhibzbanking application for Android CVE-2014-5799 (The smart.card (aka nh.smart.card) application 3.2 for Android does no ...) NOT-FOR-US: smart.card application for Android CVE-2014-5798 (The smart.calculator (aka nh.smart.calculator) application 2 for Andro ...) NOT-FOR-US: smart.calculator application for Android CVE-2014-5797 (The smart (aka nh.smart) application 3.0.5 for Android does not verify ...) NOT-FOR-US: smart application for Android CVE-2014-5796 (The Chest Workout (aka net.p4p.chest) application 2.0.8 for Android do ...) NOT-FOR-US: Chest workout application for Android CVE-2014-5794 (The 8 Minutes Abs Workout (aka net.p4p.absen) application 2.0.9 for An ...) NOT-FOR-US: 8 Minutes Abs Workout application for Android CVE-2014-5793 (The Bilgi Yarisi (aka net.mobilecraft.bilgiyarisi) application 1.8 for ...) NOT-FOR-US: Bilgi Yarisi application for Android CVE-2014-5792 (The Reign of Dragons: Build-Battle (aka net.gree.android.pf.greeapp575 ...) NOT-FOR-US: Reign of Dragons application for Android CVE-2014-5791 (The Daum Cloud (aka net.daum.android.cloud) application 1.6.18 for And ...) NOT-FOR-US: Daum cloud application for Android CVE-2014-5790 (The Pets Fun House (aka mominis.Generic_Android.Pets_Fun_House) applic ...) NOT-FOR-US: Pets Fun House application for Android CVE-2014-5789 (The Ninja Chicken Ooga Booga (aka mominis.Generic_Android.Ninja_Chicke ...) NOT-FOR-US: Nija Chicken Ooga Booga application for Android CVE-2014-5788 (The Ninja Chicken Adventure Island (aka mominis.Generic_Android.Ninja_ ...) NOT-FOR-US: Ninja Chicken Adventure Island application for Android CVE-2014-5787 (The Ninja Chicken (aka mominis.Generic_Android.Ninja_Chicken) applicat ...) NOT-FOR-US: Ninja Chicken application for Android CVE-2014-5786 (The Jewels & Diamonds (aka mominis.Generic_Android.Jewels_and_Diam ...) NOT-FOR-US: Jewels & Diamonds application for Android CVE-2014-5785 (The Bouncy Bill World-Cup (aka mominis.Generic_Android.Bouncy_Bill_Wor ...) NOT-FOR-US: Bouncy Bill World-Cup application for Android CVE-2014-5784 (The Bouncy Bill Seasons (aka mominis.Generic_Android.Bouncy_Bill_Seaso ...) NOT-FOR-US: Bouncy Bill Seasons application for Android CVE-2014-5783 (The Bouncy Bill Monster Smasher ed (aka mominis.Generic_Android.Bouncy ...) NOT-FOR-US: Bouncy Bill Monster Smasher ed application for Android CVE-2014-5782 (The Bouncy Bill Halloween (aka mominis.Generic_Android.Bouncy_Bill_Hal ...) NOT-FOR-US: Bouncy Bill Halloween application for Android CVE-2014-5781 (The Bouncy Bill Easter Tales (aka mominis.Generic_Android.Bouncy_Bill_ ...) NOT-FOR-US: Bouncy Bill Easter Tales application for Android CVE-2014-5780 (The Bouncy Bill (aka mominis.Generic_Android.Bouncy_Bill) application ...) NOT-FOR-US: Bouncy Bill application for Android CVE-2014-5779 (The Jack'd - Gay Chat & Dating (aka mobi.jackd.android) applicatio ...) NOT-FOR-US: Jack'd - Gay Chat & Dating (aka mobi.jackd.android) application for Android CVE-2014-5778 (The Pou (aka me.pou.app) application 1.4.53 for Android does not verif ...) NOT-FOR-US: Pou (aka me.pou.app) application for Android CVE-2014-5777 (The icon wallpaper dressup-CocoPPa (aka jp.united.app.cocoppa) applica ...) NOT-FOR-US: icon wallpaper dressup-CocoPPa (aka jp.united.app.cocoppa) application for Android CVE-2014-5776 (The PlayMemories Online (aka jp.co.sony.tablet.PersonalSpace) applicat ...) NOT-FOR-US: PlayMemories Online (aka jp.co.sony.tablet.PersonalSpace) application for Android CVE-2014-5775 (The Super Fast Browser (aka iron.web.jalepano.browser) application 2.0 ...) NOT-FOR-US: Super Fast Browser (aka iron.web.jalepano.browser) application for Android CVE-2014-5774 (The Web Browser & Explorer (aka internetexplorer.browser.webexplor ...) NOT-FOR-US: Web Browser & Explorer (aka internetexplorer.browser.webexplorer) application for Android CVE-2014-5773 (The RegisteredAssistant (aka Icr.RegisteredAssistant) application 0.2. ...) NOT-FOR-US: RegisteredAssistant (aka Icr.RegisteredAssistant) application for Android CVE-2014-5772 (The Government Bookstore (aka hksarg.isd.sop.govbookstore) application ...) NOT-FOR-US: Government Bookstore (aka hksarg.isd.sop.govbookstore) application for Android CVE-2014-5771 (The Credit Union of Texas Mobile (aka Fi_Mobile.CUOT) application 1.1 ...) NOT-FOR-US: Credit Union of Texas Mobile (aka Fi_Mobile.CUOT) application for Android CVE-2014-5770 (The Web Browser for Android (aka explore.web.browser) application 1.2 ...) NOT-FOR-US: Web Browser for Android (aka explore.web.browser) application for Android CVE-2014-5769 (The Mobiscope Local (aka ehs.mobiscope.kernel) application 1.05 for An ...) NOT-FOR-US: Mobiscope Local (aka ehs.mobiscope.kernel) application for Android CVE-2014-5768 (The Food Planner (aka dk.boggie.madplan.android) application 4.8.4.3-g ...) NOT-FOR-US: Food Planner (aka dk.boggie.madplan.android) application for Android CVE-2014-5767 (The IM+ (aka de.shapeservices.impluslite) application 6.6.2 for Androi ...) NOT-FOR-US: IM+ (aka de.shapeservices.impluslite) application for Android CVE-2014-5766 (The Uber B2B (aka de.mobileeventguide.uberb2b) application 1.9 for And ...) NOT-FOR-US: Uber B2B (aka de.mobileeventguide.uberb2b) application for Android CVE-2014-5765 (The Paint for Friends (aka de.lotumlabs.buddypainting) application 1.5 ...) NOT-FOR-US: Paint for Friends (aka de.lotumlabs.buddypainting) application for Android CVE-2014-5764 (The Antivirus Free (aka com.zrgiu.antivirus) application 7.2.16.02 for ...) NOT-FOR-US: Antivirus Free (aka com.zrgiu.antivirus) application for Android CVE-2014-5763 (The Kid Mode: Free Games + Lock (aka com.zoodles.kidmode) application ...) NOT-FOR-US: Kid Mode: Free Games + Lock (aka com.zoodles.kidmode) application for Android CVE-2014-5762 (The Cut the Rope: Time Travel (aka com.zeptolab.timetravel.free.google ...) NOT-FOR-US: Cut the Rope: Time Travel (aka com.zeptolab.timetravel.free.google) application for Android CVE-2014-5761 (The Zipcar (aka com.zc.android) application 3.4.2 for Android does not ...) NOT-FOR-US: Zipcar (aka com.zc.android) application for Android CVE-2014-5760 (The Pizza Hut (aka com.yum.pizzahut) application 2.0.5 for Android doe ...) NOT-FOR-US: Pizza Hut (aka com.yum.pizzahut) application for Android CVE-2014-5759 (The Awesome Antivirus 2014 (aka com.yoursite.top5antivirus2014) applic ...) NOT-FOR-US: Awesome Antivirus 2014 (aka com.yoursite.top5antivirus2014) application for Android CVE-2014-5758 (The Yellow Pages Local Search (aka com.yellowbook.android2) applicatio ...) NOT-FOR-US: Yellow Pages Local Search (aka com.yellowbook.android2) application for Android CVE-2014-5757 (The Buy Tickets (aka com.xcr.android.buytickets) application 2.3 for A ...) NOT-FOR-US: Buy Tickets (aka com.xcr.android.buytickets) application for Android CVE-2014-5756 (The Buy 99 Cents Only Products (aka com.ww99CentsOnlyStores) applicati ...) NOT-FOR-US: Buy 99 Cents Only Products (aka com.ww99CentsOnlyStores) application for Android CVE-2014-5755 (The verizon (aka com.wverizonwirelessbill) application 0.1 for Android ...) NOT-FOR-US: verizon (aka com.wverizonwirelessbill) application for Android CVE-2014-5754 (The Verizon Instant Refills 24/7 (aka com.wVerizonInstantRefill247) ap ...) NOT-FOR-US: Verizon Instant Refills 24/7 (aka com.wVerizonInstantRefill247) application for Android CVE-2014-5753 (The Twitter No Background (aka com.wTwitternobackground) application 0 ...) NOT-FOR-US: Twitter No Background (aka com.wTwitternobackground) application for Android CVE-2014-5752 (The wTradersActivity (aka com.wTradersActivity) application 0.1 for An ...) NOT-FOR-US: wTradersActivity (aka com.wTradersActivity) application for Android CVE-2014-5751 (The Tor Browser the Short Guide (aka com.wTorShortUserManual) applicat ...) NOT-FOR-US: Tor Browser the Short Guide (aka com.wTorShortUserManual) application for Android CVE-2014-5750 (The Pro Bet Tips (aka com.wProBetTips) application 0.2 for Android doe ...) NOT-FOR-US: Pro Bet Tips (aka com.wProBetTips) application for Android CVE-2014-5749 (The Jelly Splash (aka com.wooga.jelly_splash) application 1.11.3 for A ...) NOT-FOR-US: Jelly Splash (aka com.wooga.jelly_splash) application for Android CVE-2014-5748 (The wK12olslogin (aka com.wK12olslogin) application 0.1 for Android do ...) NOT-FOR-US: wK12olslogin (aka com.wK12olslogin) application for Android CVE-2014-5747 (The XFINITY Constant Guard Mobile (aka com.whitesky.mobile.android) ap ...) NOT-FOR-US: XFINITY Constant Guard Mobile (aka com.whitesky.mobile.android) application for Android CVE-2014-5746 (The Government Best Jobs (aka com.wGovernmentBestJobs) application 0.1 ...) NOT-FOR-US: Government Best Jobs (aka com.wGovernmentBestJobs) application for Android CVE-2014-5745 (The FREE Pageplus Activation (aka com.wFREEPageplusActivations) applic ...) NOT-FOR-US: FREE Pageplus Activation (aka com.wFREEPageplusActivations) application for Android CVE-2014-5744 (The RE-VOLT 2 : MULTIPLAYER (aka com.wegoi.revolt2multiplayer) applica ...) NOT-FOR-US: RE-VOLT 2 : MULTIPLAYER (aka com.wegoi.revolt2multiplayer) application for Android CVE-2014-5743 (The RE-VOLT 2 : Best RC 3D Racing (aka com.wego.revolt2_global) applic ...) NOT-FOR-US: RE-VOLT 2 : Best RC 3D Racing (aka com.wego.revolt2_global) application for Android CVE-2014-5742 (The Eversnap Private Photo Album (aka com.weddingsnap.android) applica ...) NOT-FOR-US: Eversnap Private Photo Album (aka com.weddingsnap.android) application for Android CVE-2014-5741 (The Security - Complete (aka com.webroot.security.complete) applicatio ...) NOT-FOR-US: Security - Complete (aka com.webroot.security.complete) application for Android CVE-2014-5740 (The Security - Free (aka com.webroot.security) application 3.6.0.6610 ...) NOT-FOR-US: Security - Free (aka com.webroot.security) application for Android CVE-2014-5739 (The Garfield's Diner (aka com.webprancer.google.GarfieldsDiner) applic ...) NOT-FOR-US: Garfield's Diner (aka com.webprancer.google.GarfieldsDiner) application for Android CVE-2014-5738 (The Garfield's Defense (aka com.webprancer.google.garfieldDefense) app ...) NOT-FOR-US: Garfield's Defense (aka com.webprancer.google.garfieldDefense) application for Android CVE-2014-5737 (The CDsoft (aka com.wCDSOFT) application 0.2 for Android does not veri ...) NOT-FOR-US: CDsoft (aka com.wCDSOFT) application for Android CVE-2014-5736 (The Buy Coins (aka com.wBuyCoins) application 0.62.13364.24150 for And ...) NOT-FOR-US: Buy Coins (aka com.wBuyCoins) application for Android CVE-2014-5735 (The Buy A Gift (aka com.wBuyAGift) application 13529.90084 for Android ...) NOT-FOR-US: Buy A Gift (aka com.wBuyAGift) application for Android CVE-2014-5734 (The Buy Books (aka com.wBooksForSale) application 0.1 for Android does ...) NOT-FOR-US: Buy Books (aka com.wBooksForSale) application for Android CVE-2014-5733 (The Shop Love (aka com.waterwish.shoplove) application 1.05 for Androi ...) NOT-FOR-US: Shop Love (aka com.waterwish.shoplove) application for Android CVE-2014-5732 (The Wamba - meet women and men (aka com.wamba.client) application 3 fo ...) NOT-FOR-US: Wamba - meet women and men (aka com.wamba.client) application for Android CVE-2014-5731 (The Word Search (aka com.virtuesoft.wordsearch) application 2.3.0 for ...) NOT-FOR-US: Word Search (aka com.virtuesoft.wordsearch) application for Android CVE-2014-5730 (The russkoe TB HD (aka com.videotelecom.russkoeHD) application 3.6 for ...) NOT-FOR-US: russkoe TB HD (aka com.videotelecom.russkoeHD) application for Android CVE-2014-5729 (The Viddy (aka com.viddy.Viddy) application 1.3.9 for Android does not ...) NOT-FOR-US: Viddy (aka com.viddy.Viddy) application for Android CVE-2014-5728 (The Vevo - Watch HD Music Videos (aka com.vevo) application 2.0.27 for ...) NOT-FOR-US: Vevo - Watch HD Music Videos (aka com.vevo) application for Android CVE-2014-5727 (The uTorrent Remote (aka com.utorrent.web) application 1.0.20110929 fo ...) NOT-FOR-US: uTorrent Remote (aka com.utorrent.web) application for Android CVE-2014-5726 (The Security Service myBranch App (aka com.tyfone.ssfcu.mbanking) appl ...) NOT-FOR-US: Security Service myBranch App (aka com.tyfone.ssfcu.mbanking) application for Android CVE-2014-5725 (The Truecaller - Caller ID & Block (aka com.truecaller) applicatio ...) NOT-FOR-US: Truecaller - Caller ID & Block (aka com.truecaller) application for Android CVE-2014-5724 (The Gambling Insider Magazine (aka com.triactivemedia.gambling) applic ...) NOT-FOR-US: Gambling Insider Magazine (aka com.triactivemedia.gambling) application for Android CVE-2014-5723 (The Trapster (aka com.trapster.android) application 4.3.2 for Android ...) NOT-FOR-US: Trapster (aka com.trapster.android) application for Android CVE-2014-5722 (The SwiftKey Keyboard + Emoji (aka com.touchtype.swiftkey) application ...) NOT-FOR-US: SwiftKey Keyboard + Emoji (aka com.touchtype.swiftkey) application for Android CVE-2014-5721 (The Touchnote Postcards (aka com.touchnote.android) application 4.2.7 ...) NOT-FOR-US: Touchnote Postcards (aka com.touchnote.android) application for Android CVE-2014-5720 (The Bike Race Free - Top Free Game (aka com.topfreegames.bikeracefreew ...) NOT-FOR-US: Bike Race Free - Top Free Game (aka com.topfreegames.bikeracefreeworld) application for Android CVE-2014-5719 (The BIKE RACING 2014 (aka com.timuzsolutions.bikeracing2014) applicati ...) NOT-FOR-US: BIKE RACING 2014 (aka com.timuzsolutions.bikeracing2014) application for Android CVE-2014-5718 REJECTED CVE-2014-5717 (The Fashion Style (aka com.thirtysixyougames.google.starGirlSingapore) ...) NOT-FOR-US: Fashion Style (aka com.thirtysixyougames.google.starGirlSingapore) application for Android CVE-2014-5716 (The GUNSHIP BATTLE : Helicopter 3D (aka com.theonegames.gunshipbattle) ...) NOT-FOR-US: GUNSHIP BATTLE : Helicopter 3D (aka com.theonegames.gunshipbattle) application for Android CVE-2014-5715 (The Street Racing (aka com.tgb.streetracing.lite5pp) application 4.0.4 ...) NOT-FOR-US: Street Racing (aka com.tgb.streetracing.lite5pp) application for Android CVE-2014-5714 (The Text Me! Free Texting & Call (aka com.textmeinc.textme) applic ...) NOT-FOR-US: Text Me! Free Texting & Call (aka com.textmeinc.textme) application for Android CVE-2014-5713 (The Telly - Watch the good stuff (aka com.telly) application 2.5.1 for ...) NOT-FOR-US: Telly - Watch the good stuff (aka com.telly) application for Android CVE-2014-5712 (The Turbo River Racing Free (aka com.tektite.androidgames.trrfree) app ...) NOT-FOR-US: Turbo River Racing Free (aka com.tektite.androidgames.trrfree) application for Android CVE-2014-5711 (The Microsoft Tech Companion (aka com.technet) application 1.0.6 for A ...) NOT-FOR-US: Microsoft Tech Companion (aka com.technet) application for Android CVE-2014-5710 (The Cisco Class Locator Fast Lane (aka com.tabletkings.mycompany.fastl ...) NOT-FOR-US: Cisco Class Locator Fast Lane (aka com.tabletkings.mycompany.fastlane.cisco) application for Android CVE-2014-5709 (The Donut Maker (aka com.sunstorm.android.donut) application 1.27 for ...) NOT-FOR-US: Donut Maker (aka com.sunstorm.android.donut) application for Android CVE-2014-5708 (The Best Racing/moto Games Ranking (aka com.subapp.android.racing) app ...) NOT-FOR-US: Best Racing/moto Games Ranking (aka com.subapp.android.racing) application for Android CVE-2014-5707 (The Bunny Run (aka com.stargirlgames.google.bunnyrun) application 1.1. ...) NOT-FOR-US: Bunny Run (aka com.stargirlgames.google.bunnyrun) application for Android CVE-2014-5706 (The SomNote - Journal/Memo (aka com.somcloud.somnote) application 2.1. ...) NOT-FOR-US: SomNote - Journal/Memo (aka com.somcloud.somnote) application for Android CVE-2014-5705 (The Sonic CD Lite (aka com.soa.sega.soniccdlite) application 1.0.4 for ...) NOT-FOR-US: Sonic CD Lite (aka com.soa.sega.soniccdlite) application for Android CVE-2014-5704 (The DISH Anywhere (aka com.sm.SlingGuide.Dish) application 3.5.10 for ...) NOT-FOR-US: DISH Anywhere (aka com.sm.SlingGuide.Dish) application for Android CVE-2014-5703 (The Slingo Lottery Challenge (aka com.slingo.slingolotterychallenge) a ...) NOT-FOR-US: Slingo Lottery Challenge (aka com.slingo.slingolotterychallenge) application for Android CVE-2014-5702 (The Penguin Run (aka com.skyboard.google.penguinRun) application 1.1 f ...) NOT-FOR-US: Penguin Run (aka com.skyboard.google.penguinRun) application for Android CVE-2014-5701 (The Skout: Chats. Friends. Fun. (aka com.skout.android) application 4. ...) NOT-FOR-US: Skout: Chats. Friends. Fun. (aka com.skout.android) application for Android CVE-2014-5700 (The Brain lab - brain age games IQ (aka com.sixdead.brainlab) applicat ...) NOT-FOR-US: Brain lab - brain age games IQ (aka com.sixdead.brainlab) application for Android CVE-2014-5699 (The Parallel Kingdom MMO (aka com.silvermoon.client) application @7F07 ...) NOT-FOR-US: Parallel Kingdom MMO (aka com.silvermoon.client) application for Android CVE-2014-5698 (The Furdiburb (aka com.sheado.lite.pet) application 1.1.2 for Android ...) NOT-FOR-US: Furdiburb (aka com.sheado.lite.pet) application for Android CVE-2014-5697 (The Dress Up! Girl Party (aka com.sgn.DressUp.GirlParty) application 2 ...) NOT-FOR-US: Dress Up! Girl Party (aka com.sgn.DressUp.GirlParty) application for Android CVE-2014-5696 (The Sonic 4 Episode II LITE (aka com.sega.sonic4ep2lite) application 2 ...) NOT-FOR-US: Sonic 4 Episode II LITE (aka com.sega.sonic4ep2lite) application for Android CVE-2014-5695 (The Hello Kitty Cafe (aka com.sd.google.helloKittyCafe) application 1. ...) NOT-FOR-US: Hello Kitty Cafe (aka com.sd.google.helloKittyCafe) application for Android CVE-2014-5694 (The Scoutmob local deals & events (aka com.scoutmob.ile) applicati ...) NOT-FOR-US: Scoutmob local deals & events (aka com.scoutmob.ile) application for Android CVE-2014-5693 (The Slots Vacation - FREE Slots (aka com.scopely.slotsvacation) applic ...) NOT-FOR-US: Slots Vacation - FREE Slots (aka com.scopely.slotsvacation) application for Android CVE-2014-5692 (The Safeway (aka com.safeway.client.android.safeway) application 4.1.0 ...) NOT-FOR-US: Safeway (aka com.safeway.client.android.safeway) application for Android CVE-2014-5691 (The Best Phone Security (aka com.rvappstudios.phonesecurity) applicati ...) NOT-FOR-US: Best Phone Security (aka com.rvappstudios.phonesecurity) application for Android CVE-2014-5690 (The Runtastic Timer (aka com.runtastic.android.timer) application 1.0. ...) NOT-FOR-US: Runtastic Timer (aka com.runtastic.android.timer) application for Android CVE-2014-5689 (The Runtastic Road Bike (aka com.runtastic.android.roadbike.lite) appl ...) NOT-FOR-US: Runtastic Road Bike (aka com.runtastic.android.roadbike.lite) application for Android CVE-2014-5688 (The Runtastic Pedometer (aka com.runtastic.android.pedometer.lite) app ...) NOT-FOR-US: Runtastic Pedometer (aka com.runtastic.android.pedometer.lite) application for Android CVE-2014-5687 (The Runtastic Mountain Bike (aka com.runtastic.android.mountainbike.li ...) NOT-FOR-US: Runtastic Mountain Bike (aka com.runtastic.android.mountainbike.lite) application for Android CVE-2014-5686 (The Runtastic Me (aka com.runtastic.android.me.lite) application 1.0.2 ...) NOT-FOR-US: Runtastic Me (aka com.runtastic.android.me.lite) application for Android CVE-2014-5685 (The Runtastic Heart Rate (aka com.runtastic.android.heartrate.lite) ap ...) NOT-FOR-US: Runtastic Heart Rate (aka com.runtastic.android.heartrate.lite) application for Android CVE-2014-5684 (The Runtastic Running & Fitness (aka com.runtastic.android) applic ...) NOT-FOR-US: Runtastic Running & Fitness (aka com.runtastic.android) application for Android CVE-2014-5683 (The Piano Teacher (aka com.rubycell.pianisthd) application 20140730 fo ...) NOT-FOR-US: Piano Teacher (aka com.rubycell.pianisthd) application for Android CVE-2014-5682 (The Retale - Weekly Ads & Deals (aka com.retale.android) applicati ...) NOT-FOR-US: Retale - Weekly Ads & Deals (aka com.retale.android) application for Android CVE-2014-5681 (The XDA-Developers (aka com.quoord.tapatalkxda.activity) application 3 ...) NOT-FOR-US: XDA-Developers (aka com.quoord.tapatalkxda.activity) application for Android CVE-2014-5680 (The Tapatalk (aka com.quoord.tapatalkpro.activity) application 4.8.0 f ...) NOT-FOR-US: Tapatalk (aka com.quoord.tapatalkpro.activity) application for Android CVE-2014-5679 (The PopU 2: Get Likes on Instagram (aka com.popuapp.popu) application ...) NOT-FOR-US: PopU 2: Get Likes on Instagram (aka com.popuapp.popu) application for Android CVE-2014-5678 (The IQ Test (aka com.pophub.androidiqtest.free) application 3.3 for An ...) NOT-FOR-US: IQ Test (aka com.pophub.androidiqtest.free) application for Android CVE-2014-5677 (The Point Inside Shopping & Travel (aka com.pointinside.android.ap ...) NOT-FOR-US: Point Inside Shopping & Travel (aka com.pointinside.android.app) application for Android CVE-2014-5676 (The Township (aka com.playrix.township) application 1.5.1 for Android ...) NOT-FOR-US: Township (aka com.playrix.township) application for Android CVE-2014-5675 (The Phonegram - Instagram Download (aka com.pinssible.padgram) applica ...) NOT-FOR-US: Phonegram - Instagram Download (aka com.pinssible.padgram) application for Android CVE-2014-5674 (The PicsArt - Photo Studio (aka com.picsart.studio) application 4.5.5 ...) NOT-FOR-US: PicsArt - Photo Studio (aka com.picsart.studio) application for Android CVE-2014-5673 (The Easy Finder & Anti-Theft (aka com.nqmobile.easyfinder) applica ...) NOT-FOR-US: Easy Finder & Anti-Theft (aka com.nqmobile.easyfinder) application for Android CVE-2014-5672 (The NQ Mobile Security & Antivirus (aka com.nqmobile.antivirus20) ...) NOT-FOR-US: NQ Mobile Security & Antivirus (aka com.nqmobile.antivirus20) application for Android CVE-2014-5671 (The Super Stickman Golf (aka com.noodlecake.ssg) application 2.2 for A ...) NOT-FOR-US: Super Stickman Golf (aka com.noodlecake.ssg) application for Android CVE-2014-5670 (The SAS: Zombie Assault 3 (aka com.ninjakiwi.sas3zombieassault) applic ...) NOT-FOR-US: SAS: Zombie Assault 3 (aka com.ninjakiwi.sas3zombieassault) application for Android CVE-2014-5669 (The 9GAG - Funny pics and videos (aka com.ninegag.android.app) applica ...) NOT-FOR-US: 9GAG - Funny pics and videos (aka com.ninegag.android.app) application for Android CVE-2014-5668 (The BAND -Group sharing & planning (aka com.nhn.android.band) appl ...) NOT-FOR-US: BAND -Group sharing & planning (aka com.nhn.android.band) application for Android CVE-2014-5667 (The Vault-Hide SMS, Pics & Videos (aka com.netqin.ps) application ...) NOT-FOR-US: Vault-Hide SMS, Pics & Videos (aka com.netqin.ps) application for Android CVE-2014-5666 (The AVD Download Video (aka com.myboyfriendisageek.videocatcher.demo) ...) NOT-FOR-US: AVD Download Video (aka com.myboyfriendisageek.videocatcher.demo) application for Android CVE-2014-5665 (The Mzone Login (aka com.mr384.MzoneLogin) application 1.2.0 for Andro ...) NOT-FOR-US: Mzone Login (aka com.mr384.MzoneLogin) application for Android CVE-2014-5664 (The Spider Solitaire (aka com.mobilityware.spider) application 3.0.0 f ...) NOT-FOR-US: Spider Solitaire (aka com.mobilityware.spider) application for Android CVE-2014-5663 (The FreeCell Solitaire (aka com.mobilityware.freecell) application 2.1 ...) NOT-FOR-US: FreeCell Solitaire (aka com.mobilityware.freecell) application for Android CVE-2014-5662 (The Rail Rush (aka com.miniclip.railrush) application 1.9.0 for Androi ...) NOT-FOR-US: Rail Rush (aka com.miniclip.railrush) application for Android CVE-2014-5661 (The Anger of Stick 3 (aka com.miniclip.angerofstick3) application 1.0. ...) NOT-FOR-US: Anger of Stick 3 (aka com.miniclip.angerofstick3) application for Android CVE-2014-5660 (The TN Members 1st FCU-RDC (aka com.metova.cuae.tmffcu) application 1. ...) NOT-FOR-US: TN Members 1st FCU-RDC (aka com.metova.cuae.tmffcu) application for Android CVE-2014-5659 (The ASTRO File Manager with Cloud (aka com.metago.astro) application A ...) NOT-FOR-US: ASTRO File Manager with Cloud (aka com.metago.astro) application for Android CVE-2014-5658 (The MercadoLibre (aka com.mercadolibre) application 3.8.7 for Android ...) NOT-FOR-US: MercadoLibre (aka com.mercadolibre) application for Android CVE-2014-5657 (The CA Lottery Results (aka com.matcho0.calotto) application 2.1 for A ...) NOT-FOR-US: CA Lottery Results (aka com.matcho0.calotto) application for Android CVE-2014-5656 (The TRA Auctions for Buyers (aka com.manheim.tra) application 2.6 for ...) NOT-FOR-US: TRA Auctions for Buyers (aka com.manheim.tra) application for Android CVE-2014-5655 (The CM Browser - Fast & Secure (aka com.ksmobile.cb) application 5 ...) NOT-FOR-US: CM Browser - Fast & Secure (aka com.ksmobile.cb) application for Android CVE-2014-5654 (The Kaspersky Internet Security (aka com.kms.free) application 11.4.4. ...) NOT-FOR-US: Kaspersky Internet Security (aka com.kms.free) application for Android CVE-2014-5653 (The Unblock Me FREE (aka com.kiragames.unblockmefree) application 1.4. ...) NOT-FOR-US: Unblock Me FREE (aka com.kiragames.unblockmefree) application for Android CVE-2014-5652 (The Kicksend Photo Prints (aka com.kicksend.android.print) application ...) NOT-FOR-US: Kicksend Photo Prints (aka com.kicksend.android.print) application for Android CVE-2014-5651 (The Kicksend: Share & Print Photos (aka com.kicksend.android) appl ...) NOT-FOR-US: Kicksend: Share & Print Photos (aka com.kicksend.android) application for Android CVE-2014-5650 (The Traffic Jam Free (aka com.jiuzhangtech.rushhour) application 1.7.7 ...) NOT-FOR-US: Traffic Jam Free (aka com.jiuzhangtech.rushhour) application for Android CVE-2014-5649 (The iLove - Free Dating & Chat App (aka com.jestadigital.android.i ...) NOT-FOR-US: iLove - Free Dating & Chat App (aka com.jestadigital.android.ilove) application for Android CVE-2014-5648 (The Chat, Flirt & Dating Heart JAUMO (aka com.jaumo) application 2 ...) NOT-FOR-US: Chat, Flirt & Dating Heart JAUMO (aka com.jaumo) application for Android CVE-2014-5647 (The ISL Light Remote Desktop (aka com.islonline.isllight.mobile.androi ...) NOT-FOR-US: ISL Light Remote Desktop (aka com.islonline.isllight.mobile.android) application for Android CVE-2014-5646 (The AMC Security- Antivirus, Clean (aka com.iobit.mobilecare) applicat ...) NOT-FOR-US: AMC Security- Antivirus, Clean (aka com.iobit.mobilecare) application for Android CVE-2014-5645 (The CamScanner -Phone PDF Creator (aka com.intsig.camscanner) applicat ...) NOT-FOR-US: CamScanner -Phone PDF Creator (aka com.intsig.camscanner) application for Android CVE-2014-5644 (The Brightest LED Flashlight (aka com.intellectualflame.ledflashlight. ...) NOT-FOR-US: Brightest LED Flashlight (aka com.intellectualflame.ledflashlight.washer) application for Android CVE-2014-5643 (The Instachat -Instagram Messenger (aka com.instachat.android) applica ...) NOT-FOR-US: Instachat -Instagram Messenger (aka com.instachat.android) application for Android CVE-2014-5642 (The IMPI Mobile Security (aka com.impi) application 2.1.0 for Android ...) NOT-FOR-US: IMPI Mobile Security (aka com.impi) application for Android CVE-2014-5641 (The Cloud Manager (aka com.ileaf.cloud_manager) application 1.6 for An ...) NOT-FOR-US: Cloud Manager (aka com.ileaf.cloud_manager) application for Android CVE-2014-5640 (The CM Backup -Restore,Cloud,Photo (aka com.ijinshan.kbackup) applicat ...) NOT-FOR-US: CM Backup -Restore,Cloud,Photo (aka com.ijinshan.kbackup) application for Android CVE-2014-5639 (The ADT Taxis (aka com.icabbi.adttaxisApp) application 6 for Android d ...) NOT-FOR-US: ADT Taxis (aka com.icabbi.adttaxisApp) application for Android CVE-2014-5638 (The Huntington Mobile (aka com.huntington.m) application 2.1.222 for A ...) NOT-FOR-US: Huntington Mobile (aka com.huntington.m) application for Android CVE-2014-5637 (The Eu Sei (aka com.guilardi.eusei) application eusei_android_5.5 for ...) NOT-FOR-US: Eu Sei (aka com.guilardi.eusei) application for Android CVE-2014-5636 (The Cloud Browser (aka com.granitamalta.cloudbrowser) application 2.2. ...) NOT-FOR-US: Cloud Browser (aka com.granitamalta.cloudbrowser) application for Android CVE-2014-5635 (The Buy Yorkshire Conference (aka com.gotfocus.buyyorkshire) applicati ...) NOT-FOR-US: Buy Yorkshire Conference (aka com.gotfocus.buyyorkshire) application for Android CVE-2014-5634 (The Madipass Martinique (aka com.goodbarber.madipassmartinique) applic ...) NOT-FOR-US: Madipass Martinique (aka com.goodbarber.madipassmartinique) application for Android CVE-2014-5633 (The Kiss Kiss Office (aka com.girlsgames123.kisskissoffice) applicatio ...) NOT-FOR-US: Kiss Kiss Office (aka com.girlsgames123.kisskissoffice) application for Android CVE-2014-5632 (The Mega Jump (aka com.getsetgames.megajump) application @7F080002 for ...) NOT-FOR-US: Mega Jump (aka com.getsetgames.megajump) application for Android CVE-2014-5631 (The Video Poker Casino (aka com.geaxgame.videopoker) application 1.0.5 ...) NOT-FOR-US: Video Poker Casino (aka com.geaxgame.videopoker) application for Android CVE-2014-5630 (The Home Repair (aka com.gcspublishing.houserepairtalk) application 3. ...) NOT-FOR-US: Home Repair (aka com.gcspublishing.houserepairtalk) application for Android CVE-2014-5629 (The Stupid Zombies (aka com.gameresort.stupidzombies) application 1.12 ...) NOT-FOR-US: Stupid Zombies (aka com.gameresort.stupidzombies) application for Android CVE-2014-5628 (The Wonder Zoo - Animal rescue ! (aka com.gameloft.android.ANMP.GloftZ ...) NOT-FOR-US: Wonder Zoo - Animal rescue ! (aka com.gameloft.android.ANMP.GloftZRHM) application for Android CVE-2014-5627 (The Ice Age Village (aka com.gameloft.android.ANMP.GloftIAHM) applicat ...) NOT-FOR-US: Ice Age Village (aka com.gameloft.android.ANMP.GloftIAHM) application for Android CVE-2014-5626 (The Brothers In Arms 2 Free+ (aka com.gameloft.android.ANMP.GloftB2HM) ...) NOT-FOR-US: Brothers In Arms 2 Free+ (aka com.gameloft.android.ANMP.GloftB2HM) application for Android CVE-2014-5625 (The Perfect Kick (aka com.gamegou.PerfectKick.google) application 1.3. ...) NOT-FOR-US: Perfect Kick (aka com.gamegou.PerfectKick.google) application for Android CVE-2014-5624 (The Sniper Shooter Free - Fun Game (aka com.fungamesforfree.snipershoo ...) NOT-FOR-US: Sniper Shooter Free - Fun Game (aka com.fungamesforfree.snipershooter.free) application for Android CVE-2014-5623 (The penguinchefshop (aka com.freegames.penguinchefshop) application 1. ...) NOT-FOR-US: penguinchefshop (aka com.freegames.penguinchefshop) application for Android CVE-2014-5622 (The Follow Mania for Instagram (aka com.followmania) application 1.2.1 ...) NOT-FOR-US: Follow Mania for Instagram (aka com.followmania) application for Android CVE-2014-5621 (The Office Zombie (aka com.fluik.OfficeZombieGoogleFree) application 1 ...) NOT-FOR-US: Office Zombie (aka com.fluik.OfficeZombieGoogleFree) application for Android CVE-2014-5620 (The Office Jerk Free (aka com.fluik.OfficeJerkFree) application 1.7.13 ...) NOT-FOR-US: Office Jerk Free (aka com.fluik.OfficeJerkFree) application for Android CVE-2014-5619 REJECTED CVE-2014-5618 (The Cartoon Camera (aka com.fingersoft.cartooncamera) application 1.2. ...) NOT-FOR-US: Cartoon Camera (aka com.fingersoft.cartooncamera) application for Android CVE-2014-5617 (The Exsoul Web Browser (aka com.exsoul) application 3.3.3 for Android ...) NOT-FOR-US: Exsoul Web Browser (aka com.exsoul) application for Android CVE-2014-5616 (The Web Browser & Explorer (aka com.explore.web.browser) applicati ...) NOT-FOR-US: Web Browser & Explorer (aka com.explore.web.browser) application for Android CVE-2014-5615 (The Snap Secure (aka com.exclaim.snapsecure.app) application 9.5 for A ...) NOT-FOR-US: Snap Secure (aka com.exclaim.snapsecure.app) application for Android CVE-2014-5614 (The Love Collage - Photo Editor (aka com.etoolkit.lovecollage) applica ...) NOT-FOR-US: Love Collage - Photo Editor (aka com.etoolkit.lovecollage) application for Android CVE-2014-5613 (The Able Remote (aka com.entertailion.android.remote) application 2.3. ...) NOT-FOR-US: Able Remote (aka com.entertailion.android.remote) application for Android CVE-2014-5612 (The Gmarket (aka com.ebay.kr.gmarket) application 5.1.3 for Android do ...) NOT-FOR-US: Gmarket (aka com.ebay.kr.gmarket) application for Android CVE-2014-5611 (The eBay Kleinanzeigen for Germany (aka com.ebay.kleinanzeigen) applic ...) NOT-FOR-US: eBay Kleinanzeigen for Germany (aka com.ebay.kleinanzeigen) application for Android CVE-2014-5610 (The ce4arab market (aka com.dreamstep.wce4arabmarket) application 0.12 ...) NOT-FOR-US: ce4arab market (aka com.dreamstep.wce4arabmarket) application for Android CVE-2014-5609 (The Stickman Ski Racer (aka com.djinnworks.StickmanSkiRacer.free) appl ...) NOT-FOR-US: Stickman Ski Racer (aka com.djinnworks.StickmanSkiRacer.free) application for Android CVE-2014-5608 (The Line Runner (Free) (aka com.djinnworks.linerunnerfree) application ...) NOT-FOR-US: Line Runner (Free) (aka com.djinnworks.linerunnerfree) application for Android CVE-2014-5607 (The Where's My Water? Free (aka com.disney.WMWLite) application 1.9.1 ...) NOT-FOR-US: Where's My Water? Free (aka com.disney.WMWLite) application for Android CVE-2014-5606 (The Where's My Perry? Free (aka com.disney.WMPLite) application 1.5.1 ...) NOT-FOR-US: Where's My Perry? Free (aka com.disney.WMPLite) application for Android CVE-2014-5605 (The QQ Copy (aka com.digimobistudio.qqcopy) application 1 for Android ...) NOT-FOR-US: QQ Copy (aka com.digimobistudio.qqcopy) application for Android CVE-2014-5604 (The Akinator the Genie FREE (aka com.digidust.elokence.akinator.freemi ...) NOT-FOR-US: Akinator the Genie FREE (aka com.digidust.elokence.akinator.freemium) application for Android CVE-2014-5603 (The DeskRoll Remote Desktop (aka com.deskroll.client1) application 0.6 ...) NOT-FOR-US: DeskRoll Remote Desktop (aka com.deskroll.client1) application for Android CVE-2014-5602 (The Magzter -Magazine & Book Store (aka com.dci.magzter) applicati ...) NOT-FOR-US: Magzter -Magazine & Book Store (aka com.dci.magzter) application for Android CVE-2014-5601 (The 1800CONTACTS App (aka com.contacts1800.ecomapp) application 2.7.0 ...) NOT-FOR-US: 1800CONTACTS App (aka com.contacts1800.ecomapp) application for Android CVE-2014-5600 (The familyconnect (aka com.comcast.plaxo.familyconnect.app) applicatio ...) NOT-FOR-US: familyconnect (aka com.comcast.plaxo.familyconnect.app) application for Android CVE-2014-5599 (The Tiny Farm (aka com.com2us.tinyfarm.normal.freefull.google.global.a ...) NOT-FOR-US: Tiny Farm (aka com.com2us.tinyfarm.normal.freefull.google.global.android.common) application for Android CVE-2014-5598 (The Puzzle Family (aka com.com2us.puzzlefamily.up.freefull.google.glob ...) NOT-FOR-US: Puzzle Family (aka com.com2us.puzzlefamily.up.freefull.google.global.android.common) application for Android CVE-2014-5597 (The 9 Innings: 2014 Pro Baseball (aka com.com2us.nipb2013.normal.freef ...) NOT-FOR-US: 9 Innings: 2014 Pro Baseball (aka com.com2us.nipb2013.normal.freefull.google.global.android.common) application for Android CVE-2014-5596 (The Homerun Battle 2 (aka com.com2us.homerunbattle2.normal.freefull.go ...) NOT-FOR-US: Homerun Battle 2 (aka com.com2us.homerunbattle2.normal.freefull.google.global.android.common) application for Android CVE-2014-5595 (The actionpuzzlefamily for Kakao (aka com.com2us.actionpuzzlefamily.ka ...) NOT-FOR-US: actionpuzzlefamily for Kakao (aka com.com2us.actionpuzzlefamily.kakao.freefull.google.global.android.common) application for Android CVE-2014-5594 (The CIBC Mobile Banking (aka com.cibc.android.mobi) application 3.2 fo ...) NOT-FOR-US: CIBC Mobile Banking (aka com.cibc.android.mobi) application for Android CVE-2014-5593 (The Christian Dating Cafe (aka com.christiancafe.mobile.android) appli ...) NOT-FOR-US: Christian Dating Cafe (aka com.christiancafe.mobile.android) application for Android CVE-2014-5592 (The Free Dating Heart COL (aka com.choiceoflove.dating) application 2. ...) NOT-FOR-US: Free Dating Heart COL (aka com.choiceoflove.dating) application for Android CVE-2014-5591 (The Frankly Chat (aka com.chatfrankly.android) application 3.0.1 for A ...) NOT-FOR-US: Frankly Chat (aka com.chatfrankly.android) application for Android CVE-2014-5590 (The Snake Evolution (aka com.btwgames.snake) application 1.3.1 for And ...) NOT-FOR-US: Snake Evolution (aka com.btwgames.snake) application for Android CVE-2014-5589 (The Now Browser (Material) (aka com.browser.nowbasic) 2.8.1 applicatio ...) NOT-FOR-US: Now Browser (Material) (aka com.browser.nowbasic) 2.8.1 application for Android CVE-2014-5588 (The Free eBooks (aka com.bmfapps.freekindlebooks) application 14 for A ...) NOT-FOR-US: Free eBooks (aka com.bmfapps.freekindlebooks) application for Android CVE-2014-5587 (The brokenscreencrank (aka com.biggame.brokenscreencrank) application ...) NOT-FOR-US: brokenscreencrank (aka com.biggame.brokenscreencrank) application for Android CVE-2014-5586 (The BIATNET (aka com.biatnet.mobile) application 1.1 for Android does ...) NOT-FOR-US: BIATNET (aka com.biatnet.mobile) application for Android CVE-2014-5585 (The Like4Like: Get Instagram Likes (aka com.bepop.bepop) application 2 ...) NOT-FOR-US: Like4Like: Get Instagram Likes (aka com.bepop.bepop) application for Android CVE-2014-5584 (The Background Check BeenVerified (aka com.beenverified.android) appli ...) NOT-FOR-US: Background Check BeenVerified (aka com.beenverified.android) application for Android CVE-2014-5583 (The Most Popular Ringtones (aka com.bbs.mostpopularringtones) applicat ...) NOT-FOR-US: Most Popular Ringtones (aka com.bbs.mostpopularringtones) application for Android CVE-2014-5582 (The Ingress Intel Helper (aka com.bb.ingressintel) application 1.2 for ...) NOT-FOR-US: Ingress Intel Helper (aka com.bb.ingressintel) application for Android CVE-2014-5581 (The mirror photo shape (aka com.baiwang.styleinstamirror) application ...) NOT-FOR-US: mirror photo shape (aka com.baiwang.styleinstamirror) application for Android CVE-2014-5580 (The BackgroundCheckProTool (aka com.BackgroundCheckProTool) applicatio ...) NOT-FOR-US: BackgroundCheckProTool (aka com.BackgroundCheckProTool) application for Android CVE-2014-5579 (The Anywhere Pad-Meet, Collaborate (aka com.azeus.anywherepad) applica ...) NOT-FOR-US: Anywhere Pad-Meet, Collaborate (aka com.azeus.anywherepad) application for Android CVE-2014-5578 (The Trading 212 FOREX (aka com.avuscapital.trading212) application bef ...) NOT-FOR-US: Trading 212 FOREX (aka com.avuscapital.trading212) application for Android CVE-2014-5577 (The AVON Buy & Sell (aka com.AVONBeautyntheRep) application 0.3 fo ...) NOT-FOR-US: AVON Buy & Sell (aka com.AVONBeautyntheRep) application for Android CVE-2014-5576 (The Avira Secure Backup (aka com.avira.avirabackup) application 1.2.3 ...) NOT-FOR-US: Avira Secure Backup (aka com.avira.avirabackup) application for Android CVE-2014-5575 REJECTED CVE-2014-5574 (The Ask.fm - Social Q&A Network (aka com.askfm) application 1.2.4 ...) NOT-FOR-US: Ask.fm - Social Q&A Network (aka com.askfm) application for Android CVE-2014-5573 (The Appstros - FREE Gift Cards! (aka com.appstros.main) application 1. ...) NOT-FOR-US: Appstros - FREE Gift Cards! (aka com.appstros.main) application for Android CVE-2014-5572 (The Jazzpodium De Tor (aka com.appmakr.app273713) application 206160 f ...) NOT-FOR-US: Jazzpodium De Tor (aka com.appmakr.app273713) application for Android CVE-2014-5571 (The Appeak Poker (aka com.appeak.poker) application 2.4.5 for Android ...) NOT-FOR-US: Appeak Poker (aka com.appeak.poker) application for Android CVE-2014-5570 (The DailyFinance - Stocks & News (aka com.aol.mobile.dailyFinance) ...) NOT-FOR-US: DailyFinance - Stocks & News (aka com.aol.mobile.dailyFinance) application for Android CVE-2014-5569 (The Star Girl (aka com.animoca.google.starGirl) application 3.4.1 for ...) NOT-FOR-US: Star Girl (aka com.animoca.google.starGirl) application for Android CVE-2014-5568 (The Las Vegas Lottery Scratch Off (aka com.androkera.lottery) applicat ...) NOT-FOR-US: Las Vegas Lottery Scratch Off (aka com.androkera.lottery) application for Android CVE-2014-5567 (The hasb_e_haal (aka com.anawaz.hasb_e_haal) application 1.0.9 for And ...) NOT-FOR-US: hasb_e_haal (aka com.anawaz.hasb_e_haal) application for Android CVE-2014-5566 (The Selfshot - Front Flash Camera (aka com.americos.selfshot) applicat ...) NOT-FOR-US: Selfshot - Front Flash Camera (aka com.americos.selfshot) application for Android CVE-2014-5565 (The GadgetTrak Mobile Security (aka com.activetrak.android.app) applic ...) NOT-FOR-US: GadgetTrak Mobile Security (aka com.activetrak.android.app) application for Android CVE-2014-5564 (The Angry Gran Toss (aka com.aceviral.angrygrantoss) application 1.1.1 ...) NOT-FOR-US: Angry Gran Toss (aka com.aceviral.angrygrantoss) application for Android CVE-2014-5563 (The Show do Milhao 2014 (aka br.com.lgrmobile.sdm) application 1.4.6 f ...) NOT-FOR-US: Show do Milhao 2014 (aka br.com.lgrmobile.sdm) application for Android CVE-2014-5562 (The Coles Credit Card App (aka au.com.colesfinancialservices.mobile) a ...) NOT-FOR-US: Coles Credit Card App (aka au.com.colesfinancialservices.mobile) application for Android CVE-2014-5561 (The Word Search Free (aka air.wordSearchFree) application 4.9 for Andr ...) NOT-FOR-US: Word Search Free (aka air.wordSearchFree) application for Android CVE-2014-5560 (The Popscene (Music Industry Sim) (aka air.Popscene) application 1.04 ...) NOT-FOR-US: Popscene (Music Industry Sim) (aka air.Popscene) application for Android CVE-2014-5559 (The Kids GoldFish Care (aka air.josiane.sauveterre.kidsgoldfishcare) a ...) NOT-FOR-US: Kids GoldFish Care (aka air.josiane.sauveterre.kidsgoldfishcare) application for Android CVE-2014-5558 (The Hard Time (Prison Sim) (aka air.HardTime) application 1.111 for An ...) NOT-FOR-US: Hard Time (Prison Sim) (aka air.HardTime) application for Android CVE-2014-5557 (The America's Economy for Phone (aka air.gov.census.mobile.phone.ameri ...) NOT-FOR-US: America's Economy for Phone (aka air.gov.census.mobile.phone.americaseconomy) application for Android CVE-2014-5556 (The Fly Fishing & Fly Tying (aka air.com.yudu.ReaderAIR3209899) ap ...) NOT-FOR-US: Fly Fishing & Fly Tying (aka air.com.yudu.ReaderAIR3209899) application for Android CVE-2014-5555 (The Counting & Addition Kids Games (aka air.com.tribalnova.ilearnw ...) NOT-FOR-US: Counting & Addition Kids Games (aka air.com.tribalnova.ilearnwith.ipad.PokoAddEn) application for Android CVE-2014-5554 (The Fun Preschool Creativity Game (aka air.com.tribalnova.ilearnwith.i ...) NOT-FOR-US: Fun Preschool Creativity Game (aka air.com.tribalnova.ilearnwith.ipad.MotherAppEn) application for Android CVE-2014-5553 (The Kids Preschool Learning Games (aka air.com.tribalnova.ilearnwith.i ...) NOT-FOR-US: Kids Preschool Learning Games (aka air.com.tribalnova.ilearnwith.ipad.App3En) application for Android CVE-2014-5552 (The Numbers & Addition! Math games (aka air.com.tribalnova.ilearnw ...) NOT-FOR-US: Numbers & Addition! Math games (aka air.com.tribalnova.ilearnwith.ipad.App2En) application for Android CVE-2014-5551 (The Alphabet & Spelling Kids Games (aka air.com.tribalnova.ilearnw ...) NOT-FOR-US: Alphabet & Spelling Kids Games (aka air.com.tribalnova.ilearnwith.ipad.App1En) application for Android CVE-2014-5550 (The Animals! Kids Preschool Games (aka air.com.tribalnova.Animals) app ...) NOT-FOR-US: Animals! Kids Preschool Games (aka air.com.tribalnova.Animals) application for Android CVE-2014-5549 (The Puppy Slots (aka air.com.starluxstudios.PuppySlotsFree) applicatio ...) NOT-FOR-US: Puppy Slots (aka air.com.starluxstudios.PuppySlotsFree) application for Android CVE-2014-5548 (The Christmas Words (aka air.com.sevenBulls.summerWords) application 1 ...) NOT-FOR-US: Christmas Words (aka air.com.sevenBulls.summerWords) application for Android CVE-2014-5547 (The Mahjong Galaxy Space Lite (aka air.com.permadi.mahjongIris) applic ...) NOT-FOR-US: Mahjong Galaxy Space Lite (aka air.com.permadi.mahjongIris) application for Android CVE-2014-5546 (The Africa Memory (aka air.com.klon4enabor4e.AfricaMemory) application ...) NOT-FOR-US: Africa Memory (aka air.com.klon4enabor4e.AfricaMemory) application for Android CVE-2014-5545 (The Sprint jump (aka air.com.ilaz.appilas) application 1 for Android d ...) NOT-FOR-US: Sprint jump (aka air.com.ilaz.appilas) application for Android CVE-2014-5544 (The SongPop (aka air.com.freshplanet.games.WaM) application 1.21.2 for ...) NOT-FOR-US: SongPop (aka air.com.freshplanet.games.WaM) application for Android CVE-2014-5543 (The Hidden Object - Alice Free (aka air.com.differencegames.hovisionso ...) NOT-FOR-US: Hidden Object - Alice Free (aka air.com.differencegames.hovisionsofalicefree) application for Android CVE-2014-5542 (The Hidden Object Mystery (aka air.com.differencegames.hodetectivemyst ...) NOT-FOR-US: Hidden Object Mystery (aka air.com.differencegames.hodetectivemysteryfree) application for Android CVE-2014-5541 (The Hidden Memory - Aladdin FREE! (aka air.com.differencegames.hmaladd ...) NOT-FOR-US: Hidden Memory - Aladdin FREE! (aka air.com.differencegames.hmaladdinfree) application for Android CVE-2014-5540 (The Flick a Trade (aka air.com.cygnecode.fat) application 3.3 for Andr ...) NOT-FOR-US: Flick a Trade (aka air.com.cygnecode.fat) application for Android CVE-2014-5539 (The Michael Baker FCU (aka air.com.creditunionhomebanking.mb155) appli ...) NOT-FOR-US: Michael Baker FCU (aka air.com.creditunionhomebanking.mb155) application for Android CVE-2014-5538 (The Westmoreland Water FCU (aka air.com.creditunionhomebanking.mb115) ...) NOT-FOR-US: Westmoreland Water FCU (aka air.com.creditunionhomebanking.mb115) application for Android CVE-2014-5537 (The Abduction Stacker Free (aka air.com.chewygames.abductionstacker2) ...) NOT-FOR-US: Abduction Stacker Free (aka air.com.chewygames.abductionstacker2) application for Android CVE-2014-5536 (The Bingo Bash - Free Bingo Casino (aka air.com.bitrhymes.bingo) appli ...) NOT-FOR-US: Bingo Bash - Free Bingo Casino (aka air.com.bitrhymes.bingo) application for Android CVE-2014-5535 (The Baby Get Up - Kids Care (aka air.brown.jordansa.getup) application ...) NOT-FOR-US: Baby Get Up - Kids Care (aka air.brown.jordansa.getup) application for Android CVE-2014-5534 (The Princess Shopping (aka air.android.PrincessShopping) application 2 ...) NOT-FOR-US: Princess Shopping (aka air.android.PrincessShopping) application for Android CVE-2014-5533 REJECTED CVE-2014-5532 (The Honolulu (aka adidas.jp.android.running.honolulu) application 2 fo ...) NOT-FOR-US: Honolulu (aka adidas.jp.android.running.honolulu) application for Android CVE-2014-5531 (The Abode (aka abode.webview) application 1.7 for Android does not ver ...) NOT-FOR-US: Abode (aka abode.webview) application for Android CVE-2014-5530 REJECTED CVE-2014-5529 (The Gameloft library for Android does not verify X.509 certificates fr ...) NOT-FOR-US: Gameloft library for Android CVE-2014-5528 (The Appsflyer library for Android does not verify X.509 certificates f ...) NOT-FOR-US: Appsflyer library for Android CVE-2014-5527 (The Tapjoy library for Android does not verify X.509 certificates from ...) NOT-FOR-US: Tapjoy library for Android CVE-2014-5526 (The Inmobi library for Android does not verify X.509 certificates from ...) NOT-FOR-US: Inmobi library for Android CVE-2014-5525 (The MoMinis library for Android does not verify X.509 certificates fro ...) NOT-FOR-US: MoMinis library for Android CVE-2014-5524 (The Adcolony library for Android does not verify X.509 certificates fr ...) NOT-FOR-US: Adcolony library for Android CVE-2014-5523 REJECTED CVE-2014-5522 REJECTED CVE-2014-5521 (plugins/useradmin/fingeruser.php in XRMS CRM, possibly 1.99.2, allows ...) NOT-FOR-US: XRMS CRM CVE-2014-5520 (SQL injection vulnerability in XRMS CRM, possibly 1.99.2, allows remot ...) NOT-FOR-US: XRMS CRM CVE-2014-5518 RESERVED CVE-2014-5517 RESERVED CVE-2014-5516 (Cross-site request forgery (CSRF) vulnerability in the Storefront Appl ...) NOT-FOR-US: KonaKart CVE-2014-5515 RESERVED - ntopng 1.2.1+dfsg1-1 (bug #760990) CVE-2014-5514 RESERVED - ntopng 1.2.1+dfsg1-1 (bug #760990) CVE-2014-5513 RESERVED - ntopng 1.2.1+dfsg1-1 (bug #760990) CVE-2014-5512 RESERVED - ntopng 1.2.1+dfsg1-1 (bug #760990) CVE-2014-5511 RESERVED - ntopng 1.2.1+dfsg1-1 (bug #760990) CVE-2014-5510 RESERVED CVE-2014-5508 (Multiple integer overflows in the HelpServ module (mod-helpserv.c) in ...) NOT-FOR-US: srvx (irc services) CVE-2014-5507 (iBackup 10.0.0.32 and earlier uses weak permissions (Everyone: Full Co ...) NOT-FOR-US: iBackup CVE-2014-5506 (Double free vulnerability in SAP Crystal Reports allows remote attacke ...) NOT-FOR-US: SAP Crystal Reports CVE-2014-5505 (Stack-based buffer overflow in SAP Crystal Reports allows remote attac ...) NOT-FOR-US: SAP Crystal Reports CVE-2014-5504 (SolarWinds Log and Event Manager before 6.0 uses "static" credentials, ...) NOT-FOR-US: SolarWinds CVE-2014-5503 (SQL injection vulnerability in the Guest Login Portal in the Sophos Cy ...) NOT-FOR-US: Sophos Cyberoam CyberoamOS CVE-2014-5502 (The Sophos Cyberoam appliances with CyberoamOS before 10.6.1 GA allows ...) NOT-FOR-US: Sophos Cyberoam CyberoamOS CVE-2014-5501 (Stack-based buffer overflow in the diagnose service in the Sophos Cybe ...) NOT-FOR-US: Sophos Cyberoam CyberoamOS CVE-2014-5500 (Synacor Zimbra Collaboration before 8.0.8 has XSS. ...) NOT-FOR-US: Synacor Zimbra Collaboration CVE-2014-5499 RESERVED CVE-2014-5498 RESERVED CVE-2014-5497 RESERVED CVE-2014-5496 RESERVED CVE-2014-5495 RESERVED CVE-2014-5494 RESERVED CVE-2014-5493 RESERVED CVE-2014-5492 RESERVED CVE-2014-5491 RESERVED CVE-2014-5490 RESERVED CVE-2014-5489 RESERVED CVE-2014-5488 RESERVED CVE-2014-5487 RESERVED CVE-2014-5486 RESERVED CVE-2014-5485 RESERVED CVE-2014-5484 RESERVED CVE-2014-5483 RESERVED CVE-2014-5482 RESERVED CVE-2014-5481 RESERVED CVE-2014-5480 RESERVED CVE-2014-5479 RESERVED CVE-2014-5478 RESERVED CVE-2014-5477 RESERVED CVE-2014-5476 RESERVED CVE-2014-5475 RESERVED CVE-2014-5474 RESERVED CVE-2014-5473 RESERVED CVE-2014-5470 RESERVED CVE-2014-5469 RESERVED CVE-2014-5468 (A File Inclusion vulnerability exists in Railo 4.2.1 and earlier via a ...) NOT-FOR-US: Railo CVE-2014-5467 RESERVED CVE-2014-5466 (Cross-site scripting (XSS) vulnerability in the Dashboard in Splunk We ...) NOT-FOR-US: Splunk CVE-2014-5465 (Directory traversal vulnerability in force-download.php in the Downloa ...) NOT-FOR-US: WordPress plugin Download Shortcode CVE-2014-5463 RESERVED CVE-2014-5462 (Multiple SQL injection vulnerabilities in OpenEMR 4.1.2 (Patch 7) and ...) NOT-FOR-US: OpenEMR CVE-2014-5460 (Unrestricted file upload vulnerability in the Tribulant Slideshow Gall ...) NOT-FOR-US: Tribulant Slideshow Gallery plugin for WordPress CVE-2013-7399 RESERVED CVE-2010-5304 (A NULL pointer dereference flaw was found in the way LibVNCServer befo ...) NOT-FOR-US: RealVNC CVE-2014-6269 (Multiple integer overflows in the http_request_forward_body function i ...) - haproxy 1.5.4-1 [squeeze] - haproxy (Vulnerable code not present) NOTE: http://article.gmane.org/gmane.comp.web.haproxy/17726 NOTE: http://article.gmane.org/gmane.comp.web.haproxy/18097 NOTE: http://git.haproxy.org/?p=haproxy-1.5.git;a=commitdiff;h=b4d05093bc89f71377230228007e69a1434c1a0c CVE-2014-5256 (Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider th ...) - nodejs 0.10.38~dfsg-1 (unimportant; bug #760385) CVE-2014-7402 (The SK encar (aka com.encardirect.app) application @7F050000 for Andro ...) NOT-FOR-US: SK encar (aka com.encardirect.app) application for Android CVE-2013-7402 (Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allo ...) {DSA-3101-1} - c-icap 1:0.3.1-1 NOTE: http://sourceforge.net/p/c-icap/code/1018/ NOTE: http://sourceforge.net/p/c-icap/code/1021 CVE-2013-7401 (The parse_request function in request.c in c-icap 0.2.x allows remote ...) {DSA-3101-1} - c-icap 1:0.3.1-1 NOTE: http://sourceforge.net/p/c-icap/bugs/59/ NOTE: http://sourceforge.net/p/c-icap/code/1018/ CVE-2014-6070 (Multiple cross-site scripting (XSS) vulnerabilities in Adiscon LogAnal ...) - loganalyzer 3.6.6+dfsg-1 (bug #760372) CVE-2014-6029 (TorrentFlux 2.4 allows remote authenticated users to delete or modify ...) - torrentflux (bug #759573) [wheezy] - torrentflux (Minor issue) [squeeze] - torrentflux (Minor issue) CVE-2014-6028 (TorrentFlux 2.4 allows remote authenticated users to obtain other user ...) - torrentflux (bug #759573) [wheezy] - torrentflux (Minor issue) [squeeze] - torrentflux (Minor issue) CVE-2014-6027 (Multiple cross-site scripting (XSS) vulnerabilities in TorrentFlux 2.4 ...) - torrentflux (bug #759574) [wheezy] - torrentflux (Minor issue) [squeeze] - torrentflux (Minor issue) CVE-2014-6040 (GNU C Library (aka glibc) before 2.20 allows context-dependent attacke ...) {DSA-3142-1 DLA-97-1} - glibc 2.19-12 - eglibc [wheezy] - eglibc (Will be fixed in a point update) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=17325 NOTE: https://sourceware.org/ml/libc-alpha/2014-08/msg00473.html CVE-2014-5519 (The Ploticus module in PhpWiki 1.5.0 allows remote attackers to execut ...) - phpwiki CVE-2014-5509 (clipedit in the Clipboard module for Perl allows local users to delete ...) - libclipboard-perl (Fixed with initial upload to Debian) CVE-2014-5458 (SQL injection vulnerability in sqrl_verify.php in php-sqrl allows remo ...) NOT-FOR-US: php-sqrl CVE-2014-5457 (QNAP TS-469U with firmware 4.0.7 Build 20140410, TS-459U, TS-EC1679U-R ...) NOT-FOR-US: QNAP CVE-2014-5456 (Cross-site scripting (XSS) vulnerability in the Social Stats module be ...) NOT-FOR-US: Drupal Social Stats module CVE-2014-5455 (Unquoted Windows search path vulnerability in the ptservice service pr ...) NOT-FOR-US: PrivateTunnel as bundled in OpenVPN CVE-2014-5454 (Unrestricted file upload vulnerability in the image upload module in S ...) NOT-FOR-US: SAS Visual Analytics CVE-2014-5453 (Ubisoft Uplay PC before 4.6.1.3217 use weak permissions (Everyone: Ful ...) NOT-FOR-US: Ubisoft Uplay PC CVE-2014-5452 (CDA.xsl in HL7 C-CDA 1.1 and earlier does not anticipate the possibili ...) NOT-FOR-US: HL7 C-CDA CVE-2014-5451 (Cross-site scripting (XSS) vulnerability in manager/templates/default/ ...) NOT-FOR-US: MODX Revolution CVE-2014-5446 (Directory traversal vulnerability in the DisplayChartPDF servlet in ZO ...) NOT-FOR-US: ZOHO CVE-2014-5445 (Multiple absolute path traversal vulnerabilities in ZOHO ManageEngine ...) NOT-FOR-US: ZOHO CVE-2014-5444 (Geary before 0.6.3 does not present the user with a warning when a TLS ...) - geary 0.6.3-1 NOTE: Upstream bugreport: https://bugzilla.gnome.org/show_bug.cgi?id=713247 NOTE: Upstream fix: https://git.gnome.org/browse/geary/commit/?h=geary-0.6&id=55f06a7bdcedb7efde6a516bde626ea28793ca7e CVE-2014-5442 RESERVED CVE-2014-5441 (Multiple cross-site scripting (XSS) vulnerabilities in app/views/layou ...) NOT-FOR-US: Fat Free CRM CVE-2014-5440 (SQL injection vulnerability in Login.aspx in MPEX Business Solutions M ...) NOT-FOR-US: MX-SmartTimer CVE-2014-5439 (Multiple Stack-based Buffer Overflow vulnerabilities exists in Sniffit ...) {DLA-713-1} - sniffit 0.3.7.beta-20 (bug #845122) [jessie] - sniffit 0.3.7.beta-17+deb8u1 NOTE: http://hmarco.org/bugs/CVE-2014-5439-sniffit_0.3.7-stack-buffer-overflow.html CVE-2014-5438 (Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT ...) NOT-FOR-US: Arris Touchstone CVE-2014-5437 (Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS To ...) NOT-FOR-US: Arris Touchstone CVE-2014-5436 (A directory traversal vulnerability exists in the confd.exe module in ...) NOT-FOR-US: Honeywell CVE-2014-5435 (An arbitrary memory write vulnerability exists in the dual_onsrv.exe m ...) NOT-FOR-US: Honeywell CVE-2014-5434 (Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX) wi ...) NOT-FOR-US: Baxter SIGMA Spectrum Infusion System CVE-2014-5433 (An unauthenticated remote attacker may be able to execute commands to ...) NOT-FOR-US: Baxter SIGMA Spectrum Infusion System CVE-2014-5432 (Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX) wi ...) NOT-FOR-US: Baxter SIGMA Spectrum Infusion System CVE-2014-5431 (Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX) wi ...) NOT-FOR-US: Baxter SIGMA Spectrum Infusion System CVE-2014-5430 (Untrusted search path vulnerability in ABB RobotStudio 5.6x before 5.6 ...) NOT-FOR-US: ABB RobotStudio CVE-2014-5429 (DNP Master Driver 3.02 and earlier in Elipse SCADA 2.29 build 141 and ...) NOT-FOR-US: Elipse SCADA CVE-2014-5428 (Unrestricted file upload vulnerability in unspecified web services in ...) NOT-FOR-US: Johnson Controls Metasys CVE-2014-5427 (Johnson Controls Metasys 4.1 through 6.5, as used in Application and D ...) NOT-FOR-US: Johnson Controls Metasys CVE-2014-5426 (MatrikonOPC OPC Server for DNP3 1.2.3 and earlier allows remote attack ...) NOT-FOR-US: MatrikonOPC CVE-2014-5425 (IOServer before Beta2112.exe allows remote attackers to cause a denial ...) NOT-FOR-US: IOServer CVE-2014-5424 (Rockwell Automation Connected Components Workbench (CCW) before 7.00.0 ...) NOT-FOR-US: Rockwell Automation Connected Components Workbench CVE-2014-5423 (CareFusion Pyxis SupplyStation 8.1 with hardware test tool before 1.0. ...) NOT-FOR-US: CareFusion CVE-2014-5422 (CareFusion Pyxis SupplyStation 8.1 with hardware test tool before 1.0. ...) NOT-FOR-US: CareFusion CVE-2014-5421 (CareFusion Pyxis SupplyStation 8.1 with hardware test tool 1.0.16 and ...) NOT-FOR-US: CareFusion CVE-2014-5420 (CareFusion Pyxis SupplyStation 8.1 with hardware test tool before 1.0. ...) NOT-FOR-US: CareFusion CVE-2014-5419 (GE Multilink ML800, ML1200, ML1600, and ML2400 switches with firmware ...) NOT-FOR-US: GE Multilink CVE-2014-5418 (GE Multilink ML800, ML1200, ML1600, and ML2400 switches with firmware ...) NOT-FOR-US: GE Multilink CVE-2014-5417 (Cross-site scripting (XSS) vulnerability in Meinberg NTP Server firmwa ...) NOT-FOR-US: Meinberg NTP Server firmware on LANTIME M-Series devices CVE-2014-5416 REJECTED CVE-2014-5415 (Beckhoff Embedded PC images before 2014-10-22 and Automation Device Sp ...) NOT-FOR-US: Beckhoff Embedded PC image CVE-2014-5414 (Beckhoff Embedded PC images before 2014-10-22 and Automation Device Sp ...) NOT-FOR-US: Beckhoff Embedded PC image CVE-2014-5413 (Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 throug ...) NOT-FOR-US: Schneider Electric CVE-2014-5412 (Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 throug ...) NOT-FOR-US: Schneider Electric CVE-2014-5411 (Multiple cross-site scripting (XSS) vulnerabilities in Schneider Elect ...) NOT-FOR-US: Schneider Electric CVE-2014-5410 (The DNP3 feature on Rockwell Automation Allen-Bradley MicroLogix 1400 ...) NOT-FOR-US: MicroLogix controller CVE-2014-5409 (The 17046 Ethernet card before 94450214LFMT100SEM-L.R3-CL for the GE D ...) NOT-FOR-US: GE Digital Energy Hydran CVE-2014-5408 (Cross-site scripting (XSS) vulnerability in the login script in the Wi ...) NOT-FOR-US: Nordex Control 2 CVE-2014-5407 (Multiple stack-based buffer overflows in Schneider Electric VAMPSET 2. ...) NOT-FOR-US: Schneider Electric CVE-2014-5406 (The Hospira LifeCare PCA Infusion System before 7.0 does not validate ...) NOT-FOR-US: Hospira LifeCare CVE-2014-5405 (Hospira MedNet before 6.1 uses a hardcoded cleartext password to contr ...) NOT-FOR-US: Hospira MedNet CVE-2014-5404 REJECTED CVE-2014-5403 (Hospira MedNet before 6.1 uses hardcoded cryptographic keys for protec ...) NOT-FOR-US: Hospira MedNet CVE-2014-5402 REJECTED CVE-2014-5401 (Hospira MedNet software version 5.8 and prior uses vulnerable versions ...) NOT-FOR-US: Hospira CVE-2014-5400 (The installation component in Hospira MedNet before 6.1 places clearte ...) NOT-FOR-US: Hospira MedNet CVE-2014-5399 (SQL injection vulnerability in Schneider Electric Wonderware Informati ...) NOT-FOR-US: Schneider Electric CVE-2014-5398 (Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 ...) NOT-FOR-US: Schneider Electric CVE-2014-5397 (Cross-site scripting (XSS) vulnerability in Schneider Electric Wonderw ...) NOT-FOR-US: Schneider Electric CVE-2014-5396 (The web interface in Schrack Technik microControl with firmware before ...) NOT-FOR-US: Schrack Technik microControl CVE-2014-5395 (Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei H ...) NOT-FOR-US: Huawei Routers CVE-2014-5394 (Multiple Huawei Campus switches allow remote attackers to enumerate us ...) NOT-FOR-US: Huawei CVE-2014-5393 (Directory traversal vulnerability in the JobScheduler Operations Cente ...) NOT-FOR-US: JobScheduler CVE-2014-5392 (XML External Entity (XXE) vulnerability in JobScheduler before 1.6.424 ...) NOT-FOR-US: JobScheduler CVE-2014-5391 (Cross-site scripting (XSS) vulnerability in the JobScheduler Operation ...) NOT-FOR-US: JobScheduler CVE-2014-5390 RESERVED CVE-2014-5389 (SQL injection vulnerability in content-audit-schedule.php in the Conte ...) NOT-FOR-US: WordPress plugin Content Audit CVE-2014-5387 (Multiple SQL injection vulnerabilities in EllisLab ExpressionEngine be ...) NOT-FOR-US: EllisLab ExpressionEngine Core CVE-2014-5386 (The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cp ...) NOT-FOR-US: Facebook HipHop Virtual Machine CVE-2014-5385 (com/salesmanager/central/profile/ProfileAction.java in Shopizer 1.1.5 ...) NOT-FOR-US: Shopizer CVE-2014-5384 (The VIQR module in the iconv implementation in FreeBSD 10.0 before p6 ...) NOT-FOR-US: iconv system library of FreeBSD and NetBSD CVE-2014-5383 (SQL injection vulnerability in AlienVault OSSIM before 4.7.0 allows re ...) NOT-FOR-US: AlienVault OSSIM CVE-2010-5303 (Cross-site scripting (XSS) vulnerability in the displayError function ...) NOT-FOR-US: TimThumb CVE-2010-5302 (Cross-site scripting (XSS) vulnerability in timthumb.php in TimThumb b ...) NOT-FOR-US: TimThumb CVE-2009-5142 (Cross-site scripting (XSS) vulnerability in timthumb.php in TimThumb 1 ...) NOT-FOR-US: TimThumb CVE-2014-5472 (The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the ...) {DLA-103-1} - linux 3.16.2-1 [wheezy] - linux 3.2.63-1 - linux-2.6 NOTE: https://code.google.com/p/google-security-research/issues/detail?id=88 NOTE: https://github.com/torvalds/linux/commit/410dd3cf4c9b36f27ed4542ee18b1af5e68645a4 NOTE: commit contained first in v3.17-rc2 CVE-2014-5471 (Stack consumption vulnerability in the parse_rock_ridge_inode_internal ...) {DLA-103-1} - linux 3.16.2-1 [wheezy] - linux 3.2.63-1 - linux-2.6 NOTE: https://code.google.com/p/google-security-research/issues/detail?id=88 NOTE: https://github.com/torvalds/linux/commit/410dd3cf4c9b36f27ed4542ee18b1af5e68645a4 NOTE: commit contained first in v3.17-rc2 CVE-2014-5464 (Cross-site scripting (XSS) vulnerability in the nDPI traffic classific ...) - ntopng 1.2.1+dfsg1-1 (bug #760990) NOTE: http://seclists.org/fulldisclosure/2014/Aug/65 CVE-2014-5459 (The PEAR_REST class in REST.php in PEAR in PHP through 5.6.0 allows lo ...) - php5 (unimportant; bug #682157; bug #759282) NOTE: Although #682157 and #759282 got closed the issues with unsafe use of NOTE: /tmp are not yet resolved, cf. https://bugs.debian.org/682157#36 NOTE: Neutralised by kernel hardening CVE-2014-5450 (Zarafa Collaboration Platform 4.1 uses world-readable permissions for ...) - zarafa (bug #658433) CVE-2014-5449 (Zarafa WebAccess 4.1 and WebApp uses world-readable permissions for th ...) - zarafa (bug #658433) CVE-2014-5448 (Zarafa 5.00 uses world-readable permissions for the files in the log d ...) - zarafa (bug #658433) CVE-2014-5447 (Zarafa WebAccess 7.1.10 and WebApp 1.6 beta uses weak permissions (644 ...) - zarafa (bug #658433) CVE-2014-5443 (Seafile Server before 3.1.2 and Server Professional Edition before 3.1 ...) - seafile (Fixed before initial upload to the archive) CVE-2014-5388 (Off-by-one error in the pci_read function in the ACPI PCI hotplug inte ...) - qemu 2.1+dfsg-5 [squeeze] - qemu (Introduced in 1.7) [wheezy] - qemu (Introduced in 1.7) - qemu-kvm [squeeze] - qemu-kvm (Introduced in 1.7) [wheezy] - qemu-kvm (Introduced in 1.7) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2014-08/msg03338.html NOTE: Introduced in http://git.qemu.org/?p=qemu.git;a=commit;h=db4728e6fec0364b866d3106125974eedc00e091 CVE-2014-5382 (Multiple cross-site scripting (XSS) vulnerabilities in the web interfa ...) NOT-FOR-US: Schrack Technik microControl CVE-2014-5381 (Grand MA 300 allows a brute-force attack on the PIN. ...) NOT-FOR-US: Grand MA 300 CVE-2014-5380 (Grand MA 300 allows retrieval of the access PIN from sniffed data. ...) NOT-FOR-US: Grand MA 300 CVE-2014-5379 RESERVED CVE-2014-5378 RESERVED CVE-2014-5377 (ReadUsersFromMasterServlet in ManageEngine DeviceExpert before 5.9 bui ...) NOT-FOR-US: ManageEngine DeviceExpert CVE-2014-5376 (Adaptive Computing Moab before 7.2.9 and 8 before 8.0.0, when a pre-ge ...) NOT-FOR-US: Adaptive Computing Moab CVE-2014-5375 (The server in Adaptive Computing Moab before 7.2.9 and 8 before 8.0.0 ...) NOT-FOR-US: Adaptive Computing Moab CVE-2014-5374 RESERVED CVE-2014-5373 RESERVED CVE-2014-5372 RESERVED CVE-2014-5371 RESERVED CVE-2014-5370 (Directory traversal vulnerability in the CFChart servlet (com.naryx.ta ...) NOT-FOR-US: New Atlanta BlueDragon CVE-2014-5369 (Enigmail 1.7.x before 1.7.2 sends emails in plaintext when encryption ...) - enigmail 2:1.7.2-1 [wheezy] - enigmail (Introduced in 1.7) [squeeze] - enigmail (Introduced in 1.7) NOTE: http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/#b315 NOTE: and http://sourceforge.net/p/enigmail/bugs/294/ NOTE: fixed in 1.7.1 and 1.8.0 upstream (not yet released) CVE-2014-5367 REJECTED CVE-2014-5366 RESERVED CVE-2014-5365 RESERVED CVE-2014-5364 RESERVED CVE-2014-5363 RESERVED CVE-2014-5362 (The admin interface in Landesk Management Suite 9.6 and earlier allows ...) NOT-FOR-US: LANDesk Management Suite CVE-2014-5361 (Multiple cross-site request forgery (CSRF) vulnerabilities in Landesk ...) NOT-FOR-US: LANDesk Management Suite CVE-2014-5360 (Cross-site scripting (XSS) vulnerability in the admin interface in LAN ...) NOT-FOR-US: LANDESK Management Suite CVE-2014-5359 (Directory traversal vulnerability in SafeNet Authentication Service (S ...) NOT-FOR-US: SafeNet Authentication Service CVE-2014-5358 RESERVED CVE-2014-5357 RESERVED CVE-2014-5355 (MIT Kerberos 5 (aka krb5) through 1.13.1 incorrectly expects that a kr ...) {DLA-1265-1} - krb5 1.12.1+dfsg-18 (bug #778647) [squeeze] - krb5 (Minor issue) NOTE: Upstream commit: https://github.com/krb5/krb5/commit/102bb6ebf20f9174130c85c3b052ae104e5073ec CVE-2014-5354 (plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in MIT Kerberos 5 (aka ...) - krb5 1.12.1+dfsg-16 (bug #773228) [wheezy] - krb5 (do not expose a way for principal entries to have no long-term key material) [squeeze] - krb5 (do not expose a way for principal entries to have no long-term key material) NOTE: Upstream commit: https://github.com/krb5/krb5/commit/04038bf3633c4b909b5ded3072dc88c8c419bf16 CVE-2014-5353 (The krb5_ldap_get_password_policy_from_dn function in plugins/kdb/ldap ...) {DLA-1265-1} - krb5 1.12.1+dfsg-16 (bug #773226) [squeeze] - krb5 (Minor issue, needs elevated privileges to trigger crash) NOTE: Upstream commit: https://github.com/krb5/krb5/commit/d1f707024f1d0af6e54a18885322d70fa15ec4d3 CVE-2014-5352 (The krb5_gss_process_context_token function in lib/gssapi/krb5/process ...) {DSA-3153-1 DLA-146-1} - krb5 1.12.1+dfsg-17 CVE-2014-5351 (The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal. ...) {DLA-1265-1} - krb5 1.12.1+dfsg-10 (bug #762479) [squeeze] - krb5 (Minor issue) NOTE: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8018 NOTE: Upstream commit: https://github.com/krb5/krb5/commit/af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca CVE-2014-5350 (Multiple directory traversal vulnerabilities in Bitdefender GravityZon ...) NOT-FOR-US: Bitdefender GravityZone CVE-2014-5349 (Stack-based buffer overflow in Baidu Spark Browser 26.5.9999.3511 allo ...) NOT-FOR-US: Baidu Spark Browser CVE-2014-5348 (Cross-site scripting (XSS) vulnerability in apps/zxtm/locallog.cgi in ...) NOT-FOR-US: Riverbed Stingray Traffic Manager Virtual Appliance CVE-2014-5347 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Disq ...) NOT-FOR-US: Disqus Comment System plugin for WordPress CVE-2014-5346 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Disq ...) NOT-FOR-US: Disqus Comment System plugin for WordPress CVE-2014-5345 (Cross-site scripting (XSS) vulnerability in upgrade.php in the Disqus ...) NOT-FOR-US: Disqus Comment System plugin for WordPress CVE-2014-5344 (Multiple cross-site scripting (XSS) vulnerabilities in the Mobiloud (m ...) NOT-FOR-US: Mobiloud (mobiloud-mobile-app-plugin) plugin for WordPress CVE-2014-5343 (Cross-site scripting (XSS) vulnerability in Feng Office allows remote ...) NOT-FOR-US: Feng Office CVE-2014-5342 (Aruba Networks ClearPass before 6.3.5 and 6.4.x before 6.4.1 allows re ...) NOT-FOR-US: Aruba Networks ClearPass CVE-2014-5341 (The SFTP external storage driver (files_external) in ownCloud Server b ...) - owncloud 7~20140504+dfsg-1 NOTE: Only affects 5.x and 6.x, so marking first 7 release as fixed NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2014-019 CVE-2014-5340 (The wato component in Check_MK before 1.2.4p4 and 1.2.5 before 1.2.5i4 ...) - check-mk 1.2.6p4-1 (bug #758883) [wheezy] - check-mk (does not use pickle, vulnerable code not present) NOTE: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=192d41525502dc8de10ac99f57bd988450c17566 NOTE: introduces incompatible changes to older versions, see https://bugzilla.redhat.com/show_bug.cgi?id=1132337#c2 CVE-2014-5339 (Check_MK before 1.2.4p4 and 1.2.5 before 1.2.5i4 allows remote authent ...) - check-mk 1.2.6p4-1 (bug #758883) [wheezy] - check-mk (Vulnerable code not present) NOTE: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=7998aa4d53d2fef7302c0761b9c8f47e2f626e18 CVE-2014-5338 (Multiple cross-site scripting (XSS) vulnerabilities in the multisite c ...) - check-mk 1.2.6p4-1 (bug #758883) [wheezy] - check-mk (Minor issue) NOTE: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=076468b10e660abdeaaaa6c459a4aa3ce8e07 CVE-2014-5337 (The WordPress Mobile Pack plugin before 2.0.2 for WordPress does not p ...) NOT-FOR-US: WordPress plugin Mobile Pack CVE-2014-5335 (Multiple cross-site request forgery (CSRF) vulnerabilities in innovaph ...) NOT-FOR-US: innovaphone PBX CVE-2014-5334 (FreeNAS before 9.3-M3 has a blank admin password, which allows remote ...) NOT-FOR-US: FreeNAS CVE-2014-5332 (Race condition in NVMap in NVIDIA Tegra Linux Kernel 3.10 allows local ...) - linux (drivers/video/tegra not present) NOTE: http://googleprojectzero.blogspot.de/2015/01/exploiting-nvmap-to-escape-chrome.html CVE-2014-5331 (Cross-site scripting (XSS) vulnerability in Aflax allows remote attack ...) NOT-FOR-US: Aflax CVE-2014-5330 (Cross-site scripting (XSS) vulnerability in BirdBlog allows remote att ...) NOT-FOR-US: BirdBlog CVE-2014-5329 RESERVED CVE-2014-5328 (Buffer overflow in the Webserver component on the Huawei E5332 router ...) NOT-FOR-US: Huawei router CVE-2014-5327 (Buffer overflow in the Webserver component on the Huawei E5332 router ...) NOT-FOR-US: Huawei router CVE-2014-5326 (Cross-site scripting (XSS) vulnerability in Direct Web Remoting (DWR) ...) - dwr (bug #601517) CVE-2014-5325 (The (1) DOMConverter, (2) JDOMConverter, (3) DOM4JConverter, and (4) X ...) - dwr (bug #601517) CVE-2014-5324 (Unrestricted file upload vulnerability in the N-Media file uploader pl ...) NOT-FOR-US: N-Media file uploader plugin for WordPress CVE-2014-5323 (The Yuko Yuko (aka jp.co.yukoyuko.android.yukoyuko_android) applicatio ...) NOT-FOR-US: Yuko Yuko (aka jp.co.yukoyuko.android.yukoyuko_android) application for Android CVE-2014-5322 (Cross-site scripting (XSS) vulnerability in the Instant Web Publish fu ...) NOT-FOR-US: FileMaker Pro CVE-2014-5321 (FileMaker Pro before 13 and Pro Advanced before 13 does not verify X.5 ...) NOT-FOR-US: FileMaker Pro CVE-2014-5320 (The Bump application for Android does not properly handle implicit int ...) NOT-FOR-US: Bump application for Android CVE-2014-5319 (Directory traversal vulnerability in the S-Link SLFileManager applicat ...) NOT-FOR-US: S-Link SLFileManager application for Android CVE-2014-5318 (The jigbrowser+ application 1.8.1 and earlier for iOS allows remote at ...) NOT-FOR-US: jigbrowser+ application for iOS CVE-2014-5317 (Cross-site scripting (XSS) vulnerability in php365.com 365 Links 3.11 ...) NOT-FOR-US: php365.com components CVE-2014-5316 (Cross-site scripting (XSS) vulnerability in Dotclear before 2.6.4 allo ...) - dotclear 2.6.4+dfsg-1 CVE-2014-5315 (Cross-site scripting (XSS) vulnerability in the Help page in Adobe Acr ...) NOT-FOR-US: Adobe CVE-2014-5314 (Buffer overflow in Cybozu Office 9 and 10 before 10.1.0, Mailwise 4 an ...) NOT-FOR-US: Cybozu Office CVE-2014-5313 (Cross-site scripting (XSS) vulnerability in the management page in Six ...) - movabletype-opensource [wheezy] - movabletype-opensource (Not supported in Wheezy) CVE-2014-5461 (Buffer overflow in the vararg functions in ldo.c in Lua 5.1 through 5. ...) {DSA-3016-1 DSA-3015-1 DLA-47-1} - lua5.1 5.1.5-7 - lua5.2 5.2.3-1 NOTE: http://www.lua.org/bugs.html#5.2.2-1 NOTE: fixed in 5.2.3, see https://bugzilla.redhat.com/show_bug.cgi?id=1132304#c7 CVE-2014-5368 (Directory traversal vulnerability in the file_get_contents function in ...) NOT-FOR-US: WordPress plugin wp-source-control CVE-2014-5333 (Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Win ...) NOT-FOR-US: Adobe Flash Player NOTE: assignment not from Adobe, see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-5333 CVE-2014-5356 (OpenStack Image Registry and Delivery Service (Glance) before 2013.2.4 ...) - glance 2014.1.3-1 [wheezy] - glance (Vulnerable code not present) NOTE: Versions: up to 2013.2.3 and 2014.1 to 2014.1.2 CVE-2014-5336 (Monkey HTTP Server before 1.5.3, when the File Descriptor Table (FDT) ...) - monkey (low) [squeeze] - monkey (Minor issue) CVE-2014-5312 RESERVED CVE-2014-5311 RESERVED CVE-2014-5310 RESERVED CVE-2014-5309 RESERVED CVE-2014-5308 (Multiple SQL injection vulnerabilities in TestLink 1.9.11 allow remote ...) NOT-FOR-US: TestLink CVE-2014-5307 (Heap-based buffer overflow in the PavTPK.sys kernel mode driver of Pan ...) NOT-FOR-US: Panda Security CVE-2014-5306 RESERVED CVE-2014-5305 RESERVED CVE-2014-5304 RESERVED CVE-2014-5303 RESERVED CVE-2014-5302 (Directory traversal vulnerability in ServiceDesk Plus and Plus MSP v5 ...) NOT-FOR-US: ManageEngine components CVE-2014-5301 (Directory traversal vulnerability in ServiceDesk Plus MSP v5 to v9.0 v ...) NOT-FOR-US: ManageEngine components CVE-2014-5300 (Adaptive Computing Moab before 7.2.9 and 8 before 8.0.0 allows remote ...) NOT-FOR-US: Adaptive Computing Moab CVE-2014-5299 RESERVED CVE-2014-5298 (FileUploadsFilter.php in X2Engine 4.1.7 and earlier, when running on c ...) NOT-FOR-US: X2Engine CVE-2014-5297 (The actionSendErrorReport method in protected/controllers/SiteControll ...) NOT-FOR-US: X2Engine CVE-2014-5296 RESERVED CVE-2014-5295 RESERVED CVE-2014-5294 RESERVED CVE-2014-5293 RESERVED CVE-2014-5292 RESERVED CVE-2014-5291 RESERVED CVE-2014-5290 RESERVED CVE-2014-5289 (Buffer overflow in Senkas Kolibri 2.0 allows remote attackers to execu ...) NOT-FOR-US: Senkas Kolibri CVE-2014-5288 (A CSRF Vulnerability exists in Kemp Load Master before 7.0-18a via uns ...) NOT-FOR-US: Kemp Load Master CVE-2014-5287 (A Bash script injection vulnerability exists in Kemp Load Master 7.1-1 ...) NOT-FOR-US: Kemp Load Master CVE-2014-5286 (The ActiveMatrix Policy Manager Authentication module in TIBCO ActiveM ...) NOT-FOR-US: TIBCO CVE-2014-5285 (Unspecified vulnerability in the Authentication Module in TIBCO Spotfi ...) NOT-FOR-US: TIBCO Spotfire Server CVE-2014-5284 (host-deny.sh in OSSEC before 2.8.1 writes to temporary files with pred ...) - ossec-hids (bug #361954) CVE-2014-5283 RESERVED CVE-2014-5282 (Docker before 1.3 does not properly validate image IDs, which allows r ...) - docker.io 1.3.0~dfsg1-1 CVE-2014-5281 RESERVED CVE-2014-5280 (boot2docker 1.2 and earlier allows attackers to conduct cross-site req ...) NOT-FOR-US: boot2docker CVE-2014-5279 (The Docker daemon managed by boot2docker 1.2 and earlier improperly en ...) NOT-FOR-US: boot2docker CVE-2014-5278 (A vulnerability exists in Docker before 1.2 via container names, which ...) - docker.io 1.2.0~dfsg1-1 CVE-2014-5277 (Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when ...) - docker.io 1.3.1~dfsg1-1 NOTE: https://groups.google.com/d/topic/docker-user/oYm0i3xShJU/discussion CVE-2014-5276 (Multiple cross-site scripting (XSS) vulnerabilities in Pro Chat Rooms ...) NOT-FOR-US: Pro Chat Rooms CVE-2014-5275 (Multiple SQL injection vulnerabilities in includes/functions.php in Pr ...) NOT-FOR-US: Pro Chat Rooms CVE-2014-5264 RESERVED CVE-2014-5259 (Cross-site scripting (XSS) vulnerability in cattranslate.php in the Ca ...) NOT-FOR-US: BlackCat CMS CVE-2014-5258 (Directory traversal vulnerability in showTempFile.php in webEdition CM ...) NOT-FOR-US: webEdition CMS CVE-2014-5257 (Multiple cross-site scripting (XSS) vulnerabilities in Forma Lms befor ...) NOT-FOR-US: Forma Lms CVE-2014-5248 (Cross-site scripting (XSS) vulnerability in MyBB before 1.6.15 allows ...) NOT-FOR-US: MyBB CVE-2014-5246 (The Shenzhen Tenda Technology Tenda A5s router with firmware 3.02.05_C ...) NOT-FOR-US: Shenzhen Tenda Technology Tenda A5s router CVE-2014-5245 RESERVED CVE-2014-5244 RESERVED CVE-2014-5239 (The Microsoft Outlook.com application before 7.8.2.12.49.7090 for Andr ...) NOT-FOR-US: Microsoft CVE-2014-5238 (XML external entity (XXE) vulnerability in Open-Xchange (OX) AppSuite ...) NOT-FOR-US: Open-Xchange CVE-2014-5237 (Server-side request forgery (SSRF) vulnerability in the documentconver ...) NOT-FOR-US: Open-Xchange CVE-2014-5236 (Multiple absolute path traversal vulnerabilities in documentconverter ...) NOT-FOR-US: Open-Xchange CVE-2014-5235 (Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchan ...) NOT-FOR-US: Open-Xchange CVE-2014-5234 (Cross-site scripting (XSS) vulnerability in the backend in Open-Xchang ...) NOT-FOR-US: Open-Xchange CVE-2012-6654 (Multiple SQL injection vulnerabilities in ZPanel 10.0.1 and earlier al ...) NOT-FOR-US: ZPanel CVE-2014-5274 (Cross-site scripting (XSS) vulnerability in the view operations page i ...) - phpmyadmin 4:4.2.7.1-1 (low; bug #758536) [wheezy] - phpmyadmin (vulnerable code not present) [squeeze] - phpmyadmin (vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2014-9/ NOTE: Version 3.x uses the browser-provided confirmation window and not custom HTML. CVE-2014-5273 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0. ...) - phpmyadmin 4:4.2.7.1-1 (low; bug #758536) [wheezy] - phpmyadmin (vulnerable code not present) [squeeze] - phpmyadmin (vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2014-8/ NOTE: Most of the affected Javascript files do not exist on version 3.3 and 3.4. NOTE: Those that do do not contain the problematic code. CVE-2014-5268 (The Fasttoggle module 7.x-1.3 and 7.x-1.4 for Drupal allows remote att ...) NOT-FOR-US: Drupal addon CVE-2014-5250 (Unspecified vulnerability in the AJAX autocompletion callback in the B ...) NOT-FOR-US: Drupal addon CVE-2014-5249 (SQL injection vulnerability in the "Biblio self autocomplete" submodul ...) NOT-FOR-US: Drupal addon CVE-2012-6656 (iconvdata/ibm930.c in GNU C Library (aka glibc) before 2.16 allows con ...) {DSA-3142-1 DLA-97-1} - glibc 2.17-1 - eglibc [wheezy] - eglibc (Will be fixed in a point update) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=14134 NOTE: https://sourceware.org/git/?p=glibc.git;a=commit;h=6e230d11837f3ae7b375ea69d7905f0d18eb79e5 CVE-2012-6655 (An issue exists AccountService 0.6.37 in the user_change_password_auth ...) - accountsservice (low; bug #757912) [buster] - accountsservice (Minor issue) [stretch] - accountsservice (Minor issue) [jessie] - accountsservice (Minor issue) [wheezy] - accountsservice (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=55000 CVE-2014-5272 (libavcodec/iff.c in FFMpeg before 1.1.14, 1.2.x before 1.2.8, 2.2.x be ...) - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav (Vulnerable code not present) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=3539d6c63a16e1b2874bb037a86f317449c58770 NOTE: Does not apply to Libav at all. CVE-2014-5271 (Heap-based buffer overflow in the encode_slice function in libavcodec/ ...) - ffmpeg (Vulnerable code not present) - libav 6:11-1 [wheezy] - libav (Vulnerable code not present) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=52b81ff4635c077b2bc8b8d3637d933b6629d803 NOTE: new ffmpeg now in experimental, CVE fixed in 7:2.4-1 NOTE: https://git.libav.org/?p=libav.git;a=commitdiff;h=45ce880a9b3e50cfa088f111dffaf8685bd7bc6b CVE-2014-5262 (SQL injection vulnerability in the graph settings script (graph_settin ...) {DSA-3007-1 DLA-40-1} - cacti 0.8.8b+dfsg-8 NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7454 CVE-2014-5261 (The graph settings script (graph_settings.php) in Cacti 0.8.8b and ear ...) {DSA-3007-1 DLA-40-1} - cacti 0.8.8b+dfsg-8 NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7454 CVE-2014-4274 (Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier an ...) {DSA-3054-1 DLA-75-1} - mariadb-5.5 5.5.39-1 - mariadb-10.0 (Fixed before initial upload) - mysql-5.5 5.5.39-1 - mysql-5.1 - percona-xtradb-cluster-5.5 NOTE: Fix MySQL: https://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/4638 NOTE: Fix MariaDB: https://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/4261?sort=date#storage/myisam/ha_myisam.cc CVE-2014-5270 (Libgcrypt before 1.5.4, as used in GnuPG and other products, does not ...) {DSA-3073-1 DSA-3024-1 DLA-93-1 DLA-54-1} - gnupg 1.4.16-1 NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=cad8216f9a0b33c9dc84ecc4f385b00045e7b496 - libgcrypt11 1.5.4-1 - libgcrypt20 1.6.0-2 NOTE: http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000352.html CVE-2014-5267 (modules/openid/xrds.inc in Drupal 6.x before 6.33 and 7.x before 7.31 ...) {DSA-2999-1} - drupal7 7.31-1 CVE-2014-5266 (The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 a ...) {DSA-3001-1 DSA-2999-1 DLA-56-1} - wordpress 3.9.2+dfsg-1 (bug #757312) NOTE: https://core.trac.wordpress.org/changeset/29405/branches/3.9 - drupal7 7.31-1 - drupal6 [squeeze] - drupal6 NOTE: https://www.drupal.org/SA-CORE-2014-004 CVE-2014-5265 (The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 a ...) {DSA-3001-1 DSA-2999-1 DLA-56-1} - wordpress 3.9.2+dfsg-1 (bug #757312) NOTE: https://core.trac.wordpress.org/changeset/29405/branches/3.9 - drupal7 7.31-1 - drupal6 [squeeze] - drupal6 NOTE: https://www.drupal.org/SA-CORE-2014-004 CVE-2014-5253 (OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno befo ...) - keystone 2014.1.2.1-1 [wheezy] - keystone (Affects 2014.1 versions up to 2014.1.1) NOTE: https://launchpad.net/bugs/1349597 NOTE: https://git.openstack.org/cgit/openstack/keystone/commit/?id=317f9d34b4da20c21edd5b851889298b67c843e1 CVE-2014-5252 (The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 ...) - keystone 2014.1.2.1-1 [wheezy] - keystone (Affects 2014.1 versions up to 2014.1.1) NOTE: https://launchpad.net/bugs/1348820 NOTE: https://git.openstack.org/cgit/openstack/keystone/commit/?id=bdb88c662ac2035f9b0d8a229a5db5f60f5f16ae CVE-2014-5251 (The MySQL token driver in OpenStack Identity (Keystone) 2014.1.x befor ...) - keystone 2014.1.2.1-1 [wheezy] - keystone (Affects 2014.1 versions up to 2014.1.1) NOTE: https://launchpad.net/bugs/1347961 NOTE: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6cbf835542d62e6e5db4b4aef7141b1731cad9dc CVE-2014-5263 (vmstate_xhci_event in hw/usb/hcd-xhci.c in QEMU 1.6.0 does not termina ...) - qemu 2.1+dfsg-1 [wheezy] - qemu (Vulnerable code introduced in v1.6.0) [squeeze] - qemu (Vulnerable code introduced in v1.6.0) - qemu-kvm (Vulnerable code not present) NOTE: patch http://git.qemu.org/?p=qemu.git;a=commit;h=3afca1d6d413592c2b78cf28f52fa24a586d8f56 CVE-2014-5269 (Plack::App::File in Plack before 1.0031 removes trailing slash charact ...) {DLA-61-1} - libplack-perl 1.0031-1 [wheezy] - libplack-perl 0.9989-1+deb7u1 NOTE: https://github.com/plack/Plack/issues/405 CVE-2014-5255 (xcfa before 5.0.1 creates temporary files insecurely which could allow ...) - xcfa 5.0.1-1 (unimportant; bug #756600) NOTE: Neutralised by kernel temp hardening CVE-2014-5254 (xcfa before 5.0.1 creates temporary files insecurely which could allow ...) - xcfa 5.0.1-1 (unimportant; bug #756600) NOTE: Not exploitable with kernel hardening since wheezy CVE-2014-XXXX [Enforce use of HTTPS for MathJax in IPython] - ipython 0.12-1 [wheezy] - ipython (Minor issue) [squeeze] - ipython (Affects versions <= 2.1 and >= 0.12) NOTE: https://github.com/ipython/ipython/issues/6246 NOTE: patch: https://github.com/ipython/ipython/commit/f58dabb277d0cdfb603d46cd01fcf29819ae7613 NOTE: in Debian patch to use mathjax from system was added right away in version 0.12 CVE-2014-5260 (The (1) mkxmltype and (2) mkdtskel scripts in XML-DT before 0.64 allow ...) - libxml-dt-perl 0.66-1 (bug #756566) [wheezy] - libxml-dt-perl (Minor issue) [squeeze] - libxml-dt-perl (Vulnerable code introduced later) CVE-2014-6060 (The get_option function in dhcpcd 4.0.0 through 6.x before 6.4.3 allow ...) - dhcpcd5 6.0.5-2 (low; bug #770043) [wheezy] - dhcpcd5 5.5.6-1+deb7u1 - dhcpcd (Affects dhcpcd 4.0.0 to 6.4.2) NOTE: http://roy.marples.name/projects/dhcpcd/ci/1d2b93aa5ce25a8a710082fe2d36a6bf7f5794d5?sbs=0 CVE-2014-5243 (MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.2 ...) {DSA-3011-1} - mediawiki 1:1.19.18+dfsg-0.1 (bug #758510) [squeeze] - mediawiki NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=65778 CVE-2014-5242 (Cross-site scripting (XSS) vulnerability in mediawiki.page.image.pagin ...) - mediawiki (Vulnerable code not present) NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=66608 NOTE: Introduced in 1.22wmf14, https://bugzilla.wikimedia.org/show_bug.cgi?id=66608#c18 CVE-2014-5241 (The JSONP endpoint in includes/api/ApiFormatJson.php in MediaWiki befo ...) {DSA-3011-1} - mediawiki 1:1.19.18+dfsg-0.1 (bug #758510) [squeeze] - mediawiki NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=68187 CVE-2014-5233 (The Siemens SIMATIC WinCC Sm@rtClient app before 1.0.2 for iOS allows ...) NOT-FOR-US: Siemens SIMATIC WinCC Sm@rtClient CVE-2014-5232 (The Siemens SIMATIC WinCC Sm@rtClient app before 1.0.2 for iOS allows ...) NOT-FOR-US: Siemens SIMATIC WinCC Sm@rtClient CVE-2014-5231 (The Siemens SIMATIC WinCC Sm@rtClient app before 1.0.2 for iOS allows ...) NOT-FOR-US: Siemens SIMATIC WinCC Sm@rtClient CVE-2014-5230 REJECTED CVE-2014-5229 REJECTED CVE-2014-5228 REJECTED CVE-2014-5227 REJECTED CVE-2014-5226 REJECTED CVE-2014-5225 REJECTED CVE-2014-5224 REJECTED CVE-2014-5223 REJECTED CVE-2014-5222 REJECTED CVE-2014-5221 REJECTED CVE-2014-5220 (The mdcheck script of the mdadm package for openSUSE 13.2 prior to ver ...) - mdadm 3.3.4-1 (unimportant) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=910500 NOTE: https://github.com/mapcollab/mdadm/commit/979b1feb093b1c2e0f8b58716329f2da092741d4 NOTE: misc/mdcheck not installed into binary packages CVE-2014-5219 RESERVED CVE-2014-5218 RESERVED CVE-2014-5217 (Cross-site request forgery (CSRF) vulnerability in nps/servlet/webacc ...) NOT-FOR-US: NetIQ Access Manager CVE-2014-5216 (Multiple cross-site scripting (XSS) vulnerabilities in NetIQ Access Ma ...) NOT-FOR-US: NetIQ Access Manager CVE-2014-5215 (NetIQ Access Manager (NAM) 4.x before 4.0.1 HF3 allows remote authenti ...) NOT-FOR-US: NetIQ Access Manager CVE-2014-5214 (nps/servlet/webacc in iManager in the Administration Console server in ...) NOT-FOR-US: NetIQ Access Manager CVE-2014-5213 (nds/files/opt/novell/eDirectory/lib64/ndsimon/public/images in iMonito ...) NOT-FOR-US: Novell eDirectory CVE-2014-5212 (Cross-site scripting (XSS) vulnerability in nds/search/data in iMonito ...) NOT-FOR-US: Novell eDirectory CVE-2014-5211 (Stack-based buffer overflow in the Attachmate Reflection FTP Client be ...) NOT-FOR-US: Attachmate Reflection FTP Client CVE-2014-5210 (The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows re ...) NOT-FOR-US: AlienVault OSSIM CVE-2014-5209 (An Information Disclosure vulnerability exists in NTP 4.2.7p25 private ...) - ntp 1:4.2.8p3+dfsg-1 [jessie] - ntp (can be worked around by disabling mode in configuration) NOTE: Starting with 4.2.8, mode 7 is marked as deprecated and disabled by default, NOTE: treat this as the fixed version here. NOTE: http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=4eae26a46gF81Tr6RRrYnf6jWhVo0g NOTE: http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=4eb4b512O-jx-s-epS2A75g9mitvfQ CVE-2014-5208 (BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 30 ...) NOT-FOR-US: Batch Management Packages in Yokogawa and Exaopc CVE-2014-5202 (Cross-site scripting (XSS) vulnerability in compfight-search.php in th ...) NOT-FOR-US: WordPress plugin compfight CVE-2014-5201 (SQL injection vulnerability in the Gallery Objects plugin 0.4 for Word ...) NOT-FOR-US: WordPress plugin gallery-objects CVE-2014-5200 (SQL injection vulnerability in game_play.php in the FB Gorilla plugin ...) NOT-FOR-US: WordPress plugin fbgorilla CVE-2014-5199 (Cross-site request forgery (CSRF) vulnerability in the WordPress File ...) NOT-FOR-US: WordPress plugin wp-file-upload CVE-2014-5198 (Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enter ...) NOT-FOR-US: Splunk CVE-2014-5197 (Directory traversal vulnerability in (1) Splunk Web or the (2) Splunkd ...) NOT-FOR-US: Splunk CVE-2014-5196 (Cross-site request forgery (CSRF) vulnerability in improved-user-searc ...) NOT-FOR-US: WordPress plugin improved-user-search-in-backend CVE-2014-5195 (Unity before 7.2.3 and 7.3.x before 7.3.1, as used in Ubuntu, does not ...) - unity (bug #609278) CVE-2014-5194 (Static code injection vulnerability in admin/admin.php in Sphider 1.3. ...) NOT-FOR-US: Sphider CVE-2014-5193 (Cross-site scripting (XSS) vulnerability in admin/admin.php in Sphider ...) NOT-FOR-US: Sphider CVE-2014-5192 (SQL injection vulnerability in admin/admin.php in Sphider 1.3.6 allows ...) NOT-FOR-US: Sphider CVE-2014-5191 (Cross-site scripting (XSS) vulnerability in the Preview plugin before ...) - ckeditor 4.4.4+dfsg1-1 (bug #760736) [wheezy] - ckeditor (Preview plugin not yet present) [squeeze] - ckeditor (Preview plugin not yet present) CVE-2014-5190 (Cross-site scripting (XSS) vulnerability in captcha-secureimage/test/i ...) NOT-FOR-US: WordPress plugin SI CAPTCHA Anti-Spam CVE-2014-5189 (SQL injection vulnerability in lib/optin/optin_page.php in the Lead Oc ...) NOT-FOR-US: WordPress plugin Lead-Octopus-Power CVE-2014-5188 (Cross-site scripting (XSS) vulnerability in doemailpassword.tml in Lyr ...) NOT-FOR-US: Lyris ListManager CVE-2014-5187 (Directory traversal vulnerability in the Tom M8te (tom-m8te) plugin 1. ...) NOT-FOR-US: WordPress plugin tom-m8te CVE-2014-5186 (SQL injection vulnerability in the All Video Gallery (all-video-galler ...) NOT-FOR-US: WordPress plugin all-video-gallery CVE-2014-5185 (SQL injection vulnerability in the Quartz plugin 1.01.1 for WordPress ...) NOT-FOR-US: WordPress plugin quartz CVE-2014-5184 (SQL injection vulnerability in the stripshow-storylines page in the st ...) NOT-FOR-US: WordPress plugin stripshow CVE-2014-5183 (SQL injection vulnerability in includes/mode-edit.php in the Simple Re ...) NOT-FOR-US: WordPress plugin simple-retail-menus CVE-2014-5182 (Multiple SQL injection vulnerabilities in the yawpp plugin 1.2 for Wor ...) NOT-FOR-US: WordPress plugin yawpp CVE-2014-5181 (Directory traversal vulnerability in lastfm-proxy.php in the Last.fm R ...) NOT-FOR-US: WordPress plugin lastfm-rotation CVE-2014-5180 (SQL injection vulnerability in the videos page in the HDW Player Plugi ...) NOT-FOR-US: WordPress plugin hdw-player-video-player-video-gallery CVE-2014-5178 (Multiple cross-site scripting (XSS) vulnerabilities in Easy File Shari ...) NOT-FOR-US: Easy File Sharing CVE-2014-5176 (SAP FI Manager Self-Service has a hard-coded user name, which makes it ...) NOT-FOR-US: SAP CVE-2014-5175 (The License Measurement servlet in SAP Solution Manager 7.1 allows rem ...) NOT-FOR-US: SAP CVE-2014-5174 (The SAP Netweaver Business Warehouse component does not properly restr ...) NOT-FOR-US: SAP CVE-2014-5173 (SAP HANA Extend Application Services (XS) allows remote attackers to b ...) NOT-FOR-US: SAP CVE-2014-5172 (Multiple cross-site scripting (XSS) vulnerabilities in the XS Administ ...) NOT-FOR-US: SAP CVE-2014-5171 (SAP HANA Extend Application Services (XS) does not encrypt transmissio ...) NOT-FOR-US: SAP CVE-2013-7398 (main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Htt ...) - async-http-client (Vulnerable code not present, bug #773364) NOTE: https://github.com/AsyncHttpClient/async-http-client/issues/197 NOTE: https://github.com/AsyncHttpClient/async-http-client/commit/3c9152e2c75f7e8b654beec40383748a14c6b51b CVE-2013-7397 (Async Http Client (aka AHC or async-http-client) before 1.9.0 skips X. ...) - async-http-client 1.6.5-3 [wheezy] - async-http-client (Minor issue) NOTE: https://github.com/AsyncHttpClient/async-http-client/issues/352 CVE-2013-7396 RESERVED CVE-2013-7395 (ZOLL Defibrillator / Monitor X Series has a default (1) supervisor pas ...) NOT-FOR-US: ZOLL Defibrillator / Monitor X Series CVE-2013-7394 (The "runshellscript echo.sh" script in Splunk before 5.0.5 allows remo ...) NOT-FOR-US: Splunk CVE-2012-6653 (Unspecified vulnerability in the All Video Gallery (all-video-gallery) ...) NOT-FOR-US: WordPress plugin all-video-gallery CVE-2007-6756 (ZOLL Defibrillator / Monitor M Series, E Series, and R Series have a d ...) NOT-FOR-US: ZOLL Defibrillator / Monitor M Series, E Series, and R Series CVE-2014-5207 (fs/namespace.c in the Linux kernel through 3.16.1 does not properly re ...) - linux 3.16.2-1 [wheezy] - linux (User namespaces only usable in later kernels) - linux-2.6 (User namespaces only usable in later kernels) NOTE: Fixed by https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/commit/?h=for-linus&id=9566d6742852c527bf5af38af5cbb878dad75705 (v3.17-rc1) NOTE: and: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ffbc6f0ead47fa5a1dc9642b0331cb75c20a640e (v3.17-rc1) NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0c55cfc4166d9a0f38de779bd4d75a90afbe7734 (v3.8) NOTE: Thread starting at http://www.openwall.com/lists/oss-security/2014/08/12/6 CVE-2014-5206 (The do_remount function in fs/namespace.c in the Linux kernel through ...) - linux 3.16.2-1 [wheezy] - linux (User namespaces only usable in later kernels) - linux-2.6 (User namespaces only usable in later kernels) NOTE: https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/commit/?h=for-linus&id=db181ce011e3c033328608299cd6fac06ea50130 NOTE: Thread starting at http://www.openwall.com/lists/oss-security/2014/08/12/6 CVE-2014-5247 (The _UpgradeBeforeConfigurationChange function in lib/client/gnt_clust ...) - ganeti 2.11.5-1 [wheezy] - ganeti (Vulnerable code not present) [squeeze] - ganeti (Vulnerable code not present) NOTE: http://www.ocert.org/advisories/ocert-2014-006.html CVE-2014-5240 (Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php ...) {DSA-3001-1 DLA-56-1} - wordpress 3.9.2+dfsg-1 (bug #757312) NOTE: https://core.trac.wordpress.org/changeset/29398 CVE-2014-5205 (wp-includes/pluggable.php in WordPress before 3.9.2 does not use delim ...) {DSA-3001-1 DLA-56-1} - wordpress 3.9.2+dfsg-1 (bug #757312) NOTE: https://core.trac.wordpress.org/changeset/29408 CVE-2014-5204 (wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CS ...) {DSA-3001-1 DLA-56-1} - wordpress 3.9.2+dfsg-1 (bug #757312) NOTE: https://core.trac.wordpress.org/changeset/29384 CVE-2014-5203 (wp-includes/class-wp-customize-widgets.php in the widget implementatio ...) - wordpress 3.9.2+dfsg-1 (bug #757312) [wheezy] - wordpress (Vulnerable code not present) [squeeze] - wordpress (Vulnerable code not present) NOTE: https://core.trac.wordpress.org/changeset/29389 CVE-2014-3528 (Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before 1 ...) - subversion 1.8.10-1 (low) [squeeze] - subversion (Minor issue) [wheezy] - subversion (Minor issue) NOTE: http://mail-archives.apache.org/mod_mbox/subversion-dev/201407.mbox/%3C53DAB4A7.8030004%40reser.org%3E CVE-2014-5179 (The freelinking module for Drupal, as used in the Freelinking for Case ...) NOT-FOR-US: drupal6-freelinking module CVE-2014-5177 (libvirt 1.0.0 through 1.2.x before 1.2.5, when fine grained access con ...) - libvirt 1.2.4-1 (low) [wheezy] - libvirt (Not exploitable in that version) [squeeze] - libvirt (Not exploitable in that version) NOTE: http://security.libvirt.org/2014/0003.html CVE-2014-5170 (The Storage API module 7.x before 7.x-1.6 for Drupal might allow remot ...) NOT-FOR-US: Storage API module for Drupal CVE-2014-5169 (Cross-site scripting (XSS) vulnerability in the Date module before 7.x ...) NOT-FOR-US: Drupal module Date CVE-2014-5168 RESERVED CVE-2014-5167 RESERVED CVE-2014-5166 RESERVED CVE-2014-5165 (The dissect_ber_constrained_bitstring function in epan/dissectors/pack ...) {DSA-3002-1} - wireshark 1.12.0+git+4fab41a1-1 [squeeze] - wireshark (Vulnerable code not present) NOTE: http://www.wireshark.org/security/wnpa-sec-2014-11.html CVE-2014-5164 (The rlc_decode_li function in epan/dissectors/packet-rlc.c in the RLC ...) {DSA-3002-1} - wireshark 1.12.0+git+4fab41a1-1 [squeeze] - wireshark (Vulnerable code not present) NOTE: http://www.wireshark.org/security/wnpa-sec-2014-10.html CVE-2014-5163 (The APN decode functionality in (1) epan/dissectors/packet-gtp.c and ( ...) {DSA-3002-1 DLA-38-1} - wireshark 1.12.0+git+4fab41a1-1 [squeeze] - wireshark 1.2.11-6+squeeze15 NOTE: http://www.wireshark.org/security/wnpa-sec-2014-09.html CVE-2014-5162 (The read_new_line function in wiretap/catapult_dct2000.c in the Catapu ...) {DSA-3002-1 DLA-38-1} - wireshark 1.12.0+git+4fab41a1-1 [squeeze] - wireshark 1.2.11-6+squeeze15 NOTE: http://www.wireshark.org/security/wnpa-sec-2014-08.html CVE-2014-5161 (The dissect_log function in plugins/irda/packet-irda.c in the IrDA dis ...) {DSA-3002-1 DLA-38-1} - wireshark 1.12.0+git+4fab41a1-1 [squeeze] - wireshark 1.2.11-6+squeeze15 NOTE: http://www.wireshark.org/security/wnpa-sec-2014-08.html CVE-2014-5160 (** DISPUTED ** Multiple directory traversal vulnerabilities in crs.exe ...) NOT-FOR-US: HP Data Protector CVE-2014-5159 (SQL injection vulnerability in the ossim-framework service in AlienVau ...) NOT-FOR-US: AlienVault OSSIM CVE-2014-5158 (The (1) av-centerd SOAP service and (2) backup command in the ossim-fr ...) NOT-FOR-US: AlienVault OSSIM CVE-2014-5157 REJECTED CVE-2014-5156 RESERVED CVE-2014-5155 RESERVED CVE-2014-5154 RESERVED CVE-2014-5153 RESERVED CVE-2014-5152 RESERVED CVE-2014-5151 RESERVED CVE-2014-5150 RESERVED CVE-2014-5149 (Certain MMU virtualization operations in Xen 4.2.x through 4.4.x, when ...) - xen 4.4.1-4 (low; bug #770230) [wheezy] - xen (Minor issue, too intrusive to backport) [squeeze] - xen (Unsupported in squeeze-lts) CVE-2014-5148 (Xen 4.4.x, when running on an ARM system and "handling an unknown syst ...) - xen 4.4.1-1 [wheezy] - xen (Vulnerable code not present) [squeeze] - xen (Vulnerable code not present) CVE-2014-5147 (Xen 4.4.x, when running a 64-bit kernel on an ARM system, does not pro ...) - xen 4.4.1-1 [wheezy] - xen (Vulnerable code not present) [squeeze] - xen (Vulnerable code not present) CVE-2014-5146 (Certain MMU virtualization operations in Xen 4.2.x through 4.4.x befor ...) - xen 4.4.1-4 (low; bug #770230) [wheezy] - xen (Minor issue, too intrusive to backport) [squeeze] - xen (Unsupported in squeeze-lts) CVE-2014-5145 RESERVED CVE-2014-5144 (Cross-site scripting (XSS) vulnerability in Telescope before 0.9.3 all ...) NOT-FOR-US: Qualcomm driver for Android CVE-2014-5143 RESERVED CVE-2014-5142 RESERVED CVE-2014-5141 RESERVED CVE-2014-5140 (The bindReplace function in the query factory in includes/classes/data ...) NOT-FOR-US: Loaded Commerce CVE-2014-5139 (The ssl_set_client_disabled function in t1_lib.c in OpenSSL 1.0.1 befo ...) {DSA-2998-1} - openssl 1.0.1i-1 [squeeze] - openssl (vulnerable code not present) CVE-2014-5138 (Innovative Interfaces Sierra Library Services Platform 1.2_3 does not ...) NOT-FOR-US: Sierra Library Services Platform CVE-2014-5137 (Innovative Interfaces Sierra Library Services Platform 1.2_3 provides ...) NOT-FOR-US: Sierra Library Services Platform CVE-2014-5136 (Cross-site scripting (XSS) vulnerability in Innovative Interfaces Sier ...) NOT-FOR-US: Sierra Library Services Platform CVE-2014-5135 RESERVED CVE-2014-5134 RESERVED CVE-2014-5133 RESERVED CVE-2014-5132 (Avolve Software ProjectDox 8.1 allows remote attackers to enumerate us ...) NOT-FOR-US: ProjectDox CVE-2014-5131 (Avolve Software ProjectDox 8.1 makes it easier for remote authenticate ...) NOT-FOR-US: ProjectDox CVE-2014-5130 (Avolve Software ProjectDox 8.1 allows remote authenticated users to ob ...) NOT-FOR-US: ProjectDox CVE-2014-5129 (Cross-site scripting (XSS) vulnerability in Avolve Software ProjectDox ...) NOT-FOR-US: ProjectDox CVE-2014-5128 (Innovative Interfaces Encore Discovery Solution 4.3 places a session t ...) NOT-FOR-US: Innovative Interfaces Encore Discovery Solution CVE-2014-5127 (Open redirect vulnerability in Innovative Interfaces Encore Discovery ...) NOT-FOR-US: Innovative Interfaces Encore Discovery Solution CVE-2014-5126 RESERVED CVE-2014-5125 RESERVED CVE-2014-5124 RESERVED CVE-2014-5123 RESERVED CVE-2014-5122 (Open redirect vulnerability in ESRI ArcGIS for Server 10.1.1 allows re ...) NOT-FOR-US: ArcGIS CVE-2014-5121 (Multiple cross-site scripting (XSS) vulnerabilities in ESRI ArcGIS for ...) NOT-FOR-US: ArcGIS CVE-2014-5120 (gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x befo ...) - php5 5.4.0-1 [squeeze] - php5 (Introduced in 5.4) - libgd2 (Specific to integration of gd in PHP) NOTE: https://bugs.php.net/bug.php?id=67730 NOTE: https://bugs.php.net/patch-display.php?bug_id=67730&patch=gd-null-injection&revision=latest NOTE: For the PHP5 5.4 branch this issue is fixed in version 5.4.32 NOTE: fixed in Debian with the gdIOCtx.patch patch CVE-2014-5115 (Absolute path traversal vulnerability in DirPHP 1.0 allows remote atta ...) NOT-FOR-US: DirPHP CVE-2014-5114 (WeBid 1.1.1 allows remote attackers to conduct an LDAP injection attac ...) NOT-FOR-US: WeBid Auction Script CVE-2014-5113 (Multiple cross-site scripting (XSS) vulnerabilities in test.php in Vis ...) NOT-FOR-US: Visualwave MyConnection Server CVE-2014-5112 (maint/modules/home/index.php in Fonality trixbox allows remote attacke ...) NOT-FOR-US: Fonality trixbox CVE-2014-5111 (Multiple directory traversal vulnerabilities in Fonality trixbox allow ...) NOT-FOR-US: Fonality trixbox CVE-2014-5110 (Cross-site scripting (XSS) vulnerability in user/help/html/index.php i ...) NOT-FOR-US: Fonality trixbox CVE-2014-5109 (SQL injection vulnerability in maint/modules/endpointcfg/endpoint_gene ...) NOT-FOR-US: Fonality trixbox CVE-2014-5108 (Cross-site scripting (XSS) vulnerability in single_pages\download_file ...) NOT-FOR-US: concrete5 CVE-2014-5107 (concrete5 before 5.6.3 allows remote attackers to obtain the installat ...) NOT-FOR-US: concrete5 CVE-2014-5106 (Cross-site scripting (XSS) vulnerability in Invision Power IP.Board (a ...) NOT-FOR-US: Invision Power IP.Board CVE-2014-5105 (Multiple cross-site scripting (XSS) vulnerabilities in ol-commerce 2.1 ...) NOT-FOR-US: ol-commerce CVE-2014-5104 (Multiple SQL injection vulnerabilities in ol-commerce 2.1.1 allow remo ...) NOT-FOR-US: ol-commerce CVE-2014-5103 (Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine EventLog ...) NOT-FOR-US: ZOHO ManageEngine EventLog Analyzer CVE-2014-5102 (SQL injection vulnerability in vBulletin 5.0.4 through 5.1.3 Alpha 5 a ...) NOT-FOR-US: vBulletin CVE-2014-5101 (Multiple cross-site scripting (XSS) vulnerabilities in WeBid 1.1.1 all ...) NOT-FOR-US: WeBid Auction Script CVE-2014-5100 (Multiple cross-site request forgery (CSRF) vulnerabilities in Omeka be ...) NOT-FOR-US: Omeka CVE-2014-5099 RESERVED CVE-2014-5098 (Cross-site scripting (XSS) vulnerability in the Search module before 1 ...) NOT-FOR-US: Jamroom Search module CVE-2014-5097 (Multiple SQL injection vulnerabilities in Free Reprintables ArticleFR ...) NOT-FOR-US: ArticleFR CVE-2014-5096 RESERVED CVE-2014-5095 RESERVED CVE-2014-5094 (Status2k allows remote attackers to obtain configuration information v ...) NOT-FOR-US: Status2k CVE-2014-5093 (Status2k does not remove the install directory allowing credential res ...) NOT-FOR-US: Status2k CVE-2014-5092 (Status2k allows Remote Command Execution in admin/options/editpl.php. ...) NOT-FOR-US: Status2k CVE-2014-5091 (A vulnerability exits in Status2K 2.5 Server Monitoring Software via t ...) NOT-FOR-US: Status2K Server Monitoring Software CVE-2014-5090 (admin/options/logs.php in Status2k allows remote authenticated adminis ...) NOT-FOR-US: Status2k CVE-2014-5089 (SQL injection vulnerability in admin/options/logs.php in Status2k allo ...) NOT-FOR-US: Status2k CVE-2014-5088 (Cross-site scripting (XSS) vulnerability in Status2k allows remote att ...) NOT-FOR-US: Status2k CVE-2014-5087 (A vulnerability exists in Sphider Search Engine prior to 1.3.6 due to ...) NOT-FOR-US: Sphider Search Engine CVE-2014-5086 (A Command Execution vulnerability exists in Sphider Pro, and Sphider P ...) NOT-FOR-US: Sphider CVE-2014-5085 (A Command Execution vulnerability exists in Sphider Plus 3.2 due to in ...) NOT-FOR-US: Sphider CVE-2014-5084 (A Command Execution vulnerability exists in Sphider Pro 3.2 due to ins ...) NOT-FOR-US: Sphider CVE-2014-5083 (A Command Execution vulnerability exists in Sphider before 1.3.6 due t ...) NOT-FOR-US: Sphider CVE-2014-5082 (Multiple SQL injection vulnerabilities in admin/admin.php in Sphider 1 ...) NOT-FOR-US: Sphider CVE-2014-5081 (sphider prior to 1.3.6, sphider-pro prior to 3.2, and sphider-plus pri ...) NOT-FOR-US: sphider CVE-2014-5080 RESERVED CVE-2014-5079 RESERVED CVE-2014-5078 RESERVED CVE-2014-5076 (The La Banque Postale application before 3.2.6 for Android does not pr ...) NOT-FOR-US: La Banque Postale application CVE-2014-5075 (The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x w ...) - libsmack-java (bug #640873) CVE-2014-5074 (Siemens SIMATIC S7-1500 CPU devices with firmware before 1.6 allow rem ...) NOT-FOR-US: Siemens SIMATIC S7-1500 CPU devices CVE-2014-5073 (vmtadmin.cgi in VMTurbo Operations Manager before 4.6 build 28657 allo ...) NOT-FOR-US: VMTurbo Operations Manager CVE-2014-5072 (Cross-site request forgery (CSRF) vulnerability in WP Security Audit L ...) NOT-FOR-US: WP Security Audit Log plugin for WordPress CVE-2014-5071 (SQL injection vulnerability in the checkPassword function in Symmetric ...) NOT-FOR-US: Symmetricom CVE-2014-5070 (Symmetricom s350i 2.70.15 allows remote authenticated users to gain pr ...) NOT-FOR-US: Symmetricom CVE-2014-5069 (Cross-site scripting (XSS) vulnerability in Symmetricom s350i 2.70.15 ...) NOT-FOR-US: Symmetricom CVE-2014-5068 (Directory traversal vulnerability in the web application in Symmetrico ...) NOT-FOR-US: Symmetricom CVE-2014-5067 RESERVED CVE-2014-5066 RESERVED CVE-2014-5065 RESERVED CVE-2014-5064 RESERVED CVE-2014-5063 RESERVED CVE-2014-5062 RESERVED CVE-2014-5061 RESERVED CVE-2014-5060 RESERVED CVE-2014-5059 RESERVED CVE-2014-5058 RESERVED CVE-2014-5057 RESERVED CVE-2014-5056 RESERVED CVE-2014-5055 RESERVED CVE-2014-5054 RESERVED CVE-2014-5053 RESERVED CVE-2014-5052 RESERVED CVE-2014-5051 RESERVED CVE-2014-5050 RESERVED CVE-2014-5049 RESERVED CVE-2014-5048 RESERVED CVE-2014-5047 RESERVED CVE-2014-5046 RESERVED CVE-2014-5118 (Trusted Boot (tboot) before 1.8.2 has a 'loader.c' Security Bypass Vul ...) NOT-FOR-US: tboot CVE-2014-5117 (Tor before 0.2.4.23 and 0.2.5 before 0.2.5.6-alpha maintains a circuit ...) {DSA-2993-1 DLA-17-1} - tor 0.2.4.23-1 [squeeze] - tor 0.2.4.23-1~deb6u1 CVE-2014-5116 (The cairo_image_surface_get_data function in Cairo 1.10.2, as used in ...) NOTE: This is non-security bug in Wireshark, not in Cairo CVE-2014-5077 (The sctp_assoc_update function in net/sctp/associola.c in the Linux ke ...) {DLA-103-1} - linux 3.14.15-1 [wheezy] - linux 3.2.63-1 - linux-2.6 NOTE: upstream fix: http://patchwork.ozlabs.org/patch/372475/ CVE-2014-5043 REJECTED CVE-2014-5042 RESERVED CVE-2014-5041 RESERVED CVE-2014-5040 (HP Helion Eucalyptus 4.1.x before 4.1.2 and HPE Helion Eucalyptus 4.2. ...) - eucalyptus CVE-2014-5039 (Cross-site scripting (XSS) vulnerability in Eucalyptus Management Cons ...) NOT-FOR-US: Eucalyptus Management Console (relates to src:eucalyptus) CVE-2014-5038 (Eucalyptus 3.0.0 through 4.0.1, when the log level is set to DEBUG or ...) - eucalyptus CVE-2014-5037 (Eucalyptus 4.0.0 through 4.0.1, when the log level is set to INFO, log ...) - eucalyptus CVE-2014-5036 (The Storage Controller (SC) component in Eucalyptus 3.4.2 through 4.0. ...) - eucalyptus CVE-2014-5035 (The Netconf (TCP) service in OpenDaylight 1.0 allows remote attackers ...) NOT-FOR-US: Opendaylight CVE-2014-5034 (Cross-site request forgery (CSRF) vulnerability in the Brute Force Log ...) NOT-FOR-US: Brute Force Login Protection module for WordPress CVE-2014-5023 (Repository.php in Gitter, as used in Gitlist, allows remote attackers ...) - gitlist (bug #750368) CVE-2014-5018 (Incomplete blacklist vulnerability in the autoEscape function in commo ...) - limesurvey (bug #472802) CVE-2014-5017 (SQL injection vulnerability in CPDB in application/controllers/admin/p ...) - limesurvey (bug #472802) CVE-2014-5016 (Multiple cross-site scripting (XSS) vulnerabilities in LimeSurvey 2.05 ...) - limesurvey (bug #472802) CVE-2014-5014 (The WordPress Flash Uploader plugin before 3.1.3 for WordPress allows ...) NOT-FOR-US: WordPress Flash Uploader plugin for WordPress CVE-2014-5013 (DOMPDF before 0.6.2 allows remote code execution, a related issue to C ...) - php-dompdf 0.6.2+dfsg-1 (bug #813849) [jessie] - php-dompdf 0.6.1+dfsg-2+deb8u1 NOTE: https://github.com/dompdf/dompdf/releases/tag/v0.6.2 CVE-2014-5012 (DOMPDF before 0.6.2 allows denial of service. ...) - php-dompdf 0.6.2+dfsg-1 (bug #813849) [jessie] - php-dompdf 0.6.1+dfsg-2+deb8u1 NOTE: https://github.com/dompdf/dompdf/releases/tag/v0.6.2 CVE-2014-5011 (DOMPDF before 0.6.2 allows Information Disclosure. ...) - php-dompdf 0.6.2+dfsg-1 (bug #813849) [jessie] - php-dompdf 0.6.1+dfsg-2+deb8u1 NOTE: https://github.com/dompdf/dompdf/releases/tag/v0.6.2 CVE-2014-5010 RESERVED CVE-2014-5007 (Directory traversal vulnerability in the agentLogUploader servlet in Z ...) NOT-FOR-US: ZOHO ManageEngine CVE-2014-5006 (Directory traversal vulnerability in ZOHO ManageEngine Desktop Central ...) NOT-FOR-US: ZOHO ManageEngine CVE-2014-5005 (Directory traversal vulnerability in ZOHO ManageEngine Desktop Central ...) NOT-FOR-US: ZOHO ManageEngine CVE-2013-7393 (The daemonize.py module in Subversion 1.8.0 before 1.8.2 allows local ...) - subversion 1.8.5-1 (unimportant) NOTE: Optional admin-side utilities in Subversion 1.8.x NOTE: split form CVE-2013-4262 CVE-2013-7392 (Gitlist allows remote attackers to execute arbitrary commands via shel ...) - gitlist (bug #750368) CVE-2013-7391 (The Entity API module 7.x-1.x before 7.x-1.2 for Drupal, when using th ...) NOT-FOR-US: Drupal contributed module Entity API CVE-2013-7390 (Unrestricted file upload vulnerability in AgentLogUploadServlet in Man ...) NOT-FOR-US: ManageEngine DesktopCentral CVE-2011-5281 RESERVED CVE-2014-5045 (The mountpoint_last function in fs/namei.c in the Linux kernel before ...) - linux 3.14.15-1 [wheezy] - linux (Introduced in 3.12) - linux-2.6 (Introduced in 3.12) NOTE: https://lkml.org/lkml/2014/7/21/98 CVE-2014-5044 (Multiple integer overflows in libgfortran might allow remote attackers ...) - gcc-4.9 4.9.1-4 (bug #756325) - gcc-4.8 4.8.3-7 (bug #756325) - gcc-4.7 (bug #756325) [wheezy] - gcc-4.7 (Minor issue, too intrusive to backport) - gcc-4.6 (bug #756325) [wheezy] - gcc-4.6 (Minor issue, too intrusive to backport) - gcc-4.4 (bug #756325) [wheezy] - gcc-4.4 (Minor issue, too intrusive to backport) [squeeze] - gcc-4.4 (Minor issue, too intrusive to backport) - gcc-4.3 [squeeze] - gcc-4.3 (Minor issue, too intrusive to backport) NOTE: https://gcc.gnu.org/viewcvs/gcc?limit_changes=0&view=revision&revision=211721 CVE-2014-5033 (KDE kdelibs before 4.14 and kauth before 5.1 does not properly use D-B ...) {DSA-3004-1 DLA-76-1} - kde4libs 4:4.13.3-2 (bug #755814) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=864716 NOTE: http://quickgit.kde.org/?p=kdelibs.git&a=commit&h=e4e7b53b71e2659adaf52691d4accc3594203b23 CVE-2014-5032 (GLPI before 0.84.7 does not properly restrict access to cost informati ...) - glpi (unimportant) NOTE: http://www.openwall.com/lists/oss-security/2014/07/22/6 NOTE: Only supported behind an authenticated HTTP zone CVE-2014-5031 (The web interface in CUPS before 2.0 does not check that files have wo ...) {DSA-2990-1 DLA-0022-1} - cups 1.7.4-2 [squeeze] - cups 1.4.4-7+squeeze6 NOTE: https://cups.org/str.php?L4455 CVE-2014-5030 (CUPS before 2.0 allows local users to read arbitrary files via a symli ...) {DSA-2990-1 DLA-0022-1} - cups 1.7.4-2 [squeeze] - cups 1.4.4-7+squeeze6 NOTE: https://cups.org/str.php?L4455 CVE-2014-5029 (The web interface in CUPS 1.7.4 allows local users in the lp group to ...) {DSA-2990-1 DLA-0022-1} - cups 1.7.4-2 [squeeze] - cups 1.4.4-7+squeeze6 NOTE: https://cups.org/str.php?L4455 CVE-2014-5028 (The Original File and Patched File resources in Review Board 1.7.x bef ...) - reviewboard (bug #653113) CVE-2014-5027 (Cross-site scripting (XSS) vulnerability in Review Board 1.7.x before ...) - reviewboard (bug #653113) CVE-2014-5026 (Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b al ...) {DSA-3007-1 DLA-40-1} - cacti 0.8.8b+dfsg-7 NOTE: http://bugs.cacti.net/view.php?id=2456 CVE-2014-5025 (Cross-site scripting (XSS) vulnerability in data_sources.php in Cacti ...) {DSA-3007-1 DLA-40-1} - cacti 0.8.8b+dfsg-7 NOTE: http://bugs.cacti.net/view.php?id=2456 CVE-2014-5024 (Cross-site scripting (XSS) vulnerability in sgms/panelManager in Dell ...) NOT-FOR-US: DELL SonicWALL GMS CVE-2014-5015 (bozotic HTTP server (aka bozohttpd) before 20140708, as used in NetBSD ...) {DLA-490-1} - bozohttpd (bug #755197) [squeeze] - bozohttpd (Minor issue) NOTE: Fixed by: http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/httpd/bozohttpd.c.diff?r1=1.52&r2=1.53&only_with_tag=MAIN CVE-2014-5009 (Snoopy allows remote attackers to execute arbitrary commands. NOTE: t ...) - libphp-snoopy (Incorrect fix not applied) NOTE: This issue exists because of an incorrect fix for CVE-2014-5008. NOTE: https://github.com/cogdog/feed2js/pull/12#issuecomment-48283706 CVE-2014-5008 (Snoopy allows remote attackers to execute arbitrary commands. ...) {DSA-3248-1 DLA-357-1} - libphp-snoopy 2.0.0-1 (bug #778634) NOTE: http://mstrokin.com/sec/feed2js-magpierss-0day-vulnerability-not-really-it-is-actually-cve-2005-3330-cve-2008-4796/ NOTE: This issue exists because of an incorrect fix for CVE-2008-4796 (i.e., use of escapeshellcmd where escapeshellarg was required). CVE-2014-5004 (lib/brbackup.rb in the brbackup gem 0.1.1 for Ruby places the database ...) NOT-FOR-US: Ruby Gem brbackup CVE-2014-5003 (chef/travis-cookbooks/ci_environment/perlbrew/recipes/default.rb in th ...) NOT-FOR-US: Ruby Gem ciborg CVE-2014-5002 (The lynx gem before 1.0.0 for Ruby places the configured password on c ...) NOT-FOR-US: Ruby Gem lynx CVE-2014-5001 (lib/ksymfony1.rb in the kcapifony gem 2.1.6 for Ruby places database u ...) NOT-FOR-US: Ruby Gem kcapifony CVE-2014-5000 (The login function in lib/lawn.rb in the lawn-login gem 0.0.7 for Ruby ...) NOT-FOR-US: Ruby Gem lawn-login CVE-2014-4999 (vendor/plugins/dataset/lib/dataset/database/mysql.rb in the kajam gem ...) NOT-FOR-US: Ruby Gem kajam CVE-2014-4998 (test/tc_database.rb in the lean-ruport gem 0.3.8 for Ruby places the m ...) NOT-FOR-US: Ruby Gem lean-ruport CVE-2014-4997 (lib/commands/setup.rb in the point-cli gem 0.0.1 for Ruby places crede ...) NOT-FOR-US: Ruby Gem point-cli CVE-2014-4996 (lib/vlad/dba/mysql.rb in the VladTheEnterprising gem 0.2 for Ruby allo ...) NOT-FOR-US: Ruby Gem VladTheEnterprising CVE-2014-4995 (Race condition in lib/vlad/dba/mysql.rb in the VladTheEnterprising gem ...) NOT-FOR-US: Ruby Gem VladTheEnterprising CVE-2014-4994 (lib/gyazo/client.rb in the gyazo gem 1.0.0 for Ruby allows local users ...) NOT-FOR-US: Ruby Gem gyazo CVE-2014-4993 ((1) lib/backup/cli/utility.rb in the backup-agoddard gem 3.0.28 and (2 ...) NOT-FOR-US: Ruby Gems backup-agoddard and backup_checksum CVE-2014-4992 (lib/cap-strap/helpers.rb in the cap-strap gem 0.1.5 for Ruby places cr ...) NOT-FOR-US: Ruby Gem cap-strap CVE-2014-4991 ((1) lib/dataset/database/mysql.rb and (2) lib/dataset/database/postgre ...) NOT-FOR-US: Ruby Gem codders-dataset CVE-2014-4990 RESERVED CVE-2014-4989 RESERVED CVE-2014-4988 RESERVED CVE-2014-4987 (server_user_groups.php in phpMyAdmin 4.1.x before 4.1.14.2 and 4.2.x b ...) - phpmyadmin 4:4.2.6-1 (low) [wheezy] - phpmyadmin (Vulnerable code not present) [squeeze] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2014-7/ CVE-2014-4986 (Multiple cross-site scripting (XSS) vulnerabilities in js/functions.js ...) - phpmyadmin 4:4.2.6-1 (low) [wheezy] - phpmyadmin (Vulnerable code not present) [squeeze] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2014-6/ CVE-2014-4985 RESERVED CVE-2014-4984 (Déjà Vu Crescendo Sales CRM has remote SQL Injection ...) NOT-FOR-US: Deja Vu Crescendo Sales CRM CVE-2014-4983 RESERVED CVE-2014-4982 (LPAR2RRD ≤ 4.53 and ≤ 3.5 has arbitrary command injection ...) NOT-FOR-US: LPAR2RRD CVE-2014-4981 (LPAR2RRD in 3.5 and earlier allows remote attackers to execute arbitra ...) NOT-FOR-US: LPAR2RRD CVE-2014-4980 (The /server/properties resource in Tenable Web UI before 2.3.5 for Nes ...) NOT-FOR-US: Tenable Web UI for Nessus CVE-2014-4979 (Apple QuickTime allows remote attackers to execute arbitrary code or c ...) NOT-FOR-US: Apple QuickTime CVE-2014-4977 (Multiple SQL injection vulnerabilities in Dell SonicWall Scrutinizer 1 ...) NOT-FOR-US: SonicWall CVE-2014-4976 (Dell SonicWall Scrutinizer 11.0.1 allows remote authenticated users to ...) NOT-FOR-US: SonicWall CVE-2014-5022 (Cross-site scripting (XSS) vulnerability in the Ajax system in Drupal ...) {DSA-2983-1} - drupal6 (Only affects Drupal 7 core) - drupal7 7.29-1 (bug #755038) NOTE: https://www.drupal.org/SA-CORE-2014-003 CVE-2014-5021 (Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x ...) {DSA-2983-1} - drupal6 [squeeze] - drupal6 - drupal7 7.29-1 (bug #755038) NOTE: https://www.drupal.org/SA-CORE-2014-003 CVE-2014-5020 (The File module in Drupal 7.x before 7.29 does not properly check perm ...) {DSA-2983-1} - drupal6 (Only affects Drupal 7 core) - drupal7 7.29-1 (bug #755038) NOTE: https://www.drupal.org/SA-CORE-2014-003 CVE-2014-5019 (The multisite feature in Drupal 6.x before 6.32 and 7.x before 7.29 al ...) {DSA-2983-1} - drupal6 [squeeze] - drupal6 - drupal7 7.29-1 (bug #755038) NOTE: https://www.drupal.org/SA-CORE-2014-003 CVE-2014-4975 (Off-by-one error in the encodes function in pack.c in Ruby 1.9.3 and e ...) {DSA-3157-1 DLA-200-1} - ruby1.8 (Vulnerable code not present in 1.8) - ruby1.9.1 (low) [wheezy] - ruby1.9.1 (Minor issue) - ruby2.0 (low) - ruby2.1 2.1.3-1 (low) NOTE: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=46778 CVE-2014-4974 (The ESET Personal Firewall NDIS filter (EpFwNdis.sys) kernel mode driv ...) NOT-FOR-US: ESET CVE-2014-4973 (The ESET Personal Firewall NDIS filter (EpFwNdis.sys) driver in the Fi ...) NOT-FOR-US: ESET Personal Firewall CVE-2014-4972 (Unrestricted file upload vulnerability in the Gravity Upload Ajax plug ...) NOT-FOR-US: Gravity Upload Ajax plugin for WordPress CVE-2014-4971 (Microsoft Windows XP SP3 does not validate addresses in certain IRP ha ...) NOT-FOR-US: Microsoft Windows XP CVE-2014-4970 RESERVED CVE-2014-4969 RESERVED CVE-2014-4968 (The WebView class and use of the WebView.addJavascriptInterface method ...) NOT-FOR-US: Boat Browser application for Android CVE-2014-4967 (Multiple argument injection vulnerabilities in Ansible before 1.6.7 al ...) - ansible 1.6.8+dfsg-1 NOTE: https://github.com/ansible/ansible/commit/84759faa0950146a6bae8452580b4a4cede6d871 CVE-2014-4966 (Ansible before 1.6.7 does not prevent inventory data with "{{" and "lo ...) - ansible 1.6.8+dfsg-1 NOTE: https://github.com/ansible/ansible/commit/84759faa0950146a6bae8452580b4a4cede6d871 CVE-2014-4965 (Multiple cross-site scripting (XSS) vulnerabilities in Shopizer 1.1.5 ...) NOT-FOR-US: Shopizer CVE-2014-4964 (Multiple cross-site request forgery (CSRF) vulnerabilities in Shopizer ...) NOT-FOR-US: Shopizer CVE-2014-4963 (Shopizer 1.1.5 and earlier allows remote attackers to modify the accou ...) NOT-FOR-US: Shopizer CVE-2014-4962 (Shopizer 1.1.5 and earlier allows remote attackers to reduce the total ...) NOT-FOR-US: Shopizer CVE-2014-4961 RESERVED CVE-2014-4960 (Multiple SQL injection vulnerabilities in models\gallery.php in Youtub ...) NOT-FOR-US: Joomla! component CVE-2014-4959 (**DISPUTED** SQL injection vulnerability in SQLiteDatabase.java in the ...) NOT-FOR-US: Disputed Android issue CVE-2014-4958 (Cross-site scripting (XSS) vulnerability in Telerik UI for ASP.NET AJA ...) NOT-FOR-US: Telerik UI for ASP.NET AJAX RadEditor Control CVE-2014-4957 RESERVED NOT-FOR-US: TR-069 Auto Configuration Servers NOTE: http://mis.fortunecook.ie/misfortune-cookie-tr069-protection-whitepaper.pdf CVE-2014-4956 RESERVED NOT-FOR-US: TR-069 Auto Configuration Servers NOTE: http://mis.fortunecook.ie/misfortune-cookie-tr069-protection-whitepaper.pdf CVE-2014-4955 (Cross-site scripting (XSS) vulnerability in the PMA_TRI_getRowForList ...) - phpmyadmin 4:4.2.6-1 (low) [wheezy] - phpmyadmin (Vulnerable code not present) [squeeze] - phpmyadmin (Vulnerable code not present) CVE-2014-4954 (Cross-site scripting (XSS) vulnerability in the PMA_getHtmlForActionLi ...) - phpmyadmin 4:4.2.6-1 [squeeze] - phpmyadmin (libraries/structure.lib.php not present) [wheezy] - phpmyadmin (libraries/structure.lib.php not present) CVE-2014-4953 REJECTED CVE-2014-4952 REJECTED CVE-2014-4951 REJECTED CVE-2014-4950 REJECTED CVE-2014-4949 REJECTED CVE-2014-4948 (Unspecified vulnerability in Citrix XenServer 6.2 Service Pack 1 and e ...) NOT-FOR-US: Citrix XenServer CVE-2014-4947 (Buffer overflow in the HVM graphics console support in Citrix XenServe ...) NOT-FOR-US: Citrix XenServer CVE-2014-4946 (Multiple cross-site scripting (XSS) vulnerabilities in Horde Internet ...) - php-horde-imp 6.2.0-1 - horde3 [squeeze] - horde3 NOTE: Upstream patches: NOTE: https://github.com/horde/horde/commit/578ff073724d9c179663098d8ff0076e8b361cfb NOTE: https://github.com/horde/horde/commit/2f1f4b10dec90fb67797ea80be0e029ead90f168 NOTE: The bugs are in javascript files that do not exist in the version in Squeeze. CVE-2014-4945 (Multiple cross-site scripting (XSS) vulnerabilities in Horde Internet ...) - php-horde-imp 6.2.0-1 - horde3 [squeeze] - horde3 NOTE: Upstream patch: https://github.com/horde/horde/commit/71633e649afc0704b72098a6e2530377dd67eb0c NOTE: The bug is in PHP template file that does not exist in the version in Squeeze. CVE-2014-4944 (Multiple SQL injection vulnerabilities in inc/bsk-pdf-dashboard.php in ...) NOT-FOR-US: WordPress plugin CVE-2014-4943 (The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel throug ...) {DSA-2992-1 DLA-103-1} - linux 3.14.13-1 - linux-2.6 NOTE: upstream commit: https://git.kernel.org/linus/3cf521f7dc87c031617fd47e4b7aa2593c2f3daf CVE-2014-4942 (The EasyCart (wp-easycart) plugin before 2.0.6 for WordPress allows re ...) NOT-FOR-US: WordPress plugin CVE-2014-4941 (Absolute path traversal vulnerability in Cross-RSS (wp-cross-rss) plug ...) NOT-FOR-US: WordPress plugin CVE-2014-4940 (Multiple directory traversal vulnerabilities in Tera Charts (tera-char ...) NOT-FOR-US: WordPress plugin CVE-2014-4939 (SQL injection vulnerability in the ENL Newsletter (enl-newsletter) plu ...) NOT-FOR-US: WordPress plugin CVE-2014-4938 (SQL injection vulnerability in the WP Rss Poster (wp-rss-poster) plugi ...) NOT-FOR-US: WordPress plugin CVE-2014-4937 (Directory traversal vulnerability in includes/bookx_export.php BookX p ...) NOT-FOR-US: WordPress plugin CVE-2014-4936 (The upgrade functionality in Malwarebytes Anti-Malware (MBAM) consumer ...) NOT-FOR-US: Malwarebytes CVE-2014-4935 RESERVED CVE-2014-4934 RESERVED CVE-2014-4933 RESERVED CVE-2014-4932 (Cross-site scripting (XSS) vulnerability in the Wordfence Security plu ...) NOT-FOR-US: Wordfence Security plugin for WordPress CVE-2014-4931 RESERVED CVE-2014-4930 (Multiple cross-site scripting (XSS) vulnerabilities in event/index2.do ...) NOT-FOR-US: ManageEngine EventLog Analyzer CVE-2014-4929 (Directory traversal vulnerability in the routing component in ownCloud ...) - owncloud 6.0.4~beta1+dfsg-1 NOTE: https://github.com/owncloud/security-advisories/blob/master/server/oc-sa-2014-018.json CVE-2014-4928 (SQL injection vulnerability in Invision Power Board (aka IPB or IP.Boa ...) NOT-FOR-US: Invision Power Board CVE-2014-4927 (Buffer overflow in ACME micro_httpd, as used in D-Link DSL2750U and DS ...) NOT-FOR-US: ACME micro_httpd CVE-2014-4926 RESERVED CVE-2014-4925 (Cross-site scripting (XSS) vulnerability in Good for Enterprise for An ...) NOT-FOR-US: Good for Enterprise for Android CVE-2014-4924 RESERVED CVE-2014-4923 RESERVED CVE-2014-4922 RESERVED CVE-2014-4921 RESERVED CVE-2014-4920 RESERVED CVE-2014-4919 (OXID eShop Professional Edition before 4.7.13 and 4.8.x before 4.8.7, ...) NOT-FOR-US: OXID eShop CVE-2014-4918 RESERVED NOT-FOR-US: TR-069 Auto Configuration Servers NOTE: http://mis.fortunecook.ie/misfortune-cookie-tr069-protection-whitepaper.pdf CVE-2014-4917 RESERVED NOT-FOR-US: TR-069 Auto Configuration Servers NOTE: http://mis.fortunecook.ie/misfortune-cookie-tr069-protection-whitepaper.pdf CVE-2014-4916 RESERVED NOT-FOR-US: TR-069 Auto Configuration Servers NOTE: http://mis.fortunecook.ie/misfortune-cookie-tr069-protection-whitepaper.pdf CVE-2014-4915 RESERVED CVE-2014-4912 (An Arbitrary File Upload issue was discovered in Frog CMS 0.9.5 due to ...) NOT-FOR-US: Frog CMS CVE-2014-4906 (The Brisbane & Queensland Alert (aka com.queensland.alert) applica ...) NOT-FOR-US: Brisbane & Queensland Alert (aka com.queensland.alert) application for Android CVE-2014-4905 (The Clean Internet Browser (aka com.cleantab.browsesecure) application ...) NOT-FOR-US: Clean Internet Browser (aka com.cleantab.browsesecure) application for Android CVE-2014-4904 (The Crossmo Calendar (aka com.crossmo.calendar) application 1.7.1 for ...) NOT-FOR-US: Crossmo Calendar (aka com.crossmo.calendar) application for Android CVE-2014-4903 (The Kakao Bingo Garden (aka com.mocoga.bingogarden) application 1.0.14 ...) NOT-FOR-US: Kakao Bingo Garden (aka com.mocoga.bingogarden) application for Android CVE-2014-4902 RESERVED CVE-2014-4901 (The Bond Trading (aka com.appmakr.app613309) application 197705 for An ...) NOT-FOR-US: Bond Trading (aka com.appmakr.app613309) application for Android CVE-2014-4900 (The migme (aka com.projectgoth) application 4.03.002 for Android does ...) NOT-FOR-US: migme (aka com.projectgoth) application for Android CVE-2014-4899 (The Indian Cement Review (aka com.magzter.indiancementreview) applicat ...) NOT-FOR-US: Indian Cement Review (aka com.magzter.indiancementreview) application for Android CVE-2014-4898 (The Harivijay (aka com.upasanhar.marathi.harivijay) application 4.0 fo ...) NOT-FOR-US: Harivijay (aka com.upasanhar.marathi.harivijay) application for Android CVE-2014-4897 (The Touriosity Travelmag (aka com.magzter.touriositytravelmag) applica ...) NOT-FOR-US: Touriosity Travelmag (aka com.magzter.touriositytravelmag) application for Android CVE-2014-4896 (The Parque Imperial (aka com.a792139893520606f84b2188a.a23428594a) app ...) NOT-FOR-US: Parque Imperial (aka com.a792139893520606f84b2188a.a23428594a) application for Android CVE-2014-4895 (The Herpin Time Radio (aka com.herpin.time.radio) application 2.0 for ...) NOT-FOR-US: Herpin Time Radio (aka com.herpin.time.radio) application for Android CVE-2014-4894 (The MyMetro (aka com.myrippleapps.mymetro) application 2.4.7 for Andro ...) NOT-FOR-US: MyMetro (aka com.myrippleapps.mymetro) application for Android CVE-2014-4893 RESERVED CVE-2014-4892 (The uControl Smart Home Automation (aka de.ucontrol) application 1.2 f ...) NOT-FOR-US: uControl Smart Home Automation (aka de.ucontrol) application for Android CVE-2014-4891 (The CT iHub (aka com.concursive.ctihub) application 1 for Android does ...) NOT-FOR-US: CT iHub (aka com.concursive.ctihub) application for Android CVE-2014-4890 (The Nano Digest (aka com.magzter.nanodigest) application 3.0 for Andro ...) NOT-FOR-US: Nano Digest (aka com.magzter.nanodigest) application for Android CVE-2014-4889 (The Diabetic Diet Guide (aka com.wDiabeticDietGuide) application 2.1 f ...) NOT-FOR-US: Diabetic Diet Guide (aka com.wDiabeticDietGuide) application for Android CVE-2014-4888 (The BattleFriends at Sea GOLD (aka com.tequilamobile.warshipslivegold) ...) NOT-FOR-US: BattleFriends at Sea GOLD (aka com.tequilamobile.warshipslivegold) application for Android CVE-2014-4887 (The Joint Radio Blues (aka com.nobexinc.wls_69685189.rc) application 3 ...) NOT-FOR-US: Joint Radio Blues (aka com.nobexinc.wls_69685189.rc) application for Android CVE-2014-4886 RESERVED CVE-2014-4885 (The CPWORLD Close Protection World (aka com.tapatalk.closeprotectionwo ...) NOT-FOR-US: CPWORLD Close Protection World (aka com.tapatalk.closeprotectionworldcom) application for Android CVE-2014-4884 (The Conrad Hotel (aka com.wConradHotel) application 0.1 for Android do ...) NOT-FOR-US: Conrad Hotel (aka com.wConradHotel) application for Android CVE-2014-4883 (resolv.c in the DNS resolver in uIP, and dns.c in the DNS resolver in ...) - xen (LWIP DNS code not present in Xen Debian packages) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1169008 CVE-2014-4882 (Aptexx Resident Anywhere does not require authentication, which allows ...) NOT-FOR-US: Aptexx Resident Anywhere CVE-2014-4881 (The PartyTrack library for Android does not verify X.509 certificates ...) NOT-FOR-US: PartyTrack library for Android CVE-2014-4880 (Buffer overflow in Hikvision DVR DS-7204 Firmware 2.2.10 build 131009, ...) NOT-FOR-US: Hikvision DVR CVE-2014-4879 RESERVED CVE-2014-4878 RESERVED CVE-2014-4877 (Absolute path traversal vulnerability in GNU Wget before 1.16, when re ...) {DSA-3062-1 DLA-82-1} - wget 1.16-1 (bug #766981) NOTE: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7 CVE-2014-4876 (Toshiba 4690 Operating System 6 Release 3, when the ADXSITCF logical n ...) NOT-FOR-US: Toshiba CVE-2014-4875 (CreateBossCredentials.jar in Toshiba CHEC before 6.6 build 4014 and 6. ...) NOT-FOR-US: CreateBossCredentials.jar in Toshiba CHEC CVE-2014-4874 (BMC Track-It! 11.3.0.355 allows remote authenticated users to read arb ...) NOT-FOR-US: BMC Track-It! CVE-2014-4873 (SQL injection vulnerability in TrackItWeb/Grid/GetData in BMC Track-It ...) NOT-FOR-US: BMC Track-It! CVE-2014-4872 (BMC Track-It! 11.3.0.355 does not require authentication on TCP port 9 ...) NOT-FOR-US: BMC Track-It! CVE-2014-4871 (Cross-site scripting (XSS) vulnerability in wlsecurity.html on NetComm ...) NOT-FOR-US: NetCommWireless NB604N routers CVE-2014-4870 (/opt/vyatta/bin/sudo-users/vyatta-clear-dhcp-lease.pl on the Brocade V ...) NOT-FOR-US: Brocade Vyatta CVE-2014-4869 (The Brocade Vyatta 5400 vRouter 6.4R(x), 6.6R(x), and 6.7R1 allows att ...) NOT-FOR-US: Brocade Vyatta CVE-2014-4868 (The management console on the Brocade Vyatta 5400 vRouter 6.4R(x), 6.6 ...) NOT-FOR-US: Brocade Vyatta CVE-2014-4867 (Cryoserver Security Appliance 7.3.x uses weak permissions for /etc/ini ...) NOT-FOR-US: Cryoserver CVE-2014-4866 RESERVED CVE-2014-4865 (Cross-site request forgery (CSRF) vulnerability in gui/password-wadmin ...) NOT-FOR-US: CacheGuard-OS CVE-2014-4864 (The NETGEAR ProSafe Plus Configuration Utility creates configuration b ...) NOT-FOR-US: NETGEAR ProSafe Plus Configuration Utility CVE-2014-4863 (The Arris Touchstone DG950A cable modem with software 7.10.131 has an ...) NOT-FOR-US: Arris Touchstone DG950A cable modem CVE-2014-4862 (The Netmaster CBW700N cable modem with software 81.447.392110.729.024 ...) NOT-FOR-US: Netmaster CBW700N cable modem CVE-2014-4861 (The Remote Desktop Launcher in Thycotic Secret Server before 8.6.00001 ...) NOT-FOR-US: Remote Desktop Launcher in Thycotic Secret Server CVE-2014-4860 (Multiple integer overflows in the Pre-EFI Initialization (PEI) boot ph ...) - edk2 (No support for updates of hypervisor-supplied firmware from guests) NOTE: https://www.mitre.org/sites/default/files/publications/14-2221-extreme-escalation-presentation.pdf CVE-2014-4859 (Integer overflow in the Drive Execution Environment (DXE) phase in the ...) - edk2 (No support for updates of hypervisor-supplied firmware from guests) NOTE: https://www.mitre.org/sites/default/files/publications/14-2221-extreme-escalation-presentation.pdf CVE-2014-4858 (Multiple SQL injection vulnerabilities in CWPLogin.aspx in Sabre AirCe ...) NOT-FOR-US: Sabre AirCenter Crew CVE-2014-4857 (Cross-site scripting (XSS) vulnerability in Gurock TestRail before 3.1 ...) NOT-FOR-US: Gurock TestRail CVE-2014-4856 (Cross-site scripting (XSS) vulnerability in the Polldaddy Polls & ...) NOT-FOR-US: WordPress plugin CVE-2014-4855 (Cross-site scripting (XSS) vulnerability in the Polylang plugin before ...) NOT-FOR-US: WordPress plugin CVE-2014-4854 (Cross-site scripting (XSS) vulnerability in the WP Construction Mode p ...) NOT-FOR-US: WordPress plugin CVE-2014-4853 (Cross-site scripting (XSS) vulnerability in odm-init.php in OpenDocMan ...) NOT-FOR-US: OpenDocMan CVE-2014-4852 (SQL injection vulnerability in admin/uploads.php in The Digital Craft ...) NOT-FOR-US: AtomCMS CVE-2014-4851 (Open redirect vulnerability in msg.php in FoeCMS allows remote attacke ...) NOT-FOR-US: FoeCMS CVE-2014-4850 (SQL injection vulnerability in index.php in FoeCMS allows remote attac ...) NOT-FOR-US: FoeCMS CVE-2014-4849 (Multiple cross-site scripting (XSS) vulnerabilities in msg.php in FoeC ...) NOT-FOR-US: FoeCMS CVE-2014-4848 (Cross-site scripting (XSS) vulnerability in the Blogstand Banner (blog ...) NOT-FOR-US: WordPress plugin CVE-2014-4847 (Cross-site scripting (XSS) vulnerability in the Random Banner plugin 1 ...) NOT-FOR-US: WordPress plugin CVE-2014-4846 (Cross-site scripting (XSS) vulnerability in the Meta Slider (ml-slider ...) NOT-FOR-US: WordPress plugin CVE-2014-4845 (Cross-site scripting (XSS) vulnerability in the BannerMan plugin 0.2.4 ...) NOT-FOR-US: WordPress plugin CVE-2014-4844 (The import/export functionality in IBM Business Process Manager (BPM) ...) NOT-FOR-US: IBM CVE-2014-4843 (Curam Universal Access in IBM Curam Social Program Management (SPM) 6. ...) NOT-FOR-US: IBM CVE-2014-4842 RESERVED CVE-2014-4841 RESERVED CVE-2014-4840 (IBM TRIRIGA Application Platform 3.2 and 3.3 before 3.3.0.2, 3.3.1 bef ...) NOT-FOR-US: IBM TRIRIGA Application Platform CVE-2014-4839 (Cross-site request forgery (CSRF) vulnerability in birtviewer.query in ...) NOT-FOR-US: IBM TRIRIGA Application Platform CVE-2014-4838 (Cross-site scripting (XSS) vulnerability in GanttProjectSchedulerPopup ...) NOT-FOR-US: IBM TRIRIGA Application Platform CVE-2014-4837 (Cross-site scripting (XSS) vulnerability in NewDocument.jsp in IBM TRI ...) NOT-FOR-US: IBM TRIRIGA Application Platform CVE-2014-4836 (Cross-site scripting (XSS) vulnerability in breakOutWithName.jsp in IB ...) NOT-FOR-US: IBM TRIRIGA Application Platform CVE-2014-4835 (IBM ServerGuide before 9.63, UpdateXpress System Packs Installer (UXSP ...) NOT-FOR-US: IBM CVE-2014-4834 (IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x through 7.0.0.8 do ...) NOT-FOR-US: IBM CVE-2014-4833 (IBM Security QRadar SIEM QRM 7.1 MR1 and QRM/QVM 7.2 MR2 allows remote ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2014-4832 (IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2014-4831 (IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2014-4830 (IBM Security QRadar SIEM QRM 7.1 MR1 and QRM/QVM 7.2 MR2 does not incl ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2014-4829 (Cross-site request forgery (CSRF) vulnerability in IBM Security QRadar ...) NOT-FOR-US: IBM Security QRadar CVE-2014-4828 (IBM Security QRadar SIEM QRM 7.1 MR1 and QRM/QVM 7.2 MR2 allows remote ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2014-4827 (Cross-site scripting (XSS) vulnerability in IBM Security QRadar SIEM Q ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2014-4826 (IBM Security QRadar SIEM 7.2 before 7.2.3 Patch 1 does not properly ha ...) NOT-FOR-US: IBM Security QRadar CVE-2014-4825 (IBM Security QRadar SIEM QRM 7.1 MR1 and QRM/QVM 7.2 MR2 does not prop ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2014-4824 (SQL injection vulnerability in IBM Security QRadar SIEM 7.2 before 7.2 ...) NOT-FOR-US: IBM Security QRadar CVE-2014-4823 (The administration console in IBM Security Access Manager for Web 7.x ...) NOT-FOR-US: IBM Security Access Manager CVE-2014-4822 (IBM WebSphere MQ classes for Java libraries 8.0 before 8.0.0.1 and Web ...) NOT-FOR-US: IBM WebSphere MQ CVE-2014-4821 (IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 ...) NOT-FOR-US: IBM WebSphere Portal CVE-2014-4820 (Cross-site scripting (XSS) vulnerability in IBM Integration Bus Manufa ...) NOT-FOR-US: IBM CVE-2014-4819 (The web user interface in IBM WebSphere Message Broker 8.0 before 8.0. ...) NOT-FOR-US: IBM CVE-2014-4818 (dsmtca in the client in IBM Tivoli Storage Manager (TSM) 5.4.x, 5.5.x, ...) NOT-FOR-US: IBM CVE-2014-4817 (The server in IBM Tivoli Storage Manager (TSM) 5.x and 6.x before 6.3. ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2014-4816 (Cross-site request forgery (CSRF) vulnerability in the Administrative ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2014-4815 (Session fixation vulnerability in IBM Rational Lifecycle Integration A ...) NOT-FOR-US: IBM CVE-2014-4814 (IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 ...) NOT-FOR-US: IBM WebSphere Portal CVE-2014-4813 (Race condition in the client in IBM Tivoli Storage Manager (TSM) 5.4.0 ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2014-4812 (The installer in IBM Security AppScan Source 8.x and 9.x through 9.0.1 ...) NOT-FOR-US: IBM Security AppScan Source CVE-2014-4811 (IBM Storwize 3500, 3700, 5000, and 7000 devices and SAN Volume Control ...) NOT-FOR-US: IBM CVE-2014-4810 (IBM Cognos Mobile 10.1.1 before FP3 IF1, 10.2.0 before FP2 IF1, and 10 ...) NOT-FOR-US: IBM CVE-2014-4809 (The WebSEAL component in IBM Security Access Manager for Web 7.x befor ...) NOT-FOR-US: IBM Security Access Manager CVE-2014-4808 (Unspecified vulnerability in IBM WebSphere Portal 6.1.0 through 6.1.0. ...) NOT-FOR-US: IBM WebSphere Portal CVE-2014-4807 (Sterling Order Management in IBM Sterling Selling and Fulfillment Suit ...) NOT-FOR-US: IBM Sterling Selling CVE-2014-4806 (The installation process in IBM Security AppScan Enterprise 8.x before ...) NOT-FOR-US: IBM CVE-2014-4805 (IBM DB2 10.5 before FP4 on Linux and AIX creates temporary files durin ...) NOT-FOR-US: IBM DB2 CVE-2014-4804 (Curam Universal Access in IBM Curam Social Program Management 5.2 befo ...) NOT-FOR-US: IBM Curam Social Program Management CVE-2014-4803 (CRLF injection vulnerability in the Universal Access implementation in ...) NOT-FOR-US: IBM Curam Social Program Management CVE-2014-4802 (The Saved Search Admin component in the Process Admin Console in IBM B ...) NOT-FOR-US: IBM Business Process Manager CVE-2014-4801 (Cross-site scripting (XSS) vulnerability in IBM Rational Quality Manag ...) NOT-FOR-US: IBM CVE-2014-4800 RESERVED CVE-2014-4799 RESERVED CVE-2014-4798 RESERVED CVE-2014-4797 RESERVED CVE-2014-4796 RESERVED CVE-2014-4795 RESERVED CVE-2014-4794 RESERVED CVE-2014-4793 (IBM WebSphere MQ 8.x before 8.0.0.1 does not properly enforce CHLAUTH ...) NOT-FOR-US: IBM WebSphere CVE-2014-4792 (IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 ...) NOT-FOR-US: IBM CVE-2014-4791 RESERVED CVE-2014-4790 (IBM Emptoris Sourcing Portfolio 9.5.x before 9.5.1.3, 10.0.0.x before ...) NOT-FOR-US: IBM Emptoris Sourcing Portfolio CVE-2014-4789 (Session fixation vulnerability in IBM Initiate Master Data Service 9.5 ...) NOT-FOR-US: IBM CVE-2014-4788 (IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7 ...) NOT-FOR-US: IBM CVE-2014-4787 (Cross-site scripting (XSS) vulnerability in IBM Initiate Master Data S ...) NOT-FOR-US: IBM CVE-2014-4786 (IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7 ...) NOT-FOR-US: IBM CVE-2014-4785 (Cross-site request forgery (CSRF) vulnerability in IBM Initiate Master ...) NOT-FOR-US: IBM CVE-2014-4784 (IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7 ...) NOT-FOR-US: IBM CVE-2014-4783 (Cross-site request forgery (CSRF) vulnerability in IBM Initiate Master ...) NOT-FOR-US: IBM CVE-2014-4782 (IBM InfoSphere BigInsights 2.1.2 allows remote authenticated users to ...) NOT-FOR-US: IBM CVE-2014-4781 (The alert module in IBM InfoSphere BigInsights 2.1.2 and 3.x before 3. ...) NOT-FOR-US: IBM InfoSphere BigInsights CVE-2014-4780 RESERVED CVE-2014-4779 RESERVED CVE-2014-4778 (IBM License Metric Tool 9 before 9.1.0.2 and Endpoint Manager for Soft ...) NOT-FOR-US: IBM CVE-2014-4777 RESERVED CVE-2014-4776 (IBM License Metric Tool 9 before 9.1.0.2 does not have an off autocomp ...) NOT-FOR-US: IBM CVE-2014-4775 (IBM InfoSphere Master Data Management - Collaborative Edition 10.x bef ...) NOT-FOR-US: IBM CVE-2014-4774 (Cross-site request forgery (CSRF) vulnerability in the login page in I ...) NOT-FOR-US: IBM CVE-2014-4773 RESERVED CVE-2014-4772 RESERVED CVE-2014-4771 (IBM WebSphere MQ 7.0.1 before 7.0.1.13, 7.1 before 7.1.0.6, 7.5 before ...) NOT-FOR-US: IBM WebSphere MQ CVE-2014-4770 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Application ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2014-4769 (IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x through 7.0.0.8 al ...) NOT-FOR-US: IBM CVE-2014-4768 (IBM Unified Extensible Firmware Interface (UEFI) on Flex System x880 X ...) NOT-FOR-US: IBM CVE-2014-4767 (IBM WebSphere Application Server (WAS) Liberty Profile 8.5.x before 8. ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2014-4766 (IBM Sametime Classic Meeting Server 8.0.x and 8.5.x allows remote atta ...) NOT-FOR-US: IBM Sametime Classic Meeting Server CVE-2014-4765 (IBM Maximo Asset Management 7.1 through 7.1.1.13 and 7.5 through 7.5.0 ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2014-4764 (IBM WebSphere Application Server (WAS) 8.0.x before 8.0.0.10 and 8.5.x ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2014-4763 (Cross-site scripting (XSS) vulnerability in Content Navigator in Conte ...) NOT-FOR-US: IBM CVE-2014-4762 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.0.0 ...) NOT-FOR-US: IBM CVE-2014-4761 (IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 ...) NOT-FOR-US: IBM WebSphere Portal CVE-2014-4760 (Open redirect vulnerability in IBM WebSphere Portal 6.1.0.0 through 6. ...) NOT-FOR-US: IBM WebSphere CVE-2014-4759 (An unspecified Ajax service in the Content Management toolkit in IBM B ...) NOT-FOR-US: IBM CVE-2014-4758 (IBM Business Process Manager (BPM) 7.5.x through 8.5.5 and WebSphere L ...) NOT-FOR-US: IBM CVE-2014-4757 (The Outlook Extension in IBM Content Collector 4.0.0.x before 4.0.0.0- ...) NOT-FOR-US: IBM Content Collector CVE-2014-4756 (The Administration and Reporting Tool in IBM Rational License Key Serv ...) NOT-FOR-US: IBM CVE-2014-4755 RESERVED CVE-2014-4754 RESERVED CVE-2014-4753 RESERVED CVE-2014-4752 (IBM System Networking G8052, G8124, G8124-E, G8124-ER, G8264, G8316, a ...) NOT-FOR-US: IBM CVE-2014-4751 (Cross-site scripting (XSS) vulnerability in IBM Security Access Manage ...) NOT-FOR-US: IBM Security Access Manager CVE-2014-4750 (IBM PowerVC Express Edition 1.2.0 before FixPack3 establishes an FTP s ...) NOT-FOR-US: IBM CVE-2014-4749 (IBM PowerVC 1.2.0 before FixPack3 does not properly use the known_host ...) NOT-FOR-US: IBM CVE-2014-4748 (Cross-site scripting (XSS) vulnerability in the Classic Meeting Server ...) NOT-FOR-US: IBM Sametime CVE-2014-4747 (The Classic Meeting Server in IBM Sametime 8.x through 8.5.2.1 allows ...) NOT-FOR-US: IBM Sametime CVE-2014-4746 (IBM WebSphere Portal 8.0.0 before 8.0.0.1 CF13 and 8.5.0 through CF01 ...) NOT-FOR-US: IBM WebSphere CVE-2014-4745 RESERVED CVE-2014-4744 (Multiple cross-site scripting (XSS) vulnerabilities in osTicket before ...) NOT-FOR-US: osTicket CVE-2014-4743 (Multiple cross-site scripting (XSS) vulnerabilities in (1) search_ajax ...) NOT-FOR-US: Kajona module CVE-2014-4742 (Cross-site scripting (XSS) vulnerability in system/class_link.php in t ...) NOT-FOR-US: Kajona module CVE-2014-4741 (SQL injection vulnerability in demo/ads.php in Artifectx xClassified 1 ...) NOT-FOR-US: Artifectx xClassified CVE-2014-4740 REJECTED CVE-2014-4739 RESERVED CVE-2014-4738 (Multiple cross-site scripting (XSS) vulnerabilities in FortiGuard Fort ...) NOT-FOR-US: FortiGuard FortiWeb CVE-2014-4737 (Cross-site scripting (XSS) vulnerability in Textpattern CMS before 4.5 ...) - textpattern [squeeze] - textpattern (Vulnerability is in setup.php, which becomes inaccessible after installation) NOTE: https://github.com/textpattern/textpattern/commit/1206c7d84949a58cd0a2bc4a91ee53a0c8d4daf6 NOTE: is likely the commit fixing the issue. But it does more than the NOTE: strict minimum. CVE-2014-4736 (SQL injection vulnerability in E2 before 2.4 (2845) allows remote atta ...) NOT-FOR-US: E2 CVE-2014-4735 (Cross-site scripting (XSS) vulnerability in MyWebSQL 3.4 and earlier a ...) NOT-FOR-US: MyWebSQL CVE-2014-4734 (Cross-site scripting (XSS) vulnerability in e107_admin/db.php in e107 ...) NOT-FOR-US: e107 CVE-2014-4733 RESERVED CVE-2014-4732 RESERVED CVE-2014-4731 RESERVED CVE-2014-4730 RESERVED CVE-2014-4729 RESERVED CVE-2014-4728 (The web server in the TP-LINK N750 Wireless Dual Band Gigabit Router ( ...) NOT-FOR-US: TP-Link CVE-2014-4727 (Cross-site scripting (XSS) vulnerability in the DHCP clients page in t ...) NOT-FOR-US: TP-Link CVE-2014-4726 (Unspecified vulnerability in the MailPoet Newsletters (wysija-newslett ...) NOT-FOR-US: wysija-newsletters CVE-2014-4725 (The MailPoet Newsletters (wysija-newsletters) plugin before 2.6.7 for ...) NOT-FOR-US: wysija-newsletters CVE-2014-4978 (The rs_filter_graph function in librawstudio/rs-filter.c in rawstudio ...) - rawstudio (low; bug #754899) [wheezy] - rawstudio (Minor issue) [squeeze] - rawstudio (Vulnerable code not present) CVE-2014-5119 (Off-by-one error in the __gconv_translit_find function in gconv_trans. ...) {DSA-3012-1 DLA-43-1} - glibc 2.19-10 (medium) - eglibc (medium) NOTE: http://www.openwall.com/lists/oss-security/2014/07/14/2 NOTE: http://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html CVE-2014-4909 (Integer overflow in the tr_bitfieldEnsureNthBitAlloced function in bit ...) {DSA-2988-1} - transmission 2.84-0.1 (bug #755985) [squeeze] - transmission (Vulnerable code not present) NOTE: http://trac.transmissionbt.com/wiki/Changes#version-2.84 NOTE: PoC: http://web.archive.org/web/20140815000641/http://inertiawar.com:80/submission.go CVE-2013-7389 (Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 ...) NOT-FOR-US: D-Link router CVE-2014-4723 (Cross-site scripting (XSS) vulnerability in the Easy Banners plugin 1. ...) NOT-FOR-US: WordPress plugin Easy Banners CVE-2014-4724 (Cross-site scripting (XSS) vulnerability in the Custom Banners plugin ...) NOT-FOR-US: WordPress plugin Custom Banners CVE-2014-4722 (Multiple cross-site scripting (XSS) vulnerabilities in the OCS Reports ...) - ocsinventory-server (unimportant) NOTE: Authentication is needed, only supported in trusted environments, see debtags CVE-2014-4914 (The Zend_Db_Select::order function in Zend Framework before 1.12.7 doe ...) {DSA-3265-1 DLA-251-1} - zendframework 1.12.7-0.1 (bug #754201) NOTE: http://framework.zend.com/security/advisory/ZF2014-04 NOTE: https://github.com/zendframework/zf1/commit/da09186c60b9168520e994af4253fba9c19c2b3d CVE-2014-4913 (ZF2014-03 has a potential cross site scripting vector in multiple view ...) - zendframework (Vulnerable code not present, only affects ZF2) NOTE: http://framework.zend.com/security/advisory/ZF2014-03 CVE-2014-4911 (The ssl_decrypt_buf function in library/ssl_tls.c in PolarSSL before 1 ...) {DSA-2981-1 DLA-36-1} - polarssl 1.3.7-2.1 (bug #754655) [squeeze] - polarssl 1.2.9-1~deb6u2 NOTE: https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-02 NOTE: commit for 1.3.x branch: https://github.com/polarssl/polarssl/commit/0bcc4e1df78fff6d15c3ecb521e3bd0bbee86e1c NOTE: commit for 1.2.x branch: https://github.com/polarssl/polarssl/commit/5bad6afd8c72b2c3a6574dff01ca5f8f2f04800a CVE-2014-4910 (Directory traversal vulnerability in tools/backlight_helper.c in X.Org ...) - xserver-xorg-video-intel (Vulnerable code not present) NOTE: http://lists.x.org/archives/xorg-commit/2014-July/036840.html NOTE: only experimental, and xf86-video-intel-backlight-helper not installed setuid in Debian CVE-2014-4720 (Email::Address module before 1.904 for Perl uses an inefficient regula ...) {DSA-2969-1} - libemail-address-perl 1.905-1 [squeeze] - libemail-address-perl 1.889-2+deb6u1 CVE-2014-4719 (Cross-site scripting (XSS) vulnerability in the login panel (svn/login ...) NOT-FOR-US: User-Friendly SVN CVE-2014-4718 (Multiple cross-site request forgery (CSRF) vulnerabilities in Lunar CM ...) NOT-FOR-US: Lunar CMS CVE-2014-4717 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Simp ...) NOT-FOR-US: WordPress plugin simple-share-buttons-adder CVE-2014-4716 (Cross-site request forgery (CSRF) vulnerability in Thomson TWG87OUIR a ...) NOT-FOR-US: Thomson TWG87OUIR CVE-2014-4714 REJECTED CVE-2014-4713 RESERVED CVE-2014-4712 RESERVED CVE-2014-4711 RESERVED CVE-2014-4710 (Cross-site scripting (XSS) vulnerability in zero_user_account.php in Z ...) NOT-FOR-US: ZeroCMS CVE-2014-4709 RESERVED CVE-2014-4708 RESERVED CVE-2014-4707 (Huawei Campus S7700 with software V200R001C00SPC300, V200R002C00SPC100 ...) NOT-FOR-US: Huawei CVE-2014-4706 (Huawei Campus S3700HI with software V200R001C00SPC300; Campus S5700 wi ...) NOT-FOR-US: Huawei CVE-2014-4705 (Multiple heap-based buffer overflows in the eSap software platform in ...) NOT-FOR-US: eSap CVE-2014-4704 RESERVED CVE-2013-7388 (Heap-based buffer overflow in paintlib, as used in Trimble SketchUp (f ...) NOT-FOR-US: Trimble SketchUp CVE-2012-6652 (Directory traversal vulnerability in pageflipbook.php script from inde ...) NOT-FOR-US: WordPress plugin wppageflip CVE-2012-6651 (Multiple directory traversal vulnerabilities in the Vitamin plugin bef ...) NOT-FOR-US: WordPress plugin vitamin CVE-2012-6650 RESERVED CVE-2014-XXXX [Quassel: /var/lib/quassel/quasselCert.pem world-readable] - quassel 0.10.0-2 (low) [wheezy] - quassel 0.8.0-1+deb7u2 [squeeze] - quassel (Minor issue) CVE-2014-4908 (Multiple cross-site scripting (XSS) vulnerabilities in PNP4Nagios thro ...) - pnp4nagios 0.6.24+dfsg1-1 (low) [wheezy] - pnp4nagios (Minor issue) NOTE: https://github.com/lingej/pnp4nagios/commit/cb925073edeeb97eb4ce61a86cdafccc9b87f9bb NOTE: https://bugs.gentoo.org/show_bug.cgi?id=516078 NOTE: https://github.com/lingej/pnp4nagios/commit/e4a19768a5c5e5b1276caf3dd5bb721a540ec014 NOTE: https://bugs.gentoo.org/show_bug.cgi?id=516140 CVE-2014-4907 (Cross-site scripting (XSS) vulnerability in share/pnp/application/view ...) - pnp4nagios 0.6.24+dfsg1-1 (low) [wheezy] - pnp4nagios (Minor issue) NOTE: https://bugs.gentoo.org/show_bug.cgi?id=51607 NOTE: http://sourceforge.net/p/pnp4nagios/code/ci/f846a6c9d007ca2bee05359af747619151195fc9/ CVE-2014-4715 (Yann Collet LZ4 before r119, when used on certain 32-bit platforms tha ...) - lz4 0.0~r119-1 NOTE: https://code.google.com/p/lz4/issues/detail?id=134 NOTE: https://code.google.com/p/lz4/source/detail?r=119 CVE-2014-4700 (Citrix XenDesktop 7.x, 5.x, and 4.x, when pooled random desktop groups ...) NOT-FOR-US: Citrix XenDesktop CVE-2014-4699 (The Linux kernel before 3.15.4 on Intel processors does not properly r ...) {DSA-2972-1 DLA-0015-1} - linux 3.14.10-1 - linux-2.6 [squeeze] - linux-2.6 2.6.32-48squeeze8 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a CVE-2014-4698 (Use-after-free vulnerability in ext/spl/spl_array.c in the SPL compone ...) - php5 5.6.0~rc3+dfsg-1 (unimportant) NOTE: http://git.php.net/?p=php-src.git;a=commit;h=22882a9d89712ff2b6ebc20a689a89452bba4dcd NOTE: https://bugs.php.net/bug.php?id=67539 NOTE: exploitable by malicious scripts only CVE-2014-4697 RESERVED CVE-2014-4696 (Multiple open redirect vulnerabilities in the Suricata package before ...) NOT-FOR-US: pfSense CVE-2014-4695 (Multiple open redirect vulnerabilities in the Snort package before 3.0 ...) NOT-FOR-US: pfSense CVE-2014-4694 (Multiple cross-site scripting (XSS) vulnerabilities in suricata_select ...) NOT-FOR-US: pfSense CVE-2014-4693 (Multiple cross-site scripting (XSS) vulnerabilities in the Snort packa ...) NOT-FOR-US: pfSense CVE-2014-4692 (pfSense before 2.1.4, when HTTP is used, does not include the HTTPOnly ...) NOT-FOR-US: pfSense CVE-2014-4691 (Session fixation vulnerability in pfSense before 2.1.4 allows remote a ...) NOT-FOR-US: pfSense CVE-2014-4690 (Multiple directory traversal vulnerabilities in pfSense before 2.1.4 a ...) NOT-FOR-US: pfSense CVE-2014-4689 (Absolute path traversal vulnerability in pkg_edit.php in pfSense befor ...) NOT-FOR-US: pfSense CVE-2014-4688 (pfSense before 2.1.4 allows remote authenticated users to execute arbi ...) NOT-FOR-US: pfSense CVE-2014-4687 (Multiple cross-site scripting (XSS) vulnerabilities in pfSense before ...) NOT-FOR-US: pfSense CVE-2014-4686 (The Project administration application in Siemens SIMATIC WinCC before ...) NOT-FOR-US: Siemens SIMATIC WinCC CVE-2014-4685 (Siemens SIMATIC WinCC before 7.3, as used in PCS7 and other products, ...) NOT-FOR-US: Siemens SIMATIC WinCC CVE-2014-4684 (The database server in Siemens SIMATIC WinCC before 7.3, as used in PC ...) NOT-FOR-US: Siemens SIMATIC WinCC CVE-2014-4683 (The WebNavigator server in Siemens SIMATIC WinCC before 7.3, as used i ...) NOT-FOR-US: Siemens SIMATIC WinCC CVE-2014-4682 (The WebNavigator server in Siemens SIMATIC WinCC before 7.3, as used i ...) NOT-FOR-US: Siemens SIMATIC WinCC CVE-2014-4681 RESERVED CVE-2014-4680 RESERVED CVE-2014-4679 RESERVED CVE-2014-4677 (The installPackage function in the installerHelper subcomponent in Lib ...) NOT-FOR-US: Libmacgpg CVE-2014-4676 RESERVED CVE-2014-4675 RESERVED CVE-2014-4674 RESERVED CVE-2014-4673 RESERVED CVE-2014-4672 (The CDetailView widget in Yii PHP Framework 1.1.14 allows remote attac ...) - yii-framework-php (bug #683810) CVE-2014-4671 (Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2014-4670 (Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL compon ...) {DSA-3008-1} - php5 5.6.0~rc3+dfsg-1 (unimportant) NOTE: exploitable by malicious scripts only NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=df78c48354f376cf419d7a97f88ca07d572f00fb NOTE: https://bugs.php.net/bug.php?id=67538 CVE-2014-4669 (HP Enterprise Maps 1.00 allows remote authenticated users to read arbi ...) NOT-FOR-US: HP Enterprise Maps CVE-2014-4666 RESERVED CVE-2014-4665 RESERVED CVE-2014-4664 (Cross-site scripting (XSS) vulnerability in the Wordfence Security plu ...) NOT-FOR-US: Wordfence Security plugin for WordPress CVE-2014-4663 (TimThumb 2.8.13 and WordThumb 1.07, when Webshot (aka Webshots) is ena ...) NOT-FOR-US: WordPress timthumb CVE-2014-4662 RESERVED CVE-2014-4661 (Cross-site scripting (XSS) vulnerability in HP Records Manager before ...) NOT-FOR-US: HP Records Manager CVE-2014-4651 (It was found that the jclouds scriptbuilder Statements class wrote a t ...) NOT-FOR-US: JClouds CVE-2014-4647 (Stack-based buffer overflow in the loadExtensionFactory method in the ...) NOT-FOR-US: Embarcadero ER/Studio Data Architect CVE-2014-4646 (Buffer overflow in the FPDFBookmark_GetTitle method in Foxit PDF SDK D ...) NOT-FOR-US: Foxit PDF SDK CVE-2014-4645 (Cross-site scripting (XSS) vulnerability in dhcpinfo.html in D-link DS ...) NOT-FOR-US: D-Link hardware CVE-2014-4644 (SQL injection vulnerability in superlinks.php in the superlinks plugin ...) NOT-FOR-US: Cacti plugin superlinks CVE-2014-4643 (Multiple heap-based buffer overflows in the client in Core FTP LE 2.2 ...) NOT-FOR-US: Core FTP client CVE-2012-6649 (WordPress WP GPX Maps Plugin 1.1.21 allows remote attackers to execute ...) NOT-FOR-US: WordPress WP GPX Maps Plugin CVE-2014-4721 (The phpinfo implementation in ext/standard/info.c in PHP before 5.4.30 ...) {DSA-2974-1 DLA-0018-1} - php5 5.6.0~rc1+dfsg-2 (low) [squeeze] - php5 5.3.3-7+squeeze21 NOTE: https://bugs.php.net/bug.php?id=67498 NOTE: https://www.sektioneins.de/en/blog/14-07-04-phpinfo-infoleak.html CVE-2014-4668 (The cherokee_validator_ldap_check function in validator_ldap.c in Cher ...) - cherokee (low) [squeeze] - cherokee (Minor issue) CVE-2014-4667 (The sctp_association_free function in net/sctp/associola.c in the Linu ...) {DSA-2992-1 DLA-0015-1} - linux 3.14.9-1 - linux-2.6 [squeeze] - linux-2.6 2.6.32-48squeeze8 NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d3217b15a19a4779c39b212358a5c71d725822ee (v3.16-rc1) CVE-2014-4656 (Multiple integer overflows in sound/core/control.c in the ALSA control ...) {DLA-0015-1} - linux 3.14.9-1 [wheezy] - linux 3.2.60-1 - linux-2.6 [squeeze] - linux-2.6 2.6.32-48squeeze8 CVE-2014-4655 (The snd_ctl_elem_add function in sound/core/control.c in the ALSA cont ...) {DLA-103-1} - linux 3.14.9-1 [wheezy] - linux 3.2.60-1 - linux-2.6 CVE-2014-4654 (The snd_ctl_elem_add function in sound/core/control.c in the ALSA cont ...) {DLA-103-1} - linux 3.14.9-1 [wheezy] - linux 3.2.60-1 - linux-2.6 CVE-2014-4653 (sound/core/control.c in the ALSA control implementation in the Linux k ...) {DLA-103-1} - linux 3.14.9-1 [wheezy] - linux 3.2.60-1 - linux-2.6 CVE-2014-4652 (Race condition in the tlv handler functionality in the snd_ctl_elem_us ...) {DLA-0015-1} - linux 3.14.9-1 (low) [wheezy] - linux 3.2.60-1 - linux-2.6 (low) [squeeze] - linux-2.6 2.6.32-48squeeze8 CVE-2014-4678 (The safe_eval function in Ansible before 1.6.4 does not properly restr ...) - ansible 1.6.6+dfsg-1 NOTE: https://github.com/ansible/ansible/commit/5429b85b9f6c2e640074176f36ff05fd5e4d1916 NOTE: See http://www.openwall.com/lists/oss-security/2014/06/26/30 CVE-2014-4660 (Ansible before 1.5.5 constructs filenames containing user and password ...) - ansible 1.5.5+dfsg-1 NOTE: https://github.com/ansible/ansible/commit/c4b5e46054c74176b2446c82d4df1a2610eddc08 CVE-2014-4659 (Ansible before 1.5.5 sets 0644 permissions for sources.list, which mig ...) - ansible 1.5.5+dfsg-1 NOTE: https://github.com/ansible/ansible/commit/c4b5e46054c74176b2446c82d4df1a2610eddc08 CVE-2014-4658 (The vault subsystem in Ansible before 1.5.5 does not set the umask bef ...) - ansible 1.5.5+dfsg-1 NOTE: https://github.com/ansible/ansible/commit/a0e027fe362fbc209dbeff2f72d6e95f39885c69 CVE-2014-4657 (The safe_eval function in Ansible before 1.5.4 does not properly restr ...) - ansible 1.5.5+dfsg-1 NOTE: https://github.com/ansible/ansible/commit/998793fd0ab55705d57527a38cee5e83f535974c CVE-2014-4650 (The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly h ...) - python2.6 (low) [squeeze] - python2.6 (Minor issue) [wheezy] - python2.6 (Minor issue) - python2.7 2.7.8-1 (low) [wheezy] - python2.7 (Minor issue) - python3.1 (low) [squeeze] - python3.1 (Minor issue) - python3.2 (low) [wheezy] - python3.2 (Minor issue) - python3.3 (low) - python3.4 3.4.1-8 (low) NOTE: http://bugs.python.org/issue21766 CVE-2014-4649 (SQL injection vulnerability in the photo-edit subsystem in Piwigo 2.6. ...) - piwigo (low) [squeeze] - piwigo (Unsupported in squeeze-lts) NOTE: Request to mark the package as unsupported in #779104 CVE-2014-4648 (Unspecified vulnerability in Piwigo before 2.6.3 has unknown impact an ...) - piwigo (low) [squeeze] - piwigo (Unsupported in squeeze-lts) NOTE: Request to mark the package as unsupported in #779104 CVE-2014-4642 REJECTED CVE-2014-4641 REJECTED CVE-2014-4640 REJECTED CVE-2014-4639 (EMC Documentum Web Development Kit (WDK) before 6.8 does not properly ...) NOT-FOR-US: EMC Documentum Web Development CVE-2014-4638 (EMC Documentum Web Development Kit (WDK) before 6.8 allows remote atta ...) NOT-FOR-US: EMC Documentum Web Development CVE-2014-4637 (Open redirect vulnerability in EMC Documentum Web Development Kit (WDK ...) NOT-FOR-US: EMC Documentum Web Development CVE-2014-4636 (Cross-site request forgery (CSRF) vulnerability in EMC Documentum Web ...) NOT-FOR-US: EMC Documentum Web Development CVE-2014-4635 (Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum ...) NOT-FOR-US: EMC Documentum Web Development CVE-2014-4634 (Unquoted Windows search path vulnerability in EMC Replication Manager ...) NOT-FOR-US: EMC Replication Manager and EMC AppSync CVE-2014-4633 (Cross-site scripting (XSS) vulnerability in EMC RSA Archer GRC Platfor ...) NOT-FOR-US: EMC RSA Archer GRC Platform CVE-2014-4632 (VMware vSphere Data Protection (VDP) 5.1, 5.5 before 5.5.9, and 5.8 be ...) NOT-FOR-US: EMC Avamar CVE-2014-4631 (RSA Adaptive Authentication (On-Premise) 6.0.2.1 through 7.1 P3, when ...) NOT-FOR-US: RSA Adaptive Authentication CVE-2014-4630 (EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before 4.0.6 and RSA BSA ...) NOT-FOR-US: RSA BSAFE CVE-2014-4629 (EMC Documentum Content Server 7.0, 7.1 before 7.1 P10, and 6.7 before ...) NOT-FOR-US: EMC Documentum Content Server CVE-2014-4628 (Cross-site scripting (XSS) vulnerability in EMC Isilon InsightIQ 2.x a ...) NOT-FOR-US: EMC Isilon InsightIQ CVE-2014-4627 (SQL injection vulnerability in EMC RSA Web Threat Detection 4.x before ...) NOT-FOR-US: EMC RSA Web Threat Detection CVE-2014-4626 (EMC Documentum Content Server before 6.7 SP1 P29, 6.7 SP2 before P18, ...) NOT-FOR-US: EMC Documentum Content Server CVE-2014-4625 RESERVED CVE-2014-4624 (EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7 ...) NOT-FOR-US: EMC Avamar CVE-2014-4623 (EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) ...) NOT-FOR-US: EMC Avamar CVE-2014-4622 (EMC Documentum Content Server before 6.7 SP2 P17, 7.0 through P15, and ...) NOT-FOR-US: EMC Documentum Content Server CVE-2014-4621 (EMC Documentum Content Server before 6.7 SP2 P17, 7.0 through P15, and ...) NOT-FOR-US: EMC Documentum Content Server CVE-2014-4620 (The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 throug ...) NOT-FOR-US: EMC NetWorker CVE-2014-4619 (EMC RSA Identity Management and Governance (IMG) 6.5.x before 6.5.1 P1 ...) NOT-FOR-US: EMC RSA Identity Management and Governance CVE-2014-4618 (EMC Documentum Content Server before 6.7 SP2 P16 and 7.x before 7.1 P0 ...) NOT-FOR-US: EMC Documentum Content Server CVE-2014-4612 (Cross-site scripting (XSS) vulnerability in the keywords manager (keyw ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2014-4611 (Integer overflow in the LZ4 algorithm implementation, as used in Yann ...) - linux 3.14.9-1 (unimportant) [wheezy] - linux (LZ4 support introduced in 3.11) - linux-2.6 (LZ4 support introduced in 3.11) NOTE: possible fix in https://lkml.org/lkml/2014/7/4/288 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=883949#c12 - lz4 0.0~r119-1 NOTE: Not exploitable for lz* compressed kernel images: http://fastcompression.blogspot.fr/2014/06/debunking-lz4-20-years-old-bug-myth.html NOTE: for lz4: https://code.google.com/p/lz4/issues/detail?id=52 and https://code.google.com/p/lz4/source/detail?r=118 CVE-2014-4610 (Integer overflow in the get_len function in libavutil/lzo.c in FFmpeg ...) - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) NOTE: Fixed in http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=d6af26c55c1ea30f85a7d9edbc373f53be1743ee CVE-2014-4609 (Integer overflow in the get_len function in libavutil/lzo.c in Libav b ...) {DSA-2977-1} - libav 6:10.2-1 NOTE: http://git.libav.org/?p=libav.git;a=commit;h=ccda51b14c0fcae2fad73a24872dce75a7964996 CVE-2014-4608 (** DISPUTED ** Multiple integer overflows in the lzo1x_decompress_safe ...) - linux 3.14.9-1 (unimportant) [wheezy] - linux 3.2.63-1 - linux-2.6 (unimportant) [squeeze] - linux-2.6 2.6.32-48squeeze9 NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=206a81c18401c0cde6e579164f752c4b147324ce NOTE: Not exploitable with the block sizes used in kernel images CVE-2014-4607 (Integer overflow in the LZO algorithm variant in Oberhumer liblzo2 and ...) {DSA-2995-1 DLA-35-1} - lzo - lzo2 2.08-1 (bug #752861) - busybox 1:1.22.0-10 (bug #768945) [jessie] - busybox 1:1.22.0-9+deb8u1 [wheezy] - busybox (Minor issue) [squeeze] - busybox (Minor issue) CVE-2014-4606 (Cross-site scripting (XSS) vulnerability in redirect_to_zeenshare.php ...) NOT-FOR-US: WordPress plugin ZeenShare CVE-2014-4605 (Cross-site scripting (XSS) vulnerability in cal/test.php in the ZdStat ...) NOT-FOR-US: WordPress plugin ZdStatistics CVE-2014-4604 (Cross-site scripting (XSS) vulnerability in settings/pwsettings.php in ...) NOT-FOR-US: WordPress plugin Your Text Manager CVE-2014-4603 (Multiple cross-site scripting (XSS) vulnerabilities in yupdates_applic ...) NOT-FOR-US: WordPress plugin Yahoo Updates CVE-2014-4602 (Multiple cross-site scripting (XSS) vulnerabilities in xencarousel-adm ...) NOT-FOR-US: WordPress plugin XEN Carousel CVE-2014-4601 (Cross-site scripting (XSS) vulnerability in wu-ratepost.php in the Wu- ...) NOT-FOR-US: WordPress plugin Wu-Rating CVE-2014-4600 (Multiple cross-site scripting (XSS) vulnerabilities in contact/edit.ph ...) NOT-FOR-US: WordPress plugin WP Ultimate Email Marketer CVE-2014-4599 (Multiple cross-site scripting (XSS) vulnerabilities in forms/search.ph ...) NOT-FOR-US: WordPress plugin WP-Business Directory CVE-2014-4598 (Cross-site scripting (XSS) vulnerability in wp-tmkm-amazon-search.php ...) NOT-FOR-US: WordPress plugin wp-tmkm-amazon CVE-2014-4597 (Cross-site scripting (XSS) vulnerability in test.php in the WP Social ...) NOT-FOR-US: WordPress plugin WP Social Invitations CVE-2014-4596 (Multiple cross-site scripting (XSS) vulnerabilities in js/button-snapa ...) NOT-FOR-US: WordPress plugin SnapApp CVE-2014-4595 (Multiple cross-site scripting (XSS) vulnerabilities in the WP RESTful ...) NOT-FOR-US: WordPress plugin WP RESTful CVE-2014-4594 (Cross-site scripting (XSS) vulnerability in index.php in the WordPress ...) NOT-FOR-US: WordPress plugin Responsive Preview CVE-2014-4593 (Cross-site scripting (XSS) vulnerability in wp-plugins-net/index.php i ...) NOT-FOR-US: WordPress plugin WP Plugin Manager CVE-2014-4592 (Cross-site scripting (XSS) vulnerability in rss.class/scripts/magpie_d ...) NOT-FOR-US: WP-Planet plugin for WordPress CVE-2014-4591 (Cross-site scripting (XSS) vulnerability in picasa_upload.php in the W ...) NOT-FOR-US: WordPress plugin WP-Picasa-Image CVE-2014-4590 (Cross-site scripting (XSS) vulnerability in get.php in the WP Microblo ...) NOT-FOR-US: WordPress plugin WP Microblogs CVE-2014-4589 (Cross-site scripting (XSS) vulnerability in uploader.php in the WP Sil ...) NOT-FOR-US: WordPress plugin wp-media-player CVE-2014-4588 (Cross-site scripting (XSS) vulnerability in tpls/editmedia.php in the ...) NOT-FOR-US: WordPress plugin wphotfiles CVE-2014-4587 (Multiple cross-site scripting (XSS) vulnerabilities in the WP GuestMap ...) NOT-FOR-US: WordPress plugin WP GuestMap CVE-2014-4586 (Multiple cross-site scripting (XSS) vulnerabilities in the wp-football ...) NOT-FOR-US: WordPress plugin wp-football CVE-2014-4585 (Cross-site scripting (XSS) vulnerability in the WP-FaceThumb plugin po ...) NOT-FOR-US: WordPress plugin WP-FaceThumb CVE-2014-4584 (Cross-site scripting (XSS) vulnerability in admin/editFacility.php in ...) NOT-FOR-US: WordPress plugin wp-easybooking CVE-2014-4583 (Multiple cross-site scripting (XSS) vulnerabilities in forms/messages. ...) NOT-FOR-US: WordPress plugin WP-Contact CVE-2014-4582 (Cross-site scripting (XSS) vulnerability in admin/admin_show_dialogs.p ...) NOT-FOR-US: WordPress plugin WP Consultant CVE-2014-4581 (Cross-site scripting (XSS) vulnerability in facture.php in the WPCB pl ...) NOT-FOR-US: WordPress plugin WPCB CVE-2014-4580 (Cross-site scripting (XSS) vulnerability in blipbot.ajax.php in the WP ...) NOT-FOR-US: WordPress plugin WP BlipBot CVE-2014-4579 (Cross-site scripting (XSS) vulnerability in js/test.php in the Appoint ...) NOT-FOR-US: WordPress plugin Appointments Scheduler CVE-2014-4578 (Cross-site scripting (XSS) vulnerability in asset-studio/icons-launche ...) NOT-FOR-US: WordPress plugin WP App Maker CVE-2014-4577 (Absolute path traversal vulnerability in reviews.php in the WP AmASIN ...) NOT-FOR-US: WordPress plugin WP AmASIN - The Amazon Affiliate Shop CVE-2014-4576 (Cross-site scripting (XSS) vulnerability in services/diagnostics.php i ...) NOT-FOR-US: WordPress plugin WordPress Social Login CVE-2014-4575 (Cross-site scripting (XSS) vulnerability in js/window.php in the Wikip ...) NOT-FOR-US: WordPress plugin Wikipop CVE-2014-4574 (Cross-site scripting (XSS) vulnerability in resize.php in the WebEngag ...) NOT-FOR-US: WordPress plugin WebEngage CVE-2014-4573 (Multiple cross-site scripting (XSS) vulnerabilities in frame-maker.php ...) NOT-FOR-US: WordPress plugin Walk Score CVE-2014-4572 (Cross-site scripting (XSS) vulnerability in bvc.php in the Votecount f ...) NOT-FOR-US: WordPress plugin Votecount for Balatarin CVE-2014-4571 (Multiple cross-site scripting (XSS) vulnerabilities in vncal.js.php in ...) NOT-FOR-US: WordPress plugin VN-Calendar CVE-2014-4570 (Multiple cross-site scripting (XSS) vulnerabilities in the VideoWhispe ...) NOT-FOR-US: WordPress plugin VideoWhisper Video Presentation CVE-2014-4569 (Cross-site scripting (XSS) vulnerability in ls/vv_login.php in the Vid ...) NOT-FOR-US: WordPress plugin VideoWhisper Live Streaming Integration CVE-2014-4568 (Cross-site scripting (XSS) vulnerability in posts/videowhisper/r_logou ...) NOT-FOR-US: WordPress plugin CVE-2014-4567 (Cross-site scripting (XSS) vulnerability in comments/videowhisper2/r_l ...) NOT-FOR-US: Video Comments Webcam Recorder plugin for WordPress CVE-2014-4566 (Cross-site scripting (XSS) vulnerability in res/fake_twitter/frame.php ...) NOT-FOR-US: WordPress plugin CVE-2014-4565 (Multiple cross-site scripting (XSS) vulnerabilities in vcc.js.php in t ...) NOT-FOR-US: WordPress plugin CVE-2014-4564 (Cross-site scripting (XSS) vulnerability in check.php in the Validated ...) NOT-FOR-US: WordPress plugin CVE-2014-4563 (Cross-site scripting (XSS) vulnerability in go.php in the URL Cloak &a ...) NOT-FOR-US: WordPress plugin CVE-2014-4562 RESERVED CVE-2014-4561 (The ultimate-weather plugin 1.0 for WordPress has XSS ...) NOT-FOR-US: ultimate-weather plugin for WordPress CVE-2014-4560 (Cross-site scripting (XSS) vulnerability in includes/getTipo.php in th ...) NOT-FOR-US: WordPress plugin ToolPage CVE-2014-4559 (Multiple cross-site scripting (XSS) vulnerabilities in test-plugin.php ...) NOT-FOR-US: WordPress plugin CVE-2014-4558 (Cross-site scripting (XSS) vulnerability in test-plugin.php in the Swi ...) NOT-FOR-US: WordPress plugin CVE-2014-4557 (Cross-site scripting (XSS) vulnerability in test-plugin.php in the Swi ...) NOT-FOR-US: WordPress plugin Swipe Checkout for Jigoshop CVE-2014-4556 (Cross-site scripting (XSS) vulnerability in test-plugin.php in the Swi ...) NOT-FOR-US: WordPress plugin Switch Checkout for eShop CVE-2014-4555 (Cross-site scripting (XSS) vulnerability in fonts/font-form.php in the ...) NOT-FOR-US: WordPress plugin Style It CVE-2014-4554 (Cross-site scripting (XSS) vulnerability in templates/download.php in ...) NOT-FOR-US: WordPress plugin SS Downloads CVE-2014-4553 (Cross-site Scripting (XSS) in the spreadshirt-rss-3d-cube-flash-galler ...) NOT-FOR-US: spreadshirt-rss-3d-cube-flash- gallery plugin for WordPress CVE-2014-4552 (Cross-site scripting (XSS) vulnerability in library/includes/payment/p ...) NOT-FOR-US: WordPress plugin Spotlight CVE-2014-4551 (Cross-site scripting (XSS) vulnerability in diagnostics/test.php in th ...) NOT-FOR-US: WordPress plugin Social Connect CVE-2014-4550 (Cross-site scripting (XSS) vulnerability in preview-shortcode-external ...) NOT-FOR-US: Shortcode Ninja plugin for WordPress CVE-2014-4549 (Multiple cross-site scripting (XSS) vulnerabilities in pages/3DComplet ...) NOT-FOR-US: WordPress plugin WooCommerce SagePay Direct Payment Gateway CVE-2014-4548 (Cross-site scripting (XSS) vulnerability in tinymce/popup.php in the R ...) NOT-FOR-US: WordPress plugin CVE-2014-4547 (Multiple cross-site scripting (XSS) vulnerabilities in templates/defau ...) NOT-FOR-US: WordPress plugin Rezgo Online Booking CVE-2014-4546 (Cross-site scripting (XSS) vulnerability in book_ajax.php in the Rezgo ...) NOT-FOR-US: WordPress plugin Rezgo CVE-2014-4545 (Multiple cross-site scripting (XSS) vulnerabilities in pq_dialog.php i ...) NOT-FOR-US: WordPress plugin Pro Quoter CVE-2014-4544 (Cross-site scripting (XSS) vulnerability in the Podcast Channels plugi ...) NOT-FOR-US: WordPress plugin CVE-2014-4543 (Multiple cross-site scripting (XSS) vulnerabilities in payper/payper.p ...) NOT-FOR-US: WordPress plugin Pay Per Media Player CVE-2014-4542 (Cross-site scripting (XSS) vulnerability in redirect.php in the Ooorl ...) NOT-FOR-US: WordPress plugin Ooorl CVE-2014-4541 (Cross-site scripting (XSS) vulnerability in shortcode-generator/previe ...) NOT-FOR-US: WordPress plugin OMFG Mobile Pro CVE-2014-4540 (Cross-site scripting (XSS) vulnerability in oleggo-twitter/twitter_log ...) NOT-FOR-US: WordPress plugin Oleggo LiveStream CVE-2014-4539 (Cross-site scripting (XSS) vulnerability in the Movies plugin 0.6 and ...) NOT-FOR-US: WordPress plugin CVE-2014-4538 (Cross-site scripting (XSS) vulnerability in process.php in the Malware ...) NOT-FOR-US: WordPress plugin Malware Finder CVE-2014-4537 (Cross-site scripting (XSS) vulnerability in inpage.tpl.php in the Keyw ...) NOT-FOR-US: WordPress plugin Keyword Strategy Internal Links CVE-2014-4536 (Multiple cross-site scripting (XSS) vulnerabilities in tests/notAuto_t ...) NOT-FOR-US: Infusionsoft Gravity Forms plugin for WordPress CVE-2014-4535 (Cross-site scripting (XSS) vulnerability in the Import Legacy Media pl ...) NOT-FOR-US: Import Legacy Media plugin for WordPress CVE-2014-4534 (Multiple cross-site scripting (XSS) vulnerabilities in videoplayer/aut ...) NOT-FOR-US: WordPress plugin HTML5 Video Player with Playlist CVE-2014-4533 (Cross-site scripting (XSS) vulnerability in ajax_functions.php in the ...) NOT-FOR-US: WordPress plugin GEO Redirector CVE-2014-4532 (Cross-site scripting (XSS) vulnerability in templates/printAdminUsersL ...) NOT-FOR-US: WordPress plugin GarageSale CVE-2014-4531 (Cross-site scripting (XSS) vulnerability in main_page.php in the Game ...) NOT-FOR-US: WordPress plugin Game tabs CVE-2014-4530 (flog plugin 0.1 for WordPress has XSS ...) NOT-FOR-US: flog plugin for WordPress CVE-2014-4529 (Cross-site scripting (XSS) vulnerability in fpg_preview.php in the Fla ...) NOT-FOR-US: WordPress plugin Flash Photo Gallery CVE-2014-4528 (Multiple cross-site scripting (XSS) vulnerabilities in admin/swarm-set ...) NOT-FOR-US: WordPress plugin fbpromotions CVE-2014-4527 (Multiple cross-site scripting (XSS) vulnerabilities in paginas/vista-p ...) NOT-FOR-US: WordPress plugin envialosimple-email-marketing-y-newsletters-gratis CVE-2014-4526 (Multiple cross-site scripting (XSS) vulnerabilities in callback.php in ...) NOT-FOR-US: WordPress plugin efence CVE-2014-4525 (Cross-site scripting (XSS) vulnerability in magpie/scripts/magpie_slas ...) NOT-FOR-US: WordPress plugin CVE-2014-4524 (Cross-site scripting (XSS) vulnerability in classes/custom-image/media ...) NOT-FOR-US: WordPress plugin WP Easy Post Types CVE-2014-4523 (Cross-site scripting (XSS) vulnerability in the Easy Career Openings p ...) NOT-FOR-US: WordPress plugin CVE-2014-4522 (Cross-site scripting (XSS) vulnerability in client-assist.php in the d ...) NOT-FOR-US: WordPress plugin dsSearchAgent: WordPress Edition CVE-2014-4521 (Cross-site scripting (XSS) vulnerability in client-assist.php in the d ...) NOT-FOR-US: WordPress plugin dsIDXpress IDX CVE-2014-4520 (Cross-site scripting (XSS) vulnerability in phprack.php in the DMCA Wa ...) NOT-FOR-US: WordPress plugin DMCA WaterMarker CVE-2014-4519 (Cross-site scripting (XSS) vulnerability in the Conversador plugin 2.6 ...) NOT-FOR-US: WordPress plugin CVE-2014-4518 (Cross-site scripting (XSS) vulnerability in xd_resize.php in the Conta ...) NOT-FOR-US: WordPress plugin Contact Form by ContactMe.com CVE-2014-4517 (Cross-site scripting (XSS) vulnerability in getNetworkSites.php in the ...) NOT-FOR-US: WordPress plugin CBI Referral Manager CVE-2014-4516 (Cross-site scripting (XSS) vulnerability in bicm-carousel-preview.php ...) NOT-FOR-US: WordPress plugin BIC Media Widget CVE-2014-4515 (Cross-site scripting (XSS) vulnerability in mce_anyfont/dialog.php in ...) NOT-FOR-US: WordPress plugin AnyFont CVE-2014-4514 (Cross-site scripting (XSS) vulnerability in includes/api_tenpay/inc.te ...) NOT-FOR-US: WordPress plugin Alipay plugin CVE-2014-4513 (Multiple cross-site scripting (XSS) vulnerabilities in server/offline. ...) NOT-FOR-US: WordPress plugin ActiveHelper LiveHelp Live Chat CVE-2014-4512 RESERVED CVE-2014-4511 (Gitlist before 0.5.0 allows remote attackers to execute arbitrary comm ...) - gitlist (bug #750368) CVE-2014-4509 (The MKDQUOTESAFE function in the Fan-out driver scripts in Fan-Out Pla ...) NOT-FOR-US: Novell Identity Manager CVE-2014-4507 (Directory traversal vulnerability in Smart-Proxy in Foreman before 1.4 ...) - foreman (bug #663101) CVE-2014-4506 (Cross-site scripting (XSS) vulnerability in the Custom Meta module 6.x ...) NOT-FOR-US: Drupal module Custom Meta CVE-2014-4505 (Cross-site scripting (XSS) vulnerability in the Easy Breadcrumb module ...) NOT-FOR-US: Drupal module Easy Breadcrumb CVE-2014-4617 (The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.1 ...) {DSA-2968-1 DSA-2967-1 DLA-51-1 DLA-0012-1} - gnupg 1.4.16-1.2 (bug #752497) [squeeze] - gnupg 1.4.10-4+squeeze5 - gnupg2 2.0.24-1 (bug #752498) NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=11fdfcf82bd8 CVE-2014-4616 (Array index error in the scanstring function in the _json module in Py ...) - python2.5 [squeeze] - python2.5 (minor issue) - python2.6 [squeeze] - python2.6 (minor issue) [wheezy] - python2.6 (minor issue) - python2.7 2.7.7-1 (bug #752395) [wheezy] - python2.7 (minor issue) - python3.2 [wheezy] - python3.2 (minor issue) - python3.3 - python3.4 3.4.0+20140417-1 NOTE: http://bugs.python.org/issue21529 CVE-2014-4615 (The notifier middleware in OpenStack PyCADF 0.5.0 and earlier, Telemet ...) - neutron 2014.1.2-1 NOTE: upstream patch: https://git.openstack.org/cgit/openstack/neutron/commit/?id=0324965a0c2987e5cad6276f011682dec184205f (neutron) - ceilometer 2014.1.2-1 NOTE: Upstream patch: https://git.openstack.org/cgit/openstack/ceilometer/commit/?id=2b6454f9f4e0585949ab68a91ed405755438d76e (ceilometer) NOTE: Upstream patch: https://git.openstack.org/cgit/openstack/ceilometer/commit/?id=264f3b0d9640edeac743f339786e0a3b22c0f6c2 (ceilometer) - python-pycadf 0.5.1-1 NOTE: Upstream patch: https://git.openstack.org/cgit/openstack/pycadf/commit/?id=966d4410a1a69e0a3af678442a1a965dae80d720 (pycadf) CVE-2014-4614 (Multiple cross-site request forgery (CSRF) vulnerabilities in Piwigo b ...) - piwigo (low) [squeeze] - piwigo (Minor issue) NOTE: Request to mark the package as unsupported in #779104 CVE-2014-4613 (Cross-site request forgery (CSRF) vulnerability in the administration ...) - piwigo (low) [squeeze] - piwigo (Minor issue) NOTE: Request to mark the package as unsupported in #779104 CVE-2014-4510 (Cross-site scripting (XSS) vulnerability in job.cc in apt-cacher-ng 0. ...) - apt-cacher-ng 0.7.26-2 [wheezy] - apt-cacher-ng (Minor issue) [squeeze] - apt-cacher-ng (Minor issue) CVE-2014-4508 (arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bi ...) {DLA-103-1} - linux 3.14.9-1 [wheezy] - linux 3.2.60-1 - linux-2.6 NOTE: http://article.gmane.org/gmane.linux.kernel/1726110 NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=554086d85e71f30abe46fc014fea31929a7c6a8a CVE-2014-4504 RESERVED CVE-2014-4503 (The parse_notify function in util.c in sgminer before 4.2.2 and cgmine ...) - cgminer 4.2.3-1 CVE-2014-4502 (Multiple heap-based buffer overflows in the parse_notify function in s ...) - cgminer 4.4.2-1 CVE-2014-4501 (Multiple stack-based buffer overflows in sgminer before 4.2.2, cgminer ...) - cgminer 4.4.2-1 CVE-2014-4500 RESERVED CVE-2014-4499 (The App Store process in CommerceKit Framework in Apple OS X before 10 ...) NOT-FOR-US: Apple CVE-2014-4498 (The CPU Software in Apple OS X before 10.10.2 allows physically proxim ...) NOT-FOR-US: Apple CVE-2014-4497 (Integer signedness error in IOBluetoothFamily in the Bluetooth impleme ...) NOT-FOR-US: Apple CVE-2014-4496 (The mach_port_kobject interface in the kernel in Apple iOS before 8.1. ...) NOT-FOR-US: Apple CVE-2014-4495 (The kernel in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and A ...) NOT-FOR-US: Apple CVE-2014-4494 (Springboard in Apple iOS before 8.1.3 does not properly validate signa ...) NOT-FOR-US: Apple CVE-2014-4493 (The app-installation functionality in MobileInstallation in Apple iOS ...) NOT-FOR-US: Apple CVE-2014-4492 (libnetcore in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and A ...) NOT-FOR-US: Apple CVE-2014-4491 (The extension APIs in the kernel in Apple iOS before 8.1.3, Apple OS X ...) NOT-FOR-US: Apple CVE-2014-4490 REJECTED CVE-2014-4489 (IOHIDFamily in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and ...) NOT-FOR-US: Apple CVE-2014-4488 (IOHIDFamily in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and ...) NOT-FOR-US: Apple CVE-2014-4487 (Buffer overflow in IOHIDFamily in Apple iOS before 8.1.3, Apple OS X b ...) NOT-FOR-US: Apple CVE-2014-4486 (IOAcceleratorFamily in Apple iOS before 8.1.3, Apple OS X before 10.10 ...) NOT-FOR-US: Apple CVE-2014-4485 (Buffer overflow in the XML parser in Foundation in Apple iOS before 8. ...) NOT-FOR-US: Apple CVE-2014-4484 (FontParser in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and A ...) NOT-FOR-US: Apple CVE-2014-4483 (Buffer overflow in FontParser in Apple iOS before 8.1.3, Apple OS X be ...) NOT-FOR-US: Apple CVE-2014-4482 REJECTED CVE-2014-4481 (Integer overflow in CoreGraphics in Apple iOS before 8.1.3, Apple OS X ...) NOT-FOR-US: Apple CVE-2014-4480 (Directory traversal vulnerability in afc in AppleFileConduit in Apple ...) NOT-FOR-US: Apple CVE-2014-4479 (WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, ...) NOT-FOR-US: Apple CVE-2014-4478 REJECTED CVE-2014-4477 (WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, ...) NOT-FOR-US: Apple CVE-2014-4476 (WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, ...) NOT-FOR-US: Apple CVE-2014-4475 (WebKit, as used in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-4474 (WebKit, as used in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-4473 (WebKit, as used in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-4472 (WebKit, as used in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-4471 (WebKit, as used in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-4470 (WebKit, as used in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-4469 (WebKit, as used in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-4468 (WebKit, as used in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-4467 (WebKit, as used in Apple iOS before 8.1.3, does not properly determine ...) NOT-FOR-US: Apple CVE-2014-4466 (WebKit, as used in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8. ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-4465 (WebKit in Apple Safari before 6.2.1, 7.x before 7.1.1, and 8.x before ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-4464 REJECTED CVE-2014-4463 (Apple iOS before 8.1.1 allows physically proximate attackers to bypass ...) NOT-FOR-US: Apple CVE-2014-4462 (WebKit, as used in Apple iOS before 8.1.1 and Apple TV before 7.0.2, a ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-4461 (The kernel in Apple iOS before 8.1.1 and Apple TV before 7.0.2 does no ...) NOT-FOR-US: Apple CVE-2014-4460 (CFNetwork in Apple iOS before 8.1.1 and OS X before 10.10.1 does not p ...) NOT-FOR-US: Apple CVE-2014-4459 (Use-after-free vulnerability in WebKit, as used in Apple OS X before 1 ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-4458 (The "System Profiler About This Mac" component in Apple OS X before 10 ...) NOT-FOR-US: Apple CVE-2014-4457 (The Sandbox Profiles subsystem in Apple iOS before 8.1.1 does not prop ...) NOT-FOR-US: Apple CVE-2014-4456 REJECTED CVE-2014-4455 (dyld in Apple iOS before 8.1.1 and Apple TV before 7.0.2 does not prop ...) NOT-FOR-US: Apple CVE-2014-4454 REJECTED CVE-2014-4453 (Apple iOS before 8.1.1 and OS X before 10.10.1 include location data d ...) NOT-FOR-US: Apple CVE-2014-4452 (WebKit, as used in Apple iOS before 8.1.1 and Apple TV before 7.0.2, a ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-4451 (Apple iOS before 8.1.1 does not properly enforce the failed-passcode l ...) NOT-FOR-US: Apple CVE-2014-4450 (The QuickType feature in the Keyboards subsystem in Apple iOS before 8 ...) NOT-FOR-US: Apple iOS CVE-2014-4449 (iCloud Data Access in Apple iOS before 8.1 does not verify X.509 certi ...) NOT-FOR-US: Apple iOS CVE-2014-4448 (House Arrest in Apple iOS before 8.1 relies on the hardware UID for it ...) NOT-FOR-US: Apple iOS CVE-2014-4447 (Profile Manager in Apple OS X Server before 4.0 allows local users to ...) NOT-FOR-US: Apple OS X CVE-2014-4446 (Mail Service in Apple OS X Server before 4.0 does not enforce SACL cha ...) NOT-FOR-US: Apple OS X CVE-2014-4445 REJECTED CVE-2014-4444 (SecurityAgent in Apple OS X before 10.10 does not ensure that a Kerber ...) NOT-FOR-US: Apple OS X CVE-2014-4443 (Apple OS X before 10.10 allows remote attackers to cause a denial of s ...) NOT-FOR-US: Apple OS X CVE-2014-4442 (The kernel in Apple OS X before 10.10 allows local users to cause a de ...) NOT-FOR-US: Apple OS X CVE-2014-4441 (NetFS Client Framework in Apple OS X before 10.10 does not ensure that ...) NOT-FOR-US: Apple OS X CVE-2014-4440 (The MCX Desktop Config Profiles implementation in Apple OS X before 10 ...) NOT-FOR-US: Apple OS X CVE-2014-4439 (Mail in Apple OS X before 10.10 does not properly recognize the remova ...) NOT-FOR-US: Apple OS X CVE-2014-4438 (Race condition in LoginWindow in Apple OS X before 10.10 allows physic ...) NOT-FOR-US: Apple OS X CVE-2014-4437 (LaunchServices in Apple OS X before 10.10 allows attackers to bypass i ...) NOT-FOR-US: Apple OS X CVE-2014-4436 (IOHIDFamily in Apple OS X before 10.10 allows attackers to cause denia ...) NOT-FOR-US: Apple OS X CVE-2014-4435 (The "iCloud Find My Mac" feature in Apple OS X before 10.10 does not p ...) NOT-FOR-US: Apple OS X CVE-2014-4434 (The kernel in Apple OS X before 10.10 allows physically proximate atta ...) NOT-FOR-US: Apple OS X CVE-2014-4433 (Heap-based buffer overflow in the kernel in Apple OS X before 10.10 al ...) NOT-FOR-US: Apple OS X CVE-2014-4432 (fdesetup in Apple OS X before 10.10 does not properly display the encr ...) NOT-FOR-US: Apple OS X CVE-2014-4431 (Dock in Apple OS X before 10.10 does not properly manage the screen-lo ...) NOT-FOR-US: Apple OS X CVE-2014-4430 (CoreStorage in Apple OS X before 10.10 retains a volume's encryption k ...) NOT-FOR-US: Apple OS X CVE-2014-4429 REJECTED CVE-2014-4428 (Bluetooth in Apple OS X before 10.10 does not require encryption for H ...) NOT-FOR-US: Apple OS X CVE-2014-4427 (App Sandbox in Apple OS X before 10.10 allows attackers to bypass a sa ...) NOT-FOR-US: Apple OS X CVE-2014-4426 (AFP File Server in Apple OS X before 10.10 allows remote attackers to ...) NOT-FOR-US: Apple OS X CVE-2014-4425 (CFPreferences in Apple OS X before 10.10 does not properly enforce the ...) NOT-FOR-US: Apple OS X CVE-2014-4424 (SQL injection vulnerability in Wiki Server in CoreCollaboration in App ...) NOT-FOR-US: Apple Mac OS X CVE-2014-4423 (The Accounts subsystem in Apple iOS before 8 allows attackers to bypas ...) NOT-FOR-US: Accounts subsystem in Apple iOS CVE-2014-4422 (The kernel in Apple iOS before 8 and Apple TV before 7 uses a predicta ...) NOT-FOR-US: Apple CVE-2014-4421 (The network-statistics interface in the kernel in Apple iOS before 8 a ...) NOT-FOR-US: Apple CVE-2014-4420 (The network-statistics interface in the kernel in Apple iOS before 8 a ...) NOT-FOR-US: Apple CVE-2014-4419 (The network-statistics interface in the kernel in Apple iOS before 8 a ...) NOT-FOR-US: Apple CVE-2014-4418 (IOKit in Apple iOS before 8 and Apple TV before 7 does not properly va ...) NOT-FOR-US: Apple CVE-2014-4417 (Safari in Apple OS X before 10.10 allows remote attackers to cause a d ...) NOT-FOR-US: Apple Safari CVE-2014-4416 (An unspecified integrated graphics driver routine in the Intel Graphic ...) NOT-FOR-US: Apples Mac OS X CVE-2014-4415 (WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows re ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-4414 (WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows re ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-4413 (WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows re ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-4412 (WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows re ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-4411 (WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows re ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-4410 (WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows re ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-4409 (WebKit in Apple iOS before 8 makes it easier for remote attackers to t ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-4408 (The rt_setgate function in the kernel in Apple iOS before 8 and Apple ...) NOT-FOR-US: Apple CVE-2014-4407 (IOKit in Apple iOS before 8 and Apple TV before 7 does not properly in ...) NOT-FOR-US: Apple CVE-2014-4406 (Cross-site scripting (XSS) vulnerability in Xcode Server in CoreCollab ...) NOT-FOR-US: Apple Mac OS X CVE-2014-4405 (IOHIDFamily in Apple iOS before 8 and Apple TV before 7 allows attacke ...) NOT-FOR-US: Apple CVE-2014-4404 (Heap-based buffer overflow in IOHIDFamily in Apple iOS before 8 and Ap ...) NOT-FOR-US: Apple CVE-2014-4403 (The kernel in Apple OS X before 10.9.5 allows local users to obtain se ...) NOT-FOR-US: Apple Mac OS X CVE-2014-4402 (An unspecified IOAcceleratorFamily function in Apple OS X before 10.9. ...) NOT-FOR-US: Apple Mac OS X CVE-2014-4401 (An unspecified integrated graphics driver routine in the Intel Graphic ...) NOT-FOR-US: Apple Mac OS X CVE-2014-4400 (An unspecified integrated graphics driver routine in the Intel Graphic ...) NOT-FOR-US: Apple Mac OS X CVE-2014-4399 (An unspecified integrated graphics driver routine in the Intel Graphic ...) NOT-FOR-US: Apple Mac OS X CVE-2014-4398 (An unspecified integrated graphics driver routine in the Intel Graphic ...) NOT-FOR-US: Apple Mac OS X CVE-2014-4397 (An unspecified integrated graphics driver routine in the Intel Graphic ...) NOT-FOR-US: Apple Mac OS X CVE-2014-4396 (An unspecified integrated graphics driver routine in the Intel Graphic ...) NOT-FOR-US: Apple Mac OS X CVE-2014-4395 (An unspecified integrated graphics driver routine in the Intel Graphic ...) NOT-FOR-US: Apple Mac OS X CVE-2014-4394 (An unspecified integrated graphics driver routine in the Intel Graphic ...) NOT-FOR-US: Apple Mac OS X CVE-2014-4393 (Buffer overflow in the shader compiler in the Intel Graphics Driver su ...) NOT-FOR-US: Apple Mac OS X CVE-2014-4392 REJECTED CVE-2014-4391 (The Code Signing feature in Apple OS X before 10.10 does not properly ...) NOT-FOR-US: Apple Mac OS X CVE-2014-4390 (Bluetooth in Apple OS X before 10.9.5 does not properly validate API c ...) NOT-FOR-US: Apple Mac OS X CVE-2014-4389 (Integer overflow in IOKit in Apple iOS before 8 and Apple TV before 7 ...) NOT-FOR-US: Apple CVE-2014-4388 (IOKit in Apple iOS before 8 and Apple TV before 7 does not properly va ...) NOT-FOR-US: Apple CVE-2014-4387 REJECTED CVE-2014-4386 (Race condition in the App Installation feature in Apple iOS before 8 a ...) NOT-FOR-US: Apple CVE-2014-4385 REJECTED CVE-2014-4384 (Directory traversal vulnerability in the App Installation feature in A ...) NOT-FOR-US: Apple CVE-2014-4383 (The Assets subsystem in Apple iOS before 8 and Apple TV before 7 allow ...) NOT-FOR-US: Apple CVE-2014-4382 REJECTED CVE-2014-4381 (Libnotify in Apple iOS before 8 and Apple TV before 7 lacks proper bou ...) NOT-FOR-US: Apple CVE-2014-4380 (The IOHIDFamily kernel extension in Apple iOS before 8 and Apple TV be ...) NOT-FOR-US: Apple CVE-2014-4379 (An unspecified IOHIDFamily function in Apple iOS before 8 and Apple TV ...) NOT-FOR-US: Apple CVE-2014-4378 (CoreGraphics in Apple iOS before 8 and Apple TV before 7 allows remote ...) NOT-FOR-US: Apple CVE-2014-4377 (Integer overflow in CoreGraphics in Apple iOS before 8 and Apple TV be ...) NOT-FOR-US: Apple CVE-2014-4376 (IOKit in IOAcceleratorFamily in Apple OS X before 10.9.5 allows attack ...) NOT-FOR-US: Apple Mac OS X CVE-2014-4375 (Double free vulnerability in Apple iOS before 8 and Apple TV before 7 ...) NOT-FOR-US: Apple CVE-2014-4374 (NSXMLParser in Foundation in Apple iOS before 8 allows attackers to re ...) NOT-FOR-US: Apple CVE-2014-4373 (The IntelAccelerator driver in the IOAcceleratorFamily subsystem in Ap ...) NOT-FOR-US: Apple CVE-2014-4372 (syslogd in the syslog subsystem in Apple iOS before 8 and Apple TV bef ...) NOT-FOR-US: Apple CVE-2014-4371 (The network-statistics interface in the kernel in Apple iOS before 8 a ...) NOT-FOR-US: Apple CVE-2014-4370 REJECTED CVE-2014-4369 (The IOAcceleratorFamily API implementation in Apple iOS before 8 and A ...) NOT-FOR-US: Apple CVE-2014-4368 (The Accessibility subsystem in Apple iOS before 8 allows attackers to ...) NOT-FOR-US: Apple CVE-2014-4367 (Apple iOS before 8 enables Voice Dial during all upgrade actions, whic ...) NOT-FOR-US: Apple CVE-2014-4366 (Mail in Apple iOS before 8 does not prevent sending a LOGIN command to ...) NOT-FOR-US: Apple CVE-2014-4365 REJECTED CVE-2014-4364 (The 802.1X subsystem in Apple iOS before 8 and Apple TV before 7 does ...) NOT-FOR-US: Apple CVE-2014-4363 (Safari in Apple iOS before 8 does not properly restrict the autofillin ...) NOT-FOR-US: Safari in Apple iOS CVE-2014-4362 (The Sandbox Profiles implementation in Apple iOS before 8 does not pro ...) NOT-FOR-US: Apple CVE-2014-4361 (The Home & Lock Screen subsystem in Apple iOS before 8 does not pr ...) NOT-FOR-US: Apple CVE-2014-4360 REJECTED CVE-2014-4359 REJECTED CVE-2014-4358 REJECTED CVE-2014-4357 (Accounts Framework in Apple iOS before 8 and Apple TV before 7 allows ...) NOT-FOR-US: Apple CVE-2014-4356 (Apple iOS before 8 does not follow the intended configuration setting ...) NOT-FOR-US: Apple CVE-2014-4355 REJECTED CVE-2014-4354 (Apple iOS before 8 enables Bluetooth during all upgrade actions, which ...) NOT-FOR-US: Apple CVE-2014-4353 (Race condition in iMessage in Apple iOS before 8 allows attackers to o ...) NOT-FOR-US: Apple CVE-2014-4352 (Address Book in Apple iOS before 8 relies on the hardware UID for its ...) NOT-FOR-US: Apple CVE-2014-4351 (Buffer overflow in QuickTime in Apple OS X before 10.10 allows remote ...) NOT-FOR-US: Apple QuickTime CVE-2014-4350 (Buffer overflow in QT Media Foundation in Apple OS X before 10.9.5 all ...) NOT-FOR-US: QT Media Foundation in Apple OS X CVE-2014-4349 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.1. ...) - phpmyadmin 4:4.2.5-1 (low) [squeeze] - phpmyadmin (Vulnerable code not present) [wheezy] - phpmyadmin (Vulnerable code not present) CVE-2014-4348 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.2. ...) - phpmyadmin 4:4.2.5-1 (low) [squeeze] - phpmyadmin (Vulnerable code not present) [wheezy] - phpmyadmin (Vulnerable code not present) CVE-2014-4347 (Citrix NetScaler Application Delivery Controller (ADC) and NetScaler G ...) NOT-FOR-US: Citrix NetScaler Application Delivery Controller CVE-2014-4346 (Cross-site scripting (XSS) vulnerability in administration user interf ...) NOT-FOR-US: Citrix NetScaler Application Delivery Controller CVE-2014-4345 (Off-by-one error in the krb5_encode_krbsecretkey function in plugins/k ...) {DSA-3000-1 DLA-37-1} - krb5 1.12.1+dfsg-7 (bug #757416) [squeeze] - krb5 1.8.3+dfsg-4squeeze8 NOTE: https://github.com/krb5/krb5/commit/81c332e29f10887c6b9deb065f81ba259f4c7e03 NOTE: http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2014-001.txt CVE-2014-4344 (The acc_ctx_cont function in the SPNEGO acceptor in lib/gssapi/spnego/ ...) {DSA-3000-1 DLA-37-1} - krb5 1.12.1+dfsg-5 (bug #755521) [squeeze] - krb5 1.8.3+dfsg-4squeeze8 NOTE: https://github.com/krb5/krb5/commit/524688ce87a15fc75f87efc8c039ba4c7d5c197b CVE-2014-4343 (Double free vulnerability in the init_ctx_reselect function in the SPN ...) {DSA-3000-1 DLA-37-1} - krb5 1.12.1+dfsg-5 (bug #755520) [squeeze] - krb5 1.8.3+dfsg-4squeeze8 NOTE: https://github.com/krb5/krb5/commit/f18ddf5d82de0ab7591a36e465bc24225776940f CVE-2014-4342 (MIT Kerberos 5 (aka krb5) 1.7.x through 1.12.x before 1.12.2 allows re ...) {DSA-3000-1 DLA-37-1} - krb5 1.12.1+dfsg-4 (bug #753625) [squeeze] - krb5 1.8.3+dfsg-4squeeze8 NOTE: https://github.com/krb5/krb5/commit/fb99962cbd063ac04c9a9d2cc7c75eab73f3533d CVE-2014-4341 (MIT Kerberos 5 (aka krb5) before 1.12.2 allows remote attackers to cau ...) {DSA-3000-1 DLA-37-1} - krb5 1.12.1+dfsg-4 (bug #753624) [squeeze] - krb5 1.8.3+dfsg-4squeeze8 NOTE: https://github.com/krb5/krb5/commit/fb99962cbd063ac04c9a9d2cc7c75eab73f3533d CVE-2014-4340 RESERVED CVE-2014-4339 RESERVED CVE-2014-4335 (Multiple cross-site scripting (XSS) vulnerabilities in BarracudaDrive ...) NOT-FOR-US: BarracudaDrive CVE-2014-4334 (Stack-based buffer overflow in Ubisoft Rayman Legends before 1.3.14038 ...) NOT-FOR-US: Ubisoft Rayman Legends CVE-2014-4333 (Cross-site request forgery (CSRF) vulnerability in administration/prof ...) NOT-FOR-US: Dolphin (php thing) CVE-2014-4332 RESERVED CVE-2014-4331 (Cross-site scripting (XSS) vulnerability in admin/viewer.php in Octavo ...) NOT-FOR-US: OctavoCMS CVE-2014-4330 (The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 ...) - perl 5.20.1-1 (bug #762256) [wheezy] - perl 5.14.2-21+deb7u2 [squeeze] - perl (Minor issue) NOTE: upstream commit: http://perl5.git.perl.org/perl.git/commitdiff/19be3be6968e2337bcdfe480693fff795ecd1304 CVE-2014-4329 (Cross-site scripting (XSS) vulnerability in lua/host_details.lua in nt ...) - ntopng 1.2.0+dfsg1-1 (bug #760990) NOTE: https://svn.ntop.org/bugzilla/show_bug.cgi?id=379 CVE-2014-4328 RESERVED CVE-2014-4327 RESERVED CVE-2014-4326 (Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote ...) - logstash (bug #664841) CVE-2014-4325 (The cmd_boot function in app/aboot/aboot.c in the Little Kernel (LK) b ...) NOT-FOR-US: Little Kernel (bootloader) CVE-2014-4324 RESERVED CVE-2014-4323 (The mdp_lut_hw_update function in drivers/video/msm/mdp.c in the MDP d ...) - linux (Vulnerable code drivers/video/msm not present) CVE-2014-4322 (drivers/misc/qseecom.c in the QSEECOM driver for the Linux kernel 3.x, ...) - linux (Vulnerable code drivers/misc/qseecom.c not present) CVE-2014-4321 RESERVED CVE-2014-4320 RESERVED CVE-2014-4319 RESERVED CVE-2014-4318 RESERVED CVE-2014-4317 RESERVED CVE-2014-4316 RESERVED CVE-2014-4315 REJECTED CVE-2014-4314 REJECTED CVE-2014-4313 (SQL injection vulnerability in Epicor Procurement before 7.4 SP2 allow ...) NOT-FOR-US: Epicor CVE-2014-4312 (Multiple cross-site scripting (XSS) vulnerabilities in Epicor Enterpri ...) NOT-FOR-US: Epicor CVE-2014-4311 (Epicor Enterprise 7.4 before FS74SP6_HotfixTL054181 allows attackers t ...) NOT-FOR-US: Epicor CVE-2014-4310 (Unspecified vulnerability in the JPublisher component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2014-4309 (Multiple cross-site scripting (XSS) vulnerabilities in Openfiler 2.99 ...) NOT-FOR-US: Openfiler CVE-2014-4308 (Multiple cross-site scripting (XSS) vulnerabilities in NICE Recording ...) NOT-FOR-US: NICE Recording eXpress CVE-2014-4307 (SQL injection vulnerability in categories-x.php in WebTitan before 4.0 ...) NOT-FOR-US: WebTitan CVE-2014-4306 (Directory traversal vulnerability in logs-x.php in WebTitan before 4.0 ...) NOT-FOR-US: WebTitan CVE-2014-4305 (Multiple SQL injection vulnerabilities in NICE Recording eXpress (aka ...) NOT-FOR-US: NICE Recording eXpress CVE-2014-4304 (Cross-site scripting (XSS) vulnerability in browse.php in SQL Buddy 1. ...) NOT-FOR-US: SQL Buddy CVE-2014-4303 (Multiple cross-site scripting (XSS) vulnerabilities in the Touch theme ...) NOT-FOR-US: Drupal Touch theme CVE-2014-4302 (Cross-site scripting (XSS) vulnerability in rating/rating.php in HAM3D ...) NOT-FOR-US: HAM3D Shop Engine CVE-2014-4301 (Multiple cross-site scripting (XSS) vulnerabilities in the respond_err ...) NOT-FOR-US: Ajenti CVE-2014-4300 (Unspecified vulnerability in the SQLJ component in Oracle Database Ser ...) NOT-FOR-US: Oracle Database Server CVE-2014-4299 (Unspecified vulnerability in the SQLJ component in Oracle Database Ser ...) NOT-FOR-US: Oracle Database Server CVE-2014-4298 (Unspecified vulnerability in the SQLJ component in Oracle Database Ser ...) NOT-FOR-US: Oracle Database Server CVE-2014-4297 (Unspecified vulnerability in the JPublisher component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2014-4296 (Unspecified vulnerability in the JPublisher component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2014-4295 (Unspecified vulnerability in the Java VM component in Oracle Database ...) NOT-FOR-US: Oracle Database Server CVE-2014-4294 (Unspecified vulnerability in the Java VM component in Oracle Database ...) NOT-FOR-US: Oracle Database Server CVE-2014-4293 (Unspecified vulnerability in the JPublisher component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2014-4292 (Unspecified vulnerability in the JPublisher component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2014-4291 (Unspecified vulnerability in the JPublisher component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2014-4290 (Unspecified vulnerability in the JPublisher component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2014-4289 (Unspecified vulnerability in the JDBC component in Oracle Database Ser ...) NOT-FOR-US: Oracle Database Server CVE-2014-4288 (Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allow ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2014-4287 (Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier an ...) {DSA-3054-1} - mysql-5.5 5.5.39-1 - mariadb-5.5 5.5.39-1 - mariadb-10.0 (Fixed before initial upload) - percona-xtradb-cluster-5.5 CVE-2014-4286 REJECTED CVE-2014-4285 (Unspecified vulnerability in the Oracle Applications Technology compon ...) NOT-FOR-US: Oracle E-Business Suite CVE-2014-4284 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Oracle Sun Solaris 11 CVE-2014-4283 (Unspecified vulnerability in Oracle Sun Solaris 11 allows remote attac ...) NOT-FOR-US: Oracle Sun Solaris 11 CVE-2014-4282 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Oracle Sun Solaris 11 CVE-2014-4281 (Unspecified vulnerability in the Oracle Applications Framework compone ...) NOT-FOR-US: Oracle E-Business Suite CVE-2014-4280 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Oracle Sun Solaris 11 CVE-2014-4279 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle CVE-2014-4278 (Unspecified vulnerability in the Oracle Applications Technology Stack ...) NOT-FOR-US: Oracle E-Business Suite CVE-2014-4277 (Unspecified vulnerability in Oracle Sun Solaris 11 allows remote attac ...) NOT-FOR-US: Oracle Sun Solaris 11 CVE-2014-4276 (Unspecified vulnerability in Oracle Sun Solaris 11 allows remote attac ...) NOT-FOR-US: Oracle Sun Solaris 11 CVE-2014-4275 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Oracle Sun Solaris 11 CVE-2014-4273 REJECTED CVE-2014-4272 REJECTED CVE-2014-4271 (Unspecified vulnerability in the Hyperion Essbase component in Oracle ...) NOT-FOR-US: Oracle CVE-2014-4270 (Unspecified vulnerability in the Hyperion Common Admin component in Or ...) NOT-FOR-US: Oracle CVE-2014-4269 (Unspecified vulnerability in the Hyperion Common Admin component in Or ...) NOT-FOR-US: Oracle CVE-2014-4268 (Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u ...) {DSA-2987-1 DSA-2980-1 DLA-96-1} - openjdk-6 6b32-1.13.4-1 - openjdk-7 7u65-2.5.1-1 CVE-2014-4267 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle WebLogic Server CVE-2014-4266 (Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote ...) {DSA-2987-1 DSA-2980-1 DLA-96-1} - openjdk-6 6b32-1.13.4-1 NOTE: http://hg.openjdk.java.net/jdk6/jdk6/jdk/rev/de40a32a44f5 - openjdk-7 7u65-2.5.1-1 NOTE: http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/c58a25d48388 CVE-2014-4265 (Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2014-4264 (Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote ...) {DSA-2987-1} - openjdk-6 (Vulnerable code not present) - openjdk-7 7u65-2.5.1-1 NOTE: http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/c084492f9e3d CVE-2014-4263 (Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u ...) {DSA-2987-1 DSA-2980-1 DLA-96-1} - openjdk-6 6b32-1.13.4-1 - openjdk-7 7u65-2.5.1-1 CVE-2014-4262 (Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u ...) {DSA-2987-1 DSA-2980-1 DLA-96-1} - openjdk-6 6b32-1.13.4-1 - openjdk-7 7u65-2.5.1-1 CVE-2014-4261 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) - virtualbox (Only applies if VBox is running on Windows) - virtualbox-ose (Only applies if VBox is running on Windows) CVE-2014-4260 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2985-1} - mysql-5.5 5.5.39-1 (bug #754941) - mysql-5.1 (Only affects 5.5 and later) - mariadb-5.5 5.5.38-1 (bug #754940) - mariadb-10.0 (Fixed before initial upload) - percona-xtradb-cluster-5.5 5.5.39-25.11+dfsg-1 CVE-2014-4259 (Unspecified vulnerability in the Solaris Cluster component in Oracle S ...) NOT-FOR-US: Oracle CVE-2014-4258 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2985-1} - mysql-5.5 5.5.39-1 (bug #754941) - mysql-5.1 (Only affects 5.5 and later) - mariadb-5.5 5.5.38-1 (bug #754940) - mariadb-10.0 (Fixed before initial upload) - percona-xtradb-cluster-5.5 5.5.39-25.11+dfsg-1 CVE-2014-4257 (Unspecified vulnerability in the Oracle WebCenter Portal component in ...) NOT-FOR-US: Oracle WebCenter Portal CVE-2014-4256 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle WebLogic Server CVE-2014-4255 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle WebLogic Server CVE-2014-4254 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle WebLogic Server CVE-2014-4253 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle WebLogic Server CVE-2014-4252 (Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u ...) {DSA-2987-1 DSA-2980-1 DLA-96-1} - openjdk-6 6b32-1.13.4-1 - openjdk-7 7u65-2.5.1-1 CVE-2014-4251 (Unspecified vulnerability in the Oracle HTTP Server component in Oracl ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-4250 (Unspecified vulnerability in the Siebel Core - Server OM Frwks compone ...) NOT-FOR-US: Oracle Siebel CRM CVE-2014-4249 (Unspecified vulnerability in the BI Publisher component in Oracle Fusi ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-4248 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle CVE-2014-4247 (Unspecified vulnerability in Oracle Java SE 8u5 allows remote attacker ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2014-4246 (Unspecified vulnerability in the Hyperion Analytic Provider Services c ...) NOT-FOR-US: Oracle CVE-2014-4245 (Unspecified vulnerability in the RDBMS Core component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2014-4244 (Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u ...) {DSA-2987-1 DSA-2980-1 DLA-96-1} - openjdk-6 6b32-1.13.4-1 - openjdk-7 7u65-2.5.1-1 CVE-2014-4243 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 5.5.37-1 [wheezy] - mysql-5.5 5.5.37-0+wheezy1 - mysql-5.1 (Only affects 5.5 and later) - mariadb-5.5 5.5.36-1 (bug #754940) - mariadb-10.0 (Fixed before initial upload) - percona-xtradb-cluster-5.5 NOTE: Unspecified, but according to Oracle only for 5.5.35 and earlier CVE-2014-4242 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle WebLogic Server CVE-2014-4241 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle WebLogic Server CVE-2014-4240 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 (Only affects 5.6) - mysql-5.1 (Only affects 5.6) - mariadb-5.5 (Only affects 5.6) - percona-xtradb-cluster-5.5 (Only affects 5.6) CVE-2014-4239 (Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11.1 all ...) NOT-FOR-US: Oracle Sun Solaris CVE-2014-4238 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 (Only affects 5.6) - mysql-5.1 (Only affects 5.6) - mariadb-5.5 (Only affects 5.6) - percona-xtradb-cluster-5.5 (Only affects 5.6) CVE-2014-4237 (Unspecified vulnerability in the RDBMS Core component in Oracle Databa ...) NOT-FOR-US: Oracle CVE-2014-4236 (Unspecified vulnerability in the RDBMS Core component in Oracle Databa ...) NOT-FOR-US: Oracle CVE-2014-4235 (Unspecified vulnerability in the Oracle iStore component in Oracle E-B ...) NOT-FOR-US: Oracle CVE-2014-4234 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle CVE-2014-4233 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 (Only affects 5.6) - mysql-5.1 (Only affects 5.6) - mariadb-5.5 (Only affects 5.6) - percona-xtradb-cluster-5.5 (Only affects 5.6) CVE-2014-4232 (Unspecified vulnerability in the Oracle Secure Global Desktop (SGD) co ...) NOT-FOR-US: Oracle CVE-2014-4231 (Unspecified vulnerability in the Siebel Travel & Transportation co ...) NOT-FOR-US: Oracle CVE-2014-4230 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...) NOT-FOR-US: Oracle CVE-2014-4229 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle CVE-2014-4228 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) - virtualbox 4.3.12-dfsg-1 (bug #754939) [wheezy] - virtualbox 4.1.40-dfsg-1+deb7u1 - virtualbox-ose (Only affects 4.1 and later) CVE-2014-4227 (Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2014-4226 (Unspecified vulnerability in the PeopleSoft Enterprise FIN Install com ...) NOT-FOR-US: Oracle CVE-2014-4225 (Unspecified vulnerability in Oracle Sun Solaris 10 allows local users ...) NOT-FOR-US: Oracle Sun Solaris CVE-2014-4224 (Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11.1 all ...) NOT-FOR-US: Oracle Sun Solaris CVE-2014-4223 (Unspecified vulnerability in Oracle Java SE 7u60 allows remote attacke ...) {DSA-2987-1} - openjdk-6 (Vulnerable code not present) - openjdk-7 7u65-2.5.1-1 NOTE: http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/84bce1b3d28a CVE-2014-4222 (Unspecified vulnerability in the Oracle HTTP Server component in Oracl ...) NOT-FOR-US: Oracle CVE-2014-4221 (Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote ...) {DSA-2987-1} - openjdk-6 (Vulnerable code not present) - openjdk-7 7u65-2.5.1-1 NOTE: http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/bac16c82c14a CVE-2014-4220 (Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2014-4219 (Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows ...) {DSA-2987-1 DSA-2980-1 DLA-96-1} - openjdk-6 6b32-1.13.4-1 - openjdk-7 7u65-2.5.1-1 CVE-2014-4218 (Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u ...) {DSA-2987-1 DSA-2980-1 DLA-96-1} - openjdk-6 6b32-1.13.4-1 - openjdk-7 7u65-2.5.1-1 CVE-2014-4217 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2014-4216 (Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u ...) {DSA-2987-1 DSA-2980-1 DLA-96-1} - openjdk-6 6b32-1.13.4-1 - openjdk-7 7u65-2.5.1-1 CVE-2014-4215 (Unspecified vulnerability in Oracle Solaris 10 and 11.1 allows local u ...) NOT-FOR-US: Oracle Solaris CVE-2014-4214 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 (Only affects 5.6) - mysql-5.1 (Only affects 5.6) - mariadb-5.5 (Only affects 5.6) - percona-xtradb-cluster-5.5 (Only affects 5.6) CVE-2014-4213 (Unspecified vulnerability in the Oracle Applications Manager component ...) NOT-FOR-US: Oracle CVE-2014-4212 (Unspecified vulnerability in the Oracle Fusion Middleware component in ...) NOT-FOR-US: Oracle CVE-2014-4211 (Unspecified vulnerability in the Oracle WebCenter Portal component in ...) NOT-FOR-US: Oracle CVE-2014-4210 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2014-4209 (Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u ...) {DSA-2987-1 DSA-2980-1 DLA-96-1} - openjdk-6 6b32-1.13.4-1 - openjdk-7 7u65-2.5.1-1 CVE-2014-4208 (Unspecified vulnerability in the Java SE component in Oracle Java SE 7 ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2014-4207 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2985-1} - mysql-5.5 5.5.39-1 (bug #754941) - mysql-5.1 (Only affects 5.5 and later) - mariadb-5.5 5.5.38-1 (bug #754940) - mariadb-10.0 (Fixed before initial upload) - percona-xtradb-cluster-5.5 5.5.39-25.11+dfsg-1 CVE-2014-4206 (Unspecified vulnerability in the Hyperion Enterprise Performance Manag ...) NOT-FOR-US: Oracle CVE-2014-4205 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...) NOT-FOR-US: Oracle CVE-2014-4204 (Unspecified vulnerability in the PeopleSoft Enterprise PT PeopleTools ...) NOT-FOR-US: Oracle CVE-2014-4203 (Unspecified vulnerability in the Hyperion Enterprise Performance Manag ...) NOT-FOR-US: Oracle CVE-2014-4202 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2014-4201 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2014-4200 (vm-support 0.88 in VMware Tools, as distributed with VMware Workstatio ...) - open-vm-tools 2:9.4.6-1770165-1 (low; bug #770809) [squeeze] - open-vm-tools (Minor issue) [wheezy] - open-vm-tools (Minor issue) NOTE: http://seclists.org/fulldisclosure/2014/Aug/71 CVE-2014-4199 (vm-support 0.88 in VMware Tools, as distributed with VMware Workstatio ...) - open-vm-tools 2:9.4.6-1770165-7 (low; bug #770809) [squeeze] - open-vm-tools (Minor issue) [wheezy] - open-vm-tools (Minor issue) NOTE: http://seclists.org/fulldisclosure/2014/Aug/71 CVE-2014-4198 (A Two-Factor Authentication Bypass Vulnerability exists in BS-Client P ...) NOT-FOR-US: BS-Client Private Client CVE-2014-4197 (Multiple SQL injection vulnerabilities in Bank Soft Systems (BSS) RBS ...) NOT-FOR-US: Bank Soft Systems CVE-2014-4196 (Cross-site scripting (XSS) vulnerability in bsi.dll in Bank Soft Syste ...) NOT-FOR-US: Bank Soft Systems (BSS) RBS BS-Client CVE-2014-4195 (Cross-site scripting (XSS) vulnerability in zero_view_article.php in Z ...) NOT-FOR-US: ZeroCMS CVE-2014-4194 (SQL injection vulnerability in zero_transact_article.php in ZeroCMS 1. ...) NOT-FOR-US: ZeroCMS CVE-2014-XXXX [softhsm-keyconv creates security-sensibe file world-readable] - softhsm 1.3.7-2 (low; bug #752092) [squeeze] - softhsm (Minor issue) [wheezy] - softhsm (Minor issue) NOTE: Upstream fix: https://github.com/bellgrim/SoftHSMv2/commit/492447cd4a2be449e99fb9ad2519ea3277aaad28 CVE-2014-XXXX [docker VMM breakout] - docker.io 1.0.0~dfsg1-1 CVE-2014-4193 (The TLS implementation in EMC RSA BSAFE-Java Toolkits (aka Share for J ...) NOT-FOR-US: EMC RSA BSAFE-Java Toolkits CVE-2014-4192 (The Dual_EC_DRBG implementation in EMC RSA BSAFE-C Toolkits (aka Share ...) NOT-FOR-US: EMC RSA BSAFE-Java Toolkits CVE-2014-4191 (The TLS implementation in EMC RSA BSAFE-C Toolkits (aka Share for C an ...) NOT-FOR-US: EMC RSA BSAFE-Java Toolkits CVE-2014-4190 (Multiple heap-based buffer overflows in Huawei Campus Series Switches ...) NOT-FOR-US: Huawei Campus Series Switches CVE-2014-4189 (Cross-site scripting (XSS) vulnerability in Hitachi Tuning Manager bef ...) NOT-FOR-US: Hitachi Tuning Manager CVE-2014-4188 (Cross-site request forgery (CSRF) vulnerability in Hitachi Tuning Mana ...) NOT-FOR-US: Hitachi Tuning Manager CVE-2014-4187 (Cross-site scripting (XSS) vulnerability in signup.php in ClipBucket a ...) NOT-FOR-US: ClipBucket CVE-2014-4186 RESERVED CVE-2014-4185 RESERVED CVE-2014-4184 RESERVED CVE-2014-4183 RESERVED CVE-2014-4182 RESERVED CVE-2014-4181 RESERVED CVE-2014-4180 RESERVED CVE-2014-4179 RESERVED CVE-2014-4178 RESERVED CVE-2014-4177 RESERVED CVE-2014-4176 RESERVED CVE-2014-4175 RESERVED CVE-2014-4174 (wiretap/libpcap.c in the libpcap file parser in Wireshark 1.10.x befor ...) - wireshark 1.10.4-1 [squeeze] - wireshark (Only affects 1.10.x) [wheezy] - wireshark (Only affects 1.10.x) CVE-2014-4173 RESERVED CVE-2014-4172 (A URL parameter injection vulnerability was found in the back-channel ...) {DSA-3017-1} - php-cas 1.3.3-1 (bug #759718) NOTE: https://github.com/Jasig/phpCAS/pull/125 - moodle 2.7.2-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46766 CVE-2014-4171 (mm/shmem.c in the Linux kernel through 3.15.1 does not properly implem ...) - linux 3.14.15-1 [wheezy] - linux 3.2.63-1 - linux-2.6 (Vulnerable code introduced later) NOTE: https://lkml.org/lkml/2014/7/2/518 CVE-2014-4170 (A Privilege Escalation Vulnerability exists in Free Reprintables Artic ...) NOT-FOR-US: Free Reprintables ArticleFR CVE-2014-4169 RESERVED CVE-2014-4166 (Cross-site scripting (XSS) vulnerability in the song history in SHOUTc ...) NOT-FOR-US: SHOUTcast DNAS CVE-2014-4165 (Cross-site scripting (XSS) vulnerability in ntop allows remote attacke ...) - ntop (bug #751946) [jessie] - ntop (Minor issue) [wheezy] - ntop (Minor issue) CVE-2014-4164 (Cross-site scripting (XSS) vulnerability in AlgoSec FireFlow 6.3-b230 ...) NOT-FOR-US: AlogoSec FireFlow CVE-2014-4163 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Feat ...) NOT-FOR-US: WordPress plugin Featured Comments CVE-2014-4162 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Zyxe ...) NOT-FOR-US: Zyxel P-660HW-T1 wireless CVE-2014-4161 (Cross-site scripting (XSS) vulnerability in la/umTestSSO.jsp in SAP Su ...) NOT-FOR-US: SAP Supplier Relationship Management CVE-2014-4160 (Multiple cross-site scripting (XSS) vulnerabilities in the testcanvas ...) NOT-FOR-US: SAP NetWeaver Business Client CVE-2014-4159 (Open redirect vulnerability in in la/umTestSSO.jsp in SAP Supplier Re ...) NOT-FOR-US: SAP Supplier Relationship Management CVE-2014-4158 (Stack-based buffer overflow in Kolibri 2.0 allows remote attackers to ...) NOT-FOR-US: Kolibri CVE-2014-4156 (Proxmox VE prior to 3.2: 'AccessControl.pm' User Enumeration Vulnerabi ...) NOT-FOR-US: Proxmox VE CVE-2014-4155 (Cross-site request forgery (CSRF) vulnerability in the ZTE ZXV10 W300 ...) NOT-FOR-US: ZTE router CVE-2014-4154 (ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK stores sensitiv ...) NOT-FOR-US: ZTE router CVE-2014-4153 (The av-centerd SOAP service in AlienVault OSSIM before 4.8.0 allows re ...) NOT-FOR-US: AlienVault OSSIM CVE-2014-4152 (The av-centerd SOAP service in AlienVault OSSIM before 4.8.0 allows re ...) NOT-FOR-US: AlienVault OSSIM CVE-2014-4151 (The av-centerd SOAP service in AlienVault OSSIM before 4.8.0 allows re ...) NOT-FOR-US: AlienVault OSSIM CVE-2014-4149 (Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, ...) NOT-FOR-US: Microsoft CVE-2014-4148 (win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 ...) NOT-FOR-US: Microsoft CVE-2014-4147 REJECTED CVE-2014-4146 REJECTED CVE-2014-4145 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4144 REJECTED CVE-2014-4143 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4142 REJECTED CVE-2014-4141 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2014-4140 (Microsoft Internet Explorer 8 through 11 allows remote attackers to by ...) NOT-FOR-US: Microsoft CVE-2014-4139 REJECTED CVE-2014-4138 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft CVE-2014-4137 (Microsoft Internet Explorer 6 and 7 allows remote attackers to execute ...) NOT-FOR-US: Microsoft CVE-2014-4136 REJECTED CVE-2014-4135 REJECTED CVE-2014-4134 (Microsoft Internet Explorer 6 through 8 allows remote attackers to exe ...) NOT-FOR-US: Microsoft CVE-2014-4133 (Microsoft Internet Explorer 6 and 7 allows remote attackers to execute ...) NOT-FOR-US: Microsoft CVE-2014-4132 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4131 REJECTED CVE-2014-4130 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4129 (Microsoft Internet Explorer 8 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4128 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4127 (Microsoft Internet Explorer 6 through 10 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4126 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4125 REJECTED CVE-2014-4124 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ga ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4123 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ga ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4122 (Microsoft .NET Framework 2.0 SP2, 3.5, and 3.5.1 omits the ASLR protec ...) NOT-FOR-US: Microsoft CVE-2014-4121 (Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, and 4.5.2 ...) NOT-FOR-US: Microsoft CVE-2014-4120 REJECTED CVE-2014-4119 REJECTED CVE-2014-4118 (XML Core Services (aka MSXML) 3.0 in Microsoft Windows Server 2003 SP2 ...) NOT-FOR-US: Microsoft CVE-2014-4117 (Microsoft Office 2007 SP3, Word 2007 SP3, Office 2010 SP1 and SP2, Wor ...) NOT-FOR-US: Microsoft CVE-2014-4116 (Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Found ...) NOT-FOR-US: Microsoft CVE-2014-4115 (fastfat.sys (aka the FASTFAT driver) in the kernel-mode drivers in Mic ...) NOT-FOR-US: Microsoft CVE-2014-4114 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft CVE-2014-4113 (win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 ...) NOT-FOR-US: Microsoft CVE-2014-4112 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4111 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4110 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4109 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4108 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4107 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4106 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4105 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4104 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4103 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4102 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4101 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4100 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4099 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4098 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4097 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4096 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4095 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4094 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4093 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4092 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4091 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4090 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4089 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4088 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4087 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4086 (Microsoft Internet Explorer 6 through 8 allows remote attackers to exe ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4085 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4084 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4083 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4082 (Microsoft Internet Explorer 6 through 10 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4081 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4080 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4079 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4078 (The IP Security feature in Microsoft Internet Information Services (II ...) NOT-FOR-US: Microsoft CVE-2014-4077 (Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2 ...) NOT-FOR-US: Microsoft CVE-2014-4076 (Microsoft Windows Server 2003 SP2 allows local users to gain privilege ...) NOT-FOR-US: Microsoft CVE-2014-4075 (Cross-site scripting (XSS) vulnerability in System.Web.Mvc.dll in Micr ...) NOT-FOR-US: Microsoft CVE-2014-4074 (The Task Scheduler in Microsoft Windows 8, Windows 8.1, Windows Server ...) NOT-FOR-US: Microsoft CVE-2014-4073 (Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, and 4.5.2 ...) NOT-FOR-US: Microsoft CVE-2014-4072 (Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.0 SP2, 3.5, 3.5.1, 4, 4.5 ...) NOT-FOR-US: Microsoft CVE-2014-4071 (The Server in Microsoft Lync Server 2013 allows remote attackers to ca ...) NOT-FOR-US: Microsoft Lync Server CVE-2014-4070 (Cross-site scripting (XSS) vulnerability in the Web Components Server ...) NOT-FOR-US: Microsoft Lync Server CVE-2014-4069 REJECTED CVE-2014-4068 (The Response Group Service in Microsoft Lync Server 2010 and 2013 and ...) NOT-FOR-US: Microsoft Lync Server CVE-2014-4067 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4066 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4065 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4064 (The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft CVE-2014-4063 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4062 (Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.0 SP2, 3.5, and 3.5.1 doe ...) NOT-FOR-US: Microsoft CVE-2014-4061 (Microsoft SQL Server 2008 SP3, 2008 R2 SP2, and 2012 SP1 does not prop ...) NOT-FOR-US: Microsoft CVE-2014-4060 (Use-after-free vulnerability in MCPlayer.dll in Microsoft Windows Medi ...) NOT-FOR-US: Microsoft CVE-2014-4059 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4058 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4057 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4056 (Microsoft Internet Explorer 7 through 10 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4055 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4054 REJECTED CVE-2014-4053 REJECTED CVE-2014-4052 (Microsoft Internet Explorer 9 and 10 allows remote attackers to execut ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4051 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4050 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4042 RESERVED CVE-2014-4041 RESERVED CVE-2014-4040 (snap in powerpc-utils 1.2.20 produces an archive with fstab and yaboot ...) - powerpc-utils 1.3.1-2 (unimportant) NOTE: SuSE decided to put/display a warning about the possibility to of NOTE: containing cleartext passwords in the produced archive containing fstab NOTE: and yaboot.conf NOTE: 1.3.1-2 upload removed /usr/sbin/snap from the installed binary package CVE-2014-4039 (ppc64-diag 2.6.1 uses 0775 permissions for /tmp/diagSEsnap and does no ...) - ppc64-diag 2.7.1-5 NOTE: SuSE Patch: https://bugzilla.suse.com/attachment.cgi?id=599147 CVE-2014-4038 (ppc64-diag 2.6.1 allows local users to overwrite arbitrary files via a ...) - ppc64-diag 2.7.1-5 NOTE: Issue partially fixed in 2.7.1-1, but not all parts fixed NOTE: SuSE Patch: https://bugzilla.suse.com/attachment.cgi?id=599147 CVE-2014-4037 (Cross-site scripting (XSS) vulnerability in editor/dialog/fck_spellerp ...) - fckeditor (low; bug #752873) [wheezy] - fckeditor (Minor issue) [squeeze] - fckeditor (Minor issue) - docvert [wheezy] - docvert (Minor issue) [squeeze] - docvert (Minor issue) - moin (unused emebdded copy) - knowledgeroot (unused embedded copy) CVE-2014-4036 (Cross-site scripting (XSS) vulnerability in modules/system/admin.php i ...) NOT-FOR-US: ImpressCMS CVE-2014-4035 (Cross-site scripting (XSS) vulnerability in booking_details.php in Bes ...) NOT-FOR-US: Advance Hotel Booking System CVE-2014-4034 (SQL injection vulnerability in zero_view_article.php in ZeroCMS 1.0 al ...) NOT-FOR-US: ZeroCMS CVE-2014-4033 (Cross-site scripting (XSS) vulnerability in libraries/includes/persona ...) NOT-FOR-US: Epignosis eFront CVE-2014-4032 (Cross-site scripting (XSS) vulnerability in apps/app_comment/form_comm ...) NOT-FOR-US: Fiyo CMS CVE-2014-4031 (The Policy Manager in Aruba Networks ClearPass 5.x, 6.0.x, 6.1.x throu ...) NOT-FOR-US: Aruba Networks ClearPass CVE-2014-4030 (Cross-site request forgery (CSRF) vulnerability in the JW Player plugi ...) NOT-FOR-US: WordPress plugin JW Player CVE-2014-4029 RESERVED CVE-2014-4028 RESERVED CVE-2014-4026 RESERVED CVE-2014-4025 RESERVED CVE-2014-4024 (SSL virtual servers in F5 BIG-IP systems 10.x before 10.2.4 HF9, 11.x ...) NOT-FOR-US: F5 BIG-IP CVE-2014-4023 (Cross-site scripting (XSS) vulnerability in tmui/dashboard/echo.jsp in ...) NOT-FOR-US: F5 BIG-IP CVE-2014-4022 (The alloc_domain_struct function in arch/arm/domain.c in Xen 4.4.x, wh ...) - xen (Only 32- and 64-bit ARM systems from Xen 4.4 onwards) CVE-2014-4019 (ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK stores sensitiv ...) NOT-FOR-US: ZTE CVE-2014-4018 (The ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK has a defau ...) NOT-FOR-US: ZTE router CVE-2010-5301 (Stack-based buffer overflow in Kolibri 2.0 allows remote attackers to ...) NOT-FOR-US: Kolibri CVE-2010-5300 (Stack-based buffer overflow in Jzip 1.3 through 2.0.0.132900 allows re ...) NOT-FOR-US: www.jzip.com NOTE: This is the jzip Z-code interpreter in Debian. CVE-2014-4168 ((1) iodined.c and (2) user.c in iodine before 0.7.0 allows remote atta ...) {DSA-2964-1} - iodine 0.6.0~rc1-19 (bug #751834) [squeeze] - iodine 0.6.0~rc1-2+deb6u1 NOTE: https://github.com/yarrick/iodine/commit/b715be5cf3978fbe589b03b09c9398d0d791f850 CVE-2014-4167 (The L3-agent in OpenStack Neutron before 2013.2.4, 2014.x before 2014. ...) - neutron 2014.1.1-1 (bug #752021) NOTE: https://launchpad.net/bugs/1309195 CVE-2014-4157 (arch/mips/include/asm/thread_info.h in the Linux kernel before 3.14.8 ...) {DLA-103-1} - linux 3.14.7-1 (bug #751417) [wheezy] - linux 3.2.60-1 - linux-2.6 (squeeze-lts only covers x86) CVE-2014-4049 (Heap-based buffer overflow in the php_parserr function in ext/standard ...) {DSA-2961-1 DLA-0010-1} - php5 5.6.0~beta4+dfsg-3 (bug #751364) [squeeze] - php5 5.3.3-7+squeeze20 NOTE: https://github.com/php/php-src/commit/b34d7849ed90ced9345f8ea1c59bc8d101c18468 CVE-2014-4048 (The PJSIP Channel Driver in Asterisk Open Source before 12.3.1 allows ...) - asterisk (Only affects Asterisk 12.x) NOTE: http://downloads.asterisk.org/pub/security/AST-2014-008.html CVE-2014-4047 (Asterisk Open Source 1.8.x before 1.8.28.1, 11.x before 11.10.1, and 1 ...) - asterisk 1:11.10.2~dfsg-1 (low) [wheezy] - asterisk 1:1.8.13.1~dfsg1-3+deb7u4 [squeeze] - asterisk (Unsupported in squeeze-lts) NOTE: http://downloads.asterisk.org/pub/security/AST-2014-007.html CVE-2014-4046 (Asterisk Open Source 11.x before 11.10.1 and 12.x before 12.3.1 and Ce ...) {DLA-455-1} - asterisk 1:11.10.2~dfsg-1 (low) [squeeze] - asterisk (Vulnerable code not present) NOTE: http://downloads.asterisk.org/pub/security/AST-2014-006.html CVE-2014-4045 (The Publish/Subscribe Framework in the PJSIP channel driver in Asteris ...) - asterisk (Only affects Asterisk 12.x) NOTE: http://downloads.asterisk.org/pub/security/AST-2014-005.html CVE-2014-4044 (OpenAFS 1.6.8 does not properly clear the fields in the host structure ...) - openafs 1.6.9-1 [wheezy] - openafs (Vulnerable code introduced in 1.6.8) [squeeze] - openafs (Vulnerable code introduced in 1.6.8) CVE-2014-4043 (The posix_spawn_file_actions_addopen function in glibc before 2.20 doe ...) {DSA-3169-1 DLA-165-1} - eglibc - glibc 2.19-2 (low; bug #751774) CVE-2014-4021 (Xen 3.2.x through 4.4.x does not properly clean memory pages recovered ...) {DSA-3006-1} - xen 4.4.1-1 (bug #751894) [squeeze] - xen (Unsupported in squeeze-lts) CVE-2014-4020 (The dissect_frame function in epan/dissectors/packet-frame.c in the fr ...) - wireshark 1.10.8-1 [wheezy] - wireshark (Only affects 1.10.0 to 1.10.7) [squeeze] - wireshark (Only affects 1.10.0 to 1.10.7) NOTE: http://www.wireshark.org/security/wnpa-sec-2014-07.html CVE-2014-4017 (Cross-site scripting (XSS) vulnerability in the Conversion Ninja plugi ...) NOT-FOR-US: WordPress plugin conversionninja CVE-2014-4016 RESERVED CVE-2014-4015 RESERVED CVE-2014-4013 (SQL injection vulnerability in the Policy Manager in Aruba Networks Cl ...) NOT-FOR-US: Aruba Networks ClearPass CVE-2014-4012 (SAP Open Hub Service has hardcoded credentials, which makes it easier ...) NOT-FOR-US: SAP CVE-2014-4011 (SAP Capacity Leveling has hardcoded credentials, which makes it easier ...) NOT-FOR-US: SAP CVE-2014-4010 (SAP Transaction Data Pool has hardcoded credentials, which makes it ea ...) NOT-FOR-US: SAP CVE-2014-4009 (SAP CCMS Monitoring (BC-CCM-MON) has hardcoded credentials, which make ...) NOT-FOR-US: SAP CVE-2014-4008 (SAP Web Services Tool (CA-WUI-WST) has hardcoded credentials, which ma ...) NOT-FOR-US: SAP CVE-2014-4007 (The SAP Upgrade tools for ABAP has hardcoded credentials, which makes ...) NOT-FOR-US: SAP CVE-2014-4006 (The SAP Trader's and Scheduler's Workbench (TSW) for SAP Oil & Gas ...) NOT-FOR-US: SAP CVE-2014-4005 (SAP Brazil add-on has hardcoded credentials, which makes it easier for ...) NOT-FOR-US: SAP CVE-2014-4004 (The (1) Structures and (2) Project-Oriented Procurement components in ...) NOT-FOR-US: SAP CVE-2014-4003 (The System Landscape Directory (SLD) in SAP NetWeaver allows remote at ...) NOT-FOR-US: SAP CVE-2014-4002 (Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b al ...) {DSA-2970-1} - cacti 0.8.8b+dfsg-6 (bug #752573) [squeeze] - cacti 0.8.7g-1+squeeze4 (bug #752573) CVE-2014-4001 RESERVED CVE-2014-4000 (Cacti before 1.0.0 allows remote authenticated users to conduct PHP ob ...) - cacti 0.8.8e+ds1-1 (low) [jessie] - cacti 0.8.8b+dfsg-8+deb8u2 [wheezy] - cacti 0.8.8a+dfsg-5+deb7u6 NOTE: http://www.cacti.net/release_notes_1_0_0.php NOTE: http://bugs.cacti.net/view.php?id=2452 (not accessible: marked as security issue) NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731 NOTE: This CVE was fixed by introduction of the function sanitize_unserialize_selected_items NOTE: in version 0.8.8e and calling it instead of unserialize(stripslashes()). NOTE: Affected files require authenticated users. CVE-2014-3999 (The Horde_Ldap library before 2.0.6 for Horde allows remote attackers ...) - php-horde-ldap 2.0.6-1 CVE-2014-3998 RESERVED CVE-2014-3997 (SQL injection vulnerability in the MetadataServlet servlet in ManageEn ...) NOT-FOR-US: Password Manager Pro CVE-2014-3996 (SQL injection vulnerability in the LinkViewFetchServlet servlet in Man ...) NOT-FOR-US: Password Manager Pro CVE-2014-3993 RESERVED CVE-2014-3992 (Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM 3.5.3 allow ...) - dolibarr 3.5.4+dfsg2-1 (bug #755531) CVE-2014-3991 (Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CR ...) - dolibarr 3.5.5+dfsg1-1 CVE-2014-3990 (The Cart::getProducts method in system/library/cart.php in OpenCart 1. ...) NOT-FOR-US: OpenCart CVE-2014-3989 RESERVED CVE-2014-3988 (Cross-site scripting (XSS) vulnerability in index.php in SunHater KCFi ...) NOT-FOR-US: SunHater KCFinder CVE-2014-3987 RESERVED CVE-2014-3984 (Multiple unspecified vulnerabilities in Libav before 0.8.12 allow remo ...) - libav 6:0.8.12-1 NOTE: Fairly pointless CVE assignment... CVE-2014-4150 (The scheme48-send-definition function in cmuscheme48.el in Scheme 48 a ...) {DLA-0006-1} - scheme48 1.9-4 (bug #748766) [wheezy] - scheme48 1.8+dfsg-1+deb7u1 [squeeze] - scheme48 1.8+dfsg-1+deb6u1 CVE-2014-4027 (The rd_build_device_space function in drivers/target/target_core_rd.c ...) - linux 3.14.2-1 [wheezy] - linux 3.2.60-1 - linux-2.6 [squeeze] - linux-2.6 (Introduced in 2.6.38) NOTE: upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4442dc8a92b8f9ad8ee9e7f8438f4c04c03a22dc CVE-2014-4014 (The capabilities implementation in the Linux kernel before 3.14.8 does ...) - linux 3.14.7-1 [wheezy] - linux (User namespaces only usable in later kernels) - linux-2.6 (User namespaces only usable in later kernels) NOTE: fixing commit https://git.kernel.org/linus/23adbe12ef7d3d4195e80800ab36b37bee28cd03 CVE-2014-3986 (include/tests_webservers in Lynis before 1.5.5 allows local users to o ...) - lynis 1.5.5-1 (bug #751083) [squeeze] - lynis (Minor issue) [wheezy] - lynis (Minor issue) CVE-2014-3995 (Cross-site scripting (XSS) vulnerability in gravatars/templatetags/gra ...) NOT-FOR-US: Djblets CVE-2014-3994 (Cross-site scripting (XSS) vulnerability in util/templatetags/djblets_ ...) NOT-FOR-US: Djblets CVE-2014-3983 RESERVED CVE-2014-3982 (include/tests_webservers in Lynis before 1.5.5 on AIX allows local use ...) - lynis (Specific to AIX) CVE-2014-3981 (acinclude.m4, as used in the configure script in PHP 5.5.13 and earlie ...) - php5 5.6.0~rc1+dfsg-1 (unimportant) NOTE: Only exploitable during package build CVE-2014-3979 (Bytemark Symbiosis allows remote attackers to cause a denial of servic ...) NOT-FOR-US: Bytemark Symbiosis CVE-2014-3978 (SQL injection vulnerability in TomatoCart 1.1.8.6.1 allows remote auth ...) NOT-FOR-US: TomatoCart CVE-2014-3977 (libodm.a in IBM AIX 6.1 and 7.1, and VIOS 2.2.x, allows local users to ...) NOT-FOR-US: IBM AIX CVE-2014-3976 (Buffer overflow in A10 Networks Advanced Core Operating System (ACOS) ...) NOT-FOR-US: A10 Networks Advanced Core Operating System CVE-2014-3975 (Absolute path traversal vulnerability in filemanager.php in AuraCMS 3. ...) NOT-FOR-US: AuraCMS CVE-2014-3974 (Cross-site scripting (XSS) vulnerability in filemanager.php in AuraCMS ...) NOT-FOR-US: AuraCMS CVE-2014-3973 (Multiple SQL injection vulnerabilities in FrontAccounting (FA) before ...) - frontaccounting 2.3.21-1 (bug #751867) [squeeze] - frontaccounting (Minor issue) [wheezy] - frontaccounting (Minor issue) CVE-2014-3972 (Directory traversal vulnerability in Apexis APM-J601-WS cameras with f ...) NOT-FOR-US: Apexis cameras CVE-2014-3971 (The CmdAuthenticate::_authenticateX509 function in db/commands/authent ...) - mongodb (X.509 certifictate authentication introduced in 2.6.x) NOTE: https://jira.mongodb.org/browse/SERVER-13753 NOTE: https://github.com/mongodb/mongo/commit/c151e0660b9736fe66b224f1129a16871165251b CVE-2014-3965 RESERVED CVE-2014-3964 RESERVED CVE-2014-3963 (ownCloud Server before 6.0.1 does not properly check permissions, whic ...) - owncloud 6.0.1+dfsg-1 NOTE: http://owncloud.org/about/security/advisories/oC-SA-2014-009/ CVE-2014-3962 (Multiple SQL injection vulnerabilities in Videos Tube 1.0 allow remote ...) NOT-FOR-US: Videos Tube CVE-2014-3961 (SQL injection vulnerability in the Export CSV page in the Participants ...) NOT-FOR-US: WordPress plugin Participants Database CVE-2014-3960 (Multiple cross-site scripting (XSS) vulnerabilities in OpenNMS before ...) NOT-FOR-US: OpenNMS CVE-2014-3980 (libfep 0.0.5 before 0.1.0 does not properly use UNIX domain sockets in ...) - libfep (bug #658575) CVE-2014-3959 (Cross-site scripting (XSS) vulnerability in list.jsp in the Configurat ...) NOT-FOR-US: F5 CVE-2014-3958 RESERVED CVE-2014-3957 RESERVED CVE-2014-3955 (routed in FreeBSD 8.4 through 10.1-RC2 allows remote attackers to caus ...) NOT-FOR-US: FreeBSD routed CVE-2014-3954 (Stack-based buffer overflow in rtsold in FreeBSD 9.1 through 10.1-RC2 ...) NOT-FOR-US: FreeBSD rtsold CVE-2014-3953 (FreeBSD 8.4 before p14, 9.1 before p17, 9.2 before p10, and 10.0 befor ...) {DSA-3070-1} - kfreebsd-8 [wheezy] - kfreebsd-8 (kfreebsd-8 only a test kernel, will be fixed in a point update) [squeeze] - kfreebsd-8 (Unsupported in squeeze-lts) - kfreebsd-9 (bug #754237) - kfreebsd-10 10.1~svn272463-1 CVE-2014-3952 (FreeBSD 8.4 before p14, 9.1 before p17, 9.2 before p10, and 10.0 befor ...) {DSA-3070-1} - kfreebsd-8 [squeeze] - kfreebsd-8 (Unsupported in squeeze-lts) [wheezy] - kfreebsd-8 (kfreebsd-8 only a test kernel, will be fixed in a point update) - kfreebsd-9 (bug #754236) - kfreebsd-10 10.1~svn272463-1 CVE-2014-3951 (The HZ module in the iconv implementation in FreeBSD 10.0 before p6 an ...) NOT-FOR-US: iconv system library of FreeBSD and NetBSD CVE-2014-3950 RESERVED CVE-2014-3949 (Cross-site scripting (XSS) vulnerability in the layout wizard in the G ...) NOT-FOR-US: TYPO3 extension gridelements CVE-2014-3948 (Cross-site scripting (XSS) vulnerability in the HTML export wizard in ...) NOT-FOR-US: TYPO3 extension powermail CVE-2014-3947 (Unrestricted file upload vulnerability in the powermail extension befo ...) NOT-FOR-US: TYPO3 extension powermail CVE-2014-3939 (Heap-based buffer overflow in Autodesk SketchBook Pro before 6.2.6 all ...) NOT-FOR-US: Autodesk SketchBook Pro CVE-2014-3938 (Integer overflow in Autodesk SketchBook Pro before 6.2.6 allows remote ...) NOT-FOR-US: Autodesk Sketchbook Pro CVE-2014-3937 (SQL injection vulnerability in the Contextual Related Posts plugin bef ...) NOT-FOR-US: WordPress plugin contextual-related-posts CVE-2014-3936 (Stack-based buffer overflow in the do_hnap function in www/my_cgi.cgi ...) NOT-FOR-US: D-Link CVE-2014-3935 (SQL injection vulnerability in glossaire-aff.php in the Glossaire modu ...) NOT-FOR-US: XOOPS module Glossaire CVE-2014-3934 (SQL injection vulnerability in the Submit_News module for PHP-Nuke 8.3 ...) NOT-FOR-US: PHP-Nuke CVE-2014-3933 (Cross-site scripting (XSS) vulnerability in the address components fie ...) NOT-FOR-US: Drupal module AddressField Tokens CVE-2014-3932 (SQL injection vulnerability in the device registration component in ws ...) NOT-FOR-US: CoSoSys Endpoint Protector CVE-2014-3931 (fastping.c in MRLG (aka Multi-Router Looking Glass) before 5.5.0 allow ...) NOT-FOR-US: Multi-Router Looking Glass CVE-2014-3930 (lg.pl in Cistron-LG 1.01 stores sensitive information under the web ro ...) NOT-FOR-US: Cistron-LG CVE-2014-3929 (The default configuration for Cougar-LG stores sensitive information u ...) NOT-FOR-US: Cougar-LG CVE-2014-3928 (Cougar-LG stores sensitive information under the web root with insuffi ...) NOT-FOR-US: Cougar-LG CVE-2014-3927 (mrlg-lib.php in mrlg4php before 1.0.8 allows remote attackers to execu ...) NOT-FOR-US: mrlg4php CVE-2014-3926 (Cross-site scripting (XSS) vulnerability in lg.cgi in Cougar LG 1.9 al ...) NOT-FOR-US: Cougar LG CVE-2014-3924 (Multiple cross-site scripting (XSS) vulnerabilities in Webmin before 1 ...) - webmin CVE-2014-3923 (Multiple cross-site scripting (XSS) vulnerabilities in the Digital Zoo ...) NOT-FOR-US: WordPress plugin Digital Zoom Studio Video Gallery CVE-2014-3922 (Cross-site scripting (XSS) vulnerability in Trend Micro InterScan Mess ...) NOT-FOR-US: Trend Micro InterScan CVE-2014-3921 (Cross-site scripting (XSS) vulnerability in popup.php in the Simple Po ...) NOT-FOR-US: WordPress plugin Simple Popup Images CVE-2013-7387 (Session fixation vulnerability in DataLife Engine (DLE) 9.7 and earlie ...) NOT-FOR-US: DataLife Engine CVE-2011-5280 (Multiple stack-based buffer overflows in BOINC 6.13.x allow remote att ...) - boinc 7.0.2+dfsg-1 (low) [squeeze] - boinc (Minor issue) CVE-2014-3969 (Xen 4.4.x, when running on an ARM system, does not properly check writ ...) - xen (Only ARM systems are affected from Xen 4.4 onwards) CVE-2014-3970 (The pa_rtp_recv function in modules/rtp/rtp.c in the module-rtp-recv m ...) - pulseaudio 5.0-3 (low) [squeeze] - pulseaudio (Minor issue) [wheezy] - pulseaudio (Minor issue) NOTE: http://lists.freedesktop.org/archives/pulseaudio-discuss/2014-May/020740.html CVE-2014-3968 (The HVMOP_inject_msi function in Xen 4.2.x, 4.3.x, and 4.4.x allows lo ...) - xen 4.4.1-1 (bug #757724) [wheezy] - xen (Xen versions from 4.2 onwards are vulnerable) [squeeze] - xen (Xen versions from 4.2 onwards are vulnerable) CVE-2014-3967 (The HVMOP_inject_msi function in Xen 4.2.x, 4.3.x, and 4.4.x does not ...) - xen 4.4.1-1 (bug #757724) [wheezy] - xen (Xen versions from 4.2 onwards are vulnerable) [squeeze] - xen (Xen versions from 4.2 onwards are vulnerable) CVE-2014-3966 (Cross-site scripting (XSS) vulnerability in Special:PasswordReset in M ...) {DSA-2957-1} - mediawiki 1:1.19.16+dfsg-1 (low; bug #750527) [squeeze] - mediawiki NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=65501 CVE-2014-3956 (The sm_close_on_exec function in conf.c in sendmail before 8.14.9 has ...) - sendmail 8.14.4-6 (low; bug #750562) [wheezy] - sendmail 8.14.4-4+deb7u1 [squeeze] - sendmail (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2014/06/03/1 CVE-2014-3940 (The Linux kernel through 3.14.5 does not properly consider the presenc ...) - linux 3.14.7-1 (low) [wheezy] - linux 3.2.60-1 - linux-2.6 (Only exploitable in 3.12 and later) CVE-2014-3925 (sosreport in Red Hat sos 1.7 and earlier on Red Hat Enterprise Linux ( ...) - sosreport (RedHat-specific issue) CVE-2014-3920 (Cross-site request forgery (CSRF) vulnerability in Kanboard before 1.0 ...) - kanboard (bug #790814) CVE-2014-3919 (A vulnerability exists in Netgear CG3100 devices before 3.9.2421.13.mp ...) NOT-FOR-US: Netgear CVE-2014-3918 RESERVED CVE-2014-3916 (The str_buf_cat function in string.c in Ruby 1.9.3, 2.0.0, and 2.1 all ...) - ruby2.1 (unimportant) - ruby2.0 (unimportant) - ruby1.9.1 (unimportant) - ruby1.8 (unimportant) NOTE: Only exploitable on Windows CVE-2014-3915 (The userRequest servlet in the Admin Center for Tivoli Storage Manager ...) NOT-FOR-US: Rocket Servergraph CVE-2014-3914 (Directory traversal vulnerability in the Admin Center for Tivoli Stora ...) NOT-FOR-US: Rocket ServerGraph CVE-2014-3913 (Stack-based buffer overflow in AccessServer32.exe in Ericom AccessNow ...) NOT-FOR-US: Ericom AccessNow Server CVE-2014-3912 (Stack-based buffer overflow in the FindConfigChildeKeyList method in t ...) NOT-FOR-US: Samsung iPOLiS Device Manager CVE-2014-3911 (Samsung iPOLiS Device Manager before 1.8.7 allow remote attackers to e ...) NOT-FOR-US: Samsung iPOLiS Device Manager CVE-2014-3910 (Emurasoft EmFTP allows local users to gain privileges via a Trojan hor ...) NOT-FOR-US: Emurasoft EmFTP CVE-2014-3909 (Session fixation vulnerability in Falcon WisePoint 4.1.19.7 and earlie ...) NOT-FOR-US: Falcon WisePoint CVE-2014-3908 (The Amazon.com Kindle application before 4.5.0 for Android does not ve ...) NOT-FOR-US: Amazon.com Kindle application CVE-2014-3907 (Cross-site request forgery (CSRF) vulnerability in the MailPoet Newsle ...) NOT-FOR-US: MailPoet Newsletters (wysija-newsletters) plugin for WordPress CVE-2014-3906 (SQL injection vulnerability in OSK Advance-Flow 4.41 and earlier and A ...) NOT-FOR-US: OSK Advance-Flow CVE-2014-3905 (Cross-site scripting (XSS) vulnerability in tenfourzero Shutter 0.1.4 ...) NOT-FOR-US: tenfourzero Shutter CVE-2014-3904 (SQL injection vulnerability in lib/admin.php in tenfourzero Shutter 0. ...) NOT-FOR-US: tenfourzero Shutter CVE-2014-3903 (Cross-site scripting (XSS) vulnerability in the Cakifo theme 1.x befor ...) NOT-FOR-US: Cakifo theme for WordPress CVE-2014-3902 (The CyberAgent Ameba application 3.x and 4.x before 4.5.0 for Android ...) NOT-FOR-US: CyberAgent Ameba application CVE-2014-3901 (Raritan Japan Dominion KX2-101 switches before 2 allow remote attacker ...) NOT-FOR-US: Raritan Japan Dominion KX2-101 switches CVE-2014-3900 (Cross-site scripting (XSS) vulnerability in admin/picture_modify.php i ...) - piwigo [squeeze] - piwigo (Unsupported in squeeze-lts) NOTE: Request to mark the package as unsupported in #779104 CVE-2014-3899 (Gretech GOM Player 2.2.51.5149 and earlier allows remote attackers to ...) NOT-FOR-US: Gretech GOM Player CVE-2014-3898 (Cross-site scripting (XSS) vulnerability in Fujitsu ServerView Operati ...) NOT-FOR-US: Fujitsu ServerView Operations Manager CVE-2014-3897 (Cross-site scripting (XSS) vulnerability in Homepage Decorator PerlMai ...) NOT-FOR-US: Homepage Decorator PerlMailer CVE-2014-3896 (Multiple cross-site request forgery (CSRF) vulnerabilities in CGI prog ...) NOT-FOR-US: Seeds acmailer CVE-2014-3895 (The I-O DATA TS-WLCAM camera with firmware 1.06 and earlier, TS-WLCAM/ ...) NOT-FOR-US: I-O DATA camera firmware CVE-2014-3894 (Cross-site scripting (XSS) vulnerability in PHP Kobo Multifunctional M ...) NOT-FOR-US: PHP Kobo Multifunctional MailForm CVE-2014-3893 REJECTED CVE-2014-3892 (Cross-site scripting (XSS) vulnerability in Nexa Meridian before 2014 ...) NOT-FOR-US: Nexa Meridian CVE-2014-3891 (Buffer overflow in RimArts Becky! Internet Mail before 2.68 allows rem ...) NOT-FOR-US: RimArts Becky! Internet Mail CVE-2014-3890 (silex SX-2000WG devices with firmware before 1.5.4 allow remote attack ...) NOT-FOR-US: silex device CVE-2014-3889 (silex SX-2000WG devices with firmware before 1.5.4 allow remote attack ...) NOT-FOR-US: silex device CVE-2014-3888 (Stack-based buffer overflow in BKFSim_vhfd.exe in Yokogawa CENTUM CS 1 ...) NOT-FOR-US: Yokogawa CVE-2014-3887 (Cross-site scripting (XSS) vulnerability in I-O DATA DEVICE RockDisk w ...) NOT-FOR-US: I-O DATA DEVICE CVE-2014-3886 (Cross-site scripting (XSS) vulnerability in Webmin before 1.690, when ...) - webmin CVE-2014-3885 (Cross-site scripting (XSS) vulnerability in Webmin before 1.690 allows ...) - webmin CVE-2014-3884 (Cross-site scripting (XSS) vulnerability in Usermin before 1.600 allow ...) NOT-FOR-US: Usermin CVE-2014-3883 (Usermin before 1.600 allows remote attackers to execute arbitrary oper ...) NOT-FOR-US: Usermin CVE-2014-3882 (Cross-site request forgery (CSRF) vulnerability in the Login rebuilder ...) NOT-FOR-US: WordPress plugin login-rebuilder CVE-2014-3881 (Cross-site request forgery (CSRF) vulnerability in Intercom Web Kyukin ...) NOT-FOR-US: Intercom Web Kyukincho CVE-2014-3880 (The (1) execve and (2) fexecve system calls in the FreeBSD kernel 8.4 ...) {DSA-2952-1} - kfreebsd-8 [wheezy] - kfreebsd-8 (Will be fixed in a point update) [squeeze] - kfreebsd-8 (Unsupported in squeeze-lts) - kfreebsd-9 - kfreebsd-10 10.0-6 CVE-2014-3879 (OpenPAM Nummularia 9.2 through 10.0 does not properly handle the error ...) NOT-FOR-US: OpenPAM CVE-2014-3878 (Multiple cross-site scripting (XSS) vulnerabilities in the web client ...) NOT-FOR-US: IPSwitch IMail CVE-2014-3877 (Incomplete blacklist vulnerability in Frams' Fast File EXchange (F*EX, ...) {DLA-68-1} - fex 20140530-1 [wheezy] - fex (non-free not supported) NOTE: https://www.lsexperts.de/advisories/lse-2014-05-22.txt CVE-2014-3876 (Multiple cross-site scripting (XSS) vulnerabilities in Frams' Fast Fil ...) {DLA-68-1} - fex 20140530-1 [wheezy] - fex (non-free not supported) NOTE: https://www.lsexperts.de/advisories/lse-2014-05-22.txt CVE-2014-3875 (The addto parameter to fup in Frams' Fast File EXchange (F*EX, aka fex ...) {DLA-68-1} - fex 20140530-1 [wheezy] - fex (non-free not supported) NOTE: https://www.lsexperts.de/advisories/lse-2014-05-22.txt CVE-2014-3874 RESERVED CVE-2014-3873 (The ktrace utility in the FreeBSD kernel 8.4 before p11, 9.1 before p1 ...) - kfreebsd-8 - kfreebsd-9 (bug #750493) [squeeze] - kfreebsd-8 (Unsupported in squeeze-lts) [wheezy] - kfreebsd-9 (introduced by the merge of r237663) [wheezy] - kfreebsd-8 (Non standard kernel, will be fixed in a point update) CVE-2014-3872 (Multiple SQL injection vulnerabilities in the administration login pag ...) NOT-FOR-US: D-Link firmware CVE-2014-3871 (Multiple SQL injection vulnerabilities in register.php in Geodesic Sol ...) NOT-FOR-US: GeodesicSolutions CVE-2014-3869 RESERVED CVE-2014-3868 (Multiple SQL injection vulnerabilities in ZeusCart 4.x. ...) NOT-FOR-US: ZeusCart CVE-2014-3867 (The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through ...) NOT-FOR-US: IBM Sametime CVE-2014-3863 (Cross-site scripting (XSS) vulnerability in the JChatSocial component ...) NOT-FOR-US: Joomla! component JChatSocial CVE-2014-3862 (CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discov ...) NOT-FOR-US: HL7 C-CDA CVE-2014-3861 (Cross-site scripting (XSS) vulnerability in CDA.xsl in HL7 C-CDA 1.1 a ...) NOT-FOR-US: HL7 C-CDA CVE-2014-3860 (Xilisoft Video Converter Ultimate 7.8.1 build-20140505 has a DLL Hijac ...) NOT-FOR-US: Xilisoft Video Converter Ultimate CVE-2014-3859 (libdns in ISC BIND 9.10.0 before P2 does not properly handle EDNS opti ...) - bind9 (Only affects 9.10.0, 9.10.0-P1) NOTE: https://kb.isc.org/article/AA-01166 CVE-2014-3858 RESERVED CVE-2014-3857 (Multiple SQL injection vulnerabilities in Kerio Control Statistics in ...) NOT-FOR-US: Kerio Control CVE-2014-3856 (The funced function in fish (aka fish-shell) 1.23.0 before 2.1.1 does ...) - fish 2.1.1-1 (low; bug #746259) [squeeze] - fish (Minor issue) [wheezy] - fish (Minor issue) NOTE: https://github.com/fish-shell/fish-shell/issues/1437 CVE-2014-3855 (Directory traversal vulnerability in download.py in Pyplate 0.08 allow ...) NOT-FOR-US: Pyplate CVE-2014-3854 (Cross-site request forgery (CSRF) vulnerability in admin/addScript.py ...) NOT-FOR-US: Pyplate CVE-2014-3853 (Pyplate 0.08 does not set the secure flag for the id cookie in an http ...) NOT-FOR-US: Pyplate CVE-2014-3852 (Pyplate 0.08 does not include the HTTPOnly flag in a Set-Cookie header ...) NOT-FOR-US: Pyplate CVE-2014-3851 (usr/lib/cgi-bin/create_passwd_file.py in Pyplate 0.08 uses world-reada ...) NOT-FOR-US: Pyplate CVE-2014-3850 (Cross-site request forgery (CSRF) vulnerability in the Member Approval ...) NOT-FOR-US: WordPress plugin Member Approval 131109 CVE-2014-3849 (The iMember360 plugin 3.8.012 through 3.9.001 for WordPress does not p ...) NOT-FOR-US: WordPress plugin iMember360 CVE-2014-3848 (The iMember360 plugin before 3.9.001 for WordPress does not properly r ...) NOT-FOR-US: WordPress plugin iMember360 CVE-2014-3847 RESERVED CVE-2014-3845 (Cross-site request forgery (CSRF) vulnerability in the TinyMCE Color P ...) NOT-FOR-US: WordPress plugin TinyMCE Color Picker CVE-2014-3844 (The TinyMCE Color Picker plugin before 1.2 for WordPress does not prop ...) NOT-FOR-US: WordPress plugin TinyMCE Color Picker CVE-2014-3843 (Cross-site request forgery (CSRF) vulnerability in the Search Everythi ...) NOT-FOR-US: WordPress plugin Search Everything CVE-2014-3842 (Multiple cross-site scripting (XSS) vulnerabilities in the iMember360 ...) NOT-FOR-US: WordPress plugin iMember360 CVE-2014-3841 (Cross-site scripting (XSS) vulnerability in the Contact Bank plugin be ...) NOT-FOR-US: WordPress plugin Contact Bank CVE-2012-6648 (gdm/guest-session-cleanup.sh in gdm-guest-session 0.24 and earlier, as ...) NOT-FOR-US: gdm-guest-session (Ubuntu-specific) CVE-2010-5299 (Stack-based buffer overflow in MicroP 0.1.1.1600 allows remote attacke ...) NOT-FOR-US: MicroP CVE-2014-3946 (The query caching functionality in the Extbase Framework component in ...) {DSA-2942-1} - typo3-src 4.5.34+dfsg1-1 (bug #749215) [squeeze] - typo3-src (Unsupported in squeeze-lts) CVE-2014-3945 (The Authentication component in TYPO3 before 6.2, when salting for pas ...) {DSA-2942-1} - typo3-src 4.5.34+dfsg1-1 (bug #749215) [squeeze] - typo3-src (Unsupported in squeeze-lts) CVE-2014-3944 (The Authentication component in TYPO3 6.2.0 before 6.2.3 does not prop ...) {DSA-2942-1} - typo3-src 4.5.34+dfsg1-1 (bug #749215) [squeeze] - typo3-src (Unsupported in squeeze-lts) CVE-2014-3943 (Multiple cross-site scripting (XSS) vulnerabilities in unspecified bac ...) {DSA-2942-1} - typo3-src 4.5.34+dfsg1-1 (bug #749215) [squeeze] - typo3-src (Unsupported in squeeze-lts) CVE-2014-3942 (The Color Picker Wizard component in TYPO3 4.5.0 before 4.5.34, 4.7.0 ...) {DSA-2942-1} - typo3-src 4.5.34+dfsg1-1 (bug #749215) [squeeze] - typo3-src (Unsupported in squeeze-lts) CVE-2014-3941 (TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6 ...) {DSA-2942-1} - typo3-src 4.5.34+dfsg1-1 (bug #749215) [squeeze] - typo3-src (Unsupported in squeeze-lts) CVE-2014-3917 (kernel/auditsc.c in the Linux kernel through 3.14.5, when CONFIG_AUDIT ...) {DLA-0015-1} - linux 3.14.7-1 [wheezy] - linux 3.2.60-1 - linux-2.6 [squeeze] - linux-2.6 2.6.32-48squeeze8 NOTE: http://article.gmane.org/gmane.linux.kernel/1713179 CVE-2014-3865 (Multiple directory traversal vulnerabilities in dpkg-source in dpkg-de ...) {DSA-2953-1} - dpkg 1.17.10 (bug #749183) CVE-2014-3864 (Directory traversal vulnerability in dpkg-source in dpkg-dev 1.3.0 all ...) {DSA-2953-1} - dpkg 1.17.10 (bug #746498) CVE-2014-3870 (Cross-site scripting (XSS) vulnerability in the bib2html plugin 0.9.3 ...) NOT-FOR-US: WordPress plugin bib2html CVE-2014-3866 (Multiple cross-site request forgery (CSRF) vulnerabilities in user_set ...) NOT-FOR-US: userCake CVE-2014-3846 (Cross-site scripting (XSS) vulnerability in Flying Cart allows remote ...) NOT-FOR-US: Flying Cart CVE-2014-3839 [owncloud: Deserialization of Untrusted Data in core] RESERVED - owncloud 6.0.3+dfsg-1 CVE-2014-3838 (ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not properly ...) - owncloud 6.0.3+dfsg-1 NOTE: http://owncloud.org/about/security/advisories/oc-sa-2014-016/ CVE-2014-3837 (The document application in ownCloud Server before 6.0.3 uses sequenti ...) - owncloud 6.0.3+dfsg-1 NOTE: http://owncloud.org/about/security/advisories/oc-sa-2014-015/ CVE-2014-3836 (Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud ...) - owncloud 6.0.3+dfsg-1 NOTE: http://owncloud.org/about/security/advisories/oc-sa-2014-014/ CVE-2014-3835 (ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not check pe ...) - owncloud 6.0.3+dfsg-1 NOTE: http://owncloud.org/about/security/advisories/oc-sa-2014-012/ CVE-2014-3834 (ownCloud Server before 6.0.3 does not properly check permissions, whic ...) - owncloud 6.0.3+dfsg-1 NOTE: http://owncloud.org/about/security/advisories/oc-sa-2014-011/ NOTE: http://owncloud.org/about/security/advisories/oc-sa-2014-013/ CVE-2014-3833 (Multiple cross-site scripting (XSS) vulnerabilities in the (1) Gallery ...) - owncloud 6.0.3+dfsg-2 CVE-2014-3832 (Cross-site scripting (XSS) vulnerability in the Documents component in ...) - owncloud 6.0.3+dfsg-2 CVE-2014-3831 REJECTED CVE-2014-3830 (Cross-site scripting (XSS) vulnerability in info.php in TomatoCart 1.1 ...) NOT-FOR-US: TomatoCart CVE-2014-3829 (displayServiceStatus.php in Centreon 2.5.1 and Centreon Enterprise Ser ...) - centreon-web (bug #913903) CVE-2014-3828 (Multiple SQL injection vulnerabilities in Centreon 2.5.1 and Centreon ...) - centreon-web (bug #913903) CVE-2014-3827 (Multiple cross-site scripting (XSS) vulnerabilities in the MyBB (aka M ...) NOT-FOR-US: MyBB CVE-2014-3826 (Cross-site scripting (XSS) vulnerability in MyBB before 1.6.13 allows ...) NOT-FOR-US: MyBB CVE-2014-3825 (The Juniper SRX Series devices with Junos 11.4 before 11.4R12-S4, 12.1 ...) NOT-FOR-US: Juniper Junos CVE-2014-3824 (Cross-site scripting (XSS) vulnerability in the web server in the Juni ...) NOT-FOR-US: Juniper Junos Pulse Secure Access Service CVE-2014-3823 (The Juniper Junos Pulse Secure Access Service (SSL VPN) devices with I ...) NOT-FOR-US: The Juniper Junos Pulse Secure Access Service CVE-2014-3822 (Juniper Junos 11.4 before 11.4R8, 12.1 before 12.1R5, 12.1X44 before 1 ...) NOT-FOR-US: Juniper Junos CVE-2014-3821 (Cross-site scripting (XSS) vulnerability in SRX Web Authentication (we ...) NOT-FOR-US: Juniper Junos CVE-2014-3820 (Cross-site scripting (XSS) vulnerability in the SSL VPN/UAC web server ...) NOT-FOR-US: Juniper Junos Pulse Secure Access Service CVE-2014-3819 (Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before ...) NOT-FOR-US: Juniper Junos CVE-2014-3818 (Juniper Junos OS 9.1 through 11.4 before 11.4R11, 12.1 before R10, 12. ...) NOT-FOR-US: Juniper Junos CVE-2014-3817 (Juniper Junos 11.4 before 11.4R12, 12.1X44 before 12.1X44-D32, 12.1X45 ...) NOT-FOR-US: Juniper Junos CVE-2014-3816 (Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R11, 12.1X44 before ...) NOT-FOR-US: Juniper Junos CVE-2014-3815 (Juniper Junos 12.1X46 before 12.1X46-D20 and 12.1X47 before 12.1X47-D1 ...) NOT-FOR-US: Juniper Junos CVE-2014-3814 (The Juniper Networks NetScreen Firewall devices with ScreenOS before 6 ...) NOT-FOR-US: Juniper Networks NetScreen Firewall CVE-2014-3813 (Unspecified vulnerability in the Juniper Networks NetScreen Firewall p ...) NOT-FOR-US: Juniper Networks NetScreen Firewall CVE-2014-3812 (The Juniper Junos Pulse Secure Access Service (SSL VPN) devices with I ...) NOT-FOR-US: Juniper Junos Pulse Secure Access Service CVE-2014-3811 (Juniper Installer Service (JIS) Client 7.x before 7.4R6 for Windows an ...) NOT-FOR-US: Junos Pulse Client CVE-2014-3810 (SQL injection vulnerability in administration/profiles.php in BoonEx D ...) NOT-FOR-US: Dolphin (php thingy) CVE-2014-3809 (Cross-site scripting (XSS) vulnerability in the management interface i ...) NOT-FOR-US: Alcatel Lucent CVE-2014-3808 (Multiple cross-site scripting (XSS) vulnerabilities in BarracudaDrive ...) NOT-FOR-US: BarracudaDrive CVE-2014-3807 (Multiple cross-site scripting (XSS) vulnerabilities in BarracudaDrive ...) NOT-FOR-US: BarracudaDrive CVE-2014-3806 (Directory traversal vulnerability in cgi-bin/help/doIt.cgi in VMTurbo ...) NOT-FOR-US: VMTurbo Operations Manager CVE-2014-3805 (The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows re ...) NOT-FOR-US: AlienVault OSSIM CVE-2014-3804 (The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows re ...) NOT-FOR-US: AlienVault OSSIM CVE-2014-3803 (The SpeechInput feature in Blink, as used in Google Chrome before 35.0 ...) {DSA-2939-1} - chromium-browser 35.0.1916.114-1 [squeeze] - chromium-browser CVE-2014-3802 (msdia.dll in Microsoft Debug Interface Access (DIA) SDK, as distribute ...) NOT-FOR-US: Microsoft Visual Studio CVE-2014-3799 REJECTED CVE-2014-3798 (The Windows Guest Tools in Citrix XenServer 6.2 SP1 and earlier allows ...) NOT-FOR-US: Citrix XenServer CVE-2014-3797 (Cross-site scripting (XSS) vulnerability in VMware vCenter Server Appl ...) NOT-FOR-US: VMware vSphere CVE-2014-3796 (VMware NSX 6.0 before 6.0.6, and vCloud Networking and Security (vCNS) ...) NOT-FOR-US: VMware NSX and vCNS CVE-2014-3795 REJECTED CVE-2014-3794 REJECTED CVE-2014-3793 (VMware Tools in VMware Workstation 10.x before 10.0.2, VMware Player 6 ...) NOT-FOR-US: VMware CVE-2014-3792 (Cross-site request forgery (CSRF) vulnerability in Beetel 450TC2 Route ...) NOT-FOR-US: Beetel Router CVE-2014-3791 (Stack-based buffer overflow in Easy File Sharing (EFS) Web Server 6.8 ...) NOT-FOR-US: Easy File Sharing CVE-2014-3790 (Ruby vSphere Console (RVC) in VMware vCenter Server Appliance allows r ...) NOT-FOR-US: VMware vCenter Server Appliance CVE-2014-3789 (GetPermissions.asp in Cogent Real-Time Systems Cogent DataHub before 7 ...) NOT-FOR-US: Cogent DataHub CVE-2014-3788 (Heap-based buffer overflow in the Web Server in Cogent Real-Time Syste ...) NOT-FOR-US: Cogent DataHub CVE-2014-3787 (SAP NetWeaver 7.20 and earlier allows remote attackers to read arbitra ...) NOT-FOR-US: SAP NetWeaver CVE-2013-7386 (Format string vulnerability in the PROJECT::write_account_file functio ...) - boinc 7.1.10+dfsg-1 (low) [squeeze] - boinc (Minor issue) [wheezy] - boinc (Minor issue) CVE-2013-7385 (LiveZilla 5.1.2.1 and earlier includes the MD5 hash of the operator pa ...) NOT-FOR-US: LiveZilla CVE-2013-7384 (UnrealIRCd 3.2.10 before 3.2.10.2 allows remote attackers to cause a d ...) - unrealircd (bug #515130) CVE-2014-3840 (Multiple cross-site scripting (XSS) vulnerabilities in apps/common/tem ...) - mayan (bug #718580) CVE-2014-3801 (OpenStack Orchestration API (Heat) 2013.2 through 2013.2.3 and 2014.1, ...) - heat 2014.1-4 (bug #748824) NOTE: https://launchpad.net/bugs/1311223 CVE-2014-3786 (Multiple cross-site scripting (XSS) vulnerabilities in the contact mod ...) NOT-FOR-US: Pixie CMS CVE-2014-3785 RESERVED CVE-2014-3784 RESERVED CVE-2014-3783 (SQL injection vulnerability in admin/categories.php in Dotclear before ...) - dotclear 2.6.3+dfsg-1 CVE-2014-3782 (Multiple incomplete blacklist vulnerabilities in the filemanager::isFi ...) - dotclear 2.6.3+dfsg-1 CVE-2014-3781 (The dcXmlRpc::setUser method in nc/core/class.dc.xmlrpc.php in Dotclea ...) - dotclear 2.6.3+dfsg-1 CVE-2014-3780 (Unspecified vulnerability in Citrix VDI-In-A-Box 5.3.x before 5.3.8 an ...) NOT-FOR-US: Citrix CVE-2014-3779 (Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ADSelfSe ...) NOT-FOR-US: ZOHO CVE-2014-3778 (Multiple cross-site request forgery (CSRF) vulnerabilities in goform/R ...) NOT-FOR-US: ARRIS modem CVE-2014-3777 (Directory traversal vulnerability in Reportico PHP Report Designer bef ...) NOT-FOR-US: Reportico PHP Report Designer CVE-2014-3770 RESERVED CVE-2014-3769 RESERVED CVE-2014-3768 RESERVED CVE-2014-3767 RESERVED CVE-2014-3766 RESERVED CVE-2014-3765 RESERVED CVE-2014-3764 (Cross-site scripting (XSS) vulnerability in the web-based device manag ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2014-3763 RESERVED CVE-2014-3762 RESERVED CVE-2014-3761 (Cross-site scripting (XSS) vulnerability in D-Link DAP 1150 with firmw ...) NOT-FOR-US: D-Link DAP 1150 CVE-2014-3760 (Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link D ...) NOT-FOR-US: D-Link DAP 1150 CVE-2014-3759 (Multiple SQL injection vulnerabilities in the BibTex Publications (si_ ...) NOT-FOR-US: TYPO3 extension si_bibtex CVE-2014-3758 (Cross-site scripting (XSS) vulnerability in the BibTex Publications (s ...) NOT-FOR-US: TYPO3 extension si_bibtex CVE-2014-3757 (SQL injection vulnerability in sorter.php in the phpManufaktur kitForm ...) NOT-FOR-US: phpManufaktur extension CVE-2014-3754 RESERVED CVE-2014-3753 (AgileBits 1Password through 1.0.9.340 allows security feature bypass ...) NOT-FOR-US: AgileBits 1Password CVE-2014-3752 (The MiniIcpt.sys driver in G Data TotalProtection 2014 24.0.2.1 and ea ...) NOT-FOR-US: G Data TotalProtection CVE-2014-3751 RESERVED CVE-2014-3750 (The Bilyoner application before 2.3.1 for Android and before 4.6.2 for ...) NOT-FOR-US: Bilyoner for Android CVE-2014-3748 RESERVED CVE-2014-3747 RESERVED CVE-2014-3746 RESERVED CVE-2014-3745 RESERVED CVE-2014-3744 (Directory traversal vulnerability in the st module before 0.2.5 for No ...) NOT-FOR-US: Node st module CVE-2014-3743 (Multiple cross-site scripting (XSS) vulnerabilities in the Marked modu ...) - node-marked 0.3.1+dfsg-1 CVE-2014-3742 (The hapi server framework 2.0.x and 2.1.x before 2.2.0 for Node.js all ...) NOT-FOR-US: hapi framework for Node.js CVE-2014-3741 (The printDirect function in lib/printer.js in the node-printer module ...) NOT-FOR-US: node-printer CVE-2014-3740 (Cross-site scripting (XSS) vulnerability in SpiceWorks before 7.2.0019 ...) NOT-FOR-US: SpiceWorks CVE-2014-3737 (Cross-site scripting (XSS) vulnerability in templates/defaultheader.ph ...) NOT-FOR-US: Storesprite CVE-2014-3736 RESERVED CVE-2014-3735 (ir41_32.ax 4.51.16.3 for Intel Indeo Video 4.5 allows remote attackers ...) NOT-FOR-US: Intel Ideo Video CVE-2014-3734 RESERVED CVE-2014-3733 RESERVED CVE-2014-3732 RESERVED CVE-2014-3731 RESERVED CVE-2014-3729 RESERVED CVE-2014-3728 RESERVED CVE-2014-3727 RESERVED CVE-2014-3726 RESERVED CVE-2014-3725 RESERVED CVE-2014-3724 RESERVED CVE-2014-3723 RESERVED CVE-2014-3722 RESERVED CVE-2014-3721 RESERVED CVE-2014-3720 RESERVED CVE-2014-3718 (Multiple cross-site scripting (XSS) vulnerabilities in cgi-bin/tag_m.c ...) NOT-FOR-US: Ex Libris ALEPH 500 (Integrated library management system) CVE-2014-3713 RESERVED CVE-2014-3712 (Katello allows remote attackers to cause a denial of service (memory c ...) NOT-FOR-US: Katello CVE-2014-3711 (namei in FreeBSD 9.1 through 10.1-RC2 allows remote attackers to cause ...) {DSA-3070-1} - kfreebsd-9 (bug #766275) - kfreebsd-10 10.1~svn273874-1 (bug #766278) [experimental] - kfreebsd-11 11.0~svn284956-1 (bug #766279) CVE-2014-3710 (The donote function in readelf.c in file through 5.20, as used in the ...) {DSA-3074-1 DSA-3072-1 DLA-94-1 DLA-86-1} - file 1:5.20-2 (bug #768806) NOTE: Upstream fix: https://github.com/file/file/commit/39c7ac1106be844a5296d3eb5971946cc09ffda0 - php5 5.6.3+dfsg-1 (bug #768807) NOTE: https://bugs.php.net/bug.php?id=68283 NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=1803228597e82218a8c105e67975bc50e6f5bf0d (PHP 5.4 branch) CVE-2014-3709 (The org.keycloak.services.resources.SocialResource.callback method in ...) NOT-FOR-US: JBoss KeyCloak CVE-2014-3708 (OpenStack Compute (Nova) before 2014.1.4 and 2014.2.x before 2014.2.1 ...) - nova 2014.1.3-6 (low) [wheezy] - nova (Minor issue) NOTE: affected versions up to 2014.1.3, and 2014.2 CVE-2014-3707 (The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, whe ...) {DSA-3069-1 DLA-84-1} - curl 7.38.0-3 NOTE: http://curl.haxx.se/docs/adv_20141105.html NOTE: Upstream commit: https://github.com/bagder/curl/commit/b3875606925536f82fc61f3114ac42f29eaf6945 CVE-2014-3706 (ovirt-engine, as used in Red Hat MRG 3, allows man-in-the-middle attac ...) NOT-FOR-US: ovirt-engine CVE-2014-3705 RESERVED CVE-2014-3704 (The expandArguments function in the database abstraction API in Drupal ...) {DSA-3051-1} - drupal7 7.32-1 (bug #765507) - drupal6 (Only affects Drupal 7) CVE-2014-3703 (OpenStack PackStack 2012.2.1, when the Open vSwitch (OVS) monolithic p ...) NOT-FOR-US: Red Hat Openstack 4 Neutron CVE-2014-3702 (Directory traversal vulnerability in eNovance eDeploy allows remote at ...) - edeploy (bug #717664) CVE-2014-3701 (eDeploy has tmp file race condition flaws ...) - edeploy (bug #717664) CVE-2014-3700 (eDeploy through at least 2014-10-14 has remote code execution due to e ...) - edeploy (bug #717664) CVE-2014-3699 (eDeploy has RCE via cPickle deserialization of untrusted data ...) - edeploy (bug #717664) CVE-2014-3698 (The jabber_idn_validate function in jutil.c in the Jabber protocol plu ...) {DSA-3055-1} - pidgin 2.10.10-1 [squeeze] - pidgin (Support in oldstable is limited to IRC, Jabber/XMPP, Sametime and SIMPLE) CVE-2014-3697 (Absolute path traversal vulnerability in the untar_block function in w ...) - pidgin (Windows specific) CVE-2014-3696 (nmevent.c in the Novell GroupWise protocol plugin in libpurple in Pidg ...) {DSA-3055-1} - pidgin 2.10.10-1 [squeeze] - pidgin (Support in oldstable is limited to IRC, Jabber/XMPP, Sametime and SIMPLE) CVE-2014-3695 (markup.c in the MXit protocol plugin in libpurple in Pidgin before 2.1 ...) {DSA-3055-1} - pidgin 2.10.10-1 [squeeze] - pidgin (Support in oldstable is limited to IRC, Jabber/XMPP, Sametime and SIMPLE) CVE-2014-3694 (The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/ ...) {DSA-3055-1} - pidgin 2.10.10-1 [squeeze] - pidgin (Support in oldstable is limited to IRC, Jabber/XMPP, Sametime and SIMPLE) CVE-2014-3693 (Use-after-free vulnerability in the socket manager of Impress Remote i ...) - libreoffice 1:4.3.3~rc2~git20141011-1 [wheezy] - libreoffice (Introduced in 4.0.0) NOTE: https://www.libreoffice.org/about-us/security/advisories/CVE-2014-3693/ CVE-2014-3692 (The customization template in Red Hat CloudForms 3.1 Management Engine ...) NOT-FOR-US: RedHat CloudForms Management Engine CVE-2014-3691 (Smart Proxy (aka Smart-Proxy and foreman-proxy) in Foreman before 1.5. ...) NOT-FOR-US: Foreman Smart Proxy CVE-2014-3690 (arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 3.1 ...) {DSA-3060-1} - linux 3.16.7-1 - linux-2.6 [squeeze] - linux-2.6 (KVM not supported in Squeeze LTS) NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d974baa398f34393db76be45f7d4d04fbdbb4a0a (v3.18-rc1) CVE-2014-3689 (The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows local g ...) {DSA-3067-1 DSA-3066-1} - qemu 2.1+dfsg-6 (bug #765496) - qemu-kvm [squeeze] - qemu-kvm [squeeze] - qemu NOTE: Upstream's quick and easy stopgap for this issue: compile out the hardware acceleration functions which lack sanity checks. NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=83afa38eb20ca27e30683edc7729880e091387fc CVE-2014-3688 (The SCTP implementation in the Linux kernel before 3.17.4 allows remot ...) {DSA-3060-1 DLA-118-1} - linux 3.16.7-1 - linux-2.6 NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=26b87c7881006311828bb0ab271a551a62dcceb4 (v3.18-rc1) CVE-2014-3687 (The sctp_assoc_lookup_asconf_ack function in net/sctp/associola.c in t ...) {DSA-3060-1 DLA-118-1} - linux 3.16.7-1 - linux-2.6 NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b69040d8e39f20d5215a03502a8e8b4c6ab78395 (v3.18-rc1) CVE-2014-3686 (wpa_supplicant and hostapd 0.7.2 through 2.2, when running with certai ...) {DSA-3052-1 DLA-147-1} - wpasupplicant - hostapd [squeeze] - hostapd (Vulnerable code not present in 0.6.10) - wpa 2.3-1 (bug #765352; high) CVE-2014-3685 REJECTED CVE-2014-3684 (The tm_adopt function in lib/Libifl/tm.c in Terascale Open-Source Reso ...) {DSA-3058-1 DLA-78-1} - torque 2.4.16+dfsg-1.5 (bug #763922) NOTE: https://github.com/adaptivecomputing/torque/commit/967cdc80150690459a47a35a658abeee0ca6e5cb NOTE: https://github.com/adaptivecomputing/torque/commit/f2f4c950f3d461a249111c8826da3beaafccace9 NOTE: 2.4 is end-of-life upstream thus no patches available for that branch. CVE-2014-3683 (Integer overflow in rsyslog before 7.6.7 and 8.x before 8.4.2 and sysk ...) {DSA-3047-1 DLA-72-1} - rsyslog 8.4.2-1 NOTE: http://www.rsyslog.com/remote-syslog-pri-vulnerability-cve-2014-3683/ CVE-2014-3682 (XML external entity (XXE) vulnerability in the JBPMBpmn2ResourceImpl f ...) NOT-FOR-US: jBPM Designer CVE-2014-3681 (Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and L ...) - jenkins 1.565.3-1 (bug #763899) CVE-2014-3680 (Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticate ...) - jenkins 1.565.3-1 (bug #763899) CVE-2014-3679 (The Monitoring plugin before 1.53.0 for Jenkins allows remote attacker ...) NOT-FOR-US: Jenkins monitoring plugin NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-01 CVE-2014-3678 (Cross-site scripting (XSS) vulnerability in the Monitoring plugin befo ...) NOT-FOR-US: Jenkins monitoring plugin NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-01 CVE-2014-3677 (Unspecified vulnerability in Shim might allow attackers to execute arb ...) NOT-FOR-US: shim (the UEFI one, not the systemd) CVE-2014-3676 (Heap-based buffer overflow in Shim allows remote attackers to execute ...) NOT-FOR-US: shim (the UEFI one, not the systemd) CVE-2014-3675 (Shim allows remote attackers to cause a denial of service (out-of-boun ...) NOT-FOR-US: shim (the UEFI one, not the systemd) CVE-2014-3674 (Red Hat OpenShift Enterprise before 2.2 does not properly restrict acc ...) NOT-FOR-US: OpenShift Enterprise CVE-2014-3673 (The SCTP implementation in the Linux kernel through 3.17.2 allows remo ...) {DSA-3060-1} - linux 3.16.7-1 - linux-2.6 [squeeze] - linux-2.6 2.6.32-48squeeze9 NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9de7922bc709eee2f609cd01d98aaedc4cf5ea74 (v3.18-rc1) CVE-2014-3672 (The qemu implementation in libvirt before 1.3.0 and Xen allows local g ...) {DLA-571-1} - xen 4.4.0-1 NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: http://xenbits.xen.org/xsa/advisory-180.html NOTE: Related hardening for libvirt: https://libvirt.org/git/?p=libvirt.git;a=commit;h=0d968ad715475a1660779bcdd2c5b38ad63db4cf NOTE: This is hardly a vulnerability in qemu per se, but rather a problem of integrating qemu CVE-2014-3671 REJECTED CVE-2014-3670 (The exif_ifd_make_value function in exif.c in the EXIF extension in PH ...) {DSA-3064-1 DLA-94-1} - php5 5.6.2+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=68113 CVE-2014-3669 (Integer overflow in the object_custom function in ext/standard/var_uns ...) {DSA-3064-1 DLA-94-1} - php5 5.6.2+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=68044 CVE-2014-3668 (Buffer overflow in the date_from_ISO8601 function in the mkgmtime impl ...) {DSA-3064-1 DLA-94-1} - php5 5.6.2+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=68027 CVE-2014-3667 (Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent ...) - jenkins 1.565.3-1 (bug #763899) CVE-2014-3666 (Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to ...) - jenkins 1.565.3-1 (bug #763899) CVE-2014-3665 (Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure tru ...) - jenkins (bug #767541) [jessie] - jenkins (Backport not feasible, insecure feature is documented as such) NOTE: For jessie, the backport is too intrusive and since it's a cornercase, it's only documented, NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30 CVE-2014-3664 (Directory traversal vulnerability in Jenkins before 1.583 and LTS befo ...) - jenkins 1.565.3-1 (bug #763899) CVE-2014-3663 (Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticate ...) - jenkins 1.565.3-1 (bug #763899) CVE-2014-3662 (Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to ...) - jenkins 1.565.3-1 (bug #763899) CVE-2014-3661 (Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to ...) - jenkins 1.565.3-1 (bug #763899) CVE-2014-3660 (parser.c in libxml2 before 2.9.2 does not properly prevent entity expa ...) {DSA-2978-2 DSA-3057-1 DLA-151-1 DLA-80-1} [jessie] - libxml2 2.9.1+dfsg1-5 - libxml2 2.9.2+dfsg1-1 (bug #765722) NOTE: https://www.ncsc.nl/actueel/nieuwsberichten/kwetsbaarheid-ontdekt-in-libxml2.html NOTE: https://git.gnome.org/browse/libxml2/commit/?id=be2a7edaf289c5da74a4f9ed3a0b6c733e775230 NOTE: Beware the upstream patch relies on other commits not NOTE: available in the squeeze/wheezy version (at least cff2546f that NOTE: changes how the ent->checked variable is used and likely a3f1e3e5 too) CVE-2014-3659 REJECTED CVE-2014-3658 RESERVED CVE-2014-3657 (The virDomainListPopulate function in conf/domain_conf.c in libvirt be ...) - libvirt 1.2.9-1 [wheezy] - libvirt (Vulnerable code introduced later) [squeeze] - libvirt (Vulnerable code introduced later) NOTE: Upstream fix: http://libvirt.org/git/?p=libvirt.git;a=commit;h=fc22b2e74890873848b43fffae43025d22053669 (v1.2.9) NOTE: Introduced by: libvirt.org/git/?p=libvirt.git;a=commit;h=2c6808044408fba9ff9547ad88bb8a0f44ee21a0 (v0.10.0-rc0) CVE-2014-3656 (JBoss KeyCloak: XSS in login-status-iframe.html ...) NOT-FOR-US: JBoss KeyCloak CVE-2014-3655 (JBoss KeyCloak is vulnerable to soft token deletion via CSRF ...) NOT-FOR-US: JBoss KeyCloak CVE-2014-3654 (Multiple cross-site scripting (XSS) vulnerabilities in spacewalk-java ...) NOT-FOR-US: Red Hat Satellite CVE-2014-3653 (Cross-site scripting (XSS) vulnerability in the template preview funct ...) - foreman (bug #663101) NOTE: http://projects.theforeman.org/issues/7483 NOTE: https://github.com/sodabrew/foreman/issues/1 CVE-2014-3652 (JBoss KeyCloak: Open redirect vulnerability via failure to validate th ...) NOT-FOR-US: JBoss KeyCloak CVE-2014-3651 (JBoss KeyCloak before 1.0.3.Final allows remote attackers to cause a d ...) NOT-FOR-US: JBoss KeyCloak CVE-2014-3650 RESERVED NOT-FOR-US: JBoss AeroGear CVE-2014-3649 (JBoss AeroGear has reflected XSS via the password field ...) NOT-FOR-US: JBoss AeroGear CVE-2014-3648 RESERVED CVE-2014-3647 (arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel throug ...) {DSA-3060-1} - linux 3.16.7-1 - linux-2.6 [squeeze] - linux-2.6 (KVM not supported in Squeeze LTS) NOTE: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=234f3ce485d54017f15cf5e0699cff4100121601 NOTE: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=d1442d85cc30ea75f7d399474ca738e0bc96f715 CVE-2014-3646 (arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel through 3. ...) {DSA-3060-1} - linux 3.16.7-1 - linux-2.6 (Vulnerable code not present) NOTE: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=a642fc305053cc1c6e47e4f4df327895747ab485 CVE-2014-3645 (arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 3.1 ...) {DSA-3060-1} - linux 3.12.6-1 - linux-2.6 [squeeze] - linux-2.6 (KVM not supported in Squeeze LTS) NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bfd0a56b90005f8c8a004baf407ad90045c2b11e (v3.12-rc1) CVE-2014-3644 RESERVED CVE-2014-3643 (jersey: XXE via parameter entities not disabled by the jersey SAX pars ...) NOT-FOR-US: Jersey SAX parser CVE-2014-3642 (vmdb/app/controllers/application_controller/performance.rb in Red Hat ...) NOT-FOR-US: Red Hat CloudForms Management Engine CVE-2014-3641 (The (1) GlusterFS and (2) Linux Smbfs drivers in OpenStack Cinder befo ...) - cinder 2014.1.3-1 NOTE: Affects version up to 2014.1.2 CVE-2014-3640 (The sosendto function in slirp/udp.c in QEMU before 2.1.2 allows local ...) {DSA-3045-1 DSA-3044-1} - qemu 2.1+dfsg-5 (bug #762532) - qemu-kvm [squeeze] - qemu-kvm [squeeze] - qemu NOTE: http://lists.nongnu.org/archive/html/qemu-devel/2014-09/msg03543.html CVE-2014-3639 (The dbus-daemon in D-Bus before 1.6.24 and 1.8.x before 1.8.8 does not ...) {DSA-3026-1 DLA-87-1} - dbus 1.8.8-1 NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=80919 CVE-2014-3638 (The bus_connections_check_reply function in config-parser.c in D-Bus b ...) {DSA-3026-1 DLA-87-1} - dbus 1.8.8-1 NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=81053 CVE-2014-3637 (D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 does no ...) {DSA-3026-1} - dbus 1.8.8-1 [squeeze] - dbus (Version in squeeze does not support FD passing with SCM_RIGHTS) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=80559 CVE-2014-3636 (D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 allows ...) {DSA-3026-1} - dbus 1.8.8-1 [squeeze] - dbus (Version in squeeze does not support FD passing with SCM_RIGHTS) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=82820 CVE-2014-3635 (Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x ...) {DSA-3026-1} - dbus 1.8.8-1 [squeeze] - dbus (Version in Squeeze does not support FD passing with SCM_RIGHTS) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=83622 CVE-2014-3634 (rsyslog before 7.6.6 and 8.x before 8.4.1 and sysklogd 1.5 and earlier ...) {DSA-3040-1 DLA-72-1} - rsyslog 8.4.1-1 - inetutils 2:1.9.2.39.3a460-1 [wheezy] - inetutils (Minor issue) [squeeze] - inetutils (Minor issue) CVE-2014-3633 (The qemuDomainGetBlockIoTune function in qemu/qemu_driver.c in libvirt ...) {DSA-3038-1} - libvirt 1.2.8-2 (bug #762203) [squeeze] - libvirt (Vulnerable code introduced in v0.9.8) NOTE: Upstream fix: http://libvirt.org/git/?p=libvirt.git;a=commit;h=3e745e8f775dfe6f64f18b5c2fe4791b35d3546b NOTE: Introduced in http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=eca96694a7f992be633d48d5ca03cedc9bbc3c9a (v0.9.8) NOTE: Upstream advisory: http://security.libvirt.org/2014/0004.html CVE-2014-3632 (The default configuration in a sudoers file in the Red Hat openstack-n ...) - neutron (Red Hat-specific) NOTE: Regression of fix for CVE-2013-6433, Red Hat specific in RedHat Enterprise Open Stack Platform 5.0 CVE-2014-3631 (The assoc_array_gc function in the associative-array implementation in ...) - linux 3.16.3-1 [wheezy] - linux (Vulnerable code introduced later) - linux-2.6 (Vulnerable code introduced later) NOTE: Introduced by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b2a4df200d570b2c33a57e1ebfa5896e4bc81b69 (v3.13) NOTE: Fixed by http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=95389b08d93d5c06ec63ab49bd732b0069b7c35e CVE-2014-3630 (XML external entity (XXE) vulnerability in the Java XML processing fun ...) NOT-FOR-US: Play framework CVE-2014-3629 (XML external entity (XXE) vulnerability in the XML Exchange module in ...) - qpid-cpp (low; bug #772794) [wheezy] - qpid-cpp (Minor issue) NOTE: https://issues.apache.org/jira/secure/attachment/12680198/QPID-6218.patch CVE-2014-3628 (Cross-site scripting (XSS) vulnerability in the Admin UI Plugin / Stat ...) - lucene-solr (Only affects later 4.x releases) NOTE: https://issues.apache.org/jira/browse/SOLR-6738 CVE-2014-3627 (The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 an ...) NOT-FOR-US: Apache Hadoop CVE-2014-3626 (The Grails Resource Plugin often has to exchange URIs for resources wi ...) NOT-FOR-US: Grails Resource Plugin CVE-2014-3625 (Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 th ...) {DLA-1853-1} - libspring-java 3.2.13-1 (bug #769698) [wheezy] - libspring-java (Minor issue) NOTE: https://github.com/spring-projects/spring-framework/commit/3f68cd633f03370d33c2603a6496e81273782601 (3.2.x) NOTE: https://jira.spring.io/browse/SPR-12354 NOTE: http://www.pivotal.io/security/cve-2014-3625 CVE-2014-3624 (Apache Traffic Server 5.1.x before 5.1.1 allows remote attackers to by ...) - trafficserver 5.0.0-1 [wheezy] - trafficserver (Only affects 4.0.2 to 4.1.2) NOTE: https://issues.apache.org/jira/browse/TS-2677 CVE-2014-3623 (Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF ...) NOT-FOR-US: Apache CXF CVE-2014-3622 (Use-after-free vulnerability in the add_post_var function in the Posth ...) - php5 5.6.1+dfsg-1 (unimportant) NOTE: Not exploitable NOTE: https://bugs.php.net/bug.php?id=68088 CVE-2014-3621 (The catalog url replacement in OpenStack Identity (Keystone) before 20 ...) - keystone 2014.1.3-1 [wheezy] - keystone (Vulnerable code not present) NOTE: up to 2013.2.3 and 2014.1 versions up to 2014.1.2.1 CVE-2014-3620 (cURL and libcurl before 7.38.0 allow remote attackers to bypass the Sa ...) - curl 7.38.0-1 [wheezy] - curl (affects versions 7.31.0 and later) [squeeze] - curl (affects versions 7.31.0 and later) NOTE: http://curl.haxx.se/docs/adv_20140910B.html NOTE: Introduced by https://github.com/bagder/curl/commit/85b9dc8023 CVE-2014-3619 (The __socket_proto_state_machine function in GlusterFS 3.5 allows remo ...) [experimental] - glusterfs 3.6.2-1 - glusterfs 3.5.2-2 (bug #781018) [wheezy] - glusterfs (Vulnerability introduced after 3.2 release) [squeeze] - glusterfs (Vulnerability introduced after 3.2 release) NOTE: http://review.gluster.org/#/c/8848/ (3.5) NOTE: http://review.gluster.org/#/c/8662/4 (master) NOTE: GlusterFS after version 3.2 got changes in the RPC handling which seem to NOTE: introduce the vulnerability. With 3.2.x issue is not reproducible. CVE-2014-3617 (The forum_print_latest_discussions function in mod/forum/lib.php in Mo ...) - moodle 2.7.2-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46619 CVE-2014-3616 (nginx 0.5.6 through 1.7.4, when using the same shared ssl_session_cach ...) {DSA-3029-1 DLA-55-1} - nginx 1.6.2-1 (bug #761940) NOTE: http://mailman.nginx.org/pipermail/nginx-announce/2014/000147.html NOTE: Upstream patch: http://trac.nginx.org/nginx/changeset/1ee1db30c9b96e9e43e85ab0bfba42140af24966/nginx (stable-1.6 branch) NOTE: See follow up on: http://mailman.nginx.org/pipermail/nginx-devel/2014-September/005948.html CVE-2014-3615 (The VGA emulator in QEMU allows local guest users to read host memory ...) {DSA-3045-1 DSA-3044-1} - qemu 2.1+dfsg-5 - qemu-kvm [squeeze] - qemu-kvm [squeeze] - qemu (Unsupported in squeeze-lts) NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=c1b886c45dc70f247300f549dce9833f3fa2def5 NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=ab9509cceabef28071e41bdfa073083859c949a7 CVE-2014-3614 (Unspecified vulnerability in PowerDNS Recursor (aka pdns_recursor) 3.6 ...) - pdns-recursor 3.6.1-1 [wheezy] - pdns-recursor (Only affects 3.6.0) [squeeze] - pdns-recursor (Only affects 3.6.0) CVE-2014-3613 (cURL and libcurl before 7.38.0 does not properly handle IP addresses i ...) {DSA-3022-1 DLA-64-1} - curl 7.38.0-1 NOTE: http://curl.haxx.se/docs/adv_20140910A.html CVE-2014-3612 (The LDAPLoginModule implementation in the Java Authentication and Auth ...) - activemq 5.6.0+dfsg1-4 (low; bug #777196) [wheezy] - activemq 5.6.0+dfsg-1+deb7u1 NOTE: http://activemq.apache.org/security-advisories.data/CVE-2014-3612-announcement.txt CVE-2014-3611 (Race condition in the __kvm_migrate_pit_timer function in arch/x86/kvm ...) {DSA-3060-1} - linux 3.16.7-1 - linux-2.6 [squeeze] - linux-2.6 (KVM not supported in Squeeze LTS) NOTE: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=2febc839133280d5a5e8e1179c94ea674489dae2 CVE-2014-3610 (The WRMSR processing functionality in the KVM subsystem in the Linux k ...) {DSA-3060-1} - linux 3.16.7-1 - linux-2.6 [squeeze] - linux-2.6 (KVM not supported in Squeeze LTS) NOTE: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=854e8bb1aa06c578c2c9145fa6bfe3680ef63b23 NOTE: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=8b3c3104c3f4f706e99365c3e0d2aa61b95f969f NOTE: Enabling CONFIG_PARAVIRT when building the kernel mitigates this issue. CVE-2014-3609 (HttpHdrRange.cc in Squid 3.x before 3.3.12 and 3.4.x before 3.4.6 allo ...) {DSA-3139-1 DSA-3014-1 DLA-216-1 DLA-45-1} - squid 2.7.STABLE9-5 (bug #776194) - squid3 3.3.8-1.2 (bug #759509) NOTE: http://www.squid-cache.org/Advisories/SQUID-2014_2.txt CVE-2014-3608 (The VMWare driver in OpenStack Compute (Nova) before 2014.1.3 allows r ...) - nova 2014.1.3-1 [wheezy] - nova (Vulnerable code in 2013.2 to 2013.2.2) NOTE: Incomplete fix for CVE-2014-2573 CVE-2014-3607 (DefaultHostnameVerifier in Ldaptive (formerly vt-ldap) does not proper ...) - libvt-ldap-java 3.3.8-1 (bug #763608) CVE-2014-3606 REJECTED CVE-2014-3605 REJECTED CVE-2014-3604 (Certificates.java in Not Yet Commons SSL before 0.3.15 does not proper ...) - not-yet-commons-ssl 0.3.15-1 (bug #759526) NOTE: http://lists.juliusdavies.ca/pipermail/not-yet-commons-ssl-juliusdavies.ca/2014-August/000832.html CVE-2014-3603 (The (1) HttpResource and (2) FileBackedHttpResource implementations in ...) - libopensaml2-java 2.6.2-1 (bug #759470) NOTE: http://shibboleth.net/community/advisories/secadv_20140813.txt NOTE: http://svn.shibboleth.net/view/java-opensaml2/branches/REL_2/src/main/java/org/opensaml/DefaultBootstrap.java?r1=1622&r2=1666&pathrev=1666 CVE-2014-3602 (Red Hat OpenShift Enterprise before 2.2 allows local users to obtain I ...) NOT-FOR-US: OpenShift CVE-2014-3601 (The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kern ...) - linux 3.16.2-1 [wheezy] - linux 3.2.63-1 - linux-2.6 (Vulnerable code not present) NOTE: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=350b8bdd689cd2ab2c67c8a86a0be86cfa0751a7 CVE-2014-3600 (XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before ...) - activemq 5.6.0+dfsg1-4 (low; bug #777196) [wheezy] - activemq 5.6.0+dfsg-1+deb7u1 NOTE: http://activemq.apache.org/security-advisories.data/CVE-2014-3600-announcement.txt CVE-2014-3599 (HornetQ REST is vulnerable to XML External Entity due to insecure conf ...) NOT-FOR-US: HornetQ CVE-2014-3598 (The Jpeg2KImagePlugin plugin in Pillow before 2.5.3 allows remote atta ...) - pillow 2.5.3-1 - python-imaging (Vulnerable code not present) CVE-2014-3597 (Multiple buffer overflows in the php_parserr function in ext/standard/ ...) {DSA-3008-1 DLA-67-1} - php5 5.6.0+dfsg-1 NOTE: patch: https://github.com/php/php-src/commit/2fefae47716d501aec41c1102f3fd4531f070b05#diff-d41d8cd98f00b204e9800998ecf8427e NOTE: https://bugs.php.net/bug.php?id=67717 NOTE: incomplete fix for CVE-2014-4049 CVE-2014-3596 (The getCN function in Apache Axis 1.4 and earlier does not properly ve ...) {DLA-169-1} - axis 1.4-21 (low; bug #762444) [wheezy] - axis 1.4-16.2+deb7u1 [squeeze] - axis (Minor issue) NOTE: https://issues.apache.org/jira/secure/attachment/12662672/CVE-2014-3596.patch CVE-2014-3595 (Cross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7 ...) NOT-FOR-US: Red Hat Satellite CVE-2014-3594 (Cross-site scripting (XSS) vulnerability in the Host Aggregates interf ...) - horizon 2014.1.2-3 (bug #758930) [wheezy] - horizon (Vulnerable code not present) NOTE: up to 2013.2.3, and 2014.1 versions up to 2014.1.2 CVE-2014-3593 (Eval injection vulnerability in luci 0.26.0 allows remote authenticate ...) NOT-FOR-US: Luci CVE-2014-3592 (OpenShift Origin: Improperly validated team names could allow stored X ...) NOT-FOR-US: OpenShift Origin CVE-2014-3591 (Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciph ...) {DSA-3185-1 DSA-3184-1 DLA-190-1 DLA-175-1} - libgcrypt11 - libgcrypt20 1.6.3-2 - gnupg 1.4.18-7 NOTE: http://www.cs.tau.ac.il/~tromer/radioexp/ NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=ff53cf06e966dce0daba5f2c84e03ab9db2c3c8b CVE-2014-3590 (Versions of Foreman as shipped with Red Hat Satellite 6 does not check ...) - foreman (bug #663101) CVE-2014-3589 (PIL/IcnsImagePlugin.py in Python Imaging Library (PIL) and Pillow befo ...) {DSA-3009-1 DLA-41-1} - pillow 2.5.3-1 (bug #758772) - python-imaging [squeeze] - python-imaging 1.1.7-2+deb6u1 NOTE: https://github.com/python-pillow/Pillow/commit/205e056f8f9b06ed7b925cf8aa0874bc4aaf8a7d CVE-2014-3588 RESERVED CVE-2014-3587 (Integer overflow in the cdf_read_property_info function in cdf.c in fi ...) {DSA-3021-1 DSA-3008-1 DLA-67-1 DLA-50-1} - php5 5.6.0+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=67716 NOTE: https://github.com/php/php-src/commit/7ba1409a1aee5925180de546057ddd84ff267947 - file 1:5.19-2 CVE-2014-3586 (The default configuration for the Command Line Interface in Red Hat En ...) - jbossas4 (Only builds a few libraries, not the full application server, #581226) CVE-2014-3585 (redhat-upgrade-tool: Does not check GPG signatures when upgrading vers ...) NOT-FOR-US: redhat-upgrade-tool CVE-2014-3584 (The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7. ...) NOT-FOR-US: Apache CXF CVE-2014-3583 (The handle_headers function in mod_proxy_fcgi.c in the mod_proxy_fcgi ...) - apache2 2.4.10-8 (low) [wheezy] - apache2 (no mod_proxy_fcgi in 2.2) [squeeze] - apache2 (no mod_proxy_fcgi in 2.2) NOTE: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_fcgi.c?r1=1618401&r2=1638818 NOTE: Only exploitable by a malicious fcgi script. CVE-2014-3582 (In Ambari 1.2.0 through 2.2.2, it may be possible to execute arbitrary ...) NOT-FOR-US: Apache Ambari CVE-2014-3581 (The cache_merge_headers_out function in modules/cache/cache_util.c in ...) {DLA-71-1} - apache2 2.4.10-3 [wheezy] - apache2 (Only affects 2.4) NOTE: https://issues.apache.org/bugzilla/show_bug.cgi?id=56924#c6 CVE-2014-3580 (The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x be ...) {DSA-3107-1 DLA-119-1} - subversion 1.8.10-5 (bug #773263) NOTE: http://subversion.apache.org/security/CVE-2014-3580-advisory.txt CVE-2014-3579 (XML external entity (XXE) vulnerability in Apache ActiveMQ Apollo 1.x ...) NOT-FOR-US: Apache ActiveMQ Apollo CVE-2014-3578 (Directory traversal vulnerability in Pivotal Spring Framework 3.x befo ...) {DLA-1853-1} - libspring-java 3.2.13-1 (low; bug #760733) [wheezy] - libspring-java (minor issue) NOTE: https://github.com/spring-projects/spring-framework/issues/16414 NOTE: https://github.com/spring-projects/spring-framework/commit/f6fddeb6eb7da625fd711ab371ff16512f431e8d CVE-2014-3577 (org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents Htt ...) {DLA-222-1} - httpcomponents-client 4.3.5-1 [wheezy] - httpcomponents-client 4.1.1-2+deb7u1 [squeeze] - httpcomponents-client (Minor issue) - commons-httpclient 3.1-11 (bug #758086) [wheezy] - commons-httpclient 3.1-10.2+deb7u1 NOTE: See https://bugs.debian.org/758086#59 for full details. CVE-2014-3576 (The processControlCommand function in broker/TransportConnection.java ...) {DSA-3330-1} - activemq 5.6.0+dfsg1-4+deb8u1 (bug #792857) CVE-2014-3575 (The OLE preview generation in Apache OpenOffice before 4.1.1 and OpenO ...) NOT-FOR-US: OpenOffice on Windows CVE-2014-3574 (Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote at ...) - libapache-poi-java 3.10.1-1 [wheezy] - libapache-poi-java (Minor issue) NOTE: https://issues.apache.org/bugzilla/show_bug.cgi?id=54764 CVE-2014-3573 (The oVirt Engine backend module, as used in Red Hat Enterprise Virtual ...) NOT-FOR-US: oVirt Engine CVE-2014-3572 (The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9. ...) {DSA-3125-1 DLA-132-1} - openssl 1.0.1k-1 NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=ef28c6d6767a6a30df5add36171894c96628fe98 CVE-2014-3571 (OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k a ...) {DSA-3125-1 DLA-132-1} - openssl 1.0.1k-1 NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=8d7aab986b499f34d9e1bc58fbfd77f05c38116e NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=45fe66b8ba026186aa5d8ef1e0e6010ea74d5c0b CVE-2014-3570 (The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0. ...) {DSA-3125-1 DLA-132-1} - openssl 1.0.1k-1 NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=a7a44ba55cb4f884c6bc9ceac90072dea38e66d CVE-2014-3569 (The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, ...) {DSA-3125-1 DLA-81-1} - openssl 1.0.1k-1 NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6ce9687b5aba5391fc0de50e18779eb676d0e04d CVE-2014-3568 (OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j d ...) {DSA-3053-1 DLA-81-1} - openssl 1.0.1j-1 CVE-2014-3567 (Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL ...) {DSA-3053-1 DLA-81-1} - openssl 1.0.1j-1 CVE-2014-3566 (The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other prod ...) {DSA-3489-1 DSA-3253-1 DSA-3147-1 DSA-3144-1 DSA-3092-1 DLA-400-1 DLA-282-1 DLA-157-1} - arora (unimportant) - bouncycastle (SSLv3 needs to be explicitly enabled) NOTE: http://www.kb.cert.org/vuls/id/BLUU-9PYTFQ - chromium-browser 39.0.2171.71-1 (bug #765928) [wheezy] - chromium-browser [squeeze] - chromium-browser - conkeror (unimportant) - cyassl (bug #769905) - wolfssl 3.4.8+dfsg-1 NOTE: wolfssl actually fixed with the initial upload to unstable after the rename - dwb (unimportant) - openssl 1.0.1j-1 [wheezy] - openssl (Will be addressed through a point update, #774299) [squeeze] - openssl (Change considered too risky) - galeon (unimportant) - gnutls26 [squeeze] - gnutls26 (Minor issue) [wheezy] - gnutls26 (Minor issue) NOTE: https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1510163 - gnutls28 3.3.8-5 (bug #769904) - kazehakase (unimportant) - kdebase (unimportant) - kde-baseapps (unimportant) - epiphany-browser (unimportant) - haskell-tls 1.2.9-2 (bug #768164) [wheezy] - haskell-tls (Minor issue) - icedove 31.3.0-1 [squeeze] - icedove - iceweasel 31.2.0esr-2 [squeeze] - iceweasel - matrixssl (low) [squeeze] - matrixssl (Minor issue) [wheezy] - matrixssl (Minor issue) - midori (unimportant) - netsurf (unimportant) - nss 2:3.17.1-1 [squeeze] - nss (Upstream doesn't plan to disable SSLv3, stick with that) [wheezy] - nss (Upstream doesn't plan to disable SSLv3, stick with that) - openjdk-6 6b34-1.13.6-1 - openjdk-7 7u75-2.5.4-1 - openjdk-8 8u40~b04-1 - polarssl 1.3.9-2 [squeeze] - polarssl (Minor issue) [wheezy] - polarssl (Minor issue) - pound 2.6-6 (bug #765539) [squeeze] - pound (Minor issue) - surf (unimportant) - tlslite [wheezy] - tlslite (Minor issue) - uzbl (unimportant) - erlang 1:17.3-dfsg-3 (bug #771359) [squeeze] - erlang (Minor issue) [wheezy] - erlang (Minor issue) - lighttpd 1.4.35-4 (bug #765702) NOTE: https://www.openssl.org/~bodo/ssl-poodle.pdf NOTE: http://googleonlinesecurity.blogspot.fr/2014/10/this-poodle-bites-exploiting-ssl-30.html NOTE: This is only about the SSLv3 CBC padding, not about any downgrade attack or support for the fallback SCSV NOTE: Fix is to disable SSLv3 in library or application configurations NOTE: Browsers based on webkit (with the exception of Chromium) or khtml are not covered by security support CVE-2014-3565 (snmplib/mib.c in net-snmp 5.7.0 and earlier, when the -OQ option is us ...) - net-snmp 5.7.2.1~dfsg-7 (bug #760132) [wheezy] - net-snmp 5.4.3~dfsg-2.8+deb7u1 [squeeze] - net-snmp (Minor issue) CVE-2014-3564 (Multiple heap-based buffer overflows in the status_handler function in ...) {DSA-3005-1 DLA-39-1} - gpgme1.0 1.5.1-1 (bug #756651) [squeeze] - gpgme1.0 1.2.0-1.2+deb6u1 NOTE: patch: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f7911fc215845e89b50d6af5ff4a83dd77 CVE-2014-3563 (Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 20 ...) - salt 2014.1.10+ds-1 NOTE: http://docs.saltstack.com/en/latest/topics/releases/2014.1.10.html CVE-2014-3562 (Red Hat Directory Server 8 and 389 Directory Server, when debugging is ...) - 389-ds-base 1.3.2.21-1 (bug #757437) CVE-2014-3561 (The rhevm-log-collector package in Red Hat Enterprise Virtualization 3 ...) NOT-FOR-US: rhevm-log-collector CVE-2014-3560 (NetBIOS name services daemon (nmbd) in Samba 4.0.x before 4.0.21 and 4 ...) - samba 2:4.1.11+dfsg-1 (bug #756759) [squeeze] - samba (Only affects 4.x) [wheezy] - samba (Only affects 4.x) CVE-2014-3559 (The oVirt storage backend in Red Hat Enterprise Virtualization 3.4 doe ...) NOT-FOR-US: ovirt-engine-backend CVE-2014-3558 (ReflectionHelper (org.hibernate.validator.util.ReflectionHelper) in Hi ...) - libhibernate-validator-java 4.2.1-2 (low; bug #762690) [jessie] - libhibernate-validator-java (Only used as a build dependency for libhibernate3-java) [wheezy] - libhibernate-validator-java (Only used as a build dependency for libhibernate3-java) [squeeze] - libhibernate-validator-java (Only used as a build dependency for libhibernate3-java) NOTE: RedHat upgraded to new upstream versions in their security NOTE: updates. No patches are available for the 4.0.x branch we NOTE: have in Debian. Known fixed versions are 4.2.1, 4.3.2, and 5.1.2. NOTE: Upstream ticket: https://hibernate.atlassian.net/browse/HV-912 CVE-2014-3557 REJECTED CVE-2014-3556 (The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMT ...) - nginx 1.6.1-1 (bug #757196) [wheezy] - nginx (Affects 1.5.6 - 1.7.3) [squeeze] - nginx (Affects 1.5.6 - 1.7.3) NOTE: fixed in nginx 1.7.4, 1.6.1 CVE-2014-3555 (OpenStack Neutron before 2013.2.4, 2014.x before 2014.1.2, and Juno be ...) - neutron 2014.1.1-3 (bug #755134) CVE-2014-3554 (Buffer overflow in the ndp_msg_opt_dnssl_domain function in libndp all ...) - libndp 1.4-1 (bug #756389) CVE-2014-3553 (mod/forum/classes/post_form.php in Moodle through 2.3.11, 2.4.x before ...) - moodle 2.7.2-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38990 CVE-2014-3552 (The Shibboleth authentication plugin in auth/shibboleth/index.php in M ...) - moodle 2.6.1-1 [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=refs%2Fheads%2FMOODLE_25_STABLE&st=commit&s=MDL-45485 CVE-2014-3551 (Multiple cross-site scripting (XSS) vulnerabilities in the advanced-gr ...) - moodle 2.7.2-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46223 CVE-2014-3550 (Multiple cross-site scripting (XSS) vulnerabilities in admin/tool/task ...) - moodle (Only affects 2.7.x) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46227 CVE-2014-3549 (Cross-site scripting (XSS) vulnerability in the get_description functi ...) - moodle (Only affects 2.7.x) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46201 CVE-2014-3548 (Multiple cross-site scripting (XSS) vulnerabilities in Moodle through ...) - moodle 2.7.2-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45471 CVE-2014-3547 (Multiple cross-site scripting (XSS) vulnerabilities in badges/renderer ...) - moodle 2.7.2-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46042 CVE-2014-3546 (Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x ...) - moodle 2.7.2-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45760 CVE-2014-3545 (Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x ...) - moodle 2.7.2-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46148 CVE-2014-3544 (Cross-site scripting (XSS) vulnerability in user/profile.php in Moodle ...) - moodle 2.7.2-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45683 CVE-2014-3543 (mod/imscp/locallib.php in Moodle through 2.3.11, 2.4.x before 2.4.11, ...) - moodle 2.7.2-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45417 CVE-2014-3542 (mod/lti/service.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5 ...) - moodle 2.7.2-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45463 CVE-2014-3541 (The Repositories component in Moodle through 2.3.11, 2.4.x before 2.4. ...) - moodle 2.7.2-1 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45616 CVE-2014-3540 REJECTED CVE-2014-3539 (base/oi/doa.py in the Rope library in CPython (aka Python) allows remo ...) - rope 0.10.3-1 (bug #777525) [jessie] - rope (Minor issue) [squeeze] - rope (Minor issue) [wheezy] - rope (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1116485 NOTE: https://github.com/python-rope/rope/issues/105 NOTE: 0.10.3-1 only adds a mitigation for the issue, so not completely fixed. NOTE: Still mark it as fixed in this version because patch limits socket NOTE: connections to localhost only CVE-2014-3538 (file before 5.19 does not properly restrict the amount of data read du ...) {DSA-3021-1 DSA-3008-1 DLA-67-1 DLA-50-1} - file 1:5.19-1 NOTE: fix relies on the new feature that introduced regex/ syntax, might be too intrusive for backporting. - php5 5.6.0~rc4+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=67705 CVE-2014-3537 (The web interface in CUPS before 1.7.4 allows local users in the lp gr ...) {DSA-2990-1 DLA-0022-1} - cups 1.7.4-1 [squeeze] - cups 1.4.4-7+squeeze6 NOTE: https://www.cups.org/str.php?L4450 CVE-2014-3536 (CFME (CloudForms Management Engine) 5: RHN account information is logg ...) NOT-FOR-US: Red Hat CloudForms CVE-2014-3535 (include/linux/netdevice.h in the Linux kernel before 2.6.36 incorrectl ...) - linux (RHEL-specific, incomplete backport) - linux-2.6 (RHEL-specific, incomplete backport) NOTE: Fix: https://git.kernel.org/linus/256df2f3879efdb2e9808bdb1b54b16fbb11fa38 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=896015#c8 CVE-2014-3534 (arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s39 ...) {DSA-2992-1} - linux 3.14.13-2 (bug #728705) - linux-2.6 (Vulnerable code was introduced later) CVE-2014-3533 (dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allows local users to ...) {DSA-2971-1} - dbus 1.8.6-1 [squeeze] - dbus (Vulnerable code not present) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=80469 CVE-2014-3532 (dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6, when running on Linux ...) {DSA-2971-1} - dbus 1.8.6-1 [squeeze] - dbus (Fix for other kernel version) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=80163 CVE-2014-3531 (Multiple cross-site scripting (XSS) vulnerabilities in Foreman before ...) - foreman (bug #663101) CVE-2014-3530 (The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory ...) NOT-FOR-US: PicketLink CVE-2014-3529 (The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers ...) - libapache-poi-java 3.10.1-1 [wheezy] - libapache-poi-java (Minor issue) NOTE: https://issues.apache.org/bugzilla/show_bug.cgi?id=56164 CVE-2014-3527 (When using the CAS Proxy ticket authentication from Spring Security 3. ...) - libspring-security-java (bug #582181) CVE-2014-3526 (Apache Wicket before 1.5.12, 6.x before 6.17.0, and 7.x before 7.0.0-M ...) NOT-FOR-US: Apache Wicket CVE-2014-3525 (Unspecified vulnerability in Apache Traffic Server 3.x through 3.2.5, ...) - trafficserver 5.0.1-1 (low) [wheezy] - trafficserver (Minor issue) CVE-2014-3524 (Apache OpenOffice before 4.1.1 allows remote attackers to execute arbi ...) NOT-FOR-US: OpenOffice for Windows CVE-2014-3523 (Memory leak in the winnt_accept function in server/mpm/winnt/child.c i ...) - apache2 (Affects only Windows systems) CVE-2014-3522 (The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7. ...) - subversion 1.8.10-1 [wheezy] - subversion (unimportant) [squeeze] - subversion (unimportant) NOTE: https://subversion.apache.org/security/CVE-2014-3522-advisory.txt CVE-2014-3521 (The component in (1) /luci/homebase and (2) /luci/cluster menu in Red ...) NOT-FOR-US: luci as included in conga CVE-2014-3520 (OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, ...) - keystone 2014.1.1-3 (bug #753511) [wheezy] - keystone (Vulnerable code not present) CVE-2014-3519 (The open_by_handle_at function in vzkernel before 042stab090.5 in the ...) - linux-2.6 (Vulnerable code not yet present) - linux (Kernels after squeeze no longer contain the openvz flavour) CVE-2014-3518 (jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterpris ...) NOT-FOR-US: JBoss Application Server CVE-2014-3517 (api/metadata/handler.py in OpenStack Compute (Nova) before 2013.2.4, 2 ...) - nova 2014.1.1-8 (bug #755042) [wheezy] - nova (Only exploitable when used with neutron, which is not in stable) CVE-2014-3516 RESERVED CVE-2014-3515 (The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorre ...) {DSA-2974-1 DLA-0018-1} - php5 5.6.0~rc2+dfsg-1 [squeeze] - php5 5.3.3-7+squeeze21 NOTE: https://bugs.php.net/bug.php?id=67492 CVE-2014-3514 (activerecord/lib/active_record/relation/query_methods.rb in Active Rec ...) - rails 2:4.1.5-1 [wheezy] - rails (Only affects 4.0.0 and all Later Versions) [squeeze] - rails (Unsupported in squeeze-lts) - rails-3.2 (Only affects 4.0.0 and all Later Versions) - ruby-activerecord-2.3 (Only affects 4.0.0 and all Later Versions) - ruby-activerecord-3.2 (Only affects 4.0.0 and all Later Versions) CVE-2014-3513 (Memory leak in d1_srtp.c in the DTLS SRTP extension in OpenSSL 1.0.1 b ...) {DSA-3053-1} - openssl 1.0.1j-1 [squeeze] - openssl (DLTS SRTP introduced in 1.0.1) CVE-2014-3512 (Multiple buffer overflows in crypto/srp/srp_lib.c in the SRP implement ...) {DSA-2998-1} - openssl 1.0.1i-1 [squeeze] - openssl (vulnerable code not present) CVE-2014-3511 (The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 bef ...) {DSA-2998-1} - openssl 1.0.1i-1 [squeeze] - openssl (Doesn't support TLS higher than 1.0) CVE-2014-3510 (The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL 0.9 ...) {DSA-2998-1 DLA-33-1} - openssl 1.0.1i-1 CVE-2014-3509 (Race condition in the ssl_parse_serverhello_tlsext function in t1_lib. ...) {DSA-2998-1} - openssl 1.0.1i-1 [squeeze] - openssl (vulnerable code not present) CVE-2014-3508 (The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL 0.9.8 ...) {DSA-2998-1 DLA-33-1} - openssl 1.0.1i-1 CVE-2014-3507 (Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 b ...) {DSA-2998-1 DLA-33-1} - openssl 1.0.1i-1 CVE-2014-3506 (d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, ...) {DSA-2998-1 DLA-33-1} - openssl 1.0.1i-1 CVE-2014-3505 (Double free vulnerability in d1_both.c in the DTLS implementation in O ...) {DSA-2998-1 DLA-33-1} - openssl 1.0.1i-1 CVE-2014-3504 (The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ ...) - serf 1.3.7-1 (bug #757965) [wheezy] - serf (Minor issue) [squeeze] - serf (Minor issue) CVE-2014-3503 (Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate ...) NOT-FOR-US: Apache Syncope CVE-2014-3502 (Apache Cordova Android before 3.5.1 allows remote attackers to open an ...) NOT-FOR-US: Apache Cordova CVE-2014-3501 (Apache Cordova Android before 3.5.1 allows remote attackers to bypass ...) NOT-FOR-US: Apache Cordova CVE-2014-3500 (Apache Cordova Android before 3.5.1 allows remote attackers to change ...) NOT-FOR-US: Apache Cordova CVE-2014-3499 (Docker 1.0.0 uses world-readable and world-writable permissions on the ...) - docker.io (RHEL specific, socket based activation not shipped) CVE-2014-3498 (The user module in ansible before 1.6.6 allows remote authenticated us ...) - ansible 1.7.0+dfsg-1 NOTE: https://github.com/ansible/ansible/commit/8ed6350e65c82292a631f08845dfaacffe7f07f5 (v1.7.0) CVE-2014-3497 (Cross-site scripting (XSS) vulnerability in OpenStack Swift 1.11.0 thr ...) - swift 1.13.1-1 (bug #752087) [wheezy] - swift (Only affects 1.11.0 to 1.13.1) CVE-2014-3496 (cartridge_repository.rb in OpenShift Origin and Enterprise 1.2.8 throu ...) NOT-FOR-US: OpenShift Origin CVE-2014-3495 (duplicity 0.6.24 has improper verification of SSL certificates ...) - duplicity 0.6.21-1 (low; bug #751902) [wheezy] - duplicity (Minor issue) NOTE: Since python-boto 2.6.0, cf. #751902, boto's default is now to enable NOTE: certificate verification. This is as such only a issue if using boto's NOTE: version outside of the packaged one in Debian. Mark 0.6.21-1 as fixing NOTE: version since this is the first upload to unstable after python-boto NOTE: 2.8.0-1 was uploaded. CVE-2014-3494 (kio/usernotificationhandler.cpp in the POP3 kioslave in kdelibs 4.10.9 ...) - kde4libs 4:4.13.3-1 (bug #752052) [wheezy] - kde4libs (Affects kdelibs 4.10.95 to 4.13.2) [squeeze] - kde4libs (Affects kdelibs 4.10.95 to 4.13.2) NOTE: http://quickgit.kde.org/?p=kdelibs.git&a=commitdiff&h=bbae87dc1be3ae063796a582774bd5642cacdd5d&hp=1ccdb43ed3b32a7798eec6d39bb3c83a6e40228f CVE-2014-3493 (The push_ascii function in smbd in Samba 3.6.x before 3.6.24, 4.0.x be ...) {DSA-2966-1} - samba 2:4.1.9+dfsg-1 [squeeze] - samba (Only affects 3.6 and later) - samba4 4.0.0~beta2+dfsg1-3.2+deb7u2 NOTE: AD-related packages removed from src:samba4 in 4.0.0~beta2+dfsg1-3.2+deb7u2 NOTE: https://www.samba.org/samba/security/CVE-2014-3493 CVE-2014-3492 (Multiple cross-site scripting (XSS) vulnerabilities in the host YAML v ...) - foreman (bug #663101) CVE-2014-3491 (Cross-site scripting (XSS) vulnerability in Foreman before 1.4.5 and 1 ...) - foreman (bug #663101) NOTE: Details not yet known as behind http://projects.theforeman.org/issues/5881 CVE-2014-3490 (RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red H ...) NOT-FOR-US: RESTEasy framework for JBoss CVE-2014-3489 (lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine ( ...) NOT-FOR-US: Red Hat CloudForms Management Engine CVE-2014-3488 (The SslHandler in Netty before 3.9.2 allows remote attackers to cause ...) {DLA-2110-1} - netty (Introduced in 3.9.0) - netty-3.9 3.9.9.Final-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1107983 says only affects NOTE: 3.9.0 and 3.9.1. NOTE: https://github.com/netty/netty/issues/2562 NOTE: https://github.com/netty/netty/commit/2fa9400a59d0563a66908aba55c41e7285a04994 CVE-2014-3487 (The cdf_read_property_info function in file before 5.19, as used in th ...) {DSA-3021-1 DSA-2974-1 DLA-27-1} - file 1:5.19-1 [squeeze] - file 5.04-5+squeeze6 NOTE: https://github.com/file/file/commit/93e063ee374b6a75729df9e7201fb511e47e259d - php5 5.6.0~rc1+dfsg-1 [squeeze] - php5 (Vulnerable code was introduced later) NOTE: https://bugs.php.net/bug.php?id=67413 CVE-2014-3486 (The (1) shell_exec function in lib/util/MiqSshUtilV1.rb and (2) temp_c ...) NOT-FOR-US: Red Hat CloudForms Management Engine CVE-2014-3485 (The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterpri ...) NOT-FOR-US: ovirt-engine-api / RHEV CVE-2014-3484 (Multiple stack-based buffer overflows in the __dn_expand function in n ...) - musl 1.1.4-1 (bug #750815) CVE-2014-3483 (SQL injection vulnerability in activerecord/lib/active_record/connecti ...) {DSA-2982-1} - ruby-activerecord-2.3 [wheezy] - ruby-activerecord-2.3 - ruby-activerecord-3.2 - rails 2:4.1.4-1 [wheezy] - rails (src:rails in wheezy is just a transition package) [squeeze] - rails (Unsupported in squeeze-lts) - rails-3.2 3.2.19-1 - rails-4.0 CVE-2014-3482 (SQL injection vulnerability in activerecord/lib/active_record/connecti ...) {DSA-2982-1} - ruby-activerecord-2.3 [wheezy] - ruby-activerecord-2.3 - ruby-activerecord-3.2 - rails 2:4.1.4-1 [wheezy] - rails (src:rails in wheezy is just a transition package) [squeeze] - rails (Unsupported in squeeze-lts) - rails-3.2 3.2.19-1 - rails-4.0 CVE-2014-3481 (org.jboss.as.jaxrs.deployment.JaxrsIntegrationProcessor in Red Hat JBo ...) - jbossas4 (Only builds a few libraries, not the full application server, #581226) CVE-2014-3480 (The cdf_count_chain function in cdf.c in file before 5.19, as used in ...) {DSA-3021-1 DSA-2974-1 DLA-27-1 DLA-0018-1} - file 1:5.19-1 [squeeze] - file 5.04-5+squeeze6 NOTE: https://github.com/file/file/commit/40bade80cbe2af1d0b2cd0420cebd5d5905a2382 - php5 5.6.0~rc1+dfsg-1 [squeeze] - php5 5.3.3-7+squeeze21 NOTE: http://bugs.php.net/bug.php?id=67412 CVE-2014-3479 (The cdf_check_stream_offset function in cdf.c in file before 5.19, as ...) {DSA-3021-1 DSA-2974-1 DLA-27-1} - file 1:5.19-1 [squeeze] - file 5.04-5+squeeze6 NOTE: https://github.com/file/file/commit/36fadd29849b8087af9f4586f89dbf74ea45be67 - php5 5.6.0~rc1+dfsg-1 [squeeze] - php5 (Vulnerable code was introduced later) NOTE: https://bugs.php.net/bug.php?id=67411 CVE-2014-3478 (Buffer overflow in the mconvert function in softmagic.c in file before ...) {DSA-3021-1 DSA-2974-1 DLA-27-1} - file 1:5.19-1 [squeeze] - file 5.04-5+squeeze6 NOTE: https://github.com/file/file/commit/27a14bc7ba285a0a5ebfdb55e54001aa11932b08 - php5 5.6.0~rc1+dfsg-1 [squeeze] - php5 (Vulnerable code was introduced later) NOTE: http://bugs.php.net/bug.php?id=67410 CVE-2014-3477 (The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and ...) {DSA-2971-1 DLA-87-1} - dbus 1.8.4-1 (low) [squeeze] - dbus (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=78979 CVE-2014-3476 (OpenStack Identity (Keystone) before 2013.2.4, 2014.1 before 2014.1.2, ...) - keystone 2014.1.1-2 (bug #751454) [wheezy] - keystone (Vulnerable code not present) CVE-2014-3475 (Cross-site scripting (XSS) vulnerability in the Users panel (admin/use ...) - horizon 2014.1.1-3 (bug #754255) [wheezy] - horizon (Minor issue) CVE-2014-3474 (Cross-site scripting (XSS) vulnerability in horizon/static/horizon/js/ ...) - horizon 2014.1.1-3 (bug #754255) [wheezy] - horizon (Minor issue) CVE-2014-3473 (Cross-site scripting (XSS) vulnerability in the Orchestration/Stack se ...) - horizon 2014.1.1-3 (bug #754255) [wheezy] - horizon (Minor issue) CVE-2014-3472 (The isCallerInRole function in SimpleSecurityManager in JBoss Applicat ...) NOT-FOR-US: JBoss Enterprise Application Platform CVE-2014-3471 (Use-after-free vulnerability in hw/pci/pcie.c in QEMU (aka Quick Emula ...) - qemu 2.1+dfsg-1 [wheezy] - qemu (Vulnerable code not present) [wheezy] - qemu-kvm (Vulnerable code not present) [squeeze] - qemu (Vulnerable code not present) - qemu-kvm [squeeze] - qemu-kvm (Vulnerable code not present) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2014-06/msg05283.html NOTE: Upstream fix: http://git.qemu.org/?p=qemu.git;a=commit;h=554f802da3f8b09b16b9a84ad5847b2eb0e9ad2b (v2.1.0-rc0) NOTE: PCIe support introduced in v1.3: http://wiki.qemu.org/ChangeLog/1.3 CVE-2014-3470 (The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL bef ...) {DSA-2950-1 DLA-0003-1} - openssl 1.0.1h-1 (bug #750665) [squeeze] - openssl 0.9.8o-4squeeze15 CVE-2014-3469 (The (1) asn1_read_value_type and (2) asn1_read_value functions in GNU ...) {DSA-3056-1 DLA-77-1} - libtasn1-3 - libtasn1-6 3.6-1 CVE-2014-3468 (The asn1_get_bit_der function in GNU Libtasn1 before 3.6 does not prop ...) {DSA-3056-1 DLA-77-1} - libtasn1-3 - libtasn1-6 3.6-1 CVE-2014-3467 (Multiple unspecified vulnerabilities in the DER decoder in GNU Libtasn ...) {DSA-3056-1 DLA-77-1} - libtasn1-3 - libtasn1-6 3.6-1 CVE-2014-3466 (Buffer overflow in the read_server_hello function in lib/gnutls_handsh ...) {DSA-2944-1 DLA-0001-1} - gnutls26 2.12.23-16 - gnutls28 3.2.15-1 [squeeze] - gnutls26 2.8.6-1+squeeze4 NOTE: http://radare.today/technical-analysis-of-the-gnutls-hello-vulnerability/ CVE-2014-3465 (The gnutls_x509_dn_oid_name function in lib/x509/common.c in GnuTLS 3. ...) - gnutls26 (Affected code was introduced in 3.0) - gnutls28 3.2.10-1 CVE-2014-3464 (The EJB invocation handler implementation in Red Hat JBossWS, as used ...) NOT-FOR-US: JBoss WS CVE-2014-3463 REJECTED CVE-2013-7382 (VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and e ...) NOT-FOR-US: VICIDIAL CVE-2013-7381 (libnotify before 1.0.4 for Node.js allows remote attackers to execute ...) NOT-FOR-US: libnotify for Node.js CVE-2013-7380 (The Etherpad Lite ep_imageconvert Plugin has a Remote Command Injectio ...) NOT-FOR-US: Etherpad Lite ep_imageconvert Plugin CVE-2013-7379 (The admin API in the tomato module before 0.0.6 for Node.js does not p ...) NOT-FOR-US: tomato module for Node.js CVE-2013-7378 (scripts/email.coffee in the Hubot Scripts module before 2.4.4 for Node ...) NOT-FOR-US: Hubot Scripts module for Node.js CVE-2013-7377 (The codem-transcode module before 0.5.0 for Node.js, when ffprobe is e ...) NOT-FOR-US: codem-transcode Node module CVE-2013-7376 (Multiple cross-site request forgery (CSRF) vulnerabilities in OpenX 2. ...) NOT-FOR-US: OpenX CVE-2014-3800 (XBMC 13.0 uses world-readable permissions for .xbmc/userdata/sources.x ...) NOTE: Starting with 2:13.2+dfsg1-5 xbmc is a transitional package - xbmc 2:13.2+dfsg1-5 (low; bug #747428) [jessie] - xbmc (Minor issue) [wheezy] - xbmc (Minor issue) NOTE: http://trac.xbmc.org/ticket/15198 CVE-2014-3774 (Multiple cross-site scripting (XSS) vulnerabilities in items.php in Te ...) - teampass (bug #730180) NOTE: https://github.com/nilsteampassnet/TeamPass/commit/fd549b245c0f639a8d47bf4f74f92c37c053706f NOTE: https://github.com/nilsteampassnet/TeamPass/commit/8820c8934d9ba0508ac345e73ad0be29049ec6de CVE-2014-3773 (Multiple SQL injection vulnerabilities in TeamPass before 2.1.20 allow ...) - teampass (bug #730180) NOTE: https://github.com/nilsteampassnet/TeamPass/commit/7715512f2bd5659cc69e063a1c513c19e384340f NOTE: https://github.com/nilsteampassnet/TeamPass/commit/7715512f2bd5659cc69e063a1c513c19e384340f NOTE: https://github.com/nilsteampassnet/TeamPass/commit/8820c8934d9ba0508ac345e73ad0be29049ec6de CVE-2014-3772 (TeamPass before 2.1.20 allows remote attackers to bypass access restri ...) - teampass (bug #730180) NOTE: https://github.com/nilsteampassnet/TeamPass/commit/7715512f2bd5659cc69e063a1c513c19e384340f CVE-2014-3771 (TeamPass before 2.1.20 allows remote attackers to bypass access restri ...) - teampass (bug #730180) NOTE: https://github.com/nilsteampassnet/TeamPass/commit/fd549b245c0f639a8d47bf4f74f92c37c053706f CVE-2014-4703 (lib/parse_ini.c in Nagios Plugins 2.0.2 allows local users to obtain s ...) - nagios-plugins (incomplete fix for CVE-2014-4701 not applied) NOTE: check_dhcp is not installed with root suid permissions in Debian NOTE: http://seclists.org/fulldisclosure/2014/Jun/141 NOTE: Introduced due to incomplete fix for CVE-2014-4701 in 2.0.2. - monitoring-plugins (Vulnerable code not present, fix for CVE-2014-4701 adressed differently directly by dropping privileges) CVE-2014-4702 (The check_icmp plugin in Nagios Plugins before 2.0.2 allows local user ...) - nagios-plugins (unimportant) NOTE: http://seclists.org/fulldisclosure/2014/May/74 NOTE: Fixed in nagios-plugins 2.0.2 NOTE: check_imcp is not installed with root suid permissions in Debian - monitoring-plugins (Fixed with initial upload to Debian) NOTE: https://github.com/monitoring-plugins/monitoring-plugins/commit/48025ff39c3a78b7805bf803ac96730cef53e15c CVE-2014-4701 (The check_dhcp plugin in Nagios Plugins before 2.0.2 allows local user ...) - nagios-plugins (unimportant) NOTE: check_dhcp is not installed with root suid permissions in Debian NOTE: http://seclists.org/fulldisclosure/2014/May/74 NOTE: fixed in nagios-plugins 2.0.2 (but needs to be made complete to not open NOTE: CVE-2014-4703) and thus include the fix from 2.0.3 upstream. - monitoring-plugins (Fixed with initial upload to Debian) NOTE: https://github.com/monitoring-plugins/monitoring-plugins/commit/48025ff39c3a78b7805bf803ac96730cef53e15c CVE-2014-3776 (Buffer overflow in the "read-u8vector!" procedure in the srfi-4 unit i ...) - chicken 4.9.0-1 (bug #748904) [squeeze] - chicken (Minor issue) [wheezy] - chicken (Minor issue) NOTE: http://lists.gnu.org/archive/html/chicken-announce/2014-05/msg00001.html NOTE: http://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commit;h=1d06ce7e21c7e903ca5dca11fda6fcf2cc52de5e CVE-2014-3775 (libgadu before 1.11.4 and 1.12.0 before 1.12.0-rc3, as used in Pidgin ...) {DSA-2935-1} - libgadu 1:1.12.0~rc3-1 [squeeze] - libgadu (Vulnerable code not present) CVE-2014-3749 (SQL injection vulnerability in Construtiva CIS Manager allows remote a ...) NOT-FOR-US: Construtiva CIS Manager CMS CVE-2014-3719 (Multiple SQL injection vulnerabilities in cgi-bin/review_m.cgi in Ex L ...) NOT-FOR-US: ALEPH500 Integrated library management system CVE-2014-3717 (Xen 4.4.x does not properly validate the load address for 64-bit ARM g ...) - xen (Only ARM systems are affected from Xen 4.4 onwards) CVE-2014-3716 (Xen 4.4.x does not properly check alignment, which allows local users ...) - xen (Only ARM systems are affected from Xen 4.4 onwards) CVE-2014-3715 (Buffer overflow in Xen 4.4.x allows local users to read system memory ...) - xen (Only ARM systems are affected from Xen 4.4 onwards) CVE-2014-3714 (The ARM image loading functionality in Xen 4.4.x does not properly val ...) - xen (Only ARM systems are affected from Xen 4.4 onwards) CVE-2014-3739 (Open redirect vulnerability in zport/acl_users/cookieAuthHelper/login_ ...) - zenoss (bug #361253) CVE-2014-3738 (Cross-site scripting (XSS) vulnerability in Zenoss 4.2.5 allows remote ...) - zenoss (bug #361253) CVE-2014-3756 (The client in Mumble 1.2.x before 1.2.6 allows remote attackers to for ...) - mumble 1.2.6-1 (bug #748189) [squeeze] - mumble (Minor issue) [wheezy] - mumble 1.2.3-349-g315b5f5-2.2+deb7u2 NOTE: http://mumble.info/security/Mumble-SA-2014-006.txt CVE-2014-3755 (The QSvg module in Qt, as used in the Mumble client 1.2.x before 1.2.6 ...) - mumble 1.2.6-1 (bug #748189) [squeeze] - mumble (Minor issue) [wheezy] - mumble 1.2.3-349-g315b5f5-2.2+deb7u2 NOTE: http://mumble.info/security/Mumble-SA-2014-005.txt CVE-2014-3461 (hw/usb/bus.c in QEMU 1.6.2 allows remote attackers to execute arbitrar ...) - qemu 2.1+dfsg-1 (bug #739589) - qemu-kvm [wheezy] - qemu (Too intrusive to backport, minor risk) [wheezy] - qemu-kvm (Too intrusive to backport, minor risk) [squeeze] - qemu (Unsupported in squeeze-lts) [squeeze] - qemu-kvm (Unsupported in squeeze-lts) NOTE: http://article.gmane.org/gmane.comp.emulators.qemu/272322 CVE-2014-3460 (Directory traversal vulnerability in the DumpToFile method in the NQMc ...) NOT-FOR-US: NetIQ Sentinel CVE-2014-3459 (Heap-based buffer overflow in SolarWinds Network Configuration Manager ...) NOT-FOR-US: SolarWinds Network Configuration Manager CVE-2014-3458 RESERVED CVE-2014-3457 RESERVED CVE-2014-3456 (Cross-site scripting (XSS) vulnerability in GitLab Enterprise Edition ...) NOT-FOR-US: GitLab Enterprise Edition CVE-2014-3455 (Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) ...) NOT-FOR-US: MediaWiki extension SemanticForms CVE-2014-3454 (Cross-site request forgery (CSRF) vulnerability in Special:CreateCateg ...) NOT-FOR-US: MediaWiki extension SemanticForms CVE-2014-3452 (Filters\LAV\avfilter-lav-4.dll in K-lite Codec 10.4.5 and earlier allo ...) NOT-FOR-US: K-lite Codec CVE-2014-3451 (OpenFire XMPP Server before 3.10 accepts self-signed certificates, whi ...) NOT-FOR-US: Openfire CVE-2014-3450 (Unspecified vulnerability in Panda Gold Protection and Global Protecti ...) NOT-FOR-US: Panda CVE-2014-3449 (BSS Continuity CMS 4.2.22640.0 has an Authentication Bypass vulnerabil ...) NOT-FOR-US: BSS Continuity CMS CVE-2014-3448 (BSS Continuity CMS 4.2.22640.0 has a Remote Code Execution vulnerabili ...) NOT-FOR-US: BSS Continuity CMS CVE-2014-3447 (BSS Continuity CMS 4.2.22640.0 has a Remote Denial Of Service vulnerab ...) NOT-FOR-US: BSS Continuity CMS CVE-2014-3446 (SQL injection vulnerability in wcm/system/pages/admin/getnode.aspx in ...) NOT-FOR-US: BSS Continuity CMS CVE-2014-3445 (backup.php in HandsomeWeb SOS Webpages before 1.1.12 does not require ...) NOT-FOR-US: HandsomeWeb SOS Webpages CVE-2014-3730 (The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, ...) {DSA-2934-1} - python-django 1.6.5-1 NOTE: https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/ CVE-2014-XXXX [data leak during restore] - obnam 1.8-1 (low; bug #745112) [wheezy] - obnam (Minor issue) CVE-2014-3462 (The ".encfs6.xml" configuration file in encfs before 1.7.5 allows remo ...) - encfs 1.8.1-1 (low; bug #736066) [jessie] - encfs (Minor issue) [squeeze] - encfs (Minor issue) [wheezy] - encfs (Minor issue) NOTE: Shortcoming documented in 1.7.4-4 NOTE: https://defuse.ca/audits/encfs.htm NOTE: Upstream issue: https://github.com/vgough/encfs/issues/14 CVE-2014-3453 (Eval injection vulnerability in the flag_import_form_validate function ...) NOT-FOR-US: Drupal module CVE-2014-3444 (The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16. ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2014-3443 (JetMPAd.ax in JetAudio 8.1.1 and earlier allows remote attackers to ca ...) NOT-FOR-US: JetAudio CVE-2014-3442 (Winamp 5.666 and earlier allows remote attackers to cause a denial of ...) NOT-FOR-US: Winamp CVE-2014-3441 (codec\libpng_plugin.dll in VideoLAN VLC Media Player 2.1.3 allows remo ...) - vlc (VLC in Debian uses the system version of libpng which handles the malformed file correctly as invalid) NOTE: http://packetstormsecurity.com/files/126564/VLC-Player-2.1.3-Memory-Corruption.html CVE-2014-3440 (The Agent Control Interface in the management server in Symantec Criti ...) NOT-FOR-US: Symantec CVE-2014-3439 (ConsoleServlet in Symantec Endpoint Protection Manager (SEPM) 12.1 bef ...) NOT-FOR-US: Symantec Endpoint Protection CVE-2014-3438 (Multiple cross-site scripting (XSS) vulnerabilities in console interfa ...) NOT-FOR-US: Symantec Endpoint Protection CVE-2014-3437 (The management console in Symantec Endpoint Protection Manager (SEPM) ...) NOT-FOR-US: Symantec Endpoint Protection CVE-2014-3436 (Symantec Encryption Desktop 10.3.x before 10.3.2 MP3, and Symantec PGP ...) NOT-FOR-US: Symantec CVE-2014-3435 REJECTED CVE-2014-3434 (Buffer overflow in the sysplant driver in Symantec Endpoint Protection ...) NOT-FOR-US: Symantec CVE-2014-3433 (Cross-site scripting (XSS) vulnerability in the management console in ...) NOT-FOR-US: Symantec CVE-2014-3432 (Cross-site scripting (XSS) vulnerability in the management console in ...) NOT-FOR-US: Symantec CVE-2014-3431 (Symantec PGP Desktop 10.x, and Encryption Desktop Professional 10.3.x ...) NOT-FOR-US: Symantec PGP Desktop CVE-2014-3429 (IPython Notebook 0.12 through 1.x before 1.2 does not validate the ori ...) - ipython 1.2.0~rc1-1 (low) [wheezy] - ipython 0.13.1-2+deb7u1 [squeeze] - ipython (Vulnerable code not present) NOTE: https://github.com/ipython/ipython/pull/4845 CVE-2014-3428 (Cross-site scripting (XSS) vulnerability in Yealink VoIP Phones with f ...) NOT-FOR-US: Yealink VoIP Phones CVE-2014-3427 (CRLF injection vulnerability in Yealink VoIP Phones with firmware 28.7 ...) NOT-FOR-US: Yealink VoIP Phones CVE-2014-3420 RESERVED CVE-2014-3419 (Infoblox NetMRI before 6.8.5 has a default password of admin for the " ...) NOT-FOR-US: Infoblox NetMRI CVE-2014-3418 (config/userAdmin/login.tdf in Infoblox NetMRI before 6.8.5 allows remo ...) NOT-FOR-US: Infoblox NetMRI CVE-2014-3417 (uPortal before 4.0.13.1 does not properly check the CONFIG permission, ...) NOT-FOR-US: uPortal CVE-2014-3416 (uPortal before 4.0.13.1 does not properly check the MANAGE permissions ...) NOT-FOR-US: uPortal CVE-2014-3415 (SQL injection vulnerability in Sharetronix before 3.4 allows remote au ...) NOT-FOR-US: Sharetronix CVE-2014-3414 (Cross-site request forgery (CSRF) vulnerability in Sharetronix before ...) NOT-FOR-US: Sharetronix CVE-2014-3413 (The MySQL server in Juniper Networks Junos Space before 13.3R1.8 has a ...) NOT-FOR-US: Juniper CVE-2014-3412 (Unspecified vulnerability in Juniper Junos Space before 13.3R1.8, when ...) NOT-FOR-US: Juniper Junos Space CVE-2014-3411 (Unspecified vulnerability in the NSM XDB service in Juniper NSM before ...) NOT-FOR-US: Juniper NSM CVE-2014-3410 (The syslog-management subsystem in Cisco Adaptive Security Appliance ( ...) NOT-FOR-US: Cisco CVE-2014-3409 (The Ethernet Connectivity Fault Management (CFM) handling feature in C ...) NOT-FOR-US: Cisco IOS CVE-2014-3408 (Cross-site scripting (XSS) vulnerability in the web framework in Cisco ...) NOT-FOR-US: Cisco Prime Optical CVE-2014-3407 (The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) ...) NOT-FOR-US: Cisco CVE-2014-3406 (Race condition in the IP logging feature in Cisco Intrusion Prevention ...) NOT-FOR-US: Cisco Intrusion Prevention System CVE-2014-3405 (Cisco IOS XE enables the IPv6 Routing Protocol for Low-Power and Lossy ...) NOT-FOR-US: Cisco IOS CVE-2014-3404 (The Autonomic Networking Infrastructure (ANI) component in Cisco IOS X ...) NOT-FOR-US: Cisco IOS CVE-2014-3403 (The Autonomic Networking Infrastructure (ANI) component in Cisco IOS X ...) NOT-FOR-US: Cisco IOS CVE-2014-3402 (The authentication-manager process in the web framework in Cisco Intru ...) NOT-FOR-US: Cisco Intrusion Prevention System CVE-2014-3401 RESERVED CVE-2014-3400 (Cisco WebEx Meetings Server allows remote authenticated users to obtai ...) NOT-FOR-US: Cisco WebEx CVE-2014-3399 (The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2014-3398 (The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2014-3397 (The network stack in Cisco TelePresence MCU Software before 4.3(2.30) ...) NOT-FOR-US: TelePresence MCU CVE-2014-3396 (Cisco IOS XR on ASR 9000 devices does not properly use compression for ...) NOT-FOR-US: Cisco IOS CVE-2014-3395 (Cisco WebEx Meetings Server (WMS) 2.5 allows remote attackers to trigg ...) NOT-FOR-US: Cisco WebEx Meetings Server CVE-2014-3394 (The Smart Call Home (SCH) implementation in Cisco ASA Software 8.2 bef ...) NOT-FOR-US: Cisco ASA CVE-2014-3393 (The Clientless SSL VPN portal customization framework in Cisco ASA Sof ...) NOT-FOR-US: Cisco ASA CVE-2014-3392 (The Clientless SSL VPN portal in Cisco ASA Software 8.2 before 8.2(5.5 ...) NOT-FOR-US: Cisco ASA CVE-2014-3391 (Untrusted search path vulnerability in Cisco ASA Software 8.x before 8 ...) NOT-FOR-US: Cisco ASA CVE-2014-3390 (The Virtual Network Management Center (VNMC) policy implementation in ...) NOT-FOR-US: Cisco ASA CVE-2014-3389 (The VPN implementation in Cisco ASA Software 7.2 before 7.2(5.15), 8.2 ...) NOT-FOR-US: Cisco ASA CVE-2014-3388 (The DNS inspection engine in Cisco ASA Software 9.0 before 9.0(4.13), ...) NOT-FOR-US: Cisco ASA CVE-2014-3387 (The SunRPC inspection engine in Cisco ASA Software 7.2 before 7.2(5.14 ...) NOT-FOR-US: Cisco ASA CVE-2014-3386 (The GPRS Tunneling Protocol (GTP) inspection engine in Cisco ASA Softw ...) NOT-FOR-US: Cisco ASA CVE-2014-3385 (Race condition in the Health and Performance Monitoring (HPM) for ASDM ...) NOT-FOR-US: Cisco ASA CVE-2014-3384 (The IKEv2 implementation in Cisco ASA Software 8.4 before 8.4(7.15), 8 ...) NOT-FOR-US: Cisco ASA CVE-2014-3383 (The IKE implementation in the VPN component in Cisco ASA Software 9.1 ...) NOT-FOR-US: Cisco ASA CVE-2014-3382 (The SQL*Net inspection engine in Cisco ASA Software 7.2 before 7.2(5.1 ...) NOT-FOR-US: Cisco ASA CVE-2014-3381 (The ZIP inspection engine in Cisco AsyncOS 8.5 and earlier on the Cisc ...) NOT-FOR-US: Cisco AsyncOS CVE-2014-3380 (Cisco Unified Communications Domain Manager Platform Software 4.4(.3) ...) NOT-FOR-US: Cisco Unified Communications CVE-2014-3379 (Cisco IOS XR 5.1 and earlier on Network Convergence System 6000 device ...) NOT-FOR-US: Cisco IOS CVE-2014-3378 (tacacsd in Cisco IOS XR 5.1 and earlier allows remote attackers to cau ...) NOT-FOR-US: Cisco IOS CVE-2014-3377 (snmpd in Cisco IOS XR 5.1 and earlier allows remote authenticated user ...) NOT-FOR-US: Cisco IOS CVE-2014-3376 (Cisco IOS XR 5.1 and earlier allows remote attackers to cause a denial ...) NOT-FOR-US: Cisco IOS CVE-2014-3375 (Multiple cross-site scripting (XSS) vulnerabilities in the CCM Service ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-3374 (Multiple cross-site scripting (XSS) vulnerabilities in the CCM admin i ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-3373 (Multiple cross-site scripting (XSS) vulnerabilities in the CCM Dialed ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-3372 (Multiple cross-site scripting (XSS) vulnerabilities in the CCM reports ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-3371 REJECTED CVE-2014-3370 (Cisco TelePresence Video Communication Server (VCS) and Expressway Sof ...) NOT-FOR-US: Cisco TelePresence CVE-2014-3369 (The SIP IX implementation in Cisco TelePresence Video Communication Se ...) NOT-FOR-US: Cisco TelePresence CVE-2014-3368 (Cisco TelePresence Video Communication Server (VCS) and Expressway Sof ...) NOT-FOR-US: Cisco TelePresence CVE-2014-3367 (Cross-site scripting (XSS) vulnerability in the vCloud Director compon ...) NOT-FOR-US: Cisco CVE-2014-3366 (SQL injection vulnerability in the administrative web interface in Cis ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-3365 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco Prime Sec ...) NOT-FOR-US: Cisco Prime Security Manager CVE-2014-3364 (Multiple cross-site scripting (XSS) vulnerabilities in the web framewo ...) NOT-FOR-US: Cisco CVE-2014-3363 (Cross-site scripting (XSS) vulnerability in the web framework in Cisco ...) NOT-FOR-US: Cisco CVE-2014-3362 (Memory leak in Cisco TelePresence System Edge MXP Series Software F9.3 ...) NOT-FOR-US: Cisco CVE-2014-3361 (The ALG module in Cisco IOS 15.0 through 15.4 does not properly implem ...) NOT-FOR-US: Cisco IOS CVE-2014-3360 (Cisco IOS 12.4 and 15.0 through 15.4 and IOS XE 3.1.xS, 3.2.xS, 3.3.xS ...) NOT-FOR-US: Cisco IOS CVE-2014-3359 (Memory leak in Cisco IOS 15.1 through 15.4 and IOS XE 3.4.xS, 3.5.xS, ...) NOT-FOR-US: Cisco IOS CVE-2014-3358 (Memory leak in Cisco IOS 15.0, 15.1, 15.2, and 15.4 and IOS XE 3.3.xSE ...) NOT-FOR-US: Cisco IOS CVE-2014-3357 (Cisco IOS 15.0, 15.1, 15.2, and 15.4 and IOS XE 3.3.xSE before 3.3.2SE ...) NOT-FOR-US: Cisco IOS CVE-2014-3356 (The metadata flow feature in Cisco IOS 15.1 through 15.3 and IOS XE 3. ...) NOT-FOR-US: Cisco IOS CVE-2014-3355 (The metadata flow feature in Cisco IOS 15.1 through 15.3 and IOS XE 3. ...) NOT-FOR-US: Cisco IOS CVE-2014-3354 (Cisco IOS 12.0, 12.2, 12.4, 15.0, 15.1, 15.2, and 15.3 and IOS XE 2.x ...) NOT-FOR-US: Cisco IOS CVE-2014-3353 (Cisco IOS XR 4.3(.2) and earlier, as used in Cisco Carrier Routing Sys ...) NOT-FOR-US: Cisco CVE-2014-3352 (Cisco Intelligent Automation for Cloud (aka Cisco Cloud Portal) 2008.3 ...) NOT-FOR-US: Cisco CVE-2014-3351 (Cisco Intelligent Automation for Cloud (aka Cisco Cloud Portal) does n ...) NOT-FOR-US: Cisco CVE-2014-3350 (Cisco Intelligent Automation for Cloud (aka Cisco Cloud Portal) does n ...) NOT-FOR-US: Cisco CVE-2014-3349 (Cisco Intelligent Automation for Cloud (aka Cisco Cloud Portal) does n ...) NOT-FOR-US: Cisco CVE-2014-3348 (The SSH module in the Integrated Management Controller (IMC) before 2. ...) NOT-FOR-US: Cisco Unified Computing System CVE-2014-3347 (Cisco IOS 15.1(4)M2 on Cisco 1800 ISR devices, when the ISDN Basic Rat ...) NOT-FOR-US: Cisco CVE-2014-3346 (The web framework in Cisco Transport Gateway for Smart Call Home (aka ...) NOT-FOR-US: Cisco CVE-2014-3345 (The web framework in Cisco Transport Gateway for Smart Call Home (aka ...) NOT-FOR-US: Cisco CVE-2014-3344 (Multiple cross-site scripting (XSS) vulnerabilities in the web framewo ...) NOT-FOR-US: Cisco CVE-2014-3343 (Cisco IOS XR 5.1 allows remote attackers to cause a denial of service ...) NOT-FOR-US: Cisco CVE-2014-3342 (The CLI in Cisco IOS XR allows remote authenticated users to obtain se ...) NOT-FOR-US: Cisco CVE-2014-3341 (The SNMP module in Cisco NX-OS 7.0(3)N1(1) and earlier on Nexus 5000 a ...) NOT-FOR-US: Cisco NX-OS CVE-2014-3340 (Directory traversal vulnerability in an unspecified PHP script in the ...) NOT-FOR-US: Cisco CVE-2014-3339 (Multiple SQL injection vulnerabilities in the administrative web inter ...) NOT-FOR-US: Cisco CVE-2014-3338 (The CTIManager module in Cisco Unified Communications Manager (CM) 10. ...) NOT-FOR-US: Cisco CVE-2014-3337 (The SIP implementation in Cisco Unified Communications Manager (CM) 8. ...) NOT-FOR-US: Cisco CVE-2014-3336 (SQL injection vulnerability in the web framework in Cisco Unity Connec ...) NOT-FOR-US: Cisco CVE-2014-3335 (Cisco IOS XR 4.3(.2) and earlier on ASR 9000 devices does not properly ...) NOT-FOR-US: Cisco CVE-2014-3334 REJECTED CVE-2014-3333 (The server in Cisco Unity Connection 9.1(1) and 9.1(2) allows remote a ...) NOT-FOR-US: Cisco CVE-2014-3332 (Cisco Unified Communications Manager (CM) 8.6(.2) and earlier has an i ...) NOT-FOR-US: Cisco CVE-2014-3331 (The Session Manager component in Packet Data Network Gateway (aka PGW) ...) NOT-FOR-US: Cisco CVE-2014-3330 (Cisco NX-OS 6.1(2)I2(1) on Nexus 9000 switches does not properly proce ...) NOT-FOR-US: Cisco CVE-2014-3329 (Cross-site scripting (XSS) vulnerability in the web-server component i ...) NOT-FOR-US: Cisco Prime Data Center Network Manager CVE-2014-3328 (The Intercluster Sync Agent Service in Cisco Unified Presence Server a ...) NOT-FOR-US: Cisco Unified Presence Server CVE-2014-3327 (The EnergyWise module in Cisco IOS 12.2, 15.0, 15.1, 15.2, and 15.4 an ...) NOT-FOR-US: Cisco CVE-2014-3326 (SQL injection vulnerability in the web framework in Cisco Security Man ...) NOT-FOR-US: Cisco Security Manager CVE-2014-3325 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco Unified C ...) NOT-FOR-US: Cisco CVE-2014-3324 (Multiple cross-site scripting (XSS) vulnerabilities in the login page ...) NOT-FOR-US: Cisco TelePrecence Server CVE-2014-3323 (Directory traversal vulnerability in Cisco Unified Contact Center Ente ...) NOT-FOR-US: Cisco CVE-2014-3322 (Cisco IOS XR 4.3(.2) and earlier on ASR 9000 devices does not properly ...) NOT-FOR-US: Cisco IOS CVE-2014-3321 (Cisco IOS XR 4.3.4 and earlier on ASR 9000 devices, when bridge-group ...) NOT-FOR-US: Cisco CVE-2014-3320 (Multiple open redirect vulnerabilities in the admin web interface in t ...) NOT-FOR-US: Cisco CVE-2014-3319 (Directory traversal vulnerability in the Real-Time Monitoring Tool (RT ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-3318 (Directory traversal vulnerability in dna/viewfilecontents.do in the Di ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-3317 (Directory traversal vulnerability in the Multiple Analyzer in the Dial ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-3316 (The Multiple Analyzer in the Dialed Number Analyzer (DNA) component in ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-3315 (Cross-site scripting (XSS) vulnerability in viewfilecontents.do in the ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-3314 (Cisco AnyConnect on Android and OS X does not properly verify the host ...) NOT-FOR-US: Cisco AnyConnect CVE-2014-3313 (Cross-site scripting (XSS) vulnerability in the web user interface on ...) NOT-FOR-US: Cisco Small Business phones CVE-2014-3312 (The debug console interface on Cisco Small Business SPA300 and SPA500 ...) NOT-FOR-US: Cisco Small Business phones CVE-2014-3311 (Heap-based buffer overflow in the file-sharing feature in WebEx Meetin ...) NOT-FOR-US: Cisco WebEx CVE-2014-3310 (The File Transfer feature in WebEx Meetings Client in Cisco WebEx Meet ...) NOT-FOR-US: Cisco WebEx CVE-2014-3309 (The NTP implementation in Cisco IOS and IOS XE does not properly suppo ...) NOT-FOR-US: Cisco WebEx CVE-2014-3308 (Cisco IOS XR on Trident line cards in ASR 9000 devices lacks a static ...) NOT-FOR-US: Cisco IOS XR CVE-2014-3307 (The DHCP client implementation in Universal Small Cell firmware on Cis ...) NOT-FOR-US: Cisco Small Cell CVE-2014-3306 (The web server on Cisco DPC3010, DPC3212, DPC3825, DPC3925, DPQ3925, E ...) NOT-FOR-US: Cisco CVE-2014-3305 (Cross-site request forgery (CSRF) vulnerability in the web framework i ...) NOT-FOR-US: Cisco WebEx Meetings Server CVE-2014-3304 (The OutlookAction Class in Cisco WebEx Meetings Server allows remote a ...) NOT-FOR-US: Cisco WebEx Meetings Server CVE-2014-3303 (The web framework in Cisco WebEx Meetings Server does not properly res ...) NOT-FOR-US: Cisco WebEx Meetings Server CVE-2014-3302 (user.php in Cisco WebEx Meetings Server 1.5(.1.131) and earlier does n ...) NOT-FOR-US: Cisco CVE-2014-3301 (The ProfileAction controller in Cisco WebEx Meetings Server (CWMS) 1.5 ...) NOT-FOR-US: Cisco WebEx Meetings Server CVE-2014-3300 (The BVSMWeb portal in the web framework in Cisco Unified Communication ...) NOT-FOR-US: Cisco Unified Communications Domain Manager CVE-2014-3299 (Cisco IOS allows remote authenticated users to cause a denial of servi ...) NOT-FOR-US: Cisco IOS CVE-2014-3298 (Form Data Viewer in Cisco Intelligent Automation for Cloud in Cisco Cl ...) NOT-FOR-US: Cisco CVE-2014-3297 (Cisco Intelligent Automation for Cloud in Cisco Cloud Portal does not ...) NOT-FOR-US: Cisco CVE-2014-3296 (The XML programmatic interface (XML PI) in Cisco WebEx Meeting Server ...) NOT-FOR-US: Cisco WebEx CVE-2014-3295 (The HSRP implementation in Cisco NX-OS 6.2(2a) and earlier allows remo ...) NOT-FOR-US: Cisco NX-OS CVE-2014-3294 (Cisco WebEx Meeting Server does not properly restrict the content of U ...) NOT-FOR-US: Cisco WebEx Meeting Server CVE-2014-3293 (Cisco IOS 15.4(3)S0b on ASR901 devices makes incorrect decisions to us ...) NOT-FOR-US: Cisco IOS CVE-2014-3292 (The Real Time Monitoring Tool (RTMT) implementation in Cisco Unified C ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-3291 (Cisco Wireless LAN Controller (WLC) devices allow remote attackers to ...) NOT-FOR-US: Cisco Wireless LAN Controller CVE-2014-3290 (The mDNS implementation in Cisco IOS XE 3.12S does not properly intera ...) NOT-FOR-US: Cisco IOS XE CVE-2014-3289 (Cross-site scripting (XSS) vulnerability in the web management interfa ...) NOT-FOR-US: Cisco CVE-2014-3288 RESERVED CVE-2014-3287 (SQL injection vulnerability in BulkViewFileContentsAction.java in the ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-3286 (The web framework in Cisco WebEx Meeting Server does not properly rest ...) NOT-FOR-US: Cisco WebEx Meeting Server CVE-2014-3285 (Cisco Wide Area Application Services (WAAS) 5.3(.5a) and earlier, when ...) NOT-FOR-US: Cisco Wide Area Application Services CVE-2014-3284 (Cisco IOS XE on ASR1000 devices, when PPPoE termination is enabled, al ...) NOT-FOR-US: Cisco IOS CVE-2014-3283 (Open redirect vulnerability in Self-Care Client Portal applications in ...) NOT-FOR-US: Cisco Unified Communications Domain Manager CVE-2014-3282 (The Administration GUI in the web framework in VOSS in Cisco Unified C ...) NOT-FOR-US: Cisco Unified Communications Domain Manager CVE-2014-3281 (The web framework in VOSS in Cisco Unified Communications Domain Manag ...) NOT-FOR-US: Cisco Unified Communications Domain Manager CVE-2014-3280 (The web framework in VOSS in Cisco Unified Communications Domain Manag ...) NOT-FOR-US: Cisco Unified Communications Domain Manager CVE-2014-3279 (The Administration GUI in the web framework in VOSS in Cisco Unified C ...) NOT-FOR-US: Cisco Unified Communications Domain Manager CVE-2014-3278 (The web framework in VOSS in Cisco Unified Communications Domain Manag ...) NOT-FOR-US: Cisco Unified Communications CVE-2014-3277 (The Administration GUI in the web framework in VOSS in Cisco Unified C ...) NOT-FOR-US: Cisco Unified Communications Domain Manager CVE-2014-3276 (Cisco Identity Services Engine (ISE) 1.2(.1 patch 2) and earlier does ...) NOT-FOR-US: Cisco Identity Services Engine CVE-2014-3275 (SQL injection vulnerability in the web framework in Cisco Identity Ser ...) NOT-FOR-US: Cisco Identity Services Engine CVE-2014-3274 (Cisco TelePresence System (CTS) 6.0(.5)(5) and earlier falls back to H ...) NOT-FOR-US: Cisco TelePresence CVE-2014-3273 (The LLDP implementation in Cisco IOS allows remote attackers to cause ...) NOT-FOR-US: Cisco IOS CVE-2014-3272 (The Agent in Cisco Tidal Enterprise Scheduler (TES) 6.1 and earlier al ...) NOT-FOR-US: Cisco CVE-2014-3271 (The DHCPv6 implementation in Cisco IOS XR allows remote attackers to c ...) NOT-FOR-US: Cisco IOS XR CVE-2014-3270 (The DHCPv6 implementation in Cisco IOS XR allows remote attackers to c ...) NOT-FOR-US: Cisco IOS XR CVE-2014-3269 (The SNMP module in Cisco IOS XE 3.5E allows remote authenticated users ...) NOT-FOR-US: Cisco IOS XE CVE-2014-3268 (Cisco IOS 15.2(4)M4 on Cisco Unified Border Element (CUBE) devices all ...) NOT-FOR-US: Cisco Unified Border Element CVE-2014-3267 (Cross-site request forgery (CSRF) vulnerability in the web framework i ...) NOT-FOR-US: Cisco Security Manager CVE-2014-3266 (Cross-site scripting (XSS) vulnerability in the web framework in Cisco ...) NOT-FOR-US: Cisco Security Manager CVE-2014-3265 (Cross-site scripting (XSS) vulnerability in the Auto Update Server (AU ...) NOT-FOR-US: Cisco Security Manager CVE-2014-3264 (Cisco Adaptive Security Appliance (ASA) Software 9.1(.5) and earlier a ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2014-3263 (The ScanSafe module in Cisco IOS 15.3(3)M allows remote attackers to c ...) NOT-FOR-US: Cisco IOS CVE-2014-3262 (The Locator/ID Separation Protocol (LISP) implementation in Cisco IOS ...) NOT-FOR-US: Cisco IOS CVE-2014-3261 (Buffer overflow in the Smart Call Home implementation in Cisco NX-OS o ...) NOT-FOR-US: Cisco NX-OS CVE-2014-3260 (Pacom 1000 CCU and RTU GMS devices allow remote attackers to spoof the ...) NOT-FOR-US: Pacom CVE-2014-3259 RESERVED CVE-2014-3258 RESERVED CVE-2014-3257 RESERVED CVE-2014-3256 RESERVED CVE-2014-3255 RESERVED CVE-2014-3254 RESERVED CVE-2014-3253 RESERVED CVE-2014-3252 RESERVED CVE-2014-3251 (The MCollective aes_security plugin, as used in Puppet Enterprise befo ...) - mcollective 2.6.0+dfsg-1 (low; bug #758701) [wheezy] - mcollective (Minor issue) NOTE: Mcollective are not configured to use the plugin and are not vulnerable by default. NOTE: http://puppetlabs.com/security/cve/cve-2014-3251 CVE-2014-3250 (The default vhost configuration file in Puppet before 3.6.2 does not i ...) - puppet 3.7.0-1 (low) [squeeze] - puppet (Only exploitable in combination with Apache 2.4) [wheezy] - puppet (Only exploitable in combination with Apache 2.4) NOTE: http://puppetlabs.com/security/cve/CVE-2014-3250 CVE-2014-3249 (Puppet Enterprise 2.8.x before 2.8.7 allows remote attackers to obtain ...) - puppet (Only affects Puppet Enterprise) NOTE: http://puppetlabs.com/security/cve/cve-2014-3249 CVE-2014-3248 (Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2. ...) - puppet 3.7.0-1 (low) [wheezy] - puppet (Minor issue) [squeeze] - puppet (Minor issue) - hiera 1.3.4-1 (low) - ruby-hiera (low) [wheezy] - ruby-hiera (Minor issue) - facter 2.0.1-1 (low) [wheezy] - facter (Minor issue) [squeeze] - facter (Minor issue) - mcollective 2.5.2+dfsg-1 (low) [wheezy] - mcollective (Minor issue) NOTE: http://puppetlabs.com/security/cve/cve-2014-3248 NOTE: problem in combination with ruby <= 1.9.1 CVE-2014-3247 (Cross-site scripting (XSS) vulnerability in Collabtive 1.2 allows remo ...) - collabtive 2.0+dfsg-1 (bug #748828) [wheezy] - collabtive (Minor issue) CVE-2014-3246 (SQL injection vulnerability in Collabtive 1.2 allows remote authentica ...) - collabtive 1.2+dfsg-2 (bug #748828) [wheezy] - collabtive (Minor issue) CVE-2014-3245 RESERVED CVE-2014-3244 (XML external entity (XXE) vulnerability in the RSSDashlet dashlet in S ...) NOT-FOR-US: SugarCRM CVE-2014-3241 RESERVED CVE-2014-3240 RESERVED CVE-2014-3239 RESERVED CVE-2014-3238 RESERVED CVE-2014-3237 RESERVED CVE-2014-3236 RESERVED CVE-2014-3235 RESERVED CVE-2014-3234 RESERVED CVE-2014-3233 RESERVED CVE-2014-3232 RESERVED CVE-2014-3231 RESERVED CVE-2014-3229 RESERVED CVE-2014-3228 RESERVED CVE-2014-3227 (dpkg 1.15.9, 1.16.x before 1.16.14, and 1.17.x before 1.17.9 expect th ...) {DSA-2915-2} - dpkg 1.17.9 CVE-2014-3226 RESERVED CVE-2014-3224 (Huawei Quidway S9700 V200R003C00SPC500, Quidway S9300 V200R003C00SPC50 ...) NOT-FOR-US: Huawei CVE-2014-3223 (Huawei S9300 with software before V100R006SPH013 and S2300,S3300,S5300 ...) NOT-FOR-US: Huawei CVE-2014-3222 (In Huawei eSpace Meeting with software V100R001C03SPC201 and the earli ...) NOT-FOR-US: Huawei CVE-2014-3221 (Huawei Eudemon8000E firewall with software V200R001C01SPC800 and earli ...) NOT-FOR-US: Huawei CVE-2014-3220 (F5 BIG-IQ Cloud and Security 4.0.0 through 4.1.0 allows remote authent ...) NOT-FOR-US: F5 BIG-IQ CVE-2013-7383 (x2gocleansessions in X2Go Server before 4.0.0.8 and 4.0.1.x before 4.0 ...) - x2goserver (Fixed with first upload to Debian) NOTE: Fixed by: http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=5a2aa0c36ef7a57d87e3bb6f7c6b2558ed5430f7 (4.0.1.10) NOTE: Fixed by: http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=b03665513ab1969b069c1351fe17cbb8b5fca256 (4.0.0.8) NOTE: Fixed by: http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=8347d3fef0e5cbabe4aa48f503612fa7b9d078f8 (4.0.0.8) NOTE: Fixed by: http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=bf44925ecccda436caa1cfc34f89eced9c1bd104 (4.0.0.8) CVE-2013-7375 (SQL injection vulnerability in includes/classes/Authenticate.class.php ...) NOT-FOR-US: PHP-Fusion CVE-2014-3145 (The BPF_S_ANC_NLATTR_NEST extension implementation in the sk_run_filte ...) {DSA-2949-1 DLA-0015-1} - linux 3.14.4-1 - linux-2.6 [squeeze] - linux-2.6 2.6.32-48squeeze8 NOTE: Upstream fix https://git.kernel.org/linus/05ab8f2647e4221cbdb3856dd7d32bd5407316b3 NOTE: Introduced by https://git.kernel.org/linus/4738c1db1593687713869fa69e733eebc7b0d6d8 NOTE: https://git.kernel.org/linus/d214c7537bbf2f247991fb65b3420b0b3d712c67 CVE-2014-3144 (The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST extension imple ...) {DSA-2949-1 DLA-0015-1} - linux 3.14.4-1 - linux-2.6 [squeeze] - linux-2.6 2.6.32-48squeeze8 NOTE: Upstream fix https://git.kernel.org/linus/05ab8f2647e4221cbdb3856dd7d32bd5407316b3 NOTE: Introduced by https://git.kernel.org/linus/4738c1db1593687713869fa69e733eebc7b0d6d8 NOTE: https://git.kernel.org/linus/d214c7537bbf2f247991fb65b3420b0b3d712c67 CVE-2014-3430 (Dovecot 1.1 before 2.2.13 and dovecot-ee before 2.1.7.7 and 2.2.x befo ...) {DSA-2954-1 DLA-0004-1} - dovecot 1:2.2.13~rc1-1 (low; bug #747549) [squeeze] - dovecot 1:1.2.15-7+deb6u1 NOTE: http://permalink.gmane.org/gmane.mail.imap.dovecot/77499 CVE-2014-3426 (NCSA Mosaic 2.1 through 2.7b5 allows local users to cause a denial of ...) NOT-FOR-US: NCSA Mosaic CVE-2014-3425 (NCSA Mosaic 2.0 and earlier allows local users to cause a denial of se ...) NOT-FOR-US: NCSA Mosaic CVE-2014-3424 (lisp/net/tramp-sh.el in GNU Emacs 24.3 and earlier allows local users ...) - emacs23 (bug #747100) [wheezy] - emacs23 (Minor issue) [squeeze] - emacs23 (Minor issue) - emacs24 24.3+1-4 - xemacs21-packages (Vulnerable code not present) NOTE: http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00060.html CVE-2014-3423 (lisp/net/browse-url.el in GNU Emacs 24.3 and earlier allows local user ...) - emacs23 (bug #747100) [wheezy] - emacs23 (Minor issue) [squeeze] - emacs23 (Minor issue) - emacs24 24.3+1-4 - xemacs21-packages (Vulnerable code not present) NOTE: http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00057.html CVE-2014-3422 (lisp/emacs-lisp/find-gc.el in GNU Emacs 24.3 and earlier allows local ...) - emacs23 (bug #747100) [wheezy] - emacs23 (Minor issue) [squeeze] - emacs23 (Minor issue) - emacs24 24.3+1-4 - xemacs21-packages (Vulnerable code not present) NOTE: http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00056.html CVE-2014-3421 (lisp/gnus/gnus-fun.el in GNU Emacs 24.3 and earlier allows local users ...) - emacs23 (bug #747100) [wheezy] - emacs23 (Minor issue) [squeeze] - emacs23 (Minor issue) - emacs24 24.3+1-4 NOTE: http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00055.html CVE-2014-9091 (Icecast before 2.4.0 does not change the supplementary group privilege ...) - icecast2 2.4.0-1 (low) [squeeze] - icecast2 (Minor issue) [wheezy] - icecast2 (Minor issue) NOTE: https://trac.xiph.org/changeset/19137/ CVE-2014-3243 (SOAPpy 0.12.5 does not properly detect recursion during entity expansi ...) - python-soappy 0.12.22-1 (low; bug #747280) [squeeze] - python-soappy (Minor issue) [wheezy] - python-soappy (Minor issue) NOTE: http://www.pnigos.com/?p=260 CVE-2014-3242 (SOAPpy 0.12.5 allows remote attackers to read arbitrary files via a SO ...) - python-soappy 0.12.22-1 (low; bug #747280) [squeeze] - python-soappy (Minor issue) [wheezy] - python-soappy (Minor issue) NOTE: http://www.pnigos.com/?p=260 CVE-2014-3225 (Absolute path traversal vulnerability in the web interface in Cobbler ...) - cobbler (Fixed before initial upload) CVE-2014-3219 (fish before 2.1.1 allows local users to write to arbitrary files via a ...) - fish 2.1.1-1 (low; bug #746259) [squeeze] - fish (Minor issue) [wheezy] - fish (Minor issue) CVE-2014-3218 RESERVED CVE-2014-3217 RESERVED CVE-2014-3216 (GOM Media Player 2.2.57.5189 and earlier allows remote attackers to ca ...) NOT-FOR-US: Gretech GOM Media Player CVE-2014-3215 (seunshare in policycoreutils 2.2.5 is owned by root with 4755 permissi ...) - policycoreutils (seunshare not enabled/built in Debian) CVE-2014-3214 (The prefetch implementation in named in ISC BIND 9.10.0, when a recurs ...) - bind9 (prefetch option introduced in BIND 9.10.0b1) NOTE: https://kb.isc.org/article/AA-01161 CVE-2014-3213 RESERVED CVE-2014-3212 RESERVED CVE-2014-3211 (Publify before 8.0.1 is vulnerable to a Denial of Service attack ...) NOT-FOR-US: Publify CVE-2014-3210 (SQL injection vulnerability in dopbs-backend-forms.php in the Booking ...) NOT-FOR-US: WordPress plugin Booking System CVE-2014-3208 (A Denial of Service vulnerability exists in askpop3d 0.7.7 in free (ps ...) NOT-FOR-US: askpop3d CVE-2014-3206 (Seagate BlackArmor NAS allows remote attackers to execute arbitrary co ...) NOT-FOR-US: Seagate CVE-2014-3205 (backupmgt/pre_connect_check.php in Seagate BlackArmor NAS contains a h ...) NOT-FOR-US: Seagate CVE-2014-3204 (Unity before 7.2.1, as used in Ubuntu 14.04, does not properly handle ...) NOT-FOR-US: Unity CVE-2014-3203 (Unity before 7.2.1, as used in Ubuntu 14.04, does not properly restric ...) NOT-FOR-US: Unity CVE-2014-3202 (Unity before 7.2.1 does not properly handle entry activation, which al ...) NOT-FOR-US: Unity CVE-2014-3201 (core/rendering/compositing/RenderLayerCompositor.cpp in Blink, as used ...) - chromium-browser 39.0.2171.71-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-3200 (Multiple unspecified vulnerabilities in Google Chrome before 38.0.2125 ...) - chromium-browser 38.0.2125.101-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-3199 (The wrap function in bindings/core/v8/custom/V8EventCustom.cpp in the ...) - libv8 [wheezy] - libv8 (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 (Unsupported in squeeze-lts) - libv8-3.14 (unimportant; bug #773671) - chromium-browser 38.0.2125.101-1 [wheezy] - chromium-browser [squeeze] - chromium-browser NOTE: libv8 not covered by security support CVE-2014-3198 (The Instance::HandleInputEvent function in pdf/instance.cc in the PDFi ...) - chromium-browser 38.0.2125.101-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-3197 (The NavigationScheduler::schedulePageBlock function in core/loader/Nav ...) - chromium-browser 38.0.2125.101-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-3196 (base/memory/shared_memory_win.cc in Google Chrome before 38.0.2125.101 ...) - chromium-browser (Only affects Windows) CVE-2014-3195 (Google V8, as used in Google Chrome before 38.0.2125.101, does not pro ...) - libv8 [wheezy] - libv8 (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 (Unsupported in squeeze-lts) - libv8-3.14 (unimportant; bug #773671) - chromium-browser 38.0.2125.101-1 [wheezy] - chromium-browser [squeeze] - chromium-browser NOTE: libv8 not covered by security support CVE-2014-3194 (Use-after-free vulnerability in the Web Workers implementation in Goog ...) - chromium-browser 38.0.2125.101-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-3193 (The SessionService::GetLastSession function in browser/sessions/sessio ...) - chromium-browser 38.0.2125.101-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-3192 (Use-after-free vulnerability in the ProcessingInstruction::setXSLStyle ...) - chromium-browser 38.0.2125.101-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-3191 (Use-after-free vulnerability in Blink, as used in Google Chrome before ...) - chromium-browser 38.0.2125.101-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-3190 (Use-after-free vulnerability in the Event::currentTarget function in c ...) - chromium-browser 38.0.2125.101-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-3189 (The chrome_pdf::CopyImage function in pdf/draw_utils.cc in the PDFium ...) - chromium-browser 38.0.2125.101-1 [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-3188 (Google Chrome before 38.0.2125.101 and Chrome OS before 38.0.2125.101 ...) - chromium-browser 38.0.2125.101-1 [wheezy] - chromium-browser [squeeze] - chromium-browser - libv8 [wheezy] - libv8 (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 (Unsupported in squeeze-lts) - libv8-3.14 (unimportant; bug #773671) NOTE: libv8 not covered by security support CVE-2014-3187 (Google Chrome before 37.0.2062.60 and 38.x before 38.0.2125.59 on iOS ...) - chromium-browser (only affects versions supporting Apple's facetime) CVE-2014-3186 (Buffer overflow in the picolcd_raw_event function in devices/hid/hid-p ...) - linux 3.16.5-1 [wheezy] - linux 3.2.63-1 - linux-2.6 (Vulnerable code not present) NOTE: https://code.google.com/p/google-security-research/issues/detail?id=101 NOTE: Upstream fix: https://git.kernel.org/linus/844817e47eef14141cf59b8d5ac08dd11c0a9189 (v3.17-rc3) CVE-2014-3185 (Multiple buffer overflows in the command_port_read_callback function i ...) {DLA-118-1} - linux 3.16.2-2 [wheezy] - linux 3.2.63-1 - linux-2.6 NOTE: https://code.google.com/p/google-security-research/issues/detail?id=98 NOTE: Upstream fix: https://git.kernel.org/linus/6817ae225cd650fb1c3295d769298c38b1eba818 (v3.17-rc3) CVE-2014-3184 (The report_fixup functions in the HID subsystem in the Linux kernel be ...) {DLA-246-1} - linux 3.16.2-2 [wheezy] - linux 3.2.63-1 - linux-2.6 NOTE: https://code.google.com/p/google-security-research/issues/detail?id=91 NOTE: Upstream fix: https://git.kernel.org/linus/4ab25786c87eb20857bbb715c3ae34ec8fd6a214 (v3.17-rc2) CVE-2014-3183 (Heap-based buffer overflow in the logi_dj_ll_raw_request function in d ...) - linux 3.16.2-2 [wheezy] - linux 3.2.63-1 - linux-2.6 (Vulnerable code not present) NOTE: https://code.google.com/p/google-security-research/issues/detail?id=90 NOTE: Upstream fix: https://git.kernel.org/linus/51217e69697fba92a06e07e16f55c9a52d8e8945 (v3.17-rc2) CVE-2014-3182 (Array index error in the logi_dj_raw_event function in drivers/hid/hid ...) - linux 3.16.2-2 [wheezy] - linux 3.2.63-1 - linux-2.6 (Vulnerable driver introduced later) NOTE: https://code.google.com/p/google-security-research/issues/detail?id=89 NOTE: Upstream fix: https://git.kernel.org/linus/ad3e14d7c5268c2e24477c6ef54bbdf88add5d36 (v3.17-rc2) CVE-2014-3181 (Multiple stack-based buffer overflows in the magicmouse_raw_event func ...) - linux 3.16.5-1 [wheezy] - linux 3.2.63-1 - linux-2.6 (Vulnerable code not present) NOTE: https://code.google.com/p/google-security-research/issues/detail?id=100 NOTE: Upstream fix: https://git.kernel.org/linus/c54def7bd64d7c0b6993336abcffb8444795bf38 (v3.17-rc3) CVE-2014-3180 (** DISPUTED ** In kernel/compat.c in the Linux kernel before 3.17, as ...) - linux 4.0.2-1 (unimportant) NOTE: https://git.kernel.org/linus/849151dd5481bc8acb1d287a299b5d6a4ca9f1c3 (3.17-rc4) NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=408827 NOTE: https://lkml.org/lkml/2014/9/7/29 NOTE: The respective code path is unreachable. CVE-2014-3179 (Multiple unspecified vulnerabilities in Google Chrome before 37.0.2062 ...) {DSA-3039-1} - chromium-browser 37.0.2062.120-1 [squeeze] - chromium-browser CVE-2014-3178 (Use-after-free vulnerability in core/dom/Node.cpp in Blink, as used in ...) {DSA-3039-1} - chromium-browser 37.0.2062.120-1 [squeeze] - chromium-browser CVE-2014-3177 (Google Chrome before 37.0.2062.94 does not properly handle the interac ...) {DSA-3039-1} - chromium-browser 37.0.2062.120-1 [squeeze] - chromium-browser CVE-2014-3176 (Google Chrome before 37.0.2062.94 does not properly handle the interac ...) {DSA-3039-1} - chromium-browser 37.0.2062.120-1 [squeeze] - chromium-browser CVE-2014-3175 (Multiple unspecified vulnerabilities in Google Chrome before 37.0.2062 ...) {DSA-3039-1} - chromium-browser 37.0.2062.120-1 [squeeze] - chromium-browser CVE-2014-3174 (modules/webaudio/BiquadDSPKernel.cpp in the Web Audio API implementati ...) {DSA-3039-1} - chromium-browser 37.0.2062.120-1 [squeeze] - chromium-browser CVE-2014-3173 (The WebGL implementation in Google Chrome before 37.0.2062.94 does not ...) {DSA-3039-1} - chromium-browser 37.0.2062.120-1 [squeeze] - chromium-browser CVE-2014-3172 (The Debugger extension API in browser/extensions/api/debugger/debugger ...) {DSA-3039-1} - chromium-browser 37.0.2062.120-1 [squeeze] - chromium-browser CVE-2014-3171 (Use-after-free vulnerability in the V8 bindings in Blink, as used in G ...) {DSA-3039-1} - chromium-browser 37.0.2062.120-1 [squeeze] - chromium-browser CVE-2014-3170 (extensions/common/url_pattern.cc in Google Chrome before 37.0.2062.94 ...) {DSA-3039-1} - chromium-browser 37.0.2062.120-1 [squeeze] - chromium-browser CVE-2014-3169 (Use-after-free vulnerability in core/dom/ContainerNode.cpp in the DOM ...) {DSA-3039-1} - chromium-browser 37.0.2062.120-1 [squeeze] - chromium-browser CVE-2014-3168 (Use-after-free vulnerability in the SVG implementation in Blink, as us ...) {DSA-3039-1} - chromium-browser 37.0.2062.120-1 [squeeze] - chromium-browser CVE-2014-3167 (Multiple unspecified vulnerabilities in Google Chrome before 36.0.1985 ...) {DSA-3039-1} - chromium-browser 37.0.2062.120-1 [squeeze] - chromium-browser CVE-2014-3166 (The Public Key Pinning (PKP) implementation in Google Chrome before 36 ...) {DSA-3039-1} - chromium-browser 37.0.2062.120-1 [squeeze] - chromium-browser CVE-2014-3165 (Use-after-free vulnerability in modules/websockets/WorkerThreadableWeb ...) {DSA-3039-1} - chromium-browser 37.0.2062.120-1 [squeeze] - chromium-browser CVE-2014-3164 (cmds/servicemanager/service_manager.c in Android before commit 7d42a3c ...) NOT-FOR-US: Android CVE-2014-3163 RESERVED CVE-2014-3162 (Multiple unspecified vulnerabilities in Google Chrome before 36.0.1985 ...) {DSA-3039-1} - chromium-browser 37.0.2062.120-1 [squeeze] - chromium-browser CVE-2014-3161 (The WebMediaPlayerAndroid::load function in content/renderer/media/and ...) NOT-FOR-US: Android CVE-2014-3160 (The ResourceFetcher::canRequest function in core/fetch/ResourceFetcher ...) {DSA-3039-1} - chromium-browser 37.0.2062.120-1 [squeeze] - chromium-browser CVE-2014-3159 (The WebContentsDelegateAndroid::OpenURLFromTab function in components/ ...) NOT-FOR-US: Android CVE-2014-3158 (Integer overflow in the getword function in options.c in pppd in Paul' ...) {DSA-3079-1 DLA-74-1} - ppp 2.4.6-3 (medium; bug #762789) NOTE: https://github.com/paulusmack/ppp/commit/7658e8257183f062dc01f87969c140707c7e52cb NOTE: http://marc.info/?l=linux-ppp&m=140764978420764 NOTE: No known exploit yet but potential local privilege escalation to root for users in "dip" group CVE-2014-3157 (Heap-based buffer overflow in the FFmpegVideoDecoder::GetVideoBuffer f ...) {DSA-2959-1} - chromium-browser 35.0.1916.153-1 [squeeze] - chromium-browser CVE-2014-3156 (Buffer overflow in the clipboard implementation in Google Chrome befor ...) {DSA-2959-1} - chromium-browser 35.0.1916.153-1 [squeeze] - chromium-browser CVE-2014-3155 (net/spdy/spdy_write_queue.cc in the SPDY implementation in Google Chro ...) {DSA-2959-1} - chromium-browser 35.0.1916.153-1 [squeeze] - chromium-browser CVE-2014-3154 (Use-after-free vulnerability in the ChildThread::Shutdown function in ...) {DSA-2959-1} - chromium-browser 35.0.1916.153-1 [squeeze] - chromium-browser CVE-2014-3153 (The futex_requeue function in kernel/futex.c in the Linux kernel throu ...) {DSA-2949-1 DLA-0007-1} - linux 3.14.5-1 - linux-2.6 [squeeze] - linux-2.6 2.6.32-48squeeze7 NOTE: http://thread.gmane.org/gmane.linux.kernel.stable/92357 CVE-2014-3152 (Integer underflow in the LCodeGen::PrepareKeyedOperand function in arm ...) {DSA-2939-1} - chromium-browser 35.0.1916.114-1 [squeeze] - chromium-browser - libv8 [wheezy] - libv8 (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 (Unsupported in squeeze-lts) - libv8-3.14 (unimportant; bug #773671) NOTE: libv8 not covered by security support CVE-2014-3151 RESERVED CVE-2014-3150 (Livebox 1.1 allows remote authenticated users to upload arbitrary conf ...) NOT-FOR-US: Livebox CVE-2014-3149 (Cross-site scripting (XSS) vulnerability in Invision Power IP.Board (a ...) NOT-FOR-US: Invision Power IP.Board CVE-2014-3148 (Cross-site scripting (XSS) vulnerability in libahttp/err.c in OkCupid ...) NOT-FOR-US: OkCupid CVE-2014-3147 (Cross-site scripting (XSS) vulnerability in the auto-complete feature ...) NOT-FOR-US: Splunk CVE-2014-3146 (Incomplete blacklist vulnerability in the lxml.html.clean module in lx ...) {DSA-2941-1 DLA-0009-1} - lxml 3.3.5-1 (bug #746812) [squeeze] - lxml 2.2.8-2+deb6u1 NOTE: http://lxml.de/3.3/changes-3.3.5.html NOTE: http://seclists.org/fulldisclosure/2014/Apr/210 NOTE: https://github.com/lxml/lxml/commit/e86b294f1f81b899a59925123560ff924a72f1cc CVE-2014-3143 RESERVED CVE-2014-3142 RESERVED CVE-2014-3141 RESERVED CVE-2014-3140 REJECTED CVE-2014-3139 (recoveryconsole/bpl/snmpd.php in Unitrends Enterprise Backup 7.3.0 all ...) NOT-FOR-US: Unitrends Enterprise Backup CVE-2014-3138 (SQL injection vulnerability in Xerox DocuShare before 6.53 Patch 6 Hot ...) NOT-FOR-US: Xerox DocuShare CVE-2014-3136 (Cross-site request forgery (CSRF) vulnerability in D-Link DWR-113 (Rev ...) NOT-FOR-US: D-Link CVE-2014-3135 (Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 5.1.1 ...) NOT-FOR-US: vBulletin CVE-2014-3134 (Cross-site scripting (XSS) vulnerability in the InfoView application i ...) NOT-FOR-US: SAP BusinessObjects CVE-2014-3133 (SAP Netweaver Java Application Server does not properly restrict acces ...) NOT-FOR-US: SAP NetWeaver CVE-2014-3132 (SAP Background Processing does not properly restrict access, which all ...) NOT-FOR-US: SAP Background Processing CVE-2014-3131 (SAP Profile Maintenance does not properly restrict access, which allow ...) NOT-FOR-US: SAP Solution Manager CVE-2014-3130 (The ABAP Help documentation and translation tools (BC-DOC-HLP) in Basi ...) NOT-FOR-US: SAP NetWeaver CVE-2014-3129 (The Java Server Pages in the Software Lifecycle Manager (SLM) in SAP N ...) NOT-FOR-US: SAP NetWeaver CVE-2014-3209 (The ldns-keygen tool in ldns 1.6.x uses the current umask to set the p ...) - ldns 1.6.17-4 (low; bug #746758) [squeeze] - ldns (Minor issue) [wheezy] - ldns 1.6.13-1+deb7u1 CVE-2014-3230 (The libwww-perl LWP::Protocol::https module 6.04 through 6.06 for Perl ...) - liblwp-protocol-https-perl 6.04-3 (bug #746579) [wheezy] - liblwp-protocol-https-perl (Introduced by bcc46ce2dab53d2e2baa583f2243d6fc7d36dcc8 in 6.04) NOTE: Introduced by https://github.com/dagolden/lwp-protocol-https/commit/bcc46ce2dab53d2e2baa583f2243d6fc7d36dcc8 NOTE: CVE assignment for https://github.com/libwww-perl/lwp-protocol-https/pull/14#issuecomment-42328818 CVE-2014-3207 (Cross-site scripting (XSS) vulnerability in wserver.ml in SKS Keyserve ...) - sks 1.1.5-1 (low; bug #746626) [squeeze] - sks (Minor issue) [wheezy] - sks 1.1.3-2+deb7u1 NOTE: https://bitbucket.org/skskeyserver/sks-keyserver/issue/26/unfiltered-xss NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=952077 CVE-2014-3137 (Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before ...) {DSA-2948-1} - python-bottle 0.12.6-1 (bug #746322) [squeeze] - python-bottle (bug affects versions 0.10.11-1 and 0.12.5-1) CVE-2014-3128 RESERVED CVE-2014-3127 (dpkg 1.15.9 on Debian squeeze introduces support for the "C-style enco ...) {DSA-2915-2} - dpkg 1.17.9 CVE-2014-3126 RESERVED CVE-2014-3125 (Xen 4.4.x, when running on an ARM system, does not properly context sw ...) - xen (Only 32- and 64-bit ARM systems are affected from Xen 4.4 onwards) CVE-2014-3124 (The HVMOP_set_mem_type control in Xen 4.1 through 4.4.x allows local g ...) {DSA-3006-1} - xen 4.4.1-1 (bug #757724) [squeeze] - xen (Xen versions from 4.1 onwards are vulnerable) CVE-2014-3123 (Cross-site scripting (XSS) vulnerability in admin/manage-images.php in ...) NOT-FOR-US: Wordpress plugin CVE-2014-3121 (rxvt-unicode before 9.20 does not properly handle OSC escape sequences ...) {DSA-2925-1} - rxvt-unicode 9.20-1 (bug #746593) CVE-2014-3120 (The default configuration in Elasticsearch before 1.2 enables dynamic ...) - elasticsearch 1.0.3+dfsg-3 (bug #759736) NOTE: https://github.com/elasticsearch/elasticsearch/commit/81e83cca NOTE: https://github.com/elasticsearch/elasticsearch/issues/5853 CVE-2014-3119 (Multiple SQL injection vulnerabilities in web2Project 3.1 and earlier ...) NOT-FOR-US: web2Project CVE-2014-3118 RESERVED CVE-2014-3117 RESERVED CVE-2014-3116 RESERVED CVE-2014-3115 (Multiple cross-site request forgery (CSRF) vulnerabilities in the web ...) NOT-FOR-US: Fortinet Fortiweb CVE-2014-3114 (The EZPZ One Click Backup (ezpz-one-click-backup) plugin 12.03.10 and ...) NOT-FOR-US: WordPress plugin ezpz-one-click-backup CVE-2014-3113 (Multiple buffer overflows in RealNetworks RealPlayer before 17.0.10.8 ...) NOT-FOR-US: RealPlayer CVE-2014-3112 RESERVED CVE-2014-3110 (Multiple cross-site scripting (XSS) vulnerabilities on Honeywell FALCO ...) NOT-FOR-US: Honeywell FALCON XLWeb controllor CVE-2014-3109 RESERVED CVE-2014-3108 RESERVED CVE-2014-3107 RESERVED CVE-2014-3106 (IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, an ...) NOT-FOR-US: IBM WebSphere CVE-2014-3105 (The OSLC integration feature in the Web component in IBM Rational Clea ...) NOT-FOR-US: IBM WebSphere CVE-2014-3104 (IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, an ...) NOT-FOR-US: IBM WebSphere CVE-2014-3103 (The Web component in IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0. ...) NOT-FOR-US: IBM WebSphere CVE-2014-3102 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 7.0.0 ...) NOT-FOR-US: IBM WebSphere CVE-2014-3101 (The login form in the Web component in IBM Rational ClearQuest 7.1 bef ...) NOT-FOR-US: IBM Rational ClearQuest CVE-2014-3100 (Stack-based buffer overflow in the encode_key function in /system/bin/ ...) NOT-FOR-US: Android service KeyStore CVE-2014-3099 (Unspecified vulnerability in the Security component in IBM Systems Dir ...) NOT-FOR-US: IBM Systems Director CVE-2014-3098 RESERVED CVE-2014-3097 (Open redirect vulnerability in IBM Tivoli Federated Identity Manager ( ...) NOT-FOR-US: IBM Tivoli CVE-2014-3096 (Cross-site scripting (XSS) vulnerability in IBM Curam Social Program M ...) NOT-FOR-US: IBM Curam CVE-2014-3095 (The SQL engine in IBM DB2 9.5 through FP10, 9.7 through FP9a, 9.8 thro ...) NOT-FOR-US: IBM DB2 CVE-2014-3094 (Stack-based buffer overflow in IBM DB2 9.7 through FP9a, 9.8 through F ...) NOT-FOR-US: IBM DB2 CVE-2014-3093 (IBM PowerVC 1.2.0 before FP3 and 1.2.1 before FP2 uses cleartext passw ...) NOT-FOR-US: IBM CVE-2014-3092 (IBM Jazz Team Server, as used in Rational Collaborative Lifecycle Mana ...) NOT-FOR-US: IBM CVE-2014-3091 (Cross-site scripting (XSS) vulnerability in IBM Security QRadar SIEM 7 ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2014-3090 (IBM Rational ClearCase 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and ...) NOT-FOR-US: IBM Rational ClearCase CVE-2014-3089 (The RDS Java Client library in IBM Rational Directory Server (RDS) 5.1 ...) NOT-FOR-US: IBM Rational Directory Server CVE-2014-3088 (stconf.nsf in IBM Sametime Meeting Server 8.5.1 relies on the client t ...) NOT-FOR-US: IBM Sametime CVE-2014-3087 (callService.do in IBM Business Process Manager (BPM) 7.5 through 8.5.5 ...) NOT-FOR-US: IBM CVE-2014-3086 (Unspecified vulnerability in the IBM Java Virtual Machine, as used in ...) NOT-FOR-US: IBM WebSphere CVE-2014-3085 (systest.php on IBM GCM16 and GCM32 Global Console Manager switches wit ...) NOT-FOR-US: IBM CVE-2014-3084 (IBM Maximo Asset Management 6.1 through 6.5, 7.1 through 7.1.1.13, and ...) NOT-FOR-US: IBM CVE-2014-3083 (IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.35, 8.0.x be ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2014-3082 RESERVED CVE-2014-3081 (prodtest.php on IBM GCM16 and GCM32 Global Console Manager switches wi ...) NOT-FOR-US: IBM CVE-2014-3080 (Multiple cross-site scripting (XSS) vulnerabilities on IBM GCM16 and G ...) NOT-FOR-US: IBM CVE-2014-3079 (The Administration and Reporting Tool in IBM Rational License Key Serv ...) NOT-FOR-US: IBM CVE-2014-3078 RESERVED CVE-2014-3077 (IBM SONAS and System Storage Storwize V7000 Unified (aka V7000U) 1.3.x ...) NOT-FOR-US: IBM CVE-2014-3076 (IBM Business Process Manager (BPM) 8.5 through 8.5.5 allows remote att ...) NOT-FOR-US: IBM CVE-2014-3075 (Cross-site scripting (XSS) vulnerability in IBM Business Process Manag ...) NOT-FOR-US: IBM CVE-2014-3074 (The runtime linker in IBM AIX 6.1 and 7.1 and VIOS 2.2.x allows local ...) NOT-FOR-US: IBM AIX CVE-2014-3073 (Unspecified vulnerability in IBM Security Access Manager (ISAM) for Mo ...) NOT-FOR-US: Novell Identity Manager CVE-2014-3072 (Unspecified vulnerability in the Automation Server in IBM Security App ...) NOT-FOR-US: IBM Security AppScan CVE-2014-3071 (Cross-site scripting (XSS) vulnerability in the Data Quality Console i ...) NOT-FOR-US: IBM InfoSphere CVE-2014-3070 (The addFileRegistryAccount Virtual Member Manager (VMM) SPI Admin Task ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2014-3069 (Multiple CRLF injection vulnerabilities in the Universal Access compon ...) NOT-FOR-US: IBM Curam Social Program Management CVE-2014-3068 (IBM Java Runtime Environment (JRE) 7 R1 before SR1 FP1 (7.1.1.1), 7 be ...) NOT-FOR-US: IBM JDK CVE-2014-3067 RESERVED CVE-2014-3066 (IBM Tivoli Endpoint Manager 9.1 before 9.1.1088.0 allows remote attack ...) NOT-FOR-US: IBM Tivoli Endpoint Manager CVE-2014-3065 (Unspecified vulnerability in IBM Java Runtime Environment (JRE) 7 R1 b ...) NOT-FOR-US: IBM JDK CVE-2014-3064 (The GDS component in IBM InfoSphere Master Data Management - Collabora ...) NOT-FOR-US: IBM CVE-2014-3063 (IBM InfoSphere Master Data Management - Collaborative Edition 10.x bef ...) NOT-FOR-US: IBM CVE-2014-3062 (Unspecified vulnerability in IBM Security QRadar SIEM 7.1 MR2 and 7.2 ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2014-3061 (Cross-site request forgery (CSRF) vulnerability in IBM Emptoris Spend ...) NOT-FOR-US: IBM CVE-2014-3060 (Unspecified vulnerability on the IBM WebSphere DataPower XC10 applianc ...) NOT-FOR-US: IBM WebSphere CVE-2014-3059 (Unspecified vulnerability in the Administrative Console on the IBM Web ...) NOT-FOR-US: IBM WebSphere CVE-2014-3058 (Cross-site request forgery (CSRF) vulnerability on the IBM WebSphere D ...) NOT-FOR-US: IBM CVE-2014-3057 (Cross-site scripting (XSS) vulnerability in the Unified Task List (UTL ...) NOT-FOR-US: IBM WebSphere Portal CVE-2014-3056 (The Unified Task List (UTL) Portlet for IBM WebSphere Portal 7.x and 8 ...) NOT-FOR-US: IBM WebSphere Portal CVE-2014-3055 (SQL injection vulnerability in the Unified Task List (UTL) Portlet for ...) NOT-FOR-US: IBM WebSphere Portal CVE-2014-3054 (Multiple open redirect vulnerabilities in the Unified Task List (UTL) ...) NOT-FOR-US: IBM WebSphere Portal CVE-2014-3053 (The Local Management Interface (LMI) in IBM Security Access Manager (I ...) NOT-FOR-US: IBM ISAM CVE-2014-3052 (The reverse-proxy feature in IBM Security Access Manager (ISAM) for We ...) NOT-FOR-US: IBM ISAM CVE-2014-3051 (The Internet Service Monitor (ISM) agent in IBM Tivoli Composite Appli ...) NOT-FOR-US: IBM Tivoli CVE-2014-3050 (IBM Rational Team Concert (RTC) 3.x before 3.0.1.6 IF3 and 4.x before ...) NOT-FOR-US: IBM Rational Team Concert CVE-2014-3049 RESERVED CVE-2014-3048 (Unspecified vulnerability on the IBM System Storage Virtualization Eng ...) NOT-FOR-US: IBM System Storage Virtualization Engine CVE-2014-3047 RESERVED CVE-2014-3046 RESERVED CVE-2014-3045 (IBM Scale Out Network Attached Storage (SONAS) 1.3.x and 1.4.x before ...) NOT-FOR-US: IBM CVE-2014-3044 RESERVED CVE-2014-3043 (IBM Storwize V7000 Unified 1.3.x and 1.4.x before 1.4.3.3 allows remot ...) NOT-FOR-US: IBM CVE-2014-3042 (IBM CICS Transaction Server 3.1, 3.2, 4.1, 4.2, and 5.1 on z/OS does n ...) NOT-FOR-US: IBM CICS Transaction Serve CVE-2014-3041 (SQL injection vulnerability in IBM Emptoris Contract Management 9.5.x ...) NOT-FOR-US: IBM CVE-2014-3040 (Cross-site request forgery (CSRF) vulnerability in IBM Emptoris Contra ...) NOT-FOR-US: IBM CVE-2014-3039 RESERVED CVE-2014-3038 (IBM SPSS Modeler 16.0 before 16.0.0.1 on UNIX does not properly drop g ...) NOT-FOR-US: IBM SPSS Modeler CVE-2014-3037 (Cross-site request forgery (CSRF) vulnerability in IBM Configuration M ...) NOT-FOR-US: IBM CVE-2014-3036 (Unspecified vulnerability in IBM API Management 3.0.0.0, when basic au ...) NOT-FOR-US: IBM API Management CVE-2014-3035 (Cross-site scripting (XSS) vulnerability in IBM Emptoris Spend Analysi ...) NOT-FOR-US: IBM CVE-2014-3034 (Cross-site scripting (XSS) vulnerability in IBM Emptoris Contract Mana ...) NOT-FOR-US: IBM CVE-2014-3033 (Cross-site scripting (XSS) vulnerability in IBM Emptoris Sourcing Port ...) NOT-FOR-US: IBM Emptoris Sourcing Portfolio CVE-2014-3032 (Cross-site scripting (XSS) vulnerability in the Web GUI in IBM Tivoli ...) NOT-FOR-US: IBM Tivoli CVE-2014-3031 (Cross-site scripting (XSS) vulnerability in IBM Tivoli Business Servic ...) NOT-FOR-US: IBM Tivoli Business Service Manager CVE-2014-3030 RESERVED CVE-2014-3029 RESERVED CVE-2014-3028 RESERVED CVE-2014-3027 RESERVED CVE-2014-3026 (CRLF injection vulnerability in IBM Maximo Asset Management 7.5 throug ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2014-3025 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asse ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2014-3024 (Cross-site request forgery (CSRF) vulnerability in IBM Maximo Asset Ma ...) NOT-FOR-US: IBM CVE-2014-3023 RESERVED CVE-2014-3022 (IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.33, 8.0.x be ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2014-3021 (IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.35, 8.0 before ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2014-3020 (install.sh in the Embedded WebSphere Application Server (eWAS) 7.0 bef ...) NOT-FOR-US: IBM Tivoli Integrated Portal CVE-2014-3019 (IBM BladeCenter SAS Connectivity Module (aka NSSM) and SAS RAID Module ...) NOT-FOR-US: IBM CVE-2014-3018 (IBM BladeCenter SAS Connectivity Module (aka NSSM) and SAS RAID Module ...) NOT-FOR-US: IBM CVE-2014-3017 RESERVED CVE-2014-3016 RESERVED CVE-2014-3015 (Cross-site request forgery (CSRF) vulnerability in the Web player in I ...) NOT-FOR-US: IBM Sametime CVE-2014-3014 (Cross-site scripting (XSS) vulnerability in the Meeting Server in IBM ...) NOT-FOR-US: IBM Sametime CVE-2014-3013 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Curam Socia ...) NOT-FOR-US: IBM Curam Social Program Management CVE-2014-3012 (Multiple CRLF injection vulnerabilities in IBM Curam Social Program Ma ...) NOT-FOR-US: IBM Curam Social Program Management CVE-2014-3011 (IBM OpenPages GRC Platform 6.1.0.1 before IF4 allows remote attackers ...) NOT-FOR-US: IBM OpenPages GRC Platform CVE-2014-3010 (Cross-site scripting (XSS) vulnerability in the Web UI in IBM WebSpher ...) NOT-FOR-US: IBM WebSphere CVE-2014-3009 (The GDS component in IBM InfoSphere Master Data Management - Collabora ...) NOT-FOR-US: IBM InfoSphere CVE-2014-3008 (Unitrends Enterprise Backup 7.3.0 allows remote authenticated users to ...) NOT-FOR-US: Unitrends Enterprise Backup CVE-2014-3007 (Python Image Library (PIL) 1.1.7 and earlier and Pillow 2.3 might allo ...) - pillow 2.4.0-1 (bug #737059) - python-imaging [squeeze] - python-imaging (Minor issue) [wheezy] - python-imaging (Minor issue) NOTE: details what is covered exactly by this CVE relating to CVE-2014-1932 and CVE-2014-1933 is missing CVE-2014-3006 (Sitepark Information Enterprise Server (IES) 2.9 before 2.9.6, when up ...) NOT-FOR-US: Sitepark Information Enterprise Server CVE-2014-3005 (XML external entity (XXE) vulnerability in Zabbix 1.8.x before 1.8.21r ...) - zabbix 1:2.2.5+dfsg-1 (bug #751910) [squeeze] - zabbix (Unsupported in squeeze-lts) NOTE: http://seclists.org/fulldisclosure/2014/Jun/87 NOTE: Upstream issue tracking https://support.zabbix.com/browse/ZBX-8151 CVE-2014-3004 (The default configuration for the Xerces SAX Parser in Castor before 1 ...) NOT-FOR-US: Castor CVE-2014-3003 REJECTED CVE-2014-3002 RESERVED CVE-2014-3001 (The device file system (aka devfs) in FreeBSD 10.0 before p2 does not ...) - kfreebsd-10 NOTE: it is called SA-14:07.devfs in the freebsd world NOTE: the devfs rules file is loaded by /etc/init.d/freebsd-utils on boot, so debian never was vulnerable CVE-2014-3000 (The TCP reassembly function in the inet module in FreeBSD 8.3 before p ...) {DSA-2952-1} - kfreebsd-10 10.0-5 (bug #746949) - kfreebsd-9 (bug #746951) - kfreebsd-8 (bug #746952) [wheezy] - kfreebsd-8 (Non standard kernel, will be fixed in a point update) [squeeze] - kfreebsd-8 (Unsupported in squeeze-lts) CVE-2014-2999 RESERVED CVE-2014-2998 RESERVED CVE-2014-2997 RESERVED CVE-2014-2996 (XCloner Standalone 3.5 and earlier, when enable_db_backup and sql_mem ...) NOT-FOR-US: XCloner Standalone CVE-2014-2995 (Multiple cross-site scripting (XSS) vulnerabilities in twitget.php in ...) NOT-FOR-US: WordPress plugin Twitget CVE-2014-2994 (Stack-based buffer overflow in Acunetix Web Vulnerability Scanner (WVS ...) NOT-FOR-US: Acunetix Web Vulnerability Scanner CVE-2014-2993 (The Birebin.com application for Android does not verify X.509 certific ...) NOT-FOR-US: Birebin.com application for Android CVE-2014-2992 (The Misli.com application for Android does not verify X.509 certificat ...) NOT-FOR-US: Misli.com application for Android CVE-2014-2991 RESERVED CVE-2014-2990 RESERVED CVE-2014-2989 (Cross-site request forgery (CSRF) vulnerability in Open Assessment Tec ...) NOT-FOR-US: Open Assessment Technologies TAO CVE-2014-2988 (EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Commu ...) NOT-FOR-US: EGroupware EPL CVE-2014-2987 (Multiple cross-site request forgery (CSRF) vulnerabilities in EGroupwa ...) NOT-FOR-US: EGroupware EPL CVE-2013-7373 (Android before 4.4 does not properly arrange for seeding of the OpenSS ...) NOT-FOR-US: Android CVE-2013-7372 (The engineNextBytes function in classlib/modules/security/src/main/jav ...) NOT-FOR-US: Android CVE-2011-5279 (CRLF injection vulnerability in the CGI implementation in Microsoft In ...) NOT-FOR-US: Microsoft IIS CVE-2014-3122 (The try_to_unmap_cluster function in mm/rmap.c in the Linux kernel bef ...) {DSA-2926-1 DLA-0015-1} - linux 3.14.4-1 (bug #747326) - linux-2.6 [squeeze] - linux-2.6 2.6.32-48squeeze8 NOTE: Introduced by https://git.kernel.org/linus/b291f000393f5a0b679012b39d79fbc85c018233 NOTE: Fixed by https://git.kernel.org/linus/57e68e9cd65b4b8eb4045a1e0d0746458502554c (v3.15-rc1) CVE-2014-3985 (The getHTTPResponse function in miniwget.c in MiniUPnP 1.9 allows remo ...) - miniupnpc 1.6-4 (low; bug #748913) [wheezy] - miniupnpc (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1085618 NOTE: https://github.com/miniupnp/miniupnp/commit/3a87aa2f10bd7f1408e1849bdb59c41dd63a9fe9 NOTE: http://www.openwall.com/lists/oss-security/2014/04/30/3 CVE-2014-4338 (cups-browsed in cups-filters before 1.0.53 allows remote attackers to ...) - cups-filters 1.0.53-1 [wheezy] - cups-filters (vulnerable code not present) NOTE: http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7195 CVE-2014-4337 (The process_browse_data function in utils/cups-browsed.c in cups-brows ...) - cups-filters 1.0.53-1 [wheezy] - cups-filters (vulnerable code not present) CVE-2014-4336 (The generate_local_queue function in utils/cups-browsed.c in cups-brow ...) - cups-filters 1.0.53-1 [wheezy] - cups-filters (vulnerable code not present) NOTE: incomplete fix was applied NOTE: http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7194 CVE-2014-3111 (Multiple cross-site scripting (XSS) vulnerabilities in FOG 0.27 throug ...) NOT-FOR-US: fog cloning solution CVE-2014-2985 RESERVED CVE-2014-2984 REJECTED CVE-2014-2982 RESERVED CVE-2014-2981 RESERVED CVE-2014-2979 RESERVED CVE-2014-2978 (The Dispatch_Write function in proxy/dispatcher/idirectfbsurface_dispa ...) - directfb (Vulnerable code was introduced in 1.4.4) CVE-2014-2977 (Multiple integer signedness errors in the Dispatch_Write function in p ...) - directfb (Vulnerable code was introduced in 1.4.13) CVE-2014-2976 (Directory traversal vulnerability in Sixnet SixView Manager 2.4.1 allo ...) NOT-FOR-US: Sixnet SixView CVE-2014-2975 (Cross-site scripting (XSS) vulnerability in php/user_account.php in Si ...) NOT-FOR-US: Silver Peak VX CVE-2014-2974 (Cross-site request forgery (CSRF) vulnerability in php/user_account.ph ...) NOT-FOR-US: Silver Peak VX CVE-2014-2973 REJECTED CVE-2014-2972 (expand.c in Exim before 4.83 expands mathematical comparisons twice, w ...) - exim4 4.82.1-2 (low) [squeeze] - exim4 (Minor issue) [wheezy] - exim4 4.80-7+deb7u1 CVE-2014-2971 (Cross-site scripting (XSS) vulnerability in AddStdLetter.jsp in MicroP ...) NOT-FOR-US: MicroPact iComplaints CVE-2014-2970 REJECTED CVE-2014-2969 (NETGEAR GS108PE Prosafe Plus switches with firmware 1.2.0.5 have a har ...) NOT-FOR-US: NETGEAR GS108PE Prosafe Plus switches CVE-2014-2968 (Cross-site scripting (XSS) vulnerability in the web interface on the H ...) NOT-FOR-US: Huawei E355 CH1E355SM firmware CVE-2014-2967 (Autodesk VRED Professional 2014 before SR1 SP8 allows remote attackers ...) NOT-FOR-US: Autodesk VRED Professional CVE-2014-2966 (The ISO-8859-1 encoder in Resin Pro before 4.0.40 does not properly pe ...) NOT-FOR-US: Resin Pro CVE-2014-2965 (Cross-site scripting (XSS) vulnerability in auth-settings-x.php in Spa ...) NOT-FOR-US: SpamTitan CVE-2014-2964 (Cobham Aviator 700D and 700E satellite terminals have hardcoded passwo ...) NOT-FOR-US: Cobham Aviator 700D and 700E satellite terminals CVE-2014-2963 (Multiple cross-site scripting (XSS) vulnerabilities in group/control_p ...) NOT-FOR-US: Liferay Portal CVE-2014-2962 (Absolute path traversal vulnerability in the webproc cgi module on the ...) NOT-FOR-US: Belkin router CVE-2014-2961 RESERVED CVE-2014-2960 (Vision Critical before 2014-05-30 allows attackers to read arbitrary f ...) NOT-FOR-US: Vision Critical CVE-2014-2959 (logViewer.htm on the Dell ML6000 tape backup system with firmware befo ...) NOT-FOR-US: Quantum Scalar CVE-2014-2958 RESERVED CVE-2014-2957 (The dmarc_process function in dmarc.c in Exim before 4.82.1, when EXPE ...) - exim4 4.82.1-1 (unimportant) [squeeze] - exim4 (Vulnerable code introduced in 4.82) [wheezy] - exim4 (Vulnerable code introduced in 4.82) NOTE: https://lists.exim.org/lurker/message/20140528.122536.a31d60a4.en.html NOTE: EXPERIMENTAL_DMARC not enabled CVE-2014-2956 (ScriptHelperApi in the AVG ScriptHelper ActiveX control in ScriptHelpe ...) NOT-FOR-US: AVG Secure Search toolbar and AVG Safeguard CVE-2014-2955 (Raritan PX before 1.5.11 on DPXR20A-16 devices allows remote attackers ...) NOT-FOR-US: Raritan PX CVE-2014-2954 RESERVED CVE-2014-2953 RESERVED CVE-2014-2952 [Arbitrary File Deletion as Root in Webmin] RESERVED - webmin NOTE: https://sites.utexas.edu/iso/2014/09/09/arbitrary-file-deletion-as-root-in-webmin/ CVE-2014-2951 (Datum Systems SnIP on PSM-500 and PSM-4500 devices has a hardcoded pas ...) NOT-FOR-US: Datum Systems SnIP CVE-2014-2950 (Datum Systems SnIP on PSM-500 and PSM-4500 devices does not require au ...) NOT-FOR-US: Datum Systems SnIP CVE-2014-2949 (SQL injection vulnerability in the web service in F5 ARX Data Manager ...) NOT-FOR-US: F5 ARX Data Manager CVE-2014-2948 (SQL injection vulnerability in workflowenginesoa.asmx in Bizagi BPM Su ...) NOT-FOR-US: Bizagi BPM CVE-2014-2947 (Cross-site scripting (XSS) vulnerability in Login.aspx in Bizagi BPM S ...) NOT-FOR-US: Bizagi BPM CVE-2014-2946 (Cross-site request forgery (CSRF) vulnerability in api/sms/send-sms in ...) NOT-FOR-US: Huawei device CVE-2014-2945 REJECTED CVE-2014-2944 REJECTED CVE-2014-2943 REJECTED CVE-2014-2942 (Cobham Aviator 700D and 700E satellite terminals use an improper algor ...) NOT-FOR-US: Cobham Aviator CVE-2014-2941 (** DISPUTED ** Cobham Sailor 6000 satellite terminals have hardcoded T ...) NOT-FOR-US: Cobham Sailor 6000 satellite terminals CVE-2014-2940 (Cobham Sailor 900 and 6000 satellite terminals with firmware 1.08 MFHF ...) NOT-FOR-US: Cobham Sailor 900 and 6000 satellite terminals CVE-2014-2939 (Multiple cross-site scripting (XSS) vulnerabilities in Alfresco Enterp ...) NOT-FOR-US: Alfresco CVE-2014-2938 (Hanvon FaceID before 1.007.110 does not require authentication, which ...) NOT-FOR-US: Hanvon FaceID CVE-2014-2937 REJECTED CVE-2014-2936 (The directory manager in Caldera 9.20 allows remote attackers to condu ...) NOT-FOR-US: Caldera CVE-2014-2935 (costview3/xmlrpc_server/xmlrpc.php in CostView in Caldera 9.20 allows ...) NOT-FOR-US: Caldera CVE-2014-2934 (Multiple SQL injection vulnerabilities in Caldera 9.20 allow remote at ...) NOT-FOR-US: Caldera CVE-2014-2933 (Directory traversal vulnerability in dirmng/index.php in Caldera 9.20 ...) NOT-FOR-US: Caldera CVE-2014-2932 RESERVED CVE-2014-2931 RESERVED CVE-2014-2930 RESERVED CVE-2014-2929 RESERVED CVE-2014-2928 (The iControl API in F5 BIG-IP LTM, APM, ASM, GTM, Link Controller, and ...) NOT-FOR-US: F5 BIG-IP CVE-2014-2927 (The rsync daemon in F5 BIG-IP 11.6 before 11.6.0, 11.5.1 before HF3, 1 ...) NOT-FOR-US: F5 BIG-IP CVE-2014-2926 (kapfa.sys in Kaseya Virtual System Administrator (VSA) 6.5 before 6.5. ...) NOT-FOR-US: Kaseya Virtual System Administrator CVE-2014-2925 (Cross-site scripting (XSS) vulnerability in Advanced_Wireless_Content. ...) NOT-FOR-US: ASUS RT series CVE-2014-2924 RESERVED CVE-2014-2923 RESERVED CVE-2014-2922 (The getObjectByToken function in Newsletter.php in the Pimcore_Tool_Ne ...) NOT-FOR-US: pimcore CVE-2014-2921 (The getObjectByToken function in Newsletter.php in the Pimcore_Tool_Ne ...) NOT-FOR-US: pimcore CVE-2014-2920 RESERVED CVE-2014-2919 RESERVED CVE-2014-2918 RESERVED CVE-2014-2917 RESERVED CVE-2014-2916 (Cross-site request forgery (CSRF) vulnerability in the subscription pa ...) NOT-FOR-US: subscription page editor CVE-2014-2914 (fish (aka fish-shell) 2.0.0 before 2.1.1 does not restrict access to t ...) - fish 2.1.1-1 (bug #746259) [wheezy] - fish (Web interface not yet present) [squeeze] - fish (Web interface not yet present) NOTE: https://github.com/fish-shell/fish-shell/issues/1438 CVE-2014-2912 RESERVED CVE-2014-2911 RESERVED CVE-2014-2910 RESERVED CVE-2014-2909 (CRLF injection vulnerability in the integrated web server on Siemens S ...) NOT-FOR-US: Siemens CVE-2014-2908 (Cross-site scripting (XSS) vulnerability in the integrated web server ...) NOT-FOR-US: Siemens CVE-2014-2906 (The psub function in fish (aka fish-shell) 1.16.0 before 2.1.1 does no ...) - fish 2.1.1-1 (low; bug #746259) [squeeze] - fish (Minor issue) [wheezy] - fish (Minor issue) NOTE: https://github.com/fish-shell/fish-shell/issues/1437 CVE-2014-2905 (fish (aka fish-shell) 1.16.0 before 2.1.1 does not properly check the ...) - fish 2.1.1-1 (low; bug #746259) [squeeze] - fish (Minor issue) [wheezy] - fish (Minor issue) NOTE: https://github.com/fish-shell/fish-shell/issues/1436 CVE-2014-2895 RESERVED CVE-2014-2891 (strongSwan before 5.1.2 allows remote attackers to cause a denial of s ...) {DSA-2922-1} - strongswan 5.1.2-1 CVE-2014-2887 RESERVED CVE-2014-2886 (GKSu 2.0.2, when sudo-mode is not enabled, uses " (double quote) chara ...) - gksu [stretch] - gksu (Minor issue) [jessie] - gksu (Minor issue) [wheezy] - gksu (Minor issue) [squeeze] - gksu (Minor issue) NOTE: https://community.rapid7.com/community/metasploit/blog/2014/07/07/virtualbox-filename-command-execution-via-gksu NOTE: In Debian libgksu installs two alternatives gconf-defaults.libgksu-sudo NOTE: and gconf-defaults.libgksu-su, where the gconf-defaults.libgksu-su is NOTE: enabled (in auto mode). CVE-2014-2883 RESERVED CVE-2014-2882 (Unspecified vulnerability in the management GUI in Citrix NetScaler Ap ...) NOT-FOR-US: Citrix Netscaler CVE-2014-2881 (Unspecified vulnerability in the Diffie-Hellman key agreement implemen ...) NOT-FOR-US: Citrix Netscaler CVE-2014-2880 (Open redirect vulnerability in the Oracle Identity Manager component i ...) NOT-FOR-US: Oracle Identity Manager CVE-2014-2879 (Multiple cross-site scripting (XSS) vulnerabilities in Dell SonicWALL ...) NOT-FOR-US: SonicWALL CVE-2014-2878 RESERVED CVE-2014-2877 RESERVED CVE-2014-2876 RESERVED CVE-2014-2875 (The session.lua library in CGILua 5.2 alpha 1 and 5.2 alpha 2 uses wea ...) - lua-cgi (unimportant; bug #953037) NOTE: https://github.com/keplerproject/cgilua/issues/17 NOTE: The code itself is broken and thus cannot be exploited per se if not fixed, NOTE: see details in https://bugs.debian.org/954300 CVE-2013-7369 (SQL injection vulnerability in an unspecified DLL in the FSDBCom Activ ...) NOT-FOR-US: F-Secure Anti-Virus CVE-2012-6647 (The futex_wait_requeue_pi function in kernel/futex.c in the Linux kern ...) - linux 3.2.29-1 - linux-2.6 [squeeze] - linux-2.6 2.6.32-47 NOTE: Upstream fix: https://git.kernel.org/linus/6f7b0a2a5c0fb03be7c25bd1745baa50582348ef NOTE: Introduced in https://git.kernel.org/linus/52400ba946759af28442dee6265c5c0180ac7122 CVE-2012-6646 (F-Secure Anti-Virus, Safe Anywhere, and PSB Workstation Security befor ...) NOT-FOR-US: F-Secure CVE-2014-XXXX [Insecure default permissions for ~/.virtualenvs and scripts] - virtualenvwrapper 4.3-1 (low; bug #745580) [wheezy] - virtualenvwrapper (Minor issue) [squeeze] - virtualenvwrapper (Minor issue) CVE-2014-2907 (The srtp_add_address function in epan/dissectors/packet-rtp.c in the R ...) - wireshark 1.10.7-1 (bug #745595) [wheezy] - wireshark (Affects 1.10.x only) [squeeze] - wireshark (Affects 1.10.x only) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9885 NOTE: http://www.wireshark.org/security/wnpa-sec-2014-06.html CVE-2014-2986 (The vgic_distr_mmio_write function in the virtual guest interrupt cont ...) - xen (Only 32-bit and 64-bit ARM systems are vulnerable from Xen 4.4 onwards) CVE-2014-2980 (Tools/gdomap.c in gdomap in GNUstep Base 1.24.6 and earlier, when run ...) - gnustep-base 1.24.6-1 (bug #745470) [wheezy] - gnustep-base 1.22.1-4+deb7u1 [squeeze] - gnustep-base (Minor issue) NOTE: https://savannah.gnu.org/bugs/?41751 CVE-2014-2915 (Xen 4.4.x, when running on ARM systems, does not properly restrict acc ...) - xen (Only 32-bit and 64-bit ARM systems are vulnerable from Xen 4.4 onwards) CVE-2014-2913 (** DISPUTED ** Incomplete blacklist vulnerability in nrpe.c in Nagios ...) - nagios-nrpe 2.15-1 (unimportant; bug #745272) NOTE: This in insecure by design anyway CVE-2014-2983 (Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate t ...) {DSA-2914-1 DSA-2913-1} - drupal7 7.27-1 - drupal6 NOTE: https://drupal.org/SA-CORE-2014-002 CVE-2014-2904 (wolfssl before 3.2.0 has a server certificate that is not properly aut ...) - cyassl (bug #770229) - wolfssl 3.4.8+dfsg-1 (bug #792646) NOTE: wolfssl actually fixed with the initial upload to unstable after the rename NOTE: according to maintainer addressed in 3.2.0 upstream CVE-2014-2903 (CyaSSL does not check the key usage extension in leaf certificates, wh ...) - cyassl (bug #770229) - wolfssl 3.4.8+dfsg-1 (bug #792646) NOTE: wolfssl actually fixed with the initial upload to unstable after the rename NOTE: according to maintainer addressed in 3.2.0 upstream CVE-2014-2902 (wolfssl before 3.2.0 does not properly authorize CA certificate for si ...) - cyassl (bug #770229) - wolfssl 3.4.8+dfsg-1 (bug #792646) NOTE: wolfssl actually fixed with the initial upload to unstable after the rename NOTE: according to maintainer addressed in 3.2.0 upstream CVE-2014-2901 (wolfssl before 3.2.0 does not properly issue certificates for a server ...) - cyassl (bug #770229) - wolfssl 3.4.8+dfsg-1 (bug #792646) NOTE: wolfssl actually fixed with the initial upload to unstable after the rename NOTE: according to maintainer addressed in 3.2.0 upstream CVE-2014-2900 (wolfSSL CyaSSL before 2.9.4 does not properly validate X.509 certifica ...) - cyassl 2.9.4+dfsg-1 CVE-2014-2899 (wolfSSL CyaSSL before 2.9.4 allows remote attackers to cause a denial ...) - cyassl 2.9.4+dfsg-1 CVE-2014-2898 (wolfSSL CyaSSL before 2.9.4 allows remote attackers to have unspecifie ...) - cyassl 2.9.4+dfsg-1 CVE-2014-2897 (The SSL 3 HMAC functionality in wolfSSL CyaSSL 2.5.0 before 2.9.4 does ...) - cyassl 2.9.4+dfsg-1 CVE-2014-2896 (The DoAlert function in the (1) TLS and (2) DTLS implementations in wo ...) - cyassl 2.9.4+dfsg-1 CVE-2014-2890 (Cross-site scripting (XSS) vulnerability in the wrap_html function in ...) - phpmyid (bug #492325) CVE-2014-2888 (lib/sfpagent/bsig.rb in the sfpagent gem before 0.4.15 for Ruby allows ...) NOT-FOR-US: Ruby Gem sfpagent CVE-2014-2885 (Multiple integer overflows in TrueCrypt 7.1a allow local users to (1) ...) - truecrypt (bug #364034) CVE-2014-2884 (The ProcessVolumeDeviceControlIrp function in Ntdriver.c in TrueCrypt ...) - truecrypt (bug #364034) CVE-2014-2874 (PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote a ...) NOT-FOR-US: PaperThin CommonSpot CVE-2014-2873 (PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 does not requir ...) NOT-FOR-US: PaperThin CommonSpot CVE-2014-2872 (PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote a ...) NOT-FOR-US: PaperThin CommonSpot CVE-2014-2871 (PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 relies on an HT ...) NOT-FOR-US: PaperThin CommonSpot CVE-2014-2870 (The default configuration of PaperThin CommonSpot before 7.0.2 and 8.x ...) NOT-FOR-US: PaperThin CommonSpot CVE-2014-2869 (PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote a ...) NOT-FOR-US: PaperThin CommonSpot CVE-2014-2868 (PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote a ...) NOT-FOR-US: PaperThin CommonSpot CVE-2014-2867 (Unrestricted file upload vulnerability in PaperThin CommonSpot before ...) NOT-FOR-US: PaperThin CommonSpot CVE-2014-2866 (PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 relies on clien ...) NOT-FOR-US: PaperThin CommonSpot CVE-2014-2865 (PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote a ...) NOT-FOR-US: PaperThin CommonSpot CVE-2014-2864 (Multiple directory traversal vulnerabilities in PaperThin CommonSpot b ...) NOT-FOR-US: PaperThin CommonSpot CVE-2014-2863 (Multiple absolute path traversal vulnerabilities in PaperThin CommonSp ...) NOT-FOR-US: PaperThin CommonSpot CVE-2014-2862 (PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 does not check ...) NOT-FOR-US: PaperThin CommonSpot CVE-2014-2861 (Incomplete blacklist vulnerability in PaperThin CommonSpot before 7.0. ...) NOT-FOR-US: PaperThin CommonSpot CVE-2014-2860 (Multiple cross-site scripting (XSS) vulnerabilities in PaperThin Commo ...) NOT-FOR-US: PaperThin CommonSpot CVE-2014-2859 (PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote a ...) NOT-FOR-US: PaperThin CommonSpot CVE-2014-2858 (Directory traversal vulnerability in the Resources plugin 1.0.0 before ...) - grails (bug #473213) CVE-2014-2857 (The default configuration of the Resources plugin 1.0.0 before 1.2.6 f ...) - grails (bug #473213) CVE-2013-7374 (The Ubuntu Date and Time Indicator (aka indicator-datetime) 13.10.0+13 ...) NOT-FOR-US: indicator-datetime CVE-2013-7371 (node-connects before 2.8.2 has cross site scripting in Sencha Labs Con ...) - node-connect (Only applies when incomplete fix applied) NOTE: CVE for incomplete fix for CVE-2013-7370, fixed in 2.8.2 CVE-2013-7370 (node-connect before 2.8.1 has XSS in the Sencha Labs Connect middlewar ...) - node-connect 3.0.0-1 (bug #744374) CVE-2013-7368 (Multiple cross-site scripting (XSS) vulnerabilities in Gnew 2013.1 all ...) NOT-FOR-US: Gnew CVE-2014-2892 (Heap-based buffer overflow in the get_answer function in mmsh.c in lib ...) {DSA-2916-1} - libmms 0.6.2-4 (bug #745301) - xine-lib (mmsh is libmms-specific) NOTE: http://sourceforge.net/p/libmms/code/ci/03bcfccc22919c72742b7338d02859962861e0e8 CVE-2014-2893 (The GetHTMLRunDir function in the scan-build utility in Clang 3.5 and ...) - llvm-toolchain-snapshot 1:3.5~svn211669-1 (bug #744817) - llvm-toolchain-3.3 - llvm-toolchain-3.4 1:3.4.2-1 CVE-2014-2854 (Cross-site scripting (XSS) vulnerability in the SemanticTitle extensio ...) NOT-FOR-US: MediaWiki extension SemanticTitle CVE-2014-2853 (Cross-site scripting (XSS) vulnerability in includes/actions/InfoActio ...) - mediawiki (Vulnerable code not present) CVE-2014-2852 (OpenAFS before 1.6.7 delays the listen thread when an RXS_CheckRespons ...) {DSA-2899-1} - openafs 1.6.7-1 CVE-2014-2850 (The network interface configuration page (netinterface) in Sophos Web ...) NOT-FOR-US: Sophos Web Appliance CVE-2014-2849 (The Change Password dialog box (change_password) in Sophos Web Applian ...) NOT-FOR-US: Sophos Web Appliance CVE-2014-2848 (A race condition in the wmi_malware_scan.nbin plugin before 2014022622 ...) NOT-FOR-US: Nessus CVE-2014-2847 (SQL injection vulnerability in default.asp in CIS Manager CMS allows r ...) NOT-FOR-US: CIS Manager CMS CVE-2014-2846 (Directory traversal vulnerability in opt/arkeia/wui/htdocs/index.php i ...) NOT-FOR-US: Arkeia Server Backup CVE-2014-2845 (Cyberduck before 4.4.4 on Windows does not properly validate X.509 cer ...) NOT-FOR-US: Cyberduck on Windows CVE-2014-2844 (Cross-site scripting (XSS) vulnerability in F-Secure Messaging Secure ...) NOT-FOR-US: F-Secure Messaging Secure Gateway CVE-2014-2843 (Cross-site scripting (XSS) vulnerability in infoware MapSuite MapAPI 1 ...) NOT-FOR-US: MapSuite MapAPI CVE-2014-2842 (Juniper ScreenOS 6.3 and earlier allows remote attackers to cause a de ...) NOT-FOR-US: Juniper ScreenOS CVE-2014-2841 RESERVED CVE-2014-2840 RESERVED NOT-FOR-US: TR-069 Auto Configuration Servers NOTE: http://mis.fortunecook.ie/misfortune-cookie-tr069-protection-whitepaper.pdf CVE-2014-2839 (SQL injection vulnerability in the GD Star Rating plugin 19.22 for Wor ...) NOT-FOR-US: GD Star Rating plugin for WordPress CVE-2014-2838 (Multiple cross-site request forgery (CSRF) vulnerabilities in the GD S ...) NOT-FOR-US: GD Star Rating plugin for WordPress CVE-2014-2837 RESERVED CVE-2014-2836 RESERVED CVE-2014-2835 RESERVED CVE-2014-2834 RESERVED CVE-2014-2833 RESERVED CVE-2014-2832 RESERVED CVE-2014-2831 RESERVED CVE-2014-2829 (Erlang Solutions MongooseIM through 1.3.1 rev. 2 does not properly res ...) NOT-FOR-US: MongooseIM CVE-2014-2827 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2826 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2825 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2824 (Microsoft Internet Explorer 8 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2823 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2822 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2821 (Microsoft Internet Explorer 8 and 9 allows remote attackers to execute ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2820 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2819 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ga ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2818 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2817 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ga ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2816 (Microsoft SharePoint Server 2013 Gold and SP1 and SharePoint Foundatio ...) NOT-FOR-US: Microsoft CVE-2014-2815 (Microsoft OneNote 2007 SP3 allows remote attackers to execute arbitrar ...) NOT-FOR-US: Microsoft CVE-2014-2814 (Microsoft Service Bus 1.1 on Microsoft Windows Server 2008 R2 SP1 and ...) NOT-FOR-US: Microsoft Server CVE-2014-2813 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2812 REJECTED CVE-2014-2811 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2810 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2809 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2808 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2807 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2806 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2805 REJECTED CVE-2014-2804 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2803 (Microsoft Internet Explorer 8 through 10 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2802 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2801 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2800 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2799 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2798 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2797 (Microsoft Internet Explorer 6 through 8 allows remote attackers to exe ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2796 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2795 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2794 (Microsoft Internet Explorer 6 and 7 allows remote attackers to execute ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2793 REJECTED CVE-2014-2792 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2791 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2790 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2789 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2788 (Microsoft Internet Explorer 6 and 7 allows remote attackers to execute ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2787 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2786 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2785 (Microsoft Internet Explorer 7 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2784 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2783 (Microsoft Internet Explorer 7 through 11 does not prevent use of wildc ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2782 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2781 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft Windows CVE-2014-2780 (DirectShow in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2014-2779 (mpengine.dll in Microsoft Malware Protection Engine before 1.1.10701.0 ...) NOT-FOR-US: Microsoft Malware Protection Engine CVE-2014-2778 (Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2777 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2776 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2775 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2774 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2773 (Microsoft Internet Explorer 6 through 8 allows remote attackers to exe ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2772 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2771 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2770 (Microsoft Internet Explorer 8 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2769 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2768 (Microsoft Internet Explorer 6 through 8 allows remote attackers to exe ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2767 (Microsoft Internet Explorer 6 and 7 allows remote attackers to execute ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2766 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2765 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2764 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2763 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2762 REJECTED CVE-2014-2761 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2760 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2759 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2758 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2757 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2756 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2755 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2754 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2753 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-2752 (SAP Business Object Processing Framework (BOPF) for ABAP has hardcoded ...) NOT-FOR-US: SAP CVE-2014-2751 (SAP Print and Output Management has hardcoded credentials, which makes ...) NOT-FOR-US: SAP CVE-2014-2750 REJECTED CVE-2014-2749 (The HANA ICM process in SAP HANA allows remote attackers to obtain the ...) NOT-FOR-US: SAP CVE-2014-2748 (The Security Audit Log facility in SAP Enhancement Package (EHP) 6 for ...) NOT-FOR-US: SAP CVE-2014-2747 RESERVED CVE-2014-2740 RESERVED CVE-2014-2738 RESERVED CVE-2014-2737 (SQL injection vulnerability in the get_active_session function in the ...) NOT-FOR-US: KnowledgeTree CVE-2014-2736 (Multiple SQL injection vulnerabilities in MODX Revolution before 2.2.1 ...) NOT-FOR-US: MODX Revolution CVE-2014-2735 (WinSCP before 5.5.3, when FTP with TLS is used, does not verify that t ...) NOT-FOR-US: WinSCP CVE-2014-2734 (** DISPUTED ** The openssl extension in Ruby 2.x does not properly mai ...) NOTE: considered invalid and should be rejected, see https://gist.github.com/emboss/91696b56cd227c8a0c13 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1091156#c1 CVE-2014-2733 (Siemens SINEMA Server before 12 SP1 allows remote attackers to cause a ...) NOT-FOR-US: Siemens SINEMA CVE-2014-2732 (Multiple directory traversal vulnerabilities in the integrated web ser ...) NOT-FOR-US: Siemens SINEMA CVE-2014-2731 (Multiple unspecified vulnerabilities in the integrated web server in S ...) NOT-FOR-US: Siemens SINEMA CVE-2013-7367 (SAP Enterprise Portal does not properly restrict access to the Federat ...) NOT-FOR-US: SAP CVE-2013-7366 (The SAP Software Deployment Manager (SDM), in certain unspecified cond ...) NOT-FOR-US: SAP CVE-2013-7365 (Cross-site scripting (XSS) vulnerability in SAP Enterprise Portal allo ...) NOT-FOR-US: SAP CVE-2013-7364 (An unspecified J2EE core service in the J2EE Engine in SAP NetWeaver d ...) NOT-FOR-US: SAP CVE-2013-7363 (Unspecified vulnerability in the Diagnostics (SMD) agent in SAP Soluti ...) NOT-FOR-US: SAP CVE-2013-7362 (An unspecified RFC function in SAP CCMS Agent allows remote attackers ...) NOT-FOR-US: SAP CVE-2013-7361 (Directory traversal vulnerability in SAP CMS and CM Services allows at ...) NOT-FOR-US: SAP CVE-2013-7360 (Unspecified vulnerability in SAP adminadapter allows remote attackers ...) NOT-FOR-US: SAP CVE-2013-7359 (Unspecified vulnerability in SAP Mobile Infrastructure allows remote a ...) NOT-FOR-US: SAP CVE-2013-7358 (Unspecified vulnerability in SAP Guided Procedures Archive Monitor all ...) NOT-FOR-US: SAP CVE-2013-7357 (Unspecified vulnerability in the configuration service in SAP J2EE Eng ...) NOT-FOR-US: SAP CVE-2013-7356 (Unspecified vulnerability in the SAP CCMS / Database Monitors for Orac ...) NOT-FOR-US: SAP CVE-2013-7355 (SQL injection vulnerability in SAP BI Universal Data Integration allow ...) NOT-FOR-US: SAP CVE-2012-6645 (Cross-site scripting (XSS) vulnerability in the autocomplete functiona ...) NOT-FOR-US: Drupal module Finder CVE-2012-6644 (Multiple cross-site scripting (XSS) vulnerabilities in ClipBucket 2.6 ...) NOT-FOR-US: Drupal module ClipBucket CVE-2012-6643 (Multiple SQL injection vulnerabilities in the update_counter function ...) NOT-FOR-US: Drupal module ClipBucket CVE-2012-6642 (Cross-site scripting (XSS) vulnerability in ClipBucket 2.6 allows remo ...) NOT-FOR-US: Drupal module ClipBucket CVE-2011-5278 (SQL injection vulnerability in signature.php in Advanced Forum Signatu ...) NOT-FOR-US: MyBB plugin Advanced Forum Signatures CVE-2011-5277 (Multiple SQL injection vulnerabilities in signature.php in the Advance ...) NOT-FOR-US: MyBB plugin Advanced Forum Signatures CVE-2014-2889 (Off-by-one error in the bpf_jit_compile function in arch/x86/net/bpf_j ...) - linux 3.2.1-1 - linux-2.6 3.2.1-1 [squeeze] - linux-2.6 (Introduced in 3.0) NOTE: introduced by https://git.kernel.org/linus/0a14842f5a3c0e88a1e59fac5c3025db39721f74 NOTE: Upstrem fix in https://git.kernel.org/linus/a03ffcf873fe0f2565386ca8ef832144c42e67fa CVE-2014-2894 (Off-by-one error in the cmd_smart function in the smart self test in h ...) {DSA-2933-1 DSA-2932-1} - qemu 2.0.0+dfsg-1 (bug #745157) [squeeze] - qemu (Vulnerable code not present) - qemu-kvm [squeeze] - qemu-kvm (Vulnerable code not present) NOTE: Upstream fix https://lists.nongnu.org/archive/html/qemu-devel/2014-04/msg02016.html NOTE: Vulnerable code introduced in 0.11.50: http://git.qemu.org/?p=qemu.git;a=commit;h=e8b54394950f975c1b31d2359cf58ca4d9f51b00 CVE-2014-2855 (The check_secret function in authenticate.c in rsync 3.1.0 and earlier ...) - rsync 3.1.0-3 (bug #744791) [wheezy] - rsync (Introduced in 3.1.0) [squeeze] - rsync (Introduced in 3.1.0) NOTE: Introduced with https://git.samba.org/?p=rsync.git;a=commitdiff;h=5ebe9a46d7f3c846a6d665cb8c6ab8b79508a6df NOTE: Fix: https://git.samba.org/?p=rsync.git;a=commitdiff;h=0dedfbce2c1b851684ba658861fe9d620636c56a CVE-2014-2856 (Cross-site scripting (XSS) vulnerability in scheduler/client.c in Comm ...) - cups 1.7.2-1 [squeeze] - cups 1.4.4-7+squeeze5 [wheezy] - cups 1.5.3-5+deb7u2 NOTE: http://www.cups.org/str.php?L4356 CVE-2014-XXXX [node-marked: multiple content injection vulnerabilities] - node-marked 0.3.1+dfsg-1 NOTE: https://nodesecurity.io/advisories/marked_multiple_content_injection_vulnerabilities CVE-2014-2851 (Integer overflow in the ping_init_sock function in net/ipv4/ping.c in ...) {DSA-2926-1} - linux 3.14.4-1 (low) - linux-2.6 (Introduced in 3.0) NOTE: https://lkml.org/lkml/2014/4/10/736 NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=b04c46190219a4f845e46a459e3102137b7f6cac CVE-2014-2830 (Stack-based buffer overflow in cifskey.c or cifscreds.c in cifs-utils ...) - cifs-utils (unimportant) [squeeze] - cifs-utils (Vulnerable code not present) [wheezy] - cifs-utils (pam_cifscreds introduced in 6.3) NOTE: cifscreds PAM not built in unstable CVE-2014-2828 (The V3 API in OpenStack Identity (Keystone) 2013.1 before 2013.2.4 and ...) - keystone 2014.1-1 [wheezy] - keystone (Only affects 2013.1 to 2013.2.3) NOTE: https://launchpad.net/bugs/1300274 CVE-2014-2746 (net/IOService.java in Tigase before 5.2.1 does not properly restrict t ...) NOT-FOR-US: Tigase XMPP Server CVE-2014-2745 (Prosody before 0.9.4 does not properly restrict the processing of comp ...) {DSA-2895-1} - prosody 0.9.4-1 [squeeze] - prosody (Minor issue) NOTE: http://hg.prosody.im/0.9/rev/a97591d2e1ad NOTE: http://hg.prosody.im/0.9/rev/1107d66d2ab2 CVE-2014-2744 (plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightw ...) {DSA-2895-1} - prosody 0.9.4-1 - lua-expat 1.3.0-1 [wheezy] - lua-expat 1.2.0-5+deb7u1 [squeeze] - lua-expat (Minor issue) [squeeze] - prosody (Minor issue) NOTE: http://hg.prosody.im/0.9/rev/b3b1c9da38fb CVE-2014-2743 (plugins/mod_compression.lua in Lightwitch Metronome through 3.4 does n ...) NOT-FOR-US: Openfire CVE-2014-2742 (Isode M-Link before 16.0v7 does not properly restrict the processing o ...) NOT-FOR-US: Openfire CVE-2014-2741 (nio/XMLLightweightParser.java in Ignite Realtime Openfire before 3.9.2 ...) NOT-FOR-US: Openfire CVE-2014-2730 (The XML parser in Microsoft Office 2007 SP3, 2010 SP1 and SP2, and 201 ...) NOT-FOR-US: Microsoft Office CVE-2014-2739 (The cma_req_handler function in drivers/infiniband/core/cma.c in the L ...) - linux (Introduced and fixed in 3.14) - linux-2.6 ((Introduced and fixed in 3.14) CVE-2014-2729 (Cross-site scripting (XSS) vulnerability in content.aspx in Ektron CMS ...) NOT-FOR-US: Ektron Web Content Management System CVE-2014-2728 RESERVED CVE-2014-2727 (The STARTTLS implementation in MailMarshal before 7.2 allows plaintext ...) NOT-FOR-US: MailMarshal CVE-2012-6641 (Cross-site scripting (XSS) vulnerability in redirect.php in the Socoli ...) NOT-FOR-US: PrestaShop CVE-2012-6640 (Cross-site scripting (XSS) vulnerability in Horde Internet Mail Progra ...) - php-horde-imp 5.0.22 - horde3 (low) [squeeze] - horde3 (Minor issue) CVE-2014-1985 (Open redirect vulnerability in the redirect_back_or_default function i ...) - redmine 2.5.1-1 (bug #743828) [squeeze] - redmine (Redmine not supported because of rails) [wheezy] - redmine (Redmine not supported because of rails) NOTE: https://github.com/redmine/redmine/commit/7567c3d8b21fe67e5f04e6839c1fce061600f2f3 NOTE: https://jvn.jp/en/jp/JVN93004610/ CVE-2014-2726 RESERVED CVE-2014-2725 RESERVED CVE-2014-2724 RESERVED CVE-2014-2723 (In FortiBalancer 400, 1000, 2000 and 3000, a platform-specific remote ...) NOT-FOR-US: Fortinet CVE-2014-2722 (In FortiBalancer 400, 1000, 2000 and 3000, a platform-specific remote ...) NOT-FOR-US: Fortinet CVE-2014-2721 (In FortiBalancer 400, 1000, 2000 and 3000, a platform-specific remote ...) NOT-FOR-US: Fortinet CVE-2014-2720 (IZArc 4.1.8 displays a file's name on the basis of a ZIP archive's Cen ...) NOT-FOR-US: IZArc Archiver CVE-2014-2719 (Advanced_System_Content.asp in the ASUS RT series routers with firmwar ...) NOT-FOR-US: ASUS RT series routers CVE-2014-2718 (ASUS RT-AC68U, RT-AC66R, RT-AC66U, RT-AC56R, RT-AC56U, RT-N66R, RT-N66 ...) NOT-FOR-US: ASUS routers CVE-2014-2717 (Honeywell FALCON XLWeb Linux controller devices 2.04.01 and earlier an ...) NOT-FOR-US: Honeywell FALCON XLWeb controller CVE-2014-2716 (Ekahau B4 staff badge tag 5.7 with firmware 1.4.52, Real-Time Location ...) NOT-FOR-US: Ekahau Real-Time Location Tracking System CVE-2014-2715 (Multiple cross-site scripting (XSS) vulnerabilities in vwrooms\templat ...) NOT-FOR-US: Drupal plugin CVE-2014-2714 (The Enhanced Web Filtering (EWF) in Juniper Junos before 10.4R15, 11.4 ...) NOT-FOR-US: Juniper Junos CVE-2014-2713 (Juniper Junos before 11.4R11, 12.1 before 12.1R9, 12.2 before 12.2R7, ...) NOT-FOR-US: Juniper Junos CVE-2014-2712 (Cross-site scripting (XSS) vulnerability in J-Web in Juniper Junos bef ...) NOT-FOR-US: Juniper Junos CVE-2014-2711 (Cross-site scripting (XSS) vulnerability in J-Web in Juniper Junos bef ...) NOT-FOR-US: Juniper Junos CVE-2014-2710 (Multiple cross-site scripting (XSS) vulnerabilities in Oliver (formerl ...) NOT-FOR-US: Oliver (formerly Webshar) CVE-2014-2705 RESERVED CVE-2014-2704 RESERVED CVE-2014-2703 RESERVED CVE-2014-2702 RESERVED CVE-2014-2701 RESERVED CVE-2014-2700 RESERVED CVE-2014-2699 RESERVED CVE-2014-2698 RESERVED CVE-2014-2697 RESERVED CVE-2014-2696 RESERVED CVE-2014-2695 RESERVED CVE-2014-2694 RESERVED CVE-2014-2693 RESERVED CVE-2014-2692 RESERVED CVE-2014-2691 RESERVED CVE-2014-2690 (Citrix VDI-in-a-Box 5.3.x before 5.3.6 and 5.4.x before 5.4.3 allows l ...) NOT-FOR-US: Citrix VDI-in-a-Box CVE-2014-2689 (Cross-site scripting (XSS) vulnerability in Offiria 2.1.0 and earlier ...) NOT-FOR-US: Offiria CVE-2014-2688 RESERVED CVE-2014-2687 RESERVED CVE-2013-7354 (Multiple integer overflows in libpng before 1.5.14rc03 allow remote at ...) - libpng (Only affects 1.5 and later) NOTE: http://sourceforge.net/p/png-mng/mailman/message/32215052/ NOTE: http://sourceforge.net/p/libpng/bugs/199/ - libpng1.6 1.6.10-1 CVE-2013-7353 (Integer overflow in the png_set_unknown_chunks function in libpng/pngs ...) - libpng (Only affects 1.5 and later) NOTE: http://sourceforge.net/p/png-mng/mailman/message/32215052/ NOTE: http://sourceforge.net/p/libpng/bugs/199/ - libpng1.6 1.6.10-1 CVE-2013-7352 (Cross-site request forgery (CSRF) vulnerability in blogs/admin.php in ...) NOT-FOR-US: b2evolution CVE-2013-7350 (Multiple unspecified vulnerabilities in Check Point Security Gateway 8 ...) NOT-FOR-US: Check Point Security Gateway CVE-2013-7349 (Multiple SQL injection vulnerabilities in Gnew 2013.1 allow remote att ...) NOT-FOR-US: Gnew CVE-2009-5141 (Format string vulnerability in War FTP Daemon (warftpd) 1.82 RC 12 all ...) NOT-FOR-US: War FTP Daemon CVE-2014-5880 REJECTED CVE-2014-2709 (lib/rrd.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attacke ...) {DSA-2970-1} - cacti 0.8.8b+dfsg-4 (bug #743565) [squeeze] - cacti 0.8.7g-1+squeeze4 (bug #743565) NOTE: http://bugs.cacti.net/view.php?id=2405 (not yet public) NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7439 NOTE: CVE for all changes to lib/rrd.php to add cacti_escapeshellarg calls CVE-2014-2708 (Multiple SQL injection vulnerabilities in graph_xport.php in Cacti 0.8 ...) {DSA-2970-1} - cacti 0.8.8b+dfsg-4 (bug #743565) [squeeze] - cacti 0.8.7g-1+squeeze4 (bug #743565) NOTE: http://bugs.cacti.net/view.php?id=2405 (not yet public) NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7439 NOTE: CVE for all changes to graph_xport.php to ensure that data is numeric CVE-2014-2707 (cups-browsed in cups-filters 1.0.41 before 1.0.51 allows remote IPP pr ...) - cups-filters 1.0.51-1 (bug #743470) [wheezy] - cups-filters (vulnerable code not present) NOTE: Introduced in at least 1.0.41 CVE-2014-2706 (Race condition in the mac80211 subsystem in the Linux kernel before 3. ...) - linux 3.13.7-1 (low) [wheezy] - linux 3.2.57-1 - linux-2.6 (low) [squeeze] - linux-2.6 (Introduced in 2.6.33) NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1d147bfa64293b2723c4fec50922168658e613ba CVE-2014-2686 (Ansible prior to 1.5.4 mishandles the evaluation of some strings. ...) - ansible 1.5.4+dfsg-1 CVE-2014-2680 (The update process in Xmind 3.4.1 and earlier allow remote attackers t ...) - xmind (bug #520954; bug #641605) CVE-2014-2679 RESERVED CVE-2014-2677 RESERVED CVE-2014-2676 RESERVED CVE-2014-2675 (Cross-site request forgery (CSRF) vulnerability in inc/AdminPage.php i ...) NOT-FOR-US: WP HTML Sitemap plugin for WordPress CVE-2014-2674 (Directory traversal vulnerability in the Ajax Pagination (twitter Styl ...) NOT-FOR-US: Ajax Pagination (twitter Style) plugin for WordPress CVE-2014-2671 (Microsoft Windows Media Player (WMP) 11.0.5721.5230 allows remote atta ...) NOT-FOR-US: Microsoft Windows Media Player CVE-2014-2670 (Cross-site scripting (XSS) vulnerability in Properties.do in ZOHO Mana ...) NOT-FOR-US: ZOHO ManageEngine OpStor CVE-2014-2666 RESERVED CVE-2014-2664 (Unrestricted file upload vulnerability in the ProfileController::actio ...) NOT-FOR-US: X2Engine X2CR CVE-2014-2663 RESERVED CVE-2014-2662 RESERVED CVE-2014-2661 RESERVED CVE-2014-2660 RESERVED CVE-2014-2659 (Cross-site request forgery (CSRF) vulnerability in the admin UI in Pap ...) NOT-FOR-US: Papercut MF/NG NOTE: This is not the papercut NNTP server. CVE-2014-2658 (Unspecified vulnerability in Papercut MF and NG before 14.1 (Build 269 ...) NOT-FOR-US: PaperCut MF CVE-2014-2657 (Unspecified vulnerability in the print release functionality in PaperC ...) NOT-FOR-US: PaperCut MF CVE-2014-2654 (Multiple SQL injection vulnerabilities in MobFox mAdserve 2.0 and earl ...) NOT-FOR-US: MobFox mAdserve CVE-2013-7346 (Cross-site request forgery (CSRF) vulnerability in Symphony CMS before ...) NOT-FOR-US: Symphony CMS CVE-2013-7351 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Sh ...) - shaarli 0.0.41~beta~dfsg2-4 (bug #743252) NOTE: https://github.com/sebsauvage/Shaarli/commit/53da201749f8f362323ef278bf338f1d9f7a925a CVE-2014-2685 (The GenericConsumer class in the Consumer component in ZendOpenId befo ...) {DSA-3265-1 DLA-251-1} - zendframework 1.12.5-0.1 (bug #743175) NOTE: http://framework.zend.com/security/advisory/ZF2014-02 CVE-2014-2684 (The GenericConsumer class in the Consumer component in ZendOpenId befo ...) {DSA-3265-1 DLA-251-1} - zendframework 1.12.5-0.1 (bug #743175) NOTE: http://framework.zend.com/security/advisory/ZF2014-02 CVE-2014-2683 (Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 an ...) {DSA-3265-1 DLA-251-1} - zendframework 1.12.5-0.1 (bug #743175) NOTE: http://framework.zend.com/security/advisory/ZF2014-01 CVE-2014-2682 (Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 an ...) {DSA-3265-1 DLA-251-1} - zendframework 1.12.5-0.1 (bug #743175) NOTE: http://framework.zend.com/security/advisory/ZF2014-01 CVE-2014-2681 (Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 an ...) {DSA-3265-1 DLA-251-1} - zendframework 1.12.5-0.1 (bug #743175) NOTE: http://framework.zend.com/security/advisory/ZF2014-01 CVE-2014-2678 (The rds_iw_laddr_check function in net/rds/iw.c in the Linux kernel th ...) {DLA-0015-1} - linux 3.13.10-1 [wheezy] - linux 3.2.57-1 - linux-2.6 [squeeze] - linux-2.6 2.6.32-48squeeze8 NOTE: https://lkml.org/lkml/2014/3/29/188 CVE-2014-2673 (The arch_dup_task_struct function in the Transactional Memory (TM) imp ...) - linux 3.13.7-1 [wheezy] - linux (Introduced in 3.4) - linux-2.6 (Introduced in 3.4) NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=621b5060e823301d0cba4cb52a7ee3491922d291 NOTE: only affects powerpc architecture CVE-2014-2672 (Race condition in the ath_tx_aggr_sleep function in drivers/net/wirele ...) - linux 3.13.7-1 [wheezy] - linux 3.2.57-1 - linux-2.6 (Introduced in 3.0) NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=21f8aaee0c62708654988ce092838aa7df4d25d8 CVE-2014-2669 (Multiple integer overflows in contrib/hstore/hstore_io.c in PostgreSQL ...) {DSA-2865-1} - postgresql-9.1 9.1.12-1 - postgresql-8.4 [wheezy] - postgresql-8.4 (9.x branch only) [squeeze] - postgresql-8.4 (9.x branch only) - postgresql-9.3 9.3.3-1 CVE-2014-2668 (Apache CouchDB 1.5.0 and earlier allows remote attackers to cause a de ...) - couchdb (low; bug #788962) [wheezy] - couchdb (Minor issue) [squeeze] - couchdb (Minor issue) NOTE: High resource usage in CPU and memory while query is active. No crash for deamon in 1.4.0-3+b1 and 1.2.0-5 versions. NOTE: http://git-wip-us.apache.org/repos/asf?p=couchdb.git;a=commitdiff_plain;h=0fb5aa9e67bd291ca2638dba961f4ddd3f6ccb3e;hp=198bea3479dfecac13ab1a3e95f902b8eba02f7d CVE-2014-2667 (Race condition in the _get_masked_mode function in Lib/os.py in Python ...) - python3.1 [squeeze] - python3.1 (Minor issue) - python3.2 (low) [wheezy] - python3.2 (Minor issue) - python3.3 - python3.4 3.4.1-1 - python2.5 (Only affects Python 3.x) - python2.6 (Only affects Python 3.x) - python2.7 (Only affects Python 3.x) CVE-2014-2665 (includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.1 ...) {DSA-2891-1} - mediawiki 1:1.19.14+dfsg-1 (bug #742857) [squeeze] - mediawiki NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=62497 NOTE: http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-March/000145.html CVE-2014-2656 REJECTED CVE-2014-2655 (SQL injection vulnerability in the gen_show_status function in functio ...) {DSA-2889-1} - postfixadmin 2.3.5-3 NOTE: http://sourceforge.net/p/postfixadmin/code/1650 CVE-2014-2653 (The verify_host_key function in sshconnect.c in the client in OpenSSH ...) {DSA-2894-1} - openssh 1:6.6p1-1 (low; bug #742513) CVE-2014-2652 (SQL injection vulnerability in OpenScape Deployment Service (DLS) befo ...) NOT-FOR-US: OpenScape Deployment Service CVE-2014-2651 (Unify OpenStage/OpenScape Desk Phone IP SIP before V3 R3.11.0 has an a ...) NOT-FOR-US: Unify OpenStage/OpenScape Desk Phone IP SIP CVE-2014-2650 (Unify OpenStage / OpenScape Desk Phone IP before V3 R3.11.0 SIP has an ...) NOT-FOR-US: Unify OpenStage / OpenScape Desk Phone IP CVE-2014-2649 (Unspecified vulnerability in HP Operations Manager 9.20 on UNIX allows ...) NOT-FOR-US: HP Operations Manager CVE-2014-2648 (Unspecified vulnerability in HP Operations Manager 9.10 and 9.11 on UN ...) NOT-FOR-US: HP Operations Manager CVE-2014-2647 (Cross-site scripting (XSS) vulnerability in HP Operations Agent in HP ...) NOT-FOR-US: HP Operations Manager CVE-2014-2646 (Unspecified vulnerability in HP Network Automation 9.10 and 9.20 allow ...) NOT-FOR-US: HP Network Automation CVE-2014-2645 (HP Systems Insight Manager (SIM) before 7.4 allows remote attackers to ...) NOT-FOR-US: HP Systems Insight Manager CVE-2014-2644 (Cross-site scripting (XSS) vulnerability in HP Systems Insight Manager ...) NOT-FOR-US: HP Systems Insight Manager CVE-2014-2643 (Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7 ...) NOT-FOR-US: HP Systems Insight Manager CVE-2014-2642 (HP System Management Homepage (SMH) before 7.4 allows remote attackers ...) NOT-FOR-US: HP System Management Homepage CVE-2014-2641 (Cross-site request forgery (CSRF) vulnerability in HP System Managemen ...) NOT-FOR-US: HP System Management Homepage CVE-2014-2640 (Cross-site scripting (XSS) vulnerability in HP System Management Homep ...) NOT-FOR-US: HP System Management Homepage CVE-2014-2639 (Unspecified vulnerability in HP MPIO Device Specific Module Manager be ...) NOT-FOR-US: HP MPIO Device CVE-2014-2638 (Unspecified vulnerability in HP Sprinter 12.01 allows remote attackers ...) NOT-FOR-US: HP Sprinter CVE-2014-2637 (Unspecified vulnerability in HP Sprinter 12.01 allows remote attackers ...) NOT-FOR-US: HP Sprinter CVE-2014-2636 (Unspecified vulnerability in HP Sprinter 12.01 allows remote attackers ...) NOT-FOR-US: HP Sprinter CVE-2014-2635 (Unspecified vulnerability in HP Sprinter 12.01 allows remote attackers ...) NOT-FOR-US: HP Sprinter CVE-2014-2634 (Unspecified vulnerability in the server in HP Service Manager (SM) 7.2 ...) NOT-FOR-US: HP Service Manager CVE-2014-2633 (Cross-site request forgery (CSRF) vulnerability in the server in HP Se ...) NOT-FOR-US: HP Service Manager CVE-2014-2632 (Unspecified vulnerability in the WebTier component in HP Service Manag ...) NOT-FOR-US: HP Service Manager CVE-2014-2631 (Unspecified vulnerability in HP Application Lifecycle Management (aka ...) NOT-FOR-US: HP Application Lifecycle Management / Quality Center CVE-2014-2630 (Unspecified vulnerability in HP Operations Agent 11.00, when Glance is ...) NOT-FOR-US: HP Operations Agent CVE-2014-2629 (HP NonStop Safeguard Security Software G, H06.03 through H06.28.01, an ...) NOT-FOR-US: HP NonStop Safeguard Security Software CVE-2014-2628 (Unspecified vulnerability in HP Enterprise Maps 1 allows remote authen ...) NOT-FOR-US: HP Enterprise Maps CVE-2014-2627 (Unspecified vulnerability in HP NonStop NetBatch G06.14 through G06.32 ...) NOT-FOR-US: HP NonStop NetBatch CVE-2014-2626 (Directory traversal vulnerability in the toServerObject function in HP ...) NOT-FOR-US: HP Network Virtualization CVE-2014-2625 (Directory traversal vulnerability in the storedNtxFile function in HP ...) NOT-FOR-US: HP Network Virtualization CVE-2014-2624 (Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.0x, 9. ...) NOT-FOR-US: HP Network Node Manager CVE-2014-2623 (Unspecified vulnerability in HP Storage Data Protector 8.x allows remo ...) NOT-FOR-US: HP Data Protector CVE-2014-2622 (Unspecified vulnerability in HP Intelligent Management Center (iMC) be ...) NOT-FOR-US: HP Intelligent Management Center CVE-2014-2621 (Unspecified vulnerability in HP Intelligent Management Center (iMC) be ...) NOT-FOR-US: HP Intelligent Management Center CVE-2014-2620 (Unspecified vulnerability in HP Intelligent Management Center (iMC) be ...) NOT-FOR-US: HP Intelligent Management Center CVE-2014-2619 (Unspecified vulnerability in HP Intelligent Management Center (iMC) be ...) NOT-FOR-US: HP Intelligent Management Center CVE-2014-2618 (Unspecified vulnerability in HP Intelligent Management Center (iMC) be ...) NOT-FOR-US: HP Intelligent Management Center CVE-2014-2617 (Unspecified vulnerability in HP Universal CMDB 10.01 and 10.10 allows ...) NOT-FOR-US: HP Universal CMDB CVE-2014-2616 (Unspecified vulnerability in HP Universal CMDB 10.01 and 10.10 allows ...) NOT-FOR-US: HP Universal CMDB CVE-2014-2615 (Unspecified vulnerability in HP Universal CMDB 10.01 and 10.10 allows ...) NOT-FOR-US: HP Universal CMDB CVE-2014-2614 (Unspecified vulnerability in HP SiteScope 11.1x through 11.13 and 11.2 ...) NOT-FOR-US: HP SiteScope CVE-2014-2613 (Unspecified vulnerability in HP Release Control 9.x before 9.13 p3 and ...) NOT-FOR-US: HP Release Control CVE-2014-2612 (Unspecified vulnerability in HP Release Control 9.x before 9.13 p3 and ...) NOT-FOR-US: HP Release Control CVE-2014-2611 (Directory traversal vulnerability in the fndwar web application in HP ...) NOT-FOR-US: HP Software Executive Scorecard CVE-2014-2610 (Directory traversal vulnerability in the Content Acceleration Pack (CA ...) NOT-FOR-US: HP Software Executive Scorecard CVE-2014-2609 (The Java Glassfish Admin Console in HP Executive Scorecard 9.40 and 9. ...) NOT-FOR-US: HP Software Executive Scorecard CVE-2014-2608 (Unspecified vulnerability in HP Smart Update Manager 6.x before 6.4.1 ...) NOT-FOR-US: HP Smart Update Manager CVE-2014-2607 (Unspecified vulnerability in HP Operations Manager i 9.1 through 9.13 ...) NOT-FOR-US: HP Operations Manager CVE-2014-2606 (Unspecified vulnerability in HP StoreVirtual 4000 Storage and StoreVir ...) NOT-FOR-US: HP StoreVirtual CVE-2014-2605 (Unspecified vulnerability in HP StoreVirtual 4000 Storage and StoreVir ...) NOT-FOR-US: HP StoreVirtual CVE-2014-2604 (Unspecified vulnerability in HP IceWall SSO 10.0 Dfw and IceWall MCRP ...) NOT-FOR-US: HP IceWall CVE-2014-2603 (Unspecified vulnerability on HP 8/20q switches, SN6000 switches, and 8 ...) NOT-FOR-US: HP CVE-2014-2602 (Unspecified vulnerability in HP OneView 1.0 and 1.01 allows remote aut ...) NOT-FOR-US: HP OneView CVE-2014-2601 (The server in HP Integrated Lights-Out 2 (aka iLO 2) 2.23 and earlier ...) NOT-FOR-US: HP CVE-2014-2600 (Unspecified vulnerability in HP IceWall Identity Manager 4.0 through S ...) NOT-FOR-US: HP CVE-2014-2598 (Cross-site request forgery (CSRF) vulnerability in the Quick Page/Post ...) NOT-FOR-US: Quick Page/Post Redirect plugin for WordPress CVE-2014-2597 (PCNetSoftware RAC Server 4.0.4 and 4.0.5 allows local users to cause a ...) NOT-FOR-US: PCNetSoftware RAC Server CVE-2014-2596 RESERVED CVE-2014-2595 (Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attac ...) NOT-FOR-US: Barracuda Web Application Firewall (WAF) CVE-2014-2594 RESERVED CVE-2014-2593 (The management console in Aruba Networks ClearPass Policy Manager 6.3. ...) NOT-FOR-US: Aruba Networks ClearPass Policy Manager CVE-2014-2592 (Unrestricted file upload vulnerability in Aruba Web Management portal ...) NOT-FOR-US: Aruba Web Management portal CVE-2014-2591 (Untrusted search path vulnerability in BMC Patrol for AIX 3.9.00 allow ...) NOT-FOR-US: AIX CVE-2014-2590 (The web management interface in Siemens RuggedCom ROS before 3.11, ROS ...) NOT-FOR-US: Siemens RuggedCom ROS CVE-2014-2589 (Cross-site scripting (XSS) vulnerability in the Dashboard Backend serv ...) NOT-FOR-US: SonicWall CVE-2014-2588 (Directory traversal vulnerability in servlet/downloadReport in McAfee ...) NOT-FOR-US: McAfee CVE-2014-2587 (SQL injection vulnerability in jsp/reports/ReportsAudit.jsp in McAfee ...) NOT-FOR-US: McAfee CVE-2014-2586 (Cross-site scripting (XSS) vulnerability in the login audit form in Mc ...) NOT-FOR-US: McAfee CVE-2014-2584 RESERVED CVE-2014-2583 (Multiple directory traversal vulnerabilities in pam_timestamp.c in the ...) - pam 1.1.8-3.1 (low; bug #757555) [wheezy] - pam (Minor issue) [squeeze] - pam (Minor issue) NOTE: Fix: https://git.fedorahosted.org/cgit/linux-pam.git/commit/?id=Linux-PAM-1_1_8-32-g9dcead8 CVE-2014-2582 RESERVED CVE-2014-2579 (Multiple cross-site request forgery (CSRF) vulnerabilities in XCloner ...) NOT-FOR-US: WordPress plugin xcloner CVE-2014-2578 (Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk befor ...) NOT-FOR-US: Splunk Web CVE-2014-2577 (Multiple cross-site scripting (XSS) vulnerabilities in the Transform C ...) NOT-FOR-US: Transform Foundation server CVE-2014-2575 (Directory traversal vulnerability in the File Manager component in Dev ...) NOT-FOR-US: ASP.NET WebForms and MVC CVE-2014-2574 RESERVED CVE-2014-2570 (Cross-site scripting (XSS) vulnerability in www/make_subset.php in PHP ...) - php-font-lib (unimportant) NOTE: make_subset.php installed to examples NOTE: http://seclists.org/bugtraq/2014/Mar/128 CVE-2014-2569 RESERVED CVE-2014-2566 RESERVED CVE-2014-2565 (The commandline interface in Blue Coat Content Analysis System (CAS) 1 ...) NOT-FOR-US: Blue Coat Content Analysis System CVE-2014-2564 RESERVED CVE-2014-2563 RESERVED CVE-2014-2562 RESERVED CVE-2014-2561 RESERVED CVE-2014-2560 (The PhonerLite phone before 2.15 provides hashed credentials in a resp ...) NOT-FOR-US: PhonerLite phone CVE-2014-2559 (Multiple cross-site request forgery (CSRF) vulnerabilities in twitget. ...) NOT-FOR-US: WordPress plugin Twitget CVE-2014-2558 (The File Gallery plugin before 1.7.9.2 for WordPress does not properly ...) NOT-FOR-US: WordPress plugin file-gallery CVE-2014-2557 RESERVED CVE-2014-2556 RESERVED CVE-2014-2555 RESERVED CVE-2014-2554 (OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 ...) {DLA-1119-1} - otrs2 3.3.6-1 [squeeze] - otrs2 (Minor issue) NOTE: https://www.otrs.com/security-advisory-2014-05-clickjacking-issue/ CVE-2014-2553 (Cross-site scripting (XSS) vulnerability in Open Ticket Request System ...) {DLA-1119-1} - otrs2 3.3.6-1 [squeeze] - otrs2 (Minor issue) CVE-2014-2552 (Brookins Consulting (BC) Collected Information Export extension for eZ ...) NOT-FOR-US: Brookins Consulting (BC) Collected Information Export extension CVE-2014-2551 RESERVED CVE-2014-2550 (Cross-site request forgery (CSRF) vulnerability in the Disable Comment ...) NOT-FOR-US: Disable Comments plugin for WordPress CVE-2014-2549 RESERVED CVE-2014-2548 RESERVED CVE-2014-2547 RESERVED CVE-2014-2546 RESERVED CVE-2014-2545 (TIBCO Managed File Transfer Internet Server before 7.2.2, Managed File ...) NOT-FOR-US: TIBCO CVE-2014-2544 (Unspecified vulnerability in Spotfire Web Player Engine, Spotfire Desk ...) NOT-FOR-US: Spotfire CVE-2014-2543 (Buffer overflow in the Rendezvous Daemon (rvd), Rendezvous Routing Dae ...) NOT-FOR-US: TIBCO CVE-2014-2542 (Cross-site scripting (XSS) vulnerability in the Rendezvous Daemon (rvd ...) NOT-FOR-US: TIBCO CVE-2014-2541 (The Rendezvous Daemon (rvd), Rendezvous Routing Daemon (rvrd), Rendezv ...) NOT-FOR-US: TIBCO CVE-2014-2540 (SQL injection vulnerability in OrbitScripts Orbit Open Ad Server befor ...) NOT-FOR-US: Orbit Open Ad Server CVE-2014-2539 RESERVED CVE-2014-2537 (Memory leak in the TCP stack in the kernel in Sophos UTM before 9.109 ...) NOT-FOR-US: Sophos UTM CVE-2014-2536 (Directory traversal vulnerability in McAfee Cloud Identity Manager 3.0 ...) NOT-FOR-US: McAfee Cloud Identity Manager CVE-2014-2535 (Directory traversal vulnerability in McAfee Web Gateway (MWG) 7.4.x be ...) NOT-FOR-US: McAfee Web Gateway CVE-2014-2534 (/sbin/pppoectl in BlackBerry QNX Neutrino RTOS 6.4.x and 6.5.x allows ...) NOT-FOR-US: BlackBerry CVE-2014-2533 (/sbin/ifwatchd in BlackBerry QNX Neutrino RTOS 6.4.x and 6.5.x allows ...) NOT-FOR-US: BlackBerry CVE-2014-2531 (SQL injection vulnerability in xhr.php in InterWorx Web Control Panel ...) NOT-FOR-US: InterWorx Control Panel CVE-2014-2530 RESERVED CVE-2014-2529 RESERVED CVE-2014-2526 (Multiple cross-site scripting (XSS) vulnerabilities in BarracudaDrive ...) NOT-FOR-US: BarracudaDrive CVE-2014-2525 (Heap-based buffer overflow in the yaml_parser_scan_uri_escapes functio ...) {DSA-2885-1 DSA-2884-1} - libyaml 0.1.4-3.2 (bug #742732) - libyaml-libyaml-perl 0.41-5 NOTE: http://www.ocert.org/advisories/ocert-2014-003.html CVE-2014-2521 (EMC Documentum Content Server before 6.7 SP2 P16 and 7.x before 7.1 P0 ...) NOT-FOR-US: EMC Documentum Content Server CVE-2014-2520 (EMC Documentum Content Server before 6.7 SP2 P16 and 7.x before 7.1 P0 ...) NOT-FOR-US: EMC Documentum Content Server CVE-2014-2519 (The default configuration of EMC RecoverPoint Appliance (RPA) 4.1 befo ...) NOT-FOR-US: EMC RecoverPoint Appliance CVE-2014-2518 (Multiple cross-site request forgery (CSRF) vulnerabilities in EMC Docu ...) NOT-FOR-US: EMC Documentum CVE-2014-2517 (Unspecified vulnerability in EMC RSA Archer GRC Platform 5.x before 5. ...) NOT-FOR-US: EMC RSA Archer GRC Platform CVE-2014-2516 (Open redirect vulnerability in EMC RSA Authentication Manager 8.x befo ...) NOT-FOR-US: EMC RSA Authentication Manager CVE-2014-2515 (EMC Documentum D2 3.1 before P24, 3.1SP1 before P02, 4.0 before P11, 4 ...) NOT-FOR-US: EMC Documentum CVE-2014-2514 (EMC Documentum Content Server before 6.7 SP1 P28, 6.7 SP2 before P15, ...) NOT-FOR-US: EMC Documentum Content Server CVE-2014-2513 (EMC Documentum Content Server before 6.7 SP1 P28, 6.7 SP2 before P15, ...) NOT-FOR-US: EMC Documentum Content Server CVE-2014-2512 (Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum ...) NOT-FOR-US: EMC Documentum eRoom CVE-2014-2511 (Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum ...) NOT-FOR-US: EMC Documentum CVE-2014-2510 (The JAXB XML parser in EMC Documentum Foundation Services (DFS) 6.6 be ...) NOT-FOR-US: EMC Documentum Foundation Services CVE-2014-2509 (Session fixation vulnerability in the Report Advisor (RA) component in ...) NOT-FOR-US: EMC NCM CVE-2014-2508 (EMC Documentum Content Server before 6.7 SP1 P28, 6.7 SP2 before P14, ...) NOT-FOR-US: EMC Documentum Content Server CVE-2014-2507 (EMC Documentum Content Server before 6.7 SP1 P28, 6.7 SP2 before P14, ...) NOT-FOR-US: EMC Documentum Content Server CVE-2014-2506 (EMC Documentum Content Server before 6.7 SP1 P28, 6.7 SP2 before P14, ...) NOT-FOR-US: EMC Documentum Content Server CVE-2014-2505 (EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote attackers ...) NOT-FOR-US: EMC RSA Archer GRC Platform CVE-2014-2504 (EMC Documentum D2 3.1 before P20, 3.1 SP1 before P02, 4.0 before P10, ...) NOT-FOR-US: EMC Documentum D2 CVE-2014-2503 (The thumbnail proxy server in EMC Documentum Digital Asset Manager (DA ...) NOT-FOR-US: EMC Documentum Digital Asset Manager CVE-2014-2502 (Cross-site scripting (XSS) vulnerability in rsa_fso.swf in EMC RSA Ada ...) NOT-FOR-US: EMC RSA Adaptive Authentication CVE-2014-2501 RESERVED CVE-2014-2500 RESERVED CVE-2014-2499 RESERVED CVE-2014-2498 RESERVED CVE-2013-7348 (Double free vulnerability in the ioctx_alloc function in fs/aio.c in t ...) - linux 3.13.4-1 [wheezy] - linux (Introduced and fixed in 3.13 series) - linux-2.6 (Introduced and fixed in 3.13 series) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d558023207e008a4476a3b7bb8706b2a2bf5d84f CVE-2013-7347 (Luci in Red Hat Conga does not properly enforce the user session timeo ...) NOT-FOR-US: Red Hat Conga CVE-2013-7344 (Unspecified vulnerability in core/settings.php in ownCloud before 4.0. ...) - owncloud 5.0.3+dfsg-1 CVE-2013-7343 (Cross-site scripting (XSS) vulnerability in flowplayer.swf in the Flas ...) NOT-FOR-US: Flowplayer NOTE: Present in the source in some Moodle packages, see #736800 CVE-2013-7342 (Cross-site scripting (XSS) vulnerability in flowplayer.swf in the Flas ...) NOT-FOR-US: Flowplayer NOTE: Present in the source in some Moodle packages, see #736800 CVE-2013-7340 (VideoLAN VLC Media Player before 2.0.7 allows remote attackers to caus ...) - vlc 2.2.0~rc2-1 (unimportant) NOTE: No security impact NOTE: Might be fixed earlier than 2.2.0~rc2, but only that version was checked CVE-2013-7337 RESERVED CVE-2011-5276 (SQL injection vulnerability in the drawAdminTools_PackageInstaller fun ...) - dtc 0.34.1-1 CVE-2011-5275 (The install script in Domain Technologie Control (DTC) before 0.34.1 g ...) - dtc 0.34.1-1 CVE-2011-5274 (The drawAdminTools_PackageInstaller function in shared/inc/forms/packa ...) - dtc 0.34.1-1 CVE-2011-5273 (Directory traversal vulnerability in shared/package-installer in Domai ...) - dtc 0.34.1-1 CVE-2011-5272 (SQL injection vulnerability in Domain Technologie Control (DTC) before ...) - dtc 0.34.1-1 CVE-2009-5140 (The SIP implementation on the Linksys SPA2102 phone adapter provides h ...) NOT-FOR-US: Linksys CVE-2009-5139 (The SIP implementation on the Gizmo5 software phone provides hashed cr ...) NOT-FOR-US: Gizmo5 CVE-2014-2599 (The HVMOP_set_mem_access HVM control operations in Xen 4.1.x for 32-bi ...) {DSA-3006-1} - xen 4.4.1-1 (bug #757724) [squeeze] - xen (Only affects 4.1 and later) CVE-2014-2585 (ownCloud before 5.0.15 and 6.x before 6.0.2, when the file_external ap ...) - owncloud 6.0.2+dfsg-1 CVE-2014-2580 (The netback driver in Xen, when using certain Linux versions that do n ...) - linux 3.13.10-1 [wheezy] - linux (Introduced in 3.12) - linux-2.6 (Introduced in 3.12) NOTE: upstream patch: https://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git/commit/?id=e9d8b2c2968499c1f96563e6522c56958d5a1d0d (first included in v3.15-rc1). CVE-2014-2532 (sshd in OpenSSH before 6.6 does not properly support wildcards on Acce ...) {DSA-2894-1} - openssh 1:6.6p1-1 NOTE: Default sshd_config in Debian has AcceptEnv LANG LC_* NOTE: http://marc.info/?l=openbsd-security-announce&m=139492048027313&w=2 CVE-2014-2581 (Smb4K before 1.1.1 allows remote attackers to obtain credentials via v ...) - smb4k 1.1.2-1 (low; bug #742816) [wheezy] - smb4k (Minor issue) [squeeze] - smb4k (Minor issue) NOTE: http://sourceforge.net/projects/smb4k/files/Smb4K%20%28stable%20releases%29/1.1.1/ CVE-2014-2576 (plugins/rssyl/feed.c in Claws Mail before 3.10.0 disables the CURLOPT_ ...) - claws-mail 3.10.1-1 (bug #742695) [wheezy] - claws-mail (rssyl plugin in separate source package) [squeeze] - claws-mail (rssyl plugin in separate source package) NOTE: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3106 - claws-mail-extra-plugins [squeeze] - claws-mail-extra-plugins (Minor issue) [wheezy] - claws-mail-extra-plugins (Minor issue) CVE-2014-2573 (The VMWare driver in OpenStack Compute (Nova) 2013.2 through 2013.2.2 ...) - nova 2014.1-9 (bug #750144) [wheezy] - nova (Vulnerable code in 2013.2 to 2013.2.2) NOTE: https://bugs.launchpad.net/nova/+bug/1269418 CVE-2014-2568 (Use-after-free vulnerability in the nfqnl_zcopy function in net/netfil ...) - linux 3.13.7-1 - linux-2.6 (Introduced in 3.10 commit ae08ce002108) [wheezy] - linux (Introduced in 3.10 commit ae08ce002108) NOTE: Upstream path: https://lkml.org/lkml/2014/3/20/421 CVE-2014-2567 (The OpenConnectionTask::handleStateHelper function in Imap/Tasks/OpenC ...) NOT-FOR-US: Trojita CVE-2014-2538 (Cross-site scripting (XSS) vulnerability in lib/rack/ssl.rb in the rac ...) - ruby-rack-ssl 1.3.2-4 (low; bug #742186) [wheezy] - ruby-rack-ssl (Minor issue) NOTE: https://github.com/josh/rack-ssl/commit/9d7d7300b907e496db68d89d07fbc2e0df0b487b CVE-2014-2528 (kcleanup.cpp in KDirStat 2.7.3 does not properly quote strings when de ...) - k4dirstat 2.7.5-1 (bug #741659) [wheezy] - k4dirstat (Minor issue) - kdirstat [squeeze] - kdirstat (Minor issue) CVE-2014-2527 (kcleanup.cpp in KDirStat 2.7.0 does not properly quote strings when de ...) - k4dirstat (Uses single quotes for affected code) - kdirstat (low) [squeeze] - kdirstat (Minor issue) CVE-2014-2571 (Cross-site scripting (XSS) vulnerability in the quiz_question_tostring ...) - moodle 2.6.2-1 [squeeze] - moodle (Vulnerable code not present) CVE-2013-7341 (Multiple cross-site scripting (XSS) vulnerabilities in Flowplayer Flas ...) - moodle 2.6.2-1 [squeeze] - moodle (Vulnerable code not present) CVE-2014-2572 (mod/assign/externallib.php in Moodle 2.6.x before 2.6.2 does not prope ...) - moodle 2.6.2-1 [squeeze] - moodle (Vulnerable code not present) CVE-2014-2524 (The _rl_tropen function in util.c in GNU readline before 6.3 patch 3 a ...) - readline6 6.3-7 (low; bug #741953) [wheezy] - readline6 (Minor issue) [squeeze] - readline6 (Minor issue) CVE-2014-2523 (net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through 3. ...) {DSA-2906-1} - linux 3.13.10-1 [wheezy] - linux 3.2.57-1 - linux-2.6 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/nf_conntrack_proto_dccp.c?id=b22f5126a24b3b2f15448c3f2a254fc10cbc2b92 CVE-2014-2522 (curl and libcurl 7.27.0 through 7.35.0, when running on Windows and us ...) - curl (Only present in code only running on Windows) CVE-2014-2497 (The gdImageCreateFromXpm function in gdxpm.c in libgd, as used in PHP ...) {DSA-3215-1 DLA-189-1} - php5 5.6.0~rc4+dfsg-1 [wheezy] - php5 (imagecreatefromxpm function not in used gd extension) [squeeze] - php5 (imagecreatefromxpm function not in used gd extension) - libgd2 2.1.0-4 (low; bug #744719) NOTE: http://web.archive.org/web/20150221193227/http://net-ninja-mr.me/2014/03/14/php-gd-v5-4-17-2-color-visual-null-pointer-dereference/ CVE-2014-2496 (Unspecified vulnerability in the PeopleSoft Enterprise PT PeopleTools ...) NOT-FOR-US: Oracle CVE-2014-2495 (Unspecified vulnerability in the PeopleSoft Enterprise SCM Purchasing ...) NOT-FOR-US: Oracle CVE-2014-2494 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2985-1} - mysql-5.5 5.5.39-1 (bug #754941) - mysql-5.1 (Only affects 5.5 and later) - mariadb-5.5 5.5.38-1 (bug #754940) - mariadb-10.0 (Fixed before initial upload) - percona-xtradb-cluster-5.5 5.5.39-25.11+dfsg-1 CVE-2014-2493 (Unspecified vulnerability in the Oracle JDeveloper component in Oracle ...) NOT-FOR-US: Oracle CVE-2014-2492 (Unspecified vulnerability in the Oracle Agile Product Collaboration co ...) NOT-FOR-US: Oracle CVE-2014-2491 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...) NOT-FOR-US: Oracle CVE-2014-2490 (Unspecified vulnerability in the Java SE component in Oracle Java SE 7 ...) {DSA-2987-1 DSA-2980-1 DLA-96-1} - openjdk-6 6b32-1.13.4-1 NOTE: http://hg.openjdk.java.net/jdk6/jdk6/hotspot/rev/dd7d490e72af - openjdk-7 7u65-2.5.1-1 NOTE: http://hg.openjdk.java.net/jdk7u/jdk7u/hotspot/rev/02f12a9d5aec CVE-2014-2489 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) {DLA-313-1} - virtualbox 4.3.12-dfsg-1 (bug #754939) [wheezy] - virtualbox 4.1.40-dfsg-1+deb7u1 - virtualbox-ose [squeeze] - virtualbox-ose (Specific details withheld, but CVSS score indicates low impact) CVE-2014-2488 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) {DLA-313-1} - virtualbox 4.3.12-dfsg-1 (bug #754939) [wheezy] - virtualbox 4.1.40-dfsg-1+deb7u1 - virtualbox-ose [squeeze] - virtualbox-ose (Specific details withheld, but CVSS score indicates low impact) CVE-2014-2487 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) - virtualbox (Only applies if VBox is running on Windows) - virtualbox-ose (Only applies if VBox is running on Windows) CVE-2014-2486 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) {DLA-313-1} - virtualbox 4.3.12-dfsg-1 (bug #754939) [wheezy] - virtualbox 4.1.40-dfsg-1+deb7u1 - virtualbox-ose [squeeze] - virtualbox-ose (Specific details withheld, but CVSS score indicates low impact) CVE-2014-2485 (Unspecified vulnerability in the Siebel Core - EAI component in Oracle ...) NOT-FOR-US: Oracle CVE-2014-2484 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 (Only affects 5.6) - mysql-5.1 (Only affects 5.6) - mariadb-5.5 (Only affects 5.6) - percona-xtradb-cluster-5.5 (Only affects 5.6) CVE-2014-2483 (Unspecified vulnerability in the Java SE component in Oracle Java SE J ...) {DSA-2987-1} - openjdk-6 (vulnerable code not present) - openjdk-7 7u65-2.5.1-1 NOTE: http://hg.openjdk.java.net/jdk7u/jdk7u/hotspot/rev/848481af9003 CVE-2014-2482 (Unspecified vulnerability in the Oracle Concurrent Processing componen ...) NOT-FOR-US: Oracle CVE-2014-2481 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2014-2480 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2014-2479 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle CVE-2014-2478 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2014-2477 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) - virtualbox 4.3.12-dfsg-1 (bug #754939) [wheezy] - virtualbox 4.1.40-dfsg-1+deb7u1 - virtualbox-ose (Only affects 4.0 and later) CVE-2014-2476 (Unspecified vulnerability in the Oracle Secure Global Desktop componen ...) NOT-FOR-US: Oracle Virtualization CVE-2014-2475 (Unspecified vulnerability in the Oracle Secure Global Desktop componen ...) NOT-FOR-US: Oracle Virtualization CVE-2014-2474 (Unspecified vulnerability in the Oracle Secure Global Desktop componen ...) NOT-FOR-US: Oracle Virtualization CVE-2014-2473 (Unspecified vulnerability in the Oracle Secure Global Desktop componen ...) NOT-FOR-US: Oracle Virtualization CVE-2014-2472 (Unspecified vulnerability in the Oracle Secure Global Desktop componen ...) NOT-FOR-US: Oracle Virtualization CVE-2014-2471 (Unspecified vulnerability in the Oracle iLearning component in Oracle ...) NOT-FOR-US: Oracle iLearning CVE-2014-2470 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-2469 (Unspecified vulnerability in lighttpd in Oracle Solaris 11.1 allows at ...) - lighttpd (Only affects lighttpd on Oracle Solaris) CVE-2014-2468 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...) NOT-FOR-US: Oracle Siebel CRM CVE-2014-2467 (Unspecified vulnerability in the Oracle Agile PLM Framework component ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2014-2466 (Unspecified vulnerability in the Oracle Agile PLM Framework component ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2014-2465 (Unspecified vulnerability in the Oracle Agile PLM Framework component ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2014-2464 (Unspecified vulnerability in the Oracle Agile PLM Framework component ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2014-2463 (Unspecified vulnerability in the Oracle Secure Global Desktop (SGD) co ...) NOT-FOR-US: Oracle Secure Global Desktop (SGD) CVE-2014-2462 REJECTED CVE-2014-2461 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2014-2460 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2014-2459 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2014-2458 (Unspecified vulnerability in the Oracle Agile Product Lifecycle compon ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2014-2457 (Unspecified vulnerability in the Oracle Agile Product Lifecycle compon ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2014-2456 (Unspecified vulnerability in the PeopleSoft Enterprise ELS Enterprise ...) NOT-FOR-US: Oracle CVE-2014-2455 (Unspecified vulnerability in the Hyperion Common Admin component in Or ...) NOT-FOR-US: Oracle Hyperion CVE-2014-2454 (Unspecified vulnerability in the Hyperion Common Admin component in Or ...) NOT-FOR-US: Oracle Hyperion CVE-2014-2453 (Unspecified vulnerability in the Hyperion Common Admin component in Or ...) NOT-FOR-US: Oracle Hyperion CVE-2014-2452 (Unspecified vulnerability in the Oracle Access Manager component in Or ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-2451 (Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier al ...) - mysql-5.5 (Only affects Mysql 5.6) - mysql-5.1 (Only affects Mysql 5.6) CVE-2014-2450 (Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier al ...) - mysql-5.5 (Only affects Mysql 5.6) - mysql-5.1 (Only affects Mysql 5.6) CVE-2014-2449 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS Talent Acq ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2014-2448 (Unspecified vulnerability in the PeopleSoft Enterprise PT PeopleTools ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2014-2447 (Unspecified vulnerability in the PeopleSoft Enterprise PT PeopleTools ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2014-2446 (Unspecified vulnerability in the PeopleSoft Enterprise PT PeopleTools ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2014-2445 (Unspecified vulnerability in the Oracle Agile PLM Framework component ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2014-2444 (Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier al ...) - mysql-5.5 (Only affects Mysql 5.6) - mysql-5.1 (Only affects Mysql 5.6) CVE-2014-2443 (Unspecified vulnerability in the PeopleSoft Enterprise PT PeopleTools ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2014-2442 (Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier al ...) - mysql-5.5 (Only affects Mysql 5.6) - mysql-5.1 (Only affects Mysql 5.6) CVE-2014-2441 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) - virtualbox-guest-additions (Only affects 4.1 and later) - virtualbox-guest-additions-iso 4.3.10-1 [wheezy] - virtualbox-guest-additions-iso (Non-free not supported) NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html CVE-2014-2440 (Unspecified vulnerability in the MySQL Client component in Oracle MySQ ...) {DSA-2919-1} - mysql-5.5 5.5.37-1 (bug #744910) - mariadb-5.5 5.5.37-1 (bug #745330) - mariadb-10.0 (Fixed before initial upload) - mysql-5.1 (Only affects Mysql 5.5/5.6) - percona-xtradb-cluster-5.5 5.5.37-25.10+dfsg-1 NOTE: this is the same issue as CVE-2014-0001, see http://www.openwall.com/lists/oss-security/2014/09/11/23 CVE-2014-2439 (Unspecified vulnerability in the Oracle Secure Global Desktop (SGD) co ...) NOT-FOR-US: Oracle Secure Global Desktop (SGD) CVE-2014-2438 (Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier an ...) {DSA-2919-1} - mysql-5.5 5.5.37-1 (bug #744910) - mariadb-5.5 5.5.37-1 (bug #745330) - mariadb-10.0 (Fixed before initial upload) - mysql-5.1 (Only affects Mysql 5.5/5.6) - percona-xtradb-cluster-5.5 5.5.37-25.10+dfsg-1 CVE-2014-2437 (Unspecified vulnerability in the PeopleSoft Enterprise PT PeopleTools ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2014-2436 (Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier an ...) {DSA-2919-1} - mysql-5.5 5.5.37-1 (bug #744910) - mariadb-5.5 5.5.37-1 (bug #745330) - mariadb-10.0 (Fixed before initial upload) - mysql-5.1 (Only affects Mysql 5.5/5.6) - percona-xtradb-cluster-5.5 5.5.37-25.10+dfsg-1 CVE-2014-2435 (Unspecified vulnerability in Oracle MySQL Server 5.6.16 and earlier al ...) - mysql-5.5 (Only affects Mysql 5.6) - mysql-5.1 (Only affects Mysql 5.6) CVE-2014-2434 (Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier al ...) - mysql-5.5 (Only affects Mysql 5.6) - mysql-5.1 (Only affects Mysql 5.6) CVE-2014-2433 (Unspecified vulnerability in the PeopleSoft Enterprise PT PeopleTools ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2014-2432 (Unspecified vulnerability Oracle the MySQL Server component 5.5.35 and ...) {DSA-2919-1} - mysql-5.5 5.5.37-1 (bug #744910) - mariadb-5.5 5.5.37-1 (bug #745330) - mariadb-10.0 (Fixed before initial upload) - mysql-5.1 (Only affects Mysql 5.5/5.6) - percona-xtradb-cluster-5.5 5.5.37-25.10+dfsg-1 CVE-2014-2431 (Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier an ...) {DSA-2919-1} - mysql-5.5 5.5.37-1 (bug #744910) - mariadb-5.5 5.5.37-1 (bug #745330) - mariadb-10.0 (Fixed before initial upload) - mysql-5.1 (Only affects Mysql 5.5/5.6) - percona-xtradb-cluster-5.5 5.5.37-25.10+dfsg-1 CVE-2014-2430 (Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier an ...) {DSA-2919-1} - mysql-5.5 5.5.37-1 (bug #744910) - mariadb-5.5 5.5.37-1 (bug #745330) - mariadb-10.0 (Fixed before initial upload) - mysql-5.1 (Only affects Mysql 5.5/5.6) - percona-xtradb-cluster-5.5 5.5.37-25.10+dfsg-1 CVE-2014-2429 (Unspecified vulnerability in the PeopleSoft Enterprise CS Campus Self ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2014-2428 (Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Jav ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2014-2427 (Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8, ...) {DSA-2923-1 DSA-2912-1} - openjdk-7 7u55-2.4.7-1 - openjdk-6 6b31-1.13.3-1 CVE-2014-2426 (Unspecified vulnerability in the Oracle OpenSSO component in Oracle Fu ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-2425 (Unspecified vulnerability in the Oracle OpenSSO component in Oracle Fu ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-2424 (Unspecified vulnerability in the Oracle Event Processing component in ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-2423 (Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Jav ...) {DSA-2923-1 DSA-2912-1} - openjdk-7 7u55-2.4.7-1 - openjdk-6 6b31-1.13.3-1 CVE-2014-2422 (Unspecified vulnerability in Oracle Java SE 7u51 and 8, and JavaFX 2.2 ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2014-2421 (Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; ...) {DSA-2923-1 DSA-2912-1} - openjdk-7 7u55-2.4.7-1 - openjdk-6 6b31-1.13.3-1 CVE-2014-2420 (Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Jav ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2014-2419 (Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier an ...) {DSA-2919-1} - mysql-5.5 5.5.37-1 (bug #744910) - mariadb-5.5 5.5.37-1 (bug #745330) - mariadb-10.0 (Fixed before initial upload) - mysql-5.1 (Only affects Mysql 5.5/5.6) - percona-xtradb-cluster-5.5 5.5.37-25.10+dfsg-1 CVE-2014-2418 (Unspecified vulnerability in the Oracle Data Integrator component in O ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-2417 (Unspecified vulnerability in the Oracle Data Integrator component in O ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-2416 (Unspecified vulnerability in the Oracle Data Integrator component in O ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-2415 (Unspecified vulnerability in the Oracle Data Integrator component in O ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-2414 (Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Jav ...) {DSA-2923-1 DSA-2912-1} - openjdk-7 7u55-2.4.7-1 - openjdk-6 6b31-1.13.3-1 CVE-2014-2413 (Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Em ...) {DSA-2923-1} - openjdk-7 7u55-2.4.7-1 - openjdk-6 (Only affects Java 7/8) CVE-2014-2412 (Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, SE 7u51, and ...) {DSA-2923-1 DSA-2912-1} - openjdk-7 7u55-2.4.7-1 - openjdk-6 6b31-1.13.3-1 CVE-2014-2411 (Unspecified vulnerability in the Oracle Identity Analytics component i ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-2410 (Unspecified vulnerability in Oracle Java SE 8 allows remote attackers ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2014-2409 (Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Jav ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2014-2408 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2014-2407 (Unspecified vulnerability in the Oracle Data Integrator component in O ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-2406 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2014-2405 (Unspecified vulnerability in OpenJDK 6 before 6b31 on Debian GNU/Linux ...) {DSA-2912-1} - openjdk-6 6b31-1.13.3-1 CVE-2014-2404 (Unspecified vulnerability in the Oracle Access Manager component in Or ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-2403 (Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Jav ...) {DSA-2923-1 DSA-2912-1} - openjdk-7 7u55-2.4.7-1 - openjdk-6 6b31-1.13.3-1 CVE-2014-2402 (Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Em ...) {DSA-2923-1} - openjdk-7 7u55-2.4.7-1 - openjdk-6 (Only affects Java 7/8) CVE-2014-2401 (Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; ...) - openjdk-6 (Specific to Oracle Java, not present in IcedTea) - openjdk-7 (Specific to Oracle Java, not present in IcedTea) NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected CVE-2014-2400 (Unspecified vulnerability in the Oracle Endeca Server component in Ora ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-2399 (Unspecified vulnerability in the Oracle Endeca Server component in Ora ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-2398 (Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; ...) {DSA-2923-1 DSA-2912-1} - openjdk-7 7u55-2.4.7-1 - openjdk-6 6b31-1.13.3-1 CVE-2014-2397 (Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Em ...) {DSA-2923-1 DSA-2912-1} - openjdk-7 7u55-2.4.7-1 - openjdk-6 6b31-1.13.3-1 CVE-2014-2396 RESERVED CVE-2014-2395 RESERVED CVE-2014-2394 RESERVED CVE-2014-2393 (Cross-site scripting (XSS) vulnerability in Open-Xchange AppSuite 7.4. ...) NOT-FOR-US: Open-Xchange CVE-2014-2392 (The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7 ...) NOT-FOR-US: Open-Xchange CVE-2014-2391 (The password recovery service in Open-Xchange AppSuite before 7.2.2-re ...) NOT-FOR-US: Open-Xchange CVE-2014-2390 (Cross-site request forgery (CSRF) vulnerability in the User Management ...) NOT-FOR-US: McAfee Network Security Manager CVE-2014-2389 (Stack-based buffer overflow in a certain decryption function in qconnD ...) NOT-FOR-US: BlackBerry Z 10 CVE-2014-2388 (The Storage and Access service in BlackBerry OS 10.x before 10.2.1.192 ...) NOT-FOR-US: BlackBerry OS CVE-2014-2385 (Multiple cross-site scripting (XSS) vulnerabilities in the web UI in S ...) NOT-FOR-US: Sophos Antivirus CVE-2014-2384 (vmx86.sys in VMware Workstation 10.0.1 build 1379776 and VMware Player ...) NOT-FOR-US: VMware on Windows CVE-2014-2383 (dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, ...) - php-dompdf 0.6.1+dfsg-2 (unimportant; bug #745619) NOTE: requires DOMPDF_ENABLE_REMOTE (disabled by default) to be enabled CVE-2014-2382 (The DfDiskLo.sys driver in Faronics Deep Freeze Standard and Enterpris ...) NOT-FOR-US: Faronics CVE-2014-2381 (Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 ...) NOT-FOR-US: Schneider Electric CVE-2014-2380 (Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 ...) NOT-FOR-US: Schneider Electric CVE-2014-2379 (Sensys Networks VSN240-F and VSN240-T sensors VDS before 2.10.1 and Tr ...) NOT-FOR-US: Sensys Networks CVE-2014-2378 (Sensys Networks VSN240-F and VSN240-T sensors VDS before 2.10.1 and Tr ...) NOT-FOR-US: Sensys Networks CVE-2014-2377 (Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1 ...) NOT-FOR-US: Ecava IntegraXor SCADA Server CVE-2014-2376 (SQL injection vulnerability in Ecava IntegraXor SCADA Server Stable 4. ...) NOT-FOR-US: Ecava IntegraXor SCADA Server CVE-2014-2375 (Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1 ...) NOT-FOR-US: Ecava IntegraXor SCADA Server CVE-2014-2374 (The AXN-NET Ethernet module accessory 3.04 for the Accuenergy Acuvim I ...) NOT-FOR-US: Accuenergy CVE-2014-2373 (The web server on the AXN-NET Ethernet module accessory 3.04 for the A ...) NOT-FOR-US: Accuenergy CVE-2014-2372 RESERVED CVE-2014-2371 RESERVED CVE-2014-2370 (Cross-site scripting (XSS) vulnerability in the web application on Omr ...) NOT-FOR-US: Omron CVE-2014-2369 (Cross-site request forgery (CSRF) vulnerability in the web application ...) NOT-FOR-US: Omron CVE-2014-2368 (The BrowseFolder method in the bwocxrun ActiveX control in Advantech W ...) NOT-FOR-US: Advantech WebAccess CVE-2014-2367 (The ChkCookie subroutine in an ActiveX control in broadweb/include/gCh ...) NOT-FOR-US: Advantech WebAccess CVE-2014-2366 (upAdminPg.asp in Advantech WebAccess before 7.2 allows remote authenti ...) NOT-FOR-US: Advantech WebAccess CVE-2014-2365 (Unspecified vulnerability in Advantech WebAccess before 7.2 allows rem ...) NOT-FOR-US: Advantech WebAccess CVE-2014-2364 (Multiple stack-based buffer overflows in Advantech WebAccess before 7. ...) NOT-FOR-US: Advantech WebAccess CVE-2014-2363 (Morpho Itemiser 3 8.17 has hardcoded administrative credentials, which ...) NOT-FOR-US: Morpho Itemiser CVE-2014-2362 (OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules rel ...) NOT-FOR-US: OleumTech Wireless Gateway CVE-2014-2361 (OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules, wh ...) NOT-FOR-US: OleumTech Wireless Gateway CVE-2014-2360 (OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules all ...) NOT-FOR-US: OleumTech Wireless Gateway CVE-2014-2359 (OleumTech Wireless Sensor Network devices allow remote attackers to ob ...) NOT-FOR-US: OleumTech Wireless Sensor Network devices CVE-2014-2358 (Multiple cross-site request forgery (CSRF) vulnerabilities in the admi ...) NOT-FOR-US: Fox-IT Fox DataDiode CVE-2014-2357 (The GPT library in the Telegyr 8979 Master Protocol application in SUB ...) NOT-FOR-US: SUBNET SubSTATION Server 2 CVE-2014-2356 (Innominate mGuard before 7.6.4 and 8.x before 8.0.3 does not require a ...) NOT-FOR-US: Innominate mGuard CVE-2014-2355 (The (1) CimView and (2) CimEdit components in GE Proficy HMI/SCADA-CIM ...) NOT-FOR-US: Systems Integrated GE Proficy HMI/SCADA-CIMPLICITY CVE-2014-2354 (Cogent DataHub before 7.3.5 does not use a salt during password hashin ...) NOT-FOR-US: Cogent DataHub CVE-2014-2353 (Cross-site scripting (XSS) vulnerability in Cogent DataHub before 7.3. ...) NOT-FOR-US: Cogent DataHub CVE-2014-2352 (Directory traversal vulnerability in Cogent DataHub before 7.3.5 allow ...) NOT-FOR-US: Cogent DataHub CVE-2014-2351 (SQL injection vulnerability in the LiveData service in CSWorks before ...) NOT-FOR-US: CSWorks CVE-2014-2350 (Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentia ...) NOT-FOR-US: Emerson DeltaV CVE-2014-2349 (Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 allows local users to mo ...) NOT-FOR-US: Emerson DeltaV CVE-2014-2348 RESERVED CVE-2014-2347 (Amtelco miSecureMessages (aka MSM) 6.2 does not properly manage sessio ...) NOT-FOR-US: Amtelco miSecureMessages CVE-2014-2346 (COPA-DATA zenon DNP3 NG driver (DNP3 master) 7.10 and 7.11 through 7.1 ...) NOT-FOR-US: COPA-DATA CVE-2014-2345 (COPA-DATA zenon DNP3 NG driver (DNP3 master) 7.10 and 7.11 through 7.1 ...) NOT-FOR-US: COPA-DATA CVE-2014-2344 REJECTED CVE-2014-2343 (Triangle MicroWorks SCADA Data Gateway before 3.00.0635 allows physica ...) NOT-FOR-US: Triangle MicroWorks SCADA CVE-2014-2342 (Triangle MicroWorks SCADA Data Gateway before 3.00.0635 allows remote ...) NOT-FOR-US: Triangle MicroWorks SCADA CVE-2014-2341 (Session fixation vulnerability in CubeCart before 5.2.9 allows remote ...) NOT-FOR-US: CubeCart CVE-2014-2340 (Cross-site request forgery (CSRF) vulnerability in the XCloner plugin ...) NOT-FOR-US: WordPress plugin xcloner-backup-and-restore CVE-2014-2339 (Multiple SQL injection vulnerabilities in bbs/ajax.autosave.php in GNU ...) NOT-FOR-US: GNU Board CVE-2014-2338 (IKEv2 in strongSwan 4.0.7 before 5.1.3 allows remote attackers to bypa ...) {DSA-2903-1} - strongswan 5.1.2-4 CVE-2014-2337 RESERVED CVE-2014-2336 (Multiple cross-site scripting (XSS) vulnerabilities in the Web User In ...) NOT-FOR-US: Fortinet FortiManager CVE-2014-2335 (Multiple cross-site scripting (XSS) vulnerabilities in the Web User In ...) NOT-FOR-US: Fortinet FortiManager CVE-2014-2334 (Multiple cross-site scripting (XSS) vulnerabilities in the Web User In ...) NOT-FOR-US: Fortinet FortiManager CVE-2014-2333 (Cross-site scripting (XSS) vulnerability in the Lazyest Gallery plugin ...) NOT-FOR-US: WordPress plugin Lazyest Gallery CVE-2014-2332 (Check_MK before 1.2.2p3 and 1.2.3x before 1.2.3i5 allows remote authen ...) - check-mk 1.2.2p3-1 (bug #742689) [wheezy] - check-mk (Minor issue) NOTE: http://packetstormsecurity.com/files/125850/DTC-A-20140324-002.txt CVE-2014-2331 (Check_MK 1.2.2p2, 1.2.2p3, and 1.2.3i5 allows remote authenticated use ...) - check-mk 1.2.6p4-1 (bug #742689) [wheezy] - check-mk (Minor issue) NOTE: http://packetstormsecurity.com/files/125850/DTC-A-20140324-002.txt CVE-2014-2330 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Mult ...) - check-mk 1.2.6p4-1 (bug #742689) [wheezy] - check-mk (Minor issue) NOTE: http://packetstormsecurity.com/files/125850/DTC-A-20140324-002.txt CVE-2014-2329 (Multiple cross-site scripting (XSS) vulnerabilities in Check_MK before ...) - check-mk 1.2.2p3-1 (bug #742689) [wheezy] - check-mk (Minor issue) NOTE: http://packetstormsecurity.com/files/125850/DTC-A-20140324-002.txt CVE-2014-2328 (lib/graph_export.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remot ...) {DSA-2970-1} - cacti 0.8.8b+dfsg-4 (bug #742768) [squeeze] - cacti 0.8.7g-1+squeeze4 (bug #742768) NOTE: http://bugs.cacti.net/view.php?id=2433 CVE-2014-2327 (Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, 0.8.8 ...) {DSA-2970-1} - cacti 0.8.8b+dfsg-6 (bug #742768) [squeeze] - cacti 0.8.7g-1+squeeze4 (bug #742768) NOTE: http://bugs.cacti.net/view.php?id=2432 CVE-2014-2326 (Cross-site scripting (XSS) vulnerability in cdef.php in Cacti 0.8.7g, ...) {DSA-2970-1} - cacti 0.8.8b+dfsg-4 (bug #742768) [squeeze] - cacti 0.8.7g-1+squeeze4 (bug #742768) NOTE: http://bugs.cacti.net/view.php?id=2431 CVE-2014-2318 (SQL injection vulnerability in ATCOM Netvolution 3 allows remote attac ...) NOT-FOR-US: ATCOM Netvolution CVE-2014-2317 (SQL injection vulnerability in ajax_udf.php in OpenDocMan before 1.2.7 ...) NOT-FOR-US: OpenDocMan CVE-2014-2316 (SQL injection vulnerability in se_search_default in the Search Everyth ...) NOT-FOR-US: WP plugin search-everything CVE-2014-2315 (Multiple cross-site scripting (XSS) vulnerabilities in the Thank You C ...) NOT-FOR-US: WP plugin thankyoubutton CVE-2014-2314 (Directory traversal vulnerability in the Issue Collector plugin in Atl ...) NOT-FOR-US: Atlassian JIRA CVE-2014-2313 (Directory traversal vulnerability in the Importers plugin in Atlassian ...) NOT-FOR-US: Atlassian JIRA CVE-2013-7339 (The rds_ib_laddr_check function in net/rds/ib.c in the Linux kernel be ...) {DSA-2906-1} - linux 3.13-1 [wheezy] - linux 3.2.57-1 - linux-2.6 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c2349758acf1874e4c2b93fe41d072336f1a31d0 CVE-2013-7336 (The qemuMigrationWaitForSpice function in qemu/qemu_migration.c in lib ...) - libvirt 1.1.4-1 [wheezy] - libvirt (Vulnerable code not present) [squeeze] - libvirt (Vulnerable code not present) NOTE: http://www.redhat.com/archives/libvir-list/2013-September/msg01208.html CVE-2013-7335 (Open redirect vulnerability in DotNetNuke (DNN) before 6.2.9 and 7.x b ...) NOT-FOR-US: DotNetNuke CVE-2013-7334 (Cross-site request forgery (CSRF) vulnerability in ImageCMS before 4.2 ...) NOT-FOR-US: ImageCMS CVE-2014-2387 (Pen 0.18.0 has Insecure Temporary File Creation vulnerabilities ...) - pen 0.22.1-1 (low; bug #741370) [squeeze] - pen (Minor issue) [wheezy] - pen (Minor issue) CVE-2014-2386 (Multiple off-by-one errors in Icinga, possibly 1.10.2 and earlier, all ...) {DSA-2956-1} - icinga 1.11.0-1 [squeeze] - icinga (Vulnerable code not present) CVE-2014-2325 (Multiple cross-site scripting (XSS) vulnerabilities in Proxmox Mail Ga ...) NOT-FOR-US: Proxmox Mail Gateway CVE-2014-2324 (Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) ...) {DSA-2877-1} - lighttpd 1.4.33-1+nmu3 (bug #741493) CVE-2014-2323 (SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1. ...) {DSA-2877-1} - lighttpd 1.4.33-1+nmu3 (bug #741493) CVE-2014-2322 (lib/string_utf_support.rb in the Arabic Prawn 0.0.1 gem for Ruby allow ...) NOT-FOR-US: Ruby Gem Arabic Prawn CVE-2014-2321 (web_shell_cmd.gch on ZTE F460 and F660 cable modems allows remote atta ...) NOT-FOR-US: ZTE F460 and F660 cable modems CVE-2014-2320 RESERVED CVE-2014-2319 (The Encrypt Files feature in ConeXware PowerArchiver before 14.02.05 u ...) NOTE: Non issue NOTE: http://seclists.org/oss-sec/2014/q1/550 CVE-2014-2312 (The main function in android_main.cpp in thermald allows local users t ...) - thermald (android_main.cpp not used for Debian build) CVE-2014-2311 (SQL injection vulnerability in modx.class.php in MODX Revolution 2.0.0 ...) NOT-FOR-US: MODx Revolution CVE-2014-2308 RESERVED CVE-2014-2307 RESERVED CVE-2014-2306 RESERVED CVE-2014-2305 RESERVED CVE-2014-2304 (A vulnerability in version 0.90 of the Open Floodlight SDN controller ...) NOT-FOR-US: Open Floodlight CVE-2014-2303 (Multiple SQL injection vulnerabilities in the file browser component ( ...) NOT-FOR-US: webEdition CMS CVE-2014-2302 (The installer script in webEdition CMS before 6.2.7-s1 and 6.3.x befor ...) NOT-FOR-US: webEdition CMS CVE-2014-2301 (OrbiTeam BSCW before 5.0.8 allows remote attackers to obtain sensitive ...) NOT-FOR-US: OrbiTeam BSCW CVE-2014-2300 RESERVED CVE-2014-2299 (Buffer overflow in the mpeg_read function in wiretap/mpeg.c in the MPE ...) {DSA-2871-1} - wireshark 1.10.6-1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9843 NOTE: http://www.wireshark.org/security/wnpa-sec-2014-04.html CVE-2014-2298 RESERVED CVE-2014-2297 (Multiple cross-site scripting (XSS) vulnerabilities in the VideoWhispe ...) NOT-FOR-US: VideoWhisper Live Streaming Integration plugin for WordPress CVE-2014-2296 (XML external entity (XXE) vulnerability in java/org/jasig/cas/util/Sam ...) NOT-FOR-US: Jasig CAS CVE-2014-2295 RESERVED CVE-2014-2294 (Open Web Analytics (OWA) before 1.5.7 allows remote attackers to condu ...) NOT-FOR-US: Open Web Analytics CVE-2014-2293 (Zikula Application Framework before 1.3.7 build 11 allows remote attac ...) NOT-FOR-US: Zikula CVE-2014-2292 (Unspecified vulnerability in the Linux Network Connect client in Junip ...) NOT-FOR-US: Junos Pulse Secure Access Service CVE-2014-2291 (Cross-site scripting (XSS) vulnerability in the Pulse Collaboration (S ...) NOT-FOR-US: Junos CVE-2014-2290 RESERVED CVE-2014-2289 (res/res_pjsip_exten_state.c in the PJSIP channel driver in Asterisk Op ...) - asterisk (Only affects Asterisk 12.x) NOTE: http://downloads.asterisk.org/pub/security/AST-2014-004.html CVE-2014-2288 (The PJSIP channel driver in Asterisk Open Source 12.x before 12.1.1, w ...) - asterisk (Only affects Asterisk 12.x) NOTE: http://downloads.asterisk.org/pub/security/AST-2014-003.html CVE-2014-2287 (channels/chan_sip.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11. ...) {DLA-781-1} - asterisk 1:11.8.1~dfsg-1 (bug #741313) [squeeze] - asterisk (Unsupported in squeeze-lts) NOTE: http://downloads.asterisk.org/pub/security/AST-2014-002.html CVE-2014-2286 (main/http.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11.8.x befo ...) {DLA-455-1} - asterisk 1:11.8.1~dfsg-1 (bug #741313) [squeeze] - asterisk (Unsupported in squeeze-lts) NOTE: http://downloads.asterisk.org/pub/security/AST-2014-001.html CVE-2014-2283 (epan/dissectors/packet-rlc in the RLC dissector in Wireshark 1.8.x bef ...) {DSA-2871-1} - wireshark 1.10.6-1 [squeeze] - wireshark (Vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9730 NOTE: http://www.wireshark.org/security/wnpa-sec-2014-03.html CVE-2014-2282 (The dissect_protocol_data_parameter function in epan/dissectors/packet ...) - wireshark 1.10.6-1 [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9699 NOTE: http://www.wireshark.org/security/wnpa-sec-2014-02.html CVE-2014-2281 (The nfs_name_snoop_add_name function in epan/dissectors/packet-nfs.c i ...) {DSA-2871-1} - wireshark 1.10.6-1 [squeeze] - wireshark (Vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9672 NOTE: http://www.wireshark.org/security/wnpa-sec-2014-01.html CVE-2013-7333 (A vulnerability in version 0.90 of the Open Floodlight SDN controller ...) NOT-FOR-US: Open Floodlight CVE-2014-2309 (The ip6_route_add function in net/ipv6/route.c in the Linux kernel thr ...) - linux 3.13.6-1 [wheezy] - linux 3.2.57-1 - linux-2.6 (Introduced in v3.0) NOTE: Introduced by https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=957c665f37007de93ccbe45902a23143724170d0 NOTE: Fix: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=c88507fbad8055297c1d1e21e599f46960cbee39 CVE-2014-2310 (The AgentX subagent in Net-SNMP before 5.4.4 allows remote attackers t ...) - net-snmp 5.7.2~dfsg-3 (bug #684388) [wheezy] - net-snmp 5.4.3~dfsg-2.8 [squeeze] - net-snmp (Minor issue) NOTE: http://sourceforge.net/p/net-snmp/patches/1113/ CVE-2012-6639 (An privilege elevation vulnerability exists in Cloud-init before 0.7.0 ...) - cloud-init 0.7.1-1 NOTE: http://article.gmane.org/gmane.comp.security.oss.general/12299 CVE-2014-2280 (Cross-site scripting (XSS) vulnerability in the search feature in Seed ...) NOT-FOR-US: SeedDMS CVE-2014-2279 (Multiple directory traversal vulnerabilities in SeedDMS (formerly Leto ...) NOT-FOR-US: SeedDMS CVE-2014-2278 (Unrestricted file upload vulnerability in op/op.AddFile2.php in SeedDM ...) NOT-FOR-US: SeedDMS CVE-2014-2277 (The make_temporary_filename function in perltidy 20120701-1 and earlie ...) - perltidy 20130922-1 (bug #740670) [wheezy] - perltidy (Minor issue) [squeeze] - perltidy (Minor issue) CVE-2014-2276 (The FileUploadController servlet in EMC Connectrix Manager Converged N ...) NOT-FOR-US: EMC CVE-2014-2275 RESERVED CVE-2014-2274 (Cross-site request forgery (CSRF) vulnerability in the Subscribe To Co ...) NOT-FOR-US: Subscribe To Comments Reloaded plugin for WordPress CVE-2014-2273 (The hx170dec device driver in Huawei P2-6011 before V100R001C00B043 al ...) NOT-FOR-US: Huawei Router CVE-2014-2272 RESERVED CVE-2014-2271 (cn.wps.moffice.common.beans.print.CloudPrintWebView in Kingsoft Office ...) NOT-FOR-US: Kingsoft Office CVE-2014-2269 (modules/Users/ForgotPassword.php in vTiger 6.0 before Security Patch 2 ...) NOT-FOR-US: vTiger CRM CVE-2014-2268 (views/Index.php in the Install module in vTiger 6.0 before Security Pa ...) NOT-FOR-US: vTiger CRM CVE-2014-2267 RESERVED CVE-2014-2266 RESERVED CVE-2014-2265 (Rock Lobster Contact Form 7 before 3.7.2 allows remote attackers to by ...) NOT-FOR-US: Rock Lobster Contact Form CVE-2014-2264 (The OpenVPN module in Synology DiskStation Manager (DSM) 4.3-3810 upda ...) NOT-FOR-US: Synology DiskStation Manager CVE-2014-2263 (The mpegts_write_pmt function in the MPEG2 transport stream (aka DVB) ...) {DSA-3003-1} - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=842b6c14bcfc1c5da1a2d288fd65386eb8c158ad - libav 6:10.4-1 NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=addbaf134836aea4e14f73add8c6d753a1373257 CVE-2014-2262 (Buffer overflow in the client application in Base SAS 9.2 TS2M3, SAS 9 ...) NOT-FOR-US: Base SAS CVE-2014-2261 RESERVED CVE-2014-2260 (Cross-site scripting (XSS) vulnerability in plugins/main/content/js/aj ...) NOT-FOR-US: Ajenti CVE-2014-2259 (Siemens SIMATIC S7-1500 CPU PLC devices with firmware before 1.5.0 all ...) NOT-FOR-US: Siemens CVE-2014-2258 (Siemens SIMATIC S7-1200 CPU PLC devices with firmware before 4.0 allow ...) NOT-FOR-US: Siemens CVE-2014-2257 (Siemens SIMATIC S7-1500 CPU PLC devices with firmware before 1.5.0 all ...) NOT-FOR-US: Siemens CVE-2014-2256 (Siemens SIMATIC S7-1200 CPU PLC devices with firmware before 4.0 allow ...) NOT-FOR-US: Siemens CVE-2014-2255 (Siemens SIMATIC S7-1500 CPU PLC devices with firmware before 1.5.0 all ...) NOT-FOR-US: Siemens CVE-2014-2254 (Siemens SIMATIC S7-1200 CPU PLC devices with firmware before 4.0 allow ...) NOT-FOR-US: Siemens CVE-2014-2253 (Siemens SIMATIC S7-1500 CPU PLC devices with firmware before 1.5.0 all ...) NOT-FOR-US: Siemens CVE-2014-2252 (Siemens SIMATIC S7-1200 CPU PLC devices with firmware before 4.0 allow ...) NOT-FOR-US: Siemens CVE-2014-2251 (The random-number generator on Siemens SIMATIC S7-1500 CPU PLC devices ...) NOT-FOR-US: Siemens CVE-2014-2250 (The random-number generator on Siemens SIMATIC S7-1200 CPU PLC devices ...) NOT-FOR-US: Siemens CVE-2014-2249 (Cross-site request forgery (CSRF) vulnerability on Siemens SIMATIC S7- ...) NOT-FOR-US: Siemens CVE-2014-2248 (Open redirect vulnerability in the integrated web server on Siemens SI ...) NOT-FOR-US: Siemens CVE-2014-2247 (The integrated web server on Siemens SIMATIC S7-1500 CPU PLC devices w ...) NOT-FOR-US: Siemens CVE-2014-2246 (Cross-site scripting (XSS) vulnerability in the integrated web server ...) NOT-FOR-US: Siemens CVE-2014-2241 (The (1) cf2_initLocalRegionBuffer and (2) cf2_initGlobalRegionBuffer f ...) - freetype 2.5.2-1.1 (bug #741299) [wheezy] - freetype (vuln. code introduced around 2.5) [squeeze] - freetype (vuln. code introduced around 2.5) NOTE: http://sourceforge.net/projects/freetype/files/freetype2/2.5.3/ NOTE: https://savannah.nongnu.org/bugs/?41697#comment2 if I understood it right CVE-2014-2240 (Stack-based buffer overflow in the cf2_hintmap_build function in cff/c ...) - freetype 2.5.2-1.1 (bug #741299) [wheezy] - freetype (vuln. code introduced around 2.5) [squeeze] - freetype (vuln. code introduced around 2.5) NOTE: http://sourceforge.net/projects/freetype/files/freetype2/2.5.3/ NOTE: https://savannah.nongnu.org/bugs/?41697#comment0 CVE-2014-2239 RESERVED CVE-2014-2234 (A certain Apple patch for OpenSSL in Apple OS X 10.9.2 and earlier use ...) - openssl (Apple-specific patch) CVE-2014-2233 (Server-side request forgery (SSRF) vulnerability in the MapAPI in Info ...) NOT-FOR-US: Infoware MapSuite CVE-2014-2232 (Absolute path traversal vulnerability in the MapAPI in Infoware MapSui ...) NOT-FOR-US: Infoware MapSuite CVE-2014-2231 (Cross-site scripting (XSS) vulnerability in the API in synetics i-doit ...) NOT-FOR-US: synetics i-doit pro CVE-2014-2230 (Open redirect vulnerability in the header function in adclick.php in O ...) NOT-FOR-US: OpenX CVE-2014-2229 RESERVED CVE-2014-2228 (The XStream extension in HP Fortify SCA before 2.2 RC3 allows remote a ...) NOT-FOR-US: HP Fortify SCA CVE-2014-2227 (The default Flash cross-domain policy (crossdomain.xml) in Ubiquiti Ne ...) NOT-FOR-US: Ubiquiti Networks CVE-2014-2226 (Ubiquiti UniFi Controller before 3.2.1 logs the administrative passwor ...) NOT-FOR-US: Ubiquiti Networks CVE-2014-2225 (Multiple cross-site request forgery (CSRF) vulnerabilities in Ubiquiti ...) NOT-FOR-US: Ubiquiti Networks CVE-2014-2224 (Plogger 1.0 RC1 and earlier, when the Lucid theme is used, does not as ...) NOT-FOR-US: Plogger CVE-2014-2223 (Unrestricted file upload vulnerability in plog-admin/plog-upload.php i ...) NOT-FOR-US: Plogger CVE-2014-2222 RESERVED CVE-2014-2221 RESERVED CVE-2014-2220 RESERVED CVE-2014-2219 (Cross-site scripting (XSS) vulnerability in whizzywig/wb.php in CMSimp ...) NOT-FOR-US: CMSimple CVE-2014-2218 RESERVED CVE-2014-2217 (Absolute path traversal vulnerability in the RadAsyncUpload control in ...) NOT-FOR-US: Telerik UI for ASP.NET AJAX CVE-2014-2216 (The FortiManager protocol service in Fortinet FortiOS before 4.3.16 an ...) NOT-FOR-US: Fortinet FortiOS CVE-2014-2215 REJECTED CVE-2014-2210 (Multiple directory traversal vulnerabilities in CA ERwin Web Portal 9. ...) NOT-FOR-US: Erwin Web Portal CVE-2014-2209 (Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supp ...) NOT-FOR-US: Facebook HipHop Virtual Machine CVE-2014-2208 (CRLF injection vulnerability in the LightProcess protocol implementati ...) NOT-FOR-US: Facebook HipHop Virtual Machine CVE-2014-2207 RESERVED CVE-2014-2205 (The Import and Export Framework in McAfee ePolicy Orchestrator (ePO) b ...) NOT-FOR-US: McAfee ePolicy Orchestrator CVE-2014-2204 RESERVED CVE-2014-2203 RESERVED CVE-2014-2202 RESERVED CVE-2014-2201 (The Message Transfer Service (MTS) in Cisco NX-OS before 6.2(7) on MDS ...) NOT-FOR-US: Cisco NX-OS CVE-2014-2200 (Cisco NX-OS 5.0 before 5.0(5) on Nexus 7000 devices, when local authen ...) NOT-FOR-US: Cisco CVE-2014-2199 (meetinginfo.do in Cisco WebEx Event Center, WebEx Meeting Center, WebE ...) NOT-FOR-US: Cisco WebEx CVE-2014-2198 (Cisco Unified Communications Domain Manager (CDM) in Unified CDM Platf ...) NOT-FOR-US: Cisco Unified Communications Domain Manager CVE-2014-2197 (The Administration GUI in the web framework in Cisco Unified Communica ...) NOT-FOR-US: Cisco Unified Communications Domain Manager CVE-2014-2196 (Cisco Wide Area Application Services (WAAS) 5.1.1 before 5.1.1e, when ...) NOT-FOR-US: Cisco Wide Area Application Services CVE-2014-2195 (Cisco AsyncOS on Email Security Appliance (ESA) and Content Security M ...) NOT-FOR-US: Cisco AsyncOS CVE-2014-2194 (system/egain/chat/entrypoint in Cisco Unified Web and E-mail Interacti ...) NOT-FOR-US: Cisco Unified Web and E-mail Interaction Manager CVE-2014-2193 (Cisco Unified Web and E-Mail Interaction Manager places session identi ...) NOT-FOR-US: Cisco Unified Web and E-Mail Interaction Manager CVE-2014-2192 (Cross-site scripting (XSS) vulnerability in Cisco Unified Web and E-ma ...) NOT-FOR-US: Cisco Unified Web and E-Mail Interaction Manager CVE-2014-2191 (Cross-site scripting (XSS) vulnerability in the web framework in Cisco ...) NOT-FOR-US: Cisco CVE-2014-2190 (Cross-site request forgery (CSRF) vulnerability in the web framework i ...) NOT-FOR-US: Cisco CVE-2014-2189 REJECTED CVE-2014-2188 REJECTED CVE-2014-2187 RESERVED CVE-2014-2186 (Cross-site request forgery (CSRF) vulnerability in the web framework i ...) NOT-FOR-US: Cisco WebEx Meetings Server CVE-2014-2185 (The Call Detail Records (CDR) Management component in Cisco Unified Co ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-2184 (The IP Manager Assistant (IPMA) component in Cisco Unified Communicati ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-2183 (The L2TP module in Cisco IOS XE 3.10S(.2) and earlier on ASR 1000 rout ...) NOT-FOR-US: Cisco CVE-2014-2182 (Cisco Adaptive Security Appliance (ASA) Software, when DHCPv6 replay i ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2014-2181 (Cisco Adaptive Security Appliance (ASA) Software allows remote authent ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2014-2180 (The Document Management component in Cisco Unified Contact Center Expr ...) NOT-FOR-US: Cisco Unified Contact Center Express CVE-2014-2179 (The Cisco RV router firmware on RV220W devices, before 1.0.5.9 on RV12 ...) NOT-FOR-US: Cisco RV CVE-2014-2178 (Cross-site request forgery (CSRF) vulnerability in the administrative ...) NOT-FOR-US: Cisco RV CVE-2014-2177 (The network-diagnostics administration interface in the Cisco RV route ...) NOT-FOR-US: Cisco RV CVE-2014-2176 (Cisco IOS XR 4.1.2 through 5.1.1 on ASR 9000 devices, when a Trident-b ...) NOT-FOR-US: Cisco IOS CVE-2014-2175 (Cisco TelePresence TC Software 4.x and 5.x and TE Software 4.x and 6.0 ...) NOT-FOR-US: Cisco CVE-2014-2174 (Cisco TelePresence T, TelePresence TE, and TelePresence TC before 7.1 ...) NOT-FOR-US: Cisco CVE-2014-2173 (Cisco TelePresence TC Software 4.x and 5.x and TE Software 4.x and 6.0 ...) NOT-FOR-US: Cisco CVE-2014-2172 (Buffer overflow in Cisco TelePresence TC Software 4.x and 5.x and TE S ...) NOT-FOR-US: Cisco CVE-2014-2171 (Heap-based buffer overflow in Cisco TelePresence TC Software 4.x throu ...) NOT-FOR-US: Cisco CVE-2014-2170 (Cisco TelePresence TC Software 4.x and 5.x before 5.1.7 and 6.x before ...) NOT-FOR-US: Cisco CVE-2014-2169 (Cisco TelePresence TC Software 4.x through 6.x before 6.2.0 and TE Sof ...) NOT-FOR-US: Cisco CVE-2014-2168 (Buffer overflow in Cisco TelePresence TC Software 4.x and 5.x and TE S ...) NOT-FOR-US: Cisco CVE-2014-2167 (The SIP implementation in Cisco TelePresence TC Software 4.x and 5.x a ...) NOT-FOR-US: Cisco CVE-2014-2166 (The SIP implementation in Cisco TelePresence TC Software 4.x and TE So ...) NOT-FOR-US: Cisco CVE-2014-2165 (The SIP implementation in Cisco TelePresence TC Software 4.x and 5.x a ...) NOT-FOR-US: Cisco CVE-2014-2164 (The SIP implementation in Cisco TelePresence TC Software 4.x and 5.x a ...) NOT-FOR-US: Cisco CVE-2014-2163 (The SIP implementation in Cisco TelePresence TC Software 4.x and 5.x a ...) NOT-FOR-US: Cisco CVE-2014-2162 (The SIP implementation in Cisco TelePresence TC Software 4.x and 5.x a ...) NOT-FOR-US: Cisco CVE-2014-2161 (The H.225 subsystem in Cisco TelePresence System MXP Series Software b ...) NOT-FOR-US: Cisco CVE-2014-2160 (The H.225 subsystem in Cisco TelePresence System MXP Series Software b ...) NOT-FOR-US: Cisco CVE-2014-2159 (The H.225 subsystem in Cisco TelePresence System MXP Series Software b ...) NOT-FOR-US: Cisco CVE-2014-2158 (Cisco TelePresence System MXP Series Software before F9.3.1 allows rem ...) NOT-FOR-US: Cisco CVE-2014-2157 (Cisco TelePresence System MXP Series Software before F9.3.1 allows rem ...) NOT-FOR-US: Cisco CVE-2014-2156 (Cisco TelePresence System MXP Series Software before F9.3.1 allows rem ...) NOT-FOR-US: Cisco CVE-2014-2155 (The DHCPv6 server module in Cisco CNS Network Registrar 7.1 allows rem ...) NOT-FOR-US: Cisco CVE-2014-2154 (Memory leak in the SIP inspection engine in Cisco Adaptive Security Ap ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2014-2153 (Multiple cross-site scripting (XSS) vulnerabilities in INSERT pages in ...) NOT-FOR-US: Cisco Prime Infrastructure CVE-2014-2152 (Cross-site request forgery (CSRF) vulnerability in the INSERT page in ...) NOT-FOR-US: Cisco Prime Infrastructure CVE-2014-2151 (The WebVPN portal in Cisco Adaptive Security Appliance (ASA) Software ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2014-2150 REJECTED CVE-2014-2149 REJECTED CVE-2014-2148 RESERVED CVE-2014-2147 (The web interface in Cisco Prime Infrastructure 2.1 and earlier does n ...) NOT-FOR-US: Cisco Prime Infrastructure CVE-2014-2146 (The Zone-Based Firewall (ZBFW) functionality in Cisco IOS, possibly 15 ...) NOT-FOR-US: Cisco CVE-2014-2145 (Directory traversal vulnerability in the messaging API in Cisco Unity ...) NOT-FOR-US: Cisco CVE-2014-2144 (Cisco IOS XR does not properly throttle ICMPv6 redirect packets, which ...) NOT-FOR-US: Cisco CVE-2014-2143 (The IKE implementation in Cisco IOS 15.4(1)T and earlier and IOS XE al ...) NOT-FOR-US: Cisco CVE-2014-2142 (Cisco ONS 15454 controller cards with software 10.0 and earlier allow ...) NOT-FOR-US: Cisco ONS CVE-2014-2141 (The session-termination functionality on Cisco ONS 15454 controller ca ...) NOT-FOR-US: Cisco ONS CVE-2014-2140 (Cisco ONS 15454 controller cards with software 9.6 and earlier allow r ...) NOT-FOR-US: Cisco ONS CVE-2014-2139 (Cisco ONS 15454 controller cards with software 9.6 and earlier allow r ...) NOT-FOR-US: Cisco ONS CVE-2014-2138 (CRLF injection vulnerability in the web framework in Cisco Security Ma ...) NOT-FOR-US: Cisco Security Manager CVE-2014-2137 (CRLF injection vulnerability in the web framework in Cisco Web Securit ...) NOT-FOR-US: Cisco Web Security Appliance CVE-2014-2136 (Buffer overflow in Cisco Advanced Recording Format (ARF) player T27 LD ...) NOT-FOR-US: Cisco WebEx CVE-2014-2135 (Buffer overflow in Cisco Advanced Recording Format (ARF) player T27 LD ...) NOT-FOR-US: Cisco WebEx CVE-2014-2134 (Heap-based buffer overflow in Cisco WebEx Recording Format (WRF) playe ...) NOT-FOR-US: Cisco WebEx CVE-2014-2133 (Buffer overflow in Cisco Advanced Recording Format (ARF) player T27 LD ...) NOT-FOR-US: Cisco WebEx CVE-2014-2132 (Cisco WebEx Recording Format (WRF) player and Advanced Recording Forma ...) NOT-FOR-US: Cisco WebEx CVE-2014-2131 (The packet driver in Cisco IOS allows remote attackers to cause a deni ...) NOT-FOR-US: Cisco IOS CVE-2014-2130 (Cisco Secure Access Control Server (ACS) provides an unintentional adm ...) NOT-FOR-US: Cisco CVE-2014-2129 (The SIP inspection engine in Cisco Adaptive Security Appliance (ASA) S ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2014-2128 (The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2014-2127 (Cisco Adaptive Security Appliance (ASA) Software 8.x before 8.2(5.48), ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2014-2126 (Cisco Adaptive Security Appliance (ASA) Software 8.2 before 8.2(5.47), ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2014-2125 (Cross-site scripting (XSS) vulnerability in the Web Inbox in Cisco Uni ...) NOT-FOR-US: Cisco Unity Connection Server CVE-2014-2124 (Cisco IOS 15.1(2)SY3 and earlier, when used with Supervisor Engine 2T ...) NOT-FOR-US: Cisco CVE-2014-2123 RESERVED CVE-2014-2122 (Memory leak in the GUI in the Impact server in Cisco Hosted Collaborat ...) NOT-FOR-US: Cisco CVE-2014-2121 (The Java-based software in Cisco Hosted Collaboration Solution (HCS) a ...) NOT-FOR-US: Cisco CVE-2014-2120 (Cross-site scripting (XSS) vulnerability in the WebVPN login page in C ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2014-2119 (The End User Safelist/Blocklist (aka SLBL) service in Cisco AsyncOS So ...) NOT-FOR-US: Cisco AsyncOS CVE-2014-2118 (Multiple cross-site scripting (XSS) vulnerabilities in dashboard-relat ...) NOT-FOR-US: Cisco PRSM CVE-2014-2117 (Multiple open redirect vulnerabilities in Cisco Emergency Responder (E ...) NOT-FOR-US: Cisco CVE-2014-2116 (Cisco Emergency Responder (ER) 8.6 and earlier allows remote attackers ...) NOT-FOR-US: Cisco CVE-2014-2115 (Multiple cross-site request forgery (CSRF) vulnerabilities in CERUserS ...) NOT-FOR-US: Cisco CVE-2014-2114 (Cross-site scripting (XSS) vulnerability in UserServlet in Cisco Emerg ...) NOT-FOR-US: Cisco CVE-2014-2113 (Cisco IOS 15.1 through 15.3 and IOS XE 3.3 and 3.5 before 3.5.2E; 3.7 ...) NOT-FOR-US: Cisco IOS CVE-2014-2112 (The SSL VPN (aka WebVPN) feature in Cisco IOS 15.1 through 15.4 allows ...) NOT-FOR-US: Cisco IOS CVE-2014-2111 (The Application Layer Gateway (ALG) module in Cisco IOS 12.2 through 1 ...) NOT-FOR-US: Cisco IOS CVE-2014-2110 RESERVED CVE-2014-2109 (The TCP Input module in Cisco IOS 12.2 through 12.4 and 15.0 through 1 ...) NOT-FOR-US: Cisco IOS CVE-2014-2108 (Cisco IOS 12.2 and 15.0 through 15.3 and IOS XE 3.2 through 3.7 before ...) NOT-FOR-US: Cisco IOS CVE-2014-2107 (Cisco IOS 12.2 and 15.0 through 15.3, when used with the Kailash FPGA ...) NOT-FOR-US: Cisco CVE-2014-2106 (Cisco IOS 15.3M before 15.3(3)M2 and IOS XE 3.10.xS before 3.10.2S all ...) NOT-FOR-US: Cisco IOS CVE-2014-2105 RESERVED CVE-2014-2104 (Multiple cross-site scripting (XSS) vulnerabilities in the Business Vo ...) NOT-FOR-US: Cisco Unified Communications Domain Manager CVE-2014-2103 (Cisco Intrusion Prevention System (IPS) Software allows remote attacke ...) NOT-FOR-US: Cisco Intrusion Prevention System CVE-2014-2102 (Cisco Unified Contact Center Express (Unified CCX) does not properly r ...) NOT-FOR-US: Cisco Unified Contact Center Express CVE-2014-2101 RESERVED CVE-2014-2100 RESERVED CVE-2014-2099 (The msrle_decode_frame function in libavcodec/msrle.c in FFmpeg before ...) - ffmpeg (Vulnerable code not present) - libav (Vulnerable code not present) NOTE: [Anton] appears to not be present in any version of libav CVE-2014-2098 (libavcodec/wmalosslessdec.c in FFmpeg before 2.1.4 uses an incorrect d ...) - ffmpeg (Vulnerable code not present) - libav 6:10.4-1 [wheezy] - libav (Vulnerable code not present) NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=849b9d34 (master) NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=6be5a3c0 (release/10) NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=36d8914f (release/9) CVE-2014-2097 (The tak_decode_frame function in libavcodec/takdec.c in FFmpeg before ...) - ffmpeg (Vulnerable code not present) - libav (Vulnerable code not present) NOTE: [Anton] appears to not be present in any version of libav CVE-2014-2092 (Cross-site scripting (XSS) vulnerability in lib/filemanager/ImageManag ...) - cmsms (bug #608888) CVE-2014-2091 (Cross-site scripting (XSS) vulnerability in mods/_standard/forums/admi ...) NOT-FOR-US: ATutor CVE-2014-2090 (Multiple cross-site scripting (XSS) vulnerabilities in ilias.php in IL ...) NOT-FOR-US: ILIAS CVE-2014-2089 (ILIAS 4.4.1 allows remote attackers to execute arbitrary PHP code via ...) NOT-FOR-US: ILIAS CVE-2014-2088 (Unrestricted file upload vulnerability in ilias.php in ILIAS 4.4.1 all ...) NOT-FOR-US: ILIAS CVE-2014-2087 (Stack-based buffer overflow in the CDownloads_Deleted::UpdateDownload ...) NOT-FOR-US: Free Download Manager CVE-2013-7332 (The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earl ...) NOT-FOR-US: Microsoft Windows CVE-2013-7331 (The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earl ...) NOT-FOR-US: Microsoft Windows CVE-2014-2285 (The perl_trapd_handler function in perl/TrapReceiver/TrapReceiver.xs i ...) - net-snmp 5.7.2.1~dfsg-3 (unimportant) [wheezy] - net-snmp 5.4.3~dfsg-2.8+deb7u1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1072044 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1072778 NOTE: Upstream fix: http://sourceforge.net/p/net-snmp/code/ci/76e8d6d100320629d8a23be4b0128619600c919d/ NOTE: unimportant since it only segfaults with older Perl version NOTE: http://www.nntp.perl.org/group/perl.perl5.porters/2006/09/msg116250.html NOTE: http://perl5.git.perl.org/perl.git/commitdiff/ddfa59c CVE-2014-2284 (The Linux implementation of the ICMP-MIB in Net-SNMP 5.5 before 5.5.2. ...) - net-snmp 5.7.2.1~dfsg-3 (bug #742817) [wheezy] - net-snmp (Only affects code from 5.5 through 5.7.2) [squeeze] - net-snmp (Only affects code from 5.5 through 5.7.2) NOTE: http://sourceforge.net/p/net-snmp/mailman/message/32026655/ NOTE: http://sourceforge.net/p/net-snmp/code/ci/a1fd64716f6794c55c34d77e618210238a73bfa1/ CVE-2014-XXXX [buffer overflow] - mp3gain (low; bug #740268) [squeeze] - mp3gain (Minor issue) [wheezy] - mp3gain (Minor issue) NOTE: http://sourceforge.net/p/mp3gain/bugs/36/ CVE-2014-2270 (softmagic.c in file before 5.17 and libmagic allows context-dependent ...) {DSA-2943-1 DSA-2873-1 DLA-145-1} - file 1:5.17-1 NOTE: http://bugs.gw.com/view.php?id=313 NOTE: https://github.com/glensc/file/commit/447558595a3650db2886cd2f416ad0beba965801 - php5 5.5.10+dfsg-1 (bug #740960) NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=a33759fd275b32ed0bbe89796fe2953b3cb0b41f CVE-2013-7345 (The BEGIN regular expression in the awk script detector in magic/Magdi ...) {DSA-3064-1 DSA-2873-1} - file 1:5.17-0.1 (bug #703993) NOTE: http://bugs.gw.com/view.php?id=164 NOTE: fixed in commit ef2329cf71acb59204dd981e2c6cce6c81fe467c - php5 5.6.0+dfsg-1 [squeeze] - php5 (Vulnerable code not present) NOTE: Wheezy's php5 is vulnerable in 5.4.4-14+deb7u14. Verified by rebuilding NOTE: magic.mgc out of ext/fileinfo/data_info.c and "strings magic.mgc |grep BEGIN" NOTE: returns "^\s*BEGIN\s*[{]". Same test in squeeze does not NOTE: report the problematic string. NOTE: Good fix is to regenerate the file with "php5 NOTE: create_data_file.php /usr/share/file/magic.mgc > data_info.c" once NOTE: you have a fixed libmagic1 installed. NOTE: fixed by php5 5.4.27 so DSA 3064-1 also fixed it in Wheezy CVE-2014-5795 REJECTED CVE-2014-2245 (SQL injection vulnerability in the News module in CMS Made Simple (CMS ...) - cmsms (bug #608888) CVE-2014-2244 (Cross-site scripting (XSS) vulnerability in the formatHTML function in ...) - mediawiki (vulnerable code not present) NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=61362 NOTE: https://gerrit.wikimedia.org/r/#/q/Idf985e4e69c2f11778a8a90503914678441cb3fb,n,z CVE-2014-2243 (includes/User.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x befor ...) - mediawiki 1:1.19.12+dfsg-1 [squeeze] - mediawiki NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=61346 NOTE: https://gerrit.wikimedia.org/r/#/q/I2a9e89120f7092015495e638c6fa9f67adc9b84f,n,z CVE-2014-2242 (includes/upload/UploadBase.php in MediaWiki before 1.19.12, 1.20.x and ...) - mediawiki 1:1.19.12+dfsg-1 [squeeze] - mediawiki NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=60771 NOTE: https://gerrit.wikimedia.org/r/#/q/7d923a6b53f7fbcb0cbc3a19797d741bf6f440eb,n,z CVE-2014-2238 (SQL injection vulnerability in the manage configuration page (adm_conf ...) - mantis [wheezy] - mantis (Introduced in 1.2.13) [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: http://www.mantisbt.org/bugs/view.php?id=17055 CVE-2014-2237 (The memcache token backend in OpenStack Identity (Keystone) 2013.1 thr ...) - keystone 2013.2.3-1 [wheezy] - keystone (Minor issue) NOTE: https://launchpad.net/bugs/1260080 CVE-2014-2236 (Multiple cross-site scripting (XSS) vulnerabilities in Askbot before 0 ...) - askbot (bug #687966) CVE-2014-2235 (Cross-site scripting (XSS) vulnerability in Askbot before 0.7.49 allow ...) - askbot (bug #687966) CVE-2014-2214 (Multiple cross-site scripting (XSS) vulnerabilities in POSH (aka Posh ...) NOT-FOR-US: POSH web app (different from src:posh) CVE-2014-2213 (Open redirect vulnerability in the password reset functionality in POS ...) NOT-FOR-US: POSH web app (different from src:posh) CVE-2014-2212 (The remember me feature in portal/scr_authentif.php in POSH (aka Posh ...) NOT-FOR-US: POSH web app (different from src:posh) CVE-2014-2211 (SQL injection vulnerability in portal/addtoapplication.php in POSH (ak ...) NOT-FOR-US: POSH web app (different from src:posh) CVE-2014-2206 (Stack-based buffer overflow in GetGo Download Manager 4.9.0.1982, 4.8. ...) NOT-FOR-US: GetGo Download Manager CVE-2014-2096 (Untrusted search path vulnerability in Catfish 0.6.0 through 1.0.0 all ...) - catfish 1.0.1-1 (low; bug #739958) [squeeze] - catfish 0.3.2-1+deb6u1 [wheezy] - catfish 0.3.2-2+deb7u1 CVE-2014-2095 (Untrusted search path vulnerability in Catfish 0.6.0 through 1.0.0, wh ...) - catfish 1.0.1-1 (low; bug #739958) [squeeze] - catfish 0.3.2-1+deb6u1 [wheezy] - catfish 0.3.2-2+deb7u1 CVE-2014-2094 (Untrusted search path vulnerability in Catfish through 0.4.0.3, when a ...) - catfish 1.0.1-1 (low; bug #739958) [squeeze] - catfish 0.3.2-1+deb6u1 [wheezy] - catfish 0.3.2-2+deb7u1 CVE-2014-2093 (Untrusted search path vulnerability in Catfish through 0.4.0.3 allows ...) - catfish 1.0.1-1 (low; bug #739958) [squeeze] - catfish 0.3.2-1+deb6u1 [wheezy] - catfish 0.3.2-2+deb7u1 CVE-2014-2086 RESERVED CVE-2014-2085 REJECTED CVE-2014-2084 (Skybox View Appliances with ISO 6.3.33-2.14, 6.3.31-2.14, 6.4.42-2.54, ...) NOT-FOR-US: Skybox View Appliances CVE-2014-2083 RESERVED CVE-2014-2082 RESERVED CVE-2014-2081 (Multiple SQL injection vulnerabilities in the login in web_reports/cgi ...) NOT-FOR-US: Innovative vtls-Virtua CVE-2014-2080 (Cross-site scripting (XSS) vulnerability in manager/templates/default/ ...) NOT-FOR-US: MODx Revolution CVE-2014-2079 (X File Explorer (aka xfe) might allow local users to bypass intended a ...) - xfe 1.37-2 (bug #739536) [wheezy] - xfe (Minor issue) [squeeze] - xfe (Minor issue) CVE-2014-2078 (The backend in Open-Xchange (OX) AppSuite 7.4.2 before 7.4.2-rev9 allo ...) NOT-FOR-US: Open-Xchange CVE-2014-2077 (Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchan ...) NOT-FOR-US: Open-Xchange CVE-2014-2076 RESERVED CVE-2014-2075 (TIBCO Enterprise Administrator 1.0.0 and Enterprise Administrator SDK ...) NOT-FOR-US: TIBCO Enterprise Administrator CVE-2014-2074 RESERVED CVE-2014-2073 (Stack-based buffer overflow in Dassault Systemes CATIA V5-6R2013 allow ...) NOT-FOR-US: Dassault Systemes Catia CVE-2014-2072 (Dassault Systemes Catia V5-6R2013: Stack Buffer Overflow due to inadeq ...) NOT-FOR-US: Dassault Systemes Catia CVE-2014-2071 (Aruba Networks ClearPass Policy Manager 6.1.x, 6.2.x before 6.2.5.6164 ...) NOT-FOR-US: Aruba Networks ClearPass Policy Manager CVE-2014-2070 RESERVED CVE-2014-2069 (Absolute path traversal vulnerability in Eshtery CMS allows remote att ...) NOT-FOR-US: Eshtery CMS CVE-2014-2068 (The doIndex function in hudson/util/RemotingDiagnostics.java in CloudB ...) - jenkins 1.565.2-1 (bug #739067) NOTE: https://github.com/jenkinsci/jenkins/commit/0530a6645aac10fec005614211660e98db44b5eb CVE-2014-2067 (Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.ja ...) - jenkins 1.565.2-1 (bug #739067) NOTE: https://github.com/jenkinsci/jenkins/commit/5d57c855f3147bfc5e7fda9252317b428a700014 CVE-2014-2066 (Session fixation vulnerability in Jenkins before 1.551 and LTS before ...) - jenkins 1.565.2-1 (bug #739067) NOTE: https://github.com/jenkinsci/jenkins/commit/8ac74c350779921598f9d5edfed39dd35de8842a CVE-2014-2065 (Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and L ...) - jenkins 1.565.2-1 (bug #739067) NOTE: https://github.com/jenkinsci/jenkins/commit/a0b00508eeb74d7033dc4100eb382df4e8fa72e7 CVE-2014-2064 (The loadUserByUsername function in hudson/security/HudsonPrivateSecuri ...) - jenkins 1.565.2-1 (bug #739067) NOTE: https://github.com/jenkinsci/jenkins/commit/fbf96734470caba9364f04e0b77b0bae7293a1ec CVE-2014-2063 (Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to ...) - jenkins 1.565.2-1 (bug #739067) NOTE: https://github.com/jenkinsci/jenkins/commit/16931bd7bf7560e26ef98328b8e95e803d0e90f6 CVE-2014-2062 (Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the AP ...) - jenkins 1.565.2-1 (bug #739067) NOTE: https://github.com/jenkinsci/jenkins/commit/5548b5220cfd496831b5721124189ff18fbb12a3 CVE-2014-2061 (The input control in PasswordParameterDefinition in Jenkins before 1.5 ...) - jenkins 1.565.2-1 (bug #739067) NOTE: https://github.com/jenkinsci/jenkins/commit/bf539198564a1108b7b71a973bf7de963a6213ef CVE-2014-2060 (The Winstone servlet container in Jenkins before 1.551 and LTS before ...) - jenkins 1.565.2-1 (bug #739067) NOTE: https://github.com/jenkinsci/jenkins/commit/29351af4bd01f61715418916fc12c52be46bd9b0 CVE-2014-2059 (Directory traversal vulnerability in the CLI job creation (hudson/cli/ ...) - jenkins 1.565.2-1 (bug #739067) NOTE: https://github.com/jenkinsci/jenkins/commit/ad38d8480f20ce3cbf8fec3e2003bc83efda4f7d CVE-2014-2058 (BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows rem ...) - jenkins 1.565.2-1 (bug #739067) NOTE: https://github.com/jenkinsci/jenkins/commit/b6b2a367a7976be80a799c6a49fa6c58d778b50e CVE-2014-2057 (Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before ...) - owncloud 6.0.2+dfsg-1 NOTE: http://owncloud.org/about/security/advisories/oC-SA-2014-007/ CVE-2014-2056 (PHPDocX, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0 ...) - owncloud 6.0.2+dfsg-1 - phpdocx 3.0+dfsg-2 NOTE: http://owncloud.org/about/security/advisories/oC-SA-2014-006/ CVE-2014-2055 (SabreDAV before 1.7.11, as used in ownCloud Server before 5.0.15 and 6 ...) - owncloud 6.0.2+dfsg-1 - php-sabredav 1.7.11+dfsg-1 NOTE: https://github.com/fruux/sabre-dav/releases/tag/1.7.11 NOTE: http://owncloud.org/about/security/advisories/oC-SA-2014-006/ CVE-2014-2054 (PHPExcel before 1.8.0, as used in ownCloud Server before 5.0.15 and 6. ...) - owncloud 6.0.2+dfsg-1 - dolibarr 3.5.3+dfsg1-1 - moodle 2.7.5+dfsg-3 (bug #775842) [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: dolibarr removed phpexcel in 3.5.3+dfsg1-1 / #729538 NOTE: moodle also contain a copy of PHPExcel NOTE: owncloud does not mention details NOTE: http://owncloud.org/about/security/advisories/oC-SA-2014-006/ NOTE: https://github.com/PHPOffice/PHPExcel/blob/develop/changelog.txt CVE-2014-2053 (getID3() before 1.9.8, as used in ownCloud Server before 5.0.15 and 6. ...) {DSA-3001-1 DLA-56-1} - owncloud 6.0.2+dfsg-1 - php-getid3 1.9.7-2 [wheezy] - php-getid3 1.9.3-1+deb7u1 [squeeze] - php-getid3 (Vulnerable code not present) NOTE: https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc NOTE: http://owncloud.org/about/security/advisories/oC-SA-2014-006/ - wordpress 3.9.2+dfsg-1 (bug #757312) NOTE: https://core.trac.wordpress.org/changeset/29390 CVE-2014-2052 (Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x bef ...) - owncloud 6.0.2+dfsg-1 NOTE: owncloud advisory does not mention details for ZendFramework NOTE: http://owncloud.org/about/security/advisories/oC-SA-2014-006/ NOTE: The reference wrt zendframework is for CVE-2012-6532 CVE-2014-2051 (ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote att ...) - owncloud 6.0.2+dfsg-1 CVE-2014-2050 (Cross-site request forgery (CSRF) vulnerability in ownCloud Server bef ...) - owncloud 6.0.2+dfsg-1 CVE-2014-2049 (The default Flash Cross Domain policies in ownCloud before 5.0.15 and ...) - owncloud 6.0.0+dfsg-1 CVE-2014-2048 (The user_openid app in ownCloud Server before 5.0.15 allows remote att ...) - owncloud CVE-2014-2047 (Session fixation vulnerability in ownCloud before 6.0.2, when PHP is c ...) - owncloud 6.0.2+dfsg-1 CVE-2014-2046 (cgi-bin/rpcBridge in the web interface 1.1 on Broadcom Ltd PIPA C211 r ...) NOT-FOR-US: Broadcom Ltd PIPA C211 CVE-2014-2045 (Multiple cross-site scripting (XSS) vulnerabilities in the old and new ...) NOT-FOR-US: Viprinet CVE-2014-2044 (Incomplete blacklist vulnerability in ajax/upload.php in ownCloud befo ...) - owncloud (Windows-specific) CVE-2014-2043 (SQL injection vulnerability in Resources/System/Templates/Data.aspx in ...) NOT-FOR-US: Procentia IntelliPen CVE-2014-2042 (Unrestricted file upload vulnerability in the Manage Project functiona ...) NOT-FOR-US: Livetecs Timelive CVE-2014-2041 RESERVED CVE-2014-2040 (Multiple cross-site scripting (XSS) vulnerabilities in the (1) callbac ...) NOT-FOR-US: WordPress plugin MediaFileRenamer CVE-2014-2038 (The nfs_can_extend_write function in fs/nfs/write.c in the Linux kerne ...) - linux 3.13.4-1 [wheezy] - linux (Introduced in 3.11) - linux-2.6 (Introduced in 3.11) NOTE: Introduced by https://git.kernel.org/linus/c7559663e42f4294ffe31fe159da6b6a66b35d61 NOTE: Fixed by https://git.kernel.org/linus/263b4509ec4d47e0da3e753f85a39ea12d1eff24 CVE-2014-2036 RESERVED CVE-2014-2035 (Cross-site scripting (XSS) vulnerability in xhr.php in InterWorx Web C ...) NOT-FOR-US: InterWorx Web Control Panel CVE-2014-2034 (Unspecified vulnerability in Sonatype Nexus OSS and Pro 2.4.0 through ...) NOT-FOR-US: Sonatype Nexus OSS CVE-2014-2033 (The caching feature in SGOS in Blue Coat ProxySG 5.5 through 5.5.11.3, ...) NOT-FOR-US: Blue Coat ProxySG CVE-2014-2028 RESERVED CVE-2014-2026 (Cross-site scripting (XSS) vulnerability in the search functionality i ...) NOT-FOR-US: Intrexx CVE-2014-2025 (Unrestricted file upload vulnerability in an unspecified third party t ...) NOT-FOR-US: Intrexx CVE-2014-2024 (Cross-site scripting (XSS) vulnerability in classes/controller/error.p ...) NOT-FOR-US: Open Classifieds CVE-2014-2023 (Multiple SQL injection vulnerabilities in the Tapatalk plugin 4.9.0 an ...) NOT-FOR-US: vBulletin CVE-2014-2022 (SQL injection vulnerability in includes/api/4/breadcrumbs_create.php i ...) NOT-FOR-US: vBulletin CVE-2014-2021 (Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBul ...) NOT-FOR-US: vBulletin CVE-2014-2020 (ext/gd/gd.c in PHP 5.5.x before 5.5.9 does not check data types, which ...) - php5 5.5.9+dfsg-1 [wheezy] - php5 (Vulnerable code was introduced in 5.5.0) [squeeze] - php5 (Vulnerable code was introduced in 5.5.0) CVE-2014-2019 (The iCloud subsystem in Apple iOS before 7.1 allows physically proxima ...) NOT-FOR-US: Apple iOS CVE-2014-2018 (Cross-site scripting (XSS) vulnerability in Mozilla Thunderbird 17.x t ...) - icedove 24.2.0-1 [squeeze] - icedove CVE-2014-2017 (CRLF injection vulnerability in OXID eShop Professional Edition before ...) NOT-FOR-US: OXID eShop CVE-2014-2016 (Multiple cross-site scripting (XSS) vulnerabilities in OXID eShop Prof ...) NOT-FOR-US: OXID eShop CVE-2014-2012 RESERVED CVE-2014-2011 RESERVED CVE-2014-2010 RESERVED CVE-2014-2009 (The mPAY24 payment module before 1.6 for PrestaShop allows remote atta ...) NOT-FOR-US: mPAY24 payment module for PrestaShop CVE-2014-2008 (SQL injection vulnerability in confirm.php in the mPAY24 payment modul ...) NOT-FOR-US: mPAY24 payment module for PrestaShop CVE-2014-2007 RESERVED CVE-2014-2006 (Cross-site scripting (XSS) vulnerability in Intercom Web Kyukincho 3.x ...) NOT-FOR-US: Intercom Web Kyukincho CVE-2014-2005 (Sophos Disk Encryption (SDE) 5.x in Sophos Enterprise Console (SEC) 5. ...) NOT-FOR-US: Sophos Enterprise Console CVE-2014-2004 (The PPP Access Concentrator (PPPAC) on SEIL SEIL/x86 routers 1.00 thro ...) NOT-FOR-US: SEIL routers CVE-2014-2003 (JustSystems JUST Online Update, as used in Ichitaro through 2014 and o ...) NOT-FOR-US: JustSystems Ichitaro CVE-2014-2002 (Cross-site scripting (XSS) vulnerability in C-BOARD Moyuku 1.01b6 and ...) NOT-FOR-US: C-BOARD Moyuku CVE-2014-2001 (The East Japan Railway Company JR East Japan application before 1.2.0 ...) NOT-FOR-US: Android application for East Japan Railway Company CVE-2014-2000 (The NTT 050 plus application before 4.2.1 for Android allows attackers ...) NOT-FOR-US: NTT application for Android CVE-2014-1999 (The auto-format feature in the Request_Curl class in FuelPHP 1.1 throu ...) NOT-FOR-US: FuelPHP CVE-2014-1998 (Cross-site scripting (XSS) vulnerability in Nippon Institute of Agroin ...) NOT-FOR-US: SOY CMS CVE-2014-1997 (The ATEN CN8000 remote-access unit with firmware 1.6.154 and earlier a ...) NOT-FOR-US: ATEN IP KVM Switch CVE-2014-1996 (Cybozu Garoon 3.7 before SP4 allows remote authenticated users to bypa ...) NOT-FOR-US: Cybozu Garoon CVE-2014-1995 (Cross-site scripting (XSS) vulnerability in the Map search functionali ...) NOT-FOR-US: Cybozu Garoon CVE-2014-1994 (Cross-site scripting (XSS) vulnerability in the Notices portlet in Cyb ...) NOT-FOR-US: Cybozu Garoon CVE-2014-1993 (The Portlets subsystem in Cybozu Garoon 2.x and 3.x before 3.7 SP4 all ...) NOT-FOR-US: Cybozu Garoon CVE-2014-1992 (Cross-site scripting (XSS) vulnerability in the Messages functionality ...) NOT-FOR-US: Cybozu Garoon CVE-2014-1991 (Open redirect vulnerability in WebPlatform / AppFramework 6.0 through ...) NOT-FOR-US: NTT DATA INTRAMART CVE-2014-1990 (Cross-site request forgery (CSRF) vulnerability in TopAccess (aka the ...) NOT-FOR-US: TOSHIBA TEC e-Studio CVE-2014-1989 (Cybozu Garoon 3.0 through 3.7 SP3 allows remote authenticated users to ...) NOT-FOR-US: Cybozu Garoon CVE-2014-1988 (The Phone Messages feature in Cybozu Garoon 2.0.0 through 3.7 SP2 allo ...) NOT-FOR-US: Cybozu Garoon CVE-2014-1987 (The CGI component in Cybozu Garoon 3.1.0 through 3.7 SP3 allows remote ...) NOT-FOR-US: Cybozu Garoon CVE-2014-1986 (The Content Provider in the KOKUYO CamiApp application 1.21.1 and earl ...) NOT-FOR-US: KOKUYO CamiApp application CVE-2014-1984 (Session fixation vulnerability in the management screen in Cybozu Remo ...) NOT-FOR-US: Cybozu Remote Service Manager CVE-2014-1983 (Unspecified vulnerability in Cybozu Remote Service Manager through 2.3 ...) NOT-FOR-US: Cybozu Remote Service Manager CVE-2014-1982 (The administrative interface in Allied Telesis AT-RG634A ADSL Broadban ...) NOT-FOR-US: Allied Telesis AT-RG634A ADSL Broadband router CVE-2014-1981 REJECTED CVE-2014-1980 (Cross-site scripting (XSS) vulnerability in include/functions_metadata ...) - piwigo (low) [squeeze] - piwigo (Unsupported in squeeze-lts) NOTE: Request to mark the package as unsupported in #779104 CVE-2014-1979 (The NTT DOCOMO sp mode mail application 5900 through 6300 for Android ...) NOT-FOR-US: NTT DOCOMO mail app CVE-2014-1978 (The application link interface in the NTT DOCOMO sp mode mail applicat ...) NOT-FOR-US: NTT DOCOMO mail app CVE-2014-1977 (The NTT DOCOMO sp mode mail application 6300 and earlier for Android 4 ...) NOT-FOR-US: NTT DOCOMO mail app CVE-2014-1976 (The Demaecan application 2.1.0 and earlier for Android does not verify ...) NOT-FOR-US: Demaecan Android app CVE-2014-1975 (Directory traversal vulnerability in the R-Company Unzipper applicatio ...) NOT-FOR-US: Unzipper Android app CVE-2014-1974 (Directory traversal vulnerability in the LYSESOFT AndExplorer applicat ...) NOT-FOR-US: LYSESOFT CVE-2014-1973 (Directory traversal vulnerability in the NextApp File Explorer applica ...) NOT-FOR-US: NextApp File Explorer application for Android CVE-2014-1972 (Apache Tapestry before 5.3.6 relies on client-side object storage with ...) NOT-FOR-US: Apache Tapestry CVE-2014-1971 (Cross-site scripting (XSS) vulnerability in Silex before 2.0.0 allows ...) NOT-FOR-US: Silex CVE-2014-1970 (Directory traversal vulnerability in the ES File Explorer File Manager ...) NOT-FOR-US: ES File Explorer File Manager for Android CVE-2014-1969 (Directory traversal vulnerability in the apps4u@android SD Card Manage ...) NOT-FOR-US: apps4u@android SD Card Manager application CVE-2014-1968 (Cross-site scripting (XSS) vulnerability in the XooNIps module 3.47 an ...) NOT-FOR-US: XooNIps module for XOOPS CVE-2014-1967 (The Denny's application before 2.0.1 for Android does not verify X.509 ...) NOT-FOR-US: Denny's application for Android CVE-2014-1966 (The SNMP implementation in Siemens RuggedCom ROS before 3.11, ROS 3.11 ...) NOT-FOR-US: Siemens RuggedCom ROS CVE-2014-1965 (Cross-site scripting (XSS) vulnerability in ISpeakAdapter in the Integ ...) NOT-FOR-US: SAP Exchange Infrastructure CVE-2014-1964 (Cross-site scripting (XSS) vulnerability in the Integration Repository ...) NOT-FOR-US: SAP Exchange Infrastructure CVE-2014-1963 (Unspecified vulnerability in Message Server in SAP NetWeaver 7.20 allo ...) NOT-FOR-US: SAP NetWeaver CVE-2014-1962 (Gwsync in SAP CRM 7.02 EHP 2 allows remote attackers to obtain sensiti ...) NOT-FOR-US: SAP CRM CVE-2014-1961 (Unspecified vulnerability in the Portal WebDynPro in SAP NetWeaver all ...) NOT-FOR-US: SAP NetWeaver CVE-2014-1960 (The Solution Manager in SAP NetWeaver does not properly restrict acces ...) NOT-FOR-US: SAP NetWeaver CVE-2014-1957 (FortiGuard FortiWeb before 5.0.3 allows remote authenticated users to ...) NOT-FOR-US: FortiGuard FortiWeb CVE-2014-1956 (CRLF injection vulnerability in FortiGuard FortiWeb before 5.0.3 allow ...) NOT-FOR-US: FortiGuard FortiWeb CVE-2014-1955 (Cross-site scripting (XSS) vulnerability in FortiGuard FortiWeb before ...) NOT-FOR-US: FortiGuard FortiWeb CVE-2014-1954 RESERVED CVE-2014-1953 RESERVED CVE-2014-1952 RESERVED CVE-2014-1951 RESERVED CVE-2014-1946 (OpenDocMan 1.2.7 and earlier does not properly validate allowed action ...) NOT-FOR-US: OpenDocMan CVE-2014-1945 (SQL injection vulnerability in ajax_udf.php in OpenDocMan before 1.2.7 ...) NOT-FOR-US: OpenDocMan CVE-2014-1944 (Cross-site scripting (XSS) vulnerability in Ilch CMS 2.0 and earlier a ...) NOT-FOR-US: Ilch CMS CVE-2014-1942 (Cross-site scripting (XSS) vulnerability in aal/loginverification.aspx ...) NOT-FOR-US: Pearson eSIS Enterprise Student Information System CVE-2014-1941 RESERVED CVE-2014-1940 RESERVED CVE-2014-1931 (The user login page in Visibility Software Cyber Recruiter before 8.1. ...) NOT-FOR-US: Visibility Software Cyber Recruiter CVE-2014-1930 (Visibility Software Cyber Recruiter before 8.1.00 does not use the app ...) NOT-FOR-US: Visibility Software Cyber Recruiter CVE-2013-7330 (Jenkins before 1.502 allows remote authenticated users to configure an ...) - jenkins 1.565.2-1 (bug #739067) NOTE: https://github.com/jenkinsci/jenkins/commit/36342d71e29e0620f803a7470ce96c61761648d8 CVE-2013-7328 (Multiple integer signedness errors in the gdImageCrop function in ext/ ...) - php5 5.5.9+dfsg-1 [wheezy] - php5 (Vulnerable code was introduced in 5.5.0) [squeeze] - php5 (Vulnerable code was introduced in 5.5.0) CVE-2013-7327 (The gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 does ...) - php5 5.5.9+dfsg-1 [wheezy] - php5 (Vulnerable code was introduced in 5.5.0) [squeeze] - php5 (Vulnerable code was introduced in 5.5.0) CVE-2013-7326 (Cross-site scripting (XSS) vulnerability in vTiger CRM 5.4.0 allows re ...) NOT-FOR-US: vTiger CRM CVE-2013-7324 (Webkit-GTK 2.x (any version with HTML5 audio/video support based on GS ...) NOT-FOR-US: Historic webkit issue CVE-2012-6638 (The tcp_rcv_state_process function in net/ipv4/tcp_input.c in the Linu ...) - linux 3.2.29-1 - linux-2.6 [squeeze] - linux-2.6 2.6.32-47 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=fdf5af0daf8019cec2396cdef8fb042d80fe71fa CVE-2014-2039 (arch/s390/kernel/head64.S in the Linux kernel before 3.13.5 on the s39 ...) {DSA-2906-1} - linux 3.13.5-1 [wheezy] - linux 3.2.57-1 - linux-2.6 NOTE: https://git.kernel.org/linus/8d7f6690cedb83456edd41c9bd583783f0703bf0 CVE-2014-2037 (Openswan 2.6.40 allows remote attackers to cause a denial of service ( ...) - openswan (Incomplete fix was never applied) CVE-2014-2032 (Deadwood before 2.3.09, 3.x before 3.2.05, and as used in MaraDNS befo ...) - maradns (Deadwood resolver not enabled) NOTE: https://github.com/samboy/MaraDNS/commit/2cfcd2397cb8168d4aa4594839fabe88420d03c3 CVE-2014-2031 (Deadwood before 2.3.09, 3.x before 3.2.05, and as used in MaraDNS befo ...) - maradns (Deadwood resolver not enabled) NOTE: https://github.com/samboy/MaraDNS/commit/f015495d221f1c2b2f10db38e87cecf3839d6093 CVE-2014-2030 (Stack-based buffer overflow in the WritePSDImage function in coders/ps ...) {DSA-2898-1} - imagemagick 8:6.7.7.10+dfsg-1 (bug #740250) [squeeze] - imagemagick (CVE only for versions with r1448 applied) NOTE: for the issue in newer imagemagick versions using "L%06ld" string. CVE-2014-2029 (The automatic version check functionality in the tools in Percona Tool ...) - percona-toolkit 2.2.7-1~dfsg1 (bug #740846) [wheezy] - percona-toolkit (version-check introduced in 2.1.4) - percona-xtrabackup 2.2.3-1 (bug #751377) CVE-2014-2027 (eGroupware before 1.8.006.20140217 allows remote attackers to conduct ...) - egroupware CVE-2014-2015 (Stack-based buffer overflow in the normify function in the rlm_pap mod ...) {DLA-977-1} - freeradius 2.2.5+dfsg-0.1 (low; bug #742820) [squeeze] - freeradius (Minor issue) NOTE: http://lists.freebsd.org/pipermail/freebsd-bugbusters/2014-February/000610.html NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/0d606cfc29a.patch CVE-2014-2014 (imapsync before 1.584, when running with the --tls option, attempts a ...) - imapsync CVE-2014-1959 (lib/x509/verify.c in GnuTLS before 3.1.21 and 3.2.x before 3.2.11 trea ...) {DSA-2866-1} - gnutls26 2.12.23-12 [squeeze] - gnutls26 (does not allow X.509 v1 certificates by default) - gnutls28 3.2.11-1 NOTE: https://gitlab.com/gnutls/gnutls/commit/b1abfe3d18 NOTE: introduced by https://gitlab.com/gnutls/gnutls/commit/60ee8a0eb9975d123002b1cffbefd60a8cd5fae6 CVE-2014-1958 (Buffer overflow in the DecodePSDPixels function in coders/psd.c in Ima ...) {DSA-2898-1} - imagemagick 8:6.7.7.10+dfsg-1 (bug #740250) [squeeze] - imagemagick (DecodePSDPixels function is not present) NOTE: squeeze: DecodePSDPixels not present but there was a rewrite from DecodeImage? NOTE: http://secunia.com/advisories/56844/ CVE-2014-1950 (Use-after-free vulnerability in the xc_cpupool_getinfo function in Xen ...) {DSA-3006-1} - xen 4.4.0-1 [squeeze] - xen (Xen 4.1 onwards affected) CVE-2014-1949 (GTK+ 3.10.9 and earlier, as used in cinnamon-screensaver, gnome-screen ...) - gtk+3.0 3.11.8-1 [wheezy] - gtk+3.0 (Only affects GTK+ 3.10.9 and later) - gtk+2.0 (Only affects GTK+ 3.10.9 and later) - cinnamon 2.2.14-1 (bug #738828) NOTE: http://www.openwall.com/lists/oss-security/2014/02/12/7 NOTE: https://git.gnome.org/browse/gtk+/commit/?id=1691bb741d50c90ee938f0b73fe81b0ca9bfd6d4 NOTE: The CVE was originally assigned specifically for cinnamon-screensaver, but the underlying fix lies in gtk+3.0 NOTE: and later MITRE assigned the CVE to GTK+ 3.10.9 and later, see official MITRE CVE description. CVE-2014-1948 (OpenStack Image Registry and Delivery Service (Glance) 2013.2 through ...) - glance 2013.2.2-1 (bug #738924) [wheezy] - glance (Only affects Havana) NOTE: https://launchpad.net/bugs/1275062 CVE-2014-1947 (Stack-based buffer overflow in the WritePSDImage function in coders/ps ...) {DSA-2898-1} - imagemagick 8:6.7.7.10+dfsg-1 (bug #740250) NOTE: http://web.archive.org/web/20090120112751/http://trac.imagemagick.org:80/changeset/13736 - graphicsmagick 1.3.20-1 (unimportant) NOTE: for graphicsmagick: https://bugzilla.redhat.com/show_bug.cgi?id=1064098#c13 NOTE: Rendered non-exploitable by fortified source for graphicsmagick CVE-2014-1943 (Fine Free file before 5.17 allows context-dependent attackers to cause ...) {DSA-2868-1 DSA-2861-1} - file 1:5.17-0.1 (bug #738832) NOTE: http://mx.gw.com/pipermail/file/2014/001337.html NOTE: https://github.com/glensc/file/commit/3c081560c23f20b2985c285338b52c7aae9fdb0f NOTE: https://github.com/glensc/file/commit/cc9e74dfeca5265ad725acc926ef0b8d2a18ee70 - php5 5.5.10+dfsg-1 (bug #739012) CVE-2014-1929 (python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to hav ...) {DSA-2946-1} - python-gnupg 0.3.6-1 (bug #738509) CVE-2014-1926 RESERVED CVE-2014-1920 RESERVED CVE-2014-1919 RESERVED CVE-2014-1918 RESERVED CVE-2014-1917 RESERVED CVE-2014-1916 (The (1) opus_packet_get_nb_frames and (2) opus_packet_get_samples_per_ ...) NOT-FOR-US: MumbleKit / Mumble for iOS CVE-2014-1915 (Multiple cross-site request forgery (CSRF) vulnerabilities in Command ...) NOT-FOR-US: Command School Student Management System CVE-2014-1914 (Multiple cross-site scripting (XSS) vulnerabilities in Command School ...) NOT-FOR-US: Command School Student Management System CVE-2014-1913 RESERVED CVE-2014-1911 (The Foscam FI8910W camera with firmware before 11.37.2.55 allows remot ...) NOT-FOR-US: Foscam camera CVE-2014-1910 (Citrix ShareFile Mobile and ShareFile Mobile for Tablets before 2.4.4 ...) NOT-FOR-US: Citrix ShareFile Mobile CVE-2014-1908 (The error-handling feature in (1) bp.php, (2) videowhisper_streaming.p ...) NOT-FOR-US: VideoWhisper Live Streaming Integration plugin for WordPress CVE-2014-1907 (Multiple directory traversal vulnerabilities in the VideoWhisper Live ...) NOT-FOR-US: VideoWhisper Live Streaming Integration plugin for WordPress CVE-2014-1906 (Multiple cross-site scripting (XSS) vulnerabilities in the VideoWhispe ...) NOT-FOR-US: VideoWhisper Live Streaming Integration plugin for WordPress CVE-2014-1905 (Unrestricted file upload vulnerability in ls/vw_snapshots.php in the V ...) NOT-FOR-US: VideoWhisper Live Streaming Integration plugin for WordPress CVE-2014-1904 (Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/Form ...) {DSA-2890-1} - libspring-java 3.0.6.RELEASE-13 (bug #741604) NOTE: http://www.gopivotal.com/security/cve-2014-1904 CVE-2014-1903 (admin/libraries/view.functions.php in FreePBX 2.9 before 2.9.0.14, 2.1 ...) NOT-FOR-US: FreePBX CVE-2014-1902 (Multiple cross-site scripting (XSS) vulnerabilities in Y-Cam camera mo ...) NOT-FOR-US: Y-Cam cameras CVE-2014-1901 (Y-Cam camera models SD range YCB003, YCK003, and YCW003; S range YCB00 ...) NOT-FOR-US: Y-Cam cameras CVE-2014-1900 (Y-Cam camera models SD range YCB003, YCK003, and YCW003; S range YCB00 ...) NOT-FOR-US: Y-Cam cameras CVE-2014-1899 (Cross-site scripting (XSS) vulnerability in Citrix NetScaler Gateway ( ...) NOT-FOR-US: Citrix NetScaler Gateway CVE-2014-1898 RESERVED CVE-2014-1897 RESERVED CVE-2014-1890 RESERVED CVE-2014-1889 (The Group creation process in the Buddypress plugin before 1.9.2 for W ...) NOT-FOR-US: Buddypress plugin for WordPress CVE-2014-1888 (Cross-site scripting (XSS) vulnerability in the BuddyPress plugin befo ...) NOT-FOR-US: BuddyPress plugin for WordPress CVE-2014-1880 RESERVED CVE-2014-1879 (Cross-site scripting (XSS) vulnerability in import.php in phpMyAdmin b ...) {DSA-2975-1} - phpmyadmin 4:4.1.7-1 (unimportant) [squeeze] - phpmyadmin (Vulnerable code not present) CVE-2014-1878 (Stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c i ...) {DSA-2956-1 DLA-1615-1 DLA-461-1 DLA-60-1} - icinga 1.10.3-1 - nagios3 (bug #823721) NOTE: Fixed by https://github.com/Icinga/icinga-core/commit/eedf4f7d88cdc50843572224eb38a2f5c78a2dc5 CVE-2014-1873 RESERVED CVE-2014-1872 RESERVED CVE-2014-1871 RESERVED CVE-2014-1870 (Opera before 19 on Mac OS X allows user-assisted remote attackers to s ...) NOT-FOR-US: Opera CVE-2014-1869 (Multiple cross-site scripting (XSS) vulnerabilities in ZeroClipboard.s ...) - db4o (unimportant) - jenkins 1.565.3-1 (bug #763899) NOTE: in -doc package CVE-2013-7329 (The CGI::Application module before 4.50_50 and 4.50_51 for Perl, when ...) - libcgi-application-perl 4.50-2 (bug #739505) [wheezy] - libcgi-application-perl (Minor issue) [squeeze] - libcgi-application-perl (Minor issue) NOTE: suggested fix https://github.com/markstos/CGI--Application/pull/15 CVE-2013-7325 (An issue exists in uscan in devscripts before 2.13.19, which could let ...) {DSA-2836-1} - devscripts 2.13.9 [squeeze] - devscripts (Minor issue) CVE-2013-7321 (Cross-site scripting (XSS) vulnerability in D-Link DAP-2253 Access Poi ...) NOT-FOR-US: D-Link hardware CVE-2013-7320 (Cross-site request forgery (CSRF) vulnerability in D-Link DAP-2253 Acc ...) NOT-FOR-US: D-Link hardware CVE-2013-7319 (Cross-site scripting (XSS) vulnerability in the Download Manager plugi ...) NOT-FOR-US: WordPress plugin Download Manager CVE-2012-6637 (Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier ...) NOT-FOR-US: Apache Cordova CVE-2012-6636 (The Android API before 17 does not properly restrict the WebView.addJa ...) NOT-FOR-US: Android CVE-2013-7322 (usersfile.c in liboath in OATH Toolkit before 2.4.1 does not properly ...) - oath-toolkit 2.4.1-1 (low; bug #738515) [wheezy] - oath-toolkit (Minor issue) NOTE: http://lists.nongnu.org/archive/html/oath-toolkit-help/2013-12/msg00000.html CVE-2014-1939 (java/android/webkit/BrowserFrame.java in Android before 4.4 uses the a ...) NOT-FOR-US: Android Jelly Bean CVE-2014-1938 (python-rply before 0.7.4 insecurely creates temporary files. ...) - python-rply 0.7.4-1 (unimportant; bug #737627) NOTE: this CVE is for the insecure use of /tmp as followup for CVE-2014-1604 NOTE: https://github.com/alex/rply/issues/42 NOTE: Not exploitable with kernel hardening since wheezy CVE-2014-1937 (Gamera before 3.4.1 insecurely creates temporary files. ...) - gamera 3.4.1-1 (low; bug #737324) [squeeze] - gamera (Minor issue) [wheezy] - gamera 3.3.3-2+deb7u1 CVE-2014-1936 (rc before 1.7.1-5 insecurely creates temporary files. ...) - rc 1.7.1-5 (unimportant; bug #737125) NOTE: Only in the test suite, not part of the standard package CVE-2014-1935 (9base 1:6-6 and 1:6-7 insecurely creates temporary files which results ...) - 9base (unimportant; bug #737206) [squeeze] - 9base (Minor issue) NOTE: Not exploitable with kernel hardening since wheezy CVE-2014-1934 (tag.py in eyeD3 (aka python-eyed3) 7.0.3, 0.6.18, and earlier for Pyth ...) - eyed3 0.6.18-3 (unimportant; bug #737062) [squeeze] - eyed3 (Minor issue) NOTE: Upstream patch: https://bitbucket.org/nicfit/eyed3/commits/372bbacb7a70 NOTE: https://bitbucket.org/nicfit/eyed3/issue/65/tagpy-in-eyed3-allows-local-users-to NOTE: Neutralised by protected_symlinks kernel temp hardening CVE-2014-1933 (The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python ...) - pillow 2.4.0-1 (low; bug #737059) - python-imaging [squeeze] - python-imaging (Minor issue) [wheezy] - python-imaging (Minor issue) CVE-2014-1932 (The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript fun ...) - pillow 2.4.0-1 (low; bug #737059) - python-imaging [squeeze] - python-imaging (Minor issue) [wheezy] - python-imaging (Minor issue) CVE-2014-1928 (The shell_quote function in python-gnupg 0.3.5 does not properly escap ...) {DSA-2946-1} - python-gnupg 0.3.6-1 (bug #738509) CVE-2014-1927 (The shell_quote function in python-gnupg 0.3.5 does not properly quote ...) {DSA-2946-1} - python-gnupg 0.3.6-1 (bug #738509) CVE-2014-1925 (SQL injection vulnerability in the MARC framework import/export functi ...) - koha (bug #702134) CVE-2014-1924 (The MARC framework import/export function (admin/import_export_framewo ...) - koha (bug #702134) CVE-2014-1923 (Multiple directory traversal vulnerabilities in the (1) staff interfac ...) - koha (bug #702134) CVE-2014-1922 (Absolute path traversal vulnerability in tools/pdfViewer.pl in Koha be ...) - koha (bug #702134) CVE-2014-1921 (parcimonie before 0.8.1, when using a large keyring, sleeps for the sa ...) {DSA-2860-1} - parcimonie 0.8.1-1 (bug #738134) CVE-2014-1909 (Integer signedness error in system/core/adb/adb_client.c in Android De ...) - android-tools 4.2.2+git20130529-5.1 (bug #770513) - android-platform-system-core 1:6.0.0+r26-1~stage1 [jessie] - android-platform-system-core (Minor issue) NOTE: http://www.droidsec.org/advisories/2014/02/04/two-security-issues-found-in-the-android-sdk-tools.html CVE-2014-1896 (The (1) do_send and (2) do_recv functions in io.c in libvchan in Xen 4 ...) - xen 4.4.0-1 [squeeze] - xen (Only affects 4.2 and later) [wheezy] - xen (Only affects 4.2 and later) CVE-2014-1895 (Off-by-one error in the flask_security_avc_cachestats function in xsm/ ...) - xen 4.4.0-1 [squeeze] - xen (Only affects 4.2 and later) [wheezy] - xen (Only affects 4.2 and later) CVE-2014-1894 (Multiple integer overflows in unspecified suboperations in the flask h ...) - xen (XSM not enabled in build) NOTE: Debian package not built with XSM_ENABLE, thus resulted binary packages not affected CVE-2014-1893 (Multiple integer overflows in the (1) FLASK_GETBOOL and (2) FLASK_SETB ...) - xen (XSM not enabled in build) NOTE: Debian package not built with XSM_ENABLE, thus resulted binary packages not affected CVE-2014-1892 (Xen 3.3 through 4.1, when XSM is enabled, allows local users to cause ...) - xen (XSM not enabled in build) NOTE: Debian package not built with XSM_ENABLE, thus resulted binary packages not affected CVE-2014-1891 (Multiple integer overflows in the (1) FLASK_GETBOOL, (2) FLASK_SETBOOL ...) - xen (XSM not enabled in build) NOTE: Debian package not built with XSM_ENABLE, thus resulted binary packages not affected CVE-2014-1887 (The DrinkedIn BarFinder application for Android, when Adobe PhoneGap 2 ...) NOT-FOR-US: Apache Cordova CVE-2014-1886 (The Edinburgh by Bus application for Android, when Adobe PhoneGap 2.9. ...) NOT-FOR-US: Apache Cordova CVE-2014-1885 (The ForzeArmate application for Android, when Adobe PhoneGap 2.9.0 or ...) NOT-FOR-US: Apache Cordova CVE-2014-1884 (Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier ...) NOT-FOR-US: Apache Cordova CVE-2014-1883 (Adobe PhoneGap before 2.6.0 on Android uses the shouldOverrideUrlLoadi ...) NOT-FOR-US: Apache Cordova CVE-2014-1882 (Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier ...) NOT-FOR-US: Apache Cordova CVE-2014-1881 (Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier ...) NOT-FOR-US: Apache Cordova CVE-2014-1868 (Restlet Framework 2.1.x before 2.1.7 and 2.x.x before 2.2 RC1, when us ...) - restlet (bug #596472) CVE-2014-1867 (suPHP before 0.7.2 source-highlighting feature allows security bypass ...) - suphp (bug #736969) [squeeze] - suphp (Minor issue) [wheezy] - suphp (Minor issue) CVE-2014-1866 RESERVED CVE-2014-1865 RESERVED CVE-2014-1864 RESERVED CVE-2014-1863 RESERVED CVE-2014-1862 RESERVED CVE-2014-1861 (The client in Jetro COCKPIT Secure Browsing (JCSB) 4.3.1 and 4.3.3 doe ...) NOT-FOR-US: Jetro COCKPIT Secure Browsing CVE-2014-1859 ((1) core/tests/test_memmap.py, (2) core/tests/test_multiarray.py, (3) ...) - python-numpy 1:1.8.1~rc1-1 (low; bug #737778) [squeeze] - python-numpy (Minor issue) [wheezy] - python-numpy (Minor issue) NOTE: issue fixed by https://github.com/numpy/numpy/commit/0bb46c1448b0d3f5453d5182a17ea7ac5854ee15 CVE-2014-1858 (__init__.py in f2py in NumPy before 1.8.1 allows local users to write ...) - python-numpy 1:1.8.1~rc1-1 (low; bug #737778) [squeeze] - python-numpy (Minor issue) [wheezy] - python-numpy (Minor issue) CVE-2014-1857 RESERVED CVE-2014-1856 RESERVED CVE-2014-1855 (Multiple cross-site scripting (XSS) vulnerabilities in Seo Panel befor ...) NOT-FOR-US: Seo Panel CVE-2014-1854 (SQL injection vulnerability in library/clicktracker.php in the AdRotat ...) NOT-FOR-US: AdRotate plugin for WordPress CVE-2014-1853 RESERVED CVE-2014-1852 RESERVED CVE-2014-1851 RESERVED CVE-2014-1850 REJECTED CVE-2014-1849 (Foscam IP camera 11.37.2.49 and other versions, when using the Foscam ...) NOT-FOR-US: Foscam CVE-2014-1848 RESERVED CVE-2014-1847 RESERVED CVE-2014-1844 RESERVED CVE-2014-1843 (Directory traversal vulnerability in the web interface in Titan FTP Se ...) NOT-FOR-US: Titan FTP Server CVE-2014-1842 (Directory traversal vulnerability in the web interface in Titan FTP Se ...) NOT-FOR-US: Titan FTP Server CVE-2014-1841 (Directory traversal vulnerability in the web interface in Titan FTP Se ...) NOT-FOR-US: Titan FTP Server CVE-2014-1840 (Cross-site scripting (XSS) vulnerability in Upload/search.php in MyBB ...) NOT-FOR-US: MyBB CVE-2014-1830 (Requests (aka python-requests) before 2.3.0 allows remote servers to o ...) {DSA-3146-1} - requests 2.3.0-1 (bug #733108) NOTE: https://github.com/kennethreitz/requests/issues/1885 CVE-2014-1829 (Requests (aka python-requests) before 2.3.0 allows remote servers to o ...) {DSA-3146-1} - requests 2.3.0-1 (bug #733108) NOTE: https://github.com/kennethreitz/requests/issues/1885 CVE-2014-1912 (Buffer overflow in the socket.recvfrom_into function in Modules/socket ...) {DSA-2880-1 DLA-25-1} - python2.5 (low) [squeeze] - python2.5 (Minor issue) - python2.6 (low) [wheezy] - python2.6 (Minor issue) - python2.7 2.7.6-6 (low) - python3.1 (low) [squeeze] - python3.1 (Minor issue) - python3.2 (low) [wheezy] - python3.2 (Minor issue) - python3.3 3.3.5-1 (low) - python3.4 3.4.0-1 (low) NOTE: http://bugs.python.org/issue20246 NOTE: https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/ CVE-2014-1877 (Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 2.1.1 al ...) NOT-FOR-US: Dokeos CVE-2014-1876 (The unpacker::redirect_stdio function in unpack.cpp in unpack200 in Op ...) {DSA-2923-1 DSA-2912-1} - openjdk-7 7u55-2.4.7-1 (low; bug #737562) - openjdk-6 6b31-1.13.3-1 (low) CVE-2014-1875 (The Capture::Tiny module before 0.24 for Perl allows local users to wr ...) - libcapture-tiny-perl 0.24-1 (bug #737835) [wheezy] - libcapture-tiny-perl (Minor issue) [squeeze] - libcapture-tiny-perl (Minor issue) CVE-2014-1874 (The security_context_to_sid_core function in security/selinux/ss/servi ...) {DSA-2906-1} - linux 3.13.4-1 [wheezy] - linux 3.2.57-1 - linux-2.6 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2172fa709ab32ca60e86179dc67d0857be8e2c98, first included in v3.14-rc2 CVE-2014-1860 (Contao CMS through 3.2.4 has PHP Object Injection Vulnerabilities ...) NOT-FOR-US: Contao CMS CVE-2014-1832 (Phusion Passenger 4.0.37 allows local users to write to certain files ...) - ruby-passenger 4.0.37-2 [wheezy] - ruby-passenger (incomplete patch never applied) - passenger (incomplete patch never applied) CVE-2014-1831 (Phusion Passenger before 4.0.37 allows local users to write to certain ...) - ruby-passenger 4.0.37-1 (low; bug #736958) [wheezy] - ruby-passenger 3.0.13debian-1+deb7u2 (low; bug #736958) - passenger 4.0.37-1 [squeeze] - passenger (minor issue) CVE-2001-1593 (The tempname_ensure function in lib/routines.h in a2ps 4.14 and earlie ...) {DSA-2892-1} - a2ps 1:4.14-1.2 (low; bug #737385) CVE-2014-1845 (An unspecified setuid root helper in Enlightenment before 0.17.6 allow ...) - e17 0.17.3-3 (bug #737705) NOTE: https://git.enlightenment.org/core/enlightenment.git/commit/?id=ea605237bb64ee09341121461b3d2c0f5dbe832d NOTE: https://git.enlightenment.org/core/enlightenment.git/commit/?id=126afd0fda493deec8398088e6e928b4d2e5f463 NOTE: https://git.enlightenment.org/core/enlightenment.git/commit/?id=8cabf2708520539cf25ca0a876f9c044f6d56a77 CVE-2014-1846 (Enlightenment before 0.17.6 might allow local users to gain privileges ...) - e17 0.17.3-3 (bug #737705) NOTE: https://git.enlightenment.org/core/enlightenment.git/commit/?id=ea605237bb64ee09341121461b3d2c0f5dbe832d NOTE: https://git.enlightenment.org/core/enlightenment.git/commit/?id=126afd0fda493deec8398088e6e928b4d2e5f463 NOTE: https://git.enlightenment.org/core/enlightenment.git/commit/?id=8cabf2708520539cf25ca0a876f9c044f6d56a77 CVE-2014-1839 (The Execute class in shellutils in logilab-commons before 0.61.0 uses ...) - logilab-common 0.61.0-1 (low; bug #737051) [squeeze] - logilab-common (Minor issue) [wheezy] - logilab-common (Minor issue) CVE-2014-1838 (The (1) extract_keys_from_pdf and (2) fill_pdf functions in pdf_ext.py ...) - logilab-common 0.61.0-1 (low; bug #737051) [squeeze] - logilab-common (Minor issue) [wheezy] - logilab-common (Minor issue) CVE-2014-1837 (Cross-site scripting (XSS) vulnerability in the StackIdeas Komento (co ...) NOT-FOR-US: Joomla com_komento CVE-2014-1836 (Absolute path traversal vulnerability in htdocs/libraries/image-editor ...) NOT-FOR-US: ImpressCMS CVE-2014-1835 (The perform_request function in /lib/echor/backplane.rb in echor 0.1.6 ...) NOT-FOR-US: Echor Ruby Gem CVE-2014-1834 (The perform_request function in /lib/echor/backplane.rb in echor 0.1.6 ...) NOT-FOR-US: Echor Ruby Gem CVE-2014-1833 (Directory traversal vulnerability in uupdate in devscripts 2.14.1 allo ...) - devscripts 2.14.8 (low; bug #737160) [squeeze] - devscripts (Minor issue) [wheezy] - devscripts (Minor issue) CVE-2013-7338 (Python before 3.3.4 RC1 allows remote attackers to cause a denial of s ...) - python2.5 (Only affects 3.x) - python2.6 (Only affects 3.x) - python2.7 (Only affects 3.x) - python3.1 (low) [squeeze] - python3.1 (Minor issue) - python3.2 (low) [wheezy] - python3.2 (Minor issue) - python3.3 3.3.4-1 (low) - python3.4 3.4~b3-1 (low) NOTE: http://bugs.python.org/issue20078 CVE-2014-XXXX [no input validation for search function] - fookebox 0.7.2-1 (low; bug #736821) [wheezy] - fookebox (Minor issue) CVE-2014-2013 (Stack-based buffer overflow in the xps_parse_color function in xps/xps ...) {DSA-2951-1} - mupdf 1.3-2 (bug #738857) NOTE: http://www.hdwsec.fr/blog/mupdf.html NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=694957 NOTE: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=60dabde18d7fe12b19da8b509bdfee9cc886aafc CVE-2013-XXXX [libclamunrar: double-free error libclamunrar_iface/unrar_iface.c] - libclamunrar 0.97.7+dfsg-1 (bug #770647) [wheezy] - libclamunrar (Non-free not supported, also minor issue) NOTE: http://www.openwall.com/lists/oss-security/2013/11/29/6 CVE-2013-XXXX [staden-io-lib buffer overflow] - staden-io-lib 1.13.3-2 (low; bug #729276) [squeeze] - staden-io-lib (Minor issue) [wheezy] - staden-io-lib (Minor issue) CVE-2013-XXXX [cakephp: local file inclusion] - cakephp (AssetDispatcher not present in 1.3) NOTE: http://web.archive.org/web/20140531064939/http://bakery.cakephp.org:80/articles/markstory/2013/07/18/cakephp_2_3_8_2_2_9_released NOTE: http://seclists.org/bugtraq/2013/Aug/97, needs a CVE assignment CVE-2013-XXXX [automysqlbackup code injection] - automysqlbackup 2.6+debian.3-1 (bug #706099) [squeeze] - automysqlbackup (Minor issue) CVE-2013-XXXX [autopostgresqlbackup code injection] - autopostgresqlbackup 1.0-2 (bug #706095) CVE-2013-XXXX [buffer overflow in commandline parsing] - swath 0.4.3-3 (low; bug #698189) [squeeze] - swath 0.4.0-4+squeeze1 CVE-2014-1828 (The iThoughts web server in the iThoughtsHD app 4.19 for iOS on iPad d ...) NOT-FOR-US: iOS iThoughtsHD app CVE-2014-1827 (The iThoughtsHD app 4.19 for iOS on iPad devices, when the WiFi Transf ...) NOT-FOR-US: iOS iThoughtsHD app CVE-2014-1826 (Cross-site scripting (XSS) vulnerability in the iThoughtsHD app 4.19 f ...) NOT-FOR-US: iOS iThoughtsHD app CVE-2014-1825 REJECTED CVE-2014-1824 (Windows Journal in Microsoft Windows Vista SP2, Windows Server 2008 SP ...) NOT-FOR-US: Microsoft Windows CVE-2014-1823 (Cross-site scripting (XSS) vulnerability in the Web Components Server ...) NOT-FOR-US: Microsoft Lync Server CVE-2014-1822 REJECTED CVE-2014-1821 REJECTED CVE-2014-1820 (Cross-site scripting (XSS) vulnerability in Master Data Services (MDS) ...) NOT-FOR-US: Microsoft CVE-2014-1819 (win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 ...) NOT-FOR-US: Microsoft CVE-2014-1818 (GDI+ in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows ...) NOT-FOR-US: Microsoft Windows CVE-2014-1817 (usp10.dll in Uniscribe (aka the Unicode Script Processor) in Microsoft ...) NOT-FOR-US: Microsoft Windows CVE-2014-1816 (Microsoft XML Core Services (aka MSXML) 3.0 and 6.0 does not properly ...) NOT-FOR-US: Microsoft XML Core Services CVE-2014-1815 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1814 (The Windows Installer in Microsoft Windows Server 2003 SP2, Windows Vi ...) NOT-FOR-US: Microsoft CVE-2014-1813 (Microsoft Web Applications 2010 SP1 and SP2 allows remote authenticate ...) NOT-FOR-US: Microsoft CVE-2014-1812 (The Group Policy implementation in Microsoft Windows Vista SP2, Window ...) NOT-FOR-US: Microsoft CVE-2014-1811 (The TCP implementation in Microsoft Windows Vista SP2, Windows Server ...) NOT-FOR-US: Microsoft Windows CVE-2014-1810 REJECTED CVE-2014-1809 (The MSCOMCTL library in Microsoft Office 2007 SP3, 2010 SP1 and SP2, a ...) NOT-FOR-US: Microsoft CVE-2014-1808 (Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attacker ...) NOT-FOR-US: Microsoft CVE-2014-1807 (The ShellExecute API in Windows Shell in Microsoft Windows Server 2003 ...) NOT-FOR-US: Microsoft CVE-2014-1806 (The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, ...) NOT-FOR-US: Microsoft CVE-2014-1805 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1804 (Microsoft Internet Explorer 8 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1803 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1802 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1801 REJECTED CVE-2014-1800 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1799 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1798 REJECTED CVE-2014-1797 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1796 (Microsoft Internet Explorer 6 and 8 through 11 allows remote attackers ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1795 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1794 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1793 REJECTED CVE-2014-1792 (Microsoft Internet Explorer 8 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1791 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1790 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1789 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1788 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1787 REJECTED CVE-2014-1786 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1785 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1784 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1783 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1782 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1781 (Microsoft Internet Explorer 8 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1780 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1779 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1778 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1777 (Microsoft Internet Explorer 10 and 11 allows remote attackers to read ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1776 (Use-after-free vulnerability in Microsoft Internet Explorer 6 through ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1775 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1774 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1773 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1772 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1771 (SChannel in Microsoft Internet Explorer 6 through 11 does not ensure t ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1770 (Use-after-free vulnerability in Microsoft Internet Explorer 6 through ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1769 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1768 REJECTED CVE-2014-1767 (Double free vulnerability in the Ancillary Function Driver (AFD) in af ...) NOT-FOR-US: Microsoft Windows CVE-2014-1766 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Windows CVE-2014-1765 (Multiple use-after-free vulnerabilities in Microsoft Internet Explorer ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1764 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1763 (Use-after-free vulnerability in Microsoft Internet Explorer 9 through ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1762 (Unspecified vulnerability in Microsoft Internet Explorer 6 through 11 ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1761 (Microsoft Word 2003 SP3, 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT ...) NOT-FOR-US: Microsoft Word CVE-2014-1760 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1759 (pubconv.dll in Microsoft Publisher 2003 SP3 and 2007 SP3 allows remote ...) NOT-FOR-US: Microsoft Publisher CVE-2014-1758 (Stack-based buffer overflow in Microsoft Word 2003 SP3 allows remote a ...) NOT-FOR-US: Microsoft Word CVE-2014-1757 (Microsoft Word 2007 SP3 and 2010 SP1 and SP2, and Office Compatibility ...) NOT-FOR-US: Microsoft Word CVE-2014-1756 (Untrusted search path vulnerability in Microsoft Office 2007 SP3, 2010 ...) NOT-FOR-US: Microsoft CVE-2014-1755 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1754 (Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Serve ...) NOT-FOR-US: Microsoft CVE-2014-1753 (Microsoft Internet Explorer 6 through 9 allows remote attackers to exe ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1752 (Microsoft Internet Explorer 6 and 7 allows remote attackers to execute ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1751 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-1749 (Multiple unspecified vulnerabilities in Google Chrome before 35.0.1916 ...) {DSA-2939-1} [squeeze] - chromium-browser - chromium-browser 35.0.1916.114-1 CVE-2014-1748 (The ScrollView::paint function in platform/scroll/ScrollView.cpp in Bl ...) {DSA-2939-1} [squeeze] - chromium-browser - chromium-browser 35.0.1916.114-1 CVE-2014-1747 (Cross-site scripting (XSS) vulnerability in the DocumentLoader::maybeC ...) {DSA-2939-1} - chromium-browser 35.0.1916.114-1 [squeeze] - chromium-browser CVE-2014-1746 (The InMemoryUrlProtocol::Read function in media/filters/in_memory_url_ ...) {DSA-2939-1} - chromium-browser 35.0.1916.114-1 [squeeze] - chromium-browser CVE-2014-1745 (Use-after-free vulnerability in the SVG implementation in Blink, as us ...) {DSA-2939-1} - chromium-browser 35.0.1916.114-1 [squeeze] - chromium-browser CVE-2014-1744 (Integer overflow in the AudioInputRendererHost::OnCreateStream functio ...) {DSA-2939-1} - chromium-browser 35.0.1916.114-1 [squeeze] - chromium-browser CVE-2014-1743 (Use-after-free vulnerability in the StyleElement::removedFromDocument ...) {DSA-2939-1} - chromium-browser 35.0.1916.114-1 [squeeze] - chromium-browser CVE-2014-1742 (Use-after-free vulnerability in the FrameSelection::updateAppearance f ...) {DSA-2930-1} - chromium-browser 34.0.1847.137-1 [squeeze] - chromium-browser CVE-2014-1741 (Multiple integer overflows in the replace-data functionality in the Ch ...) {DSA-2930-1} - chromium-browser 34.0.1847.137-1 [squeeze] - chromium-browser CVE-2014-1740 (Multiple use-after-free vulnerabilities in net/websockets/websocket_jo ...) {DSA-2930-1} - chromium-browser 34.0.1847.137-1 [squeeze] - chromium-browser CVE-2014-1739 (The media_device_enum_entities function in drivers/media/media-device. ...) - linux 3.14.7-1 (unimportant) [wheezy] - linux 3.2.60-1 - linux-2.6 [squeeze] - linux-2.6 (Vulnerability introduced in 2.6.38) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e6a623460e5fc960ac3ee9f946d3106233fd28d8 NOTE: Not exploitable with any sane setup CVE-2014-1738 (The raw_cmd_copyout function in drivers/block/floppy.c in the Linux ke ...) {DSA-2928-1 DSA-2926-1} - linux 3.14.4-1 - linux-2.6 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2145e15e0557a01b9195d1c7199a1b92cb9be81f CVE-2014-1737 (The raw_cmd_copyin function in drivers/block/floppy.c in the Linux ker ...) {DSA-2928-1 DSA-2926-1} - linux 3.14.4-1 - linux-2.6 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ef87dbe7614341c2e7bfe8d32fcb7028cc97442c CVE-2014-1736 (Integer overflow in api.cc in Google V8, as used in Google Chrome befo ...) {DSA-2920-1} - chromium-browser 34.0.1847.132-1 [squeeze] - chromium-browser - libv8 [wheezy] - libv8 (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 (Unsupported in squeeze-lts) - libv8-3.14 (unimportant; bug #773671) NOTE: libv8 not covered by security support CVE-2014-1735 (Multiple unspecified vulnerabilities in Google V8 before 3.24.35.33, a ...) {DSA-2920-1} - chromium-browser 34.0.1847.132-1 [squeeze] - chromium-browser - libv8 [wheezy] - libv8 (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 (Unsupported in squeeze-lts) - libv8-3.14 (unimportant; bug #773671) NOTE: libv8 not covered by security support CVE-2014-1734 (Multiple unspecified vulnerabilities in Google Chrome before 34.0.1847 ...) {DSA-2920-1} - chromium-browser 34.0.1847.132-1 [squeeze] - chromium-browser CVE-2014-1733 (The PointerCompare function in codegen.cc in Seccomp-BPF, as used in G ...) {DSA-2920-1} - chromium-browser 34.0.1847.132-1 [squeeze] - chromium-browser CVE-2014-1732 (Use-after-free vulnerability in browser/ui/views/speech_recognition_bu ...) {DSA-2920-1} - chromium-browser 34.0.1847.132-1 [squeeze] - chromium-browser CVE-2014-1731 (core/html/HTMLSelectElement.cpp in the DOM implementation in Blink, as ...) {DSA-2920-1} - chromium-browser 34.0.1847.132-1 [squeeze] - chromium-browser CVE-2014-1730 (Google V8, as used in Google Chrome before 34.0.1847.131 on Windows an ...) {DSA-2920-1} - chromium-browser 34.0.1847.132-1 [squeeze] - chromium-browser - libv8 [wheezy] - libv8 (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 (Unsupported in squeeze-lts) - libv8-3.14 (unimportant; bug #773671) NOTE: libv8 not covered by security support CVE-2014-1729 (Multiple unspecified vulnerabilities in Google V8 before 3.24.35.22, a ...) {DSA-2905-1} - chromium-browser 34.0.1847.116-1 [squeeze] - chromium-browser - libv8 [wheezy] - libv8 (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 (Unsupported in squeeze-lts) - libv8-3.14 (unimportant; bug #773671) NOTE: libv8 not covered by security support CVE-2014-1728 (Multiple unspecified vulnerabilities in Google Chrome before 34.0.1847 ...) {DSA-2905-1} - chromium-browser 34.0.1847.116-1 [squeeze] - chromium-browser CVE-2014-1727 (Use-after-free vulnerability in content/renderer/renderer_webcolorchoo ...) {DSA-2905-1} - chromium-browser 34.0.1847.116-1 [squeeze] - chromium-browser CVE-2014-1726 (The drag implementation in Google Chrome before 34.0.1847.116 allows u ...) {DSA-2905-1} - chromium-browser 34.0.1847.116-1 [squeeze] - chromium-browser CVE-2014-1725 (The base64DecodeInternal function in wtf/text/Base64.cpp in Blink, as ...) {DSA-2905-1} - chromium-browser 34.0.1847.116-1 [squeeze] - chromium-browser CVE-2014-1724 (Use-after-free vulnerability in Free(b)soft Laboratory Speech Dispatch ...) {DSA-2905-1} - chromium-browser 34.0.1847.116-1 [squeeze] - chromium-browser - speech-dispatcher 0.8-7 (low; bug #745808) [squeeze] - speech-dispatcher (Minor issue) [wheezy] - speech-dispatcher (Minor issue) NOTE: no specific information available (possibly already be fixed in 0.8), the fix in chromium was to disable speechd by default CVE-2014-1723 (The UnescapeURLWithOffsetsImpl function in net/base/escape.cc in Googl ...) {DSA-2905-1} - chromium-browser 34.0.1847.116-1 [squeeze] - chromium-browser CVE-2014-1722 (Use-after-free vulnerability in the RenderBlock::addChildIgnoringAnony ...) {DSA-2905-1} - chromium-browser 34.0.1847.116-1 [squeeze] - chromium-browser CVE-2014-1721 (Google V8, as used in Google Chrome before 34.0.1847.116, does not pro ...) {DSA-2905-1} - chromium-browser 34.0.1847.116-1 [squeeze] - chromium-browser CVE-2014-1720 (Use-after-free vulnerability in the HTMLBodyElement::insertedInto func ...) {DSA-2905-1} - chromium-browser 34.0.1847.116-1 [squeeze] - chromium-browser CVE-2014-1719 (Use-after-free vulnerability in the WebSharedWorkerStub::OnTerminateWo ...) {DSA-2905-1} - chromium-browser 34.0.1847.116-1 [squeeze] - chromium-browser CVE-2014-1718 (Integer overflow in the SoftwareFrameManager::SwapToNewFrame function ...) {DSA-2905-1} - chromium-browser 34.0.1847.116-1 [squeeze] - chromium-browser CVE-2014-1717 (Google V8, as used in Google Chrome before 34.0.1847.116, does not pro ...) {DSA-2905-1} - chromium-browser 34.0.1847.116-1 [squeeze] - chromium-browser - libv8 [wheezy] - libv8 (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 (Unsupported in squeeze-lts) - libv8-3.14 (unimportant; bug #773671) NOTE: libv8 not covered by security support CVE-2014-1716 (Cross-site scripting (XSS) vulnerability in the Runtime_SetPrototype f ...) {DSA-2905-1} - chromium-browser 34.0.1847.116-1 [squeeze] - chromium-browser - libv8 [wheezy] - libv8 (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 (Unsupported in squeeze-lts) - libv8-3.14 (unimportant; bug #773671) NOTE: libv8 not covered by security support CVE-2014-1715 (Directory traversal vulnerability in Google Chrome before 33.0.1750.15 ...) {DSA-2883-1} - chromium-browser 33.0.1750.152-1 [squeeze] - chromium-browser CVE-2014-1714 (The ScopedClipboardWriter::WritePickledData function in ui/base/clipbo ...) - chromium-browser (Windows-specific) CVE-2014-1713 (Use-after-free vulnerability in the AttributeSetter function in bindin ...) {DSA-2883-1} - chromium-browser 33.0.1750.152-1 [squeeze] - chromium-browser CVE-2014-1712 RESERVED CVE-2014-1711 (The GPU driver in the kernel in Google Chrome OS before 33.0.1750.152 ...) NOT-FOR-US: Chrome OS CVE-2014-1710 (The AsyncPixelTransfersCompletedQuery::End function in gpu/command_buf ...) NOT-FOR-US: Chrome OS CVE-2014-1709 RESERVED CVE-2014-1708 (The boot implementation in Google Chrome OS before 33.0.1750.152 does ...) NOT-FOR-US: Chrome OS CVE-2014-1707 (Directory traversal vulnerability in CrosDisks in Google Chrome OS bef ...) NOT-FOR-US: Chrome OS CVE-2014-1706 (crosh in Google Chrome OS before 33.0.1750.152 allows attackers to inj ...) NOT-FOR-US: Chrome OS CVE-2014-1705 (Google V8, as used in Google Chrome before 33.0.1750.152 on OS X and L ...) {DSA-2883-1} - chromium-browser 33.0.1750.152-1 [squeeze] - chromium-browser [wheezy] - libv8 (Minor issue, Chromium in Wheezy uses its own fixed copy) - libv8 [squeeze] - libv8 (Unsupported in squeeze-lts) - libv8-3.14 (unimportant; bug #773671) NOTE: libv8 not covered by security support CVE-2014-1704 (Multiple unspecified vulnerabilities in Google V8 before 3.23.17.18, a ...) {DSA-2883-1} - chromium-browser 33.0.1750.152-1 [squeeze] - chromium-browser - libv8 [wheezy] - libv8 (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 (Unsupported in squeeze-lts) - libv8-3.14 (unimportant; bug #773671) NOTE: libv8 not covered by security support CVE-2014-1703 (Use-after-free vulnerability in the WebSocketDispatcherHost::SendOrDro ...) {DSA-2883-1} - chromium-browser 33.0.1750.152-1 [squeeze] - chromium-browser CVE-2014-1702 (Use-after-free vulnerability in the DatabaseThread::cleanupDatabaseThr ...) {DSA-2883-1} - chromium-browser 33.0.1750.152-1 [squeeze] - chromium-browser CVE-2014-1701 (The GenerateFunction function in bindings/scripts/code_generator_v8.pm ...) {DSA-2883-1} - chromium-browser 33.0.1750.152-1 [squeeze] - chromium-browser CVE-2014-1700 (Use-after-free vulnerability in modules/speech/SpeechSynthesis.cpp in ...) {DSA-2883-1} - chromium-browser 33.0.1750.152-1 [squeeze] - chromium-browser CVE-2014-1699 (Siemens SIMATIC WinCC OA before 3.12 P002 January allows remote attack ...) NOT-FOR-US: Siemens SIMATIC CVE-2014-1698 (Directory traversal vulnerability in Siemens SIMATIC WinCC OA before 3 ...) NOT-FOR-US: Siemens SIMATIC WinCC OA CVE-2014-1697 (The integrated web server in Siemens SIMATIC WinCC OA before 3.12 P002 ...) NOT-FOR-US: Siemens SIMATIC WinCC OA CVE-2014-1696 (Siemens SIMATIC WinCC OA before 3.12 P002 January uses a weak hash alg ...) NOT-FOR-US: Siemens SIMATIC WinCC OA CVE-2014-1695 (Cross-site scripting (XSS) vulnerability in Open Ticket Request System ...) {DLA-1119-1} - otrs2 3.3.5-1 [squeeze] - otrs2 (Minor issue) NOTE: https://www.otrs.com/security-advisory-2014-03-xss-issue/ CVE-2013-7323 (python-gnupg before 0.3.5 allows context-dependent attackers to execut ...) {DSA-2946-1} - python-gnupg 0.3.6-1 (bug #738509) CVE-2013-7318 (Cross-site scripting (XSS) vulnerability in BusinessFlow/login in Algo ...) NOT-FOR-US: AlgoSec Firewall Analyzer CVE-2014-1750 (Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps ...) NOT-FOR-US: WordPress plugin nokia-mapsplaces CVE-2014-1694 (Multiple cross-site request forgery (CSRF) vulnerabilities in (1) Cust ...) {DSA-2867-1} - otrs2 3.3.4-1 (low) NOTE: https://www.otrs.com/security-advisory-2014-01-csrf-issue-customer-web-interface/ CVE-2014-1693 (Multiple CRLF injection vulnerabilities in the FTP module in Erlang/OT ...) - erlang 1:16.b.3.1-dfsg-3 (low; bug #738132) [squeeze] - erlang (Minor issue) [wheezy] - erlang 1:15.b.1-dfsg-4+deb7u1 CVE-2014-1692 (The hash_buffer function in schnorr.c in OpenSSH through 6.4, when Mak ...) - openssh (J-PAKE not activated) CVE-2014-1691 (The framework/Util/lib/Horde/Variables.php script in the Util library ...) {DSA-2853-1} - horde3 (medium; bug #737149) - php-horde-util 2.3.0-1 NOTE: https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3 NOTE: https://github.com/horde/horde/commit/acf67ab4a633037849aca9e4a7592465b999ad93 is also required CVE-2014-1690 (The help function in net/netfilter/nf_nat_irc.c in the Linux kernel be ...) - linux 3.12.8-1 [wheezy] - linux (Introduced in 3.7) - linux-2.6 (Introduced in 3.7) NOTE: https://git.kernel.org/linus/2690d97ade05c5325cbf7c72b94b90d265659886 CVE-2014-1689 RESERVED CVE-2014-1688 RESERVED CVE-2014-1687 RESERVED CVE-2014-1686 (MediaWiki 1.18.0 allows remote attackers to obtain the installation pa ...) - mediawiki (unimportant) NOTE: http://seclists.org/fulldisclosure/2014/Mar/102 NOTE: path disclosure not an issue CVE-2014-1685 (The Frontend in Zabbix before 1.8.20rc2, 2.0.x before 2.0.11rc2, and 2 ...) - zabbix 1:2.2.2+dfsg-1 [squeeze] - zabbix (Unsupported in squeeze-lts) CVE-2014-1684 (The ASF_ReadObject_file_properties function in modules/demux/asf/libas ...) - vlc 2.1.4-1 (unimportant; bug #743033) NOTE: Crash in enduser application, no security impact CVE-2014-1683 (The bashMail function in cms/data/skins/techjunkie/fragments/contacts/ ...) NOT-FOR-US: SkyBlueCanvas CMS CVE-2014-1682 (The API in Zabbix before 1.8.20rc1, 2.0.x before 2.0.11rc1, and 2.2.x ...) - zabbix 1:2.2.2+dfsg-1 (bug #737818) [squeeze] - zabbix (Unsupported in squeeze-lts) NOTE: https://support.zabbix.com/browse/ZBX-7703 CVE-2014-1681 (Multiple unspecified vulnerabilities in Google Chrome before 32.0.1700 ...) {DSA-2811-1} - chromium-browser 31.0.1650.63-1 [squeeze] - chromium-browser CVE-2014-1680 (Untrusted search path vulnerability in Bandisoft Bandizip before 3.10 ...) NOT-FOR-US: Bandisoft Bandizip CVE-2014-1679 (Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite ...) NOT-FOR-US: Open-Xchange CVE-2014-1678 RESERVED CVE-2014-1677 (Technicolor TC7200 with firmware STD6.01.12 could allow remote attacke ...) NOT-FOR-US: Technicolor TC7200 NOTE: https://www.exploit-db.com/exploits/31894/ CVE-2014-1676 RESERVED CVE-2014-1675 RESERVED CVE-2014-1674 RESERVED CVE-2014-1673 (Check Point Session Authentication Agent allows remote attackers to ob ...) NOT-FOR-US: Check Point Session Authentication Agent CVE-2014-1672 (Check Point R75.47 Security Gateway and Management Server does not pro ...) NOT-FOR-US: Check Point R75.47 Security Gateway and Management Server CVE-2014-1671 (Multiple SQL injection vulnerabilities in Dell KACE K1000 5.4.76847 an ...) NOT-FOR-US: Dell KACE K1000 CVE-2014-1670 (The Microsoft Bing application before 4.2.1 for Android allows remote ...) NOT-FOR-US: Microsoft Bing application CVE-2014-1669 RESERVED CVE-2014-1668 RESERVED CVE-2014-1667 RESERVED CVE-2014-1665 (Cross-site scripting (XSS) vulnerability in ownCloud before 6.0.1 allo ...) - owncloud CVE-2014-1663 (Unspecified vulnerability in Citrix XenMobile Device Manager server (f ...) NOT-FOR-US: Citrix XenMobile Device Manager server CVE-2014-1662 REJECTED CVE-2014-1661 REJECTED CVE-2014-1660 REJECTED CVE-2014-1659 REJECTED CVE-2014-1658 REJECTED CVE-2014-1657 REJECTED CVE-2014-1656 REJECTED CVE-2014-1655 REJECTED CVE-2014-1654 REJECTED CVE-2014-1653 REJECTED CVE-2014-1652 (Multiple cross-site scripting (XSS) vulnerabilities in the management ...) NOT-FOR-US: Symantec Web Gateway CVE-2014-1651 (SQL injection vulnerability in clientreport.php in the management cons ...) NOT-FOR-US: Symantec Web Gateway CVE-2014-1650 (SQL injection vulnerability in user.php in the management console in S ...) NOT-FOR-US: Symantec Web Gateway CVE-2014-1649 (The server in Symantec Workspace Streaming (SWS) before 7.5.0.749 allo ...) NOT-FOR-US: Symantec Workspace Streaming CVE-2014-1648 (Cross-site scripting (XSS) vulnerability in brightmail/setting/complia ...) NOT-FOR-US: Symantec Messaging Gateway CVE-2014-1647 (Symantec PGP Desktop 10.0.x through 10.2.x and Encryption Desktop Prof ...) NOT-FOR-US: Symantec CVE-2014-1646 (Symantec PGP Desktop 10.0.x through 10.2.x and Encryption Desktop Prof ...) NOT-FOR-US: Symantec CVE-2014-1645 (SQL injection vulnerability in forcepasswd.do in the management GUI in ...) NOT-FOR-US: Symantec LiveUpdate Administrator CVE-2014-1644 (The forgotten-password feature in forcepasswd.do in the management GUI ...) NOT-FOR-US: Symantec LiveUpdate Administrator CVE-2014-1643 (The Web Email Protection component in Symantec Encryption Management S ...) NOT-FOR-US: Symantec PGP Universal Web Messenger CVE-2013-7317 (Multiple cross-site scripting (XSS) vulnerabilities in CS-Cart before ...) NOT-FOR-US: CS-Cart CVE-2013-7316 (Cross-site scripting (XSS) vulnerability in GitLab 6.0 and other versi ...) - gitlab (Fixed before initial upload to Debian) CVE-2013-7315 (The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4 ...) {DSA-2842-1} - libspring-java 3.0.6.RELEASE-10 (low; bug #720902) CVE-2013-7314 (The OSPF implementation on NEC IP38X, IX1000, IX2000, and IX3000 route ...) NOT-FOR-US: NEC routers CVE-2013-7313 (The OSPF implementation in Juniper Junos through 13.x, JunosE, and Scr ...) NOT-FOR-US: Juniper Junos CVE-2013-7312 (The OSPF implementation on Enterasys switches and routers does not con ...) NOT-FOR-US: Enterasys switches and routers CVE-2013-7311 (The OSPF implementation in Check Point Gaia OS R75.X and R76 and IPSO ...) NOT-FOR-US: Check Point Gaia OS CVE-2013-7310 (The OSPF implementation on Yamaha routers does not consider the possib ...) NOT-FOR-US: Yamaha routers CVE-2013-7309 (The OSPF implementation in Extreme Networks EXOS does not consider the ...) NOT-FOR-US: Extreme Networks EXOS CVE-2013-7308 (The OSPF implementation on the D-Link DES-3810-28 switch with firmware ...) NOT-FOR-US: D-Link DES-3810-28 switch CVE-2013-7307 (The OSPF implementation on the Brocade Vyatta vRouter with software be ...) NOT-FOR-US: Brocade Vyatta vRouter CVE-2013-7306 (The OSPF implementation on Brocade routers does not consider the possi ...) NOT-FOR-US: Brocade routers CVE-2014-1666 (The do_physdev_op function in Xen 4.1.5, 4.1.6.1, 4.2.2 through 4.2.3, ...) - xen 4.4.0-1 [wheezy] - xen (Vulnerable code not present) [squeeze] - xen (Vulnerable code not present) CVE-2014-1664 (The Citrix GoToMeeting application 5.0.799.1238 for Android logs HTTP ...) NOT-FOR-US: GoToMeeting in Android CVE-2014-1641 RESERVED CVE-2014-1637 (Command School Student Management System 1.06.01 does not properly res ...) NOT-FOR-US: Command School Student Management System CVE-2014-1636 (Multiple SQL injection vulnerabilities in Command School Student Manag ...) NOT-FOR-US: Command School Student Management System CVE-2014-1635 (Buffer overflow in login.cgi in MiniHttpd in Belkin N750 Router with f ...) NOT-FOR-US: Belkin router CVE-2014-1634 (SQL Injection exists in Advanced Newsletter Magento extension before 2 ...) NOT-FOR-US: Magento extension CVE-2014-1633 RESERVED CVE-2014-1632 (htdocs/setup/index.php in Eventum before 2.3.5 allows remote attackers ...) NOT-FOR-US: Eventum CVE-2014-1631 (Eventum before 2.3.5 allows remote attackers to reinstall the applicat ...) NOT-FOR-US: Eventum CVE-2014-1630 RESERVED CVE-2014-1629 RESERVED CVE-2014-1628 RESERVED CVE-2014-1627 RESERVED CVE-2014-1625 RESERVED CVE-2014-1623 RESERVED CVE-2014-1622 RESERVED CVE-2014-1621 RESERVED CVE-2014-1620 (Multiple cross-site scripting (XSS) vulnerabilities in add.php in HIOX ...) NOT-FOR-US: HIOX Guest Book CVE-2014-1619 (Multiple SQL injection vulnerabilities in Cubic CMS 5.1.1, 5.1.2, and ...) NOT-FOR-US: Cubic CMS CVE-2014-1618 (Multiple SQL injection vulnerabilities in UAEPD Shopping Cart Script a ...) NOT-FOR-US: UAEPD Shopping Cart Script CVE-2014-1617 (Microsys PROMOTIC 8.2.13 contains an ActiveX Control Start Buffer Over ...) NOT-FOR-US: Microsys CVE-2014-1616 RESERVED CVE-2014-1615 (Multiple cross-site request forgery (CSRF) vulnerabilities in Carbon B ...) NOT-FOR-US: Carbon Black CVE-2014-1614 RESERVED CVE-2014-1613 (Dotclear before 2.6.2 allows remote attackers to execute arbitrary PHP ...) - dotclear 2.6.2+dfsg-1 CVE-2014-1612 (Cross-site scripting (XSS) vulnerability in login.esp in the Web Manag ...) NOT-FOR-US: Mediatrix CVE-2014-1610 (MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x befor ...) {DSA-2891-1} - mediawiki 1:1.19.11+dfsg-1 [squeeze] - mediawiki CVE-2014-1609 (Multiple SQL injection vulnerabilities in MantisBT before 1.2.16 allow ...) {DSA-3030-1} - mantis [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: https://github.com/mantisbt/mantisbt/commit/7efe0175f0853e18ebfacedfd2374c4179028b3f CVE-2014-1608 (SQL injection vulnerability in the mci_file_get function in api/soap/m ...) {DSA-3030-1} - mantis [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: https://github.com/mantisbt/mantisbt/commit/00b4c17088fa56594d85fe46b6c6057bb3421102 CVE-2014-1607 (** DISPUTED ** Cross-site scripting (XSS) vulnerability in the EventCa ...) NOT-FOR-US: Drupal EventCalendar CVE-2014-1606 RESERVED CVE-2014-1605 RESERVED CVE-2014-1603 (Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS 3 ...) NOT-FOR-US: GetSimple CMS CVE-2014-1602 RESERVED CVE-2014-1601 RESERVED CVE-2014-1600 RESERVED CVE-2014-1599 (Multiple cross-site scripting (XSS) vulnerabilities in the SFR Box rou ...) NOT-FOR-US: SFR Box router CVE-2014-1598 (centurystar 7.12 ActiveX Control has a Stack Buffer Overflow ...) NOT-FOR-US: centurystar CVE-2014-1597 (SQL injection vulnerability in the CMDB web application in synetics i- ...) NOT-FOR-US: i-doit CVE-2014-1596 REJECTED CVE-2014-1595 (Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, and Thunder ...) - iceweasel (Specific to MacOS X) - icedove (Specific to MacOS X) CVE-2014-1594 (Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, Thunderbird ...) {DSA-3092-1 DSA-3090-1} - iceweasel 31.3.0esr-1 - icedove 31.3.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1593 (Stack-based buffer overflow in the mozilla::FileBlockCache::Read funct ...) {DSA-3092-1 DSA-3090-1} - iceweasel 31.3.0esr-1 - icedove 31.3.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1592 (Use-after-free vulnerability in the nsHtml5TreeOperation function in x ...) {DSA-3092-1 DSA-3090-1} - iceweasel 31.3.0esr-1 - icedove 31.3.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1591 (Mozilla Firefox 33.0 and SeaMonkey before 2.31 include path strings in ...) - iceweasel (Only affects Firefox 33) - icedove (Only affects Firefox 33) CVE-2014-1590 (The XMLHttpRequest.prototype.send method in Mozilla Firefox before 34. ...) {DSA-3092-1 DSA-3090-1} - iceweasel 31.3.0esr-1 - icedove 31.3.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1589 (Mozilla Firefox before 34.0 and SeaMonkey before 2.31 provide styleshe ...) - iceweasel (Only affects Firefox 33) - icedove (Only affects Firefox 33) CVE-2014-1588 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel (Only affects Firefox 33) - icedove (Only affects Firefox 33) CVE-2014-1587 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-3092-1 DSA-3090-1} - iceweasel 31.3.0esr-1 - icedove 31.3.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1586 (content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefo ...) {DSA-3061-1 DSA-3050-1} - iceweasel 31.2.0esr-1 - icedove 31.2.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1585 (The WebRTC video-sharing feature in dom/media/MediaManager.cpp in Mozi ...) {DSA-3061-1 DSA-3050-1} - iceweasel 31.2.0esr-1 - icedove 31.2.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1584 (The Public Key Pinning (PKP) implementation in Mozilla Firefox before ...) - iceweasel (Only affects Firefox 32 and later) - icedove (Only affects Firefox 32 and later) [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1583 (The Alarm API in Mozilla Firefox before 33.0 and Firefox ESR 31.x befo ...) {DSA-3050-1} - iceweasel 31.2.0esr-1 [squeeze] - iceweasel CVE-2014-1582 (The Public Key Pinning (PKP) implementation in Mozilla Firefox before ...) - iceweasel (Only affects Firefox 32 and later) - icedove (Only affects Firefox 32 and later) [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1581 (Use-after-free vulnerability in DirectionalityUtils.cpp in Mozilla Fir ...) {DSA-3061-1 DSA-3050-1} - iceweasel 31.2.0esr-1 - icedove 31.2.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1580 (Mozilla Firefox before 33.0 does not properly initialize memory for GI ...) - iceweasel (Only affects Firefox 32 and later) - icedove (Only affects Firefox 32 and later) [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1579 REJECTED CVE-2014-1578 (The get_tile function in Mozilla Firefox before 33.0, Firefox ESR 31.x ...) {DSA-3061-1 DSA-3050-1} - iceweasel 31.2.0esr-1 - icedove 31.2.0-1 [squeeze] - iceweasel [squeeze] - icedove - libvpx 1.3.0-3 (bug #765435) [wheezy] - libvpx (vp9 codec not yet present) [squeeze] - libvpx (vp9 codec not yet present) NOTE: https://www.mozilla.org/security/announce/2014/mfsa2014-77.html NOTE: https://hg.mozilla.org/releases/mozilla-esr31/rev/6023f0b4f8ba CVE-2014-1577 (The mozilla::dom::OscillatorNodeEngine::ComputeCustom function in the ...) {DSA-3061-1 DSA-3050-1} - iceweasel 31.2.0esr-1 - icedove 31.2.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1576 (Heap-based buffer overflow in the nsTransformedTextRun function in Moz ...) {DSA-3061-1 DSA-3050-1} - iceweasel 31.2.0esr-1 - icedove 31.2.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1575 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel (Only affects Firefox 32 and later) - icedove (Only affects Firefox 32 and later) [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1574 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-3061-1 DSA-3050-1} - iceweasel 31.2.0esr-1 - icedove 31.2.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1573 (Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.1 ...) - bugzilla4 (bug #669643) - bugzilla [squeeze] - bugzilla NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1075578 CVE-2014-1572 (The confirm_create_account function in the account-creation feature in ...) - bugzilla4 (bug #669643) - bugzilla [squeeze] - bugzilla NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1074812 CVE-2014-1571 (Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.1 ...) - bugzilla4 (bug #669643) - bugzilla [squeeze] - bugzilla NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1064140 CVE-2014-1570 RESERVED CVE-2014-1569 (The definite_length_decoder function in lib/util/quickder.c in Mozilla ...) {DSA-3186-1 DLA-154-1} - nss 2:3.17.2-1.1 (bug #773625) CVE-2014-1568 (Mozilla Network Security Services (NSS) before 3.16.2.1, 3.16.x before ...) {DSA-3037-1 DSA-3034-1 DSA-3033-1 DLA-62-1} - nss 2:3.17.1-1 - iceweasel (uses system nss) - icedove (uses system nss) [squeeze] - iceweasel [squeeze] - icedove NOTE: https://www.mozilla.org/security/announce/2014/mfsa2014-73.html NOTE: http://www.intelsecurity.com/advanced-threat-research/# CVE-2014-1567 (Use-after-free vulnerability in DirectionalityUtils.cpp in Mozilla Fir ...) {DSA-3028-1 DSA-3018-1} - iceweasel 31.1.0esr-1 - icedove 31.2.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1566 (Mozilla Firefox before 31.1 on Android does not properly restrict copy ...) - iceweasel (Specific to Android) CVE-2014-1565 (The mozilla::dom::AudioEventTimeline function in the Web Audio API imp ...) - iceweasel 31.1.0esr-1 [wheezy] - iceweasel (Only affects releases after ESR24) [squeeze] - iceweasel - icedove 31.2.0-1 [squeeze] - icedove [wheezy] - icedove (Only affects releases after ESR24) CVE-2014-1564 (Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunder ...) - iceweasel 31.1.0esr-1 [wheezy] - iceweasel (Only affects releases after ESR24) [squeeze] - iceweasel - icedove 31.2.0-1 [squeeze] - icedove [wheezy] - icedove (Only affects releases after ESR24) CVE-2014-1563 (Use-after-free vulnerability in the mozilla::DOMSVGLength::GetTearOff ...) - iceweasel 31.1.0esr-1 [wheezy] - iceweasel (Only affects releases after ESR24) [squeeze] - iceweasel - icedove 31.2.0-1 [squeeze] - icedove [wheezy] - icedove (Only affects releases after ESR24) CVE-2014-1562 (Unspecified vulnerability in the browser engine in Mozilla Firefox bef ...) {DSA-3028-1 DSA-3018-1} - iceweasel 31.1.0esr-1 - icedove 31.2.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1561 (Mozilla Firefox before 31.0 does not properly restrict use of drag-and ...) - iceweasel 31.0-1 [wheezy] - iceweasel (Only affects releases after ESR24) [squeeze] - iceweasel NOTE: https://www.mozilla.org/security/announce/2014/mfsa2014-60.html CVE-2014-1560 (Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote a ...) - iceweasel 31.0-1 - icedove 31.0-1 [wheezy] - iceweasel (Only affects releases after ESR24) [wheezy] - icedove (Only affects releases after ESR24) [squeeze] - iceweasel [squeeze] - icedove NOTE: https://www.mozilla.org/security/announce/2014/mfsa2014-65.html CVE-2014-1559 (Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote a ...) - iceweasel 31.0-1 - icedove 31.0-1 [wheezy] - iceweasel (Only affects releases after ESR24) [wheezy] - icedove (Only affects releases after ESR24) [squeeze] - iceweasel [squeeze] - icedove NOTE: https://www.mozilla.org/security/announce/2014/mfsa2014-65.html CVE-2014-1558 (Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote a ...) - iceweasel 31.0-1 - icedove 31.0-1 [wheezy] - iceweasel (Only affects releases after ESR24) [wheezy] - icedove (Only affects releases after ESR24) [squeeze] - iceweasel [squeeze] - icedove NOTE: https://www.mozilla.org/security/announce/2014/mfsa2014-65.html CVE-2014-1557 (The ConvolveHorizontally function in Skia, as used in Mozilla Firefox ...) {DSA-2996-1 DSA-2986-1} - iceweasel 31.0-1 [squeeze] - iceweasel - icedove 31.0-1 [squeeze] - icedove NOTE: http://www.mozilla.org/security/announce/2014/mfsa2014-64.html CVE-2014-1556 (Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunder ...) {DSA-2996-1 DSA-2986-1} - iceweasel 31.0-1 [squeeze] - iceweasel - icedove 31.0-1 [squeeze] - icedove NOTE: https://www.mozilla.org/security/announce/2014/mfsa2014-62.html CVE-2014-1555 (Use-after-free vulnerability in the nsDocLoader::OnProgress function i ...) {DSA-2996-1 DSA-2986-1} - iceweasel 31.0-1 [squeeze] - iceweasel - icedove 31.0-1 [squeeze] - icedove NOTE: http://www.mozilla.org/security/announce/2014/mfsa2014-61.html CVE-2014-1554 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel 31.1.0esr-1 [wheezy] - iceweasel (Only affects releases after ESR24) [squeeze] - iceweasel - icedove 31.2.0-1 [squeeze] - icedove [wheezy] - icedove (Only affects releases after ESR24) CVE-2014-1553 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel 31.1.0esr-1 [wheezy] - iceweasel (Only affects releases after ESR24) [squeeze] - iceweasel - icedove 31.2.0-1 [squeeze] - icedove [wheezy] - icedove (Only affects releases after ESR24) CVE-2014-1552 (Mozilla Firefox before 31.0 and Thunderbird before 31.0 do not properl ...) - iceweasel 31.0-1 - icedove 31.0-1 [wheezy] - iceweasel (Only affects releases after ESR24) [wheezy] - icedove (Only affects releases after ESR24) [squeeze] - iceweasel [squeeze] - icedove NOTE: https://www.mozilla.org/security/announce/2014/mfsa2014-66.html CVE-2014-1551 (Use-after-free vulnerability in the FontTableRec destructor in Mozilla ...) - iceweasel (Affects only Windows platform) - icedove (Affects only Windows platform) NOTE: https://www.mozilla.org/security/announce/2014/mfsa2014-59.html CVE-2014-1550 (Use-after-free vulnerability in the MediaInputPort class in Mozilla Fi ...) - iceweasel 31.0-1 [wheezy] - iceweasel (Only affects releases after ESR24) [squeeze] - iceweasel - icedove 31.0-1 [squeeze] - icedove [wheezy] - icedove (Only affects releases after ESR24) NOTE: https://www.mozilla.org/security/announce/2014/mfsa2014-58.html CVE-2014-1549 (The mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer fun ...) - iceweasel 31.0-1 [wheezy] - iceweasel (Only affects releases after ESR24) [squeeze] - iceweasel - icedove 31.0-1 [squeeze] - icedove [wheezy] - icedove (Only affects releases after ESR24) NOTE: https://www.mozilla.org/security/announce/2014/mfsa2014-57.html CVE-2014-1548 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel 31.0-1 [wheezy] - iceweasel (Only affects releases after ESR24) [squeeze] - iceweasel CVE-2014-1547 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2996-1 DSA-2986-1} - iceweasel 31.0-1 [squeeze] - iceweasel - icedove 31.0-1 [squeeze] - icedove NOTE: http://www.mozilla.org/security/announce/2014/mfsa2014-56.html CVE-2014-1546 (The response function in the JSONP endpoint in WebService/Server/JSONR ...) - bugzilla4 (bug #669643) - bugzilla [squeeze] - bugzilla NOTE: bugzilla part for Adobe Flash's CVE-2014-4671. CVE-2014-1545 (Mozilla Netscape Portable Runtime (NSPR) before 4.10.6 allows remote a ...) {DSA-2962-1 DSA-2960-1 DSA-2955-1 DLA-32-1} - nspr 2:4.10.6-1 - iceweasel 30.0-1 - icedove 31.0~b1-1 [squeeze] - iceweasel [squeeze] - icedove [squeeze] - nspr 4.8.6-1+squeeze2 NOTE: Only the Wheezy builds use the bundled nspr CVE-2014-1544 (Use-after-free vulnerability in the CERT_DestroyCertificate function i ...) {DSA-3071-1 DSA-2996-1 DSA-2986-1 DLA-89-1} - nss 2:3.16.3-1 - iceweasel 31.0-1 [squeeze] - iceweasel - icedove 31.2.0-1 [squeeze] - icedove NOTE: patch: https://hg.mozilla.org/projects/nss/rev/204f22c527f8 NOTE: http://www.mozilla.org/security/announce/2014/mfsa2014-63.html CVE-2014-1543 (Multiple heap-based buffer overflows in the navigator.getGamepads func ...) - iceweasel (Only affects Windows 8) - icedove (Only affects Windows 8) CVE-2014-1542 (Buffer overflow in the Speex resampler in the Web Audio subsystem in M ...) - iceweasel 30.0-1 - icedove 31.0~b1-1 [wheezy] - iceweasel (Doesn't affect ESR24) [squeeze] - iceweasel [wheezy] - icedove (Doesn't affect ESR24) [squeeze] - icedove CVE-2014-1541 (Use-after-free vulnerability in the RefreshDriverTimer::TickDriver fun ...) {DSA-2960-1 DSA-2955-1} - iceweasel 30.0-1 - icedove 31.0~b1-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1540 (Use-after-free vulnerability in the nsEventListenerManager::CompileEve ...) - iceweasel 30.0-1 - icedove 31.0~b1-1 [wheezy] - iceweasel (Doesn't affect ESR24) [squeeze] - iceweasel [wheezy] - icedove (Doesn't affect ESR24) [squeeze] - icedove CVE-2014-1539 (Mozilla Firefox before 30.0 and Thunderbird through 24.6 on OS X do no ...) - iceweasel (Only affects Mac OS X) - icedove (Only affects Mac OS X) CVE-2014-1538 (Use-after-free vulnerability in the nsTextEditRules::CreateMozBR funct ...) {DSA-2960-1 DSA-2955-1} - iceweasel 30.0-1 - icedove 31.0~b1-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1537 (Use-after-free vulnerability in the mozilla::dom::workers::WorkerPriva ...) - iceweasel 30.0-1 - icedove 31.0~b1-1 [wheezy] - iceweasel (Doesn't affect ESR24) [squeeze] - iceweasel [wheezy] - icedove (Doesn't affect ESR24) [squeeze] - icedove CVE-2014-1536 (The PropertyProvider::FindJustificationRange function in Mozilla Firef ...) - iceweasel 30.0-1 - icedove 31.0~b1-1 [wheezy] - iceweasel (Doesn't affect ESR24) [squeeze] - iceweasel [wheezy] - icedove (Doesn't affect ESR24) [squeeze] - icedove CVE-2014-1535 RESERVED CVE-2014-1534 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel 30.0-1 - icedove 31.0~b1-1 [wheezy] - iceweasel (Doesn't affect ESR24) [squeeze] - iceweasel [wheezy] - icedove (Doesn't affect ESR24) [squeeze] - icedove CVE-2014-1533 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2960-1 DSA-2955-1} - iceweasel 30.0-1 - icedove 31.0~b1-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1532 (Use-after-free vulnerability in the nsHostResolver::ConditionallyRefre ...) {DSA-2924-1 DSA-2918-1} - iceweasel 24.5.0esr-1 - icedove 24.5.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1531 (Use-after-free vulnerability in the nsGenericHTMLElement::GetWidthHeig ...) {DSA-2924-1 DSA-2918-1} - iceweasel 24.5.0esr-1 - icedove 24.5.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1530 (The docshell implementation in Mozilla Firefox before 29.0, Firefox ES ...) {DSA-2924-1 DSA-2918-1} - iceweasel 24.5.0esr-1 - icedove 24.5.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1529 (The Web Notification API in Mozilla Firefox before 29.0, Firefox ESR 2 ...) {DSA-2924-1 DSA-2918-1} - iceweasel 24.5.0esr-1 - icedove 24.5.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1528 (The sse2_composite_src_x888_8888 function in Pixman, as used in Cairo ...) - iceweasel (Windows-specific) CVE-2014-1527 (Mozilla Firefox before 29.0 on Android allows remote attackers to spoo ...) - iceweasel (Only affects Firefox on Android) - icedove (Only affects Firefox on Android) CVE-2014-1526 (The XrayWrapper implementation in Mozilla Firefox before 29.0 and SeaM ...) - iceweasel (Only affects Firefox 28) - icedove (Only affects Firefox 28) CVE-2014-1525 (The mozilla::dom::TextTrack::AddCue function in Mozilla Firefox before ...) - iceweasel (Only affects Firefox 28) - icedove (Only affects Firefox 28) CVE-2014-1524 (The nsXBLProtoImpl::InstallImplementation function in Mozilla Firefox ...) {DSA-2924-1 DSA-2918-1} - iceweasel 24.5.0esr-1 - icedove 24.5.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1523 (Heap-based buffer overflow in the read_u32 function in Mozilla Firefox ...) {DSA-2924-1 DSA-2918-1} - iceweasel 24.5.0esr-1 - icedove 24.5.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1522 (The mozilla::dom::OscillatorNodeEngine::ComputeCustom function in the ...) - iceweasel (Only affects Firefox 28) - icedove (Only affects Firefox 28) CVE-2014-1521 REJECTED CVE-2014-1520 (maintenservice_installer.exe in the Maintenance Service Installer in M ...) - iceweasel (Windows-specific) CVE-2014-1519 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel (Only affects Firefox 28) - icedove (Only affects Firefox 28) CVE-2014-1518 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2924-1 DSA-2918-1} - iceweasel 24.5.0esr-1 - icedove 24.5.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1517 (The login form in Bugzilla 2.x, 3.x, 4.x before 4.4.3, and 4.5.x befor ...) - bugzilla (low) [squeeze] - bugzilla (Minor issue) - bugzilla4 (bug #669643) CVE-2014-1516 (The saltProfileName function in base/GeckoProfileDirectories.java in M ...) - iceweasel (Android-specific) CVE-2014-1515 (Mozilla Firefox before 28.0.1 on Android processes a file: URL by copy ...) - iceweasel (Android-specific) CVE-2014-1514 (vmtypedarrayobject.cpp in Mozilla Firefox before 28.0, Firefox ESR 24. ...) {DSA-2911-1 DSA-2881-1} - iceweasel 24.4.0esr-1 - icedove 24.4.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1513 (TypedArrayObject.cpp in Mozilla Firefox before 28.0, Firefox ESR 24.x ...) {DSA-2911-1 DSA-2881-1} - iceweasel 24.4.0esr-1 - icedove 24.4.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1512 (Use-after-free vulnerability in the TypeObject class in the JavaScript ...) {DSA-2911-1 DSA-2881-1} - iceweasel 24.4.0esr-1 - icedove 24.4.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1511 (Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird ...) {DSA-2911-1 DSA-2881-1} - iceweasel 24.4.0esr-1 - icedove 24.4.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1510 (The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR ...) {DSA-2911-1 DSA-2881-1} - iceweasel 24.4.0esr-1 - icedove 24.4.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1509 (Buffer overflow in the _cairo_truetype_index_to_ucs4 function in cairo ...) {DSA-2911-1 DSA-2881-1} - iceweasel 24.4.0esr-1 - icedove 24.4.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1508 (The libxul.so!gfxContext::Polygon function in Mozilla Firefox before 2 ...) {DSA-2911-1 DSA-2881-1} - iceweasel 24.4.0esr-1 - icedove 24.4.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1507 (Directory traversal vulnerability in the DeviceStorage API in Mozilla ...) NOT-FOR-US: Firefox OS CVE-2014-1506 (Directory traversal vulnerability in Android Crash Reporter in Mozilla ...) - iceweasel (Android-specific) - icedove (Android-specific) CVE-2014-1505 (The SVG filter implementation in Mozilla Firefox before 28.0, Firefox ...) {DSA-2911-1 DSA-2881-1} - iceweasel 24.4.0esr-1 - icedove 24.4.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1504 (The session-restore feature in Mozilla Firefox before 28.0 and SeaMonk ...) - iceweasel (Only affects Firefox 27) - icedove (Only affects Firefox 27) CVE-2014-1503 RESERVED CVE-2014-1502 (The (1) WebGL.compressedTexImage2D and (2) WebGL.compressedTexSubImage ...) - iceweasel (Only affects Firefox 27) - icedove (Only affects Firefox 27) CVE-2014-1501 (Mozilla Firefox before 28.0 on Android allows remote attackers to bypa ...) - iceweasel (Android-specific) - icedove (Android-specific) CVE-2014-1500 (Mozilla Firefox before 28.0 and SeaMonkey before 2.25 allow remote att ...) - iceweasel (Only affects Firefox 27) - icedove (Only affects Firefox 27) CVE-2014-1499 (Mozilla Firefox before 28.0 and SeaMonkey before 2.25 allow remote att ...) - iceweasel (Only affects Firefox 27) - icedove (Only affects Firefox 27) CVE-2014-1498 (The crypto.generateCRMFRequest method in Mozilla Firefox before 28.0 a ...) - iceweasel (Only affects Firefox 27) - icedove (Only affects Firefox 27) CVE-2014-1497 (The mozilla::WaveReader::DecodeAudioData function in Mozilla Firefox b ...) {DSA-2911-1 DSA-2881-1} - iceweasel 24.4.0esr-1 - icedove 24.4.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1496 (Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird ...) - iceweasel (Online update not used in Debian) - icedove (Online update not used in Debian) CVE-2014-1495 RESERVED CVE-2014-1494 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel (Only affects Firefox 27) - icedove (Only affects Firefox 27) CVE-2014-1493 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2911-1 DSA-2881-1} - iceweasel 24.4.0esr-1 - icedove 24.4.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1492 (The cert_TestHostName function in lib/certdb/certdb.c in the certifica ...) {DSA-2994-1 DLA-23-1} - nss 2:3.16-1 [squeeze] - nss 3.12.8-1+squeeze8 - iceweasel (Only affects Firefox 28) - icedove (Only affects Firefox 28) CVE-2014-1491 (Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozi ...) {DSA-2994-1 DSA-2858-1 DLA-23-1} - iceweasel 24.3.0esr-1 - icedove 24.3.0-1 - nss 2:3.15.4-1 [squeeze] - nss 3.12.8-1+squeeze8 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1490 (Race condition in libssl in Mozilla Network Security Services (NSS) be ...) {DSA-2858-1} - iceweasel 24.3.0esr-1 - icedove 24.3.0-1 - nss 2:3.15.4-1 [squeeze] - nss (Too complex to backport) [wheezy] - nss (complex to backport) [squeeze] - iceweasel [squeeze] - icedove NOTE: session tickets must be enabled by the client (mainly browsers) CVE-2014-1489 (Mozilla Firefox before 27.0 does not properly restrict access to about ...) - iceweasel (Only affects Firefox 26) - icedove (Only affects Firefox 26) CVE-2014-1488 (The Web workers implementation in Mozilla Firefox before 27.0 and SeaM ...) - iceweasel (Only affects Firefox 26) - icedove (Only affects Firefox 26) CVE-2014-1487 (The Web workers implementation in Mozilla Firefox before 27.0, Firefox ...) {DSA-2858-1} - iceweasel 24.3.0esr-1 - icedove 24.3.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1486 (Use-after-free vulnerability in the imgRequestProxy function in Mozill ...) {DSA-2858-1} - iceweasel 24.3.0esr-1 - icedove 24.3.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1485 (The Content Security Policy (CSP) implementation in Mozilla Firefox be ...) - iceweasel (Only affects Firefox 26) - icedove (Only affects Firefox 26) CVE-2014-1484 (Mozilla Firefox before 27.0 on Android 4.2 and earlier creates system- ...) - iceweasel (Only affects Firefox for Android) - icedove (Only affects Firefox for Android) CVE-2014-1483 (Mozilla Firefox before 27.0 and SeaMonkey before 2.24 allow remote att ...) - iceweasel (Only affects Firefox 26) - icedove (Only affects Firefox 26) CVE-2014-1482 (RasterImage.cpp in Mozilla Firefox before 27.0, Firefox ESR 24.x befor ...) {DSA-2858-1} - iceweasel 24.3.0esr-1 - icedove 24.3.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1481 (Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird ...) {DSA-2858-1} - iceweasel 24.3.0esr-1 - icedove 24.3.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1480 (The file-download implementation in Mozilla Firefox before 27.0 and Se ...) - iceweasel (Only affects Firefox 26) - icedove (Only affects Firefox 26) CVE-2014-1479 (The System Only Wrapper (SOW) implementation in Mozilla Firefox before ...) {DSA-2858-1} - iceweasel 24.3.0esr-1 - icedove 24.3.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1478 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel (Only affects Firefox 26) - icedove (Only affects Firefox 26) CVE-2014-1477 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2858-1} - iceweasel 24.3.0esr-1 - icedove 24.3.0-1 [squeeze] - iceweasel [squeeze] - icedove CVE-2014-1474 (Algorithmic complexity vulnerability in Email::Address::List before 0. ...) - libemail-address-list-perl 0.03-1 NOTE: http://lists.bestpractical.com/pipermail/rt-announce/2014-January/000245.html CVE-2013-7305 (fpw.php in e107 through 1.0.4 does not check the user_ban field, which ...) NOT-FOR-US: e107 CVE-2013-7304 (Check Point Endpoint Security MI Server through R73 3.0.0 HFA2.5 does ...) NOT-FOR-US: Check Point Endpoint Security MI Server CVE-2013-7297 RESERVED CVE-2013-7295 (Tor before 0.2.4.20, when OpenSSL 1.x is used in conjunction with a ce ...) - tor 0.2.4.20-1 (low) [wheezy] - tor (Minor issue) [squeeze] - tor (OpenSSL in oldstable not affected) CVE-2012-6635 (wp-admin/includes/class-wp-posts-list-table.php in WordPress before 3. ...) - wordpress 3.4+dfsg-1 CVE-2012-6634 (wp-admin/media-upload.php in WordPress before 3.3.3 allows remote atta ...) - wordpress 3.4+dfsg-1 CVE-2012-6633 (Cross-site scripting (XSS) vulnerability in wp-includes/default-filter ...) - wordpress 3.4+dfsg-1 CVE-2012-6621 (Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS 3 ...) NOT-FOR-US: GetSimple CMS CVE-2012-6620 (Multiple cross-site scripting (XSS) vulnerabilities in the (1) tasks a ...) - php-horde-kronolith 4.0.2-1 - kronolith2 (Vulnerable code not present) NOTE: https://github.com/horde/horde/commit/1228a6825a8dab3333d0a8c8986fc10d1f3d11b2 NOTE: fixed upstream in 3.0.17 CVE-2011-5271 (Pacemaker before 1.1.6 configure script creates temporary files insecu ...) - pacemaker 1.1.6-1 (unimportant; bug #633964) NOTE: https://github.com/ClusterLabs/pacemaker/commit/23ad834 NOTE: Only exploitable at build time CVE-2011-5270 (wp-admin/press-this.php in WordPress before 3.0.6 does not enforce the ...) - wordpress 3.2.1+dfsg-1 CVE-2010-5298 (Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL ...) {DSA-2908-1} - openssl 1.0.1g-3 (unimportant) [squeeze] - openssl (Introduced in 1.0.0) NOTE: Only exploitable with OPENSSL_NO_BUF_FREELIST enabled CVE-2010-5297 (WordPress before 3.0.1, when a Multisite installation is used, permane ...) - wordpress 3.0.1-1 CVE-2010-5296 (wp-includes/capabilities.php in WordPress before 3.0.2, when a Multisi ...) - wordpress 3.0.2-1 CVE-2010-5295 (Cross-site scripting (XSS) vulnerability in wp-admin/plugins.php in Wo ...) - wordpress 3.0.2-1 CVE-2010-5294 (Multiple cross-site scripting (XSS) vulnerabilities in the request_fil ...) - wordpress 3.0.2-1 CVE-2010-5293 (wp-includes/comment.php in WordPress before 3.0.2 does not properly wh ...) - wordpress 3.0.2-1 CVE-2014-1642 (The IRQ setup in Xen 4.2.x and 4.3.x, when using device passthrough an ...) - xen 4.4.0-1 [squeeze] - xen (Only affects 4.2 and later) [wheezy] - xen (Only affects 4.2 and later) NOTE: http://www.openwall.com/lists/oss-security/2014/01/23/2 CVE-2014-1640 (axiom-test.sh in axiom 20100701-1.1 uses tempfile to create a safe tem ...) - axiom 20120501-17 (low; bug #736358) [squeeze] - axiom (Minor issue) [wheezy] - axiom (Minor issue) CVE-2014-1639 (syncevo/installcheck-local.sh in syncevolution before 1.3.99.7 uses mk ...) - syncevolution 1.3.99.7-1 (unimportant; bug #736357) NOTE: Only exploitable during build time CVE-2014-1638 ((1) debian/postrm and (2) debian/localepurge.config in localepurge bef ...) - localepurge 0.7.3.2 (bug #736359) [squeeze] - localepurge 0.6.2+nmu1+squeeze1 [wheezy] - localepurge 0.6.3+deb7u1 CVE-2014-1626 (XML External Entity (XXE) vulnerability in MARC::File::XML module befo ...) - libmarc-xml-perl 1.0.2-1 (bug #736275) [wheezy] - libmarc-xml-perl (Too intrusive to backport) [squeeze] - libmarc-xml-perl (Too intrusive to backport) NOTE: http://sourceforge.net/p/marcpm/code/ci/cf2d36597a56eeeffd53b38182b8557c7bf569ac/ NOTE: older versions do not have the ability to set a user custom parser, trying to fix CVE-2014-1626 not clear yet NOTE: upstream developer contacted and is looking into it; backport fix might be to intrusive due to change in used Module CVE-2014-1624 (Race condition in the xdg.BaseDirectory.get_runtime_dir function in py ...) - pyxdg 0.25-4 (low; bug #736247) [squeeze] - pyxdg (get_runtime_dir introduced in later version) [wheezy] - pyxdg (get_runtime_dir introduced in later version) CVE-2014-1611 (Cross-site scripting (XSS) vulnerability in the Anonymous Posting modu ...) NOT-FOR-US: Drupal contrib CVE-2014-1604 (The parser cache functionality in parsergenerator.py in RPLY (aka pyth ...) - python-rply 0.7.1-1 NOTE: https://github.com/alex/rply/commit/fc9bbcd25b0b4f09bbd6339f710ad24c129d5d7cand CVE-2014-1473 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Ente ...) NOT-FOR-US: McAfee Vulnerability Manager CVE-2014-1472 (Multiple cross-site scripting (XSS) vulnerabilities in the Enterprise ...) NOT-FOR-US: McAfee Vulnerability Manager CVE-2014-1471 (SQL injection vulnerability in the StateGetStatesByType function in Ke ...) {DSA-2867-1} - otrs2 3.3.4-1 (low) NOTE: https://www.otrs.com/security-advisory-2014-02-sql-injection-issue/ CVE-2014-1470 REJECTED CVE-2014-1469 (BlackBerry Enterprise Server 5.x before 5.0.4 MR7 and Enterprise Servi ...) NOT-FOR-US: BlackBerry Enterprise Server CVE-2014-1468 RESERVED CVE-2014-1467 (BlackBerry Enterprise Service 10 before 10.2.1, Universal Device Servi ...) NOT-FOR-US: IBM Domino CVE-2014-1466 (SQL injection vulnerability in CSP MySQL User Manager 2.3 allows remot ...) NOT-FOR-US: CSP MySQL User Manager CVE-2014-1465 RESERVED CVE-2014-1464 RESERVED CVE-2014-1463 RESERVED CVE-2014-1462 RESERVED CVE-2014-1461 RESERVED CVE-2014-1460 RESERVED CVE-2014-1459 (SQL injection vulnerability in dg-admin/index.php in doorGets CMS 5.2 ...) NOT-FOR-US: doorGets CMS CVE-2014-1458 (Cross-site scripting (XSS) vulnerability in the web administration int ...) NOT-FOR-US: FortiGuard FortiWeb CVE-2014-1457 (Open Web Analytics (OWA) before 1.5.6 improperly generates random nonc ...) NOT-FOR-US: Open Web Analytics CVE-2014-1456 (Cross-site scripting (XSS) vulnerability in the login page in Open Web ...) NOT-FOR-US: Open Web Analytics CVE-2014-1455 (SQL injection vulnerability in the password reset functionality in Pea ...) NOT-FOR-US: Pearson eSIS Enterprise Student Information System CVE-2014-1454 (Pearson eSIS (Enterprise Student Information System) message board has ...) NOT-FOR-US: Pearson eSIS (Enterprise Student Information System) message board CVE-2014-1453 (The NFS server (nfsserver) in FreeBSD 8.3 through 10.0 does not acquir ...) {DSA-2952-1} - kfreebsd-8 [wheezy] - kfreebsd-8 (Non standard kernel, will be fixed in a point update) [squeeze] - kfreebsd-8 (Unsupported in squeeze-lts) - kfreebsd-9 (bug #743984) - kfreebsd-10 10.0-4 NOTE: kfreebsd-8 might be affected but NFS implementation isn't the one used there by default CVE-2014-1452 (Stack-based buffer overflow in lib/snmpagent.c in bsnmpd, as used in F ...) NOT-FOR-US: bsnmpd CVE-2014-1451 RESERVED CVE-2014-1450 RESERVED CVE-2014-1449 (The Maxthon Cloud Browser application before 4.1.6.2000 for Android al ...) NOT-FOR-US: Maxthon Cloud Browser application for Android CVE-2014-1443 (Core FTP Server 1.2 before build 515 allows remote authenticated users ...) NOT-FOR-US: Core FTP Server CVE-2014-1442 (Directory traversal vulnerability in Core FTP Server 1.2 before build ...) NOT-FOR-US: Core FTP Server CVE-2014-1441 (Core FTP Server 1.2 before build 515 allows remote attackers to cause ...) NOT-FOR-US: Core FTP Server CVE-2014-1440 RESERVED CVE-2014-1439 (The libxml_disable_entity_loader function in runtime/ext/ext_simplexml ...) NOT-FOR-US: HipHop Virtual Machine for PHP CVE-2014-1437 REJECTED CVE-2014-1436 REJECTED CVE-2014-1435 REJECTED CVE-2014-1434 REJECTED CVE-2014-1433 REJECTED CVE-2014-1432 REJECTED CVE-2014-1431 REJECTED CVE-2014-1430 REJECTED CVE-2014-1429 REJECTED CVE-2014-1428 (A vulnerability in generate_filestorage_key of Ubuntu MAAS allows an a ...) NOT-FOR-US: Ubuntu MAAS CVE-2014-1427 (A vulnerability in the REST API of Ubuntu MAAS allows an attacker to c ...) NOT-FOR-US: Ubuntu MAAS CVE-2014-1426 (A vulnerability in maasserver.api.get_file_by_name of Ubuntu MAAS allo ...) NOT-FOR-US: Ubuntu MAAS CVE-2014-1425 (cmanager 0.32 does not properly enforce nesting when modifying cgroup ...) - cgmanager 0.33-3 [jessie] - cgmanager 0.33-2+deb8u1 CVE-2014-1424 (apparmor_parser in the apparmor package before 2.8.95~2430-0ubuntu5.1 ...) - apparmor (Vulnerable code only in Ubuntu-specific backport of patch) NOTE: Caused by a patch that was added to the Ubuntu packaging before NOTE: it was taken upstream. The one that was merged upstream (and part NOTE: of AppArmor 2.9.0) is not affected. The closest version to the NOTE: affected one that we ever had in Debian (2.8.96~2652) did not NOTE: include the faulty patch. CVE-2014-1423 (signond before 8.57+15.04.20141127.1-0ubuntu1, as used in Ubuntu Touch ...) NOT-FOR-US: signond from Ubuntu Touch CVE-2014-1422 RESERVED CVE-2014-1421 (mountall 1.54, as used in Ubuntu 14.10, does not properly handle the u ...) - mountall (partman-efi in jessie uses secure umask, mount in older releases not affected) NOTE: See https://bugs.launchpad.net/ubuntu/+source/partman-efi/+bug/1390183 NOTE: and http://www.ubuntu.com/usn/usn-2411-1 CVE-2014-1420 RESERVED CVE-2014-1419 (Race condition in the power policy functions in policy-funcs in acpi-s ...) {DSA-2984-1 DLA-30-1} - acpi-support 0.142-2 CVE-2014-1418 (Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 ...) {DSA-2934-1} - python-django 1.6.5-1 NOTE: https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/ CVE-2014-1417 RESERVED CVE-2014-1416 RESERVED CVE-2014-1415 RESERVED CVE-2014-1414 RESERVED CVE-2014-1413 RESERVED CVE-2014-1412 RESERVED CVE-2014-1411 RESERVED CVE-2014-1410 RESERVED CVE-2013-7303 (Multiple cross-site scripting (XSS) vulnerabilities in (1) squelettes- ...) - spip 3.0.13-1 (bug #736170) [wheezy] - spip 2.1.17-1+deb7u3 [squeeze] - spip (Not supported in Squeeze LTS) CVE-2013-7302 (Session fixation vulnerability in the Ubercart module 6.x-2.x before 6 ...) NOT-FOR-US: Drupal contrib CVE-2013-7301 (Cantata before 1.2.2 does not restrict access to files in the play que ...) - cantata (Vulnerable code introduced with 1.2.0; bug #736154) NOTE: https://code.google.com/p/cantata/issues/detail?id=356 CVE-2013-7300 (Absolute path traversal vulnerability in cantata before 1.2.2 allows l ...) - cantata (Vulnerable code introduced with 1.2.0; bug #736154) NOTE: https://code.google.com/p/cantata/issues/detail?id=356 CVE-2013-7299 (framework/common/messageheaderparser.cpp in Tntnet before 2.2.1 allows ...) - tntnet 2.2.1-1 (low; bug #735881) [wheezy] - tntnet (Minor issue) [squeeze] - tntnet (Minor issue) CVE-2013-7298 (query_params.cpp in cxxtools before 2.2.1 allows remote attackers to c ...) - cxxtools 2.2.1-1 (low; bug #735880) [wheezy] - cxxtools (Issue not present, introduced in v2.2) [squeeze] - cxxtools (Issue not present, introduced in v2.2) CVE-2013-7296 (The JBIG2Stream::readSegments method in JBIG2Stream.cc in Poppler befo ...) - poppler (Introduced in a3cee0e7e9dd292c70fe1fa19a92e70bbc1e1b41) NOTE: http://cgit.freedesktop.org/poppler/poppler/commit/?id=58e04a08afee NOTE: https://bugs.kde.org/show_bug.cgi?id=328511 CVE-2013-7294 (The ikev2parent_inI1outR1 function in pluto/ikev2_parent.c in libreswa ...) NOT-FOR-US: libreswan, strongSwan not affected (pluto never supported ikev2) CVE-2013-7293 (The ASUS WL-330NUL router has a configuration process that relies on a ...) NOT-FOR-US: ASUS router CVE-2014-1476 (The Taxonomy module in Drupal 7.x before 7.26, when upgraded from an e ...) {DSA-2847-1} - drupal6 (Only occurs on Drupal 7 sites which upgraded from Drupal 6 or earlier) - drupal7 7.26-1 CVE-2014-1475 (The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows ...) {DSA-2851-1 DSA-2847-1} - drupal6 - drupal7 7.26-1 CVE-2014-1446 (The yam_ioctl function in drivers/net/hamradio/yam.c in the Linux kern ...) {DSA-2906-1} - linux 3.12.8-1 (low) - linux-2.6 (low) [wheezy] - linux 3.2.54-1 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8e3fbf870481eb53b2d3a322d1fc395ad8b367ed CVE-2014-1445 (The wanxl_ioctl function in drivers/net/wan/wanxl.c in the Linux kerne ...) {DSA-2906-1} - linux 3.12.6-1 (low) - linux-2.6 (low) [wheezy] - linux 3.2.53-1 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2b13d06c9584b4eb773f1e80bbaedab9a1c344e1 CVE-2014-1444 (The fst_get_iface function in drivers/net/wan/farsync.c in the Linux k ...) {DSA-2906-1} - linux 3.12.6-1 (low) - linux-2.6 (low) [wheezy] - linux 3.2.53-1 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=96b340406724d87e4621284ebac5e059d67b2194 CVE-2014-1438 (The restore_fpu_checking function in arch/x86/include/asm/fpu-internal ...) {DLA-0007-1} - linux 3.12.8-1 (bug #733551) - linux-2.6 [wheezy] - linux 3.2.54-1 [squeeze] - linux-2.6 2.6.32-48squeeze7 NOTE: http://www.halfdog.net/Security/2013/Vm86SyscallTaskSwitchKernelPanic/ NOTE: http://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/commit/?id=26bef1318adc1b3a530ecc807ef99346db2aa8b0 CVE-2014-1448 REJECTED CVE-2014-1447 (Race condition in the virNetServerClientStartKeepAlive function in lib ...) {DSA-2846-1} - libvirt 1.2.1-1 (bug #735676) [squeeze] - libvirt (Unsupported in squeeze-lts) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1047577 NOTE: http://libvirt.org/git/?p=libvirt.git;a=commit;h=066c8ef6c18bc1faf8b3e10787b39796a7a06cc0 NOTE: http://libvirt.org/git/?p=libvirt.git;a=commit;h=173c2914734eb5c32df6d35a82bf503e12261bcf CVE-2014-1409 (MobileIron VSP versions prior to 5.9.1 and Sentry versions prior to 5. ...) NOT-FOR-US: MobileIron VSP CVE-2014-1404 RESERVED CVE-2014-1403 (Cross-site scripting (XSS) vulnerability in name.html in easyXDM befor ...) NOT-FOR-US: easyXDM CVE-2014-1397 RESERVED CVE-2014-1396 RESERVED CVE-2014-1395 RESERVED CVE-2014-1394 RESERVED CVE-2014-1393 RESERVED CVE-2014-1392 RESERVED CVE-2014-1391 (QT Media Foundation in Apple OS X before 10.9.5 allows remote attacker ...) NOT-FOR-US: Apple Quicktime CVE-2014-1390 (WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6, all ...) - webkitgtk 2.4.8-1 (unimportant) CVE-2014-1389 (WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6, all ...) - webkitgtk 2.4.8-1 (unimportant) CVE-2014-1388 (WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6, all ...) - webkitgtk 2.4.8-1 (unimportant) CVE-2014-1387 (WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6, all ...) - webkitgtk 2.4.8-1 (unimportant) CVE-2014-1386 (WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6, all ...) - webkitgtk 2.4.8-1 (unimportant) CVE-2014-1385 (WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6, all ...) - webkitgtk 2.4.8-1 (unimportant) CVE-2014-1384 (WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6, all ...) - webkitgtk 2.4.8-1 (unimportant) CVE-2014-1383 (Apple TV before 6.1.2 allows remote authenticated users to bypass an i ...) NOT-FOR-US: Apple TV CVE-2014-1382 (WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 a ...) NOT-FOR-US: WebKit CVE-2014-1381 (Thunderbolt in Apple OS X before 10.9.4 does not properly restrict IOT ...) NOT-FOR-US: Apple OS X Thunderbolt CVE-2014-1380 (The Security - Keychain component in Apple OS X before 10.9.4 does not ...) NOT-FOR-US: Apple OS X CVE-2014-1379 (Graphics Drivers in Apple OS X before 10.9.4 allows attackers to gain ...) NOT-FOR-US: Apple OS X CVE-2014-1378 (IOGraphicsFamily in Apple OS X before 10.9.4 allows local users to byp ...) NOT-FOR-US: Apple OS X CVE-2014-1377 (Array index error in IOAcceleratorFamily in Apple OS X before 10.9.4 a ...) NOT-FOR-US: Apple OS X CVE-2014-1376 (Intel Compute in Apple OS X before 10.9.4 does not properly restrict a ...) NOT-FOR-US: Apple OS X Intel Compute CVE-2014-1375 (Intel Graphics Driver in Apple OS X before 10.9.4 allows local users t ...) NOT-FOR-US: Apple OS X Intel Graphics Driver CVE-2014-1374 REJECTED CVE-2014-1373 (Intel Graphics Driver in Apple OS X before 10.9.4 does not properly re ...) NOT-FOR-US: Apple OS X Intel Graphics Driver CVE-2014-1372 (Graphics Driver in Apple OS X before 10.9.4 does not properly restrict ...) NOT-FOR-US: Apple OS X Graphics Driver CVE-2014-1371 (Array index error in Dock in Apple OS X before 10.9.4 allows attackers ...) NOT-FOR-US: Apple OS X Dock CVE-2014-1370 (The byte-swapping implementation in copyfile in Apple OS X before 10.9 ...) NOT-FOR-US: Apple CVE-2014-1369 (WebKit in Apple Safari before 6.1.5 and 7.x before 7.0.5 allows user-a ...) NOT-FOR-US: WebKit CVE-2014-1368 (WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 a ...) NOT-FOR-US: WebKit CVE-2014-1367 (WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 a ...) NOT-FOR-US: WebKit CVE-2014-1366 (WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 a ...) NOT-FOR-US: WebKit CVE-2014-1365 (WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 a ...) NOT-FOR-US: WebKit CVE-2014-1364 (WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 a ...) NOT-FOR-US: WebKit CVE-2014-1363 (WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 a ...) NOT-FOR-US: WebKit CVE-2014-1362 (WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 a ...) NOT-FOR-US: WebKit CVE-2014-1361 (Secure Transport in Apple iOS before 7.1.2, Apple OS X before 10.9.4, ...) NOT-FOR-US: Apple iOS CVE-2014-1360 (Lockdown in Apple iOS before 7.1.2 does not properly verify data from ...) NOT-FOR-US: Apple iOS CVE-2014-1359 (Integer underflow in launchd in Apple iOS before 7.1.2, Apple OS X bef ...) NOT-FOR-US: Apple iOS CVE-2014-1358 (Integer overflow in launchd in Apple iOS before 7.1.2, Apple OS X befo ...) NOT-FOR-US: Apple iOS CVE-2014-1357 (Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple ...) NOT-FOR-US: Apple iOS CVE-2014-1356 (Heap-based buffer overflow in launchd in Apple iOS before 7.1.2, Apple ...) NOT-FOR-US: Apple iOS CVE-2014-1355 (The IOKit implementation in the kernel in Apple iOS before 7.1.2 and A ...) NOT-FOR-US: Apple iOS CVE-2014-1354 (CoreGraphics in Apple iOS before 7.1.2 does not properly restrict allo ...) NOT-FOR-US: Apple iOS CVE-2014-1353 (Lock Screen in Apple iOS before 7.1.2 does not properly manage the tel ...) NOT-FOR-US: Apple iOS CVE-2014-1352 (Lock Screen in Apple iOS before 7.1.2 does not properly enforce the li ...) NOT-FOR-US: Apple iOS CVE-2014-1351 (Siri in Apple iOS before 7.1.2 allows physically proximate attackers t ...) NOT-FOR-US: Apple iOS CVE-2014-1350 (Settings in Apple iOS before 7.1.2 allows physically proximate attacke ...) NOT-FOR-US: Apple iOS CVE-2014-1349 (Use-after-free vulnerability in Safari in Apple iOS before 7.1.2 allow ...) NOT-FOR-US: Apple iOS CVE-2014-1348 (Mail in Apple iOS before 7.1.2 advertises the availability of data pro ...) NOT-FOR-US: Apple iOS CVE-2014-1347 (Apple iTunes before 11.2.1 on OS X sets world-writable permissions for ...) NOT-FOR-US: Apple iTunes CVE-2014-1346 (WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, doe ...) NOT-FOR-US: Safari / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1345 (WebKit in Apple iOS before 7.1.2 and Apple Safari before 6.1.5 and 7.x ...) - webkitgtk 2.4.8-1 (unimportant) CVE-2014-1344 (WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, all ...) NOT-FOR-US: Safari / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1343 (WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, all ...) NOT-FOR-US: Safari / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1342 (WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, all ...) NOT-FOR-US: Safari / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1341 (WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, all ...) NOT-FOR-US: Safari / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1340 (WebKit, as used in Apple Safari before 6.1.5 and 7.x before 7.0.5, all ...) NOT-FOR-US: Safari / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1339 (WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, all ...) NOT-FOR-US: Safari / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1338 (WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, all ...) NOT-FOR-US: Safari / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1337 (WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, all ...) NOT-FOR-US: Safari / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1336 (WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, all ...) NOT-FOR-US: Safari / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1335 (WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, all ...) NOT-FOR-US: Safari / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1334 (WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, all ...) NOT-FOR-US: Safari / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1333 (WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, all ...) NOT-FOR-US: Safari / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1332 REJECTED CVE-2014-1331 (WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, all ...) NOT-FOR-US: Safari / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1330 (WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, all ...) NOT-FOR-US: Safari / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1329 (WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, all ...) NOT-FOR-US: Safari / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1328 REJECTED CVE-2014-1327 (WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, all ...) NOT-FOR-US: Safari / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1326 (WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, all ...) NOT-FOR-US: Safari / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1325 (WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 a ...) NOT-FOR-US: Safari / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1324 (WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, all ...) NOT-FOR-US: Safari / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1323 (WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, all ...) NOT-FOR-US: Safari / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1322 (The kernel in Apple OS X through 10.9.2 places a kernel pointer into a ...) NOT-FOR-US: Apple CVE-2014-1321 (Power Management in Apple OS X 10.9.x through 10.9.2 allows physically ...) NOT-FOR-US: Apple CVE-2014-1320 (IOKit in Apple iOS before 7.1.1, Apple OS X through 10.9.2, and Apple ...) NOT-FOR-US: Apple CVE-2014-1319 (Buffer overflow in ImageIO in Apple OS X 10.9.x through 10.9.2 allows ...) NOT-FOR-US: Apple CVE-2014-1318 (The Intel Graphics Driver in Apple OS X through 10.9.2 does not proper ...) NOT-FOR-US: Apple CVE-2014-1317 (iBooks Commerce in Apple OS X before 10.9.4 places Apple ID credential ...) NOT-FOR-US: Apple CVE-2014-1316 (Heimdal, as used in Apple OS X through 10.9.2, allows remote attackers ...) NOT-FOR-US: Apple CVE-2014-1315 (Format string vulnerability in CoreServicesUIAgent in Apple OS X 10.9. ...) NOT-FOR-US: Apple CVE-2014-1314 (WindowServer in Apple OS X through 10.9.2 does not prevent session cre ...) NOT-FOR-US: Apple CVE-2014-1313 (WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, all ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1312 (WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, all ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1311 (WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, all ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1310 (WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, all ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1309 (WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, all ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1308 (WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, all ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1307 (WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, all ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1306 REJECTED CVE-2014-1305 (WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, all ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1304 (WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, all ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1303 (Heap-based buffer overflow in Apple Safari 7.0.2 allows remote attacke ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1302 (WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, all ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1301 (WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, all ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1300 (Unspecified vulnerability in Apple Safari 7.0.2 on OS X allows remote ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1299 (WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, all ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1298 (WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, all ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1297 (WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, doe ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1296 (CFNetwork in Apple iOS before 7.1.1, Apple OS X through 10.9.2, and Ap ...) NOT-FOR-US: Apple CVE-2014-1295 (Secure Transport in Apple iOS before 7.1.1, Apple OS X 10.8.x and 10.9 ...) NOT-FOR-US: Apple CVE-2014-1294 (WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allow ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1293 (WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allow ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1292 (WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allow ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1291 (WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allow ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1290 (WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allow ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1289 (WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allow ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1288 REJECTED CVE-2014-1287 (USB Host in Apple iOS before 7.1 and Apple TV before 6.1 allows physic ...) NOT-FOR-US: Apple CVE-2014-1286 (SpringBoard Lock Screen in Apple iOS before 7.1 allows remote attacker ...) NOT-FOR-US: SpringBoard Lock Screen in Apple iOS CVE-2014-1285 (Springboard in Apple iOS before 7.1 allows physically proximate attack ...) NOT-FOR-US: Springboard in Apple iOS CVE-2014-1284 REJECTED CVE-2014-1283 REJECTED CVE-2014-1282 (The Profiles component in Apple iOS before 7.1 and Apple TV before 6.1 ...) NOT-FOR-US: Apple CVE-2014-1281 (Photos Backend in Apple iOS before 7.1 does not properly manage the as ...) NOT-FOR-US: Photos Backend in Apple iOS CVE-2014-1280 (Video Driver in Apple iOS before 7.1 and Apple TV before 6.1 allows re ...) NOT-FOR-US: Apple CVE-2014-1279 (Apple TV before 6.1 does not properly restrict logging, which allows l ...) NOT-FOR-US: Apple TV CVE-2014-1278 (The ptmx_get_ioctl function in the ARM kernel in Apple iOS before 7.1 ...) NOT-FOR-US: Apple CVE-2014-1277 REJECTED CVE-2014-1276 (IOKit HID Event in Apple iOS before 7.1 allows attackers to conduct us ...) NOT-FOR-US: IOKit HID Event in Apple iOS CVE-2014-1275 (Buffer overflow in ImageIO in Apple iOS before 7.1 and Apple TV before ...) NOT-FOR-US: Apple CVE-2014-1274 (FaceTime in Apple iOS before 7.1 allows physically proximate attackers ...) NOT-FOR-US: FaceTime in Apple iOS CVE-2014-1273 (dyld in Apple iOS before 7.1 and Apple TV before 6.1 allows attackers ...) NOT-FOR-US: Apple CVE-2014-1272 (CrashHouseKeeping in Crash Reporting in Apple iOS before 7.1 and Apple ...) NOT-FOR-US: Apple CVE-2014-1271 (CoreCapture in Apple iOS before 7.1 and Apple TV before 6.1 does not p ...) NOT-FOR-US: Apple CVE-2014-1270 (WebKit, as used in Apple Safari before 6.1.2 and 7.x before 7.0.2, all ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1269 (WebKit, as used in Apple Safari before 6.1.2 and 7.x before 7.0.2, all ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1268 (WebKit, as used in Apple Safari before 6.1.2 and 7.x before 7.0.2, all ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2014-1267 (The Configuration Profiles component in Apple iOS before 7.1 and Apple ...) NOT-FOR-US: Apple CVE-2014-1266 (The SSLVerifySignedServerKeyExchange function in libsecurity_ssl/lib/s ...) NOT-FOR-US: Apple CVE-2014-1265 (The systemsetup program in the Date and Time subsystem in Apple OS X b ...) NOT-FOR-US: Apple CVE-2014-1264 (Finder in Apple OS X before 10.9.2 does not ensure ACL integrity after ...) NOT-FOR-US: Apple CVE-2014-1263 (curl and libcurl 7.27.0 through 7.35.0, when using the SecureTransport ...) - curl (Only applies to Curl on Mac OS or iOS) NOTE: http://curl.haxx.se/docs/adv_20140326C.html CVE-2014-1262 (Apple Type Services (ATS) in Apple OS X before 10.9.2 allows attackers ...) NOT-FOR-US: Apple CVE-2014-1261 (Integer signedness error in CoreText in Apple OS X before 10.9.2 allow ...) NOT-FOR-US: Apple CVE-2014-1260 (QuickLook in Apple OS X through 10.8.5 allows remote attackers to exec ...) NOT-FOR-US: Apple CVE-2014-1259 (Buffer overflow in File Bookmark in Apple OS X before 10.9.2 allows at ...) NOT-FOR-US: Apple CVE-2014-1258 (Heap-based buffer overflow in CoreAnimation in Apple OS X before 10.9. ...) NOT-FOR-US: Apple CVE-2014-1257 (CFNetwork in Apple OS X through 10.8.5 does not remove session cookies ...) NOT-FOR-US: Apple CVE-2014-1256 (Buffer overflow in Apple Type Services (ATS) in Apple OS X before 10.9 ...) NOT-FOR-US: Apple CVE-2014-1255 (Apple Type Services (ATS) in Apple OS X before 10.9.2 does not properl ...) NOT-FOR-US: Apple CVE-2014-1254 (Apple Type Services (ATS) in Apple OS X before 10.9.2 allows remote at ...) NOT-FOR-US: Apple CVE-2014-1253 (AppleMNT.sys in Apple Boot Camp 5 before 5.1 allows local users to cau ...) NOT-FOR-US: Apple Boot Camp CVE-2014-1252 (Double free vulnerability in Apple Pages 2.x before 2.1 and 5.x before ...) NOT-FOR-US: Apple Pages CVE-2014-1251 (Buffer overflow in Apple QuickTime before 7.7.5 allows remote attacker ...) NOT-FOR-US: Apple QuickTime CVE-2014-1250 (Apple QuickTime before 7.7.5 does not properly perform a byte-swapping ...) NOT-FOR-US: Apple QuickTime CVE-2014-1249 (Buffer overflow in Apple QuickTime before 7.7.5 allows remote attacker ...) NOT-FOR-US: Apple QuickTime CVE-2014-1248 (Buffer overflow in Apple QuickTime before 7.7.5 allows remote attacker ...) NOT-FOR-US: Apple QuickTime CVE-2014-1247 (Apple QuickTime before 7.7.5 allows remote attackers to execute arbitr ...) NOT-FOR-US: Apple QuickTime CVE-2014-1246 (Buffer overflow in Apple QuickTime before 7.7.5 allows remote attacker ...) NOT-FOR-US: Apple QuickTime CVE-2014-1245 (Integer signedness error in Apple QuickTime before 7.7.5 allows remote ...) NOT-FOR-US: Apple QuickTime CVE-2014-1244 (Buffer overflow in Apple QuickTime before 7.7.5 allows remote attacker ...) NOT-FOR-US: Apple QuickTime CVE-2014-1243 (Apple QuickTime before 7.7.5 does not initialize an unspecified pointe ...) NOT-FOR-US: Apple QuickTime CVE-2014-1242 (Apple iTunes before 11.1.4 uses HTTP for the iTunes Tutorials window, ...) NOT-FOR-US: Apple iTunes CVE-2014-1241 RESERVED CVE-2014-1240 RESERVED CVE-2014-1239 RESERVED CVE-2014-1238 (Cross-site scripting (XSS) vulnerability in ui/common/managedlistdialo ...) NOT-FOR-US: Q-Pulse CVE-2014-1237 (Cross-site scripting (XSS) vulnerability in synetics i-doit pro before ...) NOT-FOR-US: i-doit CVE-2014-1232 (Cross-site scripting (XSS) vulnerability in the Foliopress WYSIWYG plu ...) NOT-FOR-US: Foliopress CVE-2014-1231 RESERVED CVE-2014-1230 RESERVED CVE-2014-1229 RESERVED CVE-2014-1228 RESERVED CVE-2014-1227 RESERVED CVE-2014-1226 (The pipe_init_terminal function in main.c in s3dvt allows local users ...) - s3d 0.2.2-13 (unimportant) NOTE: http://hmarco.org/bugs/CVE-2014-1226-s3dvt_0.2.2-root-shell.html NOTE: Additional patch hunk applied in 0.2.2-11 (experimental) only NOTE: Not running with elevated privileges in Debian packaging CVE-2014-1225 RESERVED CVE-2014-1224 (Incomplete blacklist vulnerability in the user registration feature in ...) NOT-FOR-US: rexx Recruitment CVE-2014-1223 (Cross-site scripting (XSS) vulnerability in controlpanel/loading.aspx ...) NOT-FOR-US: Telligent Evolution CVE-2014-1222 (Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM ...) NOT-FOR-US: vTiger CRM CVE-2014-1221 RESERVED NOT-FOR-US: Dameware CVE-2014-1220 RESERVED NOT-FOR-US: IT2 Workstation CVE-2014-1219 (CA 2E Web Option r8.1.2 accepts a predictable substring of a W2E_SSNID ...) NOT-FOR-US: 2E Web Option CVE-2014-1218 RESERVED CVE-2014-1217 (Livetecs Timelive before 6.2.8 does not properly restrict access to sy ...) NOT-FOR-US: Livetecs Timelive CVE-2014-1216 (FitNesse Wiki 20131110, 20140201, and earlier allows remote attackers ...) NOT-FOR-US: Fitnesse Wiki CVE-2014-1215 (Multiple buffer overflows in Core FTP Server before 1.2 build 508 allo ...) NOT-FOR-US: Core FTP Server CVE-2014-1214 (views/upload.php in the ProJoom Smart Flash Header (NovaSFH) component ...) NOT-FOR-US: Projoom NovaSFH Plugin CVE-2014-1213 (Sophos Anti-Virus engine (SAVi) before 3.50.1, as used in VDL 4.97G 9. ...) NOT-FOR-US: Sophos Anti Virus CVE-2014-1212 RESERVED CVE-2014-1211 (Cross-site request forgery (CSRF) vulnerability in VMware vCloud Direc ...) NOT-FOR-US: VMWare CVE-2014-1210 (VMware vSphere Client 5.0 before Update 3 and 5.1 before Update 2 does ...) NOT-FOR-US: VMware vSphere Client CVE-2014-1209 (VMware vSphere Client 4.0, 4.1, 5.0 before Update 3, and 5.1 before Up ...) NOT-FOR-US: VMware vSphere Client CVE-2014-1208 (VMware Workstation 9.x before 9.0.1, VMware Player 5.x before 5.0.1, V ...) NOT-FOR-US: VMWare CVE-2014-1207 (VMware ESXi 4.0 through 5.1 and ESX 4.0 and 4.1 allow remote attackers ...) NOT-FOR-US: VMWare CVE-2014-1206 (SQL injection vulnerability in the password reset page in Open Web Ana ...) NOT-FOR-US: Open Web Analytics CVE-2014-1205 RESERVED CVE-2014-1204 (SQL injection vulnerability in Tableau Server 8.0.x before 8.0.7 and 8 ...) NOT-FOR-US: Tableau Server CVE-2014-1202 (The WSDL/WADL import functionality in SoapUI before 4.6.4 allows remot ...) NOT-FOR-US: SoapUI CVE-2014-1201 (Buffer overflow in the INetViewX ActiveX control in the Lorex Edge LH3 ...) NOT-FOR-US: Lorex CVE-2014-0999 (Sendio before 7.2.4 includes the session identifier in URLs in emails, ...) NOT-FOR-US: Sendio CVE-2014-0998 (Integer signedness error in the vt console driver (formerly Newcons) i ...) [experimental] - kfreebsd-11 11.0~svn284956-1 - kfreebsd-10 10.1~svn274115-3 (bug #779194) - kfreebsd-9 (don't have newcons) - kfreebsd-8 (don't have newcons) NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-15:02.kmem.asc CVE-2014-0997 (WiFiMonitor in Android 4.4.4 as used in the Nexus 5 and 4, Android 4.2 ...) NOT-FOR-US: WiFiMonitor in Android CVE-2014-0996 RESERVED CVE-2014-0995 (The Standalone Enqueue Server in SAP Netweaver 7.20, 7.01, and earlier ...) NOT-FOR-US: SAP Netweaver CVE-2014-0994 (Heap-based buffer overflow in the ReadDIB function in the Vcl.Graphics ...) NOT-FOR-US: Delphi CVE-2014-0993 (Buffer overflow in the Vcl.Graphics.TPicture.Bitmap implementation in ...) NOT-FOR-US: Embarcadero CVE-2014-0992 (Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin ...) NOT-FOR-US: Advantech WebAccess CVE-2014-0991 (Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin ...) NOT-FOR-US: Advantech WebAccess CVE-2014-0990 (Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin ...) NOT-FOR-US: Advantech WebAccess CVE-2014-0989 (Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin ...) NOT-FOR-US: Advantech WebAccess CVE-2014-0988 (Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin ...) NOT-FOR-US: Advantech WebAccess CVE-2014-0987 (Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin ...) NOT-FOR-US: Advantech WebAccess CVE-2014-0986 (Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin ...) NOT-FOR-US: Advantech WebAccess CVE-2014-0985 (Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin ...) NOT-FOR-US: Advantech WebAccess CVE-2014-0984 (The passwordCheck function in SAP Router 721 patch 117, 720 patch 411, ...) NOT-FOR-US: SAP Router CVE-2014-0983 (Multiple array index errors in programs that are automatically generat ...) {DSA-2904-1} - virtualbox 4.3.10-dfsg-1 (bug #741602) - virtualbox-ose (bug #741602) NOTE: http://www.coresecurity.com/advisories/oracle-virtualbox-3d-acceleration-multiple-memory-corruption-vulnerabilities CVE-2014-0982 REJECTED CVE-2014-0981 (VBox/GuestHost/OpenGL/util/net.c in Oracle VirtualBox before 3.2.22, 4 ...) {DSA-2904-1} - virtualbox 4.3.10-dfsg-1 (bug #741602) - virtualbox-ose (bug #741602) NOTE: http://www.coresecurity.com/advisories/oracle-virtualbox-3d-acceleration-multiple-memory-corruption-vulnerabilities CVE-2014-0980 (Buffer overflow in Poster Software PUBLISH-iT 3.6d allows remote attac ...) NOT-FOR-US: Publish-It CVE-2014-0976 RESERVED CVE-2014-0975 RESERVED CVE-2014-0974 (The boot_linux_from_mmc function in app/aboot/aboot.c in the Little Ke ...) NOT-FOR-US: Little Kernel (bootloader) CVE-2014-0973 (The image_verify function in platform/msm_shared/image_verify.c in the ...) NOT-FOR-US: Little Kernel (bootloader) CVE-2014-0972 (The kgsl graphics driver for the Linux kernel 3.x, as used in Qualcomm ...) - linux (affects drivers/gpu/msm, not merged in mainline) CVE-2013-7292 (VASCO IDENTIKEY Authentication Server (IAS) 3.4.x allows remote authen ...) NOT-FOR-US: VASCO IAS CVE-2013-7291 (memcached before 1.4.17, when running in verbose mode, allows remote a ...) {DLA-701-1} - memcached 1.4.20-1 (low; bug #735314) [squeeze] - memcached (Minor issue) NOTE: https://github.com/memcached/memcached/commit/fbe823d9a61b5149cd6e3b5e17bd28dd3b8dd760 CVE-2013-7290 (The do_item_get function in items.c in memcached 1.4.4 and other versi ...) - memcached 1.4.13-0.2 [squeeze] - memcached 1.4.5-1+deb6u1 NOTE: https://github.com/memcached/memcached/commit/fbe823d9a61b5149cd6e3b5e17bd28dd3b8dd760 NOTE: actual patch should be adjusted in case there is a further memcached upload accoring to upstream commit CVE-2013-7289 (Multiple cross-site scripting (XSS) vulnerabilities in register.php in ...) NOT-FOR-US: Andy's PHP Knowledgebase (Aphpkb) CVE-2013-7287 (MobileIron VSP < 5.9.1 and Sentry < 5.0 has an insecure encrypti ...) NOT-FOR-US: MobileIron CVE-2013-7286 (MobileIron VSP < 5.9.1 and Sentry < 5.0 has a weak password obfu ...) NOT-FOR-US: MobileIron CVE-2013-7283 (Race condition in the libreswan.spec files for Red Hat Enterprise Linu ...) - libreswan (Fixed before initial upload in Debian; /tmp-race in libreswan.spec for rpm based systems) CVE-2013-7282 (The management web interface on the Nisuta NS-WIR150NE router with fir ...) NOT-FOR-US: Nisuta NS-WIR150NE router CVE-2013-7280 (Buffer overflow in HansoTools Hanso Player 2.1.0, 2.5.0, and earlier a ...) NOT-FOR-US: HansoTools Hanso Player CVE-2013-7279 (Cross-site scripting (XSS) vulnerability in views/video-management/pre ...) NOT-FOR-US: WordPress plugin S3 Video CVE-2013-7278 (SQL injection vulnerability in Naxtech CMS Afroditi 1.0 allows remote ...) NOT-FOR-US: Naxtech CMS Afroditi CVE-2013-7277 (Multiple cross-site scripting (XSS) vulnerabilities in Andy's PHP Know ...) NOT-FOR-US: Andy's PHP Knowledgebase (Aphpkb) CVE-2013-7276 (Cross-site scripting (XSS) vulnerability in inc/raf_form.php in the Re ...) NOT-FOR-US: WordPress plugin Recommend to a friend CVE-2013-7275 (Cross-site scripting (XSS) vulnerability in misc.php in MyBB (aka MyBu ...) NOT-FOR-US: MyBB CVE-2013-7274 (Cross-site scripting (XSS) vulnerability in Wallpaper Script 3.5.0082 ...) NOT-FOR-US: Wallpaper Script CVE-2013-7272 RESERVED CVE-2010-5292 (Amberdms Billing System (ABS) before 1.4.1, when a multi-instance inst ...) NOT-FOR-US: Amberdms Billing System CVE-2014-1408 (The Conceptronic C54APM access point with runtime code 1.26 has a defa ...) NOT-FOR-US: Conceptronic C54APM access point CVE-2014-1407 (Multiple cross-site scripting (XSS) vulnerabilities on the Conceptroni ...) NOT-FOR-US: Conceptronic C54APM access point CVE-2014-1406 (CRLF injection vulnerability in goform/formWlSiteSurvey on the Concept ...) NOT-FOR-US: Conceptronic C54APM access point CVE-2014-1405 (Multiple open redirect vulnerabilities on the Conceptronic C54APM acce ...) NOT-FOR-US: Conceptronic C54APM access point CVE-2014-1402 (The default configuration for bccache.FileSystemBytecodeCache in Jinja ...) - jinja2 2.7.2-1 (low; bug #734747) [squeeze] - jinja2 (Minor issue) [wheezy] - jinja2 (Minor issue) NOTE: 2.7.2 does not create safely temporary files, new CVE-2014-0012 was assigned for this issue CVE-2014-1401 (Multiple SQL injection vulnerabilities in AuraCMS 2.3 and earlier allo ...) NOT-FOR-US: AuraCMS CVE-2014-1400 (The entity_access API in the Entity API module 7.x-1.x before 7.x-1.3 ...) NOT-FOR-US: Drupal 7 Entity module CVE-2014-1399 (The entity wrapper access API in the Entity API module 7.x-1.x before ...) NOT-FOR-US: Drupal 7 Entity module CVE-2014-1398 (The entity wrapper access API in the Entity API module 7.x-1.x before ...) NOT-FOR-US: Drupal 7 Entity module CVE-2014-1236 (Stack-based buffer overflow in the chkNum function in lib/cgraph/scan. ...) {DSA-2843-1} - graphviz 2.26.3-16.1 (bug #734745) NOTE: fix: https://github.com/ellson/graphviz/commit/1d1bdec6318746f6f19f245db589eddc887ae8ff CVE-2014-1235 (Stack-based buffer overflow in the "yyerror" function in Graphviz 2.34 ...) - graphviz 2.26.3-16.1 (bug #734745) [wheezy] - graphviz (CVE for additional buffer overflow introduced by 7aaddf52cd98589fb0c3ab72a393f8411838438a) [squeeze] - graphviz (CVE for additional buffer overflow introduced by 7aaddf52cd98589fb0c3ab72a393f8411838438a) NOTE: CVE is for buffer overflow introduced by applying only 7aaddf52cd98589fb0c3ab72a393f8411838438a NOTE: fix: https://github.com/ellson/graphviz/commit/d266bb2b4154d11c27252b56d86963aef4434750 CVE-2014-1234 (The paratrooper-newrelic gem 1.0.1 for Ruby allows local users to obta ...) NOT-FOR-US: Paratrooper Newrelic Ruby Gem CVE-2014-1233 (The paratrooper-pingdom gem 1.0.0 for Ruby allows local users to obtai ...) NOT-FOR-US: Paratrooper Pingdom Ruby Gem CVE-2014-1203 (The get_login_ip_config_file function in Eyou Mail System before 3.6 a ...) NOT-FOR-US: Eyou Mail System CVE-2014-0979 (The start_authentication function in lightdm-gtk-greeter.c in LightDM ...) - lightdm-gtk-greeter 1.6.1-5 (bug #734472) NOTE: https://bugs.launchpad.net/lightdm-gtk-greeter/+bug/1266449 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=857303 [wheezy] - lightdm-gtk-greeter (in Wheezy, lightdm restarts when the greeter crashes, so there's no DoS) CVE-2014-0978 (Stack-based buffer overflow in the yyerror function in lib/cgraph/scan ...) {DSA-2843-1} - graphviz 2.26.3-16 (bug #734745) NOTE: https://github.com/ellson/graphviz/commit/7aaddf52cd98589fb0c3ab72a393f8411838438a NOTE: additional commit required (new CVE-2014-1235): https://github.com/ellson/graphviz/commit/d266bb2b4154d11c27252b56d86963aef4434750 NOTE: see: https://bugzilla.redhat.com/show_bug.cgi?id=1049165#c6 CVE-2014-0977 (Cross-site scripting (XSS) vulnerability in the Rich Text Editor in Mo ...) {DSA-2841-1} - movabletype-opensource 5.2.9+dfsg-1 (bug #734304) CVE-2014-0971 RESERVED CVE-2014-0970 (The GDS component in IBM InfoSphere Master Data Management - Collabora ...) NOT-FOR-US: IBM InfoSphere CVE-2014-0969 (Cross-site request forgery (CSRF) vulnerability in the GDS component i ...) NOT-FOR-US: IBM CVE-2014-0968 (Cross-site scripting (XSS) vulnerability in the GDS component in IBM I ...) NOT-FOR-US: IBM InfoSphere CVE-2014-0967 (Cross-site scripting (XSS) vulnerability in the GDS component in IBM I ...) NOT-FOR-US: IBM InfoSphere CVE-2014-0966 (SQL injection vulnerability in the GDS component in IBM InfoSphere Mas ...) NOT-FOR-US: IBM CVE-2014-0965 (IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.33, 8.0.x be ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2014-0964 (IBM WebSphere Application Server (WAS) 6.1.0.0 through 6.1.0.47 and 6. ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2014-0963 (The Reverse Proxy feature in IBM Global Security Kit (aka GSKit) in IB ...) NOT-FOR-US: IBM Global Security Kit CVE-2014-0962 RESERVED CVE-2014-0961 (Cross-site request forgery (CSRF) vulnerability in IBM Tivoli Identity ...) NOT-FOR-US: IBM Tivoli Identity Manager CVE-2014-0960 (IBM PureApplication System 1.0 before 1.0.0.4 cfix8 and 1.1 before 1.1 ...) NOT-FOR-US: IBM PureApplication System CVE-2014-0959 (IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 ...) NOT-FOR-US: IBM WebSphere Portal CVE-2014-0958 (Open redirect vulnerability in IBM WebSphere Portal 6.1.0 through 6.1. ...) NOT-FOR-US: IBM WebSphere Portal CVE-2014-0957 (Cross-site scripting (XSS) vulnerability in IBM Business Process Manag ...) NOT-FOR-US: IBM CVE-2014-0956 (Cross-site scripting (XSS) vulnerability in googlemap.jsp in IBM WebSp ...) NOT-FOR-US: IBM WebSphere Portal CVE-2014-0955 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.0 b ...) NOT-FOR-US: IBM WebSphere Portal CVE-2014-0954 (IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 ...) NOT-FOR-US: IBM WebSphere Portal CVE-2014-0953 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 6.1.0 ...) NOT-FOR-US: IBM WebSphere Portal CVE-2014-0952 (Cross-site scripting (XSS) vulnerability in boot_config.jsp in IBM Web ...) NOT-FOR-US: IBM WebSphere Portal CVE-2014-0951 (Cross-site scripting (XSS) vulnerability in FilterForm.jsp in IBM WebS ...) NOT-FOR-US: IBM WebSphere Portal CVE-2014-0950 (Multiple XML external entity (XXE) vulnerabilities in (1) CQWeb / CM S ...) NOT-FOR-US: IBM CVE-2014-0949 (IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 ...) NOT-FOR-US: IBM WebSphere Portal CVE-2014-0948 (Unspecified vulnerability in IBM Rational Software Architect Design Ma ...) NOT-FOR-US: IBM Rational Software Architect Design CVE-2014-0947 (Unspecified vulnerability in the server in IBM Rational Software Archi ...) NOT-FOR-US: IBM Rational Software Architect Design CVE-2014-0946 (The RES Console in Rule Execution Server in IBM Operational Decision M ...) NOT-FOR-US: IBM CVE-2014-0945 (Cross-site scripting (XSS) vulnerability in the RES Console in Rule Ex ...) NOT-FOR-US: IBM CVE-2014-0944 (Cross-site request forgery (CSRF) vulnerability in the RES Console in ...) NOT-FOR-US: IBM CVE-2014-0943 (IBM WebSphere Commerce 6.0 Feature Pack 2 through Feature Pack 5, 7.0. ...) NOT-FOR-US: IBM WebSphere Commerce CVE-2014-0942 (Cross-site scripting (XSS) vulnerability in webtop/eventviewer/eventVi ...) NOT-FOR-US: IBM Netcool CVE-2014-0941 (Cross-site scripting (XSS) vulnerability in webtop/eventviewer/eventVi ...) NOT-FOR-US: IBM Netcool CVE-2014-0940 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Tivoli Serv ...) NOT-FOR-US: IBM Tivoli CVE-2014-0939 RESERVED CVE-2014-0938 RESERVED CVE-2014-0937 RESERVED CVE-2014-0936 (IBM Security AppScan Source 8.0 through 9.0, when the publish-assessme ...) NOT-FOR-US: IBM Security AppScan CVE-2014-0935 (Unspecified vulnerability in IBM Smart Analytics System 7700 before FP ...) NOT-FOR-US: IBM Smart Analytics System CVE-2014-0934 RESERVED CVE-2014-0933 (Cross-site request forgery (CSRF) vulnerability in IBM InfoSphere Info ...) NOT-FOR-US: IBM WebSphere Portal CVE-2014-0932 (Cross-site scripting (XSS) vulnerability in IBM Sterling Order Managem ...) NOT-FOR-US: IBM CVE-2014-0931 (Multiple XML external entity (XXE) vulnerabilities in the (1) CCRC WAN ...) NOT-FOR-US: IBM CVE-2014-0930 (The ptrace system call in IBM AIX 5.3, 6.1, and 7.1, and VIOS 2.2.x, a ...) NOT-FOR-US: IBM AIX CVE-2014-0929 (Cross-site request forgery (CSRF) vulnerability in the Profiles compon ...) NOT-FOR-US: IBM Connections CVE-2014-0928 RESERVED CVE-2014-0927 (The ActiveMQ admin user interface in IBM Sterling B2B Integrator 5.1 a ...) NOT-FOR-US: IBM CVE-2014-0926 RESERVED CVE-2014-0925 (Open redirect vulnerability in IBM Sterling Control Center 5.4.0 befor ...) NOT-FOR-US: IBM Sterling Control Center CVE-2014-0924 (IBM MessageSight 1.x before 1.1.0.0-IBM-IMA-IT01015 does not verify th ...) NOT-FOR-US: IBM MessageSight CVE-2014-0923 (IBM MessageSight 1.x before 1.1.0.0-IBM-IMA-IT01015 allows remote atta ...) NOT-FOR-US: IBM MessageSight CVE-2014-0922 (IBM MessageSight 1.x before 1.1.0.0-IBM-IMA-IT01015 allows remote atta ...) NOT-FOR-US: IBM MessageSight CVE-2014-0921 (The server in IBM MessageSight 1.x before 1.1.0.0-IBM-IMA-IT01015 allo ...) NOT-FOR-US: IBM MessageSight CVE-2014-0920 (IBM SPSS Analytic Server 1.0 before IF002 and 1.0.1 before IF004 logs ...) NOT-FOR-US: IBM SPSS Analytic Server CVE-2014-0919 (IBM DB2 9.5 through 10.5 on Linux, UNIX, and Windows stores passwords ...) NOT-FOR-US: IBM DB2 CVE-2014-0918 (Directory traversal vulnerability in IBM Eclipse Help System (IEHS) in ...) NOT-FOR-US: IBM Eclipse Help System CVE-2014-0917 (Cross-site scripting (XSS) vulnerability in IBM Eclipse Help System (I ...) NOT-FOR-US: IBM Eclipse Help System CVE-2014-0916 RESERVED CVE-2014-0915 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asse ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2014-0914 (Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Managemen ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2014-0913 (Cross-site scripting (XSS) vulnerability in IBM iNotes and Domino 8.5. ...) NOT-FOR-US: IBM iNotes CVE-2014-0912 (IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 ...) NOT-FOR-US: IBM CVE-2014-0911 (inetd in IBM WebSphere MQ 7.1.x before 7.1.0.5 and 7.5.x before 7.5.0. ...) NOT-FOR-US: IBM WebSphere MQ CVE-2014-0910 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 6.1.0 ...) NOT-FOR-US: IBM WebSphere Portal CVE-2014-0909 (The Administration and Reporting Tool in IBM Rational License Key Serv ...) NOT-FOR-US: IBM CVE-2014-0908 (The User Attribute implementation in IBM Business Process Manager (BPM ...) NOT-FOR-US: IBM Business Process Manager CVE-2014-0907 (Multiple untrusted search path vulnerabilities in unspecified (1) setu ...) NOT-FOR-US: IBM DB2 CVE-2014-0906 (The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through ...) NOT-FOR-US: IBM Sametime CVE-2014-0905 (IBM InfoSphere BigInsights 2.0 through 2.1.2 does not set the secure f ...) NOT-FOR-US: IBM CVE-2014-0904 (The update process in IBM Security AppScan Standard 7.9 through 8.8 do ...) NOT-FOR-US: IBM Security AppScan Standard CVE-2014-0903 RESERVED CVE-2014-0902 RESERVED CVE-2014-0901 (Cross-site scripting (XSS) vulnerability in the Social Rendering imple ...) NOT-FOR-US: IBM WebSphere Portal CVE-2014-0900 (The Device Administrator code in Android before 4.4.1_r1 might allow a ...) NOT-FOR-US: Android CVE-2014-0899 (ftpd in IBM AIX 7.1.1 before SP10 and 7.1.2 before SP5, when a Workloa ...) NOT-FOR-US: IBM AIX CVE-2014-0898 RESERVED CVE-2014-0897 (The Configuration Patterns component in IBM Flex System Manager (FSM) ...) NOT-FOR-US: IBM CVE-2014-0896 (IBM WebSphere Application Server (WAS) Liberty Profile 8.5.x before 8. ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2014-0895 (Buffer overflow in the vsflex8l ActiveX control in IBM SPSS SamplePowe ...) NOT-FOR-US: IBM SPSS CVE-2014-0894 (RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before ...) NOT-FOR-US: IBM Algo Credit Limits CVE-2014-0893 (Cross-site scripting (XSS) vulnerability in customreport.jsp in IBM Ma ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2014-0892 (IBM Notes and Domino 8.5.x before 8.5.3 FP6 IF3 and 9.x before 9.0.1 F ...) NOT-FOR-US: IBM CVE-2014-0891 (IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.33, 8.0.x be ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2014-0890 (The Connect client in IBM Sametime 8.5.1, 8.5.1.1, 8.5.1.2, 8.5.2, 8.5 ...) NOT-FOR-US: IBM Sametime CVE-2014-0889 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Atlas Suite ...) NOT-FOR-US: IBM Atlas Suite CVE-2014-0888 (IBM Worklight Foundation 5.x and 6.x before 6.2.0.0, as used in Workli ...) NOT-FOR-US: IBM CVE-2014-0887 (The Admin Web UI in IBM Lotus Protector for Mail Security 2.8.x before ...) NOT-FOR-US: IBM Lotus Protector for Mail Security CVE-2014-0886 (The Admin Web UI in IBM Lotus Protector for Mail Security 2.8.x before ...) NOT-FOR-US: IBM Lotus Protector for Mail Security CVE-2014-0885 (Cross-site request forgery (CSRF) vulnerability in the Admin Web UI in ...) NOT-FOR-US: IBM Lotus Protector for Mail Security CVE-2014-0884 (Cross-site scripting (XSS) vulnerability in the Admin Web UI in IBM Lo ...) NOT-FOR-US: IBM Lotus Protector for Mail Security CVE-2014-0883 (Cross-site scripting (XSS) vulnerability in IBM Power Hardware Managem ...) NOT-FOR-US: IBM CVE-2014-0882 (Integrated Management Module II (IMM2) on IBM Flex System, NeXtScale, ...) NOT-FOR-US: IBM CVE-2014-0881 (The TPM on Integrated Management Module II (IMM2) on IBM Flex System x ...) NOT-FOR-US: IBM CVE-2014-0880 (IBM SAN Volume Controller; Storwize V3500, V3700, V5000, and V7000; an ...) NOT-FOR-US: IBM SAN Volume Controller CVE-2014-0879 (Stack-based buffer overflow in the Taskmaster Capture ActiveX control ...) NOT-FOR-US: IBM Datacap Taskmaster Capture CVE-2014-0878 (The IBMSecureRandom component in the IBMJCE and IBMSecureRandom crypto ...) NOT-FOR-US: IBM JDK CVE-2014-0877 (IBM Cognos TM1 10.2.0.2 before IF1 and 10.2.2.0 before IF1 allows remo ...) NOT-FOR-US: IBM Cognos CVE-2014-0876 (Buffer overflow in the Java GUI Configuration Wizard and Preferences E ...) NOT-FOR-US: IBM CVE-2014-0875 (Active Cloud Engine (ACE) in IBM Storwize V7000 Unified 1.3.0.0 throug ...) NOT-FOR-US: IBM Storwize V7000 Unified CVE-2014-0874 (Cross-site scripting (XSS) vulnerability in IBM Content Navigator 2.x ...) NOT-FOR-US: IBM Content Navigator CVE-2014-0873 (Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) ...) NOT-FOR-US: IBM InfoSphere CVE-2014-0872 (The installation process in IBM Security Key Lifecycle Manager 2.5 sto ...) NOT-FOR-US: IBM CVE-2014-0871 (RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before ...) NOT-FOR-US: IBM Algo Credit Limits CVE-2014-0870 (Multiple cross-site scripting (XSS) vulnerabilities in RICOS in IBM Al ...) NOT-FOR-US: IBM Algo Credit Limits CVE-2014-0869 (The decrypt function in RICOS in IBM Algo Credit Limits (aka ACLM) 4.5 ...) NOT-FOR-US: IBM Algo Credit Limits CVE-2014-0868 (RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before ...) NOT-FOR-US: IBM Algo Credit Limits CVE-2014-0867 (rcore6/main/addcookie.jsp in RICOS in IBM Algo Credit Limits (aka ACLM ...) NOT-FOR-US: IBM Algo Credit Limits CVE-2014-0866 (RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before ...) NOT-FOR-US: IBM Algo Credit Limits CVE-2014-0865 (RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before ...) NOT-FOR-US: IBM Algo Credit Limits CVE-2014-0864 (Multiple cross-site request forgery (CSRF) vulnerabilities in Executer ...) NOT-FOR-US: IBM Algo Credit Limits CVE-2014-0863 (The client in IBM Cognos TM1 9.5.2.3 before IF5, 10.1.1.2 before IF1, ...) NOT-FOR-US: IBM CVE-2014-0862 (Unspecified vulnerability in Jazz Team Server in IBM Rational Collabor ...) NOT-FOR-US: IBM Rational Collaborative Lifecycle Management CVE-2014-0861 (Cross-site scripting (XSS) vulnerability in the server in IBM Cognos B ...) NOT-FOR-US: IBM Cognos Business Intelligence CVE-2014-0860 (The firmware before 3.66E in IBM BladeCenter Advanced Management Modul ...) NOT-FOR-US: IBM CVE-2014-0859 (The web-server plugin in IBM WebSphere Application Server (WAS) 7.x be ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2014-0858 (IBM Content Navigator 2.x before 2.0.2.2-ICN-FP002 allows remote authe ...) NOT-FOR-US: IBM Content Navigator CVE-2014-0857 (The Administrative Console in IBM WebSphere Application Server (WAS) 8 ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2014-0856 RESERVED CVE-2014-0855 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Connections ...) NOT-FOR-US: IBM WebSphere Portal CVE-2014-0854 (The server in IBM Cognos Business Intelligence (BI) 8.4.1, 10.1 before ...) NOT-FOR-US: IBM Cognos Business Intelligence CVE-2014-0853 (Multiple cross-site scripting (XSS) vulnerabilities in the (1) Forward ...) NOT-FOR-US: IBM Rational Requirements Composer CVE-2014-0852 (IBM WebSphere DataPower SOA appliances through 4.0.2.15, 5.x through 5 ...) NOT-FOR-US: IBM CVE-2014-0851 RESERVED CVE-2014-0850 (Cross-site scripting (XSS) vulnerability in IBM InfoSphere Master Data ...) NOT-FOR-US: IBM InfoSphere CVE-2014-0849 (IBM Maximo Asset Management 7.x before 7.5.0.3 IFIX027 and SmartCloud ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2014-0848 (The (1) ssl.conf and (2) httpd.conf files in the Apache HTTP Server co ...) NOT-FOR-US: IBM Netezza Performance Portal CVE-2014-0847 RESERVED CVE-2014-0846 (Cross-site scripting (XSS) vulnerability in IBM Rational Requirements ...) NOT-FOR-US: IBM Rational Requirements Composer CVE-2014-0845 (Open redirect vulnerability in IBM Rational Requirements Composer 3.x ...) NOT-FOR-US: IBM Rational Requirements Composer CVE-2014-0844 (Unspecified vulnerability in IBM Rational Requirements Composer 3.x be ...) NOT-FOR-US: IBM Rational Requirements Composer CVE-2014-0843 (Cross-site scripting (XSS) vulnerability in IBM Rational Focal Point 6 ...) NOT-FOR-US: IBM Rational Focal Point CVE-2014-0842 (The account-creation functionality in IBM Rational Focal Point 6.4.x a ...) NOT-FOR-US: IBM Rational Focal Point CVE-2014-0841 (IBM Rational Focal Point 6.4.0, 6.4.1, 6.5.1, 6.5.2, and 6.6.0 use a w ...) NOT-FOR-US: IBM CVE-2014-0840 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Rational Fo ...) NOT-FOR-US: IBM Rational Focal Point CVE-2014-0839 (IBM Rational Focal Point 6.4.x and 6.5.x before 6.5.2.3 and 6.6.x befo ...) NOT-FOR-US: IBM Rational Focal Point CVE-2014-0838 (The AutoUpdate package before 6.4 for IBM Security QRadar SIEM 7.2 MR1 ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2014-0837 (The AutoUpdate process in IBM Security QRadar SIEM 7.2 MR1 and earlier ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2014-0836 (Cross-site scripting (XSS) vulnerability in IBM Security QRadar SIEM 7 ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2014-0835 (Cross-site request forgery (CSRF) vulnerability in IBM Security QRadar ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2014-0834 (IBM General Parallel File System (GPFS) 3.4 through 3.4.0.27 and 3.5 t ...) NOT-FOR-US: IBM General Parallel File System CVE-2014-0833 (The OAC component in IBM Financial Transaction Manager (FTM) 2.0 befor ...) NOT-FOR-US: IBM Financial Transaction Manager CVE-2014-0832 (Multiple cross-site scripting (XSS) vulnerabilities in configuration-d ...) NOT-FOR-US: IBM Financial Transaction Manager CVE-2014-0831 (Cross-site request forgery (CSRF) vulnerability in the OAC component i ...) NOT-FOR-US: IBM Financial Transaction Manager CVE-2014-0830 (Directory traversal vulnerability in the table-export implementation i ...) NOT-FOR-US: IBM Financial Transaction Manager CVE-2014-0829 (Multiple buffer overflows in IBM Rational ClearCase 7.x before 7.1.2.1 ...) NOT-FOR-US: IBM Rational ClearCase CVE-2014-0828 (Cross-site scripting (XSS) vulnerability in the WCM (Web Content Manag ...) NOT-FOR-US: IBM WebSphere Portal CVE-2014-0827 (Cross-site scripting (XSS) vulnerability in IBM InfoSphere Optim Workl ...) NOT-FOR-US: IBM InfoSphere CVE-2014-0826 RESERVED CVE-2014-0825 (Cross-site scripting (XSS) vulnerability in openreport.jsp in IBM Maxi ...) NOT-FOR-US: IBM Maximo Asset Management and others CVE-2014-0824 (Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Managemen ...) NOT-FOR-US: IBM Maximo Asset Management and others CVE-2014-0823 (IBM WebSphere Application Server (WAS) 8.x before 8.0.0.9 and 8.5.x be ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2014-0822 (The IMAP server in IBM Domino 8.5.x before 8.5.3 FP6 IF1 and 9.0.x bef ...) NOT-FOR-US: IBM Domino CVE-2014-0821 (SQL injection vulnerability in the download feature in Cybozu Garoon 2 ...) NOT-FOR-US: Cybozu Garoon CVE-2014-0820 (Directory traversal vulnerability in the download feature in Cybozu Ga ...) NOT-FOR-US: Cybozu Garoon CVE-2014-0819 (Untrusted search path vulnerability in Autodesk AutoCAD before 2014 al ...) NOT-FOR-US: Autodesk AutoCAD CVE-2014-0818 (Untrusted search path vulnerability in Autodesk AutoCAD before 2014 al ...) NOT-FOR-US: Autodesk AutoCAD CVE-2014-0817 (Cybozu Garoon 2.x through 2.5.4 and 3.x through 3.7 SP3 does not prope ...) NOT-FOR-US: Cybozu Garoon CVE-2014-0816 (Unspecified vulnerability in Norman Security Suite 10.1 and earlier al ...) NOT-FOR-US: Norman Security Suite CVE-2014-0815 (The intent: URL implementation in Opera before 18 on Android allows at ...) NOT-FOR-US: Opera CVE-2014-0814 (Cross-site scripting (XSS) vulnerability in phpMyFAQ before 2.8.6 allo ...) NOT-FOR-US: phpMyFAQ CVE-2014-0813 (Cross-site request forgery (CSRF) vulnerability in phpMyFAQ before 2.8 ...) NOT-FOR-US: phpMyFAQ CVE-2014-0812 (Cross-site scripting (XSS) vulnerability in KENT-WEB Joyful Note 2.8 a ...) NOT-FOR-US: KENT-WEB Joyful Note CVE-2014-0811 (Cross-site scripting (XSS) vulnerability in Blackboard Vista/CE 8.0 SP ...) NOT-FOR-US: Blackboard Vista CVE-2014-0810 (Unspecified vulnerability in JustSystems Sanshiro 2007 before update 3 ...) NOT-FOR-US: JustSystems Sanshiro 2007 CVE-2014-0809 (Directory traversal vulnerability in the Gapless Player SimZip (aka Si ...) NOT-FOR-US: Gapless Player SimZip CVE-2014-0808 (The lfCheckError function in data/class/pages/shopping/LC_Page_Shoppin ...) NOT-FOR-US: LOCKON EC-CUBE CVE-2014-0807 (data/class/pages/shopping/LC_Page_Shopping_Deliv.php in LOCKON EC-CUBE ...) NOT-FOR-US: LOCKON EC-CUBE CVE-2014-0806 (The Sleipnir Mobile application 2.12.1 and earlier and Sleipnir Mobile ...) NOT-FOR-US: Sleipnir Mobile application CVE-2014-0805 (Directory traversal vulnerability in the NeoFiler application 5.4.3 an ...) NOT-FOR-US: NeoFiler CVE-2014-0804 (Directory traversal vulnerability in the CGENE Security File Manager P ...) NOT-FOR-US: CGENE Security File Manager CVE-2014-0803 (Directory traversal vulnerability in the tetra filer application 2.3.1 ...) NOT-FOR-US: tetra filer application CVE-2014-0802 (Directory traversal vulnerability in the aokitaka ZIP with Pass applic ...) NOT-FOR-US: aokitaka ZIP with Pass CVE-2014-0801 RESERVED CVE-2014-0800 RESERVED CVE-2014-0799 RESERVED CVE-2014-0798 RESERVED CVE-2014-0797 RESERVED CVE-2014-0796 RESERVED CVE-2014-0795 RESERVED CVE-2014-0794 (SQL injection vulnerability in the JV Comment (com_jvcomment) componen ...) NOT-FOR-US: JV Comment Joomla Extension CVE-2014-0793 (Multiple cross-site scripting (XSS) vulnerabilities in the StackIdeas ...) NOT-FOR-US: Komento Joomla Extension CVE-2014-0792 (Sonatype Nexus 1.x and 2.x before 2.7.1 allows remote attackers to cre ...) NOT-FOR-US: Sonatype Nexus CVE-2014-0790 RESERVED CVE-2013-7288 (Cross-site scripting (XSS) vulnerability in the mycode_parse_video fun ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2013-7285 (Xstream API versions up to 1.4.6 and version 1.4.10, if the security f ...) - libxstream-java 1.4.7-1 (bug #734821) [wheezy] - libxstream-java (Vulnerability introduced in 1.4.5) [squeeze] - libxstream-java (Vulnerability introduced in 1.4.5) NOTE: http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html NOTE: http://markmail.org/message/kfqoqdfj5fnup5co?q=list:org.codehaus.xstream.dev&page=3 NOTE: initial patch: https://fisheye.codehaus.org/changelog/xstream?cs=2210 CVE-2013-7284 (The PlRPC module, possibly 0.2020 and earlier, for Perl uses the Stora ...) - libplrpc-perl (high; bug #734789) [squeeze] - libplrpc-perl (Unsupported in squeeze-lts) NOTE: Upstream appears dead. CVE-2013-7273 (GNOME Display Manager (gdm) 3.4.1 and earlier, when disable-user-list ...) - gdm3 3.8.3-1 (low; bug #683338) [wheezy] - gdm3 (Minor issue) [squeeze] - gdm3 (Vulnerable code not present) CVE-2013-7271 (The x25_recvmsg function in net/x25/af_x25.c in the Linux kernel befor ...) - linux-2.6 [squeeze] - linux-2.6 (Too intrusive to backport) - linux 3.12.6-1 [wheezy] - linux 3.2.54-1 NOTE: upstream fix: https://git.kernel.org/linus/f3d3342602f8bcbf37d7c46641cb9bca7618eb1c NOTE: included in https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.12.4 CVE-2013-7270 (The packet_recvmsg function in net/packet/af_packet.c in the Linux ker ...) - linux-2.6 [squeeze] - linux-2.6 (Too intrusive to backport) - linux 3.12.6-1 [wheezy] - linux 3.2.54-1 NOTE: upstream fix: https://git.kernel.org/linus/f3d3342602f8bcbf37d7c46641cb9bca7618eb1c NOTE: included in https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.12.4 CVE-2013-7269 (The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel ...) - linux-2.6 [squeeze] - linux-2.6 (Too intrusive to backport) - linux 3.12.6-1 [wheezy] - linux 3.2.54-1 NOTE: upstream fix: https://git.kernel.org/linus/f3d3342602f8bcbf37d7c46641cb9bca7618eb1c NOTE: included in https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.12.4 CVE-2013-7268 (The ipx_recvmsg function in net/ipx/af_ipx.c in the Linux kernel befor ...) - linux-2.6 [squeeze] - linux-2.6 (Too intrusive to backport) - linux 3.12.6-1 [wheezy] - linux 3.2.54-1 NOTE: upstream fix: https://git.kernel.org/linus/f3d3342602f8bcbf37d7c46641cb9bca7618eb1c NOTE: included in https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.12.4 CVE-2013-7267 (The atalk_recvmsg function in net/appletalk/ddp.c in the Linux kernel ...) - linux-2.6 [squeeze] - linux-2.6 (Too intrusive to backport) - linux 3.12.6-1 [wheezy] - linux 3.2.54-1 NOTE: upstream fix: https://git.kernel.org/linus/f3d3342602f8bcbf37d7c46641cb9bca7618eb1c NOTE: included in https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.12.4 CVE-2013-7266 (The mISDN_sock_recvmsg function in drivers/isdn/mISDN/socket.c in the ...) {DLA-103-1} - linux-2.6 [squeeze] - linux-2.6 (Too intrusive to backport) - linux 3.12.6-1 [wheezy] - linux 3.2.54-1 NOTE: upstream fix: https://git.kernel.org/linus/f3d3342602f8bcbf37d7c46641cb9bca7618eb1c NOTE: included in https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.12.4 CVE-2013-7262 (SQL injection vulnerability in the msPostGISLayerSetTimeFilter functio ...) - mapserver 6.4.1-1 (low; bug #734565) [wheezy] - mapserver 6.0.1-3.2+deb7u2 [squeeze] - mapserver 5.6.5-2+squeeze3 NOTE: https://github.com/mapserver/mapserver/issues/4834 CVE-2013-7261 RESERVED CVE-2013-7260 (Multiple stack-based buffer overflows in RealNetworks RealPlayer befor ...) NOT-FOR-US: RealPlayer CVE-2014-0791 (Integer overflow in the license_read_scope_list function in libfreerdp ...) - freerdp (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=998941 NOTE: https://github.com/FreeRDP/FreeRDP/commit/f1d6afca6ae620f9855a33280bdc6f3ad9153be0#diff-b6d68bbca6e0f5875c57ef225cd65c45 NOTE: A malicous license has simpler means to DoS a RDP client, e.g. by simply stating that no valid license exists etc. CVE-2014-0789 (Multiple buffer overflows in the OPC Automation 2.0 Server Object Acti ...) NOT-FOR-US: OPC Automation 2.0 Server CVE-2014-0788 REJECTED CVE-2014-0787 (Stack-based buffer overflow in WellinTech KingSCADA before 3.1.2.13 al ...) NOT-FOR-US: WellinTech KingSCADA CVE-2014-0786 (Ecava IntegraXor before 4.1.4393 allows remote attackers to read clear ...) NOT-FOR-US: Ecava IntegraXor CVE-2014-0785 REJECTED CVE-2014-0784 (Stack-based buffer overflow in BKBCopyD.exe in Yokogawa CENTUM CS 3000 ...) NOT-FOR-US: Yokogawa CENTUM CS 3000 CVE-2014-0783 (Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 ...) NOT-FOR-US: Yokogawa CENTUM CS 3000 CVE-2014-0782 (Stack-based buffer overflow in BKESimmgr.exe in the Expanded Test Func ...) NOT-FOR-US: Yokogawa CENTUM CVE-2014-0781 (Heap-based buffer overflow in BKCLogSvr.exe in Yokogawa CENTUM CS 3000 ...) NOT-FOR-US: Yokogawa CENTUM CS 3000 CVE-2014-0780 (Directory traversal vulnerability in NTWebServer in InduSoft Web Studi ...) NOT-FOR-US: InduSoft Web Studio CVE-2014-0779 (The PLC driver in ServerMain.exe in the Kepware KepServerEX 4 componen ...) NOT-FOR-US: Schneider Electric CVE-2014-0778 (The TCPUploader module in Progea Movicon 11.4 before 11.4.1150 allows ...) NOT-FOR-US: Progea Movicon CVE-2014-0777 (The Modbus slave/outstation driver in the OPC Drivers 1.0.20 and earli ...) NOT-FOR-US: IOServer OPC Server CVE-2014-0776 RESERVED CVE-2014-0775 REJECTED CVE-2014-0774 (Stack-based buffer overflow in the C++ sample client in Schneider Elec ...) NOT-FOR-US: Schneider Electric OPC Factory Server CVE-2014-0773 (The CreateProcess method in the BWOCXRUN.BwocxrunCtrl.1 ActiveX contro ...) NOT-FOR-US: Advantech WebAccess CVE-2014-0772 (The OpenUrlToBufferTimeout method in the BWOCXRUN.BwocxrunCtrl.1 Activ ...) NOT-FOR-US: Advantech WebAccess CVE-2014-0771 (The OpenUrlToBuffer method in the BWOCXRUN.BwocxrunCtrl.1 ActiveX cont ...) NOT-FOR-US: Advantech WebAccess CVE-2014-0770 (Stack-based buffer overflow in Advantech WebAccess before 7.2 allows r ...) NOT-FOR-US: Advantech WebAccess CVE-2014-0769 (The Festo CECX-X-C1 Modular Master Controller with CoDeSys and CECX-X- ...) NOT-FOR-US: Festo controller CVE-2014-0768 (Stack-based buffer overflow in Advantech WebAccess before 7.2 allows r ...) NOT-FOR-US: Advantech WebAccess CVE-2014-0767 (Stack-based buffer overflow in Advantech WebAccess before 7.2 allows r ...) NOT-FOR-US: Advantech WebAccess CVE-2014-0766 (Stack-based buffer overflow in Advantech WebAccess before 7.2 allows r ...) NOT-FOR-US: Advantech WebAccess CVE-2014-0765 (Stack-based buffer overflow in Advantech WebAccess before 7.2 allows r ...) NOT-FOR-US: Advantech WebAccess CVE-2014-0764 (Stack-based buffer overflow in Advantech WebAccess before 7.2 allows r ...) NOT-FOR-US: Advantech WebAccess CVE-2014-0763 (Multiple SQL injection vulnerabilities in DBVisitor.dll in Advantech W ...) NOT-FOR-US: Advantech WebAccess CVE-2014-0762 (The DNP3 driver in CG Automation ePAQ-9410 Substation Gateway allows p ...) NOT-FOR-US: CG Automation ePAQ-9410 Substation Gateway CVE-2014-0761 (The DNP3 driver in CG Automation ePAQ-9410 Substation Gateway allows r ...) NOT-FOR-US: CG Automation ePAQ-9410 Substation Gateway CVE-2014-0760 (The Festo CECX-X-C1 Modular Master Controller with CoDeSys and CECX-X- ...) NOT-FOR-US: Festo controller CVE-2014-0759 (Unquoted Windows search path vulnerability in Schneider Electric Float ...) NOT-FOR-US: Schneider Electric Floating License Manager CVE-2014-0758 (An ActiveX control in GenLaunch.htm in ICONICS GENESIS32 8.0, 8.02, 8. ...) NOT-FOR-US: ICONICS CVE-2014-0757 (Smart Software Solutions (3S) CoDeSys Runtime Toolkit before 2.4.7.44 ...) NOT-FOR-US: Smart Software Solutions (3S) CoDeSys Runtime Toolkit CVE-2014-0756 REJECTED CVE-2014-0755 (Rockwell Automation RSLogix 5000 7 through 20.01, and 21.0, does not p ...) NOT-FOR-US: Rockwell Automation RSLogix CVE-2014-0754 (Directory traversal vulnerability in SchneiderWEB on Schneider Electri ...) NOT-FOR-US: SchneiderWEB CVE-2014-0753 (Stack-based buffer overflow in the SCADA server in Ecava IntegraXor be ...) NOT-FOR-US: Ecava IntegraXor CVE-2014-0752 (The SCADA server in Ecava IntegraXor before 4.1.4369 allows remote att ...) NOT-FOR-US: Ecava IntegraXor CVE-2014-0751 (Directory traversal vulnerability in CimWebServer.exe (aka the WebView ...) NOT-FOR-US: GE Intelligent Platforms Proficy CVE-2014-0750 (Directory traversal vulnerability in gefebt.exe in the WebView CimWeb ...) NOT-FOR-US: GE Intelligent Platforms Proficy CVE-2014-0749 (Stack-based buffer overflow in lib/Libdis/disrsi_.c in Terascale Open- ...) {DSA-2936-1} - torque 2.4.16+dfsg-1.4 (bug #748827) CVE-2014-0748 (apinit on Cray devices with CLE before 4.2.UP02 and 5.x before 5.1.UP0 ...) NOT-FOR-US: Aprun/apinit on Cray supercomputers CVE-2014-0747 (The Certificate Authority Proxy Function (CAPF) CLI implementation in ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-0746 (The disaster recovery system (DRS) in Cisco Unified Contact Center Exp ...) NOT-FOR-US: Cisco Unified Contact Center CVE-2014-0745 (Cross-site request forgery (CSRF) vulnerability in the Unified Service ...) NOT-FOR-US: Cisco Unified Contact Center Express CVE-2014-0744 REJECTED CVE-2014-0743 (The Certificate Authority Proxy Function (CAPF) component in Cisco Uni ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-0742 (The Certificate Authority Proxy Function (CAPF) CLI implementation in ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-0741 (The certificate-import feature in the Certificate Authority Proxy Func ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-0740 (Cross-site request forgery (CSRF) vulnerability in the Call Detail Rec ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-0739 (Race condition in the Phone Proxy component in Cisco Adaptive Security ...) NOT-FOR-US: Cisco ASA CVE-2014-0738 (The Phone Proxy component in Cisco Adaptive Security Appliance (ASA) S ...) NOT-FOR-US: Cisco ASA CVE-2014-0737 (The Cisco Unified IP Phone 7960G 9.2(1) and earlier allows remote atta ...) NOT-FOR-US: The Cisco Unified IP Phone CVE-2014-0736 (Cross-site request forgery (CSRF) vulnerability in the Call Detail Rec ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-0735 (Cross-site scripting (XSS) vulnerability in the IP Manager Assistant ( ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-0734 (SQL injection vulnerability in the Certificate Authority Proxy Functio ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-0733 (The Enterprise License Manager (ELM) component in Cisco Unified Commun ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-0732 (The Real Time Monitoring Tool (RTMT) web application in Cisco Unified ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-0731 (The administration interface in Cisco Unified Communications Manager ( ...) NOT-FOR-US: Cisco Unified Computing System CVE-2014-0730 (Cisco Unified Computing System (UCS) Central Software 1.1 and earlier ...) NOT-FOR-US: Cisco Unified Computing System CVE-2014-0729 (SQL injection vulnerability in the Enterprise Mobility Application (EM ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-0728 (SQL injection vulnerability in the Java database interface in Cisco Un ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-0727 (SQL injection vulnerability in the CallManager Interactive Voice Respo ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-0726 (SQL injection vulnerability in the IP Manager Assistant (IPMA) interfa ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-0725 (Cisco Unified Communications Manager (UCM) does not require authentica ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-0724 (The bulk administration interface in Cisco Unified Communications Mana ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-0723 (Cross-site scripting (XSS) vulnerability in the IP Manager Assistant ( ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-0722 (The log4jinit web application in Cisco Unified Communications Manager ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-0721 (The Cisco Unified SIP Phone 3905 with firmware before 9.4(1) allows re ...) NOT-FOR-US: Cisco Unified SIP Phone 3905 CVE-2014-0720 (Cisco IPS Software 7.1 before 7.1(8)E4 and 7.2 before 7.2(2)E4 allows ...) NOT-FOR-US: Cisco IPS CVE-2014-0719 (The control-plane access-list implementation in Cisco IPS Software bef ...) NOT-FOR-US: Cisco IPS CVE-2014-0718 (The produce-verbose-alert feature in Cisco IPS Software 7.1 before 7.1 ...) NOT-FOR-US: Cisco IPS CVE-2014-0717 RESERVED CVE-2014-0716 RESERVED CVE-2014-0715 RESERVED CVE-2014-0714 RESERVED CVE-2014-0713 RESERVED CVE-2014-0712 RESERVED CVE-2014-0711 RESERVED CVE-2014-0710 (Race condition in the cut-through proxy feature in Cisco Firewall Serv ...) NOT-FOR-US: Cisco Firewall Services Module CVE-2014-0709 (Cisco UCS Director (formerly Cloupia) before 4.0.0.3 has a hardcoded p ...) NOT-FOR-US: Cisco UCS Director CVE-2014-0708 (WebEx Meeting Center in Cisco WebEx Business Suite does not properly c ...) NOT-FOR-US: Cisco WebEx Business Suite CVE-2014-0707 (Cisco Wireless LAN Controller (WLC) devices 7.2, 7.3, and 7.4 before 7 ...) NOT-FOR-US: Cisco Wireless LAN Controller CVE-2014-0706 (Cisco Wireless LAN Controller (WLC) devices 7.2 before 7.2.115.2, 7.3, ...) NOT-FOR-US: Cisco Wireless LAN Controller CVE-2014-0705 (The multicast listener discovery (MLD) service on Cisco Wireless LAN C ...) NOT-FOR-US: Cisco Wireless LAN Controller CVE-2014-0704 (The IGMP implementation on Cisco Wireless LAN Controller (WLC) devices ...) NOT-FOR-US: Cisco Wireless LAN Controller CVE-2014-0703 (Cisco Wireless LAN Controller (WLC) devices 7.4 before 7.4.110.0 distr ...) NOT-FOR-US: Cisco Wireless LAN Controller CVE-2014-0702 RESERVED CVE-2014-0701 (Cisco Wireless LAN Controller (WLC) devices 7.0 before 7.0.250.0, 7.2, ...) NOT-FOR-US: Cisco Wireless LAN Controller CVE-2014-0700 RESERVED CVE-2014-0699 RESERVED CVE-2014-0698 RESERVED CVE-2014-0697 RESERVED CVE-2014-0696 RESERVED CVE-2014-0695 RESERVED CVE-2014-0694 (Intelligent Automation for Cloud (IAC) in Cisco Cloud Portal 9.4.1 and ...) NOT-FOR-US: Cisco CVE-2014-0693 RESERVED CVE-2014-0692 RESERVED CVE-2014-0691 (Cisco WebEx Meetings Server before 1.1 uses meeting IDs with insuffici ...) NOT-FOR-US: Cisco WebEx Meetings Server CVE-2014-0690 RESERVED CVE-2014-0689 RESERVED CVE-2014-0688 RESERVED CVE-2014-0687 RESERVED CVE-2014-0686 (Cisco Unified Communications Manager (aka Unified CM) 9.1 (2.10000.28) ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-0685 (Cisco Nexus 1000V InterCloud 5.2(1)IC1(1.2) and earlier for VMware all ...) NOT-FOR-US: Cisco CVE-2014-0684 (Cisco NX-OS 6.2(2) on Nexus 7000 switches allows local users to cause ...) NOT-FOR-US: Cisco CVE-2014-0683 (The web management interface on the Cisco RV110W firewall with firmwar ...) NOT-FOR-US: Cisco CVE-2014-0682 (Cisco WebEx Meetings Server allows remote authenticated users to bypas ...) NOT-FOR-US: Cisco WebEx Meetings Server CVE-2014-0681 (Cross-site scripting (XSS) vulnerability in Cisco Identity Services En ...) NOT-FOR-US: Cisco Identity Service Engine CVE-2014-0680 (Cross-site scripting (XSS) vulnerability in the HTTP control interface ...) NOT-FOR-US: Cisco Identity Service Engine CVE-2014-0679 (Cisco Prime Infrastructure 1.2 and 1.3 before 1.3.0.20-2, 1.4 before 1 ...) NOT-FOR-US: Cisco Prime Infrastructure CVE-2014-0678 (The portal interface in Cisco Secure Access Control System (ACS) does ...) NOT-FOR-US: Cisco Secure Access Control System CVE-2014-0677 (The Label Distribution Protocol (LDP) functionality in Cisco NX-OS all ...) NOT-FOR-US: Cisco NX-OS CVE-2014-0676 (Cisco NX-OS allows local users to bypass intended TACACS+ command rest ...) NOT-FOR-US: Cisco NX-OS CVE-2014-0675 (The Expressway component in Cisco TelePresence Video Communication Ser ...) NOT-FOR-US: Cisco CVE-2014-0674 (Cisco Video Surveillance Operations Manager (VSOM) does not require au ...) NOT-FOR-US: Cisco Video Surveillance Operations Manager CVE-2014-0673 (Multiple cross-site scripting (XSS) vulnerabilities in the web interfa ...) NOT-FOR-US: Cisco Video Surveillance CVE-2014-0672 (The Search and Play interface in Cisco MediaSense does not properly en ...) NOT-FOR-US: Cisco MediaSense CVE-2014-0671 (Open redirect vulnerability in Cisco MediaSense allows remote attacker ...) NOT-FOR-US: Cisco MediaSense CVE-2014-0670 (Cross-site scripting (XSS) vulnerability in the Search and Play interf ...) NOT-FOR-US: Cisco MediaSense CVE-2014-0669 (The Wireless Session Protocol (WSP) feature in the Gateway GPRS Suppor ...) NOT-FOR-US: Cisco ASR 5000 CVE-2014-0668 (Cross-site scripting (XSS) vulnerability in the portal in Cisco Secure ...) NOT-FOR-US: Cisco Secure Access Control System CVE-2014-0667 (The RMI interface in Cisco Secure Access Control System (ACS) does not ...) NOT-FOR-US: Cisco Secure Access Control System CVE-2014-0666 (Directory traversal vulnerability in the Send Screen Capture implement ...) NOT-FOR-US: Cisco Jabber CVE-2014-0665 (The RBAC implementation in Cisco Identity Services Engine (ISE) Softwa ...) NOT-FOR-US: Cisco Identity Services Engine CVE-2014-0664 (The server in Cisco Unity Connection allows remote authenticated users ...) NOT-FOR-US: Cisco Unity Connection CVE-2014-0663 (Cross-site scripting (XSS) vulnerability in the web framework in Cisco ...) NOT-FOR-US: Cisco Secure Access Control System CVE-2014-0662 (The SIP module in Cisco TelePresence Video Communication Server (VCS) ...) NOT-FOR-US: Cisco TelePresence CVE-2014-0661 (The System Status Collection Daemon (SSCD) in Cisco TelePresence Syste ...) NOT-FOR-US: Cisco TelePresence CVE-2014-0660 (Cisco TelePresence ISDN Gateway with software before 2.2(1.92) allows ...) NOT-FOR-US: Cisco TelePresence CVE-2014-0659 (The Cisco WAP4410N access point with firmware through 2.0.6.1, WRVS440 ...) NOT-FOR-US: Cisco Small Business Devices CVE-2014-0658 (Cisco 9900 Unified IP phones allow remote attackers to cause a denial ...) NOT-FOR-US: Cisco 9900 Unified IP phones CVE-2014-0657 (The administration portal in Cisco Unified Communications Manager (Uni ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-0656 (Cisco Context Directory Agent (CDA) allows remote authenticated users ...) NOT-FOR-US: Cisco Context Directory Agent CVE-2014-0655 (The Identity Firewall (IDFW) functionality in Cisco Adaptive Security ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2014-0654 (Cisco Context Directory Agent (CDA) allows remote attackers to modify ...) NOT-FOR-US: Cisco Context Directory Agent CVE-2014-0653 (The Identity Firewall (IDFW) functionality in Cisco Adaptive Security ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2014-0652 (Cross-site scripting (XSS) vulnerability in the Mappings page in Cisco ...) NOT-FOR-US: Cisco Context Directory Agent CVE-2014-0651 (The administrative interface in Cisco Context Directory Agent (CDA) do ...) NOT-FOR-US: Cisco Context Directory Agent CVE-2014-0650 (The web interface in Cisco Secure Access Control System (ACS) 5.x befo ...) NOT-FOR-US: Cisco Secure ACS RMI CVE-2014-0649 (The RMI interface in Cisco Secure Access Control System (ACS) 5.x befo ...) NOT-FOR-US: Cisco Secure ACS RMI CVE-2014-0648 (The RMI interface in Cisco Secure Access Control System (ACS) 5.x befo ...) NOT-FOR-US: Cisco Secure ACS RMI CVE-2014-0647 (The Starbucks 2.6.1 application for iOS stores sensitive information i ...) NOT-FOR-US: Starbucks iOS application CVE-2014-0646 (The runtime WS component in the server in EMC RSA Access Manager 6.1.3 ...) NOT-FOR-US: EMC CVE-2014-0645 (EMC Cloud Tiering Appliance (CTA) 9.x through 10 SP1 and File Manageme ...) NOT-FOR-US: EMC CVE-2014-0644 (EMC Cloud Tiering Appliance (CTA) 10 through SP1 allows remote attacke ...) NOT-FOR-US: EMC CVE-2014-0643 (EMC RSA NetWitness before 9.8.5.19 and RSA Security Analytics before 1 ...) NOT-FOR-US: EMC RSA NetWitness and RSA Security Analytics CVE-2014-0642 (EMC Documentum Content Server before 6.7 SP1 P26, 6.7 SP2 before P13, ...) NOT-FOR-US: EMC Documentum Content Server CVE-2014-0641 (Cross-site request forgery (CSRF) vulnerability in EMC RSA Archer GRC ...) NOT-FOR-US: EMC RSA Archer GRC Platform CVE-2014-0640 (EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote authentic ...) NOT-FOR-US: EMC RSA Archer GRC Platform CVE-2014-0639 (Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Archer ...) NOT-FOR-US: RSA Archer CVE-2014-0638 (Cross-site scripting (XSS) vulnerability in RSA Adaptive Authenticatio ...) NOT-FOR-US: RSA Adaptive Authentication CVE-2014-0637 (Cross-site scripting (XSS) vulnerability in the back-office case-manag ...) NOT-FOR-US: RSA Adaptive Authentication CVE-2014-0636 (EMC RSA BSAFE Micro Edition Suite (MES) 3.2.x before 3.2.6 and 4.0.x b ...) NOT-FOR-US: EMC RSA BSAFE Micro Edition Suite CVE-2014-0635 (Session fixation vulnerability in EMC VPLEX GeoSynchrony 4.x and 5.x b ...) NOT-FOR-US: EMC VPLEX CVE-2014-0634 (EMC VPLEX GeoSynchrony 4.x and 5.x before 5.3 does not include the HTT ...) NOT-FOR-US: EMC VPLEX CVE-2014-0633 (The GUI in EMC VPLEX GeoSynchrony 4.x and 5.x before 5.3 does not prop ...) NOT-FOR-US: EMC VPLEX CVE-2014-0632 (Directory traversal vulnerability in EMC VPLEX GeoSynchrony 4.x and 5. ...) NOT-FOR-US: EMC VPLEX CVE-2014-0631 REJECTED CVE-2014-0630 (EMC Documentum TaskSpace (TSP) 6.7SP1 before P25 and 6.7SP2 before P11 ...) NOT-FOR-US: EMC CVE-2014-0629 (EMC Documentum TaskSpace (TSP) 6.7SP1 before P25 and 6.7SP2 before P11 ...) NOT-FOR-US: EMC CVE-2014-0628 (The server in EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before 4.0 ...) NOT-FOR-US: EMC CVE-2014-0627 (The SSLEngine API implementation in EMC RSA BSAFE SSL-J 5.x before 5.1 ...) NOT-FOR-US: EMC RSA CVE-2014-0626 (The (1) JSAFE and (2) JSSE APIs in EMC RSA BSAFE SSL-J 5.x before 5.1. ...) NOT-FOR-US: EMC RSA CVE-2014-0625 (The SSLSocket implementation in the (1) JSAFE and (2) JSSE APIs in EMC ...) NOT-FOR-US: EMC RSA CVE-2014-0624 (EMC RSA Data Loss Prevention (DLP) 9.x before 9.6-SP2 does not properl ...) NOT-FOR-US: EMC RSA CVE-2014-0623 (Cross-site scripting (XSS) vulnerability in the Self-Service Console i ...) NOT-FOR-US: EMC RSA CVE-2014-0622 (The web service in EMC Documentum Foundation Services (DFS) 6.5 throug ...) NOT-FOR-US: EMC Documentum Foundation Services CVE-2014-0621 (Multiple cross-site request forgery (CSRF) vulnerabilities in Technico ...) NOT-FOR-US: Technicolor TC7200 STD6.01.12 CVE-2014-0620 (Multiple cross-site scripting (XSS) vulnerabilities in Technicolor (fo ...) NOT-FOR-US: Technicolor TC7200 STD6.01.12 CVE-2014-0619 (Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1 ...) NOT-FOR-US: Hamster Free ZIP Archiver CVE-2014-0618 (Juniper Junos before 10.4 before 10.4R16, 11.4 before 11.4R8, 12.1R be ...) NOT-FOR-US: SRX Services Gateways CVE-2014-0617 (Juniper Junos 10.4S before 10.4S15, 10.4R before 10.4R16, 11.4 before ...) NOT-FOR-US: SRX Services Gateways CVE-2014-0616 (Juniper Junos 10.4 before 10.4R16, 11.4 before 11.4R10, 12.1R before 1 ...) NOT-FOR-US: Juniper JunOS CVE-2014-0615 (Juniper Junos 10.4 before 10.4R16, 11.4 before 11.4R10, 12.1R before 1 ...) NOT-FOR-US: JunOS CLI CVE-2014-0614 (Juniper Junos 13.2 before 13.2R3 and 13.3 before 13.3R1, when PIM is e ...) NOT-FOR-US: Juniper Junos CVE-2014-0613 (The XNM command processor in Juniper Junos 10.4 before 10.4R16, 11.4 b ...) NOT-FOR-US: JunOS CVE-2014-0612 (Unspecified vulnerability in Juniper Junos before 11.4R10-S1, before 1 ...) NOT-FOR-US: Juniper Junos CVE-2013-7281 (The dgram_recvmsg function in net/ieee802154/dgram.c in the Linux kern ...) - linux-2.6 (Introduced in 3.10) - linux 3.12.6-1 (low) [wheezy] - linux (Introduced in 3.10) CVE-2013-7265 (The pn_recvmsg function in net/phonet/datagram.c in the Linux kernel b ...) {DSA-2906-1} - linux-2.6 (low) [wheezy] - linux 3.2.54-1 - linux 3.12.6-1 (low) CVE-2013-7264 (The l2tp_ip_recvmsg function in net/l2tp/l2tp_ip.c in the Linux kernel ...) {DSA-2906-1} - linux-2.6 (low) [wheezy] - linux 3.2.54-1 - linux 3.12.6-1 (low) CVE-2013-7263 (The Linux kernel before 3.12.4 updates certain length values before en ...) {DSA-2906-1} - linux-2.6 (low) - linux 3.12.6-1 (low) [wheezy] - linux 3.2.54-1 (low) CVE-2013-7251 (Multiple cross-site request forgery (CSRF) vulnerabilities in ProjectF ...) NOT-FOR-US: ProjectForge CVE-2013-7250 (Cross-site scripting (XSS) vulnerability in the JsonBuilder implementa ...) NOT-FOR-US: ProjectForge CVE-2013-7248 (Franklin Fueling Systems TS-550 evo with firmware 2.0.0.6833 and other ...) NOT-FOR-US: Franklin Fueling Systems TS-550 CVE-2013-7247 (cgi-bin/tsaws.cgi in Franklin Fueling Systems TS-550 evo with firmware ...) NOT-FOR-US: Franklin Fueling Systems TS-550 CVE-2013-7246 (Buffer overflow in the IconCreate method in an ActiveX control in the ...) NOT-FOR-US: DaumGame ActiveX plugin CVE-2013-7245 (The Backup Server component in SAP Sybase ASE 15.7 before SP51 allows ...) NOT-FOR-US: SAP Sybase ASE CVE-2013-7244 RESERVED CVE-2013-7243 (Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS 3 ...) NOT-FOR-US: GetSimple CMS CVE-2013-7238 RESERVED CVE-2013-7237 RESERVED CVE-2011-5269 (Cross-site scripting (XSS) vulnerability in ProjectForge before 3.5.3 ...) NOT-FOR-US: ProjectForge CVE-2009-5138 (GnuTLS before 2.7.6, when the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT flag ...) - gnutls26 2.7.12-1 - gnutls28 (Only affects versions before 2.7.6) NOTE: Only affects version prior of 2.7.6, fix: https://gitlab.com/gnutls/gnutls/commit/c8dcbedd1fdc312f5b1a70fcfbc1afe235d800cd NOTE: and the issue has different root than CVE-2014-1959 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1069301 CVE-2009-5137 (Stack-based buffer overflow in Mini-stream CastRipper 2.50.70 allows r ...) NOT-FOR-US: CastRipper CVE-2014-0611 (Multiple cross-site scripting (XSS) vulnerabilities in WebAccess in No ...) NOT-FOR-US: Novell GroupWise CVE-2014-0610 (The client in Novell GroupWise before 8.0.3 HP4, 2012 before SP3, and ...) NOT-FOR-US: Novell GroupWise CVE-2014-0609 (Unspecified vulnerability in Novell Open Enterprise Server (OES) 11 SP ...) NOT-FOR-US: Novell Open Enterprise Server CVE-2014-0608 RESERVED CVE-2014-0607 (Unrestricted file upload vulnerability in Attachmate Verastream Proces ...) NOT-FOR-US: Attachmate Verastream Process Designer CVE-2014-0606 REJECTED CVE-2014-0605 (Directory traversal vulnerability in the rftpcom.dll ActiveX control i ...) NOT-FOR-US: Attachmate Reflection FTP Client CVE-2014-0604 (Directory traversal vulnerability in the rftpcom.dll ActiveX control i ...) NOT-FOR-US: Attachmate Reflection FTP Client CVE-2014-0603 (The rftpcom.dll ActiveX control in Attachmate Reflection FTP Client be ...) NOT-FOR-US: Attachmate Reflection FTP Client CVE-2014-0602 (Directory traversal vulnerability in the DumpToFile method in the NQMc ...) NOT-FOR-US: NetIQ Security Manager CVE-2014-0601 RESERVED CVE-2014-0600 (FileUploadServlet in the Administration service in Novell GroupWise 20 ...) NOT-FOR-US: Novell GroupWise CVE-2014-0599 (Cross-site scripting (XSS) vulnerability in iPrint in Novell Open Ente ...) NOT-FOR-US: Novell Open Enterprise Server CVE-2014-0598 (Directory traversal vulnerability in iPrint in Novell Open Enterprise ...) NOT-FOR-US: Novell Open Enterprise Server CVE-2014-0597 RESERVED CVE-2014-0596 RESERVED CVE-2014-0595 (/opt/novell/ncl/bin/nwrights in Novell Client for Linux in Novell Open ...) NOT-FOR-US: Novel OES CVE-2014-0594 (In the Open Build Service (OBS) before version 2.4.6 the CSRF protecti ...) - open-build-service (Fixed before initial release to Debian) NOTE: https://github.com/openSUSE/open-build-service/commit/2188c059b67b82171d0e28ef59f77e62d22a09d8 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=870606 CVE-2014-0593 (The set_version script as shipped with obs-service-set_version is a so ...) NOT-FOR-US: script for OBS CVE-2014-0592 (Barclamp (aka barclamp-network) 1.7 for the Crowbar Framework, as used ...) NOT-FOR-US: Crowbar CVE-2014-0591 (The query_findclosestnsec3 function in query.c in named in ISC BIND 9. ...) {DSA-3023-1 DLA-48-1} - bind9 1:9.9.5.dfsg-2 (bug #735190) NOTE: https://kb.isc.org/article/AA-01078 NOTE: https://kb.isc.org/article/AA-01085 CVE-2013-7259 (Multiple cross-site request forgery (CSRF) vulnerabilities in Neo4J 1. ...) - neo4j-community (bug #685615) NOTE: http://blog.diniscruz.com/2013/08/neo4j-csrf-payload-to-start-processes.html CVE-2013-7258 (Cross-site scripting (XSS) vulnerability in web2ldap 1.1.x before 1.1. ...) - web2ldap (low; bug #734107) CVE-2013-7257 (Cross-site scripting (XSS) vulnerability in Codiad 2.0.7 allows remote ...) NOT-FOR-US: Codiad CVE-2013-7256 (Cross-site request forgery (CSRF) vulnerability in Opsview before 4.4. ...) NOT-FOR-US: Ops View CVE-2013-7255 (Open redirect vulnerability in Opsview before 4.4.2 allows remote atta ...) NOT-FOR-US: Ops View CVE-2013-7254 (Cross-site scripting (XSS) vulnerability in Opsview before 4.4.2 allow ...) NOT-FOR-US: Ops View CVE-2013-7253 RESERVED CVE-2013-7252 (kwalletd in KWallet before KDE Applications 14.12.0 uses Blowfish with ...) - kde-runtime 4:4.12.2-1 [wheezy] - kde-runtime (4.12 introduces a GnuPG backend, no backport planned) - kdebase-runtime [squeeze] - kdebase-runtime (4.12 introduces a GnuPG backend, no backport planned) NOTE: http://gaganpreet.in/blog/2013/07/24/kwallet-security-analysis/ NOTE: Upstream advisory: https://www.kde.org/info/security/advisory-20150109-1.txt CVE-2013-7233 (Cross-site request forgery (CSRF) vulnerability in the retrospam compo ...) - wordpress (unimportant) NOTE: issue only allows comments from posts to be moved to "needs moderation" list CVE-2013-7232 (SQL injection vulnerability in ESRI ArcGIS for Server through 10.2 all ...) NOT-FOR-US: ESRI ArcGIS CVE-2013-7231 (Cross-site scripting (XSS) vulnerability in the Mobile Content Server ...) NOT-FOR-US: ESRI ArcGIS CVE-2013-7230 RESERVED CVE-2013-7229 RESERVED CVE-2013-7228 RESERVED CVE-2013-7227 RESERVED CVE-2013-7226 (Integer overflow in the gdImageCrop function in ext/gd/gd.c in PHP 5.5 ...) - php5 5.5.9+dfsg-1 [wheezy] - php5 (Vulnerable code was introduced in 5.5.0) [squeeze] - php5 (Vulnerable code was introduced in 5.5.0) NOTE: https://bugs.php.net/bug.php?id=66356 NOTE: http://www.php.net/manual/en/function.imagecrop.php CVE-2013-7219 (SQL injection vulnerability in vote.php in the 2Glux Sexy Polling (com ...) NOT-FOR-US: Joomla component com_sexypolling CVE-2013-7218 RESERVED CVE-2013-7217 (Unspecified vulnerability in Zimbra Collaboration Server 7.2.5 and ear ...) NOT-FOR-US: Zimbra CVE-2013-7216 (Multiple SQL injection vulnerabilities in Classifieds Creator 2.0 allo ...) NOT-FOR-US: Classifieds Creator CVE-2013-7215 RESERVED CVE-2013-7214 RESERVED CVE-2013-7213 RESERVED CVE-2013-7212 RESERVED CVE-2013-7211 RESERVED CVE-2013-7210 RESERVED CVE-2013-7209 (Cross-site request forgery (CSRF) vulnerability in admBase/login.page ...) NOT-FOR-US: jForum CVE-2013-7208 RESERVED CVE-2013-7207 RESERVED CVE-2013-7206 RESERVED CVE-2013-7204 (Cross-site request forgery (CSRF) vulnerability in set_users.cgi in Co ...) NOT-FOR-US: Conceptronic CIPCAMPTIWL Camera CVE-2013-7202 (The WebHybridClient class in PayPal 5.3 and earlier for Android allows ...) NOT-FOR-US: Paypal for Android CVE-2013-7201 (WebHybridClient.java in PayPal 5.3 and earlier for Android ignores SSL ...) NOT-FOR-US: Paypal for Android CVE-2013-7200 RESERVED CVE-2013-7199 RESERVED CVE-2013-7198 RESERVED CVE-2013-7197 RESERVED CVE-2012-6619 (The default configuration for MongoDB before 2.3.2 does not validate o ...) - mongodb 1:2.4.1-1 [wheezy] - mongodb (Workaround exists, intrusive change) [squeeze] - mongodb (Workaround exists, intrusive change) NOTE: http://article.gmane.org/gmane.comp.security.oss.general/11822 NOTE: https://jira.mongodb.org/browse/SERVER-7769 CVE-2012-6618 (The av_probe_input_buffer function in libavformat/utils.c in FFmpeg be ...) {DSA-2947-1} - libav 6:9.11-1 - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=e74cd2f4706f71da5e9205003c1d8263b54ed3fb NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=2115a3597457231a6e5c0527fe0ff8550f64b733 CVE-2012-6617 (The prepare_sdp_description function in ffserver.c in FFmpeg before 1. ...) - libav 6:9.11-1 [wheezy] - libav (Introduced in 0.9 with d77f4afa9814b0433be6fdbfd7d8a113592ba680) - ffmpeg (Introduced in 0.9 with d77f4afa9814b0433be6fdbfd7d8a113592ba680) NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=9929991da7b843e7d80154fcacc4e80579b86a2d NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=82b9799bb211ecd117171115e4a8b832c4942314 CVE-2012-6616 (The mov_text_decode_frame function in libavcodec/movtextdec.c in FFmpe ...) - libav (Vulnerable code not present in libav) - ffmpeg (Vulnerable code not present in older ffmpeg) CVE-2012-6615 (The ff_ass_split_override_codes function in libavcodec/ass_split.c in ...) - libav (Vulnerable code not present in libav) - ffmpeg (Vulnerable code not present in older ffmpeg) CVE-2011-5268 (connection.c in Bip before 0.8.9 does not properly close sockets, whic ...) - bip 0.8.9-1 [squeeze] - bip (Minor issue) [wheezy] - bip (Minor issue) NOTE: Difference between CVE-2011-5268 and CVE-2013-4550: http://www.openwall.com/lists/oss-security/2014/01/02/9 CVE-2014-0590 (Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0589 (Heap-based buffer overflow in Adobe Flash Player before 13.0.0.252 and ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0588 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.252 a ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0587 (Adobe Flash Player before 13.0.0.259 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0586 (Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0585 (Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0584 (Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0583 (Heap-based buffer overflow in Adobe Flash Player before 13.0.0.252 and ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0582 (Heap-based buffer overflow in Adobe Flash Player before 13.0.0.252 and ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0581 (Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0580 (Adobe Flash Player before 13.0.0.259 and 14.x through 16.x before 16.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0579 REJECTED CVE-2014-0578 (Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0577 (Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0576 (Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0575 REJECTED CVE-2014-0574 (Double free vulnerability in Adobe Flash Player before 13.0.0.252 and ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0573 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.252 a ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0572 (Adobe ColdFusion 9.0 before Update 13, 9.0.1 before Update 12, 9.0.2 b ...) NOT-FOR-US: Adobe ColdFusion CVE-2014-0571 (Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 9.0 befor ...) NOT-FOR-US: Adobe ColdFusion CVE-2014-0570 (Cross-site request forgery (CSRF) vulnerability in Adobe ColdFusion 9. ...) NOT-FOR-US: Adobe ColdFusion CVE-2014-0569 (Integer overflow in Adobe Flash Player before 13.0.0.250 and 14.x and ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0568 (The NtSetInformationFile system call hook feature in Adobe Reader and ...) NOT-FOR-US: Adobe Reader CVE-2014-0567 (Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10. ...) NOT-FOR-US: Adobe Reader CVE-2014-0566 (Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 o ...) NOT-FOR-US: Adobe Reader CVE-2014-0565 (Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 o ...) NOT-FOR-US: Adobe Reader CVE-2014-0564 (Adobe Flash Player before 13.0.0.250 and 14.x and 15.x before 15.0.0.1 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0563 (Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 o ...) NOT-FOR-US: Adobe Reader CVE-2014-0562 (Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 1 ...) NOT-FOR-US: Adobe Reader CVE-2014-0561 (Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10. ...) NOT-FOR-US: Adobe Reader CVE-2014-0560 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe Reader CVE-2014-0559 (Heap-based buffer overflow in Adobe Flash Player before 13.0.0.244 and ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0558 (Adobe Flash Player before 13.0.0.250 and 14.x and 15.x before 15.0.0.1 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0557 (Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.1 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0556 (Heap-based buffer overflow in Adobe Flash Player before 13.0.0.244 and ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0555 (Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.1 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0554 (Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.1 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0553 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.244 a ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0552 (Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.1 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0551 (Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.1 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0550 (Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.1 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0549 (Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.1 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0548 (Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.1 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0547 (Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.1 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0546 (Adobe Reader and Acrobat 10.x before 10.1.11 and 11.x before 11.0.08 o ...) NOT-FOR-US: Adobe CVE-2014-0545 (Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0544 (Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0543 (Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0542 (Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0541 (Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0540 (Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0539 (Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0538 (Use-after-free vulnerability in Adobe Flash Player before 13.0.0.241 a ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0537 (Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0536 (Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0535 (Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0534 (Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0533 (Cross-site scripting (XSS) vulnerability in Adobe Flash Player before ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0532 (Cross-site scripting (XSS) vulnerability in Adobe Flash Player before ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0531 (Cross-site scripting (XSS) vulnerability in Adobe Flash Player before ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0530 REJECTED CVE-2014-0529 (Buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.10 and 11 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2014-0528 (Double free vulnerability in Adobe Reader and Acrobat 10.x before 10.1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2014-0527 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2014-0526 (Adobe Reader and Acrobat 10.x before 10.1.10 and 11.x before 11.0.07 o ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2014-0525 (The API in Adobe Reader and Acrobat 10.x before 10.1.10 and 11.x befor ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2014-0524 (Adobe Reader and Acrobat 10.x before 10.1.10 and 11.x before 11.0.07 o ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2014-0523 (Adobe Reader and Acrobat 10.x before 10.1.10 and 11.x before 11.0.07 o ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2014-0522 (Adobe Reader and Acrobat 10.x before 10.1.10 and 11.x before 11.0.07 o ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2014-0521 (Adobe Reader and Acrobat 10.x before 10.1.10 and 11.x before 11.0.07 o ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2014-0520 (Adobe Flash Player before 13.0.0.214 on Windows and OS X and before 11 ...) NOT-FOR-US: Flash plugin CVE-2014-0519 (Adobe Flash Player before 13.0.0.214 on Windows and OS X and before 11 ...) NOT-FOR-US: Flash plugin CVE-2014-0518 (Adobe Flash Player before 13.0.0.214 on Windows and OS X and before 11 ...) NOT-FOR-US: Flash plugin CVE-2014-0517 (Adobe Flash Player before 13.0.0.214 on Windows and OS X and before 11 ...) NOT-FOR-US: Flash plugin CVE-2014-0516 (Adobe Flash Player before 13.0.0.214 on Windows and OS X and before 11 ...) NOT-FOR-US: Flash plugin CVE-2014-0515 (Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x t ...) NOT-FOR-US: Flash plugin CVE-2014-0514 (The Adobe Reader Mobile application before 11.2 for Android does not p ...) NOT-FOR-US: Adobe Reader Mobile application CVE-2014-0513 (Stack-based buffer overflow in Adobe Illustrator CS6 before 16.0.5 and ...) NOT-FOR-US: Adobe Illustrator CS6 CVE-2014-0512 (Adobe Reader 11.0.06 allows attackers to bypass a PDF sandbox protecti ...) NOT-FOR-US: Adobe Reader CVE-2014-0511 (Heap-based buffer overflow in Adobe Reader 11.0.06 allows remote attac ...) NOT-FOR-US: Adobe Reader CVE-2014-0510 (Heap-based buffer overflow in Adobe Flash Player 12.0.0.77 allows remo ...) NOT-FOR-US: Flash plugin CVE-2014-0509 (Cross-site scripting (XSS) vulnerability in Adobe Flash Player before ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0508 (Adobe Flash Player before 11.7.700.275 and 11.8.x through 13.0.x befor ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0507 (Buffer overflow in Adobe Flash Player before 11.7.700.275 and 11.8.x t ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0506 (Use-after-free vulnerability in Adobe Flash Player before 11.7.700.275 ...) NOT-FOR-US: Adobe Flash Player CVE-2014-0505 (Adobe Shockwave Player before 12.1.0.150 allows remote attackers to ex ...) NOT-FOR-US: Adobe Shockwave Player CVE-2014-0504 (Adobe Flash Player before 11.7.700.272 and 11.8.x through 12.0.x befor ...) NOT-FOR-US: Flash plugin CVE-2014-0503 (Adobe Flash Player before 11.7.700.272 and 11.8.x through 12.0.x befor ...) NOT-FOR-US: Flash plugin CVE-2014-0502 (Double free vulnerability in Adobe Flash Player before 11.7.700.269 an ...) NOT-FOR-US: Flash plugin CVE-2014-0501 (Adobe Shockwave Player before 12.0.9.149 allows remote attackers to ex ...) NOT-FOR-US: Adobe Shockwave Player CVE-2014-0500 (Adobe Shockwave Player before 12.0.9.149 allows remote attackers to ex ...) NOT-FOR-US: Adobe Shockwave Player CVE-2014-0499 (Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x befor ...) NOT-FOR-US: Flash plugin CVE-2014-0498 (Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269 ...) NOT-FOR-US: Flash plugin CVE-2014-0497 (Integer underflow in Adobe Flash Player before 11.7.700.261 and 11.8.x ...) NOT-FOR-US: Flash plugin CVE-2014-0496 (Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 1 ...) NOT-FOR-US: Adobe Reader CVE-2014-0495 (Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on ...) NOT-FOR-US: Adobe Reader CVE-2014-0494 (Adobe Digital Editions 2.0.1 allows attackers to execute arbitrary cod ...) NOT-FOR-US: Adobe Digital Editions CVE-2014-0493 (Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on ...) NOT-FOR-US: Adobe Reader CVE-2014-0492 (Adobe Flash Player before 11.7.700.260 and 11.8.x and 11.9.x before 12 ...) NOT-FOR-US: Flash plugin CVE-2014-0491 (Adobe Flash Player before 11.7.700.260 and 11.8.x and 11.9.x before 12 ...) NOT-FOR-US: Flash plugin CVE-2014-0490 (The apt-get download command in APT before 1.0.9 does not properly val ...) {DSA-3025-1} - apt 0.9.12 NOTE: fixed with commit http://anonscm.debian.org/cgit/apt/apt.git/commit/?id=d57f6084aaa3972073114973d149ea2291b36682 [squeeze] - apt (apt download command and vulnerable code not present) CVE-2014-0489 (APT before 1.0.9, when the Acquire::GzipIndexes option is enabled, doe ...) {DSA-3025-1 DLA-53-1} - apt 1.0.9 CVE-2014-0488 (APT before 1.0.9 does not "invalidate repository data" when moving fro ...) {DSA-3025-1 DLA-53-1} - apt 1.0.9 CVE-2014-0487 (APT before 1.0.9 does not verify downloaded files if they have been mo ...) {DSA-3025-1 DLA-53-1} - apt 1.0.9 CVE-2014-0486 (Knot DNS before 1.5.2 allows remote attackers to cause a denial of ser ...) - knot 1.5.2-1 CVE-2014-0485 (S3QL 1.18.1 and earlier uses the pickle Python module unsafely, which ...) {DSA-3013-1} - s3ql 2.10.1+dfsg-4 (high) CVE-2014-0484 (The Debian acpi-support package before 0.140-5+deb7u3 allows local use ...) {DSA-3020-1 DLA-49-1} - acpi-support 0.142-4 CVE-2014-0483 (The administrative interface (contrib.admin) in Django before 1.4.14, ...) {DSA-3010-1 DLA-65-1} - python-django 1.6.6-1 CVE-2014-0482 (The contrib.auth.middleware.RemoteUserMiddleware middleware in Django ...) {DSA-3010-1 DLA-65-1} - python-django 1.6.6-1 CVE-2014-0481 (The default configuration for the file upload handling system in Djang ...) {DSA-3010-1 DLA-65-1} - python-django 1.6.6-1 CVE-2014-0480 (The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x ...) {DSA-3010-1 DLA-65-1} - python-django 1.6.6-1 CVE-2014-0479 (reportbug before 6.4.4+deb7u1 and 6.5.x before 6.5.0+nmu1 allows remot ...) {DSA-2997-1 DLA-31-1} - reportbug 6.5.0+nmu1 [squeeze] - reportbug 4.12.6+deb6u1 CVE-2014-0478 (APT before 1.0.4 does not properly validate source packages, which all ...) {DSA-2958-1 DLA-0005-1} - apt 1.0.4 (bug #749795) [squeeze] - apt 0.8.10.3+squeeze2 CVE-2014-0477 (The parse function in Email::Address module before 1.905 for Perl uses ...) {DSA-2969-1 DLA-0011-1} - libemail-address-perl 1.905-1 [squeeze] - libemail-address-perl 1.889-2+deb6u1 CVE-2014-0476 (The slapper function in chkrootkit before 0.50 does not properly quote ...) {DSA-2945-1 DLA-0002-1} - chkrootkit 0.49-5 [squeeze] - chkrootkit 0.49-4+deb6u1 CVE-2014-0475 (Multiple directory traversal vulnerabilities in GNU C Library (aka gli ...) {DSA-2976-1 DLA-43-1} - glibc 2.19-6 - eglibc CVE-2014-0474 (The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressFie ...) {DSA-2934-1} - python-django 1.6.3-1 CVE-2014-0473 (The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6 ...) {DSA-2934-1} - python-django 1.6.3-1 CVE-2014-0472 (The django.core.urlresolvers.reverse function in Django before 1.4.11, ...) {DSA-2934-1} - python-django 1.6.3-1 CVE-2014-0471 (Directory traversal vulnerability in the unpacking functionality in dp ...) {DSA-2915-1} - dpkg 1.17.8 CVE-2014-0470 (super.c in Super 3.30.0 does not check the return value of the setuid ...) {DSA-2917-1} - super 3.30.0-7 CVE-2014-0469 (Stack-based buffer overflow in a certain Debian patch for xbuffy befor ...) {DSA-2921-1} - xbuffy 3.3.bl.3.dfsg-9 CVE-2014-0468 RESERVED - fusionforge 5.3+20140506-1 [squeeze] - fusionforge (Unsupported in squeeze-lts) NOTE: http://lists.fusionforge.org/pipermail/fusionforge-general/2014-March/002645.html CVE-2014-0467 (Buffer overflow in copy.c in Mutt before 1.5.23 allows remote attacker ...) {DSA-2874-1} - mutt 1.5.22-2 (bug #708731) CVE-2014-0466 (The fixps script in a2ps 4.14 does not use the -dSAFER option when exe ...) {DSA-2892-1} - a2ps 1:4.14-1.3 (bug #742902) CVE-2013-7196 (static/ajax.php in PHPFox 3.7.3, 3.7.4, and 3.7.5 allows remote authen ...) NOT-FOR-US: PHPFox CVE-2013-7195 (PHPFox 3.7.3 and 3.7.4 allows remote authenticated users to bypass int ...) NOT-FOR-US: PHPFox CVE-2013-7194 (Multiple cross-site scripting (XSS) vulnerabilities in www/administrat ...) NOT-FOR-US: eFront CVE-2013-7193 (Multiple SQL injection vulnerabilities in C2C Forward Auction Creator ...) NOT-FOR-US: C2C Forward Auction Creator CVE-2013-7192 (Multiple SQL injection vulnerabilities in Dynamic Biz Website Builder ...) NOT-FOR-US: Dynamic Biz Website Builder CVE-2013-7190 (Multiple directory traversal vulnerabilities in iScripts AutoHoster, p ...) NOT-FOR-US: iScripts AutoHoster CVE-2013-7186 (Buffer overflow in Steinberg MyMp3PRO 5.0 (Build 5.1.0.21) allows remo ...) NOT-FOR-US: Steinberg MyMp3PRO CVE-2013-7185 (PotPlayer 1.5.40688: .avi File Memory Corruption ...) NOT-FOR-US: PotPlayer CVE-2013-7184 (Gretech GOM Media Player 2.2.56.5158 and earlier allows remote attacke ...) NOT-FOR-US: Gretech GOM Media Player CVE-2013-7183 (cgi-bin/reboot.cgi on Seowon Intech SWC-9100 routers allows remote att ...) NOT-FOR-US: Seowon Intech SWC-9100 CVE-2013-7182 (Cross-site scripting (XSS) vulnerability in firewall/schedule/recurrdl ...) NOT-FOR-US: Fortinet FortiOS CVE-2013-7181 (Cross-site scripting (XSS) vulnerability in user/ldap_user/add in Fort ...) NOT-FOR-US: FortiWeb CVE-2013-7180 (Cobham SAILOR 900 VSAT; SAILOR FleetBroadBand 150, 250, and 500; EXPLO ...) NOT-FOR-US: Cobham CVE-2013-7179 (The ping functionality in cgi-bin/diagnostic.cgi on Seowon Intech SWC- ...) NOT-FOR-US: Seowon Intech SWC-9100 routers CVE-2013-7178 RESERVED CVE-2013-7177 (config/filter.d/cyrus-imap.conf in the cyrus-imap filter in Fail2ban b ...) {DSA-2979-1 DLA-0021-1} - fail2ban 0.8.11-1 [squeeze] - fail2ban 0.8.4-3+squeeze3 NOTE: https://github.com/fail2ban/fail2ban/commit/bd175f026737d66e7110868fb50b3760ff75e087 CVE-2013-7176 (config/filter.d/postfix.conf in the postfix filter in Fail2ban before ...) {DSA-2979-1 DLA-0021-1} - fail2ban 0.8.11-1 [squeeze] - fail2ban 0.8.4-3+squeeze3 CVE-2013-7175 (Multiple SQL injection vulnerabilities in Avanset Visual CertExam Mana ...) NOT-FOR-US: Avanset Visual CertExam Manager CVE-2013-7174 (Absolute path traversal vulnerability in cgi-bin/jc.cgi in QNAP QTS be ...) NOT-FOR-US: QNAP QTS CVE-2013-7173 (Belkin n750 routers have a buffer overflow. ...) NOT-FOR-US: Belkin CVE-2013-7172 (Slackware 13.1, 13.37, 14.0 and 14.1 contain world-writable permission ...) - libiodbc2 (RPATH issue slackware specific) CVE-2013-7171 (Slackware 14.0 and 14.1, and Slackware LLVM 3.0-i486-2 and 3.3-i486-2, ...) - llvm-2.9 (RPATH issue slackware specific) - llvm-3.0 (RPATH issue slackware specific) - llvm-3.1 (RPATH issue slackware specific) - llvm-toolchain-3.2 (RPATH issue slackware specific) - llvm-toolchain-3.3 (RPATH issue slackware specific) - llvm-toolchain-3.4 (RPATH issue slackware specific) - llvm-toolchain-snapshot (RPATH issue slackware specific) CVE-2013-7170 RESERVED CVE-2013-7169 REJECTED CVE-2013-7168 REJECTED CVE-2013-7167 REJECTED CVE-2013-7166 REJECTED CVE-2013-7165 REJECTED CVE-2013-7164 REJECTED CVE-2013-7163 RESERVED CVE-2013-7162 RESERVED CVE-2013-7161 RESERVED CVE-2013-7160 RESERVED CVE-2013-7159 RESERVED CVE-2013-7158 RESERVED CVE-2013-7157 RESERVED CVE-2013-7156 RESERVED CVE-2013-7155 RESERVED CVE-2013-7154 RESERVED CVE-2013-7153 RESERVED CVE-2013-7152 RESERVED CVE-2013-7151 RESERVED CVE-2013-7150 RESERVED CVE-2014-0465 (Unspecified vulnerability in the Oracle OpenSSO component in Oracle Fu ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-0464 (Unspecified vulnerability in Oracle Java SE 8 allows remote attackers ...) - openjdk-7 (Only affects Java 8) - openjdk-6 (Only affects Java 8) CVE-2014-0463 (Unspecified vulnerability in Oracle Java SE 8 allows remote attackers ...) - openjdk-7 (Only affects Java 8) - openjdk-6 (Only affects Java 8) CVE-2014-0462 (Unspecified vulnerability in OpenJDK 6 before 6b31 on Debian GNU/Linux ...) {DSA-2912-1} - openjdk-6 6b31-1.13.3-1 CVE-2014-0461 (Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Jav ...) {DSA-2923-1 DSA-2912-1} - openjdk-7 7u55-2.4.7-1 - openjdk-6 6b31-1.13.3-1 CVE-2014-0460 (Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; ...) {DSA-2923-1 DSA-2912-1} - openjdk-7 7u55-2.4.7-1 - openjdk-6 6b31-1.13.3-1 CVE-2014-0459 (Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Em ...) {DSA-2923-1 DSA-2912-1} - lcms [squeeze] - lcms (Minor issue) [wheezy] - lcms (Minor issue) - lcms2 2.6-1 (low; bug #745471) [wheezy] - lcms2 (Minor issue) CVE-2014-0458 (Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Jav ...) {DSA-2923-1 DSA-2912-1} - openjdk-7 7u55-2.4.7-1 - openjdk-6 6b31-1.13.3-1 CVE-2014-0457 (Unspecified vulnerability in Oracle Java SE 5.0u61, SE 6u71, 7u51, and ...) {DSA-2923-1 DSA-2912-1} - openjdk-7 7u55-2.4.7-1 - openjdk-6 6b31-1.13.3-1 CVE-2014-0456 (Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Jav ...) {DSA-2923-1 DSA-2912-1} - openjdk-7 7u55-2.4.7-1 - openjdk-6 6b31-1.13.3-1 CVE-2014-0455 (Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Em ...) {DSA-2923-1} - openjdk-7 7u55-2.4.7-1 - openjdk-6 (Only affects Java 7/8) CVE-2014-0454 (Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Em ...) {DSA-2923-1} - openjdk-7 7u55-2.4.7-1 - openjdk-6 (Only affects Java 7/8) CVE-2014-0453 (Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; ...) {DSA-2923-1 DSA-2912-1} - openjdk-7 7u55-2.4.7-1 - openjdk-6 6b31-1.13.3-1 CVE-2014-0452 (Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Jav ...) {DSA-2923-1 DSA-2912-1} - openjdk-7 7u55-2.4.7-1 - openjdk-6 6b31-1.13.3-1 CVE-2014-0451 (Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8, ...) {DSA-2923-1 DSA-2912-1} - openjdk-7 7u55-2.4.7-1 - openjdk-6 6b31-1.13.3-1 CVE-2014-0450 (Unspecified vulnerability in the Oracle WebCenter Portal component in ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-0449 (Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Jav ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2014-0448 (Unspecified vulnerability in Oracle Java SE 7u51 and 8 allows remote a ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2014-0447 (Unspecified vulnerability in Oracle Solaris 10 and 11.1 allows local u ...) NOT-FOR-US: Solaris CVE-2014-0446 (Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8, ...) {DSA-2923-1 DSA-2912-1} - openjdk-7 7u55-2.4.7-1 - openjdk-6 6b31-1.13.3-1 CVE-2014-0445 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft Enterprise CVE-2014-0444 (Unspecified vulnerability in the Oracle AutoVue Electro-Mechanical Pro ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2014-0443 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft Enterprise CVE-2014-0442 (Unspecified vulnerability in Oracle Solaris 9, 10, and 11.1 allows loc ...) NOT-FOR-US: Solaris CVE-2014-0441 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft Enterprise CVE-2014-0440 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft Enterprise CVE-2014-0439 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft Enterprise CVE-2014-0438 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft Enterprise CVE-2014-0437 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2848-1 DSA-2845-1} - mariadb-5.5 5.5.35-1 - mysql-5.5 5.5.35+dfsg-1 - mariadb-10.0 (Fixed before initial upload) - mysql-5.1 - percona-xtradb-cluster-5.5 5.5.37-25.10+dfsg-1 CVE-2014-0436 (Unspecified vulnerability in the Hyperion BI+ component in Oracle Hype ...) NOT-FOR-US: Oracle CVE-2014-0435 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2014-0434 (Unspecified vulnerability in the Oracle Agile Product Lifecycle Manage ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2014-0433 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 (Only affects Mysql 5.6) - mysql-5.1 (Only affects Mysql 5.6) CVE-2014-0432 (Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Em ...) - openjdk-6 (Specific to Oracle Java, not present in IcedTea) - openjdk-7 (Specific to Oracle Java, not present in IcedTea) NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected CVE-2014-0431 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 (Only affects Mysql 5.6) - mysql-5.1 (Only affects Mysql 5.6) CVE-2014-0430 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 (Only affects Mysql 5.6) - mysql-5.1 (Only affects Mysql 5.6) CVE-2014-0429 (Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; ...) {DSA-2923-1 DSA-2912-1} - openjdk-7 7u55-2.4.7-1 - openjdk-6 6b31-1.13.3-1 CVE-2014-0428 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Ja ...) - openjdk-6 6b30-1.13.1-1 - openjdk-7 7u51-2.4.4-1 CVE-2014-0427 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 (Only affects Mysql 5.6) - mysql-5.1 (Only affects Mysql 5.6) CVE-2014-0426 (Unspecified vulnerability in the Oracle Containers for J2EE component ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-0425 (Unspecified vulnerability in the PeopleSoft Enterprise SCM Services Pr ...) NOT-FOR-US: PeopleSoft Enterprise CVE-2014-0424 (Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remot ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2014-0423 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JR ...) - openjdk-6 6b30-1.13.1-1 - openjdk-7 7u51-2.4.4-1 CVE-2014-0422 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Ja ...) - openjdk-6 6b30-1.13.1-1 - openjdk-7 7u51-2.4.4-1 CVE-2014-0421 (Unspecified vulnerability in Oracle Solaris 10, when running on the SP ...) NOT-FOR-US: Solaris CVE-2014-0420 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2848-1} - mariadb-5.5 5.5.35-1 - mysql-5.5 5.5.35+dfsg-1 - mariadb-10.0 (Fixed before initial upload) - mysql-5.1 (Only affects Mysql 5.5 and 5.6) - percona-xtradb-cluster-5.5 5.5.37-25.10+dfsg-1 CVE-2014-0419 (Unspecified vulnerability in the Oracle Secure Global Desktop (SGD) co ...) NOT-FOR-US: Oracle Secure Global Desktop CVE-2014-0418 (Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remot ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2014-0417 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Ja ...) - openjdk-6 (Specific to Oracle Java, not present in IcedTea) - openjdk-7 (Specific to Oracle Java, not present in IcedTea) NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected CVE-2014-0416 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Ja ...) - openjdk-6 6b30-1.13.1-1 - openjdk-7 7u51-2.4.4-1 CVE-2014-0415 (Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remot ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2014-0414 (Unspecified vulnerability in the Oracle Containers for J2EE component ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-0413 (Unspecified vulnerability in the Oracle Containers for J2EE component ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-0412 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2848-1 DSA-2845-1} - mariadb-5.5 5.5.35-1 - mysql-5.5 5.5.35+dfsg-1 - mariadb-10.0 (Fixed before initial upload) - mysql-5.1 - percona-xtradb-cluster-5.5 5.5.37-25.10+dfsg-1 CVE-2014-0411 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JR ...) - openjdk-6 6b30-1.13.1-1 - openjdk-7 7u51-2.4.4-1 CVE-2014-0410 (Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remot ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2014-0409 REJECTED CVE-2014-0408 (Unspecified vulnerability in Oracle Java SE 7u45, when running on OS X ...) - openjdk-6 (Specific to MacOS X) - openjdk-7 (Specific to MacOS X) CVE-2014-0407 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) {DSA-2878-1} - virtualbox-ose (low) - virtualbox 4.3.6-dfsg-1 (low; bug #735410) CVE-2014-0406 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) {DSA-2878-1} - virtualbox-ose (low) - virtualbox 4.3.6-dfsg-1 (low; bug #735410) CVE-2014-0405 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) - virtualbox-guest-additions (bug #735410) [squeeze] - virtualbox-guest-additions (Non-free not supported) - virtualbox-guest-additions-iso 4.3.10-1 (bug #735410) [wheezy] - virtualbox-guest-additions-iso (Non-free not supported) CVE-2014-0404 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) {DSA-2878-1} - virtualbox-ose (low) - virtualbox 4.3.6-dfsg-1 (low; bug #735410) CVE-2014-0403 (Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remot ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2014-0402 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2848-1 DSA-2845-1} - mariadb-5.5 5.5.35-1 - mariadb-10.0 (Fixed before initial upload) - mysql-5.5 5.5.35+dfsg-1 - mysql-5.1 - percona-xtradb-cluster-5.5 5.5.37-25.10+dfsg-1 CVE-2014-0401 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2848-1 DSA-2845-1} - mariadb-5.5 5.5.35-1 - mariadb-10.0 (Fixed before initial upload) - mysql-5.5 5.5.35+dfsg-1 - mysql-5.1 - percona-xtradb-cluster-5.5 5.5.37-25.10+dfsg-1 CVE-2014-0400 (Unspecified vulnerability in the Oracle Internet Directory component i ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-0399 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2014-0398 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2014-0397 (Multiple unspecified vulnerabilities in libXtsol in Oracle Solaris 10 ...) NOT-FOR-US: Oracle Solaris CVE-2014-0396 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft Enterprise CVE-2014-0395 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft Enterprise CVE-2014-0394 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft Enterprise CVE-2014-0393 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2848-1 DSA-2845-1} - mariadb-5.5 5.5.35-1 - mariadb-10.0 (Fixed before initial upload) - mysql-5.5 5.5.35+dfsg-1 - mysql-5.1 - percona-xtradb-cluster-5.5 5.5.37-25.10+dfsg-1 CVE-2014-0392 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: PeopleSoft Enterprise CVE-2014-0391 (Unspecified vulnerability in the Oracle Identity Manager component in ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-0390 (Unspecified vulnerability in Oracle Solaris 10 allows remote attackers ...) NOT-FOR-US: Oracle Solaris CVE-2014-0389 (Unspecified vulnerability in Oracle iLearning 6.0 allows remote attack ...) NOT-FOR-US: Oracle iLearning CVE-2014-0388 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS Human Reso ...) NOT-FOR-US: PeopleSoft Enterprise CVE-2014-0387 (Unspecified vulnerability in Oracle Java SE 6u65 and Java SE 7u45, whe ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2014-0386 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2848-1 DSA-2845-1} - mariadb-5.5 5.5.35-1 - mariadb-10.0 (Fixed before initial upload) - mysql-5.5 5.5.35+dfsg-1 - mysql-5.1 - percona-xtradb-cluster-5.5 5.5.37-25.10+dfsg-1 CVE-2014-0385 (Unspecified vulnerability in Oracle Java SE 7u45, when installing on O ...) - openjdk-6 (Specific to MacOS X) - openjdk-7 (Specific to MacOS X) CVE-2014-0384 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2919-1} - mysql-5.5 5.5.37-1 (bug #744910) - mariadb-5.5 5.5.37-1 (bug #745330) - mariadb-10.0 (Fixed before initial upload) - mysql-5.1 (Only affects Mysql 5.5/5.6) - percona-xtradb-cluster-5.5 5.5.37-25.10+dfsg-1 CVE-2014-0383 (Unspecified vulnerability in the Oracle Identity Manager component in ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-0382 (Unspecified vulnerability in Oracle Java SE 7u45 and JavaFX 2.2.45 all ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2014-0381 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft Enterprise CVE-2014-0380 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft Enterprise CVE-2014-0379 (Unspecified vulnerability in the Oracle Demantra Demand Management com ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2014-0378 (Unspecified vulnerability in the Spatial component in Oracle Database ...) NOT-FOR-US: Oracle Database Server CVE-2014-0377 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2014-0376 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Ja ...) - openjdk-6 6b30-1.13.1-1 - openjdk-7 7u51-2.4.4-1 CVE-2014-0375 (Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remot ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2014-0374 (Unspecified vulnerability in the Oracle Portal component in Oracle Fus ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2014-0373 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45, an ...) - openjdk-6 6b30-1.13.1-1 - openjdk-7 7u51-2.4.4-1 CVE-2014-0372 (Unspecified vulnerability in the Oracle Demantra Demand Management com ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2014-0371 (Unspecified vulnerability in the Oracle Demantra Demand Management com ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2014-0370 (Unspecified vulnerability in the Siebel Life Sciences component in Ora ...) NOT-FOR-US: Oracle Siebel CRM CVE-2014-0369 (Unspecified vulnerability in the Siebel Core - EAI component in Oracle ...) NOT-FOR-US: Oracle Siebel CRM CVE-2014-0368 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45, an ...) - openjdk-6 6b30-1.13.1-1 - openjdk-7 7u51-2.4.4-1 CVE-2014-0367 (Unspecified vulnerability in the Hyperion Essbase Administration Servi ...) NOT-FOR-US: Oracle Hyperion CVE-2014-0366 (Unspecified vulnerability in the Oracle Applications Framework compone ...) NOT-FOR-US: Oracle E-Business Suite CVE-2013-7249 (Fat Free CRM before 0.12.1 does not restrict XML serialization, which ...) NOT-FOR-US: Fat Free CRM CVE-2013-7242 (SQL injection vulnerability in zp-core/zp-extensions/wordpress_import. ...) NOT-FOR-US: Zenphoto CVE-2013-7241 (Cross-site scripting (XSS) vulnerability in the export function in zp- ...) NOT-FOR-US: Zenphoto CVE-2013-7240 (Directory traversal vulnerability in download-file.php in the Advanced ...) NOT-FOR-US: Dewplayer CVE-2013-7239 (memcached before 1.4.17 allows remote attackers to bypass authenticati ...) {DSA-2832-1} - memcached 1.4.13-0.3 (bug #733643) [squeeze] - memcached (vulnerable code present, but SASL authentication support not enabled) NOTE: https://code.google.com/p/memcached/wiki/ReleaseNotes1417 NOTE: https://code.google.com/p/memcached/issues/detail?id=316 NOTE: https://github.com/memcached/memcached/commit/87c1cf0f20be20608d3becf854e9cf0910f4ad32 CVE-2013-7236 (Simple Machines Forum (SMF) 2.0.6, 1.1.19, and earlier allows remote a ...) NOT-FOR-US: Simple Machines Forum CVE-2013-7235 (Simple Machines Forum (SMF) before 1.1.19 and 2.x before 2.0.6 allows ...) NOT-FOR-US: Simple Machines Forum CVE-2013-7234 (Simple Machines Forum (SMF) before 1.1.19 and 2.x before 2.0.6 allows ...) NOT-FOR-US: Simple Machines Forum CVE-2013-7225 (Multiple SQL injection vulnerabilities in app/controllers/home_control ...) NOT-FOR-US: Fat Free CRM CVE-2013-7224 (Fat Free CRM before 0.12.1 does not restrict JSON serialization, which ...) NOT-FOR-US: Fat Free CRM CVE-2013-7223 (Multiple cross-site request forgery (CSRF) vulnerabilities in Fat Free ...) NOT-FOR-US: Fat Free CRM CVE-2013-7222 (config/initializers/secret_token.rb in Fat Free CRM before 0.12.1 has ...) NOT-FOR-US: Fat Free CRM CVE-2013-7221 (The automatic screen lock functionality in GNOME Shell (aka gnome-shel ...) - gnome-shell 3.10.1-1 [wheezy] - gnome-shell (Vulnerable code not present) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=708313 NOTE: https://git.gnome.org/browse/gnome-shell/commit/js/ui/main.js?id=efdf1ff755943fba1f8a9aaeff77daa3ed338088 CVE-2013-7220 (js/ui/screenShield.js in GNOME Shell (aka gnome-shell) before 3.8 allo ...) - gnome-shell 3.8.4-1 [wheezy] - gnome-shell (Vulnerable code not present) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=686740 NOTE: https://git.gnome.org/browse/gnome-shell/commit/js/ui/screenShield.js?id=209014b083dbe86ed0e0860a6016735571b56f94 CVE-2013-7205 (Off-by-one error in the process_cgivars function in contrib/daemonchk. ...) {DLA-1615-1} - nagios3 (low; bug #771466) [squeeze] - nagios3 (Minor issue) [wheezy] - nagios3 (Minor issue) NOTE: additional changed files for nagios3, cf. CVE-2013-7108 NOTE: Fixed by https://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/ NOTE: See also https://github.com/Icinga/icinga-core/issues/1399 CVE-2013-7203 (gitolite before commit fa06a34 might allow local users to read arbitra ...) - gitolite3 3.5.3.1-1 NOTE: http://marc.info/?l=oss-security&m=138783069700756&w=2 CVE-2013-7191 (Cross-site scripting (XSS) vulnerability in Tenmiles Helpdesk Pilot al ...) NOT-FOR-US: Tenmiles Helpdesk Pilot CVE-2013-7189 (Multiple SQL injection vulnerabilities in iScripts AutoHoster, possibl ...) NOT-FOR-US: iScripts AutoHoster CVE-2013-7188 (Cross-site scripting (XSS) vulnerability in KBKP Software HostBill bef ...) NOT-FOR-US: HostBill CVE-2013-7187 (SQL injection vulnerability in form.php in the FormCraft plugin 1.3.7 ...) NOT-FOR-US: WordPress plugin FormCraft CVE-2013-7149 (SQL injection vulnerability in www/delivery/axmlrpc.php (aka the XML-R ...) NOT-FOR-US: Revive Adserver CVE-2013-7148 REJECTED CVE-2013-7147 REJECTED CVE-2013-7146 REJECTED CVE-2013-7145 REJECTED CVE-2013-7144 (LINE 3.2.1.83 and earlier on Windows and 3.2.1 and earlier on OS X doe ...) NOT-FOR-US: LINE CVE-2013-7143 (Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite ...) NOT-FOR-US: Open-Xchange CVE-2013-7142 (Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite ...) NOT-FOR-US: Open-Xchange CVE-2013-7141 (Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite ...) NOT-FOR-US: Open-Xchange CVE-2013-7140 (XML External Entity (XXE) vulnerability in the CalDAV interface in Ope ...) NOT-FOR-US: Open-Xchange CVE-2013-7139 (SQL injection vulnerability in download.php in Horizon Quick Content M ...) NOT-FOR-US: Horizon CMS CVE-2013-7138 (Directory traversal vulnerability in lib/functions/d-load.php in Horiz ...) NOT-FOR-US: Horizon CMS CVE-2013-7137 (The "remember me" functionality in login.php in Burden before 1.8.1 al ...) NOT-FOR-US: Burden CVE-2013-7136 (The UPC Ireland Cisco EPC 2425 router (aka Horizon Box) does not have ...) NOT-FOR-US: Cisco CVE-2013-7135 (The Proc::Daemon module 0.14 for Perl uses world-writable permissions ...) - libproc-daemon-perl 0.14-2 (low; bug #732283) [wheezy] - libproc-daemon-perl (Minor issue) [squeeze] - libproc-daemon-perl (does not have pid_file option) NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=91450 CVE-2013-7134 (Juvia uses the same secret key for all installations, which allows rem ...) NOT-FOR-US: Juvia CVE-2013-7133 RESERVED CVE-2013-7132 RESERVED CVE-2013-7131 RESERVED CVE-2013-7130 (The i_create_images_and_backing (aka create_images_and_backing) method ...) - nova 2013.2.2 (low; bug #736465) [wheezy] - nova (Minor issue) NOTE: https://bugs.launchpad.net/nova/+bug/1251590 CVE-2013-7129 (Cross-site scripting (XSS) vulnerability in ThemeBeans Blooog theme 1. ...) NOT-FOR-US: WordPress theme CVE-2013-7128 (Valve Bug Reporter in the valve-bugreporter package 2.10+bsos1 in Valv ...) NOT-FOR-US: SteamOS CVE-2013-7127 (Apple Safari 6.0.5 on Mac OS X 10.7.5 and 10.8.5 stores cleartext cred ...) NOT-FOR-US: Apple Safari CVE-2013-7126 REJECTED CVE-2013-7125 REJECTED CVE-2013-7124 REJECTED CVE-2013-7123 REJECTED CVE-2013-7122 REJECTED CVE-2013-7121 REJECTED CVE-2013-7120 REJECTED CVE-2013-7119 REJECTED CVE-2013-7118 REJECTED CVE-2013-7117 REJECTED CVE-2013-7116 REJECTED CVE-2013-7115 REJECTED CVE-2013-7109 (OpenStack Swift as of 2013-12-15 mishandles PYTHON_EGG_CACHE ...) - glance 2012.1~e4-1 NOTE: https://github.com/openstack/glance/commit/804396204e23ebb CVE-2013-7105 (Buffer overflow in the Interstage HTTP Server log functionality, as us ...) NOT-FOR-US: Fujitsu Interstage HTTP Server CVE-2013-7104 (McAfee Email Gateway 7.6 allows remote authenticated administrators to ...) NOT-FOR-US: McAfee Email Gateway CVE-2013-7103 (McAfee Email Gateway 7.6 allows remote authenticated administrators to ...) NOT-FOR-US: McAfee Email Gateway CVE-2013-7102 (Multiple unrestricted file upload vulnerabilities in (1) media-upload. ...) NOT-FOR-US: WordPress theme OptimizePress CVE-2013-7101 RESERVED CVE-2013-7100 (Buffer overflow in the unpacksms16 function in apps/app_sms.c in Aster ...) {DSA-2835-1} NOTE: http://downloads.asterisk.org/pub/security/AST-2013-006.html - asterisk 1:11.7.0~dfsg-1 (bug #732355) CVE-2013-7099 RESERVED CVE-2013-7098 (OpenConnect VPN client with GnuTLS before 5.02 contains a heap overflo ...) - openconnect 5.02-1 CVE-2013-7097 (Directory traversal vulnerability in 7 Media Web Solutions eduTrac bef ...) NOT-FOR-US: eduTrac CVE-2013-7096 (Multiple SQL injection vulnerabilities in SAP EMR Unwired allow remote ...) NOT-FOR-US: Sap EMR CVE-2013-7095 (The XML parser (crm_flex_data) in SAP Customer Relationship Management ...) NOT-FOR-US: Sap CRM CVE-2013-7094 (SQL injection vulnerability in the RSDDCVER_COUNT_TAB_COLS function in ...) NOT-FOR-US: SAP NetWeaver CVE-2013-7093 (SAP Network Interface Router (SAProuter) 39.3 SP4 allows remote attack ...) NOT-FOR-US: SAP Network Interface Router CVE-2013-7092 (Multiple SQL injection vulnerabilities in /admin/cgi-bin/rpc/doReport/ ...) NOT-FOR-US: McAfee Email Gateway CVE-2013-7091 (Directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,Aj ...) NOT-FOR-US: Zimbra CVE-2013-7090 RESERVED CVE-2013-7084 RESERVED CVE-2013-7114 (Multiple buffer overflows in the create_ntlmssp_v2_key function in epa ...) {DSA-2825-1} - wireshark 1.10.4-1 [squeeze] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2013-68.html CVE-2013-7113 (epan/dissectors/packet-bssgp.c in the BSSGP dissector in Wireshark 1.1 ...) {DSA-2825-1} - wireshark 1.10.4-1 [squeeze] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2013-67.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9488 CVE-2013-7112 (The dissect_sip_common function in epan/dissectors/packet-sip.c in the ...) {DLA-497-1} - wireshark 1.10.4-1 (unimportant) NOTE: https://www.wireshark.org/security/wnpa-sec-2013-66.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9388 NOTE: Not suitable for code injection CVE-2013-7111 (The put_call function in the API client (api/api_client.rb) in the Bas ...) NOT-FOR-US: Bio Basespace SDK Ruby Gem CVE-2013-7110 (Transifex command-line client before 0.10 does not validate X.509 cert ...) - transifex-client 0.10-1 [wheezy] - transifex-client (Incomplete patch was never released) NOTE: fix for CVE-2013-2073 was incorrect/incomplete NOTE: https://github.com/transifex/transifex-client/issues/42 NOTE: https://github.com/transifex/transifex-client/commit/6d69d61 CVE-2013-7108 (Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, a ...) {DSA-2956-1 DLA-1615-1 DLA-60-1} - icinga 1.10.2-1 (low) - nagios3 (low; bug #771466) [squeeze] - nagios3 (Minor issue) [wheezy] - nagios3 (Minor issue) NOTE: https://dev.icinga.org/issues/5251 NOTE: separate CVE requested for nagios, http://www.openwall.com/lists/oss-security/2013/12/23/4 NOTE: Fixed by https://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/ CVE-2013-7107 (Cross-site request forgery (CSRF) vulnerability in cmd.cgi in Icinga 1 ...) {DSA-2956-1} - icinga 1.10.2-1 (low) [squeeze] - icinga (Minor issue) - nagios3 (low) [jessie] - nagios3 (Minor issue) [squeeze] - nagios3 (Minor issue) [wheezy] - nagios3 (Minor issue) NOTE: https://dev.icinga.org/issues/5346 CVE-2013-7106 (Multiple stack-based buffer overflows in Icinga before 1.8.5, 1.9 befo ...) {DSA-2956-1} - icinga 1.10.2-1 [squeeze] - icinga (Vulnerable code not present) NOTE: https://dev.icinga.org/issues/5250 CVE-2013-7083 RESERVED CVE-2013-7068 (The Organic Groups (OG) module 7.x-2.x before 7.x-2.3 for Drupal allow ...) NOT-FOR-US: Drupal module CVE-2013-7067 (The OG Features module 6.x-1.x before 6.x-1.4 for Drupal does not prop ...) NOT-FOR-US: Drupal module CVE-2013-7066 (The Entity reference module 7.x-1.x before 7.x-1.1-rc1 for Drupal allo ...) NOT-FOR-US: Drupal module CVE-2013-7065 (The Organic Groups (OG) module 7.x-2.x before 7.x-2.3 for Drupal allow ...) NOT-FOR-US: Drupal module CVE-2013-7064 (Cross-site scripting (XSS) vulnerability in the EU Cookie Compliance m ...) NOT-FOR-US: Drupal module CVE-2013-7063 (The Invitation module 7.x-2.x for Drupal does not properly check permi ...) NOT-FOR-US: Drupal module CVE-2013-7059 RESERVED CVE-2013-7058 RESERVED CVE-2013-7057 (Cross-site request forgery (CSRF) vulnerability in Axway SecureTranspo ...) NOT-FOR-US: Axway SecureTransport CVE-2013-7056 RESERVED CVE-2013-7055 (D-Link DIR-100 4.03B07 has PPTP and poe information disclosure ...) NOT-FOR-US: Router D-Link DIR-100 CVE-2013-7054 (D-Link DIR-100 4.03B07: cli.cgi XSS ...) NOT-FOR-US: Router D-Link DIR-100 CVE-2013-7053 (D-Link DIR-100 4.03B07: cli.cgi CSRF ...) NOT-FOR-US: Router D-Link DIR-100 CVE-2013-7052 (D-Link DIR-100 4.03B07: security bypass via an error in the cliget.cgi ...) NOT-FOR-US: Router D-Link DIR-100 CVE-2013-7051 (D-Link DIR-100 4.03B07: cli.cgi security bypass due to failure to chec ...) NOT-FOR-US: Router D-Link DIR-100 CVE-2013-7047 RESERVED CVE-2013-7046 RESERVED CVE-2013-7045 RESERVED CVE-2013-7044 RESERVED CVE-2013-7043 (Multiple cross-site request forgery (CSRF) vulnerabilities on Cisco Sc ...) NOT-FOR-US: Cisco CVE-2013-7042 (SUSE Lifecycle Management Server (SLMS) before 1.3.7 uses world-readab ...) NOT-FOR-US: SUSE Lifecycle Management Server CVE-2013-7037 RESERVED CVE-2013-7036 RESERVED CVE-2013-7035 RESERVED CVE-2013-7034 (The setCookieValue function in _lib/functions.global.inc.php in LiveZi ...) NOT-FOR-US: LiveZilla CVE-2013-7033 (LiveZilla before 5.1.2.1 includes the operator password in plaintext i ...) NOT-FOR-US: LiveZilla CVE-2013-7032 (Multiple cross-site scripting (XSS) vulnerabilities in the web based o ...) NOT-FOR-US: LiveZilla CVE-2013-7031 RESERVED CVE-2013-7030 (** DISPUTED ** The TFTP service in Cisco Unified Communications Manage ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2013-7029 RESERVED CVE-2013-7028 RESERVED CVE-2013-7027 (The ieee80211_radiotap_iterator_init function in net/wireless/radiotap ...) - linux 3.11.7-1 (unimportant) [wheezy] - linux 3.2.53-1 - linux-2.6 (unimportant) NOTE: Non-issue: https://bugzilla.redhat.com/show_bug.cgi?id=1040010#c1 CVE-2013-7026 (Multiple race conditions in ipc/shm.c in the Linux kernel before 3.12. ...) - linux 3.12.5-1 [wheezy] - linux (Introduced in 8b8d52ac382b) - linux-2.6 (Introduced in 8b8d52ac382b) CVE-2013-7089 (ClamAV before 0.97.7: dbg_printhex possible information leak ...) - clamav 0.97.7+dfsg-1 NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=6804 CVE-2013-7088 (ClamAV before 0.97.7 has buffer overflow in the libclamav component ...) - clamav 0.97.7+dfsg-1 NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=6809 NOTE: https://github.com/vrtadmin/clamav-devel/commit/e8e3746266dd3f82054ca137b81b800e54de6ebd CVE-2013-7087 (ClamAV before 0.97.7 has WWPack corrupt heap memory ...) - clamav 0.97.7+dfsg-1 NOTE: https://github.com/vrtadmin/clamav-devel/commit/71990820d01c246e4e61408a3659dd9d92949b38 NOTE: from https://github.com/vrtadmin/clamav-devel/commits/master/libclamav/wwunpack.c CVE-2013-7086 (The message function in lib/webbynode/notify.rb in the Webbynode gem 1 ...) NOT-FOR-US: Ruby Gem Webbynode CVE-2013-7085 (Uscan in devscripts 2.13.5, when USCAN_EXCLUSION is enabled, allows re ...) - devscripts 2.13.9 (bug #732006) [wheezy] - devscripts (does not contain the vulnerable code; introduced in 2.13.5) [squeeze] - devscripts (does not contain the vulnerable code; introduced in 2.13.5) CVE-2013-7082 (Cross-site scripting (XSS) vulnerability in the errorAction method in ...) NOT-FOR-US: TYPO3 Flow NOTE: https://review.typo3.org/#/c/26176/ NOTE: CVE assigned for TYPO3 Flow, correspond to CVE-2013-7078 CVE-2013-7081 (The (old) Form Content Element component in TYPO3 4.5.0 through 4.5.31 ...) {DSA-2834-1} - typo3-src 4.5.32+dfsg1-1 (bug #731999) NOTE: https://review.typo3.org/#/c/26182/ CVE-2013-7080 (The creating record functionality in Extension table administration li ...) {DSA-2834-1} - typo3-src 4.5.32+dfsg1-1 (bug #731999) NOTE: https://review.typo3.org/#/c/26178/ CVE-2013-7079 (Open redirect vulnerability in the OpenID extension in TYPO3 4.5.0 thr ...) {DSA-2834-1} - typo3-src 4.5.32+dfsg1-1 (bug #731999) NOTE: https://review.typo3.org/#/c/26179/ CVE-2013-7078 (Cross-site scripting (XSS) vulnerability in the errorAction method in ...) {DSA-2834-1} - typo3-src 4.5.32+dfsg1-1 (bug #731999) NOTE: https://review.typo3.org/#/c/26176/ CVE-2013-7077 (Cross-site scripting (XSS) vulnerability in the Backend User Administr ...) - typo3-src (Affects versions 6.0.0 to 6.0.11, 6.1.0 to 6.1.6) CVE-2013-7076 (Cross-site scripting (XSS) vulnerability in Extension Manager in TYPO3 ...) {DSA-2834-1} - typo3-src 4.5.32+dfsg1-1 (bug #731999) NOTE: https://review.typo3.org/#/c/26181/ CVE-2013-7075 (The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4 ...) {DSA-2834-1} - typo3-src 4.5.32+dfsg1-1 (bug #731999) NOTE: https://review.typo3.org/#/c/26175/ CVE-2013-7074 (Multiple cross-site scripting (XSS) vulnerabilities in Content Editing ...) {DSA-2834-1} - typo3-src 4.5.32+dfsg1-1 (bug #731999) NOTE: https://review.typo3.org/#/c/26184/ NOTE: https://review.typo3.org/#/c/26183/ NOTE: https://review.typo3.org/#/c/26177/ CVE-2013-7073 (The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4 ...) {DSA-2834-1} - typo3-src 4.5.32+dfsg1-1 (bug #731999) NOTE: https://review.typo3.org/#/c/26180/ CVE-2013-7072 REJECTED CVE-2013-7071 (Cross-site scripting (XSS) vulnerability in the handle_request functio ...) NOT-FOR-US: Monitorix CVE-2013-7070 (The handle_request function in lib/HTTPServer.pm in Monitorix before 3 ...) NOT-FOR-US: Monitorix CVE-2013-7062 (Multiple cross-site scripting (XSS) vulnerabilities in Zope, as used i ...) - zope2.12 (low) [wheezy] - zope2.12 (Minor issue) - zope2.13 (Vulnerable code not present) CVE-2013-7061 (Products/CMFPlone/CatalogTool.py in Plone 3.3 through 4.3.2 allows rem ...) NOT-FOR-US: Plone CVE-2013-7060 (Products/CMFPlone/FactoryTool.py in Plone 3.3 through 4.3.2 allows rem ...) NOT-FOR-US: Plone CVE-2013-7049 (Stack-based buffer overflow in fish.cpp in the Fish plugin for ZNC, as ...) NOTE: vulnerable code not found in Debian NOTE: http://www.openwall.com/lists/oss-security/2013/12/11/14 NOT-FOR-US: FiSH Plugin for ZNC IRC Bouncer CVE-2013-7048 (OpenStack Compute (Nova) Grizzly 2013.1.4, Havana 2013.2.1, and earlie ...) - nova 2013.2.2 (bug #732022) [wheezy] - nova (Support for live snapshots added later) NOTE: https://bugs.launchpad.net/nova/+bug/1227027 CVE-2013-7050 (The get_main_source_dir function in scripts/uscan.pl in devscripts bef ...) - devscripts 2.13.8 (bug #731849) [wheezy] - devscripts (does not contain the vulnerable code; introduced in 2.13.5) [squeeze] - devscripts (does not contain the vulnerable code; introduced in 2.13.5) NOTE: http://anonscm.debian.org/gitweb/?p=collab-maint/devscripts.git;a=commitdiff;h=91f05b5 CVE-2013-7069 (ack 2.00 through 2.11_02 allows remote attackers to execute arbitrary ...) - ack-grep 2.12-1 (bug #731848) [wheezy] - ack-grep (don't support per-project .ackrc files) [squeeze] - ack-grep (don't support per-project .ackrc files) NOTE: https://github.com/petdance/ack2/issues/399 CVE-2013-7025 (Multiple cross-site scripting (XSS) vulnerabilities in ematStaticAlert ...) NOT-FOR-US: Dell SonicWALL Global Management System CVE-2013-7007 RESERVED CVE-2013-7006 RESERVED CVE-2013-7005 (D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware be ...) NOT-FOR-US: D-Link DSR-150 CVE-2013-7004 (D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware be ...) NOT-FOR-US: D-Link DSR-150 CVE-2013-7003 (Multiple cross-site scripting (XSS) vulnerabilities in LiveZilla befor ...) NOT-FOR-US: LiveZilla CVE-2012-6614 (D-Link DSR-250N devices before 1.08B31 allow remote authenticated user ...) NOT-FOR-US: D-Link CVE-2012-6613 (D-Link DSR-250N devices with firmware 1.05B73_WW allow Persistent Root ...) NOT-FOR-US: D-Link CVE-2014-0365 RESERVED CVE-2014-0364 (The ParseRoster component in the Ignite Realtime Smack XMPP API before ...) NOT-FOR-US: smack userspace tools, was once ITPed, but closed (637964) CVE-2014-0363 (The ServerTrustManager component in the Ignite Realtime Smack XMPP API ...) NOT-FOR-US: smack userspace tools, was once ITPed, but closed (637964) CVE-2014-0362 (Cross-site scripting (XSS) vulnerability on Google Search Appliance (G ...) NOT-FOR-US: Google Search Appliance CVE-2014-0361 (The default configuration of IBM 4690 OS, as used in Toshiba Global Co ...) NOT-FOR-US: IBM CVE-2014-0360 REJECTED CVE-2014-0359 (Xangati XSR before 11 and XNR before 7 allows remote attackers to exec ...) NOT-FOR-US: Xangati CVE-2014-0358 (Multiple directory traversal vulnerabilities in Xangati XSR before 11 ...) NOT-FOR-US: Xangati CVE-2014-0357 (Amtelco miSecureMessages allows remote attackers to read the messages ...) NOT-FOR-US: Amtelco miSecureMessages CVE-2014-0356 (The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ. ...) NOT-FOR-US: ZyXEL CVE-2014-0355 (Multiple stack-based buffer overflows on the ZyXEL Wireless N300 NetUS ...) NOT-FOR-US: ZyXEL CVE-2014-0354 (The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ. ...) NOT-FOR-US: ZyXEL CVE-2014-0353 (The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ. ...) NOT-FOR-US: ZyXEL CVE-2014-0352 REJECTED CVE-2014-0351 (The FortiManager protocol service in Fortinet FortiOS before 4.3.16 an ...) NOT-FOR-US: Fortinet FortiOS CVE-2014-0350 (The Poco::Net::X509Certificate::verify method in the NetSSL library in ...) {DLA-1239-1} - poco 1.3.6p1-5 (low; bug #746637) [squeeze] - poco (Minor issue) CVE-2014-0349 (Multiple unspecified vulnerabilities in J2k-Codec allow remote attacke ...) NOT-FOR-US: J2k-Codec CVE-2014-0348 (The Artiva Agency Single Sign-On (SSO) implementation in Artiva Workst ...) NOT-FOR-US: Artiva CVE-2014-0347 (The Settings module in Websense Triton Unified Security Center 7.7.3 b ...) NOT-FOR-US: Websense Triton Unified Security Center CVE-2014-0346 REJECTED CVE-2014-0345 RESERVED CVE-2014-0344 (Properties.do in ZOHO ManageEngine OpStor before build 8500 does not p ...) NOT-FOR-US: ZOHO ManageEngine OpStor CVE-2014-0343 (The web interface on Virtual Access GW6110A routers with software 9.00 ...) NOT-FOR-US: GW6110A routers CVE-2014-0342 (Multiple unrestricted file upload vulnerabilities in fileupload.php in ...) NOT-FOR-US: PivotX CVE-2014-0341 (Multiple cross-site scripting (XSS) vulnerabilities in PivotX before 2 ...) NOT-FOR-US: PivotX CVE-2014-0340 RESERVED CVE-2014-0339 (Cross-site scripting (XSS) vulnerability in view.cgi in Webmin before ...) - webmin CVE-2014-0338 (Multiple cross-site scripting (XSS) vulnerabilities in the firewall po ...) NOT-FOR-US: WatchGuard Fireware XTM CVE-2014-0337 (Cross-site scripting (XSS) vulnerability in the web interface on Huawe ...) NOT-FOR-US: Huawei Echo Life HG8247 CVE-2014-0336 (Cross-site request forgery (CSRF) vulnerability in the web client in S ...) NOT-FOR-US: Serena Dimensions CM CVE-2014-0335 (Multiple cross-site scripting (XSS) vulnerabilities in the web client ...) NOT-FOR-US: Serena Dimensions CM CVE-2014-0334 (Multiple cross-site scripting (XSS) vulnerabilities in CMS Made Simple ...) NOT-FOR-US: CMS Made Simple CVE-2014-0333 (The png_push_read_chunk function in pngpread.c in the progressive deco ...) - libpng (Only affects libpng 1.6.0 through 1.6.9) - libpng1.6 1.6.10-1 CVE-2014-0332 (Cross-site scripting (XSS) vulnerability in mainPage in Dell SonicWALL ...) NOT-FOR-US: Dell SonicWALL GMS CVE-2014-0331 (Cross-site scripting (XSS) vulnerability in the web administration int ...) NOT-FOR-US: Fortinet NGFW CVE-2014-0330 (Cross-site scripting (XSS) vulnerability in adminui/user_list.php on t ...) NOT-FOR-US: Dell KACE K1000 management appliance CVE-2014-0329 (The TELNET service on the ZTE ZXV10 W300 router 2.1.0 has a hardcoded ...) NOT-FOR-US: TELNET service on the ZTE ZXV10 W300 router CVE-2014-0328 (The thraneLINK protocol implementation on Cobham devices does not veri ...) NOT-FOR-US: Cobham CVE-2014-0327 (The Terminal Upgrade Tool in the Pilot Below Deck Equipment (BDE) and ...) NOT-FOR-US: Pilot Below Deck Equipment and OpenPort implementations on Iridium satellite terminals CVE-2014-0326 (The Pilot Below Deck Equipment (BDE) and OpenPort implementations on I ...) NOT-FOR-US: Pilot Below Deck Equipment and OpenPort implementations on Iridium satellite terminals CVE-2013-7041 (The pam_userdb module for Pam uses a case-insensitive method to compar ...) - pam 1.1.8-3.1 (low; bug #731368) [squeeze] - pam (Minor issue) [wheezy] - pam (Minor issue) CVE-2013-7040 (Python 2.7 before 3.4 only uses the last eight bits of the prefix to r ...) - python2.5 (unimportant) - python2.6 (unimportant) - python2.7 (unimportant) - python3.1 (unimportant) - python3.2 (unimportant) - python3.3 (unimportant) - python3.4 3.4.0-1 (unimportant) NOTE: upstream tagged this as wontfix for versions older than 3.4 CVE-2013-7039 (Stack-based buffer overflow in the MHD_digest_auth_check function in l ...) - libmicrohttpd 0.9.32-1 (low; bug #731933) [wheezy] - libmicrohttpd 0.9.20-1+deb7u1 [squeeze] - libmicrohttpd (Minor issue, only expoitable in corner cases) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1039390 CVE-2013-7038 (The MHD_http_unescape function in libmicrohttpd before 0.9.32 might al ...) - libmicrohttpd 0.9.32-1 (low; bug #731933) [squeeze] - libmicrohttpd (Minor issue) [wheezy] - libmicrohttpd (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1039384 CVE-2013-7024 (The jpeg2000_decode_tile function in libavcodec/jpeg2000dec.c in FFmpe ...) - ffmpeg (Vulnerable code not present) - libav (Vulnerable code not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/fe448cd28d674c3eff3072552eae366d0b659ce9 NOTE: https://trac.ffmpeg.org/ticket/2921 NOTE: Only present in libav trunk CVE-2013-7023 (The ff_combine_frame function in libavcodec/parser.c in FFmpeg before ...) - ffmpeg (max_alloc not present in old ffmpeg/libav) - libav (max_alloc not present in old ffmpeg/libav) NOTE: https://github.com/FFmpeg/FFmpeg/commit/f31011e9abfb2ae75bb32bc44e2c34194c8dc40a NOTE: https://trac.ffmpeg.org/ticket/2982 CVE-2013-7022 (The g2m_init_buffers function in libavcodec/g2meet.c in FFmpeg before ...) - ffmpeg (Vulnerable code not present) - libav (Vulnerable code not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/e07ac727c1cc9eed39e7f9117c97006f719864bd NOTE: https://trac.ffmpeg.org/ticket/2971 NOTE: Only present in libav trunk CVE-2013-7021 (The filter_frame function in libavfilter/vf_fps.c in FFmpeg before 2.1 ...) - ffmpeg (Vulnerable code not present) - libav (Vulnerable code not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/cdd5df8189ff1537f7abe8defe971f80602cc2d2 NOTE: https://trac.ffmpeg.org/ticket/2905 CVE-2013-7020 (The read_header function in libavcodec/ffv1dec.c in FFmpeg before 2.1 ...) {DSA-3027-1} - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:10.4-1 NOTE: https://github.com/FFmpeg/FFmpeg/commit/b05cd1ea7e45a836f7f6071a716c38bb30326e0f CVE-2013-7019 (The get_cox function in libavcodec/jpeg2000dec.c in FFmpeg before 2.1 ...) - ffmpeg (Vulnerable code not present) - libav (Vulnerable code not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/a1b9004b768bef606ee98d417bceb9392ceb788d NOTE: https://trac.ffmpeg.org/ticket/2898 NOTE: Only present in libav trunk CVE-2013-7018 (libavcodec/jpeg2000dec.c in FFmpeg before 2.1 does not ensure the use ...) - ffmpeg (Vulnerable code not present) - libav (Vulnerable code not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/9a271a9368eaabf99e6c2046103acb33957e63b7 NOTE: https://trac.ffmpeg.org/ticket/2895 NOTE: Only present in libav trunk CVE-2013-7017 (libavcodec/jpeg2000.c in FFmpeg before 2.1 allows remote attackers to ...) - ffmpeg (Vulnerable code not present) - libav (Vulnerable code not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/912ce9dd2080c5837285a471d750fa311e09b555 NOTE: Only present in libav trunk CVE-2013-7016 (The get_siz function in libavcodec/jpeg2000dec.c in FFmpeg before 2.1 ...) - ffmpeg (Vulnerable code not present) - libav (Vulnerable code not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/8bb11c3ca77b52e05a9ed1496a65f8a76e6e2d8f NOTE: https://trac.ffmpeg.org/ticket/2848 NOTE: Only present in libav trunk CVE-2013-7015 (The flashsv_decode_frame function in libavcodec/flashsv.c in FFmpeg be ...) {DSA-2855-1} - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:9.11-1 NOTE: ffmpeg fix: https://github.com/FFmpeg/FFmpeg/commit/880c73cd76109697447fbfbaa8e5ee5683309446 NOTE: libav fix: http://git.libav.org/?p=libav.git;a=commit;h=57070b1468edc6ac8cb3696c817f3c943975d4c1 NOTE: https://trac.ffmpeg.org/ticket/2844 CVE-2013-7014 (Integer signedness error in the add_bytes_l2_c function in libavcodec/ ...) {DSA-2855-1} - ffmpeg (Vulnerable code not present) - libav 6:9.11-1 NOTE: https://trac.ffmpeg.org/ticket/2919 NOTE: Fix in ffmpeg: https://github.com/FFmpeg/FFmpeg/commit/86736f59d6a527d8bc807d09b93f971c0fe0bb07 NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=d1916d13e28b87f4b1b214231149e12e1d536b4b CVE-2013-7013 (The g2m_init_buffers function in libavcodec/g2meet.c in FFmpeg before ...) - ffmpeg (Vulnerable code not present) - libav (Vulnerable code not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/821a5938d100458f4d09d634041b05c860554ce0 NOTE: https://trac.ffmpeg.org/ticket/2922 NOTE: Only present in libav trunk CVE-2013-7012 (The get_siz function in libavcodec/jpeg2000dec.c in FFmpeg before 2.1 ...) - ffmpeg (Vulnerable code not present) - libav (Vulnerable code not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/780669ef7c23c00836a24921fcc6b03be2b8ca4a NOTE: https://trac.ffmpeg.org/ticket/3080 NOTE: Only present in libav trunk CVE-2013-7011 (The read_header function in libavcodec/ffv1dec.c in FFmpeg before 2.1 ...) - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav (Reproducer fails on libav 0.8.9 and 9.11) NOTE: https://github.com/FFmpeg/FFmpeg/commit/547d690d676064069d44703a1917e0dab7e33445 NOTE: https://trac.ffmpeg.org/ticket/2906 CVE-2013-7010 (Multiple integer signedness errors in libavcodec/dsputil.c in FFmpeg b ...) {DSA-2855-1} - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:9.11-1 NOTE: ffmpeg fix: https://github.com/FFmpeg/FFmpeg/commit/454a11a1c9c686c78aa97954306fb63453299760 NOTE: libav fix: http://git.libav.org/?p=libav.git;a=commit;h=d1916d13e28b87f4b1b214231149e12e1d536b4b CVE-2013-7009 (The rpza_decode_stream function in libavcodec/rpza.c in FFmpeg before ...) - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav (Not reproducible with 0.8.9) NOTE: https://github.com/FFmpeg/FFmpeg/commit/3819db745da2ac7fb3faacb116788c32f4753f34 NOTE: https://trac.ffmpeg.org/ticket/2850 CVE-2013-7008 (The decode_slice_header function in libavcodec/h264.c in FFmpeg before ...) - ffmpeg (Vulnerable code not present) - libav (Crash not reproducable, libav code is different) NOTE: https://github.com/FFmpeg/FFmpeg/commit/29ffeef5e73b8f41ff3a3f2242d356759c66f91f NOTE: https://trac.ffmpeg.org/ticket/2927 CVE-2013-7002 (Cross-site scripting (XSS) vulnerability in mobile/php/translation/ind ...) NOT-FOR-US: LiveZilla CVE-2013-7001 (The Multimedia Messaging Centre (MMSC) in NowSMS Now SMS & MMS Gat ...) NOT-FOR-US: NowSMS CVE-2013-7000 (The Multimedia Messaging Centre (MMSC) in NowSMS Now SMS & MMS Gat ...) NOT-FOR-US: NowSMS CVE-2013-6999 (** DISPUTED ** The IsHandleEntrySecure function in win32k.sys in the k ...) NOT-FOR-US: Microsoft Windows Server 2008 SP2 CVE-2013-6998 REJECTED CVE-2013-6997 (Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange (O ...) NOT-FOR-US: Open-Xchange CVE-2013-6996 RESERVED CVE-2013-6995 REJECTED CVE-2013-6994 (OpenText Exceed OnDemand (EoD) 8 transmits the session ID in cleartext ...) NOT-FOR-US: OpenText Exceed OnDemand CVE-2013-6993 (Cross-site scripting (XSS) vulnerability in the Ad-minister plugin 0.6 ...) NOT-FOR-US: WordPress plugin Ad-minister CVE-2013-6992 (Cross-site request forgery (CSRF) vulnerability in askapache-firefox-a ...) NOT-FOR-US: WordPress plugin AskApache Firefox Adsense CVE-2013-6991 (Cross-site scripting (XSS) vulnerability in the WP-Cron Dashboard plug ...) NOT-FOR-US: WordPress plugin WP-Cron Dashboard CVE-2013-6990 (FortiGuard FortiAuthenticator before 3.0 allows remote administrators ...) NOT-FOR-US: FortiGuard FortiAuthenticator CVE-2013-6989 RESERVED CVE-2013-6988 RESERVED CVE-2013-6987 (Multiple directory traversal vulnerabilities in the FileBrowser compon ...) NOT-FOR-US: Synology DiskStation Manager CVE-2013-6986 (The ZippyYum Subway CA Kiosk app 3.4 for iOS uses cleartext storage in ...) NOT-FOR-US: ZippyYum CVE-2013-6984 RESERVED CVE-2013-6983 (SQL injection vulnerability in the web interface in Cisco Unified Pres ...) NOT-FOR-US: Cisco Unified Presence Server CVE-2013-6982 (The BGP implementation in Cisco NX-OS 6.2(2a) and earlier does not pro ...) NOT-FOR-US: Cisco NX-OS CVE-2013-6981 (Cisco IOS XE 3.7S(.1) and earlier allows remote attackers to cause a d ...) NOT-FOR-US: Cisco IOS XE CVE-2013-6980 RESERVED CVE-2013-6979 (The VTY authentication implementation in Cisco IOS XE 03.02.xxSE and 0 ...) NOT-FOR-US: Cisco IOS XE CVE-2013-6978 (The disaster recovery system (DRS) component in Cisco Unified Communic ...) NOT-FOR-US: Cisco CVE-2013-6977 RESERVED CVE-2013-6976 (Cross-site request forgery (CSRF) vulnerability in goform/Quick_setup ...) NOT-FOR-US: Cisco CVE-2013-6975 (Directory traversal vulnerability in the command-line interface in Cis ...) NOT-FOR-US: Cisco NX-OS CVE-2013-6974 (Cross-site scripting (XSS) vulnerability in the web interface in Cisco ...) NOT-FOR-US: Cisco Secure Access Control System CVE-2013-6973 (Cisco WebEx Training Center allows remote attackers to discover regist ...) NOT-FOR-US: Cisco CVE-2013-6972 (Cisco WebEx Training Center allows remote attackers to discover sessio ...) NOT-FOR-US: Cisco CVE-2013-6971 (Open redirect vulnerability in Cisco WebEx Training Center allows remo ...) NOT-FOR-US: Cisco CVE-2013-6970 (Cisco WebEx Meeting Center allows remote attackers to obtain sensitive ...) NOT-FOR-US: Cisco CVE-2013-6969 (The training-registration page in Cisco WebEx Training Center allows r ...) NOT-FOR-US: Cisco CVE-2013-6968 (Cisco WebEx Training Center provides different error messages for regi ...) NOT-FOR-US: Cisco CVE-2013-6967 (Open redirect vulnerability in the mobile-browser subsystem in Cisco W ...) NOT-FOR-US: Cisco CVE-2013-6966 (Open redirect vulnerability in Cisco WebEx Training Center allows remo ...) NOT-FOR-US: Cisco CVE-2013-6965 (The registration component in Cisco WebEx Training Center provides the ...) NOT-FOR-US: Cisco CVE-2013-6964 (Cisco WebEx Meeting Center allows remote authenticated users to bypass ...) NOT-FOR-US: Cisco CVE-2013-6963 (Cross-site scripting (XSS) vulnerability in the registration component ...) NOT-FOR-US: Cisco CVE-2013-6962 (Cross-site scripting (XSS) vulnerability in the mobile-browser subsyst ...) NOT-FOR-US: Cisco CVE-2013-6961 (Cross-site scripting (XSS) vulnerability in the Collaboration Partner ...) NOT-FOR-US: Cisco CVE-2013-6960 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco WebEx Mee ...) NOT-FOR-US: Cisco CVE-2013-6959 (Open redirect vulnerability in Cisco WebEx Sales Center allows remote ...) NOT-FOR-US: Cisco CVE-2013-6958 (Juniper NetScreen Firewall running ScreenOS 5.4, 6.2, or 6.3, when the ...) NOT-FOR-US: Juniper NetScreen Firewall CVE-2013-6957 (Cross-site scripting (XSS) vulnerability in the web administrative com ...) NOT-FOR-US: Juniper CVE-2013-6956 (Cross-site scripting (XSS) vulnerability in the Secure Access Service ...) NOT-FOR-US: Juniper Junos Pulse Secure Access Service CVE-2013-6955 (webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 bef ...) NOT-FOR-US: Synology DiskStation Manager CVE-2013-6954 (The png_do_expand_palette function in libpng before 1.6.8 allows remot ...) {DSA-2923-1} - libpng (Vulnerable code introduced in 1.6.1) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1045561 NOTE: http://sourceforge.net/mailarchive/message.php?msg_id=31751422 CVE-2013-6953 (BlogEngine.NET 2.8.0.0 and earlier allows remote attackers to read use ...) NOT-FOR-US: BlogEngine.NET CVE-2013-6952 (The Belkin WeMo Home Automation firmware before 3949 has a hardcoded G ...) NOT-FOR-US: Belkin WeMo CVE-2013-6951 (The Belkin WeMo Home Automation firmware before 3949 does not maintain ...) NOT-FOR-US: Belkin WeMo CVE-2013-6950 (The Belkin WeMo Home Automation firmware before 3949 does not use SSL ...) NOT-FOR-US: Belkin WeMo CVE-2013-6949 (The Belkin WeMo Home Automation firmware before 3949 does not properly ...) NOT-FOR-US: Belkin WeMo CVE-2013-6948 (The peerAddresses API in the Belkin WeMo Home Automation firmware befo ...) NOT-FOR-US: Belkin WeMo CVE-2013-6947 RESERVED CVE-2013-6946 RESERVED CVE-2013-6945 (The M2M Broker in OSEHRA VistA, as distributed before September 30, 20 ...) - vista (bug #541242) CVE-2013-6944 (Cross-site scripting (XSS) vulnerability in the user interface in the ...) NOT-FOR-US: Citrix NetScaler Application Delivery Controller CVE-2013-6943 (Citrix NetScaler Application Delivery Controller (ADC) 9.3.x before 9. ...) NOT-FOR-US: Citrix NetScaler Application Delivery Controller CVE-2013-6942 (Cross-site request forgery (CSRF) vulnerability in Citrix NetScaler Ap ...) NOT-FOR-US: Citrix NetScaler Application Delivery Controller CVE-2013-6941 (Unspecified vulnerability in Citrix NetScaler Application Delivery Con ...) NOT-FOR-US: Citrix NetScaler Application Delivery Controller CVE-2013-6940 (Citrix NetScaler Application Delivery Controller (ADC) 9.3.x before 9. ...) NOT-FOR-US: Citrix NetScaler Application Delivery Controller CVE-2013-6939 (Unspecified vulnerability in Citrix NetScaler Application Delivery Con ...) NOT-FOR-US: Citrix NetScaler Application Delivery Controller CVE-2013-6938 (Unspecified vulnerability in the Service VM in Citrix NetScaler SDX 9. ...) NOT-FOR-US: Citrix NetScaler SDX CVE-2013-6937 (Buffer overflow in VideoCharge Software Watermark Master 2.2.23 allows ...) NOT-FOR-US: VideoCharge CVE-2013-6936 (Multiple SQL injection vulnerabilities in ajaxfs.php in the Ajax forum ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2013-6935 (Buffer overflow in VideoCharge Software Watermark Master 2.2.23 allows ...) NOT-FOR-US: VideoCharge CVE-2013-6934 (The parseRTSPRequestString function in Live Networks Live555 Streaming ...) - liblivemedia (incomplete patch never applied) - vlc (never built against liblivemedia with incomplete patch) - mplayer (never built against liblivemedia with incomplete patch) - mplayer2 (b-d's on liblivemedia but doesn't actually build the support for it) CVE-2013-6933 (The parseRTSPRequestString function in Live Networks Live555 Streaming ...) {DSA-3156-1} - liblivemedia 2014.01.13-1 [squeeze] - liblivemedia (vuln. code introduced in 2011.08.13) - vlc 2.1.4-1 [wheezy] - vlc 2.0.3-5+deb7u2 [squeeze] - vlc (not built against vuln. liblivemedia) - mplayer 2:1.1.1+svn37434-1 (low) [squeeze] - mplayer (Minor issue) - mplayer2 (b-d's on liblivemedia but doesn't actually build the support for it) NOTE: vlc fixed by binNMU 2.1.2-2+b1, but since binNMUs are not visible to the security tracker, the subsequent sid upload is tracked NOTE: for wheezy the version present at release of DSA 3156 is used (2.0.3-5+deb7u2), although strictly speaking it's 2.0.3-5+deb7u2+b1 CVE-2013-6932 (Buffer overflow in IrfanView before 4.37, when a multibyte-character d ...) NOT-FOR-US: IrfanView CVE-2013-6931 (SQL injection vulnerability in the API in Cybozu Garoon 3.7.x before 3 ...) NOT-FOR-US: Cybozu Garoon CVE-2013-6930 (SQL injection vulnerability in the page-navigation implementation in C ...) NOT-FOR-US: Cybozu Garoon CVE-2013-6929 (SQL injection vulnerability in Cybozu Garoon 3.7 SP2 and earlier allow ...) NOT-FOR-US: Cybozu Garoon CVE-2013-6928 RESERVED CVE-2013-6927 (Internet TRiLOGI Server (unknown versions) could allow a local user to ...) NOT-FOR-US: Internet TRiLOGI Server CVE-2013-6926 (The integrated HTTPS server in Siemens RuggedCom ROS before 3.12.2 all ...) NOT-FOR-US: Siemens CVE-2013-6925 (The integrated HTTPS server in Siemens RuggedCom ROS before 3.12.2 all ...) NOT-FOR-US: Siemens CVE-2013-6924 (Seagate BlackArmor NAS devices with firmware sg2000-2000.1331 allow re ...) NOT-FOR-US: Seagate BlackArmor NAS devices CVE-2013-6923 (Multiple cross-site scripting (XSS) vulnerabilities in Seagate BlackAr ...) NOT-FOR-US: Seagate BlackArmor NAS 220 devices CVE-2013-6922 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Seag ...) NOT-FOR-US: Seagate BlackArmor NAS 220 CVE-2013-6921 RESERVED CVE-2012-6612 (The (1) UpdateRequestHandler for XSLT or (2) XPathEntityProcessor in A ...) {DSA-2963-1} - lucene-solr 3.6.2+dfsg-2 (bug #731113) CVE-2014-0325 (Use-after-free vulnerability in Microsoft Internet Explorer 9 allows r ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0324 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0323 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft CVE-2014-0322 (Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 a ...) NOT-FOR-US: Microsoft Internet Explorer 10 CVE-2014-0321 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0320 REJECTED CVE-2014-0319 (Microsoft Silverlight 5 before 5.1.30214.0 and Silverlight 5 Developer ...) NOT-FOR-US: Microsoft CVE-2014-0318 (win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 ...) NOT-FOR-US: Microsoft CVE-2014-0317 (The Security Account Manager Remote (SAMR) protocol implementation in ...) NOT-FOR-US: Microsoft CVE-2014-0316 (Memory leak in the Local RPC (LRPC) server implementation in Microsoft ...) NOT-FOR-US: Microsoft CVE-2014-0315 (Untrusted search path vulnerability in Microsoft Windows XP SP2 and SP ...) NOT-FOR-US: Microsoft CVE-2014-0314 (Microsoft Internet Explorer 9 and 10 allows remote attackers to execut ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0313 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0312 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0311 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0310 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0309 (Microsoft Internet Explorer 8 through 10 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0308 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0307 (Use-after-free vulnerability in Microsoft Internet Explorer 9 allows r ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0306 (Microsoft Internet Explorer 8 and 9 allows remote attackers to execute ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0305 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0304 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0303 (Microsoft Internet Explorer 6 through 8 allows remote attackers to exe ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0302 (Microsoft Internet Explorer 6 through 8 allows remote attackers to exe ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0301 (Double free vulnerability in qedit.dll in DirectShow in Microsoft Wind ...) NOT-FOR-US: Microsoft CVE-2014-0300 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft CVE-2014-0299 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0298 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0297 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0296 (The Remote Desktop Protocol (RDP) implementation in Microsoft Windows ...) NOT-FOR-US: Microsoft Windows CVE-2014-0295 (VsaVb7rt.dll in Microsoft .NET Framework 2.0 SP2 and 3.5.1 does not im ...) NOT-FOR-US: Microsoft .NET Framework CVE-2014-0294 (Microsoft Forefront Protection 2010 for Exchange Server does not prope ...) NOT-FOR-US: Microsoft Forefront Protection CVE-2014-0293 (Microsoft Internet Explorer 9 through 11 allows remote attackers to re ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0292 REJECTED CVE-2014-0291 REJECTED CVE-2014-0290 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0289 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0288 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0287 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0286 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0285 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0284 (Microsoft Internet Explorer 9 and 10 allows remote attackers to execut ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0283 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0282 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0281 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0280 (Microsoft Internet Explorer 6 through 8 allows remote attackers to exe ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0279 (Microsoft Internet Explorer 8 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0278 (Microsoft Internet Explorer 8 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0277 (Microsoft Internet Explorer 8 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0276 (Microsoft Internet Explorer 8 and 9 allows remote attackers to execute ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0275 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0274 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0273 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0272 (Microsoft Internet Explorer 8 through 10 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0271 (The VBScript engine in Microsoft Internet Explorer 6 through 11, and V ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0270 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0269 (Microsoft Internet Explorer 6 through 10 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0268 (Microsoft Internet Explorer 8 through 11 does not properly restrict fi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0267 (Microsoft Internet Explorer 11 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-0266 (The XMLHTTP ActiveX controls in XML Core Services 3.0 in Microsoft Win ...) NOT-FOR-US: Microsoft CVE-2014-0265 REJECTED CVE-2014-0264 REJECTED CVE-2014-0263 (The Direct2D implementation in Microsoft Windows 7 SP1, Windows Server ...) NOT-FOR-US: Microsoft Windows CVE-2014-0262 (win32k.sys in the kernel-mode drivers in Microsoft Windows 7 SP1 and S ...) NOT-FOR-US: Microsoft Windows CVE-2014-0261 (Microsoft Dynamics AX 4.0 SP2, 2009 SP1, 2012, and 2012 R2 allows remo ...) NOT-FOR-US: Microsoft Dynamics CVE-2014-0260 (Microsoft Word 2003 SP3, 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT ...) NOT-FOR-US: Microsoft Office CVE-2014-0259 (Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote ...) NOT-FOR-US: Microsoft Office CVE-2014-0258 (Microsoft Word 2003 SP3 and 2007 SP3, Office Compatibility Pack SP3, a ...) NOT-FOR-US: Microsoft Office CVE-2014-0257 (Microsoft .NET Framework 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5 ...) NOT-FOR-US: Microsoft .NET Framework CVE-2014-0256 (Microsoft Windows Server 2008 SP2 and R2 SP1 and Server 2012 Gold allo ...) NOT-FOR-US: Microsoft Windows Server CVE-2014-0255 (Microsoft Windows Server 2008 SP2 and R2 SP1 and Server 2012 Gold and ...) NOT-FOR-US: Microsoft Windows Server CVE-2014-0254 (The IPv6 implementation in Microsoft Windows 8, Windows Server 2012, a ...) NOT-FOR-US: Microsoft CVE-2014-0253 (Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5 ...) NOT-FOR-US: Microsoft .NET Framework CVE-2014-0252 REJECTED CVE-2014-0251 (Microsoft Windows SharePoint Services 3.0 SP3; SharePoint Server 2007 ...) NOT-FOR-US: Microsoft SharePoint CVE-2014-0250 (Multiple integer overflows in client/X11/xf_graphics.c in FreeRDP allo ...) - freerdp 1.1.0~git20140809.1.b07a5c1+dfsg-1 (unimportant; bug #749585) NOTE: A malicious RDP server has many more ways to mess with an RDP client CVE-2014-0249 (The System Security Services Daemon (SSSD) 1.11.6 does not properly id ...) - sssd 1.11.7-1 (low; bug #749569) [jessie] - sssd (Minor issue) [squeeze] - sssd (Minor issue) [wheezy] - sssd (Minor issue) CVE-2014-0248 (org.jboss.seam.web.AuthenticationFilter in Red Hat JBoss Web Framework ...) NOT-FOR-US: JBoss Seam CVE-2014-0247 (LibreOffice 4.2.4 executes unspecified VBA macros automatically, which ...) - libreoffice 1:4.2.5-1 [wheezy] - libreoffice (vulnerable code not present) CVE-2014-0246 (SOSreport stores the md5 hash of the GRUB bootloader password in an ar ...) - sosreport (unimportant; bug #749568) NOTE: Non-issue, see https://bugzilla.redhat.com/show_bug.cgi?id=1101393#c5 CVE-2014-0245 (It was found that the implementation of the GTNSubjectCreatingIntercep ...) NOT-FOR-US: GateIn CVE-2014-0244 (The sys_recvfrom function in nmbd in Samba 3.6.x before 3.6.24, 4.0.x ...) {DSA-2966-1} - samba 2:4.1.9+dfsg-1 [squeeze] - samba (Only affects 3.6 and later) - samba4 4.0.0~beta2+dfsg1-3.2+deb7u2 NOTE: AD-related packages removed from src:samba4 in 4.0.0~beta2+dfsg1-3.2+deb7u2 NOTE: https://www.samba.org/samba/security/CVE-2014-0244 CVE-2014-0243 (Check_MK through 1.2.5i2p1 allows local users to read arbitrary files ...) - check-mk (Vulnerable code not present) NOTE: https://www.lsexperts.de/advisories/lse-2014-05-21.txt CVE-2014-0242 (mod_wsgi module before 3.4 for Apache, when used in embedded mode, mig ...) {DSA-2937-1} - mod-wsgi 3.4-3 NOTE: https://github.com/GrahamDumpleton/mod_wsgi/commit/b0a149c1f5e569932325972e2e20176a42e43517 CVE-2014-0241 (rubygem-hammer_cli_foreman: File /etc/hammer/cli.modules.d/foreman.yml ...) NOT-FOR-US: hammer_cli_foreman ruby gem CVE-2014-0240 (The mod_wsgi module before 3.5 for Apache, when daemon mode is enabled ...) {DSA-2937-1} - mod-wsgi 3.5-1 (bug #748910) NOTE: https://github.com/GrahamDumpleton/mod_wsgi/commit/d9d5fea585b23991f76532a9b07de7fcd3b649f4 NOTE: only when running with linux >= 2.6.0 and < 3.1.0 CVE-2014-0239 (The internal DNS server in Samba 4.x before 4.0.18 does not check the ...) - samba 2:4.1.8+dfsg-1 (bug #749845) - samba4 4.0.0~beta2+dfsg1-3.2+deb7u2 [squeeze] - samba (AD feature not present) [wheezy] - samba (AD feature not present) NOTE: AD-related packages removed from src:samba4 in 4.0.0~beta2+dfsg1-3.2+deb7u2 CVE-2014-0238 (The cdf_read_property_info function in cdf.c in the Fileinfo component ...) {DSA-3021-1 DSA-2943-1 DLA-145-1 DLA-27-1} - file 1:5.19-1 [squeeze] - file 5.04-5+squeeze6 NOTE: https://github.com/file/file/commit/f97486ef5dc3e8735440edc4fc8808c63e1a3ef0 - php5 5.6.0~beta4+dfsg-1 (low) NOTE: https://bugs.php.net/bug.php?id=67327 CVE-2014-0237 (The cdf_unpack_summary_info function in cdf.c in the Fileinfo componen ...) {DSA-3021-1 DSA-2943-1 DLA-145-1 DLA-27-1} - file 1:5.19-1 [squeeze] - file 5.04-5+squeeze6 NOTE: https://github.com/file/file/commit/b8acc83781d5a24cc5101e525d15efe0482c280d - php5 5.6.0~beta4+dfsg-1 (low) NOTE: https://bugs.php.net/bug.php?id=67328 CVE-2014-0236 (file before 5.18, as used in the Fileinfo component in PHP before 5.6. ...) - file 1:5.19-1 [wheezy] - file (Introduced in 5.18) [squeeze] - file (Introduced in 5.18) - php5 5.6.0~beta4+dfsg-1 [wheezy] - php5 (Vulnerable code not present) [squeeze] - php5 (Vulnerable code not present) NOTE: https://bugs.php.net/bug.php?id=67329 CVE-2014-0235 REJECTED CVE-2014-0234 (The default configuration of broker.conf in Red Hat OpenShift Enterpri ...) NOT-FOR-US: OpenShift CVE-2014-0233 (Red Hat OpenShift Enterprise 2.0 and 2.1 and OpenShift Origin allow re ...) NOT-FOR-US: OpenShift CVE-2014-0232 (Multiple cross-site scripting (XSS) vulnerabilities in framework/commo ...) NOT-FOR-US: Apache OFBiz CVE-2014-0231 (The mod_cgid module in the Apache HTTP Server before 2.4.10 does not h ...) {DSA-2989-1 DLA-66-1} - apache2 2.4.10-1 CVE-2014-0230 (Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0 ...) {DSA-3530-1 DLA-232-1} - tomcat6 6.0.41-3 (bug #785316) - tomcat7 7.0.55-1 [wheezy] - tomcat7 7.0.28-4+deb7u3 - tomcat8 8.0.9-1 NOTE: tomcat6 in jessie only builds the servlet API classes NOTE: https://svn.apache.org/viewvc?view=revision&revision=1603781 (7.x) NOTE: https://svn.apache.org/viewvc?view=revision&revision=1659537 (6.x) CVE-2014-0229 (Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in C ...) NOT-FOR-US: Hadoop as packaged by Cloudera CVE-2014-0228 (Apache Hive before 0.13.1, when in SQL standards based authorization m ...) NOT-FOR-US: Apache Hive CVE-2014-0227 (java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apach ...) {DSA-3530-1 DLA-232-1} - tomcat6 6.0.41-3 (bug #785312) NOTE: Fixed in https://svn.apache.org/viewvc?view=revision&revision=1603628 (6.x) NOTE: Marked as fixed in 6.0.41-3 which only builds the libservlet2.5-java and libservlet2.5-java-doc packages - tomcat7 7.0.55-1 [wheezy] - tomcat7 7.0.28-4+deb7u3 NOTE: Fixed in https://svn.apache.org/viewvc?view=revision&revision=1601333 (7.x) - tomcat8 8.0.9-1 NOTE: Fixed in https://svn.apache.org/viewvc?view=revision&revision=1600984 (8.x) NOTE: Fixed in https://svn.apache.org/viewvc?view=revision&revision=1601332 (8.x) CVE-2014-0226 (Race condition in the mod_status module in the Apache HTTP Server befo ...) {DSA-2989-1 DLA-66-1} - apache2 2.4.10-1 CVE-2014-0225 (When processing user provided XML documents, the Spring Framework 4.0. ...) - libspring-java 3.0.6.RELEASE-14 (low; bug #753470) [squeeze] - libspring-java (Minor issue) [wheezy] - libspring-java (Minor issue) CVE-2014-0224 (OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h d ...) {DSA-2950-1 DLA-0008-1 DLA-0003-1} - openssl 1.0.1h-1 (bug #750665) [squeeze] - openssl 0.9.8o-4squeeze15 CVE-2014-0223 (Integer overflow in the qcow_open function in block/qcow.c in QEMU bef ...) {DSA-3045-1 DSA-3044-1} - qemu 2.0.0+dfsg-6 (bug #742730) [squeeze] - qemu (Unsupported in squeeze-lts) - qemu-kvm [squeeze] - qemu-kvm (Unsupported in squeeze-lts) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2014-05/msg02156.html CVE-2014-0222 (Integer overflow in the qcow_open function in block/qcow.c in QEMU bef ...) {DSA-3045-1 DSA-3044-1} - qemu 2.0.0+dfsg-6 (bug #742730) [squeeze] - qemu (Unsupported in squeeze-lts) - qemu-kvm [squeeze] - qemu-kvm (Unsupported in squeeze-lts) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2014-05/msg02155.html CVE-2014-0221 (The dtls1_get_message_fragment function in d1_both.c in OpenSSL before ...) {DSA-2950-1 DLA-0003-1} - openssl 1.0.1h-1 (bug #750665) [squeeze] - openssl 0.9.8o-4squeeze15 CVE-2014-0220 (Cloudera Manager before 4.8.3 and 5.x before 5.0.1 allows remote authe ...) NOT-FOR-US: Cloudera Manager CVE-2014-0219 (Apache Karaf before 4.0.10 enables a shutdown port on the loopback int ...) - apache-karaf (bug #881297) CVE-2014-0218 (Cross-site scripting (XSS) vulnerability in the URL downloader reposit ...) - moodle 2.6.3-1 [squeeze] - moodle (Vulnerable code not present) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45332 CVE-2014-0217 (enrol/index.php in Moodle 2.6.x before 2.6.3 does not check for the mo ...) - moodle 2.6.3-1 [squeeze] - moodle (Vulnerable code not present) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45126 CVE-2014-0216 (The My Home implementation in the block_html_pluginfile function in bl ...) - moodle 2.6.3-1 [squeeze] - moodle (Minor issue) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43877 CVE-2014-0215 (The blind-marking implementation in Moodle through 2.3.11, 2.4.x befor ...) - moodle 2.6.3-1 [squeeze] - moodle (Minor issue) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44750 CVE-2014-0214 (login/token.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x b ...) - moodle 2.6.3-1 [squeeze] - moodle (Vulnerable code not present) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43119 CVE-2014-0213 (Multiple cross-site request forgery (CSRF) vulnerabilities in mod/assi ...) - moodle 2.6.3-1 [squeeze] - moodle (Vulnerable code not present) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44606 CVE-2014-0212 (qpid-cpp: ACL policies only loaded if the acl-file option specified en ...) - qpid-cpp (low; bug #772794) [wheezy] - qpid-cpp (Minor issue) NOTE: Upstream issue: https://issues.apache.org/jira/browse/QPID-4938 NOTE: Commit which does no longer build acl support only as plugin: https://svn.apache.org/viewvc?view=revision&revision=r1494697 CVE-2014-0211 (Multiple integer overflows in the (1) fs_get_reply, (2) fs_alloc_glyph ...) {DSA-2927-1} - libxfont 1:1.4.7-2 (unimportant) NOTE: unimportant, as source affected but libxfont has disabled support to connect to font server since 1:1.4.7-1 CVE-2014-0210 (Multiple buffer overflows in X.Org libXfont before 1.4.8 and 1.4.9x be ...) {DSA-2927-1} - libxfont 1:1.4.7-2 (unimportant) NOTE: unimportant, as source affected but libxfont has disabled support to connect to font server since 1:1.4.7-1 CVE-2014-0209 (Multiple integer overflows in the (1) FontFileAddEntry and (2) lexAlia ...) {DSA-2927-1} - libxfont 1:1.4.7-2 CVE-2014-0208 (Cross-site scripting (XSS) vulnerability in the search auto-completion ...) - foreman (bug #663101) CVE-2014-0207 (The cdf_read_short_sector function in cdf.c in file before 5.19, as us ...) {DSA-3021-1 DSA-2974-1 DLA-27-1 DLA-0018-1} - file 1:5.19-1 [squeeze] - file 5.04-5+squeeze6 NOTE: fixed as part of https://github.com/file/file/commit/6d209c1c489457397a5763bca4b28e43aac90391#diff-0 - php5 5.6.0~beta4+dfsg-1 [squeeze] - php5 5.3.3-7+squeeze21 NOTE: https://bugs.php.net/bug.php?id=67326 CVE-2014-0206 (Array index error in the aio_read_events_ring function in fs/aio.c in ...) - linux 3.14.10-1 [wheezy] - linux (introduced by a31ad380bed817aa25f8830ad23e1a0480fef797) - linux-2.6 (introduced by a31ad380bed817aa25f8830ad23e1a0480fef797) NOTE: Introduced by: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a31ad380bed817aa25f8830ad23e1a0480fef797 (v3.10) NOTE: Upstream patches: https://lkml.org/lkml/2014/6/24/619 https://lkml.org/lkml/2014/6/24/623 CVE-2014-0205 (The futex_wait function in kernel/futex.c in the Linux kernel before 2 ...) - linux 2.6.37 - linux-2.6 2.6.37-1 [squeeze] - linux-2.6 2.6.32-28 NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7ada876a8703f23befbb20a7465a702ee39b1704 (v2.6.37) NOTE: https://lkml.org/lkml/2010/9/16/99 NOTE: Introduced in f801073f87aa2 (around 2.6.31) according to SuSE Bugzilla CVE-2014-0204 (OpenStack Identity (Keystone) before 2014.1.1 does not properly handle ...) - keystone 2014.1-5 (bug #749026) [wheezy] - keystone CVE-2014-0203 (The __do_follow_link function in fs/namei.c in the Linux kernel before ...) {DLA-0015-1} - linux 2.6.33-1 - linux-2.6 2.6.37-1 [squeeze] - linux-2.6 2.6.32-48squeeze8 NOTE: upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=86acdca1b63e6890540fa19495cfc708beff3d8b (v2.6.33) CVE-2014-0202 (The setup script in ovirt-engine-dwh, as used in the Red Hat Enterpris ...) NOT-FOR-US: ovirt / RHEV CVE-2014-0201 (ovirt-engine-reports, as used in the Red Hat Enterprise Virtualization ...) NOT-FOR-US: ovirt / RHEV CVE-2014-0200 (The Red Hat Enterprise Virtualization Manager reports (rhevm-reports) ...) NOT-FOR-US: ovirt / RHEV CVE-2014-0199 (The setup script in ovirt-engine-reports, as used in the Red Hat Enter ...) NOT-FOR-US: ovirt / RHEV CVE-2014-0198 (The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g, ...) {DSA-2931-1} - openssl 1.0.1g-4 (bug #747432) [squeeze] - openssl (vulnerable code not present) NOTE: http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=3321 CVE-2014-0197 (CFME: CSRF protection vulnerability via permissive check of the referr ...) NOT-FOR-US: CloudForms Management Engine CVE-2014-0196 (The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel th ...) {DSA-2928-1 DSA-2926-1} - linux 3.14.4-1 (bug #747166) - linux-2.6 NOTE: PoC: http://pastebin.com/yTSFUBgZ CVE-2014-0195 (The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before ...) {DSA-2950-1 DLA-0003-1} - openssl 1.0.1h-1 (bug #750665) [squeeze] - openssl 0.9.8o-4squeeze15 CVE-2014-0194 REJECTED CVE-2014-0193 (WebSocket08FrameDecoder in Netty 3.6.x before 3.6.9, 3.7.x before 3.7. ...) {DLA-2110-1} - netty (WebSocket08FrameDecoder function not present; bug #746639) - netty-3.9 3.9.9.Final-1 NOTE: https://github.com/netty/netty/commit/48edb7802b42b0e2eb5a55d8eca390e0c9066783 CVE-2014-0192 (Foreman 1.4.0 before 1.5.0 does not properly restrict access to provis ...) - foreman (bug #663101) CVE-2014-0191 (The xmlParserHandlePEReference function in parser.c in libxml2 before ...) {DSA-2978-2 DLA-151-1} - libxml2 2.9.1+dfsg1-4 (bug #747309) NOTE: The upstream patch we used in DSA-2978-1 and DLA-16-1 is only half of the fix. The other half is likely https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f which is only in libxml 2.9 and newer. This was found out with the test case given in https://github.com/sparklemotion/nokogiri/issues/693#issuecomment-8935085. NOTE: First patches: https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df https://git.gnome.org/browse/libxml2/commit/?id=dd8367da17c2948981a51e52c8a6beb445edf825 CVE-2014-0190 (The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to c ...) - qt4-x11 4:4.8.6+dfsg-1 (low) [wheezy] - qt4-x11 (Minor issue) [squeeze] - qt4-x11 (Minor issue) NOTE: https://qt.gitorious.org/qt/qtbase/commit/eb1325047f2697d24e93ebaf924900affc876bc1 NOTE: Possible squeeze backport in http://lists.debian.org/54ca4d0c.4696420a.0f32.4d29@mx.google.com CVE-2014-0189 (virt-who uses world-readable permissions for /etc/sysconfig/virt-who, ...) NOT-FOR-US: RedHat virt-who CVE-2014-0188 (The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2 ...) NOT-FOR-US: OpenShift CVE-2014-0187 (The openvswitch-agent process in OpenStack Neutron 2013.1 before 2013. ...) - neutron 2014.1.2-1 NOTE: https://review.openstack.org/gitweb?p=openstack%2Fneutron.git;a=commitdiff;h=68a24e5f908412b83ca7c3f2d2d2014678e79570 NOTE: https://review.openstack.org/gitweb?p=openstack%2Fneutron.git;a=commitdiff;h=42a8539d497322716df0150c2123befd246d69d8 CVE-2014-0186 (A certain tomcat7 package for Apache Tomcat 7 in Red Hat Enterprise Li ...) - tomcat7 (RHEL-specific regression) CVE-2014-0185 (sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP be ...) {DSA-2943-1} - php5 5.5.12+dfsg-1 [squeeze] - php5 (FPM SAPI only enabled in 5.3.5-1) NOTE: https://bugs.php.net/bug.php?id=67060 CVE-2014-0184 (Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 logs th ...) NOT-FOR-US: RedHat CloudForms Management Engine CVE-2014-0183 (Versions of Katello as shipped with Red Hat Subscription Asset Manager ...) NOT-FOR-US: Katello CVE-2014-0182 (Heap-based buffer overflow in the virtio_load function in hw/virtio/vi ...) - qemu 2.1+dfsg-1 (bug #739589) - qemu-kvm [wheezy] - qemu (Too intrusive to backport, minor risk) [wheezy] - qemu-kvm (Too intrusive to backport, minor risk) [squeeze] - qemu (Unsupported in squeeze-lts) [squeeze] - qemu-kvm (Unsupported in squeeze-lts) NOTE: Fix: http://git.qemu.org/?p=qemu.git;a=commit;h=a890a2f9137ac3cf5b607649e66a6f3a5512d8dc NOTE: Regression fix needed: http://git.qemu.org/?p=qemu.git;a=commit;h=2f5732e9648fcddc8759a8fd25c0b41a38352be6 CVE-2014-0181 (The Netlink implementation in the Linux kernel through 3.14.1 does not ...) - linux 3.14.9-1 (bug #746738) - linux-2.6 [squeeze] - linux-2.6 (Too intrusive to backport to 2.6.32) [wheezy] - linux (Too intrusive to backport to 3.2) CVE-2014-0180 (The wait_for_task function in app/controllers/application_controller.r ...) NOT-FOR-US: RedHat CloudForms Management Engine CVE-2014-0179 (libvirt 0.7.5 through 1.2.x before 1.2.5 allows local users to cause a ...) {DSA-3038-1} - libvirt 1.2.4-1 (unimportant) NOTE: no ACL mechanism in squeeze and wheezy and all access is root-equivalent NOTE: LSN-2014-0003: https://www.redhat.com/archives/libvir-list/2014-May/msg00209.html CVE-2014-0178 (Samba 3.6.6 through 3.6.23, 4.0.x before 4.0.18, and 4.1.x before 4.1. ...) {DSA-2966-1} - samba 2:4.1.8+dfsg-1 (low) [squeeze] - samba (Vulnerable code not present) - samba4 4.0.0~beta2+dfsg1-3.2+deb7u2 NOTE: server packages removed from src:samba4 in 4.0.0~beta2+dfsg1-3.2+deb7u2 CVE-2014-0177 (The am function in lib/hub/commands.rb in hub before 1.12.1 allows loc ...) NOT-FOR-US: Github client CVE-2014-0176 (Cross-site scripting (XSS) vulnerability in application/panel_control ...) NOT-FOR-US: RedHat CloudForms Management Engine CVE-2014-0175 (mcollective has a default password set at install ...) - mcollective (unimportant) NOTE: Password rotation is documented in README.Debian CVE-2014-0174 (Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG ...) NOT-FOR-US: Cumin CVE-2014-0173 (The Jetpack plugin before 1.9 before 1.9.4, 2.0.x before 2.0.9, 2.1.x ...) NOT-FOR-US: WordPress plugin Jetpack CVE-2014-0172 (Integer overflow in the check_section function in dwarf_begin_elf.c in ...) - elfutils 0.158-1 (low; bug #744017) [squeeze] - elfutils (Affected code introduced in 0.153) [wheezy] - elfutils (Affected code introduced in 0.153) CVE-2014-0171 (XML external entity (XXE) vulnerability in StaxXMLFactoryProvider2 in ...) NOT-FOR-US: Odata4j CVE-2014-0170 (Teiid before 8.4.3 and before 8.7 and Red Hat JBoss Data Virtualizatio ...) NOT-FOR-US: Teiid CVE-2014-0169 (In JBoss EAP 6 a security domain is configured to use a cache that is ...) NOT-FOR-US: JBoss EAP CVE-2014-0168 (Cross-site request forgery (CSRF) vulnerability in Jolokia before 1.2. ...) NOT-FOR-US: Jolokia CVE-2014-0167 (The Nova EC2 API security group implementation in OpenStack Compute (N ...) - nova 2013.2.3-1 (bug #744051) [wheezy] - nova (Only affects 2013.1 to 2013.2.3) CVE-2014-0166 (The wp_validate_auth_cookie function in wp-includes/pluggable.php in W ...) {DSA-2901-1} - wordpress 3.8.2+dfsg-1 (bug #744018) CVE-2014-0165 (WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authentica ...) {DSA-2901-1} - wordpress 3.8.2+dfsg-1 (bug #744018) CVE-2014-0164 (openshift-origin-broker-util, as used in Red Hat OpenShift Enterprise ...) - mcollective 1.2.1+dfsg-2 CVE-2014-0163 (Openshift has shell command injection flaws due to unsanitized data be ...) NOT-FOR-US: OpenShift CVE-2014-0162 (The Sheepdog backend in OpenStack Image Registry and Delivery Service ...) - glance 2014.1-1 [wheezy] - glance (Only affects 2013.2 to 2013.2.3) CVE-2014-0161 (ovirt-engine-sdk-python before 3.4.0.7 and 3.5.0.4 does not verify tha ...) NOT-FOR-US: ovirt-engine-sdk-python CVE-2014-0160 (The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1 ...) {DSA-2896-1} - openssl 1.0.1g-1 (bug #743883) [squeeze] - openssl (vulnerable code introduced in upstream commit 4817504) NOTE: fix: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db902 NOTE: http://www.openssl.org/news/secadv/20140407.txt NOTE: system reboot is recommended after the upgrade CVE-2014-0159 (Buffer overflow in the GetStatistics64 remote procedure call (RPC) in ...) {DSA-2899-1} - openafs 1.6.7-1 CVE-2014-0157 (Cross-site scripting (XSS) vulnerability in the Horizon Orchestration ...) - horizon 2013.2.3-1 (bug #744019) [wheezy] - horizon (Vulnerable code not present) CVE-2014-0156 RESERVED CVE-2014-0155 (The ioapic_deliver function in virt/kvm/ioapic.c in the Linux kernel t ...) - linux 3.14.4-1 (low) [wheezy] - linux (Vulnerable code not present) - linux-2.6 (Vulnerable code not present) NOTE: fix: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=5678de3f15010b9022ee45673f33bcfc71d47b60 CVE-2014-0154 (oVirt Engine before 3.5.0 does not include the HTTPOnly flag in a Set- ...) NOT-FOR-US: oVirt web admin interface CVE-2014-0153 (The REST API in oVirt 3.4.0 and earlier stores session IDs in HTML5 lo ...) NOT-FOR-US: oVirt REST API CVE-2014-0152 (Session fixation vulnerability in the web admin interface in oVirt 3.4 ...) NOT-FOR-US: oVirt web admin interface CVE-2014-0151 (Cross-site request forgery (CSRF) vulnerability in oVirt Engine before ...) NOT-FOR-US: ovirt CVE-2014-0150 (Integer overflow in the virtio_net_handle_mac function in hw/net/virti ...) {DSA-2910-1 DSA-2909-1} - qemu 1.7.0+dfsg-8 (bug #744221) - qemu-kvm CVE-2014-0149 (Multiple cross-site scripting (XSS) vulnerabilities in Red Hat JBoss W ...) NOT-FOR-US: JBoss Seam CVE-2014-0148 (Qemu before 2.0 block driver for Hyper-V VHDX Images is vulnerable to ...) - qemu 2.0.0+dfsg-1 (bug #742730) [squeeze] - qemu (vhdx support introduced in 1.5) [wheezy] - qemu (vhdx support introduced in 1.5) - qemu-kvm (vhdx support introduced in 1.5) CVE-2014-0147 (Qemu before 1.6.2 block diver for the various disk image formats used ...) {DSA-3045-1 DSA-3044-1} - qemu 2.0.0+dfsg-1 (bug #742730) - qemu-kvm [squeeze] - qemu (Unsupported in squeeze-lts) [squeeze] - qemu-kvm (Unsupported in squeeze-lts) CVE-2014-0146 (The qcow2_open function in the (block/qcow2.c) in QEMU before 1.7.2 an ...) {DSA-3045-1 DSA-3044-1} - qemu 2.0.0+dfsg-1 (bug #742730) - qemu-kvm [squeeze] - qemu (Unsupported in squeeze-lts) [squeeze] - qemu-kvm (Unsupported in squeeze-lts) NOTE: Upstream commit: http://git.qemu.org/?p=qemu.git;a=commit;h=11b128f4062dd7f89b14abc8877ff20d41b28be9 CVE-2014-0145 (Multiple buffer overflows in QEMU before 1.7.2 and 2.x before 2.0.0, a ...) {DSA-3045-1 DSA-3044-1} - qemu 2.0.0+dfsg-1 (bug #742730) - qemu-kvm [squeeze] - qemu (Unsupported in squeeze-lts) [squeeze] - qemu-kvm (Unsupported in squeeze-lts) CVE-2014-0144 (QEMU before 2.0.0 block drivers for CLOOP, QCOW2 version 2 and various ...) {DSA-3045-1 DSA-3044-1} - qemu 2.0.0+dfsg-1 (bug #742730) - qemu-kvm [squeeze] - qemu (Unsupported in squeeze-lts) [squeeze] - qemu-kvm (Unsupported in squeeze-lts) CVE-2014-0143 (Multiple integer overflows in the block drivers in QEMU, possibly befo ...) {DSA-3045-1 DSA-3044-1} - qemu 2.0.0+dfsg-1 (bug #742730) - qemu-kvm [squeeze] - qemu (Unsupported in squeeze-lts) [squeeze] - qemu-kvm (Unsupported in squeeze-lts) CVE-2014-0142 (QEMU, possibly before 2.0.0, allows local users to cause a denial of s ...) {DSA-3045-1 DSA-3044-1} - qemu 2.0.0+dfsg-1 (bug #742730) - qemu-kvm [squeeze] - qemu (Unsupported in squeeze-lts) [squeeze] - qemu-kvm (Unsupported in squeeze-lts) CVE-2014-0141 (Cross-site scripting (XSS) vulnerability in Red Hat Satellite 6.0.3. ...) NOT-FOR-US: Red Hat Satellite CVE-2014-0140 (Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remo ...) NOT-FOR-US: Red Hat CloudForms Management Engine CVE-2014-0139 (cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qso ...) {DSA-2902-1} - curl 7.36.0-1 (bug #742728) NOTE: http://curl.haxx.se/libcurl-reject-cert-ip-wildcards.patch CVE-2014-0138 (The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re- ...) {DSA-2902-1} - curl 7.36.0-1 (bug #742728) NOTE: http://curl.haxx.se/libcurl-bad-reuse.patch CVE-2014-0137 (SQL injection vulnerability in the saved_report_delete action in the R ...) NOT-FOR-US: RedHat CloudForms Management Engine CVE-2014-0136 (The (1) get and (2) log methods in the AgentController in Red Hat Clou ...) NOT-FOR-US: RedHat CloudForms Management Engine CVE-2014-0135 (Kafo before 0.3.17 and 0.4.x before 0.5.2, as used by Foreman, uses wo ...) NOT-FOR-US: Kafo NOTE: Might be packaged after foreman (ITP bug #663101) CVE-2014-0134 (The instance rescue mode in OpenStack Compute (Nova) 2013.2 before 201 ...) - nova 2013.2.2-4 (bug #742712) [wheezy] - nova (Introduced in Grizzly) NOTE: https://launchpad.net/bugs/1221190 CVE-2014-0133 (Heap-based buffer overflow in the SPDY implementation in nginx 1.3.15 ...) - nginx 1.4.7-1 (unimportant; bug #742059) [wheezy] - nginx (Vulnerable code not present) [squeeze] - nginx (Vulnerable code not present) NOTE: ngx_http_spdy_module introduced in 1.3.15 NOTE: Debian compiles with --with-http_spdy_module, but also with --with-debug CVE-2014-0132 (The SASL authentication functionality in 389 Directory Server before 1 ...) - 389-ds-base 1.3.2.9-1.1 (bug #741600) CVE-2014-0131 (Use-after-free vulnerability in the skb_segment function in net/core/s ...) - linux 3.13.6-1 [wheezy] - linux 3.2.57-1 - linux-2.6 (Introduced in 3.1) NOTE: http://marc.info/?l=linux-netdev&m=139446896921968&w=2 CVE-2014-0130 (Directory traversal vulnerability in actionpack/lib/abstract_controlle ...) {DSA-2929-1} - ruby-actionpack-2.3 (Vulnerable code not present) - ruby-actionpack-3.2 (bug #747382) - rails-3.2 3.2.18-1 (bug #747382) - rails-4.0 (bug #747380) CVE-2014-0129 (badges/mybadges.php in Moodle 2.5.x before 2.5.5 and 2.6.x before 2.6. ...) - moodle 2.6.2-1 [squeeze] - moodle (Vulnerable code not present) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44140 CVE-2014-0128 (Squid 3.1 before 3.3.12 and 3.4 before 3.4.4, when SSL-Bump is enabled ...) - squid (All Squid-3.0 and older versions not vulnerable) - squid3 3.4.8-1 (unimportant; bug #741312) NOTE: http://www.squid-cache.org/Advisories/SQUID-2014_1.txt NOTE: only affects package rebuilds with --enable-ssl by users CVE-2014-0127 (The time-validation implementation in (1) mod/feedback/complete.php an ...) - moodle 2.6.2-1 [squeeze] - moodle (Vulnerable code not present) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43656 CVE-2014-0126 (Cross-site request forgery (CSRF) vulnerability in enrol/imsenterprise ...) - moodle 2.6.2-1 [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43146 CVE-2014-0125 (repository/alfresco/lib.php in Moodle through 2.3.11, 2.4.x before 2.4 ...) - moodle 2.6.2-1 [squeeze] - moodle (Vulnerable code not present) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29409 CVE-2014-0124 (The identity-reporting implementations in mod/forum/renderer.php and m ...) - moodle 2.6.2-1 [squeeze] - moodle (Vulnerable code not present) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43916 CVE-2014-0123 (The wiki subsystem in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x ...) - moodle 2.6.2-1 [squeeze] - moodle (Unsupported in squeeze-lts) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-39990 NOTE: squeeze version unaffected due to lack of fine-grained access control? CVE-2014-0122 (mod/chat/chat_ajax.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2 ...) - moodle 2.6.2-1 [squeeze] - moodle (Vulnerable code not present) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44082 CVE-2014-0121 (The admin terminal in Hawt.io does not require authentication, which a ...) NOT-FOR-US: hawtio-karaf-terminal CVE-2014-0120 (Cross-site request forgery (CSRF) vulnerability in the admin terminal ...) NOT-FOR-US: hawtio-karaf-terminal CVE-2014-0119 (Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 d ...) {DSA-3530-1} - tomcat8 8.0.8-1 - tomcat7 7.0.54-1 - tomcat6 6.0.41-1 [wheezy] - tomcat7 7.0.28-4+deb7u4 CVE-2014-0118 (The deflate_in_filter function in mod_deflate.c in the mod_deflate mod ...) {DSA-2989-1 DLA-66-1} - apache2 2.4.10-1 CVE-2014-0117 (The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, wh ...) - apache2 2.4.10-1 [squeeze] - apache2 (Affects 2.4.6 to 2.4.9) [wheezy] - apache2 (Affects 2.4.6 to 2.4.9) CVE-2014-0116 (CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard ...) - libstruts1.2-java (Struts 2.0.0 through to Struts 2.3.16.2) NOTE: https://cwiki.apache.org/confluence/display/WW/S2-022 CVE-2014-0115 (Directory traversal vulnerability in the log viewer in Apache Storm 0. ...) NOT-FOR-US: Apache Storm CVE-2014-0114 (Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8. ...) {DSA-2940-1 DLA-57-1} - libstruts1.2-java 1.2.9-9 (bug #745897) NOTE: http://mail-archives.apache.org/mod_mbox/struts-announcements/201404.mbox/%3C535F5F52.4040108%40apache.org%3E - commons-beanutils 1.9.2-1 (low) [wheezy] - commons-beanutils (Too intrusive to backport; might break existing apps) [squeeze] - commons-beanutils (Too intrusive to backport; might break existing apps) NOTE: https://issues.apache.org/jira/browse/BEANUTILS-463 CVE-2014-0113 (CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cook ...) - libstruts1.2-java (Affects Struts 2.0.0 - Struts 2.3.16) NOTE: https://struts.apache.org/release/2.3.x/docs/s2-021.html CVE-2014-0112 (ParametersInterceptor in Apache Struts before 2.3.20 does not properly ...) - libstruts1.2-java (Affects Struts 2.0.0 - Struts 2.3.16) NOTE: https://struts.apache.org/release/2.3.x/docs/s2-021.html CVE-2014-0111 (Apache Syncope 1.0.0 before 1.0.9 and 1.1.0 before 1.1.7 allows remote ...) NOT-FOR-US: Apache Syncope CVE-2014-0110 (Apache CXF before 2.6.14 and 2.7.x before 2.7.11 allows remote attacke ...) NOT-FOR-US: Apache CXF CVE-2014-0109 (Apache CXF before 2.6.14 and 2.7.x before 2.7.11 allows remote attacke ...) NOT-FOR-US: Apache CXF CVE-2014-0108 REJECTED CVE-2014-0107 (The TransformerFactory in Apache Xalan-Java before 2.7.2 does not prop ...) {DSA-2886-1} - libxalan2-java 2.7.1-9 (bug #742577) NOTE: https://issues.apache.org/jira/browse/XALANJ-2435 NOTE: http://svn.apache.org/viewvc?view=revision&revision=1581058 CVE-2014-0106 (Sudo 1.6.9 before 1.8.5, when env_reset is disabled, does not properly ...) {DLA-160-1} - sudo 1.8.5p2-1 (low) [squeeze] - sudo (environment sanitising is enabled by default and turning it off in insecure anyway) NOTE: http://www.sudo.ws/sudo/alerts/env_add.html CVE-2014-0105 (The auth_token middleware in the OpenStack Python client library for K ...) - python-keystoneclient 1:0.6.0-4 (low; bug #742898) [wheezy] - python-keystoneclient (Vulnerable code yet in src:keystone) - keystone 2013.1.1-2 [wheezy] - keystone (Minor issue) NOTE: From 2013.1.1-2 the auth_token.py is in python-keystoneclient CVE-2014-0104 (In fence-agents before 4.0.17 does not verify remote SSL certificates ...) - fence-agents 4.0.17-1 (low; bug #764801) [jessie] - fence-agents (Minor issue) [wheezy] - fence-agents (Minor issue) CVE-2014-0103 (WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credent ...) - zarafa (bug #658433) CVE-2014-0102 (The keyring_detect_cycle_iterator function in security/keys/keyring.c ...) - linux 3.13.6-1 [wheezy] - linux (Introduced in v3.13) - linux-2.6 (Introduced in v3.13) NOTE: Introduced by http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b2a4df200d570b2c33a57e1ebfa5896e4bc81b69 NOTE: patch: http://www.kernelhub.org/?msg=425013&p=2 CVE-2014-0101 (The sctp_sf_do_5_1D_ce function in net/sctp/sm_statefuns.c in the Linu ...) {DSA-2906-1} - linux 3.13.6-1 [wheezy] - linux 3.2.57-1 - linux-2.6 NOTE: Introduced by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bbd0d59809f923ea2b540cbd781b32110e249f6e NOTE: http://patchwork.ozlabs.org/patch/325898/ CVE-2014-0100 (Race condition in the inet_frag_intern function in net/ipv4/inet_fragm ...) - linux 3.13.6-1 [wheezy] - linux (Introduced in v3.9) - linux-2.6 (Introduced in v3.9) NOTE: Introduced by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3ef0eb0db4bf92c6d2510fe5c4dc51852746f206 NOTE: http://patchwork.ozlabs.org/patch/325844/ CVE-2014-0099 (Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apac ...) {DSA-3530-1} - tomcat8 8.0.5-1 - tomcat7 7.0.53-1 [wheezy] - tomcat7 7.0.28-4+deb7u3 - tomcat6 6.0.41-1 NOTE: http://svn.apache.org/r1578814 CVE-2014-0098 (The log_cookie function in mod_log_config.c in the mod_log_config modu ...) - apache2 2.4.9-1 [squeeze] - apache2 (Vulnerable code not present) [wheezy] - apache2 (Vulnerable code not present) NOTE: Looks like it was introduced in 2.2.23 which would mean that squeeze+wheezy are not affected. sf: waiting for confirmation. CVE-2014-0097 (The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 ...) - libspring-java (ActiveDirectoryLdapAuthenticator not yet present, introduced in 3.1) CVE-2014-0096 (java/org/apache/catalina/servlets/DefaultServlet.java in the default s ...) {DSA-3530-1} - tomcat8 8.0.5-1 - tomcat7 7.0.53-1 - tomcat6 6.0.41-1 [wheezy] - tomcat7 7.0.28-4+deb7u4 CVE-2014-0095 (java/org/apache/coyote/ajp/AbstractAjpProcessor.java in Apache Tomcat ...) - tomcat8 8.0.5-1 CVE-2014-0094 (The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remo ...) - libstruts1.2-java (Affects Struts 2.0.0 - Struts 2.3.16) CVE-2014-0093 (Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.2, when usin ...) NOT-FOR-US: JBoss EAP CVE-2014-0092 (lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does ...) {DSA-2869-1} - gnutls26 2.12.23-13 - gnutls28 3.2.11-2 NOTE: http://gnutls.org/security.html#GNUTLS-SA-2014-2 CVE-2014-0091 (Foreman has improper input validation which could lead to partial Deni ...) - foreman (bug #663101) CVE-2014-0090 (Session fixation vulnerability in Foreman before 1.4.2 allows remote a ...) - foreman (bug #663101) CVE-2014-0089 (Cross-site scripting (XSS) vulnerability in app/views/common/500.html. ...) - foreman (bug #663101) CVE-2014-0088 (The SPDY implementation in the ngx_http_spdy_module module in nginx 1. ...) - nginx (Only affects 1.5.10) CVE-2014-0087 (The check_privileges method in vmdb/app/controllers/application_contro ...) NOT-FOR-US: RedHat CloudForms Management Engine CVE-2014-0086 (The doFilter function in webapp/PushHandlerFilter.java in JBoss RichFa ...) NOT-FOR-US: RichFaces NOTE: https://github.com/richfaces/richfaces/commit/4115c103f74e7cb0af6d392e22866e52db2bc4e7 NOTE: https://issues.jboss.org/browse/RF-13250 CVE-2014-0085 (JBoss Fuse did not enable encrypted passwords by default in its usage ...) NOT-FOR-US: Fuse Fabric CVE-2014-0084 (Ruby gem openshift-origin-node before 2014-02-14 does not contain a cr ...) NOT-FOR-US: rubygem-openshift-origin-node CVE-2014-0083 (The Ruby net-ldap gem before 0.11 uses a weak salt when generating SSH ...) - ruby-net-ldap (SSHA support not present) NOTE: SSHA support only from version v0.5.0, see #742706 CVE-2014-0082 (actionpack/lib/action_view/template/text.rb in Action View in Ruby on ...) {DSA-2929-1} - rails-4.0 (only 3.2.x and earlier) - rails-3.2 3.2.17-1 - ruby-actionpack-3.2 - ruby-actionpack-2.3 [wheezy] - ruby-actionpack-2.3 - rails 2.3.14.1 [squeeze] - rails (Unsupported in squeeze-lts) NOTE: Starting with 2.3.14.1 rails is a transition package CVE-2014-0081 (Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/ ...) {DSA-2929-1} - rails-4.0 - rails-3.2 3.2.17-1 - ruby-actionpack-3.2 - ruby-actionpack-2.3 [wheezy] - ruby-actionpack-2.3 - rails 2.3.14.1 [squeeze] - rails (Unsupported in squeeze-lts) NOTE: Starting with 2.3.14.1 rails is a transition package CVE-2014-0080 (SQL injection vulnerability in activerecord/lib/active_record/connecti ...) - rails-4.0 - ruby-activerecord-3.2 (affects only rails 4.0.x) - ruby-activerecord-2.3 (affects only rails 4.0.x) - rails (affects only rails 4.0.x) CVE-2014-0079 (The ValidateUserLogon function in provider/libserver/ECSession.cpp in ...) NOT-FOR-US: Zarafa Collaboration Platform CVE-2014-0078 (The CatalogController in Red Hat CloudForms Management Engine (CFME) b ...) NOT-FOR-US: RedHat CloudForms Management Engine CVE-2014-0077 (drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable ...) - linux 3.13.10-1 [wheezy] - linux 3.2.57-1 - linux-2.6 (Vulnerable code not present) NOTE: seems introduced in https://github.com/torvalds/linux/commit/8dd014adfea6f173c1ef6378f7e5e7924866c923 NOTE: qemu is built with support for vhost_net, module loaded post-wheezy when linux < 3.4 but root:root 0600 CVE-2014-0076 (The Montgomery ladder implementation in OpenSSL through 1.0.0l does no ...) {DSA-2908-1 DLA-0003-1} - openssl 1.0.1g-1 (low; bug #742923) [squeeze] - openssl 0.9.8o-4squeeze15 NOTE: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=f9b6c0ba4c02497782f801e3c45688f3efaac55c CVE-2014-0075 (Integer overflow in the parseChunkHeader function in java/org/apache/c ...) {DSA-3530-1} - tomcat8 8.0.5-1 - tomcat7 7.0.53-1 [wheezy] - tomcat7 7.0.28-4+deb7u3 - tomcat6 6.0.41-1 CVE-2014-0074 (Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthen ...) - shiro 1.2.3-1 CVE-2014-0073 (The CDVInAppBrowser class in the Apache Cordova In-App-Browser standal ...) NOT-FOR-US: Apache Cordova CVE-2014-0072 (ios/CDVFileTransfer.m in the Apache Cordova File-Transfer standalone p ...) NOT-FOR-US: Apache Cordova CVE-2014-0071 (PackStack in Red Hat OpenStack 4.0 does not enforce the default securi ...) - neutron 2014.1-1 CVE-2014-0070 REJECTED CVE-2014-0069 (The cifs_iovec_write function in fs/cifs/file.c in the Linux kernel th ...) - linux 3.13.6-1 (bug #741958) [wheezy] - linux 3.2.57-1 - linux-2.6 (Only affects 2.6.38 and later) NOTE: http://article.gmane.org/gmane.linux.kernel.cifs/9401 NOTE: upstream fix 5d81de8e8667da7135d3a32a964087c0faf5483f included in v3.14-rc4 CVE-2014-0068 RESERVED NOT-FOR-US: OpenShift CVE-2014-0067 (The "make check" command for the test suites in PostgreSQL 9.3.3 and e ...) {DSA-2865-1 DSA-2864-1 DLA-0019-1} - postgresql-9.1 9.1.11-2 - postgresql-8.4 [wheezy] - postgresql-8.4 (postgresql-8.4 in wheezy only provides PL/Perl) - postgresql-9.3 9.3.3-1 CVE-2014-0066 (The chkpass extension in PostgreSQL before 8.4.20, 9.0.x before 9.0.16 ...) {DSA-2865-1 DSA-2864-1} - postgresql-9.1 9.1.11-2 - postgresql-8.4 [wheezy] - postgresql-8.4 (postgresql-8.4 in wheezy only provides PL/Perl) - postgresql-9.3 9.3.3-1 CVE-2014-0065 (Multiple buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9. ...) {DSA-2865-1 DSA-2864-1} - postgresql-9.1 9.1.11-2 - postgresql-8.4 [wheezy] - postgresql-8.4 (postgresql-8.4 in wheezy only provides PL/Perl) - postgresql-9.3 9.3.3-1 CVE-2014-0064 (Multiple integer overflows in the path_in and other unspecified functi ...) {DSA-2865-1 DSA-2864-1} - postgresql-9.1 9.1.11-2 - postgresql-8.4 [wheezy] - postgresql-8.4 (postgresql-8.4 in wheezy only provides PL/Perl) - postgresql-9.3 9.3.3-1 CVE-2014-0063 (Multiple stack-based buffer overflows in PostgreSQL before 8.4.20, 9.0 ...) {DSA-2865-1 DSA-2864-1} - postgresql-9.1 9.1.11-2 - postgresql-8.4 [wheezy] - postgresql-8.4 (postgresql-8.4 in wheezy only provides PL/Perl) - postgresql-9.3 9.3.3-1 CVE-2014-0062 (Race condition in the (1) CREATE INDEX and (2) unspecified ALTER TABLE ...) {DSA-2865-1 DSA-2864-1} - postgresql-9.1 9.1.11-2 - postgresql-8.4 [wheezy] - postgresql-8.4 (postgresql-8.4 in wheezy only provides PL/Perl) - postgresql-9.3 9.3.3-1 CVE-2014-0061 (The validator functions for the procedural languages (PLs) in PostgreS ...) {DSA-2865-1 DSA-2864-1} - postgresql-9.1 9.1.12-1 (low) - postgresql-8.4 [wheezy] - postgresql-8.4 8.4.20-0wheezy1 - postgresql-9.3 9.3.3-1 - postgresql-plsh 1.20140221-1 [wheezy] - postgresql-plsh (Minor issue) [squeeze] - postgresql-plsh (Minor issue) CVE-2014-0060 (PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9. ...) {DSA-2865-1 DSA-2864-1} - postgresql-9.1 9.1.11-2 - postgresql-8.4 [wheezy] - postgresql-8.4 (postgresql-8.4 in wheezy only provides PL/Perl) - postgresql-9.3 9.3.3-1 CVE-2014-0059 (JBoss SX and PicketBox, as used in Red Hat JBoss Enterprise Applicatio ...) NOT-FOR-US: JBossSX CVE-2014-0058 (The security audit functionality in Red Hat JBoss Enterprise Applicati ...) NOT-FOR-US: JBoss EAP CVE-2014-0057 (The x_button method in the ServiceController (vmdb/app/controllers/ser ...) NOT-FOR-US: RedHat CloudForms Management Engine CVE-2014-0056 (The l3-agent in OpenStack Neutron 2012.2 before 2013.2.3 does not chec ...) - neutron 2013.2.2-4 (bug #742800) CVE-2014-0055 (The get_rx_bufs function in drivers/vhost/net.c in the vhost-net subsy ...) - linux 3.13.10-1 [wheezy] - linux 3.2.57-1 - linux-2.6 (Vulnerable code not present) NOTE: introduced in https://github.com/torvalds/linux/commit/8dd014adfea6f173c1ef6378f7e5e7924866c923 NOTE: qemu is built with support for vhost_net, module loaded post-wheezy when linux < 3.4 but root:root 0600 CVE-2014-0054 (The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Frame ...) {DSA-2890-1} - libspring-java 3.0.6.RELEASE-13 (bug #741604) CVE-2014-0053 (The default configuration of the Resources plugin 1.0.0 before 1.2.6 f ...) - grails (bug #473213) CVE-2014-0052 REJECTED CVE-2014-0051 REJECTED CVE-2014-0050 (MultipartStream.java in Apache Commons FileUpload before 1.3.1, as use ...) {DSA-2897-1 DSA-2856-1} - libcommons-fileupload-java 1.3.1-1 - tomcat7 7.0.52-1 - tomcat6 (access to Manager application limited to authenticated administrators) NOTE: http://svn.apache.org/viewvc?view=revision&revision=1565169 NOTE: CVE might be splitted CVE-2014-0049 (Buffer overflow in the complete_emulated_mmio function in arch/x86/kvm ...) - linux 3.13.6-1 [wheezy] - linux (Introduced in 3.5) - linux-2.6 (Introduced in 3.5) NOTE: fix: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a08d3b3b99efd509133946056531cdf8f3a0c09b CVE-2014-0048 (An issue was found in Docker before 1.6.0. Some programs and scripts i ...) - docker.io 1.6.0+dfsg1-1 NOTE: According to Red Hat bug no longer present in 1.5 CVE-2014-0047 (Docker before 1.5 allows local users to have unspecified impact via ve ...) - docker.io 1.6.0+dfsg1-1 NOTE: According to Red Hat bug no longer present in 1.5 CVE-2014-0046 (Cross-site scripting (XSS) vulnerability in the link-to helper in Embe ...) NOT-FOR-US: ember.js CVE-2014-0045 (The needSamples method in AudioOutputSpeech.cpp in the client in Mumbl ...) {DSA-2854-1} - mumble 1.2.4-0.2 (bug #737739) [squeeze] - mumble (Opus support not present) CVE-2014-0044 (The opus_packet_get_samples_per_frame function in client in Mumble 1.2 ...) {DSA-2854-1} - mumble 1.2.4-0.2 (bug #737739) [squeeze] - mumble (Opus support not present) CVE-2014-0043 (In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls ...) NOT-FOR-US: Apache Wicket CVE-2014-0042 (OpenStack Heat Templates (heat-templates), as used in Red Hat Enterpri ...) NOT-FOR-US: openstack-heat-templates CVE-2014-0041 (OpenStack Heat Templates (heat-templates), as used in Red Hat Enterpri ...) NOT-FOR-US: openstack-heat-templates CVE-2014-0040 (OpenStack Heat Templates (heat-templates), as used in Red Hat Enterpri ...) NOT-FOR-US: openstack-heat-templates CVE-2014-0039 (Untrusted search path vulnerability in fwsnort before 1.6.4, when not ...) - fwsnort 1.6.4-1 (low; bug #737495) [wheezy] - fwsnort (Minor issue) [squeeze] - fwsnort (Vulnerable code not present) NOTE: https://github.com/mrash/fwsnort/commit/fa977453120cc48e1654f373311f9cac468d3348 CVE-2014-0038 (The compat_sys_recvmmsg function in net/compat.c in the Linux kernel b ...) - linux 3.13.4-1 (unimportant) [wheezy] - linux (Introduced in 3.4+) - linux-2.6 (Introduced in 3.4+) NOTE: introduced by http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/net/compat.c?id=ee4fa23c4bfcc635d077a9633d405610de45bc70 NOTE: Debian does not enable CONFIG_X86_X32, see #708070 CVE-2014-0037 (The ValidateUserLogon function in provider/libserver/ECSession.cpp in ...) NOT-FOR-US: Zarafa Collaboration Platform CVE-2014-0036 (The rbovirt gem before 0.0.24 for Ruby uses the rest-client gem with S ...) NOT-FOR-US: rbovirt CVE-2014-0035 (The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7. ...) NOT-FOR-US: Apache CFX CVE-2014-0034 (The SecurityTokenService (STS) in Apache CXF before 2.6.12 and 2.7.x b ...) NOT-FOR-US: Apache CFX CVE-2014-0033 (org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0. ...) {DSA-3530-1 DLA-91-1} - tomcat6 6.0.39 CVE-2014-0032 (The get_resource function in repos.c in the mod_dav_svn module in Apac ...) {DLA-207-1} - subversion 1.8.8-1 (low; bug #737815) [squeeze] - subversion (Minor issue) [wheezy] - subversion 1.6.17dfsg-4+deb7u5 CVE-2014-0031 (The (1) ListNetworkACL and (2) listNetworkACLLists APIs in Apache Clou ...) NOT-FOR-US: Apache CloudStack CVE-2014-0030 (The XML-RPC protocol support in Apache Roller before 5.0.3 allows atta ...) NOT-FOR-US: Apache Roller CVE-2014-0029 (Multiple cross-site scripting (XSS) vulnerabilities in the SAM web app ...) NOT-FOR-US: Katello CVE-2014-0028 (libvirt 1.1.1 through 1.2.0 allows context-dependent attackers to bypa ...) - libvirt 1.2.1-1 [squeeze] - libvirt (Introduced in 1.1.1) [wheezy] - libvirt (Introduced in 1.1.1) NOTE: https://www.redhat.com/archives/libvir-list/2014-January/msg00684.html CVE-2014-0027 (The play_wave_from_socket function in audio/auserver.c in Flite 1.4 al ...) - flite 1.4-release-8 (low; bug #734746) [wheezy] - flite (Minor issue) [squeeze] - flite (Minor issue) CVE-2014-0026 (katello-headpin is vulnerable to CSRF in REST API ...) NOT-FOR-US: Katello CVE-2014-0025 REJECTED CVE-2014-0024 RESERVED CVE-2014-0023 (OpenShift: Install script has temporary file creation vulnerability wh ...) NOT-FOR-US: OpenShift CVE-2014-0022 (The installUpdates function in yum-cron/yum-cron.py in yum 3.4.3 and e ...) NOT-FOR-US: yum cron CVE-2014-0021 (Chrony before 1.29.1 has traffic amplification in cmdmon protocol ...) - chrony 1.29.1-1 (low; bug #737644) [squeeze] - chrony (Minor issue) [wheezy] - chrony (Minor issue) CVE-2014-0020 (The IRC protocol plugin in libpurple in Pidgin before 2.10.8 does not ...) {DSA-2859-1} - pidgin 2.10.8-1 [squeeze] - pidgin (Not suitable for code injection) CVE-2014-0019 (Stack-based buffer overflow in socat 1.3.0.0 through 1.7.2.2 and 2.0.0 ...) - socat 1.7.2.3-1 (low; bug #736993) [squeeze] - socat (Minor issue) [wheezy] - socat (Minor issue) CVE-2014-0018 (Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.0 and JBoss ...) NOT-FOR-US: Red Hat JBoss Enterprise Application Platform CVE-2014-0017 (The RAND_bytes function in libssh before 0.6.3, when forking is enable ...) {DSA-2879-1} - libssh 0.5.4-3 NOTE: http://git.libssh.org/projects/libssh.git/commit/?id=e99246246b4061f7e71463f8806b9dcad65affa0 CVE-2014-0016 (stunnel before 5.00, when using fork threading, does not properly upda ...) - stunnel4 (Debian package compiled with --with-threads=pthread) CVE-2014-0015 (cURL and libcurl 7.10.6 through 7.34.0, when more than one authenticat ...) {DSA-2849-1} - curl 7.35.0-1 CVE-2014-0014 (Ember.js 1.0.x before 1.0.1, 1.1.x before 1.1.3, 1.2.x before 1.2.1, 1 ...) NOT-FOR-US: Ember.js CVE-2014-0013 (Ember.js 1.0.x before 1.0.1, 1.1.x before 1.1.3, 1.2.x before 1.2.1, 1 ...) NOT-FOR-US: Ember.js CVE-2014-0012 (FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create tempo ...) - jinja2 2.7.2-2 (bug #734956) [squeeze] - jinja2 (introduced by fix in 2.7.2) [wheezy] - jinja2 (introduced by fix in 2.7.2) NOTE: introduced by https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7 CVE-2014-0011 (Multiple heap-based buffer overflows in the ZRLE_DECODE function in co ...) - tigervnc (Fixed before initial release in Debian) - vnc4 4.1.1+X4.3.0+t-1 (unimportant) NOTE: may affect related *VNC implementations if built with NDEBUG NOTE: e.g. vnc4 seems to have similar code in common/rfb/zrleDecode.h NOTE: starting with 4.1.1+X4.3.0+t-1 it's a transitional package CVE-2014-0010 (Multiple cross-site request forgery (CSRF) vulnerabilities in user/pro ...) - moodle 2.5.4-1 [squeeze] - moodle (Code correctly checks session key) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-42883 CVE-2014-0009 (course/loginas.php in Moodle through 2.2.11, 2.3.x before 2.3.11, 2.4. ...) - moodle 2.5.4-1 (low) [squeeze] - moodle (Minor issue) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-42643 CVE-2014-0008 (lib/adminlib.php in Moodle through 2.3.11, 2.4.x before 2.4.8, 2.5.x b ...) - moodle 2.5.4-1 (low) [squeeze] - moodle (Vulnerable code not present) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36721 CVE-2014-0007 (The Smart-Proxy in Foreman before 1.4.5 and 1.5.x before 1.5.1 allows ...) - foreman (bug #663101) CVE-2014-0006 (The TempURL middleware in OpenStack Object Storage (Swift) 1.4.6 throu ...) - swift 1.11.0-2 (low; bug #735582) [wheezy] - swift (Minor issue) CVE-2014-0005 (PicketBox and JBossSX, as used in Red Hat JBoss Enterprise Application ...) NOT-FOR-US: PicketBox/JBossSX CVE-2014-0004 (Stack-based buffer overflow in udisks before 1.0.5 and 2.x before 2.1. ...) {DSA-2872-1} - udisks2 2.1.3-1 - udisks 1.0.5-1 CVE-2014-0003 (The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before ...) NOT-FOR-US: Apache Camel CVE-2014-0002 (The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.1 ...) NOT-FOR-US: Apache Camel CVE-2014-0001 (Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before ...) {DSA-2919-1 DLA-75-1} - mysql-5.1 (low) [squeeze] - mysql-5.1 (Minor issue, currently not fixed in MySQL, can be included once fixed in 5.1.x) - mysql-5.5 5.5.37-1 (low; bug #737596) - mariadb-5.5 5.5.35-1 (low; bug #737597) - percona-xtradb-cluster-5.5 5.5.37-25.10+dfsg-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1054592 NOTE: http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/2502.565.64 CVE-2013-6985 (SQL injection vulnerability in m_worklog/log_searchday.jsp in Enorth W ...) NOT-FOR-US: Enorth Webpublisher CMS CVE-2013-6920 (Siemens SINAMICS S/G controllers with firmware before 4.6.11 do not re ...) NOT-FOR-US: Siemens CVE-2013-6919 (The default configuration of phpThumb before 1.7.12 has a false value ...) NOT-FOR-US: phpThumb CVE-2013-6917 RESERVED CVE-2013-6916 (Cross-site scripting (XSS) vulnerability in the Yahoo! User Interface ...) NOT-FOR-US: Cybozu Garoon CVE-2013-6915 (Cross-site scripting (XSS) vulnerability in the system-administration ...) NOT-FOR-US: Cybozu Garoon CVE-2013-6914 (Cross-site scripting (XSS) vulnerability in a calendar component in Cy ...) NOT-FOR-US: Cybozu Garoon CVE-2013-6913 (Cross-site scripting (XSS) vulnerability in a search component in Cybo ...) NOT-FOR-US: Cybozu Garoon CVE-2013-6912 (Cross-site scripting (XSS) vulnerability in a calendar component in Cy ...) NOT-FOR-US: Cybozu Garoon CVE-2013-6911 (Cross-site scripting (XSS) vulnerability in the bulletin-board compone ...) NOT-FOR-US: Cybozu Garoon CVE-2013-6910 (Cross-site scripting (XSS) vulnerability in Ajax components in Cybozu ...) NOT-FOR-US: Cybozu Garoon CVE-2013-6909 (Cross-site scripting (XSS) vulnerability in a report component in Cybo ...) NOT-FOR-US: Cybozu Garoon CVE-2013-6908 (Cross-site scripting (XSS) vulnerability in a mail component in Cybozu ...) NOT-FOR-US: Cybozu Garoon CVE-2013-6907 (Cross-site scripting (XSS) vulnerability in a mail component in Cybozu ...) NOT-FOR-US: Cybozu Garoon CVE-2013-6906 (Cross-site scripting (XSS) vulnerability in a mail component in Cybozu ...) NOT-FOR-US: Cybozu Garoon CVE-2013-6905 (Cross-site scripting (XSS) vulnerability in a phone component in Cyboz ...) NOT-FOR-US: Cybozu Garoon CVE-2013-6904 (Cross-site scripting (XSS) vulnerability in a note component in Cybozu ...) NOT-FOR-US: Cybozu Garoon CVE-2013-6903 (Cross-site scripting (XSS) vulnerability in a schedule component in Cy ...) NOT-FOR-US: Cybozu Garoon CVE-2013-6902 (Cross-site scripting (XSS) vulnerability in the Space function in Cybo ...) NOT-FOR-US: Cybozu Garoon CVE-2013-6901 (Cross-site scripting (XSS) vulnerability in the Space function in Cybo ...) NOT-FOR-US: Cybozu Garoon CVE-2013-6900 (Cross-site scripting (XSS) vulnerability in the system-administration ...) NOT-FOR-US: Cybozu Garoon CVE-2013-6918 (The web interface on the Satechi travel router 1.5, when Wi-Fi is used ...) NOT-FOR-US: Satechi travel router CVE-2013-6899 RESERVED CVE-2013-6898 RESERVED CVE-2013-6897 RESERVED CVE-2013-6896 RESERVED CVE-2013-6895 RESERVED CVE-2013-6894 RESERVED CVE-2013-6893 RESERVED CVE-2013-6892 (WebSVN 2.3.3 allows remote authenticated users to read arbitrary files ...) {DSA-3137-1 DLA-136-1} - websvn 2.3.3-1.2 (bug #775682) CVE-2013-6891 (lppasswd in CUPS before 1.7.1, when running with setuid privileges, al ...) - cups 1.7.1-1 [wheezy] - cups (Vulnerable code introduced with 1.6.4) [squeeze] - cups (Vulnerable code introduced with 1.6.4) NOTE: https://www.cups.org/str.php?L4319 CVE-2013-6890 (denyhosts 2.6 uses an incorrect regular expression when analyzing auth ...) {DSA-2826-1} - denyhosts 2.6-10.1 CVE-2013-6889 (GNU Rush 1.7 does not properly drop privileges, which allows local use ...) - rush 1.7+dfsg-4 (bug #733505) [wheezy] - rush 1.7+dfsg-1+deb7u1 CVE-2013-6888 (Uscan in devscripts before 2.13.9 allows remote attackers to execute a ...) {DSA-2836-1} - devscripts 2.13.9 [squeeze] - devscripts (Minor issue) CVE-2013-6887 (OpenJPEG 1.5.1 allows remote attackers to cause a denial of service vi ...) - openjpeg 1.5.2-1 (bug #731237) [wheezy] - openjpeg (Only affects 1.5) [squeeze] - openjpeg (Only affects 1.5) CVE-2013-6886 (RealVNC VNC 5.0.6 on Mac OS X, Linux, and UNIX allows local users to g ...) - vnc4 (Only affects 5.0.6, binaries in Debian version are not setuid root) CVE-2013-6884 (The write-blocker in CRU Ditto Forensic FieldStation with firmware bef ...) NOT-FOR-US: Ditto Forensic FieldStation CVE-2013-6883 (Cross-site request forgery (CSRF) vulnerability in CRU Ditto Forensic ...) NOT-FOR-US: Ditto Forensic FieldStation CVE-2013-6882 (Multiple cross-site scripting (XSS) vulnerabilities in CRU Ditto Foren ...) NOT-FOR-US: Ditto Forensic FieldStation CVE-2013-6881 (CRU Ditto Forensic FieldStation with firmware before 2013Oct15a allows ...) NOT-FOR-US: Ditto Forensic FieldStation CVE-2013-6880 (Open redirect in proxy.php in FlashCanvas before 1.6 allows remote att ...) NOT-FOR-US: FlashCanvas CVE-2013-6879 (The Mijosoft MijoSearch component 2.0.1 and earlier for Joomla! allows ...) NOT-FOR-US: MijoSearch CVE-2013-6878 (Cross-site scripting (XSS) vulnerability in the Mijosoft MijoSearch co ...) NOT-FOR-US: MijoSearch CVE-2013-6877 (Heap-based buffer overflow in RealNetworks RealPlayer before 17.0.4.61 ...) NOT-FOR-US: RealPlayer CVE-2013-6876 (The (1) pty_init_terminal and (2) pipe_init_terminal functions in main ...) - s3d 0.2.2-9 (unimportant) NOTE: http://hmarco.org/bugs/s3dvt_0.2.2-root-shell.html NOTE: Not running with elevated privileges in Debian packaging CVE-2013-6875 (SQL injection vulnerability in functions/prepend_adm.php in Nagios Cor ...) NOT-FOR-US: Nagios XI CVE-2013-6874 (Stack-based buffer overflow in Vortex Light Alloy before 4.7.4 allows ...) NOT-FOR-US: Vortex Light Alloy CVE-2013-6873 (SQL injection vulnerability in Testa Online Test Management System (OT ...) NOT-FOR-US: Testa Online Test Management System CVE-2013-6872 (SQL injection vulnerability in managetimetracker.php in Collabtive bef ...) - collabtive 1.2-1 (low) [wheezy] - collabtive (Minor issue) CVE-2013-6871 RESERVED CVE-2013-6870 (Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk befor ...) NOT-FOR-US: Splunk Web CVE-2012-6611 (An issue was discovered in Polycom Web Management Interface G3/HDX 800 ...) NOT-FOR-US: Polycom CVE-2012-6610 (Polycom HDX Video End Points before 3.0.4 and UC APL before 2.7.1.J al ...) NOT-FOR-US: Polycom HDX Video End Points CVE-2012-6609 (Directory traversal vulnerability in a_getlog.cgi in Polycom HDX Video ...) NOT-FOR-US: Polycom HDX Video End Points CVE-2012-6608 (Cross-site scripting (XSS) vulnerability in xmlservices/E_book.php in ...) NOT-FOR-US: Elastix CVE-2013-6885 (The microcode on AMD 16h 00h through 0Fh processors does not properly ...) {DSA-3128-1 DLA-155-1} - linux 3.14.2-1 - linux-2.6 NOTE: https://lkml.org/lkml/2014/1/14/198 NOTE: Linux commit: https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/commit/?id=3b56496865f9f7d9bcb2f93b44c63f274f08e3b6 (v3.14-rc1) NOTE: Might also be fixed in amd64-microcode, but details are not published (https://packages.qa.debian.org/a/amd64-microcode/news/20141218T224849Z.html) NOTE: and since this is fixed on the kernel-side, only track the kernel packages CVE-2013-6857 RESERVED CVE-2013-6856 RESERVED CVE-2013-6855 RESERVED CVE-2013-6854 RESERVED CVE-2013-6853 (Cross-site scripting (XSS) vulnerability in clickstream.js in Y! Toolb ...) NOT-FOR-US: Y! Toolbar plugin CVE-2013-6852 (Cross-site request forgery (CSRF) vulnerability in html/json.html on H ...) NOT-FOR-US: Hewlett-Packard network equipment CVE-2013-6851 RESERVED CVE-2013-6850 RESERVED CVE-2013-6849 RESERVED CVE-2013-6848 RESERVED CVE-2013-6847 RESERVED CVE-2013-6846 RESERVED CVE-2013-6845 RESERVED CVE-2013-6844 RESERVED CVE-2013-6843 RESERVED CVE-2013-6842 RESERVED CVE-2013-6841 RESERVED CVE-2013-6840 (Siemens COMOS before 9.2.0.8.1, 10.0 before 10.0.3.1.40, and 10.1 befo ...) NOT-FOR-US: Siemens COMOS CVE-2013-6839 (SQL injection vulnerability in InstantSoft InstantCMS 1.10.3 and earli ...) NOT-FOR-US: InstantCMS CVE-2013-6838 (An unspecified Enghouse Interactive Professional Services "addon produ ...) NOT-FOR-US: IVR Pro/Contact Center (VIP2000) CVE-2013-6837 (Cross-site scripting (XSS) vulnerability in the setTimeout function in ...) - web2py (unimportant) NOTE: python-web2py contains /usr/share/web2py/applications/examples/static/js/jquery.prettyPhoto.js NOTE: Only an example code CVE-2013-6836 (Heap-based buffer overflow in the ms_escher_get_data function in plugi ...) - gnumeric 1.12.9-1 (low) [wheezy] - gnumeric (Minor issue) [squeeze] - gnumeric (Minor issue) NOTE: https://projects.gnome.org/gnumeric/announcements/1.12/gnumeric-1.12.9.shtml NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=712772 CVE-2013-6835 (TelephonyUI Framework in Apple iOS 7 before 7.1, when Safari is used, ...) NOT-FOR-US: iOS CVE-2013-6834 (The ql_eioctl function in sys/dev/qlxgbe/ql_ioctl.c in the kernel in F ...) - kfreebsd-9 (Only affects 10.x) - kfreebsd-8 (Only affects 10.x) - kfreebsd-10 10.0~svn258623-1 (bug #730519) CVE-2013-6833 (The qls_eioctl function in sys/dev/qlxge/qls_ioctl.c in the kernel in ...) - kfreebsd-9 (Only affects 10.x) - kfreebsd-8 (Only affects 10.x) - kfreebsd-10 10.0~svn258623-1 (bug #730519) CVE-2013-6832 (The nand_ioctl function in sys/dev/nand/nand_geom.c in the nand driver ...) - kfreebsd-9 (Only affects 10.x) - kfreebsd-8 (Only affects 10.x) - kfreebsd-10 10.0~svn258623-1 (bug #730518) CVE-2013-6831 (PineApp Mail-SeCure 3.70 and earlier on 5099SK and earlier platforms h ...) NOT-FOR-US: PineApp Mail-SeCure CVE-2013-6830 (admin/confnetworking.html in PineApp Mail-SeCure 3.70 and earlier on 5 ...) NOT-FOR-US: PineApp Mail-SeCure CVE-2013-6829 (admin/confnetworking.html in PineApp Mail-SeCure allows remote attacke ...) NOT-FOR-US: PineApp Mail-SeCure CVE-2013-6828 (admin/management.html in PineApp Mail-SeCure allows remote attackers t ...) NOT-FOR-US: PineApp Mail-SeCure CVE-2013-6827 (Absolute path traversal vulnerability in admin/viewmsg.php in PineApp ...) NOT-FOR-US: PineApp Mail-SeCure CVE-2013-6826 (cgi-bin/module//sysmanager/admin/SYSAdminUserDialog in Fortinet FortiA ...) NOT-FOR-US: Fortinet FortiAnalyzer CVE-2013-6825 ((1) movescu.cc and (2) storescp.cc in dcmnet/apps/, (3) dcmnet/libsrc/ ...) - dcmtk 3.6.1~20150629-1 (unimportant) NOTE: http://hmarco.org/bugs/dcmtk-3.6.1-privilege-escalation.html NOTE: Not running with elevated privileges in Debian packaging NOTE: http://git.dcmtk.org/web?p=dcmtk.git;a=commitdiff;h=beaf5a5c24101daeeafa48c375120b16197c9e95;hp=5349794c4c458c76609b7aeb53d0ca28cf9fe9f0 CVE-2013-6824 (Zabbix before 1.8.19rc1, 2.0 before 2.0.10rc1, and 2.2 before 2.2.1rc1 ...) - zabbix 1:2.2.0+dfsg-6 (low) [squeeze] - zabbix (Minor issue) [wheezy] - zabbix (Minor issue) NOTE: https://support.zabbix.com/browse/ZBX-7479 CVE-2013-6823 (GRMGApp in SAP NetWeaver allows remote attackers to bypass intended ac ...) NOT-FOR-US: SAP CVE-2013-6822 (GRMGApp in SAP NetWeaver allows remote attackers to have unspecified i ...) NOT-FOR-US: SAP CVE-2013-6821 (Directory traversal vulnerability in the Exportability Check Service i ...) NOT-FOR-US: SAP CVE-2013-6820 (Unrestricted file upload vulnerability in the SAP NetWeaver Developmen ...) NOT-FOR-US: SAP CVE-2013-6819 (Cross-site scripting (XSS) vulnerability in Performance Provider in SA ...) NOT-FOR-US: SAP CVE-2013-6818 (SAP NetWeaver Logviewer 6.30, when running on Windows, allows remote a ...) NOT-FOR-US: SAP CVE-2013-6817 (Heap-based buffer overflow in SAP Network Interface Router (SAProuter) ...) NOT-FOR-US: SAP CVE-2013-6816 (Multiple cross-site scripting (XSS) vulnerabilities in the (1) JavaDum ...) NOT-FOR-US: SAP CVE-2013-6815 (The SHSTI_UPLOAD_XML function in the Application Server for ABAP (AS A ...) NOT-FOR-US: SAP CVE-2013-6814 (The J2EE Engine in SAP NetWeaver 6.40, 7.02, and earlier allows remote ...) NOT-FOR-US: SAP CVE-2013-6813 RESERVED CVE-2013-6812 (The ONEDC app before 1.7 for iOS does not properly verify X.509 certif ...) NOT-FOR-US: ONEDC app CVE-2013-6811 (Multiple cross-site request forgery (CSRF) vulnerabilities in the D-Li ...) NOT-FOR-US: D-Link CVE-2013-6810 (The server in Brocade Network Advisor before 12.1.0, as used in EMC Co ...) NOT-FOR-US: EMC Connectrix Manager Converged Network Edition CVE-2013-6809 (Format string vulnerability in the client in Tftpd32 before 4.50 allow ...) NOT-FOR-US: Tftpd32 CVE-2013-6808 (Cross-site scripting (XSS) vulnerability in lib/NSSDropoff.php in Zend ...) NOT-FOR-US: ZendTo CVE-2012-6607 (The transform_save function in transform.c in Augeas before 1.0.0 allo ...) - augeas 1.0.0-1 (low) [squeeze] - augeas (Minor issue) [wheezy] - augeas (Minor issue) CVE-2013-6869 (SQL injection vulnerability in the SRTT_GET_COUNT_BEFORE_KEY_RFC funct ...) NOT-FOR-US: Sap NetWeaver CVE-2013-6868 (SAP Sybase Adaptive Server Enterprise (ASE) 15.0.3 before 15.0.3 ESD#4 ...) NOT-FOR-US: SAP Sybase Adaptive Server Enterprise CVE-2013-6867 (Unspecified vulnerability in SAP Sybase Adaptive Server Enterprise (AS ...) NOT-FOR-US: SAP Sybase Adaptive Server Enterprise CVE-2013-6866 (SAP Sybase Adaptive Server Enterprise (ASE) before 15.0.3 ESD#4.3, 15. ...) NOT-FOR-US: SAP Sybase Adaptive Server Enterprise CVE-2013-6865 (SAP Sybase Adaptive Server Enterprise (ASE) 15.0.3 before 15.0.3 ESD#4 ...) NOT-FOR-US: SAP Sybase Adaptive Server Enterprise CVE-2013-6864 (Directory traversal vulnerability in SAP Sybase Adaptive Server Enterp ...) NOT-FOR-US: SAP Sybase Adaptive Server Enterprise CVE-2013-6863 (SAP Sybase Adaptive Server Enterprise (ASE) 15.0.3 before 15.0.3 ESD#4 ...) NOT-FOR-US: SAP Sybase Adaptive Server Enterprise CVE-2013-6862 (Unspecified vulnerability in SAP Sybase Adaptive Server Enterprise (AS ...) NOT-FOR-US: SAP Sybase Adaptive Server Enterprise CVE-2013-6861 (Unspecified vulnerability in SAP Sybase Adaptive Server Enterprise (AS ...) NOT-FOR-US: SAP Sybase Adaptive Server Enterprise CVE-2013-6860 (Unspecified vulnerability in SAP Sybase Adaptive Server Enterprise (AS ...) NOT-FOR-US: SAP Sybase Adaptive Server Enterprise CVE-2013-6859 (SAP Sybase Adaptive Server Enterprise (ASE) before 15.0.3 ESD#4.3. 15. ...) NOT-FOR-US: SAP Sybase Adaptive Server Enterprise CVE-2013-6858 (Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashb ...) - horizon 2013.2-2 (bug #730752) [wheezy] - horizon (Vulnerable code not present) NOTE: https://github.com/openstack/horizon/commit/6179f70290783e55b10bbd4b3b7ee74db3f8ef70 CVE-2013-6807 (The client in OpenText Exceed OnDemand (EoD) 8 supports anonymous ciph ...) NOT-FOR-US: OpenText Exceed OnDemand CVE-2013-6806 (OpenText Exceed OnDemand (EoD) 8 allows man-in-the-middle attackers to ...) NOT-FOR-US: OpenText Exceed onDemand CVE-2013-6805 (OpenText Exceed OnDemand (EoD) 8 uses weak encryption for passwords, w ...) NOT-FOR-US: OpenText Exceed OnDemand CVE-2013-6804 (Cross-site scripting (XSS) vulnerability in the Search module before 1 ...) NOT-FOR-US: Jamroom Search module CVE-2013-6803 RESERVED CVE-2013-6802 (Google Chrome before 31.0.1650.57 allows remote attackers to bypass in ...) {DSA-2799-1} - chromium-browser 31.0.1650.57-1 [squeeze] - chromium-browser CVE-2013-6801 (Microsoft Word 2003 SP2 and SP3 on Windows XP SP3 allows remote attack ...) NOT-FOR-US: Microsoft CVE-2013-6800 (An unspecified third-party database module for the Key Distribution Ce ...) NOTE: Pointless split from CVE-2013-1418 CVE-2013-6799 (Apple Mac OS X 10.9 allows local users to cause a denial of service (m ...) NOT-FOR-US: Apple Mac OS X CVE-2013-6798 (BlackBerry Link before 1.2.1.31 on Windows and before 1.1.1 build 39 o ...) NOT-FOR-US: BlackBerry Link CVE-2013-6797 (Cross-site request forgery (CSRF) vulnerability in bluewrench-video-wi ...) NOT-FOR-US: Wordpress plugin CVE-2013-6796 (The SMTP server in DeepOfix 3.3 and earlier allows remote attackers to ...) NOT-FOR-US: DeepOfix CVE-2013-6795 (The Updater in Rackspace Openstack Windows Guest Agent for XenServer b ...) NOT-FOR-US: Rackspace Windows Agent and Updater CVE-2013-6794 (Cross-site scripting (XSS) vulnerability in the Calendar module in Ola ...) NOT-FOR-US: Olat CVE-2013-6793 (Multiple cross-site scripting (XSS) vulnerabilities in the Calendar mo ...) NOT-FOR-US: Olat CVE-2013-6792 (Google Android prior to 4.4 has an APK Signature Security Bypass Vulne ...) NOT-FOR-US: Android CVE-2013-6791 (Microsoft Enhanced Mitigation Experience Toolkit (EMET) before 4.0 use ...) NOT-FOR-US: Microsoft Enhanced Mitigation Experience Toolkit CVE-2013-6790 RESERVED CVE-2013-6789 (security/MemberLoginForm.php in SilverStripe 3.0.3 supports credential ...) - silverstripe (bug #528461) CVE-2013-6788 (The Bitrix e-Store module before 14.0.1 for Bitrix Site Manager uses s ...) NOT-FOR-US: Bitrix Site Manager CVE-2013-6787 (SQL injection vulnerability in the check_user_password function in mai ...) NOT-FOR-US: Chamilo LMS CVE-2013-6786 (Cross-site scripting (XSS) vulnerability in Allegro RomPager before 4. ...) NOT-FOR-US: Allegro RomPager CVE-2013-6785 (Directory traversal vulnerability in url_redirect.cgi in Supermicro IP ...) NOT-FOR-US: Supermicro IPMI CVE-2013-6784 RESERVED CVE-2013-6783 RESERVED CVE-2013-6782 RESERVED CVE-2013-6781 RESERVED CVE-2013-6780 (Cross-site scripting (XSS) vulnerability in uploader.swf in the Upload ...) - yui (low; bug #730104) [squeeze] - yui (Not backportable, doesn't build from source in oldstable/stable) [wheezy] - yui (Not backportable, doesn't build from source in oldstable/stable) - yui3 - moodle 2.5.3-1 [squeeze] - moodle (Unsupported in squeeze-lts) CVE-2013-6779 RESERVED CVE-2013-6778 RESERVED CVE-2013-6777 RESERVED CVE-2013-6776 RESERVED CVE-2013-6775 (The Chainfire SuperSU package before 1.69 for Android allows attackers ...) NOT-FOR-US: Chainfire SuperSU package CVE-2013-6774 (Untrusted search path vulnerability in the ChainsDD Superuser package ...) NOT-FOR-US: Chainfire SuperSU package CVE-2013-6773 (Splunk 5.0.3 has an Unquoted Service Path in Windows for Universal For ...) NOT-FOR-US: Splunk CVE-2013-6772 (Splunk before 5.0.4 lacks X-Frame-Options which can allow Clickjacking ...) NOT-FOR-US: Splunk CVE-2013-6771 (Directory traversal vulnerability in the collect script in Splunk befo ...) NOT-FOR-US: Splunk CVE-2013-6770 (The CyanogenMod/ClockWorkMod/Koush Superuser package 1.0.2.1 for Andro ...) NOT-FOR-US: CyanogenMod/ClockWorkMod/Koush CVE-2013-6769 (The CyanogenMod/ClockWorkMod/Koush Superuser package 1.0.2.1 for Andro ...) NOT-FOR-US: CyanogenMod/ClockWorkMod/Koush CVE-2013-6768 (Untrusted search path vulnerability in the CyanogenMod/ClockWorkMod/Ko ...) NOT-FOR-US: CyanogenMod/ClockWorkMod/Koush CVE-2013-6767 (Stack-based buffer overflow in pepoly.dll in Quick Heal AntiVirus Pro ...) NOT-FOR-US: QuickHeal AntiVirus CVE-2013-6764 REJECTED CVE-2013-6763 (The uio_mmap_physical function in drivers/uio/uio.c in the Linux kerne ...) NOTE: Red Hat consider this as a non-issue: NOTE: http://seclists.org/oss-sec/2013/q4/282 CVE-2013-6762 REJECTED CVE-2013-6761 REJECTED CVE-2013-6760 REJECTED CVE-2013-6759 REJECTED CVE-2013-6758 REJECTED CVE-2013-6757 REJECTED CVE-2013-6756 REJECTED CVE-2013-6755 REJECTED CVE-2013-6754 REJECTED CVE-2013-6753 REJECTED CVE-2013-6752 REJECTED CVE-2013-6751 REJECTED CVE-2013-6750 RESERVED CVE-2013-6749 (Buffer overflow in the ActiveX control in qp2.cab in IBM Lotus Quickr ...) NOT-FOR-US: IBM Lotus Quickr CVE-2013-6748 (Buffer overflow in the ActiveX control in qp2.cab in IBM Lotus Quickr ...) NOT-FOR-US: IBM Lotus Quickr CVE-2013-6747 (IBM GSKit 7.x before 7.0.4.48 and 8.x before 8.0.50.16, as used in IBM ...) NOT-FOR-US: IBM GSKit CVE-2013-6746 (Cross-site scripting (XSS) vulnerability in FileNet P8 Platform Docume ...) NOT-FOR-US: IBM FileNet Business Process Manager CVE-2013-6745 (Cross-site scripting (XSS) vulnerability in the IMS server before Ifix ...) NOT-FOR-US: IBM CVE-2013-6744 (The Stored Procedure infrastructure in IBM DB2 9.5, 9.7 before FP9a, 1 ...) NOT-FOR-US: IBM DB2 CVE-2013-6743 (Cross-site scripting (XSS) vulnerability in the Meeting Server in IBM ...) NOT-FOR-US: IBM Sametime CVE-2013-6742 (The Meeting Server in IBM Sametime 8.5.2 through 8.5.2.1 and 9.x throu ...) NOT-FOR-US: IBM Sametime CVE-2013-6741 (IBM Maximo Asset Management 7.x before 7.1.1.7 LAFIX.20140319-0837 and ...) NOT-FOR-US: IBM Maximo Asset Management and others CVE-2013-6740 RESERVED CVE-2013-6739 (IBM SPSS Modeler before 16 on UNIX allows remote authenticated users t ...) NOT-FOR-US: IBM CVE-2013-6738 (Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics L ...) NOT-FOR-US: IBM CVE-2013-6737 (IBM System Storage Storwize V7000 Unified 1.3.x and 1.4.x before 1.4.3 ...) NOT-FOR-US: IBM Storwize V7000 Unified CVE-2013-6736 RESERVED CVE-2013-6735 (IBM WebSphere Portal 6.0.0.x through 6.0.0.1, 6.0.1.x through 6.0.1.7, ...) NOT-FOR-US: IBM WebSphere Portal CVE-2013-6734 (IBM WebSphere eXtreme Scale Client 7.1 through 8.6.0.4 does not proper ...) NOT-FOR-US: IBM WebSphere CVE-2013-6733 (Cross-site scripting (XSS) vulnerability in the Web Application in the ...) NOT-FOR-US: IBM Sametime CVE-2013-6732 (Cross-site scripting (XSS) vulnerability in the server in IBM Cognos B ...) NOT-FOR-US: IBM Cognos CVE-2013-6731 (IBM Netezza Performance Portal 2.x before 2.0.0.3 allows remote authen ...) NOT-FOR-US: IBM Netezza CVE-2013-6730 (IBM WebSphere Portal 6.1.0.x through 6.1.0.6 CF27, 6.1.5.x through 6.1 ...) NOT-FOR-US: IBM WebSphere Portal CVE-2013-6729 (Cross-site scripting (XSS) vulnerability in IBM QuickFile 1.0.0.0 befo ...) NOT-FOR-US: IBM QuickFile CVE-2013-6728 (The charting component in IBM WebSphere Dashboard Framework (WDF) 6.1. ...) NOT-FOR-US: IBM WebSphere Dashboard Framework CVE-2013-6727 (The Connect client in IBM Sametime 8.5.2 through 8.5.2.1 and 9.0 befor ...) NOT-FOR-US: IBM Sametime CVE-2013-6726 (Multiple cross-site scripting (XSS) vulnerabilities in WebProcess.srv ...) NOT-FOR-US: IBM TRIRIGA Application Platform CVE-2013-6725 (Cross-site scripting (XSS) vulnerability in the Administrative Console ...) NOT-FOR-US: IBM WebSphere CVE-2013-6724 (Unspecified vulnerability in the vsflex8l ActiveX control in IBM SPSS ...) NOT-FOR-US: IBM SPSS SamplePower CVE-2013-6723 (IBM WebSphere Portal 8.0.0.1 before CF09 does not properly handle refe ...) NOT-FOR-US: IBM WebSphere Portal CVE-2013-6722 (Unrestricted file upload vulnerability in the Registration/Edit My Pro ...) NOT-FOR-US: IBM WebSphere Portal CVE-2013-6721 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Service Regi ...) NOT-FOR-US: IBM WebSphere Service Registry and Repository CVE-2013-6720 (Directory traversal vulnerability in download.php in the Passive Captu ...) NOT-FOR-US: IBM Tealeaf CVE-2013-6719 (delivery.php in the Passive Capture Application (PCA) web console in I ...) NOT-FOR-US: IBM Tealeaf CX CVE-2013-6718 (The Advanced Management Module (AMM) with firmware 3.64B, 3.64C, and 3 ...) NOT-FOR-US: IBM firmware CVE-2013-6717 (The OLAP query engine in IBM DB2 and DB2 Connect 9.7 through FP9, 9.8 ...) NOT-FOR-US: IBM CVE-2013-6716 REJECTED CVE-2013-6715 RESERVED CVE-2013-6714 (The FlashCopy Manager for VMware component in IBM Tivoli Storage Flash ...) NOT-FOR-US: IBM Tivoli Storage FlashCopy Manager CVE-2013-6713 (The Data Protection for VMware component in IBM Tivoli Storage Manager ...) NOT-FOR-US: IBM Tivoli Storage Manager for Virtual Environments CVE-2013-6712 (The scan function in ext/date/lib/parse_iso_intervals.c in PHP through ...) {DSA-2816-1} - php5 5.5.6+dfsg-2 (bug #731112) NOTE: http://git.php.net/?p=php-src.git;a=commit;h=12fe4e90be7bfa2a763197079f68f5568a14e071 CVE-2013-6711 (Cross-site scripting (XSS) vulnerability in the product-creation admin ...) NOT-FOR-US: Cisco CVE-2013-6710 (Cross-site request forgery (CSRF) vulnerability in Cisco WebEx Trainin ...) NOT-FOR-US: Cisco CVE-2013-6709 (The registration component in Cisco WebEx Training Center provides the ...) NOT-FOR-US: Cisco CVE-2013-6708 (Cisco Cloud Portal 9.4 allows remote attackers to read files of unspec ...) NOT-FOR-US: Cisco CVE-2013-6707 (Memory leak in the connection-manager implementation in Cisco Adaptive ...) NOT-FOR-US: Cisco CVE-2013-6706 (The Cisco Express Forwarding processing module in Cisco IOS XE allows ...) NOT-FOR-US: Cisco IOS XE CVE-2013-6705 (The IP Device Tracking (IPDT) feature in Cisco IOS and IOS XE allows r ...) NOT-FOR-US: Cisco CVE-2013-6704 (Cisco IOS XE does not properly manage memory for TFTP UDP flows, which ...) NOT-FOR-US: Cisco CVE-2013-6703 (The TLS/SSLv3 module on Cisco ONS 15454 controller cards allows remote ...) NOT-FOR-US: Cisco CVE-2013-6702 (The management implementation on Cisco ONS 15454 controller cards with ...) NOT-FOR-US: Cisco CVE-2013-6701 (The tNetTaskLimit process on the Transport Node Controller (TNC) on Ci ...) NOT-FOR-US: Cisco CVE-2013-6700 (The SNMP module in Cisco IOS XR allows remote attackers to cause a den ...) NOT-FOR-US: Cisco IOS XR CVE-2013-6699 (The Control and Provisioning of Wireless Access Points (CAPWAP) protoc ...) NOT-FOR-US: Cisco CVE-2013-6698 (The web interface on Cisco Wireless LAN Controller (WLC) devices does ...) NOT-FOR-US: Cisco CVE-2013-6697 RESERVED CVE-2013-6696 (Cisco Adaptive Security Appliance (ASA) Software does not properly han ...) NOT-FOR-US: Cisco CVE-2013-6695 (The RBAC implementation in Cisco Secure Access Control System (ACS) do ...) NOT-FOR-US: Cisco CVE-2013-6694 (The IPSec implementation in Cisco IOS allows remote attackers to cause ...) NOT-FOR-US: Cisco CVE-2013-6693 (The MLDP implementation in Cisco IOS 15.3(3)S and earlier on 7600 rout ...) NOT-FOR-US: Cisco CVE-2013-6692 (Cisco IOS XE 3.8S(.2) and earlier does not properly use a DHCP pool du ...) NOT-FOR-US: Cisco CVE-2013-6691 (The WebVPN CIFS implementation in Cisco Adaptive Security Appliance (A ...) NOT-FOR-US: Cisco ASA CVE-2013-6690 (Multiple cross-site scripting (XSS) vulnerabilities in the web interfa ...) NOT-FOR-US: Cisco CVE-2013-6689 (Cisco Unified Communications Manager (Unified CM) 9.1(1) and earlier a ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2013-6688 (Directory traversal vulnerability in the license-upload interface in t ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2013-6687 (The web portal in the Enterprise License Manager component in Cisco We ...) NOT-FOR-US: Cisco WebEx Meetings Server CVE-2013-6686 (The SSL VPN implementation in Cisco IOS 15.3(1)T2 and earlier allows r ...) NOT-FOR-US: Cisco IOS CVE-2013-6685 (The firmware on Cisco Unified IP phones 8961, 9951, and 9971 uses weak ...) NOT-FOR-US: Cisco Unified IP phones CVE-2013-6684 (The web framework on Cisco Wireless LAN Controller (WLC) devices does ...) NOT-FOR-US: Cisco Wireless LAN Controller CVE-2013-6683 (The IPv6 implementation in Cisco NX-OS does not properly handle neighb ...) NOT-FOR-US: Cisco NX-OS CVE-2013-6682 (The phone-proxy implementation in Cisco Adaptive Security Appliance (A ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2013-6681 (Tube Map Live Underground for Android before 3.0.22 has an Information ...) NOT-FOR-US: Tube Map Live Underground for Android CVE-2013-6680 REJECTED CVE-2013-6679 REJECTED CVE-2013-6678 REJECTED CVE-2013-6677 REJECTED CVE-2013-6676 REJECTED CVE-2013-6675 REJECTED CVE-2013-6674 (Cross-site scripting (XSS) vulnerability in Mozilla Thunderbird 17.x t ...) - icedove 24.2.0-1 [squeeze] - icedove NOTE: http://www.mozilla.org/security/announce/2014/mfsa2014-14.html CVE-2013-6673 (Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird ...) - iceweasel 24.2.0esr-1 [squeeze] - iceweasel - icedove 24.2.0-1 [squeeze] - icedove - iceape [wheezy] - iceape [squeeze] - iceape CVE-2013-6672 (Mozilla Firefox before 26.0 and SeaMonkey before 2.23 on Linux allow u ...) - iceweasel (Only affects Firefox 25) - iceape (Only affects Firefox 25) CVE-2013-6671 (The nsGfxScrollFrameInner::IsLTR function in Mozilla Firefox before 26 ...) - iceweasel 24.2.0esr-1 - icedove 24.2.0-1 - iceape [squeeze] - iceweasel [squeeze] - icedove [wheezy] - iceape [squeeze] - iceape CVE-2013-6670 RESERVED CVE-2013-6669 RESERVED CVE-2013-6668 (Multiple unspecified vulnerabilities in Google V8 before 3.24.35.10, a ...) {DSA-2883-1} - chromium-browser 33.0.1750.152-1 [squeeze] - chromium-browser - libv8 [wheezy] - libv8 (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 (Unsupported in squeeze-lts) - libv8-3.14 (unimportant; bug #773671) NOTE: libv8 not covered by security support CVE-2013-6667 (Multiple unspecified vulnerabilities in Google Chrome before 33.0.1750 ...) {DSA-2883-1} - chromium-browser 33.0.1750.152-1 [squeeze] - chromium-browser CVE-2013-6666 (The PepperFlashRendererHost::OnNavigate function in renderer/pepper/pe ...) {DSA-2883-1} - chromium-browser 33.0.1750.152-1 [squeeze] - chromium-browser CVE-2013-6665 (Heap-based buffer overflow in the ResourceProvider::InitializeSoftware ...) {DSA-2883-1} - chromium-browser 33.0.1750.152-1 [squeeze] - chromium-browser CVE-2013-6664 (Use-after-free vulnerability in the FormAssociatedElement::formRemoved ...) {DSA-2883-1} - chromium-browser 33.0.1750.152-1 [squeeze] - chromium-browser CVE-2013-6663 (Use-after-free vulnerability in the SVGImage::setContainerSize functio ...) {DSA-2883-1} - chromium-browser 33.0.1750.152-1 [squeeze] - chromium-browser CVE-2013-6662 (Google Chrome caches TLS sessions before certificate validation occurs ...) NOTE: Chrome issue fixed end of 2013, not really worth figuring out in which version CVE-2013-6661 (Multiple unspecified vulnerabilities in Google Chrome before 33.0.1750 ...) {DSA-2883-1} - chromium-browser 33.0.1750.152-1 [squeeze] - chromium-browser CVE-2013-6660 (The drag-and-drop implementation in Google Chrome before 33.0.1750.117 ...) {DSA-2883-1} - chromium-browser 33.0.1750.152-1 [squeeze] - chromium-browser CVE-2013-6659 (The SSLClientSocketNSS::Core::OwnAuthCertHandler function in net/socke ...) {DSA-2883-1} - chromium-browser 33.0.1750.152-1 [squeeze] - chromium-browser CVE-2013-6658 (Multiple use-after-free vulnerabilities in the layout implementation i ...) {DSA-2883-1} - chromium-browser 33.0.1750.152-1 [squeeze] - chromium-browser CVE-2013-6657 (core/html/parser/XSSAuditor.cpp in the XSS auditor in Blink, as used i ...) {DSA-2883-1} - chromium-browser 33.0.1750.152-1 [squeeze] - chromium-browser CVE-2013-6656 (The XSSAuditor::init function in core/html/parser/XSSAuditor.cpp in th ...) {DSA-2883-1} - chromium-browser 33.0.1750.152-1 [squeeze] - chromium-browser CVE-2013-6655 (Use-after-free vulnerability in Blink, as used in Google Chrome before ...) {DSA-2883-1} - chromium-browser 33.0.1750.152-1 [squeeze] - chromium-browser CVE-2013-6654 (The SVGAnimateElement::calculateAnimatedValue function in core/svg/SVG ...) {DSA-2883-1} - chromium-browser 33.0.1750.152-1 [squeeze] - chromium-browser CVE-2013-6653 (Use-after-free vulnerability in the web contents implementation in Goo ...) {DSA-2883-1} - chromium-browser 33.0.1750.152-1 [squeeze] - chromium-browser CVE-2013-6652 (Directory traversal vulnerability in sandbox/win/src/named_pipe_dispat ...) - chromium-browser (Windows-specific) CVE-2013-6651 RESERVED CVE-2013-6650 (The StoreBuffer::ExemptPopularPages function in store-buffer.cc in Goo ...) {DSA-2862-1} - chromium-browser 32.0.1700.123-1 [squeeze] - chromium-browser - libv8 [wheezy] - libv8 (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 (Unsupported in squeeze-lts) - libv8-3.14 (unimportant; bug #773671) NOTE: libv8 not covered by security support CVE-2013-6649 (Use-after-free vulnerability in the RenderSVGImage::paint function in ...) {DSA-2862-1} - chromium-browser 32.0.1700.123-1 [squeeze] - chromium-browser - libv8 [wheezy] - libv8 (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 (Unsupported in squeeze-lts) - libv8-3.14 (unimportant; bug #773671) NOTE: libv8 not covered by security support CVE-2013-6648 (SkRegion::setPath in Skia allows remote attackers to cause a denial of ...) - skia (bug #818180) CVE-2013-6647 (A use-after-free in AnimationController::endAnimationUpdate in Google ...) - chromium-browser (According to upstream bug only affected interim version, not a stable release) CVE-2013-6646 (Use-after-free vulnerability in the Web Workers implementation in Goog ...) {DSA-2862-1} - chromium-browser 32.0.1700.123-1 [squeeze] - chromium-browser CVE-2013-6645 (Use-after-free vulnerability in the OnWindowRemovingFromRootWindow fun ...) {DSA-2862-1} - chromium-browser 32.0.1700.123-1 [squeeze] - chromium-browser CVE-2013-6644 (Multiple unspecified vulnerabilities in Google Chrome before 32.0.1700 ...) {DSA-2862-1} - chromium-browser 32.0.1700.123-1 [squeeze] - chromium-browser CVE-2013-6643 (The OneClickSigninBubbleView::WindowClosing function in browser/ui/vie ...) {DSA-2862-1} - chromium-browser 32.0.1700.123-1 [squeeze] - chromium-browser CVE-2013-6642 (Google Chrome through 32.0.1700.23 on Android allows remote attackers ...) - chromium-browser (only affects google chrome on android) CVE-2013-6641 (Use-after-free vulnerability in the FormAssociatedElement::formRemoved ...) {DSA-2862-1} - chromium-browser 32.0.1700.123-1 [squeeze] - chromium-browser CVE-2013-6640 (The DehoistArrayIndex function in hydrogen-dehoist.cc (aka hydrogen.cc ...) {DSA-2811-1} - libv8 [wheezy] - libv8 (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 (Unsupported in squeeze-lts) - libv8-3.14 3.14.5.8-5 - chromium-browser 31.0.1650.63-1 [squeeze] - chromium-browser CVE-2013-6639 (The DehoistArrayIndex function in hydrogen-dehoist.cc (aka hydrogen.cc ...) {DSA-2811-1} - libv8 [wheezy] - libv8 (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 (Unsupported in squeeze-lts) - libv8-3.14 3.14.5.8-5 - chromium-browser 31.0.1650.63-1 [squeeze] - chromium-browser CVE-2013-6638 (Multiple buffer overflows in runtime.cc in Google V8 before 3.22.24.7, ...) {DSA-2811-1} - libv8 [wheezy] - libv8 (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 (Unsupported in squeeze-lts) - libv8-3.14 (unimportant; bug #773671) - chromium-browser 31.0.1650.63-1 [squeeze] - chromium-browser NOTE: libv8 not covered by security support CVE-2013-6637 (Multiple unspecified vulnerabilities in Google Chrome before 31.0.1650 ...) {DSA-2811-1} - chromium-browser 31.0.1650.63-1 [squeeze] - chromium-browser CVE-2013-6636 (The FrameLoader::notifyIfInitialDocumentAccessed function in core/load ...) {DSA-2811-1} - chromium-browser 31.0.1650.63-1 [squeeze] - chromium-browser CVE-2013-6635 (Use-after-free vulnerability in the editing implementation in Blink, a ...) {DSA-2811-1} - chromium-browser 31.0.1650.63-1 [squeeze] - chromium-browser CVE-2013-6634 (The OneClickSigninHelper::ShowInfoBarIfPossible function in browser/ui ...) {DSA-2811-1} - chromium-browser 31.0.1650.63-1 [squeeze] - chromium-browser CVE-2013-6633 RESERVED CVE-2013-6620 RESERVED CVE-2013-6619 RESERVED CVE-2013-6618 (jsdm/ajax/port.php in J-Web in Juniper Junos before 10.4R13, 11.4 befo ...) NOT-FOR-US: Juniper Junos CVE-2013-6617 (The salt master in Salt (aka SaltStack) 0.11.0 through 0.17.0 does not ...) - salt 0.17.1+dfsg-1 CVE-2011-5267 (Multiple cross-site scripting (XSS) vulnerabilities in spell-check-sav ...) NOT-FOR-US: SpellChecker module in Xinha CVE-2013-6766 (OpenVAS Administrator 1.2 before 1.2.2 and 1.3 before 1.3.2 allows rem ...) NOT-FOR-US: OpenVAS Administrator (only uploaded to exp 2.5 years ago) CVE-2013-6765 (OpenVAS Manager 3.0 before 3.0.7 and 4.0 before 4.0.4 allows remote at ...) NOT-FOR-US: OpenVAS Manager (only uploaded to experimental 2.5 years ago) CVE-2013-6632 (Integer overflow in Google Chrome before 31.0.1650.57 allows remote at ...) {DSA-2799-1} - chromium-browser 31.0.1650.57-1 [squeeze] - chromium-browser CVE-2013-6631 (Use-after-free vulnerability in the Channel::SendRTCPPacket function i ...) {DSA-2799-1} - chromium-browser 31.0.1650.57-1 [squeeze] - chromium-browser CVE-2013-6630 (The get_dht function in jdmarker.c in libjpeg-turbo through 1.3.0, as ...) {DSA-2799-1} - chromium-browser 31.0.1650.57-1 [squeeze] - chromium-browser - libjpeg-turbo 1.3.0-3 (low; bug #729873) - libjpeg6b 6b1-4 (low; bug #729867) [squeeze] - libjpeg6b (Minor issue) [wheezy] - libjpeg6b 6b1-3+deb7u1 - libjpeg8 8d-2 (low; bug #729867) [squeeze] - libjpeg8 (Minor issue) [wheezy] - libjpeg8 8d-1+deb7u1 - iceweasel 24.2.0esr-1 [squeeze] - iceweasel - icedove 24.2.0-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape NOTE: http://packetstormsecurity.com/files/123989/IJG-jpeg6b-libjpeg-turbo-Uninitialized-Memory.html CVE-2013-6629 (The get_sos function in jdmarker.c in (1) libjpeg 6b and (2) libjpeg-t ...) {DSA-2923-1 DSA-2799-1} - chromium-browser 31.0.1650.57-1 [squeeze] - chromium-browser - libjpeg-turbo 1.3.0-3 (low; bug #729873) - libjpeg6b 6b1-4 (low; bug #729867) [wheezy] - libjpeg6b 6b1-3+deb7u1 [squeeze] - libjpeg6b (Minor issue) - libjpeg8 8d-2 (low; bug #729867) [squeeze] - libjpeg8 (Minor issue) [wheezy] - libjpeg8 8d-1+deb7u1 - iceweasel 24.2.0esr-1 [squeeze] - iceweasel - icedove 24.2.0-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape NOTE: http://packetstormsecurity.com/files/123989/IJG-jpeg6b-libjpeg-turbo-Uninitialized-Memory.html CVE-2013-6628 (net/socket/ssl_client_socket_nss.cc in the TLS implementation in Googl ...) {DSA-2799-1} - chromium-browser 31.0.1650.57-1 [squeeze] - chromium-browser CVE-2013-6627 (net/http/http_stream_parser.cc in Google Chrome before 31.0.1650.48 do ...) {DSA-2799-1} - chromium-browser 31.0.1650.57-1 [squeeze] - chromium-browser CVE-2013-6626 (The WebContentsImpl::AttachInterstitialPage function in content/browse ...) {DSA-2799-1} - chromium-browser 31.0.1650.57-1 [squeeze] - chromium-browser CVE-2013-6625 (Use-after-free vulnerability in core/dom/ContainerNode.cpp in Blink, a ...) {DSA-2799-1} - chromium-browser 31.0.1650.57-1 [squeeze] - chromium-browser CVE-2013-6624 (Use-after-free vulnerability in Google Chrome before 31.0.1650.48 allo ...) {DSA-2799-1} - chromium-browser 31.0.1650.57-1 [squeeze] - chromium-browser CVE-2013-6623 (The SVG implementation in Blink, as used in Google Chrome before 31.0. ...) {DSA-2799-1} - chromium-browser 31.0.1650.57-1 [squeeze] - chromium-browser CVE-2013-6622 (Use-after-free vulnerability in the HTMLMediaElement::didMoveToNewDocu ...) {DSA-2799-1} - chromium-browser 31.0.1650.57-1 [squeeze] - chromium-browser CVE-2013-6621 (Use-after-free vulnerability in Google Chrome before 31.0.1650.48 allo ...) {DSA-2799-1} - chromium-browser 31.0.1650.57-1 [squeeze] - chromium-browser CVE-2013-6616 REJECTED CVE-2013-6615 REJECTED CVE-2013-6614 REJECTED CVE-2013-6613 REJECTED CVE-2013-6612 REJECTED CVE-2013-6611 REJECTED CVE-2013-6610 REJECTED CVE-2013-6609 REJECTED CVE-2013-6608 REJECTED CVE-2013-6607 REJECTED CVE-2013-6606 REJECTED CVE-2013-6605 REJECTED CVE-2013-6604 REJECTED CVE-2013-6603 REJECTED CVE-2013-6602 REJECTED CVE-2013-6601 REJECTED CVE-2013-6600 REJECTED CVE-2013-6599 REJECTED CVE-2013-6598 REJECTED CVE-2013-6597 REJECTED CVE-2013-6596 REJECTED CVE-2013-6595 REJECTED CVE-2013-6594 REJECTED CVE-2013-6593 REJECTED CVE-2013-6592 REJECTED CVE-2013-6591 REJECTED CVE-2013-6590 REJECTED CVE-2013-6589 REJECTED CVE-2013-6588 REJECTED CVE-2013-6587 REJECTED CVE-2013-6586 REJECTED CVE-2013-6585 REJECTED CVE-2013-6584 REJECTED CVE-2013-6583 REJECTED CVE-2013-6582 REJECTED CVE-2013-6581 REJECTED CVE-2013-6580 REJECTED CVE-2013-6579 REJECTED CVE-2013-6578 REJECTED CVE-2013-6577 REJECTED CVE-2013-6576 REJECTED CVE-2013-6575 REJECTED CVE-2013-6574 REJECTED CVE-2013-6573 REJECTED CVE-2013-6572 REJECTED CVE-2013-6571 REJECTED CVE-2013-6570 REJECTED CVE-2013-6569 REJECTED CVE-2013-6568 REJECTED CVE-2013-6567 REJECTED CVE-2013-6566 REJECTED CVE-2013-6565 REJECTED CVE-2013-6564 REJECTED CVE-2013-6563 REJECTED CVE-2013-6562 REJECTED CVE-2013-6561 REJECTED CVE-2013-6560 REJECTED CVE-2013-6559 REJECTED CVE-2013-6558 REJECTED CVE-2013-6557 REJECTED CVE-2013-6556 REJECTED CVE-2013-6555 REJECTED CVE-2013-6554 REJECTED CVE-2013-6553 REJECTED CVE-2013-6552 REJECTED CVE-2013-6551 REJECTED CVE-2013-6550 REJECTED CVE-2013-6549 REJECTED CVE-2013-6548 REJECTED CVE-2013-6547 REJECTED CVE-2013-6546 REJECTED CVE-2013-6545 REJECTED CVE-2013-6544 REJECTED CVE-2013-6543 REJECTED CVE-2013-6542 REJECTED CVE-2013-6541 REJECTED CVE-2013-6540 REJECTED CVE-2013-6539 REJECTED CVE-2013-6538 REJECTED CVE-2013-6537 REJECTED CVE-2013-6536 REJECTED CVE-2013-6535 REJECTED CVE-2013-6534 REJECTED CVE-2013-6533 REJECTED CVE-2013-6532 REJECTED CVE-2013-6531 REJECTED CVE-2013-6530 REJECTED CVE-2013-6529 REJECTED CVE-2013-6528 REJECTED CVE-2013-6527 REJECTED CVE-2013-6526 REJECTED CVE-2013-6525 REJECTED CVE-2013-6524 REJECTED CVE-2013-6523 REJECTED CVE-2013-6522 REJECTED CVE-2013-6521 REJECTED CVE-2013-6520 REJECTED CVE-2013-6519 REJECTED CVE-2013-6518 REJECTED CVE-2013-6517 REJECTED CVE-2013-6516 REJECTED CVE-2013-6515 REJECTED CVE-2013-6514 REJECTED CVE-2013-6513 REJECTED CVE-2013-6512 REJECTED CVE-2013-6511 REJECTED CVE-2013-6510 REJECTED CVE-2013-6509 REJECTED CVE-2013-6508 REJECTED CVE-2013-6507 REJECTED CVE-2013-6506 RESERVED CVE-2013-6505 RESERVED CVE-2013-6504 RESERVED CVE-2013-6503 RESERVED CVE-2013-6502 RESERVED CVE-2013-6501 (The default soap.wsdl_cache_dir setting in (1) php.ini-production and ...) - php5 (unimportant) NOTE: Rendererd unexpoitable by kernel level hardening for tmp races CVE-2013-6500 REJECTED CVE-2013-6499 REJECTED CVE-2013-6498 RESERVED CVE-2013-6497 (clamscan in ClamAV before 0.98.5, when using -a option, allows remote ...) {DLA-95-1} - clamav 0.98.5+dfsg-1 [wheezy] - clamav 0.98.5+dfsg-0+deb7u1 NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11088 CVE-2013-6496 (Red Hat Conga 0.12.2 allows remote attackers to obtain sensitive infor ...) NOT-FOR-US: Red Hat Conga CVE-2013-6495 (JBossWeb Bayeux has reflected XSS ...) NOT-FOR-US: JBossWeb Bayeux CVE-2013-6494 (fedup 0.9.0 in Fedora 19, 20, and 21 uses a temporary directory with a ...) NOT-FOR-US: fedup (Fedora specific) CVE-2013-6493 (The LiveConnect implementation in plugin/icedteanp/IcedTeaNPPlugin.cc ...) - icedtea-web 1.4.2-1 (low) [wheezy] - icedtea-web (Minor issue) CVE-2013-6492 (The Piranha Configuration Tool in Piranha 0.8.6 does not properly rest ...) NOT-FOR-US: Pirhana CVE-2013-6491 (The python-qpid client (common/rpc/impl_qpid.py) in OpenStack Oslo bef ...) - nova 2013.2.3-1 [wheezy] - nova (Minor issue) CVE-2013-6490 (The SIMPLE protocol functionality in Pidgin before 2.10.8 allows remot ...) {DSA-2859-2 DSA-2859-1} - pidgin 2.10.8-1 CVE-2013-6489 (Integer signedness error in the MXit functionality in Pidgin before 2. ...) {DSA-2859-1} - pidgin 2.10.8-1 [squeeze] - pidgin (Support in oldstable is limited to IRC, Jabber/XMPP, Sametime and SIMPLE) CVE-2013-6488 REJECTED CVE-2013-6487 (Integer overflow in libpurple/protocols/gg/lib/http.c in the Gadu-Gadu ...) {DSA-2859-1 DSA-2852-1} - pidgin 2.10.8-1 [squeeze] - pidgin (Support in oldstable is limited to IRC, Jabber/XMPP, Sametime and SIMPLE) - libgadu 1:1.11.3-1 CVE-2013-6486 (gtkutils.c in Pidgin before 2.10.8 on Windows allows user-assisted rem ...) - pidgin (Windows-specific) CVE-2013-6485 (Buffer overflow in util.c in libpurple in Pidgin before 2.10.8 allows ...) {DSA-2859-2 DSA-2859-1} - pidgin 2.10.8-1 CVE-2013-6484 (The STUN protocol implementation in libpurple in Pidgin before 2.10.8 ...) {DSA-2859-1} - pidgin 2.10.8-1 [squeeze] - pidgin (Support in oldstable is limited to IRC, Jabber/XMPP, Sametime and SIMPLE) CVE-2013-6483 (The XMPP protocol plugin in libpurple in Pidgin before 2.10.8 does not ...) {DSA-2859-1} - pidgin 2.10.8-1 [squeeze] - pidgin (Not suitable for code injection) CVE-2013-6482 (Pidgin before 2.10.8 allows remote MSN servers to cause a denial of se ...) {DSA-2859-1} - pidgin 2.10.8-1 [squeeze] - pidgin (Support in oldstable is limited to IRC, Jabber/XMPP, Sametime and SIMPLE) CVE-2013-6481 (libpurple/protocols/yahoo/libymsg.c in Pidgin before 2.10.8 allows rem ...) {DSA-2859-1} - pidgin 2.10.8-1 [squeeze] - pidgin (Support in oldstable is limited to IRC, Jabber/XMPP, Sametime and SIMPLE) CVE-2013-6480 (Libcloud 0.12.3 through 0.13.2 does not set the scrub_data parameter f ...) - libcloud (affects 0.12.3 to 0.13.3) NOTE: version prior to 0.12.3 don't include a DigitalOcean driver CVE-2013-6479 (util.c in libpurple in Pidgin before 2.10.8 does not properly allocate ...) {DSA-2859-1} - pidgin 2.10.8-1 [squeeze] - pidgin (Not suitable for code injection) CVE-2013-6478 (gtkimhtml.c in Pidgin before 2.10.8 does not properly interact with un ...) {DSA-2859-1} - pidgin 2.10.8-1 [squeeze] - pidgin (Support in oldstable is limited to IRC, Jabber/XMPP, Sametime and SIMPLE) CVE-2013-6477 (Multiple integer signedness errors in libpurple in Pidgin before 2.10. ...) {DSA-2859-1} - pidgin 2.10.8-1 [squeeze] - pidgin (Not suitable for code injection) CVE-2013-6476 (The OPVPWrapper::loadDriver function in oprs/OPVPWrapper.cxx in the pd ...) {DSA-2876-1 DSA-2875-1} - cups-filters 1.0.47-1 (bug #741318) - cups 1.5.0-16 (bug #741333) NOTE: cups moved filters to separate package in 1.5.0-16 NOTE: in oldstable present in debian/local/filters/pdf-filters/pdftoopvp NOTE: http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7176 CVE-2013-6475 (Multiple integer overflows in (1) OPVPOutputDev.cxx and (2) oprs/OPVPS ...) {DSA-2876-1 DSA-2875-1} - cups-filters 1.0.47-1 (bug #741318) - cups 1.5.0-16 (bug #741333) NOTE: cups moved filters to separate package in 1.5.0-16 NOTE: in oldstable present in debian/local/filters/pdf-filters/pdftoopvp NOTE: http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7176 CVE-2013-6474 (Heap-based buffer overflow in the pdftoopvp filter in CUPS and cups-fi ...) {DSA-2876-1 DSA-2875-1} - cups-filters 1.0.47-1 (bug #741318) - cups 1.5.0-16 (bug #741333) NOTE: cups moved filters to separate package in 1.5.0-16 NOTE: in oldstable present in debian/local/filters/pdf-filters/pdftoopvp NOTE: http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7176 CVE-2013-6473 (Multiple heap-based buffer overflows in the urftopdf filter in cups-fi ...) - cups-filters 1.0.47-1 (bug #741318) [wheezy] - cups-filters (does not contain urftopdf filter) NOTE: http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7175 CVE-2013-6472 (MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 ...) {DSA-2891-1} - mediawiki 1:1.19.10+dfsg-1 [squeeze] - mediawiki NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=58699 CVE-2013-6471 RESERVED CVE-2013-6470 (The default configuration in the standalone controller quickstack mani ...) NOT-FOR-US: openstack foreman-installer CVE-2013-6469 (JBoss Overlord Run Time Governance (RTGov) 1.0 for JBossAS allows remo ...) NOT-FOR-US: JBoss SOA RTgov CVE-2013-6468 (JBoss Drools, Red Hat JBoss BRMS before 6.0.1, and Red Hat JBoss BPM S ...) NOT-FOR-US: JBoss Drolls CVE-2013-6467 (Libreswan 3.7 and earlier allows remote attackers to cause a denial of ...) - libreswan (Fixed before the initial upload to Debian) NOTE: https://libreswan.org/security/CVE-2013-6467/CVE-2013-6467.txt CVE-2013-6466 (Openswan 2.6.39 and earlier allows remote attackers to cause a denial ...) {DSA-2893-1} - openswan (bug #737406) NOTE: https://libreswan.org/security/CVE-2013-6467/CVE-2013-6467.txt CVE-2013-6465 (Multiple cross-site scripting (XSS) vulnerabilities in JBPM KIE Workbe ...) NOT-FOR-US: JBPM KIE Workbench CVE-2013-6464 RESERVED CVE-2013-6463 REJECTED CVE-2013-6462 (Stack-based buffer overflow in the bdfReadCharacters function in bitma ...) {DSA-2838-1} - libxfont 1:1.4.7-1 CVE-2013-6461 (Nokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by fai ...) - ruby-nokogiri (jruby implementation not shiped) - libnokogiri-ruby (1.4 and earlier not affected) NOTE: https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA CVE-2013-6460 (Nokogiri gem 1.5.x has Denial of Service via infinite loop when parsin ...) - ruby-nokogiri (jruby implementation not shiped) - libnokogiri-ruby (1.4 and earlier not affected) NOTE: https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA CVE-2013-6459 (Cross-site scripting (XSS) vulnerability in the will_paginate gem befo ...) - ruby-will-paginate 3.0.5-1 (low; bug #733209) [wheezy] - ruby-will-paginate (Minor issue) - libwill-paginate-ruby [squeeze] - libwill-paginate-ruby (Minor issue) NOTE: https://github.com/mislav/will_paginate/releases/tag/v3.0.5 CVE-2013-6458 (Multiple race conditions in the (1) virDomainBlockStats, (2) virDomain ...) {DSA-2846-1} - libvirt 1.2.1-1 (bug #734556) [squeeze] - libvirt (Unsupported in squeeze-lts) NOTE: https://www.redhat.com/archives/libvir-list/2013-December/msg01202.html NOTE: upstream fix: http://libvirt.org/git/?p=libvirt.git;a=commit;h=db86da5ca2109e4006c286a09b6c75bfe10676ad CVE-2013-6457 (The libxlDomainGetNumaParameters function in the libxl driver (libxl/l ...) - libvirt 1.2.1-1 [wheezy] - libvirt (Vulnerable code not present) [squeeze] - libvirt (Vulnerable code not present) NOTE: https://www.redhat.com/archives/libvir-list/2013-December/msg01258.html NOTE: http://libvirt.org/git/?p=libvirt.git;a=commit;h=f9ee91d35510ccbc6fc42cef8864b291b2d220f4 NOTE: Introduced in http://libvirt.org/git/?p=libvirt.git;a=commit;h=261c4f5fb93c5e23b8002f2760d4a7937cdb7f63 CVE-2013-6456 (The LXC driver (lxc/lxc_driver.c) in libvirt 1.0.1 through 1.2.1 allow ...) - libvirt 1.2.3-1 (bug #732394) [wheezy] - libvirt (Vulnerable code not present, introduced in v1.0.1) [squeeze] - libvirt (Vulnerable code not present, introduced in v1.0.1) CVE-2013-6455 (The CentralAuth extension for MediaWiki before 1.19.10, 1.2x before 1. ...) NOT-FOR-US: Mediawiki CentralAuth extension CVE-2013-6454 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, ...) {DSA-2891-1} - mediawiki 1:1.19.10+dfsg-1 [squeeze] - mediawiki NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=58472 CVE-2013-6453 (MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 ...) {DSA-2891-1} - mediawiki 1:1.19.10+dfsg-1 [squeeze] - mediawiki NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=58553 CVE-2013-6452 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, ...) {DSA-2891-1} - mediawiki 1:1.19.10+dfsg-1 [squeeze] - mediawiki NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=57550 CVE-2013-6451 (Cross-site scripting (XSS) vulnerability in MediaWiki 1.19.9 before 1. ...) - mediawiki 1:1.19.10+dfsg-1 [squeeze] - mediawiki NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=58088 NOTE: Introduced by the fix for CVE-2013-4568 CVE-2013-6450 (The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l ...) {DSA-2833-1} - openssl 1.0.1e-5 (low) [squeeze] - openssl (Versions earlier than 1.0.0 are not affected) CVE-2013-6449 (The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0. ...) {DSA-2833-1} - openssl 1.0.1e-5 (bug #732754) [squeeze] - openssl (TLS 1.2 support introduced in 1.0.1) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1045363 NOTE: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ca98926 NOTE: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0294b2b CVE-2013-6448 (The InterfaceGenerator handler in JBoss Seam Remoting in JBoss Seam 2 ...) NOT-FOR-US: JBoss Seam CVE-2013-6447 (Multiple XML External Entity (XXE) vulnerabilities in the (1) Executio ...) NOT-FOR-US: JBoss Seam CVE-2013-6446 (The JobHistory Server in Cloudera CDH 4.x before 4.6.0 and 5.x before ...) NOT-FOR-US: Cloudera CVE-2013-6445 (Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG ...) NOT-FOR-US: Cumin CVE-2013-6444 (PyWBEM 0.7 and earlier does not verify that the server hostname matche ...) - pywbem 0.8.0~dev650-1 (bug #732594) [squeeze] - pywbem (Minor issue) [wheezy] - pywbem (Minor issue) NOTE: Fix: https://bugzilla.redhat.com/attachment.cgi?id=851357 CVE-2013-6443 (CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attacker ...) NOT-FOR-US: RedHat CloudForms Management Engine CVE-2013-6442 (The owner_set function in smbcacls.c in smbcacls in Samba 4.0.x before ...) - samba 2:4.1.6+dfsg-1 (low) [squeeze] - samba (Only affects 4.x and later) [wheezy] - samba (Only affects 4.x and later) - samba4 [wheezy] - samba4 4.0.0~beta2+dfsg1-3.2+deb7u1 NOTE: http://www.samba.org/samba/security/CVE-2013-6442 CVE-2013-6441 (The lxc-sshd template (templates/lxc-sshd.in) in LXC before 1.0.0.beta ...) {DLA-442-1} - lxc 1.0.0-1 (unimportant) NOTE: getting root on host, if not using unprivileged containers or NOTE: restricting the containers with apparmor or selinux. NOTE: CVE is kept as no official documentation explicitly document this fact NOTE: https://github.com/lxc/lxc/commit/f4d5cc8e1f39d132b61e110674528cac727ae0e2 (lxc-1.0.0.beta2) CVE-2013-6440 (The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, ...) - opensaml2 (Debian provides the C-based Shibboleth implementation) NOTE: http://shibboleth.net/community/advisories/secadv_20131213.txt NOTE: http://blog.sendsafely.com/post/69590974866/web-based-single-sign-on-and-the-dangers-of-saml-xml CVE-2013-6439 (Candlepin in Red Hat Subscription Asset Manager 1.0 through 1.3 uses a ...) NOT-FOR-US: Candlepin CVE-2013-6438 (The dav_xml_get_cdata function in main/util.c in the mod_dav module in ...) {DLA-66-1} - apache2 2.4.9-1 [wheezy] - apache2 2.2.22-13+deb7u2 CVE-2013-6437 (The libvirt driver in OpenStack Compute (Nova) before 2013.2.2 and ice ...) - nova 2013.2.2 [wheezy] - nova (Vulnerable code not present) CVE-2013-6436 (The lxcDomainGetMemoryParameters method in lxc/lxc_driver.c in libvirt ...) - libvirt 1.2.0-1 [squeeze] - libvirt (vulnerable code not present, introduced in 1.1) [wheezy] - libvirt (vulnerable code not present, introduced in 1.1) CVE-2013-6435 (Race condition in RPM 4.11.1 and earlier allows remote attackers to ex ...) {DSA-3129-1 DLA-140-1} - rpm 4.11.3-1.1 (bug #773101) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1039811 CVE-2013-6434 (The remote-viewer in Red Hat Enterprise Virtualization Manager (RHEV-M ...) NOT-FOR-US: RHEV Manager CVE-2013-6433 (The default configuration in the Red Hat openstack-neutron package bef ...) - quantum [wheezy] - quantum (Minor issue) - neutron 2014.1-1 NOTE: Likely fixed even earlier than 2014.1-1, but that was the oldest version checked CVE-2013-6432 (The ping_recvmsg function in net/ipv4/ping.c in the Linux kernel befor ...) - linux 3.12.6-1 [wheezy] - linux (Vulnerable code introduced in 3.11) - linux-2.6 (Vulnerable code introduced in 3.11) NOTE: Introduced by https://git.kernel.org/linus/6d0bfe22611602f36617bc7aa2ffa1bbb2f54c67 NOTE: fixed by https://git.kernel.org/linus/cf970c002d270c36202bd5b9c2804d3097a52da0 CVE-2013-6431 (The fib6_add function in net/ipv6/ip6_fib.c in the Linux kernel before ...) - linux-2.6 (Vulnerable code not present) - linux 3.11.5-1 (low) [wheezy] - linux (Vulnerable code not present) NOTE: fixed by https://git.kernel.org/linus/ae7b4e1f213aa659aedf9c6ecad0bf5f0476e1e2 CVE-2013-6430 (The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtil ...) {DSA-2857-1} - libspring-java 3.0.6.RELEASE-11 (bug #735420) CVE-2013-6429 (The SourceHttpMessageConverter in Spring MVC in Spring Framework befor ...) {DSA-2857-1} - libspring-java 3.0.6.RELEASE-11 (bug #735420) CVE-2013-6428 (The ReST API in OpenStack Orchestration API (Heat) before Havana 2013. ...) - heat 2013.2.1-1 (bug #732033) NOTE: https://launchpad.net/bugs/1256983 CVE-2013-6427 (upgrade.py in the hp-upgrade service in HP Linux Imaging and Printing ...) {DSA-2829-1} - hplip 3.13.11-2 (bug #731480) [squeeze] - hplip (Vulnerable code not present) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=853405 CVE-2013-6426 (The cloudformation-compatible API in OpenStack Orchestration API (Heat ...) - heat 2013.2.1-1 (bug #732033) NOTE: https://launchpad.net/bugs/1256049 CVE-2013-6425 (Integer underflow in the pixman_trapezoid_valid macro in pixman.h in P ...) {DSA-2823-1} - pixman 0.30.2-2 CVE-2013-6424 (Integer underflow in the xTrapezoidValid macro in render/picture.h in ...) {DSA-2822-1} - xorg-server 2:1.14.2.901-1 (low; bug #742922) NOTE: Band-aid fix in Wheezy not applicable to upstream code, fixed post-Wheezy NOTE: in pixman: http://cgit.freedesktop.org/pixman/commit/?id=5e14da97f16e421d084a9e735be21b1025150f0c NOTE: Mark the first post-wheezy xorg-server as a pseudo fixed version CVE-2013-6423 RESERVED CVE-2013-6422 (The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling di ...) {DSA-2824-1} - curl 7.34.0-1 [squeeze] - curl (issue introduced with 59cf93cc, 7.21.4) CVE-2013-6421 (The unpack_zip function in archive_unpacker.rb in the sprout gem 0.7.2 ...) NOT-FOR-US: Ruby Gem sprout CVE-2013-6420 (The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP befor ...) {DSA-2816-1} - php5 5.5.6+dfsg-2 (bug #731895) NOTE: http://git.php.net/?p=php-src.git;a=commit;h=c1224573c773b6845e83505f717fbf820fc18415 CVE-2013-6419 (Interaction error in OpenStack Nova and Neutron before Havana 2013.2.1 ...) - neutron 2013.2.1-1 - nova 2013.2.1-1 [wheezy] - nova (Only exploitable in combination in neutron, not in Wheezy) NOTE: https://launchpad.net/bugs/1235450 CVE-2013-6418 (PyWBEM 0.7 and earlier uses a separate connection to validate X.509 ce ...) - pywbem 0.8.0~dev650-1 (low; bug #732594) [squeeze] - pywbem (Minor issue) [wheezy] - pywbem (Minor issue) NOTE: fix: https://bugzilla.redhat.com/attachment.cgi?id=851357 CVE-2013-6417 (actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before ...) {DSA-2888-1} - rails-4.0 4.0.2+dfsg-1 (bug #731290) - rails-3.2 3.2.16-3+0 - ruby-actionpack-3.2 3.2.16-1 (bug #731288) - ruby-actionpack-2.3 (vulnerable code not present) - rails (vulnerable code not present) NOTE: Starting with 2.3.14.1 rails is a transition package NOTE: CVE for incomplete fix for CVE-2013-0155 CVE-2013-6416 (Cross-site scripting (XSS) vulnerability in the simple_format helper i ...) - rails-4.0 4.0.2+dfsg-1 (bug #731290) - ruby-actionpack-3.2 (vulnerable code not present) - ruby-actionpack-2.3 (vulnerable code not present) - rails (vulnerable code not present) NOTE: Starting with 2.3.14.1 rails is a transition package CVE-2013-6415 (Cross-site scripting (XSS) vulnerability in the number_to_currency hel ...) {DSA-2888-1} - rails-4.0 4.0.2+dfsg-1 (bug #731290) - rails-3.2 3.2.16-3+0 - ruby-actionpack-3.2 3.2.16-1 (bug #731288) - ruby-actionpack-2.3 (bug #731289) [wheezy] - ruby-actionpack-2.3 - rails (vulnerable code not present) NOTE: Starting with 2.3.14.1 rails is a transition package CVE-2013-6414 (actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on ...) {DSA-2888-1} - rails-4.0 4.0.2+dfsg-1 (bug #731290) - rails-3.2 3.2.16-3+0 - ruby-actionpack-3.2 3.2.16-1 (bug #731288) - ruby-actionpack-2.3 (vulnerable code not present) - rails (vulnerable code not present) NOTE: Starting with 2.3.14.1 rails is a transition package CVE-2013-6413 (Use-after-free vulnerability in UnrealIRCd 3.2.10 before 3.2.10.2 allo ...) - unrealircd (bug #515130) NOTE: http://forums.unrealircd.com/viewtopic.php?f=2&t=8221 CVE-2013-6412 (The transform_save function in transform.c in Augeas 1.0.0 through 1.1 ...) {DLA-28-1} - augeas 1.2.0-0.1 (bug #731111) [wheezy] - augeas (Affected patch not present/applied) [squeeze] - augeas (Affected patch not present/applied) NOTE: only if applied original patch for CVE-2012-0786 CVE-2013-6411 (The HandleCrashedAircraft function in aircraft_cmd.cpp in OpenTTD 0.3. ...) - openttd 1.3.3-1 (low) [squeeze] - openttd 1.0.4-7 [wheezy] - openttd 1.2.1-3 NOTE: http://bugs.openttd.org/task/5820 CVE-2013-6410 (nbd-server in Network Block Device (nbd) before 3.5 does not properly ...) {DSA-2806-1} - nbd 1:3.5-1 NOTE: http://anonscm.debian.org/gitweb/?p=users/wouter/nbd.git;a=commitdiff;h=0e9bd98c44dd94d9ede92655a36849fbc8cbf5b9 CVE-2013-6409 (Debian adequate before 0.8.1, when run by root with the --user option, ...) - adequate 0.8.1 (bug #730691) NOTE: https://bitbucket.org/jwilk/adequate/commits/94e5fc5d810057bffb673501ed809f7c2dabd9ee CVE-2013-6408 (The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 does no ...) {DSA-2963-1} - lucene-solr 3.6.2+dfsg-2 (bug #731113) NOTE: https://issues.apache.org/jira/browse/SOLR-4881 CVE-2013-6407 (The UpdateRequestHandler for XML in Apache Solr before 4.1 allows remo ...) {DSA-2963-1} - lucene-solr 3.6.2+dfsg-2 (bug #731113) NOTE: https://issues.apache.org/jira/browse/SOLR-3895 CVE-2013-6406 REJECTED CVE-2013-6405 REJECTED CVE-2013-6404 (Quassel core (server daemon) in Quassel IRC before 0.9.2 does not prop ...) - quassel 0.9.2-1 (low) [wheezy] - quassel 0.8.0-1+deb7u1 [squeeze] - quassel (Minor issue) NOTE: https://github.com/quassel/quassel/commit/a1a24da CVE-2013-6403 (The admin page in ownCloud before 5.0.13 allows remote attackers to by ...) - owncloud 5.0.13+dfsg-1 CVE-2013-6402 (base/pkit.py in HP Linux Imaging and Printing (HPLIP) through 3.13.11 ...) {DSA-2829-1} - hplip 3.13.11-2.1 (bug #725876) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=852368 CVE-2013-6401 (Jansson, possibly 2.4 and earlier, does not restrict the ability to tr ...) - jansson 2.6-1 (bug #738647) [wheezy] - jansson (Minor issue) CVE-2013-6400 (Xen 4.2.x and 4.3.x, when using Intel VT-d and a PCI device has been a ...) - xen 4.4.0-1 [wheezy] - xen (4.2.x and later are vulnerable) [squeeze] - xen (4.2.x and later are vulnerable) CVE-2013-6399 (Array index error in the virtio_load function in hw/virtio/virtio.c in ...) - qemu 2.1+dfsg-1 (low; bug #739589) [squeeze] - qemu (Minor issue, hardly exploitable in practice) [wheezy] - qemu (Minor issue, hardly exploitable in practice) [wheezy] - qemu-kvm (Minor issue, hardly exploitable in practice) - qemu-kvm (low) [squeeze] - qemu-kvm (Minor issue, hardly exploitable in practice) CVE-2013-6398 (The virtual router in Apache CloudStack before 4.2.1 does not preserve ...) NOT-FOR-US: Apache CloudStack CVE-2013-6397 (Directory traversal vulnerability in SolrResourceLoader in Apache Solr ...) {DSA-2963-1} - lucene-solr 3.6.2+dfsg-2 (bug #731113) NOTE: https://issues.apache.org/jira/browse/SOLR-4882 CVE-2013-6396 (The OpenStack Python client library for Swift (python-swiftclient) 1.0 ...) - python-swiftclient 1:2.0.2-1 (bug #730626) NOTE: https://bugs.launchpad.net/python-swiftclient/+bug/1199783 CVE-2013-6395 (Cross-site scripting (XSS) vulnerability in header.php in Ganglia Web ...) - ganglia-web (unimportant; bug #730507) [squeeze] - ganglia (Vulnerable code not present) NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone, #702776 - ganglia 3.6.0-1 [wheezy] - ganglia (Minor issue) NOTE: ganglia-web and ganglia are now two separate source packages NOTE: starting with 3.6.0-1 the web front is no longer built from src:ganglia so marking this version as fixed NOTE: https://github.com/ganglia/ganglia-web/issues/218 CVE-2013-6394 (Percona XtraBackup before 2.1.6 uses a constant string for the initial ...) - percona-xtrabackup 2.1.6-2 (bug #730544) CVE-2013-6393 (The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0 ...) {DSA-2870-1 DSA-2850-1} - libyaml 0.1.4-3 (bug #737076) - libyaml-libyaml-perl 0.41-4 CVE-2013-6392 (The genlock_dev_ioctl function in genlock.c in the Genlock driver for ...) - linux-2.6 (Android-specific) - linux (Android-specific) NOTE: https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/drivers/base/genlock.c?id=e3c43027bdb59f03eec7ead0a01c77e4bf801625&h=jb_3.2.3 CVE-2013-6391 (The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013. ...) - keystone 2013.2.1-1 (bug #731981) [wheezy] - keystone (vulnerable code not present) NOTE: https://launchpad.net/bugs/1242597 CVE-2013-6390 RESERVED CVE-2013-6389 (Open redirect vulnerability in the Overlay module in Drupal 7.x before ...) {DSA-2804-1} - drupal7 7.24-1 CVE-2013-6388 (Cross-site scripting (XSS) vulnerability in the Color module in Drupal ...) {DSA-2804-1} - drupal7 7.24-1 CVE-2013-6387 (Cross-site scripting (XSS) vulnerability in the Image module in Drupal ...) {DSA-2804-1} - drupal7 7.24-1 CVE-2013-6386 (Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand functi ...) {DSA-2828-1 DSA-2804-1} - drupal6 - drupal7 7.24-1 NOTE: https://drupal.org/SA-CORE-2013-003 CVE-2013-6385 (The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used ...) {DSA-2828-1 DSA-2804-1} - drupal6 - drupal7 7.24-1 NOTE: https://drupal.org/SA-CORE-2013-003 CVE-2013-6384 ((1) impl_db2.py and (2) impl_mongodb.py in OpenStack Ceilometer 2013.2 ...) - ceilometer 2013.2-4 (bug #730227) CVE-2013-6383 (The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the L ...) {DSA-2906-1} - linux-2.6 [wheezy] - linux 3.2.53-1 - linux 3.11.8-1 NOTE: https://git.kernel.org/linus/f856567b930dfcdbc3323261bf77240ccdde01f5 CVE-2013-6382 (Multiple buffer underflows in the XFS implementation in the Linux kern ...) {DSA-2906-1} - linux-2.6 (low) - linux 3.11.10-1 (low) [wheezy] - linux 3.2.53-1 CVE-2013-6381 (Buffer overflow in the qeth_snmp_command function in drivers/s390/net/ ...) {DSA-2906-1} - linux-2.6 (low) - linux 3.11.10-1 (low) [wheezy] - linux 3.2.53-1 NOTE: https://git.kernel.org/linus/6fb392b1a63ae36c31f62bc3fc8630b49d602b62 CVE-2013-6380 (The aac_send_raw_srb function in drivers/scsi/aacraid/commctrl.c in th ...) {DSA-2906-1} - linux-2.6 - linux 3.11.10-1 [wheezy] - linux 3.2.53-1 NOTE: https://git.kernel.org/linus/b4789b8e6be3151a955ade74872822f30e8cd914 CVE-2013-6379 REJECTED CVE-2013-6378 (The lbs_debugfs_write function in drivers/net/wireless/libertas/debugf ...) {DSA-2906-1} - linux-2.6 (low) - linux 3.11.10-1 (low) [wheezy] - linux 3.2.53-1 NOTE: https://git.kernel.org/linus/a497e47d4aec37aaf8f13509f3ef3d1f6a717d88 CVE-2013-6377 REJECTED CVE-2013-6376 (The recalculate_apic_map function in arch/x86/kvm/lapic.c in the KVM s ...) - linux 3.12.5-1 [wheezy] - linux (Introduced in 3.7) - linux-2.6 (Introduced in 3.7) CVE-2013-6375 (Xen 4.2.x and 4.3.x, when using Intel VT-d for PCI passthrough, does n ...) - xen 4.4.0-1 (bug #730254) [squeeze] - xen (Only affects >= 4.2) [wheezy] - xen (Only affects >= 4.2) CVE-2013-6374 (Cross-site scripting (XSS) vulnerability in the Build Failure Analyzer ...) - jenkins (Affected plugins are not shipped in Debian, bug #730457) CVE-2013-6373 (The Exclusion plugin before 0.9 for Jenkins does not properly prevent ...) - jenkins (Affected plugins are not shipped in Debian, bug #730457) CVE-2013-6372 (The Subversion plugin before 1.54 for Jenkins stores credentials using ...) - jenkins (Affected plugins are not shipped in Debian, bug #730457) CVE-2013-6371 (The hash functionality in json-c before 0.12 allows context-dependent ...) - json-c 0.11-4 (bug #744008) [wheezy] - json-c (Minor issue) [squeeze] - json-c (Minor issue) NOTE: https://github.com/json-c/json-c/commit/64e36901a0614bf64a19bc3396469c66dcd0b015 CVE-2013-6370 (Buffer overflow in the printbuf APIs in json-c before 0.12 allows remo ...) - json-c 0.11-4 (bug #744008) [wheezy] - json-c (Minor issue) [squeeze] - json-c (Minor issue) NOTE: https://github.com/json-c/json-c/commit/64e36901a0614bf64a19bc3396469c66dcd0b015 CVE-2013-6369 (Stack-based buffer overflow in the jbg_dec_in function in libjbig/jbig ...) {DSA-2900-1} - jbigkit 2.0-2.1 (bug #743960) CVE-2013-6368 (The KVM subsystem in the Linux kernel through 3.12.5 allows local user ...) - linux 3.12.5-1 [squeeze] - linux-2.6 (Too intrusive to backport, KVM server not supported in squeeze-lts) - linux-2.6 [wheezy] - linux 3.2.54-1 CVE-2013-6367 (The apic_get_tmcct function in arch/x86/kvm/lapic.c in the KVM subsyst ...) {DSA-2906-1} - linux 3.12.5-1 - linux-2.6 [wheezy] - linux 3.2.54-1 CVE-2013-6363 RESERVED CVE-2013-6362 (Xerox ColorCube and WorkCenter devices in 2013 had hardcoded FTP and s ...) NOT-FOR-US: Xerox CVE-2013-6361 RESERVED CVE-2013-6360 (TRENDnet TS-S402 has a backdoor to enable TELNET. ...) NOT-FOR-US: TRENDnet CVE-2013-6359 (Munin::Master::Node in Munin before 2.0.18 allows remote attackers to ...) {DSA-2815-1 DLA-20-1} - munin 2.0.18-1 [squeeze] - munin 1.4.5-3+deb6u1 NOTE: http://munin-monitoring.org/ticket/1397 CVE-2013-6358 (PrestaShop 1.5.5 allows remote authenticated attackers to execute arbi ...) NOT-FOR-US: PrestaShop CVE-2013-6357 (** DISPUTED ** Cross-site request forgery (CSRF) vulnerability in the ...) NOT-FOR-US: Disputed non-issue in Tomcat CVE-2013-6356 REJECTED CVE-2013-6355 REJECTED CVE-2013-6354 RESERVED CVE-2013-6353 RESERVED CVE-2013-6352 RESERVED CVE-2013-6351 RESERVED CVE-2013-6350 RESERVED CVE-2013-6349 (McAfee Email Gateway (MEG) 7.0 before 7.0.4 and 7.5 before 7.5.1 allow ...) NOT-FOR-US: McAfee Email Gateway CVE-2013-6348 (Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2 ...) - libstruts1.2-java (Affects Struts 2.0.0 - Struts 2.3.15.3) NOTE: https://issues.apache.org/jira/browse/WW-4213 CVE-2013-6347 (Session fixation vulnerability in Novell ZENworks Configuration Manage ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2013-6346 (Cross-site request forgery (CSRF) vulnerability in the ZCC page in Nov ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2013-6345 (Unspecified vulnerability in the ZCC page in Novell ZENworks Configura ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2013-6344 (The ZCC page in Novell ZENworks Configuration Management (ZCM) before ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2013-6343 (Multiple buffer overflows in web.c in httpd on the ASUS RT-N56U and RT ...) NOT-FOR-US: ASUS Router CVE-2013-6342 (Cross-site scripting (XSS) vulnerability in the Tweet Blender plugin b ...) NOT-FOR-US: Tweet Blender plugin for WP CVE-2013-6341 (SQL injection vulnerability in Dokeos 2.2 RC2 and earlier allows remot ...) NOT-FOR-US: Dokeos CVE-2004-XXXX [base-passwd: sets valid shells for system services] - base-passwd 3.5.30 (unimportant; bug #274229) NOTE: Hardening, not a direct vulnerability CVE-2013-6366 (The Groovy script console in VMware Hyperic HQ 4.6.6 allows remote aut ...) NOT-FOR-US: VMware Hyperic HQ CVE-2013-6365 (Horde Groupware Web mail 5.1.2 has CSRF with requests to change permis ...) - php-horde 5.1.5+debian0-1 (bug #730110) - php-horde-kronolith 4.1.4-1 (bug #730980) - kronolith2 (Vulnerable code not present) - horde3 [squeeze] - horde3 (Unsupported in squeeze-lts) NOTE: https://github.com/horde/horde/commit/b79114d08ee8c8e43e74a179741749529f6d885c CVE-2013-6364 (Horde Groupware Webmail Edition has CSRF and XSS when saving search as ...) - php-horde (Vulnerable code in turba) - php-horde-turba 4.1.3-1 (bug #730979) - turba2 [squeeze] - turba2 (Unsupported in squeeze-lts) NOTE: https://github.com/horde/horde/commit/74f9add4ad86c29b608270e33b17426163b3c8cf CVE-2013-6340 (epan/dissectors/packet-tcp.c in the TCP dissector in Wireshark 1.8.x b ...) {DSA-2792-1} - wireshark 1.10.3-1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9263 CVE-2013-6339 (The dissect_openwire_type function in epan/dissectors/packet-openwire. ...) {DLA-497-1} - wireshark 1.10.3-1 (unimportant) [squeeze] - wireshark (OpenWire dissector introduced in 1.8.0) NOTE: Not suitable for code injection CVE-2013-6338 (The dissect_sip_common function in epan/dissectors/packet-sip.c in the ...) {DSA-2792-1} - wireshark 1.10.3-1 [squeeze] - wireshark (Vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9228 CVE-2013-6337 (Unspecified vulnerability in the NBAP dissector in Wireshark 1.8.x bef ...) {DSA-2792-1} - wireshark 1.10.3-1 [squeeze] - wireshark (Vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9168 not accessible CVE-2013-6336 (The ieee802154_map_rec function in epan/dissectors/packet-ieee802154.c ...) {DSA-2792-1} - wireshark 1.10.3-1 [squeeze] - wireshark (code introduced in 1.6.0) NOTE: http://anonsvn.wireshark.org/viewvc?view=revision&revision=52036 CVE-2013-6335 (The Backup-Archive client in IBM Tivoli Storage Manager (TSM) for Spac ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2013-6334 (IBM Atlas eDiscovery Process Management 6.0.1.5 and earlier and 6.0.2, ...) NOT-FOR-US: IBM CVE-2013-6333 (Cross-site scripting (XSS) vulnerability in IBM Algo One, as used in M ...) NOT-FOR-US: IBM Algo One CVE-2013-6332 (Unrestricted file upload vulnerability in IBM Algo One UDS 4.7.0 throu ...) NOT-FOR-US: IBM Algo One UDS CVE-2013-6331 (SQL injection vulnerability in IBM Algo One, as used in MetaData Manag ...) NOT-FOR-US: IBM Algo One CVE-2013-6330 (IBM WebSphere Application Server 7.x before 7.0.0.31, when simpleFileS ...) NOT-FOR-US: IBM WebSphere CVE-2013-6329 (IBM Global Security Kit (aka GSKit), as used in Content Manager OnDema ...) NOT-FOR-US: IBM Global Security Kit CVE-2013-6328 (Cross-site scripting (XSS) vulnerability in the Web Content Manager (W ...) NOT-FOR-US: IBM WebSphere Portal CVE-2013-6327 (Cross-site scripting (XSS) vulnerability in the HTTP Option in IBM Ste ...) NOT-FOR-US: IBM CVE-2013-6326 RESERVED CVE-2013-6325 (IBM WebSphere Application Server 7.x before 7.0.0.31, 8.0.x before 8.0 ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2013-6324 RESERVED CVE-2013-6323 (Cross-site scripting (XSS) vulnerability in the Administration Console ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2013-6322 (Cross-site scripting (XSS) vulnerability in Sterling Order Management ...) NOT-FOR-US: IBM Sterling Selling and Fulfillment Suite CVE-2013-6321 (SQL injection vulnerability in IBM Atlas eDiscovery Process Management ...) NOT-FOR-US: IBM Atlas eDiscovery Process Management CVE-2013-6320 (Cross-site scripting (XSS) vulnerability in IBM Algo One, as used in M ...) NOT-FOR-US: IBM Algo One CVE-2013-6319 (IBM Algo One, as used in MetaData Management Tools in UDS 4.7.0 throug ...) NOT-FOR-US: IBM Algo One CVE-2013-6318 (Cross-site scripting (XSS) vulnerability in IBM Algo One, as used in M ...) NOT-FOR-US: IBM Algo One CVE-2013-6317 RESERVED CVE-2013-6316 (IBM WebSphere Portal 7.0.0.x before 7.0.0.2 CF26 and 8.0.0.x before 8. ...) NOT-FOR-US: IBM WebSphere Portal CVE-2013-6315 (IBM InfoSphere Enterprise Records 4.5.1 before 4.5.1.7-IER-IF001 and E ...) NOT-FOR-US: IBM InfoSphere Enterprise Records CVE-2013-6314 (Cross-site scripting (XSS) vulnerability in IBM InfoSphere Enterprise ...) NOT-FOR-US: IBM InfoSphere Enterprise Records CVE-2013-6313 RESERVED CVE-2013-6312 (Unspecified vulnerability in IBM Rational Service Tester 8.3.x and 8.5 ...) NOT-FOR-US: IBM CVE-2013-6311 (SQL injection vulnerability in IBM Marketing Platform 9.1 before FP2 a ...) NOT-FOR-US: IBM Marketing Platform CVE-2013-6310 (Cross-site scripting (XSS) vulnerability in IBM Marketing Platform 9.1 ...) NOT-FOR-US: IBM Marketing Platform CVE-2013-6309 (IBM Marketing Platform 9.1 before FP2 allows remote authenticated user ...) NOT-FOR-US: IBM Marketing Platform CVE-2013-6308 (IBM Marketing Platform 9.1 before FP2 allows remote authenticated user ...) NOT-FOR-US: IBM Marketing Platform CVE-2013-6307 (Cross-site scripting (XSS) vulnerability in IBM Security QRadar SIEM 7 ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2013-6306 (Unspecified vulnerability on IBM Power 7 Systems 740 before 740.70 01A ...) NOT-FOR-US: IBM Power 7 CVE-2013-6305 (IBM Platform Symphony 5.2 before build 229037 and 6.1.0.1 before build ...) NOT-FOR-US: IBM Platform Symphony CVE-2013-6304 (Multiple directory traversal vulnerabilities in Algo Risk Application ...) NOT-FOR-US: IBM Algo One CVE-2013-6303 (Directory traversal vulnerability in IBM Algo One, as used in MetaData ...) NOT-FOR-US: IBM Algo One CVE-2013-6302 (SQL injection vulnerability in IBM Algo One, as used in MetaData Manag ...) NOT-FOR-US: IBM Algo One CVE-2013-6301 (Cross-site scripting (XSS) vulnerability in IBM Algo One, as used in M ...) NOT-FOR-US: IBM Algo One CVE-2013-6300 (Cross-site scripting (XSS) vulnerability in IBM Algo One, as used in M ...) NOT-FOR-US: IBM Algo One CVE-2013-6299 (Cross-site scripting (XSS) vulnerability in IBM Algo One, as used in M ...) NOT-FOR-US: IBM Algo One CVE-2013-6298 RESERVED CVE-2013-6297 RESERVED CVE-2013-6296 RESERVED CVE-2013-6295 (PrestaShop 1.5.5 vulnerable to privilege escalation via a Salesman acc ...) NOT-FOR-US: PrestaShop CVE-2013-6294 RESERVED CVE-2013-6293 RESERVED CVE-2013-6292 RESERVED CVE-2013-6291 RESERVED CVE-2013-6290 RESERVED CVE-2013-6287 RESERVED CVE-2013-6286 RESERVED CVE-2013-6284 (Unspecified vulnerability in the Statutory Reporting for Insurance (FS ...) NOT-FOR-US: Financial Services module for SAP ERP Central Component CVE-2013-6283 (VideoLAN VLC Media Player 2.0.8 and earlier allows remote attackers to ...) - vlc 2.1.0-2 (unimportant) [squeeze] - vlc (Unsupported in squeeze-lts) NOTE: User-assisted DoS for X session (freezes window manager) in 2.0.3-5 CVE-2013-6282 (The (1) get_user and (2) put_user API functions in the Linux kernel be ...) - linux 3.6.4-1~experimental.1 - linux-2.6 (Introduced in 2.6.38) [wheezy] - linux 3.2.53-1 NOTE: https://www.codeaurora.org/projects/security-advisories/missing-access-checks-putusergetuser-kernel-api-cve-2013-6282 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/arch/arm/include/asm/uaccess.h?id=8404663f81d212918ff85f493649a7991209fa04 CVE-2013-6281 (Cross-site scripting (XSS) vulnerability in codebase/spreadsheet.php i ...) NOT-FOR-US: Wordpress plugin CVE-2013-6280 (Cross-site scripting (XSS) vulnerability in Social Sharing Toolkit plu ...) NOT-FOR-US: Wordpress plugin CVE-2013-6279 RESERVED CVE-2013-6278 RESERVED CVE-2013-6277 (QNAP VioCard 300 has hardcoded RSA private keys. ...) NOT-FOR-US: QNAP CVE-2013-6276 RESERVED CVE-2013-6274 RESERVED CVE-2013-6273 RESERVED CVE-2013-6272 (The NotificationBroadcastReceiver class in the com.android.phone proce ...) NOT-FOR-US: Android CVE-2013-6271 (Android 4.0 through 4.3 allows attackers to bypass intended access res ...) NOT-FOR-US: Android CVE-2013-6270 RESERVED CVE-2013-6269 RESERVED CVE-2013-6268 RESERVED CVE-2013-6267 (Multiple cross-site scripting (XSS) vulnerabilities in Claroline befor ...) NOT-FOR-US: Claroline CVE-2013-6266 REJECTED CVE-2013-6265 REJECTED CVE-2013-6264 REJECTED CVE-2013-6263 REJECTED CVE-2013-6262 REJECTED CVE-2013-6261 REJECTED CVE-2013-6260 REJECTED CVE-2013-6259 REJECTED CVE-2013-6258 REJECTED CVE-2013-6257 REJECTED CVE-2013-6256 REJECTED CVE-2013-6255 REJECTED CVE-2013-6254 REJECTED CVE-2013-6253 REJECTED CVE-2013-6252 REJECTED CVE-2013-6251 REJECTED CVE-2013-6250 REJECTED CVE-2013-6249 REJECTED CVE-2013-6248 REJECTED CVE-2013-6247 REJECTED CVE-2013-6246 (The Dell Quest One Password Manager, possibly 5.0, allows remote attac ...) NOT-FOR-US: Dell Quest One Password Manager CVE-2013-6245 (Unspecified vulnerability in SAP Sybase Adaptive Server Enterprise (AS ...) NOT-FOR-US: SAP Sybase Adaptive Server Enterprise CVE-2013-6244 (The Live Update webdynpro application (webdynpro/dispatcher/sap.com/tc ...) NOT-FOR-US: SAP NetWeaver CVE-2013-6289 (Cross-site scripting (XSS) vulnerability in the Apache Solr for TYPO3 ...) NOT-FOR-US: TYPO3 extension Apache Solr CVE-2013-6288 (Unspecified vulnerability in the Apache Solr for TYPO3 (solr) extensio ...) NOT-FOR-US: TYPO3 extension Apache Solr CVE-2013-6285 (The search component in the Treasurer application in Tyler Technologie ...) NOT-FOR-US: Tyler Technologies TaxWeb CVE-2013-6275 (Multiple CSRF issues in Horde Groupware Webmail Edition 5.1.2 and earl ...) - php-horde-ingo 3.1.3-1 (bug #727669) - ingo1 (Affected code not present) CVE-2013-6242 (Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchan ...) NOT-FOR-US: Open-Xchange CVE-2013-6241 (The Birthday widget in the backend in Open-Xchange (OX) AppSuite 7.2.x ...) NOT-FOR-US: Open-Xchange CVE-2013-6240 RESERVED CVE-2013-6239 (Cross-site scripting (XSS) vulnerability in the photo gallery model in ...) NOT-FOR-US: Exis Contexis CVE-2013-6238 RESERVED CVE-2013-6237 (The ISL Desktop plugin for Windows before 1.4.7 for ISL Light 3.5.4 an ...) NOT-FOR-US: ISL Light CVE-2013-6236 (IZON IP 2.0.2: hard-coded password vulnerability ...) NOT-FOR-US: Stem Innovations IZON CVE-2013-6235 (Multiple cross-site scripting (XSS) vulnerabilities in JAMon (Java App ...) - libjamon-java (jamon.war/JAMon web apps gets excluded by debian/orig-tar.sh) NOTE: http://seclists.org/bugtraq/2014/Jan/92 CVE-2013-6234 (Unrestricted file upload vulnerability in the Worksheet designer in Sp ...) NOT-FOR-US: SpagoBI CVE-2013-6233 (Cross-site scripting (XSS) vulnerability in SpagoBI before 4.1 allows ...) NOT-FOR-US: SpagoBI CVE-2013-6232 (Cross-site scripting (XSS) vulnerability in SpagoBI before 4.1 allows ...) NOT-FOR-US: SpagoBI CVE-2013-6231 (SpagoBI before 4.1 has Privilege Escalation via an error in the Adapte ...) NOT-FOR-US: SpagoBI CVE-2013-6230 (The Winsock WSAIoctl API in Microsoft Windows Server 2008, as used in ...) - bind9 (Affects only Windows systems) NOTE: https://kb.isc.org/article/AA-01062 CVE-2013-6229 (Multiple cross-site scripting (XSS) vulnerabilities in Atmail Webmail ...) - atmailopen CVE-2013-6228 RESERVED CVE-2013-6227 (Unrestricted file upload vulnerability in plugins/editor.zoho/agent/sa ...) NOT-FOR-US: Zoho plugin in Pydio (AjaXplorer) CVE-2013-6226 (Directory traversal vulnerability in plugins/editor.zoho/agent/save_zo ...) NOT-FOR-US: Pydio (AjaXplorer) Zoho Editor plugin CVE-2013-6225 (LiveZilla 5.0.1.4 has a Remote Code Execution vulnerability ...) NOT-FOR-US: LiveZilla CVE-2013-6224 (Multiple cross-site scripting (XSS) vulnerabilities in LiveZilla befor ...) NOT-FOR-US: Livezilla CVE-2013-6223 (LiveZilla before 5.1.1.0 stores the admin Base64 encoded username and ...) NOT-FOR-US: Livezilla CVE-2013-6222 (Cross-site scripting (XSS) vulnerability in the Mobility Web Client an ...) NOT-FOR-US: HP Service Manager CVE-2013-6221 (Directory traversal vulnerability in CommunicationServlet in HP Servic ...) NOT-FOR-US: HP Service Virtualization CVE-2013-6220 (Cross-site scripting (XSS) vulnerability in HP Network Node Manager i ...) NOT-FOR-US: HP CVE-2013-6219 (Unspecified vulnerability in HP HP-UX Whitelisting (aka WLI) before A. ...) NOT-FOR-US: HP-UX CVE-2013-6218 (Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.0x, 9. ...) NOT-FOR-US: HP CVE-2013-6217 REJECTED CVE-2013-6216 (Unspecified vulnerability in HP Array Configuration Utility, Array Dia ...) NOT-FOR-US: HP CVE-2013-6215 (Unspecified vulnerability in the Integration Service in HP Universal C ...) NOT-FOR-US: HP Universal Configuration Management Database Integration Service CVE-2013-6214 (Unspecified vulnerability in the Integration Service in HP Universal C ...) NOT-FOR-US: HP CVE-2013-6213 (Unspecified vulnerability in Virtual User Generator in HP LoadRunner b ...) NOT-FOR-US: HP CVE-2013-6212 (Unspecified vulnerability in HP Database and Middleware Automation 10. ...) NOT-FOR-US: HP CVE-2013-6211 (Unspecified vulnerability in HP StoreOnce Virtual Storage Appliance (V ...) NOT-FOR-US: HP StoreOnce CVE-2013-6210 (Unspecified vulnerability in HP Unified Functional Testing before 12.0 ...) NOT-FOR-US: HP Unified Functional Testing CVE-2013-6209 (Unspecified vulnerability in rpc.lockd in the NFS subsystem in HP HP-U ...) NOT-FOR-US: NFS subsystem in HP HP-UX CVE-2013-6208 (Unspecified vulnerability in HP Smart Update Manager 5.3.5 before buil ...) NOT-FOR-US: HP Smart Update Manager CVE-2013-6207 (Unspecified vulnerability in the loadFileContents function in the SOAP ...) NOT-FOR-US: HP SiteScope CVE-2013-6206 (Unspecified vulnerability in HP Rapid Deployment Pack (RDP) and Insigh ...) NOT-FOR-US: HP CVE-2013-6205 (Unspecified vulnerability in HP Rapid Deployment Pack (RDP) and Insigh ...) NOT-FOR-US: HP CVE-2013-6204 (The Web Console in HP Application Information Optimizer (formerly HP D ...) NOT-FOR-US: HP Application Information Optimizer CVE-2013-6203 (The Web Console in HP Application Information Optimizer (formerly HP D ...) NOT-FOR-US: HP Application Information Optimizer CVE-2013-6202 (Multiple cross-site request forgery (CSRF) vulnerabilities in HP Servi ...) NOT-FOR-US: HP Service Manager CVE-2013-6201 (Unspecified vulnerability in HP Security Management System 3.3.0, 3.5. ...) NOT-FOR-US: HP Security Management System CVE-2013-6200 (Unspecified vulnerability in m4 in HP HP-UX B.11.23 and B.11.31 allows ...) NOT-FOR-US: HP-UX CVE-2013-6199 REJECTED CVE-2013-6198 (Cross-site scripting (XSS) vulnerability in HP Service Manager WebTier ...) NOT-FOR-US: HP Service Manager WebTier and Windows Client CVE-2013-6197 (Unspecified vulnerability in HP Service Manager WebTier and Windows Cl ...) NOT-FOR-US: HP Service Manager WebTier and Windows Client CVE-2013-6196 (Cross-site scripting (XSS) vulnerability in HP Autonomy Ultraseek 5 al ...) NOT-FOR-US: HP Autonomy Ultraseek CVE-2013-6195 (Unspecified vulnerability in HP Storage Data Protector 6.2X allows rem ...) NOT-FOR-US: HP Data Protector CVE-2013-6194 (Unspecified vulnerability in HP Storage Data Protector 6.2X allows rem ...) NOT-FOR-US: HP Data Protector CVE-2013-6193 (Unspecified vulnerability on HP LaserJet M1522n and M2727; LaserJet Pr ...) NOT-FOR-US: HP Printers CVE-2013-6192 (Cross-site request forgery (CSRF) vulnerability in HP Operations Orche ...) NOT-FOR-US: HP Operations Orchestration CVE-2013-6191 (Cross-site scripting (XSS) vulnerability in HP Operations Orchestratio ...) NOT-FOR-US: HP Operations Orchestration CVE-2013-6190 REJECTED CVE-2013-6189 (Unspecified vulnerability in the Archive Query Server in HP Applicatio ...) NOT-FOR-US: HP Application Information Optimizer CVE-2013-6188 (Cross-site request forgery (CSRF) vulnerability in HP System Managemen ...) NOT-FOR-US: HP System Management Homepage CVE-2013-6187 REJECTED CVE-2013-6186 REJECTED CVE-2013-6185 REJECTED CVE-2013-6184 REJECTED CVE-2013-6183 REJECTED CVE-2013-6182 (Unquoted Windows search path vulnerability in EMC Replication Manager ...) NOT-FOR-US: EMC Replication Manager CVE-2013-6181 (EMC Watch4Net before 6.3 stores cleartext polled-device passwords in t ...) NOT-FOR-US: EMC Watch4net CVE-2013-6180 (EMC RSA Security Analytics (SA) 10.x before 10.3, and RSA NetWitness N ...) NOT-FOR-US: RSA Security Analytics CVE-2013-6179 REJECTED CVE-2013-6178 (Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Archer ...) NOT-FOR-US: EMC RSA Archer GRC CVE-2013-6177 (Directory traversal vulnerability in EMC Document Sciences xPression 4 ...) NOT-FOR-US: EMC CVE-2013-6176 (Multiple SQL injection vulnerabilities in EMC Document Sciences xPress ...) NOT-FOR-US: EMC CVE-2013-6175 (Multiple cross-site scripting (XSS) vulnerabilities in EMC Document Sc ...) NOT-FOR-US: EMC CVE-2013-6174 (Multiple open redirect vulnerabilities in xAdmin in EMC Document Scien ...) NOT-FOR-US: EMC CVE-2013-6173 (Multiple cross-site request forgery (CSRF) vulnerabilities in EMC Docu ...) NOT-FOR-US: EMC CVE-2013-6172 (steps/utils/save_pref.inc in Roundcube webmail before 0.8.7 and 0.9.x ...) {DSA-2787-1} - roundcube 0.9.4-1.1 (bug #727668) [squeeze] - roundcube (Vulnerable code not present) NOTE: http://web.archive.org/web/20160304042345/http://roundcube.net/news/2013/10/21/security-updates-095-and-087/ NOTE: http://trac.roundcube.net/ticket/1489382 CVE-2013-6171 (checkpassword-reply in Dovecot before 2.2.7 performs setuid operations ...) - dovecot 1:2.2.9-1 (low; bug #729063) [wheezy] - dovecot (Minor issue) [squeeze] - dovecot (Minor issue) CVE-2013-6170 (Juniper Junos 10.0 before 10.0S28, 10.4 before 10.4R7, 11.1 before 11. ...) NOT-FOR-US: Juniper Junos CVE-2013-6169 (The TLS driver in ejabberd before 2.1.12 supports (1) SSLv2 and (2) we ...) {DSA-2775-1} - ejabberd 2.1.11-1 (bug #722105) CVE-2013-6168 (Cross-site scripting (XSS) vulnerability in Zikula Application Framewo ...) NOT-FOR-US: Zikula CVE-2013-6165 RESERVED CVE-2013-6164 (SQL injection vulnerability in view/objectDetail.php in Project'Or RIA ...) NOT-FOR-US: Project'Or RIA CVE-2013-6163 (Multiple cross-site scripting (XSS) vulnerabilities in ProjeQtOr (form ...) NOT-FOR-US: Project'Or RIA CVE-2013-6162 (Cross-site scripting (XSS) vulnerability in Code-Crafters Ability Mail ...) NOT-FOR-US: Code-Crafters Ability Mail Server CVE-2013-6161 REJECTED CVE-2013-6160 REJECTED CVE-2013-6159 REJECTED CVE-2013-6158 REJECTED CVE-2013-6157 REJECTED CVE-2013-6156 REJECTED CVE-2013-6155 REJECTED CVE-2013-6154 REJECTED CVE-2013-6153 REJECTED CVE-2013-6152 REJECTED CVE-2013-6151 REJECTED CVE-2013-6150 REJECTED CVE-2013-6149 REJECTED CVE-2013-6148 REJECTED CVE-2013-6147 REJECTED CVE-2013-6146 REJECTED CVE-2013-6145 REJECTED CVE-2013-6144 REJECTED CVE-2013-6143 (The Schneider Electric Telvent SAGE 3030 RTU with firmware C3413-500-0 ...) NOT-FOR-US: Schneider Electric Telvent SAGE 3030 RTU CVE-2013-6142 (DNP3Driver.exe in the DNP3 driver in Schneider Electric ClearSCADA 201 ...) NOT-FOR-US: Schneider Electric ClearSCADA CVE-2013-6141 (Unspecified vulnerability in op5 Monitor before 6.1.3 allows attackers ...) NOT-FOR-US: op5 CVE-2013-6140 RESERVED CVE-2013-6139 RESERVED CVE-2013-6138 RESERVED CVE-2013-6137 RESERVED CVE-2013-6136 RESERVED CVE-2013-6135 RESERVED CVE-2013-6134 RESERVED CVE-2013-6133 RESERVED CVE-2013-6132 RESERVED CVE-2013-6131 RESERVED CVE-2013-6130 RESERVED CVE-2013-6128 (The KCHARTXYLib.KChartXY ActiveX control in KChartXY.ocx before 65.30. ...) NOT-FOR-US: WellinTech KingView CVE-2013-6127 (The SUPERGRIDLib.SuperGrid ActiveX control in SuperGrid.ocx before 65. ...) NOT-FOR-US: WellinTech KingView CVE-2013-6126 REJECTED CVE-2013-6125 REJECTED CVE-2013-6124 (The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Foru ...) NOT-FOR-US: Qualcomm (Android) CVE-2013-6123 (Multiple array index errors in drivers/media/video/msm/server/msm_cam_ ...) NOT-FOR-US: Android Linux kernel CVE-2013-6122 (goodix_tool.c in the Goodix gt915 touchscreen driver for the Linux ker ...) NOT-FOR-US: Goodix gt915 Android touchscreen driver CVE-2013-6121 RESERVED CVE-2013-6120 RESERVED CVE-2013-6119 RESERVED CVE-2013-6118 RESERVED CVE-2013-6117 (Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to byp ...) NOT-FOR-US: Dahua DVR CVE-2013-6116 RESERVED CVE-2013-6115 RESERVED CVE-2013-6114 (Integer overflow in the OZDocument::parseElement function in Apple Mot ...) NOT-FOR-US: Apple Motion CVE-2013-6113 RESERVED CVE-2013-6112 RESERVED CVE-2013-6111 (Cross-site scripting (XSS) vulnerability in the mod_pagespeed module 0 ...) NOT-FOR-US: mod_pagespeed CVE-2013-6110 RESERVED CVE-2013-6109 RESERVED CVE-2013-6108 RESERVED CVE-2013-6107 RESERVED CVE-2013-6106 RESERVED CVE-2013-6105 RESERVED CVE-2013-6104 REJECTED CVE-2013-6103 REJECTED CVE-2013-6102 REJECTED CVE-2013-6101 REJECTED CVE-2013-6100 REJECTED CVE-2013-6099 REJECTED CVE-2013-6098 REJECTED CVE-2013-6097 REJECTED CVE-2013-6096 REJECTED CVE-2013-6095 REJECTED CVE-2013-6094 REJECTED CVE-2013-6093 REJECTED CVE-2013-6092 REJECTED CVE-2013-6091 REJECTED CVE-2013-6090 REJECTED CVE-2013-6089 REJECTED CVE-2013-6088 REJECTED CVE-2013-6087 REJECTED CVE-2013-6086 REJECTED CVE-2013-6085 REJECTED CVE-2013-6084 REJECTED CVE-2013-6083 REJECTED CVE-2013-6082 REJECTED CVE-2013-6081 REJECTED CVE-2013-6080 REJECTED CVE-2013-6079 (Buffer overflow in MostGear Soft Easy LAN Folder Share 3.2.0.100 allow ...) NOT-FOR-US: MostGear Soft Easy LAN Folder Share CVE-2013-6078 (The default configuration of EMC RSA BSAFE Toolkits and RSA Data Prote ...) NOT-FOR-US: EMC RSA CVE-2013-6077 (Citrix XenDesktop 7.0, when upgraded from XenDesktop 5.x, does not pro ...) NOT-FOR-US: Citrix XenDesktop CVE-2013-6076 (strongSwan 5.0.2 through 5.1.0 allows remote attackers to cause a deni ...) - strongswan 5.1.0-3 [squeeze] - strongswan (Vulnerable Code not present, introduced by upstream commit 30216000d3752026127c2f91470ce165ab3d3926) [wheezy] - strongswan (Vulnerable Code not present, introduced by upstream commit 30216000d3752026127c2f91470ce165ab3d3926) CVE-2013-6075 (The compare_dn function in utils/identification.c in strongSwan 4.3.3 ...) {DSA-2789-1} - strongswan 5.1.0-3 CVE-2013-6074 (Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite ...) NOT-FOR-US: Open-Xchange CVE-2013-6073 RESERVED CVE-2013-6072 RESERVED CVE-2013-6071 RESERVED CVE-2013-6070 RESERVED CVE-2013-6069 RESERVED CVE-2013-6068 RESERVED CVE-2013-6067 RESERVED CVE-2013-6066 RESERVED CVE-2013-6065 RESERVED CVE-2013-6064 RESERVED CVE-2009-5136 (The policy definition evaluator in Condor before 7.4.2 does not proper ...) - condor (Fixed before initial upload) CVE-2007-6755 (The NIST SP 800-90A default statement of the Dual Elliptic Curve Deter ...) - openssl (unimportant) NOTE: Unused/broken in OpenSSL, see http://marc.info/?l=openssl-announce&m=138747119822324&w=2 CVE-2013-6243 (SQL injection vulnerability in the Landing Pages plugin 1.2.3, before ...) NOT-FOR-US: WordPress Landing Pages Plugin CVE-2013-6167 (Mozilla Firefox through 27 sends HTTP Cookie headers without first val ...) - iceweasel (unimportant) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=858215 CVE-2013-6166 (Google Chrome before 29 sends HTTP Cookie headers without first valida ...) - chromium-browser 31.0.1650.57-1 (low) [squeeze] - chromium-browser NOTE: https://code.google.com/p/chromium/issues/detail?id=238041 CVE-2013-6129 (The install/upgrade.php scripts in vBulletin 4.1 and 5 allow remote at ...) NOT-FOR-US: VBulletin CVE-2013-6063 RESERVED CVE-2013-6062 RESERVED CVE-2013-6061 RESERVED CVE-2013-6060 RESERVED CVE-2013-6059 RESERVED CVE-2013-6058 (SQL injection vulnerability in appRain CMF 3.0.2 and earlier allows re ...) NOT-FOR-US: appRain CMS CVE-2013-6057 RESERVED CVE-2013-6056 (OSSIM before 4.3.3.1 has tele_compress.php path traversal vulnerabilit ...) NOT-FOR-US: AlienVault OSSIM CVE-2013-6055 REJECTED CVE-2013-6054 (Heap-based buffer overflow in OpenJPEG 1.3 has unspecified impact and ...) {DSA-2808-1} - openjpeg 1.3+dfsg-4.7 (bug #731237) CVE-2013-6053 (OpenJPEG 1.5.1 allows remote attackers to obtain sensitive information ...) - openjpeg 1.5.2-1 (bug #731237) [wheezy] - openjpeg (Only affects 1.5) [squeeze] - openjpeg (Only affects 1.5) CVE-2013-6052 (OpenJPEG 1.3 and earlier allows remote attackers to obtain sensitive i ...) {DSA-2808-1} - openjpeg 1.3+dfsg-4.7 (bug #731237) CVE-2013-6051 (The bgp_attr_unknown function in bgp_attr.c in Quagga 0.99.21 does not ...) {DSA-2803-1} - quagga 0.99.22.4-1 (bug #730513) [squeeze] - quagga (Only affects 0.99.21) CVE-2013-6050 (Integer overflow in Links before 2.8 allows remote attackers to cause ...) {DSA-2807-1} - links2 2.8-1 CVE-2013-6049 (apt-listbugs before 0.1.10 creates temporary files insecurely, which a ...) - apt-listbugs 0.1.10 (low) [squeeze] - apt-listbugs (Minor issue) [wheezy] - apt-listbugs 0.1.8+deb7u1 CVE-2013-6048 (The get_group_tree function in lib/Munin/Master/HTMLConfig.pm in Munin ...) {DSA-2815-1 DLA-20-1} - munin 2.0.18-1 [squeeze] - munin 1.4.5-3+deb6u1 CVE-2013-6047 (Multiple cross-site scripting (XSS) vulnerabilities in the site creati ...) - ikiwiki-hosting 0.20131025 [wheezy] - ikiwiki-hosting (Minor XSS) CVE-2013-6046 RESERVED CVE-2016-9675 (openjpeg: A heap-based buffer overflow flaw was found in the patch for ...) - openjpeg 1.5.2-1 [wheezy] - openjpeg 1.3+dfsg-4.8 [squeeze] - openjpeg 1.3+dfsg-4+squeeze3 NOTE: Introduced as well a regression, cf. https://bugs.debian.org/734238 CVE-2013-6045 (Multiple heap-based buffer overflows in OpenJPEG 1.3 and earlier might ...) {DSA-2808-1} - openjpeg 1.3+dfsg-4.7 (bug #731237) CVE-2013-6044 (The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6 ...) {DSA-2740-1} - python-django 1.5.2-1 CVE-2013-6043 (The login function in Softaculous Webuzo before 2.1.4 provides differe ...) NOT-FOR-US: Softaculous Webuzo CVE-2013-6042 (Cross-site scripting (XSS) vulnerability in filemanager/login.php in t ...) NOT-FOR-US: Softaculous Webuzo CVE-2013-6041 (index.php in Softaculous Webuzo before 2.1.4 allows remote attackers t ...) NOT-FOR-US: Softaculous Webuzo CVE-2013-6040 (Multiple unspecified vulnerabilities in the MW6 Aztec, DataMatrix, and ...) NOT-FOR-US: MW6 Technologies CVE-2013-6039 (Multiple cross-site scripting (XSS) vulnerabilities in NagiosQL 3.2 SP ...) NOT-FOR-US: NagiosQL CVE-2013-6038 (Stack-based buffer overflow in Trimble SketchUp Viewer 13.0.4124 allow ...) NOT-FOR-US: Trimble SketchUp Viewer CVE-2013-6037 (Cross-site scripting (XSS) vulnerability in index.php in Aker Secure M ...) NOT-FOR-US: Aker Secure Mail Gateway CVE-2013-6036 RESERVED CVE-2013-6035 (The firmware on GateHouse; Harris BGAN RF-7800B-VU204 and BGAN RF-7800 ...) NOT-FOR-US: Inmarsat broadband satellite terminals CVE-2013-6034 (The firmware on GateHouse; Harris BGAN RF-7800B-VU204 and BGAN RF-7800 ...) NOT-FOR-US: Inmarsat broadband satellite terminals CVE-2013-6033 (Multiple cross-site scripting (XSS) vulnerabilities on Lexmark W840 th ...) NOT-FOR-US: Lexmark CVE-2013-6032 (cgi-bin/postpf/cgi-bin/dynamic/config/config.html on Lexmark X94x befo ...) NOT-FOR-US: Lexmark CVE-2013-6031 (The Huawei E355 adapter with firmware 21.157.37.01.910 does not requir ...) NOT-FOR-US: Huawei E355 adapter CVE-2013-6030 (Directory traversal vulnerability on the Emerson Network Power Avocent ...) NOT-FOR-US: Emerson Network Power CVE-2013-6029 (Stack-based buffer overflow in the AT&T Connect Participant Applic ...) NOT-FOR-US: AT&T Connect Participant Application CVE-2013-6028 (Multiple cross-site request forgery (CSRF) vulnerabilities in Atmail W ...) NOT-FOR-US: Atmail Webmail Server CVE-2013-6027 (Stack-based buffer overflow in the RuntimeDiagnosticPing function in / ...) NOT-FOR-US: D-Link CVE-2013-6026 (The web interface on D-Link DIR-100, DIR-120, DI-624S, DI-524UP, DI-60 ...) NOT-FOR-US: D-Link CVE-2013-6025 (The XMLParse procedure in SAP Sybase Adaptive Server Enterprise (ASE) ...) NOT-FOR-US: SAP Sybase Adaptive Server Enterprise CVE-2013-6024 (The Edge Client components in F5 BIG-IP APM 10.x, 11.x, 12.x, 13.x, an ...) NOT-FOR-US: F5 BIG-IP CVE-2013-6023 (Directory traversal vulnerability in the TVT TD-2308SS-B DVR with firm ...) NOT-FOR-US: TVT TD-2308SS-B DVR CVE-2013-6022 (A Cross-Site Scripting (XSS) vulnerability exists in Tiki Wiki CMG Gro ...) - tikiwiki CVE-2013-6021 (Buffer overflow in WGagent in WatchGuard WSM and Fireware before 11.8 ...) NOT-FOR-US: WatchGuard WSM and Fireware CVE-2013-6020 (passwordRequestPOST.jsp in Tyler Technologies TaxWeb 3.13.3.1 sends di ...) NOT-FOR-US: Tyler Technologies TaxWeb CVE-2013-6019 (Cross-site scripting (XSS) vulnerability in Tyler Technologies TaxWeb ...) NOT-FOR-US: Tyler Technologies TaxWeb CVE-2013-6018 (Cross-site request forgery (CSRF) vulnerability in login.jsp in Tyler ...) NOT-FOR-US: Tyler Technologies TaxWeb CVE-2013-6017 (Cross-site scripting (XSS) vulnerability in Atmail Webmail Server befo ...) NOT-FOR-US: Atmail Webmail Server CVE-2013-6016 (The Traffic Management Microkernel (TMM) in F5 BIG-IP LTM, APM, ASM, E ...) NOT-FOR-US: F5 CVE-2013-6015 (Juniper Junos before 10.4S14, 11.4 before 11.4R5-S2, 12.1R before 12.1 ...) NOT-FOR-US: Juniper Junos CVE-2013-6014 (Juniper Junos 10.4 before 10.4S15, 11.4 before 11.4R9, 11.4X27 before ...) NOT-FOR-US: Juniper Junos CVE-2013-6013 (Buffer overflow in the flow daemon (flowd) in Juniper Junos 10.4 befor ...) NOT-FOR-US: Juniper Junos CVE-2013-6012 (Juniper Junos 12.1X44 before 12.1.X44-D20 and 12.1X45 before 12.1X45-D ...) NOT-FOR-US: Juniper Junos CVE-2013-6011 (Citrix NetScaler Application Delivery Controller (ADC) 10.0 before 10. ...) NOT-FOR-US: Citrix NetScaler Application Delivery Controller CVE-2013-6010 (Cross-site scripting (XSS) vulnerability in the Comment Attachment plu ...) NOT-FOR-US: Wordpress Comment-Attachment plugin CVE-2013-6009 (CRLF injection vulnerability in Open-Xchange AppSuite before 7.2.2, wh ...) NOT-FOR-US: Open-Xchange CVE-2013-6008 REJECTED CVE-2013-6007 REJECTED CVE-2013-6006 (Cybozu Garoon 3.5 through 3.7 SP2 allows remote attackers to bypass Ke ...) NOT-FOR-US: Cybozu Garoon CVE-2013-6005 (Cross-site scripting (XSS) vulnerability in Cybozu Dezie before 8.1.0 ...) NOT-FOR-US: Cybozu Dezie CVE-2013-6004 (Session fixation vulnerability in Cybozu Garoon before 3.7.2 allows re ...) NOT-FOR-US: Cybozu Garoon CVE-2013-6003 (CRLF injection vulnerability in Cybozu Garoon 3.1 through 3.5 SP5, whe ...) NOT-FOR-US: Cybozu Garoon CVE-2013-6002 (The server in Cybozu Garoon before 3.7 SP1 allows remote attackers to ...) NOT-FOR-US: Cybozu Garoon CVE-2013-6001 (SQL injection vulnerability in the Space function in Cybozu Garoon bef ...) NOT-FOR-US: Cybozu Garoon CVE-2013-6000 (Directory traversal vulnerability in Tattyan HP TOWN before 5_10_1 all ...) NOT-FOR-US: Tattyan HP TOWN CVE-2013-5999 (Kingsoft KDrive Personal before 1.21.0.1880 on Windows does not verify ...) NOT-FOR-US: Kingsoft KDrive Personal CVE-2013-5998 (Unspecified vulnerability in the Web manager implementation on D-Link ...) NOT-FOR-US: D-Link CVE-2013-5997 (Unspecified vulnerability in the SSH implementation on D-Link Japan DE ...) NOT-FOR-US: D-Link CVE-2013-5996 (Multiple cross-site scripting (XSS) vulnerabilities in shopping/paymen ...) NOT-FOR-US: LOCKON EC-CUBE CVE-2013-5995 (data/class/helper/SC_Helper_Address.php in the front-features implemen ...) NOT-FOR-US: LOCKON EC-CUBE CVE-2013-5994 (data/class/pages/mypage/LC_Page_Mypage_DeliveryAddr.php in LOCKON EC-C ...) NOT-FOR-US: LOCKON EC-CUBE CVE-2013-5993 (Cross-site request forgery (CSRF) vulnerability in LOCKON EC-CUBE 2.11 ...) NOT-FOR-US: LOCKON EC-CUBE CVE-2013-5992 (Cross-site scripting (XSS) vulnerability in the displaySystemError fun ...) NOT-FOR-US: LOCKON EC-CUBE CVE-2013-5991 (The displaySystemError function in html/handle_error.php in LOCKON EC- ...) NOT-FOR-US: LOCKON EC-CUBE CVE-2013-5990 (Unspecified vulnerability in JustSystems Ichitaro 2006 through 2011; I ...) NOT-FOR-US: JustSystems Ichitaro CVE-2013-5989 REJECTED CVE-2013-5988 (A Cross-site Scripting (XSS) vulnerability exists in the All in One SE ...) NOT-FOR-US: All in One SEO Pack plugin for WordPress CVE-2013-5987 (Unspecified vulnerability in NVIDIA graphics driver Release 331, 325, ...) - nvidia-graphics-drivers 304.117-1 (bug #735271) [squeeze] - nvidia-graphics-drivers (Non-free not supported) NOTE: http://nvidia.custhelp.com/app/answers/detail/a_id/3377 CVE-2013-5986 (Unspecified vulnerability in NVIDIA graphics driver Release 331, 325, ...) - nvidia-graphics-drivers 304.117-1 (bug #735271) [squeeze] - nvidia-graphics-drivers (Non-free not supported) NOTE: http://nvidia.custhelp.com/app/answers/detail/a_id/3377 CVE-2013-5985 RESERVED CVE-2013-5984 (Directory traversal vulnerability in userfiles/modules/admin/backup/de ...) NOT-FOR-US: Microweber CVE-2013-5983 (Multiple cross-site scripting (XSS) vulnerabilities in GuppY before 4. ...) NOT-FOR-US: GuppY CVE-2013-5982 RESERVED CVE-2013-5981 RESERVED CVE-2013-5980 RESERVED CVE-2013-5979 (Directory traversal vulnerability in Spring Signage Xibo 1.2.x before ...) NOT-FOR-US: Xibo CVE-2013-5978 (Multiple cross-site scripting (XSS) vulnerabilities in products.php in ...) NOT-FOR-US: Cart66 Lite plugin for WordPress CVE-2013-5977 (Cross-site request forgery (CSRF) vulnerability in Cart66Product.php i ...) NOT-FOR-US: Cart66 Lite plugin for WordPress CVE-2013-5976 (Cross-site scripting (XSS) vulnerability in the access policy logout p ...) NOT-FOR-US: F5 BIG-IP APM CVE-2013-5975 (The access policy logon page (logon.inc) in F5 BIG-IP APM 11.1.0 throu ...) NOT-FOR-US: F5 BIG-IP APM CVE-2013-5974 REJECTED CVE-2013-5973 (VMware ESXi 4.0 through 5.5 and ESX 4.0 and 4.1 allow local users to r ...) NOT-FOR-US: VMware ESXi and ESX CVE-2013-5972 (VMware Workstation 9.x before 9.0.3 and VMware Player 5.x before 5.0.3 ...) NOT-FOR-US: VMware CVE-2013-5971 (Session fixation vulnerability in the vSphere Web Client Server in VMw ...) NOT-FOR-US: VMware vSphere CVE-2013-5970 (hostd-vmdb in VMware ESXi 4.0 through 5.0 and ESX 4.0 through 4.1 allo ...) NOT-FOR-US: VMware ESXi and ESX CVE-2013-5969 RESERVED CVE-2013-5968 (Cross-site scripting (XSS) vulnerability in CA SiteMinder 12.0 through ...) NOT-FOR-US: CA SiteMinder CVE-2013-5967 (Multiple SQL injection vulnerabilities in AlienVault Open Source Secur ...) NOT-FOR-US: AlienVault Open Source Security Information Management CVE-2013-5966 (Cross-site scripting (XSS) vulnerability in ZK Framework before 5.0.13 ...) NOT-FOR-US: ZK Framework CVE-2013-5965 (The Node View Permissions module 7.x-1.x before 7.x-1.2 for Drupal doe ...) NOT-FOR-US: Drupal addon CVE-2013-5964 (Cross-site scripting (XSS) vulnerability in the administration page in ...) NOT-FOR-US: Drupal addon CVE-2013-5963 (Unrestricted file upload vulnerability in multi.php in Simple Dropbox ...) NOT-FOR-US: WordPress plugin Simple Dropbox Upload CVE-2013-5962 (Unrestricted file upload vulnerability in frames/upload-images.php in ...) NOT-FOR-US: Complete Gallery Manager plugin for Wordpress CVE-2013-5961 (Unrestricted file upload vulnerability in lazyseo.php in the Lazy SEO ...) NOT-FOR-US: WordPress plugin Lazy SEO CVE-2013-5960 (The authenticated-encryption feature in the symmetric-encryption imple ...) NOT-FOR-US: OWASP Enterprise Security API for Java CVE-2013-5958 (The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2. ...) NOT-FOR-US: Symfony TODO: Check if php-symfony-polyfill/1.17.0-1 needs to be tracked CVE-2013-5957 (Multiple SQL injection vulnerabilities in CRM/Core/Page/AJAX/Location. ...) - civicrm (Fixed before initial upload to the archive) CVE-2013-5956 (Cross-site scripting (XSS) vulnerability in includes/flvthumbnail.php ...) NOT-FOR-US: Joomla plugin CVE-2013-5955 (Cross-site scripting (XSS) vulnerability in manage.php in the PBBookin ...) NOT-FOR-US: Joomla plugin CVE-2013-5954 (Multiple cross-site request forgery (CSRF) vulnerabilities in OpenX 2. ...) NOT-FOR-US: OpenX CVE-2013-5953 (Multiple cross-site scripting (XSS) vulnerabilities in tmpl/layout_edi ...) NOT-FOR-US: Joomla component multi calendar CVE-2013-5952 (Multiple cross-site scripting (XSS) vulnerabilities in the Freichat (c ...) NOT-FOR-US: Joomla component Freichat CVE-2013-5951 (Multiple cross-site scripting (XSS) vulnerabilities in eXtplorer 2.1.3 ...) {DSA-2882-1} - extplorer (bug #741908) NOTE: http://seclists.org/fulldisclosure/2014/Mar/273 CVE-2013-5950 RESERVED CVE-2013-5949 RESERVED CVE-2013-5948 (The Network Analysis tab (Main_Analysis_Content.asp) in the ASUS RT-AC ...) NOT-FOR-US: ASUS router CVE-2013-5947 RESERVED CVE-2013-5946 (The runShellCmd function in systemCheck.htm in D-Link DSR-150 with fir ...) NOT-FOR-US: D-Link CVE-2013-5945 (Multiple SQL injection vulnerabilities in D-Link DSR-150 with firmware ...) NOT-FOR-US: D-Link CVE-2013-5944 (The integrated web server on Siemens SCALANCE X-200 switches with firm ...) NOT-FOR-US: web server on Siemens switches CVE-2013-5959 (Blue Coat ProxySG before 6.2.14.1, 6.3.x, 6.4.x, and 6.5 before 6.5.2 ...) NOT-FOR-US: Blue Coat ProxySG CVE-2013-5943 (Multiple cross-site scripting (XSS) vulnerabilities in Graphite before ...) - graphite-web 0.9.12+debian-1 CVE-2013-5942 (Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, ...) - graphite-web 0.9.12+debian-1 CVE-2013-5941 RESERVED CVE-2013-5940 RESERVED CVE-2013-5939 (Multiple cross-site scripting (XSS) vulnerabilities in the Guestbook m ...) NOT-FOR-US: PHPCMS CVE-2013-5938 (Cross-site scripting (XSS) vulnerability in the Click2Sell Suite modul ...) NOT-FOR-US: Click2Sell Suite Drupal contributed module CVE-2013-5937 (Cross-site request forgery (CSRF) vulnerability in the Click2Sell Suit ...) NOT-FOR-US: Click2Sell Suite Drupal contributed module CVE-2013-5936 (The Hazelcast cluster API in Open-Xchange AppSuite 7.0.x before 7.0.2- ...) NOT-FOR-US: Open-Xchange CVE-2013-5935 (The Hazelcast cluster API in Open-Xchange AppSuite 7.0.x before 7.0.2- ...) NOT-FOR-US: Open-Xchange CVE-2013-5934 (Open-Xchange AppSuite 7.0.x before 7.0.2-rev15 and 7.2.x before 7.2.2- ...) NOT-FOR-US: Open-Xchange CVE-2013-5933 (Stack-based buffer overflow in the sub_E110 function in init in a cert ...) NOT-FOR-US: Motorola CVE-2013-5932 (Unspecified vulnerability in WebAdmin in Sophos UTM (aka Astaro Securi ...) NOT-FOR-US: Sophos UTM CVE-2013-5931 (SQL injection vulnerability in property_listings_detail.php in Real Es ...) NOT-FOR-US: Real Estate PHP Script CVE-2013-5930 (Cross-site scripting (XSS) vulnerability in search_residential.php in ...) NOT-FOR-US: Real Estate PHP Script CVE-2013-5929 RESERVED CVE-2013-5928 RESERVED CVE-2013-5927 RESERVED CVE-2013-5926 RESERVED CVE-2013-5925 RESERVED CVE-2013-5924 RESERVED CVE-2013-5923 RESERVED CVE-2013-5922 RESERVED CVE-2013-5921 RESERVED CVE-2013-5920 RESERVED CVE-2013-5919 (Suricata before 1.4.6 allows remote attackers to cause a denial of ser ...) - suricata 2.0-1 (bug #751658) [wheezy] - suricata (Minor issue) [squeeze] - suricata (Minor issue) NOTE: https://github.com/OISF/suricata/commit/cd80dcbfd4616582daa39fa56960208ee8e23262 CVE-2013-5918 (Cross-site scripting (XSS) vulnerability in platinum_seo_pack.php in t ...) NOT-FOR-US: Platinum SEO plugin for WordPress CVE-2013-5917 (SQL injection vulnerability in wp-comments-post.php in the NOSpam PTI ...) NOT-FOR-US: NOSpam PTIa plugin for Wordpress CVE-2013-5916 (Cross-site scripting (XSS) vulnerability in falha.php in the Bradesco ...) NOT-FOR-US: WordPress plugin wp-e-commerce CVE-2013-5915 (The RSA-CRT implementation in PolarSSL before 1.2.9 does not properly ...) {DSA-2782-1} - polarssl 1.3.1-1 (bug #725359) NOTE: https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-05 CVE-2013-5914 (Buffer overflow in the ssl_read_record function in ssl_tls.c in PolarS ...) {DSA-2782-1} - polarssl 1.2.0-1 (bug #725359) NOTE: https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-04 CVE-2013-5913 (Cross-site scripting (XSS) vulnerability in the getRecommSearch functi ...) NOT-FOR-US: OXID eShop CVE-2013-5912 (VhttpdMgr in Thomson Reuters Velocity Analytics Vhayu Analytic Server ...) NOT-FOR-US: Thomson Reuters Velocity Analytics Vhayu Analytic Server CVE-2013-5911 (Cross-site scripting (XSS) vulnerability in devform.php in Tenable Sec ...) NOT-FOR-US: Tenable SecurityCenter CVE-2013-5910 (Unspecified vulnerability in Oracle Java SE 6u65 and 7u45, Java SE Emb ...) - openjdk-6 6b30-1.13.1-1 - openjdk-7 7u51-2.4.4-1 CVE-2013-5909 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-5908 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2848-1 DSA-2845-1} - mariadb-5.5 5.5.35-1 - mariadb-10.0 (Fixed before initial upload) - mysql-5.5 5.5.35+dfsg-1 - mysql-5.1 - percona-xtradb-cluster-5.5 5.5.37-25.10+dfsg-1 CVE-2013-5907 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JR ...) - openjdk-6 6b30-1.13.1-1 - openjdk-7 7u51-2.4.4-1 CVE-2013-5906 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45 all ...) - openjdk-6 (Installation performed differently for Linux distros) - openjdk-7 (Installation performed differently for Linux distros) CVE-2013-5905 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45 all ...) - openjdk-6 (Installation performed differently for Linux distros) - openjdk-7 (Installation performed differently for Linux distros) CVE-2013-5904 (Unspecified vulnerability in Oracle Java SE 7u45 allows remote attacke ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-5903 REJECTED CVE-2013-5902 (Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remot ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-5901 (Unspecified vulnerability in the Oracle Identity Manager component in ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-5900 (Unspecified vulnerability in the Oracle Identity Manager component in ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-5899 (Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remot ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-5898 (Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remot ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-5897 (Unspecified vulnerability in the Oracle Agile Product Lifecycle Manage ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2013-5896 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Ja ...) - openjdk-6 6b30-1.13.1-1 - openjdk-7 7u51-2.4.4-1 CVE-2013-5895 (Unspecified vulnerability in Oracle Java SE 7u45 and JavaFX 2.2.45 all ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2013-5894 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 (Only affects Mysql 5.6) - mysql-5.1 (Only affects Mysql 5.6) CVE-2013-5893 (Unspecified vulnerability in Oracle Java SE 7u45 and Java SE Embedded ...) - openjdk-6 (Only affects OpenJDK 7) - openjdk-7 7u51-2.4.4-1 CVE-2013-5892 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) {DSA-2878-1} - virtualbox-ose (low) - virtualbox 4.3.6-dfsg-1 (low; bug #735410) CVE-2013-5891 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2848-1} - mariadb-5.5 5.5.35-1 - mariadb-10.0 (Fixed before initial upload) - mysql-5.5 5.5.35+dfsg-1 - mysql-5.1 (Only affects 5.5 and 5.6) - percona-xtradb-cluster-5.5 5.5.37-25.10+dfsg-1 CVE-2013-5890 (Unspecified vulnerability in the Oracle Payroll component in Oracle E- ...) NOT-FOR-US: Oracle E-Business Suite CVE-2013-5889 (Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remot ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-5888 (Unspecified vulnerability in Oracle Java SE 6u65 and 7u45, when runnin ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-5887 (Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remot ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-5886 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-5885 (Unspecified vulnerability in Oracle Solaris 11.1 allows local users to ...) NOT-FOR-US: Oracle Solaris CVE-2013-5884 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Ja ...) - openjdk-6 6b30-1.13.1-1 - openjdk-7 7u51-2.4.4-1 CVE-2013-5883 (Unspecified vulnerability in Oracle Solaris 8 allows local users to af ...) NOT-FOR-US: Oracle Solaris CVE-2013-5882 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 (Only affects Mysql 5.6) - mysql-5.1 (Only affects Mysql 5.6) CVE-2013-5881 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 (Only affects Mysql 5.6) - mysql-5.1 (Only affects Mysql 5.6) CVE-2013-5880 (Unspecified vulnerability in the Oracle Demantra Demand Management com ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2013-5879 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-5878 (Unspecified vulnerability in Oracle Java SE 6u65 and 7u45, Java SE Emb ...) - openjdk-6 6b30-1.13.1-1 - openjdk-7 7u51-2.4.4-1 CVE-2013-5877 (Unspecified vulnerability in the Oracle Demantra Demand Management com ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2013-5876 (Unspecified vulnerability in Oracle Solaris 10 and 11.1 allows local u ...) NOT-FOR-US: Oracle Solaris CVE-2013-5875 (Unspecified vulnerability in Oracle Solaris 11.1 allows local users to ...) NOT-FOR-US: Oracle Solaris CVE-2013-5874 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2013-5873 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-5872 (Unspecified vulnerability in Oracle Solaris 10 and 11.1 allows local u ...) NOT-FOR-US: Oracle Solaris CVE-2013-5871 (Unspecified vulnerability in the Oracle AutoVue Electro-Mechanical Pro ...) NOT-FOR-US: Oracle Supply Chain Products CVE-2013-5870 (Unspecified vulnerability in Oracle Java SE 7u45 and JavaFX 2.2.45 all ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2013-5869 (Unspecified vulnerability in the Oracle WebCenter Portal component in ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-5868 (Unspecified vulnerability in the Oracle AutoVue Electro-Mechanical Pro ...) NOT-FOR-US: Oracle Supply Chain Products CVE-2013-5867 (Unspecified vulnerability in the Siebel Core - Server Infrastructure c ...) NOT-FOR-US: Oracle Siebel CRM CVE-2013-5866 (Unspecified vulnerability in Oracle Solaris 11.1 allows local users to ...) NOT-FOR-US: Solaris CVE-2013-5865 (Unspecified vulnerability in Oracle Solaris 11.1 allows local users to ...) NOT-FOR-US: Solaris CVE-2013-5864 (Unspecified vulnerability in Oracle Solaris 10 and 11.1 allows local u ...) NOT-FOR-US: Solaris CVE-2013-5863 (Unspecified vulnerability in Oracle Solaris 11.1 allows remote attacke ...) NOT-FOR-US: Solaris CVE-2013-5862 (Unspecified vulnerability in Oracle Solaris 10 and 11.1 allows local u ...) NOT-FOR-US: Solaris CVE-2013-5861 (Unspecified vulnerability in Oracle Solaris 11.1 allows remote attacke ...) NOT-FOR-US: Solaris CVE-2013-5860 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 (Only affects Mysql 5.6) - mysql-5.1 (Only affects Mysql 5.6) CVE-2013-5859 (Unspecified vulnerability in the Instantis EnterpriseTrack component i ...) NOT-FOR-US: Oracle Primavera Products Suite CVE-2013-5858 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2013-5857 (Unspecified vulnerability in the Oracle Health Sciences InForm compone ...) NOT-FOR-US: Oracle Industry Applications CVE-2013-5856 (Unspecified vulnerability in the Oracle Health Sciences InForm compone ...) NOT-FOR-US: Oracle Industry Applications CVE-2013-5855 (Oracle Mojarra 2.2.x before 2.2.6 and 2.1.x before 2.1.28 does not per ...) - mojarra 2.2.8-1 (low; bug #740586) [squeeze] - mojarra (Minor issue) [wheezy] - mojarra (Minor issue) NOTE: https://java.net/jira/browse/JAVASERVERFACES-3150 NOTE: https://java.net/projects/mojarra/sources/svn/revision/12793 CVE-2013-5854 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier and JavaF ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2013-5853 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2013-5852 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-5851 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier and Java ...) - openjdk-6 (Only affects Java 7) - openjdk-7 7u45-2.4.3-1 CVE-2013-5850 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 6b27-1.12.7-1 - openjdk-7 7u45-2.4.3-1 CVE-2013-5849 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 6b27-1.12.7-1 - openjdk-7 7u45-2.4.3-1 CVE-2013-5848 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-5847 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS eCompensat ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-5846 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, and Java ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2013-5845 (Unspecified vulnerability in the Oracle iLearning component in Oracle ...) NOT-FOR-US: Oracle iLearning CVE-2013-5844 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier and JavaF ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2013-5843 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 (Specific to Oracle Java, not present in IcedTea) - openjdk-7 (Specific to Oracle Java, not present in IcedTea) NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected CVE-2013-5842 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 6b27-1.12.7-1 - openjdk-7 7u45-2.4.3-1 CVE-2013-5841 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-5840 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 6b27-1.12.7-1 - openjdk-7 7u45-2.4.3-1 CVE-2013-5839 (Unspecified vulnerability in Oracle Solaris 10 allows remote attackers ...) NOT-FOR-US: Solaris CVE-2013-5838 (Unspecified vulnerability in Oracle Java SE 7u25 and earlier, and Java ...) - openjdk-6 (Only affects Java 7) - openjdk-7 7u45-2.4.3-1 CVE-2013-5837 (Unspecified vulnerability in the Oracle Health Sciences InForm compone ...) NOT-FOR-US: Solaris CVE-2013-5836 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-5835 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...) NOT-FOR-US: Oracle Siebel CRM CVE-2013-5834 (Unspecified vulnerability in Oracle Solaris 8 allows local users to af ...) NOT-FOR-US: Oracle Solaris CVE-2013-5833 (Unspecified vulnerability in Oracle Solaris 8 and 9 allows local users ...) NOT-FOR-US: Oracle Solaris CVE-2013-5832 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 (Specific to Oracle Java, not present in IcedTea) - openjdk-7 (Specific to Oracle Java, not present in IcedTea) NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected CVE-2013-5831 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-5830 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 6b27-1.12.7-1 - openjdk-7 7u45-2.4.3-1 CVE-2013-5829 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 6b27-1.12.7-1 - openjdk-7 7u45-2.4.3-1 CVE-2013-5828 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle Enterprise Manager Grid Control CVE-2013-5827 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle Enterprise Manager Grid Control CVE-2013-5826 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2013-5825 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 6b27-1.12.7-1 - openjdk-7 7u45-2.4.3-1 CVE-2013-5824 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-5823 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 6b27-1.12.7-1 - openjdk-7 7u45-2.4.3-1 NOTE: http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/a7758faab30d CVE-2013-5822 (Unspecified vulnerability in the Oracle iLearning component in Oracle ...) NOT-FOR-US: Oracle iLearning CVE-2013-5821 (Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11.1 allows ...) NOT-FOR-US: Oracle Solaris CVE-2013-5820 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 6b27-1.12.7-1 - openjdk-7 7u45-2.4.3-1 CVE-2013-5819 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-5818 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-5817 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 6b27-1.12.7-1 - openjdk-7 7u45-2.4.3-1 CVE-2013-5816 (Unspecified vulnerability in the Oracle GlassFish Server component in ...) - glassfish (Full application server not packaged) CVE-2013-5815 (Unspecified vulnerability in the Oracle Identity Analytics component i ...) NOT-FOR-US: Oracle Fusion Middleware Oracle Identity Analytics CVE-2013-5814 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 6b27-1.12.7-1 - openjdk-7 7u45-2.4.3-1 CVE-2013-5813 (Unspecified vulnerability in the Oracle WebCenter Content component in ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-5812 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-5811 (Unspecified vulnerability in the Oracle Health Sciences InForm compone ...) NOT-FOR-US: Oracle Industry Applications CVE-2013-5810 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier and JavaF ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2013-5809 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 6b27-1.12.7-1 - openjdk-7 7u45-2.4.3-1 CVE-2013-5808 (Unspecified vulnerability in the Oracle iPlanet Web Proxy Server compo ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-5807 (Unspecified vulnerability in Oracle MySQL Server 5.5.x through 5.5.32 ...) {DSA-2818-1} - mysql-5.5 5.5.33 - mariadb-5.5 5.5.35-1 - mariadb-10.0 (Fixed before initial upload) - mysql-5.1 (Only affects Mysql 5.5 and 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html CVE-2013-5806 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier and Java ...) - openjdk-6 (Specific to MacOS X) - openjdk-7 7u45-2.4.3-1 NOTE: openjdk-7 package mentioned this CVE, specifc to Mac OS X? CVE-2013-5805 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier and Java ...) - openjdk-6 (Specific to MacOS X) - openjdk-7 7u45-2.4.3-1 NOTE: openjdk-7 package mentioned this CVE, specific to MacOS X? CVE-2013-5804 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 6b27-1.12.7-1 (unimportant) - openjdk-7 7u45-2.4.3-1 (unimportant) NOTE: Javadoc comments can contain arbitrary HTML CVE-2013-5803 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 6b27-1.12.7-1 - openjdk-7 7u45-2.4.3-1 NOTE: http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/0b84d3b434c2 CVE-2013-5802 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 6b27-1.12.7-1 - openjdk-7 7u45-2.4.3-1 CVE-2013-5801 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 (Specific to Oracle Java, not present in IcedTea) - openjdk-7 (Specific to Oracle Java, not present in IcedTea) NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected CVE-2013-5800 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier and Java ...) - openjdk-6 (Only affects Java 7) - openjdk-7 7u45-2.4.3-1 CVE-2013-5799 (Unspecified vulnerability in the Oracle Agile PLM Framework component ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2013-5798 (Unspecified vulnerability in the Oracle Identity Manager component in ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-5797 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 6b27-1.12.7-1 - openjdk-7 7u45-2.4.3-1 CVE-2013-5796 (Unspecified vulnerability in the Siebel Core - EAI component in Oracle ...) NOT-FOR-US: Oracle Siebel CRM CVE-2013-5795 (Unspecified vulnerability in the Oracle Demantra Demand Management com ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2013-5794 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-5793 (Unspecified vulnerability in Oracle MySQL Server 5.6.12 and earlier al ...) - mysql-5.5 (Only affects Mysql 5.6) - mysql-5.1 (Only affects Mysql 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html CVE-2013-5792 (Unspecified vulnerability in the Techstack component in Oracle E-Busin ...) NOT-FOR-US: Oracle E-Business Suite CVE-2013-5791 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-5790 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 6b27-1.12.7-1 - openjdk-7 7u45-2.4.3-1 CVE-2013-5789 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-5788 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier and Java ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-5787 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-5786 (Unspecified vulnerability in Oracle MySQL Server 5.6.12 and earlier al ...) - mysql-5.5 (Only affects Mysql 5.6) - mysql-5.1 (Only affects Mysql 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html CVE-2013-5785 (Unspecified vulnerability in the Oracle Reports Developer component in ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-5784 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 6b27-1.12.7-1 - openjdk-7 7u45-2.4.3-1 CVE-2013-5783 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 6b27-1.12.7-1 - openjdk-7 7u45-2.4.3-1 NOTE: http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/2790e9ace697 CVE-2013-5782 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 6b27-1.12.7-1 - openjdk-7 7u45-2.4.3-1 CVE-2013-5781 (Unspecified vulnerability in Oracle PARC Enterprise T4 Servers running ...) NOT-FOR-US: Oracle PARC Enterprise CVE-2013-5780 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 6b27-1.12.7-1 - openjdk-7 7u45-2.4.3-1 CVE-2013-5779 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-5778 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, 6u60 and ...) - openjdk-6 6b27-1.12.7-1 - openjdk-7 7u45-2.4.3-1 CVE-2013-5777 (Unspecified vulnerability in the Java SE and JavaFX components in Orac ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2013-5776 (Unspecified vulnerability in the Java SE and Java SE Embedded componen ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-5775 (Unspecified vulnerability in the Java SE and JavaFX components in Orac ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2013-5774 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, 6u60 and ...) - openjdk-6 6b27-1.12.7-1 - openjdk-7 7u45-2.4.3-1 CVE-2013-5773 (Unspecified vulnerability in the Oracle Containers for J2EE component ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-5772 (Unspecified vulnerability in the Java SE component in Oracle Java SE J ...) - openjdk-6 6b27-1.12.7-1 - openjdk-7 7u45-2.4.3-1 CVE-2013-5771 (Unspecified vulnerability in the XML Parser component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2013-5770 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 (Only affects Mysql 5.6) - mysql-5.1 (Only affects Mysql 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html CVE-2013-5769 (Unspecified vulnerability in the Siebel Core - EAI component in Oracle ...) NOT-FOR-US: Oracle Siebel CRM CVE-2013-5768 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...) NOT-FOR-US: Oracle Siebel CRM CVE-2013-5767 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 (Only affects Mysql 5.6) - mysql-5.1 (Only affects Mysql 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html CVE-2013-5766 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle Enterprise Manager Grid Control CVE-2013-5765 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-5764 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2013-5763 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-5762 (Unspecified vulnerability in the Oracle Siebel CTMS component in Oracl ...) NOT-FOR-US: Oracle Siebel CVE-2013-5761 (Unspecified vulnerability in the Siebel Core - Server BizLogic Script ...) NOT-FOR-US: Oracle Siebel CVE-2013-5760 (QNAP Photo Station before firmware 4.0.3 build0912 allows remote attac ...) NOT-FOR-US: QNAP firmware CVE-2013-5759 REJECTED CVE-2013-5758 (cgi-bin/cgiServer.exx in Yealink VoIP Phone SIP-T38G allows remote aut ...) NOT-FOR-US: Yealink VoIP Phone CVE-2013-5757 (Absolute path traversal vulnerability in Yealink VoIP Phone SIP-T38G a ...) NOT-FOR-US: Yealink VoIP Phone CVE-2013-5756 (Directory traversal vulnerability in Yealink VoIP Phone SIP-T38G allow ...) NOT-FOR-US: Yealink VoIP Phone CVE-2013-5755 (config/.htpasswd in Yealink IP Phone SIP-T38G has a hardcoded password ...) NOT-FOR-US: Yealink IP Phone CVE-2013-5754 (The authorization implementation on Dahua DVR appliances accepts a has ...) NOT-FOR-US: Dahua DVR CVE-2013-5753 RESERVED CVE-2013-5752 RESERVED CVE-2013-5751 (Directory traversal vulnerability in SAP NetWeaver 7.x allows remote a ...) NOT-FOR-US: SAP NetWeaver 7.x CVE-2013-5750 (The login form in the FriendsOfSymfony FOSUserBundle bundle before 1.3 ...) NOT-FOR-US: FriendsOfSymfony FOSUserBundle CVE-2013-5749 (Cross-site scripting (XSS) vulnerability in management/prioritize_plan ...) NOT-FOR-US: SimpleRisk CVE-2013-5748 (Cross-site request forgery (CSRF) vulnerability in management/prioriti ...) NOT-FOR-US: SimpleRisk CVE-2013-5747 RESERVED CVE-2013-5746 RESERVED CVE-2013-5744 (Cross-site scripting (XSS) vulnerability in Feng Office 2.3.2-rc and e ...) NOT-FOR-US: Feng Office CVE-2013-5743 (Multiple SQL injection vulnerabilities in Zabbix 1.8.x before 1.8.18rc ...) - zabbix 1:2.0.8+dfsg-2 [squeeze] - zabbix (Not supported in Squeeze LTS) CVE-2013-5742 RESERVED CVE-2013-5741 (Triangle Research International (aka Tri) Nano-10 PLC devices with fir ...) NOT-FOR-US: Triangle Research International Nano-10 PLC CVE-2013-5745 (The vino_server_client_data_pending function in vino-server.c in GNOME ...) - vino 3.10.1-1 (low; bug #724545) [wheezy] - vino (Minor issue) [squeeze] - vino (Minor issue) NOTE: http://seclists.org/fulldisclosure/2013/Sep/105 CVE-2013-5740 (Unspecified vulnerability in the Intel Trusted Execution Technology (T ...) NOT-FOR-US: Intel Trusted Execution Technology CVE-2013-5739 (The default configuration of WordPress before 3.6.1 does not prevent u ...) {DSA-2757-1} - wordpress 3.6.1+dfsg-1 CVE-2013-5738 (The get_allowed_mime_types function in wp-includes/functions.php in Wo ...) {DSA-2757-1} - wordpress 3.6.1+dfsg-1 CVE-2013-5737 RESERVED CVE-2013-5736 RESERVED CVE-2013-5735 RESERVED CVE-2013-5734 RESERVED CVE-2013-5733 RESERVED CVE-2013-5732 RESERVED CVE-2013-5731 RESERVED CVE-2013-5730 (Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link D ...) NOT-FOR-US: D-Link CVE-2013-5729 RESERVED CVE-2013-5728 RESERVED CVE-2013-5727 RESERVED CVE-2013-5726 (Tweetbot 1.3.3 for Mac, and 2.8.5 for iPad and iPhone, does not requir ...) NOT-FOR-US: Tweetbot for iOS and Mac CVE-2013-5725 (The Metaclassy Byword app 2.x before 2.1 for iOS does not require conf ...) NOT-FOR-US: Byword for iOS CVE-2013-5724 (Phpbb3 before 3.0.11-4 for Debian GNU/Linux uses world-writable permis ...) {DSA-2752-1} - phpbb3 3.0.11-4 (bug #711172) CVE-2013-5723 (SQL injection vulnerability in SAP NetWeaver 7.30 allows remote attack ...) NOT-FOR-US: SAP NetWeaver CVE-2013-5716 (Gretech GOM Media Player 2.2.53.5169 and possibly earlier allows remot ...) NOT-FOR-US: Gretech GOM Media Player CVE-2013-5715 (Buffer overflow in Gretech GOM Media Player before 2.2.53.5169 has uns ...) NOT-FOR-US: Gretech GOM Media Player CVE-2013-5714 (Multiple cross-site scripting (XSS) vulnerabilities in ls/htmlchat.php ...) NOT-FOR-US: WordPress plugin videowhisper-live-streaming-integration CVE-2013-5713 RESERVED CVE-2013-5712 RESERVED CVE-2013-5711 (Cross-site scripting (XSS) vulnerability in admin/walkthrough/walkthro ...) NOT-FOR-US: Design-approval-system Plugin for WordPress CVE-2013-5722 (Unspecified vulnerability in the LDAP dissector in Wireshark 1.8.x bef ...) {DSA-2756-1} - wireshark 1.10.2-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2013-59.html CVE-2013-5721 (The dissect_mq_rr function in epan/dissectors/packet-mq.c in the MQ di ...) {DLA-497-1} - wireshark 1.10.2-1 (unimportant) NOTE: Not suitable for code injection NOTE: https://www.wireshark.org/security/wnpa-sec-2013-58.html CVE-2013-5720 (Buffer overflow in the RTPS dissector in Wireshark 1.8.x before 1.8.10 ...) {DSA-2756-1} - wireshark 1.10.2-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2013-57.html CVE-2013-5719 (epan/dissectors/packet-assa_r3.c in the ASSA R3 dissector in Wireshark ...) {DLA-497-1} - wireshark 1.10.2-1 (unimportant) NOTE: Not suitable for code injection NOTE: https://www.wireshark.org/security/wnpa-sec-2013-56.html CVE-2013-5718 (The dissect_nbap_T_dCH_ID function in epan/dissectors/packet-nbap.c in ...) {DSA-2756-1} - wireshark 1.10.2-1 [squeeze] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2013-55.html CVE-2013-5717 (The Bluetooth HCI ACL dissector in Wireshark 1.10.x before 1.10.2 does ...) - wireshark 1.10.2-1 [wheezy] - wireshark (Only affects 1.10.x) [squeeze] - wireshark (Only affects 1.10.x) NOTE: https://www.wireshark.org/security/wnpa-sec-2013-54.html CVE-2013-5710 (The nullfs implementation in sys/fs/nullfs/null_vnops.c in the kernel ...) {DSA-2769-1} - kfreebsd-9 9.2~svn255465-1 (bug #722337) - kfreebsd-8 [squeeze] - kfreebsd-8 (Unsupported in squeeze-lts) [wheezy] - kfreebsd-8 8.3-6+deb7u1 CVE-2013-5709 (The authentication implementation in the web server on Siemens SCALANC ...) NOT-FOR-US: Siemens SCALANCE X-200 CVE-2013-5708 (Coursemill Learning Management System (LMS) 6.8 constructs secret toke ...) NOT-FOR-US: Coursemill Learning Management System CVE-2013-5707 (Multiple cross-site scripting (XSS) vulnerabilities in Coursemill Lear ...) NOT-FOR-US: Coursemill Learning Management System CVE-2013-5706 (Multiple cross-site scripting (XSS) vulnerabilities in Coursemill Lear ...) NOT-FOR-US: Coursemill Learning Management System CVE-2013-5705 (apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attack ...) {DSA-2991-1 DLA-34-1} - modsecurity-apache 2.7.7-1 - libapache-mod-security [squeeze] - libapache-mod-security 2.5.12-1+squeeze4 NOTE: Upstream commit: https://github.com/SpiderLabs/ModSecurity/commit/f8d441cd25172fdfe5b613442fedfc0da3cc333d NOTE: http://martin.swende.se/blog/HTTPChunked.html CVE-2013-5704 (The mod_headers module in the Apache HTTP Server 2.2.22 allows remote ...) {DLA-71-1} - apache2 2.4.10-2 (medium) [wheezy] - apache2 2.2.22-13+deb7u4 NOTE: http://marc.info/?l=apache-httpd-dev&m=139636309822854&w=2 CVE-2013-5703 (The DrayTek Vigor 2700 router 2.8.3 allows remote attackers to execute ...) NOT-FOR-US: DrayTek Vigor 2700 router CVE-2013-5702 (Multiple cross-site scripting (XSS) vulnerabilities in WebCenter in Wa ...) NOT-FOR-US: Watchguard Server Center CVE-2013-5701 (Multiple untrusted search path vulnerabilities in (1) Watchguard Log C ...) NOT-FOR-US: Watchguard Server Center CVE-2013-5700 (The Bloom Filter implementation in bitcoind and Bitcoin-Qt 0.8.x befor ...) - bitcoin 0.8.4-1 NOTE: https://bitcointalk.org/index.php?topic=287351.0 CVE-2013-5699 RESERVED CVE-2013-5698 (Cross-site scripting (XSS) vulnerability in Open-Xchange AppSuite and ...) NOT-FOR-US: Open-Xchange CVE-2013-5697 (SQL injection vulnerability in mod_accounting.c in the mod_accounting ...) - libapache-mod-acct CVE-2013-5696 (inc/central.class.php in GLPI before 0.84.2 does not attempt to make i ...) - glpi 0.84.2-1 (unimportant; bug #723837) NOTE: Only supported behind an authenticated HTTP zone CVE-2013-5695 (Multiple cross-site scripting (XSS) vulnerabilities in Opsview before ...) NOT-FOR-US: Ops View CVE-2013-5694 (SQL injection vulnerability in status/service/acknowledge in Opsview b ...) NOT-FOR-US: Ops View CVE-2013-5693 (Cross-site scripting (XSS) vulnerability in X2Engine X2CRM before 3.5 ...) NOT-FOR-US: X2CRM CVE-2013-5692 (Directory traversal vulnerability in X2Engine X2CRM before 3.5 allows ...) NOT-FOR-US: X2CRM CVE-2013-5691 (The (1) IPv6 and (2) ATM ioctl request handlers in the kernel in FreeB ...) {DSA-2769-1} - kfreebsd-9 9.2~svn255465-1 (bug #722338) - kfreebsd-8 [squeeze] - kfreebsd-8 (Unsupported in squeeze-lts) [wheezy] - kfreebsd-8 8.3-6+deb7u1 CVE-2013-5690 (Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange Ap ...) NOT-FOR-US: Open-Xchange CVE-2013-5687 (RiskNet Acquirer before hotfix 6.0 b7+ADHOC-443 ApplicationServiceBean ...) NOT-FOR-US: RiskNet Acquirer CVE-2013-5686 RESERVED CVE-2013-5685 RESERVED CVE-2013-5684 RESERVED CVE-2013-5683 RESERVED CVE-2013-5682 RESERVED CVE-2013-5681 RESERVED CVE-2013-5680 (Heap-based buffer overflow in hfaxd in HylaFAX+ 5.2.4 through 5.5.3, w ...) - hylafax (Not built with LDAP support) NOTE: http://www.securityfocus.com/archive/1/528943/30/0/threaded CVE-2013-5679 (The authenticated-encryption feature in the symmetric-encryption imple ...) NOT-FOR-US: OWASP Enterprise Security API for Java CVE-2013-5678 RESERVED CVE-2013-5677 RESERVED CVE-2013-5676 (The Jenkins Plugin for SonarQube 3.7 and earlier allows remote authent ...) NOT-FOR-US: SonarQube Jenkins plugin CVE-2013-5674 (badges/external.php in Moodle 2.5.x before 2.5.2 does not properly han ...) - moodle 2.5.2-1 [squeeze] - moodle (Only affects 2.5.x) CVE-2013-5669 (The Thecus NAS server N8800 with firmware 5.03.01 uses cleartext crede ...) NOT-FOR-US: Thecus NAS server N8800 CVE-2013-5668 (The ADS/NT Support page on the Thecus NAS server N8800 with firmware 5 ...) NOT-FOR-US: Thecus NAS server N8800 CVE-2013-5667 (The Thecus NAS server N8800 with firmware 5.03.01 allows remote attack ...) NOT-FOR-US: Thecus NAS server N8800 CVE-2013-5666 (The sendfile system-call implementation in sys/kern/uipc_syscalls.c in ...) - kfreebsd-9 9.2~svn255465-1 (bug #722336) [wheezy] - kfreebsd-9 (Only affects 9.2.x) CVE-2013-5665 RESERVED CVE-2013-5664 (Cross-site scripting (XSS) vulnerability in the web-based device-manag ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2013-5663 (The App-ID cache feature in Palo Alto Networks PAN-OS before 4.0.14, 4 ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2013-5662 RESERVED CVE-2013-5661 (Cache Poisoning issue exists in DNS Response Rate Limiting. ...) NOTE: DNS protocol flaw NOTE: http://www.certa.ssi.gouv.fr/site/CERTA-2013-AVI-506/index.html NOTE: https://www.isc.org/blogs/cache-poisoning-gets-a-second-wind-from-rrl-probably-not/ CVE-2013-5660 (Buffer overflow in Power Software WinArchiver 3.2 allows remote attack ...) NOT-FOR-US: Power Software WinArchiver CVE-2013-5659 (Wiz 5.0.3 has a user mode write access violation ...) NOT-FOR-US: Wiz CVE-2013-5658 (AultWare pwStore 2010.8.30.0 has XSS ...) NOT-FOR-US: AultWare pwStore CVE-2013-5657 (AultWare pwStore 2010.8.30.0 has DoS via an empty HTTP request ...) NOT-FOR-US: AultWare pwStore CVE-2013-5656 (FuzeZip 1.0.0.131625 has a Local Buffer Overflow vulnerability ...) NOT-FOR-US: FuzeZip CVE-2012-6632 (Multiple cross-site scripting (XSS) vulnerabilities in Vessio NetBill ...) NOT-FOR-US: Vessio NetBill CVE-2012-6631 (Cross-site request forgery (CSRF) vulnerability in accounts/admin/inde ...) NOT-FOR-US: Vessio NetBill CVE-2012-6630 (Multiple cross-site scripting (XSS) vulnerabilities in the Media Libra ...) NOT-FOR-US: WordPress plugin Media Library Categories CVE-2012-6629 (Multiple cross-site request forgery (CSRF) vulnerabilities in the News ...) NOT-FOR-US: WordPress plugin Newsletter Manager CVE-2012-6628 (Multiple cross-site scripting (XSS) vulnerabilities in the Newsletter ...) NOT-FOR-US: WordPress plugin Newsletter Manager CVE-2012-6627 (Cross-site scripting (XSS) vulnerability in admin/test_mail.php in the ...) NOT-FOR-US: WordPress plugin Newsletter Manager CVE-2012-6626 (SQL injection vulnerability in verify-user.php in b2ePMS 1.0 allows re ...) NOT-FOR-US: b2ePMS CVE-2012-6625 (SQL injection vulnerability in fs-admin/fs-admin.php in the ForumPress ...) NOT-FOR-US: WordPress plugin WP Forum Server CVE-2012-6624 (Cross-site scripting (XSS) vulnerability in the SoundCloud Is Gold plu ...) NOT-FOR-US: WordPress plugin SoundCloud Is Gold CVE-2012-6623 (Cross-site scripting (XSS) vulnerability in fs-admin/wpf-add-forum.php ...) NOT-FOR-US: WordPress plugin ForumPress WP Forum Server CVE-2012-6622 (Multiple cross-site scripting (XSS) vulnerabilities in fs-admin/fs-adm ...) NOT-FOR-US: WordPress plugin ForumPress WP Forum Server CVE-2012-6606 (Palo Alto Networks GlobalProtect before 1.1.7, and NetConnect, does no ...) NOT-FOR-US: alo Alto Networks GlobalProtect CVE-2012-6605 (The device-management command-line interface in Palo Alto Networks PAN ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2012-6604 (The device-management command-line interface in Palo Alto Networks PAN ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2012-6603 (The web management UI in Palo Alto Networks PAN-OS before 3.1.12, 4.0. ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2012-6602 (The device-management command-line interface in Palo Alto Networks PAN ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2012-6601 (The device-management command-line interface in Palo Alto Networks PAN ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2012-6600 (The device-management command-line interface in Palo Alto Networks PAN ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2012-6599 (The device-management command-line interface in Palo Alto Networks PAN ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2012-6598 (The device-management command-line interface in Palo Alto Networks PAN ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2012-6597 (Palo Alto Networks PAN-OS before 3.1.11 and 4.0.x before 4.0.9 allows ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2012-6596 (Palo Alto Networks PAN-OS 4.0.x before 4.0.9 and 4.1.x before 4.1.3 st ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2012-6595 (The device-management command-line interface in Palo Alto Networks PAN ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2012-6594 (The device-management command-line interface in Palo Alto Networks PAN ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2012-6593 (Palo Alto Networks PAN-OS before 3.1.10 and 4.0.x before 4.0.4 allows ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2012-6592 (Palo Alto Networks PAN-OS before 3.1.10 and 4.0.x before 4.0.5 allows ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2012-6591 (The device-management command-line interface in Palo Alto Networks PAN ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2012-6590 (The web-based management UI in Palo Alto Networks PAN-OS 4.0.x before ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2013-5689 [Arbitrary File Upload] REJECTED CVE-2013-5688 (Multiple directory traversal vulnerabilities in index.php in AjaXplore ...) - ajaxplorer (bug #668381) CVE-2013-5675 RESERVED NOT-FOR-US: Symantec Endpoint Protection CVE-2013-4298 (The ReadGIFImage function in coders/gif.c in ImageMagick before 6.7.8- ...) {DSA-2750-1} - imagemagick 8:6.7.7.10-6 (bug #721273) [squeeze] - imagemagick (Code not vulnerable) CVE-2013-5673 (SQL injection vulnerability in testimonial.php in the IndiaNIC Testimo ...) NOT-FOR-US: IndiaNIC Testimonial plugin 2.2 for WordPress CVE-2013-5672 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Indi ...) NOT-FOR-US: IndiaNIC Testimonial plugin 2.2 for WordPress CVE-2013-5671 (lib/dragonfly/imagemagickutils.rb in the fog-dragonfly gem 0.8.2 for R ...) NOT-FOR-US: fog-dragonfly Ruby Gem CVE-2013-5670 (Cross-site scripting (XSS) vulnerability in spell-check-savedicts.php ...) - serendipity (Spellcheck plugin not included in 1.5.x) CVE-2013-5653 (The getenv and filenameforall functions in Ghostscript 9.10 ignore the ...) {DSA-3691-1 DLA-674-1} - ghostscript 9.19~dfsg-3.1 (low; bug #839118) NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=694724 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ab109aaeb3ddba59518b036fb288402a65cf7ce8 CVE-2013-5652 RESERVED CVE-2013-5650 (Junos Pulse Secure Access Service (IVE) 7.1 before 7.1r5, 7.2 before 7 ...) NOT-FOR-US: Junos Pulse Secure Access Service CVE-2013-5649 (Multiple cross-site scripting (XSS) vulnerabilities in Juniper Junos P ...) NOT-FOR-US: Juniper CVE-2013-5655 (Directory traversal vulnerability in the FTP server in YingZhi Python ...) NOT-FOR-US: YingZhi Python for iOS CVE-2013-5654 (Vulnerability in YingZhi Python Programming Language v1.9 allows arbit ...) NOT-FOR-US: YingZhi Python for iOS CVE-2013-5651 (The virBitmapParse function in util/virbitmap.c in libvirt before 1.1. ...) - libvirt 1.1.2~rc1-1 [jessie] - libvirt (vulnerable code not introduced, introduced in v0.10.2-rc1) [wheezy] - libvirt (vulnerable code not introduced, introduced in v0.10.2-rc1) [squeeze] - libvirt (vulnerable code not introduced, introduced in v0.10.2-rc1) NOTE: introduced by: http://libvirt.org/git/?p=libvirt.git;a=commit;h=0fc89098a68f0f6962de8be4fc03ddd960ffbf08 NOTE: Upstream fix: http://libvirt.org/git/?p=libvirt.git;a=commit;h=47b9127e883677a0d60d767030a147450e919a25 CVE-2013-5646 (Cross-site scripting (XSS) vulnerability in Roundcube webmail 1.0-git ...) - roundcube (Unclear, 0.9.2 reported not affected, all other issues covered by CVE-2013-5645) CVE-2013-5645 (Multiple cross-site scripting (XSS) vulnerabilities in Roundcube webma ...) - roundcube 0.9.4-1 (bug #721592) [wheezy] - roundcube (Minor issue) [squeeze] - roundcube (Minor issue) NOTE: http://web.archive.org/web/20160311164159/http://trac.roundcube.net/changeset/93b0a30c1c8aa29d862b587b31e52bcc344b8d16/github NOTE: http://web.archive.org/web/20160311132902/http://trac.roundcube.net/changeset/ce5a6496fd6039962ba7424d153278e41ae8761b/github NOTE: http://trac.roundcube.net/ticket/1489251 CVE-2013-5644 RESERVED CVE-2013-5643 REJECTED CVE-2013-5640 (Multiple SQL injection vulnerabilities in Gnew 2013.1 allow remote att ...) NOT-FOR-US: Gnew CVE-2013-5639 (Directory traversal vulnerability in users/login.php in Gnew 2013.1 an ...) NOT-FOR-US: Gnew CVE-2013-5648 (Absolute path traversal vulnerability in the handleStartDataFile funct ...) - libdigidoc (Fixed before initial upload to the archive) CVE-2013-5647 (lib/sounder/sound.rb in the sounder gem 1.0.1 for Ruby allows remote a ...) NOT-FOR-US: Sounder Ruby Gem CVE-2013-5642 (The SIP channel driver (channels/chan_sip.c) in Asterisk Open Source 1 ...) {DSA-2749-1} - asterisk 1:11.5.1~dfsg-1 (bug #721220) NOTE: http://downloads.asterisk.org/pub/security/AST-2013-005.html CVE-2013-5641 (The SIP channel driver (channels/chan_sip.c) in Asterisk Open Source 1 ...) {DSA-2749-1} - asterisk 1:11.5.1~dfsg-1 (bug #721220) NOTE: http://downloads.asterisk.org/pub/security/AST-2013-004.html CVE-2013-5638 (Transcend WiFiSD 1.8 has persistent XSS ...) NOT-FOR-US: Transcend WiFiSD CVE-2013-5637 (PQI AirCard has persistent XSS ...) NOT-FOR-US: PQI AirCard CVE-2013-5636 (Unlock.exe in Media Encryption EPM Explorer in Check Point Endpoint Se ...) NOT-FOR-US: Check Point Endpoint Security CVE-2013-5635 (Media Encryption EPM Explorer in Check Point Endpoint Security through ...) NOT-FOR-US: Check Point Endpoint Security CVE-2013-5633 REJECTED CVE-2013-5632 REJECTED CVE-2013-5631 REJECTED CVE-2013-5630 REJECTED CVE-2013-5629 REJECTED CVE-2013-5628 REJECTED CVE-2013-5627 REJECTED CVE-2013-5626 REJECTED CVE-2013-5625 REJECTED CVE-2013-5624 REJECTED CVE-2013-5623 REJECTED CVE-2013-5622 REJECTED CVE-2013-5621 REJECTED CVE-2013-5620 REJECTED CVE-2013-5619 (Multiple integer overflows in the binary-search implementation in Spid ...) - iceweasel (Only affects Firefox 25) - iceape (Only affects Firefox 25) CVE-2013-5618 (Use-after-free vulnerability in the nsNodeUtils::LastRelease function ...) - iceweasel 24.2.0esr-1 - icedove 24.2.0-1 - iceape [squeeze] - iceweasel [wheezy] - iceape [squeeze] - icedove [squeeze] - iceape CVE-2013-5617 RESERVED CVE-2013-5616 (Use-after-free vulnerability in the nsEventListenerManager::HandleEven ...) - iceweasel 24.2.0esr-1 - icedove 24.2.0-1 - iceape [squeeze] - iceweasel [wheezy] - iceape [squeeze] - icedove [squeeze] - iceape CVE-2013-5615 (The JavaScript implementation in Mozilla Firefox before 26.0, Firefox ...) - iceweasel 24.2.0esr-1 - icedove 24.2.0-1 - iceape [squeeze] - iceweasel [wheezy] - iceape [squeeze] - icedove [squeeze] - iceape CVE-2013-5614 (Mozilla Firefox before 26.0 and SeaMonkey before 2.23 do not properly ...) - iceweasel (Only affects Firefox 25) CVE-2013-5613 (Use-after-free vulnerability in the PresShell::DispatchSynthMouseMove ...) - iceweasel 24.2.0esr-1 - icedove 24.2.0-1 - iceape [squeeze] - iceweasel [wheezy] - iceape [squeeze] - icedove [squeeze] - iceape CVE-2013-5612 (Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 26. ...) - iceweasel (Only affects Firefox 25) CVE-2013-5611 (Mozilla Firefox before 26.0 does not properly remove the Application I ...) - iceweasel (Only affects Firefox 25) CVE-2013-5610 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel (Only affects Firefox 25) - iceape (Only affects Firefox 25) - icedove (Only affects Firefox 25) CVE-2013-5609 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel 24.2.0esr-1 - icedove 24.2.0-1 - iceape [squeeze] - iceweasel [wheezy] - iceape [squeeze] - icedove [squeeze] - iceape CVE-2013-5608 RESERVED CVE-2013-5607 (Integer overflow in the PL_ArenaAllocate function in Mozilla Netscape ...) {DSA-2820-1} - nspr 2:4.10.2-1 CVE-2013-5606 (The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla Netw ...) {DSA-2994-1 DLA-23-1} - nss 2:3.15.3-1 (bug #735105) [squeeze] - nss 3.12.8-1+squeeze8 CVE-2013-5605 (Mozilla Network Security Services (NSS) 3.14 before 3.14.5 and 3.15 be ...) {DSA-2800-1} - nss 2:3.15.3-1 CVE-2013-5604 (The txXPathNodeUtils::getBaseURI function in the XSLT processor in Moz ...) {DSA-2797-1 DSA-2788-1} - iceweasel 24.1.0esr-1 [squeeze] - iceweasel - icedove 17.0.10-1 [squeeze] - icedove [wheezy] - iceape [squeeze] - iceape - iceape CVE-2013-5603 (Use-after-free vulnerability in the nsContentUtils::ContentIsHostInclu ...) - iceweasel 24.1.0esr-1 [wheezy] - iceweasel (Only affects Firefox > 17) [squeeze] - iceweasel - icedove (Only affects Firefox > 17) - iceape (Only affects Firefox > 17) CVE-2013-5602 (The Worker::SetEventListener function in the Web workers implementatio ...) {DSA-2797-1 DSA-2788-1} - iceweasel 24.1.0esr-1 [squeeze] - iceweasel [squeeze] - icedove [squeeze] - iceape [wheezy] - iceape - icedove 17.0.10-1 - iceape CVE-2013-5601 (Use-after-free vulnerability in the nsEventListenerManager::SetEventHa ...) {DSA-2797-1 DSA-2788-1} - iceweasel 24.1.0esr-1 [squeeze] - iceweasel - icedove 17.0.10-1 [squeeze] - icedove - iceape [wheezy] - iceape [squeeze] - iceape CVE-2013-5600 (Use-after-free vulnerability in the nsIOService::NewChannelFromURIWith ...) {DSA-2797-1 DSA-2788-1} - iceweasel 24.1.0esr-1 [squeeze] - iceweasel [squeeze] - icedove [wheezy] - iceape [squeeze] - iceape - icedove 17.0.10-1 - iceape CVE-2013-5599 (Use-after-free vulnerability in the nsIPresShell::GetPresContext funct ...) {DSA-2797-1 DSA-2788-1} - iceweasel 24.1.0esr-1 [squeeze] - iceweasel [wheezy] - iceape [squeeze] - icedove [squeeze] - iceape - icedove 17.0.10-1 - iceape CVE-2013-5598 (PDF.js in Mozilla Firefox before 25.0 and Firefox ESR 24.x before 24.1 ...) - iceweasel 24.1.0esr-1 [wheezy] - iceweasel (Only affects Firefox >=24) [squeeze] - iceweasel - icedove (Only affects Firefox >=24) - iceape (Only affects Firefox >=24) CVE-2013-5597 (Use-after-free vulnerability in the nsDocLoader::doStopDocumentLoad fu ...) {DSA-2797-1 DSA-2788-1} - iceweasel 24.1.0esr-1 [squeeze] - iceweasel [wheezy] - iceape [squeeze] - icedove [squeeze] - iceape - icedove 17.0.10-1 - iceape CVE-2013-5596 (The cycle collection (CC) implementation in Mozilla Firefox before 25. ...) - iceweasel 24.1.0esr-1 [wheezy] - iceweasel (Only affects Firefox > 17) [squeeze] - iceweasel - icedove (Only affects Firefox > 17) - iceape (Only affects Firefox > 17) CVE-2013-5595 (The JavaScript engine in Mozilla Firefox before 25.0, Firefox ESR 17.x ...) {DSA-2797-1 DSA-2788-1} - iceweasel 24.1.0esr-1 [squeeze] - iceweasel [squeeze] - icedove [squeeze] - iceape [wheezy] - iceape - icedove 17.0.10-1 - iceape CVE-2013-5594 (Mozilla Firefox before 25 allows modification of anonymous content of ...) - firefox-esr (Fixed before initial upload renamed as src:firefox-esr) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=914618 CVE-2013-5593 (The SELECT element implementation in Mozilla Firefox before 25.0, Fire ...) - iceweasel 24.1.0esr-1 [wheezy] - iceweasel (Only affects Firefox > 17) [squeeze] - iceweasel - icedove (Only affects Firefox > 17) - iceape (Only affects Firefox > 17) CVE-2013-5592 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel 24.1.0esr-1 [wheezy] - iceweasel (Only affects Firefox >=24) [squeeze] - iceweasel - icedove (Only affects Firefox >=24) - iceape (Only affects Firefox >=24) CVE-2013-5591 (Unspecified vulnerability in the browser engine in Mozilla Firefox bef ...) - iceweasel 24.1.0esr-1 [wheezy] - iceweasel (Only affects Firefox >=24) [squeeze] - iceweasel - icedove (Only affects Firefox >=24) - iceape (Only affects Firefox >=24) CVE-2013-5590 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2797-1 DSA-2788-1} - iceweasel 24.1.0esr-1 [squeeze] - iceweasel [squeeze] - icedove [squeeze] - iceape [wheezy] - iceape - icedove 17.0.10-1 - iceape CVE-2013-5634 (arch/arm/kvm/arm.c in the Linux kernel before 3.10 on the ARM platform ...) - linux 3.11.5-1 [wheezy] - linux (KVM for arm introduced in 3.9) - linux-2.6 (KVM for arm introduced in 3.9) CVE-2013-5586 (Cross-site scripting (XSS) vulnerability in wikka.php in WikkaWiki bef ...) NOT-FOR-US: WikkaWiki CVE-2013-5585 RESERVED CVE-2013-5584 RESERVED CVE-2013-5583 (Cross-site scripting (XSS) vulnerability in libraries/idna_convert/exa ...) NOT-FOR-US: Joomla! CVE-2013-5582 (Ammyy Admin 3.2 and earlier stores the client ID at a fixed memory loc ...) NOT-FOR-US: Ammyy Admin CVE-2013-5581 REJECTED CVE-2013-5579 RESERVED CVE-2013-5578 (Buffer overflow in the ToDot method in the WINGRAPHVIZLib.NEATO Active ...) NOT-FOR-US: StarUML CVE-2013-5577 RESERVED CVE-2013-5574 RESERVED CVE-2013-5573 (Cross-site scripting (XSS) vulnerability in the default markup formatt ...) - jenkins 1.565.2-1 (bug #732708) NOTE: http://seclists.org/fulldisclosure/2013/Dec/159 CVE-2013-5572 (Zabbix 2.0.5 allows remote authenticated users to discover the LDAP bi ...) - zabbix 1:2.2.2+dfsg-1 (unimportant) NOTE: http://seclists.org/fulldisclosure/2013/Sep/151 NOTE: Non-issue CVE-2013-5571 (HMailServer 5.3.x and prior: Memory Corruption which could cause DOS ...) NOT-FOR-US: HMailServer CVE-2013-5570 (Cross-site scripting (XSS) vulnerability in the Javascript and CSS Opt ...) NOT-FOR-US: TYPO3 extension (js_css_optimizer) CVE-2013-5569 (SQL injection vulnerability in the Slideshare extension 0.1.0 for TYPO ...) NOT-FOR-US: TYPO3 extension CVE-2012-6589 (Cross-site scripting (XSS) vulnerability in search.php in MYRE Busines ...) NOT-FOR-US: MYRE Business Directory CVE-2012-6588 (SQL injection vulnerability in links.php in MYRE Business Directory al ...) NOT-FOR-US: MYRE Business Directory CVE-2012-6587 (Cross-site scripting (XSS) vulnerability in vacation/1_mobile/alert_me ...) NOT-FOR-US: MYRE Vacation Rental CVE-2012-6586 (Multiple SQL injection vulnerabilities in MYRE Vacation Rental Softwar ...) NOT-FOR-US: MYRE Vacation Rental CVE-2012-6585 (Cross-site scripting (XSS) vulnerability in search.php in MYRE Realty ...) NOT-FOR-US: MYRE Realty Manager CVE-2012-6584 (Multiple SQL injection vulnerabilities in MYRE Realty Manager allow re ...) NOT-FOR-US: MYRE Realty Manager CVE-2012-6583 (Cross-site scripting (XSS) vulnerability in the Imagemenu module 6.x-1 ...) NOT-FOR-US: Imagemenu Drupal contributed module CVE-2010-5291 (Amberdms Billing System (ABS) before 1.4.1 does not properly implement ...) NOT-FOR-US: Amberdms Billing System CVE-2010-5289 (Buffer overflow in the Authenticate method in the INCREDISPOOLERLib.Po ...) NOT-FOR-US: IncrediMail CVE-2013-5589 (SQL injection vulnerability in cacti/host.php in Cacti 0.8.8b and earl ...) {DSA-2747-1} - cacti 0.8.8b+dfsg-3 CVE-2013-5588 (Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b an ...) {DSA-2747-1} - cacti 0.8.8b+dfsg-3 CVE-2013-5587 (Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x b ...) {DSA-2671-1} - request-tracker3.8 (only covers the issues in 4.x) - request-tracker4 4.0.12-2 (bug #709836) NOTE: This is covered by the patches applied for CVE-2013-3371 in DSA-2760 and DSA-2761. NOTE: NVD explicitly mentions CVE-2013-5587 only for the RT 4.x series. NOTE: patch for 3.8.17: https://github.com/bestpractical/rt/compare/rt-3.8.16...rt-3.8.17 NOTE: patch for 4.0.13: https://github.com/bestpractical/rt/compare/rt-4.0.12...rt-4.0.13 NOTE: still not clear why the split was done, but confirmed by upstream that this issue NOTE: is covered by the fixes applied for CVE-2013-3371 CVE-2013-5580 (The (1) Conn_StartLogin and (2) cb_Read_Resolver_Result functions in c ...) - ngircd (only affects 20, 20.1, and 20.2) NOTE: http://arthur.barton.de/pipermail/ngircd-ml/2013-August/000652.html CVE-2013-5576 (administrator/components/com_media/helpers/media.php in the media mana ...) NOT-FOR-US: Joomla! CVE-2013-5575 REJECTED CVE-2013-5568 (The auto-update implementation in Cisco Adaptive Security Appliance (A ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2013-5567 (Cisco Adaptive Security Appliance (ASA) Software 8.4(.6) and earlier, ...) NOT-FOR-US: Cisco ASA CVE-2013-5566 (Cisco NX-OS 5.0 and earlier on MDS 9000 devices allows remote attacker ...) NOT-FOR-US: Cisco NX-OS CVE-2013-5565 (The OSPFv3 functionality in Cisco IOS XR 5.1 allows remote attackers t ...) NOT-FOR-US: Cisco CVE-2013-5564 (The Java process in the Impact server in Cisco Prime Central for Hoste ...) NOT-FOR-US: Cisco Prime Central for Hosted Collaboration Solution CVE-2013-5563 (Cross-site scripting (XSS) vulnerability in Query/NewQueryResult.jsp i ...) NOT-FOR-US: Cisco CS-MARS CVE-2013-5562 (The ITM web server in Cisco Prime Central for Hosted Collaboration Sol ...) NOT-FOR-US: Cisco CVE-2013-5561 (The Safe Search enforcement feature in Cisco Adaptive Security Applian ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2013-5560 (The IPv6 implementation in Cisco Adaptive Security Appliance (ASA) Sof ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2013-5559 (Buffer overflow in the Active Template Library (ATL) framework in the ...) NOT-FOR-US: Cisco AnyConnect Secure Mobility Client CVE-2013-5558 (The WIL-A module in Cisco TelePresence VX Clinical Assistant 1.2 befor ...) NOT-FOR-US: Cisco CVE-2013-5557 (The Proxy Bypass Content Rewriter feature in the WebVPN subsystem in C ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2013-5556 (The license-installation module on the Cisco Nexus 1000V switch 4.2(1) ...) NOT-FOR-US: Cisco CVE-2013-5555 (Cisco Unified Communications Manager (aka CUCM or Unified CM) allows r ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2013-5554 (Directory traversal vulnerability in the web-management interface in t ...) NOT-FOR-US: Cisco Wide Area Application Services CVE-2013-5553 (Multiple memory leaks in Cisco IOS 15.1 before 15.1(4)M7 allow remote ...) NOT-FOR-US: Cisco IOS CVE-2013-5552 (Cisco IOS 12.4(24)MDB9 and earlier on Content Services Gateway (CSG) d ...) NOT-FOR-US: Cisco CVE-2013-5551 (Cisco Adaptive Security Appliance (ASA) Software, when certain same-se ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2013-5550 (The fabric-interconnect component in Cisco Unified Computing System (U ...) NOT-FOR-US: Cisco Unified Computing System CVE-2013-5549 (Cisco IOS XR 3.8.1 through 4.2.0 does not properly process fragmented ...) NOT-FOR-US: Cisco IOS XR CVE-2013-5548 (The IKEv2 implementation in Cisco IOS, when AES-GCM or AES-GMAC is use ...) NOT-FOR-US: Cisco IOS CVE-2013-5547 (Cisco IOS XE 3.9 before 3.9.2S on 1000 ASR devices allows remote attac ...) NOT-FOR-US: Cisco IOS CVE-2013-5546 (The TCP reassembly feature in Cisco IOS XE 3.7 before 3.7.3S and 3.8 b ...) NOT-FOR-US: Cisco IOS CVE-2013-5545 (The PPTP ALG implementation in Cisco IOS XE 3.9 before 3.9.2S on 1000 ...) NOT-FOR-US: Cisco IOS CVE-2013-5544 (The VPN authentication functionality in Cisco Adaptive Security Applia ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2013-5543 (Cisco IOS XE 3.4 before 3.4.2S and 3.5 before 3.5.1S on 1000 ASR devic ...) NOT-FOR-US: Cisco IOS CVE-2013-5542 (Cisco Adaptive Security Appliance (ASA) Software 8.4 before 8.4(7.2), ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2013-5541 (Cross-site scripting (XSS) vulnerability in the file-upload interface ...) NOT-FOR-US: Cisco Identity Services Engine CVE-2013-5540 (The file-upload feature in Cisco Identity Services Engine (ISE) allows ...) NOT-FOR-US: Cisco Identity Services Engine CVE-2013-5539 (The upload-dialog implementation in Cisco Identity Services Engine (IS ...) NOT-FOR-US: Cisco Identity Services Engine CVE-2013-5538 (The Sponsor Portal in Cisco Identity Services Engine (ISE) uses weak p ...) NOT-FOR-US: Cisco Identity Services Engine CVE-2013-5537 (The web framework on Cisco Web Security Appliance (WSA), Email Securit ...) NOT-FOR-US: Cisco CVE-2013-5536 (Cisco Secure Access Control System (ACS) does not properly implement a ...) NOT-FOR-US: Cisco CVE-2013-5535 (The analytics page on Cisco Video Surveillance 4000 IP cameras has har ...) NOT-FOR-US: Cisco Video Surveillance 4000 IP cameras CVE-2013-5534 (Directory traversal vulnerability in the attachment service in the Voi ...) NOT-FOR-US: Cisco Unity Connection CVE-2013-5533 (The image-upgrade functionality on Cisco 9900 Unified IP phones allows ...) NOT-FOR-US: Cisco CVE-2013-5532 (Buffer overflow in the web-application interface on Cisco 9900 IP phon ...) NOT-FOR-US: Cisco CVE-2013-5531 (Cisco Identity Services Engine (ISE) 1.x before 1.1.1 allows remote at ...) NOT-FOR-US: Cisco CVE-2013-5530 (The web framework in Cisco Identity Services Engine (ISE) 1.0 and 1.1. ...) NOT-FOR-US: Cisco Identity Services Engine CVE-2013-5529 (The deployment module in the server in Cisco WebEx Meeting Center does ...) NOT-FOR-US: Cisco WebEx Meetings Server CVE-2013-5528 (Directory traversal vulnerability in the Tomcat administrative web int ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2013-5527 (The OSPF functionality in Cisco IOS and IOS XE allows remote attackers ...) NOT-FOR-US: Cisco CVE-2013-5526 (Cisco 9900 fourth-generation IP phones do not properly perform SDP neg ...) NOT-FOR-US: Cisco CVE-2013-5525 (SQL injection vulnerability in the web framework in Cisco Identity Ser ...) NOT-FOR-US: Cisco CVE-2013-5524 (Cross-site scripting (XSS) vulnerability in the troubleshooting page i ...) NOT-FOR-US: Cisco CVE-2013-5523 (The Sponsor Portal in Cisco Identity Services Engine (ISE) 1.2 and ear ...) NOT-FOR-US: Cisco CVE-2013-5522 (Cisco IOS on Catalyst 3750X switches has default Service Module creden ...) NOT-FOR-US: Cisco IOS CVE-2013-5521 (Cisco Identity Services Engine does not properly restrict the creation ...) NOT-FOR-US: Cisco CVE-2013-5520 RESERVED CVE-2013-5519 (Cross-site scripting (XSS) vulnerability in the management interface o ...) NOT-FOR-US: Cisco CVE-2013-5518 RESERVED CVE-2013-5517 (SQL injection vulnerability in the web framework in Cisco Unified Comm ...) NOT-FOR-US: Cisco CVE-2013-5516 (The Media Snapshot implementation on Cisco TelePresence Multipoint Swi ...) NOT-FOR-US: Cisco CVE-2013-5515 (The Clientless SSL VPN feature in Cisco Adaptive Security Appliance (A ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2013-5514 RESERVED CVE-2013-5513 (Cisco Adaptive Security Appliance (ASA) Software 8.2.x before 8.2(5.46 ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2013-5512 (Race condition in the HTTP Deep Packet Inspection (DPI) feature in Cis ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2013-5511 (The Adaptive Security Device Management (ASDM) remote-management featu ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2013-5510 (The remote-access VPN implementation in Cisco Adaptive Security Applia ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2013-5509 (The SSL implementation in Cisco Adaptive Security Appliance (ASA) Soft ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2013-5508 (The SQL*Net inspection engine in Cisco Adaptive Security Appliance (AS ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2013-5507 (The IPsec implementation in Cisco Adaptive Security Appliance (ASA) So ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2013-5506 (The authorization functionality in Cisco Firewall Services Module (FWS ...) NOT-FOR-US: Cisco Firewall Services Module CVE-2013-5505 (Cross-site scripting (XSS) vulnerability in an administration page in ...) NOT-FOR-US: Cisco CVE-2013-5504 (Cross-site scripting (XSS) vulnerability in the Mobile Device Manageme ...) NOT-FOR-US: Cisco CVE-2013-5503 (The UDP process in Cisco IOS XR 4.3.1 does not free packet memory upon ...) NOT-FOR-US: Cisco CVE-2013-5502 (The web interface in Cisco MediaSense does not properly protect the cl ...) NOT-FOR-US: Cisco MediaSense CVE-2013-5501 (Cross-site scripting (XSS) vulnerability in the oraservice page in Cis ...) NOT-FOR-US: Cisco MediaSense CVE-2013-5500 (Multiple cross-site scripting (XSS) vulnerabilities in the oraadmin se ...) NOT-FOR-US: Cisco MediaSense CVE-2013-5499 (The remember feature in the DHCP server in Cisco IOS allows remote att ...) NOT-FOR-US: Cisco CVE-2013-5498 (The PPTP-ALG component in CRS Carrier Grade Services Engine (CGSE) and ...) NOT-FOR-US: Cisco IOS XR CVE-2013-5497 (The authentication manager process in the web framework in Cisco Intru ...) NOT-FOR-US: Cisco Intrusion Prevention System CVE-2013-5496 (Open Network Environment Platform (ONEP) in Cisco NX-OS allows remote ...) NOT-FOR-US: Cisco NX-OS CVE-2013-5495 (Cross-site scripting (XSS) vulnerability in the web framework in the A ...) NOT-FOR-US: Cisco Unified MeetingPlace CVE-2013-5494 (Cross-site request forgery (CSRF) vulnerability in the web framework i ...) NOT-FOR-US: Cisco Unified MeetingPlace CVE-2013-5493 (The diagnostic module in the firmware on Cisco Virtualization Experien ...) NOT-FOR-US: Cisco CVE-2013-5492 (administration.jsp in Cisco SocialMiner allows remote attackers to obt ...) NOT-FOR-US: Cisco CVE-2013-5491 RESERVED CVE-2013-5490 (Cisco Prime Data Center Network Manager (DCNM) before 6.2(1) allows re ...) NOT-FOR-US: Cisco Prime Data Center Network Manager CVE-2013-5489 (The gadget implementation in Cisco SocialMiner does not properly restr ...) NOT-FOR-US: Cisco CVE-2013-5488 (Cisco Common Services, as used in Cisco Prime LAN Management Solution ...) NOT-FOR-US: Cisco CVE-2013-5487 (DCNM-SAN Server in Cisco Prime Data Center Network Manager (DCNM) befo ...) NOT-FOR-US: Cisco Prime Data Center Network Manager CVE-2013-5486 (Directory traversal vulnerability in processImageSave.jsp in DCNM-SAN ...) NOT-FOR-US: Cisco Prime Data Center Network Manager CVE-2013-5485 RESERVED CVE-2013-5484 RESERVED CVE-2013-5483 (Cross-site scripting (XSS) vulnerability in bookmarklet.jsp in Cisco S ...) NOT-FOR-US: Cisco CVE-2013-5482 (Cisco Prime LAN Management Solution (LMS) does not properly restrict u ...) NOT-FOR-US: Cisco CVE-2013-5481 (The PPTP implementation in Cisco IOS 12.2 and 15.0 through 15.3, when ...) NOT-FOR-US: Cisco IOS CVE-2013-5480 (The DNS-over-TCP implementation in Cisco IOS 12.2 and 15.0 through 15. ...) NOT-FOR-US: Cisco IOS CVE-2013-5479 (The DNS-over-TCP implementation in Cisco IOS 12.2 and 15.0 through 15. ...) NOT-FOR-US: Cisco IOS CVE-2013-5478 (Cisco IOS 15.0 through 15.3 and IOS XE 3.2 through 3.8, when a VRF int ...) NOT-FOR-US: Cisco IOS CVE-2013-5477 (The T1/E1 driver-queue functionality in Cisco IOS 12.2 and 15.0 throug ...) NOT-FOR-US: Cisco IOS CVE-2013-5476 (The Zone-Based Firewall (ZFW) feature in Cisco IOS 15.1 through 15.2, ...) NOT-FOR-US: Cisco IOS CVE-2013-5475 (Cisco IOS 12.2 through 12.4 and 15.0 through 15.3, and IOS XE 2.1 thro ...) NOT-FOR-US: Cisco IOS CVE-2013-5474 (Race condition in the IPv6 virtual fragmentation reassembly (VFR) impl ...) NOT-FOR-US: Cisco IOS CVE-2013-5473 (Memory leak in Cisco IOS 12.2, 15.1, and 15.2; IOS XE 3.4.2S through 3 ...) NOT-FOR-US: Cisco IOS CVE-2013-5472 (The NTP implementation in Cisco IOS 12.0 through 12.4 and 15.0 through ...) NOT-FOR-US: Cisco IOS CVE-2013-5471 (Cross-site request forgery (CSRF) vulnerability in the web framework i ...) NOT-FOR-US: Cisco Global Site Selector CVE-2013-5470 (Cisco Secure Access Control System (ACS) does not properly handle requ ...) NOT-FOR-US: Cisco Secure Access Control System CVE-2013-5469 (The TCP implementation in Cisco IOS does not properly implement the tr ...) NOT-FOR-US: Cisco IOS CVE-2013-5468 (IBM Algo One, as used in MetaData Management Tools in UDS 4.7.0 throug ...) NOT-FOR-US: IBM Algo One CVE-2013-5467 (Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, ...) NOT-FOR-US: IBM Tivoli Monitoring CVE-2013-5466 (The XSLT library in IBM DB2 and DB2 Connect 9.5 through 10.5, and the ...) NOT-FOR-US: IBM DB2 and DB2 Connect CVE-2013-5465 (IBM Maximo Asset Management 7.x before 7.1.1.7 LAFIX.20140319-0837, 7. ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2013-5464 (IBM Maximo Asset Management 7.5.x before 7.5.0.3 IFIX027, 7.5.0.4 befo ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2013-5463 (The WinCollect agent in IBM Security QRadar SIEM before 7.1.1.569824 a ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2013-5462 (IBM/ECMClient/configure/explodedformat/navigator/header.jsp in IBM Con ...) NOT-FOR-US: IBM CVE-2013-5461 (IBM Endpoint Manager for Remote Control 9.0.0 and 9.0.1 and Tivoli Rem ...) NOT-FOR-US: IBM CVE-2013-5460 (IBM Maximo Asset Management 7.x before 7.5.0.6 and SmartCloud Control ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2013-5459 (Unspecified vulnerability in IBM Rational Software Architect (RSA) Des ...) NOT-FOR-US: IBM CVE-2013-5458 (Unspecified vulnerability in IBM Java SDK 7.0.0 before SR6 allows remo ...) NOT-FOR-US: IBM JDK CVE-2013-5457 (Unspecified vulnerability in IBM Java SDK 7.0.0 before SR6, 6.0.1 befo ...) NOT-FOR-US: IBM JDK CVE-2013-5456 (The com.ibm.rmi.io.SunSerializableFactory class in IBM Java SDK 7.0.0 ...) NOT-FOR-US: IBM JDK CVE-2013-5455 (IBM SmartCloud Provisioning 2.1 before FP3 IF0001 allows remote authen ...) NOT-FOR-US: IBM SmartCloud Provisioning CVE-2013-5454 (IBM WebSphere Portal 6.0 through 6.0.1.7, 6.1.0 through 6.1.0.6 CF27, ...) NOT-FOR-US: IBM WebSphere CVE-2013-5453 (IBM Security AppScan Enterprise 5.6 through 8.7.0.1 allows remote auth ...) NOT-FOR-US: IBM CVE-2013-5452 (IBM FileNet Business Process Framework 4.1.0 allows remote authenticat ...) NOT-FOR-US: IBM FileNet Business Process Framework CVE-2013-5451 RESERVED CVE-2013-5450 (IBM Security AppScan Enterprise 8.5 through 8.7.0.1, when Jazz authent ...) NOT-FOR-US: IBM CVE-2013-5449 (Cross-site scripting (XSS) vulnerability in workingSet.jsp in IBM Ecli ...) NOT-FOR-US: IBM CVE-2013-5448 (Cross-site scripting (XSS) vulnerability in the Right Click Plugin con ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2013-5447 (Stack-based buffer overflow in IBM Forms Viewer 4.x before 4.0.0.3 and ...) NOT-FOR-US: IBM Forms Viewer CVE-2013-5446 (The console on IBM WebSphere DataPower XC10 appliances 2.1.0 and 2.5.0 ...) NOT-FOR-US: IBM WebSphere DataPower XC10 appliances CVE-2013-5445 (IBM Cognos Express 9.0 before IFIX 2, 9.5 before IFIX 2, 10.1 before I ...) NOT-FOR-US: IBM Cognos CVE-2013-5444 (The server in IBM Cognos Express 9.0 before IFIX 2, 9.5 before IFIX 2, ...) NOT-FOR-US: IBM Cognos CVE-2013-5443 (Cross-site request forgery (CSRF) vulnerability in IBM Cognos Express ...) NOT-FOR-US: IBM Cognos CVE-2013-5442 (Cross-site scripting (XSS) vulnerability in the Local Management Inter ...) NOT-FOR-US: IBM CVE-2013-5441 RESERVED CVE-2013-5440 (IBM InfoSphere Information Server 8.0, 8.1, 8.5, 8.7, and 9.1 allows l ...) NOT-FOR-US: IBM InfoSphere Information Server CVE-2013-5439 RESERVED CVE-2013-5438 (Cross-site scripting (XSS) vulnerability in the web server in IBM Flex ...) NOT-FOR-US: IBM Flex System Manager CVE-2013-5437 RESERVED CVE-2013-5436 RESERVED CVE-2013-5435 RESERVED CVE-2013-5434 RESERVED CVE-2013-5433 (The Data Growth Solution for JD Edwards EnterpriseOne in IBM InfoSpher ...) NOT-FOR-US: IBM CVE-2013-5432 RESERVED CVE-2013-5431 (Open redirect vulnerability in IBM Tivoli Federated Identity Manager ( ...) NOT-FOR-US: IBM Tivoli Federated Identity Manager CVE-2013-5430 (The Jazz Team Server component in IBM Security AppScan Enterprise 8.x ...) NOT-FOR-US: IBM Security AppScan Enterprise CVE-2013-5429 (The Risk Based Access functionality in IBM Tivoli Federated Identity M ...) NOT-FOR-US: IBM Tivoli Federated Identity Manager CVE-2013-5428 (IBM WebSphere DataPower XC10 appliances 2.5.0 do not require authentic ...) NOT-FOR-US: IBM WebSphere DataPower XC10 appliances CVE-2013-5427 (Cross-site request forgery (CSRF) vulnerability in IBM InfoSphere Mast ...) NOT-FOR-US: IBM InfoSphere Master Data Management CVE-2013-5426 (Session fixation vulnerability in IBM InfoSphere Master Data Managemen ...) NOT-FOR-US: IBM CVE-2013-5425 (Cross-site scripting (XSS) vulnerability in the Administration Console ...) NOT-FOR-US: IBM WebSphere CVE-2013-5424 (IBM Flex System Manager (FSM) 1.3.0 allows remote attackers to bypass ...) NOT-FOR-US: IBM Flex System Manager CVE-2013-5423 (IBM Flex System Manager (FSM) 1.1 through 1.3 before 1.3.2.0 allows re ...) NOT-FOR-US: IBM Flex System Manager CVE-2013-5422 (The Web Client in IBM Rational ClearQuest 7.1 through 7.1.2.12, 8.0.0. ...) NOT-FOR-US: IBM Rational ClearQuest CVE-2013-5421 (Cross-site scripting (XSS) vulnerability in the IMS server before Ifix ...) NOT-FOR-US: IBM CVE-2013-5420 (The IMS server before Ifix 6 in IBM Security Access Manager for Enterp ...) NOT-FOR-US: IBM Security Access Manager CVE-2013-5419 (Multiple buffer overflows in (1) mkque and (2) mkquedev in bos.rte.pri ...) NOT-FOR-US: IBM AIX CVE-2013-5418 (Cross-site scripting (XSS) vulnerability in the Administrative console ...) NOT-FOR-US: IBM WebSphere CVE-2013-5417 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Application ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2013-5416 (Unspecified vulnerability in IBM Rational ClearCase through 7.1.2.12, ...) NOT-FOR-US: IBM Rational ClearCase CVE-2013-5415 (Buffer overflow in IBM Rational ClearCase through 7.1.2.12, 8.0.0.x be ...) NOT-FOR-US: IBM Rational ClearCase CVE-2013-5414 (The migration functionality in IBM WebSphere Application Server (WAS) ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2013-5413 (IBM Sterling B2B Integrator 5.2 and Sterling File Gateway 2.2 do not i ...) NOT-FOR-US: IBM CVE-2013-5412 RESERVED CVE-2013-5411 (IBM Sterling B2B Integrator 5.2 and Sterling File Gateway 2.2 allow re ...) NOT-FOR-US: IBM CVE-2013-5410 RESERVED CVE-2013-5409 (Multiple SQL injection vulnerabilities in IBM Sterling B2B Integrator ...) NOT-FOR-US: IBM CVE-2013-5408 RESERVED CVE-2013-5407 (IBM Sterling B2B Integrator 5.2 and Sterling File Gateway 2.2 do not p ...) NOT-FOR-US: IBM CVE-2013-5406 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Sterling B2 ...) NOT-FOR-US: IBM CVE-2013-5405 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Sterling B2 ...) NOT-FOR-US: IBM CVE-2013-5404 (Cross-site scripting (XSS) vulnerability in the search implementation ...) NOT-FOR-US: IBM Rational Quality Manager CVE-2013-5403 (Unspecified vulnerability on the IBM WebSphere DataPower XC10 applianc ...) NOT-FOR-US: IBM WebSphere CVE-2013-5402 (Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Managemen ...) NOT-FOR-US: IBM CVE-2013-5401 (The command-port listener in IBM WebSphere MQ Internet Pass-Thru (MQIP ...) NOT-FOR-US: IBM WebSphere MQ CVE-2013-5400 (An unspecified servlet in IBM Platform Symphony Developer Edition (DE) ...) NOT-FOR-US: IBM Platform Symphony Developer Edition CVE-2013-5399 RESERVED CVE-2013-5398 (Unspecified vulnerability in the Webservice Axis Gateway in IBM Ration ...) NOT-FOR-US: IBM CVE-2013-5397 (Unspecified vulnerability in the Webservice Axis Gateway in IBM Ration ...) NOT-FOR-US: IBM CVE-2013-5396 RESERVED CVE-2013-5395 (IBM Maximo Asset Management 6.2 through 6.2.8, 7.1 before 7.1.1.12, an ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2013-5394 (The monitoring console in IBM WebSphere eXtreme Scale 7.1.0, 7.1.1, 8. ...) NOT-FOR-US: IBM WebSphere eXtreme Scale CVE-2013-5393 (The monitoring console in IBM WebSphere eXtreme Scale 7.1.0, 7.1.1, 8. ...) NOT-FOR-US: IBM WebSphere eXtreme Scale CVE-2013-5392 RESERVED CVE-2013-5391 (IBM Worklight Consumer and Enterprise Editions 5.0.x before 5.0.6 Fix ...) NOT-FOR-US: IBM CVE-2013-5390 (Cross-site scripting (XSS) vulnerability in the monitoring console in ...) NOT-FOR-US: IBM WebSphere eXtreme Scale CVE-2013-5389 (Cross-site scripting (XSS) vulnerability in iNotes in IBM Domino 8.5.3 ...) NOT-FOR-US: IBM Domino CVE-2013-5388 (Cross-site scripting (XSS) vulnerability in iNotes in IBM Domino 8.5.3 ...) NOT-FOR-US: IBM Domino CVE-2013-5387 (Buffer overflow in IBM Platform Symphony 5.2, 6.1, and 6.1.1 allows re ...) NOT-FOR-US: IBM CVE-2013-5386 RESERVED CVE-2013-5385 (The OSPF implementation in IBM i 6.1 and 7.1, in z/OS on zSeries serve ...) NOT-FOR-US: IBM CVE-2013-5384 RESERVED CVE-2013-5383 (IBM Maximo Asset Management 6.2 through 6.2.8, 7.1 before 7.1.1.12, an ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2013-5382 (IBM Maximo Asset Management 6.2 through 6.2.8, 7.1 before 7.1.1.12, an ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2013-5381 (IBM Maximo Asset Management 6.2 through 6.2.8, 7.1 through 7.1.1.12, a ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2013-5380 (IBM Maximo Asset Management 6.2 through 6.2.8, 7.1 before 7.1.1.12, an ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2013-5379 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 7.x b ...) NOT-FOR-US: IBM WebSphere Portal CVE-2013-5378 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.x b ...) NOT-FOR-US: IBM WebSphere Portal CVE-2013-5377 RESERVED CVE-2013-5376 (Cross-site scripting (XSS) vulnerability in IBM Storwize V7000 Unified ...) NOT-FOR-US: IBM Storwize V7000 Unified CVE-2013-5375 (Unspecified vulnerability in IBM Java SDK 7.0.0 before SR6, 6.0.1 befo ...) NOT-FOR-US: IBM JDK CVE-2013-5374 RESERVED CVE-2013-5373 (The RemoteClient component in IBM Rational ClearCase 8.0.0.03 through ...) NOT-FOR-US: IBM Rational ClearCase CVE-2013-5372 (The XML4J parser in IBM WebSphere Message Broker 6.1 before 6.1.0.12, ...) NOT-FOR-US: IBM CVE-2013-5371 (The client in IBM Tivoli Storage Manager (TSM) 6.3.1 and 6.4.0 on Wind ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2013-5370 (Unspecified vulnerability in IBM SPSS Collaboration and Deployment Ser ...) NOT-FOR-US: IBM SPSS Collaboration and Deployment Services CVE-2013-5369 (IBM SPSS Analytical Decision Management 6.1 before IF1, 6.2 before IF1 ...) NOT-FOR-US: IBM SPSS Analytical Decision Management CVE-2013-5368 RESERVED CVE-2013-5367 RESERVED CVE-2013-5366 RESERVED CVE-2013-5365 (Heap-based buffer overflow in Autodesk SketchBook for Enterprise 2014, ...) NOT-FOR-US: Autodesk SketchBook CVE-2013-5364 (Secunia CSI Agent 6.0.0.15017 and earlier, 6.0.1.1007 and earlier, and ...) NOT-FOR-US: Secunia CSI Agent CVE-2013-5363 RESERVED CVE-2013-5362 RESERVED CVE-2013-5361 RESERVED CVE-2013-5360 RESERVED CVE-2013-5359 (Stack-based buffer overflow in Picasa3.exe in Google Picasa before 3.9 ...) NOT-FOR-US: Google Picasa CVE-2013-5358 (Picasa3.exe in Google Picasa before 3.9.0 Build 137.69 allows remote a ...) NOT-FOR-US: Google Picasa CVE-2013-5357 (Integer overflow in Picasa3.exe in Google Picasa before 3.9.0 Build 13 ...) NOT-FOR-US: Google Picasa CVE-2013-5356 (Sharetronix 3.1.1.3, 3.1.1, and earlier does not properly restrict acc ...) NOT-FOR-US: Sharetronix CVE-2013-5355 (Multiple cross-site request forgery (CSRF) vulnerabilities in Sharetro ...) NOT-FOR-US: Sharetronix CVE-2013-5354 (Multiple SQL injection vulnerabilities in Sharetronix 3.1.1 allow remo ...) NOT-FOR-US: Sharetronix CVE-2013-5353 (Unrestricted file upload vulnerability in system/controllers/ajax/atta ...) NOT-FOR-US: Sharetronix CVE-2013-5352 (Sharetronix 3.1.1.3, 3.1.1, and earlier allows remote attackers to exe ...) NOT-FOR-US: Sharetronix CVE-2013-5351 (Heap-based buffer overflow in IrfanView before 4.37 allows remote atta ...) NOT-FOR-US: IrfanView CVE-2013-5350 (The "Remember me" feature in the opSecurityUser::getRememberLoginCooki ...) NOT-FOR-US: OpenPNE CVE-2013-5349 (Integer underflow in Picasa3.exe in Google Picasa before 3.9.0 Build 1 ...) NOT-FOR-US: Google Picasa CVE-2013-5348 REJECTED CVE-2013-5347 REJECTED CVE-2013-5346 REJECTED CVE-2013-5345 REJECTED CVE-2013-5344 REJECTED CVE-2013-5343 REJECTED CVE-2013-5342 REJECTED CVE-2013-5341 REJECTED CVE-2013-5340 REJECTED CVE-2013-5339 REJECTED CVE-2013-5338 REJECTED CVE-2013-5337 REJECTED CVE-2013-5336 REJECTED CVE-2013-5335 REJECTED CVE-2013-5334 (Adobe Shockwave Player before 12.0.7.148 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2013-5333 (Adobe Shockwave Player before 12.0.7.148 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2013-5332 (Adobe Flash Player before 11.7.700.257 and 11.8.x and 11.9.x before 11 ...) NOT-FOR-US: Adobe Flash Player CVE-2013-5331 (Adobe Flash Player before 11.7.700.257 and 11.8.x and 11.9.x before 11 ...) NOT-FOR-US: Adobe Flash Player CVE-2013-5330 (Adobe Flash Player before 11.7.700.252 and 11.8.x and 11.9.x before 11 ...) NOT-FOR-US: Adobe Flash Player CVE-2013-5329 (Adobe Flash Player before 11.7.700.252 and 11.8.x and 11.9.x before 11 ...) NOT-FOR-US: Adobe Flash Player CVE-2013-5328 (Adobe ColdFusion 10 before Update 12 allows remote attackers to read a ...) NOT-FOR-US: Adobe ColdFusion CVE-2013-5327 (MDBMS.dll in Adobe RoboHelp 10 allows attackers to execute arbitrary c ...) NOT-FOR-US: Adobe RoboHelp CVE-2013-5326 (Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 9.0 befor ...) NOT-FOR-US: Adobe ColdFusion CVE-2013-5325 (Adobe Reader and Acrobat 11.x before 11.0.05 on Windows allow remote a ...) NOT-FOR-US: Adobe CVE-2013-5324 (Adobe Flash Player before 11.7.700.242 and 11.8.x before 11.8.800.168 ...) NOT-FOR-US: Adobe Flash Player CVE-2013-5323 (Cross-site scripting (XSS) vulnerability in the Static Info Tables (st ...) NOT-FOR-US: TYPO3 extension (Static Info Tables) CVE-2013-5322 (SQL injection vulnerability in the CoolURI extension before 1.0.30 for ...) NOT-FOR-US: TYPO3 extension (CoolURI) CVE-2013-5321 (Multiple SQL injection vulnerabilities in AlienVault Open Source Secur ...) NOT-FOR-US: AlienVault Open Source Security Information Management CVE-2013-5320 (Cross-site scripting (XSS) vulnerability in Forums/EditPost.aspx in mo ...) NOT-FOR-US: mojoPortal CVE-2013-5319 (Cross-site scripting (XSS) vulnerability in secure/admin/user/views/de ...) NOT-FOR-US: Atlassian JIRA CVE-2013-5318 (SQL injection vulnerability in Ginkgo CMS 5.0 allows remote attackers ...) NOT-FOR-US: Ginkgo CMS CVE-2013-5317 (Cross-site scripting (XSS) vulnerability in RiteCMS 1.0.0 allows remot ...) NOT-FOR-US: RiteCMS CVE-2013-5316 (Cross-site request forgery (CSRF) vulnerability in RiteCMS 1.0.0 allow ...) NOT-FOR-US: RiteCMS CVE-2012-6582 (Cross-site scripting (XSS) vulnerability in the Spambot module 6.x-3.x ...) NOT-FOR-US: Spambot Drupal contributed module CVE-2013-5313 (Cross-site request forgery (CSRF) vulnerability in core/admin/modules/ ...) NOT-FOR-US: BigTree CMS CVE-2013-5312 (Multiple cross-site scripting (XSS) vulnerabilities in Vastal I-Tech p ...) NOT-FOR-US: Vastal I-Tech phpVID CVE-2013-5311 (Multiple SQL injection vulnerabilities in Vastal I-Tech phpVID 1.2.3 a ...) NOT-FOR-US: Vastal I-Tech phpVID CVE-2013-5315 (Cross-site scripting (XSS) vulnerability in the Resource Manager in th ...) NOT-FOR-US: Drupal module CVE-2013-5314 (Cross-site scripting (XSS) vulnerability in serendipity_admin_image_se ...) - serendipity [squeeze] - serendipity (Unsupported in squeeze-lts) CVE-2013-5310 (SQL injection vulnerability in the DB Integration (wfqbe) extension be ...) NOT-FOR-US: TYPO3 extension CVE-2013-5309 (Cross-site scripting (XSS) vulnerability in install/forum_data/src/cus ...) NOT-FOR-US: FUDforum CVE-2013-5308 (Cross-site scripting (XSS) vulnerability in the RealURL Management (re ...) NOT-FOR-US: TYPO3 extension CVE-2013-5307 (Cross-site scripting (XSS) vulnerability in the Faceted Search (ke_sea ...) NOT-FOR-US: Faceted Search TYPO3 extension CVE-2013-5306 (SQL injection vulnerability in the Browser - TYPO3 without PHP (browse ...) NOT-FOR-US: TYPO3 Extension CVE-2013-5305 (Cross-site scripting (XSS) vulnerability in the Store Locator (locator ...) NOT-FOR-US: typo3 third party component (locator) CVE-2013-5304 (SQL injection vulnerability in the Store Locator (locator) extension b ...) NOT-FOR-US: typo3 third party component (locator) CVE-2013-5303 (Unspecified vulnerability in the Store Locator (locator) extension bef ...) NOT-FOR-US: typo3 third party component (locator) CVE-2013-5302 (SQL injection vulnerability in the Faceted Search (ke_search) extensio ...) NOT-FOR-US: Faceted Search TYPO3 extension CVE-2013-5301 (Directory traversal vulnerability in help.php in Trustport Webfilter 5 ...) NOT-FOR-US: Trustport Webfilter CVE-2013-5300 (Multiple cross-site scripting (XSS) vulnerabilities in AlienVault Open ...) NOT-FOR-US: AlienVault OSSIM CVE-2013-5299 RESERVED CVE-2013-5298 RESERVED CVE-2013-5297 RESERVED CVE-2013-5296 RESERVED CVE-2013-5295 RESERVED CVE-2013-5294 RESERVED CVE-2013-5293 RESERVED CVE-2013-5292 RESERVED CVE-2013-5291 RESERVED CVE-2013-5290 RESERVED CVE-2013-5289 RESERVED CVE-2013-5288 RESERVED CVE-2013-5287 RESERVED CVE-2013-5286 RESERVED CVE-2013-5285 RESERVED CVE-2013-5284 RESERVED CVE-2013-5283 RESERVED CVE-2013-5282 RESERVED CVE-2013-5281 RESERVED CVE-2013-5280 RESERVED CVE-2013-5279 RESERVED CVE-2013-5278 RESERVED CVE-2013-5277 RESERVED CVE-2013-5276 RESERVED CVE-2013-5275 RESERVED CVE-2013-5274 RESERVED CVE-2013-5273 RESERVED CVE-2013-5272 RESERVED CVE-2013-5271 RESERVED CVE-2013-5270 RESERVED CVE-2013-5269 RESERVED CVE-2013-5268 RESERVED CVE-2013-5267 RESERVED CVE-2013-5266 RESERVED CVE-2013-5265 RESERVED CVE-2013-5264 RESERVED CVE-2013-5263 RESERVED CVE-2013-5262 RESERVED CVE-2013-5261 RESERVED CVE-2013-5260 RESERVED CVE-2013-5259 RESERVED CVE-2013-5258 RESERVED CVE-2013-5257 RESERVED CVE-2013-5256 RESERVED CVE-2013-5255 RESERVED CVE-2013-5254 RESERVED CVE-2013-5253 RESERVED CVE-2013-5252 RESERVED CVE-2013-5251 RESERVED CVE-2013-5250 RESERVED CVE-2013-5249 RESERVED CVE-2013-5248 RESERVED CVE-2013-5247 RESERVED CVE-2013-5246 RESERVED CVE-2013-5245 RESERVED CVE-2013-5244 RESERVED CVE-2013-5243 RESERVED CVE-2013-5242 RESERVED CVE-2013-5241 RESERVED CVE-2013-5240 RESERVED CVE-2013-5239 RESERVED CVE-2013-5238 RESERVED CVE-2013-5237 RESERVED CVE-2013-5236 RESERVED CVE-2013-5235 RESERVED CVE-2013-5234 RESERVED CVE-2013-5233 RESERVED CVE-2013-5232 RESERVED CVE-2013-5231 RESERVED CVE-2013-5230 RESERVED CVE-2013-5229 (The Remote Desktop full-screen feature in Apple OS X before 10.9 and A ...) NOT-FOR-US: Apple CVE-2013-5228 (WebKit, as used in Apple Safari before 6.1.1 and 7.x before 7.0.1, all ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2013-5227 (Apple Safari before 6.1.1 and 7.x before 7.0.1 allows remote attackers ...) NOT-FOR-US: Safari CVE-2013-5226 RESERVED CVE-2013-5225 (WebKit, as used in Apple Safari before 6.1.1 and 7.x before 7.0.1, all ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2013-5224 RESERVED CVE-2013-5223 (Multiple cross-site scripting (XSS) vulnerabilities in D-Link DSL-2760 ...) NOT-FOR-US: D-Link DSL-2760U Gateway CVE-2013-5222 (Multiple cross-site scripting (XSS) vulnerabilities in ESRI ArcGIS for ...) NOT-FOR-US: ESRI ArcGIS CVE-2013-5221 (The mobile-upload feature in Esri ArcGIS for Server 10.1 through 10.2 ...) NOT-FOR-US: Esri ArcGIS CVE-2013-5220 (goform/login on the HOT HOTBOX router with software 2.1.11 allows remo ...) NOT-FOR-US: HOT HOTBOX router CVE-2013-5219 (Directory traversal vulnerability on the HOT HOTBOX router with softwa ...) NOT-FOR-US: HOT HOTBOX router CVE-2013-5218 (Cross-site scripting (XSS) vulnerability on the HOT HOTBOX router with ...) NOT-FOR-US: HOT HOTBOX router CVE-2013-5216 (Directory traversal vulnerability in logreader/uploadreader.jsp in Cap ...) NOT-FOR-US: Performance Guard CVE-2013-5215 (Cross-site scripting (XSS) vulnerability in the web interface "WiFi sc ...) NOT-FOR-US: FOSCAM Wireless IP Camera CVE-2013-5214 RESERVED CVE-2013-5213 RESERVED CVE-2013-5212 (Cross-site Scripting (XSS) in EasyXDM before 2.4.18 allows remote atta ...) NOT-FOR-US: easyXDM CVE-2013-5211 (The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 al ...) - ntp 1:4.2.8p3+dfsg-1 (low; bug #733940) [jessie] - ntp (No backportable code fix exists, default configuration is safe, tiny subsection of affected users can run a backport) [wheezy] - ntp (No backportable code fix exists, default configuration is safe, tiny subsection of affected users can run a backport) [squeeze] - ntp (No backportable code fix exists, default configuration is safe, tiny subsection of affected users can run a backport) NOTE: http://bugs.ntp.org/show_bug.cgi?id=1532 NOTE: mitigated if noquery used. Only a problem for (public) ntp servers allowing NOTE: querying ntpd status, so allowing monlist CVE-2013-5210 (Cross-site scripting (XSS) vulnerability in the GUI login page in ADTR ...) NOT-FOR-US: Adtran Netvanta CVE-2013-5209 (The sctp_send_initiate_ack function in sys/netinet/sctp_output.c in th ...) {DSA-2743-1} - kfreebsd-8 (bug #720476) [wheezy] - kfreebsd-8 8.3-6+deb7u1 [squeeze] - kfreebsd-8 (Unsupported in squeeze-lts) - kfreebsd-9 9.2~svn254368-2 (bug #720475) - kfreebsd-10 10.0~svn254663-1 (bug #720478) CVE-2013-5208 (HR Systems Strategies info:HR HRIS 7.9 does not properly protect the d ...) NOT-FOR-US: HR Systems Strategies CVE-2013-5207 RESERVED CVE-2013-5206 RESERVED CVE-2013-5205 RESERVED CVE-2013-5204 RESERVED CVE-2013-5203 RESERVED CVE-2013-5202 RESERVED CVE-2013-5201 RESERVED CVE-2013-5200 (The (1) REST and (2) memcache interfaces in the Hazelcast cluster API ...) NOT-FOR-US: Open-Xchange CVE-2013-5199 (WebKit, as used in Apple Safari before 6.1.1 and 7.x before 7.0.1, all ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2013-5198 (WebKit, as used in Apple Safari before 6.1.1 and 7.x before 7.0.1, all ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2013-5197 (WebKit, as used in Apple Safari before 6.1.1 and 7.x before 7.0.1, all ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2013-5196 (WebKit, as used in Apple Safari before 6.1.1 and 7.x before 7.0.1, all ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2013-5195 (WebKit, as used in Apple Safari before 6.1.1 and 7.x before 7.0.1, all ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2013-5194 RESERVED CVE-2013-5193 (The App Store component in Apple iOS before 7.0.4 does not properly en ...) NOT-FOR-US: Apple CVE-2013-5192 (The USB hub controller in Apple Mac OS X before 10.9 allows local user ...) NOT-FOR-US: Apple Mac OS X CVE-2013-5191 (The syslog implementation in Apple Mac OS X before 10.9 allows local u ...) NOT-FOR-US: Apple Mac OS X CVE-2013-5190 (Smart Card Services in Apple Mac OS X before 10.9 does not properly im ...) NOT-FOR-US: Apple Mac OS X CVE-2013-5189 (Apple Mac OS X before 10.9 does not preserve a certain administrative ...) NOT-FOR-US: Apple Mac OS X CVE-2013-5188 (The Screen Lock implementation in Apple Mac OS X before 10.9, when hib ...) NOT-FOR-US: Apple Mac OS X CVE-2013-5187 (The Screen Lock implementation in Apple Mac OS X before 10.9 does not ...) NOT-FOR-US: Apple Mac OS X CVE-2013-5186 (Power Management in Apple Mac OS X before 10.9 does not properly handl ...) NOT-FOR-US: Apple Mac OS X CVE-2013-5185 (The ldapsearch command-line program in OpenLDAP in Apple Mac OS X befo ...) NOT-FOR-US: Apple Mac OS X CVE-2013-5184 (The kernel in Apple Mac OS X before 10.9 does not properly check for e ...) NOT-FOR-US: Apple Mac OS X CVE-2013-5183 (Mail in Apple Mac OS X before 10.9, when Kerberos authentication is en ...) NOT-FOR-US: Apple Mac OS X CVE-2013-5182 (Mail in Apple Mac OS X before 10.9 allows remote attackers to spoof th ...) NOT-FOR-US: Apple Mac OS X CVE-2013-5181 (The auto-configuration feature in Mail in Apple Mac OS X before 10.9 s ...) NOT-FOR-US: Apple Mac OS X CVE-2013-5180 (The srandomdev function in Libc in Apple Mac OS X before 10.9, when th ...) NOT-FOR-US: Apple Mac OS X CVE-2013-5179 (App Sandbox in Apple Mac OS X before 10.9 allows attackers to bypass i ...) NOT-FOR-US: Apple Mac OS X CVE-2013-5178 (LaunchServices in Apple Mac OS X before 10.9 does not properly restric ...) NOT-FOR-US: Apple Mac OS X CVE-2013-5177 (The kernel in Apple Mac OS X before 10.9 allows local users to cause a ...) NOT-FOR-US: Apple Mac OS X CVE-2013-5176 (The kernel in Apple Mac OS X before 10.9 does not properly handle inte ...) NOT-FOR-US: Apple Mac OS X CVE-2013-5175 (The kernel in Apple Mac OS X before 10.9 allows local users to obtain ...) NOT-FOR-US: Apple Mac OS X CVE-2013-5174 (Integer signedness error in the kernel in Apple Mac OS X before 10.9 a ...) NOT-FOR-US: Apple Mac OS X CVE-2013-5173 (The random-number generator in the kernel in Apple Mac OS X before 10. ...) NOT-FOR-US: Apple Mac OS X CVE-2013-5172 (The kernel in Apple Mac OS X before 10.9 does not properly determine t ...) NOT-FOR-US: Apple Mac OS X CVE-2013-5171 (CoreGraphics in Apple Mac OS X before 10.9 allows local users to bypas ...) NOT-FOR-US: Apple Mac OS X CVE-2013-5170 (Buffer underflow in CoreGraphics in Apple Mac OS X before 10.9 allows ...) NOT-FOR-US: Apple Mac OS X CVE-2013-5169 (CoreGraphics in Apple Mac OS X before 10.9, when display-sleep mode is ...) NOT-FOR-US: Apple Mac OS X CVE-2013-5168 (Console in Apple Mac OS X before 10.9 allows user-assisted remote atta ...) NOT-FOR-US: Apple Mac OS X CVE-2013-5167 (CFNetwork in Apple Mac OS X before 10.9 does not properly support Safa ...) NOT-FOR-US: Apple Mac OS X CVE-2013-5166 (The Bluetooth USB host controller in Apple Mac OS X before 10.9 premat ...) NOT-FOR-US: Apple Mac OS X CVE-2013-5165 (socketfilterfw in Application Firewall in Apple Mac OS X before 10.9 d ...) NOT-FOR-US: Apple Mac OS X CVE-2013-5164 (Multiple race conditions in the Phone app in Apple iOS before 7.0.3 al ...) NOT-FOR-US: Apple iOS CVE-2013-5163 (Directory Services in Apple Mac OS X before 10.8.5 Supplemental Update ...) NOT-FOR-US: Apple OS X CVE-2013-5162 (Passcode Lock in Apple iOS before 7.0.3 on iPhone devices allows physi ...) NOT-FOR-US: Apple iOS CVE-2013-5161 (Passcode Lock in Apple iOS before 7.0.2 does not properly manage the l ...) NOT-FOR-US: Apple iOS CVE-2013-5160 (Passcode Lock in Apple iOS before 7.0.2 on iPhone devices allows physi ...) NOT-FOR-US: Apple iOS CVE-2013-5159 (WebKit in Apple iOS before 7 allows remote attackers to bypass the Sam ...) NOT-FOR-US: Apple iOS CVE-2013-5158 (The Social subsystem in Apple iOS before 7 does not properly restrict ...) NOT-FOR-US: Apple iOS CVE-2013-5157 (The Twitter subsystem in Apple iOS before 7 does not require API confo ...) NOT-FOR-US: Apple iOS CVE-2013-5156 (The Telephony subsystem in Apple iOS before 7 does not require API con ...) NOT-FOR-US: Apple iOS CVE-2013-5155 (The Sandbox subsystem in Apple iOS before 7 allows attackers to cause ...) NOT-FOR-US: Apple iOS CVE-2013-5154 (The Sandbox subsystem in Apple iOS before 7 determines the sandboxing ...) NOT-FOR-US: Apple iOS CVE-2013-5153 (Springboard in Apple iOS before 7 does not properly manage the lock st ...) NOT-FOR-US: Apple iOS CVE-2013-5152 (Mobile Safari in Apple iOS before 7 allows remote attackers to spoof t ...) NOT-FOR-US: Apple iOS CVE-2013-5151 (Mobile Safari in Apple iOS before 7 does not prevent HTML interpretati ...) NOT-FOR-US: Apple iOS CVE-2013-5150 (The history-clearing feature in Safari in Apple iOS before 7 does not ...) NOT-FOR-US: Apple iOS CVE-2013-5149 (The Push Notifications subsystem in Apple iOS before 7 provides the pu ...) NOT-FOR-US: Apple iOS CVE-2013-5148 (Apple Keynote before 6.0 does not properly handle the interaction betw ...) NOT-FOR-US: Apple Keynote CVE-2013-5147 (Passcode Lock in Apple iOS before 7 does not properly manage the lock ...) NOT-FOR-US: Apple iOS CVE-2013-5146 RESERVED CVE-2013-5145 (kextd in Kext Management in Apple iOS before 7 does not properly verif ...) NOT-FOR-US: Apple iOS CVE-2013-5144 (Passcode Lock in Apple iOS before 7.0.3 on iPhone devices allows physi ...) NOT-FOR-US: Apple iOS CVE-2013-5143 (The RADIUS service in Server App in Apple OS X Server before 3.0 selec ...) NOT-FOR-US: Apple OS X Server CVE-2013-5142 (The kernel in Apple iOS before 7 does not initialize unspecified kerne ...) NOT-FOR-US: Apple iOS CVE-2013-5141 (The kernel in Apple iOS before 7 uses an incorrect data size for a cer ...) NOT-FOR-US: Apple iOS CVE-2013-5140 (The kernel in Apple iOS before 7 allows remote attackers to cause a de ...) NOT-FOR-US: Apple iOS CVE-2013-5139 (The IOSerialFamily driver in Apple iOS before 7 allows attackers to ex ...) NOT-FOR-US: Apple iOS CVE-2013-5138 (IOCatalogue in IOKitUser in Apple iOS before 7 allows attackers to cau ...) NOT-FOR-US: Apple iOS CVE-2013-5137 (IOKit in Apple iOS before 7 allows attackers to send user-interface ev ...) NOT-FOR-US: Apple iOS CVE-2013-5136 (Apple Remote Desktop before 3.7 does not properly use server authentic ...) NOT-FOR-US: Apple Remote Desktop CVE-2013-5135 (Format string vulnerability in Screen Sharing Server in Apple Mac OS X ...) NOT-FOR-US: Apple Mac OS X CVE-2013-5134 REJECTED CVE-2013-5133 (Backup in Apple iOS before 7.1 does not properly restrict symlinks, wh ...) NOT-FOR-US: Apple CVE-2013-5132 (Apple AirPort Base Station Firmware before 7.6.4 does not properly han ...) NOT-FOR-US: Apple AirPort CVE-2013-5131 (Cross-site scripting (XSS) vulnerability in WebKit in Apple iOS before ...) NOT-FOR-US: Apple iOS CVE-2013-5130 (WebKit in Apple Safari before 6.1 disables the Private Browsing featur ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2013-5129 (Multiple cross-site scripting (XSS) vulnerabilities in WebKit in Apple ...) NOT-FOR-US: Apple iOS CVE-2013-5128 (WebKit, as used in Apple iOS before 7, allows remote attackers to exec ...) NOT-FOR-US: Apple iOS CVE-2013-5127 (WebKit, as used in Apple iOS before 7, allows remote attackers to exec ...) NOT-FOR-US: Apple iOS CVE-2013-5126 (WebKit, as used in Apple iOS before 7, allows remote attackers to exec ...) NOT-FOR-US: Apple iOS CVE-2013-5125 (WebKit, as used in Apple iOS before 7, allows remote attackers to exec ...) NOT-FOR-US: Apple iOS CVE-2013-5124 RESERVED CVE-2013-5123 (The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 use ...) - python-pip 1.4.1-1 (unimportant) [squeeze] - python-pip (Support for mirroring introduced in 0.8.1) NOTE: This is additional hardening / security feature, not a vulnerabily (despite NOTE: the discussion on oss-sec) CVE-2013-5122 (Cisco Linksys Routers EA2700, EA3500, E4200, EA4500: A bug can cause a ...) NOT-FOR-US: Linksys CVE-2013-5121 (SQL injection vulnerability in PHPFox before 3.6.0 (build6) allows rem ...) NOT-FOR-US: PHPFox CVE-2013-5120 (SQL injection vulnerability in PHPFox before 3.6.0 (build4) allows rem ...) NOT-FOR-US: PHPFox CVE-2013-5119 (Zimbra Collaboration Suite (ZCS) 6.0.16 and earlier allows man-in-the- ...) NOT-FOR-US: Zimbra Collaboration Suite CVE-2013-5118 (Cross-site scripting (XSS) vulnerability in the Good for Enterprise ap ...) NOT-FOR-US: Good for Enterprise app for iOS CVE-2013-5117 (SQL injection vulnerability in the RSS page (DNNArticleRSS.aspx) in th ...) NOT-FOR-US: DotNetNuke CVE-2013-5116 (Evernote prior to 5.5.1 has insecure password change ...) NOT-FOR-US: Evernote CVE-2013-5115 RESERVED CVE-2013-5114 (LastPass prior to 2.5.1 allows secure wipe bypass. ...) NOT-FOR-US: LastPass CVE-2013-5113 (LastPass prior to 2.5.1 has an insecure PIN implementation. ...) NOT-FOR-US: LastPass CVE-2013-5112 (Evernote before 5.5.1 has insecure PIN storage ...) NOT-FOR-US: Evernote CVE-2013-5111 RESERVED CVE-2013-5110 RESERVED CVE-2013-5109 RESERVED CVE-2013-5108 (Multiple cross-site scripting (XSS) vulnerabilities in the xn function ...) - rockmongo (bug #702961) CVE-2013-5107 (Directory traversal vulnerability in RockMongo 1.1.5 and earlier allow ...) - rockmongo (bug #702961) CVE-2013-5106 (A Code Execution vulnerability exists in select.py when using python-m ...) NOT-FOR-US: python vim mode, different from src:python-mode, which is for emacs CVE-2013-5105 RESERVED CVE-2013-5104 RESERVED CVE-2013-5103 RESERVED CVE-2013-5102 RESERVED CVE-2013-5101 RESERVED CVE-2013-5100 (Cross-site scripting (XSS) vulnerability in the Static Methods since 2 ...) NOT-FOR-US: TYPO3 extension Static Methods CVE-2013-5099 (Cross-site scripting (XSS) vulnerability in article.php in Anchor CMS ...) NOT-FOR-US: Anchor CMS CVE-2013-5098 (Cross-site scripting (XSS) vulnerability in admin/admin.php in the Dow ...) NOT-FOR-US: WordPress plugin download-monitor CVE-2013-5097 (Juniper Junos Space before 13.1R1.6, as used on the JA1500 appliance a ...) NOT-FOR-US: Juniper Junos Space CVE-2013-5096 (Juniper Junos Space before 13.1R1.6, as used on the JA1500 appliance a ...) NOT-FOR-US: Juniper Junos Space CVE-2013-5095 (Cross-site scripting (XSS) vulnerability in the web-based interface in ...) NOT-FOR-US: Juniper Junos Space CVE-2013-5094 (Cross-site scripting (XSS) vulnerability in index.exp in McAfee Vulner ...) NOT-FOR-US: McAfee Vulnerability Manager CVE-2013-5093 (The renderLocalView function in render/views.py in graphite-web in Gra ...) - graphite-web 0.9.12+debian-1 (bug #720454) NOTE: http://ceriksen.com/2013/08/20/graphite-remote-code-execution-vulnerability-advisory/ CVE-2013-5092 (Cross-site scripting (XSS) vulnerability in afa/php/Login.php in AlgoS ...) NOT-FOR-US: AlgoSec Firewall Analyzer CVE-2013-5091 (SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 ...) NOT-FOR-US: vTiger CRM CVE-2013-5090 REJECTED CVE-2013-5089 REJECTED CVE-2013-5088 REJECTED CVE-2013-5087 REJECTED CVE-2013-5086 REJECTED CVE-2013-5085 REJECTED CVE-2013-5084 REJECTED CVE-2013-5083 REJECTED CVE-2013-5082 REJECTED CVE-2013-5081 REJECTED CVE-2013-5080 REJECTED CVE-2013-5079 REJECTED CVE-2013-5078 REJECTED CVE-2013-5077 REJECTED CVE-2013-5076 REJECTED CVE-2013-5075 REJECTED CVE-2013-5074 REJECTED CVE-2013-5073 REJECTED CVE-2013-5072 (Cross-site scripting (XSS) vulnerability in Outlook Web Access in Micr ...) NOT-FOR-US: Microsoft Exchange Server OWA CVE-2013-5071 REJECTED CVE-2013-5070 REJECTED CVE-2013-5069 REJECTED CVE-2013-5068 REJECTED CVE-2013-5067 REJECTED CVE-2013-5066 REJECTED CVE-2013-5065 (NDProxy.sys in the kernel in Microsoft Windows XP SP2 and SP3 and Serv ...) NOT-FOR-US: Microsoft Windows CVE-2013-5064 REJECTED CVE-2013-5063 REJECTED CVE-2013-5062 REJECTED CVE-2013-5061 REJECTED CVE-2013-5060 REJECTED CVE-2013-5059 (Microsoft SharePoint Server 2010 SP1 and SP2 and 2013, and Office Web ...) NOT-FOR-US: Microsoft SharePoint Server CVE-2013-5058 (Integer overflow in the kernel-mode drivers in Microsoft Windows XP SP ...) NOT-FOR-US: Microsoft Windows Kernel CVE-2013-5057 (hxds.dll in Microsoft Office 2007 SP3 and 2010 SP1 and SP2 does not im ...) NOT-FOR-US: Microsoft Windows Kernel CVE-2013-5056 (Use-after-free vulnerability in the Scripting Runtime Object Library i ...) NOT-FOR-US: Microsoft Windows CVE-2013-5055 REJECTED CVE-2013-5054 (Microsoft Office 2013 and 2013 RT allows remote attackers to discover ...) NOT-FOR-US: Microsoft Office CVE-2013-5053 REJECTED CVE-2013-5052 (Microsoft Internet Explorer 7 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-5051 (Microsoft Internet Explorer 10 and 11 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-5050 REJECTED CVE-2013-5049 (Microsoft Internet Explorer 6 through 9 allows remote attackers to exe ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-5048 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-5047 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-5046 (Microsoft Internet Explorer 7 through 11 allows local users to bypass ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-5045 (Microsoft Internet Explorer 10 and 11 allows local users to bypass the ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-5044 REJECTED CVE-2013-5043 REJECTED CVE-2013-5042 (Cross-site scripting (XSS) vulnerability in Microsoft ASP.NET SignalR ...) NOT-FOR-US: Microsoft ASP.NET SignalR CVE-2013-5041 REJECTED CVE-2013-5040 RESERVED CVE-2013-5039 (Cross-site request forgery (CSRF) vulnerability in goform/wlanBasicSec ...) NOT-FOR-US: HOT HOTBOX router CVE-2013-5038 (The HOT HOTBOX router with software 2.1.11 allows remote attackers to ...) NOT-FOR-US: HOT HOTBOX router CVE-2013-5037 (The HOT HOTBOX router with software 2.1.11 has a default WPS PIN of 12 ...) NOT-FOR-US: HOT HOTBOX router CVE-2013-5036 (The Square Squash allows remote attackers to execute arbitrary code vi ...) NOT-FOR-US: Square Squash CVE-2013-5035 (Multiple race conditions in HtmlCleaner before 2.6, as used in Open-Xc ...) NOT-FOR-US: Open-Xchange CVE-2013-5034 (Unspecified vulnerability in Atmail before 6.6.4, and 7.x before 7.1.2 ...) NOT-FOR-US: Atmail CVE-2013-5033 (Unspecified vulnerability in Atmail before 6.6.4, and 7.x before 7.1.2 ...) NOT-FOR-US: Atmail CVE-2013-5032 (Unspecified vulnerability in Atmail before 6.6.4, and 7.x before 7.1.2 ...) NOT-FOR-US: Atmail CVE-2013-5031 (Unspecified vulnerability in Atmail before 6.6.4, and 7.x before 7.1.2 ...) NOT-FOR-US: Atmail CVE-2013-5030 (Ruckus Wireless Zoneflex 2942 devices with firmware 9.6.0.0.267 allow ...) NOT-FOR-US: Ruckus Wireless Zoneflex CVE-2013-5029 (phpMyAdmin 3.5.x and 4.0.x before 4.0.5 allows remote attackers to byp ...) - phpmyadmin 4:4.0.5-1 [squeeze] - phpmyadmin (Backport not feasible and X-Frame-Options protection enough on any modern browser) [wheezy] - phpmyadmin (Backport not feasible and X-Frame-Options protection enough on any modern browser) CVE-2013-5028 (SQL injection vulnerability in IT/hardware-list.dll in Kwoksys Kwok In ...) NOT-FOR-US: Kwok Information Server CVE-2013-5027 (Collabtive 1.0 has incorrect access control ...) - collabtive [jessie] - collabtive (fixed in version 1.1) CVE-2013-5026 (An ActiveX control in lookout650.ocx, lookout660.ocx, and lookout670.o ...) NOT-FOR-US: National Instruments Lookout CVE-2013-5025 (An ActiveX control in exlauncher.dll in the Help subsystem in National ...) NOT-FOR-US: National Instruments CVE-2013-5024 (An ActiveX control in NationalInstruments.Help2.dll in National Instru ...) NOT-FOR-US: National Instruments CVE-2013-5023 (The ActiveX controls in the HelpAsst component in NI Help Links in Nat ...) NOT-FOR-US: National Instruments CVE-2013-5022 (Absolute path traversal vulnerability in the 3D Graph ActiveX control ...) NOT-FOR-US: National Instruments CVE-2013-5021 (Multiple absolute path traversal vulnerabilities in National Instrumen ...) NOT-FOR-US: National Instruments CVE-2013-5020 (Multiple cross-site scripting (XSS) vulnerabilities in bb_admin.php in ...) NOT-FOR-US: miniBB CVE-2013-5019 (Stack-based buffer overflow in Ultra Mini HTTPD 1.21 allows remote att ...) NOT-FOR-US: Ultra Mini HTTPD CVE-2013-5018 (The is_asn1 function in strongSwan 4.1.11 through 5.0.4 does not prope ...) - strongswan (Only affects 5.0.4 from experimental) NOTE: The PEM aspect is under control of the administrator, so not a security issue NOTE: The XAuth / EAP Issue only affects 5.0.3/5.0.4 CVE-2013-5017 (SNMPConfig.php in the management console in Symantec Web Gateway (SWG) ...) NOT-FOR-US: Symantec Web Gateway CVE-2013-5016 (Symantec Critical System Protection (SCSP) before 5.2.9, when installe ...) NOT-FOR-US: Symantec CVE-2013-5015 (SQL injection vulnerability in the management console in Symantec Endp ...) NOT-FOR-US: Symantec Endpoint Protection CVE-2013-5014 (The management console in Symantec Endpoint Protection Manager (SEPM) ...) NOT-FOR-US: Symantec Endpoint Protection CVE-2013-5013 (Multiple cross-site scripting (XSS) vulnerabilities in the management ...) NOT-FOR-US: Symantec WEB Gateway CVE-2013-5012 (Multiple SQL injection vulnerabilities in the management console on th ...) NOT-FOR-US: Symantec Web Gateway CVE-2013-5011 (Unquoted Windows search path vulnerability in the client in Symantec E ...) NOT-FOR-US: Symantec Endpoint Protection CVE-2013-5010 (The Application/Device Control (ADC) component in the client in Symant ...) NOT-FOR-US: Symantec Endpoint Protection CVE-2013-5009 (The Management Console in Symantec Endpoint Protection (SEP) 11.x befo ...) NOT-FOR-US: Symantec Endpoint Protection CVE-2013-5008 (The agent and task-agent components in Symantec Management Platform 7. ...) NOT-FOR-US: Symantec CVE-2013-5007 RESERVED CVE-2013-5006 (main_internet.php on the Western Digital My Net N600 and N750 with fir ...) NOT-FOR-US: Western Digital Router CVE-2013-5005 (Multiple cross-site scripting (XSS) vulnerabilities in ajaxRequest/met ...) NOT-FOR-US: Tripwire Enterprise CVE-2013-5004 RESERVED CVE-2013-4994 RESERVED CVE-2013-4993 RESERVED CVE-2013-4992 RESERVED CVE-2013-4991 RESERVED CVE-2013-4990 RESERVED CVE-2013-4989 RESERVED CVE-2013-4988 (Stack-based buffer overflow in IcoFX 2.5 and earlier allows remote att ...) NOT-FOR-US: IcoFX CVE-2013-4987 (PineApp Mail-SeCure before 3.70 allows remote authenticated users to g ...) NOT-FOR-US: PinApp CVE-2013-4986 (Stack-based buffer overflow in PDFAX0722_IconCool.dll 7.22.1125.2121 i ...) NOT-FOR-US: PDFCool CVE-2013-4985 (Multiple Vivotek IP Cameras remote authentication bypass that could al ...) NOT-FOR-US: Vivotek IP Cameras CVE-2013-4984 (The close_connections function in /opt/cma/bin/clear_keys.pl in Sophos ...) NOT-FOR-US: Sophos Web Protection Appliance CVE-2013-4983 (The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appl ...) NOT-FOR-US: Sophos Web Protection Appliance CVE-2013-4982 (AVTECH AVN801 DVR has a security bypass via the administration login c ...) NOT-FOR-US: AVTECH DVR CVE-2013-4981 (Buffer overflow in cgi-bin/user/Config.cgi in AVTECH AVN801 DVR with f ...) NOT-FOR-US: AVTECH DVR CVE-2013-4980 (Buffer overflow in the RTSP Packet Handler in AVTECH AVN801 DVR with f ...) NOT-FOR-US: AVTECH DVR CVE-2013-4979 (Buffer overflow in the gldll32.dll module in EPS Viewer 3.2 and earlie ...) NOT-FOR-US: EPS Viewer CVE-2013-4978 (Stack-based buffer overflow in AloahaPDFViewer 5.0.0.7 and earlier in ...) NOT-FOR-US: Aloaha PDF Suite CVE-2013-4977 (Buffer overflow in the RTSP Packet Handler in Hikvision DS-2CD7153-E I ...) NOT-FOR-US: Hikvision IP camera CVE-2013-4976 (Hikvision DS-2CD7153-E IP Camera has security bypass via hardcoded cre ...) NOT-FOR-US: Hikvision DS-2CD7153-E IP Camera CVE-2013-4975 (Hikvision DS-2CD7153-E IP Camera has Privilege Escalation ...) NOT-FOR-US: Hikvision DS-2CD7153-E IP Camera CVE-2013-4974 (RealNetworks RealPlayer before 16.0.3.51, and RealPlayer SP 1.0 throug ...) NOT-FOR-US: RealPlayer CVE-2013-4973 (Stack-based buffer overflow in RealNetworks RealPlayer before 16.0.3.5 ...) NOT-FOR-US: RealPlayer CVE-2013-4972 RESERVED CVE-2013-4971 (Puppet Enterprise before 3.2.0 does not properly restrict access to no ...) - puppet (Only affects Puppet Enterprise) CVE-2013-4970 RESERVED CVE-2013-4969 (Puppet before 3.3.3 and 3.4 before 3.4.1 and Puppet Enterprise (PE) be ...) {DSA-2831-1} - puppet 3.4.1-1 NOTE: http://puppetlabs.com/security/cve/cve-2013-4969 CVE-2013-4968 (Puppet Enterprise before 3.0.1 allows remote attackers to (1) conduct ...) - puppet (Only affects Puppet Enterprise) CVE-2013-4967 (Puppet Enterprise before 3.0.1 allows remote attackers to obtain the d ...) - puppet (Only affects Puppet Enterprise) CVE-2013-4966 (The master external node classification script in Puppet Enterprise be ...) - puppet (Only affects Puppet Enterprise) CVE-2013-4965 (Puppet Enterprise before 3.1.0 does not properly restrict the number o ...) - puppet (Only affects Puppet Enterprise) CVE-2013-4964 (Puppet Enterprise before 3.0.1 does not set the secure flag for the se ...) - puppet (Only affects Puppet Enterprise) CVE-2013-4963 (Multiple cross-site request forgery (CSRF) vulnerabilities in Puppet E ...) - puppet (Only affects Puppet Enterprise) CVE-2013-4962 (The reset password page in Puppet Enterprise before 3.0.1 does not for ...) - puppet (Only affects Puppet Enterprise) CVE-2013-4961 (Puppet Enterprise before 3.0.1 includes version information for the Ap ...) - puppet (Only affects Puppet Enterprise) CVE-2013-4960 RESERVED CVE-2013-4959 (Puppet Enterprise before 3.0.1 uses HTTP responses that contain sensit ...) - puppet (Only affects Puppet Enterprise) CVE-2013-4958 (Puppet Enterprise before 3.0.1 does not use a session timeout, which m ...) - puppet (Only affects Puppet Enterprise) CVE-2013-4957 (The dashboard report in Puppet Enterprise before 3.0.1 allows attacker ...) NOT-FOR-US: puppet-dashboard CVE-2013-4956 (Puppet Module Tool (PMT), as used in Puppet 2.7.x before 2.7.23 and 3. ...) {DSA-2761-1} - puppet 3.2.4-1 [squeeze] - puppet (puppet module not yet present) CVE-2013-4955 (Open redirect vulnerability in the login page in Puppet Enterprise bef ...) - puppet (Only affects Puppet Enterprise) CVE-2013-4954 (Multiple cross-site scripting (XSS) vulnerabilities in wp-login.php in ...) NOT-FOR-US: Genetech Solutions Pie-Register CVE-2013-4953 (SQL injection vulnerability in play.php in Top Games Script 1.2 allows ...) NOT-FOR-US: Top Games Script CVE-2013-4952 (SQL injection vulnerability in functions/global.php in Elemata CMS RC ...) NOT-FOR-US: Elemata CMS CVE-2013-4951 (Multiple cross-site scripting (XSS) vulnerabilities in Mintboard 0.3 a ...) NOT-FOR-US: Mintboard CVE-2013-4950 (Cross-site scripting (XSS) vulnerability in view.php in Machform 2 all ...) NOT-FOR-US: Machform CVE-2013-4949 (Unrestricted file upload vulnerability in view.php in Machform 2 allow ...) NOT-FOR-US: Machform CVE-2013-4948 (SQL injection vulnerability in view.php in Machform 2 allows remote at ...) NOT-FOR-US: Machform CVE-2013-4947 (Unspecified vulnerability in the update and build database page in Saw ...) NOT-FOR-US: Sawmill CVE-2013-4946 (Multiple cross-site scripting (XSS) vulnerabilities in BMC Service Des ...) NOT-FOR-US: BMC Service Desk Express CVE-2013-4945 (Multiple SQL injection vulnerabilities in BMC Service Desk Express (SD ...) NOT-FOR-US: BMC Service Desk Express CVE-2013-4944 (Cross-site scripting (XSS) vulnerability in the BuddyPress Extended Fr ...) NOT-FOR-US: BuddyPress CVE-2013-4943 (The client application in Siemens COMOS before 9.1 Update 458, 9.2 bef ...) NOT-FOR-US: Siemens COMOS CVE-2013-4942 (Cross-site scripting (XSS) vulnerability in flashuploader.swf in the U ...) - moodle 2.5.1-1 [squeeze] - moodle (Vulnerable code not present) CVE-2013-4941 (Cross-site scripting (XSS) vulnerability in uploader.swf in the Upload ...) - moodle 2.5.1-1 [squeeze] - moodle (Vulnerable code not installed in package) CVE-2013-4940 (Cross-site scripting (XSS) vulnerability in io.swf in the IO Utility c ...) - moodle 2.5.1-1 [squeeze] - moodle (Vulnerable code not present) CVE-2013-4939 (Cross-site scripting (XSS) vulnerability in io.swf in the IO Utility c ...) - moodle 2.5.1-1 [squeeze] - moodle (Vulnerable code not present) CVE-2013-4938 (The LTI (aka IMS-LTI) mod_form implementation in Moodle through 2.1.10 ...) - moodle 2.5.1-1 [squeeze] - moodle (Vulnerable code not present) CVE-2013-4995 (Cross-site scripting (XSS) vulnerability in phpMyAdmin 3.5.x before 3. ...) {DSA-2975-1 DLA-0014-1} - phpmyadmin 4:4.0.4.2-1 (low) [squeeze] - phpmyadmin 4:3.3.7-8 CVE-2013-4996 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5. ...) {DSA-2975-1 DLA-0014-1} - phpmyadmin 4:4.0.4.2-1 [squeeze] - phpmyadmin 4:3.3.7-8 CVE-2013-4997 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5. ...) - phpmyadmin 4:4.0.4.2-1 [wheezy] - phpmyadmin (Vulnerable code not present) [squeeze] - phpmyadmin (Vulnerable code not present) CVE-2013-4998 (phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allows remote ...) - phpmyadmin 4:4.0.4.2-1 (unimportant) NOTE: Full path disclosure irrelevant in Debian packages CVE-2013-4999 (phpMyAdmin 4.0.x before 4.0.4.2 allows remote attackers to obtain sens ...) - phpmyadmin 4:4.0.4.2-1 (unimportant) NOTE: Full path disclosure irrelevant in Debian packages CVE-2013-5000 (phpMyAdmin 3.5.x before 3.5.8.2 allows remote attackers to obtain sens ...) - phpmyadmin 4:4.0.4.2-1 (unimportant) NOTE: Full path disclosure irrelevant in Debian packages CVE-2013-5001 (Cross-site scripting (XSS) vulnerability in libraries/plugins/transfor ...) - phpmyadmin 4:4.0.4.2-1 (low) [squeeze] - phpmyadmin (Vulnerable code not present) [wheezy] - phpmyadmin (Vulnerable code not present) CVE-2013-5002 (Cross-site scripting (XSS) vulnerability in libraries/schema/Export_Re ...) {DSA-2975-1} - phpmyadmin 4:4.0.4.2-1 (low) [squeeze] - phpmyadmin (Vulnerable code not present) CVE-2013-5003 (Multiple SQL injection vulnerabilities in phpMyAdmin 3.5.x before 3.5. ...) {DSA-2975-1 DLA-0014-1} - phpmyadmin 4:4.0.4.2-1 [squeeze] - phpmyadmin 4:3.3.7-8 CVE-2013-4937 (Multiple unspecified vulnerabilities in the AiCloud feature on the ASU ...) NOT-FOR-US: Asus firmware CVE-2013-4936 (The IsDFP_Frame function in plugins/profinet/packet-pn-rt.c in the PRO ...) - wireshark 1.10.1-1 [wheezy] - wireshark (Only affects 1.10.x) [squeeze] - wireshark (Only affects 1.10.x) CVE-2013-4935 (The dissect_per_length_determinant function in epan/dissectors/packet- ...) {DSA-2734-1} - wireshark 1.10.1-1 CVE-2013-4934 (The netmon_open function in wiretap/netmon.c in the Netmon file parser ...) {DSA-2734-1} - wireshark 1.10.1-1 CVE-2013-4933 (The netmon_open function in wiretap/netmon.c in the Netmon file parser ...) {DSA-2734-1} - wireshark 1.10.1-1 CVE-2013-4932 (Multiple array index errors in epan/dissectors/packet-gsm_a_common.c i ...) {DSA-2734-1} - wireshark 1.10.1-1 CVE-2013-4931 (epan/proto.c in Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1 ...) {DLA-497-1} - wireshark 1.10.1-1 (unimportant) NOTE: Not suitable for code injection CVE-2013-4930 (The dissect_dvbci_tpdu_hdr function in epan/dissectors/packet-dvbci.c ...) {DSA-2734-1} - wireshark 1.10.1-1 [squeeze] - wireshark (Affected dissector not yet present) CVE-2013-4929 (The parseFields function in epan/dissectors/packet-dis-pdus.c in the D ...) {DLA-497-1} - wireshark 1.10.1-1 (unimportant) NOTE: Not suitable for code injection CVE-2013-4928 (Integer signedness error in the dissect_headers function in epan/disse ...) - wireshark 1.10.1-1 (unimportant) [wheezy] - wireshark (Only affects 1.10.x) [squeeze] - wireshark (Only affects 1.10.x) NOTE: Not suitable for code injection CVE-2013-4927 (Integer signedness error in the get_type_length function in epan/disse ...) {DLA-497-1} - wireshark 1.10.1-1 (unimportant) NOTE: Not suitable for code injection CVE-2013-4926 (epan/dissectors/packet-dcom-sysact.c in the DCOM ISystemActivator diss ...) - wireshark 1.10.1-1 [wheezy] - wireshark (Only affects 1.10.x) [squeeze] - wireshark (Only affects 1.10.x) CVE-2013-4925 (Integer signedness error in epan/dissectors/packet-dcom-sysact.c in th ...) - wireshark 1.10.1-1 [wheezy] - wireshark (Only affects 1.10.x) [squeeze] - wireshark (Only affects 1.10.x) CVE-2013-4924 (epan/dissectors/packet-dcom-sysact.c in the DCOM ISystemActivator diss ...) - wireshark 1.10.1-1 [wheezy] - wireshark (Only affects 1.10.x) [squeeze] - wireshark (Only affects 1.10.x) CVE-2013-4923 (Memory leak in the dissect_dcom_ActivationProperties function in epan/ ...) - wireshark 1.10.1-1 [wheezy] - wireshark (Only affects 1.10.x) [squeeze] - wireshark (Only affects 1.10.x) CVE-2013-4922 (Double free vulnerability in the dissect_dcom_ActivationProperties fun ...) - wireshark 1.10.1-1 [wheezy] - wireshark (Only affects 1.10.x) [squeeze] - wireshark (Only affects 1.10.x) CVE-2013-4921 (Off-by-one error in the dissect_radiotap function in epan/dissectors/p ...) - wireshark 1.10.1-1 [wheezy] - wireshark (Only affects 1.10.x) [squeeze] - wireshark (Only affects 1.10.x) CVE-2013-4920 (The P1 dissector in Wireshark 1.10.x before 1.10.1 does not properly i ...) - wireshark 1.10.1-1 [wheezy] - wireshark (Only affects 1.10.x) [squeeze] - wireshark (Only affects 1.10.x) CVE-2013-4919 RESERVED CVE-2013-4918 RESERVED CVE-2013-4917 RESERVED CVE-2013-4916 RESERVED CVE-2013-4915 RESERVED CVE-2013-4914 RESERVED CVE-2013-4913 RESERVED CVE-2013-4912 (Open redirect vulnerability in Siemens WinCC (TIA Portal) 11 and 12 be ...) NOT-FOR-US: Siemens CVE-2013-4911 (Cross-site request forgery (CSRF) vulnerability in Siemens WinCC (TIA ...) NOT-FOR-US: Siemens CVE-2013-4910 RESERVED CVE-2013-4909 RESERVED CVE-2013-4908 RESERVED CVE-2013-4907 RESERVED CVE-2013-4906 RESERVED CVE-2013-4905 RESERVED CVE-2013-4904 RESERVED CVE-2013-4903 RESERVED CVE-2013-4902 RESERVED CVE-2013-4901 RESERVED CVE-2013-4900 (Directory traversal vulnerability in DeWeS web server 0.4.2 and possib ...) NOT-FOR-US: DeWeS web server (Twilight CMS) CVE-2013-4899 (Cross-site scripting (XSS) vulnerability in Twilight CMS 5.17 and poss ...) NOT-FOR-US: Twilight CMS CVE-2013-4898 (Unrestricted file upload vulnerability in the user profile page featur ...) NOT-FOR-US: Timeline Plugin for SocialEngine CVE-2013-4897 REJECTED CVE-2013-4896 RESERVED CVE-2013-4895 RESERVED CVE-2013-4894 RESERVED CVE-2013-4893 RESERVED CVE-2013-4892 RESERVED CVE-2013-4891 (The xss_clean function in CodeIgniter before 2.1.4 might allow remote ...) - codeigniter (bug #471583) CVE-2013-4889 (Multiple cross-site request forgery (CSRF) vulnerabilities in index.ph ...) NOT-FOR-US: Digital Signage Xibo CVE-2013-4888 (Cross-site scripting (XSS) vulnerability in index.php in Digital Signa ...) NOT-FOR-US: Digital Signage Xibo CVE-2013-4887 (SQL injection vulnerability in index.php in Digital Signage Xibo 1.4.2 ...) NOT-FOR-US: Digital Signage Xibo CVE-2013-4886 RESERVED CVE-2013-4885 (The http-domino-enum-passwords.nse script in NMap before 6.40, when do ...) - nmap 6.40-0.1 (low; bug #719289) [squeeze] - nmap (Vulnerable code not present) [wheezy] - nmap 6.00-0.3+deb7u1 CVE-2013-4884 (Cross-site scripting (XSS) vulnerability in McAfee SuperScan 4.0 allow ...) NOT-FOR-US: McAfee SuperScan CVE-2013-5217 REJECTED CVE-2013-4890 (The DMCRUIS/0.1 web server on the Samsung PS50C7700 TV allows remote a ...) NOT-FOR-US: Samsung TV CVE-2013-4883 (Multiple cross-site scripting (XSS) vulnerabilities in McAfee ePolicy ...) NOT-FOR-US: McAfee ePolicy Orchestrator CVE-2013-4882 (Multiple SQL injection vulnerabilities in McAfee ePolicy Orchestrator ...) NOT-FOR-US: McAfee ePolicy Orchestrator CVE-2013-4881 (Cross-site request forgery (CSRF) vulnerability in core/admin/modules/ ...) NOT-FOR-US: BigTree CMS CVE-2013-4880 (Cross-site scripting (XSS) vulnerability in core/admin/modules/develop ...) NOT-FOR-US: BigTree CMS CVE-2013-4879 (SQL injection vulnerability in core/inc/bigtree/cms.php in BigTree CMS ...) NOT-FOR-US: BigTree CMS CVE-2013-4878 (The default configuration of Parallels Plesk Panel 9.0.x and 9.2.x on ...) NOT-FOR-US: Parallels Plesk Panel CVE-2013-4877 (The Verizon Wireless Network Extender SCS-26UC4 and SCS-2U01 does not ...) NOT-FOR-US: Verizon Wireless Network Extender CVE-2013-4876 (The Verizon Wireless Network Extender SCS-2U01 has a hardcoded passwor ...) NOT-FOR-US: Verizon Wireless Network Extender CVE-2013-4875 (The Uboot bootloader on the Verizon Wireless Network Extender SCS-2U01 ...) NOT-FOR-US: Verizon Wireless Network Extender SCS-2U01 CVE-2013-4874 (The Uboot bootloader on the Verizon Wireless Network Extender SCS-26UC ...) NOT-FOR-US: Verizon Wireless Network Extender CVE-2013-4873 (The Yahoo! Tumblr app before 3.4.1 for iOS sends cleartext credentials ...) NOT-FOR-US: iOS app CVE-2013-4872 (Google Glass before XE6 does not properly restrict the processing of Q ...) NOT-FOR-US: Google Glass CVE-2013-4871 (Cross-site request forgery (CSRF) vulnerability in the TEQneers SEO En ...) NOT-FOR-US: TYPO3 extension tq_seo CVE-2013-4870 (SQL injection vulnerability in the News Search (news_search) extension ...) NOT-FOR-US: TYPO3 extension news_search CVE-2013-4869 (Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(2) and ...) NOT-FOR-US: Cisco CVE-2013-4868 (Karotz API 12.07.19.00: Session Token Information Disclosure ...) NOT-FOR-US: Karotz API CVE-2013-4867 (Electronic Arts Karotz Smart Rabbit 12.07.19.00 allows Python module h ...) NOT-FOR-US: Electronic Arts Karotz Smart Rabbit CVE-2013-4866 (The LIXIL Corporation My SATIS Genius Toilet application for Android h ...) NOT-FOR-US: LIXIL Corporation My SATIS Genius Toilet application for Android CVE-2013-4865 (Cross-site request forgery (CSRF) vulnerability in upgrade_step2.sh in ...) NOT-FOR-US: MiCasaVerde VeraLite CVE-2013-4864 (MiCasaVerde VeraLite with firmware 1.5.408 allows remote attackers to ...) NOT-FOR-US: MiCasaVerde VeraLite CVE-2013-4863 (The HomeAutomationGateway service in MiCasaVerde VeraLite with firmwar ...) NOT-FOR-US: MiCasaVerde VeraLite CVE-2013-4862 (MiCasaVerde VeraLite with firmware 1.5.408 does not properly restrict ...) NOT-FOR-US: MiCasaVerde VeraLite CVE-2013-4861 (Directory traversal vulnerability in cgi-bin/cmh/get_file.sh in MiCasa ...) NOT-FOR-US: MiCasaVerde VeraLite CVE-2013-4860 (Radio Thermostat CT80 And CT50 with firmware 1.4.64 and earlier does n ...) NOT-FOR-US: Radio Thermostat CVE-2013-4859 (INSTEON Hub 2242-222 lacks Web and API authentication ...) NOT-FOR-US: INSTEON Hub CVE-2013-4858 (Microsoft Windows Movie Maker 2.1.4026.0 on Windows XP SP3 allows remo ...) NOT-FOR-US: Microsoft Windows Movie Maker CVE-2013-4857 (D-Link DIR-865L has PHP File Inclusion in the router xml file. ...) NOT-FOR-US: D-Link CVE-2013-4856 (D-Link DIR-865L has Information Disclosure. ...) NOT-FOR-US: D-Link CVE-2013-4855 (D-Link DIR-865L has SMB Symlink Traversal due to misconfiguration in t ...) NOT-FOR-US: D-Link CVE-2013-4854 (The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x bef ...) {DSA-2728-1} - bind9 1:9.8.4.dfsg.P1-6+nmu3 (bug #717936) NOTE: https://kb.isc.org/article/AA-01015/0 CVE-2013-4853 RESERVED CVE-2013-4852 (Integer overflow in PuTTY 0.62 and earlier, WinSCP before 5.1.6, and o ...) {DSA-2736-1} - putty 0.63-1 (bug #718779) - filezilla 3.7.3-1 (low; bug #718800) [squeeze] - filezilla (Minor issue) [wheezy] - filezilla (Minor issue) NOTE: http://www.securityfocus.com/archive/1/527763/30/0 NOTE: http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896 CVE-2013-4851 (The vfs_hang_addrlist function in sys/kern/vfs_export.c in the NFS ser ...) {DSA-2743-1} - kfreebsd-9 9.1-4 (bug #717958) - kfreebsd-8 8.3-7 (bug #717959) [wheezy] - kfreebsd-8 8.3-6+deb7u1 [squeeze] - kfreebsd-8 (FreeBSD NFS server implementation was not supported in squeeze) CVE-2013-4850 RESERVED CVE-2013-4849 RESERVED CVE-2013-4848 (TP-Link TL-WDR4300 version 3.13.31 has multiple CSRF vulnerabilities. ...) NOT-FOR-US: TP-Link CVE-2013-4847 RESERVED CVE-2013-4846 (Unspecified vulnerability in HP System Management Homepage (SMH) befor ...) NOT-FOR-US: HP System Management Homepage CVE-2013-4845 (Cross-site scripting (XSS) vulnerability on HP Officejet Pro 8500 (aka ...) NOT-FOR-US: HP Officejet Pro CVE-2013-4844 (Unspecified vulnerability in HP Service Manager 7.11, 9.21, 9.30, 9.31 ...) NOT-FOR-US: HP Service Manager and ServiceCenter CVE-2013-4843 (Unspecified vulnerability in HP Integrated Lights-Out 4 (iLO4) with fi ...) NOT-FOR-US: HP iLO CVE-2013-4842 (Cross-site scripting (XSS) vulnerability in HP Integrated Lights-Out 4 ...) NOT-FOR-US: HP iLO CVE-2013-4841 (Unspecified vulnerability in dbd_manager in LeftHand OS before 11.0 in ...) NOT-FOR-US: HP StoreVirtual CVE-2013-4840 (Unspecified vulnerability in HP and H3C VPN Firewall Module products S ...) NOT-FOR-US: HP and H3C VPN Firewall Module CVE-2013-4839 (Unspecified vulnerability in Virtual User Generator in HP LoadRunner b ...) NOT-FOR-US: HP LoadRunner CVE-2013-4838 (Unspecified vulnerability in Virtual User Generator in HP LoadRunner b ...) NOT-FOR-US: HP LoadRunner CVE-2013-4837 (Unspecified vulnerability in Virtual User Generator in HP LoadRunner b ...) NOT-FOR-US: HP LoadRunner CVE-2013-4836 (Unspecified vulnerability in the GossipService SOAP Request implementa ...) NOT-FOR-US: HP Application LifeCycle Management CVE-2013-4835 (The APISiteScopeImpl SOAP service in HP SiteScope 10.1x and 11.x befor ...) NOT-FOR-US: HP SiteScope CVE-2013-4834 (Unspecified vulnerability in the client component in HP Application Li ...) NOT-FOR-US: HP Application LifeCycle Management CVE-2013-4833 (Cross-site scripting (XSS) vulnerability in HP Service Manager 9.30 th ...) NOT-FOR-US: HP CVE-2013-4832 (HP Service Manager 9.30 through 9.32 allows remote authenticated users ...) NOT-FOR-US: HP CVE-2013-4831 (HP Service Manager 9.30 through 9.32 does not properly manage privileg ...) NOT-FOR-US: HP CVE-2013-4830 (HP Service Manager 9.30 through 9.32 allows remote attackers to execut ...) NOT-FOR-US: HP CVE-2013-4829 (HP LaserJet M4555, M525, and M725; LaserJet flow MFP M525c; LaserJet E ...) NOT-FOR-US: HP CVE-2013-4828 (HP LaserJet M4555, M525, and M725; LaserJet flow MFP M525c; LaserJet E ...) NOT-FOR-US: HP CVE-2013-4827 (SQL injection vulnerability in HP Intelligent Management Center (iMC) ...) NOT-FOR-US: HP Intelligent Management Center CVE-2013-4826 (Unspecified vulnerability in HP Intelligent Management Center (iMC) an ...) NOT-FOR-US: HP Intelligent Management Center CVE-2013-4825 (Unspecified vulnerability in HP Intelligent Management Center (iMC) an ...) NOT-FOR-US: HP Intelligent Management Center CVE-2013-4824 (Unspecified vulnerability in HP Intelligent Management Center (iMC) an ...) NOT-FOR-US: HP Intelligent Management Center CVE-2013-4823 (Unspecified vulnerability in HP Intelligent Management Center (iMC) an ...) NOT-FOR-US: HP Intelligent Management Center CVE-2013-4822 (Unspecified vulnerability in HP Intelligent Management Center (iMC) an ...) NOT-FOR-US: HP Intelligent Management Center CVE-2013-4821 (Unspecified vulnerability in HP System Management Homepage (SMH) befor ...) NOT-FOR-US: HP System Management Homepage CVE-2013-4820 (Unspecified vulnerability in HP IceWall SSO 8.0 through 10.0, IceWall ...) NOT-FOR-US: HP CVE-2013-4819 (Unspecified vulnerability in HP IceWall SSO Agent Option 8.0 through 1 ...) NOT-FOR-US: HP CVE-2013-4818 (Unspecified vulnerability in HP IceWall SSO 8.0 through 10.0, IceWall ...) NOT-FOR-US: HP CVE-2013-4817 (Unspecified vulnerability in HP IceWall SSO Agent Option 8.0 through 1 ...) NOT-FOR-US: HP CVE-2013-4816 REJECTED CVE-2013-4815 (Cross-site scripting (XSS) vulnerability in the web interface in HP Ar ...) NOT-FOR-US: HP CVE-2013-4814 (Cross-site scripting (XSS) vulnerability in HP XP P9000 Command View A ...) NOT-FOR-US: HP CVE-2013-4813 (The Agent (aka AgentController) servlet in HP ProCurve Manager (PCM) 3 ...) NOT-FOR-US: HP CVE-2013-4812 (UpdateCertificatesServlet in the SNAC registration server in HP ProCur ...) NOT-FOR-US: HP CVE-2013-4811 (UpdateDomainControllerServlet in the SNAC registration server in HP Pr ...) NOT-FOR-US: HP CVE-2013-4810 (HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, Identity Dr ...) NOT-FOR-US: HP CVE-2013-4809 (Multiple SQL injection vulnerabilities in GetEventsServlet in HP ProCu ...) NOT-FOR-US: HP CVE-2013-4808 (Unspecified vulnerability in HP Service Manager 7.11, 9.21, 9.30, and ...) NOT-FOR-US: HP CVE-2013-4807 (Unspecified vulnerability on the HP LaserJet Pro P1102w, P1606dn, M121 ...) NOT-FOR-US: HP CVE-2013-4806 (The OSPF implementation on HP JD9##A routers; HP J4###A, J484#B, J8### ...) NOT-FOR-US: HP routers CVE-2013-4805 (Unspecified vulnerability in HP Integrated Lights-Out 3 (aka iLO3) fir ...) NOT-FOR-US: HP Integrated Lights-Out firmware CVE-2013-4804 (Unspecified vulnerability in HP Business Process Monitor 9.13.1 patch ...) NOT-FOR-US: HP Business Process Monitor CVE-2013-4803 REJECTED CVE-2013-4802 (Cross-site scripting (XSS) vulnerability in HP Application Lifecycle M ...) NOT-FOR-US: HP CVE-2013-4801 (Unspecified vulnerability in HP LoadRunner before 11.52 allows remote ...) NOT-FOR-US: HP LoadRunner CVE-2013-4800 (Unspecified vulnerability in HP LoadRunner before 11.52 allows remote ...) NOT-FOR-US: HP LoadRunner CVE-2013-4799 (Unspecified vulnerability in HP LoadRunner before 11.52 allows remote ...) NOT-FOR-US: HP LoadRunner CVE-2013-4798 (Unspecified vulnerability in HP LoadRunner before 11.52 allows remote ...) NOT-FOR-US: HP LoadRunner CVE-2013-4797 (Unspecified vulnerability in HP LoadRunner before 11.52 allows remote ...) NOT-FOR-US: HP LoadRunner CVE-2013-4796 (ReviewBoard 1.6.17 allows code execution by attaching PHP scripts to r ...) - reviewboard (bug #653113) CVE-2013-4795 (Cross-site scripting (XSS) vulnerability in the Submitters list in Rev ...) - reviewboard (bug #653113) CVE-2013-4794 RESERVED CVE-2013-4793 (The update function in umbraco.webservices/templates/templateService.c ...) NOT-FOR-US: Umbraco CVE-2011-5266 (Imperva SecureSphere Web Application Firewall (WAF) before 12-august-2 ...) NOT-FOR-US: Imperva SecureSphere Web Application Firewall (WAF) CVE-2013-4792 (PrestaShop before 1.4.11 allows logout CSRF. ...) NOT-FOR-US: PrestaShop CVE-2013-4791 (PrestaShop before 1.4.11 allows Logistician, translators and other low ...) NOT-FOR-US: PrestaShop CVE-2013-4790 (Open-Xchange AppSuite before 7.0.2 rev14, 7.2.0 before rev11, 7.2.1 be ...) NOT-FOR-US: Open-Xchange CVE-2013-4789 (SQL injection vulnerability in modules/rss/rss.php in Cotonti before 0 ...) NOT-FOR-US: Cotonti CVE-2013-4788 (The PTR_MANGLE implementation in the GNU C Library (aka glibc or libc6 ...) {DLA-165-1} - glibc 2.17-94 (low; bug #717178) - eglibc [wheezy] - eglibc 2.13-38+deb7u1 CVE-2013-4787 (Android 1.6 Donut through 4.2 Jelly Bean does not properly check crypt ...) NOT-FOR-US: Android CVE-2013-4786 (The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange P ...) NOTE: Design flaw in the IPMI 2.0 specification. Any correctly implemented device is vulnerable. NOTE: Contacted relevant maintainers: Since few to no devices do mutual authentication, tools shipped by Debian are generally not affected. At best, the tools can print a warning for vulnerable devices. CVE-2013-4784 (The HP Integrated Lights-Out (iLO) BMC implementation allows remote at ...) NOT-FOR-US: HP IPMI device CVE-2013-4781 (core/getLog.php on the Siemens Enterprise OpenScape Branch appliance a ...) NOT-FOR-US: Siemens Enterprise OpenScape CVE-2013-4780 (core/getLog.php on the Siemens Enterprise OpenScape Branch appliance a ...) NOT-FOR-US: Siemens Enterprise OpenScape CVE-2013-4779 (Cross-site scripting (XSS) vulnerability in core/handleTw.php on the S ...) NOT-FOR-US: Siemens Enterprise OpenScape CVE-2013-4778 (core/getLog.php on the Siemens Enterprise OpenScape Branch appliance a ...) NOT-FOR-US: Siemens Enterprise OpenScape CVE-2013-4777 (A certain configuration of Android 2.3.7 on the Motorola Defy XT phone ...) NOT-FOR-US: Motorola CVE-2013-4776 (NETGEAR ProSafe GS724Tv3 and GS716Tv2 with firmware 5.4.1.13 and earli ...) NOT-FOR-US: NETGEAR CVE-2013-4775 (NETGEAR ProSafe GS724Tv3 and GS716Tv2 with firmware 5.4.1.13 and earli ...) NOT-FOR-US: NETGEAR CVE-2013-4785 (The web interface on the Dell iDRAC6 with firmware before 1.95 allows ...) NOT-FOR-US: Dell CVE-2013-4783 (The Dell iDRAC6 with firmware 1.x before 1.92 and 2.x and 3.x before 3 ...) NOT-FOR-US: Dell CVE-2013-4782 (The Supermicro BMC implementation allows remote attackers to bypass au ...) NOT-FOR-US: Supermicro CVE-2013-4774 RESERVED CVE-2013-4773 RESERVED CVE-2013-4772 (D-Link DIR-505L SharePort Mobile Companion 1.01 and DIR-826L Wireless ...) NOT-FOR-US: D-Link CVE-2013-4771 RESERVED CVE-2013-4770 (Cross-site scripting (XSS) vulnerability in Eucalyptus Management Cons ...) NOT-FOR-US: Eucalyptus Management Console CVE-2013-4769 (The cloud controller (aka CLC) component in Eucalyptus 3.3.x and 3.4.x ...) - eucalyptus CVE-2013-4768 (The web services APIs in Eucalyptus 2.0 through 3.4.1 allow remote att ...) - eucalyptus CVE-2013-4767 (Unspecified vulnerability in Eucalyptus before 3.3.2 has unknown impac ...) - eucalyptus CVE-2013-4766 (The gather log service in Eucalyptus before 3.3.1 allows remote attack ...) - eucalyptus CVE-2013-4765 RESERVED CVE-2013-4764 (Samsung Galaxy S3/S4 exposes an unprotected component allowing an unpr ...) NOT-FOR-US: Samsung CVE-2013-4763 (Samsung Galaxy S3/S4 exposes an unprotected component allowing arbitra ...) NOT-FOR-US: Samsung CVE-2013-4762 (Puppet Enterprise before 3.0.1 does not sufficiently invalidate a sess ...) - puppet (Only affects Puppet Enterprise) CVE-2013-4761 (Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x befo ...) {DSA-2761-1} - puppet 3.2.4-1 (low) [squeeze] - puppet (non-standard config and attacker requires local access to master) CVE-2013-4760 RESERVED CVE-2013-4759 (Multiple cross-site scripting (XSS) vulnerabilities in the Magnolia Fo ...) NOT-FOR-US: Magnolia CMS CVE-2013-4757 RESERVED CVE-2013-4756 RESERVED CVE-2013-4758 (Double free vulnerability in the writeDataError function in the Elasti ...) - rsyslog (omelasticsearch plugin not enabled; see #715009) [squeeze] - rsyslog (omelasticsearch plugin not yet present) [wheezy] - rsyslog (omelasticsearch plugin not yet present) NOTE: http://bugzilla.adiscon.com/show_bug.cgi?id=461 NOTE: http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=80f88242982c9c6ad6ce8628fc5b94ea74051cf4 CVE-2013-4755 RESERVED CVE-2013-4754 (Multiple cross-site scripting (XSS) vulnerabilities in Owl Intranet Kn ...) NOT-FOR-US: Owl Intranet Knowledgebase CVE-2013-4753 (Multiple cross-site scripting (XSS) vulnerabilities in Claroline 1.11. ...) NOT-FOR-US: Claroline CVE-2013-4752 (Symfony 2.0.X before 2.0.24, 2.1.X before 2.1.12, 2.2.X before 2.2.5, ...) NOT-FOR-US: Symfony HttpFoundation component CVE-2013-4751 (php-symfony2-Validator has loss of information during serialization ...) NOT-FOR-US: Symfony Validator component CVE-2013-4750 RESERVED CVE-2013-4749 (Cross-site scripting (XSS) vulnerability in the UserTask Center, Messa ...) NOT-FOR-US: sys_messages TYPO3 extension CVE-2013-4748 (SQL injection vulnerability in the News system (news) extension before ...) NOT-FOR-US: News system TYPO3 extension CVE-2013-4747 (Cross-site scripting (XSS) vulnerability in the Accessible browse resu ...) NOT-FOR-US: Accessible browse results TYPO3 extension CVE-2013-4746 (Cross-site scripting (XSS) vulnerability in the My quiz and poll (myqu ...) NOT-FOR-US: My quiz and poll TYPO3 extension CVE-2013-4745 (SQL injection vulnerability in the My quiz and poll (myquizpoll) exten ...) NOT-FOR-US: My quiz and poll TYPO3 extension CVE-2013-4744 (Cross-site scripting (XSS) vulnerability in the PHPUnit extension befo ...) NOT-FOR-US: PHPUnit TYPO3 extension CVE-2013-4743 (Static HTTP Server 1.0 has a Local Overflow ...) NOT-FOR-US: Static HTTP Server CVE-2013-4742 (Buffer overflow in NetWin SurgeFTP before 23d2 allows remote attackers ...) NOT-FOR-US: SurgeFTP CVE-2013-4741 RESERVED CVE-2013-4740 (goodix_tool.c in the Goodix gt915 touchscreen driver for the Linux ker ...) NOT-FOR-US: Goodix gt915 Android touchscreen driver CVE-2013-4739 (The MSM camera driver for the Linux kernel 3.x, as used in Qualcomm In ...) - linux (Android-specific camera drivers) CVE-2013-4738 (Multiple stack-based buffer overflows in the MSM camera driver for the ...) - linux (Android-specific camera drivers) CVE-2013-4737 (The CONFIG_STRICT_MEMORY_RWX implementation for the Linux kernel 3.x, ...) - linux (Affected code not in mainline kernel) - linux-2.6 (Affected code not in mainline kernel) NOTE: https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=4256415b296348ff16cd17a5b8f8dce4dea37328 CVE-2013-4736 (Multiple integer overflows in the JPEG engine drivers in the MSM camer ...) NOTE: https://www.codeaurora.org/projects/security-advisories/integer-overflow-and-signedness-issue-camera-jpeg-engines-cve-2013-4736 NOT-FOR-US: camera JPEG engines on Android Linux kernels CVE-2013-4735 (The Digital Alert Systems DASDEC EAS device before 2.0-2 and the Monro ...) NOT-FOR-US: Digital Alert Systems and Monroe Electronics CVE-2013-4734 (dasdec_mkuser on the Digital Alert Systems DASDEC EAS device before 2. ...) NOT-FOR-US: Alert Systems and Monroe Electronics CVE-2013-4733 (The web server on the Digital Alert Systems DASDEC EAS device before 2 ...) NOT-FOR-US: Alert Systems and Monroe Electronics CVE-2013-4732 (** DISPUTED ** The administrative web server on the Digital Alert Syst ...) NOT-FOR-US: Alert Systems and Monroe Electronics CVE-2013-4731 (ajax.cgi in the web interface on the Choice Wireless Green Packet WIXF ...) NOT-FOR-US: Choice Wireless Green Packet modem CVE-2013-4730 (Buffer overflow in PCMan's FTP Server 2.0.7 allows remote attackers to ...) NOT-FOR-US: PCMan FTP Server CVE-2013-4729 (import.php in phpMyAdmin 4.x before 4.0.4.1 does not properly restrict ...) - phpmyadmin 4:4.0.4.1-1 [wheezy] - phpmyadmin (vulnerable code not present) [squeeze] - phpmyadmin (vulnerable code not present) CVE-2013-4728 (DDSN Interactive cm3 Acora CMS 6.0.6/1a, 6.0.2/1a, 5.5.7/12b, 5.5.0/1b ...) NOT-FOR-US: Acora CMS CVE-2013-4727 (DDSN Interactive cm3 Acora CMS 6.0.6/1a, 6.0.2/1a, 5.5.7/12b, 5.5.0/1b ...) NOT-FOR-US: Acora CMS CVE-2013-4726 (Cross-site request forgery (CSRF) vulnerability in DDSN Interactive cm ...) NOT-FOR-US: Acora CMS CVE-2013-4725 (DDSN Interactive cm3 Acora CMS 6.0.6/1a, 6.0.2/1a, 5.5.7/12b, 5.5.0/1b ...) NOT-FOR-US: Acora CMS CVE-2013-4724 (DDSN Interactive cm3 Acora CMS 6.0.6/1a, 6.0.2/1a, 5.5.7/12b, 5.5.0/1b ...) NOT-FOR-US: Acora CMS CVE-2013-4723 (Open redirect vulnerability in DDSN Interactive cm3 Acora CMS 6.0.6/1a ...) NOT-FOR-US: Acora CMS CVE-2013-4722 (Multiple cross-site scripting (XSS) vulnerabilities in Admin/login/def ...) NOT-FOR-US: Acora CMS CVE-2010-5288 (Buffer overflow in the lsConnectionCached function in editcp in EDItra ...) NOT-FOR-US: EDItran Communications Platform CVE-2013-4721 (SQL injection vulnerability in the RSS feed from records extension 1.0 ...) NOT-FOR-US: records extension for TYPO3 CVE-2013-4720 (SQL injection vulnerability in the WEC Discussion Forum extension befo ...) NOT-FOR-US: WEC Discussion Forum CVE-2013-4719 (SQL injection vulnerability in the SEO Pack for tt_news extension befo ...) NOT-FOR-US: SEO Pack for tt_news extension for TYPO3 CVE-2013-4718 [XSS] RESERVED NOT-FOR-US: OTRS ITSM CVE-2013-4717 [SQL injection] RESERVED {DSA-2733-1} - otrs2 3.2.9-1 NOTE: http://web.archive.org/web/20131023033811/http://www.otrs.com:80/en/open-source/community-news/security-advisories/security-advisory-2013-05/ CVE-2012-6581 (Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8 ...) {DSA-2567-1} - request-tracker3.8 - request-tracker4 4.0.7-2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=870406#c3 CVE-2012-6580 (Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8 ...) {DSA-2567-1} - request-tracker3.8 - request-tracker4 4.0.7-2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=870406#c3 CVE-2012-6579 (Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8 ...) {DSA-2567-1} - request-tracker3.8 - request-tracker4 4.0.7-2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=870406#c3 CVE-2012-6578 (Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8 ...) {DSA-2567-1} - request-tracker3.8 - request-tracker4 4.0.7-2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=870406#c3 CVE-2012-6577 (SQL injection vulnerability in the Formhandler extension before 1.4.1 ...) NOT-FOR-US: Formhandler TYPO3 extension CVE-2012-6576 (Cross-site scripting (XSS) vulnerability in the PRH Search module 7.x- ...) NOT-FOR-US: Drupal module PRH Search CVE-2012-6575 (Cross-site scripting (XSS) vulnerability in the Exposed Filter Data mo ...) NOT-FOR-US: Drupal module Exposed Filter Data CVE-2012-6574 (Cross-site scripting (XSS) vulnerability in the Fonecta verify module ...) NOT-FOR-US: Drupal module Fonecta verify CVE-2013-4716 (Cross-site scripting (XSS) vulnerability in Tattyan HP TOWN 5_9_3 and ...) NOT-FOR-US: Tattyan HP TOWN CVE-2013-4715 (SQL injection vulnerability in Tiki Wiki CMS Groupware 6 LTS before 6. ...) NOT-FOR-US: Tiki Wiki CVE-2013-4714 (Cross-site scripting (XSS) vulnerability in Tiki Wiki CMS Groupware 6 ...) NOT-FOR-US: Tiki Wiki CVE-2013-4713 (Cross-site scripting (XSS) vulnerability in I-O DATA DEVICE RockDisk w ...) NOT-FOR-US: I-O DATA DEVICE RockDisk CVE-2013-4712 (I-O DATA DEVICE HDL-A and HDL2-A devices with firmware 1.07 and earlie ...) NOT-FOR-US: I-O DATA DEVICE HDL-A and HDL2-A devices CVE-2013-4711 (Cross-site scripting (XSS) vulnerability in Accela BizSearch 3.2 on Li ...) NOT-FOR-US: Accela Bizsearch CVE-2013-4710 (Android 3.0 through 4.1.x on Disney Mobile, eAccess, KDDI, NTT DOCOMO, ...) NOT-FOR-US: Android CVE-2013-4709 (Buffer overflow in the PPP Access Concentrator (PPPAC) on the SEIL/x86 ...) NOT-FOR-US: PPP Access Concentrator CVE-2013-4708 (The PPP Access Concentrator (PPPAC) in Internet Initiative Japan Inc. ...) NOT-FOR-US: Internet Initiative Japan Inc CVE-2013-4707 (The SSH implementation on D-Link Japan DES-3810 devices with firmware ...) NOT-FOR-US: D-Link CVE-2013-4706 (The SSH implementation on the D-Link Japan DWL-2100AP with firmware be ...) NOT-FOR-US: D-Link CVE-2013-4705 (Cross-site scripting (XSS) vulnerability in Opera before 15.00 allows ...) NOT-FOR-US: Opera CVE-2013-4704 (Cross-site scripting (XSS) vulnerability in ChamaNet ChamaCargo 7.0000 ...) NOT-FOR-US: ChamaNet ChamaCargo CVE-2013-4703 (Cross-site scripting (XSS) vulnerability in the top-page customization ...) NOT-FOR-US: Cybozu Office CVE-2013-4702 (Multiple directory traversal vulnerabilities in the doApiAction functi ...) NOT-FOR-US: EC-CUBE CVE-2013-4701 (Auth/Yadis/XML.php in PHP OpenID Library 2.2.2 and earlier allows remo ...) - php-openid 2.2.2-1.2 (low; bug #721221) [wheezy] - php-openid (Minor issue) [squeeze] - php-openid (Minor issue) CVE-2013-4700 (The Yahoo! Japan Shopping application 1.4 and earlier for Android does ...) NOT-FOR-US: Yahoo shopping app CVE-2013-4699 (The Yahoo! Japan Yafuoku! application 4.3.0 and earlier for iOS and An ...) NOT-FOR-US: Yahoo shopping app CVE-2013-4698 (Cybozu Mailwise 5.0.4 and 5.0.5 allows remote authenticated users to o ...) NOT-FOR-US: Cybozu Mailwise CVE-2013-4697 (Multiple unspecified vulnerabilities in Hitachi JP1/IT Desktop Managem ...) NOT-FOR-US: Hitachi CVE-2013-4695 (Winamp 5.63: Invalid Pointer Dereference leading to Arbitrary Code Exe ...) NOT-FOR-US: Winamp CVE-2013-4694 (Stack-based buffer overflow in gen_jumpex.dll in Winamp before 5.64 Bu ...) NOT-FOR-US: Winamp CVE-2013-4693 (WordPress Xorbin Digital Flash Clock 1.0 has XSS ...) NOT-FOR-US: WordPress Xorbin Digital Flash Clock CVE-2013-4692 (Xorbin Analog Flash Clock 1.0 extension for Joomia has XSS ...) NOT-FOR-US: Xorbin Analog Flash Clock CVE-2013-4691 (Sencha Labs Connect has XSS with connect.methodOverride() ...) NOT-FOR-US: Sencha Labs Connect CVE-2013-4690 (Juniper Junos 10.4 before 10.4S13, 11.4 before 11.4R7-S1, 12.1 before ...) NOT-FOR-US: Juniper Junos CVE-2013-4689 (J-Web in Juniper Junos before 10.4R13, 11.4 before 11.4R7, 12.1R befor ...) NOT-FOR-US: Juniper Junos CVE-2013-4688 (flowd in Juniper Junos 10.4 before 10.4R11 on SRX devices, when the MS ...) NOT-FOR-US: Juniper Junos CVE-2013-4687 (flowd in Juniper Junos 10.4 before 10.4S14, 11.2 and 11.4 before 11.4R ...) NOT-FOR-US: Juniper Junos CVE-2013-4686 (The kernel in Juniper Junos 10.4 before 10.4R14, 11.4 before 11.4R8, 1 ...) NOT-FOR-US: Juniper Junos CVE-2013-4685 (Buffer overflow in flowd in Juniper Junos 10.4 before 10.4S14, 11.4 be ...) NOT-FOR-US: Juniper Junos CVE-2013-4684 (flowd in Juniper Junos 10.4 before 10.4S14, 11.4 before 11.4R8, 12.1 b ...) NOT-FOR-US: Juniper Junos CVE-2013-4683 (SQL injection vulnerability in the meta_feedit extension 0.1.10 and ea ...) NOT-FOR-US: meta_feedit extension for TYPO3 CVE-2013-4682 (SQL injection vulnerability in the Multishop extension before 2.0.39 f ...) NOT-FOR-US: Multishop extension for TYPO3 CVE-2013-4681 (SQL injection vulnerability in the sofortueberweisung2commerce extensi ...) NOT-FOR-US: sofortueberweisung2commerce extension TYPO3 CVE-2013-4680 (Open redirect vulnerability in Maag Form Captcha extension 2.0.0 and e ...) NOT-FOR-US: meta_feedit extension for TYPO3 CVE-2013-4679 (Symantec Workspace Virtualization before 6.x before 6.4.1953.0, when a ...) NOT-FOR-US: Symantec Workspace Virtualization CVE-2013-4678 (The NDMP protocol implementation in Symantec Backup Exec 2010 R3 befor ...) NOT-FOR-US: Symantec Backup Exec CVE-2013-4677 (Symantec Backup Exec 2010 R3 before 2010 R3 SP3 and 2012 before SP2 us ...) NOT-FOR-US: Symantec Backup Exec CVE-2013-4676 (Multiple cross-site scripting (XSS) vulnerabilities in Symantec Backup ...) NOT-FOR-US: Symantec Backup Exec CVE-2013-4675 RESERVED CVE-2013-4674 (Cross-site scripting (XSS) vulnerability in the Web Email Protection c ...) NOT-FOR-US: Symantec CVE-2013-4673 (The management console on the Symantec Web Gateway (SWG) appliance bef ...) NOT-FOR-US: Symantec CVE-2013-4672 (The management console on the Symantec Web Gateway (SWG) appliance bef ...) NOT-FOR-US: Symantec CVE-2013-4671 (Cross-site request forgery (CSRF) vulnerability in the management cons ...) NOT-FOR-US: Symantec CVE-2013-4670 (Multiple cross-site scripting (XSS) vulnerabilities in the management ...) NOT-FOR-US: Symantec CVE-2013-4668 (Directory traversal vulnerability in File Roller 3.6.x before 3.6.4, 3 ...) - file-roller 3.8.3-1 [squeeze] - file-roller (Doesn't use libarchive) [wheezy] - file-roller (Doesn't use libarchive) NOTE: http://www.ocert.org/advisories/ocert-2013-001.html CVE-2013-4667 RESERVED CVE-2013-4666 RESERVED CVE-2013-4665 (SPBAS Business Automation Software 2012 has CSRF. ...) NOT-FOR-US: SPBAS Business Automation Software CVE-2013-4664 (SPBAS Business Automation Software 2012 has XSS. ...) NOT-FOR-US: SPBAS Business Automation Software CVE-2013-4663 (git_http_controller.rb in the redmine_git_hosting plugin for Redmine a ...) NOT-FOR-US: Redmine plugin redmine_git_hosting CVE-2013-4662 (The Quick Search API in CiviCRM 4.2.0 through 4.2.9 and 4.3.0 through ...) - civicrm (Fixed before initial upload to the archive) CVE-2013-4661 (CiviCRM 2.0.0 through 4.2.9 and 4.3.0 through 4.3.3 does not properly ...) - civicrm (Fixed before initial upload to the archive) CVE-2013-4660 (The JS-YAML module before 2.0.5 for Node.js parses input without prope ...) NOT-FOR-US: js-yaml CVE-2013-4659 (Buffer overflow in Broadcom ACSD allows remote attackers to execute ar ...) NOT-FOR-US: Broadcom ACSD CVE-2013-4658 (Linksys EA6500 has SMB Symlink Traversal allowing symbolic links to be ...) NOT-FOR-US: Linksys CVE-2013-4657 (Symlink Traversal vulnerability in NETGEAR WNR3500U and WNR3500L due t ...) NOT-FOR-US: NETGEAR CVE-2013-4656 (Symlink Traversal vulnerability in ASUS RT-AC66U and RT-N56U due to mi ...) NOT-FOR-US: ASUS CVE-2013-4655 (Symlink Traversal vulnerability in Belkin N900 due to misconfiguration ...) NOT-FOR-US: Belkin CVE-2013-4654 (Symlink Traversal vulnerability in TP-LINK TL-WDR4300 and TL-1043ND.. ...) NOT-FOR-US: TP-LINK CVE-2013-4653 (Multiple cross-site scripting (XSS) vulnerabilities in the signin func ...) NOT-FOR-US: Alcatel-Lucent Omnitouch CVE-2013-4652 (Unspecified vulnerability in the command-line management interface on ...) NOT-FOR-US: Siemens CVE-2013-4651 (Siemens Scalance W7xx devices with firmware before 4.5.4 use the same ...) NOT-FOR-US: Siemens CVE-2013-4650 (MongoDB 2.4.x before 2.4.5 and 2.5.x before 2.5.1 allows remote authen ...) - mongodb 1:2.4.5-1 (bug #715007) [squeeze] - mongodb (Only affects 2.4.x) [wheezy] - mongodb (Only affects 2.4.x) CVE-2013-4649 (Cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) before 6. ...) NOT-FOR-US: DotNetNuke CVE-2013-4648 RESERVED CVE-2013-4647 RESERVED CVE-2013-4646 RESERVED CVE-2013-4645 RESERVED CVE-2013-4644 RESERVED CVE-2013-4643 RESERVED CVE-2013-4642 RESERVED CVE-2013-4641 RESERVED CVE-2013-4640 RESERVED CVE-2013-4639 RESERVED CVE-2013-4638 RESERVED CVE-2013-4637 RESERVED CVE-2013-4669 (FortiClient before 4.3.5.472 on Windows, before 4.0.3.134 on Mac OS X, ...) NOT-FOR-US: FortiClient CVE-2013-4636 (The mget function in libmagic/softmagic.c in the Fileinfo component in ...) - php5 5.5.0+dfsg-1 [squeeze] - php5 (Introduced with 10367fa7c6a4a2cf9bee02d8905e284185428f09) [wheezy] - php5 (Introduced with 10367fa7c6a4a2cf9bee02d8905e284185428f09) - file (bug in code modified for PHP) NOTE: Tested with the squeeze and wheezy versions CVE-2013-4635 (Integer overflow in the SdnToJewish function in jewish.c in the Calend ...) - php5 5.5.0+dfsg-1 (unimportant) NOTE: exploitable by malicious scripts only CVE-2012-6572 (Cross-site scripting (XSS) vulnerability in the phptemplate_preprocess ...) NOT-FOR-US: Inf08 theme for Drupal CVE-2013-4634 (SQL injection vulnerability in the jQuery autocomplete for indexed_sea ...) NOT-FOR-US: rzautocomplete extension for TYPO3 CVE-2013-4633 (Huawei Seco Versatile Security Manager (VSM) before V200R002C00SPC300 ...) NOT-FOR-US: Huawei Seco Versatile Security Manager CVE-2013-4632 (The Huawei Access Router (AR) before V200R002SPC003 allows remote atta ...) NOT-FOR-US: The Huawei Access Router CVE-2013-4631 (Huawei AR 150, 200, 1200, 2200, and 3200 routers, when SNMPv3 is enabl ...) NOT-FOR-US: Huawei AR 150, 200, 1200, 2200, and 3200 routers, CVE-2013-4630 (Stack-based buffer overflow on Huawei AR 150, 200, 1200, 2200, and 320 ...) NOT-FOR-US: Huawei routers CVE-2013-4629 (The Huawei viewpoint VP9610 and VP9620 units for the Huawei Video Conf ...) NOT-FOR-US: Huawei viewpoint CVE-2013-4628 (The firewall module on the Huawei Quidway Service Process Unit (SPU) b ...) NOT-FOR-US: Huawei Quidway Service Process Unit CVE-2013-4627 (Unspecified vulnerability in bitcoind and Bitcoin-Qt 0.8.x allows remo ...) - bitcoin 0.8.3-1 CVE-2012-6571 (The HTTP module in the (1) Branch Intelligent Management System (BIMS) ...) NOT-FOR-US: Branch Intelligent Management System, Huawei routers CVE-2012-6570 (The HTTP module in the (1) Branch Intelligent Management System (BIMS) ...) NOT-FOR-US: Branch Intelligent Management System, Huawei routers CVE-2012-6569 (Stack-based buffer overflow in the HTTP module in the (1) Branch Intel ...) NOT-FOR-US: Branch Intelligent Management System, Huawei routers CVE-2012-6568 (Buffer overflow in the back-end component in Huawei UTPS 1.0 allows lo ...) NOT-FOR-US: Huawei UTPS CVE-2013-4626 (Cross-site scripting (XSS) vulnerability in the BackWPup plugin before ...) NOT-FOR-US: WordPress plugin BackWPup CVE-2013-4625 (Cross-site scripting (XSS) vulnerability in files/installer.cleanup.ph ...) NOT-FOR-US: WordPress plugin Duplicator CVE-2013-4624 (Multiple cross-site scripting (XSS) vulnerabilities in Jahia xCM 6.6.1 ...) NOT-FOR-US: Jahia xCM CVE-2013-4623 (The x509parse_crt function in x509.h in PolarSSL 1.1.x before 1.1.7 an ...) {DSA-2782-1} - polarssl 1.2.8-1 (low; bug #719954) CVE-2013-4622 (The 3G Mobile Hotspot feature on the HTC Droid Incredible has a defaul ...) NOT-FOR-US: HTC Droid Incredible CVE-2013-4621 (Magnolia CMS before 4.5.9 has multiple access bypass vulnerabilities ...) NOT-FOR-US: Magnolia CMS CVE-2013-4620 (Cross-site scripting (XSS) vulnerability in interface/main/onotes/offi ...) NOT-FOR-US: OpenEMR CVE-2013-4619 (Multiple SQL injection vulnerabilities in OpenEMR 4.1.1 allow remote a ...) NOT-FOR-US: OpenEMR CVE-2013-4618 RESERVED CVE-2013-4617 (Jahia xCM before 6.6.2 does not include the HTTPOnly flag in a Set-Coo ...) NOT-FOR-US: Jahia xCM CVE-2013-4616 (The WifiPasswordController generateDefaultPassword method in Preferenc ...) NOT-FOR-US: Apple iOS CVE-2013-4615 (The Canon MG3100, MG5300, MG6100, MP495, MX340, MX870, MX890, MX920, a ...) NOT-FOR-US: EMC Smarts Network Configuration Manager CVE-2013-4614 (English/pages_MacUS/wls_set_content.html on the Canon MG3100, MG5300, ...) NOT-FOR-US: EMC Smarts Network Configuration Manager CVE-2013-4613 (The default configuration of the administrative interface on the Canon ...) NOT-FOR-US: EMC RSA Data Protection Manager Appliance CVE-2013-4612 (Multiple cross-site scripting (XSS) vulnerabilities in REDCap before 5 ...) NOT-FOR-US: REDCap CVE-2013-4611 (Multiple unspecified vulnerabilities in REDCap before 5.1.1 allow remo ...) NOT-FOR-US: REDCap CVE-2013-4610 (Unspecified vulnerability in the Data Search utility in data-entry for ...) NOT-FOR-US: REDCap CVE-2013-4609 (REDCap before 5.0.4 and 5.1.x before 5.1.3 does not reject certain und ...) NOT-FOR-US: REDCap CVE-2013-4608 (Cross-site scripting (XSS) vulnerability in REDCap before 5.0.6 allows ...) NOT-FOR-US: REDCap CVE-2013-4607 RESERVED CVE-2013-4606 RESERVED CVE-2013-4605 RESERVED CVE-2012-6567 (REDCap before 4.14.0 allows remote authenticated users to execute arbi ...) NOT-FOR-US: REDCap CVE-2012-6566 (Cross-site scripting (XSS) vulnerability in REDCap before 4.14.2 allow ...) NOT-FOR-US: REDCap CVE-2012-6565 (Cross-site scripting (XSS) vulnerability in REDCap before 4.14.3 allow ...) NOT-FOR-US: REDCap CVE-2012-6564 (Cross-site scripting (XSS) vulnerability in REDCap before 4.14.5 allow ...) NOT-FOR-US: REDCap CVE-2013-4604 (Fortinet FortiOS before 5.0.3 on FortiGate devices does not properly r ...) NOT-FOR-US: Fortinet FortiOS CVE-2013-4603 RESERVED CVE-2013-4602 (A Denial of Service (infinite loop) vulnerability exists in Avira Anti ...) NOT-FOR-US: Avira CVE-2013-4601 RESERVED CVE-2013-4600 (Multiple cross-site scripting (XSS) vulnerabilities in Alkacon OpenCms ...) NOT-FOR-US: Alkacon OpenCms CVE-2013-4599 (The Misery module 6.x-2.x before 6.x-2.5 and 7.x-2.x before 7.x-2.2 fo ...) NOT-FOR-US: Drupal module misery CVE-2013-4598 (The Groups, Communities and Co (GCC) module 7.x-1.x before 7.x-1.1 for ...) NOT-FOR-US: Drupal module GCC CVE-2013-4597 (The Revisioning module 7.x-1.x before 7.x-1.6 for Drupal does not prop ...) NOT-FOR-US: Drupal module Revisioning CVE-2013-4596 (The Node Access Keys module 7.x-1.x before 7.x-1.1 for Drupal does not ...) NOT-FOR-US: Drupal module Node Access Keys CVE-2013-4595 (The Secure Pages module 6.x-2.x before 6.x-2.0 for Drupal does not pro ...) NOT-FOR-US: Drupal module Secure Pages CVE-2013-4594 (The Payment for Webform module 7.x-1.x before 7.x-1.5 for Drupal does ...) NOT-FOR-US: Drupal module Payment for Webform CVE-2013-4593 (RubyGem omniauth-facebook has an access token security vulnerability ...) - ruby-omniauth-facebook (Fixed before initial release) CVE-2013-4592 (Memory leak in the __kvm_set_memory_region function in virt/kvm/kvm_ma ...) - linux 3.8-1 - linux-2.6 [squeeze] - linux-2.6 (Too intrusive to backport, KVM server not supported in squeeze-lts) [wheezy] - linux 3.2.53-1 CVE-2013-4591 (Buffer overflow in the __nfs4_get_acl_uncached function in fs/nfs/nfs4 ...) - linux 3.8-1 [wheezy] - linux (Introduced in 3.6) - linux-2.6 (Introduced in 3.6) NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=12d6e7538e2d418c08f082b1b44ffa5fb7270ed8 NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e40f193f5bb022e927a57a4f5d5194e4f12ddb74 CVE-2013-4590 (Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-R ...) {DSA-3530-1 DLA-91-1} - tomcat6 6.0.39 (low) [squeeze] - tomcat6 (Minor issue) - tomcat7 7.0.50 (low) [wheezy] - tomcat7 (Minor issue) - tomcat8 8.0.0 CVE-2013-4589 (The ExportAlphaQuantumType function in export.c in GraphicsMagick befo ...) - graphicsmagick 1.3.18-1 (low; bug #729661) [squeeze] - graphicsmagick (Minor issue) [wheezy] - graphicsmagick (Minor issue) CVE-2013-4588 (Multiple stack-based buffer overflows in net/netfilter/ipvs/ip_vs_ctl. ...) {DSA-2906-1} - linux (fixed in 2.6.33) - linux-2.6 2.6.37-1 NOTE: 2.6.37-1 first version including 2.6.33 in unstable for linux-2.6 NOTE: https://git.kernel.org/linus/04bcef2a83f40c6db24222b27a52892cba39dffb NOTE: http://seclists.org/fulldisclosure/2013/Nov/77 CVE-2013-4587 (Array index error in the kvm_vm_ioctl_create_vcpu function in virt/kvm ...) {DSA-2906-1} - linux 3.12.5-1 - linux-2.6 [wheezy] - linux 3.2.54-1 CVE-2013-4586 RESERVED CVE-2013-4585 RESERVED CVE-2013-4584 (Perdition before 2.2 may have weak security when handling outbound con ...) - perdition 2.1-1 (low; bug #729028) [wheezy] - perdition (Minor issue) [squeeze] - perdition (Minor issue) CVE-2013-4583 (The parse_cmd function in lib/gitlab_shell.rb in GitLab 5.0 before 5.4 ...) - gitlab (Fixed before initial upload to Debian) CVE-2013-4582 (The (1) create_branch, (2) create_tag, (3) import_project, and (4) for ...) - gitlab (Fixed before initial upload to Debian) CVE-2013-4581 (GitLab 5.0 before 5.4.2, Community Edition before 6.2.4, Enterprise Ed ...) - gitlab (Fixed before initial upload to Debian) CVE-2013-4580 (GitLab before 5.4.2, Community Edition before 6.2.4, and Enterprise Ed ...) - gitlab (Fixed before initial upload to Debian) CVE-2013-4579 (The ath9k_htc_set_bssid_mask function in drivers/net/wireless/ath/ath9 ...) - linux-2.6 (ath9k not yet present) - linux 3.12.8-1 (bug #729573) [wheezy] - linux 3.2.54-1 NOTE: http://www.mathyvanhoef.com/2013/11/unmasking-spoofed-mac-address.html CVE-2013-4578 (jarsigner in OpenJDK and Oracle Java SE before 7u51 allows remote atta ...) - openjdk-7 7u51-2.4.4-1 - openjdk-6 6b30-1.13.1-1 CVE-2013-4577 (A certain Debian patch for GNU GRUB uses world-readable permissions fo ...) - grub2 2.00-20 (unimportant; bug #632598) NOTE: Additional hardening for rare setups, not a vulnerability CVE-2013-4576 (GnuPG 1.x before 1.4.16 generates RSA keys using sequences of introduc ...) {DSA-2821-1} - gnupg 1.4.15-3 CVE-2013-4575 (Heap-based buffer overflow in the utility program in the Linux agent i ...) NOT-FOR-US: Symantec Backup Exec CVE-2013-4574 (Cross-site scripting (XSS) vulnerability in the TimeMediaHandler exten ...) NOT-FOR-US: TimedMediaHandler mediawiki extension NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=56699 CVE-2013-4573 (Cross-site scripting (XSS) vulnerability in the ZeroRatedMobileAccess ...) NOT-FOR-US: mediawiki extension ZeroRatedMobileAccess CVE-2013-4572 (The CentralNotice extension for MediaWiki before 1.19.9, 1.20.x before ...) {DSA-2891-1} - mediawiki 1:1.19.8+dfsg-2.2 (bug #729629) [squeeze] - mediawiki NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=53032 CVE-2013-4571 (Buffer overflow in php-luasandbox in the Scribuntu extension for Media ...) NOT-FOR-US: php-luasandbox / Scribunto mediawiki extension NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=49705 CVE-2013-4570 (The zend_inline_hash_func function in php-luasandbox in the Scribuntu ...) NOT-FOR-US: php-luasandbox / Scribunto mediawiki extension NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=54527 CVE-2013-4569 (The CleanChanges extension for MediaWiki before 1.19.9, 1.20.x before ...) NOT-FOR-US: mediawiki extension CleanChanges CVE-2013-4568 (Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki ...) {DSA-2891-1} - mediawiki 1:1.19.8+dfsg-2.2 (bug #729629) [squeeze] - mediawiki NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=55332 CVE-2013-4567 (Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki ...) {DSA-2891-1} - mediawiki 1:1.19.8+dfsg-2.2 (bug #729629) [squeeze] - mediawiki NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=55332 CVE-2013-4566 (mod_nss 1.0.8 and earlier, when NSSVerifyClient is set to none for the ...) - libapache2-mod-nss 1.0.8-4 (low; bug #731627) [wheezy] - libapache2-mod-nss (Minor issue) CVE-2013-4565 (Heap-based buffer overflow in the __OLEdecode function in ppthtml 0.5. ...) - xlhtml (low; bug #729279) [wheezy] - xlhtml (Minor issue) [squeeze] - xlhtml (Minor issue) CVE-2013-4564 (Libreswan 3.6 allows remote attackers to cause a denial of service (cr ...) - libreswan (Fixed before initial upload to Debian) NOTE: https://libreswan.org/security/CVE-2013-4564/CVE-2013-4564.txt.asc NOTE: https://github.com/libreswan/libreswan/commit/9b31deafbdbf0c2206358dfbf2d4e343e365f23f CVE-2013-4563 (The udp6_ufo_fragment function in net/ipv6/udp_offload.c in the Linux ...) - linux-2.6 (Introduced in v3.10-rc5) - linux 3.11.10-1 [wheezy] - linux (Introduced in v3.10-rc5) NOTE: Introduced: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1e2bd517c108816220f262d7954b697af03b5f9c NOTE: fixed in: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0e033e0 CVE-2013-4562 (The omniauth-facebook gem 1.4.1 before 1.5.0 does not properly store t ...) - ruby-omniauth-facebook (Fixed before initial release) NOTE: https://github.com/mkdynamic/omniauth-facebook/commit/ccfcc26fe7e34acbd75ad4a095fd01ce5ff48ee7 CVE-2013-4561 RESERVED NOT-FOR-US: OpenShift CVE-2013-4560 (Use-after-free vulnerability in lighttpd before 1.4.33 allows remote a ...) {DSA-2795-1} - lighttpd 1.4.33-1+nmu1 (bug #729453) CVE-2013-4559 (lighttpd before 1.4.33 does not check the return value of the (1) setu ...) {DSA-2795-1} - lighttpd 1.4.33-1+nmu1 (bug #729453) CVE-2013-4558 (The get_parent_resource function in repos.c in mod_dav_svn Apache HTTP ...) - subversion 1.7.14-1 [squeeze] - subversion (Only affects 1.7.11 through 1.7.13 and 1.8.1 through 1.8.4) [wheezy] - subversion (Only affects 1.7.11 through 1.7.13 and 1.8.1 through 1.8.4) NOTE: http://subversion.apache.org/security/CVE-2013-4558-advisory.txt CVE-2013-4557 (The Security Screen (_core_/securite/ecran_securite.php) before 1.1.8 ...) {DSA-2794-1} - spip 2.1.24-1 (bug #729172) CVE-2013-4556 (Cross-site scripting (XSS) vulnerability in the author page (prive/for ...) {DSA-2794-1} - spip 2.1.24-1 (bug #729172) CVE-2013-4555 (Cross-site request forgery (CSRF) vulnerability in ecrire/action/logou ...) {DSA-2794-1} - spip 2.1.24-1 (bug #729172) CVE-2013-4554 (Xen 3.0.3 through 4.1.x (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), an ...) - xen (Doesn't affect Linux) CVE-2013-4553 (The XEN_DOMCTL_getmemlist hypercall in Xen 3.4.x through 4.3.x (possib ...) {DSA-3006-1} - xen 4.4.0-1 [squeeze] - xen (Unsupported in squeeze-lts) CVE-2013-4552 (lib/Auth/Source/External.php in the drupalauth module before 1.2.2 for ...) NOT-FOR-US: drupalauth module for simpleSAMLphp CVE-2013-4551 (Xen 4.2.x and 4.3.x, when nested virtualization is disabled, does not ...) - xen 4.4.0-1 [wheezy] - xen (Only affects 4.2.x and later) [squeeze] - xen (Only affects 4.2.x and later) CVE-2013-4550 (Bip before 0.8.9, when running as a daemon, writes SSL handshake error ...) - bip 0.8.9-1 (low) [wheezy] - bip (Minor issue) [squeeze] - bip (Minor issue) NOTE: Upstream commit: https://projects.duckcorp.org/projects/bip/repository/revisions/df45c4c2d6f892e3e1dec23ce0ed2575b53a7d8c NOTE: https://projects.duckcorp.org/issues/261 NOTE: Difference between CVE-2011-5268 and CVE-2013-4550: http://www.openwall.com/lists/oss-security/2014/01/02/9 CVE-2013-4549 (QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers t ...) - qtbase-opensource-src 5.1.1+dfsg-6 - qt4-x11 4:4.8.5+git192-g085f851+dfsg-1 (low; bug #750141) [wheezy] - qt4-x11 (Minor issue) [squeeze] - qt4-x11 (Minor issue) NOTE: https://codereview.qt-project.org/#change,70708 CVE-2013-4548 (The mm_newkeys_from_blob function in monitor_wrap.c in sshd in OpenSSH ...) - openssh 1:6.4p1-1 (bug #729029) [wheezy] - openssh (AES-GCM support introduced in 6.2) [squeeze] - openssh (AES-GCM support introduced in 6.2) CVE-2013-4547 (nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attack ...) {DSA-2802-1} - nginx 1.4.4-1 (bug #730012) [squeeze] - nginx (Only applies to 0.8.41 - 1.5.6) CVE-2013-4546 (The repository import feature in gitlab-shell before 1.7.4, as used in ...) - gitlab (Fixed before initial upload to Debian) CVE-2013-4545 (cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disab ...) {DSA-2798-1} - curl 7.33.0-1 CVE-2013-4544 (hw/net/vmxnet3.c in QEMU 2.0.0-rc0, 1.7.1, and earlier allows local gu ...) - qemu 2.0.0+dfsg-1 [wheezy] - qemu (Introduced in 1.4) [squeeze] - qemu (Introduced in 1.4) - qemu-kvm (Introduced in 1.4) NOTE: see BTS bug #744213 CVE-2013-4543 REJECTED CVE-2013-4542 (The virtio_scsi_load_request function in hw/scsi/scsi-bus.c in QEMU be ...) - qemu 2.1+dfsg-1 (low; bug #739589) [wheezy] - qemu (Minor issue, hardly exploitable in practice) [squeeze] - qemu (Minor issue, hardly exploitable in practice) [wheezy] - qemu-kvm (Minor issue, hardly exploitable in practice) - qemu-kvm (low) [squeeze] - qemu-kvm (Minor issue, hardly exploitable in practice) NOTE: virtio-scsi support introduced in v1.1: http://wiki.qemu.org/ChangeLog/1.1 CVE-2013-4541 (The usb_device_post_load function in hw/usb/bus.c in QEMU before 1.7.2 ...) - qemu 2.1+dfsg-1 (low; bug #739589) [wheezy] - qemu (Minor issue, hardly exploitable in practice) [squeeze] - qemu (Minor issue, hardly exploitable in practice) [wheezy] - qemu-kvm (Minor issue, hardly exploitable in practice) - qemu-kvm (low) [squeeze] - qemu-kvm (Minor issue, hardly exploitable in practice) CVE-2013-4540 (Buffer overflow in scoop_gpio_handler_update in QEMU before 1.7.2 migh ...) - qemu 2.1+dfsg-1 (low; bug #739589) [wheezy] - qemu (Minor issue, hardly exploitable in practice) [squeeze] - qemu (Minor issue, hardly exploitable in practice) [wheezy] - qemu-kvm (Minor issue, hardly exploitable in practice) - qemu-kvm (low) [squeeze] - qemu-kvm (Minor issue, hardly exploitable in practice) CVE-2013-4539 (Multiple buffer overflows in the tsc210x_load function in hw/input/tsc ...) - qemu 2.1+dfsg-1 (low; bug #739589) [wheezy] - qemu (Minor issue, hardly exploitable in practice) [squeeze] - qemu (Minor issue, hardly exploitable in practice) [wheezy] - qemu-kvm (Minor issue, hardly exploitable in practice) - qemu-kvm (low) [squeeze] - qemu-kvm (Minor issue, hardly exploitable in practice) CVE-2013-4538 (Multiple buffer overflows in the ssd0323_load function in hw/display/s ...) - qemu 2.1+dfsg-1 (low; bug #739589) [wheezy] - qemu (Minor issue, hardly exploitable in practice) [squeeze] - qemu (Minor issue, hardly exploitable in practice) [wheezy] - qemu-kvm (Minor issue, hardly exploitable in practice) - qemu-kvm (low) [squeeze] - qemu-kvm (Minor issue, hardly exploitable in practice) CVE-2013-4537 (The ssi_sd_transfer function in hw/sd/ssi-sd.c in QEMU before 1.7.2 al ...) - qemu 2.1+dfsg-1 (low; bug #739589) [wheezy] - qemu (Minor issue, hardly exploitable in practice) [squeeze] - qemu (Minor issue, hardly exploitable in practice) [wheezy] - qemu-kvm (Minor issue, hardly exploitable in practice) - qemu-kvm (low) [squeeze] - qemu-kvm (Minor issue, hardly exploitable in practice) CVE-2013-4536 RESERVED - qemu 2.1+dfsg-1 (low; bug #739589) [wheezy] - qemu (Minor issue, hardly exploitable in practice) [squeeze] - qemu (Minor issue, hardly exploitable in practice) [wheezy] - qemu-kvm (Minor issue, hardly exploitable in practice) - qemu-kvm (low) [squeeze] - qemu-kvm (Minor issue, hardly exploitable in practice) CVE-2013-4535 (The virtqueue_map_sg function in hw/virtio/virtio.c in QEMU before 1.7 ...) - qemu 2.1+dfsg-1 (low; bug #739589) [wheezy] - qemu (Minor issue, hardly exploitable in practice) [squeeze] - qemu (Minor issue, hardly exploitable in practice) [wheezy] - qemu-kvm (Minor issue, hardly exploitable in practice) - qemu-kvm (low) [squeeze] - qemu-kvm (Minor issue, hardly exploitable in practice) CVE-2013-4534 (Buffer overflow in hw/intc/openpic.c in QEMU before 1.7.2 allows remot ...) - qemu 2.1+dfsg-1 (low; bug #739589) [wheezy] - qemu (Minor issue, hardly exploitable in practice) [squeeze] - qemu (Minor issue, hardly exploitable in practice) [wheezy] - qemu-kvm (Minor issue, hardly exploitable in practice) - qemu-kvm (low) [squeeze] - qemu-kvm (Minor issue, hardly exploitable in practice) CVE-2013-4533 (Buffer overflow in the pxa2xx_ssp_load function in hw/arm/pxa2xx.c in ...) - qemu 2.1+dfsg-1 (low; bug #739589) [wheezy] - qemu (Minor issue, hardly exploitable in practice) [squeeze] - qemu (Minor issue, hardly exploitable in practice) [wheezy] - qemu-kvm (Minor issue, hardly exploitable in practice) - qemu-kvm (low) [squeeze] - qemu-kvm (Minor issue, hardly exploitable in practice) CVE-2013-4532 (Qemu 1.1.2+dfsg to 2.1+dfsg suffers from a buffer overrun which could ...) - qemu 2.1+dfsg-1 (low; bug #739589) [squeeze] - qemu (Minor issue, hardly exploitable in practice) [wheezy] - qemu (Minor issue, hardly exploitable in practice) [wheezy] - qemu-kvm (Minor issue, hardly exploitable in practice) - qemu-kvm (low) [squeeze] - qemu-kvm (Minor issue, hardly exploitable in practice) CVE-2013-4531 (Buffer overflow in target-arm/machine.c in QEMU before 1.7.2 allows re ...) - qemu 2.1+dfsg-1 (low; bug #739589) [wheezy] - qemu (Minor issue, hardly exploitable in practice) [squeeze] - qemu (Minor issue, hardly exploitable in practice) [wheezy] - qemu-kvm (Minor issue, hardly exploitable in practice) - qemu-kvm (low) [squeeze] - qemu-kvm (Minor issue, hardly exploitable in practice) CVE-2013-4530 (Buffer overflow in hw/ssi/pl022.c in QEMU before 1.7.2 allows remote a ...) - qemu 2.1+dfsg-1 (low; bug #739589) [wheezy] - qemu (Minor issue, hardly exploitable in practice) [wheezy] - qemu-kvm (Minor issue, hardly exploitable in practice) [squeeze] - qemu-kvm (Minor issue, hardly exploitable in practice) [squeeze] - qemu (Minor issue, hardly exploitable in practice) - qemu-kvm CVE-2013-4529 (Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remot ...) - qemu 2.1+dfsg-1 (low; bug #739589) [wheezy] - qemu (Minor issue, hardly exploitable in practice) [wheezy] - qemu-kvm (Minor issue, hardly exploitable in practice) [squeeze] - qemu (Minor issue, hardly exploitable in practice) - qemu-kvm (low) [squeeze] - qemu-kvm (Minor issue, hardly exploitable in practice) CVE-2013-4528 REJECTED CVE-2013-4527 (Buffer overflow in hw/timer/hpet.c in QEMU before 1.7.2 might allow re ...) - qemu 2.1+dfsg-1 (low; bug #739589) [wheezy] - qemu (Minor issue, hardly exploitable in practice) [squeeze] - qemu (Minor issue, hardly exploitable in practice) [wheezy] - qemu-kvm (Minor issue, hardly exploitable in practice) - qemu-kvm (low) [squeeze] - qemu-kvm (Minor issue, hardly exploitable in practice) CVE-2013-4526 (Buffer overflow in hw/ide/ahci.c in QEMU before 1.7.2 allows remote at ...) - qemu 2.1+dfsg-1 (low; bug #739589) [squeeze] - qemu (Minor issue, hardly exploitable in practice) [wheezy] - qemu (Minor issue, hardly exploitable in practice) [wheezy] - qemu-kvm (Minor issue, hardly exploitable in practice) - qemu-kvm (low) [squeeze] - qemu-kvm (Minor issue, hardly exploitable in practice) CVE-2013-4525 (Cross-site scripting (XSS) vulnerability in mod/quiz/report/responses/ ...) - moodle 2.5.3-1 [squeeze] - moodle (Vulnerable code not present) CVE-2013-4524 (Directory traversal vulnerability in repository/filesystem/lib.php in ...) - moodle 2.5.3-1 [squeeze] - moodle (Vulnerable code not present) CVE-2013-4523 (Cross-site scripting (XSS) vulnerability in message/lib.php in Moodle ...) - moodle 2.5.3-1 [squeeze] - moodle (Unsupported in squeeze-lts) CVE-2013-4522 (lib/filelib.php in Moodle through 2.2.11, 2.3.x before 2.3.10, 2.4.x b ...) - moodle 2.5.3-1 (low) [squeeze] - moodle (Vulnerable code not present) CVE-2013-4521 (RichFaces implementation in Nuxeo Platform 5.6.0 before HF27 and 5.8.0 ...) NOT-FOR-US: Nuxeo CVE-2013-4520 (xslt.c in libxslt before 1.1.25 allows context-dependent attackers to ...) - libxslt (The versions in wheezy and squeeze contain the full patch) CVE-2013-4519 (Multiple cross-site scripting (XSS) vulnerabilities in Review Board 1. ...) - reviewboard (bug #653113) CVE-2013-4518 (RHUI (Red Hat Update Infrastructure) 2.1.3 has world readable PKI enti ...) NOT-FOR-US: Red Hat Update Infrastructure CVE-2013-4517 (Apache Santuario XML Security for Java before 1.5.6, when applying Tra ...) - libxml-security-java 1.5.6-1 (bug #733938) [squeeze] - libxml-security-java (Minor issue, too intrusive to backport) [wheezy] - libxml-security-java (Minor issue, too intrusive to backport) NOTE: http://santuario.apache.org/secadv.data/cve-2013-4517.txt.asc CVE-2013-4516 (The mp_get_count function in drivers/staging/sb105x/sb_pci_mp.c in the ...) - linux 3.12-1 (unimportant) [wheezy] - linux (Affected code not present yet) - linux-2.6 (Affected code not present yet) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a8b33654b1e3b0c74d4a1fed041c9aae50b3c427 NOTE: Not enabled in Debian kernels; staging drivers are not supported CVE-2013-4515 (The bcm_char_ioctl function in drivers/staging/bcm/Bcmchar.c in the Li ...) - linux 3.12-1 (unimportant) NOTE: bcm driver not built - linux-2.6 (Affected code not present yet) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8d1e72250c847fa96498ec029891de4dc638a5ba NOTE: Not enabled in Debian kernels; staging drivers are not supported CVE-2013-4514 (Multiple buffer overflows in drivers/staging/wlags49_h2/wl_priv.c in t ...) - linux 3.12-1 (unimportant) NOTE: wlags49_h2 driver not built - linux-2.6 (Affected code not present yet) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b5e2f339865fb443107e5b10603e53bbc92dc054 NOTE: Not enabled in Debian kernels; staging drivers are not supported CVE-2013-4513 (Buffer overflow in the oz_cdev_write function in drivers/staging/ozwpa ...) - linux 3.12-1 (unimportant) [wheezy] - linux (Affected code not present yet) - linux-2.6 (Affected code not present yet) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c2c65cd2e14ada6de44cb527e7f1990bede24e15 NOTE: Not enabled in Debian kernels; staging drivers are not supported CVE-2013-4512 (Buffer overflow in the exitcode_proc_write function in arch/um/kernel/ ...) {DSA-2906-1} - linux 3.11.8-1 (low) - linux-2.6 (low) [wheezy] - linux 3.2.53-1 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=201f99f170df14ba52ea4c52847779042b7a623b CVE-2013-4511 (Multiple integer overflows in Alchemy LCD frame-buffer drivers in the ...) {DSA-2906-1} - linux 3.11.8-1 - linux-2.6 [wheezy] - linux 3.2.53-1 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7314e613d CVE-2013-4510 (Directory traversal vulnerability in the client in Tryton 3.0.0, as di ...) {DSA-2791-1} - tryton-client 2.8.4-1 NOTE: https://bugs.tryton.org/issue3446 CVE-2013-4509 (The default configuration of IBUS 1.5.4, and possibly 1.5.2 and earlie ...) - mozc 1.12.1599.102-1 (low; bug #729065) [wheezy] - mozc (Only in combination with Ibus 1.5.4, which is not in stable) - ibus-anthy 1.5.4-1 (low; bug #729065) [wheezy] - ibus-anthy (Only in combination with Ibus 1.5.4, which is not in stable) [squeeze] - ibus-anthy (Only in combination with Ibus 1.5.4, which is not in oldstable) - ibus-pinyin 1.5.0-1 (low; bug #729065) [wheezy] - ibus-pinyin (Only in combination with Ibus 1.5.4, which is not in stable) [squeeze] - ibus-pinyin (Only in combination with Ibus 1.5.4, which is not in oldstable) - ibus-chewing 1.4.3-4 (low; bug #730781) [wheezy] - ibus-chewing (Only in combination with Ibus 1.5.4, which is not in stable) [squeeze] - ibus-chewing (Only in combination with Ibus 1.5.4, which is not in oldstable) NOTE: http://www.openwall.com/lists/oss-security/2013/11/04/2 NOTE: This is rather a bug in the various IBus engines not in ibus itself, asked maintainers to investigate affected engines, NOTE: can be assigned to affected engines once more info is available NOTE: Introduced in 1.5, so stable/oldstable not affected CVE-2013-4508 (lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphe ...) {DSA-2795-1} - lighttpd 1.4.33-1+nmu1 (bug #729453) NOTE: http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt NOTE: http://redmine.lighttpd.net/issues/2525 CVE-2013-4507 (Cross-site scripting (XSS) vulnerability in CollectiveAccess Providenc ...) NOT-FOR-US: CollectiveAccess CVE-2013-4506 RESERVED CVE-2013-4505 (The is_this_legal function in mod_dontdothat for Apache Subversion 1.4 ...) - subversion 1.7.14-1 (bug #730541; unimportant) NOTE: Not built in the binary packages CVE-2013-4504 (The Monster Menus module 7.x-1.x before 7.x-1.15 allows remote attacke ...) NOT-FOR-US: Drupal contrib module CVE-2013-4503 (Cross-site scripting (XSS) vulnerability in the Feed Element Mapper mo ...) NOT-FOR-US: Drupal contrib module CVE-2013-4502 (The FileField Sources module 6.x-1.x before 6.x-1.9 and 7.x-1.x before ...) NOT-FOR-US: Drupal contrib module CVE-2013-4501 (The default views in the Quiz module 6.x-4.x before 6.x-4.5 for Drupal ...) NOT-FOR-US: Drupal contrib module CVE-2013-4500 (The Quiz module 6.x-4.x before 6.x-4.5 for Drupal allows remote authen ...) NOT-FOR-US: Drupal contrib module CVE-2013-4499 (Cross-site scripting (XSS) vulnerability in the Bean module 7.x-1.x be ...) NOT-FOR-US: Drupal contrib module CVE-2013-4498 (The Spaces OG submodule in the Spaces module 6.x-3.x before 6.x-3.7 fo ...) NOT-FOR-US: Drupal contrib module CVE-2013-4497 (The XenAPI backend in OpenStack Compute (Nova) Folsom, Grizzly, and Ha ...) - nova 2013.2-1 [wheezy] - nova (OpenStack Essex is not affected) NOTE: https://bugs.launchpad.net/nova/+bug/1073306 NOTE: https://github.com/openstack/nova/commit/ba0d007fb78bd1182c3c0b808dbd7ccc84640e80 NOTE: https://bugs.launchpad.net/nova/+bug/1202266 NOTE: https://github.com/openstack/nova/commit/5cced7a6dd32d231c606e25dbf762d199bf9cca7 CVE-2013-4496 (Samba 3.x before 3.6.23, 4.0.x before 4.0.16, and 4.1.x before 4.1.6 d ...) - samba 2:4.1.6+dfsg-1 (low) [wheezy] - samba 2:3.6.6-6+deb7u3 [squeeze] - samba (Minor issue) - samba4 [wheezy] - samba4 4.0.0~beta2+dfsg1-3.2+deb7u1 NOTE: http://www.samba.org/samba/security/CVE-2013-4496 CVE-2013-4495 (The send_the_mail function in server/svr_mail.c in Terascale Open-Sour ...) {DSA-2796-1} - torque 2.4.16+dfsg-1.3 (bug #729333) CVE-2013-4494 (Xen before 4.1.x, 4.2.x, and 4.3.x does not take the page_alloc_lock a ...) {DSA-3006-1} - xen 4.4.0-1 [squeeze] - xen (Unsupported in squeeze-lts) CVE-2013-4493 RESERVED CVE-2013-4492 (Cross-site scripting (XSS) vulnerability in exceptions.rb in the i18n ...) {DSA-2830-1} - ruby-i18n 0.6.9-1 - libi18n-ruby [squeeze] - libi18n-ruby (vulnerable code not present) CVE-2013-4491 (Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view ...) {DSA-2888-1} - rails-4.0 4.0.2+dfsg-1 (bug #731290) - rails-3.2 3.2.16-3+0 - ruby-actionpack-3.2 3.2.16-1 (bug #731288) - ruby-actionpack-2.3 (vulnerable code not present) - rails (Vulnerable code not present) NOTE: Starting with 2.3.14.1 rails is a transition package CVE-2013-4490 (The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before ...) - gitlab (Fixed before initial release to Debian) CVE-2013-4489 (The Grit gem for Ruby, as used in GitLab 5.2 before 5.4.1 and 6.x befo ...) - gitlab (Fixed before initial release to Debian) CVE-2013-4488 (libgadu before 1.12.0 does not verify X.509 certificates from SSL serv ...) - libgadu (unimportant) NOTE: Intentional design decision CVE-2013-4487 (Off-by-one error in the dane_raw_tlsa in the DANE library (libdane) in ...) - gnutls28 (libdane is not built; original patch for CVE-2013-4466 not applied) - gnutls26 (only 3.1.x and 3.2.x) NOTE: off-by one issue in original fix for CVE-2013-4466 CVE-2013-4486 (Zanata 3.0.0 through 3.1.2 has RCE due to EL interpolation in logging ...) NOT-FOR-US: Zanata CVE-2013-4485 (389 Directory Server 1.2.11.15 (aka Red Hat Directory Server before 8. ...) - 389-ds-base 1.3.2.9-1 (bug #730115) CVE-2013-4484 (Varnish before 3.0.5 allows remote attackers to cause a denial of serv ...) {DSA-2814-1} - varnish 3.0.5-1 (medium; bug #728989) NOTE: https://www.varnish-cache.org/trac/ticket/1367 CVE-2013-4483 (The ipc_rcu_putref function in ipc/util.c in the Linux kernel before 3 ...) - linux 3.11.8-1 (low) [wheezy] - linux 3.2.57-1 - linux-2.6 (low) [squeeze] - linux-2.6 (Minor issue, too intrusive to backport) NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6062a8 CVE-2013-4482 (Untrusted search path vulnerability in python-paste-script (aka paster ...) NOT-FOR-US: LuCi CVE-2013-4481 (Race condition in Luci 0.26.0 creates /var/lib/luci/etc/luci.ini with ...) NOT-FOR-US: LuCi CVE-2013-4480 (Red Hat Satellite 5.6 and earlier does not disable the web interface t ...) NOT-FOR-US: Red Hat Satellite CVE-2013-4479 (lib/sup/message_chunks.rb in Sup before 0.13.2.1 and 0.14.x before 0.1 ...) {DSA-2805-1} - sup-mail 0.12.1+git20120407.aaa852f-1+deb7u1 (bug #728232) NOTE: https://github.com/sup-heliotrope/sup/commit/ca0302e0c716682d2de22e9136400c704cc93e42 CVE-2013-4478 (Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers ...) {DSA-2805-1} - sup-mail 0.12.1+git20120407.aaa852f-1+deb7u1 (bug #728232) NOTE: http://rubyforge.org/pipermail/sup-talk/2013-October/004996.html NOTE: https://github.com/sup-heliotrope/sup/commit/8b46cdbfc14e07ca07d403aa28b0e7bc1c544785 CVE-2013-4477 (The LDAP backend in OpenStack Identity (Keystone) Grizzly and Havana, ...) - keystone 2013.2-2 (bug #728233) [wheezy] - keystone (Vulnerable code not present) NOTE: https://bugs.launchpad.net/keystone/+bug/1242855 CVE-2013-4476 (Samba 4.0.x before 4.0.11 and 4.1.x before 4.1.1, when LDAP or HTTP is ...) - samba 2:4.0.11+dfsg-1 (low) [wheezy] - samba (Doesn't provide AD functionality) [squeeze] - samba (Doesn't provide AD functionality) - samba4 (low) [wheezy] - samba4 4.0.0~beta2+dfsg1-3.2+deb7u1 CVE-2013-4475 (Samba 3.2.x through 3.6.x before 3.6.20, 4.0.x before 4.0.11, and 4.1. ...) {DSA-2812-1} - samba 2:4.0.11+dfsg-1 (low) - samba4 (low) [wheezy] - samba4 4.0.0~beta2+dfsg1-3.2+deb7u1 CVE-2013-4474 (Format string vulnerability in the extractPages function in utils/pdfs ...) {DLA-1074-1} - poppler 0.18.4-9 (low; bug #729064) [squeeze] - poppler (pdfseparate not yet present) CVE-2013-4473 (Stack-based buffer overflow in the extractPages function in utils/pdfs ...) {DLA-1074-1} - poppler 0.18.4-9 (low; bug #729064) [squeeze] - poppler (pdfseparate not yet present) CVE-2013-4472 (The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 a ...) - poppler (unimportant) - xpdf (unimportant) NOTE: specific to non-*NIX systems CVE-2013-4471 (The Identity v3 API in OpenStack Dashboard (Horizon) before 2013.2 doe ...) - horizon 2013.2-1 [wheezy] - horizon (v3 API introduced in Grizzly) NOTE: https://bugs.launchpad.net/horizon/+bug/1237989 CVE-2013-4470 (The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is ...) {DLA-0015-1} - linux 3.11.7-1 - linux-2.6 [squeeze] - linux-2.6 2.6.32-48squeeze8 [wheezy] - linux 3.2.53-1 CVE-2013-4469 (OpenStack Compute (Nova) Folsom, Grizzly, and Havana, when use_cow_ima ...) - nova 2013.2-3 (low; bug #728605) [wheezy] - nova (Minor issue) NOTE: CVE for incomplete fix of CVE-2013-2096 CVE-2013-4468 (VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and e ...) NOT-FOR-US: VICIDIAL CVE-2013-4467 (Multiple SQL injection vulnerabilities in the agent interface (agc/) i ...) NOT-FOR-US: VICIDIAL CVE-2013-4466 (Buffer overflow in the dane_query_tlsa function in the DANE library (l ...) - gnutls26 (only 3.1.x and 3.2.x) - gnutls28 (libdane is not built) NOTE: http://www.gnutls.org/security.html#GNUTLS-SA-2013-3 NOTE: Upstream commit for 3.2.x: https://gitlab.com/gnutls/gnutls/commit/ed51e5e53cfbab3103d6b7b85b7ba4515e4f30c3 CVE-2013-4465 (Unrestricted file upload vulnerability in the avatar upload functional ...) NOT-FOR-US: Simple Machines Forum CVE-2013-4464 RESERVED CVE-2013-4463 (OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not properly ...) - nova 2013.2-3 (low; bug #728605) [wheezy] - nova (Minor issue) CVE-2013-4462 (WordPress Portable phpMyAdmin Plugin has an authentication bypass vuln ...) NOT-FOR-US: WordPress plugin CVE-2013-4461 (SQL injection vulnerability in the web interface for cumin in Red Hat ...) NOT-FOR-US: Cumin CVE-2013-4460 (Cross-site scripting (XSS) vulnerability in account_sponsor_page.php i ...) {DSA-3120-1} - mantis (low; bug #727180) [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: http://www.mantisbt.org/bugs/view.php?id=16513 CVE-2013-4459 (LightDM 1.7.5 through 1.8.3 and 1.9.x before 1.9.2 does not apply the ...) - lightdm (Only in combination with guest profile, apparmor and 1.8.x branch) CVE-2013-4458 (Stack-based buffer overflow in the getaddrinfo function in sysdeps/pos ...) {DLA-165-1} - eglibc - glibc 2.18-1 (low; bug #727181) [wheezy] - eglibc 2.13-38+deb7u1 NOTE: https://sourceware.org/ml/libc-alpha/2013-10/msg00733.html NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=16072 CVE-2013-4457 (The Cocaine gem 0.4.0 through 0.5.2 for Ruby allows context-dependent ...) NOT-FOR-US: Cocaine rubygem CVE-2013-4456 RESERVED CVE-2013-4455 (Katello Installer before 0.0.18 uses world-readable permissions for /e ...) NOT-FOR-US: Katello CVE-2013-4454 (WordPress Portable phpMyAdmin Plugin 1.4.1 has Multiple Security Bypas ...) NOT-FOR-US: WordPress plugin CVE-2013-4453 (Cross-site scripting (XSS) vulnerability in templates/login.php in LDA ...) - ldap-account-manager 4.4-1 (medium; bug #726976) [wheezy] - ldap-account-manager (Minor issue) [squeeze] - ldap-account-manager (Minor issue) CVE-2013-4452 (Red Hat JBoss Operations Network 3.1.2 uses world-readable permissions ...) NOT-FOR-US: JBoss Operation Network CVE-2013-4451 (gitolite commit fa06a34 through 3.5.3 might allow attackers to have un ...) - gitolite (vulnerable code introduced for v3.5.3) - gitolite3 (vulnerable code introduced for v3.5.3) CVE-2013-4450 (The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8. ...) - nodejs 0.10.21~dfsg1-1 (medium) NOTE: https://github.com/joyent/node/commit/085dd30e93da67362f044ad1b3b6b2d997064692 NOTE: http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/ CVE-2013-4449 (The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier does not prope ...) {DSA-3209-1 DLA-203-1} - openldap 2.4.39-1.1 (low; bug #729367) [wheezy] - openldap (Minor issue) [squeeze] - openldap (Minor issue) NOTE: http://www.openldap.org/its/index.cgi/Incoming?id=7723 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1019490 CVE-2013-4448 REJECTED CVE-2013-4447 (Cross-site scripting (XSS) vulnerability in the API in the Simplenews ...) NOT-FOR-US: Simplenews Drupal contributed module CVE-2013-4446 (The _json_decode function in plugins/context_reaction_block.inc in the ...) NOT-FOR-US: Context Drupal contributed module CVE-2013-4445 (The json rendering functionality in the Context module 6.x-2.x before ...) NOT-FOR-US: Context Drupal contributed module CVE-2013-4444 (Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0 ...) - tomcat7 7.0.40-1 [wheezy] - tomcat7 7.0.28-4+deb7u3 NOTE: https://svn.apache.org/viewvc?view=revision&revision=1470435 CVE-2013-4443 REJECTED CVE-2013-4442 (Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated ...) - pwgen 2.07-1 (unimportant; bug #767008) NOTE: /dev/random is universally available, if an attacker can create an environment NOTE: where it's not available that opens a far bigger can of worms CVE-2013-4441 (The Phonemes mode in Pwgen 2.06 generates predictable passwords, which ...) - pwgen (unimportant; bug #726578) NOTE: pwgen is documented to generate memorable passwords, so this is by design CVE-2013-4440 (Password Generator (aka Pwgen) before 2.07 generates weak non-tty pass ...) - pwgen 2.07-1 (unimportant; bug #725507) NOTE: Documented shortcoming CVE-2013-4439 (Salt (aka SaltStack) before 0.15.0 through 0.17.0 allows remote authen ...) - salt 0.17.1+dfsg-1 (bug #726480) CVE-2013-4438 (Salt (aka SaltStack) before 0.17.1 allows remote attackers to execute ...) - salt 0.17.1+dfsg-1 (bug #726480) CVE-2013-4437 (Unspecified vulnerability in salt-ssh in Salt (aka SaltStack) 0.17.0 h ...) - salt 0.17.1+dfsg-1 (bug #726480) CVE-2013-4436 (The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 ...) - salt 0.17.1+dfsg-1 (bug #726480) CVE-2013-4435 (Salt (aka SaltStack) 0.15.0 through 0.17.0 allows remote authenticated ...) - salt 0.17.1+dfsg-1 (bug #726480) CVE-2013-4434 (Dropbear SSH Server before 2013.59 generates error messages for a fail ...) - dropbear 2012.55-1.4 (low; bug #726118) [squeeze] - dropbear (Minor issue) [wheezy] - dropbear (Minor issue) CVE-2013-4433 (Cross-site scripting (XSS) vulnerability in XHProf before 0.9.4 allows ...) - xhprof 0.9.4-1 (bug #726284) CVE-2013-4432 (Mahara before 1.5.13, 1.6.x before 1.6.8, and 1.7.x before 1.7.4 does ...) - mahara (low; bug #727539) [squeeze] - mahara (Minor issue) NOTE: https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5831 NOTE: https://gitorious.org/mahara/mahara/commit/0b4952e063f50c001e4c2dfc5749f55258bff952 CVE-2013-4431 (Mahara before 1.5.12, 1.6.x before 1.6.7, and 1.7.x before 1.7.3 does ...) - mahara (low; bug #727552) [squeeze] - mahara (Minor issue) NOTE: https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5832 NOTE: https://bazaar.launchpad.net/~mahara-release/mahara/1.5_STABLE/revision/5542 NOTE: https://bugs.launchpad.net/mahara/+bug/1233500 CVE-2013-4430 (Cross-site scripting (XSS) vulnerability in Mahara before 1.5.12, 1.6. ...) - mahara (unimportant; bug #727548) NOTE: https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5830 NOTE: https://bugs.launchpad.net/mahara/+bug/1175446 NOTE: Only exploitable during installation CVE-2013-4429 (Mahara before 1.5.12, 1.6.x before 1.6.7, and 1.7.x before 1.7.3 does ...) - mahara (low; bug #727545) NOTE: https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5833 NOTE: https://bazaar.launchpad.net/~mahara-release/mahara/1.5_STABLE/revision/5543 NOTE: https://bugs.launchpad.net/mahara/+bug/1211758 [squeeze] - mahara (Minor issue) CVE-2013-4428 (OpenStack Image Registry and Delivery Service (Glance) Folsom, Grizzly ...) - glance 2013.2-1 (bug #726478) [wheezy] - glance (does not have the download_image) CVE-2013-4427 (pyxtrlock before 0.2 does not properly check the return values of the ...) NOT-FOR-US: pyxtrlock CVE-2013-4426 (pyxtrlock before 0.1 uses an incorrect variable name, which allows phy ...) NOT-FOR-US: pyxtrlock CVE-2013-4425 (The DICOM listener in OsiriX before 5.8 and before 2.5-MD, when starti ...) NOT-FOR-US: Osirix CVE-2013-4424 (Multiple cross-site scripting (XSS) vulnerabilities in the GateIn Port ...) NOT-FOR-US: GateIn CVE-2013-4423 (CloudForms stores user passwords in recoverable format ...) NOT-FOR-US: Red Hat CloudForms CVE-2013-4422 (SQL injection vulnerability in Quassel IRC before 0.9.1, when Qt 4.8.5 ...) - quassel 0.9.1-1 [wheezy] - quassel (Issue only relevant if the Qt 4.8.5 fix would be backported) [squeeze] - quassel (qt4-x11 is too old) NOTE: Issue when used with Qt >= 4.8.5 and PostgreSQL >= 8.2 NOTE: http://quassel-irc.org/node/120 NOTE: http://bugs.quassel-irc.org/issues/1244 NOTE: https://github.com/quassel/quassel/commit/aa1008be162cb27da938cce93ba533f54d228869 NOTE: Caused by a change in Qt's postgres driver: NOTE: https://bugreports.qt-project.org/browse/QTBUG-30076 NOTE: https://qt.gitorious.org/qt/qtbase/commit/e3c5351d06ce8a12f035cd0627356bc64d8c334a CVE-2013-4421 (The buf_decompress function in packet.c in Dropbear SSH Server before ...) - dropbear 2012.55-1.4 (low; bug #726019) [squeeze] - dropbear (Minor issue) [wheezy] - dropbear (Minor issue) NOTE: https://secure.ucc.asn.au/hg/dropbear/rev/0bf76f54de6f CVE-2013-4420 (Multiple directory traversal vulnerabilities in the (1) tar_extract_gl ...) {DSA-2863-1} - libtar 1.2.20-2 (bug #731860) CVE-2013-4419 (The guestfish command in libguestfs 1.20.12, 1.22.7, and earlier, when ...) - libguestfs 1:1.22.7-1 [wheezy] - libguestfs 1:1.18.1-1+deb7u3 CVE-2013-4418 REJECTED CVE-2013-4417 REJECTED CVE-2013-4416 (The Ocaml xenstored implementation (oxenstored) in Xen 4.1.x, 4.2.x, a ...) - xen (ocaml version of the xenstore daemon not used in Debian) CVE-2013-4415 (Multiple cross-site scripting (XSS) vulnerabilities in Spacewalk and R ...) NOT-FOR-US: Red Hat Satellite CVE-2013-4414 (Cross-site scripting (XSS) vulnerability in the web interface for cumi ...) NOT-FOR-US: Cumin CVE-2013-4413 (Directory traversal vulnerability in controller/concerns/render_redire ...) NOT-FOR-US: Wicked Ruby Gem CVE-2013-4412 (slim has NULL pointer dereference when using crypt() method from glibc ...) - slim 1.3.6-0.1 (bug #725902) [wheezy] - slim (Only exploitable with eglibc 2.17 and later) [squeeze] - slim (Only exploitable with eglibc 2.17 and later) NOTE: Upstream fix: http://git.berlios.de/cgi-bin/cgit.cgi/slim/commit/?id=fbdfae3b406b1bb6f4e5e440e79b9b8bb8f071f CVE-2013-4411 (Review Board: URL processing gives unauthorized users access to review ...) - reviewboard (bug #653113) CVE-2013-4410 (ReviewBoard: has an access-control problem in REST API ...) - reviewboard (bug #653113) CVE-2013-4409 (An eval() vulnerability exists in Python Software Foundation Djblets 0 ...) - djblets (low; bug #726039) - python-django-djblets (low) [squeeze] - python-django-djblets (Minor issue) NOTE: Fix: https://github.com/djblets/djblets/commit/36cd15763742652ca990f913b44e91c69c707269 CVE-2013-4408 (Heap-based buffer overflow in the dcerpc_read_ncacn_packet_done functi ...) {DSA-2812-1} - samba 2:4.0.13+dfsg-1 - samba4 [wheezy] - samba4 4.0.0~beta2+dfsg1-3.2+deb7u1 CVE-2013-4407 (HTTP::Body::Multipart in the HTTP-Body 1.08, 1.17, and earlier module ...) {DSA-2801-1} - libhttp-body-perl 1.17-2 (bug #721634) [squeeze] - libhttp-body-perl (Vulnerable code introduced in 1.08) CVE-2013-4406 (The Quick Tabs module 6.x-2.x before 6.x-2.2, 6.x-3.x before 6.x-3.2, ...) NOT-FOR-US: Quick Tabs Drupal contributed module CVE-2013-4405 (Multiple cross-site request forgery (CSRF) vulnerabilities in the web ...) NOT-FOR-US: Cumin CVE-2013-4404 (cumin in Red Hat Enterprise MRG Grid 2.4 does not properly enforce use ...) NOT-FOR-US: Cumin CVE-2013-4403 REJECTED CVE-2013-4402 (The compressed packet parser in GnuPG 1.4.x before 1.4.15 and 2.0.x be ...) {DSA-2774-1 DSA-2773-1} - gnupg2 2.0.22-1 (bug #725433) - gnupg 1.4.15-1 (bug #725439) CVE-2013-4401 (The virConnectDomainXMLToNative API function in libvirt 1.1.0 through ...) - libvirt 1.1.4-1 (bug #727101) [squeeze] - libvirt (Introduced in 1.1.0, REMOTE_PROC_CONNECT_DOMAIN_XML_TO|FROM_NATIVE not yet present) [wheezy] - libvirt (Introduced in 1.1.0, REMOTE_PROC_CONNECT_DOMAIN_XML_TO|FROM_NATIVE not yet present) NOTE: http://libvirt.org/git/?p=libvirt.git;a=commit;h=57687fd6bf7f6e1b3662c52f3f26c06ab19dc96c CVE-2013-4400 (virt-login-shell in libvirt 1.1.2 through 1.1.3 allows local users to ...) - libvirt 1.1.4-1 (bug #727101) [squeeze] - libvirt (Introduced in 1.1.2, virt-login-shell not yet present) [wheezy] - libvirt (Introduced in 1.1.2, virt-login-shell not yet present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1015228#c3 CVE-2013-4399 (The remoteClientFreeFunc function in daemon/remote.c in libvirt before ...) - libvirt 1.1.4-1 [wheezy] - libvirt (Introduced in 1.1.0) [squeeze] - libvirt (Introduced in 1.1.0) CVE-2013-4398 REJECTED CVE-2013-4397 (Multiple integer overflows in the th_read function in lib/block.c in l ...) {DSA-2817-1} - libtar 1.2.20-1 (bug #725938) CVE-2013-4396 (Use-after-free vulnerability in the doImageText function in dix/dixfon ...) {DSA-2784-1} - xorg-server 2:1.14.3-4 CVE-2013-4395 (Simple Machines Forum (SMF) through 2.0.5 has XSS ...) NOT-FOR-US: Simple Machines Forum CVE-2013-4394 (The SetX11Keyboard function in systemd, when PolicyKit Local Authority ...) {DSA-2777-1} - systemd 204-5 (bug #725357) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=862324 NOTE: http://cgit.freedesktop.org/systemd/systemd/commit/?id=0b507b17a760b21e33fc52ff377db6aa5086c680 CVE-2013-4393 (journald in systemd, when the origin of native messages is set to file ...) - systemd 204-5 (bug #725357) [wheezy] - systemd (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=859104 NOTE: http://cgit.freedesktop.org/systemd/systemd/commit/?id=1dfa7e79a60de680086b1d93fcc3629b463f58bd CVE-2013-4392 (systemd, when updating file permissions, allows local users to change ...) - systemd (unimportant; bug #725357) [wheezy] - systemd (/etc/tmpfiles.d not supported in Wheezy) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=859060 NOTE: only relevant to systems running systemd along with selinux CVE-2013-4391 (Integer overflow in the valid_user_field function in journal/journald- ...) {DSA-2777-1} - systemd 204-5 (bug #725357) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=859051 NOTE: http://cgit.freedesktop.org/systemd/systemd/commit/?id=505b6a61c22d5565e9308045c7b9bf79f7d0517e CVE-2013-4390 (Open redirect vulnerability in the AbstractAuthenticationFormServlet i ...) NOT-FOR-US: Apache Sling CVE-2013-4389 (Multiple format string vulnerabilities in log_subscriber.rb files in t ...) {DSA-2888-1 DSA-2887-1} - rails-4.0 (Only affects 3.x) - ruby-actionmailer-3.2 3.2.16-1 (bug #726576) - ruby-actionmailer-2.3 (Only affects 3.x) - rails (Only affects 3.x) NOTE: Starting with 2.3.14.1 rails is a transition package CVE-2013-4388 (Buffer overflow in the mp4a packetizer (modules/packetizer/mpeg4audio. ...) {DSA-2973-1} - vlc 2.1.0-1 (bug #726528) [squeeze] - vlc (Unsupported in squeeze-lts) NOTE: http://git.videolan.org/?p=vlc.git;a=commitdiff;h=9794ec1cd268c04c8bca13a5fae15df6594dff3e CVE-2013-4387 (net/ipv6/ip6_output.c in the Linux kernel through 3.11.4 does not prop ...) {DLA-0015-1} - linux-2.6 [squeeze] - linux-2.6 2.6.32-48squeeze8 - linux 3.11.5-1 [wheezy] - linux 3.2.53-1 CVE-2013-4386 (Multiple SQL injection vulnerabilities in app/models/concerns/host_com ...) - foreman (bug #663101) CVE-2013-4385 (Buffer overflow in the "read-string!" procedure in the "extras" unit i ...) - chicken 4.8.0.5-1 (bug #724740; low) [wheezy] - chicken (Minor issue) [squeeze] - chicken (Minor issue) NOTE: http://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commit;h=cd1b9775005ebe220ba11265dbf5396142e65f26 CVE-2013-4384 (Cross-site scripting (XSS) vulnerability in Google Site Search module ...) NOT-FOR-US: Drupal module CVE-2013-4383 (Cross-site scripting (XSS) vulnerability in the jQuery Countdown modul ...) NOT-FOR-US: Drupal module CVE-2013-4382 REJECTED CVE-2013-4381 REJECTED CVE-2013-4380 (Cross-site scripting (XSS) vulnerability in the MediaFront module 6.x- ...) NOT-FOR-US: Drupal module CVE-2013-4379 (The Make Meeting Scheduler module 6.x-1.x before 6.x-1.3 for Drupal al ...) NOT-FOR-US: Drupal module CVE-2013-4378 (Cross-site scripting (XSS) vulnerability in HtmlSessionInformationsRep ...) NOT-FOR-US: Javamelody CVE-2013-4377 (Use-after-free vulnerability in the virtio-pci implementation in Qemu ...) - qemu 1.7.0+dfsg-4 [wheezy] - qemu (Introduced in 1.4) [squeeze] - qemu (Introduced in 1.4) - qemu-kvm (Introduced in 1.4) NOTE: patches: http://thread.gmane.org/gmane.comp.emulators.qemu/234440 CVE-2013-4376 (The setgid wrapper libx2go-server-db-sqlite3-wrapper.c in X2Go Server ...) - x2goserver (Fixed with first upload to Debian) NOTE: Fixed by: https://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=42264c88d7885474ebe3763b2991681ddfcfa69a CVE-2013-4375 (The qdisk PV disk backend in qemu-xen in Xen 4.2.x and 4.3.x before 4. ...) - xen 4.2 [squeeze] - xen (Only affects 4.2 and later) [wheezy] - xen (Only affects 4.2 and later) - qemu 1.7.0+dfsg-1 [jessie] - qemu (Xen in Wheezy uses it's internal copy of qemu) [wheezy] - qemu (Xen in Wheezy uses it's internal copy of qemu) [squeeze] - qemu (vulnerable from version 1.1 onwards) - qemu-kvm (This only affects Qemu in combination with Xen) - xen-qemu-dm-4.0 (Affected code not yet present) NOTE: This is only exploitable in combination with Xen. NOTE: Xen in Squeeze uses a separate source package: xen-qemu-dm-4.0 NOTE: Xen in Wheezy includes qemu NOTE: Xen after Wheezy uses qemu-system-x86 from qemu, marking 4.2 as pseudo fixed CVE-2013-4374 (An insecurity temporary file vulnerability exists in RHQ Mongo DB Drif ...) NOT-FOR-US: RHQ MondoDB Drift Server CVE-2013-4373 (The storeFiles method in JPADriftServerBean in Red Hat JBoss Operation ...) NOT-FOR-US: Red Hat JBoss Operations Network CVE-2013-4372 (Multiple cross-site scripting (XSS) vulnerabilities in Fuse Management ...) NOT-FOR-US: JBoss Fuse CVE-2013-4371 (Use-after-free vulnerability in the libxl_list_cpupool function in the ...) - xen 4.4.0-1 [wheezy] - xen (Vulnerable code only present from 4.2 onwards) [squeeze] - xen (Vulnerable code only present from 4.2 onwards) CVE-2013-4370 (The ocaml binding for the xc_vcpu_getaffinity function in Xen 4.2.x an ...) - xen 4.4.0-1 [wheezy] - xen (Vulnerable code only present from 4.2 onwards) [squeeze] - xen (Vulnerable code only present from 4.2 onwards) CVE-2013-4369 (The xlu_vif_parse_rate function in the libxlu library in Xen 4.2.x and ...) - xen 4.4.0-1 [wheezy] - xen (Vulnerable code only present from 4.2 onwards) [squeeze] - xen (Vulnerable code only present from 4.2 onwards) CVE-2013-4368 (The outs instruction emulation in Xen 3.1.x, 4.2.x, 4.3.x, and earlier ...) {DSA-3006-1} - xen 4.4.0-1 [squeeze] - xen (Unsupported in squeeze-lts) CVE-2013-4367 (ovirt-engine 3.2 running on Linux kernel 3.1 and newer creates certain ...) NOT-FOR-US: ovirt CVE-2013-4366 (http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x bef ...) - httpcomponents-client 4.3.2-1 [wheezy] - httpcomponents-client (vulnerable code not present) NOTE: http://svn.apache.org/r1528614 CVE-2013-4365 (Heap-based buffer overflow in the fcgid_header_bucket_read function in ...) {DSA-2778-1} - libapache2-mod-fcgid 1:2.3.9-1 (bug #725942) CVE-2013-4364 ((1) oo-analytics-export and (2) oo-analytics-import in the openshift-o ...) NOT-FOR-US: OpenShift CVE-2013-4363 (Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION ...) - rubygems (unimportant; bug #722361) - libgems-ruby (unimportant; bug #722361) NOTE: Non-issue, you trust the site providing the gem with installing arbitrary code, allowing NOTE: it a potential elevated CPU consumption doesn't add any extra harm NOTE: CVE for incomplete fix for CVE-2013-4287 CVE-2013-4362 (WEB-DAV Linux File System (davfs2) 1.4.6 and 1.4.7 allow local users t ...) {DSA-2765-1} - davfs2 1.4.7-3 (bug #723034) NOTE: http://savannah.nongnu.org/bugs/?40034 CVE-2013-4361 (The fbld instruction emulation in Xen 3.3.x through 4.3.x does not use ...) {DSA-3006-1} - xen 4.4.0-1 [squeeze] - xen (Unsupported in squeeze-lts) CVE-2013-4360 REJECTED CVE-2013-4359 (Integer overflow in kbdint.c in mod_sftp in ProFTPD 1.3.4d and 1.3.5r3 ...) {DSA-2767-1} - proftpd-dfsg 1.3.5~rc3-2.1 (bug #723179) CVE-2013-4358 (libavcodec/h264.c in FFmpeg before 0.11.4 allows remote attackers to c ...) - libav 6:9.1-1 [wheezy] - libav (Vulnerable code not present) - ffmpeg (Vulnerable code not present) NOTE: libav fix: http://git.libav.org/?p=libav.git;a=commit;h=072be3e8969f24113d599444be4d6a0ed04a6602 CVE-2013-4357 (The eglibc package before 2.14 incorrectly handled the getaddrinfo() f ...) {DLA-165-1} - eglibc 2.17-1 (unimportant; bug #742925) [wheezy] - eglibc 2.13-38+deb7u6 NOTE: http://sourceware.org/bugzilla/show_bug.cgi?id=12671 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=797096 NOTE: https://sourceware.org/git/?p=glibc.git;a=commit;h=f2962a71959fd254a7a223437ca4b63b9e81130c NOTE: https://sourceware.org/git/?p=glibc.git;a=commit;h=34a9094f49241ebb72084c536cf468fd51ebe3ec NOTE: https://sourceware.org/git/?p=glibc.git;a=commit;h=c8fc0c91695b1c7003c7170861274161f9224817 NOTE: Fixed upstream in 2.14 CVE-2013-4356 (Xen 4.3.x writes hypervisor mappings to certain shadow pagetables when ...) - xen 4.4.0-1 [wheezy] - xen (Only affects 4.3+) [squeeze] - xen (Only affects 4.3+) CVE-2013-4355 (Xen 4.3.x and earlier does not properly handle certain errors, which a ...) {DSA-3006-1} - xen 4.4.0-1 [squeeze] - xen (Unsupported in squeeze-lts) CVE-2013-4354 (The API before 2.1 in OpenStack Image Registry and Delivery Service (G ...) - glance (unimportant) NOTE: https://bugs.launchpad.net/glance/+bug/1226078 NOTE: according to upstream bug there will probably not be a patch for this issue CVE-2013-4353 (The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1. ...) {DSA-2837-1} - openssl 1.0.1f-1 [squeeze] - openssl (Only affects 1.0.1 to 1.0.1e) CVE-2013-4352 (The cache_invalidate function in modules/cache/cache_storage.c in the ...) - apache2 2.4.7-1 (low) [wheezy] - apache2 (Only affects 2.4.[56]) [squeeze] - apache2 (Only affects 2.4.[56]) CVE-2013-4351 (GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bi ...) {DSA-2774-1 DSA-2773-1} - gnupg 1.4.15-1 (low; bug #722722) - gnupg2 2.0.22-1 (low; bug #722724) CVE-2013-4350 (The IPv6 SCTP implementation in net/sctp/ipv6.c in the Linux kernel th ...) - linux-2.6 (Vulnerable code not present) - linux 3.11.5-1 [wheezy] - linux 3.2.53-1 NOTE: http://www.openwall.com/lists/oss-security/2013/09/13/2 NOTE: http://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=95ee62083cb6453e056562d91f597552021e6ae7 CVE-2013-4349 REJECTED CVE-2013-4348 (The skb_flow_dissect function in net/core/flow_dissector.c in the Linu ...) - linux 3.11.6-2 - linux-2.6 (Introduced in 3.2) [wheezy] - linux 3.2.53-2 CVE-2013-4347 (The (1) make_nonce, (2) generate_nonce, and (3) generate_verifier func ...) - python-oauth2 (low; bug #722657) [wheezy] - python-oauth2 (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2013/09/12/5 NOTE: https://github.com/simplegeo/python-oauth2/issues/9 CVE-2013-4346 (The Server.verify_request function in SimpleGeo python-oauth2 does not ...) - python-oauth2 (low; bug #722656) [wheezy] - python-oauth2 (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2013/09/12/5 NOTE: https://github.com/simplegeo/python-oauth2/issues/129 CVE-2013-4345 (Off-by-one error in the get_prng_bytes function in crypto/ansi_cprng.c ...) {DSA-2906-1} - linux-2.6 - linux 3.11.5-1 [wheezy] - linux 3.2.53-1 CVE-2013-4344 (Buffer overflow in the SCSI implementation in QEMU, as used in Xen, wh ...) {DSA-2933-1 DSA-2932-1} - xen 4.2-1 [wheezy] - xen (Vulnerable code not present in the bundled 0.10 qemu) [squeeze] - xen (Unsupported in squeeze-lts) - qemu 1.6.0+dfsg-2 (unimportant; bug #725944) - qemu-kvm (unimportant) - xen-qemu-dm-4.0 [squeeze] - xen-qemu-dm-4.0 (Unsupported in squeeze-lts) NOTE: Qemu only exploitable by privileged administrator with malicious configuration NOTE: Xen in Squeeze uses a separate source package: xen-qemu-dm-4.0 NOTE: Xen in Wheezy includes qemu NOTE: Xen after Wheezy uses qemu-system-x86 from qemu, marking 4.2 as pseudo fixed CVE-2013-4343 (Use-after-free vulnerability in drivers/net/tun.c in the Linux kernel ...) - linux 3.11.5-1 [wheezy] - linux (Introduced in 3.8) - linux-2.6 (Introduced in 3.8) CVE-2013-4342 (xinetd does not enforce the user and group configuration directives fo ...) - xinetd 1:2.3.15-2 (bug #324678) [wheezy] - xinetd 1:2.3.14-7.1+deb7u1 [squeeze] - xinetd (Minor issue) CVE-2013-4341 (Multiple cross-site scripting (XSS) vulnerabilities in Moodle through ...) - moodle 2.5.2-1 [squeeze] - moodle (Unsupported in squeeze-lts) CVE-2013-4340 (wp-admin/includes/post.php in WordPress before 3.6.1 allows remote aut ...) {DSA-2757-1} - wordpress 3.6.1+dfsg-1 (bug #722537) NOTE: http://core.trac.wordpress.org/changeset/25321 CVE-2013-4339 (WordPress before 3.6.1 does not properly validate URLs before use in a ...) {DSA-2757-1} - wordpress 3.6.1+dfsg-1 (bug #722537) NOTE: http://core.trac.wordpress.org/changeset/25323 NOTE: http://core.trac.wordpress.org/changeset/25324 CVE-2013-4338 (wp-includes/functions.php in WordPress before 3.6.1 does not properly ...) {DSA-2757-1} - wordpress 3.6.1+dfsg-1 (bug #722537) NOTE: http://core.trac.wordpress.org/changeset/25325 CVE-2013-4337 REJECTED CVE-2013-4336 REJECTED CVE-2013-4335 (opOpenSocialPlugin 0.8.2.1, > 0.9.9.2, 0.9.13, 1.2.6: Multiple XML ...) NOT-FOR-US: opOpenSocialPlugin CVE-2013-4334 (opWebAPIPlugin 0.5.1, 0.4.0, and 0.1.0: XXE Vulnerabilities ...) NOT-FOR-US: opWebAPIPlugin CVE-2013-4333 (OpenPNE 3 versions 3.8.7, 3.6.11, 3.4.21.1, 3.2.7.6, 3.0.8.5 has an Ex ...) NOT-FOR-US: OpenPNE CVE-2013-4332 (Multiple integer overflows in malloc/malloc.c in the GNU C Library (ak ...) {DLA-165-1} - glibc 2.17-93 (bug #722536) - eglibc [wheezy] - eglibc 2.13-38+deb7u1 CVE-2013-4331 (Light Display Manager (aka LightDM) 1.4.x before 1.4.3, 1.6.x before 1 ...) - lightdm 1.6.2-1 (bug #721744) [wheezy] - lightdm (Introduced in 1.4) CVE-2013-4330 (Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, ...) NOT-FOR-US: Apache Camel CVE-2013-4329 (The xenlight library (libxl) in Xen 4.0.x through 4.2.x, when IOMMU is ...) {DSA-3006-1} - xen 4.3.0-1 [squeeze] - xen (libxl not packaged in squeeze) NOTE: http://lists.xen.org/archives/html/xen-announce/2013-09/msg00001.html CVE-2013-4328 REJECTED CVE-2013-4327 (systemd does not properly use D-Bus for communication with a polkit au ...) {DSA-2777-1} - systemd 204-5 (bug #723713) CVE-2013-4326 (RealtimeKit (aka rtkit) 0.5 does not properly use D-Bus for communicat ...) - rtkit 0.10-3 (bug #723714) [wheezy] - rtkit 0.10-2+wheezy1 CVE-2013-4325 (The check_permission_v1 function in base/pkit.py in HP Linux Imaging a ...) {DSA-2829-1} - hplip 3.13.9-1 (bug #723716) CVE-2013-4324 (spice-gtk 0.14, and possibly other versions, invokes the polkit author ...) - spice-gtk 0.21-0nocelt1 (low) [wheezy] - spice-gtk (Minor issue) CVE-2013-4323 RESERVED CVE-2013-4322 (Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-R ...) {DSA-3530-1 DSA-2897-1 DLA-91-1} - tomcat6 6.0.39 - tomcat7 7.0.50 - tomcat8 8.0.0 CVE-2013-4321 (The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x ...) - typo3-src (All versions from 6.0.0 up to the development branch of 6.2) CVE-2013-4320 (The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.9 and 6.1.x ...) - typo3-src (All versions from 6.0.0 up to the development branch of 6.2) CVE-2013-4319 (pbs_mom in Terascale Open-Source Resource and Queue Manager (aka TORQU ...) {DSA-2770-1} - torque 2.4.16+dfsg-1.1 (bug #722306) NOTE: http://www.supercluster.org/pipermail/torqueusers/2013-September/016098.html CVE-2013-4318 (File injection vulnerability in Ruby gem Features 0.3.0 allows remote ...) NOT-FOR-US: Ruby gem Features NOTE: http://www.openwall.com/lists/oss-security/2013/09/09/9 CVE-2013-4317 (In Apache CloudStack 4.1.0 and 4.1.1, when calling the CloudStack API ...) NOT-FOR-US: CloudStack CVE-2013-4316 (Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation ...) - libstruts1.2-java (Affects Struts 2.0.0 - Struts 2.3.15.1) NOTE: http://struts.apache.org/release/2.3.x/docs/s2-019.html CVE-2013-4315 (Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x ...) {DSA-2755-1} - python-django 1.5.3-1 (bug #722605) CVE-2013-4314 (The X509Extension in pyOpenSSL before 0.13.1 does not properly handle ...) {DSA-2763-1} - pyopenssl 0.13-2.1 (bug #722055) CVE-2013-4313 (Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5 ...) - moodle 2.5.2-1 [squeeze] - moodle CVE-2016-2847 (fs/pipe.c in the Linux kernel before 4.5 does not limit the amount of ...) {DSA-3503-1} - linux 4.3.5-1 NOTE: https://git.kernel.org/linus/759c01142a5d0f364a462346168a56de28a80f52 (v4.5-rc1) CVE-2013-4312 (The Linux kernel before 4.4.1 allows local users to bypass file-descri ...) {DSA-3503-1 DSA-3448-1} - linux 4.3.3-6 - linux-2.6 NOTE: https://git.kernel.org/linus/712f4aad406bb1ed67f3f98d04c044191f0ff593 (v4.5-rc1) NOTE: First patch for mitigation in 4.3.3-6, 4.3.5-1 adds a second bit required, that is CVE-2016-2847 CVE-2013-4311 (libvirt 1.0.5.x before 1.0.5.6, 0.10.2.x before 0.10.2.8, and 0.9.12.x ...) - libvirt 1.1.3~rc1-1 (unimportant) NOTE: polkit support not activated in Debian build prior to 1.2.9. NOTE: sourcewise support for 3-arg pkcheck syntax in libvirt is included NOTE: since 0.9.12.3-1 in wheezy-security (and 1.1.3~rc1-1 in unstable). But we need NOTE: to wait for the pu in #726558 for policykit-1/0.105-3+deb7u1 and have a rebuild NOTE: of libvirt then. NOTE: Needs a build dependency on libpolkit-gobject-1-dev CVE-2013-4310 (Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass ...) - libstruts1.2-java (Affects Struts 2.0.0 - Struts 2.3.15.1) NOTE: http://struts.apache.org/release/2.3.x/docs/s2-018.html CVE-2013-4309 RESERVED CVE-2013-4308 (Cross-site scripting (XSS) vulnerability in pages/TalkpageHistoryView. ...) NOT-FOR-US: Mediawiki LiquidThreads extension CVE-2013-4307 (Multiple cross-site scripting (XSS) vulnerabilities in repo/includes/E ...) NOT-FOR-US: Mediawiki Wikibase CVE-2013-4306 (Cross-site request forgery (CSRF) vulnerability in api/ApiQueryCheckUs ...) NOT-FOR-US: Mediawiki CheckUser extension CVE-2013-4305 (Cross-site scripting (XSS) vulnerability in contrib/example.php in the ...) - mediawiki-extensions (unimportant) NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=49070 NOTE: Just an example file CVE-2013-4304 (The CentralAuth extension for MediaWiki 1.19.x before 1.19.8, 1.20.x b ...) NOT-FOR-US: Mediawiki CentralAuth extension CVE-2013-4303 (includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.1 ...) - mediawiki 1:1.19.8+dfsg-1 (unimportant) [squeeze] - mediawiki NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=52746 NOTE: IE6 lacks so many security features that this doesn't matter CVE-2013-4302 ((1) ApiBlock.php, (2) ApiCreateAccount.php, (3) ApiLogin.php, (4) ApiM ...) {DSA-2753-1} - mediawiki 1:1.19.8+dfsg-1 [squeeze] - mediawiki NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=49090 CVE-2013-4301 (includes/resourceloader/ResourceLoaderContext.php in MediaWiki 1.19.x ...) - mediawiki 1:1.19.8+dfsg-1 (unimportant) [squeeze] - mediawiki NOTE: Full path disclosure irrelevant in Debian NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=46332 CVE-2013-4300 (The scm_check_creds function in net/core/scm.c in the Linux kernel bef ...) - linux 3.11.5-1 [wheezy] - linux (Not exploitable by unprivileged users in 3.2) - linux-2.6 (Not exploitable by unprivileged users in 2.6.32) CVE-2013-4299 (Interpretation conflict in drivers/md/dm-snap-persistent.c in the Linu ...) {DSA-2906-1} - linux-2.6 - linux 3.11.6-2 [wheezy] - linux 3.2.53-1 NOTE: upstream commit: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e9c6a182649f4259db704ae15a91ac820e63b0ca CVE-2013-4297 (The virFileNBDDeviceAssociate function in util/virfile.c in libvirt 1. ...) - libvirt 1.1.2-2 [jessie] - libvirt (Introduced with 8aabd597b379db5ae1655e36dff4f10d5622830a) [wheezy] - libvirt (Introduced with 8aabd597b379db5ae1655e36dff4f10d5622830a) [squeeze] - libvirt (Introduced with 8aabd597b379db5ae1655e36dff4f10d5622830a) NOTE: http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=2dba0323ff0cec31bdcea9dd3b2428af297401f2 NOTE: Introduced with 8aabd597b379db5ae1655e36dff4f10d5622830a, 1.0.6 CVE-2013-4296 (The remoteDispatchDomainMemoryStats function in daemon/remote.c in lib ...) {DSA-2764-1} - libvirt 1.1.4-1 [squeeze] - libvirt (Vulnerable code not present, introduced by commit 158ba8730e44b7dd07a21ab90499996c5dec080a) NOTE: http://libvirt.org/git/?p=libvirt.git;a=commit;h=158ba8730e44b7dd07a21ab90499996c5dec080a NOTE: Fix: http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=e7f400a110e2e3673b96518170bfea0855dd82c0 CVE-2013-4295 (The gadget renderer in Apache Shindig 2.5.0 for PHP allows remote atta ...) NOT-FOR-US: Apache Shindig CVE-2013-4294 (The (1) mamcache and (2) KVS token backends in OpenStack Identity (Key ...) - keystone 2013.1.3-2 (bug #722505) [wheezy] - keystone (only affects Folsom release and above) CVE-2013-4293 (The server in Red Hat JBoss Operations Network (JON) 3.1.2 logs passwo ...) NOT-FOR-US: Red Hat JBoss Operations Network CVE-2013-4292 (libvirt 1.1.0 and 1.1.1 allows local users to cause a denial of servic ...) - libvirt 1.1.2~rc2-1 (bug #721325) [jessie] - libvirt (Introduced with 1.1.0) [wheezy] - libvirt (Introduced with 1.1.0) [squeeze] - libvirt (Introduced with 1.1.0) CVE-2013-4291 (The virSecurityManagerSetProcessLabel function in libvirt 0.10.2.7, 1. ...) - libvirt 1.1.2-2 [jessie] - libvirt (vulnerable code not introduced, introduced in 1.1.1) [wheezy] - libvirt (vulnerable code not introduced, introduced in 1.1.1) [squeeze] - libvirt (vulnerable code not introduced, introduced in 1.1.1) NOTE: http://libvirt.org/git/?p=libvirt.git;a=commit;h=745aa55fbf3e076c4288d5ec3239f5a5d43508a6 CVE-2013-4290 (Stack-based buffer overflow in OpenJPEG before 1.5.2 allows remote att ...) - openjpeg (unimportant; bug #722540) NOTE: JP3D code not built in the binary package, see #722540 CVE-2013-4289 (Multiple integer overflows in lib/openjp3d/jp3d.c in OpenJPEG before 1 ...) - openjpeg (unimportant; bug #722540) NOTE: JP3D code not built in the binary package, see #722540 CVE-2013-4288 (Race condition in PolicyKit (aka polkit) allows local users to bypass ...) - policykit-1 0.105-3+nmu1 (low; bug #723717) [squeeze] - policykit-1 (The update only deprecates an API and introduces a new option for pkcheck, no src package uses this API) [wheezy] - policykit-1 (The update only deprecates an API and introduces a new option for pkcheck, no src package uses this API) CVE-2013-4287 (Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN ...) - rubygems (unimportant; bug #722361) - libgems-ruby (unimportant; bug #722361) NOTE: Non-issue, you trust the site providing the gem with installing arbitrary code, allowing NOTE: it a potential elevated CPU consumption doesn't add any extra harm CVE-2013-4286 (Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-R ...) {DSA-3530-1 DSA-2897-1 DLA-91-1} - tomcat6 6.0.39 - tomcat7 7.0.47 - tomcat8 8.0.0 CVE-2013-4285 (A certain Gentoo patch for the PAM S/Key module does not properly clea ...) NOT-FOR-US: pam_skey CVE-2013-4284 (Cumin, as used in Red Hat Enterprise MRG 2.4, allows remote attackers ...) NOT-FOR-US: Cumin CVE-2013-4283 (ns-slapd in 389 Directory Server before 1.3.0.8 allows remote attacker ...) - 389-ds-base 1.3.2.9-1 (bug #721222) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=999634 CVE-2013-4282 (Stack-based buffer overflow in the reds_handle_ticket function in serv ...) {DSA-2839-1} - spice 0.12.4-0nocelt2 (bug #728314) NOTE: http://cgit.freedesktop.org/spice/spice/commit/?id=8af619009660b24e0b41ad26b30289eea288fcc2 CVE-2013-4281 RESERVED CVE-2013-4280 (Insecure temporary file vulnerability in RedHat vsdm 4.9.6. ...) - vdsm (bug #668538) CVE-2013-4279 (imapsync 1.564 and earlier performs a release check by default, which ...) - imapsync CVE-2013-4278 (The "create an instance" API in OpenStack Compute (Nova) Folsom, Grizz ...) - nova 2013.1.3-1 (bug #720602) [wheezy] - nova (Affected code not present) NOTE: incomplete fix for CVE-2013-2256 CVE-2013-4277 (Svnserve in Apache Subversion 1.4.0 through 1.7.12 and 1.8.0 through 1 ...) - subversion 1.7.13-1 (low; bug #721542) [squeeze] - subversion (Minor issue, PID file not created by default) [wheezy] - subversion (Minor issue, PID file not created by default) NOTE: http://subversion.apache.org/security/CVE-2013-4277-advisory.txt CVE-2013-4276 (Multiple stack-based buffer overflows in LittleCMS (aka lcms or liblcm ...) - lcms 1.19.dfsg1-1.3 (low; bug #718682) [squeeze] - lcms (Minor issue) [wheezy] - lcms 1.19.dfsg2-1.2+deb7u1 - lcms2 (Vulnerable code not present) CVE-2013-4275 (Cross-site scripting (XSS) vulnerability in the zen_breadcrumb functio ...) NOT-FOR-US: Drupal contributed module Zen CVE-2013-4274 (Cross-site scripting (XSS) vulnerability in the password_policy_admin_ ...) NOT-FOR-US: Drupal addon CVE-2013-4273 (The Entity API module 7.x-1.x before 7.x-1.2 for Drupal does not prope ...) NOT-FOR-US: Drupal contributed module Entity API CVE-2013-4272 (The BOTCHA Spam Prevention module 7.x-1.x before 7.x-1.6, 7.x-2.x befo ...) NOT-FOR-US: Drupal addon CVE-2013-4271 (The default configuration of the ObjectRepresentation class in Restlet ...) - restlet (bug #596472) CVE-2013-4270 (The net_ctl_permissions function in net/sysctl_net.c in the Linux kern ...) - linux-2.6 (Introduced in 3.8) - linux 3.11.5-1 [wheezy] - linux (Introduced in 3.8) NOTE: Introduced with http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cff109768b2d9c03095848f4cd4b0754117262aa NOTE: Fixed by http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2433c8f094a008895e66f25bd1773cdb01c91d01 CVE-2013-4269 REJECTED CVE-2013-4268 REJECTED CVE-2013-4267 (Ajaxeplorer before 5.0.1 allows remote attackers to execute arbitrary ...) - ajaxplorer (bug #668381) CVE-2013-4266 REJECTED CVE-2013-4265 (The av_reallocp_array function in libavutil/mem.c in FFmpeg before 2.0 ...) - ffmpeg (Affected function codec not present in 0.5 ffmpeg) - libav (Affected function not present in libav) NOTE: https://github.com/FFmpeg/FFmpeg/commit/c94f9e854228e0ea00e1de8769d8d3f7cab84a55 CVE-2013-4264 (The kempf_decode_tile function in libavcodec/g2meet.c in FFmpeg before ...) - ffmpeg (g2meet codec not present in 0.5 ffmpeg) - libav (g2meet codec not present in libav) NOTE: https://github.com/FFmpeg/FFmpeg/commit/2960576378d17d71cc8dccc926352ce568b5eec1 CVE-2013-4263 (libavfilter in FFmpeg before 2.0.1 has unspecified impact and remote v ...) - ffmpeg (Affected video filters not present in ffmpeg 0.5) - libav (Vulnerable code not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/e43a0a232dbf6d3c161823c2e07c52e76227a1bc NOTE: [Anton] the report and the fix appear completely bogus, likely working around bugs from completely different parts of the code; most probably not present in any libav release CVE-2013-4262 (svnwcsub.py in Subversion 1.8.0 before 1.8.3, when using the --pidfile ...) - subversion 1.8.5-1 (unimportant) NOTE: Optional admin-side utilities in Subversion 1.8.x CVE-2013-4261 (OpenStack Compute (Nova) Folsom, Grizzly, and earlier, when using Apac ...) - nova 2013.2-1 (low) [wheezy] - nova (Will be fixed in a point update) NOTE: https://bugs.launchpad.net/nova/+bug/1215091/comments/10 (relevant question for other components) NOTE: probably does not affect Essex/2012.1, see https://bugs.launchpad.net/nova/+bug/1215091/comments/6 CVE-2013-4260 (lib/ansible/playbook/__init__.py in Ansible 1.2.x before 1.2.3, when p ...) - ansible (affected code introduced with ansible 1.2) CVE-2013-4259 (runner/connection_plugins/ssh.py in Ansible before 1.2.3, when using C ...) - ansible 1.3.4+dfsg-1 (bug #721766) NOTE: upstream commit: https://github.com/ansible/ansible/commit/6bf5d195065bc23b5fc72ba690d7ed45f228aaf0 CVE-2013-4258 (Format string vulnerability in the osLogMsg function in server/os/aulo ...) {DSA-2771-1} - nas 1.9.3-6 (bug #720287) CVE-2013-4257 [Heap Overflow] REJECTED CVE-2013-4256 (Multiple stack-based and heap-based buffer overflows in Network Audio ...) {DSA-2771-1} - nas 1.9.3-6 (bug #720287) CVE-2013-4255 (The policy definition evaluator in Condor 7.5.4, 8.0.0, and earlier do ...) - condor 8.0.5~dfsg.1-1 (bug #721693) [wheezy] - condor (Minor issue) CVE-2013-4254 (The validate_event function in arch/arm/kernel/perf_event.c in the Lin ...) - linux 3.10.11-1 [wheezy] - linux 3.2.51-1 - linux-2.6 (No perf support on arm) CVE-2013-4253 RESERVED CVE-2013-4252 RESERVED CVE-2013-4251 (The scipy.weave component in SciPy before 0.12.1 creates insecure temp ...) {DLA-26-1} - python-scipy 0.12.0-3 (bug #726093) [wheezy] - python-scipy (Minor issue) [squeeze] - python-scipy 0.7.2+dfsg1-1+deb6u1 NOTE: https://github.com/scipy/scipy/commit/bd296e0336420b840fcd2faabb97084fd252a973 CVE-2013-4250 (The (1) file upload component and (2) File Abstraction Layer (FAL) in ...) - typo3-src (All versions from 6.0.0 up to the development branch of 6.2) CVE-2013-4249 (Cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget wi ...) - python-django 1.5.2-1 [wheezy] - python-django (1.4.x not affected) [squeeze] - python-django (1.2.x not affected) NOTE: problem introduced with https://github.com/django/django/commit/ac2052ebc84c45709ab5f0f25e685bf656ce79bc CVE-2013-4248 (The openssl_x509_parse function in openssl.c in the OpenSSL module in ...) {DSA-2742-1} - php5 5.5.3+dfsg-1 (bug #719765) NOTE: fix in 5.5.2 incomplete, see http://php.net/ChangeLog-5.php CVE-2013-4247 (Off-by-one error in the build_unc_path_to_root function in fs/cifs/con ...) - linux-2.6 (Introduced in 3.8) - linux 3.9.6-1 [wheezy] - linux (Introduced in 3.8) CVE-2013-4246 (libsvn_fs_fs/fs_fs.c in Apache Subversion 1.8.x before 1.8.2 might all ...) - subversion (only affects 1.8.0 and 1.8.1) CVE-2013-4245 (Orca has arbitrary code execution due to insecure Python module load ...) - gnome-orca (unimportant) NOTE: Negligible security impact CVE-2013-4244 (The LZW decompressor in the gif2tiff tool in libtiff 4.0.3 and earlier ...) {DSA-2744-1} - tiff 4.0.3-3 - tiff3 (The tiff3 source package doesn't build the TIFF tools) CVE-2013-4243 (Heap-based buffer overflow in the readgifimage function in the gif2tif ...) {DSA-2965-1 DLA-0013-1} - tiff 4.0.3-9 (low; bug #742917) - tiff3 (The tiff3 source package doesn't build the TIFF tools) [squeeze] - tiff 3.9.4-5+squeeze11 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2451 CVE-2013-4242 (GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x ...) {DSA-2731-1 DSA-2730-1} - gnupg 1.4.14-1 (bug #717880) - libgcrypt11 1.5.3-1 CVE-2013-4241 (Multiple cross-site scripting (XSS) vulnerabilities in the HMS Testimo ...) NOT-FOR-US: WordPress plugin HMS Testimonials CVE-2013-4240 (Multiple cross-site request forgery (CSRF) vulnerabilities in the HMS ...) NOT-FOR-US: WordPress plugin HMS Testimonials CVE-2013-4239 (The xenDaemonListDefinedDomains function in xen/xend_internal.c in lib ...) - libvirt 1.1.2~rc1-1 (bug #719533) [wheezy] - libvirt (Introduced in 1.1.1) [squeeze] - libvirt (Introduced in 1.1.1) NOTE: Introduced by: http://libvirt.org/git/?p=libvirt.git;a=commit;h=632180d1 NOTE: Fixed by: http://libvirt.org/git/?p=libvirt.git;a=commit;h=0e671a16 CVE-2013-4238 (The ssl.match_hostname function in the SSL module in Python 2.6 throug ...) {DSA-2880-1 DLA-25-1} - python2.5 (low) [squeeze] - python2.5 (Minor issue) - python2.6 (low) [wheezy] - python2.6 (Minor issue) - python2.7 2.7.5-8 (low; bug #719566) - python3.1 (low) [squeeze] - python3.1 (Minor issue) - python3.2 (low; bug #719568) [wheezy] - python3.2 (Minor issue) - python3.3 3.3.2-6 (low; bug #719567) NOTE: http://bugs.python.org/issue18709 NOTE: https://bugs.mageia.org/show_bug.cgi?id=10989 CVE-2013-4237 (sysdeps/posix/readdir_r.c in the GNU C Library (aka glibc or libc6) 2. ...) {DLA-165-1} - eglibc - glibc 2.17-94 (bug #719558) [wheezy] - eglibc 2.13-38+deb7u1 NOTE: http://sourceware.org/bugzilla/show_bug.cgi?id=14699 NOTE: http://sourceware.org/ml/libc-alpha/2013-05/msg00445.html CVE-2013-4236 (VDSM in Red Hat Enterprise Virtualization 3 and 3.2 allows privileged ...) - vdsm (bug #668538) CVE-2013-4235 (shadow: TOCTOU (time-of-check time-of-use) race condition when copying ...) - shadow (unimportant; bug #778950) CVE-2013-4234 (Multiple heap-based buffer overflows in the (1) abc_MIDI_drum and (2) ...) {DSA-2751-1} - libmodplug 1:0.8.8.4-4 (bug #719462) CVE-2013-4233 (Integer overflow in the abc_set_parts function in load_abc.cpp in libm ...) {DSA-2751-1} - libmodplug 1:0.8.8.4-4 (bug #719462) CVE-2013-4232 (Use-after-free vulnerability in the t2p_readwrite_pdf_image function i ...) {DSA-2744-1} - tiff 4.0.3-2 (bug #719303) - tiff3 (The tiff3 source package doesn't build the TIFF tools) CVE-2013-4231 (Multiple buffer overflows in libtiff before 4.0.3 allow remote attacke ...) {DSA-2744-1} - tiff 4.0.3-2 (bug #719303) - tiff3 (The tiff3 source package doesn't build the TIFF tools) CVE-2013-4230 (The mm_webform submodule in the Monster Menus module 6.x-6.x before 6. ...) NOT-FOR-US: Monster Menus Drupal contributed module CVE-2013-4229 (Cross-site scripting (XSS) vulnerability in the Monster Menus module 7 ...) NOT-FOR-US: Monster Menus Drupal contributed module CVE-2013-4228 (The OG access fields (visibility fields) implementation in Organic Gro ...) NOT-FOR-US: Organic Group Drupal contributed module CVE-2013-4227 (Cross-site request forgery (CSRF) vulnerability in the persona_xsrf_to ...) NOT-FOR-US: Persona Drupal contributed module CVE-2013-4226 (The Authenticated User Page Caching (Authcache) module 7.x-1.x before ...) NOT-FOR-US: Authenticated User Page Caching Drupal contributed module CVE-2013-4225 (The RESTful Web Services (restws) module 7.x-1.x before 7.x-1.4 and 7. ...) NOT-FOR-US: RESTful Web Services (RESTWS) Drupal cotributed module CVE-2013-4224 REJECTED CVE-2013-4223 (The Gentoo Nullmailer package before 1.11-r2 uses world-readable permi ...) - nullmailer 1:1.11-2 (low; bug #684619) [squeeze] - nullmailer (Minor issue) NOTE: CVE originally for /etc/nullmailer/remotes permissions in gentoo, but Debian NOTE: had the same problem until 1:1.11-2 CVE-2013-4222 (OpenStack Identity (Keystone) Folsom, Grizzly 2013.1.3 and earlier, an ...) - keystone 2013.1.3-1 (bug #719290) [wheezy] - keystone (Vulnerable code not present in Openstack Essex) NOTE: http://lists.openstack.org/pipermail/openstack-security/2013-August/000263.html CVE-2013-4221 (The default configuration of the ObjectRepresentation class in Restlet ...) - restlet (bug #596472) NOTE: http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html NOTE: https://github.com/o2platform/DefCon_RESTing CVE-2013-4220 (The bad_mode function in arch/arm64/kernel/traps.c in the Linux kernel ...) - linux-2.6 (ARM64 not supported) - linux (ARM64 not yet supported) CVE-2013-4219 (Multiple integer overflows in the Intel WiMAX Network Service through ...) - wimax-tools (bug #627975) CVE-2013-4218 (The InitMethodAndPassword function in InfraStack/OSAgnostic/WiMax/Agen ...) - wimax-tools (bug #627975) CVE-2013-4217 (The OSAL_Crypt_SetEncryptedPassword function in InfraStack/OSDependent ...) - wimax-tools (bug #627975) CVE-2013-4216 (The Trace_OpenLogFile function in InfraStack/OSDependent/Linux/InfraSt ...) - wimax-tools (bug #627975) CVE-2013-4215 (The IPXPING_COMMAND in contrib/check_ipxping.c in Nagios Plugins 1.4.1 ...) - nagios-plugins 1.4.16+git20130902-1 (unimportant) NOTE: vulnerable code present, but check_ipxping is neither built nor installed - monitoring-plugins (Fixed before initial upload to Debian) NOTE: contrib/check_ipxping removed from src:monitoring-pluging before the NOTE: initial upload to Debian after the source package rename. CVE-2013-4214 (rss-newsfeed.php in Nagios Core 3.4.4, 3.5.1, and earlier, when MAGPIE ...) - nagios3 3.5.1-1 (low; bug #719056) [wheezy] - nagios3 (Minor issue) [squeeze] - nagios3 (html/rss-newsfeed.php not present) NOTE: fixed by removing html/rss-newsfeed.php completely NOTE: http://anonscm.debian.org/gitweb/?p=pkg-nagios/pkg-nagios3.git;a=commit;h=c88bef82308c99601732bb9517a1af5bc6928282 CVE-2013-4213 (Red Hat JBoss Enterprise Application Platform (EAP) 6.1.0 does not pro ...) - jbossas4 (Only builds a few libraries, not the full application server, #581226) CVE-2013-4212 (Certain getText methods in the ActionSupport controller in Apache Roll ...) NOT-FOR-US: Apache Roller CVE-2013-4211 (A Code Execution Vulnerability exists in OpenX Ad Server 2.8.10 due to ...) NOT-FOR-US: OpenX CVE-2013-4210 (The org.jboss.remoting.transport.socket.ServerThread class in Red Hat ...) NOT-FOR-US: JBoss Remoting CVE-2013-4209 (Automatic Bug Reporting Tool (ABRT) before 2.1.6 allows local users to ...) NOT-FOR-US: abrt is Red Hat / Fedora specific CVE-2013-4208 (The rsa_verify function in PuTTY before 0.63 (1) does not clear sensit ...) {DSA-2736-1} - putty 0.63-1 - filezilla 3.7.3-1 (low; bug #719070) [squeeze] - filezilla (Minor issue) [wheezy] - filezilla (Minor issue) NOTE: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped.html CVE-2013-4207 (Buffer overflow in sshbn.c in PuTTY before 0.63 allows remote SSH serv ...) {DSA-2736-1} - putty 0.63-1 - filezilla 3.7.3-1 (low; bug #719070) [squeeze] - filezilla (Minor issue) [wheezy] - filezilla (Minor issue) NOTE: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-bignum-division-by-zero.html CVE-2013-4206 (Heap-based buffer underflow in the modmul function in sshbn.c in PuTTY ...) {DSA-2736-1} - putty 0.63-1 - filezilla 3.7.3-1 (low; bug #719070) [squeeze] - filezilla (Minor issue) [wheezy] - filezilla (Minor issue) NOTE: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-modmul.html CVE-2013-4205 (Memory leak in the unshare_userns function in kernel/user_namespace.c ...) - linux 3.10.7-1 [wheezy] - linux (Introduced in 3.8) - linux-2.6 (Introduced in 3.8) CVE-2013-4204 (Multiple cross-site scripting (XSS) vulnerabilities in the JUnit files ...) - gwt (low) [squeeze] - gwt (Minor issue) NOTE: http://www.gwtproject.org/release-notes.html#Release_Notes_2_5_1_RC1 CVE-2013-4203 (The self.run_gpg function in lib/rgpg/gpg_helper.rb in the rgpg gem be ...) NOT-FOR-US: Ruby Rgpg Gem CVE-2013-4202 (The (1) backup (api/contrib/backups.py) and (2) volume transfer (contr ...) - cinder 2013.1.2-4 (bug #719118) CVE-2013-4201 (Katello allows remote authenticated users to call the "system remove_d ...) NOT-FOR-US: Katello CVE-2013-4200 (The isURLInPortal method in the URLTool class in in_portal.py in Plone ...) NOT-FOR-US: Plone CVE-2013-4199 ((1) cb_decode.py and (2) linkintegrity.py in Plone 2.1 through 4.1, 4. ...) NOT-FOR-US: Plone CVE-2013-4198 (mail_password.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4. ...) NOT-FOR-US: Plone CVE-2013-4197 (member_portrait.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and ...) NOT-FOR-US: Plone CVE-2013-4196 (The object manager implementation (objectmanager.py) in Plone 2.1 thro ...) NOT-FOR-US: Plone CVE-2013-4195 (Multiple open redirect vulnerabilities in (1) marmoset_patch.py, (2) p ...) NOT-FOR-US: Plone CVE-2013-4194 (The WYSIWYG component (wysiwyg.py) in Plone 2.1 through 4.1, 4.2.x thr ...) NOT-FOR-US: Plone CVE-2013-4193 (typeswidget.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3. ...) NOT-FOR-US: Plone CVE-2013-4192 (sendto.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x thr ...) NOT-FOR-US: Plone CVE-2013-4191 (zip.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x throug ...) NOT-FOR-US: Plone CVE-2013-4190 (Multiple cross-site scripting (XSS) vulnerabilities in (1) spamProtect ...) NOT-FOR-US: Plone CVE-2013-4189 (Multiple unspecified vulnerabilities in (1) dataitems.py, (2) get.py, ...) NOT-FOR-US: Plone CVE-2013-4188 (traverser.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x ...) NOT-FOR-US: Plone CVE-2013-4187 (The Flippy module 7.x-1.x before 7.x-1.2 for Drupal does not properly ...) NOT-FOR-US: Flippy Contributed Drupal module CVE-2013-4186 REJECTED CVE-2013-4185 (Algorithmic complexity vulnerability in OpenStack Compute (Nova) befor ...) - nova 2013.1.2-3 (low; bug #718907) [wheezy] - nova (Minor issue) CVE-2013-4184 (Perl module Data::UUID from CPAN version 1.219 vulnerable to symlink a ...) - libdata-uuid-perl (unimportant; bug #718949) NOTE: https://github.com/rjbs/Data-UUID/issues/5 NOTE: Neutralised by kernel temp hardening CVE-2013-4183 (The clear_volume function in LVMVolumeDriver driver in OpenStack Cinde ...) - cinder 2013.1.2-4 (bug #719010) CVE-2013-4182 (app/controllers/api/v1/hosts_controller.rb in Foreman before 1.2.2 doe ...) - foreman (bug #663101) CVE-2013-4181 (Cross-site scripting (XSS) vulnerability in the addAlert function in t ...) NOT-FOR-US: ovirt CVE-2013-4180 (The (1) power and (2) ipmi_boot actions in the HostController in Forem ...) - foreman (bug #663101) CVE-2013-4179 (The security group extension in OpenStack Compute (Nova) Grizzly 2013. ...) - nova 2013.1.3-1 [wheezy] - nova (Vulnerable code not present) NOTE: CVE for incomplete fix applied for CVE-2013-1664 CVE-2013-4178 (The Google Authenticator login module 6.x-1.x before 6.x-1.2 and 7.x-1 ...) NOT-FOR-US: GA Login Drupal contributed module CVE-2013-4177 (The Google Authenticator login module 6.x-1.x before 6.x-1.2 and 7.x-1 ...) NOT-FOR-US: GA Login Drupal contributed module CVE-2013-4176 (mysecureshell 1.31: Local Information Disclosure Vulnerability ...) NOT-FOR-US: MySecureShell CVE-2013-4175 (MySecureShell 1.31 has a Local Denial of Service Vulnerability ...) NOT-FOR-US: MySecureShell CVE-2013-4174 (Multiple cross-site scripting (XSS) vulnerabilities in the Scald modul ...) NOT-FOR-US: Scald Drupal contributed module CVE-2013-4173 (Directory traversal vulnerability in the trend-data daemon (xymond_rrd ...) - xymon 4.3.17-2 (bug #717895) [wheezy] - xymon (Not remotely exploitable in Debian default config) [squeeze] - xymon (Not remotely exploitable in Debian default config) CVE-2013-4172 (The Red Hat CloudForms Management Engine 5.1 allow remote administrato ...) NOT-FOR-US: RedHat CloudForms Management Engine CVE-2013-4171 (Multiple cross-site scripting (XSS) vulnerabilities in Apache Roller b ...) NOT-FOR-US: Apache Roller CVE-2013-4170 RESERVED CVE-2013-4169 (GNOME Display Manager (gdm) before 2.21.1 allows local users to change ...) - gdm (unimportant) - gdm3 (Only affected older gdm < 2.21.1) NOTE: In Debian /tmp/.X11-unix is created by /etc/init.d/x11-common CVE-2013-4168 (Cross-site scripting (XSS) vulnerability in SmokePing 2.6.9 in the sta ...) {DLA-348-1} - smokeping 2.6.8-2 (low) [squeeze] - smokeping (Minor issue) NOTE: https://github.com/oetiker/SmokePing/commit/bad9f9c28f0939b269f90072aa4cf41f20f15563 CVE-2013-4167 (Cross-site scripting (XSS) vulnerability in CMS Made Simple (CMSMS) be ...) - cmsms (bug #608888) CVE-2013-4166 (The gpg_ctx_add_recipient function in camel/camel-gpg-context.c in GNO ...) - evolution (unimportant) NOTE: Regular UI bug, not a security issue. CVE-2013-4165 (The HTTPAuthorized function in bitcoinrpc.cpp in bitcoind 0.8.1 provid ...) - bitcoin 0.8.4-1 (bug #717828) NOTE: https://github.com/bitcoin/bitcoin/issues/2838 CVE-2013-4164 (Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 bef ...) {DSA-2810-1 DSA-2809-1} - ruby1.8 1.8.7.358-9 (bug #730189) - ruby1.9.1 1.9.3.484-1 (bug #730178) - ruby2.0 2.0.0.353-1 (bug #730190) NOTE: https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/ CVE-2013-4163 (The ip6_append_data_mtu function in net/ipv6/ip6_output.c in the IPv6 ...) {DSA-2745-1} - linux 3.10.5-1 - linux-2.6 (Introduced in 3.5) CVE-2013-4162 (The udp_v6_push_pending_frames function in net/ipv6/udp.c in the IPv6 ...) {DSA-2906-1 DSA-2745-1} - linux 3.10.5-1 (low) - linux-2.6 (low) CVE-2013-4161 (gksu-polkit-0.0.3-6.fc18 was reported as fixing the issue in CVE-2012- ...) - gksu-polkit (CVE for improperly applied fix for CVE-2012-5617 on Red Hat) CVE-2013-4160 (Little CMS (lcms2) before 2.5, as used in OpenJDK 7 and possibly other ...) - lcms 1.19.dfsg1-1.3 (low; bug #728208) [squeeze] - lcms (Minor issue) [wheezy] - lcms 1.19.dfsg2-1.2+deb7u1 - lcms2 2.2+git20110628-2.3 (bug #714529) [wheezy] - lcms2 2.2+git20110628-2.2+deb7u1 NOTE: https://github.com/mm2/Little-CMS/commit/91c2db7f2559be504211b283bc3a2c631d6f06d9 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=826097#c9 CVE-2013-4159 (ctdb before 2.3 in OpenSUSE 12.3 and 13.1 does not create temporary fi ...) - ctdb 2.5.1+debian0-1 (bug #749840) [wheezy] - ctdb (Minor issue) [squeeze] - ctdb (Minor issue) CVE-2013-4158 (smokeping before 2.6.9 has XSS (incomplete fix for CVE-2012-0790) ...) - smokeping (fix for CVE-2012-0790/DSA-2651-1 uses regexp from 2.6.9 upstream release) NOTE: CVE is for incomplete fix for CVE-2012-0790 NOTE: Debian package applied already the more complete fix, see #659899 CVE-2013-4157 (Red Hat Storage 2.0 allows local users to overwrite arbitrary files vi ...) NOT-FOR-US: Red Hat Storage Server CVE-2013-4156 (Apache OpenOffice.org (OOo) before 4.0 allows remote attackers to caus ...) - libreoffice 1:4.1.0-1 (unimportant) [wheezy] - libreoffice (Minor issue) - openoffice.org (unimportant) NOTE: Harmless crash CVE-2013-4155 (OpenStack Swift before 1.9.1 in Folsom, Grizzly, and Havana allows aut ...) {DSA-2737-1} - swift 1.8.0-7 (bug #719008) CVE-2013-4154 (The qemuAgentCommand function in libvirt before 1.1.1, when a guest ag ...) - libvirt 1.1.0-4 (low; bug #717355) [squeeze] - libvirt (only affects >= 1.1.0) [wheezy] - libvirt (only affects >= 1.1.0) NOTE: Introduced by http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=d47eff88fe50e43a36671f6d8d0eeda52835d5e0 (v1.1.0) NOTE: http://openwall.com/lists/oss-security/2013/07/19/12 CVE-2013-4153 (Double free vulnerability in the qemuAgentGetVCPUs function in qemu/qe ...) - libvirt 1.1.0-4 (bug #717354) [squeeze] - libvirt (Introduced in 1.0.6) [wheezy] - libvirt (Introduced in 1.0.6) NOTE: http://openwall.com/lists/oss-security/2013/07/19/11 CVE-2013-4152 (The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, ...) {DSA-2842-1} - libspring-java 3.0.6.RELEASE-10 (low; bug #720902) CVE-2013-4151 (The virtio_load function in virtio/virtio.c in QEMU 1.x before 1.7.2 a ...) - qemu 2.1+dfsg-1 (low; bug #739589) [wheezy] - qemu (Minor issue, hardly exploitable in practice) [squeeze] - qemu (Minor issue, hardly exploitable in practice) - qemu-kvm (low) [wheezy] - qemu-kvm (Minor issue, hardly exploitable in practice) [squeeze] - qemu-kvm (Minor issue, hardly exploitable in practice) CVE-2013-4150 (The virtio_net_load function in hw/net/virtio-net.c in QEMU 1.5.0 thro ...) - qemu 2.1+dfsg-1 (low; bug #739589) [wheezy] - qemu (Minor issue, hardly exploitable in practice) [wheezy] - qemu-kvm (Minor issue, hardly exploitable in practice) [squeeze] - qemu (Minor issue, hardly exploitable in practice) - qemu-kvm (low) [squeeze] - qemu-kvm (Minor issue, hardly exploitable in practice) CVE-2013-4149 (Buffer overflow in virtio_net_load function in net/virtio-net.c in QEM ...) - qemu 2.1+dfsg-1 (low; bug #739589) [wheezy] - qemu (Minor issue, hardly exploitable in practice) [wheezy] - qemu-kvm (Minor issue, hardly exploitable in practice) [squeeze] - qemu (Minor issue, hardly exploitable in practice) - qemu-kvm (low) [squeeze] - qemu-kvm (Minor issue, hardly exploitable in practice) CVE-2013-4148 (Integer signedness error in the virtio_net_load function in hw/net/vir ...) - qemu 2.1+dfsg-1 (low; bug #739589) [wheezy] - qemu (Minor issue, hardly exploitable in practice) [wheezy] - qemu-kvm (Minor issue, hardly exploitable in practice) [squeeze] - qemu (Minor issue, hardly exploitable in practice) - qemu-kvm (low) [squeeze] - qemu-kvm (Minor issue, hardly exploitable in practice) CVE-2013-4147 (Multiple format string vulnerabilities in Yet Another Radius Daemon (Y ...) - yardradius (low; bug #714612) [squeeze] - yardradius (Minor issue) [wheezy] - yardradius (Minor issue) CVE-2013-4146 RESERVED CVE-2013-4145 REJECTED CVE-2013-4144 RESERVED CVE-2013-4143 (The (1) checkPasswd and (2) checkGroupXlockPasswds functions in xlockm ...) - xlockmore NOTE: http://openwall.com/lists/oss-security/2013/07/16/8 CVE-2013-4142 REJECTED CVE-2013-4141 REJECTED CVE-2013-4140 (Cross-site scripting (XSS) vulnerability in the TinyBox (Simple Splash ...) NOT-FOR-US: TinyBox Drupal contributed module CVE-2013-4139 (The Stage File Proxy module 7.x-1.x before 7.x-1.4 for Drupal allows r ...) NOT-FOR-US: Stage File Proxy Drupal contributed module CVE-2013-4138 (Cross-site scripting (XSS) vulnerability in the Hatch theme 7.x-1.x be ...) NOT-FOR-US: Hatch Drupal contributed module CVE-2013-4137 (Multiple SQL injection vulnerabilities in StatusNet 1.0 before 1.0.2 a ...) - statusnet (bug #491723) CVE-2013-4136 (ext/common/ServerInstanceDir.h in Phusion Passenger gem before 4.0.6 f ...) - passenger 3.0.13debian-1.2 - ruby-passenger 3.0.13debian-1.2 (low; bug #717176) [squeeze] - passenger (minor, local, issue) [wheezy] - ruby-passenger 3.0.13debian-1+deb7u1 CVE-2013-4135 (The vos command in OpenAFS 1.6.x before 1.6.5, when using the -encrypt ...) {DSA-2729-1} - openafs 1.6.5-1 CVE-2013-4134 (OpenAFS before 1.4.15, 1.6.x before 1.6.5, and 1.7.x before 1.7.26 use ...) {DSA-2729-1} - openafs 1.6.5-1 CVE-2013-4133 (kde-workspace before 4.10.5 has a memory leak in plasma desktop ...) - kde-workspace 4:4.10.5-3 (unimportant; bug #717180) NOTE: https://bugs.kde.org/show_bug.cgi?id=314919 NOTE: Plain bug, security implication rather far-fetched CVE-2013-4132 (KDE-Workspace 4.10.5 and earlier does not properly handle the return v ...) - kde-workspace 4:4.10.5-3 (bug #717180) [wheezy] - kde-workspace (Only exploitable with glibc 2.17) - kdebase-workspace (Only exploitable with glibc 2.17) NOTE: https://git.reviewboard.kde.org/r/111261/ NOTE: https://projects.kde.org/projects/kde/kde-workspace/repository/revisions/45b7f137fbc0b942fd2c9b4e8d8c1f0293e64ba7 NOTE: only relevant with eglibc >= 2.17. CVE-2013-4131 (The mod_dav_svn Apache HTTPD server module in Subversion 1.7.0 through ...) - subversion 1.7.13-1 (bug #717794) [squeeze] - subversion (Only affects >= 1.7) [wheezy] - subversion (Only affects >= 1.7) CVE-2013-4130 (The (1) red_channel_pipes_add_type and (2) red_channel_pipes_add_empty ...) {DSA-2839-1} - spice 0.12.4-0nocelt1 (low; bug #717030) [wheezy] - spice (Minor issue) CVE-2013-4129 (The bridge multicast implementation in the Linux kernel through 3.10.3 ...) - linux (Introduced in 3.11-rc1) - linux-2.6 (Introduced in 3.11-rc1) CVE-2013-4128 (Red Hat JBoss Enterprise Application Platform (EAP) 6.1.0 does not pro ...) - jbossas4 (Only builds a few libraries, not the full application server, #581226) CVE-2013-4127 (Use-after-free vulnerability in the vhost_net_set_backend function in ...) - linux 3.10.5-1 [wheezy] - linux (Introduced in 3.8) - linux-2.6 (Introduced in 3.8) CVE-2013-4126 RESERVED CVE-2013-4125 (The fib6_add_rt2node function in net/ipv6/ip6_fib.c in the IPv6 stack ...) - linux 3.10.5-1 [wheezy] - linux (Introduced in 3.7) - linux-2.6 (Introduced in 3.7) CVE-2013-4124 (Integer overflow in the read_nttrans_ea_list function in nttrans.c in ...) - samba 2:3.6.17-1 (low) [wheezy] - samba 2:3.6.6-6+deb7u1 [squeeze] - samba 2:3.5.6~dfsg-3squeeze10 - samba4 (low) [wheezy] - samba4 4.0.0~beta2+dfsg1-3.2+deb7u1 NOTE: https://www.samba.org/samba/security/CVE-2013-4124 NOTE: samba as per 2:4.0.9+dfsg-2 is the first upload of the unified samba 4.x package to unstable. NOTE: Issue also fixed in 4.0.8 upstream, thus the fix still contained in 4.x in unstable CVE-2013-4123 (client_side_request.cc in Squid 3.2.x before 3.2.13 and 3.3.x before 3 ...) - squid (Only affects 3.2 onwards) - squid3 3.3.8-1 (bug #716743) [wheezy] - squid3 (Only affects 3.2 onwards) [squeeze] - squid3 (Only affects 3.2 onwards) NOTE: http://www.squid-cache.org/Advisories/SQUID-2013_3.txt CVE-2013-4122 (Cyrus SASL 2.1.23, 2.1.26, and earlier does not properly handle when a ...) {DSA-3368-1} - cyrus-sasl2 2.1.26.dfsg1-14 (bug #716835; bug #784112) [wheezy] - cyrus-sasl2 (Only exploitable with eglibc 2.17 and later) [squeeze] - cyrus-sasl2 (Only exploitable with eglibc 2.17 and later) NOTE: http://openwall.com/lists/oss-security/2013/07/12/3 NOTE: http://git.cyrusimap.org/cyrus-sasl/commit/?id=dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d NOTE: https://bugzilla.cyrusimap.org/show_bug.cgi?id=3803 NOTE: https://bugzilla.cyrusimap.org/show_bug.cgi?id=3806 NOTE: Was originally already fixed in 2.1.25.dfsg1-14 (cf. #716835) CVE-2013-4121 REJECTED CVE-2013-4120 (Katello has a Denial of Service vulnerability in API OAuth authenticat ...) NOT-FOR-US: Katello CVE-2013-4119 (FreeRDP before 1.1.0-beta+2013071101 allows remote attackers to cause ...) - freerdp (The server part is not build) NOTE: https://github.com/FreeRDP/FreeRDP/commit/0773bb9303d24473fe1185d85a424dfe159aff53 NOTE: Server disabled: option(WITH_SERVER "Build server binaries" OFF) in CMakeLists.txt CVE-2013-4118 (FreeRDP before 1.1.0-beta1 allows remote attackers to cause a denial o ...) - freerdp (The server part is not build) NOTE: https://github.com/FreeRDP/FreeRDP/commit/7d58aac24fe20ffaad7bd9b40c9ddf457c1b06e7 NOTE: Server disabled: option(WITH_SERVER "Build server binaries" OFF) in CMakeLists.txt CVE-2013-4117 (Cross-site scripting (XSS) vulnerability in includes/CatGridPost.php i ...) NOT-FOR-US: WordPress plugin category-grid-view-gallery CVE-2013-4116 (lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local us ...) - npm 1.3.10~dfsg-1 (bug #715325) NOTE: Upstream fix https://github.com/isaacs/npm/commit/f4d31693 NOTE: https://github.com/isaacs/npm/issues/3635 CVE-2013-4115 (Buffer overflow in the idnsALookup function in dns_internal.cc in Squi ...) - squid (Only affects 3.2 onwards) - squid3 3.3.8-1 (bug #716743) [wheezy] - squid3 (Only affects 3.2 onwards) [squeeze] - squid3 (Only affects 3.2 onwards) NOTE: http://www.squid-cache.org/Advisories/SQUID-2013_2.txt CVE-2013-4114 (The automatic update request in Nagstamont before 0.9.10 uses a cleart ...) - nagstamon 0.9.9-2 (low; bug #716718) [wheezy] - nagstamon (Minor issue) [squeeze] - nagstamon (Minor issue) NOTE: update checks are disabled in Debian by default, see debian/patches/check-for-new-version.patch CVE-2013-4113 (ext/xml/xml.c in PHP before 5.3.27 does not properly consider parsing ...) {DSA-2723-1} - php5 5.5.0+dfsg-15 (bug #717139) CVE-2013-4112 (The DiagnosticsHandler in JGroup 3.0.x, 3.1.x, 3.2.x before 3.2.9, and ...) - libjgroups-java 2.12.2.Final-4 (bug #717031) [wheezy] - libjgroups-java (Minor issue) [squeeze] - libjgroups-java (Minor issue) NOTE: libjgroups-java/2.12.2.Final-4 disables diagnostic probing by default CVE-2013-4111 (The Python client library for Glance (python-glanceclient) before 0.10 ...) - python-glanceclient 1:0.9.0-2 (bug #718282) CVE-2013-4110 (Cryptocat has an Unspecified Chat Participant User List Disclosure ...) NOT-FOR-US: Cryptocat CVE-2013-4109 (An unspecified cross-site scripting (XSS) vulnerability exists in Cryp ...) NOT-FOR-US: Cryptocat CVE-2013-4108 (Multiple unspecified vulnerabilities in Cryptocat Project Cryptocat 2. ...) NOT-FOR-US: Cryptocat CVE-2013-4107 (Cryptocat before 2.0.22: cryptocat.js handlePresence() has cross site ...) NOT-FOR-US: Cryptocat CVE-2013-4106 (A Cross-site scripting (XSS) vulnerability exists in Conversation Over ...) NOT-FOR-US: Cryptocat CVE-2013-4105 (Cryptocat before 2.0.22 has Multiparty Encryption Scheme Information D ...) NOT-FOR-US: Cryptocat CVE-2013-4104 (Cryptocat before 2.0.22 has weak encryption in the Socialist Millionna ...) NOT-FOR-US: Cryptocat CVE-2013-4103 (Cryptocat before 2.0.22 has Remote Script Injection due to improperly ...) NOT-FOR-US: Cryptocat CVE-2013-4102 (Cryptocat before 2.0.22 strophe.js Math.random() Random Number Generat ...) NOT-FOR-US: Cryptocat CVE-2013-4101 (Cryptocat before 2.0.22 Link Markup Decorator HTML Handling Weakness ...) NOT-FOR-US: Cryptocat CVE-2013-4100 (Cryptocat before 2.0.22 has Remote Denial of Service via username ...) NOT-FOR-US: Cryptocat CVE-2013-4099 (Multiple unspecified vulnerabilities in OpenAL32.dll in JOAL 2.0-rc11, ...) NOT-FOR-US: JOGAMP CVE-2013-4098 (ServerAdmin/ErrorViewer.jsp in DS3 Authentication Server allow remote ...) NOT-FOR-US: DS3 Authentication Server CVE-2013-4097 (ServerAdmin/TestDRConnection.jsp in DS3 Authentication Server allows r ...) NOT-FOR-US: DS3 Authentication Server CVE-2013-4096 (ServerAdmin/TestTelnetConnection.jsp in DS3 Authentication Server allo ...) NOT-FOR-US: DS3 Authentication Server CVE-2013-4095 (plain/actionsets.html in the SecureSphere Operations Manager (SOM) Man ...) NOT-FOR-US: Imperva SecureSphere CVE-2013-4094 (The Key Management feature in the SecureSphere Operations Manager (SOM ...) NOT-FOR-US: Imperva SecureSphere CVE-2013-4093 (The SecureSphere Operations Manager (SOM) Management Server in Imperva ...) NOT-FOR-US: Imperva SecureSphere CVE-2013-4092 (The SecureSphere Operations Manager (SOM) Management Server in Imperva ...) NOT-FOR-US: Imperva SecureSphere CVE-2013-4091 (The SecureSphere Operations Manager (SOM) Management Server in Imperva ...) NOT-FOR-US: Imperva SecureSphere CVE-2013-4090 (Varnish HTTP cache before 3.0.4: ACL bug ...) - varnish 3.0.4-1 NOTE: https://varnish-cache.org/lists/pipermail/varnish-announce/2013-June/000684.html CVE-2013-4089 RESERVED CVE-2013-4088 (Kernel/Modules/AgentTicketWatcher.pm in Open Ticket Request System (OT ...) {DSA-2712-1} - otrs2 3.2.8-1 [squeeze] - otrs2 2.4.9+dfsg1-3+squeeze4 NOTE: DSA-2733-1 NOTE: http://web.archive.org/web/20130827134500/http://www.otrs.com:80/en/open-source/community-news/security-advisories/security-advisory-2013-04/ CVE-2013-4087 RESERVED CVE-2013-4086 RESERVED CVE-2013-4085 RESERVED CVE-2013-4084 RESERVED CVE-2013-4083 (The dissect_pft function in epan/dissectors/packet-dcp-etsi.c in the D ...) {DSA-2709-1} - wireshark 1.10.0-1 (bug #711918) [squeeze] - wireshark 1.2.11-6+squeeze11 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8717 CVE-2013-4082 (The vwr_read function in wiretap/vwr.c in the Ixia IxVeriWave file par ...) {DSA-2709-1} - wireshark 1.10.0-1 (bug #711918) [squeeze] - wireshark (Only affects 1.8+) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8760 CVE-2013-4081 (The http_payload_subdissector function in epan/dissectors/packet-http. ...) {DSA-2709-1} - wireshark 1.10.0-1 (unimportant; bug #711918) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8733 NOTE: Not suitable for code injection CVE-2013-4080 (The dissect_r3_upstreamcommand_queryconfig function in epan/dissectors ...) {DLA-497-1} - wireshark 1.10.0-1 (unimportant; bug #711918) NOTE: no code injection, not treated as a security issue, see README.Debian.security [squeeze] - wireshark (Only affects 1.8+) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8764 CVE-2013-4079 (The dissect_schedule_message function in epan/dissectors/packet-gsm_cb ...) {DLA-497-1} - wireshark 1.10.0-1 (unimportant; bug #711918) NOTE: no code injection, not treated as a security issue, see README.Debian.security [squeeze] - wireshark (Only affects 1.8+) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8730 CVE-2013-4078 (epan/dissectors/packet-rdp.c in the RDP dissector in Wireshark 1.8.x b ...) {DSA-2709-1} - wireshark 1.10.0-1 (bug #711918) [squeeze] - wireshark (Only affects 1.8+) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7862 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8729 CVE-2013-4077 (Array index error in the NBAP dissector in Wireshark 1.8.x before 1.8. ...) {DSA-2709-1} - wireshark 1.10.0-1 (bug #711918) [squeeze] - wireshark (Only affects 1.8+) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8697 CVE-2013-4076 (Buffer overflow in the dissect_iphc_crtp_fh function in epan/dissector ...) {DSA-2709-1} - wireshark 1.10.0-1 (bug #711918) [squeeze] - wireshark (Only affects 1.8+) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7880 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8727 CVE-2013-4075 (epan/dissectors/packet-gmr1_bcch.c in the GMR-1 BCCH dissector in Wire ...) {DSA-2709-1} - wireshark 1.10.0-1 (bug #711918) [squeeze] - wireshark (Only affects 1.8+) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7664 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8726 CVE-2013-4074 (The dissect_capwap_data function in epan/dissectors/packet-capwap.c in ...) {DSA-2709-1} - wireshark 1.10.0-1 (bug #711918) [squeeze] - wireshark (Vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8725 CVE-2013-4073 (The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/s ...) {DSA-2809-1 DSA-2738-1} - ruby1.8 1.8.7.358-7.1 (bug #714541) - ruby1.9.1 1.9.3.194-8.2 (bug #714543) - puppet (Only affects Puppet Enterprise) NOTE: http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/ NOTE: https://github.com/ruby/ruby/commit/2669b84d407ab431e965145c827db66c91158f89 (1.9.3) NOTE: https://github.com/ruby/ruby/commit/961bf7496ded3acfe847cf56fa90bbdcfd6e614f (1.8.7) NOTE: Regression with patch: https://bugs.ruby-lang.org/issues/8575 NOTE: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?revision=41812&view=revision CVE-2013-4072 RESERVED CVE-2013-4071 RESERVED CVE-2013-4070 (The Portal application in IBM SPSS Collaboration and Deployment Servic ...) NOT-FOR-US: IBM SPSS Collaboration and Deployment Services CVE-2013-4069 (The Portal application in IBM SPSS Collaboration and Deployment Servic ...) NOT-FOR-US: IBM SPSS Collaboration and Deployment Services CVE-2013-4068 (Buffer overflow in iNotes in IBM Domino 8.5.3 before FP5 IF1 and 9.0 b ...) NOT-FOR-US: IBM CVE-2013-4067 (IBM InfoSphere Information Server 8.0, 8.1, 8.5 through FP3, 8.7, and ...) NOT-FOR-US: IBM InfoSphere Information Server CVE-2013-4066 (IBM InfoSphere Information Server 8.0, 8.1, 8.5 through FP3, 8.7, and ...) NOT-FOR-US: IBM InfoSphere Information Server CVE-2013-4065 (Cross-site scripting (XSS) vulnerability in iNotes in IBM Domino 8.5.x ...) NOT-FOR-US: iNotes in IBM Domino CVE-2013-4064 (Cross-site scripting (XSS) vulnerability in iNotes in IBM Domino 8.5.x ...) NOT-FOR-US: iNotes in IBM Domino CVE-2013-4063 (Cross-site scripting (XSS) vulnerability in iNotes in IBM Domino 8.5.x ...) NOT-FOR-US: iNotes in IBM Domino CVE-2013-4062 (IBM Rational Policy Tester 8.5 before 8.5.0.5 does not verify X.509 ce ...) NOT-FOR-US: IBM CVE-2013-4061 (IBM Rational Policy Tester 8.5 before 8.5.0.5 does not properly check ...) NOT-FOR-US: IBM CVE-2013-4060 RESERVED CVE-2013-4059 (Multiple cross-site scripting (XSS) vulnerabilities in IBM InfoSphere ...) NOT-FOR-US: IBM InfoSphere CVE-2013-4058 (Multiple SQL injection vulnerabilities in IBM InfoSphere Information S ...) NOT-FOR-US: IBM InfoSphere CVE-2013-4057 (Cross-site request forgery (CSRF) vulnerability in the XML Pack in IBM ...) NOT-FOR-US: IBM InfoSphere CVE-2013-4056 (Cross-site request forgery (CSRF) vulnerability in the Data Quality Co ...) NOT-FOR-US: IBM CVE-2013-4055 (Cross-site scripting (XSS) vulnerability in webadmin.nsf in Domino Web ...) NOT-FOR-US: IBM Domino CVE-2013-4054 (Directory traversal vulnerability in WMQ Telemetry in IBM WebSphere MQ ...) NOT-FOR-US: WebSphere CVE-2013-4053 (The WS-Security implementation in IBM WebSphere Application Server (WA ...) NOT-FOR-US: WebSphere CVE-2013-4052 (Cross-site scripting (XSS) vulnerability in the UDDI Administrative co ...) NOT-FOR-US: WebSphere CVE-2013-4051 (Cross-site scripting (XSS) vulnerability in webadmin.nsf in Domino Web ...) NOT-FOR-US: IBM Domino CVE-2013-4050 (Cross-site request forgery (CSRF) vulnerability in webadmin.nsf in Dom ...) NOT-FOR-US: IBM Domino CVE-2013-4049 (Unrestricted file upload vulnerability in IBM SPSS Analytical Decision ...) NOT-FOR-US: IBM SPSS CVE-2013-4048 (Cross-site scripting (XSS) vulnerability in IBM SPSS Analytical Decisi ...) NOT-FOR-US: IBM SPSS CVE-2013-4047 (Cross-site scripting (XSS) vulnerability in IBM SPSS Analytical Decisi ...) NOT-FOR-US: IBM SPSS CVE-2013-4046 (Open redirect vulnerability in IBM SPSS Collaboration and Deployment S ...) NOT-FOR-US: IBM SPSS Collaboration and Deployment Services CVE-2013-4045 (Cross-site scripting (XSS) vulnerability in the Portal application in ...) NOT-FOR-US: IBM SPSS Collaboration and Deployment Services CVE-2013-4044 (IBM SPSS Collaboration and Deployment Services 4.2.1 before 4.2.1.3 IF ...) NOT-FOR-US: IBM SPSS Collaboration and Deployment Services CVE-2013-4043 (The server in IBM SPSS Collaboration and Deployment Services 4.x befor ...) NOT-FOR-US: IBM SPSS Collaboration and Deployment Services CVE-2013-4042 (Unspecified vulnerability in IBM SPSS Collaboration and Deployment Ser ...) NOT-FOR-US: IBM SPSS Collaboration and Deployment Services CVE-2013-4041 (Unspecified vulnerability in IBM Java SDK 5.0.0 before SR16 FP4, 7.0.0 ...) NOT-FOR-US: IBM JDK CVE-2013-4040 (IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.1.2.x be ...) NOT-FOR-US: IBM Tivoli Application Dependency Discovery Manager CVE-2013-4039 (IBM WebSphere Extended Deployment Compute Grid 8.0 before 8.0.0.3 allo ...) NOT-FOR-US: IBM WebSphere CVE-2013-4038 (The Intelligent Platform Management Interface (IPMI) implementation in ...) NOT-FOR-US: IBM BladeCenter CVE-2013-4037 (The RAKP protocol support in the Intelligent Platform Management Inter ...) NOT-FOR-US: IBM BladeCenter CVE-2013-4036 (Cross-site scripting (XSS) vulnerability in IBM InfoSphere Master Data ...) NOT-FOR-US: IBM CVE-2013-4035 (IBM Sterling Connect:Direct for OpenVMS 3.4.00, 3.4.01, 3.5.00, 3.6.0, ...) NOT-FOR-US: IBM Sterling CVE-2013-4034 (IBM Cognos Business Intelligence 8.4.1 before IF3, 10.1.0 before IF4, ...) NOT-FOR-US: IBM CVE-2013-4033 (IBM DB2 and DB2 Connect 9.7 through FP8, 9.8 through FP5, 10.1 through ...) NOT-FOR-US: IBM DB2 CVE-2013-4032 (The Fast Communications Manager (FCM) in IBM DB2 Enterprise Server Edi ...) NOT-FOR-US: IBM CVE-2013-4031 (The Intelligent Platform Management Interface (IPMI) implementation in ...) NOT-FOR-US: IBM BladeCenter CVE-2013-4030 (Integrated Management Module (IMM) 2 1.00 through 2.00 on IBM System X ...) NOT-FOR-US: IBM System X and Flex System CVE-2013-4029 RESERVED CVE-2013-4028 RESERVED CVE-2013-4027 (IBM Maximo Asset Management 6.2 through 6.2.8, 7.1 through 7.1.1.12, a ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2013-4026 RESERVED CVE-2013-4025 (IBM Data Studio Web Console 3.x before 3.2, Optim Performance Manager ...) NOT-FOR-US: IBM CVE-2013-4024 (IBM Data Studio Web Console 3.x before 3.2, Optim Performance Manager ...) NOT-FOR-US: IBM CVE-2013-4023 RESERVED CVE-2013-4022 (IBM Data Studio Web Console 3.x before 3.2, Optim Performance Manager ...) NOT-FOR-US: IBM CVE-2013-4021 (IBM Maximo Asset Management 6.2 through 6.2.8, 7.1 before 7.1.1.12, an ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2013-4020 (IBM Maximo Asset Management 6.2 through 6.2.8, 7.1 through 7.1.1.12, a ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2013-4019 (Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Managemen ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2013-4018 (IBM Maximo Asset Management 6.2 through 6.2.8, 7.1 before 7.1.1.12, an ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2013-4017 (SQL injection vulnerability in IBM Maximo Asset Management 7.1 before ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2013-4016 (SQL injection vulnerability in IBM Maximo Asset Management 7.x before ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2013-4015 (Microsoft Internet Explorer 6 through 10 allows local users to bypass ...) NOT-FOR-US: MS IE CVE-2013-4014 (Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Managemen ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2013-4013 (IBM Maximo Asset Management 6.2 through 6.2.8, 7.1 through 7.1.1.12, a ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2013-4012 (IBM WebSphere Portal 8.0.0.x before 8.0.0.1 CF09, when Content Templat ...) NOT-FOR-US: IBM WebSphere Portal CVE-2013-4011 (Multiple unspecified vulnerabilities in the InfiniBand subsystem in IB ...) NOT-FOR-US: IBM AIX CVE-2013-4010 RESERVED CVE-2013-4009 RESERVED CVE-2013-4008 RESERVED CVE-2013-4007 (Cross-site scripting (XSS) vulnerability in adv_sw.php in the Advanced ...) NOT-FOR-US: IBM CVE-2013-4006 (IBM WebSphere Application Server (WAS) Liberty Profile 8.5 before 8.5. ...) NOT-FOR-US: IBM CVE-2013-4005 (Cross-site scripting (XSS) vulnerability in the Administrative console ...) NOT-FOR-US: IBM WebSphere CVE-2013-4004 (Cross-site scripting (XSS) vulnerability in the Administrative console ...) NOT-FOR-US: IBM WebSphere CVE-2013-4003 (Multiple cross-site scripting (XSS) vulnerabilities in IBM TRIRIGA App ...) NOT-FOR-US: IBM TRIRIGA CVE-2013-4002 (XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used i ...) - openjdk-6 6b27-1.12.7-1 - openjdk-7 7u45-2.4.3-1 CVE-2013-4001 (Session fixation vulnerability in IBM Cognos Command Center before 10. ...) NOT-FOR-US: IBM Cognos Command Center CVE-2013-4000 (Multiple cross-site request forgery (CSRF) vulnerabilities in IBM Cogn ...) NOT-FOR-US: IBM Cognos Command Center CVE-2013-3999 (Cross-site scripting (XSS) vulnerability in IBM Social Media Analytics ...) NOT-FOR-US: IBM Social Media Analytics CVE-2013-3998 (CRLF injection vulnerability in the Web Application Enterprise Console ...) NOT-FOR-US: IBM InfoSphere CVE-2013-3997 (Open redirect vulnerability in the Web Application Enterprise Console ...) NOT-FOR-US: IBM InfoSphere CVE-2013-3996 (IBM InfoSphere BigInsights 1.1 through 2.1 does not properly handle FR ...) NOT-FOR-US: IBM CVE-2013-3995 (Cross-site scripting (XSS) vulnerability in IBM InfoSphere BigInsights ...) NOT-FOR-US: IBM CVE-2013-3994 RESERVED CVE-2013-3993 (IBM InfoSphere BigInsights before 2.1.0.3 allows remote authenticated ...) NOT-FOR-US: IBM InfoSphere BigInsights CVE-2013-3992 (Cross-site request forgery (CSRF) vulnerability in IBM InfoSphere BigI ...) NOT-FOR-US: IBM CVE-2013-3991 RESERVED CVE-2013-3990 (Cross-site scripting (XSS) vulnerability in the MIME e-mail functional ...) NOT-FOR-US: IBM CVE-2013-3989 (IBM Security AppScan Enterprise 8.x before 8.8 sends a cleartext AppSc ...) NOT-FOR-US: IBM Security AppScan Enterprise CVE-2013-3988 (The Meeting Server in IBM Sametime 8.5.2 through 8.5.2.1 and 9.x throu ...) NOT-FOR-US: IBM Sametime CVE-2013-3987 RESERVED CVE-2013-3986 (IBM Lotus Sametime 8.5.2 and 8.5.2.1 allows remote attackers to cause ...) NOT-FOR-US: IBM CVE-2013-3985 (The Enterprise Meeting Server in IBM Lotus Sametime 8.5.2 and 8.5.2.1 ...) NOT-FOR-US: IBM CVE-2013-3984 (The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through ...) NOT-FOR-US: IBM Sametime CVE-2013-3983 (The Meeting Server in IBM Sametime 8.5.2 through 8.5.2.1 and 9.x throu ...) NOT-FOR-US: IBM Sametime CVE-2013-3982 (The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through ...) NOT-FOR-US: IBM Sametime CVE-2013-3981 (The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through ...) NOT-FOR-US: IBM Sametime CVE-2013-3980 (The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through ...) NOT-FOR-US: IBM Sametime CVE-2013-3979 (Multiple cross-site scripting (XSS) vulnerabilities in the help pages ...) NOT-FOR-US: IBM Cognos Command Center CVE-2013-3978 (The Meeting Server in IBM Sametime 8.5.2 through 8.5.2.1 and 9.x throu ...) NOT-FOR-US: IBM Sametime CVE-2013-3977 (The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through ...) NOT-FOR-US: IBM Sametime CVE-2013-3976 (The (1) Data Protection for Exchange component 6.1 before 6.1.3.4 and ...) NOT-FOR-US: IBM Tivoli CVE-2013-3975 (Unspecified vulnerability in the Meeting Server in IBM Sametime 8.x th ...) NOT-FOR-US: IBM Sametime CVE-2013-3974 RESERVED CVE-2013-3973 (SQL injection vulnerability in IBM Maximo Asset Management 7.1 before ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2013-3972 (IBM Maximo Asset Management 7.1 before 7.1.1.12 and 7.5 before 7.5.0.5 ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2013-3971 (IBM Maximo Asset Management 7.1 through 7.1.1.12 and 7.5 before 7.5.0. ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2013-3970 (Juniper Junos Pulse Secure Access Service (aka SSL VPN) with IVE OS 7. ...) NOT-FOR-US: Juniper Junos Pulse Secure Access Service CVE-2013-3969 (The find prototype in scripting/engine_v8.h in MongoDB 2.4.0 through 2 ...) - mongodb 1:2.4.5-1 (bug #715007; bug #717173) [squeeze] - mongodb (Only affects 2.4.x) [wheezy] - mongodb (Only affects 2.4.x) NOTE: http://www.mongodb.org/about/alerts/ SERVER-9878 CVE-2013-3968 RESERVED CVE-2013-3967 RESERVED CVE-2013-3966 RESERVED CVE-2013-3965 RESERVED CVE-2013-3964 (Cross-site scripting (XSS) vulnerability in Samsung SHR-5162, SHR-5082 ...) NOT-FOR-US: Samsung CVE-2013-3963 (Cross-site request forgery (CSRF) vulnerability in goform/usermanage i ...) NOT-FOR-US: Grandstream CVE-2013-3962 (Cross-site scripting (XSS) vulnerability in Grandstream GXV3501, GXV35 ...) NOT-FOR-US: Grandstream CVE-2013-3961 (SQL injection vulnerability in edit_event.php in Simple PHP Agenda bef ...) NOT-FOR-US: Simple PHP Agenda CVE-2013-3960 (Easytime Studio Easy File Manager 1.1 has a HTTP request security bypa ...) NOT-FOR-US: Easytime Studio Easy File Manager CVE-2013-3959 (The Web Navigator in Siemens WinCC before 7.2 Update 1, as used in SIM ...) NOT-FOR-US: Siemens WinCC CVE-2013-3958 (The login implementation in the Web Navigator in Siemens WinCC before ...) NOT-FOR-US: Siemens WinCC CVE-2013-3957 (SQL injection vulnerability in the login screen in the Web Navigator i ...) NOT-FOR-US: Siemens WinCC CVE-2013-3956 (The NICM.SYS kernel driver 3.1.11.0 in Novell Client 4.91 SP5 on Windo ...) NOT-FOR-US: Novell Client on Windows CVE-2013-3955 (The get_xattrinfo function in the XNU kernel in Apple iOS 5.x and 6.x ...) NOT-FOR-US: Apple iOS CVE-2013-3954 (The posix_spawn system call in the XNU kernel in Apple Mac OS X 10.8.x ...) NOT-FOR-US: Apple Mac OS X CVE-2013-3953 (The mach_port_space_info function in osfmk/ipc/mach_debug.c in the XNU ...) NOT-FOR-US: Apple Mac OS X CVE-2013-3952 (The fill_pipeinfo function in bsd/kern/sys_pipe.c in the XNU kernel in ...) NOT-FOR-US: Apple Mac OS X CVE-2013-3951 (sys/openbsd/stack_protector.c in libc in Apple iOS 6.1.3 and Mac OS X ...) NOT-FOR-US: Apple iOS CVE-2013-3950 (Stack-based buffer overflow in the openSharedCacheFile function in dyl ...) NOT-FOR-US: Apple iOS CVE-2013-3949 (The posix_spawn system call in the XNU kernel in Apple Mac OS X 10.8.x ...) NOT-FOR-US: Apple Mac OS X CVE-2013-3948 (Apple iOS 6.1.3 does not follow redirects during determination of the ...) NOT-FOR-US: Apple iOS CVE-2013-3947 (Buffer overflow in MedCoreD.sys in AhnLab V3 Internet Security 8.0.7.5 ...) NOT-FOR-US: AhnLab V3 Internet Security CVE-2013-3946 (Heap-based buffer overflow in the MrSID plugin (MrSID.dll) before 4.37 ...) NOT-FOR-US: MrSID plugin (MrSID.dll) for IrfanView CVE-2013-3945 (The MrSID plugin (MrSID.dll) before 4.37 for IrfanView allows remote a ...) NOT-FOR-US: MrSID plugin (MrSID.dll) for IrfanView CVE-2013-3944 (Stack-based buffer overflow in the MrSID plugin (MrSID.dll) before 4.3 ...) NOT-FOR-US: MrSID plugin (MrSID.dll) for IrfanView CVE-2013-3943 (Cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) before 6. ...) NOT-FOR-US: DotNetNukeDot CVE-2013-3942 (Potplayer prior to 1.5.39659: DLL Loading Arbitrary Code Execution Vul ...) NOT-FOR-US: Potplayer CVE-2013-3941 (Xjp2.dll in XnView before 2.13 allows remote attackers to execute arbi ...) NOT-FOR-US: XnView CVE-2013-3940 (Integer overflow in the Graphics Device Interface (GDI) in Microsoft W ...) NOT-FOR-US: Microsoft CVE-2013-3939 (xnview.exe in XnView before 2.13 does not properly handle RLE strip le ...) NOT-FOR-US: XnView CVE-2013-3938 (Integer overflow in xnview.exe in XnView 2.13 allows remote attackers ...) NOT-FOR-US: XnView CVE-2013-3937 (Heap-based buffer overflow in xnview.exe in XnView before 2.13 allows ...) NOT-FOR-US: XnView CVE-2013-3936 (Multiple cross-site scripting (XSS) vulnerabilities in Opsview before ...) NOT-FOR-US: Opsview CVE-2013-3935 (Cross-site request forgery (CSRF) vulnerability in Opsview before 4.4. ...) NOT-FOR-US: Opsview CVE-2013-3934 (Stack-based buffer overflow in Kingsoft Writer 2012 8.1.0.3030, as use ...) NOT-FOR-US: Kingsoft Office 2013 CVE-2013-3933 (Cross-site scripting (XSS) vulnerability in the JoomShopping (com_joom ...) NOT-FOR-US: Joomla component com_joomshopping CVE-2013-3932 (SQL injection vulnerability in the Jomres (com_jomres) component befor ...) NOT-FOR-US: Jomres (com_jomres) component for Joomla! CVE-2013-3931 (Cross-site scripting (XSS) vulnerability in the Jomres (com_jomres) co ...) NOT-FOR-US: Jomres (com_jomres) component for Joomla! CVE-2013-3930 (Stack-based buffer overflow in Core FTP before 2.2 build 1785 allows r ...) NOT-FOR-US: Core FTP (client) CVE-2013-3929 (Cross-site scripting (XSS) vulnerability in admin/editevent.php in CMS ...) NOT-FOR-US: CMS Made Simple CVE-2013-3928 (Stack-based buffer overflow in the ReadFile function in flt_BMP.dll in ...) NOT-FOR-US: Chasys Draw IES CVE-2013-3927 (Unspecified vulnerability in the client library in Siemens COMOS 9.2 b ...) NOT-FOR-US: Siemens COMOS CVE-2013-3926 (** DISPUTED ** Atlassian Crowd 2.6.3 allows remote attackers to execut ...) NOT-FOR-US: Atlassian Crowd CVE-2013-3925 (Atlassian Crowd 2.5.x before 2.5.4, 2.6.x before 2.6.3, 2.3.8, and 2.4 ...) NOT-FOR-US: Atlassian Crowd CVE-2013-3924 RESERVED CVE-2013-3923 (Directory traversal vulnerability in SavySoda WiFi HD Free before 7.0 ...) NOT-FOR-US: SavySoda WiFi HD Free CVE-2013-3922 (Directory traversal vulnerability in Gummy Bear Studios FTP Drive + HT ...) NOT-FOR-US: Gummy Bear Studios FTP Drive + HTTP Server CVE-2013-3921 (Directory traversal vulnerability in Easytime Studio Easy File Manager ...) NOT-FOR-US: Easytime Studio Easy File Manager CVE-2013-3920 (Cross-site scripting (XSS) vulnerability in Jahia xCM before 6.6.2 all ...) NOT-FOR-US: Jahia xCM CVE-2013-3918 (The InformationCardSigninHelper Class ActiveX control in icardie.dll i ...) NOT-FOR-US: Microsoft CVE-2013-3917 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2013-3916 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2013-3915 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2013-3914 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2013-3913 REJECTED CVE-2013-3912 (Microsoft Internet Explorer 8 through 11 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2013-3911 (Microsoft Internet Explorer 9 and 10 allows remote attackers to execut ...) NOT-FOR-US: Microsoft CVE-2013-3910 (Microsoft Internet Explorer 6 through 9 allows remote attackers to exe ...) NOT-FOR-US: Microsoft CVE-2013-3909 (Microsoft Internet Explorer 6 through 8 allows remote attackers to rea ...) NOT-FOR-US: Microsoft CVE-2013-3908 (Microsoft Internet Explorer 6 through 10 allows user-assisted remote a ...) NOT-FOR-US: Microsoft CVE-2013-3907 (portcls.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, ...) NOT-FOR-US: Microsoft Windows Vista CVE-2013-3906 (GDI+ in Microsoft Windows Vista SP2 and Server 2008 SP2; Office 2003 S ...) NOT-FOR-US: Microsoft CVE-2013-3905 (Microsoft Outlook 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT does n ...) NOT-FOR-US: Microsoft CVE-2013-3904 REJECTED CVE-2013-3903 (Array index error in win32k.sys in the kernel-mode drivers in Microsof ...) NOT-FOR-US: Microsoft Windows CVE-2013-3902 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: Microsoft Windows CVE-2013-3901 REJECTED CVE-2013-3900 (The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windo ...) NOT-FOR-US: Microsoft Windows CVE-2013-3899 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2013-3898 (Microsoft Windows 8 and Windows Server 2012, when Hyper-V is used, doe ...) NOT-FOR-US: Microsoft CVE-2013-3897 (Use-after-free vulnerability in the CDisplayPointer class in mshtml.dl ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3896 (Microsoft Silverlight 5 before 5.1.20913.0 does not properly validate ...) NOT-FOR-US: Microsoft Silverlight CVE-2013-3895 (Microsoft SharePoint Server 2007 SP3 and 2010 SP1 and SP2 allows remot ...) NOT-FOR-US: Microsoft SharePoint Server CVE-2013-3894 (The kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows S ...) NOT-FOR-US: Microsoft Windows CVE-2013-3893 (Use-after-free vulnerability in the SetMouseCapture implementation in ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3892 (Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote ...) NOT-FOR-US: Microsoft Word CVE-2013-3891 (Microsoft Word 2003 SP3 allows remote attackers to execute arbitrary c ...) NOT-FOR-US: Microsoft Word CVE-2013-3890 (Microsoft Excel 2007 SP3, Excel Viewer, and Office Compatibility Pack ...) NOT-FOR-US: Microsoft CVE-2013-3889 (Microsoft Excel 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT; Office ...) NOT-FOR-US: Microsoft CVE-2013-3888 (dxgkrnl.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, ...) NOT-FOR-US: Microsoft Windows CVE-2013-3887 (The Ancillary Function Driver (AFD) in afd.sys in the kernel-mode driv ...) NOT-FOR-US: Microsoft CVE-2013-3886 (Microsoft Internet Explorer 9 and 10 allows remote attackers to execut ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3885 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3884 REJECTED CVE-2013-3883 REJECTED CVE-2013-3882 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3881 (win32k.sys in the kernel-mode drivers in Microsoft Windows 7 SP1 and W ...) NOT-FOR-US: Microsoft Windows CVE-2013-3880 (The App Container feature in the kernel-mode drivers in Microsoft Wind ...) NOT-FOR-US: Microsoft Windows CVE-2013-3879 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: Microsoft Windows CVE-2013-3878 (Stack-based buffer overflow in the LRPC client in Microsoft Windows XP ...) NOT-FOR-US: Microsoft Windows CVE-2013-3877 REJECTED CVE-2013-3876 (DirectAccess in Microsoft Windows XP SP2 and SP3, Windows Server 2003 ...) NOT-FOR-US: Microsoft CVE-2013-3875 (Microsoft Internet Explorer 8 and 9 allows remote attackers to execute ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3874 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3873 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3872 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3871 (Microsoft Internet Explorer 6 through 10 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3870 (Double free vulnerability in Microsoft Outlook 2007 SP3 and 2010 SP1 a ...) NOT-FOR-US: Microsoft Outlook CVE-2013-3869 (Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vis ...) NOT-FOR-US: Microsoft CVE-2013-3868 (Microsoft Active Directory Lightweight Directory Service (AD LDS) on W ...) NOT-FOR-US: Microsoft CVE-2013-3867 REJECTED CVE-2013-3866 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2013-3865 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2013-3864 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2013-3863 (Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allow remote atta ...) NOT-FOR-US: Microsoft CVE-2013-3862 (Double free vulnerability in Microsoft Windows 7 and Server 2008 R2 SP ...) NOT-FOR-US: Microsoft CVE-2013-3861 (Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 allo ...) NOT-FOR-US: Microsoft .NET Framework CVE-2013-3860 (Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does ...) NOT-FOR-US: Microsoft .NET Framework CVE-2013-3859 (Microsoft Pinyin IME 2010, when used in conjunction with Microsoft Off ...) NOT-FOR-US: Microsoft Pinyin IME CVE-2013-3858 (Microsoft Word Automation Services in SharePoint Server 2010 SP1, Word ...) NOT-FOR-US: Microsoft CVE-2013-3857 (Microsoft Word Automation Services in SharePoint Server 2010 SP1 and S ...) NOT-FOR-US: Microsoft CVE-2013-3856 (Microsoft Word 2003 SP3 and Word Viewer allow remote attackers to exec ...) NOT-FOR-US: Microsoft CVE-2013-3855 (Microsoft Word 2003 SP3 and 2007 SP3, Office Compatibility Pack SP3, a ...) NOT-FOR-US: Microsoft CVE-2013-3854 (Microsoft Office 2007 SP3 and Word 2007 SP3 allow remote attackers to ...) NOT-FOR-US: Microsoft CVE-2013-3853 (Microsoft Office 2007 SP3 and Word 2007 SP3 allow remote attackers to ...) NOT-FOR-US: Microsoft CVE-2013-3852 (Microsoft Word 2003 SP3, 2007 SP3, and 2010 SP1; Office Compatibility ...) NOT-FOR-US: Microsoft CVE-2013-3851 (Microsoft Office 2003 SP3 and 2007 SP3, Word 2003 SP3 and 2007 SP3, Of ...) NOT-FOR-US: Microsoft CVE-2013-3850 (Microsoft Word 2003 SP3, 2007 SP3, and 2010 SP1 and SP2; Office Compat ...) NOT-FOR-US: Microsoft Word CVE-2013-3849 (Microsoft Word Automation Services in SharePoint Server 2010 SP1, Word ...) NOT-FOR-US: Microsoft CVE-2013-3848 (Microsoft Word Automation Services in SharePoint Server 2010 SP1, Word ...) NOT-FOR-US: Microsoft CVE-2013-3847 (Microsoft Word Automation Services in SharePoint Server 2010 SP1, Word ...) NOT-FOR-US: Microsoft CVE-2013-3846 (Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 a ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3845 (Microsoft Internet Explorer 8 and 9 allows remote attackers to execute ...) NOT-FOR-US: Microsoft CVE-2013-3844 REJECTED CVE-2013-3842 (Unspecified vulnerability Oracle Solaris 10 allows local users to affe ...) NOT-FOR-US: Solaris CVE-2013-3841 (Unspecified vulnerability in the Siebel Core - EAI component in Oracle ...) NOT-FOR-US: Oracle Siebel CRM CVE-2013-3840 (Unspecified vulnerability in the Siebel Core - EAI component in Oracle ...) NOT-FOR-US: Oracle Siebel CRM CVE-2013-3839 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2818-1 DSA-2780-1} - mysql-5.5 5.5.33 - mysql-5.1 - mariadb-5.5 5.5.35-1 - mariadb-10.0 (Fixed before initial upload) NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html CVE-2013-3838 (Unspecified vulnerability in Oracle SPARC Enterprise T & M Series ...) NOT-FOR-US: Oracle SPARC Enterprise CVE-2013-3837 (Unspecified vulnerability in Oracle Solaris 10 and 11.1 allows remote ...) NOT-FOR-US: Oracle Solaris CVE-2013-3836 (Unspecified vulnerability in the Oracle Web Cache component in Oracle ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-3835 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-3834 (Unspecified vulnerability in the Oracle Secure Global Desktop componen ...) NOT-FOR-US: Oracle Secure Global Desktop CVE-2013-3833 (Unspecified vulnerability in the Oracle Access Manager component in Or ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-3832 (Unspecified vulnerability in the Siebel Server Remote component in Ora ...) NOT-FOR-US: Oracle Siebel CRM CVE-2013-3831 (Unspecified vulnerability in the Oracle Portal component in Oracle Fus ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-3830 (Unspecified vulnerability in the Hyperion Strategic Finance component ...) NOT-FOR-US: Oracle Hyperion CVE-2013-3829 (Unspecified vulnerability in the Java SE, Java SE Embedded component i ...) - openjdk-6 6b27-1.12.7-1 - openjdk-7 7u45-2.4.3-1 CVE-2013-3828 (Unspecified vulnerability in the Oracle Web Services component in Orac ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-3827 (Unspecified vulnerability in the Oracle GlassFish Server component in ...) - glassfish (Full application server not packaged) CVE-2013-3826 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2013-3825 (Unspecified vulnerability in the Oracle Agile Product Collaboration co ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2013-3824 (Unspecified vulnerability in the Oracle Agile Collaboration Framework ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2013-3823 (Unspecified vulnerability in the Oracle Agile PLM Framework component ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2013-3822 (Unspecified vulnerability in the Oracle Agile PLM Framework component ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2013-3821 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-3820 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-3819 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-3818 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-3817 REJECTED CVE-2013-3816 (Unspecified vulnerability in the Oracle Policy Automation component in ...) NOT-FOR-US: Oracle Industry Applications CVE-2013-3815 REJECTED CVE-2013-3814 (Unspecified vulnerability in the Oracle Retail Invoice Matching compon ...) NOT-FOR-US: Oracle Industry Applications CVE-2013-3813 (Unspecified vulnerability in Oracle Solaris 10 allows remote attackers ...) NOT-FOR-US: Oracle Solaris CVE-2013-3812 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2818-1} - mysql-5.5 5.5.33+dfsg-1 - mysql-5.1 (Only affects 5.5 and 5.6) - mariadb-5.5 (Fixed before initial upload) - mariadb-10.0 (Fixed before initial upload) NOTE: http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html CVE-2013-3811 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 (Only affects Mysql 5.6) - mysql-5.1 (Only affects Mysql 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html CVE-2013-3810 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 (Only affects Mysql 5.6) - mysql-5.1 (Only affects Mysql 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html CVE-2013-3809 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2818-1} - mysql-5.5 5.5.33+dfsg-1 - mysql-5.1 (Only affects 5.5 and 5.6) - mariadb-5.5 (Fixed before initial upload) - mariadb-10.0 (Fixed before initial upload) NOTE: http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html CVE-2013-3808 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2780-1} - mysql-5.5 5.5.31 - mysql-5.1 - mariadb-5.5 (Fixed before initial upload) - mariadb-10.0 (Fixed before initial upload) NOTE: http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html CVE-2013-3807 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 (Only affects Mysql 5.6) - mysql-5.1 (Only affects Mysql 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html CVE-2013-3806 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 (Only affects Mysql 5.6) - mysql-5.1 (Only affects Mysql 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html CVE-2013-3805 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 5.5.31 - mysql-5.1 (Only affects Mysql 5.5 and 5.6) - mariadb-5.5 (Fixed before initial upload) - mariadb-10.0 (Fixed before initial upload) NOTE: http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html CVE-2013-3804 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2818-1 DSA-2780-1} - mysql-5.5 5.5.33+dfsg-1 - mysql-5.1 - mariadb-5.5 (Fixed before initial upload) - mariadb-10.0 (Fixed before initial upload) NOTE: http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html CVE-2013-3803 (Unspecified vulnerability in the Hyperion BI+ component in Oracle Hype ...) NOT-FOR-US: Oracle Hyperion CVE-2013-3802 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2818-1 DSA-2780-1} - mysql-5.5 5.5.33+dfsg-1 - mysql-5.1 - mariadb-5.5 (Fixed before initial upload) - mariadb-10.0 (Fixed before initial upload) NOTE: http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html CVE-2013-3801 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 5.5.31 - mysql-5.1 (Only affects 5.5 and 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html CVE-2013-3800 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-3799 (Unspecified vulnerability in Oracle Solaris 10 and 11, when running on ...) NOT-FOR-US: Oracle Solaris CVE-2013-3798 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 (Only affects Mysql 5.6) - mysql-5.1 (Only affects Mysql 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html CVE-2013-3797 (Unspecified vulnerability in Oracle Solaris 11 allows local users to a ...) NOT-FOR-US: Oracle Solaris CVE-2013-3796 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 (Only affects Mysql 5.6) - mysql-5.1 (Only affects Mysql 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html CVE-2013-3795 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 (Only affects 5.5 and 5.6) - mysql-5.1 (Only affects 5.5 and 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html CVE-2013-3794 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 5.5.31 - mysql-5.1 (Only affects 5.5 and 5.6) - mariadb-10.0 (Fixed before initial upload) - mariadb-5.5 (Fixed before initial upload) NOTE: http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html CVE-2013-3793 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2818-1} - mysql-5.5 5.5.33+dfsg-1 - mysql-5.1 (Only affects 5.5 and 5.6) - mariadb-10.0 (Fixed before initial upload) - mariadb-5.5 (Fixed before initial upload) NOTE: http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html CVE-2013-3792 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) {DLA-313-1} - virtualbox-ose [squeeze] - virtualbox-ose (Minor issue) - virtualbox 4.2.16-dfsg-1 (bug #715327) [wheezy] - virtualbox 4.1.40-dfsg-1+deb7u1 NOTE: https://www.virtualbox.org/ticket/11863 NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html CVE-2013-3791 (Unspecified vulnerability in Enterprise Manager (EM) Base Platform 10. ...) NOT-FOR-US: Oracle Enterprise Manager CVE-2013-3790 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2013-3789 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2013-3788 (Unspecified vulnerability in the Oracle iSupplier Portal component in ...) NOT-FOR-US: Oracle E-Business Suite CVE-2013-3787 (Unspecified vulnerability in Oracle Solaris 10 and 11 allows remote at ...) NOT-FOR-US: Oracle Solaris CVE-2013-3786 (Unspecified vulnerability in Oracle Solaris 9, 10, and 11 allows local ...) NOT-FOR-US: Oracle Solaris CVE-2013-3785 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-3784 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-3783 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2818-1} - mysql-5.5 5.5.33+dfsg-1 - mysql-5.1 (Only affects 5.5) - mariadb-10.0 (Fixed before initial upload) - mariadb-5.5 (Fixed before initial upload) NOTE: http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html CVE-2013-3782 (Unspecified vulnerability in the Secure Global Desktop component in Or ...) NOT-FOR-US: Oracle Virtualization CVE-2013-3781 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-3780 (Unspecified vulnerability in the PeopleSoft Enterprise Portal componen ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-3779 (Unspecified vulnerability in the Secure Global Desktop component in Or ...) NOT-FOR-US: Oracle Virtualization CVE-2013-3778 (Unspecified vulnerability in the Oracle Applications Technology Stack ...) NOT-FOR-US: Oracle E-Business Suite CVE-2013-3777 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2013-3776 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-3775 (Unspecified vulnerability in the Oracle iLearning component in Oracle ...) NOT-FOR-US: Oracle iLearning CVE-2013-3774 (Unspecified vulnerability in the Network Layer component in Oracle Dat ...) NOT-FOR-US: Oracle Database Server CVE-2013-3773 (Unspecified vulnerability in the SPARC Enterprise M Series Servers com ...) NOT-FOR-US: Oracle and Sun Systems Products Suite CVE-2013-3772 (Unspecified vulnerability in the Oracle WebCenter Content component in ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-3771 (Unspecified vulnerability in the Oracle executable component in Oracle ...) NOT-FOR-US: Oracle Database Server CVE-2013-3770 (Unspecified vulnerability in the Oracle WebCenter Content component in ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-3769 (Unspecified vulnerability in the Oracle WebCenter Content component in ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-3768 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-3767 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite Access Gate CVE-2013-3766 (Unspecified vulnerability in the Primavera P6 Enterprise Project Portf ...) NOT-FOR-US: Oracle Primavera Products Suite CVE-2013-3765 (Unspecified vulnerability in Oracle Solaris 11 allows local users to a ...) NOT-FOR-US: Oracle Solaris CVE-2013-3764 (Unspecified vulnerability in the Oracle Endeca Server component in Ora ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-3763 (Unspecified vulnerability in the Oracle Endeca Server component in Ora ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-3762 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle Enterprise Manager Grid Control CVE-2013-3761 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products Portal CVE-2013-3760 (Unspecified vulnerability in the Oracle executable component in Oracle ...) NOT-FOR-US: Oracle Database Server CVE-2013-3759 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-3758 (Unspecified vulnerability in the Enterprise Manager (EM) Base Platform ...) NOT-FOR-US: Oracle Enterprise Manager CVE-2013-3757 (Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 allows re ...) NOT-FOR-US: Oracle Solaris CVE-2013-3756 (Unspecified vulnerability in the Oracle Landed Cost Management compone ...) NOT-FOR-US: Oracle E-Business Suite CVE-2013-3755 (Unspecified vulnerability in the Oracle Access Manager component in Or ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-3754 (Unspecified vulnerability in the Solaris Cluster component in Oracle a ...) NOT-FOR-US: Solaris CVE-2013-3753 (Unspecified vulnerability in Oracle Solaris 11 allows remote attackers ...) NOT-FOR-US: Oracle Solaris CVE-2013-3752 (Unspecified vulnerability in Oracle Solaris 11 allows remote attackers ...) NOT-FOR-US: Oracle Solaris CVE-2013-3751 (Unspecified vulnerability in the XML Parser component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2013-3750 (Unspecified vulnerability in Oracle Solaris 11 allows local users to a ...) NOT-FOR-US: Oracle Solaris CVE-2013-3749 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2013-3748 (Unspecified vulnerability in Oracle Solaris 11 allows remote attackers ...) NOT-FOR-US: Oracle Solaris CVE-2013-3747 (Unspecified vulnerability in the Oracle Applications Technology Stack ...) NOT-FOR-US: Oracle E-Business Suite CVE-2013-3746 (Unspecified vulnerability in the Solaris Cluster component in Oracle a ...) NOT-FOR-US: Solaris CVE-2013-3745 (Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 allows lo ...) NOT-FOR-US: Oracle Solaris CVE-2013-3744 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Only affects Java 7) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-3743 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Specific to Oracle Java, not present in IcedTea) NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected - openjdk-7 (Only affects Java 5 and Java 6) CVE-2013-3741 RESERVED CVE-2013-3740 RESERVED CVE-2013-3739 (Directory traversal vulnerability in editor.php in Network Weathermap ...) NOT-FOR-US: Network Weathermap CVE-2013-3738 (A File Inclusion vulnerability exists in Zabbix 2.0.6 due to inadequat ...) - zabbix 1:2.0.7+dfsg-1 NOTE: http://support.zabbix.com/browse/ZBX-6652 CVE-2013-3843 (Stack-based buffer overflow in the mk_request_header_process function ...) - monkey [squeeze] - monkey (Minor issue) CVE-2013-3919 (resolver.c in ISC BIND 9.8.5 before 9.8.5-P1, 9.9.3 before 9.9.3-P1, a ...) - bind9 (vulnerable code not present) NOTE: https://kb.isc.org/article/AA-00967 CVE-2013-3742 (Cross-site scripting (XSS) vulnerability in view_create.php (aka the C ...) - phpmyadmin 4:4.0.1-3 (low) [wheezy] - phpmyadmin (Vulnerable code not present) [squeeze] - phpmyadmin (Vulnerable code not present) CVE-2013-3737 (The MobileUI (aka RT-Extension-MobileUI) extension before 1.04 in Requ ...) NOT-FOR-US: Request Tracker extension MobileUI CVE-2013-3736 (Cross-site scripting (XSS) vulnerability in the MobileUI (aka RT-Exten ...) NOT-FOR-US: Request Tracker extension MobileUI CVE-2013-3735 (** DISPUTED ** The Zend Engine in PHP before 5.4.16 RC1, and 5.5.0 bef ...) - php5 (unimportant) NOTE: exploitable by malicious scripts only CVE-2013-3734 (** DISPUTED ** The Embedded Jopr component in JBoss Application Server ...) NOT-FOR-US: Embedded Jopr CVE-2013-3733 RESERVED CVE-2013-3732 RESERVED CVE-2013-3731 RESERVED CVE-2013-3730 RESERVED CVE-2013-3729 (Multiple cross-site request forgery (CSRF) vulnerabilities in Kasseler ...) NOT-FOR-US: Kasseler CMS CVE-2013-3728 (Cross-site scripting (XSS) vulnerability in Kasseler CMS before 2 r123 ...) NOT-FOR-US: Kasseler CMS CVE-2013-3727 (SQL injection vulnerability in Kasseler CMS before 2 r1232 allows remo ...) NOT-FOR-US: Kasseler CMS CVE-2013-3726 REJECTED CVE-2013-3725 (Invision Power Board (IPB) through 3.x allows admin account takeover l ...) NOT-FOR-US: Invision Power Board CVE-2013-3724 (The mk_request_header_process function in mk_request.c in Monkey 1.1.1 ...) - monkey (low) [squeeze] - monkey (Minor issue) CVE-2013-3723 RESERVED CVE-2013-3722 (A Denial of Service (infinite loop) exists in OpenSIPS before 1.10 in ...) - opensips (Fixed before initial upload to Debian) NOTE: https://github.com/OpenSIPS/opensips/commit/54e027adfa486cfcf993828512b2e273aeb163c2 CVE-2013-3721 (SQL injection vulnerability in awards.php in PsychoStats 3.2.2b allows ...) NOT-FOR-US: PsychoStats CVE-2013-3720 (Cross-site scripting (XSS) vulnerability in widget_remove.php in the F ...) NOT-FOR-US: Wordpress plugin Feedweb CVE-2013-3719 (Cross-site scripting (XSS) vulnerability in the aiContactSafe componen ...) NOT-FOR-US: Joomla! CVE-2013-3718 (evince is missing a check on number of pages which can lead to a segme ...) - evince 3.10.0-1 [wheezy] - evince [squeeze] - evince (Vulnerable code not present) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=701302 CVE-2013-3717 RESERVED CVE-2013-3716 RESERVED CVE-2013-3715 RESERVED CVE-2013-3714 RESERVED CVE-2013-3713 (The image creation configuration in aaa_base before 16.26.1 for openSU ...) NOT-FOR-US: openSUSE live installer CVE-2013-3712 (SUSE Studio Onsite 1.3.x before 1.3.6 and SUSE Studio Extension for Sy ...) NOT-FOR-US: SUSE Studio Onsite CVE-2013-3711 RESERVED CVE-2013-3710 (SUSE Lifecycle Management Server (SLMS) before 1.3.7 does not generate ...) NOT-FOR-US: SUSE Lifecycle Management Server CVE-2013-3709 (WebYaST 1.3 uses weak permissions for config/initializers/secret_token ...) NOT-FOR-US: WebYast CVE-2013-3708 (The id1.GetPrinterURLList function in Novell iPrint Client before 5.93 ...) NOT-FOR-US: Novell iPrint Client CVE-2013-3707 (The HTTPSTK service in the novell-nrm package before 2.0.2-297.305.302 ...) NOT-FOR-US: Novell Open Enterprise Server 2 CVE-2013-3706 (Directory traversal vulnerability in the PreBoot service in Novell ZEN ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2013-3705 (The VBA32 AntiRootKit component for Novell Client 2 SP3 before IR5 on ...) NOT-FOR-US: Novell Client CVE-2013-3704 (The RPM GPG key import and handling feature in libzypp 12.15.0 and ear ...) - libzypp (Fixed before initial upload) CVE-2013-3703 (The controller of the Open Build Service API prior to version 2.4.4 is ...) NOT-FOR-US: Open Build Service CVE-2013-3702 REJECTED CVE-2013-3701 REJECTED CVE-2013-3700 RESERVED CVE-2013-3699 REJECTED CVE-2013-3698 REJECTED CVE-2013-3697 (Integer overflow in the NWFS.SYS kernel driver 4.91.5.8 in Novell Clie ...) NOT-FOR-US: Novell Client on Windows CVE-2013-3696 RESERVED CVE-2013-3695 RESERVED CVE-2013-3694 (BlackBerry Link before 1.2.1.31 on Windows and before 1.1.1 build 39 o ...) NOT-FOR-US: BlackBerry Link CVE-2013-3693 (The BlackBerry Universal Device Service in BlackBerry Enterprise Servi ...) NOT-FOR-US: BlackBerry CVE-2013-3692 (BlackBerry 10 OS before 10.0.10.648 on BlackBerry Z10 smartphones uses ...) NOT-FOR-US: Blackberry OS CVE-2013-3691 (AirLive POE-2600HD allows remote attackers to cause a denial of servic ...) NOT-FOR-US: AirLive POE-2600HD CVE-2013-3690 (Cross-site request forgery (CSRF) vulnerability in cgi-bin/users.cgi i ...) NOT-FOR-US: Brickcom CVE-2013-3689 (Brickcom FB-100Ap, WCB-100Ap, MD-100Ap, WFB-100Ap, OB-100Ae, OSD-040E, ...) NOT-FOR-US: Brickcom CVE-2013-3688 (The TP-Link IP Cameras TL-SC3171, TL-SC3130, TL-SC3130G, TL-SC3171G, a ...) NOT-FOR-US: TP-Link CVE-2013-3687 (AirLive POE2600HD, POE250HD, POE200HD, OD-325HD, OD-2025HD, OD-2060HD, ...) NOT-FOR-US: AirLive cameras CVE-2013-3686 (cgi-bin/operator/param in AirLive WL2600CAM and possibly other camera ...) NOT-FOR-US: AirLive CVE-2013-3685 (A Privilege Escalation Vulnerability exists in Sprite Software Spriteb ...) NOT-FOR-US: Sprite Software's backup softare for Android CVE-2013-3684 (NextGEN Gallery plugin before 1.9.13 for WordPress: ngggallery.php fil ...) NOT-FOR-US: NextGEN Gallery plugin for WordPress CVE-2013-3683 RESERVED CVE-2013-3682 RESERVED CVE-2013-3681 RESERVED CVE-2013-3680 RESERVED CVE-2013-3679 RESERVED CVE-2013-3678 (Multiple unspecified vulnerabilities in SAP Governance, Risk, and Comp ...) NOT-FOR-US: SAP CVE-2013-3677 RESERVED CVE-2013-3676 RESERVED CVE-2013-3675 (The process_frame_obj function in sanm.c in libavcodec in FFmpeg befor ...) - ffmpeg (Smush codec not present in 0.5 ffmpeg) - libav (Smush codec not present in libav) CVE-2013-3674 (The cdg_decode_frame function in cdgraphics.c in libavcodec in FFmpeg ...) {DSA-3003-1} - ffmpeg (CD Graphics Video Decoder not present in 0.5 ffmpeg) - libav 6:10.4-1 NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=7ef2dbd2392e3e4d430e0173e1e5c4df9f18b6dd NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=a1599f3f7ea8478d1f6a95e59e3bc6bc86d5f812 CVE-2013-3673 (The gif_decode_frame function in gifdec.c in libavcodec in FFmpeg befo ...) - ffmpeg (Doesn't affect libav, specific to current ffmpeg) - libav (Doesn't affect libav, specific to current ffmpeg) CVE-2013-3672 (The mm_decode_inter function in mmvideo.c in libavcodec in FFmpeg befo ...) {DSA-3003-1} - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:10.4-1 NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=7fa6db2545643efb4fe2e0bb501fa50af35a6330 NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=70cd3b8e659c3522eea5c16a65d14b8658894a94 CVE-2013-3671 (The format_line function in log.c in libavutil in FFmpeg before 1.2.1 ...) - ffmpeg (Doesn't affect libav, specific to current ffmpeg) - libav (Doesn't affect libav, specific to current ffmpeg) CVE-2013-3670 (The rle_unpack function in vmdav.c in libavcodec in FFmpeg git 2013032 ...) - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:10-1 [wheezy] - libav (Vulnerable code not present in 0.8) NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=0baa0a5a02e16ef097ed9f72bc8a7d7b585c7652 NOTE: [Anton] not present in 0.8, 10 or master; possibly present in 9 CVE-2013-3669 RESERVED CVE-2013-3668 RESERVED CVE-2013-3667 (The software update mechanism as used in Bare Bones Software Yojimbo b ...) NOT-FOR-US: Various proprietary software updaters CVE-2013-3666 (The LG Hidden Menu component for Android on the LG Optimus G E973 allo ...) NOT-FOR-US: LG Hidden Menu CVE-2013-3665 (Unspecified vulnerability in Autodesk AutoCAD through 2014, AutoCAD LT ...) NOT-FOR-US: AutoCAD CVE-2013-3664 (Trimble SketchUp (formerly Google SketchUp) before 2013 (13.0.3689) al ...) NOT-FOR-US: Trimble SketchUp CVE-2013-3663 (Heap-based buffer overflow in paintlib, as used in Trimble SketchUp (f ...) NOT-FOR-US: Trimble SketchUp CVE-2013-3662 (Timbre SketchUp (formerly Google SketchUp) before 8 Maintenance 2 allo ...) NOT-FOR-US: Trimble SketchUp CVE-2013-3661 (The EPATHOBJ::bFlatten function in win32k.sys in Microsoft Windows XP ...) NOT-FOR-US: Microsoft Windows CVE-2013-3660 (The EPATHOBJ::pprFlattenRec function in win32k.sys in the kernel-mode ...) NOT-FOR-US: Microsoft Windows CVE-2012-6563 (engine/lib/access.php in Elgg before 1.8.5 does not properly clear cac ...) - elgg (bug #526197) CVE-2012-6562 (engine/lib/users.php in Elgg before 1.8.5 does not properly specify pe ...) - elgg (bug #526197) CVE-2012-6561 (Cross-site scripting (XSS) vulnerability in engine/lib/views.php in El ...) - elgg (bug #526197) CVE-2012-6560 (SQL injection vulnerability in deviceadd.php in FreeNAC 3.02 allows re ...) NOT-FOR-US: FreeNAC CVE-2012-6559 (Multiple cross-site scripting (XSS) vulnerabilities in FreeNAC 3.02 al ...) NOT-FOR-US: FreeNAC CVE-2012-6558 (Heap-based buffer overflow in HeavenTools PE Explorer 1.99 R6 allows r ...) NOT-FOR-US: HeavenTools PE Explorer CVE-2012-6557 (Multiple cross-site scripting (XSS) vulnerabilities in the AboutMe plu ...) NOT-FOR-US: Vanilla Forums CVE-2012-6556 (Multiple cross-site scripting (XSS) vulnerabilities in the FirstLastNa ...) NOT-FOR-US: Vanilla Forums CVE-2012-6555 (Cross-site scripting (XSS) vulnerability in the LatestComment plugin 1 ...) NOT-FOR-US: Vanilla Forums CVE-2012-6554 (functions/html_to_text.php in the Chat module before 1.5.2 for activeC ...) NOT-FOR-US: activeCollab CVE-2012-6553 (Heap-based buffer overflow in Resource Hacker 3.6.0.92 allows remote a ...) NOT-FOR-US: Resource Hacker CVE-2013-3659 (The NTT DOCOMO overseas usage application 2.0.0 through 2.0.4 for Andr ...) NOT-FOR-US: Android application NTT DOCOMO CVE-2013-3658 (Directory traversal vulnerability in VMware ESXi 4.0 through 5.0, and ...) NOT-FOR-US: VMware CVE-2013-3657 (Buffer overflow in VMware ESXi 4.0 through 5.0, and ESX 4.0 and 4.1, a ...) NOT-FOR-US: VMware CVE-2013-3656 (Cybozu Office 9.1.0 and earlier does not properly manage sessions, whi ...) NOT-FOR-US: Cybozu Office CVE-2013-3655 (The Sharp AQUOS PhotoPlayer HN-PP150 with firmware before 1.04.00.04 a ...) NOT-FOR-US: Sharp AQUOS PhotoPlayer CVE-2013-3654 (Directory traversal vulnerability in LOCKON EC-CUBE 2.12.0 through 2.1 ...) NOT-FOR-US: EC-CUBE CVE-2013-3653 (Multiple cross-site scripting (XSS) vulnerabilities in the RecommendSe ...) NOT-FOR-US: EC-CUBE CVE-2013-3652 (Cross-site scripting (XSS) vulnerability in data/class/pages/products/ ...) NOT-FOR-US: EC-CUBE CVE-2013-3651 (LOCKON EC-CUBE 2.11.2 through 2.12.4 allows remote attackers to conduc ...) NOT-FOR-US: EC-CUBE CVE-2013-3650 (Directory traversal vulnerability in the lfCheckFileName function in d ...) NOT-FOR-US: EC-CUBE CVE-2013-3649 (Cross-site scripting (XSS) vulnerability in KENT-WEB CLIP-MAIL before ...) NOT-FOR-US: KENT-WEB CLIP-MAIL CVE-2013-3648 (Cross-site scripting (XSS) vulnerability in KENT-WEB POST-MAIL before ...) NOT-FOR-US: KENT-WEB POST-MAIL CVE-2013-3647 (The WebView class in the Cybozu Live application before 2.0.1 for Andr ...) NOT-FOR-US: Cybozu Live for Android CVE-2013-3646 (The Cybozu Live application before 2.0.1 for Android allows remote att ...) NOT-FOR-US: Cybozu Live for Android CVE-2013-3645 (Cross-site scripting (XSS) vulnerability in the Orchard.Comments modul ...) NOT-FOR-US: Orchard CVE-2013-3644 (Unspecified vulnerability in JustSystems Ichitaro 2006 through 2013; I ...) NOT-FOR-US: JustSystems Ichitaro CVE-2013-3643 (The Galapagos Browser application for Android does not properly implem ...) NOT-FOR-US: Galapagos Browser application for Android CVE-2013-3642 (The Angel Browser application 1.47b and earlier for Android 1.6 throug ...) NOT-FOR-US: Angel Browser application CVE-2013-3641 (The Pizza Hut Japan Official Order application before 1.1.1.a for Andr ...) NOT-FOR-US: The Pizza Hut Japan Official Order for Android CVE-2013-3640 (Cross-site scripting (XSS) vulnerability in the Instant Web Publish fu ...) NOT-FOR-US: FileMaker Pro CVE-2013-3639 (Multiple cross-site scripting (XSS) vulnerabilities in Xaraya 2.4.0-b1 ...) NOT-FOR-US: Xaraya CVE-2013-3638 (SQL injection vulnerability in Boonex Dolphin before 7.1.3 allows remo ...) NOT-FOR-US: Boonex Dolphin CVE-2013-3637 (ProjectPier 0.8.8 does not use the Secure flag for cookies ...) NOT-FOR-US: ProjectPier CVE-2013-3636 (ProjectPier 0.8.8 has a Remote Information Disclosure Weakness because ...) NOT-FOR-US: ProjectPier CVE-2013-3635 (ProjectPier 0.8.8 has stored XSS ...) NOT-FOR-US: ProjectPier CVE-2013-3634 (A vulnerability has been identified in SCALANCE X-200 switch family (i ...) NOT-FOR-US: Siemens switches CVE-2013-3633 (A vulnerability has been identified in SCALANCE X-200 switch family (i ...) NOT-FOR-US: Siemens CVE-2013-3632 (The Cron service in rpc.php in OpenMediaVault allows remote authentica ...) NOT-FOR-US: OpenMediaVault CVE-2013-3631 (NAS4Free 9.1.0.1.804 and earlier allows remote authenticated users to ...) NOT-FOR-US: NAS4Free CVE-2013-3630 (Moodle through 2.5.2 allows remote authenticated administrators to exe ...) NOTE: For Moodle: Not a securiy issue according to upstream, only applicable to administrators, see bug #775842 NOTE: https://tracker.moodle.org/browse/MDL-41449 NOTE: https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats CVE-2013-3629 (ISPConfig 3.0.5.2 has Arbitrary PHP Code Execution ...) NOT-FOR-US: ISPConfig CVE-2013-3628 (Zabbix 2.0.9 has an Arbitrary Command Execution Vulnerability ...) NOTE: Historic Zabbix issue CVE-2013-3627 (FrameworkService.exe in McAfee Framework Service in McAfee Managed Age ...) NOT-FOR-US: McAfee CVE-2013-3626 (Directory traversal vulnerability in the Session Server in Attachmate ...) NOT-FOR-US: Attachmate Verastream Host Integrator CVE-2013-3625 (An unspecified DLL file in Baramundi Management Suite 7.5 through 8.9 ...) NOT-FOR-US: Baramundi Management Suite CVE-2013-3624 (The OS deployment feature in Baramundi Management Suite 7.5 through 8. ...) NOT-FOR-US: Baramundi Management Suite CVE-2013-3623 (Multiple stack-based buffer overflows in cgi/close_window.cgi in the w ...) NOT-FOR-US: Intelligent Platform Management Interface CVE-2013-3622 (Buffer overflow in logout.cgi in the Intelligent Platform Management I ...) NOT-FOR-US: Intelligent Platform Management Interface CVE-2013-3621 REJECTED CVE-2013-3620 (Hardcoded WSMan credentials in Intelligent Platform Management Interfa ...) NOT-FOR-US: Supermicro CVE-2013-3619 (Intelligent Platform Management Interface (IPMI) with firmware for Sup ...) NOT-FOR-US: Supermicro CVE-2013-3618 RESERVED CVE-2013-3617 (The XML API in Openbravo ERP 2.5, 3.0, and earlier allows remote authe ...) NOT-FOR-US: Openbravo ERP CVE-2013-3616 (Cross-site scripting (XSS) vulnerability in the KnowledgeView Editoria ...) NOT-FOR-US: KnowledgeView Editorial and Management application CVE-2013-3615 (Dahua DVR appliances use a password-hash algorithm with a short hash l ...) NOT-FOR-US: Dahua DVR CVE-2013-3614 (Dahua DVR appliances have a small value for the maximum password lengt ...) NOT-FOR-US: Dahua DVR CVE-2013-3613 (Dahua DVR appliances do not properly restrict UPnP requests, which mak ...) NOT-FOR-US: Dahua DVR CVE-2013-3612 (Dahua DVR appliances have a hardcoded password for (1) the root accoun ...) NOT-FOR-US: Dahua DVR CVE-2013-3611 REJECTED CVE-2013-3610 (qis/QIS_finish.htm on the ASUS RT-N10E router with firmware before 2.0 ...) NOT-FOR-US: ASUS router CVE-2013-3609 (The web interface in the Intelligent Platform Management Interface (IP ...) NOT-FOR-US: Intelligent Platform Management Interface CVE-2013-3608 (The web interface in the Intelligent Platform Management Interface (IP ...) NOT-FOR-US: Intelligent Platform Management Interface CVE-2013-3607 (Multiple stack-based buffer overflows in the web interface in the Inte ...) NOT-FOR-US: Intelligent Platform Management Interface CVE-2013-3606 (The login page in the GoAhead web server on Dell PowerConnect 3348 1.2 ...) NOT-FOR-US: GoAhead web server on Dell PowerConnect CVE-2013-3605 (Cross-site request forgery (CSRF) vulnerability in Coursemill Learning ...) NOT-FOR-US: Coursemill Learning Management System CVE-2013-3604 (Multiple cross-site scripting (XSS) vulnerabilities in Coursemill Lear ...) NOT-FOR-US: Coursemill Learning Management System CVE-2013-3603 (Cross-site scripting (XSS) vulnerability in Coursemill Learning Manage ...) NOT-FOR-US: Coursemill Learning Management System CVE-2013-3602 (SQL injection vulnerability in admindocumentworker.jsp in Coursemill L ...) NOT-FOR-US: Coursemill Learning Management System CVE-2013-3601 (Coursemill Learning Management System (LMS) 6.6 does not properly rest ...) NOT-FOR-US: Coursemill Learning Management System CVE-2013-3600 (Coursemill Learning Management System (LMS) 6.6 allows remote authenti ...) NOT-FOR-US: Coursemill Learning Management System CVE-2013-3599 (userlogin.jsp in Coursemill Learning Management System (LMS) 6.6 and 6 ...) NOT-FOR-US: Coursemill Learning Management System CVE-2013-3598 (Directory traversal vulnerability in servlet/CreateTemplateServlet in ...) NOT-FOR-US: SearchBlox CVE-2013-3597 (servlet/CollectionListServlet in SearchBlox before 7.5 build 1 allows ...) NOT-FOR-US: SearchBlox CVE-2013-3596 (AdvancePro Advanceware allows remote authenticated users to obtain sen ...) NOT-FOR-US: AdvancePro Advanceware CVE-2013-3595 (The OpenManage web application 2.5 build 1.19 on Dell PowerConnect 334 ...) NOT-FOR-US: Dell PowerConnect CVE-2013-3594 (The SSH service on Dell PowerConnect 3348 1.2.1.3, 3524p 2.0.0.48, and ...) NOT-FOR-US: Dell PowerConnect CVE-2013-3593 (Baramundi Management Suite 7.5 through 8.9 uses cleartext for (1) clie ...) NOT-FOR-US: Baramundi Management Suite CVE-2013-3592 RESERVED CVE-2013-3591 (vTiger CRM 5.3 and 5.4: 'files' Upload Folder Arbitrary PHP Code Execu ...) NOT-FOR-US: vTiger CRM CVE-2013-3590 (Unrestricted file upload vulnerability in admin/uploadImage.html in Se ...) NOT-FOR-US: SearchBlox CVE-2013-3589 (Cross-site scripting (XSS) vulnerability in the login page in the Admi ...) NOT-FOR-US: Dell iDRAC6 CVE-2013-3588 (The web management interface on Zyxel P660 devices allows remote attac ...) NOT-FOR-US: Zyxel CVE-2013-3587 (The HTTPS protocol, as used in unspecified web applications, can encry ...) NOTE: not something we can concretely fix somewhere NOTE: mitigations must be done in webapps NOTE: http://web.archive.org/web/20160304210825/http://breachattack.com/ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=995168 NOTE: https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/ NOTE: https://www.mail-archive.com/dev@httpd.apache.org/msg57592.html CVE-2013-3586 (Samsung Web Viewer for Samsung DVR devices allows remote attackers to ...) NOT-FOR-US: Samsung DVR devices CVE-2013-3585 (Samsung Web Viewer for Samsung DVR devices stores credentials in clear ...) NOT-FOR-US: Samsung DVR devices CVE-2013-3584 (Cross-site scripting (XSS) vulnerability in Corporater EPM Suite allow ...) NOT-FOR-US: Corporater EPM Suite CVE-2013-3583 (Cross-site request forgery (CSRF) vulnerability in saveProperties.html ...) NOT-FOR-US: Corporater EPM Suite CVE-2013-3582 (Buffer overflow in Dell BIOS on Dell Latitude D###, E####, XT2, and Z6 ...) NOT-FOR-US: Dell CVE-2013-3581 (ajax.cgi in the web interface on the Choice Wireless Green Packet WIXF ...) NOT-FOR-US: Choice Wireless Green Packet WIXFMR-111 4G WiMax modem CVE-2013-3580 (The TrustGo Antivirus & Mobile Security application before 1.3.6 f ...) NOT-FOR-US: TrustGo CVE-2013-3579 (The Lookout Mobile Security application before 8.17-8a39d3f for Androi ...) NOT-FOR-US: Lookout Mobile Security application for Android CVE-2013-3578 (SQL injection vulnerability in the Help Desk application in Wave EMBAS ...) NOT-FOR-US: ERAS CVE-2013-3577 (SQL injection vulnerability in the Help Desk application in Wave EMBAS ...) NOT-FOR-US: ERAS CVE-2013-3576 (ginkgosnmp.inc in HP System Management Homepage (SMH) allows remote au ...) NOT-FOR-US: HP System Management Homepage CVE-2013-3575 (hpdiags/frontend2/help/pageview.php in HP Insight Diagnostics 9.4.0.47 ...) NOT-FOR-US: HP Insight Diagnostics CVE-2013-3574 (Absolute path traversal vulnerability in hpdiags/frontend2/commands/sa ...) NOT-FOR-US: HP Insight Diagnostics CVE-2013-3573 (HP Insight Diagnostics 9.4.0.4710 allows remote attackers to conduct u ...) NOT-FOR-US: HP Insight Diagnostics CVE-2013-3572 (Cross-site scripting (XSS) vulnerability in the administer interface i ...) NOT-FOR-US: Ubiquiti Networks UniFi CVE-2013-3571 (socat 1.2.0.0 before 1.7.2.2 and 2.0.0-b1 before 2.0.0-b6, when used f ...) - socat 1.7.1.3-1.5 (low; bug #709931) [squeeze] - socat (Minor issue) [wheezy] - socat (Minor issue) NOTE: http://www.dest-unreach.org/socat/contrib/socat-secadv4.html CVE-2013-3570 RESERVED CVE-2013-3569 RESERVED CVE-2013-3568 (Cross-site request forgery (CSRF) vulnerability in Cisco Linksys WRT11 ...) NOT-FOR-US: Cisco CVE-2013-3567 (Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterpri ...) {DSA-2715-1} - puppet 3.2.2-1 (bug #712745) CVE-2013-3566 RESERVED CVE-2013-3565 (Multiple cross-site scripting (XSS) vulnerabilities in the HTTP Interf ...) - vlc 2.0.7-1 (unimportant) NOTE: Negligible impact CVE-2013-3564 (The web interface in VideoLAN VLC media player before 2.0.7 has no acc ...) - vlc 2.0.7-1 NOTE: https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18864 CVE-2013-3563 (Stack-based buffer overflow in db_netserver in Lianja SQL Server befor ...) NOT-FOR-US: Lianja SQL Server CVE-2013-3562 (Multiple integer signedness errors in the tvb_unmasked function in epa ...) {DSA-2700-1} - wireshark 1.8.7-1 (bug #709167) [squeeze] - wireshark (Only affects 1.8.x) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8499 NOTE: http://www.wireshark.org/security/wnpa-sec-2013-29.html CVE-2013-3561 (Multiple integer overflows in Wireshark 1.8.x before 1.8.7 allow remot ...) - wireshark (This CVE ID is for the Wireshark trunk, the fix 1.8 is CVE-2013-3562) CVE-2013-3560 (The dissect_dsmcc_un_download function in epan/dissectors/packet-mpeg- ...) {DSA-2700-1} - wireshark 1.8.7-1 (unimportant; bug #709167) [squeeze] - wireshark (Only affects 1.8.x) NOTE: http://www.wireshark.org/security/wnpa-sec-2013-28.html NOTE: Not suitable for code injection CVE-2013-3559 (epan/dissectors/packet-dcp-etsi.c in the DCP ETSI dissector in Wiresha ...) {DSA-2700-1} - wireshark 1.8.7-1 (bug #709167) [squeeze] - wireshark (Only affects 1.8.x) NOTE: http://www.wireshark.org/security/wnpa-sec-2013-27.html CVE-2013-3558 (The dissect_ccp_bsdcomp_opt function in epan/dissectors/packet-ppp.c i ...) {DSA-2700-1} - wireshark 1.8.7-1 (bug #709167) [squeeze] - wireshark (Only affects 1.8.x) NOTE: http://www.wireshark.org/security/wnpa-sec-2013-26.html CVE-2013-3557 (The dissect_ber_choice function in epan/dissectors/packet-ber.c in the ...) {DSA-2700-1} - wireshark 1.8.7-1 (unimportant; bug #709167) [squeeze] - wireshark 1.2.11-6+squeeze11 NOTE: Not suitable for code injection CVE-2013-3556 (The fragment_add_seq_common function in epan/reassemble.c in the ASN.1 ...) - wireshark (Only affected the dev trunk) NOTE: http://www.wireshark.org/security/wnpa-sec-2013-25.html (r48943) CVE-2013-3555 (epan/dissectors/packet-gtpv2.c in the GTPv2 dissector in Wireshark 1.8 ...) {DSA-2700-1} - wireshark 1.8.7-1 (bug #709167) [squeeze] - wireshark (Only affects 1.8.x) NOTE: http://www.wireshark.org/security/wnpa-sec-2013-24.html CVE-2013-3554 RESERVED CVE-2013-3553 (Nitro Pro 7.5.0.22 and earlier and Nitro Reader 2.5.0.36 and earlier a ...) NOT-FOR-US: Nitro Pro CVE-2013-3552 (Nitro Pro 7.5.0.29 and earlier and Nitro Reader 2.5.0.45 and earlier a ...) NOT-FOR-US: Nitro Pro CVE-2013-3551 (Kernel/Modules/AgentTicketPhone.pm in Open Ticket Request System (OTRS ...) {DSA-2696-1} - otrs2 3.2.7-1 [squeeze] - otrs2 CVE-2013-3550 REJECTED CVE-2013-3549 RESERVED CVE-2013-3548 RESERVED CVE-2013-3547 RESERVED CVE-2013-3546 RESERVED CVE-2013-3545 RESERVED CVE-2013-3544 REJECTED CVE-2013-3543 (The AXIS Media Control (AMC) ActiveX control (AxisMediaControlEmb.dll) ...) NOT-FOR-US: AXIS Media Control CVE-2013-3542 (Grandstream GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV ...) NOT-FOR-US: Grandstream CVE-2013-3541 (Directory traversal vulnerability in cgi-bin/admin/fileread in AirLive ...) NOT-FOR-US: AirLive CVE-2013-3540 (Cross-site request forgery (CSRF) vulnerability in cgi-bin/admin/usrgr ...) NOT-FOR-US: AirLive CVE-2013-3539 (Cross-site request forgery (CSRF) vulnerability in the command/user.cg ...) NOT-FOR-US: Sony CVE-2013-3538 (Multiple cross-site scripting (XSS) vulnerabilities in todooforum.php ...) NOT-FOR-US: Todoo Forum CVE-2013-3537 (Multiple SQL injection vulnerabilities in todooforum.php in Todoo Foru ...) NOT-FOR-US: Todoo Forum CVE-2013-3536 (SQL injection vulnerability in the gp_LoadUserFromHash function in fun ...) NOT-FOR-US: grouppay plugin CVE-2013-3535 (Multiple cross-site scripting (XSS) vulnerabilities in CMSLogik 1.2.0 ...) NOT-FOR-US: CMSLogik CVE-2013-3534 (Cross-site scripting (XSS) vulnerability in the aiContactSafe componen ...) NOT-FOR-US: aiContactSafe CVE-2013-3533 (Multiple SQL injection vulnerabilities in Virtual Access Monitor 3.10. ...) NOT-FOR-US: Virtual Access Monitor CVE-2013-3532 (SQL injection vulnerability in settings.php in the Web Dorado Spider V ...) NOT-FOR-US: WordPress plugin CVE-2013-3531 (SQL injection vulnerability in meneger.php in RadioCMS 2.2 allows remo ...) NOT-FOR-US: RadioCMS CVE-2013-3530 (SQL injection vulnerability in playlist.php in the Spiffy XSPF Player ...) NOT-FOR-US: WordPress plugin CVE-2013-3529 (Multiple cross-site scripting (XSS) vulnerabilities in user/obits.php ...) NOT-FOR-US: WordPress plugin CVE-2013-3528 (Unspecified vulnerability in the update check in Vanilla Forums before ...) NOT-FOR-US: Vanilla Forums CVE-2013-3527 (Multiple SQL injection vulnerabilities in Vanilla Forums before 2.0.18 ...) NOT-FOR-US: Vanilla Forums CVE-2013-3526 (Cross-site scripting (XSS) vulnerability in js/ta_loaded.js.php in the ...) NOT-FOR-US: WordPress plugin CVE-2013-3525 NOTE: http://web.archive.org/web/20151225141212/http://blog.bestpractical.com/2013/04/on-our-security-policies.html CVE-2013-3524 (SQL injection vulnerability in popupnewsitem/ in the Pop Up News modul ...) NOT-FOR-US: phpVMS CVE-2013-3523 (SQL injection vulnerability in This HTML Is Simple (THIS) before 1.2.4 ...) NOT-FOR-US: This HTML Is Simple CVE-2013-3522 (SQL injection vulnerability in index.php/ajax/api/reputation/vote in v ...) NOT-FOR-US: vBulletin CVE-2012-6552 (Unspecified vulnerability in admin/action.php in phpVMS 2.1.x before 2 ...) NOT-FOR-US: phpVMS CVE-2013-3521 REJECTED CVE-2013-3520 (VMware vCenter Chargeback Manager (aka CBM) before 2.5.1 does not prop ...) NOT-FOR-US: VMware vCenter Chargeback Manager CVE-2013-3519 (lgtosync.sys in VMware Workstation 9.x before 9.0.3, VMware Player 5.x ...) NOT-FOR-US: VMware CVE-2013-3518 RESERVED CVE-2013-3517 (Cross-site scripting (XSS) vulnerability in NETGEAR WNR3500U and WNR35 ...) NOT-FOR-US: NETGEAR CVE-2013-3516 (NETGEAR WNR3500U and WNR3500L routers uses form tokens abased solely o ...) NOT-FOR-US: NETGEAR CVE-2013-3515 (Multiple cross-site scripting (XSS) vulnerabilities in OpenX Source 2. ...) NOT-FOR-US: OpenX CVE-2013-3514 (Multiple directory traversal vulnerabilities in OpenX before 2.8.10 re ...) NOT-FOR-US: OpenX CVE-2013-3513 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Noma ...) NOT-FOR-US: GroundWork Monitor Enterprise CVE-2013-3512 (The Cacti component in GroundWork Monitor Enterprise 6.7.0 does not pr ...) NOT-FOR-US: GroundWork Monitor Enterprise CVE-2013-3511 (Open redirect vulnerability in the NeDi component in GroundWork Monito ...) NOT-FOR-US: GroundWork Monitor Enterprise CVE-2013-3510 (Multiple SQL injection vulnerabilities in GroundWork Monitor Enterpris ...) NOT-FOR-US: GroundWork Monitor Enterprise CVE-2013-3509 (html/System-NeDi.php in the NeDi component in GroundWork Monitor Enter ...) NOT-FOR-US: GroundWork Monitor Enterprise CVE-2013-3508 (html/System-Files.php in the System File Overview feature in the NeDi ...) NOT-FOR-US: GroundWork Monitor Enterprise CVE-2013-3507 (The NeDi component in GroundWork Monitor Enterprise 6.7.0 allows remot ...) NOT-FOR-US: GroundWork Monitor Enterprise CVE-2013-3506 (cgi-bin/performance/perfchart.cgi in the Performance component in Grou ...) NOT-FOR-US: GroundWork Monitor Enterprise CVE-2013-3505 (The Nagios-App component in GroundWork Monitor Enterprise 6.7.0 allows ...) NOT-FOR-US: GroundWork Monitor Enterprise CVE-2013-3504 (Directory traversal vulnerability in monarch.cgi in the MONARCH compon ...) NOT-FOR-US: GroundWork Monitor Enterprise CVE-2013-3503 (The Profile Importer feature in monarch.cgi in the MONARCH component i ...) NOT-FOR-US: GroundWork Monitor Enterprise CVE-2013-3502 (monarch_scan.cgi in the MONARCH component in GroundWork Monitor Enterp ...) NOT-FOR-US: GroundWork Monitor Enterprise CVE-2013-3501 (Multiple cross-site scripting (XSS) vulnerabilities in GroundWork Moni ...) NOT-FOR-US: GroundWork Monitor Enterprise CVE-2013-3500 (The Foundation webapp admin interface in GroundWork Monitor Enterprise ...) NOT-FOR-US: GroundWork Monitor Enterprise CVE-2013-3499 (GroundWork Monitor Enterprise 6.7.0 performs authentication on the bas ...) NOT-FOR-US: GroundWork Monitor Enterprise CVE-2013-3498 (Cross-site scripting (XSS) vulnerability in Juniper SmartPass WLAN Sec ...) NOT-FOR-US: Juniper CVE-2013-3497 (Juniper Junos Space before 12.3P2.8, as used on the JA1500 appliance a ...) NOT-FOR-US: Juniper CVE-2013-3496 (Infotecs ViPNet Client 3.2.10 (15632) and earlier, ViPNet Coordinator ...) NOT-FOR-US: Infotecs ViPNet Client CVE-2013-3495 (The Intel VT-d Interrupt Remapping engine in Xen 3.3.x through 4.3.x a ...) - xen 4.4.1-3 (unimportant) NOTE: Hardware design flaw, no software solution CVE-2013-3494 (A Code Execution Vulnerability exists in UMPlayer 0.98 in wintab32.dll ...) NOT-FOR-US: UMPlayer CVE-2013-3493 (XnView 2.03 has an integer overflow vulnerability ...) NOT-FOR-US: XnView CVE-2013-3492 (XnView 2.03 has a stack-based buffer overflow vulnerability ...) NOT-FOR-US: XnView CVE-2013-3491 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Shar ...) NOT-FOR-US: WordPress plugin sharebar CVE-2013-3490 RESERVED CVE-2013-3489 (Buffer overflow in Media Player Classic - Home Cinema (MPC-HC) before ...) NOT-FOR-US: Media Player Classic - Home Cinema (MPC-HC) CVE-2013-3488 (Stack-based buffer overflow in Media Player Classic - Home Cinema (MPC ...) NOT-FOR-US: Media Player Classic - Home Cinema (MPC-HC) CVE-2013-3487 (Multiple cross-site scripting (XSS) vulnerabilities in the security lo ...) NOT-FOR-US: BulletProof Security plugin for WordPress CVE-2013-3486 (IrfanView FlashPix Plugin 4.3.4 0 has an Integer Overflow Vulnerabilit ...) NOT-FOR-US: IrfanView FlashPix Plugin CVE-2013-3485 (Multiple untrusted search path vulnerabilities in Soda PDF 5.1.183.105 ...) NOT-FOR-US: Soda PDF CVE-2013-3484 (Multiple cross-site scripting (XSS) vulnerabilities in dotCMS before 2 ...) NOT-FOR-US: dotCMS CVE-2013-3483 (Stack-based buffer overflow in ermapper_u.dll in Intergraph ERDAS ER V ...) NOT-FOR-US: ERADAS ER Viewer CVE-2013-3482 (Stack-based buffer overflow in the rf_report_error function in ermappe ...) NOT-FOR-US: ERADAS ER Viewer CVE-2013-3481 (Stack-based buffer overflow in Artweaver Plus and Free before 3.1.5 al ...) NOT-FOR-US: Artweaver CVE-2013-3480 (Integer overflow in Sagelight 4.4 and earlier allows remote attackers ...) NOT-FOR-US: Sagelight CVE-2013-3479 (Cross-site request forgery (CSRF) vulnerability in the ShareThis plugi ...) NOT-FOR-US: WordPress plugin ShareThis CVE-2013-3478 (SQL injection vulnerability in Apptha WordPress Video Gallery 2.0, 1.6 ...) NOT-FOR-US: Apptha WordPress Video Gallery CVE-2013-3477 (Cross-site request forgery (CSRF) vulnerability in the Related Posts b ...) NOT-FOR-US: WordPress plugin related-posts-by-zemanta CVE-2013-3476 (Cross-site request forgery (CSRF) vulnerability in the WordPress Relat ...) NOT-FOR-US: WordPress plugin wordpress-23-related-posts-plugin CVE-2013-3475 (Stack-based buffer overflow in db2aud in the Audit Facility in IBM DB2 ...) NOT-FOR-US: IBM CVE-2013-3474 (The Web Administrator Interface on Cisco Wireless LAN Controller (WLC) ...) NOT-FOR-US: Cisco CVE-2013-3473 (The web framework in Cisco Prime Central for Hosted Collaboration Solu ...) NOT-FOR-US: Cisco CVE-2013-3472 (Cross-site request forgery (CSRF) vulnerability in the Enterprise Lice ...) NOT-FOR-US: Cisco CVE-2013-3471 (The captive portal application in Cisco Identity Services Engine (ISE) ...) NOT-FOR-US: Cisco CVE-2013-3470 (The RIP process in Cisco IOS XR allows remote attackers to cause a den ...) NOT-FOR-US: Cisco IOS XR CVE-2013-3469 (Cisco Mobility Services Engine does not properly set up the Oracle SSL ...) NOT-FOR-US: Cisco CVE-2013-3468 (The Cisco Unified IP Phone 8945 with software 9.3(2) allows remote att ...) NOT-FOR-US: Cisco CVE-2013-3467 (Memory leak in the CLI component on Cisco Unified Computing System (UC ...) NOT-FOR-US: Cisco CVE-2013-3466 (The EAP-FAST authentication module in Cisco Secure Access Control Serv ...) NOT-FOR-US: Cisco CVE-2013-3465 RESERVED CVE-2013-3464 (Cisco IOS XR allows local users to cause a denial of service (Silicon ...) NOT-FOR-US: Cisco IOS XR CVE-2013-3463 (The protocol-inspection feature on Cisco Adaptive Security Appliances ...) NOT-FOR-US: Cisco CVE-2013-3462 (Buffer overflow in Cisco Unified Communications Manager (Unified CM) 7 ...) NOT-FOR-US: Cisco CVE-2013-3461 (Cisco Unified Communications Manager (Unified CM) 8.5(x) and 8.6(x) be ...) NOT-FOR-US: Cisco CVE-2013-3460 (Memory leak in Cisco Unified Communications Manager (Unified CM) 8.5(x ...) NOT-FOR-US: Cisco CVE-2013-3459 (Cisco Unified Communications Manager (Unified CM) 7.1(x) before 7.1(5b ...) NOT-FOR-US: Cisco CVE-2013-3458 (Cisco Adaptive Security Appliances (ASA) devices, when SMP is used, do ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2013-3457 (Absolute path traversal vulnerability in the web interface in Cisco Fi ...) NOT-FOR-US: Cisco Finesse CVE-2013-3456 RESERVED CVE-2013-3455 (Cisco Finesse allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Cisco CVE-2013-3454 (Cisco TelePresence System Software 1.10.1 and earlier on 500, 13X0, 1X ...) NOT-FOR-US: Cisco CVE-2013-3453 (Memory leak in Cisco Unified Communications Manager IM and Presence Se ...) NOT-FOR-US: Cisco CVE-2013-3452 RESERVED CVE-2013-3451 (Multiple cross-site request forgery (CSRF) vulnerabilities in Cisco Un ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2013-3450 (Cross-site request forgery (CSRF) vulnerability in the User WebDialer ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2013-3449 RESERVED CVE-2013-3448 (Cisco WebEx Meetings Server does not check whether a user account is a ...) NOT-FOR-US: Cisco CVE-2013-3447 RESERVED CVE-2013-3446 (Open redirect vulnerability in the login page in Cisco Digital Media M ...) NOT-FOR-US: Cisco CVE-2013-3445 (The firewall subsystem in Cisco Identity Services Engine has an incorr ...) NOT-FOR-US: Cisco Identity Services Engine CVE-2013-3444 (The web framework in Cisco WAAS Software before 4.x and 5.x before 5.0 ...) NOT-FOR-US: Cisco CVE-2013-3443 (The web service framework in Cisco WAAS Software 4.x and 5.x before 5. ...) NOT-FOR-US: Cisco CVE-2013-3442 (The web portal in Cisco Unified Communications Manager (Unified CM) al ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2013-3441 (Cisco Aironet 3600 access points allow remote attackers to cause a den ...) NOT-FOR-US: Cisco CVE-2013-3440 (Multiple cross-site scripting (XSS) vulnerabilities in the administrat ...) NOT-FOR-US: Cisco CVE-2013-3439 (Cross-site scripting (XSS) vulnerability in Cisco Unified Operations M ...) NOT-FOR-US: Cisco CVE-2013-3438 (The web framework in the server in Cisco Unified MeetingPlace Web Conf ...) NOT-FOR-US: Cisco CVE-2013-3437 (SQL injection vulnerability in the management application in Cisco Uni ...) NOT-FOR-US: Cisco CVE-2013-3436 (The default configuration of the Group Encrypted Transport VPN (GET VP ...) NOT-FOR-US: Cisco IOS CVE-2013-3435 (The Cisco Unified IP Conference Station 7937G allows remote attackers ...) NOT-FOR-US: Cisco CVE-2013-3434 (Untrusted search path vulnerability in Cisco Unified Communications Ma ...) NOT-FOR-US: Cisco CVE-2013-3433 (Untrusted search path vulnerability in Cisco Unified Communications Ma ...) NOT-FOR-US: Cisco CVE-2013-3432 RESERVED CVE-2013-3431 (Cisco Video Surveillance Manager (VSM) before 7.0.0 does not require a ...) NOT-FOR-US: Cisco CVE-2013-3430 (Cisco Video Surveillance Manager (VSM) before 7.0.0 allows remote atta ...) NOT-FOR-US: Cisco CVE-2013-3429 (Multiple directory traversal vulnerabilities in Cisco Video Surveillan ...) NOT-FOR-US: Cisco CVE-2013-3428 (The web interface in Cisco Secure Access Control System (ACS) does not ...) NOT-FOR-US: Cisco CVE-2013-3427 RESERVED CVE-2013-3426 (The Serviceability servlet on Cisco 9900 IP phones does not properly r ...) NOT-FOR-US: Cisco CVE-2013-3425 (The Meeting Center component in Cisco WebEx 11 generates different err ...) NOT-FOR-US: Cisco WebEx 11 CVE-2013-3424 (Cross-site request forgery (CSRF) vulnerability in Administration and ...) NOT-FOR-US: Cisco CVE-2013-3423 (Cross-site scripting (XSS) vulnerability in the web interface in Cisco ...) NOT-FOR-US: Cisco CVE-2013-3422 (Cross-site scripting (XSS) vulnerability in Administration pages in Ci ...) NOT-FOR-US: Cisco CVE-2013-3421 (Cross-site scripting (XSS) vulnerability in the Help index page in Cis ...) NOT-FOR-US: Cisco CVE-2013-3420 (Cross-site request forgery (CSRF) vulnerability in the web framework o ...) NOT-FOR-US: Cisco Identity Services Engine CVE-2013-3419 (Cross-site scripting (XSS) vulnerability in Cisco Unified MeetingPlace ...) NOT-FOR-US: Cisco CVE-2013-3418 (Cisco Unified Communications Domain Manager does not properly allocate ...) NOT-FOR-US: Cisco CVE-2013-3417 (The administrative web interface in Cisco Video Surveillance Operation ...) NOT-FOR-US: Cisco CVE-2013-3416 (Cross-site scripting (XSS) vulnerability in the web framework in the u ...) NOT-FOR-US: Cisco CVE-2013-3415 (Cisco Adaptive Security Appliance (ASA) Software 8.4.x before 8.4(3) a ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2013-3414 (Cross-site scripting (XSS) vulnerability in the WebVPN portal login pa ...) NOT-FOR-US: Cisco CVE-2013-3413 (Cross-site scripting (XSS) vulnerability in the search form in the adm ...) NOT-FOR-US: Cisco CVE-2013-3412 (SQL injection vulnerability in Cisco Unified Communications Manager (C ...) NOT-FOR-US: Cisco CVE-2013-3411 (The IDSM-2 drivers in Cisco Intrusion Prevention System (IPS) Software ...) NOT-FOR-US: Cisco CVE-2013-3410 (Cisco Intrusion Prevention System (IPS) Software on IPS NME devices be ...) NOT-FOR-US: Cisco CVE-2013-3409 (The portal in Cisco Prime Central for Hosted Collaboration Solution (H ...) NOT-FOR-US: Cisco CVE-2013-3408 (The firmware on Cisco Virtualization Experience Client 6000 devices se ...) NOT-FOR-US: Cisco CVE-2013-3407 (The web interface in Cisco Server Provisioner 6.4.0 Patch 5-1301292331 ...) NOT-FOR-US: Cisco CVE-2013-3406 (The "Files Available for Download" implementation in the Cisco Intelli ...) NOT-FOR-US: Cisco CVE-2013-3405 (The web portal in TC software on Cisco TelePresence endpoints does not ...) NOT-FOR-US: Cisco CVE-2013-3404 (SQL injection vulnerability in Cisco Unified Communications Manager (C ...) NOT-FOR-US: Cisco CVE-2013-3403 (Multiple untrusted search path vulnerabilities in Cisco Unified Commun ...) NOT-FOR-US: Cisco CVE-2013-3402 (An unspecified function in Cisco Unified Communications Manager (CUCM) ...) NOT-FOR-US: Cisco CVE-2013-3401 (The SIP implementation in Cisco TelePresence TC Software allows remote ...) NOT-FOR-US: Cisco CVE-2013-3400 (The license-installation module in Cisco NX-OS on Nexus 1000V devices ...) NOT-FOR-US: Cisco CVE-2013-3399 (Buffer overflow in an unspecified Android API on the Cisco Desktop Col ...) NOT-FOR-US: Cisco CVE-2013-3398 (The web framework in Cisco Prime Central for Hosted Collaboration Solu ...) NOT-FOR-US: Cisco CVE-2013-3397 (Cross-site request forgery (CSRF) vulnerability in the Unified Service ...) NOT-FOR-US: Cisco CVE-2013-3396 (Cross-site scripting (XSS) vulnerability in the web framework in Cisco ...) NOT-FOR-US: Cisco CVE-2013-3395 (Cross-site request forgery (CSRF) vulnerability in the web framework o ...) NOT-FOR-US: Cisco IronPort Web Security Appliance CVE-2013-3394 (Cross-site scripting (XSS) vulnerability in the web interface in Cisco ...) NOT-FOR-US: Cisco CVE-2013-3393 (The Precision Video Engine component in Cisco Jabber for Windows and C ...) NOT-FOR-US: Cisco CVE-2013-3392 (Multiple cross-site request forgery (CSRF) vulnerabilities in Cisco We ...) NOT-FOR-US: Cisco WebEx Social CVE-2013-3391 RESERVED CVE-2013-3390 (Memory leak in Cisco Prime Central for Hosted Collaboration Solution ( ...) NOT-FOR-US: Cisco Prime Central CVE-2013-3389 (Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance ...) NOT-FOR-US: Cisco Prime Central CVE-2013-3388 (Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance ...) NOT-FOR-US: Cisco Prime Central CVE-2013-3387 (Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance ...) NOT-FOR-US: Cisco Prime Central CVE-2013-3386 (The IronPort Spam Quarantine (ISQ) component in the web framework in I ...) NOT-FOR-US: Cisco CVE-2013-3385 (The management GUI in the web framework in IronPort AsyncOS on Cisco W ...) NOT-FOR-US: Cisco CVE-2013-3384 (The web framework in IronPort AsyncOS on Cisco Web Security Appliance ...) NOT-FOR-US: Cisco CVE-2013-3383 (The web framework in IronPort AsyncOS on Cisco Web Security Appliance ...) NOT-FOR-US: Cisco CVE-2013-3382 (The Next-Generation Firewall (aka NGFW, formerly CX Context-Aware Secu ...) NOT-FOR-US: Cisco ASA CVE-2013-3381 (Cisco Hosted Collaboration Mediation allows remote attackers to cause ...) NOT-FOR-US: Cisco Hosted Collaboration Mediation CVE-2013-3380 (The administrative web interface in the Access Control Server in Cisco ...) NOT-FOR-US: Cisco Secure Access Control System CVE-2013-3379 (The firewall subsystem in Cisco TelePresence TC Software before 4.2 do ...) NOT-FOR-US: Cisco TelePresence TC Software CVE-2013-3378 (Cisco TelePresence TC Software before 6.1 and TE Software before 4.1.3 ...) NOT-FOR-US: Cisco TelePresence TC Software CVE-2013-3377 (Cisco TelePresence TC Software before 5.1.7 and TE Software before 4.1 ...) NOT-FOR-US: Cisco TelePresence TC Software CVE-2013-3376 (Open redirect vulnerability in the help page in Cisco Video Surveillan ...) NOT-FOR-US: Cisco CVE-2013-3375 (Cross-site scripting (XSS) vulnerability in the portal page in Cisco P ...) NOT-FOR-US: Cisco CVE-2013-3374 (Unspecified vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 ...) {DSA-2671-1 DSA-2670-1} - request-tracker3.8 - request-tracker4 4.0.12-2 (bug #709836) CVE-2013-3373 (CRLF injection vulnerability in Request Tracker (RT) 3.8.x before 3.8. ...) {DSA-2671-1 DSA-2670-1} - request-tracker3.8 - request-tracker4 4.0.12-2 (bug #709836) CVE-2013-3372 (Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allow ...) {DSA-2671-1 DSA-2670-1} - request-tracker3.8 - request-tracker4 4.0.12-2 (bug #709836) CVE-2013-3371 (Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 3.8.3 ...) {DSA-2671-1 DSA-2670-1} - request-tracker3.8 - request-tracker4 4.0.12-2 (bug #709836) CVE-2013-3370 (Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 does ...) {DSA-2671-1 DSA-2670-1} - request-tracker3.8 - request-tracker4 4.0.12-2 (bug #709836) CVE-2013-3369 (Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allow ...) {DSA-2671-1 DSA-2670-1} - request-tracker3.8 - request-tracker4 4.0.12-2 (bug #709836) CVE-2013-3368 (bin/rt in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4. ...) {DSA-2671-1 DSA-2670-1} - request-tracker3.8 - request-tracker4 4.0.12-2 (bug #709836) CVE-2013-3367 (Undocumented TELNET service in TRENDnet TEW-691GR and TEW-692GR when a ...) NOT-FOR-US: TRENDnet CVE-2013-3366 (Undocumented TELNET service in TRENDnet TEW-812DRU when a web page nam ...) NOT-FOR-US: TRENDnet CVE-2013-3365 (TRENDnet TEW-812DRU router allows remote authenticated users to execut ...) NOT-FOR-US: TRENDnet TEW-812DRU router CVE-2013-3364 RESERVED CVE-2013-3363 (Adobe Flash Player before 11.7.700.242 and 11.8.x before 11.8.800.168 ...) NOT-FOR-US: Adobe Flash Player CVE-2013-3362 (Adobe Flash Player before 11.7.700.242 and 11.8.x before 11.8.800.168 ...) NOT-FOR-US: Adobe Flash Player CVE-2013-3361 (Adobe Flash Player before 11.7.700.242 and 11.8.x before 11.8.800.168 ...) NOT-FOR-US: Adobe Flash Player CVE-2013-3360 (Adobe Shockwave Player before 12.0.4.144 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2013-3359 (Adobe Shockwave Player before 12.0.4.144 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2013-3358 (Integer overflow in Adobe Reader and Acrobat before 10.1.8 and 11.x be ...) NOT-FOR-US: Adobe Reader CVE-2013-3357 (Integer overflow in Adobe Reader and Acrobat before 10.1.8 and 11.x be ...) NOT-FOR-US: Adobe Reader CVE-2013-3356 (Buffer overflow in Adobe Reader and Acrobat before 10.1.8 and 11.x bef ...) NOT-FOR-US: Adobe Reader CVE-2013-3355 (Adobe Reader and Acrobat before 10.1.8 and 11.x before 11.0.04 on Wind ...) NOT-FOR-US: Adobe Reader CVE-2013-3354 (Adobe Reader and Acrobat before 10.1.8 and 11.x before 11.0.04 on Wind ...) NOT-FOR-US: Adobe Reader CVE-2013-3353 (Buffer overflow in Adobe Reader and Acrobat before 10.1.8 and 11.x bef ...) NOT-FOR-US: Adobe Reader CVE-2013-3352 (Adobe Reader and Acrobat before 10.1.8 and 11.x before 11.0.04 on Wind ...) NOT-FOR-US: Adobe Reader CVE-2013-3351 (Multiple stack-based buffer overflows in Adobe Reader and Acrobat befo ...) NOT-FOR-US: Adobe Reader CVE-2013-3350 (Adobe ColdFusion 10 before Update 11 allows remote attackers to call C ...) NOT-FOR-US: Adobe ColdFusion CVE-2013-3349 (Unspecified vulnerability in Adobe ColdFusion 9.0 through 9.0.2, when ...) NOT-FOR-US: Adobe ColdFusion CVE-2013-3348 (Adobe Shockwave Player before 12.0.3.133 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2013-3347 (Integer overflow in Adobe Flash Player before 11.7.700.232 and 11.8.x ...) NOT-FOR-US: Adobe Flash Player CVE-2013-3346 (Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11. ...) NOT-FOR-US: Adobe Reader CVE-2013-3345 (Adobe Flash Player before 11.7.700.232 and 11.8.x before 11.8.800.94 o ...) NOT-FOR-US: Adobe Flash Player CVE-2013-3344 (Heap-based buffer overflow in Adobe Flash Player before 11.7.700.232 a ...) NOT-FOR-US: Adobe Flash Player CVE-2013-3343 (Adobe Flash Player before 10.3.183.90 and 11.x before 11.7.700.224 on ...) NOT-FOR-US: Adobe Flash Player CVE-2013-3342 (Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11. ...) NOT-FOR-US: Adobe Reader CVE-2013-3341 (Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11. ...) NOT-FOR-US: Adobe Reader CVE-2013-3340 (Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11. ...) NOT-FOR-US: Adobe Reader CVE-2013-3339 (Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11. ...) NOT-FOR-US: Adobe Reader CVE-2013-3338 (Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11. ...) NOT-FOR-US: Adobe Reader CVE-2013-3337 (Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11. ...) NOT-FOR-US: Adobe Reader CVE-2013-3336 (Unspecified vulnerability in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 1 ...) NOT-FOR-US: Adobe ColdFusion CVE-2013-3335 (Adobe Flash Player before 10.3.183.86 and 11.x before 11.7.700.202 on ...) NOT-FOR-US: Adobe Flash Player CVE-2013-3334 (Adobe Flash Player before 10.3.183.86 and 11.x before 11.7.700.202 on ...) NOT-FOR-US: Adobe Flash Player CVE-2013-3333 (Adobe Flash Player before 10.3.183.86 and 11.x before 11.7.700.202 on ...) NOT-FOR-US: Adobe Flash Player CVE-2013-3332 (Adobe Flash Player before 10.3.183.86 and 11.x before 11.7.700.202 on ...) NOT-FOR-US: Adobe Flash Player CVE-2013-3331 (Adobe Flash Player before 10.3.183.86 and 11.x before 11.7.700.202 on ...) NOT-FOR-US: Adobe Flash Player CVE-2013-3330 (Adobe Flash Player before 10.3.183.86 and 11.x before 11.7.700.202 on ...) NOT-FOR-US: Adobe Flash Player CVE-2013-3329 (Adobe Flash Player before 10.3.183.86 and 11.x before 11.7.700.202 on ...) NOT-FOR-US: Adobe Flash Player CVE-2013-3328 (Adobe Flash Player before 10.3.183.86 and 11.x before 11.7.700.202 on ...) NOT-FOR-US: Adobe Flash Player CVE-2013-3327 (Adobe Flash Player before 10.3.183.86 and 11.x before 11.7.700.202 on ...) NOT-FOR-US: Adobe Flash Player CVE-2013-3326 (Adobe Flash Player before 10.3.183.86 and 11.x before 11.7.700.202 on ...) NOT-FOR-US: Adobe Flash Player CVE-2013-3325 (Adobe Flash Player before 10.3.183.86 and 11.x before 11.7.700.202 on ...) NOT-FOR-US: Adobe Flash Player CVE-2013-3324 (Adobe Flash Player before 10.3.183.86 and 11.x before 11.7.700.202 on ...) NOT-FOR-US: Adobe Flash Player CVE-2013-3323 (A Privilege Escalation Vulnerability exists in IBM Maximo Asset Manage ...) NOT-FOR-US: IBM CVE-2013-3322 (NetApp OnCommand System Manager 2.1 and earlier allows remote attacker ...) NOT-FOR-US: NetApp OnCommand System Manager CVE-2013-3321 (NetApp OnCommand System Manager 2.1 and earlier allows remote attacker ...) NOT-FOR-US: NetApp CVE-2013-3320 (Cross-site Scripting (XSS) vulnerability in NetApp OnCommand System Ma ...) NOT-FOR-US: NetApp CVE-2013-3319 (The GetComputerSystem method in the HostControl service in SAP Netweav ...) NOT-FOR-US: SAP Netweaver CVE-2013-3318 REJECTED CVE-2013-3317 (Netgear WNR1000v3 with firmware before 1.0.2.60 contains an Authentica ...) NOT-FOR-US: Netgear CVE-2013-3316 (Netgear WNR1000v3 with firmware before 1.0.2.60 contains an Authentica ...) NOT-FOR-US: Netgear CVE-2013-3315 (The server in TIBCO Silver Mobile 1.1.0 does not properly verify acces ...) NOT-FOR-US: TIBCO CVE-2013-3314 (The Loftek Nexus 543 IP Camera allows remote attackers to obtain (1) I ...) NOT-FOR-US: Loftek Nexus 543 IP Camera CVE-2013-3313 (The Loftek Nexus 543 IP Camera stores passwords in cleartext, which al ...) NOT-FOR-US: Loftek Nexus 543 IP Camera CVE-2013-3312 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Loft ...) NOT-FOR-US: Loftek Nexus 543 IP Camera CVE-2013-3311 (Directory traversal vulnerability in the Loftek Nexus 543 IP Camera al ...) NOT-FOR-US: Loftek Nexus 543 IP Camera CVE-2013-3310 RESERVED CVE-2009-5135 (The Java XML parser in Echo before 2.1.1 and 3.x before 3.0.b6 allows ...) NOT-FOR-US: Echo CVE-2013-3309 RESERVED CVE-2013-3308 RESERVED CVE-2013-3307 RESERVED CVE-2013-3306 RESERVED CVE-2013-3305 RESERVED CVE-2013-3304 (Directory traversal vulnerability in Dell EqualLogic PS4000 with firmw ...) NOT-FOR-US: Dell EqualLogic PS4000 CVE-2013-3303 RESERVED CVE-2013-3300 (The JsonParser class in json/JsonParser.scala in Lift before 2.5 inter ...) NOT-FOR-US: Lift Framework CVE-2013-3299 (RealNetworks RealPlayer 16.0.2.32 and earlier allows remote attackers ...) NOT-FOR-US: RealPlayer CVE-2013-3298 RESERVED CVE-2013-3297 RESERVED CVE-2013-3296 RESERVED CVE-2013-3295 (Directory traversal vulnerability in install/popup.php in Exponent CMS ...) NOT-FOR-US: Exponent CMS CVE-2013-3294 (Multiple SQL injection vulnerabilities in Exponent CMS before 2.2.0 re ...) NOT-FOR-US: Exponent CMS CVE-2013-3293 RESERVED CVE-2013-3292 RESERVED CVE-2013-3291 RESERVED CVE-2013-3290 RESERVED CVE-2013-3289 REJECTED CVE-2013-3288 (Cross-site scripting (XSS) vulnerability on the EMC RSA Data Protectio ...) NOT-FOR-US: EMC CVE-2013-3287 (EMC Unisphere for VMAX before 1.6.1.6, when using an unspecified level ...) NOT-FOR-US: EMC Unisphere for VMAX CVE-2013-3286 (Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum ...) NOT-FOR-US: EMC Documentum CVE-2013-3285 (The NetWorker Management Console (NMC) in EMC NetWorker 8.0.x before 8 ...) NOT-FOR-US: EMC NetWorker CVE-2013-3284 REJECTED CVE-2013-3283 REJECTED CVE-2013-3282 REJECTED CVE-2013-3281 (Cross-site scripting (XSS) vulnerability in EMC Documentum Webtop befo ...) NOT-FOR-US: EMC Documentum CVE-2013-3280 (EMC RSA Authentication Agent 7.1.x before 7.1.2 for Web for Internet I ...) NOT-FOR-US: RSA Authentication Agent for Web for Internet Information Services CVE-2013-3279 (EMC Atmos before 2.1.4 has a blank password for the PostgreSQL account ...) NOT-FOR-US: EMC CVE-2013-3278 (EMC VPLEX before VPLEX GeoSynchrony 5.2 SP1 uses cleartext for storage ...) NOT-FOR-US: EMC CVE-2013-3277 (Open redirect vulnerability in EMC RSA Archer GRC 5.x before 5.4 allow ...) NOT-FOR-US: EMC CVE-2013-3276 (EMC RSA Archer GRC 5.x before 5.4 allows remote authenticated users to ...) NOT-FOR-US: EMC CVE-2013-3275 (EMC Avamar Server and Avamar Virtual Edition before 7.0 on Data Store ...) NOT-FOR-US: EMC CVE-2013-3274 (EMC Avamar Server and Avamar Virtual Edition before 7.0 on Data Store ...) NOT-FOR-US: EMC CVE-2013-3273 (EMC RSA Authentication Manager 8.0 before P2 and 7.1 before SP4 P26, a ...) NOT-FOR-US: EMC CVE-2013-3272 (EMC Replication Manager (RM) before 5.4.4 places encoded passwords in ...) NOT-FOR-US: EMC CVE-2013-3271 (EMC RSA Authentication Agent for PAM 7.0 before 7.0.2.1 enforces the m ...) NOT-FOR-US: EMC CVE-2013-3270 (EMC VNX Control Station before 7.1.70.2 and Celerra Control Station be ...) NOT-FOR-US: EMC CVE-2013-3302 (Race condition in the smb_send_rqst function in fs/cifs/transport.c in ...) - linux-2.6 (Introduced in 3.7) - linux 3.8-1 [wheezy] - linux (Introduced in 3.7) CVE-2013-3301 (The ftrace implementation in the Linux kernel before 3.8.8 allows loca ...) {DSA-2669-1} - linux-2.6 (Vulnerable code not present) - linux 3.8.11-1 (low) NOTE: https://git.kernel.org/linus/6a76f8c0ab19f215af2a3442870eeb5f0e81998d NOTE: Not enabled in default kernels CVE-2013-3269 (Cross-site request forgery (CSRF) vulnerability in Cybozu Office befor ...) NOT-FOR-US: Cybozu Office CVE-2013-3268 (Novell iManager 2.7 before SP6 Patch 1 does not refresh a token after ...) NOT-FOR-US: Novell iManager CVE-2013-3267 (Cross-site scripting (XSS) vulnerability in the highlighter plugin in ...) NOT-FOR-US: Joomla! CVE-2013-3266 (The nfsrvd_readdir function in sys/fs/nfsserver/nfs_nfsdport.c in the ...) {DSA-2672-1} - kfreebsd-9 9.0-11 (bug #706414) - kfreebsd-8 (bug #706418) [wheezy] - kfreebsd-8 (new NFS server is not enabled) [squeeze] - kfreebsd-8 (new NFS server is not enabled) NOTE: http://www.freebsd.org/security/advisories/FreeBSD-SA-13:05.nfsserver.asc CVE-2013-3265 RESERVED CVE-2013-3264 (The WP Ultimate Email Marketer plugin 1.1.0 and possibly earlier for W ...) NOT-FOR-US: WP Ultimate Email Marketer CVE-2013-3263 (Multiple cross-site scripting (XSS) vulnerabilities in the WP Ultimate ...) NOT-FOR-US: WP Ultimate Email Marketer CVE-2013-3262 (Cross-site scripting (XSS) vulnerability in admin/admin.php in the Dow ...) NOT-FOR-US: WordPress plugin download-monitor CVE-2013-3261 (Cross-site scripting (XSS) vulnerability in wp-admin/admin.php in the ...) NOT-FOR-US: WordPress plugin flash-album-gallery CVE-2013-3260 (Heap-based buffer overflow in INMATRIX Zoom Player before 8.7 beta 11 ...) NOT-FOR-US: INMATRIX Zoom Player CVE-2013-3259 (Stack-based buffer overflow in INMATRIX Zoom Player before 8.7 beta 11 ...) NOT-FOR-US: INMATRIX Zoom Player CVE-2013-3258 (Cross-site request forgery (CSRF) vulnerability in he Digg Digg plugin ...) NOT-FOR-US: WordPress plugin digg-digg CVE-2013-3257 (Cross-site request forgery (CSRF) vulnerability in the Related Posts p ...) NOT-FOR-US: WordPress plugin related-posts CVE-2013-3256 (Cross-site request forgery (CSRF) vulnerability in the Shareaholic Sex ...) NOT-FOR-US: WordPress plugin sexybookmarks CVE-2013-3255 RESERVED CVE-2013-3254 (Cross-site scripting (XSS) vulnerability in wp-admin/admin.php in the ...) NOT-FOR-US: WordPress plugin CVE-2013-3253 (Cross-site request forgery (CSRF) vulnerability in admin/setting.php i ...) NOT-FOR-US: WordPress plugin CVE-2013-3252 (Cross-site request forgery (CSRF) vulnerability in the options admin p ...) NOT-FOR-US: WordPress plugin WP-PostViews CVE-2013-3251 (Cross-site request forgery (CSRF) vulnerability in the qTranslate plug ...) NOT-FOR-US: WordPress plugin qTranslate CVE-2013-3250 (Cross-site request forgery (CSRF) vulnerability in the WP Maintenance ...) NOT-FOR-US: WP Maintenance Mode plugin for Wordpress CVE-2013-3249 (Stack-based buffer overflow in the "Add from text file" feature in the ...) NOT-FOR-US: DameWare Remote Support CVE-2013-3248 (Untrusted search path vulnerability in Corel PDF Fusion 1.11 allows lo ...) NOT-FOR-US: Corel PDF Fusion CVE-2013-3247 (Heap-based buffer overflow in xnview.exe in XnView before 2.03 allows ...) NOT-FOR-US: XnView CVE-2013-3246 (Stack-based buffer overflow in xnview.exe in XnView before 2.03 allows ...) NOT-FOR-US: XnView CVE-2013-3245 (** DISPUTED ** plugins/demux/libmkv_plugin.dll in VideoLAN VLC Media P ...) - vlc 2.0.7-1 (unimportant) NOTE: Harmless crasher NOTE: http://git.videolan.org/?p=vlc.git;a=commit;h=59c9e8309d5b435a2d85c2c9eaae979ba56ccdd9 NOTE: http://secunia.com/blog/372/ NOTE: http://www.jbkempf.com/blog/post/2013/More-lies-from-Secunia CVE-2013-3244 (Multiple unspecified vulnerabilities in the CJDB_FILL_MEMORY_FROM_PPB ...) NOT-FOR-US: SAP ERP Central Component CVE-2013-3243 (Unspecified vulnerability in OpenText/IXOS ECM for SAP NetWeaver allow ...) NOT-FOR-US: SAP NetWeaver CVE-2013-3242 (plugins/system/remember/remember.php in Joomla! 2.5.x before 2.5.10 an ...) NOT-FOR-US: Joomla! CVE-2013-3241 (export.php (aka the export script) in phpMyAdmin 4.x before 4.0.0-rc3 ...) - phpmyadmin (Vulnerable code not present) CVE-2013-3240 (Directory traversal vulnerability in the Export feature in phpMyAdmin ...) - phpmyadmin (Vulnerable code not present) CVE-2013-3239 (phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3, when a SaveDir ...) {DLA-0014-1} - phpmyadmin 4:3.4.11.1-2 [squeeze] - phpmyadmin 4:3.3.7-8 NOTE: Requires non-default option saveDir to be enabled, an authenticated untrusted user and Apache mod_mime CVE-2013-3238 (phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3 allows remote a ...) - phpmyadmin (exploitable PHP on Windows only) NOTE: code patched in 4:3.4.11.1-2 nonetheless CVE-2013-3237 (The vsock_stream_sendmsg function in net/vmw_vsock/af_vsock.c in the L ...) - linux-2.6 ((net/vmw_vsock/af_vsock.c not present) - linux (net/vmw_vsock/af_vsock.c not present) - open-vm-tools 2:9.2.2-893683-8 (low; bug #706557) [wheezy] - open-vm-tools (Minor information leak) [squeeze] - open-vm-tools (Contrib not supported, minor information leak) CVE-2013-3236 (The vmci_transport_dgram_dequeue function in net/vmw_vsock/vmci_transp ...) - linux-2.6 (VM Sockets only introduced in 3.9-rc1) - linux (VM Sockets introduced in 3.9-rc1) CVE-2013-3235 (net/tipc/socket.c in the Linux kernel before 3.9-rc7 does not initiali ...) {DSA-2669-1 DSA-2668-1} - linux-2.6 (low) - linux 3.8.11-1 (low) CVE-2013-3234 (The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel be ...) {DSA-2669-1 DSA-2668-1} - linux-2.6 (low) - linux 3.8.11-1 (low) CVE-2013-3233 (The llcp_sock_recvmsg function in net/nfc/llcp/sock.c in the Linux ker ...) - linux-2.6 (net/nfc/llcp/sock.c not present, introduced in 3.3) - linux (net/nfc/llcp/sock.c not present, introduced in 3.3) CVE-2013-3232 (The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel ...) - linux-2.6 (Introduced and fixed during 3.9 cycle) - linux (Introduced and fixed during 3.9 cycle) CVE-2013-3231 (The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel be ...) {DSA-2669-1 DSA-2668-1} - linux-2.6 (low) - linux 3.8.11-1 (low) CVE-2013-3230 (The l2tp_ip6_recvmsg function in net/l2tp/l2tp_ip6.c in the Linux kern ...) - linux-2.6 (net/l2tp/l2tp_ip6.c not present) - linux (net/l2tp/l2tp_ip6.c introduced in 3.5) CVE-2013-3229 (The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kern ...) {DSA-2669-1 DSA-2668-1} - linux-2.6 (low) - linux 3.8.11-1 (low) CVE-2013-3228 (The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux ker ...) {DSA-2669-1 DSA-2668-1} - linux-2.6 (low) - linux 3.8.11-1 (low) CVE-2013-3227 (The caif_seqpkt_recvmsg function in net/caif/caif_socket.c in the Linu ...) {DSA-2669-1} - linux-2.6 (net/caif/caif_socket.c introduced in v2.6.35) - linux 3.8.11-1 (low) CVE-2013-3226 (The sco_sock_recvmsg function in net/bluetooth/sco.c in the Linux kern ...) - linux-2.6 (Vulnerable code not yet present) - linux (Vulnerable code not yet present) NOTE: sco_sock_recvmsg only introduced with v3.8, bt_sock_recvmsg has its own CVE ID CVE-2013-3225 (The rfcomm_sock_recvmsg function in net/bluetooth/rfcomm/sock.c in the ...) {DSA-2669-1 DSA-2668-1} - linux-2.6 (low) - linux 3.8.11-1 (low) CVE-2013-3224 (The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Li ...) {DSA-2669-1 DSA-2668-1} - linux-2.6 (low) - linux 3.8.11-1 (low) CVE-2013-3223 (The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel be ...) {DSA-2669-1 DSA-2668-1} - linux-2.6 (low) - linux 3.8.11-1 (low) CVE-2013-3222 (The vcc_recvmsg function in net/atm/common.c in the Linux kernel befor ...) {DSA-2669-1 DSA-2668-1} - linux-2.6 (low) - linux 3.8.11-1 (low) CVE-2013-3221 (The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and ...) - rails-3.2 (unimportant) - ruby-activerecord-3.2 (unimportant) - ruby-activerecord-2.3 (unimportant) [wheezy] - ruby-activerecord-2.3 - rails 2.3.14.1 (unimportant) NOTE: Starting with 2.3.14.1 rails is a transition package NOTE: This is a general design problem and only mitigated by documented best practices CVE-2013-3220 (bitcoind and Bitcoin-Qt before 0.4.9rc2, 0.5.x before 0.5.8rc2, 0.6.x ...) - bitcoin 0.8.1-1 CVE-2013-3219 (bitcoind and Bitcoin-Qt 0.8.x before 0.8.1 do not enforce a certain bl ...) - bitcoin 0.8.1-1 CVE-2013-3218 RESERVED CVE-2013-3217 RESERVED CVE-2013-3216 RESERVED CVE-2013-3215 (vtiger CRM 5.4.0 and earlier contain an Authentication Bypass Vulnerab ...) NOT-FOR-US: vtiger CRM CVE-2013-3214 (vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerabilit ...) NOT-FOR-US: vtiger CRM CVE-2013-3213 (Multiple SQL injection vulnerabilities in vTiger CRM 5.0.0 through 5.4 ...) NOT-FOR-US: vTiger CRM CVE-2013-3212 (vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilitie ...) NOT-FOR-US: vtiger CRM CVE-2012-6551 (The default configuration of Apache ActiveMQ before 5.8.0 enables a sa ...) - activemq (Example code not shipped in .deb) CVE-2013-3211 (Unspecified vulnerability in Opera before 12.15 has unknown impact and ...) NOT-FOR-US: Opera CVE-2013-3210 (Opera before 12.15 does not properly block top-level domains in Set-Co ...) NOT-FOR-US: Opera CVE-2013-3209 (Microsoft Internet Explorer 9 and 10 allows remote attackers to execut ...) NOT-FOR-US: Microsoft CVE-2013-3208 (Microsoft Internet Explorer 8 through 10 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2013-3207 (Microsoft Internet Explorer 9 and 10 allows remote attackers to execut ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3206 (Microsoft Internet Explorer 9 and 10 allows remote attackers to execut ...) NOT-FOR-US: Microsoft CVE-2013-3205 (Microsoft Internet Explorer 6 through 8 allows remote attackers to exe ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3204 (Microsoft Internet Explorer 7 through 10 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2013-3203 (Microsoft Internet Explorer 9 and 10 allows remote attackers to execut ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3202 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft CVE-2013-3201 (Microsoft Internet Explorer 9 and 10 allows remote attackers to execut ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3200 (The USB drivers in the kernel-mode drivers in Microsoft Windows XP SP2 ...) NOT-FOR-US: Microsoft Windows CVE-2013-3199 (Microsoft Internet Explorer 6 through 10 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3198 (The NT Virtual DOS Machine (NTVDM) subsystem in the kernel in Microsof ...) NOT-FOR-US: Microsoft Windows CVE-2013-3197 (The NT Virtual DOS Machine (NTVDM) subsystem in the kernel in Microsof ...) NOT-FOR-US: Microsoft Windows CVE-2013-3196 (The NT Virtual DOS Machine (NTVDM) subsystem in the kernel in Microsof ...) NOT-FOR-US: Microsoft Windows CVE-2013-3195 (The DSA_InsertItem function in Comctl32.dll in the Windows common cont ...) NOT-FOR-US: Microsoft Windows CVE-2013-3194 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3193 (Microsoft Internet Explorer 9 and 10 allows remote attackers to execut ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3192 (Cross-site scripting (XSS) vulnerability in Microsoft Internet Explore ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3191 (Microsoft Internet Explorer 9 and 10 allows remote attackers to execut ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3190 (Microsoft Internet Explorer 8 through 10 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3189 (Microsoft Internet Explorer 8 and 9 allows remote attackers to execute ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3188 (Microsoft Internet Explorer 8 and 9 allows remote attackers to execute ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3187 (Microsoft Internet Explorer 9 and 10 allows remote attackers to execut ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3186 (The Protected Mode feature in Microsoft Internet Explorer 7 through 10 ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3185 (Microsoft Active Directory Federation Services (AD FS) 1.x through 2.1 ...) NOT-FOR-US: Microsoft Active Directory Federation Services CVE-2013-3184 (Microsoft Internet Explorer 7 through 10 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3183 (The TCP/IP implementation in Microsoft Windows Vista SP2, Windows Serv ...) NOT-FOR-US: Microsoft Windows CVE-2013-3182 (The Windows NAT Driver (aka winnat) service in Microsoft Windows Serve ...) NOT-FOR-US: Microsoft Windows CVE-2013-3181 (usp10.dll in the Unicode Scripts Processor in Microsoft Windows XP SP2 ...) NOT-FOR-US: Microsoft Windows CVE-2013-3180 (Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Serve ...) NOT-FOR-US: Microsoft SharePoint Server CVE-2013-3179 (Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Serve ...) NOT-FOR-US: Microsoft SharePoint Server CVE-2013-3178 (Microsoft Silverlight 5 before 5.1.20513.0 does not properly initializ ...) NOT-FOR-US: Microsoft Silverlight CVE-2013-3177 REJECTED CVE-2013-3176 REJECTED CVE-2013-3175 (Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vis ...) NOT-FOR-US: Microsoft CVE-2013-3174 (DirectShow in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP ...) NOT-FOR-US: Microsoft CVE-2013-3173 (Buffer overflow in win32k.sys in the kernel-mode drivers in Microsoft ...) NOT-FOR-US: Microsoft CVE-2013-3172 (Buffer overflow in win32k.sys in the kernel-mode drivers in Microsoft ...) NOT-FOR-US: Microsoft CVE-2013-3171 (The serialization functionality in Microsoft .NET Framework 2.0 SP2, 3 ...) NOT-FOR-US: Microsoft CVE-2013-3170 REJECTED CVE-2013-3169 REJECTED CVE-2013-3168 REJECTED CVE-2013-3167 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft CVE-2013-3166 (Cross-site scripting (XSS) vulnerability in Microsoft Internet Explore ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3165 REJECTED CVE-2013-3164 (Microsoft Internet Explorer 8 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3163 (Microsoft Internet Explorer 8 through 10 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3162 (Microsoft Internet Explorer 7 through 10 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3161 (Microsoft Internet Explorer 9 and 10 allows remote attackers to execut ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3160 (Microsoft Office 2003 SP3 and 2007 SP3, Word 2003 SP3 and 2007 SP3, an ...) NOT-FOR-US: Microsoft Office CVE-2013-3159 (Microsoft Excel 2003 SP3, 2007 SP3, and 2010 SP1 and SP2; Excel Viewer ...) NOT-FOR-US: Microsoft Excel CVE-2013-3158 (Microsoft Excel 2003 SP3 and 2007 SP3 allows remote attackers to execu ...) NOT-FOR-US: Microsoft Excel CVE-2013-3157 (Microsoft Access 2007 SP3, 2010 SP1 and SP2, and 2013 in Microsoft Off ...) NOT-FOR-US: Microsoft CVE-2013-3156 (Microsoft Access 2007 SP3, 2010 SP1 and SP2, and 2013 in Microsoft Off ...) NOT-FOR-US: Microsoft Access CVE-2013-3155 (Microsoft Access 2007 SP3, 2010 SP1 and SP2, and 2013 in Microsoft Off ...) NOT-FOR-US: Microsoft CVE-2013-3154 (The signature-update functionality in Windows Defender on Microsoft Wi ...) NOT-FOR-US: Microsoft Windows CVE-2013-3153 (Microsoft Internet Explorer 6 through 10 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3152 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3151 (Microsoft Internet Explorer 8 through 10 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3150 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3149 (Microsoft Internet Explorer 7 and 8 allows remote attackers to execute ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3148 (Microsoft Internet Explorer 6 through 10 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3147 (Microsoft Internet Explorer 6 through 9 allows remote attackers to exe ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3146 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3145 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3144 (Microsoft Internet Explorer 8 through 10 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3143 (Microsoft Internet Explorer 9 and 10 allows remote attackers to execut ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3142 (Microsoft Internet Explorer 6 through 10 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3141 (Microsoft Internet Explorer 8 and 9 allows remote attackers to execute ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3140 (Use-after-free vulnerability in Microsoft Internet Explorer 9 allows r ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3139 (Microsoft Internet Explorer 6 through 10 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3138 (Integer overflow in the TCP/IP kernel-mode driver in Microsoft Windows ...) NOT-FOR-US: Microsoft CVE-2013-3137 (Microsoft FrontPage 2003 SP3 does not properly parse DTDs, which allow ...) NOT-FOR-US: Microsoft FrontPage CVE-2013-3136 (The kernel in Microsoft Windows XP SP3, Windows Server 2003 SP2, Windo ...) NOT-FOR-US: Microsoft CVE-2013-3135 REJECTED CVE-2013-3134 (The Common Language Runtime (CLR) in Microsoft .NET Framework 2.0 SP2, ...) NOT-FOR-US: Microsoft .NET Framework CVE-2013-3133 (Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, and 4.5 does not prop ...) NOT-FOR-US: Microsoft .NET Framework CVE-2013-3132 (Microsoft .NET Framework 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, and ...) NOT-FOR-US: Microsoft .NET Framework CVE-2013-3131 (Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, and 4.5, and Silverli ...) NOT-FOR-US: Microsoft CVE-2013-3130 REJECTED CVE-2013-3129 (Microsoft .NET Framework 3.0 SP2, 3.5, 3.5.1, 4, and 4.5; Silverlight ...) NOT-FOR-US: Microsoft CVE-2013-3128 (The kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows S ...) NOT-FOR-US: Microsoft Windows CVE-2013-3127 (The Microsoft WMV video codec in wmv9vcm.dll, wmvdmod.dll in Windows M ...) NOT-FOR-US: Microsoft CVE-2013-3126 (Microsoft Internet Explorer 9 and 10, when script debugging is enabled ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3125 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3124 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3123 (Microsoft Internet Explorer 8 through 10 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3122 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3121 (Microsoft Internet Explorer 6 through 10 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3120 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3119 (Microsoft Internet Explorer 9 and 10 allows remote attackers to execut ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3118 (Microsoft Internet Explorer 10 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3117 (Microsoft Internet Explorer 9 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3116 (Microsoft Internet Explorer 7 through 9 allows remote attackers to exe ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3115 (Microsoft Internet Explorer 7 through 10 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3114 (Microsoft Internet Explorer 9 and 10 allows remote attackers to execut ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3113 (Microsoft Internet Explorer 6 through 10 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3112 (Microsoft Internet Explorer 6 through 10 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3111 (Microsoft Internet Explorer 8 through 10 allows remote attackers to ex ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3110 (Microsoft Internet Explorer 8 and 9 allows remote attackers to execute ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3109 RESERVED CVE-2013-3108 RESERVED CVE-2013-3107 (VMware vCenter Server 5.1 before Update 1, when anonymous LDAP binding ...) NOT-FOR-US: vCenter CVE-2013-3106 (Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange Ap ...) NOT-FOR-US: Open-Xchange CVE-2013-3105 RESERVED CVE-2013-3104 RESERVED CVE-2013-3103 RESERVED CVE-2013-3102 RESERVED CVE-2013-3101 RESERVED CVE-2013-3100 RESERVED CVE-2013-3099 RESERVED CVE-2013-3098 (Multiple cross-site request forgery (CSRF) vulnerabilities in TRENDnet ...) NOT-FOR-US: TRENDnet TEW-812DRU router CVE-2013-3097 (Unspecified Cross-site scripting (XSS) vulnerability in the Verizon FI ...) NOT-FOR-US: Verizon CVE-2013-3096 (D-Link DIR865L v1.03 suffers from an "Unauthenticated Hardware Linking ...) NOT-FOR-US: D-Link CVE-2013-3095 (Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link D ...) NOT-FOR-US: D-Link CVE-2013-3094 RESERVED CVE-2013-3093 (ASUS RT-N56U devices allow CSRF. ...) NOT-FOR-US: ASUS RT-N56U devices CVE-2013-3092 (The Belkin N300 (F7D7301v1) router allows remote attackers to bypass a ...) NOT-FOR-US: Belkin router CVE-2013-3091 (An Authentication Bypass vulnerability in Belkin N300 (F7D7301v1) rout ...) NOT-FOR-US: Belkin N300 router CVE-2013-3090 (Multiple cross-site scripting (XSS) vulnerabilities in Belkin N300 rou ...) NOT-FOR-US: Belkin N300 router CVE-2013-3089 (Cross-site request forgery (CSRF) vulnerability in apply.cgi in Belkin ...) NOT-FOR-US: Belkin N300 CVE-2013-3088 (Belkin N900 router (F9K1104v1) contains an Authentication Bypass using ...) NOT-FOR-US: Belkin N900 router CVE-2013-3087 (Multiple cross-site scripting (XSS) vulnerabilities in Belkin N900 rou ...) NOT-FOR-US: Belkin N900 router CVE-2013-3086 (Cross-site request forgery (CSRF) vulnerability in util_system.html in ...) NOT-FOR-US: Belkin N900 CVE-2013-3085 (An authentication bypass exists in the web management interface in Bel ...) NOT-FOR-US: Belkin CVE-2013-3084 (Multiple cross-site scripting (XSS) vulnerabilities in Belkin Model F5 ...) NOT-FOR-US: Belkin router CVE-2013-3083 (Cross-site request forgery (CSRF) vulnerability in cgi-bin/system_sett ...) NOT-FOR-US: Belkin CVE-2013-3082 (Cross-site scripting (XSS) vulnerability in plugins/jojo_core/forgot_p ...) NOT-FOR-US: Jojo CMS CVE-2013-3081 (SQL injection vulnerability in the checkEmailFormat function in plugin ...) NOT-FOR-US: Jojo CMS CVE-2013-3080 (VMware vCenter Server Appliance (vCSA) 5.1 before Update 1 allows remo ...) NOT-FOR-US: vCenter CVE-2013-3079 (VMware vCenter Server Appliance (vCSA) 5.1 before Update 1 allows remo ...) NOT-FOR-US: vCenter CVE-2013-3078 RESERVED CVE-2013-3077 (Multiple integer overflows in the IP_MSFILTER and IPV6_MSFILTER featur ...) {DSA-2743-1} - kfreebsd-8 (bug #720470) [wheezy] - kfreebsd-8 8.3-6+deb7u1 [squeeze] - kfreebsd-8 (Unsupported in squeeze-lts) - kfreebsd-9 9.2~svn254368-2 (bug #720468) - kfreebsd-10 10.0~svn254663-1 (bug #720471) CVE-2013-3076 (The crypto API in the Linux kernel through 3.9-rc8 does not initialize ...) {DSA-2669-1} - linux 3.8.11-1 (low) - linux-2.6 (Vulnerable code not present) CVE-2013-3075 (Multiple buffer overflows in ActUWzd.dll 1.0.0.1 in Mitsubishi MX Comp ...) NOT-FOR-US: Mitsubishi MX Component 3 CVE-2013-3074 (NetGear WNDR4700 Media Server devices with firmware 1.0.0.34 allow rem ...) NOT-FOR-US: NetGear WNDR4700 Media Server devices CVE-2013-3073 (A Symlink Traversal vulnerability exists in NETGEAR Centria WNDR4700 F ...) NOT-FOR-US: NETGEAR CVE-2013-3072 (An Authentication Bypass vulnerability exists in NETGEAR Centria WNDR4 ...) NOT-FOR-US: NETGEAR CVE-2013-3071 (NETGEAR Centria WNDR4700 devices with firmware 1.0.0.34 allow authenti ...) NOT-FOR-US: NETGEAR Centria WNDR4700 devices CVE-2013-3070 (An Information Disclosure vulnerability exists in Netgear WNDR4700 run ...) NOT-FOR-US: NETGEAR CVE-2013-3069 (Multiple cross-site scripting (XSS) vulnerabilities in NETGEAR WNDR470 ...) NOT-FOR-US: NETGEAR devices CVE-2013-3068 (Cross-site request forgery (CSRF) vulnerability in apply.cgi in Linksy ...) NOT-FOR-US: Linksys CVE-2013-3067 (Linksys WRT310Nv2 2.0.0.1 is vulnerable to XSS. ...) NOT-FOR-US: Linksys CVE-2013-3066 (Linksys EA6500 with firmware 1.1.28.147876 does not properly restrict ...) NOT-FOR-US: Linksys CVE-2013-3065 (Cross-site scripting (XSS) vulnerability in the Parental Controls sect ...) NOT-FOR-US: Linksys CVE-2013-3064 (Open redirect vulnerability in ui/dynamic/unsecured.html in Linksys EA ...) NOT-FOR-US: Linksys CVE-2013-3063 (SAP BASIS Communication Services 4.6B through 7.30 allows remote authe ...) NOT-FOR-US: SAP BASIS Communication Services CVE-2013-3062 (The CP_RC_TRANSACTION_CALL_BY_SET function in the Engineering Workbenc ...) NOT-FOR-US: SAP CVE-2013-3061 (The ISHMED-PATRED_TRANSACT_RFCCALL function in the IS-H Industry-Speci ...) NOT-FOR-US: SAP CVE-2013-3060 (The web console in Apache ActiveMQ before 5.8.0 does not require authe ...) - activemq (Web console not provided in Debian package, see #702670) CVE-2013-3059 (Cross-site scripting (XSS) vulnerability in the Voting plugin in Jooml ...) NOT-FOR-US: Joomla! CVE-2013-3058 (Cross-site scripting (XSS) vulnerability in Joomla! 2.5.x before 2.5.1 ...) NOT-FOR-US: Joomla! CVE-2013-3057 (Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows remote authe ...) NOT-FOR-US: Joomla! CVE-2013-3056 (Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows remote authe ...) NOT-FOR-US: Joomla! CVE-2013-3055 (Lexmark Markvision Enterprise before 1.8 provides a diagnostic interfa ...) NOT-FOR-US: Lexmark Markvision Enterprise CVE-2013-3054 RESERVED CVE-2013-3053 RESERVED CVE-2013-3052 RESERVED CVE-2013-3051 (The TrustZone kernel, when used in conjunction with a certain Motorola ...) NOT-FOR-US: TrustZone kernel CVE-2013-3050 (SQL injection vulnerability in ZAPms 1.41 and earlier allows remote at ...) NOT-FOR-US: ZAPms CVE-2013-3049 (IBM Maximo Asset Management 7.1 through 7.1.1.12 and 7.5 before 7.5.0. ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2013-3048 (Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Managemen ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2013-3047 (IBM Maximo Asset Management 7.1 before 7.1.1.12 and 7.5 before 7.5.0.5 ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2013-3046 (The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through ...) NOT-FOR-US: IBM Sametime CVE-2013-3045 (The Enterprise Meeting Server in IBM Lotus Sametime 8.5.2 and 8.5.2.1 ...) NOT-FOR-US: IBM CVE-2013-3044 (The Enterprise Meeting Server in IBM Lotus Sametime 8.5.2 and 8.5.2.1 ...) NOT-FOR-US: IBM CVE-2013-3043 (Directory traversal vulnerability in the client in IBM Rational Softwa ...) NOT-FOR-US: IBM CVE-2013-3042 (Directory traversal vulnerability in the server in IBM Rational Softwa ...) NOT-FOR-US: IBM CVE-2013-3041 (The Web Client in IBM Rational ClearQuest 7.1 before 7.1.2.12, 8.0 bef ...) NOT-FOR-US: IBM CVE-2013-3040 (IBM InfoSphere Information Server through 8.5 FP3, 8.7 through FP2, an ...) NOT-FOR-US: IBM InfoSphere Information Server CVE-2013-3039 (IBM Rational Requirements Composer before 4.0.4 does not properly perf ...) NOT-FOR-US: IBM Rational Requirements Composer CVE-2013-3038 (Unspecified vulnerability in IBM Rational Requirements Composer before ...) NOT-FOR-US: IBM Rational Requirements Composer CVE-2013-3037 (Unspecified vulnerability in IBM Rational Requirements Composer before ...) NOT-FOR-US: IBM Rational Requirements Composer CVE-2013-3036 (Open redirect vulnerability in IBM Rational Requirements Composer befo ...) NOT-FOR-US: IBM Rational Requirements Composer CVE-2013-3035 (The IPv6 implementation in the inet subsystem in IBM AIX 6.1 and 7.1, ...) NOT-FOR-US: IBM AIX CVE-2013-3034 (Cross-site scripting (XSS) vulnerability in IBM InfoSphere Information ...) NOT-FOR-US: IBM InfoSphere Information Server CVE-2013-3033 (SQL injection vulnerability in the server component in IBM Tivoli Remo ...) NOT-FOR-US: IBM Tivoli Remote Control CVE-2013-3032 (Cross-site scripting (XSS) vulnerability in the MIME e-mail functional ...) NOT-FOR-US: IBM Domino CVE-2013-3031 (A SQL stored procedure in the Universal Cache component in IBM solidDB ...) NOT-FOR-US: IBM CVE-2013-3030 (The servlet gateway in IBM Cognos Business Intelligence 8.4.1 before I ...) NOT-FOR-US: IBM CVE-2013-3029 (Cross-site request forgery (CSRF) vulnerability in the Administrative ...) NOT-FOR-US: IBM WebSphere CVE-2013-3028 (Multiple buffer overflows in mqm programs in IBM WebSphere MQ 7.0.x be ...) NOT-FOR-US: IBM WebSphere CVE-2013-3027 (Integer overflow in the DWA9W ActiveX control in iNotes in IBM Domino ...) NOT-FOR-US: IBM Domino CVE-2013-3026 (Buffer overflow in the Lotus Quickr for Domino ActiveX control in qp2. ...) NOT-FOR-US: Lotus Quickr for Domino ActiveX CVE-2013-3025 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Rational Fo ...) NOT-FOR-US: IBM CVE-2013-3024 (IBM WebSphere Application Server (WAS) 8.5 through 8.5.0.2 on UNIX all ...) NOT-FOR-US: IBM CVE-2013-3023 (IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.1.2 and ...) NOT-FOR-US: IBM CVE-2013-3022 REJECTED CVE-2013-3021 RESERVED CVE-2013-3020 (IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 ...) NOT-FOR-US: IBM CVE-2013-3019 RESERVED CVE-2013-3018 (The AXIS webapp in deploy-tomcat/axis in IBM Tivoli Application Depend ...) NOT-FOR-US: IBM CVE-2013-3017 (IBM Tivoli Application Dependency Discovery Manager (TADDM) before 7.2 ...) NOT-FOR-US: IBM CVE-2013-3016 (IBM WebSphere Portal 6.1, 7.0, and 8.0 allows remote attackers to acce ...) NOT-FOR-US: IBM WebSphere CVE-2013-3015 RESERVED CVE-2013-3014 RESERVED CVE-2013-3013 RESERVED CVE-2013-3012 (Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM ...) NOT-FOR-US: IBM JDK CVE-2013-3011 (Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM ...) NOT-FOR-US: IBM JDK CVE-2013-3010 (Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM ...) NOT-FOR-US: IBM JDK CVE-2013-3009 (The com.ibm.CORBA.iiop.ClientDelegate class in IBM Java 1.4.2 before 1 ...) NOT-FOR-US: IBM JDK CVE-2013-3008 (Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM ...) NOT-FOR-US: IBM JDK CVE-2013-3007 (Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM ...) NOT-FOR-US: IBM JDK CVE-2013-3006 (Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM ...) NOT-FOR-US: IBM JDK CVE-2013-3005 (The TFTP client in IBM AIX 6.1 and 7.1, and VIOS 2.2.2.2-FP-26 SP-02, ...) NOT-FOR-US: TFTP client in IBM AIX CVE-2013-3004 (Directory traversal vulnerability in BIRT-Report Viewer in IBM Tivoli ...) NOT-FOR-US: IBM Tivoli Application Dependency Discovery Manager CVE-2013-3003 (Unspecified vulnerability in SOAP Gateway in IBM IMS Enterprise Suite ...) NOT-FOR-US: IBM CVE-2013-3002 RESERVED CVE-2013-3001 (Directory traversal vulnerability in IBM InfoSphere Data Replication D ...) NOT-FOR-US: IBM CVE-2013-3000 (SQL injection vulnerability in IBM InfoSphere Data Replication Dashboa ...) NOT-FOR-US: IBM CVE-2013-2999 (Cross-site scripting (XSS) vulnerability in IBM InfoSphere Data Replic ...) NOT-FOR-US: IBM CVE-2013-2998 (frontcontroller.jsp in IBM Maximo Asset Management 7.x before 7.5.0.6 ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2013-2997 (IBM Security AppScan Enterprise before 8.7 does not invalidate the ses ...) NOT-FOR-US: IBM CVE-2013-2996 RESERVED CVE-2013-2995 RESERVED CVE-2013-2994 (IBM WebSphere Commerce 7.0 Feature Pack 4 and Feature Pack 5 incorrect ...) NOT-FOR-US: IBM CVE-2013-2993 (IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x through 7.0.0.7 do ...) NOT-FOR-US: IBM CVE-2013-2992 (The Search component in IBM WebSphere Commerce 7.0 FP4 through FP6, in ...) NOT-FOR-US: IBM CVE-2013-2991 REJECTED CVE-2013-2990 REJECTED CVE-2013-2989 (The file-copying functionality in IBM Sterling Connect:Direct 3.8.00, ...) NOT-FOR-US: IBM CVE-2013-2988 (Absolute path traversal vulnerability in the server in IBM Cognos Busi ...) NOT-FOR-US: IBM Cognos CVE-2013-2987 (IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 ...) NOT-FOR-US: IBM CVE-2013-2986 REJECTED CVE-2013-2985 (IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 ...) NOT-FOR-US: IBM CVE-2013-2984 (Directory traversal vulnerability in IBM Sterling B2B Integrator 5.1 a ...) NOT-FOR-US: IBM CVE-2013-2983 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Sterling Fi ...) NOT-FOR-US: IBM CVE-2013-2982 (IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 ...) NOT-FOR-US: IBM CVE-2013-2981 (Directory traversal vulnerability in the Web Console in IBM Data Studi ...) NOT-FOR-US: IBM Data Studio CVE-2013-2980 (Cross-site request forgery (CSRF) vulnerability in the Web Console in ...) NOT-FOR-US: IBM Data Studio CVE-2013-2979 (Directory traversal vulnerability in IBM Optim Performance Manager 4.1 ...) NOT-FOR-US: IBM CVE-2013-2978 (Absolute path traversal vulnerability in the server in IBM Cognos Busi ...) NOT-FOR-US: IBM Cognos CVE-2013-2977 (Integer overflow in IBM Notes 8.5.x before 8.5.3 FP4 Interim Fix 1 and ...) NOT-FOR-US: IBM Notes CVE-2013-2976 (The Administrative console in IBM WebSphere Application Server (WAS) 6 ...) NOT-FOR-US: IBM CVE-2013-2975 RESERVED CVE-2013-2974 (The BIRT viewer in IBM Tivoli Application Dependency Discovery Manager ...) NOT-FOR-US: IBM Tivoli Application Dependency Discovery Manager CVE-2013-2973 REJECTED CVE-2013-2972 (IBM WebSphere Cast Iron 6.3 allows remote attackers to bypass intended ...) NOT-FOR-US: IBM CVE-2013-2971 REJECTED CVE-2013-2970 (Unspecified vulnerability in IBM QRadar Security Information and Event ...) NOT-FOR-US: IBM CVE-2013-2969 (Cross-site scripting (XSS) vulnerability in IBM Sterling Control Cente ...) NOT-FOR-US: IBM Sterling Control Center CVE-2013-2968 (An unspecified buffer-read method in IBM Sterling Control Center (SCC) ...) NOT-FOR-US: IBM Sterling Control Center CVE-2013-2967 (Cross-site scripting (XSS) vulnerability in the Administrative console ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2013-2966 RESERVED CVE-2013-2965 RESERVED CVE-2013-2964 (Buffer overflow in dsmtca in IBM Tivoli Storage Manager (TSM) through ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2013-2963 RESERVED CVE-2013-2962 (Buffer overflow in the Launcher in IBM WebSphere Transformation Extend ...) NOT-FOR-US: IBM WebSphere Transformation Extender CVE-2013-2961 (The internal web server in the Basic Services component in IBM Tivoli ...) NOT-FOR-US: IBM Tivoli CVE-2013-2960 (Buffer overflow in KDSMAIN in the Basic Services component in IBM Tivo ...) NOT-FOR-US: IBM Tivoli CVE-2013-2959 (The Console in IBM InfoSphere Optim Data Growth for Oracle E-Business ...) NOT-FOR-US: IBM CVE-2013-2958 RESERVED CVE-2013-2957 (Cross-site scripting (XSS) vulnerability in IBM InfoSphere Optim Data ...) NOT-FOR-US: IBM CVE-2013-2956 (SQL injection vulnerability in the Console in IBM InfoSphere Optim Dat ...) NOT-FOR-US: IBM CVE-2013-2955 (Cross-site scripting (XSS) vulnerability in IBM InfoSphere Optim Data ...) NOT-FOR-US: IBM CVE-2013-2954 (The login page in the Console in IBM InfoSphere Optim Data Growth for ...) NOT-FOR-US: IBM CVE-2013-2953 (IBM InfoSphere Optim Data Growth for Oracle E-Business Suite 6.x, 7.x, ...) NOT-FOR-US: IBM CVE-2013-2952 RESERVED CVE-2013-2951 (IBM WebSphere Portal 7.0.0.x and 8.0.0.x write passwords to a trace fi ...) NOT-FOR-US: IBM CVE-2013-2950 (CRLF injection vulnerability in IBM WebSphere Portal 6.1.0.x before 6. ...) NOT-FOR-US: IBM WebSphere CVE-2013-2949 RESERVED CVE-2013-2948 RESERVED CVE-2013-2947 RESERVED CVE-2013-2946 RESERVED CVE-2013-2945 (SQL injection vulnerability in blogs/admin.php in b2evolution before 4 ...) NOT-FOR-US: b2evolution CVE-2013-2944 (strongSwan 4.3.5 through 5.0.3, when using the OpenSSL plugin for ECDS ...) {DSA-2665-1} - strongswan 4.6.4-7 CVE-2013-2943 RESERVED CVE-2013-2942 RESERVED CVE-2013-2941 RESERVED CVE-2013-2940 (Unspecified vulnerability in Citrix CloudPortal Services Manager (aka ...) NOT-FOR-US: Citrix CloudPortal Services Manager CVE-2013-2939 (Unspecified vulnerability in Citrix CloudPortal Services Manager (aka ...) NOT-FOR-US: Citrix CloudPortal Services Manager CVE-2013-2938 (Unspecified vulnerability in Citrix CloudPortal Services Manager (aka ...) NOT-FOR-US: Citrix CloudPortal Services Manager CVE-2013-2937 (Unspecified vulnerability in Citrix CloudPortal Services Manager (aka ...) NOT-FOR-US: Citrix CloudPortal Services Manager CVE-2013-2936 (Unspecified vulnerability in Citrix CloudPortal Services Manager (aka ...) NOT-FOR-US: Citrix CloudPortal Services Manager CVE-2013-2935 (Unspecified vulnerability in Citrix CloudPortal Services Manager (aka ...) NOT-FOR-US: Citrix CloudPortal Services Manager CVE-2013-2934 (Citrix CloudPortal Services Manager (aka Cortex) 10.0 before Cumulativ ...) NOT-FOR-US: Citrix CloudPortal Services Manager CVE-2013-2933 (Unspecified vulnerability in Citrix CloudPortal Services Manager (aka ...) NOT-FOR-US: Citrix CloudPortal Services Manager CVE-2013-2932 RESERVED CVE-2013-2931 (Multiple unspecified vulnerabilities in Google Chrome before 31.0.1650 ...) {DSA-2799-1} - chromium-browser 31.0.1650.57-1 [squeeze] - chromium-browser CVE-2013-2930 (The perf_trace_event_perm function in kernel/trace/trace_event_perf.c ...) - linux-2.6 (Introduced in v3.4) [wheezy] - linux (Introduced in v3.4) - linux 3.11.8-1 NOTE: Introduced by ced39002f5ea CVE-2013-2929 (The Linux kernel before 3.12.2 does not properly use the get_dumpable ...) {DSA-2906-1} - linux-2.6 - linux 3.11.10-1 [wheezy] - linux 3.2.53-2 CVE-2013-2928 (Multiple unspecified vulnerabilities in Google Chrome before 30.0.1599 ...) {DSA-2785-1} - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser CVE-2013-2927 (Use-after-free vulnerability in the HTMLFormElement::prepareForSubmiss ...) {DSA-2785-1} - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser CVE-2013-2926 (Use-after-free vulnerability in the IndentOutdentCommand::tryIndenting ...) {DSA-2785-1} - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser CVE-2013-2925 (Use-after-free vulnerability in core/xml/XMLHttpRequest.cpp in Blink, ...) {DSA-2785-1} - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser CVE-2013-2924 (Use-after-free vulnerability in International Components for Unicode ( ...) {DSA-2786-1 DSA-2785-1} - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser - icu 4.8.1.1-13+nmu1 (bug #726477) CVE-2013-2923 (Multiple unspecified vulnerabilities in Google Chrome before 30.0.1599 ...) {DSA-2785-1} - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser CVE-2013-2922 (Use-after-free vulnerability in core/html/HTMLTemplateElement.cpp in B ...) {DSA-2785-1} - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser CVE-2013-2921 (Double free vulnerability in the ResourceFetcher::didLoadResource func ...) {DSA-2785-1} - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser CVE-2013-2920 (The DoResolveRelativeHost function in url/url_canon_relative.cc in Goo ...) {DSA-2785-1} - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser CVE-2013-2919 (Google V8, as used in Google Chrome before 30.0.1599.66, allows remote ...) {DSA-2785-1} - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser - libv8 [wheezy] - libv8 (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 (Unsupported in squeeze-lts) - libv8-3.14 (unimportant; bug #773671) NOTE: libv8 not covered by security support CVE-2013-2918 (Use-after-free vulnerability in the RenderBlock::collapseAnonymousBloc ...) {DSA-2785-1} - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser CVE-2013-2917 (The ReverbConvolverStage::ReverbConvolverStage function in core/platfo ...) {DSA-2785-1} - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser CVE-2013-2916 (Blink, as used in Google Chrome before 30.0.1599.66, allows remote att ...) {DSA-2785-1} - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser CVE-2013-2915 (Google Chrome before 30.0.1599.66 preserves pending NavigationEntry ob ...) {DSA-2785-1} - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser CVE-2013-2914 (Use-after-free vulnerability in the color-chooser dialog in Google Chr ...) - chromium-browser (windows-specific issue) CVE-2013-2913 (Use-after-free vulnerability in the XMLDocumentParser::append function ...) {DSA-2785-1} - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser CVE-2013-2912 (Use-after-free vulnerability in the PepperInProcessRouter::SendToHost ...) {DSA-2785-1} - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser CVE-2013-2911 (Use-after-free vulnerability in the XSLStyleSheet::compileStyleSheet f ...) {DSA-2785-1} - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser CVE-2013-2910 (Use-after-free vulnerability in modules/webaudio/AudioScheduledSourceN ...) {DSA-2785-1} - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser CVE-2013-2909 (Use-after-free vulnerability in Blink, as used in Google Chrome before ...) {DSA-2785-1} - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser CVE-2013-2908 (Google Chrome before 30.0.1599.66 uses incorrect function calls to det ...) {DSA-2785-1} - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser CVE-2013-2907 (The Window.prototype object implementation in Google Chrome before 30. ...) {DSA-2785-1} - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser CVE-2013-2906 (Multiple race conditions in the Web Audio implementation in Blink, as ...) {DSA-2785-1} - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser CVE-2013-2905 (The SharedMemory::Create function in memory/shared_memory_posix.cc in ...) {DSA-2741-1} - chromium-browser 29.0.1547.57-1 [squeeze] - chromium-browser CVE-2013-2904 (Use-after-free vulnerability in the Document::finishedParsing function ...) {DSA-2741-1} - chromium-browser 29.0.1547.57-1 [squeeze] - chromium-browser CVE-2013-2903 (Use-after-free vulnerability in the HTMLMediaElement::didMoveToNewDocu ...) {DSA-2741-1} - chromium-browser 29.0.1547.57-1 [squeeze] - chromium-browser CVE-2013-2902 (Use-after-free vulnerability in the XSLT ProcessingInstruction impleme ...) {DSA-2741-1} - chromium-browser 29.0.1547.57-1 [squeeze] - chromium-browser - libxslt (according to https://chromiumcodereview.appspot.com/20856002 this is an issue on chromium's side of xslt handling) CVE-2013-2901 (Multiple integer overflows in (1) libGLESv2/renderer/Renderer9.cpp and ...) {DSA-2741-1} - chromium-browser 29.0.1547.57-1 [squeeze] - chromium-browser CVE-2013-2900 (The FilePath::ReferencesParent function in files/file_path.cc in Googl ...) {DSA-2741-1} - chromium-browser 29.0.1547.57-1 [squeeze] - chromium-browser CVE-2013-2899 (drivers/hid/hid-picolcd_core.c in the Human Interface Device (HID) sub ...) - linux 3.10.11-1 (low) [wheezy] - linux 3.2.51-1 - linux-2.6 (driver introduced in 2.6.35) CVE-2013-2898 (drivers/hid/hid-sensor-hub.c in the Human Interface Device (HID) subsy ...) - linux 3.10.11-1 (low) [wheezy] - linux (driver introduced in 3.7) - linux-2.6 (driver introduced in 3.7) CVE-2013-2897 (Multiple array index errors in drivers/hid/hid-multitouch.c in the Hum ...) - linux 3.11.5-1 (low) - linux-2.6 (driver introduced in 2.6.38) [wheezy] - linux 3.2.53-1 CVE-2013-2896 (drivers/hid/hid-ntrig.c in the Human Interface Device (HID) subsystem ...) - linux 3.10.11-1 (low) [wheezy] - linux 3.2.51-1 - linux-2.6 (Vulnerable feature probing code not present) CVE-2013-2895 (drivers/hid/hid-logitech-dj.c in the Human Interface Device (HID) subs ...) - linux 3.11.5-1 (low) - linux-2.6 (driver introduced in 3.2) [wheezy] - linux 3.2.53-1 CVE-2013-2894 (drivers/hid/hid-lenovo-tpkbd.c in the Human Interface Device (HID) sub ...) - linux 3.11.5-1 (low) [wheezy] - linux (driver introduced in 3.6) - linux-2.6 (driver introduced in 3.6) CVE-2013-2893 (The Human Interface Device (HID) subsystem in the Linux kernel through ...) {DSA-2906-1} - linux 3.11.5-1 (low) - linux-2.6 (low) [wheezy] - linux 3.2.53-1 CVE-2013-2892 (drivers/hid/hid-pl.c in the Human Interface Device (HID) subsystem in ...) {DSA-2766-1} - linux 3.10.11-1 (low) [wheezy] - linux 3.2.51-1 - linux-2.6 (low) CVE-2013-2891 (drivers/hid/hid-steelseries.c in the Human Interface Device (HID) subs ...) - linux 3.11.5-1 (low) [wheezy] - linux (steelseries driver introduced in 3.9) - linux-2.6 (steelseries driver introduced in 3.9) CVE-2013-2890 (drivers/hid/hid-sony.c in the Human Interface Device (HID) subsystem i ...) - linux (buzz driver introduced in 3.11 cycle, only in experimental) - linux-2.6 (buzz driver introduced in 3.11 cycle) CVE-2013-2889 (drivers/hid/hid-zpff.c in the Human Interface Device (HID) subsystem i ...) {DSA-2906-1} - linux 3.11.5-1 (low) - linux-2.6 (low) [wheezy] - linux 3.2.53-1 CVE-2013-2888 (Multiple array index errors in drivers/hid/hid-core.c in the Human Int ...) {DSA-2766-1} - linux 3.10.11-1 - linux-2.6 [wheezy] - linux 3.2.51-1 CVE-2013-2887 (Multiple unspecified vulnerabilities in Google Chrome before 29.0.1547 ...) {DSA-2741-1} - chromium-browser 29.0.1547.57-1 [squeeze] - chromium-browser CVE-2013-2886 (Multiple unspecified vulnerabilities in Google Chrome before 28.0.1500 ...) {DSA-2732-1} - chromium-browser 28.0.1500.95-1 [squeeze] - chromium-browser CVE-2013-2885 (Use-after-free vulnerability in Google Chrome before 28.0.1500.95 allo ...) {DSA-2732-1} - chromium-browser 28.0.1500.95-1 [squeeze] - chromium-browser CVE-2013-2884 (Use-after-free vulnerability in the DOM implementation in Google Chrom ...) {DSA-2732-1} - chromium-browser 28.0.1500.95-1 [squeeze] - chromium-browser CVE-2013-2883 (Use-after-free vulnerability in Google Chrome before 28.0.1500.95 allo ...) {DSA-2732-1} - chromium-browser 28.0.1500.95-1 [squeeze] - chromium-browser CVE-2013-2882 (Google V8, as used in Google Chrome before 28.0.1500.95, allows remote ...) {DSA-2732-1} - chromium-browser 28.0.1500.95-1 [squeeze] - chromium-browser - libv8 [wheezy] - libv8 (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 (Unsupported in squeeze-lts) - libv8-3.14 (unimportant; bug #773671) NOTE: libv8 not covered by security support CVE-2013-2881 (Google Chrome before 28.0.1500.95 does not properly handle frames, whi ...) {DSA-2732-1} - chromium-browser 28.0.1500.95-1 [squeeze] - chromium-browser CVE-2013-2880 (Multiple unspecified vulnerabilities in Google Chrome before 28.0.1500 ...) {DSA-2724-1} - chromium-browser 28.0.1500.71-1 [squeeze] - chromium-browser CVE-2013-2879 (Google Chrome before 28.0.1500.71 does not properly determine the circ ...) {DSA-2724-1} - chromium-browser 28.0.1500.71-1 [squeeze] - chromium-browser CVE-2013-2878 (Google Chrome before 28.0.1500.71 allows remote attackers to cause a d ...) {DSA-2724-1} - chromium-browser 28.0.1500.71-1 [squeeze] - chromium-browser CVE-2013-2877 (parser.c in libxml2 before 2.9.0, as used in Google Chrome before 28.0 ...) {DSA-2779-1 DSA-2724-1} - libxml2 2.9.1+dfsg1-1 (bug #715531) - chromium-browser 28.0.1500.71-1 [squeeze] - chromium-browser CVE-2013-2876 (browser/extensions/api/tabs/tabs_api.cc in Google Chrome before 28.0.1 ...) {DSA-2724-1} - chromium-browser 28.0.1500.71-1 [squeeze] - chromium-browser CVE-2013-2875 (core/rendering/svg/SVGInlineTextBox.cpp in the SVG implementation in B ...) {DSA-2724-1} - chromium-browser 28.0.1500.71-1 [squeeze] - chromium-browser CVE-2013-2874 (Google Chrome before 28.0.1500.71 on Windows, when an Nvidia GPU is us ...) - chromium-browser (Windows-specific) [squeeze] - chromium-browser CVE-2013-2873 (Use-after-free vulnerability in Google Chrome before 28.0.1500.71 allo ...) {DSA-2724-1} - chromium-browser 28.0.1500.71-1 [squeeze] - chromium-browser CVE-2013-2872 (Google Chrome before 28.0.1500.71 on Mac OS X does not ensure a suffic ...) - chromium-browser (MacOS specific) CVE-2013-2871 (Use-after-free vulnerability in Google Chrome before 28.0.1500.71 allo ...) {DSA-2724-1} - chromium-browser 28.0.1500.71-1 [squeeze] - chromium-browser CVE-2013-2870 (Use-after-free vulnerability in Google Chrome before 28.0.1500.71 allo ...) {DSA-2724-1} - chromium-browser 28.0.1500.71-1 [squeeze] - chromium-browser CVE-2013-2869 (Google Chrome before 28.0.1500.71 allows remote attackers to cause a d ...) {DSA-2724-1} - chromium-browser 28.0.1500.71-1 [squeeze] - chromium-browser CVE-2013-2868 (common/extensions/sync_helper.cc in Google Chrome before 28.0.1500.71 ...) {DSA-2724-1} - chromium-browser 28.0.1500.71-1 [squeeze] - chromium-browser CVE-2013-2867 (Google Chrome before 28.0.1500.71 does not properly prevent pop-under ...) {DSA-2724-1} - chromium-browser 28.0.1500.71-1 [squeeze] - chromium-browser CVE-2013-2866 (The Flash plug-in in Google Chrome before 27.0.1453.116, as used on Go ...) - chromium-browser (Flash plugin not included in Chromium) CVE-2013-2865 (Multiple unspecified vulnerabilities in Google Chrome before 27.0.1453 ...) {DSA-2706-1} - chromium-browser 27.0.1453.110-1 [squeeze] - chromium-browser CVE-2013-2864 (The PDF functionality in Google Chrome before 27.0.1453.110 allows rem ...) - chromium-browser (PDF viewer not included in Chromium) CVE-2013-2863 (Google Chrome before 27.0.1453.110 does not properly handle SSL socket ...) {DSA-2706-1} - chromium-browser 27.0.1453.110-1 [squeeze] - chromium-browser CVE-2013-2862 (Skia, as used in Google Chrome before 27.0.1453.110, does not properly ...) {DSA-2706-1} - chromium-browser 27.0.1453.110-1 [squeeze] - chromium-browser CVE-2013-2861 (Use-after-free vulnerability in the SVG implementation in Google Chrom ...) {DSA-2706-1} - chromium-browser 27.0.1453.110-1 [squeeze] - chromium-browser CVE-2013-2860 (Use-after-free vulnerability in Google Chrome before 27.0.1453.110 all ...) {DSA-2706-1} - chromium-browser 27.0.1453.110-1 [squeeze] - chromium-browser CVE-2013-2859 (Google Chrome before 27.0.1453.110 allows remote attackers to bypass t ...) {DSA-2706-1} - chromium-browser 27.0.1453.110-1 [squeeze] - chromium-browser CVE-2013-2858 (Use-after-free vulnerability in the HTML5 Audio implementation in Goog ...) {DSA-2706-1} - chromium-browser 27.0.1453.110-1 [squeeze] - chromium-browser CVE-2013-2857 (Use-after-free vulnerability in Google Chrome before 27.0.1453.110 all ...) {DSA-2706-1} - chromium-browser 27.0.1453.110-1 [squeeze] - chromium-browser CVE-2013-2856 (Use-after-free vulnerability in Google Chrome before 27.0.1453.110 all ...) {DSA-2706-1} - chromium-browser 27.0.1453.110-1 [squeeze] - chromium-browser CVE-2013-2855 (The Developer Tools API in Google Chrome before 27.0.1453.110 allows r ...) {DSA-2706-1} - chromium-browser 27.0.1453.110-1 [squeeze] - chromium-browser CVE-2013-2854 (Google Chrome before 27.0.1453.110 on Windows provides an incorrect ha ...) - chromium-browser (Windows-specific) CVE-2013-2853 (The HTTPS implementation in Google Chrome before 28.0.1500.71 does not ...) {DSA-2724-1} - chromium-browser 28.0.1500.71-1 [squeeze] - chromium-browser CVE-2013-2852 (Format string vulnerability in the b43_request_firmware function in dr ...) {DSA-2766-1 DSA-2745-1} - linux 3.9.8-1 (low) - linux-2.6 (low) CVE-2013-2851 (Format string vulnerability in the register_disk function in block/gen ...) {DSA-2766-1 DSA-2745-1} - linux 3.9.8-1 (low) - linux-2.6 (low) CVE-2013-2850 (Heap-based buffer overflow in the iscsi_add_notunderstood_response fun ...) - linux 3.9.4-1 - linux-2.6 (Introduced in 3.1) [wheezy] - linux 3.2.46-1 CVE-2013-2849 (Multiple cross-site scripting (XSS) vulnerabilities in Google Chrome b ...) {DSA-2695-1} - chromium-browser 27.0.1453.93-1 [squeeze] - chromium-browser CVE-2013-2848 (The XSS Auditor in Google Chrome before 27.0.1453.93 might allow remot ...) {DSA-2695-1} - chromium-browser 27.0.1453.93-1 [squeeze] - chromium-browser CVE-2013-2847 (Race condition in the workers implementation in Google Chrome before 2 ...) {DSA-2695-1} - chromium-browser 27.0.1453.93-1 [squeeze] - chromium-browser CVE-2013-2846 (Use-after-free vulnerability in the media loader in Google Chrome befo ...) {DSA-2695-1} - chromium-browser 27.0.1453.93-1 [squeeze] - chromium-browser CVE-2013-2845 (The Web Audio implementation in Google Chrome before 27.0.1453.93 allo ...) {DSA-2695-1} - chromium-browser 27.0.1453.93-1 [squeeze] - chromium-browser CVE-2013-2844 (Use-after-free vulnerability in the Cascading Style Sheets (CSS) imple ...) {DSA-2695-1} - chromium-browser 27.0.1453.93-1 [squeeze] - chromium-browser CVE-2013-2843 (Use-after-free vulnerability in Google Chrome before 27.0.1453.93 allo ...) {DSA-2695-1} - chromium-browser 27.0.1453.93-1 [squeeze] - chromium-browser CVE-2013-2842 (Use-after-free vulnerability in Google Chrome before 27.0.1453.93 allo ...) {DSA-2695-1} - chromium-browser 27.0.1453.93-1 [squeeze] - chromium-browser CVE-2013-2841 (Use-after-free vulnerability in Google Chrome before 27.0.1453.93 allo ...) {DSA-2695-1} - chromium-browser 27.0.1453.93-1 [squeeze] - chromium-browser CVE-2013-2840 (Use-after-free vulnerability in the media loader in Google Chrome befo ...) {DSA-2695-1} - chromium-browser 27.0.1453.93-1 [squeeze] - chromium-browser CVE-2013-2839 (Google Chrome before 27.0.1453.93 does not properly perform a cast of ...) {DSA-2695-1} - chromium-browser 27.0.1453.93-1 [squeeze] - chromium-browser CVE-2013-2838 (Google V8, as used in Google Chrome before 27.0.1453.93, allows remote ...) {DSA-2695-1} - chromium-browser 27.0.1453.93-1 [squeeze] - chromium-browser - libv8 [wheezy] - libv8 (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 (Unsupported in squeeze-lts) - libv8-3.14 (unimportant; bug #773671) NOTE: libv8 not covered by security support CVE-2013-2837 (Use-after-free vulnerability in the SVG implementation in Google Chrom ...) {DSA-2695-1} - chromium-browser 27.0.1453.93-1 [squeeze] - chromium-browser CVE-2013-2836 (Multiple unspecified vulnerabilities in Google Chrome before 27.0.1453 ...) - chromium-browser 27.0.1453.93-1 [squeeze] - chromium-browser CVE-2013-2835 (Google Chrome OS before 26.0.1410.57 does not properly enforce origin ...) NOT-FOR-US: Google Chrome OS CVE-2013-2834 (Google Chrome OS before 26.0.1410.57 does not properly enforce origin ...) NOT-FOR-US: Google Chrome OS CVE-2013-2833 (Use-after-free vulnerability in the O3D plug-in in Google Chrome OS be ...) NOT-FOR-US: Google Chrome OS CVE-2013-2832 (The Buffer::Set function in core/cross/buffer.cc in the O3D plug-in in ...) NOT-FOR-US: Google Chrome OS CVE-2013-2831 RESERVED CVE-2013-2830 (Use-after-free vulnerability in SumatraPDF Reader 2.x before 2.2.1 all ...) NOT-FOR-US: SumatraPDF Reader CVE-2013-2829 (MatrikonOPC SCADA DNP3 OPC Server 1.2.2.0 and earlier allows remote at ...) NOT-FOR-US: MatrikonOPC SCADA DNP3 OPC Server CVE-2013-2828 (The DNP Master Driver in the OSIsoft PI Interface before 3.1.2.54 for ...) NOT-FOR-US: OSIsoft PI Interface CVE-2013-2827 (An unspecified ActiveX control in WellinTech KingSCADA before 3.1.2, K ...) NOT-FOR-US: WellinTech KingSCADA CVE-2013-2826 (WellinTech KingSCADA before 3.1.2, KingAlarm&Event before 3.1, and ...) NOT-FOR-US: WellinTech KingSCADA CVE-2013-2825 (The DNP3 service in the Outstation component on Elecsys Director Gatew ...) NOT-FOR-US: Elecsys Director Gateway CVE-2013-2824 (Schneider Electric StruxureWare SCADA Expert Vijeo Citect 7.40, Vijeo ...) NOT-FOR-US: Schneider Electric StruxureWare SCADA Expert Vijeo Citect CVE-2013-2823 (The (1) Catapult DNP3 I/O driver before 7.2.0.60 and the (2) GE Intell ...) NOT-FOR-US: Catapult DNP3 I/O driver CVE-2013-2822 (NovaTech Orion Substation Automation Platform OrionLX DNP Master 1.27. ...) NOT-FOR-US: NovaTech CVE-2013-2821 (NovaTech Orion Substation Automation Platform OrionLX DNP Master 1.27. ...) NOT-FOR-US: NovaTech CVE-2013-2820 (The Sierra Wireless AirLink Raven X EV-DO gateway 4221_4.0.11.003 and ...) NOT-FOR-US: Sierra Wireless AirLink Raven X EV-DO gateways CVE-2013-2819 (The Sierra Wireless AirLink Raven X EV-DO gateway 4221_4.0.11.003 and ...) NOT-FOR-US: Sierra Wireless AirLink Raven X EV-DO gateways CVE-2013-2818 (The DNP Master Driver in Alstom e-terracontrol 3.5, 3.6, and 3.7 allow ...) NOT-FOR-US: e-terracontrol CVE-2013-2817 (An ActiveX control in IcoLaunch.dll in Mitsubishi Electric Automation ...) NOT-FOR-US: Mitsubishi Electric Automation MC-WorX Suite CVE-2013-2816 (The DNP3 component in Cooper Power Systems SMP 4, 4/DP, and 16 gateway ...) NOT-FOR-US: Cooper Power Systems CVE-2013-2815 REJECTED CVE-2013-2814 (Cooper Power Systems Cybectec DNP3 Master OPC Server allows remote att ...) NOT-FOR-US: Cooper Power Systems CVE-2013-2813 (The DNP3 component in Cooper Power Systems SMP 4, 4/DP, and 16 gateway ...) NOT-FOR-US: Cooper Power Systems CVE-2013-2812 RESERVED CVE-2013-2811 (The (1) Catapult DNP3 I/O driver before 7.2.0.60 and the (2) GE Intell ...) NOT-FOR-US: Catapult DNP3 I/O driver CVE-2013-2810 (Emerson Process Management ROC800 RTU with software 3.50 and earlier, ...) NOT-FOR-US: Emerson CVE-2013-2809 (The DNP Master Driver in the OSIsoft PI Interface before 3.1.2.54 for ...) NOT-FOR-US: OSIsoft PI Interface CVE-2013-2808 (Heap-based buffer overflow in Xper in Philips Xper Information Managem ...) NOT-FOR-US: Xper CVE-2013-2807 (Rockwell Automation RSLinx Enterprise Software (LogReceiver.exe) CPR9, ...) NOT-FOR-US: Rockwell Automation CVE-2013-2806 (Rockwell Automation RSLinx Enterprise Software (LogReceiver.exe) CPR9, ...) NOT-FOR-US: Rockwell Automation CVE-2013-2805 (Rockwell Automation RSLinx Enterprise Software (LogReceiver.exe) CPR9, ...) NOT-FOR-US: Rockwell Automation CVE-2013-2804 (The DNP Master Driver in Software Toolbox TOP Server before 5.12.140.0 ...) NOT-FOR-US: TOP Server OPC Server CVE-2013-2803 (ProSoft RadioLinx ControlScape before 6.00.040 uses a deficient PRNG a ...) NOT-FOR-US: ProSoft RadioLinx ControlScape CVE-2013-2802 (The universal protocol implementation in Sixnet UDR before 2.0 and RTU ...) NOT-FOR-US: Sixnet CVE-2013-2801 (The OSIsoft PI Interface for IEEE C37.118 before 1.0.6.158 allows remo ...) NOT-FOR-US: OSIsoft PI Interface CVE-2013-2800 (The OSIsoft PI Interface for IEEE C37.118 before 1.0.6.158 allows remo ...) NOT-FOR-US: OSIsoft PI Interface CVE-2013-2799 REJECTED CVE-2013-2798 (Schweitzer Engineering Laboratories (SEL) SEL-2241, SEL-3505, and SEL- ...) NOT-FOR-US: Schweitzer Engineering Laboratories CVE-2013-2797 RESERVED CVE-2013-2796 (Schneider Electric Vijeo Citect 7.20 and earlier, CitectSCADA 7.20 and ...) NOT-FOR-US: Schneider Electric Vijeo Citect CVE-2013-2795 REJECTED CVE-2013-2794 (Triangle MicroWorks SCADA Data Gateway 2.50.0309 through 3.00.0616, DN ...) NOT-FOR-US: Triangle MicroWorks SCADA CVE-2013-2793 (Triangle MicroWorks SCADA Data Gateway 2.50.0309 through 3.00.0616, DN ...) NOT-FOR-US: Triangle MicroWorks SCADA CVE-2013-2792 (Schweitzer Engineering Laboratories (SEL) SEL-2241, SEL-3505, and SEL- ...) NOT-FOR-US: Schweitzer Engineering Laboratories CVE-2013-2791 (MatrikonOPC SCADA DNP3 OPC Server 1.2.0 allows remote attackers to cau ...) NOT-FOR-US: MatrikonOPC CVE-2013-2790 (The master-station DNP3 driver before driver19.exe, and Beta2041.exe, ...) NOT-FOR-US: IOServer CVE-2013-2789 (The Kepware DNP Master Driver for the KEPServerEX Communications Platf ...) NOT-FOR-US: Kepware CVE-2013-2788 (The DNP3 Slave service in SUBNET Solutions SubSTATION Server 2.7.0033 ...) NOT-FOR-US: SUBNET Solutions SubSTATION Server CVE-2013-2787 (Alstom e-terracontrol 3.5, 3.6, and 3.7 allows remote attackers to cau ...) NOT-FOR-US: Alstom e-terracontrol CVE-2013-2786 (Alstom Grid MiCOM S1 Agile before 1.0.3 and Alstom Grid MiCOM S1 Studi ...) NOT-FOR-US: Alstom Grid MiCOM S1 CVE-2013-2785 (Multiple buffer overflows in CimWebServer.exe in the WebView component ...) NOT-FOR-US: GE Intelligent Platforms CVE-2013-2784 (Triangle Research International (aka Tri) Nano-10 PLC devices with fir ...) NOT-FOR-US: Triangle Research International CVE-2013-2783 (The DNP3 driver in IOServer drivers 1.0.19.0 allows remote attackers t ...) NOT-FOR-US: IOServer DNP3 drivers CVE-2013-2782 (Schneider Electric Trio J-Series License Free Ethernet Radio with firm ...) NOT-FOR-US: Schneider Electric CVE-2013-2781 (Use-after-free vulnerability in the server application in 3S CODESYS G ...) NOT-FOR-US: 3S CODESYS Gateway CVE-2013-2780 (Siemens SIMATIC S7-1200 PLCs 2.x and 3.x allow remote attackers to cau ...) NOT-FOR-US: Siemens SIMATIC CVE-2013-2779 (Cisco IOS XE 3.4 before 3.4.5S, and 3.5 through 3.7 before 3.7.1S, on ...) NOT-FOR-US: Cisco IOS XE CVE-2013-2778 (Cross-site request forgery (CSRF) vulnerability in addressbook/registe ...) NOT-FOR-US: PHP Address Book CVE-2013-2777 (sudo before 1.7.10p5 and 1.8.x before 1.8.6p6, when the tty_tickets op ...) {DSA-2642-1} - sudo 1.8.5p2-1+nmu1 (bug #701839) CVE-2013-2776 (sudo 1.3.5 through 1.7.10p5 and 1.8.0 through 1.8.6p6, when running on ...) {DSA-2642-1} - sudo 1.8.5p2-1+nmu1 (bug #701839) CVE-2013-2775 RESERVED CVE-2013-2774 RESERVED CVE-2013-2773 (Nitro PDF 8.5.0.26: A specially crafted DLL file can facilitate Arbitr ...) NOT-FOR-US: Nitro PDF CVE-2013-2772 RESERVED CVE-2013-2771 RESERVED CVE-2013-2770 (The installation functionality in the Novell Kanaka component before 2 ...) NOT-FOR-US: Novell Open Enterprise Server (OES) on Mac OS X CVE-2013-2769 RESERVED CVE-2013-2768 RESERVED CVE-2013-2767 (Unspecified vulnerability in Citrix NetScaler Access Gateway Enterpris ...) NOT-FOR-US: Citrix NetScaler Access Gateway CVE-2013-2766 (Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk 4.3.0 ...) NOT-FOR-US: Splunk CVE-2013-2765 (The ModSecurity module before 2.7.4 for the Apache HTTP Server allows ...) - modsecurity-apache 2.6.6-9 (bug #710217) - libapache-mod-security (bug #710217) [wheezy] - modsecurity-apache 2.6.6-6+deb7u1 [squeeze] - libapache-mod-security 2.5.12-1+squeeze2 NOTE: https://raw.github.com/SpiderLabs/ModSecurity/master/CHANGES NOTE: https://github.com/SpiderLabs/ModSecurity/commit/0840b13612a0b7ef1ce7441cf811dcfc6b463fba CVE-2013-2764 (Secure Entry Server before 4.7.0 contains a URI Redirection vulnerabil ...) NOT-FOR-US: Secure Entry Server CVE-2013-2763 (** DISPUTED ** The Schneider Electric M340 PLC modules allow remote at ...) NOT-FOR-US: Schneider Electric M340 modules CVE-2013-2762 (The Schneider Electric Magelis XBT HMI controller has a default passwo ...) NOT-FOR-US: Schneider Electric CVE-2013-2761 (The Schneider Electric M340 BMXNOE01xx and BMXP3420xx PLC modules allo ...) NOT-FOR-US: Schneider Electric CVE-2013-2760 (Buffer overflow in Groovy Media Player 3.2.0 allows remote attackers t ...) NOT-FOR-US: Groovy Media Player CVE-2013-2759 RESERVED CVE-2013-2758 (Apache CloudStack 4.0.0 before 4.0.2 and Citrix CloudPlatform (formerl ...) NOT-FOR-US: CloudStack CVE-2013-2757 (Citrix CloudPlatform (formerly Citrix CloudStack) 3.0.x before 3.0.6 P ...) NOT-FOR-US: Citrix CVE-2013-2756 (Apache CloudStack 4.0.0 before 4.0.2 and Citrix CloudPlatform (formerl ...) NOT-FOR-US: CloudStack CVE-2013-2755 RESERVED CVE-2013-2754 (Cross-site request forgery (CSRF) vulnerability in Umisoft UMI.CMS bef ...) NOT-FOR-US: Umisoft UMI.CMS CVE-2013-2753 RESERVED CVE-2013-2752 (Cross-site request forgery (CSRF) vulnerability in frontview/lib/np_ha ...) NOT-FOR-US: NETGEAR ReadyNAS RAIDiator CVE-2013-2751 (Eval injection vulnerability in frontview/lib/np_handler.pl in the Fro ...) NOT-FOR-US: NETGEAR ReadyNAS RAIDiator CVE-2013-2750 (Cross-site scripting (XSS) vulnerability in e107_plugins/content/handl ...) NOT-FOR-US: e107 CVE-2013-2749 REJECTED CVE-2013-2748 (Belkin Wemo Switch before WeMo_US_2.00.2176.PVT could allow remote att ...) NOT-FOR-US: Belkin CVE-2013-2747 (The password reset feature in Courion Access Risk Management Suite Ver ...) NOT-FOR-US: Courion Access Risk Management Suite CVE-2013-2746 RESERVED CVE-2013-2745 (An SQL Injection vulnerability exists in MiniDLNA prior to 1.1.0 ...) - minidlna 1.1.2+dfsg-1 (low; bug #717131) [wheezy] - minidlna (Minor issue, DLNA only used in a trusted context) NOTE: http://www.securityfocus.com/archive/1/527299/30/0 CVE-2013-2744 (importbuddy.php in the BackupBuddy plugin 2.2.25 for WordPress allows ...) NOT-FOR-US: BackupBuddy plugin for WordPress CVE-2013-2743 (importbuddy.php in the BackupBuddy plugin 1.3.4, 2.1.4, 2.2.25, 2.2.28 ...) NOT-FOR-US: BackupBuddy plugin for WordPress CVE-2013-2742 (importbuddy.php in the BackupBuddy plugin 1.3.4, 2.1.4, 2.2.25, 2.2.28 ...) NOT-FOR-US: BackupBuddy plugin for WordPress CVE-2013-2741 (importbuddy.php in the BackupBuddy plugin 1.3.4, 2.1.4, 2.2.25, 2.2.28 ...) NOT-FOR-US: BackupBuddy plugin for WordPress CVE-2013-2740 RESERVED CVE-2013-2739 (MiniDLNA has heap-based buffer overflow ...) - minidlna 1.1.2+dfsg-1 (low; bug #717131) [wheezy] - minidlna (Minor issue, DLNA only used in a trusted context) NOTE: http://www.securityfocus.com/archive/1/527299/30/0 CVE-2013-2738 (minidlna has SQL Injection that may allow retrieval of arbitrary files ...) - minidlna 1.1.2+dfsg-1 (low; bug #717131) NOTE: http://www.securityfocus.com/archive/1/527299/30/0 [wheezy] - minidlna (Minor issue, DLNA only used in a trusted context) CVE-2013-2737 (A JavaScript API in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x be ...) NOT-FOR-US: Adobe Reader CVE-2013-2736 (Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11. ...) NOT-FOR-US: Adobe Reader CVE-2013-2735 (Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11. ...) NOT-FOR-US: Adobe Reader CVE-2013-2734 (Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11. ...) NOT-FOR-US: Adobe Reader CVE-2013-2733 (Buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x bef ...) NOT-FOR-US: Adobe Reader CVE-2013-2732 (Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11. ...) NOT-FOR-US: Adobe Reader CVE-2013-2731 (Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11. ...) NOT-FOR-US: Adobe Reader CVE-2013-2730 (Buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x bef ...) NOT-FOR-US: Adobe Reader CVE-2013-2729 (Integer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x be ...) NOT-FOR-US: Adobe Reader CVE-2013-2728 (Adobe Flash Player before 10.3.183.86 and 11.x before 11.7.700.202 on ...) NOT-FOR-US: Adobe Flash Player CVE-2013-2727 (Integer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x be ...) NOT-FOR-US: Adobe Reader CVE-2013-2726 (Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11. ...) NOT-FOR-US: Adobe Reader CVE-2013-2725 (Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11. ...) NOT-FOR-US: Adobe Reader CVE-2013-2724 (Stack-based buffer overflow in Adobe Reader and Acrobat 9.x before 9.5 ...) NOT-FOR-US: Adobe Reader CVE-2013-2723 (Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11. ...) NOT-FOR-US: Adobe Reader CVE-2013-2722 (Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11. ...) NOT-FOR-US: Adobe Reader CVE-2013-2721 (Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11. ...) NOT-FOR-US: Adobe Reader CVE-2013-2720 (Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11. ...) NOT-FOR-US: Adobe Reader CVE-2013-2719 (Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11. ...) NOT-FOR-US: Adobe Reader CVE-2013-2718 (Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11. ...) NOT-FOR-US: Adobe Reader CVE-2013-2717 (Multiple unspecified vulnerabilities in the System Management (aka Sys ...) NOT-FOR-US: EMC CVE-2012-6573 (Cross-site scripting (XSS) vulnerability in the Apache Solr Autocomple ...) NOT-FOR-US: DRUPAL-SA-CONTRIB-2012-136 CVE-2012-6550 (Cross-site scripting (XSS) vulnerability in ZeroClipboard before 1.1.4 ...) - db4o (unimportant) NOTE: in doc package only CVE-2013-2716 (Puppet Labs Puppet Enterprise before 2.8.0 does not use a "randomized ...) NOT-FOR-US: Puppet Labs Puppet Enterprise CVE-2013-2715 (Cross-site scripting (XSS) vulnerability in the admin view in the Sear ...) NOT-FOR-US: Drupal module search_api CVE-2013-2714 (Cross-site Scripting (XSS) in WordPress podPress Plugin 8.8.10.13 coul ...) NOT-FOR-US: WordPress podPress Plugin CVE-2013-2713 (Cross-site request forgery (CSRF) vulnerability in users_maint.html in ...) NOT-FOR-US: KrisonAV CVE-2013-2712 (Cross-site scripting (XSS) vulnerability in services/get_article.php i ...) NOT-FOR-US: KrisonAV CVE-2013-2711 RESERVED CVE-2013-2710 (Cross-site request forgery (CSRF) vulnerability in the Contextual Rela ...) NOT-FOR-US: WordPress plugin Contextual Related Posts CVE-2013-2709 (Cross-site request forgery (CSRF) vulnerability in the FourSquare Chec ...) NOT-FOR-US: WordPress plugin FourSquare Checkins CVE-2013-2708 (Cross-site request forgery (CSRF) vulnerability in the Content Slide p ...) NOT-FOR-US: WordPress plugin Content Slide CVE-2013-2707 (Cross-site request forgery (CSRF) vulnerability in the Login With Ajax ...) NOT-FOR-US: WordPress plugin CVE-2013-2706 (Cross-site request forgery (CSRF) vulnerability in the Stream Video Pl ...) NOT-FOR-US: WordPress plugin Stream Video Player CVE-2013-2705 (Cross-site request forgery (CSRF) vulnerability in the WordPress Simpl ...) NOT-FOR-US: WordPress plugin Simple Paypal Shopping Cart CVE-2013-2704 (Cross-site request forgery (CSRF) vulnerability in the Dropdown Menu W ...) NOT-FOR-US: WordPress plugin Dropdown Menu Widget CVE-2013-2703 (Cross-site request forgery (CSRF) vulnerability in the Facebook Member ...) NOT-FOR-US: Facebook Members plugin for WordPres CVE-2013-2702 (Cross-site request forgery (CSRF) vulnerability in the Easy AdSense Li ...) NOT-FOR-US: Easy AdSense Lite plugin for WordPress CVE-2013-2701 (Cross-site request forgery (CSRF) vulnerability in the Social Sharing ...) NOT-FOR-US: social sharing toolkit plugin for wp CVE-2013-2700 (Cross-site request forgery (CSRF) vulnerability in the Add/Edit page ( ...) NOT-FOR-US: WordPress plugin WP125 CVE-2013-2699 (Cross-site request forgery (CSRF) vulnerability in the underConstructi ...) NOT-FOR-US: WordPress plugin underConstruction CVE-2013-2698 (Cross-site request forgery (CSRF) vulnerability in the Calendar plugin ...) NOT-FOR-US: WordPress plugin calendar CVE-2013-2697 (Cross-site request forgery (CSRF) vulnerability in the WP-DownloadMana ...) NOT-FOR-US: Wordpress plugin Downloadmanager CVE-2013-2696 (Cross-site request forgery (CSRF) vulnerability in the All in One Webm ...) NOT-FOR-US: WordPress plugin All in One Webmaster CVE-2013-2695 (Cross-site scripting (XSS) vulnerability in invite.php in the WP Sympo ...) NOT-FOR-US: WordPress plugin wp-symposium CVE-2013-2694 (Open redirect vulnerability in invite.php in the WP Symposium plugin 1 ...) NOT-FOR-US: WordPress plugin wp-symposium CVE-2013-2693 (Cross-site request forgery (CSRF) vulnerability in the Options in the ...) NOT-FOR-US: WordPress plugin WP-Print CVE-2013-2692 (Cross-site request forgery (CSRF) vulnerability in the Admin web inter ...) NOT-FOR-US: OpenVPN Access Server CVE-2013-2691 (Stack-based buffer overflow in the JetMPG.ax module in jetAudio 8.0.17 ...) NOT-FOR-US: jetAudio CVE-2013-2690 (SQL injection vulnerability in index.php in Synchroweb Technology SynC ...) NOT-FOR-US: Synchroweb Technology SynConnect 2.0 CVE-2013-2689 RESERVED CVE-2013-2688 (Buffer overflow in phrelay in BlackBerry QNX Neutrino RTOS through 6.5 ...) NOT-FOR-US: QNX Software Development Platform CVE-2013-2687 (Stack-based buffer overflow in the bpe_decompress function in (1) Blac ...) NOT-FOR-US: QNX CVE-2013-2686 (main/http.c in the HTTP server in Asterisk Open Source 1.8.x before 1. ...) - asterisk 1:1.8.13.1~dfsg-2 (bug #704114) [squeeze] - asterisk (httpd code does not read HTTP POST variables) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-20967 CVE-2013-2685 (Stack-based buffer overflow in res/res_format_attr_h264.c in Asterisk ...) - asterisk (H264 code not yet present) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-20901 CVE-2013-2684 (Cross-site Scripting (XSS) in Cisco Linksys E4200 1.0.05 Build 7 devic ...) NOT-FOR-US: Cisco CVE-2013-2683 (Cisco Linksys E4200 1.0.05 Build 7 devices contain an Information Disc ...) NOT-FOR-US: Cisco CVE-2013-2682 (Cisco Linksys E4200 1.0.05 Build 7 devices contain a Clickjacking Vuln ...) NOT-FOR-US: Cisco CVE-2013-2681 (Cisco Linksys E4200 1.0.05 Build 7 devices contain a Security Bypass V ...) NOT-FOR-US: Cisco CVE-2013-2680 (Cisco Linksys E4200 1.0.05 Build 7 devices store passwords in cleartex ...) NOT-FOR-US: Cisco CVE-2013-2679 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco Linksys E ...) NOT-FOR-US: Cisco CVE-2013-2678 (Cisco Linksys E4200 1.0.05 Build 7 routers contain a Local File Includ ...) NOT-FOR-US: Cisco CVE-2013-2677 RESERVED CVE-2013-2676 (Brother MFC-9970CDW 1.10 firmware L devices contain an information dis ...) NOT-FOR-US: Brother CVE-2013-2675 (Brother MFC-9970CDW 1.10 devices with Firmware L contain a Frameable r ...) NOT-FOR-US: Brother devices CVE-2013-2674 (Brother MFC-9970CDW 1.10 firmware L devices contain an information dis ...) NOT-FOR-US: Brother MFC-9970CDW 1.10 firmware L devices CVE-2013-2673 (Brother MFC-9970CDW 1.10 firmware L devices contain a security bypass ...) NOT-FOR-US: Brother MFC-9970CDW 1.10 firmware L devices CVE-2013-2672 (Brother MFC-9970CDW devices with firmware 0D allow cleartext submissio ...) NOT-FOR-US: Brother MFC-9970CDW devices CVE-2013-2671 (Multiple cross-site scripting (XSS) vulnerabilities in the Brother MFC ...) NOT-FOR-US: Brother printer CVE-2013-2670 (Cross-site scripting (XSS) vulnerability in the Brother MFC-9970CDW pr ...) NOT-FOR-US: Brother printer CVE-2013-2669 RESERVED CVE-2013-2668 RESERVED CVE-2013-2667 RESERVED CVE-2013-2666 RESERVED CVE-2013-2665 RESERVED CVE-2013-2664 RESERVED CVE-2013-2663 RESERVED CVE-2013-2662 RESERVED CVE-2013-2661 RESERVED CVE-2013-2660 RESERVED CVE-2013-2659 RESERVED CVE-2013-2658 RESERVED CVE-2013-2657 RESERVED CVE-2013-2656 RESERVED CVE-2013-2655 RESERVED CVE-2013-2654 RESERVED CVE-2013-2653 (security/MemberLoginForm.php in SilverStripe 3.0.3 supports login usin ...) - silverstripe (bug #528461) CVE-2013-2652 (CRLF injection vulnerability in help/help_language.php in WebCollab 3. ...) NOT-FOR-US: WebCollab CVE-2013-2651 (Multiple cross-site scripting (XSS) vulnerabilities in BoltWire 3.5 an ...) NOT-FOR-US: Boltwire CVE-2013-2650 RESERVED CVE-2013-2649 RESERVED CVE-2013-2648 RESERVED CVE-2013-2647 RESERVED CVE-2013-2646 (TP-LINK TL-WR1043ND V1_120405 devices contain an unspecified denial of ...) NOT-FOR-US: TP-LINK CVE-2013-2645 (Multiple cross-site request forgery (CSRF) vulnerabilities on the TP-L ...) NOT-FOR-US: TP-LINK Router CVE-2013-2644 REJECTED CVE-2013-2643 (Multiple cross-site scripting (XSS) vulnerabilities in Sophos Web Appl ...) NOT-FOR-US: Sophos Web Appliance CVE-2013-2642 (Sophos Web Appliance before 3.7.8.2 allows (1) remote attackers to exe ...) NOT-FOR-US: Sophos Web Appliance CVE-2013-2641 (Directory traversal vulnerability in patience.cgi in Sophos Web Applia ...) NOT-FOR-US: Sophos Web Appliance CVE-2013-2640 (ajax.functions.php in the MailUp plugin before 1.3.2 for WordPress doe ...) NOT-FOR-US: MailUp plugin for Wordpress CVE-2013-2639 (Cross-site scripting (XSS) vulnerability in CTERA Cloud Storage OS bef ...) NOT-FOR-US: CTERA Cloud Storage OS CVE-2013-2638 RESERVED CVE-2013-2637 (A Cross-Site Scripting (XSS) Vulnerability exists in OTRS ITSM prior t ...) NOT-FOR-US: OTRS ITSM and OTRS FAQ CVE-2013-2636 (net/bridge/br_mdb.c in the Linux kernel before 3.8.4 does not initiali ...) - linux (Introduced in 3.8) - linux-2.6 (Introduced in 3.8) CVE-2013-2635 (The rtnl_fill_ifinfo function in net/core/rtnetlink.c in the Linux ker ...) - linux 3.2.41-2 - linux-2.6 [squeeze] - linux-2.6 (Introduced in 2.6.34) CVE-2013-2634 (net/dcb/dcbnl.c in the Linux kernel before 3.8.4 does not initialize c ...) {DSA-2668-1} - linux 3.2.41-2 - linux-2.6 CVE-2013-2633 (Piwik before 1.11 accepts input from a POST request instead of a GET r ...) - piwik (bug #506933) CVE-2013-2632 (Google V8 before 3.17.13, as used in Google Chrome before 27.0.1444.3, ...) - libv8 [squeeze] - libv8 (Unsupported in squeeze-lts) [wheezy] - libv8 (Minor issue, Chromium in Wheezy uses its own fixed copy) - libv8-3.14 (unimportant; bug #773671) NOTE: libv8 not covered by security support CVE-2013-2631 (TinyWebGallery (TWG) 1.8.9 and earlier contains a full path disclosure ...) NOT-FOR-US: TinyWebGallery CVE-2013-2630 (Cross-site scripting (XSS) vulnerability in CA Service Desk Manager 12 ...) NOT-FOR-US: CA Service Desk Manager CVE-2013-2629 (Leed (Light Feed), possibly before 1.5 Stable, allows remote attackers ...) NOT-FOR-US: Leed CVE-2013-2628 (Multiple cross-site request forgery (CSRF) vulnerabilities in action.p ...) NOT-FOR-US: Leed CVE-2013-2627 (SQL injection vulnerability in action.php in Leed (Light Feed), possib ...) NOT-FOR-US: Leed CVE-2013-2626 RESERVED CVE-2013-2625 (An Access Bypass issue exists in OTRS Help Desk before 3.2.4, 3.1.14, ...) - otrs2 3.1.7+dfsg1-8 [squeeze] - otrs2 2.4.9+dfsg1-3+squeeze4 NOTE: DSA-2733-1 NOTE: http://web.archive.org/web/20130716120019/http://www.otrs.com:80/en/open-source/community-news/security-advisories/security-advisory-2013-01/ CVE-2013-2624 (Telean before 1.3.1 contains a full path disclosure vulnerability whic ...) NOT-FOR-US: Telean CVE-2013-2623 (Cross-site Scripting (XSS) in Telaen before 1.3.1 allows remote attack ...) NOT-FOR-US: Uebimiau Webmail CVE-2013-2622 (Cross-site Scripting (XSS) in UebiMiau 2.7.11 and earlier allows remot ...) NOT-FOR-US: Uebimiau Webmail CVE-2013-2621 (Open Redirection Vulnerability in the redir.php script in Telaen befor ...) NOT-FOR-US: Uebimiau Webmail CVE-2013-2620 RESERVED CVE-2013-2619 (Directory traversal vulnerability in Aspen before 0.22 allows remote a ...) NOT-FOR-US: Aspen CVE-2013-2618 (Cross-site scripting (XSS) vulnerability in editor.php in Network Weat ...) NOT-FOR-US: Network Weathermap CVE-2013-2617 (lib/curl.rb in the Curl Gem for Ruby allows remote attackers to execut ...) NOT-FOR-US: Ruby Curl gem CVE-2013-2616 (lib/mini_magick.rb in the MiniMagick Gem 1.3.1 for Ruby allows remote ...) NOT-FOR-US: Ruby MiniMagick gem CVE-2013-2615 (lib/entry_controller.rb in the fastreader Gem 1.0.8 for Ruby allows re ...) NOT-FOR-US: Ruby fastreader gem CVE-2013-2614 RESERVED CVE-2013-2613 RESERVED CVE-2013-2612 (Command-injection vulnerability in Huawei E587 3G Mobile Hotspot 11.20 ...) NOT-FOR-US: Huawei CVE-2013-2611 RESERVED CVE-2013-2610 RESERVED CVE-2013-2609 RESERVED CVE-2013-2608 RESERVED CVE-2013-2607 RESERVED CVE-2013-2606 RESERVED CVE-2013-2605 RESERVED CVE-2013-2604 (RealNetworks GameHouse RealArcade Installer (aka ActiveMARK Game Insta ...) NOT-FOR-US: RealNetworks GameHouse RealArcade Installer CVE-2013-2603 (The RACInstaller.StateCtrl.1 ActiveX control in InstallerDlg.dll in Re ...) NOT-FOR-US: RealNetworks GameHouse RealArcade Installer CVE-2013-2602 (Multiple array index errors in the MyHeritage SEQueryObject ActiveX co ...) NOT-FOR-US: MyHeritage SEQueryObject ActiveX control CVE-2013-2601 (The NDVM in Citrix XenClient XT before 2.1.3 and 3.x before 3.1.4 allo ...) NOT-FOR-US: Citrix XenClient XT CVE-2013-2600 (MiniUPnPd has information disclosure use of snprintf() ...) - miniupnpd 1.8.20130730-1 (bug #716936) CVE-2013-2599 (A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonC ...) NOT-FOR-US: Qualcomm (Android) CVE-2013-2598 (app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed ...) NOT-FOR-US: Little Kernel (bootloader) CVE-2013-2597 (Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c ...) NOT-FOR-US: Android Linux kernel (affects {sound/soc/,arch/arm/mach-}msm/qdsp6v2) NOTE: https://www.codeaurora.org/projects/security-advisories/stack-based-buffer-overflow-acdb-audio-driver-cve-2013-2597 CVE-2013-2596 (Integer overflow in the fb_mmap function in drivers/video/fbmem.c in t ...) - linux 3.9-1 [wheezy] - linux 3.2.46-1 NOTE: the issue comes from fbmem code from linux mainline, the exploit was just targetting motorola NOTE: phones that ship code that is based on the original linux code, but both are affected. NOTE: an exploit needs access to /dev/fb0 which is not world readable/writable on Debian CVE-2013-2595 (The device-initialization functionality in the MSM camera driver for t ...) NOT-FOR-US: Qualcomm MSM Camera driver CVE-2013-2594 (SQL injection vulnerability in reports/calldiary.php in Hornbill Suppo ...) NOT-FOR-US: Supportworks ITSM CVE-2013-2593 RESERVED CVE-2013-2592 RESERVED CVE-2013-2591 RESERVED CVE-2013-2590 RESERVED CVE-2013-2589 RESERVED CVE-2013-2588 RESERVED CVE-2013-2587 RESERVED CVE-2013-2586 (XAMPP 1.8.1 does not properly restrict access to xampp/lang.php, which ...) NOT-FOR-US: XAMPPP CVE-2013-2585 (Cross-site scripting (XSS) vulnerability in Atmail Webmail Server 6.6. ...) - atmailopen CVE-2013-2584 RESERVED CVE-2013-2583 (Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange Ap ...) NOT-FOR-US: Open-Xchange CVE-2013-2582 (CRLF injection vulnerability in the redirect servlet in Open-Xchange A ...) NOT-FOR-US: Open-Xchange CVE-2013-2581 (cgi-bin/firmwareupgrade in TP-Link IP Cameras TL-SC3130, TL-SC3130G, T ...) NOT-FOR-US: TP-Link IP Cameras CVE-2013-2580 (Unrestricted file upload vulnerability in cgi-bin/uploadfile in TP-Lin ...) NOT-FOR-US: TP-Link IP Cameras CVE-2013-2579 (TP-Link IP Cameras TL-SC3130, TL-SC3130G, TL-SC3171, TL-SC3171G, and p ...) NOT-FOR-US: TP-Link IP Cameras CVE-2013-2578 (cgi-bin/admin/servetest in TP-Link IP Cameras TL-SC3130, TL-SC3130G, T ...) NOT-FOR-US: TP-Link IP Cameras CVE-2013-2577 (Buffer overflow in XnView before 2.04 allows remote attackers to execu ...) NOT-FOR-US: XnView CVE-2013-2576 (Buffer overflow in Artweaver before 3.1.6 allows remote attackers to c ...) NOT-FOR-US: Artweaver CVE-2013-2575 RESERVED CVE-2013-2574 (An Access vulnerability exists in FOSCAM IP Camera FI8620 due to insuf ...) NOT-FOR-US: Foscam CVE-2013-2573 (A Command Injection vulnerability exists in the ap parameter to the /c ...) NOT-FOR-US: TP-Link CVE-2013-2572 (A Security Bypass vulnerability exists in TP-LINK IP Cameras TL-SC 313 ...) NOT-FOR-US: TP-Link CVE-2013-2571 (Iris 3.8 before build 1548, as used in Xpient point of sale (POS) syst ...) NOT-FOR-US: Xpient point of sale (POS) CVE-2013-2570 (A Command Injection vulnerability exists in Zavio IP Cameras through 1 ...) NOT-FOR-US: Zavio CVE-2013-2569 (A Security Bypass vulnerability exists in Zavio IP Cameras through 1.6 ...) NOT-FOR-US: Zavio CVE-2013-2568 (A Command Injection vulnerability exists in Zavio IP Cameras through 1 ...) NOT-FOR-US: Zavio CVE-2013-2567 (An Authentication Bypass vulnerability exists in the web interface in ...) NOT-FOR-US: Zavio CVE-2013-2566 (The RC4 algorithm, as used in the TLS protocol and SSL protocol, has m ...) NOTE: Generic protocol flaw in RC4 CVE-2012-6549 (The isofs_export_encode_fh function in fs/isofs/export.c in the Linux ...) {DSA-2668-1} - linux 3.2.41-1 (low) - linux-2.6 (low) CVE-2012-6548 (The udf_encode_fh function in fs/udf/namei.c in the Linux kernel befor ...) {DSA-2668-1} - linux 3.2.41-1 (low) - linux-2.6 (low) CVE-2012-6547 (The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel ...) - linux 3.2.29-1 (low) - linux-2.6 (low) [squeeze] - linux-2.6 2.6.32-47 CVE-2012-6546 (The ATM implementation in the Linux kernel before 3.6 does not initial ...) {DSA-2668-1} - linux 3.2.30-1 (low) - linux-2.6 (low) CVE-2012-6545 (The Bluetooth RFCOMM implementation in the Linux kernel before 3.6 doe ...) {DSA-2668-1} - linux 3.2.30-1 (low) - linux-2.6 (low) CVE-2012-6544 (The Bluetooth protocol stack in the Linux kernel before 3.6 does not p ...) {DSA-2668-1} - linux 3.2.30-1 (low) - linux-2.6 (low) CVE-2012-6543 (The l2tp_ip6_getname function in net/l2tp/l2tp_ip6.c in the Linux kern ...) - linux (Affected code introduced in 3.5) - linux-2.6 (Affected code introduced in 3.5) CVE-2012-6542 (The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel be ...) {DSA-2668-1} - linux 3.2.30-1 (low) - linux-2.6 (low) CVE-2012-6541 (The ccid3_hc_tx_getsockopt function in net/dccp/ccids/ccid3.c in the L ...) - linux 3.2.30-1 (low) - linux-2.6 (low) [squeeze] - linux-2.6 (Introduced in 2.6.37) CVE-2012-6540 (The do_ip_vs_get_ctl function in net/netfilter/ipvs/ip_vs_ctl.c in the ...) {DSA-2668-1} - linux 3.2.30-1 (low) - linux-2.6 (low) CVE-2012-6539 (The dev_ifconf function in net/socket.c in the Linux kernel before 3.6 ...) {DSA-2668-1} - linux 3.2.30-1 (low) - linux-2.6 (low) CVE-2012-6538 (The copy_to_user_auth function in net/xfrm/xfrm_user.c in the Linux ke ...) - linux 3.2.32-1 (low) - linux-2.6 (low) [squeeze] - linux-2.6 (Introduced in 2.6.33) CVE-2012-6537 (net/xfrm/xfrm_user.c in the Linux kernel before 3.6 does not initializ ...) {DSA-2668-1} - linux 3.2.32-1 (low) - linux-2.6 (low) CVE-2012-6536 (net/xfrm/xfrm_user.c in the Linux kernel before 3.6 does not verify th ...) - linux 3.2.32-1 (low) - linux-2.6 (low) [squeeze] - linux-2.6 (Introduced in 2.6.39) CVE-2012-XXXX [null pointer dereference] - chromium-browser 21.0.1180.57~r148591-1 [squeeze] - chromium-browser NOTE: http://seclists.org/fulldisclosure/2013/Mar/134 NOTE: full disclosure post dosn't make it clear if a CVE was assigned for this or not, but it is fixed in the above version CVE-2013-2565 (A vulnerability in Mambo CMS v4.6.5 where the scripts thumbs.php, edit ...) NOT-FOR-US: Mambo CMS CVE-2013-2564 (Mambo CMS 4.6.5 allows remote attackers to cause a denial of service ( ...) NOT-FOR-US: Mambo CMS CVE-2013-2563 (Mambo CMS 4.6.5 uses world-readable permissions on configuration.php, ...) NOT-FOR-US: Mambo CMS CVE-2013-2562 (Mambo CMS 4.6.5 stores the MySQL database password in cleartext in the ...) NOT-FOR-US: Mambo CMS CVE-2013-2561 (OpenFabrics ibutils 1.5.7 allows local users to overwrite arbitrary fi ...) - ibutils 1.5.7-2 (low; bug #704063) [squeeze] - ibutils (Minor issue) [wheezy] - ibutils (Minor issue) CVE-2013-2560 (Directory traversal vulnerability in the web interface on Foscam devic ...) NOT-FOR-US: Foscam CVE-2013-2559 (SQL injection vulnerability in Symphony CMS before 2.3.2 allows remote ...) NOT-FOR-US: Symphony CMS CVE-2013-2558 (Unspecified vulnerability in Microsoft Windows 8 allows remote attacke ...) NOT-FOR-US: Windows 8 CVE-2013-2557 (The sandbox protection mechanism in Microsoft Internet Explorer 9 allo ...) NOT-FOR-US: Internet Explorer CVE-2013-2556 (Unspecified vulnerability in Microsoft Windows Vista SP2, Windows Serv ...) NOT-FOR-US: Windows 7 CVE-2013-2555 (Integer overflow in Adobe Flash Player before 10.3.183.75 and 11.x bef ...) NOT-FOR-US: Adobe Flash plugin CVE-2013-2554 (Unspecified vulnerability in Microsoft Windows 7 allows attackers to b ...) NOT-FOR-US: Windows 7 CVE-2013-2553 (Unspecified vulnerability in the kernel in Microsoft Windows 7 allows ...) NOT-FOR-US: Windows 7 CVE-2013-2552 (Unspecified vulnerability in Microsoft Internet Explorer 10 on Windows ...) NOT-FOR-US: Internet Explorer CVE-2013-2551 (Use-after-free vulnerability in Microsoft Internet Explorer 6 through ...) NOT-FOR-US: Internet Explorer CVE-2013-2550 (Unspecified vulnerability in Adobe Reader 11.0.02 allows attackers to ...) NOT-FOR-US: Adobe Reader CVE-2013-2549 (Unspecified vulnerability in Adobe Reader 11.0.02 allows remote attack ...) NOT-FOR-US: Adobe Reader CVE-2013-2548 (The crypto_report_one function in crypto/crypto_user.c in the report A ...) - linux 3.2.41-1 (low) - linux-2.6 (Introduced in 3.2) CVE-2013-2547 (The crypto_report_one function in crypto/crypto_user.c in the report A ...) - linux 3.2.41-1 (low) - linux-2.6 (Introduced in 3.2) CVE-2013-2546 (The report API in the crypto user configuration API in the Linux kerne ...) - linux 3.2.41-1 (low) - linux-2.6 (Introduced in 3.2) CVE-2013-2545 RESERVED CVE-2013-2544 RESERVED CVE-2013-2543 RESERVED CVE-2013-2542 RESERVED CVE-2013-2541 RESERVED CVE-2013-2540 RESERVED CVE-2013-2539 RESERVED CVE-2013-2538 RESERVED CVE-2013-2537 RESERVED CVE-2013-2536 RESERVED CVE-2013-2535 RESERVED CVE-2013-2534 RESERVED CVE-2013-2533 RESERVED CVE-2013-2532 RESERVED CVE-2013-2531 RESERVED CVE-2013-2530 RESERVED CVE-2013-2529 RESERVED CVE-2013-2528 RESERVED CVE-2013-2527 RESERVED CVE-2013-2526 RESERVED CVE-2013-2525 RESERVED CVE-2013-2524 RESERVED CVE-2013-2523 RESERVED CVE-2013-2522 RESERVED CVE-2013-2521 RESERVED CVE-2013-2520 RESERVED CVE-2013-2519 RESERVED CVE-2013-2518 REJECTED CVE-2013-2517 REJECTED CVE-2013-2516 (Vulnerability in FileUtils v0.7, Ruby Gem Fileutils <= v0.7 Command ...) - ruby-fileutils (bug #900515) CVE-2013-2515 RESERVED CVE-2013-2514 RESERVED CVE-2013-2513 RESERVED CVE-2013-2512 RESERVED CVE-2013-2511 RESERVED CVE-2013-2510 RESERVED CVE-2013-2509 RESERVED CVE-2013-2508 RESERVED CVE-2013-2507 (Multiple cross-site scripting (XSS) vulnerabilities in the Brother MFC ...) NOT-FOR-US: Brother CVE-2013-2506 (app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1. ...) NOT-FOR-US: Spree CVE-2012-6535 (DjVuLibre before 3.5.25.3, as used in Evince, Sumatra PDF Reader, VuDr ...) {DSA-2844-1} - djvulibre 3.5.25.3-1 NOTE: http://sourceforge.net/p/djvu/djvulibre-git/ci/d4f0f6d37fe6a1fb427cfa33a64ead1eff32d28e/ NOTE: evince doesnt use an embedded version of this CVE-2013-2505 RESERVED CVE-2013-2504 (Cross-site scripting (XSS) vulnerability in SPS/Portal/default.aspx in ...) NOT-FOR-US: Matrix42 Service Store CVE-2013-2503 (Privoxy before 3.0.21 does not properly handle Proxy-Authenticate and ...) - privoxy 3.0.21-1 (low; bug #702896) [wheezy] - privoxy (Minor issue) [squeeze] - privoxy (Minor issue) NOTE: http://blog.c22.cc/2013/03/11/privoxy-proxy-authentication-credential-exposure-cve-2013-2503/ NOTE: http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/ChangeLog?revision=1.188&view=markup CVE-2013-2502 RESERVED CVE-2013-2501 (Cross-site scripting (XSS) vulnerability in the Terillion Reviews plug ...) NOT-FOR-US: Terillion Reviews plugin for Wordpress CVE-2013-2500 RESERVED CVE-2013-2499 (SimpleHRM 2.3 and earlier could allow remote attackers to bypass the a ...) NOT-FOR-US: SimpleHRM CVE-2013-2498 (SQL injection vulnerability in the login page in flexycms/modules/user ...) NOT-FOR-US: SimpleHRM CVE-2013-2497 RESERVED CVE-2013-2496 (The msrle_decode_8_16_24_32 function in msrledec.c in libavcodec in FF ...) - libav 6:0.8.6-1 (bug #703200) - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) CVE-2013-2495 (The iff_read_header function in iff.c in libavformat in FFmpeg through ...) - libav 6:0.8.6-1 (bug #703200) - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) CVE-2013-2494 (libdns in ISC DHCP 4.2.x before 4.2.5-P1 allows remote name servers to ...) - isc-dhcp 4.2.4-6 (low; bug #704426) [wheezy] - isc-dhcp 4.2.2.dfsg.1-5+deb70u6 [squeeze] - isc-dhcp (Only affects 4.2.x) CVE-2013-2493 (The Hook_Terminate function in chrome_frame/protocol_sink_wrap.cc in t ...) NOT-FOR-US: Google Chrome Frame plugin for Internet Explorer CVE-2013-2492 (Stack-based buffer overflow in Firebird 2.1.3 through 2.1.5 before 185 ...) {DSA-2648-1 DSA-2647-1} - firebird2.1 (bug #702735) - firebird2.5 2.5.2~svn+54698.ds4-2 (bug #702736) NOTE: http://tracker.firebirdsql.org/browse/CORE-4058 CVE-2013-2491 RESERVED CVE-2013-2490 RESERVED CVE-2013-2489 RESERVED CVE-2013-2488 (The DTLS dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1 ...) {DSA-2644-1} - wireshark 1.8.2-5 [wheezy] - wireshark 1.8.2-5wheezy1 NOTE: http://www.wireshark.org/security/wnpa-sec-2013-22.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8380 NOTE: Versions affected: 1.8.0 to 1.8.X, 1.6.0 to 1.6.X CVE-2013-2487 (epan/dissectors/packet-reload.c in the REsource LOcation And Discovery ...) {DLA-497-1} - wireshark 1.8.6-1 (unimportant) [squeeze] - wireshark (only 1.8.x series) NOTE: http://www.wireshark.org/security/wnpa-sec-2013-21.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8364 NOTE: Versions affected: 1.8.0 to 1.8.5 NOTE: Not suitable for code injection CVE-2013-2486 (The dissect_diagnosticrequest function in epan/dissectors/packet-reloa ...) {DLA-497-1} - wireshark 1.8.6-1 (unimportant) [squeeze] - wireshark (only 1.8.x series) NOTE: http://www.wireshark.org/security/wnpa-sec-2013-21.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8364 NOTE: Versions affected: 1.8.0 to 1.8.5 NOTE: Not suitable for code injection CVE-2013-2485 (The FCSP dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1 ...) {DLA-497-1} - wireshark 1.8.6-1 (unimportant) NOTE: http://www.wireshark.org/security/wnpa-sec-2013-20.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8359 NOTE: Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13 NOTE: Not suitable for code injection CVE-2013-2484 (The CIMD dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1 ...) {DSA-2644-1} - wireshark 1.8.2-5 [wheezy] - wireshark 1.8.2-5wheezy1 NOTE: http://www.wireshark.org/security/wnpa-sec-2013-19.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8346 NOTE: Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13 CVE-2013-2483 (The acn_add_dmp_data function in epan/dissectors/packet-acn.c in the A ...) {DSA-2644-1} - wireshark 1.8.2-5 (unimportant) [wheezy] - wireshark 1.8.2-5wheezy1 NOTE: http://www.wireshark.org/security/wnpa-sec-2013-18.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8340 NOTE: Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13 NOTE: Not suitable for code injection CVE-2013-2482 (The AMPQ dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1 ...) {DLA-497-1} - wireshark 1.8.6-1 (unimportant) NOTE: http://www.wireshark.org/security/wnpa-sec-2013-17.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8337 NOTE: Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13 NOTE: Not suitable for code injection CVE-2013-2481 (Integer signedness error in the dissect_mount_dirpath_call function in ...) {DSA-2644-1} - wireshark 1.8.2-5 (unimportant) [wheezy] - wireshark 1.8.2-5wheezy1 NOTE: http://www.wireshark.org/security/wnpa-sec-2013-16.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8335 NOTE: Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13 NOTE: Not suitable for code injection CVE-2013-2480 (The RTPS and RTPS2 dissectors in Wireshark 1.6.x before 1.6.14 and 1.8 ...) {DSA-2644-1} - wireshark 1.8.2-5 [wheezy] - wireshark 1.8.2-5wheezy1 NOTE: http://www.wireshark.org/security/wnpa-sec-2013-15.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8332 NOTE: Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13 CVE-2013-2479 (The dissect_mpls_echo_tlv_dd_map function in epan/dissectors/packet-mp ...) {DLA-497-1} - wireshark 1.8.6-1 (unimportant) [squeeze] - wireshark (only affecting 1.8.x) NOTE: http://www.wireshark.org/security/wnpa-sec-2013-14.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8039 NOTE: Versions affected: 1.8.0 to 1.8.5 NOTE: Not suitable for code injection CVE-2013-2478 (The dissect_server_info function in epan/dissectors/packet-ms-mms.c in ...) {DSA-2644-1} - wireshark 1.8.2-5 [wheezy] - wireshark 1.8.2-5wheezy1 NOTE: http://www.wireshark.org/security/wnpa-sec-2013-13.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8382 NOTE: announce mentions: Versions affected: 1.8.0 to 1.8.5, 1.6.0 to 1.6.13 CVE-2013-2477 (The CSN.1 dissector in Wireshark 1.8.x before 1.8.6 does not properly ...) - wireshark 1.8.2-5 [squeeze] - wireshark (only affecting 1.8.x) [wheezy] - wireshark 1.8.2-5wheezy1 NOTE: http://www.wireshark.org/security/wnpa-sec-2013-12.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8383 NOTE: Versions affected: 1.8.0 to 1.8.5 CVE-2013-2476 (The dissect_hartip function in epan/dissectors/packet-hartip.c in the ...) {DLA-497-1} - wireshark 1.8.6-1 (unimportant) [squeeze] - wireshark (only affecting 1.8.x) NOTE: http://www.wireshark.org/security/wnpa-sec-2013-11.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8360 NOTE: Versions affected: 1.8.0 to 1.8.5 NOTE: Not suitable for code injection CVE-2013-2475 (The TCP dissector in Wireshark 1.8.x before 1.8.6 allows remote attack ...) - wireshark 1.8.2-5 [squeeze] - wireshark (only affecting 1.8.x) [wheezy] - wireshark 1.8.2-5wheezy1 NOTE: http://www.wireshark.org/security/wnpa-sec-2013-10.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8274 NOTE: Versions affected: 1.8.0 to 1.8.5 CVE-2013-2474 (Directory traversal vulnerability in AWS XMS 2.5 allows remote attacke ...) NOT-FOR-US: AWS XMS CVE-2013-2473 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2727-1 DSA-2722-1} - openjdk-6 6b27-1.12.6-1 - openjdk-7 7u25-2.3.10-1 CVE-2013-2472 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2727-1 DSA-2722-1} - openjdk-6 6b27-1.12.6-1 - openjdk-7 7u25-2.3.10-1 CVE-2013-2471 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2727-1 DSA-2722-1} - openjdk-6 6b27-1.12.6-1 - openjdk-7 7u25-2.3.10-1 CVE-2013-2470 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2727-1 DSA-2722-1} - openjdk-6 6b27-1.12.6-1 - openjdk-7 7u25-2.3.10-1 CVE-2013-2469 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2727-1 DSA-2722-1} - openjdk-6 6b27-1.12.6-1 - openjdk-7 7u25-2.3.10-1 CVE-2013-2468 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-2467 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Only affects Java 5) - openjdk-7 (Only affects Java 5) CVE-2013-2466 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-2465 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2727-1 DSA-2722-1} - openjdk-6 6b27-1.12.6-1 - openjdk-7 7u25-2.3.10-1 CVE-2013-2464 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Specific to Oracle Java, not present in IcedTea) - openjdk-7 (Specific to Oracle Java, not present in IcedTea) NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected CVE-2013-2463 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2727-1 DSA-2722-1} - openjdk-6 6b27-1.12.6-1 - openjdk-7 7u25-2.3.10-1 CVE-2013-2462 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Only affects Java 7) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-2461 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2727-1 DSA-2722-1} - openjdk-6 6b27-1.12.6-1 - openjdk-7 7u25-2.3.10-1 CVE-2013-2460 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2722-1} - openjdk-6 (Only affects Java 7) - openjdk-7 7u25-2.3.10-1 CVE-2013-2459 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2727-1 DSA-2722-1} - openjdk-6 6b27-1.12.6-1 - openjdk-7 7u25-2.3.10-1 CVE-2013-2458 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2722-1} - openjdk-6 (Only affects Java 7) - openjdk-7 7u25-2.3.10-1 CVE-2013-2457 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2727-1 DSA-2722-1} - openjdk-6 (Only applies to Java 7) - openjdk-7 7u25-2.3.10-1 CVE-2013-2456 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2727-1 DSA-2722-1} - openjdk-6 6b27-1.12.6-1 - openjdk-7 7u25-2.3.10-1 CVE-2013-2455 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2727-1 DSA-2722-1} - openjdk-6 6b27-1.12.6-1 - openjdk-7 7u25-2.3.10-1 CVE-2013-2454 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2722-1} - openjdk-6 (Only affects Java 7) - openjdk-7 7u25-2.3.10-1 CVE-2013-2453 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2727-1 DSA-2722-1} - openjdk-7 7u25-2.3.10-1 - openjdk-6 6b27-1.12.6-1 CVE-2013-2452 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2727-1 DSA-2722-1} - openjdk-6 6b27-1.12.6-1 - openjdk-7 7u25-2.3.10-1 CVE-2013-2451 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2727-1 DSA-2722-1} - openjdk-6 6b27-1.12.6-1 - openjdk-7 7u25-2.3.10-1 CVE-2013-2450 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2727-1 DSA-2722-1} - openjdk-6 6b27-1.12.6-1 - openjdk-7 7u25-2.3.10-1 CVE-2013-2449 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2722-1} - openjdk-6 (Only affects Java 7) - openjdk-7 7u25-2.3.10-1 CVE-2013-2448 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2727-1 DSA-2722-1} - openjdk-6 6b27-1.12.6-1 - openjdk-7 7u25-2.3.10-1 CVE-2013-2447 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2727-1 DSA-2722-1} - openjdk-6 6b27-1.12.6-1 - openjdk-7 7u25-2.3.10-1 CVE-2013-2446 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2727-1 DSA-2722-1} - openjdk-6 6b27-1.12.6-1 - openjdk-7 7u25-2.3.10-1 CVE-2013-2445 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2727-1 DSA-2722-1} - openjdk-6 6b27-1.12.6-1 - openjdk-7 7u25-2.3.10-1 CVE-2013-2444 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2727-1 DSA-2722-1} - openjdk-6 6b27-1.12.6-1 - openjdk-7 7u25-2.3.10-1 CVE-2013-2443 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2727-1 DSA-2722-1} - openjdk-7 7u25-2.3.10-1 - openjdk-6 6b27-1.12.6-1 CVE-2013-2442 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-2441 (Unspecified vulnerability in the Agile EDM component in Oracle Supply ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2013-2440 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-2439 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Installation performed differently for Linux distros) - openjdk-7 (Installation performed differently for Linux distros) CVE-2013-2438 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2013-2437 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-2436 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 7u21-2.3.9-1 - openjdk-6 (Only affects Java7) CVE-2013-2435 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-2434 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Only affects Java 7) - openjdk-7 (Specific to Oracle Java, not present in IcedTea) NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected CVE-2013-2433 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-2432 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Specific to Oracle Java, not present in IcedTea) - openjdk-7 (Specific to Oracle Java, not present in IcedTea) NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected CVE-2013-2431 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 7u21-2.3.9-1 - openjdk-6 (Only affects Java7) CVE-2013-2430 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 7u21-2.3.9-1 - openjdk-6 6b27-1.12.5-1 CVE-2013-2429 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 7u21-2.3.9-1 - openjdk-6 6b27-1.12.5-1 CVE-2013-2428 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2013-2427 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2013-2426 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 7u21-2.3.9-1 - openjdk-6 (Only affects Java 7) CVE-2013-2425 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Only applies to Java 7) - openjdk-7 (Installation performed differently for Linux distros) CVE-2013-2424 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 7u21-2.3.9-1 - openjdk-6 6b27-1.12.5-1 CVE-2013-2423 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 7u21-2.3.9-1 - openjdk-6 (Only applies to Java 7) CVE-2013-2422 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 7u21-2.3.9-1 - openjdk-6 6b27-1.12.5-1 CVE-2013-2421 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 7u21-2.3.9-1 - openjdk-6 (Only affects Java 7) CVE-2013-2420 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 7u21-2.3.9-1 - openjdk-6 6b27-1.12.5-1 CVE-2013-2419 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-3187-1 DLA-219-1} - openjdk-7 7u21-2.3.9-1 - openjdk-6 6b27-1.12.5-1 - icu 52.1-1 CVE-2013-2418 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-2417 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 7u21-2.3.9-1 - openjdk-6 6b27-1.12.5-1 CVE-2013-2416 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Only affects Java 7) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-2415 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Only affects Java 7) CVE-2013-2414 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2013-2413 (Unspecified vulnerability in the Siebel Enterprise Application Integra ...) NOT-FOR-US: Oracle Siebel CRM CVE-2013-2412 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2727-1 DSA-2722-1} - openjdk-7 7u25-2.3.10-1 - openjdk-6 6b27-1.12.6-1 CVE-2013-2411 (Unspecified vulnerability in the Primavera P6 Enterprise Project Portf ...) NOT-FOR-US: Oracle Primavera Products CVE-2013-2410 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-2409 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-2408 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-2407 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2727-1 DSA-2722-1} - openjdk-6 6b27-1.12.6-1 - openjdk-7 7u25-2.3.10-1 CVE-2013-2406 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-2405 (Unspecified vulnerability in the Primavera P6 Enterprise Project Portf ...) NOT-FOR-US: Oracle Primavera Products CVE-2013-2404 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-2403 (Unspecified vulnerability in the Siebel Enterprise Application Integra ...) NOT-FOR-US: Oracle Siebel CRM CVE-2013-2402 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-2401 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-2400 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Only affects Java 7) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-2399 (Unspecified vulnerability in the Siebel Call Center component in Oracl ...) NOT-FOR-US: Oracle Siebel CRM CVE-2013-2398 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...) NOT-FOR-US: Oracle Siebel CRM CVE-2013-2397 (Unspecified vulnerability in the Oracle Retail Central Office componen ...) NOT-FOR-US: Oracle Industry Applications CVE-2013-2396 (Unspecified vulnerability in the Oracle Applications Manager component ...) NOT-FOR-US: Oracle E-Business Suite CVE-2013-2395 (Unspecified vulnerability in Oracle MySQL 5.6.10 and earlier allows re ...) - mysql-5.5 (Only affects MySQL 5.6) - mysql-5.1 (Only affects MySQL 5.6) CVE-2013-2394 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Specific to Oracle Java, not present in IcedTea) - openjdk-7 (Specific to Oracle Java, not present in IcedTea) NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected CVE-2013-2393 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-2392 (Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 a ...) {DSA-2780-1 DSA-2667-1} - mysql-5.5 5.5.31+dfsg-1 - mysql-5.1 - mariadb-10.0 (Fixed before initial upload) - mariadb-5.5 (Fixed before initial upload) CVE-2013-2391 (Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 a ...) {DSA-2780-1 DSA-2667-1} - mysql-5.5 5.5.31+dfsg-1 - mysql-5.1 - mariadb-10.0 (Fixed before initial upload) - mariadb-5.5 (Fixed before initial upload) CVE-2013-2390 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-2389 (Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 a ...) {DSA-2780-1 DSA-2667-1} - mysql-5.5 5.5.31+dfsg-1 - mysql-5.1 CVE-2013-2388 (Unspecified vulnerability in the Oracle Applications Technology Stack ...) NOT-FOR-US: Oracle E-Business Suite CVE-2013-2387 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle Financial Services Software CVE-2013-2386 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle Financial Services Software CVE-2013-2385 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle Financial Services Software CVE-2013-2384 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-3187-1 DLA-219-1} - openjdk-7 7u21-2.3.9-1 - openjdk-6 6b27-1.12.5-1 - icu 52.1-1 CVE-2013-2383 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-3187-1 DLA-219-1} - openjdk-7 7u21-2.3.9-1 - openjdk-6 6b27-1.12.5-1 - icu 52.1-1 CVE-2013-2382 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle Financial Services Software CVE-2013-2381 (Unspecified vulnerability in Oracle MySQL 5.6.10 and earlier allows re ...) - mysql-5.1 (Only affects MySQL 5.6) - mysql-5.5 (Only affects MySQL 5.6) CVE-2013-2380 (Unspecified vulnerability in the Oracle JRockit component in Oracle Fu ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-2379 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle Financial Services Software CVE-2013-2378 (Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier, 5.5.29 a ...) {DSA-2780-1} - mysql-5.5 5.5.30+dfsg-1 - mysql-5.1 - mariadb-10.0 (Fixed before initial upload) - mariadb-5.5 (Fixed before initial upload) CVE-2013-2377 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle Financial Services Software CVE-2013-2376 (Unspecified vulnerability in Oracle MySQL 5.5.30 and earlier and 5.6.1 ...) {DSA-2667-1} - mysql-5.5 5.5.31+dfsg-1 - mysql-5.1 (Only affects MySQL 5.5 and 5.6) - mariadb-10.0 (Fixed before initial upload) - mariadb-5.5 (Fixed before initial upload) CVE-2013-2375 (Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 a ...) {DSA-2780-1 DSA-2667-1} - mysql-5.5 5.5.31+dfsg-1 - mysql-5.1 - mariadb-10.0 (Fixed before initial upload) - mariadb-5.5 (Fixed before initial upload) CVE-2013-2374 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-2373 (The Engine in TIBCO Spotfire Web Player 3.3.x before 3.3.3, 4.0.x befo ...) NOT-FOR-US: TIBCO Spotfire Web Player CVE-2013-2372 (Cross-site scripting (XSS) vulnerability in the Engine in TIBCO Spotfi ...) NOT-FOR-US: TIBCO Spotfire Web Player CVE-2013-2371 (The Web API in the Statistics Server in TIBCO Spotfire Statistics Serv ...) NOT-FOR-US: TIBCO Spotfire Statistics CVE-2013-2370 (Unspecified vulnerability in HP LoadRunner before 11.52 allows remote ...) NOT-FOR-US: HP LoadRunner CVE-2013-2369 (Unspecified vulnerability in HP LoadRunner before 11.52 allows remote ...) NOT-FOR-US: HP LoadRunner CVE-2013-2368 (Unspecified vulnerability in HP LoadRunner before 11.52 allows remote ...) NOT-FOR-US: HP LoadRunner CVE-2013-2367 (Multiple unspecified vulnerabilities in HP SiteScope 11.20 and 11.21, ...) NOT-FOR-US: HP SiteScope CVE-2013-2366 (Unspecified vulnerability in HP Business Process Monitor 9.13.1 patch ...) NOT-FOR-US: HP Business Process Monitor CVE-2013-2365 (HP Database and Middleware Automation (DMA) 10.x before 10.10, when SS ...) NOT-FOR-US: HP DMA CVE-2013-2364 (Cross-site scripting (XSS) vulnerability in HP System Management Homep ...) NOT-FOR-US: HP SMH CVE-2013-2363 (HP System Management Homepage (SMH) before 7.2.1 allows remote attacke ...) NOT-FOR-US: HP SMH CVE-2013-2362 (Unspecified vulnerability in HP System Management Homepage (SMH) befor ...) NOT-FOR-US: HP SMH CVE-2013-2361 (Cross-site scripting (XSS) vulnerability in HP System Management Homep ...) NOT-FOR-US: HP SMH CVE-2013-2360 (Unspecified vulnerability in HP System Management Homepage (SMH) befor ...) NOT-FOR-US: HP SMH CVE-2013-2359 (Unspecified vulnerability in HP System Management Homepage (SMH) befor ...) NOT-FOR-US: HP SMH CVE-2013-2358 (Unspecified vulnerability in HP System Management Homepage (SMH) befor ...) NOT-FOR-US: HP SMH CVE-2013-2357 (Unspecified vulnerability in HP System Management Homepage (SMH) befor ...) NOT-FOR-US: HP SMH CVE-2013-2356 (HP System Management Homepage (SMH) before 7.2.1 allows remote attacke ...) NOT-FOR-US: HP SMH CVE-2013-2355 (HP System Management Homepage (SMH) before 7.2.1 allows remote attacke ...) NOT-FOR-US: HP SMH CVE-2013-2354 REJECTED CVE-2013-2353 (Unspecified vulnerability in HP StoreOnce D2D Backup System 1.x before ...) NOT-FOR-US: HP CVE-2013-2352 (LeftHand OS (aka SAN iQ) 10.5 and earlier on HP StoreVirtual Storage d ...) NOT-FOR-US: HP CVE-2013-2351 (Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.00, 9. ...) NOT-FOR-US: HP Network Node Manager CVE-2013-2350 (Unspecified vulnerability in HP Storage Data Protector 6.2X allows rem ...) NOT-FOR-US: Data Protector CVE-2013-2349 (Unspecified vulnerability in HP Storage Data Protector 6.2X allows rem ...) NOT-FOR-US: Data Protector CVE-2013-2348 (Unspecified vulnerability in HP Storage Data Protector 6.2X allows rem ...) NOT-FOR-US: Data Protector CVE-2013-2347 (The Backup Client Service (OmniInet.exe) in HP Storage Data Protector ...) NOT-FOR-US: Data Protector CVE-2013-2346 (Unspecified vulnerability in HP Storage Data Protector 6.2X allows rem ...) NOT-FOR-US: Data Protector CVE-2013-2345 (Unspecified vulnerability in HP Storage Data Protector 6.2X allows rem ...) NOT-FOR-US: Data Protector CVE-2013-2344 (Unspecified vulnerability in HP Storage Data Protector 6.2X allows rem ...) NOT-FOR-US: Data Protector CVE-2013-2343 (Unspecified vulnerability on the HP LeftHand Virtual SAN Appliance hyd ...) NOT-FOR-US: HP CVE-2013-2342 (The HP StoreOnce D2D backup system with software before 3.0.0 has a de ...) NOT-FOR-US: HP StoreOnce D2D backup system CVE-2013-2341 (Unspecified vulnerability on the HP ProCurve JC###A, JC###B, JD###A, J ...) NOT-FOR-US: HP CVE-2013-2340 (Unspecified vulnerability on the HP ProCurve JC###A, JC###B, JD###A, J ...) NOT-FOR-US: HP CVE-2013-2339 (HP Smart Zero Core 4.3 and 4.3.1 on the t410 All-in-One Smart Zero Cli ...) NOT-FOR-US: HP Smart Zero Client CVE-2013-2338 (Unspecified vulnerability on HP Integrated Lights-Out 3 (aka iLO3) car ...) NOT-FOR-US: HP Integrated Lights-Out CVE-2013-2337 (Cross-site scripting (XSS) vulnerability in HP Service Manager 7.11, 9 ...) NOT-FOR-US: HP Service Manager CVE-2013-2336 (HP Service Manager 7.11, 9.21, 9.30, and 9.31, and ServiceCenter 6.2.8 ...) NOT-FOR-US: HP Service Manager CVE-2013-2335 (Unspecified vulnerability in HP Storage Data Protector 6.20, 6.21, 7.0 ...) NOT-FOR-US: HP Storage Data Protector CVE-2013-2334 (Unspecified vulnerability in HP Storage Data Protector 6.20, 6.21, 7.0 ...) NOT-FOR-US: HP Storage Data Protector CVE-2013-2333 (Unspecified vulnerability in HP Storage Data Protector 6.20, 6.21, 7.0 ...) NOT-FOR-US: HP Storage Data Protector CVE-2013-2332 (Unspecified vulnerability in HP Storage Data Protector 6.20, 6.21, 7.0 ...) NOT-FOR-US: HP Storage Data Protector CVE-2013-2331 (Unspecified vulnerability in HP Storage Data Protector 6.20, 6.21, 7.0 ...) NOT-FOR-US: HP Storage Data Protector CVE-2013-2330 (Unspecified vulnerability in HP Storage Data Protector 6.20, 6.21, 7.0 ...) NOT-FOR-US: HP Storage Data Protector CVE-2013-2329 (Unspecified vulnerability in HP Storage Data Protector 6.20, 6.21, 7.0 ...) NOT-FOR-US: HP Storage Data Protector CVE-2013-2328 (Unspecified vulnerability in HP Storage Data Protector 6.20, 6.21, 7.0 ...) NOT-FOR-US: HP Storage Data Protector CVE-2013-2327 (Unspecified vulnerability in HP Storage Data Protector 6.20, 6.21, 7.0 ...) NOT-FOR-US: HP Storage Data Protector CVE-2013-2326 (Unspecified vulnerability in HP Storage Data Protector 6.20, 6.21, 7.0 ...) NOT-FOR-US: HP Storage Data Protector CVE-2013-2325 (Unspecified vulnerability in HP Storage Data Protector 6.20, 6.21, 7.0 ...) NOT-FOR-US: HP Storage Data Protector CVE-2013-2324 (Unspecified vulnerability in HP Storage Data Protector 6.20, 6.21, 7.0 ...) NOT-FOR-US: HP Storage Data Protector CVE-2013-2323 (HP SQL/MX 3.0 through 3.2 on NonStop servers, when SQL/MP Objects are ...) NOT-FOR-US: HP CVE-2013-2322 (HP SQL/MX 3.2 and earlier on NonStop servers, when SQL/MP Objects are ...) NOT-FOR-US: HP CVE-2013-2321 (Cross-site scripting (XSS) vulnerability in HP Service Manager Web Tie ...) NOT-FOR-US: HP Service Manager CVE-2013-2320 RESERVED CVE-2013-2319 (FileMaker Pro before 12 and Pro Advanced before 12 does not verify X.5 ...) NOT-FOR-US: FileMaker Pro CVE-2013-2318 (The Content Provider in the MovatwiTouch application before 1.793 and ...) NOT-FOR-US: MovatwiTouch CVE-2013-2317 (The Sleipnir Mobile application 2.9.1 and earlier and Sleipnir Mobile ...) NOT-FOR-US: Sleipnir Mobile CVE-2013-2316 (The Yahoo! Browser application 1.4.4 and earlier for Android allows re ...) NOT-FOR-US: Yahoo! Browser application for Android CVE-2013-2315 (data/class/pages/forgot/LC_Page_Forgot.php in LOCKON EC-CUBE 2.11.0 th ...) NOT-FOR-US: LOCKON EC-CUBE CVE-2013-2314 (Cross-site scripting (XSS) vulnerability in the adminAuthorization fun ...) NOT-FOR-US: LOCKON EC-CUBE CVE-2013-2313 (Session fixation vulnerability in LOCKON EC-CUBE 2.11.0 through 2.12.3 ...) NOT-FOR-US: LOCKON EC-CUBE CVE-2013-2312 (Cross-site scripting (XSS) vulnerability in the shopping-cart screen i ...) NOT-FOR-US: LOCKON EC-CUBE CVE-2013-2311 (Cross-site scripting (XSS) vulnerability in static/js/share.js (aka th ...) - web2py (Vulnerable code not present) CVE-2013-2310 (SoftBank Wi-Fi Spot Configuration Software, as used on SoftBank SHARP ...) NOT-FOR-US: SoftBank Wi-Fi Spot Configuration Software CVE-2013-2309 (Cross-site scripting (XSS) vulnerability in the management screen in O ...) NOT-FOR-US: OpenPNE CVE-2013-2308 (The (1) OWA Helper and (2) OSG Lite programs in SoftBank Online Servic ...) NOT-FOR-US: SoftBank Online Service Gate CVE-2013-2307 (The Yahoo! Browser application before 1.4.3 for Android allows remote ...) NOT-FOR-US: Yahoo! Browser application for Android CVE-2013-2306 (The jigbrowser+ application before 1.6.4 for Android does not properly ...) NOT-FOR-US: jigbrowser+ application for Android CVE-2013-2305 (Cross-site request forgery (CSRF) vulnerability in Cybozu Office befor ...) NOT-FOR-US: Cybozu CVE-2013-2304 (The Sleipnir Mobile application 2.8.0 and earlier and Sleipnir Mobile ...) NOT-FOR-US: Sleipnir CVE-2013-2303 (Sleipnir 4.0.0.4000 and earlier on Windows allows remote attackers to ...) NOT-FOR-US: Sleipnir CVE-2013-2302 (TransWARE Active! mail 6, when an external public interface is used, a ...) NOT-FOR-US: TransWARE Active! mail CVE-2013-2301 (The OMRON OpenWnn application before 1.3.6 for Android uses weak permi ...) NOT-FOR-US: OpenWnn application CVE-2013-2300 (The FlickWnn (aka OpenWnn/Flick support) application 2.02 and earlier ...) NOT-FOR-US: FlickWnn Android App CVE-2013-2299 (Cross-site scripting (XSS) vulnerability in Advantech WebAccess (forme ...) NOT-FOR-US: Advantech WebAccess CVE-2013-2298 (Multiple stack-based buffer overflows in the XML parser in BOINC 7.x a ...) - boinc 7.0.65+dfsg-1 (low) [wheezy] - boinc (Minor issue, only exploitable by a rogue BOINC server) [squeeze] - boinc (Minor issue, only exploitable by a rogue BOINC server) NOTE: http://boinc.berkeley.edu/gitweb/?p=boinc-v2.git;a=commitdiff;h=2fea03824925cbcb976f4191f4d8321e41a4d95b CVE-2013-2297 (Eucalyptus EuStore sets a blank root password in the default configura ...) - eucalyptus CVE-2013-2296 (Walrus in Eucalyptus before 3.2.2 does not verify authorization for th ...) - eucalyptus (bug #707592) NOTE: commit: https://github.com/eucalyptus/eucalyptus/commit/da7bb8b7c15d453e62df38eff5c12d0998e6eab1 NOTE: https://eucalyptus.atlassian.net/browse/EUCA-3074 CVE-2013-2295 RESERVED CVE-2013-2294 (Multiple cross-site scripting (XSS) vulnerabilities in ViewGit before ...) NOT-FOR-US: ViewGit CVE-2013-2293 (The CTransaction::FetchInputs method in bitcoind and Bitcoin-Qt before ...) - bitcoin 0.8.1-2 (bug #705265) CVE-2013-2292 (bitcoind and Bitcoin-Qt 0.8.0 and earlier allow remote attackers to ca ...) - bitcoin 0.8.1-1 CVE-2013-2291 RESERVED CVE-2013-2290 (Cross-site scripting (XSS) vulnerability in the dashboard of the Aruba ...) NOT-FOR-US: Aruba Networks ArubaOS CVE-2013-2289 (Cross-site scripting (XSS) vulnerability in admin/templates/default.ph ...) NOT-FOR-US: Batavi CVE-2013-2288 RESERVED CVE-2013-2287 (Multiple cross-site scripting (XSS) vulnerabilities in views/notify.ph ...) NOT-FOR-US: WordPress plugin Uploader CVE-2013-2286 RESERVED CVE-2013-2285 RESERVED CVE-2013-2284 RESERVED CVE-2013-2283 RESERVED CVE-2013-2282 RESERVED CVE-2013-2281 RESERVED CVE-2013-2280 RESERVED CVE-2013-2279 (CA SiteMinder Federation (FSS) 12.5, 12.0, and r6; Federation (Standal ...) NOT-FOR-US: CA SiteMinder CVE-2013-2278 (Unspecified vulnerability in War FTP Daemon (warftpd) 1.82, when runni ...) NOT-FOR-US: War FTP Daemon CVE-2013-2277 (The ff_h264_decode_seq_parameter_set function in h264_ps.c in libavcod ...) - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:0.8.6-1 (bug #703200) CVE-2013-2276 (The avcodec_decode_audio4 function in utils.c in libavcodec in FFmpeg ...) - ffmpeg (Doesn't affect libav, specific to current ffmpeg) - libav (Doesn't affect libav, specific to current ffmpeg) CVE-2013-2275 (The default configuration for puppet masters 0.25.0 and later in Puppe ...) {DSA-2643-1} - puppet 2.7.18-3 CVE-2013-2274 (Puppet 2.6.x before 2.6.18 and Puppet Enterprise 1.2.x before 1.2.7 al ...) {DSA-2643-1} - puppet 2.7-1 NOTE: Only affects puppet 2.6.x CVE-2013-2273 (bitcoind and Bitcoin-Qt before 0.4.9rc1, 0.5.x before 0.5.8rc1, 0.6.0 ...) - bitcoin 0.8.1-1 CVE-2013-2272 (The penny-flooding protection mechanism in the CTxMemPool::accept meth ...) - bitcoin 0.8.1-2 (bug #705266) CVE-2013-2271 (The D-Link DSL-2740B Gateway with firmware EU_1.0, when an active admi ...) NOT-FOR-US: D-Link DSL-2740B Gateway CVE-2013-2270 (Cross-site scripting (XSS) vulnerability in the administration page in ...) NOT-FOR-US: Airvana CVE-2013-2269 (The Sponsorship Confirmation functionality in Aruba Networks ClearPass ...) NOT-FOR-US: Aruba Networks ClearPass CVE-2013-2268 (Unspecified vulnerability in the MathML implementation in WebKit in Go ...) - chromium-browser 25.0.1364.97-1 [squeeze] - chromium-browser (Vulnerable code not present) NOTE: MathML added in chromium 24.x, disabled again in 25.x CVE-2012-6534 (Novell Sentinel Log Manager before 1.2.0.3 allows remote attackers to ...) NOT-FOR-US: Novell Sentinel Log Manager CVE-2013-2267 (PHP Code Injection vulnerability in FUDforum Bulletin Board Software 3 ...) NOT-FOR-US: FUDforum CVE-2013-2266 (libdns in ISC BIND 9.7.x and 9.8.x before 9.8.4-P2, 9.8.5 before 9.8.5 ...) {DSA-2656-1} - bind9 1:9.8.4.dfsg.P1-6+nmu1 (bug #704174) CVE-2013-2265 RESERVED CVE-2013-2264 (The SIP channel driver in Asterisk Open Source 1.8.x before 1.8.20.2, ...) - asterisk 1:1.8.13.1~dfsg-2 (low; bug #704114) [squeeze] - asterisk (Minor information leak) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-21013 CVE-2013-2263 (Unspecified vulnerability in Citrix Access Gateway Standard Edition 5. ...) NOT-FOR-US: Citrix Access Gateway CVE-2013-2262 (Cryptocat strophe.js before 2.0.22 has information disclosure ...) NOT-FOR-US: Cryptocat CVE-2013-2261 (Cryptocat before 2.0.22 Chrome Extension 'img/keygen.gif' has Informat ...) NOT-FOR-US: Cryptocat CVE-2013-2260 (Cryptocat before 2.0.22: Cryptocat.random() Function Array Key has Ent ...) NOT-FOR-US: Cryptocat CVE-2013-2259 (Cryptocat before 2.0.22 has Arbitrary Code Execution on Firefox Conver ...) NOT-FOR-US: Cryptocat CVE-2013-2258 (Cryptocat before 2.0.22 has Nickname User Impersonation ...) NOT-FOR-US: Cryptocat CVE-2013-2257 (Cryptocat before 2.0.42 has Group Chat ECC Private Key Generation Brut ...) NOT-FOR-US: Cryptocat CVE-2013-2256 (OpenStack Compute (Nova) before 2013.1.3 and Havana before havana-2 do ...) - nova 2013.1.2-3 (bug #718905) [wheezy] - nova (Affected code not present) CVE-2013-2255 (HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, ...) - keystone 2014.1-1 [wheezy] - keystone (Minor issue) - swift (See https://bugs.launchpad.net/keystone/+bug/1188189/comments/5) NOTE: Fixes for keystone: https://review.openstack.org/#/c/76476/ CVE-2013-2254 (The deepGetOrCreateNode function in impl/operations/AbstractCreateOper ...) NOT-FOR-US: Apache Sling CVE-2013-2253 RESERVED CVE-2013-2252 RESERVED CVE-2013-2251 (Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute ...) - libstruts1.2-java (Only affect 2.x) CVE-2013-2250 (Apache Open For Business Project (aka OFBiz) 10.04.01 through 10.04.05 ...) NOT-FOR-US: Apache OFBiz CVE-2013-2249 (mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Ser ...) - apache2 2.4.6-1 [wheezy] - apache2 (mod_session_dbd available apache 2.3 and later only) [squeeze] - apache2 (mod_session_dbd available apache 2.3 and later only) CVE-2013-2248 (Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through ...) - libstruts1.2-java (Only affect 2.x) CVE-2013-2247 (The Fast Permissions Administration module 6.x-2.x before 6.x-2.5 and ...) NOT-FOR-US: Fast Permissions Administration Drupal contributed module CVE-2013-2246 (mod/feedback/lib.php in Moodle through 2.1.10, 2.2.x before 2.2.11, 2. ...) - moodle 2.5.1-1 (low) [squeeze] - moodle (Minor issue) NOTE: https://moodle.org/mod/forum/discuss.php?d=232503 CVE-2013-2245 (rss/file.php in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x befo ...) - moodle 2.5.1-1 (low) [squeeze] - moodle (Minor issue) NOTE: https://moodle.org/mod/forum/discuss.php?d=232502 CVE-2013-2244 (Multiple cross-site scripting (XSS) vulnerabilities in lib/conditionli ...) - moodle (Only affects 2.4.x and 2.5.x) NOTE: https://moodle.org/mod/forum/discuss.php?d=232501 CVE-2013-2243 (mod/lesson/pagetypes/matching.php in Moodle through 2.2.11, 2.3.x befo ...) - moodle 2.5.1-1 (low) [squeeze] - moodle (Minor issue) NOTE: https://moodle.org/mod/forum/discuss.php?d=232500 CVE-2013-2242 (mod/chat/gui_sockets/index.php in Moodle through 2.1.10, 2.2.x before ...) - moodle 2.5.1-1 (low) [squeeze] - moodle (Minor issue) NOTE: https://moodle.org/mod/forum/discuss.php?d=232498 CVE-2013-2241 (modules/gallery/helpers/data_rest.php in Gallery 3 before 3.0.9 allows ...) - gallery3 (bug #511715) CVE-2013-2240 (lib/flowplayer.swf.php in Gallery 3 before 3.0.9 does not properly rem ...) - gallery3 (bug #511715) CVE-2013-2239 (vzkernel before 042stab080.2 in the OpenVZ modification for the Linux ...) {DSA-2766-1} - linux-2.6 (low) - linux (openvz flavour no longer included after Squeeze) CVE-2013-2238 (Multiple buffer overflows in the switch_perform_substitution function ...) - freeswitch (bug #389591) CVE-2013-2237 (The key_notify_policy_flush function in net/key/af_key.c in the Linux ...) {DSA-2766-1 DSA-2745-1} - linux-2.6 (low) - linux 3.9.4-1 (low) NOTE: https://github.com/torvalds/linux/commit/85dfb745ee40232876663ae206cba35f24ab2a40 CVE-2013-2236 (Stack-based buffer overflow in the new_msg_lsa_change_notify function ...) {DSA-2803-1} - quagga 0.99.22.4-1 (bug #726724) NOTE: http://lists.quagga.net/pipermail/quagga-dev/2013-July/010621.html CVE-2013-2235 RESERVED CVE-2013-2234 (The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions ...) {DSA-2766-1 DSA-2745-1} - linux-2.6 - linux 3.10.1-1 CVE-2013-2233 (Ansible before 1.2.1 makes it easier for remote attackers to conduct m ...) - ansible 1.3.4+dfsg-1 (bug #714822) NOTE: https://github.com/ansible/ansible/issues/857 CVE-2013-2232 (The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux ke ...) {DSA-2766-1 DSA-2745-1} - linux-2.6 - linux 3.10.1-1 CVE-2013-2231 (Unquoted Windows search path vulnerability in the QEMU Guest Agent ser ...) - qemu (Only affects win32 build) CVE-2013-2230 (The qemu driver (qemu/qemu_driver.c) in libvirt before 1.1.1 allows re ...) - libvirt 1.1.0-3 (bug #715559) [jessie] - libvirt (Vulnerable code introduced in with commit abf75aea) [wheezy] - libvirt (Vulnerable code introduced in with commit abf75aea) [squeeze] - libvirt (Vulnerable code introduced in with commit abf75aea) CVE-2013-2229 REJECTED CVE-2013-2228 (SaltStack RSA Key Generation allows remote users to decrypt communicat ...) - salt 0.15.1-1 NOTE: https://github.com/saltstack/salt/commit/e8ce66cf688b43aeb3e716e78b1af3a08e9940e3 CVE-2013-2227 (GLPI 0.83.7 has Local File Inclusion in common.tabs.php. ...) - glpi 0.83.91-1 (bug #714720; unimportant) NOTE: Only supported behind an authenticated HTTP zone CVE-2013-2226 (Multiple SQL injection vulnerabilities in GLPI before 0.83.9 allow rem ...) - glpi 0.83.91-1 (bug #714720; unimportant) NOTE: Only supported behind an authenticated HTTP zone CVE-2013-2225 (inc/ticket.class.php in GLPI 0.83.9 and earlier allows remote attacker ...) - glpi 0.83.91-1 (bug #714720; unimportant) NOTE: Only supported behind an authenticated HTTP zone CVE-2013-2224 (A certain Red Hat patch for the Linux kernel 2.6.32 on Red Hat Enterpr ...) - linux-2.6 (Caused by RHEL backport) - linux (Caused by RHEL backport) CVE-2013-2223 (GNU ZRTPCPP before 3.2.0 allows remote attackers to obtain sensitive i ...) - libzrtpcpp 2.3.4-1 (bug #714650) [squeeze] - libzrtpcpp (Minor issue) [wheezy] - libzrtpcpp (Minor issue) CVE-2013-2222 (Multiple stack-based buffer overflows in GNU ZRTPCPP before 3.2.0 allo ...) - libzrtpcpp 2.3.4-1 (bug #714650) [squeeze] - libzrtpcpp (Minor issue) [wheezy] - libzrtpcpp (Minor issue) CVE-2013-2221 (Heap-based buffer overflow in the ZRtp::storeMsgTemp function in GNU Z ...) - libzrtpcpp 2.3.4-1 (bug #714650) [squeeze] - libzrtpcpp (Minor issue) [wheezy] - libzrtpcpp (Minor issue) CVE-2013-2220 (Buffer overflow in the radius_get_vendor_attr function in the Radius e ...) {DSA-2726-1} - php-radius 1.2.5-2.4 (bug #714362) NOTE: http://www.openwall.com/lists/oss-security/2013/06/28/2 CVE-2013-2219 (The Red Hat Directory Server before 8.2.11-13 and 389 Directory Server ...) - 389-ds-base 1.3.2.9-1 (bug #718325) CVE-2013-2218 (Double free vulnerability in the virConnectListAllInterfaces method in ...) - libvirt 1.1.0-1 (bug #714699) [jessie] - libvirt (Vulnerable code introduced in 1.0.6) [wheezy] - libvirt (Vulnerable code introduced in 1.0.6) [squeeze] - libvirt (Vulnerable code introduced in 1.0.6) NOTE: http://libvirt.org/git/?p=libvirt.git;a=commit;h=244e0b8cf15ca2ef48d82058e728656e6c4bad11 NOTE: Vulnerable code introduced in http://libvirt.org/git/?p=libvirt.git;a=commit;h=7ac2c4fe624f30f2c8270116513fa2ddab07631f CVE-2013-2217 (cache.py in Suds 0.4, when tempdir is set to None, allows local users ...) - suds 0.4.1-8 (low; bug #714340) [squeeze] - suds 0.3.9-1+deb6u1 [wheezy] - suds 0.4.1-5+deb7u1 CVE-2013-2216 RESERVED CVE-2013-2215 REJECTED CVE-2013-2214 (status.cgi in Nagios 4.0 before 4.0 beta4 and 3.x before 3.5.1 does no ...) - nagios3 3.4.1-4 (low) [wheezy] - nagios3 3.4.1-3+deb7u1 [squeeze] - nagios3 (disputed, minor issue) NOTE: Disputed issue; claimed work as designed, may be rejected CVE-2013-2213 (The KRandom::random function in KDE Paste Applet after 4.10.5 in kdepl ...) - kdeplasma-addons (only affects if incomplete patch for CVE-2013-2120 is applied) CVE-2013-2212 (The vmx_set_uc_mode function in Xen 3.3 through 4.3, when disabling ca ...) - xen 4.3.0-1 (unimportant) NOTE: Hardware design flaw, no software solution NOTE: http://xenbits.xen.org/xsa/advisory-60.html CVE-2013-2211 (The libxenlight (libxl) toolstack library in Xen 4.0.x, 4.1.x, and 4.2 ...) {DSA-3006-1} - xen 4.3.0-1 [squeeze] - xen (libxl not packaged in squeeze) CVE-2013-2210 (Heap-based buffer overflow in the XML Signature Reference functionalit ...) {DSA-2717-1} - xml-security-c 1.6.1-7 (bug #714241) NOTE: http://santuario.apache.org/secadv.data/CVE-2013-2210.txt CVE-2013-2209 (Cross-site scripting (XSS) vulnerability in the auto-complete widget i ...) NOT-FOR-US: Reviewboard (this was once in experimental, but removed later on) CVE-2013-2208 (tpp 1.3.1 allows remote attackers to execute arbitrary commands via a ...) - tpp 1.3.1-3 (low; bug #706644) [squeeze] - tpp (Minor issue) [wheezy] - tpp (Minor issue) CVE-2016-2856 (pt_chown in the glibc package before 2.19-18+deb8u4 on Debian jessie; ...) - eglibc [squeeze] - eglibc (Minor issue) [wheezy] - eglibc (Minor issue) - glibc 2.21-1 (low) [jessie] - glibc 2.19-18+deb8u4 NOTE: http://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?h=jessie&id=09f7764882a81e13e7b5d87d715412283a6ce403 NOTE: http://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?h=jessie&id=11475c083282c1582c4dd72eecfcb2b7d308c958 NOTE: http://www.openwall.com/lists/oss-security/2016/03/07/2 CVE-2013-2207 (pt_chown in GNU C Library (aka glibc or libc6) before 2.18 does not pr ...) - eglibc [squeeze] - eglibc (Minor issue) [wheezy] - eglibc (Minor issue) - glibc 2.21-1 (low; bug #717544) [jessie] - glibc 2.19-18+deb8u4 NOTE: Patch: https://sourceware.org/git/?p=glibc.git;a=commit;h=e4608715e6e1dd2adc91982fd151d5ba4f761d69 CVE-2013-2206 (The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in th ...) {DSA-2766-1} - linux-2.6 - linux 3.9.4-1 [wheezy] - linux 3.2.46-1 CVE-2013-2205 (The default configuration of SWFUpload in WordPress before 3.5.2 has a ...) {DSA-2718-1} - wordpress 3.5.2+dfsg-1 (bug #713947) CVE-2013-2204 (moxieplayer.as in Moxiecode moxieplayer, as used in the TinyMCE Media ...) {DSA-2718-1} - wordpress 3.5.2+dfsg-1 (bug #713947) CVE-2013-2203 (WordPress before 3.5.2, when the uploads directory forbids write acces ...) {DSA-2718-1} - wordpress 3.5.2+dfsg-1 (bug #713947) CVE-2013-2202 (WordPress before 3.5.2 allows remote attackers to read arbitrary files ...) {DSA-2718-1} - wordpress 3.5.2+dfsg-1 (bug #713947) CVE-2013-2201 (Multiple cross-site scripting (XSS) vulnerabilities in WordPress befor ...) {DSA-2718-1} - wordpress 3.5.2+dfsg-1 (bug #713947) CVE-2013-2200 (WordPress before 3.5.2 does not properly check the capabilities of rol ...) {DSA-2718-1} - wordpress 3.5.2+dfsg-1 (bug #713947) CVE-2013-2199 (The HTTP API in WordPress before 3.5.2 allows remote attackers to send ...) {DSA-2718-1} - wordpress 3.5.2+dfsg-1 (bug #713947) CVE-2013-2198 (The Login Security module 6.x-1.x before 6.x-1.3 and 7.x-1.x before 7. ...) NOT-FOR-US: Login Security Drupal contributed module CVE-2013-2197 (The Login Security module 6.x-1.x before 6.x-1.3 and 7.x-1.x before 7. ...) NOT-FOR-US: Login Security Drupal contributed module CVE-2013-2196 (Multiple unspecified vulnerabilities in the Elf parser (libelf) in Xen ...) {DSA-3006-1} - xen 4.3.0-1 [squeeze] - xen (Unsupported in squeeze-lts) CVE-2013-2195 (The Elf parser (libelf) in Xen 4.2.x and earlier allow local guest adm ...) {DSA-3006-1} - xen 4.3.0-1 [squeeze] - xen (Unsupported in squeeze-lts) CVE-2013-2194 (Multiple integer overflows in the Elf parser (libelf) in Xen 4.2.x and ...) {DSA-3006-1} - xen 4.3.0-1 [squeeze] - xen (Unsupported in squeeze-lts) CVE-2013-2193 (Apache HBase 0.92.x before 0.92.3 and 0.94.x before 0.94.9, when the K ...) NOT-FOR-US: Apache HBase NOTE: There was the package in unstable, but never in a release, see #630821 CVE-2013-2192 (The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alph ...) NOT-FOR-US: Apache Hadoop NOTE: There was the package in unstable, but never in a release, see 630820 CVE-2013-2191 (python-bugzilla before 0.9.0 does not validate X.509 certificates, whi ...) NOT-FOR-US: python-bugzilla CVE-2013-2190 (The translate_hierarchy_event function in x11/clutter-device-manager-x ...) - clutter-1.0 1.14.4-3 (low; bug #714264) [squeeze] - clutter-1.0 (Minor issue) [wheezy] - clutter-1.0 (Minor issue) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=701974 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=954054 CVE-2013-2189 (Apache OpenOffice.org (OOo) before 4.0 allows remote attackers to caus ...) - libreoffice 1:3.4.3-1 (unimportant) - openoffice.org 1:3.3.0-1 (unimportant) NOTE: Since 3.3.0 openoffice.org is a transitional source package NOTE: Plain crasher, not treated as security issue CVE-2013-2188 (A certain Red Hat patch to the do_filp_open function in fs/namei.c in ...) - linux-2.6 (RHEL-specific issue) - linux (RHEL-specific issue) CVE-2013-2187 (Cross-site scripting (XSS) vulnerability in Apache Archiva 1.2 through ...) NOT-FOR-US: Apache Archiva CVE-2013-2186 (The DiskFileItem class in Apache Commons FileUpload, as used in Red Ha ...) {DSA-2827-1} - libcommons-fileupload-java 1.3-2.1 (bug #726601) - jenkins 1.565.3-1 (bug #763899) CVE-2013-2185 (** DISPUTED ** The readObject method in the DiskFileItem class in Apac ...) NOT-FOR-US: Red Hat JBoss Enterprise Application Platform NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=974813 NOTE: http://www.openwall.com/lists/oss-security/2013/09/05/4 CVE-2013-2184 (Movable Type before 5.2.6 does not properly use the Storable::thaw fun ...) {DSA-3183-1} - movabletype-opensource 5.2.7+dfsg-1 (bug #712602) [squeeze] - movabletype-opensource (Minor issue) NOTE: http://seclists.org/oss-sec/2013/q2/568 NOTE: http://www.movabletype.org/documentation/appendices/release-notes/movable-type-526-release-notes.html CVE-2013-2183 (Monkey HTTP Daemon has local security bypass ...) - monkey (low) [squeeze] - monkey (Minor issue) CVE-2013-2182 (The Mandril security plugin in Monkey HTTP Daemon (monkeyd) before 1.5 ...) - monkey (low) [squeeze] - monkey (Minor issue) CVE-2013-2181 (Cross-site scripting (XSS) vulnerability in the Directory Listing plug ...) - monkey (low) [squeeze] - monkey (Minor issue) CVE-2013-2180 RESERVED NOT-FOR-US: uk-cookie Wordpress plugin CVE-2013-2179 (X.Org xdm 1.1.10, 1.1.11, and possibly other versions, when performing ...) - xdm (Not affected when PAM is used) [squeeze] - xdm (same as above and glibc too old) [wheezy] - xdm (same as above and glibc too old) NOTE: http://www.openwall.com/lists/oss-security/2013/06/11/5 CVE-2013-2178 (The apache-auth.conf, apache-nohome.conf, apache-noscript.conf, and ap ...) {DSA-2708-1} - fail2ban 0.8.10-1 CVE-2013-2177 (Cross-site scripting (XSS) vulnerability in the Display Suite module 7 ...) NOT-FOR-US: third party drupal module (Display Suite) CVE-2013-2176 (Unquoted Windows search path vulnerability in the Red Hat Enterprise V ...) NOT-FOR-US: Red Hat Enterprise Virtualization Apt service CVE-2013-2175 (HAProxy 1.4 before 1.4.24 and 1.5 before 1.5-dev19, when configured to ...) {DSA-2711-1} - haproxy 1.4.24-1 CVE-2013-2174 (Heap-based buffer overflow in the curl_easy_unescape function in lib/e ...) {DSA-2713-1} - curl 7.31.0-1 CVE-2013-2173 (wp-includes/class-phpass.php in WordPress 3.5.1, when a password-prote ...) {DSA-2718-1} - wordpress 3.5.2+dfsg-1 (bug #713947) CVE-2013-2172 (jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache San ...) {DSA-3065-1 DLA-85-1} - libxml-security-java 1.5.5-2 (bug #720375) NOTE: http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc CVE-2013-2171 (The vm_map_lookup function in sys/vm/vm_map.c in the mmap implementati ...) {DSA-2714-1} - kfreebsd-9 9.0-12 (bug #712664) - kfreebsd-8 (Only affects 9.x) CVE-2013-2170 REJECTED CVE-2013-2169 REJECTED CVE-2013-2168 (The _dbus_printf_string_upper_bound function in dbus/dbus-sysdeps-unix ...) {DSA-2707-1} - dbus 1.6.12-1 [squeeze] - dbus (Introduced in 1.4.16) CVE-2013-2167 (python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache s ...) - python-keystoneclient 1:0.2.5-2 (bug #713819) [wheezy] - python-keystoneclient (Vulnerable code not present) CVE-2013-2166 (python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache e ...) - python-keystoneclient 1:0.2.5-2 (bug #713819) [wheezy] - python-keystoneclient (Vulnerable code not present) CVE-2013-2165 (ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementati ...) - jbossas4 (Only builds a few libraries, not the full application server, #581226) CVE-2013-2164 (The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the ...) {DSA-2766-1 DSA-2745-1} - linux-2.6 (low) - linux 3.9.8-1 (low) CVE-2013-2163 (Monkey HTTP Daemon (monkeyd) before 1.2.2 allows remote attackers to c ...) - monkey (low) [squeeze] - monkey (Minor issue) CVE-2013-2162 (Race condition in the post-installation script (mysql-server-5.5.posti ...) {DSA-2818-1 DLA-75-1} - mysql-5.5 5.5.35+dfsg-1 (low; bug #711600) - mysql-5.1 (low) [squeeze] - mysql-5.1 (Minor issue, can be included in a future DSA) CVE-2013-2161 (XML injection vulnerability in account/utils.py in OpenStack Swift Fol ...) {DSA-2737-1} - swift 1.8.0-6 (low; bug #712202) [wheezy] - swift 1.4.8-2+deb7u1 CVE-2013-2160 (The streaming XML parser in Apache CXF 2.5.x before 2.5.10, 2.6.x befo ...) NOT-FOR-US: Apache CXF CVE-2013-2159 (Monkey HTTP Daemon: broken user name authentication ...) - monkey [squeeze] - monkey (Minor issue) CVE-2013-2158 (Cross-site request forgery (CSRF) vulnerability in the Services module ...) NOT-FOR-US: Services Drupal contributed modules CVE-2013-2157 (OpenStack Keystone Folsom, Grizzly before 2013.1.3, and Havana, when u ...) - keystone 2013.1.2-1 (bug #712160) [wheezy] - keystone (Vulnerable code not present) CVE-2013-2156 (Heap-based buffer overflow in the Exclusive Canonicalization functiona ...) {DSA-2710-1} - xml-security-c 1.6.1-6 CVE-2013-2155 (Apache Santuario XML Security for C++ (aka xml-security-c) before 1.7. ...) {DSA-2710-1} - xml-security-c 1.6.1-6 CVE-2013-2154 (Stack-based buffer overflow in the XML Signature Reference functionali ...) {DSA-2710-1} - xml-security-c 1.6.1-6 CVE-2013-2153 (The XML digital signature functionality (xsec/dsig/DSIGReference.cpp) ...) {DSA-2710-1} - xml-security-c 1.6.1-6 CVE-2013-2152 (Unquoted Windows search path vulnerability in the SPICE service, as us ...) NOT-FOR-US: Spice service for Windows CVE-2013-2151 (Unquoted Windows search path vulnerability in Red Hat Enterprise Virtu ...) NOT-FOR-US: RHEV Agent for Windows CVE-2013-2150 (Multiple cross-site scripting (XSS) vulnerabilities in js/viewer.js in ...) - owncloud (affects only experimental version) CVE-2013-2149 (Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before ...) - owncloud 4.0.16debian-1 (bug #711517) CVE-2013-2148 (The fill_event_metadata function in fs/notify/fanotify/fanotify_user.c ...) {DSA-2745-1} - linux-2.6 (low) [squeeze] - linux-2.6 (fanotify introduced in 2.6.36) - linux 3.9.8-1 (low) CVE-2013-2147 (The HP Smart Array controller disk-array driver and Compaq SMART2 cont ...) {DSA-2906-1} - linux-2.6 (low) - linux 3.11.5-1 (low) [wheezy] - linux 3.2.53-1 CVE-2013-2146 (arch/x86/kernel/cpu/perf_event_intel.c in the Linux kernel before 3.8. ...) - linux-2.6 (Introduced in 3.1) - linux 3.9.4-1 [wheezy] - linux 3.2.46-1 CVE-2013-2145 (The cpansign verify functionality in the Module::Signature module befo ...) - libmodule-signature-perl 0.73-1 (bug #711239) [wheezy] - libmodule-signature-perl 0.68-1+deb7u1 [squeeze] - libmodule-signature-perl 0.63-1+squeeze1 CVE-2013-2144 (Red Hat Enterprise Virtualization Manager (RHEVM) before 3.2 does not ...) NOT-FOR-US: RHEV Manager CVE-2013-2143 (The users controller in Katello 1.5.0-14 and earlier, and Red Hat Sate ...) NOT-FOR-US: Katello CVE-2013-2142 (userpref.c in libimobiledevice 1.1.4, when $HOME and $XDG_CONFIG_HOME ...) - libimobiledevice 1.1.5-0.1 (low; bug #710885) [squeeze] - libimobiledevice (Vulnerable code was introduced later) [wheezy] - libimobiledevice (Vulnerable code was introduced later) CVE-2013-2141 (The do_tkill function in kernel/signal.c in the Linux kernel before 3. ...) {DSA-2766-1 DSA-2669-1} - linux-2.6 - linux 3.9.4-1 CVE-2013-2140 (The dispatch_discard_io function in drivers/block/xen-blkback/blkback. ...) - linux-2.6 (Vulnerable code not present) - linux 3.10.1-1 [wheezy] - linux (Vulnerable code not present) CVE-2013-2139 (Buffer overflow in srtp.c in libsrtp in srtp 1.4.5 and earlier allows ...) {DSA-2840-1} - srtp 1.4.5~20130609~dfsg-1 (bug #711163) CVE-2013-2138 (The (1) uploadify and (2) flowplayer SWF files in Gallery 3 before 3.0 ...) - gallery (Old 1.5 version not affected) CVE-2013-2137 (Cross-site scripting (XSS) vulnerability in the "View Log" screen in t ...) NOT-FOR-US: Apache OFBiz CVE-2013-2136 (Multiple cross-site scripting (XSS) vulnerabilities in Apache CloudSta ...) NOT-FOR-US: Apache CloudStack CVE-2013-2135 (Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arb ...) - libstruts1.2-java (Only affects 2.x) NOTE: http://struts.apache.org/release/2.3.x/docs/s2-015.html CVE-2013-2134 (Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arb ...) - libstruts1.2-java (Only affects 2.x) NOTE: http://struts.apache.org/release/2.3.x/docs/s2-015.html CVE-2013-2133 (The EJB invocation handler implementation in Red Hat JBossWS, as used ...) NOT-FOR-US: JBoss WS CVE-2013-2132 (bson/_cbsonmodule.c in the mongo-python-driver (aka. pymongo) before 2 ...) {DSA-2705-1} - pymongo 2.5.2-1 (bug #710597) [squeeze] - pymongo (bson module not present) NOTE: https://jira.mongodb.org/browse/PYTHON-532 NOTE: https://github.com/mongodb/mongo-python-driver/commit/a060c15ef87e0f0e72974c7c0e57fe811bbd06a2 CVE-2013-2131 (Format string vulnerability in the rrdtool module 1.4.7 for Python, as ...) - rrdtool 1.4.8-1 (unimportant; bug #708866) NOTE: Non-issue, calling application need to perform sanitising CVE-2013-2130 (ZNC 1.0 allows remote authenticated users to cause a denial of service ...) - znc 1.0-5 (bug #720632) [squeeze] - znc (Vulnerable code not present) [wheezy] - znc (Vulnerable code not present) CVE-2013-2129 (Cross-site scripting (XSS) vulnerability in the Webform module 6.x-3.x ...) NOT-FOR-US: Webform Drupal contributed module CVE-2013-2128 (The tcp_read_sock function in net/ipv4/tcp.c in the Linux kernel befor ...) - linux-2.6 [squeeze] - linux-2.6 2.6.32-24 - linux 2.6.35-1~experimental.1 NOTE: https://git.kernel.org/linus/baff42ab1494528907bf4d5870359e31711746ae CVE-2013-2127 (Buffer overflow in the exposure correction code in LibRaw before 0.15. ...) - libraw (Only affects 0.15, 0.15 was only in experimental) - libkdcraw (embeds libraw 0.14) - darktable (embeds libraw 0.14) NOTE: http://www.openwall.com/lists/oss-security/2013/05/28/3 NOTE: https://github.com/LibRaw/LibRaw/commit/2f912f5b33582961b1cdbd9fd828589f8b78f21d CVE-2013-2126 (Multiple double free vulnerabilities in the LibRaw::unpack function in ...) - libraw 0.15.3-1 (low; bug #710353) [wheezy] - libraw (Not suitable for code injection, minor issue) [squeeze] - libraw (Vulnerable code not present) - libkdcraw 4:4.8.4-2 (low; bug #711317) [wheezy] - libkdcraw (Not suitable for code injection, minor issue) - darktable 1.2.1-2 (unimportant; bug #711316) NOTE: Not suitable for code injection, no security impact for an enduser application like Darktable - kdegraphics [squeeze] - kdegraphics (embedded version of kdcraw+libraw too old) NOTE: http://www.openwall.com/lists/oss-security/2013/05/28/3 NOTE: https://github.com/LibRaw/LibRaw/commit/19ffddb0fe1a4ffdb459b797ffcf7f490d28b5a6 CVE-2013-2125 (OpenSMTPD before 5.3.2 does not properly handle SSL sessions, which al ...) - opensmtpd 5.3.3p1-1 NOTE: http://www.openwall.com/lists/oss-security/2013/05/18/8 CVE-2013-2124 (Double free vulnerability in inspect-fs.c in LibguestFS 1.20.x before ...) - libguestfs 1:1.20.8-1 (bug #710290) [wheezy] - libguestfs (Vulnerable code not present) NOTE: Introduced with commit https://github.com/libguestfs/libguestfs/commit/5a3da366268825b26b470cde35658b67c1d11cd4 CVE-2013-2123 (The Node access user reference module 6.x-3.x before 6.x-3.5 and 7.x-3 ...) NOT-FOR-US: Node access user reference Drupal contributed module CVE-2013-2122 (The Edit Limit module 7.x-1.x before 7.x-1.3 for Drupal does not prope ...) NOT-FOR-US: Edit Limit Drupal contributed module CVE-2013-2121 (Eval injection vulnerability in the create method in the Bookmarks con ...) - foreman (bug #663101) CVE-2013-2120 (The %{password(...)} macro in pastemacroexpander.cpp in the KDE Paste ...) - kdeplasma-addons 4:5.3.2-2 (low; bug #710497) [jessie] - kdeplasma-addons (Minor issue) [wheezy] - kdeplasma-addons (Minor issue) [squeeze] - kdeplasma-addons (Minor issue) NOTE: Original fix https://projects.kde.org/projects/kde/kdeplasma-addons/repository/revisions/36a1fe49cb70f717c4a6e9eeee2c9186503a8dce not sufficient CVE-2013-2119 (Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby al ...) - ruby-passenger 3.0.13debian-1.1 (low; bug #710351) [wheezy] - ruby-passenger 3.0.13debian-1+deb7u1 CVE-2013-2118 (SPIP 3.0.x before 3.0.9, 2.1.x before 2.1.22, and 2.0.x before 2.0.23 ...) {DSA-2694-1} - spip 2.1.22-1 (bug #709674) CVE-2013-2117 (Directory traversal vulnerability in the cgit_parse_readme function in ...) - cgit (Fixed before the initial upload into the archive) CVE-2013-2116 (The _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in G ...) {DSA-2697-1} - gnutls26 2.12.23-5 (bug #709301) [squeeze] - gnutls26 (vulnerable code not backported) CVE-2013-2115 (Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arb ...) - libstruts1.2-java (Only affects Struts 2) CVE-2013-2114 (Unrestricted file upload vulnerability in the chunk upload API in Medi ...) - mediawiki 1:1.19.7+dfsg-1 [squeeze] - mediawiki (Vulnerable code not present) CVE-2013-2113 (The create method in app/controllers/users_controller.rb in Foreman be ...) - foreman (bug #663101) CVE-2013-2112 (The svnserve server in Subversion before 1.6.23 and 1.7.x before 1.7.1 ...) {DSA-2703-1} - subversion 1.7.9-1+nmu2 (bug #711033) NOTE: http://subversion.apache.org/security/CVE-2013-2112-advisory.txt CVE-2013-2111 (The IMAP functionality in Dovecot before 2.2.2 allows remote attackers ...) - dovecot (vulnerable code appeared in 2.2) [squeeze] - dovecot (vulnerable code appeared in 2.2) [wheezy] - dovecot (vulnerable code appeared in 2.2) CVE-2013-2110 (Heap-based buffer overflow in the php_quot_print_encode function in ex ...) - php5 5.5.0~rc3+dfsg-1 [wheezy] - php5 (Vulnerable code not present) [squeeze] - php5 (Vulnerable code not present) NOTE: https://github.com/php/php-src/commit/93e0d78ec655f59ebfa82b2c6f8486c43651c1d0 NOTE: vulnerability introduced with commit http://git.php.net/?p=php-src.git;a=commitdiff;h=18bb426587d62f93c54c40bf8535eb8416603629 CVE-2013-2109 (WordPress plugin wp-cleanfix has Remote Code Execution ...) NOT-FOR-US: WordPress plugin wp-cleanfix CVE-2013-2108 (WordPress WP Cleanfix Plugin 2.4.4 has CSRF ...) NOT-FOR-US: WordPress plugin wp-cleanfix CVE-2013-2107 (Cross-site request forgery (CSRF) vulnerability in the Mail On Update ...) NOT-FOR-US: WordPress plugin mail-on-update CVE-2013-2106 (webauth before 4.6.1 has authentication credential disclosure ...) - webauth (vulnerable code only in 4.4.1 up to 4.5.2) CVE-2013-2105 (The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local ...) NOT-FOR-US: Show In Browser Ruby Gem CVE-2013-2104 (python-keystoneclient before 0.2.4, as used in OpenStack Keystone (Fol ...) - keystone (Vulnerable code only in experimental versions of keystone) [wheezy] - keystone (PKI token support not yet present) - python-keystoneclient 1:0.2.5-1 [wheezy] - python-keystoneclient (vulnerable code not present) NOTE: Keystone Folsom fix: https://review.openstack.org/#/c/30743/ NOTE: python-keystoneclient fix: https://review.openstack.org/#/c/30742/ NOTE: Starting with 2013.1-1 code in keystone/middleware/auth_token.py moved to python-keystoneclient CVE-2013-2103 (OpenShift cartridge allows remote URL retrieval ...) NOT-FOR-US: OpenShift CVE-2013-2102 (The default configuration of Red Hat JBoss Portal before 6.1.0 enables ...) NOT-FOR-US: GateIn Portal CVE-2013-2101 (Katello has multiple XSS issues in various entities ...) NOT-FOR-US: Katello CVE-2013-2100 (The urlopen function in pym/portage/util/_urlopen.py in Gentoo Portage ...) NOT-FOR-US: Gentoo Portage binary package installer CVE-2013-2099 (Algorithmic complexity vulnerability in the ssl.match_hostname functio ...) {DLA-1107-1} - python2.7 2.7.5-5 (low; bug #709066) [wheezy] - python2.7 (Backport was introduced in 2.7.3-11) - linkchecker 8.5-1 (low; bug #709067) [wheezy] - linkchecker (Minor issue) [squeeze] - linkchecker (Minor issue) - python3.2 (low; bug #708530) [wheezy] - python3.2 (Minor issue) - python3.3 3.3.2-3 (low; bug #708530) - python2.6 (Introduced in Python 3.2) - python2.5 (Introduced in Python 3.2) - python3.1 (Introduced in Python 3.2) - bzr 2.6.0~bzr6574-1 (low; bug #709068) [squeeze] - bzr (Minor issue) - python-urllib3 1.6-2 (low; bug #709070) [wheezy] - python-urllib3 (Minor issue) - python-tornado 2.4.1-3 (low; bug #709069) [wheezy] - python-tornado (Minor issue) [squeeze] - python-tornado (Minor issue) - w3af (low; bug #709071) [jessie] - w3af (Minor issue) [wheezy] - w3af (Minor issue) [squeeze] - w3af (Minor issue) - u1db 13.10-1 (low; bug #709486) CVE-2013-2098 REJECTED CVE-2013-2097 (ZPanel through 10.1.0 has Remote Command Execution ...) NOT-FOR-US: zPanel CVE-2013-2096 (OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not verify t ...) - nova 2013.1.2-2 (low; bug #710157) [wheezy] - nova (Minor issue) CVE-2013-2095 (rubygem-openshift-origin-controller: API can be used to create applica ...) NOT-FOR-US: openshift-origin-controller Ruby Gem CVE-2013-2094 (The perf_swevent_init function in kernel/events/core.c in the Linux ke ...) {DSA-2669-1} - linux 3.8.11-1 [squeeze] - linux-2.6 (Vulnerable code not present) CVE-2013-2093 (Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewim ...) - dolibarr 3.3.4-1 (high) CVE-2013-2092 (Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote att ...) - dolibarr 3.3.4-1 CVE-2013-2091 (SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1 allows remote at ...) - dolibarr 3.3.4-1 CVE-2013-2090 (The set_meta_data function in lib/cremefraiche.rb in the Creme Fraiche ...) NOT-FOR-US: Creme Fraiche Ruby Gem CVE-2013-2089 (Incomplete blacklist vulnerability in ownCloud before 5.0.6 allows rem ...) - owncloud (Only affects 5.0.x) CVE-2013-2088 (contrib/hook-scripts/svn-keyword-check.pl in Subversion before 1.6.23 ...) - subversion 1.7.5-1 (unimportant) NOTE: 1.7.5 upstream does not ship anymore the contrib/ directory NOTE: both affected tools not installed into the binary packages CVE-2013-2087 (Multiple cross-site scripting (XSS) vulnerabilities in Gallery 3 befor ...) - gallery (Vulnerable code not present) CVE-2013-2086 (The configuration loader in ownCloud 5.0.x before 5.0.6 allows remote ...) - owncloud (Only owncloud 5.0.x) CVE-2013-2085 (Directory traversal vulnerability in apps/files_trashbin/index.php in ...) - owncloud (Only affects 5.0.x) CVE-2013-2084 RESERVED CVE-2013-2083 (The MoodleQuickForm class in lib/formslib.php in Moodle through 2.1.10 ...) - moodle 2.5-1 (low) [squeeze] - moodle (Minor issue) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38885 CVE-2013-2082 (Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2. ...) - moodle 2.5-1 (low) [squeeze] - moodle (Minor issue) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37245 CVE-2013-2081 (Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2. ...) - moodle 2.5-1 (low) [squeeze] - moodle (Minor issue) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37822 CVE-2013-2080 (The core_grade component in Moodle through 2.2.10, 2.3.x before 2.3.7, ...) - moodle 2.5-1 (low) [squeeze] - moodle (Minor issue) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37475 CVE-2013-2079 (mod/assign/locallib.php in the assignment module in Moodle 2.3.x befor ...) - moodle (Only affects 2.3 and later) NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38443 CVE-2013-2078 (Xen 4.0.2 through 4.0.4, 4.1.x, and 4.2.x allows local PV guest users ...) {DSA-3006-1} - xen 4.2.2-1 [squeeze] - xen (No PVSAVE support in squeeze) NOTE: http://lists.xen.org/archives/html/xen-announce/2013-06/msg00000.html CVE-2013-2077 (Xen 4.0.x, 4.1.x, and 4.2.x does not properly restrict the contents of ...) {DSA-3006-1} - xen 4.2.2-1 [squeeze] - xen (Unsupported in squeeze-lts) NOTE: http://lists.xen.org/archives/html/xen-announce/2013-06/msg00001.html CVE-2013-2076 (Xen 4.0.x, 4.1.x, and 4.2.x, when running on AMD64 processors, only sa ...) {DSA-3006-1} - xen 4.2.2-1 [squeeze] - xen (Unsupported in squeeze-lts) NOTE: http://lists.xen.org/archives/html/xen-announce/2013-06/msg00002.html CVE-2013-2075 (Multiple buffer overflows in the (1) R5RS char-ready, (2) tcp-accept-r ...) - chicken (Incomplete fix was never applied) CVE-2013-2074 (kioslave/http/http.cpp in KIO in kdelibs 4.10.3 and earlier allows att ...) {DLA-952-1} - kde4libs 4:4.10.5-1 (low; bug #707776) [squeeze] - kde4libs (Minor issue) NOTE: https://bugs.kde.org/show_bug.cgi?id=319428 NOTE: https://cgit.kde.org/kdelibs.git/commit/?h=KDE/4.14&id=65d736dab592bced4410ccfa4699de89f78c96ca NOTE: https://cgit.kde.org/kdelibs.git/commit/?h=KDE/4.14&id=898135a59d91184692ed1bcee8bb4c6d80d6f7b9 CVE-2013-2073 (Transifex command-line client before 0.9 does not validate X.509 certi ...) - transifex-client 0.9-1 (low) [wheezy] - transifex-client (Minor issue) NOTE: http://seclists.org/oss-sec/2013/q2/394 CVE-2013-2072 (Buffer overflow in the Python bindings for the xc_vcpu_setaffinity cal ...) {DSA-3041-1} - xen 4.2.2-1 (low) [squeeze] - xen (Minor issue, can be postponed to the next Xen DSA) [wheezy] - xen (Minor issue, can be postponed to the next Xen DSA) CVE-2013-2071 (java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7 ...) {DSA-2897-1} - tomcat7 7.0.40-1 (bug #707704) NOTE: https://issues.apache.org/bugzilla/show_bug.cgi?id=54178 CVE-2013-2070 (http/modules/ngx_http_proxy_module.c in nginx 1.1.4 through 1.2.8 and ...) {DSA-2721-1} - nginx 1.4.1-1 (bug #708164) [squeeze] - nginx (Vulnerable code not present) CVE-2013-2069 (Red Hat livecd-tools before 13.4.4, 17.x before 17.17, 18.x before 18. ...) NOT-FOR-US: Red Hat livecd-tools NOTE: http://www.openwall.com/lists/oss-security/2013/05/23/2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=964299 CVE-2013-2068 (Multiple directory traversal vulnerabilities in the AgentController in ...) NOT-FOR-US: RedHat CloudForms Management Engine CVE-2013-2067 (java/org/apache/catalina/authenticator/FormAuthenticator.java in the f ...) {DSA-2897-1 DSA-2725-1} - tomcat7 7.0.33 - tomcat6 6.0.37 CVE-2013-2066 (Buffer overflow in X.org libXv 1.0.7 and earlier allows X servers to c ...) {DSA-2674-1} - libxv 2:1.0.7-1+deb7u1 CVE-2013-2065 ((1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426, and 2.0 ...) {DLA-235-1} - ruby1.9.1 1.9.3.448-1 (low) [wheezy] - ruby1.9.1 1.9.3.194-8.1+deb7u1 - ruby1.8 (Only affects 1.9 and 2.x) NOTE: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=40732 CVE-2013-2064 (Integer overflow in X.org libxcb 1.9 and earlier allows X servers to t ...) {DSA-2686-1} - libxcb 1.8.1-2+deb7u1 CVE-2013-2063 (Integer overflow in X.org libXtst 1.2.1 and earlier allows X servers t ...) {DSA-2689-1} - libxtst 2:1.2.1-1+deb7u1 CVE-2013-2062 (Multiple integer overflows in X.org libXp 1.0.1 and earlier allow X se ...) {DSA-2685-1} - libxp 1:1.0.1-2+deb7u1 CVE-2013-2061 (The openvpn_decrypt function in crypto.c in OpenVPN 2.3.0 and earlier, ...) - openvpn 2.3.1-1 (low; bug #707329) [squeeze] - openvpn 2.1.3-2+squeeze2 [wheezy] - openvpn 2.2.1-8+deb7u1 NOTE: https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc CVE-2013-2060 (The download_from_url function in OpenShift Origin allows remote attac ...) NOT-FOR-US: OpenShift CVE-2013-2059 (OpenStack Identity (Keystone) Folsom 2012.2.4 and earlier, Grizzly bef ...) - keystone 2013.1.1-2 (bug #707598) [wheezy] - keystone 2012.1.1-13+wheezy1 NOTE: http://lists.openstack.org/pipermail/openstack-announce/2013-May/000099.html CVE-2013-2058 (The host_start function in drivers/usb/chipidea/host.c in the Linux ke ...) - linux-2.6 (Vulnerable code not present) - linux 3.8-1 [wheezy] - linux (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2013/05/03/2 CVE-2013-2057 (YaBB through 2.5.2: 'guestlanguage' Cookie Parameter Local File Includ ...) NOT-FOR-US: YaBB CVE-2013-2056 (The Inter-Satellite Sync (ISS) operation in Red Hat Network (RHN) Sate ...) NOT-FOR-US: RHN Satellite CVE-2013-2055 (Unspecified vulnerability in Apache Wicket 1.4.x before 1.4.23, 1.5.x ...) NOT-FOR-US: Apache Wicket CVE-2013-2054 (Buffer overflow in the atodn function in strongSwan 2.0.0 through 4.3. ...) - strongswan 4.3.4-1 NOTE: http://download.strongswan.org/patches/11_pluto_atodn_patch/CVE-2013-2054.txt CVE-2013-2053 (Buffer overflow in the atodn function in Openswan before 2.6.39, when ...) {DSA-2893-1} - openswan (low; bug #709144) CVE-2013-2052 (Buffer overflow in the atodn function in libreswan 3.0 and 3.1, when O ...) - libreswan (Fixed before the initial upload to Debian) NOTE: https://libreswan.org/security/CVE-2013-2052/CVE-2013-2052.txt CVE-2013-2051 (The Tomcat 6 DIGEST authentication functionality as used in Red Hat En ...) - tomcat6 (RedHat-specific issue) - tomcat7 (RedHat-specific issue) CVE-2013-2050 (SQL injection vulnerability in the miq_policy controller in Red Hat Cl ...) NOT-FOR-US: CloudForms Management Engine CVE-2013-2049 (Red Hat CloudForms 2 Management Engine (CFME) allows remote attackers ...) NOT-FOR-US: CloudForms Management Engine CVE-2013-2048 (ownCloud before 5.0.6 does not properly check permissions, which allow ...) - owncloud (Only affects 5.0.x) CVE-2013-2047 (The login page (aka index.php) in ownCloud before 5.0.6 does not disab ...) - owncloud (Only 5.0.x) CVE-2013-2046 (SQL injection vulnerability in lib/bookmarks.php in ownCloud Server 4. ...) - owncloud (Only affects 4.5.x) CVE-2013-2045 (SQL injection vulnerability in lib/db.php in ownCloud Server 5.0.x bef ...) - owncloud (Only affects 5.0.x) CVE-2013-2044 (Open redirect vulnerability in the Login Page (index.php) in ownCloud ...) - owncloud (Only 5.0.x) CVE-2013-2043 (apps/calendar/ajax/events.php in ownCloud before 4.5.11 and 5.x before ...) - owncloud (Only 5.0.x and 4.5.x) CVE-2013-2042 (Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before ...) - owncloud 4.0.15debian-1 CVE-2013-2041 (Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 5.0.x ...) - owncloud (Only affects 5.0.x) CVE-2013-2040 (Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before ...) - owncloud 4.0.15debian-1 CVE-2013-2039 (Directory traversal vulnerability in lib/files/view.php in ownCloud be ...) - owncloud 4.0.15debian-1 CVE-2013-2038 (The NMEA0183 driver in gpsd before 3.9 allows remote attackers to caus ...) - gpsd 3.6-5 (bug #706665) [wheezy] - gpsd 3.6-4+deb7u1 [squeeze] - gpsd (Minor issue) NOTE: http://lists.nongnu.org/archive/html/gpsd-dev/2013-05/msg00000.html CVE-2013-2037 (httplib2 0.7.2, 0.8, and earlier, after an initial connection is made, ...) - python-httplib2 0.8-2 (low; bug #706602) [squeeze] - python-httplib2 (Minor issue) [wheezy] - python-httplib2 0.7.4-2+deb7u1 NOTE: http://openwall.com/lists/oss-security/2013/05/01/5 CVE-2013-2036 (Cross-site scripting (XSS) vulnerability in the Filebrowser module 6.x ...) NOT-FOR-US: Drupal module Filebrowser CVE-2013-2035 (Race condition in hawtjni-runtime/src/main/java/org/fusesource/hawtjni ...) - hawtjni 1.10-1 (low; bug #708293) [wheezy] - hawtjni 1.0~+git0c502e20c4-3+deb7u1 CVE-2013-2034 (Multiple cross-site request forgery (CSRF) vulnerabilities in Jenkins ...) - jenkins 1.509.2+dfsg-1 (bug #706725) CVE-2013-2033 (Cross-site scripting (XSS) vulnerability in Jenkins before 1.514, LTS ...) - jenkins 1.509.2+dfsg-1 (bug #706725) CVE-2013-2032 (MediaWiki before 1.19.6 and 1.20.x before 1.20.5 does not allow extens ...) {DSA-2891-1} - mediawiki 1:1.19.6-1 (low; bug #706601) [squeeze] - mediawiki NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=46590 CVE-2013-2031 (MediaWiki before 1.19.6 and 1.20.x before 1.20.5 allows remote attacke ...) {DSA-2891-1} - mediawiki 1:1.19.6-1 (bug #706601) [squeeze] - mediawiki NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=47304 CVE-2013-2030 (keystone/middleware/auth_token.py in OpenStack Nova Folsom, Grizzly, a ...) - nova (Option not present in nova/2012.1.1) NOTE: http://lists.openstack.org/pipermail/openstack-announce/2013-May/000098.html CVE-2013-2029 (nagios.upgrade_to_v3.sh, as distributed by Red Hat and possibly others ...) - nagios3 (Affected file nagios.upgrade_to_v3.sh not in Debian) NOTE: http://www.openwall.com/lists/oss-security/2013/04/30/8 CVE-2013-2028 (The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx ...) - nginx (Vulnerable code not present) CVE-2013-2027 (Jython 2.2.1 uses the current umask to set the privileges of the class ...) [experimental] - jython 2.7.0+repack-1 - jython 2.7.1+repack-1 (low; bug #777079) [stretch] - jython (Minor issue) [jessie] - jython (Minor issue) [wheezy] - jython (Minor issue) [squeeze] - jython (Minor issue) NOTE: http://bugs.jython.org/issue2044 NOTE: The original issue seem addressed in 2.7.0+repack-1, but still files NOTE: might be created/written to /usr/share/jython/cachedir/packages NOTE: which should not be in /usr beeing a cachedir. CVE-2013-2026 REJECTED CVE-2013-2025 (Cross-site scripting (XSS) vulnerability in Ushahidi Platform 2.5.x th ...) NOT-FOR-US: Ushahidi CVE-2013-2024 (OS command injection vulnerability in the "qs" procedure from the "uti ...) - chicken 4.8.0.3-1 (bug #706525) [wheezy] - chicken (Minor issue) [squeeze] - chicken (Minor issue) NOTE: http://lists.nongnu.org/archive/html/chicken-announce/2013-04/msg00000.html CVE-2013-2023 (Cross-site scripting (XSS) vulnerability in actionscript/Jplayer.as in ...) - jquery-jplayer 2.1.0-2 NOTE: used for jPlayer 2.2.23 XSS NOTE: http://www.openwall.com/lists/oss-security/2013/05/05/3 CVE-2013-2022 (Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jp ...) - jquery-jplayer 2.1.0-2 NOTE: https://github.com/happyworm/jPlayer/commit/c5fe17bb4459164bd59153b57248cf94b8867373 NOTE: used for jPlayer 2.2.20 XSS NOTE: http://www.openwall.com/lists/oss-security/2013/05/05/3 CVE-2013-2021 (pdf.c in ClamAV 0.97.1 through 0.97.7 allows remote attackers to cause ...) - clamav 0.97.8+dfsg-1 [squeeze] - clamav 0.97.8+dfsg-1~squeeze1 CVE-2013-2020 (Integer underflow in the cli_scanpe function in pe.c in ClamAV before ...) - clamav 0.97.8+dfsg-1 [squeeze] - clamav 0.97.8+dfsg-1~squeeze1 CVE-2013-2019 (Stack-based buffer overflow in BOINC 6.10.58 and 6.12.34 allows remote ...) - boinc 6.13.6+dfsg-1 (low) [squeeze] - boinc (Minor issue) NOTE: http://boinc.berkeley.edu/gitweb/?p=boinc-v2.git;a=commitdiff;h=9a4140ae30a72e5175f3f31646d91f2d58df7156 CVE-2013-2018 (Multiple SQL injection vulnerabilities in BOINC allow remote attackers ...) - boinc 7.0.65+dfsg-1 (low) [squeeze] - boinc (Vulnerable code not present) [wheezy] - boinc (Minor issue) NOTE: server-maker not shipped in squeeze CVE-2013-2017 (The veth (aka virtual Ethernet) driver in the Linux kernel before 2.6. ...) - linux 2.6.34-1 - linux-2.6 2.6.34-1 [squeeze] - linux-2.6 (Introduced in 2.6.33) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6ec82562ffc6f297d0de36d65776cff8e5704867 NOTE: http://marc.info/?l=linux-netdev&m=127310770900442&w=3 CVE-2013-2016 (A flaw was found in the way qemu v1.3.0 and later (virtio-rng) validat ...) - qemu 1.5.0+dfsg-1 (bug #710822) [jessie] - qemu (vulnerability introduced in 1.3.0) [wheezy] - qemu (vulnerability introduced in 1.3.0) [squeeze] - qemu (vulnerability introduced in 1.3.0) - qemu-kvm (vulnerability introduced in 1.3.0) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2013-04/msg05013.html NOTE: https://lists.gnu.org/archive/html/qemu-devel/2013-04/msg05254.html NOTE: http://marc.info/?l=oss-security&m=136722323931507&w=2 NOTE: Only pratically affects virtio-rng according to oss-reference (and if mmap_min_addr = 0) CVE-2013-2015 (The ext4_orphan_del function in fs/ext4/namei.c in the Linux kernel be ...) {DSA-2669-1 DSA-2668-1} - linux 3.8-1 (low) - linux-2.6 (low) CVE-2013-2014 (OpenStack Identity (Keystone) before 2013.1 allows remote attackers to ...) - keystone 2013.1.1-2 (bug #708515) [wheezy] - keystone (Minor issue) CVE-2013-2013 (The user-password-update command in python-keystoneclient before 0.2.4 ...) - python-keystoneclient 1:0.2.5-1 (bug #709535) [wheezy] - python-keystoneclient 2012.1-3+deb7u1 NOTE: https://bugs.launchpad.net/python-keystoneclient/+bug/938315 NOTE: https://review.openstack.org/28702 CVE-2013-2012 (autojump before 21.5.8 allows local users to gain privileges via a Tro ...) - autojump (vulnerable code not present for unstable) NOTE: experimental affected as per 21.5.1-1, see #706252 NOTE: experimental fixed as 21.5.1-2 CVE-2013-2011 (WordPress W3 Super Cache Plugin before 1.3.2 contains a PHP code-execu ...) NOT-FOR-US: WP Super Cache NOTE: this issue exists because of an incomplete fix for CVE-2013-2009 CVE-2013-2010 (WordPress W3 Total Cache Plugin 0.9.2.8 has a Remote PHP Code Executio ...) NOT-FOR-US: W3 Total Cache CVE-2013-2009 (WordPress WP Super Cache Plugin 1.2 has Remote PHP Code Execution ...) NOT-FOR-US: WP Super Cache CVE-2013-2008 (WordPress Super Cache Plugin 1.3 has XSS. ...) NOT-FOR-US: WP Super Cache CVE-2013-2007 (The qemu guest agent in Qemu 1.4.1 and earlier, as used by Xen, when s ...) - qemu (qemu guest agent introduced in 1.4, vulnerable versions were only in experimental) - qemu-kvm (qemu guest agent introduced in 1.4) CVE-2013-2006 (OpenStack Identity (Keystone) Grizzly 2013.1.1, when DEBUG mode loggin ...) - keystone 2013.1.1-2 [wheezy] - keystone (Minor issue) NOTE: https://review.openstack.org/#/c/26826/2/keystone/common/config.py NOTE: https://bugs.launchpad.net/keystone/+bug/1172195 CVE-2013-2005 (X.org libXt 1.1.3 and earlier does not check the return value of the X ...) {DSA-2680-1} - libxt 1:1.1.3-1+deb7u1 CVE-2013-2004 (The (1) GetDatabase and (2) _XimParseStringFile functions in X.org lib ...) {DSA-2693-1} - libx11 2:1.5.0-1+deb7u1 CVE-2013-2003 (Integer overflow in X.org libXcursor 1.1.13 and earlier allows X serve ...) {DSA-2681-1} - libxcursor 1:1.1.13-1+deb7u1 CVE-2013-2002 (Buffer overflow in X.org libXt 1.1.3 and earlier allows X servers to c ...) {DSA-2680-1} - libxt 1:1.1.3-1+deb7u1 CVE-2013-2001 (Buffer overflow in X.org libXxf86vm 1.1.2 and earlier allows X servers ...) {DSA-2692-1} - libxxf86vm 1:1.1.2-1+deb7u1 CVE-2013-2000 (Multiple buffer overflows in X.org libXxf86dga 1.1.3 and earlier allow ...) {DSA-2690-1} - libxxf86dga 2:1.1.3-2+deb7u1 CVE-2013-1999 (Buffer overflow in X.org libXvMC 1.0.7 and earlier allows X servers to ...) {DSA-2675-1} - libxvmc 2:1.0.8-1 CVE-2013-1998 (Multiple buffer overflows in X.org libXi 1.7.1 and earlier allow X ser ...) {DSA-2683-1} - libxi 2:1.6.1-1+deb7u1 CVE-2013-1997 (Multiple buffer overflows in X.org libX11 1.5.99.901 (1.6 RC1) and ear ...) {DSA-2693-1} - libx11 2:1.5.0-1+deb7u1 CVE-2013-1996 (X.org libFS 1.0.4 and earlier allows X servers to trigger allocation o ...) {DSA-2687-1} - libfs 2:1.0.4-1+deb7u1 CVE-2013-1995 (X.org libXi 1.7.1 and earlier allows X servers to trigger allocation o ...) {DSA-2683-1} - libxi 2:1.6.1-1+deb7u1 CVE-2013-1994 (Multiple integer overflows in X.org libchromeXvMC and libchromeXvMCPro ...) {DSA-2679-1} - xserver-xorg-video-openchrome 1:0.2.906-2+deb7u1 CVE-2013-1993 (Multiple integer overflows in X.org libGLX in Mesa 9.1.1 and earlier a ...) {DSA-2678-1} - mesa 8.0.5-6 CVE-2013-1992 (Multiple integer overflows in X.org libdmx 1.1.2 and earlier allow X s ...) {DSA-2673-1} - libdmx 1:1.1.2-1+deb7u1 CVE-2013-1991 (Multiple integer overflows in X.org libXxf86dga 1.1.3 and earlier allo ...) {DSA-2690-1} - libxxf86dga 2:1.1.3-2+deb7u1 CVE-2013-1990 (Multiple integer overflows in X.org libXvMC 1.0.7 and earlier allow X ...) {DSA-2675-1} - libxvmc 2:1.0.8-1 CVE-2013-1989 (Multiple integer overflows in X.org libXv 1.0.7 and earlier allow X se ...) {DSA-2674-1} - libxv 2:1.0.7-1+deb7u1 CVE-2013-1988 (Multiple integer overflows in X.org libXRes 1.0.6 and earlier allow X ...) {DSA-2688-1} - libxres 2:1.0.6-1+deb7u1 CVE-2013-1987 (Multiple integer overflows in X.org libXrender 0.9.7 and earlier allow ...) {DSA-2677-1} - libxrender 1:0.9.7-1+deb7u1 CVE-2013-1986 (Multiple integer overflows in X.org libXrandr 1.4.0 and earlier allow ...) {DSA-2684-1} - libxrandr 2:1.3.2-2+deb7u1 CVE-2013-1985 (Integer overflow in X.org libXinerama 1.1.2 and earlier allows X serve ...) {DSA-2691-1} - libxinerama 2:1.1.2-1+deb7u1 CVE-2013-1984 (Multiple integer overflows in X.org libXi 1.7.1 and earlier allow X se ...) {DSA-2683-1} - libxi 2:1.6.1-1+deb7u1 CVE-2013-1983 (Integer overflow in X.org libXfixes 5.0 and earlier allows X servers t ...) {DSA-2676-1} - libxfixes 1:5.0-4+deb7u1 CVE-2013-1982 (Multiple integer overflows in X.org libXext 1.3.1 and earlier allow X ...) {DSA-2682-1} - libxext 2:1.3.1-2+deb7u1 CVE-2013-1981 (Multiple integer overflows in X.org libX11 1.5.99.901 (1.6 RC1) and ea ...) {DSA-2693-1} - libx11 2:1.5.0-1+deb7u1 CVE-2013-1980 (Buffer overflow in the get_dsmp function in loaders/masi_load.c in lib ...) - xmp 3.4.0-3 (low; bug #706667) [wheezy] - xmp (Minor issue) [squeeze] - xmp (Minor issue) CVE-2013-1979 (The scm_set_cred function in include/net/scm.h in the Linux kernel bef ...) {DSA-2669-1} - linux 3.8.11-1 - linux-2.6 (Introduced in 2.6.36) CVE-2013-1978 (Heap-based buffer overflow in the read_xwd_cols function in file-xwd.c ...) {DSA-2813-1} - gimp 2.8.10-0.1 (bug #731305) CVE-2013-1977 (OpenStack devstack uses world-readable permissions for keystone.conf, ...) - keystone (permissions to /etc/keystone/keystone.conf restricted in postinst) NOTE: http://www.openwall.com/lists/oss-security/2013/04/19/2 CVE-2013-1976 (The (1) tomcat5, (2) tomcat6, and (3) tomcat7 init scripts, as used in ...) - tomcat6 (RedHat-specific issue) - tomcat7 (RedHat-specific issue) CVE-2013-1975 RESERVED CVE-2013-1974 RESERVED CVE-2013-1973 (The autocomplete callback in Autocomplete Widgets for Text and Number ...) NOT-FOR-US: Drupal contributed module CVE-2013-1972 (Cross-site request forgery (CSRF) vulnerability in the elFinder file m ...) NOT-FOR-US: Drupal contributed module CVE-2013-1971 (Cross-site scripting (XSS) vulnerability in the MP3 Player module for ...) NOT-FOR-US: Drupal contributed module CVE-2013-1970 REJECTED CVE-2013-1969 (Multiple use-after-free vulnerabilities in libxml2 2.9.0 and possibly ...) - libxml2 (Affecting only 2.9.x, see bug #705722) NOTE: https://git.gnome.org/browse/libxml2/commit/?id=de0cc20c29cb3f056062925395e0f68d2250a46f CVE-2013-1968 (Subversion before 1.6.23 and 1.7.x before 1.7.10 allows remote authent ...) {DSA-2703-1} - subversion 1.7.9-1+nmu2 (bug #711033) NOTE: https://subversion.apache.org/security/CVE-2013-1968-advisory.txt CVE-2013-1967 (Cross-site scripting (XSS) vulnerability in flashmediaelement.swf in M ...) - owncloud (Vulnerable code not present) NOTE: oC >= 4.5 only CVE-2013-1966 (Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arb ...) - libstruts1.2-java (Only affects Struts 2) CVE-2013-1965 (Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 b ...) - libstruts1.2-java (Only affects Struts 2) CVE-2013-1964 (Xen 4.0.x and 4.1.x incorrectly releases a grant reference when releas ...) {DSA-2666-1} - xen 4.1.4-3 NOTE: http://lists.xen.org/archives/html/xen-announce/2013-04/msg00006.html CVE-2013-1963 (The contacts application in ownCloud before 4.5.10 and 5.x before 5.0. ...) - owncloud (Vulnerable code not present) NOTE: oC >= 4.5 only CVE-2013-1962 (The remoteDispatchStoragePoolListAllVolumes function in the storage po ...) - libvirt (Vulnerable code not present) NOTE: http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=ca697e90d5bd6a6dfb94bfb6d4438bdf9a44b739 CVE-2013-1961 (Stack-based buffer overflow in the t2p_write_pdf_page function in tiff ...) {DSA-2698-1 DLA-610-1} - tiff 4.0.2-6+nmu1 (bug #706674) - tiff3 3.9.7-1 (bug #712840) CVE-2013-1960 (Heap-based buffer overflow in the t2p_process_jpeg_strip function in t ...) {DSA-2698-1} - tiff 4.0.2-6+nmu1 (bug #706675) - tiff3 (tiff command line tools not build in tiff3) CVE-2013-1959 (kernel/user_namespace.c in the Linux kernel before 3.8.9 does not have ...) - linux 3.8.11-1 [wheezy] - linux (Introduced in 3.7) - linux-2.6 (Introduced in 3.7) CVE-2013-1958 (The scm_check_creds function in net/core/scm.c in the Linux kernel bef ...) - linux 3.8.13-1 [wheezy] - linux (Not exploitable by unprivileged users) - linux-2.6 (Not exploitable by unprivileged users) CVE-2013-1957 (The clone_mnt function in fs/namespace.c in the Linux kernel before 3. ...) - linux 3.8.13-1 [wheezy] - linux (Not exploitable by unprivileged users) - linux-2.6 (Not exploitable by unprivileged users) CVE-2013-1956 (The create_user_ns function in kernel/user_namespace.c in the Linux ke ...) - linux 3.8.11-1 [wheezy] - linux (Not exploitable by unprivileged users) - linux-2.6 (Not exploitable by unprivileged users) CVE-2013-1955 (Multiple cross-site scripting (XSS) vulnerabilities in (1) index.php a ...) NOT-FOR-US: Easy PHP Calendar CVE-2013-1954 (The ASF Demuxer (modules/demux/asf/asf.c) in VideoLAN VLC media player ...) {DSA-2973-1} - vlc 2.0.6-1 (bug #705136) [squeeze] - vlc (Unsupported in squeeze-lts) NOTE: http://www.videolan.org/security/sa1302.html CVE-2013-1953 (Integer underflow in the input_bmp_reader function in input-bmp.c in A ...) - autotrace 0.31.1-16+nmu1 (low; bug #742873) [wheezy] - autotrace (Minor issue) [squeeze] - autotrace (Minor issue) - gimp 2.6.10-1 NOTE: Gimp was fixed earlier, but only Squeeze version was checked NOTE: In gimp code introduced with d9c6f88141aecf956c5d721168f795de0e3027b8 NOTE: and fixed with 57f805a159874107c6c98065f9aa648c3634b8fd NOTE: https://git.gnome.org/browse/gimp/commit/?h=d9c6f88141aecf956c5d7 NOTE: https://git.gnome.org/browse/gimp/commit/?h=57f805a159874107c6c98 CVE-2013-1952 (Xen 4.x, when using Intel VT-d for a bus mastering capable PCI device, ...) {DSA-2666-1} - xen 4.1.4-4 CVE-2013-1951 (A cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.5 ...) - mediawiki 1:1.19.5-1 [squeeze] - mediawiki CVE-2013-1950 (The svc_dg_getargs function in libtirpc 0.2.3 and earlier allows remot ...) - libtirpc (regression code not present) NOTE: Regression introduced with 82cc2e6129c872c8be09381055f2fb5641c5e6fe NOTE: Regression fixed with a9f437119d79a438cb12e510f3cadd4060102c9f NOTE: http://www.openwall.com/lists/oss-security/2013/04/22/9 CVE-2013-1949 (Social Media Widget (social-media-widget) plugin 4.0 for WordPress con ...) NOT-FOR-US: Wordpress Social Media Widget CVE-2013-1948 (converter.rb in the md2pdf gem 0.0.1 for Ruby allows context-dependent ...) NOT-FOR-US: Ruby gem md2pdf CVE-2013-1947 (kelredd-pruview gem 0.3.8 for Ruby allows context-dependent attackers ...) NOT-FOR-US: Ruby Gem kelredd-pruview CVE-2013-1946 (The RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.3 and 7. ...) NOT-FOR-US: RESTful Web Services (RESTWS) Drupal cotributed module CVE-2013-1945 (ruby193 uses an insecure LD_LIBRARY_PATH setting. ...) NOT-FOR-US: Red Hat specific packaging flaw of Ruby in Red Hat OpenShift Enterprise CVE-2013-1944 (The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 d ...) {DSA-2660-1} - curl 7.29.0-2.1 (bug #705274) [wheezy] - curl 7.26.0-1+wheezy2 NOTE: http://curl.haxx.se/docs/adv_20130412.html CVE-2013-1943 (The KVM subsystem in the Linux kernel before 3.0 does not check whethe ...) - linux (RHEL-specific backport regression) - linux-2.6 (RHEL-specific backport regression) CVE-2013-1942 (Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jp ...) - owncloud (Depends on libjs-jquery-jplayer) - jquery-jplayer 2.1.0-2 NOTE: http://owncloud.org/about/security/advisories/oC-SA-2013-014/ NOTE: https://github.com/happyworm/jPlayer/commit/e8ca190f7f972a6a421cb95f09e138720e40ed6d CVE-2013-1941 (The installation routine in ownCloud Server before 4.0.14, 4.5.x befor ...) - owncloud 5.0.4~rc1+dfsg-1 NOTE: http://owncloud.org/about/security/advisories/oC-SA-2013-015/ CVE-2013-1940 (X.Org X server before 1.13.4 and 1.4.x before 1.14.1 does not properly ...) {DSA-2661-1} - xorg-server 2:1.12.4-6 CVE-2013-1939 (The HTML\Browser plugin in SabreDAV before 1.6.9, 1.7.x before 1.7.7, ...) - owncloud (Windows version only) - php-sabredav (running in Windows hosts) NOTE: http://owncloud.org/about/security/advisories/oC-SA-2013-016/ CVE-2013-1938 (Zimbra 2013 has XSS in aspell.php ...) NOT-FOR-US: Zimbra CVE-2013-1937 (** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in ...) - phpmyadmin (Affected are versions 3.5.0 to 3.5.7, older versions not vulnerable) NOTE: http://seclists.org/fulldisclosure/2013/Apr/100 NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/79089c9bc02c82c15419fd9d6496b8781ae08a5a CVE-2013-1936 REJECTED CVE-2013-1935 (A certain Red Hat patch to the KVM subsystem in the kernel package bef ...) - linux (RHEL-specific backport regression) - linux-2.6 (RHEL-specific backport regression) CVE-2013-1934 (A cross-site scripting (XSS) vulnerability in the configuration report ...) {DSA-3120-1} - mantis (low; bug #717482) [squeeze] - mantis (Unsupported in squeeze-lts) CVE-2013-1933 (The extract_from_ocr function in lib/docsplit/text_extractor.rb in the ...) NOT-FOR-US: Karteek Docsplit Ruby Gem CVE-2013-1932 (A cross-site scripting (XSS) vulnerability in the configuration report ...) - mantis (affects Mantis 1.2.13 only) NOTE: http://www.openwall.com/lists/oss-security/2013/04/04/8 CVE-2013-1931 (A cross-site scripting (XSS) vulnerability in MantisBT 1.2.14 allows r ...) - mantis (affects Mantis 1.2.14 only) NOTE: http://www.openwall.com/lists/oss-security/2013/04/04/8 CVE-2013-1930 (MantisBT 1.2.12 before 1.2.15 allows authenticated users to by the wor ...) - mantis (affects only Mantis 1.2.12 and later) NOTE: http://www.openwall.com/lists/oss-security/2013/04/04/8 CVE-2013-1929 (Heap-based buffer overflow in the tg3_read_vpd function in drivers/net ...) {DSA-2669-1 DSA-2668-1} - linux 3.8.11-1 - linux-2.6 CVE-2013-1928 (The do_video_set_spu_palette function in fs/compat_ioctl.c in the Linu ...) {DSA-2668-1} - linux 3.2.35-1 - linux-2.6 CVE-2013-1927 (The IcedTea-Web plugin before 1.2.3 and 1.3.x before 1.3.2 allows remo ...) - icedtea-web 1.3.2-1 CVE-2013-1926 (The IcedTea-Web plugin before 1.2.3 and 1.3.x before 1.3.2 uses the sa ...) - icedtea-web 1.3.2-1 CVE-2013-1925 (The Chaos Tool Suite (ctools) module 7.x-1.x before 7.x-1.3 for Drupal ...) NOT-FOR-US: CTools module for Drupal CVE-2013-1924 (Commerce Skrill (Formerly Moneybookers) has an Access bypass vulnerabi ...) NOT-FOR-US: Commerce Skrill Drupal module CVE-2013-1923 (rpc-gssd in nfs-utils before 1.2.8 performs reverse DNS resolution for ...) - nfs-utils 1:1.2.8-1 (low; bug #707401) [squeeze] - nfs-utils (Minor issue) [wheezy] - nfs-utils 1:1.2.6-4 CVE-2013-1922 (qemu-nbd in QEMU, as used in Xen 4.2.x, determines the format of a raw ...) - xen (qemu-nbd-xen built, but not installed into the binary packages) - qemu 1.5.0+dfsg-1 (low; bug #705544) [squeeze] - qemu (Minor issue) [wheezy] - qemu (Minor issue) - xen-qemu-dm-4.0 (qemu-nbd not installed by the binary package) CVE-2013-1921 (PicketBox, as used in Red Hat JBoss Enterprise Application Platform be ...) NOT-FOR-US: Red Hat JBoss Enterprise Application Platform (Debian's jboss only provides some classes) CVE-2013-1920 (Xen 4.2.x, 4.1.x, and earlier, when the hypervisor is running "under m ...) - xen (XSM not enabled in build) NOTE: Debian package not build with XSM_ENABLE, thus resulted binary packages not affected CVE-2013-1919 (Xen 4.2.x and 4.1.x does not properly restrict access to IRQs, which a ...) {DSA-2662-1} - xen 4.1.4-3 NOTE: http://lists.xen.org/archives/html/xen-announce/2013-04/msg00003.html CVE-2013-1918 (Certain page table manipulation operations in Xen 4.1.x, 4.2.x, and ea ...) {DSA-2666-1} - xen 4.1.4-4 CVE-2013-1917 (Xen 3.1 through 4.x, when running 64-bit hosts on Intel CPUs, does not ...) {DSA-2662-1} - xen 4.1.4-3 NOTE: http://lists.xen.org/archives/html/xen-announce/2013-04/msg00005.html CVE-2013-1916 RESERVED NOT-FOR-US: WordPress plugin CVE-2013-1915 (ModSecurity before 2.7.3 allows remote attackers to read arbitrary fil ...) {DSA-2659-1} - modsecurity-apache 2.6.6-6 (bug #704625) - libapache-mod-security NOTE: https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe NOTE: http://marc.info/?l=oss-security&m=136499182131283&w=2 CVE-2013-1914 (Stack-based buffer overflow in the getaddrinfo function in sysdeps/pos ...) {DLA-165-1} - eglibc - glibc 2.17-2 (low; bug #704623) [wheezy] - eglibc 2.13-38+deb7u1 CVE-2013-1913 (Integer overflow in the load_image function in file-xwd.c in the X Win ...) {DSA-2813-1} - gimp 2.8.10-0.1 (bug #731305) CVE-2013-1912 (Buffer overflow in HAProxy 1.4 through 1.4.22 and 1.5-dev through 1.5- ...) {DSA-2711-1} - haproxy 1.4.23-1 (bug #704611) NOTE: http://git.1wt.eu/web?p=haproxy-1.4.git;a=commitdiff;h=dc80672211 CVE-2013-1911 (lib/ldoce/word.rb in the ldoce 0.0.2 gem for Ruby allows remote attack ...) NOT-FOR-US: ldoce ruby gem CVE-2013-1910 (yum does not properly handle bad metadata, which allows an attacker to ...) - yum (unimportant) NOTE: http://yum.baseurl.org/gitweb?p=yum.git;a=commitdiff;h=c148eb10b798270b3d15087433c8efb2a79a69d0 NOTE: Only used for bootstraps of chroots, see README.Debian CVE-2013-1909 (The Python client in Apache Qpid before 2.2 does not verify that the s ...) - qpid-python 0.22-1 (low; bug #714133) [wheezy] - qpid-python (Minor issue) CVE-2013-1908 (The Commons Wikis module before 7.x-3.1 for Drupal, as used in the Com ...) NOT-FOR-US: Drupal module CVE-2013-1907 (The Commons Group module before 7.x-3.1 for Drupal, as used in the Com ...) NOT-FOR-US: Drupal module CVE-2013-1906 (Cross-site scripting (XSS) vulnerability in the Rules module 7.x-2.x b ...) NOT-FOR-US: Drupal module Rules CVE-2013-1905 (Cross-site scripting (XSS) vulnerability in the Zero Point theme 7.x-1 ...) NOT-FOR-US: Drupal theme Zero Point CVE-2013-1904 (Absolute path traversal vulnerability in steps/mail/sendmail.inc in Ro ...) - roundcube 0.7.2-9 [squeeze] - roundcube (Vulnerable code not present) CVE-2013-1903 (PostgreSQL, possibly 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x bef ...) - postgresql-9.1 (installer related) - postgresql-8.4 (installer related) CVE-2013-1902 (PostgreSQL, 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.1 ...) - postgresql-9.1 (installer related) - postgresql-8.4 (installer related) CVE-2013-1901 (PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 does not properly ...) {DSA-2658-1} - postgresql-9.1 9.1.9-1 CVE-2013-1900 (PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13 ...) {DSA-2658-1 DSA-2657-1} - postgresql-9.1 9.1.9-1 - postgresql-8.4 8.4.17-1 CVE-2013-1899 (Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1 ...) {DSA-2658-1} - postgresql-9.1 9.1.9-1 (bug #704479) CVE-2013-1898 (lib/thumbshooter.rb in the Thumbshooter 0.1.5 gem for Ruby allows remo ...) NOT-FOR-US: Ruby gem Thumbshooter CVE-2013-1897 (The do_search function in ldap/servers/slapd/search.c in 389 Directory ...) - 389-ds-base 1.3.2.9-1 (bug #704421) NOTE: http://git.fedorahosted.org/cgit/389/ds.git/commit/?h=389-ds-base-1.2.11&id=5a18c828533a670e7143327893f8171a19062286 NOTE: https://fedorahosted.org/389/ticket/47308 CVE-2013-1896 (mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly de ...) - apache2 2.4.6-1 (low; bug #717272) [wheezy] - apache2 2.2.22-13+deb7u1 [squeeze] - apache2 2.2.16-6+squeeze12 NOTE: http://www.gossamer-threads.com/lists/apache/announce/427633 CVE-2013-1895 (The py-bcrypt module before 0.3 for Python does not properly handle co ...) - python-bcrypt 0.4-1 (bug #704030) [squeeze] - python-bcrypt (thread support only introduced after 0.1 release) NOTE: https://code.google.com/p/py-bcrypt/source/detail?r=b03cc5246ea21a839fd027da5616d8d470247558 CVE-2013-1894 REJECTED CVE-2013-1893 (SQL injection vulnerability in addressbookprovider.php in ownCloud Ser ...) - owncloud (only affecting 5.0 branch) CVE-2013-1892 (MongoDB before 2.0.9 and 2.2.x before 2.2.4 does not properly validate ...) - mongodb 1:2.4.1-1 (bug #704042) [wheezy] - mongodb 1:2.0.6-1.1 [squeeze] - mongodb (Minor isue, Spidermonkey in Lenny is EOLed) NOTE: http://www.openwall.com/lists/oss-security/2013/03/25/7 CVE-2013-1891 RESERVED CVE-2013-1890 (Multiple cross-site scripting (XSS) vulnerabilities in ownCloud Server ...) - owncloud (only affecting 5.0 branch) CVE-2013-1889 (mod_ruid2 before 0.9.8 improperly handles file descriptors which allow ...) - libapache2-mod-ruid2 0.9.8-1 (low; bug #704066) [wheezy] - libapache2-mod-ruid2 (Minor issue) NOTE: Fix: https://github.com/mind04/mod-ruid2/commit/1fed9dda70cd44d54301df19730a29ae0989e0a2 CVE-2013-1888 (pip before 1.3 allows local users to overwrite arbitrary files via a s ...) - python-pip [squeeze] - python-pip NOTE: https://github.com/pypa/pip/pull/780/files NOTE: Not-affected as vulnerable code only in 1.3, and 1.3.1-1 fixed the issue. CVE-2013-1887 (Multiple cross-site scripting (XSS) vulnerabilities in the Views modul ...) - drupal6 (only affects 7.x-3.x to 7.x-3.6) - drupal7 (views module not packaged) CVE-2013-1886 (Format string vulnerability in the token processing system (pki-tps) i ...) NOT-FOR-US: Red Hat Certificate System CVE-2013-1885 (Multiple cross-site scripting (XSS) vulnerabilities in the token proce ...) NOT-FOR-US: Red Hat Certificate System CVE-2013-1884 (The mod_dav_svn Apache HTTPD server module in Subversion 1.7.0 through ...) - subversion 1.7.9-1 (bug #704940) [wheezy] - subversion (Subversion HTTPD servers 1.7.0 through 1.7.8 (inclusive)) [squeeze] - subversion (Subversion HTTPD servers 1.7.0 through 1.7.8 (inclusive)) NOTE: http://bugs.debian.org/704940#32 NOTE: http://subversion.apache.org/security/CVE-2013-1884-advisory.txt CVE-2013-1883 (Mantis Bug Tracker (aka MantisBT) 1.2.12 before 1.2.15 allows remote a ...) - mantis (only affects 1.2.12 to 1.2.14) NOTE: http://www.openwall.com/lists/oss-security/2013/03/21/3 CVE-2013-1882 RESERVED CVE-2013-1881 (GNOME libsvg before 2.39.0 allows remote attackers to read arbitrary f ...) - librsvg 2.40.0-1 (bug #724741) [wheezy] - librsvg 2.36.1-2 [squeeze] - librsvg 2.26.3-1+deb6u2 CVE-2013-1880 (Cross-site scripting (XSS) vulnerability in the Portfolio publisher se ...) - activemq (portfolio demo app not shipped in Debian package) NOTE: https://issues.apache.org/jira/browse/AMQ-4398 CVE-2013-1879 (Cross-site scripting (XSS) vulnerability in scheduled.jsp in Apache Ac ...) - activemq (scheduler not shipped in Debian package) NOTE: https://issues.apache.org/jira/browse/AMQ-4397 CVE-2013-1878 REJECTED CVE-2013-1877 REJECTED CVE-2013-1876 REJECTED CVE-2013-1875 (command_wrap.rb in the command_wrap Gem for Ruby allows remote attacke ...) NOT-FOR-US: ruby gem command_wrap CVE-2013-1874 (Untrusted search path vulnerability in csi in Chicken before 4.8.2 all ...) - chicken 4.8.0.3-1 (low; bug #702410) [squeeze] - chicken (Minor issue) [wheezy] - chicken (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2013/03/19/11 CVE-2013-1873 [linux kernel kernel stack memory disclosure] REJECTED CVE-2013-1872 (The Intel drivers in Mesa 8.0.x and 9.0.x allow context-dependent atta ...) {DSA-2704-1} - mesa 8.0.5-7 [squeeze] - mesa (Vulnerable code not present) CVE-2013-1871 (Cross-site scripting (XSS) vulnerability in account/EditAddress.do in ...) NOT-FOR-US: Red Hat Satellite CVE-2013-1870 REJECTED CVE-2013-1869 (CRLF injection vulnerability in spacewalk-java before 2.1.148-1 and Re ...) NOT-FOR-US: Red Hat Satellite CVE-2013-1868 (Multiple buffer overflows in VideoLAN VLC media player 2.0.4 and earli ...) {DSA-2973-1} - vlc 2.0.5-1 [squeeze] - vlc (Unsupported in squeeze-lts) NOTE: http://www.videolan.org/security/sa1301.html NOTE: The freetype issue is a harmless NULL deref and won't be fixed CVE-2013-1867 (Gemalto Tokend 2013 has an Arbitrary File Creation/Overwrite Vulnerabi ...) NOT-FOR-US: Gemalto Tokend CVE-2013-1866 (OpenSC OpenSC.tokend has an Arbitrary File Creation/Overwrite Vulnerab ...) NOT-FOR-US: OpenSC.tokend (different from src:opensc) CVE-2013-1865 (OpenStack Keystone Folsom (2012.2) does not properly perform revocatio ...) - keystone (only affects folsom) NOTE: fixed in experimental with keystone/2012.2.3-2 CVE-2013-1864 (The Portable Tool Library (aka PTLib) before 2.10.10, as used in Ekiga ...) NOTE: http://www.openwall.com/lists/oss-security/2013/03/15/6 - ekiga 4.0.1-1 (low; bug #704133) [wheezy] - ekiga (Minor issue) [squeeze] - ekiga (Minor issue) CVE-2013-1863 (Samba 4.x before 4.0.4, when configured as an Active Directory domain ...) - samba4 (Debian package only uses ntvfs, see #679678) NOTE: http://www.samba.org/samba/history/samba-4.0.4.html NOTE: http://www.samba.org/samba/security/CVE-2013-1863 CVE-2013-1862 (mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server 2.2. ...) - apache2 2.4.1-1 (unimportant) [wheezy] - apache2 2.2.22-13+deb7u1 [squeeze] - apache2 2.2.16-6+squeeze12 NOTE: Such injection issues are not treated as security issues CVE-2013-1861 (MariaDB 5.5.x before 5.5.30, 5.3.x before 5.3.13, 5.2.x before 5.2.15, ...) {DSA-2818-1 DSA-2780-1} - mariadb-5.5 (Fixed before initial upload to archive) - mariadb-10.0 (Fixed before initial upload) - mysql-5.5 5.5.33+dfsg-1 (low; bug #706715) - mysql-5.1 (low; bug #706715) NOTE: https://mariadb.atlassian.net/browse/MDEV-4252 CVE-2013-1860 (Heap-based buffer overflow in the wdm_in_callback function in drivers/ ...) {DSA-2668-1} - linux 3.2.41-1 - linux-2.6 CVE-2013-1859 (The Node Parameter Control module 6.x-1.x for Drupal does not properly ...) NOT-FOR-US: Drupal module Node Parameter Control CVE-2013-1858 (The clone system-call implementation in the Linux kernel before 3.8.3 ...) - linux (Only exploitable starting with 3.7) - linux-2.6 (Only exploitable starting with 3.7) NOTE: http://stealth.openwall.net/xSports/clown-newuser.c CVE-2013-1857 (The sanitize helper in lib/action_controller/vendor/html-scanner/html/ ...) {DSA-2655-1} - ruby-actionpack-3.2 3.2.6-6 (bug #703349) - ruby-actionpack-2.3 2.3.14-5 - rails 2.3.14.1 NOTE: Starting with 2.3.14.1 rails is a transition package CVE-2013-1856 (The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini ...) - ruby-activesupport-2.3 (Only affects 3.x and later) - ruby-activesupport-3.2 3.2.6-6 (bug #703350) - rails (Only affects 3.x and later) NOTE: Starting with 2.3.14.1 rails is a transition package CVE-2013-1855 (The sanitize_css method in lib/action_controller/vendor/html-scanner/h ...) {DSA-2655-1} - ruby-actionpack-3.2 3.2.6-6 (bug #703349) - ruby-actionpack-2.3 2.3.14-5 - rails 2.3.14.1 NOTE: Starting with 2.3.14.1 rails is a transition package CVE-2013-1854 (The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1. ...) {DSA-2655-1} - ruby-activerecord-3.2 3.2.6-5 (bug #703348) - ruby-activerecord-2.3 2.3.14-6 - ruby-activesupport-2.3 2.3.14-7 - rails 2.3.14.1 NOTE: Starting with 2.3.14.1 rails is a transition package CVE-2013-1853 (Almanah Diary 0.9.0 and 0.10.0 does not encrypt the database when clos ...) - almanah 0.9.1-1 (bug #702905) [squeeze] - almanah (Only affect Almanah used in combination with glib 2.32) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=695117 CVE-2013-1852 (SQL injection vulnerability in leaguemanager.php in the LeagueManager ...) NOT-FOR-US: WordPress plugin LeagueManager CVE-2013-1851 (Incomplete blacklist vulnerability in lib/migrate.php in ownCloud befo ...) - owncloud 4.0.8debian-1.6 (bug #703094) NOTE: https://owncloud.org/about/security/advisories/oC-SA-2013-010/ NOTE: http://www.openwall.com/lists/oss-security/2013/03/14/8 CVE-2013-1850 (Multiple incomplete blacklist vulnerabilities in (1) import.php and (2 ...) - owncloud 4.0.8debian-1.6 (bug #703094) NOTE: https://owncloud.org/about/security/advisories/oC-SA-2013-009/ NOTE: http://www.openwall.com/lists/oss-security/2013/03/14/8 CVE-2013-1849 (The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x through ...) {DLA-207-1} - subversion 1.7.9-1 (bug #704940) [squeeze] - subversion (Minor issue) [wheezy] - subversion 1.6.17dfsg-4+deb7u2 NOTE: http://seclists.org/fulldisclosure/2013/Mar/56 CVE-2013-1848 (fs/ext3/super.c in the Linux kernel before 3.8.4 uses incorrect argume ...) - linux 3.2.41-1 - linux-2.6 [squeeze] - linux-2.6 (Introduced in 2.6.33) NOTE: http://www.openwall.com/lists/oss-security/2013/03/20/8 CVE-2013-1847 (The mod_dav_svn Apache HTTPD server module in Subversion 1.6.0 through ...) {DLA-207-1} - subversion 1.7.9-1 (bug #704940) [squeeze] - subversion (Minor issue) [wheezy] - subversion 1.6.17dfsg-4+deb7u2 NOTE: http://subversion.apache.org/security/CVE-2013-1847-advisory.txt CVE-2013-1846 (The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before ...) {DLA-207-1} - subversion 1.7.9-1 (bug #704940) [squeeze] - subversion (Minor issue) [wheezy] - subversion 1.6.17dfsg-4+deb7u2 NOTE: http://subversion.apache.org/security/CVE-2013-1846-advisory.txt CVE-2013-1845 (The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before ...) {DLA-207-1} - subversion 1.7.9-1 (bug #704940) [squeeze] - subversion (Minor issue) [wheezy] - subversion 1.6.17dfsg-4+deb7u2 NOTE: http://subversion.apache.org/security/CVE-2013-1845-advisory.txt CVE-2013-1844 (Cross-site scripting (XSS) vulnerability in Piwik before 1.11 allows r ...) - piwik (bug #506933) CVE-2013-1843 (Open redirect vulnerability in the Access tracking mechanism in TYPO3 ...) {DSA-2646-1} - typo3-src 4.5.19+dfsg1-5 (bug #702574) CVE-2013-1842 (SQL injection vulnerability in the Extbase Framework in TYPO3 4.5.x be ...) {DSA-2646-1} - typo3-src 4.5.19+dfsg1-5 (bug #702574) CVE-2013-1841 (Net-Server, when the reverse-lookups option is enabled, does not check ...) - libnet-server-perl (low; bug #702914) [buster] - libnet-server-perl (Minor issue) [stretch] - libnet-server-perl (Minor issue) [jessie] - libnet-server-perl (Minor issue) [wheezy] - libnet-server-perl (Minor issue) [squeeze] - libnet-server-perl (Minor issue) NOTE: https://rt.cpan.org/Ticket/Display.html?id=83909 CVE-2013-1840 (The v1 API in OpenStack Glance Essex (2012.1), Folsom (2012.2), and Gr ...) - glance 2012.1.1-5 (bug #703063) CVE-2013-1839 (The strHdrAcptLangGetItem function in errorpage.cc in Squid 3.2.x befo ...) - squid3 (the errors were introduced in trunk rev.11496 in 3.2.0.9) NOTE: According to http://seclists.org/bugtraq/2013/Mar/68 not affecting 3.1? NOTE: http://bazaar.launchpad.net/~squid/squid/3.2/revision/11796 CVE-2013-1838 (OpenStack Compute (Nova) Grizzly, Folsom (2012.2), and Essex (2012.1) ...) - nova 2012.1.1-15 (bug #703064) CVE-2013-1837 RESERVED CVE-2013-1836 (Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and ...) - moodle 2.5-1 (bug #703870) [squeeze] - moodle (Vulnerable code not present) CVE-2013-1835 (Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and ...) - moodle 2.5-1 (bug #703870) [squeeze] - moodle (Vulnerable code not present) CVE-2013-1834 (notes/edit.php in Moodle 1.9.x through 1.9.19, 2.x through 2.1.10, 2.2 ...) - moodle 2.5-1 (low; bug #703870) [squeeze] - moodle (Minor issue) CVE-2013-1833 (Multiple cross-site scripting (XSS) vulnerabilities in the File Picker ...) - moodle 2.5-1 (bug #703870) [squeeze] - moodle (Vulnerable code not present) CVE-2013-1832 (repository/webdav/lib.php in Moodle 2.x through 2.1.10, 2.2.x before 2 ...) - moodle 2.5-1 (bug #703870) [squeeze] - moodle (Vulnerable code not present) CVE-2013-1831 (lib/setuplib.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x b ...) - moodle 2.5-1 (low; bug #703870) [squeeze] - moodle (Minor issue) CVE-2013-1830 (user/view.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x befo ...) - moodle 2.5-1 (low; bug #703870) [squeeze] - moodle (Minor issue) CVE-2013-1829 (calendar/managesubscriptions.php in Moodle 2.4.x before 2.4.2 does not ...) - moodle (Only in 2.4 to 2.4.1) CVE-2013-1828 (The sctp_getsockopt_assoc_stats function in net/sctp/socket.c in the L ...) - linux (Introduced in 3.8) - linux-2.6 (Introduced in 3.8) CVE-2013-1827 (net/dccp/ccid.h in the Linux kernel before 3.5.4 allows local users to ...) - linux 3.2.29-1 - linux-2.6 [squeeze] - linux-2.6 2.6.32-47 CVE-2013-1826 (The xfrm_state_netlink function in net/xfrm/xfrm_user.c in the Linux k ...) {DSA-2668-1} - linux 3.2.32-1 (low) - linux-2.6 (low) NOTE: Probably gone since 3.2.32-1, but I checked 3.2.41-2 CVE-2013-1825 REJECTED CVE-2013-1824 (The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.12 allows re ...) {DSA-2639-1} - php5 5.4.4-14 NOTE: See CVE-2013-1643 NOTE: http://git.php.net/?p=web/php.git;a=commitdiff;h=e8432b34ee7a196a14a6e0191a00fe73b5a095e7 CVE-2013-1823 (Cross-site scripting (XSS) vulnerability in the Notifications form in ...) NOT-FOR-US: Katello CVE-2013-1822 (Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.x ...) - owncloud (owncloud stable4 (4.0.x) is not affected) NOTE: https://owncloud.org/about/security/advisories/oC-SA-2013-008/ NOTE: http://www.openwall.com/lists/oss-security/2013/03/14/8 CVE-2013-1821 (lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows ...) {DSA-2809-1 DSA-2738-1} - ruby1.9.1 1.9.3.194-8.1 (bug #702525) - ruby1.8 1.8.7.358-7 (bug #702526) NOTE: http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/ CVE-2013-1820 (tuned before 2.x allows local users to kill running processes due to i ...) - tuned (Fixed before initial release to Debian) CVE-2013-1819 (The _xfs_buf_find function in fs/xfs/xfs_buf.c in the Linux kernel bef ...) - linux 3.8-1 - linux-2.6 (low) [squeeze] - linux-2.6 (Too risky to backport, minor impact) [wheezy] - linux (Too risky to backport, minor impact) CVE-2013-1818 (maintenance/mwdoc-filter.php in MediaWiki before 1.20.3 allows remote ...) - mediawiki (mwdoc-filter.php introduced in 1.20) NOTE: register_globals is not supported in Debian anyway, see PHP's README.Debian.security CVE-2013-1817 (MediaWiki before 1.19.4 and 1.20.x before 1.20.3 contains an error in ...) - mediawiki 1:1.19.4-1 (bug #702305) [squeeze] - mediawiki CVE-2013-1816 (MediaWiki before 1.19.4 and 1.20.x before 1.20.3 allows remote attacke ...) - mediawiki 1:1.19.4-1 [squeeze] - mediawiki CVE-2013-1815 (PackStack 2012.2.3 in Red Hat OpenStack Essex and Folsom can create th ...) NOT-FOR-US: OpenStack PackStack CVE-2013-1814 (The users/get program in the User RPC API in Apache Rave 0.11 through ...) NOT-FOR-US: Apache Rave CVE-2013-1813 (util-linux/mdev.c in BusyBox before 1.21.0 uses 0777 permissions for p ...) - busybox 1:1.20.0-8 (low; bug #701965) [wheezy] - busybox (Minor issue) [squeeze] - busybox (Minor issue) CVE-2013-1812 (The ruby-openid gem before 2.2.2 for Ruby allows remote OpenID provide ...) - ruby-openid 2.1.8debian-6 (bug #702217) - libopenid-ruby (bug #702217) [squeeze] - libopenid-ruby 2.1.8debian-1+squeeze1 CVE-2013-1811 (An access control issue in MantisBT before 1.2.13 allows users with "R ...) {DSA-3120-1} - mantis (low; bug #698481) [squeeze] - mantis (Unsupported in squeeze-lts) CVE-2013-1810 (Multiple cross-site scripting (XSS) vulnerabilities in core/summary_ap ...) - mantis (only affects MantisBT 1.2.12) CVE-2013-1809 (Gambas before 3.4.0 allows remote attackers to move or manipulate dire ...) - gambas3 3.5.1-1 (low; bug #702184) - gambas2 [wheezy] - gambas3 (Minor issue) [squeeze] - gambas2 (Minor issue) NOTE: https://code.google.com/p/gambas/issues/detail?id=365 CVE-2013-1808 (Cross-site scripting (XSS) vulnerability in ZeroClipboard.swf and Zero ...) - db4o (unimportant) - jenkins 1.509.2+dfsg-1 (bug #706725) CVE-2013-1807 (PHP-Fusion before 7.02.06 stores backup files with predictable filenam ...) NOT-FOR-US: PHP-Fusion CVE-2013-1806 (Multiple directory traversal vulnerabilities in PHP-Fusion before 7.02 ...) NOT-FOR-US: PHP-Fusion CVE-2013-1805 REJECTED CVE-2013-1804 (Multiple cross-site scripting (XSS) vulnerabilities in PHP-Fusion befo ...) NOT-FOR-US: PHP-Fusion CVE-2013-1803 (Multiple SQL injection vulnerabilities in PHP-Fusion before 7.02.06 al ...) NOT-FOR-US: PHP-Fusion CVE-2013-1802 (The extlib gem 0.9.15 and earlier for Ruby does not properly restrict ...) {DLA-172-1} - ruby-extlib 0.9.15-3 (bug #697895) - libextlib-ruby (bug #697895) CVE-2013-1801 (The httparty gem 0.9.0 and earlier for Ruby does not properly restrict ...) NOT-FOR-US: httparty Ruby gem CVE-2013-1800 (The crack gem 0.3.1 and earlier for Ruby does not properly restrict ca ...) - ruby-crack 0.3.2-1 CVE-2013-1799 (Gnome Online Accounts (GOA) 3.6.x before 3.6.3 and 3.7.x before 3.7.91 ...) - gnome-online-accounts (Incomplete patch wasn't applied in Debian) CVE-2013-1798 (The ioapic_read_indirect function in virt/kvm/ioapic.c in the Linux ke ...) {DSA-2668-1} - linux 3.2.41-2 - linux-2.6 NOTE: http://www.openwall.com/lists/oss-security/2013/03/20/9 CVE-2013-1797 (Use-after-free vulnerability in arch/x86/kvm/x86.c in the Linux kernel ...) - linux 3.2.41-2 - linux-2.6 [squeeze] - linux-2.6 (Too intrusive to backport, KVM server not supported in squeeze-lts) NOTE: http://www.openwall.com/lists/oss-security/2013/03/20/9 CVE-2013-1796 (The kvm_set_msr_common function in arch/x86/kvm/x86.c in the Linux ker ...) {DSA-2669-1 DSA-2668-1} - linux 3.2.41-2 - linux-2.6 NOTE: http://www.openwall.com/lists/oss-security/2013/03/20/9 CVE-2013-1795 (Integer overflow in ptserver in OpenAFS before 1.6.2 allows remote att ...) {DSA-2638-1} - openafs 1.6.1-3 CVE-2013-1794 (Buffer overflow in certain client utilities in OpenAFS before 1.6.2 al ...) {DSA-2638-1} - openafs 1.6.1-3 CVE-2013-1793 (openstack-utils openstack-db has insecure password creation ...) NOT-FOR-US: openstack-utils CVE-2013-1792 (Race condition in the install_user_keyrings function in security/keys/ ...) {DSA-2668-1} - linux 3.2.41-1 - linux-2.6 CVE-2013-1791 RESERVED CVE-2013-1790 (poppler/Stream.cc in poppler before 0.22.1 allows context-dependent at ...) {DSA-2719-1} - poppler 0.18.4-6 (low; bug #702071) CVE-2013-1789 (splash/Splash.cc in poppler before 0.22.1 allows context-dependent att ...) - poppler (vulnerable code introduced in a later version) CVE-2013-1788 (poppler before 0.22.1 allows context-dependent attackers to cause a de ...) {DSA-2719-1} - poppler 0.18.4-6 (low; bug #702071) CVE-2013-1787 (Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the ...) NOT-FOR-US: Drupal addon CVE-2013-1786 (Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the ...) NOT-FOR-US: Drupal addon CVE-2013-1785 (Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the ...) NOT-FOR-US: Drupal addon CVE-2013-1784 (Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the ...) NOT-FOR-US: Drupal addon CVE-2013-1783 (Cross-site scripting (XSS) vulnerability in the 3 slide gallery in pag ...) NOT-FOR-US: Drupal addon CVE-2013-1782 (Cross-site scripting (XSS) vulnerability in the Responsive Blog Theme ...) NOT-FOR-US: Drupal addon CVE-2013-1781 (Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the ...) NOT-FOR-US: Drupal addon CVE-2013-1780 (Cross-site scripting (XSS) vulnerability in the Best Responsive Theme ...) NOT-FOR-US: Drupal addon CVE-2013-1779 (Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the ...) NOT-FOR-US: Drupal addon CVE-2013-1778 (Cross-site scripting (XSS) vulnerability in the Creative Theme 7.x-1.x ...) NOT-FOR-US: Drupal addon CVE-2013-1777 (The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as ...) NOT-FOR-US: JMX componenent of Apache Geronimo is not packaged CVE-2013-1776 (sudo 1.3.5 through 1.7.10 and 1.8.0 through 1.8.5, when the tty_ticket ...) {DSA-2642-1} - sudo 1.8.5p2-1+nmu1 (bug #701839) CVE-2013-1775 (sudo 1.6.0 through 1.7.10p6 and sudo 1.8.0 through 1.8.6p6 allows loca ...) {DSA-2642-1} - sudo 1.8.5p2-1+nmu1 (bug #701838) NOTE: severity depends a lot on the environment CVE-2013-1774 (The chase_port function in drivers/usb/serial/io_ti.c in the Linux ker ...) {DSA-2668-1} - linux 3.2.38-1 - linux-2.6 CVE-2013-1773 (Buffer overflow in the VFAT filesystem implementation in the Linux ker ...) {DSA-2668-1} - linux 3.2.15-1 - linux-2.6 NOTE: Probably gone since 3.2.15-1, but I checked 3.2.41-2 CVE-2013-1772 (The log_prefix function in kernel/printk.c in the Linux kernel 3.x bef ...) - linux 3.2.39-1 - linux-2.6 (Vulnerability exposed since 3.0) CVE-2013-1771 (The web server Monkeyd produces a world-readable log (/var/log/monkeyd ...) - monkey (low) [squeeze] - monkey (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2013/02/24/5 CVE-2013-1770 (Cross-site scripting (XSS) vulnerability in views_view.php in Ganglia ...) - ganglia 3.6.0-1 (low; bug #700158) [squeeze] - ganglia (Minor issue) [wheezy] - ganglia (Minor issue) - ganglia-web 3.5.8-3 (bug #700159) NOTE: starting with 3.6.0-1 the web front is no longer built from src:ganglia so marking this version as fixed NOTE: Upstream non-verified fix https://github.com/ganglia/ganglia-web/commit/552965f33bf79d41ccbec3f1f26840c8bab54ad6 CVE-2013-1769 (A certain hashing algorithm in Telepathy Gabble 0.16.x before 0.16.5 a ...) - telepathy-gabble 0.16.5-1 (low; bug #702252) [squeeze] - telepathy-gabble (Minor issue) CVE-2013-1768 (The BrokerFactory functionality in Apache OpenJPA 1.x before 1.2.3 and ...) - openjpa 2.2.2-1 (bug #716937) [squeeze] - openjpa (Minor issue) [wheezy] - openjpa (Minor issue) CVE-2013-1767 (Use-after-free vulnerability in the shmem_remount_fs function in mm/sh ...) {DSA-2668-1} - linux 3.2.41-1 - linux-2.6 CVE-2013-1766 (libvirt 1.0.2 and earlier sets the group owner to kvm for device files ...) {DSA-2650-1} - libvirt 0.9.12-8 (bug #701649) CVE-2013-1765 (Multiple cross-site scripting (XSS) vulnerabilities in jwplayer.swf in ...) NOT-FOR-US: WordPress plugin smart-flv CVE-2013-1764 (The Zypper (aka zypp) backend in PackageKit before 0.8.8 allows local ...) - packagekit (Zypp backend specific to SuSE) CVE-2013-1763 (Array index error in the __sock_diag_rcv_msg function in net/core/sock ...) - linux (Introduced in 3.3) NOTE: 3.6.9 and 3.7.8 in experimental are affected, 3.8 will be fixed. CVE-2013-1762 (stunnel 4.21 through 4.54, when CONNECT protocol negotiation and NTLM ...) {DSA-2664-1} - stunnel4 3:4.53-1.1 (bug #702267) CVE-2013-1761 RESERVED CVE-2013-1760 (The Bug Genie before 3.2.6 has Multiple XSS and HTML Injection Vulnera ...) NOT-FOR-US: Bug Genie CVE-2013-1759 (Cross-site scripting (XSS) vulnerability in the Responsive Logo Slides ...) NOT-FOR-US: WordPress plugin responsive-logo-slideshow CVE-2013-1758 (Cross-site scripting (XSS) vulnerability in the Marekkis Watermark plu ...) NOT-FOR-US: WordPress plugin marekkis-watermark CVE-2013-1757 RESERVED CVE-2013-1756 (The Dragonfly gem 0.7 before 0.8.6 and 0.9.x before 0.9.13 for Ruby, w ...) NOT-FOR-US: Dragonfly Ruby gem CVE-2013-1755 RESERVED CVE-2013-1754 RESERVED CVE-2013-1753 (The gzip_decode function in the xmlrpc client library in Python 3.4 an ...) - python2.5 (low) - python2.6 (low) - python2.7 2.7.9-1 (low; bug #742929) - python3.1 (low) - python3.2 (low) - python3.3 (low; bug #742928) - python3.4 3.4.2-4 (low; bug #742927) [jessie] - python3.4 (Minor issue) [squeeze] - python2.5 (Minor issue) [squeeze] - python2.6 (Minor issue) [wheezy] - python2.6 (Minor issue) [wheezy] - python2.7 (Minor issue) [squeeze] - python3.1 (Minor issue) [wheezy] - python3.2 (Minor issue) NOTE: http://bugs.python.org/issue16043 NOTE: https://github.com/python/cpython/commit/eca72d47f5a639a0ac66a98a2d63b30df2ce310f (3.4) CVE-2013-1752 REJECTED CVE-2013-1751 (TWiki before 5.1.4 allows remote attackers to execute arbitrary shell ...) - twiki NOTE: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2013-1751 CVE-2013-1750 (Heap-based buffer overflow in RealNetworks RealPlayer before 16.0.1.18 ...) NOT-FOR-US: RealPlayer CVE-2013-1749 (Cross-site scripting (XSS) vulnerability in edit.php in PHP Address Bo ...) NOT-FOR-US: PHP Address Book CVE-2013-1748 (Multiple SQL injection vulnerabilities in PHP Address Book 8.2.5 allow ...) NOT-FOR-US: PHP Address Book CVE-2012-6533 (Buffer overflow in pgpwded.sys in Symantec PGP Desktop 10.x and Encryp ...) NOT-FOR-US: Symantec PGP Desktop CVE-2013-1747 (channel.c in ngIRCd 20 and 20.1 allows remote attackers to cause a den ...) - ngircd (Vulnerable version was only in experimental, introduced in 20.1-1~exp1 and fixed in 20.2-1~exp1) CVE-2013-1746 RESERVED CVE-2013-1745 RESERVED CVE-2013-1744 (IRIS citations management tool through 1.3 allows remote attackers to ...) NOT-FOR-US: IRIS citations management tool CVE-2013-1743 (Multiple cross-site scripting (XSS) vulnerabilities in report.cgi in B ...) - bugzilla (Only affects 4.1 to 4.4) - bugzilla4 (bug #669643) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=924932 CVE-2013-1742 (Multiple cross-site scripting (XSS) vulnerabilities in editflagtypes.c ...) - bugzilla (low) [squeeze] - bugzilla (Minor issue) - bugzilla4 (bug #669643) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=924802 CVE-2013-1741 (Integer overflow in Mozilla Network Security Services (NSS) 3.15 befor ...) {DSA-2994-1 DLA-23-1} - nss 2:3.15.3-1 (bug #735105) [squeeze] - nss 3.12.8-1+squeeze8 NOTE: https://hg.mozilla.org/projects/nss/rev/612d7d1eb9e7 CVE-2013-1740 (The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Net ...) - nss 2:3.15.4-1 [squeeze] - nss (false start disabled by default, needs to be enabled by clients) [wheezy] - nss (false start disabled by default, needs to be enabled by clients) NOTE: false start must be enabled by the client (mainly browsers) CVE-2013-1739 (Mozilla Network Security Services (NSS) before 3.15.2 does not ensure ...) {DSA-2790-1} - nss 2:3.15.2-1 (bug #726473) [squeeze] - nss (Introduced in 3.14.3) NOTE: https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.2_release_notes NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1012656 CVE-2013-1738 (Use-after-free vulnerability in the JS_GetGlobalForScopeChain function ...) - iceweasel 24.0-1 [wheezy] - iceweasel (Only affects Firefox > 17) [squeeze] - iceweasel - icedove (Only affects Firefox > 17) - iceape (Only affects Firefox > 17) CVE-2013-1737 (Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbi ...) {DSA-2762-1 DSA-2759-1} - iceweasel 24.0-1 [squeeze] - iceweasel - icedove 17.0.9-1 [squeeze] - icedove CVE-2013-1736 (The nsGfxScrollFrameInner::IsLTR function in Mozilla Firefox before 24 ...) {DSA-2762-1 DSA-2759-1} - iceweasel 24.0-1 [squeeze] - iceweasel - icedove 17.0.9-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1735 (Use-after-free vulnerability in the mozilla::layout::ScrollbarActivity ...) {DSA-2762-1 DSA-2759-1} - iceweasel 24.0-1 [squeeze] - iceweasel - icedove 17.0.9-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1734 (Cross-site request forgery (CSRF) vulnerability in attachment.cgi in B ...) - bugzilla (low) [squeeze] - bugzilla (Minor issue) - bugzilla4 (bug #669643) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=913904 CVE-2013-1733 (Cross-site request forgery (CSRF) vulnerability in process_bug.cgi in ...) - bugzilla (Only affects 4.4) - bugzilla4 (bug #669643) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=911593 CVE-2013-1732 (Buffer overflow in the nsFloatManager::GetFlowArea function in Mozilla ...) {DSA-2762-1 DSA-2759-1} - iceweasel 24.0-1 [squeeze] - iceweasel - icedove 17.0.9-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1731 (Untrusted search path vulnerability in the GL tracing functionality in ...) - iceweasel (Android-specific) - icedove (Android-specific) - iceape (Android-specific) CVE-2013-1730 (Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbi ...) {DSA-2762-1 DSA-2759-1} - iceweasel 24.0-1 [squeeze] - iceweasel - icedove 17.0.9-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1729 (The WebGL implementation in Mozilla Firefox before 24.0, when NVIDIA g ...) - iceweasel (MacOS-specific) - icedove (MacOS-specific) - iceape (MacOS-specific) CVE-2013-1728 (The IonMonkey JavaScript engine in Mozilla Firefox before 24.0, Thunde ...) - iceweasel 24.0-1 [wheezy] - iceweasel (Only affects Firefox > 17) [squeeze] - iceweasel - icedove (Only affects Firefox > 17) - iceape (Only affects Firefox > 17) CVE-2013-1727 (Mozilla Firefox before 24.0 on Android allows attackers to bypass the ...) - iceweasel (Android-specific) - icedove (Android-specific) - iceape (Android-specific) CVE-2013-1726 (Mozilla Updater in Mozilla Firefox before 24.0, Firefox ESR 17.x befor ...) - iceweasel (Updater not used in Debian) - icedove (Updater not used in Debian) - iceape (Updater not used in Debian) CVE-2013-1725 (Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbi ...) {DSA-2762-1 DSA-2759-1} - iceweasel 24.0-1 [squeeze] - iceweasel - icedove 17.0.9-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1724 (Use-after-free vulnerability in the mozilla::dom::HTMLFormElement::IsD ...) - iceweasel 24.0-1 [wheezy] - iceweasel (Only affects Firefox > 17) [squeeze] - iceweasel - icedove (Only affects Firefox > 17) - iceape (Only affects Firefox > 17) CVE-2013-1723 (The NativeKey widget in Mozilla Firefox before 24.0, Thunderbird befor ...) - iceweasel 24.0-1 [wheezy] - iceweasel (Only affects Firefox > 17) [squeeze] - iceweasel - icedove (Only affects Firefox > 17) - iceape (Only affects Firefox > 17) CVE-2013-1722 (Use-after-free vulnerability in the nsAnimationManager::BuildAnimation ...) {DSA-2762-1 DSA-2759-1} - iceweasel 24.0-1 [squeeze] - iceweasel - icedove 17.0.9-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1721 (Integer overflow in the drawLineLoop function in the libGLESv2 library ...) - iceweasel 24.0-1 [wheezy] - iceweasel (Only affects Firefox > 17) [squeeze] - iceweasel - iceape (Only affects Firefox > 17) CVE-2013-1720 (The nsHtml5TreeBuilder::resetTheInsertionMode function in the HTML5 Tr ...) - iceweasel 24.0-1 [wheezy] - iceweasel (Only affects Firefox > 17) [squeeze] - iceweasel - icedove (Only affects Firefox > 17) - iceape (Only affects Firefox > 17) CVE-2013-1719 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel 24.0-1 [wheezy] - iceweasel (Only affects Firefox > 17) [squeeze] - iceweasel - icedove (Only affects Firefox > 17) - iceape (Only affects Firefox > 17) CVE-2013-1718 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2762-1 DSA-2759-1} - iceweasel 24.0-1 [squeeze] - iceweasel - icedove 17.0.9-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1717 (Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbi ...) {DSA-2746-1 DSA-2735-1} - iceweasel 17.0.8esr-1 [squeeze] - iceweasel - icedove 17.0.8-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1716 RESERVED CVE-2013-1715 (Multiple untrusted search path vulnerabilities in the (1) full install ...) - iceweasel (Windows-specific) CVE-2013-1714 (The Web Workers implementation in Mozilla Firefox before 23.0, Firefox ...) {DSA-2746-1 DSA-2735-1} - iceweasel 17.0.8esr-1 [squeeze] - iceweasel - icedove 17.0.8-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1713 (Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbi ...) {DSA-2746-1 DSA-2735-1} - iceweasel 17.0.8esr-1 [squeeze] - iceweasel - icedove 17.0.8-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1712 (Multiple untrusted search path vulnerabilities in updater.exe in Mozil ...) - iceweasel (Windows-specific) - icedove (Windows-specific) - iceape (Windows-specific) CVE-2013-1711 (The XrayWrapper implementation in Mozilla Firefox before 23.0 and SeaM ...) - iceweasel (Only affects Firefox > 17) - iceape (Only affects Firefox > 17) CVE-2013-1710 (The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0 ...) {DSA-2746-1 DSA-2735-1} - iceweasel 17.0.8esr-1 [squeeze] - iceweasel - icedove 17.0.8-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1709 (Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbi ...) {DSA-2746-1 DSA-2735-1} - iceweasel 17.0.8esr-1 [squeeze] - iceweasel - icedove 17.0.8-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1708 (Mozilla Firefox before 23.0 and SeaMonkey before 2.20 allow remote att ...) - iceweasel (Only affects Firefox > 17) - iceape (Only affects Firefox > 17) CVE-2013-1707 (Stack-based buffer overflow in Mozilla Updater in Mozilla Firefox befo ...) - iceweasel (Windows-specific) - icedove (Windows-specific) - iceape (Windows-specific) CVE-2013-1706 (Stack-based buffer overflow in maintenanceservice.exe in the Mozilla M ...) - iceweasel (Windows-specific) - icedove (Windows-specific) - iceape (Windows-specific) CVE-2013-1705 (Heap-based buffer underflow in the cryptojs_interpret_key_gen_type fun ...) - iceweasel 23.0-1 [wheezy] - iceweasel (Only affects Firefox > 17) [squeeze] - iceweasel (Only affects Firefox > 17) - iceape (Only affects Firefox > 17) CVE-2013-1704 (Use-after-free vulnerability in the nsINode::GetParentNode function in ...) - iceweasel (Only affects Firefox > 17) - iceape (Only affects Firefox > 17) CVE-2013-1703 RESERVED CVE-2013-1702 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel (Only affects Firefox > 17) - icedove (Only affects Firefox > 17) - iceape (Only affects Firefox > 17) CVE-2013-1701 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2746-1 DSA-2735-1} - iceweasel 17.0.8esr-1 [squeeze] - iceweasel - icedove 17.0.8-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1700 (The Mozilla Maintenance Service in Mozilla Firefox before 22.0 on Wind ...) - iceweasel (Only affects Firefox > 17) CVE-2013-1699 (The Internationalized Domain Name (IDN) display algorithm in Mozilla F ...) - iceweasel (Only affects Firefox > 17) CVE-2013-1698 (The getUserMedia permission implementation in Mozilla Firefox before 2 ...) - iceweasel (Only affects Firefox > 17) CVE-2013-1697 (The XrayWrapper implementation in Mozilla Firefox before 22.0, Firefox ...) {DSA-2720-1 DSA-2716-1} - iceweasel 17.0.7esr-1 [squeeze] - iceweasel - icedove 17.0.7-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1696 (Mozilla Firefox before 22.0 does not properly enforce the X-Frame-Opti ...) - iceweasel (Only affects Firefox > 17) CVE-2013-1695 (Mozilla Firefox before 22.0 does not properly implement certain DocShe ...) - iceweasel (Only affects Firefox > 17) CVE-2013-1694 (The PreserveWrapper implementation in Mozilla Firefox before 22.0, Fir ...) {DSA-2720-1 DSA-2716-1} - iceweasel 17.0.7esr-1 [squeeze] - iceweasel - icedove 17.0.7-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1693 (The SVG filter implementation in Mozilla Firefox before 22.0, Firefox ...) {DSA-2720-1 DSA-2716-1} - iceweasel 17.0.7esr-1 [squeeze] - iceweasel - icedove 17.0.7-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1692 (Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbi ...) {DSA-2720-1 DSA-2716-1} - iceweasel 17.0.7esr-1 [squeeze] - iceweasel - icedove 17.0.7-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1691 RESERVED CVE-2013-1690 (Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbi ...) {DSA-2720-1 DSA-2716-1} - iceweasel 17.0.7esr-1 [squeeze] - iceweasel - icedove 17.0.7-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1689 (Mozilla Firefox 20.0a1 and earlier allows remote attackers to cause a ...) [wheezy] - iceape CVE-2013-1688 (The Profiler implementation in Mozilla Firefox before 22.0 parses untr ...) - iceweasel (Only affects Firefox > 17) CVE-2013-1687 (The System Only Wrapper (SOW) and Chrome Object Wrapper (COW) implemen ...) {DSA-2720-1 DSA-2716-1} - iceweasel 17.0.7esr-1 [squeeze] - iceweasel - icedove 17.0.7-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1686 (Use-after-free vulnerability in the mozilla::ResetDir function in Mozi ...) {DSA-2720-1 DSA-2716-1} - iceweasel 17.0.7esr-1 [squeeze] - iceweasel - icedove 17.0.7-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1685 (Use-after-free vulnerability in the nsIDocument::GetRootElement functi ...) {DSA-2720-1 DSA-2716-1} - iceweasel 17.0.7esr-1 [squeeze] - iceweasel - icedove 17.0.7-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1684 (Use-after-free vulnerability in the mozilla::dom::HTMLMediaElement::Lo ...) {DSA-2720-1 DSA-2716-1} - iceweasel 17.0.7esr-1 [squeeze] - iceweasel - icedove 17.0.7-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1683 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel (Only affects Firefox 21) - icedove (Only affects Firefox 21) - iceape (Only affects Firefox 21) CVE-2013-1682 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2720-1 DSA-2716-1} - iceweasel 17.0.7esr-1 [squeeze] - iceweasel - icedove 17.0.7-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1681 (Use-after-free vulnerability in the nsContentUtils::RemoveScriptBlocke ...) {DSA-2720-1 DSA-2699-1} - iceweasel 17.0.6esr-1 [squeeze] - iceweasel - icedove 17.0.7-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1680 (Use-after-free vulnerability in the nsFrameList::FirstChild function i ...) {DSA-2720-1 DSA-2699-1} [squeeze] - iceweasel - iceweasel 17.0.6esr-1 - icedove 17.0.7-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1679 (Use-after-free vulnerability in the mozilla::plugins::child::_geturlno ...) {DSA-2720-1 DSA-2699-1} - iceweasel 17.0.6esr-1 [squeeze] - iceweasel - icedove 17.0.7-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1678 (The _cairo_xlib_surface_add_glyph function in Mozilla Firefox before 2 ...) {DSA-2720-1 DSA-2699-1} - iceweasel 17.0.6esr-1 [squeeze] - iceweasel - icedove 17.0.7-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1677 (The gfxSkipCharsIterator::SetOffsets function in Mozilla Firefox befor ...) {DSA-2720-1 DSA-2699-1} - iceweasel 17.0.6esr-1 [squeeze] - iceweasel - icedove 17.0.7-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1676 (The SelectionIterator::GetNextSegment function in Mozilla Firefox befo ...) {DSA-2720-1 DSA-2699-1} - iceweasel 17.0.6esr-1 [squeeze] - iceweasel - icedove 17.0.7-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1675 (Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbi ...) {DSA-2720-1 DSA-2699-1} - iceweasel 17.0.6esr-1 [squeeze] - iceweasel - icedove 17.0.7-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1674 (Use-after-free vulnerability in Mozilla Firefox before 21.0, Firefox E ...) {DSA-2720-1 DSA-2699-1} - iceweasel 17.0.6esr-1 [squeeze] - iceweasel - icedove 17.0.7-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1673 (The Mozilla Updater in Mozilla Firefox before 21.0 on Windows does not ...) - iceweasel (Windows build only) CVE-2013-1672 (The Mozilla Maintenance Service in Mozilla Firefox before 21.0, Firefo ...) - iceweasel (Windows build only) - icedove (Windows build only) - iceape (Windows build only) CVE-2013-1671 (Mozilla Firefox before 21.0 does not properly implement the INPUT elem ...) - iceweasel (Doesn't affect ESR 17 series, only later versions in experimental) CVE-2013-1670 (The Chrome Object Wrapper (COW) implementation in Mozilla Firefox befo ...) {DSA-2720-1 DSA-2699-1} - iceweasel 17.0.6esr-1 [squeeze] - iceweasel - icedove 17.0.7-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-1669 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel (Only affects Firefox 20) - icedove (Only affects Firefox 20) - iceape (Only affects Firefox 20) CVE-2013-1668 (The uploadFile function in upload/index.php in CosCMS before 1.822 all ...) NOT-FOR-US: CosCMS CVE-2013-1667 (The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-depen ...) {DSA-2641-1} - perl 5.14.2-19 (bug #702296) NOTE: http://www.nntp.perl.org/group/perl.perl5.porters/2013/03/msg199755.html CVE-2013-1666 (Foswiki before 1.1.8 contains a code injection vulnerability in the MA ...) - foswiki (bug #509864) CVE-2013-1665 (The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used ...) {DSA-2634-1} - keystone 2012.1.1-13 (bug #700948) - python-django 1.4.4-1 CVE-2013-1664 (The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used ...) - keystone 2012.1.1-13 (bug #700948) - nova 2012.1.1-13 (bug #700949) - cinder 2012.2.3-1 (bug #700950) CVE-2012-6532 ((1) Zend_Dom, (2) Zend_Feed, (3) Zend_Soap, and (4) Zend_XmlRpc in Zen ...) {DLA-251-1} - zendframework 1.11.13-1 CVE-2012-6531 ((1) Zend_Dom, (2) Zend_Feed, and (3) Zend_Soap in Zend Framework 1.x b ...) {DLA-251-1} - zendframework 1.11.13-1 CVE-2013-1663 RESERVED CVE-2013-1662 (vmware-mount in VMware Workstation 8.x and 9.x and VMware Player 4.x a ...) NOT-FOR-US: VMware CVE-2013-1661 (VMware ESXi 4.0 through 5.1, and ESX 4.0 and 4.1, does not properly im ...) NOT-FOR-US: VMware ESXi CVE-2013-1660 REJECTED CVE-2013-1659 (VMware vCenter Server 4.0 before Update 4b, 5.0 before Update 2, and 5 ...) NOT-FOR-US: vCenter CVE-2013-1658 RESERVED CVE-2013-1657 RESERVED CVE-2011-5265 (Cross-site scripting (XSS) vulnerability in cached_image.php in the Fe ...) NOT-FOR-US: Wordpress plugin CVE-2011-5264 (Cross-site scripting (XSS) vulnerability in lazyest-backup.php in the ...) NOT-FOR-US: Wordpress plugin CVE-2011-5263 (Cross-site scripting (XSS) vulnerability in RetrieveMailExamples in SA ...) NOT-FOR-US: SAP NetWeaver CVE-2011-5262 (SQL injection vulnerability in prodpage.cfm in SonicWALL Aventail allo ...) NOT-FOR-US: SonicWALL Aventail CVE-2011-5261 (Cross-site scripting (XSS) vulnerability in serverreport.cgi in Axis M ...) NOT-FOR-US: Axis M10 Series Network Cameras CVE-2011-5260 (Cross-site scripting (XSS) vulnerability in SAP/BW/DOC/METADATA in SAP ...) NOT-FOR-US: NetWeaver CVE-2011-5259 (SQL injection vulnerability in lib/controllers/CentralController.php i ...) NOT-FOR-US: OrangehRM CVE-2011-5258 (Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM befor ...) NOT-FOR-US: OrangehRM CVE-2011-5257 (Multiple cross-site scripting (XSS) vulnerabilities in the Classipress ...) NOT-FOR-US: WordPress theme CVE-2011-5256 (Cross-site scripting (XSS) vulnerability in the tooltips in LimeSurvey ...) - limesurvey (bug #472802) CVE-2013-1656 (Spree Commerce 1.0.x through 1.3.2 allows remote authenticated adminis ...) NOT-FOR-US: Spree CVE-2013-1655 (Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when running Ruby 1 ...) {DSA-2643-1} - puppet 2.7.18-3 CVE-2013-1654 (Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, and Puppet Enterpri ...) {DSA-2643-1} - puppet 2.7.18-3 CVE-2013-1653 (Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and ...) {DSA-2643-1} - puppet 2.7.18-3 CVE-2013-1652 (Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and ...) {DSA-2643-1} - puppet 2.7.18-3 CVE-2013-1651 (OXUpdater in Open-Xchange Server before 6.20.7 rev14, 6.22.0 before re ...) NOT-FOR-US: Open-Xchange CVE-2013-1650 (Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22 ...) NOT-FOR-US: Open-Xchange CVE-2013-1649 (Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22 ...) NOT-FOR-US: Open-Xchange CVE-2013-1648 (The Subscriptions feature in Open-Xchange Server before 6.20.7 rev14, ...) NOT-FOR-US: Open-Xchange CVE-2013-1647 (Multiple CRLF injection vulnerabilities in Open-Xchange Server before ...) NOT-FOR-US: Open-Xchange CVE-2013-1646 (Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange Se ...) NOT-FOR-US: Open-Xchange CVE-2013-1645 (Directory traversal vulnerability in Open-Xchange Server before 6.20.7 ...) NOT-FOR-US: Open-Xchange CVE-2013-1644 RESERVED CVE-2013-1643 (The SOAP parser in PHP before 5.3.23 and 5.4.x before 5.4.13 allows re ...) {DSA-2639-1} - php5 5.4.4-14 (bug #702221) NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=c737b89473df9dba6742b8fc8fbf6d009bf05c36 CVE-2013-1642 (Multiple cross-site scripting (XSS) vulnerabilities in QuiXplorer befo ...) NOT-FOR-US: QuiXplorer CVE-2013-1641 (Directory traversal vulnerability in the zip download functionality in ...) NOT-FOR-US: QuiXplorer CVE-2013-1640 (The (1) template and (2) inline_template functions in the master serve ...) {DSA-2643-1} - puppet 2.7.18-3 CVE-2013-1639 (Opera before 12.13 does not send CORS preflight requests in all requir ...) NOT-FOR-US: Opera CVE-2013-1638 (Opera before 12.13 allows remote attackers to execute arbitrary code v ...) NOT-FOR-US: Opera CVE-2013-1637 (Opera before 12.13 allows remote attackers to execute arbitrary code v ...) NOT-FOR-US: Opera CVE-2013-1636 (Cross-site scripting (XSS) vulnerability in open-flash-chart.swf in Op ...) - biomaj-watcher 1.2.2-1 (low; bug #742859) [wheezy] - biomaj-watcher (Minor issue) CVE-2013-1635 (ext/soap/soap.c in PHP before 5.3.22 and 5.4.x before 5.4.13 does not ...) {DSA-2639-1} - php5 5.4.4-14 (unimportant; bug #702221) NOTE: open_basedir not supported NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=702b436ef470cc02f8e2cc21f2fadeee42103c74 CVE-2013-1634 (A denial of service vulnerability exists in some motherboard implement ...) NOT-FOR-US: Intel CVE-2013-1633 (easy_install in setuptools before 0.7 uses HTTP to retrieve packages f ...) - distribute (unimportant) NOTE: Lack of a security feature, not a vulnerability CVE-2013-1632 RESERVED CVE-2013-1631 (Verax NMS prior to 2.1.0 leaks connection details when any user execut ...) NOT-FOR-US: Verax NMS CVE-2013-1630 (pyshop before 0.7.1 uses HTTP to retrieve packages from the PyPI repos ...) NOT-FOR-US: pyshop CVE-2013-1629 (pip before 1.3 uses HTTP to retrieve packages from the PyPI repository ...) - python-pip 1.3.1-1 (low; bug #710163) [wheezy] - python-pip (Minor issue) [squeeze] - python-pip (Minor issue) - python-virtualenv 1.9.1-1 (medium; bug #710164) [wheezy] - python-virtualenv (Minor issue) [squeeze] - python-virtualenv (Minor issue) CVE-2013-1628 REJECTED CVE-2013-1627 (Absolute path traversal vulnerability in NTWebServer.exe in Indusoft S ...) NOT-FOR-US: Indusoft Studio, Advantech Studio CVE-2013-1626 RESERVED CVE-2013-1625 RESERVED CVE-2013-1624 (The TLS implementation in the Bouncy Castle Java library before 1.48 a ...) - bouncycastle 1.48+dfsg-2 (low; bug #699885) [squeeze] - bouncycastle (Minor issue) [wheezy] - bouncycastle (Minor issue) CVE-2013-1623 (The TLS and DTLS implementations in wolfSSL CyaSSL before 2.5.0 do not ...) {DSA-2780-1} - mysql-5.1 - mysql-5.5 5.5.30+dfsg-1.1 (bug #699886) - cyassl (Fixed before initial upload to archive) NOTE: cyassl: fixed upstream in 2.5.0 CVE-2013-1622 REJECTED CVE-2013-1621 (Array index error in the SSL module in PolarSSL before 1.2.5 might all ...) {DSA-2622-1} - polarssl 1.1.4-2 (bug #699887) CVE-2013-1620 (The TLS implementation in Mozilla Network Security Services (NSS) does ...) - nss 2:3.14.3-1 (low; bug #699888) [squeeze] - nss (Minor issue) CVE-2013-1619 (The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, ...) - gnutls26 2.12.20-4 [squeeze] - gnutls26 (Too intrusive to backport) - gnutls28 3.0.22-3 CVE-2013-1618 (The TLS implementation in Opera before 12.13 does not properly conside ...) NOT-FOR-US: Opera CVE-2013-1617 (Multiple SQL injection vulnerabilities in the management console on th ...) NOT-FOR-US: Symantec CVE-2013-1616 (The management console on the Symantec Web Gateway (SWG) appliance bef ...) NOT-FOR-US: Symantec CVE-2013-1615 (The management console (aka Java console) on the Symantec Security Inf ...) NOT-FOR-US: Symantec CVE-2013-1614 (Multiple cross-site scripting (XSS) vulnerabilities in the management ...) NOT-FOR-US: Symantec CVE-2013-1613 (SQL injection vulnerability in the management console (aka Java consol ...) NOT-FOR-US: Symantec CVE-2013-1612 (Buffer overflow in secars.dll in the management console in Symantec En ...) NOT-FOR-US: Symantec CVE-2013-1611 (Multiple cross-site scripting (XSS) vulnerabilities in administrative- ...) NOT-FOR-US: Symantec Brightmail Gateway CVE-2013-1610 (Unquoted Windows search path vulnerability in RDDService in Symantec P ...) NOT-FOR-US: Symantec CVE-2013-1609 (Multiple unquoted Windows search path vulnerabilities in the (1) File ...) NOT-FOR-US: Symantec CVE-2013-1608 (Directory traversal vulnerability in the Management Console on the Sym ...) NOT-FOR-US: Symantec CVE-2013-1607 (Ruby PDFKit gem prior to 0.5.3 has a Code Execution Vulnerability ...) NOT-FOR-US: Ruby PDFKit gem CVE-2013-1606 (Buffer overflow in the ubnt-streamer RTSP service on the Ubiquiti UBNT ...) NOT-FOR-US: Ubiquiti UBNT AirCam CVE-2013-1605 (Buffer overflow in MayGion IP Cameras with firmware before 2013.04.22 ...) NOT-FOR-US: MayGion IP Cameras CVE-2013-1604 (Directory traversal vulnerability in MayGion IP Cameras with firmware ...) NOT-FOR-US: MayGion IP Cameras CVE-2013-1603 (An Authentication vulnerability exists in D-LINK WCS-1100 1.02, TESCO ...) NOT-FOR-US: D-LINK CVE-2013-1602 (An Information Disclosure vulnerability exists due to insufficient val ...) NOT-FOR-US: D-LINK CVE-2013-1601 (An Information Disclosure vulnerability exists due to a failure to res ...) NOT-FOR-US: D-LINK CVE-2013-1600 (An Authentication Bypass vulnerability exists in upnp/asf-mp4.asf when ...) NOT-FOR-US: D-Link CVE-2013-1599 (A Command Injection vulnerability exists in the /var/www/cgi-bin/rtpd. ...) NOT-FOR-US: D-Link CVE-2013-1598 (A Command Injection vulnerability exists in Vivotek PT7135 IP Cameras ...) NOT-FOR-US: Vivotek PT7135 IP Cameras CVE-2013-1597 (A Directory Traversal vulnerability exists in Vivotek PT7135 IP Camera ...) NOT-FOR-US: Vivotek PT7135 IP Cameras CVE-2013-1596 (An Authentication Bypass Vulnerability exists in Vivotek PT7135 IP Cam ...) NOT-FOR-US: Vivotek PT7135 IP Cameras CVE-2013-1595 (A Buffer Overflow vulnerability exists in Vivotek PT7135 IP Camera 030 ...) NOT-FOR-US: Vivotek PT7135 IP Cameras CVE-2013-1594 (An Information Disclosure vulnerability exists via a GET request in Vi ...) NOT-FOR-US: Vivotek PT7135 IP Cameras CVE-2013-1593 (A Denial of Service vulnerability exists in the WRITE_C function in th ...) NOT-FOR-US: SAP CVE-2013-1592 (A Buffer Overflow vulnerability exists in the Message Server service _ ...) NOT-FOR-US: SAP CVE-2013-1591 (Stack-based buffer overflow in libpixman, as used in Pale Moon before ...) - pixman 0.26.0-4 (bug #700308) [squeeze] - pixman (Vulnerable code not present) CVE-2013-1590 (Buffer overflow in the NTLMSSP dissector in Wireshark 1.6.x before 1.6 ...) {DSA-2625-1} - wireshark 1.8.6-1 [wheezy] - wireshark 1.8.2-5wheezy1 CVE-2013-1589 (Double free vulnerability in epan/proto.c in the dissection engine in ...) - wireshark 1.8.6-1 (unimportant) [wheezy] - wireshark 1.8.2-5wheezy1 NOTE: Not suitable for code injection CVE-2013-1588 (Multiple buffer overflows in the dissect_pft_fec_detailed function in ...) {DSA-2625-1} - wireshark 1.8.6-1 [wheezy] - wireshark 1.8.2-5wheezy1 NOTE: Upstream bug: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8213 NOTE: Upstream patch: http://anonsvn.wireshark.org/viewvc?view=revision&revision=47098 CVE-2013-1587 (The dissect_rohc_ir_packet function in epan/dissectors/packet-rohc.c i ...) - wireshark 1.8.6-1 [squeeze] - wireshark (Vulnerable code not present) [wheezy] - wireshark 1.8.2-5wheezy1 NOTE: Upstream bug: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7679 NOTE: Upstream patch: http://anonsvn.wireshark.org/viewvc?view=revision&revision=44700 CVE-2013-1586 (The fragment_set_tot_len function in epan/reassemble.c in Wireshark 1. ...) {DSA-2625-1} - wireshark 1.8.6-1 [wheezy] - wireshark 1.8.2-5wheezy1 NOTE: Upstream bug: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8111 NOTE: http://anonsvn.wireshark.org/viewvc?view=revision&revision=46999 NOTE: http://anonsvn.wireshark.org/viewvc?view=revision&revision=47000 CVE-2013-1585 (epan/tvbuff.c in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 ...) - wireshark 1.8.6-1 [squeeze] - wireshark (Vulnerable code not present) [wheezy] - wireshark 1.8.2-5wheezy1 NOTE: Upstream bug: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8112 NOTE: http://anonsvn.wireshark.org/viewvc?view=revision&revision=46705 NOTE: http://anonsvn.wireshark.org/viewvc?view=revision&revision=46678 CVE-2013-1584 (The dissect_version_5_and_6_primary_header function in epan/dissectors ...) - wireshark 1.8.6-1 [squeeze] - wireshark (Vulnerable code not present) [wheezy] - wireshark 1.8.2-5wheezy1 NOTE: Upstream bug: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7945 NOTE: http://anonsvn.wireshark.org/viewvc?view=revision&revision=46579 CVE-2013-1583 (The dissect_version_4_primary_header function in epan/dissectors/packe ...) - wireshark 1.8.6-1 [squeeze] - wireshark (Vulnerable code not present) [wheezy] - wireshark 1.8.2-5wheezy1 NOTE: Upstream bug: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7945 NOTE: http://anonsvn.wireshark.org/viewvc?view=revision&revision=46577 CVE-2013-1582 (The dissect_clnp function in epan/dissectors/packet-clnp.c in the CLNP ...) {DSA-2625-1} - wireshark 1.8.6-1 [wheezy] - wireshark 1.8.2-5wheezy1 NOTE: Upstream bug: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7871 NOTE: http://anonsvn.wireshark.org/viewvc?view=revision&revision=45646 CVE-2013-1571 (Unspecified vulnerability in the Javadoc component in Oracle Java SE 7 ...) {DSA-2727-1 DSA-2722-1} - openjdk-6 6b27-1.12.6-1 - openjdk-7 7u25-2.3.10-1 CVE-2013-1570 (Unspecified vulnerability in Oracle MySQL 5.6.10 and earlier allows re ...) - mysql-5.5 (Only affects MySQL 5.6) - mysql-5.1 (Only affects MySQL 5.6) CVE-2013-1569 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-3187-1 DLA-219-1} - openjdk-7 7u21-2.3.9-1 - openjdk-6 6b27-1.12.5-1 - icu 52.1-1 CVE-2013-1568 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle Financial Services Software CVE-2013-1567 (Unspecified vulnerability in Oracle MySQL 5.6.10 and earlier allows re ...) - mysql-5.5 (Only affects MySQL 5.6) - mysql-5.1 (Only affects MySQL 5.6) CVE-2013-1566 (Unspecified vulnerability in Oracle MySQL 5.6.10 and earlier allows re ...) - mysql-5.5 (Only affects MySQL 5.6) - mysql-5.1 (Only affects MySQL 5.6) CVE-2013-1565 (Unspecified vulnerability in the Oracle GoldenGate Veridata component ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-1564 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2013-1563 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Installation component of Oracle Java doesn't apply to IcedTea/OpenJDK) - openjdk-7 (Installation component of Oracle Java doesn't apply to IcedTea/OpenJDK) CVE-2013-1562 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle Financial Services CVE-2013-1561 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2013-1560 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle Financial Services CVE-2013-1559 (Unspecified vulnerability in the Oracle WebCenter Content component in ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-1558 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 7u21-2.3.9-1 - openjdk-6 6b27-1.12.5-1 CVE-2013-1557 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 7u21-2.3.9-1 - openjdk-6 6b27-1.12.5-1 CVE-2013-1556 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle Financial Services Software CVE-2013-1555 (Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier, and 5.5. ...) {DSA-2780-1} - mysql-5.5 5.5.30+dfsg-1 - mysql-5.1 - mariadb-10.0 (Fixed before initial upload) - mariadb-5.5 (Fixed before initial upload) CVE-2013-1554 (Unspecified vulnerability in the Network Layer component in Oracle Dat ...) NOT-FOR-US: Oracle Database Server CVE-2013-1553 (Unspecified vulnerability in the Oracle Web Services Manager component ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-1552 (Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier and 5.5.2 ...) {DSA-2780-1} - mysql-5.5 5.5.30+dfsg-1 - mysql-5.1 - mariadb-10.0 (Fixed before initial upload) - mariadb-5.5 (Fixed before initial upload) CVE-2013-1551 (Unspecified vulnerability in the Siebel Enterprise Application Integra ...) NOT-FOR-US: Oracle Siebel CRM CVE-2013-1550 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-1549 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle Financial Services Software CVE-2013-1548 (Unspecified vulnerability in Oracle MySQL 5.1.63 and earlier allows re ...) {DSA-2780-1} - mysql-5.5 (Only affects MySQL 5.1) - mysql-5.1 - mariadb-10.0 (Fixed before initial upload) - mariadb-5.5 (Fixed before initial upload) CVE-2013-1547 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle Financial Services Software CVE-2013-1546 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle Financial Services Software CVE-2013-1545 (Unspecified vulnerability in the Oracle HTTP Server component in Oracl ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-1544 (Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 a ...) {DSA-2780-1 DSA-2667-1} - mysql-5.5 5.5.31+dfsg-1 - mysql-5.1 - mariadb-10.0 (Fixed before initial upload) - mariadb-5.5 (Fixed before initial upload) CVE-2013-1543 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...) NOT-FOR-US: Oracle Siebel CRM CVE-2013-1542 (Unspecified vulnerability in the Oracle Containers for J2EE component ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-1541 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle Finacial Services CVE-2013-1540 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-1539 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle Financial Services CVE-2013-1538 (Unspecified vulnerability in the Network Layer component in Oracle Dat ...) NOT-FOR-US: Oracle Database Server CVE-2013-1537 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 7u21-2.3.9-1 - openjdk-6 6b27-1.12.5-1 CVE-2013-1536 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle Supply Chain Products CVE-2013-1535 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle Financial Services Software CVE-2013-1534 (Unspecified vulnerability in the Workload Manager component in Oracle ...) NOT-FOR-US: Oracle Database Server CVE-2013-1533 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle financial Services Software CVE-2013-1532 (Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 a ...) {DSA-2780-1 DSA-2667-1} - mysql-5.5 5.5.31+dfsg-1 - mysql-5.1 - mariadb-10.0 (Fixed before initial upload) - mariadb-5.5 (Fixed before initial upload) CVE-2013-1531 (Unspecified vulnerability in Oracle MySQL 5.1.66 and earlier and 5.5.2 ...) {DSA-2780-1} - mysql-5.5 5.5.30+dfsg-1 - mysql-5.1 - mariadb-10.0 (Fixed before initial upload) - mariadb-5.5 (Fixed before initial upload) CVE-2013-1530 (Unspecified vulnerability in Oracle Sun Solaris 10 allows local users ...) NOT-FOR-US: Oracle Solaris CVE-2013-1529 (Unspecified vulnerability in the Oracle WebCenter Interaction componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-1528 (Unspecified vulnerability in the Oracle HRMS component in Oracle E-Bus ...) NOT-FOR-US: Oracle E-Business Suite CVE-2013-1527 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-1526 (Unspecified vulnerability in Oracle MySQL 5.5.29 and earlier allows re ...) - mysql-5.5 5.5.30+dfsg-1 - mysql-5.1 (Only affects MySQL 5.5) - mariadb-10.0 (Fixed before initial upload) - mariadb-5.5 (Fixed before initial upload) CVE-2013-1525 (Unspecified vulnerability in the Oracle Retail Integration Bus compone ...) NOT-FOR-US: Oracle Industry Applications CVE-2013-1524 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2013-1523 (Unspecified vulnerability in Oracle MySQL 5.5.29 and earlier and 5.6.1 ...) - mysql-5.5 5.5.30+dfsg-1 - mysql-5.1 (Only affects MySQL 5.5 and 5.6) - mariadb-10.0 (Fixed before initial upload) - mariadb-5.5 (Fixed before initial upload) CVE-2013-1522 (Unspecified vulnerability in the Oracle WebCenter Content component in ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-1521 (Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier and 5.5.2 ...) {DSA-2780-1} - mysql-5.5 5.5.30+dfsg-1 - mysql-5.1 - mariadb-10.0 (Fixed before initial upload) - mariadb-5.5 (Fixed before initial upload) CVE-2013-1520 (Unspecified vulnerability in the Oracle Clinical Remote Data Capture O ...) NOT-FOR-US: Oracle Industry Applications CVE-2013-1519 (Unspecified vulnerability in the Application Express component in Orac ...) NOT-FOR-US: Oracle Database Server CVE-2013-1518 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 7u21-2.3.9-1 - openjdk-6 6b27-1.12.5-1 CVE-2013-1517 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2013-1516 (Unspecified vulnerability in the Oracle WebCenter Capture component in ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-1515 (Unspecified vulnerability in the Oracle GlassFish Server component in ...) - glassfish (Only affects 3.x) CVE-2013-1514 (Unspecified vulnerability in the Oracle Containers for J2EE component ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2013-1513 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-1512 (Unspecified vulnerability in Oracle MySQL 5.5.29 and earlier allows re ...) - mysql-5.5 5.5.30+dfsg-1 - mysql-5.1 (Only affects MySQL 5.5) - mariadb-10.0 (Fixed before initial upload) - mariadb-5.5 (Fixed before initial upload) CVE-2013-1511 (Unspecified vulnerability in Oracle MySQL 5.5.30 and earlier and 5.6.1 ...) {DSA-2667-1} - mysql-5.5 5.5.31+dfsg-1 - mysql-5.1 (Only affects MySQL 5.5 and 5.6) - mariadb-10.0 (Fixed before initial upload) - mariadb-5.5 (Fixed before initial upload) CVE-2013-1510 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...) NOT-FOR-US: Oracle Siebel CVE-2013-1509 (Unspecified vulnerability in the Oracle WebCenter Sites component in O ...) NOT-FOR-US: Oracle Fusion CVE-2013-1508 (Unspecified vulnerability in the Oracle GlassFish Server component in ...) - glassfish (Only affects 3.x) CVE-2013-1507 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local ...) NOT-FOR-US: Solaris CVE-2013-1506 (Unspecified vulnerability in Oracle MySQL 5.1.67 and earlier, 5.5.29 a ...) {DSA-2780-1} - mysql-5.5 5.5.30+dfsg-1 - mysql-5.1 - mariadb-10.0 (Fixed before initial upload) - mariadb-5.5 (Fixed before initial upload) CVE-2013-1505 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2013-1504 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle Fusion CVE-2013-1503 (Unspecified vulnerability in the Oracle WebCenter Content component in ...) NOT-FOR-US: Oracle Fusion CVE-2013-1502 (Unspecified vulnerability in Oracle MySQL 5.5.30 and earlier and 5.6.9 ...) {DSA-2667-1} - mysql-5.5 5.5.31+dfsg-1 - mysql-5.1 (Only affects MySQL 5.5 and 5.6) - mariadb-10.0 (Fixed before initial upload) - mariadb-5.5 (Fixed before initial upload) CVE-2013-1501 (Unspecified vulnerability in the Oracle iStore component in Oracle E-B ...) NOT-FOR-US: Oracle E-Business Suite CVE-2013-1500 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2727-1 DSA-2722-1} - openjdk-6 6b27-1.12.6-1 - openjdk-7 7u25-2.3.10-1 CVE-2013-1499 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Solaris CVE-2013-1498 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local ...) NOT-FOR-US: Solaris CVE-2013-1497 (Unspecified vulnerability in the Oracle COREid Access component in Ora ...) NOT-FOR-US: Oracle Fusion CVE-2013-1496 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local ...) NOT-FOR-US: Solaris CVE-2013-1495 (asr in Oracle Auto Service Request in Oracle Support Tools before 4.3. ...) NOT-FOR-US: Oracle Auto Service Request CVE-2013-1494 (Unspecified vulnerability in Oracle Sun Solaris 10, when running on SP ...) NOT-FOR-US: Solaris CVE-2013-1493 (The color management (CMM) functionality in the 2D component in Oracle ...) - openjdk-6 6b27-1.12.4-1 - openjdk-7 7u3-2.1.7-1 CVE-2013-1492 (Buffer overflow in yaSSL, as used in MySQL 5.1.x before 5.1.68 and 5.5 ...) {DSA-2780-1} - mysql-5.1 (bug #712059) - mysql-5.5 5.5.30+dfsg-1 - cyassl (Fixed before initial upload to archive) NOTE: https://blogs.oracle.com/sunsecurity/entry/cve_2013_1492_buffer_overflow CVE-2013-1491 (The Java Runtime Environment (JRE) component in Oracle Java SE 7 Updat ...) - openjdk-6 (Specific to Oracle Java, not present in IcedTea) - openjdk-7 (Specific to Oracle Java, not present in IcedTea) NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected CVE-2013-1490 (Unspecified vulnerability in Oracle Java SE 7 Update 11 (JRE 1.7.0_11- ...) - openjdk-6 (Not exploitable in OpenJDK6) - openjdk-7 (Icedtea 2.3 not affected) CVE-2013-1489 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Only affects Java7) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-1488 (The Java Runtime Environment (JRE) component in Oracle Java SE 7 Updat ...) - openjdk-7 7u21-2.3.9-1 - openjdk-6 (Only affects Java7) CVE-2013-1487 (Unspecified vulnerability in the Java Runtime Environment component in ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-1486 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 7u3-2.1.6-1 - openjdk-6 6b27-1.12.3-1 CVE-2013-1485 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 7u3-2.1.6-1 - openjdk-6 (Only affects Java7) CVE-2013-1484 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 7u3-2.1.6-1 - openjdk-6 (Only affects Java7) CVE-2013-1483 (Unspecified vulnerability in the JavaFX component in Oracle Java SE Ja ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2013-1482 (Unspecified vulnerability in the JavaFX component in Oracle Java SE Ja ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2013-1481 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Icedtea uses a different sound implementation than Oracle Java) - openjdk-7 (Icedtea uses a different sound implementation than Oracle Java) CVE-2013-1480 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b27-1.12-1 - openjdk-7 7u3-2.1.6-1 CVE-2013-1479 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2013-1478 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b27-1.12-1 - openjdk-7 7u3-2.1.6-1 CVE-2013-1477 (Unspecified vulnerability in the JavaFX component in Oracle Java SE Ja ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2013-1476 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b27-1.12-1 - openjdk-7 7u3-2.1.6-1 CVE-2013-1475 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b27-1.12-1 - openjdk-7 7u3-2.1.6-1 CVE-2013-1474 (Unspecified vulnerability in the JavaFX component in Oracle Java SE Ja ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2013-1473 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-1472 (Unspecified vulnerability in the JavaFX component in Oracle Java SE Ja ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2013-1471 (Multiple cross-site scripting (XSS) vulnerabilities in admin/FEAdmin.h ...) NOT-FOR-US: Fortinet FortiMail CVE-2012-6530 (Stack-based buffer overflow in Sysax Multi Server before 5.52, when HT ...) NOT-FOR-US: Sysax Multi Server CVE-2012-6529 (Multiple SQL injection vulnerabilities in Marinet CMS allow remote att ...) NOT-FOR-US: Marinet CMS CVE-2012-6528 (Multiple cross-site scripting (XSS) vulnerabilities in ATutor before 2 ...) NOT-FOR-US: ATutor CVE-2012-6527 (Cross-site scripting (XSS) vulnerability in the My Calendar plugin bef ...) NOT-FOR-US: WordPress plugin My Calendar CVE-2012-6526 (SQL injection vulnerability in show_code.php in Vastal I-Tech Freelanc ...) NOT-FOR-US: Vastal I-Tech Freelance Zone CVE-2012-6525 (SQL injection vulnerability in members.php in PHPBridges allows remote ...) NOT-FOR-US: PHPBridges CVE-2012-6524 (SQL injection vulnerability in kommentar.php in pGB 2.12 allows remote ...) NOT-FOR-US: pGB CVE-2012-6523 (Multiple cross-site scripting (XSS) vulnerabilities in w-CMS 2.01 allo ...) NOT-FOR-US: w-CMS 2.01 CVE-2012-6522 (Directory traversal vulnerability in the getContent function in codes/ ...) NOT-FOR-US: w-CMS 2.01 CVE-2011-5255 (Multiple cross-site scripting (XSS) vulnerabilities in admin/login in ...) NOT-FOR-US: X3 CMS CVE-2010-5290 (The authentication process in Adobe ColdFusion before 10 does not requ ...) NOT-FOR-US: Adobe ColdFusion CVE-2010-5287 (SQL injection vulnerability in default.php in Cornerstone Technologies ...) NOT-FOR-US: Cornerstone Technologies webConductor CVE-2013-1581 (The dissect_pft_fec_detailed function in epan/dissectors/packet-dcp-et ...) {DLA-497-1} - wireshark 1.8.6-1 (unimportant) NOTE: Not suitable for code injection CVE-2013-1580 (The dissect_cmstatus_tlv function in plugins/docsis/packet-cmstatus.c ...) {DLA-497-1} - wireshark 1.8.6-1 (unimportant) NOTE: Not suitable for code injection CVE-2013-1579 (The rtps_util_add_bitmap function in epan/dissectors/packet-rtps.c in ...) {DLA-497-1} - wireshark 1.8.6-1 (unimportant) NOTE: Not suitable for code injection CVE-2013-1578 (The dissect_pw_eth_heuristic function in epan/dissectors/packet-pw-eth ...) {DLA-497-1} - wireshark 1.8.6-1 (unimportant) NOTE: Not suitable for code injection CVE-2013-1577 (The dissect_sip_p_charging_func_addresses function in epan/dissectors/ ...) {DLA-497-1} - wireshark 1.8.6-1 (unimportant) NOTE: Not suitable for code injection CVE-2013-1576 (The dissect_sdp_media_attribute function in epan/dissectors/packet-sdp ...) {DLA-497-1} - wireshark 1.8.6-1 (unimportant) NOTE: Not suitable for code injection CVE-2013-1575 (The dissect_r3_cmd_alarmconfigure function in epan/dissectors/packet-a ...) {DLA-497-1} - wireshark 1.8.6-1 (unimportant) NOTE: Not suitable for code injection CVE-2013-1574 (The dissect_bthci_eir_ad_data function in epan/dissectors/packet-bthci ...) {DLA-497-1} - wireshark 1.8.6-1 (unimportant) NOTE: Not suitable for code injection CVE-2013-1573 (The csnStreamDissector function in epan/dissectors/packet-csn1.c in th ...) {DLA-497-1} - wireshark 1.8.6-1 (unimportant) NOTE: Not suitable for code injection CVE-2013-1572 (The dissect_oampdu_event_notification function in epan/dissectors/pack ...) {DLA-497-1} - wireshark 1.8.6-1 (unimportant) NOTE: Not suitable for code injection CVE-2013-1470 (Cross-site scripting (XSS) vulnerability in calendar/index.php in the ...) NOTE: There was a RFP long time ago, bug #203818 NOTE: https://www.htbridge.com/advisory/HTB23143 NOT-FOR-US: Geeklog CVE-2013-1469 (Directory traversal vulnerability in install.php in Piwigo before 2.4. ...) - piwigo [squeeze] - piwigo (Unsupported in squeeze-lts) NOTE: Request to mark the package as unsupported in #779104 NOTE: https://www.htbridge.com/advisory/HTB23144 CVE-2013-1468 (Cross-site request forgery (CSRF) vulnerability in the LocalFiles Edit ...) - piwigo [squeeze] - piwigo (Unsupported in squeeze-lts) NOTE: Request to mark the package as unsupported in #779104 NOTE: https://www.htbridge.com/advisory/HTB23144 CVE-2013-1467 RESERVED CVE-2013-1466 (Multiple cross-site scripting (XSS) vulnerabilities in glFusion before ...) NOT-FOR-US: glFusion CVE-2013-1465 (The Cubecart::_basket method in classes/cubecart.class.php in CubeCart ...) NOT-FOR-US: CubeCart CVE-2013-1464 (Cross-site scripting (XSS) vulnerability in assets/player.swf in the A ...) {DSA-2772-1} - typo3-src 4.5.29+dfsg1-1 [squeeze] - typo3-src (Unsupported in squeeze-lts) CVE-2013-1463 (Cross-site scripting (XSS) vulnerability in js/tabletools/zeroclipboar ...) NOT-FOR-US: WordPress plugin CVE-2013-1462 (Integer signedness error in the ExecuteSoapAction function in the SOAP ...) - miniupnpd (Fixed before initial upload to archive) CVE-2013-1461 (The ExecuteSoapAction function in the SOAPAction handler in the HTTP s ...) - miniupnpd (Fixed before initial upload to archive) CVE-2013-1460 RESERVED CVE-2013-1459 RESERVED CVE-2013-1458 RESERVED CVE-2013-1457 RESERVED CVE-2013-1456 RESERVED CVE-2013-1455 (Joomla! 3.0.x through 3.0.2 allows attackers to obtain sensitive infor ...) NOT-FOR-US: Joomla! CVE-2013-1454 (Joomla! 3.0.x through 3.0.2 allows attackers to obtain sensitive infor ...) NOT-FOR-US: Joomla! CVE-2013-1453 (plugins/system/highlight/highlight.php in Joomla! 3.0.x through 3.0.2 ...) NOT-FOR-US: Joomla! CVE-2013-1452 RESERVED CVE-2013-4696 REJECTED CVE-2013-1451 (Microsoft Internet Explorer 8 and 9, when the Proxy Settings configura ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-1450 (Microsoft Internet Explorer 8 and 9, when the Proxy Settings configura ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-1449 RESERVED CVE-2013-1448 RESERVED CVE-2014-0158 (Heap-based buffer overflow in the JPEG2000 image tile decoder in OpenJ ...) - openjpeg 1.3+dfsg-4.7 NOTE: Not considering a duplicate of CVE-2013-1447 following NOTE: http://www.openwall.com/lists/oss-security/2014/04/02/2 . A query NOTE: to MITRE though indicated that CVE-2014-0158 will not be REJECTED NOTE: since people might have tracked CVE-2014-0158 of the much higher NOTE: impact as due https://bugzilla.redhat.com/show_bug.cgi?id=1082925 NOTE: and https://bugzilla.suse.com/show_bug.cgi?id=871412 CVE-2013-1447 (OpenJPEG 1.3 and earlier allows remote attackers to cause a denial of ...) {DSA-2808-1} - openjpeg 1.3+dfsg-4.7 (bug #731237) CVE-2013-1446 RESERVED CVE-2013-1445 (The Crypto.Random.atfork function in PyCrypto before 2.6.1 does not pr ...) {DSA-2781-1} - python-crypto 2.6.1-1 CVE-2013-1444 (A certain Debian patch for txt2man 1.5.5, as used in txt2man 1.5.5-2, ...) - txt2man 1.5.5-4.1 (bug #724614) [wheezy] - txt2man (Minor issue) [squeeze] - txt2man (Minor issue) CVE-2013-1443 (The authentication framework (django.contrib.auth) in Django 1.4.x bef ...) {DSA-2758-1} - python-django 1.5.4-1 (bug #723043) CVE-2013-1442 (Xen 4.0 through 4.3.x, when using AVX or LWP capable CPUs, does not pr ...) {DSA-3006-1} - xen 4.4.0-1 [squeeze] - xen (Unsupported in squeeze-lts) NOTE: advisory say: In Xen 4.0.2 through 4.0.4 as well as in Xen 4.1.x XSAVE support is disabled by default CVE-2013-1441 (econvert in ExactImage 0.8.9 and earlier does not properly initialize ...) {DSA-2754-1} - exactimage 0.8.9-2 NOTE: a different issue than CVE-2013-1438 CVE-2013-1440 RESERVED CVE-2013-1439 (The "faster LJPEG decoder" in libraw 0.13.x, 0.14.x, and 0.15.x before ...) - libraw 0.15.4-1 (bug #721338) [wheezy] - libraw (Minor issue) [squeeze] - libraw (Minor issue) - libkdcraw 4:4.10.5-2 (bug #721340) [wheezy] - libkdcraw (Minor issue) - darktable 1.2.2-2 (bug #721339) [wheezy] - darktable 1.0.4-1+deb7u2 CVE-2013-1438 (Unspecified vulnerability in dcraw 0.8.x through 0.8.9, as used in lib ...) {DSA-2748-1} - libraw 0.15.4-1 (bug #721231) [wheezy] - libraw (Minor issue) [squeeze] - libraw (Minor issue) - libkdcraw 4:4.10.5-2 (bug #721239) [wheezy] - libkdcraw (Minor issue) - darktable 1.2.2-2 (bug #721233) [wheezy] - darktable 1.0.4-1+deb7u2 - dcraw 9.28-1 (unimportant; bug #721232) - ufraw 0.19.2-2 (bug #721234) [wheezy] - ufraw (end-user app) [squeeze] - ufraw (end-user app) - xbmc 2:13.2+dfsg1-5 (unimportant; bug #721235) - exactimage 0.8.9-1 (bug #721236) - rawstudio (unimportant; bug #721237) - rawtherapee (unimportant; bug #721238) NOTE: Starting with 2:13.2+dfsg1-5 xbmc is a transitional package CVE-2013-1437 (Eval injection vulnerability in the Module-Metadata module before 1.00 ...) - perl 5.18.1-2 [wheezy] - perl (Bug was introduced later) [squeeze] - perl (Does not yet contain Module::Metadata) - libmodule-metadata-perl 1.000015-1 [wheezy] - libmodule-metadata-perl 1.000009-1+deb7u1 NOTE: this is by 'design', but previous to version Module::Metadata 1.000015 NOTE: the statement was This module provides a standard way to gather metadata NOTE: about a .pm file *without* executing unsafe code. CVE-2013-1436 (The XMonad.Hooks.DynamicLog module in xmonad-contrib before 0.11.2 all ...) - xmonad-contrib 0.11.2-1 (low) [squeeze] - xmonad-contrib (Minor issue) [wheezy] - xmonad-contrib 0.10-4~deb7u1 CVE-2013-1435 ((1) snmp.php and (2) rrd.php in Cacti before 0.8.8b allows remote atta ...) {DSA-2739-1} - cacti 0.8.8b+dfsg-1 NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7392 NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7393 CVE-2013-1434 (Multiple SQL injection vulnerabilities in (1) api_poller.php and (2) u ...) {DSA-2739-1} - cacti 0.8.8b+dfsg-1 NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7394 CVE-2013-1433 REJECTED CVE-2013-1432 (Xen 4.1.x and 4.2.x, when the XSA-45 patch is in place, does not prope ...) {DSA-3006-1} - xen 4.3.0-1 [squeeze] - xen (Unsupported in squeeze-lts) NOTE: All Xen versions having the XSA-45/CVE-2013-1918 fixes applied are vulnerable CVE-2013-1431 (The Wocky module in Telepathy Gabble before 0.16.6 and 0.17.x before 0 ...) {DSA-2702-1} - telepathy-gabble 0.16.6-1 CVE-2013-1430 (An issue was discovered in xrdp before 0.9.1. When successfully loggin ...) - xrdp 0.9.1~2016121126+git5171fa7-1 [jessie] - xrdp (Minor issue) [wheezy] - xrdp (Minor issue) NOTE: https://github.com/neutrinolabs/xrdp/pull/497 NOTE: When successfully logging in using RDP into a xrdp session, the file NOTE: ~/.vnc/sesman_${username}_passwd is created. Its content is the NOTE: equivalent of the users clear text password, DES encrypted with a known NOTE: key. CVE-2013-1429 (Lintian before 2.5.12 allows remote attackers to gather information ab ...) - lintian 2.5.10.5 (bug #705553; unimportant) CVE-2013-1428 (Stack-based buffer overflow in the receive_tcppacket function in net_p ...) {DSA-2663-1} - tinc 1.0.19-3 CVE-2013-1427 (The configuration file for the FastCGI PHP support for lighttpd before ...) {DSA-2649-1} - lighttpd 1.4.31-4 CVE-2013-1426 (Cross-site Scripting (XSS) in Mahara before 1.5.9 and 1.6.x before 1.6 ...) - mahara (low) [wheezy] - mahara (Minor issue) [squeeze] - mahara (Minor issue) NOTE: https://bugs.launchpad.net/mahara/+bug/1153423 CVE-2013-1425 (ldap-git-backup before 1.0.4 exposes password hashes due to incorrect ...) - ldap-git-backup 1.0.4-1 (bug #699227) CVE-2013-1424 [matplotlib buffer overrun] RESERVED - matplotlib 1.4.2-3.1 (low; bug #775691) [wheezy] - matplotlib (Minor issue) [squeeze] - matplotlib (Minor issue) CVE-2013-1423 ((1) contrib/gforge-3.0-cronjobs.patch, (2) cronjobs/homedirs.php, (3) ...) {DSA-2633-1} - fusionforge 5.2.1+20130227-1 CVE-2013-1422 (webcalendar before 1.2.7 shows the reason for a failed login (e.g., "n ...) - webcalendar CVE-2013-1421 (Cross-site scripting (XSS) vulnerability in Craig Knudsen WebCalendar ...) - webcalendar CVE-2013-1420 (Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS b ...) NOT-FOR-US: GetSimple CMS CVE-2013-1419 RESERVED CVE-2013-1418 (The setup_server_realm function in main.c in the Key Distribution Cent ...) {DLA-1265-1} - krb5 1.11.3+dfsg-3+nmu1 (low; bug #728845) [squeeze] - krb5 (Minor issue) NOTE: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7757 NOTE: https://github.com/krb5/krb5/commit/5d2d9a1abe46a2c1a8614d4672d08d9d30a5f8bf CVE-2013-1417 (do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (a ...) - krb5 1.11.3+dfsg-3+nmu1 (low; bug #730085) [squeeze] - krb5 (Vulnerable code only present in 1.11.x) [wheezy] - krb5 (Vulnerable code only present in 1.11.x) NOTE: https://github.com/krb5/krb5/commit/4c023ba43c16396f0d199e2df1cfa59b88b62acc CVE-2013-1416 (The prep_reprocess_req function in do_tgs_req.c in the Key Distributio ...) - krb5 1.10.1+dfsg-5 (low; bug #704775) [squeeze] - krb5 (Minor issue) CVE-2013-1415 (The pkinit_check_kdc_pkid function in plugins/preauth/pkinit/pkinit_cr ...) - krb5 1.10.1+dfsg-4 (low) [squeeze] - krb5 (Minor issue) NOTE: https://github.com/krb5/krb5/commit/c773d3c775e9b2d88bcdff5f8a8ba88d7ec4e8ed NOTE: https://github.com/krb5/krb5/commit/b71f8c4aacea8849ceaf31a2fa95e143f3943097 CVE-2013-1414 (Multiple cross-site request forgery (CSRF) vulnerabilities in Fortinet ...) NOT-FOR-US: Fortinet FortiOS on FortiGate firewall devices CVE-2012-6521 (Cross-site scripting (XSS) vulnerability in apps/admin/handlers/versio ...) NOT-FOR-US: Elefant CMS CVE-2012-6520 (Multiple SQL injection vulnerabilities in the advanced search in Wikid ...) NOT-FOR-US: Wikidforum CVE-2012-6519 (SQL injection vulnerability in modules/poll/index.php in DIY-CMS 1.0 a ...) NOT-FOR-US: DIY-CMS CVE-2012-6518 (Cross-site request forgery (CSRF) vulnerability in mod.php in DiY-CMS ...) NOT-FOR-US: DiY-CMS CVE-2012-6517 (Multiple cross-site scripting (XSS) vulnerabilities in DiY-CMS 1.0 all ...) NOT-FOR-US: DiY-CMS CVE-2012-6516 (SQL injection vulnerability in PHP Ticket System Beta 1 allows remote ...) NOT-FOR-US: PHP Ticket System Beta CVE-2012-6515 (eFront 3.6.10, 3.6.11 build 15059, and earlier allows remote attackers ...) NOT-FOR-US: eFront CVE-2012-6514 (Cross-site scripting (XSS) vulnerability in the nBill (com_nbill) comp ...) NOT-FOR-US: nBill for Joomla! CVE-2012-6513 (Cross-site scripting (XSS) vulnerability in index.php/Admin_Preference ...) NOT-FOR-US: gpEasy CMS CVE-2012-6512 (The Organizer plugin 1.2.1 for WordPress allows remote attackers to ob ...) NOT-FOR-US: Organizer wordpress plugin not in Debian CVE-2012-6511 (Multiple cross-site scripting (XSS) vulnerabilities in organizer/page/ ...) NOT-FOR-US: Organizer wordpress plugin not in Debian CVE-2012-6510 (Multiple cross-site scripting (XSS) vulnerabilities in NetArt Media Ca ...) NOT-FOR-US: NetArt Media Car Portal CVE-2012-6509 (Unrestricted file upload vulnerability in NetArt Media Car Portal 3.0 ...) NOT-FOR-US: NetArt Media Car Portal CVE-2012-6508 (Multiple cross-site request forgery (CSRF) vulnerabilities in NetArt M ...) NOT-FOR-US: NetArt Media Car Portal CVE-2012-6507 (Multiple SQL injection vulnerabilities in admin.php in ChurchCMS 0.0.1 ...) NOT-FOR-US: ChurchCMS CVE-2012-6506 (Multiple cross-site scripting (XSS) vulnerabilities in the Zingiri Web ...) NOT-FOR-US: Zingiri Web Shop wordpress plugin not in Debian CVE-2012-6505 (Cross-site scripting (XSS) vulnerability in mods/hours/data/get_hours. ...) NOT-FOR-US: PHP Volunteer Management not in Debian CVE-2012-6504 (SQL injection vulnerability in mods/hours/data/get_hours.php in PHP Vo ...) NOT-FOR-US: PHP Volunteer Management not in Debian CVE-2012-6503 (Unspecified vulnerability in the NinjaXplorer component before 1.0.7 f ...) NOT-FOR-US: NinjaXplorer for Joomla! CVE-2012-6502 (Microsoft Internet Explorer before 10 allows remote attackers to obtai ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-1413 (Multiple cross-site scripting (XSS) vulnerabilities in synetics i-doit ...) NOT-FOR-US: synetics i-doit CVE-2013-1412 (DataLife Engine (DLE) 9.7 allows remote attackers to execute arbitrary ...) NOT-FOR-US: DataLife Engine CVE-2013-1411 RESERVED CVE-2013-1410 (Perforce P4web 2011.1 and 2012.1 has multiple XSS vulnerabilities ...) NOT-FOR-US: Perforce CVE-2013-1409 (Cross-site scripting (XSS) vulnerability in the CommentLuv plugin befo ...) NOT-FOR-US: CommentLuv plugin for Wordpress CVE-2013-1408 (Multiple SQL injection vulnerabilities in the Wysija Newsletters plugi ...) NOT-FOR-US: WordPress plugin wysija-newsletters CVE-2013-1407 (Multiple cross-site scripting (XSS) vulnerabilities in the Events Mana ...) NOT-FOR-US: WordPress plugin Events Master Pro CVE-2013-1406 (The Virtual Machine Communication Interface (VMCI) implementation in v ...) NOT-FOR-US: VMware Workstation, Fusion, View, ESXi, ESX CVE-2013-1405 (VMware vCenter Server 4.0 before Update 4b and 4.1 before Update 3a, V ...) NOT-FOR-US: VMware CVE-2013-1404 RESERVED CVE-2013-1403 RESERVED CVE-2013-1402 (DigiLIBE 3.4 and possibly other versions sends a redirect but does not ...) NOT-FOR-US: DigiLIBE CVE-2013-1401 (Multiple security bypass vulnerabilities in the editAnswer, deleteAnsw ...) NOT-FOR-US: WordPress Poll Plugin for WordPress CVE-2013-1400 (Multiple SQL injection vulnerabilities in CWPPoll.js in WordPress Poll ...) NOT-FOR-US: WordPress Poll Plugin for WordPress CVE-2009-5134 (Buffer overflow in the "create torrent dialog" functionality in uTorre ...) NOT-FOR-US: uTorrent CVE-2013-0243 (haskell-tls-extra before 0.6.1 has Basic Constraints attribute vulnera ...) - haskell-tls-extra 0.4.6.1-1 (bug #698545) CVE-2013-1399 (Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) ...) - puppet (Only affects Puppet Enterprise) CVE-2013-1398 (The pe_mcollective module in Puppet Enterprise (PE) before 2.7.1 does ...) - puppet (Only affects Puppet Enterprise) CVE-2013-1397 (Symfony 2.0.x before 2.0.22, 2.1.x before 2.1.7, and 2.2.x remote atta ...) - php-symfony2-yaml (Only affects versions 2.0, 2.1, 2.2) CVE-2013-1396 RESERVED CVE-2013-1395 RESERVED CVE-2013-1394 RESERVED CVE-2013-1393 (Cross-site scripting (XSS) vulnerability in the CurvyCorners module 6. ...) NOT-FOR-US: Drupal module CurvyCorners CVE-2013-1392 RESERVED CVE-2013-1391 (Authentication bypass vulnerability in the the web interface in Hunt C ...) NOT-FOR-US: DVR systems CVE-2013-1390 RESERVED CVE-2013-1389 (Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 11, 9. ...) NOT-FOR-US: Adobe ColdFusion 9.0 CVE-2013-1388 (Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 10, 9. ...) NOT-FOR-US: Adobe ColdFusion CVE-2013-1387 (Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 10, 9. ...) NOT-FOR-US: Adobe ColdFusion CVE-2013-1386 (Adobe Shockwave Player before 12.0.2.122 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2013-1385 (Adobe Shockwave Player before 12.0.2.122 does not prevent access to ad ...) NOT-FOR-US: Adobe Shockwave Player CVE-2013-1384 (Adobe Shockwave Player before 12.0.2.122 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2013-1383 (Buffer overflow in Adobe Shockwave Player before 12.0.2.122 allows att ...) NOT-FOR-US: Adobe Shockwave Player CVE-2013-1382 REJECTED CVE-2013-1381 REJECTED CVE-2013-1380 (Adobe Flash Player before 10.3.183.75 and 11.x before 11.7.700.169 on ...) NOT-FOR-US: Adobe Flash Plugin CVE-2013-1379 (Adobe Flash Player before 10.3.183.75 and 11.x before 11.7.700.169 on ...) NOT-FOR-US: Adobe Flash Plugin CVE-2013-1378 (Adobe Flash Player before 10.3.183.75 and 11.x before 11.7.700.169 on ...) NOT-FOR-US: Adobe Flash Plugin CVE-2013-1377 (Adobe Digital Editions 2.x before 2.0.1 allows attackers to execute ar ...) NOT-FOR-US: Adobe Digital Editions CVE-2013-1376 (Buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.3, 10.x bef ...) NOT-FOR-US: Adobe Reader CVE-2013-1375 (Heap-based buffer overflow in Adobe Flash Player before 10.3.183.68 an ...) NOT-FOR-US: Adobe Flash Plugin CVE-2013-1374 (Use-after-free vulnerability in Adobe Flash Player before 10.3.183.63 ...) NOT-FOR-US: Adobe Flash Plugin CVE-2013-1373 (Buffer overflow in Adobe Flash Player before 10.3.183.63 and 11.x befo ...) NOT-FOR-US: Adobe Flash Plugin CVE-2013-1372 (Buffer overflow in Adobe Flash Player before 10.3.183.63 and 11.x befo ...) NOT-FOR-US: Adobe Flash Plugin CVE-2013-1371 (Adobe Flash Player before 10.3.183.68 and 11.x before 11.6.602.180 on ...) NOT-FOR-US: Adobe Flash Plugin CVE-2013-1370 (Buffer overflow in Adobe Flash Player before 10.3.183.63 and 11.x befo ...) NOT-FOR-US: Adobe Flash Plugin CVE-2013-1369 (Buffer overflow in Adobe Flash Player before 10.3.183.63 and 11.x befo ...) NOT-FOR-US: Adobe Flash Plugin CVE-2013-1368 (Buffer overflow in Adobe Flash Player before 10.3.183.63 and 11.x befo ...) NOT-FOR-US: Adobe Flash Plugin CVE-2013-1367 (Buffer overflow in Adobe Flash Player before 10.3.183.63 and 11.x befo ...) NOT-FOR-US: Adobe Flash Plugin CVE-2013-1366 (Buffer overflow in Adobe Flash Player before 10.3.183.63 and 11.x befo ...) NOT-FOR-US: Adobe Flash Plugin CVE-2013-1365 (Buffer overflow in Adobe Flash Player before 10.3.183.63 and 11.x befo ...) NOT-FOR-US: Adobe Flash Plugin CVE-2012-6110 (bcron-exec in bcron before 0.10 does not close file descriptors associ ...) - bcron 0.09-13 (low; bug #686650) [squeeze] - bcron 0.09-11+squeeze1 CVE-2013-1364 (The user.login function in Zabbix before 1.8.16 and 2.x before 2.0.5rc ...) - zabbix 1:2.0.4+dfsg-2 (bug #698541) [squeeze] - zabbix (Not supported in Squeeze LTS) NOTE: patches in https://support.zabbix.com/browse/ZBX-6097 CVE-2013-1363 RESERVED CVE-2013-1362 (Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In ...) - nagios-nrpe 2.13-3 (low; bug #701227) [squeeze] - nagios-nrpe (Minor issue) CVE-2013-1361 (Untrusted search path vulnerability in Lenovo Thinkpad Bluetooth with ...) NOT-FOR-US: Lenovo Thinkpad Bluetooth with Enhanced Data Rate Software CVE-2013-1360 (An Authentication Bypass vulnerability exists in DELL SonicWALL Global ...) NOT-FOR-US: DELL SonicWALL Global Management System (GMS) CVE-2013-1359 (An Authentication Bypass Vulnerability exists in DELL SonicWALL Analyz ...) NOT-FOR-US: DELL SonicWALL CVE-2013-1358 RESERVED CVE-2013-1357 RESERVED CVE-2013-1356 RESERVED CVE-2013-1355 REJECTED CVE-2013-1354 RESERVED CVE-2013-1353 (Orange HRM 2.7.1 allows XSS via the vacancy name. ...) NOT-FOR-US: Orange HRM CVE-2013-1352 (Verax NMS prior to 2.1.0 uses an encryption key that is hardcoded in a ...) NOT-FOR-US: Verax NMS CVE-2013-1351 (Verax NMS prior to 2.10 allows authentication via the encrypted passwo ...) NOT-FOR-US: Verax NMS CVE-2013-1350 (Verax NMS prior to 2.1.0 has multiple security bypass vulnerabilities ...) NOT-FOR-US: Verax NMS CVE-2013-1349 (Eval injection vulnerability in ajax.php in openSIS 4.5 through 5.2 al ...) NOT-FOR-US: openSIS CVE-2013-1348 (The Yaml::parse function in Symfony 2.0.x before 2.0.22 remote attacke ...) - php-symfony2-yaml (Only affects version 2.0) CVE-2013-1347 (Microsoft Internet Explorer 8 does not properly handle objects in memo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-1346 (mpengine.dll in Microsoft Malware Protection Engine before 1.1.9506.0 ...) NOT-FOR-US: Microsoft Malware Protection Engine CVE-2013-1345 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft CVE-2013-1344 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2013-1343 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2013-1342 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2013-1341 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft CVE-2013-1340 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft CVE-2013-1339 (The Print Spooler in Microsoft Windows Vista SP2, Windows Server 2008 ...) NOT-FOR-US: Microsoft CVE-2013-1338 (Use-after-free vulnerability in Microsoft Internet Explorer 6 through ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-1337 (Microsoft .NET Framework 4.5 does not properly create policy requireme ...) NOT-FOR-US: Microsoft .NET Framework 4.5 CVE-2013-1336 (The Common Language Runtime (CLR) in Microsoft .NET Framework 2.0 SP2, ...) NOT-FOR-US: Microsoft .NET Framework CVE-2013-1335 (Microsoft Word 2003 SP3 and Word Viewer allow remote attackers to exec ...) NOT-FOR-US: Microsoft Word CVE-2013-1334 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2013-1333 (Buffer overflow in win32k.sys in the kernel-mode drivers in Microsoft ...) NOT-FOR-US: Microsoft Windows CVE-2013-1332 (dxgkrnl.sys (aka the DirectX graphics kernel subsystem) in the kernel- ...) NOT-FOR-US: Microsoft Windows CVE-2013-1331 (Buffer overflow in Microsoft Office 2003 SP3 and Office 2011 for Mac a ...) NOT-FOR-US: Microsoft CVE-2013-1330 (The default configuration of Microsoft SharePoint Portal Server 2003 S ...) NOT-FOR-US: Microsoft SharePoint CVE-2013-1329 (Integer signedness error in Microsoft Publisher 2003 SP3 allows remote ...) NOT-FOR-US: Microsoft Publisher CVE-2013-1328 (Microsoft Publisher 2003 SP3, 2007 SP3, and 2010 SP1 allows remote att ...) NOT-FOR-US: Microsoft Publisher CVE-2013-1327 (Integer signedness error in Microsoft Publisher 2003 SP3 allows remote ...) NOT-FOR-US: Microsoft Publisher CVE-2013-1326 REJECTED CVE-2013-1325 (Heap-based buffer overflow in Microsoft Office 2003 SP3 and 2007 SP3 a ...) NOT-FOR-US: Microsoft CVE-2013-1324 (Stack-based buffer overflow in Microsoft Office 2003 SP3, 2007 SP3, 20 ...) NOT-FOR-US: Microsoft CVE-2013-1323 (Microsoft Publisher 2003 SP3 does not properly handle NULL values for ...) NOT-FOR-US: Microsoft Publisher CVE-2013-1322 (Microsoft Publisher 2003 SP3 does not properly check table range data, ...) NOT-FOR-US: Microsoft Publisher CVE-2013-1321 (Microsoft Publisher 2003 SP3 does not properly check the data type of ...) NOT-FOR-US: Microsoft Publisher CVE-2013-1320 (Buffer overflow in Microsoft Publisher 2003 SP3 allows remote attacker ...) NOT-FOR-US: Microsoft Publisher CVE-2013-1319 (Microsoft Publisher 2003 SP3 does not properly check the return value ...) NOT-FOR-US: Microsoft Publisher CVE-2013-1318 (Microsoft Publisher 2003 SP3 allows remote attackers to execute arbitr ...) NOT-FOR-US: Microsoft Publisher CVE-2013-1317 (Integer overflow in Microsoft Publisher 2003 SP3 allows remote attacke ...) NOT-FOR-US: Microsoft Publisher CVE-2013-1316 (Microsoft Publisher 2003 SP3 does not properly validate the size of an ...) NOT-FOR-US: Microsoft Publisher CVE-2013-1315 (Microsoft SharePoint Server 2007 SP3, 2010 SP1 and SP2, and 2013; Offi ...) NOT-FOR-US: Microsoft CVE-2013-1314 REJECTED CVE-2013-1313 (Object Linking and Embedding (OLE) Automation in Microsoft Windows XP ...) NOT-FOR-US: Microsoft Windows XP CVE-2013-1312 (Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 a ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-1311 (Use-after-free vulnerability in Microsoft Internet Explorer 8 allows r ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-1310 (Use-after-free vulnerability in Microsoft Internet Explorer 6 and 7 al ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-1309 (Use-after-free vulnerability in Microsoft Internet Explorer 6 through ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-1308 (Use-after-free vulnerability in Microsoft Internet Explorer 6 through ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-1307 (Use-after-free vulnerability in Microsoft Internet Explorer 8 and 9 al ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-1306 (Use-after-free vulnerability in Microsoft Internet Explorer 9 allows r ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-1305 (HTTP.sys in Microsoft Windows 8, Windows Server 2012, and Windows RT a ...) NOT-FOR-US: Microsoft CVE-2013-1304 (Use-after-free vulnerability in Microsoft Internet Explorer 6 through ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-1303 (Use-after-free vulnerability in Microsoft Internet Explorer 6 through ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-1302 (Microsoft Communicator 2007 R2, Lync 2010, Lync 2010 Attendee, and Lyn ...) NOT-FOR-US: Microsoft CVE-2013-1301 (Microsoft Visio 2003 SP3 2007 SP3, and 2010 SP1 allows remote attacker ...) NOT-FOR-US: Microsoft Visio CVE-2013-1300 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft CVE-2013-1299 (Microsoft Windows Modern Mail allows remote attackers to spoof link ta ...) NOT-FOR-US: Microsoft Windows Modern Mail CVE-2013-1298 REJECTED CVE-2013-1297 (Microsoft Internet Explorer 6 through 8 does not properly restrict dat ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-1296 (The Remote Desktop ActiveX control in mstscax.dll in Microsoft Remote ...) NOT-FOR-US: Microsoft Remote Desktop Connection Client CVE-2013-1295 (The Client/Server Run-time Subsystem (CSRSS) in Microsoft Windows XP S ...) NOT-FOR-US: Microsoft Windows CVE-2013-1294 (Race condition in the kernel in Microsoft Windows XP SP2 and SP3, Wind ...) NOT-FOR-US: Microsoft Windows CVE-2013-1293 (The NTFS kernel-mode driver in Microsoft Windows Vista SP2, Windows Se ...) NOT-FOR-US: Microsoft Windows CVE-2013-1292 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1291 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP3, Win ...) NOT-FOR-US: Microsoft Windows CVE-2013-1290 (Microsoft SharePoint Server 2013, in certain configurations involving ...) NOT-FOR-US: Microsoft SharePoint Server CVE-2013-1289 (Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Serve ...) NOT-FOR-US: Microsoft SharePoint Server CVE-2013-1288 (Use-after-free vulnerability in Microsoft Internet Explorer 8 allows r ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-1287 (The USB kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windo ...) NOT-FOR-US: Microsoft Windows CVE-2013-1286 (The USB kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windo ...) NOT-FOR-US: Microsoft Windows CVE-2013-1285 (The USB kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windo ...) NOT-FOR-US: Microsoft Windows CVE-2013-1284 (Race condition in the kernel in Microsoft Windows 8, Windows Server 20 ...) NOT-FOR-US: Microsoft Windows CVE-2013-1283 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1282 (The LDAP service in Microsoft Active Directory, Active Directory Appli ...) NOT-FOR-US: Microsoft CVE-2013-1281 (The NFS server in Microsoft Windows Server 2008 R2 and R2 SP1 and Serv ...) NOT-FOR-US: Microsoft Windows CVE-2013-1280 (The kernel in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP ...) NOT-FOR-US: Microsoft Windows CVE-2013-1279 (Race condition in the kernel in Microsoft Windows XP SP2 and SP3, Wind ...) NOT-FOR-US: Microsoft Windows CVE-2013-1278 (Race condition in the kernel in Microsoft Windows XP SP2 and SP3, Wind ...) NOT-FOR-US: Microsoft Windows CVE-2013-1277 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1276 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1275 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1274 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1273 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1272 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1271 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1270 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1269 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1268 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1267 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1266 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1265 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1264 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1263 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1262 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1261 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1260 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1259 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1258 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1257 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1256 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1255 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1254 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1253 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1252 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1251 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1250 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1249 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2013-1248 (Race condition in win32k.sys in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2012-6501 (The KillProcess method in the HP PKI ActiveX control (HPPKI.ocx) befor ...) NOT-FOR-US: HP PKI ActiveX CVE-2012-6500 (Directory traversal vulnerability in download.lib.php in Pragyan CMS 3 ...) NOT-FOR-US: Pragyan CMS CVE-2012-6499 (Open redirect vulnerability in age-verification.php in the Age Verific ...) NOT-FOR-US: Age Verification plugin for WordPress CVE-2011-5254 (Unspecified vulnerability in the Connections plugin before 0.7.1.6 for ...) NOT-FOR-US: Connections plugin for WordPress CVE-2011-5253 (Dl Download Ticket Service 0.3 through 0.9 allows remote attackers to ...) NOT-FOR-US: Dl Download Ticket Service CVE-2011-5252 (Open redirect vulnerability in Users/Account/LogOff in Orchard 1.0.x b ...) NOT-FOR-US: Orchard CVE-2012-0722 REJECTED CVE-2013-1247 (Cross-site scripting (XSS) vulnerability in the wireless configuration ...) NOT-FOR-US: Cisco CVE-2013-1246 (Cisco TelePresence System Software does not properly handle inactive t ...) NOT-FOR-US: Cisco CVE-2013-1245 (The user-management page in Cisco WebEx Social relies on client-side v ...) NOT-FOR-US: Cisco WebEx Social CVE-2013-1244 (Cross-site scripting (XSS) vulnerability in the portal module in Cisco ...) NOT-FOR-US: Cisco WebEx Social CVE-2013-1243 (The IP stack in Cisco Intrusion Prevention System (IPS) Software in AS ...) NOT-FOR-US: Cisco CVE-2013-1242 (Memory leak in the web framework in the server in Cisco Unified Presen ...) NOT-FOR-US: Cisco CVE-2013-1241 (The ISM module in Cisco IOS on ISR G2 routers does not properly handle ...) NOT-FOR-US: Cisco IOS CVE-2013-1240 (The command-line interface in Cisco Unified Communications Manager (CU ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2013-1239 RESERVED CVE-2013-1238 RESERVED CVE-2013-1237 RESERVED CVE-2013-1236 (Cisco TelePresence Supervisor MSE 8050 before 2.3(1.31) allows remote ...) NOT-FOR-US: Cisco TelePresence Supervisor CVE-2013-1235 (Cisco Wireless LAN Controller (WLC) devices do not properly address th ...) NOT-FOR-US: Cisco Wireless LAN Controller CVE-2013-1234 (The SNMP module in Cisco IOS XR allows remote authenticated users to c ...) NOT-FOR-US: Cisco IOS XR CVE-2013-1233 REJECTED CVE-2013-1232 (The HTTP implementation in Cisco WebEx Node for MCS, WebEx Meetings Se ...) NOT-FOR-US: Cisco WebEx CVE-2013-1231 (The HTTP implementation in Cisco WebEx Node for MCS and WebEx Meetings ...) NOT-FOR-US: Cisco WebEx CVE-2013-1230 (Cisco Unified Communications Domain Manager allows remote attackers to ...) NOT-FOR-US: Cisco CVE-2013-1229 (TMSSNMPService.exe in TelePresence Manager in Cisco TelePresence Manag ...) NOT-FOR-US: Cisco CVE-2013-1228 (Cisco Jabber on Windows does not verify X.509 certificates from SSL se ...) NOT-FOR-US: Cisco Jabber CVE-2013-1227 (Cross-site scripting (XSS) vulnerability in the web framework in Cisco ...) NOT-FOR-US: Cisco Unified Communications Domain Manager CVE-2013-1226 (The Ethernet frame-forwarding implementation in Cisco NX-OS on Nexus 7 ...) NOT-FOR-US: Cisco NX-OS CVE-2013-1225 (Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 ...) NOT-FOR-US: Cisco Unified Customer Voice Portal CVE-2013-1224 (Directory traversal vulnerability in the Resource Manager in Cisco Uni ...) NOT-FOR-US: Cisco Unified Customer Voice Portal CVE-2013-1223 (The log viewer in Cisco Unified Customer Voice Portal (CVP) Software b ...) NOT-FOR-US: Cisco Unified Customer Voice Portal CVE-2013-1222 (The Tomcat Web Management feature in Cisco Unified Customer Voice Port ...) NOT-FOR-US: Cisco Unified Customer Voice Portal CVE-2013-1221 (The Tomcat Web Management feature in Cisco Unified Customer Voice Port ...) NOT-FOR-US: Cisco Unified Customer Voice Portal CVE-2013-1220 (The CallServer component in Cisco Unified Customer Voice Portal (CVP) ...) NOT-FOR-US: Cisco Unified Customer Voice Portal CVE-2013-1219 (SensorApp in Cisco Intrusion Prevention System (IPS) allows local user ...) NOT-FOR-US: Cisco Intrusion Prevention System CVE-2013-1218 (Cisco Intrusion Prevention System (IPS) Software in ASA 5500-X IPS-SSP ...) NOT-FOR-US: Cisco CVE-2013-1217 (The generic input/output control implementation in Cisco IOS does not ...) NOT-FOR-US: Cisco IOS CVE-2013-1216 (Memory leak in the SNMP module in Cisco IOS XR allows remote authentic ...) NOT-FOR-US: Cisco IOS XR CVE-2013-1215 (The vpnclient program in the Easy VPN component on Cisco Adaptive Secu ...) NOT-FOR-US: Cisco CVE-2013-1214 (The scripts editor in Cisco Unified Contact Center Express (aka Unifie ...) NOT-FOR-US: Cisco Unified Contact Center Express CVE-2013-1213 (Cisco NX-OS on the Nexus 1000V does not assign the proper priority to ...) NOT-FOR-US: Cisco CVE-2013-1212 (The SSL functionality in Cisco NX-OS on the Nexus 1000V does not prope ...) NOT-FOR-US: Cisco CVE-2013-1211 (Cisco NX-OS on the Nexus 1000V does not properly handle authentication ...) NOT-FOR-US: Cisco CVE-2013-1210 (Array index error in the Virtual Ethernet Module (VEM) kernel driver f ...) NOT-FOR-US: Cisco CVE-2013-1209 (The encryption functionality in the Virtual Supervisor Module (VSM) to ...) NOT-FOR-US: Cisco CVE-2013-1208 (The encryption functionality in Cisco NX-OS on the Nexus 1000V does no ...) NOT-FOR-US: Cisco CVE-2013-1207 RESERVED CVE-2013-1206 RESERVED CVE-2013-1205 (The Event Center module in Cisco WebEx Meetings Server does not perfor ...) NOT-FOR-US: Cisco WebEx Meetings Server CVE-2013-1204 (Memory leak in the SNMP process in Cisco IOS XR allows remote attacker ...) NOT-FOR-US: Cisco IOS XR CVE-2013-1203 (Cisco ASA CX Context-Aware Security Software allows remote attackers t ...) NOT-FOR-US: Cisco ASA CVE-2013-1202 (Cisco ACE A2(3.6) allows log retention DoS. ...) NOT-FOR-US: Cisco CVE-2013-1201 RESERVED CVE-2013-1200 (Session fixation vulnerability in Cisco Secure Access Control System ( ...) NOT-FOR-US: Cisco Secure Access Control System CVE-2013-1199 (Race condition in the CIFS implementation in the rewriter module in th ...) NOT-FOR-US: Cisco CVE-2013-1198 (Cross-site scripting (XSS) vulnerability in a Flash component in Cisco ...) NOT-FOR-US: Cisco Unified Computing System CVE-2013-1197 (The XML parser in the server in Cisco Unified Presence (CUP) allows re ...) NOT-FOR-US: Cisco Unified Presence CVE-2013-1196 (The command-line interface in Cisco Secure Access Control System (ACS) ...) NOT-FOR-US: Cisco CVE-2013-1195 (The time-based ACL implementation on Cisco Adaptive Security Appliance ...) NOT-FOR-US: isco Adaptive Security Appliances CVE-2013-1194 (The ISAKMP implementation on Cisco Adaptive Security Appliances (ASA) ...) NOT-FOR-US: Cisco CVE-2013-1193 (The Secure Shell (SSH) implementation on Cisco Adaptive Security Appli ...) NOT-FOR-US: Cisco CVE-2013-1192 (The JAR files on Cisco Device Manager for Cisco MDS 9000 devices befor ...) NOT-FOR-US: Cisco Device Manager CVE-2013-1191 (Cisco NX-OS 6.1 before 6.1(5) on Nexus 7000 devices, when local authen ...) NOT-FOR-US: Cisco CVE-2013-1190 (The C-Series Rack Server component 1.4 in Cisco Unified Computing Syst ...) NOT-FOR-US: Cisco CVE-2013-1189 (Cisco Universal Broadband (aka uBR) 10000 series routers, when an IPv4 ...) NOT-FOR-US: Cisco Universal Broadband 10000 series routers CVE-2013-1188 (Cisco Unified Communications Manager (CUCM) does not properly limit th ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2013-1187 (The Connection Manager in Cisco Jabber Extensible Communications Platf ...) NOT-FOR-US: Cisco CVE-2013-1186 (Cisco Unified Computing System (UCS) 1.x before 1.4(4) and 2.x before ...) NOT-FOR-US: Cisco Unified Computing System CVE-2013-1185 (The web interface in the Manager component in Cisco Unified Computing ...) NOT-FOR-US: Cisco Unified Computing System CVE-2013-1184 (The management API in the XML API management service in the Manager co ...) NOT-FOR-US: Cisco Unified Computing System CVE-2013-1183 (Buffer overflow in the Intelligent Platform Management Interface (IPMI ...) NOT-FOR-US: Cisco Unified Computing System CVE-2013-1182 (The login page in the Web Console in the Manager component in Cisco Un ...) NOT-FOR-US: Cisco Unified Computing System CVE-2013-1181 (Cisco NX-OS on Nexus 5500 devices 4.x and 5.x before 5.0(3)N2(2), Nexu ...) NOT-FOR-US: Cisco CVE-2013-1180 (Buffer overflow in the SNMP implementation in Cisco NX-OS on Nexus 700 ...) NOT-FOR-US: Cisco NX-OS CVE-2013-1179 (Multiple buffer overflows in the (1) SNMP and (2) License Manager impl ...) NOT-FOR-US: Cisco NX-OS CVE-2013-1178 (Multiple buffer overflows in the Cisco Discovery Protocol (CDP) implem ...) NOT-FOR-US: Cisco NX-OS CVE-2013-1177 (SQL injection vulnerability in Cisco Network Admission Control (NAC) M ...) NOT-FOR-US: Cisco Network Admission Control Manager CVE-2013-1176 (The DSP card on Cisco TelePresence MCU 4500 and 4501 devices before 4. ...) NOT-FOR-US: Cisco CVE-2013-1175 REJECTED CVE-2013-1174 (Cisco Tivoli Business Service Manager (TBSM) in Hosted Collaboration M ...) NOT-FOR-US: Cisco Tivoli Business Service Manager CVE-2013-1173 (Heap-based buffer overflow in ciscod.exe in the Cisco Security Service ...) NOT-FOR-US: Cisco AnyConnect CVE-2013-1172 (The Cisco Security Service in Cisco AnyConnect Secure Mobility Client ...) NOT-FOR-US: Cisco AnyConnect CVE-2013-1171 (Multiple cross-site scripting (XSS) vulnerabilities in the element-lis ...) NOT-FOR-US: Cisco Connected Grid Network Management System (CG-NMS) CVE-2013-1170 (The Cisco Prime Network Control System (NCS) appliance with software b ...) NOT-FOR-US: Cisco Prime Network Control System CVE-2013-1169 (Cisco Unified MeetingPlace Web Conferencing Server 7.x before 7.1MR1 P ...) NOT-FOR-US: Cisco Unified MeetingPlace Web Conferencing Server CVE-2013-1168 (The web server in Cisco Unified MeetingPlace Application Server 7.x be ...) NOT-FOR-US: Cisco Unified MeetingPlace Application Server CVE-2013-1167 (Cisco IOS XE 3.2 through 3.4 before 3.4.2S, and 3.5, on 1000 series Ag ...) NOT-FOR-US: Cisco IOS XE CVE-2013-1166 (Cisco IOS XE 3.2 through 3.4 before 3.4.5S, and 3.5 through 3.7 before ...) NOT-FOR-US: Cisco IOS XE CVE-2013-1165 (Cisco IOS XE 2.x and 3.x before 3.4.5S, and 3.5 through 3.7 before 3.7 ...) NOT-FOR-US: Cisco IOS XE CVE-2013-1164 (Cisco IOS XE 3.4 before 3.4.4S, 3.5, and 3.6 on 1000 series Aggregatio ...) NOT-FOR-US: Cisco IOS XE CVE-2013-1163 (Multiple SQL injection vulnerabilities in the device-management implem ...) NOT-FOR-US: Cisco CVE-2013-1162 (The traffic engineering (TE) processing subsystem in Cisco IOS XR allo ...) NOT-FOR-US: Cisco CVE-2013-1161 (The XML parser in the Cisco Jabber IM application for Android allows r ...) NOT-FOR-US: Cisco CVE-2013-1160 (Cross-site scripting (XSS) vulnerability in the OpenView web menus in ...) NOT-FOR-US: Cisco CVE-2013-1159 (Cross-site scripting (XSS) vulnerability in the Netcool Impact (NCI) w ...) NOT-FOR-US: Cisco CVE-2013-1158 (Cross-site scripting (XSS) vulnerability in the IBM Tivoli Monitoring ...) NOT-FOR-US: IBM CVE-2013-1157 (Cross-site scripting (XSS) vulnerability in the IBM Tivoli Monitoring ...) NOT-FOR-US: IBM CVE-2013-1156 (Directory traversal vulnerability in Cisco Prime Central for Hosted Co ...) NOT-FOR-US: Cisco CVE-2013-1155 (The auth-proxy functionality in Cisco Firewall Services Module (FWSM) ...) NOT-FOR-US: Cisco Firewall Services Module CVE-2013-1154 (The Cisco Small Business 200 Series Smart Switch 1.2.7.76 and earlier, ...) NOT-FOR-US: Cisco Small Business switches CVE-2013-1153 (Cross-site request forgery (CSRF) vulnerability in the web interface i ...) NOT-FOR-US: Cisco Prime Infrastructure CVE-2013-1152 (Cisco Adaptive Security Appliances (ASA) devices with software 9.0 bef ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2013-1151 (Cisco Adaptive Security Appliances (ASA) devices with software 7.x bef ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2013-1150 (The authentication-proxy implementation on Cisco Adaptive Security App ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2013-1149 (Cisco Adaptive Security Appliances (ASA) devices with software 7.x bef ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2013-1148 (The General Responder implementation in the IP Service Level Agreement ...) NOT-FOR-US: Cisco IOS CVE-2013-1147 (The Protocol Translation (PT) functionality in Cisco IOS 12.3 through ...) NOT-FOR-US: Cisco IOS CVE-2013-1146 (The Smart Install client functionality in Cisco IOS 12.2 and 15.0 thro ...) NOT-FOR-US: Cisco IOS CVE-2013-1145 (Memory leak in Cisco IOS 12.2, 12.4, 15.0, and 15.1, when Zone-Based P ...) NOT-FOR-US: Cisco IOS CVE-2013-1144 (Memory leak in the IKEv1 implementation in Cisco IOS 15.1 allows remot ...) NOT-FOR-US: Cisco IOS CVE-2013-1143 (The RSVP protocol implementation in Cisco IOS 12.2 and 15.0 through 15 ...) NOT-FOR-US: Cisco IOS CVE-2013-1142 (Race condition in the VRF-aware NAT feature in Cisco IOS 12.2 through ...) NOT-FOR-US: Cisco IOS CVE-2013-1141 (The mDNS snooping functionality on Cisco Wireless LAN Controller (WLC) ...) NOT-FOR-US: Cisco Wireless LAN Controller CVE-2013-1140 (The XML parser in Cisco Security Monitoring, Analysis, and Response Sy ...) NOT-FOR-US: Cisco Security MARS CVE-2013-1139 (The nsAPI interface in Cisco Cloud Portal 9.1 SP1 and SP2, and 9.3 thr ...) NOT-FOR-US: Cisco Cloud Portal CVE-2013-1138 (The NAT process on Cisco Adaptive Security Appliances (ASA) devices al ...) NOT-FOR-US: Cisco CVE-2013-1137 (Cisco Unified Presence Server (CUPS) 8.6, 9.0, and 9.1 before 9.1.1 al ...) NOT-FOR-US: Cisco Unified Presence Server CVE-2013-1136 (The crypto engine process in Cisco IOS on Aggregation Services Router ...) NOT-FOR-US: Cisco IOS CVE-2013-1135 (Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance ...) NOT-FOR-US: Cisco Prime Central CVE-2013-1134 (The Location Bandwidth Manager (LBM) Intracluster-communication featur ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2013-1133 (Cisco Unified Communications Manager (CUCM) 8.6 before 8.6(2a)su2, 8.6 ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2013-1132 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco Unified C ...) NOT-FOR-US: Cisco CVE-2013-1131 (Cisco Small Business Wireless Access Points WAP200, WAP2000, WAP200E, ...) NOT-FOR-US: Cisco Small Business Wireless Access Points CVE-2013-1130 (Cisco AnyConnect Secure Mobility Client on Mac OS X uses weak permissi ...) NOT-FOR-US: Cisco CVE-2013-1129 (Memory leak in Cisco Unity Connection 9.x allows remote attackers to c ...) NOT-FOR-US: Cisco CVE-2013-1128 (Multiple cross-site request forgery (CSRF) vulnerabilities in the serv ...) NOT-FOR-US: Cisco Unified MeetingPlace CVE-2013-1127 RESERVED CVE-2013-1126 RESERVED CVE-2013-1125 (The command-line interface in Cisco Identity Services Engine Software, ...) NOT-FOR-US: Cisco CVE-2013-1124 (The Cisco Network Admission Control (NAC) agent on Mac OS X does not v ...) NOT-FOR-US: Cisco Network Admission Control CVE-2013-1123 (Multiple cross-site scripting (XSS) vulnerabilities in the server in C ...) NOT-FOR-US: Cisco Unified MeetingPlace CVE-2013-1122 (Cisco NX-OS on the Nexus 7000, when a certain Overlay Transport Virtua ...) NOT-FOR-US: Cisco NX-OS CVE-2013-1121 (The regex engine in the BGP implementation in Cisco NX-OS, when a comp ...) NOT-FOR-US: Cisco NX-OS CVE-2013-1120 (Multiple cross-site request forgery (CSRF) vulnerabilities on the Cisc ...) NOT-FOR-US: Cisco Unity Express CVE-2013-1119 (Buffer overflow in Cisco WebEx Recording Format (WRF) player T27 LD be ...) NOT-FOR-US: Cisco WebEx CVE-2013-1118 (Stack-based buffer overflow in Cisco WebEx Recording Format (WRF) play ...) NOT-FOR-US: Cisco WebEx CVE-2013-1117 (Buffer overflow in the exception handler in Cisco WebEx Recording Form ...) NOT-FOR-US: Cisco WebEx CVE-2013-1116 (Buffer overflow in Cisco WebEx Advanced Recording Format (ARF) player ...) NOT-FOR-US: Cisco WebEx CVE-2013-1115 (Buffer overflow in Cisco WebEx Advanced Recording Format (ARF) player ...) NOT-FOR-US: Cisco WebEx CVE-2013-1114 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco Unity Exp ...) NOT-FOR-US: Cisco Unity Express CVE-2013-1113 (Cross-site scripting (XSS) vulnerability in Cisco Unified Communicatio ...) NOT-FOR-US: Cisco Unified Communications Domain Manager CVE-2013-1112 (Cisco Carrier Routing System (CRS) allows remote attackers to cause a ...) NOT-FOR-US: Cisco Carrier Routing System CVE-2013-1111 (The Cisco ATA 187 Analog Telephone Adaptor with firmware 9.2.1.0 and 9 ...) NOT-FOR-US: Cisco ATA 187 Analog Telephone Adaptor CVE-2013-1110 (Cisco WebEx Training Center allow remote authenticated users to bypass ...) NOT-FOR-US: Cisco WebEx Training Center CVE-2013-1109 (Cross-site request forgery (CSRF) vulnerability in testingLibraryActio ...) NOT-FOR-US: Cisco WebEx Training Center CVE-2013-1108 (Cisco WebEx Training Center allows remote authenticated users to remov ...) NOT-FOR-US: Cisco WebEx Training Center CVE-2013-1107 (The search function in Cisco Webex Social (formerly Cisco Quad) allows ...) NOT-FOR-US: Cisco Webex Social CVE-2013-1106 RESERVED CVE-2013-1105 (Cisco Wireless LAN Controller (WLC) devices with software 7.0 before 7 ...) NOT-FOR-US: Cisco Wireless LAN Controller CVE-2013-1104 (The HTTP Profiling functionality on Cisco Wireless LAN Controller (WLC ...) NOT-FOR-US: Cisco Wireless LAN Controller CVE-2013-1103 (Cisco Wireless LAN Controller (WLC) devices with software 7.0 before 7 ...) NOT-FOR-US: Cisco Wireless LAN Controller CVE-2013-1102 (The Wireless Intrusion Prevention System (wIPS) component on Cisco Wir ...) NOT-FOR-US: Cisco Wireless LAN Controller CVE-2013-1101 RESERVED CVE-2013-1100 (The HTTP server in Cisco IOS on Catalyst switches does not properly ha ...) NOT-FOR-US: Cisco IOS CVE-2013-1099 REJECTED CVE-2013-1098 RESERVED CVE-2013-1097 (Cross-site scripting (XSS) vulnerability in a ZCC page in njwc.jar in ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2013-1096 (Cross-site scripting (XSS) vulnerability in the Roles Based Provisioni ...) NOT-FOR-US: Novell Identity Manager CVE-2013-1095 (Cross-site scripting (XSS) vulnerability in a ZCC page in njwc.jar in ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2013-1094 (Cross-site scripting (XSS) vulnerability in a ZCC page in zenworks-cor ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2013-1093 (Open redirect vulnerability in the fwdToURL function in the ZCC login ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2013-1092 (Multiple unquoted Windows search path vulnerabilities in Novell ZENwor ...) NOT-FOR-US: Novell ZENworks Desktop Management CVE-2013-1091 (Stack-based buffer overflow in Novell iPrint Client before 5.90 allows ...) NOT-FOR-US: Novell iPrint Client CVE-2013-1090 (The SUSE horde5 package before 5.0.2-2.4.1 sets incorrect ownership fo ...) - php-horde (SuSE specific packaging flaw) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=811369 CVE-2013-1089 RESERVED CVE-2013-1088 (Cross-site request forgery (CSRF) vulnerability in Novell iManager 2.7 ...) NOT-FOR-US: Novell iManager CVE-2013-1087 (Cross-site scripting (XSS) vulnerability in the client in Novell Group ...) NOT-FOR-US: Novell GroupWise CVE-2013-1086 (Cross-site scripting (XSS) vulnerability in WebAccess in Novell GroupW ...) NOT-FOR-US: Novell GroupWise CVE-2013-1085 (Stack-based buffer overflow in the nim: protocol handler in Novell Gro ...) NOT-FOR-US: Novell Messenger CVE-2013-1084 (Directory traversal vulnerability in the GetFle method in the umaninv ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2013-1083 (Unspecified vulnerability in the login functionality in the Reporting ...) NOT-FOR-US: Novell Identity Manager CVE-2013-1082 (Directory traversal vulnerability in DUSAP.php in Novell ZENworks Mobi ...) NOT-FOR-US: Novell ZENworks CVE-2013-1081 (Directory traversal vulnerability in MDM.php in Novell ZENworks Mobile ...) NOT-FOR-US: Novell ZENworks CVE-2013-1080 (The web server in Novell ZENworks Configuration Management (ZCM) 10.3 ...) NOT-FOR-US: Novell ZENworks CVE-2013-1079 (Directory traversal vulnerability in the ISCreateObject method in an A ...) NOT-FOR-US: Novell ZENworks CVE-2013-1078 RESERVED CVE-2013-1077 REJECTED CVE-2013-1076 REJECTED CVE-2013-1075 REJECTED CVE-2013-1074 REJECTED CVE-2013-1073 REJECTED CVE-2013-1072 REJECTED CVE-2013-1071 REJECTED CVE-2013-1070 (Cross-site scripting (XSS) vulnerability in the API in Ubuntu Metal as ...) NOT-FOR-US: Ubuntu MAAS CVE-2013-1069 (Ubuntu Metal as a Service (MaaS) 1.2 and 1.4 uses world-readable permi ...) NOT-FOR-US: Ubuntu MAAS CVE-2013-1068 (The OpenStack Nova (python-nova) package 1:2013.2.3-0 before 1:2013.2. ...) - nova 2014.1.1-4 (bug #753579) [wheezy] - nova (Vulnerable code not present) - cinder 2014.1.1-3 (bug #753585) [wheezy] - cinder (Vulnerable code not present) NOTE: Requires includedir to be defined in /etc/sudoers file CVE-2013-1067 (Apport 2.12.5 and earlier uses weak permissions for core dump files cr ...) NOT-FOR-US: Apport CVE-2013-1066 (language-selector 0.110.x before 0.110.1, 0.90.x before 0.90.1, and 0. ...) NOT-FOR-US: language-selector CVE-2013-1065 (backend.py in Jockey before 0.9.7-0ubuntu7.11 does not properly use D- ...) NOT-FOR-US: jockey CVE-2013-1064 (apt-xapian-index before 0.45ubuntu2.1, 0.44ubuntu7.1, and 0.44ubuntu5. ...) - apt-xapian-index 0.47 (low; bug #724837) [wheezy] - apt-xapian-index (Minor issue, only allows a possibly prohibited update of the Xapian package index) [squeeze] - apt-xapian-index (Minor issue, only allows a possibly prohibited update of the Xapian package index) CVE-2013-1063 (usb-creator 0.2.47 before 0.2.47.1, 0.2.40 before 0.2.40ubuntu2, and 0 ...) NOT-FOR-US: usb-creator CVE-2013-1062 (ubuntu-system-service 0.2.4 before 0.2.4.1. 0.2.3 before 0.2.3.1, and ...) NOT-FOR-US: ubuntu-system-service CVE-2013-1061 (dbus/SoftwarePropertiesDBus.py in Software Properties 0.92.17 before 0 ...) - software-properties 0.92.18 (low) [wheezy] - software-properties (Minor issue) [squeeze] - software-properties (Vulnerable code not present) CVE-2013-1060 (A certain Ubuntu build procedure for perf, as distributed in the Linux ...) NOT-FOR-US: Ubuntu packaging specific CVE-2013-1059 (net/ceph/auth_none.c in the Linux kernel through 3.10 allows remote at ...) {DSA-2745-1} - linux 3.10.1-1 (low) - linux-2.6 (low) [squeeze] - linux-2.6 (CEPH was introduced in 2.6.34) CVE-2013-1058 (maas-import-pxe-files in MAAS before 13.10 does not verify the integri ...) NOT-FOR-US: Ubuntu MAAS CVE-2013-1057 (Untrusted search path vulnerability in maas-import-pxe-files in MAAS b ...) NOT-FOR-US: Ubuntu MAAS CVE-2013-1056 (X.org X server 1.13.3 and earlier, when not run as root, allows local ...) - xorg-server (Ubuntu-specific patch, see http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1056.html) CVE-2013-1055 RESERVED CVE-2013-1054 RESERVED CVE-2013-1053 RESERVED CVE-2013-1052 (pam-xdg-support, as used in Ubuntu 12.10, does not properly handle the ...) NOT-FOR-US: pam-xdg-support (Ubuntu-specific package) CVE-2013-1051 (apt 0.8.16, 0.9.7, and possibly other versions does not properly handl ...) - apt 0.9.7.8 [squeeze] - apt (InRelease support not used) CVE-2013-1050 (The default configuration in gnome-screensaver 3.5.4 through 3.6.0 set ...) - gnome-screensaver (Ubuntu-specific Unity patch) CVE-2013-1049 (Buffer overflow in the RFC1413 (ident) client in cfingerd 1.4.3-3 allo ...) {DSA-2635-1} - cfingerd 1.4.3-3.1 (bug #700098) NOTE: https://bugs.launchpad.net/ubuntu/+source/cfingerd/+bug/1104425 CVE-2013-1048 (The Debian apache2ctl script in the apache2 package squeeze before 2.2 ...) {DSA-2637-1} - apache2 2.2.22-13 CVE-2013-1047 (WebKit, as used in Apple iOS before 7, allows remote attackers to exec ...) NOT-FOR-US: Apple iOS CVE-2013-1046 (WebKit, as used in Apple iOS before 7, allows remote attackers to exec ...) NOT-FOR-US: Apple iOS CVE-2013-1045 (WebKit, as used in Apple iOS before 7, allows remote attackers to exec ...) NOT-FOR-US: Apple iOS CVE-2013-1044 (WebKit, as used in Apple iOS before 7, allows remote attackers to exec ...) NOT-FOR-US: Apple iOS CVE-2013-1043 (WebKit, as used in Apple iOS before 7, allows remote attackers to exec ...) NOT-FOR-US: Apple iOS CVE-2013-1042 (WebKit, as used in Apple iOS before 7, allows remote attackers to exec ...) NOT-FOR-US: Apple iOS CVE-2013-1041 (WebKit, as used in Apple iOS before 7, allows remote attackers to exec ...) NOT-FOR-US: Apple iOS CVE-2013-1040 (WebKit, as used in Apple iOS before 7, allows remote attackers to exec ...) NOT-FOR-US: Apple iOS CVE-2013-1039 (WebKit, as used in Apple iOS before 7, allows remote attackers to exec ...) NOT-FOR-US: Apple iOS CVE-2013-1038 (WebKit, as used in Apple iOS before 7, allows remote attackers to exec ...) NOT-FOR-US: Apple iOS CVE-2013-1037 (WebKit, as used in Apple iOS before 7, allows remote attackers to exec ...) NOT-FOR-US: Apple iOS CVE-2013-1036 (Safari in Apple iOS before 7 allows remote attackers to execute arbitr ...) NOT-FOR-US: Apple iOS CVE-2013-1035 (The iTunes ActiveX control in Apple iTunes before 11.1 allows remote a ...) NOT-FOR-US: Apple iTunes CVE-2013-1034 (Multiple cross-site scripting (XSS) vulnerabilities in Wiki Server in ...) NOT-FOR-US: Apple Mac OS X Server CVE-2013-1033 (Screen Lock in Apple Mac OS X before 10.8.5 does not properly track se ...) NOT-FOR-US: Screen Lock in Apple Mac OS X CVE-2013-1032 (QuickTime in Apple Mac OS X before 10.8.5 allows remote attackers to e ...) NOT-FOR-US: QuickTime in Apple Mac OS X CVE-2013-1031 (Power Management in Apple Mac OS X before 10.8.5 does not properly per ...) NOT-FOR-US: Power Management in Apple Mac OS X CVE-2013-1030 (mdmclient in Mobile Device Management in Apple Mac OS X before 10.8.5 ...) NOT-FOR-US: Mobile Device Management in Apple Mac OS X CVE-2013-1029 (The kernel in Apple Mac OS X before 10.8.5 allows remote attackers to ...) NOT-FOR-US: Apple Mac OS X CVE-2013-1028 (The IPSec implementation in Apple Mac OS X before 10.8.5, when Hybrid ...) NOT-FOR-US: Apple Mac OS X CVE-2013-1027 (Installer in Apple Mac OS X before 10.8.5 provides an option to contin ...) NOT-FOR-US: Apple Mac OS X CVE-2013-1026 (Buffer overflow in ImageIO in Apple Mac OS X before 10.8.5 allows remo ...) NOT-FOR-US: Apple Mac OS X CVE-2013-1025 (Buffer overflow in CoreGraphics in Apple Mac OS X before 10.8.5 allows ...) NOT-FOR-US: Apple Mac OS X CVE-2013-1024 (CoreMedia Playback in Apple Mac OS X before 10.8.4 does not properly i ...) NOT-FOR-US: CoreMedia Playback CVE-2013-1023 (WebKit, as used in Apple Safari before 6.0.5, allows remote attackers ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2013-1022 (Buffer overflow in Apple QuickTime before 7.7.4 allows remote attacker ...) NOT-FOR-US: Apple QuickTime CVE-2013-1021 (Buffer overflow in Apple QuickTime before 7.7.4 allows remote attacker ...) NOT-FOR-US: Apple QuickTime CVE-2013-1020 (Apple QuickTime before 7.7.4 allows remote attackers to execute arbitr ...) NOT-FOR-US: Apple QuickTime CVE-2013-1019 (Buffer overflow in Apple QuickTime before 7.7.4 allows remote attacker ...) NOT-FOR-US: Apple QuickTime CVE-2013-1018 (Buffer overflow in Apple QuickTime before 7.7.4 allows remote attacker ...) NOT-FOR-US: Apple QuickTime CVE-2013-1017 (Buffer overflow in Apple QuickTime before 7.7.4 allows remote attacker ...) NOT-FOR-US: Apple QuickTime CVE-2013-1016 (Buffer overflow in Apple QuickTime before 7.7.4 allows remote attacker ...) NOT-FOR-US: Apple QuickTime CVE-2013-1015 (Apple QuickTime before 7.7.4 allows remote attackers to execute arbitr ...) NOT-FOR-US: Apple QuickTime CVE-2013-1014 (Apple iTunes before 11.0.3 does not properly verify X.509 certificates ...) NOT-FOR-US: Apple iTunes CVE-2013-1013 (XSS Auditor in WebKit in Apple Safari before 6.0.5 does not properly r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2013-1012 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari bef ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2013-1011 (WebKit, as used in Apple iTunes before 11.0.3, allows man-in-the-middl ...) NOT-FOR-US: Apple iTunes CVE-2013-1010 (WebKit, as used in Apple iTunes before 11.0.3, allows man-in-the-middl ...) NOT-FOR-US: Apple iTunes CVE-2013-1009 (WebKit, as used in Apple Safari before 6.0.5, allows remote attackers ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2013-1008 (WebKit, as used in Apple iTunes before 11.0.3, allows man-in-the-middl ...) NOT-FOR-US: Apple iTunes CVE-2013-1007 (WebKit, as used in Apple iTunes before 11.0.3, allows man-in-the-middl ...) NOT-FOR-US: Apple iTunes CVE-2013-1006 (WebKit, as used in Apple iTunes before 11.0.3, allows man-in-the-middl ...) NOT-FOR-US: Apple iTunes CVE-2013-1005 (WebKit, as used in Apple iTunes before 11.0.3, allows man-in-the-middl ...) NOT-FOR-US: Apple iTunes CVE-2013-1004 (WebKit, as used in Apple iTunes before 11.0.3, allows man-in-the-middl ...) NOT-FOR-US: Apple iTunes CVE-2013-1003 (WebKit, as used in Apple iTunes before 11.0.3, allows man-in-the-middl ...) NOT-FOR-US: Apple iTunes CVE-2013-1002 (WebKit, as used in Apple iTunes before 11.0.3, allows man-in-the-middl ...) NOT-FOR-US: Apple iTunes CVE-2013-1001 (WebKit, as used in Apple iTunes before 11.0.3, allows man-in-the-middl ...) NOT-FOR-US: Apple iTunes CVE-2013-1000 (WebKit, as used in Apple iTunes before 11.0.3, allows man-in-the-middl ...) NOT-FOR-US: Apple iTunes CVE-2013-0999 (WebKit, as used in Apple iTunes before 11.0.3, allows man-in-the-middl ...) NOT-FOR-US: Apple iTunes CVE-2013-0998 (WebKit, as used in Apple iTunes before 11.0.3, allows man-in-the-middl ...) NOT-FOR-US: Apple iTunes CVE-2013-0997 (WebKit, as used in Apple iTunes before 11.0.3, allows man-in-the-middl ...) NOT-FOR-US: Apple iTunes CVE-2013-0996 (WebKit, as used in Apple iTunes before 11.0.3, allows man-in-the-middl ...) NOT-FOR-US: Apple iTunes CVE-2013-0995 (WebKit, as used in Apple iTunes before 11.0.3, allows man-in-the-middl ...) NOT-FOR-US: Apple iTunes CVE-2013-0994 (WebKit, as used in Apple iTunes before 11.0.3, allows man-in-the-middl ...) NOT-FOR-US: Apple iTunes CVE-2013-0993 (WebKit, as used in Apple iTunes before 11.0.3, allows man-in-the-middl ...) NOT-FOR-US: Apple iTunes CVE-2013-0992 (WebKit, as used in Apple iTunes before 11.0.3, allows man-in-the-middl ...) NOT-FOR-US: Apple iTunes CVE-2013-0991 (WebKit, as used in Apple iTunes before 11.0.3, allows man-in-the-middl ...) NOT-FOR-US: Apple iTunes CVE-2013-0990 (SMB in Apple Mac OS X before 10.8.4, when file sharing is enabled, all ...) NOT-FOR-US: Apple CVE-2013-0989 (Buffer overflow in Apple QuickTime before 7.7.4 allows remote attacker ...) NOT-FOR-US: Apple QuickTime CVE-2013-0988 (Buffer overflow in Apple QuickTime before 7.7.4 allows remote attacker ...) NOT-FOR-US: Apple QuickTime CVE-2013-0987 (Apple QuickTime before 7.7.4 allows remote attackers to execute arbitr ...) NOT-FOR-US: Apple QuickTime CVE-2013-0986 (Buffer overflow in Apple QuickTime before 7.7.4 allows remote attacker ...) NOT-FOR-US: Apple QuickTime CVE-2013-0985 (Disk Management in Apple Mac OS X before 10.8.4 does not properly auth ...) NOT-FOR-US: Apple Mac OS X CVE-2013-0984 (Directory Service in Apple Mac OS X through 10.6.8 allows remote attac ...) NOT-FOR-US: Mac OS Server CVE-2013-0983 (Stack consumption vulnerability in CoreAnimation in Apple Mac OS X bef ...) NOT-FOR-US: Apple Mac OS X CVE-2013-0982 (The Private Browsing feature in CFNetwork in Apple Mac OS X before 10. ...) NOT-FOR-US: Apple Mac OS X CVE-2013-0981 (The IOUSBDeviceFamily driver in the USB implementation in the kernel i ...) NOT-FOR-US: Apple iOS CVE-2013-0980 (The Passcode Lock implementation in Apple iOS before 6.1.3 does not pr ...) NOT-FOR-US: Apple iOS CVE-2013-0979 (lockdownd in Lockdown in Apple iOS before 6.1.3 does not properly cons ...) NOT-FOR-US: Apple iOS CVE-2013-0978 (The ARM prefetch abort handler in the kernel in Apple iOS before 6.1.3 ...) NOT-FOR-US: Apple iOS CVE-2013-0977 (dyld in Apple iOS before 6.1.3 and Apple TV before 5.2.1 does not prop ...) NOT-FOR-US: Apple iOS CVE-2013-0976 (IOAcceleratorFamily in Apple Mac OS X before 10.8.3 allows remote atta ...) NOT-FOR-US: Mac OS X CVE-2013-0975 (Buffer overflow in QuickDraw Manager in Apple Mac OS X before 10.8.4 a ...) NOT-FOR-US: Apple Mac OS X CVE-2013-0974 (StoreKit in Apple iOS before 6.1 does not properly handle the disablin ...) NOT-FOR-US: Apple StoreKit CVE-2013-0973 (Software Update in Apple Mac OS X through 10.7.5 does not prevent plug ...) NOT-FOR-US: Mac OS X CVE-2013-0972 RESERVED CVE-2013-0971 (Use-after-free vulnerability in PDFKit in Apple Mac OS X before 10.8.3 ...) NOT-FOR-US: Mac OS X CVE-2013-0970 (Messages in Apple Mac OS X before 10.8.3 allows remote attackers to by ...) NOT-FOR-US: Mac OS X CVE-2013-0969 (Login Window in Apple Mac OS X before 10.8.3 does not prevent applicat ...) NOT-FOR-US: Mac OS X CVE-2013-0968 (WebKit, as used in Apple iOS before 6.1, allows remote attackers to ex ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2013-0967 (CoreTypes in Apple Mac OS X before 10.8.3 includes JNLP files in the l ...) NOT-FOR-US: Mac OS X CVE-2013-0966 (The Apple mod_hfs_apple module for the Apache HTTP Server in Apple Mac ...) NOT-FOR-US: Apple mod_hfs_apple CVE-2013-0965 RESERVED CVE-2013-0964 (The kernel in Apple iOS before 6.1 and Apple TV before 5.2 does not pr ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2013-0963 (Identity Services in Apple iOS before 6.1 does not properly handle val ...) NOT-FOR-US: Identity Services in Apple iOS CVE-2013-0962 (Cross-site scripting (XSS) vulnerability in WebKit in Apple iOS before ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2013-0961 (WebKit in Apple Safari before 6.0.3 allows remote attackers to execute ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2013-0960 (WebKit in Apple Safari before 6.0.3 allows remote attackers to execute ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2013-0959 (WebKit, as used in Apple iOS before 6.1, allows remote attackers to ex ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2013-0958 (WebKit, as used in Apple iOS before 6.1, allows remote attackers to ex ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2013-0957 (Data Protection in Apple iOS before 7 allows attackers to bypass inten ...) NOT-FOR-US: Apple iOS CVE-2013-0956 (WebKit, as used in Apple iOS before 6.1, allows remote attackers to ex ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2013-0955 (WebKit, as used in Apple iOS before 6.1, allows remote attackers to ex ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2013-0954 (WebKit, as used in Apple iOS before 6.1, allows remote attackers to ex ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2013-0953 (WebKit, as used in Apple iOS before 6.1, allows remote attackers to ex ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2013-0952 (WebKit, as used in Apple iOS before 6.1, allows remote attackers to ex ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2013-0951 (WebKit, as used in Apple iOS before 6.1, allows remote attackers to ex ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2013-0950 (WebKit, as used in Apple iOS before 6.1, allows remote attackers to ex ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2013-0949 (WebKit, as used in Apple iOS before 6.1, allows remote attackers to ex ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2013-0948 (WebKit, as used in Apple iOS before 6.1, allows remote attackers to ex ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2013-0947 (EMC RSA Authentication Manager 8.0 before P1 allows local users to dis ...) NOT-FOR-US: EMC CVE-2013-0946 (Buffer overflow in the Library Control Program (LCP) in EMC AlphaStor ...) NOT-FOR-US: EMC CVE-2013-0945 (EMC Avamar Client before 6.1.101-89 does not verify that the server ho ...) NOT-FOR-US: EMC Avamar CVE-2013-0944 (The web-based file-restore interface in EMC Avamar Server before 6.1.0 ...) NOT-FOR-US: EMC Avamar CVE-2013-0943 (EMC NetWorker 7.6.x and 8.x before 8.1 allows local users to obtain se ...) NOT-FOR-US: EMC CVE-2013-0942 (Cross-site scripting (XSS) vulnerability in EMC RSA Authentication Age ...) NOT-FOR-US: EMC RSA Authentication Agent CVE-2013-0941 (EMC RSA Authentication API before 8.1 SP1, RSA Web Agent before 5.3.5 ...) NOT-FOR-US: EMC CVE-2013-0940 (The nsrpush process in the client in EMC NetWorker before 7.6.5.3 and ...) NOT-FOR-US: EMC NetWorker CVE-2013-0939 (EMC Documentum Webtop before 6.7 SP2, Documentum WDK before 6.7 SP2, D ...) NOT-FOR-US: EMC CVE-2013-0938 (Cross-site scripting (XSS) vulnerability in EMC Documentum Webtop befo ...) NOT-FOR-US: EMC CVE-2013-0937 (Session fixation vulnerability in EMC Documentum Webtop before 6.7 SP2 ...) NOT-FOR-US: EMC CVE-2013-0936 (Cross-site scripting (XSS) vulnerability in EMC Smarts IP Manager, Sma ...) NOT-FOR-US: EMC CVE-2013-0935 (EMC Smarts Network Configuration Manager (NCM) before 9.2 does not req ...) NOT-FOR-US: EMC CVE-2013-0934 (EMC RSA Archer 5.x before GRC 5.3SP1, and Archer Smart Suite Framework ...) NOT-FOR-US: EMC CVE-2013-0933 (Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Archer ...) NOT-FOR-US: EMC CVE-2013-0932 (EMC RSA Archer 5.x before GRC 5.3SP1, and Archer Smart Suite Framework ...) NOT-FOR-US: EMC CVE-2013-0931 (EMC RSA Authentication Agent 7.1.x before 7.1.2 on Windows does not en ...) NOT-FOR-US: EMC RSA CVE-2013-0930 (Buffer overflow in Drive Control Program (DCP) in EMC AlphaStor 4.0 be ...) NOT-FOR-US: EMC AlphaStor CVE-2013-0929 (Format string vulnerability in the _vsnsprintf function in rrobotd.exe ...) NOT-FOR-US: EMC AlphaStor CVE-2013-0928 (The NetWorker command processor in rrobotd.exe in the Device Manager i ...) NOT-FOR-US: EMC AlphaStor CVE-2013-0927 (Google Chrome OS before 26.0.1410.57 relies on a Pango pango-utils.c r ...) NOT-FOR-US: Chrome OS CVE-2013-0926 (Google Chrome before 26.0.1410.43 does not properly handle active cont ...) - chromium-browser 26.0.1410.43-1 [squeeze] - chromium-browser CVE-2013-0925 (Google Chrome before 26.0.1410.43 does not ensure that an extension ha ...) - chromium-browser 26.0.1410.43-1 [squeeze] - chromium-browser CVE-2013-0924 (The extension functionality in Google Chrome before 26.0.1410.43 does ...) - chromium-browser 26.0.1410.43-1 [squeeze] - chromium-browser CVE-2013-0923 (The USB Apps API in Google Chrome before 26.0.1410.43 allows remote at ...) - chromium-browser 26.0.1410.43-1 [squeeze] - chromium-browser CVE-2013-0922 (Google Chrome before 26.0.1410.43 does not properly restrict brute-for ...) - chromium-browser 26.0.1410.43-1 [squeeze] - chromium-browser CVE-2013-0921 (The Isolated Sites feature in Google Chrome before 26.0.1410.43 does n ...) - chromium-browser 26.0.1410.43-1 [squeeze] - chromium-browser CVE-2013-0920 (Use-after-free vulnerability in the extension bookmarks API in Google ...) - chromium-browser 26.0.1410.43-1 [squeeze] - chromium-browser CVE-2013-0919 (Use-after-free vulnerability in Google Chrome before 26.0.1410.43 on L ...) - chromium-browser 26.0.1410.43-1 [squeeze] - chromium-browser CVE-2013-0918 (Google Chrome before 26.0.1410.43 does not prevent navigation to devel ...) - chromium-browser 26.0.1410.43-1 [squeeze] - chromium-browser CVE-2013-0917 (The URL loader in Google Chrome before 26.0.1410.43 allows remote atta ...) - chromium-browser 26.0.1410.43-1 [squeeze] - chromium-browser CVE-2013-0916 (Use-after-free vulnerability in the Web Audio implementation in Google ...) - chromium-browser 26.0.1410.43-1 [squeeze] - chromium-browser CVE-2013-0915 (The GPU process in Google Chrome OS before 25.0.1364.173 allows attack ...) NOT-FOR-US: Overflow in Chrome-specific libs CVE-2013-0914 (The flush_signal_handlers function in kernel/signal.c in the Linux ker ...) {DSA-2668-1} - linux 3.2.41-1 (low) - linux-2.6 (low) CVE-2013-0913 (Integer overflow in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the ...) - linux 3.2.41-2 - linux-2.6 [squeeze] - linux-2.6 (Vulnerable code was introduced later) CVE-2013-0912 (WebKit in Google Chrome before 25.0.1364.160 allows remote attackers t ...) - chromium-browser 25.0.1364.160-1 [squeeze] - chromium-browser CVE-2013-0911 (Directory traversal vulnerability in Google Chrome before 25.0.1364.15 ...) - chromium-browser 25.0.1364.152-1 [squeeze] - chromium-browser CVE-2013-0910 (Google Chrome before 25.0.1364.152 does not properly manage the intera ...) - chromium-browser 25.0.1364.152-1 [squeeze] - chromium-browser CVE-2013-0909 (The XSS Auditor in Google Chrome before 25.0.1364.152 allows remote at ...) - chromium-browser 25.0.1364.152-1 [squeeze] - chromium-browser CVE-2013-0908 (Google Chrome before 25.0.1364.152 does not properly manage bindings o ...) - chromium-browser 25.0.1364.152-1 [squeeze] - chromium-browser CVE-2013-0907 (Race condition in Google Chrome before 25.0.1364.152 allows remote att ...) - chromium-browser 25.0.1364.152-1 [squeeze] - chromium-browser CVE-2013-0906 (The IndexedDB implementation in Google Chrome before 25.0.1364.152 all ...) - chromium-browser 25.0.1364.152-1 [squeeze] - chromium-browser CVE-2013-0905 (Use-after-free vulnerability in Google Chrome before 25.0.1364.152 all ...) - chromium-browser 25.0.1364.152-1 [squeeze] - chromium-browser CVE-2013-0904 (The Web Audio implementation in Google Chrome before 25.0.1364.152 all ...) - chromium-browser 25.0.1364.152-1 [squeeze] - chromium-browser CVE-2013-0903 (Use-after-free vulnerability in Google Chrome before 25.0.1364.152 all ...) - chromium-browser 25.0.1364.152-1 [squeeze] - chromium-browser CVE-2013-0902 (Use-after-free vulnerability in the frame-loader implementation in Goo ...) - chromium-browser 25.0.1364.152-1 [squeeze] - chromium-browser CVE-2013-0901 RESERVED CVE-2013-0900 (Race condition in the International Components for Unicode (ICU) funct ...) {DSA-2786-1} - chromium-browser 25.0.1364.97-1 [squeeze] - chromium-browser - icu 4.8.1.1-12 (low; bug #702346) [squeeze] - icu (Minor issue for standalone ICU outside of browser context) CVE-2013-0899 (Integer overflow in the padding implementation in the opus_packet_pars ...) - chromium-browser 25.0.1364.97-1 [squeeze] - chromium-browser - opus 0.9.14+20120615-1+nmu1 (bug #704870) CVE-2013-0898 (Use-after-free vulnerability in Google Chrome before 25.0.1364.97 on W ...) - chromium-browser 25.0.1364.97-1 [squeeze] - chromium-browser CVE-2013-0897 (Off-by-one error in the PDF functionality in Google Chrome before 25.0 ...) - chromium-browser (PDF viewer not included in Chromium) [squeeze] - chromium-browser CVE-2013-0896 (Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25. ...) - chromium-browser 25.0.1364.97-1 [squeeze] - chromium-browser CVE-2013-0895 (Google Chrome before 25.0.1364.97 on Linux, and before 25.0.1364.99 on ...) - chromium-browser 25.0.1364.97-1 [squeeze] - chromium-browser CVE-2013-0894 (Buffer overflow in the vorbis_parse_setup_hdr_floors function in the V ...) - chromium-browser 25.0.1364.97-1 [squeeze] - chromium-browser - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:0.8.6-1 (bug #703200) CVE-2013-0893 (Race condition in Google Chrome before 25.0.1364.97 on Windows and Lin ...) - chromium-browser 25.0.1364.97-1 [squeeze] - chromium-browser CVE-2013-0892 (Multiple unspecified vulnerabilities in the IPC layer in Google Chrome ...) - chromium-browser 25.0.1364.97-1 [squeeze] - chromium-browser CVE-2013-0891 (Integer overflow in Google Chrome before 25.0.1364.97 on Windows and L ...) - chromium-browser 25.0.1364.97-1 [squeeze] - chromium-browser CVE-2013-0890 (Multiple unspecified vulnerabilities in the IPC layer in Google Chrome ...) - chromium-browser 25.0.1364.97-1 [squeeze] - chromium-browser CVE-2013-0889 (Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25. ...) - chromium-browser 25.0.1364.97-1 [squeeze] - chromium-browser CVE-2013-0888 (Skia, as used in Google Chrome before 25.0.1364.97 on Windows and Linu ...) - chromium-browser 25.0.1364.97-1 [squeeze] - chromium-browser CVE-2013-0887 (The developer-tools process in Google Chrome before 25.0.1364.97 on Wi ...) - chromium-browser 25.0.1364.97-1 [squeeze] - chromium-browser CVE-2013-0886 (Google Chrome before 25.0.1364.99 on Mac OS X does not properly implem ...) - chromium-browser (Mac OS X only) [squeeze] - chromium-browser CVE-2013-0885 (Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25. ...) - chromium-browser 25.0.1364.97-1 [squeeze] - chromium-browser CVE-2013-0884 (Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25. ...) - chromium-browser 25.0.1364.97-1 [squeeze] - chromium-browser CVE-2013-0883 (Skia, as used in Google Chrome before 25.0.1364.97 on Windows and Linu ...) - chromium-browser 25.0.1364.97-1 [squeeze] - chromium-browser CVE-2013-0882 (Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25. ...) - chromium-browser 25.0.1364.97-1 [squeeze] - chromium-browser CVE-2013-0881 (Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25. ...) - chromium-browser 25.0.1364.97-1 [squeeze] - chromium-browser CVE-2013-0880 (Use-after-free vulnerability in Google Chrome before 25.0.1364.97 on W ...) - chromium-browser 25.0.1364.97-1 [squeeze] - chromium-browser CVE-2013-0879 (Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25. ...) - chromium-browser 25.0.1364.97-1 [squeeze] - chromium-browser CVE-2013-0878 (The advance_line function in libavcodec/targa.c in FFmpeg before 1.1.3 ...) - ffmpeg (Affected code not present in 0.5 ffmpeg) - libav (Affected code not present in libav) CVE-2013-0877 (The old_codec37 function in libavcodec/sanm.c in FFmpeg before 1.1.3 a ...) - ffmpeg (Smush codec not present in 0.5 ffmpeg) - libav (Smush codec not present in libav) CVE-2013-0876 (Multiple integer overflows in the (1) old_codec37 and (2) old_codec47 ...) - ffmpeg (Smush codec not present in 0.5 ffmpeg) - libav (Smush codec not present in libav) CVE-2013-0875 (The ff_add_png_paeth_prediction function in libavcodec/pngdec.c in FFm ...) - ffmpeg (Affected code not present in 0.5 ffmpeg) - libav (Affected code not present in libav) CVE-2013-0874 (The (1) doubles2str and (2) shorts2str functions in libavcodec/tiff.c ...) - ffmpeg (Affected code not present in 0.5 ffmpeg) - libav (Affected code not present in libav) CVE-2013-0873 (The read_header function in libavcodec/shorten.c in FFmpeg before 1.1. ...) - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:0.8.6-1 (bug #717009) NOTE: Commit in libav trunk http://git.libav.org/?p=libav.git;a=commit;h=c10da30d8426a1f681d99a780b6e311f7fb4e5c5 NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=4f1279154ee9baf2078241bf5619774970d18b25 NOTE: Fix needed for ffmpeg 0.5 CVE-2013-0872 (The swr_init function in libswresample/swresample.c in FFmpeg before 1 ...) - ffmpeg (libswresample not yet present in ffmpeg/0.5) - libav (libswresample not present in libav, linavresamle not affected) CVE-2013-0871 (Race condition in the ptrace functionality in the Linux kernel before ...) {DSA-2632-1} - linux 3.2.39-1 - linux-2.6 CVE-2013-0870 (The 'vp3_decode_frame' function in FFmpeg 1.1.4 moves threads check ou ...) - ffmpeg (No threading support in vp3 from ffmpeg 0.5) - libav (Vulnerable code added in ffmpeg post-merge) CVE-2013-0869 (The field_end function in libavcodec/h264.c in FFmpeg before 1.1.2 all ...) - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:0.8.5-1 NOTE: libav fix: http://git.libav.org/?p=libav.git;a=commit;h=706acb558a38eba633056773280155d66c2f4b24 NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=695af8eed642ff0104834495652d1ee784a4c14d NOTE: Fix needed in ffmpeg 0.5 CVE-2013-0868 (libavcodec/huffyuvdec.c in FFmpeg before 1.1.2 allows remote attackers ...) {DSA-3003-1} - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:10.3-1 NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f67a0d115254461649470452058fa3c28c0df294 NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=0dfc01c2bbf4b71bb56201bc4a393321e15d1b31 CVE-2013-0867 (The decode_slice_header function in libavcodec/h264.c in FFmpeg before ...) - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav (Code in libav is different/not affect as per libav h264 maintainer) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=11c99c78bafa77f679a1a3ba06ad00984b9a4cae CVE-2013-0866 (The aac_decode_init function in libavcodec/aacdec.c in FFmpeg before 1 ...) {DSA-2793-1} - ffmpeg (Code in 0.5 is different/not affected) - libav 6:0.8.7-1 (bug #717009) NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=96f452ac647dae33c53c242ef3266b65a9beafb6 NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=a943a132f36f4df8fe2f749744677b71984abce7 CVE-2013-0865 (The vqa_decode_chunk function in libavcodec/vqavideo.c in FFmpeg befor ...) {DSA-2855-1} - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:9.8-1 (bug #717009) NOTE: libav commit: http://git.libav.org/?p=libav.git;a=commit;h=f7d18deb73d1dd1b27b2c7062c9a10d168a6c62a CVE-2013-0864 (The gif_copy_img_rect function in libavcodec/gifdec.c in FFmpeg before ...) - ffmpeg (These changes are specific to current ffmpeg and don't affect ffmpeg 0.5) - libav ((These changes are specific to ffmpeg and don't affect libav) CVE-2013-0863 (Buffer overflow in the rle_decode function in libavcodec/sanm.c in FFm ...) - ffmpeg (Smush codec not present in 0.5 ffmpeg) - libav (Smush codec not present in libav) CVE-2013-0862 (Multiple integer overflows in the process_frame_obj function in libavc ...) - ffmpeg (Smush codec not present in 0.5 ffmpeg) - libav (Smush codec not present in libav) CVE-2013-0861 (The avcodec_decode_audio4 function in libavcodec/utils.c in FFmpeg bef ...) - ffmpeg (These changes are specific to current ffmpeg and don't affect ffmpeg 0.5) - libav (Affected code not present in libav 0.8.x) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=d270c3202539e8364c46410e15f7570800e33343 NOTE: Affects the libav version in experimental CVE-2013-0860 (The ff_er_frame_end function in libavcodec/error_resilience.c in FFmpe ...) {DSA-3003-1} - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:10.1-1 NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=23318a57358358e7a4dc551e830e4503f0638cfe NOTE: [Vittorio] not present in master and 10, fix pushed to 9 and 0.8 CVE-2013-0859 (The add_doubles_metadata function in libavcodec/tiff.c in FFmpeg befor ...) - ffmpeg (These changes are specific to current ffmpeg and don't affect ffmpeg 0.5) - libav ((These changes are specific to ffmpeg and don't affect libav) CVE-2013-0858 (The atrac3_decode_init function in libavcodec/atrac3.c in FFmpeg befor ...) {DSA-2793-1} - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:9.9-1 (bug #717009) NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=13451f5520ce6b0afde861b2285dda659f8d4fb4 NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=50cf5a7fb78846fc39b3ecdaa896a10bcd74da2a NOTE: Fixed in 0.8.9 CVE-2013-0857 (The decode_frame_ilbm function in libavcodec/iff.c in FFmpeg before 1. ...) {DSA-2793-1} - ffmpeg (IFF PBM/ILBM bitmap decoder not present in 0.5 ffmpeg) - libav 6:9.9-1 (bug #717009) NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=2fbb37b51bbea891392ad357baf8f3dff00bac05 NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=7d65e960c72f36b73ae7fe84f8e427d758e61da9 NOTE: Fixed in 0.8.9 CVE-2013-0856 (The lpc_prediction function in libavcodec/alac.c in FFmpeg before 1.1 ...) - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:9.10-1 [wheezy] - libav (Vulnerable code not present) NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=fd4f4923cce6a2cbf4f48640b4ac706e614a1594 NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=78aa2ed620178044a227fbbe48f749c0dc86023f CVE-2013-0855 (Integer overflow in the alac_decode_close function in libavcodec/alac. ...) - ffmpeg (0.5 series not affected) - libav 6:9.9-1 (bug #717009) [wheezy] - libav (0.8 series not affected) NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=3920d1387834e2bc334aff9f518f4beb24e470bd NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=f7c5883126f9440547933eefcf000aa78af4821c CVE-2013-0854 (The mjpeg_decode_scan_progressive_ac function in libavcodec/mjpegdec.c ...) {DSA-2793-1} - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:0.8.8-1 (bug #717009) NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=1f41cffe1e3e79620f587545bdfcbd7e6e68ed29 NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=cfbd98abe82cfcb9984a18d08697251b72b110c8 CVE-2013-0853 (The wavpack_decode_frame function in libavcodec/wavpack.c in FFmpeg be ...) {DSA-2793-1} - ffmpeg (Vulnerability introduced later) - libav 6:0.8.8-1 (bug #717009) NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=be818df547c3b0ae4fadb50fd210139a8636706a NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=ed50673066956d6f2201a57c3254569f2ab08d9d CVE-2013-0852 (The parse_picture_segment function in libavcodec/pgssubdec.c in FFmpeg ...) {DSA-3003-1} - ffmpeg (PGS subtitle decoder not present) - libav 6:10.3-1 NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=c0d68be555f5858703383040e04fcd6529777061 CVE-2013-0851 (The decode_frame function in libavcodec/eamad.c in FFmpeg before 1.1 a ...) {DSA-3003-1} - ffmpeg (Electronic Arts Madcow Video decoder not present in ffmpeg 0.5) - libav 6:10.3-1 NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=63ac64864c6e0e84355aa3caa5b92208997a9a8d NOTE: https://git.libav.org/?p=libav.git;a=commit;h=f9204ec56a4cf73843d1e5b8563d3584c2c05b47 (v10) NOTE: https://git.libav.org/?p=libav.git;a=commit;h=e8ff7972064631afbdf240ec6bfd9dec30cf2ce8 (v9) NOTE: https://git.libav.org/?p=libav.git;a=commit;h=187cfd3c13a1deb47661486824a5b8f41e158a7a (v0.8) CVE-2013-0850 (The decode_slice_header function in libavcodec/h264.c in FFmpeg before ...) {DSA-2793-1} - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:0.8.7-1 (bug #717009) NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=d6c184880ee2e09fd68c0ae217173832cee5afc1 NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=6e5cdf26281945ddea3aaf5eca4d127791f23ca8 CVE-2013-0849 (The roq_decode_init function in libavcodec/roqvideodec.c in FFmpeg bef ...) {DSA-2855-1} - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:9.3-1 (bug #717009) NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=3ae610451170cd5a28b33950006ff0bd23036845 NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=488f87be873506abb01d67708a67c10a4dd29283 CVE-2013-0848 (The decode_init function in libavcodec/huffyuv.c in FFmpeg before 1.1 ...) {DSA-3003-1} - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:10.4-1 NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=6abb9a901fca27da14d4fffbb01948288b5da3ba NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=a7153444df9040bf6ae103e0bbf6104b66f974cb CVE-2013-0847 (The ff_id3v2_parse function in libavformat/id3v2.c in FFmpeg before 1. ...) - ffmpeg (Affected code not present in ffmpeg 0.5) - libav (Code in libav is different, read_ttag) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=10416a4d56fa8a89784e4fb62099c3cab17a9952 CVE-2013-0846 (Array index error in the qdm2_decode_super_block function in libavcode ...) {DSA-2855-1} - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:9.3-1 (bug #717009) NOTE: ffmpeg commit: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=a7ee6281f7ef1c29284e3a4cadfe0f227ffde1ed NOTE: libav commit: http://git.libav.org/?p=libav.git;a=commit;h=39bec05ed42e505d17877b0c23f16322f9b5883b NOTE: Needed for ffmpeg 0.5 CVE-2013-0845 (libavcodec/alsdec.c in FFmpeg before 1.0.4 allows remote attackers to ...) {DSA-2855-1} - ffmpeg (MPEG-4 ALS decoder not present in ffmpeg/0.5) - libav 6:9.11-1 NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=0ceca269b66ec12a23bf0907bd2c220513cdbf16 NOTE: Fixed in revisions: v9-2748-g2a0fb72, v9.10-7-g3f7d890 NOTE: http://git.libav.org/?p=libav.git;a=commitdiff;h=2a0fb72 NOTE: http://git.libav.org/?p=libav.git;a=commitdiff;h=3f7d890 CVE-2013-0844 (Off-by-one error in the adpcm_decode_frame function in libavcodec/adpc ...) {DSA-2793-1} - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:9.10-1 NOTE: ffmpeg commit: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f18c873ab5ee3c78d00fdcc2582b39c133faecb4 NOTE: libav commit: https://git.libav.org/?p=libav.git;a=commitdiff;h=12576afe206d35231ccd61f9033c5fdab6a11e NOTE: Fixed in 0.8.9 CVE-2013-0843 (content/renderer/media/webrtc_audio_renderer.cc in Google Chrome befor ...) - chromium-browser (MacOS-specific) [squeeze] - chromium-browser CVE-2013-0842 (Google Chrome before 24.0.1312.56 does not properly handle %00 charact ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2013-0841 (Array index error in the content-blocking functionality in Google Chro ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2013-0840 (Google Chrome before 24.0.1312.56 does not validate URLs during the op ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2013-0839 (Use-after-free vulnerability in Google Chrome before 24.0.1312.56 allo ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2013-0838 (Google Chrome before 24.0.1312.52 on Linux uses weak permissions for s ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2013-0837 (Google Chrome before 24.0.1312.52 allows remote attackers to cause a d ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2013-0836 (Google V8 before 3.14.5.3, as used in Google Chrome before 24.0.1312.5 ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser - libv8 (bug #702261; vulnerablility was fixed by reverting to old implementation as found in version 3.8.9.20) CVE-2013-0835 (Unspecified vulnerability in the Geolocation implementation in Google ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2013-0834 (Google Chrome before 24.0.1312.52 allows remote attackers to cause a d ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2013-0833 (Google Chrome before 24.0.1312.52 allows remote attackers to cause a d ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2013-0832 (Use-after-free vulnerability in Google Chrome before 24.0.1312.52 allo ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2013-0831 (Directory traversal vulnerability in Google Chrome before 24.0.1312.52 ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2013-0830 (The IPC layer in Google Chrome before 24.0.1312.52 on Windows omits a ...) - chromium-browser (Only affects Windows) [squeeze] - chromium-browser CVE-2013-0829 (Google Chrome before 24.0.1312.52 does not properly maintain database ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2013-0828 (The PDF functionality in Google Chrome before 24.0.1312.52 does not pr ...) - chromium-browser (PDF functionality not available in Chromium) [squeeze] - chromium-browser CVE-2012-6498 (Unrestricted file upload vulnerability in index.php in Atomymaxsite 2. ...) NOT-FOR-US: Atomymaxsite CVE-2013-0827 RESERVED CVE-2013-0826 RESERVED CVE-2013-0825 RESERVED CVE-2013-0824 RESERVED CVE-2013-0823 RESERVED CVE-2013-0822 RESERVED CVE-2013-0821 RESERVED CVE-2013-0820 RESERVED CVE-2013-0819 RESERVED CVE-2013-0818 RESERVED CVE-2013-0817 RESERVED CVE-2013-0816 RESERVED CVE-2013-0815 RESERVED CVE-2013-0814 RESERVED CVE-2013-0813 RESERVED CVE-2013-0812 RESERVED CVE-2013-0811 (Use-after-free vulnerability in Microsoft Internet Explorer 8 and 9 al ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-0810 (Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vis ...) NOT-FOR-US: Microsoft CVE-2013-0809 (Unspecified vulnerability in the 2D component in the Java Runtime Envi ...) - openjdk-6 6b27-1.12.4-1 - openjdk-7 7u3-2.1.7-1 CVE-2013-0808 RESERVED CVE-2013-0807 (Cross-site scripting (XSS) vulnerability in the NewSectionPrompt funct ...) NOT-FOR-US: gpEasy CMS CVE-2013-0806 RESERVED CVE-2013-0805 (Multiple cross-site scripting (XSS) vulnerabilities in the search feat ...) NOT-FOR-US: IT Operations Portal CVE-2013-0804 (The client in Novell GroupWise 8.0 before 8.0.3 HP2 and 2012 before SP ...) NOT-FOR-US: GroupWise CVE-2013-0803 (A PHP File Upload Vulnerability exists in PolarBear CMS 2.5 via upload ...) NOT-FOR-US: PolarBear CMS CVE-2012-6497 (The Authlogic gem for Ruby on Rails, when used with certain versions b ...) {DSA-2597-1} - ruby-activerecord-3.2 3.2.6-3 - ruby-activerecord-2.3 2.3.14-3 - rails 2.3.14.1 NOTE: Starting with 2.3.14.1 rails is a transition package CVE-2012-6496 (SQL injection vulnerability in the Active Record component in Ruby on ...) {DSA-2597-1} - ruby-activerecord-3.2 3.2.6-3 - ruby-activerecord-2.3 2.3.14-3 - rails 2.3.14.1 NOTE: Starting with 2.3.14.1 rails is a transition package CVE-2013-0802 RESERVED CVE-2013-0801 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2720-1 DSA-2699-1} - iceweasel 17.0.6esr-1 [squeeze] - iceweasel - icedove 17.0.7-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-0800 (Integer signedness error in the pixman_fill_sse2 function in pixman-ss ...) {DSA-2699-1} - iceweasel 17.0.5esr-1 [squeeze] - iceweasel - icedove 17.0.5-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape - wine-gecko-1.4 (unimportant) NOTE: The description is misleading: Firefox embeds a copy of Cairo, the interdiff NOTE: shows the respective change at mozilla-esr17/gfx/cairo/cairo/src/cairo-image-surface.c NOTE: Apparently the forked copy has changed, the code isn't present in vanilla Cairo CVE-2013-0799 (Buffer overflow in the Mozilla Maintenance Service in Mozilla Firefox ...) - iceweasel (Only affects Firefox on Windows) CVE-2013-0798 (Mozilla Firefox before 20.0 on Android uses world-writable and world-r ...) - iceweasel (Only affects Firefox on Android) CVE-2013-0797 (Untrusted search path vulnerability in the Mozilla Updater in Mozilla ...) - iceweasel (Only affects Firefox on Windows) CVE-2013-0796 (The WebGL subsystem in Mozilla Firefox before 20.0, Firefox ESR 17.x b ...) {DSA-2699-1} - iceweasel 17.0.5esr-1 [squeeze] - iceweasel - icedove 17.0.5-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-0795 (The System Only Wrapper (SOW) implementation in Mozilla Firefox before ...) {DSA-2720-1 DSA-2699-1} - icedove 17.0.7-1 [squeeze] - icedove - iceape [squeeze] - iceape - iceweasel 17.0.5esr-1 [squeeze] - iceweasel [wheezy] - iceape CVE-2013-0794 (Mozilla Firefox before 20.0 and SeaMonkey before 2.17 do not prevent o ...) - iceweasel 17.0.5esr-1 (low) [squeeze] - iceweasel - iceape (low) [squeeze] - iceape [wheezy] - iceape CVE-2013-0793 (Mozilla Firefox before 20.0, Firefox ESR 17.x before 17.0.5, Thunderbi ...) {DSA-2699-1} - iceweasel 17.0.5esr-1 [squeeze] - iceweasel - icedove 17.0.5-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-0792 (Mozilla Firefox before 20.0 and SeaMonkey before 2.17, when gfx.color_ ...) - iceweasel 17.0.5esr-1 (low) [squeeze] - iceweasel - iceape (low) [squeeze] - iceape [wheezy] - iceape CVE-2013-0791 (The CERT_DecodeCertPackage function in Mozilla Network Security Servic ...) - nss 2:3.14.3-1 (unimportant) NOTE: client crash only CVE-2013-0790 (Unspecified vulnerability in the browser engine in Mozilla Firefox bef ...) - iceweasel (Only affects Firefox on Android) CVE-2013-0789 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel (Only affects Firefox 19) - icedove (Only affects Firefox 19) - iceape (Only affects Firefox 19) CVE-2013-0788 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2699-1} - iceweasel 17.0.5esr-1 [squeeze] - iceweasel - iceape [squeeze] - iceape - icedove 17.0.5-1 [squeeze] - icedove [wheezy] - iceape CVE-2013-0787 (Use-after-free vulnerability in the nsEditor::IsPreformatted function ...) {DSA-2699-1} [squeeze] - iceweasel - iceweasel 17.0.5esr-1 - icedove 17.0.5-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-0786 (The Bugzilla::Search::build_subselect function in Bugzilla 2.x and 3.x ...) - bugzilla (low) [squeeze] - bugzilla (Minor issue) - bugzilla4 (bug #669643) CVE-2013-0785 (Cross-site scripting (XSS) vulnerability in show_bug.cgi in Bugzilla b ...) - bugzilla (low) [squeeze] - bugzilla (Minor issue) - bugzilla4 (bug #669643) CVE-2013-0784 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2013-0783 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2699-1} - iceweasel 17.0.5esr-1 (bug #703071) [squeeze] - iceweasel - icedove 17.0.5-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-0782 (Heap-based buffer overflow in the nsSaveAsCharset::DoCharsetConversion ...) {DSA-2699-1} - iceweasel 17.0.5esr-1 (bug #703071) [squeeze] - iceweasel - icedove 17.0.5-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-0781 (Use-after-free vulnerability in the nsPrintEngine::CommonPrint functio ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2013-0780 (Use-after-free vulnerability in the nsOverflowContinuationTracker::Fin ...) {DSA-2699-1} - iceweasel 17.0.5esr-1 (bug #703071) [squeeze] - iceweasel - icedove 17.0.5-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-0779 (The nsCodingStateMachine::NextState function in Mozilla Firefox before ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2013-0778 (The ClusterIterator::NextCluster function in Mozilla Firefox before 19 ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2013-0777 (Use-after-free vulnerability in the nsDisplayBoxShadowOuter::Paint fun ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2013-0776 (Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbi ...) {DSA-2699-1} - iceweasel 17.0.5esr-1 (bug #703071) [squeeze] - iceweasel - icedove 17.0.5-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-0775 (Use-after-free vulnerability in the nsImageLoadingContent::OnStopConta ...) {DSA-2699-1} - iceweasel 17.0.5esr-1 (bug #703071) [squeeze] - iceweasel - icedove 17.0.5-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-0774 (Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbi ...) - iceape (Introduced in Firefox 15) - iceweasel (Introduced in Firefox 15) - icedove (Introduced in Firefox 15) CVE-2013-0773 (The Chrome Object Wrapper (COW) and System Only Wrapper (SOW) implemen ...) {DSA-2699-1} - iceweasel 17.0.5esr-1 (bug #703071) [squeeze] - iceweasel - icedove 17.0.5-1 [squeeze] - icedove - iceape [squeeze] - iceape [wheezy] - iceape CVE-2013-0772 (The RasterImage::DrawFrameTo function in Mozilla Firefox before 19.0, ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2013-0771 (Heap-based buffer overflow in the gfxTextRun::ShrinkToLigatureBoundari ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2013-0770 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2013-0769 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel 10.0.12esr-1 [squeeze] - iceweasel - icedove 10.0.12-1 [squeeze] - icedove - iceape 2.7.12-1 [squeeze] - iceape CVE-2013-0768 (Stack-based buffer overflow in the Canvas implementation in Mozilla Fi ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2013-0767 (The nsSVGPathElement::GetPathLengthScale function in Mozilla Firefox b ...) [squeeze] - iceweasel - iceweasel 10.0.12esr-1 [squeeze] - icedove - icedove 10.0.12-1 - iceape 2.7.12-1 [squeeze] - iceape CVE-2013-0766 (Use-after-free vulnerability in the ~nsHTMLEditRules implementation in ...) - iceweasel 10.0.12esr-1 [squeeze] - iceweasel [squeeze] - icedove - icedove 10.0.12-1 - iceape 2.7.12-1 [squeeze] - iceape CVE-2013-0765 (Mozilla Firefox before 19.0, Thunderbird before 17.0.3, and SeaMonkey ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2013-0764 (The nsSOCKSSocketInfo::ConnectToProxy function in Mozilla Firefox befo ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2013-0763 (Use-after-free vulnerability in Mozilla Firefox before 18.0, Firefox E ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2013-0762 (Use-after-free vulnerability in the imgRequest::OnStopFrame function i ...) - iceweasel 10.0.12esr-1 [squeeze] - iceweasel [squeeze] - icedove - icedove 10.0.12-1 - iceape 2.7.12-1 [squeeze] - iceape CVE-2013-0761 (Use-after-free vulnerability in the mozilla::TrackUnionStream::EndTrac ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2013-0760 (Buffer overflow in the CharDistributionAnalysis::HandleOneChar functio ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2013-0759 (Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x ...) - iceweasel 10.0.12esr-1 [squeeze] - iceweasel [squeeze] - icedove - icedove 10.0.12-1 - iceape 2.7.12-1 [squeeze] - iceape CVE-2013-0758 (Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x ...) - iceweasel 10.0.12esr-1 [squeeze] - iceweasel [squeeze] - icedove - icedove 10.0.12-1 - iceape 2.7.12-1 [squeeze] - iceape CVE-2013-0757 (The Chrome Object Wrapper (COW) implementation in Mozilla Firefox befo ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2013-0756 (Use-after-free vulnerability in the obj_toSource function in Mozilla F ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2013-0755 (Use-after-free vulnerability in the mozVibrate implementation in the V ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2013-0754 (Use-after-free vulnerability in the ListenerManager implementation in ...) - iceweasel 10.0.12esr-1 [squeeze] - iceweasel [squeeze] - icedove - icedove 10.0.12-1 - iceape 2.7.12-1 [squeeze] - iceape CVE-2013-0753 (Use-after-free vulnerability in the serializeToStream implementation i ...) - iceweasel 10.0.12esr-1 [squeeze] - iceweasel - icedove 10.0.12-1 [squeeze] - icedove - iceape 2.7.12-1 [squeeze] - iceape CVE-2013-0752 (Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2013-0751 (Mozilla Firefox before 18.0 on Android and SeaMonkey before 2.15 do no ...) - iceape (Android-specific) - iceweasel (Android-specific) - icedove (Android-specific) CVE-2013-0750 (Integer overflow in the JavaScript implementation in Mozilla Firefox b ...) - iceweasel 10.0.12esr-1 [squeeze] - iceweasel [squeeze] - icedove - icedove 10.0.12-1 - iceape 2.7.12-1 [squeeze] - iceape CVE-2013-0749 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2013-0748 (The XBL.__proto__.toString implementation in Mozilla Firefox before 18 ...) - iceweasel 10.0.12esr-1 [squeeze] - iceweasel [squeeze] - icedove - icedove 10.0.12-1 - iceape 2.7.12-1 [squeeze] - iceape CVE-2013-0747 (The gPluginHandler.handleEvent function in the plugin handler in Mozil ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2013-0746 (Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x ...) - iceweasel 10.0.12esr-1 [squeeze] - iceweasel [squeeze] - icedove - icedove 10.0.12-1 - iceape 2.7.12-1 [squeeze] - iceape CVE-2013-0745 (The AutoWrapperChanger class in Mozilla Firefox before 18.0, Firefox E ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2013-0744 (Use-after-free vulnerability in the TableBackgroundPainter::TableBackg ...) - iceweasel 10.0.12esr-1 [squeeze] - iceweasel - icedove 10.0.12-1 [squeeze] - icedove - iceape 2.7.12-1 [squeeze] - iceape CVE-2013-0743 REJECTED CVE-2013-0742 (Stack-based buffer overflow in Corel PDF Fusion 1.11 allows remote att ...) NOT-FOR-US: Corel PDF Fusion CVE-2013-0741 (Cross-site scripting (XSS) vulnerability in imagegen.ashx in Percipien ...) NOT-FOR-US: Percipient Studios ImageGen CVE-2013-0740 (Open redirect vulnerability in Dell OpenManage Server Administrator (O ...) NOT-FOR-US: Dell OpenManage Server Administrator CVE-2013-0739 (Chamilo 1.9.4 has XSS due to improper validation of user-supplied inpu ...) NOT-FOR-US: Chamilo LMS CVE-2013-0738 (Chamilo 1.9.4 has Multiple XSS and HTML Injection Vulnerabilities: blo ...) NOT-FOR-US: Chamilo LMS CVE-2013-0737 (Cross-site scripting (XSS) vulnerability in BoltWire 3.5 and earlier a ...) NOT-FOR-US: BoltWire CVE-2013-0736 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Ming ...) NOT-FOR-US: mingle forum plugin for wp CVE-2013-0735 (Multiple SQL injection vulnerabilities in wpf.class.php in the Mingle ...) NOT-FOR-US: Mingle Forum Wordpress plugin CVE-2013-0734 (Multiple cross-site scripting (XSS) vulnerabilities in the Mingle Foru ...) NOT-FOR-US: Mingle Forum Wordpress plugin CVE-2013-0733 (Untrusted search path vulnerability in Corel PaintShop Pro X5 and X6 1 ...) NOT-FOR-US: Corel PaintShop Pro CVE-2013-0732 (Heap-based buffer overflow in PDFCore8.dll in Nuance PDF Reader before ...) NOT-FOR-US: Nuance PDF Reader CVE-2013-0731 (ajax.functions.php in the MailUp plugin before 1.3.3 for WordPress doe ...) NOT-FOR-US: MailUp plugin for Wordpress CVE-2013-0730 (Multiple cross-site scripting (XSS) vulnerabilities in Newscoop 4.x th ...) NOT-FOR-US: Newscoop CVE-2013-0729 (Heap-based buffer overflow in Tracker Software PDF-XChange before 2.5. ...) NOT-FOR-US: Tracker Software PDF-XChange CVE-2013-0728 (Multiple stack-based buffer overflows in NCSAddOn.dll in the ERDAS APO ...) NOT-FOR-US: ERDAS ECWP Browser Plugin CVE-2013-0727 (Multiple untrusted search path vulnerabilities in Global Mapper 14.1.0 ...) NOT-FOR-US: Global Mapper CVE-2013-0726 (Stack-based buffer overflow in the ERM_convert_to_correct_webpath func ...) NOT-FOR-US: ERDAS ER Viewer CVE-2013-0725 (ERDAS ER Viewer 13.0 has dwmapi.dll and irml.dll libraries arbitrary c ...) NOT-FOR-US: ERDAS ER Viewer CVE-2013-0724 (PHP remote file inclusion vulnerability in includes/generate-pdf.php i ...) NOT-FOR-US: Wordpress plugin ecommerce Shop Styling CVE-2013-0723 (Multiple heap-based buffer overflows in etxrw.dll in Kingsoft Spreadsh ...) NOT-FOR-US: Kingsoft Spreadsheets CVE-2013-0722 (Stack-based buffer overflow in the scan_load_hosts function in ec_scan ...) - ettercap 1:0.7.5.1-2 (low; bug #697987) [squeeze] - ettercap 1:0.7.3-2.1+squeeze1 NOTE: http://www.openwall.com/lists/oss-security/2013/01/10/2 NOTE: http://www.exploit-db.com/exploits/23945/ NOTE: https://secunia.com/advisories/51731/ NOTE: Proposed patch http://www.securation.com/files/2013/01/ec.patch CVE-2012-6495 (Multiple directory traversal vulnerabilities in the (1) twikidraw (act ...) {DSA-2593-1} - moin 1.9.5-3 [wheezy] - moin 1.9.4-8+deb7u1 CVE-2012-6494 (Rapid7 Nexpose before 5.5.4 contains a session hijacking vulnerability ...) NOT-FOR-US: Rapid7 Nexpose CVE-2012-6493 (Cross-site request forgery (CSRF) vulnerability in Rapid7 Nexpose Secu ...) NOT-FOR-US: Rapid7 Nexpose Security Console CVE-2012-6492 RESERVED CVE-2012-6491 RESERVED CVE-2012-6490 RESERVED CVE-2012-6489 RESERVED CVE-2012-6488 RESERVED CVE-2012-6487 RESERVED CVE-2012-6486 RESERVED CVE-2012-6485 RESERVED CVE-2012-6484 RESERVED CVE-2012-6483 RESERVED CVE-2012-6482 RESERVED CVE-2012-6481 RESERVED CVE-2012-6480 RESERVED CVE-2012-6479 RESERVED CVE-2012-6478 RESERVED CVE-2012-6477 RESERVED CVE-2012-6476 RESERVED CVE-2012-6475 RESERVED CVE-2012-6474 RESERVED CVE-2012-6473 RESERVED CVE-2013-0721 (wp-php-widget.php in the WP PHP widget plugin 1.0.2 for WordPress allo ...) NOT-FOR-US: WordPress plugin CVE-2013-0720 (The COBIME application before 0.9.4 for Android uses weak permissions ...) NOT-FOR-US: COBIME CVE-2013-0719 (The ArtIME Japanese Input application 1.1.2 and earlier for Android us ...) NOT-FOR-US: ArtIME Japanese Input application CVE-2013-0718 (The Simeji application 4.8.1 and earlier for Android uses weak permiss ...) NOT-FOR-US: Simeji CVE-2013-0717 (Multiple cross-site request forgery (CSRF) vulnerabilities in the web- ...) NOT-FOR-US: NEC Aterm routers CVE-2013-0716 (The web server in Wind River VxWorks 5.5 through 6.9 allows remote att ...) NOT-FOR-US: Wind River VxWorks CVE-2013-0715 (The WebCLI component in Wind River VxWorks 5.5 through 6.9 allows remo ...) NOT-FOR-US: Wind River VxWorks CVE-2013-0714 (IPSSH (aka the SSH server) in Wind River VxWorks 6.5 through 6.9 allow ...) NOT-FOR-US: Wind River VxWorks CVE-2013-0713 (IPSSH (aka the SSH server) in Wind River VxWorks 6.5 through 6.9 allow ...) NOT-FOR-US: Wind River VxWorks CVE-2013-0712 (IPSSH (aka the SSH server) in Wind River VxWorks 6.5 through 6.9 allow ...) NOT-FOR-US: Wind River VxWorks CVE-2013-0711 (IPSSH (aka the SSH server) in Wind River VxWorks 6.5 through 6.9 allow ...) NOT-FOR-US: Wind River VxWorks CVE-2013-0710 (Buffer overflow in Kingsoft Writer 2007 and 2010 before 2724 allows re ...) NOT-FOR-US: Kingsoft Writer CVE-2013-0709 (Cross-site scripting (XSS) vulnerability in dopvSTAR* 0091 allows remo ...) NOT-FOR-US: Bayashi dopvSTAR CVE-2013-0708 (Cross-site scripting (XSS) vulnerability in dopvCOMET* 0009b allows re ...) NOT-FOR-US: Bayashi dopvCOMET CVE-2013-0707 (Unspecified vulnerability in JustSystems Ichitaro 2006 and 2007, Ichit ...) NOT-FOR-US: JustSystems Ichitaro CVE-2013-0706 (NEC Universal RAID Utility 1.40 Rev 680 and earlier, 2.31 Rev 1492 and ...) NOT-FOR-US: NEC Universal RAID Utility CVE-2013-0705 (Directory traversal vulnerability in LSI 3ware Disk Manager (3DM) befo ...) NOT-FOR-US: LSI 3ware Disk Manager CVE-2013-0704 (Directory traversal vulnerability in the GREE application before 1.3.3 ...) NOT-FOR-US: GREE Android app CVE-2013-0703 (Cross-site scripting (XSS) vulnerability in imgboard.com imgboard befo ...) NOT-FOR-US: imgboard CVE-2013-0702 (Cross-site scripting (XSS) vulnerability in Cybozu Garoon 2.0.0 throug ...) NOT-FOR-US: Cybozu Garoon CVE-2013-0701 (SQL injection vulnerability in Cybozu Garoon 2.5.0 through 3.5.3 allow ...) NOT-FOR-US: Cybozu Garoon CVE-2012-6472 (Opera before 12.12 on UNIX uses weak permissions for the profile direc ...) NOT-FOR-US: Opera CVE-2012-6471 (Opera before 12.12 allows remote attackers to spoof the address field ...) NOT-FOR-US: Opera CVE-2012-6470 (Opera before 12.12 does not properly allocate memory for GIF images, w ...) NOT-FOR-US: Opera CVE-2012-6469 (Opera before 12.11 allows remote attackers to determine the existence ...) NOT-FOR-US: Opera CVE-2012-6468 (Heap-based buffer overflow in Opera before 12.11 allows remote attacke ...) NOT-FOR-US: Opera CVE-2012-6467 (Opera before 12.10 follows Internet shortcuts that are referenced by a ...) NOT-FOR-US: Opera CVE-2012-6466 (Opera before 12.10 does not properly handle incorrect size data in a W ...) NOT-FOR-US: Opera CVE-2012-6465 (Opera before 12.10 allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Opera CVE-2012-6464 (Cross-site scripting (XSS) vulnerability in Opera before 12.10 allows ...) NOT-FOR-US: Opera CVE-2012-6463 (Cross-site scripting (XSS) vulnerability in Opera before 12.10 allows ...) NOT-FOR-US: Opera CVE-2012-6462 (Opera before 12.10 does not properly implement the Cross-Origin Resour ...) NOT-FOR-US: Opera CVE-2012-6461 (The X.509 certificate-validation functionality in the https implementa ...) NOT-FOR-US: Opera CVE-2012-6460 (Opera before 11.67 and 12.x before 12.02 allows remote attackers to ca ...) NOT-FOR-US: Opera CVE-2012-6459 (ConnMan 1.3 on Tizen continues to list the bluetooth service after off ...) - connman 1.0-1.1 (bug #697580) [wheezy] - connman 1.0-1.1+wheezy1 [squeeze] - connman (Minor issue) CVE-2012-6458 (Multiple cross-site scripting (XSS) vulnerabilities in the SilverStrip ...) - silverstripe (bug #528461) CVE-2012-6457 RESERVED CVE-2012-6456 RESERVED CVE-2012-6455 RESERVED CVE-2012-6454 RESERVED CVE-2012-6452 (Axway Secure Messenger before 6.5 Updated Release 7, as used in Axway ...) NOT-FOR-US: Axway Secure Messenger CVE-2012-6451 (Lorex LNC116 and LNC104 IP Cameras have a Remote Authentication Bypass ...) NOT-FOR-US: Lorex LNC116 and LNC104 IP Cameras CVE-2012-6450 RESERVED CVE-2012-6449 (The clientconf.html and detailbw.html pages in x3 in cPanel & WHM ...) NOT-FOR-US: cPanel CVE-2012-6448 (Cross-site Scripting (XSS) in cPanel WebHost Manager (WHM) 11.34.0 all ...) NOT-FOR-US: cPanel CVE-2012-6447 (Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk 5.0.0 ...) NOT-FOR-US: Splunk CVE-2012-6446 RESERVED CVE-2012-6445 RESERVED CVE-2012-6444 RESERVED CVE-2012-6443 RESERVED CVE-2012-6453 (Cross-site scripting (XSS) vulnerability in the RSS Reader extension b ...) {DSA-2596-1} - mediawiki-extensions 2.11 (bug #696179) CVE-2012-6442 (Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-E ...) NOT-FOR-US: Rockwell Automation EtherNet/IP CVE-2012-6441 (Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-E ...) NOT-FOR-US: Rockwell Automation EtherNet/IP CVE-2012-6440 (The web-server password-authentication functionality in Rockwell Autom ...) NOT-FOR-US: Rockwell Automation EtherNet/IP CVE-2012-6439 (Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-E ...) NOT-FOR-US: Rockwell Automation EtherNet/IP CVE-2012-6438 (Buffer overflow in Rockwell Automation EtherNet/IP products; 1756-ENBT ...) NOT-FOR-US: Rockwell Automation EtherNet/IP CVE-2012-6437 (Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-E ...) NOT-FOR-US: Rockwell Automation EtherNet/IP CVE-2012-6436 (Buffer overflow in Rockwell Automation EtherNet/IP products; 1756-ENBT ...) NOT-FOR-US: Rockwell Automation EtherNet/IP CVE-2012-6435 (Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-E ...) NOT-FOR-US: Rockwell Automation EtherNet/IP CVE-2012-6434 (Multiple cross-site request forgery (CSRF) vulnerabilities in e107_adm ...) NOT-FOR-US: e107 CVE-2012-6433 (Cross-site request forgery (CSRF) vulnerability in e107_admin/newspost ...) NOT-FOR-US: e107 CVE-2013-0700 (Siemens SIMATIC S7-1200 PLCs 2.x and 3.x allow remote attackers to cau ...) NOT-FOR-US: Siemens SIMATIC CVE-2013-0699 (The Galil RIO-47100 Pocket PLC allows remote attackers to cause a deni ...) NOT-FOR-US: Galil RIO-47100 CVE-2013-0698 REJECTED CVE-2013-0697 REJECTED CVE-2013-0696 REJECTED CVE-2013-0695 REJECTED CVE-2013-0694 (The Emerson Process Management ROC800 RTU with software 3.50 and earli ...) NOT-FOR-US: Emerson Process Management CVE-2013-0693 (The kernel in ENEA OSE on the Emerson Process Management ROC800 RTU wi ...) NOT-FOR-US: Emerson Process Management CVE-2013-0692 (The kernel in ENEA OSE on the Emerson Process Management ROC800 RTU wi ...) NOT-FOR-US: Emerson Process Management CVE-2013-0691 REJECTED CVE-2013-0690 REJECTED CVE-2013-0689 (The TFTP server on the Emerson Process Management ROC800 RTU with soft ...) NOT-FOR-US: Emerson Process Management CVE-2013-0688 (Cross-site scripting (XSS) vulnerability in Invensys Wonderware Inform ...) NOT-FOR-US: Invensys Wonderware Information Server CVE-2013-0687 (The installer routine in Schneider Electric MiCOM S1 Studio uses world ...) NOT-FOR-US: Schneider Electric CVE-2013-0686 (Invensys Wonderware Information Server (WIS) 4.0 SP1SP1, 4.5- Portal, ...) NOT-FOR-US: Invensys Wonderware Information Server CVE-2013-0685 (Invensys Wonderware Information Server (WIS) 4.0 SP1SP1, 4.5- Portal, ...) NOT-FOR-US: Invensys Wonderware Information Server CVE-2013-0684 (SQL injection vulnerability in Invensys Wonderware Information Server ...) NOT-FOR-US: Invensys Wonderware Information Server CVE-2013-0683 (The DataSim and DataPid demonstration clients in Cogent Real-Time Syst ...) NOT-FOR-US: DataSim and DataPid demonstration clients CVE-2013-0682 (Cogent Real-Time Systems Cogent DataHub before 7.3.0, OPC DataHub befo ...) NOT-FOR-US: Cogent DataHub CVE-2013-0681 (Cogent Real-Time Systems Cogent DataHub before 7.3.0, OPC DataHub befo ...) NOT-FOR-US: Cogent DataHub CVE-2013-0680 (Stack-based buffer overflow in the web server in Cogent Real-Time Syst ...) NOT-FOR-US: Cogent DataHub CVE-2013-0679 (Directory traversal vulnerability in the web server in Siemens WinCC b ...) NOT-FOR-US: Siemens WinCC CVE-2013-0678 (Siemens WinCC before 7.2, as used in SIMATIC PCS7 before 8.0 SP1 and o ...) NOT-FOR-US: Siemens WinCC CVE-2013-0677 (The web server in Siemens WinCC before 7.2, as used in SIMATIC PCS7 be ...) NOT-FOR-US: Siemens WinCC CVE-2013-0676 (Siemens WinCC before 7.2, as used in SIMATIC PCS7 before 8.0 SP1 and o ...) NOT-FOR-US: Siemens WinCC CVE-2013-0675 (Buffer overflow in CCEServer (aka the central communications component ...) NOT-FOR-US: Siemens WinCC CVE-2013-0674 (Buffer overflow in the RegReader ActiveX control in Siemens WinCC befo ...) NOT-FOR-US: Siemens WinCC CVE-2013-0673 (Directory traversal vulnerability in the web interface in the Health M ...) NOT-FOR-US: MatrikonOPC CVE-2013-0672 (Cross-site scripting (XSS) vulnerability in the HMI web application in ...) NOT-FOR-US: Siemens WinCC CVE-2013-0671 (Directory traversal vulnerability in Siemens WinCC (TIA Portal) 11 all ...) NOT-FOR-US: Siemens WinCC CVE-2013-0670 (CRLF injection vulnerability in the HMI web application in Siemens Win ...) NOT-FOR-US: Siemens WinCC CVE-2013-0669 (The HMI web application in Siemens WinCC (TIA Portal) 11 allows remote ...) NOT-FOR-US: Siemens WinCC CVE-2013-0668 (Multiple cross-site scripting (XSS) vulnerabilities in the HMI web app ...) NOT-FOR-US: Siemens WinCC CVE-2013-0667 (Cross-site scripting (XSS) vulnerability in the HMI web application in ...) NOT-FOR-US: Siemens WinCC CVE-2013-0666 (The configuration utility in MatrikonOPC Security Gateway 1.0 allows r ...) NOT-FOR-US: MatrikonOPC CVE-2013-0665 (Schweitzer Engineering Laboratories (SEL) AcSELerator QuickSet before ...) NOT-FOR-US: Schweitzer Engineering Laboratories AcSELerator QuickSet CVE-2013-0664 (The FactoryCast service on the Schneider Electric Quantum 140NOE77111 ...) NOT-FOR-US: Schneider Electric Quantum modules CVE-2013-0663 (Cross-site request forgery (CSRF) vulnerability on the Schneider Elect ...) NOT-FOR-US: Schneider Electric Quantum modules CVE-2013-0662 (Multiple stack-based buffer overflows in ModbusDrv.exe in Schneider El ...) NOT-FOR-US: Schneider Electric CVE-2013-0661 RESERVED CVE-2013-0660 RESERVED CVE-2013-0659 (The debugging feature on the Siemens CP 1604 and CP 1616 interface car ...) NOT-FOR-US: Siemens Interface Card CVE-2013-0658 (Heap-based buffer overflow in RFManagerService.exe in Schneider Electr ...) NOT-FOR-US: Schneider Electric Accutech Manager CVE-2013-0657 (Stack-based buffer overflow in Schneider Electric Interactive Graphica ...) NOT-FOR-US: Schneider Electric IGSS CVE-2013-0656 (Buffer overflow in a third-party ActiveX component in Siemens SIMATIC ...) NOT-FOR-US: Siemens SIMATIC CVE-2013-0655 (The client in Schneider Electric Software Update (SESU) Utility 1.0.x ...) NOT-FOR-US: Schneider Electric SESU CVE-2013-0654 (CimWebServer in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICIT ...) NOT-FOR-US: GE Intelligent Platforms Proficy CVE-2013-0653 (Directory traversal vulnerability in substitute.bcl in the WebView Cim ...) NOT-FOR-US: GE Intelligent Platforms Proficy CVE-2013-0652 (GE Intelligent Platforms Proficy Real-Time Information Portal does not ...) NOT-FOR-US: GE Intelligent Platforms Proficy CVE-2013-0651 (The Portal installation process in GE Intelligent Platforms Proficy Re ...) NOT-FOR-US: GE Intelligent Platforms Proficy CVE-2012-6432 (Symfony 2.0.x before 2.0.20, 2.1.x before 2.1.5, and 2.2-dev, when the ...) NOT-FOR-US: Symfony CVE-2012-6431 (Symfony 2.0.x before 2.0.20 does not process URL encoded data consiste ...) NOT-FOR-US: Symfony CVE-2012-6430 (Cross-site scripting (XSS) vulnerability in Open Solution Quick.Cms 5. ...) NOT-FOR-US: Open Solution Quick.Cart and Quick.Cms CVE-2012-6429 (Buffer overflow in the PrepareSync method in the SyncService.dll Activ ...) NOT-FOR-US: Samsung Kies CVE-2013-0650 (Use-after-free vulnerability in Adobe Flash Player before 10.3.183.68 ...) NOT-FOR-US: Adobe Flash Plugin CVE-2013-0649 (Use-after-free vulnerability in Adobe Flash Player before 10.3.183.63 ...) NOT-FOR-US: Adobe Flash Plugin CVE-2013-0648 (Unspecified vulnerability in the ExternalInterface ActionScript functi ...) NOT-FOR-US: Adobe Flash Plugin CVE-2013-0647 (Adobe Flash Player before 10.3.183.63 and 11.x before 11.6.602.168 on ...) NOT-FOR-US: Adobe Flash Plugin CVE-2013-0646 (Integer overflow in Adobe Flash Player before 10.3.183.68 and 11.x bef ...) NOT-FOR-US: Adobe Flash Plugin CVE-2013-0645 (Buffer overflow in Adobe Flash Player before 10.3.183.63 and 11.x befo ...) NOT-FOR-US: Adobe Flash Plugin CVE-2013-0644 (Use-after-free vulnerability in Adobe Flash Player before 10.3.183.63 ...) NOT-FOR-US: Adobe Flash Plugin CVE-2013-0643 (The Firefox sandbox in Adobe Flash Player before 10.3.183.67 and 11.x ...) NOT-FOR-US: Adobe Flash Plugin CVE-2013-0642 (Buffer overflow in Adobe Flash Player before 10.3.183.63 and 11.x befo ...) NOT-FOR-US: Adobe Flash Plugin CVE-2013-0641 (Buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.4, 10.x bef ...) NOT-FOR-US: Adobe Reader CVE-2013-0640 (Adobe Reader and Acrobat 9.x before 9.5.4, 10.x before 10.1.6, and 11. ...) NOT-FOR-US: Adobe Reader CVE-2013-0639 (Integer overflow in Adobe Flash Player before 10.3.183.63 and 11.x bef ...) NOT-FOR-US: Adobe Flash Plugin CVE-2013-0638 (Adobe Flash Player before 10.3.183.63 and 11.x before 11.6.602.168 on ...) NOT-FOR-US: Adobe Flash Plugin CVE-2013-0637 (Adobe Flash Player before 10.3.183.63 and 11.x before 11.6.602.168 on ...) NOT-FOR-US: Adobe Flash Plugin CVE-2013-0636 (Stack-based buffer overflow in Adobe Shockwave Player before 12.0.0.11 ...) NOT-FOR-US: Adobe Shockwave Player CVE-2013-0635 (Adobe Shockwave Player before 12.0.0.112 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2013-0634 (Adobe Flash Player before 10.3.183.51 and 11.x before 11.5.502.149 on ...) NOT-FOR-US: Adobe Flash Plugin CVE-2013-0633 (Buffer overflow in Adobe Flash Player before 10.3.183.51 and 11.x befo ...) NOT-FOR-US: Adobe Flash Plugin CVE-2013-0632 (administrator.cfc in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows ...) NOT-FOR-US: Adobe ColdFusion CVE-2013-0631 (Adobe ColdFusion 9.0, 9.0.1, and 9.0.2 allows attackers to obtain sens ...) NOT-FOR-US: Adobe ColdFusion CVE-2013-0630 (Buffer overflow in Adobe Flash Player before 10.3.183.50 and 11.x befo ...) NOT-FOR-US: Adobe Flash Player CVE-2013-0629 (Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10, when a password is not con ...) NOT-FOR-US: Adobe ColdFusion CVE-2013-0628 REJECTED CVE-2013-0627 (Unspecified vulnerability in Adobe Reader and Acrobat 9.x before 9.5.3 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2013-0626 (Stack-based buffer overflow in Adobe Reader and Acrobat 9.x before 9.5 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2013-0625 (Adobe ColdFusion 9.0, 9.0.1, and 9.0.2, when a password is not configu ...) NOT-FOR-US: Adobe ColdFusion CVE-2013-0624 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11. ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2013-0623 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11. ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2013-0622 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11. ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2013-0621 (Buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.3, 10.x bef ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2013-0620 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11. ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2013-0619 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11. ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2013-0618 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11. ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2013-0617 (Buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.3, 10.x bef ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2013-0616 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11. ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2013-0615 (Buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.3, 10.x bef ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2013-0614 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11. ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2013-0613 (Integer overflow in Adobe Reader and Acrobat 9.x before 9.5.3, 10.x be ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2013-0612 (Buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.3, 10.x bef ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2013-0611 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11. ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2013-0610 (Stack-based buffer overflow in Adobe Reader and Acrobat 9.x before 9.5 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2013-0609 (Integer overflow in Adobe Reader and Acrobat 9.x before 9.5.3, 10.x be ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2013-0608 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11. ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2013-0607 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11. ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2013-0606 (Buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.3, 10.x bef ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2013-0605 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11. ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2013-0604 (Heap-based buffer overflow in Adobe Reader and Acrobat 9.x before 9.5. ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2013-0603 (Heap-based buffer overflow in Adobe Reader and Acrobat 9.x before 9.5. ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2013-0602 (Use-after-free vulnerability in Adobe Reader and Acrobat 9.x before 9. ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2013-0601 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11. ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2012-6428 (Carlo Gavazzi EOS-Box with firmware before 1.0.0.1080_2.1.10 establish ...) NOT-FOR-US: Carlo Gavazzi EOS-Box CVE-2012-6427 (Multiple SQL injection vulnerabilities in Carlo Gavazzi EOS-Box with f ...) NOT-FOR-US: Carlo Gavazzi EOS-Box CVE-2012-6426 (LemonLDAP::NG before 1.2.3 does not use the signature-verification cap ...) - lemonldap-ng 1.2.2-3 (bug #696329) [wheezy] - lemonldap-ng 1.1.2-5+deb7u1 [squeeze] - lemonldap-ng (SAML code not present) CVE-2013-0600 (Unspecified vulnerability on IBM WebSphere DataPower XC10 Appliance de ...) NOT-FOR-US: IBM WebSphere DataPower XC10 Appliance devices CVE-2013-0599 (IBM Eclipse Help System (IEHS), as used in IBM Rational Directory Serv ...) NOT-FOR-US: IBM CVE-2013-0598 (Cross-site request forgery (CSRF) vulnerability in the Web Client in I ...) NOT-FOR-US: IBM Rational ClearQuest CVE-2013-0597 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Application ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2013-0596 (Cross-site scripting (XSS) vulnerability in the Administrative console ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2013-0595 (Multiple cross-site scripting (XSS) vulnerabilities in iNotes 8.5.x in ...) NOT-FOR-US: IBM Lotus Domino CVE-2013-0594 (Open redirect vulnerability in IBM iNotes before 8.5.3 Fix Pack 6 and ...) NOT-FOR-US: IBM CVE-2013-0593 (Unspecified vulnerability in the olch2x32 ActiveX control in IBM SPSS ...) NOT-FOR-US: IBM SPSS SamplePower CVE-2013-0592 (Cross-site scripting (XSS) vulnerability in IBM iNotes before 8.5.3 Fi ...) NOT-FOR-US: IBM CVE-2013-0591 (Cross-site scripting (XSS) vulnerability in iNotes 8.5.x in IBM Lotus ...) NOT-FOR-US: IBM Lotus Domino CVE-2013-0590 (Cross-site scripting (XSS) vulnerability in iNotes 8.5.x in IBM Lotus ...) NOT-FOR-US: IBM Lotus Domino CVE-2013-0589 (IBM iNotes before 8.5.3 Fix Pack 6 and 9.x before 9.0.1 allows remote ...) NOT-FOR-US: IBM CVE-2013-0588 RESERVED CVE-2013-0587 (Multiple cross-site scripting (XSS) vulnerabilities in IBM WebSphere P ...) NOT-FOR-US: IBM InfoSphere CVE-2013-0586 (Cross-site scripting (XSS) vulnerability in the server in IBM Cognos B ...) NOT-FOR-US: IBM Cognos CVE-2013-0585 (Multiple cross-site scripting (XSS) vulnerabilities in IBM InfoSphere ...) NOT-FOR-US: IBM InfoSphere CVE-2013-0584 (The Data Replication Dashboard component in IBM InfoSphere Replication ...) NOT-FOR-US: IBM InfoSphere Replication Server CVE-2013-0583 RESERVED CVE-2013-0582 (Cross-site scripting (XSS) vulnerability in IBM Tivoli Federated Ident ...) NOT-FOR-US: IBM Tivoli Federated Identity Manager CVE-2013-0581 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Business Pr ...) NOT-FOR-US: IBM CVE-2013-0580 (Cross-site request forgery (CSRF) vulnerability in the Optim E-Busines ...) NOT-FOR-US: IBM CVE-2013-0579 (The Optim E-Business Console in IBM Data Growth Solution for Oracle E- ...) NOT-FOR-US: IBM CVE-2013-0578 (The Sterling Order Management APIs in IBM Sterling Multi-Channel Fulfi ...) NOT-FOR-US: IBM CVE-2013-0577 (The Optim E-Business Console in IBM Data Growth Solution for Oracle E- ...) NOT-FOR-US: IBM CVE-2013-0576 (Cross-site scripting (XSS) vulnerability in the Tivoli Enterprise Port ...) NOT-FOR-US: IBM Tivoli Monitoring CVE-2013-0575 RESERVED CVE-2013-0574 RESERVED CVE-2013-0573 RESERVED CVE-2013-0572 (Cross-site scripting (XSS) vulnerability in IBM Document Connect for A ...) NOT-FOR-US: IBM Document Connect for Application Support Facility CVE-2013-0571 (Cross-site scripting (XSS) vulnerability in IBM Document Connect for A ...) NOT-FOR-US: IBM Document Connect for Application Support Facility CVE-2013-0570 (The Fibre Channel over Ethernet (FCoE) feature in IBM System Networkin ...) NOT-FOR-US: IBM CVE-2013-0569 (Cross-site scripting (XSS) vulnerability in the Communities component ...) NOT-FOR-US: IBM Connections CVE-2013-0568 (IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 ...) NOT-FOR-US: IBM CVE-2013-0567 (IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 ...) NOT-FOR-US: IBM CVE-2013-0566 (Multiple cross-site scripting (XSS) vulnerabilities in the (1) Acceler ...) NOT-FOR-US: IBM WebSphere Commerce CVE-2013-0565 (Cross-site scripting (XSS) vulnerability in the RPC adapter for the We ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2013-0564 RESERVED CVE-2013-0563 RESERVED CVE-2013-0562 RESERVED CVE-2013-0561 RESERVED CVE-2013-0560 (Multiple SQL injection vulnerabilities in IBM Sterling B2B Integrator ...) NOT-FOR-US: IBM CVE-2013-0559 (Unspecified vulnerability in IBM API Management 2.0 before 2.0.0.1 all ...) NOT-FOR-US: IBM CVE-2013-0558 (IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 ...) NOT-FOR-US: IBM CVE-2013-0557 RESERVED CVE-2013-0556 RESERVED CVE-2013-0555 RESERVED CVE-2013-0554 RESERVED CVE-2013-0553 (The client implementation in IBM Sametime 8.5.1 through 8.5.2.1, as us ...) NOT-FOR-US: IBM Sametime CVE-2013-0552 RESERVED CVE-2013-0551 (The Basic Services component in IBM Tivoli Monitoring (ITM) 6.2.0 thro ...) NOT-FOR-US: IBM Tivoli Monitoring CVE-2013-0550 REJECTED CVE-2013-0549 (Cross-site scripting (XSS) vulnerability in the Web Content Manager - ...) NOT-FOR-US: IBM WebSphere Portal CVE-2013-0548 (Multiple cross-site scripting (XSS) vulnerabilities in the Basic Servi ...) NOT-FOR-US: IBM Tivoli CVE-2013-0547 RESERVED CVE-2013-0546 RESERVED CVE-2013-0545 RESERVED CVE-2013-0544 (Directory traversal vulnerability in the Administrative Console in IBM ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2013-0543 (IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.47, 7.0 before ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2013-0542 (Cross-site scripting (XSS) vulnerability in the Administrative console ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2013-0541 (Buffer overflow in IBM WebSphere Application Server (WAS) 6.1 before 6 ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2013-0540 (IBM WebSphere Application Server (WAS) Liberty Profile 8.5 before 8.5. ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2013-0539 (An unspecified third-party component in IBM Sterling B2B Integrator 5. ...) NOT-FOR-US: IBM CVE-2013-0538 (Cross-site scripting (XSS) vulnerability in IBM Lotus Notes 8.x before ...) NOT-FOR-US: IBM Lotus Notes CVE-2013-0537 (The Enterprise Meeting Server in IBM Lotus Sametime 8.5.2 and 8.5.2.1 ...) NOT-FOR-US: IBM CVE-2013-0536 (ntmulti.exe in the Multi User Profile Cleanup service in IBM Notes 8.0 ...) NOT-FOR-US: IBM Notes CVE-2013-0535 (Multiple cross-site scripting (XSS) vulnerabilities in the Classic Mee ...) NOT-FOR-US: IBM Sametime CVE-2013-0534 (The Connect client in IBM Sametime 8.5.1, 8.5.1.1, 8.5.1.2, 8.5.2, and ...) NOT-FOR-US: IBM Sametime CVE-2013-0533 (Cross-site scripting (XSS) vulnerability in the Sametime Links server ...) NOT-FOR-US: IBM Sametime CVE-2013-0532 (Cross-site request forgery (CSRF) vulnerability in IBM Security AppSca ...) NOT-FOR-US: IBM Security AppScan Enterprise CVE-2013-0531 (The SSL implementation in IBM Security AppScan Enterprise before 8.7.0 ...) NOT-FOR-US: IBM CVE-2013-0530 RESERVED CVE-2013-0529 (The Browser in IBM Sterling Connect:Direct 1.4 before 1.4.0.11 and 1.5 ...) NOT-FOR-US: IBM Sterling Connect:Direct CVE-2013-0528 REJECTED CVE-2013-0527 (The Browser in IBM Sterling Connect:Direct 1.4 before 1.4.0.11 and 1.5 ...) NOT-FOR-US: IBM Sterling Connect:Direct CVE-2013-0526 (ping.php in Global Console Manager 16 (GCM16) and Global Console Manag ...) NOT-FOR-US: IBM GCM16 CVE-2013-0525 (Multiple cross-site scripting (XSS) vulnerabilities in IBM iNotes 8.5. ...) NOT-FOR-US: IBM Domino CVE-2013-0524 RESERVED CVE-2013-0523 (IBM WebSphere Commerce Enterprise 5.6.x through 5.6.1.5, 6.0.x through ...) NOT-FOR-US: IBM WebSphere CVE-2013-0522 (The Notes Client Single Logon feature in IBM Notes 8.0, 8.0.1, 8.0.2, ...) NOT-FOR-US: IBM CVE-2013-0521 RESERVED CVE-2013-0520 (IBM Sterling Secure Proxy 3.2.0 and 3.3.01 before 3.3.01.23 Interim Fi ...) NOT-FOR-US: IBM CVE-2013-0519 (IBM Sterling Secure Proxy 3.2.0 and 3.3.01 before 3.3.01.23 Interim Fi ...) NOT-FOR-US: IBM CVE-2013-0518 (IBM Sterling Secure Proxy 3.2.0 and 3.3.01 before 3.3.01.23 Interim Fi ...) NOT-FOR-US: IBM CVE-2013-0517 (A Command Execution Vulnerability exists in IBM Sterling External Auth ...) NOT-FOR-US: IBM CVE-2013-0516 REJECTED CVE-2013-0515 RESERVED CVE-2013-0514 RESERVED CVE-2013-0513 (IBM Security AppScan Enterprise 5.6 and 8.x before 8.7 and IBM Rationa ...) NOT-FOR-US: IBM Security AppScan Enterprise, Rational Policy Tester CVE-2013-0512 (Stack-based buffer overflow in the Manual Explore browser plug-in for ...) NOT-FOR-US: IBM Security AppScan Enterprise, Rational Policy Tester CVE-2013-0511 (Multiple SQL injection vulnerabilities in IBM Security AppScan Enterpr ...) NOT-FOR-US: IBM Security AppScan Enterprise CVE-2013-0510 (IBM Security AppScan Enterprise 5.6 and 8.x before 8.7 includes a secu ...) NOT-FOR-US: IBM Security AppScan Enterprise CVE-2013-0509 (Buffer overflow in the Transaction MIB agent in IBM Tivoli Netcool Sys ...) NOT-FOR-US: IBM CVE-2013-0508 (Multiple buffer overflows in IBM Tivoli Netcool System Service Monitor ...) NOT-FOR-US: IBM CVE-2013-0507 (IBM InfoSphere Information Server 8.1, 8.5, 8.7, 9.1 has a Session Fix ...) NOT-FOR-US: IBM CVE-2013-0506 (Cross-site scripting (XSS) vulnerability in IBM Sterling Order Managem ...) NOT-FOR-US: IBM Sterling Order Management CVE-2013-0505 (IBM Sterling Order Management 8.0 before HF127, 8.5 before HF89, 9.0 b ...) NOT-FOR-US: IBM Sterling Order Management CVE-2013-0504 (Buffer overflow in the broker service in Adobe Flash Player before 10. ...) NOT-FOR-US: Adobe Flash Plugin CVE-2013-0503 (Cross-site scripting (XSS) vulnerability in the Bookmarks component in ...) NOT-FOR-US: IBM Lotus Connections CVE-2013-0502 (Cross-site scripting (XSS) vulnerability in IBM InfoSphere Information ...) NOT-FOR-US: IBM InfoSphere Information Server CVE-2013-0501 (The EdrawSoft EDOFFICE.EDOfficeCtrl.1 ActiveX control, as used in Edra ...) NOT-FOR-US: IBM Cognos Disclosure Management CVE-2013-0500 (IBM Storwize V7000 Unified 1.3.x and 1.4.x before 1.4.2.0 does not pro ...) NOT-FOR-US: IBM Storwize V7000 Unified CVE-2013-0499 (Cross-site scripting (XSS) vulnerability in the echo functionality on ...) NOT-FOR-US: IBM CVE-2013-0498 RESERVED CVE-2013-0497 RESERVED CVE-2013-0496 RESERVED CVE-2013-0495 RESERVED CVE-2013-0494 (IBM Sterling B2B Integrator 5.0 and 5.1 allows remote attackers to cau ...) NOT-FOR-US: IBM Sterling Integrator CVE-2013-0493 RESERVED CVE-2013-0492 (Cross-site scripting (XSS) vulnerability in IBM Informix Open Admin To ...) NOT-FOR-US: IBM Informix CVE-2013-0491 RESERVED CVE-2013-0490 (Unspecified vulnerability in IBM InfoSphere Guardium S-TAP 8.1 for DB2 ...) NOT-FOR-US: IBM InfoSphere Guardium CVE-2013-0489 (Cross-site request forgery (CSRF) vulnerability in webadmin.nsf (aka t ...) NOT-FOR-US: IBM Domino CVE-2013-0488 (Cross-site scripting (XSS) vulnerability in webadmin.nsf (aka the Web ...) NOT-FOR-US: IBM Domino CVE-2013-0487 (The Java Console in IBM Domino 8.5.x allows remote authenticated users ...) NOT-FOR-US: IBM Domino CVE-2013-0486 (Memory leak in the HTTP server in IBM Domino 8.5.x allows remote attac ...) NOT-FOR-US: IBM Domino CVE-2013-0485 (Unspecified vulnerability in IBM Java SDK 7 before SR4-FP1, 6 before S ...) NOT-FOR-US: IBM Java SDK CVE-2013-0484 (The server process in IBM Cognos TM1 10.1.x before 10.1.1 FP1 allows r ...) NOT-FOR-US: IBM Cognos TM1 CVE-2013-0483 (The login component in SOAP Gateway in IBM IMS Enterprise Suite 1.1, 2 ...) NOT-FOR-US: IBM IMS Enterprise Suite CVE-2013-0482 (IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.29, 8.0 before ...) NOT-FOR-US: IBM CVE-2013-0481 (The console in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling Fi ...) NOT-FOR-US: IBM CVE-2013-0480 RESERVED CVE-2013-0479 (IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 ...) NOT-FOR-US: IBM CVE-2013-0478 (Cross-site scripting (XSS) vulnerability in IBM InfoSphere Master Data ...) NOT-FOR-US: IBM CVE-2013-0477 (Multiple cross-site scripting (XSS) vulnerabilities in IBM InfoSphere ...) NOT-FOR-US: IBM CVE-2013-0476 (IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 ...) NOT-FOR-US: IBM CVE-2013-0475 (IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 ...) NOT-FOR-US: IBM CVE-2013-0474 (The Manual Explore browser plug-in in IBM Security AppScan Enterprise ...) NOT-FOR-US: IBM Security AppScan Enterprise CVE-2013-0473 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Security Ap ...) NOT-FOR-US: IBM Security AppScan Enterprise CVE-2013-0472 (The Web GUI in the client in IBM Tivoli Storage Manager (TSM) 6.3 befo ...) NOT-FOR-US: IBM CVE-2013-0471 (The traditional scheduler in the client in IBM Tivoli Storage Manager ...) NOT-FOR-US: IBM CVE-2013-0470 (HTTPD in IBM Netezza Performance Portal 1.0.2 allows remote authentica ...) NOT-FOR-US: IBM CVE-2013-0469 RESERVED CVE-2013-0468 (Cross-site scripting (XSS) vulnerability in IBM Sterling B2B Integrato ...) NOT-FOR-US: IBM CVE-2013-0467 (IBM Eclipse Help System (IEHS), as used in IBM Data Studio 3.1 and 3.1 ...) NOT-FOR-US: IBM CVE-2013-0466 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Message Brok ...) NOT-FOR-US: IBM CVE-2013-0465 (Unspecified vulnerability in the IBM WebSphere Cast Iron physical and ...) NOT-FOR-US: IBM CVE-2013-0464 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Eclipse Hel ...) NOT-FOR-US: IBM CVE-2013-0463 (IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 ...) NOT-FOR-US: IBM CVE-2013-0462 (Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6. ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2013-0461 (Cross-site scripting (XSS) vulnerability in the virtual member manager ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2013-0460 (Cross-site request forgery (CSRF) vulnerability in the portlet subsyst ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2013-0459 (Cross-site scripting (XSS) vulnerability in the Administrative console ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2013-0458 (Cross-site scripting (XSS) vulnerability in the Administrative console ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2013-0457 (Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Managemen ...) NOT-FOR-US: IBM CVE-2013-0456 (IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 ...) NOT-FOR-US: IBM CVE-2013-0455 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Sterling B2 ...) NOT-FOR-US: IBM CVE-2013-0454 (The SMB2 implementation in Samba 3.6.x before 3.6.6, as used on the IB ...) - samba 2:3.6.6-1 [squeeze] - samba (only Samba 3.6.0 - 3.6.5 (inclusive) affected) NOTE: https://www.samba.org/samba/security/CVE-2013-0454 CVE-2013-0453 (Cross-site scripting (XSS) vulnerability in Web Reports in IBM Tivoli ...) NOT-FOR-US: IBM Tivoli Endpoint Manager CVE-2013-0452 (Cross-site request forgery (CSRF) vulnerability in the Software Use An ...) NOT-FOR-US: IBM Tivoli Endpoint Manager CVE-2013-0451 (SQL injection vulnerability in IBM Maximo Asset Management 6.2 through ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2012-6425 RESERVED CVE-2012-6424 RESERVED CVE-2012-6423 RESERVED CVE-2012-6422 (The kernel in Samsung Galaxy S2, Galaxy Note 2, MEIZU MX, and possibly ...) NOT-FOR-US: Android kernel CVE-2012-6421 REJECTED CVE-2012-6420 REJECTED CVE-2012-6419 REJECTED CVE-2012-6418 REJECTED CVE-2012-6417 REJECTED CVE-2012-6416 REJECTED CVE-2012-6415 REJECTED CVE-2012-6414 REJECTED CVE-2012-6413 REJECTED CVE-2012-6412 REJECTED CVE-2012-6411 REJECTED CVE-2012-6410 REJECTED CVE-2012-6409 REJECTED CVE-2012-6408 REJECTED CVE-2012-6407 REJECTED CVE-2012-6406 REJECTED CVE-2012-6405 REJECTED CVE-2012-6404 REJECTED CVE-2012-6403 REJECTED CVE-2012-6402 REJECTED CVE-2012-6401 REJECTED CVE-2012-6400 RESERVED CVE-2012-6399 (Cisco WebEx 4.1 on iOS does not verify that the server hostname matche ...) NOT-FOR-US: Cisco CVE-2012-6398 RESERVED CVE-2012-6397 (Cross-site scripting (XSS) vulnerability in Cisco WebEx Social (former ...) NOT-FOR-US: Cisco WebEx Social CVE-2012-6396 (Cisco NX-OS on Nexus 7000 series switches does not properly handle cer ...) NOT-FOR-US: Cisco NX-OS CVE-2012-6395 (Cisco Adaptive Security Appliances (ASA) devices with firmware 8.4 do ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2012-6394 RESERVED CVE-2012-6393 RESERVED CVE-2012-6392 (Cisco Prime LAN Management Solution (LMS) 4.1 through 4.2.2 on Linux d ...) NOT-FOR-US: Cisco Prime LMS CVE-2012-6391 RESERVED CVE-2012-6390 RESERVED CVE-2012-6389 RESERVED CVE-2012-6388 RESERVED CVE-2012-6387 RESERVED CVE-2012-6386 RESERVED CVE-2012-6385 RESERVED CVE-2012-6384 RESERVED CVE-2012-6383 RESERVED CVE-2012-6382 RESERVED CVE-2012-6381 RESERVED CVE-2012-6380 RESERVED CVE-2012-6379 RESERVED CVE-2012-6378 RESERVED CVE-2012-6377 RESERVED CVE-2012-6376 RESERVED CVE-2012-6375 RESERVED CVE-2012-6374 RESERVED CVE-2012-6373 RESERVED CVE-2012-6372 RESERVED CVE-2012-6371 (The WPA2 implementation on the Belkin N900 F9K1104v1 router establishe ...) NOT-FOR-US: Belkin router CVE-2012-6370 RESERVED CVE-2012-6369 (Cross-site scripting (XSS) vulnerability in the Troubleshooting Report ...) NOT-FOR-US: AgileBits 1Password CVE-2012-6368 REJECTED CVE-2012-6367 REJECTED CVE-2012-6366 REJECTED CVE-2012-6365 REJECTED CVE-2012-6364 REJECTED CVE-2012-6363 REJECTED CVE-2012-6362 REJECTED CVE-2012-6361 RESERVED CVE-2012-6360 (Cross-site scripting (XSS) vulnerability in IBM Intelligent Operations ...) NOT-FOR-US: IBM Intelligent Operations Center CVE-2012-6359 (IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.11, 6. ...) NOT-FOR-US: IBM Tivoli CVE-2012-6358 RESERVED CVE-2012-6357 (IBM Maximo Asset Management 7.5, Maximo Asset Management Essentials 7. ...) NOT-FOR-US: IBM CVE-2012-6356 (IBM Maximo Asset Management 7.5, Maximo Asset Management Essentials 7. ...) NOT-FOR-US: IBM CVE-2012-6355 (IBM Maximo Asset Management 6.2 through 7.5, Maximo Asset Management E ...) NOT-FOR-US: IBM CVE-2012-6354 (The management GUI on the IBM SAN Volume Controller and Storwize V7000 ...) NOT-FOR-US: IBM CVE-2012-6353 RESERVED CVE-2012-6352 (The Session Manager in IBM Sterling Connect:Direct through 4.1.0.3 on ...) NOT-FOR-US: IBM Sterling Connect:Direct CVE-2012-6351 RESERVED CVE-2012-6350 (Cross-site scripting (XSS) vulnerability in the Web component in IBM C ...) NOT-FOR-US: IBM Cognos TM1 CVE-2012-6349 (Buffer overflow in the .mdb parser in Autonomy KeyView IDOL, as used i ...) NOT-FOR-US: IBM Notes CVE-2012-6348 (Centrify Deployment Manager 2.1.0.283, as distributed in Centrify Suit ...) NOT-FOR-US: Centrify CVE-2012-6347 (Multiple cross-site scripting (XSS) vulnerabilities in Java number for ...) NOT-FOR-US: FortiGate CVE-2012-6346 (Multiple cross-site scripting (XSS) vulnerabilities in FortiWeb before ...) NOT-FOR-US: FortiWeb CVE-2012-6345 (Novell ZENworks Configuration Management before 11.2.4 allows obtainin ...) NOT-FOR-US: CyberArk Vault CVE-2012-6344 (Novell ZENworks Configuration Management before 11.2.4 allows XSS. ...) NOT-FOR-US: CyberArk Vault CVE-2012-6343 RESERVED CVE-2012-6342 (Cross-site request forgery (CSRF) vulnerability in logout.action in At ...) NOT-FOR-US: Atlassian Confluence CVE-2012-6341 (An Information Disclosure vulnerability exists in the my config file i ...) NOT-FOR-US: Netgear CVE-2012-6340 (An Authentication vulnerability exists in NETGEAR WGR614 v7 and v9 due ...) NOT-FOR-US: Netgear CVE-2012-6339 (Multiple cross-site scripting (XSS) vulnerabilities in the administrat ...) NOT-FOR-US: Cerberus FTP Server CVE-2012-6338 RESERVED CVE-2012-6337 (The Track My Mobile feature in the SamsungDive subsystem for Android o ...) NOT-FOR-US: SamsungDive on Samsung Galaxy CVE-2012-6336 (The Missing Device feature in Lookout allows physically proximate atta ...) NOT-FOR-US: Lookout CVE-2012-6335 (The Anti-theft service in AVG AntiVirus for Android allows physically ...) NOT-FOR-US: AVG AntiVirus for Android CVE-2012-6334 (The Track My Mobile feature in the SamsungDive subsystem for Android o ...) NOT-FOR-US: SamsungDive subsystem for Android CVE-2011-5251 (Open redirect vulnerability in forum/login.php in vBulletin 4.1.3 and ...) NOT-FOR-US: vBulletin CVE-2012-6333 (Multiple HVM control operations in Xen 3.4 through 4.2 allow local HVM ...) {DSA-2636-1} - xen 4.1.3-8 CVE-2012-6332 RESERVED CVE-2012-6331 RESERVED CVE-2012-6330 (The localization functionality in TWiki before 5.1.3, and Foswiki 1.0. ...) - foswiki (bug #509864) CVE-2012-6329 (The _compile function in Maketext.pm in the Locale::Maketext implement ...) - perl 5.14.2-16 (bug #695224) [squeeze] - perl 5.10.1-17squeeze5 - foswiki (bug #509864) CVE-2012-6328 REJECTED CVE-2012-6327 REJECTED CVE-2012-6326 (VMware vCenter Server 4.1 before Update 3 and 5.0 before Update 2, and ...) NOT-FOR-US: vCenter CVE-2012-6325 (VMware vCenter Server Appliance (vCSA) 5.0 before Update 2 does not pr ...) NOT-FOR-US: VMware vCenter Server Appliance CVE-2012-6324 (Directory traversal vulnerability in VMware vCenter Server Appliance ( ...) NOT-FOR-US: VMware vCenter Server Appliance CVE-2013-0450 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b27-1.12-1 - openjdk-7 7u3-2.1.6-1 CVE-2013-0449 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Only affects Java 7) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-0448 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Only affects Java7) - openjdk-7 (Specific to Oracle Java, not present in IcedTea) NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected CVE-2013-0447 (Unspecified vulnerability in the JavaFX component in Oracle Java SE Ja ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2013-0446 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-0445 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b27-1.12.1-1 - openjdk-7 7u17-2.3.8-1 NOTE: icedtea fix: http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/6527ae06da69 NOTE: openjdk-7 fixed in experimental: 7u13-2.3.6-1 CVE-2013-0444 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Only affects Java7) - openjdk-7 7u3-2.1.6-1 NOTE: IcedTea commit: http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/ce04db4aba39 CVE-2013-0443 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b27-1.12-1 - openjdk-7 7u3-2.1.6-1 CVE-2013-0442 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b27-1.12-1 - openjdk-7 7u3-2.1.6-1 NOTE: icedtea fix: http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/6527ae06da69 CVE-2013-0441 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b27-1.12-1 - openjdk-7 7u3-2.1.6-1 CVE-2013-0440 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b27-1.12-1 - openjdk-7 7u3-2.1.6-1 CVE-2013-0439 (Unspecified vulnerability in the JavaFX component in Oracle Java SE Ja ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2013-0438 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-0437 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Only affects Java7) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2013-0436 (Unspecified vulnerability in the JavaFX component in Oracle Java SE Ja ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2013-0435 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b27-1.12-1 - openjdk-7 7u3-2.1.6-1 CVE-2013-0434 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b27-1.12-1 - openjdk-7 7u3-2.1.6-1 CVE-2013-0433 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b27-1.12-1 - openjdk-7 7u3-2.1.6-1 CVE-2013-0432 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b27-1.12-1 - openjdk-7 7u3-2.1.6-1 CVE-2013-0431 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Only affects Java7) - openjdk-7 7u3-2.1.6-1 NOTE: IcedTea commit: http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/b09c28ff798f CVE-2013-0430 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-0429 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b27-1.12-1 - openjdk-7 7u3-2.1.6-1 CVE-2013-0428 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b27-1.12-1 - openjdk-7 7u3-2.1.6-1 CVE-2013-0427 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b27-1.12-1 - openjdk-7 7u3-2.1.6-1 CVE-2013-0426 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b27-1.12-1 - openjdk-7 7u3-2.1.6-1 CVE-2013-0425 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b27-1.12-1 - openjdk-7 7u3-2.1.6-1 CVE-2013-0424 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b27-1.12-1 - openjdk-7 7u3-2.1.6-1 CVE-2013-0423 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-0422 (Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remot ...) - openjdk-6 (Only affects Java 7) - openjdk-7 7u3-2.1.4-1 NOTE: Exploitable on Linux http://www.openwall.com/lists/oss-security/2013/01/11/1 CVE-2013-0421 REJECTED CVE-2013-0420 (Unspecified vulnerability in the VirtualBox component in Oracle Virtua ...) - virtualbox 4.1.18-dfsg-2 (bug #698292) - virtualbox-ose (Vulnerable code not present) CVE-2013-0419 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-0418 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Outside In CVE-2013-0417 (Unspecified vulnerability in the Sun Storage Common Array Manager (CAM ...) NOT-FOR-US: Sun Storage Common Array Manager CVE-2013-0416 (Unspecified vulnerability in the Siebel Enterprise Application Integra ...) NOT-FOR-US: Oracle Siebel CVE-2013-0415 (Unspecified vulnerability in Oracle Sun Solaris 10 allows local users ...) NOT-FOR-US: Solaris CVE-2013-0414 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Solaris CVE-2013-0413 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local ...) NOT-FOR-US: Solaris CVE-2013-0412 (Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 allow ...) NOT-FOR-US: Solaris CVE-2013-0411 (Unspecified vulnerability in Oracle Sun Solaris 8, 9, and 10 allows lo ...) NOT-FOR-US: Solaris CVE-2013-0410 (Unspecified vulnerability in the Agile EDM component in Oracle Supply ...) NOT-FOR-US: Oracle Supply Chain CVE-2013-0409 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Specific to Oracle Java, not present in IcedTea) - openjdk-7 (Specific to Oracle Java, not present in IcedTea) NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected CVE-2013-0408 (Unspecified vulnerability in Oracle Sun Solaris 10 allows local users ...) NOT-FOR-US: Solaris CVE-2013-0407 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local ...) NOT-FOR-US: Solaris CVE-2013-0406 (Unspecified vulnerability in Oracle Sun Solaris 10 allows remote attac ...) NOT-FOR-US: Solaris CVE-2013-0405 (Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 allow ...) NOT-FOR-US: Solaris CVE-2013-0404 (Unspecified vulnerability in Oracle Sun Solaris 10 allows local users ...) NOT-FOR-US: Solaris CVE-2013-0403 (Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 allow ...) NOT-FOR-US: Solaris CVE-2013-0402 (Heap-based buffer overflow in the Java Runtime Environment (JRE) compo ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2013-0401 (The Java Runtime Environment (JRE) component in Oracle Java SE 7 Updat ...) - openjdk-7 7u21-2.3.9-1 - openjdk-6 6b27-1.12.5-1 CVE-2013-0400 (Unspecified vulnerability in Oracle Sun Solaris 9 and 10 allows local ...) NOT-FOR-US: Solaris CVE-2013-0399 (Unspecified vulnerability in Oracle Sun Solaris 9 and 10 allows local ...) NOT-FOR-US: Solaris CVE-2013-0398 (Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 allows re ...) NOT-FOR-US: Oracle Solaris CVE-2013-0397 (Unspecified vulnerability in the Oracle Applications Framework compone ...) NOT-FOR-US: Oracle Applications Framework CVE-2013-0396 (Unspecified vulnerability in the Application Performance Management (A ...) NOT-FOR-US: Oracle Enterprise Manager Grid Control CVE-2013-0395 (Unspecified vulnerability in the PeopleSoft PeopleTools component in O ...) NOT-FOR-US: Oracle PeopleSoft CVE-2013-0394 (Unspecified vulnerability in the PeopleSoft HRMS component in Oracle P ...) NOT-FOR-US: Oracle PeopleSoft CVE-2013-0393 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Outside In CVE-2013-0392 (Unspecified vulnerability in the PeopleSoft PeopleTools component in O ...) NOT-FOR-US: Oracle PeopleSoft CVE-2013-0391 (Unspecified vulnerability in the PeopleSoft PeopleTools component in O ...) NOT-FOR-US: Oracle PeopleSoft CVE-2013-0390 (Unspecified vulnerability in the Oracle Applications Framework compone ...) NOT-FOR-US: Oracle Applications Framework CVE-2013-0389 (Unspecified vulnerability in the Server component in Oracle MySQL 5.1. ...) {DSA-2780-1} - mysql-5.1 - mysql-5.5 5.5.29+dfsg-1 CVE-2013-0388 (Unspecified vulnerability in the PeopleSoft HRMS component in Oracle P ...) NOT-FOR-US: Oracle PeopleSoft CVE-2013-0387 (Unspecified vulnerability in the PeopleSoft PeopleTools component in O ...) NOT-FOR-US: Oracle PeopleSoft CVE-2013-0386 (Unspecified vulnerability in the Server component in Oracle MySQL 5.5. ...) - mysql-5.1 (Only affects 5.5) - mysql-5.5 5.5.29+dfsg-1 CVE-2013-0385 (Unspecified vulnerability in the Server component in Oracle MySQL 5.1. ...) {DSA-2780-1} - mysql-5.1 - mysql-5.5 5.5.29+dfsg-1 CVE-2013-0384 (Unspecified vulnerability in the Server component in Oracle MySQL 5.1. ...) {DSA-2780-1} - mysql-5.1 - mysql-5.5 5.5.29+dfsg-1 CVE-2013-0383 (Unspecified vulnerability in the Server component in Oracle MySQL 5.1. ...) {DSA-2780-1} - mysql-5.1 - mysql-5.5 5.5.29+dfsg-1 CVE-2013-0382 (Unspecified vulnerability in the Oracle Marketing component in Oracle ...) NOT-FOR-US: Oracle E Business suite CVE-2013-0381 (Unspecified vulnerability in the Oracle CRM Technical Foundation compo ...) NOT-FOR-US: Oracle E Business suite CVE-2013-0380 (Unspecified vulnerability in the Oracle Payroll component in Oracle E- ...) NOT-FOR-US: Oracle E Business suite CVE-2013-0379 (Unspecified vulnerability in the Siebel CRM component in Oracle Siebel ...) NOT-FOR-US: Oracle Siebel CRM CVE-2013-0378 (Unspecified vulnerability in the Siebel CRM component in Oracle Siebel ...) NOT-FOR-US: Oracle Siebel CRM CVE-2013-0377 (Unspecified vulnerability in the Oracle Applications Technology Stack ...) NOT-FOR-US: Oracle E Business suite CVE-2013-0376 (Unspecified vulnerability in the Oracle Applications Framework compone ...) NOT-FOR-US: Oracle E Business suite CVE-2013-0375 (Unspecified vulnerability in the Server component in Oracle MySQL 5.1. ...) {DSA-2780-1} - mysql-5.1 5.1.67 - mysql-5.5 5.5.29+dfsg-1 CVE-2013-0374 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle Enterprise Manager CVE-2013-0373 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle Enterprise Manager CVE-2013-0372 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle Enterprise Manager CVE-2013-0371 (Unspecified vulnerability in the Server component in Oracle MySQL 5.5. ...) - mysql-5.1 (Only affects 5.5) - mysql-5.5 5.5.29+dfsg-1 CVE-2013-0370 (Unspecified vulnerability in the Oracle Agile PLM Framework component ...) NOT-FOR-US: Oracle Supply Chain product suite CVE-2013-0369 (Unspecified vulnerability in the PeopleSoft PeopleTools component in O ...) NOT-FOR-US: Oracle PeopleSoft CVE-2013-0368 (Unspecified vulnerability in the Server component in Oracle MySQL 5.5. ...) - mysql-5.1 (Only affects 5.5) - mysql-5.5 5.5.29+dfsg-1 CVE-2013-0367 (Unspecified vulnerability in the Server component in Oracle MySQL 5.5. ...) - mysql-5.1 (Only affects 5.5) - mysql-5.5 5.5.29+dfsg-1 CVE-2013-0366 (Unspecified vulnerability in the Mobile Server component in Oracle Dat ...) NOT-FOR-US: Oracle Database Mobile/Lite Server CVE-2013-0365 (Unspecified vulnerability in the Siebel CRM component in Oracle Siebel ...) NOT-FOR-US: Oracle Siebel CRM CVE-2013-0364 (Unspecified vulnerability in the Mobile Server component in Oracle Dat ...) NOT-FOR-US: Oracle Database Mobile/Lite Server CVE-2013-0363 (Unspecified vulnerability in the Mobile Server component in Oracle Dat ...) NOT-FOR-US: Oracle Database Mobile/Lite Server CVE-2013-0362 (Unspecified vulnerability in the Mobile Server component in Oracle Dat ...) NOT-FOR-US: Oracle Database Mobile/Lite Server CVE-2013-0361 (Unspecified vulnerability in the Mobile Server component in Oracle Dat ...) NOT-FOR-US: Oracle Database Mobile/Lite Server CVE-2013-0360 (Unspecified vulnerability in the Application Performance Management (A ...) NOT-FOR-US: Oracle Enterprise Manager Grid Control CVE-2013-0359 (Unspecified vulnerability in the APM - Application Performance Managem ...) NOT-FOR-US: Oracle Enterprise Manager Grid Control CVE-2013-0358 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle Enterprise Manager Grid Control CVE-2013-0357 (Unspecified vulnerability in the PeopleSoft PeopleTools component in O ...) NOT-FOR-US: Oracle PeopleSoft CVE-2013-0356 (Unspecified vulnerability in the PeopleSoft PeopleTools component in O ...) NOT-FOR-US: Oracle PeopleSoft CVE-2013-0355 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle Enterprise Manager Grid Control CVE-2013-0354 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle Enterprise Manager Grid Control CVE-2013-0353 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle Enterprise Manager Grid Control CVE-2013-0352 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle Enterprise Manager Grid Control CVE-2013-0351 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2013-0350 (tmp_smtp.c in pktstat 1.8.5 allows local users to overwrite arbitrary ...) - pktstat 1.8.5-3 (bug #701211) [squeeze] - pktstat (Vulnerable code not present) CVE-2013-0349 (The hidp_setup_hid function in net/bluetooth/hidp/core.c in the Linux ...) {DSA-2668-1} - linux 3.2.39-1 - linux-2.6 CVE-2013-0348 (thttpd.c in sthttpd before 2.26.4-r2 and thttpd 2.25b use world-readab ...) - thttpd (low) [squeeze] - thttpd (Minor issue) NOTE: http://blogs.gentoo.org/blueness/2014/10/03/sthttpd-a-very-tiny-and-very-fast-http-server-with-a-mature-codebase/ CVE-2013-0347 (The Gentoo init script for webfs uses world-readable permissions for / ...) - webfs 1.21+ds1-9 (low; bug #701638) [wheezy] - webfs (Minor issue) [squeeze] - webfs (Minor issue) CVE-2013-0346 (** DISPUTED ** Apache Tomcat 7.x uses world-readable permissions for t ...) - tomcat6 (Log files are owned by tomcat:tomcat) CVE-2013-0345 (varnish 3.0.3 uses world-readable permissions for the /var/log/varnish ...) - varnish (Logfiles are owned by varnishlog:varnishlog) CVE-2013-0344 RESERVED CVE-2013-0343 (The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux ...) {DSA-2906-1} - linux 3.10.11-1 (low) [wheezy] - linux 3.2.51-1 - linux-2.6 (low) CVE-2013-0342 (The CreateID function in packet.py in pyrad before 2.1 uses sequential ...) - pyrad (low; bug #701151) [buster] - pyrad (Minor issue) [stretch] - pyrad (Minor issue) [jessie] - pyrad (Minor issue) [wheezy] - pyrad (Minor issue) [squeeze] - pyrad (Minor issue) NOTE: this is initially related to #700669 CVE-2013-0341 [external entity expansion] REJECTED CVE-2013-0340 (expat 2.1.0 and earlier does not properly handle entities expansion un ...) - expat (unimportant) NOTE: Expat provides API to mitigate expansion attacks, ultimately under control of the app using Expat NOTE: https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0340.html CVE-2013-0339 (libxml2 through 2.9.1 does not properly handle external entities expan ...) {DSA-2652-1} - libxml2 2.8.0+dfsg1-7+nmu1 (bug #702260) CVE-2013-0338 (libxml2 2.9.0 and earlier allows context-dependent attackers to cause ...) {DSA-2652-1} - libxml2 2.8.0+dfsg1-7+nmu1 (bug #702260) CVE-2013-0337 (The default configuration of nginx, possibly 1.3.13 and earlier, uses ...) - nginx (low; bug #701112) [buster] - nginx (Minor issue) [stretch] - nginx (Minor issue) [jessie] - nginx (Minor issue) [wheezy] - nginx (Minor issue) [squeeze] - nginx (Minor issue) NOTE: Can only be fixed properly once https://trac.nginx.org/nginx/ticket/376 NOTE: resolved upstream. NOTE: Originally fixed in 1.4.4-2 but reintroduced with DSA-3701-1 fixes. CVE-2013-0336 (The ipapwd_chpwop function in daemons/ipa-slapi-plugins/ipa-pwd-extop/ ...) - 389-ds-base 1.3.2.9-1 (bug #704077) CVE-2013-0335 (OpenStack Compute (Nova) Grizzly, Folsom (2012.2), and Essex (2012.1) ...) - nova 2012.1.1-14 (bug #701773) CVE-2013-0334 (Bundler before 1.7, when multiple top-level source lines are used, all ...) - bundler 1.7.2-1 (low; bug #762739) [wheezy] - bundler (Minor issue) CVE-2013-0333 (lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before ...) {DSA-2613-1} - rails 2.3.14.1 (bug #699226) - ruby-activesupport-2.3 2.3.14-6 (bug #699249) NOTE: Starting with 2.3.14.1 rails is a transition package NOTE: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo CVE-2013-0332 (Multiple directory traversal vulnerabilities in ZoneMinder 1.24.x befo ...) {DSA-2640-1} - zoneminder 1.25.0-1 (bug #700912) CVE-2013-0331 (Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticate ...) - jenkins 1.480.3+dfsg-1 (bug #700761) CVE-2013-0330 (Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480 ...) - jenkins 1.480.3+dfsg-1 (bug #700761) CVE-2013-0329 (Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480 ...) - jenkins 1.480.3+dfsg-1 (bug #700761) CVE-2013-0328 (Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and L ...) - jenkins 1.480.3+dfsg-1 (bug #700761) CVE-2013-0327 (Cross-site request forgery (CSRF) vulnerability in Jenkins master in J ...) - jenkins 1.480.3+dfsg-1 (bug #700761) CVE-2013-0326 (OpenStack nova base images permissions are world readable ...) - nova (unimportant) NOTE: Unfixed upstream, typical installation not multi-user anyway CVE-2013-0325 (Multiple cross-site scripting (XSS) vulnerabilities in the Varnish mod ...) NOT-FOR-US: Drupal addon CVE-2013-0324 (Cross-site scripting (XSS) vulnerability in the Rendered links formatt ...) NOT-FOR-US: Drupal addon CVE-2013-0323 (Cross-site scripting (XSS) vulnerability in the Display Suite module 7 ...) NOT-FOR-US: Drupal addon CVE-2013-0322 (Cross-site scripting (XSS) vulnerability in Views in the Ubercart modu ...) NOT-FOR-US: Drupal addon CVE-2013-0321 (Cross-site scripting (XSS) vulnerability in Views in the Ubercart View ...) NOT-FOR-US: Drupal addon CVE-2013-0320 (Cross-site request forgery (CSRF) vulnerability in the Taxonomy Manage ...) NOT-FOR-US: Drupal addon CVE-2013-0319 (Cross-site scripting (XSS) vulnerability in the Yandex.Metrics module ...) NOT-FOR-US: Drupal addon CVE-2013-0318 (The admin page in the Banckle Chat module for Drupal does not properly ...) NOT-FOR-US: Drupal addon CVE-2013-0317 (Cross-site scripting (XSS) vulnerability in the Manager Change for Org ...) NOT-FOR-US: Drupal addon CVE-2013-0316 (The Image module in Drupal 7.x before 7.20 allows remote attackers to ...) - drupal7 7.14-2 (bug #701165) - drupal6 (Only affects Drupal 7) CVE-2013-0315 (The GateIn Portal export/import gadget in JBoss Enterprise Portal Plat ...) NOT-FOR-US: GateIn Portal CVE-2013-0314 (The GateIn Portal export/import gadget in JBoss Enterprise Portal Plat ...) NOT-FOR-US: GateIn Portal CVE-2013-0313 (The evm_update_evmxattr function in security/integrity/evm/evm_crypto. ...) - linux 3.2.39-1 - linux-2.6 (Vulnerable code not present) CVE-2013-0312 (389 Directory Server before 1.3.0.4 allows remote attackers to cause a ...) - 389-ds-base 1.3.0.3-1 CVE-2013-0311 (The translate_desc function in drivers/vhost/vhost.c in the Linux kern ...) - linux 3.2.41-1 - linux-2.6 (Vulnerable code not present) CVE-2013-0310 (The cipso_v4_validate function in net/ipv4/cipso_ipv4.c in the Linux k ...) - linux 3.2.29-1 - linux-2.6 (Vulnerable code not present) CVE-2013-0309 (arch/x86/include/asm/pgtable.h in the Linux kernel before 3.6.2, when ...) - linux 3.2.32-1 - linux-2.6 (THP not in Squeeze) NOTE: Probably gone since 3.2.32, but I checked 3.2.41-2 CVE-2013-0308 (The imap-send command in GIT before 1.8.1.4 does not verify that the s ...) - git (OpenSSL support is not enabled in Debian, see bug #701586) NOTE: http://marc.info/?l=git&m=136134619013145&w=2 NOTE: Further reference about SSL support in imap-send #434599 needs to be adressed first CVE-2013-0307 (Cross-site scripting (XSS) vulnerability in settings.php in ownCloud b ...) - owncloud 4.0.8debian-1.5 (bug #701115) NOTE: http://owncloud.org/about/security/advisories/oC-SA-2013-003/ CVE-2013-0306 (The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and ...) {DSA-2634-1} - python-django 1.4.4-1 (bug #701186) CVE-2013-0305 (The administrative interface for Django 1.3.x before 1.3.6, 1.4.x befo ...) {DSA-2634-1} - python-django 1.4.4-1 (bug #701186) NOTE: https://www.djangoproject.com/weblog/2013/feb/19/security/ CVE-2013-0304 (ownCloud Server before 4.5.7 does not properly check ownership of cale ...) - owncloud 5.0.3+dfsg-1 CVE-2013-0303 (Unspecified vulnerability in core/ajax/translations.php in ownCloud be ...) - owncloud 4.0.8debian-1.5 (bug #701115) NOTE: http://owncloud.org/about/security/advisories/oC-SA-2013-006/ CVE-2013-0302 (Unspecified vulnerability in ownCloud Server before 4.0.12 allows remo ...) - owncloud 5.0.3+dfsg-1 CVE-2013-0301 (Cross-site request forgery (CSRF) vulnerability in apps/calendar/ajax/ ...) - owncloud 4.0.8debian-1.5 (bug #701115) NOTE: http://owncloud.org/about/security/advisories/oC-SA-2013-004/ CVE-2013-0300 (Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud ...) - owncloud (Vulnerably code not present, only affects 4.5 branch) NOTE: http://owncloud.org/about/security/advisories/oC-SA-2013-004/ CVE-2013-0299 (Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud ...) - owncloud 4.0.8debian-1.5 (bug #701115) NOTE: http://owncloud.org/about/security/advisories/oC-SA-2013-004/ CVE-2013-0298 (Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.x ...) - owncloud (Vulnerably code not present, only affects 4.5 branch) NOTE: http://owncloud.org/about/security/advisories/oC-SA-2013-003/ CVE-2013-0297 (Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before ...) - owncloud 4.0.8debian-1.5 (bug #701115) NOTE: http://owncloud.org/about/security/advisories/oC-SA-2013-003/ CVE-2013-0296 (Race condition in pigz before 2.2.5 uses permissions derived from the ...) - pigz 2.2.4-2 (low; bug #700608) [squeeze] - pigz 2.1.6-1+squeeze1 CVE-2013-0295 REJECTED CVE-2013-0294 (packet.py in pyrad before 2.1 uses weak random numbers to generate RAD ...) - pyrad 2.0-2 (low; bug #700669) [wheezy] - pyrad 1.2-1+deb7u2 [squeeze] - pyrad 1.2-1+deb6u1 CVE-2013-0293 (oVirt Node: Lock screen accepts F2 to drop to shell causing privilege ...) - ovirt-node (bug #502024) CVE-2013-0292 (The dbus_g_proxy_manager_filter function in dbus-gproxy in Dbus-glib b ...) - dbus-glib 0.100.1-1 (bug #700638; high) [squeeze] - dbus-glib 0.88-2.1+squeeze1 CVE-2013-0291 (NextGEN Gallery Plugin for WordPress 1.9.10 and 1.9.11 has a Path Disc ...) NOT-FOR-US: NextGEN Gallery Plugin for WordPress CVE-2013-0290 (The __skb_recv_datagram function in net/core/datagram.c in the Linux k ...) - linux (Introduced in 3.4, fixed in 3.8) - linux-2.6 (Introduced in 3.4) CVE-2013-0289 (Isync 0.4 before 1.0.6, does not verify that the server hostname match ...) - isync 1.0.4-2.2 (low; bug #701052) [squeeze] - isync (Minor issue) NOTE: http://isync.git.sourceforge.net/git/gitweb.cgi?p=isync/isync;a=patch;h=914ede18664980925628a9ed2a73ad05f85aeedb CVE-2013-0288 (nss-pam-ldapd before 0.7.18 and 0.8.x before 0.8.11 allows context-dep ...) {DSA-2628-1} - nss-pam-ldapd 0.8.10-3 (bug #690319) CVE-2013-0287 (The Simple Access Provider in System Security Services Daemon (SSSD) 1 ...) - sssd (Introduced in 1.9.0) NOTE: http://www.openwall.com/lists/oss-security/2013/03/20/12 CVE-2013-0286 (Pinboard 1.0.6 theme for Wordpress has XSS. ...) NOT-FOR-US: Wordpress theme CVE-2013-0285 (The nori gem 2.0.x before 2.0.2, 1.1.x before 1.1.4, and 1.0.x before ...) NOT-FOR-US: nori Ruby gem CVE-2013-0284 (Ruby agent 3.2.0 through 3.5.2 serializes sensitive data when communic ...) NOT-FOR-US: newrelic_rpm Ruby gem CVE-2013-0283 (Katello: Username in Notification page has cross site scripting ...) NOT-FOR-US: Red Hat CloudForms CVE-2013-0282 (OpenStack Keystone Grizzly before 2013.1, Folsom 2012.1.3 and earlier, ...) - keystone 2012.1.1-13 (bug #700947) CVE-2013-0281 (Pacemaker 1.1.10, when remote Cluster Information Base (CIB) configura ...) - pacemaker 1.1.10-1 (low; bug #700923) [squeeze] - pacemaker (Minor issue) [wheezy] - pacemaker (Minor issue) NOTE: https://github.com/ClusterLabs/pacemaker/commit/564f7cc2a51dcd2f28ab12a13394f31be5aa3c93 CVE-2013-0280 REJECTED CVE-2013-0279 REJECTED CVE-2013-0278 REJECTED CVE-2013-0277 (ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allow ...) {DSA-2620-1} - ruby-activerecord-2.3 2.3.14-5 - rails 2.3.14.1 NOTE: Starting with 2.3.14.1 rails is a transition package CVE-2013-0276 (ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and ...) {DSA-2620-1} - ruby-activemodel-3.2 3.2.6-3 - ruby-activerecord-2.3 2.3.14-5 - rails 2.3.14.1 NOTE: Starting with 2.3.14.1 rails is a transition package NOTE: The fix for 3.2 is present in ruby-activemodel-3.2, not ruby-activerecord-3.2 CVE-2013-0275 (Multiple cross-site scripting (XSS) vulnerabilities in Ganglia Web bef ...) - ganglia 3.6.0-1 (low; bug #700158) [squeeze] - ganglia (Minor issue) [wheezy] - ganglia (Minor issue) - ganglia-web 3.5.8-3 (bug #700159) NOTE: starting with 3.6.0-1 the web front is no longer built from src:ganglia so marking this version as fixed NOTE: https://github.com/ganglia/ganglia-web/commit/31d348947419058c43b8dfcd062e2988abd5058e NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=892823 CVE-2013-0274 (upnp.c in libpurple in Pidgin before 2.10.7 does not properly terminat ...) - pidgin 2.10.6-3 NOTE: http://www.pidgin.im/news/security/?id=68 [squeeze] - pidgin (Support in oldstable is limited to IRC, Jabber/XMPP, Sametime and SIMPLE) CVE-2013-0273 (sametime.c in the Sametime protocol plugin in libpurple in Pidgin befo ...) - pidgin 2.10.6-3 [squeeze] - pidgin (Not suitable for code injection) NOTE: http://pidgin.im/news/security/?id=67 CVE-2013-0272 (Buffer overflow in http.c in the MXit protocol plugin in libpurple in ...) - pidgin 2.10.6-3 NOTE: http://pidgin.im/news/security/?id=66 [squeeze] - pidgin (Support in oldstable is limited to IRC, Jabber/XMPP, Sametime and SIMPLE) CVE-2013-0271 (The MXit protocol plugin in libpurple in Pidgin before 2.10.7 might al ...) - pidgin 2.10.6-3 [squeeze] - pidgin (Support in oldstable is limited to IRC, Jabber/XMPP, Sametime and SIMPLE) NOTE: http://pidgin.im/news/security/?id=65 CVE-2013-0270 (OpenStack Keystone Grizzly before 2013.1, Folsom, and possibly earlier ...) - keystone 2013.1.1-2 [wheezy] - keystone (Too intrusive to backport) NOTE: https://bugs.launchpad.net/keystone/+bug/1099025 NOTE: See notes on ubuntu security tracker, change too intrusive to be backported CVE-2013-0269 (The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 ...) {DLA-263-1 DLA-215-1} - ruby-json 1.7.3-3 (bug #700436) - libjson-ruby - ruby1.9.1 1.9.3.194-7 (bug #700471) - ruby1.8 (json ext not present in 1.8) CVE-2013-0268 (The msr_open function in arch/x86/kernel/msr.c in the Linux kernel bef ...) - linux 3.2.39-1 - linux-2.6 2.6.32-48squeeze1 CVE-2013-0267 (The Privileges portion of the web GUI and the XMLRPC API in Apache VCL ...) NOT-FOR-US: Apache VCL CVE-2013-0266 (manifests/base.pp in the puppetlabs-cinder module, as used in PackStac ...) NOT-FOR-US: Openstack Packstack CVE-2013-0265 (The redirect_stderr function in xnbd_common.c in xnbd-server and xndb- ...) - xnbd 0.1.0-pre-hg20-e75b93a47722-3 (low) NOTE: http://seclists.org/oss-sec/2013/q1/248 CVE-2013-0264 (An import error was introduced in Cumin in the code refactoring in r53 ...) NOT-FOR-US: Cumin CVE-2013-0263 (Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, ...) {DSA-2783-1} - ruby-rack 1.4.1-2.1 (bug #700226) - librack-ruby (bug #700226) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=802794 NOTE: Patches in git, commits 0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07 and 9a81b961457805f6d1a5c275d053068440421e11 CVE-2013-0262 (rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before ...) - ruby-rack 1.4.1-2.1 (bug #700173) - librack-ruby (Introduced in 1.4.0, see #700226) NOTE: Patches in git, commit 6f237e4c9fab649d3750482514f0fde76c56ab30 CVE-2013-0261 ((1) installer/basedefs.py and (2) modules/ospluginutils.py in PackStac ...) NOT-FOR-US: Openstack Packstack CVE-2013-0260 (Unspecified vulnerability in the Drush Debian Packaging module for Dru ...) NOT-FOR-US: Drupal module debuild NOTE: This is a different thing from the drush package. CVE-2013-0259 (Cross-site scripting (XSS) vulnerability in the Boxes module 7.x-1.x b ...) NOT-FOR-US: Drupal module Boxes CVE-2013-0258 (The Google Authenticator login (ga_login) module 7.x before 7.x-1.3 fo ...) NOT-FOR-US: Drupal module ga_login CVE-2013-0257 (The email2image module 6.x-1.x and 6.x-2.x for Drupal does not properl ...) NOT-FOR-US: Drupal module email2image CVE-2013-0256 (darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1 ...) {DLA-235-1} - ruby1.9.1 1.9.3.194-6 (low; bug #699929) - ruby1.8 (Only affects 1.9 and 2.0) NOTE: http://marc.info/?l=oss-security&m=136021623726440&w=2 NOTE: https://github.com/rdoc/rdoc/commit/ffa87887ee0517793df7541629a470e331f9fe60 CVE-2013-0255 (PostgreSQL 9.2.x before 9.2.3, 9.1.x before 9.1.8, 9.0.x before 9.0.12 ...) {DSA-2630-1} - postgresql-9.1 9.1.8-1 - postgresql-8.4 8.4.16-1 CVE-2013-0254 (The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before ...) {DLA-210-1} - qt4-x11 4:4.8.2+dfsg-11 (bug #699870) NOTE: possible follow-up problem if patch is applied: http://bugs.debian.org/700530 NOTE: but bug in xorg server, needs checking CVE-2013-0253 (The default configuration of Apache Maven 3.0.4, when using Maven Wago ...) - wagon2 2.2-3+nmu1 (bug #701991) CVE-2013-0252 (boost::locale::utf::utf_traits in the Boost.Locale library in Boost 1. ...) - boost1.50 (bug #699650) - boost1.49 1.49.0-3.2 (bug #699649) - boost1.42 (Boost.Locale was not part of boost until 1.48.0, bug #699719) CVE-2013-0251 (Stack-based buffer overflow in llogincircuit.cc in latd 1.25 through 1 ...) - latd 1.31 (low; bug #699625) [squeeze] - latd (Minor issue) CVE-2013-0250 (The init_nss_hash function in exec/totemcrypto.c in Corosync 2.0 befor ...) - corosync (Introduced in v1.99.8-2-ge925f42; bug #699615) NOTE: https://github.com/corosync/corosync/commit/4378915a33ab7fbbb5874f79dd7cd71b014ef44e#L0R407 NOTE: http://www.openwall.com/lists/oss-security/2013/02/01/1 CVE-2013-0249 (Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message ...) - curl 7.29.0-1 (bug #700002) [squeeze] - curl (Only affects 7.26.0 to 7.28.1) [wheezy] - curl 7.26.0-1+wheezy1 CVE-2013-0248 (The default configuration of javax.servlet.context.tempdir in Apache C ...) - libcommons-fileupload-java 1.3-1 (unimportant) NOTE: Only affects example code CVE-2013-0247 (OpenStack Keystone Essex 2012.1.3 and earlier, Folsom 2012.2.3 and ear ...) - keystone 2012.1.1-12 (bug #699835) NOTE: https://bugs.launchpad.net/keystone/+bug/1098307 CVE-2013-0246 (The Image module in Drupal 7.x before 7.19, when a private file system ...) - drupal7 7.14-1.3 (bug #698334) NOTE: https://drupal.org/SA-CORE-2013-001 CVE-2013-0245 (The printer friendly version functionality in the Book module in Drupa ...) {DSA-2776-1} - drupal6 (bug #698333) - drupal7 7.14-1.3 (bug #698334) NOTE: https://drupal.org/SA-CORE-2013-001 CVE-2013-0244 (Cross-site scripting (XSS) vulnerability in Drupal 6.x before 6.28 and ...) {DSA-2776-1} - drupal6 (bug #698333) - drupal7 7.14-1.3 (bug #698334) NOTE: https://drupal.org/SA-CORE-2013-001 CVE-2013-0242 (Buffer overflow in the extend_buffers function in the regular expressi ...) {DLA-165-1} - eglibc - glibc 2.17-2 (low; bug #699399) [wheezy] - eglibc 2.13-38+deb7u1 NOTE: http://seclists.org/oss-sec/2013/q1/202 CVE-2013-0241 (The QXL display driver in QXL Virtual GPU 0.1.0 allows local users to ...) - xserver-xorg-video-qxl 0.0.17-1 (bug #699396) [squeeze] - xserver-xorg-video-qxl (minor denial of service issue) NOTE: squeeze is affected since it could be a guest of an affected qemu-kvm version CVE-2013-0240 (Gnome Online Accounts (GOA) 3.4.x, 3.6.x before 3.6.3, and 3.7.x befor ...) - gnome-online-accounts 3.4.2-2 (bug #699825) CVE-2013-0239 (Apache CXF before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3, w ...) - jbossas4 (Only builds a few libraries, not the full application server, #581226) CVE-2013-0238 (The try_parse_v4_netmask function in hostmask.c in IRCD-Hybrid before ...) {DSA-2618-1} - ircd-hybrid 1:7.2.2.dfsg.2-10 (bug #699267; high) [squeeze] - ircd-hybrid 7.2.2.dfsg.2-6.2+squeeze1 - oftc-hybrid CVE-2013-0237 (Cross-site scripting (XSS) vulnerability in Plupload.as in Moxiecode p ...) - wordpress 3.5.1+dfsg-1 (bug #698929) NOTE: http://wordpress.org/news/2013/01/wordpress-3-5-1/ NOTE: http://www.openwall.com/lists/oss-security/2013/01/25/7 CVE-2013-0236 (Multiple cross-site scripting (XSS) vulnerabilities in WordPress befor ...) - wordpress 3.5.1+dfsg-1 (bug #698927) NOTE: http://wordpress.org/news/2013/01/wordpress-3-5-1/ NOTE: http://www.openwall.com/lists/oss-security/2013/01/25/7 CVE-2013-0235 (The XMLRPC API in WordPress before 3.5.1 allows remote attackers to se ...) - wordpress 3.5.1+dfsg-1 (bug #698916) NOTE: http://wordpress.org/news/2013/01/wordpress-3-5-1/ NOTE: http://www.openwall.com/lists/oss-security/2013/01/25/7 CVE-2013-0234 (Cross-site scripting (XSS) vulnerability in the Twitter widget in Elgg ...) - elgg (bug #526197) CVE-2013-0233 (Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, ...) - ruby-devise 3.4.1-1 CVE-2013-0232 (includes/functions.php in ZoneMinder Video Server 1.24.0, 1.25.0, and ...) {DSA-2640-1} - zoneminder 1.25.0-4 (bug #698910) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=904103 NOTE: Upstream forum post: http://www.zoneminder.com/forums/viewtopic.php?f=29&t=20771 CVE-2013-0231 (The pciback_enable_msi function in the PCI backend driver (drivers/xen ...) {DSA-2632-1} - linux 3.2.41-1 - linux-2.6 CVE-2013-0230 (Stack-based buffer overflow in the ExecuteSoapAction function in the S ...) - miniupnpd (Fixed before initial upload to archive) CVE-2013-0229 (The ProcessSSDPRequest function in minissdp.c in the SSDP handler in M ...) - miniupnpd (Fixed before initial upload to archive) CVE-2013-0228 (The xen_iret function in arch/x86/xen/xen-asm_32.S in the Linux kernel ...) {DLA-103-1} - linux 3.2.39-1 - linux-2.6 [squeeze] - linux-2.6 2.6.32-48 NOTE: was actually fixed in 2.6.32-46squeeze1 but upload was done and no DSA was released for that version. CVE-2013-0227 (Cross-site scripting (XSS) vulnerability in the Search API Sorts modul ...) NOT-FOR-US: Drupal addon CVE-2013-0226 (The Keyboard Shortcut Utility module 7.x-1.x before 7.x-1.1 for Drupal ...) NOT-FOR-US: Drupal addon CVE-2013-0225 (Cross-site scripting (XSS) vulnerability in the User Relationships mod ...) NOT-FOR-US: Drupal addon CVE-2013-0224 (The Video module 7.x-2.x before 7.x-2.9 for Drupal, when using the FFm ...) NOT-FOR-US: Drupal addon CVE-2013-0223 (The SUSE coreutils-i18n.patch for GNU coreutils allows context-depende ...) - coreutils (Affected patch not added to Debian package) NOTE: http://www.openwall.com/lists/oss-security/2013/01/21/14 CVE-2013-0222 (The SUSE coreutils-i18n.patch for GNU coreutils allows context-depende ...) - coreutils (Affected patch not added to Debian package) NOTE: http://www.openwall.com/lists/oss-security/2013/01/21/14 CVE-2013-0221 (The SUSE coreutils-i18n.patch for GNU coreutils allows context-depende ...) - coreutils (Affected patch not added to Debian package) NOTE: http://www.openwall.com/lists/oss-security/2013/01/21/14 CVE-2013-0220 (The (1) sss_autofs_cmd_getautomntent and (2) sss_autofs_cmd_getautomnt ...) - sssd 1.8.4-2 (low; bug #698871) [squeeze] - sssd (autofs and ssh responders not yet present) CVE-2013-0219 (System Security Services Daemon (SSSD) before 1.9.4, when (1) creating ...) - sssd 1.8.4-2 (low; bug #698871) [squeeze] - sssd (Minor issue) CVE-2013-0218 (The GUI installer in JBoss Enterprise Application Platform (EAP) and E ...) - jbossas4 (Only builds a few libraries, not the full application server, #581226) CVE-2013-0217 (Memory leak in drivers/net/xen-netback/netback.c in the Xen netback fu ...) - linux 3.2.39-1 - linux-2.6 [squeeze] - linux-2.6 2.6.32-48 CVE-2013-0216 (The Xen netback functionality in the Linux kernel before 3.7.8 allows ...) - linux 3.2.39-1 - linux-2.6 [squeeze] - linux-2.6 2.6.32-48 CVE-2013-0215 (oxenstored in Xen 4.1.x, Xen 4.2.x, and xen-unstable does not properly ...) - xen (ocaml version of the xenstore daemon not used in Debian) CVE-2013-0214 (Cross-site request forgery (CSRF) vulnerability in the Samba Web Admin ...) {DSA-2617-1} - samba 2:3.6.6-5 CVE-2013-0213 (The Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.21, 3 ...) {DSA-2617-1} - samba 2:3.6.6-5 CVE-2013-0212 (store/swift.py in OpenStack Glance Essex (2012.1), Folsom (2012.2) bef ...) - glance 2012.1.1-4 CVE-2013-0211 (Integer signedness error in the archive_write_zip_data function in arc ...) - libarchive 3.0.4-3 (bug #703957) [squeeze] - libarchive (Vulnerable code not present) CVE-2013-0210 (The smart proxy Puppet run API in Foreman before 1.2.0 allows remote a ...) - foreman (bug #663101) CVE-2013-0209 (lib/MT/Upgrade.pm in mt-upgrade.cgi in Movable Type 4.2x and 4.3x thro ...) {DSA-2611-1} - movabletype-opensource 5.1.2+dfsg-1 (bug #697666) NOTE: Versions 5.0 or higher not affected CVE-2013-0208 (The boot-from-volume feature in OpenStack Compute (Nova) Folsom and Es ...) - nova 2012.1.1-12 CVE-2013-0207 (Cross-site request forgery (CSRF) vulnerability in the Mark Complete m ...) NOT-FOR-US: module for Drupal CVE-2013-0206 (Unrestricted file upload vulnerability in the Live CSS module 6.x-2.x ...) NOT-FOR-US: module for Drupal CVE-2013-0205 (Cross-site request forgery (CSRF) vulnerability in the RESTful Web Ser ...) NOT-FOR-US: module for Drupal CVE-2013-0204 (settings/personal.php in ownCloud 4.5.x before 4.5.6 allows remote aut ...) - owncloud (Vulnerably code not present, only affects 4.5 branch) NOTE: http://owncloud.org/about/security/advisories/oC-SA-2013-002/ CVE-2013-0203 (Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, ...) - owncloud 4.0.8debian-1.4 (bug #698737) [wheezy] - owncloud 4.0.4debian2-3.3 NOTE: http://owncloud.org/about/security/advisories/oC-SA-2013-001/ CVE-2013-0202 (Cross-site scripting (XSS) vulnerability in ownCloud 4.5.5, 4.0.10, an ...) - owncloud 4.0.8debian-1.4 (bug #698737) [wheezy] - owncloud 4.0.4debian2-3.3 NOTE: http://owncloud.org/about/security/advisories/oC-SA-2013-001/ CVE-2013-0201 (Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, ...) - owncloud 4.0.8debian-1.4 (bug #698737) [wheezy] - owncloud 4.0.4debian2-3.3 NOTE: http://owncloud.org/about/security/advisories/oC-SA-2013-001/ CVE-2013-0200 (HP Linux Imaging and Printing (HPLIP) through 3.12.4 allows local user ...) {DSA-2829-1} - hplip 3.12.6-3.1 (low; bug #701185) [squeeze] - hplip (Minor issue) CVE-2013-0199 (The default LDAP ACIs in FreeIPA 3.0 before 3.1.2 do not restrict acce ...) NOT-FOR-US: FreeIPA CVE-2013-0198 (Dnsmasq before 2.66test2, when used with certain libvirt configuration ...) - dnsmasq 2.66-1 (low) [wheezy] - dnsmasq (Minor issue) [squeeze] - dnsmasq (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2013/01/18/2 CVE-2013-0197 (Cross-site scripting (XSS) vulnerability in the filter_draw_selection_ ...) - mantis (This only affects the 1.2.12 version, which isn't present in Debian, bug #698481) NOTE: http://www.mantisbt.org/bugs/view.php?id=15373 CVE-2013-0196 (A CSRF issue was found in OpenShift Enterprise 1.2. The web console is ...) NOT-FOR-US: OpenShift CVE-2013-0195 (Cross-site Scripting (XSS) in Piwik before 1.10.1 allows remote attack ...) - piwik (bug #506933) NOTE: http://piwik.org/blog/2013/01/piwik-1-10/ CVE-2013-0194 (Cross-site Scripting (XSS) in Piwik before 1.10.1 allows remote attack ...) - piwik (bug #506933) NOTE: http://piwik.org/blog/2013/01/piwik-1-10/ CVE-2013-0193 (Cross-site Scripting (XSS) in Piwik before 1.10.1 allows remote attack ...) - piwik (bug #506933) NOTE: http://piwik.org/blog/2013/01/piwik-1-10/ CVE-2013-0192 (File Disclosure in SMF (SimpleMachines Forum) <= 2.0.3: Forum admin ...) NOT-FOR-US: Simple Machines Forum CVE-2013-0188 REJECTED CVE-2013-0190 (The xen_failsafe_callback function in Xen for the Linux kernel 2.6.23 ...) - linux 3.2.39-1 - linux-2.6 [squeeze] - linux-2.6 2.6.32-47 CVE-2013-0189 (cachemgr.cgi in Squid 3.1.x and 3.2.x, possibly 3.1.22, 3.2.4, and oth ...) {DSA-2631-1} - squid 2.7.STABLE9-2 NOTE: squid-cgi was removed in 2.7.STABLE9-2 - squid3 3.1.20-2.1 (bug #696187) NOTE: possible regression, see #701123 CVE-2013-0191 (libpam-pgsql (aka pam_pgsql) 0.7 does not properly handle a NULL value ...) - pam-pgsql 0.7.3.1-4 (bug #698241) [squeeze] - pam-pgsql 0.7.1-4+squeeze2 NOTE: patch: https://sourceforge.net/u/lvella/pam-pgsql/ci/9361f5970e5dd90a747319995b67c2f73b91448c/ NOTE: bugreport: https://sourceforge.net/p/pam-pgsql/bugs/13/ CVE-2013-0187 (Foreman before 1.1 allows remote authenticated users to gain privilege ...) - foreman (bug #663101) CVE-2013-0186 (Multiple cross-site scripting (XSS) vulnerabilities in ManageIQ EVM al ...) NOT-FOR-US: ManageIQ EVM (CloudForms) CVE-2013-0185 (Cross-site request forgery (CSRF) vulnerability in ManageIQ Enterprise ...) NOT-FOR-US: ManageIQ EVM (CloudForms) CVE-2013-0184 (Unspecified vulnerability in Rack::Auth::AbstractRequest in Rack 1.1.x ...) {DSA-2783-1} - ruby-rack 1.4.1-2.1 (bug #698440) - librack-ruby CVE-2013-0183 (multipart/parser.rb in Rack 1.3.x before 1.3.8 and 1.4.x before 1.4.3 ...) {DSA-2783-1} - ruby-rack 1.4.1-2.1 (bug #698440) - librack-ruby NOTE: commit 24d512531bd88f2d6ce94b3a3d9798fde8fbb713 refactored the multipart module NOTE: and introduced the fast_forward_to_first_boundry function. NOTE: https://github.com/rack/rack/commit/24d512531bd88f2d6ce94b3a3d9798fde8fbb713 CVE-2013-0182 (The Payment module 7.x-1.x before 7.x-1.3 for Drupal does not properly ...) NOT-FOR-US: Drupal module Payment CVE-2013-0181 (Cross-site scripting (XSS) vulnerability in Views in the Search API (s ...) NOT-FOR-US: Drupal module search_api CVE-2013-0180 (Insecure temporary file vulnerability in Redis 2.6 related to /tmp/red ...) - redis 2:2.6.7-1 NOTE: https://www.openwall.com/lists/oss-security/2013/01/14/3 NOTE: Issue introduced to (incorrect) fix the CVE-2013-0178 temporary file issue, NOTE: where the fix introduced a new issue. CVE-2013-0179 (The process_bin_delete function in memcached.c in memcached 1.4.4 and ...) - memcached 1.4.13-0.2 (low; bug #698231) [squeeze] - memcached 1.4.5-1+deb6u1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=895054 NOTE: https://code.google.com/p/memcached/issues/detail?id=306 NOTE: https://code.google.com/p/memcached/issues/attachmentText?id=306&aid=3060004000&name=0001-Fix-buffer-overrun-when-logging-key-to-delete-in-bin.patch CVE-2013-0178 (Insecure temporary file vulnerability in Redis before 2.6 related to / ...) - redis 2:2.6.0-1 (low) [squeeze] - redis (Minor issue) [wheezy] - redis (Minor issue) NOTE: RedHat bugreport mentions 2.4 is affected, but not 2.6 CVE-2013-0177 (Multiple cross-site scripting (XSS) vulnerabilities in widget/screen/M ...) NOT-FOR-US: OFBiz CVE-2013-0176 (The publickey_from_privatekey function in libssh before 0.5.4, when no ...) - libssh 0.5.4-1 (low; bug #698963) [squeeze] - libssh (Minor issue) NOTE: http://www.libssh.org/2013/01/22/libssh-0-5-4-security-release/ NOTE: http://git.libssh.org/projects/libssh.git/commit/?h=v0-5&id=55b09f426417406bb25c0b9c474fbab1398b0dc8 CVE-2013-0175 (multi_xml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and possib ...) - ruby-multi-xml (Vulnerable version never in the archive) NOTE: fixed in https://rubygems.org/gems/multi_xml/versions/0.5.2 CVE-2013-0174 (The external node classifier (ENC) API in Foreman before 1.1 allows re ...) - foreman (bug #663101) CVE-2013-0173 (Foreman before 1.1 uses a salt of "foreman" to hash root passwords, wh ...) - foreman (bug #663101) CVE-2013-0172 (Samba 4.0.x before 4.0.1, in certain Active Directory domain-controlle ...) - samba4 4.0.0~beta2+dfsg1-3.1 (high; bug #699188) - samba (Only affects Active Directory functionality) NOTE: https://lists.samba.org/archive/samba-technical/2013-January/089911.html CVE-2013-0171 (Foreman before 1.1 allows remote attackers to execute arbitrary code v ...) - foreman (bug #663101) CVE-2013-0170 (Use-after-free vulnerability in the virNetMessageFree function in rpc/ ...) - libvirt 0.9.12-6 (bug #699224) [squeeze] - libvirt (Vulnerable code not present, see bug #699224) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=893450 NOTE: http://libvirt.org/git/?p=libvirt.git;a=commit;h=46532e3e8ed5f5a736a02f67d6c805492f9ca720 CVE-2013-0169 (The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as use ...) {DSA-2622-1 DSA-2621-1} - openssl 1.0.1e-1 (bug #699889) - bouncycastle 1.48+dfsg-2 (low; bug #699885) [wheezy] - bouncycastle (Minor issue) [squeeze] - bouncycastle (Minor issue) - polarssl 1.1.4-2 (bug #699887) - nss 2:3.14.3-1 (bug #699888) [squeeze] - nss (Minor issue) - openjdk-7 7u3-2.1.6-1 - openjdk-6 6b27-1.12.3-1 - gnutls26 2.12.20-4 [squeeze] - gnutls26 (Too intrusive to backport) - gnutls28 3.0.22-3 - cyassl 2.9.4+dfsg-1 - matrixssl (low) [squeeze] - matrixssl (Minor issue) [wheezy] - matrixssl (Minor issue) NOTE: matrixssl fixed this upstream in 3.4.1 - tlslite [wheezy] - tlslite (Minor issue) NOTE: http://www.isg.rhul.ac.uk/tls/TLStiming.pdf CVE-2013-0168 (The MoveDisk command in Red Hat Enterprise Virtualization Manager (RHE ...) NOTE: RHEV management tool CVE-2013-0167 (VDSM in Red Hat Enterprise Virtualization 3 and 3.2 allows privileged ...) - vdsm (bug #668538) CVE-2013-0166 (OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d do ...) {DSA-2621-1} - openssl 1.0.1e-1 (bug #699889) CVE-2013-0165 (cartridges/openshift-origin-cartridge-mongodb-2.2/info/bin/dump.sh in ...) NOT-FOR-US: OpenShift CVE-2013-0164 (The lockwrap function in port-proxy/bin/openshift-port-proxy-cfg in Re ...) NOT-FOR-US: OpenShift CVE-2013-0163 (OpenShift haproxy cartridge: predictable /tmp in set-proxy connection ...) NOT-FOR-US: OpenShift haproxy cartridge CVE-2013-0162 (The diff_pp function in lib/gauntlet_rubyparser.rb in the ruby_parser ...) - ruby-parser 2.3.1-2 (bug #701637) NOTE: http://www.openwall.com/lists/oss-security/2013/02/22/5 CVE-2013-0161 (Havalite CMS 1.1.7 has a stored XSS vulnerability ...) NOT-FOR-US: Havalite CMS CVE-2013-0160 (The Linux kernel through 3.7.9 allows local users to obtain sensitive ...) {DSA-2669-1} - linux 3.8.12-1 (unimportant) - linux-2.6 (unimportant) NOTE: Minor information leak, rather a missing hardening feature than a security vulnerability. CVE-2013-0159 (The fedora-business-cards package before 1-0.1.beta1.fc17 on Fedora 17 ...) NOT-FOR-US: Fedora build script CVE-2013-0158 (Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before ...) - jenkins 1.480.2+dfsg-1~exp1 (bug #697617) NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04 CVE-2013-0157 ((a) mount and (b) umount in util-linux 2.14.1, 2.17.2, and probably ot ...) - util-linux 2.20.1-5.5 (bug #697464; low) [squeeze] - util-linux (Minor issue) [wheezy] - util-linux (Minor issue) CVE-2013-0156 (active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2. ...) {DSA-2604-1} - rails 2.3.14.1 (bug #697722; high) - ruby-activesupport-2.3 2.3.14-5 (bug #697789) - ruby-activesupport-3.2 3.2.6-5 (bug #697790) NOTE: Starting with 2.3.14.1 rails is a transition package NOTE: http://www.insinuator.net/2013/01/rails-yaml/ NOTE: http://www.openwall.com/lists/oss-security/2013/01/08/14 NOTE: experimental has 3.2.8-1 and should be affected too CVE-2013-0155 (Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x befo ...) {DSA-2609-1} - ruby-activerecord-3.2 3.2.6-4 (bug #697744) - ruby-activerecord-2.3 2.3.14-4 - ruby-actionpack-3.2 3.2.6-5 (bug #697802) - rails 2.3.14.1 NOTE: Starting with 2.3.14.1 rails is a transition package NOTE: http://www.openwall.com/lists/oss-security/2013/01/08/13 CVE-2013-0154 (The get_page_type function in xen/arch/x86/mm.c in Xen 4.2, when debug ...) - xen (Only applies to Xen 4.2, which is only available in experimental) CVE-2013-0153 (The AMD IOMMU support in Xen 4.2.x, 4.1.x, 3.3, and other versions, wh ...) {DSA-2636-1} - xen 4.1.4-2 CVE-2013-0152 (Memory leak in Xen 4.2 and unstable allows local HVM guests to cause a ...) - xen (Only applies to Xen 4.2, which is only available in experimental) CVE-2013-0151 (The do_hvm_op function in xen/arch/x86/hvm/hvm.c in Xen 4.2.x on the x ...) - xen (Only applies to Xen 4.2, which is only available in experimental) CVE-2013-0150 (Directory traversal vulnerability in an unspecified signed Java applet ...) NOT-FOR-US: F5 BIG-IP APM, FirePass and other F5 products CVE-2013-0149 (The OSPF implementation in Cisco IOS 12.0 through 12.4 and 15.0 throug ...) - quagga NOTE: OSPF protocol vulnerability, quagga implementation not affected CVE-2013-0148 (The Data Camouflage (aka FairCom Standard Encryption) algorithm in Fai ...) NOT-FOR-US: FairCom c-treeACE CVE-2013-0147 RESERVED CVE-2013-0146 RESERVED CVE-2013-0145 (Buffer overflow in the TFTPD service in Serva32 2.1.0 allows remote at ...) NOT-FOR-US: Serva32 CVE-2013-0144 (Cross-site request forgery (CSRF) vulnerability in cgi-bin/create_user ...) NOT-FOR-US: QNAP CVE-2013-0143 (cgi-bin/pingping.cgi on QNAP VioStor NVR devices with firmware 4.0.3, ...) NOT-FOR-US: QNAP CVE-2013-0142 (QNAP VioStor NVR devices with firmware 4.0.3, and the Surveillance Sta ...) NOT-FOR-US: QNAP CVE-2013-0141 (Directory traversal vulnerability in McAfee ePolicy Orchestrator (ePO) ...) NOT-FOR-US: McAfee ePolicy Orchestrator CVE-2013-0140 (SQL injection vulnerability in the Agent-Handler component in McAfee e ...) NOT-FOR-US: McAfee ePolicy Orchestrator CVE-2013-0139 (The Arecont Vision AV1355DN MegaDome camera allows remote attackers to ...) NOT-FOR-US: Arecont Vision CVE-2013-0138 (BitZipper 2013 before Update 1 allows remote attackers to execute arbi ...) NOT-FOR-US: BitZipper CVE-2013-0137 (The default configuration of the Digital Alert Systems DASDEC EAS devi ...) NOT-FOR-US: Digital Alert Systems and Monroe Electronics CVE-2013-0136 (Multiple directory traversal vulnerabilities in the EditDocument servl ...) NOT-FOR-US: Mutiny CVE-2013-0135 (Multiple SQL injection vulnerabilities in PHP Address Book 8.2.5 allow ...) NOT-FOR-US: PHP Address Book CVE-2013-0134 (Cross-site scripting (XSS) vulnerability in the web interface in AirDr ...) NOT-FOR-US: AirDroid CVE-2013-0133 (Untrusted search path vulnerability in /usr/local/psa/admin/sbin/wrapp ...) NOT-FOR-US: Parallels Plesk Panel CVE-2013-0132 (The suexec implementation in Parallels Plesk Panel 11.0.9 contains a c ...) NOT-FOR-US: Parallels Plesk Panel CVE-2013-0131 (Buffer overflow in the NVIDIA GPU driver before 304.88, 310.x before 3 ...) - nvidia-graphics-drivers 304.88-1 (bug #704547) [wheezy] - nvidia-graphics-drivers (Non-free not supported) [squeeze] - nvidia-graphics-drivers (Non-free not supported) NOTE: http://nvidia.custhelp.com/app/answers/detail/a_id/3290 CVE-2013-0130 (Multiple buffer overflows in Core FTP before 2.2 build 1769 allow remo ...) NOT-FOR-US: Core FTP CVE-2013-0129 (Multiple cross-site scripting (XSS) vulnerabilities in pd-admin before ...) NOT-FOR-US: pd-admin CVE-2013-0128 (The Contact Customer Support feature in the TigerText Free Private Tex ...) NOT-FOR-US: TigerText CVE-2013-0127 (IBM Lotus Notes 8.x before 8.5.3 FP4 Interim Fix 1 and 9.0 before Inte ...) NOT-FOR-US: IBM Lotus Notes CVE-2013-0126 (Multiple cross-site request forgery (CSRF) vulnerabilities in index.cg ...) NOT-FOR-US: Verizon router CVE-2013-0125 (Cross-site scripting (XSS) vulnerability in fileview.asp in C2 WebReso ...) NOT-FOR-US: C2 WebResource CVE-2013-0124 (Multiple cross-site scripting (XSS) vulnerabilities in the administrat ...) NOT-FOR-US: ASKIA CVE-2013-0123 (Multiple SQL injection vulnerabilities in the administration interface ...) NOT-FOR-US: ASKIA CVE-2013-0122 (The avast! Mobile Security application before 2.0.4400 for Android all ...) NOT-FOR-US: avast! Mobile Security application CVE-2013-0121 RESERVED CVE-2013-0120 (The web interface on Dell PowerConnect 6248P switches allows remote at ...) NOT-FOR-US: Dell Switches CVE-2013-0119 RESERVED CVE-2013-0118 (CS-Cart before 3.0.6, when PayPal Standard Payments is configured, all ...) NOT-FOR-US: CS-Cart CVE-2013-0117 RESERVED CVE-2013-0116 RESERVED CVE-2013-0115 RESERVED CVE-2013-0114 RESERVED CVE-2013-0113 (Nuance PDF Reader 7.0 and PDF Viewer Plus 7.1 allow remote attackers t ...) NOT-FOR-US: Nuance PDF Reader CVE-2013-0112 RESERVED CVE-2013-0111 (daemonu.exe (aka the NVIDIA Update Service Daemon), as distributed wit ...) NOT-FOR-US: NVIDIA Update Service Daemon CVE-2013-0110 (nvSCPAPISvr.exe in the NVIDIA Stereoscopic 3D Driver service, as distr ...) NOT-FOR-US: NVIDIA Stereoscopic 3D Driver service CVE-2013-0109 (The NVIDIA driver before 307.78, and Release 310 before 311.00, in the ...) NOT-FOR-US: NVIDIA Display Driver service on Windows CVE-2013-0108 (An ActiveX control in HscRemoteDeploy.dll in Honeywell Enterprise Buil ...) NOT-FOR-US: Honeywell CVE-2013-0107 (Stack-based buffer overflow in Foxit Advanced PDF Editor 3 before 3.04 ...) NOT-FOR-US: Foxit Advanced PDF Editor CVE-2013-0106 RESERVED CVE-2013-0105 RESERVED CVE-2013-0104 RESERVED CVE-2013-0103 RESERVED CVE-2013-0102 RESERVED CVE-2013-0101 RESERVED CVE-2012-6323 RESERVED CVE-2012-6322 RESERVED CVE-2012-6321 RESERVED CVE-2012-6320 RESERVED CVE-2012-6319 RESERVED CVE-2012-6318 RESERVED CVE-2012-6317 RESERVED CVE-2012-6316 (Multiple cross-site scripting (XSS) vulnerabilities in the TP-LINK TL- ...) NOT-FOR-US: TP-LINK CVE-2012-6315 REJECTED CVE-2012-6314 (Citrix XenDesktop Virtual Desktop Agent (VDA) 5.6.x before 5.6.200, wh ...) NOT-FOR-US: Citrix XenDesktop CVE-2012-6313 (simple-gmail-login.php in the Simple Gmail Login plugin before 1.1.4 f ...) NOT-FOR-US: Wordpress plugin CVE-2012-6312 (Cross-site scripting (XSS) vulnerability in the Video Lead Form plugin ...) NOT-FOR-US: Wordpress plugin CVE-2012-6311 RESERVED CVE-2012-6310 RESERVED CVE-2012-6309 (A vulnerability exists in Arctic Torrent 1.4 via unspecified vectors i ...) NOT-FOR-US: Arctic Torrent CVE-2012-6308 RESERVED CVE-2012-6307 (A vulnerability exists in JPEGsnoop 1.5.2 due to an unspecified issue ...) NOT-FOR-US: JPEGsnoop CVE-2012-6306 (A vulnerability exists in HCView (aka Hardcoreview) 1.4 due to a write ...) NOT-FOR-US: HCView (aka Hardcoreview) CVE-2012-6305 RESERVED CVE-2012-6304 RESERVED CVE-2012-6303 (Heap-based buffer overflow in the GetWavHeader function in generic/jkS ...) - snack 2.2.10-dfsg1-12.1 (low; bug #695614) [squeeze] - snack 2.2.10-dfsg1-9+squeeze1 - wavesurfer (originally reported in wavesurfer, but actually a bug in libsnack, see bug #695615) NOTE: http://secunia.com/advisories/49889/ NOTE: http://www.openwall.com/lists/oss-security/2012/12/10/2 CVE-2012-6302 (Soapbox through 0.3.1: Sandbox bypass - runs a second instance of Soap ...) NOT-FOR-US: Soapbox CVE-2012-6301 (The Browser application in Android 4.0.3 allows remote attackers to ca ...) NOT-FOR-US: Android browser CVE-2012-6300 RESERVED CVE-2012-6299 (Unspecified vulnerability in CA IdentityMinder r12.0 through CR16, r12 ...) NOT-FOR-US: CA IdentityMinder CVE-2012-6298 (Unspecified vulnerability in CA IdentityMinder r12.0 through CR16, r12 ...) NOT-FOR-US: CA IdentityMinder CVE-2012-6297 (Command Injection vulnerability exists via a CSRF in DD-WRT 24-sp2 fro ...) NOT-FOR-US: DD-WRT CVE-2012-6296 RESERVED CVE-2012-6295 RESERVED CVE-2012-6294 RESERVED CVE-2012-6293 RESERVED CVE-2012-6292 RESERVED CVE-2012-6291 RESERVED CVE-2012-6290 (SQL injection vulnerability in ImageCMS before 4.2 allows remote authe ...) NOT-FOR-US: ImageCMS CVE-2012-6289 REJECTED CVE-2012-6288 REJECTED CVE-2012-6287 REJECTED CVE-2012-6286 REJECTED CVE-2012-6285 REJECTED CVE-2012-6284 REJECTED CVE-2012-6283 REJECTED CVE-2012-6282 REJECTED CVE-2012-6281 REJECTED CVE-2012-6280 REJECTED CVE-2012-6279 REJECTED CVE-2012-6278 REJECTED CVE-2012-6277 (Multiple unspecified vulnerabilities in Autonomy KeyView IDOL before 1 ...) NOT-FOR-US: IBM CVE-2012-6276 (Directory traversal vulnerability in the web-based management interfac ...) NOT-FOR-US: TP-LINK TL-WR841N CVE-2012-6275 (Multiple stack-based buffer overflows in AntDS.exe in BigAntSoft BigAn ...) NOT-FOR-US: BigAnt IM Server CVE-2012-6274 (BigAntSoft BigAnt IM Message Server does not require authentication fo ...) NOT-FOR-US: BigAnt IM Server CVE-2012-6273 (SQL injection vulnerability in BigAntSoft BigAnt IM Message Server all ...) NOT-FOR-US: BigAnt IM Server CVE-2012-6272 (Multiple cross-site scripting (XSS) vulnerabilities in Dell OpenManage ...) NOT-FOR-US: Dell OpenManage Server Administrator CVE-2012-6271 (Adobe Shockwave Player through 11.6.8.638 allows remote attackers to t ...) NOT-FOR-US: Adobe Shockwave CVE-2012-6270 (Adobe Shockwave Player through 11.6.8.638 allows remote attackers to t ...) NOT-FOR-US: Adobe Shockwave CVE-2012-6269 REJECTED CVE-2012-6268 REJECTED CVE-2012-6267 REJECTED CVE-2012-6266 REJECTED CVE-2012-6265 REJECTED CVE-2012-6264 REJECTED CVE-2012-6263 REJECTED CVE-2012-6262 REJECTED CVE-2012-6261 REJECTED CVE-2012-6260 REJECTED CVE-2012-6259 REJECTED CVE-2012-6258 REJECTED CVE-2012-6257 REJECTED CVE-2012-6256 REJECTED CVE-2012-6255 REJECTED CVE-2012-6254 REJECTED CVE-2012-6253 REJECTED CVE-2012-6252 REJECTED CVE-2012-6251 REJECTED CVE-2012-6250 REJECTED CVE-2012-6249 REJECTED CVE-2012-6248 REJECTED CVE-2012-6247 REJECTED CVE-2012-6246 REJECTED CVE-2012-6245 REJECTED CVE-2012-6244 REJECTED CVE-2012-6243 REJECTED CVE-2012-6242 REJECTED CVE-2012-6241 REJECTED CVE-2012-6240 REJECTED CVE-2012-6239 REJECTED CVE-2012-6238 REJECTED CVE-2012-6237 REJECTED CVE-2012-6236 REJECTED CVE-2012-6235 REJECTED CVE-2012-6234 REJECTED CVE-2012-6233 REJECTED CVE-2012-6232 REJECTED CVE-2012-6231 REJECTED CVE-2012-6230 REJECTED CVE-2012-6229 REJECTED CVE-2012-6228 REJECTED CVE-2012-6227 REJECTED CVE-2012-6226 REJECTED CVE-2012-6225 REJECTED CVE-2012-6224 REJECTED CVE-2012-6223 REJECTED CVE-2012-6222 REJECTED CVE-2012-6221 REJECTED CVE-2012-6220 REJECTED CVE-2012-6219 REJECTED CVE-2012-6218 REJECTED CVE-2012-6217 REJECTED CVE-2012-6216 REJECTED CVE-2012-6215 REJECTED CVE-2012-6214 REJECTED CVE-2012-6213 REJECTED CVE-2012-6212 REJECTED CVE-2012-6211 REJECTED CVE-2012-6210 REJECTED CVE-2012-6209 REJECTED CVE-2012-6208 REJECTED CVE-2012-6207 REJECTED CVE-2012-6206 REJECTED CVE-2012-6205 REJECTED CVE-2012-6204 REJECTED CVE-2012-6203 REJECTED CVE-2012-6202 REJECTED CVE-2012-6201 REJECTED CVE-2012-6200 REJECTED CVE-2012-6199 REJECTED CVE-2012-6198 REJECTED CVE-2012-6197 REJECTED CVE-2012-6196 REJECTED CVE-2012-6195 REJECTED CVE-2012-6194 REJECTED CVE-2012-6193 REJECTED CVE-2012-6192 REJECTED CVE-2012-6191 REJECTED CVE-2012-6190 REJECTED CVE-2012-6189 REJECTED CVE-2012-6188 REJECTED CVE-2012-6187 REJECTED CVE-2012-6186 REJECTED CVE-2012-6185 REJECTED CVE-2012-6184 REJECTED CVE-2012-6183 REJECTED CVE-2012-6182 REJECTED CVE-2012-6181 REJECTED CVE-2012-6180 REJECTED CVE-2012-6179 REJECTED CVE-2012-6178 REJECTED CVE-2012-6177 REJECTED CVE-2012-6176 REJECTED CVE-2012-6175 REJECTED CVE-2012-6174 REJECTED CVE-2012-6173 REJECTED CVE-2012-6172 REJECTED CVE-2012-6171 REJECTED CVE-2012-6170 REJECTED CVE-2012-6169 REJECTED CVE-2012-6168 REJECTED CVE-2012-6167 REJECTED CVE-2012-6166 REJECTED CVE-2012-6165 REJECTED CVE-2012-6164 REJECTED CVE-2012-6163 REJECTED CVE-2012-6162 REJECTED CVE-2012-6161 REJECTED CVE-2012-6160 REJECTED CVE-2012-6159 REJECTED CVE-2012-6158 REJECTED CVE-2012-6157 RESERVED CVE-2012-6156 RESERVED CVE-2012-6155 RESERVED CVE-2012-6154 RESERVED CVE-2012-6153 (http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient befor ...) {DLA-222-1} - commons-httpclient 3.1-10.2 (bug #692442) NOTE: References to upstream patches for 4.x can be found in https://issues.apache.org/jira/browse/HTTPCLIENT-1549 CVE-2012-6152 (The Yahoo! protocol plugin in libpurple in Pidgin before 2.10.8 does n ...) - pidgin 2.10.8-1 [squeeze] - pidgin (Support in oldstable is limited to IRC, Jabber/XMPP, Sametime and SIMPLE) CVE-2012-6151 (Net-SNMP 5.7.1 and earlier, when AgentX is registering to handle a MIB ...) - net-snmp 5.7.2.1~dfsg-3 (low; bug #731625) [wheezy] - net-snmp 5.4.3~dfsg-2.8+deb7u1 [squeeze] - net-snmp (Minor issue) NOTE: http://sourceforge.net/p/net-snmp/bugs/2411/ NOTE: Upstream patch: http://sourceforge.net/p/net-snmp/code/ci/793d596838ff7cb48a73b675d62897c56c9e62df/ CVE-2012-6150 (The winbind_name_list_to_sid_string_list function in nsswitch/pam_winb ...) - samba 2:4.0.13+dfsg-1 (low) [wheezy] - samba 2:3.6.6-6+deb7u3 [squeeze] - samba (Can be fixed along in a future DSA) - samba4 (Samba 4 winbind does not implement this feature) NOTE: introduced http://git.samba.org/?p=samba.git;a=commit;h=31f1a36901b5b8959dc51401c09c114829b50392 NOTE: fixed by http://git.samba.org/?p=samba.git;a=commitdiff;h=f62683956a3b182f6a61cc7a2b4ada2e74cde243 NOTE: https://bugzilla.samba.org/show_bug.cgi?id=10300 CVE-2012-6149 (Multiple cross-site scripting (XSS) vulnerabilities in systems/sdc/not ...) NOT-FOR-US: Red Hat Satellite CVE-2012-6148 (Cross-site scripting (XSS) vulnerability in the function menu API in T ...) - typo3-src 4.5.19+dfsg1-4 (bug #692775) [squeeze] - typo3-src (Vulnerable code not present) NOTE: https://review.typo3.org/16300 CVE-2012-6147 (Cross-site scripting (XSS) vulnerability in the tree render API (TCA-T ...) {DSA-2574-1} - typo3-src 4.5.19+dfsg1-4 (bug #692775) NOTE: https://review.typo3.org/16305 CVE-2012-6146 (The Backend History Module in TYPO3 4.5.x before 4.5.21, 4.6.x before ...) {DSA-2574-1} - typo3-src 4.5.19+dfsg1-4 (bug #692775) NOTE: https://review.typo3.org/16304 CVE-2012-6145 (Cross-site scripting (XSS) vulnerability in the Backend History module ...) {DSA-2574-1} - typo3-src 4.5.19+dfsg1-4 (bug #692775) NOTE: https://review.typo3.org/16304 CVE-2012-6144 (SQL injection vulnerability in the Backend History module in TYPO3 4.5 ...) {DSA-2574-1} - typo3-src 4.5.19+dfsg1-4 (bug #692775) NOTE: https://review.typo3.org/16304 CVE-2012-6143 (Spoon::Cookie in the Spoon module 0.24 for Perl does not properly use ...) - libspoon-perl (bug #715371; low) [squeeze] - libspoon-perl (Minor issue) [wheezy] - libspoon-perl (Minor issue) NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=85217 CVE-2012-6142 (Session::Cookie in the HTML::EP module 0.2011 for Perl does not proper ...) NOT-FOR-US: HTML-EP CPAN module NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=85216 CVE-2012-6141 (The App::Context module 0.01 through 0.968 for Perl does not properly ...) NOT-FOR-US: App-Context CPAN module NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=85215 CVE-2012-6140 (pam_google_authenticator.c in the PAM module in Google Authenticator b ...) - google-authenticator 20130529-1 (bug #666129) CVE-2012-6139 (libxslt before 1.1.28 allows remote attackers to cause a denial of ser ...) {DSA-2654-1} - libxslt 1.1.26-14.1 (bug #703933) NOTE: http://git.gnome.org/browse/libxslt/commit/?id=6c99c519d97e5fcbec7a9537d190efb442e4e833 NOTE: http://git.gnome.org/browse/libxslt/commit/?id=dc11b6b379a882418093ecc8adf11f6166682e8d CVE-2012-6138 REJECTED CVE-2012-6137 (rhn-migrate-classic-to-rhsm tool in Red Hat subscription-manager does ...) NOT-FOR-US: Red Hat subscription-manager CVE-2012-6136 (tuned 2.10.0 creates its PID file with insecure permissions which allo ...) - tuned (Fixed before initial release to Debian) CVE-2012-6135 (RubyGems passenger 4.0.0 betas 1 and 2 allows remote attackers to dele ...) - ruby-passenger (Vulnerable code not present; bug #702219) NOTE: 4.0.0 betas only CVE-2012-6134 (Cross-site request forgery (CSRF) vulnerability in the omniauth-oauth2 ...) - ruby-omniauth-oauth2 (Fixed in the first version uploaded to Debian) CVE-2012-6133 (Multiple cross-site scripting (XSS) vulnerabilities in Roundup before ...) {DLA-298-1} - roundup 1.4.20-1 NOTE: http://issues.roundup-tracker.org/issue2550724 CVE-2012-6132 (Cross-site scripting (XSS) vulnerability in Roundup before 1.4.20 allo ...) {DLA-298-1} - roundup 1.4.20-1 CVE-2012-6131 (Cross-site scripting (XSS) vulnerability in cgi/client.py in Roundup b ...) {DLA-298-1} - roundup 1.4.20-1 NOTE: http://issues.roundup-tracker.org/issue2550711 CVE-2012-6130 (Cross-site scripting (XSS) vulnerability in the history display in Rou ...) {DLA-298-1} - roundup 1.4.20-1 NOTE: http://issues.roundup-tracker.org/issue2550684 CVE-2012-6129 (Stack-based buffer overflow in utp.cpp in libutp, as used in Transmiss ...) - transmission 2.52-3+nmu1 (bug #700234) [squeeze] - transmission (UTP code not present) CVE-2012-6128 (Multiple stack-based buffer overflows in http.c in OpenConnect before ...) {DSA-2623-1} - openconnect 3.20-3 (bug #700794) NOTE: http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/26f752c3dbf69227679fc6bebb4ae071aecec491 NOTE: The fix seems to introduce a possible memory leak as regression, see BTS #700805 CVE-2012-6127 REJECTED CVE-2012-6126 REJECTED CVE-2012-6125 (Chicken before 4.8.0 is susceptible to algorithmic complexity attacks ...) - chicken 4.8.0-1 (low; bug #702410) [wheezy] - chicken (Minor issue) [squeeze] - chicken (Minor issue) CVE-2012-6124 (A casting error in Chicken before 4.8.0 on 64-bit platform caused the ...) - chicken 4.8.0-1 (low; bug #702410) [wheezy] - chicken (Minor issue) [squeeze] - chicken (Minor issue) CVE-2012-6123 (Chicken before 4.8.0 does not properly handle NUL bytes in certain str ...) - chicken 4.8.0-1 (low; bug #702410) [wheezy] - chicken (Minor issue) [squeeze] - chicken (Minor issue) CVE-2012-6122 (Buffer overflow in the thread scheduler in Chicken before 4.8.0.1 allo ...) - chicken 4.8.0.3-1 (low; bug #702410) [wheezy] - chicken (Minor issue) [squeeze] - chicken (Minor issue) CVE-2012-6121 (Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0 ...) - roundcube (vulnerable code not in stable or testing) NOTE: http://trac.roundcube.net/ticket/1488850 NOTE: Upstream patch: https://github.com/roundcube/roundcubemail/commit/74cd0a9b62f11bc07c5a1d3ba0098b54883eb0ba CVE-2012-6120 (Red Hat OpenStack Essex and Folsom creates the /var/log/puppet directo ...) {DLA-29-1} - puppet 2.6.4-2 [squeeze] - puppet (Minor issue) NOTE: puppet-common postinst in unstable sets dpkg-statoverride --update --add puppet puppet 0750 /var/log/puppet NOTE: After starting puppetmaster permissions on directory are restricted CVE-2012-6119 (Candlepin before 0.7.24, as used in Red Hat Subscription Asset Manager ...) NOTE: Candlepin CVE-2012-6118 (The Administer tab in Aeolus Conductor allows remote authenticated use ...) NOT-FOR-US: Aeolus Cloud Configuration tool (not the pipe organ simulator in Debian) CVE-2012-6117 (Aeolus Configuration Server, as used in Red Hat CloudForms Cloud Engin ...) NOT-FOR-US: Aeolus Cloud Configuration tool (not the pipe organ simulator in Debian) CVE-2012-6116 (modules/certs/manifests/config.pp in katello-configure before 1.3.3.pu ...) NOTE: Candlepin CVE-2012-6115 (The domain management tool (rhevm-manage-domains) in Red Hat Enterpris ...) NOTE: RHEV management tool CVE-2012-6114 (The git-changelog utility in git-extras 1.7.0 allows local users to ov ...) - git-extras 1.7.0-1.2 (bug #698490) CVE-2012-6113 (The openssl_encrypt function in ext/openssl/openssl.c in PHP 5.3.9 thr ...) - php5 5.4.0~beta2-1 [squeeze] - php5 (Introduced in 5.3.9) NOTE: Introduced in http://git.php.net/?p=php-src.git;a=commitdiff;h=095cbc48a8f0090f3b0abc6155f2b61943c9eafb NOTE: Fixed in 5.3.14 http://git.php.net/?p=php-src.git;a=commitdiff;h=270a406ac94b5fc5cc9ef59fc61e3b4b95648a3e NOTE: https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1099793 NOTE: https://bugs.php.net/bug.php?id=61413 CVE-2012-6112 (classes/GoogleSpell.php in the PHP Spellchecker (aka Google Spellcheck ...) - tinymce (TinyMCE Google spellchecker plugin) - wordpress 3.5.1+dfsg-2 - moodle 2.5-1 (bug #702387) [squeeze] - wordpress 3.5.2+dfsg-1~deb6u1 (bug #701667) [squeeze] - moodle (Only affects 2.1 and above) [wheezy] - wordpress 3.5.2+dfsg-1~deb7u1 (bug #701667) [wheezy] - moodle 2.2.3.dfsg-2.6~wheezy2 NOTE: http://www.tinymce.com/develop/changelog/?type=phpspell NOTE: patch: https://github.com/tinymce/tinymce_spellchecker_php/commit/22910187bfb9edae90c26e10100d8145b505b974 NOTE: http://www.tinymce.com/forum/viewtopic.php?id=30036 CVE-2012-6111 (gnome-keyring does not discard stored secrets when using gnome_keyring ...) - gnome-keyring 3.8.2-1 (low; bug #697896) [squeeze] - gnome-keyring (Minor issue) [wheezy] - gnome-keyring (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2013/01/11/5 CVE-2012-6109 (lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x ...) - ruby-rack 1.4.1-2.1 (bug #698440) - librack-ruby [squeeze] - librack-ruby (vulnerable code not present) NOTE: https://github.com/rack/rack/commit/4fc44671b3cad569421f4f8b775c0590b86f575e NOTE: https://groups.google.com/forum/#!msg/rack-devel/1w4_fWEgTdI/XAkSNHjtdTsJ CVE-2012-6108 (HP Linux Imaging and Printing (HPLIP) before 3.13.2 uses world-writabl ...) - hplip (permissions are 755 on wheezy, sid and experimental) CVE-2012-6107 (Apache Axis2/C does not verify that the server hostname matches a doma ...) - axis2c (bug #697974) [squeeze] - axis2c (Unsupported in squeeze-lts) NOTE: https://issues.apache.org/jira/browse/AXIS2C-1619 CVE-2012-6106 (calendar/managesubscriptions.php in the Manage Subscriptions implement ...) - moodle (Only affects 2.4) CVE-2012-6105 (blog/rsslib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3 ...) - moodle 2.5-1 (low; bug #702387) [squeeze] - moodle (Only affects 2.1 and above) [wheezy] - moodle 2.2.3.dfsg-2.6~wheezy2 CVE-2012-6104 (blog/rsslib.php in Moodle 2.2.x before 2.2.7, 2.3.x before 2.3.4, and ...) - moodle 2.5-1 (low; bug #702387) [squeeze] - moodle (Only affects 2.2 and above) [wheezy] - moodle 2.2.3.dfsg-2.6~wheezy2 CVE-2012-6103 (Multiple cross-site request forgery (CSRF) vulnerabilities in user/mes ...) - moodle 2.5-1 (low; bug #702387) [squeeze] - moodle (Only affects 2.2 and above) [wheezy] - moodle 2.2.3.dfsg-2.6~wheezy2 CVE-2012-6102 (lib.php in the Submission comments plugin in the Assignment module in ...) - moodle (Only affects 2.3 and above) CVE-2012-6101 (Multiple open redirect vulnerabilities in Moodle 2.2.x before 2.2.7, 2 ...) - moodle 2.5-1 (low; bug #702387) [squeeze] - moodle (Only affects 2.2 and above) [wheezy] - moodle 2.2.3.dfsg-2.6~wheezy2 CVE-2012-6100 (report/outline/index.php in Moodle 2.2.x before 2.2.7, 2.3.x before 2. ...) - moodle 2.5-1 (low; bug #702387) [squeeze] - moodle (Only affects 2.2 and above) [wheezy] - moodle 2.2.3.dfsg-2.6~wheezy2 CVE-2012-6099 (The moodle1 backup converter in backup/converter/moodle1/lib.php in Mo ...) - moodle 2.5-1 [squeeze] - moodle (Only affects 2.1 and above) [wheezy] - moodle 2.2.3.dfsg-2.6~wheezy2 CVE-2012-6098 (grade/edit/outcome/edit_form.php in Moodle 1.9.x through 1.9.19, 2.1.x ...) - moodle 2.5-1 (low; bug #702387) [squeeze] - moodle (Minor issue) [wheezy] - moodle 2.2.3.dfsg-2.6~wheezy2 CVE-2012-6097 (File descriptor leak in cronie 1.4.8, when running in certain environm ...) [experimental] - cronie 1.5.4-final-1 (low; bug #697811) NOTE: Only present in experimental NOTE: https://bugzilla.suse.com/show_bug.cgi?id=786096 CVE-2012-6096 (Multiple stack-based buffer overflows in the get_history function in h ...) {DSA-2653-1 DSA-2616-1} - icinga 1.7.1-5 (bug #697931) - nagios3 3.4.1-3 (bug #697930) CVE-2012-6095 (ProFTPD before 1.3.5rc1, when using the UserOwner directive, allows lo ...) {DSA-2606-1} - proftpd-dfsg 1.3.4a-3 (bug #697524) CVE-2012-6094 (cups (Common Unix Printing System) 'Listen localhost:631' option not h ...) - cups (systemd patch not applied in Debian, see bug #697584) CVE-2012-6093 (The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4. ...) - qt4-x11 (Only affects environments where a different OpenSSL is used, doesn't apply to Debian; bug #697582) NOTE: http://lists.qt-project.org/pipermail/announce/2013-January/000020.html NOTE: https://codereview.qt-project.org/#change,42461 NOTE: Fixed in 4:4.8.2+dfsg-10 CVE-2012-6092 (Multiple cross-site scripting (XSS) vulnerabilities in the web demos i ...) - activemq (Example code not shipped in .deb) CVE-2012-6091 (Zend_XmlRpc Class in Magento before 1.7.0.2 contains an information di ...) NOT-FOR-US: Magento CVE-2012-6090 (Multiple stack-based buffer overflows in the expand function in os/pl- ...) - swi-prolog 5.10.4-5 (low; bug #697416) [squeeze] - swi-prolog 5.10.1-1+squeeze1 NOTE: http://web.archive.org/web/20130309013536/http://web.archive.org/web/20130309013536/https://lists.iai.uni-bonn.de/pipermail/swi-prolog/2012/009428.html NOTE: http://www.swi-prolog.org/git/pl.git/commitdiff/b2c88972e7515ada025e97e7d3ce3e34f81cf33e CVE-2012-6089 (Multiple stack-based buffer overflows in the canoniseFileName function ...) - swi-prolog 5.10.4-5 (low; bug #697416) [squeeze] - swi-prolog 5.10.1-1+squeeze1 NOTE: http://web.archive.org/web/20130309013536/http://web.archive.org/web/20130309013536/https://lists.iai.uni-bonn.de/pipermail/swi-prolog/2012/009428.html NOTE: http://www.swi-prolog.org/git/pl.git/commitdiff/a9a6fc8a2a9cf3b9154b490a4b1ffaa8be4d723c CVE-2012-6088 (The rpmpkgRead function in lib/package.c in RPM 4.10.x before 4.10.2 d ...) - rpm 4.10.1-2.1 (bug #697375) [squeeze] - rpm (Introduced in rpm 4.10.0) [wheezy] - rpm 4.10.0-5+deb7u1 CVE-2012-6087 (repository/s3/S3.php in the Amazon S3 library in Moodle through 2.2.11 ...) - moodle 2.2.7.dfsg-1 [squeeze] - moodle (Vulnerable code not present) [wheezy] - moodle 2.2.3.dfsg-2.6~wheezy1 NOTE: https://github.com/tpyo/amazon-s3-php-class/pull/36 NOTE: https://tracker.moodle.org/browse/MDL-40615 CVE-2012-6086 (libs/zbxmedia/eztexting.c in Zabbix 1.8.x before 1.8.18rc1, 2.0.x befo ...) - zabbix 1:2.0.7+dfsg-1 (bug #697443) [squeeze] - zabbix (Will be handled through point update) NOTE: https://support.zabbix.com/browse/ZBX-5924 CVE-2012-6085 (The read_block function in g10/import.c in GnuPG 1.4.x before 1.4.13 a ...) {DSA-2601-1} - gnupg 1.4.12-7 (bug #697108) - gnupg2 2.0.19-2 (bug #697251) CVE-2012-6084 (modules/m_capab.c in (1) ircd-ratbox before 3.0.8 and (2) Charybdis be ...) {DSA-2612-1} - charybdis 3.3.0-7.1 (bug #697092) - ircd-ratbox 3.0.7.dfsg-3 (bug #697093) NOTE: http://www.openwall.com/lists/oss-security/2013/01/01/1 NOTE: http://www.openwall.com/lists/oss-security/2013/01/01/2 CVE-2012-6083 (Freeciv before 2.3.3 allows remote attackers to cause a denial of serv ...) - freeciv 2.3.4-1 (low; bug #696306) [squeeze] - freeciv (Minor issue) [wheezy] - freeciv 2.3.2-1+deb7u1 CVE-2012-6082 (Cross-site scripting (XSS) vulnerability in the rsslink function in th ...) {DSA-2593-1} - moin 1.9.5-2 [wheezy] - moin 1.9.4-8+deb7u1 NOTE: Fix http://hg.moinmo.in/moin/1.9/rev/c98ec456e493 CVE-2012-6081 (Multiple unrestricted file upload vulnerabilities in the (1) twikidraw ...) {DSA-2593-1} [wheezy] - moin 1.9.4-8+deb7u1 - moin 1.9.5-3 (bug #696948) NOTE: Fix http://hg.moinmo.in/moin/1.9/rev/7e7e1cbb9d3f CVE-2012-6080 (Directory traversal vulnerability in the _do_attachment_move function ...) {DSA-2593-1} [wheezy] - moin 1.9.4-8+deb7u1 - moin 1.9.5-4 (bug #696949) NOTE: Fix http://hg.moinmo.in/moin/1.9/rev/3c27131a3c52 CVE-2012-6079 (W3 Total Cache before 0.9.2.5 exposes sensitive cached database inform ...) NOT-FOR-US: W3 Total Cache NOTE: http://www.openwall.com/lists/oss-security/2012/12/30/3 CVE-2012-6078 (W3 Total Cache before 0.9.2.5 generates hash keys insecurely which all ...) NOT-FOR-US: W3 Total Cache NOTE: http://www.openwall.com/lists/oss-security/2012/12/30/3 CVE-2012-6077 (W3 Total Cache before 0.9.2.5 allows remote attackers to retrieve pass ...) NOT-FOR-US: W3 Total Cache NOTE: http://www.openwall.com/lists/oss-security/2012/12/30/3 CVE-2012-6076 (Inkscape before 0.48.4 reads .eps files from /tmp instead of the curre ...) - inkscape 0.48.3.1-1.3 (low; bug #654341) [squeeze] - inkscape (Minor issue) NOTE: https://bugs.launchpad.net/inkscape/+bug/911146 CVE-2012-6075 (Buffer overflow in the e1000_receive function in the e1000 device driv ...) {DSA-2619-1 DSA-2608-1 DSA-2607-1} - qemu 1.1.2+dfsg-4 (bug #696051) - qemu-kvm 1.1.2+dfsg-4 (bug #696051) - xen 4.1.3-8 [squeeze] - xen (In Squeeze the code is in the package xen-qemu-dm-4.0) NOTE: http://www.openwall.com/lists/oss-security/2012/12/30/1 CVE-2012-6074 (Cross-site scripting (XSS) vulnerability in Jenkins before 1.491, Jenk ...) - jenkins 1.447.2+dfsg-3 (bug #696816) NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-11-20 NOTE: http://www.openwall.com/lists/oss-security/2012/12/28/1 CVE-2012-6073 (Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS befor ...) - jenkins 1.447.2+dfsg-3 (bug #696816) NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-11-20 NOTE: http://www.openwall.com/lists/oss-security/2012/12/28/1 CVE-2012-6072 (CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS befo ...) - jenkins 1.447.2+dfsg-3 (bug #696816) - jenkins-winstone 0.9.10-jenkins-37+dfsg-2 (bug #696974) NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-11-20 NOTE: http://www.openwall.com/lists/oss-security/2012/12/28/1 CVE-2012-6071 (nuSOAP before 0.7.3-5 does not properly check the hostname of a cert. ...) - nusoap 0.7.3-5 (low; bug #696707) [squeeze] - nusoap (Minor issue) CVE-2012-6070 (Falconpl before 0.9.6.9-git20120606 misuses the libcurl API which may ...) - falconpl 0.9.6.9-git20120606-2 (bug #696681) CVE-2011-5250 (Snare for Linux before 1.7.0 has CSRF in the web interface. ...) NOT-FOR-US: Snare for Linux CVE-2011-5249 (Cross-site scripting (XSS) vulnerability in the events page in the Sys ...) NOT-FOR-US: SNARE CVE-2011-5248 RESERVED CVE-2011-5247 (Snare for Linux before 1.7.0 has password disclosure because the rende ...) NOT-FOR-US: Snare for Linux CVE-2009-5133 RESERVED CVE-2012-6069 (Directory traversal vulnerability in the Runtime Toolkit in CODESYS Ru ...) NOT-FOR-US: CODESYS Runtime System CVE-2012-6068 (The Runtime Toolkit in CODESYS Runtime System 2.3.x and 2.4.x does not ...) NOT-FOR-US: CODESYS Runtime System CVE-2012-6067 (freeFTPd.exe in freeFTPd through 1.0.11 allows remote attackers to byp ...) NOT-FOR-US: freeFTPd CVE-2012-6066 (freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypa ...) NOT-FOR-US: freeFTPd CVE-2012-6065 (The OM Maximenu module 6.x-1.43 and earlier for Drupal, when the "Titl ...) NOT-FOR-US: Drupal plugin CVE-2012-6064 (Directory traversal vulnerability in lib/filemanager/imagemanager/imag ...) NOT-FOR-US: CMS Made Simple CVE-2012-6063 (Double free vulnerability in the sftp_mkdir function in sftp.c in libs ...) {DSA-2577-1} - libssh 0.5.3-1 [squeeze] - libssh 0.4.5-3+squeeze1 NOTE: Fix included in CVE-2012-4559 patch NOTE: https://red.libssh.org/issues/84 NOTE: http://git.libssh.org/projects/libssh.git/commit/?h=v0-5&id=4d8420f3282ed07fc99fc5e930c17df27ef1e9b2 CVE-2012-6062 (The dissect_rtcp_app function in epan/dissectors/packet-rtcp.c in the ...) {DLA-497-1} - wireshark 1.8.6-1 (unimportant) NOTE: not suitable for code injection CVE-2012-6061 (The dissect_wtp_common function in epan/dissectors/packet-wtp.c in the ...) {DLA-497-1} - wireshark 1.8.6-1 (unimportant) NOTE: not suitable for code injection CVE-2012-6060 (Integer overflow in the dissect_iscsi_pdu function in epan/dissectors/ ...) {DLA-497-1} - wireshark 1.8.6-1 (unimportant) NOTE: not suitable for code injection CVE-2012-6059 (The dissect_isakmp function in epan/dissectors/packet-isakmp.c in the ...) {DLA-497-1} - wireshark 1.8.6-1 (unimportant) NOTE: not suitable for code injection CVE-2012-6058 (Integer overflow in the dissect_icmpv6 function in epan/dissectors/pac ...) {DLA-497-1} - wireshark 1.8.6-1 (unimportant) NOTE: not suitable for code injection CVE-2012-6057 (The dissect_eigrp_metric_comm function in epan/dissectors/packet-eigrp ...) {DLA-497-1} - wireshark 1.8.6-1 (unimportant) NOTE: not suitable for code injection CVE-2012-6056 (Integer overflow in the dissect_sack_chunk function in epan/dissectors ...) {DLA-497-1} - wireshark 1.8.6-1 (unimportant) NOTE: not suitable for code injection CVE-2012-6055 (epan/dissectors/packet-3g-a11.c in the 3GPP2 A11 dissector in Wireshar ...) {DLA-497-1} - wireshark 1.8.6-1 (unimportant) NOTE: not suitable for code injection CVE-2012-6054 (The dissect_sflow_245_address_type function in epan/dissectors/packet- ...) {DLA-497-1} - wireshark 1.8.6-1 (unimportant) NOTE: not suitable for code injection CVE-2012-6053 (epan/dissectors/packet-usb.c in the USB dissector in Wireshark 1.6.x b ...) {DLA-497-1} - wireshark 1.8.6-1 (unimportant) NOTE: not suitable for code injection CVE-2012-6052 (Wireshark 1.8.x before 1.8.4 allows remote attackers to obtain sensiti ...) {DLA-497-1} - wireshark 1.8.6-1 (unimportant) NOTE: not suitable for code injection NOTE: Upstream patch: http://anonsvn.wireshark.org/viewvc?view=revision&revision=45511 CVE-2011-5246 RESERVED CVE-2013-0100 REJECTED CVE-2013-0099 REJECTED CVE-2013-0098 REJECTED CVE-2013-0097 REJECTED CVE-2013-0096 (Writer in Microsoft Windows Essentials 2011 and 2012 allows remote att ...) NOT-FOR-US: Microsoft CVE-2013-0095 (Outlook in Microsoft Office for Mac 2008 before 12.3.6 and Office for ...) NOT-FOR-US: Outlook in Microsoft Office for Mac CVE-2013-0094 (Use-after-free vulnerability in Microsoft Internet Explorer 6 through ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-0093 (Use-after-free vulnerability in Microsoft Internet Explorer 6 through ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-0092 (Use-after-free vulnerability in Microsoft Internet Explorer 6 through ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-0091 (Use-after-free vulnerability in Microsoft Internet Explorer 8 allows r ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-0090 (Use-after-free vulnerability in Microsoft Internet Explorer 6 through ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-0089 (Use-after-free vulnerability in Microsoft Internet Explorer 6 through ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-0088 (Use-after-free vulnerability in Microsoft Internet Explorer 6 through ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-0087 (Use-after-free vulnerability in Microsoft Internet Explorer 6 through ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-0086 (Microsoft OneNote 2010 SP1 does not properly determine buffer sizes du ...) NOT-FOR-US: Microsoft OneNote CVE-2013-0085 (Buffer overflow in Microsoft SharePoint Server 2010 SP1 and SharePoint ...) NOT-FOR-US: Microsoft SharePoint CVE-2013-0084 (Directory traversal vulnerability in Microsoft SharePoint Server 2010 ...) NOT-FOR-US: Microsoft SharePoint CVE-2013-0083 (Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Serve ...) NOT-FOR-US: Microsoft SharePoint CVE-2013-0082 (Microsoft Office 2003 SP3 and 2007 SP3 allows remote attackers to exec ...) NOT-FOR-US: Microsoft CVE-2013-0081 (Microsoft SharePoint Portal Server 2003 SP3 and SharePoint Server 2007 ...) NOT-FOR-US: Microsoft CVE-2013-0080 (Microsoft SharePoint Server 2010 SP1 and SharePoint Foundation 2010 SP ...) NOT-FOR-US: Microsoft SharePoint CVE-2013-0079 (Microsoft Visio Viewer 2010 SP1 allows remote attackers to execute arb ...) NOT-FOR-US: Microsoft Visio Viewer CVE-2013-0078 (The Microsoft Antimalware Client in Windows Defender on Windows 8 and ...) NOT-FOR-US: Microsoft Antimalware Client CVE-2013-0077 (Quartz.dll in DirectShow in Microsoft Windows XP SP2 and SP3, Server 2 ...) NOT-FOR-US: Microsoft Windows CVE-2013-0076 (The Client/Server Run-time Subsystem (CSRSS) in Microsoft Windows Serv ...) NOT-FOR-US: Microsoft Windows CVE-2013-0075 (The TCP/IP implementation in Microsoft Windows Vista SP2, Windows Serv ...) NOT-FOR-US: Microsoft Windows CVE-2013-0074 (Microsoft Silverlight 5, and 5 Developer Runtime, before 5.1.20125.0 d ...) NOT-FOR-US: Microsoft Silverlight CVE-2013-0073 (The Windows Forms (aka WinForms) component in Microsoft .NET Framework ...) NOT-FOR-US: Microsoft .NET Framework CVE-2013-0072 REJECTED CVE-2013-0071 REJECTED CVE-2013-0070 REJECTED CVE-2013-0069 REJECTED CVE-2013-0068 REJECTED CVE-2013-0067 REJECTED CVE-2013-0066 REJECTED CVE-2013-0065 REJECTED CVE-2013-0064 REJECTED CVE-2013-0063 REJECTED CVE-2013-0062 REJECTED CVE-2013-0061 REJECTED CVE-2013-0060 REJECTED CVE-2013-0059 REJECTED CVE-2013-0058 REJECTED CVE-2013-0057 REJECTED CVE-2013-0056 REJECTED CVE-2013-0055 REJECTED CVE-2013-0054 REJECTED CVE-2013-0053 REJECTED CVE-2013-0052 REJECTED CVE-2013-0051 REJECTED CVE-2013-0050 REJECTED CVE-2013-0049 REJECTED CVE-2013-0048 REJECTED CVE-2013-0047 REJECTED CVE-2013-0046 REJECTED CVE-2013-0045 REJECTED CVE-2013-0044 REJECTED CVE-2013-0043 REJECTED CVE-2013-0042 REJECTED CVE-2013-0041 REJECTED CVE-2013-0040 REJECTED CVE-2013-0039 REJECTED CVE-2013-0038 REJECTED CVE-2013-0037 REJECTED CVE-2013-0036 REJECTED CVE-2013-0035 REJECTED NOT-FOR-US: Apache CXF CVE-2013-0034 REJECTED NOT-FOR-US: Apache CXF CVE-2013-0033 REJECTED CVE-2013-0032 REJECTED CVE-2013-0031 REJECTED CVE-2013-0030 (The Vector Markup Language (VML) implementation in Microsoft Internet ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-0029 (Use-after-free vulnerability in Microsoft Internet Explorer 6 through ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-0028 (Use-after-free vulnerability in Microsoft Internet Explorer 6 through ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-0027 (Use-after-free vulnerability in Microsoft Internet Explorer 6 through ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-0026 (Use-after-free vulnerability in Microsoft Internet Explorer 9 allows r ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-0025 (Use-after-free vulnerability in Microsoft Internet Explorer 8 allows r ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-0024 (Use-after-free vulnerability in Microsoft Internet Explorer 8 and 9 al ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-0023 (Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 a ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-0022 (Use-after-free vulnerability in Microsoft Internet Explorer 9 allows r ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-0021 (Use-after-free vulnerability in Microsoft Internet Explorer 6 through ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-0020 (Use-after-free vulnerability in Microsoft Internet Explorer 9 allows r ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-0019 (Use-after-free vulnerability in Microsoft Internet Explorer 7 through ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-0018 (Use-after-free vulnerability in Microsoft Internet Explorer 6 through ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-0017 REJECTED CVE-2013-0016 REJECTED CVE-2013-0015 (Microsoft Internet Explorer 6 through 9 does not properly perform auto ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-0014 REJECTED CVE-2013-0013 (The SSL provider component in Microsoft Windows Vista SP2, Windows Ser ...) NOT-FOR-US: Microsoft Windows CVE-2013-0012 REJECTED CVE-2013-0011 (The Print Spooler in Microsoft Windows Server 2008 R2 and R2 SP1 and W ...) NOT-FOR-US: Microsoft Windows CVE-2013-0010 (Cross-site scripting (XSS) vulnerability in Microsoft System Center Op ...) NOT-FOR-US: Microsoft System Center Opera Manager CVE-2013-0009 (Cross-site scripting (XSS) vulnerability in Microsoft System Center Op ...) NOT-FOR-US: Microsoft System Center Opera Manager CVE-2013-0008 (win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, ...) NOT-FOR-US: Microsoft Windows CVE-2013-0007 (Microsoft XML Core Services (aka MSXML) 4.0, 5.0, and 6.0 does not pro ...) NOT-FOR-US: Microsoft XML Core Services CVE-2013-0006 (Microsoft XML Core Services (aka MSXML) 3.0, 5.0, and 6.0 does not pro ...) NOT-FOR-US: Microsoft XML Core Services CVE-2013-0005 (The WCF Replace function in the Open Data (aka OData) protocol impleme ...) NOT-FOR-US: Microsoft .NET Framework CVE-2013-0004 (Microsoft .NET Framework 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.0 SP2, 3.5, 3.5. ...) NOT-FOR-US: Microsoft .NET Framework CVE-2013-0003 (Buffer overflow in a System.DirectoryServices.Protocols (S.DS.P) names ...) NOT-FOR-US: Microsoft .NET Framework CVE-2013-0002 (Buffer overflow in the Windows Forms (aka WinForms) component in Micro ...) NOT-FOR-US: Microsoft .NET Framework CVE-2013-0001 (The Windows Forms (aka WinForms) component in Microsoft .NET Framework ...) NOT-FOR-US: Microsoft .NET Framework CVE-2012-6051 (Google CityHash computes hash values without properly restricting the ...) - cityhash (bug #694999) CVE-2011-5373 REJECTED CVE-2011-5372 REJECTED CVE-2011-5371 REJECTED CVE-2011-5370 REJECTED CVE-2012-6050 (The winbox service in MikroTik RouterOS 5.15 and earlier allows remote ...) NOT-FOR-US: MikroTik RouterOS CVE-2012-6049 (Open Solution Quick.Cart 5.0 allows remote attackers to obtain sensiti ...) NOT-FOR-US: Open Solution Quick.Cart 5.0 CVE-2012-6048 (Guitar Pro 6.1.1 r10791 allows remote attackers to cause a denial of s ...) NOT-FOR-US: Guitar Pro 6.1.1 CVE-2012-6047 (Cross-site request forgery (CSRF) vulnerability in X7 Chat 2.0.5.1 and ...) NOT-FOR-US: X7 Chat 2.0.5.1 CVE-2012-6046 (Static code injection vulnerability in admin/banners.php in PHP Enter ...) NOT-FOR-US: PHP Enter CVE-2012-6045 (Cross-site scripting (XSS) vulnerability in gb/user/index.php in Ramui ...) NOT-FOR-US: Ramui Forum CVE-2012-6044 (M-Player 0.4 allows remote attackers to cause a denial of service (cra ...) NOT-FOR-US: M-Player (different from mplayer in the archive) CVE-2012-6043 (Cross-site scripting (XSS) vulnerability in downloads.php in PHP-Fusio ...) NOT-FOR-US: phpFusion CVE-2012-6042 (GPSMapEdit 1.1.73.2 allows user-assisted remote attackers to cause a d ...) NOT-FOR-US: GPSMapEdit CVE-2012-6041 (Double free vulnerability in GreenBrowser before 6.0.1002, when the ke ...) NOT-FOR-US: GreenBrowser CVE-2012-6040 (Cross-site scripting (XSS) vulnerability in users.php in File King Adv ...) NOT-FOR-US: File King Advanced File Management 1.4 CVE-2012-6039 (SQL injection vulnerability in view_comments.php in YABSoft Advanced I ...) NOT-FOR-US: YABSoft Advanced Image Hosting CVE-2012-6038 (admin/core/admin_func.php in razorCMS before 1.2.1 does not properly r ...) NOT-FOR-US: razorCMS CVE-2010-5286 (Directory traversal vulnerability in Jstore (com_jstore) component for ...) NOT-FOR-US: Joomla jstore CVE-2010-5285 (Cross-site request forgery (CSRF) vulnerability in admin.php in Collab ...) NOTE: Old report against collabtive, Poc has vanished and likely fixed in current release, see #695348 CVE-2010-5284 (Multiple cross-site scripting (XSS) vulnerabilities in Collabtive 0.6. ...) - collabtive 0.7.6-1 (bug #695348) NOTE: Might be fixed earlier, but 0.7.6 was tested CVE-2010-5283 (Cross-site request forgery (CSRF) vulnerability in OpenText ECM (forme ...) NOT-FOR-US: OpenText ECM CVE-2010-5282 (Multiple cross-site scripting (XSS) vulnerabilities in OpenText ECM (f ...) NOT-FOR-US: OpenText ECM CVE-2010-5281 (Directory traversal vulnerability in ibrowser.php in the CMScout 2.09 ...) NOT-FOR-US: CMScout IBrowser TinyMCE Plugin CVE-2010-5280 (Directory traversal vulnerability in the Community Builder Enhanced (C ...) NOT-FOR-US: CBE for Joomla CVE-2012-6037 (Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.4.x be ...) {DSA-2591-1} - mahara 1.5.1-3 CVE-2012-6036 (The (1) memc_save_get_next_page, (2) tmemc_restore_put_page and (3) tm ...) - xen 4.1.4-1 (unimportant; bug #686764) [squeeze] - xen (Experimental/unsupported feature) NOTE: CVE-2012-3497 has been SPLIT into this ID and others NOTE: TMEM not supported for production systems (technology preview) CVE-2012-6035 (The do_tmem_destroy_pool function in the Transcendent Memory (TMEM) in ...) - xen 4.1.4-1 (unimportant; bug #686764) [squeeze] - xen (Experimental/unsupported feature) NOTE: CVE-2012-3497 has been SPLIT into this ID and others NOTE: TMEM not supported for production systems (technology preview) CVE-2012-6034 (The (1) tmemc_save_get_next_page and (2) tmemc_save_get_next_inv funct ...) - xen 4.1.4-1 (unimportant; bug #686764) [squeeze] - xen (Experimental/unsupported feature) NOTE: CVE-2012-3497 has been SPLIT into this ID and others NOTE: TMEM not supported for production systems (technology preview) CVE-2012-6033 (The do_tmem_control function in the Transcendent Memory (TMEM) in Xen ...) - xen 4.1.4-1 (unimportant; bug #686764) [squeeze] - xen (Experimental/unsupported feature) NOTE: CVE-2012-3497 has been SPLIT into this ID and others NOTE: TMEM not supported for production systems (technology preview) CVE-2012-6032 (Multiple integer overflows in the (1) tmh_copy_from_client and (2) tmh ...) - xen 4.1.4-1 (unimportant; bug #686764) [squeeze] - xen (Experimental/unsupported feature) NOTE: CVE-2012-3497 has been SPLIT into this ID and others NOTE: TMEM not supported for production systems (technology preview) CVE-2012-6031 (The do_tmem_get function in the Transcendent Memory (TMEM) in Xen 4.0, ...) - xen 4.1.4-1 (unimportant; bug #686764) [squeeze] - xen (Experimental/unsupported feature) NOTE: CVE-2012-3497 has been SPLIT into this ID and others NOTE: TMEM not supported for production systems (technology preview) CVE-2012-6030 (The do_tmem_op function in the Transcendent Memory (TMEM) in Xen 4.0, ...) - xen 4.1.4-1 (unimportant; bug #686764) [squeeze] - xen (Experimental/unsupported feature) NOTE: CVE-2012-3497 has been SPLIT into this ID and others NOTE: TMEM not supported for production systems (technology preview) CVE-2012-6029 (Multiple cross-site scripting (XSS) vulnerabilities in the web-authent ...) NOT-FOR-US: Cisco NAC Appliance CVE-2012-6028 RESERVED CVE-2012-6027 RESERVED CVE-2012-6026 (The HTTP Profiler on the Cisco Aironet Access Point with software 15.2 ...) NOT-FOR-US: Cisco Aironet Access Point CVE-2012-6025 RESERVED CVE-2012-6024 RESERVED CVE-2012-6023 RESERVED CVE-2012-6022 RESERVED CVE-2012-6021 RESERVED CVE-2012-6020 RESERVED CVE-2012-6019 RESERVED CVE-2012-6018 RESERVED CVE-2012-6017 RESERVED CVE-2012-6016 RESERVED CVE-2012-6015 RESERVED CVE-2012-6014 RESERVED CVE-2012-6013 RESERVED CVE-2012-6012 RESERVED CVE-2012-6011 RESERVED CVE-2012-6010 RESERVED CVE-2012-6009 RESERVED CVE-2012-6008 RESERVED CVE-2012-6007 (Cross-site scripting (XSS) vulnerability in screens/base/web_auth_cust ...) NOT-FOR-US: Cisco CVE-2012-6006 RESERVED CVE-2012-6005 RESERVED CVE-2012-6004 RESERVED CVE-2012-6003 RESERVED CVE-2012-6002 RESERVED CVE-2012-6001 RESERVED CVE-2012-6000 RESERVED CVE-2012-5999 RESERVED CVE-2012-5998 RESERVED CVE-2012-5997 RESERVED CVE-2012-5996 RESERVED CVE-2012-5995 RESERVED CVE-2012-5994 RESERVED CVE-2012-5993 RESERVED CVE-2012-5992 (Multiple cross-site request forgery (CSRF) vulnerabilities on Cisco Wi ...) NOT-FOR-US: Cisco CVE-2012-5991 (screens/base/web_auth_custom.html on Cisco Wireless LAN Controller (WL ...) NOT-FOR-US: Cisco CVE-2012-5990 (Multiple cross-site scripting (XSS) vulnerabilities in Health Monitor ...) NOT-FOR-US: Cisco CVE-2012-5989 RESERVED CVE-2012-5988 RESERVED CVE-2012-5987 RESERVED CVE-2012-5986 RESERVED CVE-2012-5985 RESERVED CVE-2012-5984 RESERVED CVE-2012-5983 RESERVED CVE-2012-5982 RESERVED CVE-2012-5981 RESERVED CVE-2012-5980 RESERVED CVE-2012-5978 (Multiple directory traversal vulnerabilities in the (1) View Connectio ...) NOT-FOR-US: VMware View CVE-2012-5977 (Asterisk Open Source 1.8.x before 1.8.19.1, 10.x before 10.11.1, and 1 ...) {DSA-2605-1} - asterisk 1:1.8.13.1~dfsg-2 (bug #697230) NOTE: http://downloads.asterisk.org/pub/security/AST-2012-015.pdf CVE-2012-5976 (Multiple stack consumption vulnerabilities in Asterisk Open Source 1.8 ...) {DSA-2605-1} - asterisk 1:1.8.13.1~dfsg-2 (bug #697230) NOTE: http://downloads.digium.com/pub/security/AST-2012-014.pdf CVE-2012-5975 (The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 thr ...) NOT-FOR-US: Tectia SSH CVE-2012-5974 RESERVED CVE-2012-5973 (CA XCOM Data Transport r11.0 and r11.5 on UNIX and Linux allows remote ...) NOT-FOR-US: CA XCOM Data Transport CVE-2012-5972 (Directory traversal vulnerability in the web server in SpecView 2.5 bu ...) NOT-FOR-US: SpecView 2.5 CVE-2012-5971 RESERVED CVE-2012-5970 (The Huawei E585 device allows remote attackers to cause a denial of se ...) NOT-FOR-US: Huawei device CVE-2012-5969 (Multiple directory traversal vulnerabilities on the Huawei E585 device ...) NOT-FOR-US: Huawei device CVE-2012-5968 (The Huawei E585 device does not validate the status of admin sessions, ...) NOT-FOR-US: Huawei device CVE-2012-5967 (SQL injection vulnerability in menuXML.php in Centreon 2.3.3 through 2 ...) - centreon-web (bug #913903) CVE-2012-5966 (The restricted telnet shell on the D-Link DSL2730U router allows remot ...) NOT-FOR-US: D-Link DSL2730U router CVE-2012-5965 (Stack-based buffer overflow in the unique_service_name function in ssd ...) {DSA-2615-1 DSA-2614-1} - libupnp 1:1.6.17-1.2 (bug #699316) - libupnp4 1.8.0~svn20100507-1.2 (bug #699459) CVE-2012-5964 (Stack-based buffer overflow in the unique_service_name function in ssd ...) {DSA-2615-1 DSA-2614-1} - libupnp 1:1.6.17-1.2 (bug #699316) - libupnp4 1.8.0~svn20100507-1.2 (bug #699459) CVE-2012-5963 (Stack-based buffer overflow in the unique_service_name function in ssd ...) {DSA-2615-1 DSA-2614-1} - libupnp 1:1.6.17-1.2 (bug #699316) - libupnp4 1.8.0~svn20100507-1.2 (bug #699459) CVE-2012-5962 (Stack-based buffer overflow in the unique_service_name function in ssd ...) {DSA-2615-1 DSA-2614-1} - libupnp 1:1.6.17-1.2 (bug #699316) - libupnp4 1.8.0~svn20100507-1.2 (bug #699459) CVE-2012-5961 (Stack-based buffer overflow in the unique_service_name function in ssd ...) {DSA-2615-1 DSA-2614-1} - libupnp 1:1.6.17-1.2 (bug #699316) - libupnp4 1.8.0~svn20100507-1.2 (bug #699459) CVE-2012-5960 (Stack-based buffer overflow in the unique_service_name function in ssd ...) {DSA-2615-1 DSA-2614-1} - libupnp 1:1.6.17-1.2 (bug #699316) - libupnp4 1.8.0~svn20100507-1.2 (bug #699459) CVE-2012-5959 (Stack-based buffer overflow in the unique_service_name function in ssd ...) {DSA-2615-1 DSA-2614-1} - libupnp 1:1.6.17-1.2 (bug #699316) - libupnp4 1.8.0~svn20100507-1.2 (bug #699459) CVE-2012-5958 (Stack-based buffer overflow in the unique_service_name function in ssd ...) {DSA-2615-1 DSA-2614-1} - libupnp 1:1.6.17-1.2 (bug #699316) - libupnp4 1.8.0~svn20100507-1.2 (bug #699459) CVE-2012-5957 RESERVED CVE-2012-5956 (Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine As ...) NOT-FOR-US: ManageEngine AssetExplorer 5.6 CVE-2012-5955 (Unspecified vulnerability in the IBM HTTP Server component 5.3 in IBM ...) NOT-FOR-US: WebSphere CVE-2012-5954 (Unspecified vulnerability in IBM Tivoli Storage Manager for Space Mana ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2012-5953 (IBM WebSphere Message Broker 6.1 before 6.1.0.12, 7.0 before 7.0.0.6, ...) NOT-FOR-US: IBM CVE-2012-5952 (IBM WebSphere Message Broker 6.1 before 6.1.0.12, 7.0 before 7.0.0.6, ...) NOT-FOR-US: IBM CVE-2012-5951 (Unspecified vulnerability in IBM Tivoli NetView 1.4, 5.1 through 5.4, ...) NOT-FOR-US: IBM Tivoli NetView CVE-2012-5950 (Multiple cross-site request forgery (CSRF) vulnerabilities in IBM TRIR ...) NOT-FOR-US: IBM TRIRIGA Application Platform CVE-2012-5949 (Multiple cross-site scripting (XSS) vulnerabilities in IBM TRIRIGA App ...) NOT-FOR-US: IBM TRIRIGA Application Platform CVE-2012-5948 (Multiple cross-site scripting (XSS) vulnerabilities in IBM TRIRIGA App ...) NOT-FOR-US: IBM TRIRIGA Application Platform CVE-2012-5947 (Buffer overflow in the vsflex7l ActiveX control in IBM SPSS SamplePowe ...) NOT-FOR-US: IBM SPSS SamplePower CVE-2012-5946 (Buffer overflow in the c1sizer ActiveX control in C1sizer.ocx in IBM S ...) NOT-FOR-US: IBM SPSS SamplePower CVE-2012-5945 (Multiple buffer overflows in the Vsflex8l ActiveX control in IBM SPSS ...) NOT-FOR-US: IBM SPSS SamplePower CVE-2012-5944 RESERVED CVE-2012-5943 (Cross-site scripting (XSS) vulnerability in IBM iNotes 8.5.x before 8. ...) NOT-FOR-US: IBM iNotes CVE-2012-5942 (Cross-site scripting (XSS) vulnerability in the Data Management Portal ...) NOT-FOR-US: IBM Tivoli TADDM CVE-2012-5941 (Cross-site scripting (XSS) vulnerability in the WebAdmin application 6 ...) NOT-FOR-US: IBM CVE-2012-5940 (The WebAdmin application 6.0.5, 6.0.8, and 7.0 before P2 in IBM Netezz ...) NOT-FOR-US: IBM CVE-2012-5939 (Cross-site scripting (XSS) vulnerability in Welcome.do in the Data Man ...) NOT-FOR-US: IBM Tivoli TADDM CVE-2012-5938 (The installation process in IBM InfoSphere Information Server 8.1, 8.5 ...) NOT-FOR-US: IBM InfoSphere Information Server CVE-2012-5937 (Unspecified vulnerability in the CLA2 server in IBM Gentran Integratio ...) NOT-FOR-US: IBM Gentran Integration CVE-2012-5936 (IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 ...) NOT-FOR-US: IBM CVE-2011-5245 (The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEas ...) NOT-FOR-US: RESTEasy framework for JBoss CVE-2012-5935 RESERVED CVE-2012-5934 RESERVED CVE-2012-5933 RESERVED CVE-2012-5932 (Eval injection vulnerability in the ldapagnt_eval function in ldapagnt ...) NOT-FOR-US: NetIQ Privileged User Manager 2.3.x CVE-2012-5931 (Directory traversal vulnerability in the set_log_config function in re ...) NOT-FOR-US: NetIQ Privileged User Manager 2.3.x CVE-2012-5930 (The pa_modify_accounts function in auth.dll in unifid.exe in NetIQ Pri ...) NOT-FOR-US: NetIQ Privileged User Manager 2.3.x CVE-2012-5929 RESERVED CVE-2012-5928 RESERVED CVE-2012-5927 RESERVED CVE-2012-5926 RESERVED CVE-2012-5925 RESERVED CVE-2012-5924 RESERVED CVE-2012-5923 RESERVED CVE-2012-5922 RESERVED CVE-2012-5921 RESERVED CVE-2012-5920 (Cross-site scripting (XSS) vulnerability in Google Web Toolkit (GWT) 2 ...) - gwt (bug #691900) [squeeze] - gwt (Vulnerable code not present) CVE-2012-5919 (Multiple cross-site scripting (XSS) vulnerabilities in Havalite 1.0.4 ...) NOT-FOR-US: havalite CVE-2012-5918 (razorCMS 1.2 allows remote authenticated users to access administrator ...) NOT-FOR-US: razorCMS CVE-2012-5917 (SnackAmp 3.1.3 allows remote attackers to cause a denial of service (a ...) NOT-FOR-US: SnackAmp CVE-2012-5916 (Neocrome Seditio build 161 allows remote attackers to obtain sensitive ...) NOT-FOR-US: Neocrome Seditio CVE-2012-5915 (Neocrome Seditio build 161 and earlier allows remote attackers to obta ...) NOT-FOR-US: Neocrome Seditio CVE-2012-5914 (Multiple cross-site scripting (XSS) vulnerabilities in the sed_import ...) NOT-FOR-US: Neocrome Seditio CVE-2012-5913 (Cross-site scripting (XSS) vulnerability in wp-integrator.php in the W ...) NOT-FOR-US: Wordpress Integrator plugin CVE-2012-5912 (Multiple SQL injection vulnerabilities in PicoPublisher 2.0 allow remo ...) NOT-FOR-US: PicoPublisher CVE-2012-5911 (Cross-site scripting (XSS) vulnerability in blogs/blog1.php in b2evolu ...) NOT-FOR-US: b2evolution CVE-2012-5910 (SQL injection vulnerability in blogs/htsrv/viewfile.php in b2evolution ...) NOT-FOR-US: b2evolution CVE-2012-5909 (SQL injection vulnerability in admin/modules/user/users.php in MyBB (a ...) NOT-FOR-US: MyBB CVE-2012-5908 (Cross-site scripting (XSS) vulnerability in admin/modules/user/users.p ...) NOT-FOR-US: MyBB CVE-2012-5907 (Directory traversal vulnerability in json.php in TomatoCart 1.2.0 Alph ...) NOT-FOR-US: TomatoCart CVE-2012-5906 (Multiple cross-site scripting (XSS) vulnerabilities in GreenBrowser 6. ...) NOT-FOR-US: GreenBrowser CVE-2012-5905 (Buffer overflow in KnFTPd 1.0.0 allows remote authenticated users to c ...) NOT-FOR-US: KnFTPd CVE-2012-5904 (Heap-based buffer overflow in IrfanView before 4.33 allows remote atta ...) NOT-FOR-US: IrfanView CVE-2012-5903 (Cross-site scripting (XSS) vulnerability in Simple Machines Forum (SMF ...) NOT-FOR-US: Simple Machine Forum CVE-2012-5902 (Cross-site scripting (XSS) vulnerability in ptk/lib/modal_bookmark.php ...) NOT-FOR-US: DFLabs PTK CVE-2012-5901 (DFLabs PTK 1.0.5 stores data files with predictable names under the we ...) NOT-FOR-US: DFLabs PTK CVE-2012-5900 (Multiple SQL injection vulnerabilities in SAMEDIA LandShop 0.9.2 allow ...) NOT-FOR-US: SAMEDIA LandShop CVE-2012-5899 (Cross-site scripting (XSS) vulnerability in admin/action/objects.php i ...) NOT-FOR-US: SAMEDIA LandShop CVE-2012-5898 (Cross-site request forgery (CSRF) vulnerability in SAMEDIA LandShop 0. ...) NOT-FOR-US: SAMEDIA LandShop CVE-2012-5897 (The (1) SimpleTree and (2) ReportTree classes in the ARDoc ActiveX con ...) NOT-FOR-US: Quest in Trust CVE-2012-5896 (The Annotation Objects Extension ActiveX control in AnnotateX.dll in Q ...) NOT-FOR-US: Quest in Trust CVE-2012-5895 (Multiple unspecified vulnerabilities in iRODS before 3.1 have unknown ...) NOT-FOR-US: iRODS CVE-2012-5894 (SQL injection vulnerability in hava_post.php in Havalite CMS 1.1.0 and ...) NOT-FOR-US: Havalite CMS CVE-2012-5893 (Unrestricted file upload vulnerability in hava_upload.php in Havalite ...) NOT-FOR-US: Havalite CMS CVE-2012-5892 (Havalite CMS 1.1.0 and earlier stores sensitive information under the ...) NOT-FOR-US: Havalite CMS CVE-2012-5891 (Multiple cross-site request forgery (CSRF) vulnerabilities in photo/pa ...) NOT-FOR-US: Dalbum CVE-2012-5890 (The Front End User Registration (sr_feuser_register) extension before ...) NOT-FOR-US: TYPO3 extension (sr_feuser_register) CVE-2012-5889 (Cross-site scripting (XSS) vulnerability in the powermail extension be ...) NOT-FOR-US: TYPO3 extension (powermail) CVE-2012-5888 (Cross-site scripting (XSS) vulnerability in Basic SEO Features (seo_ba ...) NOT-FOR-US: TYPO3 extension (seo_basics) CVE-2012-5887 (The HTTP Digest Access Authentication implementation in Apache Tomcat ...) - tomcat6 6.0.35-5+nmu1 (bug #692439) [squeeze] - tomcat6 6.0.35-1+squeeze3 NOTE: DSA 2725 - tomcat7 7.0.28-3+nmu1 (bug #692440) CVE-2012-5886 (The HTTP Digest Access Authentication implementation in Apache Tomcat ...) - tomcat6 6.0.35-5+nmu1 (bug #692439) [squeeze] - tomcat6 6.0.35-1+squeeze3 NOTE: DSA 2725 - tomcat7 7.0.28-3+nmu1 (bug #692440) CVE-2012-5885 (The replay-countermeasure functionality in the HTTP Digest Access Auth ...) - tomcat6 6.0.35-5+nmu1 (bug #692439) [squeeze] - tomcat6 6.0.35-1+squeeze3 NOTE: DSA 2725 - tomcat7 7.0.28-3+nmu1 (bug #692440) CVE-2011-5244 (Multiple off-by-one errors in the (1) token and (2) linetoken function ...) {DSA-2357-1} - evince 2.32.0-1 [squeeze] - evince 2.30.3-2+squeeze1 NOTE: This issue was already fixed in DSA-2357-1 by shipping the correct fix from the start CVE-2012-5884 (The User.get method in Bugzilla/WebService/User.pm in Bugzilla 4.3.2 a ...) - bugzilla (low) [squeeze] - bugzilla (vulnerable code not present in 3.x) - bugzilla4 (bug #669643) CVE-2012-5883 (Cross-site scripting (XSS) vulnerability in the Flash component infras ...) - yui3 - yui 2.9.0.dfsg.0.1-0.1 (bug #693608) [squeeze] - yui (Minor issue, Flash not build from source in oldstable) - icinga-web 1.7.1+dfsg2-6 (bug #694641) CVE-2012-5882 (Cross-site scripting (XSS) vulnerability in the Flash component infras ...) - yui3 - yui 2.9.0.dfsg.0.1-0.1 (bug #693608) [squeeze] - yui (Minor issue, Flash not build from source in oldstable) - icinga-web 1.7.1+dfsg2-6 (bug #694641) CVE-2012-5881 (Cross-site scripting (XSS) vulnerability in the Flash component infras ...) - yui3 - yui 2.9.0.dfsg.0.1-0.1 (bug #693608) [squeeze] - yui (Minor issue, Flash not build from source in oldstable) - icinga-web 1.7.1+dfsg2-6 (bug #694641) CVE-2012-5880 RESERVED CVE-2012-5879 (An ActiveX control in McHealthCheck.dll in McAfee Virtual Technician ( ...) NOT-FOR-US: McAfee Virtual Technician CVE-2012-5878 (Bulb Security Smartphone Pentest Framework (SPF) 0.1.2 through 0.1.4 a ...) NOT-FOR-US: Bulb Security Smartphone Pentest Framework CVE-2012-5877 (Nero MediaHome 4.5.8.0 and earlier allows remote attackers to cause a ...) NOT-FOR-US: Nero MediaHome CVE-2012-5876 (Multiple off-by-one errors in NMMediaServerService.dll in Nero MediaHo ...) NOT-FOR-US: Nero MediaHome CVE-2012-5875 (Firefly Media Server 1.0.0.1359 allows remote attackers to cause a den ...) NOT-FOR-US: Firefly Media Server CVE-2012-5874 (Multiple SQL injection vulnerabilities in the (1) update_whosonline_re ...) NOT-FOR-US: Elite Bulletin Board CVE-2012-5873 RESERVED CVE-2012-5872 RESERVED CVE-2012-5871 RESERVED CVE-2012-5870 RESERVED CVE-2012-5869 RESERVED CVE-2012-5868 (WordPress 3.4.2 does not invalidate a wordpress_sec session cookie upo ...) - wordpress (unimportant; bug #696868) NOTE: non-issue, see https://wordpress.org/support/topic/old-bug-cve-2012-5868 CVE-2012-5867 (HT Editor 2.0.20 has a Remote Stack Buffer Overflow Vulnerability ...) NOT-FOR-US: HT Editor CVE-2012-5866 (Cross-site scripting (XSS) vulnerability in include.php in Achievo 1.4 ...) NOT-FOR-US: Achievo CVE-2012-5865 (SQL injection vulnerability in dispatch.php in Achievo 1.4.5 allows re ...) NOT-FOR-US: Achievo CVE-2012-5864 (The management web pages on the Sinapsi eSolar Light Photovoltaic Syst ...) NOT-FOR-US: Sinapsi eSolar Light Photovoltaic System Monitor CVE-2012-5863 (ping.php on the Sinapsi eSolar Light Photovoltaic System Monitor (aka ...) NOT-FOR-US: Sinapsi eSolar Light Photovoltaic System Monitor CVE-2012-5862 (login.php on the Sinapsi eSolar Light Photovoltaic System Monitor (aka ...) NOT-FOR-US: Sinapsi eSolar Light Photovoltaic System Monitor CVE-2012-5861 (Multiple SQL injection vulnerabilities on the Sinapsi eSolar Light Pho ...) NOT-FOR-US: Sinapsi eSolar Light Photovoltaic System Monitor CVE-2012-5860 (Unspecified vulnerability on Oberthur ID-One COSMO 5.2, 5.2a, and 64 s ...) NOT-FOR-US: ID-One COSMO CVE-2012-5859 (Samsung Kies Air 2.1.207051 and 2.1.210161 allows remote attackers to ...) NOT-FOR-US: Samsung Kies Air CVE-2012-5858 (Samsung Kies Air 2.1.207051 and 2.1.210161 relies on the IP address fo ...) NOT-FOR-US: Samsung Kies Air CVE-2012-5857 RESERVED CVE-2012-5856 (Cross-site scripting (XSS) vulnerability in the Uk Cookie (aka uk-cook ...) NOT-FOR-US: Wordpress plugin (uk cookie) CVE-2012-5855 (The SHAddToRecentDocs function in VideoLAN VLC media player 2.0.4 and ...) - vlc (Windows only issue) NOTE: Harmless crasher without security relevance CVE-2012-5853 (SQL injection vulnerability in the "the_search_function" function in c ...) NOT-FOR-US: "the_search_function" function in cardoza_ajax_search.php in the AJAX Post Search (cardoza-ajax-search) plugin for WordPress CVE-2012-5852 RESERVED CVE-2012-5851 (html/parser/XSSAuditor.cpp in WebCore in WebKit, as used in Google Chr ...) - chromium-browser (unimportant) - webkit (unimportant) NOTE: https://bugs.webkit.org/show_bug.cgi?id=92692 NOTE: Incomplete mitigation feature, not a security vulnerability per se CVE-2012-5850 RESERVED CVE-2012-5849 (Multiple SQL injection vulnerabilities in ClipBucket 2.6 Revision 738 ...) NOT-FOR-US: ClipBucket CVE-2012-5854 (Heap-based buffer overflow in WeeChat 0.3.6 through 0.3.9 allows remot ...) - weechat 0.3.9.1-1 (bug #693026) [wheezy] - weechat 0.3.8-1+deb7u1 [squeeze] - weechat (Vulnerable code not present) CVE-2012-5848 REJECTED CVE-2012-5847 REJECTED CVE-2012-5846 REJECTED CVE-2012-5845 REJECTED CVE-2012-5844 REJECTED CVE-2012-5843 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2012-5842 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2588-1 DSA-2584-1 DSA-2583-1} - iceweasel 10.0.11esr-1 - icedove 10.0.11-1 - iceape 2.7.11-1 CVE-2012-5841 (Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderb ...) - iceweasel 10.0.11esr-1 - icedove 10.0.11-1 - iceape 2.7.11-1 [squeeze] - iceweasel (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceape (Vulnerable code not present) CVE-2012-5840 (Use-after-free vulnerability in the nsTextEditorState::PrepareEditor f ...) - iceweasel 10.0.11esr-1 - icedove 10.0.11-1 - iceape 2.7.11-1 [squeeze] - iceweasel (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceape (Vulnerable code not present) CVE-2012-5839 (Heap-based buffer overflow in the gfxShapedWord::CompressedGlyph::IsCl ...) - iceweasel 10.0.11esr-1 - icedove 10.0.11-1 - iceape 2.7.11-1 [squeeze] - iceweasel (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceape (Vulnerable code not present) CVE-2012-5838 (The copyTexImage2D implementation in the WebGL subsystem in Mozilla Fi ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2012-5837 (The Web Developer Toolbar in Mozilla Firefox before 17.0 executes scri ...) - iceweasel (Doesn't affect the ESR series, only releases from experimental) CVE-2012-5836 (Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey be ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2012-5835 (Integer overflow in the WebGL subsystem in Mozilla Firefox before 17.0 ...) - iceweasel 10.0.11esr-1 - icedove 10.0.11-1 - iceape 2.7.11-1 [squeeze] - iceweasel (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceape (Vulnerable code not present) CVE-2012-5834 REJECTED CVE-2012-5833 (The texImage2D implementation in the WebGL subsystem in Mozilla Firefo ...) - iceweasel 10.0.11esr-1 - icedove 10.0.11-1 - iceape 2.7.11-1 [squeeze] - iceweasel (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceape (Vulnerable code not present) CVE-2012-5832 REJECTED CVE-2012-5831 REJECTED CVE-2012-5830 (Use-after-free vulnerability in Mozilla Firefox before 17.0, Firefox E ...) - iceweasel 10.0.11esr-1 - icedove 10.0.11-1 - iceape 2.7.11-1 [squeeze] - iceweasel (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceape (Vulnerable code not present) CVE-2012-5829 (Heap-based buffer overflow in the nsWindow::OnExposeEvent function in ...) {DSA-2588-1 DSA-2584-1 DSA-2583-1} - iceweasel 10.0.11esr-1 - icedove 10.0.11-1 - iceape 2.7.11-1 CVE-2012-5828 (BlackBerry PlayBook before 2.1 has an Information Disclosure Vulnerabi ...) NOT-FOR-US: BlackBerry PlayBook CVE-2012-5827 (Joomla! 2.5.x before 2.5.8 and 3.0.x before 3.0.2 allows remote attack ...) NOT-FOR-US: Joomla! CVE-2012-5826 RESERVED CVE-2011-5243 (TwitterOAuth does not verify that the server hostname matches a domain ...) NOT-FOR-US: TwitterOAuth CVE-2011-5242 (tmhOAuth before 0.61 does not verify that the server hostname matches ...) NOT-FOR-US: tmhOAuth CVE-2011-5241 (Services_Twitter 0.6.3 does not verify that the server hostname matche ...) NOT-FOR-US: PEAR module for Twitter CVE-2011-5240 (Magento 1.5 and 1.6.2 does not verify that the server hostname matches ...) NOT-FOR-US: Magento CVE-2011-5239 (CiviCRM 4.0.5 and 4.1.1 does not verify that the server hostname match ...) - civicrm (Fixed before initial upload to the archive) CVE-2011-5238 (google-checkout-php-sample-code before 1.3.2 does not verify that the ...) NOT-FOR-US: google-checkout-php-sample-code CVE-2011-5237 (PayPal WPS ToolKit does not verify that the server hostname matches a ...) NOT-FOR-US: PayPal WPS ToolKit CVE-2011-5236 (Moneris eSelectPlus 2.03 PHP API does not verify that the server hostn ...) NOT-FOR-US: Moneris eSelectPlus 2.03 PHP API CVE-2012-5825 (Tweepy does not verify that the server hostname matches a domain name ...) - tweepy 3.1.0-2 (low; bug #692444) [jessie] - tweepy (Minor issue) [wheezy] - tweepy (Minor issue) CVE-2012-5824 (Trillian 5.1.0.19 does not verify that the server hostname matches a d ...) NOT-FOR-US: Trillian CVE-2012-5823 (Open Source Classifieds does not verify that the server hostname match ...) NOT-FOR-US: Open Source Classifieds CVE-2012-5822 (The contribution feature in Zamboni does not verify that the server ho ...) NOT-FOR-US: Zamboni CVE-2012-5821 (Lynx does not verify that the server's certificate is signed by a trus ...) - lynx-cur 2.8.8dev.15-1 (low; bug #692443) [squeeze] - lynx-cur (Minor issue) [wheezy] - lynx-cur (Minor issue) CVE-2012-5820 (The developer-account sample code in Google AdMob does not verify that ...) NOT-FOR-US: Google AdMob CVE-2012-5819 (FilesAnywhere does not verify that the server hostname matches a domai ...) NOT-FOR-US: FilesAnywhere CVE-2012-5818 (ElephantDrive does not verify that the server hostname matches a domai ...) NOT-FOR-US: ElephantDrive CVE-2012-5817 (Codehaus XFire 1.2.6 and earlier, as used in the Amazon EC2 API Tools ...) NOT-FOR-US: Codehaus XFire CVE-2012-5816 (AOL Instant Messenger (AIM) 1.0.1.2 does not verify that the server ho ...) NOT-FOR-US: AOL Instant Messenger CVE-2012-5815 (The Rackspace app 2.1.5 for iOS does not verify that the server hostna ...) NOT-FOR-US: Rackspace app for iOS CVE-2012-5814 (Weberknecht, as used in GitHub Gaug.es and other products, does not ve ...) NOT-FOR-US: Weberknecht CVE-2012-5813 (The Android_Pusher library for Android does not verify that the server ...) NOT-FOR-US: Android app/lib CVE-2012-5812 (The ACRA library for Android does not verify that the server hostname ...) NOT-FOR-US: Android app/lib CVE-2012-5811 (The Breezy application for Android does not verify that the server hos ...) NOT-FOR-US: Android app/lib CVE-2012-5810 (The Chase mobile banking application for Android does not verify that ...) NOT-FOR-US: Android app/lib CVE-2012-5809 (The Groupon Redemptions application for Android does not verify that t ...) NOT-FOR-US: Android app/lib CVE-2012-5808 (The LinkPoint module in Zen Cart does not verify that the server hostn ...) NOT-FOR-US: Zen Cart module CVE-2012-5807 (The Authorize.Net eCheck module in Zen Cart does not verify that the s ...) NOT-FOR-US: Zen Cart module CVE-2012-5806 (The PayPal Payments Pro module in Zen Cart does not verify that the se ...) NOT-FOR-US: Zen Cart module CVE-2012-5805 (The PayPal IPN functionality in Zen Cart does not verify that the serv ...) NOT-FOR-US: Zen Cart module CVE-2012-5804 (The CyberSource module in Ubercart does not verify that the server hos ...) NOT-FOR-US: Ubercart module CVE-2012-5803 (The Authorize.Net module in Ubercart does not verify that the server h ...) NOT-FOR-US: Ubercart module CVE-2012-5802 (The PayPal module in Ubercart does not verify that the server hostname ...) NOT-FOR-US: Ubercart module CVE-2012-5801 (The PayPal module in PrestaShop does not verify that the server hostna ...) NOT-FOR-US: PrestaShop module CVE-2012-5800 (The eBay module in PrestaShop does not verify that the server hostname ...) NOT-FOR-US: PrestaShop module CVE-2012-5799 (The Canada Post (aka CanadaPost) module in PrestaShop does not verify ...) NOT-FOR-US: PrestaShop module CVE-2012-5798 (The PayPal Pro PayFlow EC module in osCommerce does not verify that th ...) NOT-FOR-US: osCommerce module CVE-2012-5797 (The PayPal Pro PayFlow module in osCommerce does not verify that the s ...) NOT-FOR-US: osCommerce module CVE-2012-5796 (The PayPal Pro module in osCommerce does not verify that the server ho ...) NOT-FOR-US: osCommerce module CVE-2012-5795 (The PayPal Express module in osCommerce does not verify that the serve ...) NOT-FOR-US: osCommerce module CVE-2012-5794 (The MoneyBookers module in osCommerce does not verify that the server ...) NOT-FOR-US: osCommerce module CVE-2012-5793 (The Authorize.Net module in osCommerce does not verify that the server ...) NOT-FOR-US: osCommerce module CVE-2012-5792 (The Sage Pay Direct module in osCommerce does not verify that the serv ...) NOT-FOR-US: osCommerce module CVE-2012-5791 (PayPal Invoicing does not verify that the server hostname matches a do ...) NOT-FOR-US: PayPal Invoicing CVE-2012-5790 (PayPal Payments Standard PHP Library 20120427 does not verify that the ...) NOT-FOR-US: PayPal Payments Standard PHP Library CVE-2012-5789 (PayPal Payments Standard PHP Library before 20120427 does not verify t ...) NOT-FOR-US: PayPal Payments Standard PHP Library CVE-2012-5788 (The PayPal IPN utility does not verify that the server hostname matche ...) NOT-FOR-US: The PayPal IPN utility CVE-2012-5787 (The PayPal merchant SDK does not verify that the server hostname match ...) NOT-FOR-US: The PayPal merchant SDK CVE-2012-5786 (** DISPUTED ** The wsdl_first_https sample code in distribution/src/ma ...) NOT-FOR-US: Apache CXF CVE-2012-5785 (Apache Axis2/Java 1.6.2 and earlier does not verify that the server ho ...) NOT-FOR-US: Axis2/Java NOTE: Axis2/C is packaged as axis2c, but this is a different software. CVE-2012-5784 (Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Ma ...) {DLA-169-1} - axis 1.4-16.1 (low; bug #692650) [squeeze] - axis (Minor issue) CVE-2012-5783 (Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Ser ...) {DLA-222-1} - commons-httpclient 3.1-10.1 (bug #692442) [wheezy] - commons-httpclient (Minor issue) [squeeze] - commons-httpclient (Minor issue) CVE-2012-5782 (Amazon Flexible Payments Service (FPS) PHP Library does not verify tha ...) NOT-FOR-US: Amazon Flexible Payments Service CVE-2012-5781 (Amazon Elastic Load Balancing API Tools does not verify that the serve ...) NOT-FOR-US: Amazon Elastic Load Balancing API Tools CVE-2012-5780 (The Amazon merchant SDK does not verify that the server hostname match ...) NOT-FOR-US: The Amazon merchant SDK CVE-2012-5779 RESERVED CVE-2012-5778 RESERVED CVE-2012-5777 (Eval injection vulnerability in the ReplaceListVars function in the te ...) NOT-FOR-US: EmpireCMS CVE-2012-5776 (Dokeos 2.1.1 has multiple XSS issues involving "extra_" parameters in ...) NOT-FOR-US: Dokeos CVE-2012-5775 REJECTED CVE-2012-5774 REJECTED CVE-2012-5773 REJECTED CVE-2012-5772 REJECTED CVE-2012-5771 REJECTED CVE-2012-5770 (The SSL configuration in IBM Tivoli Application Dependency Discovery M ...) NOT-FOR-US: IBM CVE-2012-5769 (IBM SPSS Modeler 14.0, 14.1, 14.2 through FP3, and 15.0 before FP2 all ...) NOT-FOR-US: IBM SPSS Modeler CVE-2012-5768 RESERVED CVE-2012-5767 (Unspecified vulnerability in the web interface on the IBM TS3500 Tape ...) NOT-FOR-US: IBM TS3500 Tape Library CVE-2012-5766 (Multiple SQL injection vulnerabilities in IBM Sterling B2B Integrator ...) NOT-FOR-US: IBM CVE-2012-5765 (The Web Client (aka CQ Web) in IBM Rational ClearQuest 7.1.2.x before ...) NOT-FOR-US: IBM Rational ClearQuest CVE-2012-5764 RESERVED CVE-2012-5763 (Cross-site request forgery (CSRF) vulnerability in the WebAdmin applic ...) NOT-FOR-US: IBM CVE-2012-5762 (Cross-site scripting (XSS) vulnerability in the WebAdmin application 6 ...) NOT-FOR-US: IBM CVE-2012-5761 (Cross-site scripting (XSS) vulnerability in the WebAdmin application 6 ...) NOT-FOR-US: IBM CVE-2012-5760 (SQL injection vulnerability in the WebAdmin application 6.0.5, 6.0.8, ...) NOT-FOR-US: IBM CVE-2012-5759 (The IBM WebSphere DataPower XC10 Appliance 2.0.0.0 through 2.0.0.3 and ...) NOT-FOR-US: Websphere CVE-2012-5758 (The IBM WebSphere DataPower XC10 Appliance 2.0.0.0 through 2.0.0.3 and ...) NOT-FOR-US: Websphere CVE-2012-5757 (Cross-site scripting (XSS) vulnerability in the Web Client in IBM Rati ...) NOT-FOR-US: IBM Rational ClearQuest CVE-2012-5756 (The IBM WebSphere DataPower XC10 Appliance 2.0.0.0 through 2.0.0.3 and ...) NOT-FOR-US: Websphere CVE-2012-5755 RESERVED CVE-2012-5754 RESERVED CVE-2012-5753 RESERVED CVE-2012-5752 RESERVED CVE-2012-5751 RESERVED CVE-2012-5750 RESERVED CVE-2012-5749 RESERVED CVE-2012-5748 RESERVED CVE-2012-5747 RESERVED CVE-2012-5746 RESERVED CVE-2012-5745 RESERVED CVE-2012-5744 (Multiple cross-site scripting (XSS) vulnerabilities in the guest porta ...) NOT-FOR-US: Cisco Identity Services Engine CVE-2012-5743 RESERVED CVE-2012-5742 RESERVED CVE-2012-5741 RESERVED CVE-2012-5740 RESERVED CVE-2012-5739 RESERVED CVE-2012-5738 RESERVED CVE-2012-5737 RESERVED CVE-2012-5736 RESERVED CVE-2012-5735 RESERVED CVE-2012-5734 RESERVED CVE-2012-5733 RESERVED CVE-2012-5732 RESERVED CVE-2012-5731 RESERVED CVE-2012-5730 RESERVED CVE-2012-5729 RESERVED CVE-2012-5728 RESERVED CVE-2012-5727 RESERVED CVE-2012-5726 RESERVED CVE-2012-5725 RESERVED CVE-2012-5724 RESERVED CVE-2012-5723 (Cisco ASR 1000 devices with software before 3.8S, when BDI routing is ...) NOT-FOR-US: Cisco devices CVE-2012-5722 RESERVED CVE-2012-5721 RESERVED CVE-2012-5720 RESERVED CVE-2012-5719 RESERVED CVE-2012-5718 RESERVED CVE-2012-5717 (Cisco Adaptive Security Appliances (ASA) devices with firmware 8.x thr ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2012-5716 RESERVED CVE-2012-5715 RESERVED CVE-2012-5714 RESERVED CVE-2012-5713 RESERVED CVE-2012-5712 RESERVED CVE-2012-5711 RESERVED CVE-2012-5710 RESERVED CVE-2012-5709 RESERVED CVE-2012-5708 RESERVED CVE-2012-5707 RESERVED CVE-2012-5706 RESERVED CVE-2012-5705 (Cross-site scripting (XSS) vulnerability in the settings page (admin/s ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2012-5704 (The Hotblocks module 6.x-1.x before 6.x-1.8 for Drupal allows remote a ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2012-5703 (The vSphere API in VMware ESXi 4.1 and ESX 4.1 allows remote attackers ...) NOT-FOR-US: VMware ESXi CVE-2012-5702 (Multiple cross-site scripting (XSS) vulnerabilities in dotProject befo ...) NOT-FOR-US: dotProject CVE-2012-5701 (Multiple SQL injection vulnerabilities in dotProject before 2.1.7 allo ...) NOT-FOR-US: dotProject CVE-2012-5700 (Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko befo ...) NOT-FOR-US: Baby Gekko CVE-2012-5699 (BabyGekko before 1.2.4 allows PHP file inclusion. ...) NOT-FOR-US: BabyGekko CVE-2012-5698 (BabyGekko before 1.2.4 has SQL injection. ...) NOT-FOR-US: BabyGekko CVE-2012-5979 REJECTED CVE-2012-5697 (The btinstall installation script in Bulb Security Smartphone Pentest ...) NOT-FOR-US: Smartphone Pentest Framework CVE-2012-5696 (Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 does not ...) NOT-FOR-US: Smartphone Pentest Framework CVE-2012-5695 (Multiple cross-site request forgery (CSRF) vulnerabilities in Bulb Sec ...) NOT-FOR-US: Smartphone Pentest Framework CVE-2012-5694 (Multiple SQL injection vulnerabilities in Bulb Security Smartphone Pen ...) NOT-FOR-US: Smartphone Pentest Framework CVE-2012-5693 (Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 allows r ...) NOT-FOR-US: Bulb Security Smartphone Pentest Framework CVE-2012-5692 (Unspecified vulnerability in admin/sources/base/core.php in Invision P ...) NOT-FOR-US: Invision Power Board CVE-2012-5691 (Buffer overflow in RealNetworks RealPlayer before 16.0.0.282 and RealP ...) NOT-FOR-US: RealPlayer CVE-2012-5690 (RealNetworks RealPlayer before 16.0.0.282 and RealPlayer SP 1.0 throug ...) NOT-FOR-US: RealPlayer CVE-2012-5689 (ISC BIND 9.8.x through 9.8.4-P1 and 9.9.x through 9.9.2-P1, in certain ...) - bind9 1:9.8.4.dfsg.P1-6+nmu1 (bug #699145) [squeeze] - bind9 (Only affects Bind 9.8 and 9.9) - isc-dhcp (issue only affects the named service, which isn't used by isc-dhcp) CVE-2012-5688 (ISC BIND 9.8.x before 9.8.4-P1 and 9.9.x before 9.9.2-P1, when DNS64 i ...) - bind9 1:9.8.4.dfsg.P1-1 (bug #695192) [squeeze] - bind9 (Only affects 9.8 and 9.9) - isc-dhcp (issue only affects the named service, which isn't used by isc-dhcp) CVE-2012-5687 (Directory traversal vulnerability in the web-based management feature ...) NOT-FOR-US: TP-LINK TL-WR841N router CVE-2012-5686 (ZPanel 10.0.1 has insufficient entropy for its password reset process. ...) NOT-FOR-US: ZPanel CVE-2012-5685 (SQL injection vulnerability in ZPanel 10.0.1 and earlier allows remote ...) NOT-FOR-US: ZPanel CVE-2012-5684 (Cross-site scripting (XSS) vulnerability in ZPanel 10.0.1 and earlier ...) NOT-FOR-US: ZPanel CVE-2012-5683 (Multiple cross-site request forgery (CSRF) vulnerabilities in ZPanel 1 ...) NOT-FOR-US: ZPanel CVE-2012-5682 REJECTED CVE-2012-5681 REJECTED CVE-2012-5680 (Buffer overflow in Adobe Photoshop Camera Raw before 7.3 allows attack ...) NOT-FOR-US: Adobe Photoshop Camera Raw CVE-2012-5679 (Buffer underflow in Adobe Photoshop Camera Raw before 7.3 allows attac ...) NOT-FOR-US: Adobe Photoshop Camera Raw CVE-2012-5678 (Adobe Flash Player before 10.3.183.48 and 11.x before 11.5.502.135 on ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5677 (Integer overflow in Adobe Flash Player before 10.3.183.48 and 11.x bef ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5676 (Buffer overflow in Adobe Flash Player before 10.3.183.48 and 11.x befo ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5675 (Adobe ColdFusion 9.0 through 9.0.2, and 10, allows local users to bypa ...) NOT-FOR-US: Adobe ColdFusion CVE-2012-5674 (Unspecified vulnerability in Adobe ColdFusion 10 before Update 5, when ...) NOT-FOR-US: Adobe ColdFusion CVE-2012-5673 (Unspecified vulnerability in Adobe Flash Player before 10.3.183.29 and ...) NOT-FOR-US: Adobe Flash Player CVE-2011-5235 (SQL injection vulnerability in mnoGoSearch before 3.3.12 allows remote ...) NOT-FOR-US: mnoGoSearch CVE-2011-5234 (SQL injection vulnerability in user.php in Social Network Community 2 ...) NOT-FOR-US: Social Network Community CVE-2011-5233 (Heap-based buffer overflow in IrfanView before 4.32 allows remote atta ...) NOT-FOR-US: IrfanView CVE-2011-5232 REJECTED CVE-2011-5231 REJECTED CVE-2011-5230 (Multiple SQL injection vulnerabilities in the selectUserIdByLoginPass ...) NOT-FOR-US: Seotoaster CVE-2011-5229 (SQL injection vulnerability in quickstart/profile/index.php in the For ...) NOT-FOR-US: appRain CMF CVE-2011-5228 (Cross-site scripting (XSS) vulnerability in the Search module (quickst ...) NOT-FOR-US: appRain CMF CVE-2011-5227 (Stack-based buffer overflow in the Syslog service (nssyslogd.exe) in E ...) NOT-FOR-US: Enterasys Network Management Suite CVE-2011-5226 (Cross-site request forgery (CSRF) vulnerability in wordpress_sentinel. ...) NOT-FOR-US: WordPress plugin Sentinel CVE-2011-5225 (Cross-site scripting (XSS) vulnerability in wordpress_sentinel.php in ...) NOT-FOR-US: WordPress plugin Sentinel CVE-2011-5224 (SQL injection vulnerability in the Sentinel plugin 1.0.0 for WordPress ...) NOT-FOR-US: WordPress plugin Sentinel CVE-2011-5223 (Cross-site request forgery (CSRF) vulnerability in logout.php in Cacti ...) - cacti 0.8.7i-1 (low) [squeeze] - cacti 0.8.7g-1+squeeze4 CVE-2011-5222 (SQL injection vulnerability in rub2_w.php in PHP Flirt-Projekt 4.8 and ...) NOT-FOR-US: PHP Flirt-Projekt CVE-2011-5221 (Cross-site scripting (XSS) vulnerability in the getLog function in svn ...) - websvn 2.3.1-1 CVE-2011-5220 (Cross-site scripting (XSS) vulnerability in templates/default/Admin/Lo ...) NOT-FOR-US: PHP-SCMS CVE-2011-5219 (Directory traversal vulnerability in examples/show_code.php in mPDF 5. ...) NOT-FOR-US: mPDF CVE-2011-5218 (SQL injection vulnerability in DotA OpenStats 1.3.9 and earlier allows ...) NOT-FOR-US: DotA OpenStats CVE-2011-5217 (Directory traversal vulnerability in the PXE Mtftp service in Hitachi ...) NOT-FOR-US: Hitachi JP1/ServerConductor/DeploymentManager CVE-2011-5216 (SQL injection vulnerability in ajax.php in SCORM Cloud For WordPress p ...) NOT-FOR-US: WordPress plugin SCORM Cloud CVE-2011-5215 (SQL injection vulnerability in index.php in Video Community Portal all ...) NOT-FOR-US: Video Community Portal CVE-2011-5214 (Multiple cross-site scripting (XSS) vulnerabilities in BrowserCRM 5.10 ...) NOT-FOR-US: BrowserCRM CVE-2011-5213 (Multiple SQL injection vulnerabilities in BrowserCRM 5.100.01 and earl ...) NOT-FOR-US: BrowserCRM CVE-2012-5672 (Microsoft Excel Viewer (aka Xlview.exe) and Excel in Microsoft Office ...) NOT-FOR-US: Microsoft Office CVE-2012-5671 (Heap-based buffer overflow in the dkim_exim_query_dns_txt function in ...) {DSA-2566-1} - exim4 4.80-5.1 (medium) CVE-2012-5670 (The _bdf_parse_glyphs function in FreeType before 2.4.11 allows contex ...) - freetype 2.4.9-1.1 (bug #696691) [squeeze] - freetype (Version in Squeeze doesn't parse alternative encoding format yet) NOTE: https://savannah.nongnu.org/bugs/?37907 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=7f2e4f4f553f6836be7683f66226afac3fa979b8 CVE-2012-5669 (The _bdf_parse_glyphs function in FreeType before 2.4.11 allows contex ...) - freetype 2.4.9-1.1 (unimportant; bug #696691) NOTE: https://savannah.nongnu.org/bugs/?37906 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=07bdb6e289c7954e2a533039dc93c1c136099d2d CVE-2012-5668 (FreeType before 2.4.11 allows context-dependent attackers to cause a d ...) - freetype 2.4.9-1.1 (unimportant; bug #696691) NOTE: https://savannah.nongnu.org/bugs/?37905 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=9b6b5754b57c12b820e01305eb69b8863a161e5a CVE-2012-5667 (Multiple integer overflows in GNU Grep before 2.11 might allow context ...) - grep 2.11-1 (low; bug #701897) [squeeze] - grep 2.6.3-3+squeeze1 NOTE: https://bugs.launchpad.net/ubuntu/+source/grep/+bug/1091473 NOTE: patch http://git.savannah.gnu.org/cgit/grep.git/commit/?id=cbbc1a45b9f843c811905c97c90a5d31f8e6c189 NOTE: http://www.openwall.com/lists/oss-security/2012/12/22/1 CVE-2012-5666 (Cross-site scripting (XSS) vulnerability in bookmarks/js/bookmarks.js ...) - owncloud 4.0.8debian-1.3 (bug #696574) [wheezy] - owncloud 4.0.4debian2-3.2 CVE-2012-5665 (ownCloud 4.0.x before 4.0.10 and 4.5.x before 4.5.5 does not properly ...) - owncloud 4.0.8debian-1.3 (bug #696574) [wheezy] - owncloud 4.0.4debian2-3.2 CVE-2012-5664 REJECTED CVE-2012-5663 (The isearch package (textproc/isearch) before 1.47.01nb1 uses the temp ...) NOT-FOR-US: Isearch NOTE: http://www.openwall.com/lists/oss-security/2012/12/21/1 CVE-2012-5662 (x3270 before 3.3.12ga12 does not verify that the server hostname match ...) - ibm-3270 3.3.14ga11-1 (bug #706547) [wheezy] - ibm-3270 (Non-free not supported) [squeeze] - ibm-3270 (Non-free not supported) CVE-2012-5661 REJECTED CVE-2012-5660 (abrt-action-install-debuginfo in Automatic Bug Reporting Tool (ABRT) 2 ...) NOT-FOR-US: abrt is Red Hat / Fedora specific CVE-2012-5659 (Untrusted search path vulnerability in plugins/abrt-action-install-deb ...) NOT-FOR-US: abrt is Red Hat / Fedora specific CVE-2012-5658 (rhc-chk.rb in Red Hat OpenShift Origin before 1.1, when -d (debug mode ...) NOT-FOR-US: OpenShift CVE-2012-5657 (The (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in Z ...) {DSA-2602-1} - zendframework 1.11.13-1.1 (bug #696483) NOTE: http://www.openwall.com/lists/oss-security/2012/12/20/2 NOTE: http://framework.zend.com/security/advisory/ZF2012-05 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=889037 NOTE: http://secunia.com/advisories/51583 CVE-2012-5656 (The rasterization process in Inkscape before 0.48.4 allows local users ...) - inkscape 0.48.3.1-1.2 (bug #696485) [squeeze] - inkscape (Minor issue) CVE-2012-5655 (The Context module 6.x-3.x before 6.x-3.1 and 7.x-3.x before 7.x-3.0-b ...) NOT-FOR-US: Context module for Drupal CVE-2012-5654 (The Nodewords: D6 Meta Tags module before 6.x-1.14 for Drupal, when co ...) NOT-FOR-US: Nodewords: D6 Meta Tags module for Drupal CVE-2012-5653 (The file upload feature in Drupal 6.x before 6.27 and 7.x before 7.18 ...) {DSA-2776-1} - drupal6 (bug #696343) - drupal7 7.14-1.2 (bug #696342) NOTE: http://drupal.org/SA-CORE-2012-004 CVE-2012-5652 (Drupal 6.x before 6.27 allows remote attackers to obtain sensitive inf ...) {DSA-2776-1} - drupal6 (bug #696343) NOTE: http://drupal.org/SA-CORE-2012-004 CVE-2012-5651 (Drupal 6.x before 6.27 and 7.x before 7.18 displays information for bl ...) {DSA-2776-1} - drupal6 (bug #696343) - drupal7 7.14-1.2 (bug #696342) NOTE: http://drupal.org/SA-CORE-2012-004 CVE-2012-5650 (Cross-site scripting (XSS) vulnerability in the Futon UI in Apache Cou ...) - couchdb 1.2.0-5 (bug #698439) [squeeze] - couchdb (Unsupported in squeeze-lts) CVE-2012-5649 (Apache CouchDB before 1.0.4, 1.1.x before 1.1.2, and 1.2.x before 1.2. ...) - couchdb 1.2.0-5 (bug #698439) [squeeze] - couchdb (Unsupported in squeeze-lts) CVE-2012-5648 (Multiple SQL injection vulnerabilities in Foreman before 1.0.2 allow r ...) - foreman (bug #663101) CVE-2012-5647 (Open redirect vulnerability in node-util/www/html/restorer.php in Red ...) NOT-FOR-US: OpenShift CVE-2012-5646 (node-util/www/html/restorer.php in the Red Hat OpenShift Origin before ...) NOT-FOR-US: OpenShift CVE-2012-5645 (A denial of service flaw was found in the way the server component of ...) - freeciv 2.3.4-1 (low; bug #696306) [squeeze] - freeciv (Minor issue) [wheezy] - freeciv 2.3.2-1+deb7u1 CVE-2012-5644 (libuser has information disclosure when moving user's home directory ...) - libuser 1:0.60~dfsg-1 (low; bug #705690) [wheezy] - libuser (Minor issue) [squeeze] - libuser (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=885724#c7 CVE-2012-5643 (Multiple memory leaks in tools/cachemgr.cc in cachemgr.cgi in Squid 2. ...) {DSA-2631-1} - squid 2.7.STABLE9-2 NOTE: squid-cgi was removed in 2.7.STABLE9-2 - squid3 3.1.20-2.1 (bug #696187) NOTE: possible regression, see #701123 CVE-2012-5642 (server/action.py in Fail2ban before 0.8.8 does not properly handle the ...) - fail2ban 0.8.6-3wheezy1 (low; bug #696184) [squeeze] - fail2ban (Introduced in 0.8.6, see #696187) CVE-2012-5641 (Directory traversal vulnerability in the partition2 function in mochiw ...) - couchdb (Only affects CouchDB on Windows) CVE-2012-5640 (thttpd has a local DoS vulnerability via specially-crafted .htpasswd f ...) - thttpd (low) [squeeze] - thttpd (Minor issue) CVE-2012-5639 (LibreOffice and OpenOffice automatically open embedded content ...) - libreoffice (unimportant) [wheezy] - libreoffice (Minor issue) - openoffice.org 1:3.3.0-1 (unimportant) NOTE: Since 3.3.0 openoffice.org is a transitional source package NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=58295 NOTE: Additional hardening/UI improvement, not a direct vulnerability NOTE: For 4.2: http://whatofhow.wordpress.com/2013/12/02/stealth-mode/ CVE-2012-5638 (The setup_logging function in log.h in SANLock uses world-writable per ...) - sanlock 2.2-2 (bug #696424) CVE-2012-5637 REJECTED CVE-2012-5636 (Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before ...) NOT-FOR-US: Apache Wicket CVE-2012-5635 (The GlusterFS functionality in Red Hat Storage Management Console 2.0, ...) - glusterfs 3.5.0-1 (unimportant; bug #704944) NOTE: http://git.gluster.org/cgit/glusterfs.git/commit/?id=b8d5fd2b88db7e18a10e57a0edf1a41eda4f5314 (v3.4.0qa8) NOTE: http://git.gluster.org/cgit/glusterfs.git/commit/?id=11bb1fc5849a557d1a26e59bd651fbd0d07a1b8d (v3.5.0qa1) NOTE: Neutralised by kernel hardening CVE-2012-5634 (Xen 4.2.x, 4.1.x, and 4.0, when using Intel VT-d for PCI passthrough, ...) {DSA-2636-1} - xen 4.1.3-8 (low) CVE-2012-5633 (The URIMappingInterceptor in Apache CXF before 2.5.8, 2.6.x before 2.6 ...) - jbossas4 (Only builds a few libraries, not the full application server, #581226) CVE-2012-5632 RESERVED CVE-2012-5631 (ipa 3.0 does not properly check server identity before sending credent ...) NOT-FOR-US: FreeIPA CVE-2012-5630 (libuser 0.56 and 0.57 has a TOCTOU (time-of-check time-of-use) race co ...) - libuser 1:0.60~dfsg-1 (low; bug #705690) [wheezy] - libuser (Minor issue) [squeeze] - libuser (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=884685#c31 CVE-2012-5629 (The default configuration of the (1) LdapLoginModule and (2) LdapExtLo ...) - jbossas4 (Only builds a few libraries, not the full application server, #581226) CVE-2012-5628 (gofer before 0.68 uses world-writable permissions for /var/lib/gofer/j ...) NOT-FOR-US: gofer component of PULP project CVE-2012-5627 (Oracle MySQL and MariaDB 5.5.x before 5.5.29, 5.3.x before 5.3.12, and ...) - mariadb-5.5 (Fixed before initial upload to archive) - mysql-5.1 (unimportant) - mysql-5.5 (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=883719 NOTE: https://mariadb.atlassian.net/browse/MDEV-3915 CVE-2012-5626 (EJB method in Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Applicati ...) - jbossas4 (Only builds a few libraries, not the full application server, #581226) CVE-2012-5625 (OpenStack Compute (Nova) Folsom before 2012.2.2 and Grizzly, when usin ...) - nova (Only affects OpenStack Folsom, bug #695830) CVE-2012-5624 (The XMLHttpRequest object in Qt before 4.8.4 enables http redirection ...) - qt4-x11 4:4.8.2+dfsg-7 (bug #695156) [squeeze] - qt4-x11 (Vulnerable code not present) NOTE: http://lists.qt-project.org/pipermail/announce/2012-November/000014.html CVE-2012-5623 (Squirrelmail 4.0 uses the outdated MD5 hash algorithm for passwords. ...) NOT-FOR-US: change_passwd plugin for Squirrelmail CVE-2012-5622 (Cross-site request forgery (CSRF) vulnerability in the management cons ...) NOT-FOR-US: OpenShift CVE-2012-5621 (lib/engine/components/opal/opal-call.cpp in ekiga before 4.0.0 allows ...) - ekiga 3.2.7-6 (bug #702282; low) [squeeze] - ekiga (Minor issue) CVE-2012-5620 REJECTED CVE-2012-5619 (The Sleuth Kit (TSK) 4.0.1 does not properly handle "." (dotfile) file ...) - sleuthkit 4.1.2-1 (unimportant; bug #695097) CVE-2012-5618 (Ushahidi before 2.6.1 has insufficient entropy for forgot-password tok ...) NOT-FOR-US: Ushahidi CVE-2012-5617 (gksu-polkit: permissive PolicyKit policy configuration file allows pri ...) - gksu-polkit (bug #695807) [squeeze] - gksu-polkit (Unsupported in squeeze-lts) NOTE: http://www.openwall.com/lists/oss-security/2012/12/12/8 CVE-2012-5616 (Apache CloudStack 4.0.0-incubating and Citrix CloudPlatform (formerly ...) NOT-FOR-US: CloudStack CVE-2012-5615 (Oracle MySQL 5.5.38 and earlier, 5.6.19 and earlier, and MariaDB 5.5.2 ...) {DSA-3054-1} - mariadb-5.5 (Fixed before initial upload to archive) - mysql-5.1 (low; bug #695001) [squeeze] - mysql-5.1 (Minor issue, currently not fixed in MySQL, can be included once fixed in 5.1.x) - mysql-5.5 5.5.39-1 (low; bug #695001) NOTE: http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/4676 NOTE: https://mariadb.atlassian.net/browse/MDEV-3909 NOTE: http://seclists.org/fulldisclosure/2012/Dec/9 CVE-2012-5614 (Oracle MySQL 5.1.67 and earlier and 5.5.29 and earlier, and MariaDB 5. ...) - mariadb-5.5 (Fixed before initial upload to archive) - mysql-5.5 (The affected versions were only in experimental) - mysql-5.1 (low) [squeeze] - mysql-5.1 5.1.73-1 NOTE: https://mariadb.atlassian.net/browse/MDEV-3910 NOTE: http://seclists.org/fulldisclosure/2012/Dec/7 NOTE: http://www.openwall.com/lists/oss-security/2013/02/28/10 CVE-2012-5613 - mysql-5.1 (unimportant; bug #695001) - mysql-5.5 (unimportant; bug #695001) NOTE: Disputed as incorrect configuration NOTE: http://seclists.org/fulldisclosure/2012/Dec/6 CVE-2012-5612 (Heap-based buffer overflow in Oracle MySQL 5.5.19 and other versions t ...) - mysql-5.1 (MDL was introduced in 5.5) - mysql-5.5 5.5.29+dfsg-1 (bug #695001) NOTE: https://mariadb.atlassian.net/browse/MDEV-3908 CVE-2012-5611 (Stack-based buffer overflow in the acl_get function in Oracle MySQL 5. ...) {DSA-2581-1} - mysql-5.1 (bug #695001) - mysql-5.5 5.5.29+dfsg-1 (bug #695001) NOTE: http://seclists.org/fulldisclosure/2012/Dec/4 CVE-2012-5610 (Incomplete blacklist vulnerability in lib/filesystem.php in ownCloud b ...) - owncloud 4.0.8debian-1.1 (bug #693990) [wheezy] - owncloud 4.0.4debian2-3.1 NOTE: http://www.openwall.com/lists/oss-security/2012/11/30/2 CVE-2012-5609 (Incomplete blacklist vulnerability in lib/migrate.php in ownCloud befo ...) - owncloud 4.0.8debian-1.1 (bug #693990) [wheezy] - owncloud 4.0.4debian2-3.1 NOTE: http://www.openwall.com/lists/oss-security/2012/11/30/2 CVE-2012-5608 (Cross-site scripting (XSS) vulnerability in apps/user_webdavauth/setti ...) - owncloud 4.0.8debian-1.1 (bug #693990) [wheezy] - owncloud 4.0.4debian2-3.1 NOTE: http://www.openwall.com/lists/oss-security/2012/11/30/2 CVE-2012-5607 (The "Lost Password" reset functionality in ownCloud before 4.0.9 and 4 ...) - owncloud 4.0.8debian-1.1 (bug #693990) [wheezy] - owncloud 4.0.4debian2-3.1 NOTE: http://www.openwall.com/lists/oss-security/2012/11/30/2 CVE-2012-5606 (Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before ...) - owncloud 4.0.8debian-1.1 (bug #693990) [wheezy] - owncloud 4.0.4debian2-3.1 NOTE: http://www.openwall.com/lists/oss-security/2012/11/30/2 CVE-2012-5605 (Grinder in Red Hat CloudForms before 1.1 uses world-writable permissio ...) NOT-FOR-US: Red Hat CloudForms CVE-2012-5604 (The ldap_fluff gem for Ruby, as used in Red Hat CloudForms 1.1, when u ...) NOT-FOR-US: Red Hat CloudForms CVE-2012-5603 (proxies_controller.rb in Katello in Red Hat CloudForms before 1.1 does ...) NOT-FOR-US: Red Hat CloudForms CVE-2012-5602 REJECTED CVE-2012-5601 REJECTED CVE-2012-5600 REJECTED CVE-2012-5599 REJECTED CVE-2012-5598 REJECTED CVE-2012-5597 REJECTED CVE-2012-5596 REJECTED CVE-2012-5595 REJECTED CVE-2012-5594 REJECTED CVE-2012-5593 REJECTED CVE-2012-5592 REJECTED CVE-2012-5591 (Cross-site scripting (XSS) vulnerability in the Zero Point module 6.x- ...) NOT-FOR-US: Drupal Zero Point module CVE-2012-5590 (SQL injection vulnerability in the Webmail Plus module for Drupal allo ...) NOT-FOR-US: Drupal Webmail Plus module CVE-2012-5589 (The MultiLink module 6.x-2.x before 6.x-2.7 and 7.x-2.x before 7.x-2.7 ...) NOT-FOR-US: Drupal MultiLink module CVE-2012-5588 (The Email Field module 6.x-1.x before 6.x-1.3 for Drupal, when using a ...) NOT-FOR-US: Drupal Email Field module CVE-2012-5587 (Cross-site scripting (XSS) vulnerability in the Email Field module 6.x ...) NOT-FOR-US: Drupal Email Field module CVE-2012-5586 (The Services module 6.x-3.x before 6.x-3.3 and 7.x-3.x before 7.x-3.3 ...) NOT-FOR-US: Drupal Services module CVE-2012-5585 (Cross-site scripting (XSS) vulnerability in the Mixpanel module 6.x-1. ...) NOT-FOR-US: Drupal Mixpanel module CVE-2012-5584 (The Table of Contents module 6.x-3.x before 6.x-3.8 for Drupal does no ...) NOT-FOR-US: Drupal Table of Contents module CVE-2012-5583 (phpCAS before 1.3.2 does not verify that the server hostname matches a ...) - php-cas 1.3.1-2 - moodle 2.2.7.dfsg-1 [squeeze] - moodle (Minor issue) [wheezy] - moodle 2.2.3.dfsg-2.6~wheezy1 NOTE: https://github.com/Jasig/phpCAS/pull/58 CVE-2012-5582 (opendnssec misuses libcurl API ...) - opendnssec (eppclient not built in Debian package) NOTE: http://lists.opendnssec.org/pipermail/opendnssec-user/2012-November/002296.html CVE-2012-5581 (Stack-based buffer overflow in tif_dir.c in LibTIFF before 4.0.2 allow ...) {DSA-2589-1} - tiff 4.0.2-1 (bug #694693) - tiff3 3.9.6-10 NOTE: http://www.openwall.com/lists/oss-security/2012/11/28/1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=867235 CVE-2012-5580 (Format string vulnerability in the print_proxies function in bin/proxy ...) - libproxy 0.3.1-4 (low) [squeeze] - libproxy (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=791086 NOTE: https://code.google.com/p/libproxy/source/detail?r=475 CVE-2012-5579 REJECTED CVE-2012-5578 (Python keyring has insecure permissions on new databases allowing worl ...) - python-keyring 0.9.2-1.1 (bug #696736) [wheezy] - python-keyring 0.7.1-1+deb7u1 [squeeze] - python-keyring (Minor issue) CVE-2012-5577 (Python keyring lib before 0.10 created keyring files with world-readab ...) - python-keyring 0.9.2-1.1 (bug #696736) [wheezy] - python-keyring 0.7.1-1+deb7u1 [squeeze] - python-keyring (Minor issue) CVE-2012-5576 (Multiple stack-based buffer overflows in file-xwd.c in the X Window Du ...) - gimp 2.8.2-2 (bug #693977) [squeeze] - gimp 2.6.10-1+squeeze4 NOTE: Upstream fix http://git.gnome.org/browse/gimp/commit/?id=2873262fccba12af144ed96ed91be144d92ff2e1 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=687392 NOTE: http://www.openwall.com/lists/oss-security/2012/11/21/2 CVE-2012-5575 (Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x befo ...) NOT-FOR-US: Apache CXF CVE-2012-5574 (lib/form/sfForm.class.php in Symfony CMS before 1.4.20 allows remote a ...) NOT-FOR-US: Symfony CVE-2012-5573 (The connection_edge_process_relay_cell function in or/relay.c in Tor b ...) {DLA-17-1} - tor 0.2.3.25-1 (low) [squeeze] - tor 0.2.4.23-1~deb6u1 CVE-2012-5572 (CRLF injection vulnerability in the cookie method (lib/Dancer/Cookie.p ...) - libdancer-perl 1.3114+dfsg-1 (low; bug #694279) [wheezy] - libdancer-perl (Minor issue) NOTE: https://github.com/PerlDancer/Dancer/issues/859 CVE-2012-5571 (OpenStack Keystone Essex (2012.1) and Folsom (2012.2) does not properl ...) - keystone 2012.1.1-11 (bug #694433) CVE-2012-5570 (The Basic webmail module 6.x-1.x before 6.x-1.2 for Drupal allows remo ...) NOT-FOR-US: Drupal addon CVE-2012-5569 (Multiple cross-site scripting (XSS) vulnerabilities in the Basic webma ...) NOT-FOR-US: Drupal Webmail module CVE-2012-5568 (Apache Tomcat through 7.0.x allows remote attackers to cause a denial ...) - tomcat6 6.0.41-3 (unimportant) NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs - tomcat7 (unimportant) NOTE: No fix planned, can be mitigated by config changes: NOTE: http://mail-archives.apache.org/mod_mbox/tomcat-users/200906.mbox/%3C4A3D0884.5080309@apache.org%3E CVE-2012-5567 (Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith ...) - kronolith2 (Vulnerable code not present in 2.x codebase and later versions not yet packaged in sid) CVE-2012-5566 (Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith ...) - kronolith2 (Vulnerable code not present in 2.x codebase and later versions not yet packaged in sid) CVE-2012-5565 (Cross-site scripting (XSS) vulnerability in js/compose-dimp.js in Hord ...) - php-horde-imp (This doesn't seem to be packaged in sid's Horde and the imp3 and dimp1 packages from stable do not include the affected code) CVE-2012-5564 (android-tools 4.1.1 in Android Debug Bridge (ADB) allows local users t ...) - android-tools (unimportant; bug #688280) NOTE: Since android-tools/5.1.1.r38-1 the android-tools-adb binary package NOTE: is not built anymore which used to contain /usr/bin/adb. NOTE: Package still affected source-wise - android-platform-system-core (unimportant; bug #823792) NOTE: Neutralised by kernel hardening CVE-2012-5563 (OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not prope ...) - keystone (Folsom branch not packaged yet) CVE-2012-5562 (rhn-proxy: may transmit credentials over clear-text when accessing RHN ...) NOT-FOR-US: Red Hat Satellite CVE-2012-5561 (script/katello-generate-passphrase in Katello 1.1 uses world-readable ...) NOT-FOR-US: Katello CVE-2012-5560 (The default configuration in mate-settings-daemon 1.5.3 allows local u ...) - mate-settings-daemon (Fixed before initial release) NOTE: https://github.com/mate-desktop/mate-settings-daemon/commit/c7d634acd12814a1fe298118e65f1c688b3a9f74#diff-52ccb9f1be1c09e2f24b64d37b56c2f4 CVE-2012-5559 (Cross-site scripting (XSS) vulnerability in the page manager node view ...) NOT-FOR-US: Drupal chaos tool addon CVE-2012-5558 (Cross-site scripting (XSS) vulnerability in the Smiley module 6.x-1.x ...) NOT-FOR-US: Drupal contributed-module CVE-2012-5557 (The User Read-Only module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7. ...) NOT-FOR-US: Drupal contributed-module CVE-2012-5556 (Multiple cross-site request forgery (CSRF) vulnerabilities in the REST ...) NOT-FOR-US: Drupal contributed-module CVE-2012-5555 RESERVED CVE-2012-5554 (The default configuration for the Webform CiviCRM Integration module 7 ...) NOT-FOR-US: Drupal contributed-module CVE-2012-5553 (Multiple cross-site scripting (XSS) vulnerabilities in the OM Maximenu ...) NOT-FOR-US: Drupal contributed-module CVE-2012-5552 (The Password policy module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7 ...) NOT-FOR-US: Drupal contributed-module CVE-2012-5551 (Multiple cross-site scripting (XSS) vulnerabilities in the MailChimp m ...) NOT-FOR-US: Drupal contributed-module CVE-2012-5550 (SQL injection vulnerability in the Time Spent module 6.x and 7.x for D ...) NOT-FOR-US: Drupal contributed-module CVE-2012-5549 (Cross-site request forgery (CSRF) vulnerability in the Time Spent modu ...) NOT-FOR-US: Drupal contributed-module CVE-2012-5548 (Cross-site scripting (XSS) vulnerability in the Time Spent module 6.x ...) NOT-FOR-US: Drupal contributed-module CVE-2012-5547 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Sear ...) NOT-FOR-US: Drupal contributed-module CVE-2012-5546 REJECTED CVE-2012-5545 (Multiple cross-site scripting (XSS) vulnerabilities in the ShareThis m ...) NOT-FOR-US: Drupal contributed-module CVE-2012-5544 (The Mandrill module 7.x-1.x before 7.x-1.2 for Drupal allows remote au ...) NOT-FOR-US: Drupal contributed-module CVE-2012-5543 (The Feeds module 7.x-2.x before 7.x-2.0-alpha6 for Drupal, when a fiel ...) NOT-FOR-US: Drupal contributed-module CVE-2012-5542 (Cross-site request forgery (CSRF) vulnerability in the Commerce Extra ...) NOT-FOR-US: Drupal contributed-module CVE-2012-5541 (Cross-site scripting (XSS) vulnerability in the Twitter Pull module 6. ...) NOT-FOR-US: Drupal contributed-module CVE-2012-5540 (Multiple cross-site scripting (XSS) vulnerabilities in the Hostip modu ...) NOT-FOR-US: Drupal contributed-module CVE-2012-5539 (The Organic Groups (OG) module 7.x-1.x before 7.x-1.5 for Drupal does ...) NOT-FOR-US: Drupal contributed-module CVE-2012-5538 (Cross-site scripting (XSS) vulnerability in the FileField Sources modu ...) NOT-FOR-US: Drupal contributed-module CVE-2012-5537 (The Simplenews Scheduler module 6.x-2.x before 6.x-2.4 for Drupal allo ...) NOT-FOR-US: Drupal contributed-module CVE-2012-5536 (A certain Red Hat build of the pam_ssh_agent_auth module on Red Hat En ...) NOT-FOR-US: Red Hat-specific packaging flaw CVE-2012-5535 (gnome-system-log polkit policy allows arbitrary files on the system to ...) - gnome-system-log (Fedora-specific issue) CVE-2012-5534 (The hook_process function in the plugin API for WeeChat 0.3.0 through ...) {DSA-2598-1} - weechat 0.3.9.2-1 [wheezy] - weechat 0.3.8-1+deb7u1 CVE-2012-5533 (The http_request_split_value function in request.c in lighttpd before ...) - lighttpd 1.4.31-2 [squeeze] - lighttpd (Introduced in 1.4.31) CVE-2012-5532 (The main function in tools/hv/hv_kvp_daemon.c in hypervkvpd, as distri ...) - linux-tools (userspace daemon not built until later) - linux-2.6 (userspace daemon not yet present) CVE-2012-5531 (Multiple cross-site scripting (XSS) vulnerabilities in the GateIn Port ...) NOT-FOR-US: GateIn Portal CVE-2012-5530 (The (1) pcmd and (2) pmlogger init scripts in Performance Co-Pilot (PC ...) - pcp 3.7.1 (bug #698735; low) NOTE: first package in unstable is 3.7.1 (package has no debian revision) [squeeze] - pcp 3.3.3-squeeze3 CVE-2012-5529 (TraceManager in Firebird 2.5.0 and 2.5.1, when trace is enabled, allow ...) {DSA-2648-1} - firebird2.5 2.5.2~svn+54698.ds4-2 (low; bug #693210) - firebird2.1 (Only affects 2.5.x) CVE-2012-5528 RESERVED CVE-2012-5527 (Claws Mail vCalendar plugin: credentials exposed on interface ...) - claws-mail-extra-plugins 3.8.1-2 (unimportant; bug #693391) NOTE: More of a plain bug than a security vulnerability CVE-2012-5526 (CGI.pm module before 3.63 for Perl does not properly escape newlines i ...) {DSA-2587-1 DSA-2586-1} - perl 5.14.2-16 (bug #693420) - libcgi-pm-perl 3.61-2 (bug #693421) NOTE: http://cpansearch.perl.org/src/MARKSTOS/CGI.pm-3.63/Changes NOTE: https://github.com/markstos/CGI.pm/pull/23 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=877015 CVE-2012-5525 (The get_page_from_gfn hypercall function in Xen 4.2 allows local PV gu ...) - xen (Only affects Xen 4.2 and xen-unstable) CVE-2012-5524 (The _ssl_verify_callback function in tls_nb.py in Gajim before 0.15.3 ...) - gajim 0.15.4-1 (low; bug #693282) [wheezy] - gajim 0.15.1-4.1 [squeeze] - gajim (Minor issue) CVE-2012-5523 (core/email_api.php in MantisBT before 1.2.12 does not properly manage ...) - mantis 1.2.11-1.2 (bug #693283) [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: http://www.mantisbt.org/bugs/view.php?id=14704 CVE-2012-5522 (MantisBT before 1.2.12 does not use an expected default value during d ...) - mantis 1.2.11-1.2 (bug #693283) [squeeze] - mantis (Unsupported in squeeze-lts) NOTE: http://www.mantisbt.org/bugs/view.php?id=14496 CVE-2012-5521 (quagga (ospf6d) 0.99.21 has a DoS flaw in the way the ospf6d daemon pe ...) - quagga (unimportant; bug #693102) NOTE: Not reproducible so far CVE-2012-5520 (The send_to_sourcefire function in manage_sql.c in OpenVAS Manager 3.x ...) NOT-FOR-US: OpenVAS Manager CVE-2012-5519 (CUPS 1.4.4, when running in certain Linux distributions such as Debian ...) {DSA-2600-1} - cups 1.5.3-2.7 (bug #692791) NOTE: http://seclists.org/oss-sec/2012/q4/253 CVE-2012-5518 (vdsm: certificate generation upon node creation allowing vdsm to start ...) NOT-FOR-US: ovirt / vsdm CVE-2012-5517 (The online_pages function in mm/memory_hotplug.c in the Linux kernel b ...) - linux 3.2.41-1 - linux-2.6 [squeeze] - linux-2.6 (Vulnerable code not present) CVE-2012-5516 (Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1, when mo ...) NOT-FOR-US: Red Hat Enterprise Virtualisation Manager CVE-2012-5515 (The (1) XENMEM_decrease_reservation, (2) XENMEM_populate_physmap, and ...) {DSA-2582-1} - xen 4.1.3-5 CVE-2012-5514 (The guest_physmap_mark_populate_on_demand function in Xen 4.2 and earl ...) {DSA-2582-1} - xen 4.1.3-6 CVE-2012-5513 (The XENMEM_exchange handler in Xen 4.2 and earlier does not properly c ...) {DSA-2582-1} - xen 4.1.3-5 CVE-2012-5512 (Array index error in the HVMOP_set_mem_access handler in Xen 4.1 allow ...) - xen 4.1.3-5 [squeeze] - xen (Only affects Xen 4.1) CVE-2012-5511 (Stack-based buffer overflow in the dirty video RAM tracking functional ...) {DSA-2636-1} - xen 4.1.3-5 CVE-2012-5510 (Xen 4.x, when downgrading the grant table version, does not properly r ...) {DSA-2582-1} - xen 4.1.3-5 CVE-2012-5509 (aeolus-configserver-setup in the Aeolas Configuration Server, as used ...) NOT-FOR-US: Aeolus Cloud Configuration tool (not the pipe organ simulator in Debian) CVE-2012-5508 (The error pages in Plone before 4.2.3 and 4.3 before beta 1 allow remo ...) - zope2.12 2.12.26-1 (bug #692899) NOTE: https://plone.org/products/plone/security/advisories/20121106/24 CVE-2012-5507 (AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone ...) - zope2.12 2.12.26-1 (bug #692899) NOTE: https://plone.org/products/plone/security/advisories/20121106/23 CVE-2012-5506 (python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows r ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 CVE-2012-5505 (atat.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote atta ...) - zope2.12 2.12.26-1 (bug #692899) NOTE: https://plone.org/products/plone/security/advisories/20121106/21 CVE-2012-5504 (Cross-site scripting (XSS) vulnerability in widget_traversal.py in Plo ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 CVE-2012-5503 (ftp.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attac ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 CVE-2012-5502 (Cross-site scripting (XSS) vulnerability in safe_html.py in Plone befo ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 CVE-2012-5501 (at_download.py in Plone before 4.2.3 and 4.3 before beta 1 allows remo ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 CVE-2012-5500 (The batch id change script (renameObjectsByPaths.py) in Plone before 4 ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 CVE-2012-5499 (python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows r ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 CVE-2012-5498 (queryCatalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows rem ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 CVE-2012-5497 (membership_tool.py in Plone before 4.2.3 and 4.3 before beta 1 allows ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 CVE-2012-5496 (kupu_spellcheck.py in Kupu in Plone before 4.0 allows remote attackers ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 CVE-2012-5495 (python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows r ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 CVE-2012-5494 (Cross-site scripting (XSS) vulnerability in python_scripts.py in Plone ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 CVE-2012-5493 (gtbn.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote auth ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 CVE-2012-5492 (uid_catalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows remo ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 CVE-2012-5491 (z3c.form, as used in Plone before 4.2.3 and 4.3 before beta 1, allows ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 CVE-2012-5490 (Cross-site scripting (XSS) vulnerability in kssdevel.py in Plone befor ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 CVE-2012-5489 (The App.Undo.UndoSupport.get_request_var_or_attr function in Zope befo ...) - zope2.12 (bug #692899) [wheezy] - zope2.12 (Minor issue) NOTE: https://plone.org/products/plone/security/advisories/20121106/05 CVE-2012-5488 (python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows r ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 CVE-2012-5487 (The sandbox whitelisting function (allowmodule.py) in Plone before 4.2 ...) - zope2.12 (unimportant; bug #692899) NOTE: Non-issue, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692899#20 CVE-2012-5486 (ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used ...) - zope2.12 2.12.26-1 (bug #692899) NOTE: https://plone.org/products/plone/security/advisories/20121106/02 CVE-2012-5485 (registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allow ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 NOTE: https://plone.org/products/plone/security/advisories/20121106/01 CVE-2012-5484 (The client in FreeIPA 2.x and 3.x before 3.1.2 does not properly obtai ...) NOT-FOR-US: FreeIPA CVE-2012-5483 (tools/sample_data.sh in OpenStack Keystone 2012.1.3, when access to Am ...) - keystone (Debian packaging enforces correct permissions) CVE-2012-5482 (The v2 API in OpenStack Glance Grizzly, Folsom (2012.2), and Essex (20 ...) - glance 2012.1.1-3 (bug #692641) CVE-2012-5481 (Moodle 2.3.x before 2.3.3 allows remote authenticated users to bypass ...) - moodle (Doesn't affect 1.9 or 2.2) CVE-2012-5480 (The Database activity module in Moodle 2.1.x before 2.1.9, 2.2.x befor ...) - moodle 2.2.3.dfsg-2.6 [wheezy] - moodle 2.2.3.dfsg-2.6~wheezy0 [squeeze] - moodle (Doesn't affect 1.9) CVE-2012-5479 (The Portfolio plugin in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, ...) - moodle 2.2.3.dfsg-2.6 [wheezy] - moodle 2.2.3.dfsg-2.6~wheezy0 [squeeze] - moodle (Doesn't affect 1.9) CVE-2012-5478 (The AuthorizationInterceptor in JBoss Enterprise Application Platform ...) - jbossas4 (Only builds a few libraries, not the full application server, #581226) CVE-2012-5477 (The smart proxy in Foreman before 1.1 uses a umask set to 0, which all ...) - foreman (bug #663101) CVE-2012-5476 (Within the RHOS Essex Preview (2012.2) of the OpenStack dashboard pack ...) - horizon (File is installed with 0700 perms in Debian) CVE-2012-5475 [YUI 2.x security issue regarding embedded SWF files] REJECTED CVE-2012-5474 (The file /etc/openstack-dashboard/local_settings within Red Hat OpenSt ...) - horizon 2012.1.1-7 CVE-2012-5473 (The Database activity module in Moodle 2.1.x before 2.1.9, 2.2.x befor ...) - moodle 2.2.3.dfsg-2.6 [wheezy] - moodle 2.2.3.dfsg-2.6~wheezy0 [squeeze] - moodle (Doesn't affect 1.9) CVE-2012-5472 (lib/formslib.php in Moodle 2.2.x before 2.2.6 and 2.3.x before 2.3.3 a ...) - moodle 2.2.3.dfsg-2.6 [wheezy] - moodle 2.2.3.dfsg-2.6~wheezy0 [squeeze] - moodle (Doesn't affect 1.9) CVE-2012-5471 (The Dropbox Repository File Picker in Moodle 2.1.x before 2.1.9, 2.2.x ...) - moodle 2.2.3.dfsg-2.6 [wheezy] - moodle 2.2.3.dfsg-2.6~wheezy0 [squeeze] - moodle (Doesn't affect 1.9) CVE-2012-5470 (libpng_plugin in VideoLAN VLC media player 2.0.3 allows remote attacke ...) - vlc 2.0.4-1 (bug #692130) [wheezy] - vlc 2.0.3-4 [squeeze] - vlc (Minor issue) CVE-2012-5469 (The Portable phpMyAdmin plugin before 1.3.1 for WordPress allows remot ...) NOT-FOR-US: Wordpress plugin CVE-2012-5468 (Heap-based buffer overflow in iconvert.c in the bogolexer component in ...) {DSA-2585-1} - bogofilter 1.2.2+dfsg1-2 (bug #695139) CVE-2012-5467 RESERVED CVE-2012-5466 RESERVED CVE-2012-5465 RESERVED CVE-2012-5464 RESERVED CVE-2012-5463 RESERVED CVE-2012-5462 RESERVED CVE-2012-5461 RESERVED CVE-2012-5460 (Cross-site scripting (XSS) vulnerability in the help page in Juniper S ...) NOT-FOR-US: Juniper IVE OS CVE-2012-5459 (Untrusted search path vulnerability in VMware Workstation 8.x before 8 ...) NOT-FOR-US: VMware CVE-2012-5458 (VMware Workstation 8.x before 8.0.5 and VMware Player 4.x before 4.0.5 ...) NOT-FOR-US: VMware CVE-2012-5457 RESERVED CVE-2012-5456 (The Zoner AntiVirus Free application for Android does not verify that ...) NOT-FOR-US: Zoner AntiVirus Free CVE-2012-5455 (Cross-site scripting (XSS) vulnerability in the language search compon ...) NOT-FOR-US: Joomla! component CVE-2012-5454 (user/index_inline_editor_submit.php in ATutor AContent 1.2-1 does not ...) NOT-FOR-US: ATutor AContent CVE-2012-5453 (SQL injection vulnerability in user/index_inline_editor_submit.php in ...) NOT-FOR-US: ATutor AContent CVE-2012-5452 (Multiple cross-site scripting (XSS) vulnerabilities in Subrion CMS 2.2 ...) NOT-FOR-US: Subrion CMS CVE-2011-5212 (SQL injection vulnerability in admin/index.php in Subrion CMS 2.0.4 al ...) NOT-FOR-US: Subrion CMS CVE-2011-5211 (Cross-site scripting (XSS) vulnerability in the poll module in Subrion ...) NOT-FOR-US: Subrion CMS CVE-2012-5451 (Multiple stack-based buffer overflows in HttpUtils.dll in TVMOBiLi bef ...) NOT-FOR-US: TVMOBiLi CVE-2012-5450 (Cross-site request forgery (CSRF) vulnerability in lib/filemanager/ima ...) NOT-FOR-US: CMS Made Simple CVE-2012-5449 RESERVED CVE-2012-5448 RESERVED CVE-2012-5447 RESERVED CVE-2012-5446 RESERVED CVE-2012-5445 (The kernel in Cisco Native Unix (CNU) on Cisco Unified IP Phone 7900 s ...) NOT-FOR-US: Cisco Native Unix CVE-2012-5444 (Cisco TelePresence Video Communication Server (VCS) X7.0.3 does not pr ...) NOT-FOR-US: Cisco TelePresence Video Communication Server CVE-2012-5443 RESERVED CVE-2012-5442 RESERVED CVE-2012-5441 RESERVED CVE-2012-5440 RESERVED CVE-2012-5439 RESERVED CVE-2012-5438 RESERVED CVE-2012-5437 RESERVED CVE-2012-5436 RESERVED CVE-2012-5435 RESERVED CVE-2012-5434 RESERVED CVE-2012-5433 RESERVED CVE-2012-5432 RESERVED CVE-2012-5431 RESERVED CVE-2012-5430 RESERVED CVE-2012-5429 (The VPN driver in Cisco VPN Client on Windows does not properly intera ...) NOT-FOR-US: Cisco VPN Client CVE-2012-5428 RESERVED CVE-2012-5427 (Cisco IOS Unified Border Element (CUBE) in Cisco IOS before 15.3(2)T a ...) NOT-FOR-US: Cisco IOS CVE-2012-5426 RESERVED CVE-2012-5425 RESERVED CVE-2012-5424 (Cisco Secure Access Control System (ACS) 5.x before 5.2 Patch 11 and 5 ...) NOT-FOR-US: Cisco CVE-2012-5423 RESERVED CVE-2012-5422 (Unspecified vulnerability in Cisco IOS before 15.3(2)T on AS5400 devic ...) NOT-FOR-US: Cisco IOS CVE-2012-5421 RESERVED CVE-2012-5420 RESERVED CVE-2012-5419 (Cisco Adaptive Security Appliance (ASA) software 8.7.1 and 8.7.1.1 for ...) NOT-FOR-US: Cisco Adaptive Security Appliance CVE-2012-5418 RESERVED CVE-2012-5417 (Cisco Prime Data Center Network Manager (DCNM) before 6.1(1) does not ...) NOT-FOR-US: Cisco CVE-2012-5416 (Buffer overflow in Cisco Unified MeetingPlace Web Conferencing before ...) NOT-FOR-US: Cisco CVE-2012-5415 (Race condition on Cisco Adaptive Security Appliances (ASA) devices all ...) NOT-FOR-US: Cisco CVE-2012-5414 RESERVED CVE-2012-5413 RESERVED CVE-2012-5412 RESERVED CVE-2012-5411 RESERVED CVE-2012-5410 RESERVED CVE-2012-5409 (AscoServer.exe in the server in Siemens SiPass integrated MP2.6 and ea ...) NOT-FOR-US: Siemens SiPass CVE-2012-5408 RESERVED CVE-2012-5407 RESERVED CVE-2012-5406 RESERVED CVE-2012-5405 RESERVED CVE-2012-5404 RESERVED CVE-2012-5403 RESERVED CVE-2012-5402 RESERVED CVE-2012-5401 RESERVED CVE-2012-5400 RESERVED CVE-2012-5399 RESERVED CVE-2012-5398 RESERVED CVE-2012-5397 RESERVED CVE-2012-5396 RESERVED CVE-2012-5395 (Session fixation vulnerability in the CentralAuth extension for MediaW ...) NOT-FOR-US: Mediawiki extension CentralAuth CVE-2012-5394 (Cross-site request forgery (CSRF) vulnerability in the CentralAuth ext ...) NOT-FOR-US: mediawiki extension CentralAuth CVE-2012-5393 RESERVED CVE-2012-5392 RESERVED CVE-2012-5391 (Session fixation vulnerability in Special:UserLogin in MediaWiki befor ...) - mediawiki 1:1.19.3-1 (bug #694998) [squeeze] - mediawiki 1:1.15.5-2squeeze5 CVE-2012-5390 (The standard universe shadow (condor_shadow.std) component in Condor 7 ...) - condor (standard universe is disabled in the Debian package, see bug #697936) NOTE: http://research.cs.wisc.edu/htcondor/security/vulnerabilities/CONDOR-2012-0003.html CVE-2012-5389 (NULL Pointer Dereference in PowerTCP WebServer for ActiveX 1.9.2 and e ...) NOT-FOR-US: PowerTCP WebServer for ActiveX CVE-2012-5388 (Cross-site scripting (XSS) vulnerability in wlcms-plugin.php in the Wh ...) NOT-FOR-US: White Label CMS CVE-2012-5387 (Cross-site request forgery (CSRF) vulnerability in wlcms-plugin.php in ...) NOT-FOR-US: WordPress plugin White Label CMS CVE-2012-5386 (Directory traversal vulnerability in index.php in phpPaleo 4.8b180 all ...) NOT-FOR-US: phpPaleo CVE-2012-5385 (install/index.php in Craig Knudsen WebCalendar before 1.2.5 allows rem ...) - webcalendar CVE-2012-5384 (Multiple cross-site scripting (XSS) vulnerabilities in Craig Knudsen W ...) - webcalendar CVE-2012-5376 (The Inter-process Communication (IPC) implementation in Google Chrome ...) - chromium-browser 22.0.1229.94~r161065-1 [squeeze] - chromium-browser CVE-2012-5375 (The CRC32C feature in the Btrfs implementation in the Linux kernel bef ...) - linux 3.8-1 (unimportant) - linux-2.6 (unimportant) NOTE: btrfs support in Squeeze/Wheezy is not ready for production use CVE-2012-5374 (The CRC32C feature in the Btrfs implementation in the Linux kernel bef ...) - linux 3.8-1 (unimportant) - linux-2.6 (unimportant) NOTE: btrfs support in Squeeze/Wheezy is not ready for production use CVE-2012-5373 (Oracle Java SE 7 and earlier, and OpenJDK 7 and earlier, computes hash ...) - openjdk-6 (low) [wheezy] - openjdk-6 (Minor issue, no icedtea fix, too complex to backport) [squeeze] - openjdk-6 (Minor issue, no icedtea fix, too complex to backport) - openjdk-7 (low) [jessie] - openjdk-7 (Minor issue, no icedtea fix, too complex to backport) [wheezy] - openjdk-7 (Minor issue, no icedtea fix, too complex to backport) CVE-2012-5372 (Rubinius computes hash values without properly restricting the ability ...) - rubinius (bug #591817) CVE-2012-5371 (Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes ...) {DLA-263-1} - ruby1.8 (Only affects 1.9.x) - ruby1.9.1 1.9.3.194-4 (bug #693024) CVE-2012-5370 (JRuby computes hash values without properly restricting the ability to ...) {DLA-209-1} - jruby 1.5.6-5 (bug #694694) CVE-2012-5369 RESERVED CVE-2012-5368 (phpMyAdmin 3.5.x before 3.5.3 uses JavaScript code that is obtained th ...) - phpmyadmin (Only affects 3.5.x, not packaged yet, see #691728) CVE-2012-5367 (Multiple SQL injection vulnerabilities in OrangeHRM 2.7.1 RC 1 allow r ...) NOT-FOR-US: OrangeHRM CVE-2012-5366 (The IPv6 implementation in Apple Mac OS X (unknown versions, year 2012 ...) NOT-FOR-US: Mac OS X CVE-2012-5365 (The IPv6 implementation in FreeBSD and NetBSD (unknown versions, year ...) - kfreebsd-8 (low; bug #690986) - kfreebsd-9 (low) [squeeze] - kfreebsd-8 (Minor issue) [squeeze] - kfreebsd-9 (Minor issue) [wheezy] - kfreebsd-8 (Minor issue) [wheezy] - kfreebsd-9 (Minor issue) CVE-2012-5364 (The IPv6 implementation in Microsoft Windows 7 and earlier allows remo ...) NOT-FOR-US: Microsoft Windows CVE-2012-5363 (The IPv6 implementation in FreeBSD and NetBSD (unknown versions, year ...) - kfreebsd-8 (low; bug #690986) [squeeze] - kfreebsd-8 (Minor issue) [squeeze] - kfreebsd-9 (Minor issue) [wheezy] - kfreebsd-8 (Minor issue) [wheezy] - kfreebsd-9 (Minor issue) - kfreebsd-9 (low) CVE-2012-5362 (The IPv6 implementation in Microsoft Windows 7 and earlier allows remo ...) NOT-FOR-US: Microsoft Windows CVE-2012-5361 (Libavcodec in FFmpeg before 0.11 allows remote attackers to execute ar ...) - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:0.8.5-1 (bug #694483) NOTE: http://technet.microsoft.com/en-us/security/msvr/msvr12-017 NOTE: upstream needs a proper sample to reproduce the issue CVE-2012-5360 (Libavcodec in FFmpeg before 0.11 allows remote attackers to execute ar ...) - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:0.8.5-1 (bug #694483) NOTE: http://technet.microsoft.com/en-us/security/msvr/msvr12-017 NOTE: upstream needs a proper sample to reproduce the issue CVE-2012-5359 (Libavcodec in FFmpeg before 0.11 allows remote attackers to execute ar ...) - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:0.8.5-1 (bug #694483) NOTE: http://technet.microsoft.com/en-us/security/msvr/msvr12-017 NOTE: upstream needs a proper sample to reproduce the issue CVE-2012-5358 (The XSLTCompiledTransform function in Ektron Content Management System ...) NOT-FOR-US: Ektron Content Management System CVE-2012-5357 (Ektron Content Management System (CMS) before 8.02 SP5 uses the XslCom ...) NOT-FOR-US: Ektron Content Management System CVE-2012-5356 (The apt-add-repository tool in Ubuntu Software Properties 0.75.x befor ...) NOT-FOR-US: apt-add-repository CVE-2012-5355 (welcome.py in xdiagnose before 2.5.2ubuntu0.1 allows local users to ov ...) NOT-FOR-US: xdiagnose CVE-2012-5354 (Mozilla Firefox before 16.0, Thunderbird before 16.0, and SeaMonkey be ...) - iceape (Only affects 16.x release from experimental) - iceweasel (Only affects 16.x release from experimental) - icedove (Only affects 16.x release from experimental) CVE-2012-5383 (** DISPUTED ** Untrusted search path vulnerability in the installation ...) - mysql-5.1 (Windows issue only) - mysql-5.5 (Windows issue only) CVE-2012-5382 (** DISPUTED ** Untrusted search path vulnerability in the installation ...) NOT-FOR-US: Zend Server CVE-2012-5381 (** DISPUTED ** Untrusted search path vulnerability in the installation ...) - php5 (Windows issue only) CVE-2012-5380 (** DISPUTED ** Untrusted search path vulnerability in the installation ...) - ruby1.8 (Windows issue only) - ruby1.9.1 (Windows issue only) CVE-2012-5379 (** DISPUTED ** Untrusted search path vulnerability in the installation ...) NOT-FOR-US: ActivePython CVE-2012-5378 (Untrusted search path vulnerability in the installation functionality ...) NOT-FOR-US: ActiveTcl CVE-2012-5377 (Untrusted search path vulnerability in the installation functionality ...) NOT-FOR-US: ActivePerl CVE-2012-5353 (Eduserv OpenAthens SP 2.0 for Java allows remote attackers to forge me ...) NOT-FOR-US: Eduserv CVE-2012-5352 (Java Open Single Sign-On Project Home (JOSSO) allows remote attackers ...) NOT-FOR-US: josso CVE-2012-5351 (Apache Axis2 allows remote attackers to forge messages and bypass auth ...) - axis2c (low; bug #690421) [squeeze] - axis2c (Unsupported in squeeze-lts) NOTE: https://issues.apache.org/jira/browse/AXIS2C-1607 CVE-2012-5350 (SQL injection vulnerability in the Pay With Tweet plugin before 1.2 fo ...) NOT-FOR-US: wp Pay With Tweet plugin CVE-2012-5349 (Multiple cross-site scripting (XSS) vulnerabilities in pay.php in the ...) NOT-FOR-US: wp Pay With Tweet plugin CVE-2012-5348 (SQL injection vulnerability in MangosWeb Enhanced 3.0.3 allows remote ...) NOT-FOR-US: MangosWeb CVE-2012-5347 (TinyWebGallery 1.8.3 allows remote attackers to execute arbitrary code ...) NOT-FOR-US: TinyWebGallery CVE-2012-5346 (Cross-site scripting (XSS) vulnerability in wp-live.php in the WP Live ...) NOT-FOR-US: WP live plugin CVE-2012-5345 (Buffer overflow in the Remote command server (Rcmd.bat) in IpTools (ak ...) NOT-FOR-US: batch file CVE-2012-5344 (Directory traversal vulnerability in the WebServer (Thttpd.bat) in IpT ...) NOT-FOR-US: batch file CVE-2012-5343 (Cross-site scripting (XSS) vulnerability in admin/login.php in Limny 3 ...) NOT-FOR-US: Limny CVE-2012-5342 (Multiple SQL injection vulnerabilities in SenseSites CommonSense CMS a ...) NOT-FOR-US: SenseSites CommonSense CVE-2012-5341 (Multiple cross-site scripting (XSS) vulnerabilities in statistik.php i ...) NOT-FOR-US: Otterware StatIt CVE-2011-5210 (Directory traversal vulnerability in admin/preview.php in Limny 3.0.0 ...) NOT-FOR-US: Limny CVE-2011-5209 (Cross-site scripting (XSS) vulnerability in search/ in GraphicsClone S ...) NOT-FOR-US: GraphicsClone CVE-2012-5340 (SumatraPDF 2.1.1/MuPDF 1.0 allows remote attackers to cause an Integer ...) - mupdf 1.2-2 NOTE: https://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=f919270b6a732ff45c3ba2d0c105e2b39e9c9bc9 (1.1) CVE-2012-5339 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5. ...) - phpmyadmin (Only affects 3.5.x, not packaged yet, see #691728) CVE-2012-5338 (Open redirect vulnerability in JForum 2.1.9 allows remote attackers to ...) NOT-FOR-US: JForum CVE-2012-5337 (Multiple cross-site scripting (XSS) vulnerabilities in jforum.page in ...) NOT-FOR-US: jForum CVE-2012-5336 (lib/base.php in ownCloud before 4.0.8 does not properly validate the u ...) - owncloud 4.0.8debian-1 CVE-2012-5335 (Directory traversal vulnerability in Tiny Server 1.1.5 allows remote a ...) NOT-FOR-US: Tiny Server CVE-2012-5334 (SQL injection vulnerability in product_desc.php in Pre Printing Press ...) NOT-FOR-US: Pre Printing Press CVE-2012-5333 (SQL injection vulnerability in page.php in Pre Printing Press allows r ...) NOT-FOR-US: Pre Printing Press CVE-2012-5332 (at32 Reverse Proxy 1.060.310 allows remote attackers to cause a denial ...) NOT-FOR-US: at32 Reverse Proxy CVE-2012-5331 (Directory traversal vulnerability in asaanCart 0.9 allows remote attac ...) NOT-FOR-US: asaanCart CVE-2012-5330 (Multiple cross-site scripting (XSS) vulnerabilities in asaanCart 0.9 a ...) NOT-FOR-US: asaanCart CVE-2012-5329 (Buffer overflow in TYPSoft FTP Server 1.1 allows remote authenticated ...) NOT-FOR-US: TYPSoft FTP CVE-2012-5328 (Multiple SQL injection vulnerabilities in the Mingle Forum plugin 1.0. ...) NOT-FOR-US: WP Mingle Forum CVE-2012-5327 (Multiple SQL injection vulnerabilities in fs-admin/fs-admin.php in the ...) NOT-FOR-US: WP Mingle Forum CVE-2012-5326 (Cross-site request forgery (CSRF) vulnerability in admin/function.php ...) NOT-FOR-US: IDevSpot iSupport CVE-2012-5325 (Multiple cross-site scripting (XSS) vulnerabilities in the scr_do_redi ...) NOT-FOR-US: WP Shortcode CVE-2012-5324 (Multiple buffer overflows in the Pdf Printer Preferences ActiveX Contr ...) NOT-FOR-US: PDF-XChange CVE-2012-5323 (Cross-site request forgery (CSRF) vulnerability in webconfig/admin_pas ...) NOT-FOR-US: Xavi ADSL router CVE-2012-5322 (Multiple cross-site scripting (XSS) vulnerabilities in Xavi X7968 allo ...) NOT-FOR-US: Xavi ADSL router CVE-2012-5321 (tiki-featured_link.php in TikiWiki CMS/Groupware 8.3 allows remote att ...) - tikiwiki CVE-2012-5320 (Cross-site request forgery (CSRF) vulnerability in password.cgi in Sag ...) NOT-FOR-US: Sagem CVE-2012-5319 (Cross-site request forgery (CSRF) vulnerability in setup/security.cgi ...) NOT-FOR-US: D-link CVE-2012-5318 (Unrestricted file upload vulnerability in uploadify/scripts/uploadify. ...) NOT-FOR-US: WP Kish CVE-2012-5317 (SQL injection vulnerability in main_bigware_43.php in Bigware Shop bef ...) NOT-FOR-US: Bigware Shop CVE-2012-5316 (Multiple cross-site scripting (XSS) vulnerabilities in Barracuda Spam ...) NOT-FOR-US: Barracuda CVE-2012-5315 (Multiple cross-site scripting (XSS) vulnerabilities in php ireport 1.0 ...) NOT-FOR-US: iReport CVE-2012-5314 (Cross-site scripting (XSS) vulnerability in ViewGit 0.0.6 and earlier ...) NOT-FOR-US: ViewGit CVE-2012-5313 (SQL injection vulnerability in forum.asp in Snitz Forums 2000 allows r ...) NOT-FOR-US: Snitz Forums CVE-2012-5312 (SQL injection vulnerability in Tribiq CMS allows remote attackers to e ...) NOT-FOR-US: Tribiq CMS CVE-2012-5311 REJECTED CVE-2012-5310 (SQL injection vulnerability in the WP e-Commerce plugin before 3.8.7.6 ...) NOT-FOR-US: WP e-Commerce plugin CVE-2012-5309 (servlet/traveler in IBM Lotus Notes Traveler through 8.5.3.3 Interim F ...) NOT-FOR-US: Lotus Notes CVE-2012-5308 (Cross-site request forgery (CSRF) vulnerability in servlet/traveler in ...) NOT-FOR-US: Lotus Notes CVE-2012-5307 (Cross-site scripting (XSS) vulnerability in servlet/traveler in IBM Lo ...) NOT-FOR-US: Lotus Notes CVE-2012-5306 (Stack-based buffer overflow in the SelectDirectory method in DcsCliCtr ...) NOT-FOR-US: D-Link CVE-2012-5305 (Cross-site scripting (XSS) vulnerability in CMD_DOMAIN in JBMC Softwar ...) NOT-FOR-US: DirectAdmin CVE-2012-5304 (Static code injection vulnerability in administration/install.php in Y ...) NOT-FOR-US: YVS CVE-2012-5303 (Monkey HTTP Daemon 0.9.3 might allow local users to overwrite arbitrar ...) - monkey (unimportant) CVE-2012-5302 (The server in TIBCO Formvine 3.1.x and 3.2.x before 3.2.1 does not pro ...) NOT-FOR-US: TIBCO Formvine CVE-2011-5208 (Multiple directory traversal vulnerabilities in the BackWPup plugin be ...) NOT-FOR-US: BackWPup CVE-2010-5279 (article.php in Virtual War (aka VWar) 1.6.1 R2 allows remote attackers ...) NOT-FOR-US: VWar CVE-2010-5278 (Directory traversal vulnerability in manager/controllers/default/resou ...) NOT-FOR-US: MODx Revolution CVE-2010-5277 (Unspecified vulnerability in the Views Bulk Operations module 6 before ...) NOT-FOR-US: Drupal Views Bulk Operations CVE-2010-5276 (The Memcache module 5.x before 5.x-1.10 and 6.x before 6.x-1.6 for Dru ...) NOT-FOR-US: Drupal Memcache CVE-2010-5275 (Cross-site scripting (XSS) vulnerability in memcache_admin in the Memc ...) NOT-FOR-US: Drupal Memcache CVE-2012-5301 (The default configuration of Cerberus FTP Server before 5.0.4.0 suppor ...) NOT-FOR-US: Cerberus CVE-2012-5300 (SQL injection vulnerability in art_catalogo.php in MyStore Xpress Tien ...) NOT-FOR-US: MyStore Xpress CVE-2012-5299 (Mavili Guestbook, as released in November 2007, allows remote attacker ...) NOT-FOR-US: Mavili Guestbook CVE-2012-5298 (Mavili Guestbook, as released in November 2007, stores guestbook.mdb u ...) NOT-FOR-US: Mavili Guestbook CVE-2012-5297 (SQL injection vulnerability in edit.asp in Mavili Guestbook, as releas ...) NOT-FOR-US: Mavili Guestbook CVE-2012-5296 (Multiple cross-site scripting (XSS) vulnerabilities in Mavili Guestboo ...) NOT-FOR-US: Mavili Guestbook CVE-2012-5295 (Cross-site scripting (XSS) vulnerability in login.cfm in FuseTalk Foru ...) NOT-FOR-US: FuseTalk CVE-2012-5294 (SQL injection vulnerability in art_detalle.php in MyStore Xpress Tiend ...) NOT-FOR-US: MyStore Xpress CVE-2012-5293 (Multiple PHP remote file inclusion vulnerabilities in SAPID CMS 1.2.3 ...) NOT-FOR-US: SAPID CMS CVE-2012-5292 (Multiple SQL injection vulnerabilities in Atar2b CMS 4.0.1 allow remot ...) NOT-FOR-US: Atar2b CVE-2012-5291 (SQL injection vulnerability in team.php in Posse Softball Director CMS ...) NOT-FOR-US: Posse Softball Director CVE-2012-5290 (Multiple SQL injection vulnerabilities in EasyWebRealEstate allow remo ...) NOT-FOR-US: EasyWebRealEstate CVE-2012-5289 (Multiple SQL injection vulnerabilities in Plogger 1.0 RC1 allow remote ...) NOT-FOR-US: Plogger CVE-2012-5288 (SQL injection vulnerability in page.php in phpMyDirectory 1.3.3 allows ...) NOT-FOR-US: phpMyDirectory CVE-2011-5207 (Cross-site scripting (XSS) vulnerability in admin/OptionsPostsList.php ...) NOT-FOR-US: WP TheCartPress CVE-2011-5206 (Cross-site scripting (XSS) vulnerability in notes.php in Rapidleech be ...) NOT-FOR-US: Rapidleech CVE-2011-5205 (Cross-site scripting (XSS) vulnerability in audl.php in Rapidleech 2.3 ...) NOT-FOR-US: Rapidleech CVE-2011-5204 (Akiva WebBoard 8.x stores passwords in plaintext, which allows local u ...) NOT-FOR-US: Akiva WebBoard CVE-2011-5203 (SQL injection vulnerability in WB/Default.asp in Akiva WebBoard before ...) NOT-FOR-US: Akiva WebBoard CVE-2012-XXXX [gunicorn fails to drop supplemental groups] - gunicorn 0.14.5-3 (low) [squeeze] - gunicorn (Minor issue) CVE-2012-5287 (Buffer overflow in Adobe Flash Player before 10.3.183.29 and 11.x befo ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5286 (Buffer overflow in Adobe Flash Player before 10.3.183.29 and 11.x befo ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5285 (Buffer overflow in Adobe Flash Player before 10.3.183.29 and 11.x befo ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5284 REJECTED CVE-2012-5283 REJECTED CVE-2012-5282 REJECTED CVE-2012-5281 REJECTED CVE-2012-5280 (Buffer overflow in Adobe Flash Player before 10.3.183.43 and 11.x befo ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5279 (Adobe Flash Player before 10.3.183.43 and 11.x before 11.5.502.110 on ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5278 (Adobe Flash Player before 10.3.183.43 and 11.x before 11.5.502.110 on ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5277 (Buffer overflow in Adobe Flash Player before 10.3.183.43 and 11.x befo ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5276 (Buffer overflow in Adobe Flash Player before 10.3.183.43 and 11.x befo ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5275 (Buffer overflow in Adobe Flash Player before 10.3.183.43 and 11.x befo ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5274 (Buffer overflow in Adobe Flash Player before 10.3.183.43 and 11.x befo ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5273 (Buffer overflow in Adobe Shockwave Player before 11.6.8.638 allows att ...) NOT-FOR-US: Adobe Shockwave CVE-2012-5272 (Adobe Flash Player before 10.3.183.29 and 11.x before 11.4.402.287 on ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5271 (Adobe Flash Player before 10.3.183.29 and 11.x before 11.4.402.287 on ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5270 (Adobe Flash Player before 10.3.183.29 and 11.x before 11.4.402.287 on ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5269 (Adobe Flash Player before 10.3.183.29 and 11.x before 11.4.402.287 on ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5268 (Adobe Flash Player before 10.3.183.29 and 11.x before 11.4.402.287 on ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5267 (Adobe Flash Player before 10.3.183.29 and 11.x before 11.4.402.287 on ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5266 (Buffer overflow in Adobe Flash Player before 10.3.183.29 and 11.x befo ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5265 (Buffer overflow in Adobe Flash Player before 10.3.183.29 and 11.x befo ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5264 (Buffer overflow in Adobe Flash Player before 10.3.183.29 and 11.x befo ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5263 (Adobe Flash Player before 10.3.183.29 and 11.x before 11.4.402.287 on ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5262 (Buffer overflow in Adobe Flash Player before 10.3.183.29 and 11.x befo ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5261 (Adobe Flash Player before 10.3.183.29 and 11.x before 11.4.402.287 on ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5260 (Buffer overflow in Adobe Flash Player before 10.3.183.29 and 11.x befo ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5259 (Buffer overflow in Adobe Flash Player before 10.3.183.29 and 11.x befo ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5258 (Adobe Flash Player before 10.3.183.29 and 11.x before 11.4.402.287 on ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5257 (Buffer overflow in Adobe Flash Player before 10.3.183.29 and 11.x befo ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5256 (Adobe Flash Player before 10.3.183.29 and 11.x before 11.4.402.287 on ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5255 (Buffer overflow in Adobe Flash Player before 10.3.183.29 and 11.x befo ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5254 (Buffer overflow in Adobe Flash Player before 10.3.183.29 and 11.x befo ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5253 (Buffer overflow in Adobe Flash Player before 10.3.183.29 and 11.x befo ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5252 (Adobe Flash Player before 10.3.183.29 and 11.x before 11.4.402.287 on ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5251 (Buffer overflow in Adobe Flash Player before 10.3.183.29 and 11.x befo ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5250 (Buffer overflow in Adobe Flash Player before 10.3.183.29 and 11.x befo ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5249 (Buffer overflow in Adobe Flash Player before 10.3.183.29 and 11.x befo ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5248 (Buffer overflow in Adobe Flash Player before 10.3.183.29 and 11.x befo ...) NOT-FOR-US: Adobe Flash Player CVE-2012-5247 RESERVED CVE-2012-5246 RESERVED CVE-2012-5245 RESERVED CVE-2012-5244 (Multiple SQL injection vulnerabilities in Banana Dance B.2.6 and earli ...) NOT-FOR-US: Banana Dance CVE-2012-5243 (functions/suggest.php in Banana Dance B.2.6 and earlier allows remote ...) NOT-FOR-US: Banana Dance CVE-2012-5242 (Directory traversal vulnerability in functions/suggest.php in Banana D ...) NOT-FOR-US: Banana Dance CVE-2012-5241 RESERVED NOT-FOR-US: PEAR module for Twitter CVE-2012-5240 (Buffer overflow in the dissect_tlv function in epan/dissectors/packet- ...) - wireshark 1.8.2-2 (bug #689972) [squeeze] - wireshark (Only affects 1.8.x) CVE-2012-5239 REJECTED CVE-2012-5238 (epan/dissectors/packet-ppp.c in the PPP dissector in Wireshark 1.8.x b ...) - wireshark 1.8.2-2 (bug #689972) [squeeze] - wireshark (Only affects 1.8.x) CVE-2012-5237 (The dissect_hsrp function in epan/dissectors/packet-hsrp.c in the HSRP ...) - wireshark 1.8.2-2 (bug #689972) [squeeze] - wireshark (Only affects 1.8.x) CVE-2012-5236 REJECTED CVE-2012-5235 RESERVED CVE-2012-5234 (Open redirect vulnerability in index.php in ocPortal before 7.1.6 allo ...) - ocportal (bug #625865) CVE-2012-5233 (Cross-site scripting (XSS) vulnerability in the stickynote module befo ...) NOT-FOR-US: Drupal stickynote CVE-2012-5232 (Cross-site scripting (XSS) vulnerability in the Quickl Form component ...) NOT-FOR-US: Joomla component CVE-2012-5231 (miniCMS 1.0 and 2.0 allows remote attackers to execute arbitrary PHP c ...) NOT-FOR-US: miniCMS CVE-2012-5230 (Unspecified vulnerability in the JE Story Submit (com_jesubmit) compon ...) NOT-FOR-US: Joomla jesusmit CVE-2012-5229 (Cross-site scripting (XSS) vulnerability in css/gallery-css.php in the ...) NOT-FOR-US: WP Gallery2 CVE-2012-5228 (Cross-site scripting (XSS) vulnerability in admin/index.php in phplist ...) - phplist (bug #612288) CVE-2012-5227 (SQL injection vulnerability in administrer/tva.php in Peel SHOPPING 2. ...) NOT-FOR-US: Peel Shopping CVE-2012-5226 (Multiple cross-site scripting (XSS) vulnerabilities in Peel SHOPPING 2 ...) NOT-FOR-US: Peel Shopping CVE-2012-5225 (Cross-site scripting (XSS) vulnerability in webscr.php in xClick Cart ...) NOT-FOR-US: xClick CVE-2012-5224 (PHP remote file inclusion vulnerability in vb/includes/vba_cmps_includ ...) NOT-FOR-US: vbadvanced CMPS CVE-2012-5223 (The proc_deutf function in includes/functions_vbseocp_abstract.php in ...) NOT-FOR-US: vBSEO CVE-2012-5222 (HP Service Manager Web Tier 9.31 before 9.31.2004 p2 allows remote att ...) NOT-FOR-US: HP Service Manager CVE-2012-5221 (Directory traversal vulnerability in the PostScript Interpreter, as us ...) NOT-FOR-US: HP LaserJet CVE-2012-5220 (Unspecified vulnerability in HP Storage Data Protector 6.20, 6.21, 7.0 ...) NOT-FOR-US: HP Storage Data Protector CVE-2012-5219 (Cross-site scripting (XSS) vulnerability in HP Managed Printing Admini ...) NOT-FOR-US: HP Managed Printing Administration CVE-2012-5218 (HP ElitePad 900 PCs with BIOS F.0x before F.01 Update 1.0.0.8 do not e ...) NOT-FOR-US: HP ElitePad 900 CVE-2012-5217 (HP System Management Homepage (SMH) before 7.2.1 allows remote attacke ...) NOT-FOR-US: HP System Management Homepage CVE-2012-5216 (Cross-site request forgery (CSRF) vulnerability on HP ProCurve 1700-8 ...) NOT-FOR-US: HP ProCurve CVE-2012-5215 (Unspecified vulnerability on the HP LaserJet Pro M1212nf, M1213nf, M12 ...) NOT-FOR-US: HP LaserJet Pro CVE-2012-5214 (Unspecified vulnerability in HP ServiceCenter 6.2.8 before 6.2.8.10 al ...) NOT-FOR-US: HP ServiceCenter CVE-2012-5213 (Unspecified vulnerability in HP Intelligent Management Center (iMC) an ...) NOT-FOR-US: HP Intelligent Management Center CVE-2012-5212 (Unspecified vulnerability in HP Intelligent Management Center (iMC) an ...) NOT-FOR-US: HP Intelligent Management Center CVE-2012-5211 (Unspecified vulnerability in HP Intelligent Management Center (iMC) Us ...) NOT-FOR-US: HP Intelligent Management Center CVE-2012-5210 (Unspecified vulnerability in HP Intelligent Management Center (iMC) TA ...) NOT-FOR-US: HP Intelligent Management Center CVE-2012-5209 (Unspecified vulnerability in HP Intelligent Management Center (iMC) an ...) NOT-FOR-US: HP Intelligent Management Center CVE-2012-5208 (Unspecified vulnerability in HP Intelligent Management Center (iMC) an ...) NOT-FOR-US: HP Intelligent Management Center CVE-2012-5207 (Unspecified vulnerability in HP Intelligent Management Center (iMC) an ...) NOT-FOR-US: HP Intelligent Management Center CVE-2012-5206 (Unspecified vulnerability in HP Intelligent Management Center (iMC) an ...) NOT-FOR-US: HP Intelligent Management Center CVE-2012-5205 (Unspecified vulnerability in HP Intelligent Management Center (iMC) an ...) NOT-FOR-US: HP Intelligent Management Center CVE-2012-5204 (Unspecified vulnerability in HP Intelligent Management Center (iMC) an ...) NOT-FOR-US: HP Intelligent Management Center CVE-2012-5203 (Unspecified vulnerability in HP Intelligent Management Center (iMC) an ...) NOT-FOR-US: HP Intelligent Management Center CVE-2012-5202 (Unspecified vulnerability in HP Intelligent Management Center (iMC) an ...) NOT-FOR-US: HP Intelligent Management Center CVE-2012-5201 (Unspecified vulnerability in HP Intelligent Management Center (iMC) an ...) NOT-FOR-US: HP Intelligent Management Center CVE-2012-5200 (Cross-site scripting (XSS) vulnerability in HP Intelligent Management ...) NOT-FOR-US: HP Intelligent Management Center CVE-2012-5199 (Unspecified vulnerability in HP ArcSight Connector Appliance 6.3 and e ...) NOT-FOR-US: HP ArcSight Connector Appliance CVE-2012-5198 (Unspecified vulnerability in HP ArcSight Connector Appliance before 6. ...) NOT-FOR-US: HP ArcSight Connector Appliance CVE-2011-5202 (BazisVirtualCDBus.sys in WinCDEmu 3.6 allows local users to cause a de ...) NOT-FOR-US: WinCDEmu CVE-2012-5197 (Multiple unspecified vulnerabilities in Condor 7.6.x before 7.6.10 and ...) - condor 7.8.2~dfsg.1-1+deb7u1 (unimportant) NOTE: Not exploitable according to upstream CVE-2012-5196 (Multiple buffer overflows in Condor 7.6.x before 7.6.10 and 7.8.x befo ...) - condor 7.8.2~dfsg.1-1+deb7u1 (unimportant) NOTE: Not exploitable according to upstream CVE-2012-5195 (Heap-based buffer overflow in the Perl_repeatcpy function in util.c in ...) {DSA-2586-1} - perl 5.14.2-14 (bug #689314) CVE-2012-5194 RESERVED CVE-2012-5193 (Multiple cross-site scripting (XSS) vulnerabilities in Bitweaver 2.8.1 ...) NOT-FOR-US: Bitweaver CVE-2012-5192 (Directory traversal vulnerability in gmap/view_overlay.php in Bitweave ...) NOT-FOR-US: Bitweaver CVE-2012-5191 RESERVED CVE-2012-5190 (Prizm Content Connect 5.1 has an Arbitrary File Upload Vulnerability ...) NOT-FOR-US: Prizm Content Connect CVE-2012-5189 REJECTED CVE-2012-5188 (Untrusted search path vulnerability in mora Downloader before 1.0.0.1 ...) NOT-FOR-US: mora Downloader CVE-2012-5187 (The Weathernews Touch application 2.3.2 and earlier for Android allows ...) NOT-FOR-US: Android CVE-2012-5186 (Cross-site scripting (XSS) vulnerability in FLUGELz netmania myu-s and ...) NOT-FOR-US: FLUGELz netmania myu-s, PHP WeblogSystem CVE-2012-5185 (Directory traversal vulnerability in the Olive Toast Documents Pro Fil ...) NOT-FOR-US: Olive Toast Documents Pro File Viewer CVE-2012-5184 (Cross-site scripting (XSS) vulnerability in the Olive Toast Documents ...) NOT-FOR-US: Olive Toast Documents Pro File Viewer CVE-2012-5183 (The Loctouch application 3.4.6 and earlier for Android allows attacker ...) NOT-FOR-US: Loctouch application for Android CVE-2012-5182 (The Loctouch application 3.4.6 and earlier for Android does not proper ...) NOT-FOR-US: Loctouch application for Android CVE-2012-5181 (Cross-site scripting (XSS) vulnerability in concrete5 Japanese 5.5.1 t ...) NOT-FOR-US: concrete5 CVE-2012-5180 (The Opera Mobile application before 12.1 and Opera Mini application be ...) NOT-FOR-US: Opera Mobile application for Android CVE-2012-5179 (The Boat Browser application before 4.2 and Boat Browser Mini applicat ...) NOT-FOR-US: Boat Browser application for Android CVE-2012-5178 (Cross-site request forgery (CSRF) vulnerability in the Welcart plugin ...) NOT-FOR-US: WordPress Welcart plugin CVE-2012-5177 (Cross-site scripting (XSS) vulnerability in the Welcart plugin before ...) NOT-FOR-US: WordPress Welcart plugin CVE-2012-5176 (Cross-site scripting (XSS) vulnerability in KENT-WEB ACCESS REPORT 5.0 ...) NOT-FOR-US: KENT-WEB ACCESS REPORT CVE-2012-5175 (Cross-site scripting (XSS) vulnerability in KENT-WEB ACCESS REPORT 4.2 ...) NOT-FOR-US: KENT-WEB ACCESS REPORT CVE-2012-5174 (The KYOCERA AH-K3001V, AH-K3002V, WX300K, WX310K, WX320K, and WX320KR ...) NOT-FOR-US: KYOCERA CVE-2012-5173 (Session fixation vulnerability in BIGACE before 2.7.8 allows remote at ...) NOT-FOR-US: BIGACE CVE-2012-5172 (The Asial Monaca Debugger application before 1.4.2 for Android allows ...) NOT-FOR-US: Asial Monaca Debugger CVE-2012-5171 (Directory traversal vulnerability in Be Graph BeZIP before 3.10 allows ...) NOT-FOR-US: Be Graph's BeZIP CVE-2012-5170 (Open redirect vulnerability in Pebble before 2.6.4 allows remote attac ...) NOT-FOR-US: Pebble blog CVE-2012-5169 (Multiple cross-site scripting (XSS) vulnerabilities in file_manager/pr ...) NOT-FOR-US: ATutor AContent CVE-2012-5168 (ATutor AContent before 1.2-1 allows remote attackers to modify arbitra ...) NOT-FOR-US: ATutor AContent CVE-2012-5167 (Multiple SQL injection vulnerabilities in ATutor AContent before 1.2-1 ...) NOT-FOR-US: ATutor AContent CVE-2012-5166 (ISC BIND 9.x before 9.7.6-P4, 9.8.x before 9.8.3-P4, 9.9.x before 9.9. ...) {DSA-2560-1} - bind9 1:9.8.1.dfsg.P1-4.3 (bug #690118) - isc-dhcp (issue only affects the named service, which isn't used by isc-dhcp) CVE-2012-5165 RESERVED CVE-2012-5164 (Multiple cross-site scripting (XSS) vulnerabilities in Fork CMS before ...) NOT-FOR-US: Fork CMS CVE-2012-5163 (Cross-site scripting (XSS) vulnerability in oc-admin/ajax/ajax.php in ...) NOT-FOR-US: OSClass not in Debian CVE-2012-5162 (Multiple SQL injection vulnerabilities in oc-admin/ajax/ajax.php in OS ...) NOT-FOR-US: OSClass not in Debian CVE-2012-5161 (The XML Service interface in Citrix XenApp 6.5 and 6.5 Feature Pack 1 ...) NOT-FOR-US: Citrix XenApp CVE-2012-5160 RESERVED CVE-2012-5158 (Puppet Enterprise (PE) before 2.6.1 does not properly invalidate sessi ...) - puppet (Only affects Puppet Enterprise) CVE-2012-5157 (Google Chrome before 24.0.1312.52 does not properly handle image data ...) - chromium-browser (PDF functionality not available in Chromium) CVE-2012-5156 (Use-after-free vulnerability in Google Chrome before 24.0.1312.52 allo ...) - chromium-browser (PDF functionality not available in Chromium) CVE-2012-5155 (Google Chrome before 24.0.1312.52 on Mac OS X does not use an appropri ...) - chromium-browser (Only affects MacOS X) CVE-2012-5154 (Integer overflow in Google Chrome before 24.0.1312.52 on Windows allow ...) - chromium-browser (Only affects Windows) CVE-2012-5153 (Google V8 before 3.14.5.3, as used in Google Chrome before 24.0.1312.5 ...) - libv8 (bug #702261; kMinFixedIndex and kMaxFixedIndex are hard-coded to the correct values in 3.8.9.20, a later commit introduced a caclulation that produced incorrect values) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2012-5152 (Google Chrome before 24.0.1312.52 allows remote attackers to cause a d ...) [squeeze] - chromium-browser - chromium-browser 24.0.1312.68-1 CVE-2012-5151 (Integer overflow in Google Chrome before 24.0.1312.52 allows remote at ...) - chromium-browser (PDF functionality not available in Chromium) CVE-2012-5150 (Use-after-free vulnerability in Google Chrome before 24.0.1312.52 allo ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) - libav 6:0.8.6-1 CVE-2012-5149 (Integer overflow in the audio IPC layer in Google Chrome before 24.0.1 ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2012-5148 (The hyphenation functionality in Google Chrome before 24.0.1312.52 doe ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2012-5147 (Use-after-free vulnerability in Google Chrome before 24.0.1312.52 allo ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2012-5146 (Google Chrome before 24.0.1312.52 allows remote attackers to bypass th ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2012-5145 (Use-after-free vulnerability in Google Chrome before 24.0.1312.52 allo ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2012-5144 (Google Chrome before 23.0.1271.97, and Libav 0.7.x before 0.7.7 and 0. ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser - ffmpeg (Vulnerable code not present) - libav 6:0.8.5-1 (bug #694483) NOTE: libav fix: http://git.libav.org/?p=libav.git;a=commitdiff;h=6d5b0092678b2a95dfe209a207550bd2fe9ef646 CVE-2012-5143 (Integer overflow in Google Chrome before 23.0.1271.97 allows remote at ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2012-5142 (Google Chrome before 23.0.1271.97 does not properly handle history nav ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2012-5141 (Google Chrome before 23.0.1271.97 does not properly restrict instantia ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2012-5140 (Use-after-free vulnerability in Google Chrome before 23.0.1271.97 allo ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2012-5139 (Use-after-free vulnerability in Google Chrome before 23.0.1271.97 allo ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2012-5138 (Google Chrome before 23.0.1271.95 does not properly handle file paths, ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2012-5137 (Use-after-free vulnerability in Google Chrome before 23.0.1271.95 allo ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2012-5136 (Google Chrome before 23.0.1271.91 does not properly perform a cast of ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2012-5135 (Use-after-free vulnerability in Google Chrome before 23.0.1271.91 allo ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2012-5134 (Heap-based buffer underflow in the xmlParseAttValueComplex function in ...) {DSA-2580-1} - libxml2 2.8.0+dfsg1-7 (bug #694521) CVE-2012-5133 (Use-after-free vulnerability in Google Chrome before 23.0.1271.91 allo ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2012-5132 (Google Chrome before 23.0.1271.91 allows remote attackers to cause a d ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2012-5131 (Google Chrome before 23.0.1271.91 on Mac OS X does not properly mitiga ...) - chromium-browser (MacOS-specific) CVE-2012-5130 (Skia, as used in Google Chrome before 23.0.1271.91, allows remote atta ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2012-5129 (Heap-based buffer overflow in the WebGL subsystem in Google Chrome OS ...) - mesa 8.0.5-3 (bug #695248) [squeeze] - mesa (Vulnerable code not present) CVE-2012-5128 (Google V8 before 3.13.7.5, as used in Google Chrome before 23.0.1271.6 ...) - libv8 (Doesn't affect 3.8.9, see bug #694808) CVE-2012-5127 (Integer overflow in Google Chrome before 23.0.1271.64 allows remote at ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser - libwebp 0.1.3-3+nmu1 (bug #704573) NOTE: fixed in experimental version 0.2.1-1 NOTE: https://bugs.gentoo.org/show_bug.cgi?id=442152 NOTE: Upstream announce: https://groups.google.com/a/webmproject.org/forum/?fromgroups=#!topic/webp-discuss/QTtgi8YfgkE CVE-2012-5126 (Use-after-free vulnerability in Google Chrome before 23.0.1271.64 allo ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2012-5125 (Use-after-free vulnerability in Google Chrome before 23.0.1271.64 allo ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2012-5124 (Google Chrome before 23.0.1271.64 does not properly handle textures, w ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2012-5123 (Skia, as used in Google Chrome before 23.0.1271.64, allows remote atta ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2012-5122 (Google Chrome before 23.0.1271.64 does not properly perform a cast of ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2012-5121 (Use-after-free vulnerability in Google Chrome before 23.0.1271.64 allo ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2012-5120 (Google V8 before 3.13.7.5, as used in Google Chrome before 23.0.1271.6 ...) - libv8 (Doesn't affect 3.8.9, see bug #694808) CVE-2012-5119 (Race condition in Pepper, as used in Google Chrome before 23.0.1271.64 ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2012-5118 (Google Chrome before 23.0.1271.64 on Mac OS X does not properly valida ...) - chromium-browser (MacOS-specific) CVE-2012-5117 (Google Chrome before 23.0.1271.64 does not properly restrict the loadi ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2012-5116 (Use-after-free vulnerability in Google Chrome before 23.0.1271.64 allo ...) - chromium-browser 24.0.1312.68-1 [squeeze] - chromium-browser CVE-2012-5115 (Google Chrome before 23.0.1271.64 on Mac OS X does not properly mitiga ...) - chromium-browser (MacOS-specific) CVE-2012-5114 RESERVED CVE-2012-5113 RESERVED CVE-2012-5112 (Use-after-free vulnerability in the SVG implementation in WebKit, as u ...) - chromium-browser 22.0.1229.94~r161065-1 [squeeze] - chromium-browser CVE-2012-5111 (Google Chrome before 22.0.1229.92 does not monitor for crashes of Pepp ...) - chromium-browser 22.0.1229.94~r161065-1 [squeeze] - chromium-browser CVE-2012-5110 (The compositor in Google Chrome before 22.0.1229.92 allows remote atta ...) - chromium-browser 22.0.1229.94~r161065-1 [squeeze] - chromium-browser CVE-2012-5109 (The International Components for Unicode (ICU) functionality in Google ...) - chromium-browser 22.0.1229.94~r161065-1 [squeeze] - chromium-browser CVE-2012-5108 (Race condition in Google Chrome before 22.0.1229.92 allows remote atta ...) - chromium-browser 22.0.1229.94~r161065-1 [squeeze] - chromium-browser CVE-2012-5107 RESERVED CVE-2012-5106 (Stack-based buffer overflow in FreeFloat FTP Server 1.0 allows remote ...) NOT-FOR-US: FreeFloat FTP Server CVE-2012-5159 (phpMyAdmin 3.5.2.2, as distributed by the cdnetworks-kr-1 mirror durin ...) - phpmyadmin CVE-2012-5105 (Multiple cross-site scripting (XSS) vulnerabilities in SQLiteManager 1 ...) NOT-FOR-US: SQLiteManager CVE-2012-5104 (Cross-site scripting (XSS) vulnerability in forums/ubbthreads.php in U ...) NOT-FOR-US: UBB.threads CVE-2012-5103 (Multiple cross-site scripting (XSS) vulnerabilities in action/add-subm ...) NOT-FOR-US: Ggb guestbook CVE-2012-5102 (Cross-site scripting (XSS) vulnerability in inc/extensions.php in Vert ...) NOT-FOR-US: VertigoServ CVE-2012-5101 (SQL injection vulnerability in the JExtensions JE Poll component befor ...) NOT-FOR-US: Joomla! extension CVE-2012-5100 (Directory traversal vulnerability in HServer 0.1.1 allows remote attac ...) NOT-FOR-US: HServer CVE-2012-5099 (Cross-site scripting (XSS) vulnerability in list.php in PHPB2B 4.1 and ...) NOT-FOR-US: PHPB2B CVE-2012-5098 (Multiple SQL injection vulnerabilities in Php-X-Links, possibly 1.0, a ...) NOT-FOR-US: PHP-X-Links CVE-2012-5097 (Unspecified vulnerability in the Oracle Access Manager component in Or ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-5096 (Unspecified vulnerability in the Server component in Oracle MySQL 5.5. ...) - mysql-5.1 (Only affects 5.5) - mysql-5.5 5.5.29+dfsg-1 CVE-2012-5095 (Unspecified vulnerability in Oracle Sun Solaris 10 allows local users ...) NOT-FOR-US: Oracle Sun Solaris 10 CVE-2012-5094 (Unspecified vulnerability in the Oracle Agile PLM for Process componen ...) NOT-FOR-US: Oracle Agile PLM CVE-2012-5093 (Unspecified vulnerability in the Oracle Agile PLM for Process componen ...) NOT-FOR-US: Oracle Agile PLM CVE-2012-5092 (Unspecified vulnerability in the Oracle Agile PLM for Process componen ...) NOT-FOR-US: Oracle Agile PLM CVE-2012-5091 (Unspecified vulnerability in the Oracle Agile Product Supplier Collabo ...) NOT-FOR-US: Oracle Supply Chain CVE-2012-5090 (Unspecified vulnerability in the Oracle Agile PLM for Process componen ...) NOT-FOR-US: Oracle Supply Chain CVE-2012-5089 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b24-1.11.5-0ubuntu1 (bug #690774) - openjdk-7 7u3-2.1.3-1 (bug #690774) CVE-2012-5088 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 7u3-2.1.3-1 (bug #690774) CVE-2012-5087 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 7u3-2.1.3-1 (bug #690774) CVE-2012-5086 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 7u3-2.1.3-1 (bug #690774) - openjdk-6 6b24-1.11.5-0ubuntu1 (bug #690774) CVE-2012-5085 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b24-1.11.5-0ubuntu1 (bug #690774) - openjdk-7 7u3-2.1.3-1 (bug #690774) CVE-2012-5084 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b24-1.11.5-0ubuntu1 (bug #690774) - openjdk-7 7u3-2.1.3-1 (bug #690774) CVE-2012-5083 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Specific to Oracle Java, not present in IcedTea) - openjdk-7 (Specific to Oracle Java, not present in IcedTea) NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected CVE-2012-5082 (Unspecified vulnerability in the JavaFX component in Oracle Java SE Ja ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2012-5081 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b24-1.11.5-0ubuntu1 (bug #690774) - openjdk-7 7u3-2.1.3-1 (bug #690774) NOTE: https://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html NOTE: https://robotattack.org/ CVE-2012-5080 (Unspecified vulnerability in the JavaFX component in Oracle Java SE Ja ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2012-5079 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b24-1.11.5-0ubuntu1 (bug #690774) - openjdk-7 7u3-2.1.3-1 (bug #690774) CVE-2012-5078 (Unspecified vulnerability in the JavaFX component in Oracle Java SE Ja ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2012-5077 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b24-1.11.5-0ubuntu1 (bug #690774) - openjdk-7 7u3-2.1.3-1 (bug #690774) CVE-2012-5076 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 7u3-2.1.3-1 (bug #690774) CVE-2012-5075 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b24-1.11.5-0ubuntu1 (bug #690774) - openjdk-7 7u3-2.1.3-1 (bug #690774) CVE-2012-5074 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 7u3-2.1.3-1 (bug #690774) CVE-2012-5073 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b24-1.11.5-0ubuntu1 (bug #690774) - openjdk-7 7u3-2.1.3-1 (bug #690774) CVE-2012-5072 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b24-1.11.5-0ubuntu1 (bug #690774) - openjdk-7 7u3-2.1.3-1 (bug #690774) CVE-2012-5071 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b24-1.11.5-0ubuntu1 (bug #690774) - openjdk-7 7u3-2.1.3-1 (bug #690774) CVE-2012-5070 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 7u3-2.1.3-1 (bug #690774) CVE-2012-5069 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b24-1.11.5-0ubuntu1 (bug #690774) - openjdk-7 7u3-2.1.3-1 (bug #690774) CVE-2012-5068 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b24-1.11.5-0ubuntu1 (bug #690774) - openjdk-7 7u3-2.1.3-1 (bug #690774) CVE-2012-5067 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2012-5066 (Unspecified vulnerability in the Oracle Central Designer component in ...) NOT-FOR-US: Oracle Industry Applications CVE-2012-5065 (Unspecified vulnerability in the Oracle WebCenter Sites component in O ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-5064 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking com ...) NOT-FOR-US: Oracle Financial Services Software CVE-2012-5063 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking com ...) NOT-FOR-US: Oracle Financial Services Software CVE-2012-5062 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle CVE-2012-5061 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking com ...) NOT-FOR-US: Oracle Financial Services Software CVE-2012-5060 (Unspecified vulnerability in the Server component in Oracle MySQL 5.1. ...) {DSA-2780-1} - mysql-5.1 - mysql-5.5 5.5.29+dfsg-1 CVE-2012-5059 (Unspecified vulnerability in the PeopleSoft PeopleTools component in O ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-5058 (Unspecified vulnerability in the Oracle iStore component in Oracle E-B ...) NOT-FOR-US: Oracle E-Business Suite CVE-2012-5057 (CRLF injection vulnerability in ownCloud Server before 4.0.8 allows re ...) - owncloud 4.0.8debian-1 CVE-2012-5056 (Multiple cross-site scripting (XSS) vulnerabilities in ownCloud Server ...) - owncloud 4.0.8debian-1 CVE-2012-5055 (DaoAuthenticationProvider in VMware SpringSource Spring Security befor ...) NOT-FOR-US: VMware CVE-2012-5054 (Integer overflow in the copyRawDataTo method in the Matrix3D class in ...) NOT-FOR-US: Adobe Flash player CVE-2012-5053 (Cross-site scripting (XSS) vulnerability in the Receiver Web User Inte ...) NOT-FOR-US: Trimble Infrastructure GNSS Series Receivers CVE-2012-5052 RESERVED CVE-2012-5051 (Directory traversal vulnerability in VMware CapacityIQ 1.5.x allows re ...) NOT-FOR-US: VMware CVE-2012-5050 (Cross-site scripting (XSS) vulnerability in the server in VMware vCent ...) NOT-FOR-US: VMware CVE-2012-5049 (APIFTP Server in Optimalog Optima PLC 1.5.2 and earlier allows remote ...) NOT-FOR-US: Optimalog Optima PLC CVE-2012-5048 (APIFTP Server in Optimalog Optima PLC 1.5.2 and earlier allows remote ...) NOT-FOR-US: Optimalog Optima PLC CVE-2012-5047 RESERVED CVE-2012-5046 RESERVED CVE-2012-5045 RESERVED CVE-2012-5044 (Cisco IOS before 15.3(1)T, when media flow-around is not used, allows ...) NOT-FOR-US: Cisco IOS CVE-2012-5043 RESERVED CVE-2012-5042 RESERVED CVE-2012-5041 RESERVED CVE-2012-5040 RESERVED CVE-2012-5039 (The BGP Router process in Cisco IOS before 12.2(50)SY1 allows remote a ...) NOT-FOR-US: Cisco IOS CVE-2012-5038 RESERVED CVE-2012-5037 (The ACL implementation in Cisco IOS before 15.1(1)SY on Catalyst 6500 ...) NOT-FOR-US: Cisco IOS CVE-2012-5036 (Cisco IOS before 12.2(50)SY1 allows remote authenticated users to caus ...) NOT-FOR-US: Cisco IOS CVE-2012-5035 RESERVED CVE-2012-5034 RESERVED CVE-2012-5033 RESERVED CVE-2012-5032 (The Flex-VPN load-balancing feature in the ipsec-ikev2 implementation ...) NOT-FOR-US: Cisco IOS CVE-2012-5031 RESERVED CVE-2012-5030 (Cisco IOS before 15.2(4)S6 does not initialize an unspecified variable ...) NOT-FOR-US: Cisco IOS CVE-2012-5029 RESERVED CVE-2012-5028 RESERVED CVE-2012-5027 RESERVED CVE-2012-5026 RESERVED CVE-2012-5025 RESERVED CVE-2012-5024 RESERVED CVE-2012-5023 RESERVED CVE-2012-5022 RESERVED CVE-2012-5021 RESERVED CVE-2012-5020 RESERVED CVE-2012-5019 RESERVED CVE-2012-5018 RESERVED CVE-2012-5017 (Cisco IOS before 15.1(1)SY1 allows remote authenticated users to cause ...) NOT-FOR-US: Cisco IOS CVE-2012-5016 RESERVED CVE-2012-5015 RESERVED CVE-2012-5014 (Cisco IOS before 15.1(2)SY allows remote authenticated users to cause ...) NOT-FOR-US: Cisco IOS CVE-2012-5013 RESERVED CVE-2012-5012 RESERVED CVE-2012-5011 RESERVED CVE-2012-5010 (ASA 5515-X Adaptive Security Appliance Adaptive Security Appliance (AS ...) NOT-FOR-US: Adaptive Security Appliance Adaptive Security Appliance (ASA) CVE-2012-5009 RESERVED CVE-2012-5008 RESERVED CVE-2011-5201 (Multiple SQL injection vulnerabilities in sign.php in tinyguestbook al ...) NOT-FOR-US: tinyguestbook CVE-2011-5200 (Multiple SQL injection vulnerabilities in DeDeCMS, possibly 5.6, allow ...) NOT-FOR-US: DeDeCMS CVE-2011-5199 (Cross-site scripting (XSS) vulnerability in sign.php in tinyguestbook ...) NOT-FOR-US: tinyguestbook CVE-2011-5198 (SQL injection vulnerability in search.php in Neturf eCommerce Shopping ...) NOT-FOR-US: Neturf eCommerce Shopping Cart CVE-2011-5197 (Cross-site request forgery (CSRF) vulnerability in index/manager/fileU ...) NOT-FOR-US: Public Knowledge Project Open Harvester Systems CVE-2011-5196 (Cross-site request forgery (CSRF) vulnerability in index/manager/fileU ...) - ojs (low) [squeeze] - ojs (Minor issue) CVE-2011-5195 (Cross-site request forgery (CSRF) vulnerability in index/manager/fileU ...) NOT-FOR-US: Public Knowledge Project Open Conference Systems CVE-2011-5194 (Cross-site scripting (XSS) vulnerability in vendors/samswhois/samswhoi ...) NOT-FOR-US: Wordpress Whois search plugin CVE-2011-5193 (Cross-site scripting (XSS) vulnerability in vendors/samswhois/samswhoi ...) NOT-FOR-US: Wordpress Whois search plugin CVE-2011-5192 (Cross-site scripting (XSS) vulnerability in pretty-bar.php in Pretty L ...) NOT-FOR-US: Wordpress Pretty Link Lite plugin CVE-2011-5191 (Cross-site scripting (XSS) vulnerability in pretty-bar.php in Pretty L ...) NOT-FOR-US: Wordpress Pretty Link Lite plugin CVE-2012-5007 (The Fill PDF module 7.x-1.x before 7.x-1.2 for Drupal allows remote at ...) NOT-FOR-US: Drupal addon Fill PDF CVE-2012-5006 (Heap-based buffer overflow in npdjvu.dll in Caminova DjVu Browser Plug ...) NOT-FOR-US: Caminova DjVu Browser CVE-2012-5005 (Cross-site request forgery (CSRF) vulnerability in admin/admin_options ...) NOT-FOR-US: VR GPub CVE-2012-5004 (Multiple cross-site request forgery (CSRF) vulnerabilities in Parallel ...) NOT-FOR-US: Parallels H-Sphere CVE-2012-5003 (nxapplet.jar in No Machine NX Web Companion 3.x and earlier does not p ...) NOT-FOR-US: No Machine NX Web Companion CVE-2012-5002 (Stack-based buffer overflow in SR10 FTP server (SR10.exe) 1.1.0.6 in R ...) NOT-FOR-US: SR10 FTP server in Ricoh DC Software CVE-2012-5001 (Multiple unspecified vulnerabilities in Hitachi JP1/Cm2/Network Node M ...) NOT-FOR-US: Hitachi JP1/Cm2/Network Node Manager CVE-2012-5000 (SQL injection vulnerability in jokes/index.php in the Witze addon 0.9 ...) NOT-FOR-US: deV!L'z Clanportal CVE-2012-4999 (Mercury MR804 Router 8.0 3.8.1 Build 101220 Rel.53006nB allows remote ...) NOT-FOR-US: Mercury MR804 Router CVE-2012-4998 (Cross-site scripting (XSS) vulnerability in index.php in starCMS allow ...) NOT-FOR-US: starCMS CVE-2012-4997 (Directory traversal vulnerability in acp/index.php in AneCMS allows re ...) NOT-FOR-US: AneCMS CVE-2012-4996 (Multiple SQL injection vulnerabilities in RivetTracker 1.03 and earlie ...) NOT-FOR-US: RivetTracker CVE-2012-4995 (Cross-site scripting (XSS) vulnerability in admin/userrighthandling.ph ...) - limesurvey (bug #472802) CVE-2012-4994 (SQL injection vulnerability in admin/admin.php in LimeSurvey before 1. ...) - limesurvey (bug #472802) CVE-2012-4993 (torrent_functions.php in RivetTracker 1.03 and earlier does not proper ...) NOT-FOR-US: RivetTracker CVE-2012-4992 (Multiple buffer overflows in FlashFXP.exe in FlashFXP 4.2 allow remote ...) NOT-FOR-US: FlashFXP CVE-2012-4991 (Multiple directory traversal vulnerabilities in Axway SecureTransport ...) NOT-FOR-US: Axway SecureTransport CVE-2012-4990 (SQL injection vulnerability in admin/campaign-zone-link.php in OpenX 2 ...) NOT-FOR-US: OpenX CVE-2012-4989 (Cross-site scripting (XSS) vulnerability in admin/plugin-index.php in ...) NOT-FOR-US: OpenX CVE-2012-4988 (Heap-based buffer overflow in the xjpegls.dll (aka JLS, JPEG-LS, or JP ...) NOT-FOR-US: XnView CVE-2012-4987 (Stack-based buffer overflow in RealNetworks RealPlayer 15.0.5.109 allo ...) NOT-FOR-US: RealPlayer CVE-2012-4986 RESERVED CVE-2012-4985 (The Forescout CounterACT NAC device 6.3.4.1 does not block ARP and ICM ...) NOT-FOR-US: Forescout device CVE-2012-4984 RESERVED CVE-2012-4983 (Multiple cross-site scripting (XSS) vulnerabilities on the Forescout C ...) NOT-FOR-US: Forescout device CVE-2012-4982 (Open redirect vulnerability in assets/login on the Forescout CounterAC ...) NOT-FOR-US: Forescout device CVE-2012-4981 (Toshiba ConfigFree 8.0.38 has a CF7 File Remote Command Execution Vuln ...) NOT-FOR-US: Toshiba ConfigFree CVE-2012-4980 (Multiple stack-based buffer overflows in CFProfile.exe in Toshiba Conf ...) NOT-FOR-US: Toshiba ConfigFree Utility CVE-2012-4979 RESERVED CVE-2012-4978 RESERVED CVE-2012-4977 (Layton Helpbox 4.4.0 allows remote attackers to discover cleartext cre ...) NOT-FOR-US: Layton Helpbox CVE-2012-4976 (selectawasset.asp in Layton Helpbox 4.4.0 allows remote attackers to d ...) NOT-FOR-US: Layton Helpbox CVE-2012-4975 (editrequestuser.asp in Layton Helpbox 4.4.0 allows remote authenticate ...) NOT-FOR-US: Layton Helpbox CVE-2012-4974 (Layton Helpbox 4.4.0 allows remote authenticated users to change the l ...) NOT-FOR-US: Layton Helpbox CVE-2012-4973 RESERVED CVE-2012-4972 (Multiple cross-site scripting (XSS) vulnerabilities in Layton Helpbox ...) NOT-FOR-US: Layton Helpbox CVE-2012-4971 (Multiple SQL injection vulnerabilities in Layton Helpbox 4.4.0 allow r ...) NOT-FOR-US: Layton Helpbox CVE-2012-4970 (Cross-site scripting (XSS) vulnerability in the web management interfa ...) NOT-FOR-US: Polycom HDX Video End Points CVE-2011-5190 (Multiple cross-site scripting (XSS) vulnerabilities in Social Book Fac ...) NOT-FOR-US: Social Book Facebook Clone 2010 CVE-2011-5189 (Cross-site scripting (XSS) vulnerability in the Webform Validation mod ...) NOT-FOR-US: Drupal addon CVE-2011-5187 (Cross-site scripting (XSS) vulnerability in the Support Ticketing Syst ...) NOT-FOR-US: Drupal addon CVE-2011-5186 (Cross-site scripting (XSS) vulnerability in jbshop.php in the jbShop p ...) NOT-FOR-US: jbShop plugin for e107 CVE-2011-5185 (Cross-site scripting (XSS) vulnerability in video_comments.php in Onli ...) NOT-FOR-US: Online Subtitles Workshop CVE-2011-5184 (Multiple cross-site scripting (XSS) vulnerabilities in HP Network Node ...) NOT-FOR-US: HP Network Node Manager CVE-2011-5182 NOT-FOR-US: Wordpress Lanoba Social plugin CVE-2011-5181 (Cross-site scripting (XSS) vulnerability in clickdesk.php in ClickDesk ...) NOT-FOR-US: Wordpress ClickDesk Live Support - Live Chat plugin CVE-2011-5180 (Cross-site scripting (XSS) vulnerability in wp-1pluginjquery.php in th ...) NOT-FOR-US: Wordpress ZooEffect plugin CVE-2011-5179 (Cross-site scripting (XSS) vulnerability in skysa-official/skysa.php i ...) NOT-FOR-US: Skysa App Bar CVE-2011-5177 (Multiple cross-site scripting (XSS) vulnerabilities in admin/controlle ...) NOT-FOR-US: eSyndiCat Pro CVE-2012-4969 (Use-after-free vulnerability in the CMshtmlEd::Exec function in mshtml ...) NOT-FOR-US: Internet Explorer CVE-2012-4968 (Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe 2. ...) - silverstripe (bug #528461) CVE-2012-4967 REJECTED CVE-2012-4966 REJECTED CVE-2012-4965 REJECTED CVE-2012-4964 (The Samsung printer firmware before 20121031 has a hardcoded read-writ ...) NOT-FOR-US: Samsung printer firmware CVE-2012-4963 RESERVED CVE-2012-4962 RESERVED CVE-2012-4961 RESERVED CVE-2012-4960 (The Huawei NE5000E, MA5200G, NE40E, NE80E, ATN, NE40, NE80, NE20E-X6, ...) NOT-FOR-US: Huawei devices CVE-2012-4959 (Directory traversal vulnerability in NFRAgent.exe in Novell File Repor ...) NOT-FOR-US: Novell File Reporter CVE-2012-4958 (Directory traversal vulnerability in NFRAgent.exe in Novell File Repor ...) NOT-FOR-US: Novell File Reporter CVE-2012-4957 (Absolute path traversal vulnerability in NFRAgent.exe in Novell File R ...) NOT-FOR-US: Novell File Reporter CVE-2012-4956 (Heap-based buffer overflow in NFRAgent.exe in Novell File Reporter 1.0 ...) NOT-FOR-US: Novell File Reporter CVE-2012-4955 (Cross-site scripting (XSS) vulnerability in Dell OpenManage Server Adm ...) NOT-FOR-US: Dell OpenManage SA CVE-2012-4954 (The edit-profile page in Vanilla Forums before 2.1a32 allows remote au ...) NOT-FOR-US: Vanilla Forums CVE-2012-4953 (The decomposer engine in Symantec Endpoint Protection (SEP) 11.0, Syma ...) NOT-FOR-US: Symantec Endpoint Protection CVE-2012-4952 (Henry Schein Dentrix G5 before 15.1.294 has a single internal-database ...) NOT-FOR-US: Dentrix CVE-2012-4951 (Multiple SQL injection vulnerabilities in terminal/paramedit.aspx in V ...) NOT-FOR-US: VeriFone VeriCentre Web Console CVE-2012-4950 (Cross-site scripting (XSS) vulnerability in the Keyword Search page in ...) NOT-FOR-US: Pattern Insight CVE-2012-4949 (SQL injection vulnerability in ESRI ArcGIS 10.1 allows remote authenti ...) NOT-FOR-US: ESRI ArcGIS CVE-2012-4948 (The default configuration of Fortinet Fortigate UTM appliances uses th ...) NOT-FOR-US: Fortinet Fortigate UTM applianced CVE-2012-4947 (Agile FleetCommander and FleetCommander Kiosk before 4.08 store databa ...) NOT-FOR-US: FleetCommander CVE-2012-4946 (Agile FleetCommander and FleetCommander Kiosk before 4.08 use an XOR f ...) NOT-FOR-US: FleetCommander CVE-2012-4945 (Agile FleetCommander and FleetCommander Kiosk before 4.08 allow remote ...) NOT-FOR-US: FleetCommander CVE-2012-4944 (Multiple unrestricted file upload vulnerabilities in Agile FleetComman ...) NOT-FOR-US: FleetCommander CVE-2012-4943 (Multiple cross-site request forgery (CSRF) vulnerabilities in Agile Fl ...) NOT-FOR-US: FleetCommander CVE-2012-4942 (Multiple cross-site scripting (XSS) vulnerabilities in Agile FleetComm ...) NOT-FOR-US: FleetCommander CVE-2012-4941 (Multiple SQL injection vulnerabilities in Agile FleetCommander and Fle ...) NOT-FOR-US: FleetCommander CVE-2012-4940 (Multiple directory traversal vulnerabilities in the View Log Files com ...) NOT-FOR-US: Axigen Free Mail Server CVE-2012-4939 (Cross-site scripting (XSS) vulnerability in IPAMSummaryView.aspx in th ...) NOT-FOR-US: SolarWinds Orion Network Performance Monitor CVE-2012-4938 (Cross-site scripting (XSS) vulnerability in the web interface in Patte ...) NOT-FOR-US: Pattern Insight CVE-2012-4937 (Session fixation vulnerability in the web interface in Pattern Insight ...) NOT-FOR-US: Pattern Insight CVE-2012-4936 (The web interface in Pattern Insight 2.3 allows remote attackers to co ...) NOT-FOR-US: Pattern Insight CVE-2012-4935 (Cross-site request forgery (CSRF) vulnerability in the web interface i ...) NOT-FOR-US: Pattern Insight CVE-2012-4934 (TomatoCart 1.1.7, when the PayPal Express Checkout module is enabled i ...) NOT-FOR-US: TomatoCart CVE-2012-4933 (The rtrlet web application in the Web Console in Novell ZENworks Asset ...) NOT-FOR-US: Novell ZENworks CVE-2012-4932 (Multiple cross-site scripting (XSS) vulnerabilities in SimpleInvoices ...) NOT-FOR-US: SimpleInvoices CVE-2012-4931 RESERVED CVE-2012-4930 (The SPDY protocol 3 and earlier, as used in Mozilla Firefox, Google Ch ...) - iceweasel (Firefox ESV not support SDPY) - chromium-browser 21.0.1180.57~r148591-1 [squeeze] - chromium-browser NOTE: http://www.imperialviolet.org/2012/09/21/crime.html CVE-2012-4929 (The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google C ...) {DSA-3253-1 DSA-2627-1 DSA-2626-1 DSA-2579-1 DLA-400-1 DLA-0008-1} - iceweasel (Firefox ESV not use TLS/SSL compression) - chromium-browser 22.0.1229.94~r161065-1 NOTE: Chromium fix: https://chromiumcodereview.appspot.com/10825183/ [squeeze] - chromium-browser - qt4-x11 4:4.8.2+dfsg-3 - apache2 2.2.22-12 (bug #689936) - lighttpd 1.4.30-1 (bug #700399) - nginx 1.2.1-2.2 (bug #700426) [squeeze] - qt4-x11 (Minor issue) - openssl 1.0.1e-5 (low; bug #728055) [wheezy] - openssl 1.0.1e-2+deb7u11 [squeeze] - openssl 0.9.8o-4squeeze16 NOTE: openssl redhat announcement https://rhn.redhat.com/errata/RHSA-2013-0587.html NOTE: openssl disables compression by default since dc5744cb78da6f2bcafeeefe22c604a51b52dfc5 - pound 2.6-3 (bug #727197) CVE-2012-4928 (Cross-site scripting (XSS) vulnerability in ow_updates/index.php in Ox ...) NOT-FOR-US: Oxwall 1.1.1 CVE-2012-4927 (SQL injection vulnerability in Limesurvey (a.k.a PHPSurveyor) before 1 ...) - limesurvey (bug #472802) CVE-2012-4926 (approve.php in Img Pals Photo Host 1.0 does not authenticate requests, ...) NOT-FOR-US: Img Pals Photo Host 1.0 CVE-2012-4925 (Multiple SQL injection vulnerabilities in approve.php in Img Pals Phot ...) NOT-FOR-US: Img Pals Photo Host 1.0 CVE-2012-4924 (Buffer overflow in the CxDbgPrint function in the ipswcom.dll ActiveX ...) NOT-FOR-US: ASUS Net4Switch CVE-2012-4923 (Multiple cross-site scripting (XSS) vulnerabilities in Endian Firewall ...) NOT-FOR-US: Endian Firewall 2.4 CVE-2012-4922 (The tor_timegm function in common/util.c in Tor before 0.2.2.39, and 0 ...) {DSA-2548-1} - tor 0.2.3.22-rc-1 CVE-2012-4921 (Multiple cross-site request forgery (CSRF) vulnerabilities in the DVS ...) NOT-FOR-US: WordPress plugin DVS Custom Notification CVE-2012-4920 (Directory traversal vulnerability in the zing_forum_output function in ...) NOT-FOR-US: Wordpress plugin Zingiri Forum CVE-2012-4919 (Gallery Plugin1.4 for WordPress has a Remote File Include Vulnerabilit ...) NOT-FOR-US: Gallery Plugin1.4 for WordPress CVE-2012-4918 (Call of Duty Elite for iOS 2.0.1 does not properly validate the server ...) NOT-FOR-US: Call of Duty Elite for iOS CVE-2012-4917 (The TripAdvisor app 6.6 for iOS sends cleartext credentials, which all ...) NOT-FOR-US: The TripAdvisor app 6.6 for iOS CVE-2012-4916 RESERVED CVE-2012-4915 (Directory traversal vulnerability in the Google Doc Embedder plugin be ...) NOT-FOR-US: WordPress plugin Google Doc Embedder CVE-2012-4914 (Stack-based buffer overflow in the reader in CoolPDF 3.0.2.256 allows ...) NOT-FOR-US: CoolPDF CVE-2012-4913 RESERVED CVE-2012-4912 (Cross-site scripting (XSS) vulnerability in the WebAccess component in ...) NOT-FOR-US: Novell GroupWise CVE-2011-5188 (Cross-site scripting (XSS) vulnerability in the Support Timer module 6 ...) NOT-FOR-US: Drupal module CVE-2011-5183 (Multiple SQL injection vulnerabilities in OrderSys 1.6.4 and earlier a ...) NOT-FOR-US: OrderSys CVE-2011-5178 (Multiple cross-site scripting (XSS) vulnerabilities in netmri/config/u ...) NOT-FOR-US: Infoblox NetMRI CVE-2011-5176 (Multiple cross-site scripting (XSS) vulnerabilities in search.php in B ...) NOT-FOR-US: Banana Dance CVE-2011-5175 (SQL injection vulnerability in search.php in Banana Dance, possibly B. ...) NOT-FOR-US: Banana Dance CVE-2011-5174 (Buffer overflow in Intel Trusted Execution Technology (TXT) SINIT Auth ...) NOT-FOR-US: Intel Trusted Execution Technology CVE-2011-5173 (Buffer overflow in Bugbear Entertainment FlatOut 2005 allows user-assi ...) NOT-FOR-US: Bugbear Entertainment FlatOut 2005 CVE-2011-5172 (Stack-based buffer overflow in StoryBoard Quick 6 Build 3786, and poss ...) NOT-FOR-US: StoryBoard Quick 6 Build, StoryBoard Artist and StoryBoard Studio CVE-2011-5171 (Multiple stack-based buffer overflows in CyberLink Power2Go 7 (build 1 ...) NOT-FOR-US: CyberLink Power2Go CVE-2011-5170 (Stack-based buffer overflow in Castillo Bueno Systems CCMPlayer 1.5 al ...) NOT-FOR-US: Castillo Bueno Systems CCMPlayer CVE-2011-5169 (SQL injection vulnerability in sgms/reports/scheduledreports/configure ...) NOT-FOR-US: SonicWall ViewPoint CVE-2011-5168 (SQL injection vulnerability in user.php in Banana Dance before B.1.5 a ...) NOT-FOR-US: Banana Dance CVE-2011-5167 (Heap-based buffer overflow in the SetDevNames method of the Tidestone ...) NOT-FOR-US: Oracle Hyperion Strategic Finance CVE-2011-5166 (Multiple stack-based buffer overflows in KnFTP 1.0.0 allow remote atta ...) NOT-FOR-US: KnFTP CVE-2011-5165 (Stack-based buffer overflow in Free MP3 CD Ripper 1.1, 2.6 and earlier ...) NOT-FOR-US: Free MP3 CD Ripper CVE-2011-5164 (Stack-based buffer overflow in VanDyke Software AbsoluteFTP 1.9.6 thro ...) NOT-FOR-US: VanDyke Software AbsoluteFTP CVE-2011-5163 (Buffer overflow in an unspecified third-party component in the Batch m ...) NOT-FOR-US: Schneider Electric CitectSCADA CVE-2011-5162 (Stack-based buffer overflow in GOM Player 2.1.33.5071 allows user-assi ...) NOT-FOR-US: GOM Player CVE-2012-4911 REJECTED CVE-2012-4910 REJECTED CVE-2012-4909 (Google Chrome before 18.0.1025308 on Android allows remote attackers t ...) - chromium-browser (Chrome on Android) CVE-2012-4908 (Google Chrome before 18.0.1025308 on Android allows remote attackers t ...) - chromium-browser (Chrome on Android) CVE-2012-4907 (Google Chrome before 18.0.1025308 on Android does not properly restric ...) - chromium-browser (Chrome on Android) CVE-2012-4906 (Google Chrome before 18.0.1025308 on Android does not properly restric ...) - chromium-browser (Chrome on Android) CVE-2012-4905 (Cross-site scripting (XSS) vulnerability in Google Chrome before 18.0. ...) - chromium-browser (Chrome on Android) CVE-2012-4904 (Cross-application scripting vulnerability in Google Chrome before 18.0 ...) - chromium-browser (Chrome on Android) CVE-2012-4903 (Google Chrome before 18.0.1025308 on Android does not properly restric ...) - chromium-browser (Chrome on Android) CVE-2012-4902 (Multiple cross-site request forgery (CSRF) vulnerabilities in Template ...) NOT-FOR-US: Template CMS (http://template-cms.ru) CVE-2012-4901 (Cross-site scripting (XSS) vulnerability in Template CMS 2.1.1 and ear ...) NOT-FOR-US: Template CMS (http://template-cms.ru) CVE-2012-4900 (Corel WordPerfect Office X6 16.0.0.388 has a DoS Vulnerability via unt ...) NOT-FOR-US: Corel WordPerfect Office X6 CVE-2012-4899 (WellinTech KingView 6.5.3 and earlier uses a weak password-hashing alg ...) NOT-FOR-US: WellinTech KingView CVE-2012-4898 (Mesh OS before 7.9.1.1 on Tropos wireless mesh routers does not use a ...) NOT-FOR-US: Mesh OS CVE-2012-4897 (Untrusted search path vulnerability in the installer in VMware Movie D ...) NOT-FOR-US: VMware CVE-2012-4896 (Heap-based buffer overflow in SumatraPDF before 2.1 allows remote atta ...) NOT-FOR-US: SumatraPDF CVE-2012-4895 (Heap-based buffer overflow in SumatraPDF before 2.1 allows remote atta ...) NOT-FOR-US: SumatraPDF CVE-2012-4894 (Google SketchUp before 8.0.14346 (aka 8 Maintenance 3) allows user-ass ...) NOT-FOR-US: Google SketchUp CVE-2012-4893 (Multiple cross-site request forgery (CSRF) vulnerabilities in file/sho ...) - webmin CVE-2012-4892 (Multiple cross-site scripting (XSS) vulnerabilities in FlatnuX CMS 201 ...) NOT-FOR-US: FlatnuX CMS CVE-2012-4891 (Cross-site scripting (XSS) vulnerability in fw/index2.do in ManageEngi ...) NOT-FOR-US: ManageEngine Firewall Analyzer CVE-2012-4890 (Multiple cross-site scripting (XSS) vulnerabilities in FlatnuX CMS 201 ...) NOT-FOR-US: FlatnuX CMS CVE-2012-4889 (Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine Fi ...) NOT-FOR-US: ManageEngine Firewall Analyzer CVE-2012-4888 RESERVED CVE-2012-4887 RESERVED CVE-2012-4886 (Stack-based buffer overflow in wpsio.dll in Kingsoft WPS Office 2012 p ...) NOT-FOR-US: WPS Office CVE-2012-4885 (The wikitext parser in MediaWiki 1.17.x before 1.17.3 and 1.18.x befor ...) - mediawiki 1:1.19.0-1 (low) [squeeze] - mediawiki CVE-2012-4884 (Argument injection vulnerability in Request Tracker (RT) 3.8.x before ...) {DSA-2567-1} - request-tracker3.8 - request-tracker4 4.0.7-2 CVE-2011-5161 (Unrestricted file upload vulnerability in the patient photograph funct ...) NOT-FOR-US: OpenEMR CVE-2011-5160 (Cross-site scripting (XSS) vulnerability in setup.php in OpenEMR 4 all ...) NOT-FOR-US: OpenEMR CVE-2011-5159 (Cross-site scripting (XSS) vulnerability in admin/configuration.php in ...) NOT-FOR-US: Geeklog CVE-2012-4883 (Multiple untrusted search path vulnerabilities in 3DVIA Composer V6R20 ...) NOT-FOR-US: 3DVIA Composer V6R2012 CVE-2012-4882 (Multiple untrusted search path vulnerabilities in 3D XML Player 6.212. ...) NOT-FOR-US: 3D XML Player CVE-2012-4881 (Untrusted search path vulnerability in moviEZ HD 1.0 Build 2554-29894- ...) NOT-FOR-US: moviEZ CVE-2012-4880 (Multiple untrusted search path vulnerabilities in DVD Architect Pro 5. ...) NOT-FOR-US: DVD Architect Pro CVE-2012-4879 (The Linux Console on the WAGO I/O System 758 model 758-870, 758-874, 7 ...) NOT-FOR-US: WAGO I/O System 758 CVE-2012-4878 (Absolute path traversal vulnerability in controlcenter.php in FlatnuX ...) NOT-FOR-US: FlatnuX CMS CVE-2012-4877 (Cross-site request forgery (CSRF) vulnerability in controlcenter.php i ...) NOT-FOR-US: FlatnuX CMS CVE-2012-4876 (Stack-based buffer overflow in the UltraMJCam ActiveX Control in TREND ...) NOT-FOR-US: TRENDnet SecurView TV-IP121WN Wireless Internet Camera CVE-2012-4875 - ghostscript (Even if it's genuine, it's Windows-code) CVE-2012-4874 (Unspecified vulnerability in the Another WordPress Classifieds Plugin ...) NOT-FOR-US: Another WordPress Classifieds Plugin for Wordpress CVE-2012-4873 (Cross-site scripting (XSS) vulnerability in the file_download function ...) NOT-FOR-US: GNU Board CVE-2012-4872 (Cross-site scripting (XSS) vulnerability in Tickets/Submit in Kayako F ...) NOT-FOR-US: Kayako Fusion CVE-2012-4871 (Cross-site scripting (XSS) vulnerability in service/graph_html.php in ...) NOT-FOR-US: LiteSpeed Web Server CVE-2012-4870 (Multiple cross-site scripting (XSS) vulnerabilities in FreePBX 2.9 and ...) NOT-FOR-US: FreePBX CVE-2012-4869 (The callme_startcall function in recordings/misc/callme_page.php in Fr ...) NOT-FOR-US: FreePBX CVE-2012-4868 (SQL injection vulnerability in news.php in the Kunena component 1.7.2 ...) NOT-FOR-US: Kunena component for Joomla! CVE-2012-4867 (Directory traversal vulnerability in modules/com_vtiger_workflow/sortf ...) NOT-FOR-US: vtiger CRM CVE-2012-4866 (Untrusted search path vulnerability in Xtreme RAT 3.5 allows local use ...) NOT-FOR-US: Xtreme RAT CVE-2012-4865 (Buffer overflow in Oreans Themida 2.1.8.0 allows remote attackers to e ...) NOT-FOR-US: Oreans Themida CVE-2012-4864 (Oreans WinLicense 2.1.8.0 allows remote attackers to cause a denial of ...) NOT-FOR-US: Oreans WinLicense CVE-2012-4863 (IBM WebSphere MQ 7.1 and 7.5: Queue manager has a DoS vulnerability ...) NOT-FOR-US: IBM CVE-2012-4862 (The Host Connect emulator in IBM Rational Developer for System z 7.1 t ...) NOT-FOR-US: IBM Rational CVE-2012-4861 (The web server in InfoSphere Data Replication Dashboard in IBM InfoSph ...) NOT-FOR-US: IBM InfoSphere CVE-2012-4860 RESERVED CVE-2012-4859 (Unspecified vulnerability in IBM Tivoli Storage Manager for Space Mana ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2012-4858 (IBM Cognos Business Intelligence (BI) 8.4.1 before IF1, 10.1 before IF ...) NOT-FOR-US: IBM Cognos Business Intelligence CVE-2012-4857 (Buffer overflow in IBM Informix 11.50 through 11.50.xC9W2 and 11.70 be ...) NOT-FOR-US: IBM Informix CVE-2012-4856 (The Service Processor in the IBM Power 5 91##-### and 940#-### before ...) NOT-FOR-US: IBM Power 5 CVE-2012-4855 (Unspecified vulnerability in the web services framework in IBM WebSphe ...) NOT-FOR-US: IBM WebSphere Commerce CVE-2012-4854 RESERVED CVE-2012-4853 (Cross-site request forgery (CSRF) vulnerability in IBM WebSphere Appli ...) NOT-FOR-US: Websphere CVE-2012-4852 RESERVED CVE-2012-4851 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Application ...) NOT-FOR-US: Websphere CVE-2012-4850 (IBM WebSphere Application Server 8.5 Liberty Profile before 8.5.0.1, w ...) NOT-FOR-US: Websphere CVE-2012-4849 RESERVED CVE-2012-4848 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Lotus Found ...) NOT-FOR-US: IBM Lotus Foundations Start CVE-2012-4847 (IBM Cognos Business Intelligence (BI) 8.4 and 8.4.1 allows remote auth ...) NOT-FOR-US: IBM Cognos Business Intelligence CVE-2012-4846 (IBM Lotus Notes 8.5.x before 8.5.3 FP3 does not include the HTTPOnly f ...) NOT-FOR-US: IBM Lotus Notes CVE-2012-4845 (The FTP client in IBM AIX 6.1 and 7.1, and VIOS 2.2.1.4-FP-25 SP-02, d ...) NOT-FOR-US: AIX CVE-2012-4844 (Cross-site scripting (XSS) vulnerability in the web server in IBM Lotu ...) NOT-FOR-US: IBM Lotus Domino CVE-2012-4843 RESERVED CVE-2012-4842 (Open redirect vulnerability in the web server in IBM Lotus Domino 8.5. ...) NOT-FOR-US: IBM Lotus Domino CVE-2012-4841 (Unspecified vulnerability in Tivoli Endpoint Manager for Remote Contro ...) NOT-FOR-US: Tivoli CVE-2012-4840 (IBM Cognos Business Intelligence (BI) 8.4.1 before IF1, 10.1 before IF ...) NOT-FOR-US: IBM Cognos Business Intelligence CVE-2012-4839 (The OSLC interface in the Web Client (aka CQ Web) in IBM Rational Clea ...) NOT-FOR-US: IBM Rational ClearQuest CVE-2012-4838 (IBM Flex System Chassis Management Module (CMM) and Integrated Managem ...) NOT-FOR-US: IBM Flex CVE-2012-4837 (IBM Cognos Business Intelligence (BI) 8.4.1 before IF1, 10.1 before IF ...) NOT-FOR-US: IBM Cognos Business Intelligence CVE-2012-4836 (Cross-site scripting (XSS) vulnerability in IBM Cognos Business Intell ...) NOT-FOR-US: IBM Cognos Business Intelligence CVE-2012-4835 (Cross-site scripting (XSS) vulnerability in IBM Cognos Business Intell ...) NOT-FOR-US: IBM Cognos Business Intelligence CVE-2012-4834 (Directory traversal vulnerability in LayerLoader.jsp in the theme comp ...) NOT-FOR-US: IBM WebSphere Portal CVE-2012-4833 (fuser in IBM AIX 6.1 and 7.1, and VIOS 2.2.1.4-FP-25 SP-02, does not p ...) NOT-FOR-US: AIX CVE-2012-4832 (Information Services Framework (ISF) in IBM InfoSphere Information Ser ...) NOT-FOR-US: IBM InfoSphere CVE-2012-4831 RESERVED CVE-2012-4830 (Unspecified vulnerability in IBM WebSphere Commerce 6.0 through 6.0.0. ...) NOT-FOR-US: WebSphere CVE-2012-4829 (IBM XIV Storage System Gen3 before 11.2 relies on a default X.509 v3 c ...) NOT-FOR-US: IBM CVE-2012-4828 RESERVED CVE-2012-4827 RESERVED CVE-2012-4826 (Stack-based buffer overflow in the SQL/PSM (aka SQL Persistent Stored ...) NOT-FOR-US: IBM DB2 CVE-2012-4825 (Multiple cross-site scripting (XSS) vulnerabilities in servlet/travele ...) NOT-FOR-US: Lotus Notes CVE-2012-4824 (Open redirect vulnerability in servlet/traveler in IBM Lotus Notes Tra ...) NOT-FOR-US: Lotus Notes CVE-2012-4823 (Unspecified vulnerability in the JRE component in IBM Java 7 SR2 and e ...) - openjdk-6 (Vulnerabilities specific to IBM Java) - openjdk-7 (Vulnerabilities specific to IBM Java) CVE-2012-4822 (Multiple unspecified vulnerabilities in the JRE component in IBM Java ...) - openjdk-6 (Vulnerabilities specific to IBM Java) - openjdk-7 (Vulnerabilities specific to IBM Java) CVE-2012-4821 (Multiple unspecified vulnerabilities in the JRE component in IBM Java ...) - openjdk-6 (Vulnerabilities specific to IBM Java) - openjdk-7 (Vulnerabilities specific to IBM Java) CVE-2012-4820 (Unspecified vulnerability in the JRE component in IBM Java 7 SR2 and e ...) - openjdk-6 (Vulnerabilities specific to IBM Java) - openjdk-7 (Vulnerabilities specific to IBM Java) CVE-2012-4819 (Cross-site scripting (XSS) vulnerability in InfoSphere Business Glossa ...) NOT-FOR-US: IBM InfoSphere CVE-2012-4818 RESERVED CVE-2012-4817 (The NFSv4 client implementation in IBM AIX 5.3, 6.1, and 7.1, and VIOS ...) NOT-FOR-US: IBM AIX, VIOS CVE-2012-4816 (IBM Rational Automation Framework (RAF) 3.x through 3.0.0.5 allows rem ...) NOT-FOR-US: IBM Rational Automation Framework CVE-2012-4815 RESERVED CVE-2012-4814 RESERVED CVE-2012-4813 REJECTED CVE-2012-4812 REJECTED CVE-2012-4811 REJECTED CVE-2012-4810 REJECTED CVE-2012-4809 REJECTED CVE-2012-4808 REJECTED CVE-2012-4807 REJECTED CVE-2012-4806 REJECTED CVE-2012-4805 REJECTED CVE-2012-4804 REJECTED CVE-2012-4803 REJECTED CVE-2012-4802 REJECTED CVE-2012-4801 REJECTED CVE-2012-4800 REJECTED CVE-2012-4799 REJECTED CVE-2012-4798 REJECTED CVE-2012-4797 REJECTED CVE-2012-4796 REJECTED CVE-2012-4795 REJECTED CVE-2012-4794 REJECTED CVE-2012-4793 REJECTED CVE-2012-4792 (Use-after-free vulnerability in Microsoft Internet Explorer 6 through ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-4791 (Microsoft Exchange Server 2007 SP3 and 2010 SP1 and SP2 allows remote ...) NOT-FOR-US: Microsoft Exchange Server CVE-2012-4790 REJECTED CVE-2012-4789 REJECTED CVE-2012-4788 REJECTED CVE-2012-4787 (Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 a ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-4786 (The kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows S ...) NOT-FOR-US: Microsoft Windows CVE-2012-4785 REJECTED CVE-2012-4784 REJECTED CVE-2012-4783 REJECTED CVE-2012-4782 (Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 a ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-4781 (Use-after-free vulnerability in Microsoft Internet Explorer 6 through ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-4780 REJECTED CVE-2012-4779 REJECTED CVE-2012-4778 REJECTED CVE-2012-4777 (The code-optimization feature in the reflection implementation in Micr ...) NOT-FOR-US: Microsoft .NET Framework CVE-2012-4776 (The Web Proxy Auto-Discovery (WPAD) functionality in Microsoft .NET Fr ...) NOT-FOR-US: Microsoft .NET Framework CVE-2012-4775 (Use-after-free vulnerability in Microsoft Internet Explorer 9 allows r ...) NOT-FOR-US: Internet Explorer CVE-2012-4774 (Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vis ...) NOT-FOR-US: Microsoft Windows CVE-2012-4773 (Multiple cross-site request forgery (CSRF) vulnerabilities in Subrion ...) NOT-FOR-US: Subrion CMS CVE-2012-4772 (SQL injection vulnerability in register/ in Subrion CMS before 2.2.3 a ...) NOT-FOR-US: Subrion CMS CVE-2012-4771 (Multiple cross-site scripting (XSS) vulnerabilities in Subrion CMS bef ...) NOT-FOR-US: Subrion CMS CVE-2012-4770 RESERVED CVE-2012-4769 RESERVED CVE-2012-4768 (Cross-site scripting (XSS) vulnerability in the Download Monitor plugi ...) NOT-FOR-US: Download Monitor plugin for WordPress CVE-2012-4767 (An issue exists in Safend Data Protector Agent 3.4.5586.9772 in the se ...) NOT-FOR-US: Safend Data Protector Agent CVE-2012-4766 RESERVED CVE-2012-4765 RESERVED CVE-2012-4764 RESERVED CVE-2012-4763 RESERVED CVE-2012-4762 RESERVED CVE-2012-4761 (A Privilege Escalation vulnerability exists in the unquoted Service Bi ...) NOT-FOR-US: Safend CVE-2012-4760 (A Privilege Escalation vulnerability exists in the SDBagent service in ...) NOT-FOR-US: Safend CVE-2011-5158 (Multiple untrusted search path vulnerabilities in the DMTGUI2.EXE and ...) NOT-FOR-US: DATEV Grundpaket Basis CVE-2010-5274 (Untrusted search path vulnerability in PKZIP before 12.50.0014 allows ...) NOT-FOR-US: PKZIP CVE-2010-5273 (Untrusted search path vulnerability in Altova DiffDog 2011 Enterprise ...) NOT-FOR-US: Altova DiffDog 2011 Enterprise CVE-2010-5272 (Untrusted search path vulnerability in Altova DatabaseSpy 2011 Enterpr ...) NOT-FOR-US: Altova DatabaseSpy 2011 CVE-2010-5271 (Untrusted search path vulnerability in Altova MapForce 2011 Enterprise ...) NOT-FOR-US: Altova MapForce 2011 CVE-2010-5270 (Multiple untrusted search path vulnerabilities in Adobe Device Central ...) NOT-FOR-US: Adobe Device Central CVE-2010-5269 (Untrusted search path vulnerability in tbb.dll in Intel Threading Buil ...) NOT-FOR-US: Intel Threading Building Blocks CVE-2010-5268 (Untrusted search path vulnerability in Amazon Kindle for PC 1.3.0 3088 ...) NOT-FOR-US: Amazon Kindle for PC CVE-2010-5267 (Untrusted search path vulnerability in MunSoft Easy Office Recovery 1. ...) NOT-FOR-US: MunSoft Easy Office Recovery CVE-2010-5266 (Untrusted search path vulnerability in VideoCharge Studio 2.9.0.632 al ...) NOT-FOR-US: VideoCharge Studio CVE-2010-5265 (Untrusted search path vulnerability in SmartSniff 1.71 allows local us ...) NOT-FOR-US: SmartSniff CVE-2010-5264 (Untrusted search path vulnerability in the CExtDWM::CExtDWM method in ...) NOT-FOR-US: Prof-UIS CVE-2010-5263 (Untrusted search path vulnerability in Sothink SWF Decompiler 6.0 Buil ...) NOT-FOR-US: Sothink SWF Decompiler CVE-2010-5262 (Multiple untrusted search path vulnerabilities in libmcl-5.4.0.dll in ...) NOT-FOR-US: Gromada Multimedia Conversion Library CVE-2010-5261 (Untrusted search path vulnerability in SnowFox Total Video Converter 2 ...) NOT-FOR-US: SnowFox Total Video Converter CVE-2010-5260 (Untrusted search path vulnerability in Agrin All DVD Ripper 4.0 allows ...) NOT-FOR-US: Agrin All DVD Ripper CVE-2010-5259 (Multiple untrusted search path vulnerabilities in IsoBuster 2.8 allow ...) NOT-FOR-US: IsoBuster CVE-2010-5258 (Untrusted search path vulnerability in Adobe Audition 3.0 build 7283.0 ...) NOT-FOR-US: Adobe Audition CVE-2010-5257 (Multiple untrusted search path vulnerabilities in ArchiCAD 13 and 14 a ...) NOT-FOR-US: ArchiCAD CVE-2010-5256 (Untrusted search path vulnerability in CDisplay 1.8.1 allows local use ...) NOT-FOR-US: CDisplay CVE-2010-5255 (Untrusted search path vulnerability in UltraISO 9.3.6.2750 allows loca ...) NOT-FOR-US: UltraISO CVE-2010-5254 (Untrusted search path vulnerability in GFI Backup 3.1 Build 20100730 2 ...) NOT-FOR-US: GFI Backup CVE-2010-5253 (Untrusted search path vulnerability in WinImage 8.50 allows local user ...) NOT-FOR-US: WinImage CVE-2010-5252 (Untrusted search path vulnerability in HTTrack 3.43-9 allows local use ...) - httrack (Only affects Windows) CVE-2010-5251 (Multiple untrusted search path vulnerabilities in IBM Lotus Notes 8.5 ...) NOT-FOR-US: IBM Lotus Notes CVE-2010-5250 (Untrusted search path vulnerability in the pthread_win32_process_attac ...) NOT-FOR-US: Pthreads-win32 CVE-2010-5249 (Untrusted search path vulnerability in Sophos Free Encryption 2.40.1.1 ...) NOT-FOR-US: Sophos Free Encryption CVE-2010-5248 (Untrusted search path vulnerability in UltraVNC 1.0.8.2 allows local u ...) NOT-FOR-US: UltraVNC CVE-2010-5247 (Untrusted search path vulnerability in QtWeb Browser 3.3 build 043 all ...) NOT-FOR-US: QtWeb Browser CVE-2010-5246 (Multiple untrusted search path vulnerabilities in Maxthon Browser 1.6. ...) NOT-FOR-US: Maxthon Browser CVE-2010-5245 (Untrusted search path vulnerability in PDF-XChange Viewer 2.0 Build 54 ...) NOT-FOR-US: PDF-XChange Viewer CVE-2010-5244 (Untrusted search path vulnerability in SiSoftware Sandra 2010 Lite 201 ...) NOT-FOR-US: SiSoftware Sandra CVE-2010-5243 (Multiple untrusted search path vulnerabilities in Cyberlink Power2Go 7 ...) NOT-FOR-US: Cyberlink Power2Go CVE-2010-5242 (Untrusted search path vulnerability in Sound Forge Pro 10.0b Build 474 ...) NOT-FOR-US: Sound Forge Pro CVE-2010-5241 (Multiple untrusted search path vulnerabilities in Autodesk AutoCAD 201 ...) NOT-FOR-US: Autodesk AutoCAD CVE-2010-5240 (Multiple untrusted search path vulnerabilities in Corel PHOTO-PAINT an ...) NOT-FOR-US: Corel PHOTO-PAINT and CorelDRAW CVE-2010-5239 (Untrusted search path vulnerability in DAEMON Tools Lite 4.35.6.0091 a ...) NOT-FOR-US: DAEMON Tools Lite and Pro Standard CVE-2010-5238 (Untrusted search path vulnerability in CyberLink PowerDirector 8.00.30 ...) NOT-FOR-US: CyberLink PowerDirector CVE-2010-5237 (Untrusted search path vulnerability in CyberLink PowerDirector 7 allow ...) NOT-FOR-US: CyberLink PowerDirector CVE-2010-5236 (Untrusted search path vulnerability in Roxio Easy Media Creator Home 9 ...) NOT-FOR-US: Roxio Easy Media Creator Home CVE-2010-5235 (Untrusted search path vulnerability in IZArc Archiver 4.1.2 allows loc ...) NOT-FOR-US: IZArc Archiver CVE-2010-5234 (Multiple untrusted search path vulnerabilities in Camtasia Studio 7.0. ...) NOT-FOR-US: Camtasia Studio CVE-2010-5233 (Untrusted search path vulnerability in Virtual DJ 6.1.2 Trial b301 all ...) NOT-FOR-US: Virtual DJ CVE-2010-5232 (Untrusted search path vulnerability in DivX Plus Player 8.1.0 allows l ...) NOT-FOR-US: DivX Plus Player CVE-2010-5231 (Untrusted search path vulnerability in DivX Player 7.2.019 allows loca ...) NOT-FOR-US: DivX Player CVE-2010-5230 (Multiple untrusted search path vulnerabilities in MicroStation 7.1 all ...) NOT-FOR-US: MicroStation CVE-2010-5229 (Untrusted search path vulnerability in 010 Editor before 3.1.3 allows ...) NOT-FOR-US: 010 Editor CVE-2010-5228 (Untrusted search path vulnerability in RealPlayer SP 1.1.5 12.0.0.879 ...) NOT-FOR-US: RealPlayer SP CVE-2010-5227 (Untrusted search path vulnerability in Opera before 10.62 allows local ...) NOT-FOR-US: Opera CVE-2010-5226 (Multiple untrusted search path vulnerabilities in Autodesk Design Revi ...) NOT-FOR-US: Autodesk Design Review CVE-2012-4759 (Untrusted search path vulnerability in facebook_plugin.fpi in the Face ...) NOT-FOR-US: Foxit Reader CVE-2012-4758 (Multiple untrusted search path vulnerabilities in CyberLink PowerProdu ...) NOT-FOR-US: CyberLink PowerProducer CVE-2012-4757 (Multiple untrusted search path vulnerabilities in CyberLink StreamAuth ...) NOT-FOR-US: CyberLink StreamAuthor CVE-2012-4756 (Multiple untrusted search path vulnerabilities in CyberLink LabelPrint ...) NOT-FOR-US: CyberLink LabelPrint CVE-2012-4755 (Untrusted search path vulnerability in SciTools Understand before 2.6 ...) NOT-FOR-US: SciTools Unterstand CVE-2012-4754 (Multiple untrusted search path vulnerabilities in MindManager 2012 10. ...) NOT-FOR-US: MindManager CVE-2011-5157 (Untrusted search path vulnerability in Attachmate Reflection before 14 ...) NOT-FOR-US: Attachmate Reflection CVE-2011-5156 (Untrusted search path vulnerability in Effective File Search 6.7 allow ...) NOT-FOR-US: Effective File Search CVE-2011-5155 (Untrusted search path vulnerability in Help & Manual 5.5.1 Build 1 ...) NOT-FOR-US: Help & Manual 5.5.1 Build CVE-2011-5154 (Multiple untrusted search path vulnerabilities in (1) SAPGui.exe and ( ...) NOT-FOR-US: SAP GUI CVE-2011-5153 (Untrusted search path vulnerability in FotoSlate 4.0 Build 146 allows ...) NOT-FOR-US: FotoSlate CVE-2011-5152 (Multiple untrusted search path vulnerabilities in ACDSee Photo Editor ...) NOT-FOR-US: ACDSee Photo Editor CVE-2011-5151 (Untrusted search path vulnerability in ACDSee Picture Frame Manager 1. ...) NOT-FOR-US: ACDSee Picture Frame Manager CVE-2010-5225 (Untrusted search path vulnerability in Babylon 8.1.0 r16 allows local ...) NOT-FOR-US: Babylon 8.1.0 CVE-2010-5224 (Untrusted search path vulnerability in Cool iPhone Ringtone Maker 2.2. ...) NOT-FOR-US: Cool iPhone Ringtone Maker CVE-2010-5223 (Multiple untrusted search path vulnerabilities in Phoenix Project Mana ...) NOT-FOR-US: Phoenix Project Manager CVE-2010-5222 (Untrusted search path vulnerability in Ease Jukebox 1.40 allows local ...) NOT-FOR-US: Ease Jukebox CVE-2010-5221 (Untrusted search path vulnerability in STDU Explorer 1.0.201 allows lo ...) NOT-FOR-US: STDU Explorer CVE-2010-5220 (Untrusted search path vulnerability in MEO Encryption Software 2.02 al ...) NOT-FOR-US: MEO Encryption Software CVE-2010-5219 (Untrusted search path vulnerability in SmartFTP 4.0.1140.0 allows loca ...) NOT-FOR-US: SmartFTP CVE-2010-5218 (Untrusted search path vulnerability in Dupehunter 9.0.0.3911 allows lo ...) NOT-FOR-US: Dupehunter CVE-2010-5217 (Multiple untrusted search path vulnerabilities in TuneUp Utilities 200 ...) NOT-FOR-US: TuneUp Utilities CVE-2010-5216 (Untrusted search path vulnerability in LINGO 11.0.1.6 and 12.0.2.20 al ...) NOT-FOR-US: LINGO CVE-2010-5215 (Multiple untrusted search path vulnerabilities in SWiSH Max3 3.0 2009. ...) NOT-FOR-US: SWiSH Max3 CVE-2010-5214 (Untrusted search path vulnerability in Fotobook Editor 5.0 2.8.0.1 all ...) NOT-FOR-US: Fotobook Editor CVE-2010-5213 (Untrusted search path vulnerability in Adobe LiveCycle Designer 8.2.1. ...) NOT-FOR-US: Adobe LiveCycle Designer CVE-2010-5212 (Untrusted search path vulnerability in Adobe LiveCycle Designer ES2 9. ...) NOT-FOR-US: Adobe LiveCycle Designer ES2 CVE-2010-5211 (Untrusted search path vulnerability in ALSee 6.20.0.1 allows local use ...) NOT-FOR-US: ALSee CVE-2010-5210 (Untrusted search path vulnerability in Sorax Reader 2.0.3129.70 allows ...) NOT-FOR-US: Sorax Reader CVE-2010-5209 (Multiple untrusted search path vulnerabilities in Nuance PDF Reader 6. ...) NOT-FOR-US: Nuance PDF Reader CVE-2010-5208 (Multiple untrusted search path vulnerabilities in the (1) Presentation ...) NOT-FOR-US: Kingsoft Office CVE-2010-5207 (Multiple untrusted search path vulnerabilities in CelFrame Office 2008 ...) NOT-FOR-US: CelFrame Office CVE-2010-5206 (Multiple untrusted search path vulnerabilities in e-press ONE Office E ...) NOT-FOR-US: ONE Office CVE-2010-5205 (Multiple untrusted search path vulnerabilities in e-press ONE Office A ...) NOT-FOR-US: ONE Office CVE-2010-5204 (Multiple untrusted search path vulnerabilities in IBM Lotus Symphony 1 ...) NOT-FOR-US: IBM Lotus Symphony CVE-2010-5203 (Multiple untrusted search path vulnerabilities in NCP Secure Enterpris ...) NOT-FOR-US: NCP Secure Enterprise CVE-2010-5202 (Untrusted search path vulnerability in JetAudio 8.0.7.1000 Basic allow ...) NOT-FOR-US: JetAudio CVE-2010-5201 (Untrusted search path vulnerability in MAGIX Samplitude Producer 11 al ...) NOT-FOR-US: MAGIX Samplitude Producer CVE-2010-5200 (Untrusted search path vulnerability in KeePass Password Safe before 1. ...) NOT-FOR-US: KeePass 1 (a Windows only program) is not in Debian, only KeePass 2 (multi-OS version of KeePass) and KeePassX (port/rewrite of KeePass) CVE-2010-5199 (Untrusted search path vulnerability in PhotoImpact X3 13.00.0000.0 all ...) NOT-FOR-US: PhotoImpact CVE-2010-5198 (Multiple untrusted search path vulnerabilities in Intuit QuickBooks 20 ...) NOT-FOR-US: Intuit QuickBooks CVE-2010-5197 (Untrusted search path vulnerability in Pixia 4.70j allows local users ...) NOT-FOR-US: Pixia 4.70j CVE-2010-5196 (Untrusted search path vulnerability in KeePass Password Safe before 2. ...) - keepass2 (only affects Windows) CVE-2010-5195 (Untrusted search path vulnerability in Roxio MyDVD 9 allows local user ...) NOT-FOR-US: Roxio MyDVD 9 CVE-2012-4410 REJECTED CVE-2012-4753 (Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud ...) NOTE: http://www.openwall.com/lists/oss-security/2012/09/05/17 NOTE: False assignment, will be rejected, see #688123 CVE-2012-4752 (appconfig.php in ownCloud before 4.0.6 does not properly restrict acce ...) - owncloud 4.0.7debian-1 [wheezy] - owncloud 4.0.4debian2-2 NOTE: http://www.openwall.com/lists/oss-security/2012/09/05/17 CVE-2012-4751 (Cross-site scripting (XSS) vulnerability in Open Ticket Request System ...) - otrs2 3.1.7+dfsg1-6 [squeeze] - otrs2 2.4.9+dfsg1-3+squeeze4 NOTE: DSA-2733-1 CVE-2012-4750 (A Code Execution vulnerability exists in the memcpy function when proc ...) NOT-FOR-US: Ezhometech EzServer CVE-2012-4749 RESERVED CVE-2012-4748 RESERVED CVE-2011-3090 (Race condition in Google Chrome before 19.0.1084.46 allows remote atta ...) - chromium-browser 20.0.1132.21~r139451-1 [squeeze] - chromium-browser CVE-2012-4746 (Cross-site request forgery (CSRF) vulnerability in accessaccount.cgi i ...) NOT-FOR-US: ZTE ZXDSL CVE-2012-4745 (Cross-site scripting (XSS) vulnerability in admin/login.asp in Acuity ...) NOT-FOR-US: Acuity CMS CVE-2012-4744 (Cross-site scripting (XSS) vulnerability in ssearch.php in the Siche s ...) NOT-FOR-US: Zeroboard CVE-2012-4743 (Multiple SQL injection vulnerabilities in ssearch.php in Siche search ...) NOT-FOR-US: Zeroboard CVE-2012-4742 (The web_node_register function in web.pm in PacketFence before 3.0.2 m ...) NOT-FOR-US: PacketFence CVE-2012-4741 (The RADIUS extension in PacketFence before 3.3.0 uses a different user ...) NOT-FOR-US: PacketFence CVE-2012-4740 (Cross-site scripting (XSS) vulnerability in the captive portal in Pack ...) NOT-FOR-US: PacketFence CVE-2012-4739 (Multiple cross-site scripting (XSS) vulnerabilities in Barracuda SSL V ...) NOT-FOR-US: Barracuda SSL VPN CVE-2012-4738 RESERVED CVE-2011-5150 (Multiple cross-site scripting (XSS) vulnerabilities in SpamTitan 5.07 ...) NOT-FOR-US: SpamTitan 5.07 CVE-2011-5149 (Multiple cross-site scripting (XSS) vulnerabilities in SpamTitan 5.08 ...) NOT-FOR-US: SpamTitan 5.08 CVE-2011-5148 (Multiple incomplete blacklist vulnerabilities in the Simple File Uploa ...) NOT-FOR-US: Simple File Upload CVE-2011-5147 (Static code injection vulnerability in ajax_save_name.php in the Ajax ...) NOT-FOR-US: tinymce plugin CVE-2011-5145 (Multiple SQL injection vulnerabilities in Open Business Management (OB ...) NOT-FOR-US: Open Business Management CVE-2011-5144 (Open Business Management (OBM) 2.4.0-rc13 and earlier allows remote at ...) NOT-FOR-US: Open Business Management CVE-2011-5143 (Multiple cross-site scripting (XSS) vulnerabilities in Open Business M ...) NOT-FOR-US: Open Business Management CVE-2011-5142 (Multiple cross-site scripting (XSS) vulnerabilities in Open Business M ...) NOT-FOR-US: Open Business Management CVE-2011-5141 (Directory traversal vulnerability in exportcsv/exportcsv_index.php in ...) NOT-FOR-US: Open Business Management CVE-2011-5140 (Multiple SQL injection vulnerabilities in the blog module 1.0 for DiY- ...) NOT-FOR-US: DIY CMS CVE-2011-5139 (SQL injection vulnerability in page.php in Pre Studio Business Cards D ...) NOT-FOR-US: Pre Studio Business Cards Designer CVE-2011-5138 (Cross-site scripting (XSS) vulnerability in member.php in tForum b0.91 ...) NOT-FOR-US: tForum CVE-2011-5137 (Multiple SQL injection vulnerabilities in tForum b0.915 allow remote a ...) NOT-FOR-US: tForum CVE-2010-5194 (Stack-based buffer overflow in the Image2PDF function in the SCRIBBLE. ...) NOT-FOR-US: Viscom Image Viewer CP Pro CVE-2010-5193 (Stack-based buffer overflow in the TIFMergeMultiFiles function in the ...) NOT-FOR-US: Viscom Image Viewer CP Pro CVE-2012-4736 (The Device Encryption Client component in Sophos SafeGuard Enterprise ...) NOT-FOR-US: Sophos SafeGuard Enterprise CVE-2012-4735 REJECTED CVE-2012-4734 (Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows ...) {DSA-2567-1} - request-tracker3.8 - request-tracker4 4.0.7-2 CVE-2012-4733 (Request Tracker (RT) 4.x before 4.0.13 does not properly enforce the D ...) {DSA-2671-1} - request-tracker4 4.0.12-2 (bug #709836) CVE-2012-4732 (Cross-site request forgery (CSRF) vulnerability in Request Tracker (RT ...) {DSA-2567-1} - request-tracker3.8 - request-tracker4 4.0.7-2 CVE-2012-4731 (FAQ manager for Request Tracker (RTFM) before 2.4.5 does not properly ...) {DSA-2568-1} - rtfm - request-tracker4 4.0.7-2 CVE-2012-4730 (Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows ...) {DSA-2567-1} - request-tracker3.8 - request-tracker4 4.0.7-2 CVE-2012-4729 (Wing FTP Server before 4.1.1 allows remote authenticated users to caus ...) NOT-FOR-US: Wing FTP Server CVE-2012-4728 (The (1) QProGetNotebookWindowHandle and (2) Ordinal132 functions in QP ...) NOT-FOR-US: Corel Quattro Pro CVE-2012-4727 RESERVED CVE-2012-4726 REJECTED CVE-2012-4725 REJECTED CVE-2012-4724 REJECTED CVE-2012-4723 REJECTED CVE-2012-4722 REJECTED CVE-2012-4721 REJECTED CVE-2012-4720 REJECTED CVE-2012-4719 REJECTED CVE-2012-4718 REJECTED CVE-2012-4717 REJECTED CVE-2012-4716 (N-Tron 702-W Industrial Wireless Access Point devices use the same (1) ...) NOT-FOR-US: N-Tron 702-W Industrial Wireless Access Point CVE-2012-4715 (Buffer overflow in LogReceiver.exe in Rockwell Automation RSLinx Enter ...) NOT-FOR-US: Rockwell Automation RSLinx Enterprise CVE-2012-4714 (Integer overflow in RNADiagnostics.dll in Rockwell Automation FactoryT ...) NOT-FOR-US: Rockwell Automation FactoryTalk Services Platform CVE-2012-4713 (Integer signedness error in RNADiagnostics.dll in Rockwell Automation ...) NOT-FOR-US: Rockwell Automation FactoryTalk Services Platform CVE-2012-4712 (Moxa EDR-G903 series routers with firmware before 2.11 have a hardcode ...) NOT-FOR-US: Moxa EDR-G903 CVE-2012-4711 (Buffer overflow in kingMess.exe 65.20.2003.10300 in WellinTech KingVie ...) NOT-FOR-US: WellinTech KingView CVE-2012-4710 (Invensys Wonderware Win-XML Exporter 1522.148.0.0 allows remote attack ...) NOT-FOR-US: Invensys Wonderware Win-XML Exporter CVE-2012-4709 (Invensys Wonderware InTouch HMI 2012 R2 and earlier allows remote atta ...) NOT-FOR-US: Invensys CVE-2012-4708 (Stack-based buffer overflow in 3S CODESYS Gateway-Server before 2.3.9. ...) NOT-FOR-US: 3S CODESYS Gateway-Server CVE-2012-4707 (3S CODESYS Gateway-Server before 2.3.9.27 allows remote attackers to e ...) NOT-FOR-US: 3S CODESYS Gateway-Server CVE-2012-4706 (Integer signedness error in 3S CODESYS Gateway-Server before 2.3.9.27 ...) NOT-FOR-US: 3S CODESYS Gateway-Server CVE-2012-4705 (Directory traversal vulnerability in 3S CODESYS Gateway-Server before ...) NOT-FOR-US: 3S CODESYS Gateway-Server CVE-2012-4704 (Array index error in 3S CODESYS Gateway-Server before 2.3.9.27 allows ...) NOT-FOR-US: 3S CODESYS Gateway-Server CVE-2012-4703 (The Emerson DeltaV SE3006 through 11.3.1, DeltaV VE3005 through 10.3.1 ...) NOT-FOR-US: Emerson DeltaV CVE-2012-4702 (360 Systems Maxx, Image Server Maxx, and Image Server 2000 have a hard ...) NOT-FOR-US: 360 Systems Maxx, Image Server Maxx, and Image Server CVE-2012-4701 (Directory traversal vulnerability in Tridium Niagara AX 3.5, 3.6, and ...) NOT-FOR-US: Tridium Niagara CVE-2012-4700 (Multiple buffer overflows in an ActiveX control in PE3DO32A.ocx in Int ...) NOT-FOR-US: IntegraXor SCADA Server CVE-2012-4699 REJECTED CVE-2012-4698 (Siemens RuggedCom Rugged Operating System (ROS) before 3.12, ROX I OS ...) NOT-FOR-US: Siemens RuggedCom Rugged Operating System CVE-2012-4697 (TURCK BL20 Programmable Gateway and BL67 Programmable Gateway have har ...) NOT-FOR-US: TURCK Programmable Gateway CVE-2012-4696 (Buffer overflow in Beijer ADP 6.5.0-180_R1967 and 6.5.1-186_R2942, and ...) NOT-FOR-US: Beijer CVE-2012-4695 (LogReceiver.exe in Rockwell Automation RSLinx Enterprise CPR9, CPR9-SR ...) NOT-FOR-US: Rockwell Automation RSLinx Enterprise CVE-2012-4694 (Moxa EDR-G903 series routers with firmware before 2.11 do not use a su ...) NOT-FOR-US: Moxa EDR-G903 CVE-2012-4693 (Invensys Wonderware InTouch 2012 R2 and earlier and Siemens ProcessSui ...) NOT-FOR-US: Invensys Wonderware InTouch CVE-2012-4692 REJECTED CVE-2012-4691 (Memory leak in Siemens Automation License Manager (ALM) 4.x and 5.x be ...) NOT-FOR-US: Siemens Automation License Manager CVE-2012-4690 (Rockwell Automation Allen-Bradley MicroLogix controller 1100, 1200, 14 ...) NOT-FOR-US: Rockwell CVE-2012-4689 (Integer overflow in CimWebServer.exe in GE Intelligent Platforms Profi ...) NOT-FOR-US: Proficy CVE-2012-4688 (The Central application in i-GEN opLYNX before 2.01.9 allows remote at ...) NOT-FOR-US: Central application in i-GEN opLYNX CVE-2012-4687 (Post Oak AWAM Bluetooth Reader Traffic System does not use a sufficien ...) NOT-FOR-US: Post Oak CVE-2012-4686 (SQL injection vulnerability in announcement.php in vBulletin 4.1.10 al ...) NOT-FOR-US: vBulletin CVE-2012-4685 (Cross-site scripting (XSS) vulnerability in Arbor Networks Peakflow SP ...) NOT-FOR-US: Arbor Networks Peakflow SP CVE-2012-4684 (The alert functionality in bitcoind and Bitcoin-Qt before 0.7.0 suppor ...) - bitcoin 0.7.2-1 CVE-2012-4683 (Unspecified vulnerability in bitcoind and Bitcoin-Qt allows attackers ...) - bitcoin 0.7.2-1 (bug #688813) CVE-2012-4682 (Unspecified vulnerability in bitcoind and Bitcoin-Qt allows attackers ...) - bitcoin 0.7.2-1 (bug #688813) CVE-2011-5136 (showImg.php in EPractize Labs Subscription Manager, possibly 1.0, allo ...) NOT-FOR-US: EPractize Labs Subscription Manager CVE-2011-5135 (Multiple SQL injection vulnerabilities in the save_connection function ...) NOT-FOR-US: DoceboLMS CVE-2011-5134 (Unrestricted file upload vulnerability in editor/extensions/browser/fi ...) NOT-FOR-US: JCE component for Joomla! CVE-2011-5133 (Unspecified vulnerability in MyBB before 1.6.5 has unknown impact and ...) NOT-FOR-US: MyBB CVE-2011-5132 (Cross-site scripting (XSS) vulnerability in MyBB before 1.6.5 allows r ...) NOT-FOR-US: MyBB CVE-2011-5131 (Cross-site request forgery (CSRF) vulnerability in global.php in MyBB ...) NOT-FOR-US: MyBB CVE-2011-5130 (dev/less.php in Family Connections CMS (FCMS) 2.5.0 - 2.7.1, when regi ...) NOT-FOR-US: Family Connections CMS CVE-2011-5129 (Heap-based buffer overflow in XChat 2.8.9 and earlier allows remote at ...) - xchat (unimportant; bug #686454) CVE-2011-5128 (Multiple cross-site scripting (XSS) vulnerabilities in the Adminimize ...) NOT-FOR-US: Adminimize plugin for Wordpress CVE-2012-4737 (channels/chan_iax2.c in Asterisk Open Source 1.8.x before 1.8.15.1 and ...) {DSA-2550-1} - asterisk 1:1.8.13.1~dfsg-1 (bug #680470) CVE-2012-XXXX - juju 0.5.1-2 (bug #685728) CVE-2012-4681 (Multiple vulnerabilities in the Java Runtime Environment (JRE) compone ...) - openjdk-7 7u3-2.1.2-1 - openjdk-6 CVE-2012-4680 (Directory traversal vulnerability in the XML Server in IOServer before ...) NOT-FOR-US: IOServer CVE-2012-4679 (Cross-site scripting (XSS) vulnerability in admin/login.php in Newscoo ...) - newscoop (bug #604113) CVE-2012-4678 (munin-cgi-graph for Munin 2.0 rc4 does not delete temporary files, whi ...) - munin 2.0~rc6-1 (low; bug #668667) [squeeze] - munin (Only affects 2.x branch) CVE-2012-4677 (Tunnelblick 3.3beta20 and earlier allows local users to gain privilege ...) NOT-FOR-US: Tunnelblick CVE-2012-4676 (The errorExitIfAttackViaString function in Tunnelblick 3.3beta20 and e ...) NOT-FOR-US: Tunnelblick CVE-2012-4675 (Cross-site scripting (XSS) vulnerability in PluXml 5.1.6 allows remote ...) NOT-FOR-US: PluXml CVE-2012-4674 (PluXml before 5.1.6 allows remote attackers to obtain the installation ...) NOT-FOR-US: PluXml CVE-2012-4673 (SQL injection vulnerability in application/controllers/invoice.php in ...) NOT-FOR-US: Neoinvoice CVE-2012-4672 (Apple iChat Server does not verify that a request was made for an XMPP ...) NOT-FOR-US: Apple iChat Server CVE-2012-4671 (psyced before 20120821 does not verify that a request was made for an ...) NOT-FOR-US: psyced CVE-2012-4670 (Tigase XMPP Server before 5.1.0 does not verify that a request was mad ...) NOT-FOR-US: Tigase CVE-2012-4669 (M-Link R14.6 before R14.6v14 and R15.1 before R15.1v10 does not verify ...) NOT-FOR-US: M-Link CVE-2012-4666 RESERVED CVE-2012-4665 RESERVED CVE-2012-4664 RESERVED CVE-2012-4663 (The DCERPC inspection engine on Cisco Adaptive Security Appliances (AS ...) NOT-FOR-US: Cisco CVE-2012-4662 (The DCERPC inspection engine on Cisco Adaptive Security Appliances (AS ...) NOT-FOR-US: Cisco CVE-2012-4661 (Stack-based buffer overflow in the DCERPC inspection engine on Cisco A ...) NOT-FOR-US: Cisco CVE-2012-4660 (The SIP inspection engine on Cisco Adaptive Security Appliances (ASA) ...) NOT-FOR-US: Cisco CVE-2012-4659 (The AAA functionality in the IPv4 SSL VPN implementations on Cisco Ada ...) NOT-FOR-US: Cisco CVE-2012-4658 (The ios-authproxy implementation in Cisco IOS before 15.1(1)SY3 allows ...) NOT-FOR-US: Cisco IOS CVE-2012-4657 RESERVED CVE-2012-4656 RESERVED CVE-2012-4655 (The WebLaunch feature in Cisco Secure Desktop before 3.6.6020 does not ...) NOT-FOR-US: Cisco Secure Desktop CVE-2012-4654 RESERVED CVE-2012-4653 RESERVED CVE-2012-4652 RESERVED CVE-2012-4651 (Cisco IOS before 15.3(2)T, when scansafe is enabled, allows remote att ...) NOT-FOR-US: Cisco IOS CVE-2012-4650 RESERVED CVE-2012-4649 RESERVED CVE-2012-4648 RESERVED CVE-2012-4647 RESERVED CVE-2012-4646 RESERVED CVE-2012-4645 RESERVED CVE-2012-4644 RESERVED CVE-2012-4643 (The DHCP server on Cisco Adaptive Security Appliances (ASA) 5500 serie ...) NOT-FOR-US: Cisco CVE-2012-4642 RESERVED CVE-2012-4641 RESERVED CVE-2012-4640 RESERVED CVE-2012-4639 RESERVED CVE-2012-4638 (Cisco IOS before 15.1(1)SY allows local users to cause a denial of ser ...) NOT-FOR-US: Cisco IOS CVE-2012-4637 RESERVED CVE-2012-4636 RESERVED CVE-2012-4635 RESERVED CVE-2012-4634 RESERVED CVE-2012-4633 RESERVED CVE-2012-4632 RESERVED CVE-2012-4631 RESERVED CVE-2012-4630 RESERVED CVE-2012-4629 (The Cisco ASA-CX Context-Aware Security module before 9.0.2-103 for Ad ...) NOT-FOR-US: Cisco ASA CVE-2012-4628 RESERVED CVE-2012-4627 RESERVED CVE-2012-4626 RESERVED CVE-2012-4625 RESERVED CVE-2012-4624 RESERVED CVE-2012-4623 (The DHCPv6 server in Cisco IOS 12.2 through 12.4 and 15.0 through 15.2 ...) NOT-FOR-US: Cisco IOS CVE-2012-4622 (Cisco IOS XE 03.02.00.XO.15.0(2)XO on Catalyst 4500E series switches, ...) NOT-FOR-US: Cisco IOS CVE-2012-4621 (The Device Sensor feature in Cisco IOS 15.0 through 15.2 allows remote ...) NOT-FOR-US: Cisco IOS CVE-2012-4620 (Cisco IOS 12.2 and 15.0 through 15.2 on Cisco 10000 series routers, wh ...) NOT-FOR-US: Cisco IOS CVE-2012-4619 (The NAT implementation in Cisco IOS 12.2, 12.4, and 15.0 through 15.2 ...) NOT-FOR-US: Cisco IOS CVE-2012-4618 (The SIP ALG feature in the NAT implementation in Cisco IOS 12.2, 12.4, ...) NOT-FOR-US: Cisco IOS CVE-2012-4617 (The BGP implementation in Cisco IOS 15.2, IOS XE 3.5.xS before 3.5.2S, ...) NOT-FOR-US: Cisco IOS CVE-2012-4616 (Directory traversal vulnerability in the Web UI in EMC Data Protection ...) NOT-FOR-US: EMC Data Protection Advisor CVE-2012-4615 (EMC Smarts Network Configuration Manager (NCM) before 9.1 uses a hardc ...) NOT-FOR-US: EMC CVE-2012-4614 (The default configuration of EMC Smarts Network Configuration Manager ...) NOT-FOR-US: EMC CVE-2012-4613 (EMC RSA Data Protection Manager Appliance 2.7.x and 3.x before 3.2.1 d ...) NOT-FOR-US: EMC RSA Data Protection Manager Appliance CVE-2012-4612 (Cross-site scripting (XSS) vulnerability in EMC RSA Data Protection Ma ...) NOT-FOR-US: EMC RSA Data Protection Manager Appliance CVE-2012-4611 (Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Adaptiv ...) NOT-FOR-US: EMC CVE-2012-4610 (EMC Avamar Client for VMware 6.1 stores the cleartext server root pass ...) NOT-FOR-US: VMware CVE-2012-4609 (The web interface in EMC RSA NetWitness Informer before 2.0.5.6 allows ...) NOT-FOR-US: EMC RSA NetWitness Informer CVE-2012-4608 (Cross-site request forgery (CSRF) vulnerability in the web interface i ...) NOT-FOR-US: EMC RSA NetWitness Informer CVE-2012-4607 (Buffer overflow in nsrindexd in EMC NetWorker 7.5.x and 7.6.x before 7 ...) NOT-FOR-US: EMC NetWorker CVE-2011-5127 (Directory traversal vulnerability in Blue Coat Reporter 9.x before 9.2 ...) NOT-FOR-US: Blue Coat CVE-2011-5126 (Blue Coat ProxySG 6.1 before SGOS 6.1.5.1 and 6.2 before SGOS 6.2.2.1 ...) NOT-FOR-US: Blue Coat CVE-2011-5125 (Cross-site scripting (XSS) vulnerability in Blue Coat Director before ...) NOT-FOR-US: Blue Coat CVE-2011-5124 (Stack-based buffer overflow in the BCAAA component before build 60258, ...) NOT-FOR-US: Blue Coat CVE-2011-5123 (The Antivirus component in Comodo Internet Security before 5.3.175888. ...) NOT-FOR-US: Comodo Internet Security CVE-2011-5122 (The Antivirus component in Comodo Internet Security before 5.3.175888. ...) NOT-FOR-US: Comodo Internet Security CVE-2011-5121 (The Antivirus component in Comodo Internet Security before 5.3.175888. ...) NOT-FOR-US: Comodo Internet Security CVE-2011-5120 (The Antivirus component in Comodo Internet Security before 5.4.189822. ...) NOT-FOR-US: Comodo Internet Security CVE-2011-5119 (Multiple race conditions in Comodo Internet Security before 5.8.211697 ...) NOT-FOR-US: Comodo Internet Security CVE-2011-5118 (Multiple race conditions in Comodo Internet Security before 5.8.213334 ...) NOT-FOR-US: Comodo Internet Security CVE-2010-5192 (Cross-site scripting (XSS) vulnerability in the Java Management Consol ...) NOT-FOR-US: Blue Coat CVE-2010-5191 (Multiple cross-site request forgery (CSRF) vulnerabilities on the Blue ...) NOT-FOR-US: Blue Coat CVE-2010-5190 (The Active Content Transformation functionality in Blue Coat ProxySG b ...) NOT-FOR-US: Blue Coat CVE-2010-5189 (Blue Coat ProxySG before SGOS 4.3.4.1, 5.x before SGOS 5.4.5.1, 5.5 be ...) NOT-FOR-US: Blue Coat CVE-2010-5188 (SilverStripe 2.3.x before 2.3.6 allows remote attackers to obtain sens ...) - silverstripe (bug #528461) CVE-2010-5187 (SilverStripe 2.3.x before 2.3.8 and 2.4.x before 2.4.1, when running o ...) - silverstripe (bug #528461) CVE-2010-5186 (The Antivirus component in Comodo Internet Security before 4.1.150349. ...) NOT-FOR-US: Comodo Internet Security CVE-2010-5185 (The Antivirus component in Comodo Internet Security before 5.3.174622. ...) NOT-FOR-US: Comodo Internet Security CVE-2010-5184 (** DISPUTED ** Race condition in ZoneAlarm Extreme Security 9.1.507.00 ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5183 (** DISPUTED ** Race condition in Webroot Internet Security Essentials ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5182 (** DISPUTED ** Race condition in VirusBuster Internet Security Suite 3 ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5181 (** DISPUTED ** Race condition in VIPRE Antivirus Premium 4.0.3272 on W ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5180 (** DISPUTED ** Race condition in VBA32 Personal 3.12.12.4 on Windows X ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5179 (** DISPUTED ** Race condition in Trend Micro Internet Security Pro 201 ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5178 (** DISPUTED ** Race condition in ThreatFire 4.7.0.17 on Windows XP all ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5177 (** DISPUTED ** Race condition in Sophos Endpoint Security and Control ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5176 (** DISPUTED ** Race condition in Security Shield 2010 13.0.16.313 on W ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5175 (** DISPUTED ** Race condition in PrivateFirewall 7.0.20.37 on Windows ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5174 (** DISPUTED ** Race condition in Prevx 3.0.5.143 on Windows XP allows ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5173 (** DISPUTED ** Race condition in PC Tools Firewall Plus 6.0.0.88 on Wi ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5172 (** DISPUTED ** Race condition in Panda Internet Security 2010 15.01.00 ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5171 (** DISPUTED ** Race condition in Outpost Security Suite Pro 6.7.3.3063 ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5170 (** DISPUTED ** Race condition in Online Solutions Security Suite 1.5.1 ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5169 (** DISPUTED ** Race condition in Online Armor Premium 4.0.0.35 on Wind ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5168 (** DISPUTED ** Race condition in Symantec Norton Internet Security 201 ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5167 (** DISPUTED ** Race condition in Norman Security Suite PRO 8.0 on Wind ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5166 (** DISPUTED ** Race condition in McAfee Total Protection 2010 10.0.580 ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5165 (** DISPUTED ** Race condition in Malware Defender 2.6.0 on Windows XP ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5164 (** DISPUTED ** Race condition in KingSoft Personal Firewall 9 Plus 200 ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5163 (** DISPUTED ** Race condition in Kaspersky Internet Security 2010 9.0. ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5162 (** DISPUTED ** Race condition in G DATA TotalCare 2010 on Windows XP a ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5161 (** DISPUTED ** Race condition in F-Secure Internet Security 2010 10.00 ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5160 (** DISPUTED ** Race condition in ESET Smart Security 4.2.35.3 on Windo ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5159 (** DISPUTED ** Race condition in Dr.Web Security Space Pro 6.0.0.03100 ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5158 (** DISPUTED ** Race condition in DefenseWall Personal Firewall 3.00 on ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5157 (Race condition in Comodo Internet Security before 4.1.149672.916 on Wi ...) NOT-FOR-US: Comodo Internet Security CVE-2010-5156 (** DISPUTED ** Race condition in CA Internet Security Suite Plus 2010 ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5155 (** DISPUTED ** Race condition in Blink Professional 4.6.1 on Windows X ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5154 (** DISPUTED ** Race condition in BitDefender Total Security 2010 13.0. ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5153 (** DISPUTED ** Race condition in Avira Premium Security Suite 10.0.0.5 ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5152 (** DISPUTED ** Race condition in AVG Internet Security 9.0.791 on Wind ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5151 (** DISPUTED ** Race condition in avast! Internet Security 5.0.462 on W ...) NOT-FOR-US: Anti virus snake oil CVE-2010-5150 (** DISPUTED ** Race condition in 3D EQSecure Professional Edition 4.2 ...) NOT-FOR-US: Anti virus snake oil CVE-2009-5132 (The Filtering Service in Websense Web Security and Web Filter before 6 ...) NOT-FOR-US: Websense CVE-2009-5131 (The Receive Service in Websense Email Security before 7.1 does not rec ...) NOT-FOR-US: Websense CVE-2009-5130 (The Rules Service in Websense Email Security before 7.1 allows remote ...) NOT-FOR-US: Websense CVE-2009-5129 (The Websense V10000 appliance before 1.0.1 allows remote attackers to ...) NOT-FOR-US: Websense CVE-2009-5128 (The Websense V10000 appliance before 1.0.1 allows remote attackers to ...) NOT-FOR-US: Websense CVE-2009-5127 (The Antivirus component in Comodo Internet Security before 3.8.64739.4 ...) NOT-FOR-US: Comodo Internet Security CVE-2009-5126 (The Antivirus component in Comodo Internet Security before 3.8.65951.4 ...) NOT-FOR-US: Comodo Internet Security CVE-2009-5125 (Comodo Internet Security before 3.9.95478.509 allows remote attackers ...) NOT-FOR-US: Comodo Internet Security CVE-2009-5124 (The Antivirus component in Comodo Internet Security before 3.11.108364 ...) NOT-FOR-US: Comodo Internet Security CVE-2009-5123 (The Antivirus component in Comodo Internet Security before 3.11.108364 ...) NOT-FOR-US: Comodo Internet Security CVE-2012-4667 (Multiple cross-site scripting (XSS) vulnerabilities in SquidClamav 5.x ...) - squidclamav (bug #685398) CVE-2012-4606 (Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1, 5.6 Common Cri ...) NOT-FOR-US: Citrix XenServer CVE-2011-5117 (Sophos SafeGuard Enterprise Device Encryption 5.x through 5.50.8.13, S ...) NOT-FOR-US: Sophos SafeGuard CVE-2011-5116 (SQL injection vulnerability in setseed-hub in SetSeed CMS 5.8.20, 5.11 ...) NOT-FOR-US: SetSeed CMS CVE-2011-5115 (Cross-site scripting (XSS) vulnerability in DLGuard, possibly 4.6 and ...) NOT-FOR-US: DLguard CVE-2011-5114 (Multiple cross-site scripting (XSS) vulnerabilities in the Authoritati ...) NOT-FOR-US: DLguard CVE-2011-5113 (SQL injection vulnerability in frontend/models/techfoliodetail.php in ...) NOT-FOR-US: Joomla addon CVE-2011-5112 (SQL injection vulnerability in Alameda (com_alameda) component before ...) NOT-FOR-US: Joomla addon CVE-2011-5111 (Multiple SQL injection vulnerabilities in Kajian Website CMS Balitbang ...) NOT-FOR-US: Kajian Website CMS CVE-2011-5110 (Multiple SQL injection vulnerabilities in Blogs Manager 1.101 and earl ...) NOT-FOR-US: Blogs Manager CVE-2011-5109 (Multiple SQL injection vulnerabilities in Freelancer calendar 1.01 and ...) NOT-FOR-US: Freelancer calendar CVE-2011-5108 (Cross-site scripting (XSS) vulnerability in config.php in AdaptCMS 2.0 ...) NOT-FOR-US: AdaptCMS CVE-2011-5107 (Cross-site scripting (XSS) vulnerability in post_alert.php in Alert Be ...) NOT-FOR-US: Wordpress plugin CVE-2011-5106 (Cross-site scripting (XSS) vulnerability in edit-post.php in the Flexi ...) NOT-FOR-US: Wordpress plugin CVE-2011-5105 (Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch. ...) NOT-FOR-US: ZOHO ManageEngine ADSelfService Plus CVE-2011-5104 (Cross-site scripting (XSS) vulnerability in wpsc-admin/display-sales-l ...) NOT-FOR-US: Wordpress plugin CVE-2011-5103 (SQL injection vulnerability in Alurian Prismotube PHP Video Script all ...) NOT-FOR-US: Alurian Prismotube PHP Video Script CVE-2012-4605 (The default configuration of the SMTP component in Websense Email Secu ...) NOT-FOR-US: Websense Email Security CVE-2012-4604 (The TRITON management console in Websense Web Security before 7.6 Hotf ...) NOT-FOR-US: Websense Web Security CVE-2012-4603 (Citrix XenApp Online Plug-in for Windows 12.1 and earlier, and Citrix ...) NOT-FOR-US: Citrix CVE-2012-4602 (Multiple cross-site scripting (XSS) vulnerabilities in admin/code/tce_ ...) NOT-FOR-US: Nicola Asuni TCExam CVE-2012-4601 (Multiple SQL injection vulnerabilities in Nicola Asuni TCExam before 1 ...) NOT-FOR-US: Nicola Asuni TCExam CVE-2012-4600 (Cross-site scripting (XSS) vulnerability in Open Ticket Request System ...) {DSA-2536-1} - otrs2 3.1.7+dfsg1-5 CVE-2011-5102 (The Investigative Reports web interface in the TRITON management conso ...) NOT-FOR-US: Websense CVE-2010-5149 (Websense Web Security and Web Filter before 6.3.3 Hotfix 27 and 7.x be ...) NOT-FOR-US: Websense CVE-2010-5148 (Websense Web Security and Web Filter before 7.1 Hotfix 21 do not set t ...) NOT-FOR-US: Websense CVE-2010-5147 (The Remote Filtering component in Websense Web Security and Web Filter ...) NOT-FOR-US: Websense CVE-2010-5146 (The Remote Filtering component in Websense Web Security and Web Filter ...) NOT-FOR-US: Websense CVE-2010-5145 (The Filtering Service in Websense Web Security and Web Filter before 6 ...) NOT-FOR-US: Websense CVE-2010-5144 (The ISAPI Filter plug-in in Websense Enterprise, Websense Web Security ...) NOT-FOR-US: Websense CVE-2009-5122 (The Personal Email Manager component in Websense Email Security before ...) NOT-FOR-US: Websense CVE-2009-5121 (Websense Email Security 7.1 before Hotfix 4 allows remote attackers to ...) NOT-FOR-US: Websense CVE-2009-5120 (The default configuration of Apache Tomcat in Websense Manager in Webs ...) NOT-FOR-US: Websense CVE-2009-5119 (The default configuration of Apache Tomcat in Websense Manager in Webs ...) NOT-FOR-US: Websense CVE-2008-7313 (The _httpsrequest function in Snoopy allows remote attackers to execut ...) {DSA-3248-1 DLA-357-1} - libphp-snoopy 2.0.0-1 (bug #778634) NOTE: additional commit missing, so fix for CVE-2008-4796 was incomplete NOTE: http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?view=log#rev1.27 CVE-2008-7312 (The Filtering Service in Websense Enterprise 5.2 through 6.3 does not ...) NOT-FOR-US: Websense CVE-2012-4599 (McAfee SmartFilter Administration, and SmartFilter Administration Bess ...) NOT-FOR-US: McAfee SmartFilter Administration CVE-2012-4598 (An unspecified ActiveX control in McAfee Virtual Technician (MVT) befo ...) NOT-FOR-US: McAfee Virtual Technician CVE-2012-4597 (Cross-site scripting (XSS) vulnerability in McAfee Email and Web Secur ...) NOT-FOR-US: McAfee Email and Web Security CVE-2012-4596 (Directory traversal vulnerability in McAfee Email Gateway (MEG) 7.0.0 ...) NOT-FOR-US: McAfee Email Gateway CVE-2012-4595 (McAfee Email and Web Security (EWS) 5.5 through Patch 6 and 5.6 throug ...) NOT-FOR-US: McAfee Email and Web Security CVE-2012-4594 (McAfee ePolicy Orchestrator (ePO) 4.6.1 and earlier allows remote auth ...) NOT-FOR-US: McAfee ePolicy Orchestrator CVE-2012-4593 (McAfee Application Control and Change Control 5.1.x and 6.0.0 do not e ...) NOT-FOR-US: McAfee Application Control and Change Control CVE-2012-4592 (The Portal in McAfee Enterprise Mobility Manager (EMM) before 10.0 doe ...) NOT-FOR-US: McAfee Enterprise Mobility Manager CVE-2012-4591 (About.aspx in the Portal in McAfee Enterprise Mobility Manager (EMM) b ...) NOT-FOR-US: McAfee Enterprise Mobility Manager CVE-2012-4590 (Multiple cross-site scripting (XSS) vulnerabilities in About.aspx in t ...) NOT-FOR-US: McAfee Enterprise Mobility Manager CVE-2012-4589 (Login.aspx in the Portal in McAfee Enterprise Mobility Manager (EMM) b ...) NOT-FOR-US: McAfee Enterprise Mobility Manager CVE-2012-4588 (McAfee Enterprise Mobility Manager (EMM) Agent before 4.8 and Server b ...) NOT-FOR-US: McAfee Enterprise Mobility Manager CVE-2012-4587 (McAfee Enterprise Mobility Manager (EMM) Agent before 4.8 and Server b ...) NOT-FOR-US: McAfee Enterprise Mobility Manager CVE-2012-4586 (McAfee Email and Web Security (EWS) 5.x before 5.5 Patch 6 and 5.6 bef ...) NOT-FOR-US: McAfee Email and Web Security CVE-2012-4585 (McAfee Email and Web Security (EWS) 5.x before 5.5 Patch 6 and 5.6 bef ...) NOT-FOR-US: McAfee Email and Web Security CVE-2012-4584 (McAfee Email and Web Security (EWS) 5.x before 5.5 Patch 6 and 5.6 bef ...) NOT-FOR-US: McAfee Email and Web Security CVE-2012-4583 (McAfee Email and Web Security (EWS) 5.x before 5.5 Patch 6 and 5.6 bef ...) NOT-FOR-US: McAfee Email and Web Security CVE-2012-4582 (McAfee Email and Web Security (EWS) 5.x before 5.5 Patch 6 and 5.6 bef ...) NOT-FOR-US: McAfee Email and Web Security CVE-2012-4581 (McAfee Email and Web Security (EWS) 5.x before 5.5 Patch 6 and 5.6 bef ...) NOT-FOR-US: McAfee Email and Web Security CVE-2012-4580 (Cross-site scripting (XSS) vulnerability in McAfee Email and Web Secur ...) NOT-FOR-US: McAfee Email and Web Security CVE-2012-4579 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5. ...) - phpmyadmin 4:3.4.11.1-1 [squeeze] - phpmyadmin (Vulnerable code not present) CVE-2012-4578 (The geli encryption provider 7 before r239184 on FreeBSD 10 uses a wea ...) - freebsd-utils (only affects dev version of 10) NOTE: not sure if the bug is in the userland tool or in the kernel device CVE-2012-4577 (The Linux firmware image on (1) Korenix Jetport 5600 series serial-dev ...) NOT-FOR-US: Korenix Jetport 5600 CVE-2012-4576 (FreeBSD: Input Validation Flaw allows local users to gain elevated pri ...) - kfreebsd-8 8.3-6 (bug #694096) - kfreebsd-9 9.0-9 (bug #694097) - kfreebsd-10 10.0~svn252032-1 (bug #694098) [squeeze] - kfreebsd-8 8.1+dfsg-8+squeeze4 CVE-2012-4575 (The add_database function in objects.c in the pgbouncer pooler 1.5.2 f ...) - pgbouncer 1.5.2-4 [squeeze] - pgbouncer (Minor issue) CVE-2012-4574 (Pulp in Red Hat CloudForms before 1.1 uses world-readable permissions ...) NOT-FOR-US: Red Hat CloudForms CVE-2012-4573 (The v1 API in OpenStack Glance Grizzly, Folsom (2012.2), and Essex (20 ...) - glance 2012.1.1-2 (bug #692641) CVE-2012-4572 (Red Hat JBoss Enterprise Application Platform (EAP) before 6.1.0 and J ...) - jbossas4 (Only builds a few libraries, not the full application server, #581226) CVE-2012-4571 (Python Keyring 0.9.1 does not securely initialize the cipher when encr ...) - python-keyring 0.9.2-1 (bug #675379) [wheezy] - python-keyring 0.7.1-1+deb7u1 [squeeze] - python-keyring (Minor issue) CVE-2012-4570 (SQL injection vulnerability in LetoDMS_Core/Core/inc.ClassDMS.php in L ...) - php-letodms-core 3.3.8-1 CVE-2012-4569 (Multiple cross-site scripting (XSS) vulnerabilities in out/out.UsrMgr. ...) - letodms 3.3.9+dfsg-1 CVE-2012-4568 (Multiple cross-site request forgery (CSRF) vulnerabilities in LetoDMS ...) - letodms 3.3.9+dfsg-1 CVE-2012-4567 (Multiple cross-site scripting (XSS) vulnerabilities in LetoDMS (former ...) - letodms 3.3.9+dfsg-1 CVE-2012-4566 (The DTLS support in radsecproxy before 1.6.2 does not properly verify ...) {DSA-2573-1} - radsecproxy 1.6.2-1 CVE-2012-4565 (The tcp_illinois_info function in net/ipv4/tcp_illinois.c in the Linux ...) - linux 3.2.35-1 - linux-2.6 [squeeze] - linux-2.6 2.6.32-48 CVE-2012-4564 (ppm2tiff does not check the return value of the TIFFScanlineSize funct ...) {DSA-2575-1} - tiff3 (The tiff-tools package is only built from the tiff source package) - tiff 4.0.2-5 (bug #692345) CVE-2012-4563 (Cross-site scripting (XSS) vulnerability in Google Web Toolkit (GWT) 2 ...) - gwt (bug #691900) [squeeze] - gwt (Vulnerable code not present) CVE-2012-4562 (Multiple integer overflows in libssh before 0.5.3 allow remote attacke ...) {DSA-2577-1} - libssh 0.5.3-1 CVE-2012-4561 (The (1) publickey_make_dss, (2) publickey_make_rsa, (3) signature_from ...) {DSA-2577-1} - libssh 0.5.3-1 CVE-2012-4560 (Multiple buffer overflows in libssh before 0.5.3 allow remote attacker ...) - libssh 0.5.3-1 [squeeze] - libssh (Vulnerable code not present) CVE-2012-4559 (Multiple double free vulnerabilities in the (1) agent_sign_data functi ...) {DSA-2577-1} - libssh 0.5.3-1 CVE-2012-4558 (Multiple cross-site scripting (XSS) vulnerabilities in the balancer_ha ...) {DSA-2637-1} - apache2 2.2.22-13 (low) CVE-2012-4557 (The mod_proxy_ajp module in the Apache HTTP Server 2.2.12 through 2.2. ...) {DSA-2579-1} - apache2 2.2.22-1 CVE-2012-4556 (The token processing system (pki-tps) in Red Hat Certificate System (R ...) NOT-FOR-US: Red Hat Certificate System CVE-2012-4555 (The token processing system (pki-tps) in Red Hat Certificate System (R ...) NOT-FOR-US: Red Hat Certificate System CVE-2012-4554 (The OpenID module in Drupal 7.x before 7.16 allows remote OpenID serve ...) - drupal7 7.14-1.1 (bug #690817) - drupal6 (according to upstream) NOTE: http://drupal.org/node/1815912 CVE-2012-4553 (Drupal 7.x before 7.16 allows remote attackers to obtain sensitive inf ...) - drupal7 7.14-1.1 (bug #690817) - drupal6 (according to upstream) NOTE: http://drupal.org/node/1815912 CVE-2012-4552 (Stack-based buffer overflow in the error function in ssg/ssgParser.cxx ...) - plib 1.8.5-6 (low; bug #694810) [squeeze] - plib (Minor issue) CVE-2012-4551 (Use-after-free vulnerability in libunity-webapps before 2.4.1 allows r ...) NOT-FOR-US: libunity-webapps CVE-2012-4550 (JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before ...) - jbossas4 (Only builds a few libraries, not the full application server) CVE-2012-4549 (The processInvocation function in org.jboss.as.ejb3.security.Authoriza ...) - jbossas4 (Only builds a few libraries, not the full application server) CVE-2012-4548 (Argument injection vulnerability in syntax-highlighting.sh in cgit 9.0 ...) - cgit (Fixed before the initial upload into the archive) CVE-2012-4547 (Unspecified vulnerability in awredir.pl in AWStats before 7.1 has unkn ...) - awstats NOTE: awredir.pl is not installed into the binary package CVE-2012-4546 (The default configuration for IPA servers in Red Hat Enterprise Linux ...) NOT-FOR-US: FreeIPA CVE-2012-4545 (The http_negotiate_create_context function in protocol/http/http_negot ...) {DSA-2592-1} - elinks 0.12~pre5-9 CVE-2012-4544 (The PV domain builder in Xen 4.2 and earlier does not validate the siz ...) {DSA-2636-1} - xen 4.1.3-4 (low; bug #688125) CVE-2012-4543 (Multiple cross-site scripting (XSS) vulnerabilities in Red Hat Certifi ...) NOT-FOR-US: Red Hat Certificate System CVE-2012-4542 (block/scsi_ioctl.c in the Linux kernel through 3.8 does not properly c ...) - linux (unimportant) - linux-2.6 (unimportant) [squeeze] - linux-2.6 (Too intrusive to backport) NOTE: No upstream fix seems to be planned/treated as non-issue. Marking as unimportant CVE-2012-4541 (Cross-site scripting (XSS) vulnerability in Piwik before 1.9 allows re ...) - piwik (bug #506933) CVE-2012-4540 (Off-by-one error in the invoke function in IcedTeaScriptablePluginObje ...) {DSA-2768-1} - icedtea-web 1.3.1-1 (bug #692608) NOTE: http://seclists.org/oss-sec/2012/q4/237 CVE-2012-4539 (Xen 4.0 through 4.2, when running 32-bit x86 PV guests on 64-bit hyper ...) {DSA-2582-1} - xen 4.1.3-4 CVE-2012-4538 (The HVMOP_pagetable_dying hypercall in Xen 4.0, 4.1, and 4.2 does not ...) {DSA-2582-1} - xen 4.1.3-4 CVE-2012-4537 (Xen 3.4 through 4.2, and possibly earlier versions, does not properly ...) {DSA-2582-1} - xen 4.1.3-4 CVE-2012-4536 (The (1) domain_pirq_to_emuirq and (2) physdev_unmap_pirq functions in ...) - xen 4.1.3-4 [squeeze] - xen (Only affects 4.1.x) CVE-2012-4535 (Xen 3.4 through 4.2, and possibly earlier versions, allows local guest ...) {DSA-2582-1} - xen 4.1.3-4 CVE-2012-4534 (org/apache/tomcat/util/net/NioEndpoint.java in Apache Tomcat 6.x befor ...) - tomcat7 7.0.28-1 (bug #695251) - tomcat6 6.0.35-6 (bug #695250) [squeeze] - tomcat6 6.0.35-1+squeeze3 NOTE: DSA 2725 CVE-2012-4533 (Cross-site scripting (XSS) vulnerability in the "extra" details in the ...) {DSA-2563-1} - viewvc 1.1.5-1.4 (low; bug #691062) CVE-2012-4532 (Cross-site scripting (XSS) vulnerability in modules/mod_languages/tmpl ...) NOT-FOR-US: Joomla addon CVE-2012-4531 (Cross-site scripting (XSS) vulnerability in Joomla! 2.5.x before 2.5.7 ...) NOT-FOR-US: Joomla! CVE-2012-4530 (The load_script function in fs/binfmt_script.c in the Linux kernel bef ...) - linux 3.2.35-1 - linux-2.6 [squeeze] - linux-2.6 2.6.32-48 CVE-2012-4529 (The org.apache.catalina.connector.Response.encodeURL method in Red Hat ...) - jbossas4 (Only builds a few libraries, not the full application server) CVE-2012-4528 (The mod_security2 module before 2.7.0 for the Apache HTTP Server allow ...) - modsecurity-apache 2.6.6-5 (bug #691146) - libapache-mod-security [squeeze] - libapache-mod-security (Minor issue) CVE-2012-4527 (Stack-based buffer overflow in mcrypt 2.6.8 and earlier allows user-as ...) - mcrypt 2.6.8-1.3 (unimportant; bug #690924) NOTE: patch proposed by submitter at RH bugzilla is incorrect NOTE: Only occurs in cmdline parsing, no priv escalation. Only a security issue in constructed setups CVE-2012-4526 (piwigo has XSS in password.php (incomplete fix for CVE-2012-4525) ...) - piwigo (incomplete fix not applied to Debian package) [squeeze] - piwigo (vulnerable code not present) CVE-2012-4525 (piwigo has XSS in password.php ...) - piwigo [squeeze] - piwigo (vulnerable code not present) CVE-2012-4524 (xlockmore before 5.43 'dclock' security bypass vulnerability ...) - xlockmore (low) CVE-2012-4523 (radsecproxy before 1.6.1 does not properly verify certificates when th ...) {DSA-2573-1} - radsecproxy 1.6.2-1 CVE-2012-4522 (The rb_get_path_check function in file.c in Ruby 1.9.3 before patchlev ...) {DLA-235-1} - ruby1.8 (Only affects 1.9.x, see bug #690670) - ruby1.9.1 1.9.3.194-3 (bug #690670) CVE-2012-4521 [rejected dupe assignment] REJECTED CVE-2012-4520 (The django.http.HttpRequest.get_host function in Django 1.3.x before 1 ...) {DSA-2634-1} - python-django 1.4.2-1 (bug #691145) CVE-2012-4519 (Zenphoto before 1.4.3.4 admin-news-articles.php date parameter XSS. ...) NOT-FOR-US: Zenphoto CVE-2012-4518 (ibacm 1.0.7 creates files with world-writable permissions, which allow ...) NOT-FOR-US: ibacm CVE-2012-4517 (ibacm before 1.0.6 does not properly manage reference counts for multi ...) NOT-FOR-US: ibacm CVE-2012-4516 (librdmacm 1.0.16, when ibacm.port is not specified, connects to port 6 ...) - librdmacm 1.0.16-1 (bug #690672) [squeeze] - librdmacm (Introduced in 1.0.12) [wheezy] - librdmacm 1.0.15-1+deb7u1 CVE-2012-4515 (Use-after-free vulnerability in khtml/rendering/render_replaced.cpp in ...) - kdebase (unimportant) - kde-baseapps (unimportant) NOTE: Konqueror not supported security-wise CVE-2012-4514 (rendering/render_replaced.cpp in Konqueror in KDE before 4.9.3 allows ...) - kdebase (unimportant) - kde-baseapps (unimportant) NOTE: Konqueror not supported security-wise CVE-2012-4513 (khtml/imload/scaledimageplane.h in Konqueror in KDE 4.7.3 allows remot ...) - kdebase (unimportant) - kde-baseapps (unimportant) NOTE: Konqueror not supported security-wise CVE-2012-4512 (The CSS parser (khtml/css/cssparser.cpp) in Konqueror in KDE 4.7.3 all ...) - kdebase (unimportant) - kde-baseapps (unimportant) NOTE: Konqueror not supported security-wise CVE-2012-4511 (services/flickr/flickr.c in libsocialweb before 0.25.21 automatically ...) - libsocialweb 0.25.20-3.1 (low; bug #690675) [wheezy] - libsocialweb 0.25.20-2.1 CVE-2012-4510 (cups-pk-helper before 0.2.3 does not properly wrap the (1) cupsGetFile ...) {DSA-2562-1} - cups-pk-helper 0.2.3-1 CVE-2012-4509 RESERVED CVE-2012-4508 (Race condition in fs/ext4/extents.c in the Linux kernel before 3.4.16 ...) {DSA-2668-1} - linux 3.2.35-1 - linux-2.6 CVE-2012-4507 (The strchr function in procmime.c in Claws Mail (aka claws-mail) 3.8.1 ...) - claws-mail 3.8.1-2 (low; bug #690151) [squeeze] - claws-mail 3.7.6-4+squeeze1 NOTE: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2743 NOTE: www.thewildbeast.co.uk/claws-mail/bugzilla/attachment.cgi?id=1165 CVE-2012-4506 (Directory traversal vulnerability in gitolite 3.x before 3.1, when wil ...) - gitolite (Only affects 3.x releases) NOTE: https://groups.google.com/forum/#!topic/gitolite/K9SnQNhCQ-0/discussion NOTE: https://github.com/sitaramc/gitolite/commit/f636ce3ba3e340569b26d1e47b9d9b62dd8a3bf2 CVE-2012-4505 (Heap-based buffer overflow in the px_pac_reload function in lib/pac.c ...) {DSA-2571-1} - libproxy 0.3.1-5.1 (bug #690376) CVE-2012-4504 (Stack-based buffer overflow in the url::get_pac function in url.cpp in ...) - libproxy (Vulnerable code not present) NOTE: 0.4-only issue, fixed in newest upstream 0.4.9 CVE-2012-4503 (cmdmon.c in Chrony before 1.29 allows remote attackers to obtain poten ...) {DSA-2760-1} - chrony 1.29-1 (bug #719203) CVE-2012-4502 (Multiple integer overflows in pktlength.c in Chrony before 1.29 allow ...) {DSA-2760-1} - chrony 1.29-1 (bug #719203) CVE-2012-4501 (Citrix Cloud.com CloudStack, and Apache CloudStack pre-release, allows ...) NOT-FOR-US: CloudStack CVE-2012-4500 (The Announcements module 6.x-1.x before 6.x-1.5 for Drupal allows remo ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2012-4499 (The contact formatter page in the Email Field module 6.x-1.x before 6. ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2012-4498 (The Activism module 6.x-2.x before 6.x-2.1 for Drupal does not properl ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2012-4497 (Cross-site scripting (XSS) vulnerability in the "3 slide gallery" in t ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2012-4496 (Cross-site scripting (XSS) vulnerability in the Custom Publishing Opti ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2012-4495 (The Mime Mail module 6.x-1.x before 6.x-1.1 for Drupal does not proper ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2012-4494 (The Shibboleth authentication module 7.x-4.0 for Drupal does not prope ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2012-4493 (Cross-site scripting (XSS) vulnerability in the administrative interfa ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2012-4492 (Multiple cross-site scripting (XSS) vulnerabilities in the Shorten URL ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2012-4491 (The Monthly Archive by Node Type module 6.x for Drupal does not proper ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2012-4490 (Multiple cross-site scripting (XSS) vulnerabilities in the Excluded Us ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2012-4489 (Open redirect vulnerability in the securelogin_secure_redirect functio ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2012-4488 (The Location module 6.x before 6.x-3.2 and 7.x before 7.x-3.0-alpha1 f ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2012-4487 (The Subuser module before 6.x-1.8 for Drupal does not properly check " ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2012-4486 (Cross-site request forgery (CSRF) vulnerability in the Subuser module ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2012-4485 (Multiple cross-site scripting (XSS) vulnerabilities in the galleryform ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2012-4484 (Cross-site scripting (XSS) vulnerability in the administrative interfa ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2012-4483 (The commons_discussion_views_default_views function in modules/feature ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2012-4482 (The Ubercart SecureTrading Payment Method module 6.x for Drupal does n ...) NOT-FOR-US: Drupal addon not packaged in Debian CVE-2012-4481 (The safe-level feature in Ruby 1.8.7 allows context-dependent attacker ...) - ruby1.8 1.8.7.358-5 (bug #689945) [squeeze] - ruby1.8 (problematic code not present) CVE-2012-4480 (mom creates world-writable pid files in /var/run ...) NOT-FOR-US: mom CVE-2012-4479 (SQL injection vulnerability in the Drag & Drop Gallery module 6.x ...) NOT-FOR-US: Drupal contributed-module CVE-2012-4478 (Cross-site request forgery (CSRF) vulnerability in the Drag & Drop ...) NOT-FOR-US: Drupal contributed-module CVE-2012-4477 (Unspecified vulnerability in the Drag & Drop Gallery module 6.x fo ...) NOT-FOR-US: Drupal contributed-module CVE-2012-4476 (Cross-site scripting (XSS) vulnerability in the Drag & Drop Galler ...) NOT-FOR-US: Drupal contributed-module CVE-2012-4475 (The Security Questions module for Drupal 6.x-1.x before 6.x-1.1 and 7. ...) NOT-FOR-US: Drupal contributed-module CVE-2012-4474 (Multiple cross-site scripting (XSS) vulnerabilities in the Colorbox No ...) NOT-FOR-US: Drupal contributed-module CVE-2012-4473 (The Restrict node page view module 7.x-1.x before 7.x-1.2 for Drupal a ...) NOT-FOR-US: Drupal contributed-module CVE-2012-4472 (Unrestricted file upload vulnerability in upload.php in the Drag & ...) NOT-FOR-US: Drupal contributed-module CVE-2012-4471 (The Search Autocomplete module 7.x-2.x before 7.x-2.4 for Drupal does ...) NOT-FOR-US: Drupal contributed-module CVE-2012-4470 (The Listhandler module 6.x-1.x before 6.x-1.1 for Drupal does not prop ...) NOT-FOR-US: Drupal contributed-module CVE-2012-4469 (Cross-site scripting (XSS) vulnerability in the Hashcash module 6.x-2. ...) NOT-FOR-US: Drupal contributed-module CVE-2012-4468 (Cross-site scripting (XSS) vulnerability in the Privatemsg module 7.x- ...) NOT-FOR-US: Drupal contributed-module CVE-2012-4467 (The (1) do_siocgstamp and (2) do_siocgstampns functions in net/socket. ...) - linux-2.6 (Vulnerable code introduced in 3.3) - linux (Vulnerable code introduced in 3.3) CVE-2012-4466 (Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 ...) - ruby1.9.1 1.9.3.194-2 (low; bug #689075) [squeeze] - ruby1.9.1 (Minor issue, please recheck) CVE-2012-4465 (Heap-based buffer overflow in the substr function in parsing.c in cgit ...) - cgit (Fixed before the initial upload into the archive) CVE-2012-4464 (Ruby 1.9.3 before patchlevel 286 and 2.0 before revision r37068 allows ...) - ruby1.9.1 1.9.3.194-2 (low; bug #689075) [squeeze] - ruby1.9.1 (Introduced in 1.9.3) CVE-2012-4463 (Midnight Commander (mc) 4.8.5 does not properly handle the (1) MC_EXT_ ...) - mc 3:4.8.8-1 (low; bug #689571) [wheezy] - mc (Minor issue) [squeeze] - mc (Minor issue) CVE-2012-4462 (aviary/jobcontrol.py in Condor, as used in Red Hat Enterprise MRG 2.3, ...) - condor (This bug only affects the Aviary contrib module, which isn't built in the Debian condor package, #690556) CVE-2012-4461 (The KVM subsystem in the Linux kernel before 3.6.9, when running on ho ...) {DSA-2668-1} - linux-2.6 - linux 3.2.35-1 CVE-2012-4460 (The serializing/deserializing functions in the qpid::framing::Buffer c ...) - qpid-cpp (low; bug #772794) [wheezy] - qpid-cpp (Minor issue) CVE-2012-4459 (Integer overflow in the qpid::framing::Buffer::checkAvailable function ...) - qpid-cpp (low; bug #772794) [wheezy] - qpid-cpp (Minor issue) CVE-2012-4458 (The AMQP type decoder in Apache Qpid 0.20 and earlier allows remote at ...) - qpid-cpp (low; bug #772794) [wheezy] - qpid-cpp (Minor issue) CVE-2012-4457 (OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 do ...) - keystone 2012.1.1-9 (bug #689210) CVE-2012-4456 (The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Es ...) - keystone 2012.1.1-9 (bug #689210) CVE-2012-4455 (openCryptoki 2.4.1 allows local users to create or set world-writable ...) - opencryptoki 3.4.1+dfsg-1 (low; bug #689417) [jessie] - opencryptoki (Minor issue) [squeeze] - opencryptoki (Minor issue) [wheezy] - opencryptoki (Minor issue) CVE-2012-4454 (openCryptoki before 2.4.1, when using spinlocks, allows local users to ...) - opencryptoki 3.4.1+dfsg-1 (low; bug #689417) [jessie] - opencryptoki (Minor issue) [squeeze] - opencryptoki (Minor issue) [wheezy] - opencryptoki (Minor issue) CVE-2012-4453 (dracut.sh in dracut, as used in Red Hat Enterprise Linux 6, Fedora 16 ...) - dracut 020-1.1 (low; bug #688956) [squeeze] - dracut (Minor issue) CVE-2012-4452 (MySQL 5.0.88, and possibly other versions and platforms, allows local ...) - mysql-dfsg-5.0 (Debian never included that 5.0.88 release) CVE-2012-4451 (Multiple cross-site scripting (XSS) vulnerabilities in Zend Framework ...) - zendframework (Vulnerable code introduced in 2.x, #688946) CVE-2012-4450 (389 Directory Server 1.2.10 does not properly update the ACL when a DN ...) - 389-ds-base 1.2.11.15-1 (bug #688942) NOTE: Upstream ticket https://fedorahosted.org/389/ticket/340 NOTE: Upstream patch http://git.fedorahosted.org/cgit/389/ds.git/commit/?id=5beb93d42efb807838c09c5fab898876876f8d09 CVE-2012-4449 (Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 ge ...) - hadoop (bug #793644) CVE-2012-4448 (Cross-site request forgery (CSRF) vulnerability in wp-admin/index.php ...) - wordpress 3.5.1+dfsg-2 (low; bug #689031) [squeeze] - wordpress (Minor issue) [wheezy] - wordpress (Minor issue) CVE-2012-4447 (Heap-based buffer overflow in tif_pixarlog.c in LibTIFF before 4.0.3 a ...) {DSA-2561-1} - tiff 4.0.2-4 (bug #688944) - tiff3 3.9.6-9 (bug #688944) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=860198 CVE-2012-4446 (The default configuration for Apache Qpid 0.20 and earlier, when the f ...) - qpid-cpp (low; bug #772794) [wheezy] - qpid-cpp (Minor issue) CVE-2012-4445 (Heap-based buffer overflow in the eap_server_tls_process_fragment func ...) {DSA-2557-1} - hostapd - wpa 1.0-3 (bug #689990) CVE-2012-4444 (The ip6_frag_queue function in net/ipv6/reassembly.c in the Linux kern ...) - linux 2.6.36-1~experimental.1 - linux-2.6 [squeeze] - linux-2.6 2.6.32-48 CVE-2012-4443 (Monkey HTTP Daemon 0.9.3 uses a real UID of root and a real GID of roo ...) - monkey (unimportant; bug #688008) CVE-2012-4442 (Monkey HTTP Daemon 0.9.3 retains the supplementary group IDs of the ro ...) - monkey (unimportant; bug #688007) CVE-2012-4441 (Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before ...) - jenkins (Plugin not built in Debian source package) NOTE: http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb CVE-2012-4440 (Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before ...) - jenkins (Plugin not built in Debian source package) NOTE: http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb CVE-2012-4439 (Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before ...) - jenkins 1.447.2+dfsg-2 (bug #688298) NOTE: http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb CVE-2012-4438 (Jenkins main before 1.482 and LTS before 1.466.2 allows remote attacke ...) - jenkins 1.447.2+dfsg-2 (bug #688298) NOTE: http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb CVE-2012-4437 (Cross-site scripting (XSS) vulnerability in the SmartyException class ...) - smarty3 3.1.10-2 (bug #688153) - smarty (bug #702710) [squeeze] - smarty 2.6.26-0.2+squeeze1 [squeeze] - smarty3 (Unsupported in squeeze-lts) NOTE: http://www.openwall.com/lists/oss-security/2012/09/19/1 NOTE: http://secunia.com/advisories/50589/ NOTE: http://code.google.com/p/smarty-php/source/browse/trunk/distribution/change_log.txt NOTE: http://code.google.com/p/smarty-php/source/detail?r=4658 NOTE: https://code.google.com/p/smarty-php/source/detail?r=4660 CVE-2012-4436 (Buffer overflow in the run_last_args function in client/fwknop.c in fw ...) - fwknop 2.0.3-1 (bug #688151) [squeeze] - fwknop (Vulnerable code not present) [wheezy] - fwknop 2.0.0rc2-2+deb7u1 NOTE: http://seclists.org/oss-sec/2012/q3/509 NOTE: http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff;h=a60f05ad44e824f6230b22f8976399340cb535dc CVE-2012-4435 (fwknop before 2.0.3 does not properly validate IP addresses, which all ...) - fwknop 2.0.3-1 (bug #688151) [squeeze] - fwknop (Vulnerable code not present) [wheezy] - fwknop 2.0.0rc2-2+deb7u1 NOTE: http://seclists.org/oss-sec/2012/q3/509 NOTE: http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff;h=f4c16bc47fc24a96b63105556b62d61c1ba7d799 CVE-2012-4434 (fwknop before 2.0.3 allow remote authenticated users to cause a denial ...) - fwknop 2.0.3-1 (bug #688151) [squeeze] - fwknop (Vulnerable code not present) [wheezy] - fwknop 2.0.0rc2-2+deb7u1 NOTE: http://seclists.org/oss-sec/2012/q3/509 NOTE: http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff;h=d46ba1c027a11e45821ba897a4928819bccc8f22 CVE-2012-4433 (Multiple integer overflows in operations/external/ppm-load.c in GEGL ( ...) - gegl 0.2.0-2+nmu1 (bug #692435) [squeeze] - gegl (PPM code not yet present) NOTE: http://seclists.org/oss-sec/2012/q4/215 CVE-2012-4432 (Use-after-free vulnerability in opngreduc.c in OptiPNG Hg and 0.7.x be ...) - optipng (Introduced in 0.7, bug #687998) CVE-2012-4431 (org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat ...) - tomcat7 7.0.28-4 (bug #695251) - tomcat6 6.0.35-6 (bug #695250) [squeeze] - tomcat6 6.0.35-1+squeeze3 NOTE: DSA 2725 CVE-2012-4430 (The dump_resource function in dird/dird_conf.c in Bacula before 5.2.11 ...) {DSA-2558-1} - bacula 5.2.6+dfsg-4 (bug #687923) [wheezy] - bacula 5.2.6+dfsg-2.1 NOTE: http://www.bacula.org/git/cgit.cgi/bacula/commit/?id=67debcecd3d530c429e817e1d778e79dcd1db905 CVE-2012-4429 (Vino 2.28, 2.32, 3.4.2, and earlier allows remote attackers to read cl ...) - vino 3.8.1-1 (bug #687596; low) [squeeze] - vino (Minor issue) [wheezy] - vino (Minor issue) CVE-2012-4428 (openslp: SLPIntersectStringList()' Function has a DoS vulnerability ...) {DLA-304-1} - openslp-dfsg 1.2.1-10 (bug #687597; low) [squeeze] - openslp-dfsg (Minor issue) [wheezy] - openslp-dfsg (Minor issue) CVE-2012-4427 (The gnome-shell plugin 3.4.1 in GNOME allows remote attackers to force ...) - gnome-shell (unimportant) NOTE: I don't see much of a problem here, if you install from a repo, you need to trust it NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=684215 NOTE: As far as I can see there is still a yes/no prompt for the user. I suggest unfixed unimportant. -- helmut CVE-2012-4426 (Multiple format string vulnerabilities in mcrypt 2.6.8 and earlier mig ...) - mcrypt 2.6.8-1.1 [squeeze] - mcrypt (minor issue, it doesn't affect libmcrypt) CVE-2012-4425 (libgio, when used in setuid or other privileged programs in spice-gtk ...) - spice-gtk 0.12-5 (bug #689155) NOTE: http://www.openwall.com/lists/oss-security/2012/09/13/18 CVE-2012-4424 (Stack-based buffer overflow in string/strcoll_l.c in the GNU C Library ...) {DLA-165-1} - eglibc - glibc 2.17-94 (low; bug #689423) [wheezy] - eglibc 2.13-38+deb7u1 CVE-2012-4423 (The virNetServerProgramDispatchCall function in libvirt before 0.10.2 ...) - libvirt 0.9.12-5 (bug #687598) [squeeze] - libvirt (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=857133 NOTE: http://www.openwall.com/lists/oss-security/2012/09/13/11 CVE-2012-4422 (wp-admin/plugins.php in WordPress before 3.4.2, when the multisite fea ...) - wordpress 3.4.2+dfsg-1 CVE-2012-4421 (The create_post function in wp-includes/class-wp-atom-server.php in Wo ...) - wordpress 3.4.2+dfsg-1 CVE-2012-4420 (An information disclosure flaw was found in the way the Java Virtual M ...) NOT-FOR-US: Duplicate of CVE-2012-4416 CVE-2012-4419 (The compare_tor_addr_to_addr_policy function in or/policies.c in Tor b ...) {DSA-2548-1} - tor 0.2.3.22-rc-1 NOTE: http://www.openwall.com/lists/oss-security/2012/09/12/5 NOTE: https://gitweb.torproject.org/tor.git/blob/release-0.2.2:/ReleaseNotes NOTE: https://gitweb.torproject.org/tor.git/commitdiff/973c18bf0e84d14d8006a9ae97fde7f7fb97e404 NOTE: https://gitweb.torproject.org/tor.git/commitdiff/62d96284f7e0f81c40d5df7e53dd7b4dfe7e56a5 CVE-2012-4418 (Apache Axis2 allows remote attackers to forge messages and bypass auth ...) NOT-FOR-US: We only provide Axis 1(Java) and the C-version of Axis CVE-2012-4417 (GlusterFS 3.3.0, as used in Red Hat Storage server 2.0, allows local u ...) - glusterfs 3.2.7-5 (low; bug #693112) [wheezy] - glusterfs (Minor issue) [squeeze] - glusterfs (Minor issue) CVE-2012-4416 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 7u3-2.1.3-1 (bug #690774) - openjdk-6 6b24-1.11.5-0ubuntu1 (bug #690774) CVE-2012-4415 (Stack-based buffer overflow in the guac_client_plugin_open function in ...) - libguac 0.6.0-2 (medium) NOTE: maintainer contacted us, working on update NOTE: http://guac-dev.org/trac/changeset/7dcefa744b4a38825619c00ae8b47e5bae6e38c0/libguac CVE-2012-4414 (Multiple SQL injection vulnerabilities in the replication code in Orac ...) - mysql-5.1 5.1.72-1 (low; bug #687484) [squeeze] - mysql-5.1 (Minor issue, currently not fixed in MySQL, can be included once fixed in 5.1.x) - mysql-5.5 5.5.30+dfsg-1 (bug #687485) CVE-2012-4413 (OpenStack Keystone 2012.1.3 does not invalidate existing tokens when g ...) - keystone 2012.1.1-6 (bug #687428) NOTE: http://www.openwall.com/lists/oss-security/2012/09/12/7 CVE-2012-4412 (Integer overflow in string/strcoll_l.c in the GNU C Library (aka glibc ...) {DLA-165-1} - eglibc - glibc 2.17-94 (low; bug #687530) [wheezy] - eglibc 2.13-38+deb7u1 CVE-2012-4411 (The graphical console in Xen 4.0, 4.1 and 4.2 allows local OS guest ad ...) {DSA-2543-1} - xen 4.1.3-2 - xen-qemu-dm-4.0 [squeeze] - xen (In Squeeze the code is in the package xen-qemu-dm-4.0) CVE-2012-4409 (Stack-based buffer overflow in the check_file_head function in extra.c ...) - mcrypt 2.6.8-1.1 [squeeze] - mcrypt (minor issue, it doesn't affect libmcrypt) NOTE: http://packetstormsecurity.org/files/116268/mcrypt-2.6.8-Buffer-Overflow-Proof-Of-Concept.html CVE-2012-4408 (course/reset.php in Moodle 2.1.x before 2.1.8, 2.2.x before 2.2.5, and ...) - moodle 2.2.3.dfsg-2.3 (low; bug #687924) [squeeze] - moodle (Only affects >= 2.1) CVE-2012-4407 (lib/filelib.php in Moodle 2.1.x before 2.1.8, 2.2.x before 2.2.5, and ...) - moodle 2.2.3.dfsg-2.3 (low; bug #687924) [squeeze] - moodle (Only affects >= 2.1) CVE-2012-4406 (OpenStack Object Storage (swift) before 1.7.0 uses the loads function ...) - swift 1.4.8-2 (bug #686812) CVE-2012-4405 (Multiple integer underflows in the icmLut_allocate function in Interna ...) {DSA-2595-1} - argyll 1.4.0-7 (bug #687275) [squeeze] - argyll (Only standalone binary in squeeze, minor impact) - ghostscript 9.05~dfsg-6.1 (bug #687274) CVE-2012-4404 (security/__init__.py in MoinMoin 1.9 through 1.9.4 does not properly h ...) {DSA-2538-1} - moin 1.9.4-8 NOTE: http://hg.moinmo.in/moin/1.9/rev/7b9f39289e16 CVE-2012-4403 (theme/yui_combo.php in Moodle 2.3.x before 2.3.2 does not properly con ...) - moodle (Only affects >= 2.3) CVE-2012-4402 (webservice/lib.php in Moodle 2.1.x before 2.1.8, 2.2.x before 2.2.5, a ...) - moodle 2.2.3.dfsg-2.3 (bug #687924) [squeeze] - moodle (Only affects >= 2.1) CVE-2012-4401 (Moodle 2.2.x before 2.2.5 and 2.3.x before 2.3.2 allows remote authent ...) - moodle 2.2.3.dfsg-2.3 (low; bug #687924) [squeeze] - moodle (Only affects >= 2.2) CVE-2012-4400 (repository/repository_ajax.php in Moodle 2.2.x before 2.2.5 and 2.3.x ...) - moodle 2.2.3.dfsg-2.3 (low; bug #687924) [squeeze] - moodle (Only affects >= 2.2) CVE-2012-4399 (The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 all ...) - cakephp (Does not affect 1.3) NOTE: http://seclists.org/bugtraq/2012/Jul/101 NOTE: http://web.archive.org/web/20140822011643/http://bakery.cakephp.org:80/articles/markstory/2012/07/14/security_release_-_cakephp_2_1_5_2_2_1 CVE-2012-4398 (The __request_module function in kernel/kmod.c in the Linux kernel bef ...) - linux 3.2.35-1 (low) - linux-2.6 [squeeze] - linux-2.6 2.6.32-48 CVE-2012-4397 (Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before ...) - owncloud 4.0.1debian-1 CVE-2012-4396 (Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before ...) - owncloud 4.0.2debian-1 CVE-2012-4395 (Cross-site scripting (XSS) vulnerability in index.php in ownCloud befo ...) - owncloud 4.0.3debian-1 CVE-2012-4394 (Cross-site scripting (XSS) vulnerability in apps/files/js/filelist.js ...) - owncloud 4.0.5debian-1 (bug #686567) [wheezy] - owncloud 4.0.4debian2-2 CVE-2012-4393 (Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud ...) - owncloud 4.0.7debian-1 (bug #686567) [wheezy] - owncloud 4.0.4debian2-2 CVE-2012-4392 (index.php in ownCloud 4.0.7 does not properly validate the oc_token co ...) - owncloud 4.0.7debian-1 (bug #686567) [wheezy] - owncloud 4.0.4debian2-2 CVE-2012-4391 (Cross-site request forgery (CSRF) vulnerability in core/ajax/appconfig ...) - owncloud 4.0.7debian-1 (bug #686567) [wheezy] - owncloud 4.0.4debian2-2 CVE-2012-4390 ((1) apps/calendar/appinfo/remote.php and (2) apps/contacts/appinfo/rem ...) - owncloud 4.0.7debian-1 (bug #686567) [wheezy] - owncloud 4.0.4debian2-2 CVE-2012-4389 (Incomplete blacklist vulnerability in lib/migrate.php in ownCloud befo ...) - owncloud 4.0.7debian-1 (bug #686567) [wheezy] - owncloud 4.0.4debian2-2 CVE-2012-4388 (The sapi_header_op function in main/SAPI.c in PHP 5.4.0RC2 through 5.4 ...) - php5 5.4.1~rc1-1 [squeeze] - php5 (CVE-2011-1398 was never fixed in squeeze) CVE-2012-4387 (Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a d ...) - libstruts1.2-java (Only affects Struts 2) NOTE: http://struts.apache.org/2.x/docs/s2-011.html CVE-2012-4386 (The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does no ...) - libstruts1.2-java (Only affects Struts 2) NOTE: http://struts.apache.org/2.x/docs/s2-010.html CVE-2012-4385 (letodms 3.3.6 has CSRF via change password ...) - letodms 3.3.7+dfsg-1 (bug #689664) CVE-2012-4384 (letodms has multiple XSS issues: Reflected XSS in Login Page, Stored X ...) - letodms 3.3.7+dfsg-1 (bug #689664) CVE-2012-4383 (contao prior to 2.11.4 has a sql injection vulnerability ...) NOT-FOR-US: Contao CVE-2012-4382 (MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not properly pr ...) - mediawiki 1:1.19.2-1 (bug #686330) [squeeze] - mediawiki NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=39823 NOTE: http://www.openwall.com/lists/oss-security/2012/08/31/6 CVE-2012-4381 (MediaWiki before 1.18.5, and 1.19.x before 1.19.2 saves passwords in t ...) - mediawiki 1:1.19.2-1 (bug #686330) [squeeze] - mediawiki NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=39184 NOTE: http://www.openwall.com/lists/oss-security/2012/08/31/6 CVE-2012-4380 (MediaWiki before 1.18.5, and 1.19.x before 1.19.2 allows remote attack ...) - mediawiki 1:1.19.2-1 (bug #686330) [squeeze] - mediawiki NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=39824 NOTE: http://www.openwall.com/lists/oss-security/2012/08/31/6 CVE-2012-4379 (MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not send a rest ...) - mediawiki 1:1.19.2-1 (bug #686330) [squeeze] - mediawiki NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=39180 NOTE: http://www.openwall.com/lists/oss-security/2012/08/31/6 CVE-2012-4378 (Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki befor ...) - mediawiki 1:1.19.2-1 (bug #686330) [squeeze] - mediawiki NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=37587 NOTE: http://www.openwall.com/lists/oss-security/2012/08/31/6 CVE-2012-4377 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.18.5 an ...) - mediawiki 1:1.19.2-1 (bug #686330) [squeeze] - mediawiki (Introduced in 1.16) NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=39700 NOTE: http://www.openwall.com/lists/oss-security/2012/08/31/6 CVE-2012-4376 RESERVED CVE-2012-4375 RESERVED CVE-2012-4374 RESERVED CVE-2012-4373 RESERVED CVE-2012-4372 RESERVED CVE-2012-4371 RESERVED CVE-2012-4370 RESERVED CVE-2012-4369 RESERVED CVE-2012-4368 RESERVED CVE-2012-4367 RESERVED CVE-2012-4366 (Belkin wireless routers Surf N150 Model F7D1301v1, N900 Model F9K1104v ...) NOT-FOR-US: Belkin wireless routers CVE-2012-4365 RESERVED CVE-2012-4364 RESERVED CVE-2011-5101 (The Rumor technology in McAfee SaaS Endpoint Protection before 5.2.4 a ...) NOT-FOR-US: McAfee CVE-2011-5100 (The web interface in McAfee Firewall Reporter before 5.1.0.13 does not ...) NOT-FOR-US: McAfee CVE-2010-5143 (McAfee VirusScan Enterprise before 8.8 allows local users to disable t ...) NOT-FOR-US: McAfee CVE-2009-5118 (Untrusted search path vulnerability in McAfee VirusScan Enterprise bef ...) NOT-FOR-US: McAfee CVE-2009-5117 (The Web Post Protection feature in McAfee Host Data Loss Prevention (D ...) NOT-FOR-US: McAfee CVE-2009-5116 (McAfee LinuxShield 1.5.1 and earlier does not properly implement clien ...) NOT-FOR-US: McAfee CVE-2009-5115 (McAfee Common Management Agent (CMA) 3.5.5 through 3.5.5.588 and 3.6.0 ...) NOT-FOR-US: McAfee CVE-2012-4363 (Multiple unspecified vulnerabilities in Adobe Reader through 10.1.4 al ...) NOT-FOR-US: Adobe Reader CVE-2012-4362 (hydra.exe in HP SAN/iQ before 9.5 on the HP Virtual SAN Appliance has ...) NOT-FOR-US: HP Virtual SAN Appliance CVE-2012-4361 (lhn/public/network/ping in HP SAN/iQ before 9.5 on the HP Virtual SAN ...) NOT-FOR-US: HP Virtual SAN Appliance CVE-2012-4360 (Cross-site scripting (XSS) vulnerability in the mod_pagespeed module 0 ...) NOT-FOR-US: mod_pagespeed CVE-2012-4359 (Sielco Sistemi Winlog Pro SCADA before 2.07.18 and Winlog Lite SCADA b ...) NOT-FOR-US: Sielco Sistemi Winlog SCADA CVE-2012-4358 (Sielco Sistemi Winlog Pro SCADA before 2.07.17 and Winlog Lite SCADA b ...) NOT-FOR-US: Sielco Sistemi Winlog SCADA CVE-2012-4357 (Array index error in Sielco Sistemi Winlog Pro SCADA before 2.07.17 an ...) NOT-FOR-US: Sielco Sistemi Winlog SCADA CVE-2012-4356 (Multiple directory traversal vulnerabilities in Sielco Sistemi Winlog ...) NOT-FOR-US: Sielco Sistemi Winlog SCADA CVE-2012-4355 (TCPIPS_Story.dll in Sielco Sistemi Winlog Pro SCADA before 2.07.18 and ...) NOT-FOR-US: Sielco Sistemi Winlog SCADA CVE-2012-4354 (TCPIPS_Story.dll in Sielco Sistemi Winlog Pro SCADA before 2.07.17 and ...) NOT-FOR-US: Sielco Sistemi Winlog SCADA CVE-2012-4353 (Stack-based buffer overflow in RunTime.exe in Sielco Sistemi Winlog Pr ...) NOT-FOR-US: Sielco Sistemi Winlog SCADA CVE-2012-4352 (Multiple cross-site scripting (XSS) vulnerabilities in Stoneware webNe ...) NOT-FOR-US: Stoneware webNetwork CVE-2012-4351 (Integer overflow in pgpwded.sys in Symantec PGP Desktop 10.x and Encry ...) NOT-FOR-US: Symantec CVE-2012-4350 (Multiple unquoted Windows search path vulnerabilities in the (1) Manag ...) NOT-FOR-US: Symantec Enterprise Security Manager CVE-2012-4349 (Unquoted Windows search path vulnerability in Symantec Network Access ...) NOT-FOR-US: Symantec Network Access Control CVE-2012-4348 (The management console in Symantec Endpoint Protection (SEP) 11.0 befo ...) NOT-FOR-US: Symantec Endpoint Protection CVE-2012-4347 (Multiple directory traversal vulnerabilities in the management console ...) NOT-FOR-US: Symantec CVE-2012-4346 RESERVED CVE-2012-4345 (Multiple cross-site scripting (XSS) vulnerabilities in the Database St ...) - phpmyadmin 4:3.4.11.1-1 [squeeze] - phpmyadmin (Vulnerable code not present) CVE-2012-4344 (Cross-site scripting (XSS) vulnerability in Ipswitch WhatsUp Gold 15.0 ...) NOT-FOR-US: Ipswitch CVE-2012-4343 (Multiple unspecified vulnerabilities in Gallery 3 before 3.0.4 allow a ...) - gallery3 (bug #511715) CVE-2012-4342 (Multiple cross-site scripting (XSS) vulnerabilities in Gallery 3 befor ...) - gallery3 (bug #511715) CVE-2012-4341 (Multiple stack-based buffer overflows in msg_server.exe in SAP NetWeav ...) NOT-FOR-US: SAP NetWeaver ABAP CVE-2012-4340 (Cross-site scripting (XSS) vulnerability in Sybase EAServer before 6.1 ...) NOT-FOR-US: Sybase CVE-2012-4339 RESERVED CVE-2012-4338 RESERVED CVE-2012-4337 (Foxit Reader before 5.3 on Windows XP and Windows 7 allows remote atta ...) NOT-FOR-US: Foxit Reader CVE-2012-4336 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Fl ...) NOT-FOR-US: Flogr 2.5.6 CVE-2012-4335 (Samsung NET-i viewer 1.37.120316 allows remote attackers to cause a de ...) NOT-FOR-US: Samsung NET-i CVE-2012-4334 (The ConnectDDNS method in the (1) STWConfigNVR 1.1.13.15 and (2) STWCo ...) NOT-FOR-US: Samsung NET-i CVE-2012-4333 (Multiple stack-based buffer overflows in the BackupToAvi method in the ...) NOT-FOR-US: Samsung NET-i CVE-2012-4332 (The ShareYourCart plugin 1.7.1 for WordPress allows remote attackers t ...) NOT-FOR-US: Wordpress plugin CVE-2012-4331 (Multiple unspecified vulnerabilities in SPIP before 1.9.2.o, 2.0.x bef ...) {DSA-2461-1} - spip 2.1.13-1 CVE-2012-4330 (The Samsung D6000 TV and possibly other products allows remote attacke ...) NOT-FOR-US: Samsung D6000 TV CVE-2012-4329 (The Samsung D6000 TV and possibly other products allow remote attacker ...) NOT-FOR-US: Samsung D6000 TV CVE-2012-4328 (Unspecified vulnerability in the MAPI in vBulletin Suite 4.1.2 through ...) NOT-FOR-US: vBulletin CVE-2012-4327 (Unspecified vulnerability in the Image News slider plugin before 3.3 f ...) NOT-FOR-US: Image News slider plugin for WordPress CVE-2012-4326 (Cross-site request forgery (CSRF) vulnerability in commonsettings.php ...) NOT-FOR-US: AlstraSoft Site Uptime Enterprise CVE-2012-4325 (Cross-site request forgery (CSRF) vulnerability in upload/users.php in ...) NOT-FOR-US: Utopia News Pro CVE-2012-4324 (Cross-site request forgery (CSRF) vulnerability in PHPJabbers Vacation ...) NOT-FOR-US: PHPJabbers Vacation Rental Script CVE-2012-4323 RESERVED CVE-2012-4322 RESERVED CVE-2012-4321 RESERVED CVE-2012-4320 RESERVED CVE-2012-4319 RESERVED CVE-2012-4318 RESERVED CVE-2012-4317 RESERVED CVE-2012-4316 RESERVED CVE-2012-4315 RESERVED CVE-2012-4314 RESERVED CVE-2012-4313 RESERVED CVE-2012-4312 RESERVED CVE-2012-4311 RESERVED CVE-2012-4310 RESERVED CVE-2012-4309 RESERVED CVE-2012-4308 RESERVED CVE-2012-4307 RESERVED CVE-2012-4306 RESERVED CVE-2012-4305 (Unspecified vulnerability in the JavaFX component in Oracle Java SE Ja ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2012-4304 RESERVED CVE-2012-4303 (Unspecified vulnerability in the Oracle WebCenter Content component in ...) NOT-FOR-US: Oracle Fusion CVE-2012-4302 RESERVED CVE-2012-4301 (Unspecified vulnerability in the JavaFX component in Oracle Java SE Ja ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2012-4300 RESERVED CVE-2012-4299 RESERVED CVE-2012-4298 (Integer signedness error in the vwr_read_rec_data_ethernet function in ...) - wireshark 1.8.2-1 [squeeze] - wireshark (Only affects 1.8.x) CVE-2012-4297 (Buffer overflow in the dissect_gsm_rlcmac_downlink function in epan/di ...) - wireshark 1.8.2-1 [squeeze] - wireshark (Only affects 1.6.x and 1.8.x) CVE-2012-4296 (Buffer overflow in epan/dissectors/packet-rtps2.c in the RTPS2 dissect ...) {DSA-2590-1} - wireshark 1.8.2-1 CVE-2012-4295 (Array index error in the channelised_fill_sdh_g707_format function in ...) - wireshark 1.8.2-1 [squeeze] - wireshark (Only affects 1.8.x) CVE-2012-4294 (Buffer overflow in the channelised_fill_sdh_g707_format function in ep ...) - wireshark 1.8.2-1 [squeeze] - wireshark (Only affects 1.8.x) CVE-2012-4293 (plugins/ethercat/packet-ecatmb.c in the EtherCAT Mailbox dissector in ...) - wireshark 1.8.2-1 (unimportant) NOTE: not suitable for code injection CVE-2012-4292 (The dissect_stun_message function in epan/dissectors/packet-stun.c in ...) - wireshark 1.8.2-1 (unimportant) NOTE: not suitable for code injection CVE-2012-4291 (The CIP dissector in Wireshark 1.4.x before 1.4.15, 1.6.x before 1.6.1 ...) - wireshark 1.8.2-1 (unimportant) NOTE: not suitable for code injection CVE-2012-4290 (The CTDB dissector in Wireshark 1.4.x before 1.4.15, 1.6.x before 1.6. ...) - wireshark 1.8.2-1 (unimportant) NOTE: not suitable for code injection CVE-2012-4289 (epan/dissectors/packet-afp.c in the AFP dissector in Wireshark 1.4.x b ...) - wireshark 1.8.2-1 (unimportant) NOTE: not suitable for code injection CVE-2012-4288 (Integer overflow in the dissect_xtp_ecntl function in epan/dissectors/ ...) - wireshark 1.8.2-1 (unimportant) NOTE: not suitable for code injection CVE-2012-4287 (epan/dissectors/packet-mongo.c in the MongoDB dissector in Wireshark 1 ...) - wireshark 1.8.2-1 [squeeze] - wireshark (Only affects 1.8.x) CVE-2012-4286 (The pcapng_read_packet_block function in wiretap/pcapng.c in the pcap- ...) - wireshark 1.8.2-1 [squeeze] - wireshark (Only affects 1.8.x) CVE-2012-4285 (The dissect_pft function in epan/dissectors/packet-dcp-etsi.c in the D ...) - wireshark 1.8.2-1 (unimportant) NOTE: not suitable for code injection CVE-2012-4284 (A Privilege Escalation vulnerability exists in Viscosity 1.4.1 on Mac ...) NOT-FOR-US: Viscosity CVE-2011-5099 (SQL injection vulnerability in helper/popup.php in the ccNewsletter (m ...) NOT-FOR-US: Joomla addon CVE-2012-4283 (Cross-site scripting (XSS) vulnerability in the Login With Ajax plugin ...) NOT-FOR-US: Login With Ajax plugin for Wordpress CVE-2012-4282 (SQL injection vulnerability in photo.php in Trombinoscope 3.5 allows r ...) NOT-FOR-US: Trombinoscope 3.5 CVE-2012-4281 (Multiple SQL injection vulnerabilities in Travelon Express 6.2.2 allow ...) NOT-FOR-US: Travelon Express 6.2.2 CVE-2012-4280 (Multiple cross-site request forgery (CSRF) vulnerabilities in admin/ag ...) NOT-FOR-US: Free Realty 3.1-0.6 CVE-2012-4279 (Multiple SQL injection vulnerabilities in Free Realty 3.1-0.6 allow re ...) NOT-FOR-US: Free Realty 3.1-0.6 CVE-2012-4278 (Multiple cross-site scripting (XSS) vulnerabilities in Free Realty 3.1 ...) NOT-FOR-US: Free Realty CVE-2012-4277 (Cross-site scripting (XSS) vulnerability in the smarty_function_html_o ...) - smarty3 3.1.10-1 - smarty (low) [squeeze] - smarty (Unsupported in squeeze-lts) [squeeze] - smarty3 (Unsupported in squeeze-lts) CVE-2012-4276 (Unspecified vulnerability in Hitachi IT Operations Director 02-50-01 t ...) NOT-FOR-US: Hitachi IT Operations Director CVE-2012-4275 (Cross-site scripting (XSS) vulnerability in Hitachi IT Operations Dire ...) NOT-FOR-US: Hitachi IT Operations Director CVE-2012-4274 (Unspecified vulnerability in Hitachi Cobol GUI Option 06-00, 06-01 thr ...) NOT-FOR-US: Hitachi Cobol GUI Option CVE-2012-4273 (Cross-site scripting (XSS) vulnerability in libs/xing.php in the 2 Cli ...) NOT-FOR-US: 2 Click Social Media Buttons plugin for Wordpress CVE-2012-4272 (Multiple cross-site scripting (XSS) vulnerabilities in the 2 Click Soc ...) NOT-FOR-US: 2 Click Social Media Buttons plugin for WordPress CVE-2012-4271 (Multiple cross-site scripting (XSS) vulnerabilities in bad-behavior-wo ...) NOT-FOR-US: Wordpress plugin CVE-2012-4270 (Cross-site scripting (XSS) vulnerability in eFront 3.6.11 allows remot ...) NOT-FOR-US: eFront CVE-2012-4269 (Unrestricted file upload vulnerability in eFront 3.6.11 allows remote ...) NOT-FOR-US: eFront CVE-2012-4268 (Cross-site scripting (XSS) vulnerability in bulletproof-security/admin ...) NOT-FOR-US: BulletProof Security plugin for WordPress CVE-2012-4267 (Cross-site scripting (XSS) vulnerability in user/register in Sockso 1. ...) NOT-FOR-US: Sockso CVE-2012-4266 (Cross-site scripting (XSS) vulnerability in client_details.php in Prom ...) NOT-FOR-US: Proman Xpress CVE-2012-4265 (SQL injection vulnerability in category_edit.php in Proman Xpress 5.0. ...) NOT-FOR-US: Proman Xpress CVE-2012-4264 (Multiple cross-site scripting (XSS) vulnerabilities in the Better WP S ...) NOT-FOR-US: Better WP Security plugin for WordPress CVE-2012-4263 (Cross-site scripting (XSS) vulnerability in inc/admin/content.php in t ...) NOT-FOR-US: Better WP Security plugin for Wordpress CVE-2012-4262 (Multiple cross-site scripting (XSS) vulnerabilities in myCare2x allow ...) NOT-FOR-US: myCare2x CVE-2012-4261 (SQL injection vulnerability in modules/patient/mycare2x_pat_info.php i ...) NOT-FOR-US: myCare2x CVE-2012-4260 (Multiple SQL injection vulnerabilities in myCare2x allow remote attack ...) NOT-FOR-US: myCare2x CVE-2012-4259 (Cross-site scripting (XSS) vulnerability in the contacts in (1) XPhone ...) NOT-FOR-US: XPhone Virtual Directory CVE-2012-4258 (Multiple SQL injection vulnerabilities in MYRE Real Estate Software (2 ...) NOT-FOR-US: MYRE Real Estate Software CVE-2012-4257 (Yaqas (Yet Another Question & Answer System) 1.0 Alpha 1 allows re ...) NOT-FOR-US: Yaqas CVE-2012-4256 (The jNews (com_jnews) component 7.5.1 for Joomla! allows remote attack ...) NOT-FOR-US: jNews for Joomla! CVE-2012-4255 (MySQLDumper 1.24.4 allows remote attackers to obtain sensitive informa ...) NOT-FOR-US: MySQLDumper CVE-2012-4254 (MySQLDumper 1.24.4 allows remote attackers to obtain sensitive informa ...) NOT-FOR-US: MySQLDumper CVE-2012-4253 (Multiple directory traversal vulnerabilities in MySQLDumper 1.24.4 all ...) NOT-FOR-US: MySQLDumper CVE-2012-4252 (Multiple cross-site request forgery (CSRF) vulnerabilities in MySQLDum ...) NOT-FOR-US: MySQLDumper CVE-2012-4251 (Multiple cross-site scripting (XSS) vulnerabilities in MySQLDumper 1.2 ...) NOT-FOR-US: MySQLDumper CVE-2012-4250 (Stack-based buffer overflow in the RequestScreenOptimization function ...) NOT-FOR-US: Samsung NET-i viewer CVE-2012-4249 (The Amazon Lab126 com.lab126.system sendEvent implementation on the Ki ...) NOT-FOR-US: Kindle Touch CVE-2012-4248 (The Amazon Kindle Touch before 5.1.2 does not properly restrict access ...) NOT-FOR-US: Kindle Touch CVE-2012-4247 (Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/ind ...) - phplist (bug #612288) CVE-2012-4246 (Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/ind ...) - phplist (bug #612288) CVE-2012-4245 (The scriptfu network server in GIMP 2.6 does not require authenticatio ...) - gimp (unimportant) NOTE: The interface isn't designed or advertised to be secure, this is hardly a security issue in practice CVE-2012-4244 (ISC BIND 9.x before 9.7.6-P3, 9.8.x before 9.8.3-P3, 9.9.x before 9.9. ...) {DSA-2547-1} - bind9 1:9.8.4.dfsg-1 (bug #693015) [wheezy] - bind9 1:9.8.1.dfsg.P1-4.4 - isc-dhcp (issue only affects the named service, which isn't used by isc-dhcp) CVE-2012-4243 RESERVED CVE-2012-4242 (Cross-site scripting (XSS) vulnerability in the MF Gig Calendar plugin ...) NOT-FOR-US: MF Gig Calendar CVE-2012-4241 (Multiple cross-site scripting (XSS) vulnerabilities in Microcart 1.0 a ...) NOT-FOR-US: Microcart CVE-2012-4240 (SQL injection vulnerability in modules/calendar/json.php in Group-Offi ...) NOT-FOR-US: Group-Office CVE-2012-4239 RESERVED CVE-2012-4238 (Cross-site scripting (XSS) vulnerability in admin/code/tce_edit_answer ...) NOT-FOR-US: TCExam CVE-2012-4237 (Multiple SQL injection vulnerabilities in TCExam before 11.3.008 allow ...) NOT-FOR-US: TCExam CVE-2012-4236 (Cross-site scripting (XSS) vulnerability in the refresh_page function ...) NOT-FOR-US: Total Shop UK eCommerce CVE-2012-4235 (The RSGallery2 (com_rsgallery2) component before 3.2.0 for Joomla! 2.5 ...) NOT-FOR-US: Joomla addon CVE-2012-4234 (Cross-site scripting (XSS) vulnerability in the group moderation scree ...) NOT-FOR-US: Phorum CVE-2012-4233 (LibreOffice 3.5.x before 3.5.7.2 and 3.6.x before 3.6.1, and OpenOffic ...) {DSA-2570-1} - libreoffice 1:3.5.4+dfsg-3 (low) - openoffice.org 1:3.3.0-1 (low) NOTE: Since 3.3.0 openoffice.org is a transitional source package NOTE: https://www.htbridge.com/advisory/HTB23106 CVE-2012-4232 (SQL injection vulnerability in admin/index.php in jCore before 1.0pre2 ...) NOT-FOR-US: jCore CVE-2012-4231 (Cross-site scripting (XSS) vulnerability in admin/index.php in jCore b ...) NOT-FOR-US: jCore CVE-2012-4230 (The bbcode plugin in TinyMCE 3.5.8 does not properly enforce the TinyM ...) - tinymce (low; bug #796117) [buster] - tinymce (Minor issue) [stretch] - tinymce (Minor issue) [jessie] - tinymce (Minor issue) [squeeze] - tinymce (Minor issue) [wheezy] - tinymce (Minor issue) CVE-2012-4229 RESERVED CVE-2012-4228 RESERVED CVE-2012-4227 RESERVED CVE-2012-4226 (Multiple cross-site scripting (XSS) vulnerabilities in Quick Post Widg ...) NOT-FOR-US: WordPress plugin Quick Post Widget CVE-2012-4225 (NVIDIA UNIX graphics driver before 295.71 and before 304.32 allows loc ...) - nvidia-graphics-drivers 304.37-1 (bug #684781) - nvidia-graphics-drivers-legacy-173xx 173.14.35-3 [squeeze] - nvidia-graphics-drivers 195.36.31-6squeeze2 [squeeze] - nvidia-graphics-drivers-legacy-173xx (Non-free not supported) NOTE: http://seclists.org/fulldisclosure/2012/Aug/4 NOTE: http://nvidia.custhelp.com/app/answers/detail/a_id/3140 CVE-2012-4224 REJECTED CVE-2012-4223 REJECTED CVE-2012-4222 (drivers/gpu/msm/kgsl.c in the Qualcomm Innovation Center (QuIC) Graphi ...) - linux (Android-specific drivers) - linux-2.6 (Android-specific drivers) CVE-2012-4221 (Integer overflow in diagchar_core.c in the Qualcomm Innovation Center ...) - linux (Android-specific drivers) - linux-2.6 (Android-specific drivers) CVE-2012-4220 (diagchar_core.c in the Qualcomm Innovation Center (QuIC) Diagnostics ( ...) - linux (Android-specific drivers) - linux-2.6 (Android-specific drivers) CVE-2012-4219 (show_config_errors.php in phpMyAdmin 3.5.x before 3.5.2.1 allows remot ...) - phpmyadmin 4:4.0.1-1 (unimportant) NOTE: Path disclosure irrelevant in Debian CVE-2012-4218 (Use-after-free vulnerability in the BuildTextRunsScanner::BreakSink::S ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2012-4217 (Use-after-free vulnerability in the nsViewManager::ProcessPendingUpdat ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2012-4216 (Use-after-free vulnerability in the gfxFont::GetFontEntry function in ...) {DSA-2588-1 DSA-2584-1 DSA-2583-1} - iceweasel 10.0.11esr-1 - icedove 10.0.11-1 - iceape 2.7.11-1 CVE-2012-4215 (Use-after-free vulnerability in the nsPlaintextEditor::FireClipboardEv ...) - iceweasel 10.0.11esr-1 - icedove 10.0.11-1 - iceape 2.7.11-1 [squeeze] - iceweasel (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceape (Vulnerable code not present) CVE-2012-4214 (Use-after-free vulnerability in the nsTextEditorState::PrepareEditor f ...) - iceweasel 10.0.11esr-1 - icedove 10.0.11-1 - iceape 2.7.11-1 [squeeze] - iceweasel (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceape (Vulnerable code not present) CVE-2012-4213 (Use-after-free vulnerability in the nsEditor::FindNextLeafNode functio ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2012-4212 (Use-after-free vulnerability in the XPCWrappedNative::Mark function in ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2012-4211 REJECTED CVE-2012-4210 (The Style Inspector in Mozilla Firefox before 17.0 and Firefox ESR 10. ...) - iceweasel 10.0.11esr-1 [squeeze] - iceweasel (Vulnerable code not present) CVE-2012-4209 (Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderb ...) - iceweasel 10.0.11esr-1 - icedove 10.0.11-1 - iceape 2.7.11-1 [squeeze] - iceweasel (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceape (Vulnerable code not present) CVE-2012-4208 (The XrayWrapper implementation in Mozilla Firefox before 17.0, Thunder ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2012-4207 (The HZ-GB-2312 character-set implementation in Mozilla Firefox before ...) {DSA-2588-1 DSA-2584-1 DSA-2583-1} - iceweasel 10.0.11esr-1 - icedove 10.0.11-1 - iceape 2.7.11-1 CVE-2012-4206 (Untrusted search path vulnerability in the installer in Mozilla Firefo ...) - iceweasel (Windows-specific) CVE-2012-4205 (Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey be ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2012-4204 (The str_unescape function in the JavaScript engine in Mozilla Firefox ...) - iceape (Doesn't affect the ESR series, only releases from experimental) - iceweasel (Doesn't affect the ESR series, only releases from experimental) - icedove (Doesn't affect the ESR series, only releases from experimental) CVE-2012-4203 (The New Tab page in Mozilla Firefox before 17.0 uses a privileged cont ...) - iceweasel (Doesn't affect the ESR series, only releases from experimental) CVE-2012-4202 (Heap-based buffer overflow in the image::RasterImage::DrawFrameTo func ...) - iceweasel 10.0.11esr-1 - icedove 10.0.11-1 - iceape 2.7.11-1 [squeeze] - iceweasel (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceape (Vulnerable code not present) CVE-2012-4201 (The evalInSandbox implementation in Mozilla Firefox before 17.0, Firef ...) {DSA-2588-1 DSA-2584-1 DSA-2583-1} - iceweasel 10.0.11esr-1 - icedove 10.0.11-1 - iceape 2.7.11-1 CVE-2012-4200 RESERVED CVE-2012-4199 (template/en/default/bug/field-events.js.tmpl in Bugzilla 3.x before 3. ...) - bugzilla (low) [squeeze] - bugzilla (Minor issue) - bugzilla4 (bug #669643) CVE-2012-4198 (The User.get method in Bugzilla/WebService/User.pm in Bugzilla 3.7.x a ...) - bugzilla (Only affects 3.7 onwards) - bugzilla4 (bug #669643) CVE-2012-4197 (Bugzilla/Attachment.pm in attachment.cgi in Bugzilla 2.x and 3.x befor ...) - bugzilla (low) [squeeze] - bugzilla (Minor issue) - bugzilla4 (bug #669643) CVE-2012-4196 (Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunde ...) - iceweasel 10.0.10esr-1 - icedove 10.0.10-1 - iceape 2.7.10-1 [squeeze] - iceape (vulnerable code not present) [squeeze] - iceweasel (vulnerable code not present) [squeeze] - icedove (vulnerable code not present) CVE-2012-4195 (The nsLocation::CheckURL function in Mozilla Firefox before 16.0.2, Fi ...) - iceape (Only affects 16.x release from experimental) - iceweasel (Only affects 16.x release from experimental) - icedove (Only affects 16.x release from experimental) CVE-2012-4194 (Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunde ...) - iceape 2.7.10-1 - icedove 10.0.10-1 - iceweasel 10.0.10esr-1 [squeeze] - iceape (vulnerable code not present) [squeeze] - iceweasel (vulnerable code not present) [squeeze] - icedove (vulnerable code not present) CVE-2012-4193 (Mozilla Firefox before 16.0.1, Firefox ESR 10.x before 10.0.9, Thunder ...) - iceweasel 10.0.9esr-1 - icedove 10.0.9-1 - iceape 2.7.9-1 [squeeze] - iceape (vulnerable code not present) [squeeze] - iceweasel (vulnerable code not present) [squeeze] - icedove (vulnerable code not present) CVE-2012-4192 (Mozilla Firefox 16.0, Thunderbird 16.0, and SeaMonkey 2.13 allow remot ...) - iceweasel 10.0.9esr-1 - icedove 10.0.9-1 - iceape 2.7.9-1 [squeeze] - iceape (Regression not present in Squeeze) [squeeze] - iceweasel (Regression not present in Squeeze) [squeeze] - icedove (Regression not present in Squeeze) CVE-2012-4191 (The mozilla::net::FailDelayManager::Lookup function in the WebSockets ...) - iceweasel (Doesn't affect ESR series) CVE-2012-4190 (The FT2FontEntry::CreateFontEntry function in FreeType, as used in the ...) - iceweasel (Only affects Firefox Mobile) CVE-2012-4189 (Cross-site scripting (XSS) vulnerability in Bugzilla 4.1.x and 4.2.x b ...) - bugzilla (Only affects 4.1 onwards) - bugzilla4 (bug #669643) CVE-2012-4188 (Heap-based buffer overflow in the Convolve3x3 function in Mozilla Fire ...) {DSA-2572-1 DSA-2569-1 DSA-2565-1} - iceweasel 10.0.8esr-1 - icedove 10.0.9-1 - iceape 2.7.9-1 CVE-2012-4187 (Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi ...) - iceweasel 10.0.8esr-1 - icedove 10.0.9-1 - iceape 2.7.9-1 [squeeze] - iceape (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceweasel (Vulnerable code not present) CVE-2012-4186 (Heap-based buffer overflow in the nsWaveReader::DecodeAudioData functi ...) {DSA-2572-1 DSA-2569-1 DSA-2565-1} - iceweasel 10.0.8esr-1 - icedove 10.0.9-1 - iceape 2.7.9-1 CVE-2012-4185 (Buffer overflow in the nsCharTraits::length function in Mozilla Firefo ...) - iceweasel 10.0.8esr-1 - icedove 10.0.9-1 - iceape 2.7.9-1 [squeeze] - iceape (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceweasel (Vulnerable code not present) CVE-2012-4184 (The Chrome Object Wrapper (COW) implementation in Mozilla Firefox befo ...) - iceweasel 10.0.8esr-1 - icedove 10.0.9-1 - iceape 2.7.9-1 [squeeze] - iceape (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceweasel (Vulnerable code not present) CVE-2012-4183 (Use-after-free vulnerability in the DOMSVGTests::GetRequiredFeatures f ...) - iceweasel 10.0.8esr-1 - icedove 10.0.9-1 - iceape 2.7.9-1 [squeeze] - iceape (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceweasel (Vulnerable code not present) CVE-2012-4182 (Use-after-free vulnerability in the nsTextEditRules::WillInsert functi ...) {DSA-2572-1 DSA-2569-1 DSA-2565-1} - iceweasel 10.0.8esr-1 - icedove 10.0.9-1 - iceape 2.7.9-1 CVE-2012-4181 (Use-after-free vulnerability in the nsSMILAnimationController::DoSampl ...) - iceweasel 10.0.8esr-1 - icedove 10.0.9-1 - iceape 2.7.9-1 [squeeze] - iceape (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceweasel (Vulnerable code not present) CVE-2012-4180 (Heap-based buffer overflow in the nsHTMLEditor::IsPrevCharInNodeWhites ...) {DSA-2572-1 DSA-2569-1 DSA-2565-1} - iceweasel 10.0.8esr-1 - icedove 10.0.9-1 - iceape 2.7.9-1 CVE-2012-4179 (Use-after-free vulnerability in the nsHTMLCSSUtils::CreateCSSPropertyT ...) {DSA-2572-1 DSA-2569-1 DSA-2565-1} - iceweasel 10.0.8esr-1 - icedove 10.0.9-1 - iceape 2.7.9-1 CVE-2012-4178 (SQL injection vulnerability in spywall/includes/deptUploads_data.php i ...) NOT-FOR-US: Symantec Web Gateway CVE-2012-4177 (The web browser plugin for Ubisoft Uplay PC before 2.0.4 allows remote ...) NOT-FOR-US: Ubisoft Uplay PC CVE-2012-4176 (Array index error in Adobe Shockwave Player before 11.6.8.638 allows a ...) NOT-FOR-US: Adobe Shockwave CVE-2012-4175 (Buffer overflow in Adobe Shockwave Player before 11.6.8.638 allows att ...) NOT-FOR-US: Adobe Shockwave CVE-2012-4174 (Buffer overflow in Adobe Shockwave Player before 11.6.8.638 allows att ...) NOT-FOR-US: Adobe Shockwave CVE-2012-4173 (Buffer overflow in Adobe Shockwave Player before 11.6.8.638 allows att ...) NOT-FOR-US: Adobe Shockwave CVE-2012-4172 (Buffer overflow in Adobe Shockwave Player before 11.6.8.638 allows att ...) NOT-FOR-US: Adobe Shockwave CVE-2012-4171 (Adobe Flash Player before 10.3.183.23 and 11.x before 11.4.402.265 on ...) NOT-FOR-US: Adobe Flash Player CVE-2012-4170 (Buffer overflow in Adobe Photoshop CS6 13.x before 13.0.1 allows remot ...) NOT-FOR-US: Adobe Photoshop CS6 CVE-2012-4169 REJECTED CVE-2012-4168 (Adobe Flash Player before 10.3.183.23 and 11.x before 11.4.402.265 on ...) NOT-FOR-US: Adobe Flash Player CVE-2012-4167 (Integer overflow in Adobe Flash Player before 10.3.183.23 and 11.x bef ...) NOT-FOR-US: Adobe Flash Player CVE-2012-4166 REJECTED CVE-2012-4165 (Adobe Flash Player before 10.3.183.23 and 11.x before 11.4.402.265 on ...) NOT-FOR-US: Adobe Flash Player CVE-2012-4164 (Adobe Flash Player before 10.3.183.23 and 11.x before 11.4.402.265 on ...) NOT-FOR-US: Adobe Flash Player CVE-2012-4163 (Adobe Flash Player before 10.3.183.23 and 11.x before 11.4.402.265 on ...) NOT-FOR-US: Adobe Flash Player CVE-2012-4162 (Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Ma ...) NOT-FOR-US: Adobe Reader CVE-2012-4161 (Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Ma ...) NOT-FOR-US: Adobe Reader CVE-2012-4160 (Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Wi ...) NOT-FOR-US: Adobe Reader CVE-2012-4159 (Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Wi ...) NOT-FOR-US: Adobe Reader CVE-2012-4158 (Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Wi ...) NOT-FOR-US: Adobe Reader CVE-2012-4157 (Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Wi ...) NOT-FOR-US: Adobe Reader CVE-2012-4156 (Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Wi ...) NOT-FOR-US: Adobe Reader CVE-2012-4155 (Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Wi ...) NOT-FOR-US: Adobe Reader CVE-2012-4154 (Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Wi ...) NOT-FOR-US: Adobe Reader CVE-2012-4153 (Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Wi ...) NOT-FOR-US: Adobe Reader CVE-2012-4152 (Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Wi ...) NOT-FOR-US: Adobe Reader CVE-2012-4151 (Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Wi ...) NOT-FOR-US: Adobe Reader CVE-2012-4150 (Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Wi ...) NOT-FOR-US: Adobe Reader CVE-2012-4149 (Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Wi ...) NOT-FOR-US: Adobe Reader CVE-2012-4148 (Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Wi ...) NOT-FOR-US: Adobe Reader CVE-2012-4147 (Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Wi ...) NOT-FOR-US: Adobe Reader CVE-2011-5098 (chef-server-api/app/controllers/clients.rb in Chef Server in Chef befo ...) - chef 0.10.10-1 CVE-2011-5097 (chef-server-api/app/controllers/cookbooks.rb in Chef Server in Chef be ...) - chef 0.10.10-1 CVE-2010-5142 (chef-server-api/app/controllers/users.rb in the API in Chef before 0.9 ...) - chef 0.10.10-1 CVE-2012-4146 (Opera before 12.01 allows remote attackers to cause a denial of servic ...) NOT-FOR-US: Opera CVE-2012-4145 (Unspecified vulnerability in Opera before 12.01 on Windows and UNIX, a ...) NOT-FOR-US: Opera CVE-2012-4144 (Opera before 12.01 on Windows and UNIX, and before 11.66 and 12.x befo ...) NOT-FOR-US: Opera CVE-2012-4143 (Opera before 12.01 on Windows and UNIX, and before 11.66 and 12.x befo ...) NOT-FOR-US: Opera CVE-2012-4142 (Opera before 12.01 on Windows and UNIX, and before 11.66 and 12.x befo ...) NOT-FOR-US: Opera CVE-2012-XXXX [redeclipse code execution through map files] - redeclipse 1.2-3 (bug #684143) CVE-2012-XXXX [base name disclosure] - spip 2.1.17-1 (bug #683667) [squeeze] - spip 2.1.1-3squeeze5 CVE-2012-XXXX [insecure default configuration / authentication bypass] - munin 2.0.5-1 (bug #682869) [squeeze] - munin (Minor issue) CVE-2012-4141 (Directory traversal vulnerability in the CLI parser in Cisco NX-OS all ...) NOT-FOR-US: Cisco CVE-2012-4140 REJECTED CVE-2012-4139 REJECTED CVE-2012-4138 REJECTED CVE-2012-4137 REJECTED CVE-2012-4136 (The high-availability service in the Fabric Interconnect component in ...) NOT-FOR-US: Cisco CVE-2012-4135 (Directory traversal vulnerability in filesys in Cisco NX-OS 6.1(2) and ...) NOT-FOR-US: Cisco CVE-2012-4134 REJECTED CVE-2012-4133 REJECTED CVE-2012-4132 REJECTED CVE-2012-4131 (Directory traversal vulnerability in tar in Cisco NX-OS allows local u ...) NOT-FOR-US: Cisco CVE-2012-4130 REJECTED CVE-2012-4129 REJECTED CVE-2012-4128 REJECTED CVE-2012-4127 REJECTED CVE-2012-4126 REJECTED CVE-2012-4125 REJECTED CVE-2012-4124 REJECTED CVE-2012-4123 REJECTED CVE-2012-4122 (The CLI parser in Cisco NX-OS allows local users to bypass intended ac ...) NOT-FOR-US: Cisco CVE-2012-4121 (Cisco NX-OS allows local users to gain privileges, and read or modify ...) NOT-FOR-US: Cisco CVE-2012-4120 REJECTED CVE-2012-4119 REJECTED CVE-2012-4118 REJECTED CVE-2012-4117 (The fabric-interconnect component in Cisco Unified Computing System (U ...) NOT-FOR-US: Cisco CVE-2012-4116 (The fabric-interconnect component in Cisco Unified Computing System (U ...) NOT-FOR-US: Cisco CVE-2012-4115 (The fabric-interconnect component in Cisco Unified Computing System (U ...) NOT-FOR-US: Cisco CVE-2012-4114 (The fabric-interconnect KVM module in Cisco Unified Computing System ( ...) NOT-FOR-US: Cisco CVE-2012-4113 (The fabric-interconnect component in Cisco Unified Computing System (U ...) NOT-FOR-US: Cisco CVE-2012-4112 (The Baseboard Management Controller (BMC) in Cisco Unified Computing S ...) NOT-FOR-US: Cisco CVE-2012-4111 (The create certreq command in the fabric-interconnect component in Cis ...) NOT-FOR-US: Cisco CVE-2012-4110 (run-script in the fabric-interconnect component in Cisco Unified Compu ...) NOT-FOR-US: Cisco CVE-2012-4109 (The clear sshkey command in the fabric-interconnect component in Cisco ...) NOT-FOR-US: Cisco CVE-2012-4108 (The fabric-interconnect component in Cisco Unified Computing System (U ...) NOT-FOR-US: Cisco Unified Computing System CVE-2012-4107 (The fabric-interconnect component in Cisco Unified Computing System (U ...) NOT-FOR-US: Cisco Unified Computing System CVE-2012-4106 (The fabric-interconnect component in Cisco Unified Computing System (U ...) NOT-FOR-US: Cisco Unified Computing System CVE-2012-4105 (The fabric-interconnect component in Cisco Unified Computing System (U ...) NOT-FOR-US: Cisco Unified Computing System CVE-2012-4104 (Absolute path traversal vulnerability in the image-download process in ...) NOT-FOR-US: Cisco CVE-2012-4103 (ethanalyzer in the fabric-interconnect component in Cisco Unified Comp ...) NOT-FOR-US: Cisco CVE-2012-4102 (The activate firmware command in the fabric-interconnect component in ...) NOT-FOR-US: Cisco CVE-2012-4101 REJECTED CVE-2012-4100 REJECTED CVE-2012-4099 (The BGP implementation in Cisco NX-OS does not properly filter AS path ...) NOT-FOR-US: Cisco CVE-2012-4098 (The BGP implementation in Cisco NX-OS does not properly filter AS path ...) NOT-FOR-US: Cisco CVE-2012-4097 (The BGP implementation in Cisco NX-OS does not properly filter segment ...) NOT-FOR-US: Cisco CVE-2012-4096 (The local file editor in the Baseboard Management Controller (BMC) in ...) NOT-FOR-US: Cisco CVE-2012-4095 (The local file editor in the fabric-interconnect component in Cisco Un ...) NOT-FOR-US: Cisco CVE-2012-4094 (Buffer overflow in the Smart Call Home feature in the fabric interconn ...) NOT-FOR-US: Cisco Unified Computing System CVE-2012-4093 (The Manager component in Cisco Unified Computing System (UCS) allows l ...) NOT-FOR-US: Cisco Unified Computing System CVE-2012-4092 (The management interface in the Central Software component in Cisco Un ...) NOT-FOR-US: Cisco Unified Computing System CVE-2012-4091 (The RIP service engine in Cisco NX-OS allows remote attackers to cause ...) NOT-FOR-US: Cisco CVE-2012-4090 (The management interface in Cisco NX-OS on Nexus 7000 devices allows r ...) NOT-FOR-US: Cisco CVE-2012-4089 (MCTOOLS in the fabric interconnect in Cisco Unified Computing System ( ...) NOT-FOR-US: Cisco Unified Computing System CVE-2012-4088 (The FTP server in Cisco Unified Computing System (UCS) has a hardcoded ...) NOT-FOR-US: Cisco Unified Computing System CVE-2012-4087 (A cluster setup script for fabric interconnect devices in Cisco Unifie ...) NOT-FOR-US: Cisco Unified Computing System CVE-2012-4086 (A setup script for fabric interconnect devices in Cisco Unified Comput ...) NOT-FOR-US: Cisco Unified Computing System CVE-2012-4085 (The Intelligent Platform Management Interface (IPMI) implementation in ...) NOT-FOR-US: Cisco Unified Computing System CVE-2012-4084 (Cross-site request forgery (CSRF) vulnerability in the web-management ...) NOT-FOR-US: Cisco CVE-2012-4083 (Multiple buffer overflows in the administrative web interface in Cisco ...) NOT-FOR-US: Cisco Unified Computing System CVE-2012-4082 (MCTools in the Cisco Management Controller in Cisco Unified Computing ...) NOT-FOR-US: Cisco CVE-2012-4081 (MCServer in the Cisco Management Controller in Cisco Unified Computing ...) NOT-FOR-US: Cisco CVE-2012-4080 REJECTED CVE-2012-4079 (The XML API service in the Fabric Interconnect component in Cisco Unif ...) NOT-FOR-US: Cisco Unified Computing System CVE-2012-4078 (The Baseboard Management Controller (BMC) in Cisco Unified Computing S ...) NOT-FOR-US: Cisco Unified Computing System CVE-2012-4077 (Cisco NX-OS allows local users to gain privileges and execute arbitrar ...) NOT-FOR-US: Cisco CVE-2012-4076 (Cisco NX-OS allows local users to gain privileges and execute arbitrar ...) NOT-FOR-US: Cisco NX-OS CVE-2012-4075 (Cisco NX-OS allows local users to gain privileges and execute arbitrar ...) NOT-FOR-US: Cisco CVE-2012-4074 (The Board Management Controller (BMC) in the Serial over LAN (SoL) sub ...) NOT-FOR-US: Cisco Unified Computing System CVE-2012-4073 (The KVM subsystem in the client in Cisco Unified Computing System (UCS ...) NOT-FOR-US: Cisco Unified Computing System CVE-2012-4072 (The KVM subsystem in Cisco Unified Computing System (UCS) relies on a ...) NOT-FOR-US: Cisco Unified Computing System CVE-2012-4071 (Cross-site scripting (XSS) vulnerability in the comments module in the ...) NOT-FOR-US: Joomla addon CVE-2012-4070 (SQL injection vulnerability in system/src/dispatcher.php in Dir2web 3. ...) NOT-FOR-US: Dir2Web CVE-2012-4069 (Dir2web 3.0 stores sensitive information under the web root with insuf ...) NOT-FOR-US: Dir2Web CVE-2012-4068 (Heap-based buffer overflow in the SoapServer service in Citrix Provisi ...) NOT-FOR-US: Citrix CVE-2012-4067 (Walrus in Eucalyptus before 3.2.2 allows remote attackers to cause a d ...) - eucalyptus (bug #707592) NOTE: https://github.com/eucalyptus/eucalyptus/commit/e958e60 NOTE: https://eucalyptus.atlassian.net/browse/EUCA-5277 CVE-2012-4066 (The internal message protocol for Walrus in Eucalyptus 3.2.0 and earli ...) - eucalyptus (bug #702388) CVE-2012-4065 (Eucalyptus before 3.1.1 does not properly restrict the binding of exte ...) - eucalyptus 3.1.0-9 (bug #689599) CVE-2012-4064 (Eucalyptus before 3.1.1 does not properly restrict the binding of exte ...) - eucalyptus 3.1.0-9 (bug #689599) CVE-2012-4063 (The Apache Santuario configuration in Eucalyptus before 3.1.1 does not ...) - eucalyptus 3.1.0-9 (bug #689599) CVE-2012-4062 RESERVED CVE-2012-4061 (Multiple SQL injection vulnerabilities in ASP-DEv XM Diary allow remot ...) NOT-FOR-US: ASP-DEv XM Diary CVE-2012-4060 (Multiple SQL injection vulnerabilities in ASP-DEv XM Forums RC3 allow ...) NOT-FOR-US: ASP-DEv XM Diary CVE-2012-4059 (Cross-site request forgery (CSRF) vulnerability in home/secretqtn.php ...) NOT-FOR-US: Socketmail not in Debian CVE-2012-4058 (Cross-site scripting (XSS) vulnerability in SocketMail Pro 2.2.9 allow ...) NOT-FOR-US: Socketmail not in Debian CVE-2012-4057 (Buffer overflow in the Player in Remote-Anything 5.60.15 allows remote ...) NOT-FOR-US: Remote-Anything not in Debian CVE-2012-4056 (SQL injection vulnerability in index2.php in Uiga Personal Portal allo ...) NOT-FOR-US: Uiga personal portal CVE-2012-4055 (SQL injection vulnerability in index2.php in Uiga Fan Club allows remo ...) NOT-FOR-US: Uiga Fan Club CVE-2012-4054 (Buffer overflow in the readfile function in CPE17 Autorun Killer 1.7.1 ...) NOT-FOR-US: CPE17 Autorun Killer not in Debian CVE-2012-4053 (Cross-site request forgery (CSRF) vulnerability in eZOE flash player i ...) NOT-FOR-US: eZOE flash player not in Debian CVE-2012-4052 (Multiple cross-site scripting (XSS) vulnerabilities in Jease before 2. ...) NOT-FOR-US: Jease CVE-2012-4051 (Multiple cross-site request forgery (CSRF) vulnerabilities in editAcco ...) NOT-FOR-US: JAMF Casper suite CVE-2007-6754 (The ipalloc function in libc/stdlib/malloc.c in jemalloc in libc for F ...) NOT-FOR-US: NetBSD/FreeBSD libc CVE-2006-7252 (Integer overflow in the calloc function in libc/stdlib/malloc.c in jem ...) NOT-FOR-US: NetBSD/FreeBSD libc CVE-2005-4895 (Multiple integer overflows in TCMalloc (tcmalloc.cc) in gperftools bef ...) - google-perftools 0.7-1 CVE-2012-4047 RESERVED CVE-2012-4046 (The D-Link DCS-932L camera with firmware 1.02 allows remote attackers ...) NOT-FOR-US: D-Link DCS-932L camera CVE-2012-4045 (Multiple heap-based buffer overflows in bmp.w5s in Winamp before 5.63 ...) NOT-FOR-US: Winamp CVE-2012-4044 RESERVED CVE-2012-4043 (Cross-site scripting (XSS) vulnerability in global-protect/login.esp i ...) NOT-FOR-US: Palo Alto Networks software CVE-2012-4042 RESERVED CVE-2012-4041 RESERVED CVE-2012-4040 RESERVED CVE-2012-4039 RESERVED CVE-2012-4038 RESERVED CVE-2012-4037 (Multiple cross-site scripting (XSS) vulnerabilities in the web client ...) - transmission 2.52-3 (bug #683380) [squeeze] - transmission (Version in Stable not affected) CVE-2012-4036 (Unrestricted file upload vulnerability in admin.php in PBBoard 2.1.4 a ...) NOT-FOR-US: PBBoard CVE-2012-4035 (The new_password page in PBBoard 2.1.4 allows remote attackers to chan ...) NOT-FOR-US: PBBoard CVE-2012-4034 (Multiple SQL injection vulnerabilities in PBBoard 2.1.4 allow remote a ...) NOT-FOR-US: PBBoard CVE-2012-4050 (Multiple unspecified vulnerabilities in Google Chrome OS before 21.0.1 ...) NOT-FOR-US: Google Chrome OS CVE-2012-4049 (epan/dissectors/packet-nfs.c in the NFS dissector in Wireshark 1.4.x b ...) - wireshark 1.8.2-1 [squeeze] - wireshark (Vulnerable code not present) NOTE: http://www.wireshark.org/security/wnpa-sec-2012-12.html NOTE: http://www.openwall.com/lists/oss-security/2012/07/24/1 NOTE: http://www.openwall.com/lists/oss-security/2012/07/24/2 CVE-2012-4048 (The PPP dissector in Wireshark 1.4.x before 1.4.14, 1.6.x before 1.6.9 ...) {DSA-2590-1} - wireshark 1.8.2-1 (bug #680056) NOTE: http://www.wireshark.org/security/wnpa-sec-2012-11.html NOTE: http://www.openwall.com/lists/oss-security/2012/07/24/1 NOTE: http://www.openwall.com/lists/oss-security/2012/07/24/2 CVE-2012-4033 (Multiple unspecified vulnerabilities in the Zingiri Web Shop plugin be ...) NOT-FOR-US: Zingiri not in Debian CVE-2012-4032 (Open redirect vulnerability in the login page in WebsitePanel before 1 ...) NOT-FOR-US: WebsitePanel not in Debian CVE-2012-4031 (Multiple directory traversal vulnerabilities in src/acloglogin.php in ...) NOT-FOR-US: Wangkongbao not in Debian CVE-2012-4030 (Chamilo before 1.8.8.6 does not adequately handle user supplied input ...) NOT-FOR-US: Chamilo LMS CVE-2012-4029 (Cross-site scripting (XSS) vulnerability in main/dropbox/index.php in ...) NOT-FOR-US: Chamilo LMS CVE-2012-4028 (Tridium Niagara AX Framework does not properly store credential data, ...) NOT-FOR-US: Tridium Niagara AX Framework CVE-2012-4027 (Directory traversal vulnerability in Tridium Niagara AX Framework allo ...) NOT-FOR-US: Tridium Niagara AX Framework CVE-2012-4026 (The Johnson Controls Pegasys P2000 server with software before 3.11 al ...) NOT-FOR-US: The Johnson Controls Pegasys P2000 CVE-2012-4025 (Integer overflow in the queue_init function in unsquashfs.c in unsquas ...) - squashfs-tools 1:4.2+20121212-1 (low; bug #683371) [squeeze] - squashfs-tools (Minor issue) [wheezy] - squashfs-tools (Minor issue) CVE-2012-4024 (Stack-based buffer overflow in the get_component function in unsquashf ...) - squashfs-tools 1:4.2+20121212-1 (low; bug #683371) [squeeze] - squashfs-tools (Minor issue) [wheezy] - squashfs-tools (Minor issue) CVE-2012-4023 (CRLF injection vulnerability in Pebble before 2.6.4 allows remote atta ...) NOT-FOR-US: Pebble blog CVE-2012-4022 (Pebble before 2.6.4 allows remote attackers to trigger loss of blog-en ...) NOT-FOR-US: Pebble blog CVE-2012-4021 (MosP kintai kanri before 4.1.0 does not properly perform authenticatio ...) NOT-FOR-US: MosP kintai kanri CVE-2012-4020 (MosP kintai kanri before 4.1.0 does not enforce privilege requirements ...) NOT-FOR-US: MosP kintai kanri CVE-2012-4019 (Cross-site scripting (XSS) vulnerability in tokyo_bbs.cgi in Come on G ...) NOT-FOR-US: Come on Girls Interface (CGI) Tokyo BBS CVE-2012-4018 (Cross-site scripting (XSS) vulnerability in Final Beta Laboratory MyWe ...) NOT-FOR-US: Final Beta Laboratory MyWebSearch CVE-2012-4017 (The jigbrowser+ application before 1.5.0 for Android does not properly ...) NOT-FOR-US: Android application CVE-2012-4016 (The ATOK application before 1.0.4 for Android allows remote attackers ...) NOT-FOR-US: Android application CVE-2012-4015 (Cross-site scripting (XSS) vulnerability in the management screen in m ...) NOT-FOR-US: My Little tool / My little admin SQL server 2000 CVE-2012-4014 (Unspecified vulnerability in McAfee Email Anti-virus (formerly WebShie ...) NOT-FOR-US: McAfee Email Anti-virus CVE-2012-4013 (The WebView class in the Cybozu KUNAI Browser for Remote Service appli ...) NOT-FOR-US: Cybozu KUNAI Browser CVE-2012-4012 (The WebView class in the Cybozu KUNAI application before 2.0.6 for And ...) NOT-FOR-US: Cybozu KUNAI CVE-2012-4011 (The Cybozu KUNAI application before 2.0.6 for Android allows remote at ...) NOT-FOR-US: Cybozu KUNAI CVE-2012-4010 (Opera before 11.60 allows remote attackers to spoof the address bar vi ...) NOT-FOR-US: Opera CVE-2012-4009 (The WebView class in the Cybozu Live application 1.0.4 and earlier for ...) NOT-FOR-US: Cybozu Live CVE-2012-4008 (The Cybozu Live application 1.0.4 and earlier for Android allows remot ...) NOT-FOR-US: Cybozu Live CVE-2012-4007 (The mixi application before 4.3.0 for Android allows remote attackers ...) NOT-FOR-US: mixi application for Android CVE-2012-4006 (The GREE application before 1.4.0, GREE Tanken Dorirando application b ...) NOT-FOR-US: GREE application for Android CVE-2012-4005 (The NHN Japan NAVER LINE application before 2.5.5 for Android does not ...) NOT-FOR-US: NHN Japan NAVER LINE CVE-2012-4004 (Cross-site scripting (XSS) vulnerability in the Sleipnir Mobile applic ...) NOT-FOR-US: Sleipnir Mobile CVE-2012-4003 (Multiple cross-site scripting (XSS) vulnerabilities in GLPI-PROJECT GL ...) - glpi 0.83.31-1 (unimportant) NOTE: Only supported behind an authenticated HTTP zone NOTE: https://forge.indepnet.net/projects/glpi/versions/771 NOTE: http://www.openwall.com/lists/oss-security/2012/07/13/1 CVE-2012-4002 (Cross-site request forgery (CSRF) vulnerability in GLPI-PROJECT GLPI b ...) - glpi 0.83.31-1 (unimportant) NOTE: Only supported behind an authenticated HTTP zone NOTE: https://forge.indepnet.net/projects/glpi/versions/771 NOTE: http://www.openwall.com/lists/oss-security/2012/07/13/1 CVE-2012-4001 (The mod_pagespeed module before 0.10.22.6 for the Apache HTTP Server d ...) NOT-FOR-US: mod_pagespeed CVE-2012-4000 (Cross-site scripting (XSS) vulnerability in the print_textinputs_var f ...) {DSA-2522-1} - fckeditor 1:2.6.6-3 (bug #683418) NOTE: http://disse.cting.org/2012/06/22/fckeditor-reflected-xss-vulnerability/ CVE-2012-3999 (Cross-site scripting (XSS) vulnerability in admin/login.php in Sticky ...) NOT-FOR-US: Sticky Notes CVE-2012-3998 (Multiple SQL injection vulnerabilities in Sticky Notes before 0.2.2705 ...) NOT-FOR-US: Sticky Notes CVE-2012-3997 (Multiple cross-site scripting (XSS) vulnerabilities in Sticky Notes be ...) NOT-FOR-US: Sticky Notes CVE-2012-3996 (TikiWiki CMS/Groupware 8.3 and earlier allows remote attackers to obta ...) - tikiwiki CVE-2012-3995 (The IsCSSWordSpacingSpace function in Mozilla Firefox before 16.0, Fir ...) - iceweasel 10.0.8esr-1 - icedove 10.0.9-1 - iceape 2.7.9-1 [squeeze] - iceape (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceweasel (Vulnerable code not present) CVE-2012-3994 (Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi ...) - iceweasel 10.0.8esr-1 - icedove 10.0.9-1 - iceape 2.7.9-1 [squeeze] - iceape (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceweasel (Vulnerable code not present) CVE-2012-3993 (The Chrome Object Wrapper (COW) implementation in Mozilla Firefox befo ...) - iceweasel 10.0.8esr-1 - icedove 10.0.9-1 - iceape 2.7.9-1 [squeeze] - iceape (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceweasel (Vulnerable code not present) CVE-2012-3992 (Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi ...) - iceweasel 10.0.8esr-1 - icedove 10.0.9-1 - iceape 2.7.9-1 [squeeze] - iceape (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceweasel (Vulnerable code not present) CVE-2012-3991 (Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi ...) {DSA-2572-1 DSA-2569-1 DSA-2565-1} - iceweasel 10.0.8esr-1 - icedove 10.0.9-1 - iceape 2.7.9-1 CVE-2012-3990 (Use-after-free vulnerability in the IME State Manager implementation i ...) {DSA-2572-1 DSA-2569-1 DSA-2565-1} - iceweasel 10.0.8esr-1 - icedove 10.0.9-1 - iceape 2.7.9-1 CVE-2012-3989 (Mozilla Firefox before 16.0, Thunderbird before 16.0, and SeaMonkey be ...) - iceweasel (Only affects Firefox >= 10) - icedove (Only affects Firefox >= 10) - iceape (Only affects Firefox >= 10) CVE-2012-3988 (Use-after-free vulnerability in Mozilla Firefox before 16.0, Firefox E ...) - iceweasel 10.0.8esr-1 - icedove 10.0.9-1 - iceape 2.7.9-1 [squeeze] - iceape (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceweasel (Vulnerable code not present) CVE-2012-3987 (Mozilla Firefox before 16.0 on Android assigns chrome privileges to Re ...) - iceweasel (Android-specific) CVE-2012-3986 (Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi ...) {DSA-2572-1 DSA-2569-1 DSA-2565-1} - iceweasel 10.0.8esr-1 - icedove 10.0.9-1 - iceape 2.7.9-1 CVE-2012-3985 (Mozilla Firefox before 16.0, Thunderbird before 16.0, and SeaMonkey be ...) - iceweasel (Only affects Firefox >= 10) - icedove (Only affects Firefox >= 10) - iceape (Only affects Firefox >= 10) CVE-2012-3984 (Mozilla Firefox before 16.0, Thunderbird before 16.0, and SeaMonkey be ...) - iceweasel (Only affects Firefox >= 10) - icedove (Only affects Firefox >= 10) - iceape (Only affects Firefox >= 10) CVE-2012-3983 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel (Only affects Firefox >= 10) - icedove (Only affects Firefox >= 10) - iceape (Only affects Firefox >= 10) CVE-2012-3982 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2572-1 DSA-2569-1 DSA-2565-1} - iceweasel 10.0.8esr-1 - icedove 10.0.9-1 - iceape 2.7.9-1 [squeeze] - iceape (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceweasel (Vulnerable code not present) CVE-2012-4747 (Bugzilla 2.x and 3.x through 3.6.11, 3.7.x and 4.0.x before 4.0.8, 4.1 ...) - bugzilla (low) [squeeze] - bugzilla (Minor issue) - bugzilla4 (bug #669643) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=785522 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=785511 CVE-2012-3981 (Auth/Verify/LDAP.pm in Bugzilla 2.x and 3.x before 3.6.11, 3.7.x and 4 ...) - bugzilla (low) [squeeze] - bugzilla (Minor issue) - bugzilla4 (bug #669643) CVE-2012-3980 (The web console in Mozilla Firefox before 15.0, Firefox ESR 10.x befor ...) - iceweasel 10.0.7esr-1 - icedove 10.0.7-1 - iceape 2.7.7-1 [squeeze] - iceape (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceweasel (Vulnerable code not present) CVE-2012-3979 (Mozilla Firefox before 15.0 on Android does not properly implement uns ...) - iceweasel (Only affects Firefox for Android) CVE-2012-3978 (The nsLocation::CheckURL function in Mozilla Firefox before 15.0, Fire ...) {DSA-2556-1 DSA-2554-1 DSA-2553-1} - iceweasel 10.0.7esr-1 - icedove 10.0.7-1 - iceape 2.7.7-1 CVE-2012-3977 REJECTED CVE-2012-3976 (Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, and SeaMo ...) - iceweasel 10.0.7esr-1 - iceape 2.7.7-1 [squeeze] - iceape (Vulnerable code not present) [squeeze] - iceweasel (Vulnerable code not present) CVE-2012-3975 (The DOMParser component in Mozilla Firefox before 15.0, Thunderbird be ...) - iceweasel (Only affects Firefox >= 10) - icedove (Only affects Firefox >= 10) - iceape (Only affects Firefox >= 10) CVE-2012-3974 (Untrusted search path vulnerability in the installer in Mozilla Firefo ...) - iceweasel (Only affects Firefox for Windows) CVE-2012-3973 (The debugger in the developer-tools subsystem in Mozilla Firefox befor ...) - iceweasel (Only affects Firefox >= 10) CVE-2012-3972 (The format-number functionality in the XSLT implementation in Mozilla ...) {DSA-2556-1 DSA-2554-1 DSA-2553-1} - iceweasel 10.0.7esr-1 - icedove 10.0.7-1 - iceape 2.7.7-1 CVE-2012-3971 (Summer Institute of Linguistics (SIL) Graphite 2, as used in Mozilla F ...) - iceweasel (Only affects Firefox >= 10) - icedove (Only affects Firefox >= 10) - iceape (Only affects Firefox >= 10) CVE-2012-3970 (Use-after-free vulnerability in the nsTArray_base::Length function in ...) - iceweasel (Vulnerable code not present in Firefox 10.x codebase) - icedove (Vulnerable code not present in Firefox 10.x codebase) - iceape (Vulnerable code not present in Firefox 10.x codebase) CVE-2012-3969 (Integer overflow in the nsSVGFEMorphologyElement::Filter function in M ...) {DSA-2556-1 DSA-2554-1 DSA-2553-1} - iceweasel 10.0.7esr-1 - icedove 10.0.7-1 - iceape 2.7.7-1 CVE-2012-3968 (Use-after-free vulnerability in the WebGL implementation in Mozilla Fi ...) - iceweasel (Vulnerable code not present in Firefox 10.x codebase) - icedove (Vulnerable code not present in Firefox 10.x codebase) - iceape (Vulnerable code not present in Firefox 10.x codebase) CVE-2012-3967 (The WebGL implementation in Mozilla Firefox before 15.0, Firefox ESR 1 ...) - iceweasel 10.0.7esr-1 - icedove 10.0.7-1 - iceape 2.7.7-1 [squeeze] - iceape (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceweasel (Vulnerable code not present) CVE-2012-3966 (Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbi ...) - iceweasel 10.0.7esr-1 - icedove 10.0.7-1 - iceape 2.7.7-1 [squeeze] - iceape (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceweasel (Vulnerable code not present) CVE-2012-3965 (Mozilla Firefox before 15.0 does not properly restrict navigation to t ...) - iceweasel (Only affects Firefox >= 10) CVE-2012-3964 (Use-after-free vulnerability in the gfxTextRun::GetUserData function i ...) - iceweasel (Vulnerable code not present in Firefox 10.x codebase) - icedove (Vulnerable code not present in Firefox 10.x codebase) - iceape (Vulnerable code not present in Firefox 10.x codebase) CVE-2012-3963 (Use-after-free vulnerability in the js::gc::MapAllocToTraceKind functi ...) - iceweasel (Vulnerable code not present in Firefox 10.x codebase) - icedove (Vulnerable code not present in Firefox 10.x codebase) - iceape (Vulnerable code not present in Firefox 10.x codebase) CVE-2012-3962 (Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbi ...) {DSA-2556-1 DSA-2554-1 DSA-2553-1} - iceweasel 10.0.7esr-1 - icedove 10.0.7-1 - iceape 2.7.7-1 CVE-2012-3961 (Use-after-free vulnerability in the RangeData implementation in Mozill ...) - iceweasel (Vulnerable code not present in Firefox 10.x codebase) - icedove (Vulnerable code not present in Firefox 10.x codebase) - iceape (Vulnerable code not present in Firefox 10.x codebase) CVE-2012-3960 (Use-after-free vulnerability in the mozSpellChecker::SetCurrentDiction ...) - iceweasel 10.0.7esr-1 - icedove 10.0.7-1 - iceape 2.7.7-1 [squeeze] - iceape (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceweasel (Vulnerable code not present) CVE-2012-3959 (Use-after-free vulnerability in the nsRangeUpdater::SelAdjDeleteNode f ...) {DSA-2556-1 DSA-2554-1 DSA-2553-1} - iceweasel 10.0.7esr-1 - icedove 10.0.7-1 - iceape 2.7.7-1 CVE-2012-3958 (Use-after-free vulnerability in the nsHTMLEditRules::DeleteNonTableEle ...) - iceweasel (Vulnerable code not present in Firefox 10.x codebase) - icedove (Vulnerable code not present in Firefox 10.x codebase) - iceape (Vulnerable code not present in Firefox 10.x codebase) CVE-2012-3957 (Heap-based buffer overflow in the nsBlockFrame::MarkLineDirty function ...) - iceweasel 10.0.7esr-1 - icedove 10.0.7-1 - iceape 2.7.7-1 [squeeze] - iceape (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceweasel (Vulnerable code not present) CVE-2012-3956 (Use-after-free vulnerability in the MediaStreamGraphThreadRunnable::Ru ...) - iceweasel (Vulnerable code not present in Firefox 10.x codebase) - icedove (Vulnerable code not present in Firefox 10.x codebase) - iceape (Vulnerable code not present in Firefox 10.x codebase) CVE-2012-3955 (ISC DHCP 4.1.x before 4.1-ESV-R7 and 4.2.x before 4.2.4-P2 allows remo ...) {DSA-2551-1} - isc-dhcp 4.2.4-2 [wheezy] - isc-dhcp 4.2.2.dfsg.1-5+deb70u1 CVE-2012-3954 (Multiple memory leaks in ISC DHCP 4.1.x and 4.2.x before 4.2.4-P1 and ...) {DSA-2519-2 DSA-2519-1 DSA-2516-1} - isc-dhcp 4.2.4-2 (bug #686174) [wheezy] - isc-dhcp 4.2.2.dfsg.1-5+deb70u1 CVE-2012-3953 (SQL injection vulnerability in admin/index.php in phpList before 2.10. ...) - phplist (bug #612288) CVE-2012-3952 (Cross-site scripting (XSS) vulnerability in admin/index.php in phpList ...) - phplist (bug #612288) CVE-2012-3951 (The MySQL component in Plixer Scrutinizer (aka Dell SonicWALL Scrutini ...) NOT-FOR-US: Plixer Scrutinizer CVE-2012-3950 (The Intrusion Prevention System (IPS) feature in Cisco IOS 12.3 throug ...) NOT-FOR-US: Cisco IOS CVE-2012-3949 (The SIP implementation in Cisco Unified Communications Manager (CUCM) ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2012-3948 RESERVED CVE-2012-3947 RESERVED CVE-2012-3946 (Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ...) NOT-FOR-US: Cisco IOS CVE-2012-3945 RESERVED CVE-2012-3944 RESERVED CVE-2012-3943 RESERVED CVE-2012-3942 RESERVED CVE-2012-3941 (Heap-based buffer overflow in the Cisco WebEx Recording Format (WRF) p ...) NOT-FOR-US: Cisco WebEx CVE-2012-3940 (Buffer overflow in the Cisco WebEx Recording Format (WRF) player T27 b ...) NOT-FOR-US: Cisco WebEx CVE-2012-3939 (Buffer overflow in the Cisco WebEx Recording Format (WRF) player T27 b ...) NOT-FOR-US: Cisco WebEx CVE-2012-3938 (Buffer overflow in the Cisco WebEx Recording Format (WRF) player T27 b ...) NOT-FOR-US: Cisco WebEx CVE-2012-3937 (Buffer overflow in the Cisco WebEx Recording Format (WRF) player T27 b ...) NOT-FOR-US: Cisco WebEx CVE-2012-3936 (Buffer overflow in the Cisco WebEx Recording Format (WRF) player T27 b ...) NOT-FOR-US: Cisco WebEx CVE-2012-3935 (Cisco Unified Presence (CUP) before 8.6(3) and Jabber Extensible Commu ...) NOT-FOR-US: Cisco Unified Presence, Jabber Extensible Communications Platform CVE-2012-3934 RESERVED CVE-2012-3933 RESERVED CVE-2012-3932 RESERVED CVE-2012-3931 RESERVED CVE-2012-3930 RESERVED CVE-2012-3929 RESERVED CVE-2012-3928 RESERVED CVE-2012-3927 RESERVED CVE-2012-3926 RESERVED CVE-2012-3925 RESERVED CVE-2012-3924 (The SSLVPN implementation in Cisco IOS 15.1 and 15.2, when DTLS is ena ...) NOT-FOR-US: Cisco IOS CVE-2012-3923 (The SSLVPN implementation in Cisco IOS 12.4, 15.0, 15.1, and 15.2, whe ...) NOT-FOR-US: Cisco IOS CVE-2012-3922 RESERVED CVE-2012-3921 RESERVED CVE-2012-3920 RESERVED CVE-2012-3919 (The Cisco Application Control Engine (ACE) module 3.0 for Cisco Cataly ...) NOT-FOR-US: Cisco Application Control Engine CVE-2012-3918 (Cisco IOS before 15.3(1)T on Cisco 2900 devices, when a VWIC2-2MFT-T1/ ...) NOT-FOR-US: Cisco IOS CVE-2012-3917 RESERVED CVE-2012-3916 RESERVED CVE-2012-3915 (The DMVPN tunnel implementation in Cisco IOS 15.2 allows remote attack ...) NOT-FOR-US: Cisco IOS CVE-2012-3914 RESERVED CVE-2012-3913 (The Cisco VC220 and VC240 cameras allow remote attackers to cause a de ...) NOT-FOR-US: Cisco CVE-2012-3912 RESERVED CVE-2012-3911 RESERVED CVE-2012-3910 RESERVED CVE-2012-3909 RESERVED CVE-2012-3908 (Multiple cross-site request forgery (CSRF) vulnerabilities in the ISE ...) NOT-FOR-US: Cisco Identity Services Engine CVE-2012-3907 RESERVED CVE-2012-3906 RESERVED CVE-2012-3905 RESERVED CVE-2012-3904 RESERVED CVE-2012-3903 RESERVED CVE-2012-3902 RESERVED CVE-2012-3901 (The updateTime function in sensorApp on Cisco IPS 4200 series sensors ...) NOT-FOR-US: Cisco IPS 4200 CVE-2012-3900 RESERVED CVE-2012-3899 (sensorApp on Cisco IPS 4200 series sensors 6.0, 6.2, and 7.0 does not ...) NOT-FOR-US: Cisco IPS 4200 CVE-2012-3898 RESERVED CVE-2012-3897 RESERVED CVE-2012-3896 RESERVED CVE-2012-3895 (Cisco IOS 15.0 through 15.3 allows remote authenticated users to cause ...) NOT-FOR-US: Cisco IOS CVE-2012-3894 RESERVED CVE-2012-3893 (The FlexVPN implementation in Cisco IOS 15.2 and 15.3 allows remote au ...) NOT-FOR-US: Cisco IOS CVE-2012-3892 RESERVED CVE-2012-3891 RESERVED CVE-2012-3890 (The in_mod plugin in Winamp before 5.63 allows remote attackers to cau ...) NOT-FOR-US: Winamp CVE-2012-3889 (The in_mod plugin in Winamp before 5.63 allows remote attackers to cau ...) NOT-FOR-US: Winamp CVE-2012-3888 (The login implementation in AirDroid 1.0.4 beta allows remote attacker ...) NOT-FOR-US: AirDroid CVE-2012-3887 (AirDroid before 1.0.7 beta uses a cleartext base64 format for data tra ...) NOT-FOR-US: AirDroid CVE-2012-3886 (AirDroid 1.0.4 beta uses the MD5 algorithm for values in the checklogi ...) NOT-FOR-US: AirDroid CVE-2012-3885 (The default configuration of AirDroid 1.0.4 beta uses a four-character ...) NOT-FOR-US: AirDroid CVE-2012-3884 (AirDroid 1.0.4 beta implements authentication through direct transmiss ...) NOT-FOR-US: AirDroid CVE-2012-3883 RESERVED CVE-2012-3882 RESERVED CVE-2012-3881 (Multiple SQL injection vulnerabilities in RTG 0.7.4 and RTG2 0.9.2 all ...) NOT-FOR-US: RTG, RTG2 CVE-2012-3880 RESERVED CVE-2012-3879 RESERVED CVE-2012-3878 REJECTED CVE-2012-3877 RESERVED CVE-2012-3876 RESERVED CVE-2012-3875 RESERVED CVE-2012-3874 RESERVED CVE-2012-3873 (Multiple SQL injection vulnerabilities in Open Constructor 3.12.0 allo ...) NOT-FOR-US: Open Constructor CVE-2012-3872 (Multiple cross-site scripting (XSS) vulnerabilities in Open Constructo ...) NOT-FOR-US: Open Constructor CVE-2012-3871 (Cross-site scripting (XSS) vulnerability in data/hybrid/i_hybrid.php i ...) NOT-FOR-US: Open Constructor CVE-2012-3870 (Multiple cross-site scripting (XSS) vulnerabilities in objects/createo ...) NOT-FOR-US: Open Constructor CVE-2012-3869 (Cross-site scripting (XSS) vulnerability in include/classes/class.rex_ ...) NOT-FOR-US: REDAXO CVE-2012-3868 (Race condition in the ns_client structure management in ISC BIND 9.9.x ...) NOTE: https://kb.isc.org/article/AA-00730 - bind9 (Vulnerable code not present, only affects 9.9.x) - isc-dhcp (embeds bind 9.8.x; this issue only affects 9.9.x) CVE-2012-3867 (lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2. ...) {DSA-2511-1} - puppet 2.7.18-1 CVE-2012-3866 (lib/puppet/defaults.rb in Puppet 2.7.x before 2.7.18, and Puppet Enter ...) {DSA-2511-1} - puppet 2.7.18-1 CVE-2012-3865 (Directory traversal vulnerability in lib/puppet/reports/store.rb in Pu ...) {DSA-2511-1} - puppet 2.7.18-1 CVE-2012-3864 (Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise be ...) {DSA-2511-1} - puppet 2.7.18-1 CVE-2012-3862 RESERVED CVE-2012-3861 RESERVED CVE-2012-3860 RESERVED CVE-2012-3859 (Unspecified vulnerability in the WebAdmin Portal in Netsweeper has unk ...) NOT-FOR-US: Netsweeper WebAdmin Portal CVE-2012-3858 RESERVED CVE-2012-3857 RESERVED CVE-2012-3856 RESERVED CVE-2012-3855 RESERVED CVE-2012-3854 RESERVED CVE-2012-3853 RESERVED CVE-2012-3852 RESERVED CVE-2012-3851 RESERVED CVE-2012-3850 RESERVED CVE-2012-3849 RESERVED CVE-2012-3848 (Multiple cross-site scripting (XSS) vulnerabilities in the web console ...) NOT-FOR-US: Plixer Scrutinizer CVE-2012-3863 (channels/chan_sip.c in Asterisk Open Source 1.8.x before 1.8.13.1 and ...) {DSA-2550-1} - asterisk 1:1.8.13.1~dfsg-1 CVE-2012-3847 (slssvc.exe in Invensys Wonderware SuiteLink in Invensys InTouch 2012 a ...) NOT-FOR-US: Windows utility CVE-2012-3846 (Cross-site scripting (XSS) vulnerability in index.php in PHP-pastebin ...) NOT-FOR-US: php-pastebin not in Debian CVE-2012-3845 (Buffer overflow in LAN Messenger 1.2.28 and earlier allows remote atta ...) NOT-FOR-US: LAN Messenger not in Debian CVE-2012-3844 (Cross-site scripting (XSS) vulnerability in vBulletin 4.1.12 allows re ...) NOT-FOR-US: vBulletin not in Debian CVE-2012-3843 (Cross-site scripting (XSS) vulnerability in the registration page in e ...) NOT-FOR-US: e107 not in Debian CVE-2012-3842 (Multiple cross-site scripting (XSS) vulnerabilities in CMD_DOMAIN in J ...) NOT-FOR-US: DirectAdmin not in Debian CVE-2012-3841 (Untrusted search path vulnerability in KMPlayer 3.2.0.19 allows local ...) NOT-FOR-US: KMPlayer not in Debian (not the KDE interface to mplayer) CVE-2012-3840 (Multiple cross-site scripting (XSS) vulnerabilities in index.php/users ...) NOT-FOR-US: MyClientBase not in Debian CVE-2012-3839 (Multiple SQL injection vulnerabilities in application/core/MY_Model.ph ...) NOT-FOR-US: MyClientBase not in Debian CVE-2012-3838 (Gekko before 1.2.0 allows remote attackers to obtain the installation ...) NOT-FOR-US: Baby Gekko not in Debian CVE-2012-3837 (Multiple cross-site scripting (XSS) vulnerabilities in apps/users/regi ...) NOT-FOR-US: Baby Gekko not in Debian CVE-2012-3836 (Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko befo ...) NOT-FOR-US: Baby Gekko not in Debian CVE-2012-3835 (Multiple cross-site scripting (XSS) vulnerabilities in AlienVault Open ...) NOT-FOR-US: OSSIM not in Debian (different from Open Source Software Image Map) CVE-2012-3834 (SQL injection vulnerability in forensics/base_qry_main.php in AlienVau ...) NOT-FOR-US: OSSIM not in Debian (different from Open Source Software Image Map) CVE-2012-3833 (Cross-site scripting (XSS) vulnerability in the default index page in ...) NOT-FOR-US: Quick.CMS not in Debian CVE-2012-3832 (Cross-site scripting (XSS) vulnerability in decoda/Decoda.php in Decod ...) NOT-FOR-US: Decoda not in Debian CVE-2012-3831 (Cross-site scripting (XSS) vulnerability in decoda/templates/video.php ...) NOT-FOR-US: Decoda not in Debian CVE-2012-3830 (Cross-site scripting (XSS) vulnerability in decoda/templates/video.php ...) NOT-FOR-US: Decoda not in Debian CVE-2012-3829 (Joomla! 2.5.3 allows remote attackers to obtain the installation path ...) NOT-FOR-US: Joomla! CVE-2012-3828 (Cross-site scripting (XSS) vulnerability in Joomla! 2.5.3 allows remot ...) NOT-FOR-US: Joomla! CVE-2012-3827 RESERVED CVE-2011-5096 (Stack-based buffer overflow in cstore.exe in the Media Application Ser ...) NOT-FOR-US: Avaya Aura Application Server CVE-2012-3826 (Multiple integer underflows in Wireshark 1.4.x before 1.4.13 and 1.6.x ...) - wireshark 1.6.8-1 (unimportant) [squeeze] - wireshark (vulnerable code appeared in 1.4/1.6) NOTE: not suitable for code injection NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7125 NOTE: leftover of CVE-2012-2392 CVE-2012-3825 (Multiple integer overflows in Wireshark 1.4.x before 1.4.13 and 1.6.x ...) - wireshark 1.6.8-1 (unimportant) [squeeze] - wireshark (vulnerable code appeared in 1.4/1.6) NOTE: not suitable for code injection NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7125 NOTE: leftover of CVE-2012-2392 CVE-2012-3824 (In Arial Campaign Enterprise before 11.0.551, multiple pages are acces ...) NOT-FOR-US: Arial Campaign Enterprise CVE-2012-3823 (Arial Campaign Enterprise before 11.0.551 stores passwords in clear te ...) NOT-FOR-US: Arial Campaign Enterprise CVE-2012-3822 (Arial Campaign Enterprise before 11.0.551 has unauthorized access to t ...) NOT-FOR-US: Arial Campaign Enterprise CVE-2012-3821 (A Security Bypass vulnerability exists in the activate.asp page in Ari ...) NOT-FOR-US: Arial Software Campaign Enterprise CVE-2012-3820 (Multiple SQL injection vulnerabilities in Campaign11.exe in Arial Soft ...) NOT-FOR-US: Arial Software Campaign Enterprise CVE-2012-3819 (Stack consumption vulnerability in dartwebserver.dll 1.9 and earlier, ...) NOT-FOR-US: dartwebserver.dll CVE-2012-3818 (The fpm exporter in Revelation 0.4.13-2 and earlier encrypts the versi ...) - revelation 0.4.13-1.2 (bug #680059) [squeeze] - revelation (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3818 NOTE: http://knoxin.blogspot.co.uk/2012/06/revelation-password-manager-considered.html NOTE: http://als.regnet.cz/fpm2/feedback/2 CVE-2012-3817 (ISC BIND 9.4.x, 9.5.x, 9.6.x, and 9.7.x before 9.7.6-P2; 9.8.x before ...) {DSA-2517-1} - bind9 1:9.8.1.dfsg.P1-4.2 (bug #683259) - isc-dhcp (issue only affects the named service, which isn't used by isc-dhcp) NOTE: https://kb.isc.org/article/AA-00729 CVE-2012-XXXX [packagekit insecure temp file] - packagekit 0.7.6-1 (bug #678189) CVE-2012-3816 (WinRadius Server 2009 allows remote attackers to cause a denial of ser ...) NOT-FOR-US: WinRadius CVE-2012-3815 (Buffer overflow in RunTime.exe in Sielco Sistemi Winlog Pro SCADA befo ...) NOT-FOR-US: Sielco Sistemi Winlog CVE-2012-3814 (Unrestricted file upload vulnerability in font-upload.php in the Font ...) NOT-FOR-US: Wordpress plugin CVE-2012-3813 RESERVED CVE-2012-3812 (Double free vulnerability in apps/app_voicemail.c in Asterisk Open Sou ...) {DSA-2550-1} - asterisk 1:1.8.13.1~dfsg-1 (bug #680470) [squeeze] - asterisk (Vulnerable code not present) CVE-2012-3811 (Unrestricted file upload vulnerability in ImageUpload.ashx in the Wall ...) NOT-FOR-US: Avaya IP Office Customer Call Reporter CVE-2012-3810 (Samsung Kies before 2.5.0.12094_27_11 has registry modification. ...) NOT-FOR-US: Samsung CVE-2012-3809 (Samsung Kies before 2.5.0.12094_27_11 has arbitrary directory modifica ...) NOT-FOR-US: Samsung CVE-2012-3808 (Samsung Kies before 2.5.0.12094_27_11 has arbitrary file modification. ...) NOT-FOR-US: Samsung CVE-2012-3807 (Samsung Kies before 2.5.0.12094_27_11 has arbitrary file execution. ...) NOT-FOR-US: Samsung CVE-2012-3806 (Samsung Kies before 2.5.0.12094_27_11 contains a NULL pointer derefere ...) NOT-FOR-US: Samsung CVE-2012-3805 (Multiple cross-site scripting (XSS) vulnerabilities in the getAllPasse ...) NOT-FOR-US: Kajona CVE-2012-3804 RESERVED CVE-2012-3803 RESERVED CVE-2012-3802 (Unspecified vulnerability in the Post Affiliate Pro (PAP) module for D ...) NOT-FOR-US: Drupal module CVE-2012-3801 REJECTED CVE-2012-3800 (Cross-site scripting (XSS) vulnerability in og.js in the Organic Group ...) NOT-FOR-US: Drupal module CVE-2012-3799 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Maes ...) NOT-FOR-US: Drupal module CVE-2012-3798 (The Janrain Capture module 6.x-1.0 and 7.x-1.0 for Drupal, when creati ...) NOT-FOR-US: Drupal module CVE-2012-3797 (Pro-face WinGP PC Runtime 3.1.00 and earlier, and ProServr.exe in Pro- ...) NOT-FOR-US: Pro-face WinGP PC Runtime CVE-2012-3796 (Pro-face WinGP PC Runtime 3.1.00 and earlier, and ProServr.exe in Pro- ...) NOT-FOR-US: Pro-face WinGP PC Runtime CVE-2012-3795 (Pro-face WinGP PC Runtime 3.1.00 and earlier, and ProServr.exe in Pro- ...) NOT-FOR-US: Pro-face WinGP PC Runtime CVE-2012-3794 (Pro-face WinGP PC Runtime 3.1.00 and earlier, and ProServr.exe in Pro- ...) NOT-FOR-US: Pro-face WinGP PC Runtime CVE-2012-3793 (Integer overflow in Pro-face WinGP PC Runtime 3.1.00 and earlier, and ...) NOT-FOR-US: Pro-face WinGP PC Runtime CVE-2012-3792 (Pro-face WinGP PC Runtime 3.1.00 and earlier, and ProServr.exe in Pro- ...) NOT-FOR-US: Pro-face WinGP PC Runtime CVE-2012-3791 (Multiple SQL injection vulnerabilities in Simple Web Content Managemen ...) NOT-FOR-US: Simple Web Content Management System CVE-2012-3790 (Cross-site scripting (XSS) vulnerability in index.php in Adiscon LogAn ...) NOT-FOR-US: Adiscon LogAnalyzer CVE-2011-5095 (The Diffie-Hellman key-exchange implementation in OpenSSL 0.9.8, when ...) - openssl 0.9.8a-1 (bug #684527) NOTE: fips version not used in Debian CVE-2012-3789 (Unspecified vulnerability in bitcoind and Bitcoin-Qt before 0.4.7rc3, ...) - bitcoin 0.5.0~rc1-1 CVE-2012-3788 RESERVED CVE-2012-3787 RESERVED CVE-2012-3786 RESERVED CVE-2012-3785 RESERVED CVE-2012-3784 RESERVED CVE-2012-3783 RESERVED CVE-2012-3782 RESERVED CVE-2012-3781 RESERVED CVE-2012-3780 RESERVED CVE-2012-3779 RESERVED CVE-2012-3778 RESERVED CVE-2012-3777 RESERVED CVE-2012-3776 RESERVED CVE-2012-3775 RESERVED CVE-2012-3774 RESERVED CVE-2012-3773 RESERVED CVE-2012-3772 RESERVED CVE-2012-3771 RESERVED CVE-2012-3770 RESERVED CVE-2012-3769 RESERVED CVE-2012-3768 RESERVED CVE-2012-3767 RESERVED CVE-2012-3766 RESERVED CVE-2012-3765 RESERVED CVE-2012-3764 RESERVED CVE-2012-3763 RESERVED CVE-2012-3762 RESERVED CVE-2012-3761 RESERVED CVE-2012-3760 RESERVED CVE-2012-3759 RESERVED CVE-2012-3758 (Buffer overflow in Apple QuickTime before 7.7.3 allows remote attacker ...) NOT-FOR-US: QuickTime CVE-2012-3757 (Apple QuickTime before 7.7.3 allows remote attackers to execute arbitr ...) NOT-FOR-US: QuickTime CVE-2012-3756 (Buffer overflow in Apple QuickTime before 7.7.3 allows remote attacker ...) NOT-FOR-US: QuickTime CVE-2012-3755 (Buffer overflow in Apple QuickTime before 7.7.3 allows remote attacker ...) NOT-FOR-US: QuickTime CVE-2012-3754 (Use-after-free vulnerability in the Clear method in the ActiveX contro ...) NOT-FOR-US: QuickTime CVE-2012-3753 (Buffer overflow in the plugin in Apple QuickTime before 7.7.3 allows r ...) NOT-FOR-US: QuickTime CVE-2012-3752 (Multiple buffer overflows in Apple QuickTime before 7.7.3 allow remote ...) NOT-FOR-US: QuickTime CVE-2012-3751 (Use-after-free vulnerability in the plugin in Apple QuickTime before 7 ...) NOT-FOR-US: QuickTime CVE-2012-3750 (The Passcode Lock implementation in Apple iOS before 6.0.1 does not pr ...) NOT-FOR-US: iOS CVE-2012-3749 (The extensions APIs in the kernel in Apple iOS before 6.0.1 provide ke ...) NOT-FOR-US: iOS CVE-2012-3748 (Race condition in WebKit in Apple iOS before 6.0.1 and Safari before 6 ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3747 (WebKit, as used in Apple iOS before 6, allows remote attackers to exec ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3746 (UIWebView in UIKit in Apple iOS before 6 does not properly use the Dat ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3745 (Off-by-one error in Telephony in Apple iOS before 6 allows remote atta ...) NOT-FOR-US: Telephony in Apple iOS CVE-2012-3744 (Telephony in Apple iOS before 6 uses an SMS message's return address a ...) NOT-FOR-US: Telephony in Apple iOS CVE-2012-3743 (The System Logs implementation in Apple iOS before 6 does not restrict ...) NOT-FOR-US: Apple iOS CVE-2012-3742 (Safari in Apple iOS before 6 does not properly restrict use of an unsp ...) NOT-FOR-US: Apple Safari / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3741 (The Restrictions (aka Parental Controls) implementation in Apple iOS b ...) NOT-FOR-US: Apple iOS CVE-2012-3740 (The Passcode Lock implementation in Apple iOS before 6 does not proper ...) NOT-FOR-US: Apple iOS CVE-2012-3739 (The Passcode Lock implementation in Apple iOS before 6 allows physical ...) NOT-FOR-US: Apple iOS CVE-2012-3738 (The Emergency Dialer screen in the Passcode Lock implementation in App ...) NOT-FOR-US: Apple iOS CVE-2012-3737 (The Passcode Lock implementation in Apple iOS before 6 does not proper ...) NOT-FOR-US: Apple iOS CVE-2012-3736 (The Passcode Lock implementation in Apple iOS before 6 allows physical ...) NOT-FOR-US: Apple iOS CVE-2012-3735 (The Passcode Lock implementation in Apple iOS before 6 does not proper ...) NOT-FOR-US: Apple iOS CVE-2012-3734 (Office Viewer in Apple iOS before 6 writes cleartext document data to ...) NOT-FOR-US: Apple iOS CVE-2012-3733 (Messages in Apple iOS before 6, when multiple iMessage e-mail addresse ...) NOT-FOR-US: Apple iOS CVE-2012-3732 (Mail in Apple iOS before 6 uses an S/MIME message's From address as th ...) NOT-FOR-US: Apple iOS CVE-2012-3731 (Mail in Apple iOS before 6 does not properly implement the Data Protec ...) NOT-FOR-US: Apple iOS CVE-2012-3730 (Mail in Apple iOS before 6 does not properly handle reuse of Content-I ...) NOT-FOR-US: Apple iOS CVE-2012-3729 (The Berkeley Packet Filter (BPF) interpreter implementation in the ker ...) NOT-FOR-US: Apple iOS CVE-2012-3728 (The kernel in Apple iOS before 6 dereferences invalid pointers during ...) NOT-FOR-US: Apple iOS CVE-2012-3727 (Buffer overflow in the IPsec component in Apple iOS before 6 allows re ...) NOT-FOR-US: Apple iOS CVE-2012-3726 (Double free vulnerability in ImageIO in Apple iOS before 6 allows remo ...) NOT-FOR-US: Apple iOS CVE-2012-3725 (The DNAv4 protocol implementation in the DHCP component in Apple iOS b ...) NOT-FOR-US: Apple iOS CVE-2012-3724 (CFNetwork in Apple iOS before 6 does not properly identify the host po ...) NOT-FOR-US: Apple iOS CVE-2012-3723 (Apple Mac OS X before 10.7.5 does not properly handle the bNbrPorts fi ...) NOT-FOR-US: Apple Mac OS X CVE-2012-3722 (The Sorenson codec in QuickTime in Apple Mac OS X before 10.7.5, and i ...) NOT-FOR-US: QuickTime in Apple Mac OS X CVE-2012-3721 (Profile Manager in Apple Mac OS X before 10.7.5 does not properly perf ...) NOT-FOR-US: Apple Mac OS X CVE-2012-3720 (Mobile Accounts in Apple Mac OS X before 10.7.5 and 10.8.x before 10.8 ...) NOT-FOR-US: Apple Mac OS X CVE-2012-3719 (Mail in Apple Mac OS X before 10.7.5 does not properly handle embedded ...) NOT-FOR-US: Apple Mac OS X CVE-2012-3718 (Apple Mac OS X before 10.7.5 and 10.8.x before 10.8.2 allows local use ...) NOT-FOR-US: Apple Mac OS X CVE-2012-3717 RESERVED CVE-2012-3716 (CoreText in Apple Mac OS X 10.7.x before 10.7.5 allows remote attacker ...) NOT-FOR-US: Apple Mac OS X CVE-2012-3715 (Apple Safari before 6.0.1 makes http requests for https URIs in certai ...) NOT-FOR-US: Apple Safari / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3714 (The Form Autofill feature in Apple Safari before 6.0.1 does not restri ...) NOT-FOR-US: Apple Safari / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3713 (Apple Safari before 6.0.1 does not properly handle the Quarantine attr ...) NOT-FOR-US: Apple Safari / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3712 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3711 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3710 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3709 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3708 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3707 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3706 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3705 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3704 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3703 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3702 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3701 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3700 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3699 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3698 (Apple Xcode before 4.4 does not properly compose a designated requirem ...) NOT-FOR-US: Apple Xcode CVE-2012-3697 (WebKit in Apple Safari before 6.0 does not properly handle file: URLs, ...) NOT-FOR-US: Apple Safari/ if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3696 (CRLF injection vulnerability in WebKit in Apple Safari before 6.0 allo ...) NOT-FOR-US: Apple Safari/ if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3695 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari bef ...) NOT-FOR-US: Apple Safari/ if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3694 (WebKit in Apple Safari before 6.0 does not properly handle drag-and-dr ...) NOT-FOR-US: Apple Safari/ if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3693 (Incomplete blacklist vulnerability in WebKit in Apple Safari before 6. ...) NOT-FOR-US: Apple Safari/ if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3692 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3691 (WebKit in Apple Safari before 6.0 does not properly handle Cascading S ...) NOT-FOR-US: Apple Safari/ if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3690 (WebKit in Apple Safari before 6.0 does not properly handle drag-and-dr ...) NOT-FOR-US: Apple Safari/ if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3689 (WebKit in Apple Safari before 6.0 does not properly handle drag-and-dr ...) NOT-FOR-US: Apple Safari/ if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3688 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3687 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3686 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple Safari/ if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3685 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3684 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3683 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple Safari/ if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3682 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple Safari/ if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3681 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple Safari/ if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3680 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple Safari/ if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3679 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple Safari/ if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3678 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple Safari/ if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3677 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3676 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3675 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3674 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple Safari/ if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3673 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3672 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3671 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3670 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3669 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3668 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3667 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3666 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3665 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3664 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3663 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3662 RESERVED CVE-2012-3661 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3660 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3659 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3658 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3657 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3656 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3655 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3654 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3653 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3652 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3651 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3650 (WebKit in Apple Safari before 6.0 accesses uninitialized memory locati ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3649 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3648 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3647 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3646 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3645 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3644 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3643 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3642 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3641 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3640 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3639 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3638 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3637 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3636 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3635 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3634 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3633 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3632 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3631 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3630 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3629 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3628 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3627 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3626 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3625 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3624 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3623 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3622 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3621 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3620 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3619 RESERVED CVE-2012-3618 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3617 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3616 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3615 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3614 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3613 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3612 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3611 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3610 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3609 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3608 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3607 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3606 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3605 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3604 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3603 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3602 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3601 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3600 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3599 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3598 (WebKit, as used in Apple iTunes before 10.7, allows remote attackers t ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3597 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3596 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3595 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3594 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3593 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3592 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3591 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3590 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3589 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple iTunes / Safari; if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-3588 (Directory traversal vulnerability in preview.php in the Plugin Newslet ...) NOT-FOR-US: Wordpress plugin CVE-2012-3587 (APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-ke ...) - apt 0.7.25 (unimportant) NOTE: net-update is disabled by default on Debian CVE-2012-3586 RESERVED CVE-2012-3585 (Heap-based buffer overflow in jpeg_ls.dll in the Jpeg_LS (aka JLS) plu ...) NOT-FOR-US: IrfanView PlugIns CVE-2012-3584 RESERVED CVE-2012-3583 REJECTED CVE-2012-3582 (Symantec PGP Universal Server 3.2.x before 3.2.1 MP2 does not properly ...) NOT-FOR-US: Symantec PGP Universal Server CVE-2012-3581 (Symantec Messaging Gateway (SMG) before 10.0 allows remote attackers t ...) NOT-FOR-US: Symantec Messaging Gateway CVE-2012-3580 (Symantec Messaging Gateway (SMG) before 10.0 allows remote authenticat ...) NOT-FOR-US: Symantec Messaging Gateway CVE-2012-3579 (Symantec Messaging Gateway (SMG) before 10.0 has a default password fo ...) NOT-FOR-US: Symantec Messaging Gateway CVE-2012-3578 (Unrestricted file upload vulnerability in html/Upload.php in the FCCha ...) NOT-FOR-US: Wordpress plugin CVE-2012-3577 (Unrestricted file upload vulnerability in doupload.php in the Nmedia M ...) NOT-FOR-US: Wordpress plugin CVE-2012-3576 (Unrestricted file upload vulnerability in php/upload.php in the wpStor ...) NOT-FOR-US: Wordpress plugin CVE-2012-3575 (Unrestricted file upload vulnerability in uploader.php in the RBX Gall ...) NOT-FOR-US: Wordpress plugin CVE-2012-3574 (Unrestricted file upload vulnerability in includes/doajaxfileupload.ph ...) NOT-FOR-US: Wordpress plugin CVE-2012-3573 REJECTED CVE-2012-3572 (Open Source Competency Center (OSCC) MyMeeting 3.0.1 and earlier, and ...) NOT-FOR-US: Open Source Competency Center (OSCC) MyMeeting CVE-2011-5094 (** DISPUTED ** Mozilla Network Security Services (NSS) 3.x, with certa ...) NOTE: Disputed NSS issue CVE-2012-3571 (ISC DHCP 4.1.2 through 4.2.4 and 4.1-ESV before 4.1-ESV-R6 allows remo ...) {DSA-2519-2 DSA-2519-1 DSA-2516-1} - isc-dhcp 4.2.4-2 (bug #686174) [wheezy] - isc-dhcp 4.2.2.dfsg.1-5+deb70u1 CVE-2012-3570 (Buffer overflow in ISC DHCP 4.2.x before 4.2.4-P1, when DHCPv6 mode is ...) - isc-dhcp 4.2.4-2 (bug #686174) [squeeze] - isc-dhcp (Vulnerable code not present) [wheezy] - isc-dhcp 4.2.2.dfsg.1-5+deb70u1 CVE-2012-3569 (Format string vulnerability in VMware OVF Tool 2.1 on Windows, as used ...) NOT-FOR-US: VMware OVF Tool CVE-2012-3568 (Opera before 12.00 Beta allows remote attackers to cause a denial of s ...) NOT-FOR-US: Opera CVE-2012-3567 (Opera before 12.00 Beta allows remote attackers to cause a denial of s ...) NOT-FOR-US: Opera CVE-2012-3566 (Opera before 12.00 Beta allows user-assisted remote attackers to cause ...) NOT-FOR-US: Opera CVE-2012-3565 (Opera before 12.00 Beta allows remote attackers to cause a denial of s ...) NOT-FOR-US: Opera CVE-2012-3564 (Opera before 12.00 Beta allows remote attackers to cause a denial of s ...) NOT-FOR-US: Opera CVE-2012-3563 (Opera before 12.00 Beta allows remote attackers to cause a denial of s ...) NOT-FOR-US: Opera CVE-2012-3562 (Opera before 12.00 Beta allows user-assisted remote attackers to cause ...) NOT-FOR-US: Opera CVE-2012-3561 (Opera before 11.64 does not properly allocate memory for URL strings, ...) NOT-FOR-US: Opera CVE-2012-3560 (Opera before 11.65 does not ensure that the address field corresponds ...) NOT-FOR-US: Opera CVE-2012-3559 (Unspecified vulnerability in Opera before 12.00 on Mac OS X has unknow ...) NOT-FOR-US: Opera CVE-2012-3558 (Opera before 11.65 does not ensure that the address field corresponds ...) NOT-FOR-US: Opera CVE-2012-3557 (Opera before 11.65 does not properly restrict the reading of JSON stri ...) NOT-FOR-US: Opera CVE-2012-3556 (Opera before 11.65 does not properly restrict the opening of a pop-up ...) NOT-FOR-US: Opera CVE-2012-3555 (Opera before 11.65 does not ensure that keyboard sequences are associa ...) NOT-FOR-US: Opera CVE-2012-3554 (SQL injection vulnerability in the RSGallery2 (com_rsgallery2) compone ...) NOT-FOR-US: Joomla addon CVE-2012-3552 (Race condition in the IP implementation in the Linux kernel before 3.0 ...) {DSA-2668-1} - linux 3.0-1 - linux-2.6 CVE-2012-3551 (Cross-site scripting (XSS) vulnerability in crowbar_framework/app/view ...) NOT-FOR-US: Crowbar CVE-2012-3550 REJECTED CVE-2012-3549 (The SCTP implementation in FreeBSD 8.2 allows remote attackers to caus ...) - kfreebsd-8 8.3-5 (bug #686961) [squeeze] - kfreebsd-8 (Minor issue) - kfreebsd-9 9.0-7 (bug #686962) - kfreebsd-10 10.0~svn242489-1 (bug #686963) NOTE: http://www.exploit-db.com/exploits/20226/ CVE-2012-3548 (The dissect_drda function in epan/dissectors/packet-drda.c in Wireshar ...) - wireshark 1.8.2-2 (unimportant; bug #686225) [squeeze] - wireshark (Vulnerable code not present) NOTE: Doesn't allow code injection NOTE: debian changelog contains CVE-2012-5239, but this was rejected in favour of CVE-2012-3548 CVE-2012-3547 (Stack-based buffer overflow in the cbtls_verify function in FreeRADIUS ...) {DSA-2546-1} - freeradius 2.1.12+dfsg-1.1 (medium; bug #687175) CVE-2012-3546 (org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6 ...) - tomcat7 7.0.28-4 (bug #695251) - tomcat6 6.0.35-6 (bug #695250) [squeeze] - tomcat6 6.0.35-1+squeeze3 NOTE: DSA 2725 CVE-2012-3545 REJECTED CVE-2012-3544 (Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properl ...) {DSA-2897-1 DSA-2725-1} - tomcat6 6.0.37 - tomcat7 7.0.30 CVE-2012-3543 (mono 2.10.x ASP.NET Web Form Hash collision DoS ...) - mono 2.10.8.1-7 (bug #686562) [squeeze] - mono (Minor issue) CVE-2012-3542 (OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and ...) - keystone 2012.1.1-5 CVE-2012-3541 REJECTED CVE-2012-3540 (Open redirect vulnerability in views/auth_forms.py in OpenStack Dashbo ...) - horizon 2012.1.1-4 (bug #686050) CVE-2012-3539 REJECTED CVE-2012-3538 (Pulp in Red Hat CloudForms before 1.1 logs administrative passwords in ...) NOT-FOR-US: Red Hat CloudForms CVE-2012-3537 (The Crowbar Ohai plugin (chef/cookbooks/ohai/files/default/plugins/cro ...) NOT-FOR-US: crowbar ohai plugin NOTE: https://github.com/SUSE-Cloud/barclamp-deployer/commit/b6454268a067fc77ff5de82057b5b53b3cc38b87 CVE-2012-3536 (Two XSS vulnerabilities were fixed in message list and view in the Hup ...) NOT-FOR-US: Apache James CVE-2012-3535 (Heap-based buffer overflow in OpenJPEG 1.5.0 and earlier allows remote ...) {DSA-2629-1} - openjpeg 1.3+dfsg-4.6 (bug #685970) CVE-2012-3534 (GNU Gatekeeper before 3.1 does not limit the number of connections to ...) - gnugk 2:3.0.2-3 (low; bug #685969) [squeeze] - gnugk (Minor issue) CVE-2012-3533 (The python SDK before 3.1.0.6 and CLI before 3.1.0.8 for oVirt 3.1 doe ...) NOT-FOR-US: ovirt CVE-2012-3532 (Cross-site request forgery (CSRF) vulnerability in the GateIn Portal c ...) - jbossas4 (Only builds a few libraries, not the full application server, #581226) CVE-2012-3531 (Cross-site scripting (XSS) vulnerability in the Install Tool in TYPO3 ...) {DSA-2537-1} - typo3-src 4.5.19+dfsg1-1 (bug #685011) CVE-2012-3530 (Incomplete blacklist vulnerability in the t3lib_div::quoteJSvalue API ...) {DSA-2537-1} - typo3-src 4.5.19+dfsg1-1 (bug #685011) CVE-2012-3529 (The configuration module in the backend in TYPO3 4.5.x before 4.5.19, ...) {DSA-2537-1} - typo3-src 4.5.19+dfsg1-1 (bug #685011) CVE-2012-3528 (Multiple cross-site scripting (XSS) vulnerabilities in the backend in ...) {DSA-2537-1} - typo3-src 4.5.19+dfsg1-1 (bug #685011) CVE-2012-3527 (view_help.php in the backend help system in TYPO3 4.5.x before 4.5.19, ...) {DSA-2537-1} - typo3-src 4.5.19+dfsg1-1 (bug #685011) CVE-2012-3526 (The reverse proxy add forward module (mod_rpaf) 0.5 and 0.6 for the Ap ...) {DSA-2532-1} - libapache2-mod-rpaf 0.6-1 (bug #683984) CVE-2012-3525 (s2s/out.c in jabberd2 2.2.16 and earlier does not verify that a reques ...) - jabberd2 2.2.17-1 (bug #685666) CVE-2012-3524 (libdbus 1.5.x and earlier, when used in setuid or other privileged pro ...) - dbus 1.6.8-1 (bug #689070) [squeeze] - dbus 1.2.24-4+squeeze2 - glib2.0 2.33.12+really2.32.4-2 [squeeze] - glib2.0 (Vulnerable code not present) NOTE: fixed in 2.34.0-1 from experimental NOTE: http://www.openwall.com/lists/oss-security/2012/09/12/6 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=697105 NOTE: http://stealth.openwall.net/null/dzug.c CVE-2012-3523 (The STARTTLS implementation in nnrpd in INN before 2.5.3 does not prop ...) - inn (STARTTLS was introduced in 2.3, see bug #685581) - inn2 2.5.3-1 (low; bug #685581) [squeeze] - inn2 (Minor issue) CVE-2012-3522 (Cross-site scripting (XSS) vulnerability in contrib/langwiz.php in GeS ...) - geshi (Vulnerable code not present, see bug #685323) [squeeze] - geshi (shipped as example/.gz) CVE-2012-3521 (Multiple directory traversal vulnerabilities in the cssgen contrib mod ...) - geshi 1.0.8.4-2 (bug #685324) [squeeze] - geshi 1.0.8.4-1+squeeze1 CVE-2012-3520 (The Netlink implementation in the Linux kernel before 3.2.30 does not ...) - linux 3.2.29-1 - linux-2.6 (Introduced in 3.1) CVE-2012-3519 (routerlist.c in Tor before 0.2.2.38 uses a different amount of time fo ...) {DSA-2548-1} - tor 0.2.3.20-rc-1 (low) CVE-2012-3518 (The networkstatus_parse_vote_from_string function in routerparse.c in ...) {DSA-2548-1} - tor 0.2.3.20-rc-1 (low) CVE-2012-3517 (Use-after-free vulnerability in dns.c in Tor before 0.2.2.38 might all ...) {DLA-17-1} - tor 0.2.3.20-rc-1 (low) [squeeze] - tor 0.2.4.23-1~deb6u1 CVE-2012-3516 (The GNTTABOP_swap_grant_ref sub-operation in the grant table hypercall ...) - xen (Only affects >= 4.2) CVE-2012-3515 (Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulat ...) {DSA-2545-1 DSA-2543-1 DSA-2542-1} - xen 4.1.3-2 (bug #686764) [squeeze] - xen (Vulnerable code not present) - xen-qemu-dm-4.0 - qemu 1.1.2+dfsg-1 - qemu-kvm 1.1.2+dfsg-1 CVE-2012-3514 (OCaml Xml-Light Library before r234 computes hash values without restr ...) - xml-light 2.2-15 (low; bug #685584) [squeeze] - xml-light (Minor issue) CVE-2012-3513 (munin-cgi-graph in Munin before 2.0.6, when running as a CGI module un ...) - munin 2.0.6-1 (bug #684076) [squeeze] - munin (vulnerable code introduced in 2.x) NOTE: http://www.munin-monitoring.org/ticket/1238 CVE-2012-3512 (Munin before 2.0.6 stores plugin state files that run as root in the s ...) {DLA-20-1} - munin 2.0.6-1 (bug #684075) [squeeze] - munin 1.4.5-3+deb6u1 NOTE: http://www.munin-monitoring.org/ticket/1234 CVE-2012-3511 (Multiple race conditions in the madvise_remove function in mm/madvise. ...) - linux 3.2.23-1 - linux-2.6 [squeeze] - linux-2.6 2.6.32-47 CVE-2012-3510 (Use-after-free vulnerability in the xacct_add_tsk function in kernel/t ...) - linux 2.6.20-1 - linux-2.6 2.6.20-1 CVE-2012-3509 (Multiple integer overflows in the (1) _objalloc_alloc function in obja ...) {DLA-324-1} - binutils 2.22-8 (low; bug #688951) CVE-2012-4668 (Cross-site scripting (XSS) vulnerability in Roundcube Webmail 0.8.1 an ...) - roundcube 0.7.2-4 (bug #685475) [squeeze] - roundcube (Vulnerable code not present) NOTE: http://trac.roundcube.net/ticket/1488613 CVE-2012-3508 (Cross-site scripting (XSS) vulnerability in program/lib/washtml.php in ...) - roundcube 0.7.2-4 (bug #685475) [squeeze] - roundcube (Vulnerable code not present) NOTE: http://trac.roundcube.net/ticket/1488613 CVE-2012-3507 (Cross-site scripting (XSS) vulnerability in program/steps/mail/func.in ...) - roundcube (only affects rc versions of 0.8) NOTE: http://trac.roundcube.net/ticket/1488519 CVE-2012-3506 (Unspecified vulnerability in the Apache Open For Business Project (aka ...) NOT-FOR-US: OFBiz CVE-2012-3505 (Tinyproxy 1.8.3 and earlier allows remote attackers to cause a denial ...) {DSA-2564-1} - tinyproxy 1.8.3-3 (bug #685281) NOTE: https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/1036985 CVE-2012-3504 (The nssconfigFound function in genkey.pl in crypto-utils 2.4.1-34 allo ...) NOT-FOR-US: genkey script from Red Hat, not present in Debian CVE-2012-3503 (The installation script in Katello 1.0 and earlier does not properly g ...) NOT-FOR-US: Katello CVE-2012-3502 (The proxy functionality in (1) mod_proxy_ajp.c in the mod_proxy_ajp mo ...) - apache2 (Only affects 2.4 from experimental) NOTE: https://issues.apache.org/bugzilla/show_bug.cgi?id=53727 CVE-2012-3501 (The squidclamav_check_preview_handler function in squidclamav.c in Squ ...) - squidclamav (bug #685398) CVE-2012-3500 (scripts/annotate-output.sh in devscripts before 2.12.2, as used in rpm ...) {DSA-2549-1} - devscripts 2.12.2 CVE-2012-3499 (Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP ...) {DSA-2637-1} - apache2 2.2.22-13 (low) CVE-2012-3498 (PHYSDEVOP_map_pirq in Xen 4.1 and 4.2 and Citrix XenServer 6.0.2 and e ...) - xen 4.1.3-2 (bug #686764) [squeeze] - xen (Vulnerable code not present) CVE-2012-3497 ((1) TMEMC_SAVE_GET_CLIENT_WEIGHT, (2) TMEMC_SAVE_GET_CLIENT_CAP, (3) T ...) - xen 4.1.4-1 (unimportant; bug #686764) [squeeze] - xen (Experimental/unsupported feature) NOTE: TMEM not supported for production systems (technology preview) CVE-2012-3496 (XENMEM_populate_physmap in Xen 4.0, 4.1, and 4.2, and Citrix XenServer ...) {DSA-2544-1} - xen 4.1.3-2 (bug #686764) CVE-2012-3495 (The physdev_get_free_pirq hypercall in arch/x86/physdev.c in Xen 4.1.x ...) - xen 4.1.3-2 (bug #686764) [squeeze] - xen (Vulnerable code not present) CVE-2012-3494 (The set_debugreg hypercall in include/asm-x86/debugreg.h in Xen 4.0, 4 ...) {DSA-2544-1} - xen 4.1.3-2 (bug #686764) CVE-2012-3493 (The command_give_request_ad function in condor_startd.V6/command.cpp C ...) - condor 7.8.2~dfsg.1-1+deb7u1 (bug #688210) CVE-2012-3492 (The filesystem authentication (condor_io/condor_auth_fs.cpp) in Condor ...) - condor 7.8.2~dfsg.1-1+deb7u1 (bug #688210) CVE-2012-3491 (src/condor_schedd.V6/schedd.cpp in Condor 7.6.x before 7.6.10 and 7.8. ...) - condor 7.8.2~dfsg.1-1+deb7u1 (bug #688210) CVE-2012-3490 (The (1) my_popenv_impl and (2) my_spawnv functions in src/condor_utils ...) - condor 7.8.2~dfsg.1-1+deb7u1 (bug #688210) CVE-2012-3489 (The xml_parse function in the libxml2 support in the core server compo ...) {DSA-2534-1} - postgresql-9.1 9.1.5-1 - postgresql-8.4 8.4.12-2 CVE-2012-3488 (The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8 ...) {DSA-2534-1} - postgresql-9.1 9.1.5-1 - postgresql-8.4 8.4.12-2 CVE-2012-3487 (Race condition in Tunnelblick 3.3beta20 and earlier allows local users ...) NOT-FOR-US: Tunnelblick CVE-2012-3486 (Tunnelblick 3.3beta20 and earlier allows local users to gain privilege ...) NOT-FOR-US: Tunnelblick CVE-2012-3485 (Tunnelblick 3.3beta20 and earlier relies on argv[0] to determine the n ...) NOT-FOR-US: Tunnelblick CVE-2012-3484 (Tunnelblick 3.3beta20 and earlier relies on a test for specific owners ...) NOT-FOR-US: Tunnelblick CVE-2012-3483 (Race condition in the runScript function in Tunnelblick 3.3beta20 and ...) NOT-FOR-US: Tunnelblick CVE-2012-3482 (Fetchmail 5.0.8 through 6.3.21, when using NTLM authentication in debu ...) - fetchmail 6.3.22-1 (low) [wheezy] - fetchmail (Minor issue) [squeeze] - fetchmail (Minor issue) CVE-2012-3481 (Integer overflow in the ReadImage function in plug-ins/common/file-gif ...) - gimp 2.8.2-1 (bug #685397) [squeeze] - gimp 2.6.10-1+squeeze4 NOTE: http://www.openwall.com/lists/oss-security/2012/08/20/8 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=776572 CVE-2012-3480 (Multiple integer overflows in the (1) strtod, (2) strtof, (3) strtold, ...) {DLA-165-1} - eglibc 2.13-36 (bug #684889) - glibc 2.13-36 CVE-2012-3479 (lisp/files.el in Emacs 23.2, 23.3, 23.4, and 24.1 automatically execut ...) {DSA-2603-1} - emacs23 23.4+1-4 (bug #684695) - emacs24 24.2+1-1 (bug #684694) NOTE: http://www.openwall.com/lists/oss-security/2012/08/13/1 NOTE: http://www.openwall.com/lists/oss-security/2012/08/13/2 CVE-2012-3478 (rssh 2.3.3 and earlier allows local users to bypass intended restricte ...) {DSA-2530-1} - rssh 2.3.3-5 CVE-2012-3477 (SQL injection vulnerability in signup_check.php in NeoInvoice allows r ...) NOT-FOR-US: Neoinvoice CVE-2012-3476 (Multiple cross-site scripting (XSS) vulnerabilities in (1) application ...) NOT-FOR-US: Ushahidi CVE-2012-3475 (The installer in the Ushahidi Platform before 2.5 omits certain calls ...) NOT-FOR-US: Ushahidi CVE-2012-3474 (The comments API in application/libraries/api/MY_Comments_Api_Object.p ...) NOT-FOR-US: Ushahidi CVE-2012-3473 (The (1) reports API and (2) administration feature in the comments API ...) NOT-FOR-US: Ushahidi CVE-2012-3472 (The email API in application/libraries/api/MY_Email_Api_Object.php in ...) NOT-FOR-US: Ushahidi CVE-2012-3471 (Multiple SQL injection vulnerabilities in the edit functions in (1) ap ...) NOT-FOR-US: Ushahidi CVE-2012-3470 (Multiple SQL injection vulnerabilities in application/libraries/api/MY ...) NOT-FOR-US: Ushahidi CVE-2012-3469 (Multiple SQL injection vulnerabilities in the Ushahidi Platform before ...) NOT-FOR-US: Ushahidi CVE-2012-3468 (Multiple SQL injection vulnerabilities in the Ushahidi Platform before ...) NOT-FOR-US: Ushahidi CVE-2012-3467 (Apache QPID 0.14, 0.16, and earlier uses a NullAuthenticator mechanism ...) - qpid-cpp 0.16-7 (bug #684456) [wheezy] - qpid-cpp 0.16-6+deb7u1 CVE-2012-3466 (GNOME gnome-keyring 3.4.0 through 3.4.1, when gpg-cache-method is set ...) - gnome-keyring 3.4.1-5 (bug #683655) [squeeze] - gnome-keyring (Only affects gnome-keyring 3.4.x) CVE-2012-3465 (Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view ...) {DSA-2655-1} - rails 2.3.14.1 (low) - ruby-actionpack-3.2 3.2.6-4 (bug #684454) NOTE: Starting with 2.3.14.1 rails is a transition package CVE-2012-3464 (Cross-site scripting (XSS) vulnerability in activesupport/lib/active_s ...) {DSA-2655-1} - rails 2.3.14.1 (low) - ruby-actionpack-3.2 3.2.6-4 (bug #684454) NOTE: Starting with 2.3.14.1 rails is a transition package CVE-2012-3463 (Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view ...) - rails (Only affects RoR 3.x) - ruby-actionpack-3.2 3.2.6-4 (bug #684454) NOTE: http://www.openwall.com/lists/oss-security/2012/08/09/8 CVE-2012-3462 (A flaw was found in SSSD version 1.9.0. The SSSD's access-provider log ...) - sssd 1.10.0-1 NOTE: https://pagure.io/SSSD/sssd/issue/1470 NOTE: https://pagure.io/SSSD/sssd/c/ffcf27b0b773b580289d596f796aaf86c45ba920 (master) CVE-2012-3461 (The (1) otrl_base64_otr_decode function in src/b64.c; (2) otrl_proto_d ...) {DSA-2526-1} - libotr 3.2.1-1 (medium; bug #684121) CVE-2012-3460 (cumin: At installation postgresql database user created without passwo ...) NOT-FOR-US: Cumin CVE-2012-3459 (Cumin before 0.1.5444, as used in Red Hat Enterprise Messaging, Realti ...) NOT-FOR-US: Cumin CVE-2012-3458 (Beaker before 1.6.4, when using PyCrypto to encrypt sessions, uses AES ...) {DSA-2541-1} - beaker 1.6.3-1.1 (bug #684890) CVE-2012-3457 (PNP4Nagios 0.6 through 0.6.16 uses world-readable permissions for proc ...) - pnp4nagios (unimportant; bug #683879) NOTE: The permissions of this file are under the control of the admin CVE-2012-3456 (Heap-based buffer overflow in the read function in filters/words/mswor ...) - calligra 1:2.4.3-2 (bug #684004) - wv2 0.4.2.dfsg.1-9.1 (low) [squeeze] - wv2 (Minor issue) CVE-2012-3455 (Heap-based buffer overflow in the read function in filters/words/mswor ...) - koffice (low) [squeeze] - koffice (Minor issue) CVE-2012-3454 (eXtplorer 2.1.0b6 uses world writable permissions for the /var/lib/ext ...) - extplorer 2.1.0b6+dfsg.3-4 (low; bug #683649) [squeeze] - extplorer (Minor issue) CVE-2012-3453 (logol 1.5.0 uses world writable permissions for the /var/lib/logol/res ...) - logol 1.5.0-4 (bug #683647) CVE-2012-3452 (gnome-screensaver 3.4.x before 3.4.4 and 3.5.x before 3.5.4, when mult ...) - gnome-screensaver (vulnerable code not present) CVE-2012-3451 (Apache CXF before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 al ...) NOT-FOR-US: Apache CXF CVE-2012-3450 (pdo_sql_parser.re in the PDO extension in PHP before 5.3.14 and 5.4.x ...) {DSA-2527-1} - php5 5.4.4-1 (bug #683694) NOTE: http://seclists.org/bugtraq/2012/Jun/60 NOTE: https://bugs.php.net/bug.php?id=61755 NOTE: http://www.openwall.com/lists/oss-security/2012/08/02/3 NOTE: http://www.openwall.com/lists/oss-security/2012/08/02/7 CVE-2012-3449 (Open vSwitch 1.4.2 uses world writable permissions for (1) /var/lib/op ...) - openvswitch 1.4.2+git20120612-8 (bug #683665) CVE-2012-3448 (Unspecified vulnerability in Ganglia Web before 3.5.1 allows remote at ...) {DSA-2610-1} - ganglia 3.3.8-1 (bug #683584) CVE-2012-3447 (virt/disk/api.py in OpenStack Compute (Nova) 2012.1.x before 2012.1.2 ...) - nova 2012.1.1-6 (bug #684256) CVE-2012-3446 (Apache Libcloud before 0.11.1 uses an incorrect regular expression dur ...) - libcloud 0.5.0-1.1 (bug #683927) CVE-2012-3445 (The virTypedParameterArrayClear function in libvirt 0.9.13 does not pr ...) - libvirt 0.9.12-4 (bug #683483) [squeeze] - libvirt (Vulnerable code not present) NOTE: https://www.redhat.com/archives/libvir-list/2012-July/msg01650.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=844734 CVE-2012-3444 (The get_image_dimensions function in the image-handling functionality ...) {DSA-2529-1} - python-django 1.4.1-1 (bug #683364) NOTE: https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/ NOTE: http://www.openwall.com/lists/oss-security/2012/07/31/1 NOTE: http://www.openwall.com/lists/oss-security/2012/07/31/2 CVE-2012-3443 (The django.forms.ImageField class in the form system in Django before ...) {DSA-2529-1} - python-django 1.4.1-1 (bug #683364) NOTE: https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/ NOTE: http://www.openwall.com/lists/oss-security/2012/07/31/1 NOTE: http://www.openwall.com/lists/oss-security/2012/07/31/2 CVE-2012-3442 (The (1) django.http.HttpResponseRedirect and (2) django.http.HttpRespo ...) {DSA-2529-1} - python-django 1.4.1-1 (bug #683364) NOTE: https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/ NOTE: http://www.openwall.com/lists/oss-security/2012/07/31/1 NOTE: http://www.openwall.com/lists/oss-security/2012/07/31/2 CVE-2012-3441 (The database creation script (module/idoutils/db/scripts/create_mysqld ...) - icinga (Debian uses dbconfig, which does the right thing, bug #683320) CVE-2012-3440 (A certain Red Hat script for sudo 1.7.2 on Red Hat Enterprise Linux (R ...) - sudo (Red Hat-specific postinst script) CVE-2012-3439 REJECTED CVE-2012-3438 (The Magick_png_malloc function in coders/png.c in GraphicsMagick 6.7.8 ...) - graphicsmagick 1.3.16-1.1 (low; bug #683284) [squeeze] - graphicsmagick (Minor issue) CVE-2012-3437 (The Magick_png_malloc function in coders/png.c in ImageMagick 6.7.8 an ...) {DLA-242-1} - imagemagick 8:6.7.7.10-3 (low; bug #683285) [squeeze] - imagemagick (Minor issue) CVE-2012-3436 (OpenTTD 0.6.0 through 1.2.1 does not properly validate requests to cle ...) {DSA-2524-1} - openttd 1.2.1-2 (low; bug #683258) CVE-2012-3435 (SQL injection vulnerability in frontends/php/popup_bitem.php in Zabbix ...) {DSA-2539-1} - zabbix 1:2.0.2+dfsg-1 (bug #683273) NOTE: http://seclists.org/oss-sec/2012/q3/127 CVE-2012-3434 (Multiple cross-site scripting (XSS) vulnerabilities in userperspan.php ...) NOT-FOR-US: WordPress plugin Count Per Day CVE-2012-3433 (Xen 4.0 and 4.1 allows local HVM guest OS kernels to cause a denial of ...) {DSA-2531-1} - xen 4.1.3-1 (bug #683279) CVE-2012-3432 (The handle_mmio function in arch/x86/hvm/io.c in the MMIO operations e ...) {DSA-2531-1} - xen 4.1.3-1 (bug #683279) CVE-2012-3431 (The Teiid Java Database Connectivity (JDBC) socket, as used in JBoss E ...) NOT-FOR-US: Teeid CVE-2012-3430 (The rds_recvmsg function in net/rds/recv.c in the Linux kernel before ...) - linux 3.2.29-1 - linux-2.6 [squeeze] - linux-2.6 2.6.32-36 NOTE: http://www.openwall.com/lists/oss-security/2012/07/26/3 CVE-2012-3429 (The dns_to_ldap_dn_escape function in src/ldap_convert.c in bind-dyndb ...) NOT-FOR-US: Dynamic LDAP backend plugin for BIND CVE-2012-3428 (The IronJacamar container before 1.0.12.Final for JBoss Application Se ...) - jbossas4 (Only builds a few libraries, not the full application server) CVE-2012-3427 (EC2 Amazon Machine Image (AMI) in JBoss Enterprise Application Platfor ...) - jbossas4 (Only builds a few libraries, not the full application server) CVE-2012-3426 (OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before ...) - keystone 2012.1.1-1 CVE-2012-3425 (The png_push_read_zTXt function in pngpread.c in libpng 1.0.x before 1 ...) {DLA-375-1} - libpng 1.2.49-1 (low; bug #668082) CVE-2012-3424 (The decode_credentials method in actionpack/lib/action_controller/meta ...) - rails (Only affects RoR 3.x) - ruby-actionpack-3.2 3.2.6-3 (bug #683370) CVE-2012-3423 (The IcedTea-Web plugin before 1.2.1 does not properly handle NPVariant ...) - icedtea-web 1.3-1 CVE-2012-3422 (The getFirstInTableInstance function in the IcedTea-Web plugin before ...) - icedtea-web 1.3-1 CVE-2012-3421 (The pduread function in pdu.c in libpcp in Performance Co-Pilot (PCP) ...) {DSA-2533-1} - pcp 3.6.5 (bug #685476) CVE-2012-3420 (Multiple memory leaks in Performance Co-Pilot (PCP) before 3.6.5 allow ...) {DSA-2533-1} - pcp 3.6.5 (bug #685476) CVE-2012-3419 (Performance Co-Pilot (PCP) before 3.6.5 exports some of the /proc file ...) {DSA-2533-1} - pcp 3.6.5 (bug #685476) CVE-2012-3418 (libpcp in Performance Co-Pilot (PCP) before 3.6.5 allows remote attack ...) {DSA-2533-1} - pcp 3.6.5 (bug #685476) CVE-2012-3417 (The good_client function in rquotad (rquota_svc.c) in Linux DiskQuota ...) - quota 4.00~pre1-1 NOTE: this is at least fixed in 4.00, I could not trace this back to an exact version CVE-2012-3416 (Condor before 7.8.2 allows remote attackers to bypass host-based authe ...) - condor 7.8.2~dfsg.1-1 (bug #685366) CVE-2012-3415 REJECTED CVE-2012-3414 (Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFUpload ...) - libjs-swfupload 2.2.0.1+ds1-2 (low; bug #681323) - wordpress 3.5.1+dfsg-1 (bug #698934) NOTE: https://nealpoole.com/blog/2012/05/xss-and-csrf-via-swf-applets-swfupload-plupload/ CVE-2012-3413 (The HTMLQuoteColorer::process function in messageviewer/htmlquotecolor ...) - kdepim (Only affects kdepim >= 4.6) NOTE: CVE-request http://www.openwall.com/lists/oss-security/2012/07/13/3 NOTE: https://projects.kde.org/projects/kde/kdepim/repository/revisions/dbb2f72f4745e00f53031965a9c10b2d6862bd54 NOTE: https://bugs.launchpad.net/ubuntu/+source/kdepim/+bug/1022690 CVE-2012-3412 (The sfc (aka Solarflare Solarstorm) driver in the Linux kernel before ...) - linux 3.2.29-1 - linux-2.6 [squeeze] - linux-2.6 2.6.32-36 CVE-2012-3411 (Dnsmasq before 2.63test1, when used with certain libvirt configuration ...) - dnsmasq 2.63-1 (low; bug #683372) [wheezy] - dnsmasq (Minor issue) [squeeze] - dnsmasq (Minor issue) NOTE: Please see CVE-2013-0198 CVE-2012-3410 (Stack-based buffer overflow in lib/sh/eaccess.c in GNU Bash before 4.2 ...) - bash 4.2-4 (low; bug #681278) [squeeze] - bash (Minor issue) CVE-2012-3409 (ecryptfs-utils: suid helper does not restrict mounting filesystems wit ...) - ecryptfs-utils 99-1 (bug #682220) [squeeze] - ecryptfs-utils (home src/dest mountpoints hardcoded in that version) CVE-2012-3408 (lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet En ...) - puppet 2.7.18-1 (low) [squeeze] - puppet (Minor issue) NOTE: http://puppetlabs.com/security/cve/cve-2012-3408/ NOTE: There's no code fix, but this should be addressed in stable with a NEWS file warning about this NOTE: Fixed in 2.7.18 by updated docs CVE-2012-3407 (plow has local buffer overflow vulnerability ...) NOT-FOR-US: plow NOTE: http://www.openwall.com/lists/oss-security/2012/07/11/6 NOTE: http://www.openwall.com/lists/oss-security/2012/07/11/16 CVE-2012-3406 (The vfprintf function in stdio-common/vfprintf.c in GNU C Library (aka ...) {DSA-3169-1 DLA-165-1} - eglibc - glibc 2.19-14 (low; bug #681888) NOTE: Upstream fix: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5985c6ea868db23380977a35a2167549f9a3653b NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=826943 NOTE: http://www.openwall.com/lists/oss-security/2012/07/11/5 NOTE: http://www.openwall.com/lists/oss-security/2012/07/11/17 CVE-2012-3405 (The vfprintf function in stdio-common/vfprintf.c in libc in GNU C Libr ...) {DLA-165-1} - glibc 2.13-35 (low; bug #681473) - eglibc 2.13-35 (low; bug #681473) NOTE: http://sourceware.org/bugzilla/show_bug.cgi?id=13446 NOTE: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=a4647e727a2a52e1259474c13f4b13288938bed4 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=833704 NOTE: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=1d498daa95384e5c9ad5bcb35e7a996e5869ac39 NOTE: http://www.openwall.com/lists/oss-security/2012/07/11/5 NOTE: http://www.openwall.com/lists/oss-security/2012/07/11/17 CVE-2012-3404 (The vfprintf function in stdio-common/vfprintf.c in libc in GNU C Libr ...) - glibc 2.13-35 (low; bug #681473) - eglibc 2.13-35 (low; bug #681473) [squeeze] - eglibc 2.11.3-1 NOTE: http://sourceware.org/bugzilla/show_bug.cgi?id=12445 NOTE: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=84a4211850e3d23a9d3a4f3b294752a3b30bc0ff NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=833703 NOTE: http://www.openwall.com/lists/oss-security/2012/07/11/5 NOTE: http://www.openwall.com/lists/oss-security/2012/07/11/17 CVE-2012-3403 (Heap-based buffer overflow in the KiSS CEL file format plug-in in GIMP ...) - gimp 2.8.2-1 (bug #685397) [squeeze] - gimp 2.6.10-1+squeeze4 CVE-2012-3402 (Integer overflow in plug-ins/common/psd.c in the Adobe Photoshop PSD p ...) - gimp 2.4.0~rc1-1 NOTE: Only affects 2.2 series CVE-2012-3401 (The t2p_read_tiff_init function in tiff2pdf (tools/tiff2pdf.c) in LibT ...) {DSA-2552-1} - tiff 4.0.2-2 (bug #682115) - tiff3 3.9.6-7 (bug #682195) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=837577 CVE-2012-3400 (Heap-based buffer overflow in the udf_load_logicalvol function in fs/u ...) - linux 3.2.23-1 - linux-2.6 [squeeze] - linux-2.6 2.6.32-36 CVE-2012-3399 (Config/diff.php in Basilic 1.5.14 allows remote attackers to execute a ...) NOT-FOR-US: Basilic CVE-2012-3398 (Algorithmic complexity vulnerability in Moodle 1.9.x before 1.9.19, 2. ...) - moodle 2.2.3.dfsg-1 (bug #682203) [squeeze] - moodle (Minor issue) CVE-2012-3397 (lib/modinfolib.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, ...) - moodle 2.2.3.dfsg-2.1 (bug #682203) [squeeze] - moodle (Only affects >= 2.0) CVE-2012-3396 (Cross-site scripting (XSS) vulnerability in cohort/edit_form.php in Mo ...) - moodle 2.2.3.dfsg-2.1 (bug #682203) [squeeze] - moodle (Only affects >= 2.0) CVE-2012-3395 (SQL injection vulnerability in mod/feedback/complete.php in Moodle 2.0 ...) - moodle 2.2.3.dfsg-2.1 (bug #682203) [squeeze] - moodle (Only affects >= 2.0) CVE-2012-3394 (auth/ldap/ntlmsso_attempt.php in Moodle 2.0.x before 2.0.10, 2.1.x bef ...) - moodle 2.2.3.dfsg-2.1 (bug #682203) [squeeze] - moodle (Only affects >= 2.1) CVE-2012-3393 (Cross-site scripting (XSS) vulnerability in repository/lib.php in Mood ...) - moodle 2.2.3.dfsg-2.1 (bug #682203) [squeeze] - moodle (Only affects >= 2.1) CVE-2012-3392 (mod/forum/unsubscribeall.php in Moodle 2.1.x before 2.1.7 and 2.2.x be ...) - moodle 2.2.3.dfsg-1 (bug #682203) [squeeze] - moodle (Only affects >= 2.1) CVE-2012-3391 (mod/forum/rsslib.php in Moodle 2.1.x before 2.1.7 and 2.2.x before 2.2 ...) - moodle 2.2.3.dfsg-1 (bug #682203) [squeeze] - moodle (Only affects >= 2.1) CVE-2012-3390 (lib/filelib.php in Moodle 2.1.x before 2.1.7 and 2.2.x before 2.2.4 do ...) - moodle 2.2.3.dfsg-1 (bug #682203) [squeeze] - moodle (Only affects >= 2.1) CVE-2012-3389 (Multiple cross-site scripting (XSS) vulnerabilities in mod/lti/typesse ...) - moodle 2.2.3.dfsg-2.2 (bug #682203) [squeeze] - moodle (Only affects >= 2.2) CVE-2012-3388 (The is_enrolled function in lib/accesslib.php in Moodle 2.2.x before 2 ...) - moodle 2.2.3.dfsg-2.2 (bug #682203) [squeeze] - moodle (Only affects >= 2.2) CVE-2012-3387 (Moodle 2.3.x before 2.3.1 uses only a client-side check for whether re ...) - moodle (Only affects 2.3) CVE-2012-3386 (The "make distcheck" rule in GNU Automake before 1.11.6 and 1.12.x bef ...) - automake 1:1.4-p6-13.1 - automake1.10 1:1.10.3-3 [squeeze] - automake1.10 1:1.10.3-1+squeeze1 - automake1.11 1:1.11.6-1 (bug #681097) [squeeze] - automake1.11 1:1.11.1-1+squeeze1 - automake1.7 1.7.9-10 [squeeze] - automake1.7 1.7.9-9.1+squeeze1 - automake1.9 1.9.6+nogfdl-4 [squeeze] - automake1.9 1.9.6+nogfdl-3.1+squeeze1 CVE-2012-3385 (WordPress before 3.4.1 does not properly restrict access to post conte ...) - wordpress 3.4.1+dfsg-1 (bug #680721) NOTE: http://www.openwall.com/lists/oss-security/2012/07/02/1 NOTE: http://www.openwall.com/lists/oss-security/2012/07/08/1 CVE-2012-3384 (Cross-site request forgery (CSRF) vulnerability in the customizer in W ...) - wordpress 3.4.1+dfsg-1 (bug #680721) NOTE: http://www.openwall.com/lists/oss-security/2012/07/02/1 NOTE: http://www.openwall.com/lists/oss-security/2012/07/08/1 CVE-2012-3383 (The map_meta_cap function in wp-includes/capabilities.php in WordPress ...) - wordpress 3.4.1+dfsg-1 (bug #680721) NOTE: http://www.openwall.com/lists/oss-security/2012/07/02/1 NOTE: http://www.openwall.com/lists/oss-security/2012/07/08/1 CVE-2012-3382 (Cross-site scripting (XSS) vulnerability in the ProcessRequest functio ...) {DSA-2512-1} - mono 2.10.8.1-5 (bug #681095) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=769799 NOTE: https://github.com/mono/mono/commit/d16d4623edb210635bec3ca3786481b82cde25a2 CVE-2012-3381 (sfcb in sblim-sfcb places a zero-length directory name in the LD_LIBRA ...) NOT-FOR-US: sblim-sfcb NOTE: https://bugzilla.suse.com/show_bug.cgi?id=770234 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=838160 NOTE: http://www.openwall.com/lists/oss-security/2012/07/06/7 NOTE: http://www.openwall.com/lists/oss-security/2012/07/06/8 CVE-2012-3380 (Directory traversal vulnerability in naxsi-ui/nx_extract.py in the Nax ...) - nginx 1.2.1-2 [squeeze] - nginx (naxsi package was introduced in 1.1.18-1) CVE-2012-3379 [as31: insecure file creation in /tmp] REJECTED CVE-2012-3378 (The register_application function in atk-adaptor/bridge.c in GNOME at- ...) - at-spi2-atk 2.5.3-1 (bug #678026) CVE-2012-3377 (Heap-based buffer overflow in the Ogg_DecodePacket function in the OGG ...) - vlc 2.0.2-1 (bug #680665) [squeeze] - vlc (Unsupported in squeeze-lts) NOTE: http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commitdiff;h=16e9e126333fb7acb47d363366fee3deadc8331e NOTE: http://securitytracker.com/id/1027224 CVE-2012-3376 (DataNodes in Apache Hadoop 2.0.0 alpha does not check the BlockTokens ...) - hadoop (bug #535861) NOTE: http://seclists.org/bugtraq/2012/Jul/48 CVE-2012-3375 (The epoll_ctl system call in fs/eventpoll.c in the Linux kernel before ...) - linux 3.2.23-1 - linux-2.6 (Introduced in 3.2) CVE-2012-3374 (Buffer overflow in markup.c in the MXit protocol plugin in libpurple i ...) {DSA-2509-1} - pidgin 2.10.6-1 (bug #680661) [squeeze] - pidgin 2.7.3-1+squeeze3 NOTE: http://www.pidgin.im/news/security/index.php?id=64 NOTE: http://hg.pidgin.im/pidgin/main/rev/ded93865ef42 CVE-2012-3373 (Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before ...) NOT-FOR-US: Apache Wicket CVE-2012-3372 (** DISPUTED ** The default configuration of Cyberoam UTM appliances us ...) NOT-FOR-US: Cyberoam DPI devices NOTE: https://blog.torproject.org/blog/security-vulnerability-found-cyberoam-dpi-devices-cve-2012-3372 NOTE: http://seclists.org/bugtraq/2012/Jul/20 CVE-2012-3371 (The Nova scheduler in OpenStack Compute (Nova) Folsom (2012.2) and Ess ...) - nova 2012.1.1-5 (bug #681301) NOTE: http://www.openwall.com/lists/oss-security/2012/07/11/13 NOTE: https://github.com/openstack/nova/commit/034762e8060dcf0a11cb039b9d426b0d0bb1801d NOTE: https://github.com/openstack/nova/commit/25f5bd31805bd21d7b7e3583c775252aa8f737e9 NOTE: https://bugs.launchpad.net/nova/+bug/1017795 CVE-2012-3370 (The SecurityAssociation.getCredential method in JBoss Enterprise Appli ...) - jbossas4 (Only builds a few libraries, not the full application server, #581226) CVE-2012-3369 (The CallerIdentityLoginModule in JBoss Enterprise Application Platform ...) - jbossas4 (Only builds a few libraries, not the full application server, #581226) CVE-2012-3368 (Integer signedness error in attach.c in dtach 0.8 allows remote attack ...) - dtach 0.8-2.1 (low; bug #625302) [squeeze] - dtach 0.8-2+squeeze1 NOTE: http://sourceforge.net/tracker/?func=detail&aid=3517812&group_id=36489&atid=417357 NOTE: http://sourceforge.net/tracker/download.php?group_id=36489&atid=417357&file_id=441195&aid=3517812 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=812551 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=835849 CVE-2012-3367 (Red Hat Certificate System (RHCS) before 8.1.1 and Dogtag Certificate ...) NOT-FOR-US: Red Hat Certificate System CVE-2012-3366 (The Trigger plugin in bcfg2 1.2.x before 1.2.3 allows remote attackers ...) {DSA-2503-1} - bcfg2 1.2.2-2 (bug #679272) CVE-2012-3365 (The SQLite functionality in PHP before 5.3.15 allows remote attackers ...) - php5 (unimportant) NOTE: open_basedir not supported CVE-2012-3364 (Multiple stack-based buffer overflows in the Near Field Communication ...) - linux 3.2.23-1 [squeeze] - linux-2.6 (Vulnerable code not present) CVE-2012-3363 (Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.1 ...) {DSA-2505-1} - zendframework 1.11.12-1 (bug #679215) - moodle 2.5-1 (bug #703870) [squeeze] - moodle (Vulnerable code not present) CVE-2012-3362 (Cross-site request forgery (CSRF) vulnerability in eXtplorer 2.1 RC3 a ...) {DSA-2510-1} - extplorer 2.1.0b6+dfsg.3-3 (bug #678737) CVE-2012-3361 (virt/disk/api.py in OpenStack Compute (Nova) Folsom (2012.2), Essex (2 ...) - nova 2012.1.1-2 (bug #680110) CVE-2012-3360 (Directory traversal vulnerability in virt/disk/api.py in OpenStack Com ...) - nova 2012.1.1-2 (bug #680110) CVE-2012-3359 (Luci in Red Hat Conga stores the user's username and password in a Bas ...) NOT-FOR-US: Red Hat Conga CVE-2012-3358 (Multiple heap-based buffer overflows in the j2k_read_sot function in j ...) {DSA-2629-1} - openjpeg 1.3+dfsg-4.4 (bug #681075) NOTE: http://www.openwall.com/lists/oss-security/2012/07/11/1 NOTE: Upstream patch: http://code.google.com/p/openjpeg/source/detail?r=1727 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=835767 CVE-2012-3357 (The SVN revision view (lib/vclib/svn/svn_repos.py) in ViewVC before 1. ...) {DSA-2563-1} - viewvc 1.1.5-1.3 (bug #679069) NOTE: http://viewvc.tigris.org/issues/show_bug.cgi?id=353 NOTE: http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2755 NOTE: http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2756 NOTE: http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2757 NOTE: http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2759 NOTE: http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2760 CVE-2012-3356 (The remote SVN views functionality (lib/vclib/svn/svn_ra.py) in ViewVC ...) {DSA-2563-1} - viewvc 1.1.5-1.3 (bug #679069) NOTE: http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2758 CVE-2012-3355 ((1) AlbumTab.py, (2) ArtistTab.py, (3) LinksTab.py, and (4) LyricsTab. ...) - rhythmbox 2.97-2.1 (low; bug #616673) [squeeze] - rhythmbox (Minor issue) NOTE: Upstream bug report https://bugzilla.gnome.org/show_bug.cgi?id=678661 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=835076 CVE-2012-3354 (doku.php in DokuWiki, as used in Fedora 16, 17, and 18, when certain P ...) - dokuwiki 0.0.20130510a-1 (unimportant) NOTE: http://www.openwall.com/lists/oss-security/2012/06/24/2 CVE-2012-3353 (The Apache Sling JCR ContentLoader 2.1.4 XmlReader used in the Sling J ...) NOT-FOR-US: Apache Sling CVE-2012-3553 (chan_skinny.c in the Skinny (aka SCCP) channel driver in Asterisk Open ...) - asterisk (Only affects Asterisk 10) CVE-2012-3352 RESERVED CVE-2012-3351 (Multiple cross-site scripting (XSS) vulnerabilities in LongTail Video ...) NOT-FOR-US: LongTail Video JW Player CVE-2012-3350 (SQL injection vulnerability in index.php in Webmatic 3.1.1 allows remo ...) NOT-FOR-US: WebMatic NOTE: http://seclists.org/bugtraq/2012/Jul/25 CVE-2012-3349 RESERVED CVE-2012-3348 RESERVED CVE-2012-3347 (AutoFORM PDM Archive before 7.0 implements user accounts in a way that ...) NOT-FOR-US: AutoFORM PDM Archive CVE-2012-3346 RESERVED CVE-2012-3345 (ioquake3 before r2253 allows local users to overwrite arbitrary files ...) - ioquake3 1.36+svn2224-4 NOTE: http://www.openwall.com/lists/oss-security/2012/06/15/3 CVE-2012-3344 RESERVED CVE-2012-3343 (Cross-site request forgery (CSRF) vulnerability in Microdasys before 3 ...) NOT-FOR-US: Microdasys CVE-2010-5141 (wxBitcoin and bitcoind before 0.3.5 do not properly handle script opco ...) - bitcoin (Fixed before initial release) CVE-2012-3342 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2012-3341 RESERVED CVE-2012-3340 RESERVED CVE-2012-3339 RESERVED CVE-2012-3338 RESERVED CVE-2012-3337 RESERVED CVE-2012-3336 RESERVED CVE-2012-3335 RESERVED CVE-2012-3334 (Stack-based buffer overflow in IBM Informix Dynamic Server (IDS) 11.50 ...) NOT-FOR-US: IBM Informix Dynamic Server CVE-2012-3333 (CRLF injection vulnerability in IBM Maximo Asset Management 7.x before ...) NOT-FOR-US: IBM Maximo Asset Management and others CVE-2012-3332 RESERVED CVE-2012-3331 (IBM Sametime allows remote attackers to obtain sensitive information f ...) NOT-FOR-US: IBM Sametime CVE-2012-3330 (The proxy server in IBM WebSphere Application Server 7.0 before 7.0.0. ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2012-3329 (IBM Advanced Settings Utility (ASU) through 3.62 and 3.70 through 9.21 ...) NOT-FOR-US: IBM Advanced Settings Utility, Bootable Media Creator CVE-2012-3328 (Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Managemen ...) NOT-FOR-US: IBM CVE-2012-3327 (Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Managemen ...) NOT-FOR-US: IBM CVE-2012-3326 (Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Managemen ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2012-3325 (IBM WebSphere Application Server (WAS) 6.1.x before 6.1.0.45, 7.0.x be ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2012-3324 (Directory traversal vulnerability in the UTL_FILE module in IBM DB2 an ...) NOT-FOR-US: IBM DB2 CVE-2012-3323 (IBM Maximo Asset Management 6.2 before 6.2.8, 7.1 before 7.1.1.12, and ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2012-3322 (Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Managemen ...) NOT-FOR-US: IBM CVE-2012-3321 (IBM SmartCloud Control Desk 7.5 allows remote authenticated users to b ...) NOT-FOR-US: IBM CVE-2012-3320 RESERVED CVE-2012-3319 (IBM Rational Business Developer 8.x before 8.0.1.4 allows remote attac ...) NOT-FOR-US: IBM Rational Business Developer CVE-2012-3318 RESERVED CVE-2012-3317 (IBM WebSphere Message Broker 6.1 before 6.1.0.11, 7.0 before 7.0.0.5, ...) NOT-FOR-US: IBM WebSphere CVE-2012-3316 (Cross-site scripting (XSS) vulnerability in the Tivoli Process Automat ...) NOT-FOR-US: IBM CVE-2012-3315 (The Java servlets in the management console in IBM Tivoli Federated Id ...) NOT-FOR-US: IBM Tivoli CVE-2012-3314 (IBM Tivoli Federated Identity Manager (TFIM) and Tivoli Federated Iden ...) NOT-FOR-US: IBM Tivoli CVE-2012-3313 (Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Managemen ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2012-3312 (The datasource definition editor in IBM InfoSphere Guardium 8.2 and ea ...) NOT-FOR-US: IBM InfoSphere Guardium CVE-2012-3311 (IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.45, 7.0 before ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2012-3310 (IBM Tivoli Federated Identity Manager (TFIM) before 6.1.1.14, 6.2.0 be ...) NOT-FOR-US: IBM Tivoli CVE-2012-3309 (Cross-site request forgery (CSRF) vulnerability in the account-creatio ...) NOT-FOR-US: IBM InfoSphere Guardium CVE-2012-3308 (Cross-site scripting (XSS) vulnerability in IBM Sametime 8.0.2 through ...) NOT-FOR-US: IBM Sametime CVE-2012-3307 RESERVED CVE-2012-3306 (IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.45, 7.0 before ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2012-3305 (Directory traversal vulnerability in IBM WebSphere Application Server ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2012-3304 (The Administrative Console in IBM WebSphere Application Server (WAS) 6 ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2012-3303 RESERVED CVE-2012-3302 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Lotus Domin ...) NOT-FOR-US: IBM Lotus Domino CVE-2012-3301 (Multiple CRLF injection vulnerabilities in the HTTP server in IBM Lotu ...) NOT-FOR-US: IBM Lotus Domino CVE-2012-3300 (IBM WebSphere Commerce 7.0 before 7.0.0.6, when persistent sessions an ...) NOT-FOR-US: IBM WebSphere Commerce CVE-2012-3299 RESERVED CVE-2012-3298 (Unspecified vulnerability in the REST services framework in IBM WebSph ...) NOT-FOR-US: IBM WebSphere Commerce CVE-2012-3297 (Cross-site scripting (XSS) vulnerability in the embedded HTTP server i ...) NOT-FOR-US: IBM Tivoli CVE-2012-3296 (Cross-site scripting (XSS) vulnerability in the Help link in the login ...) NOT-FOR-US: IBM Power Hardware Management Console CVE-2012-3295 (IBM WebSphere MQ 7.1, when an SVRCONN channel is used, allows remote a ...) NOT-FOR-US: IBM WebSphere MQ CVE-2012-3294 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Web ...) NOT-FOR-US: IBM WebSphere CVE-2012-3293 (Cross-site scripting (XSS) vulnerability in the Administrative Console ...) NOT-FOR-US: IBM WebSphere CVE-2012-3292 (The GridFTP in Globus Toolkit (GT) before 5.2.2, when certain autoconf ...) {DSA-2523-1} - globus-gridftp-server 6.5-1 CVE-2012-3291 (Heap-based buffer overflow in OpenConnect 3.18 allows remote servers t ...) {DSA-2495-1} - openconnect 3.18-1 (bug #677594) CVE-2012-3290 (Multiple unspecified vulnerabilities in Google Chrome before 20.0.1132 ...) NOT-FOR-US: Chrome books CVE-2012-3289 (VMware Workstation 8.x before 8.0.4, VMware Player 4.x before 4.0.4, V ...) NOT-FOR-US: VMware CVE-2012-3288 (VMware Workstation 7.x before 7.1.6 and 8.x before 8.0.4, VMware Playe ...) NOT-FOR-US: VMware CVE-2012-3287 (Poul-Henning Kamp md5crypt has insufficient algorithmic complexity and ...) NOT-FOR-US: md5crypt CVE-2012-3286 (Unspecified vulnerability in HP ArcSight Connector Appliance 6.3 and e ...) NOT-FOR-US: HP ArcSight appliance CVE-2012-3285 (Unspecified vulnerability on the HP LeftHand Virtual SAN Appliance hyd ...) NOT-FOR-US: HP LeftHand Virtual SAN Appliance CVE-2012-3284 (Unspecified vulnerability on the HP LeftHand Virtual SAN Appliance hyd ...) NOT-FOR-US: HP LeftHand Virtual SAN Appliance CVE-2012-3283 (Unspecified vulnerability on the HP LeftHand Virtual SAN Appliance hyd ...) NOT-FOR-US: HP LeftHand Virtual SAN Appliance CVE-2012-3282 (Unspecified vulnerability on the HP LeftHand Virtual SAN Appliance hyd ...) NOT-FOR-US: HP LeftHand Virtual SAN Appliance CVE-2012-3281 (Unspecified vulnerability in Device Manager in HP XP P9000 Command Vie ...) NOT-FOR-US: HP XP P9000 Command View CVE-2012-3280 (Multiple unspecified vulnerabilities on HP NonStop Servers H06.x and J ...) NOT-FOR-US: HP NonStop Servers CVE-2012-3279 (Multiple cross-site scripting (XSS) vulnerabilities in HP Network Node ...) NOT-FOR-US: HP Network Node Manager i CVE-2012-3278 (Stack-based buffer overflow in magentservice.exe in HP Diagnostics Ser ...) NOT-FOR-US: HP Diagnostics Server CVE-2012-3277 (HP OpenVMS 8.3, 8.3-1H1, and 8.4 on the Itanium platform and 7.3-2, 8. ...) NOT-FOR-US: HP OpenVMS CVE-2012-3276 (HP OpenVMS 8.3, 8.3-1H1, and 8.4 on the Itanium platform and 7.3-2, 8. ...) NOT-FOR-US: HP OpenVMS CVE-2012-3275 (Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.1x and ...) NOT-FOR-US: HP Network Node Manager CVE-2012-3274 (Stack-based buffer overflow in uam.exe in the User Access Manager (UAM ...) NOT-FOR-US: HP Intelligent Management Center CVE-2012-3273 (Multiple unspecified vulnerabilities on the HP LaserJet Pro 400 MFP M4 ...) NOT-FOR-US: HP LaserJet CVE-2012-3272 (Cross-site scripting (XSS) vulnerability on the HP Color LaserJet CM35 ...) NOT-FOR-US: HP LaserJet CVE-2012-3271 (Unspecified vulnerability on the HP Integrated Lights-Out 3 (aka iLO3) ...) NOT-FOR-US: HP ILO CVE-2012-3270 (Unspecified vulnerability in HP Performance Insight 5.31, 5.40, and 5. ...) NOT-FOR-US: HP Performance Insight CVE-2012-3269 (Unspecified vulnerability in HP Performance Insight 5.31, 5.40, and 5. ...) NOT-FOR-US: HP Performance Insight CVE-2012-3268 (Certain HP Access Controller, Fabric Module, Firewall, Router, Switch, ...) NOT-FOR-US: HP network devices CVE-2012-3267 (Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.20 all ...) NOT-FOR-US: HP NNMi CVE-2012-3266 (Unspecified vulnerability in IBRIX 6.1.196 through 6.1.251 on HP IBRIX ...) NOT-FOR-US: HP IBRIX CVE-2012-3265 REJECTED CVE-2012-3264 (Unspecified vulnerability in a SOAP feature in HP SiteScope 11.10 thro ...) NOT-FOR-US: HP SiteScope CVE-2012-3263 (Unspecified vulnerability in a SOAP feature in HP SiteScope 11.10 thro ...) NOT-FOR-US: HP SiteScope CVE-2012-3262 (Unspecified vulnerability in a SOAP feature in HP SiteScope 11.10 thro ...) NOT-FOR-US: HP SiteScope CVE-2012-3261 (Unspecified vulnerability in a SOAP feature in HP SiteScope 11.10 thro ...) NOT-FOR-US: HP SiteScope CVE-2012-3260 (Unspecified vulnerability in a SOAP feature in HP SiteScope 11.10 thro ...) NOT-FOR-US: HP SiteScope CVE-2012-3259 (Unspecified vulnerability in a SOAP feature in HP SiteScope 11.10 thro ...) NOT-FOR-US: HP SiteScope CVE-2012-3258 (Unspecified vulnerability in HP Operations Orchestration 9.0 before 9. ...) NOT-FOR-US: HP Operations Orchestration CVE-2012-3257 (HP Business Availability Center (BAC) 8.07 allows remote authenticated ...) NOT-FOR-US: HP Business Availability Center CVE-2012-3256 (Cross-site request forgery (CSRF) vulnerability in HP Business Availab ...) NOT-FOR-US: HP Business Availability Center CVE-2012-3255 (Cross-site scripting (XSS) vulnerability in HP Business Availability C ...) NOT-FOR-US: HP Business Availability Center CVE-2012-3254 (Multiple unspecified vulnerabilities in HP iNode Management Center bef ...) NOT-FOR-US: HP iNode Management Center CVE-2012-3253 (Multiple unspecified vulnerabilities in HP Intelligent Management Cent ...) NOT-FOR-US: HP Intelligent Management CVE-2012-3252 (Unspecified vulnerability in HP Serviceguard A.11.19 and A.11.20 allow ...) NOT-FOR-US: HP Serviceguard CVE-2012-3251 (Cross-site scripting (XSS) vulnerability in HP Service Manager Web Tie ...) NOT-FOR-US: HP Service Manager CVE-2012-3250 (Unspecified vulnerability in HP Service Manager Server 7.11, 9.21, and ...) NOT-FOR-US: HP Service Manager CVE-2012-3249 (HP Fortify Software Security Center 3.1, 3.3, 3.4, and 3.5 allows remo ...) NOT-FOR-US: HP Fortify Software Security Center CVE-2012-3248 (HP Fortify Software Security Center 3.1, 3.3, 3.4, and 3.5 allows remo ...) NOT-FOR-US: HP Fortify Software Security Center CVE-2012-3247 (Unspecified vulnerability on the HP Integrity Server BL860c i2, BL870c ...) NOT-FOR-US: HP Integrity Server CVE-2012-3246 RESERVED CVE-2012-3245 RESERVED CVE-2012-3244 RESERVED CVE-2012-3243 (Cross-site scripting (XSS) vulnerability in the SEOgento plugin for Ma ...) NOT-FOR-US: SEOgento plugin for Magento CVE-2012-3242 RESERVED CVE-2012-3241 (The VMware Broker in Eucalyptus 2.0.3 and 3.0.x before 3.0.2 does not ...) - eucalyptus (Fixed before initial release) CVE-2012-3240 (The Walrus service in Eucalyptus 2.0.3 and 3.0.x before 3.0.2 allows r ...) - eucalyptus (Fixed before initial release) CVE-2012-3239 RESERVED CVE-2012-3238 (Cross-site scripting (XSS) vulnerability in the Backup/Restore compone ...) NOT-FOR-US: Astaro appliance CVE-2012-3237 RESERVED CVE-2012-3236 (fits-io.c in GIMP before 2.8.1 allows remote attackers to cause a deni ...) - gimp 2.8.2-1 (unimportant) NOTE: Harmless crasher w/o security impact NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=676804 NOTE: https://git.gnome.org/browse/gimp/commit/?id=0474376d234bc3d0901fd5e86f89d778a6473dd8 (GIMP_2_8_2) CVE-2012-3235 RESERVED CVE-2012-3234 (RealNetworks RealPlayer before 15.0.6.14, RealPlayer SP 1.0 through 1. ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2012-3233 (Cross-site scripting (XSS) vulnerability in __swift/thirdparty/PHPExce ...) NOT-FOR-US: Kayako Fusion 4.40.1148 CVE-2012-3232 (Cross-site scripting (XSS) vulnerability in search.php in web@all 2.0, ...) NOT-FOR-US: web@all CVE-2012-3231 (Multiple cross-site request forgery (CSRF) vulnerabilities in web@all ...) NOT-FOR-US: web@all CVE-2012-3230 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...) NOT-FOR-US: Oracle Siebel CRM CVE-2012-3229 (Unspecified vulnerability in the Siebel UI Framework component in Orac ...) NOT-FOR-US: Oracle Siebel CRM CVE-2012-3228 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle Financial Services Software CVE-2012-3227 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking com ...) NOT-FOR-US: Oracle Financial Services Software CVE-2012-3226 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking com ...) NOT-FOR-US: Oracle Financial Services Software CVE-2012-3225 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle Financial Services Software CVE-2012-3224 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle Financial Services Software CVE-2012-3223 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle Financial Services Software CVE-2012-3222 (Unspecified vulnerability in the Oracle iRecruitment component in Orac ...) NOT-FOR-US: Oracle E-Business Suite CVE-2012-3221 (Unspecified vulnerability in the Oracle VM Virtual Box component in Or ...) {DSA-2594-1} - virtualbox 4.1.18-dfsg-1.1 (bug #690777) - virtualbox-ose NOTE: http://www.halfdog.net/Security/2012/VirtualBoxSoftwareInterrupt0x8GuestCrash/ CVE-2012-3220 (Unspecified vulnerability in the Spatial component in Oracle Database ...) NOT-FOR-US: Oracle Database Server CVE-2012-3219 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle CVE-2012-3218 (Unspecified vulnerability in the Human Resources component in Oracle E ...) NOT-FOR-US: Oracle CVE-2012-3217 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-3216 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 6b24-1.11.5-0ubuntu1 (bug #690774) - openjdk-7 7u3-2.1.3-1 (bug #690774) CVE-2012-3215 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11, when runnin ...) NOT-FOR-US: Oracle Sun Solaris CVE-2012-3214 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-3213 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Specific to Oracle Java, not present in IcedTea) - openjdk-7 (Specific to Oracle Java, not present in IcedTea) NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected CVE-2012-3212 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11, when runnin ...) NOT-FOR-US: Oracle Sun Solaris CVE-2012-3211 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local ...) NOT-FOR-US: Oracle Sun Solaris CVE-2012-3210 (Unspecified vulnerability in Oracle Sun Solaris 11 allows remote attac ...) NOT-FOR-US: Oracle Sun Solaris CVE-2012-3209 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11, when runnin ...) NOT-FOR-US: Oracle Sun Solaris CVE-2012-3208 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local ...) NOT-FOR-US: Oracle Sun Solaris CVE-2012-3207 (Unspecified vulnerability in Oracle Sun Solaris 9, 10, and 11 allows l ...) NOT-FOR-US: Oracle Sun Solaris CVE-2012-3206 (Unspecified vulnerability in the Integrated Lights Out Manager CLI in ...) NOT-FOR-US: Oracle Sun Products Suite SysFW CVE-2012-3205 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Oracle Sun Solaris CVE-2012-3204 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Oracle Sun Solaris CVE-2012-3203 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Oracle Sun Solaris CVE-2012-3202 (Multiple unspecified vulnerabilities in the Oracle JRockit component i ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-3201 (Unspecified vulnerability in the PeopleSoft Enterprise Campus Solution ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-3200 (Unspecified vulnerability in the Oracle Agile PLM Framework component ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2012-3199 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local ...) NOT-FOR-US: Oracle Sun Solaris CVE-2012-3198 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-3197 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2581-1} - mysql-5.1 - mysql-5.5 5.5.28+dfsg-1 (bug #690778) CVE-2012-3196 (Unspecified vulnerability in the Oracle Human Resources component in O ...) NOT-FOR-US: Oracle E-Business Suite CVE-2012-3195 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-3194 (Unspecified vulnerability in the Oracle BI Publisher component in Orac ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-3193 (Unspecified vulnerability in the Oracle BI Publisher component in Orac ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-3192 (Unspecified vulnerability in the PeopleSoft PeopleTools component in O ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-3191 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-3190 (Unspecified vulnerability in the Oracle Universal Work Queue component ...) NOT-FOR-US: Oracle E-Business Suite CVE-2012-3189 (Unspecified vulnerability in Oracle Sun Solaris 11 allows remote attac ...) NOT-FOR-US: Oracle Sun Solaris CVE-2012-3188 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-3187 (Unspecified vulnerability in Oracle Sun Solaris 10 allows local users ...) NOT-FOR-US: Oracle Sun Solaris CVE-2012-3186 (Unspecified vulnerability in the Oracle WebCenter Sites component in O ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-3185 (Unspecified vulnerability in the Oracle WebCenter Sites component in O ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-3184 (Unspecified vulnerability in the Oracle WebCenter Sites component in O ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-3183 (Unspecified vulnerability in the Oracle WebCenter Sites component in O ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-3182 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-3181 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-3180 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2581-1} - mysql-5.1 - mysql-5.5 5.5.28+dfsg-1 (bug #690778) CVE-2012-3179 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-3178 (Unspecified vulnerability in the kernel in Oracle Sun Solaris 11 allow ...) NOT-FOR-US: Oracle Sun Solaris CVE-2012-3177 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2581-1} - mysql-5.1 - mysql-5.5 5.5.28+dfsg-1 (bug #690778) CVE-2012-3176 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-3175 (Unspecified vulnerability in the Oracle Application Server Single Sign ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-3174 (Unspecified vulnerability in Oracle Java 7 before Update 11 allows rem ...) - openjdk-6 (Only affects Java 7) - openjdk-7 7u3-2.1.4-1 CVE-2012-3173 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2581-1} - mysql-5.1 - mysql-5.5 5.5.28+dfsg-1 (bug #690778) CVE-2012-3172 (Unspecified vulnerability in the Siebel CRM component in Oracle Siebel ...) NOT-FOR-US: Oracle Siebel CRM CVE-2012-3171 (Unspecified vulnerability in the Oracle Applications Technology Stack ...) NOT-FOR-US: Oracle E-Business Suite CVE-2012-3170 (Unspecified vulnerability in the Siebel CRM component in Oracle Siebel ...) NOT-FOR-US: Oracle Siebel CRM CVE-2012-3169 (Unspecified vulnerability in the Siebel CRM component in Oracle Siebel ...) NOT-FOR-US: Oracle Siebel CRM CVE-2012-3168 (Unspecified vulnerability in the Siebel CRM component in Oracle Siebel ...) NOT-FOR-US: Oracle Siebel CRM CVE-2012-3167 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2581-1} - mysql-5.1 - mysql-5.5 5.5.28+dfsg-1 (bug #690778) CVE-2012-3166 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2581-1} - mysql-5.1 - mysql-5.5 5.5.28+dfsg-1 (bug #690778) CVE-2012-3165 (Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 allow ...) NOT-FOR-US: Oracle Sun Solaris CVE-2012-3164 (Unspecified vulnerability in the Oracle Marketing component in Oracle ...) NOT-FOR-US: Oracle E-Business Suite CVE-2012-3163 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2581-1} - mysql-5.1 - mysql-5.5 5.5.28+dfsg-1 (bug #690778) CVE-2012-3162 (Unspecified vulnerability in the Oracle Applications Framework compone ...) NOT-FOR-US: Oracle E-Business Suite CVE-2012-3161 (Unspecified vulnerability in the Oracle Agile PLM Framework component ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2012-3160 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2581-1} - mysql-5.1 - mysql-5.5 5.5.28+dfsg-1 (bug #690778) CVE-2012-3159 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2012-3158 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2581-1} - mysql-5.1 - mysql-5.5 5.5.28+dfsg-1 (bug #690778) CVE-2012-3157 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle Financial Services Software CVE-2012-3156 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 5.5.28+dfsg-1 (bug #690778) CVE-2012-3155 (Unspecified vulnerability in the CORBA ORB component in Sun GlassFish ...) - glassfish (bug #692035) [stretch] - glassfish (Only used a build dep, specific details withheld) [jessie] - glassfish [wheezy] - glassfish NOTE: Oracle doesn't provide any useful public information to fix the package without importing a new upstream version. CVE-2012-3154 (Unspecified vulnerability in the Oracle Agile PLM Framework component ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2012-3153 (Unspecified vulnerability in the Oracle Reports Developer component in ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-3152 (Unspecified vulnerability in the Oracle Reports Developer component in ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-3151 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2012-3150 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2581-1} - mysql-5.1 - mysql-5.5 5.5.28+dfsg-1 (bug #690778) CVE-2012-3149 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 5.5.28+dfsg-1 (bug #690778) CVE-2012-3148 (Unspecified vulnerability in the Oracle Field Service component in Ora ...) NOT-FOR-US: Oracle E-Business Suite CVE-2012-3147 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 5.5.28+dfsg-1 (bug #690778) CVE-2012-3146 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2012-3145 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle Financial Services Software CVE-2012-3144 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 5.5.28+dfsg-1 (bug #690778) CVE-2012-3143 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Specific to Oracle Java, not present in IcedTea) - openjdk-7 (Specific to Oracle Java, not present in IcedTea) NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected CVE-2012-3142 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle Financial Services Software CVE-2012-3141 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking com ...) NOT-FOR-US: Oracle Financial Services Software CVE-2012-3140 (Unspecified vulnerability in the Oracle Agile PLM For Process componen ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2012-3139 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2012-3138 (Unspecified vulnerability in the Oracle iStore component in Oracle E-B ...) NOT-FOR-US: Oracle E-Business Suite CVE-2012-3137 (The authentication protocol in Oracle Database Server 10.2.0.3, 10.2.0 ...) NOT-FOR-US: Oracle Database CVE-2012-3136 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 7u3-2.1.2-1 - openjdk-6 CVE-2012-3135 (Unspecified vulnerability in the Oracle JRockit component in Oracle Fu ...) NOT-FOR-US: Oracle Fusion CVE-2012-3134 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2012-3133 (Buffer overflow in the DataDirect ODBC driver, as used in Oracle Hyper ...) NOT-FOR-US: Oracle CVE-2012-3132 (SQL injection vulnerability in Oracle Database Server 10.2.0.3, 10.2.0 ...) NOT-FOR-US: Oracle Database CVE-2012-3131 (Unspecified vulnerability in Oracle Sun Solaris 9, 10, and 11 allows r ...) NOT-FOR-US: Oracle Sun Solaris CVE-2012-3130 (Unspecified vulnerability in Oracle Sun Solaris 11 allows remote attac ...) NOT-FOR-US: Oracle Sun Solaris CVE-2012-3129 (Unspecified vulnerability in Oracle Sun Solaris 10 allows remote attac ...) NOT-FOR-US: Oracle Sun Solaris CVE-2012-3128 (Unspecified vulnerability in Oracle SPARC T-Series Servers running Sys ...) NOT-FOR-US: ILO firmware CVE-2012-3127 (Unspecified vulnerability in Oracle Sun Solaris 10 allows remote attac ...) NOT-FOR-US: Oracle Sun Solaris CVE-2012-3126 (Unspecified vulnerability in the Solaris Cluster component in Oracle S ...) NOT-FOR-US: Solaris Cluster CVE-2012-3125 (Unspecified vulnerability in Oracle Sun Solaris 8, 9, and 10 allows re ...) NOT-FOR-US: Oracle Sun Solaris CVE-2012-3124 (Unspecified vulnerability in Oracle Sun Solaris 10 allows remote attac ...) NOT-FOR-US: Oracle Sun Solaris CVE-2012-3123 (Unspecified vulnerability in Oracle Sun Solaris 10 allows remote attac ...) NOT-FOR-US: Oracle Sun Solaris CVE-2012-3122 (Unspecified vulnerability in Oracle Sun Solaris 8 and 9 allows local u ...) NOT-FOR-US: Oracle Sun Solaris CVE-2012-3121 (Unspecified vulnerability in Oracle Sun Solaris 9 and 10 allows remote ...) NOT-FOR-US: Oracle Sun Solaris CVE-2012-3120 (Unspecified vulnerability in Oracle Sun Solaris 8 allows remote attack ...) NOT-FOR-US: Oracle Sun Solaris CVE-2012-3119 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: Oracle PeopleSoft Products (PeopleSoft Enterprise HRMS) CVE-2012-3118 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products (PeopleSoft Enterprise PeopleTools) CVE-2012-3117 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2012-3116 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2012-3115 (Unspecified vulnerability in the Oracle MapViewer component in Oracle ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-3114 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2012-3113 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: Oracle PeopleSoft Products (PeopleSoft Enterprise HRMS) CVE-2012-3112 (Unspecified vulnerability in Oracle Sun Solaris 10 allows remote attac ...) NOT-FOR-US: Oracle Sun Solaris CVE-2012-3111 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products (PeopleSoft Enterprise HRMS) CVE-2012-3110 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-3109 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-3108 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-3107 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-3106 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-3105 (The glBufferData function in the WebGL implementation in Mozilla Firef ...) - iceweasel 10.0.5esr-1 [squeeze] - iceweasel (Vulnerable code not present) CVE-2012-3104 REJECTED CVE-2011-5093 (Best Practical Solutions RT 4.x before 4.0.6 does not properly impleme ...) NOTE: Dupe of CVE-2011-4458 CVE-2011-5092 (Best Practical Solutions RT 3.8.x before 3.8.12 and 4.x before 4.0.6 a ...) NOTE: Dupe of CVE-2011-4458 CVE-2012-3103 RESERVED CVE-2012-3102 RESERVED CVE-2012-3101 RESERVED CVE-2012-3100 RESERVED CVE-2012-3099 RESERVED CVE-2012-3098 RESERVED CVE-2012-3097 RESERVED CVE-2012-3096 (Cisco Unity Connection (UC) 7.1, 8.0, and 8.5 allows remote authentica ...) NOT-FOR-US: Cisco Unity Connection CVE-2012-3095 RESERVED CVE-2012-3094 (The VPN downloader in the download_install component in Cisco AnyConne ...) NOT-FOR-US: Cisco AnyConnect Secure Mobility Client CVE-2012-3093 RESERVED CVE-2012-3092 RESERVED CVE-2012-3091 RESERVED CVE-2012-3090 RESERVED CVE-2012-3089 RESERVED CVE-2012-3088 (Cisco AnyConnect Secure Mobility Client 3.1.x before 3.1.00495, and 3. ...) NOT-FOR-US: Cisco AnyConnect Secure Mobility Client CVE-2012-3087 RESERVED CVE-2012-3086 RESERVED CVE-2012-3085 RESERVED CVE-2012-3084 RESERVED CVE-2012-3083 RESERVED CVE-2012-3082 RESERVED CVE-2012-3081 RESERVED CVE-2012-3080 RESERVED CVE-2012-3079 (Cisco IOS 12.2 allows remote attackers to cause a denial of service (C ...) NOT-FOR-US: Cisco IOS CVE-2012-3078 RESERVED CVE-2012-3077 RESERVED CVE-2012-3076 (The administrative web interface on Cisco TelePresence Recording Serve ...) NOT-FOR-US: Cisco Telepresence CVE-2012-3075 (The administrative web interface on Cisco TelePresence Immersive Endpo ...) NOT-FOR-US: Cisco Telepresence CVE-2012-3074 (An unspecified API on Cisco TelePresence Immersive Endpoint Devices be ...) NOT-FOR-US: Cisco Telepresence CVE-2012-3073 (The IP implementation on Cisco TelePresence Multipoint Switch before 1 ...) NOT-FOR-US: Cisco Telepresence CVE-2012-3072 RESERVED CVE-2012-3071 RESERVED CVE-2012-3070 RESERVED CVE-2012-3069 RESERVED CVE-2012-3068 RESERVED CVE-2012-3067 RESERVED CVE-2012-3066 RESERVED CVE-2012-3065 RESERVED CVE-2012-3064 RESERVED CVE-2012-3063 (Cisco Application Control Engine (ACE) before A4(2.3) and A5 before A5 ...) NOT-FOR-US: Cisco CVE-2012-3062 (Cisco IOS before 15.1(1)SY, when Multicast Listener Discovery (MLD) sn ...) NOT-FOR-US: Cisco IOS CVE-2012-3061 RESERVED CVE-2012-3060 (Cisco Unity Connection (UC) 8.6, 9.0, and 9.5 allows remote attackers ...) NOT-FOR-US: Cisco Unity Connection CVE-2012-3059 RESERVED CVE-2012-3058 (Cisco Adaptive Security Appliances (ASA) 5500 series devices, and the ...) NOT-FOR-US: Cisco CVE-2012-3057 (Heap-based buffer overflow in the Cisco WebEx Recording Format (WRF) p ...) NOT-FOR-US: Cisco WebEx Player CVE-2012-3056 (Buffer overflow in the Cisco WebEx Recording Format (WRF) player T27 L ...) NOT-FOR-US: Cisco WebEx Player CVE-2012-3055 (Stack-based buffer overflow in the Cisco WebEx Recording Format (WRF) ...) NOT-FOR-US: Cisco WebEx Player CVE-2012-3054 (Heap-based buffer overflow in the Cisco WebEx Recording Format (WRF) p ...) NOT-FOR-US: Cisco WebEx Player CVE-2012-3053 (Buffer overflow in the Cisco WebEx Advanced Recording Format (ARF) pla ...) NOT-FOR-US: Cisco WebEx Player CVE-2012-3052 (Untrusted search path vulnerability in Cisco VPN Client 5.0 allows loc ...) NOT-FOR-US: Cisco VPN Client CVE-2012-3051 (Cisco NX-OS 5.2 and 6.1 on Nexus 7000 series switches allows remote at ...) NOT-FOR-US: Cisco NX-OS CVE-2012-3050 RESERVED CVE-2012-3049 RESERVED CVE-2012-3048 RESERVED CVE-2012-3047 (Cross-site scripting (XSS) vulnerability in the web-wizard setup page ...) NOT-FOR-US: Cisco CVE-2012-3046 RESERVED CVE-2012-3045 RESERVED CVE-2012-3044 RESERVED CVE-2012-3043 RESERVED CVE-2012-3042 REJECTED CVE-2012-3041 RESERVED CVE-2012-3040 (Cross-site scripting (XSS) vulnerability in the web server on Siemens ...) NOT-FOR-US: Siemens CVE-2012-3039 (Moxa OnCell Gateway G3111, G3151, G3211, and G3251 devices with firmwa ...) NOT-FOR-US: Moxa OnCell Gateway CVE-2012-3038 RESERVED CVE-2012-3037 (The Siemens SIMATIC S7-1200 2.x PLC does not properly protect the priv ...) NOT-FOR-US: Siemens SIMATIC PLC CVE-2012-3036 REJECTED CVE-2012-3035 (Buffer overflow in Emerson DeltaV 9.3.1 and 10.3 through 11.3.1 allows ...) NOT-FOR-US: Emerson DeltaV CVE-2012-3034 (WebNavigator in Siemens WinCC 7.0 SP3 and earlier, as used in SIMATIC ...) NOT-FOR-US: Siemens WinCC CVE-2012-3033 REJECTED CVE-2012-3032 (SQL injection vulnerability in WebNavigator in Siemens WinCC 7.0 SP3 a ...) NOT-FOR-US: Siemens WinCC CVE-2012-3031 (Multiple cross-site scripting (XSS) vulnerabilities in WebNavigator in ...) NOT-FOR-US: Siemens WinCC CVE-2012-3030 (WebNavigator in Siemens WinCC 7.0 SP3 and earlier, as used in SIMATIC ...) NOT-FOR-US: Siemens WinCC CVE-2012-3029 REJECTED CVE-2012-3028 (Cross-site request forgery (CSRF) vulnerability in WebNavigator in Sie ...) NOT-FOR-US: Siemens WinCC CVE-2012-3027 REJECTED CVE-2012-3026 (rifsrvd.exe in the Remote Interface Service in GE Intelligent Platform ...) NOT-FOR-US: GE Intelligent Platforms Proficy Real-Time Information Portal CVE-2012-3025 (The default configuration of Tridium Niagara AX Framework through 3.6 ...) NOT-FOR-US: Tridium Niagara AX Framework CVE-2012-3024 (Tridium Niagara AX Framework through 3.6 uses predictable values for ( ...) NOT-FOR-US: Tridium Niagara AX Framework CVE-2012-3023 RESERVED CVE-2012-3022 (The SaveToFile method in a certain ActiveX control in TrendDisplay.dll ...) NOT-FOR-US: Canary Labs TrendLink CVE-2012-3021 (rifsrvd.exe in the Remote Interface Service in GE Intelligent Platform ...) NOT-FOR-US: GE Intelligent Platforms Proficy Real-Time Information Portal CVE-2012-3020 (The Siemens Synco OZW Web Server devices OZW672.*, OZW772.*, and OZW77 ...) NOT-FOR-US: Siemens Synco OZW Web Server CVE-2012-3019 RESERVED CVE-2012-3018 (The lockout-recovery feature in the Security Configurator component in ...) NOT-FOR-US: ICONICS GENESIS32 CVE-2012-3017 (Siemens SIMATIC S7-400 PN CPU devices with firmware 5.x allow remote a ...) NOT-FOR-US: Siemens SIMATIC CVE-2012-3016 (Siemens SIMATIC S7-400 PN CPU devices with firmware 6 before 6.0.3 all ...) NOT-FOR-US: Siemens SIMATIC CVE-2012-3015 (Untrusted search path vulnerability in Siemens SIMATIC STEP7 before 5. ...) NOT-FOR-US: Siemens SIMATIC CVE-2012-3014 (The Management Software application in GarrettCom Magnum MNS-6K before ...) NOT-FOR-US: GarrettCom Magnum MNS-6K CVE-2012-3013 (WAGO I/O System 758 model 758-870, 758-874, 758-875, and 758-876 Indus ...) NOT-FOR-US: WAGO I/O System 758 CVE-2012-3012 (The Arbiter Power Sentinel 1133A device with firmware before 11Jun2012 ...) NOT-FOR-US: Arbiter Power Sentinel 1133A CVE-2012-3011 (Directory traversal vulnerability in the web server in Fultek WinTr Sc ...) NOT-FOR-US: Fultek WinTr Scada web server CVE-2012-3010 (rifsrvd.exe in the Remote Interface Service in GE Intelligent Platform ...) NOT-FOR-US: GE Intelligent Platforms Proficy Real-Time Information Portal CVE-2012-3009 (Siemens COMOS before 9.1 Patch 413, 9.2 before Update 03 Patch 023, an ...) NOT-FOR-US: Siemens COMOS CVE-2012-3008 (Stack-based buffer overflow in OSIsoft PI OPC DA Interface before 2.3. ...) NOT-FOR-US: OSIsoft PI OPC DA Interface CVE-2012-3007 (Stack-based buffer overflow in slssvc.exe before 58.x in Invensys Wond ...) NOT-FOR-US: Invensys Wonderware SuiteLink CVE-2012-3006 (The Innominate mGuard Smart HW before HW-101130 and BD before BD-10103 ...) NOT-FOR-US: Innominate mGuard Smart CVE-2012-3005 (Untrusted search path vulnerability in Invensys Wonderware InTouch 201 ...) NOT-FOR-US: Wonderwar CVE-2012-3004 (Multiple untrusted search path vulnerabilities in RealFlex RealWin bef ...) NOT-FOR-US: RealFlex RealWin CVE-2012-3003 (Open redirect vulnerability in an unspecified web application in Sieme ...) NOT-FOR-US: WinCC CVE-2012-3002 (The web interface on (1) Foscam and (2) Wansview IP cameras allows rem ...) NOT-FOR-US: Foscam, Wansview IP cameras CVE-2012-3001 (Mutiny Standard before 4.5-1.12 allows remote attackers to execute arb ...) NOT-FOR-US: Mutiny Standard CVE-2012-3000 (Multiple SQL injection vulnerabilities in sam/admin/reports/php/saveSe ...) NOT-FOR-US: F5 BIG-IP CVE-2012-2999 (Multiple cross-site request forgery (CSRF) vulnerabilities in the web ...) NOT-FOR-US: Cerberus FTP CVE-2012-2998 (SQL injection vulnerability in the ad hoc query module in Trend Micro ...) NOT-FOR-US: Trend Micro Control Manager CVE-2012-2997 (XML External Entity (XXE) vulnerability in sam/admin/vpe2/public/php/s ...) NOT-FOR-US: F5 BIG-IP CVE-2012-2996 (Cross-site request forgery (CSRF) vulnerability in saveAccountSubTab.i ...) NOT-FOR-US: Trend Micro CVE-2012-2995 (Multiple cross-site scripting (XSS) vulnerabilities in Trend Micro Int ...) NOT-FOR-US: Trend Micro CVE-2012-2994 (The CoSoSys Endpoint Protector 4 appliance establishes an EPProot pass ...) NOT-FOR-US: CoSoSys Endpoint Protector CVE-2012-2993 (Microsoft Windows Phone 7 does not verify the domain name in the subje ...) NOT-FOR-US: Microsoft Windows Phone CVE-2012-2992 RESERVED CVE-2012-2991 (The PayPal (aka MODULE_PAYMENT_PAYPAL_STANDARD) module before 1.1 in o ...) NOT-FOR-US: PayPal module in osCommerce Online Merchant CVE-2012-2990 (The MASetupCaller ActiveX control before 1.4.2012.508 in MASetupCaller ...) NOT-FOR-US: MarkAny ContentSAFER CVE-2012-2989 RESERVED CVE-2012-2988 RESERVED CVE-2012-2987 RESERVED CVE-2012-2986 (lhn/public/network/ping in HP SAN/iQ 9.5 on the HP Virtual SAN Applian ...) NOT-FOR-US: HP Virtual SAN Appliance CVE-2012-2985 (Cross-site scripting (XSS) vulnerability in InsertDocument.aspx in Cut ...) NOT-FOR-US: CuteSoft Cute Editor CVE-2012-2984 (Multiple cross-site scripting (XSS) vulnerabilities in monitor/m_overv ...) NOT-FOR-US: Websense CVE-2012-2983 (file/edit_html.cgi in Webmin 1.590 and earlier does not perform an aut ...) - webmin CVE-2012-2982 (file/show.cgi in Webmin 1.590 and earlier allows remote authenticated ...) - webmin CVE-2012-2981 (Webmin 1.590 and earlier allows remote authenticated users to execute ...) - webmin CVE-2012-2980 (The Samsung and HTC onTouchEvent method implementation for Android on ...) NOT-FOR-US: Samsung and HTC Android CVE-2012-2979 (FreeBSD NSD before 3.2.13 allows remote attackers to crash a NSD child ...) - nsd3 (Debian version not affected) CVE-2012-2978 (query.c in NSD 3.0.x through 3.0.8, 3.1.x through 3.1.1, and 3.2.x bef ...) {DSA-2515-1} - nsd3 3.2.12-1 CVE-2012-2977 (The management console in Symantec Web Gateway 5.0.x before 5.0.3.18 a ...) NOT-FOR-US: Symantec Web Gateway CVE-2012-2976 (The management console in Symantec Web Gateway 5.0.x before 5.0.3.18 a ...) NOT-FOR-US: Symantec Web Gateway CVE-2012-2975 (Cross-site scripting (XSS) vulnerability in the traffic overview page ...) NOT-FOR-US: F5 ASM CVE-2012-2974 (The web interface on the SMC SMC8024L2 switch allows remote attackers ...) NOT-FOR-US: SMC SMC8024L2 switch CVE-2012-2973 RESERVED CVE-2012-2972 (The (1) server and (2) agent components in CA ARCserve Backup r12.5, r ...) NOT-FOR-US: CA ARCserve Backup CVE-2012-2971 (The server in CA ARCserve Backup r12.5, r15, and r16 on Windows does n ...) NOT-FOR-US: CA ARCserve Backup CVE-2012-2970 (The Synel SY-780/A Time & Attendance terminal allows remote attack ...) NOT-FOR-US: Synel terminal CVE-2012-2969 (Caucho Quercus, as distributed in Resin before 4.0.29, allows remote a ...) NOT-FOR-US: Caucho Quercus CVE-2012-2968 (Directory traversal vulnerability in Caucho Quercus, as distributed in ...) NOT-FOR-US: Caucho Quercus CVE-2012-2967 (Caucho Quercus, as distributed in Resin before 4.0.29, does not proper ...) NOT-FOR-US: Caucho Quercus CVE-2012-2966 (Caucho Quercus, as distributed in Resin before 4.0.29, overwrites entr ...) NOT-FOR-US: Caucho Quercus CVE-2012-2965 (Caucho Quercus, as distributed in Resin before 4.0.29, does not proper ...) NOT-FOR-US: Caucho Quercus CVE-2012-2964 (The BreakingPoint Storm appliance before 3.0 requires cleartext creden ...) NOT-FOR-US: BreakingPoint Storm appliance CVE-2012-2963 (The administrative interface in the embedded web server on the Breakin ...) NOT-FOR-US: BreakingPoint Storm appliance CVE-2012-2962 (SQL injection vulnerability in d4d/statusFilter.php in Plixer Scrutini ...) NOT-FOR-US: Dell SonicWALL Scrutinizer CVE-2012-2961 (SQL injection vulnerability in the management console in Symantec Web ...) NOT-FOR-US: Symantec Web Gateway CVE-2012-2960 (Cross-site scripting (XSS) vulnerability in the import functionality i ...) NOT-FOR-US: HP ArcSight Connector, ArcSight Logger CVE-2012-2959 (Cross-site request forgery (CSRF) vulnerability in password-manager/ch ...) NOT-FOR-US: BMC CVE-2012-2958 RESERVED CVE-2012-2957 (The management console in Symantec Web Gateway 5.0.x before 5.0.3.18 a ...) NOT-FOR-US: Symantec Web Gateway CVE-2012-2956 (SQL injection vulnerability in SpiceWorks 5.3.75941 allows remote auth ...) NOT-FOR-US: SpiceWorks CVE-2012-2955 (Multiple cross-site scripting (XSS) vulnerabilities in the administrat ...) NOT-FOR-US: IBM Lotus Protector, IBM ISS Proventia Network Mail Security CVE-2012-2954 RESERVED CVE-2012-2953 (The management console in Symantec Web Gateway 5.0.x before 5.0.3.18 a ...) NOT-FOR-US: Symantec Web Gateway CVE-2012-2952 (SQL injection vulnerability in add_ons.php in Jaow 2.4.5 and earlier a ...) NOT-FOR-US: Jaow CVE-2012-2951 REJECTED CVE-2012-2950 (Gateway Geomatics MapServer for Windows before 3.0.6 contains a Local ...) NOT-FOR-US: Gateway Geomatics MapServer CVE-2012-2949 (The ZTE sync_agent program for Android 2.3.4 on the Score M device use ...) NOT-FOR-US: Android CVE-2012-2948 (chan_skinny.c in the Skinny (aka SCCP) channel driver in Certified Ast ...) {DSA-2493-1} - asterisk 1:1.8.13.0~dfsg-1 (bug #675210) CVE-2012-2947 (chan_iax2.c in the IAX2 channel driver in Certified Asterisk 1.8.11-ce ...) {DSA-2493-1} - asterisk 1:1.8.13.0~dfsg-1 (bug #675204) CVE-2012-2946 RESERVED CVE-2012-2945 (Hadoop 1.0.3 contains a symlink vulnerability. ...) - hadoop (bug #535861) CVE-2010-5140 (wxBitcoin and bitcoind before 0.3.13 do not properly handle bitcoins a ...) - bitcoin (Fixed before initial release) CVE-2010-5139 (Integer overflow in wxBitcoin and bitcoind before 0.3.11 allows remote ...) - bitcoin (Fixed before initial release) CVE-2010-5138 (wxBitcoin and bitcoind 0.3.x allow remote attackers to cause a denial ...) - bitcoin 0.4.0-1 CVE-2010-5137 (wxBitcoin and bitcoind before 0.3.5 allow remote attackers to cause a ...) - bitcoin (Fixed before initial release) CVE-2012-2944 (Buffer overflow in the addchar function in common/parseconf.c in upsd ...) {DSA-2484-1} - nut 2.6.4-1 NOTE: https://alioth.debian.org/tracker/index.php?func=detail&aid=313636&group_id=30602&atid=411542 CVE-2012-2943 (CRLF injection vulnerability in cryptographp.inc.php in Cryptographp a ...) NOT-FOR-US: Cryptographp CVE-2012-2942 (Buffer overflow in the trash buffer in the header capture functionalit ...) {DSA-2711-1} - haproxy 1.4.23-1 (bug #674447) NOTE: According to upstream information this only was fixed in 1.4.21 NOTE: only a issue if using non-default value for global.tune.bufsize configuration option NOTE: Reported as duplicate with CVE-2012-2391 http://seclists.org/oss-sec/2012/q2/417 CVE-2012-2941 (Cross-site scripting (XSS) vulnerability in search/ in Yandex.Server 2 ...) NOT-FOR-US: Yandex.Server 2010 9.0 Enterprise CVE-2012-2940 (MediaChance Real-DRAW PRO 5.2.4 allows remote attackers to cause a den ...) NOT-FOR-US: MediaChance Real-DRAW PRO CVE-2012-2939 (Multiple unrestricted file upload vulnerabilities in Travelon Express ...) NOT-FOR-US: Travelon Express CVE-2012-2938 (Multiple cross-site scripting (XSS) vulnerabilities in Travelon Expres ...) NOT-FOR-US: Travelon Express CVE-2012-2937 (Multiple SQL injection vulnerabilities in Pligg CMS before 1.2.2 allow ...) NOT-FOR-US: Pligg CVE-2012-2936 (Multiple cross-site scripting (XSS) vulnerabilities in Pligg CMS befor ...) NOT-FOR-US: Pligg CVE-2012-2935 (Cross-site scripting (XSS) vulnerability in osCommerce/OM/Core/Site/Sh ...) NOT-FOR-US: OSCommerce Online Merchant CVE-2012-2934 (Xen 4.0, and 4.1, when running a 64-bit PV guest on "older" AMD CPUs, ...) {DSA-2501-1} - xen 4.1.3~rc1+hg-20120614.a9c0a89c08f2-1 CVE-2012-2933 RESERVED CVE-2012-2932 (Multiple cross-site scripting (XSS) vulnerabilities in TinyWebGallery ...) NOT-FOR-US: TinyWebGallery CVE-2012-2931 (PHP code injection in TinyWebGallery before 1.8.8 allows remote authen ...) NOT-FOR-US: TinyWebGallery CVE-2012-2930 (Multiple cross-site request forgery (CSRF) vulnerabilities in TinyWebG ...) NOT-FOR-US: TinyWebGallery CVE-2012-2929 RESERVED CVE-2011-5091 (Multiple SQL injection vulnerabilities in GR Board (aka grboard) 1.8.6 ...) NOT-FOR-US: GR Board CVE-2011-5090 (GR Board (aka grboard) 1.8.6.5 Community Edition does not require auth ...) NOT-FOR-US: GR Board CVE-2012-2928 (The Gliffy plugin before 3.7.1 for Atlassian JIRA, and before 4.2 for ...) NOT-FOR-US: JIRA plugin CVE-2012-2927 (The TM Software Tempo plugin before 6.4.3.1, 6.5.x before 6.5.0.2, and ...) NOT-FOR-US: Atlassian JIRA CVE-2012-2926 (Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0. ...) NOT-FOR-US: Atlassian JIRA CVE-2012-2925 (SQL injection vulnerability in engine.php in Simple PHP Agenda 2.2.8 a ...) NOT-FOR-US: Simple PHP Agenda CVE-2012-2924 (PHP remote file inclusion vulnerability in admin/setup.inc.php in Hype ...) NOT-FOR-US: Hypermethod eLearning Server 4G CVE-2012-2923 (SQL injection vulnerability in news.php4 in Hypermethod eLearning Serv ...) NOT-FOR-US: Hypermethod eLearning Server 4G CVE-2012-2922 (The request_path function in includes/bootstrap.inc in Drupal 7.14 and ...) - drupal7 7.22-1 (unimportant) NOTE: Path disclosure irrelevant for Debian CVE-2012-2921 (Universal Feed Parser (aka feedparser or python-feedparser) before 5.1 ...) - feedparser 5.1.2-1 (low; bug #674167) [squeeze] - feedparser (Minor issue) CVE-2012-2920 (Cross-site scripting (XSS) vulnerability in the userphoto_options_page ...) NOT-FOR-US: WordPress User Photo plugin CVE-2012-2919 (Directory traversal vulnerability in Upload/engine.php in Chevereto 1. ...) NOT-FOR-US: Chevereto CVE-2012-2918 (Cross-site scripting (XSS) vulnerability in Upload/engine.php in Cheve ...) NOT-FOR-US: Chevereto CVE-2012-2917 (Cross-site scripting (XSS) vulnerability in the Share and Follow plugi ...) NOT-FOR-US: WordPress Share and Follow plugin CVE-2012-2916 (Cross-site scripting (XSS) vulnerability in sabre_class_admin.php in t ...) NOT-FOR-US: WordPress SABRE plugin CVE-2012-2915 (Stack-based buffer overflow in Lattice Semiconductor PAC-Designer 6.2. ...) NOT-FOR-US: Lattice Semiconductor PAC-Designer CVE-2012-2914 (Cross-site scripting (XSS) vulnerability in captchademo.php in Unijimp ...) NOT-FOR-US: Unijimpe Captcha CVE-2012-2913 (Multiple cross-site scripting (XSS) vulnerabilities in the Leaflet plu ...) NOT-FOR-US: WordPress Leaflet plugin CVE-2012-2912 (Multiple cross-site scripting (XSS) vulnerabilities in the LeagueManag ...) NOT-FOR-US: WordPress LeagueManager plugin CVE-2012-2911 (Cross-site scripting (XSS) vulnerability in backupDB.php in SiliSoftwa ...) NOT-FOR-US: SiliSoftware backupDB CVE-2012-2910 (Multiple cross-site scripting (XSS) vulnerabilities in SiliSoftware ph ...) NOT-FOR-US: SiliSoftware phpThumb CVE-2012-2909 (Multiple cross-site scripting (XSS) vulnerabilities in Viscacha 0.8.1. ...) NOT-FOR-US: Viscacha CVE-2012-2908 (Multiple SQL injection vulnerabilities in admin/bbcodes.php in Viscach ...) NOT-FOR-US: Viscacha CVE-2012-2907 (Cross-site scripting (XSS) vulnerability in the aberdeen_breadcrumb fu ...) NOT-FOR-US: Drupal Aberdeen theme CVE-2012-2906 (Multiple cross-site scripting (XSS) vulnerabilities in artpublic/recom ...) NOT-FOR-US: Artiphp CMS 5.5.0 Neo CVE-2012-2905 (Artiphp CMS 5.5.0 Neo (r422) stores database backups with predictable ...) NOT-FOR-US: Artiphp CMS CVE-2012-2904 (player.swf in LongTail JW Player 5.9 allows remote attackers to conduc ...) NOT-FOR-US: LongTail JW Player CVE-2012-2903 (Multiple cross-site scripting (XSS) vulnerabilities in PHP Address Boo ...) NOT-FOR-US: PHP Address Book CVE-2012-2902 (Unrestricted file upload vulnerability in editor/extensions/browser/fi ...) NOT-FOR-US: Joomla JCE CVE-2012-2901 (Cross-site scripting (XSS) vulnerability in the Profile List in the Jo ...) NOT-FOR-US: Joomla JCE CVE-2012-2900 (Skia, as used in Google Chrome before 22.0.1229.92, does not properly ...) - chromium-browser 22.0.1229.94~r161065-1 [squeeze] - chromium-browser CVE-2012-2899 (Google Chrome before 21.0.1180.82 on iOS makes certain incorrect calls ...) - chromium-browser (iOS-specific) CVE-2012-2898 (Google Chrome before 21.0.1180.82 on iOS on iPad devices allows remote ...) - chromium-browser (iOS-specific) CVE-2012-2897 (The kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows S ...) - chromium-browser (Windows-specific) CVE-2012-2896 (Integer overflow in the WebGL implementation in Google Chrome before 2 ...) - chromium-browser (MacOS X-specific) CVE-2012-2895 (The PDF functionality in Google Chrome before 22.0.1229.79 allows remo ...) - chromium-browser (PDF viewer not included in Chromium) CVE-2012-2894 (Google Chrome before 22.0.1229.79 does not properly handle graphics-co ...) - chromium-browser 22.0.1229.94~r161065-1 [squeeze] - chromium-browser CVE-2012-2893 (Double free vulnerability in libxslt, as used in Google Chrome before ...) {DSA-2555-1} - chromium-browser 22.0.1229.94~r161065-1 [squeeze] - chromium-browser - libxslt 1.1.26-14 (bug #689422) CVE-2012-2892 (Unspecified vulnerability in Google Chrome before 22.0.1229.79 allows ...) - chromium-browser 22.0.1229.94~r161065-1 [squeeze] - chromium-browser CVE-2012-2891 (The IPC implementation in Google Chrome before 22.0.1229.79 allows att ...) - chromium-browser 22.0.1229.94~r161065-1 [squeeze] - chromium-browser CVE-2012-2890 (Use-after-free vulnerability in the PDF functionality in Google Chrome ...) - chromium-browser (PDF viewer not included in Chromium) CVE-2012-2889 (Cross-site scripting (XSS) vulnerability in Google Chrome before 22.0. ...) - chromium-browser 22.0.1229.94~r161065-1 [squeeze] - chromium-browser CVE-2012-2888 (Use-after-free vulnerability in Google Chrome before 22.0.1229.79 allo ...) - chromium-browser 22.0.1229.94~r161065-1 [squeeze] - chromium-browser CVE-2012-2887 (Use-after-free vulnerability in Google Chrome before 22.0.1229.79 allo ...) - chromium-browser 22.0.1229.94~r161065-1 [squeeze] - chromium-browser CVE-2012-2886 (Cross-site scripting (XSS) vulnerability in Google Chrome before 22.0. ...) - chromium-browser 22.0.1229.94~r161065-1 [squeeze] - chromium-browser CVE-2012-2885 (Double free vulnerability in Google Chrome before 22.0.1229.79 allows ...) - chromium-browser 22.0.1229.94~r161065-1 [squeeze] - chromium-browser CVE-2012-2884 (Skia, as used in Google Chrome before 22.0.1229.79, allows remote atta ...) - chromium-browser 22.0.1229.94~r161065-1 [squeeze] - chromium-browser CVE-2012-2883 (Skia, as used in Google Chrome before 22.0.1229.79, allows remote atta ...) - chromium-browser 22.0.1229.94~r161065-1 [squeeze] - chromium-browser CVE-2012-2882 (FFmpeg, as used in Google Chrome before 22.0.1229.79, does not properl ...) - chromium-browser 22.0.1229.94~r161065-1 [squeeze] - chromium-browser - libav 6:0.8.5-1 (bug #694483) - ffmpeg (vulnerable code not present) NOTE: https://chromiumcodereview.appspot.com/10829204 NOTE: fixed with http://git.libav.org/?p=libav.git;a=commitdiff;h=7751e4693dd10ec98c20fbd9887233b575034272 CVE-2012-2881 (Google Chrome before 22.0.1229.79 does not properly handle plug-ins, w ...) - chromium-browser 22.0.1229.94~r161065-1 [squeeze] - chromium-browser CVE-2012-2880 (Race condition in Google Chrome before 22.0.1229.79 allows remote atta ...) - chromium-browser 22.0.1229.94~r161065-1 [squeeze] - chromium-browser CVE-2012-2879 (Google Chrome before 22.0.1229.79 allows remote attackers to cause a d ...) - chromium-browser 22.0.1229.94~r161065-1 [squeeze] - chromium-browser CVE-2012-2878 (Use-after-free vulnerability in Google Chrome before 22.0.1229.79 allo ...) - chromium-browser 22.0.1229.94~r161065-1 [squeeze] - chromium-browser CVE-2012-2877 (The extension system in Google Chrome before 22.0.1229.79 does not pro ...) - chromium-browser 22.0.1229.94~r161065-1 [squeeze] - chromium-browser CVE-2012-2876 (Buffer overflow in the SSE2 optimization functionality in Google Chrom ...) - chromium-browser 22.0.1229.94~r161065-1 [squeeze] - chromium-browser CVE-2012-2875 (Multiple unspecified vulnerabilities in the PDF functionality in Googl ...) - chromium-browser (PDF viewer not included in Chromium) [squeeze] - chromium-browser CVE-2012-2874 (Skia, as used in Google Chrome before 22.0.1229.79, allows remote atta ...) [squeeze] - chromium-browser - chromium-browser 22.0.1229.94~r161065-1 CVE-2012-2873 RESERVED CVE-2012-2872 (Cross-site scripting (XSS) vulnerability in an SSL interstitial page i ...) - chromium-browser 21.0.1180.89~r154005-1 [squeeze] - chromium-browser CVE-2012-2871 (libxml2 2.9.0-rc1 and earlier, as used in Google Chrome before 21.0.11 ...) {DSA-2555-1} - chromium-browser 21.0.1180.89~r154005-1 [squeeze] - chromium-browser - libxslt 1.1.26-14 (bug #689422) CVE-2012-2870 (libxslt 1.1.26 and earlier, as used in Google Chrome before 21.0.1180. ...) {DSA-2555-1} - chromium-browser 21.0.1180.89~r154005-1 [squeeze] - chromium-browser - libxslt 1.1.26-14 (bug #689422) CVE-2012-2869 (Google Chrome before 21.0.1180.89 does not properly load URLs, which a ...) - chromium-browser 21.0.1180.89~r154005-1 [squeeze] - chromium-browser CVE-2012-2868 (Race condition in Google Chrome before 21.0.1180.89 allows remote atta ...) - chromium-browser 21.0.1180.89~r154005-1 [squeeze] - chromium-browser CVE-2012-2867 (The SPDY implementation in Google Chrome before 21.0.1180.89 allows re ...) - chromium-browser 21.0.1180.89~r154005-1 [squeeze] - chromium-browser CVE-2012-2866 (Google Chrome before 21.0.1180.89 does not properly perform a cast of ...) - chromium-browser 21.0.1180.89~r154005-1 [squeeze] - chromium-browser CVE-2012-2865 (Google Chrome before 21.0.1180.89 does not properly perform line break ...) - chromium-browser 21.0.1180.89~r154005-1 [squeeze] - chromium-browser CVE-2012-2864 (Mesa, as used in Google Chrome before 21.0.1183.0 on the Acer AC700, C ...) - mesa 8.0.4-2 (bug #685667) [squeeze] - mesa (Vulnerable code not present) CVE-2012-2863 (The PDF functionality in Google Chrome before 21.0.1180.75 allows remo ...) - chromium-browser (PDF functionality not present in Chromium) CVE-2012-2862 (Use-after-free vulnerability in the PDF functionality in Google Chrome ...) - chromium-browser (PDF functionality not present in Chromium) CVE-2012-2861 RESERVED CVE-2012-2860 (The date-picker implementation in Google Chrome before 21.0.1180.57 on ...) - chromium-browser 21.0.1180.57~r148591 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/122918 CVE-2012-2859 (Google Chrome before 21.0.1180.57 on Linux does not properly handle ta ...) - chromium-browser 21.0.1180.57~r148591 [squeeze] - chromium-browser CVE-2012-2858 (Buffer overflow in the WebP decoder in Google Chrome before 21.0.1180. ...) - chromium-browser 21.0.1180.57~r148591 [squeeze] - chromium-browser CVE-2012-2857 (Use-after-free vulnerability in the Cascading Style Sheets (CSS) DOM i ...) - chromium-browser 21.0.1180.57~r148591 [squeeze] - chromium-browser CVE-2012-2856 (The PDF functionality in Google Chrome before 21.0.1180.57 on Mac OS X ...) - chromium-browser (PDF functionality not present in Chromium) CVE-2012-2855 (Use-after-free vulnerability in the PDF functionality in Google Chrome ...) - chromium-browser (PDF functionality not present in Chromium) CVE-2012-2854 (Google Chrome before 21.0.1180.57 on Mac OS X and Linux, and before 21 ...) - chromium-browser 21.0.1180.57~r148591 [squeeze] - chromium-browser CVE-2012-2853 (The webRequest API in Google Chrome before 21.0.1180.57 on Mac OS X an ...) - chromium-browser 21.0.1180.57~r148591 [squeeze] - chromium-browser CVE-2012-2852 (The PDF functionality in Google Chrome before 21.0.1180.57 on Mac OS X ...) - chromium-browser (PDF functionality not present in Chromium) CVE-2012-2851 (Multiple integer overflows in the PDF functionality in Google Chrome b ...) - chromium-browser (PDF functionality not present in Chromium) CVE-2012-2850 (Multiple unspecified vulnerabilities in the PDF functionality in Googl ...) - chromium-browser (PDF functionality not present in Chromium) CVE-2012-2849 (Off-by-one error in the GIF decoder in Google Chrome before 21.0.1180. ...) - chromium-browser 21.0.1180.57~r148591 [squeeze] - chromium-browser CVE-2012-2848 (The drag-and-drop implementation in Google Chrome before 21.0.1180.57 ...) - chromium-browser 21.0.1180.57~r148591 [squeeze] - chromium-browser CVE-2012-2847 (Google Chrome before 21.0.1180.57 on Mac OS X and Linux, and before 21 ...) - chromium-browser 21.0.1180.57~r148591 [squeeze] - chromium-browser CVE-2012-2846 (Google Chrome before 21.0.1180.57 on Linux does not properly isolate r ...) - chromium-browser 21.0.1180.57~r148591 [squeeze] - chromium-browser CVE-2012-2845 (Integer overflow in the jpeg_data_load_data function in jpeg-data.c in ...) - exif 0.6.20-2 (low; bug #681465) [squeeze] - exif (Minor crasher) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=771229 NOTE: http://seclists.org/oss-sec/2012/q3/74 CVE-2012-2844 (The PDF functionality in Google Chrome before 20.0.1132.57 does not pr ...) - chromium-browser CVE-2012-2843 (Use-after-free vulnerability in Google Chrome before 20.0.1132.57 allo ...) - chromium-browser 20.0.1132.57~r145807-1 [squeeze] - chromium-browser CVE-2012-2842 (Use-after-free vulnerability in Google Chrome before 20.0.1132.57 allo ...) - chromium-browser 20.0.1132.57~r145807-1 [squeeze] - chromium-browser CVE-2012-2841 (Integer underflow in the exif_entry_get_value function in exif-entry.c ...) {DSA-2559-1} - libexif 0.6.20-3 (bug #681454) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=771229 NOTE: http://seclists.org/oss-sec/2012/q3/74 CVE-2012-2840 (Off-by-one error in the exif_convert_utf16_to_utf8 function in exif-en ...) {DSA-2559-1} - libexif 0.6.20-3 (bug #681454) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=771229 NOTE: http://seclists.org/oss-sec/2012/q3/74 CVE-2012-2839 RESERVED CVE-2012-2838 RESERVED CVE-2012-2837 (The mnote_olympus_entry_get_value function in olympus/mnote-olympus-en ...) {DSA-2559-1} - libexif 0.6.20-3 (bug #681454) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=771229 NOTE: http://seclists.org/oss-sec/2012/q3/74 CVE-2012-2836 (The exif_data_load_data function in exif-data.c in the EXIF Tag Parsin ...) {DSA-2559-1} - libexif 0.6.20-3 (bug #681454) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=771229 NOTE: http://seclists.org/oss-sec/2012/q3/74 CVE-2012-2835 RESERVED CVE-2012-2834 (Integer overflow in Google Chrome before 20.0.1132.43 allows remote at ...) - chromium-browser 20.0.1132.43~r143823-1 [squeeze] - chromium-browser CVE-2012-2833 (Buffer overflow in the JS API in the PDF functionality in Google Chrom ...) - chromium-browser (PDF functionality not present in Chromium) CVE-2012-2832 (The image-codec implementation in the PDF functionality in Google Chro ...) - chromium-browser (PDF functionality not present in Chromium) CVE-2012-2831 (Use-after-free vulnerability in Google Chrome before 20.0.1132.43 allo ...) - chromium-browser 20.0.1132.43~r143823-1 [squeeze] - chromium-browser CVE-2012-2830 (Google Chrome before 20.0.1132.43 does not properly set array values, ...) - chromium-browser 20.0.1132.43~r143823-1 [squeeze] - chromium-browser CVE-2012-2829 (Use-after-free vulnerability in the Cascading Style Sheets (CSS) imple ...) - chromium-browser 20.0.1132.43~r143823-1 [squeeze] - chromium-browser CVE-2012-2828 (Multiple integer overflows in the PDF functionality in Google Chrome b ...) - chromium-browser (PDF functionality not present in Chromium) CVE-2012-2827 (Use-after-free vulnerability in the UI in Google Chrome before 20.0.11 ...) - chromium-browser (MacOS specific) CVE-2012-2826 (Google Chrome before 20.0.1132.43 does not properly implement texture ...) - chromium-browser 20.0.1132.43~r143823-1 [squeeze] - chromium-browser CVE-2012-2825 (The XSL implementation in Google Chrome before 20.0.1132.43 allows rem ...) - libxslt 1.1.26-13 (low; bug #679283) [squeeze] - libxslt 1.1.26-6+squeeze1 CVE-2012-2824 (Use-after-free vulnerability in Google Chrome before 20.0.1132.43 allo ...) - chromium-browser 20.0.1132.43~r143823-1 [squeeze] - chromium-browser CVE-2012-2823 (Use-after-free vulnerability in Google Chrome before 20.0.1132.43 allo ...) - chromium-browser 20.0.1132.43~r143823-1 [squeeze] - chromium-browser CVE-2012-2822 (The PDF functionality in Google Chrome before 20.0.1132.43 allows remo ...) - chromium-browser (PDF functionality not present in Chromium) CVE-2012-2821 (The autofill implementation in Google Chrome before 20.0.1132.43 does ...) - chromium-browser 20.0.1132.43~r143823-1 [squeeze] - chromium-browser CVE-2012-2820 (Google Chrome before 20.0.1132.43 does not properly implement SVG filt ...) - chromium-browser 20.0.1132.43~r143823-1 [squeeze] - chromium-browser CVE-2012-2819 (The texSubImage2D implementation in the WebGL subsystem in Google Chro ...) - chromium-browser 20.0.1132.43~r143823-1 [squeeze] - chromium-browser CVE-2012-2818 (Use-after-free vulnerability in Google Chrome before 20.0.1132.43 allo ...) - chromium-browser 20.0.1132.43~r143823-1 [squeeze] - chromium-browser CVE-2012-2817 (Use-after-free vulnerability in Google Chrome before 20.0.1132.43 allo ...) - chromium-browser 20.0.1132.43~r143823-1 [squeeze] - chromium-browser CVE-2012-2816 (Google Chrome before 20.0.1132.43 on Windows does not properly isolate ...) - chromium-browser (windows-only) CVE-2012-2815 (Google Chrome before 20.0.1132.43 allows remote attackers to obtain po ...) - chromium-browser 20.0.1132.43~r143823-1 [squeeze] - chromium-browser CVE-2012-2814 (Buffer overflow in the exif_entry_format_value function in exif-entry. ...) {DSA-2559-1} - libexif 0.6.20-3 (bug #681454) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=771229 NOTE: http://seclists.org/oss-sec/2012/q3/74 CVE-2012-2813 (The exif_convert_utf16_to_utf8 function in exif-entry.c in the EXIF Ta ...) {DSA-2559-1} - libexif 0.6.20-3 (bug #681454) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=771229 NOTE: http://seclists.org/oss-sec/2012/q3/74 CVE-2012-2812 (The exif_entry_get_value function in exif-entry.c in the EXIF Tag Pars ...) {DSA-2559-1} - libexif 0.6.20-3 (bug #681454) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=771229 NOTE: http://seclists.org/oss-sec/2012/q3/74 CVE-2012-2811 RESERVED CVE-2012-2810 RESERVED CVE-2012-2809 RESERVED CVE-2012-2808 (The PRNG implementation in the DNS resolver in Bionic in Android befor ...) - iceweasel (Only affects 37.x; only on Android) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-41/ CVE-2012-2807 (Multiple integer overflows in libxml2, as used in Google Chrome before ...) {DSA-2521-1} - libxml2 2.8.0+dfsg1-5 (bug #679280) NOTE: https://git.gnome.org/browse/libxml2/commit/?id=459eeb9dc752d5185f57ff6b135027f11981a626 CVE-2012-2806 (Heap-based buffer overflow in the get_sos function in jdmarker.c in li ...) - libjpeg-turbo (Fixed before initial release) CVE-2012-2805 (Unspecified vulnerability in FFMPEG 0.10 allows remote attackers to ca ...) - ffmpeg 7:2.4.1-1 CVE-2012-2804 (Unspecified vulnerability in libavcodec/indeo3.c in FFmpeg before 0.11 ...) - ffmpeg 7:2.4.1-1 - libav 6:0.8.5-1 (bug #688847) [squeeze] - ffmpeg (vulnerable code not present) CVE-2012-2803 (Double free vulnerability in the mpeg_decode_frame function in libavco ...) {DSA-2624-1} - ffmpeg 7:2.4.1-1 - libav 6:0.8.5-1 (bug #688847) [squeeze] - ffmpeg 4:0.5.10-1 (bug #688849) CVE-2012-2802 (Unspecified vulnerability in the ac3_decode_frame function in libavcod ...) - ffmpeg (bug #688849) - libav 6:0.8.4-1 (bug #688847) CVE-2012-2801 (Unspecified vulnerability in libavcodec/avs.c in FFmpeg before 0.11, a ...) {DSA-2624-1} - libav 6:0.8.4-1 (bug #688847) - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg 4:0.5.10-1 (bug #688849) CVE-2012-2800 (Unspecified vulnerability in the ff_ivi_process_empty_tile function in ...) - libav 6:0.8.4-1 (bug #688847) CVE-2012-2799 (Unspecified vulnerability in libavcodec/wmalosslessdec.c in FFmpeg bef ...) - libav (Vulnerable code not present in 0.8 version from unstable, fixed in 0.9 version in experimental) - ffmpeg (Vulnerable code not present) CVE-2012-2798 (Unspecified vulnerability in the decode_dds1 function in libavcodec/df ...) - libav 6:0.8.4-1 (bug #688847) CVE-2012-2797 (Unspecified vulnerability in the decode_frame_mp3on4 function in libav ...) - ffmpeg 7:2.4.1-1 - libav 6:0.8.5-1 (bug #688847) [squeeze] - ffmpeg (vulnerable code not present) NOTE: patch proposed: http://patches.libav.org/patch/32642/ CVE-2012-2796 (Unspecified vulnerability in the vc1_decode_frame function in libavcod ...) - ffmpeg (bug #688849) - libav 6:0.8.4-1 (bug #688847) CVE-2012-2795 (Multiple unspecified vulnerabilities in libavcodec/wmalosslessdec.c in ...) - libav (Vulnerable code not present in 0.8 version from unstable, fixed in 0.9 version in experimental) - ffmpeg (Vulnerable code not present) CVE-2012-2794 (Unspecified vulnerability in the decode_mb_info function in libavcodec ...) - ffmpeg (bug #688849) - libav 6:0.8.4-1 (bug #688847) CVE-2012-2793 (Unspecified vulnerability in the lag_decode_zero_run_line function in ...) - ffmpeg (bug #688849) - libav 6:0.8.4-1 (bug #688847) CVE-2012-2792 (Unspecified vulnerability in the decode_init function in libavcodec/wm ...) - libav (Vulnerable code not present in 0.8 version from unstable, fixed in 0.9 version in experimental) - ffmpeg (Vulnerable code not present) CVE-2012-2791 (Multiple unspecified vulnerabilities in the (1) decode_band_hdr functi ...) - libav 6:0.8.5-1 (bug #688847) CVE-2012-2790 (Unspecified vulnerability in the read_var_block_data function in libav ...) - ffmpeg (bug #688849) - libav 6:0.8.4-1 (bug #688847) CVE-2012-2789 (Unspecified vulnerability in the avi_read_packet function in libavform ...) - ffmpeg (bug #688849) - libav 6:0.8.4-1 (bug #688847) NOTE: contrary to the description, this issue is about the decode_subframe in libavcodec/wmaprodec.c CVE-2012-2788 (Unspecified vulnerability in the avi_read_packet function in libavform ...) {DSA-2624-1} [squeeze] - ffmpeg 4:0.5.10-1 (bug #688849) - libav 6:0.8.4-1 (bug #688847) - ffmpeg 7:2.4.1-1 CVE-2012-2787 (Unspecified vulnerability in the decode_frame function in libavcodec/i ...) - ffmpeg (bug #688849) - libav 6:0.8.4-1 (bug #688847) CVE-2012-2786 (Unspecified vulnerability in the decode_wdlt function in libavcodec/df ...) - ffmpeg (bug #688849) - libav 6:0.8.4-1 (bug #688847) CVE-2012-2785 (Multiple unspecified vulnerabilities in libavcodec/wmalosslessdec.c in ...) - libav (Vulnerable code not present in 0.8 version from unstable, fixed in 0.9 version in experimental) - ffmpeg (Vulnerable code not present) CVE-2012-2784 (Unspecified vulnerability in the decode_pic function in libavcodec/cav ...) {DSA-2624-1} [squeeze] - ffmpeg 4:0.5.10-1 (bug #688849) - libav 6:0.8.4-1 (bug #688847) - ffmpeg 7:2.4.1-1 NOTE: duplicate of CVE-2012-2777 CVE-2012-2783 (Unspecified vulnerability in libavcodec/vp56.c in FFmpeg before 0.11, ...) {DSA-2624-1} - ffmpeg 7:2.4.1-1 (bug #688849) - libav 6:0.8.5-1 (bug #688847) [squeeze] - ffmpeg 4:0.5.10-1 (bug #688849) CVE-2012-2782 (Unspecified vulnerability in the decode_slice_header function in libav ...) - libav (Doesn't affect libav) CVE-2012-2781 (Unspecified vulnerability in FFmpeg before 0.10.3 has unknown impact a ...) - ffmpeg 7:2.4.1-1 CVE-2012-2780 (Unspecified vulnerability in FFmpeg before 0.10.3 has unknown impact a ...) - ffmpeg 7:2.4.1-1 CVE-2012-2779 (Unspecified vulnerability in the decode_frame function in libavcodec/i ...) - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Vulnerable code not present, bug #688849) - libav 6:0.8.4-1 (bug #688847) CVE-2012-2778 (Unspecified vulnerability in FFmpeg before 0.10.3 has unknown impact a ...) - ffmpeg 7:2.4.1-1 CVE-2012-2777 (Unspecified vulnerability in the decode_pic function in libavcodec/cav ...) {DSA-2624-1} [squeeze] - ffmpeg 4:0.5.9-1 (bug #688849) - libav 6:0.8.4-1 (bug #688847) - ffmpeg 7:2.4.1-1 CVE-2012-2776 (Unspecified vulnerability in the decode_cell_data function in libavcod ...) - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Vulnerable code not present, bug #688849) - libav 6:0.8.4-1 (bug #688847) CVE-2012-2775 (Unspecified vulnerability in the read_var_block_data function in libav ...) - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Vulnerable code not present, bug #688849) - libav 6:0.8.4-1 (bug #688847) CVE-2012-2774 (The ff_MPV_frame_start function in libavcodec/mpegvideo.c in FFmpeg be ...) - ffmpeg (there is no crash, just a couple uninitialized reads, harmless according to Janne) - libav (there is no crash, just a couple uninitialized reads, harmless according to Janne) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=59a4b73531428d2f420b4dad545172c8483ced0f NOTE: patch proposed: http://patches.libav.org/patch/32644/ CVE-2012-2773 (Unspecified vulnerability in FFmpeg before 0.10.3 has unknown impact a ...) - ffmpeg 7:2.4.1-1 CVE-2012-2772 (Unspecified vulnerability in the ff_rv34_decode_frame function in liba ...) - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Vulnerable code not present, bug #688849) - libav 6:0.8.4-1 (bug #688847) CVE-2012-2771 (Unspecified vulnerability in FFmpeg before 0.10.3 has unknown impact a ...) - ffmpeg 7:2.4.1-1 CVE-2012-2770 (The Authen::ExternalAuth extension before 0.11 for Best Practical Solu ...) - rt-authen-externalauth 0.10-2 (bug #683288) CVE-2012-2769 (Multiple cross-site scripting (XSS) vulnerabilities in the topic admin ...) - request-tracker4 4.0.6-1 NOTE: bundled in RT4 CVE-2012-2768 (Multiple cross-site scripting (XSS) vulnerabilities in the topic admin ...) {DSA-2535-1} - rtfm (bug #683290) - request-tracker4 4.0.6-1 NOTE: bundled in RT4 CVE-2012-2767 RESERVED CVE-2012-2766 RESERVED CVE-2012-2765 RESERVED CVE-2012-2764 (Untrusted search path vulnerability in Google Chrome before 20.0.1132. ...) - chromium-browser (Windows specific) CVE-2012-2763 (Buffer overflow in the readstr_upto function in plug-ins/script-fu/tin ...) - gimp 2.8.0-1 (unimportant) NOTE: Only exploitable in rare/theoretical setups NOTE: http://www.openwall.com/lists/oss-security/2012/05/31/1 NOTE: http://www.reactionpenetrationtesting.co.uk/advisories/scriptfu-buffer-overflow-GIMP-2.6.html NOTE: http://www.reactionpenetrationtesting.co.uk/advisories/scriptfubof.c CVE-2012-2762 (SQL injection vulnerability in include/functions_trackbacks.inc.php in ...) - serendipity (vulnerable code not present in 1.5.1, see bug #678139) CVE-2012-2761 RESERVED CVE-2012-2760 (mod_auth_openid before 0.7 for Apache uses world-readable permissions ...) - libapache2-mod-auth-openid 0.7-0.1 (low; bug #674165) [squeeze] - libapache2-mod-auth-openid (Minor issue) CVE-2012-2759 (Cross-site scripting (XSS) vulnerability in login-with-ajax.php in the ...) NOT-FOR-US: Wordpress plugin CVE-2012-2758 RESERVED CVE-2012-2757 RESERVED CVE-2012-2756 RESERVED CVE-2012-2755 RESERVED CVE-2012-2754 RESERVED CVE-2012-2753 (Untrusted search path vulnerability in TrGUI.exe in the Endpoint Conne ...) NOT-FOR-US: Endpoint Connect CVE-2012-2752 (Untrusted search path vulnerability in VMware vMA 4.x and 5.x before 5 ...) NOT-FOR-US: VMware CVE-2012-2751 (ModSecurity before 2.6.6, when used with PHP, does not properly handle ...) {DSA-2506-1} - modsecurity-apache 2.6.6-1 (bug #678527) - libapache-mod-security (bug #678529) NOTE: http://www.openwall.com/lists/oss-security/2012/06/22/1 NOTE: http://www.openwall.com/lists/oss-security/2012/06/22/2 CVE-2012-2750 (Unspecified vulnerability in MySQL 5.5.x before 5.5.23 has unknown imp ...) {DSA-2780-1} - mysql-5.5 5.5.23-1 - mysql-5.1 NOTE: http://bugs.mysql.com/bug.php?id=59533 NOTE: http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html CVE-2012-2749 (MySQL 5.1.x before 5.1.63 and 5.5.x before 5.5.24 allows remote authen ...) {DSA-2496-1} - mysql-5.1 - mysql-5.5 5.5.24+dfsg-1 CVE-2012-2748 (Unspecified vulnerability in Joomla! 2.5.x before 2.5.5 allows remote ...) NOT-FOR-US: Joomla! CVE-2012-2747 (Unspecified vulnerability in Joomla! 2.5.x before 2.5.5 allows remote ...) NOT-FOR-US: Joomla! CVE-2012-2746 (389 Directory Server before 1.2.11.6 (aka Red Hat Directory Server bef ...) - 389-ds-base (Fixed before initial upload) CVE-2012-2745 (The copy_creds function in kernel/cred.c in the Linux kernel before 3. ...) - linux 3.2.15-1 - linux-2.6 [squeeze] - linux-2.6 2.6.32-46 CVE-2012-2744 (net/ipv6/netfilter/nf_conntrack_reasm.c in the Linux kernel before 2.6 ...) - linux 2.6.34-1 - linux-2.6 [squeeze] - linux-2.6 2.6.32-36 CVE-2012-2743 (Revelation 0.4.13-2 and earlier does not iterate through SHA hashing a ...) - revelation 0.4.11-10 (low; bug #633088) [squeeze] - revelation (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2012/06/18/1 CVE-2012-2742 (Revelation 0.4.13-2 and earlier uses only the first 32 characters of a ...) - revelation 0.4.11-10 (bug #633088) [squeeze] - revelation (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2012/06/18/1 CVE-2012-2741 (Cross-site scripting (XSS) vulnerability in public_html/lists/admin/ i ...) - phplist (bug #612288) CVE-2012-2740 (SQL injection vulnerability in public_html/lists/admin in phpList befo ...) - phplist (bug #612288) CVE-2012-2739 (Oracle Java SE before 7 Update 6, and OpenJDK 7 before 7u6 build 12 an ...) - openjdk-6 (unimportant) - openjdk-7 (unimportant) NOTE: Upstream disputes this and states it needs to be fixed in Java apps itself NOTE: http://mail.openjdk.java.net/pipermail/core-libs-dev/2012-May/010238.html NOTE: http://armoredbarista.blogspot.de/2012/02/investigating-hashdos-issue.html NOTE: http://www.openwall.com/lists/oss-security/2012/06/15/12 NOTE: http://www.openwall.com/lists/oss-security/2012/06/17/1 CVE-2012-2738 (The VteTerminal in gnome-terminal (vte) before 0.32.2 allows remote au ...) - vte 1:0.28.2-5 (bug #677717) - vte3 1:0.32.2-1 [squeeze] - vte 1:0.24.3-4 CVE-2012-2737 (The user_change_icon_file_authorized_cb function in /usr/libexec/accou ...) - accountsservice 0.6.21-6 (bug #679429) NOTE: http://www.openwall.com/lists/oss-security/2012/06/28/9 NOTE: http://cgit.freedesktop.org/accountsservice/commit/?id=69b526a6cd4c078732068de2ba393cf9242a404b NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=832532 CVE-2012-2736 (In NetworkManager 0.9.2.0, when a new wireless network was created wit ...) - network-manager 0.9.4.0-1 (low; bug #655972) [squeeze] - network-manager 0.8.1-6+squeeze2 CVE-2012-2735 (Session fixation vulnerability in Cumin before 0.1.5444, as used in Re ...) NOT-FOR-US: Cumin CVE-2012-2734 (Multiple cross-site request forgery (CSRF) vulnerabilities in Cumin be ...) NOT-FOR-US: Cumin CVE-2012-2733 (java/org/apache/coyote/http11/InternalNioInputBuffer.java in the HTTP ...) - tomcat6 6.0.35-5+nmu1 (bug #692439) [squeeze] - tomcat6 6.0.35-1+squeeze3 NOTE: DSA 2725 - tomcat7 7.0.28-1 (bug #692440) CVE-2012-2732 REJECTED CVE-2012-2731 (The Ubercart AJAX Cart 6.x-2.x before 6.x-2.1 for Drupal stores the PH ...) NOT-FOR-US: Drupal module CVE-2012-2730 (The Protected Node module 6.x-1.x before 6.x-1.6 for Drupal does not p ...) NOT-FOR-US: Drupal module CVE-2012-2729 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Simp ...) NOT-FOR-US: Drupal module CVE-2012-2728 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Node ...) NOT-FOR-US: Drupal module CVE-2012-2727 (Open redirect vulnerability in the Janrain Capture module 6.x-1.0 and ...) NOT-FOR-US: Drupal module CVE-2012-2726 (Cross-site scripting (XSS) vulnerability in the Protest module 6.x-1.x ...) NOT-FOR-US: Drupal module CVE-2012-2725 (classes/Filter/WhitelistedExternalFilter.php in the Authoring HTML mod ...) NOT-FOR-US: Drupal module CVE-2012-2724 (The Simplenews module 6.x-1.x before 6.x-1.4, 6.x-2.x before 6.x-2.0-a ...) NOT-FOR-US: Drupal module CVE-2012-2723 (Cross-site scripting (XSS) vulnerability in the Maestro module 7.x-1.x ...) NOT-FOR-US: Drupal module CVE-2012-2722 (The node selection interface in the WYSIWYG editor (CKEditor) in the N ...) NOT-FOR-US: Drupal module CVE-2012-2721 (The default views in the Organic Groups (OG) module 6.x-2.x before 6.x ...) NOT-FOR-US: Drupal module CVE-2012-2720 (The Token Authentication (tokenauth) module 6.x-1.x before 6.x-1.7 for ...) NOT-FOR-US: Drupal module CVE-2012-2719 (The filedepot module 6.x-1.x before 6.x-1.3 for Drupal, when accessed ...) NOT-FOR-US: Drupal module CVE-2012-2718 (SQL injection vulnerability in the Counter module for Drupal allows re ...) NOT-FOR-US: Drupal module CVE-2012-2717 (Multiple cross-site scripting (XSS) vulnerabilities in the Mobile Tool ...) NOT-FOR-US: Drupal module CVE-2012-2716 (Cross-site request forgery (CSRF) vulnerability in the Comment Moderat ...) NOT-FOR-US: Drupal module CVE-2012-2715 (Cross-site scripting (XSS) vulnerability in the themes_links function ...) NOT-FOR-US: Drupal module CVE-2012-2714 (The BrowserID (Mozilla Persona) module 7.x-1.x before 7.x-1.3 for Drup ...) NOT-FOR-US: Drupal module CVE-2012-2713 (Cross-site request forgery (CSRF) vulnerability in the BrowserID (Mozi ...) NOT-FOR-US: Drupal module CVE-2012-2712 (Multiple cross-site scripting (XSS) vulnerabilities in the Search API ...) NOT-FOR-US: Drupal module CVE-2012-2711 (Multiple cross-site scripting (XSS) vulnerabilities in the Taxonomy Li ...) NOT-FOR-US: Drupal module CVE-2012-2710 (Cross-site scripting (XSS) vulnerability in the Zen module 6.x-1.x bef ...) NOT-FOR-US: Drupal module CVE-2012-2709 REJECTED CVE-2012-2708 (Cross-site scripting (XSS) vulnerability in the _hosting_task_log_tabl ...) NOT-FOR-US: Drupal module CVE-2012-2707 (The Hostmaster (Aegir) module 6.x-1.x before 6.x-1.9 for Drupal does n ...) NOT-FOR-US: Drupal module CVE-2012-2706 (Cross-site scripting (XSS) vulnerability in the Post Affiliate Pro (PA ...) NOT-FOR-US: Drupal module CVE-2012-2705 (The filter_titles function in the Smart Breadcrumb module 6.x-1.x befo ...) NOT-FOR-US: Drupal module CVE-2012-2704 (The Advertisement module 6.x-2.x before 6.x-2.3 for Drupal does not pr ...) NOT-FOR-US: Drupal Module CVE-2012-2703 (Cross-site scripting (XSS) vulnerability in the Advertisement module 6 ...) NOT-FOR-US: Drupal module CVE-2012-2702 (The Ubercart Product Keys module 6.x-1.x before 6.x-1.1 for Drupal doe ...) NOT-FOR-US: Drupal module CVE-2012-2701 REJECTED CVE-2012-2700 REJECTED CVE-2012-2699 REJECTED CVE-2012-2698 (Cross-site scripting (XSS) vulnerability in the outputPage function in ...) [squeeze] - mediawiki (bug #677895; only affects experimental version 1.9.0) - mediawiki 1:1.19.1-1 CVE-2012-2697 (Unspecified vulnerability in autofs, as used in Red Hat Enterprise Lin ...) - autofs 5.0.6-1 NOTE: Fixed upstream with "fix paged ldap map read" CVE-2012-2696 (The backend in Red Hat Enterprise Virtualization Manager (RHEV-M) befo ...) NOT-FOR-US: Red Hat Enterprise Virtualisation CVE-2012-2695 (The Active Record component in Ruby on Rails before 3.0.14, 3.1.x befo ...) - ruby-activerecord-3.2 3.2.6-1 (bug #675429) CVE-2012-2694 (actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before ...) - ruby-activerecord-3.2 3.2.6-1 (bug #675429) CVE-2012-2693 (libvirt, possibly before 0.9.12, does not properly assign USB devices ...) - libvirt 0.9.12-1 (bug #677496) [squeeze] - libvirt (Unsupported in squeeze-lts) CVE-2012-2692 (MantisBT before 1.2.11 does not check the delete_attachments_threshold ...) {DSA-2500-1} - mantis 1.2.11-1 (bug #676783) CVE-2012-2691 (The mc_issue_note_update function in the SOAP API in MantisBT before 1 ...) - mantis 1.2.11-1 (bug #676783) [squeeze] - mantis (according to maintainer) CVE-2012-2690 (virt-edit in libguestfs before 1.18.0 does not preserve the permission ...) - libguestfs 1:1.18.0-1 NOTE: Upstream patch https://www.redhat.com/archives/libguestfs/2012-February/msg00034.html NOTE: https://www.redhat.com/archives/libguestfs/2012-February/msg00033.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=788642 NOTE: http://www.openwall.com/lists/oss-security/2012/06/11/1 NOTE: http://www.openwall.com/lists/oss-security/2012/06/11/5 CVE-2012-2689 RESERVED CVE-2012-2688 (Unspecified vulnerability in the _php_stream_scandir function in the s ...) {DSA-2527-1} - php5 5.4.4-4 (low; bug #683274) CVE-2012-2687 (Multiple cross-site scripting (XSS) vulnerabilities in the make_varian ...) - apache2 2.2.22-8 (low) [squeeze] - apache2 2.2.16-6+squeeze8 CVE-2012-2686 (crypto/evp/e_aes_cbc_hmac_sha1.c in the AES-NI functionality in the TL ...) - openssl 1.0.1e-1 (bug #699889) [squeeze] - openssl (Vulnerable code not present) NOTE: DoS in specific protocol + cpu type combination CVE-2012-2685 (Cumin before 0.1.5444, as used in Red Hat Enterprise Messaging, Realti ...) NOT-FOR-US: Cumin CVE-2012-2684 (Multiple SQL injection vulnerabilities in the get_sample_filters_by_si ...) NOT-FOR-US: Cumin CVE-2012-2683 (Multiple cross-site scripting (XSS) vulnerabilities in Cumin before 0. ...) NOT-FOR-US: Cumin CVE-2012-2682 (Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG ...) NOT-FOR-US: Cumin CVE-2012-2681 (Cumin before 0.1.5444, as used in Red Hat Enterprise Messaging, Realti ...) NOT-FOR-US: Cumin CVE-2012-2680 (Cumin before 0.1.5444, as used in Red Hat Enterprise Messaging, Realti ...) NOT-FOR-US: Cumin CVE-2012-2679 (Red Hat Network (RHN) Configuration Client (rhncfg-client) in rhncfg b ...) NOT-FOR-US: Red Hat Network configuration client CVE-2012-2678 (389 Directory Server before 1.2.11.6 (aka Red Hat Directory Server bef ...) - 389-ds-base (Fixed before initial upload) CVE-2012-2677 (Integer overflow in the ordered_malloc function in boost/pool/pool.hpp ...) - boost1.42 (low; bug #688331) [squeeze] - boost1.42 (Minor issue) - boost1.49 1.49.0-3.1 (low; bug #677197) CVE-2012-2676 (Multiple integer overflows in the (1) malloc and (2) calloc functions ...) NOT-FOR-US: Hoard memory allocator CVE-2012-2675 (Multiple integer overflows in the (1) CallMalloc (malloc) and (2) nedp ...) NOT-FOR-US: nedmalloc CVE-2012-2674 (Multiple integer overflows in the (1) chk_malloc, (2) leak_malloc, and ...) NOT-FOR-US: Android libc CVE-2012-2673 (Multiple integer overflows in the (1) GC_generic_malloc and (2) calloc ...) - libgc 1:7.1-9 (bug #677195) [squeeze] - libgc 1:6.8-2 CVE-2012-2672 (Oracle Mojarra 2.1.7 does not properly "clean up" the FacesContext ref ...) - mojarra 2.2.8-1 (bug #677194) [wheezy] - mojarra (Only affected in combination with EAP6/AS7 application servers, not shipped in Debian) [squeeze] - mojarra (Only affected in combination with EAP6/AS7 application servers, not shipped in Debian) CVE-2012-2671 (The Rack::Cache rubygem 0.3.0 through 1.1 caches Set-Cookie and other ...) NOTE: https://github.com/rtomayko/rack-cache/blob/master/CHANGES - ruby-rack-cache 1.2-1 CVE-2012-2670 (manageuser.php in Collabtive before 0.7.6 allows remote authenticated ...) - collabtive 0.7.6-1 (bug #676311) NOTE: http://www.securityfocus.com/archive/1/522973/30/0/threaded NOTE: http://xync.org/2012/06/04/Arbitrary-File-Upload-in-Collabtive.html NOTE: http://www.collabtive.o-dyn.de/blog/?p=426 CVE-2012-2669 (The main function in tools/hv/hv_kvp_daemon.c in hypervkvpd, as distri ...) - linux 3.2.23-1 [squeeze] - linux-2.6 (userspace daemon not yet present) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=761200 CVE-2012-2668 (libraries/libldap/tls_m.c in OpenLDAP, possibly 2.4.31 and earlier, wh ...) - openldap (OpenLDAP in Debian uses GNUTLS instead of Mozilla NSS) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=825875 NOTE: http://www.openldap.org/its/index.cgi?findid=7285 NOTE: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=2c2bb2e CVE-2012-2667 (Session fixation vulnerability in lib/user/sfBasicSecurityUser.class.p ...) NOT-FOR-US: Symfony NOTE: https://bugs.gentoo.org/show_bug.cgi?id=418427 NOTE: http://symfony.com/blog/security-release-symfony-1-4-18-released NOTE: http://trac.symfony-project.org/browser/tags/RELEASE_1_4_18/CHANGELOG NOTE: http://trac.symfony-project.org/changeset/33466?format=diff&new=33466 CVE-2012-2666 RESERVED CVE-2012-2665 (Multiple heap-based buffer overflows in the XML manifest encryption ta ...) {DSA-2520-1} - libreoffice 1:3.5.4-7 - openoffice.org 1:3.3.0-1 NOTE: Since 3.3.0 openoffice.org is a transitional source package CVE-2012-2664 (The sosreport utility in the Red Hat sos package before 2.2-29 does no ...) NOT-FOR-US: sosreport (Red Hat tool) CVE-2012-2663 (extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP S ...) - iptables (unimportant; bug #675445) CVE-2012-2662 (Multiple cross-site scripting (XSS) vulnerabilities in Red Hat Certifi ...) NOT-FOR-US: Red Hat Certificate System CVE-2012-2661 (The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1. ...) - rails (Doesn't affects RoR in Squeeze) - ruby-activerecord-3.2 3.2.6-1 (bug #675396; bug #675429) NOTE: http://seclists.org/oss-sec/2012/q2/448 CVE-2012-2660 (actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before ...) - ruby-activerecord-3.2 3.2.6-1 (bug #675429) NOTE: http://seclists.org/oss-sec/2012/q2/449 CVE-2012-2659 RESERVED CVE-2012-2658 - unixodbc 2.3.6-0.1 (unimportant; bug #675058) NOTE: Only triggerable by trusted input, not a security issue CVE-2012-2657 - unixodbc 2.3.6-0.1 (unimportant; bug #675058) NOTE: Only triggerable by trusted input, not a security issue CVE-2012-2656 (An XML eXternal Entity (XXE) issue exists in Restlet 1.1.10 in an endp ...) - restlet (bug #596472) CVE-2012-2655 (PostgreSQL 8.3.x before 8.3.19, 8.4.x before 8.4.12, 9.0.x before 9.0. ...) {DSA-2491-1} - postgresql-9.1 9.1.4-1 - postgresql-8.4 8.4.12-1 CVE-2012-2654 (The (1) EC2 and (2) OS APIs in OpenStack Compute (Nova) Folsom (2012.2 ...) - nova 2012.1-6 (bug #676465) CVE-2012-2653 (arpwatch 2.1a15, as used by Red Hat, Debian, Fedora, and possibly othe ...) {DSA-2481-1} - arpwatch 2.1a15-1.2 (bug #674715) NOTE: Debian build includes the vulnerable patch (in .diff.gz) CVE-2012-2652 (The bdrv_open function in Qemu 1.0 does not properly handle the failur ...) {DSA-2545-1 DSA-2542-1} - qemu 1.1.0+dfsg-1 (bug #678280) - qemu-kvm 1.1.0+dfsg-1 CVE-2012-2651 RESERVED CVE-2012-2650 RESERVED CVE-2012-2649 (The Sleipnir Mobile application 2.2.0 and earlier and Sleipnir Mobile ...) NOT-FOR-US: Sleipnir Mobile CVE-2012-2648 (Cross-site scripting (XSS) vulnerability in the GoodReader app 3.16 an ...) NOT-FOR-US: GoodReader CVE-2012-2647 (Yahoo! Toolbar 1.0.0.5 and earlier for Chrome and Safari allows remote ...) NOT-FOR-US: Yahoo! Toolbar CVE-2012-2646 (The Sleipnir Mobile application before 2.1.0 and Sleipnir Mobile Black ...) NOT-FOR-US: Sleipnir Mobile CVE-2012-2645 (The Yahoo! Japan Yahoo! Browser application 1.2.0 and earlier for Andr ...) NOT-FOR-US: The Yahoo! Japan Yahoo! Browser application CVE-2012-2644 (Cross-site scripting (XSS) vulnerability in the MT4i plugin 3.1 beta 4 ...) NOT-FOR-US: Movable Type MT4i plugin CVE-2012-2643 (Cross-site scripting (XSS) vulnerability in KENT-WEB YY-BOARD before 6 ...) NOT-FOR-US: KENT-WEB YY-BOARD CVE-2012-2642 (Cross-site scripting (XSS) vulnerability in the MT4i plugin 3.1 beta 4 ...) NOT-FOR-US: Movable Type MT4i plugin CVE-2012-2641 (Cross-site scripting (XSS) vulnerability in Zenphoto before 1.4.3 allo ...) NOT-FOR-US: Zenphoto CVE-2012-2640 (The NEC BIGLOBE Yome Collection application 1.8.3 and earlier for Andr ...) NOT-FOR-US: The NEC BIGLOBE Yome Collection CVE-2012-2639 REJECTED CVE-2012-2638 (Cross-site scripting (XSS) vulnerability in SmallPICT.cgi in SmallPICT ...) NOT-FOR-US: SmallPICT CVE-2012-2637 (Cross-site scripting (XSS) vulnerability in KENT-WEB WEB PATIO 4.04 an ...) NOT-FOR-US: KENT-WEB WEB PATIO CVE-2012-2636 (Cross-site scripting (XSS) vulnerability in KENT-WEB WEB PATIO 4.04 an ...) NOT-FOR-US: KENT-WEB WEB PATIO CVE-2012-2635 (The Dolphin Browser HD application before 7.6 and Dolphin for Pad appl ...) NOT-FOR-US: Dolphin CVE-2012-2634 (Cross-site scripting (XSS) vulnerability in FeedDemon before 4.0, when ...) NOT-FOR-US: FeedDemon CVE-2012-2633 (Cross-site scripting (XSS) vulnerability in wassup.php in the WassUp p ...) NOT-FOR-US: WassUp CVE-2012-2632 (SEIL routers with firmware SEIL/x86 1.00 through 2.35, SEIL/X1 2.30 th ...) NOT-FOR-US: SEIL routers CVE-2012-2631 (Cross-site scripting (XSS) vulnerability in WEBLOGIC @WEB ShoppingCart ...) NOT-FOR-US: WEBLOGIC CVE-2012-2630 (The Puella Magi Madoka Magica iP application 1.05 and earlier for Andr ...) NOT-FOR-US: Puella Magi Madoka Magica iP (Android application) CVE-2012-2629 (Multiple cross-site request forgery (CSRF) and cross-site scripting (X ...) NOT-FOR-US: Axous CVE-2012-2628 RESERVED CVE-2012-2627 (d4d/uploader.php in the web console in Plixer Scrutinizer (aka Dell So ...) NOT-FOR-US: Plixer Scrutinizer CVE-2012-2626 (cgi-bin/admin.cgi in the web console in Plixer Scrutinizer (aka Dell S ...) NOT-FOR-US: Plixer Scrutinizer CVE-2012-2625 (The PyGrub boot loader in Xen unstable before changeset 25589:60f09d1a ...) {DSA-2636-1} - xen 4.1.3-4 (low; bug #688125) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2625 CVE-2012-2624 (Stack-based buffer overflow in Logica HotScan allows remote attackers ...) NOT-FOR-US: Logica HotScan CVE-2012-XXXX [two XSS] - spip 2.1.14-1 (low; bug #672961) [squeeze] - spip 2.1.1-3squeeze4 CVE-2012-1675 (The TNS Listener, as used in Oracle Database 11g 11.1.0.7, 11.2.0.2, a ...) NOT-FOR-US: Oracle Database CVE-2012-2623 RESERVED CVE-2012-2622 RESERVED CVE-2012-2621 RESERVED CVE-2012-2620 RESERVED CVE-2012-2619 (The Broadcom BCM4325 and BCM4329 Wi-Fi chips, as used in certain Acer, ...) - firmware-nonfree (Affects different chipset combination, see bug #694716) CVE-2012-2618 RESERVED CVE-2012-2617 RESERVED CVE-2012-2616 RESERVED CVE-2012-2615 REJECTED CVE-2012-2614 (Buffer overflow in programmer.exe in Lattice Diamond Programmer 1.4.2 ...) NOT-FOR-US: Lattice Diamond Programmer CVE-2012-2613 RESERVED CVE-2012-2612 (The DiagTraceHex function in disp+work.exe 7010.29.15.58313 and 7200.7 ...) NOT-FOR-US: SAP NetWeaver CVE-2012-2611 (The DiagTraceR3Info function in the Dialog processor in disp+work.exe ...) NOT-FOR-US: SAP NetWeaver CVE-2012-2610 RESERVED CVE-2012-2609 RESERVED CVE-2012-2608 RESERVED CVE-2012-2607 (The Johnson Controls CK721-A controller with firmware before SSM4388_0 ...) NOT-FOR-US: The Johnson Controls CK721-A CVE-2012-2606 (The agent in Bradford Network Sentry before 5.3.3 does not require aut ...) NOT-FOR-US: Bradford Network Sentry CVE-2012-2605 (Multiple cross-site request forgery (CSRF) vulnerabilities in the admi ...) NOT-FOR-US: Bradford Network Sentry CVE-2012-2604 (Multiple cross-site scripting (XSS) vulnerabilities in GuestAccess.jsp ...) NOT-FOR-US: Bradford Network Sentry CVE-2012-2603 (The server in CollabNet ScrumWorks Pro before 6.0 allows remote authen ...) NOT-FOR-US: CollabNet ScrumWorks Pro CVE-2012-2602 (Multiple cross-site request forgery (CSRF) vulnerabilities in SolarWin ...) NOT-FOR-US: SolarWinds Orion Network Performance Monitor CVE-2012-2601 (SQL injection vulnerability in WrVMwareHostList.asp in Ipswitch WhatsU ...) NOT-FOR-US: Ipswitch WhatsUp Gold CVE-2012-2600 RESERVED CVE-2012-2599 REJECTED CVE-2012-2598 (Buffer overflow in the DiagAgent web server in Siemens WinCC 7.0 SP3 t ...) NOT-FOR-US: Siemens WinCC CVE-2012-2597 (Multiple directory traversal vulnerabilities in Siemens WinCC 7.0 SP3 ...) NOT-FOR-US: Siemens WinCC CVE-2012-2596 (The XPath functionality in unspecified web applications in Siemens Win ...) NOT-FOR-US: Siemens WinCC CVE-2012-2595 (Multiple cross-site scripting (XSS) vulnerabilities in unspecified web ...) NOT-FOR-US: Siemens WinCC CVE-2012-2594 RESERVED CVE-2012-2593 (Cross-site scripting (XSS) vulnerability in the administrative interfa ...) NOT-FOR-US: Atmail Webmail Server CVE-2012-2592 (Cross-site scripting (XSS) vulnerability in Axigen Mail Server 8.0.1 a ...) NOT-FOR-US: AXIGEN Mail Server CVE-2012-2591 (Multiple cross-site scripting (XSS) vulnerabilities in EmailArchitect ...) NOT-FOR-US: EmailArchitect CVE-2012-2590 (Multiple cross-site scripting (XSS) vulnerabilities in ESCON SupportPo ...) NOT-FOR-US: ESCON SupportPortal Professional Edition CVE-2012-2589 REJECTED CVE-2012-2588 (Multiple cross-site scripting (XSS) vulnerabilities in MailEnable Ente ...) NOT-FOR-US: MailEnable Enterprise CVE-2012-2587 (Multiple cross-site scripting (XSS) vulnerabilities in AfterLogic Mail ...) NOT-FOR-US: AfterLogic MailSuite Pro CVE-2012-2586 (Multiple cross-site scripting (XSS) vulnerabilities in Mailtraq 2.17.3 ...) NOT-FOR-US: Mailtraq CVE-2012-2585 (Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine Se ...) NOT-FOR-US: ManageEngine ServiceDesk Plus CVE-2012-2584 (Multiple cross-site scripting (XSS) vulnerabilities in Alt-N MDaemon F ...) NOT-FOR-US: Alt-N MDaemon Free CVE-2012-2583 (Cross-site scripting (XSS) vulnerability in Mini Mail Dashboard Widget ...) NOT-FOR-US: WordPress plugin Mini Mail Dashboard Widget CVE-2012-2582 (Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Req ...) {DSA-2536-1} - otrs2 3.1.7+dfsg1-4 CVE-2012-2581 RESERVED CVE-2012-2580 (Cross-site scripting (XSS) vulnerability in the Postie plugin 1.4.3, a ...) NOT-FOR-US: WordPress plugin Postie CVE-2012-2579 (Multiple cross-site scripting (XSS) vulnerabilities in the WP SimpleMa ...) NOT-FOR-US: WordPress plugin SimpleMail CVE-2012-2578 (Multiple cross-site scripting (XSS) vulnerabilities in SmarterMail 9.2 ...) NOT-FOR-US: SmarterMail CVE-2012-2577 (Multiple cross-site scripting (XSS) vulnerabilities in SolarWinds Orio ...) NOT-FOR-US: SolarWinds Orion Network Performance Monitor CVE-2012-2576 (SQL injection vulnerability in the LoginServlet page in SolarWinds Sto ...) NOT-FOR-US: SolarWinds CVE-2012-2575 (Cross-site scripting (XSS) vulnerability in NetWin SurgeMail 6.0a4 all ...) NOT-FOR-US: NetWin SurgeMail CVE-2012-2574 (SQL injection vulnerability in the management console in Symantec Web ...) NOT-FOR-US: Symantec Web Gateway CVE-2012-2573 (Multiple cross-site scripting (XSS) vulnerabilities in T-dah WebMail 3 ...) NOT-FOR-US: Symantec Web Gateway CVE-2012-2572 (Cross-site scripting (XSS) vulnerability in the ThreeWP Email Reflecto ...) NOT-FOR-US: WordPress plugin ThreeWP Email Reflector CVE-2012-2571 (Multiple cross-site scripting (XSS) vulnerabilities in WinWebMail Serv ...) NOT-FOR-US: WinWebMail CVE-2012-2570 (Cross-site scripting (XSS) vulnerability in products_map.php in X-Cart ...) NOT-FOR-US: X-Cart Gold CVE-2012-2569 (Cross-site scripting (XSS) vulnerability in Synametrics Technologies X ...) NOT-FOR-US: Synametrics Technologies Xeams CVE-2012-2568 (d41d8cd98f00b204e9800998ecf8427e.php in the management web server on t ...) NOT-FOR-US: Seagate BlackArmor CVE-2012-2567 (The Xelex MobileTrack application 2.3.7 and earlier for Android uses h ...) NOT-FOR-US: Xelex MobileTrack application CVE-2012-2566 (Bloxx Web Filtering before 5.0.14 does not properly interpret X-Forwar ...) NOT-FOR-US: Bloxx Web Filtering CVE-2012-2565 (Bloxx Web Filtering before 5.0.14 does not use a salt during calculati ...) NOT-FOR-US: Bloxx Web Filtering CVE-2012-2564 (Multiple cross-site request forgery (CSRF) vulnerabilities in the admi ...) NOT-FOR-US: Bloxx Web Filtering CVE-2012-2563 (Multiple cross-site scripting (XSS) vulnerabilities in Bloxx Web Filte ...) NOT-FOR-US: Bloxx Web Filtering CVE-2012-2562 (The Xelex MobileTrack application 2.3.7 and earlier for Android does n ...) NOT-FOR-US: Xelex MobileTrack application CVE-2012-2561 (HP Business Service Management (BSM) 9.12 does not properly restrict t ...) NOT-FOR-US: HP Business Service Management CVE-2012-2560 (Directory traversal vulnerability in WellinTech KingView 6.53 allows r ...) NOT-FOR-US: WellinTech KingView CVE-2012-2559 (WellinTech KingHistorian 3.0 allows remote attackers to execute arbitr ...) NOT-FOR-US: WellinTech KingHistorian CVE-2012-2558 RESERVED CVE-2012-2557 (Use-after-free vulnerability in Microsoft Internet Explorer 6 through ...) NOT-FOR-US: Internet Explorer CVE-2012-2556 (The OpenType Font (OTF) driver in the kernel-mode drivers in Microsoft ...) NOT-FOR-US: Microsoft Windows CVE-2012-2555 REJECTED CVE-2012-2554 REJECTED CVE-2012-2553 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: Microsoft Windows CVE-2012-2552 (Cross-site scripting (XSS) vulnerability in the SQL Server Report Mana ...) NOT-FOR-US: Microsoft SQL Server CVE-2012-2551 (The server in Kerberos in Microsoft Windows Server 2008 R2 and R2 SP1, ...) NOT-FOR-US: Microsoft Windows Server CVE-2012-2550 (Microsoft Works 9 allows remote attackers to execute arbitrary code or ...) NOT-FOR-US: Microsoft Works CVE-2012-2549 (The IP-HTTPS server in Windows Server 2008 R2 and R2 SP1 and Server 20 ...) NOT-FOR-US: Windows Server CVE-2012-2548 (Use-after-free vulnerability in Microsoft Internet Explorer 9 allows r ...) NOT-FOR-US: Internet Explorer CVE-2012-2547 REJECTED CVE-2012-2546 (Use-after-free vulnerability in Microsoft Internet Explorer 9 allows r ...) NOT-FOR-US: Internet Explorer CVE-2012-2545 REJECTED CVE-2012-2544 REJECTED CVE-2012-2543 (Stack-based buffer overflow in Microsoft Excel 2007 SP2 and SP3 and 20 ...) NOT-FOR-US: Microsoft Excel CVE-2012-2542 REJECTED CVE-2012-2541 REJECTED CVE-2012-2540 REJECTED CVE-2012-2539 (Microsoft Word 2003 SP3, 2007 SP2 and SP3, and 2010 SP1; Word Viewer; ...) NOT-FOR-US: Microsoft Office CVE-2012-2538 REJECTED CVE-2012-2537 REJECTED CVE-2012-2536 (Cross-site scripting (XSS) vulnerability in Microsoft Systems Manageme ...) NOT-FOR-US: Microsoft Systems Management Server CVE-2012-2535 REJECTED CVE-2012-2534 REJECTED CVE-2012-2533 REJECTED CVE-2012-2532 (Microsoft FTP Service 7.0 and 7.5 for Internet Information Services (I ...) NOT-FOR-US: Microsoft FTP Service CVE-2012-2531 (Microsoft Internet Information Services (IIS) 7.5 uses weak permission ...) NOT-FOR-US: Microsoft IIS CVE-2012-2530 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: Microsoft Windows CVE-2012-2529 (Integer overflow in the kernel in Microsoft Windows XP SP2 and SP3, Wi ...) NOT-FOR-US: Microsoft Windows CVE-2012-2528 (Use-after-free vulnerability in Microsoft Word 2003 SP3, 2007 SP2 and ...) NOT-FOR-US: Microsoft Word CVE-2012-2527 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: Microsoft Windows CVE-2012-2526 (The Remote Desktop Protocol (RDP) implementation in Microsoft Windows ...) NOT-FOR-US: Microsoft Windows CVE-2012-2525 REJECTED CVE-2012-2524 (Microsoft Office 2007 SP2 and SP3 and 2010 SP1 allows remote attackers ...) NOT-FOR-US: Microsoft Office CVE-2012-2523 (Integer overflow in Microsoft Internet Explorer 8 and 9, JScript 5.8, ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-2522 (Microsoft Internet Explorer 6 through 9 does not properly handle objec ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-2521 (Microsoft Internet Explorer 6 through 9 does not properly handle objec ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-2520 (Cross-site scripting (XSS) vulnerability in Microsoft InfoPath 2007 SP ...) NOT-FOR-US: Microsoft Infopath CVE-2012-2519 (Untrusted search path vulnerability in Entity Framework in ADO.NET in ...) NOT-FOR-US: Microsoft .NET framework CVE-2012-2518 REJECTED CVE-2012-2517 (Cross-site scripting (XSS) vulnerability in PrestaShop before 1.4.9 al ...) NOT-FOR-US: PrestaShop CVE-2012-2516 (An ActiveX control in KeyHelp.ocx in KeyWorks KeyHelp Module (aka the ...) NOT-FOR-US: KeyWorks not in Debian CVE-2012-2515 (Multiple stack-based buffer overflows in the KeyHelp.KeyCtrl.1 ActiveX ...) NOT-FOR-US: KeyWorks not in Debian CVE-2012-2514 (The DiagiEventSource function in disp+work.exe 7010.29.15.58313 and 72 ...) NOT-FOR-US: SAP NetWeaver CVE-2012-2513 (The Diaginput function in disp+work.exe 7010.29.15.58313 and 7200.70.1 ...) NOT-FOR-US: SAP NetWeaver CVE-2012-2512 (The DiagTraceStreamI function in disp+work.exe 7010.29.15.58313 and 72 ...) NOT-FOR-US: SAP NetWeaver CVE-2012-2511 (The DiagTraceAtoms function in disp+work.exe 7010.29.15.58313 and 7200 ...) NOT-FOR-US: SAP NetWeaver CVE-2012-2510 RESERVED CVE-2012-2509 RESERVED CVE-2012-2508 RESERVED CVE-2012-2507 RESERVED CVE-2012-2506 RESERVED CVE-2012-2505 RESERVED CVE-2012-2504 RESERVED CVE-2012-2503 RESERVED CVE-2012-2502 RESERVED CVE-2012-2501 RESERVED CVE-2012-2500 (Cisco AnyConnect Secure Mobility Client 3.0 before 3.0.08057 does not ...) NOT-FOR-US: Cisco CVE-2012-2499 (The IPsec implementation in Cisco AnyConnect Secure Mobility Client 3. ...) NOT-FOR-US: Cisco CVE-2012-2498 (Cisco AnyConnect Secure Mobility Client 3.0 through 3.0.08066 does not ...) NOT-FOR-US: Cisco CVE-2012-2497 REJECTED CVE-2012-2496 (A certain Java applet in the VPN downloader implementation in the WebL ...) NOT-FOR-US: Cisco CVE-2012-2495 (The HostScan downloader implementation in Cisco AnyConnect Secure Mobi ...) NOT-FOR-US: Cisco CVE-2012-2494 (The VPN downloader implementation in the WebLaunch feature in Cisco An ...) NOT-FOR-US: Cisco CVE-2012-2493 (The VPN downloader implementation in the WebLaunch feature in Cisco An ...) NOT-FOR-US: Cisco CVE-2012-2492 RESERVED CVE-2012-2491 RESERVED CVE-2012-2490 (Cisco IP Communicator 8.6 allows man-in-the-middle attackers to modify ...) NOT-FOR-US: Cisco CVE-2012-2489 RESERVED CVE-2012-2488 (Cisco IOS XR before 4.2.1 on ASR 9000 series devices and CRS series de ...) NOT-FOR-US: Cisco IOS CVE-2012-2487 RESERVED CVE-2012-2486 (The Cisco Discovery Protocol (CDP) implementation on Cisco TelePresenc ...) NOT-FOR-US: Cisco Telepresence CVE-2012-2485 RESERVED CVE-2012-2484 RESERVED CVE-2012-2483 RESERVED CVE-2012-2482 RESERVED CVE-2012-2481 RESERVED CVE-2012-2480 RESERVED CVE-2012-2479 RESERVED CVE-2012-2478 RESERVED CVE-2012-2477 RESERVED CVE-2012-2476 RESERVED CVE-2012-2475 RESERVED CVE-2012-2474 (Memory leak on Cisco Adaptive Security Appliances (ASA) 5500 series de ...) NOT-FOR-US: Cisco CVE-2012-2473 RESERVED CVE-2012-2472 (Cisco Adaptive Security Appliances (ASA) 5500 series devices with soft ...) NOT-FOR-US: Cisco CVE-2012-2471 RESERVED CVE-2012-2470 RESERVED CVE-2012-2469 (Cisco NX-OS 4.2, 5.0, 5.1, and 5.2 on Nexus 7000 series switches, when ...) NOT-FOR-US: Cisco CVE-2012-2468 RESERVED CVE-2012-2467 RESERVED CVE-2012-2466 RESERVED CVE-2012-2465 RESERVED CVE-2012-2464 RESERVED CVE-2012-2463 RESERVED CVE-2012-2462 RESERVED CVE-2012-2461 RESERVED CVE-2012-2460 RESERVED CVE-2012-2459 (Unspecified vulnerability in bitcoind and Bitcoin-Qt before 0.4.6, 0.5 ...) - bitcoin 0.6.2.1-1 NOTE: https://bitcointalk.org/index.php?topic=81749.0 CVE-2012-2458 RESERVED CVE-2012-2457 RESERVED CVE-2012-2456 REJECTED CVE-2012-2455 (Advanced Productivity Software DTE Axiom before 12.3.3 does not valida ...) NOT-FOR-US: Advanced Productivity Software DTE Axiom CVE-2012-2454 RESERVED CVE-2012-2453 RESERVED CVE-2012-2452 (Multiple cross-site scripting (XSS) vulnerabilities in pragmaMx 1.x be ...) NOT-FOR-US: pragmaMx CVE-2012-2450 (VMware Workstation 8.x before 8.0.3, VMware Player 4.x before 4.0.3, V ...) NOT-FOR-US: VMware CVE-2012-2449 (VMware Workstation 8.x before 8.0.3, VMware Player 4.x before 4.0.3, V ...) NOT-FOR-US: VMware CVE-2012-2448 (VMware ESXi 3.5 through 5.0 and ESX 3.5 through 4.1 allow remote attac ...) NOT-FOR-US: VMware CVE-2012-2447 (Cross-site request forgery (CSRF) vulnerability in accountmgr/adminupd ...) NOT-FOR-US: Netsweeper WebAdmin Portal CVE-2012-2446 (Cross-site scripting (XSS) vulnerability in tools/local_lookup.php in ...) NOT-FOR-US: Netsweeper WebAdmin Portal CVE-2012-2451 (The Config::IniFiles module before 2.71 for Perl creates temporary fil ...) - libconfig-inifiles-perl 2.72-1 (bug #671255; low) [squeeze] - libconfig-inifiles-perl 2.52-1+squeeze1 NOTE: https://bitbucket.org/shlomif/perl-config-inifiles/changeset/a08fa26f4f59 NOTE: http://seclists.org/oss-sec/2012/q2/225 CVE-2012-2445 RESERVED CVE-2012-2444 RESERVED CVE-2012-2443 RESERVED CVE-2012-2442 (Buffer overflow in the Video Manager in Nokia PC Suite 7.1.180.64 and ...) NOT-FOR-US: Nokia PC Suite CVE-2012-2441 (RuggedCom Rugged Operating System (ROS) before 3.3 has a factory accou ...) NOT-FOR-US: RuggedCom Rugged Operating System CVE-2012-2440 (The default configuration of the TP-Link 8840T router enables web-base ...) NOT-FOR-US: TP-Link router CVE-2012-2439 (The default configuration of the NETGEAR ProSafe FVS318N firewall enab ...) NOT-FOR-US: NETGEAR appliance CVE-2012-2438 (ar web content manager (AWCM) 2.2 does not restrict the number of comm ...) NOT-FOR-US: ar web content manager CVE-2012-2437 (cookie_gen.php in ar web content manager (AWCM) 2.2 does not require a ...) NOT-FOR-US: ar web content manager CVE-2012-2436 (Multiple cross-site scripting (XSS) vulnerabilities in Pligg CMS befor ...) NOT-FOR-US: Pligg CVE-2012-2435 (Directory traversal vulnerability in the captcha module in Pligg CMS b ...) NOT-FOR-US: Pligg CVE-2012-2434 RESERVED CVE-2012-2433 RESERVED CVE-2012-2432 RESERVED CVE-2012-2431 RESERVED CVE-2012-2430 RESERVED CVE-2012-2429 (The server in xArrow before 3.4.1 performs an invalid read operation, ...) NOT-FOR-US: xArrow CVE-2012-2428 (Integer overflow in the server in xArrow before 3.4.1 allows remote at ...) NOT-FOR-US: xArrow CVE-2012-2427 (Heap-based buffer overflow in the server in xArrow before 3.4.1 allows ...) NOT-FOR-US: xArrow CVE-2012-2426 (The server in xArrow before 3.4.1 does not properly allocate memory, w ...) NOT-FOR-US: xArrow CVE-2012-2425 (The intu-help-qb (aka Intuit Help System Async Pluggable Protocol) han ...) NOT-FOR-US: Intuit CVE-2012-2424 (The intu-help-qb (aka Intuit Help System Async Pluggable Protocol) han ...) NOT-FOR-US: Intuit CVE-2012-2423 (The intu-help-qb (aka Intuit Help System Async Pluggable Protocol) han ...) NOT-FOR-US: Intuit CVE-2012-2422 (Intuit QuickBooks 2009 through 2012 might allow remote attackers to ob ...) NOT-FOR-US: Intuit CVE-2012-2421 (Absolute path traversal vulnerability in the intu-help-qb (aka Intuit ...) NOT-FOR-US: Intuit CVE-2012-2420 (The intu-help-qb (aka Intuit Help System Async Pluggable Protocol) han ...) NOT-FOR-US: Intuit CVE-2012-2419 (Memory leak in the intu-help-qb (aka Intuit Help System Async Pluggabl ...) NOT-FOR-US: Intuit CVE-2012-2418 (Heap-based buffer overflow in the intu-help-qb (aka Intuit Help System ...) NOT-FOR-US: Intuit CVE-2012-2417 (PyCrypto before 2.6 does not produce appropriate prime numbers when us ...) {DSA-2502-1} - python-crypto 2.6-1 NOTE: https://bugs.launchpad.net/pycrypto/+bug/985164 CVE-2012-2413 (Cross-site scripting (XSS) vulnerability in the ja_purity template for ...) NOT-FOR-US: Joomla template CVE-2012-2412 REJECTED CVE-2012-2411 (Buffer overflow in RealNetworks RealPlayer before 15.0.4.53, and RealP ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2012-2410 (Buffer overflow in RealNetworks RealPlayer before 15.0.6.14, RealPlaye ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2012-2409 (Buffer overflow in RealNetworks RealPlayer before 15.0.6.14, RealPlaye ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2012-2408 (The AAC SDK in RealNetworks RealPlayer before 15.0.6.14, RealPlayer SP ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2012-2407 (Buffer overflow in RealNetworks RealPlayer before 15.0.6.14, RealPlaye ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2012-2406 (RealNetworks RealPlayer before 15.0.4.53, and RealPlayer SP 1.0 throug ...) NOT-FOR-US: RealPlayer CVE-2012-2405 (Gallery 2 before 2.3.2 and 3 before 3.0.3 does not properly implement ...) - gallery2 CVE-2012-2404 (wp-comments-post.php in WordPress before 3.3.2 supports offsite redire ...) {DSA-2470-1} - wordpress 3.3.2+dfsg-1 (bug #670124) CVE-2012-2403 (wp-includes/formatting.php in WordPress before 3.3.2 attempts to enabl ...) {DSA-2470-1} - wordpress 3.3.2+dfsg-1 (bug #670124) CVE-2012-2402 (wp-admin/plugins.php in WordPress before 3.3.2 allows remote authentic ...) {DSA-2470-1} - wordpress 3.3.2+dfsg-1 (bug #670124) CVE-2012-2401 (Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPres ...) {DSA-2470-1} - wordpress 3.3.2+dfsg-1 (bug #670124) CVE-2012-2400 (Unspecified vulnerability in wp-includes/js/swfobject.js in WordPress ...) {DSA-2470-1} - wordpress 3.3.2+dfsg-1 (bug #670124) CVE-2012-2399 (Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFupload ...) {DSA-2470-1} - wordpress 3.3.2+dfsg-1 (bug #670124) CVE-2010-5136 REJECTED CVE-2010-5135 REJECTED CVE-2010-5134 REJECTED CVE-2010-5133 REJECTED CVE-2010-5132 REJECTED CVE-2010-5131 REJECTED CVE-2010-5130 REJECTED CVE-2010-5129 REJECTED CVE-2010-5128 REJECTED CVE-2010-5127 REJECTED CVE-2010-5126 REJECTED CVE-2010-5125 REJECTED CVE-2010-5124 REJECTED CVE-2010-5123 REJECTED CVE-2010-5122 REJECTED CVE-2010-5121 REJECTED CVE-2010-5120 REJECTED CVE-2010-5119 REJECTED CVE-2010-5118 REJECTED CVE-2010-5117 REJECTED CVE-2010-5116 RESERVED CVE-2010-5115 RESERVED CVE-2010-5114 RESERVED CVE-2010-5113 RESERVED CVE-2010-5112 RESERVED CVE-2010-5111 (Multiple buffer overflows in readline.c in Echoping 6.0.2 allow remote ...) - echoping 6.0.2-4 (low; bug #606808) [squeeze] - echoping (Minor issue) NOTE: Upstream fix http://sourceforge.net/p/echoping/bugs/55/ NOTE: https://bugs.gentoo.org/show_bug.cgi?id=349569 NOTE: http://xforce.iss.net/xforce/xfdb/64141 NOTE: http://secunia.com/advisories/42619/ CVE-2010-5110 (DCTStream.cc in Poppler before 0.13.3 allows remote attackers to cause ...) {DLA-24-1} - poppler 0.16.3-1 (bug #722705) [squeeze] - poppler 0.12.4-1.2+squeeze4 CVE-2010-5109 (Off-by-one error in the DecompressRTF function in ytnef.c in Yerase's ...) - libytnef 1.5-5 (low; bug #705468) [squeeze] - libytnef (Minor issue) [wheezy] - libytnef (Minor issue) - claws-mail-extra-plugins (low) [squeeze] - claws-mail-extra-plugins (Minor issue) [wheezy] - claws-mail-extra-plugins (Minor issue) - claws-mail 3.11.1-2 (bug #771360) [squeeze] - claws-mail (In Squeeze, the problematic package claws-mail-tnef-parser is built by claws-mail-extra-plugins) [wheezy] - claws-mail (In Wheezy, the problematic package claws-mail-tnef-parser is built by claws-mail-extra-plugins) CVE-2010-5108 (Trac 0.11.6 does not properly check workflow permissions before modify ...) - trac 0.11.7-1 (bug #573260) CVE-2010-5107 (The default configuration of OpenSSH through 6.1 enforces a fixed time ...) - openssh 1:6.0p1-4 (low; bug #700102) [squeeze] - openssh 1:5.5p1-6+squeeze3 CVE-2010-5106 (The XML-RPC remote publishing interface in xmlrpc.php in WordPress bef ...) - wordpress 3.0.3-1 CVE-2010-5105 (The undo save quit routine in the kernel in Blender 2.5, 2.63a, and ea ...) - blender (unimportant; bug #584621) [squeeze] - blender (Minor issue) [wheezy] - blender (Minor issue) NOTE: Neutralised by kernel temp hardening CVE-2010-5104 (The escapeStrForLike method in TYPO3 4.2.x before 4.2.16, 4.3.x before ...) - typo3-src 4.3.9+dfsg1-1 (bug #607286) CVE-2010-5103 (SQL injection vulnerability in the list module in TYPO3 4.2.x before 4 ...) - typo3-src 4.3.9+dfsg1-1 (bug #607286) CVE-2010-5102 (Directory traversal vulnerability in mod/tools/em/class.em_unzip.php i ...) - typo3-src 4.3.9+dfsg1-1 (bug #607286) CVE-2010-5101 (Directory traversal vulnerability in the TypoScript setup in TYPO3 4.2 ...) - typo3-src 4.3.9+dfsg1-1 (bug #607286) CVE-2010-5100 (Multiple cross-site scripting (XSS) vulnerabilities in the Install Too ...) - typo3-src 4.3.9+dfsg1-1 (bug #607286) CVE-2010-5099 (The fileDenyPattern functionality in the PHP file inclusion protection ...) - typo3-src 4.3.9+dfsg1-1 (bug #607286) CVE-2010-5098 (Cross-site scripting (XSS) vulnerability in the FORM content object in ...) - typo3-src 4.3.9+dfsg1-1 (bug #607286) CVE-2010-5097 (Cross-site scripting (XSS) vulnerability in the click enlarge function ...) - typo3-src 4.3.9+dfsg1-1 (bug #607286) CVE-2010-5096 NOT-FOR-US: MyBB CVE-2010-5095 (Cross-site scripting (XSS) vulnerability in SilverStripe 2.3.x before ...) - silverstripe (bug #528461) NOTE: http://seclists.org/oss-sec/2012/q2/209 CVE-2010-5094 (The deleteinstallfiles function in control/ContentController.php in Si ...) - silverstripe (bug #528461) NOTE: http://seclists.org/oss-sec/2012/q2/209 CVE-2010-5093 (Member_ProfileForm in security/Member.php in SilverStripe 2.3.x before ...) - silverstripe (bug #528461) NOTE: http://seclists.org/oss-sec/2012/q2/209 CVE-2010-5092 (The Add Member dialog in the Security admin page in SilverStripe 2.4.0 ...) - silverstripe (bug #528461) NOTE: http://seclists.org/oss-sec/2012/q2/209 CVE-2010-5091 (The setName function in filesystem/File.php in SilverStripe 2.3.x befo ...) - silverstripe (bug #528461) NOTE: http://seclists.org/oss-sec/2012/q2/209 CVE-2010-5090 (SilverStripe before 2.4.2 allows remote authenticated users to change ...) - silverstripe (bug #528461) NOTE: http://seclists.org/oss-sec/2012/q2/209 CVE-2010-5089 (SilverStripe before 2.4.2 does not properly restrict access to pages i ...) - silverstripe (bug #528461) NOTE: http://seclists.org/oss-sec/2012/q2/209 CVE-2010-5088 (Multiple cross-site request forgery (CSRF) vulnerabilities in SilverSt ...) - silverstripe (bug #528461) NOTE: http://seclists.org/oss-sec/2012/q2/209 CVE-2010-5087 (SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4 allows remote ...) - silverstripe (bug #528461) NOTE: http://seclists.org/oss-sec/2012/q2/209 CVE-2012-2416 (chan_sip.c in the SIP channel driver in Asterisk Open Source 1.8.x bef ...) - asterisk 1:1.8.11.1~dfsg-1 (bug #670180) [squeeze] - asterisk (Vulnerable code not present) CVE-2012-2415 (Heap-based buffer overflow in chan_skinny.c in the Skinny channel driv ...) {DSA-2460-1} - asterisk 1:1.8.11.1~dfsg-1 (bug #670180) CVE-2012-2414 (main/manager.c in the Manager Interface in Asterisk Open Source 1.6.2. ...) {DSA-2460-1} - asterisk 1:1.8.11.1~dfsg-1 (bug #670180) CVE-2012-2398 (Cross-site scripting (XSS) vulnerability in files/ajax/download.php in ...) - owncloud 3.0.3-1 CVE-2012-2397 (Cross-site request forgery (CSRF) vulnerability in ownCloud before 3.0 ...) - owncloud 3.0.3-1 CVE-2012-2396 (VideoLAN VLC media player 2.0.1 allows remote attackers to cause a den ...) - vlc (Not used, see bug #671727) - taglib 1.7.2-1 (unimportant) CVE-2012-2395 (Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 ...) - cobbler (Fixed before initial upload) CVE-2012-2394 (Wireshark 1.4.x before 1.4.13 and 1.6.x before 1.6.8 on the SPARC and ...) - wireshark 1.6.8-1 (unimportant) NOTE: Not suitable for code injection NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7221 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=824419 CVE-2012-2393 (epan/dissectors/packet-diameter.c in the DIAMETER dissector in Wiresha ...) - wireshark 1.6.8-1 (unimportant) NOTE: Not suitable for code injection NOTE: http://www.wireshark.org/security/wnpa-sec-2012-09.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7133 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=824413 CVE-2012-2392 (Wireshark 1.4.x before 1.4.13 and 1.6.x before 1.6.8 allows remote att ...) - wireshark 1.6.8-1 (unimportant) NOTE: Not suitable for code injection NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6805 Squeeze: vulnerable code not present NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7118 Squeeze: vulnerable code present NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7119 Squeeze: vulnerable code present NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7120 Squeeze: vulnerable code not present NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7121 Squeeze: vulnerable code present NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7122 Squeeze: vulnerable code present NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7124 Squeeze: vulnerable code not present NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7125 is CVE-2012-3825 and CVE-2012-3826 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=824411 CVE-2012-2391 REJECTED CVE-2012-2390 (Memory leak in mm/hugetlb.c in the Linux kernel before 3.4.2 allows lo ...) - linux 3.2.19-1 (low) - linux-2.6 [squeeze] - linux-2.6 2.6.32-46 CVE-2012-2389 (hostapd 0.7.3, and possibly other versions before 1.0, uses 0644 permi ...) - hostapd (Debian package provides no default config file) - wpa (Debian package provides no default config file) CVE-2012-2388 (The GMP Plugin in strongSwan 4.2.0 through 4.6.3 allows remote attacke ...) {DSA-2483-1} - strongswan 4.5.2-1.4 CVE-2012-2387 (devotee 0.1 patch 2 uses a 32-bit seed for generating 48-bit random nu ...) - devotee (bug #470995) CVE-2012-2386 (Integer overflow in the phar_parse_tarfile function in tar.c in the ph ...) {DSA-2492-1} - php5 5.4.4~rc1-1 CVE-2012-2385 (The terminal dispatcher in mosh before 1.2.1 allows remote authenticat ...) - mosh 1.2.1-1 (low; bug #673871) [squeeze] - mosh 1.2.1-1 (low; bug #673871) NOTE: https://github.com/keithw/mosh/issues/271 NOTE: https://github.com/keithw/mosh/commit/9791768705528e911bfca6c4d8aa88139035060e CVE-2012-2384 (Integer overflow in the i915_gem_do_execbuffer function in drivers/gpu ...) - linux-2.6 3.2.17-1 [squeeze] - linux-2.6 (Vulnerable code not present) CVE-2012-2383 (Integer overflow in the i915_gem_execbuffer2 function in drivers/gpu/d ...) - linux-2.6 3.2.17-1 [squeeze] - linux-2.6 (Vulnerable code not present) CVE-2012-2382 REJECTED CVE-2012-2381 (Multiple cross-site scripting (XSS) vulnerabilities in Apache Roller b ...) NOT-FOR-US: Apache Roller CVE-2012-2380 (Multiple cross-site request forgery (CSRF) vulnerabilities in the admi ...) NOT-FOR-US: Apache Roller CVE-2012-2379 (Apache CXF 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2. ...) NOT-FOR-US: Apache CXF CVE-2012-2378 (Apache CXF 2.4.5 through 2.4.7, 2.5.1 through 2.5.3, and 2.6.x before ...) NOT-FOR-US: Apache CXF CVE-2012-2377 (JGroups diagnostics service in JBoss Enterprise Portal Platform before ...) - jbossas4 (Only builds a few libraries, not the full application server) CVE-2012-2376 (Buffer overflow in the com_print_typeinfo function in PHP 5.4.3 and ea ...) - php5 (Windows-specific vulnerability) CVE-2012-2375 (The __nfs4_get_acl_uncached function in fs/nfs/nfs4proc.c in the NFSv4 ...) - linux 3.2.19-1 - linux-2.6 [squeeze] - linux-2.6 (Incomplete patch was not released) CVE-2012-2374 (CRLF injection vulnerability in the tornado.web.RequestHandler.set_hea ...) - python-tornado 2.1.0-3 (low; bug #673987) [squeeze] - python-tornado (Vulnerable code not present) CVE-2012-2373 (The Linux kernel before 3.4.5 on the x86 platform, when Physical Addre ...) - linux-2.6 3.2.19-1 [squeeze] - linux-2.6 (Vulnerable code not present) CVE-2012-2372 (The rds_ib_xmit function in net/rds/ib_send.c in the Reliable Datagram ...) - linux 3.11.10-1 (unimportant) [wheezy] - linux 3.2.53-1 NOTE: rds is not included in distributed kernel images, only marked as "experimental" CVE-2012-2371 (Cross-site scripting (XSS) vulnerability in index.php in the WP-FaceTh ...) NOT-FOR-US: WP-FaceThumb plugin for WordPress CVE-2012-2370 (Multiple integer overflows in the read_bitmap_file_data function in io ...) - gdk-pixbuf 2.26.1-1 (low) CVE-2012-2369 (Format string vulnerability in the log_message_cb function in otr-plug ...) {DSA-2476-1} - pidgin-otr 3.2.1-1 (medium; bug #673154) NOTE: libotr not affected CVE-2012-2368 (Bytemark Symbiosis before Revision 1322 does not properly validate pas ...) NOT-FOR-US: Bytemark Symbiosis CVE-2012-2367 (Moodle 1.9.x before 1.9.18, 2.0.x before 2.0.9, 2.1.x before 2.1.6, an ...) - moodle 2.2.3.dfsg-1 (low; bug #674163) [squeeze] - moodle 1.9.9.dfsg2-2.1+squeeze4 CVE-2012-2366 (mod/data/preset.php in Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2. ...) - moodle 2.2.3.dfsg-1 (bug #674163) [squeeze] - moodle (Only affects 2.1 to 2.2) CVE-2012-2365 (Cross-site scripting (XSS) vulnerability in Moodle 2.0.x before 2.0.9, ...) - moodle 2.2.3.dfsg-1 (bug #674163) [squeeze] - moodle (Only affects 2.0 to 2.2) CVE-2012-2364 (Cross-site scripting (XSS) vulnerability in lib/filelib.php in Moodle ...) - moodle 2.2.3.dfsg-1 (bug #674163) [squeeze] - moodle (Only affects 2.0 to 2.2) CVE-2012-2363 (SQL injection vulnerability in calendar/event.php in the calendar impl ...) - moodle 2.0-1 (bug #674163) [squeeze] - moodle 1.9.9.dfsg2-2.1+squeeze4 NOTE: Only affects Moodle 1.9.x CVE-2012-2362 (Cross-site scripting (XSS) vulnerability in blog/lib.php in the blog i ...) - moodle 2.0-1 (bug #674163) [squeeze] - moodle 1.9.9.dfsg2-2.1+squeeze4 NOTE: Only affects Moodle 1.9.x CVE-2012-2361 (Cross-site scripting (XSS) vulnerability in admin/webservice/forms.php ...) - moodle 2.2.3.dfsg-1 (bug #674163) [squeeze] - moodle (Only affects 2.0 to 2.2) CVE-2012-2360 (Cross-site scripting (XSS) vulnerability in the Wiki subsystem in Mood ...) - moodle 2.2.3.dfsg-1 (bug #674163) [squeeze] - moodle (Only affects 2.0 to 2.2) CVE-2012-2359 (admin/roles/override.php in Moodle 2.0.x before 2.0.9, 2.1.x before 2. ...) - moodle 2.2.3.dfsg-1 (bug #674163) [squeeze] - moodle (Only affects 2.0 to 2.2) CVE-2012-2358 (Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 ...) - moodle 2.2.3.dfsg-1 (bug #674163) [squeeze] - moodle (Only affects 2.0 to 2.2) CVE-2012-2357 (The Multi-Authentication feature in the Central Authentication Service ...) - moodle 2.2.3.dfsg-1 (bug #674163) [squeeze] - moodle (Only affects 2.1 to 2.2) CVE-2012-2356 (The question-bank functionality in Moodle 2.1.x before 2.1.6 and 2.2.x ...) - moodle 2.2.3.dfsg-1 (bug #674163) [squeeze] - moodle (Only affects 2.1 to 2.2) CVE-2012-2355 (Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 allows remote authent ...) - moodle 2.2.3.dfsg-1 (bug #674163) [squeeze] - moodle (Only affects 2.1 to 2.2) CVE-2012-2354 (Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 allows remote authent ...) - moodle 2.2.3.dfsg-1 (bug #674163) [squeeze] - moodle (Only affects 2.1 to 2.2) CVE-2012-2353 (Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 allows remote authent ...) - moodle 2.2.3.dfsg-1 (bug #674163) [squeeze] - moodle (Only affects 2.1 to 2.2) CVE-2012-2352 (The archive management (arc_manage) page in wwsympa/wwsympa.fcgi.in in ...) {DSA-2477-1} - sympa 6.1.11~dfsg-1 (bug #672893; high) NOTE: http://www.openwall.com/lists/oss-security/2012/05/12/8 CVE-2012-2351 (The default configuration of the auth/saml plugin in Mahara before 1.4 ...) {DSA-2467-1} - mahara 1.4.2-1 CVE-2012-2350 (pam_shield before 0.9.4: Default configuration does not perform protec ...) - pam-shield 0.9.2-3.3 (low; bug #658830) [squeeze] - pam-shield 0.9.2-3.3~squeeze1 CVE-2012-2349 REJECTED CVE-2012-2348 REJECTED CVE-2012-2347 REJECTED CVE-2012-2346 REJECTED CVE-2012-2345 REJECTED CVE-2012-2344 REJECTED CVE-2012-2343 REJECTED CVE-2012-2342 REJECTED CVE-2012-2341 (Cross-site request forgery (CSRF) vulnerability in the Take Control mo ...) NOTE: http://www.openwall.com/lists/oss-security/2012/05/10/6 NOTE: http://www.openwall.com/lists/oss-security/2012/05/11/2 NOT-FOR-US: Drupal Take Control CVE-2012-2340 (The Contact Forms module 7.x-1.x before 7.x-1.2 for Drupal does not sp ...) NOTE: http://www.openwall.com/lists/oss-security/2012/05/10/6 NOTE: http://www.openwall.com/lists/oss-security/2012/05/11/2 NOT-FOR-US: Drupal Contact Forms CVE-2012-2339 (Cross-site scripting (XSS) vulnerability in the Glossary module 6.x-1. ...) NOTE: http://www.openwall.com/lists/oss-security/2012/05/10/6 NOTE: http://www.openwall.com/lists/oss-security/2012/05/11/2 NOT-FOR-US: Drupal Glossary CVE-2012-2338 (SQL injection vulnerability in includes/picture.class.php in Galette 0 ...) NOT-FOR-US: Galette NOTE: http://redmine.ulysses.fr/issues/250 NOTE: http://redmine.ulysses.fr/projects/galette/repository/revisions/8c13ec159ba NOTE: http://www.openwall.com/lists/oss-security/2012/05/10/5 NOTE: http://www.openwall.com/lists/oss-security/2012/05/11/1 CVE-2012-2337 (sudo 1.6.x and 1.7.x before 1.7.9p1, and 1.8.x before 1.8.4p5, does no ...) {DSA-2478-1} - sudo 1.8.3p2-1.1 (bug #673766) CVE-2012-2336 (sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when ...) - php5 5.4.3 (unimportant) NOTE: Rather harmless bug CVE-2012-2335 (php-wrapper.fcgi does not properly handle command-line arguments, whic ...) NOT-FOR-US: Incomplete wrapper provided by PHP as workaround for CVE-2012-1823/CVE-2012-2311 CVE-2012-2334 (Integer overflow in filter/source/msfilter/msdffimp.cxx in OpenOffice. ...) {DSA-2487-1} - libreoffice 1:3.5.2~rc2-1 - openoffice.org 1:3.3.0-1 NOTE: Since 3.3.0 openoffice.org is a transitional source package CVE-2012-2333 (Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1 ...) {DSA-2475-1} - openssl 1.0.1c-1 (bug #672452) NOTE: http://seclists.org/oss-sec/2012/q2/299 NOTE: http://www.openssl.org/news/secadv/20120510.txt CVE-2012-2332 (SQL injection vulnerability in serendipity/serendipity_admin.php in Se ...) - serendipity (bug #671937; low) [squeeze] - serendipity (Minor issue) NOTE: http://web.archive.org/web/20120527103654/http://www.koramis.com:80/advisories/2012/KORAMIS-ADV2012-001.txt NOTE: http://blog.s9y.org/archives/240-Serendipity-1.6.1-released.html NOTE: CVE id requested http://seclists.org/oss-sec/2012/q2/276 CVE-2012-2331 (Cross-site scripting (XSS) vulnerability in serendipity/serendipity_ad ...) - serendipity (bug #671937; low) [squeeze] - serendipity (Minor issue) NOTE: http://web.archive.org/web/20120527103654/http://www.koramis.com:80/advisories/2012/KORAMIS-ADV2012-001.txt NOTE: http://blog.s9y.org/archives/240-Serendipity-1.6.1-released.html NOTE: CVE id requested http://seclists.org/oss-sec/2012/q2/276 CVE-2012-2330 (The Update method in src/node_http_parser.cc in Node.js before 0.6.17 ...) - nodejs 0.6.17~dfsg1-1 NOTE: http://blog.nodejs.org/2012/05/07/http-server-security-vulnerability-please-upgrade-to-0-6-17/ NOTE: https://github.com/joyent/node/commit/c9a231d CVE-2012-2329 (Buffer overflow in the apache_request_headers function in sapi/cgi/cgi ...) - php5 5.4.3-1 [squeeze] - php5 (Vulnerable code not present) NOTE: 5.4.x only CVE-2012-2328 (internal/cimxml/sax/NodeFactory.java in Standards-Based Linux Instrume ...) NOT-FOR-US: sblim CVE-2012-2327 (MyBB (aka MyBulletinBoard) before 1.6.7 allows remote attackers to obt ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) NOTE: http://blog.mybb.com/2012/04/01/mybb-1-6-7-update-1-8-development/ NOTE: http://www.openwall.com/lists/oss-security/2012/05/07/14 CVE-2012-2326 (Cross-site scripting (XSS) vulnerability in the Admin Control Panel (A ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) NOTE: http://blog.mybb.com/2012/04/01/mybb-1-6-7-update-1-8-development/ NOTE: http://www.openwall.com/lists/oss-security/2012/05/07/14 CVE-2012-2325 (SQL injection vulnerability in the User Inline Moderation feature in t ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) NOTE: http://blog.mybb.com/2012/04/01/mybb-1-6-7-update-1-8-development/ NOTE: http://www.openwall.com/lists/oss-security/2012/05/07/14 CVE-2012-2324 (Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) b ...) NOT-FOR-US: MyBB CVE-2012-2323 REJECTED CVE-2012-2322 (Integer overflow in the dhcpv6_get_option function in gdhcp/client.c i ...) - connman 1.0-1 (bug #672989) [squeeze] - connman (Vulnerable code not present) CVE-2012-2321 (The loopback plug-in in ConnMan before 0.85 allows remote attackers to ...) - connman 1.0-1 (low; bug #672989) [squeeze] - connman (Minor issue) CVE-2012-2320 (ConnMan before 0.85 does not ensure that netlink messages originate fr ...) - connman 1.0-1 (low; bug #672989) [squeeze] - connman (Minor issue) CVE-2012-2319 (Multiple buffer overflows in the hfsplus filesystem implementation in ...) - linux 3.2.17-1 (low) - linux-2.6 [squeeze] - linux-2.6 2.6.32-46 CVE-2012-2318 (msg.c in the MSN protocol plugin in libpurple in Pidgin before 2.10.4 ...) - pidgin 2.10.4-1 [squeeze] - pidgin (Support in oldstable is limited to IRC, Jabber/XMPP, Sametime and SIMPLE) CVE-2012-2317 (The Debian php_crypt_revamped.patch patch for PHP 5.3.x, as used in th ...) - php5 5.3.6-1 (bug #581170) [squeeze] - php5 5.3.3-7+squeeze4 CVE-2012-2316 (Cross-site request forgery (CSRF) vulnerability in servlet/admin/AuthS ...) NOT-FOR-US: OpenKM CVE-2012-2315 (admin/Auth in OpenKM 5.1.7 and other versions before 5.1.8-2 does not ...) NOT-FOR-US: OpenKM CVE-2012-2314 (The bootloader configuration module (pyanaconda/bootloader.py) in Anac ...) NOT-FOR-US: The anaconda installer CVE-2012-2313 (The rio_ioctl function in drivers/net/ethernet/dlink/dl2k.c in the Lin ...) - linux 3.2.19-1 - linux-2.6 [squeeze] - linux-2.6 2.6.32-46 CVE-2012-2312 (An Elevated Privileges issue exists in JBoss AS 7 Community Release du ...) - jbossas4 (Only affects JBoss 7) CVE-2012-2311 (sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when ...) {DSA-2465-1} - php5 5.4.3-1 (bug #671880) NOTE: This CVE ID is for the initial incomplete fix for CVE-2012-1823 NOTE: http://www.kb.cert.org/vuls/id/520827 CVE-2012-2310 (Cross-site scripting (XSS) vulnerability in the cctags module for Drup ...) NOT-FOR-US: Drupal addon not packaged CVE-2012-2309 (Cross-site scripting (XSS) vulnerability in the Glossify Internal Link ...) NOT-FOR-US: Drupal addon not packaged CVE-2012-2308 (Cross-site scripting (XSS) vulnerability in the Taxonomy Grid : Catalo ...) NOT-FOR-US: Drupal addon not packaged CVE-2012-2307 (Cross-site request forgery (CSRF) vulnerability in the Addressbook mod ...) NOT-FOR-US: Drupal addon not packaged CVE-2012-2306 (SQL injection vulnerability in the Addressbook module for Drupal 6.x-4 ...) NOT-FOR-US: Drupal addon not packaged CVE-2012-2305 (Cross-site request forgery (CSRF) vulnerability in the Node Gallery mo ...) NOT-FOR-US: Drupal addon not packaged CVE-2012-2304 (The Linkit module 7.x-2.x before 7.x-2.3 for Drupal, when using an ent ...) NOT-FOR-US: Drupal addon not packaged CVE-2012-2303 (The Spaces module 6.x-3.x before 6.x-3.4 for Drupal does not enforce p ...) NOT-FOR-US: Drupal addon not packaged CVE-2012-2302 (Site Documentation (Sitedoc) module for Drupal 6.x-1.x before 6.x-1.4 ...) NOT-FOR-US: Drupal addon not packaged CVE-2012-2301 (The Ubercart module 6.x-2.x before 6.x-2.8 for Drupal allows remote au ...) NOT-FOR-US: Drupal addon not packaged CVE-2012-2300 (Multiple cross-site scripting (XSS) vulnerabilities in the Ubercart mo ...) NOT-FOR-US: Drupal addon not packaged CVE-2012-2299 (The Ubercart module 6.x-2.x before 6.x-2.8 and 7.x-3.x before 7.x-3.1 ...) NOT-FOR-US: Drupal addon not packaged CVE-2012-2298 (Multiple cross-site scripting (XSS) vulnerabilities in the RealName mo ...) NOT-FOR-US: Drupal addon not packaged CVE-2012-2297 (Multiple cross-site scripting (XSS) vulnerabilities in the Creative Co ...) NOT-FOR-US: Drupal addon not packaged CVE-2012-2296 (The Janrain Engage (formerly RPX) module for Drupal 6.x-1.x. 6.x-2.x b ...) NOT-FOR-US: Drupal addon not packaged CVE-2012-2295 REJECTED CVE-2012-2294 (EMC RSA Archer SmartSuite Framework 4.x and RSA Archer GRC 5.x before ...) NOT-FOR-US: EMC RSA Archer CVE-2012-2293 (Directory traversal vulnerability in EMC RSA Archer SmartSuite Framewo ...) NOT-FOR-US: EMC RSA Archer CVE-2012-2292 (The Silverlight cross-domain policy in EMC RSA Archer SmartSuite Frame ...) NOT-FOR-US: EMC RSA Archer CVE-2012-2291 (EMC Avamar Client 4.x, 5.x, and 6.x on HP-UX and Mac OS X, and the EMC ...) NOT-FOR-US: EMC Avamar CVE-2012-2290 (The client in EMC NetWorker Module for Microsoft Applications (NMM) 2. ...) NOT-FOR-US: EMC NetWorker Module for Microsoft Applications CVE-2012-2289 (EMC ApplicationXtender Desktop before 6.5 SP2 and ApplicationXtender W ...) NOT-FOR-US: EMC CVE-2012-2288 (Format string vulnerability in the nsrd RPC service in EMC NetWorker 7 ...) NOT-FOR-US: EMC NetWorker CVE-2012-2287 (The authentication functionality in EMC RSA Authentication Agent 7.1 a ...) NOT-FOR-US: EMC RSA Authentication agent CVE-2012-2286 (Unspecified vulnerability in EMC RSA Adaptive Authentication On-Premis ...) NOT-FOR-US: EMC RSA Authentication agent CVE-2012-2285 (EMC Cloud Tiering Appliance (aka CTA, formerly FMA) 9.0 and earlier, a ...) NOT-FOR-US: EMC Cloud Tiering Appliance CVE-2012-2284 (The (1) install and (2) upgrade processes in EMC NetWorker Module for ...) NOT-FOR-US: EMC NetWorker Module for Microsoft Applications CVE-2012-2283 (The Iomega Home Media Network Hard Drive with EMC Lifeline firmware be ...) NOT-FOR-US: Iomega Home Media Network Hard Drive CVE-2012-2282 (EMC Celerra Network Server 6.x before 6.0.61.0, VNX 7.x before 7.0.53. ...) NOT-FOR-US: EMC Celerra/VNX/VNXe CVE-2012-2281 (EMC RSA Access Manager Server 6.x before 6.1 SP4 and RSA Access Manage ...) NOT-FOR-US: RSA Access Manager NOTE: http://seclists.org/bugtraq/2012/Jul/36 CVE-2012-2280 (EMC RSA Authentication Manager 7.1 before SP4 P14 and RSA SecurID Appl ...) NOT-FOR-US: RSA Authentication Agent CVE-2012-2279 (Open redirect vulnerability in the Security Console in EMC RSA Authent ...) NOT-FOR-US: RSA Authentication Agent CVE-2012-2278 (Multiple cross-site scripting (XSS) vulnerabilities in the (1) Self-Se ...) NOT-FOR-US: RSA Authentication Agent CVE-2012-2277 (The IRM Server in EMC Documentum Information Rights Management 4.x bef ...) NOT-FOR-US: EMC Documentum Information Rights Management CVE-2012-2276 (The IRM Server in EMC Documentum Information Rights Management 4.x bef ...) NOT-FOR-US: EMC Documentum Information Rights Management CVE-2012-2275 (Multiple cross-site request forgery (CSRF) vulnerabilities in TestLink ...) NOT-FOR-US: TestLink CVE-2012-2274 (Cross-site scripting (XSS) vulnerability in pivotx/ajaxhelper.php in P ...) NOT-FOR-US: PivotX CVE-2012-2273 (Comodo Internet Security before 5.10.228257.2253 on Windows 7 x64 allo ...) NOT-FOR-US: Comodo Internet Security CVE-2012-2272 RESERVED CVE-2012-2271 (Buffer overflow in the InitLicenKeys function in a certain ActiveX con ...) NOT-FOR-US: SkinCrafter CVE-2012-2270 (Open redirect vulnerability in index.php (aka the Login Page) in ownCl ...) - owncloud 3.0.3-1 CVE-2012-2269 (Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before ...) - owncloud 3.0.2-1 CVE-2011-5089 (Buffer overflow in the Security Login ActiveX controls in ICONICS GENE ...) NOT-FOR-US: ICONICS, BizViz CVE-2011-5088 (The GENESIS32 IcoSetServer ActiveX control in ICONICS GENESIS32 9.21 a ...) NOT-FOR-US: ICONICS GENESIS32, BizViz CVE-2011-5087 (Unspecified vulnerability in AdAstrA TRACE MODE Data Center allows rem ...) NOT-FOR-US: AdAstrA TRACE MODE Data Center CVE-2011-5086 (https50.ocx in IP*Works! SSL in the server in Unitronics UniOPC before ...) NOT-FOR-US: Unitronics UniOPC CVE-2012-2268 (master.exe in the SNMP Master Agent in RealNetworks Helix Server and H ...) NOT-FOR-US: RealNetworks Helix CVE-2012-2267 (master.exe in the SNMP Master Agent in RealNetworks Helix Server and H ...) NOT-FOR-US: RealNetworks Helix CVE-2012-2266 REJECTED CVE-2012-2265 REJECTED CVE-2012-2264 REJECTED CVE-2012-2263 REJECTED CVE-2012-2262 REJECTED CVE-2012-2261 REJECTED CVE-2012-2260 REJECTED CVE-2012-2259 REJECTED CVE-2012-2258 REJECTED CVE-2012-2257 REJECTED CVE-2012-2256 REJECTED CVE-2012-2255 REJECTED CVE-2012-2254 REJECTED CVE-2012-2253 (Cross-site scripting (XSS) vulnerability in group/members.php in Mahar ...) {DSA-2591-1} - mahara 1.5.1-3.1 (bug #695789) CVE-2012-2252 (Incomplete blacklist vulnerability in rssh before 2.3.4, when the rsyn ...) {DSA-2578-1} - rssh 2.3.3-6 CVE-2012-2251 (rssh 2.3.2, as used by Debian, Fedora, and others, when the rsync prot ...) {DSA-2578-1} - rssh 2.3.3-6 CVE-2012-2250 (Tor before 0.2.3.24-rc allows remote attackers to cause a denial of se ...) {DLA-17-1} - tor 0.2.3.24-rc-1 (low) [squeeze] - tor 0.2.4.23-1~deb6u1 CVE-2012-2249 (Tor before 0.2.3.23-rc allows remote attackers to cause a denial of se ...) {DLA-17-1} - tor 0.2.3.23-rc-1 (low) [squeeze] - tor 0.2.4.23-1~deb6u1 CVE-2012-2248 (An issue was discovered in dhclient 4.3.1-6 due to an embedded path va ...) - isc-dhcp 4.2.4-3 (bug #690532) [wheezy] - isc-dhcp 4.2.2.dfsg.1-5+deb70u2 [squeeze] - isc-dhcp (CLIENT_PATH is not correctly defined) NOTE: Debian-specific CVE-2012-2247 (Cross-site scripting (XSS) vulnerability in Mahara 1.4.x before 1.4.5 ...) {DSA-2591-1} - mahara 1.5.1-3 NOTE: https://mahara.org/interaction/forum/topic.php?id=4938 NOTE: https://bugs.launchpad.net/mahara/+bug/1061980 CVE-2012-2246 (Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4 allows remote attacke ...) {DSA-2591-1} - mahara 1.5.1-3 NOTE: https://mahara.org/interaction/forum/topic.php?id=493 NOTE: https://bugs.launchpad.net/mahara/+bug/1057240 CVE-2012-2245 REJECTED CVE-2012-2244 (Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4 allows remote authent ...) {DSA-2591-1} - mahara 1.5.1-3 NOTE: https://mahara.org/interaction/forum/topic.php?id=4936 NOTE: https://bugs.launchpad.net/mahara/+bug/1057238 CVE-2012-2243 (Cross-site scripting (XSS) vulnerability in Mahara 1.4.x before 1.4.5 ...) {DSA-2591-1} - mahara 1.5.1-3 NOTE: https://mahara.org/interaction/forum/topic.php?id=4937 NOTE: https://bugs.launchpad.net/mahara/+bug/1055232 NOTE: https://bugs.launchpad.net/mahara/+bug/1063480 CVE-2012-2242 (scripts/dget.pl in devscripts before 2.10.73 allows remote attackers t ...) {DSA-2549-1} - devscripts 2.12.3 CVE-2012-2241 (scripts/dget.pl in devscripts before 2.12.3 allows remote attackers to ...) {DSA-2549-1} - devscripts 2.12.3 CVE-2012-2240 (scripts/dscverify.pl in devscripts before 2.12.3 allows remote attacke ...) {DSA-2549-1} - devscripts 2.12.3 CVE-2012-2239 (Mahara 1.4.x before 1.4.4 and 1.5.x before 1.5.3 allows remote attacke ...) {DSA-2591-1} - mahara 1.5.1-3 CVE-2012-2238 (trytond 2.4: ModelView.button fails to validate authorization ...) - tryton-server (only affected 2.4, in experimental) CVE-2012-2237 (Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.4.x be ...) {DSA-2540-1} - mahara 1.5.1-2 CVE-2012-2236 (SQL injection vulnerability in users.php in PHP Gift Registry 1.5.5 al ...) NOT-FOR-US: PHP Gift Registry CVE-2012-2235 (Cross-site scripting (XSS) vulnerability in Support Incident Tracker ( ...) NOT-FOR-US: Support Incident Tracker CVE-2012-2234 (Cross-site scripting (XSS) vulnerability in sources/users.queries.php ...) - teampass (bug #730180) CVE-2012-2233 RESERVED CVE-2012-2232 RESERVED CVE-2012-2231 RESERVED CVE-2012-2230 (Cloudera Manager 3.7.x before 3.7.5 and Service and Configuration Mana ...) NOT-FOR-US: Cloudera Manager CVE-2012-2229 RESERVED CVE-2012-2228 RESERVED CVE-2012-2227 (Directory traversal vulnerability in update/index.php in PluXml before ...) NOT-FOR-US: PluXml CVE-2012-2226 (Invision Power Board before 3.3.1 fails to sanitize user-supplied inpu ...) NOT-FOR-US: Invision Power Board CVE-2012-2225 (360zip 1.93beta allows remote attackers to execute arbitrary code via ...) NOT-FOR-US: 360zip CVE-2012-2224 (Xunlei Thunder before 7.2.6 allows remote attackers to execute arbitra ...) NOT-FOR-US: Xunlei Thunder CVE-2012-2223 (The xplat agent in Novell ZENworks Configuration Management (ZCM) 10.3 ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2012-2222 RESERVED CVE-2012-2221 RESERVED CVE-2012-2220 RESERVED CVE-2012-2219 RESERVED CVE-2012-2218 RESERVED CVE-2012-2217 (The HTC IQRD service for Android on the HTC EVO 4G before 4.67.651.3, ...) NOT-FOR-US: Android CVE-2012-2216 REJECTED CVE-2012-2095 (The SetWiredProperty function in the D-Bus interface in WICD before 1. ...) - wicd 1.7.2.4-1 (low; bug #668397) [squeeze] - wicd 1.7.0+ds1-5+squeeze2 CVE-2012-2215 (Directory traversal vulnerability in the Preboot Service in Novell ZEN ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2012-2214 (proxy.c in libpurple in Pidgin before 2.10.4 does not properly handle ...) - pidgin 2.10.4-1 [squeeze] - pidgin (Update not feasible, updated packages are provided through backports) NOTE: http://www.pidgin.im/news/security/?id=62 CVE-2012-2213 (** DISPUTED ** Squid 3.1.9 allows remote attackers to bypass the acces ...) NOT-FOR-US: Disputed Squid access bypass, probably user error and minor impact anyway CVE-2012-2212 (** DISPUTED ** McAfee Web Gateway 7.0 allows remote attackers to bypas ...) NOT-FOR-US: McAfee Web Gateway CVE-2012-2211 (Cross-site scripting (XSS) vulnerability in phpgwapi/inc/common_functi ...) - egroupware CVE-2012-2210 (The Sony Bravia TV KDL-32CX525 allows remote attackers to cause a deni ...) NOT-FOR-US: Sony Bravia CVE-2012-2209 (Multiple cross-site scripting (XSS) vulnerabilities in admin.php in Pi ...) - piwigo (bug #685364) [squeeze] - piwigo (Unsupported in squeeze-lts) NOTE: Request to mark the package as unsupported in #779104 CVE-2012-2208 (Directory traversal vulnerability in upgrade.php in Piwigo before 2.3. ...) - piwigo (bug #685364) [squeeze] - piwigo (Unsupported in squeeze-lts) NOTE: Request to mark the package as unsupported in #779104 CVE-2012-2207 RESERVED CVE-2012-2206 (The Web Gateway component in IBM WebSphere MQ File Transfer Edition 7. ...) NOT-FOR-US: IBM WebSphere MQ File Transfer Edition CVE-2012-2205 (Cross-site scripting (XSS) vulnerability in IBM Rational ClearQuest 7. ...) NOT-FOR-US: IBM Rational ClearQuest CVE-2012-2204 (InfoSphere Guardium aix_ktap module: DoS ...) NOT-FOR-US: InfoSphere Guardium aix_ktap module CVE-2012-2203 (IBM Global Security Kit (aka GSKit) before 8.0.14.22, as used in IBM R ...) NOT-FOR-US: IBM Global Security Kit CVE-2012-2202 (Directory traversal vulnerability in javatester_init.php in IBM Lotus ...) NOT-FOR-US: IBM Lotus Protector, IBM ISS Proventia Network Mail Security System CVE-2012-2201 RESERVED CVE-2012-2200 (The default configuration of sendmail in IBM AIX 6.1 and 7.1, and VIOS ...) NOT-FOR-US: sendmail configuration in AIX CVE-2012-2199 (The server message channel agent in the queue manager in the server in ...) NOT-FOR-US: IBM WebSphere MQ CVE-2012-2198 RESERVED CVE-2012-2197 (Stack-based buffer overflow in the Java Stored Procedure infrastructur ...) NOT-FOR-US: IBM DB2 CVE-2012-2196 (IBM DB2 9.1 before FP12, 9.5 through FP9, 9.7 through FP6, 9.8 through ...) NOT-FOR-US: IBM DB2 CVE-2012-2195 RESERVED CVE-2012-2194 (Directory traversal vulnerability in the SQLJ.DB2_INSTALL_JAR stored p ...) NOT-FOR-US: IBM DB2 CVE-2012-2193 (Cross-site scripting (XSS) vulnerability in Query Studio in IBM Cognos ...) NOT-FOR-US: IBM Cognos Business Intelligence CVE-2012-2192 (The socketpair function in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.1.4- ...) NOT-FOR-US: AIX CVE-2012-2191 (IBM Global Security Kit (aka GSKit) before 8.0.14.22, as used in IBM R ...) NOT-FOR-US: IBM Global Security Kit CVE-2012-2190 (IBM Global Security Kit (aka GSKit), as used in IBM HTTP Server in IBM ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2012-2189 RESERVED CVE-2012-2188 (IBM Power Hardware Management Console (HMC) 7R3.5.0 before SP4, 7R7.1. ...) NOT-FOR-US: IBM Power Hardware Management Console CVE-2012-2187 (IBM Remote Supervisor Adapter II firmware for System x3650, x3850 M2, ...) NOT-FOR-US: IBM Remote Supervisor Adapter CVE-2012-2186 (Incomplete blacklist vulnerability in main/manager.c in Asterisk Open ...) {DSA-2550-1} - asterisk 1:1.8.13.1~dfsg-1 (bug #680470) CVE-2012-2185 (IBM Maximo Asset Management 6.2 through 7.5, as used in SmartCloud Con ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2012-2184 (Session fixation vulnerability in IBM Maximo Asset Management 7.1 thro ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2012-2183 (Session fixation vulnerability in IBM Maximo Asset Management 6.2 thro ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2012-2182 RESERVED CVE-2012-2181 (Directory traversal vulnerability in the Dojo module in IBM WebSphere ...) NOT-FOR-US: IBM WebSphere not in Debian CVE-2012-2180 (The chaining functionality in the Distributed Relational Database Arch ...) NOT-FOR-US: IBM DB2 CVE-2012-2179 (libodm.a in IBM AIX 5.3, 6.1, and 7.1 allows local users to overwrite ...) NOT-FOR-US: AIX CVE-2012-2178 RESERVED CVE-2012-2177 (Cross-site scripting (XSS) vulnerability in IBM Cognos Business Intell ...) NOT-FOR-US: IBM Cognos Business Intelligence CVE-2012-2176 (Multiple stack-based buffer overflows in a certain ActiveX control in ...) NOT-FOR-US: IBM Lotus Quickr CVE-2012-2175 (Buffer overflow in the Attachment_Times method in a certain ActiveX co ...) NOT-FOR-US: IBM Lotus iNotes CVE-2012-2174 (The URL handler in IBM Lotus Notes 8.x before 8.5.3 FP2 allows remote ...) NOT-FOR-US: Notes CVE-2012-2173 (The ODBC driver in IBM Security AppScan Source 7.x and 8.x before 8.6 ...) NOT-FOR-US: AppScan CVE-2012-2172 (Cross-site scripting (XSS) vulnerability in SoftwareRegistration.do in ...) NOT-FOR-US: IBM System Storage DS Storage Manager CVE-2012-2171 (SQL injection vulnerability in ModuleServlet.do in the Storage Manager ...) NOT-FOR-US: IBM System Storage DS Storage Manager CVE-2012-2170 (The Application Snoop Servlet in IBM WebSphere Application Server 7.0 ...) NOT-FOR-US: WebSphere CVE-2012-2169 (Cross-site scripting (XSS) vulnerability in the file-upload functional ...) NOT-FOR-US: IBM Rational ClearQuest CVE-2012-2168 (IBM Rational ClearQuest 7.1.x before 7.1.2.7 and 8.x before 8.0.0.3 al ...) NOT-FOR-US: IBM Rational ClearQuest CVE-2012-2167 (The IBM XIV Storage System Gen3 before 11.1.0.a allows remote attacker ...) NOT-FOR-US: IBM XIV Storage System Gen3 CVE-2012-2166 (IBM XIV Storage System 2810-A14 and 2812-A14 devices before level 10.2 ...) NOT-FOR-US: IBM XIV Storage System CVE-2012-2165 (IBM Rational ClearQuest 7.1.x before 7.1.2.7 and 8.x before 8.0.0.3, w ...) NOT-FOR-US: IBM Rational ClearQuest CVE-2012-2164 (The Web client in IBM Rational ClearQuest 7.1.x before 7.1.2.7 and 8.x ...) NOT-FOR-US: IBM Rational ClearQuest CVE-2012-2163 (IBM Scale Out Network Attached Storage (SONAS) 1.1 through 1.3.1 allow ...) NOT-FOR-US: IBM Scale Out Network Attached Storage CVE-2012-2162 (The Web Server Plug-in in IBM WebSphere Application Server (WAS) 8.0 a ...) NOT-FOR-US: WebSphere CVE-2012-2161 (Cross-site scripting (XSS) vulnerability in deferredView.jsp in IBM Ec ...) NOT-FOR-US: IBM Security AppScan Source CVE-2012-2160 RESERVED CVE-2012-2159 (Open redirect vulnerability in IBM Eclipse Help System (IEHS), as used ...) NOT-FOR-US: IBM Eclipse Help System CVE-2012-2158 RESERVED CVE-2012-2157 RESERVED CVE-2012-2156 (Multiple cross-site scripting (XSS) vulnerabilities in Plume CMS 1.2.4 ...) NOT-FOR-US: Plume CMS CVE-2012-2155 (Cross-site request forgery (CSRF) vulnerability in the CDN2 Video modu ...) NOT-FOR-US: Drupal addon not packaged CVE-2012-2154 (Cross-site scripting (XSS) vulnerability in the CDN2 Video module 6.x ...) NOT-FOR-US: Drupal addon not packaged CVE-2012-2153 (Drupal 7.x before 7.14 does not properly restrict access to nodes in a ...) - drupal7 7.14-1 CVE-2012-2152 (Stack-based buffer overflow in the get_packet method in socket.c in dh ...) {DSA-2498-1} - dhcpcd 1:3.2.3-11 (bug #671265) NOTE: http://www.openwall.com/lists/oss-security/2012/05/02/4 CVE-2012-2151 (Multiple cross-site scripting (XSS) vulnerabilities in SPIP 1.9.x befo ...) {DSA-2461-1} - spip 2.1.13-1 (low; bug #671264) CVE-2012-2150 (xfs_metadump in xfsprogs before 3.2.4 does not properly obfuscate file ...) - xfsprogs 3.2.4-1 (low; bug #793495) [jessie] - xfsprogs (Minor issue, too intrusive to backport) [wheezy] - xfsprogs (Minor issue) [squeeze] - xfsprogs (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=817696 NOTE: http://oss.sgi.com/pipermail/xfs/2015-July/042726.html CVE-2012-2149 (The WPXContentListener::_closeTableRow function in WPXContentListener. ...) - libwpd 0.8.14-1 NOTE: http://permalink.gmane.org/gmane.comp.security.full-disclosure/85789 NOTE: http://sourceforge.net/p/libwpd/code/ci/437bf6702164e30761a10771f95dd1c796f474b7 NOTE: http://sourceforge.net/p/libwpd/code/ci/5969b8f3f73418ebba2a722513a4cb285e7b9c23 CVE-2012-2148 (An issue exists in the property replacements feature in any descriptor ...) - jbossas4 (Only builds a few libraries, not the full application server) CVE-2012-2147 (munin-cgi-graph in Munin 2.0 rc4 allows remote attackers to cause a de ...) - munin 2.0~rc6-1 (bug #670811) [squeeze] - munin (Vulnerable code not present) CVE-2012-2146 (Elixir 0.8.0 uses Blowfish in CFB mode without constructing a unique i ...) - elixir 0.7.1-4 (low; bug #670919) [jessie] - elixir (Minor issue) [squeeze] - elixir (Minor issue) [wheezy] - elixir (Minor issue) CVE-2012-2145 (Apache Qpid 0.17 and earlier does not properly restrict incoming clien ...) - qpid-cpp 0.16-1 (bug #672124) CVE-2012-2144 (Session fixation vulnerability in OpenStack Dashboard (Horizon) folsom ...) - horizon 2012.1-4 (bug #671604) CVE-2012-2143 (The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-REL ...) {DSA-2491-1} - postgresql-9.1 9.1.4-1 - postgresql-8.4 8.4.12-1 - php5 5.3.3-1 NOTE: Uses the unaffected system libraries since 5.3.3 CVE-2012-2142 (The error function in Error.cc in poppler before 0.21.4 allows remote ...) - xpdf (uses poppler's Error.cc) - poppler 0.18.4-7 (unimportant; bug #487773) NOTE: poppler upstream patch http://cgit.freedesktop.org/poppler/poppler/commit/?id=71bad47ed6a36d825b0d08992c8db56845c71e40 CVE-2012-2141 (Array index error in the handle_nsExtendOutput2Table function in agent ...) - net-snmp 5.4.3~dfsg-2.5 (low; bug #672492) [squeeze] - net-snmp 5.4.3~dfsg-2+squeeze1 NOTE: Red Hat patch: https://bugzilla.redhat.com/attachment.cgi?id=580443&action=diff CVE-2012-2140 (The Mail gem before 2.4.3 for Ruby allows remote attackers to execute ...) - ruby-mail 2.4.4-1 CVE-2012-2139 (Directory traversal vulnerability in lib/mail/network/delivery_methods ...) - ruby-mail 2.4.4-1 CVE-2012-2138 (The @CopyFrom operation in the POST servlet in the org.apache.sling.se ...) NOT-FOR-US: Apache Sling CVE-2012-2137 (Buffer overflow in virt/kvm/irq_comm.c in the KVM subsystem in the Lin ...) - linux 3.2.20-1 CVE-2012-2136 (The sock_alloc_send_pskb function in net/core/sock.c in the Linux kern ...) - linux 3.2.20-1 - linux-2.6 [squeeze] - linux-2.6 2.6.32-46 CVE-2012-2135 (The utf-16 decoder in Python 3.1 through 3.3 does not update the align ...) - python3.1 (bug #670389) [squeeze] - python3.1 (Minor issue) - python3.2 3.2.3-1 (bug #670389) - python3.3 3.3.1-1 NOTE: http://bugs.python.org/issue14579 CVE-2012-2134 (The handle_connection_error function in ldap_helper.c in bind-dyndb-ld ...) NOT-FOR-US: Dynamic LDAP backend plugin for BIND CVE-2012-2133 (Use-after-free vulnerability in the Linux kernel before 3.3.6, when hu ...) {DSA-2469-1} - linux-2.6 3.2.19-1 CVE-2012-2132 (libsoup 2.32.2 and earlier does not validate certificates or clear the ...) - midori (unimportant; bug #672880) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=758431 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=817692 CVE-2012-2131 (Multiple integer signedness errors in crypto/buffer/buffer.c in OpenSS ...) {DSA-2454-2} - openssl (only affected patch against 0.9.8) NOTE: http://marc.info/?l=openssl-dev&m=133525318514423&w=2 CVE-2012-2130 (A Security Bypass vulnerability exists in PolarSSL 0.99pre4 through 1. ...) - polarssl 1.1.2-1 [squeeze] - polarssl (Introduced in 0.99-pre4) CVE-2012-2129 (Cross-site scripting (XSS) vulnerability in doku.php in DokuWiki 2012- ...) - dokuwiki 0.0.20120125a-1 (low; bug #670917) [squeeze] - dokuwiki NOTE: http://secunia.com/advisories/48848/ CVE-2012-2128 - dokuwiki 0.0.20120125a-1 (unimportant) NOTE: http://bugs.dokuwiki.org/index.php?do=details&task_id=2488 CVE-2012-2127 (fs/proc/root.c in the procfs implementation in the Linux kernel before ...) - linux-2.6 3.2-1 [squeeze] - linux-2.6 (Introduced in 3.1) CVE-2012-2126 (RubyGems before 1.8.23 does not verify an SSL certificate, which allow ...) - rubygems 1.8.24-1 (bug #670228) CVE-2012-2125 (RubyGems before 1.8.23 can redirect HTTPS connections to HTTP, which m ...) - rubygems 1.8.24-1 (bug #670228) CVE-2012-2124 (functions/imap_general.php in SquirrelMail, as used in Red Hat Enterpr ...) - squirrelmail (Incorrect RedHat security update) CVE-2012-2123 (The cap_bprm_set_creds function in security/commoncap.c in the Linux k ...) {DSA-2469-1} - linux-2.6 3.2.16-1 CVE-2012-2122 (sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.2 ...) {DSA-2496-1} - mysql-5.1 (bug #677018) - mysql-5.5 5.5.24+dfsg-1 NOTE: https://www.secmaniac.com/blog/2012/06/11/massive-mysql-authentication-bypass-exploit/ NOTE: http://seclists.org/oss-sec/2012/q2/493 NOTE: Issue only triggered with specific optimisation in glibc enabled; no builds in Debian known to be affected. NOTE: Fixed versions indicate application of upstream patch which prevents issue regardless of opt.settings. CVE-2012-2121 (The KVM implementation in the Linux kernel before 3.3.4 does not prope ...) {DSA-2668-1} - linux-2.6 3.2.17-1 CVE-2012-2120 (latex2man in texlive-extra-utils 2011.20120322, and possibly other ver ...) - texlive-extra 2012.20130315-1 (low; bug #668779) [wheezy] - texlive-extra (Minor issue) [squeeze] - texlive-extra 2009-10+squeeze1 CVE-2012-2119 (Buffer overflow in the macvtap device driver in the Linux kernel befor ...) - linux 3.2.20-1 [squeeze] - linux-2.6 (Vulnerable code not present, was added in 3.1) CVE-2012-2118 (Format string vulnerability in the LogVHdrMessageVerb function in os/l ...) - xorg-server 2:1.12.1.902-1 (bug #673148) [squeeze] - xorg-server (Introduced in 1.10) NOTE: http://lists.x.org/pipermail/xorg-devel/2012-May/031411.html CVE-2012-2117 (Cross-site scripting (XSS) vulnerability in the Gigya - Social optimiz ...) NOT-FOR-US: Drupal plugin (Gigya - Social Optimization) not in Debian CVE-2012-2116 (Cross-site request forgery (CSRF) vulnerability in the Commerce Reorde ...) NOT-FOR-US: Drupal plugin (Commerce Reorder) not in Debian CVE-2012-2115 (SQL injection vulnerability in interface/login/validateUser.php in Ope ...) NOT-FOR-US: OpenEMR CVE-2012-2114 (Stack-based buffer overflow in fprintf in musl before 0.8.8 and earlie ...) NOT-FOR-US: musl libc not in Debian CVE-2012-2113 (Multiple integer overflows in tiff2pdf in libtiff before 4.0.2 allow r ...) {DSA-2552-1} - tiff 4.0.2-1 (bug #678140) - tiff3 (The tiff-tools package is only built from the tiff source package) CVE-2012-2112 (Cross-site scripting (XSS) vulnerability in the Exception Handler in T ...) {DSA-2455-1} - typo3-src 4.5.15+dfsg1-1 (bug #669158) NOTE: http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-002/ CVE-2012-2111 (The (1) CreateAccount, (2) OpenAccount, (3) AddAccountRights, and (4) ...) {DSA-2463-1} - samba 2:3.6.5-1 NOTE: http://www.samba.org/samba/history/samba-3.6.5.html NOTE: According to the release notes Samba 3.4.x to 3.6.4 are affected CVE-2012-2110 (The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL be ...) {DSA-2454-1} - openssl 1.0.1a-1 NOTE: http://www.openssl.org/news/secadv/20120419.txt CVE-2012-2109 (SQL injection vulnerability in wp-load.php in the BuddyPress plugin 1. ...) NOT-FOR-US: wordpress buddypress plugin CVE-2012-2108 (Stack-based buffer overflow in the main function in util/lpci_main.c i ...) - csound 1:5.17.6~dfsg-1 (low; bug #661197) [squeeze] - csound (Minor issue) CVE-2012-2107 (Integer overflow in the main function in util/lpci_main.c in Csound be ...) - csound 1:5.17.6~dfsg-1 (bug #661197) [squeeze] - csound (Minor issue) CVE-2012-2106 (Integer overflow in the pv_import function in util/pv_import.c in Csou ...) - csound 1:5.17.6~dfsg-1 (bug #661197) [squeeze] - csound (Minor issue) CVE-2012-2105 (Multiple SQL injection vulnerabilities in login.php in Timesheet Next ...) NOT-FOR-US: tsheetx CVE-2012-2104 (cgi-bin/munin-cgi-graph in Munin 2.x writes data to a log file without ...) - munin 2.0~rc6-1 (bug #668666) [squeeze] - munin (Vulnerable code not present) [lenny] - munin (Vulnerable code not present) CVE-2012-2103 (The qmailscan plugin for Munin 1.4.5 allows local users to overwrite a ...) - munin 2.0~rc6-1 (bug #668778) [squeeze] - munin (Vulnerable code not present) [lenny] - munin (Vulnerable code not present) CVE-2012-2102 (MySQL 5.1.x before 5.1.62 and 5.5.x before 5.5.22 allows remote authen ...) {DSA-2496-1} - mysql-5.1 5.1.62-1 (low; bug #670636) - mysql-5.5 5.5.24+dfsg-1 (low) CVE-2012-2101 (Openstack Compute (Nova) Folsom, 2012.1, and 2011.3 does not limit the ...) - nova 2012.1-2 (bug #670637) CVE-2012-2100 (The ext4_fill_flex_info function in fs/ext4/super.c in the Linux kerne ...) - linux-2.6 3.2.2-1 [squeeze] - linux-2.6 2.6.32-41squeeze1 NOTE: incomplete fix of CVE-2009-4307, introducing another issue: NOTE: https://lkml.org/lkml/2012/2/20/422 CVE-2012-2099 (Multiple cross-site scripting (XSS) vulnerabilities in Wikidforum 2.10 ...) NOT-FOR-US: Wikidforum CVE-2012-2098 (Algorithmic complexity vulnerability in the sorting algorithms in bzip ...) - libcommons-compress-java 1.4.1-1 (low; bug #674448) [squeeze] - libcommons-compress-java (Minor issue) CVE-2012-2097 (Cross-site request forgery (CSRF) vulnerability in the Autosave module ...) NOT-FOR-US: Drupal module Autosave CVE-2012-2096 (The Fivestar module 6.x-1.x before 6.x-1.20 for Drupal does not proper ...) NOT-FOR-US: Drupal module Fivestar CVE-2012-2094 (Cross-site scripting (XSS) vulnerability in the refresh mechanism in t ...) - horizon 2012.1-3 CVE-2012-2093 (src/common/latex.py in Gajim 0.15 allows local users to overwrite arbi ...) {DSA-2453-2 DSA-2453-1} - gajim 0.15-1.1 (low; bug #668710) CVE-2012-2092 (A Security Bypass vulnerability exists in Ubuntu Cobbler before 2,2,2 ...) - cobbler (Ubuntu specific cobbler-ubuntu-import script not present) CVE-2012-2091 (Multiple buffer overflows in FlightGear 2.6 and earlier and SimGear 2. ...) - simgear 2.10.0-3 (unimportant; bug #669024) - flightgear 2.6.0-1.1 (unimportant; bug #669025) NOTE: Negligible security impact, very obscure attack vector CVE-2012-2090 (Multiple format string vulnerabilities in FlightGear 2.6 and earlier a ...) - simgear 2.10.0-2 (unimportant; bug #669024) - flightgear 2.6.0-1.1 (unimportant; bug #669025) NOTE: Negligible security impact, very obscure attack vector CVE-2012-2089 (Buffer overflow in ngx_http_mp4_module.c in the ngx_http_mp4_module mo ...) - nginx 1.1.19-1 [squeeze] - nginx (Vulnerable code not present) CVE-2012-2088 (Integer signedness error in the TIFFReadDirectory function in tif_dirr ...) {DSA-2552-1} - tiff 4.0-1 (bug #678140) - tiff3 3.9.6-6 CVE-2012-2087 (ISPConfig 3.0.4.3: the "Add new Webdav user" can chmod and chown entir ...) NOT-FOR-US: ISPConfig CVE-2012-2086 (SQL injection vulnerability in the get_last_conversation_lines functio ...) {DSA-2453-2 DSA-2453-1} - gajim 0.15-1 (low; bug #668038) CVE-2012-2085 (The exec_command function in common/helpers.py in Gajim before 0.15 al ...) {DSA-2453-2 DSA-2453-1} - gajim 0.15-1 (medium; bug #668038) CVE-2012-2084 (Cross-site scripting (XSS) vulnerability in the Printer, email and PDF ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-2083 (Cross-site scripting (XSS) vulnerability in the fusion_core_preprocess ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-2082 (Cross-site scripting (XSS) vulnerability in the Chaos tool suite (aka ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-2081 (The Organic Groups (OG) module 6.x-2.x before 6.x-2.3 for Drupal does ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-2080 (Cross-site request forgery (CSRF) vulnerability in the Node Limit Numb ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-2079 (A cross-site request forgery (CSRF) vulnerability in the Activity modu ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-2078 (Cross-site scripting (XSS) vulnerability in the Activity module 6.x-1. ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-2077 (Cross-site request forgery (CSRF) vulnerability in the ShareThis modul ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-2076 (Cross-site scripting (XSS) vulnerability in the administration forms i ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-2075 (Cross-site scripting (XSS) vulnerability in the Contact Save module 6. ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-2074 (Unspecified vulnerability in certain default views in the Ubercart Vie ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-2073 (The Bundle copy module 7.x-1.x before 7.x-1.1 for Drupal does not chec ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-2072 (Cross-site scripting (XSS) vulnerability in the Share Buttons (AddToAn ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-2071 (Cross-site scripting (XSS) vulnerability in the Contact Forms module 6 ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-2070 (Cross-site scripting (XSS) vulnerability in the MultiBlock module 6.x- ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-2069 (Cross-site request forgery (CSRF) vulnerability in the Wishlist module ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-2068 (Multiple cross-site scripting (XSS) vulnerabilities in fancy_slide.mod ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-2067 (Unspecified vulnerability in the CKeditor module 6.x-2.x before 6.x-2. ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-2066 (Cross-site scripting (XSS) vulnerability in the FCKeditor module 6.x-2 ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-2065 (Cross-site scripting (XSS) vulnerability in the Language Icons module ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-2064 (Cross-site scripting (XSS) vulnerability in theme/views_lang_switch.th ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-2063 (The Slidebox module before 7.x-1.4 for Drupal does not properly check ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-2062 (Open redirect vulnerability in the Redirecting click bouncer module fo ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-2061 (Cross-site request forgery (CSRF) vulnerability in the Admin tools mod ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-2060 (Cross-site scripting (XSS) vulnerability in the Admin tools module for ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-2059 (Cross-site scripting (XSS) vulnerability in the ticketyboo News Ticker ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-2058 (The Ubercart Payflow module for Drupal does not use a secure token, wh ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-2057 (Cross-site request forgery (CSRF) vulnerability in the Ubercart Bulk S ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-2056 (Cross-site request forgery (CSRF) vulnerability in the Content Lock mo ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2008-7311 (The session cookie store implementation in Spree 0.2.0 uses a hardcode ...) NOT-FOR-US: Spree CVE-2008-7310 (Spree 0.2.0 does not properly restrict the use of a hash to provide va ...) NOT-FOR-US: Spree CVE-2008-7309 (Insoshi before 20080920 does not properly restrict the use of a hash t ...) NOT-FOR-US: Insoshi CVE-2012-2055 (GitHub Enterprise before 20120304 does not properly restrict the use o ...) NOT-FOR-US: GitHub Enterprise CVE-2012-2054 (Redmine before 1.3.2 does not properly restrict the use of a hash to p ...) - redmine 1.3.2+dfsg1-1 [squeeze] - redmine (Redmine not supported because of rails) NOTE: http://www.redmine.org/issues/10390 NOTE: git mirror patch would be 5141f1e..177ff05 CVE-2012-2053 (The sudoers file in the Linux system configuration in F5 FirePass 6.0. ...) NOT-FOR-US: F5 Firepass CVE-2012-2052 (Stack-based buffer overflow in the U3D.8BI library plugin in Adobe Pho ...) NOT-FOR-US: Adobe Photoshop plugin U3D.8BI library CVE-2012-2051 (Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x before 10.1.4 on Wi ...) NOT-FOR-US: Adobe Reader CVE-2012-2050 (Buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.2 and 10.x ...) NOT-FOR-US: Adobe Reader CVE-2012-2049 (Stack-based buffer overflow in Adobe Reader and Acrobat 9.x before 9.5 ...) NOT-FOR-US: Adobe Reader CVE-2012-2048 (Unspecified vulnerability in Adobe ColdFusion 10 and earlier allows at ...) NOT-FOR-US: Adobe ColdFusion CVE-2012-2047 (Adobe Shockwave Player before 11.6.6.636 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2012-2046 (Adobe Shockwave Player before 11.6.6.636 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2012-2045 (Adobe Shockwave Player before 11.6.6.636 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2012-2044 (Adobe Shockwave Player before 11.6.6.636 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2012-2043 (Adobe Shockwave Player before 11.6.6.636 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2012-2042 (Adobe Illustrator before CS6 allows attackers to execute arbitrary cod ...) NOT-FOR-US: Adobe Illustrator CVE-2012-2041 (CRLF injection vulnerability in the Component Browser in Adobe ColdFus ...) NOT-FOR-US: Adobe ColdFusion CVE-2012-2040 (Untrusted search path vulnerability in the installer in Adobe Flash Pl ...) NOT-FOR-US: Adobe Flash Player CVE-2012-2039 (Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on ...) NOT-FOR-US: Adobe Flash Player CVE-2012-2038 (Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on ...) NOT-FOR-US: Adobe Flash Player CVE-2012-2037 (Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on ...) NOT-FOR-US: Adobe Flash Player CVE-2012-2036 (Integer overflow in Adobe Flash Player before 10.3.183.20 and 11.x bef ...) NOT-FOR-US: Adobe Flash Player CVE-2012-2035 (Stack-based buffer overflow in Adobe Flash Player before 10.3.183.20 a ...) NOT-FOR-US: Adobe Flash Player CVE-2012-2034 (Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on ...) NOT-FOR-US: Adobe Flash Player CVE-2012-2033 (Adobe Shockwave Player before 11.6.5.635 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2012-2032 (Adobe Shockwave Player before 11.6.5.635 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2012-2031 (Adobe Shockwave Player before 11.6.5.635 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2012-2030 (Adobe Shockwave Player before 11.6.5.635 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2012-2029 (Adobe Shockwave Player before 11.6.5.635 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2012-2028 (Buffer overflow in Adobe Photoshop CS5 12.x before 12.0.5 and CS5.1 12 ...) NOT-FOR-US: Adobe Photoshop CVE-2012-2027 (Use-after-free vulnerability in Adobe Photoshop CS5 12.x before 12.0.5 ...) NOT-FOR-US: Adobe Photoshop CVE-2012-2026 (Adobe Illustrator before CS6 allows attackers to execute arbitrary cod ...) NOT-FOR-US: Adobe Illustrator CVE-2012-2025 (Adobe Illustrator before CS6 allows attackers to execute arbitrary cod ...) NOT-FOR-US: Adobe Illustrator CVE-2012-2024 (Adobe Illustrator before CS6 allows attackers to execute arbitrary cod ...) NOT-FOR-US: Adobe Illustrator CVE-2012-2023 (Adobe Illustrator before CS6 allows attackers to execute arbitrary cod ...) NOT-FOR-US: Adobe Illustrator CVE-2012-2022 (Multiple cross-site scripting (XSS) vulnerabilities in HP Network Node ...) NOT-FOR-US: HP Network Node Manager CVE-2012-2021 (Multiple cross-site scripting (XSS) vulnerabilities in HP AssetManager ...) NOT-FOR-US: HP AssetManager CVE-2012-2020 (Unspecified vulnerability in HP Operations Agent before 11.03.12 allow ...) NOT-FOR-US: HP Operations Agent CVE-2012-2019 (Unspecified vulnerability in HP Operations Agent before 11.03.12 allow ...) NOT-FOR-US: HP Operations Agent CVE-2012-2018 (Cross-site scripting (XSS) vulnerability in HP Network Node Manager i ...) NOT-FOR-US: HP Network Node Manager CVE-2012-2017 (Unspecified vulnerability on HP Photosmart Wireless e-All-in-One B110, ...) NOT-FOR-US: HP Photosmart Wireless e-All-in-One CVE-2012-2016 (Unspecified vulnerability in HP System Management Homepage (SMH) befor ...) NOT-FOR-US: HP System Management Homepage CVE-2012-2015 (Unspecified vulnerability in HP System Management Homepage (SMH) befor ...) NOT-FOR-US: HP System Management Homepage CVE-2012-2014 (HP System Management Homepage (SMH) before 7.1.1 does not properly val ...) NOT-FOR-US: HP System Management Homepage CVE-2012-2013 (Unspecified vulnerability in HP System Management Homepage (SMH) befor ...) NOT-FOR-US: HP System Management Homepage CVE-2012-2012 (HP System Management Homepage (SMH) before 7.1.1 does not have an off ...) NOT-FOR-US: HP System Management Homepage CVE-2012-2011 (Multiple cross-site scripting (XSS) vulnerabilities in HP Web Jetadmin ...) NOT-FOR-US: HP Web Jetadmin CVE-2012-2010 (The ACMELOGIN implementation in HP OpenVMS 8.3 and 8.4 on the Alpha pl ...) NOT-FOR-US: OpenVMS CVE-2012-2009 (Unspecified vulnerability in HP Performance Insight for Networks 5.3.x ...) NOT-FOR-US: HP Performance Insight CVE-2012-2008 (Cross-site scripting (XSS) vulnerability in HP Performance Insight for ...) NOT-FOR-US: HP Performance Insight CVE-2012-2007 (SQL injection vulnerability in HP Performance Insight for Networks 5.3 ...) NOT-FOR-US: HP Performance Insight CVE-2012-2006 (Unspecified vulnerability in HP Insight Management Agents before 9.0.0 ...) NOT-FOR-US: Proprietary HP monitoring tools CVE-2012-2005 (Cross-site scripting (XSS) vulnerability in HP Insight Management Agen ...) NOT-FOR-US: Proprietary HP monitoring tools CVE-2012-2004 (Open redirect vulnerability in HP Insight Management Agents before 9.0 ...) NOT-FOR-US: Proprietary HP monitoring tools CVE-2012-2003 (Cross-site request forgery (CSRF) vulnerability in HP Insight Manageme ...) NOT-FOR-US: Proprietary HP monitoring tools CVE-2012-2002 (Open redirect vulnerability in HP SNMP Agents for Linux before 9.0.0 a ...) NOT-FOR-US: Proprietary HP monitoring tools CVE-2012-2001 (Cross-site scripting (XSS) vulnerability in HP SNMP Agents for Linux b ...) NOT-FOR-US: Proprietary HP monitoring tools CVE-2012-2000 (Multiple unspecified vulnerabilities in HP System Health Application a ...) NOT-FOR-US: Proprietary HP monitoring tools CVE-2012-1999 (Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7 ...) NOT-FOR-US: HP Systems Insight Manager CVE-2012-1998 (Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7 ...) NOT-FOR-US: HP Systems Insight Manager CVE-2012-1997 (Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7 ...) NOT-FOR-US: HP Systems Insight Manager CVE-2012-1996 (Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7 ...) NOT-FOR-US: HP Systems Insight Manager CVE-2012-1995 (Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7 ...) NOT-FOR-US: HP Systems Insight Manager CVE-2012-1994 (HP Systems Insight Manager before 7.0 allows a remote user on adjacent ...) NOT-FOR-US: HP Systems Insight Manager CVE-2012-1993 (Unspecified vulnerability in HP System Management Homepage (SMH) befor ...) NOT-FOR-US: HP System Management Homepage CVE-2012-1992 (Cross-site scripting (XSS) vulnerability in admin/edituser.php in CMS ...) NOT-FOR-US: CMD Made Simple CVE-2012-1991 RESERVED CVE-2012-1990 (Multiple cross-site scripting (XSS) vulnerabilities in Schneider Elect ...) NOT-FOR-US: Schneider Electric Kerweb CVE-2012-1989 (telnet.rb in Puppet 2.7.x before 2.7.13 and Puppet Enterprise (PE) 1.2 ...) - puppet 2.7.13-1 [squeeze] - puppet (Only affects 2.7.x) CVE-2012-1988 (Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterpr ...) {DSA-2451-1} - puppet 2.7.13-1 CVE-2012-1987 (Unspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x befo ...) {DSA-2451-1} - puppet 2.7.13-1 CVE-2012-1986 (Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterpr ...) {DSA-2451-1} - puppet 2.7.13-1 CVE-2011-5085 (Unspecified vulnerability in Movable Type 4.x before 4.36 and 5.x befo ...) {DSA-2423-1} - movabletype-opensource 5.1.2+dfsg-1 CVE-2011-5084 (Cross-site scripting (XSS) vulnerability in Movable Type 4.x before 4. ...) {DSA-2423-1} - movabletype-opensource 5.1.2+dfsg-1 CVE-2012-1985 (Cross-site request forgery (CSRF) vulnerability in RealNetworks Helix ...) NOT-FOR-US: RealNetworks Helix CVE-2012-1984 (Multiple cross-site scripting (XSS) vulnerabilities in RealNetworks He ...) NOT-FOR-US: RealNetworks Helix CVE-2012-1983 RESERVED CVE-2012-1982 (Cross-site scripting (XSS) vulnerability in my_admin/admin1_list_pages ...) NOT-FOR-US: SocialCMS CVE-2012-1981 RESERVED CVE-2012-1980 RESERVED CVE-2012-1979 (Cross-site scripting (XSS) vulnerability in starnet/index.php in Synde ...) NOT-FOR-US: SyndeoCMS CVE-2012-1978 (Multiple cross-site request forgery (CSRF) vulnerabilities in Simple P ...) NOT-FOR-US: Simple PHP Agenda CVE-2012-1977 (WellinTech KingSCADA 3.0 uses a cleartext base64 format for storage of ...) NOT-FOR-US: WellinTech KingSCADA CVE-2012-1976 (Use-after-free vulnerability in the nsHTMLSelectElement::SubmitNamesVa ...) {DSA-2556-1 DSA-2554-1 DSA-2553-1} - iceweasel 10.0.7esr-1 - icedove 10.0.7-1 - iceape 2.7.7-1 CVE-2012-1975 (Use-after-free vulnerability in the PresShell::CompleteMove function i ...) {DSA-2556-1 DSA-2554-1 DSA-2553-1} - iceweasel 10.0.7esr-1 - icedove 10.0.7-1 - iceape 2.7.7-1 CVE-2012-1974 (Use-after-free vulnerability in the gfxTextRun::CanBreakLineBefore fun ...) {DSA-2556-1 DSA-2554-1 DSA-2553-1} - iceweasel 10.0.7esr-1 - icedove 10.0.7-1 - iceape 2.7.7-1 CVE-2012-1973 (Use-after-free vulnerability in the nsObjectLoadingContent::LoadObject ...) {DSA-2556-1 DSA-2554-1 DSA-2553-1} - iceweasel 10.0.7esr-1 - icedove 10.0.7-1 - iceape 2.7.7-1 CVE-2012-1972 (Use-after-free vulnerability in the nsHTMLEditor::CollapseAdjacentText ...) {DSA-2556-1 DSA-2554-1 DSA-2553-1} - iceweasel 10.0.7esr-1 - icedove 10.0.7-1 - iceape 2.7.7-1 CVE-2012-1971 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel (Only affects Firefox >= 10) CVE-2012-1970 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2556-1 DSA-2554-1 DSA-2553-1} - iceweasel 10.0.7esr-1 - iceape 2.7.7-1 - icedove 10.0.7-1 CVE-2012-1969 (The get_attachment_link function in Template.pm in Bugzilla 2.x and 3. ...) - bugzilla (low) - bugzilla4 (bug #669643) [squeeze] - bugzilla (Minor issue) CVE-2012-1968 (Bugzilla 4.1.x and 4.2.x before 4.2.2 and 4.3.x before 4.3.2 uses bug- ...) - bugzilla (Only affects 4.1 to 4.3) - bugzilla4 (bug #669643) CVE-2012-1967 (Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thun ...) {DSA-2528-1 DSA-2514-1 DSA-2513-1} - iceweasel 10.0.6esr-1 - icedove 10.0.6-1 - iceape 2.7.6-1 CVE-2012-1966 (Mozilla Firefox 4.x through 13.0 and Firefox ESR 10.x before 10.0.6 do ...) {DSA-2514-1} - iceweasel 10.0.6esr-1 CVE-2012-1965 (Mozilla Firefox 4.x through 13.0 and Firefox ESR 10.x before 10.0.6 do ...) - iceweasel 10.0.6esr-1 [squeeze] - iceweasel CVE-2012-1964 (The certificate-warning functionality in browser/components/certerror/ ...) - iceweasel 10.0.6esr-1 - icedove 10.0.6-1 - iceape 2.7.6-1 [squeeze] - iceweasel (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceape (Vulnerable code not present) CVE-2012-1963 (The Content Security Policy (CSP) functionality in Mozilla Firefox 4.x ...) - iceweasel 10.0.6esr-1 [squeeze] - iceweasel (CSP not yet available) - icedove 10.0.6-1 [squeeze] - icedove (CSP not yet available) - iceape 2.7.6-1 [squeeze] - iceape (CSP not yet available) CVE-2012-1962 (Use-after-free vulnerability in the JSDependentString::undepend functi ...) - iceweasel 10.0.6esr-1 - icedove 10.0.6-1 - iceape 2.7.6-1 [squeeze] - iceweasel (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceape (Vulnerable code not present) CVE-2012-1961 (Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thun ...) - iceweasel 10.0.6esr-1 - icedove 10.0.6-1 - iceape 2.7.6-1 [squeeze] - iceweasel (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceape (Vulnerable code not present) CVE-2012-1960 (The qcms_transform_data_rgb_out_lut_sse2 function in the QCMS implemen ...) - iceweasel (Only affects Firefox > 10) CVE-2012-1959 (Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thun ...) - iceweasel 10.0.6esr-1 - icedove 10.0.6-1 - iceape 2.7.6-1 [squeeze] - iceweasel (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceape (Vulnerable code not present) CVE-2012-1958 (Use-after-free vulnerability in the nsGlobalWindow::PageHidden functio ...) - iceweasel 10.0.6esr-1 - icedove 10.0.6-1 - iceape 2.7.6-1 [squeeze] - iceweasel (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceape (Vulnerable code not present) CVE-2012-1957 (An unspecified parser-utility class in Mozilla Firefox 4.x through 13. ...) - iceweasel 10.0.6esr-1 - icedove 10.0.6-1 - iceape 2.7.6-1 [squeeze] - iceweasel (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceape (Vulnerable code not present) CVE-2012-1956 (Mozilla Firefox before 15.0, Thunderbird before 15.0, and SeaMonkey be ...) - iceweasel (Only affects Firefox >= 10) - icedove (Only affects Firefox >= 10) - iceape (Only affects Firefox >= 10) CVE-2012-1955 (Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thun ...) - iceweasel 10.0.6esr-1 - icedove 10.0.6-1 - iceape 2.7.6-1 [squeeze] - iceweasel (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceape (Vulnerable code not present) CVE-2012-1954 (Use-after-free vulnerability in the nsDocument::AdoptNode function in ...) {DSA-2528-1 DSA-2514-1 DSA-2513-1} - iceweasel 10.0.6esr-1 - icedove 10.0.6-1 - iceape 2.7.6-1 CVE-2012-1953 (The ElementAnimations::EnsureStyleRuleFor function in Mozilla Firefox ...) - iceweasel 10.0.6esr-1 - icedove 10.0.6-1 - iceape 2.7.6-1 [squeeze] - iceweasel (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceape (Vulnerable code not present) CVE-2012-1952 (The nsTableFrame::InsertFrames function in Mozilla Firefox 4.x through ...) - iceweasel 10.0.6esr-1 - icedove 10.0.6-1 - iceape 2.7.6-1 [squeeze] - iceweasel (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceape (Vulnerable code not present) CVE-2012-1951 (Use-after-free vulnerability in the nsSMILTimeValueSpec::IsEventBased ...) - iceweasel 10.0.6esr-1 - icedove 10.0.6-1 - iceape 2.7.6-1 [squeeze] - iceweasel (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) [squeeze] - iceape (Vulnerable code not present) CVE-2012-1950 (The drag-and-drop implementation in Mozilla Firefox 4.x through 13.0 a ...) {DSA-2528-1 DSA-2514-1} - iceweasel 10.0.6esr-1 - icedove 10.0.6-1 CVE-2012-1949 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel (Only affects Firefox 13) CVE-2012-1948 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2528-1 DSA-2514-1 DSA-2513-1} - iceweasel 10.0.6esr-1 - icedove 10.0.6-1 - iceape 2.7.6-1 CVE-2012-1947 (Heap-based buffer overflow in the utf16_to_isolatin1 function in Mozil ...) {DSA-2499-1 DSA-2489-1 DSA-2488-1} - iceweasel 10.0.5esr-1 - icedove 10.0.5-1 [squeeze] - iceweasel (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) CVE-2012-1946 (Use-after-free vulnerability in the nsINode::ReplaceOrInsertBefore fun ...) - iceweasel 10.0.5esr-1 - icedove 10.0.5-1 [squeeze] - iceweasel (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) CVE-2012-1945 (Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thun ...) - iceweasel 10.0.5esr-1 - icedove 10.0.5-1 [squeeze] - iceweasel (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) CVE-2012-1944 (The Content Security Policy (CSP) implementation in Mozilla Firefox 4. ...) - iceweasel 10.0.5esr-1 [squeeze] - iceweasel (CSP not yet available) - icedove 10.0.5-1 [squeeze] - icedove (CSP not yet available) CVE-2012-1943 (Untrusted search path vulnerability in Updater.exe in the Windows Upda ...) - iceweasel (windows-specific) CVE-2012-1942 (The Mozilla Updater and Windows Updater Service in Mozilla Firefox 12. ...) - iceweasel (windows-specific) CVE-2012-1941 (Heap-based buffer overflow in the nsHTMLReflowState::CalculateHypothet ...) - iceweasel 10.0.5esr-1 - icedove 10.0.5-1 [squeeze] - iceweasel (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) CVE-2012-1940 (Use-after-free vulnerability in the nsFrameList::FirstChild function i ...) {DSA-2499-1 DSA-2489-1 DSA-2488-1} - iceweasel 10.0.5esr-1 - icedove 10.0.5-1 CVE-2012-1939 (jsinfer.cpp in Mozilla Firefox ESR 10.x before 10.0.5 and Thunderbird ...) - iceweasel 10.0.5esr-1 - icedove 10.0.5-1 [squeeze] - iceweasel (Vulnerable code not present) [squeeze] - icedove (Vulnerable code not present) CVE-2012-1938 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel (Only affects iceweasel from experimental) CVE-2012-1937 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2499-1 DSA-2489-1 DSA-2488-1} - iceweasel 10.0.5esr-1 - icedove 10.0.5-1 CVE-2012-1936 (** DISPUTED ** The wp_create_nonce function in wp-includes/pluggable.p ...) NOT-FOR-US: Disputed Wordpress issue CVE-2012-1935 (Multiple cross-site scripting (XSS) vulnerabilities in Newscoop 3.5.x ...) - newscoop (bug #604113) CVE-2012-1934 (SQL injection vulnerability in admin/country/edit.php in Newscoop befo ...) - newscoop (bug #604113) CVE-2012-1933 (Multiple PHP remote file inclusion vulnerabilities in Newscoop 3.5.x b ...) - newscoop (bug #604113) CVE-2012-1932 (A cross-site scripting (XSS) vulnerability in Wolf CMS 0.75 and earlie ...) NOT-FOR-US: Wolf CMS CVE-2007-6753 (Untrusted search path vulnerability in Shell32.dll in Microsoft Window ...) NOT-FOR-US: Microsoft Windows CVE-2012-1931 (Opera before 11.62 on UNIX, when used in conjunction with an unspecifi ...) NOT-FOR-US: Opera CVE-2012-1930 (Opera before 11.62 on UNIX uses world-readable permissions for tempora ...) NOT-FOR-US: Opera CVE-2012-1929 (Opera before 11.62 on Mac OS X allows remote attackers to spoof the ad ...) NOT-FOR-US: Opera CVE-2012-1928 (Opera before 11.62 allows remote attackers to spoof the address field ...) NOT-FOR-US: Opera CVE-2012-1927 (Opera before 11.62 allows remote attackers to spoof the address field ...) NOT-FOR-US: Opera CVE-2012-1926 (Opera before 11.62 allows remote attackers to bypass the Same Origin P ...) NOT-FOR-US: Opera CVE-2012-1925 (Opera before 11.62 does not ensure that a dialog window is placed on t ...) NOT-FOR-US: Opera CVE-2012-1924 (Opera before 11.62 allows user-assisted remote attackers to trick user ...) NOT-FOR-US: Opera CVE-2012-1923 (RealNetworks Helix Server and Helix Mobile Server 14.x before 14.3.x s ...) NOT-FOR-US: RealNetworks Helix CVE-2012-1922 (Multiple cross-site request forgery (CSRF) vulnerabilities in Sitecom ...) NOT-FOR-US: Sitecom WLM-2501 CVE-2012-1921 (Cross-site request forgery (CSRF) vulnerability in goform/admin/formWl ...) NOT-FOR-US: Sitecom CVE-2012-1920 (@Mail WebMail Client in AtMail Open-Source 1.04 and earlier allows rem ...) - atmailopen CVE-2012-1919 (CRLF injection vulnerability in mime.php in @Mail WebMail Client in At ...) - atmailopen CVE-2012-1918 (Multiple directory traversal vulnerabilities in (1) compose.php and (2 ...) - atmailopen CVE-2012-1917 (compose.php in @Mail WebMail Client in AtMail Open-Source before 1.05 ...) - atmailopen CVE-2012-1916 (@Mail WebMail Client in AtMail Open-Source before 1.05 allows remote a ...) - atmailopen CVE-2007-6752 (** DISPUTED ** Cross-site request forgery (CSRF) vulnerability in Drup ...) - drupal7 (unimportant) CVE-2012-1915 (EllisLab CodeIgniter 2.1.2 allows remote attackers to bypass the xss_c ...) NOT-FOR-US: EllisLab CodeIgniter CVE-2012-1914 RESERVED CVE-2012-1913 REJECTED CVE-2012-1912 (Cross-site scripting (XSS) vulnerability in preferences.php in PHP Add ...) NOT-FOR-US: PHP Address Book CVE-2012-1911 (Multiple SQL injection vulnerabilities in PHP Address Book 6.2.12 and ...) NOT-FOR-US: PHP Address Book CVE-2012-1910 (Bitcoin-Qt 0.5.0.x before 0.5.0.5; 0.5.1.x, 0.5.2.x, and 0.5.3.x befor ...) - bitcoin (windows-only, qt gui not built) CVE-2012-1909 (The Bitcoin protocol, as used in bitcoind before 0.4.4, wxBitcoin, Bit ...) - bitcoin 0.6.0-1 CVE-2012-1908 (Cross-site scripting (XSS) vulnerability in Splunk 4.0 through 4.3 all ...) NOT-FOR-US: Splunk CVE-2012-1907 (The scanner engine in PrivaWall Antivirus 5.6 and earlier does not rec ...) NOT-FOR-US: PrivaWall Antivirus CVE-2012-1906 (Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterpr ...) {DSA-2451-1} - puppet 2.7.13-1 CVE-2012-1905 RESERVED CVE-2012-1904 (mp4fformat.dll in the QuickTime File Format plugin in RealNetworks Rea ...) NOT-FOR-US: RealPlayer CVE-2012-1903 (XSS in Telligent Community 5.6.583.20496 via a flash file and related ...) NOT-FOR-US: Telligent Community CVE-2012-1902 (show_config_errors.php in phpMyAdmin 3.4.x before 3.4.10.2, when a con ...) - phpmyadmin 4:3.4.10.2-1 (unimportant) CVE-2012-1901 (Multiple cross-site request forgery (CSRF) vulnerabilities in FlexCMS ...) NOT-FOR-US: FlexCMS CVE-2012-1900 (Cross-site request forgery (CSRF) vulnerability in admin/index.php in ...) NOT-FOR-US: RazorCMS CVE-2012-1899 (Multiple cross-site scripting (XSS) vulnerabilities in webfolio/admin/ ...) NOT-FOR-US: Webfolio CMS CVE-2012-1898 (Multiple cross-site scripting (XSS) vulnerabilities in wolfcms/admin/u ...) NOT-FOR-US: Wolf CMS CVE-2012-1897 (Multiple cross-site request forgery (CSRF) vulnerabilities in Wolf CMS ...) NOT-FOR-US: Wolf CMS CVE-2012-1586 (mount.cifs in cifs-utils 2.6 allows local users to determine the exist ...) - cifs-utils 2:5.3-2 (unimportant; bug #665923) NOTE: Harmless information leak, if a user can perform arbitrary CIFS mounts they probably NOTE: can do a lot more with this CVE-2012-1896 (Microsoft .NET Framework 2.0 SP2 and 3.5.1 does not properly consider ...) NOT-FOR-US: Microsoft .NET Framework CVE-2012-1895 (The reflection implementation in Microsoft .NET Framework 1.0 SP3, 1.1 ...) NOT-FOR-US: Microsoft .NET Framework CVE-2012-1894 (Microsoft Office for Mac 2011 uses world-writable permissions for the ...) NOT-FOR-US: Microsoft Office CVE-2012-1893 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2012-1892 (Cross-site scripting (XSS) vulnerability in Microsoft Visual Studio Te ...) NOT-FOR-US: Microsoft Visual Studio Team Foundation Server CVE-2012-1891 (Heap-based buffer overflow in Microsoft Data Access Components (MDAC) ...) NOT-FOR-US: Microsoft Data Access Components CVE-2012-1890 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2012-1889 (Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 accesses uninitiali ...) NOT-FOR-US: Microsoft XML Core Services CVE-2012-1888 (Buffer overflow in Microsoft Visio 2010 SP1 and Visio Viewer 2010 SP1 ...) NOT-FOR-US: Microsoft Visio CVE-2012-1887 (Use-after-free vulnerability in Microsoft Excel 2003 SP3, 2007 SP2 and ...) NOT-FOR-US: Microsoft Excel CVE-2012-1886 (Microsoft Excel 2003 SP3, 2007 SP2 and SP3, and 2010 SP1; Excel Viewer ...) NOT-FOR-US: Microsoft Excel CVE-2012-1885 (Heap-based buffer overflow in Microsoft Excel 2003 SP3, 2007 SP2 and S ...) NOT-FOR-US: Microsoft Excel CVE-2012-1884 REJECTED CVE-2012-1883 REJECTED CVE-2012-1882 (Microsoft Internet Explorer 6 through 9 does not block cross-domain sc ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-1881 (Microsoft Internet Explorer 8 and 9 does not properly handle objects i ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-1880 (Microsoft Internet Explorer 6 through 9 does not properly handle objec ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-1879 (Microsoft Internet Explorer 6 through 9 does not properly handle objec ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-1878 (Microsoft Internet Explorer 6 through 9 does not properly handle objec ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-1877 (Microsoft Internet Explorer 6 through 9 does not properly handle objec ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-1876 (Microsoft Internet Explorer 6 through 9, and 10 Consumer Preview, does ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-1875 (Microsoft Internet Explorer 8 does not properly handle objects in memo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-1874 (Microsoft Internet Explorer 8 and 9 does not properly handle objects i ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-1873 (Microsoft Internet Explorer 7 through 9 does not properly create and i ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-1872 (Cross-site scripting (XSS) vulnerability in Microsoft Internet Explore ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-1871 REJECTED CVE-2012-1870 (The CBC mode in the TLS protocol, as used in Microsoft Windows XP SP2 ...) NOT-FOR-US: Microsoft Windows XP CVE-2012-1869 REJECTED CVE-2012-1868 (Race condition in the thread-creation implementation in win32k.sys in ...) NOT-FOR-US: Microsoft Windows XP CVE-2012-1867 (Integer overflow in win32k.sys in the kernel-mode drivers in Microsoft ...) NOT-FOR-US: Windows Windows CVE-2012-1866 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2012-1865 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2012-1864 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2012-1863 (Cross-site scripting (XSS) vulnerability in Microsoft Office SharePoin ...) NOT-FOR-US: Microsoft Office CVE-2012-1862 (Open redirect vulnerability in Microsoft Office SharePoint Server 2007 ...) NOT-FOR-US: Microsoft SharePoint CVE-2012-1861 (Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Serve ...) NOT-FOR-US: Microsoft SharePoint CVE-2012-1860 (Microsoft Office SharePoint Server 2007 SP2 and SP3, SharePoint Server ...) NOT-FOR-US: Microsoft SharePoint CVE-2012-1859 (Cross-site scripting (XSS) vulnerability in scriptresx.ashx in Microso ...) NOT-FOR-US: Microsoft SharePoint CVE-2012-1858 (The toStaticHTML API (aka the SafeHTML component) in Microsoft Interne ...) NOT-FOR-US: MicrosoftInternet Explorer, Communicator, Lync CVE-2012-1857 (Cross-site scripting (XSS) vulnerability in the Enterprise Portal comp ...) NOT-FOR-US: Microsoft Dynamics AX CVE-2012-1856 (The TabStrip ActiveX control in the Common Controls in MSCOMCTL.OCX in ...) NOT-FOR-US: Microsoft CVE-2012-1855 (Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, and 4.5 does not prop ...) NOT-FOR-US: Microsoft .NET Framework CVE-2012-1854 (Untrusted search path vulnerability in VBE6.dll in Microsoft Office 20 ...) NOT-FOR-US: Microsoft Office CVE-2012-1853 (Stack-based buffer overflow in the Remote Administration Protocol (RAP ...) NOT-FOR-US: Microsoft Windows XP CVE-2012-1852 (Heap-based buffer overflow in the Remote Administration Protocol (RAP) ...) NOT-FOR-US: Microsoft Windows XP CVE-2012-1851 (Format string vulnerability in the Print Spooler service in Microsoft ...) NOT-FOR-US: Microsoft Windows CVE-2012-1850 (The Remote Administration Protocol (RAP) implementation in the LanmanW ...) NOT-FOR-US: Microsoft Windows CVE-2012-1849 (Untrusted search path vulnerability in Microsoft Lync 2010, 2010 Atten ...) NOT-FOR-US: Microsoft Lync, Attendee,, Attendant CVE-2012-1848 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2012-1847 (Microsoft Excel 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Off ...) NOT-FOR-US: Microsoft Excel CVE-2012-1846 (Google Chrome 17.0.963.66 and earlier allows remote attackers to bypas ...) - chromium-browser 20.0.1132.21~r139451-1 [squeeze] - chromium-browser CVE-2012-1845 (Use-after-free vulnerability in Google Chrome 17.0.963.66 and earlier ...) - chromium-browser 20.0.1132.21~r139451-1 [squeeze] - chromium-browser CVE-2012-1844 (The Quantum Scalar i500 tape library with firmware before i7.0.3 (604G ...) NOT-FOR-US: Quantum Scalar CVE-2012-1843 (Cross-site request forgery (CSRF) vulnerability in saveRestore.htm on ...) NOT-FOR-US: Quantum Scalar CVE-2012-1842 (Cross-site scripting (XSS) vulnerability in checkQKMProg.htm on the Qu ...) NOT-FOR-US: Quantum Scalar CVE-2012-1841 (Absolute path traversal vulnerability in logShow.htm on the Quantum Sc ...) NOT-FOR-US: Quantum Scalar CVE-2012-1840 (AjaXplorer 3.2.x before 3.2.5 and 4.0.x before 4.0.4 does not properly ...) - ajaxplorer (bug #668381) CVE-2012-1839 (Multiple directory traversal vulnerabilities in the Get Template featu ...) - ajaxplorer (bug #668381) CVE-2012-1838 (The web management interface on the LG-Nortel ELO GS24M switch allows ...) NOT-FOR-US: Nortel switch CVE-2012-1837 (The (1) webreports, (2) post/create-role, and (3) post/update-role pro ...) NOT-FOR-US: Tivoli CVE-2012-1836 (Heap-based buffer overflow in dns.cpp in InspIRCd 2.0.5 might allow re ...) {DSA-2448-1} - inspircd 2.0.5-0.1 (bug #667914) CVE-2012-1835 (Multiple cross-site scripting (XSS) vulnerabilities in the All-in-One ...) NOT-FOR-US: All-in-One Event Calendar plugin for WordPress CVE-2012-1834 (Cross-site scripting (XSS) vulnerability in the cms_tpv_admin_head fun ...) NOT-FOR-US: WordPress plugin CMS Tree Page View CVE-2012-1833 (VMware SpringSource Grails before 1.3.8, and 2.x before 2.0.2, does no ...) NOT-FOR-US: Grails CVE-2012-1832 (WellinTech KingView 6.53 allows remote attackers to execute arbitrary ...) NOT-FOR-US: WellinTech KingView not in Debian CVE-2012-1831 (Heap-based buffer overflow in WellinTech KingView 6.53 allows remote a ...) NOT-FOR-US: WellinTech KingView not in Debian CVE-2012-1830 (Stack-based buffer overflow in WellinTech KingView 6.53 allows remote ...) NOT-FOR-US: WellinTech KingView not in Debian CVE-2012-1829 (Multiple cross-site scripting (XSS) vulnerabilities in AutoFORM PDM Ar ...) NOT-FOR-US: AutoFORM PDM Archive CVE-2012-1828 (The administrative functions in AutoFORM PDM Archive before 7.1 do not ...) NOT-FOR-US: AutoFORM PDM Archive CVE-2012-1827 (The web service in AutoFORM PDM Archive before 7.1 does not have autho ...) NOT-FOR-US: AutoFORM PDM Archive CVE-2012-1826 (dotCMS 1.9 before 1.9.5.1 allows remote authenticated users to execute ...) NOT-FOR-US: dotCMS not in Debian CVE-2012-1825 (Multiple cross-site scripting (XSS) vulnerabilities in the status prog ...) NOT-FOR-US: ForeScout CounterACT CVE-2012-1824 (Untrusted search path vulnerability in Measuresoft ScadaPro Client bef ...) NOT-FOR-US: Measuresoft ScadaPro CVE-2012-1823 (sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when ...) {DSA-2465-1} - php5 5.4.3-1 NOTE: http://ompldr.org/vZGxxaQ NOTE: https://bugs.php.net/bug.php?id=61910 NOTE: 5.4.2-1 'fixed' this, but fix is incomplete: CVE-2012-2311 CVE-2012-1822 RESERVED CVE-2012-1821 (The Network Threat Protection module in the Manager component in Syman ...) NOT-FOR-US: Symantec Endpoint Protection on Windows Server 2003 CVE-2012-1820 (The bgp_capability_orf function in bgpd in Quagga 0.99.20.1 and earlie ...) {DSA-2497-1} - quagga 0.99.21-3 (bug #676510) CVE-2012-1819 (Untrusted search path vulnerability in WellinTech KingView 6.53 allows ...) NOT-FOR-US: WellinTech KingView CVE-2012-1818 (An unspecified ActiveX control in Emerson DeltaV and DeltaV Workstatio ...) NOT-FOR-US: DeltaV (SCADA system) not in Debian CVE-2012-1817 (Buffer overflow in Emerson DeltaV and DeltaV Workstations 9.3.1, 10.3. ...) NOT-FOR-US: DeltaV (SCADA system) not in Debian CVE-2012-1816 (PORTSERV.exe in Emerson DeltaV and DeltaV Workstations 9.3.1, 10.3.1, ...) NOT-FOR-US: DeltaV (SCADA system) not in Debian CVE-2012-1815 (SQL injection vulnerability in Emerson DeltaV and DeltaV Workstations ...) NOT-FOR-US: DeltaV (SCADA system) not in Debian CVE-2012-1814 (Cross-site scripting (XSS) vulnerability in Emerson DeltaV and DeltaV ...) NOT-FOR-US: DeltaV (SCADA system) not in Debian CVE-2012-1813 (eosfailoverservice.exe in C3-ilex EOScada before 11.0.19.2 allows remo ...) NOT-FOR-US: C3-ilex EOScada CVE-2012-1812 (eosfailoverservice.exe in C3-ilex EOScada before 11.0.19.2 allows remo ...) NOT-FOR-US: C3-ilex EOScada CVE-2012-1811 (EOSDataServer.exe in C3-ilex EOScada before 11.0.19.2 allows remote at ...) NOT-FOR-US: C3-ilex EOScada CVE-2012-1810 (EOSCoreScada.exe in C3-ilex EOScada before 11.0.19.2 allows remote att ...) NOT-FOR-US: C3-ilex EOScada CVE-2012-1809 (The web server in the ECOM Ethernet module in Koyo H0-ECOM, H0-ECOM100 ...) NOT-FOR-US: Koyo ECOM CVE-2012-1808 (The web server in the ECOM Ethernet module in Koyo H0-ECOM, H0-ECOM100 ...) NOT-FOR-US: Koyo ECOM CVE-2012-1807 (Cross-site scripting (XSS) vulnerability in the web server in the ECOM ...) NOT-FOR-US: Koyo ECOM CVE-2012-1806 (The ECOM Ethernet module in Koyo H0-ECOM, H0-ECOM100, H2-ECOM, H2-ECOM ...) NOT-FOR-US: Koyo ECOM CVE-2012-1805 (Buffer overflow in the ECOM Ethernet module in Koyo H0-ECOM, H0-ECOM10 ...) NOT-FOR-US: Koyo ECOM CVE-2012-1804 (The OPC server in Progea Movicon before 11.3 allows remote attackers t ...) NOT-FOR-US: Progea Movicon CVE-2012-1803 (RuggedCom Rugged Operating System (ROS) 3.10.x and earlier has a facto ...) NOT-FOR-US: RuggedCom Rugged Operating System CVE-2012-1802 (Buffer overflow in the embedded web server on the Siemens Scalance X I ...) NOT-FOR-US: Siemens Scalance X CVE-2012-1801 (Multiple stack-based buffer overflows in (1) COM and (2) ActiveX contr ...) NOT-FOR-US: ABB WebWare CVE-2012-1800 (Stack-based buffer overflow in the Profinet DCP protocol implementatio ...) NOT-FOR-US: Siemens Scalance S CVE-2012-1799 (The web server on the Siemens Scalance S Security Module firewall S602 ...) NOT-FOR-US: Siemens Scalance S CVE-2012-1798 (The TIFFGetEXIFProperties function in coders/tiff.c in ImageMagick bef ...) {DSA-2462-1} - imagemagick 8:6.7.4.0-4 (bug #667635) CVE-2012-1797 (IBM DB2 9.5 uses world-writable permissions for nodes.reg, which has u ...) NOT-FOR-US: IBM DB2 CVE-2012-1796 (Unspecified vulnerability in IBM Tivoli Monitoring Agent (ITMA), as us ...) NOT-FOR-US: Tivoli CVE-2012-1795 (webglimpse.cgi in Webglimpse before 2.20.0 allows remote attackers to ...) NOT-FOR-US: Webglimpse CVE-2012-1794 RESERVED CVE-2012-1793 RESERVED CVE-2012-1792 (Cross-site scripting (XSS) vulnerability in osCommerce/OM/Core/Site/Se ...) NOT-FOR-US: OSCommerce Online Merchant CVE-2012-1791 RESERVED CVE-2012-1777 (SQL injection vulnerability in my.activation.php3 in F5 FirePass 6.0.0 ...) NOT-FOR-US: F5 Firepass CVE-2012-1776 (Multiple heap-based buffer overflows in VideoLAN VLC media player befo ...) - vlc 2.0.1-1 (low) [squeeze] - vlc (Unsupported in squeeze-lts) CVE-2012-1775 (Stack-based buffer overflow in VideoLAN VLC media player before 2.0.1 ...) - vlc 2.0.1-1 (low) [squeeze] - vlc (Unsupported in squeeze-lts) CVE-2011-5083 (Unrestricted file upload vulnerability in inc/swf/swfupload.swf in Dot ...) - dotclear 2.5+dfsg-1 (low; bug #670227) NOTE: Post-authentication; vulnerability is actually in admin/media.php. CVE-2012-1790 (Absolute path traversal vulnerability in Webgrind 1.0 and 1.0.2 allows ...) NOT-FOR-US: Webgrind CVE-2012-1789 (Multiple cross-site scripting (XSS) vulnerabilities in Kongreg8 1.7.3 ...) NOT-FOR-US: Kongreg8 CVE-2012-1788 (Multiple cross-site scripting (XSS) vulnerabilities in wonderdesk.cgi ...) NOT-FOR-US: WonderDesk SQL CVE-2012-1787 (Multiple cross-site scripting (XSS) vulnerabilities in wgarcmin.cgi in ...) NOT-FOR-US: Webglimpse CVE-2012-1786 (The Media Upload form in the Video Embed & Thumbnail Generator plu ...) NOT-FOR-US: Media Upload form in the Video Embed & Thumbnail Generator plugin for WordPress CVE-2012-1785 (kg_callffmpeg.php in the Video Embed & Thumbnail Generator plugin ...) NOT-FOR-US: Video Embed & Thumbnail Generator plugin for WordPress CVE-2012-1784 (SQL injection vulnerability in MyJobList 0.1.3 allows remote attackers ...) NOT-FOR-US: MyJobList CVE-2012-1783 (Tiny Server 1.1.9 and earlier allows remote attackers to cause a denia ...) NOT-FOR-US: Tiny Server CVE-2012-1782 (Multiple cross-site scripting (XSS) vulnerabilities in questions/ask i ...) NOT-FOR-US: OSQA CVE-2012-1781 (Multiple cross-site scripting (XSS) vulnerabilities in ajax/commentaja ...) NOT-FOR-US: SocialCMS CVE-2012-1780 (SQL injection vulnerability in search.php in SocialCMS 1.0.5 allows re ...) NOT-FOR-US: SocialCMS CVE-2012-1779 (Cross-site scripting (XSS) vulnerability in IDevSpot idev-BusinessDire ...) NOT-FOR-US: IDevSpot idev-BusinessDirectory CVE-2012-1778 (SQL injection vulnerability in artykul_print.php in CreateVision CMS a ...) NOT-FOR-US: CreateVision CMS CVE-2011-5082 (Cross-site scripting (XSS) vulnerability in the s2Member Pro plugin be ...) NOT-FOR-US: s2Member Pro plugin for WordPress CVE-2010-5086 (Directory traversal vulnerability in wiki/rankings.php in Bitweaver 2. ...) NOT-FOR-US: Bitweaver CVE-2009-5114 (Directory traversal vulnerability in wgarcmin.cgi in WebGlimpse 2.18.7 ...) NOT-FOR-US: WebGlimpse CVE-2009-5113 (Cross-site scripting (XSS) vulnerability in wgarcmin.cgi in WebGlimpse ...) NOT-FOR-US: WebGlimpse CVE-2009-5112 (wgarcmin.cgi in WebGlimpse 2.18.7 and earlier allows remote attackers ...) NOT-FOR-US: WebGlimpse CVE-2012-1774 (Unspecified vulnerability in the Open URL feature in Gretech GOM Media ...) NOT-FOR-US: Gretech GOM Media Player CVE-2012-1773 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-1772 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-1771 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-1770 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-1769 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-1768 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-1767 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-1766 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-1765 (Unspecified vulnerability in Oracle Sun Solaris 10 allows local users ...) NOT-FOR-US: Oracle Sun Solaris 10 CVE-2012-1764 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-1763 (Unspecified vulnerability in the Oracle Clinical/Remote Data Capture c ...) NOT-FOR-US: Oracle Industry Applications CVE-2012-1762 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-1761 (Unspecified vulnerability in Oracle Siebel CRM 8.1.1 and 8.2.2 allows ...) NOT-FOR-US: Oracle Siebel CRM CVE-2012-1760 (Unspecified vulnerability in Oracle Siebel CRM 8.1.1 and 8.2.2 allows ...) NOT-FOR-US: Oracle Siebel CRM CVE-2012-1759 (Unspecified vulnerability in the Oracle AutoVue component in Oracle Su ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2012-1758 (Unspecified vulnerability in the Oracle AutoVue component in Oracle Su ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2012-1757 (Unspecified vulnerability in Oracle MySQL Server 5.5.23 and earlier al ...) - mysql-5.1 (Only affects 5.5) - mysql-5.5 5.5.24+dfsg-1 (bug #682210) CVE-2012-1756 (Unspecified vulnerability in Oracle MySQL Server 5.5.23 and earlier al ...) - mysql-5.1 (Only affects 5.5) - mysql-5.5 5.5.24+dfsg-1 (bug #682210) CVE-2012-1755 (Unspecified vulnerability in the PeopleSoft PeopleTools component in O ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-1754 (Unspecified vulnerability in Oracle Siebel CRM 8.1.1 and 8.2.2 allows ...) NOT-FOR-US: Oracle Siebel CRM CVE-2012-1753 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-1752 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Oracle Sun Solaris 11 CVE-2012-1751 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2012-1750 (Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 allow ...) NOT-FOR-US: Oracle Sun Solaris 8, 9, 10, and 11 CVE-2012-1749 (Unspecified vulnerability in the Oracle MapViewer component in Oracle ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-1748 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: Oracle PeopleSoft Products 9.1 CVE-2012-1747 (Unspecified vulnerability in the Network Layer component in Oracle Dat ...) NOT-FOR-US: Oracle Database Server CVE-2012-1746 (Unspecified vulnerability in the Network Layer component in Oracle Dat ...) NOT-FOR-US: Oracle Database Server CVE-2012-1745 (Unspecified vulnerability in the Network Layer component in Oracle Dat ...) NOT-FOR-US: Oracle Database Server CVE-2012-1744 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-1743 (Unspecified vulnerability in the Oracle Clinical Remote Data Capture O ...) NOT-FOR-US: Oracle Industry Applications CVE-2012-1742 (Unspecified vulnerability in Oracle Siebel CRM 8.1.1 and 8.2.2 allows ...) NOT-FOR-US: Oracle Siebel CRM CVE-2012-1741 (Unspecified vulnerability in the Enterprise Manager for Fusion Middlew ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-1740 (Unspecified vulnerability in the Oracle Application Express Listener c ...) NOT-FOR-US: Oracle Application Express Listener CVE-2012-1739 (Unspecified vulnerability in the Oracle E-Business Intelligence compon ...) NOT-FOR-US: Oracle E-Business Suite CVE-2012-1738 (Unspecified vulnerability in the Oracle iPlanet Web Server component i ...) NOT-FOR-US: Oracle Sun Products Suite, iPlanet Web Server CVE-2012-1737 (Unspecified vulnerability in the Enterprise Manager for Oracle Databas ...) NOT-FOR-US: Oracle CVE-2012-1736 (Unspecified vulnerability in the Oracle MapViewer component in Oracle ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-1735 (Unspecified vulnerability in Oracle MySQL Server 5.5.23 and earlier al ...) - mysql-5.1 (Only affects 5.5) - mysql-5.5 5.5.24+dfsg-1 (bug #682210) CVE-2012-1734 (Unspecified vulnerability in Oracle MySQL Server 5.1.62 and earlier, a ...) {DSA-2496-1} - mysql-5.1 (bug #682212) - mysql-5.5 5.5.24+dfsg-1 (bug #682210) CVE-2012-1733 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-1732 (Unspecified vulnerability in Oracle Siebel CRM 8.1.1 and 8.2.2 allows ...) NOT-FOR-US: Oracle Siebel CRM CVE-2012-1731 (Unspecified vulnerability in Oracle Siebel CRM 8.1.1 and 8.2.2 allows ...) NOT-FOR-US: Oracle Siebel CRM CVE-2012-1730 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2012-1729 (Unspecified vulnerability in the Hyperion BI+ component in Oracle Hype ...) NOT-FOR-US: Oracle Hyperion CVE-2012-1728 (Unspecified vulnerability in the Oracle Siebel CRM 8.1.1 and 8.2.2 all ...) NOT-FOR-US: Oracle Siebel CRM CVE-2012-1727 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2012-1726 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 7~u3-2.1.1-1 (bug #677486) CVE-2012-1725 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2507-1} - openjdk-6 6b24-1.11.3-1 (bug #677487) - openjdk-7 7~u3-2.1.1-1 (bug #677486) CVE-2012-1724 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2507-1} - openjdk-6 6b24-1.11.3-1 (bug #677487) - openjdk-7 7~u3-2.1.1-1 (bug #677486) CVE-2012-1723 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2507-1} - openjdk-6 6b24-1.11.3-1 (bug #677487) - openjdk-7 7~u3-2.1.1-1 (bug #677486) CVE-2012-1722 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (specific to Oracle Java) - openjdk-7 (specific to Oracle Java) CVE-2012-1721 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (specific to Oracle Java) - openjdk-7 (specific to Oracle Java) CVE-2012-1720 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Only affects Java on Solaris) - openjdk-7 (Only affects Java on Solaris) CVE-2012-1719 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2507-1} - openjdk-6 6b24-1.11.3-1 (bug #677487) - openjdk-7 7~u3-2.1.1-1 (bug #677486) CVE-2012-1718 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2507-1} - openjdk-6 6b24-1.11.3-1 (bug #677487) - openjdk-7 7~u3-2.1.1-1 (bug #677486) CVE-2012-1717 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2507-1} - openjdk-6 6b24-1.11.3-1 (bug #677487) - openjdk-7 7~u3-2.1.1-1 (bug #677486) CVE-2012-1716 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2507-1} - openjdk-6 6b24-1.11.3-1 (bug #677487) - openjdk-7 7~u3-2.1.1-1 (bug #677486) CVE-2012-1715 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2012-1714 (Unspecified vulnerability in a TList 6 ActiveX control in Oracle Hyper ...) NOT-FOR-US: Oracle Hyperion Financial Management CVE-2012-1713 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2507-1} - openjdk-6 6b24-1.11.3-1 (bug #677487) - openjdk-7 7~u3-2.1.1-1 (bug #677486) CVE-2012-1712 (Directory traversal vulnerability in the Liferay component in Oracle S ...) NOT-FOR-US: Oracle Sun GlassFish Web Space Server CVE-2012-1711 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2507-1} - openjdk-6 6b24-1.11.3-1 (bug #677487) - openjdk-7 7~u3-2.1.1-1 (bug #677486) CVE-2012-1710 (Unspecified vulnerability in the Oracle WebCenter Forms Recognition co ...) NOT-FOR-US: Oracle Fusion CVE-2012-1709 (Unspecified vulnerability in the Oracle WebCenter Forms Recognition co ...) NOT-FOR-US: Oracle Fusion CVE-2012-1708 (Unspecified vulnerability in the Application Express component in Orac ...) NOT-FOR-US: Oracle Database CVE-2012-1707 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle Financial Services Software CVE-2012-1706 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle Financial Services Software CVE-2012-1705 (Unspecified vulnerability in the Server component in Oracle MySQL 5.1. ...) {DSA-2780-1} - mysql-5.1 - mysql-5.5 5.5.29+dfsg-1 CVE-2012-1704 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle Financial Services Software CVE-2012-1703 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2496-1} - mysql-5.1 5.1.62-1 (bug #670636) - mysql-5.5 5.5.23-1 CVE-2012-1702 (Unspecified vulnerability in the Server component in Oracle MySQL 5.1. ...) {DSA-2780-1} - mysql-5.1 - mysql-5.5 5.5.29+dfsg-1 CVE-2012-1701 (Unspecified vulnerability in the Siebel CRM component in Oracle Siebel ...) NOT-FOR-US: Oracle Siebel CRM CVE-2012-1700 (Unspecified vulnerability in the Siebel CRM component in Oracle Siebel ...) NOT-FOR-US: Oracle Siebel CRM CVE-2012-1699 (The ProcSetEventMask function in difs/events.c in the xfs font server ...) - xfs 1:1.0.1-1 CVE-2012-1698 (Unspecified vulnerability in Oracle Sun Solaris 11 allows remote authe ...) NOT-FOR-US: Solaris CVE-2012-1697 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 5.5.23-1 CVE-2012-1696 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.5 5.5.23-1 CVE-2012-1695 (Unspecified vulnerability in the Oracle JRockit component in Oracle Fu ...) NOT-FOR-US: Oracle Fusion CVE-2012-1694 (Unspecified vulnerability in Oracle Sun Solaris 10 allows remote attac ...) NOT-FOR-US: Solaris CVE-2012-1693 (Unspecified vulnerability in Oracle SPARC Enterprise M Series Servers ...) NOT-FOR-US: Oracle SPARC Enterprise M Series Servers CVE-2012-1692 (Unspecified vulnerability in Oracle Sun Solaris 10 allows local users ...) NOT-FOR-US: Solaris CVE-2012-1691 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) NOT-FOR-US: Solaris CVE-2012-1690 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2496-1} - mysql-5.1 5.1.62-1 (bug #670636) - mysql-5.5 5.5.23-1 CVE-2012-1689 (Unspecified vulnerability in Oracle MySQL Server 5.1.62 and earlier, a ...) {DSA-2496-1} - mysql-5.1 (bug #682212) - mysql-5.5 5.5.24+dfsg-1 (bug #682210) CVE-2012-1688 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2496-1} - mysql-5.1 5.1.62-1 (bug #670636) - mysql-5.5 5.5.23-1 CVE-2012-1687 (Unspecified vulnerability in Oracle Solaris 10 and 11 allows local use ...) NOT-FOR-US: Oracle Solaris 10 and 11 CVE-2012-1686 (Unspecified vulnerability in the Oracle Business Intelligence Enterpri ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-1685 (Unspecified vulnerability in the Secure Global Desktop component in Or ...) NOT-FOR-US: Oracle Virtualization CVE-2012-1684 (Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 allow ...) NOT-FOR-US: Solaris CVE-2012-1683 (Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 allow ...) NOT-FOR-US: Solaris CVE-2012-1682 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 7u3-2.1.2-1 CVE-2012-1681 (Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 allow ...) NOT-FOR-US: Solaris CVE-2012-1680 (Unspecified vulnerability in the Siebel CRM component in Oracle Siebel ...) NOT-FOR-US: Oracle Siebel CRM CVE-2012-1679 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2012-1678 (Unspecified vulnerability in the JD Edwards EnterpriseOne Tools compon ...) NOT-FOR-US: Oracle JD Edwards Products CVE-2012-1677 (Unspecified vulnerability in the Oracle Application Server Single Sign ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-1676 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2012-1674 (Unspecified vulnerability in the Siebel Clinical component in Oracle I ...) NOT-FOR-US: Oracle Siebel CVE-2012-1673 (SQL injection vulnerability in loginscript.php in e-ticketing allows r ...) NOT-FOR-US: e-ticketing CVE-2012-1672 (SQL injection vulnerability in getcity.php in Hotel Booking Portal 0.1 ...) NOT-FOR-US: Hotel Booking Portal CVE-2012-1671 (Directory traversal vulnerability in index.php in phpPaleo 4.8b155 and ...) NOT-FOR-US: phpPaleo CVE-2012-1670 (admin/index.php in PHP Grade Book before 1.9.5 BETA allows remote atta ...) NOT-FOR-US: PHP Grade Book CVE-2012-1669 (Directory traversal vulnerability in index.php in phpMoneyBooks before ...) NOT-FOR-US: phpMoneyBooks CVE-2012-1668 RESERVED CVE-2012-1667 (ISC BIND 9.x before 9.7.6-P1, 9.8.x before 9.8.3-P1, 9.9.x before 9.9. ...) {DSA-2486-1} - bind9 1:9.8.1.dfsg.P1-4.1 - isc-dhcp (issue only affects the named service, which isn't used by isc-dhcp) CVE-2012-1666 (Untrusted search path vulnerability in VMware Tools in VMware Workstat ...) NOT-FOR-US: VMware Tools CVE-2012-1665 (Multiple SQL injection vulnerabilities in the admin panel in osCMax be ...) NOT-FOR-US: osCMax CVE-2012-1664 (Multiple cross-site scripting (XSS) vulnerabilities in the admin panel ...) NOT-FOR-US: osCMax CVE-2012-1663 (Double free vulnerability in libgnutls in GnuTLS before 3.0.14 allows ...) - gnutls28 3.0.14-1 - gnutls26 (only GNUTLS 3.0 is affected) CVE-2012-1662 (CA ARCserve Backup r12.0 through SP2, r12.5 before SP2, r15 through SP ...) NOT-FOR-US: CA ARCserve Backup CVE-2012-1661 (ESRI ArcMap 9 and ArcGIS 10.0.2.3200 and earlier does not properly pro ...) NOT-FOR-US: ESRI ArcMap, ArcGIS CVE-2012-1660 (Multiple cross-site scripting (XSS) vulnerabilities in components/sele ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1659 (Cross-site scripting (XSS) vulnerability in the Node Recommendation mo ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1658 (Cross-site scripting (XSS) vulnerability in the Read More Link module ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1657 (Cross-site scripting (XSS) vulnerability in block_class.module in the ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1656 (SQL injection vulnerability in the Multisite Search module 6.x-2.2 for ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1655 (Unspecified vulnerability in the UC PayDutchGroup / WeDeal payment mod ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1654 (Multiple cross-site scripting (XSS) vulnerabilities in the Data module ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1653 (Cross-site scripting (XSS) vulnerability in the Taxonomy Views Integra ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1652 (Cross-site scripting (XSS) vulnerability in the Hierarchical Select mo ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1651 (Cross-site scripting (XSS) vulnerability in the Submenu Tree module be ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1650 (The ZipCart module 6.x before 6.x-1.4 for Drupal checks the "access co ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1649 (Cool Aid module before 6.x-1.9 for Drupal does not enforce access rest ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1648 (Cross-site scripting (XSS) vulnerability in the Cool Aid module before ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1647 (Multiple cross-site scripting (XSS) vulnerabilities in the "stand alon ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1646 (Multiple cross-site scripting (XSS) vulnerabilities in the FAQ module ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1645 (The CDN module 6.x-2.2 and 7.x-2.2 for Drupal, when running in Origin ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1644 (The Organic Groups (OG) Vocabulary module 6.x-1.x before 6.x-1.2 for D ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1643 (The Faster Permissions module 7.x-2.x before 7.x-1.2 for Drupal does n ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1642 (includes/linkchecker.pages.inc in the Link checker module 6.x-2.x befo ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1641 (The finder_import function in the Finder module 6.x-1.x before 6.x-1.2 ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1640 (Multiple cross-site scripting (XSS) vulnerabilities in the Managesite ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1639 (Multiple cross-site scripting (XSS) vulnerabilities in product/commerc ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1638 (SQL injection vulnerability in the Search Autocomplete module before 7 ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1637 (Cross-site scripting vulnerability (XSS) in the Quick Tabs module 6.x- ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1636 (Cross-site request forgery (CSRF) vulnerability in the stickynote modu ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1635 (The hook_node_access function in the revisioning module 7.x-1.x before ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1634 (Cross-site scripting (XSS) vulnerability in video_filter.codecs.inc in ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1633 (Cross-site request forgery (CSRF) vulnerability in the Password Policy ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1632 (Cross-site scripting (XSS) vulnerability in password_policy.admin.inc ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1631 (Cross-site request forgery (CSRF) vulnerability in the Admin:hover mod ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1630 (Cross-site scripting (XSS) vulnerability in the Taxonomy Navigator mod ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1629 (Cross-site scripting (XSS) vulnerability in the Taxotouch module for D ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1628 (Cross-site scripting (XSS) vulnerability in the SuperCron module for D ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1627 (Cross-site scripting (XSS) vulnerability in vud_term.module in the Vot ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1626 (SQL injection vulnerability in the conversion form for Events in the D ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1625 (Eval injection vulnerability in the fillpdf_form_export_decode functio ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1624 (Multiple cross-site scripting (XSS) vulnerabilities in the Lingotek mo ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1623 (The Registration Codes module before 6.x-2.4 for Drupal does not restr ...) NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1622 (Apache OFBiz 10.04.x before 10.04.02 allows remote attackers to execut ...) NOT-FOR-US: Apache OFBiz CVE-2012-1621 (Multiple cross-site scripting (XSS) vulnerabilities in Apache Open For ...) NOT-FOR-US: Apache OFBiz CVE-2012-1620 (slock 0.9 does not properly handle the XRaiseWindow event when the scr ...) - suckless-tools 39-1 (unimportant; bug #667796) CVE-2012-1619 REJECTED CVE-2012-1618 (Interaction error in the PostgreSQL JDBC driver before 8.2, when used ...) - libpgjava (Even the version in oldstable had 8.2) CVE-2012-1617 (Directory traversal vulnerability in combine.php in OSClass before 2.3 ...) NOT-FOR-US: OSClass not in Debian CVE-2012-1616 (Use-after-free vulnerability in icclib before 2.13, as used by Argyll ...) - argyll 1.4.0-1 [squeeze] - argyll (Only standalone binary in squeeze, minor impact) NOTE: Starting with 1.4.0 argyll includes icclib 2.13, but it's hard to identify the NOTE: isolated security fix CVE-2012-1615 (A Privilege Escalation vulnerability exits in Fedoraproject Sectool du ...) NOT-FOR-US: sectool CVE-2012-1614 (Coppermine Photo Gallery before 1.5.20 allows remote attackers to obta ...) NOT-FOR-US: Coppermine CVE-2012-1613 (Cross-site scripting (XSS) vulnerability in edit_one_pic.php in Copper ...) NOT-FOR-US: Coppermine CVE-2012-1612 (Cross-site scripting (XSS) vulnerability in the update manager in Joom ...) NOT-FOR-US: Joomla! CVE-2012-1611 (Joomla! 2.5.x before 2.5.4 does not properly check permissions, which ...) NOT-FOR-US: Joomla! CVE-2012-1610 (Integer overflow in the GetEXIFProperty function in magick/property.c ...) {DSA-2462-1} - imagemagick 8:6.7.4.0-4 (bug #667635) CVE-2012-1609 RESERVED CVE-2012-1608 (The t3lib_div::RemoveXSS API method in TYPO3 4.4.0 through 4.4.13, 4.5 ...) {DSA-2445-1} - typo3-src 4.5.14+dfsg1-1 CVE-2012-1607 (The Command Line Interface (CLI) script in TYPO3 4.4.0 through 4.4.13, ...) {DSA-2445-1} - typo3-src 4.5.14+dfsg1-1 CVE-2012-1606 (Multiple cross-site scripting (XSS) vulnerabilities in the Backend com ...) {DSA-2445-1} - typo3-src 4.5.14+dfsg1-1 CVE-2012-1605 (The Extbase Framework in TYPO3 4.6.x through 4.6.6, 4.7, and 6.0 unser ...) - typo3-src (vulnerable code not yet present) CVE-2012-1604 (Cross-site scripting (XSS) vulnerability in NextBBS 0.6 allows remote ...) NOT-FOR-US: NextBBS CVE-2012-1603 (Multiple SQL injection vulnerabilities in ajaxserver.php in NextBBS 0. ...) NOT-FOR-US: NextBBS CVE-2012-1602 (user.php in NextBBS 0.6 allows remote attackers to bypass authenticati ...) NOT-FOR-US: NextBBS CVE-2012-1601 (The KVM implementation in the Linux kernel before 3.3.6 allows host OS ...) {DSA-2469-1} - linux-2.6 3.2.17-1 (low) CVE-2012-1600 (Multiple cross-site scripting (XSS) vulnerabilities in functions.php i ...) - phppgadmin 5.0.4-1 [squeeze] - phppgadmin (Minor issue, will be fixed through a point update) CVE-2012-1599 (Joomla! 1.5.x before 1.5.26 does not properly check permissions, which ...) NOT-FOR-US: Joomla! CVE-2012-1598 (Joomla! 1.5.x before 1.5.26 has unspecified impact and attack vectors ...) NOT-FOR-US: Joomla! CVE-2012-1597 (Cross-site scripting (XSS) vulnerability in the textEncode function in ...) NOT-FOR-US: eZ Publish CVE-2012-1596 (The mp2t_process_fragmented_payload function in epan/dissectors/packet ...) - wireshark 1.6.6-1 (unimportant; bug #666058) NOTE: Not suitable for code injection CVE-2012-1595 (The pcap_process_pseudo_header function in wiretap/pcap-common.c in Wi ...) - wireshark 1.6.6-1 (bug #666058) [squeeze] - wireshark 1.2.11-6+squeeze7 CVE-2012-1594 (epan/dissectors/packet-ieee80211.c in the IEEE 802.11 dissector in Wir ...) - wireshark 1.6.6-1 (unimportant; bug #666058) NOTE: Not suitable for code injection CVE-2012-1593 (epan/dissectors/packet-ansi_a.c in the ANSI A dissector in Wireshark 1 ...) - wireshark 1.6.6-1 (unimportant; bug #666058) [squeeze] - wireshark 1.2.11-6+squeeze7 NOTE: Not suitable for code injection CVE-2012-1592 (A local code execution issue exists in Apache Struts2 when processing ...) - libstruts1.2-java (Only applies to Struts 2, see bug #657870) CVE-2012-1591 (The image module in Drupal 7.x before 7.14 does not properly check per ...) - drupal7 7.14-1 (bug #671402) CVE-2012-1590 (The forum list in Drupal 7.x before 7.14 does not properly check user ...) - drupal7 7.14-1 (bug #671402) CVE-2012-1589 (Open redirect vulnerability in the Form API in Drupal 7.x before 7.13 ...) - drupal7 7.14-1 (bug #671402) CVE-2012-1588 (Algorithmic complexity vulnerability in the _filter_url function in th ...) - drupal7 7.14-1 (bug #671402) CVE-2012-1587 REJECTED CVE-2012-1585 (OpenStack Compute (Nova) Essex before 2011.3 allows remote authenticat ...) - nova 2012-1~rc3-1 (bug #666888) CVE-2012-1584 (Integer overflow in the mid function in toolkit/tbytevector.cpp in Tag ...) - taglib 1.7.1-1 (low; bug #662705) [squeeze] - taglib (Minor issue) CVE-2012-1583 (Double free vulnerability in the xfrm6_tunnel_rcv function in net/ipv6 ...) - linux-2.6 2.6.22-1 CVE-2012-1582 (Cross-site scripting (XSS) vulnerability in the wikitext parser in Med ...) - mediawiki 1:1.15.5-9 (bug #666269) [squeeze] - mediawiki CVE-2012-1581 (MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 uses weak rand ...) - mediawiki 1:1.15.5-9 (bug #666269) [squeeze] - mediawiki CVE-2012-1580 (Cross-site request forgery (CSRF) vulnerability in Special:Upload in M ...) - mediawiki (Vulnerable code not present, see bug #666269) CVE-2012-1579 (The resource loader in MediaWiki 1.17.x before 1.17.3 and 1.18.x befor ...) - mediawiki (Vulnerable code not present, see bug #666269) CVE-2012-1578 (Multiple cross-site request forgery (CSRF) vulnerabilities in MediaWik ...) - mediawiki (Vulnerable code not present, see bug #666269) CVE-2012-1577 (lib/libc/stdlib/random.c in OpenBSD returns 0 when seeded with 0. ...) - dietlibc 0.33~cvs20120325-1 (unimportant) CVE-2012-1576 (The myuser_delete function in libathemecore/account.c in Atheme 5.x be ...) NOT-FOR-US: atheme CVE-2012-1575 (Multiple cross-site scripting (XSS) vulnerabilities in Cumin before r5 ...) NOT-FOR-US: cumin CVE-2012-1574 (The Kerberos/MapReduce security functionality in Apache Hadoop 0.20.20 ...) - hadoop (bug #535861) CVE-2012-1573 (gnutls_cipher.c in libgnutls in GnuTLS before 2.12.17 and 3.x before 3 ...) {DSA-2441-1} - gnutls26 2.12.18-1 (high) - gnutls28 3.0.17-2 (high) CVE-2012-1572 (OpenStack Keystone: extremely long passwords can crash Keystone by exh ...) - keystone 2012.1~rc2-1 CVE-2012-1571 (file before 5.11 and libmagic allow remote attackers to cause a denial ...) {DSA-2422-1} - file 5.11-1 (low; bug #664263) CVE-2012-1570 (The resolver in MaraDNS before 1.3.0.7.15 and 1.4.x before 1.4.12 over ...) - maradns 1.4.12-1 (bug #665012) [squeeze] - maradns 1.4.03-1.1+squeeze1 CVE-2012-1569 (The asn1_get_length_der function in decoding.c in GNU Libtasn1 before ...) {DSA-2440-1} - libtasn1-3 2.12-1 (high) CVE-2012-1568 (The ExecShield feature in a certain Red Hat patch for the Linux kernel ...) - linux-2.6 (execshield issue) CVE-2012-1567 (LinuxMint as of 2012-03-19 has temporary file creation vulnerabilities ...) NOT-FOR-US: LinuxMint CVE-2012-1566 (LinuxMint as of 2012-03-19 has temporary file creation vulnerabilities ...) NOT-FOR-US: LinuxMint CVE-2012-1565 (Unspecified vulnerability in ez Publish 4.1.4, 4.2, 4.3, 4.4, 4.5, and ...) NOT-FOR-US: eZ Publish CVE-2012-1564 (Cross-site scripting (XSS) vulnerability in administration/create_albu ...) NOT-FOR-US: YVS CVE-2012-1563 (Joomla! before 2.5.3 allows Admin Account Creation. ...) NOT-FOR-US: Joomla! CVE-2012-1562 (Joomla! core before 2.5.3 allows unauthorized password change. ...) NOT-FOR-US: Joomla! CVE-2012-1561 (Cross-site scripting (XSS) vulnerability in the Finder module 6.x-1.x ...) NOT-FOR-US: Drupal Finder CVE-2012-1560 RESERVED CVE-2012-1559 RESERVED CVE-2012-1558 (yaSSL CyaSSL before 2.0.8 allows remote attackers to cause a denial of ...) - cyassl (Fixed before initial upload) NOTE: https://github.com/cyassl/cyassl/commit/6b77c8967aa34f2a0bae85e90a469c4170cb2bb1 CVE-2012-1557 (SQL injection vulnerability in admin/plib/api-rpc/Agent.php in Paralle ...) NOT-FOR-US: Parallels Plesk Panel CVE-2012-1556 (Cross-site scripting (XSS) vulnerability in Synology Photo Station 5 f ...) NOT-FOR-US: Synology DiskStation Manager extension CVE-2012-1555 RESERVED CVE-2012-1554 RESERVED CVE-2012-1553 RESERVED CVE-2012-1552 RESERVED CVE-2012-1551 RESERVED CVE-2012-1550 RESERVED CVE-2012-1549 RESERVED CVE-2012-1548 RESERVED CVE-2012-1547 RESERVED CVE-2012-1546 RESERVED CVE-2012-1545 (Microsoft Internet Explorer 6 through 9, and 10 Consumer Preview, allo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-1544 REJECTED CVE-2012-1543 (Unspecified vulnerability in the JavaFX component in Oracle Java SE Ja ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) CVE-2012-1542 RESERVED CVE-2012-1541 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2012-1540 RESERVED CVE-2012-1539 (Use-after-free vulnerability in Microsoft Internet Explorer 9 allows r ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-1538 (Use-after-free vulnerability in Microsoft Internet Explorer 9 allows r ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-1537 (Heap-based buffer overflow in DirectPlay in DirectX 9.0 through 11.1 i ...) NOT-FOR-US: DirectX 9.0 in Microsoft Windows CVE-2012-1536 RESERVED CVE-2012-1535 (Unspecified vulnerability in Adobe Flash Player before 11.3.300.271 on ...) NOT-FOR-US: Adobe Flash Player CVE-2012-1534 REJECTED CVE-2012-1533 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2012-1532 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2012-1531 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Specific to Oracle Java, not present in IcedTea) - openjdk-7 (Specific to Oracle Java, not present in IcedTea) NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected CVE-2012-1530 (Heap-based buffer overflow in the XSLT engine in Adobe Reader and Acro ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2012-1529 (Use-after-free vulnerability in Microsoft Internet Explorer 8 and 9 al ...) NOT-FOR-US: Internet Explorer CVE-2012-1528 (Integer overflow in Windows Shell in Microsoft Windows XP SP2 and SP3, ...) NOT-FOR-US: Microsoft Windows CVE-2012-1527 (Integer underflow in Windows Shell in Microsoft Windows XP SP2 and SP3 ...) NOT-FOR-US: Microsoft Windows CVE-2012-1526 (Microsoft Internet Explorer 6 and 7 does not properly handle objects i ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-1525 (Heap-based buffer overflow in Adobe Reader and Acrobat 9.x before 9.5. ...) NOT-FOR-US: Adobe Reader CVE-2012-1524 (Microsoft Internet Explorer 9 does not properly handle objects in memo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-1523 (Microsoft Internet Explorer 6 through 8 does not properly handle objec ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-1522 (Microsoft Internet Explorer 9 does not properly handle objects in memo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-1521 (Use-after-free vulnerability in the XML parser in Google Chrome before ...) - chromium-browser 18.0.1025.168~r134367-1 [squeeze] - chromium-browser CVE-2012-1520 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple Safari/ if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-1519 RESERVED CVE-2012-1518 (VMware Workstation 8.x before 8.0.2, VMware Player 4.x before 4.0.2, V ...) NOT-FOR-US: VMware CVE-2012-1517 (The VMX process in VMware ESXi 4.1 and ESX 4.1 does not properly handl ...) NOT-FOR-US: VMware CVE-2012-1516 (The VMX process in VMware ESXi 3.5 through 4.1 and ESX 3.5 through 4.1 ...) NOT-FOR-US: VMware CVE-2012-1515 (VMware ESXi 3.5, 4.0, and 4.1 and ESX 3.5, 4.0, and 4.1 do not properl ...) NOT-FOR-US: VMware ESXi CVE-2012-1514 (Cross-site request forgery (CSRF) vulnerability in VMware vShield Mana ...) NOT-FOR-US: VMware vShield Manager CVE-2012-1513 (The Web Configuration tool in VMware vCenter Orchestrator (vCO) 4.0 be ...) NOT-FOR-US: VMware vCenter Orchestrator CVE-2012-1512 (Cross-site scripting (XSS) vulnerability in the internal browser in vS ...) NOT-FOR-US: VMware vSphere CVE-2012-1511 (Cross-site scripting (XSS) vulnerability in View Manager Portal in VMw ...) NOT-FOR-US: VMware View CVE-2012-1510 (Buffer overflow in the WDDM display driver in VMware ESXi 4.0, 4.1, an ...) NOT-FOR-US: VMware ESXi CVE-2012-1509 (Buffer overflow in the XPDM display driver in VMware View before 4.6.1 ...) NOT-FOR-US: VMware View CVE-2012-1508 (The XPDM display driver in VMware ESXi 4.0, 4.1, and 5.0; VMware ESX 4 ...) NOT-FOR-US: VMware ESXi CVE-2012-1507 (Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM befor ...) NOT-FOR-US: OrangeHRM CVE-2012-1506 (SQL injection vulnerability in the updateStatus function in lib/models ...) NOT-FOR-US: OrangeHRM CVE-2012-1505 RESERVED CVE-2012-1504 RESERVED CVE-2012-1503 (Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Ap ...) NOT-FOR-US: Six Apart CVE-2012-1502 (Double free vulnerability in the PyPAM_conv in PAMmodule.c in PyPam 0. ...) {DSA-2430-1} - python-pam 0.4.2-13 CVE-2012-1501 REJECTED CVE-2012-1500 (Stored XSS vulnerability in UpdateFieldJson.jspa in JIRA 4.4.3 and Gre ...) NOT-FOR-US: Atlassian CVE-2012-1499 (The JPEG 2000 codec (jp2.c) in OpenJPEG before 1.5 allows remote attac ...) - openjpeg (vulnerable code introduced after 1.3) CVE-2012-1498 (Multiple cross-site request forgery (CSRF) vulnerabilities in Webfolio ...) NOT-FOR-US: Webfolio CMS CVE-2012-1497 (The default configuration of Movable Type before 4.38, 5.0x before 5.0 ...) {DSA-2423-1} - movabletype-opensource 5.1.3+dfsg-1 CVE-2012-1496 (Local file inclusion in WebCalendar before 1.2.5. ...) - webcalendar CVE-2012-1495 (install/index.php in WebCalendar before 1.2.5 allows remote attackers ...) - webcalendar CVE-2012-1102 [XML::Atom Perl module XML entity expansion] RESERVED {DSA-2424-1} - libxml-atom-perl 0.39-1 (medium) CVE-2012-1494 RESERVED CVE-2012-1493 (F5 BIG-IP appliances 9.x before 9.4.8-HF5, 10.x before 10.2.4, 11.0.x ...) NOT-FOR-US: F5 BIG-IP appliances CVE-2012-1492 RESERVED CVE-2012-1491 RESERVED CVE-2012-1490 RESERVED CVE-2012-1489 RESERVED CVE-2012-1488 RESERVED CVE-2012-1487 RESERVED CVE-2012-1486 RESERVED CVE-2012-1485 (Unspecified vulnerability in the NetFront Life Browser (com.access_com ...) NOT-FOR-US: NetFront Life Browser for Android CVE-2012-1484 (Unspecified vulnerability in the WaliSMS CN (cn.com.wali.walisms) appl ...) NOT-FOR-US: WaliSMS CN (cn.com.wali.walisms) application CVE-2012-1483 (Unspecified vulnerability in the Message Forwarder (com.gmail.zbnetium ...) NOT-FOR-US: Message Forwarder for Android CVE-2012-1482 (Unspecified vulnerability in the TouchPal Contacts (com.cootek.smartdi ...) NOT-FOR-US: TouchPal Contacts for Android CVE-2012-1481 (Unspecified vulnerability in the Textdroid (com.app.android.textdroid) ...) NOT-FOR-US: Textdroid for Android CVE-2012-1480 (Unspecified vulnerability in the Pansi SMS (com.pansi.msg) application ...) NOT-FOR-US: Pansi SMS CVE-2012-1479 (Unspecified vulnerability in the AContact (com.movester.quickcontact) ...) NOT-FOR-US: AContact CVE-2012-1478 (Unspecified vulnerability in the UCMobile BloveStorm (com.blovestorm) ...) NOT-FOR-US: UCMobile BloveStorm CVE-2012-1477 (Unspecified vulnerability in the Cnectd (mci.cnectd) application 3.1.0 ...) NOT-FOR-US: Cnectd CVE-2012-1476 (Unspecified vulnerability in the KKtalk (com.kkliaotian.android) appli ...) NOT-FOR-US: KKtalk CVE-2012-1475 (Unspecified vulnerability in the YagattaTalk Messenger (com.iskoot.yag ...) NOT-FOR-US: YagattaTalk Messenge CVE-2012-1474 (Unspecified vulnerability in the Youni SMS (com.snda.youni) applicatio ...) NOT-FOR-US: Youni SMS CVE-2012-1473 RESERVED CVE-2012-1472 (VMware vCenter Chargeback Manager (aka CBM) before 2.0.1 does not prop ...) NOT-FOR-US: VMware vCenter Chargeback Manager CVE-2012-1471 (Directory traversal vulnerability in catalogue_file.php in ocPortal be ...) - ocportal (bug #625865) CVE-2012-1470 (Multiple cross-site scripting (XSS) vulnerabilities in code_editor.php ...) - ocportal (bug #625865) CVE-2012-1469 (Multiple cross-site scripting (XSS) vulnerabilities in Open Journal Sy ...) - ojs (low) [squeeze] - ojs (Minor issue) CVE-2012-1468 (Incomplete blacklist vulnerability in Open Journal Systems before 2.3. ...) - ojs (low) [squeeze] - ojs (Minor issue) CVE-2012-1467 (Multiple directory traversal vulnerabilities in the iBrowser plugin li ...) - ojs (low) [squeeze] - ojs (Minor issue) CVE-2012-1466 (The Traffic Grapher Server for NetMechanica NetDecision before 4.6.1 a ...) NOT-FOR-US: NetMechanica NetDecision CVE-2012-1465 (Stack-based buffer overflow in the HTTP Server in NetMechanica NetDeci ...) NOT-FOR-US: NetMechanica NetDecision CVE-2012-1464 (Dashboard Server for NetMechanica NetDecision before 4.6.1 allows remo ...) NOT-FOR-US: NetMechanica NetDecision CVE-2012-1463 (The ELF file parser in AhnLab V3 Internet Security 2011.01.18.00, Bitd ...) NOT-FOR-US: multiple Anti-Virus applications CVE-2012-1462 (The ZIP file parser in AhnLab V3 Internet Security 2011.01.18.00, AVG ...) NOT-FOR-US: multiple Anti-Virus applications CVE-2012-1461 (The Gzip file parser in AVG Anti-Virus 10.0.0.1190, Bitdefender 7.2, C ...) NOT-FOR-US: multiple Anti-Virus applications CVE-2012-1460 (The Gzip file parser in Antiy Labs AVL SDK 2.0.3.7, Quick Heal (aka Ca ...) NOT-FOR-US: multiple Anti-Virus applications CVE-2012-1459 (The TAR file parser in AhnLab V3 Internet Security 2011.01.18.00, Avir ...) - clamav 0.97.5+dfsg-1 (low; bug #668273) [squeeze] - clamav 0.97.5+dfsg-3~squeeze1 CVE-2012-1458 (The Microsoft CHM file parser in ClamAV 0.96.4 and Sophos Anti-Virus 4 ...) - clamav 0.97.5+dfsg-1 (low; bug #668273) [squeeze] - clamav 0.97.5+dfsg-3~squeeze1 CVE-2012-1457 (The TAR file parser in Avira AntiVir 7.11.1.163, Antiy Labs AVL SDK 2. ...) - clamav 0.97.5+dfsg-1 (low; bug #668273) [squeeze] - clamav 0.97.5+dfsg-3~squeeze1 CVE-2012-1456 (The TAR file parser in AVG Anti-Virus 10.0.0.1190, Quick Heal (aka Cat ...) NOT-FOR-US: multiple Anti-Virus applications CVE-2012-1455 (The CAB file parser in NOD32 Antivirus 5795 and Rising Antivirus 22.83 ...) NOT-FOR-US: NOD32 Antivirus, Rising Antivirus CVE-2012-1454 (The ELF file parser in Dr.Web 5.0.2.03300, eSafe 7.0.17.0, McAfee Gate ...) NOT-FOR-US: multiple Anti-Virus applications CVE-2012-1453 (The CAB file parser in Dr.Web 5.0.2.03300, Trend Micro HouseCall 9.120 ...) NOT-FOR-US: multiple Anti-Virus applications CVE-2012-1452 (The CAB file parser in Emsisoft Anti-Malware 5.1.0.1, Ikarus Virus Uti ...) NOT-FOR-US: multiple Anti-Virus applications CVE-2012-1451 (The CAB file parser in Emsisoft Anti-Malware 5.1.0.1 and Ikarus Virus ...) NOT-FOR-US: multiple Anti-Virus applications CVE-2012-1450 (The CAB file parser in Emsisoft Anti-Malware 5.1.0.1, Sophos Anti-Viru ...) NOT-FOR-US: multiple Anti-Virus applications CVE-2012-1449 (The CAB file parser in NOD32 Antivirus 5795 and Rising Antivirus 22.83 ...) NOT-FOR-US: multiple Anti-Virus applications CVE-2012-1448 (The CAB file parser in Quick Heal (aka Cat QuickHeal) 11.00, Trend Mic ...) NOT-FOR-US: multiple Anti-Virus applications CVE-2012-1447 (The ELF file parser in Fortinet Antivirus 4.2.254.0, eSafe 7.0.17.0, D ...) NOT-FOR-US: multiple Anti-Virus applications CVE-2012-1446 (The ELF file parser in Quick Heal (aka Cat QuickHeal) 11.00, McAfee An ...) NOT-FOR-US: multiple Anti-Virus applications CVE-2012-1445 (The ELF file parser in eSafe 7.0.17.0, Rising Antivirus 22.83.00.03, F ...) NOT-FOR-US: multiple Anti-Virus applications CVE-2012-1444 (The ELF file parser in eSafe 7.0.17.0, Prevx 3.0, Fortinet Antivirus 4 ...) NOT-FOR-US: multiple Anti-Virus applications CVE-2012-1443 (The RAR file parser in ClamAV 0.96.4, Rising Antivirus 22.83.00.03, Qu ...) NOTE: clamav, but upstream evaluated it as invalid (#668273) CVE-2012-1442 (The ELF file parser in Quick Heal (aka Cat QuickHeal) 11.00, McAfee An ...) NOT-FOR-US: Multiple Antivirus applications CVE-2012-1441 (The Microsoft EXE file parser in eSafe 7.0.17.0 and Prevx 3.0 allows r ...) NOT-FOR-US: eSafe, Prevx CVE-2012-1440 (The ELF file parser in Norman Antivirus 6.06.12, eSafe 7.0.17.0, CA eT ...) NOT-FOR-US: multiple Antivirus applications CVE-2012-1439 (The ELF file parser in eSafe 7.0.17.0, Rising Antivirus 22.83.00.03, F ...) NOT-FOR-US: multiple Antivirus applications CVE-2012-1438 (The Microsoft Office file parser in Comodo Antivirus 7425 and Sophos A ...) NOT-FOR-US: multiple Anti-Virus applications CVE-2012-1437 (The Microsoft Office file parser in Comodo Antivirus 7425 allows remot ...) NOT-FOR-US: Comodo Antivirus 7425 CVE-2012-1436 (The Microsoft EXE file parser in AhnLab V3 Internet Security 2011.01.1 ...) NOT-FOR-US: multiple Anti-Virus applications CVE-2012-1435 (The Microsoft EXE file parser in AhnLab V3 Internet Security 2011.01.1 ...) NOT-FOR-US: multiple Anti-Virus applications CVE-2012-1434 (The Microsoft EXE file parser in AhnLab V3 Internet Security 2011.01.1 ...) NOT-FOR-US: multiple Anti-Virus applications CVE-2012-1433 (The Microsoft EXE file parser in AhnLab V3 Internet Security 2011.01.1 ...) NOT-FOR-US: multiple Anti-Virus applications CVE-2012-1432 (The Microsoft EXE file parser in Emsisoft Anti-Malware 5.1.0.1, eSafe ...) NOT-FOR-US: multiple Anti-Virus applications CVE-2012-1431 (The ELF file parser in Bitdefender 7.2, Command Antivirus 5.2.11.5, Co ...) NOT-FOR-US: multiple Anti-Virus applications CVE-2012-1430 (The ELF file parser in Bitdefender 7.2, Comodo Antivirus 7424, eSafe 7 ...) NOT-FOR-US: multiple Anti-Virus applications CVE-2012-1429 (The ELF file parser in Bitdefender 7.2, Comodo Antivirus 7424, Emsisof ...) NOT-FOR-US: multiple Anti-Virus applications CVE-2012-1428 (The TAR file parser in Quick Heal (aka Cat QuickHeal) 11.00, Norman An ...) NOT-FOR-US: multiple Anti-Virus applications CVE-2012-1427 (The TAR file parser in Quick Heal (aka Cat QuickHeal) 11.00, Norman An ...) NOT-FOR-US: multiple Anti-Virus applications CVE-2012-1426 (The TAR file parser in Quick Heal (aka Cat QuickHeal) 11.00, Command A ...) NOT-FOR-US: multiple Anti-Virus applications CVE-2012-1425 (The TAR file parser in Avira AntiVir 7.11.1.163, Antiy Labs AVL SDK 2. ...) NOT-FOR-US: Multiple Antivirus applications CVE-2012-1424 (The TAR file parser in Antiy Labs AVL SDK 2.0.3.7, Quick Heal (aka Cat ...) NOT-FOR-US: multiple Antivirus applications CVE-2012-1423 (The TAR file parser in Command Antivirus 5.2.11.5, Emsisoft Anti-Malwa ...) NOT-FOR-US: multiple Antivirus applications CVE-2012-1422 (The TAR file parser in Quick Heal (aka Cat QuickHeal) 11.00, NOD32 Ant ...) NOT-FOR-US: multiple Antivirus applications CVE-2012-1421 (The TAR file parser in Quick Heal (aka Cat QuickHeal) 11.00, Norman An ...) NOT-FOR-US: multiple Antivirus applications CVE-2012-1420 (The TAR file parser in Quick Heal (aka Cat QuickHeal) 11.00, Command A ...) NOT-FOR-US: multiple Antivirus applications CVE-2012-1419 (The TAR file parser in ClamAV 0.96.4 and Quick Heal (aka Cat QuickHeal ...) - clamav 0.97.5+dfsg-1 (low; bug #668273) [squeeze] - clamav 0.97.5+dfsg-3~squeeze1 CVE-2012-1418 (Multiple unspecified vulnerabilities in Google Chrome before 17.0.963. ...) NOT-FOR-US: Chrome books CVE-2012-1417 (Multiple cross-site scripting (XSS) vulnerabilities in Local Phone boo ...) NOT-FOR-US: Yealink VoIP Phone CVE-2012-1416 (Multiple cross-site request forgery (CSRF) vulnerabilities in SocialCM ...) NOT-FOR-US: SocialCMS CVE-2012-1415 (Cross-site request forgery (CSRF) vulnerability in lib/logout.php in D ...) NOT-FOR-US: DFLabs PTK CVE-2012-1414 (Cross-site request forgery (CSRF) vulnerability in manager/news.php in ...) NOT-FOR-US: Plume CMS CVE-2012-1413 (Cross-site scripting (XSS) vulnerability in zc_install/includes/module ...) NOT-FOR-US: Zen Cart CVE-2012-1412 RESERVED CVE-2012-1411 RESERVED CVE-2012-1410 (Multiple cross-site scripting (XSS) vulnerabilities in the History Win ...) - kadu 0.11.0-1 [squeeze] - kadu (Only affects >= 0.9) CVE-2012-1409 (Unspecified vulnerability in the Tiny Password (com.tinycouch.android. ...) NOT-FOR-US: Tiny Password CVE-2012-1408 (Unspecified vulnerability in the App Lock (com.cc.applock) application ...) NOT-FOR-US: App Lock CVE-2012-1407 (Unspecified vulnerability in the GO Message Widget (com.gau.go.launche ...) NOT-FOR-US: GO Message Widget CVE-2012-1406 (Unspecified vulnerability in the GO Bookmark Widget (com.gau.go.launch ...) NOT-FOR-US: GO Bookmark Widget CVE-2012-1405 (Unspecified vulnerability in the GO Note Widget (com.gau.go.launcherex ...) NOT-FOR-US: GO Note Widget CVE-2012-1404 (Unspecified vulnerability in the Dolphin Browser Mini (com.dolphin.bro ...) NOT-FOR-US: Dolphin Browser Mini CVE-2012-1403 (Unspecified vulnerability in the Dolphin Browser CN (com.dolphin.brows ...) NOT-FOR-US: Dolphin Browser CN CVE-2012-1402 (Unspecified vulnerability in the QianXun YingShi (com.qianxun.yingshi) ...) NOT-FOR-US: QianXun YingShi CVE-2012-1401 (Unspecified vulnerability in the CamScanner (com.intsig.camscanner) ap ...) NOT-FOR-US: CamScanner CVE-2012-1400 (Unspecified vulnerability in the U+Box 2.0 Pad (lg.uplusbox.pad) appli ...) NOT-FOR-US: U+Box CVE-2012-1399 (Unspecified vulnerability in the U+Box 2.0 (lg.uplusbox) application 2 ...) NOT-FOR-US: U+Box CVE-2012-1398 (Unspecified vulnerability in the GO WeiboWidget (com.gau.go.launcherex ...) NOT-FOR-US: GO WeiboWidget CVE-2012-1397 (Unspecified vulnerability in the GO QQWeiboWidget (com.gau.go.launcher ...) NOT-FOR-US: GO QQWeiboWidget CVE-2012-1396 (Unspecified vulnerability in the GO FBWidget (com.gau.go.launcherex.go ...) NOT-FOR-US: GO FBWidget CVE-2012-1395 (Unspecified vulnerability in the GO TwiWidget (com.gau.go.launcherex.g ...) NOT-FOR-US: GO TwiWidget CVE-2012-1394 (Unspecified vulnerability in the GO Email Widget (com.gau.go.launchere ...) NOT-FOR-US: GO Email Widget CVE-2012-1393 (Unspecified vulnerability in the GO SMS Pro (com.jb.gosms) application ...) NOT-FOR-US: GO SMS Pro CVE-2012-1392 (Unspecified vulnerability in the Dolphin Browser HD (mobi.mgeek.TunnyB ...) NOT-FOR-US: Dolphin Browser HD CVE-2012-1391 (Unspecified vulnerability in the mOffice - Outlook sync (com.innov8tio ...) NOT-FOR-US: mOffice - Outlook sync CVE-2012-1390 (Unspecified vulnerability in the Miso (com.bazaarlabs.miso) applicatio ...) NOT-FOR-US: Miso CVE-2012-1389 (Unspecified vulnerability in the Di Long Weibo (com.icekirin.weibos) a ...) NOT-FOR-US: Di Long Weibo CVE-2012-1388 (Unspecified vulnerability in the XiXunTianTian (com.xixun.tiantian) ap ...) NOT-FOR-US: XiXunTianTian CVE-2012-1387 (Unspecified vulnerability in the RealTalk (com.tmsmanager.tms) applica ...) NOT-FOR-US: RealTalk CVE-2012-1386 (Unspecified vulnerability in the YouMail Visual Voicemail Plus (com.yo ...) NOT-FOR-US: YouMail Visual Voicemail Plus CVE-2012-1385 (Unspecified vulnerability in the NetEase WeiboHD (com.netease.wbhd) ap ...) NOT-FOR-US: NetEase WeiboHD CVE-2012-1384 (Unspecified vulnerability in the NetEase Pmail (com.netease.rpmms) app ...) NOT-FOR-US: NetEase Pmail CVE-2012-1383 (Unspecified vulnerability in the NetEase Reader (com.netease.pris) app ...) NOT-FOR-US: NetEase Reader CVE-2012-1382 (Unspecified vulnerability in the Youdao Dictionary (com.youdao.dict) a ...) NOT-FOR-US: Youdao Dictionary CVE-2012-1381 (Unspecified vulnerability in the NetEase CloudAlbum (com.netease.cloud ...) NOT-FOR-US: NetEase CloudAlbum CVE-2012-1380 (Unspecified vulnerability in the NetEaseWeibo (com.netease.wb) applica ...) NOT-FOR-US: NetEaseWeibo CVE-2012-1379 RESERVED CVE-2012-1378 RESERVED CVE-2012-1377 RESERVED CVE-2012-1376 RESERVED CVE-2012-1375 RESERVED CVE-2012-1374 RESERVED CVE-2012-1373 RESERVED CVE-2012-1372 RESERVED CVE-2012-1371 RESERVED CVE-2012-1370 (Cisco AnyConnect Secure Mobility Client 3.0 before 3.0.08057 allows re ...) NOT-FOR-US: Cisco CVE-2012-1369 RESERVED CVE-2012-1368 RESERVED CVE-2012-1367 (The MallocLite implementation in Cisco IOS 12.0, 12.2, 15.0, 15.1, and ...) NOT-FOR-US: Cisco CVE-2012-1366 (Cisco IOS before 15.1(1)SY on ASR 1000 devices, when Multicast Listene ...) NOT-FOR-US: Cisco IOS CVE-2012-1365 (Cisco Unified Computing System (UCS) 1.4 and 2.0 allows remote authent ...) NOT-FOR-US: Cisco CVE-2012-1364 (Cisco Unified Computing System (UCS) 1.4 and 2.0 allows remote authent ...) NOT-FOR-US: Cisco CVE-2012-1363 RESERVED CVE-2012-1362 RESERVED CVE-2012-1361 (Cisco IOS 15.1 and 15.2, when the Multicast Music-on-Hold (MMoH) featu ...) NOT-FOR-US: Cisco CVE-2012-1360 RESERVED CVE-2012-1359 RESERVED CVE-2012-1358 RESERVED CVE-2012-1357 (The igmp_snoop_orib_fill_source_update function in the IGMP process in ...) NOT-FOR-US: NX-OS CVE-2012-1356 RESERVED CVE-2012-1355 RESERVED CVE-2012-1354 RESERVED CVE-2012-1353 RESERVED CVE-2012-1352 RESERVED CVE-2012-1351 RESERVED CVE-2012-1350 (Cisco IOS 12.3 and 12.4 on Aironet access points allows remote attacke ...) NOT-FOR-US: Cisco IOS CVE-2012-1349 RESERVED CVE-2012-1348 (Cisco Wide Area Application Services (WAAS) appliances with software 4 ...) NOT-FOR-US: Cisco Wide Area Application Services CVE-2012-1347 RESERVED CVE-2012-1346 (Cisco Emergency Responder 8.6 and 9.2 allows remote attackers to cause ...) NOT-FOR-US: Cisco Emergency Responder CVE-2012-1345 RESERVED CVE-2012-1344 (Cisco IOS 15.1 and 15.2, when a clientless SSL VPN is configured, allo ...) NOT-FOR-US: Cisco IOS CVE-2012-1343 RESERVED CVE-2012-1342 (Cisco Carrier Routing System (CRS) 3.9, 4.0, and 4.1 allows remote att ...) NOT-FOR-US: Cisco Carrier Routing System CVE-2012-1341 RESERVED CVE-2012-1340 (The Fibre Channel over IP (FCIP) implementation in Cisco MDS NX-OS 4.2 ...) NOT-FOR-US: Cisco MDS NX-OS CVE-2012-1339 (The Fabric Interconnect component in Cisco Unified Computing System (U ...) NOT-FOR-US: Cisco Unified Computing System CVE-2012-1338 (Cisco IOS 15.0 and 15.1 on Catalyst 3560 and 3750 series switches allo ...) NOT-FOR-US: Cisco IOS CVE-2012-1337 (Buffer overflow in the Cisco WebEx Recording Format (WRF) player T27 L ...) NOT-FOR-US: Cisco WebEx CVE-2012-1336 (Buffer overflow in the Cisco WebEx Recording Format (WRF) player T27 L ...) NOT-FOR-US: Cisco WebEx CVE-2012-1335 (Buffer overflow in the Cisco WebEx Recording Format (WRF) player T27 L ...) NOT-FOR-US: Cisco WebEx CVE-2012-1334 RESERVED CVE-2012-1333 RESERVED CVE-2012-1332 RESERVED CVE-2012-1331 RESERVED CVE-2012-1330 RESERVED CVE-2012-1329 RESERVED CVE-2012-1328 (Cisco Unified IP Phones 9900 series devices with firmware 9.1 and 9.2 ...) NOT-FOR-US: Cisco IP Phone CVE-2012-1327 (dot11t/t_if_dot11_hal_ath.c in Cisco IOS 12.3, 12.4, 15.0, and 15.1 al ...) NOT-FOR-US: Cisco IOS CVE-2012-1326 (Cisco IronPort Web Security Appliance up to and including 7.5 does not ...) NOT-FOR-US: Cisco CVE-2012-1325 RESERVED CVE-2012-1324 (Race condition in the Zone-Based Firewall in Cisco IOS 15.1 and 15.2, ...) NOT-FOR-US: Cisco IOS CVE-2012-1323 RESERVED CVE-2012-1322 RESERVED CVE-2012-1321 RESERVED CVE-2012-1320 RESERVED CVE-2012-1319 RESERVED CVE-2012-1318 RESERVED CVE-2012-1317 (The multicast implementation in Cisco IOS before 15.1(1)SY allows remo ...) NOT-FOR-US: Cisco IOS CVE-2012-1316 (Cisco IronPort Web Security Appliance does not check for certificate r ...) NOT-FOR-US: Cisco CVE-2012-1315 (Memory leak in the SIP inspection feature in the Zone-Based Firewall i ...) NOT-FOR-US: Cisco IOS CVE-2012-1314 (The WAAS Express feature in Cisco IOS 15.1 and 15.2 allows remote atta ...) NOT-FOR-US: Cisco IOS CVE-2012-1313 (The remote debug shell on the PALO adapter card in Cisco Unified Compu ...) NOT-FOR-US: Cisco Unified Computing System CVE-2012-1312 (The MACE feature in Cisco IOS 15.1 and 15.2 allows remote attackers to ...) NOT-FOR-US: Cisco IOS CVE-2012-1311 (The RSVP feature in Cisco IOS 15.0 and 15.1 and IOS XE 3.2.xS through ...) NOT-FOR-US: Cisco IOS CVE-2012-1310 (Memory leak in the Zone-Based Firewall in Cisco IOS 12.4, 15.0, 15.1, ...) NOT-FOR-US: Cisco IOS CVE-2012-1309 RESERVED CVE-2012-1308 (Cross-site request forgery (CSRF) vulnerability in redpass.cgi in D-Li ...) NOT-FOR-US: D-Link CVE-2012-1307 RESERVED CVE-2012-1306 RESERVED CVE-2012-1305 RESERVED CVE-2012-1304 RESERVED CVE-2012-1303 (Multiple cross-site scripting (XSS) vulnerabilities in amCharts Flash ...) NOT-FOR-US: amCharts Flash CVE-2012-1302 (Multiple cross-site scripting (XSS) vulnerabilities in amMap 2.6.3 all ...) NOT-FOR-US: amMap CVE-2012-1301 (The FeedProxy.aspx script in Umbraco 4.7.0 allows remote attackers to ...) NOT-FOR-US: Umbraco CVE-2012-1300 RESERVED CVE-2012-1299 RESERVED CVE-2012-1298 RESERVED CVE-2012-1297 (Multiple cross-site request forgery (CSRF) vulnerabilities in main.php ...) NOT-FOR-US: Contao CVE-2012-1296 (Multiple cross-site scripting (XSS) vulnerabilities in apps/admin/hand ...) NOT-FOR-US: Elefant CMS CVE-2012-1295 RESERVED CVE-2012-1294 (SQL injection vulnerability in CONTIMEX Impulsio CMS allows remote att ...) NOT-FOR-US: CONTIMEX Impulsio CMS CVE-2012-1292 (Unspecified vulnerability in the MessagingSystem servlet in SAP NetWea ...) NOT-FOR-US: SAP NetWeaver CVE-2012-1291 (Unspecified vulnerability in the com.sap.aii.mdt.amt.web.AMTPageProces ...) NOT-FOR-US: SAP NetWeaver CVE-2012-1290 (Cross-site scripting (XSS) vulnerability in b2b/auction/container.jsp ...) NOT-FOR-US: SAP NetWeaver CVE-2012-1289 (Multiple directory traversal vulnerabilities in SAP NetWeaver 7.0 allo ...) NOT-FOR-US: SAP NetWeaver CVE-2012-1293 (Multiple cross-site scripting (XSS) vulnerabilities in fup in Frams' F ...) {DSA-2414-1} - fex 20120215-1 (low; bug #660621) CVE-2012-1288 (The UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock device us ...) NOT-FOR-US: UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock CVE-2012-1287 RESERVED CVE-2012-1286 RESERVED CVE-2012-1285 RESERVED CVE-2012-1284 RESERVED CVE-2012-1283 RESERVED CVE-2012-1282 RESERVED CVE-2012-1281 RESERVED CVE-2012-1280 RESERVED CVE-2012-1279 RESERVED CVE-2012-1278 RESERVED CVE-2012-1277 RESERVED CVE-2012-1276 RESERVED CVE-2012-1275 RESERVED CVE-2012-1274 RESERVED CVE-2012-1273 RESERVED CVE-2012-1272 RESERVED CVE-2012-1271 RESERVED CVE-2012-1270 RESERVED CVE-2012-1269 RESERVED CVE-2012-1268 RESERVED CVE-2012-1267 RESERVED CVE-2012-1266 RESERVED CVE-2012-1265 RESERVED CVE-2012-1264 (Unspecified vulnerability in Gretech GOM Media Player before 2.1.37.50 ...) NOT-FOR-US: Gretech GOM Media Player CVE-2012-1263 RESERVED CVE-2012-1262 (Cross-site scripting (XSS) vulnerability in cgi-bin/mt/mt-wizard.cgi i ...) {DSA-2423-1} - movabletype-opensource 5.1.3+dfsg-1 CVE-2012-1261 (Cross-site scripting (XSS) vulnerability in cgi-bin/scrut_fa_exclusion ...) NOT-FOR-US: Plixer CVE-2012-1260 (Cross-site scripting (XSS) vulnerability in cgi-bin/userprefs.cgi in P ...) NOT-FOR-US: Plixer CVE-2012-1259 (Multiple SQL injection vulnerabilities in Plixer International Scrutin ...) NOT-FOR-US: Plixer CVE-2012-1258 (cgi-bin/userprefs.cgi in Plixer International Scrutinizer NetFlow & ...) NOT-FOR-US: Plixer CVE-2012-1257 (Pidgin 2.10.0 uses DBUS for certain cleartext communication, which all ...) - pidgin (unimportant) NOTE: Negligible local information disclosure CVE-2012-1256 (The single sign-on (SSO) implementation in EasyVista before 2010.1.1.8 ...) NOT-FOR-US: EasyVista CVE-2012-1255 (SQL injection vulnerability in Segue 2.2.10.2 and earlier allows remot ...) NOT-FOR-US: Segue (CMS) CVE-2012-1254 (Cross-site scripting (XSS) vulnerability in Segue 2.2.10.2 and earlier ...) NOT-FOR-US: Segue (CMS) CVE-2012-1253 (Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0 ...) - roundcube 0.7-1 (low) [squeeze] - roundcube (Minor issue) CVE-2012-1252 (Cross-site scripting (XSS) vulnerability in RSSOwl before 2.1.1 allows ...) - rssowl (bug #346541) CVE-2012-1251 (Opera before 9.63 does not properly verify X.509 certificates from SSL ...) NOT-FOR-US: Opera CVE-2012-1250 (Logitec LAN-W300N/R routers with firmware before 2.27 do not properly ...) NOT-FOR-US: Logitec LAN-W300N/R device CVE-2012-1249 (The iLunascape application 1.0.4.0 and earlier for Android does not pr ...) NOT-FOR-US: iLunascape CVE-2012-1248 (app/config/core.php in baserCMS 1.6.15 and earlier does not properly h ...) NOT-FOR-US: BaserCMS CVE-2012-1247 (Cross-site scripting (XSS) vulnerability in KENT-WEB WEB MART 1.7 and ...) NOT-FOR-US: KENT-WEB WEB MART CVE-2012-1246 (Cross-site scripting (XSS) vulnerability in KENT-WEB WEB MART 1.7 and ...) NOT-FOR-US: KENT-WEB WEB MART CVE-2012-1245 (Cross-site scripting (XSS) vulnerability in the cleanup_urls function ...) NOT-FOR-US: OSQA CVE-2012-1244 (The NTT DOCOMO sp mode mail application 5400 and earlier for Android d ...) NOT-FOR-US: Android app CVE-2012-1243 (The TwitRocker2 application before 1.0.23 for Android does not properl ...) NOT-FOR-US: Android app CVE-2012-1242 (Untrusted search path vulnerability in JustSystems Ichitaro 2011 Sou, ...) NOT-FOR-US: various Ichitaro products CVE-2012-1241 (GRScript18.dll before 1.2.2.0 in ActiveScriptRuby (ASR) before 1.8.7 d ...) NOT-FOR-US: ActiveScriptRuby CVE-2012-1240 (Cross-site scripting (XSS) vulnerability in the RECRUIT Dokodemo Rikun ...) NOT-FOR-US: RECRUIT Dokodemo CVE-2012-1239 (The TopAccess web-based management interface on TOSHIBA TEC e-Studio m ...) NOT-FOR-US: TOSHIBA TEC e-Studio CVE-2012-1238 (Session fixation vulnerability in SENCHA SNS before 1.0.2 allows remot ...) NOT-FOR-US: SENCHA SNS CVE-2012-1237 (Cross-site request forgery (CSRF) vulnerability in SENCHA SNS before 1 ...) NOT-FOR-US: SENCHA SNS CVE-2012-1236 (Multiple cross-site request forgery (CSRF) vulnerabilities in Janetter ...) NOT-FOR-US: Janetter CVE-2012-1235 (Cross-site request forgery (CSRF) vulnerability in Advantech/BroadWin ...) NOT-FOR-US: Advantech/BroadWin WebAccess CVE-2012-1234 (SQL injection vulnerability in Advantech/BroadWin WebAccess 7.0 allows ...) NOT-FOR-US: Advantech/BroadWin WebAccess CVE-2012-1233 RESERVED CVE-2012-1232 RESERVED CVE-2012-1231 RESERVED CVE-2012-1230 RESERVED CVE-2012-1229 RESERVED CVE-2012-1228 RESERVED CVE-2012-1227 (Multiple cross-site request forgery (CSRF) vulnerabilities in admin.ph ...) NOT-FOR-US: pluck CVE-2012-1226 (Multiple directory traversal vulnerabilities in Dolibarr CMS 3.2.0 Alp ...) - dolibarr 3.3.4-1 CVE-2012-1225 (Multiple SQL injection vulnerabilities in Dolibarr CMS 3.2.0 Alpha and ...) - dolibarr 3.3.4-1 CVE-2012-1224 (Cross-site scripting (XSS) vulnerability in system/classes/login.php i ...) NOT-FOR-US: ContentLion Alpha CVE-2012-1223 (RabidHamster R2/Extreme 1.65 and earlier uses a small search space of ...) NOT-FOR-US: RabidHamster CVE-2012-1222 (Stack-based buffer overflow in RabidHamster R2/Extreme 1.65 and earlie ...) NOT-FOR-US: RabidHamster CVE-2012-1221 (Directory traversal vulnerability in the telnet server in RabidHamster ...) NOT-FOR-US: RabidHamster CVE-2012-1220 (Cross-site request forgery (CSRF) vulnerability in modules/config/admi ...) NOT-FOR-US: GAzie CVE-2012-1219 (Multiple cross-site scripting (XSS) vulnerabilities in freelancerKit 2 ...) NOT-FOR-US: freelancerKit CVE-2012-1218 (Multiple SQL injection vulnerabilities in freelancerKit 2.35 allow rem ...) NOT-FOR-US: freelancerKit CVE-2012-1217 (Multiple cross-site scripting (XSS) vulnerabilities in STHS v2 Web Por ...) NOT-FOR-US: STHS CVE-2012-1216 (Multiple cross-site request forgery (CSRF) vulnerabilities in admin.ph ...) NOT-FOR-US: PBBoard CVE-2012-1215 (Cross-site scripting (XSS) vulnerability in the Add friends module in ...) NOT-FOR-US: Yoono extension CVE-2012-1214 (Cross-site scripting (XSS) vulnerability in the Add friends module in ...) NOT-FOR-US: Yoono Desktop Application CVE-2012-1213 (Cross-site scripting (XSS) vulnerability in zimbra/h/calendar in Zimbr ...) NOT-FOR-US: Zimbra Web Client CVE-2012-1212 (Cross-site scripting (XSS) vulnerability in the smwfOnSfSetTargetName ...) NOT-FOR-US: Semantic Enterprise Wiki CVE-2012-1211 (Cross-site scripting (XSS) vulnerability in pfile/kommentar.php in Pow ...) NOT-FOR-US: Powie pFile CVE-2012-1210 (SQL injection vulnerability in pfile/file.php in Powie pFile 1.02 allo ...) NOT-FOR-US: Powie pFile CVE-2012-1209 (Cross-site scripting (XSS) vulnerability in backend/core/engine/base.p ...) NOT-FOR-US: Fork CMS CVE-2012-1208 (Multiple cross-site scripting (XSS) vulnerabilities in backend/core/en ...) NOT-FOR-US: Fork CMS CVE-2012-1207 (Directory traversal vulnerability in frontend/core/engine/javascript.p ...) NOT-FOR-US: Fork CMS CVE-2012-1206 (Multiple integer overflows in Hancom Office 2010 SE 8.5.5 allow remote ...) NOT-FOR-US: Hancom Office CVE-2012-1205 (PHP remote file inclusion vulnerability in relocate-upload.php in Relo ...) NOT-FOR-US: Relocate Upload plugin CVE-2012-1204 RESERVED CVE-2012-1203 (Cross-site request forgery (CSRF) vulnerability in starnet/index.php i ...) NOT-FOR-US: SyndeoCMS CVE-2012-1202 RESERVED CVE-2012-1201 RESERVED CVE-2012-1200 (Multiple PHP remote file inclusion vulnerabilities in Nova CMS allow r ...) NOT-FOR-US: Nova CMS CVE-2012-1199 (Multiple PHP remote file inclusion vulnerabilities in Basic Analysis a ...) - acidbase (unimportant) NOTE: requires register_globals to be on CVE-2012-1198 (base_ag_main.php in Basic Analysis and Security Engine (BASE) 1.4.5 al ...) - acidbase (unimportant; bug #661020) NOTE: unreproducible issue, extremely low on details in original report CVE-2012-1197 (Integer overflow in the IDE_ACDStd.apl module for ACDSee 14.1 Build 13 ...) NOT-FOR-US: ACDSee CVE-2012-1196 (Directory traversal vulnerability in the VulCore web service (WSVulner ...) NOT-FOR-US: Lenovo ThinkManagement Console CVE-2012-1195 (Unrestricted file upload vulnerability in andesk/managementsuite/core/ ...) NOT-FOR-US: Lenovo ThinkManagement Console CVE-2012-1194 (The resolver in the DNS Server service in Microsoft Windows Server 200 ...) NOTE: DNS protocol flaw CVE-2012-1193 (The resolver in PowerDNS Recursor (aka pdns_recursor) 3.3 overwrites c ...) NOTE: DNS protocol flaw CVE-2012-1192 (The resolver in Unbound before 1.4.11 overwrites cached server names a ...) NOTE: DNS protocol flaw CVE-2012-1191 (The resolver in dnscache in Daniel J. Bernstein djbdns 1.05 overwrites ...) - djbdns NOTE: DNS protocol flaw NOTE: RH made an update: https://bugzilla.redhat.com/show_bug.cgi?id=838761 CVE-2011-5081 (Cross-site scripting (XSS) vulnerability in RestoreFile.pm in BackupPC ...) - backuppc 3.1.0-9.1 (low; bug #661011) [squeeze] - backuppc 3.1.0-9.1 [lenny] - backuppc (Minor issue) CVE-2012-0869 (Cross-site scripting (XSS) vulnerability in fup in Frams' Fast File EX ...) {DSA-2414-1} - fex 20120215-1 (low; bug #660621) CVE-2012-1190 (Cross-site scripting (XSS) vulnerability in the replication-setup func ...) - phpmyadmin 4:3.4.10.1-1 (unimportant) [lenny] - phpmyadmin [squeeze] - phpmyadmin NOTE: hypothetical issue CVE-2012-1189 (Stack-based buffer overflow in modules/graphic/ssgraph/grsound.cpp in ...) - torcs 1.3.3-1 (low; bug #660555) [squeeze] - torcs (Minor issue) - speed-dreams (bug #599884) CVE-2012-1188 (Multiple cross-site scripting (XSS) vulnerabilities in Fork CMS before ...) NOT-FOR-US: Fork CMS CVE-2012-1187 (Bitlbee does not drop extra group privileges correctly in unix.c ...) - bitlbee 3.0.4+bzr855-1 (low) [squeeze] - bitlbee (Minor issue) CVE-2012-1186 (Integer overflow in the SyncImageProfiles function in profile.c in Ima ...) {DSA-2462-1} - imagemagick 8:6.6.9.7-7 (bug #665007) CVE-2012-1185 (Multiple integer overflows in (1) magick/profile.c or (2) magick/prope ...) {DSA-2462-1} - imagemagick 8:6.6.9.7-7 (bug #665007) CVE-2012-1184 (Stack-based buffer overflow in the ast_parse_digest function in main/u ...) - asterisk 1:1.8.10.0~dfsg-1 (bug #664411) [squeeze] - asterisk (HTTP digest authentication code not present) NOTE: http://www.openwall.com/lists/oss-security/2012/03/16/10 CVE-2012-1183 (Stack-based buffer overflow in the milliwatt_generate function in the ...) {DSA-2460-1} - asterisk 1:1.8.10.0~dfsg-1 (bug #664411) NOTE: http://www.openwall.com/lists/oss-security/2012/03/16/10 CVE-2012-1182 (The RPC code generator in Samba 3.x before 3.4.16, 3.5.x before 3.5.14 ...) {DSA-2450-1} - samba 2:3.6.4-1 (bug #668309) - samba4 4.0.0~alpha19+dfsg1-1 (bug #668309) CVE-2012-1181 (fcgid_spawn_ctl.c in the mod_fcgid module 2.3.6 for the Apache HTTP Se ...) {DSA-2436-1} - libapache2-mod-fcgid 1:2.3.6-1.1 (bug #615814) CVE-2012-1180 (Use-after-free vulnerability in nginx before 1.0.14 and 1.1.x before 1 ...) {DSA-2434-1} - nginx 1.1.17-1 (bug #664137) NOTE: http://seclists.org/oss-sec/2012/q1/644 CVE-2012-1179 (The Linux kernel before 3.3.1, when KVM is used, allows guest OS users ...) - linux-2.6 3.2.14-1 [squeeze] - linux-2.6 (Vulnerable code not present) CVE-2012-1178 (The msn_oim_report_to_user function in oim.c in the MSN protocol plugi ...) - pidgin 2.10.2-1 (low; bug #664030) [squeeze] - pidgin (Only exploitable by malicious server) NOTE: http://pidgin.im/news/security/?id=61 CVE-2012-1177 (libgdata before 0.10.2 and 0.11.x before 0.11.1 does not validate SSL ...) {DSA-2482-1} - libgdata 0.10.2-1 (bug #664032) NOTE: http://www.openwall.com/lists/oss-security/2012/03/14/3 CVE-2012-1176 (Buffer overflow in the fribidi_utf8_to_unicode function in PyFriBidi b ...) - pyfribidi 0.11.0-1 (bug #663189) [squeeze] - pyfribidi (Minor issue) CVE-2012-1175 (Integer overflow in the GnashImage::size method in libbase/GnashImage. ...) {DSA-2435-1} - gnash 0.8.10-5 (bug #664023) NOTE: http://www.openwall.com/lists/oss-security/2012/03/14/5 CVE-2012-1174 (The rm_rf_children function in util.c in the systemd-logind login mana ...) - systemd 44-1 (bug #664364) CVE-2012-1173 (Multiple integer overflows in tiff_getimage.c in LibTIFF 3.9.4 allow r ...) {DSA-2447-1} - tiff3 3.9.6-2 - tiff 4.0.1-2 CVE-2012-1172 (The file-upload implementation in rfc1867.c in PHP before 5.4.0 does n ...) {DSA-2465-1} - php5 5.4.0-1 (bug #663760) CVE-2012-1171 (The libxml RSHUTDOWN function in PHP 5.x allows remote attackers to by ...) - php5 (unimportant) NOTE: according to php's security statement, safemode bypass issues are not treated as security-relevant CVE-2012-1170 (Moodle before 2.2.2 has an external enrolment plugin context check iss ...) - moodle (Only affects 2.2) CVE-2012-1169 (Moodle before 2.2.2 has Personal information disclosure, when administ ...) - moodle (Only affects 2.0 to 2.2) CVE-2012-1168 (Moodle before 2.2.2 has a password and web services issue where when t ...) - moodle (Only affects 2.0 to 2.2) CVE-2012-1167 (The JBoss Server in JBoss Enterprise Application Platform 5.1.x before ...) - jbossas4 (Only builds a few libraries, not the full application server) CVE-2012-1166 (The default keybindings for wwm in LTSP Display Manager (ldm) 2.2.x be ...) - ldm 2:2.2.7-1 (bug #663645) [squeeze] - ldm (Introduced in 2.2) NOTE: https://bugs.launchpad.net/ubuntu/+source/ldm/+bug/953340 CVE-2012-1165 (The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL befor ...) {DSA-2454-1} - openssl 1.0.0h-1 (low; bug #663642) NOTE: http://www.openwall.com/lists/oss-security/2012/03/12/3 CVE-2012-1164 (slapd in OpenLDAP before 2.4.30 allows remote attackers to cause a den ...) {DLA-203-1} - openldap 2.4.31-1 (low; bug #663644) [squeeze] - openldap (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2012/03/12/4 CVE-2012-1163 (Integer overflow in the _zip_readcdir function in zip_open.c in libzip ...) - libzip 0.10.1-1 (bug #664990) [squeeze] - libzip (Only affects 0.10.x) CVE-2012-1162 (Heap-based buffer overflow in the _zip_readcdir function in zip_open.c ...) - libzip 0.10.1-1 (bug #664990) [squeeze] - libzip (Only affects 0.10.x) CVE-2012-1161 (Moodle before 2.2.2: Course information leak via hidden courses being ...) - moodle (Only affects 2.1 to 2.2) CVE-2012-1160 (Moodle before 2.2.2 has a permission issue in Forum Subscriptions wher ...) - moodle (Only affects 2.1 to 2.2) CVE-2012-1159 (Moodle before 2.2.2: Overview report allows users to see hidden course ...) - moodle (Only affects 2.1 to 2.2) CVE-2012-1158 (Moodle before 2.2.2 has a course information leak in gradebook where u ...) - moodle (Only affects 2.1 to 2.2) CVE-2012-1157 (Moodle before 2.2.2 has a default repository capabilities issue where ...) - moodle (Only affects 2.0 to 2.2) CVE-2012-1156 (Moodle before 2.2.2 has users' private files included in course backup ...) - moodle (Only affects 2.0 to 2.2) CVE-2012-1155 (Moodle has a database activity export permission issue where the expor ...) - moodle 1.9.9.dfsg2-6 (low; bug #668411) [squeeze] - moodle 1.9.9.dfsg2-2.1+squeeze4 CVE-2012-1154 (mod_cluster 1.0.10 before 1.0.10 CP03 and 1.1.x before 1.1.4, as used ...) - libapache2-mod-cluster (bug #731410) CVE-2012-1153 (Unrestricted file upload vulnerability in addons/uploadify/uploadify.p ...) NOT-FOR-US: AppRain CMS CVE-2012-1152 (Multiple format string vulnerabilities in the error reporting function ...) {DSA-2432-1} - libyaml-libyaml-perl 0.38-2 (bug #661548) CVE-2012-1151 (Multiple format string vulnerabilities in dbdimp.c in DBD::Pg (aka DBD ...) {DSA-2431-1} - libdbd-pg-perl 2.19.0-1 (bug #661536) CVE-2012-1150 (Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x b ...) {DLA-25-1} - python2.5 (low) - python2.6 2.6.8-0.1 (low) - python2.7 2.7.3~rc1-1 (low) - python3.2 3.2.3-1 (low) - python3.1 (low) [squeeze] - python2.5 (Minor issue) [squeeze] - python3.1 (Minor issue) CVE-2012-1149 (Integer overflow in the vclmi.dll module in OpenOffice.org (OOo) 3.3, ...) {DSA-2487-1 DSA-2473-1} - libreoffice 1:3.4.5-1 - openoffice.org 1:3.3.0-1 NOTE: Since 3.3.0 openoffice.org is a transitional source package to migrate to libreoffice CVE-2012-1148 (Memory leak in the poolGrow function in expat/lib/xmlparse.c in expat ...) {DSA-2525-1} - xmlrpc-c 1.16.33-3.2 (low; bug #687672) [squeeze] - xmlrpc-c (Minor issue) - expat 2.1.0~beta3-1 (bug #663579) CVE-2012-1147 (readfilemap.c in expat before 2.1.0 allows context-dependent attackers ...) - expat (readfilemap.c is not used in *IX) CVE-2012-1146 (The mem_cgroup_usage_unregister_event function in mm/memcontrol.c in t ...) - linux-2.6 3.2.10-1 (low) [squeeze] - linux-2.6 (Vulnerable code not present) CVE-2012-1145 (spacewalk-backend in Red Hat Network Satellite 5.4 on Red Hat Enterpri ...) NOT-FOR-US: RHN Satellite CVE-2012-1144 (FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 ...) {DSA-2428-1} - freetype 2.4.9-1 (bug #662864) CVE-2012-1143 (FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 ...) - freetype 2.4.9-1 (unimportant; bug #662864) NOTE: Crash only CVE-2012-1142 (FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 ...) {DSA-2428-1} - freetype 2.4.9-1 (bug #662864) CVE-2012-1141 (FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 ...) - freetype 2.4.9-1 (unimportant; bug #662864) NOTE: Crash only CVE-2012-1140 (FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 ...) - freetype 2.4.9-1 (unimportant; bug #662864) NOTE: Crash only CVE-2012-1139 (Array index error in FreeType before 2.4.9, as used in Mozilla Firefox ...) - freetype 2.4.9-1 (unimportant; bug #662864) NOTE: Crash only CVE-2012-1138 (FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 ...) - freetype 2.4.9-1 (unimportant; bug #662864) NOTE: Crash only CVE-2012-1137 (FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 ...) - freetype 2.4.9-1 (unimportant; bug #662864) NOTE: Crash only CVE-2012-1136 (FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 ...) {DSA-2428-1} - freetype 2.4.9-1 (bug #662864) CVE-2012-1135 (FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 ...) - freetype 2.4.9-1 (unimportant; bug #662864) NOTE: Crash only CVE-2012-1134 (FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 ...) {DSA-2428-1} - freetype 2.4.9-1 (bug #662864) CVE-2012-1133 (FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 ...) {DSA-2428-1} - freetype 2.4.9-1 (bug #662864) CVE-2012-1132 (FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 ...) - freetype 2.4.9-1 (unimportant; bug #662864) NOTE: Crash only CVE-2012-1131 (FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 ...) - freetype 2.4.9-1 (unimportant; bug #662864) NOTE: Crash only CVE-2012-1130 (FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 ...) - freetype 2.4.9-1 (unimportant; bug #662864) NOTE: Crash only CVE-2012-1129 (FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 ...) - freetype 2.4.9-1 (unimportant; bug #662864) NOTE: Crash only CVE-2012-1128 (FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 ...) - freetype 2.4.9-1 (unimportant; bug #662864) NOTE: Crash only CVE-2012-1127 (FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 ...) - freetype 2.4.9-1 (unimportant; bug #662864) NOTE: Crash only CVE-2012-1126 (FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 ...) - freetype 2.4.9-1 (unimportant; bug #662864) NOTE: Crash only CVE-2012-1125 (Unrestricted file upload vulnerability in uploadify/scripts/uploadify. ...) NOT-FOR-US: Kish Guest Posting Plugin for WordPress (not in Debian) CVE-2012-1124 (SQL injection vulnerability in search.php in phxEventManager 2.0 beta ...) NOT-FOR-US: phxEventManager not in Debian CVE-2012-1123 (The mci_check_login function in api/soap/mc_api.php in the SOAP API in ...) {DSA-2500-1} - mantis 1.2.10-1 (bug #662858) CVE-2012-1122 (bug_actiongroup.php in MantisBT before 1.2.9 does not properly check t ...) {DSA-2500-1} - mantis 1.2.10-1 (low; bug #669927) CVE-2012-1121 (MantisBT before 1.2.9 does not properly check permissions, which allow ...) - mantis 1.2.10-1 (low; bug #669926) [squeeze] - mantis (according to maintainer) CVE-2012-1120 (The SOAP API in MantisBT before 1.2.9 does not properly enforce the bu ...) {DSA-2500-1} - mantis 1.2.10-1 (low; bug #669925) CVE-2012-1119 (MantisBT before 1.2.9 does not audit when users copy or clone a bug re ...) {DSA-2500-1} - mantis 1.2.10-1 (low; bug #669928) CVE-2012-1118 (The access_has_bug_level function in core/access_api.php in MantisBT b ...) {DSA-2500-1} - mantis 1.2.10-1 (low; bug #669924) CVE-2012-1117 (Cross-site scripting (XSS) vulnerability in Joomla! 2.5.0 and 2.5.1 al ...) NOT-FOR-US: Joomla! CVE-2012-1116 (SQL injection vulnerability in Joomla! 1.7.x and 2.5.x before 2.5.2 al ...) NOT-FOR-US: Joomla! CVE-2012-1115 (A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Mana ...) - phpldapadmin 1.2.2-3 (low; bug #662050) [squeeze] - phpldapadmin (Minor issue) - ldap-account-manager 3.6-2 (low; bug #661904) [squeeze] - ldap-account-manager (Minor issue) CVE-2012-1114 (A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Mana ...) - phpldapadmin 1.2.2-3 (low; bug #662050) [squeeze] - phpldapadmin (Minor issue) - ldap-account-manager 3.6-2 (low; bug #661904) [squeeze] - ldap-account-manager (Minor issue) CVE-2012-1113 (Multiple cross-site scripting (XSS) vulnerabilities in the administrat ...) - gallery2 2.3.2.dfsg-1 (low) [squeeze] - gallery2 (Minor issue) CVE-2012-1112 (Directory traversal vulnerability in Open-Realty CMS 2.5.8 and earlier ...) NOT-FOR-US: OpenRealty CMS not in Debian CVE-2012-1111 (lightdm before 1.0.9 does not properly close file descriptors before o ...) - lightdm 1.0.9-1 (bug #658678) CVE-2012-1110 (Multiple cross-site scripting (XSS) vulnerabilities in Etano 1.22 and ...) NOT-FOR-US: etano not in Debian CVE-2012-1109 (mwlib 0.13 through 0.13.4 has a denial of service vulnerability when p ...) NOT-FOR-US: mwlib not in Debian CVE-2012-1108 (The parse function in ogg/xiphcomment.cpp in TagLib 1.7 and earlier al ...) - taglib 1.7.1-1 (low; bug #662705) [squeeze] - taglib (Minor issue) CVE-2012-1107 (The analyzeCurrent function in ape/apeproperties.cpp in TagLib 1.7 and ...) - taglib 1.7.1-1 (low; bug #662705) [squeeze] - taglib (Minor issue) CVE-2012-1106 (The C handler plug-in in Automatic Bug Reporting Tool (ABRT), possibly ...) NOT-FOR-US: abrt is Red Hat / Fedora specific CVE-2012-1105 (An Information Disclosure vulnerability exists in the Jasig Project ph ...) - moodle 2.2.7.dfsg-1 (low; bug #662945) [squeeze] - moodle (Minor issue) - glpi 0.80.7-2 (unimportant; bug #662944) NOTE: Only supported behind an authenticated HTTP zone CVE-2012-1104 (A Security Bypass vulnerability exists in the phpCAS 1.2.2 library fro ...) - moodle 2.2.7.dfsg-1 (low; bug #662945) [squeeze] - moodle (Minor issue) - glpi 0.80.7-2 (unimportant; bug #662944) NOTE: Only supported behind an authenticated HTTP zone CVE-2012-1103 (emacs/notmuch-mua.el in Notmuch before 0.11.1, when using the Emacs in ...) {DSA-2416-1} - notmuch 0.11.1-1 CVE-2012-1101 (systemd 37-1 does not properly handle non-existent services, which cau ...) - systemd 43-1 (bug #662029) CVE-2012-1100 (Red Hat JBoss Operations Network (JON) 3.0.x before 3.0.1, 2.4.2, and ...) NOT-FOR-US: JBoss Operations Network CVE-2012-1099 (Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view ...) {DSA-2466-1} - ruby-actionpack-2.3 2.3.14-3 (bug #668607) - rails 2.3.14 NOTE: (code lives within ruby-actionpack in unstable) CVE-2012-1098 (Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before ...) - ruby-actionpack-2.3 2.3.14-3 (bug #668977) - rails 2.3.14 [squeeze] - rails (Vulnerable code not present) NOTE: (code lives within ruby-actionpack in unstable) CVE-2012-1097 (The regset (aka register set) feature in the Linux kernel before 3.2.1 ...) {DSA-2443-1} - linux-2.6 3.2.10-1 (low) CVE-2012-1096 (NetworkManager 0.9 and earlier allows local users to use other users' ...) - network-manager (low; bug #684259) [buster] - network-manager (Minor issue) [stretch] - network-manager (Minor issue) [jessie] - network-manager (Minor issue) [wheezy] - network-manager (Minor issue) [squeeze] - network-manager (Minor issue) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=793329 CVE-2012-1095 (osc before 0.134 might allow remote OBS repository servers or package ...) - osc (unimportant) NOTE: This is ultimately a bug in the respectice terminal emulations and not a vulnerability in osc CVE-2012-1094 (JBoss AS 7 prior to 7.1.1 and mod_cluster do not handle default hostna ...) - libapache2-mod-cluster (bug #731410) CVE-2012-1093 (The init script in the Debian x11-common package before 1:7.6+12 is vu ...) - xorg 1:7.6+12 (bug #661627) [squeeze] - xorg (maintainer suggests no-dsa; confirm) CVE-2012-1092 REJECTED CVE-2012-1091 REJECTED CVE-2012-1090 (The cifs_lookup function in fs/cifs/dir.c in the Linux kernel before 3 ...) {DSA-2443-1} - linux-2.6 3.2.10-1 CVE-2012-1089 (Directory traversal vulnerability in Apache Wicket 1.4.x before 1.4.20 ...) NOT-FOR-US: Apache Wicket CVE-2012-1088 (iproute2 before 3.3.0 allows local users to overwrite arbitrary files ...) - iproute 20120319-1 (unimportant) NOTE: 1st issue only exploitable at build time / 2nd issue just example script in iproute-doc CVE-2012-1087 (Cross-site scripting (XSS) vulnerability in the Post data records to f ...) NOT-FOR-US: bc_post2facebook extension for TYPO3 CVE-2012-1086 (Cross-site scripting (XSS) vulnerability in the UrlTool (aeurltool) ex ...) NOT-FOR-US: aeurltool extension for TYPO3 CVE-2012-1085 (Unspecified vulnerability in the BE User Switch (beuserswitch) extensi ...) NOT-FOR-US: beuserswitch for TYPO3 CVE-2012-1084 (Cross-site scripting (XSS) vulnerability in the BE User Switch (beuser ...) NOT-FOR-US: beuserswitch for TYPO3 CVE-2012-1083 (Cross-site request forgery (CSRF) vulnerability in the Terminal PHP Sh ...) NOT-FOR-US: terminal extension TYPO3 CVE-2012-1082 (Cross-site scripting (XSS) vulnerability in the Terminal PHP Shell (te ...) NOT-FOR-US: terminal extension TYPO3 CVE-2012-1081 (Cross-site scripting (XSS) vulnerability in the Yet another Google sea ...) NOT-FOR-US: ya_googlesearch extension for TYPO3 CVE-2012-1080 (Cross-site scripting (XSS) vulnerability in the Euro Calculator (skt_e ...) NOT-FOR-US: skt_eurocalc extension for TYPO3 CVE-2012-1079 (Unspecified vulnerability in the Webservices for TYPO3 (typo3_webservi ...) NOT-FOR-US: typo3_webservice extension for TYPO3 CVE-2012-1078 (The System Utilities (sysutils) extension 1.0.3 and earlier for TYPO3 ...) NOT-FOR-US: sysutils extension for TYPO3 CVE-2012-1077 (SQL injection vulnerability in the Post data records to facebook (bc_p ...) NOT-FOR-US: bc_post2facebook extension for TYPO3 CVE-2012-1076 (Cross-site scripting (XSS) vulnerability in the Documents download (rt ...) NOT-FOR-US: rtg_files extension for TYPO3 CVE-2012-1075 (SQL injection vulnerability in the Documents download (rtg_files) exte ...) NOT-FOR-US: rtg_files extension for TYPO3 CVE-2012-1074 (SQL injection vulnerability in the White Papers (mm_whtppr) extension ...) NOT-FOR-US: mm_whtppr extension for TYPO3 CVE-2012-1073 (Cross-site scripting (XSS) vulnerability in the Category-System (toi_c ...) NOT-FOR-US: toi_category extension for TYPO3 CVE-2012-1072 (SQL injection vulnerability in the Category-System (toi_category) exte ...) NOT-FOR-US: toi_category extension for TYPO3 CVE-2012-1071 (SQL injection vulnerability in the Kitchen recipe (mv_cooking) extensi ...) NOT-FOR-US: mv_cooking extension for TYPO3 CVE-2012-1070 (Cross-site scripting (XSS) vulnerability in the Modern FAQ (irfaq) ext ...) NOT-FOR-US: irfaq extension for TYPO3 CVE-2012-1069 (Cross-site scripting (XSS) vulnerability in module/kb/search_word in t ...) NOT-FOR-US: lknSupport CVE-2012-1068 (Cross-site scripting (XSS) vulnerability in the rc_ajax function in co ...) NOT-FOR-US: WP-RecentComments plugin for WordPress CVE-2012-1067 (SQL injection vulnerability in the WP-RecentComments plugin 2.0.7 for ...) NOT-FOR-US: WP-RecentComments plugin for WordPress CVE-2012-1066 (Cross-site scripting (XSS) vulnerability in the template module in Sma ...) NOT-FOR-US: SmartyCMS CVE-2012-1065 (Insecure method vulnerability in TuxScripting.dll in the TuxSystem Act ...) NOT-FOR-US: TuxSystem CVE-2012-1064 (Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Archer ...) NOT-FOR-US: EMC RSA Archer CVE-2011-5080 (Cross-site scripting (XSS) vulnerability in lib/class.tx_jftcaforms_tc ...) NOT-FOR-US: jftcaforms extension for TYPO3 CVE-2011-5079 (Open redirect vulnerability in the Modern FAQ (irfaq) extension 1.1.2 ...) NOT-FOR-US: irfaq extension for TYPO3 CVE-2010-5085 (Multiple cross-site request forgery (CSRF) vulnerabilities in admin/up ...) NOT-FOR-US: Hulihan Amethyst CVE-2010-5084 (The cross-site request forgery (CSRF) protection mechanism in e107 bef ...) NOT-FOR-US: e107 CVE-2010-5083 (SQL injection vulnerability in the Web_Links module for PHP-Nuke 8.0 a ...) NOT-FOR-US: PHP-Nuke CVE-2012-1063 (Multiple SQL injection vulnerabilities in ManageEngine Applications Ma ...) NOT-FOR-US: ManageEngine Applications Manager CVE-2012-1062 (Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine Ap ...) NOT-FOR-US: ManageEngine Applications Manager CVE-2012-1061 (SQL injection vulnerability in GForge Advanced Server 6.0.0 and other ...) NOT-FOR-US: GForge Advanced Server CVE-2012-1060 (Multiple cross-site scripting (XSS) vulnerabilities in revisioning_the ...) NOT-FOR-US: Taxonomy module for Drupal CVE-2012-1059 (Cross-site scripting (XSS) vulnerability in osCommerce/OM/Core/Site/Sh ...) NOT-FOR-US: shirt module in OSCommerce CVE-2012-1058 (Cross-site request forgery (CSRF) vulnerability in Flyspray 0.9.9.6 al ...) NOT-FOR-US: Flyspray CVE-2012-1057 (Cross-site request forgery (CSRF) vulnerability in the clickthrough tr ...) NOT-FOR-US: Forward module for Drupal CVE-2012-1056 (The Forward module 6.x-1.x before 6.x-1.21 and 7.x-1.x before 7.x-1.3 ...) NOT-FOR-US: Forward module for Drupal CVE-2012-1055 (Heap-based buffer overflow in PhotoLine 17.01 and possibly other versi ...) NOT-FOR-US: PhotoLine CVE-2012-1054 (Puppet 2.6.x before 2.6.14 and 2.7.x before 2.7.11, and Puppet Enterpr ...) {DSA-2419-1} - puppet 2.7.11-1 CVE-2012-1053 (The change_user method in the SUIDManager (lib/puppet/util/suidmanager ...) {DSA-2419-1} - puppet 2.7.11-1 CVE-2012-1052 (Buffer overflow in IvanView 1.2.15 allows remote attackers to execute ...) NOT-FOR-US: IvanView CVE-2012-1051 (Heap-based buffer overflow in Xjp2.dll in the JPEG2000 plug-in in XnVi ...) NOT-FOR-US: XnView CVE-2012-1050 (Directory traversal vulnerability in Mathopd 1.4.x and 1.5.x before 1. ...) - mathopd (low; bug #660627) [lenny] - mathopd (Minor issue, configuration specific) [squeeze] - mathopd (Minor issue, configuration specific) NOTE: this is only an issue in specific configurations but not in the Debian configuration CVE-2012-1049 (Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine AD ...) NOT-FOR-US: ManageEngine ADManager Plus CVE-2012-1048 (Cross-site scripting (XSS) vulnerability in communityplusplus/www/admi ...) NOT-FOR-US: eFront Community++ CVE-2012-1047 (Directory traversal vulnerability in the WWWHELP Service (js/html/wwhe ...) NOT-FOR-US: Cyberoam Central Console CVE-2012-1046 (Cross-site scripting (XSS) vulnerability in TM1 Web in IBM Cognos TM1 ...) NOT-FOR-US: IBM Cognos CVE-2012-1045 RESERVED CVE-2012-1044 RESERVED CVE-2012-1043 RESERVED CVE-2012-1042 RESERVED CVE-2012-1041 RESERVED CVE-2012-1040 RESERVED CVE-2012-1039 (Multiple cross-site scripting (XSS) vulnerabilities in Dotclear before ...) - dotclear 2.4.2+dfsg-1 CVE-2012-1038 (Cross-site scripting (XSS) vulnerability in the WebAAA login functiona ...) NOT-FOR-US: Juniper CVE-2012-1037 (PHP remote file inclusion vulnerability in front/popup.php in GLPI 0.7 ...) - glpi 0.80.7-1 (bug #659383; unimportant) [squeeze] - glpi (Introduced in 0.78) NOTE: Only supported behind an authenticated HTTP zone CVE-2012-1036 (Cross-site scripting (XSS) vulnerability in the telerik HTML editor in ...) NOT-FOR-US: telerik CVE-2012-1035 (AdaCore Ada Web Services (AWS) before 2.10.2 computes hash values for ...) NOT-FOR-US: AdaCore Ada Web Services CVE-2011-5078 (The web administration interface in the server in Sybase M-Business An ...) NOT-FOR-US: Sybase CVE-2012-1034 (Multiple cross-site scripting (XSS) vulnerabilities in the admin inter ...) NOT-FOR-US: EPiServer CMS CVE-2012-1033 (The resolver in ISC BIND 9 through 9.8.1-P1 overwrites cached server n ...) - bind9 1:9.8.1.dfsg.P1-4.1 (low) [squeeze] - bind9 (low-severity dns protocol design flaw) CVE-2012-1032 (Cross-site scripting (XSS) vulnerability in the Euroling SiteSeeker mo ...) NOT-FOR-US: EPiServer CMS module Euroling SiteSeeker CVE-2012-1031 (Unspecified vulnerability in EPiServer CMS 5 and 6 through 6R2, in cer ...) NOT-FOR-US: EPiServer CMS CVE-2012-1030 (Cross-site scripting (XSS) vulnerability in DotNetNuke 6.x through 6.0 ...) NOT-FOR-US: DotNetNuke CVE-2012-1029 (SQL injection vulnerability in mobile/search/index.php in Tube Ace (Ad ...) NOT-FOR-US: Tube Ace CVE-2012-1028 (Cross-site scripting (XSS) vulnerability in bin/index.php in SimpleGro ...) NOT-FOR-US: SimpleGroupWare CVE-2012-1027 (Cross-site scripting (XSS) vulnerability in account-closed.tcl in ]pro ...) NOT-FOR-US: project-open CVE-2012-1026 (Multiple SQL injection vulnerabilities in login2.php in XRay CMS 1.1.1 ...) NOT-FOR-US: XRay CMS CVE-2012-1025 (Absolute path traversal vulnerability in file in Enigma2 Webinterface ...) NOT-FOR-US: Enigma2 CVE-2012-1024 (Directory traversal vulnerability in file in Enigma2 Webinterface 1.5r ...) NOT-FOR-US: Enigma2 CVE-2012-1023 (Open redirect vulnerability in admin/index.php in 4images 1.7.10 allow ...) NOT-FOR-US: 4images CVE-2012-1022 (SQL injection vulnerability in admin/categories.php in 4images 1.7.10 ...) NOT-FOR-US: 4images CVE-2012-1021 (Cross-site scripting (XSS) vulnerability in admin/categories.php in 4i ...) NOT-FOR-US: 4images CVE-2012-1020 (Multiple cross-site scripting (XSS) vulnerabilities in login.php in Ne ...) NOT-FOR-US: NexorONE Online Banking CVE-2012-1019 (Multiple cross-site scripting (XSS) vulnerabilities in XWiki Enterpris ...) NOT-FOR-US: Xwiki Enterprise CVE-2012-1018 (Cross-site scripting (XSS) vulnerability in includes/convert.php in D- ...) NOT-FOR-US: Joomla addon CVE-2012-1017 (Multiple SQL injection vulnerabilities in base_qry_main.php in Basic A ...) - acidbase (low; bug #659287) [squeeze] - acidbase (Minor issue) CVE-2012-1016 (The pkinit_server_return_padata function in plugins/preauth/pkinit/pki ...) - krb5 1.10.1+dfsg-4+nmu1 (bug #702633) [squeeze] - krb5 (introduced upstream with 3725d22140c23a376dd79b69d130be8e2b91005f, not affecting 1.8.x) CVE-2012-1015 (The kdc_handle_protected_negotiation function in the Key Distribution ...) {DSA-2518-1} - krb5 1.10.1+dfsg-2 (bug #683429) NOTE: http://seclists.org/bugtraq/2012/Jul/171 CVE-2012-1014 (The process_as_req function in the Key Distribution Center (KDC) in MI ...) {DSA-2518-1} - krb5 1.10.1+dfsg-2 (bug #683429) NOTE: http://seclists.org/bugtraq/2012/Jul/171 CVE-2012-1013 (The check_1_6_dummy function in lib/kadm5/srv/svr_principal.c in kadmi ...) - krb5 1.10.1+dfsg-3 (low; bug #687647) [squeeze] - krb5 (Minor issue) NOTE: DoS only triggered by clients with admin permissions CVE-2012-1012 (server/server_stubs.c in the kadmin protocol implementation in MIT Ker ...) - krb5 1.10.1+dfsg-1 (bug #670918) [squeeze] - krb5 (vulnerable code not present) NOTE: bug was introduced in krb5 1.10 CVE-2012-1011 (actions.php in the AllWebMenus plugin 1.1.8 for WordPress allows remot ...) NOT-FOR-US: Wordpress plugin CVE-2012-1010 (Unrestricted file upload vulnerability in actions.php in the AllWebMen ...) NOT-FOR-US: Wordpress plugin CVE-2011-5077 (Unrestricted file upload vulnerability in attachement.php in HDWiki 5. ...) NOT-FOR-US: HDWiki CVE-2011-5076 (SQL injection vulnerability in model/comment.class.php in HDWiki 5.0, ...) NOT-FOR-US: HDWiki CVE-2012-1009 (NetSarang Xlpd 4 Build 0100 and NetSarang Xmanager Enterprise 4 Build ...) NOT-FOR-US: NetSarang CVE-2012-1008 (OfficeSIP Server 3.1 allows remote attackers to cause a denial of serv ...) NOT-FOR-US: OfficeSIP Server CVE-2012-1007 (Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1 ...) - libstruts1.2-java (unimportant; bug #657870) NOTE: Just examples CVE-2012-1006 (Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2 ...) - libstruts1.2-java (Only affects Struts 2) CVE-2012-1005 (Multiple cross-site scripting (XSS) vulnerabilities in Sphinx Software ...) NOT-FOR-US: Sphinx Software Mobile Web Server CVE-2012-1004 (Multiple cross-site scripting (XSS) vulnerabilities in UI/Register.pm ...) - foswiki (bug #509864) CVE-2012-1003 (Multiple integer overflows in Opera 11.60 and earlier allow remote att ...) NOT-FOR-US: Opera CVE-2002-2483 - linux-2.6 2.4.20 CVE-2012-1002 (SQL injection vulnerability in author/edit.php in OpenConf 4.x before ...) NOT-FOR-US: OpenConf CVE-2012-1001 (Multiple cross-site scripting (XSS) vulnerabilities in Chyrp before 2. ...) NOT-FOR-US: Chyrp CVE-2012-1000 (Multiple cross-site scripting (XSS) vulnerabilities in LEPTON 1.1.3 an ...) NOT-FOR-US: LEPTON CVE-2012-0999 (SQL injection vulnerability in modules/news/rss.php in LEPTON before 1 ...) NOT-FOR-US: LEPTON CVE-2012-0998 (Directory traversal vulnerability in account/preferences.php in LEPTON ...) NOT-FOR-US: LEPTON CVE-2012-0997 (Cross-site request forgery (CSRF) vulnerability in admin/index.php in ...) NOT-FOR-US: 11in1 CVE-2012-0996 (Multiple directory traversal vulnerabilities in 11in1 1.2.1 stable 12- ...) NOT-FOR-US: 11in1 CVE-2012-0995 (Multiple cross-site scripting (XSS) vulnerabilities in ZENphoto 1.4.2 ...) NOT-FOR-US: ZENphoto CVE-2012-0994 (SQL injection vulnerability in the Manage Albums feature in zp-core/ad ...) NOT-FOR-US: ZENphoto CVE-2012-0993 (Eval injection vulnerability in zp-core/zp-extensions/viewer_size_imag ...) NOT-FOR-US: ZENphoto CVE-2012-0992 (interface/fax/fax_dispatch.php in OpenEMR 4.1.0 allows remote authenti ...) NOT-FOR-US: OpenEMR CVE-2012-0991 (Multiple directory traversal vulnerabilities in OpenEMR 4.1.0 allow re ...) NOT-FOR-US: OpenEMR CVE-2012-0990 (Cross-site request forgery (CSRF) vulnerability in admin/settings/upda ...) NOT-FOR-US: DClassifieds CVE-2012-0989 (Cross-site scripting (XSS) vulnerability in OneOrZero AIMS 2.8.0 Trial ...) NOT-FOR-US: OneOrZero AIMS CVE-2012-0988 (Multiple cross-site scripting (XSS) vulnerabilities in config/dmsDefau ...) NOT-FOR-US: KnowledgeTree CVE-2012-0987 (Directory traversal vulnerability in edituser.php in ImpressCMS 1.2.x ...) NOT-FOR-US: ImpressCMS CVE-2012-0986 (Multiple cross-site scripting (XSS) vulnerabilities in ImpressCMS 1.2. ...) NOT-FOR-US: ImpressCMS CVE-2012-0985 (Multiple buffer overflows in the Wireless Manager ActiveX control 4.0. ...) NOT-FOR-US: Sony VAIO wireless LAN management ActiveX CVE-2012-0984 (Multiple cross-site scripting (XSS) vulnerabilities in XOOPS before 2. ...) NOT-FOR-US: Xoops CVE-2012-0983 (SQL injection vulnerability in Scriptsez.net Ez Album allows remote at ...) NOT-FOR-US: Ez Album CVE-2012-0982 (SQL injection vulnerability in search.php in Vastal I-Tech Agent Zone ...) NOT-FOR-US: Vastal I-Tech Agent Zone CVE-2012-0981 (Directory traversal vulnerability in phpShowtime 2.0 allows remote att ...) NOT-FOR-US: phpShowtime CVE-2012-0980 (SQL injection vulnerability in download.php in phux Download Manager a ...) NOT-FOR-US: phux.org Download Manager CVE-2012-0979 (Cross-site scripting (XSS) vulnerability in TWiki allows remote attack ...) - twiki CVE-2012-0978 (Stack-based buffer overflow in npjp2.dll in LuraWave JP2 Browser Plug- ...) NOT-FOR-US: LuraWave JP2 Browser Plug-In CVE-2012-0977 (Stack-based buffer overflow in jp2_x.dll in LuraWave JP2 ActiveX Contr ...) NOT-FOR-US: LuraWave JP2 ActiveX Control CVE-2012-0976 (Cross-site scripting (XSS) vulnerability in admin/EditForm in SilverSt ...) - silverstripe (bug #528461) CVE-2012-0975 (Cross-site scripting (XSS) vulnerability in misc.php in Image Hosting ...) NOT-FOR-US: Image Hosting Script DPI CVE-2012-0974 (Multiple cross-site scripting (XSS) vulnerabilities in the getParam fu ...) NOT-FOR-US: OSClass CVE-2012-0973 (Multiple SQL injection vulnerabilities in OSClass before 2.3.5 allow r ...) NOT-FOR-US: OSClass CVE-2012-0972 REJECTED CVE-2012-0971 REJECTED CVE-2012-0970 REJECTED CVE-2012-0969 REJECTED CVE-2012-0968 REJECTED CVE-2012-0967 REJECTED CVE-2012-0966 REJECTED CVE-2012-0965 REJECTED CVE-2012-0964 REJECTED CVE-2012-0963 REJECTED CVE-2012-0962 (Aptdaemon 0.43 in Ubuntu 11.10 and 12.04 LTS uses short IDs when impor ...) - aptdaemon 0.45-2 (low) [squeeze] - aptdaemon (Vulnerable code not present) NOTE: https://bugs.launchpad.net/software-center-agent/+bug/1052789 CVE-2012-0961 (Apt 0.8.16~exp5ubuntu13.x before 0.8.16~exp5ubuntu13.6, 0.8.16~exp12ub ...) - apt 0.9.7.7 (bug #695832) [squeeze] - apt (Logged as 0600 in Squeeze) CVE-2012-0960 (Unity integration extension (unity-firefox-extension) before 2.4.1 for ...) NOT-FOR-US: Ubuntu Unity extension CVE-2012-0959 (Remote Login Service (RLS) 1.0.0 does not properly clear account infor ...) NOT-FOR-US: Ubuntu remote login service CVE-2012-0958 (content/unity-api.js in the unity-firefox-extension extension 2.4.1 fo ...) NOT-FOR-US: Firefox unity-firefox extension CVE-2012-0957 (The override_release function in kernel/sys.c in the Linux kernel befo ...) - linux 3.2.32-1 - linux-2.6 [squeeze] - linux-2.6 (Introduced in 3.0) NOTE: https://lkml.org/lkml/2012/10/9/550 CVE-2012-0956 (ubiquity-slideshow-ubuntu before 58.2, during installation, allows rem ...) NOT-FOR-US: ubiquity-slideshow-ubuntu CVE-2012-0955 RESERVED CVE-2012-0954 (APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-ke ...) - apt 0.7.25 (unimportant) NOTE: net-update is not enabled by default in Debian CVE-2012-0953 (A race condition was discovered in the Linux drivers for Nvidia graphi ...) - nvidia-graphics-drivers 295.53-1 CVE-2012-0952 (A heap buffer overflow was discovered in the device control ioctl in t ...) - nvidia-graphics-drivers 295.53-1 CVE-2012-0951 (A Memory Corruption Vulnerability exists in NVIDIA Graphics Drivers 29 ...) - nvidia-graphics-drivers 295.53-1 CVE-2012-0950 (The Apport hook (DistUpgradeApport.py) in Update Manager, as used by U ...) - update-manager (Ubuntu-specific) CVE-2012-0949 (The Apport hook in Update Manager as used by Ubuntu 12.04 LTS, 11.10, ...) - update-manager (Ubuntu-specific) CVE-2012-0948 (DistUpgrade/DistUpgradeMain.py in Update Manager, as used by Ubuntu 12 ...) - update-manager (Ubuntu-specific) CVE-2012-0947 (Heap-based buffer overflow in the vqa_decode_chunk function in the VQA ...) {DSA-2471-1} - libav 6:0.8.2-1 - ffmpeg 7:2.4.1-1 NOTE: https://bugs.launchpad.net/ubuntu/+source/libav/+bug/980963 NOTE: http://www.openwall.com/lists/oss-security/2012/05/03/4 CVE-2012-0946 (The NVIDIA UNIX driver before 295.40 allows local users to access arbi ...) - nvidia-graphics-drivers 295.40-1 [squeeze] - nvidia-graphics-drivers 195.36.31-6squeeze1 CVE-2012-0945 (whoopsie-daisy before 0.1.26: Root user can remove arbitrary files ...) NOT-FOR-US: whoopsie-daisy CVE-2012-0944 (Aptdaemon 0.43 and earlier in Ubuntu 11.04, 11.10, and 12.04 LTS does ...) - aptdaemon 0.43+bzr790-1 [squeeze] - aptdaemon (Vulnerable code not present) CVE-2012-0943 (debian/guest-account in Light Display Manager (lightdm) 1.0.x before 1 ...) - lightdm (Ubuntu-specific script) CVE-2012-0942 (Buffer overflow in rn5auth.dll in RealNetworks Helix Server and Helix ...) NOT-FOR-US: RealNetworks Helix CVE-2012-0941 (Multiple cross-site scripting (XSS) vulnerabilities in Fortinet FortiG ...) NOT-FOR-US: Fortinet CVE-2012-0940 RESERVED CVE-2012-0939 (Multiple SQL injection vulnerabilities in TestLink 1.8.5b and earlier ...) NOT-FOR-US: TestLink CVE-2012-0938 (Multiple SQL injection vulnerabilities in TestLink 1.9.3, 1.8.5b, and ...) NOT-FOR-US: TestLink CVE-2012-0937 (** DISPUTED ** wp-admin/setup-config.php in the installation component ...) - wordpress (unimportant) CVE-2012-0936 (Cross-site scripting (XSS) vulnerability in web/springframework/securi ...) - opennms (bug #450615) CVE-2012-0935 (SQL injection vulnerability in Default.aspx in Aryadad CMS allows remo ...) NOT-FOR-US: Aryadad CMS CVE-2012-0934 (PHP remote file inclusion vulnerability in ajax/savetag.php in the The ...) NOT-FOR-US: Wordpress plug-in CVE-2012-0933 (Multiple cross-site scripting (XSS) vulnerabilities in Acidcat CMS 3.5 ...) NOT-FOR-US: Acidcat CMS CVE-2012-0932 (Cross-site scripting (XSS) vulnerability in admin/login.php in Lead Ca ...) NOT-FOR-US: Lead Capture Page System CVE-2012-0931 (Schneider Electric Modicon Quantum PLC does not perform authentication ...) NOT-FOR-US: Schneider Electric Modicon Quantum PLC CVE-2012-0930 (Cross-site scripting (XSS) vulnerability in Schneider Electric Modicon ...) NOT-FOR-US: Schneider Electric Modicon Quantum PLC CVE-2012-0929 (Multiple buffer overflows in Schneider Electric Modicon Quantum PLC al ...) NOT-FOR-US: Schneider Electric Modicon Quantum PLC CVE-2012-0928 (The ATRAC codec in RealNetworks RealPlayer 11.x and 14.x through 14.0. ...) NOT-FOR-US: RealPlayer CVE-2012-0927 (Unspecified vulnerability in RealNetworks RealPlayer 11.x, 14.x, and 1 ...) NOT-FOR-US: RealPlayer CVE-2012-0926 (The RV10 codec in RealNetworks RealPlayer 11.x, 14.x, and 15.x before ...) NOT-FOR-US: RealPlayer CVE-2012-0925 (Unspecified vulnerability in the RV40 codec in RealNetworks RealPlayer ...) NOT-FOR-US: RealPlayer CVE-2012-0924 (RealNetworks RealPlayer 11.x, 14.x, and 15.x before 15.02.71, and Real ...) NOT-FOR-US: RealPlayer CVE-2012-0923 (The RV20 codec in RealNetworks RealPlayer 11.x, 14.x, and 15.x before ...) NOT-FOR-US: RealPlayer CVE-2012-0922 (rvrender.dll in RealNetworks RealPlayer 11.x, 14.x, and 15.x before 15 ...) NOT-FOR-US: RealPlayer CVE-2011-5075 (translate.php in Support Incident Tracker (aka SiT!) 3.45 through 3.65 ...) NOT-FOR-US: Support Incident Tracker CVE-2011-5074 (Multiple cross-site request forgery (CSRF) vulnerabilities in Support ...) NOT-FOR-US: Support Incident Tracker CVE-2011-5073 (Multiple cross-site scripting (XSS) vulnerabilities in Support Inciden ...) NOT-FOR-US: Support Incident Tracker CVE-2011-5072 (Multiple SQL injection vulnerabilities in Support Incident Tracker (ak ...) NOT-FOR-US: Support Incident Tracker CVE-2011-5071 (Multiple SQL injection vulnerabilities in Support Incident Tracker (ak ...) NOT-FOR-US: Support Incident Tracker CVE-2011-5070 (Multiple cross-site scripting (XSS) vulnerabilities in Support Inciden ...) NOT-FOR-US: Support Incident Tracker CVE-2011-5069 (Unrestricted file upload vulnerability in incident_attachments.php in ...) NOT-FOR-US: Support Incident Tracker CVE-2011-5068 (Multiple cross-site request forgery (CSRF) vulnerabilities in Support ...) NOT-FOR-US: Support Incident Tracker CVE-2011-5067 (move_uploaded_file.php in Support Incident Tracker (aka SiT!) 3.65 all ...) NOT-FOR-US: Support Incident Tracker CVE-2012-0921 RESERVED CVE-2012-0920 (Use-after-free vulnerability in Dropbear SSH Server 0.52 through 2012. ...) {DSA-2456-1} - dropbear 2012.55-1 (low; bug #661150) NOTE: this is limited to authenticated users with enforced command restrictions CVE-2012-0919 (Cross-site scripting (XSS) vulnerability in Hitachi IT Operations Dire ...) NOT-FOR-US: Hitachi IT Operations Director CVE-2012-0918 (Unspecified vulnerability in Hitachi COBOL2002 Net Developer, Net Serv ...) NOT-FOR-US: Hitachi CVE-2012-0917 (Cross-site scripting (XSS) vulnerability in Hitachi IT Operations Anal ...) NOT-FOR-US: Hitachi IT Operations Analyzer CVE-2012-0916 (Heap-based buffer overflow in RenRen Talk 2.9 allows remote attackers ...) NOT-FOR-US: RenRen Talk CVE-2012-0915 (Integer signedness error in RenRen Talk 2.9 allows remote attackers to ...) NOT-FOR-US: RenRen Talk CVE-2012-0914 (Cross-site scripting (XSS) vulnerability in display_renderers/panels_r ...) NOT-FOR-US: admin view in the Panels module for Drupal CVE-2012-0913 (SQL injection vulnerability in checklogin.aspx in ICloudCenter ICTimeA ...) NOT-FOR-US: ICloudCenter ICTimeAttendance CVE-2012-0912 (SQL injection vulnerability in Stoneware webNetwork before 6.0.8.0 all ...) NOT-FOR-US: Stoneware webNetwork CVE-2012-0911 (TikiWiki CMS/Groupware before 6.7 LTS and before 8.4 allows remote att ...) - tikiwiki NOTE: http://seclists.org/bugtraq/2012/Jul/19 CVE-2012-0910 RESERVED CVE-2012-0909 (Cross-site scripting (XSS) vulnerability in Horde_Form in Horde Groupw ...) - horde3 3.3.12+debian0-2.2 (low) [squeeze] - horde3 (Minor issue) CVE-2012-0907 (Directory traversal vulnerability in the web player in NeoAxis NeoAxis ...) NOT-FOR-US: NeoAxis NeoAxis web player CVE-2012-0906 (SQL injection vulnerability in the Moviebase addon for deV!L'z Clanpor ...) NOT-FOR-US: deV!L'z Clanportal CVE-2012-0905 (SQL injection vulnerability in deV!L'z Clanportal (DZCP) Gamebase addo ...) NOT-FOR-US: deV!L'z Clanportal CVE-2012-0904 (VLC media player 1.1.11 allows remote attackers to cause a denial of s ...) - vlc (not reproducible, no public fix from the vlc team either) CVE-2012-0903 (Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Desktop ...) NOT-FOR-US: Zimbra Desktop CVE-2012-0902 (AirTies Air 4450 1.1.2.18 allows remote attackers to cause a denial of ...) NOT-FOR-US: AirTies Air CVE-2012-0901 (Cross-site scripting (XSS) vulnerability in yousaytoo.php in YouSayToo ...) NOT-FOR-US: YouSayToo auto-publishing plugin for WordPress CVE-2012-0900 (Multiple cross-site scripting (XSS) vulnerabilities in Beehive Forum 1 ...) NOT-FOR-US: Beehive Forum CVE-2012-0899 (Cross-site scripting (XSS) vulnerability in referencement/sites_inscri ...) NOT-FOR-US: Annuaire PHP CVE-2012-0898 (Directory traversal vulnerability in meb_download.php in the myEASYbac ...) NOT-FOR-US: myEASYbackup plugin for WordPress CVE-2012-0897 (Stack-based buffer overflow in the JPEG2000 plugin in IrfanView PlugIn ...) NOT-FOR-US: IrfanView PlugIns CVE-2012-0896 (Absolute path traversal vulnerability in download.php in the Count Per ...) NOT-FOR-US: Count Per Day module for WordPress CVE-2012-0895 (Cross-site scripting (XSS) vulnerability in map/map.php in the Count P ...) NOT-FOR-US: Count Per Day module for WordPress CVE-2012-0894 RESERVED CVE-2012-0893 RESERVED CVE-2012-0892 RESERVED CVE-2012-0891 (Multiple cross-site scripting (XSS) vulnerabilities in Puppet Dashboar ...) NOT-FOR-US: puppet-dashboard CVE-2012-0890 RESERVED CVE-2012-0889 RESERVED CVE-2012-0888 RESERVED CVE-2012-0887 RESERVED CVE-2012-0886 RESERVED CVE-2012-0908 (Cross-site scripting (XSS) vulnerability in logout.php in SimpleSAMLph ...) {DSA-2387-1} - simplesamlphp 1.8.2-1 NOTE: http://code.google.com/p/simplesamlphp/issues/detail?id=468 CVE-2012-0884 (The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 i ...) {DSA-2454-1} - openssl 1.0.0h-1 (low) NOTE: "If a Linux distribution picks up the fix for CVE-2012-0884 then they will want to pick up change 22161 at the same time" -- http://www.openwall.com/lists/oss-security/2012/03/23/12 CVE-2012-0883 (envvars (aka envvars-std) in the Apache HTTP Server before 2.4.2 place ...) - apache2 (LD_LIBRARY_PATH not set in debian package) CVE-2012-0882 (Buffer overflow in yaSSL, as used in MySQL 5.5.20 and possibly other v ...) - mysql-5.5 5.5.22 (bug #675872) - cyassl (Fixed before initial upload to archive) NOTE: limited information about issue, only a video of exploit taking place CVE-2012-0881 (Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to ca ...) - libxerces2-java (unimportant) NOTE: Negligible impact for Xerces CVE-2012-0880 (Apache Xerces-C++ allows remote attackers to cause a denial of service ...) - xerces-c (unimportant) NOTE: Negligible impact for Xerces CVE-2012-0879 (The I/O implementation for block devices in the Linux kernel before 2. ...) {DSA-2469-1} - linux-2.6 2.6.33-1 CVE-2012-0878 (Paste Script 1.7.5 and earlier does not properly set group memberships ...) - pastescript 1.7.5-2 (low; bug #661061) [squeeze] - pastescript (Minor issue) NOTE: https://groups.google.com/d/topic/paste-users/KqZRujMcJHE/discussion CVE-2012-0877 (PyXML: Hash table collisions CPU usage Denial of Service ...) - python-xml CVE-2012-0876 (The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values ...) {DSA-2525-1} - expat 2.1.0~beta3-1 (bug #663579) - xmlrpc-c 1.16.33-3.2 (low; bug #687672) [squeeze] - xmlrpc-c (Minor issue) - python2.6 (configured with --with-system-expat since 2.6.6-4) CVE-2012-0875 (SystemTap 1.7, 1.6.7, and probably other versions, when unprivileged m ...) - systemtap 1.7-1 (low; bug #660929; bug #660886) [squeeze] - systemtap (Vulnerable code not present) [lenny] - systemtap (Vulnerable code not present) CVE-2012-0874 (The (1) JMXInvokerHAServlet and (2) EJBInvokerHAServlet invoker servle ...) - jbossas4 (Only builds a few libraries, not the full application server, #581226) CVE-2012-0873 (Multiple cross-site scripting (XSS) vulnerabilities in Boonex Dolphin ...) NOT-FOR-US: Boonex Dolphin CVE-2012-0872 (Multiple cross-site scripting (XSS) vulnerabilities in OxWall 1.1.1 an ...) NOT-FOR-US: OxWall CVE-2012-0871 (The session_link_x11_socket function in login/logind-session.c in syst ...) - systemd 43-1 CVE-2012-0870 (Heap-based buffer overflow in process.c in smbd in Samba 3.0, as used ...) - samba 2:3.4.0~pre1-1 [lenny] - samba (pre-release issue) [squeeze] - samba (pre-release issue) CVE-2012-0868 (CRLF injection vulnerability in pg_dump in PostgreSQL 8.3.x before 8.3 ...) {DSA-2418-1} - postgresql-9.1 9.1.3-1 - postgresql-8.4 8.4.11-1 CVE-2012-0867 (PostgreSQL 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9 ...) {DSA-2418-1} - postgresql-9.1 9.1.3-1 - postgresql-8.4 8.4.11-1 CVE-2012-0866 (CREATE TRIGGER in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, ...) {DSA-2418-1} - postgresql-9.1 9.1.3-1 - postgresql-8.4 8.4.11-1 CVE-2012-0865 (Multiple open redirect vulnerabilities in CubeCart 3.0.20 and earlier ...) NOT-FOR-US: CubeCart CVE-2012-0864 (Integer overflow in the vfprintf function in stdio-common/vfprintf.c i ...) - eglibc 2.13-31 (low; bug #660611) [squeeze] - eglibc 2.11.3-4 CVE-2012-0863 (Mumble 1.2.3 and earlier uses world-readable permissions for .local/sh ...) {DSA-2411-1} - mumble 1.2.3-3 (bug #659039) CVE-2012-0862 (builtins.c in Xinetd before 2.3.15 does not check the service type whe ...) - xinetd 1:2.3.14-7.1 (bug #672381) [squeeze] - xinetd (Minor issue) CVE-2012-0861 (The vds_installer in Red Hat Enterprise Virtualization Manager (RHEV-M ...) NOT-FOR-US: Red Hat Enterprise Virtualisation CVE-2012-0860 (Multiple untrusted search path vulnerabilities in Red Hat Enterprise V ...) NOT-FOR-US: Red Hat Enterprise Virtualisation CVE-2012-0859 (The render_line function in the vorbis codec (vorbis.c) in libavcodec ...) {DSA-2471-1} - libav 6:0.8.3-1 - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg 4:0.5.10-1 (bug #688849) CVE-2012-0858 (The Shorten codec (shorten.c) in libavcodec in FFmpeg 0.7.x before 0.7 ...) {DSA-2624-1} - libav 4:0.8.1-1 - ffmpeg 7:2.2.1-1 [squeeze] - ffmpeg 4:0.5.9-1 CVE-2012-0857 (Multiple buffer overflows in the get_qcx function in the J2K decoder ( ...) - libav (Vulnerable code not present) - ffmpeg (Vulnerable code not present) CVE-2012-0856 (Heap-based buffer overflow in the MPV_frame_start function in libavcod ...) - libav (Vulnerable code not present) - ffmpeg (Vulnerable code not present) CVE-2012-0855 (Heap-based buffer overflow in the get_sot function in the J2K decoder ...) - libav (Vulnerable code not present) - ffmpeg (Vulnerable code not present) CVE-2012-0854 (The dpcm_decode_frame function in libavcodec/dpcm.c in FFmpeg before 0 ...) - libav 4:0.8.1-1 - ffmpeg (Vulnerable code not present) CVE-2012-0853 (The decodeTonalComponents function in the Actrac3 codec (atrac3.c) in ...) {DSA-2471-1} - libav 4:0.8.1-1 - ffmpeg 7:2.4.1-1 CVE-2012-0852 (The adpcm_decode_frame function in adpcm.c in libavcodec in FFmpeg bef ...) {DSA-2494-1} - libav 4:0.8.1-1 - ffmpeg 7:2.4.1-1 CVE-2012-0851 (The ff_h264_decode_seq_parameter_set function in h264_ps.c in libavcod ...) {DSA-2494-1} - libav 6:0.8.3-1 - ffmpeg 7:2.4.1-1 CVE-2012-0850 (The sbr_qmf_synthesis function in libavcodec/aacsbr.c in FFmpeg before ...) - libav 4:0.8.1-1 - ffmpeg (Vulnerable code not present) CVE-2012-0849 (Integer overflow in the ff_j2k_dwt_init function in libavcodec/j2k_dwt ...) - libav (Vulnerable code not present) - ffmpeg (Vulnerable code not present) CVE-2012-0848 (Heap-based buffer overflow in the ws_snd_decode_frame function in liba ...) - libav 4:0.8.1-1 - ffmpeg (Code in 0.5 not affected per upstream) CVE-2012-0847 (Heap-based buffer overflow in the avfilter_filter_samples function in ...) - libav (Vulnerable code not present) - ffmpeg (Vulnerable code not present) CVE-2012-0846 (Cross-site scripting (XSS) vulnerability in Craig Knudsen WebCalendar ...) - webcalendar CVE-2012-0845 (SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2. ...) {DLA-25-1} - python3.1 (low) [squeeze] - python3.1 (Minor issue) - python3.2 3.2.3~rc1-1 - python2.7 2.7.3~rc1-1 - python2.6 2.6.8-0.1 - python2.5 [squeeze] - python2.5 (Minor issue) CVE-2012-0844 (Information-disclosure vulnerability in Netsurf through 2.8 due to a w ...) - netsurf 2.8-2 (bug #659376) CVE-2012-0843 (uzbl: Information disclosure via world-readable cookies storage file ...) - uzbl 0.0.0~git.20111128-2 (bug #659379) [squeeze] - uzbl (Minor issue) CVE-2012-0842 (surf: cookie jar has read access from other local user ...) - surf 0.4.1-6 (bug #659296) CVE-2012-0841 (libxml2 before 2.8.0 computes hash values without restricting the abil ...) {DSA-2417-1} - libxml2 2.7.8.dfsg-8 (bug #660846) CVE-2012-0840 (tables/apr_hash.c in the Apache Portable Runtime (APR) library through ...) - apr 1.4.6-1 (low; bug #655435) [squeeze] - apr (exploitability in httpd extremely limited, not known to be exploitable in svn) NOTE: Commit http://mail-archives.apache.org/mod_mbox/apr-commits/201201.mbox/%3C20120115003715.071D423888FD@eris.apache.org%3E seems to cause regressions CVE-2012-0839 (OCaml 3.12.1 and earlier computes hash values without restricting the ...) - ocaml 4.00.0~beta2-1 (low; bug #659149) [wheezy] - ocaml (Minor issue) [squeeze] - ocaml (Minor issue) CVE-2012-0838 (Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expressio ...) - libstruts1.2-java (struts 2 issue) CVE-2012-0837 (Joomla! 1.7.x before 1.7.5 and 2.5.x before 2.5.1 allows attackers to ...) NOT-FOR-US: Joomla! CVE-2012-0836 (Unspecified vulnerability in Joomla! 1.7.x before 1.7.5 allows attacke ...) NOT-FOR-US: Joomla! CVE-2012-0835 (Unspecified vulnerability in Joomla! 1.7.x before 1.7.5 and 2.5.x befo ...) NOT-FOR-US: Joomla! CVE-2012-0834 (Cross-site scripting (XSS) vulnerability in lib/QueryRender.php in php ...) - phpldapadmin 1.2.2-1 (low; bug #658907) [squeeze] - phpldapadmin (Minor issue) CVE-2012-0833 (The acllas__handle_group_entry function in servers/plugins/acl/acllas. ...) - 389-ds-base (Fixed before initial upload) CVE-2012-0832 RESERVED CVE-2012-0831 (PHP before 5.3.10 does not properly perform a temporary change to the ...) {DSA-2408-1} - php5 5.3.10-1 CVE-2012-0830 (The php_register_variable_ex function in php_variables.c in PHP 5.3.9 ...) {DSA-2403-1} - php5 5.3.10-1 NOTE: http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/ CVE-2012-0829 (Multiple cross-site request forgery (CSRF) vulnerabilities in Mibew Me ...) NOT-FOR-US: Mibew Messenger CVE-2012-0828 (Heap-based buffer overflow in Xchat-WDK before 1499-4 (2012-01-18) xch ...) - xchat (Only affects Xchat on Windows and Maemo) CVE-2012-0827 (The File module in Drupal 7.x before 7.11, when using unspecified fiel ...) - drupal7 7.11-1 - drupal6 CVE-2012-0826 (Cross-site request forgery (CSRF) vulnerability in the Aggregator modu ...) {DSA-2776-1} - drupal7 7.11-1 - drupal6 6.26-1 CVE-2012-0825 (Drupal 6.x before 6.23 and 7.x before 7.11 does not verify that Attrib ...) {DSA-2776-1} - drupal7 7.11-1 - drupal6 6.26-1 CVE-2012-0824 (gnusound 0.7.5 has format string issue ...) - gnusound (low; bug #654270) [squeeze] - gnusound 0.7.5-3+squeeze1 CVE-2012-0823 (VP8 Codec SDK (libvpx) before 1.0.0 "Duclair" allows remote attackers ...) - libvpx 1.0.0-1 [squeeze] - libvpx (Introduced in 0.9.7) NOTE: http://blog.webmproject.org/2012/01/vp8-codec-sdk-duclair-released.html CVE-2012-0822 (Cross-site scripting (XSS) vulnerability in Joomla! 1.6 and 1.7.x befo ...) NOT-FOR-US: Joomla! CVE-2012-0821 (Unspecified vulnerability in Joomla! 1.6.x and 1.7.x before 1.7.4 allo ...) NOT-FOR-US: Joomla! CVE-2012-0820 (Cross-site scripting (XSS) vulnerability in Joomla! 1.6.x and 1.7.x be ...) NOT-FOR-US: Joomla! CVE-2012-0819 (Unspecified vulnerability in Joomla! 1.6.x and 1.7.x before 1.7.4 allo ...) NOT-FOR-US: Joomla! CVE-2012-0818 (RESTEasy before 2.3.1 allows remote attackers to read arbitrary files ...) NOT-FOR-US: RESTEasy framework for JBoss CVE-2012-0817 (Memory leak in smbd in Samba 3.6.x before 3.6.3 allows remote attacker ...) - samba 2:3.6.3-1 (low) - samba4 4.0.0~alpha18.dfsg1-1 [squeeze] - samba (Only affects 3.6.x) [lenny] - samba (Only affects 3.6.x) CVE-2012-0816 RESERVED CVE-2012-0815 (The headerVerifyInfo function in lib/header.c in RPM before 4.9.1.3 al ...) {DLA-140-1} - rpm 4.9.1.3-1 (bug #667031) [squeeze] - rpm (Minor issue) CVE-2012-0814 (The auth_parse_options function in auth-options.c in sshd in OpenSSH b ...) - openssh 1:5.6p1-1 (low; bug #657445) [squeeze] - openssh 1:5.5p1-6+squeeze2 CVE-2012-0813 (Wicd before 1.7.1 saves sensitive information in log files in /var/log ...) - wicd 1.7.1~b3-4 (unimportant; bug #652417) NOTE: Not a security issue per se, logfile only accessible by root:adm CVE-2012-0812 (PostfixAdmin 2.3.4 has multiple XSS vulnerabilities ...) - postfixadmin 2.3.5-1 NOTE: http://seclists.org/oss-sec/2012/q1/285 CVE-2012-0811 (Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixad ...) - postfixadmin 2.3.5-1 NOTE: http://seclists.org/oss-sec/2012/q1/285 CVE-2012-0810 (The int3 handler in the Linux kernel before 3.3 relies on a per-CPU de ...) - linux-2.6 3.2.16-1 (bug #672660) [squeeze] - linux-2.6 (rt patchset not yet present) NOTE: Ben Hutchings said it was fixed in 3.2.9-1, I checked it for 3.2.16-1 CVE-2012-0809 (Format string vulnerability in the sudo_debug function in Sudo 1.8.0 t ...) - sudo 1.8.3p2-1 (bug #657985) [squeeze] - sudo (Vulnerable code not present) [lenny] - sudo (Vulnerable code not present) CVE-2012-0808 (as31 2.3.1-4 does not seed the random number generator and generates p ...) - as31 2.3.1-5 (bug #655496) [squeeze] - as31 (The maintainer consider it a minor issue. Check comments in the bug report) CVE-2012-0807 (Stack-based buffer overflow in the suhosin_encrypt_single_cookie funct ...) - php-suhosin 0.9.33-1 (low; bug #657190) [squeeze] - php-suhosin (Exploitable in rare setups) NOTE: https://github.com/stefanesser/suhosin/commit/73b1968ee30f6d9d2dae497544b910e68e114bfa CVE-2012-0806 (Buffer overflow in Bip 0.8.8 and earlier might allow remote authentica ...) {DSA-2393-1} - bip 0.8.8-2 (bug #657217) [lenny] - bip (Maintainer reports vulnerable code not present) CVE-2012-0805 (Multiple SQL injection vulnerabilities in SQLAlchemy before 0.7.0b4, a ...) {DSA-2449-1} - sqlalchemy 0.6.7-1 CVE-2012-0804 (Heap-based buffer overflow in the proxy_connect function in src/client ...) {DSA-2407-1} - cvs 2:1.12.13+real-7 CVE-2012-0803 (The WS-SP UsernameToken policy in Apache CXF 2.4.5 and 2.5.1 allows re ...) NOT-FOR-US: Apache CXF CVE-2012-0802 (Multiple buffer overflows in Spamdyke before 4.3.0 might allow remote ...) NOT-FOR-US: spamdyke CVE-2012-0801 (lib/formslib.php in Moodle 2.1.x before 2.1.4 and 2.2.x before 2.2.1 d ...) - moodle (Only affects 2.x) CVE-2012-0800 (The form-autocompletion functionality in Moodle 2.0.x before 2.0.7, 2. ...) - moodle (Only affects 2.x) CVE-2012-0799 (Moodle 2.0.x before 2.0.7 and 2.1.x before 2.1.4, when an anonymous fr ...) - moodle (Only affects 2.x) CVE-2012-0798 (The self-enrolment functionality in Moodle 2.1.x before 2.1.4 and 2.2. ...) - moodle (Only affects 2.x) CVE-2012-0797 (The webservices functionality in Moodle 2.0.x before 2.0.7, 2.1.x befo ...) - moodle (Only affects 2.x) CVE-2012-0796 (class.phpmailer.php in the PHPMailer library, as used in Moodle 1.9.x ...) {DSA-2421-1} - moodle 1.9.9.dfsg2-5 CVE-2012-0795 (Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, an ...) {DSA-2421-1} - moodle 1.9.9.dfsg2-5 CVE-2012-0794 (The rc4encrypt function in lib/moodlelib.php in Moodle 1.9.x before 1. ...) {DSA-2421-1} - moodle 1.9.9.dfsg2-5 CVE-2012-0793 (Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, an ...) {DSA-2421-1} - moodle 1.9.9.dfsg2-5 CVE-2012-0792 (mod/forum/user.php in Moodle 1.9.x before 1.9.16 allows remote authent ...) {DSA-2421-1} - moodle 1.9.9.dfsg2-5 CVE-2012-0791 (Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP befor ...) {DSA-2485-1} - imp4 4.3.10+debian0-1.1 (bug #659392) CVE-2012-0790 (Cross-site scripting (XSS) vulnerability in smokeping_cgi in Smokeping ...) {DSA-2651-1} - smokeping 2.6.8-2 (bug #659899) CVE-2012-0789 (Memory leak in the timezone functionality in PHP before 5.3.9 allows r ...) - php5 5.3.9-1 (low) [squeeze] - php5 (Too intrusive to backport) CVE-2012-0788 (The PDORow implementation in PHP before 5.3.9 does not properly intera ...) {DSA-2408-1} - php5 5.3.9-1 CVE-2012-0787 (The clone_file function in transfer.c in Augeas before 1.0.0, when cop ...) {DLA-28-1} - augeas 1.0.0-1 (low; bug #731132) [wheezy] - augeas (Minor issue) CVE-2012-0786 (The transform_save function in transform.c in Augeas before 1.0.0 allo ...) {DLA-28-1} - augeas 1.0.0-1 (low; bug #731132) [wheezy] - augeas (Minor issue) CVE-2012-0885 (chan_sip.c in Asterisk Open Source 1.8.x before 1.8.8.2 and 10.x befor ...) - asterisk 1:1.8.8.2~dfsg-1 (bug #656596) [squeeze] - asterisk (Vulnerable code not present) [lenny] - asterisk (Vulnerable code not present) NOTE: AST-2012-001 http://downloads.asterisk.org/pub/security/AST-2012-001.html CVE-2012-0784 RESERVED CVE-2012-0783 RESERVED CVE-2012-0782 (** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in ...) - wordpress (unimportant) NOTE: https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt CVE-2012-0781 (The tidy_diagnose function in PHP 5.3.8 might allow remote attackers t ...) {DSA-2408-1} - php5 5.3.9-1 (low) CVE-2012-0780 (Adobe Illustrator before CS6 allows attackers to execute arbitrary cod ...) NOT-FOR-US: Adobe Illustrator CVE-2012-0779 (Adobe Flash Player before 10.3.183.19 and 11.x before 11.2.202.235 on ...) NOT-FOR-US: Adobe Flash Player CVE-2012-0778 (Buffer overflow in Adobe Flash Professional before CS6 allows attacker ...) NOT-FOR-US: Adobe Flash Player CVE-2012-0777 (The JavaScript API in Adobe Reader and Acrobat 9.x before 9.5.1 and 10 ...) NOT-FOR-US: Adobe Reader CVE-2012-0776 (The installer in Adobe Reader 9.x before 9.5.1 and 10.x before 10.1.3 ...) NOT-FOR-US: Adobe Reader CVE-2012-0775 (The JavaScript implementation in Adobe Reader and Acrobat 9.x before 9 ...) NOT-FOR-US: Adobe Reader CVE-2012-0774 (Integer overflow in Adobe Reader and Acrobat 9.x before 9.5.1 and 10.x ...) NOT-FOR-US: Adobe Reader CVE-2012-0773 (The NetStream class in Adobe Flash Player before 10.3.183.18 and 11.x ...) NOT-FOR-US: Adobe Flash Player CVE-2012-0772 (An unspecified ActiveX control in Adobe Flash Player before 10.3.183.1 ...) NOT-FOR-US: Adobe Flash Player CVE-2012-0771 (Adobe Shockwave Player before 11.6.4.634 allows attackers to execute a ...) NOT-FOR-US: Adobe Flash Player CVE-2012-0770 (Adobe ColdFusion 8.0, 8.0.1, 9.0, and 9.0.1 computes hash values for f ...) NOT-FOR-US: Adobe ColdFusion CVE-2012-0769 (Adobe Flash Player before 10.3.183.16 and 11.x before 11.1.102.63 on W ...) NOT-FOR-US: Adobe Flash Player CVE-2012-0768 (The Matrix3D component in Adobe Flash Player before 10.3.183.16 and 11 ...) NOT-FOR-US: Adobe Flash Player CVE-2012-0767 (Cross-site scripting (XSS) vulnerability in Adobe Flash Player before ...) NOT-FOR-US: Adobe Flash Player CVE-2012-0766 (The Shockwave 3D Asset component in Adobe Shockwave Player before 11.6 ...) NOT-FOR-US: Adobe Shockwave Player CVE-2012-0765 (Multiple cross-site scripting (XSS) vulnerabilities in Adobe RoboHelp ...) NOT-FOR-US: Adobe Shockwave Player CVE-2012-0764 (The Shockwave 3D Asset component in Adobe Shockwave Player before 11.6 ...) NOT-FOR-US: Adobe Shockwave Player CVE-2012-0763 (The Shockwave 3D Asset component in Adobe Shockwave Player before 11.6 ...) NOT-FOR-US: Adobe Shockwave Player CVE-2012-0762 (The Shockwave 3D Asset component in Adobe Shockwave Player before 11.6 ...) NOT-FOR-US: Adobe Shockwave Player CVE-2012-0761 (The Shockwave 3D Asset component in Adobe Shockwave Player before 11.6 ...) NOT-FOR-US: Adobe Shockwave Player CVE-2012-0760 (The Shockwave 3D Asset component in Adobe Shockwave Player before 11.6 ...) NOT-FOR-US: Adobe Shockwave Player CVE-2012-0759 (Adobe Shockwave Player before 11.6.4.634 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2012-0758 (Heap-based buffer overflow in Adobe Shockwave Player before 11.6.4.634 ...) NOT-FOR-US: Adobe Shockwave Player CVE-2012-0757 (The Shockwave 3D Asset component in Adobe Shockwave Player before 11.6 ...) NOT-FOR-US: Adobe Shockwave Player CVE-2012-0756 (Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on W ...) NOT-FOR-US: Adobe Flash Player CVE-2012-0755 (Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on W ...) NOT-FOR-US: Adobe Flash Player CVE-2012-0754 (Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on W ...) NOT-FOR-US: Adobe Flash Player CVE-2012-0753 (Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on W ...) NOT-FOR-US: Adobe Flash Player CVE-2012-0752 (Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on W ...) NOT-FOR-US: Adobe Flash Player CVE-2012-0751 (The ActiveX control in Adobe Flash Player before 10.3.183.15 and 11.x ...) NOT-FOR-US: Adobe Flash Player CVE-2012-0750 RESERVED CVE-2012-0749 RESERVED CVE-2012-0748 (Multiple cross-site request forgery (CSRF) vulnerabilities in unspecif ...) NOT-FOR-US: IBM Rational Team Concert CVE-2012-0747 (SQL injection vulnerability in IBM Maximo Asset Management 6.2 through ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2012-0746 (Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Managemen ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2012-0745 (The getpwnam function in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.1.0.10 t ...) NOT-FOR-US: IBM AIX CVE-2012-0744 (IBM Rational ClearQuest 7.1.x through 7.1.2.7 and 8.x through 8.0.0.3 ...) NOT-FOR-US: IBM Rational ClearQuest CVE-2012-0743 (IBM Tivoli Directory Server (TDS) 6.3 and earlier allows remote attack ...) NOT-FOR-US: IBM Tivoli Directory Server CVE-2012-0742 (IBM Tivoli Event Pump 4.2.2, when the LOG_REQUESTS and VALIDATE_SOAP_U ...) NOT-FOR-US: IBM Tivoli Event Pump CVE-2012-0741 (IBM Security AppScan Enterprise before 8.6.0.2 and Rational Policy Tes ...) NOT-FOR-US: (IBM Security AppScan Enterprise CVE-2012-0740 (Cross-site scripting (XSS) vulnerability in the Web Admin Tool in IBM ...) NOT-FOR-US: IBM Tivoli Directory Server CVE-2012-0739 RESERVED CVE-2012-0738 (IBM Security AppScan Enterprise before 8.6.0.2 and Rational Policy Tes ...) NOT-FOR-US: (IBM Security AppScan Enterprise CVE-2012-0737 (Cross-site scripting (XSS) vulnerability in IBM Rational AppScan Enter ...) NOT-FOR-US: IBM Rational AppScan CVE-2012-0736 (IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1 does not pr ...) NOT-FOR-US: IBM Rational AppScan CVE-2012-0735 (IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1 does not pr ...) NOT-FOR-US: IBM Rational AppScan CVE-2012-0734 (IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1 does not pr ...) NOT-FOR-US: IBM Rational AppScan CVE-2012-0733 (IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1, when Integ ...) NOT-FOR-US: IBM Rational AppScan CVE-2012-0732 (The Enterprise Console client in IBM Rational AppScan Enterprise 5.x a ...) NOT-FOR-US: IBM Rational AppScan CVE-2012-0731 (IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1 does not pr ...) NOT-FOR-US: IBM Rational AppScan CVE-2012-0730 (Multiple cross-site request forgery (CSRF) vulnerabilities in IBM Rati ...) NOT-FOR-US: IBM Rational AppScan CVE-2012-0729 (Unrestricted file upload vulnerability in IBM Rational AppScan Enterpr ...) NOT-FOR-US: IBM Rational AppScan CVE-2012-0728 (SQL injection vulnerability in IBM Maximo Asset Management 7.1 through ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2012-0727 (SQL injection vulnerability in IBM Maximo Asset Management 7.5, as use ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2012-0726 (The default configuration of TLS in IBM Tivoli Directory Server (TDS) ...) NOT-FOR-US: IBM Tivoli Directory Server CVE-2012-0725 (Adobe Flash Player before 11.2.202.229 in Google Chrome before 18.0.10 ...) NOT-FOR-US: Adobe Flash Player CVE-2012-0724 (Adobe Flash Player before 11.2.202.229 in Google Chrome before 18.0.10 ...) NOT-FOR-US: Adobe Flash Player CVE-2012-0723 (The kernel in IBM AIX 5.3, 6.1, and 7.1, and VIOS 2.2.1.4-FP-25 SP-02, ...) NOT-FOR-US: IBM AIX, VIOS CVE-2012-0721 REJECTED CVE-2012-0720 (Cross-site scripting (XSS) vulnerability in the Integration Solution C ...) NOT-FOR-US: IBM WebSphere Application CVE-2012-0719 (Cross-site scripting (XSS) vulnerability in IBM Tivoli Endpoint Manage ...) NOT-FOR-US: IBM Tivoli Endpoint Manager CVE-2012-0718 (IBM Tivoli Endpoint Manager 8 does not set the HttpOnly flag on cookie ...) NOT-FOR-US: IBM CVE-2012-0717 (IBM WebSphere Application Server 7.0 before 7.0.0.23, when a certain S ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2012-0716 (Cross-site scripting (XSS) vulnerability in the Administration Console ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2012-0715 (Cross-site scripting (XSS) vulnerability in the Gantt applet viewer in ...) NOT-FOR-US: IBM Tivoli Change and Configuration Management Database CVE-2012-0714 (Cross-site request forgery (CSRF) vulnerability in IBM Maximo Asset Ma ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2012-0713 (Unspecified vulnerability in the XML feature in IBM DB2 9.7 before FP6 ...) NOT-FOR-US: IBM DB2 CVE-2012-0712 (The XML feature in IBM DB2 9.5 before FP9, 9.7 through FP5, and 9.8 th ...) NOT-FOR-US: IBM DB2 CVE-2012-0711 (Integer signedness error in the db2dasrrm process in the DB2 Administr ...) NOT-FOR-US: IBM DB2 CVE-2012-0710 (IBM DB2 9.1 before FP11, 9.5 before FP9, 9.7 before FP5, and 9.8 befor ...) NOT-FOR-US: IBM DB2 CVE-2012-0709 (IBM DB2 9.5 before FP9, 9.7 through FP5, and 9.8 through FP4 does not ...) NOT-FOR-US: IBM DB2 CVE-2012-0708 (Heap-based buffer overflow in the Ole API in the CQOle ActiveX control ...) NOT-FOR-US: IBM Rational ClearQuest CVE-2012-0707 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Lombardi Edi ...) NOT-FOR-US: IBM WebSphere CVE-2012-0706 (IBM Scale Out Network Attached Storage (SONAS) 1.3 before 1.3.2.3 requ ...) NOT-FOR-US: IBM Scale Out network Attached Storage (SONAS) CVE-2012-0705 (InfoSphere Import Export Manager in InfoSphere Information Server Meta ...) NOT-FOR-US: InfoSphere Information Server CVE-2012-0704 RESERVED CVE-2012-0703 (Open redirect vulnerability in Information Services Framework (ISF) in ...) NOT-FOR-US: IBM InfoSphere Information Server CVE-2012-0702 (Information Services Framework (ISF) in IBM InfoSphere Information Ser ...) NOT-FOR-US: IBM InfoSphere Information Server CVE-2012-0701 (The client applications in the DataStage Administrator client in InfoS ...) NOT-FOR-US: IBM InfoSphere Information Server CVE-2012-0700 (The client in InfoSphere FastTrack 8.1 through 8.7 in IBM InfoSphere I ...) NOT-FOR-US: IBM InfoSphere Information Server CVE-2012-0699 (Multiple cross-site request forgery (CSRF) vulnerabilities in Family C ...) NOT-FOR-US: Family Connections CMS CVE-2012-0698 (tcsd in TrouSerS before 0.3.10 allows remote attackers to cause a deni ...) {DSA-2576-1} - trousers 0.3.9-1 (low; bug #692649) CVE-2011-5066 (The SibRaRecoverableSiXaResource class in the Default Messaging Compon ...) NOT-FOR-US: WebSphere CVE-2011-5065 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Application ...) NOT-FOR-US: WebSphere CVE-2011-5064 (DigestAuthenticator.java in the HTTP Digest Access Authentication impl ...) {DSA-2401-1} - tomcat6 6.0.32-7 - tomcat7 7.0.12 - tomcat5.5 CVE-2011-5063 (The HTTP Digest Access Authentication implementation in Apache Tomcat ...) {DSA-2401-1} - tomcat6 6.0.32-7 - tomcat7 7.0.12 - tomcat5.5 CVE-2011-5062 (The HTTP Digest Access Authentication implementation in Apache Tomcat ...) {DSA-2401-1} - tomcat6 6.0.32-7 - tomcat7 7.0.12 - tomcat5.5 CVE-2011-5061 (functions.php in WHMCompleteSolution (WHMCS) 4.0.x through 5.0.x allow ...) NOT-FOR-US: WHMCompleteSolution CVE-2011-5060 (The par_mktmpdir function in the PAR module before 1.003 for Perl crea ...) - libpar-perl 1.005-1 (bug #650707) [squeeze] - libpar-perl 1.000-1+squeeze1 CVE-2010-5082 (Untrusted search path vulnerability in colorcpl.exe 6.0.6000.16386 in ...) NOT-FOR-US: Windows Server CVE-2012-0697 (HP StorageWorks P2000 G3 MSA array systems have a default account, whi ...) NOT-FOR-US: HP StorageWorks CVE-2012-0696 (Multiple cross-site scripting (XSS) vulnerabilities in the Executive V ...) NOT-FOR-US: IBM Cognos CVE-2012-0695 (Multiple unspecified vulnerabilities in Google Chrome before 17.0.963. ...) NOT-FOR-US: Google Chrome books CVE-2012-0694 (SugarCRM CE <= 6.3.1 contains scripts that use "unserialize()" with ...) - sugarcrm-ce-5.0 (bug #457876) NOTE: http://seclists.org/bugtraq/2012/Jun/165 CVE-2012-0693 (** DISPUTED ** submitticket.php in WHMCompleteSolution (WHMCS) 5.03 al ...) NOT-FOR-US: WHMCompleteSolution CVE-2012-0692 (CA License (aka CA Licensing) before 1.90.03 allows local users to mod ...) NOT-FOR-US: CA License CVE-2012-0691 (CA License (aka CA Licensing) before 1.90.03 does not properly restric ...) NOT-FOR-US: CA License CVE-2012-0690 (TIBCO Spotfire Web Application, Web Player Application, Automation Ser ...) NOT-FOR-US: TIBCO Spotfire CVE-2012-0689 (The server in TIBCO ActiveMatrix Platform in TIBCO Silver Fabric Activ ...) NOT-FOR-US: TIBCO ActiveMatrix CVE-2012-0688 (Cross-site scripting (XSS) vulnerability in TIBCO ActiveMatrix Platfor ...) NOT-FOR-US: TIBCO ActiveMatrix CVE-2012-0687 (TIBCO ActiveMatrix Runtime Platform in Service Grid and Service Bus 2. ...) NOT-FOR-US: TIBCO ActiveMatrix CVE-2012-0686 RESERVED CVE-2012-0685 (Integer overflow in XnViewer (aka XnView) before 1.98.5 allows remote ...) NOT-FOR-US: XnView CVE-2012-0684 (Integer overflow in XnViewer (aka XnView) before 1.98.5 allows remote ...) NOT-FOR-US: XnView CVE-2012-0683 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple Safari/ if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0682 (WebKit, as used in Apple Safari before 6.0, allows remote attackers to ...) NOT-FOR-US: Apple Safari/ if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0681 (Apple Remote Desktop before 3.6.1 does not recognize the "Encrypt all ...) NOT-FOR-US: Apple Remote Desktop CVE-2012-0680 (Apple Safari before 6.0 does not properly handle the autocomplete attr ...) NOT-FOR-US: Apple Safari CVE-2012-0679 (Apple Safari before 6.0 allows remote attackers to read arbitrary file ...) NOT-FOR-US: Apple Safari CVE-2012-0678 (Cross-site scripting (XSS) vulnerability in Apple Safari before 6.0 al ...) NOT-FOR-US: Apple Safari CVE-2012-0677 (Heap-based buffer overflow in Apple iTunes before 10.6.3 allows remote ...) NOT-FOR-US: Apple iTunes CVE-2012-0676 (WebKit in Apple Safari before 5.1.7 does not properly track state info ...) NOT-FOR-US: Apple Safari CVE-2012-0675 (Time Machine in Apple Mac OS X before 10.7.4 does not require continue ...) NOT-FOR-US: Time Machine CVE-2012-0674 (Safari in Apple iOS before 5.1.1 allows remote attackers to spoof the ...) NOT-FOR-US: Apple Safari CVE-2012-0673 RESERVED CVE-2012-0672 (WebKit in Apple iOS before 5.1.1 allows remote attackers to execute ar ...) NOTE: http://dl.packetstormsecurity.net/1205-advisories/APPLE-SA-2012-05-09-2.txt CVE-2012-0671 (Apple QuickTime before 7.7.2 allows remote attackers to execute arbitr ...) NOT-FOR-US: Apple QuickTime CVE-2012-0670 (Integer overflow in Apple QuickTime before 7.7.2 allows remote attacke ...) NOT-FOR-US: Apple QuickTime CVE-2012-0669 (Buffer overflow in Apple QuickTime before 7.7.2 on Windows allows remo ...) NOT-FOR-US: Apple QuickTime CVE-2012-0668 (Buffer overflow in Apple QuickTime before 7.7.2 allows remote attacker ...) NOT-FOR-US: Apple QuickTime CVE-2012-0667 (Integer signedness error in Apple QuickTime before 7.7.2 on Windows al ...) NOT-FOR-US: Apple QuickTime CVE-2012-0666 (Stack-based buffer overflow in the plugin in Apple QuickTime before 7. ...) NOT-FOR-US: Apple QuickTime CVE-2012-0665 (Heap-based buffer overflow in Apple QuickTime before 7.7.2 allows remo ...) NOT-FOR-US: Apple QuickTime CVE-2012-0664 (Heap-based buffer overflow in Apple QuickTime before 7.7.2 on Windows ...) NOT-FOR-US: Apple QuickTime CVE-2012-0663 (Multiple stack-based buffer overflows in Apple QuickTime before 7.7.2 ...) NOT-FOR-US: Apple QuickTime CVE-2012-0662 (Integer overflow in the Security Framework in Apple Mac OS X before 10 ...) NOT-FOR-US: Apple Mac OS X CVE-2012-0661 (Use-after-free vulnerability in QuickTime in Apple Mac OS X 10.7.x bef ...) NOT-FOR-US: Apple Mac OS X CVE-2012-0660 (Buffer underflow in QuickTime in Apple Mac OS X before 10.7.4 allows r ...) NOT-FOR-US: Apple Mac OS X CVE-2012-0659 (Integer overflow in QuickTime in Apple Mac OS X before 10.7.4 allows r ...) NOT-FOR-US: Apple Mac OS X CVE-2012-0658 (Buffer overflow in QuickTime in Apple Mac OS X before 10.7.4 allows re ...) NOT-FOR-US: Apple Mac OS X CVE-2012-0657 (Quartz Composer in Apple Mac OS X before 10.7.4, when the RSS Visualiz ...) NOT-FOR-US: Apple Mac OS X CVE-2012-0656 (Race condition in LoginUIFramework in Apple Mac OS X 10.7.x before 10. ...) NOT-FOR-US: Apple Mac OS X CVE-2012-0655 (libsecurity in Apple Mac OS X before 10.7.4 does not properly restrict ...) NOT-FOR-US: Apple Mac OS X CVE-2012-0654 (libsecurity in Apple Mac OS X before 10.7.4 accesses uninitialized mem ...) NOT-FOR-US: Apple Mac OS X CVE-2012-0653 RESERVED CVE-2012-0652 (Login Window in Apple Mac OS X 10.7.3, when Legacy File Vault or netwo ...) NOT-FOR-US: Apple Mac OS X CVE-2012-0651 (The directory server in Directory Service in Apple Mac OS X 10.6.8 all ...) NOT-FOR-US: Apple Mac OS X CVE-2012-0650 (Buffer overflow in the DirectoryService Proxy in DirectoryService in A ...) NOT-FOR-US: Apple Mac OS X CVE-2012-0649 (Race condition in the initialization routine in blued in Bluetooth in ...) NOT-FOR-US: Apple Mac OS X CVE-2012-0648 (WebKit, as used in Apple iTunes before 10.6, allows man-in-the-middle ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0647 (WebKit in Apple Safari before 5.1.4 does not properly handle redirects ...) NOT-FOR-US: Apple Safari/ if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0646 (Format string vulnerability in VPN in Apple iOS before 5.1 allows remo ...) NOT-FOR-US: VPN in Apple iOS CVE-2012-0645 (Siri in Apple iOS before 5.1 does not properly restrict the ability of ...) NOT-FOR-US: Siri CVE-2012-0644 (Race condition in the Passcode Lock feature in Apple iOS before 5.1 al ...) NOT-FOR-US: Passcode Lock in Apple iOS CVE-2012-0643 (The kernel in Apple iOS before 5.1 does not properly handle debug syst ...) NOT-FOR-US: kernel in Apple iOS CVE-2012-0642 (Integer underflow in Apple iOS before 5.1 allows remote attackers to e ...) NOT-FOR-US: Apple iOS CVE-2012-0641 (CFNetwork in Apple iOS before 5.1 does not properly construct request ...) NOT-FOR-US: Apple iOS CVE-2012-0640 (WebKit in Apple Safari before 5.1.4 does not properly implement "From ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0639 (WebKit, as used in Apple iTunes before 10.6, allows man-in-the-middle ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0638 (WebKit, as used in Apple iTunes before 10.6, allows man-in-the-middle ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0637 (WebKit, as used in Apple iTunes before 10.6, allows man-in-the-middle ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0636 (WebKit, as used in Apple iTunes before 10.6, allows man-in-the-middle ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0635 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0634 (WebKit, as used in Apple iTunes before 10.6, allows man-in-the-middle ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0633 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0632 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0631 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0630 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0629 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0628 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0627 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0626 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0625 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0624 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0623 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0622 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0621 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0620 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0619 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0618 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0617 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0616 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0615 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0614 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0613 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0612 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0611 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0610 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0609 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0608 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0607 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0606 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0605 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0604 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0603 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0602 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0601 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0600 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0599 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0598 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0597 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0596 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0595 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0594 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0593 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0592 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0591 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0590 (Cross-site scripting (XSS) vulnerability in WebKit, as used in Apple i ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0589 (Cross-site scripting (XSS) vulnerability in WebKit, as used in Apple i ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0588 (Cross-site scripting (XSS) vulnerability in WebKit, as used in Apple i ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0587 (Cross-site scripting (XSS) vulnerability in WebKit, as used in Apple i ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0586 (Cross-site scripting (XSS) vulnerability in WebKit, as used in Apple i ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0585 (The Private Browsing feature in Safari in Apple iOS before 5.1 allows ...) NOT-FOR-US: Apple Safari/iTunes if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2012-0584 (The Internationalized Domain Name (IDN) feature in Apple Safari before ...) NOT-FOR-US: Apple Safari CVE-2012-0583 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2496-1} - mysql-5.1 5.1.62-1 (bug #670636) - mysql-5.5 5.5.23-1 CVE-2012-0582 (Unspecified vulnerability in the Siebel Clinical component in Oracle I ...) NOT-FOR-US: Oracle Industry Applications CVE-2012-0581 (Unspecified vulnerability in the Oracle Agile component in Oracle Supp ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2012-0580 (Unspecified vulnerability in the Oracle Agile PLM for Process componen ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2012-0579 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking com ...) NOT-FOR-US: Oracle Financial Services Software CVE-2012-0578 (Unspecified vulnerability in the Server component in Oracle MySQL 5.5. ...) - mysql-5.1 (Only affects 5.5) - mysql-5.5 5.5.29+dfsg-1 CVE-2012-0577 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking com ...) NOT-FOR-US: Oracle Financial Services Software CVE-2012-0576 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle Financial Services Software CVE-2012-0575 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking com ...) NOT-FOR-US: Oracle Financial Services Software CVE-2012-0574 (Unspecified vulnerability in the Server component in Oracle MySQL 5.1. ...) {DSA-2780-1} - mysql-5.1 - mysql-5.5 5.5.29+dfsg-1 CVE-2012-0573 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking com ...) NOT-FOR-US: Oracle Financial Services Software CVE-2012-0572 (Unspecified vulnerability in the Server component in Oracle MySQL 5.1. ...) {DSA-2780-1} - mysql-5.1 - mysql-5.5 5.5.29+dfsg-1 CVE-2012-0571 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking com ...) NOT-FOR-US: Oracle Financial Services Software CVE-2012-0570 (Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 allow ...) NOT-FOR-US: Solaris CVE-2012-0569 (Unspecified vulnerability Oracle Sun Solaris 10 allows local users to ...) NOT-FOR-US: Oracle Sun Solaris CVE-2012-0568 (Unspecified vulnerability in Oracle Sun Solaris 8, 9, and 10 allows lo ...) NOT-FOR-US: Solaris CVE-2012-0567 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking com ...) NOT-FOR-US: Oracle Financial Services Software CVE-2012-0566 (Unspecified vulnerability in the Oracle Agile component in Oracle Supp ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2012-0565 (Unspecified vulnerability in the Oracle Agile component in Oracle Supp ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2012-0564 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-0563 (Unspecified vulnerability in Oracle Solaris 9, 10, and 11 allows local ...) NOT-FOR-US: Oracle Solaris CVE-2012-0562 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-0561 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-0560 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-0559 (Unspecified vulnerability in the PeopleSoft Enterprise SCM component i ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-0558 (Unspecified vulnerability in the Primavera P6 Enterprise Project Portf ...) NOT-FOR-US: Oracle Primavera Products Suite CVE-2012-0557 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-0556 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-0555 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-0554 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-0553 (Buffer overflow in yaSSL, as used in MySQL 5.1.x before 5.1.68 and 5.5 ...) {DSA-2780-1} - mysql-5.1 (bug #712059) - mysql-5.5 5.5.28+dfsg-1 - cyassl (Fixed before initial upload to archive) NOTE: https://blogs.oracle.com/sunsecurity/entry/cve_2012_0553_buffer_overflow CVE-2012-0552 (Unspecified vulnerability in the Oracle Spatial component in Oracle Da ...) NOT-FOR-US: Oracle Database Server CVE-2012-0551 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Ora ...) - glassfish (Debian only builds some core libs, not the full application stack) - openjdk-6 (specific to Oracle Java) - openjdk-7 (specific to Oracle Java) CVE-2012-0550 (Unspecified vulnerability in the GlassFish Enterprise Server component ...) - glassfish (Debian only builds some core libs, not the full application stack) CVE-2012-0549 (Unspecified vulnerability in the Oracle AutoVue Office component in Or ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2012-0548 (Unspecified vulnerability in Oracle SPARC Enterprise M Series Servers ...) NOT-FOR-US: Oracle SPARC Enterprise M Series Servers XCP 1110 CVE-2012-0547 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-7 7u3-2.1.2-1 (low) - openjdk-6 6b24-1.11.4-1 (low) CVE-2012-0546 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking com ...) NOT-FOR-US: Oracle Financial Services Software CVE-2012-0545 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking com ...) NOT-FOR-US: Oracle Financial Services Software CVE-2012-0544 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking com ...) NOT-FOR-US: Oracle Financial Services Software CVE-2012-0543 (Unspecified vulnerability in the BI Publisher (formerly XML Publisher) ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-0542 (Unspecified vulnerability in the Oracle iStore component in Oracle E-B ...) NOT-FOR-US: Oracle E-Business Suite CVE-2012-0541 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle Financial Services Software CVE-2012-0540 (Unspecified vulnerability in Oracle MySQL Server 5.1.62 and earlier an ...) {DSA-2496-1} - mysql-5.1 (bug #682212) - mysql-5.5 5.5.24+dfsg-1 (bug #682210) CVE-2012-0539 (Unspecified vulnerability in Oracle Sun Solaris 8, 9, and 10 allows lo ...) NOT-FOR-US: Oracle Sun Solaris CVE-2012-0538 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-0537 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2012-0536 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-0535 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2012-0534 (Unspecified vulnerability in the RDBMS Core component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2012-0533 (Unspecified vulnerability in the PeopleSoft Enterprise FCSM component ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-0532 (Unspecified vulnerability in the Identity Manager component in Oracle ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-0531 (Unspecified vulnerability in the PeopleSoft Enterprise Portal componen ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-0530 (Unspecified vulnerability in the PeopleSoft Enterprise SCM component i ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-0529 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-0528 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle Database Server CVE-2012-0527 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle Database Server CVE-2012-0526 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle Database Server CVE-2012-0525 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle Database Server CVE-2012-0524 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-0523 (Unspecified vulnerability in the Oracle Grid Engine component in Oracl ...) - gridengine 6.2u5-7.1 [squeeze] - gridengine (Unsupported in squeeze-lts) NOTE: http://www.securityfocus.com/bid/53132 NOTE: http://gridscheduler.sourceforge.net/security.html CVE-2012-0522 (Unspecified vulnerability in the Oracle JDeveloper component in Oracle ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-0521 (Unspecified vulnerability in the PeopleSoft Enterprise HCM component i ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-0520 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle Database Server CVE-2012-0519 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2012-0518 (Unspecified vulnerability in the Oracle Application Server Single Sign ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-0517 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-0516 (Unspecified vulnerability in the Oracle iPlanet Web Server component i ...) NOT-FOR-US: Oracle Sun Products Suite CVE-2012-0515 (Unspecified vulnerability in the Identity Manager Connector component ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-0514 (Unspecified vulnerability in the PeopleSoft Enterprise CRM component i ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-0513 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2012-0512 (Unspecified vulnerability in the Enterprise Manager Base Platform comp ...) NOT-FOR-US: Oracle Database Server CVE-2012-0511 (Unspecified vulnerability in the OCI component in Oracle Database Serv ...) NOT-FOR-US: Oracle Database Server CVE-2012-0510 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2012-0509 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking compon ...) NOT-FOR-US: Oracle Financial Services Software CVE-2012-0508 (Unspecified vulnerability in the JavaFX component in Oracle Java SE Ja ...) - openjdk-6 (JavaFX not part of OpenJDK) - openjdk-7 (JavaFX not part of OpenJDK) - sun-java6 [squeeze] - sun-java6 (Non-free not supported) CVE-2012-0507 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2420-1} - openjdk-6 6b24-1.11.1-1 - openjdk-7 7~u3-2.1-1 - sun-java6 [squeeze] - sun-java6 (Non-free not supported) NOTE: Replacement for misused CVE-2011-3571. CVE-2012-0506 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2420-1} - openjdk-6 6b24-1.11.1-1 - openjdk-7 7~u3-2.1-1 - sun-java6 [squeeze] - sun-java6 (Non-free not supported) CVE-2012-0505 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2420-1} - openjdk-6 6b24-1.11.1-1 - openjdk-7 7~u3-2.1-1 CVE-2012-0504 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - openjdk-6 (Only applies to the Windows-specific update tool) - openjdk-7 (Only applies to the Windows-specific update tool) - sun-java6 (Only applies to the Windows-specific update tool) CVE-2012-0503 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2420-1} - openjdk-6 6b24-1.11.1-1 - openjdk-7 7~u3-2.1-1 - sun-java6 [squeeze] - sun-java6 (Non-free not supported) CVE-2012-0502 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2420-1} - openjdk-6 6b24-1.11.1-1 - openjdk-7 7~u3-2.1-1 - sun-java6 [squeeze] - sun-java6 (Non-free not supported) CVE-2012-0501 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2420-1} - openjdk-6 6b24-1.11.1-1 - openjdk-7 7~u3-2.1-1 - sun-java6 [squeeze] - sun-java6 (Non-free not supported) CVE-2012-0500 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - sun-java6 [squeeze] - sun-java6 (Non-free not supported) NOTE: OpenJDK browser plugin is a different code base. CVE-2012-0499 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - sun-java6 [squeeze] - sun-java6 (Non-free not supported) NOTE: According to the Red Hat bug tracker, this vulnerability does not affect Iced Tea/OpenJDK. CVE-2012-0498 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) - sun-java6 [squeeze] - sun-java6 (Non-free not supported) NOTE: According to the Red Hat bug tracker, this vulnerability does not affect Iced Tea/OpenJDK. CVE-2012-0497 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2420-1} - openjdk-6 6b24-1.11.1-1 - openjdk-7 7~u3-2.1-1 - sun-java6 [squeeze] - sun-java6 (Non-free not supported) CVE-2012-0496 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.1 (Only affects MySQL 5.5 from experimental) CVE-2012-0495 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.1 (Only affects MySQL 5.5 from experimental) CVE-2012-0494 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.1 (Only affects MySQL 5.5 from experimental) CVE-2012-0493 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.1 (Only affects MySQL 5.5 from experimental) CVE-2012-0492 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2429-1} - mysql-5.1 5.1.61-2 (bug #659687) CVE-2012-0491 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.1 (Only affects MySQL 5.5 from experimental) CVE-2012-0490 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2429-1} - mysql-5.1 5.1.61-2 (bug #659687) CVE-2012-0489 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.1 (Only affects MySQL 5.5 from experimental) CVE-2012-0488 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.1 (Only affects MySQL 5.5 from experimental) CVE-2012-0487 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.1 (Only affects MySQL 5.5 from experimental) CVE-2012-0486 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.1 (Only affects MySQL 5.5 from experimental) CVE-2012-0485 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2429-1} - mysql-5.1 5.1.61-2 (bug #659687) CVE-2012-0484 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2429-1} - mysql-5.1 5.1.61-2 (bug #659687) CVE-2012-0483 RESERVED CVE-2012-0482 RESERVED CVE-2012-0481 RESERVED CVE-2012-0480 RESERVED CVE-2011-5059 (Stack-based buffer overflow in Final Draft 8 before 8.02 allows remote ...) NOT-FOR-US: Final Draft CVE-2011-5058 (The CmbWebserver.dll module of the Control service in 3S CoDeSys 3.4 S ...) NOT-FOR-US: 3S CoDeSys CVE-2012-0479 (Mozilla Firefox 4.x through 11.0, Firefox ESR 10.x before 10.0.4, Thun ...) {DSA-2464-1 DSA-2458-1 DSA-2457-1} - icedove 10.0.4-1 [squeeze] - icedove (Vulnerable code not present) - iceweasel 10.0.4esr-1 [squeeze] - iceweasel (Vulnerable code not present) - iceape 2.7.4-1 [squeeze] - iceape (Vulnerable code not present) CVE-2012-0478 (The texImage2D implementation in the WebGL subsystem in Mozilla Firefo ...) - icedove 10.0.4-1 [squeeze] - icedove (Vulnerable code not present) - iceweasel 10.0.4esr-1 [squeeze] - iceweasel (Vulnerable code not present) - iceape 2.7.4-1 [squeeze] - iceape (Vulnerable code not present) CVE-2012-0477 (Multiple cross-site scripting (XSS) vulnerabilities in Mozilla Firefox ...) {DSA-2464-1 DSA-2458-1 DSA-2457-1} - icedove 10.0.4-1 [squeeze] - icedove (Vulnerable code not present) - iceweasel 10.0.4esr-1 [squeeze] - iceweasel (Vulnerable code not present) - iceape 2.7.4-1 [squeeze] - iceape (Vulnerable code not present) CVE-2012-0476 RESERVED CVE-2012-0475 (Mozilla Firefox 4.x through 11.0, Thunderbird 5.0 through 11.0, and Se ...) - icedove 10.0.4-1 [wheezy] - icedove (Minor issue, also not fixed in ESV branch) [squeeze] - icedove (Minor issue, also not fixed in ESV branch) - iceweasel 12.0-1 (low; bug #703071) [squeeze] - iceweasel (Minor issue, also not fixed in ESV branch) [wheezy] - iceweasel (Minor issue, also not fixed in ESV branch) - iceape (low) [squeeze] - iceape (Minor issue, also not fixed in ESV branch) [wheezy] - iceape (Minor issue, also not fixed in ESV branch) NOTE: Fixed in Thunderbird 12 and Seamonkey 2.9 CVE-2012-0474 (Cross-site scripting (XSS) vulnerability in the docshell implementatio ...) - icedove 10.0.4-1 [squeeze] - icedove (Vulnerable code not present) - iceweasel 10.0.4esr-1 [squeeze] - iceweasel (Vulnerable code not present) - iceape 2.7.4-1 [squeeze] - iceape (Vulnerable code not present) CVE-2012-0473 (The WebGLBuffer::FindMaxUshortElement function in Mozilla Firefox 4.x ...) - icedove 10.0.4-1 [squeeze] - icedove (Vulnerable code not present) - iceweasel 10.0.4esr-1 [squeeze] - iceweasel (Vulnerable code not present) - iceape 2.7.4-1 [squeeze] - iceape (Vulnerable code not present) CVE-2012-0472 (The cairo-dwrite implementation in Mozilla Firefox 4.x through 11.0, F ...) - icedove (Windows-specific) - iceweasel (Windows-specific) - iceape (Windows-specific) CVE-2012-0471 (Cross-site scripting (XSS) vulnerability in Mozilla Firefox 4.x throug ...) {DSA-2464-1 DSA-2458-1 DSA-2457-1} - icedove 10.0.4-1 [squeeze] - icedove (Vulnerable code not present) - iceweasel 10.0.4esr-1 [squeeze] - iceweasel (Vulnerable code not present) - iceape 2.7.4-1 [squeeze] - iceape (Vulnerable code not present) CVE-2012-0470 (Heap-based buffer overflow in the nsSVGFEDiffuseLightingElement::Light ...) {DSA-2464-1 DSA-2458-1 DSA-2457-1} - icedove 10.0.4-1 [squeeze] - icedove (Vulnerable code not present) - iceweasel 10.0.4esr-1 [squeeze] - iceweasel (Vulnerable code not present) - iceape 2.7.4-1 [squeeze] - iceape (Vulnerable code not present) CVE-2012-0469 (Use-after-free vulnerability in the mozilla::dom::indexedDB::IDBKeyRan ...) - icedove 10.0.4-1 [squeeze] - icedove (Vulnerable code not present) - iceweasel 10.0.4esr-1 [squeeze] - iceweasel (Vulnerable code not present) - iceape 2.7.4-1 [squeeze] - iceape (Vulnerable code not present) CVE-2012-0468 (The browser engine in Mozilla Firefox 4.x through 11.0, Thunderbird 5. ...) - icedove (Only affects Firefox 11 and above) - iceweasel (Only affects Firefox 11 and above) - iceape (Only affects Firefox 11 and above) CVE-2012-0467 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2464-1 DSA-2458-1 DSA-2457-1} - icedove 10.0.4-1 [squeeze] - icedove (Vulnerable code not present) - iceweasel 10.0.4esr-1 [squeeze] - iceweasel (Vulnerable code not present) - iceape 2.7.4-1 [squeeze] - iceape (Vulnerable code not present) CVE-2012-0466 (template/en/default/list/list.js.tmpl in Bugzilla 2.x and 3.x before 3 ...) - bugzilla (low) - bugzilla4 (bug #669643) [squeeze] - bugzilla (Minor issue) CVE-2012-0465 (Bugzilla 3.5.x and 3.6.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, a ...) - bugzilla (low) - bugzilla4 (bug #669643) [squeeze] - bugzilla (Minor issue) CVE-2012-0464 (Use-after-free vulnerability in the browser engine in Mozilla Firefox ...) - icedove 10.0.3-1 [squeeze] - icedove (Vulnerable code not present) - iceweasel 10.0.3esr-1 [squeeze] - iceweasel (Vulnerable code not present) - iceape 2.7.3-1 [squeeze] - iceape (Vulnerable code not present) CVE-2012-0463 (The nsWindow implementation in the browser engine in Mozilla Firefox b ...) - iceweasel (Only affects Firefox Mobile on Android) CVE-2012-0462 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - icedove 10.0.3-1 [squeeze] - icedove (Vulnerable code not present) - iceweasel 10.0.3esr-1 [squeeze] - iceweasel (Vulnerable code not present) - iceape 2.7.3-1 [squeeze] - iceape (Vulnerable code not present) CVE-2012-0461 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2458-1 DSA-2437-1 DSA-2433-1} - icedove 10.0.3-1 - iceweasel 10.0.3esr-1 - iceape 2.7.3-1 CVE-2012-0460 (Mozilla Firefox 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thun ...) - icedove 10.0.3-1 [squeeze] - icedove (Vulnerable code not present) - iceweasel 10.0.3esr-1 [squeeze] - iceweasel (Vulnerable code not present) - iceape 2.7.3-1 [squeeze] - iceape (Vulnerable code not present) CVE-2012-0459 (The Cascading Style Sheets (CSS) implementation in Mozilla Firefox 4.x ...) - icedove 10.0.3-1 [squeeze] - icedove (Vulnerable code not present) - iceweasel 10.0.3esr-1 [squeeze] - iceweasel (Vulnerable code not present) - iceape 2.7.3-1 [squeeze] - iceape (Vulnerable code not present) CVE-2012-0458 (Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x b ...) {DSA-2458-1 DSA-2437-1 DSA-2433-1} - icedove 10.0.3-1 - iceweasel 10.0.3esr-1 - iceape 2.7.3-1 CVE-2012-0457 (Use-after-free vulnerability in the nsSMILTimeValueSpec::ConvertBetwee ...) - icedove 10.0.3-1 [squeeze] - icedove (Vulnerable code not present) - iceweasel 10.0.3esr-1 [squeeze] - iceweasel (Vulnerable code not present) - iceape 2.7.3-1 [squeeze] - iceape (Vulnerable code not present) CVE-2012-0456 (The SVG Filters implementation in Mozilla Firefox before 3.6.28 and 4. ...) {DSA-2458-1 DSA-2437-1 DSA-2433-1} - icedove 10.0.3-1 - iceweasel 10.0.3esr-1 - iceape 2.7.3-1 CVE-2012-0455 (Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x b ...) {DSA-2458-1 DSA-2437-1 DSA-2433-1} - icedove 10.0.3-1 - iceweasel 10.0.3esr-1 - iceape 2.7.3-1 CVE-2012-0454 (Use-after-free vulnerability in Mozilla Firefox 4.x through 10.0, Fire ...) - iceweasel (Only affects Firefox on Windows) CVE-2012-0453 (Cross-site request forgery (CSRF) vulnerability in xmlrpc.cgi in Bugzi ...) - bugzilla - bugzilla4 (bug #669643) [squeeze] - bugzilla (Minor issue) CVE-2012-0452 (Use-after-free vulnerability in Mozilla Firefox 10.x before 10.0.1, Th ...) - icedove (Introduced in Thunderbird 10) - iceweasel 10.0.1-1 [squeeze] - iceweasel (Only affects Firefox >= 10) - iceape (Vulnerable version never uploaded to the archive) CVE-2012-0451 (CRLF injection vulnerability in Mozilla Firefox 4.x through 10.0, Fire ...) - icedove 10.0.3-1 [squeeze] - icedove (CSP introduced in Thunderbird 3.3) - iceweasel 10.0.3esr-1 [squeeze] - iceweasel (CSP introduced in Firefox 4) - iceape 2.7.3-1 [squeeze] - iceape (CSP introduced in Seamonkey 2.1) CVE-2012-0450 (Mozilla Firefox 4.x through 9.0 and SeaMonkey before 2.7 on Linux and ...) - icedove 10.0.3-1 [squeeze] - icedove (Only affects Firefox >= 4) - xulrunner (Only affects Firefox >= 4) - iceweasel 10.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) CVE-2012-0449 (Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before ...) {DSA-2406-1 DSA-2402-1 DSA-2400-1} - icedove 10.0.3-1 [lenny] - icedove - xulrunner (unimportant) - iceweasel 10.0-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-10 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2012-0448 (Bugzilla 2.x and 3.x before 3.4.14, 3.5.x and 3.6.x before 3.6.8, 3.7. ...) - bugzilla (low) - bugzilla4 (bug #669643) [squeeze] - bugzilla (Minor issue) CVE-2012-0447 (Mozilla Firefox 4.x through 9.0, Thunderbird 5.0 through 9.0, and SeaM ...) - icedove 10.0.3-1 [squeeze] - icedove (Only affects Firefox >= 4) - xulrunner (Only affects Firefox >= 4) - iceweasel 10.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) CVE-2012-0446 (Multiple cross-site scripting (XSS) vulnerabilities in Mozilla Firefox ...) - icedove 10.0.3-1 [squeeze] - icedove (Only affects Firefox >= 4) - xulrunner (Only affects Firefox >= 4) - iceweasel 10.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) CVE-2012-0445 (Mozilla Firefox 4.x through 9.0, Thunderbird 5.0 through 9.0, and SeaM ...) - icedove 10.0.3-1 [squeeze] - icedove (Only affects Firefox >= 4) - xulrunner (Only affects Firefox >= 4) - iceweasel 10.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) CVE-2012-0444 (Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before ...) {DSA-2412-1 DSA-2406-1 DSA-2402-1 DSA-2400-1} - libvorbisidec 1.0.2+svn18153-0.1 (bug #669196) [squeeze] - libvorbisidec (Minor issue, no dev-deps) - libvorbis 1.3.2-1.2 (bug #664197) - icedove 10.0.3-1 [lenny] - icedove (Vulnerable code not present) - xulrunner (Vulnerable code not present) - iceweasel 10.0-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-10 [lenny] - iceape (Only a stub package) CVE-2012-0443 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - xulrunner (Only affects Firefox >= 4) - iceweasel 10.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) CVE-2012-0442 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2406-1 DSA-2402-1 DSA-2400-1} - icedove 10.0.3-1 [lenny] - icedove - xulrunner (unimportant) - iceweasel 10.0-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-10 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2012-0441 (The ASN.1 decoder in the QuickDER decoder in Mozilla Network Security ...) {DSA-2490-1} - nss 3.13.4-1 CVE-2012-0440 (Cross-site request forgery (CSRF) vulnerability in jsonrpc.cgi in Bugz ...) - bugzilla (low) - bugzilla4 (bug #669643) [squeeze] - bugzilla (Minor issue) CVE-2012-0439 (An ActiveX control in gwcls1.dll in the client in Novell GroupWise 8.0 ...) NOT-FOR-US: GroupWise CVE-2012-0438 RESERVED CVE-2012-0437 RESERVED CVE-2012-0436 RESERVED CVE-2012-0435 (SUSE WebYaST before 1.2 0.2.63-0.6.1 allows remote attackers to modify ...) NOT-FOR-US: YAST CVE-2012-0434 (The server in Crowbar, as used in SUSE Cloud 1.0, uses weak permission ...) NOT-FOR-US: Crowbar CVE-2012-0433 (The install-chef-suse.sh script shipped with crowbar before 2012-10-02 ...) NOT-FOR-US: crowbar CVE-2012-0432 (Stack-based buffer overflow in the Novell NCP implementation in NetIQ ...) NOT-FOR-US: NetIQ eDirectory CVE-2012-0431 RESERVED CVE-2012-0430 (Unspecified vulnerability in NetIQ eDirectory 8.8.6.x before 8.8.6.7 a ...) NOT-FOR-US: NetIQ eDirectory CVE-2012-0429 (dhost in NetIQ eDirectory 8.8.6.x before 8.8.6.7 and 8.8.7.x before 8. ...) NOT-FOR-US: NetIQ eDirectory CVE-2012-0428 (Cross-site scripting (XSS) vulnerability in NetIQ eDirectory 8.8.6.x b ...) NOT-FOR-US: NetIQ eDirectory CVE-2012-0427 (yast2-add-on-creator in SUSE inst-source-utils 2008.11.26 before 2008. ...) NOT-FOR-US: inst-source-utils CVE-2012-0426 (Race condition in sap_suse_cluster_connector before 1.0.0-0.8.1 in SUS ...) NOT-FOR-US: SUSE Linux Enterprise for SAP Applications CVE-2012-0425 (LanItems.ycp in save_y2logs in yast2-network before 2.24.4 in SUSE YaS ...) NOT-FOR-US: SUSE YaST CVE-2012-0424 RESERVED CVE-2012-0423 RESERVED CVE-2012-0422 RESERVED CVE-2012-0421 (The SUSE Audit Log Keeper daemon before 0.2.1-0.4.6.1 for SUSE Manager ...) NOT-FOR-US: SUSE Audit Log Keeper daemon CVE-2012-0420 (zypp-refresh-wrapper in SUSE Zypper before 1.3.20 and 1.6.x before 1.6 ...) NOT-FOR-US: SUSE Zypper CVE-2012-0419 (Directory traversal vulnerability in the agent HTTP interfaces in Nove ...) NOT-FOR-US: Novell GroupWise CVE-2012-0418 (Unspecified vulnerability in the client in Novell GroupWise 8.0 before ...) NOT-FOR-US: Novell GroupWise CVE-2012-0417 (Integer overflow in GroupWise Internet Agent (GWIA) in Novell GroupWis ...) NOT-FOR-US: Novell GroupWise CVE-2012-0416 RESERVED CVE-2012-0415 RESERVED CVE-2012-0414 (Cross-site scripting (XSS) vulnerability in the Spacewalk service in S ...) NOT-FOR-US: SuSE extension to Spacewalk CVE-2012-0413 RESERVED CVE-2012-0412 RESERVED CVE-2012-0411 (Unspecified vulnerability in Novell iPrint Client before 5.82 allows r ...) NOT-FOR-US: Novell iPrint Client CVE-2012-0410 (Directory traversal vulnerability in WebAccess in Novell GroupWise bef ...) NOT-FOR-US: Groupwise CVE-2012-0409 (Multiple buffer overflows in EMC AutoStart 5.3.x and 5.4.x before 5.4. ...) NOT-FOR-US: EMC CVE-2012-0408 REJECTED CVE-2012-0407 (Integer overflow in the DPA_Utilities library in EMC Data Protection A ...) NOT-FOR-US: emc.com Data Protection Advisor CVE-2012-0406 (The DPA_Utilities.cProcessAuthenticationData function in EMC Data Prot ...) NOT-FOR-US: emc.com Data Protection Advisor CVE-2012-0405 REJECTED CVE-2012-0404 (Cross-site scripting (XSS) vulnerability in EMC Documentum eRoom befor ...) NOT-FOR-US: EMC Documentum eRoom CVE-2012-0403 (Directory traversal vulnerability in EMC RSA enVision 4.x before 4.1 P ...) NOT-FOR-US: EMC RSA enVision CVE-2012-0402 (EMC RSA enVision 4.x before 4.1 Patch 4 uses unspecified hardcoded cre ...) NOT-FOR-US: EMC RSA enVision CVE-2012-0401 (Multiple SQL injection vulnerabilities in EMC RSA enVision 4.x before ...) NOT-FOR-US: EMC RSA enVision CVE-2012-0400 (EMC RSA enVision 4.x before 4.1 Patch 4 does not properly restrict the ...) NOT-FOR-US: EMC RSA enVision CVE-2012-0399 (Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA enVisio ...) NOT-FOR-US: EMC RSA enVision CVE-2012-0398 (EMC Documentum eRoom before 7.4.4 does not properly validate session c ...) NOT-FOR-US: EMC Documentum eRoom CVE-2012-0397 (Buffer overflow in EMC RSA SecurID Software Token Converter before 2.6 ...) NOT-FOR-US: EMC RSA SecurID Software Token Converter CVE-2012-0396 (EMC Documentum xPlore 1.0, 1.1 before P07, and 1.2 does not properly e ...) NOT-FOR-US: EMC CVE-2012-0395 (Buffer overflow in the server in EMC NetWorker 7.5.x and 7.6.x before ...) NOT-FOR-US: EMC CVE-2012-0394 (** DISPUTED ** The DebuggingInterceptor component in Apache Struts bef ...) - libstruts1.2-java (Affects Struts 2, #657870) CVE-2012-0393 (The ParameterInterceptor component in Apache Struts before 2.3.1.1 doe ...) - libstruts1.2-java (Affects Struts 2, #657870) CVE-2012-0392 (The CookieInterceptor component in Apache Struts before 2.3.1.1 does n ...) - libstruts1.2-java (Affects Struts 2, #657870) CVE-2012-0391 (The ExceptionDelegator component in Apache Struts before 2.2.3.1 inter ...) - libstruts1.2-java (Affects Struts 2, #657870) CVE-2011-5057 (Apache Struts 2.3.1.2 and earlier, 2.3.19-2.3.23, provides interfaces ...) - libstruts1.2-java (Affects Struts 2, #657870) CVE-2011-5056 (The authoritative server in MaraDNS through 2.0.04 computes hash value ...) - maradns (Only affects 2.x, see #653838) CVE-2011-5055 (MaraDNS 1.3.07.12 and 1.4.08 computes hash values for DNS data without ...) - maradns 1.4.09-1 (low) [squeeze] - maradns (Minor issue) CVE-2011-5054 (kcheckpass passes a user-supplied argument to the pam_start function, ...) - kdebase-workspace (unimportant) NOTE: the kcheckpass utility is not present in sid (still present in src package, will check with KDE maints) NOTE: Not exploitable without OpenPAM CVE-2011-5053 (The Wi-Fi Protected Setup (WPS) protocol, when the "external registrar ...) NOT-FOR-US: This vulnerability affects a protocol, not a product. More information can be found at http://www.kb.cert.org/vuls/id/723755 . All products listed there are not part of Debian. CVE-2012-0390 (The DTLS implementation in GnuTLS 3.0.10 and earlier executes certain ...) - gnutls28 3.0.11-1 - gnutls26 (lacks DTLS support and is not affected) CVE-2012-0389 (Cross-site scripting (XSS) vulnerability in ForgottenPassword.aspx in ...) NOT-FOR-US: MailEnable Professional CVE-2012-0388 (Memory leak in the H.323 inspection feature in the Zone-Based Firewall ...) NOT-FOR-US: Cisco IOS CVE-2012-0387 (Memory leak in the HTTP Inspection Engine feature in the Zone-Based Fi ...) NOT-FOR-US: Cisco IOS CVE-2012-0386 (The SSHv2 implementation in Cisco IOS 12.2, 12.4, 15.0, 15.1, and 15.2 ...) NOT-FOR-US: Cisco IOS CVE-2012-0385 (The Smart Install feature in Cisco IOS 12.2, 15.0, 15.1, and 15.2 allo ...) NOT-FOR-US: Cisco IOS CVE-2012-0384 (Cisco IOS 12.2 through 12.4 and 15.0 through 15.2 and IOS XE 2.1.x thr ...) NOT-FOR-US: Cisco IOS CVE-2012-0383 (Memory leak in the NAT feature in Cisco IOS 12.4, 15.0, and 15.1 allow ...) NOT-FOR-US: Cisco IOS CVE-2012-0382 (The Multicast Source Discovery Protocol (MSDP) implementation in Cisco ...) NOT-FOR-US: Cisco IOS CVE-2012-0381 (The IKEv1 implementation in Cisco IOS 12.2 through 12.4 and 15.0 throu ...) NOT-FOR-US: Cisco IOS CVE-2012-0380 RESERVED CVE-2012-0379 RESERVED CVE-2012-0378 (Cisco Adaptive Security Appliances (ASA) 5500 series devices with soft ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2012-0377 RESERVED CVE-2012-0376 (The voice-sipstack component in Cisco Unified Communications Manager ( ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2012-0375 RESERVED CVE-2012-0374 RESERVED CVE-2012-0373 RESERVED CVE-2012-0372 RESERVED CVE-2012-0371 (Cisco Wireless LAN Controller (WLC) devices with software 4.x, 5.x, 6. ...) NOT-FOR-US: Cisco Wireless LAN Controller CVE-2012-0370 (Cisco Wireless LAN Controller (WLC) devices with software 4.x, 5.x, 6. ...) NOT-FOR-US: Cisco Wireless LAN Controller CVE-2012-0369 (Cisco Wireless LAN Controller (WLC) devices with software 6.0 and 7.0 ...) NOT-FOR-US: Cisco Wireless LAN Controller CVE-2012-0368 (The administrative management interface on Cisco Wireless LAN Controll ...) NOT-FOR-US: Cisco Wireless LAN Controller CVE-2012-0367 (Cisco Unity Connection before 7.1.5b(Su5), 8.0 and 8.5 before 8.5.1(Su ...) NOT-FOR-US: Cisco Unity Connection CVE-2012-0366 (Cisco Unity Connection before 7.1.3b(Su2) allows remote authenticated ...) NOT-FOR-US: Cisco Unity Connection CVE-2012-0365 (Directory traversal vulnerability in the Local TFTP file-upload applic ...) NOT-FOR-US: Cisco SRP 520 series devices CVE-2012-0364 (Cisco SRP 520 series devices with firmware before 1.1.26 and SRP 520W- ...) NOT-FOR-US: Cisco SRP devices CVE-2012-0363 (The web interface on Cisco SRP 520 series devices with firmware before ...) NOT-FOR-US: Cisco SRP devices CVE-2012-0362 (The extended ACL functionality in Cisco IOS 12.2(58)SE2 and 15.0(1)SE ...) NOT-FOR-US: Cisco IOS CVE-2012-0361 (The sccp-protocol component in Cisco IP Communicator (CIPC) 7.0 throug ...) NOT-FOR-US: Cisco CVE-2012-0360 (Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is ena ...) NOT-FOR-US: Cisco IOS CVE-2012-0359 (The Cisco Cius with software before 9.2(1) SR2 allows remote attackers ...) NOT-FOR-US: Cisco Cius CVE-2012-0358 (Buffer overflow in the Cisco Port Forwarder ActiveX control in cscopf. ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2012-0357 RESERVED CVE-2012-0356 (Cisco Adaptive Security Appliances (ASA) 5500 series devices, and the ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2012-0355 (Cisco Adaptive Security Appliances (ASA) 5500 series devices, and the ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2012-0354 (The Threat Detection feature on Cisco Adaptive Security Appliances (AS ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2012-0353 (The UDP inspection engine on Cisco Adaptive Security Appliances (ASA) ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2012-0352 (Cisco NX-OS 4.2.x before 4.2(1)SV1(5.1) on Nexus 1000v series switches ...) NOT-FOR-US: Cisco NX-OS CVE-2012-0351 RESERVED CVE-2012-0350 RESERVED CVE-2012-0349 RESERVED CVE-2012-0348 RESERVED CVE-2012-0347 RESERVED CVE-2012-0346 RESERVED CVE-2012-0345 RESERVED CVE-2012-0344 RESERVED CVE-2012-0343 RESERVED CVE-2012-0342 RESERVED CVE-2012-0341 RESERVED CVE-2012-0340 (Cross-site scripting (XSS) vulnerability in the management interface o ...) NOT-FOR-US: Cisco IronPort Encryption Appliance CVE-2012-0339 (Cisco IOS 12.2 through 12.4 and 15.0 does not recognize the vrf-also k ...) NOT-FOR-US: Cisco IOS CVE-2012-0338 (Cisco IOS 12.2 through 12.4 and 15.0 does not recognize the vrf-also k ...) NOT-FOR-US: Cisco IOS CVE-2012-0337 (SQL injection vulnerability in the web component in Cisco Unified Meet ...) NOT-FOR-US: Cisco CVE-2012-0336 RESERVED CVE-2012-0335 (Cisco Adaptive Security Appliances (ASA) 5500 series devices with soft ...) NOT-FOR-US: Cisco CVE-2012-0334 (Cisco IronPort Web Security Appliance AsyncOS software prior to 7.5 ha ...) NOT-FOR-US: Cisco CVE-2012-0333 (Cisco Small Business IP phones with SPA 500 series firmware 7.4.9 and ...) NOT-FOR-US: Cisco CVE-2012-0332 RESERVED CVE-2012-0331 (Cisco TelePresence Video Communication Server with software before X7. ...) NOT-FOR-US: Cisco TelePresence Video Communication Server CVE-2012-0330 (Cisco TelePresence Video Communication Server with software before X7. ...) NOT-FOR-US: Cisco TelePresence Video Communication Server CVE-2012-0329 (Cisco Digital Media Manager 5.2.2 and earlier, and 5.2.3, allows remot ...) NOT-FOR-US: Cisco Digital Media Manager CVE-2012-0328 (Janetter before 3.3.0.0 (aka 3.3.0) allows remote attackers to obtain ...) NOT-FOR-US: Janetter CVE-2012-0327 (Cross-site scripting (XSS) vulnerability in Redmine before 1.3.2 allow ...) - redmine 1.3.2+dfsg1-1 [squeeze] - redmine (Redmine not supported because of rails) NOTE: http://jvn.jp/en/jp/JVN93406632/ NOTE: patch unclear: difficult to find the patch in 1.3.2 release CVE-2012-0326 (The twicca application 0.7.0 through 0.9.30 for Android does not prope ...) NOT-FOR-US: twicca application for Android CVE-2012-0325 (Cross-site scripting (XSS) vulnerability in Jenkins before 1.454, Jenk ...) - jenkins 1.424.6+dfsg-1 CVE-2012-0324 (Cross-site scripting (XSS) vulnerability in Jenkins before 1.454, Jenk ...) - jenkins 1.424.6+dfsg-1 CVE-2012-0323 (Cross-site scripting (XSS) vulnerability in the Autocomplete plugin be ...) NOT-FOR-US: Autocomplete plugin for SquirrelMail CVE-2012-0322 (The EStrongs ES File Explorer application 1.6.0.2 through 1.6.1.1 for ...) NOT-FOR-US: EStrongs ES File Explorer CVE-2012-0321 (Unspecified vulnerability in the device driver in Kingsoft Internet Se ...) NOT-FOR-US: Kingsoft Internet Security 2011 CVE-2012-0320 (Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13 allow ...) {DSA-2423-1} - movabletype-opensource 5.1.3+dfsg-1 CVE-2012-0319 (The file-management system in Movable Type before 4.38, 5.0x before 5. ...) {DSA-2423-1} - movabletype-opensource 5.1.3+dfsg-1 CVE-2012-0318 (Multiple cross-site scripting (XSS) vulnerabilities in Movable Type be ...) {DSA-2423-1} - movabletype-opensource 5.1.3+dfsg-1 CVE-2012-0317 (Multiple cross-site request forgery (CSRF) vulnerabilities in Movable ...) {DSA-2423-1} - movabletype-opensource 5.1.3+dfsg-1 CVE-2012-0316 (The Cookpad 1.5.16 and earlier and Cookpad Noseru 1.1.1 and earlier ap ...) NOT-FOR-US: Cookpad CVE-2012-0315 (Untrusted search path vulnerability in ALFTP before 5.31 allows local ...) NOT-FOR-US: ALFTP CVE-2012-0314 (Multiple cross-site request forgery (CSRF) vulnerabilities on the eAcc ...) NOT-FOR-US: eAccess Pocket WiFi CVE-2012-0313 (Cross-site scripting (XSS) vulnerability in glucose 2 before stage 6.2 ...) NOT-FOR-US: glucose CVE-2012-0312 (Cross-site scripting (XSS) vulnerability in osCommerce 2.2MS1J before ...) NOT-FOR-US: osCommerce CVE-2012-0311 (Cross-site scripting (XSS) vulnerability in osCommerce 2.2MS1J before ...) NOT-FOR-US: osCommerce CVE-2012-0310 (CRLF injection vulnerability in Cogent DataHub 7.1.2 and earlier, Casc ...) NOT-FOR-US: Cogent DataHub CVE-2012-0309 (Cross-site scripting (XSS) vulnerability in Cogent DataHub 7.1.2 and e ...) NOT-FOR-US: Cogent DataHub CVE-2012-0308 (Cross-site request forgery (CSRF) vulnerability in Symantec Messaging ...) NOT-FOR-US: Symantec Messaging Gateway CVE-2012-0307 (Multiple cross-site scripting (XSS) vulnerabilities in Symantec Messag ...) NOT-FOR-US: Symantec Messaging Gateway CVE-2012-0306 (Symantec Ghost Solution Suite 2.x through 2.5.1 allows remote attacker ...) NOT-FOR-US: Symantec Ghost Solution Suite CVE-2012-0305 (Untrusted search path vulnerability in Symantec System Recovery 2011 b ...) NOT-FOR-US: Symantec System Recovery 2011 before SP2 and Backup Exec System Recovery 2010 before SP5 CVE-2012-0304 (Symantec LiveUpdate Administrator before 2.3.1 uses weak permissions ( ...) NOT-FOR-US: Symantec LiveUpdate Administrator CVE-2012-0303 (Multiple cross-site request forgery (CSRF) vulnerabilities in Brightma ...) NOT-FOR-US: Symantec Message Filter CVE-2012-0302 (Cross-site scripting (XSS) vulnerability in Brightmail Control Center ...) NOT-FOR-US: Symantec Message Filter CVE-2012-0301 (Session fixation vulnerability in Brightmail Control Center in Symante ...) NOT-FOR-US: Symantec Message Filter CVE-2012-0300 (Brightmail Control Center in Symantec Message Filter 6.3 does not prop ...) NOT-FOR-US: Symantec Message Filter CVE-2012-0299 (The file-management scripts in the management GUI in Symantec Web Gate ...) NOT-FOR-US: Symantec Web Gateway CVE-2012-0298 (The file-management scripts in the management GUI in Symantec Web Gate ...) NOT-FOR-US: Symantec Web Gateway CVE-2012-0297 (The management GUI in Symantec Web Gateway 5.0.x before 5.0.3 does not ...) NOT-FOR-US: Symantec Web Gateway CVE-2012-0296 (Multiple cross-site scripting (XSS) vulnerabilities in the management ...) NOT-FOR-US: Symantec Web Gateway CVE-2012-0295 (The Manager service in the management console in Symantec Endpoint Pro ...) NOT-FOR-US: Symantec Endpoint Protection CVE-2012-0294 (Directory traversal vulnerability in the Manager service in the manage ...) NOT-FOR-US: Symantec Endpoint Protection CVE-2012-0293 (Multiple SQL injection vulnerabilities in Symantec Altiris WISE Packag ...) NOT-FOR-US: Symantec Altiris WISE Package Studio CVE-2012-0292 (The awhost32 service in Symantec pcAnywhere through 12.5.3, Altiris IT ...) NOT-FOR-US: Symantec pcAnywhere CVE-2012-0291 (Symantec pcAnywhere through 12.5.3, Altiris IT Management Suite pcAnyw ...) NOT-FOR-US: pcAnywhere CVE-2012-0290 (Symantec pcAnywhere through 12.5.3, Altiris IT Management Suite pcAnyw ...) NOT-FOR-US: Symantec pcAnywhere CVE-2012-0289 (Buffer overflow in Symantec Endpoint Protection (SEP) 11.0.600x throug ...) NOT-FOR-US: Symantec Network Access Control CVE-2011-5052 (Stack-based buffer overflow in CoCSoft Stream Down 6.8.0 allows remote ...) NOT-FOR-US: CoCSoft Stream Down CVE-2011-5051 (Multiple unrestricted file upload vulnerabilities in the WP Symposium ...) NOT-FOR-US: Symposium plugin for Wordpress CVE-2011-5050 (SQL injection vulnerability in corporate/Controller in Elitecore Techn ...) NOT-FOR-US: Elitecore Technologies Cyberoam UTM CVE-2011-5049 (MySQL 5.5.8, when running on Windows, allows remote attackers to cause ...) NOT-FOR-US: MySQL on Windows CVE-2007-6751 (Cross-site scripting (XSS) vulnerability in the MailForm plugin before ...) NOT-FOR-US: MailForm plugin for Movable Type CVE-2004-2776 (go.cgi in GoScript 2.0 allows remote attackers to execute arbitrary co ...) NOT-FOR-US: Montitorix CVE-2004-2775 RESERVED CVE-2004-2774 RESERVED CVE-2004-2773 RESERVED CVE-2004-2772 RESERVED CVE-2004-2771 (The expand function in fio.c in Heirloom mailx 12.5 and earlier and BS ...) {DSA-3105-1 DLA-114-1} - heirloom-mailx 12.5-3.1 (bug #773417) - bsd-mailx 8.1.2-0.20071201cvs-1 - mailx 1:8.1.2-0.20040524cvs-2 (bug #278748) CVE-2003-1604 (The redirect_target function in net/ipv4/netfilter/ipt_REDIRECT.c in t ...) - linux (Fixed before rename to src:linux) - linux-2.6 (Fixed before initial upload of linux-2.6 in Debian) NOTE: https://marc.info/?l=netfilter-devel&m=106668497403047&w=2 CVE-2003-1602 RESERVED CVE-2003-1601 RESERVED CVE-2003-1600 RESERVED CVE-2003-1599 (PHP remote file inclusion vulnerability in wp-links/links.all.php in W ...) NOT-FOR-US: WordPress plugin wp-links CVE-2003-1598 (SQL injection vulnerability in log.header.php in WordPress 0.7 and ear ...) - wordpress 1.0.1-1 CVE-2002-2444 (Snoopy before 2.0.0 has a security hole in exec cURL ...) - libphp-snoopy (affected version never was in the repo) NOTE: http://www.openwall.com/lists/oss-security/2014/07/18/2 NOTE: http://sourceforge.net/p/snoopy/bugs/13/ CVE-2002-2443 (schpw.c in the kpasswd service in kadmind in MIT Kerberos 5 (aka krb5) ...) {DSA-2701-1} - krb5 1.10.1+dfsg-6 (bug #708267) NOTE: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7637 NOTE: https://github.com/krb5/krb5/commit/cf1a0c411b2668c57c41e9c4efd15ba17b6b322c CVE-2002-2442 RESERVED CVE-2002-2441 RESERVED CVE-2002-2440 RESERVED CVE-2002-2439 (Integer overflow in the new[] operator in gcc before 4.8.0 allows atta ...) - gcc-4.1 [squeeze] - gcc-4.1 (Potentially affected apps need to be recompiled, if such issues are spotted in apps, these cases can be fixed on a case-by-case basis) - gcc-4.3 [squeeze] - gcc-4.3 (Potentially affected apps need to be recompiled, if such issues are spotted in apps, these cases can be fixed on a case-by-case basis) - gcc-4.4 (low) [squeeze] - gcc-4.4 (Potentially affected apps need to be recompiled, if such issues are spotted in apps, these cases can be fixed on a case-by-case basis) [wheezy] - gcc-4.4 (Potentially affected apps need to be recompiled, if such issues are spotted in apps, these cases can be fixed on a case-by-case basis) - gcc-4.6 (low) [wheezy] - gcc-4.6 (Potentially affected apps need to be recompiled, if such issues are spotted in apps, these cases can be fixed on a case-by-case basis) - gcc-4.7 (low; bug #710830) [wheezy] - gcc-4.7 (Potentially affected apps need to be recompiled, if such issues are spotted in apps, these cases can be fixed on a case-by-case basis) - gcc-4.8 4.8.0-1 (low) NOTE: Are there apps known to be exploitable through this? NOTE: Any application using unguarded memory allocation would be susceptible to DoS anyway? NOTE: This should be addressed in jessie by getting this fixed in gcc 4.7, so that the archive is NOTE: properly rebuild with a fixed version from the start NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2002-2439 CVE-2002-2438 RESERVED NOT-FOR-US: ancient linux 2.4 issue CVE-2001-1592 RESERVED CVE-2001-1591 RESERVED CVE-2001-1590 RESERVED CVE-2001-1589 RESERVED CVE-2001-1588 RESERVED CVE-2000-1252 RESERVED CVE-2000-1251 RESERVED CVE-2000-1250 RESERVED CVE-2000-1249 RESERVED CVE-2000-1248 RESERVED CVE-1999-1598 RESERVED CVE-1999-1597 RESERVED CVE-1999-1596 RESERVED CVE-1999-1595 RESERVED CVE-1999-1594 RESERVED CVE-2012-0288 RESERVED CVE-2011-5048 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Web Experie ...) NOT-FOR-US: IBM Web Experience Factory CVE-2011-5047 (Cross-site scripting (XSS) vulnerability in status_rrd_graph.php in pf ...) NOT-FOR-US: pfSense CVE-2012-0287 (Cross-site scripting (XSS) vulnerability in wp-comments-post.php in Wo ...) - wordpress 3.3.1+dfsg-1 [squeeze] - wordpress (only 3.3.x vulnerable) [lenny] - wordpress (only 3.3.x vulnerable) CVE-2012-0286 (Cross-site request forgery (CSRF) vulnerability in Stoneware webNetwor ...) NOT-FOR-US: Stoneware webNetwork CVE-2012-0285 (Multiple cross-site scripting (XSS) vulnerabilities in Stoneware webNe ...) NOT-FOR-US: Stoneware webNetwork CVE-2012-0284 (Stack-based buffer overflow in the SetSource method in the Cisco Links ...) NOT-FOR-US: Cisco CVE-2012-0283 (Cross-site scripting (XSS) vulnerability in the tpl_mediaFileList func ...) - dokuwiki 0.0.20120125b-1 (low; bug #683378) [squeeze] - dokuwiki (Vulnerable functionality not present, see #683378) CVE-2012-0282 (Heap-based buffer overflow in XnView before 1.99 allows remote attacke ...) NOT-FOR-US: XnView CVE-2012-0281 RESERVED CVE-2012-0280 RESERVED CVE-2012-0279 (Quest Toad for Data Analysts 3.0.1 uses weak permissions (Everyone: Fu ...) NOT-FOR-US: Quest (quest.com) Toad CVE-2012-0278 (Heap-based buffer overflow in the FlashPix PlugIn before 4.3.4.0 for I ...) NOT-FOR-US: IrfanView CVE-2012-0277 (Heap-based buffer overflow in XnView before 1.99 allows remote attacke ...) NOT-FOR-US: XnView CVE-2012-0276 (Multiple heap-based buffer overflows in XnView before 1.99 allow remot ...) NOT-FOR-US: XnView CVE-2012-0275 (Heap-based buffer overflow in Photoshop.exe in Adobe Photoshop CS5 12. ...) NOT-FOR-US: Adobe Photoshop CS5 CVE-2012-0274 RESERVED CVE-2012-0273 (Multiple stack-based buffer overflows in MinaliC 2.0.0 allow remote at ...) NOT-FOR-US: MinaliC (Webserver) CVE-2012-0272 (Cross-site scripting (XSS) vulnerability in the WebAccess component in ...) NOT-FOR-US: Novell GroupWise CVE-2012-0271 (Integer overflow in the WebConsole component in gwia.exe in GroupWise ...) NOT-FOR-US: Novell GroupWise CVE-2012-0270 (Multiple stack-based buffer overflows in Csound before 5.16.6 allow re ...) - csound 1:5.16.6~dfsg-1 (low; bug #661197) [squeeze] - csound (Minor issue) NOTE: http://secunia.com/secunia_research/2012-3/ NOTE: http://csound.git.sourceforge.net/git/gitweb.cgi?p=csound/csound5.git;a=commitdiff;h=7d617a9551fb6c552ba16874b71266fcd90f3a6f CVE-2012-0269 (Buffer overflow in JustSystems Ichitaro 2011 Sou, Ichitaro 2006 throug ...) NOT-FOR-US: various Ichitaro products CVE-2012-0268 (Integer overflow in the CYImage::LoadJPG method in YImage.dll in Yahoo ...) NOT-FOR-US: Yahoo! Messenger CVE-2012-0267 (The StopModule method in the NTR ActiveX control before 2.0.4.8 allows ...) NOT-FOR-US: NTR ActiveX control CVE-2012-0266 (Multiple stack-based buffer overflows in the NTR ActiveX control befor ...) NOT-FOR-US: NTR ActiveX control CVE-2012-0265 (Stack-based buffer overflow in Apple QuickTime before 7.7.2 on Windows ...) NOT-FOR-US: Apple QuickTime CVE-2011-5046 (The Graphics Device Interface (GDI) in win32k.sys in the kernel-mode d ...) NOT-FOR-US: Microsoft Windows 7 CVE-2011-5045 (Cross-site scripting (XSS) vulnerability in details_view.php in PHP Bo ...) NOT-FOR-US: PHP Booking Calendar 10e (not in Debian) CVE-2011-5044 (SopCast 3.4.7.45585 uses weak permissions (Everyone:Full Control) for ...) NOT-FOR-US: SopCast (not in Debian) CVE-2011-5043 (TomatoSoft Free Mp3 Player 1.0 allows remote attackers to cause a deni ...) NOT-FOR-US: TomatoSoft Free Mp3 Player (not in Debian) CVE-2011-5042 (Cross-site scripting (XSS) vulnerability in inc/lib/lib.base.php in SA ...) NOT-FOR-US: SASHA (not in Debian) CVE-2011-5041 (Multiple cross-site scripting (XSS) vulnerabilities in Pulse Pro CMS 1 ...) NOT-FOR-US: Pulse Pro CMS (not in Debian) CVE-2011-5040 (Multiple cross-site scripting (XSS) vulnerabilities in Infoproject Biz ...) NOT-FOR-US: Infoproject Biznis Heroj (not in Debian) CVE-2011-5039 (Multiple SQL injection vulnerabilities in Infoproject Biznis Heroj all ...) NOT-FOR-US: Infoproject Biznis Heroj (not in Debian) CVE-2011-5038 (SQL injection vulnerability in hitCode hitAppoint 4.5.17 and possibly ...) NOT-FOR-US: hitAppoint (not in Debian) CVE-2011-5037 (Google V8 computes hash values for form parameters without restricting ...) - libv8 3.6.6.14-2 (bug #653962) [squeeze] - libv8 (Unsupported in squeeze-lts) CVE-2011-5036 (Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes ...) {DSA-2783-1} - ruby-rack 1.4.0-1 (bug #653963) - librack-ruby NOTE: https://github.com/rack/rack/commit/5b9d09a81a9fdc9475f0ab0095cb2a33bf2a8f91 CVE-2011-5035 (Oracle Glassfish 2.1.1, 3.0.1, and 3.1.1, as used in Communications Se ...) {DSA-2420-1} - openjdk-6 6b24-1.11.1-1 - openjdk-7 7~u3-2.1-1 - sun-java6 [squeeze] - sun-java6 (Non-free not supported) - glassfish (Debian only builds some core libs, not the full application stack) CVE-2011-5034 (Apache Geronimo 2.2.1 and earlier computes hash values for form parame ...) NOT-FOR-US: Apache Geronimo CVE-2011-5033 (Stack-based buffer overflow in CFS.c in ConfigServer Security & Fi ...) NOT-FOR-US: ConfigServer Security & Firewall CVE-2011-5032 (WMDrive.sys 3.4.181.224 in WinMount 3.5.1018 allows local users to cau ...) NOT-FOR-US: WinMount CVE-2011-5031 (Multiple SQL injection vulnerabilities in servlet/capexweb.parentvalid ...) NOT-FOR-US: cApexWEB CVE-2011-5030 (Cross-site scripting (XSS) vulnerability in the Meta tags quick module ...) NOT-FOR-US: Meta tags quick module for Drupal CVE-2011-5029 (Multiple cross-site scripting (XSS) vulnerabilities in Simple PHP Blog ...) NOT-FOR-US: Sumple PHP Blog CVE-2011-5028 (Directory traversal vulnerability in novelllogmanager/FileDownload in ...) NOT-FOR-US: Novell Sentinel Log Manager CVE-2011-5027 (Cross-site scripting (XSS) vulnerability in ZABBIX before 1.8.10 allow ...) - zabbix 1:1.8.10-1 (bug #652664) [squeeze] - zabbix (Will be handled through point update) CVE-2011-5026 (Cross-site scripting (XSS) vulnerability in the addPost function in da ...) NOT-FOR-US: Winn Guestbook CVE-2011-5025 (Multiple cross-site scripting (XSS) vulnerabilities in the wiki applic ...) - yaws 1.92-1 (low; bug #653966) [squeeze] - yaws (Minor issue) CVE-2011-5024 (Cross-site scripting (XSS) vulnerability in mmsearch/design in the Mai ...) NOT-FOR-US: ht://Dig integration for Mailman CVE-2011-5023 (Cross-site scripting (XSS) vulnerability in Pligg CMS 1.1.4 allows rem ...) NOT-FOR-US: Pligg CMS CVE-2011-5022 (SQL injection vulnerability in search.php in Pligg CMS 1.1.2 allows re ...) NOT-FOR-US: Pligg CMS CVE-2011-5021 (PHPIDS before 0.7 does not properly implement Regular Expression Denia ...) - php-ids (bug #488848) CVE-2011-5020 (An SQL Injection vulnerability exists in the ID parameter in Online TV ...) NOT-FOR-US: Online TV Database CVE-2011-5019 (Cross-site scripting (XSS) vulnerability in setup/index.php in Textpat ...) - textpattern (low) [squeeze] - textpattern (Vulnerability is in setup.php, which becomes inaccessible after installation) CVE-2011-5018 (Koala Framework before 2011-11-21 has XSS via the request_uri paramete ...) NOT-FOR-US: Koala Framework CVE-2011-5017 RESERVED CVE-2011-5016 RESERVED CVE-2011-5015 RESERVED CVE-2011-5014 RESERVED CVE-2011-5013 RESERVED CVE-2011-5012 (Heap-based buffer overflow in the Reflection FTP Client (rftpcom.dll 7 ...) NOT-FOR-US: Attachmate Reflection CVE-2011-5011 (Multiple cross-site request forgery (CSRF) vulnerabilities in xt:Comme ...) NOT-FOR-US: xt:Commerce CVE-2011-5010 (apps/a3/cfg_ethping.cgi in the Ctek SkyRouter 4200 and 4300 allows rem ...) NOT-FOR-US: Ctek SkyRouter CVE-2011-5009 (The CmpWebServer.dll module in the Control service in 3S CoDeSys 3.4 S ...) NOT-FOR-US: 3S CoDeSys CVE-2011-5008 (Integer overflow in the GatewayService component in 3S CoDeSys 3.4 SP4 ...) NOT-FOR-US: 3S CoDeSys CVE-2011-5007 (Stack-based buffer overflow in the CmpWebServer component in 3S CoDeSy ...) NOT-FOR-US: 3S CoDeSys CVE-2011-5006 (Stack-based buffer overflow in QQPlayer 3.2.845 allows remote attacker ...) NOT-FOR-US: QQPlayer CVE-2011-5005 (Unrestricted file upload vulnerability in QuiXplorer 2.3 and earlier a ...) NOT-FOR-US: QuiXplorer CVE-2011-5004 (Unrestricted file upload vulnerability in models/importcsv.php in the ...) NOT-FOR-US: Joomla extension CVE-2011-5003 (Stack-based buffer overflow in the Phonetic Indexer (AvidPhoneticIndex ...) NOT-FOR-US: Avid Media Composer CVE-2011-5002 (Multiple stack-based buffer overflows in Final Draft 8 before 8.02 all ...) NOT-FOR-US: Final Draft CVE-2011-5001 (Stack-based buffer overflow in the CGenericScheduler::AddTask function ...) NOT-FOR-US: Trend Micro Control Manager CVE-2011-5000 (The ssh_gssapi_parse_ename function in gss-serv.c in OpenSSH 5.8 and e ...) - openssh 1:5.9p1-1 [squeeze] - openssh 1:5.5p1-6+squeeze4 NOTE: looking at the code an additional integer overflow check was added in at least 5.9 CVE-2011-4999 REJECTED CVE-2011-4998 REJECTED CVE-2011-4997 REJECTED CVE-2011-4996 REJECTED CVE-2011-4995 REJECTED CVE-2011-4994 REJECTED CVE-2011-4993 REJECTED CVE-2011-4992 REJECTED CVE-2011-4991 REJECTED CVE-2011-4990 REJECTED CVE-2011-4989 REJECTED CVE-2011-4988 REJECTED CVE-2011-4987 REJECTED CVE-2011-4986 REJECTED CVE-2011-4985 REJECTED CVE-2011-4984 REJECTED CVE-2011-4983 REJECTED CVE-2011-4982 REJECTED CVE-2011-4981 REJECTED CVE-2011-4980 REJECTED CVE-2011-4979 REJECTED CVE-2011-4978 RESERVED CVE-2011-4977 RESERVED CVE-2011-4976 RESERVED CVE-2011-4975 RESERVED CVE-2011-4974 RESERVED CVE-2011-4973 (Authentication bypass vulnerability in mod_nss 1.0.8 allows remote att ...) - libapache2-mod-nss 1.0.8-4 (low; bug #729626) [wheezy] - libapache2-mod-nss (Minor issue) NOTE: https://www.redhat.com/archives/mod_nss-list/2011-May/msg00001.html NOTE: https://git.fedorahosted.org/cgit/mod_nss.git/commit/?id=a6c3370491ae1d3bc552e8de9353c82f73e510e3 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1017197 CVE-2011-4972 (hook_file_download in the CKEditor module 7.x-1.4 for Drupal does not ...) NOT-FOR-US: Drupal module CVE-2011-4971 (Multiple integer signedness errors in the (1) process_bin_sasl_auth, ( ...) {DSA-2832-1} - memcached 1.4.13-0.3 (bug #706426) NOTE: https://github.com/memcached/memcached/commit/6695ccbc525c36d693aaa3e8337b36aa0c784424 CVE-2011-4970 (Multiple SQL injection vulnerabilities in LCG Disk Pool Manager (DPM) ...) - lcgdm 1.8.6-1 (low; bug #702895) [wheezy] - lcgdm (Minor issue) - dpm [squeeze] - dpm (Minor issue) CVE-2011-4969 (Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when ...) - jquery 1.6.4-1 (low; bug #699482) [squeeze] - jquery (Minor issue) NOTE: http://blog.jquery.com/2011/09/01/jquery-1-6-3-released/ NOTE: https://github.com/jquery/jquery/commit/db9e023e62c1ff5d8f21ed9868ab6878da2005e9 CVE-2011-4968 (nginx http proxy module does not verify peer identity of https origin ...) - nginx 1.9.1-1 (low; bug #697940) [jessie] - nginx (Minor issue) [squeeze] - nginx (Minor issue) [wheezy] - nginx (Minor issue) NOTE: http://trac.nginx.org/nginx/ticket/13 NOTE: Upstream commit: http://trac.nginx.org/nginx/changeset/060c2e692b96a150b584b8e30d596be1f2defa9c/nginx CVE-2011-4967 (tog-Pegasus has a package hash collision DoS vulnerability ...) NOT-FOR-US: OpenPegasus CVE-2011-4966 (modules/rlm_unix/rlm_unix.c in FreeRADIUS before 2.2.0, when unix mode ...) - freeradius 2.1.12+dfsg-1.2 (low; bug #694407) [squeeze] - freeradius (Minor issue) CVE-2011-4965 REJECTED CVE-2011-4964 REJECTED CVE-2011-4963 (nginx/Windows 1.3.x before 1.3.1 and 1.2.x before 1.2.1 allows remote ...) - nginx (Only affects Nginx on Windows) CVE-2011-4962 (code/sitefeatures/PageCommentInterface.php in SilverStripe 2.4.x befor ...) - silverstripe (bug #528461) NOTE: http://seclists.org/oss-sec/2012/q2/209 CVE-2011-4961 (SilverStripe 2.3.x before 2.3.12 and 2.4.x before 2.4.6 allows remote ...) - silverstripe (bug #528461) NOTE: http://seclists.org/oss-sec/2012/q2/209 CVE-2011-4960 (SQL injection vulnerability in the Folder::findOrMake method in Silver ...) - silverstripe (bug #528461) NOTE: http://seclists.org/oss-sec/2012/q2/209 CVE-2011-4959 (SQL injection vulnerability in the addslashes method in SilverStripe 2 ...) - silverstripe (bug #528461) NOTE: http://seclists.org/oss-sec/2012/q2/209 CVE-2011-4958 (Cross-site scripting (XSS) vulnerability in the process function in SS ...) - silverstripe (bug #528461) NOTE: http://seclists.org/oss-sec/2012/q2/209 CVE-2011-4957 (The make_clickable function in wp-includes/formatting.php in WordPress ...) {DSA-2470-1} - wordpress 3.2.1+dfsg-1 CVE-2011-4956 (Cross-site scripting (XSS) vulnerability in WordPress before 3.1.1 all ...) {DSA-2470-1} - wordpress 3.2.1+dfsg-1 CVE-2011-4955 (Multiple cross-site scripting (XSS) vulnerabilities in ui_stats.php in ...) NOT-FOR-US: wordpress bsuite plugin CVE-2011-4954 (cobbler has local privilege escalation via the use of insecure locatio ...) - cobbler (Fixed before initial upload) CVE-2011-4953 (The set_mgmt_parameters function in item.py in cobbler before 2.2.2 al ...) - cobbler (Fixed before initial upload) CVE-2011-4952 (cobbler: Web interface lacks CSRF protection when using Django framewo ...) - cobbler (Fixed before initial upload) CVE-2011-4951 (Open redirect vulnerability in phpgwapi/ntlm/index.php in EGroupware E ...) NOT-FOR-US: EGroupware CVE-2011-4950 (Cross-site scripting (XSS) vulnerability in phpgwapi/js/jscalendar/tes ...) NOT-FOR-US: EGroupware CVE-2011-4949 (SQL injection vulnerability in phpgwapi/js/dhtmlxtree/samples/with_db/ ...) NOT-FOR-US: EGroupware CVE-2011-4948 (Directory traversal vulnerability in admin/remote.php in EGroupware En ...) NOT-FOR-US: EGroupware CVE-2011-4947 (Cross-site request forgery (CSRF) vulnerability in e107_admin/users_ex ...) NOT-FOR-US: e107 CVE-2011-4946 (SQL injection vulnerability in e107_admin/users_extended.php in e107 b ...) NOT-FOR-US: e107 CVE-2011-4945 (PolicyKit 0.103 sets the AdminIdentities to "wheel" by default, which ...) - policykit-1 0.103-1 [squeeze] - policykit-1 (vulnerable code introduced in 0.103) CVE-2011-4944 (Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissio ...) {DLA-25-1} - python2.7 2.7.3~rc2-2 (low; bug #650555) - python2.6 2.6.8-1 (unimportant; bug #615118) NOTE: Negligible impact CVE-2011-4943 (ImpressPages CMS v1.0.12 has Unspecified Remote Code Execution (fixed ...) NOT-FOR-US: ImpressPages CMS CVE-2011-4942 (Multiple cross-site scripting (XSS) vulnerabilities in admin/configura ...) NOT-FOR-US: Geeklog CVE-2011-4941 (Unspecified vulnerability in Piwik 1.2 through 1.4 allows remote attac ...) - piwik (bug #506933) CVE-2011-4940 (The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPSe ...) {DLA-25-1} - python2.7 2.7.2-8 (unimportant) - python2.6 (unimportant; bug #664135) - python2.5 (unimportant) NOTE: http://www.openwall.com/lists/oss-security/2012/03/14/11 NOTE: This only affects IE7, which is inherently insecure anyway CVE-2011-4939 (The pidgin_conv_chat_rename_user function in gtkconv.c in Pidgin befor ...) - pidgin 2.10.2-1 (bug #664028) [squeeze] - pidgin (vulnerable code not present) NOTE: http://pidgin.im/news/security/?id=60 CVE-2011-4938 (Multiple cross-site scripting (XSS) vulnerabilities in Ariadne 2.7.6 a ...) NOT-FOR-US: Ariadne CMS not in Debian CVE-2011-4937 (Joomla! 1.7.1 has core information disclosure due to inadequate error ...) NOT-FOR-US: Joomla! CVE-2011-4936 REJECTED CVE-2011-4935 REJECTED CVE-2011-4934 REJECTED CVE-2011-4933 REJECTED CVE-2011-4932 (Eval injection vulnerability in ip_cms/modules/standard/content_manage ...) NOT-FOR-US: ImpressPages CMS not in Debian CVE-2011-4931 (gpw generates shorter passwords than required ...) - gpw (unimportant; bug #651510) NOTE: This has only marginal security impact CVE-2011-4930 (Multiple format string vulnerabilities in Condor 7.2.0 through 7.6.4, ...) - condor (Fixed before initial release) CVE-2011-4929 (Unspecified vulnerability in the bazaar repository adapter in Redmine ...) {DSA-2261-1} - redmine 1.0.5-1 (bug #608397) NOTE: http://www.redmine.org/news/49 CVE-2011-4928 (Cross-site scripting (XSS) vulnerability in the textile formatter in R ...) {DSA-2261-1} - redmine 1.0.5-1 (bug #608397) NOTE: http://www.redmine.org/news/49 CVE-2011-4927 (Unspecified vulnerability in the bazaar repository adapter in Redmine ...) {DSA-2261-1} - redmine 1.0.5-1 (bug #608397) NOTE: http://www.redmine.org/news/49 CVE-2011-4926 (Cross-site scripting (XSS) vulnerability in adminimize/adminimize_page ...) NOT-FOR-US: WordPress plugin Adminimize CVE-2011-4925 (Terascale Open-Source Resource and Queue Manager (aka TORQUE Resource ...) - torque (The version in Debian doesn't yet have MUNGE support) CVE-2011-4924 (Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, ...) - zope2.12 2.12.22-1 - zope3 (low) - zope2.10 (low) [lenny] - zope2.10 (Minor issue) [lenny] - zope3 (Minor issue) - zope2.11 - zope2.9 NOTE: http://openwall.com/lists/oss-security/2012/01/19/16 CVE-2011-4923 (Cross-site scripting (XSS) vulnerability in View.pm in BackupPC 3.0.0, ...) - backuppc 3.2.1-2 (bug #646865) [squeeze] - backuppc 3.1.0-9.1 CVE-2011-4922 (cipher.c in the Cipher API in libpurple in Pidgin before 2.7.10 retain ...) - pidgin 2.7.11-1 (low) [lenny] - pidgin (Minor issue) [squeeze] - pidgin (Minor issue) NOTE: http://www.pidgin.im/news/security/?id=50 CVE-2011-4921 (SQL injection vulnerability in usersettings.php in e107 0.7.26, and po ...) NOT-FOR-US: e107 CVE-2011-4920 (Multiple cross-site scripting (XSS) vulnerabilities in e107 0.7.26, an ...) NOT-FOR-US: e107 CVE-2011-4919 (mpack 1.6 has information disclosure via eavesdropping on mails sent b ...) - mpack 1.6-8 (low; bug #655971) [squeeze] - mpack (Minor issue) NOTE: http://openwall.com/lists/oss-security/2011/12/31/1 CVE-2011-4918 (Multiple cross-site scripting (XSS) vulnerabilities in Elxis CMS 2009. ...) NOT-FOR-US: Elxis CMS, Aphrodite CVE-2011-4917 RESERVED - linux (unimportant) - linux-2.6 (unimportant) NOTE: Minor info leak, unlikely to be fixed upstream CVE-2011-4916 RESERVED CVE-2011-4915 (fs/proc/base.c in the Linux kernel through 3.1 allows local users to o ...) - linux (unimportant) - linux-2.6 (unimportant) NOTE: Minor info leak, unlikely to be fixed upstream CVE-2011-4914 (The ROSE protocol implementation in the Linux kernel before 2.6.39 doe ...) {DSA-2389-1} - linux-2.6 2.6.38-4 CVE-2011-4913 (The rose_parse_ccitt function in net/rose/rose_subr.c in the Linux ker ...) {DSA-2264-1 DSA-2240-1} - linux-2.6 2.6.38-4 CVE-2011-4912 (Joomla! com_mailto 1.5.x through 1.5.13 has an automated mail timeout ...) NOT-FOR-US: Joomla! CVE-2011-4911 (Joomla! before 1.5.12 does not perform a JEXEC check in unspecified fi ...) NOT-FOR-US: Joomla! CVE-2011-4910 (Cross-site scripting (XSS) vulnerability in Joomla! before 1.5.12 allo ...) NOT-FOR-US: Joomla! CVE-2011-4909 (Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before ...) NOT-FOR-US: Joomla! CVE-2011-4908 (TinyBrowser plugin for Joomla! before 1.5.13 allows arbitrary file upl ...) NOT-FOR-US: Joomla! CVE-2011-4907 (Joomla! 1.5x through 1.5.12: Missing JEXEC Check ...) NOT-FOR-US: Joomla! CVE-2011-4906 (Tiny browser in TinyMCE 3.0 editor in Joomla! before 1.5.13 allows fil ...) NOT-FOR-US: Joomla! CVE-2011-4905 (Apache ActiveMQ before 5.6.0 allows remote attackers to cause a denial ...) - activemq 5.5.0+dfsg-5 (bug #655495) CVE-2011-4899 (** DISPUTED ** wp-admin/setup-config.php in the installation component ...) - wordpress (unimportant) NOTE: https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt CVE-2011-4898 (** DISPUTED ** wp-admin/setup-config.php in the installation component ...) - wordpress (unimportant) NOTE: https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt CVE-2010-5081 (Stack-based buffer overflow in Mini-Stream RM-MP3 Converter 3.1.2.1 al ...) NOT-FOR-US: Mini-Stream RM-MP3 Converter CVE-2009-5111 (GoAhead WebServer allows remote attackers to cause a denial of service ...) NOT-FOR-US: GoAhead WebServer CVE-2009-5110 (dhttpd allows remote attackers to cause a denial of service (daemon ou ...) - dhttpd (low; bug #533665) [squeeze] - dhttpd (Minor issue) [lenny] - dhttpd (Minor issue) CVE-2009-5109 (Stack-based buffer overflow in Mini-Stream Ripper 3.0.1.1 allows remot ...) NOT-FOR-US: Mini-Stream Ripper CVE-2007-6750 (The Apache HTTP Server 1.x and 2.x allows remote attackers to cause a ...) - apache2 2.2.15-3 (medium; bug #533661) - apache (medium; bug #533662) [lenny] - apache2 (Minor issue) CVE-2011-4904 (TYPO3 before 4.4.9 and 4.5.x before 4.5.4 does not apply proper access ...) {DSA-2289-1} - typo3-src 4.5.4+dfsg1-1 (bug #635937) CVE-2011-4903 (Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, ...) {DSA-2289-1} - typo3-src 4.5.4+dfsg1-1 (bug #635937) CVE-2011-4902 (TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows ...) {DSA-2289-1} - typo3-src 4.5.4+dfsg1-1 (bug #635937) CVE-2011-4901 (TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows ...) {DSA-2289-1} - typo3-src 4.5.4+dfsg1-1 (bug #635937) CVE-2011-4900 (TYPO3 before 4.5.4 allows Information Disclosure in the backend. ...) {DSA-2289-1} - typo3-src 4.5.4+dfsg1-1 (bug #635937) CVE-2012-0264 (op5 Monitor and op5 Appliance before 5.5.0 do not properly manage sess ...) NOT-FOR-US: op5 CVE-2012-0263 (monitor/index.php in op5 Monitor and op5 Appliance before 5.5.1 allows ...) NOT-FOR-US: op5 CVE-2012-0262 (op5config/welcome in system-op5config before 2.0.3 in op5 Monitor and ...) NOT-FOR-US: op5 CVE-2012-0261 (license.php in system-portal before 1.6.2 in op5 Monitor and op5 Appli ...) NOT-FOR-US: op5 CVE-2012-0260 (The JPEGWarningHandler function in coders/jpeg.c in ImageMagick before ...) {DSA-2462-1} - imagemagick 8:6.7.4.0-4 (bug #667635) CVE-2012-0259 (The GetEXIFProperty function in magick/property.c in ImageMagick befor ...) {DSA-2462-1} - imagemagick 8:6.7.4.0-4 (bug #667635) CVE-2012-0258 (Heap-based buffer overflow in the WWCabFile ActiveX component in the W ...) NOT-FOR-US: Invensys Wonderware Application Server CVE-2012-0257 (Heap-based buffer overflow in the WWCabFile ActiveX component in the W ...) NOT-FOR-US: Invensys Wonderware Application Server CVE-2012-0256 (Apache Traffic Server 2.0.x and 3.0.x before 3.0.4 and 3.1.x before 3. ...) - trafficserver 3.0.4-1 CVE-2012-0255 (The BGP implementation in bgpd in Quagga before 0.99.20.1 does not pro ...) {DSA-2459-1} - quagga 0.99.20.1-1 CVE-2012-0254 (Stack-based buffer overflow in the HMIWeb Browser HSCDSPRenderDLL Acti ...) NOT-FOR-US: Honeywell CVE-2012-0253 (Multiple cross-site scripting (XSS) vulnerabilities in Demand Media Pl ...) NOT-FOR-US: Demand Media Pluck SiteLife CVE-2012-0252 RESERVED CVE-2012-0251 RESERVED CVE-2012-0250 (Buffer overflow in the OSPFv2 implementation in ospfd in Quagga before ...) {DSA-2459-1} - quagga 0.99.20.1-1 CVE-2012-0249 (Buffer overflow in the ospf_ls_upd_list_lsa function in ospf_packet.c ...) {DSA-2459-1} - quagga 0.99.20.1-1 CVE-2012-0248 (ImageMagick 6.7.5-7 and earlier allows remote attackers to cause a den ...) {DSA-2427-1} - imagemagick 8:6.6.9.7-6 (low; bug #659339) CVE-2012-0247 (ImageMagick 6.7.5-7 and earlier allows remote attackers to cause a den ...) {DSA-2427-1} - imagemagick 8:6.6.9.7-6 (bug #659339) CVE-2012-0246 (Directory traversal vulnerability in an unspecified ActiveX control in ...) NOT-FOR-US: Ecava IntegraXor CVE-2012-0245 (Multiple stack-based buffer overflows in RobNetScanHost.exe in ABB Rob ...) NOT-FOR-US: ABB Robot Communications Runtime CVE-2012-0244 (Multiple SQL injection vulnerabilities in Advantech/BroadWin WebAccess ...) NOT-FOR-US: Advantech/BroadWin WebAccess CVE-2012-0243 (Buffer overflow in an ActiveX control in bwocxrun.ocx in Advantech/Bro ...) NOT-FOR-US: ActiveX CVE-2012-0242 (Format string vulnerability in Advantech/BroadWin WebAccess before 7.0 ...) NOT-FOR-US: Advantech/BroadWin WebAccess CVE-2012-0241 (Advantech/BroadWin WebAccess before 7.0 allows remote attackers to cau ...) NOT-FOR-US: Advantech/BroadWin WebAccess CVE-2012-0240 (GbScriptAddUp.asp in Advantech/BroadWin WebAccess before 7.0 does not ...) NOT-FOR-US: Advantech/BroadWin WebAccess CVE-2012-0239 (uaddUpAdmin.asp in Advantech/BroadWin WebAccess before 7.0 does not pr ...) NOT-FOR-US: Advantech/BroadWin WebAccess CVE-2012-0238 (Stack-based buffer overflow in opcImg.asp in Advantech/BroadWin WebAcc ...) NOT-FOR-US: Advantech/BroadWin WebAccess CVE-2012-0237 (Advantech/BroadWin WebAccess before 7.0 allows remote attackers to (1) ...) NOT-FOR-US: Advantech/BroadWin WebAccess CVE-2012-0236 (Advantech/BroadWin WebAccess 7.0 and earlier allows remote attackers t ...) NOT-FOR-US: Advantech/BroadWin WebAccess CVE-2012-0235 (Cross-site request forgery (CSRF) vulnerability in Advantech/BroadWin ...) NOT-FOR-US: Advantech/BroadWin WebAccess CVE-2012-0234 (SQL injection vulnerability in Advantech/BroadWin WebAccess before 7.0 ...) NOT-FOR-US: Advantech/BroadWin WebAccess CVE-2012-0233 (Cross-site scripting (XSS) vulnerability in Advantech/BroadWin WebAcce ...) NOT-FOR-US: Advantech/BroadWin WebAccess CVE-2012-0232 (Directory traversal vulnerability in rifsrvd.exe in the Remote Interfa ...) NOT-FOR-US: GE Intelligent Platforms Proficy Real-Time Information Portal CVE-2012-0231 (PRLicenseMgr.exe in the Proficy Server License Manager in GE Intellige ...) NOT-FOR-US: GE Intelligent Platforms Proficy Plant Applications CVE-2012-0230 (PRRDS.exe in the Proficy Remote Data Service in GE Intelligent Platfor ...) NOT-FOR-US: GE Intelligent Platforms Proficy Plant Applications CVE-2012-0229 (The Data Archiver service in GE Intelligent Platforms Proficy Historia ...) NOT-FOR-US: GE Intelligent Platforms Proficy Historian CVE-2012-0228 (Invensys Wonderware Information Server 4.0 SP1 and 4.5 does not proper ...) NOT-FOR-US: Invensys Wonderware Information Server CVE-2012-0227 (Buffer overflow in the VSFlex7.VSFlexGrid ActiveX control in Component ...) NOT-FOR-US: Open Automation Software OPC Systems.NET CVE-2012-0226 (SQL injection vulnerability in Invensys Wonderware Information Server ...) NOT-FOR-US: Invensys Wonderware Information Server CVE-2012-0225 (Cross-site scripting (XSS) vulnerability in Invensys Wonderware Inform ...) NOT-FOR-US: Invensys Wonderware Information Server CVE-2012-0224 (Untrusted search path vulnerability in 7-Technologies (7T) AQUIS 1.5 a ...) NOT-FOR-US: 7-Technologies (7T) AQUIS CVE-2012-0223 (Untrusted search path vulnerability in 7-Technologies (7T) TERMIS 2.10 ...) NOT-FOR-US: TERMIS CVE-2012-0222 (The FactoryTalk (FT) RNADiagReceiver service in Rockwell Automation Al ...) NOT-FOR-US: Rockwell Automation Allen-Bradley FactoryTalk CVE-2012-0221 (The FactoryTalk (FT) RNADiagReceiver service in Rockwell Automation Al ...) NOT-FOR-US: Rockwell Automation Allen-Bradley FactoryTalk CVE-2011-4897 (Tor before 0.2.2.25-alpha, when configured as a relay without the Nick ...) - tor 0.2.2.27-beta-1 (unimportant) CVE-2011-4896 (Tor before 0.2.2.24-alpha continues to use a reachable bridge that was ...) - tor 0.2.2.27-beta-1 (unimportant) CVE-2011-4895 (Tor before 0.2.2.34, when configured as a bridge, sets up circuits thr ...) - tor 0.2.2.34-1 (unimportant) CVE-2011-4894 (Tor before 0.2.2.34, when configured as a bridge, uses direct DirPort ...) - tor 0.2.2.34-1 (unimportant) CVE-2011-4893 REJECTED CVE-2011-4892 REJECTED CVE-2011-4891 REJECTED CVE-2011-4890 (The server in IBM solidDB 6.5 before FP9 and 7.0 before FP1 allows rem ...) NOT-FOR-US: IBM solidDB CVE-2011-4889 (The javax.naming.directory.AttributeInUseException class in the Virtua ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2011-4888 RESERVED CVE-2011-4887 (Cross-site scripting (XSS) vulnerability in the Violations Table in th ...) NOT-FOR-US: Imperva SecureSphere Web Application Firewall CVE-2011-4886 RESERVED CVE-2011-4885 (PHP before 5.3.9 computes hash values for form parameters without rest ...) {DSA-2399-1} - php5 5.3.9-1 (low) CVE-2011-4884 RESERVED CVE-2011-4883 (The web server in Certec atvise webMI2ADS (aka webMI) before 2.0.2 doe ...) NOT-FOR-US: atvise.com webMI CVE-2011-4882 (The web server in Certec atvise webMI2ADS (aka webMI) before 2.0.2 all ...) NOT-FOR-US: atvise.com webMI CVE-2011-4881 (The web server in Certec atvise webMI2ADS (aka webMI) before 2.0.2 doe ...) NOT-FOR-US: atvise.com webMI CVE-2011-4880 (Directory traversal vulnerability in the web server in Certec atvise w ...) NOT-FOR-US: atvise.com webMI CVE-2011-4879 (miniweb.exe in the HMI web server in Siemens WinCC flexible 2004, 2005 ...) NOT-FOR-US: Siemens WinCC CVE-2011-4878 (Directory traversal vulnerability in miniweb.exe in the HMI web server ...) NOT-FOR-US: Siemens WinCC CVE-2011-4877 (HmiLoad in the runtime loader in Siemens WinCC flexible 2004, 2005, 20 ...) NOT-FOR-US: Siemens WinCC CVE-2011-4876 (Directory traversal vulnerability in HmiLoad in the runtime loader in ...) NOT-FOR-US: Siemens WinCC CVE-2011-4875 (Stack-based buffer overflow in HmiLoad in the runtime loader in Siemen ...) NOT-FOR-US: Siemens WinCC CVE-2011-4874 (Use-after-free vulnerability in MICROSYS PROMOTIC before 8.1.7 allows ...) NOT-FOR-US: MICROSYS PROMOTIC CVE-2011-4873 (Unspecified vulnerability in the server in Certec EDV atvise before 2. ...) NOT-FOR-US: Certec EDV atvise CVE-2011-4872 (Multiple HTC Android devices including Desire HD FRG83D and GRI40, Gla ...) NOT-FOR-US: Android devices CVE-2011-4871 (Open Automation Software OPC Systems.NET before 5.0 allows remote atta ...) NOT-FOR-US: opcsystems.com CVE-2011-4870 (Multiple buffer overflows in the (1) GUIControls, (2) BatchObjSrv, and ...) NOT-FOR-US: Invensys Wonderware CVE-2011-4869 (validator/val_nsec3.c in Unbound before 1.4.13p2 does not properly per ...) {DSA-2370-1} - unbound 1.4.14-1 (medium) CVE-2011-4868 (The logging functionality in dhcpd in ISC DHCP before 4.2.3-P2, when u ...) - isc-dhcp 4.2.2.dfsg.1-5 (low; bug #655746) [squeeze] - isc-dhcp (vulnerable code not present) CVE-2011-4867 (The Tencent QQPhoto (com.tencent.qqphoto) application 0.97 for Android ...) NOT-FOR-US: Tencent QQPhoto (com.tencent.qqphoto) application CVE-2011-4866 (The Kaixin001 (com.kaixin001.activity) application 1.3.1 and 1.3.3 for ...) NOT-FOR-US: Kaixin001 (com.kaixin001.activity) application CVE-2011-4865 (The Tencent WBlog (com.tencent.WBlog) 3.3.1 and MicroBlogPad 1.4.0 app ...) NOT-FOR-US: Tencent WBlog CVE-2011-4864 (The Tencent MobileQQ (com.tencent.mobileqq) application 2.2 for Androi ...) NOT-FOR-US: Tencent MobileQQ (com.tencent.mobileqq) application CVE-2011-4863 (The Tencent QQPimSecure (com.tencent.qqpimsecure) application 3.0.2 fo ...) NOT-FOR-US: Tencent QQPimSecure (com.tencent.qqpimsecure) application CVE-2011-4862 (Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 throu ...) {DSA-2375-1 DSA-2373-1 DSA-2372-1} - heimdal 1.5.dfsg.1-1 (high) - inetutils 2:1.8-6 (high) - krb5 1.8+dfsg~aa+r23527-1 (high) - krb5-appl 1:1.0.1-1.2 (high; bug #654231) NOTE: krb5 fixed through move of code to krb5-appl. CVE-2011-4861 (The modbus_125_handler function in the Schneider Electric Quantum Ethe ...) NOT-FOR-US: Schneider Electric Quantum Ethernet Module CVE-2011-4860 (The ComputePassword function in the Schneider Electric Quantum Etherne ...) NOT-FOR-US: Schneider Electric Quantum Ethernet Module CVE-2011-4859 (The Schneider Electric Quantum Ethernet Module, as used in the Quantum ...) NOT-FOR-US: Schneider Electric Quantum Ethernet Module CVE-2011-4858 (Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 ...) {DSA-2401-1} - tomcat5 - tomcat6 6.0.35-1 - tomcat7 7.0.26-1 CVE-2011-4857 (Heap-based buffer overflow in the in_mod.dll plugin in Winamp before 5 ...) NOT-FOR-US: Winamp CVE-2010-5080 (The Security/changepassword URL action in SilverStripe 2.3.x before 2. ...) - silverstripe (bug #528461) NOTE: http://seclists.org/oss-sec/2012/q2/209 CVE-2010-5079 (SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4 uses weak entr ...) - silverstripe (bug #528461) NOTE: http://seclists.org/oss-sec/2012/q2/209 CVE-2010-5078 (SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4 stores sensiti ...) - silverstripe (bug #528461) NOTE: http://seclists.org/oss-sec/2012/q2/209 CVE-2010-5077 (server/sv_main.c in Quake3 Arena, as used in ioquake3 before r1762, Op ...) {DSA-2442-1} - openarena 0.8.5-6 (medium; bug #665656) - ioquake3 (fixed before upload) - tremulous 1.1.0-8 (bug #665842) [squeeze] - tremulous 1.1.0-7~squeeze1 CVE-2010-5076 (QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in ...) - qt4-x11 4:4.6.3-1 NOTE: Might be fixed earlier, but Squeeze version has been validated to be fixed CVE-2009-5108 REJECTED CVE-2009-5107 REJECTED CVE-2009-5106 RESERVED CVE-2009-5105 RESERVED CVE-2009-5104 RESERVED CVE-2008-7308 RESERVED CVE-2008-7307 RESERVED CVE-2008-7306 RESERVED CVE-2008-7305 RESERVED CVE-2008-7304 RESERVED CVE-2007-6749 RESERVED CVE-2007-6748 RESERVED CVE-2007-6747 RESERVED CVE-2007-6746 (telepathy-idle before 0.1.15 does not verify (1) that the issuer is a ...) - telepathy-idle 0.1.15-1 (low; bug #706094) [wheezy] - telepathy-idle (Minor issue) [squeeze] - telepathy-idle (Minor issue) CVE-2007-6745 (clamav 0.91.2 suffers from a floating point exception when using ScanO ...) - clamav 0.91.2-1~volatile1 [etch] - clamav (Vulnerable code not present) [sarge] - clamav (Vulnerable code not present) CVE-2006-7251 RESERVED CVE-2006-7250 (The mime_hdr_cmp function in crypto/asn1/asn_mime.c in OpenSSL 0.9.8t ...) {DSA-2454-1} - openssl 1.0.0h-1 NOTE: DSA addressed it in patch for CVE-2012-1165 CVE-2006-7249 REJECTED CVE-2006-7248 REJECTED CVE-2006-7247 (SQL injection vulnerability in the Weblinks (com_weblinks) component f ...) NOT-FOR-US: Joomla! CVE-2005-4894 RESERVED CVE-2005-4893 RESERVED CVE-2005-4892 RESERVED CVE-2005-4891 (Simple Machine Forum (SMF) versions 1.0.4 and earlier have an SQL inje ...) NOT-FOR-US: Simple Machine Forum (SMF) CVE-2011-4856 (The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 sen ...) NOT-FOR-US: Plesk CVE-2011-4855 (The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 omi ...) NOT-FOR-US: Plesk CVE-2011-4854 (The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 doe ...) NOT-FOR-US: Plesk CVE-2011-4853 (The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 inc ...) NOT-FOR-US: Plesk CVE-2011-4852 (The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 gen ...) NOT-FOR-US: Plesk CVE-2011-4851 (The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 gen ...) NOT-FOR-US: Plesk CVE-2011-4850 (The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 doe ...) NOT-FOR-US: Plesk CVE-2011-4849 (The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 doe ...) NOT-FOR-US: Plesk CVE-2011-4848 (The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 inc ...) NOT-FOR-US: Plesk CVE-2011-4847 (SQL injection vulnerability in the Control Panel in Parallels Plesk Pa ...) NOT-FOR-US: Plesk CVE-2011-4846 RESERVED CVE-2011-4845 RESERVED CVE-2011-4844 RESERVED CVE-2011-4843 RESERVED CVE-2011-4842 RESERVED CVE-2011-4841 RESERVED CVE-2011-4840 RESERVED CVE-2011-4839 RESERVED CVE-2011-4838 (JRuby before 1.6.5.1 computes hash values without restricting the abil ...) {DLA-209-1} - jruby 1.5.6-4 (low; bug #686867) CVE-2012-0220 (Multiple cross-site scripting (XSS) vulnerabilities in the meta plugin ...) {DSA-2474-1} - ikiwiki 3.20120516 CVE-2012-0219 (Heap-based buffer overflow in the xioscan_readline function in xio-rea ...) - socat 1.7.1.3-1.3 (low; bug #672994) [squeeze] - socat (Minor issue) NOTE: http://www.dest-unreach.org/socat/contrib/socat-secadv3.html CVE-2012-0218 (Xen 3.4, 4.0, and 4.1, when the guest OS has not registered a handler ...) {DSA-2501-1} - xen 4.1.3~rc1+hg-20120614.a9c0a89c08f2-1 CVE-2012-0217 (The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, ...) {DSA-2508-1 DSA-2501-1} - xen 4.1.3~rc1+hg-20120614.a9c0a89c08f2-1 - kfreebsd-8 8.3-4 (bug #677297) - kfreebsd-9 9.0-4 (bug #677298) - kfreebsd-10 10.0~svn237137-1 (bug #677299) NOTE: apparently this code is included in freebsd, xen, as well as NOTE: microsoft windows, which is also a part of this id assignment (and a NOTE: bit strangely the only os currently called out in the mitre description). NOTE: also affected the linux kernel, and was fixed 6 years earlier as CVE-2006-0744. CVE-2012-0216 (The default configuration of the apache2 package in Debian GNU/Linux s ...) {DSA-2452-1} - apache2 2.2.22-4 (low) CVE-2012-0215 (model/modelstorage.py in the Tryton application framework (trytond) be ...) {DSA-2444-1} - tryton-server 2.2.2-1 (medium) CVE-2012-0214 (The pkgAcqMetaClearSig::Failed method in apt-pkg/acquire-item.cc in Ad ...) - apt 0.8.15.10 [squeeze] - apt (Vulnerable code not present) [lenny] - apt (Vulnerable code not present) CVE-2012-0213 (The UnhandledDataStructure function in hwpf/model/UnhandledDataStructu ...) {DSA-2468-1} - libjakarta-poi-java CVE-2012-0212 (debdiff.pl in devscripts 2.10.x before 2.10.69 and 2.11.x before 2.11. ...) {DSA-2409-1} - devscripts 2.11.4 CVE-2012-0211 (debdiff.pl in devscripts 2.10.x before 2.10.69 and 2.11.x before 2.11. ...) {DSA-2409-1} - devscripts 2.11.4 CVE-2012-0210 (debdiff.pl in devscripts 2.10.x before 2.10.69 and 2.11.x before 2.11. ...) {DSA-2409-1} - devscripts 2.11.4 CVE-2012-0209 (Horde 3.3.12, Horde Groupware 1.2.10, and Horde Groupware Webmail Edit ...) - horde3 3.3.12+debian0-2 (bug #660077) [squeeze] - horde3 (Introduced in 3.3.12) [lenny] - horde3 (Introduced in 3.3.12) CVE-2012-0208 (Unspecified vulnerability in the Oracle Grid Engine component in Oracl ...) {DSA-2472-1} - gridengine 6.2u5-6 NOTE: http://www.securityfocus.com/bid/53123/info NOTE: http://gridscheduler.sourceforge.net/security.html CVE-2012-0207 (The igmp_heard_query function in net/ipv4/igmp.c in the Linux kernel b ...) - linux-2.6 3.1.8-2 (bug #654876) [lenny] - linux-2.6 (Introduced in 2.6.36) [squeeze] - linux-2.6 (Introduced in 2.6.36) CVE-2012-0206 (common_startup.cc in PowerDNS (aka pdns) Authoritative Server before 2 ...) {DSA-2385-1} - pdns 3.0-1.1 (high) CVE-2012-0205 (InfoSphere Metadata Workbench (MWB) 8.1 through 8.7 in IBM InfoSphere ...) NOT-FOR-US: IBM InfoSphere Information Server CVE-2012-0204 (Untrusted search path vulnerability in InfoSphere Import Export Manage ...) NOT-FOR-US: IBM InfoSphere Information Server CVE-2012-0203 (Cross-site scripting (XSS) vulnerability in InfoSphere Metadata Workbe ...) NOT-FOR-US: IBM InfoSphere Information Server CVE-2012-0202 (Multiple stack-based buffer overflows in tm1admsd.exe in the Admin Ser ...) NOT-FOR-US: Admin Server in IBM Cognos TM1 CVE-2012-0201 (Stack-based buffer overflow in pcspref.dll in pcsws.exe in IBM Persona ...) NOT-FOR-US: IBM Personal Communications CVE-2012-0200 (The server in IBM solidDB 6.5 before Interim Fix 6 does not properly i ...) NOT-FOR-US: IBM solidDB CVE-2012-0199 (Multiple SQL injection vulnerabilities in IBM Tivoli Provisioning Mana ...) NOT-FOR-US: IBM Tivoli Provisioning Manager Express CVE-2012-0198 (Stack-based buffer overflow in the RunAndUploadFile method in the Isig ...) NOT-FOR-US: IBM Tivoli Provisioning Manager Express CVE-2012-0197 RESERVED CVE-2012-0196 RESERVED CVE-2012-0195 (Cross-site scripting (XSS) vulnerability in the Start Center Layout an ...) NOT-FOR-US: IBM Maximo Asset Management and others CVE-2012-0194 (The TCP implementation in IBM AIX 5.3, 6.1, and 7.1, when the Large Se ...) NOT-FOR-US: AIX CVE-2012-0193 (IBM WebSphere Application Server (WAS) 6.0 through 6.0.2.43, 6.1 befor ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2012-0192 (Multiple integer overflows in vclmi.dll in the visual class library mo ...) NOT-FOR-US: IBM Lotus Symphony CVE-2012-0191 (The web container in IBM Lotus Expeditor 6.1.x and 6.2.x before 6.2 FP ...) NOT-FOR-US: IBM Lotus Expeditor CVE-2012-0190 (Unspecified vulnerability in the Render method in the ExportHTML.ocx A ...) NOT-FOR-US: IBM SPSS Dimensions CVE-2012-0189 (Multiple unspecified vulnerabilities in the (1) PrintFile and (2) Save ...) NOT-FOR-US: IBM SPSS SamplePower CVE-2012-0188 (Unspecified vulnerability in the SetLicenseInfoEx method in an ActiveX ...) NOT-FOR-US: IBM SPSS Dimensions CVE-2012-0187 (Untrusted search path vulnerability in IBM Lotus Expeditor 6.1.x and 6 ...) NOT-FOR-US: IBM Lotus Expeditor CVE-2012-0186 (Directory traversal vulnerability in the Eclipse Help component in IBM ...) NOT-FOR-US: IBM Lotus Expeditor CVE-2011-4837 (Cross-site request forgery (CSRF) vulnerability in /ctrl in the web in ...) NOT-FOR-US: HomeSeer CVE-2011-4836 (Cross-site scripting (XSS) vulnerability in the web interface in HomeS ...) NOT-FOR-US: HomeSeer CVE-2011-4835 (Directory traversal vulnerability in the web interface in HomeSeer HS2 ...) NOT-FOR-US: HomeSeer CVE-2011-4834 (The GetInstalledPackages function in the configuration tool in HP Appl ...) NOT-FOR-US: HP Application Lifestyle Management CVE-2011-4833 (Multiple SQL injection vulnerabilities in the Leads module in SugarCRM ...) - sugarcrm-ce-5.0 (bug #457876) CVE-2011-4832 (Directory traversal vulnerability in CaupoShop Pro 2.x, CaupoShop Clas ...) NOT-FOR-US: CaupoShop CVE-2011-4831 (Directory traversal vulnerability in webFileBrowser.php in Web File Br ...) NOT-FOR-US: Web File Browser CVE-2011-4830 (Multiple cross-site scripting (XSS) vulnerabilities in the com_listing ...) NOT-FOR-US: Joomla extension CVE-2011-4829 (SQL injection vulnerability in the com_listing component in Barter Sit ...) NOT-FOR-US: Joomla extension CVE-2011-4828 (Unrestricted file upload vulnerability in includes/inline_image_upload ...) NOT-FOR-US: AutoSec Tools V-CMS CVE-2011-4827 (Multiple cross-site scripting (XSS) vulnerabilities in AutoSec Tools V ...) NOT-FOR-US: AutoSec Tools V-CMS CVE-2011-4826 (SQL injection vulnerability in session.php in AutoSec Tools V-CMS 1.0 ...) NOT-FOR-US: AutoSec Tools V-CMS CVE-2011-4825 (Static code injection vulnerability in inc/function.base.php in Ajax F ...) NOT-FOR-US: Ajax File and Image Manager CVE-2011-4824 (SQL injection vulnerability in auth_login.php in Cacti before 0.8.7h a ...) {DSA-2384-1} - cacti 0.8.7i-1 (high; bug #652371) CVE-2011-4823 (Multiple SQL injection vulnerabilities in Vik Real Estate (com_vikreal ...) NOT-FOR-US: Joomla extension CVE-2011-4822 (Multiple cross-site scripting (XSS) vulnerabilities in the user profil ...) NOT-FOR-US: Atlassian FishEye CVE-2011-4821 (Directory traversal vulnerability in the TFTP server in D-Link DIR-601 ...) NOT-FOR-US: D-Link router CVE-2011-4820 RESERVED CVE-2011-4819 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asse ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2011-4818 (Open redirect vulnerability in IBM Maximo Asset Management and Asset M ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2011-4817 (The About option on the Help menu in IBM Maximo Asset Management and A ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2011-4816 (SQL injection vulnerability in the KPI component in IBM Maximo Asset M ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2011-4815 (Ruby (aka CRuby) before 1.8.7-p357 computes hash values without restri ...) {DLA-88-1} - ruby1.8 1.8.7.358-1 - ruby1.9 (Includes randomisation of the hash function) - ruby1.9.1 (Includes randomisation of the hash function) CVE-2012-0185 (Heap-based buffer overflow in Microsoft Excel 2007 SP2 and SP3 and 201 ...) NOT-FOR-US: Microsoft Excel CVE-2012-0184 (Microsoft Excel 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Off ...) NOT-FOR-US: Microsoft Excel CVE-2012-0183 (Microsoft Word 2003 SP3 and 2007 SP2 and SP3, Office 2008 and 2011 for ...) NOT-FOR-US: Microsoft Word CVE-2012-0182 (Microsoft Word 2007 SP2 and SP3 does not properly handle memory during ...) NOT-FOR-US: Microsoft Word CVE-2012-0181 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2012-0180 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2012-0179 (Double free vulnerability in tcpip.sys in Microsoft Windows Server 200 ...) NOT-FOR-US: Microsoft Windows CVE-2012-0178 (Race condition in partmgr.sys in Windows Partition Manager in Microsof ...) NOT-FOR-US: Microsoft Windows CVE-2012-0177 (Heap-based buffer overflow in the Office Works File Converter in Micro ...) NOT-FOR-US: Microsoft CVE-2012-0176 (Double free vulnerability in Microsoft Silverlight 4 before 4.1.10329 ...) NOT-FOR-US: Microsoft Silverlight CVE-2012-0175 (The Shell in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2 ...) NOT-FOR-US: Microsoft Windows CVE-2012-0174 (Windows Firewall in tcpip.sys in Microsoft Windows Vista SP2, Windows ...) NOT-FOR-US: Microsoft Windows CVE-2012-0173 (The Remote Desktop Protocol (RDP) implementation in Microsoft Windows ...) NOT-FOR-US: Microsoft Windows CVE-2012-0172 (Microsoft Internet Explorer 6 through 8 does not properly handle objec ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-0171 (Microsoft Internet Explorer 6 through 9 does not properly handle objec ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-0170 (Microsoft Internet Explorer 6 and 7 does not properly handle objects i ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-0169 (Microsoft Internet Explorer 9 does not properly handle objects in memo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-0168 (Microsoft Internet Explorer 6 through 9 allows user-assisted remote at ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2012-0167 (Heap-based buffer overflow in the Office GDI+ library in Microsoft Off ...) NOT-FOR-US: Microsoft Windows CVE-2012-0166 REJECTED CVE-2012-0165 (GDI+ in Microsoft Windows Vista SP2 and Server 2008 SP2 and Office 200 ...) NOT-FOR-US: Microsoft Windows CVE-2012-0164 (Microsoft .NET Framework 4 does not properly compare index values, whi ...) NOT-FOR-US: Microsoft .NET Framework CVE-2012-0163 (Microsoft .NET Framework 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, and ...) NOT-FOR-US: Microsoft .NET Framework CVE-2012-0162 (Microsoft .NET Framework 4 does not properly allocate buffers, which a ...) NOT-FOR-US: Microsoft .NET Framework CVE-2012-0161 (Microsoft .NET Framework 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.0 SP2, 3.5 SP1, ...) NOT-FOR-US: Microsoft .NET Framework CVE-2012-0160 (Microsoft .NET Framework 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.0 SP2, 3.5 SP1, ...) NOT-FOR-US: Microsoft .NET Framework CVE-2012-0159 (Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vis ...) NOT-FOR-US: Microsoft Windows CVE-2012-0158 (The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 Activ ...) NOT-FOR-US: Microsoft CVE-2012-0157 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2012-0156 (DirectWrite in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R ...) NOT-FOR-US: Microsoft Windows CVE-2012-0155 (Microsoft Internet Explorer 9 does not properly handle objects in memo ...) NOT-FOR-US: Microsoft CVE-2012-0154 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: Microsoft CVE-2012-0153 REJECTED CVE-2012-0152 (The Remote Desktop Protocol (RDP) service in Microsoft Windows Server ...) NOT-FOR-US: Microsoft Windows CVE-2012-0151 (The Authenticode Signature Verification function in Microsoft Windows ...) NOT-FOR-US: Microsoft CVE-2012-0150 (Buffer overflow in msvcrt.dll in Microsoft Windows Vista SP2, Windows ...) NOT-FOR-US: Microsoft CVE-2012-0149 (afd.sys in the Ancillary Function Driver in Microsoft Windows Server 2 ...) NOT-FOR-US: Microsoft CVE-2012-0148 (afd.sys in the Ancillary Function Driver in Microsoft Windows XP SP2, ...) NOT-FOR-US: Microsoft CVE-2012-0147 (Microsoft Forefront Unified Access Gateway (UAG) 2010 SP1 and SP1 Upda ...) NOT-FOR-US: Microsoft CVE-2012-0146 (Open redirect vulnerability in Microsoft Forefront Unified Access Gate ...) NOT-FOR-US: Microsoft CVE-2012-0145 (Cross-site scripting (XSS) vulnerability in wizardlist.aspx in Microso ...) NOT-FOR-US: Microsoft CVE-2012-0144 (Cross-site scripting (XSS) vulnerability in themeweb.aspx in Microsoft ...) NOT-FOR-US: Microsoft CVE-2012-0143 (Microsoft Excel 2003 SP3 and Office 2008 for Mac do not properly handl ...) NOT-FOR-US: Microsoft CVE-2012-0142 (Microsoft Excel 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Off ...) NOT-FOR-US: Microsoft CVE-2012-0141 (Microsoft Excel 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Off ...) NOT-FOR-US: Microsoft CVE-2012-0140 REJECTED CVE-2012-0139 REJECTED CVE-2012-0138 (Microsoft Visio Viewer 2010 Gold and SP1 does not properly handle memo ...) NOT-FOR-US: Microsoft CVE-2012-0137 (Microsoft Visio Viewer 2010 Gold and SP1 does not properly handle memo ...) NOT-FOR-US: Microsoft CVE-2012-0136 (Microsoft Visio Viewer 2010 Gold and SP1 does not properly handle memo ...) NOT-FOR-US: Microsoft CVE-2012-0135 (Unspecified vulnerability in HP System Management Homepage (SMH) befor ...) NOT-FOR-US: HP System Management Homepage CVE-2012-0134 (Unspecified vulnerability in HP OpenVMS 7.3-2 on the Alpha platform, 8 ...) NOT-FOR-US: HP OpenVMS CVE-2012-0133 (HP ProCurve 5400 zl switches with certain serial numbers include a com ...) NOT-FOR-US: HP ProCurve CVE-2012-0132 (Cross-site scripting (XSS) vulnerability in HP Business Availability C ...) NOT-FOR-US: HP Business Availability CVE-2012-0131 (Distributed Computing Environment (DCE) 1.8 and 1.9 on HP HP-UX B.11.1 ...) NOT-FOR-US: HP HP-UX CVE-2012-0130 (HP Onboard Administrator (OA) before 3.50 allows remote attackers to o ...) NOT-FOR-US: HP Onboard Administrator CVE-2012-0129 (HP Onboard Administrator (OA) before 3.50 allows remote attackers to b ...) NOT-FOR-US: HP Onboard Administrator CVE-2012-0128 (HP Onboard Administrator (OA) before 3.50 allows remote attackers to r ...) NOT-FOR-US: HP Onboard Administrator CVE-2012-0127 (Unspecified vulnerability in HP Performance Manager 9.00 allows remote ...) NOT-FOR-US: HP Performance Manager CVE-2012-0126 (Unspecified vulnerability in the WBEM implementation in HP HP-UX 11.11 ...) NOT-FOR-US: HP HP-UX CVE-2012-0125 (Unspecified vulnerability in the WBEM implementation in HP HP-UX 11.31 ...) NOT-FOR-US: HP HP-UX CVE-2012-0124 (Unspecified vulnerability in HP Data Protector Express (aka DPX) 5.0.0 ...) NOT-FOR-US: HP Data Protector Express CVE-2012-0123 (Unspecified vulnerability in HP Data Protector Express (aka DPX) 5.0.0 ...) NOT-FOR-US: HP Data Protector Express CVE-2012-0122 (Unspecified vulnerability in HP Data Protector Express (aka DPX) 5.0.0 ...) NOT-FOR-US: HP Data Protector Express CVE-2012-0121 (Unspecified vulnerability in HP Data Protector Express (aka DPX) 5.0.0 ...) NOT-FOR-US: HP Data Protector Express CVE-2011-4814 (Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 3.1.0 ...) - dolibarr 3.3.4-1 (low) CVE-2011-4813 (Directory traversal vulnerability in clientarea.php in WHMCompleteSolu ...) NOT-FOR-US: WHMCompleteSolution CVE-2011-4812 (Cross-site scripting (XSS) vulnerability in nowosci.php in BestShopPro ...) NOT-FOR-US: BestShopPro CVE-2011-4811 (SQL injection vulnerability in pokaz_podkat.php in BestShopPro allows ...) NOT-FOR-US: BestShopPro CVE-2011-4810 (Multiple directory traversal vulnerabilities in WHMCompleteSolution (W ...) NOT-FOR-US: WHMCompleteSolution CVE-2011-4809 (Multiple cross-site scripting (XSS) vulnerabilities in the HM Communit ...) NOT-FOR-US: Joomla extension CVE-2011-4808 (SQL injection vulnerability in the HM Community (com_hmcommunity) comp ...) NOT-FOR-US: Joomla extension CVE-2011-4807 (Directory traversal vulnerability in main.php in phpAlbum 0.4.1.16 and ...) NOT-FOR-US: phpAlbum CVE-2011-4806 (Multiple cross-site scripting (XSS) vulnerabilities in main.php in php ...) NOT-FOR-US: phpAlbum CVE-2011-4805 (Cross-site scripting (XSS) vulnerability in pubDBLogon.jsp in SAP Crys ...) NOT-FOR-US: SAP Crystal Report Server CVE-2011-4804 (Directory traversal vulnerability in the obSuggest (com_obsuggest) com ...) NOT-FOR-US: Joomla extension CVE-2011-4803 (SQL injection vulnerability in wptouch/ajax.php in the WPTouch plugin ...) NOT-FOR-US: WPTouch WordPress plugin CVE-2011-4802 (Multiple SQL injection vulnerabilities in Dolibarr 3.1.0 RC and probab ...) - dolibarr 3.3.4-1 CVE-2011-4801 (SQL injection vulnerability in akeyActivationLogin.do in Authenex Web ...) NOT-FOR-US: Authenex Strong Authentication System CVE-2011-4800 (Directory traversal vulnerability in Serv-U FTP Server before 11.1.0.5 ...) NOT-FOR-US: Serv-U FTP Server CVE-2011-4799 REJECTED CVE-2011-4798 REJECTED CVE-2011-4797 REJECTED CVE-2011-4796 REJECTED CVE-2011-4795 REJECTED CVE-2011-4794 REJECTED CVE-2011-4793 REJECTED CVE-2011-4792 REJECTED CVE-2011-4791 (DBServer.exe in HP Data Protector Media Operations 6.11 and earlier al ...) NOT-FOR-US: HP Data Protector CVE-2011-4790 (Unspecified vulnerability in HP Network Automation 7.5x, 7.6x, 9.0, an ...) NOT-FOR-US: HP Network Automation CVE-2011-4789 (Stack-based buffer overflow in magentservice.exe in the server in HP L ...) NOT-FOR-US: HP Diagnostics CVE-2011-4788 (Absolute path traversal vulnerability in the web interface on HP Stora ...) NOT-FOR-US: HP StorageWorks CVE-2011-4787 (A certain ActiveX control in HPTicketMgr.dll in HP Easy Printer Care S ...) NOT-FOR-US: HP Easy Printer Care CVE-2011-4786 (A certain ActiveX control in HPTicketMgr.dll in HP Easy Printer Care S ...) NOT-FOR-US: HP Easy Printer Care CVE-2011-4785 (Directory traversal vulnerability in the HP-ChaiSOE/1.0 web server on ...) NOT-FOR-US: HP-ChaiSOE/1.0 web server CVE-2011-4784 (The NVIDIA Stereoscopic 3D driver before 7.17.12.7565 does not properl ...) NOT-FOR-US: NVIDIA Windows driver CVE-2011-4783 (The IDAPython plugin before 1.5.2.3 in IDA Pro allows user-assisted re ...) NOT-FOR-US: IDA Pro CVE-2011-4782 (Cross-site scripting (XSS) vulnerability in libraries/config/ConfigFil ...) - phpmyadmin 4:3.4.9-1 (unimportant) [squeeze] - phpmyadmin (Vulnerable code not present) [lenny] - phpmyadmin (Vulnerable code not present) NOTE: unlikely exploitation scenario CVE-2011-4781 RESERVED CVE-2011-4780 (Multiple cross-site scripting (XSS) vulnerabilities in libraries/displ ...) - phpmyadmin 4:3.4.9-1 (unimportant) [squeeze] - phpmyadmin (Vulnerable code not present) [lenny] - phpmyadmin (Vulnerable code not present) NOTE: unlikely exploitation scenario CVE-2011-4779 REJECTED CVE-2011-4778 (Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk 4.2.x ...) NOT-FOR-US: Splunk Web CVE-2011-4777 (Cross-site scripting (XSS) vulnerability in the Site Editor (aka SiteB ...) NOT-FOR-US: Plesk CVE-2011-4776 (Multiple cross-site scripting (XSS) vulnerabilities in the Control Pan ...) NOT-FOR-US: Plesk CVE-2011-4775 RESERVED CVE-2011-4774 RESERVED CVE-2011-5146 (Bokken before 1.6 and 1.5-x before 1.5-3 for Debian allows local users ...) - bokken 1.5-3 (bug #651931) CVE-2012-0120 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2429-1} - mysql-5.1 5.1.61-2 (bug #659687) CVE-2012-0119 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2429-1} - mysql-5.1 5.1.61-2 (bug #659687) CVE-2012-0118 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2429-1} - mysql-5.1 5.1.61-2 (bug #659687) CVE-2012-0117 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) - mysql-5.1 (Only affects MySQL 5.5 from experimental) CVE-2012-0116 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2429-1} - mysql-5.1 5.1.61-2 (bug #659687) CVE-2012-0115 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2429-1} - mysql-5.1 5.1.61-2 (bug #659687) CVE-2012-0114 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2429-1} - mysql-5.1 5.1.61-2 (bug #659687) CVE-2012-0113 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2429-1} - mysql-5.1 5.1.61-2 (bug #659687) CVE-2012-0112 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2429-1} - mysql-5.1 5.1.61-2 (bug #659687) CVE-2012-0111 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) - virtualbox 4.1.8-dfsg-1 (bug #659950) [squeeze] - virtualbox (Vulnerable code not present, see #659950) CVE-2012-0110 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-0109 (Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 Express a ...) NOT-FOR-US: Oracle Solaris CVE-2012-0108 (Unspecified vulnerability in the Oracle Imaging and Process Management ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-0107 (Unspecified vulnerability in the Oracle Imaging and Process Management ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-0106 (Unspecified vulnerability in the Oracle Imaging and Process Management ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-0105 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...) - virtualbox-guest-additions-iso 4.1.8-1 (bug #659951) [squeeze] - virtualbox-guest-additions-iso (Vulnerable code not present, see #659950) CVE-2012-0104 (Unspecified vulnerability in Oracle GlassFish Enterprise Server 3.0.1 ...) - glassfish (Debian package only builds a few API elements) CVE-2012-0103 (Unspecified vulnerability in Oracle Solaris 11 Express allows local us ...) NOT-FOR-US: Oracle Solaris Kernel CVE-2012-0102 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2429-1} - mysql-5.1 5.1.61-2 (bug #659687) CVE-2012-0101 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2429-1} - mysql-5.1 5.1.61-2 (bug #659687) CVE-2012-0100 (Unspecified vulnerability in Oracle Solaris 9, 10, and 11 Express allo ...) NOT-FOR-US: Oracle Solaris CVE-2012-0099 (Unspecified vulnerability in Oracle Solaris 9, 10, and 11 Express allo ...) NOT-FOR-US: Oracle Solaris CVE-2012-0098 (Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 Express a ...) NOT-FOR-US: Oracle Solaris CVE-2012-0097 (Unspecified vulnerability in Oracle Solaris 11 Express allows local us ...) NOT-FOR-US: Oracle Solaris CVE-2012-0096 (Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 Express a ...) NOT-FOR-US: Oracle Solaris CVE-2012-0095 (Unspecified vulnerability in the Oracle Imaging and Process Management ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-0094 (Unspecified vulnerability in Oracle Solaris 9, 10, and 11 Express allo ...) NOT-FOR-US: Oracle Solaris CVE-2012-0093 (Unspecified vulnerability in the Oracle Imaging and Process Management ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-0092 (Unspecified vulnerability in the Oracle Imaging and Process Management ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-0091 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-0090 (Unspecified vulnerability in the Oracle Imaging and Process Management ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-0089 (Unspecified vulnerability in the PeopleSoft Enterprise HCM component i ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-0088 (Unspecified vulnerability in the PeopleSoft Enterprise HCM component i ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-0087 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2429-1} - mysql-5.1 5.1.61-2 (bug #659687) CVE-2012-0086 (Unspecified vulnerability in the Oracle Imaging and Process Management ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-0085 (Unspecified vulnerability in the Oracle WebCenter Content component in ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-0084 (Unspecified vulnerability in the Oracle WebCenter Content component in ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-0083 (Unspecified vulnerability in the Oracle WebCenter Content component in ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-0082 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2012-0081 (Unspecified vulnerability in Oracle GlassFish Enterprise Server 3.1.1 ...) - glassfish (Debian package only builds a few API elements) CVE-2012-0080 (Unspecified vulnerability in the PeopleSoft Enterprise HCM component i ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-0079 (Unspecified vulnerability in Oracle OpenSSO 7.1 and 8.0 allows remote ...) NOT-FOR-US: Oracle OpenSSO CVE-2012-0078 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2012-0077 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle WebLogic Server CVE-2012-0076 (Unspecified vulnerability in the PeopleSoft Enterprise HCM component i ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-0075 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2429-1} - mysql-5.1 5.1.61-2 (bug #659687) CVE-2012-0074 (Unspecified vulnerability in the PeopleSoft Enterprise CRM component i ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-0073 (Unspecified vulnerability in the Oracle Forms component in Oracle E-Bu ...) NOT-FOR-US: Oracle E-Business Suite CVE-2012-0072 (Unspecified vulnerability in the Listener component in Oracle Database ...) NOT-FOR-US: Oracle Database Server CVE-2012-0071 (Unspecified vulnerability in the Oracle Imaging and Process Management ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2011-4773 (The AnGuanJia (com.anguanjia.safe) application 2.10.343 for Android do ...) NOT-FOR-US: AnGuanJia (com.anguanjia.safe) application CVE-2011-4772 (The 360 KouXin (com.qihoo360.kouxin) application 1.5.3 for Android doe ...) NOT-FOR-US: 360 KouXin (com.qihoo360.kouxin) application CVE-2011-4771 (The Scan to PDF Free (com.scan.to.pdf.trial) application 2.0.4 for And ...) NOT-FOR-US: Scan to PDF Free (com.scan.to.pdf.trial) application CVE-2011-4770 (The QIWI Wallet (ru.mw) application before 1.14.2 for Android does not ...) NOT-FOR-US: QIWI Wallet (ru.mw) application CVE-2011-4769 (The 360 MobileSafe (com.qihoo360.mobilesafe) application 2.x before 2. ...) NOT-FOR-US: 360 MobileSafe (com.qihoo360.mobilesafe) application CVE-2011-4768 (The Site Editor (aka SiteBuilder) feature in Parallels Plesk Small Bus ...) NOT-FOR-US: Plesk CVE-2011-4767 (The Site Editor (aka SiteBuilder) feature in Parallels Plesk Small Bus ...) NOT-FOR-US: Plesk CVE-2011-4766 (** DISPUTED ** The Site Editor (aka SiteBuilder) feature in Parallels ...) NOT-FOR-US: Plesk CVE-2011-4765 (The Site Editor (aka SiteBuilder) feature in Parallels Plesk Small Bus ...) NOT-FOR-US: Plesk CVE-2011-4764 (Multiple cross-site scripting (XSS) vulnerabilities in the Site Editor ...) NOT-FOR-US: Plesk CVE-2011-4763 (Multiple SQL injection vulnerabilities in the Site Editor (aka SiteBui ...) NOT-FOR-US: Plesk CVE-2011-4762 (Parallels Plesk Small Business Panel 10.2.0 sends incorrect Content-Ty ...) NOT-FOR-US: Plesk CVE-2011-4761 (Parallels Plesk Small Business Panel 10.2.0 omits the Content-Type hea ...) NOT-FOR-US: Plesk CVE-2011-4760 (Parallels Plesk Small Business Panel 10.2.0 has web pages containing e ...) NOT-FOR-US: Plesk CVE-2011-4759 (Parallels Plesk Small Business Panel 10.2.0 generates web pages contai ...) NOT-FOR-US: Plesk CVE-2011-4758 (Parallels Plesk Small Business Panel 10.2.0 receives cleartext passwor ...) NOT-FOR-US: Plesk CVE-2011-4757 (Parallels Plesk Small Business Panel 10.2.0 generates a password form ...) NOT-FOR-US: Plesk CVE-2011-4756 (Parallels Plesk Small Business Panel 10.2.0 does not include the HTTPO ...) NOT-FOR-US: Plesk CVE-2011-4755 (Parallels Plesk Small Business Panel 10.2.0 does not properly validate ...) NOT-FOR-US: Plesk CVE-2011-4754 (Multiple cross-site scripting (XSS) vulnerabilities in Parallels Plesk ...) NOT-FOR-US: Plesk CVE-2011-4753 (Multiple SQL injection vulnerabilities in Parallels Plesk Small Busine ...) NOT-FOR-US: Plesk CVE-2011-4752 (SmarterTools SmarterStats 6.2.4100 sends incorrect Content-Type header ...) NOT-FOR-US: SmarterTools SmaterStats CVE-2011-4751 (SmarterTools SmarterStats 6.2.4100 generates web pages containing exte ...) NOT-FOR-US: SmarterTools SmaterStats CVE-2011-4750 (Multiple cross-site scripting (XSS) vulnerabilities in SmarterTools Sm ...) NOT-FOR-US: SmarterTools SmaterStats CVE-2011-4749 (The billing system for Parallels Plesk Panel 10.3.1_build1013110726.09 ...) NOT-FOR-US: Plesk CVE-2011-4748 (The billing system for Parallels Plesk Panel 10.3.1_build1013110726.09 ...) NOT-FOR-US: Plesk CVE-2011-4747 (The billing system for Parallels Plesk Panel 10.3.1_build1013110726.09 ...) NOT-FOR-US: Plesk CVE-2011-4746 (The billing system for Parallels Plesk Panel 10.3.1_build1013110726.09 ...) NOT-FOR-US: Plesk CVE-2011-4745 (Multiple cross-site scripting (XSS) vulnerabilities in the billing sys ...) NOT-FOR-US: Plesk CVE-2011-4744 (The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 se ...) NOT-FOR-US: Plesk CVE-2011-4743 (The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 om ...) NOT-FOR-US: Plesk CVE-2011-4742 (The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 ha ...) NOT-FOR-US: Plesk CVE-2011-4741 (The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 in ...) NOT-FOR-US: Plesk CVE-2011-4740 (The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 ge ...) NOT-FOR-US: Plesk CVE-2011-4739 (The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 ge ...) NOT-FOR-US: Plesk CVE-2011-4738 (The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 do ...) NOT-FOR-US: Plesk CVE-2011-4737 (The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 in ...) NOT-FOR-US: Plesk CVE-2011-4736 (The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 re ...) NOT-FOR-US: Plesk CVE-2011-4735 (Multiple cross-site scripting (XSS) vulnerabilities in the Control Pan ...) NOT-FOR-US: Plesk CVE-2011-4734 (Multiple SQL injection vulnerabilities in the Control Panel in Paralle ...) NOT-FOR-US: Plesk CVE-2011-4733 (The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1 ...) NOT-FOR-US: Plesk CVE-2011-4732 (The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1 ...) NOT-FOR-US: Plesk CVE-2011-4731 (The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1 ...) NOT-FOR-US: Plesk CVE-2011-4730 (The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1 ...) NOT-FOR-US: Plesk CVE-2011-4729 (The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1 ...) NOT-FOR-US: Plesk CVE-2011-4728 (The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1 ...) NOT-FOR-US: Plesk CVE-2011-4727 (The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1 ...) NOT-FOR-US: Plesk CVE-2011-4726 (Multiple cross-site scripting (XSS) vulnerabilities in the Server Admi ...) NOT-FOR-US: Plesk CVE-2011-4725 (Multiple SQL injection vulnerabilities in the Server Administration Pa ...) NOT-FOR-US: Plesk CVE-2011-4724 RESERVED CVE-2011-4723 (The D-Link DIR-300 router stores cleartext passwords, which allows con ...) NOT-FOR-US: D-Link DIR-300 router CVE-2011-4722 (Directory traversal vulnerability in the TFTP Server 1.0.0.24 in Ipswi ...) NOT-FOR-US: Ipswitch WhatsUp Gold CVE-2011-4721 RESERVED CVE-2011-4720 (Hillstone HS TFTP Server 1.3.2 allows remote attackers to cause a deni ...) NOT-FOR-US: Hillstone HS TFTP Server CVE-2011-4719 (Multiple unspecified vulnerabilities in Google Chrome before 16.0.912. ...) - chromium-browser - webkit NOTE: Duplicate for chromebooks CVE-2011-4718 (Session fixation vulnerability in the Sessions subsystem in PHP before ...) - php5 5.5.2+dfsg-1 (low) [wheezy] - php5 (Too intrusive to backport, mitigations exists) [squeeze] - php5 (Too intrusive to backport, mitigations exists) NOTE: 5.5.2 implements strict sessions RFC (https://wiki.php.net/rfc/strict_sessions) CVE-2011-4717 (Directory traversal vulnerability in zFTPServer Suite 6.0.0.52 allows ...) NOT-FOR-US: zFTPServer Suite CVE-2011-4716 (Directory traversal vulnerability in file in DreamBox DM800 1.6rc3, 1. ...) NOT-FOR-US: DreamBox CVE-2011-4715 (Directory traversal vulnerability in cgi-bin/koha/mainpage.pl in Koha ...) - koha (bug #389876) CVE-2011-4714 (Directory traversal vulnerability in Virtual Vertex Muster before 6.20 ...) NOT-FOR-US: Virtual Vertex Muster CVE-2011-4713 (Directory traversal vulnerability in catalog/content.php in osCSS2 2.1 ...) NOT-FOR-US: osCSS2 CVE-2011-4712 (Directory traversal vulnerability in Oxide WebServer allows remote att ...) NOT-FOR-US: Oxide CVE-2011-4711 (Multiple directory traversal vulnerabilities in namazu.cgi in Namazu b ...) - namazu2 (Windows-specific issue) CVE-2011-4710 (Multiple SQL injection vulnerabilities in Pixie CMS 1.01 through 1.04 ...) NOT-FOR-US: Pixie CMS CVE-2011-4709 (Multiple cross-site scripting (XSS) vulnerabilities in Hotaru.php in t ...) NOT-FOR-US: Hotaru CVE-2011-4708 (Cross-site scripting (XSS) vulnerability in IBM Rational Asset Manager ...) NOT-FOR-US: IBM Rational Asset Manager CVE-2011-4707 (Multiple cross-site scripting (XSS) vulnerabilities in the Virus Scan ...) NOT-FOR-US: SAP Netweaver CVE-2011-4706 RESERVED CVE-2011-4705 (The Ming Blacklist Free (vc.software.blacklist) application 1.8.1 and ...) NOT-FOR-US: Ming Blacklist Free (vc.software.blacklist) application CVE-2011-4704 (The Voxofon (com.voxofon) application before 2.5.2 for Android does no ...) NOT-FOR-US: Voxofon (com.voxofon) application CVE-2011-4703 (The Limit My Call (com.limited.call.view) application 2.11 for Android ...) NOT-FOR-US: Limit My Call (com.limited.call.view) application CVE-2011-4702 (The Nimbuzz (com.nimbuzz) application 2.0.8 and 2.0.10 for Android doe ...) NOT-FOR-US: Nimbuzz (com.nimbuzz) application CVE-2011-4701 (The CallConfirm (jp.gr.java_conf.ofnhwx.callconfirm) application 2.0.0 ...) NOT-FOR-US: CallConfirm (jp.gr.java_conf.ofnhwx.callconfirm) application CVE-2011-4700 (The UberMedia UberSocial (com.twidroid) application 7.x before 7.2.4 f ...) NOT-FOR-US: UberMedia UberSocial (com.twidroid) application CVE-2011-4699 (The Ubermedia Twidroyd Legacy (com.twidroydlegacy) application 4.3.11 ...) NOT-FOR-US: Ubermedia Twidroyd Legacy (com.twidroydlegacy) application CVE-2011-4698 (The AndroidAppTools Easy Filter (com.phoneblocker.android) application ...) NOT-FOR-US: AndroidAppTools Easy Filter (com.phoneblocker.android) CVE-2011-4697 (The Xiaomi MiTalk Messenger (com.xiaomi.channel) application before 2. ...) NOT-FOR-US: Xiaomi MiTalk Messenger (com.xiaomi.channel) application CVE-2011-4696 (Directory traversal vulnerability in Eye-Fi Helper before 3.4.23 allow ...) NOT-FOR-US: Eye-Fi Helper CVE-2010-5075 (Integer overflow in aswFW.sys 5.0.594.0 in Avast! Internet Security 5. ...) NOT-FOR-US: Avast! Internet Security CVE-2012-0785 (Hash collision attack vulnerability in Jenkins before 1.447, Jenkins L ...) - jenkins-winstone 0.9.10-jenkins-31+dfsg-1 (bug #655553) - jenkins-executable-war 1.25-1 (bug #655554) - jenkins 1.409.3+dfsg-2 CVE-2012-0070 (spamdyke prior to 4.2.1: STARTTLS reveals plaintext ...) NOT-FOR-US: spamdyke not in Debian CVE-2012-0069 (SQL injection vulnerability in ajax.php in Batavi before 1.2.1 allows ...) NOT-FOR-US: batavi not in Debian CVE-2012-0068 (The lanalyzer_read function in wiretap/lanalyzer.c in Wireshark 1.4.x ...) {DSA-2395-1} - wireshark 1.6.5-1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6670 CVE-2012-0067 (wiretap/iptrace.c in Wireshark 1.4.x before 1.4.11 and 1.6.x before 1. ...) {DSA-2395-1} - wireshark 1.6.5-1 (unimportant) NOTE: Not suitable for code injection NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6668 CVE-2012-0066 (Wireshark 1.4.x before 1.4.11 and 1.6.x before 1.6.5 allows remote att ...) {DSA-2395-1} - wireshark 1.6.5-1 (unimportant) NOTE: Not suitable for code injection NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6666 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6667 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6669 CVE-2012-0065 (Heap-based buffer overflow in the receive_packet function in libusbmux ...) - usbmuxd 1.0.7-2 (medium; bug #656581) [lenny] - usbmuxd (introduced in 1.0.7) [squeeze] - usbmuxd (introduced in 1.0.7) CVE-2012-0064 (xkeyboard-config before 2.5 in X.Org before 7.6 enables certain XKB de ...) - xorg-server 2:1.11.3.901-2 (high; bug #656410) [squeeze] - xorg-server (introduced in 1.11) [lenny] - xorg-server (introduced in 1.11) NOTE: actually unfixed in experimental, not marked because of version numbering CVE-2012-0063 (Insecure plugin update mechanism in tucan through 0.3.10 could allow r ...) - tucan (bug #656388) [squeeze] - tucan (Minor issue) CVE-2012-0062 (Red Hat JBoss Operations Network (JON) before 2.4.2 and 3.0.x before 3 ...) NOT-FOR-US: JBoss Operations Network CVE-2012-0061 (The headerLoad function in lib/header.c in RPM before 4.9.1.3 does not ...) {DLA-140-1} - rpm 4.9.1.3-1 (bug #667031) [squeeze] - rpm (Minor issue) CVE-2012-0060 (RPM before 4.9.1.3 does not properly validate region tags, which allow ...) {DLA-140-1} - rpm 4.9.1.3-1 (bug #667031) [squeeze] - rpm (Minor issue) CVE-2012-0059 (Spacewalk-backend in Red Hat Network (RHN) Satellite and Proxy 5.4 inc ...) NOT-FOR-US: RHN Satellite CVE-2012-0058 (The kiocb_batch_free function in fs/aio.c in the Linux kernel before 3 ...) - linux-2.6 3.2.2-1 [wheezy] - linux-2.6 (introduced in 3.2-rc1) [squeeze] - linux-2.6 (introduced in 3.2-rc1) [lenny] - linux-2.6 (introduced in 3.2-rc1) CVE-2012-0057 (PHP before 5.3.9 has improper libxslt security settings, which allows ...) {DSA-2399-1} - php5 5.3.9-1 (bug #656308) CVE-2012-0056 (The mem_write function in the Linux kernel before 3.2.2, when ASLR is ...) - linux-2.6 3.2.1-2 [squeeze] - linux-2.6 (introduced in 2.6.39) [lenny] - linux-2.6 (introduced in 2.6.39) NOTE: fix is http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc (queued for 3.3) CVE-2012-0055 (OverlayFS in the Linux kernel before 3.0.0-16.28, as used in Ubuntu 10 ...) NOT-FOR-US: overlayfs is not (yet) in the Debian kernel CVE-2012-0054 (libs/updater.py in GoLismero 0.6.3, and other versions before Git revi ...) NOT-FOR-US: golismero not in Debian CVE-2012-0053 (protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not pro ...) {DSA-2405-1} - apache2 2.2.22-1 (low) CVE-2012-0052 (Red Hat JBoss Operations Network (JON) before 2.4.2 and 3.0.x before 3 ...) NOT-FOR-US: JBoss Operations Network CVE-2012-0051 (Tahoe-LAFS 1.9.0 fails to ensure integrity which allows remote attacke ...) - tahoe-lafs (Only affects 1.9.0, not uploaded to the archive) CVE-2012-0050 (OpenSSL 0.9.8s and 1.0.0f does not properly support DTLS applications, ...) {DSA-2392-1} - openssl 1.0.0g-1 NOTE: http://www.openssl.org/news/secadv/20120118.txt CVE-2012-0049 (OpenTTD before 1.1.5 contains a Denial of Service (slow read attack) t ...) {DSA-2524-1} - openttd 1.1.5-1 (low) NOTE: http://vcs.openttd.org/svn/changeset/23764 NOTE: http://security.openttd.org/en/CVE-2012-0049 CVE-2012-0048 (OpenTTD 0.3.5 through 1.1.4 allows remote attackers to cause a denial ...) NOTE: contacted MITRE, will be rejected CVE-2012-0047 (Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before ...) NOT-FOR-US: Apache Wicket CVE-2012-0046 (mediawiki allows deleted text to be exposed ...) - mediawiki 1:1.15.5-6 (low; bug #655694) [squeeze] - mediawiki 1:1.15.5-2squeeze3 [lenny] - mediawiki (Vulnerable code not present) CVE-2012-0045 (The em_syscall function in arch/x86/kvm/emulate.c in the KVM implement ...) {DSA-2443-1} - linux-2.6 3.2.2-1 [lenny] - linux-2.6 (Vulnerable code not present) CVE-2012-0044 (Integer overflow in the drm_mode_dirtyfb_ioctl function in drivers/gpu ...) - linux-2.6 3.1.5-1 [squeeze] - linux-2.6 2.6.32-40 CVE-2012-0043 (Buffer overflow in the reassemble_message function in epan/dissectors/ ...) - wireshark 1.6.5-1 [squeeze] - wireshark (Vulnerable code not present) CVE-2012-0042 (Wireshark 1.4.x before 1.4.11 and 1.6.x before 1.6.5 does not properly ...) {DSA-2395-1} - wireshark 1.6.5-1 (unimportant) NOTE: Not suitable for code injection CVE-2012-0041 (The dissect_packet function in epan/packet.c in Wireshark 1.4.x before ...) {DSA-2395-1} - wireshark 1.6.5-1 (unimportant) NOTE: Not suitable for code injection NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6663 CVE-2012-0040 (Cross-site scripting (XSS) vulnerability in modules/core/www/no_cookie ...) {DSA-2387-1} - simplesamlphp 1.8.2-1 NOTE: http://groups.google.com/group/simplesamlphp-announce/browse_thread/thread/cb96723ee3c6751e CVE-2012-0039 (** DISPUTED ** GLib 2.31.8 and earlier, when the g_str_hash function i ...) - glib2.0 (unimportant; bug #655044) CVE-2012-0038 (Integer overflow in the xfs_acl_from_disk function in fs/xfs/xfs_acl.c ...) - linux-2.6 3.2.1-1 [squeeze] - linux-2.6 2.6.32-41 CVE-2012-0037 (Redland Raptor (aka libraptor) before 2.0.7, as used by OpenOffice 3.3 ...) {DSA-2438-1} - raptor 1.4.21-7.1 (bug #677427) CVE-2012-0036 (curl and libcurl 7.2x before 7.24.0 do not properly consider special c ...) {DSA-2398-1} - curl 7.24.0-1 [lenny] - curl (Only affects 7.20.0 to 7.23.1) NOTE: http://curl.haxx.se/docs/adv_20120124.html CVE-2012-0035 (Untrusted search path vulnerability in EDE in CEDET before 1.0.1, as u ...) - cedet (low; bug #655299) [squeeze] - cedet (Minor issue) - emacs23 23.3+1-5 (low; bug #655300) [squeeze] - emacs23 (Minor issue) CVE-2012-0034 (The NonManagedConnectionFactory in JBoss Enterprise Application Platfo ...) NOT-FOR-US: JBoss Enterprise Application Platform CVE-2012-0033 (The CBounceDCCMod::OnPrivCTCP function in bouncedcc.cpp in the bounced ...) - znc 0.202-2 [squeeze] - znc (Only affects 0.200 and 0.202) [lenny] - znc (Only affects 0.200 and 0.202) CVE-2012-0032 (Red Hat JBoss Operations Network (JON) before 3.0.1 uses 0777 permissi ...) NOT-FOR-US: JBoss Operations Network CVE-2012-0031 (scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow ...) {DSA-2405-1} - apache2 2.2.22-1 (low) CVE-2012-0030 (Nova 2011.3 and Essex, when using the OpenStack API, allows remote aut ...) - nova 2012.1~rc1-1 CVE-2012-0029 (Heap-based buffer overflow in the process_tx_desc function in the e100 ...) {DSA-2404-1 DSA-2396-1} - qemu-kvm 1.0+dfsg-5 - xen-qemu-dm-4.0 [squeeze] - xen (vulnerable code not present) - xen 4.1.3~rc1+hg-20120614.a9c0a89c08f2-1 (medium) CVE-2012-0028 (The robust futex implementation in the Linux kernel before 2.6.28 does ...) - linux-2.6 2.6.32-1 CVE-2012-0027 (The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle inva ...) - openssl 1.0.0f-1 [lenny] - openssl (no GOST support) [squeeze] - openssl (no GOST support) CVE-2012-0026 REJECTED CVE-2012-0025 (Double free vulnerability in the Free_All_Memory function in jpeg/dect ...) NOT-FOR-US: libfpx CVE-2012-0024 (MaraDNS before 1.3.07.12 and 1.4.x before 1.4.08 computes hash values ...) - maradns 1.4.09-1 [squeeze] - maradns (Minor issue) [lenny] - maradns (Minor issue) NOTE: a DoS that requires being able to do recursive queries. Allowing recursive queries to the general public is already a security issue to begin with, so this issue can better be addressed in a point update. CVE-2012-0023 (Double free vulnerability in the get_chunk_header function in modules/ ...) - vlc 1.1.13-1 [squeeze] - vlc (Unsupported in squeeze-lts) CVE-2012-0022 (Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7 ...) {DSA-2401-1} - tomcat5 - tomcat6 6.0.35-1 - tomcat7 7.0.23-1 CVE-2012-0021 (The log_cookie function in mod_log_config.c in the mod_log_config modu ...) - apache2 2.2.22-1 [squeeze] - apache2 (Introduced in 2.2.17) [lenny] - apache2 (Introduced in 2.2.17) CVE-2011-4695 (Unspecified vulnerability in Microsoft Windows 7 SP1, when Java is ins ...) NOT-FOR-US: Microsoft Windows CVE-2011-4694 (Unspecified vulnerability in Adobe Flash Player 11.1.102.55 on Windows ...) NOT-FOR-US: Adobe Flash Player CVE-2011-4693 (Unspecified vulnerability in Adobe Flash Player 11.1.102.55 on Windows ...) NOT-FOR-US: Adobe Flash Player CVE-2011-4692 (WebKit, as used in Apple Safari 5.1.1 and earlier and Google Chrome 15 ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-4691 (Google Chrome 15.0.874.121 and earlier does not prevent capture of dat ...) - chromium-browser 17.0.963.56~r121963-1 (unimportant) CVE-2011-4690 (Opera 11.60 and earlier does not prevent capture of data about the tim ...) NOT-FOR-US: Opera CVE-2011-4689 (Microsoft Internet Explorer 6 through 9 does not prevent capture of da ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-4688 (Mozilla Firefox 8.0.1 and earlier does not prevent capture of data abo ...) - iceweasel (unimportant) CVE-2011-4687 (Opera before 11.60 allows remote attackers to cause a denial of servic ...) NOT-FOR-US: Opera CVE-2011-4686 (Unspecified vulnerability in the Web Workers implementation in Opera b ...) NOT-FOR-US: Opera CVE-2011-4685 (Dragonfly in Opera before 11.60 allows remote attackers to cause a den ...) NOT-FOR-US: Opera CVE-2011-4684 (Opera before 11.60 does not properly handle certificate revocation, wh ...) NOT-FOR-US: Opera CVE-2011-4683 (Unspecified vulnerability in Opera before 11.60 has unknown impact and ...) NOT-FOR-US: Opera CVE-2011-4682 (The JavaScript engine in Opera before 11.60 does not properly implemen ...) NOT-FOR-US: Opera CVE-2011-4681 (Opera before 11.60 does not properly consider the number of . (dot) ch ...) NOT-FOR-US: Opera CVE-2011-4680 (Multiple cross-site scripting (XSS) vulnerabilities in the customer po ...) NOT-FOR-US: vtiger CRM CVE-2011-4679 (vtiger CRM before 5.3.0 does not properly recognize the disabled statu ...) NOT-FOR-US: vtiger CRM CVE-2010-5074 (The layout engine in Mozilla Firefox before 4.0, Thunderbird before 3. ...) - iceweasel 4.0-1 (unimportant) CVE-2010-5073 (The JavaScript implementation in Google Chrome 4 does not properly res ...) - chromium-browser - webkit CVE-2010-5072 (The JavaScript implementation in Opera 10.5 does not properly restrict ...) NOT-FOR-US: Opera CVE-2010-5071 (The JavaScript implementation in Microsoft Internet Explorer 8.0 and e ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-5070 (The JavaScript implementation in Apple Safari 4 does not properly rest ...) NOT-FOR-US: Safari CVE-2010-5069 (The Cascading Style Sheets (CSS) implementation in Google Chrome 4 doe ...) - chromium-browser - webkit CVE-2010-5068 (The Cascading Style Sheets (CSS) implementation in Opera 10.5 does not ...) NOT-FOR-US: Opera CVE-2002-2437 (The JavaScript implementation in Mozilla Firefox before 4.0, Thunderbi ...) - iceweasel 4.0-1 (unimportant) CVE-2002-2436 (The Cascading Style Sheets (CSS) implementation in Mozilla Firefox bef ...) - iceweasel 4.0-1 (unimportant) CVE-2002-2435 (The Cascading Style Sheets (CSS) implementation in Microsoft Internet ...) NOT-FOR-US: Internet Explorer CVE-2011-4678 (The password reset feature in One Click Orgs before 1.2.3 generates di ...) NOT-FOR-US: One Click Orgs CVE-2011-4677 (One Click Orgs before 1.2.3 does not have an off autocomplete attribut ...) NOT-FOR-US: One Click Orgs CVE-2011-4676 RESERVED CVE-2011-4675 (The pathname canonicalization functionality in io/filesystem/filesyste ...) - widelands 1:15-3 (low) NOTE: Nearly a duplicate of CVE-2011-1932. NOTE: CVE's SPLIT decision is unclear. CVE-2011-4674 (SQL injection vulnerability in popup.php in Zabbix 1.8.3 and 1.8.4, an ...) - zabbix 1:1.8.9-1 (bug #651225) [squeeze] - zabbix (Will be handled through point update) CVE-2011-4673 (SQL injection vulnerability in modules/sharedaddy.php in the Jetpack p ...) NOT-FOR-US: Jetpack plugin for Wordpress CVE-2011-4672 (Multiple SQL injection vulnerabilities in Valid tiny-erp 1.6 and earli ...) NOT-FOR-US: Valid tiny-erp, different from TinyERP, the former name of OpenERP CVE-2011-4671 (SQL injection vulnerability in adrotate/adrotate-out.php in the AdRota ...) NOT-FOR-US: Adrorate plugin for Wordpress CVE-2011-4670 (Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 5.2. ...) NOT-FOR-US: vTiger CRM CVE-2011-4669 (SQL injection vulnerability in wp-users.php in WordPress Users plugin ...) NOT-FOR-US: Wordpress plugin CVE-2011-4668 (IBM Tivoli Netcool/Reporter 2.2 before 2.2.0.8 allows remote attackers ...) NOT-FOR-US: Tivoli CVE-2011-4667 (The encryption library in Cisco IOS Software 15.2(1)T, 15.2(1)T1, and ...) NOT-FOR-US: Cisco CVE-2011-4666 RESERVED CVE-2011-4665 RESERVED CVE-2011-4664 RESERVED CVE-2011-4663 RESERVED CVE-2011-4662 RESERVED CVE-2011-4661 (A memory leak vulnerability exists in Cisco IOS before 15.2(1)T due to ...) NOT-FOR-US: Cisco CVE-2011-4660 RESERVED CVE-2011-4659 (Cisco TelePresence Software before TE 4.1.1 on the Cisco IP Video Phon ...) NOT-FOR-US: Cisco TelePresence Software CVE-2011-4658 RESERVED CVE-2011-4657 RESERVED CVE-2011-4656 RESERVED CVE-2011-4655 RESERVED CVE-2011-4654 RESERVED CVE-2011-4653 RESERVED CVE-2011-4652 RESERVED CVE-2011-4651 RESERVED CVE-2011-4650 (Cisco Data Center Network Manager is affected by Excessive Logging Dur ...) NOT-FOR-US: Cisco CVE-2011-4649 RESERVED CVE-2011-4648 RESERVED CVE-2011-4647 (Multiple cross-site scripting (XSS) vulnerabilities in the story creat ...) NOT-FOR-US: Geeklog CVE-2011-4646 (SQL injection vulnerability in wp-postratings.php in the WP-PostRating ...) NOT-FOR-US: Wordpress plugin CVE-2011-4645 RESERVED CVE-2011-4644 (Splunk 4.2.5 and earlier, when a Free license is selected, enables pot ...) NOT-FOR-US: Splunk Web CVE-2011-4643 (Multiple directory traversal vulnerabilities in Splunk 4.x before 4.2. ...) NOT-FOR-US: Splunk Web CVE-2011-4642 (mappy.py in Splunk Web in Splunk 4.2.x before 4.2.5 does not properly ...) NOT-FOR-US: Splunk Web CVE-2003-1597 RESERVED CVE-2011-4641 RESERVED CVE-2011-4640 (Directory traversal vulnerability in logs-x.php in SpamTitan WebTitan ...) NOT-FOR-US: SpamTitan CVE-2011-4639 (The (1) Traceroute and (2) Ping implementations in tools.php in SpamTi ...) NOT-FOR-US: SpamTitan CVE-2011-4638 (Multiple SQL injection vulnerabilities in SpamTitan WebTitan before 3. ...) NOT-FOR-US: SpamTitan CVE-2011-4637 RESERVED CVE-2011-4636 RESERVED CVE-2011-4635 RESERVED CVE-2011-4634 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.4. ...) - phpmyadmin 4:3.4.8-1 (low) [squeeze] - phpmyadmin (Vulnerable code not present) [lenny] - phpmyadmin (Vulnerable code not present) CVE-2011-4633 RESERVED CVE-2011-4632 (Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, ...) {DSA-2289-1} - typo3-src 4.5.4+dfsg1-1 (bug #635937) CVE-2011-4631 (Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, ...) {DSA-2289-1} - typo3-src 4.5.4+dfsg1-1 (bug #635937) CVE-2011-4630 (Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, ...) {DSA-2289-1} - typo3-src 4.5.4+dfsg1-1 (bug #635937) CVE-2011-4629 (Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, ...) {DSA-2289-1} - typo3-src 4.5.4+dfsg1-1 (bug #635937) CVE-2011-4628 (TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows ...) {DSA-2289-1} - typo3-src 4.5.4+dfsg1-1 (bug #635937) CVE-2011-4627 (TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows ...) {DSA-2289-1} - typo3-src 4.5.4+dfsg1-1 (bug #635937) CVE-2011-4626 (Cross-site Scripting (XSS) in TYPO3 before 4.3.12, 4.4.x before 4.4.9, ...) {DSA-2289-1} - typo3-src 4.5.4+dfsg1-1 (bug #635937) CVE-2011-4625 (simplesamlphp before 1.6.3 (squeeze) and before 1.8.2 (sid) incorrectl ...) {DSA-2330-1} - simplesamlphp 1.8.1-1 CVE-2011-4624 (Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND ...) NOT-FOR-US: WordPress flash-album-gallery CVE-2011-4623 (Integer overflow in the rsCStrExtendBuf function in runtime/stringbuf. ...) - rsyslog 5.7.4-1 [squeeze] - rsyslog (Minor issue) CVE-2011-4622 (The create_pit_timer function in arch/x86/kvm/i8254.c in KVM 83, and p ...) {DSA-2389-1} - linux-2.6 3.1.8-1 CVE-2011-4621 (The Linux kernel before 2.6.37 does not properly implement a certain c ...) - linux-2.6 2.6.37-1 [squeeze] - linux-2.6 (Vulnerable code introduced in 2.6.35) CVE-2011-4620 (Buffer overflow in the ulSetError function in util/ulError.cxx in PLIB ...) {DSA-2425-1} - plib 1.8.5-5.1 (bug #654785) CVE-2011-4619 (The Server Gated Cryptography (SGC) implementation in OpenSSL before 0 ...) {DSA-2390-1} - openssl 1.0.0h-1 CVE-2011-4618 (Cross-site scripting (XSS) vulnerability in advancedtext.php in Advanc ...) NOT-FOR-US: WordPress advanced-text-widget CVE-2011-4617 (virtualenv.py in virtualenv before 1.5 allows local users to overwrite ...) - python-virtualenv 1.6-1 (low; bug #652653) [lenny] - python-virtualenv (Minor issue) [squeeze] - python-virtualenv 1.4.9-3squeeze1 CVE-2011-4616 (Cross-site scripting (XSS) vulnerability in the HTML-Template-Pro modu ...) - libhtml-template-pro-perl 0.9507-1 (low; bug #652587) [squeeze] - libhtml-template-pro-perl 0.9502-1+squeeze1 CVE-2011-4615 (Multiple cross-site scripting (XSS) vulnerabilities in Zabbix before 1 ...) - zabbix 1:1.8.10-1 (bug #652664) [squeeze] - zabbix (Will be handled through point update) CVE-2011-4614 (PHP remote file inclusion vulnerability in Classes/Controller/Abstract ...) - typo3-src 4.5.9+dfsg1-1 (bug #652365) [squeeze] - typo3-src (Only affects 4.5 onwards) [lenny] - typo3-src (Only affects 4.5 onwards) CVE-2011-4613 (The X.Org X wrapper (xserver-wrapper.c) in Debian GNU/Linux and Ubuntu ...) {DSA-2364-1} - xorg 1:7.6+10 (low; bug #652249) [lenny] - xorg (Introduced in 1:7.4~4) CVE-2011-XXXX [X launcher doesn't drop group privileges] - xorg 1:7.6+10 (low) [squeeze] - xorg 1:7.5+8+squeeze1 [lenny] - xorg (potential privilege handling weakness, no known attack vector) NOTE: http://anonscm.debian.org/gitweb/?p=pkg-xorg/debian/xorg.git;a=commitdiff;h=e81b3943be75ca6674867fc7756905490e979522 CVE-2011-4612 (icecast before 2.3.3 allows remote attackers to inject control charact ...) - icecast2 2.3.3-1 (bug #652663) [lenny] - icecast2 (Minor issue) [squeeze] - icecast2 (Minor issue) [wheezy] - icecast2 2.3.2-9+deb7u2 CVE-2011-4611 (Integer overflow in the perf_event_interrupt function in arch/powerpc/ ...) {DSA-2389-1} - linux-2.6 3.0.0-1 CVE-2011-4610 (JBoss Web, as used in Red Hat JBoss Communications Platform before 5.1 ...) - jbossas4 (Only builds a few libraries, not the full application server) CVE-2011-4609 (The svc_run function in the RPC implementation in glibc before 2.15 al ...) - eglibc 2.13-33 (low; bug #671478) [squeeze] - eglibc 2.11.3-4 CVE-2011-4608 (mod_cluster in JBoss Enterprise Application Platform 5.1.2 for Red Hat ...) - jbossas4 (Only builds a few libraries, not the full application server) CVE-2011-4607 (PuTTY 0.59 through 0.61 does not clear sensitive process memory when m ...) - putty 0.62-1 (unimportant) [squeeze] - putty 0.60+2010-02-20-1+squeeze2 NOTE: DSA-2736-1 NOTE: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/password-not-wiped.html NOTE: Hardening measure, not a vulnerability CVE-2011-4606 (Artsoft Entertainment Rocks'n'Diamonds (aka rocksndiamonds) 3.3.0.1 al ...) - rocksndiamonds 3.3.0.1+dfsg1-2.2 (bug #651620) [squeeze] - rocksndiamonds (Contrib not supported) [lenny] - rocksndiamonds (Contrib not supported) CVE-2011-4605 (The (1) JNDI service, (2) HA-JNDI service, and (3) HAJNDIFactory invok ...) - jbossas4 (Only builds a few libraries, not the full application server, #581226) CVE-2011-4604 (The bat_socket_read function in net/batman-adv/icmp_socket.c in the Li ...) - batmand-adv-kernelland [squeeze] - batmand-adv-kernelland (Vulnerable code not present) - linux-2.6 [squeeze] - linux-2.6 (Vulnerable code not present) [lenny] - linux-2.6 (Vulnerable code not present) CVE-2011-4603 (The silc_channel_message function in ops.c in the SILC protocol plugin ...) - pidgin 2.10.1-1 (low) [squeeze] - pidgin 2.7.3-1+squeeze2 CVE-2011-4602 (The XMPP protocol plugin in libpurple in Pidgin before 2.10.1 does not ...) - pidgin 2.10.1-1 (low) [squeeze] - pidgin 2.7.3-1+squeeze2 CVE-2011-4601 (family_feedbag.c in the oscar protocol plugin in libpurple in Pidgin b ...) - pidgin 2.10.1-1 (low) [squeeze] - pidgin 2.7.3-1+squeeze2 CVE-2011-4600 (The networkReloadIptablesRules function in network/bridge_driver.c in ...) - libvirt 0.9.9-1 (low) [squeeze] - libvirt (Unsupported in squeeze-lts) CVE-2011-4599 (Stack-based buffer overflow in the _canonicalize function in common/ul ...) {DSA-2397-1} - icu 4.8.1.1-3 (bug #654883) CVE-2011-4598 (The handle_request_info function in channels/chan_sip.c in Asterisk Op ...) {DSA-2367-1} - asterisk 1:1.8.8.0~dfsg-1 (bug #651552) [lenny] - asterisk (Vulnerable code not present) CVE-2011-4597 (The SIP over UDP implementation in Asterisk Open Source 1.4.x before 1 ...) {DSA-2367-1} - asterisk 1:1.8.8.0~dfsg-1 (bug #651552) CVE-2011-4596 (Multiple directory traversal vulnerabilities in OpenStack Nova before ...) - nova 2012.1~e1-4 CVE-2011-4595 (Pretty-Link WordPress plugin 1.5.2 has XSS ...) NOT-FOR-US: WordPress pretty-link plugin CVE-2011-4594 (The __sys_sendmsg function in net/socket.c in the Linux kernel before ...) - linux-2.6 3.1-1 [squeeze] - linux-2.6 (Introduced and fixed during 3.1 dev cycle) [lenny] - linux-2.6 (Introduced and fixed during 3.1 dev cycle) CVE-2011-4593 (Moodle 1.9.x before 1.9.15, 2.0.x before 2.0.6, and 2.1.x before 2.1.3 ...) - moodle (Only affects 2.x) CVE-2011-4592 (The command-line cron implementation in Moodle 2.0.x before 2.0.6 and ...) - moodle (Only affects 2.x) CVE-2011-4591 (Cross-site scripting (XSS) vulnerability in the print_object function ...) - moodle (Only affects 2.x) CVE-2011-4590 (The web services implementation in Moodle 2.0.x before 2.0.6 and 2.1.x ...) - moodle (Only affects 2.x) CVE-2011-4589 (backup/moodle2/restore_stepslib.php in Moodle 2.0.x before 2.0.6 and 2 ...) - moodle (Only affects 2.x) CVE-2011-4588 (The ip_in_range function in mnet/lib.php in MNET in Moodle 1.9.x befor ...) {DSA-2421-1} - moodle 1.9.9.dfsg2-5 (bug #652235) CVE-2011-4587 (lib/moodlelib.php in Moodle 1.9.x before 1.9.15, 2.0.x before 2.0.6, a ...) {DSA-2421-1} - moodle 1.9.9.dfsg2-5 (bug #652235) CVE-2011-4586 (CRLF injection vulnerability in calendar/set.php in the Calendar subsy ...) {DSA-2421-1} - moodle 1.9.9.dfsg2-5 (bug #652235) CVE-2011-4585 (login/change_password.php in Moodle 1.9.x before 1.9.15 does not use h ...) {DSA-2421-1} - moodle 1.9.9.dfsg2-5 (bug #652235) CVE-2011-4584 (The MNET authentication functionality in Moodle 1.9.x before 1.9.15, 2 ...) {DSA-2421-1} - moodle 1.9.9.dfsg2-5 (bug #652235) CVE-2011-4583 (Moodle 2.0.x before 2.0.6 and 2.1.x before 2.1.3 displays web service ...) - moodle (Only affects 2.x) CVE-2011-4582 (Open redirect vulnerability in the Calendar set page in Moodle 2.1.x b ...) - moodle (Only affects 2.x) CVE-2011-4581 (mod/wiki/pagelib.php in Moodle 2.0.x before 2.0.6 and 2.1.x before 2.1 ...) - moodle (Only affects 2.x) CVE-2011-4580 (Multiple cross-site scripting (XSS) vulnerabilities in Red Hat JBoss E ...) NOT-FOR-US: JBoss Enterprise Portal Platform CVE-2011-4579 (The svq1_decode_frame function in the SVQ1 decoder (svq1dec.c) in liba ...) {DSA-2378-1} - libav 4:0.7.3-1 - ffmpeg 7:2.4.1-1 - ffmpeg-debian NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=4931c8f0f10bf8dedcf626104a6b85bfefadc6f2 CVE-2011-4578 (event.c in acpid (aka acpid2) before 2.0.11 does not have an appropria ...) {DSA-2362-1} - acpid 1:2.0.11-1 CVE-2011-4577 (OpenSSL before 0.9.8s and 1.x before 1.0.0f, when RFC 3779 support is ...) - openssl 1.0.0f-1 (unimportant) NOTE: RFC 3779 support has not been enabled at compile time. CVE-2011-4576 (The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0 ...) {DSA-2390-1} - openssl 1.0.0f-1 CVE-2011-4575 (Cross-site scripting (XSS) vulnerability in the JMX console in JBoss E ...) NOT-FOR-US: JMX Console CVE-2011-4574 RESERVED CVE-2011-4573 (Red Hat JBoss Operations Network (JON) before 2.4.2 does not properly ...) NOT-FOR-US: JBoss Operations Network CVE-2011-4572 (Cross-site scripting (XSS) vulnerability in inc/tesmodrewite.php in CF ...) NOT-FOR-US: CF Image Hosting Script CVE-2011-4571 (SQL injection vulnerability in the Estate Agent (com_estateagent) comp ...) NOT-FOR-US: Joomla extension CVE-2011-4570 (SQL injection vulnerability in the Time Returns (com_timereturns) comp ...) NOT-FOR-US: Joomla extension CVE-2011-4569 (SQL injection vulnerability in userbarsettings.php in the Userbar plug ...) NOT-FOR-US: MyBB extension CVE-2011-4568 (Cross-site scripting (XSS) vulnerability in view/frontend-head.php in ...) NOT-FOR-US: Wordpress extension CVE-2011-4567 (Cross-site scripting (XSS) vulnerability in includes/templates/templat ...) NOT-FOR-US: Zen Cart CVE-2011-4566 (Integer overflow in the exif_process_IFD_TAG function in exif.c in the ...) {DSA-2399-1} - php5 5.3.9-1 CVE-2011-4565 (Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.5.1.a, ...) NOT-FOR-US: XOOPS CVE-2011-4564 (Cross-site scripting (XSS) vulnerability in the admin script in Active ...) NOT-FOR-US: Active CMS CVE-2011-4563 (Cross-site scripting (XSS) vulnerability in index.php in JAKCMS 2.0.4. ...) NOT-FOR-US: JAKCMS CVE-2011-4562 (Multiple cross-site scripting (XSS) vulnerabilities in (1) view/admin/ ...) NOT-FOR-US: Wordpress plugin CVE-2011-4561 (Cross-site scripting (XSS) vulnerability in admin.php in Phorum 5.2.18 ...) NOT-FOR-US: Phorum CVE-2011-4560 (Cross-site scripting (XSS) vulnerability in the Petition Node module 6 ...) NOT-FOR-US: Petition node module for Drupal CVE-2011-4559 (SQL injection vulnerability in the Calendar module in vTiger CRM 5.2.1 ...) NOT-FOR-US: vTiger CVE-2011-4558 (Tiki 8.2 and earlier allows remote administrators to execute arbitrary ...) - tikiwiki NOTE: http://dev.tiki.org/item4059 NOTE: http://info.tiki.org/article185-Tiki-Security-Patches-Available-for-8-3-and-6-6-LTS CVE-2011-4557 RESERVED CVE-2011-4556 RESERVED CVE-2011-4555 (One Click Orgs before 1.2.3 does not require unique e-mail addresses f ...) NOT-FOR-US: One Click Orgs CVE-2011-4554 (One Click Orgs before 1.2.3 allows remote authenticated users to trigg ...) NOT-FOR-US: One Click Orgs CVE-2011-4553 (Multiple open redirect vulnerabilities in One Click Orgs before 1.2.3 ...) NOT-FOR-US: One Click Orgs CVE-2011-4552 (Multiple cross-site scripting (XSS) vulnerabilities in One Click Orgs ...) NOT-FOR-US: One Click Orgs CVE-2011-4551 (Cross-site scripting (XSS) vulnerability in tiki-cookie-jar.php in Tik ...) - tikiwiki CVE-2011-4550 RESERVED CVE-2011-4549 RESERVED CVE-2010-5067 (Virtual War (aka VWar) 1.6.1 R2 uses static session cookies that depen ...) NOT-FOR-US: Virtual War CVE-2010-5066 (The createRandomPassword function in includes/functions_common.php in ...) NOT-FOR-US: Virtual War CVE-2010-5065 (popup.php in Virtual War (aka VWar) 1.6.1 R2 allows remote attackers t ...) NOT-FOR-US: Virtual War CVE-2010-5064 (Multiple cross-site scripting (XSS) vulnerabilities in Virtual War (ak ...) NOT-FOR-US: Virtual War CVE-2010-5063 (SQL injection vulnerability in article.php in Virtual War (aka VWar) 1 ...) NOT-FOR-US: Virtual War CVE-2011-4548 (Multiple unspecified vulnerabilities in Google Chrome before 16.0.912. ...) - chromium-browser - webkit NOTE: duplicate for chromebooks CVE-2011-4547 (Multiple cross-site scripting (XSS) vulnerabilities in includes/templa ...) NOT-FOR-US: Zen Cart CVE-2011-4546 RESERVED CVE-2011-4545 (CRLF injection vulnerability in admin/displayImage.php in Prestashop 1 ...) NOT-FOR-US: Prestashop CVE-2011-4544 (Multiple cross-site scripting (XSS) vulnerabilities in Prestashop befo ...) NOT-FOR-US: Prestashop CVE-2011-4543 (Multiple directory traversal vulnerabilities in osCommerce 3.0.2 allow ...) NOT-FOR-US: osCommerce CVE-2011-4542 (Hastymail2 2.1.1 before RC2 allows remote attackers to execute arbitra ...) - hastymail CVE-2011-4541 (Cross-site scripting (XSS) vulnerability in index.php in Hastymail2 2. ...) - hastymail CVE-2011-4540 (Multiple cross-site scripting (XSS) vulnerabilities in AtMail Open (ak ...) - atmailopen CVE-2011-4539 (dhcpd in ISC DHCP 4.x before 4.2.3-P1 and 4.1-ESV before 4.1-ESV-R4 do ...) {DSA-2519-2 DSA-2519-1} - dhcp3 (Only affects DHCP 4.x) - isc-dhcp 4.2.2.dfsg.1-5 (bug #652259; low) CVE-2011-4538 (Lexmark X, W, T, E, and C devices before 2012-02-09 allow attackers to ...) NOT-FOR-US: Lexmark CVE-2011-4537 (Multiple buffer overflows in 7-Technologies (7T) Interactive Graphical ...) NOT-FOR-US: 7-Technologies IGSS CVE-2011-4536 (Heap-based buffer overflow in nettransdll.dll in HistorySvr.exe (aka H ...) NOT-FOR-US: WellinTech KingView CVE-2011-4535 (Buffer overflow in TurboPower Abbrevia before 4.0, as used in ScadaTEC ...) NOT-FOR-US: TurboPower Abbrevia CVE-2011-4534 (ZenSysSrv.exe in Ing. Punzenberger COPA-DATA zenon 6.51 SP0 allows rem ...) NOT-FOR-US: COPA-DATA CVE-2011-4533 (zenAdminSrv.exe in Ing. Punzenberger COPA-DATA zenon 6.51 SP0 allows r ...) NOT-FOR-US: COPA-DATA CVE-2011-4532 (Absolute path traversal vulnerability in the ALMListView.ALMListCtrl A ...) NOT-FOR-US: Siemens Automation License Manager CVE-2011-4531 (Siemens Automation License Manager (ALM) 4.0 through 5.1+SP1+Upd1 allo ...) NOT-FOR-US: Siemens Automation License Manager CVE-2011-4530 (Siemens Automation License Manager (ALM) 4.0 through 5.1+SP1+Upd1 does ...) NOT-FOR-US: Siemens Automation License Manager CVE-2011-4529 (Multiple buffer overflows in Siemens Automation License Manager (ALM) ...) NOT-FOR-US: Siemens Automation License Manager CVE-2011-4528 (Unbound before 1.4.13p2 attempts to free unallocated memory during pro ...) {DSA-2370-1} - unbound 1.4.14-1 (medium) CVE-2011-4527 RESERVED CVE-2011-4526 (Buffer overflow in an ActiveX control in Advantech/BroadWin WebAccess ...) NOT-FOR-US: Advantech/BroadWin WebAccess CVE-2011-4525 (Advantech/BroadWin WebAccess before 7.0 allows remote attackers to tri ...) NOT-FOR-US: Advantech/BroadWin WebAccess CVE-2011-4524 (Buffer overflow in Advantech/BroadWin WebAccess before 7.0 allows remo ...) NOT-FOR-US: Advantech/BroadWin WebAccess CVE-2011-4523 (Cross-site scripting (XSS) vulnerability in bwview.asp in Advantech/Br ...) NOT-FOR-US: Advantech/BroadWin WebAccess CVE-2011-4522 (Cross-site scripting (XSS) vulnerability in bwerrdn.asp in Advantech/B ...) NOT-FOR-US: Advantech/BroadWin WebAccess CVE-2011-4521 (SQL injection vulnerability in Advantech/BroadWin WebAccess before 7.0 ...) NOT-FOR-US: Advantech/BroadWin WebAccess CVE-2011-4520 (Heap-based buffer overflow in an ActiveX component in MICROSYS PROMOTI ...) NOT-FOR-US: MICROSYS PROMOTIC CVE-2011-4519 (Stack-based buffer overflow in an ActiveX component in MICROSYS PROMOT ...) NOT-FOR-US: MICROSYS PROMOTIC CVE-2011-4518 (Directory traversal vulnerability in the PmWebDir object in the web se ...) NOT-FOR-US: MICROSYS PROMOTIC CVE-2011-4517 (The jpc_crg_getparms function in libjasper/jpc/jpc_cs.c in JasPer 1.90 ...) {DSA-2371-1} - jasper 1.900.1-13 (bug #652649) - ghostscript 8.64~dfsg-2 NOTE: ghostscript using system jasper since this version CVE-2011-4516 (Heap-based buffer overflow in the jpc_cox_getcompparms function in lib ...) {DSA-2371-1} - jasper 1.900.1-13 (bug #652649) - ghostscript 8.64~dfsg-2 NOTE: ghostscript using system jasper since this version CVE-2011-4515 (Siemens WinCC (TIA Portal) 11 uses a reversible algorithm for storing ...) NOT-FOR-US: Siemens WinCC CVE-2011-4514 (The TELNET daemon in Siemens WinCC flexible 2004, 2005, 2007, and 2008 ...) NOT-FOR-US: Siemens WinCC CVE-2011-4513 (Siemens WinCC flexible 2004, 2005, 2007, and 2008; WinCC V11 (aka TIA ...) NOT-FOR-US: Siemens WinCC CVE-2011-4512 (CRLF injection vulnerability in the HMI web server in Siemens WinCC fl ...) NOT-FOR-US: Siemens WinCC CVE-2011-4511 (Cross-site scripting (XSS) vulnerability in the HMI web server in Siem ...) NOT-FOR-US: Siemens WinCC CVE-2011-4510 (Cross-site scripting (XSS) vulnerability in the HMI web server in Siem ...) NOT-FOR-US: Siemens WinCC CVE-2011-4509 (The HMI web server in Siemens WinCC flexible 2004, 2005, 2007, and 200 ...) NOT-FOR-US: Siemens WinCC CVE-2011-4508 (The HMI web server in Siemens WinCC flexible 2004, 2005, 2007, and 200 ...) NOT-FOR-US: Siemens WinCC CVE-2010-5062 (SQL injection vulnerability in search.php in MH Products kleinanzeigen ...) NOT-FOR-US: MH Products kleinanzeigenmarkt CVE-2010-5061 (SQL injection vulnerability in index.php in RSStatic allows remote att ...) NOT-FOR-US: RSStatic CVE-2010-5060 (SQL injection vulnerability in Nus.php in NUs Newssystem 1.02 allows r ...) NOT-FOR-US: NUs Newssystem CVE-2010-5059 (SQL injection vulnerability in index.php in CMScout 2.0.8 allows remot ...) NOT-FOR-US: CMScout CVE-2010-5058 (SQL injection vulnerability in detResolucion.php in CMS Ariadna 1.1 al ...) NOT-FOR-US: CMS Ariadna CVE-2010-5057 (SQL injection vulnerability in detResolucion.php in CMS Ariadna 1.1 al ...) NOT-FOR-US: CMS Ariadna CVE-2010-5056 (SQL injection vulnerability in the GBU Facebook (com_gbufacebook) comp ...) NOT-FOR-US: GBU Facebook CVE-2010-5055 (SQL injection vulnerability in index.php in Almnzm 2.1 allows remote a ...) NOT-FOR-US: Almnzm CVE-2010-5054 (Cross-site scripting (XSS) vulnerability in Special:Login in JAMWiki b ...) NOT-FOR-US: JAMWiki CVE-2010-5053 (SQL injection vulnerability in the XOBBIX (com_xobbix) component 1.0.1 ...) NOT-FOR-US: Joomla extension CVE-2010-5052 (Cross-site scripting (XSS) vulnerability in admin/components.php in Ge ...) NOT-FOR-US: GetSimple CMS CVE-2010-5051 (Cross-site scripting (XSS) vulnerability in admin/core/admin_func.php ...) NOT-FOR-US: razorCMS CVE-2010-5050 (Cross-site scripting (XSS) vulnerability in jsp/admin/tools/remote_sha ...) NOT-FOR-US: ManageEngine ADManager Plus CVE-2010-5049 (SQL injection vulnerability in events.php in Zabbix 1.8.1 and earlier ...) - zabbix 1:1.8.2-1 CVE-2010-5048 (Cross-site scripting (XSS) vulnerability in admin.jcomments.php in the ...) NOT-FOR-US: Joomla extension CVE-2010-5047 (SQL injection vulnerability in page.php in V-EVA Press Release Script ...) NOT-FOR-US: V-EVA Press Release Script CVE-2010-5046 (Cross-site scripting (XSS) vulnerability in admin.php in ecoCMS allows ...) NOT-FOR-US: ecoCMS CVE-2011-4507 (The D-Link DIR-685 router, when certain WPA and WPA2 configurations ar ...) NOT-FOR-US: D-Link DIR-685 router CVE-2011-4506 (The UPnP IGD implementation on the Thomson (aka Technicolor) TG585 wit ...) NOT-FOR-US: hardware device with broken UPnP UGD implementation CVE-2011-4505 (The UPnP IGD implementation on SpeedTouch 5x6 devices with firmware be ...) NOT-FOR-US: hardware device with broken UPnP UGD implementation CVE-2011-4504 (The UPnP IGD implementation in the Pseudo ICS UPnP software on the ZyX ...) NOT-FOR-US: hardware device with broken UPnP UGD implementation CVE-2011-4503 (The UPnP IGD implementation in Broadcom Linux on the Sitecom WL-111 al ...) NOT-FOR-US: hardware device with broken UPnP UGD implementation CVE-2011-4502 (The UPnP IGD implementation in Edimax EdiLinux on the Edimax BR-6104K ...) NOT-FOR-US: hardware device with broken UPnP UGD implementation CVE-2011-4501 (The UPnP IGD implementation in Edimax EdiLinux on the Edimax BR-6104K ...) NOT-FOR-US: hardware device with broken UPnP UGD implementation CVE-2011-4500 (The UPnP IGD implementation on the Cisco Linksys WRT54GX with firmware ...) NOT-FOR-US: hardware device with broken UPnP UGD implementation CVE-2011-4499 (The UPnP IGD implementation in the Broadcom UPnP stack on the Cisco Li ...) NOT-FOR-US: hardware device with broken UPnP UGD implementation CVE-2011-4498 (Cross-site request forgery (CSRF) vulnerability in the web console in ...) NOT-FOR-US: Zenprise Device Manager CVE-2011-4497 (QIS_wizard.htm on the ASUS RT-N56U router with firmware before 1.0.1.4 ...) NOT-FOR-US: Asus device CVE-2011-4496 (Buffer overflow in Aviosoft DTV Player 1.0.1.2 allows remote attackers ...) NOT-FOR-US: Aviosoft DTV Player CVE-2011-4495 RESERVED CVE-2011-4494 RESERVED CVE-2011-4493 RESERVED CVE-2011-4492 RESERVED CVE-2011-4491 RESERVED CVE-2011-4490 RESERVED CVE-2011-4489 RESERVED CVE-2011-4488 RESERVED CVE-2011-4487 (SQL injection vulnerability in Cisco Unified Communications Manager (C ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2011-4486 (Cisco Unified Communications Manager (CUCM) with software 6.x and 7.x ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2011-4485 RESERVED CVE-2011-4484 RESERVED CVE-2011-4483 RESERVED CVE-2011-4482 RESERVED CVE-2011-4481 RESERVED CVE-2011-4480 RESERVED CVE-2011-4479 RESERVED CVE-2011-4478 RESERVED CVE-2011-4477 RESERVED CVE-2011-4476 RESERVED CVE-2011-4475 RESERVED CVE-2011-4474 RESERVED CVE-2011-4473 RESERVED CVE-2011-4472 RESERVED CVE-2011-4471 RESERVED CVE-2011-4470 RESERVED CVE-2011-4469 RESERVED CVE-2011-4468 RESERVED CVE-2011-4467 RESERVED CVE-2011-4466 RESERVED CVE-2011-4465 (Cross-site scripting (XSS) vulnerability in IBM Lotus Mobile Connect ( ...) NOT-FOR-US: IBM Lotus Mobile Connect CVE-2011-4464 RESERVED CVE-2011-4463 RESERVED CVE-2011-4462 (Plone 4.1.3 and earlier computes hash values for form parameters witho ...) - plone3 CVE-2011-4461 (Jetty 8.1.0.RC2 and earlier computes hash values for form parameters w ...) - jetty 6.1.26-1 [squeeze] - jetty (Minor issue) CVE-2011-4460 (SQL injection vulnerability in Best Practical Solutions RT 2.x and 3.x ...) {DSA-2480-1} - request-tracker4 4.0.5-3 CVE-2011-4459 (Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 doe ...) {DSA-2480-1} - request-tracker4 4.0.5-3 CVE-2011-4458 (Best Practical Solutions RT 3.6.x, 3.7.x, and 3.8.x before 3.8.12 and ...) {DSA-2480-1} - request-tracker4 4.0.5-3 CVE-2011-4457 (OWASP HTML Sanitizer (aka owasp-java-html-sanitizer) before 88, when J ...) NOT-FOR-US: OWASP HTML Sanitizer CVE-2011-4456 REJECTED CVE-2011-4455 (Multiple cross-site scripting vulnerabilities in Tiki 7.2 and earlier ...) - tikiwiki NOTE: http://secunia.com/advisories/46740/ CVE-2011-4454 (Multiple cross-site scripting vulnerabilities in Tiki 8.0 RC1 and earl ...) - tikiwiki NOTE: http://secunia.com/advisories/46740/ CVE-2011-4453 (The PageListSort function in scripts/pagelist.php in PmWiki 2.x before ...) - pmwiki (bug #330117) CVE-2011-4452 (Cross-site request forgery (CSRF) vulnerability in the AdminUsers comp ...) NOT-FOR-US: WikkaWiki CVE-2011-4451 (** DISPUTED ** libs/Wakka.class.php in WikkaWiki 1.3.1 and 1.3.2, when ...) NOT-FOR-US: WikkaWiki CVE-2011-4450 (Directory traversal vulnerability in handlers/files.xml/files.xml.php ...) NOT-FOR-US: WikkaWiki CVE-2011-4449 (actions/files/files.php in WikkaWiki 1.3.1 and 1.3.2, when INTRANET_MO ...) NOT-FOR-US: WikkaWiki CVE-2011-4448 (SQL injection vulnerability in actions/usersettings/usersettings.php i ...) NOT-FOR-US: WikkaWiki CVE-2008-7303 (The nonet and nointernet sandbox profiles in Apple Mac OS X 10.5.x do ...) NOT-FOR-US: Apple Mac OS X CVE-2011-4447 (The "encrypt wallet" feature in wxBitcoin and bitcoind 0.4.x before 0. ...) - bitcoin 0.5.1-1 CVE-2011-4446 RESERVED CVE-2011-4445 RESERVED CVE-2011-4444 RESERVED CVE-2011-4443 RESERVED CVE-2011-4442 RESERVED CVE-2011-4441 RESERVED CVE-2011-4440 RESERVED CVE-2011-4439 RESERVED CVE-2011-4438 RESERVED CVE-2011-4437 RESERVED CVE-2012-0020 (Microsoft Visio Viewer 2010 Gold and SP1 does not properly handle memo ...) NOT-FOR-US: Microsoft CVE-2012-0019 (Microsoft Visio Viewer 2010 Gold and SP1 does not properly handle memo ...) NOT-FOR-US: Microsoft CVE-2012-0018 (Microsoft Visio Viewer 2010 Gold and SP1 does not properly validate at ...) NOT-FOR-US: Microsoft Visio CVE-2012-0017 (Cross-site scripting (XSS) vulnerability in inplview.aspx in Microsoft ...) NOT-FOR-US: Microsoft CVE-2012-0016 (Untrusted search path vulnerability in Microsoft Expression Design; Ex ...) NOT-FOR-US: Microsoft Expression Design CVE-2012-0015 (Microsoft .NET Framework 2.0 SP2 and 3.5.1 does not properly calculate ...) NOT-FOR-US: Microsoft CVE-2012-0014 (Microsoft .NET Framework 2.0 SP2, 3.5.1, and 4, and Silverlight 4 befo ...) NOT-FOR-US: Microsoft CVE-2012-0013 (Incomplete blacklist vulnerability in the Windows Packager configurati ...) NOT-FOR-US: Microsoft Windows CVE-2012-0012 (Microsoft Internet Explorer 9 does not properly handle the creation an ...) NOT-FOR-US: Microsoft CVE-2012-0011 (Microsoft Internet Explorer 7 through 9 does not properly handle objec ...) NOT-FOR-US: Microsoft CVE-2012-0010 (Microsoft Internet Explorer 6 through 9 does not properly perform copy ...) NOT-FOR-US: Microsoft CVE-2012-0009 (Untrusted search path vulnerability in the Windows Object Packager con ...) NOT-FOR-US: Microsoft Windows CVE-2012-0008 (Untrusted search path vulnerability in Microsoft Visual Studio 2008 SP ...) NOT-FOR-US: Microsoft Visual Studio 2008 CVE-2012-0007 (The Microsoft Anti-Cross Site Scripting (AntiXSS) Library 3.x and 4.0 ...) NOT-FOR-US: Microsoft Anti-Cross Site Scripting Library CVE-2012-0006 (The DNS server in Microsoft Windows Server 2003 SP2 and Server 2008 SP ...) NOT-FOR-US: Microsoft Windows CVE-2012-0005 (The Client/Server Run-time Subsystem (aka CSRSS) in the Win32 subsyste ...) NOT-FOR-US: Microsoft Windows CVE-2012-0004 (Unspecified vulnerability in DirectShow in DirectX in Microsoft Window ...) NOT-FOR-US: DirectX CVE-2012-0003 (Unspecified vulnerability in winmm.dll in Windows Multimedia Library i ...) NOT-FOR-US: Microsoft Windows CVE-2012-0002 (The Remote Desktop Protocol (RDP) implementation in Microsoft Windows ...) NOT-FOR-US: Microsoft Windows CVE-2012-0001 (The kernel in Microsoft Windows XP SP2, Windows Server 2003 SP2, Windo ...) NOT-FOR-US: Microsoft Windows CVE-2011-4436 (Multiple cross-site scripting (XSS) vulnerabilities in the administrat ...) NOT-FOR-US: Dell appliance CVE-2011-4435 (The web-server component in the Consolidation and Analysis Engine (CAE ...) NOT-FOR-US: IBM DB2 CVE-2011-4434 (Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1 ...) NOT-FOR-US: Microsoft Windows CVE-2011-4433 REJECTED CVE-2011-4432 (www/include/configuration/nconfigObject/contact/DB-Func.php in Merethi ...) NOT-FOR-US: Merethis Centreon CVE-2011-4431 (Directory traversal vulnerability in main.php in Merethis Centreon bef ...) NOT-FOR-US: Merethis Centreon CVE-2011-4430 REJECTED CVE-2011-4429 REJECTED CVE-2011-4428 REJECTED CVE-2011-4427 REJECTED CVE-2011-4426 REJECTED CVE-2011-4425 REJECTED CVE-2011-4424 REJECTED CVE-2011-4423 REJECTED CVE-2011-4422 REJECTED CVE-2011-4421 REJECTED CVE-2011-4420 REJECTED CVE-2011-4419 REJECTED CVE-2011-4418 REJECTED CVE-2011-4417 REJECTED CVE-2011-4416 REJECTED CVE-2011-4415 (The ap_pregsub function in server/util.c in the Apache HTTP Server 2.0 ...) - apache2 2.4.1-1 (unimportant) NOTE: apache2 does not protect or claim to protect against DoS through .htaccess CVE-2011-4414 REJECTED CVE-2011-4413 REJECTED CVE-2011-4412 REJECTED CVE-2011-4411 REJECTED CVE-2011-4410 REJECTED CVE-2011-4409 (The Ubuntu One Client for Ubuntu 10.04 LTS, 11.04, 11.10, and 12.04 LT ...) NOT-FOR-US: Ubuntu One CVE-2011-4408 (The Single Sign On Client (ubuntu-sso-client) for Ubuntu 11.04 and 11. ...) - ubuntu-sso-client (bug #680492) CVE-2011-4407 (ppa.py in Software Properties before 0.81.13.3 does not validate the s ...) - software-properties 0.76.7debian2+nmu2 [squeeze] - software-properties (Vulnerable code not present) [lenny] - software-properties (Vulnerable code not present) NOTE: https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/915210/ CVE-2011-4406 (The Ubuntu AccountsService package before 0.6.14-1git1ubuntu1.1 does n ...) - accountsservice 0.6.15-3 CVE-2011-4405 (The cupshelpers scripts in system-config-printer in Ubuntu 11.04 and 1 ...) - system-config-printer 1.3.7-1 (low; bug #651204) [squeeze] - system-config-printer (Minor issue) CVE-2011-4404 (The default configuration of the HTTP server in Jetty in vSphere Updat ...) - jetty 6.1.19-1 (low; bug #528389) NOTE: duplicate of CVE-2009-1523 CVE-2011-4403 (Multiple cross-site request forgery (CSRF) vulnerabilities in Zen Cart ...) NOT-FOR-US: Zen Cart CVE-2011-4402 REJECTED CVE-2011-4401 REJECTED CVE-2011-4400 REJECTED CVE-2011-4399 REJECTED CVE-2011-4398 REJECTED CVE-2011-4397 REJECTED CVE-2011-4396 REJECTED CVE-2011-4395 REJECTED CVE-2011-4394 REJECTED CVE-2011-4393 REJECTED CVE-2011-4392 REJECTED CVE-2011-4391 REJECTED CVE-2011-4390 REJECTED CVE-2011-4389 REJECTED CVE-2011-4388 REJECTED CVE-2011-4387 REJECTED CVE-2011-4386 REJECTED CVE-2011-4385 REJECTED CVE-2011-4384 REJECTED CVE-2011-4383 REJECTED CVE-2011-4382 REJECTED CVE-2011-4381 REJECTED CVE-2011-4380 REJECTED CVE-2011-4379 REJECTED CVE-2011-4378 REJECTED CVE-2011-4377 REJECTED CVE-2011-4376 REJECTED CVE-2011-4375 REJECTED CVE-2011-4374 (Integer overflow in Adobe Reader 9.x before 9.4.6 on Linux allows atta ...) NOT-FOR-US: Adobe Reader CVE-2011-4373 (Adobe Reader and Acrobat before 9.5, and 10.x before 10.1.2, on Window ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2011-4372 (Adobe Reader and Acrobat before 9.5, and 10.x before 10.1.2, on Window ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2011-4371 (Adobe Reader and Acrobat before 9.5, and 10.x before 10.1.2, on Window ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2011-4370 (Adobe Reader and Acrobat before 9.5, and 10.x before 10.1.2, on Window ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2011-4369 (Unspecified vulnerability in the PRC component in Adobe Reader and Acr ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2011-4368 (Cross-site scripting (XSS) vulnerability in Remote Development Service ...) NOT-FOR-US: Adobe Cold Fusion CVE-2011-4367 (Multiple directory traversal vulnerabilities in MyFaces JavaServer Fac ...) - mojarra (The Debian package only ships some API classes) CVE-2011-4366 REJECTED CVE-2011-4365 REJECTED CVE-2011-4364 (Buffer overflow in the Sierra VMD decoder in libavcodec in FFmpeg 0.5. ...) {DSA-2378-1} - libav 4:0.7.3-1 - ffmpeg 7:2.4.1-1 - ffmpeg-debian NOTE: http://www.usenix.org/events/woot11/tech/final_files/Yamaguchi.pdf NOTE: http://git.libav.org/?p=libav.git;a=commitdiff;h=494cfacdb9ba3f0549e37f76b3a2f86a7aeeac3c CVE-2011-4363 (ProcessTable.pm in the Proc::ProcessTable module 0.45 for Perl, when T ...) - libproc-processtable-perl 0.45-6 (low; bug #650500) [squeeze] - libproc-processtable-perl 0.45-1+squeeze1 CVE-2011-4362 (Integer signedness error in the base64_decode function in the HTTP aut ...) {DSA-2368-1} - lighttpd 1.4.30-1 (low; bug #652726) NOTE: http://openwall.com/lists/oss-security/2011/11/29/8 NOTE: http://redmine.lighttpd.net/issues/2370 NOTE: the announcement says that the debian package is not affected, but there are no additional patches that would cause different behavior (i.e. the base64_reverse_table is the same in debian and upstream), so if upstream is affected, so too is the debian package CVE-2011-4361 (MediaWiki before 1.17.1 does not check for read permission before hand ...) {DSA-2366-1} - mediawiki 1:1.15.5-4 (bug #650434) NOTE: http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-November/000104.html CVE-2011-4360 (MediaWiki before 1.17.1 allows remote attackers to obtain the page tit ...) {DSA-2366-1} - mediawiki 1:1.15.5-4 (bug #650434) [squeeze] - mediawiki (Vulnerable code not present) NOTE: http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-November/000104.html CVE-2011-4359 [MyFaces - includeViewParameters re-evaluates param/model values as EL expressions] REJECTED CVE-2011-4358 (Unspecified vulnerability in Oracle GlassFish Enterprise Server 3.0.1 ...) {DSA-2359-1} - mojarra 2.0.3-2 (bug #650430) CVE-2011-4357 (Format string vulnerability in the p_cgi_error function in python/neo_ ...) {DSA-2355-1} - clearsilver 0.10.5-1.3 (bug #649322) CVE-2011-4356 (Celery 2.1 and 2.2 before 2.2.8, 2.3 before 2.3.4, and 2.4 before 2.4. ...) - celery 2.4.6-1 - django-celery (Vulnerable code not present) CVE-2011-4355 (GNU Project Debugger (GDB) before 7.5, when .debug_gdb_scripts is defi ...) - gdb 7.6-1 (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=703238 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blob_plain;f=gdb/NEWS;hb=HEAD (lists "auto-load safe-path" under "Changes in GDB 7.5") CVE-2011-4354 (crypto/bn/bn_nist.c in OpenSSL before 0.9.8h on 32-bit platforms, as u ...) {DSA-2390-1} - openssl 0.9.8o-4squeeze3 (bug #650621) CVE-2011-4353 (The (1) av_image_fill_pointers, (2) vp5_parse_coeff, and (3) vp6_parse ...) {DSA-2378-1} - libav 4:0.7.3-1 - ffmpeg 7:2.4.1-1 - ffmpeg-debian NOTE: http://git.libav.org/?p=libav.git;a=commitdiff;h=67a7ed6 NOTE: http://git.libav.org/?p=libav.git;a=commitdiff;h=c76505e NOTE: http://git.libav.org/?p=libav.git;a=commitdiff;h=30c08e2 NOTE: http://git.libav.org/?p=libav.git;a=commitdiff;h=7367cbe NOTE: http://git.libav.org/?p=libav.git;a=commitdiff;h=28acce2 CVE-2011-4352 (Integer overflow in the vp3_dequant function in the VP3 decoder (vp3.c ...) - libav 4:0.7.3-1 - ffmpeg (Was introduced in 0.6) - ffmpeg-debian (Was introduced in 0.6) NOTE: http://article.gmane.org/gmane.comp.video.libav.devel/15182 CVE-2011-4351 (Buffer overflow in FFmpeg before 0.5.6, 0.6.x before 0.6.4, 0.7.x befo ...) {DSA-2378-1} - libav 4:0.7.3-1 - ffmpeg 7:2.4.1-1 - ffmpeg-debian NOTE: http://git.libav.org/?p=libav.git;a=commitdiff;h=a31ccacb1a9b2abc0e140a812fb0ffca6f7c2591 NOTE: http://git.libav.org/?p=libav.git;a=commitdiff;h=0d93d5c4614fafea74bdac681673f5b32eb49063 NOTE: http://git.libav.org/?p=libav.git;a=commitdiff;h=73472053516f82b7d273a3d42c583f894077a191 CVE-2011-4350 (Yaws 1.91 has a directory traversal vulnerability in the way certain U ...) - yaws 1.91-2 (bug #650009) [lenny] - yaws (Vulnerable code not present) [squeeze] - yaws (Vulnerable code not present) CVE-2011-4349 (Multiple SQL injection vulnerabilities in (1) cd-mapping-db.c and (2) ...) - colord 0.1.15-1 (medium; bug #650021) CVE-2011-4348 (Race condition in the sctp_rcv function in net/sctp/input.c in the Lin ...) - linux-2.6 (Incomplete fix for RHEL5-specific backport regression) NOTE: incomplete fix for CVE-2011-2482 CVE-2011-4347 (The kvm_vm_ioctl_assign_device function in virt/kvm/assigned-dev.c in ...) {DSA-2443-1} - linux-2.6 CVE-2011-4346 (Cross-site scripting (XSS) vulnerability in the web interface in Red H ...) NOT-FOR-US: Red Hat Satellite CVE-2011-4345 (Cross-site scripting (XSS) vulnerability in Namazu before 2.0.21, when ...) - namazu2 2.0.21-1 (low) [squeeze] - namazu2 (Minor issue) CVE-2011-4344 (Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins be ...) - jenkins-winstone 0.9.10-jenkins-29+dfsg-1 (bug #649900) CVE-2011-4343 (Information disclosure vulnerability in Apache MyFaces Core 2.0.1 thro ...) NOT-FOR-US: Apache MyFaces CVE-2011-4342 (PHP remote file inclusion vulnerability in wp_xml_export.php in the Ba ...) NOT-FOR-US: Wordpress plugin CVE-2011-4341 (Multiple SQL injection vulnerabilities in symphony/content/content.pub ...) NOT-FOR-US: Symphony CMS CVE-2011-4340 (Multiple cross-site scripting (XSS) vulnerabilities in Symphony CMS 2. ...) NOT-FOR-US: Symphony CMS CVE-2011-4339 (ipmievd (aka the IPMI event daemon) in OpenIPMI, as used in the ipmito ...) {DSA-2376-2 DSA-2376-1} - ipmitool 1.8.11-5 (bug #651917) CVE-2011-4338 (Shaman 1.0.9: Users can add the line askforpwd=false to his shaman.con ...) NOT-FOR-US: Arch-Linux specific tool CVE-2011-4337 (Static code injection vulnerability in translate.php in Support Incide ...) NOT-FOR-US: Support Incident Tracker CVE-2011-4336 (Tiki Wiki CMS Groupware 7.0 has XSS via the GET "ajax" parameter to sn ...) NOT-FOR-US: Tiki Wiki CVE-2011-4335 (Multiple cross-site scripting (XSS) vulnerabilities in Contao before 2 ...) NOT-FOR-US: Contao CVE-2011-4334 (edit.php in LabWiki 1.1 and earlier does not properly verify uploaded ...) NOT-FOR-US: LabWiki CVE-2011-4333 (Multiple cross-site scripting (XSS) vulnerabilities in LabWiki 1.1 and ...) NOT-FOR-US: LabWiki CVE-2011-4332 (Multiple cross-site scripting (XSS) vulnerabilities in Joomla! 1.6.3 a ...) NOT-FOR-US: Joomla! CVE-2011-4331 REJECTED CVE-2011-4330 (Stack-based buffer overflow in the hfs_mac2asc function in fs/hfs/tran ...) - linux-2.6 3.1.4-1 [squeeze] - linux-2.6 2.6.32-40 CVE-2011-4329 (Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 3.1.0 ...) - dolibarr 3.3.4-1 (low) CVE-2011-4328 (plugin/npapi/plugin.cpp in Gnash before 0.8.10 uses weak permissions ( ...) {DSA-2435-1} - gnash 0.8.10-1 (low; bug #649384) CVE-2011-4327 (ssh-keysign.c in ssh-keysign in OpenSSH before 5.8p2 on certain platfo ...) - openssh (Only affects platforms w/o /dev/random) NOTE: http://www.openssh.com/txt/portable-keysign-rand-helper.adv CVE-2011-4326 (The udp6_ufo_fragment function in net/ipv6/udp.c in the Linux kernel b ...) - linux-2.6 2.6.39-1 [squeeze] - linux-2.6 2.6.32-40 [lenny] - linux-2.6 (Vulnerable code not present) CVE-2011-4325 (The NFS implementation in Linux kernel before 2.6.31-rc6 calls certain ...) - linux-2.6 2.6.32-1 CVE-2011-4324 (The encode_share_access function in fs/nfs/nfs4xdr.c in the Linux kern ...) - linux-2.6 (RHEL5-specific backport error) CVE-2011-4323 REJECTED CVE-2011-4322 (websitebaker prior to and including 2.8.1 has an authentication error ...) NOT-FOR-US: websitebaker CVE-2011-4321 (The password reset functionality in Joomla! 1.5.x through 1.5.24 uses ...) NOT-FOR-US: Joomla! CVE-2011-4320 (The mod_pubsub module (mod_pubsub.erl) in ejabberd 2.1.8 and 3.0.0-alp ...) - ejabberd 2.1.9-1 (low) [squeeze] - ejabberd (Only triggerable with malformed config file) NOTE: https://support.process-one.net/browse/EJAB-1498 CVE-2011-4319 (Cross-site scripting (XSS) vulnerability in the i18n translations help ...) - rails (Only affects RoR 3.0 and above) CVE-2011-4318 (Dovecot 2.0.x before 2.0.16, when ssl or starttls is enabled and hostn ...) - dovecot 1:2.0.18-1 (unimportant; bug #649511) NOTE: Additional hardening CVE-2011-4317 (The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2 ...) {DSA-2405-1} - apache2 2.2.21-3 NOTE: Related to CVE-2011-3368 and CVE-2011-3639 but a different issue CVE-2011-4316 (Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1, in cert ...) NOT-FOR-US: ovirt NOTE: While the Red Hat advisory refers to SPICE, this is a vulnerability in NOTE: the server-side ovirt logic (contacted Red Hat for clarification) CVE-2011-4315 (Heap-based buffer overflow in compression-pointer processing in core/n ...) - nginx 1.1.8-1 (low) [squeeze] - nginx 0.7.67-3+squeeze1 [lenny] - nginx (Minor issue) NOTE: http://trac.nginx.org/nginx/changeset/4268/nginx CVE-2011-4314 (message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used i ...) - openid4java 0.9.6.662-1 - jbossas4 (Only builds a few libraries, not the full application server, #581226) CVE-2011-4313 (query.c in ISC BIND 9.0.x through 9.6.x, 9.4-ESV through 9.4-ESV-R5, 9 ...) {DSA-2347-1} - bind9 1:9.8.1.dfsg.P1-1 (high; bug #649099) CVE-2011-4312 (Multiple cross-site scripting (XSS) vulnerabilities in the commenting ...) NOT-FOR-US: Review Board CVE-2011-4311 (ResourceSpace before 4.2.2833 does not properly validate access keys, ...) NOT-FOR-US: ResourceSpace CVE-2011-4310 (The news module in CMSMS before 1.9.4.3 allows remote attackers to cor ...) - cmsms (bug #608888) CVE-2011-4309 (Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 allows remote attacke ...) - moodle (Only affects 2.x) CVE-2011-4308 (mod/forum/user.php in Moodle 1.9.x before 1.9.14, 2.0.x before 2.0.5, ...) {DSA-2421-1} - moodle 1.9.9.dfsg2-5 CVE-2011-4307 (Cross-site scripting (XSS) vulnerability in mod/wiki/lang/en/wiki.php ...) - moodle (Only affects 2.x) CVE-2011-4306 (Cross-site scripting (XSS) vulnerability in course/editsection.html in ...) {DSA-2338-1} - moodle 1.9.9.dfsg2-4 CVE-2011-4305 (message/refresh.php in Moodle 1.9.x before 1.9.14 allows remote authen ...) {DSA-2338-1} - moodle 1.9.9.dfsg2-4 CVE-2011-4304 (The chat functionality in Moodle 2.0.x before 2.0.5 and 2.1.x before 2 ...) - moodle (Only affects 2.x) CVE-2011-4303 (lib/db/upgrade.php in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 ...) - moodle (Only affects 2.x) CVE-2011-4302 (mnet/xmlrpc/client.php in MNET in Moodle 1.9.x before 1.9.14, 2.0.x be ...) {DSA-2338-1} - moodle 1.9.9.dfsg2-4 CVE-2011-4301 (The MoodleQuickForm class in the Forms Library in lib/formslib.php in ...) {DSA-2338-1} - moodle 1.9.9.dfsg2-4 CVE-2011-4300 (The file_browser component in Moodle 2.0.x before 2.0.5 and 2.1.x befo ...) - moodle (Only affects 2.x) CVE-2011-4299 (Cross-site scripting (XSS) vulnerability in mod/wiki/pagelib.php in Mo ...) - moodle (Only affects 2.x) CVE-2011-4298 (Multiple cross-site request forgery (CSRF) vulnerabilities in mod/wiki ...) - moodle (Only affects 2.x) CVE-2011-4297 (comment/lib.php in Moodle 2.0.x before 2.0.4 and 2.1.x before 2.1.1 do ...) - moodle (Only affects 2.x) CVE-2011-4296 (lib/db/access.php in Moodle 2.0.x before 2.0.4 and 2.1.x before 2.1.1 ...) - moodle (Only affects 2.x) CVE-2011-4295 (The moodle_enrol_external:role_assign function in enrol/externallib.ph ...) - moodle (Only affects 2.x) CVE-2011-4294 (The error-message functionality in Moodle 1.9.x before 1.9.13, 2.0.x b ...) {DSA-2338-1} - moodle 1.9.9.dfsg2-4 CVE-2011-4293 (The theme implementation in Moodle 2.0.x before 2.0.4 and 2.1.x before ...) - moodle (Only affects 2.x) CVE-2011-4292 (Moodle 2.0.x before 2.0.3 allows remote authenticated users to cause a ...) - moodle (Only affects 2.x) CVE-2011-4291 (Moodle 2.0.x before 2.0.3 allows remote authenticated users to cause a ...) - moodle (Only affects 2.x) CVE-2011-4290 (Multiple cross-site scripting (XSS) vulnerabilities in lib/weblib.php ...) {DSA-2262-1} - moodle 1.9.9.dfsg2-3 CVE-2011-4289 (Moodle 2.0.x before 2.0.3 does not recognize the configuration setting ...) - moodle (Only affects 2.x) CVE-2011-4288 (Moodle 1.9.x before 1.9.12 and 2.0.x before 2.0.3 does not properly im ...) {DSA-2262-1} - moodle 1.9.9.dfsg2-3 CVE-2011-4287 (admin/uploaduser_form.php in Moodle 2.0.x before 2.0.3 does not force ...) - moodle (Only affects 2.x) CVE-2011-4286 (Multiple cross-site scripting (XSS) vulnerabilities in the media-filte ...) {DSA-2262-1} - moodle 1.9.9.dfsg2-3 CVE-2011-4285 (The default configuration of Moodle 2.0.x before 2.0.2 has an incorrec ...) - moodle (Only affects 2.x) CVE-2011-4284 (Moodle 2.0.x before 2.0.2 allows remote attackers to obtain sensitive ...) - moodle (Only affects 2.x) CVE-2011-4283 (Moodle 1.9.x before 1.9.11 and 2.0.x before 2.0.2 places an IMS enterp ...) {DSA-2262-1} - moodle 1.9.9.dfsg2-3 CVE-2011-4282 (Multiple cross-site scripting (XSS) vulnerabilities in the course-tags ...) - moodle (Only affects 2.x) CVE-2011-4281 (Multiple cross-site request forgery (CSRF) vulnerabilities in Moodle 2 ...) - moodle (Only affects 2.x) CVE-2011-4280 (Cross-site scripting (XSS) vulnerability in the Spike PHPCoverage (aka ...) - moodle (Only affects 2.x) CVE-2011-4279 (Moodle 2.0.x before 2.0.2 does not use the forceloginforprofiles setti ...) - moodle (Only affects 2.x) CVE-2011-4278 (Cross-site scripting (XSS) vulnerability in the tag autocomplete funct ...) {DSA-2262-1} - moodle 1.9.9.dfsg2-3 CVE-2011-4277 (Cross-site scripting (XSS) vulnerability in CourseForum ProjectForum 7 ...) NOT-FOR-US: CourseForum CVE-2011-4276 (The Bluetooth service (com/android/phone/BluetoothHeadsetService.java) ...) NOT-FOR-US: Android CVE-2011-4275 (Multiple cross-site scripting (XSS) vulnerabilities in iTop (aka IT Op ...) NOT-FOR-US: IT Operations Portal CVE-2011-4274 (Cross-site scripting (XSS) vulnerability in the A-Form PC and PC/Mobil ...) NOT-FOR-US: Movable Type plugin CVE-2011-4273 (Multiple cross-site scripting (XSS) vulnerabilities in GoAhead Webserv ...) NOT-FOR-US: GoAhead Webserver CVE-2011-4272 REJECTED CVE-2011-4271 REJECTED CVE-2011-4270 REJECTED CVE-2011-4269 REJECTED CVE-2011-4268 REJECTED CVE-2011-4267 REJECTED CVE-2011-4266 (Untrusted search path vulnerability in FFFTP before 1.98d allows local ...) NOT-FOR-US: FFFTP CVE-2011-4265 (Cross-site scripting (XSS) vulnerability in phpWebSite before 1.0.0 al ...) NOT-FOR-US: phpWebSite CVE-2011-4264 (Cross-site scripting (XSS) vulnerability in Etomite before 1.1 allows ...) NOT-FOR-US: Etomite CVE-2011-4263 (Cross-site scripting (XSS) vulnerability in Schneider Electric PowerCh ...) NOT-FOR-US: Schneider Electric PowerChute Business Edition CVE-2010-5045 (Cross-site scripting (XSS) vulnerability in poll/default.asp in Smart ...) NOT-FOR-US: Smart ASP Survey CVE-2010-5044 (SQL injection vulnerability in models/log.php in the Search Log (com_s ...) NOT-FOR-US: Search log Joomla addon CVE-2010-5043 (SQL injection vulnerability in the DJ-ArtGallery (com_djartgallery) co ...) NOT-FOR-US: Joomla extension CVE-2010-5042 (Cross-site scripting (XSS) vulnerability in the DJ-ArtGallery (com_dja ...) NOT-FOR-US: Joomla extension CVE-2010-5041 (SQL injection vulnerability in index.php in the NP_Gallery plugin 0.94 ...) NOT-FOR-US: Nucleus CMS extension CVE-2010-5040 (PHP remote file inclusion vulnerability in nucleus/plugins/NP_gallery. ...) NOT-FOR-US: Nucleus CMS extension CVE-2010-5039 (SQL injection vulnerability in control/admin_login.php in ScriptsFeed ...) NOT-FOR-US: ScriptsFeed Recipes Listing Portal CVE-2010-5038 (PHP remote file inclusion vulnerability in contact/contact.php in Groo ...) NOT-FOR-US: Groone's Simple Contact Form CVE-2010-5037 (SQL injection vulnerability in article.php in SenseSites CommonSense C ...) NOT-FOR-US: SenseSites CommonSense CMS CVE-2010-5036 (SQL injection vulnerability in addsale.php in iScripts eSwap 2.0 allow ...) NOT-FOR-US: iScripts eSwap CVE-2010-5035 (Cross-site scripting (XSS) vulnerability in search.php in iScripts eSw ...) NOT-FOR-US: iScripts eSwap CVE-2010-5034 (SQL injection vulnerability in viewhistorydetail.php in iScripts EasyB ...) NOT-FOR-US: iScripts EasyBiller CVE-2010-5033 (SQL injection vulnerability in ProductList.cfm in Fusebox 5.5.1 allows ...) NOT-FOR-US: Fusebox CVE-2010-5032 (SQL injection vulnerability in the BF Quiz (com_bfquiztrial) component ...) NOT-FOR-US: Joomla extension CVE-2010-5031 (Cross-site scripting (XSS) vulnerability in index.php in fileNice 1.1 ...) NOT-FOR-US: fileNice CVE-2010-5030 (Cross-site scripting (XSS) vulnerability in index.php in Ecomat CMS 5. ...) NOT-FOR-US: Ecomat CMS CVE-2010-5029 (SQL injection vulnerability in index.php in Ecomat CMS 5.0 allows remo ...) NOT-FOR-US: Ecomat CMS CVE-2010-5028 (SQL injection vulnerability in the JExtensions JE Job (com_jejob) comp ...) NOT-FOR-US: Joomla extension CVE-2010-5027 (Cross-site scripting (XSS) vulnerability in winners.php in Science Fai ...) NOT-FOR-US: Science Fair In A Box (SFIAB) CVE-2010-5026 (SQL injection vulnerability in winners.php in Science Fair In A Box (S ...) NOT-FOR-US: Science Fair In A Box (SFIAB) CVE-2010-5025 (Cross-site scripting (XSS) vulnerability in manage/main.php in CuteSIT ...) NOT-FOR-US: CuteSITE CMS CVE-2010-5024 (SQL injection vulnerability in manage/add_user.php in CuteSITE CMS 1.2 ...) NOT-FOR-US: CuteSITE CMS CVE-2010-5023 (SQL injection vulnerability in index.asp in Digital Interchange Calend ...) NOT-FOR-US: Digital Interchange Calendar CVE-2010-5022 (SQL injection vulnerability in the JExtensions JE Story Submit (com_je ...) NOT-FOR-US: Joomla extension CVE-2010-5021 (SQL injection vulnerability in view_group.asp in Digital Interchange D ...) NOT-FOR-US: Digital Interchange Calendar CVE-2010-5020 (SQL injection vulnerability in index.php in NetArt Media iBoutique 4.0 ...) NOT-FOR-US: NetArt Media iBoutique CVE-2010-5019 (SQL injection vulnerability in view_photo.php in 2daybiz Online Classi ...) NOT-FOR-US: 2daybiz Online Classified Script CVE-2010-5018 (Cross-site scripting (XSS) vulnerability in products/classified/header ...) NOT-FOR-US: 2daybiz Online Classified Script CVE-2010-5017 (SQL injection vulnerability in stats.php in Elite Gaming Ladders 3.0 a ...) NOT-FOR-US: Elite Gaming Ladders CVE-2010-5016 (SQL injection vulnerability in matchdb.php in Elite Gaming Ladders 3.5 ...) NOT-FOR-US: Elite Gaming Ladders CVE-2010-5015 (SQL injection vulnerability in view_photo.php in 2daybiz Network Commu ...) NOT-FOR-US: 2daybiz Network Community Script CVE-2010-5014 (SQL injection vulnerability in standings.php in Elite Gaming Ladders 3 ...) NOT-FOR-US: Elite Gaming Ladders CVE-2010-5013 (SQL injection vulnerability in listing_detail.asp in Mckenzie Creation ...) NOT-FOR-US: Mckenzie Creations Virtual Real Estate Manager CVE-2010-5012 (SQL injection vulnerability in new.php in DaLogin 2.2 and 2.2.5 allows ...) NOT-FOR-US: DaLogin CVE-2010-5011 (SQL injection vulnerability in schoolmv2/html/studentmain.php in Schoo ...) NOT-FOR-US: SchoolMation CVE-2010-5010 (Cross-site scripting (XSS) vulnerability in schoolmv2/html/studentmain ...) NOT-FOR-US: SchoolMation CVE-2010-5009 (SQL injection vulnerability in index.php in UTStats Beta 4 and earlier ...) NOT-FOR-US: UTStats CVE-2010-5008 (SQL injection vulnerability in pages/contact_list_mail_form.asp in Bri ...) NOT-FOR-US: BrightSuite Groupware CVE-2010-5007 (Cross-site scripting (XSS) vulnerability in pages/match_report.php in ...) NOT-FOR-US: UTStats CVE-2010-5006 (SQL injection vulnerability in googlemap/index.php in EMO Realty Manag ...) NOT-FOR-US: EMO Realty Manager CVE-2010-5005 (Cross-site scripting (XSS) vulnerability in members/profileCommentsRes ...) NOT-FOR-US: Rayzz Photoz CVE-2010-5004 (SQL injection vulnerability in searchvote.php in 2daybiz Polls (aka Ad ...) NOT-FOR-US: 2daybiz Polls CVE-2010-5000 (SQL injection vulnerability in login/login_index.php in MCLogin System ...) NOT-FOR-US: MCLogin System CVE-2010-4998 (PHP remote file inclusion vulnerability in ardeaCore/lib/core/ardeaIni ...) NOT-FOR-US: ardeaCore PHP Framework CVE-2010-4997 (SQL injection vulnerability in index.php in OlyKit Swoopo Clone 2010 a ...) NOT-FOR-US: OlyKit Swoopo Clone 2010 CVE-2010-4971 (Cross-site scripting (XSS) vulnerability in VideoWhisper PHP 2 Way Vid ...) NOT-FOR-US: VideoWhisper PHP 2 Way Video Chat CVE-2011-4262 (Unspecified vulnerability in RealNetworks RealPlayer before 15.0.0 all ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-4261 (RealNetworks RealPlayer before 15.0.0 allows remote attackers to execu ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-4260 (RealNetworks RealPlayer before 15.0.0 allows remote attackers to execu ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-4259 (Integer underflow in RealNetworks RealPlayer before 15.0.0 allows remo ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-4258 (RealNetworks RealPlayer before 15.0.0 allows remote attackers to execu ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-4257 (The Cook codec in RealNetworks RealPlayer before 15.0.0 allows remote ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-4256 (The RV30 codec in RealNetworks RealPlayer before 15.0.0 and Mac RealPl ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-4255 (Unspecified vulnerability in RealNetworks RealPlayer before 15.0.0 and ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-4254 (RealNetworks RealPlayer before 15.0.0 allows remote attackers to execu ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-4253 (Unspecified vulnerability in the RV20 codec in RealNetworks RealPlayer ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-4252 (The RV10 codec in RealNetworks RealPlayer before 15.0.0 and Mac RealPl ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-4251 (RealNetworks RealPlayer before 15.0.0 allows remote attackers to execu ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-4250 (Unspecified vulnerability in the ATRC codec in RealNetworks RealPlayer ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-4249 (Array index error in the RV30 codec in RealNetworks RealPlayer before ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-4248 (RealNetworks RealPlayer before 15.0.0 allows remote attackers to execu ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-4247 (RealNetworks RealPlayer before 15.0.0 allows remote attackers to execu ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-4246 (The AAC codec in RealNetworks RealPlayer before 15.0.0 and Mac RealPla ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-4245 (The RealVideo renderer in RealNetworks RealPlayer before 15.0.0 and Ma ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-4244 (Heap-based buffer overflow in the RealVideo renderer in RealNetworks R ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-4243 RESERVED CVE-2011-4242 RESERVED CVE-2011-4241 RESERVED CVE-2011-4240 RESERVED CVE-2011-4239 RESERVED CVE-2011-4238 RESERVED CVE-2011-4237 (CRLF injection vulnerability in autologin.jsp in Cisco CiscoWorks Comm ...) NOT-FOR-US: Cisco CVE-2011-4236 RESERVED CVE-2011-4235 RESERVED CVE-2011-4234 RESERVED CVE-2011-4233 RESERVED CVE-2011-4232 (The web server in Cisco Unified MeetingPlace 6.1 and 8.5 produces diff ...) NOT-FOR-US: Cisco CVE-2011-4231 (Cisco IOS 15.1 and 15.2 and IOS XE 3.x, when configured as an IPsec hu ...) NOT-FOR-US: Cisco IOS CVE-2011-4230 RESERVED CVE-2011-4229 RESERVED CVE-2011-4228 RESERVED CVE-2011-4227 RESERVED CVE-2011-4226 RESERVED CVE-2011-4225 RESERVED CVE-2011-4224 RESERVED CVE-2011-4223 (Unspecified vulnerability in Investintech.com Absolute PDF Server allo ...) NOT-FOR-US: Investintech.com Absolute PDF Server CVE-2011-4222 (Unspecified vulnerability in Investintech.com Able2Extract and Able2Ex ...) NOT-FOR-US: Investintech.com Able2Extract CVE-2011-4221 (Unspecified vulnerability in Investintech.com Able2Doc and Able2Doc Pr ...) NOT-FOR-US: Investintech.com Able2Doc CVE-2011-4220 (Investintech.com SlimPDF Reader does not properly restrict the argumen ...) NOT-FOR-US: Investintech.com SlimPDF CVE-2011-4219 (Investintech.com SlimPDF Reader does not prevent faulting-address data ...) NOT-FOR-US: Investintech.com SlimPDF CVE-2011-4218 (Investintech.com SlimPDF Reader does not prevent faulting-instruction ...) NOT-FOR-US: Investintech.com SlimPDF CVE-2011-4217 (Investintech.com SlimPDF Reader does not properly restrict read operat ...) NOT-FOR-US: Investintech.com SlimPDF CVE-2011-4216 (Investintech.com SlimPDF Reader does not properly restrict write opera ...) NOT-FOR-US: Investintech.com SlimPDF CVE-2011-4215 (SQL injection vulnerability in lib/ooz_access.php in OneOrZero Action ...) NOT-FOR-US: OneOrZero Action & Information Management System (AIMS) CVE-2011-4214 (OneOrZero Action & Information Management System (AIMS) 2.7.0 allo ...) NOT-FOR-US: OneOrZero Action & Information Management System (AIMS) CVE-2010-5003 (SQL injection vulnerability in the AutarTimonial (com_autartimonial) c ...) NOT-FOR-US: Joomla extension CVE-2010-5002 (Cross-site scripting (XSS) vulnerability in modules/slideshowmodule/sl ...) NOT-FOR-US: Exponent CMS CVE-2010-5001 (SQL injection vulnerability in view.php in esoftpro Online Contact Man ...) NOT-FOR-US: esoftpro Online Contact Manager CVE-2010-4999 (SQL injection vulnerability in index.php in esoftpro Online Photo Pro ...) NOT-FOR-US: esoftpro Online Photo Pro CVE-2010-4996 (SQL injection vulnerability in ogp_show.php in esoftpro Online Guestbo ...) NOT-FOR-US: esoftpro Online Guestbook Pro CVE-2010-4995 (SQL injection vulnerability in the NeoRecruit (com_neorecruit) compone ...) NOT-FOR-US: Joomla extension CVE-2010-4994 (SQL injection vulnerability in the Jobs Pro component 1.6.4 for Joomla ...) NOT-FOR-US: Joomla extension CVE-2010-4993 (SQL injection vulnerability in the eventcal (com_eventcal) component 1 ...) NOT-FOR-US: Joomla extension CVE-2010-4992 (SQL injection vulnerability in the Payments Plus component 2.1.5 for J ...) NOT-FOR-US: Joomla extension CVE-2010-4991 (SQL injection vulnerability in the NinjaMonials (com_ninjamonials) com ...) NOT-FOR-US: Joomla extension CVE-2010-4990 (SQL injection vulnerability in the Front-edit Address Book (com_addres ...) NOT-FOR-US: Joomla extension CVE-2010-4989 (SQL injection vulnerability in main.asp in Ziggurat Farsi CMS allows r ...) NOT-FOR-US: Ziggurat Farsi CMS CVE-2010-4988 (PHP remote file inclusion vulnerability in mod_chatting/themes/default ...) NOT-FOR-US: Family Connections Who is Chatting CVE-2010-4987 (SQL injection vulnerability in default.asp in KMSoft Guestbook (aka GB ...) NOT-FOR-US: KMSoft Guestbook (aka GBook) CVE-2010-4986 (SQL injection vulnerability in detail.php in Simple Document Managemen ...) NOT-FOR-US: Simple Document Management System (SDMS) CVE-2010-4985 (Cross-site scripting (XSS) vulnerability in notes.php in My Kazaam Not ...) NOT-FOR-US: My Kazaam Notes Management System CVE-2010-4984 (SQL injection vulnerability in notes.php in My Kazaam Notes Management ...) NOT-FOR-US: My Kazaam Notes Management System CVE-2010-4983 (SQL injection vulnerability in profile.php in iScripts CyberMatch 1.0 ...) NOT-FOR-US: iScripts CyberMatch CVE-2010-4982 (SQL injection vulnerability in address_book/contacts.php in My Kazaam ...) NOT-FOR-US: My Kazaam Address & Contact Organizer CVE-2010-4981 (SQL injection vulnerability in trackads.php in YourFreeWorld Banner Ma ...) NOT-FOR-US: YourFreeWorld Banner Management CVE-2010-4980 (SQL injection vulnerability in packagedetails.php in iScripts ReserveL ...) NOT-FOR-US: iScripts ReserveLogic CVE-2010-4979 (SQL injection vulnerability in image/view.php in CANDID allows remote ...) NOT-FOR-US: CANDID CVE-2010-4978 (Cross-site scripting (XSS) vulnerability in image/view.php in CANDID a ...) NOT-FOR-US: CANDID CVE-2010-4977 (SQL injection vulnerability in menu.php in the Canteen (com_canteen) c ...) NOT-FOR-US: Joomla extension CVE-2010-4976 (Cross-site scripting (XSS) vulnerability in search/search.php in MetIn ...) NOT-FOR-US: MetInfo CVE-2010-4975 (SQL injection vulnerability in the Techjoomla SocialAds For JomSocial ...) NOT-FOR-US: Joomla extension CVE-2010-4974 (SQL injection vulnerability in info.php in BrotherScripts (BS) and Scr ...) NOT-FOR-US: BrotherScripts (BS) and ScriptsFeed Auto Dealer CVE-2010-4973 (Cross-site scripting (XSS) vulnerability in the search feature in Camp ...) NOT-FOR-US: Campsite CVE-2010-4972 (SQL injection vulnerability in index.php in YPNinc JokeScript allows r ...) NOT-FOR-US: YPNinc JokeScript CVE-2010-4970 (SQL injection vulnerability in handlers/getpage.php in Wiki Web Help 0 ...) NOT-FOR-US: Wiki Web Help CVE-2010-4969 (SQL injection vulnerability in articlesdetails.php in BrotherScripts ( ...) NOT-FOR-US: BrotherScripts (BS) Business Directory CVE-2010-4968 (SQL injection vulnerability in the webmaster-tips.net Flash Gallery (c ...) NOT-FOR-US: Joomla extension CVE-2011-4213 (The sandbox environment in the Google App Engine Python SDK before 1.5 ...) NOT-FOR-US: Google App Engine CVE-2011-4212 (The sandbox environment in the Google App Engine Python SDK before 1.5 ...) NOT-FOR-US: Google App Engine CVE-2011-4211 (The FakeFile implementation in the sandbox environment in the Google A ...) NOT-FOR-US: Google App Engine CVE-2011-4210 RESERVED CVE-2011-4209 RESERVED CVE-2011-4208 RESERVED CVE-2011-4207 RESERVED CVE-2011-4206 RESERVED CVE-2011-4205 RESERVED CVE-2011-4204 RESERVED CVE-2011-4203 (CRLF injection vulnerability in calendar/set.php in the Calendar compo ...) NOT-FOR-US: Moodle addon CVE-2011-4202 (The Tadasoft Restorepoint 3.2 evaluation image uses weak permissions ( ...) NOT-FOR-US: Tadasoft Restorepoint CVE-2011-4201 (remote_support.cgi in the Tadasoft Restorepoint 3.2 evaluation image a ...) NOT-FOR-US: Tadasoft Restorepoint CVE-2011-4200 RESERVED CVE-2011-4199 RESERVED CVE-2011-4198 RESERVED CVE-2011-4197 (etc/inc/certs.inc in the PKI implementation in pfSense before 2.0.1 cr ...) NOT-FOR-US: pfSense CVE-2011-XXXX [spip privilege escalation] - spip 2.1.12-1 (bug #649113) [squeeze] - spip 2.1.1-3squeeze2 CVE-2011-XXXX [spip XSS] - spip 2.1.12-1 (bug #649113) [squeeze] - spip 2.1.1-3squeeze2 CVE-2011-XXXX [spip path disclosure] - spip 2.1.12-1 (unimportant; bug #646758) NOTE: http://archives.rezo.net/archives/spip-ann.mbox/5XCQ4RYDCYRXQSQQK42DT7IO2GVT7ZSI/ NOTE: Path disclosure not an issue for Debian CVE-2011-4196 RESERVED CVE-2011-4195 (kiwi before 4.98.05, as used in SUSE Studio Onsite 1.2 before 1.2.1 an ...) NOT-FOR-US: Suse kiwi (different from python-kiwi) CVE-2011-4194 (Buffer overflow in Novell iPrint Server in Novell Open Enterprise Serv ...) NOT-FOR-US: Novell iPrint CVE-2011-4193 (Cross-site scripting (XSS) vulnerability in the overlay files tab in S ...) NOT-FOR-US: Suse kiwi (different from python-kiwi) CVE-2011-4192 (kiwi before 4.85.1, as used in SUSE Studio Onsite 1.2 before 1.2.1 and ...) NOT-FOR-US: Suse kiwi (different from python-kiwi) CVE-2011-4191 (Stack-based buffer overflow in the xdrDecodeString function in XNFS.NL ...) NOT-FOR-US: Novell NetWare CVE-2011-4190 (The kdump implementation is missing the host key verification in the k ...) NOT-FOR-US: kdump as used in SuSE CVE-2011-4189 (The client in Novell GroupWise 8.0x through 8.02HP3 allows remote atta ...) NOT-FOR-US: Novell GroupWise CVE-2011-4188 (Buffer overflow in the Create Attribute function in jclient in Novell ...) NOT-FOR-US: Novell iManager CVE-2011-4187 (Buffer overflow in the GetDriverSettings function in nipplib.dll in No ...) NOT-FOR-US: Novell iPrint Client CVE-2011-4186 (Heap-based buffer overflow in nipplib.dll in Novell iPrint Client befo ...) NOT-FOR-US: Novell iPrint Client CVE-2011-4185 (The GetPrinterURLList2 method in the ActiveX control in Novell iPrint ...) NOT-FOR-US: ActiveX CVE-2011-4184 RESERVED CVE-2011-4183 (A vulnerability in open build service allows remote attackers to uploa ...) - open-build-service (Fixed before initial upload to Debian) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=736243 NOTE: https://github.com/openSUSE/open-build-service/commit/5281e4bff9df31f1f91e22a0d1e9086b93b23d7e CVE-2011-4182 (Missing escaping of ESSID values in sysconfig of SUSE Linux Enterprise ...) NOT-FOR-US: sysconfig in SUSE Linux Enterprise CVE-2011-4181 (A vulnerability in open build service allows remote attackers to gain ...) - open-build-service (Fixed before initial upload to Debian) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=734003 NOTE: https://github.com/openSUSE/open-build-service/commit/5281e4bff9df31f1f91e22a0d1e9086b93b23d7e CVE-2011-4180 RESERVED CVE-2011-4179 RESERVED CVE-2011-4178 RESERVED CVE-2011-4177 RESERVED CVE-2011-4176 RESERVED CVE-2011-4175 RESERVED CVE-2011-4174 RESERVED CVE-2011-4173 (Cross-site request forgery (CSRF) vulnerability in Simple Machines For ...) NOT-FOR-US: Simple Machines Forum CVE-2011-4172 (Multiple cross-site scripting (XSS) vulnerabilities in KENT-WEB WEB FO ...) NOT-FOR-US: KENT WEB FORUM CVE-2011-4171 (Cross-site scripting (XSS) vulnerability in content/error.jsp in IBM W ...) NOT-FOR-US: WebSphere CVE-2011-4170 (Cross-site scripting (XSS) vulnerability in the theme_adium_append_mes ...) - empathy 3.2.1.1-1 [squeeze] - empathy (Minor issue) [lenny] - empathy (only affects webkit theming, not present in Lenny) CVE-2011-4169 (Unspecified vulnerability in HP Managed Printing Administration before ...) NOT-FOR-US: HP Managed Printing Administration CVE-2011-4168 (Directory traversal vulnerability in hpmpa/jobDelivery/Default.asp in ...) NOT-FOR-US: HP Managed Printing Administration CVE-2011-4167 (Stack-based buffer overflow in MPAUploader.dll in HP Managed Printing ...) NOT-FOR-US: HP Managed Printing Administration CVE-2011-4166 (Directory traversal vulnerability in the MPAUploader.Uploader.1.Upload ...) NOT-FOR-US: HP Managed Printing Administration CVE-2011-4165 (Unspecified vulnerability in HP Database Archiving Software 6.31 allow ...) NOT-FOR-US: HP Database Archiving Software CVE-2011-4164 (Unspecified vulnerability in HP Database Archiving Software 6.31 allow ...) NOT-FOR-US: HP Database Archiving Software CVE-2011-4163 (Unspecified vulnerability in HP Database Archiving Software 6.31 allow ...) NOT-FOR-US: HP Database Archiving Software CVE-2011-4162 (The (1) AddUser, (2) AddUserEx, (3) RemoveUser, (4) RemoveUserByGuide, ...) NOT-FOR-US: HP Protect Tools Device Access Manager CVE-2011-4161 (The default configuration of the HP CM8060 Color MFP with Edgeline; Co ...) NOT-FOR-US: HP CM8060 Color MFP CVE-2011-4160 (Unspecified vulnerability in HP Operations Agent 11.00 and Performance ...) NOT-FOR-US: HP Operations Agent CVE-2011-4159 (Unspecified vulnerability in System Administration Manager (SAM) in EM ...) NOT-FOR-US: HP-UX CVE-2011-4158 (Unspecified vulnerability in HP Directories Support for ProLiant Manag ...) NOT-FOR-US: HP Directories Support CVE-2011-4157 (Stack-based buffer overflow in hydra.exe in HP SAN/iQ before 9.5 on th ...) NOT-FOR-US: HP SAN/iQ CVE-2011-4156 (Cross-site scripting (XSS) vulnerability in HP Network Node Manager i ...) NOT-FOR-US: HP Network Node Manager CVE-2011-4155 (Cross-site scripting (XSS) vulnerability in HP Network Node Manager i ...) NOT-FOR-US: HP Network Node Manager CVE-2011-4154 RESERVED CVE-2011-4153 (PHP 5.3.8 does not always check the return value of the zend_strndup f ...) {DSA-2408-1} - php5 5.3.9-1 (low) CVE-2011-4152 RESERVED CVE-2011-4151 (The krb5_db2_lockout_audit function in the Key Distribution Center (KD ...) - krb5 1.10+dfsg~alpha1-1 (low; bug #646367) [squeeze] - krb5 (Minor issue) [lenny] - krb5 (introduced in 1.8) CVE-2010-4967 (SQL injection vulnerability in default.asp in ATCOM Netvolution 2.5.6 ...) NOT-FOR-US: ATCOM Netvolution CVE-2010-4966 (Cross-site scripting (XSS) vulnerability in default.asp in ATCOM Netvo ...) NOT-FOR-US: ATCOM Netvolution CVE-2009-5103 (Cross-site scripting (XSS) vulnerability in ATCOM Netvolution 1.0 ASP ...) NOT-FOR-US: ATCOM Netvolution CVE-2009-5102 (SQL injection vulnerability in default.asp in ATCOM Netvolution 1.0 AS ...) NOT-FOR-US: ATCOM Netvolution CVE-2011-4150 REJECTED CVE-2011-4149 REJECTED CVE-2011-4148 REJECTED CVE-2011-4147 REJECTED CVE-2011-4146 REJECTED CVE-2011-4145 REJECTED CVE-2011-4144 (Unspecified vulnerability in EMC Documentum Content Server 6.0, 6.5 be ...) NOT-FOR-US: EMC CVE-2011-4143 (EMC RSA enVision 4.0 before SP4 P5 and 4.1 before P3 allows remote att ...) NOT-FOR-US: EMC CVE-2011-4142 (The Web Search feature in EMC SourceOne Email Management 6.5 before 6. ...) NOT-FOR-US: EMC SourceOne Email Management CVE-2011-4141 (Untrusted search path vulnerability in EMC RSA SecurID Software Token ...) NOT-FOR-US: RSA SecurID CVE-2011-4140 (The CSRF protection mechanism in Django through 1.2.7 and 1.3.x throug ...) {DSA-2332-1} - python-django 1.3.1-1 (bug #641405) CVE-2011-4139 (Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host ...) {DSA-2332-1} - python-django 1.3.1-1 (bug #641405) CVE-2011-4138 (The verify_exists functionality in the URLField implementation in Djan ...) {DSA-2332-1} - python-django 1.3.1-1 (bug #641405) CVE-2011-4137 (The verify_exists functionality in the URLField implementation in Djan ...) {DSA-2332-1} - python-django 1.3.1-1 (bug #641405) CVE-2011-4136 (django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, ...) {DSA-2332-1} - python-django 1.3.1-1 (bug #641405) CVE-2011-4135 (Multiple directory traversal vulnerabilities in lmgrd in Flexera FlexN ...) NOT-FOR-US: Flexera FlexNet Publisher CVE-2011-4134 (Heap-based buffer overflow in lmadmin in Flexera FlexNet Publisher 11. ...) NOT-FOR-US: Flexera FlexNet Publisher CVE-2011-4133 (Cross-site request forgery (CSRF) vulnerability in Moodle 1.9.x before ...) {DSA-2262-1} - moodle 1.9.9.dfsg2-3 CVE-2011-4132 (The cleanup_journal_tail function in the Journaling Block Device (JBD) ...) - linux-2.6 3.1.6-1 [squeeze] - linux-2.6 2.6.32-40 CVE-2011-4131 (The NFSv4 implementation in the Linux kernel before 3.2.2 does not pro ...) - linux 3.2.9-1 (low) - linux-2.6 [squeeze] - linux-2.6 (Too intrusive to backport, minor impact) CVE-2011-4130 (Use-after-free vulnerability in the Response API in ProFTPD before 1.3 ...) {DSA-2346-2 DSA-2346-1} - proftpd-dfsg 1.3.4~rc3-2 (high; bug #648373) [lenny] - proftpd-dfsg (vulnerable functionality not present) NOTE: http://bugs.proftpd.org/show_bug.cgi?id=3711 CVE-2011-4129 ((1) services/twitter/twitter-contact-view.c and (2) services/twitter/t ...) - libsocialweb 0.25.20-1 CVE-2011-4128 (Buffer overflow in the gnutls_session_get_data function in lib/gnutls_ ...) - gnutls26 2.12.14-1 (low; bug #648441) [squeeze] - gnutls26 2.8.6-1+squeeze1 [lenny] - gnutls26 (Minor issue) CVE-2011-4127 (The Linux kernel before 3.2.2 does not properly restrict SG_IO ioctl c ...) {DSA-2443-1 DSA-2389-1} - libguestfs 1:1.14.8-1 - linux-2.6 CVE-2011-4126 RESERVED CVE-2011-4125 RESERVED CVE-2011-4124 RESERVED CVE-2011-4123 REJECTED CVE-2011-4122 (Directory traversal vulnerability in openpam_configure.c in OpenPAM be ...) NOT-FOR-US: OpenPAM CVE-2011-4121 (The OpenSSL extension of Ruby (Git trunk) versions after 2011-09-01 up ...) - ruby1.9.1 (Only affected trunk versions) CVE-2011-4120 (Yubico PAM Module before 2.10 performed user authentication when 'use_ ...) - yubico-pam 2.10-1 CVE-2011-4119 RESERVED CVE-2011-4117 (The Batch::BatchRun module 1.03 for Perl does not properly handle temp ...) NOT-FOR-US: perl Batch::BatchRun CPAN module CVE-2011-4116 (_is_safe in the File::Temp module for Perl does not properly handle sy ...) - perl (unimportant; bug #776268) NOTE: http://thread.gmane.org/gmane.comp.security.oss.general/6174/focus=6177 NOTE: https://github.com/Perl-Toolchain-Gang/File-Temp/issues/14 CVE-2011-4115 (Parallel::ForkManager module before 1.0.0 for Perl does not properly h ...) - libparallel-forkmanager-perl (issue introduced in 0.7.6 upstream, never in Debian) NOTE: affected code was never in Debian. Upstream fixed in 1.0.0 NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=68298 CVE-2011-4114 (The par_mktmpdir function in the PAR::Packer module before 1.012 for P ...) - libpar-packer-perl 1.012-1 (bug #650706) [squeeze] - libpar-packer-perl 1.006-1+squeeze1 CVE-2011-4113 (SQL injection vulnerability in the Views module before 6.x-2.13 for Dr ...) - drupal6-mod-views 2.14-1 CVE-2011-4112 (The net subsystem in the Linux kernel before 3.1 does not properly res ...) - linux-2.6 3.1-1 (unimportant) NOTE: Turned out to be a non-issue, http://www.openwall.com/lists/oss-security/2011/11/24/3 CVE-2011-4111 (Buffer overflow in the ccid_card_vscard_handle_message function in hw/ ...) - qemu 0.15.1+dfsg-2 [lenny] - qemu (Vulnerable CCID code not present) [squeeze] - qemu (Vulnerable CCID code not present) - xen 4.4.0-1 [wheezy] - xen (Vulnerable code introduced after 0.14.50, embedded version is 0.10.2) NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: Vulnerable code introduced after 0.14.50: http://git.qemu.org/?p=qemu.git;a=commit;h=edbb21363fbfe40e050f583df921484cbc31c79d CVE-2011-4110 (The user_update function in security/keys/user_defined.c in the Linux ...) {DSA-2389-1} - linux-2.6 3.1.4-1 CVE-2011-4109 (Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when X509_V_ ...) {DSA-2390-1} - openssl 1.0.0c-1 CVE-2011-4108 (The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f ...) {DSA-2390-1} - openssl 1.0.0f-1 (low; bug #645805) NOTE: http://rt.openssl.org/Ticket/Display.html?id=2625&user=guest&pass=guest CVE-2011-4107 (The simplexml_load_string function in the XML import plug-in (librarie ...) {DSA-2391-1} - phpmyadmin 4:3.4.7.1-1 (bug #656247) [lenny] - phpmyadmin (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=751112 CVE-2011-4106 (TimThumb (timthumb.php) before 2.0 does not validate the entire source ...) NOT-FOR-US: wordpress plugin timthumb CVE-2011-4105 (LightDM before 1.0.6 allows local users to change ownership of arbitra ...) - lightdm 1.0.6-2 CVE-2011-4104 (The from_yaml method in serializers.py in Django Tastypie before 0.9.1 ...) - django-tastypie 0.9.10-1 (bug #647314) CVE-2011-4103 (emitters.py in Django Piston before 0.2.3 and 0.2.x before 0.2.2.1 doe ...) {DSA-2344-1} - python-django-piston 0.2.2-2 (high; bug #647315) CVE-2011-4102 (Heap-based buffer overflow in the erf_read_header function in wiretap/ ...) {DSA-2351-1} - wireshark 1.6.3-1 NOTE: http://www.wireshark.org/security/wnpa-sec-2011-19.html NOTE: http://anonsvn.wireshark.org/viewvc/trunk/wiretap/erf.c?r1=39508&r2=39507&pathrev=39508&view=patch NOTE: Affects 1.0 and 1.2, the versions listed in the advisory are relative to the supported upstream branches CVE-2011-4101 (The dissect_infiniband_common function in epan/dissectors/packet-infin ...) - wireshark 1.6.3-1 (unimportant) NOTE: no code injection, not treated as a security issue, see README.Debian.security NOTE: http://www.wireshark.org/security/wnpa-sec-2011-18.html CVE-2011-4100 (The csnStreamDissector function in epan/dissectors/packet-csn1.c in th ...) - wireshark 1.6.3-1 [squeeze] - wireshark (Affects only 1.6.0-1.6.2) [lenny] - wireshark (Affects only 1.6.0-1.6.2) NOTE: http://www.wireshark.org/security/wnpa-sec-2011-17.html CVE-2011-4099 (The capsh program in libcap before 2.22 does not change the current wo ...) - libcap2 1:2.22-1 (low) [squeeze] - libcap2 (Minor issue) CVE-2011-4098 (The fallocate implementation in the GFS2 filesystem in the Linux kerne ...) - linux 3.2.1-1 - linux-2.6 [squeeze] - linux-2.6 (fallocate support was added to GFS2 in 2.37) CVE-2011-4097 (Integer overflow in the oom_badness function in mm/oom_kill.c in the L ...) - linux-2.6 3.0.0-6 [squeeze] - linux-2.6 (Introduced in 2.6.39) [lenny] - linux-2.6 (Introduced in 2.6.39) CVE-2011-4096 (The idnsGrokReply function in Squid before 3.1.16 does not properly fr ...) {DSA-2381-1} - squid3 3.1.16-1 [lenny] - squid3 (no IPv6 support) CVE-2011-4095 (Jara 1.6 has an XSS vulnerability ...) NOT-FOR-US: Jara CVE-2011-4094 (Jara 1.6 has a SQL injection vulnerability. ...) NOT-FOR-US: Jara CVE-2011-4093 (Integer overflow in inc/server.hpp in libnet6 (aka net6) before 1.3.14 ...) - net6 1:1.3.14-1 (low; bug #647318) [squeeze] - net6 (Minor issue) [lenny] - net6 (Minor issue) CVE-2011-4092 (obby (aka libobby) does not verify SSL server certificates, which allo ...) - obby (low; bug #647317) [wheezy] - obby (Minor design limitation) [lenny] - obby (Minor design limitation) [squeeze] - obby (Minor design limitation) CVE-2011-4091 (The libobby server in inc/server.hpp in libnet6 (aka net6) before 1.3. ...) [squeeze] - net6 (Minor issue) [lenny] - net6 (Minor issue) - net6 1:1.3.14-1 (low; bug #647318) CVE-2011-4090 (Serendipity before 1.6 has an XSS issue in the karma plugin which may ...) - serendipity (bug #650937) [squeeze] - serendipity (Minor issue) NOTE: http://seclists.org/oss-sec/2011/q4/192 CVE-2011-4089 (The bzexe command in bzip2 1.0.5 and earlier generates compressed exec ...) - bzip2 1.0.6-1 (low; bug #632862) [squeeze] - bzip2 1.0.5-6+squeeze1 [lenny] - bzip2 (Minor issue) CVE-2011-4088 (ABRT might allow attackers to obtain sensitive information from crash ...) NOT-FOR-US: abrt/libreport CVE-2011-4087 (The br_parse_ip_options function in net/bridge/br_netfilter.c in the L ...) - linux-2.6 3.0.0-1 [squeeze] - linux-2.6 (Introduced in 2.6.37) [lenny] - linux-2.6 (Introduced in 2.6.37) CVE-2011-4086 (The journal_unmap_buffer function in fs/jbd2/transaction.c in the Linu ...) {DSA-2469-1} - linux-2.6 (low) CVE-2011-4085 (The servlets invoked by httpha-invoker in JBoss Enterprise Application ...) NOT-FOR-US: JBoss Enterprise SOA Platform CVE-2011-4084 REJECTED CVE-2011-4083 (The sosreport utility in the Red Hat sos package before 1.7-9 and 2.x ...) NOT-FOR-US: RedHat sos CVE-2011-4082 (A local file inclusion flaw was found in the way the phpLDAPadmin befo ...) - phpldapadmin 0.9.8-1 CVE-2011-4081 (crypto/ghash-generic.c in the Linux kernel before 3.1 allows local use ...) - linux-2.6 3.0.0-6 [squeeze] - linux-2.6 (CRYPTO_GHASH Introduced in 2.6.32) CVE-2011-4080 (The sysrq_sysctl_handler function in kernel/sysctl.c in the Linux kern ...) - linux-2.6 2.6.39-1 [lenny] - linux-2.6 (introduced in 2.6.37 with eaf06b241b091357e72b76863ba16e89610d31bd) [squeeze] - linux-2.6 (introduced in 2.6.37 with eaf06b241b091357e72b76863ba16e89610d31bd) CVE-2011-4079 (Off-by-one error in the UTF8StringNormalize function in OpenLDAP 2.4.2 ...) - openldap 2.4.28-1 (unimportant; bug #647610) NOTE: Not exploitable with glibc, see NOTE: http://www.openldap.org/its/index.cgi/Software%20Bugs?id=7059;selectid=7059 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4079 CVE-2011-4078 (include/iniset.php in Roundcube Webmail 0.5.4 and earlier, when PHP 5. ...) - roundcube 0.6+dfsg-1 (bug #646675) [squeeze] - roundcube (squeeze PHP version does not expose the issue) NOTE: http://trac.roundcube.net/ticket/1488086 NOTE: This is arguably a PHP issue, but will probably not be fixed upstream. CVE-2011-4077 (Buffer overflow in the xfs_readlink function in fs/xfs/xfs_vnodeops.c ...) {DSA-2389-1} - linux-2.6 3.0.0-6 CVE-2011-4076 (OpenStack Nova before 2012.1 allows someone with access to an EC2_ACCE ...) - nova 2012.1~e1-1 NOTE: https://bugs.launchpad.net/nova/+bug/868360 NOTE: the patch for this bug is available at https://review.openstack.org/#/c/794/ CVE-2011-4075 (The masort function in lib/functions.php in phpLDAPadmin 1.2.x before ...) {DSA-2333-1} - phpldapadmin 1.2.0.5-2.1 (bug #646754) CVE-2011-4074 (Cross-site scripting (XSS) vulnerability in cmd.php in phpLDAPadmin 1. ...) {DSA-2333-1} - phpldapadmin 1.2.0.5-2.1 (bug #646769) CVE-2011-4073 (Use-after-free vulnerability in the cryptographic helper handler funct ...) {DSA-2374-1} - openswan 1:2.6.37-1 (low; bug #650674) CVE-2007-6744 (Flexera Macrovision InstallShield before 2008 sends a digital-signatur ...) NOT-FOR-US: Flexera Macrovision InstallShield CVE-2006-7246 (NetworkManager 0.9.x does not pin a certificate's subject to an ESSID ...) - wpasupplicant 0.7.3-1 [squeeze] - wpasupplicant (Minor issue) - network-manager 0.9.4.0-1 [squeeze] - network-manager (Minor issue) NOTE: might be fixed earlier; I checked the source versions in Wheezy CVE-2011-4072 REJECTED CVE-2011-4071 RESERVED CVE-2011-4070 RESERVED CVE-2011-4069 (html/admin/login.php in PacketFence before 3.0.2 allows remote attacke ...) NOT-FOR-US: PacketFence CVE-2011-4068 (The check_password function in html/admin/login.php in PacketFence bef ...) NOT-FOR-US: PacketFence CVE-2011-4067 RESERVED CVE-2011-4066 (SQL injection vulnerability in bbs/tb.php in Gnuboard 4.33.02 and earl ...) NOT-FOR-US: GNU Board CVE-2011-4065 RESERVED CVE-2011-4063 (chan_sip.c in the SIP channel driver in Asterisk Open Source 1.8.x bef ...) - asterisk 1:1.8.7.1~dfsg-1 (bug #647252) [lenny] - asterisk (Only affects >= 1.8) [squeeze] - asterisk (Only affects >= 1.8) CVE-2011-4062 (Buffer overflow in the kernel in FreeBSD 7.3 through 9.0-RC1 allows lo ...) {DSA-2325-1} - kfreebsd-10 10.0~svn226224-1 - kfreebsd-9 9.0~svn225873-1 - kfreebsd-8 8.2-11 (bug #645377) - kfreebsd-7 CVE-2011-4061 (Multiple untrusted search path vulnerabilities in (1) db2rspgn and (2) ...) NOT-FOR-US: DB2 CVE-2011-4060 (The runtime linker in QNX Neutrino RTOS 6.5.0 before Service Pack 1 do ...) NOT-FOR-US: QNX CVE-2011-4059 RESERVED CVE-2011-4058 RESERVED CVE-2010-4965 (/etc/rc.d/rc.local on the D-Link DCS-2121 camera with firmware 1.04 co ...) NOT-FOR-US: D-Link DCS-2121 CVE-2010-4964 (recorder_test.cgi on the D-Link DCS-2121 camera with firmware 1.04 all ...) NOT-FOR-US: D-Link DCS-2121 CVE-2011-4064 (Cross-site scripting (XSS) vulnerability in the setup interface in php ...) - phpmyadmin 4:3.4.6-1 (unimportant) CVE-2011-4057 (Wibu-Systems AG CodeMeter Runtime 4.30c, 4.10b, and possibly other ver ...) NOT-FOR-US: Wibu-Systems AG CodeMeter Runtime CVE-2011-4056 (An unspecified ActiveX control in ActBar.ocx in Siemens Tecnomatix Fac ...) NOT-FOR-US: Siemens Tecnomatix CVE-2011-4055 (Buffer overflow in the WebClient ActiveX control in Siemens Tecnomatix ...) NOT-FOR-US: Siemens Tecnomatix CVE-2011-4054 (Cross-site scripting (XSS) vulnerability in login.fcc in CA SiteMinder ...) NOT-FOR-US: CA SiteMinder CVE-2011-4053 (Untrusted search path vulnerability in 7-Technologies (7T) Interactive ...) NOT-FOR-US: 7-Technologies (7T) Interactive Graphical SCADA System CVE-2011-4052 (Stack-based buffer overflow in CEServer.exe in the CEServer component ...) NOT-FOR-US: InduSoft Web Studio CVE-2011-4051 (CEServer.exe in the CEServer component in the Remote Agent module in I ...) NOT-FOR-US: InduSoft Web Studio CVE-2011-4050 (Buffer overflow in 7-Technologies (7T) Interactive Graphical SCADA Sys ...) NOT-FOR-US: Interactive Graphical SCADA System CVE-2011-4049 RESERVED CVE-2011-4048 (The Dell KACE K2000 System Deployment Appliance has a default username ...) NOT-FOR-US: Dell appliance CVE-2011-4047 (The Dell KACE K2000 System Deployment Appliance allows remote attacker ...) NOT-FOR-US: Dell appliance CVE-2011-4046 (The Dell KACE K2000 System Deployment Appliance stores the recovery ac ...) NOT-FOR-US: Dell appliance CVE-2011-4045 (Buffer overflow in an unspecified ActiveX control in aipgctl.ocx in AR ...) NOT-FOR-US: ARC Informatique CVE-2011-4044 (An unspecified ActiveX control in SVUIGrd.ocx in ARC Informatique PcVu ...) NOT-FOR-US: ARC Informatique CVE-2011-4043 (Integer overflow in an unspecified ActiveX control in SVUIGrd.ocx in A ...) NOT-FOR-US: ARC Informatique CVE-2011-4042 (An unspecified ActiveX control in SVUIGrd.ocx in ARC Informatique PcVu ...) NOT-FOR-US: ARC Informatique CVE-2011-4041 (webvrpcs.exe in Advantech/BroadWin WebAccess allows remote attackers t ...) NOT-FOR-US: Advantech WebAccess CVE-2011-4040 (Buffer overflow in MiniSmtp 3.0.11818 in NJStar Communicator allows re ...) NOT-FOR-US: NJStar Communicator CVE-2011-4039 (Invensys Wonderware HMI Reports 3.42.835.0304 and earlier, as used in ...) NOT-FOR-US: Invensys Wonderware HMI Reports CVE-2011-4038 (Cross-site scripting (XSS) vulnerability in Invensys Wonderware HMI Re ...) NOT-FOR-US: Invensys Wonderware HMI Reports CVE-2011-4037 (Buffer overflow in Sielco Sistemi Winlog PRO before 2.07.09 and Winlog ...) NOT-FOR-US: Sielco Sistemi Winlog PRO CVE-2011-4036 (Directory traversal vulnerability in Schneider Electric Vijeo Historia ...) NOT-FOR-US: Schneider Electric Vijeo CVE-2011-4035 (Cross-site scripting (XSS) vulnerability in Schneider Electric Vijeo H ...) NOT-FOR-US: Schneider Electric Vijeo CVE-2011-4034 (Buffer overflow in the Steema TeeChart ActiveX control, as used in Sch ...) NOT-FOR-US: Steema TeeChart CVE-2011-4033 (Buffer overflow in the Steema TeeChart ActiveX control, as used in Sch ...) NOT-FOR-US: Steema TeeChart CVE-2011-4032 RESERVED CVE-2011-4031 (Integer underflow in the asfrtp_parse_packet function in libavformat/r ...) - libav 0.8-1 (bug #675767) - ffmpeg (Vulnerable code not present) CVE-2011-4030 (The CMFEditions component 2.x in Plone 4.0.x through 4.0.9, 4.1, and 4 ...) - plone3 (Only affects Plone 4.x) CVE-2011-4029 (The LockServer function in os/utils.c in X.Org xserver before 1.11.2 a ...) - xorg-server 2:1.11.1.901-2 (low) [squeeze] - xorg-server 2:1.7.7-14 [lenny] - xorg-server (Minor issue) NOTE: http://cgit.freedesktop.org/xorg/xserver/commit/?id=b67581cf825940fdf52bf2e0af4330e695d724a4 NOTE: this has a poc now: http://web.archive.org/web/20111204204028/http://vladz.devzero.fr:80/Xorg-CVE-2011-4029.txt CVE-2011-4028 (The LockServer function in os/utils.c in X.Org xserver before 1.11.2 a ...) - xorg-server 2:1.11.1.901-2 (low) [squeeze] - xorg-server 2:1.7.7-14 [lenny] - xorg-server (Minor issue) NOTE: http://cgit.freedesktop.org/xorg/xserver/commit/?id=6ba44b91e37622ef8c146d8f2ac92d708a18ed34 CVE-2011-4027 RESERVED CVE-2011-4026 (SQL injection vulnerability in thanks.php in NexusPHP 1.5 allows remot ...) NOT-FOR-US: NexusPHP CVE-2010-4963 (SQL injection vulnerability in folder/list in Hulihan BXR 0.6.8 allows ...) NOT-FOR-US: Hulihan BXR CVE-2010-4962 (Unspecified vulnerability in the Webkit PDFs (webkitpdf) extension bef ...) NOT-FOR-US: TYPO3 extension CVE-2010-4961 (SQL injection vulnerability in the Webkit PDFs (webkitpdf) extension b ...) NOT-FOR-US: TYPO3 extension CVE-2010-4960 (Cross-site scripting (XSS) vulnerability in the Branchenbuch (aka Yell ...) NOT-FOR-US: Branchenbuch CVE-2010-4959 (SQL injection vulnerability in the login feature in Pre Projects Pre P ...) NOT-FOR-US: Pre Projects Pre Podcast Portal CVE-2010-4958 (SQL injection vulnerability in index.php in Prado Portal 1.2.0 allows ...) NOT-FOR-US: Prado Portal CVE-2010-4957 (SQL injection vulnerability in the Questionnaire (ke_questionnaire) ex ...) NOT-FOR-US: TYPO3 extension CVE-2010-4956 (Cross-site scripting (XSS) vulnerability in the Questionnaire (ke_ques ...) NOT-FOR-US: TYPO3 extension CVE-2010-4955 (SQL injection vulnerability in board/board.php in APBoard Developers A ...) NOT-FOR-US: APBoard Developers APBoard CVE-2010-4954 (SQL injection vulnerability in product_reviews_info.php in xt:Commerce ...) NOT-FOR-US: xt:Commerce Gambio CVE-2010-4953 (Unspecified vulnerability in the JW Calendar (jw_calendar) extension 1 ...) NOT-FOR-US: TYPO3 extension CVE-2010-4952 (SQL injection vulnerability in the FE user statistic (festat) extensio ...) NOT-FOR-US: TYPO3 extension CVE-2010-4951 (Cross-site scripting (XSS) vulnerability in the xaJax Shoutbox (vx_xaj ...) NOT-FOR-US: TYPO3 extension CVE-2010-4950 (SQL injection vulnerability in the Event (event) extension before 0.3. ...) NOT-FOR-US: TYPO3 extension CVE-2010-4949 (Cross-site scripting (XSS) vulnerability in the (1) FreiChat component ...) NOT-FOR-US: Joomla extension CVE-2010-4948 (PHP remote file inclusion vulnerability in libs/adodb/adodb.inc.php in ...) NOT-FOR-US: PHP Free Photo Gallery CVE-2010-4947 (Cross-site scripting (XSS) vulnerability in advanced_search_result.php ...) NOT-FOR-US: ALLPC CVE-2010-4946 (SQL injection vulnerability in product_info.php in ALLPC 2.5 allows re ...) NOT-FOR-US: ALLPC CVE-2010-4945 (SQL injection vulnerability in the CamelcityDB (com_camelcitydb2) comp ...) NOT-FOR-US: CamelcityDB CVE-2010-4944 (SQL injection vulnerability in the Elite Experts (com_elite_experts) c ...) NOT-FOR-US: Joomla extension CVE-2010-4943 (Multiple PHP remote file inclusion vulnerabilities in Saurus CMS 4.7.0 ...) NOT-FOR-US: Saurus CMS CVE-2010-4942 (SQL injection vulnerability in location.php in the eCal module in E-Xo ...) NOT-FOR-US: E-Xoopport Samsara CVE-2010-4941 (SQL injection vulnerability in the Teams (com_teams) component 1_1028_ ...) NOT-FOR-US: Joomla extension CVE-2010-4940 (SQL injection vulnerability in index.php in WAnewsletter 2.1.2 allows ...) NOT-FOR-US: WAnewsletter CVE-2010-4939 (PHP remote file inclusion vulnerability in index.php in MailForm 1.2 a ...) NOT-FOR-US: MailForm CVE-2010-4938 (SQL injection vulnerability in the Weblinks (com_weblinks) component i ...) NOT-FOR-US: Joomla extension CVE-2010-4937 (Multiple SQL injection vulnerabilities in the Amblog (com_amblog) comp ...) NOT-FOR-US: Amblog CVE-2010-4936 (SQL injection vulnerability in the Slide Show (com_slideshow) componen ...) NOT-FOR-US: Slide Show extension for Joomla CVE-2010-4935 (SQL injection vulnerability in poll.php in Entrans 0.3.2 and earlier a ...) NOT-FOR-US: Entrans CVE-2010-4934 (SQL injection vulnerability in video.php in Get Tube 4.51 and earlier ...) NOT-FOR-US: Get Tube CVE-2010-4933 (SQL injection vulnerability in filemgmt/singlefile.php in Geeklog 1.3. ...) NOT-FOR-US: Geeklog CVE-2010-4932 (Cross-site scripting (XSS) vulnerability in search.php in Entrans befo ...) NOT-FOR-US: Entrans CVE-2010-4931 (** DISPUTED ** Directory traversal vulnerability in maincore.php in PH ...) NOT-FOR-US: PHP-Fusion CVE-2010-4930 (Cross-site scripting (XSS) vulnerability in index.php in @mail Webmail ...) NOT-FOR-US: @mail Webmail CVE-2010-4929 (SQL injection vulnerability in the Joostina (com_ezautos) component fo ...) NOT-FOR-US: Joomla extension CVE-2010-4928 (Cross-site scripting (XSS) vulnerability in the Restaurant Guide (com_ ...) NOT-FOR-US: Joomla extension CVE-2010-4927 (SQL injection vulnerability in the Restaurant Guide (com_restaurantgui ...) NOT-FOR-US: Joomla extension CVE-2010-4926 (SQL injection vulnerability in the TimeTrack (com_timetrack) component ...) NOT-FOR-US: Joomla extension CVE-2010-4925 (SQL injection vulnerability in clic.php in the Partenaires module 1.5 ...) NOT-FOR-US: Nuked Klan CVE-2010-4924 (** DISPUTED ** PHP remote file inclusion vulnerability in logic/contro ...) NOT-FOR-US: clearBudget CVE-2010-4923 (SQL injection vulnerability in book/detail.php in Virtue Netz Virtue B ...) NOT-FOR-US: Virtue Netz Virtue CVE-2010-4922 (Multiple SQL injection vulnerabilities in Allinta CMS 22.07.2010 allow ...) NOT-FOR-US: Allinta CMS CVE-2010-4921 (SQL injection vulnerability in inc_pollingboothmanager.asp in DMXReady ...) NOT-FOR-US: DMXReady Polling Booth Manager CVE-2010-4920 (SQL injection vulnerability in detail.asp in Micronetsoft Rental Prope ...) NOT-FOR-US: Micronetsoft CVE-2010-4919 (SQL injection vulnerability in detail.asp in Micronetsoft RV Dealer We ...) NOT-FOR-US: Micronetsoft CVE-2010-4918 (PHP remote file inclusion vulnerability in iJoomla Magazine (com_magaz ...) NOT-FOR-US: Joomla extension CVE-2010-4917 (SQL injection vulnerability in sources/search.php in A-Blog 2.0 allows ...) NOT-FOR-US: A-Blog CVE-2010-4916 (Multiple SQL injection vulnerabilities in index.cfm in ColdGen ColdUse ...) NOT-FOR-US: ColdGen ColdUserGroup CVE-2010-4915 (SQL injection vulnerability in index.cfm in ColdGen ColdBookmarks 1.22 ...) NOT-FOR-US: ColdGen ColdBookmarks CVE-2010-4914 (PHP remote file inclusion vulnerability in tools/phpmailer/class.phpma ...) NOT-FOR-US: PHP Classifieds CVE-2010-4913 (Cross-site scripting (XSS) vulnerability in the search feature in Cold ...) NOT-FOR-US: ColdGen ColdUserGroup CVE-2010-4912 (SQL injection vulnerability in shop.php in UCenter Home 2.0 allows rem ...) NOT-FOR-US: UCenter CVE-2010-4911 (SQL injection vulnerability in classi/detail.php in PHP Classifieds Ad ...) NOT-FOR-US: PHP Classifieds CVE-2010-4910 (SQL injection vulnerability in index.cfm in ColdGen ColdCalendar 2.06 ...) NOT-FOR-US: ColdGen ColdCalendar CVE-2010-4909 (Multiple cross-site scripting (XSS) vulnerabilities in PaysiteReviewCM ...) NOT-FOR-US: PaysiteReviewCMS CVE-2010-4908 (SQL injection vulnerability in detail.php in Virtue Shopping Mall allo ...) NOT-FOR-US: Virtue Shopping Mall CVE-2010-4907 (Cross-site scripting (XSS) vulnerability in zp-core/admin.php in Zenph ...) NOT-FOR-US: Zenphoto CVE-2010-4906 (SQL injection vulnerability in zp-core/full-image.php in Zenphoto 1.3 ...) NOT-FOR-US: Zenphoto CVE-2010-4905 (SQL injection vulnerability in article_details.php in Softbiz Article ...) NOT-FOR-US: Softbiz CVE-2010-4904 (SQL injection vulnerability in the Aardvertiser (com_aardvertiser) com ...) NOT-FOR-US: Aardvertiser CVE-2010-4903 (SQL injection vulnerability in index.php in CubeCart 4.3.3 allows remo ...) NOT-FOR-US: CubeCart CVE-2010-4902 (Multiple SQL injection vulnerabilities in the Clantools (com_clantools ...) NOT-FOR-US: Joomla extension CVE-2010-4901 (Multiple cross-site scripting (XSS) vulnerabilities in char_map.php in ...) NOT-FOR-US: MySource Matrix CVE-2010-4900 (Open redirect vulnerability in c.php in CMS WebManager-Pro 8.1 and ear ...) NOT-FOR-US: CMS WebManager-Pro CVE-2010-4899 (SQL injection vulnerability in c.php in CMS WebManager-Pro before 8.1 ...) NOT-FOR-US: CMS WebManager-Pro CVE-2010-4898 (SQL injection vulnerability in the Gantry (com_gantry) component 3.0.1 ...) NOT-FOR-US: Joomla extension CVE-2010-4897 (SQL injection vulnerability in comment.php in BlueCMS 1.6 allows remot ...) NOT-FOR-US: BlueCMS CVE-2010-4896 (Cross-site scripting (XSS) vulnerability in admin/index.asp in Member ...) NOT-FOR-US: Member Management System CVE-2010-4895 (Cross-site scripting (XSS) vulnerability in core/showsite.php in chill ...) NOT-FOR-US: chillyCMS CVE-2010-4894 (SQL injection vulnerability in core/showsite.php in chillyCMS 1.1.3 al ...) NOT-FOR-US: chillyCMS CVE-2010-4893 (Cross-site scripting (XSS) vulnerability in foodvendors.php in FestOS ...) NOT-FOR-US: FestOS CVE-2011-XXXX [lintian disclosure of file presense] - lintian 2.5.2 (unimportant) [squeeze] - lintian 2.4.3+squeeze1 CVE-2011-XXXX [0.1.1+dfsg-1 multiple issues] - ibid 0.1.1+dfsg-1 [squeeze] - ibid 0.1.0+dfsg-2+squeeze1 CVE-2011-4025 RESERVED CVE-2010-4892 (Cross-site scripting (XSS) vulnerability in the powermail extension be ...) NOT-FOR-US: TYPO3 extension CVE-2010-4891 (SQL injection vulnerability in the Yet Another Calendar (ke_yac) exten ...) NOT-FOR-US: TYPO3 extension CVE-2010-4890 (Cross-site scripting (XSS) vulnerability in the Yet Another Calendar ( ...) NOT-FOR-US: TYPO3 extension CVE-2010-4889 (Unspecified vulnerability in the Tiny Market (hm_tinymarket) extension ...) NOT-FOR-US: TYPO3 extension CVE-2010-4888 (SQL injection vulnerability in the Tiny Market (hm_tinymarket) extensi ...) NOT-FOR-US: TYPO3 extension CVE-2010-4887 (SQL injection vulnerability in the Commenting system Backend Module (c ...) NOT-FOR-US: TYPO3 extension CVE-2010-4886 (Cross-site scripting (XSS) vulnerability in the "official twitter twee ...) NOT-FOR-US: TYPO3 extension CVE-2010-4885 (Cross-site scripting (XSS) vulnerability in the XING Button (xing) ext ...) NOT-FOR-US: TYPO3 extension CVE-2010-4884 (PHP remote file inclusion vulnerability in guestbook/gbook.php in Gaes ...) NOT-FOR-US: Gaestebuch CVE-2010-4883 (Cross-site scripting (XSS) vulnerability in manager/index.php in MODx ...) NOT-FOR-US: MODx Revolution CVE-2010-4882 (Cross-site scripting (XSS) vulnerability in autocms.php in Auto CMS 1. ...) NOT-FOR-US: Auto CMS CVE-2010-4881 (Multiple cross-site request forgery (CSRF) vulnerabilities in calendar ...) NOT-FOR-US: ApPHP Calendar CVE-2010-4880 (Multiple cross-site scripting (XSS) vulnerabilities in calendar.class. ...) NOT-FOR-US: ApPHP Calendar CVE-2010-4879 (PHP remote file inclusion vulnerability in dompdf.php in dompdf 0.6.0 ...) - php-dompdf 0.6.1+dfsg-1 CVE-2010-4878 (PHP remote file inclusion vulnerability in formmailer.php in Kontakt F ...) NOT-FOR-US: Kontakt Formular CVE-2010-4877 (Cross-site scripting (XSS) vulnerability in index.php in OneCMS 2.6.1 ...) NOT-FOR-US: OneCMS CVE-2010-4876 (SQL injection vulnerability in viewpost.php in mBlogger 1.0.04 allows ...) NOT-FOR-US: mBlogger CVE-2010-4875 (Cross-site scripting (XSS) vulnerability in vodpod-video-gallery/vodpo ...) NOT-FOR-US: Wordpress plugin CVE-2010-4874 (Multiple cross-site scripting (XSS) vulnerabilities in users.php in Ni ...) NOT-FOR-US: NinkoBB CVE-2010-4873 (Cross-site scripting (XSS) vulnerability in confirm.php in WeBid 0.8.5 ...) NOT-FOR-US: WeBid CVE-2010-4872 (SQL injection vulnerability in newsroom.asp in ASPilot Pilot Cart 7.3 ...) NOT-FOR-US: ASPilot Pilot Cart CVE-2010-4871 (Unspecified vulnerability in SmartFTP before 4.0 Build 1142 allows att ...) NOT-FOR-US: SmartFTP CVE-2010-4870 (SQL injection vulnerability in index.php in BloofoxCMS 0.3.5 allows re ...) NOT-FOR-US: BloofoxCMS CVE-2011-4024 (Cross-site scripting (XSS) vulnerability in ocsinventory in OCS Invent ...) - ocsinventory-server 2.0.2-1 (unimportant) NOTE: Authentication is needed, only supported in trusted environments, see debtags CVE-2011-4023 (Memory leak in libcmd in Cisco NX-OS 5.0 on Nexus switches allows remo ...) NOT-FOR-US: Cisco CVE-2011-4022 (The sensor in Cisco Intrusion Prevention System (IPS) 7.0 and 7.1 allo ...) NOT-FOR-US: Cisco CVE-2011-4021 RESERVED CVE-2011-4020 RESERVED CVE-2011-4019 (Memory leak in Cisco IOS 12.4 and 15.0 through 15.2, and Cisco Unified ...) NOT-FOR-US: Cisco IOS CVE-2011-4018 RESERVED CVE-2011-4017 RESERVED CVE-2011-4016 (The PPP implementation in Cisco IOS 12.2 and 15.0 through 15.2, when P ...) NOT-FOR-US: Cisco IOS CVE-2011-4015 (Cisco IOS 15.2S allows remote attackers to cause a denial of service ( ...) NOT-FOR-US: Cisco IOS CVE-2011-4014 (The TAC Case Attachment tool in Cisco Wireless Control System (WCS) 7. ...) NOT-FOR-US: Cisco CVE-2011-4013 RESERVED CVE-2011-4012 (Cisco IOS 12.0, 15.0, and 15.1, when a Policy Feature Card 3C (PFC3C) ...) NOT-FOR-US: Cisco IOS CVE-2011-4011 RESERVED CVE-2011-4010 RESERVED CVE-2011-4009 RESERVED CVE-2011-4008 RESERVED CVE-2011-4007 (Cisco IOS 15.0 and 15.1 and IOS XE 3.x do not properly handle the "set ...) NOT-FOR-US: Cisco IOS CVE-2011-4006 (The ESMTP inspection feature on Cisco Adaptive Security Appliances (AS ...) NOT-FOR-US: Cisco CVE-2011-4005 (Cross-site request forgery (CSRF) vulnerability in the Services Ready ...) NOT-FOR-US: Cisco SRP CVE-2011-4004 (Buffer overflow in the ATAS32 processing functionality in the Cisco We ...) NOT-FOR-US: Cisco Webex CVE-2011-4003 RESERVED CVE-2011-4002 (HP no Mawashimono Nikki 6.6 and earlier allows remote attackers to exe ...) NOT-FOR-US: HP no Mawashimono Nikki CVE-2011-4001 (Directory traversal vulnerability in HP no Mawashimono Nikki 6.6 and e ...) NOT-FOR-US: HP no Mawashimono Nikki CVE-2011-4000 (Buffer overflow in ChaSen 2.4.x allows remote attackers to execute arb ...) {DSA-2361-1} - chasen 2.4.4-17 (medium; bug #648359) CVE-2011-3999 (Cross-site scripting (XSS) vulnerability in the RSS/Atom feed-reader i ...) NOT-FOR-US: Iwate Portal Bar CVE-2011-3998 (Cross-site scripting (XSS) vulnerability in Apple WebObjects 5.2 and e ...) NOT-FOR-US: Apple WebObjects CVE-2011-3997 (Opengear console servers with firmware before 2.2.1 allow remote attac ...) NOT-FOR-US: Opengear CVE-2011-3996 (The LiveData Service in CSWorks before 2.0.4115.1 allows remote attack ...) NOT-FOR-US: CSWorks CVE-2011-3995 (Unspecified vulnerability in Twilight Frontier Touhou Hisouten 1.06 an ...) NOT-FOR-US: Twilight Frontier Touhou Hisouten CVE-2011-3994 (Cross-site request forgery (CSRF) vulnerability in SKYARC MTCMS before ...) NOT-FOR-US: Movable Type plugin CVE-2011-3993 (SKYARC MTCMS before 5.252, and the MultiFileUploader 0.44 and earlier, ...) NOT-FOR-US: Movable Type plugin CVE-2011-3992 (Buffer overflow in the SSH server functionality on the D-Link DES-3800 ...) NOT-FOR-US: D-Link device CVE-2011-3991 (Untrusted search path vulnerability in FFFTP 1.98a and earlier allows ...) NOT-FOR-US: FFFTP CVE-2011-3990 (Cross-site scripting (XSS) vulnerability in plugin/comment.inc.php in ...) NOT-FOR-US: PukiWiki CVE-2011-3989 (SQL injection vulnerability in DBD::mysqlPP 0.04 and earlier allows re ...) NOT-FOR-US: DBD::mysqlPP Perl module CVE-2011-3988 (SQL injection vulnerability in data/class/SC_Query.php in EC-CUBE 2.11 ...) NOT-FOR-US: EC-CUBE CVE-2011-3987 (dtsoftbus01.sys in DAEMON Tools Lite before 4.41.3, Pro Standard befor ...) NOT-FOR-US: DAEMON Tools CVE-2011-3986 (Cross-site scripting (XSS) vulnerability in Pligg before 1.2.0 allows ...) NOT-FOR-US: Pligg CVE-2011-3985 (Cross-site scripting (XSS) vulnerability in Plume before 1.2.3 allows ...) NOT-FOR-US: Plume CVE-2011-3984 (Cross-site scripting (XSS) vulnerability in KENT-WEB WEB FORUM 5.1 and ...) NOT-FOR-US: KENT-WEB WEB FORUM CVE-2011-3983 (Cross-site scripting (XSS) vulnerability in KENT-WEB WEB FORUM 5.1 and ...) NOT-FOR-US: KENT-WEB WEB FORUM CVE-2011-3982 (The Fibre Channel driver for QLogic adapters in IBM AIX 6.1 and 7.1 do ...) NOT-FOR-US: IBM AIX driver CVE-2010-4869 (SQL injection vulnerability in index.php in DBHcms 1.1.4 allows remote ...) NOT-FOR-US: DBHcms CVE-2010-4868 (Cross-site scripting (XSS) vulnerability in search.php3 (aka search.ph ...) NOT-FOR-US: W-Agora CVE-2010-4867 (Directory traversal vulnerability in search.php3 (aka search.php) in W ...) NOT-FOR-US: W-Agora CVE-2010-4866 (SQL injection vulnerability in index.php in Chipmunk Board 1.3 allows ...) NOT-FOR-US: Chipmunk Board CVE-2010-4865 (SQL injection vulnerability in the JE Guestbook (com_jeguestbook) comp ...) NOT-FOR-US: Joomla extension CVE-2010-4864 (SQL injection vulnerability in the Club Manager (com_clubmanager) comp ...) NOT-FOR-US: Joomla extension CVE-2010-4863 (Cross-site scripting (XSS) vulnerability in admin/changedata.php in Ge ...) NOT-FOR-US: GetSimple CMS CVE-2010-4862 (SQL injection vulnerability in the JExtensions JE Directory (com_jedir ...) NOT-FOR-US: Joomla extension CVE-2010-4861 (SQL injection vulnerability in asearch.php in webSPELL 4.2.1 allows re ...) NOT-FOR-US: webSPELL CVE-2010-4860 (SQL injection vulnerability in product_desc.php in MyPhpAuction 2010 a ...) NOT-FOR-US: MyPhpAuction CVE-2010-4859 (SQL injection vulnerability in index.php in WebAsyst Shop-Script allow ...) NOT-FOR-US: WebAsyst Shop-Script CVE-2010-4858 (Directory traversal vulnerability in team.rc5-72.php in DNET Live-Stat ...) NOT-FOR-US: DNET Live-Stats CVE-2010-4857 (SQL injection vulnerability in click.php in CAG CMS 0.2 Beta allows re ...) NOT-FOR-US: CAG CMS CVE-2010-4856 (SQL injection vulnerability in arsiv.asp in xWeblog 2.2 allows remote ...) NOT-FOR-US: xWeblog CVE-2010-4855 (SQL injection vulnerability in oku.asp in xWeblog 2.2 allows remote at ...) NOT-FOR-US: xWebLog CVE-2010-4854 (SQL injection vulnerability in ajax/coupon.php in Zuitu 1.6, when magi ...) NOT-FOR-US: Zuitu CVE-2010-4853 (SQL injection vulnerability in the ccInvoices (com_ccinvoices) compone ...) NOT-FOR-US: Joomla extension CVE-2008-7302 (SQL injection vulnerability in netinvoice.php in the nBill (com_netinv ...) NOT-FOR-US: Joomla extension CVE-2008-7301 (SQL injection vulnerability in admin/login.php in jSite 1.0 OE allows ...) NOT-FOR-US: jSite CVE-2008-7300 (The labeled networking implementation in Solaris Trusted Extensions in ...) NOT-FOR-US: Oracle Solaris CVE-2000-1247 (The default configuration of the jserv-status handler in jserv.conf in ...) - apache CVE-2011-3981 (PHP remote file inclusion vulnerability in actions.php in the Allwebme ...) NOT-FOR-US: Wordpress plugin CVE-2011-3980 (Unspecified vulnerability in the Drag Drop Mass Upload (ameos_dragndro ...) NOT-FOR-US: TYPO3 extension CVE-2011-3979 (Cross-site scripting (XSS) vulnerability in ztemp/view_compiled/Theme/ ...) NOT-FOR-US: Zikula Application Framework CVE-2011-3978 (Multiple cross-site scripting (XSS) vulnerabilities in LightNEasy.php ...) NOT-FOR-US: LightNEasy CVE-2011-3977 (Unspecified vulnerability in nxconfigure.sh in NoMachine NX Node 3.x b ...) NOT-FOR-US: NoMachine NX components CVE-2011-3976 (Stack-based buffer overflow in AmmSoft ScriptFTP 3.3 allows remote FTP ...) NOT-FOR-US: AmmSoft ScriptFTP CVE-2011-3975 (A certain HTC update for Android 2.3.4 build GRJ22, when the Sense int ...) NOT-FOR-US: HTC Android CVE-2011-3974 (Integer signedness error in the decode_residual_inter function in cavs ...) {DSA-2336-1} - libav 4:0.7.1-7 (bug #641478) - ffmpeg 7:2.4.1-1 - ffmpeg-debian CVE-2011-3973 (cavsdec.c in libavcodec in FFmpeg before 0.7.4 and 0.8.x before 0.8.3 ...) {DSA-2336-1} - libav 4:0.7.1-7 (bug #641478) - ffmpeg 7:2.4.1-1 - ffmpeg-debian CVE-2011-3972 (The shader translator implementation in Google Chrome before 17.0.963. ...) - chromium-browser 17.0.963.56~r121963-1 [squeeze] - chromium-browser CVE-2011-3971 (Use-after-free vulnerability in Google Chrome before 17.0.963.46 allow ...) - chromium-browser 17.0.963.56~r121963-1 [squeeze] - chromium-browser CVE-2011-3970 (libxslt, as used in Google Chrome before 17.0.963.46, allows remote at ...) - libxslt 1.1.26-11 (low; bug #660650) [squeeze] - libxslt 1.1.26-6+squeeze1 CVE-2011-3969 (Use-after-free vulnerability in Google Chrome before 17.0.963.46 allow ...) - chromium-browser 17.0.963.56~r121963-1 [squeeze] - chromium-browser CVE-2011-3968 (Use-after-free vulnerability in Google Chrome before 17.0.963.46 allow ...) - chromium-browser 17.0.963.56~r121963-1 [squeeze] - chromium-browser CVE-2011-3967 (Unspecified vulnerability in Google Chrome before 17.0.963.46 allows r ...) - chromium-browser 17.0.963.56~r121963-1 [squeeze] - chromium-browser CVE-2011-3966 (Use-after-free vulnerability in Google Chrome before 17.0.963.46 allow ...) - chromium-browser 17.0.963.56~r121963-1 [squeeze] - chromium-browser CVE-2011-3965 (Google Chrome before 17.0.963.46 does not properly check signatures, w ...) - chromium-browser 17.0.963.56~r121963-1 [squeeze] - chromium-browser CVE-2011-3964 (Google Chrome before 17.0.963.46 does not properly implement the drag- ...) - chromium-browser 17.0.963.56~r121963-1 [squeeze] - chromium-browser CVE-2011-3963 (Google Chrome before 17.0.963.46 does not properly handle PDF FAX imag ...) - chromium-browser (Only affects proprietary Chrome) [squeeze] - chromium-browser CVE-2011-3962 (Google Chrome before 17.0.963.46 does not properly perform path clippi ...) - chromium-browser 17.0.963.56~r121963-1 [squeeze] - chromium-browser CVE-2011-3961 (Race condition in Google Chrome before 17.0.963.46 allows remote attac ...) - chromium-browser 17.0.963.56~r121963-1 [squeeze] - chromium-browser CVE-2011-3960 (Google Chrome before 17.0.963.46 does not properly decode audio data, ...) - chromium-browser 17.0.963.56~r121963-1 [squeeze] - chromium-browser CVE-2011-3959 (Buffer overflow in the locale implementation in Google Chrome before 1 ...) - chromium-browser 17.0.963.56~r121963-1 [squeeze] - chromium-browser CVE-2011-3958 (Google Chrome before 17.0.963.46 does not properly perform casts of va ...) - chromium-browser 17.0.963.56~r121963-1 [squeeze] - chromium-browser CVE-2011-3957 (Use-after-free vulnerability in the garbage-collection functionality i ...) - chromium-browser 17.0.963.56~r121963-1 [squeeze] - chromium-browser CVE-2011-3956 (The extension implementation in Google Chrome before 17.0.963.46 does ...) - chromium-browser 17.0.963.56~r121963-1 [squeeze] - chromium-browser CVE-2011-3955 (Google Chrome before 17.0.963.46 allows remote attackers to cause a de ...) - chromium-browser 17.0.963.56~r121963-1 [squeeze] - chromium-browser CVE-2011-3954 (Google Chrome before 17.0.963.46 allows remote attackers to cause a de ...) - chromium-browser 17.0.963.56~r121963-1 [squeeze] - chromium-browser CVE-2011-3953 (Google Chrome before 17.0.963.46 does not prevent monitoring of the cl ...) - chromium-browser 17.0.963.56~r121963-1 [squeeze] - chromium-browser CVE-2011-3952 (The decode_init function in kmvc.c in libavcodec in FFmpeg before 0.10 ...) {DSA-2494-1} - libav 4:0.8.1-1 - ffmpeg 7:2.4.1-1 CVE-2011-3951 (The dpcm_decode_frame function in dpcm.c in libavcodec in FFmpeg befor ...) {DSA-2494-1} - libav 4:0.8.1-1 - ffmpeg 7:2.4.1-1 CVE-2011-3950 (The dirac_decode_data_unit function in libavcodec/diracdec.c in FFmpeg ...) - libav (Specific to newer ffmpeg after split) - ffmpeg (Specific to newer ffmpeg after split) CVE-2011-3949 (The dirac_unpack_idwt_params function in libavcodec/diracdec.c in FFmp ...) - libav (Specific to newer ffmpeg after split) - ffmpeg (Specific to newer ffmpeg after split) CVE-2011-3948 RESERVED CVE-2011-3947 (Buffer overflow in mjpegbdec.c in libavcodec in FFmpeg 0.7.x before 0. ...) {DSA-2471-1} - libav 4:0.8.1-1 - ffmpeg 7:2.4.1-1 CVE-2011-3946 (The ff_h264_decode_sei function in libavcodec/h264_sei.c in FFmpeg bef ...) {DSA-3003-1} - libav 6:10.3-1 (unimportant) - ffmpeg 7:2.4.1-1 (unimportant) NOTE: Not suitable for code injection, not treated as security issue CVE-2011-3945 (The decode_frame function in the KVG1 decoder (kgv1dec.c) in libavcode ...) - libav 4:0.8.1-1 - ffmpeg (Vulnerable code not present) CVE-2011-3944 (The smacker_decode_header_tree function in libavcodec/smacker.c in FFm ...) {DSA-2855-1} - libav 6:9.10-1 - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commitdiff;h=0679cec6e8802643bbe6d5f68ca1110a7d3171da CVE-2011-3943 RESERVED CVE-2011-3942 RESERVED CVE-2011-3941 (The decode_mb function in libavcodec/error_resilience.c in FFmpeg befo ...) - libav 4:0.8.1-1 - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (Backports to 0.5.x not useful, too many checks missing) NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=6193ff68549ecbaf1a4d63a0e06964ec580ac620 CVE-2011-3940 (nsvdec.c in libavcodec in FFmpeg 0.7.x before 0.7.12 and 0.8.x before ...) {DSA-2471-1} - libav 4:0.8.1-1 - ffmpeg 7:2.4.1-1 CVE-2011-3939 RESERVED CVE-2011-3938 RESERVED CVE-2011-3937 (The H.263 codec (libavcodec/h263dec.c) in FFmpeg 0.7.x before 0.7.12, ...) - libav 6:0.8.3-1 - ffmpeg (Vulnerable code not present, introduced in 0.7) CVE-2011-3936 (The dv_extract_audio function in libavcodec in FFmpeg 0.7.x before 0.7 ...) {DSA-2471-1} - libav 4:0.8.1-1 - ffmpeg 7:2.4.1-1 CVE-2011-3935 (The codec_get_buffer function in ffmpeg.c in FFmpeg before 0.10 allows ...) {DSA-3003-1} - libav 6:10-1 - ffmpeg (vuln. code not present, introduced later) NOTE: [Diego] applies to 0.8 and 9 only, cherrypicked fixes on ML CVE-2011-3934 (Double free vulnerability in the vp3_update_thread_context function in ...) {DSA-3003-1} - libav 6:10-1 (unimportant) - ffmpeg 7:2.4.1-1 (unimportant) NOTE: Fixed in libav trunk: http://git.libav.org/?p=libav.git;a=commit;h=759001c534287a96dc96d1e274665feb7059145d NOTE: only a crasher CVE-2011-3933 RESERVED CVE-2011-3932 RESERVED CVE-2011-3931 RESERVED CVE-2011-3930 RESERVED CVE-2011-3929 (The avpriv_dv_produce_packet function in libavcodec in FFmpeg 0.7.x be ...) {DSA-2471-1} - libav 4:0.8.1-1 - ffmpeg 7:2.4.1-1 CVE-2011-3928 (Use-after-free vulnerability in Google Chrome before 16.0.912.77 allow ...) - chromium-browser 16.0.912.77~r118311-1 [squeeze] - chromium-browser CVE-2011-3927 (Skia, as used in Google Chrome before 16.0.912.77, does not perform al ...) - chromium-browser 16.0.912.77~r118311-1 [squeeze] - chromium-browser CVE-2011-3926 (Heap-based buffer overflow in the tree builder in Google Chrome before ...) - chromium-browser 16.0.912.77~r118311-1 [squeeze] - chromium-browser CVE-2011-3925 (Use-after-free vulnerability in the Safe Browsing feature in Google Ch ...) - chromium-browser 16.0.912.77~r118311-1 [squeeze] - chromium-browser CVE-2011-3924 (Use-after-free vulnerability in Google Chrome before 16.0.912.77 allow ...) - chromium-browser 16.0.912.77~r118311-1 [squeeze] - chromium-browser CVE-2011-3923 (Apache Struts before 2.3.1.2 allows remote attackers to bypass securit ...) - libstruts1.2-java (Only affects 2.x) NOTE: https://cwiki.apache.org/confluence/display/WW/S2-009 NOTE: http://blog.o0o.nu/2012/01/cve-2011-3923-yet-another-struts2.html CVE-2011-3922 (Stack-based buffer overflow in Google Chrome before 16.0.912.75 allows ...) - chromium-browser 16.0.912.75~r116452-1 [squeeze] - chromium-browser CVE-2011-3921 (Use-after-free vulnerability in Google Chrome before 16.0.912.75 allow ...) - chromium-browser 16.0.912.75~r116452-1 [squeeze] - chromium-browser CVE-2011-3920 RESERVED CVE-2011-3919 (Heap-based buffer overflow in libxml2, as used in Google Chrome before ...) {DSA-2394-1} - chromium-browser 16.0.912.75~r116452-1 [squeeze] - chromium-browser - libxml2 2.7.8.dfsg-7 (bug #656377) CVE-2011-3918 (The Zygote process in Android 4.0.3 and earlier accepts fork requests ...) NOT-FOR-US: Android CVE-2011-3917 (Stack-based buffer overflow in FileWatcher in Google Chrome before 16. ...) - chromium-browser 16.0.912.63~r113337-1 [squeeze] - chromium-browser CVE-2011-3916 (Google Chrome before 16.0.912.63 does not properly handle PDF cross re ...) - chromium-browser (Chrome pdf plugin) CVE-2011-3915 (Buffer overflow in Google Chrome before 16.0.912.63 allows remote atta ...) - chromium-browser (Chrome pdf plugin) - webkit (Chrome pdf plugin) CVE-2011-3914 (The internationalization (aka i18n) functionality in Google V8, as use ...) - chromium-browser 16.0.912.63~r113337-1 [squeeze] - chromium-browser - webkit (v8-i18n chrome issue) CVE-2011-3913 (Use-after-free vulnerability in Google Chrome before 16.0.912.63 allow ...) - chromium-browser 16.0.912.63~r113337-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/100827 CVE-2011-3912 (Use-after-free vulnerability in Google Chrome before 16.0.912.63 allow ...) - chromium-browser 16.0.912.63~r113337-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/100502 CVE-2011-3911 (Google Chrome before 16.0.912.63 does not properly handle PDF document ...) - chromium-browser (Chrome pdf plugin) - webkit (Chrome pdf plugin) CVE-2011-3910 (Google Chrome before 16.0.912.63 does not properly handle YUV video fr ...) - chromium-browser 16.0.912.63~r113337-1 - webkit (Chrome issue) [squeeze] - chromium-browser CVE-2011-3909 (The Cascading Style Sheets (CSS) implementation in Google Chrome befor ...) - chromium-browser 16.0.912.63~r113337-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/98374 CVE-2011-3908 (Google Chrome before 16.0.912.63 does not properly parse SVG documents ...) - chromium-browser 16.0.912.63~r113337-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/99025 CVE-2011-3907 (The view-source feature in Google Chrome before 16.0.912.63 allows rem ...) - chromium-browser 16.0.912.63~r113337-1 - webkit (Chrome issue) [squeeze] - chromium-browser CVE-2011-3906 (The PDF parser in Google Chrome before 16.0.912.63 allows remote attac ...) - chromium-browser (Chrome pdf plugin) - webkit (Chrome pdf plugin) CVE-2011-3905 (libxml2, as used in Google Chrome before 16.0.912.63, allows remote at ...) {DSA-2394-1} - libxml2 2.7.8.dfsg-5.1 (bug #652352) CVE-2011-3904 (Use-after-free vulnerability in Google Chrome before 16.0.912.63 allow ...) - chromium-browser 16.0.912.63~r113337-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/99462 CVE-2011-3903 (Google Chrome before 16.0.912.63 does not properly perform regex match ...) - chromium-browser 16.0.912.63~r113337-1 - webkit (Chrome issue) [squeeze] - chromium-browser CVE-2011-3902 RESERVED CVE-2011-3901 (Android SQLite Journal before 4.0.1 has an information disclosure vuln ...) NOT-FOR-US: Android SQLite Journal CVE-2011-3900 (Google V8, as used in Google Chrome before 15.0.874.121, allows remote ...) - chromium-browser 15.0.874.121~r109964-1 - webkit (Chrome issue) - libv8 3.5.10.24 [squeeze] - chromium-browser [squeeze] - libv8 CVE-2011-3899 RESERVED CVE-2011-3898 (Google Chrome before 15.0.874.120, when Java Runtime Environment (JRE) ...) - chromium-browser 15.0.874.121~r109964-1 (unimportant) - webkit (Chrome issue) CVE-2011-3897 (Use-after-free vulnerability in Google Chrome before 15.0.874.120 allo ...) - chromium-browser 15.0.874.121~r109964-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/99023 CVE-2011-3896 (Buffer overflow in Google Chrome before 15.0.874.120 allows remote att ...) - chromium-browser 15.0.874.121~r109964-1 - webkit (Chrome issue) [squeeze] - chromium-browser CVE-2011-3895 (Heap-based buffer overflow in the Vorbis decoder in Google Chrome befo ...) {DSA-2471-1} - chromium-browser 15.0.874.121~r109964-1 [squeeze] - chromium-browser - webkit (Chrome issue) - ffmpeg 7:2.4.1-1 - libav 4:0.8~beta2-1 (bug #654534; bug #654573) CVE-2011-3894 (Google Chrome before 15.0.874.120 does not properly perform VP8 decodi ...) - chromium-browser 15.0.874.121~r109964-1 - webkit (Chrome issue) [squeeze] - chromium-browser CVE-2011-3893 (Google Chrome before 15.0.874.120 does not properly implement the MKV ...) {DSA-2471-1} - chromium-browser 15.0.874.121~r109964-1 - webkit (Chrome issue) - libav 4:0.8~beta2-1 (bug #654534; bug #654572) - ffmpeg 7:2.4.1-1 [squeeze] - chromium-browser NOTE: this is due to http://llvm.org/bugs/show_bug.cgi?id=7554 NOTE: http://src.chromium.org/viewvc/chrome?view=rev&revision=106599 NOTE: http://src.chromium.org/viewvc/chrome?view=rev&revision=106621 CVE-2011-3892 (Double free vulnerability in the Theora decoder in Google Chrome befor ...) {DSA-2471-1} - chromium-browser 15.0.874.121~r109964-1 - webkit (Chrome issue) [squeeze] - chromium-browser - libav 4:0.8~beta2-1 (bug #654534; bug #654571) - ffmpeg 7:2.4.1-1 NOTE: http://src.chromium.org/viewvc/chrome?view=rev&revision=107489 CVE-2011-3891 (Google Chrome before 15.0.874.102 does not properly restrict access to ...) - chromium-browser 15.0.874.106~r107270-1 - webkit (Chrome issue) [squeeze] - chromium-browser CVE-2011-3890 (Use-after-free vulnerability in Google Chrome before 15.0.874.102 allo ...) - chromium-browser 15.0.874.106~r107270-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/97451 CVE-2011-3889 (Heap-based buffer overflow in the Web Audio implementation in Google C ...) - chromium-browser 15.0.874.106~r107270-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/96843 CVE-2011-3888 (Use-after-free vulnerability in Google Chrome before 15.0.874.102 allo ...) - chromium-browser 15.0.874.106~r107270-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/96868 CVE-2011-3887 (Google Chrome before 15.0.874.102 does not properly handle javascript: ...) - chromium-browser 15.0.874.106~r107270-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/96260 CVE-2011-3886 (Google V8, as used in Google Chrome before 15.0.874.102, allows remote ...) - chromium-browser 15.0.874.106~r107270-1 - webkit (Chrome issue) - libv8 3.6 [squeeze] - libv8 [squeeze] - chromium-browser CVE-2011-3885 (Use-after-free vulnerability in Google Chrome before 15.0.874.102 allo ...) - chromium-browser 15.0.874.106~r107270-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/97402 CVE-2011-3884 (Google Chrome before 15.0.874.102 does not properly address timing iss ...) - chromium-browser 15.0.874.106~r107270-1 - webkit (Chrome issue) [squeeze] - chromium-browser CVE-2011-3883 (Use-after-free vulnerability in Google Chrome before 15.0.874.102 allo ...) - chromium-browser 15.0.874.106~r107270-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/96632 CVE-2011-3882 (Use-after-free vulnerability in Google Chrome before 15.0.874.102 allo ...) - chromium-browser 15.0.874.106~r107270-1 - webkit (Chrome issue) [squeeze] - chromium-browser CVE-2011-3881 (WebKit, as used in Google Chrome before 15.0.874.102 and Android befor ...) - chromium-browser 15.0.874.106~r107270-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/97353 CVE-2011-3880 (Google Chrome before 15.0.874.102 does not prevent use of an unspecifi ...) - chromium-browser 15.0.874.106~r107270-1 (unimportant) - webkit (Chrome issue) CVE-2011-3879 (Google Chrome before 15.0.874.102 does not prevent redirects to chrome ...) - chromium-browser 15.0.874.106~r107270-1 (unimportant) NOTE: http://trac.webkit.org/changeset/96610 CVE-2011-3878 (Race condition in Google Chrome before 15.0.874.102 allows remote atta ...) - chromium-browser 15.0.874.106~r107270-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/96999 CVE-2011-3877 (Cross-site scripting (XSS) vulnerability in the appcache internals pag ...) - chromium-browser 15.0.874.106~r107270-1 - webkit (Chrome issue) [squeeze] - chromium-browser CVE-2011-3876 (Google Chrome before 15.0.874.102 does not properly handle downloading ...) - chromium-browser 15.0.874.106~r107270-1 [squeeze] - chromium-browser CVE-2011-3875 (Google Chrome before 15.0.874.102 does not properly handle drag and dr ...) - chromium-browser 15.0.874.106~r107270-1 (unimportant) - webkit (Chrome issue) CVE-2011-3874 (Stack-based buffer overflow in libsysutils in Android 2.2.x through 2. ...) NOT-FOR-US: Android CVE-2011-3873 (Google Chrome before 14.0.835.202 does not properly implement shader t ...) - chromium-browser 14.0.835.202~r103287-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-XXXX [Fix file indirectory injection] - puppet 2.7.3-3 (unimportant) [squeeze] - puppet 2.6.2-5+squeeze1 NOTE: Only exploitable during build/test suite run NOTE: DSA-2314-1 CVE-2011-3872 (Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterpri ...) {DSA-2352-1} - puppet 2.7.6-1 CVE-2011-3871 (Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x, when runni ...) {DSA-2314-1} - puppet 2.7.3-3 CVE-2011-3870 (Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows loca ...) {DSA-2314-1} - puppet 2.7.3-3 CVE-2011-3869 (Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows loca ...) {DSA-2314-1} - puppet 2.7.3-3 CVE-2011-3868 (Buffer overflow in VMware Workstation 7.x before 7.1.5, VMware Player ...) NOT-FOR-US: Vmware CVE-2011-3867 REJECTED CVE-2011-3866 (Mozilla Firefox before 7.0 and SeaMonkey before 2.4 do not properly re ...) - xulrunner (Only affects Firefox >= 4) - iceweasel 7.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) CVE-2011-3865 (Cross-site scripting (XSS) vulnerability in the Black-LetterHead theme ...) NOT-FOR-US: Wordpress theme CVE-2011-3864 (Cross-site scripting (XSS) vulnerability in the The Erudite theme befo ...) NOT-FOR-US: Wordpress theme CVE-2011-3863 (Cross-site scripting (XSS) vulnerability in the RedLine theme before 1 ...) NOT-FOR-US: Wordpress theme CVE-2011-3862 (Cross-site scripting (XSS) vulnerability in the Morning Coffee theme b ...) NOT-FOR-US: Wordpress theme CVE-2011-3861 (Cross-site scripting (XSS) vulnerability in the Web Minimalist 200901 ...) NOT-FOR-US: Wordpress theme CVE-2011-3860 (Cross-site scripting (XSS) vulnerability in the Cover WP theme before ...) NOT-FOR-US: Wordpress theme CVE-2011-3859 (Cross-site scripting (XSS) vulnerability in the Trending theme before ...) NOT-FOR-US: Wordpress theme CVE-2011-3858 (Cross-site scripting (XSS) vulnerability in the Pixiv Custom theme bef ...) NOT-FOR-US: Wordpress theme CVE-2011-3857 (Cross-site scripting (XSS) vulnerability in the Antisnews theme before ...) NOT-FOR-US: Wordpress theme CVE-2011-3856 (Cross-site scripting (XSS) vulnerability in the Elegant Grunge theme b ...) NOT-FOR-US: Wordpress theme CVE-2011-3855 (Cross-site scripting (XSS) vulnerability in the F8 Lite theme before 4 ...) NOT-FOR-US: Wordpress theme CVE-2011-3854 (Cross-site scripting (XSS) vulnerability in the ZenLite theme before 4 ...) NOT-FOR-US: Wordpress theme CVE-2011-3853 (Cross-site scripting (XSS) vulnerability in the Hybrid theme before 0. ...) NOT-FOR-US: Wordpress theme CVE-2011-3852 (Cross-site scripting (XSS) vulnerability in the EvoLve theme before 1. ...) NOT-FOR-US: Wordpress theme CVE-2011-3851 (Cross-site scripting (XSS) vulnerability in the News theme before 0.2 ...) NOT-FOR-US: Wordpress theme CVE-2011-3850 (Cross-site scripting (XSS) vulnerability in the Atahualpa theme before ...) NOT-FOR-US: Wordpress theme CVE-2011-3849 (Unspecified vulnerability in dxserver before 6279 in CA Directory 8.1 ...) NOT-FOR-US: CA Directory CVE-2011-3848 (Directory traversal vulnerability in Puppet 2.6.x before 2.6.10 and 2. ...) {DSA-2314-1} - puppet 2.7.3-2 CVE-2011-3847 RESERVED CVE-2011-3846 (Cross-site request forgery (CSRF) vulnerability in HP System Managemen ...) NOT-FOR-US: HP System Management Homepage CVE-2011-3845 (Use-after-free vulnerability in Apple Safari 5.1.2, when a plug-in wit ...) NOT-FOR-US: Apple Safari CVE-2011-3844 (Apple Safari 5.0.5 does not properly implement the setInterval functio ...) NOT-FOR-US: Apple Safari CVE-2011-3843 RESERVED CVE-2011-3842 RESERVED CVE-2011-3841 (Cross-site scripting (XSS) vulnerability in uploadify/get_profile_avat ...) NOT-FOR-US: Wordpress plugin CVE-2011-3840 RESERVED CVE-2011-3839 (The administration functionality in Wuzly 2.0 allows remote attackers ...) NOT-FOR-US: Wuzly CVE-2011-3838 (Multiple SQL injection vulnerabilities in Wuzly 2.0 allow remote attac ...) NOT-FOR-US: Wuzly CVE-2011-3837 (Directory traversal vulnerability in blog_system/data_functions.php in ...) NOT-FOR-US: Wuzly CVE-2011-3836 (Multiple cross-site request forgery (CSRF) vulnerabilities in Wuzly 2. ...) NOT-FOR-US: Wuzly CVE-2011-3835 (Multiple cross-site scripting (XSS) vulnerabilities in Wuzly 2.0 allow ...) NOT-FOR-US: Wuzly CVE-2011-3834 (Multiple integer overflows in the in_avi.dll plugin in Winamp before 5 ...) NOT-FOR-US: Winamp CVE-2011-3833 (Unrestricted file upload vulnerability in ftp_upload_file.php in Suppo ...) NOT-FOR-US: Support Incident Tracker CVE-2011-3832 (Eval injection vulnerability in config.php in Support Incident Tracker ...) NOT-FOR-US: Support Incident Tracker CVE-2011-3831 (SQL injection vulnerability in incident_attachments.php in Support Inc ...) NOT-FOR-US: Support Incident Tracker CVE-2011-3830 (Cross-site scripting (XSS) vulnerability in search.php in Support Inci ...) NOT-FOR-US: Support Incident Tracker CVE-2011-3829 (ftp_upload_file.php in Support Incident Tracker (aka SiT!) 3.65 allows ...) NOT-FOR-US: Support Incident Tracker CVE-2011-3828 (DVRemoteAx.ax 2.1.0.39 in the DVR Remote ActiveX control allows remote ...) NOT-FOR-US: DVR Remote CVE-2011-3827 (The iCalendar component in gwwww1.dll in GroupWise Internet Agent (GWI ...) NOT-FOR-US: Novell GroupWise CVE-2010-4852 (Cross-site scripting (XSS) vulnerability in login.php in Eclime 1.1.2b ...) NOT-FOR-US: Eclime CVE-2010-4851 (Multiple SQL injection vulnerabilities in Eclime 1.1.2b allow remote a ...) NOT-FOR-US: Eclime CVE-2010-4850 (Multiple cross-site scripting (XSS) vulnerabilities in Diferior 8.03 a ...) NOT-FOR-US: Diferior CVE-2010-4849 (SQL injection vulnerability in countrydetails.php in Alibaba Clone B2B ...) NOT-FOR-US: Alibaba Clone B2B CVE-2010-4848 (Multiple cross-site scripting (XSS) vulnerabilities in addlink.php in ...) NOT-FOR-US: AXScripts AxsLinks CVE-2010-4847 (SQL injection vulnerability in view_item.php in MH Products MHP Downlo ...) NOT-FOR-US: MH Products MHP Downloadshop CVE-2010-4846 (SQL injection vulnerability in view_item.php in MH Products Pay Pal Sh ...) NOT-FOR-US: MH Products Pay Pal Shop Digital CVE-2010-4845 (Multiple SQL injection vulnerabilities in MH Products Projekt Shop all ...) NOT-FOR-US: MH Products Projekt Shop CVE-2010-4844 (SQL injection vulnerability in content.php in MH Products Easy Online ...) NOT-FOR-US: MH Products Easy Online Shop CVE-2010-4843 (SQL injection vulnerability in website-page.php in PHP Web Scripts Ad ...) NOT-FOR-US: PHP Web Scripts Ad Manager Pro CVE-2010-4842 (SQL injection vulnerability in admin/login.php in MHP DownloadScript ( ...) NOT-FOR-US: MH Products Download Center CVE-2011-3826 (Zikula 1.2.4 allows remote attackers to obtain sensitive information v ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3825 (Zend Framework 1.11.3 in Zend Server CE 5.1.0 allows remote attackers ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3824 (Your Own URL Shortener (YOURLS) 1.5 allows remote attackers to obtain ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3823 (Yamamah 1.0 allows remote attackers to obtain sensitive information vi ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3822 (XOOPS 2.5.0 allows remote attackers to obtain sensitive information vi ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3821 (xajax 0.6 beta1 allows remote attackers to obtain sensitive informatio ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3820 (WSN Software 6.0.6 allows remote attackers to obtain sensitive informa ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3819 (WoW Server Status 4.1 allows remote attackers to obtain sensitive info ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3818 (WordPress 2.9.2 and 3.0.4 allows remote attackers to obtain sensitive ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3817 (Website Baker 2.8.1 allows remote attackers to obtain sensitive inform ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3816 (WEBinsta mailing list manager 1.3e allows remote attackers to obtain s ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3815 (WeBid 1.0.0 allows remote attackers to obtain sensitive information vi ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3814 (WebCalendar 1.2.3, and other versions before 1.2.5, allows remote atta ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3813 (Virtual War (aka VWar) 1.5.0r15 allows remote attackers to obtain sens ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3812 (Vanilla 2.0.16 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3811 (TomatoCart 1.1.3 allows remote attackers to obtain sensitive informati ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3810 (TinyWebGallery (TWG) 1.8.3 allows remote attackers to obtain sensitive ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3809 (TheHostingTool (THT) 1.2.3 allows remote attackers to obtain sensitive ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3808 (The Bug Genie 2.1.2 allows remote attackers to obtain sensitive inform ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3807 (Textpattern 4.2.0 allows remote attackers to obtain sensitive informat ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3806 (TCExam 11.1.015 allows remote attackers to obtain sensitive informatio ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3805 (TaskFreak! multi-mysql-0.6 allows remote attackers to obtain sensitive ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3804 (SweetRice 0.7.1 allows remote attackers to obtain sensitive informatio ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3803 (SugarCRM 6.1.0 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3802 (StatusNet 0.9.6 allows remote attackers to obtain sensitive informatio ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3801 (SimpleTest 1.0.1 allows remote attackers to obtain sensitive informati ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3800 (Serendipity 1.5.5 allows remote attackers to obtain sensitive informat ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3799 (ReOS 2.0.5 allows remote attackers to obtain sensitive information via ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3798 (Rapid Leech 2.3-v42-svn322 allows remote attackers to obtain sensitive ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3797 (ProjectPier 0.8.0.3 allows remote attackers to obtain sensitive inform ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3796 (PrestaShop 1.4.0.6 allows remote attackers to obtain sensitive informa ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3795 (Podcast Generator 1.3 allows remote attackers to obtain sensitive info ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3794 (Pligg CMS 1.1.3 allows remote attackers to obtain sensitive informatio ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3793 (Pixie 1.04 allows remote attackers to obtain sensitive information via ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3792 (Pixelpost 1.7.3 allows remote attackers to obtain sensitive informatio ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3791 (Piwik 1.1 allows remote attackers to obtain sensitive information via ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3790 (Piwigo 2.1.5 allows remote attackers to obtain sensitive information v ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3789 (phpwcms 1.4.7 r412 allows remote attackers to obtain sensitive informa ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3788 (PhpSecInfo 0.2.1 allows remote attackers to obtain sensitive informati ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3787 (phpScheduleIt 1.2.12 allows remote attackers to obtain sensitive infor ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3786 (PHProjekt 6.0.5 allows remote attackers to obtain sensitive informatio ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3785 (PHP Point Of Sale (POS) 10.7 allows remote attackers to obtain sensiti ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3784 (Francisco Burzi PHP-Nuke 8.0 allows remote attackers to obtain sensiti ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3783 (phpMyFAQ 2.6.13 allows remote attackers to obtain sensitive informatio ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3782 (phpLD 2-151.2.0 allows remote attackers to obtain sensitive informatio ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3781 (PHPIDS 0.6.5 allows remote attackers to obtain sensitive information v ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3780 (PHP iCalendar 2.4 allows remote attackers to obtain sensitive informat ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3779 (PhpHostBot 2.0 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3778 (PhpGedView 4.2.3 allows remote attackers to obtain sensitive informati ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3777 (phpFreeChat 1.3 allows remote attackers to obtain sensitive informatio ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3776 (phpFormGenerator 2.09 allows remote attackers to obtain sensitive info ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3775 (PHPfileNavigator 2.3.3 allows remote attackers to obtain sensitive inf ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3774 (php Easy Survey Package (phpESP) 2.1.1 allows remote attackers to obta ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3773 (PHPDevShell 3.0.0-Beta-4b allows remote attackers to obtain sensitive ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3772 (phpCollab 2.5 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3771 (phpBook 2.1.0 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3770 (phpAlbum 0.4.1.14 allows remote attackers to obtain sensitive informat ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3769 (PHPads 2.0 allows remote attackers to obtain sensitive information via ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3768 (Phorum 5.2.15a allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3767 (osCommerce 3.0a5 allows remote attackers to obtain sensitive informati ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3766 (OrangeHRM 2.6.0.2 allows remote attackers to obtain sensitive informat ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3765 (Open-Realty 2.5.8 allows remote attackers to obtain sensitive informat ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3764 (OpenDocMan 1.2.6-svn-2011-01-21 allows remote attackers to obtain sens ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3763 (OpenCart 1.4.9.3 allows remote attackers to obtain sensitive informati ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3762 (OpenBlog 1.2.1 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3761 (NuSOAP 0.9.5 allows remote attackers to obtain sensitive information v ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3760 (Nucleus 3.61 allows remote attackers to obtain sensitive information v ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3759 (MyBB (aka MyBulletinBoard) 1.6 allows remote attackers to obtain sensi ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3758 (::mound:: 2.1.6 allows remote attackers to obtain sensitive informatio ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3757 (Moodle 2.0.1 allows remote attackers to obtain sensitive information v ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3756 (MicroBlog 0.9.5 allows remote attackers to obtain sensitive informatio ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3755 (MantisBT 1.2.4 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3754 (Mambo 4.6.5 allows remote attackers to obtain sensitive information vi ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3753 (LinPHA 1.3.4 allows remote attackers to obtain sensitive information v ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3752 (LimeSurvey 1.90+ build9642-20101214 allows remote attackers to obtain ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3751 (LifeType 1.2.10 allows remote attackers to obtain sensitive informatio ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3750 (kPlaylist 1.8.502 allows remote attackers to obtain sensitive informat ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3749 (ka-Map 1.0-20070205 allows remote attackers to obtain sensitive inform ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3748 (Kamads Classifieds 2_B3 allows remote attackers to obtain sensitive in ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3747 (Joomla! 1.6.0 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3746 (Jcow 4.2.1 allows remote attackers to obtain sensitive information via ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3745 (HycusCMS 1.0.3 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3744 (HTML Purifier 4.2.0 allows remote attackers to obtain sensitive inform ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3743 (Hesk 2.2 allows remote attackers to obtain sensitive information via a ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3742 (HelpCenter Live 2.1.7 allows remote attackers to obtain sensitive info ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3741 (Ganglia 3.1.7 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3740 (FrontAccounting 2.3.1 allows remote attackers to obtain sensitive info ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3739 (Freeway 1.5 Alpha allows remote attackers to obtain sensitive informat ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3738 (Feng Office 1.7.2 allows remote attackers to obtain sensitive informat ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3737 (eyeOS 2.2.0.0 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3736 (ExoPHPDesk 1.2.1 allows remote attackers to obtain sensitive informati ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3735 (Escort Agency CMS (aka escort-agency-cms) allows remote attackers to o ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3734 (Energine 2.3.8 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3733 (Elgg 1.7.6 allows remote attackers to obtain sensitive information via ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3732 (eggBlog 4.1.2 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3731 (e107 0.7.24 allows remote attackers to obtain sensitive information vi ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3730 (Drupal 7.0 allows remote attackers to obtain sensitive information via ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3729 (dotproject 2.1.4 allows remote attackers to obtain sensitive informati ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3728 (Dolphin 7.0.4 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3727 (DokuWiki 2009-12-25c allows remote attackers to obtain sensitive infor ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3726 (DoceboLMS 4.0.4 allows remote attackers to obtain sensitive informatio ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3725 (DeluxeBB 1.3 allows remote attackers to obtain sensitive information v ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3724 (CubeCart 4.4.3 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3723 (Crafty Syntax 3.0.2 allows remote attackers to obtain sensitive inform ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3722 (Coppermine Photo Gallery (CPG) 1.5.12 allows remote attackers to obtai ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3721 (concrete 5.4.0.5, 5.4.1, and 5.4.1.1 allows remote attackers to obtain ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3720 (conceptcms 5.3.1, 5.3.3, and possibly other versions allows remote att ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3719 (CodeIgniter 1.7.2 allows remote attackers to obtain sensitive informat ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3718 (CMS Made Simple (CMSMS) 1.9.2 allows remote attackers to obtain sensit ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3717 (ClipBucket 2.0.9 allows remote attackers to obtain sensitive informati ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3716 (Claroline 1.9.7 allows remote attackers to obtain sensitive informatio ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3715 (ClanTiger 1.1.3 allows remote attackers to obtain sensitive informatio ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3714 (ClanSphere 2010.0 allows remote attackers to obtain sensitive informat ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3713 (cFTP r80 allows remote attackers to obtain sensitive information via a ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3712 (CakePHP 1.3.7 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3711 (BIGACE 2.7.5 allows remote attackers to obtain sensitive information v ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3710 (bbPress 1.0.2 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3709 (b2evolution 3.3.3 allows remote attackers to obtain sensitive informat ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3708 (Automne 4.0.2 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3707 (JanRain PHP OpenID library (aka php-openid) 2.2.2 allows remote attack ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3706 (ATutor 2.0 allows remote attackers to obtain sensitive information via ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3705 (Arctic Fox CMS 0.9.4 allows remote attackers to obtain sensitive infor ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3704 (appRain 0.1.0 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3703 (AneCMS 1.0 allows remote attackers to obtain sensitive information via ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3702 (Ananta Gazelle 1.0 allows remote attackers to obtain sensitive informa ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3701 (AlegroCart 1.2.3 allows remote attackers to obtain sensitive informati ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3700 (Advanced Electron Forum (AEF) 1.0.8 allows remote attackers to obtain ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3699 (John Lim ADOdb Library for PHP 5.11 allows remote attackers to obtain ...) - libphp-adodb (unimportant) NOTE: path is already known CVE-2011-3698 (AdaptCMS 2.0.2 Beta allows remote attackers to obtain sensitive inform ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3697 (Achievo 1.4.5 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3696 (60cycleCMS 2.5.2 allows remote attackers to obtain sensitive informati ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3695 (111WebCalendar 1.2.3 allows remote attackers to obtain sensitive infor ...) NOT-FOR-US: Web app path disclosure, not an issue (path is known anyway) CVE-2011-3694 (The Server Administration Console in NetSaro Enterprise Messenger Serv ...) NOT-FOR-US: NetSaro Enterprise Messenger CVE-2011-3693 (NetSaro Enterprise Messenger Server 2.0 allows local users to discover ...) NOT-FOR-US: NetSaro Enterprise Messenger CVE-2011-3692 (NetSaro Enterprise Messenger Server 2.0 stores cleartext console crede ...) NOT-FOR-US: NetSaro Enterprise Messenger CVE-2011-3691 (Untrusted search path vulnerability in Foxit Reader before 5.0.2.0718 ...) NOT-FOR-US: Foxit Reader CVE-2011-3690 (Untrusted search path vulnerability in PlotSoft PDFill PDF Editor 8.0 ...) NOT-FOR-US: PlotSoft PDFill PDF Editor CVE-2011-3689 (Cross-site scripting (XSS) vulnerability in Licenses.html in Wibu-Syst ...) NOT-FOR-US: Wibu-Systems CodeMeter WebAdmin CVE-2011-3688 (Multiple SQL injection vulnerabilities in Sonexis ConferenceManager 9. ...) NOT-FOR-US: Sonexis ConferenceManager CVE-2011-3687 (Multiple cross-site scripting (XSS) vulnerabilities in Sonexis Confere ...) NOT-FOR-US: Sonexis ConferenceManager CVE-2011-3686 (Multiple cross-site scripting (XSS) vulnerabilities in myAddressBook.a ...) NOT-FOR-US: Sonexis ConferenceManager CVE-2011-3685 (Tembria Server Monitor before 6.0.5 Build 2252 uses a substitution cip ...) NOT-FOR-US: Tembria Server Monitor CVE-2011-3684 (Multiple cross-site scripting (XSS) vulnerabilities in Tembria Server ...) NOT-FOR-US: Tembria Server Monitor CVE-2011-3683 RESERVED CVE-2011-3682 RESERVED CVE-2011-3681 REJECTED CVE-2011-3680 REJECTED CVE-2011-3679 REJECTED CVE-2011-3678 REJECTED CVE-2011-3677 REJECTED CVE-2011-3676 REJECTED CVE-2011-3675 REJECTED CVE-2011-3674 REJECTED CVE-2011-3673 REJECTED CVE-2011-3672 REJECTED CVE-2011-3671 (Use-after-free vulnerability in the nsHTMLSelectElement function in ns ...) - xulrunner (Only affects Firefox >= 4) - iceweasel 9.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) CVE-2011-3670 (Mozilla Firefox before 3.6.26 and 4.x through 6.0, Thunderbird before ...) {DSA-2406-1 DSA-2402-1 DSA-2400-1} - icedove 7.0-1 [lenny] - icedove - xulrunner (unimportant) - iceweasel 7.0-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-10 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2011-3669 (Cross-site request forgery (CSRF) vulnerability in attachment.cgi in B ...) - bugzilla (low) [squeeze] - bugzilla (Minor issue) [lenny] - bugzilla (Minor issue) CVE-2011-3668 (Cross-site request forgery (CSRF) vulnerability in post_bug.cgi in Bug ...) - bugzilla (low) [squeeze] - bugzilla (Minor issue) [lenny] - bugzilla (Minor issue) CVE-2011-3667 (The User.offer_account_by_email WebService method in Bugzilla 2.x and ...) - bugzilla (low) [squeeze] - bugzilla (Not supported in Squeeze LTS) [lenny] - bugzilla (Minor issue) CVE-2011-3666 (Mozilla Firefox before 3.6.25 and Thunderbird before 3.1.17 on Mac OS ...) - iceweasel (MacOS specific) CVE-2011-3665 (Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaM ...) - xulrunner (Only affects Firefox >= 4) - iceweasel 9.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) CVE-2011-3664 (Mozilla Firefox before 9.0, Thunderbird before 9.0, and SeaMonkey befo ...) - iceweasel (MacOS specific) CVE-2011-3663 (Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaM ...) - xulrunner (Only affects Firefox >= 4) - iceweasel 9.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) CVE-2011-3662 RESERVED CVE-2011-3661 (YARR, as used in Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 thro ...) - xulrunner (Only affects Firefox >= 4) - iceweasel 9.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) CVE-2011-3660 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - xulrunner (Only affects Firefox >= 4) - iceweasel 9.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) CVE-2011-3659 (Use-after-free vulnerability in Mozilla Firefox before 3.6.26 and 4.x ...) - xulrunner (Only affects Firefox >= 4) - iceweasel 10.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) CVE-2011-3658 (The SVG implementation in Mozilla Firefox 8.0, Thunderbird 8.0, and Se ...) - iceweasel 9.0-1 - iceape 2.7.1-1 [squeeze] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceape (Only affects Firefox >= 4) CVE-2011-3657 (Multiple cross-site scripting (XSS) vulnerabilities in Bugzilla 2.x an ...) - bugzilla (low) [squeeze] - bugzilla (Not supported in Squeeze LTS) [lenny] - bugzilla (Minor issue) CVE-2011-3656 RESERVED - iceweasel 4.0-1 [squeeze] - iceweasel (Iceweasel not supported in Squeeze LTS) CVE-2011-3655 (Mozilla Firefox 4.x through 7.0 and Thunderbird 5.0 through 7.0 perfor ...) - xulrunner (Only affects Firefox >= 4) - iceweasel 8.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) CVE-2011-3654 (The browser engine in Mozilla Firefox before 8.0 and Thunderbird befor ...) - xulrunner (Only affects Firefox >= 4) - iceweasel 8.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) CVE-2011-3653 (Mozilla Firefox before 8.0 and Thunderbird before 8.0 on Mac OS X do n ...) - iceweasel (MacOS X-specific) CVE-2011-3652 (The browser engine in Mozilla Firefox before 8.0 and Thunderbird befor ...) - xulrunner (Only affects Firefox >= 4) - iceweasel 8.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) CVE-2011-3651 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - xulrunner (Only affects Firefox >= 4) - iceweasel 8.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) CVE-2011-3650 (Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird befo ...) {DSA-2345-1 DSA-2342-1 DSA-2341-1} - icedove 3.1.16-1 [lenny] - icedove - xulrunner (unimportant) - iceweasel 8.0-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-9 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2011-3649 (Mozilla Firefox 7.0 and Thunderbird 7.0, when the Direct2D (aka D2D) A ...) - iceweasel (Windows-specific) CVE-2011-3648 (Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.6 ...) {DSA-2345-1 DSA-2342-1 DSA-2341-1} - icedove 3.1.16-1 [lenny] - icedove - xulrunner (unimportant) - iceweasel 8.0-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-9 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2011-3647 (The JSSubScriptLoader in Mozilla Firefox before 3.6.24 and Thunderbird ...) {DSA-2345-1 DSA-2342-1 DSA-2341-1} - icedove 3.1.16-1 [lenny] - icedove - xulrunner (unimportant) - iceweasel 7.0-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-9 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2011-3646 (phpmyadmin.css.php in phpMyAdmin 3.4.x before 3.4.6 allows remote atta ...) - phpmyadmin 4:3.4.6-1 (unimportant) CVE-2011-3645 (Newgen OmniDocs allows remote attackers to bypass intended access rest ...) NOT-FOR-US: Newgen OmniDocs CVE-2010-4841 (Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine Ev ...) NOT-FOR-US: ManageEngine EventLog Analyzer CVE-2010-4840 (Multiple buffer overflows in the Syslog server in ManageEngine EventLo ...) NOT-FOR-US: ManageEngine EventLog Analyzer CVE-2011-XXXX [atftp DoS] - atftp 0.7.dfsg-11 (low) [squeeze] - atftp (Minor issue) [lenny] - atftp (Introduced with ipv6 patch) CVE-2011-3644 RESERVED CVE-2011-3643 RESERVED CVE-2011-3642 (Cross-site scripting (XSS) vulnerability in Flowplayer Flash 3.2.7 thr ...) - mahara (low; bug #699230) [squeeze] - mahara (Minor issue) NOTE: https://code.google.com/p/flowplayer-core/issues/detail?id=441 CVE-2011-3641 RESERVED CVE-2011-3640 (** DISPUTED ** Untrusted search path vulnerability in Mozilla Network ...) {DSA-2339-1} - nss 3.13.1.with.ckbi.1.88-1 (low; bug #647614) [lenny] - nss (Minor issue) [squeeze] - nss (Minor issue) - chromium-browser (unimportant) NOTE: attacker needs to get malicious file into cwd first NOTE: http://seclists.org/fulldisclosure/2011/Oct/734 CVE-2011-3639 (The mod_proxy module in the Apache HTTP Server 2.0.x through 2.0.64 an ...) {DSA-2405-1} - apache2 2.2.18-1 NOTE: Related to CVE-2011-3368 and CVE-2011-4317 but a different issue CVE-2011-3638 (fs/ext4/extents.c in the Linux kernel before 3.0 does not mark a modif ...) - linux-2.6 3.0.0-1 [squeeze] - linux-2.6 2.6.32-40 CVE-2011-3637 (The m_stop function in fs/proc/task_mmu.c in the Linux kernel before 2 ...) - linux-2.6 2.6.39-1 [squeeze] - linux-2.6 (Introduced in 2.6.39) [lenny] - linux-2.6 (Introduced in 2.6.39) CVE-2011-3636 (Cross-site request forgery (CSRF) vulnerability in the management inte ...) NOT-FOR-US: FreeIPA CVE-2011-3635 (Cross-site scripting (XSS) vulnerability in the theme_adium_append_mes ...) - empathy 3.2.1.1-1 [squeeze] - empathy (Minor issue) [lenny] - empathy (only affects webkit theming, not present in Lenny) CVE-2011-3634 (methods/https.cc in apt before 0.8.11 accepts connections when the cer ...) {DLA-0005-1} - apt 0.8.11 (low) [squeeze] - apt 0.8.10.3+squeeze2 NOTE: Minor issue, apt is only affected if apt-transport-https is installed NOTE: http://bazaar.launchpad.net/~donkult/apt/sid/revision/2053.1.28 NOTE: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/868353 CVE-2011-3633 REJECTED CVE-2011-3632 (Hardlink before 0.1.2 operates on full file system objects path names ...) - hardlink (Only the C version, ours are written in Python) CVE-2011-3631 (Hardlink before 0.1.2 has multiple integer overflows leading to heap-b ...) - hardlink (Only the C version, ours are written in Python) CVE-2011-3630 (Hardlink before 0.1.2 suffer from multiple stack-based buffer overflow ...) - hardlink (Only the C version, ours are written in Python) CVE-2011-3629 (Joomla! core 1.7.1 allows information disclosure due to weak encryptio ...) NOT-FOR-US: Joomla! CVE-2011-3628 (Untrusted search path vulnerability in pam_motd (aka the MOTD module) ...) - pam 1.1.3-7 (low; bug #670076) [squeeze] - pam (Minor issue) [lenny] - pam (Minor issue) NOTE: https://bugs.launchpad.net/ubuntu/%2Bsource/pam/%2Bbug/610125 NOTE: https://launchpadlibrarian.net/82729670/610125.patch NOTE: its not clear which version fixed this, but its present in the checked version 1.1.3-7 CVE-2011-3627 (The bytecode engine in ClamAV before 0.97.3 allows remote attackers to ...) - clamav 0.97.3+dfsg-1 (low) [squeeze] - clamav 0.97.3+dfsg-1~squeeze1 CVE-2011-3626 (Double free vulnerability in the prepare_exec function in src/exec.c i ...) NOT-FOR-US: Logsurfer CVE-2011-3625 (Stack-based buffer overflow in the sub_read_line_sami function in subr ...) - mplayer 2:1.0~rc4.dfsg1+svn33713-2 (bug #645987) [squeeze] - mplayer (Malformed SMI file correctly rejected, possibly introduced by later changes) - mplayer2 2.0-134-g84d8671-9 (bug #646937) CVE-2011-3624 (Various methods in WEBrick::HTTPRequest in Ruby 1.9.2 and 1.8.7 and ea ...) - ruby1.8 (low; bug #646020) [lenny] - ruby1.8 (Minor issue) [squeeze] - ruby1.8 (Minor issue) [wheezy] - ruby1.8 (Minor issue) - ruby1.9 (low; bug #646020) [lenny] - ruby1.9 (Minor issue) - ruby1.9.1 (low; bug #646020) [squeeze] - ruby1.9.1 (Minor issue, there seems to be no patch upstream) [wheezy] - ruby1.9.1 (Minor issue) CVE-2011-3623 (Multiple stack-based buffer overflows in VideoLAN VLC media player bef ...) - vlc 1.1.3-1 NOTE: https://bugs.gentoo.org/show_bug.cgi?id=285370 CVE-2011-3622 (A Cross-Site Scripting (XSS) vulnerability exists in the admin login s ...) NOT-FOR-US: phorum CVE-2011-3621 (A reverse proxy issue exists in FluxBB before 1.4.7 when FORUM_BEHIND_ ...) NOT-FOR-US: fluxbb CVE-2011-3620 (Apache Qpid 0.12 does not properly verify credentials during the joini ...) - qpid-cpp (Red Hat-specific extension, see bug #672124) CVE-2011-3619 (The apparmor_setprocattr function in security/apparmor/lsm.c in the Li ...) - linux-2.6 3.0.0-1 [squeeze] - linux-2.6 (Introduced in 2.6.36) [lenny] - linux-2.6 (Introduced in 2.6.36) CVE-2011-3618 (atop: symlink attack possible due to insecure tempfile handling ...) - atop 1.23-1.1 (low; bug #622794) [lenny] - atop 1.23-1+lenny1 (bug #622794) [squeeze] - atop 1.23-1+squeeze1 (bug #622794) CVE-2011-3617 (Tahoe-LAFS v1.3.0 through v1.8.2 could allow unauthorized users to del ...) - tahoe-lafs 1.8.3-1 (bug #641540) CVE-2011-3616 (The getSkillname function in the eve module in Conky 1.8.1 and earlier ...) - conky 1.8.0-1.1 (low; bug #612033) [squeeze] - conky 1.8.0-1+squeeze1 [lenny] - conky 1.6.0-2+lenny1 CVE-2011-3615 (Multiple SQL injection vulnerabilities in Simple Machines Forum (SMF) ...) NOT-FOR-US: Simple Machines Forum CVE-2011-3614 (An Access Control vulnerability exists in the Facebook, Twitter, and E ...) NOT-FOR-US: Vanilla Forums CVE-2011-3613 (An issue exists in Vanilla Forums before 2.0.17.9 due to the way cooki ...) NOT-FOR-US: Vanilla Forums CVE-2011-3612 (Cross-Site Request Forgery (CSRF) vulnerability exists in panel.php in ...) NOT-FOR-US: UseBB CVE-2011-3611 (A File Inclusion vulnerability exists in act parameter to admin.php in ...) NOT-FOR-US: UseBB CVE-2011-3610 (A Cross-site Scripting (XSS) vulnerability exists in the Serendipity f ...) NOT-FOR-US: Serendipity plugin CVE-2011-3609 (A CSRF issue was found in JBoss Application Server 7 before 7.1.0. JBo ...) - jbossas4 (Only builds a few libraries, not the full application server, #581226) CVE-2011-3608 REJECTED CVE-2011-3607 (Integer overflow in the ap_pregsub function in server/util.c in the Ap ...) {DSA-2405-1} - apache2 2.2.21-4 CVE-2011-3606 (A DOM based cross-site scripting flaw was found in the JBoss Applicati ...) - jbossas4 (Only builds a few libraries, not the full application server, #581226) CVE-2011-3605 (The process_rs function in the router advertisement daemon (radvd) bef ...) {DSA-2323-1} - radvd 1:1.8-1.1 (bug #644614) NOTE: http://seclists.org/oss-sec/2011/q4/30 CVE-2011-3604 (The process_ra function in the router advertisement daemon (radvd) bef ...) {DSA-2323-1} - radvd 1:1.8-1.1 (bug #644614) NOTE: http://seclists.org/oss-sec/2011/q4/30 CVE-2011-3603 (The router advertisement daemon (radvd) before 1.8.2 does not properly ...) NOTE: http://seclists.org/oss-sec/2011/q4/30 NOTE: should be rejected (http://seclists.org/oss-sec/2011/q4/72) CVE-2011-3602 (Directory traversal vulnerability in device-linux.c in the router adve ...) {DSA-2323-1} - radvd 1:1.8-1.1 (bug #644614) NOTE: http://seclists.org/oss-sec/2011/q4/30 CVE-2011-3601 (Buffer overflow in the process_ra function in the router advertisement ...) {DSA-2323-1} - radvd 1:1.8-1.2 (bug #644614) [squeeze] - radvd (No support for ND_OPT_DNSSL_INFORMATION) [lenny] - radvd (No support for ND_OPT_DNSSL_INFORMATION) NOTE: http://seclists.org/oss-sec/2011/q4/30 CVE-2011-3600 (The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler i ...) - libxmlrpc3-java 3.1.3-1 (low) [lenny] - libxmlrpc3-java (Minor issue) CVE-2011-3599 (The Crypt::DSA (aka Crypt-DSA) module 1.17 and earlier for Perl, when ...) - libcrypt-dsa-perl 1.17-3 (unimportant; bug #644189) NOTE: All supported Debian kernels have /dev/random, so severity unimportant CVE-2011-3598 (Multiple cross-site scripting (XSS) vulnerabilities in phpPgAdmin befo ...) - phppgadmin 5.0.3-1 (low; bug #644290) [squeeze] - phppgadmin 4.2.3-1.1squeeze1 [lenny] - phppgadmin 4.2.2-1lenny1 CVE-2011-3597 (Eval injection vulnerability in the Digest module before 1.17 for Perl ...) - libdigest-perl 1.17-1 (low; bug #644108) [squeeze] - libdigest-perl 1.16-1+squeeze1 [lenny] - libdigest-perl 1.15-2+lenny1 - perl 5.12.4-6 (low; bug #644108) [squeeze] - perl 5.10.1-17squeeze3 [lenny] - perl (Minor issue) NOTE: https://github.com/gisle/digest/commit/33800e83550bcad19c4fc593874ec3497841fa1e CVE-2011-3596 (Polipo before 1.0.4.1 suffers from a DoD vulnerability via specially-c ...) - polipo 1.0.4.1-1.2 (bug #644289) [squeeze] - polipo (Minor issue) NOTE: http://seclists.org/fulldisclosure/2011/Oct/10 CVE-2011-3595 (Multiple Cross-site Scripting (XSS) vulnerabilities exist in Joomla! t ...) NOT-FOR-US: Joomla! CVE-2011-3594 (The g_markup_escape_text function in the SILC protocol plug-in in libp ...) - pidgin 2.10.1-1 (unimportant) [squeeze] - pidgin 2.7.3-1+squeeze2 NOTE: relatively obscure client crash CVE-2011-3593 (A certain Red Hat patch to the vlan_hwaccel_do_receive function in net ...) - linux-2.6 (RHEL6 only because of badly backported patches) CVE-2011-3592 (Multiple cross-site scripting (XSS) vulnerabilities in the PMA_unInlin ...) - phpmyadmin 4:3.4.5-1 [squeeze] - phpmyadmin (Vulnerable code not present) [lenny] - phpmyadmin (Vulnerable code not present) CVE-2011-3591 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.4. ...) - phpmyadmin 4:3.4.5-1 [squeeze] - phpmyadmin (Vulnerable code not present) [lenny] - phpmyadmin (Vulnerable code not present) CVE-2011-3590 (The Red Hat mkdumprd script for kexec-tools, as distributed in the kex ...) - kexec-tools (The flaw exists in kdump.init and mkdumprd scrits, shipped only with Red Hat and Fedora) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=716439 CVE-2011-3589 (The Red Hat mkdumprd script for kexec-tools, as distributed in the kex ...) - kexec-tools (The flaw exists in kdump.init and mkdumprd scrits, shipped only with Red Hat and Fedora) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=716439 CVE-2011-3588 (The SSH configuration in the Red Hat mkdumprd script for kexec-tools, ...) - kexec-tools (The flaw exists in kdump.init and mkdumprd scrits, shipped only with Red Hat and Fedora) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=716439 CVE-2011-3587 (Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone ...) - zope2.10 (Introduced in 2.12) - zope2.12 2.12.20-2 CVE-2011-3586 REJECTED CVE-2011-3585 (Multiple race conditions in the (1) mount.cifs and (2) umount.cifs pro ...) - samba 2:3.4.7~dfsg-2 (low) - cifs-utils 2:4.5-1 (low) NOTE: cifs-utils was split off from the samba source package with 2:3.4.7~dfsg-2, so marking it as fixed NOTE: http://git.samba.org/?p=cifs-utils.git;a=commitdiff;h=810f7e4e0f2dbcbee0294d9b371071cb08268200 CVE-2011-3584 (The TYPO3 Core wec_discussion extension before 2.1.1 is vulnerable to ...) - typo3-src 4.5.6+dfsg1-1 (low; bug #641683) [squeeze] - typo3-src 4.3.9+dfsg1-1+squeeze2 [lenny] - typo3-src 4.2.5-1+lenny9 CVE-2011-3583 (It was found that Typo3 Core versions 4.5.0 - 4.5.5 uses prepared stat ...) - typo3-src 4.5.6+dfsg1-1 (low; bug #641682) [squeeze] - typo3-src (Only affects 4.5.x) [lenny] - typo3-src (Only affects 4.5.x) CVE-2011-3582 (A Cross-site Request Forgery (CSRF) vulnerability exists in Advanced E ...) NOT-FOR-US: Advanced Electron Forums CVE-2011-3581 (Heap-based buffer overflow in the ldns_rr_new_frm_str_internal functio ...) {DSA-2353-1} - ldns 1.6.11-1 (bug #647297) CVE-2011-3580 (IceWarp WebMail in IceWarp Mail Server before 10.3.3 allows remote att ...) NOT-FOR-US: IceWarp Mail Server CVE-2011-3579 (server/webmail.php in IceWarp WebMail in IceWarp Mail Server before 10 ...) NOT-FOR-US: IceWarp Mail Server CVE-2011-3578 (Cross-site scripting (XSS) vulnerability in bug_actiongroup_ext_page.p ...) - mantis 1.2.7-1 [squeeze] - mantis 1.1.8+dfsg-10squeeze1 CVE-2004-2770 REJECTED CVE-2011-3577 (IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x through 7.0.0.3 do ...) NOT-FOR-US: IBM WebSphere Commerce CVE-2011-3576 (Cross-site scripting (XSS) vulnerability in IBM Lotus Domino 8.5.2 all ...) NOT-FOR-US: IBM Lotus Domino CVE-2011-3575 (Stack-based buffer overflow in the NSFComputeEvaluateExt function in N ...) NOT-FOR-US: IBM Lotus Domino CVE-2011-3574 (Unspecified vulnerability in Oracle Communications Unified 7.0 allows ...) NOT-FOR-US: Oracle Communications Unified CVE-2011-3573 (Unspecified vulnerability in Oracle Communications Unified 7.0 allows ...) NOT-FOR-US: Oracle Communications Unified CVE-2011-3572 REJECTED CVE-2011-3571 (Unspecified vulnerability in the Virtual Desktop Infrastructure (VDI) ...) NOTE: CVE was misused by Oracle. Replaced by CVE-2012-0507. CVE-2011-3570 (Unspecified vulnerability in Oracle Communications Unified 7.0 allows ...) NOT-FOR-US: Oracle Communications Unified CVE-2011-3569 (Unspecified vulnerability in the Oracle Web Services Manager component ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2011-3568 (Unspecified vulnerability in the Oracle Web Services Manager component ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2011-3567 REJECTED CVE-2011-3566 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2011-3565 (Unspecified vulnerability in Oracle Communications Unified 7.0 allows ...) NOT-FOR-US: Oracle Communications Unified CVE-2011-3564 (Unspecified vulnerability in Oracle GlassFish Enterprise Server 2.1.1 ...) - glassfish (administration component not shipped) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=783897 CVE-2011-3563 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2420-1} - openjdk-6 6b24-1.11.1-1 - openjdk-7 7~u3-2.1-1 CVE-2011-3562 (Unspecified vulnerability in the Portal component in Oracle Fusion Mid ...) NOT-FOR-US: Oracle Fusion CVE-2011-3561 (Unspecified vulnerability in the Java Runtime Environment component in ...) - sun-java6 (bug #645881) [lenny] - sun-java6 (Non-free not supported) [squeeze] - sun-java6 (Non-free not supported) CVE-2011-3560 (Unspecified vulnerability in the Java Runtime Environment component in ...) {DSA-2358-1 DSA-2356-1} - sun-java6 (bug #645881) [lenny] - sun-java6 (Non-free not supported) [squeeze] - sun-java6 (Non-free not supported) - openjdk-6 6b23~pre11-1 - openjdk-7 7~b147-2.0-1 CVE-2011-3559 (Unspecified vulnerability in Oracle Communications Server 2.0; GlassFi ...) NOT-FOR-US: Oracle Communications Server, GlassFish Enterprise Server, Sun Java System App Server CVE-2011-3558 (Unspecified vulnerability in the Java Runtime Environment component in ...) - sun-java6 (bug #645881) [lenny] - sun-java6 (Non-free not supported) [squeeze] - sun-java6 (Non-free not supported) [lenny] - openjdk-6 (Hotspot version too old) [squeeze] - openjdk-6 (Hotspot version too old) - openjdk-6 6b23~pre11-1 - openjdk-7 7~b147-2.0-1 CVE-2011-3557 (Unspecified vulnerability in the Java Runtime Environment component in ...) {DSA-2358-1 DSA-2356-1} - sun-java6 (bug #645881) [lenny] - sun-java6 (Non-free not supported) [squeeze] - sun-java6 (Non-free not supported) - openjdk-6 6b23~pre11-1 - openjdk-7 7~b147-2.0-1 CVE-2011-3556 (Unspecified vulnerability in the Java Runtime Environment component in ...) {DSA-2358-1 DSA-2356-1} - sun-java6 (bug #645881) [lenny] - sun-java6 (Non-free not supported) [squeeze] - sun-java6 (Non-free not supported) - openjdk-6 6b23~pre11-1 - openjdk-7 7~b147-2.0-1 CVE-2011-3555 (Unspecified vulnerability in the Java Runtime Environment component in ...) - sun-java6 (bug #645881) [lenny] - sun-java6 (Non-free not supported) [squeeze] - sun-java6 (Non-free not supported) CVE-2011-3554 (Unspecified vulnerability in the Java Runtime Environment component in ...) {DSA-2358-1 DSA-2356-1} - sun-java6 (bug #645881) [lenny] - sun-java6 (Non-free not supported) [squeeze] - sun-java6 (Non-free not supported) - openjdk-6 6b23~pre11-1 - openjdk-7 7~b147-2.0-1 CVE-2011-3553 (Unspecified vulnerability in the Java Runtime Environment component in ...) {DSA-2358-1 DSA-2356-1} - sun-java6 (bug #645881) [lenny] - sun-java6 (Non-free not supported) [squeeze] - sun-java6 (Non-free not supported) - openjdk-6 6b23~pre11-1 - openjdk-7 7~b147-2.0-1 CVE-2011-3552 (Unspecified vulnerability in the Java Runtime Environment component in ...) {DSA-2358-1 DSA-2356-1} - sun-java6 (bug #645881) [lenny] - sun-java6 (Non-free not supported) [squeeze] - sun-java6 (Non-free not supported) - openjdk-6 6b23~pre11-1 - openjdk-7 7~b147-2.0-1 CVE-2011-3551 (Unspecified vulnerability in the Java Runtime Environment component in ...) {DSA-2358-1 DSA-2356-1} - sun-java6 (bug #645881) [lenny] - sun-java6 (Non-free not supported) [squeeze] - sun-java6 (Non-free not supported) - openjdk-6 6b23~pre11-1 - openjdk-7 7~b147-2.0-1 CVE-2011-3550 (Unspecified vulnerability in the Java Runtime Environment component in ...) - sun-java6 (bug #645881) [lenny] - sun-java6 (Non-free not supported) [squeeze] - sun-java6 (Non-free not supported) CVE-2011-3549 (Unspecified vulnerability in the Java Runtime Environment component in ...) - sun-java6 (bug #645881) [lenny] - sun-java6 (Non-free not supported) [squeeze] - sun-java6 (Non-free not supported) CVE-2011-3548 (Unspecified vulnerability in the Java Runtime Environment component in ...) {DSA-2358-1 DSA-2356-1} - sun-java6 (bug #645881) [lenny] - sun-java6 (Non-free not supported) [squeeze] - sun-java6 (Non-free not supported) - openjdk-6 6b23~pre11-1 - openjdk-7 7~b147-2.0-1 CVE-2011-3547 (Unspecified vulnerability in the Java Runtime Environment component in ...) {DSA-2358-1 DSA-2356-1} - sun-java6 (bug #645881) [lenny] - sun-java6 (Non-free not supported) [squeeze] - sun-java6 (Non-free not supported) - openjdk-6 6b23~pre11-1 - openjdk-7 7~b147-2.0-1 CVE-2011-3546 (Unspecified vulnerability in the Java Runtime Environment component in ...) - sun-java6 (bug #645881) [lenny] - sun-java6 (Non-free not supported) [squeeze] - sun-java6 (Non-free not supported) CVE-2011-3545 (Unspecified vulnerability in the Java Runtime Environment component in ...) - sun-java6 (bug #645881) [lenny] - sun-java6 (Non-free not supported) [squeeze] - sun-java6 (Non-free not supported) CVE-2011-3544 (Unspecified vulnerability in the Java Runtime Environment component in ...) {DSA-2358-1 DSA-2356-1} - sun-java6 (bug #645881) [lenny] - sun-java6 (Non-free not supported) [squeeze] - sun-java6 (Non-free not supported) - openjdk-6 6b23~pre11-1 - openjdk-7 7~b147-2.0-1 CVE-2011-3543 (Unspecified vulnerability in Oracle Solaris 11 Express allows remote a ...) NOT-FOR-US: Oracle Solaris 11 Express CVE-2011-3542 (Unspecified vulnerability in Oracle Solaris 10 and 11 Express allows l ...) NOT-FOR-US: Oracle Solaris CVE-2011-3541 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2011-3540 REJECTED CVE-2011-3539 (Unspecified vulnerability in Oracle Solaris 10 and 11 Express allows l ...) NOT-FOR-US: Oracle Solaris CVE-2011-3538 (Unspecified vulnerability in the Sun Ray component in Oracle Virtualiz ...) NOT-FOR-US: Oracle Virtualization CVE-2011-3537 (Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 Express a ...) NOT-FOR-US: Oracle Solaris CVE-2011-3536 (Unspecified vulnerability in Oracle Solaris 10 allows local users to a ...) NOT-FOR-US: Oracle Solaris CVE-2011-3535 (Unspecified vulnerability in the Solaris component in Oracle Sun Produ ...) NOT-FOR-US: Oracle Solaris CVE-2011-3534 (Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 Express a ...) NOT-FOR-US: Oracle Solaris CVE-2011-3533 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: Oracle PeopleSoft CVE-2011-3532 (Unspecified vulnerability in the Oracle Agile Product Supplier Collabo ...) NOT-FOR-US: Oracle Supply Chain CVE-2011-3531 (Unspecified vulnerability in the Oracle Web Services Manager component ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2011-3530 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: Oracle PeopleSoft CVE-2011-3529 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: Oracle PeopleSoft CVE-2011-3528 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: Oracle PeopleSoft CVE-2011-3527 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: Oracle PeopleSoft CVE-2011-3526 (Unspecified vulnerability in the Siebel Core - UIF Server component in ...) NOT-FOR-US: Oracle Siebel CVE-2011-3525 (Unspecified vulnerability in the Application Express component in Orac ...) NOT-FOR-US: Oracle Database Server CVE-2011-3524 (Unspecified vulnerability in the EnterpriseOne Tools component in Orac ...) NOT-FOR-US: Oracle JD Edwards Products CVE-2011-3523 (Unspecified vulnerability in the Oracle Web Services Manager component ...) NOT-FOR-US: Oracle Fusion CVE-2011-3522 (Unspecified vulnerability in SysFW 8.0 on certain SPARC T3, Netra SPAR ...) NOT-FOR-US: SPARC T3, Netra SPARC T3, Sun Fire, and Sun Blade CVE-2011-3521 (Unspecified vulnerability in the Java Runtime Environment component in ...) {DSA-2358-1 DSA-2356-1} - sun-java6 (bug #645881) [lenny] - sun-java6 (Non-free not supported) [squeeze] - sun-java6 (Non-free not supported) - openjdk-6 6b23~pre11-1 - openjdk-7 7~b147-2.0-1 CVE-2011-3520 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft Enterprise PeopleTools CVE-2011-3519 (Unspecified vulnerability in the Oracle Applications Framework compone ...) NOT-FOR-US: Oracle E-Business Suite CVE-2011-3518 (Unspecified vulnerability in the Siebel Core - UIF Client component in ...) NOT-FOR-US: Oracle Siebel CVE-2011-3517 (Unspecified vulnerability in the Oracle OpenSSO component in Oracle Su ...) NOT-FOR-US: Oracle Sun Products Suite CVE-2011-3516 (Unspecified vulnerability in the Java Runtime Environment component in ...) - sun-java6 (Windows-specific) - openjdk-6 (Windows-specific) CVE-2011-3515 (Unspecified vulnerability in the Oracle Solaris 10 and 11 Express allo ...) NOT-FOR-US: Oracle Solaris CVE-2011-3514 (Unspecified vulnerability in the EnterpriseOne Tools component in Orac ...) NOT-FOR-US: Oracle JD Edwards Products CVE-2011-3513 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2011-3512 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2011-3511 (Unspecified vulnerability in the Database Vault component in Oracle Da ...) NOT-FOR-US: Oracle Database Server CVE-2011-3510 (Unspecified vulnerability in the Oracle Business Intelligence Enterpri ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2011-3509 (Unspecified vulnerability in the EnterpriseOne Tools component in Orac ...) NOT-FOR-US: Oracle JD Edwards Products CVE-2011-3508 (Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 Express a ...) NOT-FOR-US: Oracle Solaris CVE-2011-3507 (Unspecified vulnerability in the Oracle Communications Unified compone ...) NOT-FOR-US: Oracle Sun Products Suite CVE-2011-3506 (Unspecified vulnerability in the Oracle OpenSSO component in Oracle Su ...) NOT-FOR-US: Oracle Sun Products Suite CVE-2011-3505 REJECTED CVE-2011-3504 (The Matroska format decoder in FFmpeg before 0.8.3 does not properly a ...) {DSA-2336-1} - libav 4:0.7.2-1 (bug #643859) - ffmpeg 7:2.4.1-1 - ffmpeg-debian CVE-2011-3503 (Untrusted search path vulnerability in eSignal 10.6.2425.1208, and pos ...) NOT-FOR-US: eSignal CVE-2011-3502 (The web server in Cogent DataHub 7.1.1.63 and earlier allows remote at ...) NOT-FOR-US: Cogent DataHub CVE-2011-3501 (Integer overflow in Cogent DataHub 7.1.1.63 and earlier allows remote ...) NOT-FOR-US: Cogent DataHub CVE-2011-3500 (Directory traversal vulnerability in the web server in Cogent DataHub ...) NOT-FOR-US: Cogent DataHub CVE-2011-3499 (Progea Movicon / PowerHMI 11.2.1085 and earlier allows remote attacker ...) NOT-FOR-US: Progea Movicon / PowerHMI CVE-2011-3498 (Heap-based buffer overflow in Progea Movicon / PowerHMI 11.2.1085 and ...) NOT-FOR-US: Progea Movicon / PowerHMI CVE-2011-3497 (service.exe in Measuresoft ScadaPro 4.0.0 and earlier allows remote at ...) NOT-FOR-US: Measuresoft ScadaPro CVE-2011-3496 (service.exe in Measuresoft ScadaPro 4.0.0 and earlier allows remote at ...) NOT-FOR-US: Measuresoft ScadaPro CVE-2011-3495 (Multiple directory traversal vulnerabilities in service.exe in Measure ...) NOT-FOR-US: Measuresoft ScadaPro CVE-2011-3494 (WinSig.exe in eSignal 10.6.2425 and earlier allows remote attackers to ...) NOT-FOR-US: eSignal CVE-2011-3493 (Multiple stack-based buffer overflows in the DH_OneSecondTick function ...) NOT-FOR-US: Cogent DataHub CVE-2011-3492 (Stack-based buffer overflow in Azeotech DAQFactory 5.85 build 1853 and ...) NOT-FOR-US: Azeotech DAQFactory CVE-2011-3491 (Heap-based buffer overflow in Progea Movicon / PowerHMI 11.2.1085 and ...) NOT-FOR-US: Progea Movicon / PowerHMI CVE-2011-3490 (Multiple stack-based buffer overflows in service.exe in Measuresoft Sc ...) NOT-FOR-US: Measuresoft ScadaPro CVE-2011-3489 (RnaUtility.dll in RsvcHost.exe 2.30.0.23 in Rockwell RSLogix 19 and ea ...) NOT-FOR-US: Rockwell RSLogix CVE-2011-3488 (Use-after-free vulnerability in Equis MetaStock 11 and earlier allows ...) NOT-FOR-US: Equis MetaStock CVE-2011-3487 (Directory traversal vulnerability in CarelDataServer.exe in Carel Plan ...) NOT-FOR-US: Carel PlantVisor CVE-2011-3486 (Beckhoff TwinCAT 2.11.0.2004 and earlier allows remote attackers to ca ...) NOT-FOR-US: Beckhoff TwinCAT CVE-2011-3485 RESERVED CVE-2011-3481 (The index_get_ids function in index.c in imapd in Cyrus IMAP Server be ...) {DSA-2377-1} - cyrus-imapd-2.2 - cyrus-imapd-2.4 2.4.11-1 - kolab-cyrus-imapd [squeeze] - kolab-cyrus-imapd (Unsupported in squeeze-lts) CVE-2011-3480 REJECTED CVE-2011-3479 (Symantec pcAnywhere 12.5.x through 12.5.3, and IT Management Suite pcA ...) NOT-FOR-US: Symantec pcAnywhere CVE-2011-3478 (The host-services component in Symantec pcAnywhere 12.5.x through 12.5 ...) NOT-FOR-US: Symantec pcAnywhere CVE-2011-3477 (GEAR Software CD DVD Filter driver (aka GEARAspiWDM.sys), as used in S ...) NOT-FOR-US: Symantec CVE-2011-3476 REJECTED CVE-2011-3475 RESERVED CVE-2011-3474 RESERVED CVE-2011-3473 RESERVED CVE-2011-3472 RESERVED CVE-2011-3471 RESERVED CVE-2011-3470 RESERVED CVE-2011-3469 RESERVED CVE-2011-3468 RESERVED CVE-2011-3467 RESERVED CVE-2011-3466 RESERVED CVE-2011-3465 RESERVED CVE-2011-3464 (Off-by-one error in the png_formatted_warning function in pngerror.c i ...) - libpng (Only affects libpng 1.5, which is only in experimental) CVE-2011-3463 (WebDAV Sharing in Apple Mac OS X 10.7.x before 10.7.3 does not properl ...) NOT-FOR-US: Mac OS X CVE-2011-3462 (Time Machine in Apple Mac OS X before 10.7.3 does not verify the uniqu ...) NOT-FOR-US: Mac OS X CVE-2011-3461 RESERVED CVE-2011-3460 (Buffer overflow in QuickTime in Apple Mac OS X before 10.7.3 allows re ...) NOT-FOR-US: QuickTime CVE-2011-3459 (Off-by-one error in QuickTime in Apple Mac OS X before 10.7.3 allows r ...) NOT-FOR-US: QuickTime CVE-2011-3458 (QuickTime in Apple Mac OS X before 10.7.3 does not prevent access to u ...) NOT-FOR-US: QuickTime CVE-2011-3457 (The OpenGL implementation in Apple Mac OS X before 10.7.3 does not pro ...) NOT-FOR-US: Mac OS X CVE-2011-3456 RESERVED CVE-2011-3455 RESERVED CVE-2011-3454 RESERVED CVE-2011-3453 (Integer overflow in libresolv in Apple Mac OS X before 10.7.3 allows r ...) NOT-FOR-US: Mac OS X CVE-2011-3452 (Internet Sharing in Apple Mac OS X before 10.7.3 does not preserve the ...) NOT-FOR-US: Mac OS X CVE-2011-3451 RESERVED CVE-2011-3450 (CoreUI in Apple Mac OS X 10.7.x before 10.7.3 does not properly restri ...) NOT-FOR-US: Mac OS X CVE-2011-3449 (Use-after-free vulnerability in CoreText in Apple Mac OS X before 10.7 ...) NOT-FOR-US: Mac OS X CVE-2011-3448 (Heap-based buffer overflow in CoreMedia in Apple Mac OS X before 10.7. ...) NOT-FOR-US: Mac OS X CVE-2011-3447 (CFNetwork in Apple Mac OS X 10.7.x before 10.7.3 does not properly con ...) NOT-FOR-US: Mac OS X CVE-2011-3446 (Apple Type Services (ATS) in Apple Mac OS X before 10.7.3 does not pro ...) NOT-FOR-US: Mac OS X CVE-2011-3445 RESERVED CVE-2011-3444 (Address Book in Apple Mac OS X before 10.7.3 automatically switches to ...) NOT-FOR-US: Mac OS X CVE-2011-3443 (Use-after-free vulnerability in WebKit, as used in Apple Safari before ...) NOT-FOR-US: Webspecidied Safari webkit issue, likely a Apple dupe CVE-2011-3442 (The kernel in Apple iOS before 5.0.1 does not ensure the validity of f ...) NOT-FOR-US: Apple iOS CVE-2011-3441 (libinfo in Apple iOS before 5.0.1 does not properly formulate domain-n ...) NOT-FOR-US: Apple iOS CVE-2011-3440 (The Passcode Lock feature in Apple iOS before 5.0.1 on the iPad 2 does ...) NOT-FOR-US: Apple iOS CVE-2011-3439 (FreeType in CoreGraphics in Apple iOS before 5.0.1 allows remote attac ...) {DSA-2350-1} - freetype 2.4.8-1 (bug #649122) CVE-2011-3438 (WebKit, as used in Safari 5.0.6, allows remote attackers to cause a de ...) NOT-FOR-US: Apple Safari CVE-2011-3437 (Integer signedness error in Apple Type Services (ATS) in Apple Mac OS ...) NOT-FOR-US: Apple Type Services (ATS) in Apple Mac OS CVE-2011-3436 (Open Directory in Apple Mac OS X 10.7 before 10.7.2 does not require a ...) NOT-FOR-US: Open Directory in Apple Mac OS CVE-2011-3435 (Open Directory in Apple Mac OS X 10.7 before 10.7.2 allows local users ...) NOT-FOR-US: Open Directory in Apple Mac OS CVE-2011-3434 (The WiFi component in Apple iOS before 5 stores WiFi credentials in an ...) NOT-FOR-US: WiFi component in Apple iOS CVE-2011-3433 RESERVED CVE-2011-3432 (The UIKit Alerts component in Apple iOS before 5 allows remote attacke ...) NOT-FOR-US: UIKit Alerts component in Apple iOS CVE-2011-3431 (The Home screen component in Apple iOS before 5 does not properly supp ...) NOT-FOR-US: Home screen component in Apple iOS CVE-2011-3430 (The Settings component in Apple iOS before 5, when a configuration pro ...) NOT-FOR-US: Apple iOS CVE-2011-3429 (The Settings component in Apple iOS before 5 stores a cleartext parent ...) NOT-FOR-US: Apple iOS CVE-2011-3428 (Buffer overflow in QuickTime before 7.7.1 for Windows allows remote at ...) NOT-FOR-US: Apple Quicktime CVE-2011-3427 (The Data Security component in Apple iOS before 5 and Apple TV before ...) NOT-FOR-US: Apple iOS CVE-2011-3426 (Cross-site scripting (XSS) vulnerability in Safari in Apple iOS before ...) NOT-FOR-US: Apple iOS CVE-2011-3425 RESERVED CVE-2011-3424 (Session fixation vulnerability in the Managed File Transfer server in ...) NOT-FOR-US: TIBCO Managed File Transfer Internet Server CVE-2011-3423 (Cross-site scripting (XSS) vulnerability in the Managed File Transfer ...) NOT-FOR-US: TIBCO Managed File Transfer Internet Server CVE-2010-4839 (SQL injection vulnerability in the Event Registration plugin 5.32 and ...) NOT-FOR-US: Wordpress plugin Event Registration CVE-2010-4838 (SQL injection vulnerability in the JSupport (com_jsupport) component 1 ...) NOT-FOR-US: Joomla! CVE-2010-4837 (Cross-site scripting (XSS) vulnerability in the JSupport (com_jsupport ...) NOT-FOR-US: Joomla! CVE-2010-4836 (Cross-site scripting (XSS) vulnerability in register.html in PHPShop 2 ...) NOT-FOR-US: PHPShop CVE-2010-4835 (Directory traversal vulnerability in index.php in OneOrZero AIMS 2.6.0 ...) NOT-FOR-US: OneOrZero AIMS CVE-2010-4834 (Multiple SQL injection vulnerabilities in index.php in OneOrZero AIMS ...) NOT-FOR-US: OneOrZero AIMS CVE-2009-5101 (Pentaho BI Server 1.7.0.1062 and earlier includes the session ID (JSES ...) NOT-FOR-US: Pentaho BI Server CVE-2009-5100 (Pentaho BI Server 1.7.0.1062 and earlier does not set the autocomplete ...) NOT-FOR-US: Pentaho BI Server CVE-2009-5099 (Cross-site scripting (XSS) vulnerability in ViewAction in Pentaho BI S ...) NOT-FOR-US: Pentaho BI Server CVE-2009-5098 (The LunaSysMgr process in Palm Pre WebOS 1.1 and earlier, when not vie ...) NOT-FOR-US: Palm WebOS CVE-2009-5097 (Palm Pre WebOS 1.1 and earlier processes JavaScript in email messages, ...) NOT-FOR-US: Palm WebOS CVE-2009-5096 (Cross-site scripting (XSS) vulnerability in the Flag Content module 5. ...) NOT-FOR-US: Drupal module Flag Content NOTE: might get packaged CVE-2011-3482 (The csnStreamDissector function in epan/dissectors/packet-csn1.c in th ...) - wireshark 1.6.2-1 [squeeze] - wireshark (Affects only 1.6.0 and 1.6.1) [lenny] - wireshark (Affects only 1.6.0 and 1.6.1) NOTE: http://www.wireshark.org/security/wnpa-sec-2011-16.html CVE-2011-3483 (Wireshark 1.6.x before 1.6.2 allows remote attackers to cause a denial ...) {DSA-2395-1} - wireshark 1.6.2-1 [lenny] - wireshark (Affects only 1.6.0 and 1.6.1) NOTE: http://www.wireshark.org/security/wnpa-sec-2011-14.html CVE-2011-3484 (The unxorFrame function in epan/dissectors/packet-opensafety.c in the ...) - wireshark 1.6.2-1 [squeeze] - wireshark (Affects only 1.6.0 and 1.6.1) [lenny] - wireshark (Affects only 1.6.0 and 1.6.1) NOTE: http://www.wireshark.org/security/wnpa-sec-2011-12.html CVE-2011-3422 (The Keychain implementation in Apple Mac OS X 10.6.8 and earlier does ...) NOT-FOR-US: Apple Mac OS X CVE-2011-3421 (Multiple unspecified vulnerabilities in Google Chrome before 14.0.835. ...) - chromium-browser 14.0.835.163~r101024-1 (unimportant) NOTE: duplicate CVE-2011-3420 (Multiple unspecified vulnerabilities in Google Chrome before 14.0.835. ...) - chromium-browser 14.0.835.163~r101024-1 (unimportant) NOTE: duplicate CVE-2011-3419 REJECTED CVE-2011-3418 REJECTED CVE-2011-3417 (The Forms Authentication feature in the ASP.NET subsystem in Microsoft ...) NOT-FOR-US: Microsoft ASP.NET CVE-2011-3416 (The Forms Authentication feature in the ASP.NET subsystem in Microsoft ...) NOT-FOR-US: Microsoft ASP.NET CVE-2011-3415 (Open redirect vulnerability in the Forms Authentication feature in the ...) NOT-FOR-US: Microsoft ASP.NET CVE-2011-3414 (The CaseInsensitiveHashProvider.getHashCode function in the HashTable ...) NOT-FOR-US: Microsoft .NET Framework NOTE: Might affect Mono, pinged maintainers CVE-2011-3413 (Microsoft PowerPoint 2007 SP2; Office 2008 for Mac; Office Compatibili ...) NOT-FOR-US: Microsoft PowerPoint CVE-2011-3412 (Microsoft Publisher 2003 SP3, and 2007 SP2 and SP3, allows remote atta ...) NOT-FOR-US: Microsoft Publisher CVE-2011-3411 (Microsoft Publisher 2003 SP3 allows remote attackers to execute arbitr ...) NOT-FOR-US: Microsoft Publisher CVE-2011-3410 (Array index error in Microsoft Publisher 2003 SP3, and 2007 SP2 and SP ...) NOT-FOR-US: Microsoft Publisher CVE-2011-3409 REJECTED CVE-2011-3408 (Csrsrv.dll in the Client/Server Run-time Subsystem (aka CSRSS) in the ...) NOT-FOR-US: Microsoft Windows XP CVE-2011-3407 REJECTED CVE-2011-3406 (Buffer overflow in Active Directory, Active Directory Application Mode ...) NOT-FOR-US: Microsoft Active Directory CVE-2011-3405 REJECTED CVE-2011-3404 (Microsoft Internet Explorer 6 through 9 does not properly use the Cont ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-3403 (Microsoft Excel 2003 SP3 and Office 2004 for Mac do not properly handl ...) NOT-FOR-US: Microsoft Excel CVE-2011-3402 (Unspecified vulnerability in the TrueType font parsing engine in win32 ...) NOT-FOR-US: Microsoft Windows CVE-2011-3401 (ENCDEC.DLL in Windows Media Player and Media Center in Microsoft Windo ...) NOT-FOR-US: Microsoft Media Player CVE-2011-3400 (Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 do not properly h ...) NOT-FOR-US: Microsoft Windows XP CVE-2011-3399 REJECTED CVE-2011-3398 REJECTED CVE-2011-3397 (The Microsoft Time component in DATIME.DLL in Microsoft Windows XP SP2 ...) NOT-FOR-US: Microsoft Windows XP CVE-2011-3396 (Untrusted search path vulnerability in Microsoft PowerPoint 2007 SP2 a ...) NOT-FOR-US: Microsoft PowerPoint CVE-2011-3395 REJECTED CVE-2011-3394 (SQL injection vulnerability in findagent.php in MYRE Real Estate Softw ...) NOT-FOR-US: MYRE Real Estate CVE-2011-3393 (Multiple cross-site scripting (XSS) vulnerabilities in findagent.php i ...) NOT-FOR-US: MYRE Real Estate CVE-2009-5095 (PHP remote file inclusion vulnerability in index_inc.php in ea gBook 0 ...) NOT-FOR-US: ea gBook CVE-2009-5094 (SQL injection vulnerability in info.php in CMS Faethon 2.2.0 Ultimate ...) NOT-FOR-US: CMS Faethon CVE-2009-5093 (Directory traversal vulnerability in gastbuch.php in Gästebuch (G ...) NOT-FOR-US: Gastebuch CVE-2009-5092 (Cross-site scripting (XSS) vulnerability in the management interface i ...) NOT-FOR-US: Microsoft FAST ESP CVE-2009-5091 (SQL injection vulnerability in page.php in Vlinks 1.0.3 and 1.1.6 allo ...) NOT-FOR-US: Vlinks CVE-2009-5090 (SQL injection vulnerability in editcomments.php in Bloggeruniverse Bet ...) NOT-FOR-US: Bloggeruniverse Beta 2 CVE-2009-5089 (Directory traversal vulnerability in index.php in IdeaCart 0.02 and 0. ...) NOT-FOR-US: IdeaCart CVE-2009-5088 (SQL injection vulnerability in secure/index.php in IdeaCart 0.02 allow ...) NOT-FOR-US: IdeaCart CVE-2009-5087 (Directory traversal vulnerability in geohttpserver in Geovision Digita ...) NOT-FOR-US: Geovision Digital Video Surveillance System CVE-2011-3392 (Cross-site scripting (XSS) vulnerability in control.php in the control ...) NOT-FOR-US: Phorum CVE-2011-3391 (IBM Rational Build Forge 7.1.2 relies on client-side JavaScript code t ...) NOT-FOR-US: IBM Rational Build Forge CVE-2011-3354 (The CtcpParser::packedReply method in core/ctcpparser.cpp in Quassel b ...) - quassel 0.7.3-1 (low; bug #640960) [squeeze] - quassel 0.6.3-2+squeeze1 (bug #640960) NOTE: http://git.quassel-irc.org/?p=quassel.git;a=commit;h=da215fcb9cd3096a3e223c87577d5d4ab8f8518b CVE-2011-3390 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in IB ...) NOT-FOR-US: IBM OpenAdmin Too CVE-2010-4833 (Untrusted search path vulnerability in modules/engines/ms-windows/xp_t ...) - gtk+2.0 (win32 specific) CVE-2011-3350 (masqmail 0.2.21 through 0.2.30 improperly calls seteuid() in src/log.c ...) - masqmail 0.2.30-1 (low; bug #638002) [lenny] - masqmail (no security issue by itself) [squeeze] - masqmail 0.2.27-1.1+squeeze1 CVE-2011-3389 (The SSL protocol, as used in certain configurations in Microsoft Windo ...) {DSA-2398-1 DSA-2368-1 DSA-2358-1 DSA-2356-1 DLA-400-1 DLA-154-1} - sun-java6 (bug #645881) [lenny] - sun-java6 (Non-free not supported) [squeeze] - sun-java6 (Non-free not supported) - openjdk-6 6b23~pre11-1 - openjdk-7 7~b147-2.0-1 - iceweasel NOTE: http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/ - chromium-browser 15.0.874.106~r107270-1 [squeeze] - chromium-browser - lighttpd 1.4.30-1 NOTE: strictly speaking this is no lighttpd issue, but lighttpd adds a workaround - curl 7.24.0-1 NOTE: http://curl.haxx.se/docs/adv_20120124B.html - python2.6 2.6.8-0.1 (bug #684511) [squeeze] - python2.6 (Minor issue) - python2.7 2.7.3~rc1-1 - python3.1 (bug #678998) [squeeze] - python3.1 (Minor issue) - python3.2 3.2.3~rc1-1 NOTE: http://bugs.python.org/issue13885 NOTE: python3.1 is fixed starting 3.1.5 - cyassl - gnutls26 (unimportant) - gnutls28 (unimportant) NOTE: No mitigation for gnutls, it is recommended to use TLS 1.1 or 1.2 which is supported since 2.0.0 - haskell-tls (unimportant) NOTE: No mitigation for haskell-tls, it is recommended to use TLS 1.1, which is supported since 0.2 - matrixssl (low) [squeeze] - matrixssl (Minor issue) [wheezy] - matrixssl (Minor issue) NOTE: matrixssl fix this upstream in 3.2.2 - bouncycastle 1.49+dfsg-1 [squeeze] - bouncycastle (Minor issue) [wheezy] - bouncycastle (Minor issue) NOTE: No mitigation for bouncycastle, it is recommended to use TLS 1.1, which is supported since 1.4.9 - nss 3.13.1.with.ckbi.1.88-1 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=665814 NOTE: https://hg.mozilla.org/projects/nss/rev/7f7446fcc7ab - polarssl (unimportant) NOTE: No mitigation for polarssl, it is recommended to use TLS 1.1, which is supported in all releases - tlslite [wheezy] - tlslite (Minor issue) - pound 2.6-2 NOTE: Pound 2.6-2 added an anti_beast.patch to mitigate BEAST attacks. - erlang 1:15.b-dfsg-1 [squeeze] - erlang (Minor issue) - asterisk 1:13.7.2~dfsg-1 [jessie] - asterisk 1:11.13.1~dfsg-2+deb8u1 [wheezy] - asterisk (Minor issue) [squeeze] - asterisk (Not supported in Squeeze LTS) NOTE: http://downloads.digium.com/pub/security/AST-2016-001.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-24972 NOTE: patch for 11 (jessie): https://code.asterisk.org/code/changelog/asterisk?cs=f233bcd81d85626ce5bdd27b05bc95d131faf3e4 NOTE: all versions vulnerable, backport required for wheezy CVE-2011-3388 (Opera before 11.51 allows remote attackers to cause an insecure site t ...) NOT-FOR-US: Opera CVE-2011-3387 (The class file parser in IBM Java 1.4.2 SR13 FP9 allows remote authent ...) NOT-FOR-US: IBM Java CVE-2011-3386 (Unspecified vulnerability in Medtronic Paradigm wireless insulin pump ...) NOT-FOR-US: Medtronic Paradigm wireless insulin pump CVE-2011-3385 (Cross-site scripting (XSS) vulnerability in WebsiteBaker before 2.8, a ...) NOT-FOR-US: WebsiteBaker CVE-2011-3384 (Cross-site scripting (XSS) vulnerability in the Sage add-on 1.3.10 and ...) NOT-FOR-US: Sage CVE-2011-3383 (Cross-site scripting (XSS) vulnerability in KENT-WEB WEB FORUM 5.1 and ...) NOT-FOR-US: KENT-WEB WEB FORUM CVE-2011-3382 (Cross-site scripting (XSS) vulnerability in Phorum before 5.2.16 allow ...) NOT-FOR-US: Phorum CVE-2011-3381 (Cross-site request forgery (CSRF) vulnerability in Phorum before 5.2.1 ...) NOT-FOR-US: Phorum CVE-2011-3380 (Openswan 2.6.29 through 2.6.35 allows remote attackers to cause a deni ...) - openswan (vulnerable versions never uploaded to the archive) CVE-2011-3379 (The is_a function in PHP 5.3.7 and 5.3.8 triggers a call to the __auto ...) - php5 5.3.9-1 [squeeze] - php5 (Introduced in 5.3.7) [lenny] - php5 (Introduced in 5.3.7) CVE-2011-3378 (RPM 4.4.x through 4.9.x, probably before 4.9.1.2, allows remote attack ...) - rpm 4.9.1.2-1 (low; bug #645325) [squeeze] - rpm 4.8.1-6+squeeze1 [lenny] - rpm (rpm isn't used a a package manager, very limited attack vector) CVE-2011-3377 (The web browser plug-in in IcedTea-Web 1.0.x before 1.0.6 and 1.1.x be ...) {DSA-2420-1} - openjdk-6 6b21~pre1-1 - icedtea-web 1.1.4-1 NOTE: Browser plugin was removed in openjdk-6 6b21~pre1-1. CVE-2011-3376 (org/apache/catalina/core/DefaultInstanceManager.java in Apache Tomcat ...) - tomcat7 7.0.22-1 CVE-2011-3375 (Apache Tomcat 6.0.30 through 6.0.33 and 7.x before 7.0.22 does not pro ...) {DSA-2401-1} - tomcat6 6.0.33-1 - tomcat7 7.0.22-1 CVE-2011-3374 (It was found that apt-key in apt, all versions, do not correctly valid ...) - apt (unimportant; bug #642480) NOTE: Not exploitable in Debian, since no keyring URI is defined CVE-2011-3373 (Drupal Views Builk Operations (VBO) module 6.x-1.0 through 6.x-1.10 do ...) NOT-FOR-US: Views Bulk Operations module for Drupal CVE-2011-3372 (imap/nntpd.c in the NNTP server (nntpd) for Cyrus IMAPd 2.4.x before 2 ...) {DSA-2318-1} - cyrus-imapd-2.2 2.4.11-1 (medium) - cyrus-imapd-2.4 2.4.11-1 (medium) - kolab-cyrus-imapd (medium) [squeeze] - kolab-cyrus-imapd (Unsupported in squeeze-lts) CVE-2011-3371 (Multiple cross-site scripting (XSS) vulnerabilities in include/functio ...) NOT-FOR-US: PunBB CVE-2011-3370 (statusnet before 0.9.9 has XSS ...) - statusnet (bug #491723) CVE-2011-3369 (The add_conversation function in conversations.c in EtherApe before 0. ...) - etherape 0.9.12-1 (low; bug #645324) [lenny] - etherape (Minor issue) [squeeze] - etherape 0.9.8-1+squeeze1 CVE-2011-3368 (The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2 ...) {DSA-2405-1} - apache2 2.2.21-2 (medium) NOTE: http://article.gmane.org/gmane.comp.apache.announce/61 CVE-2011-3367 (Arora, possibly 0.11 and other versions, does not use a certain font w ...) - arora (unimportant) NOTE: Requires CA compromise to exploit, browser still displays warning. CVE-2011-3366 (Rekonq 0.7.0 and earlier does not use a certain font when rendering ce ...) - rekonq (Only affected the 0.8.x devel versions and was fixed before final 0.8 release, see bug #647298) NOTE: http://www.kde.org/info/security/advisory-20111003-1.txt CVE-2011-3365 (The KDE SSL Wrapper (KSSL) API in KDE SC 4.6.0 through 4.7.1, and poss ...) - kde4libs 4:4.7.2-1 [squeeze] - kde4libs (only 4.6.0 - 4.7.1 are vulnerable) [lenny] - kde4libs (only 4.6.0 - 4.7.1 are vulnerable) CVE-2011-3364 (Incomplete blacklist vulnerability in the svEscape function in setting ...) - network-manager-applet (ifcfg-rh plugin not built/included in Debian) CVE-2011-3363 (The setup_cifs_sb function in fs/cifs/connect.c in the Linux kernel be ...) - linux-2.6 2.6.39-1 [squeeze] - linux-2.6 2.6.32-34 [lenny] - linux-2.6 (vulnerability introduced in commit 1bfe73c2) CVE-2011-3362 (Integer signedness error in the decode_residual_block function in cavs ...) {DSA-2336-1} - libav 4:0.7.1-7 (bug #641478) - ffmpeg 7:2.4.1-1 - ffmpeg-debian NOTE: http://www.ocert.org/advisories/ocert-2011-002.html CVE-2011-3361 (Cross-site scripting (XSS) vulnerability in CGI/Browse.pm in BackupPC ...) - backuppc 3.2.1-2 (bug #641450) [squeeze] - backuppc 3.1.0-9.1 NOTE: http://sourceforge.net/mailarchive/forum.php?thread_name=f1f1ef74-716d-4af8-b1bf-c1ba6d9a98a1%40SC1EXHC-02.global.atheros.com&forum_name=backuppc-devel NOTE: http://backuppc.cvs.sourceforge.net/viewvc/backuppc/BackupPC/lib/BackupPC/CGI/Browse.pm?r1=1.23&r2=1.24 CVE-2011-3360 (Untrusted search path vulnerability in Wireshark 1.4.x before 1.4.9 an ...) {DSA-2324-1} - wireshark 1.6.2-1 (low) NOTE: http://www.wireshark.org/security/wnpa-sec-2011-15.html CVE-2011-3359 (The dma_rx function in drivers/net/wireless/b43/dma.c in the Linux ker ...) - linux-2.6 2.6.39-1 [squeeze] - linux-2.6 2.6.32-34 [lenny] - linux-2.6 (b43 allocate recieve buffer is 2404 bytes, which is already larger than the upstream fix of increasing it to 2382 bytes) CVE-2011-3358 (Multiple cross-site scripting (XSS) vulnerabilities in MantisBT before ...) {DSA-2308-1} - mantis 1.2.7-1 (low; bug #640297) [squeeze] - mantis (Vulnerable code not present) CVE-2011-3357 (Directory traversal vulnerability in bug_actiongroup_ext_page.php in M ...) {DSA-2308-1} - mantis 1.2.7-1 (medium; bug #640297) CVE-2011-3356 (Multiple cross-site scripting (XSS) vulnerabilities in config_defaults ...) - mantis 1.2.7-1 (low; bug #640297) [squeeze] - mantis (Vulnerable code not present) [lenny] - mantis (Vulnerable code not present) CVE-2011-3355 (evolution-data-server3 3.0.3 through 3.2.1 used insecure (non-SSL) con ...) - evolution-data-server3 3.2.1-1 (bug #641052) CVE-2011-3353 (Buffer overflow in the fuse_notify_inval_entry function in fs/fuse/dev ...) {DSA-2389-1} - linux-2.6 3.1.0~rc4-1~experimental.1 (low) [lenny] - linux-2.6 (vulnerable code introduced in commit 3b463ae0) [squeeze] - linux-2.6 2.6.32-36 CVE-2011-3352 (Zikula 1.3.0 build #3168 and probably prior has XSS flaw due to improp ...) NOT-FOR-US: Zikula CVE-2011-3351 (openvas-scanner before 2011-09-11 creates a temporary file insecurely ...) - openvas-server (low; bug #641327) [squeeze] - openvas-server (Minor issue) NOTE: openvas-scanner in experimental also affected according to #671327 CVE-2011-3349 (lightdm before 0.9.6 writes in .dmrc and Xauthority files using root p ...) - lightdm 0.9.6-1 (bug #639151) CVE-2011-3348 (The mod_proxy_ajp module in the Apache HTTP Server before 2.2.21, when ...) - apache2 2.2.21-1 [squeeze] - apache2 2.2.16-6+squeeze4 [lenny] - apache2 (introduced in 2.2.12) CVE-2011-3347 (A certain Red Hat patch to the be2net implementation in the kernel pac ...) - linux-2.6 3.2-1 [squeeze] - linux-2.6 (Vulnerable code not present) CVE-2011-3346 (Buffer overflow in hw/scsi-disk.c in the SCSI subsystem in QEMU before ...) - qemu-kvm 0.15.1+dfsg-1 (bug #646118) [squeeze] - qemu-kvm (SCSI support in 0.12 generally broken, no complete fix other than updating to 0.15) CVE-2011-3345 (ulp/sdp/sdp_proc.c in the ib_sdp module (aka ib_sdp.ko) in the ofa_ker ...) - ofa-kernel (bug #541849) CVE-2011-3344 (Cross-site scripting (XSS) vulnerability in the Lookup Login/Password ...) NOT-FOR-US: Red Hat Network Satellite server CVE-2011-3343 (Multiple buffer overflows in OpenTTD before 1.1.3 allow local users to ...) {DSA-2386-1} - openttd 1.1.3-1 NOTE: http://www.openwall.com/lists/oss-security/2011/09/02/4 CVE-2011-3342 (Multiple buffer overflows in OpenTTD before 1.1.3 allow remote attacke ...) {DSA-2386-1} - openttd 1.1.3-1 NOTE: http://www.openwall.com/lists/oss-security/2011/09/02/4 CVE-2011-3341 (Multiple off-by-one errors in order_cmd.cpp in OpenTTD before 1.1.3 al ...) {DSA-2386-1} - openttd 1.1.3-1 NOTE: http://www.openwall.com/lists/oss-security/2011/09/02/4 CVE-2011-3340 (SQL injection vulnerability in ATCOM Netvolution 2.5.8 ASP allows remo ...) NOT-FOR-US: ATCOM Netvolution CVE-2010-4832 (Android OS before 2.2 does not display the correct SSL certificate in ...) NOT-FOR-US: Android CVE-2010-4831 (Untrusted search path vulnerability in gdk/win32/gdkinput-win32.c in G ...) - gtk+2.0 (Win32-specific) CVE-2009-5086 (Cross-site scripting (XSS) vulnerability in Appliance Configuration Ma ...) NOT-FOR-US: Juniper IDP CVE-2011-3339 (Cross-site scripting (XSS) vulnerability in the Admin Control Center i ...) NOT-FOR-US: Sentinel HASP Run-time Environment CVE-2011-3338 RESERVED CVE-2011-3337 (eEye Audit ID 2499 in eEye Digital Security Audits 2406 through 2423 f ...) NOT-FOR-US: eEye Digital Security Audits CVE-2011-3336 (regcomp in the BSD implementation of libc is vulnerable to denial of s ...) NOT-FOR-US: BSD CVE-2011-3335 RESERVED CVE-2011-3334 RESERVED CVE-2011-3333 RESERVED CVE-2011-3332 (Stack-based buffer overflow in Iceni Argus 6.20 and earlier and Infix ...) NOT-FOR-US: Iceni Argus CVE-2011-3331 RESERVED CVE-2011-3330 (Buffer overflow in the UnitelWay Windows Device Driver, as used in Sch ...) NOT-FOR-US: Schneider Electric CVE-2011-3329 RESERVED CVE-2011-3328 (The png_handle_cHRM function in pngrutil.c in libpng 1.5.4, when color ...) - libpng (Introduced in 1.5.4, which was only in experimental and which has been fixed since then) CVE-2011-3327 (Heap-based buffer overflow in the ecommunity_ecom2str function in bgp_ ...) {DSA-2316-1} - quagga 0.99.19-1 CVE-2011-3326 (The ospf_flood function in ospf_flood.c in ospfd in Quagga before 0.99 ...) {DSA-2316-1} - quagga 0.99.19-1 CVE-2011-3325 (ospf_packet.c in ospfd in Quagga before 0.99.19 allows remote attacker ...) {DSA-2316-1} - quagga 0.99.19-1 CVE-2011-3324 (The ospf6_lsa_is_changed function in ospf6_lsa.c in the OSPFv3 impleme ...) {DSA-2316-1} - quagga 0.99.19-1 CVE-2011-3323 (The OSPFv3 implementation in ospf6d in Quagga before 0.99.19 allows re ...) {DSA-2316-1} - quagga 0.99.19-1 CVE-2011-3322 (Core Server HMI Service (Coreservice.exe) in Scadatec Limited Procyon ...) NOT-FOR-US: Scadatec Limited Procyon SCADA CVE-2011-3321 (Heap-based buffer overflow in the Siemens WinCC Runtime Advanced Loade ...) NOT-FOR-US: SIMATIC WinCC CVE-2011-3320 (Cross-site scripting (XSS) vulnerability in the Web Administrator comp ...) NOT-FOR-US: GE Intelligent Platforms Proficy Historian CVE-2011-3319 (Buffer overflow in the WRF parsing functionality in the Cisco WebEx Re ...) NOT-FOR-US: WebEx CVE-2011-3318 (Cisco Video Surveillance 2421 and 2500 series cameras with software 1. ...) NOT-FOR-US: Cisco CVE-2011-3317 (Multiple cross-site scripting (XSS) vulnerabilities in the Solution En ...) NOT-FOR-US: Cisco CVE-2011-3316 RESERVED CVE-2011-3315 (Directory traversal vulnerability in Cisco Unified Communications Mana ...) NOT-FOR-US: Cisco CVE-2011-3314 RESERVED CVE-2011-3313 RESERVED CVE-2011-3312 RESERVED CVE-2011-3311 RESERVED CVE-2011-3310 (The Home Page component in Cisco CiscoWorks Common Services before 4.1 ...) NOT-FOR-US: Cisco CiscoWorks CVE-2011-3309 (Cisco Adaptive Security Appliances (ASA) 5500 series devices with soft ...) NOT-FOR-US: Cisco CVE-2011-3308 RESERVED CVE-2011-3307 RESERVED CVE-2011-3306 RESERVED CVE-2011-3305 (Directory traversal vulnerability in Cisco Network Admission Control ( ...) NOT-FOR-US: Cisco Network Admission Control CVE-2011-3304 (Cisco Adaptive Security Appliances (ASA) 5500 series devices, and the ...) NOT-FOR-US: Cisco CVE-2011-3303 (Cisco Adaptive Security Appliances (ASA) 5500 series devices, and the ...) NOT-FOR-US: Cisco CVE-2011-3302 (Cisco Adaptive Security Appliances (ASA) 5500 series devices, and the ...) NOT-FOR-US: Cisco CVE-2011-3301 (Cisco Adaptive Security Appliances (ASA) 5500 series devices, and the ...) NOT-FOR-US: Cisco CVE-2011-3300 (Cisco Adaptive Security Appliances (ASA) 5500 series devices, and the ...) NOT-FOR-US: Cisco CVE-2011-3299 (Cisco Adaptive Security Appliances (ASA) 5500 series devices, and the ...) NOT-FOR-US: Cisco CVE-2011-3298 (Cisco Adaptive Security Appliances (ASA) 5500 series devices, and the ...) NOT-FOR-US: Cisco CVE-2011-3297 (Cisco Firewall Services Module (aka FWSM) 3.1 before 3.1(21), 3.2 befo ...) NOT-FOR-US: Cisco CVE-2011-3296 (Cisco Firewall Services Module (aka FWSM) 3.1 before 3.1(21), 3.2 befo ...) NOT-FOR-US: Cisco CVE-2011-3295 (The NETIO and IPV4_IO processes in Cisco IOS XR 3.8 through 4.1, as us ...) NOT-FOR-US: Cisco IOS XR CVE-2011-3294 (Cross-site scripting (XSS) vulnerability in the login page in the admi ...) NOT-FOR-US: Cisco TelePresence CVE-2011-3293 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Solu ...) NOT-FOR-US: Cisco CVE-2011-3292 RESERVED CVE-2011-3291 RESERVED CVE-2011-3290 (Cisco Identity Services Engine (ISE) before 1.0.4.MR2 has default Orac ...) NOT-FOR-US: Cisco CVE-2011-3289 (Cisco IOS 12.4 and 15.0 through 15.2 allows physically proximate attac ...) NOT-FOR-US: Cisco IOS CVE-2011-3288 (Cisco Unified Presence before 8.5(4) does not properly detect recursio ...) NOT-FOR-US: Cisco CVE-2011-3287 (Cisco Jabber Extensible Communications Platform (aka Jabber XCP) 2.x t ...) NOT-FOR-US: Cisco CVE-2011-3286 RESERVED CVE-2011-3285 (CRLF injection vulnerability in /+CSCOE+/logon.html on Cisco Adaptive ...) NOT-FOR-US: Cisco CVE-2011-3284 RESERVED CVE-2011-3283 (Cisco Carrier Routing System 3.9.1 allows remote attackers to cause a ...) NOT-FOR-US: Cisco CVE-2011-3282 (Unspecified vulnerability in Cisco IOS 12.2SRE before 12.2(33)SRE4, 15 ...) NOT-FOR-US: Cisco CVE-2011-3281 (Unspecified vulnerability in Cisco IOS 15.0 through 15.1, in certain H ...) NOT-FOR-US: Cisco CVE-2011-3280 (Memory leak in the NAT implementation in Cisco IOS 12.1 through 12.4 a ...) NOT-FOR-US: Cisco CVE-2011-3279 (The provider-edge MPLS NAT implementation in Cisco IOS 12.1 through 12 ...) NOT-FOR-US: Cisco CVE-2011-3278 (Unspecified vulnerability in the NAT implementation in Cisco IOS 12.1 ...) NOT-FOR-US: Cisco CVE-2011-3277 (Unspecified vulnerability in the NAT implementation in Cisco IOS 12.1 ...) NOT-FOR-US: Cisco CVE-2011-3276 (Unspecified vulnerability in the NAT implementation in Cisco IOS 12.1 ...) NOT-FOR-US: Cisco CVE-2011-3275 (Memory leak in Cisco IOS 12.4, 15.0, and 15.1, and IOS XE 2.5.x throug ...) NOT-FOR-US: Cisco CVE-2011-3274 (Unspecified vulnerability in Cisco IOS 12.2SRE before 12.2(33)SRE4, 15 ...) NOT-FOR-US: Cisco CVE-2011-3273 (Memory leak in Cisco IOS 15.0 through 15.1, when IPS or Zone-Based Fir ...) NOT-FOR-US: Cisco CVE-2011-3272 (The IP Service Level Agreement (IP SLA) functionality in Cisco IOS 15. ...) NOT-FOR-US: Cisco CVE-2011-3271 (Unspecified vulnerability in the Smart Install functionality in Cisco ...) NOT-FOR-US: Cisco CVE-2011-3270 (Unspecified vulnerability in Cisco IOS 12.2SB before 12.2(33)SB10 and ...) NOT-FOR-US: Cisco CVE-2011-3269 (Lexmark X, W, T, E, C, 6500e, and 25xxN devices before 2011-11-15 allo ...) NOT-FOR-US: Lexmark CVE-2011-3268 (Buffer overflow in the crypt function in PHP before 5.3.7 allows conte ...) - php5 5.3.8-1 [squeeze] - php5 (Only affected 5.3.7) [lenny] - php5 (Only affected 5.3.7) CVE-2011-3267 (PHP before 5.3.7 does not properly implement the error_log function, w ...) {DSA-2408-1} - php5 5.3.7-1 [squeeze] - php5 (Vulnerable code not present) [lenny] - php5 (Vulnerable code not present) CVE-2011-3266 (The proto_tree_add_item function in Wireshark 1.6.0 through 1.6.1 and ...) - wireshark 1.6.2-1 (unimportant) NOTE: no code injection, not treated as a security issue, see README.Debian.security CVE-2010-4830 (SQL injection vulnerability in Resumes/TD_RESUME_Indlist.asp in Techno ...) NOT-FOR-US: Techno Dreams (T-Dreams) Job Career Package CVE-2010-4829 (SQL injection vulnerability in processview.asp in Techno Dreams (T-Dre ...) NOT-FOR-US: Techno Dreams CVE-2010-4828 (Multiple cross-site scripting (XSS) vulnerabilities in SolarWinds Orio ...) NOT-FOR-US: SolarWinds Orion Network Performance Monitor CVE-2010-4827 (Cross-site scripting (XSS) vulnerability in members.asp in Snitz Forum ...) NOT-FOR-US: Snitz Forums CVE-2010-4826 (SQL injection vulnerability in members.asp in Snitz Forums 2000 3.4.07 ...) NOT-FOR-US: Snitz Forums CVE-2010-4825 (Cross-site scripting (XSS) vulnerability in magpie_debug.php in the Tw ...) NOT-FOR-US: Wordpress plugin CVE-2011-3265 (popup.php in Zabbix before 1.8.7 allows remote attackers to read the c ...) - zabbix 1:1.8.9-1 [squeeze] - zabbix (Not supported in Squeeze LTS) CVE-2011-3264 (Zabbix before 1.8.6 allows remote attackers to obtain sensitive inform ...) - zabbix 1:1.8.6-1 (unimportant) [squeeze] - zabbix (Not supported in Squeeze LTS) NOTE: Installation path is known anyway for the Debian package CVE-2011-3263 (zabbix_agentd in Zabbix before 1.8.6 and 1.9.x before 1.9.4 allows con ...) - zabbix 1:1.8.6-1 [squeeze] - zabbix (Not supported in Squeeze LTS) CVE-2011-3262 (tools/libxc/xc_dom_bzimageloader.c in Xen 3.2, 3.3, 4.0, and 4.1 allow ...) {DSA-2337-1} - xen 4.1.1-1 - xen-3 [lenny] - xen-3 (Minor issue; only marginally affected) CVE-2011-3261 (Double free vulnerability in OfficeImport in Apple iOS before 5 allows ...) NOT-FOR-US: Apple iOS CVE-2011-3260 (Buffer overflow in OfficeImport in Apple iOS before 5 allows remote at ...) NOT-FOR-US: Apple iOS CVE-2011-3259 (The kernel in Apple iOS before 5 and Apple TV before 4.4 does not prop ...) NOT-FOR-US: Apple iOS CVE-2011-3258 RESERVED CVE-2011-3257 (The Data Access component in Apple iOS before 5 does not properly hand ...) NOT-FOR-US: Apple iOS CVE-2011-3256 (FreeType 2 before 2.4.7, as used in CoreGraphics in Apple iOS before 5 ...) {DSA-2328-1} - freetype 2.4.7-1 (bug #646120) CVE-2011-3255 (CFNetwork in Apple iOS before 5 stores AppleID credentials in an unspe ...) NOT-FOR-US: Apple iOS CVE-2011-3254 (Cross-site scripting (XSS) vulnerability in Calendar in Apple iOS befo ...) NOT-FOR-US: Apple iOS CVE-2011-3253 (CalDAV in Apple iOS before 5 does not validate X.509 certificates for ...) NOT-FOR-US: Apple iOS CVE-2011-3252 (Buffer overflow in CoreAudio, as used in Apple iTunes before 10.5, all ...) NOT-FOR-US: Apple iTunes CVE-2011-3251 (Apple QuickTime before 7.7.1 on Windows allows remote attackers to exe ...) NOT-FOR-US: Apple QuickTime CVE-2011-3250 (Integer overflow in Apple QuickTime before 7.7.1 allows remote attacke ...) NOT-FOR-US: Apple QuickTime CVE-2011-3249 (Buffer overflow in Apple QuickTime before 7.7.1 allows remote attacker ...) NOT-FOR-US: Apple QuickTime CVE-2011-3248 (Integer signedness error in Apple QuickTime before 7.7.1 allows remote ...) NOT-FOR-US: Apple QuickTime CVE-2011-3247 (Integer overflow in Apple QuickTime before 7.7.1 on Windows allows rem ...) NOT-FOR-US: Apple QuickTime CVE-2011-3246 (CFNetwork in Apple iOS before 5.0.1 and Mac OS X 10.7 before 10.7.2 do ...) NOT-FOR-US: Apple iOS CVE-2011-3245 (The Keyboards component in Apple iOS before 5 displays the final chara ...) NOT-FOR-US: Apple iOS CVE-2011-3244 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-3243 (Cross-site scripting (XSS) vulnerability in WebKit, as used in Apple i ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-3242 (The Private Browsing feature in Apple Safari before 5.1.1 on Mac OS X ...) NOT-FOR-US: Apple Safari CVE-2011-3241 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-3240 RESERVED CVE-2011-3239 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-3238 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-3237 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-3236 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-3235 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-3234 (Google Chrome before 14.0.835.163 does not properly handle boxes, whic ...) - chromium-browser 14.0.835.163~r101024-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/92132 CVE-2011-3233 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-3232 (YARR, as used in Mozilla Firefox before 7.0, Thunderbird before 7.0, a ...) - xulrunner (Only affects Firefox >= 4) - iceweasel 7.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) - icedove (Only affects Thunderbird 5) CVE-2011-3231 (The SSL implementation in Apple Safari before 5.1.1 on Mac OS X before ...) NOT-FOR-US: Apple Safari CVE-2011-3230 (Apple Safari before 5.1.1 on Mac OS X does not enforce an intended pol ...) NOT-FOR-US: Apple Safari CVE-2011-3229 (Directory traversal vulnerability in Apple Safari before 5.1.1 allows ...) NOT-FOR-US: Apple Safari CVE-2011-3228 (QuickTime in Apple Mac OS X before 10.7.2 allows remote attackers to e ...) NOT-FOR-US: QuickTime in Apple Mac OS X CVE-2011-3227 (libsecurity in Apple Mac OS X before 10.7.2 does not properly handle e ...) NOT-FOR-US: libsecurity in Apple Mac OS X CVE-2011-3226 (Open Directory in Apple Mac OS X 10.7 before 10.7.2, when an LDAPv3 se ...) NOT-FOR-US: Open Directory in Apple Mac OS X CVE-2011-3225 (The SMB File Server component in Apple Mac OS X 10.7 before 10.7.2 doe ...) NOT-FOR-US: SMB File Server component in Apple Mac OS X CVE-2011-3224 (The User Documentation component in Apple Mac OS X through 10.6.8 uses ...) NOT-FOR-US: User Documentation component in Apple Mac OS X CVE-2011-3223 (Buffer overflow in QuickTime in Apple Mac OS X before 10.7.2 allows re ...) NOT-FOR-US: QuickTime in Apple Mac OS X CVE-2011-3222 (Buffer overflow in QuickTime in Apple Mac OS X before 10.7.2 allows re ...) NOT-FOR-US: QuickTime in Apple Mac OS X CVE-2011-3221 (QuickTime in Apple Mac OS X before 10.7.2 does not properly handle the ...) NOT-FOR-US: QuickTime in Apple Mac OS X CVE-2011-3220 (QuickTime in Apple Mac OS X before 10.7.2 does not properly process UR ...) NOT-FOR-US: QuickTime in Apple Mac OS X CVE-2011-3219 (Buffer overflow in CoreMedia, as used in Apple iTunes before 10.5, all ...) NOT-FOR-US: Apple CoreMedia CVE-2011-3218 (The "Save for Web" selection in QuickTime Player in Apple Mac OS X thr ...) NOT-FOR-US: QuickTime in Apple Mac OS X CVE-2011-3217 (MediaKit in Apple Mac OS X through 10.6.8 allows remote attackers to e ...) NOT-FOR-US: Mac OS X CVE-2011-3216 (The kernel in Apple Mac OS X before 10.7.2 does not properly implement ...) NOT-FOR-US: kernel in Apple Mac OS X CVE-2011-3215 (The kernel in Apple Mac OS X before 10.7.2 does not properly prevent F ...) NOT-FOR-US: kernel in Apple Mac OS X CVE-2011-3214 (IOGraphics in Apple Mac OS X through 10.6.8 does not properly handle a ...) NOT-FOR-US: IOGraphics in Apple Mac OS X CVE-2011-3213 (The File Systems component in Apple Mac OS X before 10.7.2 does not pr ...) NOT-FOR-US: File Systems component in Apple Mac OS X CVE-2011-3212 (CoreStorage in Apple Mac OS X 10.7 before 10.7.2 does not ensure that ...) NOT-FOR-US: CoreStorage in Apple Mac OS X CVE-2011-3211 (The server in Bcfg2 1.1.2 and earlier, and 1.2 prerelease, allows remo ...) {DSA-2302-1} - bcfg2 1.1.2-2 (bug #640028) NOTE: information as reported by maintainer CVE-2011-3210 (The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through ...) - openssl 1.0.0e-1 [lenny] - openssl 0.9.8g-15+lenny13 [squeeze] - openssl 0.9.8o-4squeeze3 CVE-2011-3209 (The div_long_long_rem implementation in include/asm-x86/div64.h in the ...) - linux-2.6 2.6.26-1 CVE-2011-3208 (Stack-based buffer overflow in the split_wildmats function in nntpd.c ...) {DSA-2318-1} - cyrus-imapd-2.2 2.4.11-1 (medium) - cyrus-imapd-2.4 2.4.11-1 (medium) - kolab-cyrus-imapd (medium) [squeeze] - kolab-cyrus-imapd (Unsupported in squeeze-lts) CVE-2011-3207 (crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not initial ...) - openssl 1.0.0e-1 [squeeze] - openssl (only affects 1.0.0 through 1.0.0d) [lenny] - openssl (only affects 1.0.0 through 1.0.0d) CVE-2011-3206 (Multiple cross-site scripting (XSS) vulnerabilities in the administrat ...) NOT-FOR-US: RHQ CVE-2011-3205 (Buffer overflow in the gopherToHTML function in gopher.cc in the Gophe ...) {DSA-2304-1} - squid3 3.1.15-1 (low; bug #639755) - squid (Only a buffer overflow in Squid 3, see https://bugzilla.redhat.com/show_bug.cgi?id=734583#c4) NOTE: http://www.squid-cache.org/Advisories/SQUID-2011_3.txt CVE-2011-3204 (hammerhead.cc in Hammerhead 2.1.4 allows local users to write to arbit ...) - hammerhead (bug #639890) [lenny] - hammerhead (Minor issue) [squeeze] - hammerhead (Minor issue) NOTE: https://launchpad.net/bugs/826679 CVE-2011-3203 (A Code Execution vulnerability exists the attachment parameter to inde ...) NOT-FOR-US: Jcow CVE-2011-3202 (A Cross-Site Scripting (XSS) vulnerability exists in the g parameter t ...) NOT-FOR-US: Jcow CVE-2011-3201 (GNOME Evolution before 3.2.3 allows user-assisted remote attackers to ...) - evolution (unimportant) NOTE: Any attacks still involve quite some social engineering CVE-2011-3200 (Stack-based buffer overflow in the parseLegacySyslogMsg function in to ...) - rsyslog 5.8.5-1 (low; bug #644611) [squeeze] - rsyslog (Minor issue) [lenny] - rsyslog (Minor issue) NOTE: off-by-one/-two limited to 0 or :0 CVE-2011-3199 (Multiple cross-site scripting (XSS) vulnerabilities in Domain Technolo ...) {DSA-2365-1} - dtc 0.34.1-1 (bug #637584) CVE-2011-3198 (Domain Technologie Control (DTC) before 0.34.1 includes a password in ...) {DSA-2365-1} - dtc 0.34.1-1 (bug #637537) CVE-2011-3197 (SQL injection vulnerability in Domain Technologie Control (DTC) before ...) {DSA-2365-1} - dtc 0.34.1-1 (bug #637487; bug #637498) CVE-2011-3196 (The setup script in Domain Technologie Control (DTC) before 0.34.1 use ...) {DSA-2365-1} - dtc 0.34.1-1 (bug #637485) CVE-2011-3195 (shared/inc/sql/lists.php in Domain Technologie Control (DTC) before 0. ...) {DSA-2365-1} - dtc 0.34.1-1 (bug #637477) CVE-2011-3194 (Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt ...) {DLA-117-1} - qt4-x11 4:4.7.4-1 (bug #641738) CVE-2011-3193 (Heap-based buffer overflow in the Lookup_MarkMarkPos function in the H ...) {DLA-117-1} - qt4-x11 4:4.7.4-1 (bug #641738) - pango1.0 1.28.3-1 NOTE: affected code in pango1.0 removed earlier, but this is the version checked (lenny is affected) CVE-2011-3192 (The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2. ...) {DSA-2298-1} - apache2 2.2.19-2 CVE-2011-3191 (Integer signedness error in the CIFSFindNext function in fs/cifs/cifss ...) {DSA-2310-1 DSA-2303-1} - linux-2.6 3.0.0-5 CVE-2011-3190 (Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 ...) {DSA-2401-1} - tomcat6 6.0.35-1 - tomcat7 7.0.21-1 - tomcat5.5 CVE-2011-3189 (The crypt function in PHP 5.3.7, when the MD5 hash type is used, retur ...) - php5 5.3.8-1 [squeeze] - php5 (Introduced in 5.3.7) [lenny] - php5 (Introduced in 5.3.7) CVE-2011-3188 (The (1) IPv4 and (2) IPv6 implementations in the Linux kernel before 3 ...) {DSA-2310-1 DSA-2303-1} - linux-2.6 3.0.0-2 CVE-2011-3187 (The to_s method in actionpack/lib/action_dispatch/middleware/remote_ip ...) - rails (unimportant) NOTE: X-Forwarded-For header is user supplied (like User-Agent) CVE-2011-3186 (CRLF injection vulnerability in actionpack/lib/action_controller/respo ...) {DSA-2301-1} - rails 2.3.14 CVE-2011-3185 (gtkutils.c in Pidgin before 2.10.0 on Windows allows user-assisted rem ...) - pidgin (Windows-specific) CVE-2011-3184 (The msn_httpconn_parse_data function in httpconn.c in the MSN protocol ...) - pidgin 2.10.0-1 (unimportant) NOTE: Only exploitable by a malicious MSN server to crash the client CVE-2011-3183 (A Cross-Site Scripting (XSS) vulnerability exists in the rcID paramete ...) NOT-FOR-US: Concrete CMS CVE-2011-3182 (PHP before 5.3.7 does not properly check the return values of the mall ...) {DSA-2408-1} - php5 5.3.7-1 (unimportant) NOTE: exploitable by malicious scripts only CVE-2011-3181 (Multiple cross-site scripting (XSS) vulnerabilities in the Tracking fe ...) {DSA-2391-1} - phpmyadmin 4:3.4.4-1 [lenny] - phpmyadmin (Vulnerable code not present) CVE-2011-3180 (kiwi before 4.98.08, as used in SUSE Studio Onsite 1.2 before 1.2.1 an ...) NOT-FOR-US: Suse kiwi (different from python-kiwi) CVE-2011-3179 (The server process in Novell Messenger 2.1 and 2.2.x before 2.2.1, and ...) NOT-FOR-US: Novell Messenger CVE-2011-3178 (In the web ui of the openbuildservice before 2.3.0 a code injection of ...) - open-build-service (Fixed before initial upload to Debian) CVE-2011-3177 (The YaST2 network created files with world readable permissions which ...) NOT-FOR-US: YaST CVE-2011-3176 (Stack-based buffer overflow in the Preboot Service in Novell ZENworks ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2011-3175 (Stack-based buffer overflow in the Preboot Service in Novell ZENworks ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2011-3174 (Buffer overflow in the DoFindReplace function in the ISGrid.Grid2.1 Ac ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2011-3173 (Stack-based buffer overflow in the GetDriverSettings function in nippl ...) NOT-FOR-US: Novell Open Enterprise Server CVE-2011-3172 (A vulnerability in pam_modules of SUSE Linux Enterprise allows attacke ...) - libpam-unix2 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=707645 NOTE: Issue was not fixed up to the version removed from unstable. NOTE: Proposed update form SUSE: https://bugzilla.suse.com/attachment.cgi?id=441720 CVE-2011-3171 (Directory traversal vulnerability in pure-FTPd 1.0.22 and possibly oth ...) NOT-FOR-US: pure-FTPd add-on CVE-2011-3170 (The gif_read_lzw function in filter/image-gif.c in CUPS 1.4.8 and earl ...) {DSA-2354-1} - cups 1.5.0-8 NOTE: This ID is for an incomplete fix for CVE-2011-2896 CVE-2010-4824 (SQL injection vulnerability in the augmentSQL method in core/model/Tra ...) - silverstripe (bug #528461) NOTE: http://seclists.org/oss-sec/2012/q2/209 CVE-2010-4823 (Cross-site scripting (XSS) vulnerability in the httpError method in sa ...) - silverstripe (bug #528461) NOTE: http://seclists.org/oss-sec/2012/q2/209 CVE-2010-4822 (core/model/MySQLDatabase.php in SilverStripe 2.4.x before 2.4.4, when ...) - silverstripe (bug #528461) NOTE: http://seclists.org/oss-sec/2012/q2/209 CVE-2010-4821 (Cross-site scripting (XSS) vulnerability in phpMyFAQ before 2.6.9 allo ...) NOT-FOR-US: phpMyFAQ CVE-2010-4820 (Untrusted search path vulnerability in Ghostscript 8.62 allows local u ...) - ghostscript 8.71~dfsg2-6.1 [lenny] - ghostscript (too risky for regressions) CVE-2010-4819 (The ProcRenderAddGlyphs function in the Render extension (render/rende ...) - xorg-server 2:1.9.0.901-1 [squeeze] - xorg-server 2:1.7.7-14 [lenny] - xorg-server (Minor issue) CVE-2010-4818 (The GLX extension in X.Org xserver 1.7.7 allows remote authenticated u ...) - xorg-server 2:1.9.99.902-1 [squeeze] - xorg-server 2:1.7.7-4 [lenny] - xorg-server (Minor issue) NOTE: As per https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4818 three commits with theoretical sec impact: NOTE: http://cgit.freedesktop.org/xorg/xserver/commit/?id=6c69235a9dfc52e4b4e47630ff4bab1a820eb543 NOTE: http://cgit.freedesktop.org/xorg/xserver/commit/?id=ec9c97c6bf70b523bc500bd3adf62176f1bb33a4 NOTE: http://cgit.freedesktop.org/xorg/xserver/commit/?id=3f0d3f4d97bce75c1828635c322b6560a45a037f CVE-2010-4817 (pithos before 0.3.5 allows overwrite of arbitrary files via symlinks. ...) - pithos 0.3.5-1 CVE-2010-4816 RESERVED CVE-2010-4815 (Coppermine gallery before 1.4.26 has an input validation vulnerability ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2011-3169 (Unspecified vulnerability in the SMTP service implementation in HP TCP ...) NOT-FOR-US: HP OpenVMS CVE-2011-3168 (Unspecified vulnerability in the POP and IMAP service implementations ...) NOT-FOR-US: HP OpenVMS CVE-2011-3167 (Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) ...) NOT-FOR-US: HP OpenView CVE-2011-3166 (Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) ...) NOT-FOR-US: HP OpenView CVE-2011-3165 (Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) ...) NOT-FOR-US: HP OpenView CVE-2011-3164 (Unspecified vulnerability in HP-UX Containers (formerly HP-UX Secure R ...) NOT-FOR-US: HP-UX CVE-2011-3163 (HP MFP Digital Sending Software 4.9x through 4.91.21 allows local user ...) NOT-FOR-US: HP MFP Digital Sending Software CVE-2011-3162 (Unspecified vulnerability in HP Data Protector Notebook Extension 6.20 ...) NOT-FOR-US: HP Data Protector CVE-2011-3161 (Unspecified vulnerability in HP Data Protector Notebook Extension 6.20 ...) NOT-FOR-US: HP Data Protector CVE-2011-3160 (Unspecified vulnerability in HP Data Protector Notebook Extension 6.20 ...) NOT-FOR-US: HP Data Protector CVE-2011-3159 (Unspecified vulnerability in HP Data Protector Notebook Extension 6.20 ...) NOT-FOR-US: HP Data Protector CVE-2011-3158 (Unspecified vulnerability in HP Data Protector Notebook Extension 6.20 ...) NOT-FOR-US: HP Data Protector CVE-2011-3157 (Unspecified vulnerability in HP Data Protector Notebook Extension 6.20 ...) NOT-FOR-US: HP Data Protector CVE-2011-3156 (Unspecified vulnerability in HP Data Protector Notebook Extension 6.20 ...) NOT-FOR-US: HP Data Protector CVE-2011-3155 (Unspecified vulnerability in HP Onboard Administrator (OA) 3.21 throug ...) NOT-FOR-US: HP Onboard Administrator CVE-2011-3154 (DistUpgrade/DistUpgradeViewKDE.py in Update Manager before 1:0.87.31.1 ...) - update-manager (ubuntu-specific issue) NOTE: see bug #650307 CVE-2011-3153 (dmrc.c in Light Display Manager (aka LightDM) before 1.1.1 allows loca ...) - lightdm 1.0.6-2 CVE-2011-3152 (DistUpgrade/DistUpgradeFetcherCore.py in Update Manager before 1:0.87. ...) - update-manager (ubuntu-specific issue) NOTE: see bug #650307 CVE-2011-3151 (The Ubuntu SELinux initscript before version 1:0.10 used touch to crea ...) NOT-FOR-US: Historic Ubuntu init script issue CVE-2011-3150 (Software Center in Ubuntu 11.10, 11.04 10.10 does not properly validat ...) - software-center (ubuntu-specific issue) NOTE: debian package does not contain the vulnerable purchaseview.py code, and probably won't ever as that's part of their commercial interface code CVE-2011-3149 (The _expand_arg function in the pam_env module (modules/pam_env/pam_en ...) {DSA-2326-1} - pam 1.1.3-5 [lenny] - pam (user_env parsing not yet available) CVE-2011-3148 (Stack-based buffer overflow in the _assemble_line function in modules/ ...) {DSA-2326-1} - pam 1.1.3-5 [lenny] - pam (user_env parsing not yet available) CVE-2011-3147 (Versions of nova before 2012.1 could expose hypervisor host files to a ...) - nova 2012.1~e1-1 NOTE: http://bazaar.launchpad.net/~hudson-openstack/nova/trunk/revision/1604 CVE-2011-3146 (librsvg before 2.34.1 uses the node name to identify the type of node, ...) - librsvg 2.34.1-1 [squeeze] - librsvg (Minor issue) NOTE: http://git.gnome.org/browse/librsvg/commit/?id=34c95743ca692ea0e44778e41a7c0a129363de84 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=658014 CVE-2011-3145 (When mount.ecrpytfs_private before version 87-0ubuntu1.2 calls setreui ...) {DSA-2382-1} - ecryptfs-utils 92-1 [lenny] - ecryptfs-utils (Vulnerable code not present) CVE-2011-3144 (Cross-site scripting (XSS) vulnerability in Control Microsystems Clear ...) NOT-FOR-US: Control Microsystems ClearSCADA CVE-2011-3143 (Use-after-free vulnerability in Control Microsystems ClearSCADA 2005, ...) NOT-FOR-US: Control Microsystems ClearSCADA CVE-2011-3142 (Stack-based buffer overflow in an ActiveX control in KVWebSvr.dll in W ...) NOT-FOR-US: WellinTech KingView CVE-2011-3141 (Buffer overflow in the InBatch BatchField ActiveX control for Invensys ...) NOT-FOR-US: Wonderware InBatch CVE-2011-3140 (IBM Web Application Firewall, as used on the G400 IPS-G400-IB-1 and GX ...) NOT-FOR-US: IBM Web Application Firewall CVE-2011-3139 REJECTED CVE-2011-3138 (The LTPA STS module support implementation in IBM Tivoli Federated Ide ...) NOT-FOR-US: Tivoli CVE-2011-3137 (Unspecified vulnerability in the Management Console in IBM Tivoli Fede ...) NOT-FOR-US: Tivoli CVE-2011-3136 (Unspecified vulnerability in the Management Console in IBM Tivoli Fede ...) NOT-FOR-US: Tivoli CVE-2011-3135 (Unspecified vulnerability in the Runtime in IBM Tivoli Federated Ident ...) NOT-FOR-US: Tivoli CVE-2009-5085 (IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.2, whe ...) NOT-FOR-US: Tivoli CVE-2009-5084 (IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.2, whe ...) NOT-FOR-US: Tivoli CVE-2009-5083 (IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.2, whe ...) NOT-FOR-US: Tivoli CVE-2008-7299 (IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.2 uses ...) NOT-FOR-US: Tivoli CVE-2011-3134 (Unspecified vulnerability in TIBCO Spotfire Server 3.0.x before 3.0.2, ...) NOT-FOR-US: TIBCO Spotfire Server CVE-2011-3133 (Session fixation vulnerability in TIBCO Spotfire Server 3.0.x before 3 ...) NOT-FOR-US: TIBCO Spotfire Server CVE-2011-3132 (Cross-site scripting (XSS) vulnerability in TIBCO Spotfire Server 3.0. ...) NOT-FOR-US: TIBCO Spotfire Server CVE-2011-3131 (Xen 4.1.1 and earlier allows local guest OS kernels with control of a ...) {DSA-2582-1} - xen 4.1.2-1 CVE-2011-3130 (wp-includes/taxonomy.php in WordPress 3.1 before 3.1.3 and 3.2 before ...) {DSA-2470-1} - wordpress 3.2.1+dfsg-1 NOTE: CVE allocated from the Wordpress 3.1.3 / 3.2 beta2 release announce CVE-2011-3129 (The file upload functionality in WordPress 3.1 before 3.1.3 and 3.2 be ...) {DSA-2470-1} - wordpress 3.2.1+dfsg-1 NOTE: CVE allocated from the Wordpress 3.1.3 / 3.2 beta2 release announce CVE-2011-3128 (WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 treats unattached att ...) {DSA-2470-1} - wordpress 3.2.1+dfsg-1 NOTE: CVE allocated from the Wordpress 3.1.3 / 3.2 beta2 release announce CVE-2011-3127 (WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 does not prevent rend ...) {DSA-2470-1} - wordpress 3.2.1+dfsg-1 NOTE: CVE allocated from the Wordpress 3.1.3 / 3.2 beta2 release announce CVE-2011-3126 (WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 allows remote attacke ...) {DSA-2470-1} - wordpress 3.2.1+dfsg-1 NOTE: CVE allocated from the Wordpress 3.1.3 / 3.2 beta2 release announce CVE-2011-3125 (Unspecified vulnerability in WordPress 3.1 before 3.1.3 and 3.2 before ...) {DSA-2470-1} - wordpress 3.2.1+dfsg-1 NOTE: CVE allocated from the Wordpress 3.1.3 / 3.2 beta2 release announce CVE-2011-3124 (IBM InfoSphere Information Server 8.5 and 8.5.0.1 on Unix and Linux, a ...) NOT-FOR-US: InfoSphere CVE-2011-3123 (IBM InfoSphere Information Server 8.5 and 8.5.0.1 on Unix and Linux, a ...) NOT-FOR-US: InfoSphere CVE-2011-3122 (Unspecified vulnerability in WordPress 3.1 before 3.1.3 and 3.2 before ...) {DSA-2470-1} - wordpress 3.2.1+dfsg-1 NOTE: CVE allocated from the Wordpress 3.1.3 / 3.2 beta2 release announce NOTE: original advisory seems to be http://technet.microsoft.com/en-us/security/msvr/msvr11-010 CVE-2011-3121 RESERVED CVE-2011-3120 REJECTED CVE-2011-3119 REJECTED CVE-2011-3118 REJECTED CVE-2011-3117 REJECTED CVE-2011-3116 REJECTED CVE-2011-3115 (Google V8, as used in Google Chrome before 19.0.1084.52, allows remote ...) - libv8 (Only affects >= 3.9, bug #687574) CVE-2011-3114 (Multiple buffer overflows in the PDF functionality in Google Chrome be ...) - chromium-browser (PDF functionality not built) [squeeze] - chromium-browser CVE-2011-3113 (The PDF functionality in Google Chrome before 19.0.1084.52 does not pr ...) - chromium-browser (PDF functionality not built) [squeeze] - chromium-browser CVE-2011-3112 (Use-after-free vulnerability in the PDF functionality in Google Chrome ...) - chromium-browser (PDF functionality specific to Chrome) [squeeze] - chromium-browser CVE-2011-3111 (Google V8, as used in Google Chrome before 19.0.1084.52, allows remote ...) - libv8 3.8.9.20-2 (bug #687574) [squeeze] - libv8 (Unsupported in squeeze-lts) CVE-2011-3110 (The PDF functionality in Google Chrome before 19.0.1084.52 allows remo ...) - chromium-browser (PDF functionality not built) [squeeze] - chromium-browser CVE-2011-3109 (Google Chrome before 19.0.1084.52 on Linux does not properly perform a ...) - chromium-browser 20.0.1132.21~r139451-1 [squeeze] - chromium-browser CVE-2011-3108 (Use-after-free vulnerability in Google Chrome before 19.0.1084.52 allo ...) - chromium-browser 20.0.1132.21~r139451-1 [squeeze] - chromium-browser CVE-2011-3107 (Google Chrome before 19.0.1084.52 does not properly implement JavaScri ...) - chromium-browser 20.0.1132.21~r139451-1 [squeeze] - chromium-browser CVE-2011-3106 (The WebSockets implementation in Google Chrome before 19.0.1084.52 doe ...) - chromium-browser 20.0.1132.21~r139451-1 [squeeze] - chromium-browser CVE-2011-3105 (Use-after-free vulnerability in the Cascading Style Sheets (CSS) imple ...) - chromium-browser 20.0.1132.21~r139451-1 [squeeze] - chromium-browser CVE-2011-3104 (Skia, as used in Google Chrome before 19.0.1084.52, allows remote atta ...) - chromium-browser 20.0.1132.21~r139451-1 [squeeze] - chromium-browser CVE-2011-3103 (Google V8, as used in Google Chrome before 19.0.1084.52, does not prop ...) - libv8 (Only affects >= 3.9, bug #687574) CVE-2011-3102 (Off-by-one error in libxml2, as used in Google Chrome before 19.0.1084 ...) {DSA-2479-1} - libxml2 2.7.8.dfsg-9.1 (bug #674191) NOTE: http://git.gnome.org/browse/libxml2/commit/?id=d8e1faeaa99c7a7c07af01c1c72de352eb590a3e CVE-2011-3101 (Google Chrome before 19.0.1084.46 on Linux does not properly mitigate ...) [squeeze] - chromium-browser - chromium-browser 20.0.1132.21~r139451-1 CVE-2011-3100 (Google Chrome before 19.0.1084.46 does not properly draw dash paths, w ...) - chromium-browser 20.0.1132.21~r139451-1 [squeeze] - chromium-browser CVE-2011-3099 (Use-after-free vulnerability in the PDF functionality in Google Chrome ...) - chromium-browser (PDF viewer not included in Chromium) [squeeze] - chromium-browser CVE-2011-3098 (Google Chrome before 19.0.1084.46 on Windows uses an incorrect search ...) - chromium-browser (Windows-specific) [squeeze] - chromium-browser CVE-2011-3097 (The PDF functionality in Google Chrome before 19.0.1084.46 allows remo ...) - chromium-browser (PDF functionality not built) [squeeze] - chromium-browser CVE-2011-3096 (Use-after-free vulnerability in Google Chrome before 19.0.1084.46 on L ...) - chromium-browser 20.0.1132.21~r139451-1 [squeeze] - chromium-browser CVE-2011-3095 (The OGG container in Google Chrome before 19.0.1084.46 allows remote a ...) - chromium-browser 20.0.1132.21~r139451-1 [squeeze] - chromium-browser CVE-2011-3094 (Google Chrome before 19.0.1084.46 does not properly handle Tibetan tex ...) - chromium-browser 20.0.1132.21~r139451-1 [squeeze] - chromium-browser CVE-2011-3093 (Google Chrome before 19.0.1084.46 does not properly handle glyphs, whi ...) - chromium-browser 20.0.1132.21~r139451-1 [squeeze] - chromium-browser CVE-2011-3092 (The regex implementation in Google V8, as used in Google Chrome before ...) - libv8 (Only affects >= 3.9, bug #687574) CVE-2011-3091 (Use-after-free vulnerability in the IndexedDB implementation in Google ...) - chromium-browser 20.0.1132.21~r139451-1 [squeeze] - chromium-browser CVE-2011-3089 (Use-after-free vulnerability in Google Chrome before 19.0.1084.46 allo ...) - chromium-browser 20.0.1132.21~r139451-1 [squeeze] - chromium-browser CVE-2011-3088 (Google Chrome before 19.0.1084.46 does not properly draw hairlines, wh ...) - chromium-browser 20.0.1132.21~r139451-1 [squeeze] - chromium-browser CVE-2011-3087 (Google Chrome before 19.0.1084.46 does not properly perform window nav ...) - chromium-browser 20.0.1132.21~r139451-1 [squeeze] - chromium-browser CVE-2011-3086 (Use-after-free vulnerability in Google Chrome before 19.0.1084.46 allo ...) - chromium-browser 20.0.1132.21~r139451-1 [squeeze] - chromium-browser CVE-2011-3085 (The Autofill feature in Google Chrome before 19.0.1084.46 does not pro ...) - chromium-browser 20.0.1132.21~r139451-1 [squeeze] - chromium-browser CVE-2011-3084 (Google Chrome before 19.0.1084.46 does not use a dedicated process for ...) - chromium-browser 20.0.1132.21~r139451-1 [squeeze] - chromium-browser CVE-2011-3083 (browser/profiles/profile_impl_io_data.cc in Google Chrome before 19.0. ...) - chromium-browser 20.0.1132.21~r139451-1 [squeeze] - chromium-browser CVE-2011-3082 RESERVED CVE-2011-3081 (Use-after-free vulnerability in Google Chrome before 18.0.1025.168 all ...) - chromium-browser 18.0.1025.168~r134367-1 [squeeze] - chromium-browser CVE-2011-3080 (Race condition in the Inter-process Communication (IPC) implementation ...) - chromium-browser 18.0.1025.168~r134367-1 [squeeze] - chromium-browser CVE-2011-3079 (The Inter-process Communication (IPC) implementation in Google Chrome ...) {DSA-3260-1} - chromium-browser 18.0.1025.168~r134367-1 [squeeze] - chromium-browser - iceweasel (Only affects Firefox on Windows) - icedove (Only affects Thunderbird on Windows) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-57/ CVE-2011-3078 (Use-after-free vulnerability in Google Chrome before 18.0.1025.168 all ...) - chromium-browser 18.0.1025.168~r134367-1 [squeeze] - chromium-browser CVE-2011-3077 (Use-after-free vulnerability in Google Chrome before 18.0.1025.151 all ...) - chromium-browser 18.0.1025.151~r130497-1 [squeeze] - chromium-browser CVE-2011-3076 (Use-after-free vulnerability in Google Chrome before 18.0.1025.151 all ...) - chromium-browser 18.0.1025.151~r130497-1 [squeeze] - chromium-browser CVE-2011-3075 (Use-after-free vulnerability in Google Chrome before 18.0.1025.151 all ...) - chromium-browser 18.0.1025.151~r130497-1 [squeeze] - chromium-browser CVE-2011-3074 (Use-after-free vulnerability in Google Chrome before 18.0.1025.151 all ...) - chromium-browser 18.0.1025.151~r130497-1 [squeeze] - chromium-browser CVE-2011-3073 (Use-after-free vulnerability in Google Chrome before 18.0.1025.151 all ...) - chromium-browser 18.0.1025.151~r130497-1 [squeeze] - chromium-browser CVE-2011-3072 (Google Chrome before 18.0.1025.151 allows remote attackers to bypass t ...) - chromium-browser 18.0.1025.151~r130497-1 [squeeze] - chromium-browser CVE-2011-3071 (Use-after-free vulnerability in the HTMLMediaElement implementation in ...) - chromium-browser 18.0.1025.151~r130497-1 [squeeze] - chromium-browser CVE-2011-3070 (Use-after-free vulnerability in Google Chrome before 18.0.1025.151 all ...) - chromium-browser 18.0.1025.151~r130497-1 [squeeze] - chromium-browser CVE-2011-3069 (Use-after-free vulnerability in the Cascading Style Sheets (CSS) imple ...) - chromium-browser 18.0.1025.151~r130497-1 [squeeze] - chromium-browser CVE-2011-3068 (Use-after-free vulnerability in the Cascading Style Sheets (CSS) imple ...) - chromium-browser 18.0.1025.151~r130497-1 [squeeze] - chromium-browser CVE-2011-3067 (Google Chrome before 18.0.1025.151 allows remote attackers to bypass t ...) - chromium-browser 18.0.1025.151~r130497-1 [squeeze] - chromium-browser CVE-2011-3066 (Skia, as used in Google Chrome before 18.0.1025.151, does not properly ...) - chromium-browser 18.0.1025.151~r130497-1 [squeeze] - chromium-browser CVE-2011-3065 (Skia, as used in Google Chrome before 18.0.1025.142, allows remote att ...) - chromium-browser 18.0.1025.142~r129054-1 [squeeze] - chromium-browser CVE-2011-3064 (Use-after-free vulnerability in Google Chrome before 18.0.1025.142 all ...) [squeeze] - chromium-browser - chromium-browser 18.0.1025.142~r129054-1 CVE-2011-3063 (Google Chrome before 18.0.1025.142 does not properly validate the rend ...) - chromium-browser 18.0.1025.142~r129054-1 [squeeze] - chromium-browser CVE-2011-3062 (Off-by-one error in the OpenType Sanitizer in Google Chrome before 18. ...) - chromium-browser 18.0.1025.142~r129054-1 [squeeze] - chromium-browser - icedove 10.0.4-1 [squeeze] - icedove (Vulnerable code not present) - iceweasel 10.0.4esr-1 [squeeze] - iceweasel (Vulnerable code not present) - iceape 2.7.4-1 [squeeze] - iceape (Vulnerable code not present) CVE-2011-3061 (Google Chrome before 18.0.1025.142 does not properly check X.509 certi ...) - chromium-browser 18.0.1025.142~r129054-1 [squeeze] - chromium-browser CVE-2011-3060 (Google Chrome before 18.0.1025.142 does not properly handle text fragm ...) - chromium-browser 18.0.1025.142~r129054-1 [squeeze] - chromium-browser CVE-2011-3059 (Google Chrome before 18.0.1025.142 does not properly handle SVG text e ...) - chromium-browser 18.0.1025.142~r129054-1 [squeeze] - chromium-browser CVE-2011-3058 (Google Chrome before 18.0.1025.142 does not properly handle the EUC-JP ...) - chromium-browser 18.0.1025.142~r129054-1 [squeeze] - chromium-browser CVE-2011-3057 (Google V8, as used in Google Chrome before 17.0.963.83, allows remote ...) - libv8 3.8.9.20-1 (bug #687574) [squeeze] - libv8 (Unsupported in squeeze-lts) NOTE: http://code.google.com/p/chromium/issues/detail?id=117794 NOTE: access restricted to chrome/libv8 bug log, so uncheckable CVE-2011-3056 (Google Chrome before 17.0.963.83 allows remote attackers to bypass the ...) - chromium-browser 17.0.963.83~r127885-1 [squeeze] - chromium-browser CVE-2011-3055 (The browser native UI in Google Chrome before 17.0.963.83 does not req ...) - chromium-browser 17.0.963.83~r127885-1 [squeeze] - chromium-browser CVE-2011-3054 (The WebUI privilege implementation in Google Chrome before 17.0.963.83 ...) - chromium-browser 17.0.963.83~r127885-1 [squeeze] - chromium-browser CVE-2011-3053 (Use-after-free vulnerability in Google Chrome before 17.0.963.83 allow ...) - chromium-browser 17.0.963.83~r127885-1 [squeeze] - chromium-browser CVE-2011-3052 (The WebGL implementation in Google Chrome before 17.0.963.83 does not ...) - chromium-browser 17.0.963.83~r127885-1 [squeeze] - chromium-browser CVE-2011-3051 (Use-after-free vulnerability in the Cascading Style Sheets (CSS) imple ...) - chromium-browser 17.0.963.83~r127885-1 [squeeze] - chromium-browser CVE-2011-3050 (Use-after-free vulnerability in the Cascading Style Sheets (CSS) imple ...) - chromium-browser 17.0.963.83~r127885-1 [squeeze] - chromium-browser CVE-2011-3049 (Google Chrome before 17.0.963.83 does not properly restrict the extens ...) - chromium-browser 17.0.963.83~r127885-1 [squeeze] - chromium-browser CVE-2011-3048 (The png_set_text_2 function in pngset.c in libpng 1.0.x before 1.0.59, ...) {DSA-2446-1} - libpng 1.2.49-1 (bug #667475) CVE-2011-3047 (The GPU process in Google Chrome before 17.0.963.79 allows remote atta ...) - chromium-browser 17.0.963.83~r127885-1 [squeeze] - chromium-browser CVE-2011-3046 (The extension subsystem in Google Chrome before 17.0.963.78 does not p ...) - chromium-browser 17.0.963.78~r125577-1 [squeeze] - chromium-browser CVE-2011-3045 (Integer signedness error in the png_inflate function in pngrutil.c in ...) {DSA-2439-1} - libpng 1.2.47-2 (bug #665208; high) CVE-2011-3044 (Use-after-free vulnerability in Google Chrome before 17.0.963.65 allow ...) - chromium-browser 17.0.963.66~r124982-1 [squeeze] - chromium-browser CVE-2011-3043 (Use-after-free vulnerability in Google Chrome before 17.0.963.65 allow ...) - chromium-browser 17.0.963.66~r124982-1 [squeeze] - chromium-browser CVE-2011-3042 (Use-after-free vulnerability in Google Chrome before 17.0.963.65 allow ...) - chromium-browser 17.0.963.66~r124982-1 [squeeze] - chromium-browser CVE-2011-3041 (Use-after-free vulnerability in Google Chrome before 17.0.963.65 allow ...) - chromium-browser 17.0.963.66~r124982-1 [squeeze] - chromium-browser CVE-2011-3040 (Google Chrome before 17.0.963.65 does not properly handle text, which ...) - chromium-browser 17.0.963.66~r124982-1 [squeeze] - chromium-browser CVE-2011-3039 (Use-after-free vulnerability in Google Chrome before 17.0.963.65 allow ...) - chromium-browser 17.0.963.66~r124982-1 [squeeze] - chromium-browser CVE-2011-3038 (Use-after-free vulnerability in Google Chrome before 17.0.963.65 allow ...) - chromium-browser 17.0.963.66~r124982-1 [squeeze] - chromium-browser CVE-2011-3037 (Google Chrome before 17.0.963.65 does not properly perform casts of un ...) - chromium-browser 17.0.963.66~r124982-1 [squeeze] - chromium-browser CVE-2011-3036 (Google Chrome before 17.0.963.65 does not properly perform a cast of a ...) - chromium-browser 17.0.963.66~r124982-1 [squeeze] - chromium-browser CVE-2011-3035 (Use-after-free vulnerability in Google Chrome before 17.0.963.65 allow ...) - chromium-browser 17.0.963.66~r124982-1 [squeeze] - chromium-browser CVE-2011-3034 (Use-after-free vulnerability in Google Chrome before 17.0.963.65 allow ...) - chromium-browser 17.0.963.66~r124982-1 [squeeze] - chromium-browser CVE-2011-3033 (Buffer overflow in Skia, as used in Google Chrome before 17.0.963.65, ...) - chromium-browser 17.0.963.66~r124982-1 [squeeze] - chromium-browser CVE-2011-3032 (Use-after-free vulnerability in Google Chrome before 17.0.963.65 allow ...) - chromium-browser 17.0.963.66~r124982-1 [squeeze] - chromium-browser CVE-2011-3031 (Use-after-free vulnerability in the element wrapper in Google V8, as u ...) - chromium-browser 17.0.963.66~r124982-1 [squeeze] - chromium-browser CVE-2011-3030 RESERVED CVE-2011-3029 RESERVED CVE-2011-3028 RESERVED CVE-2011-3027 (Google Chrome before 17.0.963.56 does not properly perform a cast of a ...) - chromium-browser 17.0.963.56~r121963-1 [squeeze] - chromium-browser CVE-2011-3026 (Integer overflow in libpng, as used in Google Chrome before 17.0.963.5 ...) {DSA-2410-1} - libpng 1.2.46-5 (high; bug #660026) CVE-2011-3025 (Google Chrome before 17.0.963.56 does not properly parse H.264 data, w ...) - chromium-browser 17.0.963.56~r121963-1 [squeeze] - chromium-browser CVE-2011-3024 (Google Chrome before 17.0.963.56 allows remote attackers to cause a de ...) - chromium-browser 17.0.963.56~r121963-1 [squeeze] - chromium-browser CVE-2011-3023 (Use-after-free vulnerability in Google Chrome before 17.0.963.56 allow ...) - chromium-browser 17.0.963.56~r121963-1 [squeeze] - chromium-browser CVE-2011-3022 (translate/translate_manager.cc in Google Chrome before 17.0.963.56 and ...) - chromium-browser 17.0.963.56~r121963-1 [squeeze] - chromium-browser CVE-2011-3021 (Use-after-free vulnerability in Google Chrome before 17.0.963.56 allow ...) - chromium-browser 17.0.963.56~r121963-1 [squeeze] - chromium-browser CVE-2011-3020 (Unspecified vulnerability in the Native Client validator implementatio ...) - chromium-browser 17.0.963.56~r121963-1 [squeeze] - chromium-browser CVE-2011-3019 (Heap-based buffer overflow in Google Chrome before 17.0.963.56 allows ...) - chromium-browser 17.0.963.56~r121963-1 [squeeze] - chromium-browser CVE-2011-3018 (Heap-based buffer overflow in Google Chrome before 17.0.963.56 allows ...) - chromium-browser 17.0.963.56~r121963-1 [squeeze] - chromium-browser CVE-2011-3017 (Use-after-free vulnerability in Google Chrome before 17.0.963.56 allow ...) - chromium-browser 17.0.963.56~r121963-1 [squeeze] - chromium-browser CVE-2011-3016 (Use-after-free vulnerability in Google Chrome before 17.0.963.56 allow ...) - chromium-browser 17.0.963.56~r121963-1 [squeeze] - chromium-browser CVE-2011-3015 (Multiple integer overflows in the PDF codecs in Google Chrome before 1 ...) - chromium-browser (PDF functionality not built) CVE-2011-3014 (The Mobility Pack before 1.2 in Novell Data Synchronizer 1.x through 1 ...) NOT-FOR-US: Novell Data Synchronizer CVE-2011-3013 (WebAdmin in the Mobility Pack before 1.2 in Novell Data Synchronizer 1 ...) NOT-FOR-US: Novell Data Synchronizer CVE-2011-3012 (The ioQuake3 engine, as used in World of Padman 1.2 and earlier, Tremu ...) - openarena 0.8.5-5+exp1 NOTE: Current openarena packages use the share ioquake3 engine [squeeze] - openarena (Minor issue, will be fixed in point update) - ioquake3 1.36+svn1946-4 - tremulous 1.1.0-6 (bug #660836) [squeeze] - tremulous 1.1.0-7~squeeze1 CVE-2011-3011 (BaseServiceImpl.class in CA ARCserve D2D r15 does not properly handle ...) NOT-FOR-US: CA ARCserve D2D CVE-2011-3010 (Multiple cross-site scripting (XSS) vulnerabilities in TWiki before 5. ...) - twiki CVE-2011-3009 (Ruby before 1.8.6-p114 does not reset the random seed upon forking, wh ...) - ruby1.8 1.8.7.352-1 [squeeze] - ruby1.8 1.8.7.302-2squeeze2 CVE-2011-3008 (The default configuration of Avaya Secure Access Link (SAL) Gateway 1. ...) NOT-FOR-US: Avaya Secure Access Link Gateway CVE-2008-7298 (The Android browser in Android cannot properly restrict modifications ...) NOT-FOR-US: Android browser CVE-2008-7297 (Opera cannot properly restrict modifications to cookies established in ...) NOT-FOR-US: Opera CVE-2008-7296 (Apple Safari cannot properly restrict modifications to cookies establi ...) NOT-FOR-US: Safari, see CVE-2008-7294 for potential webkit ramifications CVE-2008-7295 (Microsoft Internet Explorer cannot properly restrict modifications to ...) NOT-FOR-US: Internet Explorer CVE-2008-7294 (Google Chrome before 4.0.211.0 cannot properly restrict modifications ...) - chromium-browser 4.0.211.0 - webkit CVE-2008-7293 (Mozilla Firefox before 4 cannot properly restrict modifications to coo ...) - iceweasel 4.0-1 (unimportant) NOTE: This is about the lack of HTTP Strict Transport Security, which is ultimately NOTE: a security feature enhancement CVE-2008-7292 (Bugzilla 2.20.x before 2.20.5, 2.22.x before 2.22.3, and 3.0.x before ...) - bugzilla 3.0.4-1 CVE-2011-3007 (The myCIOScn ActiveX control (myCIOScn.dll) in McAfee SaaS Endpoint Pr ...) NOT-FOR-US: McAfee SaaS CVE-2011-3006 (The MyAsUtil ActiveX control in MyAsUtil5.2.0.603.dll in McAfee SaaS E ...) NOT-FOR-US: McAfee SaaS CVE-2011-3005 (Use-after-free vulnerability in Mozilla Firefox 4.x through 6, Thunder ...) - xulrunner (Only affects Firefox >= 4) - iceweasel 7.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) CVE-2011-3004 (The JSSubScriptLoader in Mozilla Firefox 4.x through 6 and SeaMonkey b ...) - xulrunner (Only affects Firefox >= 4) - iceweasel 7.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) CVE-2011-3003 (Mozilla Firefox before 7.0 and SeaMonkey before 2.4 allow remote attac ...) - xulrunner (Only affects Firefox >= 4) - iceweasel 7.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) CVE-2011-3002 (Almost Native Graphics Layer Engine (ANGLE), as used in Mozilla Firefo ...) - xulrunner (Only affects Firefox >= 4) - iceweasel 7.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) CVE-2011-3001 (Mozilla Firefox 4.x through 6, Thunderbird before 7.0, and SeaMonkey b ...) - xulrunner (Only affects Firefox >= 4) - iceweasel 7.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) CVE-2011-3000 (Mozilla Firefox before 3.6.23 and 4.x through 6, Thunderbird before 7. ...) {DSA-2317-1 DSA-2313-1 DSA-2312-1} - icedove 3.1.15-1 [lenny] - icedove - xulrunner (unimportant) - iceweasel 7.0-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-8 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2011-2999 (Mozilla Firefox before 3.6.23 and 4.x through 5, Thunderbird before 6. ...) {DSA-2317-1 DSA-2313-1 DSA-2312-1} - icedove 3.1.15-1 [lenny] - icedove - xulrunner (unimportant) - iceweasel 7.0-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-8 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2011-2998 (Integer underflow in Mozilla Firefox 3.6.x before 3.6.23 allows remote ...) {DSA-2317-1 DSA-2313-1 DSA-2312-1} - icedove 3.1.15-1 [lenny] - icedove - xulrunner (unimportant) - iceweasel 7.0-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-8 [lenny] - iceape (Only a stub package) NOTE: Only affects firefox 3.6 code base, not 4.0 oder later NOTE: xulrunner in wheezy is not covered by security support CVE-2011-2997 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - xulrunner (Only affects Firefox 6) - iceweasel 7.0-1 [lenny] - iceweasel (Only affects Firefox 6) [squeeze] - iceweasel (Only affects Firefox 6) - iceape (Only affects Firefox 6) CVE-2011-2996 (Unspecified vulnerability in the plugin API in Mozilla Firefox 3.6.x b ...) - icedove (Only affects MacOS) - xulrunner (Only affects MacOS) - iceweasel (Only affects MacOS) - iceape (Only affects MacOS) CVE-2011-2995 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2317-1 DSA-2313-1 DSA-2312-1} - icedove 3.1.15-1 [lenny] - icedove - xulrunner (unimportant) - iceweasel 7.0-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-8 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2011-2994 RESERVED CVE-2011-2993 (The implementation of digital signatures for JAR files in Mozilla Fire ...) - xulrunner (Only affects Firefox >= 4) - iceweasel 6.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) CVE-2011-2992 (The Ogg reader in the browser engine in Mozilla Firefox 4.x through 5, ...) - xulrunner (Only affects Firefox >= 4) - iceweasel 6.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) - icedove (Only affects Thunderbird 5) CVE-2011-2991 (The browser engine in Mozilla Firefox 4.x through 5, SeaMonkey 2.x bef ...) - xulrunner (Only affects Firefox >= 4) - iceweasel 6.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) - icedove (Only affects Thunderbird 5) CVE-2011-2990 (The implementation of Content Security Policy (CSP) violation reports ...) - xulrunner (Only affects Firefox >= 4) - iceweasel 6.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) CVE-2011-2989 (The browser engine in Mozilla Firefox 4.x through 5, SeaMonkey 2.x bef ...) - xulrunner (Only affects Firefox >= 4) - iceweasel 6.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) - icedove (Only affects Thunderbird 5) CVE-2011-2988 (Buffer overflow in an unspecified string class in the WebGL shader imp ...) - xulrunner (Only affects Firefox >= 4) - iceweasel 6.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) - icedove (Only affects Thunderbird 5) CVE-2011-2987 (Heap-based buffer overflow in Almost Native Graphics Layer Engine (ANG ...) - xulrunner (Only affects Firefox >= 4) - iceweasel 6.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) - icedove (Only affects Thunderbird 5) CVE-2011-2986 (Mozilla Firefox 4.x through 5, Thunderbird before 6, SeaMonkey 2.x bef ...) - xulrunner (Only affects Windows) - iceweasel (Only affects Windows) - icedove (Only affects Thunderbird 5) CVE-2011-2985 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - xulrunner (Only affects Firefox >= 4) - iceweasel 6.0-1 [lenny] - iceweasel (Only affects Firefox >= 4) [squeeze] - iceweasel (Only affects Firefox >= 4) - iceape (Only affects Firefox >= 4) - icedove (Only affects Thunderbird 5) CVE-2011-2984 (Mozilla Firefox before 3.6.20, SeaMonkey 2.x, Thunderbird 3.x before 3 ...) {DSA-2297-1 DSA-2296-1 DSA-2295-1} - icedove 3.1.12-1 [lenny] - icedove - xulrunner (unimportant) [lenny] - xulrunner (Only affects Firefox >= 3.5) - iceweasel 6.0-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-5 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2011-2983 (Mozilla Firefox before 3.6.20, Thunderbird 2.x and 3.x before 3.1.12, ...) {DSA-2297-1 DSA-2296-1 DSA-2295-1} - icedove 3.1.12-1 [lenny] - icedove - xulrunner (unimportant) [lenny] - xulrunner 1.9.0.19-13 - iceweasel 6.0-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-5 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2011-2982 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2297-1 DSA-2296-1 DSA-2295-1} - icedove 3.1.12-1 [lenny] - icedove - xulrunner (unimportant) [lenny] - xulrunner 1.9.0.19-13 - iceweasel 6.0-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-5 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2011-2981 (The event-management implementation in Mozilla Firefox before 3.6.20, ...) {DSA-2297-1 DSA-2296-1 DSA-2295-1} - icedove 3.1.12-1 [lenny] - icedove - xulrunner (unimportant) [lenny] - xulrunner 1.9.0.19-13 - iceweasel 6.0-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-5 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2011-2980 (Untrusted search path vulnerability in the ThinkPadSensor::Startup fun ...) - icedove (Only affects Windows) - xulrunner (Only affects Windows) - iceweasel (Only affects Windows) CVE-2011-2979 (Bugzilla 4.1.x before 4.1.3 generates different responses for certain ...) {DSA-2322-1} - bugzilla (Only affects Bugzilla 4.1, never uploaded to the archive) CVE-2011-2978 (Bugzilla 2.16rc1 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4 ...) {DSA-2322-1} - bugzilla (low) [squeeze] - bugzilla 3.6.2.0-4.4 CVE-2011-2977 (Bugzilla 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x befo ...) - bugzilla (Only affects Bugzilla on Windows) CVE-2011-2976 (Cross-site scripting (XSS) vulnerability in Bugzilla 2.16rc1 through 2 ...) - bugzilla 3.6.1.0-0.1 (low) NOTE: Fixed in 3.5.1, but 3.6.1 was first fixed upload to archive CVE-2011-2975 (Double free vulnerability in the msAddImageSymbol function in mapsymbo ...) - mapserver 6.0.1-1 [lenny] - mapserver (Vulnerable code not present) [squeeze] - mapserver (Vulnerable code not present) CVE-2011-2974 REJECTED CVE-2011-2973 REJECTED CVE-2011-2972 REJECTED CVE-2011-2971 REJECTED CVE-2011-2970 REJECTED CVE-2011-2969 REJECTED CVE-2011-2968 REJECTED CVE-2011-2967 REJECTED CVE-2011-2966 REJECTED CVE-2011-2965 REJECTED CVE-2011-2964 (foomaticrip.c in foomatic-rip in foomatic-filters in Foomatic 4.0.6 al ...) {DSA-2380-1} - foomatic-filters 4.0.9-1 NOTE: There two implementation of the affected filter: the version from foomatic-filters NOTE: 4.0 is written in C and has been assigned CVE-2011-2964 and the version in NOTE: foomatic-filters 3.x is written in Perl and has been assigned CVE-2011-2697 NOTE: Fixed in foomatic-filters 4.0.8 CVE-2011-2963 (TCPUploadServer.exe in Progea Movicon 11.2 before Build 1084 does not ...) NOT-FOR-US: Progea Movicon CVE-2011-2962 (Multiple stack-based buffer overflows in Invensys Wonderware Informati ...) NOT-FOR-US: Invensys Wonderware Information Server CVE-2011-2961 (Heap-based buffer overflow in AngelServer.exe 6.0.11.3 in Sunway pNetP ...) NOT-FOR-US: Sunway pNetPower CVE-2011-2960 (Heap-based buffer overflow in httpsvr.exe 6.0.5.3 in Sunway ForceContr ...) NOT-FOR-US: Sunway ForceControl CVE-2011-2959 (Stack-based buffer overflow in the Open Database Connectivity (ODBC) s ...) NOT-FOR-US: 7-Technologies Interactive Graphical SCADA System (IGSS) CVE-2011-2958 (Multiple cross-site scripting (XSS) vulnerabilities in Ecava IntegraXo ...) NOT-FOR-US: Ecava IntegraXor CVE-2011-2957 (Unspecified vulnerability in Rockwell Automation FactoryTalk Diagnosti ...) NOT-FOR-US: Rockwell Automation FactoryTalk Diagnostics Viewer CVE-2011-2956 (AzeoTech DAQFactory before 5.85 (Build 1842) does not perform authenti ...) NOT-FOR-US: AzeoTech DAQFactory CVE-2011-XXXX [rtkit: failure to drop supplemental groups] - rtkit 0.10-2 CVE-2011-XXXX [minissdpd multiple issues] - minissdpd 1.0.20110729-1 (bug #635836) CVE-2011-2955 (Use-after-free vulnerability in RealNetworks RealPlayer 11.0 through 1 ...) NOT-FOR-US: RealNetworks RealPlayer 11.0 CVE-2011-2954 (Use-after-free vulnerability in the AutoUpdate feature in RealNetworks ...) NOT-FOR-US: RealNetworks RealPlayer 11.0 CVE-2011-2953 (An unspecified ActiveX control in the browser plugin in RealNetworks R ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-2952 (Use-after-free vulnerability in RealNetworks RealPlayer 11.0 through 1 ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-2951 (Buffer overflow in RealNetworks RealPlayer 11.0 through 11.1 and 14.0. ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-2950 (Heap-based buffer overflow in qcpfformat.dll in RealNetworks RealPlaye ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-2949 (Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11. ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-2948 (RealNetworks RealPlayer 11.0 through 11.1 and 14.0.0 through 14.0.5, R ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-2947 (Cross-zone scripting vulnerability in the RealPlayer ActiveX control i ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-2946 (Unspecified vulnerability in an ActiveX control in RealNetworks RealPl ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-2945 (Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11. ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-2944 (SQL injection vulnerability in login.php in MegaLab The Uploader befor ...) NOT-FOR-US: MegaLab The Uploader CVE-2011-2943 (The irc_msg_who function in msgs.c in the IRC protocol plugin in libpu ...) - pidgin 2.10.0-1 (bug #638709) [squeeze] - pidgin (Only affects 2.8 to 2.10) [lenny] - pidgin (Only affects 2.8 to 2.10) CVE-2011-2942 (A certain Red Hat patch to the __br_deliver function in net/bridge/br_ ...) - linux-2.6 (RHEL-specific backport issue) CVE-2011-2941 (Open redirect vulnerability in Red Hat JBoss Enterprise Portal Platfor ...) NOT-FOR-US: JBoss Enterprise Portal Platform CVE-2011-2940 (stunnel 4.40 and 4.41 might allow remote attackers to execute arbitrar ...) - stunnel4 3:4.42-1 (bug #638758) [squeeze] - stunnel4 (Only 4.4x affected) [lenny] - stunnel4 (Only 4.4x affected) CVE-2011-2939 (Off-by-one error in the decode_xs function in Unicode/Unicode.xs in th ...) - perl 5.12.4-4 (low; bug #637376) [squeeze] - perl 5.10.1-17squeeze3 [lenny] - perl (Minor issue) - libencode-perl 2.44-1 (low) CVE-2011-2938 (Multiple cross-site scripting (XSS) vulnerabilities in filter_api.php ...) - mantis 1.2.6-1 (bug #638321) [squeeze] - mantis (Only affects Mantis 1.1) [lenny] - mantis (Only affects Mantis 1.1) CVE-2011-2937 (Cross-site scripting (XSS) vulnerability in the UI messages functional ...) - roundcube 0.5.4+dfsg-1 (low; bug #641996) [squeeze] - roundcube (Minor issue) CVE-2011-2936 (Elgg through 1.7.10 has a SQL injection vulnerability ...) - elgg (bug #526197) CVE-2011-2935 (Elgg through 1.7.10 has XSS ...) - elgg (bug #526197) CVE-2011-2934 (A Cross Site Request Forgery (CSRF) vulnerability exists in the admini ...) NOT-FOR-US: WebsiteBaker CVE-2011-2933 (An Arbitrary File Upload vulnerability exists in admin/media/upload.ph ...) NOT-FOR-US: WebsiteBaker CVE-2011-2932 (Cross-site scripting (XSS) vulnerability in activesupport/lib/active_s ...) {DSA-2655-1} - rails 2.3.14 CVE-2011-2931 (Cross-site scripting (XSS) vulnerability in the strip_tags helper in a ...) {DSA-2301-1} - rails 2.3.14 CVE-2011-2930 (Multiple SQL injection vulnerabilities in the quote_table_name method ...) {DSA-2301-1} - rails 2.3.14 CVE-2011-2929 (The template selection functionality in actionpack/lib/action_view/tem ...) - rails (Only affects RoR 3.0 and above) CVE-2011-2928 (The befs_follow_link function in fs/befs/linuxvfs.c in the Linux kerne ...) {DSA-2310-1 DSA-2303-1} - linux-2.6 3.0.0-2 CVE-2011-2927 (Multiple cross-site scripting (XSS) vulnerabilities in Spacewalk 1.6, ...) NOT-FOR-US: Red Hat Network Satellite server CVE-2011-2926 RESERVED CVE-2011-2925 (Cumin in Red Hat Enterprise Messaging, Realtime, and Grid (MRG) 2.0 re ...) NOT-FOR-US: Cumin CVE-2011-2924 (foomatic-rip filter v4.0.12 and prior used insecurely creates temporar ...) - foomatic-filters 4.0.12-1 (low) [squeeze] - foomatic-filters 4.0.5-6+squeeze2 CVE-2011-2923 (foomatic-rip filter, all versions, used insecurely creates temporary f ...) - foomatic-filters (unimportant) NOTE: debug mode-only CVE-2011-2922 (ktsuss versions 1.4 and prior spawns the GTK interface to run as root. ...) - ktsuss CVE-2011-2921 (ktsuss versions 1.4 and prior has the uid set to root and does not dro ...) - ktsuss CVE-2011-2920 (Multiple cross-site scripting (XSS) vulnerabilities in Spacewalk 1.6, ...) NOT-FOR-US: Red Hat Network Satellite server CVE-2011-2919 (Cross-site scripting (XSS) vulnerability in Spacewalk 1.6, as used in ...) NOT-FOR-US: Red Hat Network Satellite server CVE-2011-2918 (The Performance Events subsystem in the Linux kernel before 3.1 does n ...) {DSA-2303-1} - linux-2.6 3.0.0-2 [lenny] - linux-2.6 (perf not yet present) CVE-2011-2917 (SQL injection vulnerability in administrator/index2.php in Mambo CMS 4 ...) NOT-FOR-US: Mambo CVE-2011-2916 (qtnx 0.9 stores non-custom SSH keys in a world-readable configuration ...) - qtnx (low; bug #637439) [squeeze] - qtnx (Minor issue) CVE-2011-2915 (Off-by-one error in the CSoundFile::ReadAMS2 function in src/load_ams. ...) {DSA-2415-1} - libmodplug 1:0.8.8.4-1 CVE-2011-2914 (Off-by-one error in the CSoundFile::ReadDSM function in src/load_dms.c ...) {DSA-2415-1} - libmodplug 1:0.8.8.4-1 CVE-2011-2913 (Off-by-one error in the CSoundFile::ReadAMS function in src/load_ams.c ...) {DSA-2415-1} - libmodplug 1:0.8.8.4-1 CVE-2011-2912 (Stack-based buffer overflow in the CSoundFile::ReadS3M function in src ...) {DSA-2415-1} - libmodplug 1:0.8.8.4-1 CVE-2011-2911 (Integer overflow in the CSoundFile::ReadWav function in src/load_wav.c ...) {DSA-2415-1} - libmodplug 1:0.8.8.4-1 CVE-2011-2910 (The AX.25 daemon (ax25d) in ax25-tools before 0.0.8-13 does not check ...) - ax25-tools 0.0.8-13.2 (low; bug #638198) [lenny] - ax25-tools (Minor issue) [squeeze] - ax25-tools (Minor issue) CVE-2011-2909 (The do_devinfo_ioctl function in drivers/staging/comedi/comedi_fops.c ...) {DSA-2303-1} - linux-2.6 3.0.0-2 CVE-2011-2908 (Cross-site request forgery (CSRF) vulnerability in the JMX Console (jm ...) NOT-FOR-US: JBoss Enterprise Application Platform CVE-2011-2907 (Terascale Open-Source Resource and Queue Manager (aka TORQUE Resource ...) - torque 2.4.15+dfsg-1 [squeeze] - torque (Not fixable, would need an update to a release with MUNGE support, clusters typically run in locked down environments) CVE-2011-2906 (** DISPUTED ** Integer signedness error in the pmcraid_ioctl_passthrou ...) NOT-FOR-US: ** REJECT ** CVE-2011-2905 (Untrusted search path vulnerability in the perf_config function in too ...) {DSA-2303-1} - linux-2.6 3.0.0-2 [lenny] - linux-2.6 (perf not yet present) CVE-2011-2904 (Cross-site scripting (XSS) vulnerability in acknow.php in Zabbix befor ...) - zabbix 1:1.8.6-1 [squeeze] - zabbix (Will be handled through point update) CVE-2011-2903 (Heap-based buffer overflow in tcptrack before 1.4.2 might allow attack ...) - tcptrack 1.4.2-1 (unimportant; bug #551092) NOTE: https://bugs.gentoo.org/show_bug.cgi?id=377917 CVE-2011-2902 (zxpdf in xpdf before 3.02-19 as packaged in Debian unstable and 3.02-1 ...) - xpdf 3.02-19 (low; bug #635849) [lenny] - xpdf (zxpdf script is indeed affected, but it's not associated with pdf handling by default, so not a concern for remote abuse) [squeeze] - xpdf 3.02-12+squeeze1 CVE-2011-2901 (Off-by-one error in the __addr_ok macro in Xen 3.3 and earlier allows ...) - xen (Only affects Xen <= 3.3) - xen-3 CVE-2011-2900 (Stack-based buffer overflow in the (1) put_dir function in mongoose.c ...) NOT-FOR-US: Mongoose CVE-2011-2899 (pysmb.py in system-config-printer 0.6.x and 0.7.x, as used in foomatic ...) - foomatic-gui 0.7.9.5 (low) - system-config-printer (Vulnerable code not present; bug #639243) [squeeze] - system-config-printer (Vulnerable code not present) [lenny] - system-config-printer (Minor issue) CVE-2011-2898 (net/packet/af_packet.c in the Linux kernel before 2.6.39.3 does not pr ...) {DSA-2389-1} - linux-2.6 3.0.0-1 [lenny] - linux-2.6 (introduced in 2.6.27) CVE-2011-2897 (gdk-pixbuf through 2.31.1 has GIF loader buffer overflow when initiali ...) - gdk-pixbuf (This only applies to the old standalone copy shipped until Lenny) CVE-2011-2896 (The LZW decompressor in the LWZReadByte function in giftoppm.c in the ...) {DSA-2426-1 DSA-2354-1} - cups 1.5.0-8 - gimp 2.6.11-5 (bug #643753) CVE-2011-2895 (The LZW decompressor in (1) the BufCompressedFill function in fontfile ...) {DSA-2293-1} - libxfont 1:1.4.4-1 CVE-2011-2894 (Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3. ...) - libspring-security-2.0-java 2.0.7.RELEASE-1 (bug #670901) [squeeze] - libspring-security-2.0-java (Minor issue) CVE-2011-2893 (The DataPilot feature in IBM Lotus Symphony 3 before FP3 allows user-a ...) NOT-FOR-US: IBM Lotus Symphony CVE-2011-2892 (Joomla! 1.6.x before 1.6.2 does not prevent page rendering inside a fr ...) NOT-FOR-US: Joomla! CVE-2011-2891 (Joomla! 1.6.x before 1.6.2 allows remote attackers to obtain sensitive ...) NOT-FOR-US: Joomla! CVE-2011-2890 (The MediaViewMedia class in administrator/components/com_media/views/m ...) NOT-FOR-US: Joomla! CVE-2011-2889 (templates/system/error.php in Joomla! before 1.5.23 might allow remote ...) NOT-FOR-US: Joomla! CVE-2011-2888 (IBM Lotus Symphony 3 before FP3 allows remote attackers to cause a den ...) NOT-FOR-US: IBM Lotus Symphony CVE-2011-2887 (IBM Lotus Symphony 3 before FP3 on Linux allows remote attackers to ca ...) NOT-FOR-US: IBM Lotus Symphony CVE-2011-2886 (IBM Lotus Symphony 3 before FP3 allows remote attackers to cause a den ...) NOT-FOR-US: IBM Lotus Symphony CVE-2011-2885 (IBM Lotus Symphony 3 before FP3 allows remote attackers to cause a den ...) NOT-FOR-US: IBM Lotus Symphony CVE-2011-2884 (Multiple unspecified vulnerabilities in IBM Lotus Symphony 3 before FP ...) NOT-FOR-US: IBM Lotus Symphony CVE-2011-2883 (The NSEPA.NsepaCtrl.1 ActiveX control in nsepa.ocx in Citrix Access Ga ...) NOT-FOR-US: Citrix Access Gateway CVE-2011-2882 (Stack-based buffer overflow in the NSEPA.NsepaCtrl.1 ActiveX control i ...) NOT-FOR-US: Citrix Access Gateway CVE-2011-2881 (Google Chrome before 14.0.835.202 does not properly handle Google V8 h ...) - chromium-browser (chromium uses libv8 system copy) - libv8 3.8.9.20-1 (bug #687574) [squeeze] - libv8 (Unsupported in squeeze-lts) NOTE: http://code.google.com/p/chromium/issues/detail?id=97784 NOTE: access restricted to chrome/libv8 bug log, so uncheckable CVE-2011-2880 (Use-after-free vulnerability in Google Chrome before 14.0.835.202 allo ...) - chromium-browser 14.0.835.202~r103287-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/95667 NOTE: http://trac.webkit.org/changeset/95689 NOTE: http://trac.webkit.org/changeset/95728 CVE-2011-2879 (Google Chrome before 14.0.835.202 does not properly consider object li ...) - chromium-browser 14.0.835.202~r103287-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/94984 CVE-2011-2878 (Google Chrome before 14.0.835.202 does not properly restrict access to ...) - chromium-browser 14.0.835.202~r103287-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/95488 CVE-2011-2877 (Google Chrome before 14.0.835.202 does not properly handle SVG text, w ...) - chromium-browser 14.0.835.202~r103287-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/94508 CVE-2011-2876 (Use-after-free vulnerability in Google Chrome before 14.0.835.202 allo ...) - chromium-browser 14.0.835.202~r103287-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/95600 CVE-2011-2875 (Google V8, as used in Google Chrome before 14.0.835.163, does not prop ...) - chromium-browser 14.0.835.163~r101024-1 [squeeze] - chromium-browser - webkit (libv8 issue) - libv8 3.8.9.20-1 (bug #687574) [squeeze] - libv8 (Unsupported in squeeze-lts) NOTE: http://code.google.com/p/chromium/issues/detail?id=95920 NOTE: access restricted to chrome/libv8 bug log, so uncheckable CVE-2011-2874 (Google Chrome before 14.0.835.163 does not perform an expected pin ope ...) - chromium-browser 14.0.835.163~r101024-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-2873 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple WebKit NOTE: reported by google, likely duplicate CVE-2011-2872 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple WebKit NOTE: reported by google, likely duplicate CVE-2011-2871 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple WebKit NOTE: reported by google, likely duplicate CVE-2011-2870 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple WebKit NOTE: reported by google, likely duplicate CVE-2011-2869 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple WebKit NOTE: reported by google, likely duplicate CVE-2011-2868 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple WebKit NOTE: reported by google, likely duplicate CVE-2011-2867 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Apple WebKit NOTE: reported by google, likely duplicate CVE-2011-2866 (WebKit, as used in Apple iTunes before 10.6, allows man-in-the-middle ...) NOT-FOR-US: Apple WebKit NOTE: reported by google, likely duplicate CVE-2011-2865 RESERVED CVE-2011-2864 (Google Chrome before 14.0.835.163 does not properly handle Tibetan cha ...) - chromium-browser 14.0.835.163~r101024-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-2863 (Insufficient policy enforcement in V8 in Google Chrome prior to 14.0.0 ...) - chromium-browser 14.0.835.163~r101024-1 CVE-2011-2862 (Google V8, as used in Google Chrome before 14.0.835.163, does not prop ...) - chromium-browser 14.0.835.163~r101024-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-2861 (Google Chrome before 14.0.835.163 does not properly handle strings in ...) - chromium-browser (pdf plugin) CVE-2011-2860 (Use-after-free vulnerability in Google Chrome before 14.0.835.163 allo ...) - chromium-browser 14.0.835.163~r101024-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/93794 CVE-2011-2859 (Google Chrome before 14.0.835.163 uses incorrect permissions for non-g ...) - chromium-browser 14.0.835.163~r101024-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-2858 (Google Chrome before 14.0.835.163 does not properly handle triangle ar ...) - chromium-browser 14.0.835.163~r101024-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-2857 (Use-after-free vulnerability in Google Chrome before 14.0.835.163 allo ...) - chromium-browser 14.0.835.163~r101024-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/93514 CVE-2011-2856 (Google V8, as used in Google Chrome before 14.0.835.163, allows remote ...) - chromium-browser 14.0.835.163~r101024-1 [squeeze] - chromium-browser (uses libv8 system copy) - webkit - libv8 3.4.14.21-1 [squeeze] - libv8 (Unsupported in squeeze-lts) CVE-2011-2855 (Google Chrome before 14.0.835.163 does not properly handle Cascading S ...) - chromium-browser 14.0.835.163~r101024-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/93227 CVE-2011-2854 (Use-after-free vulnerability in Google Chrome before 14.0.835.163 allo ...) - chromium-browser 14.0.835.163~r101024-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/94109 NOTE: http://trac.webkit.org/changeset/94543 CVE-2011-2853 (Use-after-free vulnerability in Google Chrome before 14.0.835.163 allo ...) - chromium-browser 14.0.835.163~r101024-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-2852 (Off-by-one error in Google V8, as used in Google Chrome before 14.0.83 ...) - chromium-browser 14.0.835.163~r101024-1 [squeeze] - chromium-browser (uses libv8 system copy) - webkit - libv8 3.4.14.21-1 [squeeze] - libv8 (Unsupported in squeeze-lts) CVE-2011-2851 (Google Chrome before 14.0.835.163 does not properly handle video, whic ...) - chromium-browser 14.0.835.163~r101024-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-2850 (Google Chrome before 14.0.835.163 does not properly handle Khmer chara ...) - chromium-browser 14.0.835.163~r101024-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-2849 (The WebSockets implementation in Google Chrome before 14.0.835.163 all ...) - chromium-browser 14.0.835.163~r101024-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-2848 (Google Chrome before 14.0.835.163 allows user-assisted remote attacker ...) - chromium-browser 14.0.835.163~r101024-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-2847 (Use-after-free vulnerability in the document loader in Google Chrome b ...) - chromium-browser 14.0.835.163~r101024-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/93521 CVE-2011-2846 (Use-after-free vulnerability in Google Chrome before 14.0.835.163 allo ...) - chromium-browser 14.0.835.163~r101024-1 [squeeze] - chromium-browser CVE-2011-2845 (Google Chrome before 15.0.874.102 does not properly handle history dat ...) - chromium-browser 15.0.874.106~r107270-1 [squeeze] - chromium-browser CVE-2011-2844 (Google Chrome before 14.0.835.163 does not properly process MP3 files, ...) - chromium-browser 14.0.835.163~r101024-1 [squeeze] - chromium-browser - webkit CVE-2011-2843 (Google Chrome before 14.0.835.163 does not properly handle media buffe ...) - chromium-browser 14.0.835.163~r101024-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-2842 (The installer in Google Chrome before 14.0.835.163 on Mac OS X does no ...) - chromium-browser - webkit CVE-2011-2841 (Google Chrome before 14.0.835.163 does not properly perform garbage co ...) - chromium-browser (pdf plugin) - webkit CVE-2011-2840 (Google Chrome before 14.0.835.163 allows user-assisted remote attacker ...) - chromium-browser 14.0.835.163~r101024-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/90164 CVE-2011-2839 (The PDF implementation in Google Chrome before 13.0.782.215 on Linux d ...) - chromium-browser (Pdf plugin) CVE-2011-2838 (Google Chrome before 14.0.835.163 does not properly consider the MIME ...) - chromium-browser 14.0.835.163~r101024-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-2837 (Google Chrome before 14.0.835.163 on Linux does not use the PIC and PI ...) - chromium-browser 14.0.835.163~r101024-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-2836 (Google Chrome before 14.0.835.163 does not require Infobar interaction ...) - chromium-browser 14.0.835.163~r101024-1 (unimportant) - webkit (chromium specific) CVE-2011-2835 (Race condition in Google Chrome before 14.0.835.163 allows attackers t ...) - chromium-browser 14.0.835.163~r101024-1 [squeeze] - chromium-browser - webkit CVE-2011-2834 (Double free vulnerability in libxml2, as used in Google Chrome before ...) {DSA-2394-1} - libxml2 2.7.8.dfsg-5 (low; bug #643648) CVE-2011-2833 (WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-2832 RESERVED CVE-2011-2831 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-2830 (Google V8, as used in Google Chrome before 14.0.835.163, does not prop ...) NOTE: CVE description is wrong, see #656057 CVE-2011-2829 (Integer overflow in Google Chrome before 13.0.782.215 on 32-bit platfo ...) - chromium-browser 13.0.782.215~r97094-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/92413 CVE-2011-2828 (Google V8, as used in Google Chrome before 13.0.782.215, allows remote ...) - chromium-browser 13.0.782.215~r97094-1 [squeeze] - chromium-browser - webkit (Chromium specific) CVE-2011-2827 (Use-after-free vulnerability in Google Chrome before 13.0.782.215 allo ...) - chromium-browser 13.0.782.215~r97094-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/91908 CVE-2011-2826 (Google Chrome before 13.0.782.215 allows remote attackers to bypass th ...) - chromium-browser 13.0.782.215~r97094-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/91957 CVE-2011-2825 (Use-after-free vulnerability in Google Chrome before 13.0.782.215 allo ...) - chromium-browser 13.0.782.215~r97094-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/r91738 NOTE: http://trac.webkit.org/r91739 NOTE: http://trac.webkit.org/changeset/92744 CVE-2011-2824 (Use-after-free vulnerability in Google Chrome before 13.0.782.215 allo ...) - chromium-browser 13.0.782.215~r97094-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/92630 CVE-2011-2823 (Use-after-free vulnerability in Google Chrome before 13.0.782.215 allo ...) - chromium-browser 13.0.782.215~r97094-1 [squeeze] - chromium-browser CVE-2011-2822 (Google Chrome before 13.0.782.215 on Windows does not properly parse U ...) - chromium-browser (windows only) - webkit CVE-2011-2821 (Double free vulnerability in libxml2, as used in Google Chrome before ...) {DSA-2394-1} - chromium-browser 13.0.782.215~r97094-1 [squeeze] - chromium-browser - webkit (chromium specific) - libxml2 2.7.8.dfsg-5 (low; bug #643648) [squeeze] - libxml2 (denial-of-service only issue) CVE-2011-2820 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-2819 (Google Chrome before 13.0.782.107 allows remote attackers to bypass th ...) - chromium-browser 13.0.782.107~r94237-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/91611 CVE-2011-2818 (Use-after-free vulnerability in Google Chrome before 13.0.782.107 allo ...) {DSA-2307-1} - chromium-browser 13.0.782.107~r94237-1 NOTE: http://trac.webkit.org/changeset/91386 CVE-2011-2817 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-2816 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-2815 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-2814 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-2813 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-2812 RESERVED CVE-2011-2811 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-2810 REJECTED CVE-2011-2809 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-2808 (A stale layout root is set as an input element in WebKit in Google Chr ...) NOTE: Historic webkit/Chromium issues CVE-2011-2807 (Incorrect handling of timer information in Timer.cpp in WebKit in Goog ...) NOTE: Historic webkit/Chromium issues CVE-2011-2806 (Google Chrome before 13.0.782.215 on Windows does not properly handle ...) - chromium-browser (It's in Windows-specific code) CVE-2011-2805 (Google Chrome before 13.0.782.107 allows remote attackers to bypass th ...) - chromium-browser 13.0.782.107~r94237-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/91152 CVE-2011-2804 (Google Chrome before 13.0.782.107 does not properly handle nested func ...) - chromium-browser (pdf plugin) CVE-2011-2803 (Google Chrome before 13.0.782.107 does not properly handle Skia paths, ...) - chromium-browser 13.0.782.107~r94237-1 [squeeze] - chromium-browser - webkit (skia code) CVE-2011-2802 (Google V8, as used in Google Chrome before 13.0.782.107, does not prop ...) - chromium-browser 13.0.782.107~r94237-1 [squeeze] - chromium-browser - webkit - libv8 3.4 [squeeze] - libv8 NOTE: Bug was introduced in http://code.google.com/p/v8/source/detail?r=8224 CVE-2011-2801 (Use-after-free vulnerability in Google Chrome before 13.0.782.107 allo ...) - chromium-browser 13.0.782.107~r94237-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/90936 CVE-2011-2800 (Google Chrome before 13.0.782.107 allows remote attackers to obtain po ...) {DSA-2307-1} - chromium-browser 13.0.782.107~r94237-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/91044 NOTE: http://developer.apple.com/library/safari/#documentation/Tools/Conceptual/SafariExtensionGuide/MessagesandProxies/MessagesandProxies.html#//apple_ref/doc/uid/TP40009977-CH14-SW9 CVE-2011-2799 (Use-after-free vulnerability in Google Chrome before 13.0.782.107 allo ...) - chromium-browser 13.0.782.107~r94237-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/90130 CVE-2011-2798 (Google Chrome before 13.0.782.107 does not properly restrict access to ...) - chromium-browser 13.0.782.107~r94237-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-2797 (Use-after-free vulnerability in Google Chrome before 13.0.782.107 allo ...) - chromium-browser 13.0.782.107~r94237-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/90595 CVE-2011-2796 (Use-after-free vulnerability in Skia, as used in Google Chrome before ...) - chromium-browser 13.0.782.107~r94237-1 [squeeze] - chromium-browser - webkit (skia code) CVE-2011-2795 (Google Chrome before 13.0.782.107 does not prevent calls to functions ...) - chromium-browser 13.0.782.107~r94237-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/89782 CVE-2011-2794 (Google Chrome before 13.0.782.107 does not properly perform text itera ...) - chromium-browser 13.0.782.107~r94237-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/89831 CVE-2011-2793 (Use-after-free vulnerability in Google Chrome before 13.0.782.107 allo ...) - chromium-browser 13.0.782.107~r94237-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/89595 CVE-2011-2792 (Use-after-free vulnerability in Google Chrome before 13.0.782.107 allo ...) - chromium-browser 13.0.782.107~r94237-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/89836 CVE-2011-2791 (The International Components for Unicode (ICU) functionality in Google ...) - chromium-browser 13.0.782.107~r94237-1 (unimportant) - webkit (icu issue) NOTE: ICU bug only in debug build CVE-2011-2790 (Use-after-free vulnerability in Google Chrome before 13.0.782.107 allo ...) - chromium-browser 13.0.782.107~r94237-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/89165 CVE-2011-2789 (Use-after-free vulnerability in Google Chrome before 13.0.782.107 allo ...) - chromium-browser 13.0.782.107~r94237-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-2788 (Buffer overflow in the inspector serialization functionality in Google ...) - chromium-browser 13.0.782.107~r94237-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/88444 CVE-2011-2787 (Google Chrome before 13.0.782.107 does not properly address re-entranc ...) - chromium-browser 13.0.782.107~r94237-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-2786 (Google Chrome before 13.0.782.107 does not ensure that the speech-inpu ...) - chromium-browser 13.0.782.107~r94237-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-2785 (The extensions implementation in Google Chrome before 13.0.782.107 doe ...) - chromium-browser 13.0.782.107~r94237-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-2784 (Google Chrome before 13.0.782.107 allows remote attackers to obtain se ...) - chromium-browser 13.0.782.107~r94237-1 [squeeze] - chromium-browser - webkit (issue in angleproject) CVE-2011-2783 (Google Chrome before 13.0.782.107 does not ensure that developer-mode ...) - chromium-browser 13.0.782.107~r94237-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-2782 (The drag-and-drop implementation in Google Chrome before 13.0.782.107 ...) - chromium-browser 13.0.782.107~r94237-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-2781 RESERVED CVE-2011-2780 (Directory traversal vulnerability in includes/lib/gz.php in Chyrp 2.0 ...) NOT-FOR-US: Chyrp CVE-2011-2779 (Windows Event Log SmartConnector in HP ArcSight Connector Appliance be ...) NOT-FOR-US: HP ArcSight Connector Appliance CVE-2011-2778 (Multiple heap-based buffer overflows in Tor before 0.2.2.35 allow remo ...) {DSA-2363-1} - tor 0.2.2.35-1 CVE-2011-2777 (samples/powerbtn/powerbtn.sh in acpid (aka acpid2) 2.0.16 and earlier ...) - acpid 1:2.0.14-1 [lenny] - acpid (Vulnerable code not present) [squeeze] - acpid 1:2.0.7-1squeeze3 CVE-2011-2776 (Buffer overflow in the Error function in super.c in Super 3.30.0 might ...) {DSA-2383-1} - super 3.30.0-6 CVE-2011-2775 RESERVED CVE-2011-2774 (The "Reply to message" feature in Mahara 1.3.x and 1.4.x before 1.4.1 ...) - mahara 1.4.1-1 [squeeze] - mahara (Vulnerable code not present) [lenny] - mahara (Vulnerable code not present) CVE-2011-4118 (Mahara before 1.4.1, when MNet (aka the Moodle network feature) is use ...) {DSA-2334-1} - mahara 1.4.1-1 NOTE: http://mahara.org/interaction/forum/topic.php?id=4138 CVE-2011-2773 (Cross-site request forgery (CSRF) vulnerability in Mahara before 1.4.1 ...) {DSA-2334-1} - mahara 1.4.1-1 CVE-2011-2772 (The get_dataroot_image_path function in lib/file.php in Mahara before ...) {DSA-2334-1} - mahara 1.4.1-1 CVE-2011-2771 (Multiple cross-site scripting (XSS) vulnerabilities in Mahara before 1 ...) {DSA-2334-1} - mahara 1.4.1-1 CVE-2011-2770 (Cross-site scripting (XSS) vulnerability in man2html.cgi.c in man2html ...) {DSA-2335-1} - man2html 1.6g-6 CVE-2011-2769 (Tor before 0.2.2.34, when configured as a bridge, accepts the CREATE a ...) {DSA-2331-1} - tor 0.2.2.34-1 CVE-2011-2768 (Tor before 0.2.2.34, when configured as a client or bridge, sends a TL ...) {DSA-2331-1} - tor 0.2.2.34-1 CVE-2011-2767 (mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl ...) {DLA-1507-1} - libapache2-mod-perl2 2.0.10-3 (bug #644169) [stretch] - libapache2-mod-perl2 2.0.10-2+deb9u1 NOTE: https://mail-archives.apache.org/mod_mbox/perl-modperl/201110.mbox/raw/%3C20111004084343.GA21290%40ktnx.net%3E NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=126984 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1623265#c3 CVE-2011-2766 (The FCGI (aka Fast CGI) module 0.70 through 0.73 for Perl, as used by ...) {DSA-2327-1} - libfcgi-perl 0.73-2 (bug #607479) [lenny] - libfcgi-perl (Introduced in 0.70) CVE-2011-2765 (pyro before 3.15 unsafely handles pid files in temporary directory loc ...) - pyro 1:3.14-1 (low; bug #631912) [lenny] - pyro (Minor issue) [squeeze] - pyro (Minor issue) NOTE: https://github.com/irmen/Pyro3/commit/554e095a62c4412c91f981e72fd34a936ac2bf1e CVE-2011-2764 (The FS_CheckFilenameIsNotExecutable function in qcommon/files.c in the ...) - openarena 0.8.5-5+exp1 NOTE: Current openarena packages use the share ioquake3 engine [squeeze] - openarena 0.8.5-5+squeeze1 - ioquake3 1.36+svn1946-4 - tremulous 1.1.0-6 (bug #660836) [squeeze] - tremulous 1.1.0-7~squeeze1 CVE-2011-2763 (The web interface on the LifeSize Room appliance LS_RM1_3.5.3 (11) and ...) NOT-FOR-US: LifeSize Room appliance CVE-2011-2762 (The web interface on the LifeSize Room appliance LS_RM1_3.5.3 (11) all ...) NOT-FOR-US: LifeSize Room appliance CVE-2011-2761 (Google Chrome 14.0.794.0 does not properly handle a reload of a page g ...) - chromium-browser 14.0.835.157~r99685-1 [squeeze] - chromium-browser - webkit (chromium issue) CVE-2011-2760 (Brocade BigIron RX switches allow remote attackers to bypass ACL rules ...) NOT-FOR-US: Brocade BigIron RX CVE-2011-2759 (The login page of IDSWebApp in the Web Administration Tool in IBM Tivo ...) NOT-FOR-US: IBM Tivoli Directory Server CVE-2011-2758 (IDSWebApp in the Web Administration Tool in IBM Tivoli Directory Serve ...) NOT-FOR-US: IBM Tivoli Directory Server CVE-2011-2757 (Directory traversal vulnerability in FileDownload.jsp in ManageEngine ...) NOT-FOR-US: ManageEngine ServiceDesk Plus CVE-2011-2756 (FileDownload.jsp in ManageEngine ServiceDesk Plus 8.0 before Build 801 ...) NOT-FOR-US: ManageEngine ServiceDesk Plus CVE-2011-2755 (Directory traversal vulnerability in FileDownload.jsp in ManageEngine ...) NOT-FOR-US: ManageEngine ServiceDesk Plus CVE-2011-2754 (Cross-site scripting (XSS) vulnerability in the PageBuilder2 (aka Page ...) NOT-FOR-US: IBM WebSphere Portal CVE-2011-2753 (Multiple cross-site request forgery (CSRF) vulnerabilities in Squirrel ...) {DSA-2291-1} - squirrelmail 2:1.4.22-1 (low) NOTE: difficult to exploit CVE-2011-2752 (CRLF injection vulnerability in SquirrelMail 1.4.21 and earlier allows ...) {DSA-2291-1} - squirrelmail 2:1.4.22-1 (low) NOTE: difficult to exploit CVE-2011-2751 (SQL injection vulnerability in Parodia before 6.809 allows remote atta ...) NOT-FOR-US: Parodia CVE-2011-2750 (NFRAgent.exe in Novell File Reporter 1.0.4.2 and earlier allows remote ...) NOT-FOR-US: Novell File Reporter CVE-2011-2749 (The server in ISC DHCP 3.x and 4.x before 4.2.2, 3.1-ESV before 3.1-ES ...) {DSA-2292-1} - isc-dhcp 4.2.2-1 (bug #638404) - dhcp3 CVE-2011-2748 (The server in ISC DHCP 3.x and 4.x before 4.2.2, 3.1-ESV before 3.1-ES ...) {DSA-2292-1} - isc-dhcp 4.2.2-1 (bug #638404) - dhcp3 CVE-2011-2747 (Google Picasa before 3.6 Build 105.67 does not properly handle invalid ...) NOT-FOR-US: Google Picasa CVE-2011-2746 (Unspecified vulnerability in Kernel/Modules/AdminPackageManager.pm in ...) - otrs2 2.4.7-1 (low) [lenny] - otrs2 (Minor issue) CVE-2011-2745 (upload_handler.php in the swfupload extension in Chyrp 2.0 and earlier ...) NOT-FOR-US: Chyrp CVE-2011-2744 (Directory traversal vulnerability in Chyrp 2.1 and earlier allows remo ...) NOT-FOR-US: Chyrp CVE-2011-2743 (Multiple cross-site scripting (XSS) vulnerabilities in Chyrp 2.1 and e ...) NOT-FOR-US: Chyrp CVE-2011-2742 (EMC RSA Adaptive Authentication On-Premise (AAOP) 6.0.2.1 SP1 Patch 2, ...) NOT-FOR-US: EMC RSA Adaptive Authentication On-Premise CVE-2011-2741 (EMC RSA Adaptive Authentication On-Premise (AAOP) 6.0.2.1 SP1 Patch 2, ...) NOT-FOR-US: EMC RSA Adaptive Authentication On-Premise CVE-2011-2740 (EMC RSA Key Manager (RKM) Appliance 2.7 SP1 before 2.7.1.6, when Firef ...) NOT-FOR-US: EMC RSA Key Manager CVE-2011-2739 (The file-blocking feature in EMC Documentum eRoom 7.3.x and 7.4.x befo ...) NOT-FOR-US: EMC Documentum eRoom CVE-2011-2738 (Multiple unspecified vulnerabilities in Cisco Unified Service Monitor ...) NOT-FOR-US: Cisco Unified Service Monitor, CiscoWorks LAN Management Solution CVE-2011-2737 (RSA enVision 3.x and 4.x before 4 SP4 P3 allows remote attackers to re ...) NOT-FOR-US: RSA enVision CVE-2011-2736 (RSA enVision 4.x before 4 SP4 P3 places cleartext administrative crede ...) NOT-FOR-US: RSA enVision CVE-2011-2735 (Multiple buffer overflows in EMC AutoStart 5.3.x and 5.4.x before 5.4. ...) NOT-FOR-US: EMC AutoStart CVE-2011-2734 REJECTED CVE-2011-2733 (EMC RSA Adaptive Authentication On-Premise (AAOP) 6.0.2.1 SP1 Patch 2, ...) NOT-FOR-US: EMC RSA Adaptive Authentication On-Premise CVE-2011-2732 (CRLF injection vulnerability in the logout functionality in VMware Spr ...) - libspring-security-2.0-java 2.0.7.RELEASE-1 (bug #670901) [squeeze] - libspring-security-2.0-java (Minor issue) CVE-2011-2731 (Race condition in the RunAsManager mechanism in VMware SpringSource Sp ...) - libspring-security-2.0-java 2.0.7.RELEASE-1 (bug #670901) [squeeze] - libspring-security-2.0-java (Minor issue) CVE-2011-2730 (VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, ...) {DSA-2504-1} - libspring-2.5-java (bug #677814) CVE-2011-2729 (native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 t ...) - commons-daemon 1.0.7-1 [squeeze] - commons-daemon (Support for libcap was only added in 1.0.6) NOTE: According to http://tomcat.apache.org/security-7.html jsvc needs to be build againt libcap to be exploitable CVE-2011-2728 (The bsd_glob function in the File::Glob module for Perl before 5.14.2 ...) - perl 5.14.2-1 (unimportant) NOTE: requires the attacker to manipulate glob flags CVE-2011-2727 (The (1) templatewrap/templatefoot.php, (2) cmsjs/plugin.js.php, and (3 ...) NOT-FOR-US: Tribiq CMS CVE-2011-2726 (An access bypass issue was found in Drupal 7.x before version 7.5. If ...) - drupal7 7.6-1 CVE-2011-2725 (Directory traversal vulnerability in Ark 4.7.x and earlier allows remo ...) - kdeutils 4:4.6.5-4 (low; bug #635541) [lenny] - kdeutils (Minor issue) [squeeze] - kdeutils 4:4.4.5-1+squeeze1 CVE-2011-2724 (The check_mtab function in client/mount.cifs.c in mount.cifs in smbfs ...) - samba 2:3.4.7~dfsg-2 (low) - cifs-utils 2:5.1-1 (low) [squeeze] - cifs-utils 2:4.5-2+squeeze1 NOTE: cifs-utils was split off from the samba source package with 2:3.4.7~dfsg-2, so marking it as fixed NOTE: http://web.archive.org/web/20111209193822/http://git.samba.org/?p=cifs-utils.git;a=commit;h=1e7a32924b22d1f786b6f490ce8590656f578f91 CVE-2011-2723 (The skb_gro_header_slow function in include/linux/netdevice.h in the L ...) {DSA-2303-1} - linux-2.6 3.0.0-2 CVE-2011-2722 (The send_data_to_stdout function in prnt/hpijs/hpcupsfax.cpp in HP Lin ...) - hplip 3.11.10-1 (bug #635549; low) [squeeze] - hplip 3.10.6-2+squeeze0 [lenny] - hplip (Vulnerable code not present) CVE-2011-2721 (Off-by-one error in the cli_hm_scan function in matcher-hash.c in libc ...) - clamav 0.97.2+dfsg-1 (bug #635599) [squeeze] - clamav 0.97.2+dfsg-1~squeeze1 CVE-2011-2720 (The autocompletion functionality in GLPI before 0.80.2 does not blackl ...) - glpi 0.80.2-1 (bug #635544; unimportant) NOTE: Only supported behind an authenticated HTTP zone CVE-2011-2719 (libraries/auth/swekey/swekey.auth.lib.php in phpMyAdmin 3.x before 3.3 ...) {DSA-2286-1} - phpmyadmin 4:3.4.3.2-1 (low) [lenny] - phpmyadmin (Vulnerable code not present) CVE-2011-2718 (Multiple directory traversal vulnerabilities in the relational schema ...) - phpmyadmin 4:3.4.3.2-1 [squeeze] - phpmyadmin (Vulnerable code not present) [lenny] - phpmyadmin (Vulnerable code not present) CVE-2011-2717 (The DHCPv6 client (dhcp6c) as used in the dhcpv6 project through 2011- ...) NOT-FOR-US: udhcp6c CVE-2011-2716 (The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP s ...) - busybox 1:1.20.0-3 (unimportant; bug #635548) NOTE: the default action script of busybox is not vulnerable to this attack NOTE: fixed in 1.20 (experimental). default script in udeb may be vulnerable. CVE-2011-2715 (An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0 ...) NOT-FOR-US: Drupal data module CVE-2011-2714 (A Cross-Site Scripting vulnerability exists in Drupal 6.20 with Data 6 ...) NOT-FOR-US: Drupal data module CVE-2011-2713 (oowriter in OpenOffice.org 3.3.0 and LibreOffice before 3.4.3 allows u ...) {DSA-2315-1} - libreoffice 1:3.4.3-1 - openoffice.org 1:3.3.0-1 NOTE: Since 3.3.0 openoffice.org is a transitional source package to migrate to libreoffice CVE-2011-2712 (Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before ...) NOT-FOR-US: Apache Wicket CVE-2011-2711 (Cross-site scripting (XSS) vulnerability in the print_fileinfo functio ...) NOT-FOR-US: cgit CVE-2011-2710 (Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before ...) NOT-FOR-US: Joomla! CVE-2011-2709 (libgssapi and libgssglue before 0.4 do not properly check privileges, ...) - libgssglue 0.4-1 (low; bug #670256) [squeeze] - libgssglue (Minor issue in Squeeze) NOTE: Our mount.nfs does not link against libgssglue, NOTE: so we do not appear to be affected directly. CVE-2011-2708 REJECTED CVE-2011-2707 (The ptrace_setxregs function in arch/xtensa/kernel/ptrace.c in the Lin ...) - linux-2.6 (xtensa arch not used in Debian) CVE-2011-2706 (A Cross-Site Scripting (XSS) vulnerability exists in the reorder admin ...) NOT-FOR-US: sNews CVE-2011-2705 (The SecureRandom.random_bytes function in lib/securerandom.rb in Ruby ...) {DLA-235-1 DLA-88-1} - ruby1.8 1.8.7.352-1 (low; bug #635878) - ruby1.9.1 1.9.3~preview1-1 (low) CVE-2011-2704 (Stack-based buffer overflow in MapServer before 4.10.7 and 5.x before ...) {DSA-2285-1} - mapserver 6.0.1-1 CVE-2011-2703 (Multiple SQL injection vulnerabilities in MapServer before 4.10.7, 5.x ...) {DSA-2285-1} - mapserver 6.0.1-1 CVE-2011-2702 (Integer signedness error in Glibc before 2.13 and eglibc before 2.13, ...) - eglibc 2.13-10 [squeeze] - eglibc (ssse3 optimizations not included in squeeze version) - glibc (ssse3 optimizations not included) NOTE: http://web.archive.org/web/20110824011938/http://www.nodefense.org:80/eglibc.txt NOTE: fixed well before 2.13-10, but that is the present testing version that was available to check CVE-2011-2701 (The ocsp_check function in rlm_eap_tls.c in FreeRADIUS 2.1.11, when OC ...) - freeradius (Introduced in 2.1.11, even sid ships 2.1.10+dfsg-3+b2) CVE-2011-2700 (Multiple buffer overflows in the si4713_write_econtrol_string function ...) {DSA-2303-1} - linux-2.6 3.0.0-1 [lenny] - linux-2.6 (Driver introduced in 2.6.32) CVE-2011-2699 (The IPv6 implementation in the Linux kernel before 3.1 does not genera ...) - linux-2.6 3.0.0-2 [squeeze] - linux-2.6 2.6.32-40 CVE-2011-2698 (Off-by-one error in the elem_cell_id_aux function in epan/dissectors/p ...) - wireshark 1.6.1-1 (unimportant) NOTE: no code injection, not treated as a security issue, see README.Debian.security CVE-2011-2697 (foomatic-rip-hplip in HP Linux Imaging and Printing (HPLIP) 3.11.5 all ...) {DSA-2380-1} - hplip 3.10.6-2 (bug #635549; medium) NOTE: hplip might have been fixed earlier than stable, current versions use foomatic-rip NOTE: from foomatic-filters: /usr/lib/cups/filter/foomatic-rip - foomatic-filters 4.0 NOTE: There two implementation of the affected filter: the version from foomatic-filters NOTE: 4.0 is written in C and has been assigned CVE-2011-2964 and the version in NOTE: foomatic-filters 3.x is written in Perl and has been assigned CVE-2011-2697 NOTE: hplip includes local copy of the Perl version. It needs to be checked, whether NOTE: it's modified somehow CVE-2011-2696 (Integer overflow in libsndfile before 1.0.25 allows remote attackers t ...) {DSA-2288-1} - libsndfile 1.0.25-1 CVE-2011-2695 (Multiple off-by-one errors in the ext4 subsystem in the Linux kernel b ...) - linux-2.6 3.0.0-1 [squeeze] - linux-2.6 2.6.32-48 CVE-2011-2694 (Cross-site scripting (XSS) vulnerability in the chg_passwd function in ...) {DSA-2290-1} - samba 2:3.5.10~dfsg-1 (low) CVE-2011-2693 (The perf subsystem in the kernel package 2.6.32-122.el6.x86_64 in Red ...) NOTE: Duplicate of CVE-2011-2521 CVE-2011-2692 (The png_handle_sCAL function in pngrutil.c in libpng 1.0.x before 1.0. ...) {DSA-2287-1} - libpng 1.2.46-1 (low; bug #633871) CVE-2011-2691 (The png_err function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2. ...) {DSA-2287-1} - libpng 1.2.46-1 (low; bug #633871) CVE-2011-2690 (Buffer overflow in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1. ...) {DSA-2287-1} - libpng 1.2.46-1 (high; bug #633871) CVE-2011-2689 (The gfs2_fallocate function in fs/gfs2/file.c in the Linux kernel befo ...) - linux-2.6 3.0.0-1 [squeeze] - linux-2.6 (gfs didn't have fallocate support until 2.6.37) [lenny] - linux-2.6 (gfs didn't have fallocate support until 2.6.37) CVE-2011-2688 (SQL injection vulnerability in mysql/mysql-auth.pl in the mod_authnz_e ...) {DSA-2279-1} - libapache2-mod-authnz-external 3.2.4-2.1 (medium; bug #633637) CVE-2011-2687 (Drupal 7.x before 7.3 allows remote attackers to bypass intended node_ ...) NOTE: http://drupal.org/node/1168756 - drupal7 7.2-1 (bug #633385) - drupal6 6.22-1 [squeeze] - drupal6 6.18-1squeeze1 CVE-2011-2686 (Ruby before 1.8.7-p352 does not reset the random seed upon forking, wh ...) {DLA-88-1} - ruby1.8 1.8.7.352-1 (low; bug #635878) CVE-2011-2685 (Stack-based buffer overflow in the Lotus Word Pro import filter in Lib ...) {DSA-2275-1} - libreoffice 1:3.3.3-1 - openoffice.org 1:3.3.0-1 [lenny] - openoffice.org (Vulnerable code not present) NOTE: Since 3.3.0 openoffice.org is a transitional source package to migrate to libreoffice CVE-2011-2684 (foo2zjs before 20110722dfsg-3ubuntu1 as packaged in Ubuntu, 20110722df ...) - foo2zjs 20110722dfsg-1 (low; bug #633870) [lenny] - foo2zjs (Minor issue) [squeeze] - foo2zjs 20090908dfsg-5.1+squeeze0 CVE-2011-2683 (reseed seeds random numbers from an insecure HTTP request to random.or ...) - reseed [lenny] - reseed (Minor issue) CVE-2010-4814 (SQL injection vulnerability in index1.php in Best Soft Inc. (BSI) Adva ...) NOT-FOR-US: Best Soft Inc. CVE-2010-4813 (Cross-site scripting (XSS) vulnerability in the Category Tokens module ...) NOT-FOR-US: Drupal 6.x Category Tokens module CVE-2010-4812 (Multiple SQL injection vulnerabilities in 6kbbs 8.0 build 20100901 all ...) NOT-FOR-US: 6kbbs CVE-2010-4811 (Multiple cross-site scripting (XSS) vulnerabilities in ajaxmember.php ...) NOT-FOR-US: 6kbbs CVE-2010-4810 (Multiple PHP remote file inclusion vulnerabilities in AR Web Content M ...) NOT-FOR-US: AR Web Content Manager CVE-2010-4809 (SQL injection vulnerability in index.php in DBSite 1.0 allows remote a ...) NOT-FOR-US: DBSite CVE-2010-4808 (SQL injection vulnerability in index.php in Webmatic allows remote att ...) NOT-FOR-US: Webmatic CVE-2011-2682 (The Login component in IBM Rational DOORS Web Access 1.4.x before 1.4. ...) NOT-FOR-US: IBM Rational DOORS Web Access CVE-2011-2681 (IBM Rational DOORS Web Access 1.4.x before 1.4.0.4 does not properly h ...) NOT-FOR-US: IBM Rational DOORS Web Access CVE-2011-2680 (Unspecified vulnerability in IBM Rational DOORS Web Access 1.4.x befor ...) NOT-FOR-US: IBM Rational DOORS Web Access CVE-2011-2679 (Cross-site scripting (XSS) vulnerability in IBM Rational DOORS Web Acc ...) NOT-FOR-US: IBM Rational DOORS Web Access CVE-2011-2678 (The Cisco VPN Client 5.0.7.0240 and 5.0.7.0290 on 64-bit Windows platf ...) NOT-FOR-US: Cisco VPN Client CVE-2011-2677 (Cybozu Office before 8.0.0 allows remote authenticated users to bypass ...) NOT-FOR-US: Cybozu Office CVE-2011-2676 (The A-Form and A-Form bamboo before 1.3.6 and 2.x before 2.0.3, and A- ...) NOT-FOR-US: A-Form CVE-2011-2675 (Cross-site scripting (XSS) vulnerability in Enkai-kun before 110916 al ...) NOT-FOR-US: Enkai-kun CVE-2011-2674 (BaserCMS before 1.6.12 does not properly restrict additions to the mem ...) NOT-FOR-US: BaserCMS CVE-2011-2673 (Cross-site scripting (XSS) vulnerability in BaserCMS before 1.6.13.2 a ...) NOT-FOR-US: BaserCMS CVE-2011-2672 (Cross-site scripting (XSS) vulnerability in SemanticScuttle before 0.9 ...) NOT-FOR-US: SemanticScuttle CVE-2011-2671 (Unspecified vulnerability in Megalith 12th edition through 27th editio ...) NOT-FOR-US: Megalith CVE-2011-2670 (Mozilla Firefox before 3.6 is vulnerable to XSS via the rendering of C ...) - firefox (Fixed before initial upload renamed as src:firefox) - firefox-esr (Fixed before initial upload renamed as src:firefox-esr) CVE-2011-2669 (Mozilla Firefox prior to 3.6 has a DoS vulnerability due to an issue i ...) - firefox (Fixed before initial upload renamed as src:firefox) - firefox-esr (Fixed before initial upload renamed as src:firefox-esr) CVE-2011-2668 (Mozilla Firefox through 1.5.0.3 has a vulnerability in processing the ...) - firefox (Fixed before initial upload renamed as src:firefox) - firefox-esr (Fixed before initial upload renamed as src:firefox-esr) CVE-2011-2667 (Icihttp.exe in CA Gateway Security for HTTP, as used in CA Gateway Sec ...) NOT-FOR-US: CA Gateway Security for HTTP CVE-2011-2666 (The default configuration of the SIP channel driver in Asterisk Open S ...) - asterisk 1:1.8.3.3-1 [squeeze] - asterisk (minor issue; can be addressed through configuration) CVE-2011-2665 (reqresp_parser.c in the SIP channel driver in Asterisk Open Source 1.8 ...) - asterisk 1:1.8.4.3-1 (bug #631445) [squeeze] - asterisk [lenny] - asterisk CVE-2011-2664 (Unspecified vulnerability in Check Point Multi-Domain Management / Pro ...) NOT-FOR-US: Check Point Multi-Domain Management CVE-2011-2663 (Array index error in GroupWise Internet Agent (GWIA) in Novell GroupWi ...) NOT-FOR-US: Novell GroupWise CVE-2011-2662 (Integer signedness error in GroupWise Internet Agent (GWIA) in Novell ...) NOT-FOR-US: Novell GroupWise CVE-2011-2661 (Multiple cross-site scripting (XSS) vulnerabilities in WebAccess in No ...) NOT-FOR-US: Novell GroupWise CVE-2011-2660 (The modify_resolvconf_suse script in the vpnc package before 0.5.1-55. ...) - vpnc NOTE: This only affects the SUSE packaging. CVE-2011-2659 RESERVED CVE-2011-2658 (The ISList.ISAvi ActiveX control in AdminStudio in Novell ZENworks Con ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2011-2657 (Directory traversal vulnerability in the LaunchProcess function in the ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2011-2656 (Unspecified vulnerability in ZfHSrvr.exe in Novell ZENworks Handheld M ...) NOT-FOR-US: Novell ZENworks CVE-2011-2655 (Unspecified vulnerability in ZfHSrvr.exe in Novell ZENworks Handheld M ...) NOT-FOR-US: Novell ZENworks CVE-2011-2654 (The RPC implementation in the server in Novell Cloud Manager 1.1.2 bef ...) NOT-FOR-US: Novell Cloud Manager CVE-2011-2653 (Directory traversal vulnerability in the rtrlet component in Novell ZE ...) NOT-FOR-US: Novell ZENworks CVE-2011-2652 (Cross-site scripting (XSS) vulnerability in Kiwi before 3.74.2, as use ...) NOT-FOR-US: Kiwi, SUSE Studio CVE-2011-2651 (Unspecified vulnerability in the file browser in Kiwi before 3.74.2, a ...) NOT-FOR-US: Kiwi, SUSE Studio CVE-2011-2650 (Cross-site scripting (XSS) vulnerability in Kiwi before 3.74.2, as use ...) NOT-FOR-US: Kiwi, SUSE Studio CVE-2011-2649 (Kiwi before 3.74.2, as used in SUSE Studio 1.1 before 1.1.4, allows at ...) NOT-FOR-US: Kiwi, SUSE Studio CVE-2011-2648 (Unspecified vulnerability in Kiwi before 3.74.2, as used in SUSE Studi ...) NOT-FOR-US: Kiwi, SUSE Studio CVE-2011-2647 (Unspecified vulnerability in Kiwi before 3.74.2, as used in SUSE Studi ...) NOT-FOR-US: Kiwi, SUSE Studio CVE-2011-2646 (Unspecified vulnerability in Kiwi before 3.74.2, as used in SUSE Studi ...) NOT-FOR-US: Kiwi, SUSE Studio CVE-2011-2645 (Unspecified vulnerability in Kiwi before 3.74.2, as used in SUSE Studi ...) NOT-FOR-US: Kiwi, SUSE Studio CVE-2011-2644 (Cross-site scripting (XSS) vulnerability in Kiwi before 3.74.2, as use ...) NOT-FOR-US: Kiwi, SUSE Studio CVE-2011-2643 (Directory traversal vulnerability in sql.php in phpMyAdmin 3.4.x befor ...) - phpmyadmin 4:3.4.3.2-1 [squeeze] - phpmyadmin (Vulnerable code not present) [lenny] - phpmyadmin (Vulnerable code not present) CVE-2011-2642 (Multiple cross-site scripting (XSS) vulnerabilities in the table Print ...) {DSA-2286-1} - phpmyadmin 4:3.4.3.2-1 CVE-2011-XXXX [stardict: minor information disclosure] - stardict 3.0.1-5 (low; bug #632260) [squeeze] - stardict (minor information disclosure) [lenny] - stardict (minor information disclosure) CVE-2011-2641 (Opera 11.11 allows remote attackers to cause a denial of service (appl ...) NOT-FOR-US: Opera CVE-2011-2640 (Opera before 11.10 allows remote attackers to cause a denial of servic ...) NOT-FOR-US: Opera CVE-2011-2639 (Opera before 11.10 does not properly handle hidden animated GIF images ...) NOT-FOR-US: Opera CVE-2011-2638 (Unspecified vulnerability in Opera before 11.10 allows remote attacker ...) NOT-FOR-US: Opera CVE-2011-2637 (Unspecified vulnerability in Opera before 11.10 allows remote attacker ...) NOT-FOR-US: Opera CVE-2011-2636 (Unspecified vulnerability in Opera before 11.10 allows remote attacker ...) NOT-FOR-US: Opera CVE-2011-2635 (The Cascading Style Sheets (CSS) implementation in Opera before 11.10 ...) NOT-FOR-US: Opera CVE-2011-2634 (Opera before 11.10 allows remote attackers to hijack (1) searches and ...) NOT-FOR-US: Opera CVE-2011-2633 (Unspecified vulnerability in Opera before 11.11 allows remote attacker ...) NOT-FOR-US: Opera CVE-2011-2632 (Opera before 11.11 does not properly handle destruction of a Silverlig ...) NOT-FOR-US: Opera CVE-2011-2631 (The Cascading Style Sheets (CSS) implementation in Opera before 11.11 ...) NOT-FOR-US: Opera CVE-2011-2630 (Opera before 11.11 allows user-assisted remote attackers to cause a de ...) NOT-FOR-US: Opera CVE-2011-2629 (Unspecified vulnerability in Opera before 11.11 allows remote attacker ...) NOT-FOR-US: Opera CVE-2011-2628 (Opera before 11.11 does not properly implement FRAMESET elements, whic ...) NOT-FOR-US: Opera CVE-2011-2627 (Unspecified vulnerability in the DOM implementation in Opera before 11 ...) NOT-FOR-US: Opera CVE-2011-2626 (Opera before 11.50 allows remote attackers to cause a denial of servic ...) NOT-FOR-US: Opera CVE-2011-2625 (Opera before 11.50 allows remote attackers to cause a denial of servic ...) NOT-FOR-US: Opera CVE-2011-2624 (Opera before 11.50 allows user-assisted remote attackers to cause a de ...) NOT-FOR-US: Opera CVE-2011-2623 (Unspecified vulnerability in the SVG BiDi implementation in Opera befo ...) NOT-FOR-US: Opera CVE-2011-2622 (Unspecified vulnerability in the Web Workers implementation in Opera b ...) NOT-FOR-US: Opera CVE-2011-2621 (Unspecified vulnerability in Opera before 11.50 allows remote attacker ...) NOT-FOR-US: Opera CVE-2011-2620 (Unspecified vulnerability in Opera before 11.50 allows remote attacker ...) NOT-FOR-US: Opera CVE-2011-2619 (Opera before 11.50 allows remote attackers to cause a denial of servic ...) NOT-FOR-US: Opera CVE-2011-2618 (Opera before 11.50 allows remote attackers to cause a denial of servic ...) NOT-FOR-US: Opera CVE-2011-2617 (Unspecified vulnerability in Opera before 11.50 allows remote attacker ...) NOT-FOR-US: Opera CVE-2011-2616 (Unspecified vulnerability in Opera before 11.50 allows remote attacker ...) NOT-FOR-US: Opera CVE-2011-2615 (Unspecified vulnerability in Opera before 11.50 allows remote attacker ...) NOT-FOR-US: Opera CVE-2011-2614 (The SVG implementation in Opera before 11.50 allows remote attackers t ...) NOT-FOR-US: Opera CVE-2011-2613 (The Array.prototype.join method in Opera before 11.50 allows remote at ...) NOT-FOR-US: Opera CVE-2011-2612 (Unspecified vulnerability in Opera before 11.50 allows remote attacker ...) NOT-FOR-US: Opera CVE-2011-2611 (Unspecified vulnerability in the printing functionality in Opera befor ...) NOT-FOR-US: Opera CVE-2011-2610 (Unspecified vulnerability in Opera before 11.50 has unknown impact and ...) NOT-FOR-US: Opera CVE-2011-2609 (Opera before 11.50 does not properly restrict data: URIs, which makes ...) NOT-FOR-US: Opera CVE-2011-2608 (ovbbccb.exe 6.20.50.0 and other versions in HP OpenView Performance Ag ...) NOT-FOR-US: HP OpenView CVE-2011-2607 (Cross-site scripting (XSS) vulnerability in IBM Rational Team Concert ...) NOT-FOR-US: IBM Rational Team Concert CVE-2011-2606 (Cross-site scripting (XSS) vulnerability in the Web UI in IBM Rational ...) NOT-FOR-US: IBM Rational Team Concert CVE-2011-2605 (CRLF injection vulnerability in the nsCookieService::SetCookieStringIn ...) {DSA-2273-3 DSA-2269-1 DSA-2268-1} - xulrunner (unimportant) [lenny] - xulrunner 1.9.0.19-12 - iceweasel 3.5.19-3 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-3 [lenny] - iceape (Only a stub package) - icedove 3.1.11-1 [lenny] - icedove NOTE: xulrunner in wheezy is not covered by security support CVE-2011-2604 (The Intel G41 driver 6.14.10.5355 on Windows XP SP3 allows remote atta ...) NOT-FOR-US: Windows XP CVE-2011-2603 (The NVIDIA 9400M driver 6.2.6 on Mac OS X 10.6.7 allows remote attacke ...) NOT-FOR-US: Mac OS X CVE-2011-2602 (The NVIDIA Geforce 310 driver 6.14.12.7061 on Windows XP SP3 allows re ...) NOT-FOR-US: Windows XP CVE-2011-2601 (The GPU support functionality in Mac OS X does not properly restrict r ...) NOT-FOR-US: Mac OS X CVE-2011-2600 (The GPU support functionality in Windows XP does not properly restrict ...) NOT-FOR-US: Windows XP CVE-2011-2599 (Google Chrome 11 does not block use of a cross-domain image as a WebGL ...) - chromium-browser (unimportant) [squeeze] - chromium-browser CVE-2011-2598 (The WebGL implementation in Mozilla Firefox 4.x allows remote attacker ...) - xulrunner (Only affects Firefox 4.0, not yet in unstable) - iceweasel (Only affects Firefox 4.0, not yet in unstable) CVE-2009-5082 (The (1) configure and (2) config.guess scripts in GNU troff (aka groff ...) - groff 1.20.1-5 (unimportant; bug #538338) NOTE: Only exploitable during build CVE-2009-5081 (The (1) config.guess, (2) contrib/groffer/perl/groffer.pl, and (3) con ...) - groff 1.20.1-5 (unimportant) NOTE: Only exploitable during build CVE-2009-5080 (The (1) contrib/eqn2graph/eqn2graph.sh, (2) contrib/grap2graph/grap2gr ...) - groff 1.20.1-5 (low; bug #538330) [lenny] - groff (Minor issue) CVE-2009-5079 (The (1) gendef.sh, (2) doc/fixinfo.sh, and (3) contrib/gdiffmk/tests/r ...) - groff 1.20.1-5 (unimportant) CVE-2009-5078 (contrib/pdfmark/pdfroff.sh in GNU troff (aka groff) before 1.21 launch ...) - groff 1.20.1-5 (low; bug #538338) [etch] - groff (pdfroff not yet present) [lenny] - groff (pdfroff not yet present) CVE-2011-2597 (The Lucent/Ascend file parser in Wireshark 1.2.x before 1.2.18, 1.4.x ...) - wireshark 1.6.1-1 (unimportant) NOTE: no code injection, not treated as a security issue, see README.Debian.security CVE-2011-2596 RESERVED CVE-2011-2595 (Multiple stack-based buffer overflows in ACDSee FotoSlate 4.0 Build 14 ...) NOT-FOR-US: ACDSee FotoSlate CVE-2011-2594 (Heap-based buffer overflow in KMPlayer 3.0.0.1441, and possibly other ...) NOT-FOR-US: KMPlayer NOTE: This is http://www.kmplayer.com and not our kmplayer package. CVE-2011-2593 (Integer overflow in the StartEpa method in the nsepacom ActiveX contro ...) NOT-FOR-US: Citrix Access Gateway Enterprise Edition Plug-in CVE-2011-2592 (Heap-based buffer overflow in the StartEpa method in the nsepacom Acti ...) NOT-FOR-US: ActiveX control for Citrix Access Gateway CVE-2011-2591 (Multiple buffer overflows in the Provideo ActiveX controls allow remot ...) NOT-FOR-US: Provideo ActiveX CVE-2011-2590 (The Play method in the UUPlayer ActiveX control 6.0.0.1 in UUSee 2010 ...) NOT-FOR-US: UUSee 201 CVE-2011-2589 (Heap-based buffer overflow in the SendLogAction method in the UUPlayer ...) NOT-FOR-US: UUSee 201 CVE-2011-2588 (Heap-based buffer overflow in the AVI_ChunkRead_strf function in libav ...) - vlc 1.1.11-1 (bug #633675) [squeeze] - vlc (Unsupported in squeeze-lts) CVE-2011-2587 (Heap-based buffer overflow in the DemuxAudioSipr function in real.c in ...) - vlc 1.1.11-1 (bug #633674) [squeeze] - vlc (Unsupported in squeeze-lts) CVE-2011-2586 (The HTTP client in Cisco IOS 12.4 and 15.0 allows user-assisted remote ...) NOT-FOR-US: Cisco IOS CVE-2011-2585 (Cisco Show and Share 5(2), 5.2(1), and 5.2(2) before 5.2(2.1) allows r ...) NOT-FOR-US: Cisco Show and Share CVE-2011-2584 (Cisco Show and Share 5(2), 5.2(1), and 5.2(2) before 5.2(2.1) allows r ...) NOT-FOR-US: Cisco Show and Share CVE-2011-2583 (Cisco Unified Contact Center Express (aka CCX) 8.0 and 8.5 allows remo ...) NOT-FOR-US: Cisco CCX CVE-2011-2582 RESERVED CVE-2011-2581 (The ACL implementation in Cisco NX-OS 5.0(2) and 5.0(3) before 5.0(3)N ...) NOT-FOR-US: Cisco NX-OS CVE-2011-2580 RESERVED CVE-2011-2579 RESERVED CVE-2011-2578 (Memory leak in Cisco IOS 15.1 and 15.2 allows remote attackers to caus ...) NOT-FOR-US: Cisco IOS CVE-2011-2577 (Unspecified vulnerability in Cisco TelePresence C Series Endpoints, E/ ...) NOT-FOR-US: Cisco TelePresence CVE-2011-2576 RESERVED CVE-2011-2575 RESERVED CVE-2011-2574 RESERVED CVE-2011-2573 RESERVED CVE-2011-2572 RESERVED CVE-2011-2571 RESERVED CVE-2011-2570 RESERVED CVE-2011-2569 (Cisco Nexus OS (aka NX-OS) 4.2 and 5.0 and Cisco Unified Computing Sys ...) NOT-FOR-US: Cisco NX-OS CVE-2011-2568 RESERVED CVE-2011-2567 RESERVED CVE-2011-2566 RESERVED CVE-2011-2565 RESERVED CVE-2011-2564 (Unspecified vulnerability in the Service Advertisement Framework (SAF) ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2011-2563 (Unspecified vulnerability in the Service Advertisement Framework (SAF) ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2011-2562 (Unspecified vulnerability in Cisco Unified Communications Manager (aka ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2011-2561 (The SIP process in Cisco Unified Communications Manager (aka CUCM, for ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2011-2560 (The Packet Capture Service in Cisco Unified Communications Manager (ak ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2011-2559 RESERVED CVE-2011-2558 RESERVED CVE-2011-2557 RESERVED CVE-2011-2556 RESERVED CVE-2011-2555 (Cisco TelePresence Recording Server 1.7.2.x before 1.7.2.1 has a defau ...) NOT-FOR-US: Cisco TelePresence Recording Server CVE-2011-2554 RESERVED CVE-2011-2553 RESERVED CVE-2011-2552 RESERVED CVE-2011-2551 RESERVED CVE-2011-2550 RESERVED CVE-2011-2549 (Unspecified vulnerability in Cisco IOS XR 4.1.x before 4.1.1 on Cisco ...) NOT-FOR-US: Cisco IOS XR CVE-2011-2548 RESERVED CVE-2011-2547 (The web-based management interface on Cisco SA 500 series security app ...) NOT-FOR-US: Cisco SA 500 series appliances management interface CVE-2011-2546 (SQL injection vulnerability in the web-based management interface on C ...) NOT-FOR-US: Cisco SA 500 series appliances management interface CVE-2011-2545 (Cross-site scripting (XSS) vulnerability in the SIP implementation on ...) NOT-FOR-US: Cisco SPA CVE-2011-2544 (Cross-site scripting (XSS) vulnerability in the web interface in Cisco ...) NOT-FOR-US: Cisco CVE-2011-2543 (Buffer overflow in the cuil component in Cisco Telepresence System Int ...) NOT-FOR-US: Cisco CVE-2011-2542 RESERVED CVE-2011-2541 RESERVED CVE-2011-2540 RESERVED CVE-2011-2539 RESERVED CVE-2011-2538 (Cisco Video Communications Server (VCS) before X7.0.3 contains a comma ...) - plone3 CVE-2011-2537 RESERVED CVE-2011-XXXX [unspecified security vulnerabilities from 4.3.7] - movabletype-opensource 4.3.7+dfsg-1 (bug #631437) CVE-2011-2536 (chan_sip.c in the SIP channel driver in Asterisk Open Source 1.4.x bef ...) {DSA-2276-2 DSA-2276-1} - asterisk 1:1.8.4.4~dfsg-1 (bug #632029) CVE-2011-2534 (Buffer overflow in the clusterip_proc_write function in net/ipv4/netfi ...) - linux-2.6 2.6.32-34 (low) CVE-2011-2533 (The configure script in D-Bus (aka DBus) 1.2.x before 1.2.28 allows lo ...) - dbus 1.3.2~git20100715.821f99c-1 (unimportant) NOTE: Compile-time only CVE-2011-2532 (The json.decode function in util/json.lua in Prosody 0.8.x before 0.8. ...) - prosody 0.8.1-1 [squeeze] - prosody (Minor issue) CVE-2011-2531 (Prosody 0.8.x before 0.8.1, when MySQL is used, assigns an incorrect d ...) - prosody 0.8.1-1 [squeeze] - prosody (Minor issue) CVE-2011-2530 (Buffer overflow in RSEds.dll in RSHWare.exe in the EDS Hardware Instal ...) NOT-FOR-US: EDS Hardware Installation tool CVE-2011-2535 (chan_iax2.c in the IAX2 channel driver in Asterisk Open Source 1.4.x b ...) {DSA-2276-2 DSA-2276-1} - asterisk 1:1.8.4.3-1 (bug #631448) [squeeze] - asterisk [lenny] - asterisk CVE-2011-2529 (chan_sip.c in the SIP channel driver in Asterisk Open Source 1.6.x bef ...) {DSA-2276-2 DSA-2276-1} - asterisk 1:1.8.4.3-1 (bug #631446) CVE-2011-2528 (Unspecified vulnerability in (1) Zope 2.12.x before 2.12.19 and 2.13.x ...) - plone3 CVE-2011-2527 (The change_process_uid function in os-posix.c in Qemu 0.14.0 and earli ...) {DSA-2282-1} - qemu-kvm 0.14.1+dfsg-3 (bug #633669) - kvm (Vulnerable code not present) CVE-2011-2526 (Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7 ...) {DSA-2401-1} - tomcat6 6.0.32-7 (bug #634992) - tomcat7 7.0.19-1 (bug #634992) - tomcat5.5 (bug #634992) CVE-2011-2525 (The qdisc_notify function in net/sched/sch_api.c in the Linux kernel b ...) {DSA-2310-1 DSA-2303-1} - linux-2.6 2.6.35-1 CVE-2011-2524 (Directory traversal vulnerability in soup-uri.c in SoupServer in libso ...) {DSA-2369-1} - libsoup2.4 2.34.3-1 (bug #635837) CVE-2011-2523 (vsftpd 2.3.4 downloaded between 20110630 and 20110703 contains a backd ...) - vsftpd (backdoored version was never in the Debian archive) CVE-2011-2522 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Samb ...) {DSA-2290-1} - samba 2:3.5.10~dfsg-1 (low) CVE-2011-2521 (The x86_assign_hw_event function in arch/x86/kernel/cpu/perf_event.c i ...) - linux-2.6 2.6.39-1 (low) [squeeze] - linux-2.6 (Vulnerable code not present) [lenny] - linux-2.6 (Vulnerable code not present) CVE-2011-2520 (fw_dbus.py in system-config-firewall 1.2.29 and earlier uses the pickl ...) NOT-FOR-US: system-config-firewall CVE-2011-2519 (Xen in the Linux kernel, when running a guest on a host without hardwa ...) - xen-3 3.2.1-2 NOTE: Possibly fixed earlier than 3.2.1-2, but that's the version in oldstable, which NOTE: was checked to contain http://xenbits.xen.org/hg/xen-3.1-testing.hg/rev/15644 - xen (Only affects older Xen 3 releases) CVE-2011-2518 (The tomoyo_mount_acl function in security/tomoyo/mount.c in the Linux ...) - linux-2.6 2.6.39-3 (low) [squeeze] - linux-2.6 (Vulnerable code not present) [lenny] - linux-2.6 (Vulnerable code not present) CVE-2011-2517 (Multiple buffer overflows in net/wireless/nl80211.c in the Linux kerne ...) {DSA-2303-1} - linux-2.6 2.6.39-3 (unimportant) [lenny] - linux-2.6 (Vulnerable code not present) NOTE: Requires CAP_NET_ADMIn to exploit CVE-2011-2516 (Off-by-one error in the XML signature feature in Apache XML Security f ...) {DSA-2277-1} - xml-security-c 1.6.1-1 (low; bug #632973) CVE-2011-2515 (PackageKit 0.6.17 allows installation of unsigned RPM packages as thou ...) - packagekit 0.6.17-1 CVE-2011-2514 (The Java Network Launching Protocol (JNLP) implementation in IcedTea6 ...) - openjdk-6 6b21~pre1-1 - icedtea-web 1.1-1 NOTE: Browser plugin was removed in openjdk-6 6b21~pre1-1. CVE-2011-2513 (The Java Network Launching Protocol (JNLP) implementation in IcedTea6 ...) - openjdk-6 6b21~pre1-1 - icedtea-web 1.1.2-1 NOTE: Browser plugin was removed in openjdk-6 6b21~pre1-1. CVE-2011-2512 (The virtio_queue_notify in qemu-kvm 0.14.0 and earlier does not proper ...) {DSA-2270-1} - qemu-kvm 0.14.1+dfsg-2 (bug #631975) - kvm [lenny] - kvm (Vulnerability not present) CVE-2011-2511 (Integer overflow in libvirt before 0.9.3 allows remote authenticated u ...) {DSA-2280-1} - libvirt 0.9.2-7 (bug #633630) CVE-2011-2510 (Cross-site scripting (XSS) vulnerability in the RSS embedding feature ...) - dokuwiki 0.0.20110525a-1 (low; bug #631818) [squeeze] - dokuwiki 0.0.20091225c-10+squeeze2 [lenny] - dokuwiki 0.0.20080505-4+lenny3 CVE-2011-2509 (Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before ...) NOT-FOR-US: Joomla! CVE-2011-2508 (Directory traversal vulnerability in libraries/display_tbl.lib.php in ...) {DSA-2286-1} - phpmyadmin 4:3.4.3.1-1 [lenny] - phpmyadmin (Vulnerable code not present) CVE-2011-2507 (libraries/server_synchronize.lib.php in the Synchronize implementation ...) {DSA-2286-1} - phpmyadmin 4:3.4.3.1-1 (unimportant) [lenny] - phpmyadmin (Vulnerable code not present) NOTE: neutralized by Suhosin patch CVE-2011-2506 (setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.x before 3.3.10.2 ...) {DSA-2286-1} - phpmyadmin 4:3.4.3.1-1 (low) [lenny] - phpmyadmin (Vulnerable code not present) CVE-2011-2505 (libraries/auth/swekey/swekey.auth.lib.php in the Swekey authentication ...) {DSA-2286-1} - phpmyadmin 4:3.4.3.1-1 [lenny] - phpmyadmin (Vulnerable code not present) CVE-2011-2504 (Untrusted search path vulnerability in x11perfcomp in XFree86 x11perf ...) - x11-apps 7.7~1 (low) [squeeze] - x11-apps (Minor issue) CVE-2011-2503 (The insert_module function in runtime/staprun/staprun_funcs.c in the s ...) {DSA-2348-1} - systemtap 1.6-1 (bug #635542) [lenny] - systemtap (Signed modules not yet supported) CVE-2011-2502 (runtime/staprun/staprun_funcs.c in the systemtap runtime tool (staprun ...) - systemtap 1.6-1 (bug #635542) [lenny] - systemtap (Affected option introduced in 1.4) [squeeze] - systemtap (Affected option introduced in 1.4) CVE-2011-2501 (The png_format_buffer function in pngerror.c in libpng 1.0.x before 1. ...) {DSA-2287-1} - libpng 1.2.44-3 (bug #632786) CVE-2011-2500 (The host_reliable_addrinfo function in support/export/hostname.c in nf ...) - nfs-utils 1:1.2.4-1 (bug #633155) [lenny] - nfs-utils (Introduced in 1.2.3) [squeeze] - nfs-utils (Introduced in 1.2.3) CVE-2011-2499 (Mambo CMS through 4.6.5 has multiple XSS. ...) NOT-FOR-US: Mambo CMS CVE-2011-2498 (The Linux kernel from v2.3.36 before v2.6.39 allows local unprivileged ...) - linux-2.6 2.6.39-1 (low) [squeeze] - linux-2.6 (introduced in 2.6.36) [lenny] - linux-2.6 (introduced in 2.6.36) CVE-2011-2497 (Integer underflow in the l2cap_config_req function in net/bluetooth/l2 ...) {DSA-2310-1 DSA-2303-1} - linux-2.6 2.6.39-3 CVE-2011-2496 (Integer overflow in the vma_to_resize function in mm/mremap.c in the L ...) {DSA-2310-1 DSA-2303-1} - linux-2.6 2.6.39-1 (low) CVE-2011-2495 (fs/proc/base.c in the Linux kernel before 2.6.39.4 does not properly r ...) {DSA-2310-1 DSA-2303-1} - linux-2.6 3.0.0-1 (low) CVE-2011-2494 (kernel/taskstats.c in the Linux kernel before 3.1 allows local users t ...) - linux-2.6 3.0.0-5 (low) [squeeze] - linux-2.6 2.6.32-40 CVE-2011-2493 (The ext4_fill_super function in fs/ext4/super.c in the Linux kernel be ...) - linux-2.6 2.6.39-1 (low) [squeeze] - linux-2.6 (sbi->s_err-report didn't exist yet) [lenny] - linux-2.6 (sbi->s_err-report didn't exist yet) CVE-2011-2492 (The bluetooth subsystem in the Linux kernel before 3.0-rc4 does not pr ...) {DSA-2310-1 DSA-2303-1} - linux-2.6 3.0.0-1 (low) CVE-2011-2491 (The Network Lock Manager (NLM) protocol implementation in the NFS clie ...) {DSA-2310-1 DSA-2303-1} - linux-2.6 3.0.0-1 CVE-2011-2490 (opielogin.c in opielogin in OPIE 2.4.1-test1 and earlier does not chec ...) {DSA-2281-1} - opie (bug #631345) CVE-2011-2489 (Multiple off-by-one errors in opiesu.c in opiesu in OPIE 2.4.1-test1 a ...) {DSA-2281-1} - opie (bug #631344) CVE-2011-2488 (Joomla! before 1.5.23 does not properly check for errors, which allows ...) NOT-FOR-US: Joomla! CVE-2011-2487 (The implementations of PKCS#1 v1.5 key transport mechanism for XMLEncr ...) NOT-FOR-US: Apache CXF CVE-2011-2486 (nspluginwrapper before 1.4.4 does not properly provide access to NPNVp ...) - nspluginwrapper (bug #671846) [squeeze] - nspluginwrapper (Contrib not supported) CVE-2011-2485 (The gdk_pixbuf__gif_image_load function in gdk-pixbuf/io-gif.c in gdk- ...) - gdk-pixbuf 2.23.3-3.1 (bug #631524) [squeeze] - gdk-pixbuf (Minor issue) [lenny] - gdk-pixbuf (Minor issue) CVE-2011-2484 (The add_del_listener function in kernel/taskstats.c in the Linux kerne ...) {DSA-2310-1 DSA-2303-1} - linux-2.6 2.6.39-3 (low) CVE-2011-2483 (crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain plat ...) {DSA-2399-1 DSA-2340-1} - libcrypt-eksblowfish-perl (discovered and corrected in initial release in 2007) - php-suhosin (bug #631283; that portion is not used since PHP 5.3) [lenny] - php-suhosin (bug #631283) - postgresql-8.4 8.4.9-1 (bug #631285) - postgresql-9.0 9.0.5-1 (bug #631285) - postgresql-9.1 9.1~rc1-1 - php5 5.3.6-13 (bug #631347) - libxcrypt 1:2.4-1.1 (bug #679628) [squeeze] - libxcrypt (Minor issue) NOTE: http://openwall.com/lists/oss-security/2011/06/20/2 CVE-2011-2482 (A certain Red Hat patch to the sctp_sock_migrate function in net/sctp/ ...) - linux-2.6 (RHEL-specific regression) CVE-2011-2481 (Apache Tomcat 7.0.x before 7.0.17 permits web applications to replace ...) - tomcat7 7.0.19-1 CVE-2011-2480 (Information Disclosure vulnerability in the 802.11 stack, as used in F ...) - kfreebsd-9 9.0~svn223502-1 (bug #631160) - kfreebsd-8 8.2-3 (bug #631161) [squeeze] - kfreebsd-8 8.1+dfsg-8+squeeze1 - kfreebsd-7 CVE-2011-2479 (The Linux kernel before 2.6.39 does not properly create transparent hu ...) - linux-2.6 2.6.39-1 [squeeze] - linux-2.6 (Vulnerable code introduced in 2.6.38) [lenny] - linux-2.6 (Vulnerable code introduced in 2.6.38) CVE-2011-2478 (Google SketchUp before 8 does not properly handle edge geometry in Ske ...) NOT-FOR-US: Google SketchUp CVE-2011-2470 (Cross-site scripting (XSS) vulnerability in chat/base/admin/login.php ...) NOT-FOR-US: A Really Simple Chat CVE-2011-2469 RESERVED CVE-2011-2467 (SQL injection vulnerability in lsassd in Lsass in the Likewise Securit ...) NOT-FOR-US: Likewise CVE-2011-2466 RESERVED CVE-2011-2465 (Unspecified vulnerability in ISC BIND 9 9.8.0, 9.8.0-P1, 9.8.0-P2, and ...) - bind9 1:9.8.1.dfsg.P1-1 [squeeze] - bind9 (Only affects 9.8) [lenny] - bind9 (Only affects 9.8) CVE-2011-2464 (Unspecified vulnerability in ISC BIND 9 9.6.x before 9.6-ESV-R4-P3, 9. ...) {DSA-2272-1} - bind9 1:9.8.1.dfsg-1 (high) CVE-2011-2463 (Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 8.0 throu ...) NOT-FOR-US: Adobe ColdFusion CVE-2011-2462 (Unspecified vulnerability in the U3D component in Adobe Reader and Acr ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2011-2461 (Cross-site scripting (XSS) vulnerability in the Adobe Flex SDK 3.x and ...) NOT-FOR-US: Adobe Flex CVE-2011-2460 (Adobe Flash Player before 10.3.183.11 and 11.x before 11.1.102.55 on W ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2459 (Adobe Flash Player before 10.3.183.11 and 11.x before 11.1.102.55 on W ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2458 (Adobe Flash Player before 10.3.183.11 and 11.x before 11.1.102.55 on W ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2457 (Stack-based buffer overflow in Adobe Flash Player before 10.3.183.11 a ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2456 (Buffer overflow in Adobe Flash Player before 10.3.183.11 and 11.x befo ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2455 (Adobe Flash Player before 10.3.183.11 and 11.x before 11.1.102.55 on W ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2454 (Adobe Flash Player before 10.3.183.11 and 11.x before 11.1.102.55 on W ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2453 (Adobe Flash Player before 10.3.183.11 and 11.x before 11.1.102.55 on W ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2452 (Adobe Flash Player before 10.3.183.11 and 11.x before 11.1.102.55 on W ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2451 (Adobe Flash Player before 10.3.183.11 and 11.x before 11.1.102.55 on W ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2450 (Adobe Flash Player before 10.3.183.11 and 11.x before 11.1.102.55 on W ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2449 (The TextXtra module in Adobe Shockwave Player before 11.6.3.633 allows ...) NOT-FOR-US: Adobe Shockwave CVE-2011-2448 (The DIRapi library in Adobe Shockwave Player before 11.6.3.633 allows ...) NOT-FOR-US: Adobe Shockwave CVE-2011-2447 (Adobe Shockwave Player before 11.6.3.633 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave CVE-2011-2446 (The DIRapi library in Adobe Shockwave Player before 11.6.3.633 allows ...) NOT-FOR-US: Adobe Shockwave CVE-2011-2445 (Adobe Flash Player before 10.3.183.11 and 11.x before 11.1.102.55 on W ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2444 (Cross-site scripting (XSS) vulnerability in Adobe Flash Player before ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2443 (Multiple buffer overflows in Adobe Photoshop Elements 8.0 and earlier ...) NOT-FOR-US: Adobe Photoshop Elements CVE-2011-2442 (Adobe Reader and Acrobat 8.x before 8.3.1, 9.x before 9.4.6, and 10.x ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2011-2441 (Multiple stack-based buffer overflows in CoolType.dll in Adobe Reader ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2011-2440 (Use-after-free vulnerability in Adobe Reader and Acrobat 8.x before 8. ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2011-2439 (Adobe Reader and Acrobat 8.x before 8.3.1, 9.x before 9.4.6, and 10.x ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2011-2438 (Multiple stack-based buffer overflows in the image-parsing library in ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2011-2437 (Heap-based buffer overflow in Adobe Reader and Acrobat 8.x before 8.3. ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2011-2436 (Heap-based buffer overflow in the image-parsing library in Adobe Reade ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2011-2435 (Buffer overflow in Adobe Reader and Acrobat 8.x before 8.3.1, 9.x befo ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2011-2434 (Heap-based buffer overflow in Adobe Reader and Acrobat 8.x before 8.3. ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2011-2433 (Heap-based buffer overflow in Adobe Reader and Acrobat 8.x before 8.3. ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2011-2432 (Buffer overflow in the U3D TIFF Resource in Adobe Reader and Acrobat 8 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2011-2431 (Adobe Reader and Acrobat 8.x before 8.3.1, 9.x before 9.4.6, and 10.x ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2011-2430 (Adobe Flash Player before 10.3.183.10 on Windows, Mac OS X, Linux, and ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2429 (Adobe Flash Player before 10.3.183.10 on Windows, Mac OS X, Linux, and ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2428 (Adobe Flash Player before 10.3.183.10 on Windows, Mac OS X, Linux, and ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2427 (Stack-based buffer overflow in the ActionScript Virtual Machine (AVM) ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2426 (Stack-based buffer overflow in the ActionScript Virtual Machine (AVM) ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2425 (Adobe Flash Player before 10.3.183.5 on Windows, Mac OS X, Linux, and ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2424 (Adobe Flash Player before 10.3.183.5 on Windows, Mac OS X, Linux, and ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2423 (msvcr90.dll in Adobe Shockwave Player before 11.6.1.629 allows remote ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-2422 (Textra.x32 in Adobe Shockwave Player before 11.6.1.629 allows remote a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-2421 (Dirapi.dll in Adobe Shockwave Player before 11.6.1.629 allows attacker ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-2420 (Adobe Shockwave Player before 11.6.1.629 allows remote attackers to ex ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-2419 (IML32.dll in Adobe Shockwave Player before 11.6.1.629 allows remote at ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-2418 REJECTED CVE-2011-2417 (Adobe Flash Player before 10.3.183.5 on Windows, Mac OS X, Linux, and ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2416 (Integer overflow in Adobe Flash Player before 10.3.183.5 on Windows, M ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2415 (Buffer overflow in Adobe Flash Player before 10.3.183.5 on Windows, Ma ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2414 (Buffer overflow in Adobe Flash Player before 10.3.183.5 on Windows, Ma ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2413 RESERVED CVE-2011-2412 (Unspecified vulnerability in HP Business Service Automation (BSA) Esse ...) NOT-FOR-US: HP Business Service Automation CVE-2011-2411 (Unspecified vulnerability on HP NonStop Servers with software H06.x th ...) NOT-FOR-US: HP NonStop Servers CVE-2011-2410 (Cross-site scripting (XSS) vulnerability in HP OpenView Performance In ...) NOT-FOR-US: HP OpenView CVE-2011-2409 (Cross-site scripting (XSS) vulnerability in the Calendar application i ...) NOT-FOR-US: HP Palm webOS 3.x CVE-2011-2408 (Cross-site scripting (XSS) vulnerability in the Contacts application i ...) NOT-FOR-US: HP Palm webOS 3.x CVE-2011-2407 (Unspecified vulnerability in HP OpenView Performance Insight 5.3, 5.31 ...) NOT-FOR-US: HP OpenView Performance Insight CVE-2011-2406 (Cross-site scripting (XSS) vulnerability in HP OpenView Performance In ...) NOT-FOR-US: HP OpenView Performance Insight CVE-2011-2405 (The HP ProLiant SL Advanced Power Manager (SL-APM) with firmware befor ...) NOT-FOR-US: HP ProLiant SL Advanced Power Manager CVE-2011-2404 (A certain ActiveX control in HPTicketMgr.dll in HP Easy Printer Care S ...) NOT-FOR-US: HP Easy Printer Care Software CVE-2011-2403 (SQL injection vulnerability in HP Network Automation 7.2x, 7.5x, 7.6x, ...) NOT-FOR-US: HP Network Automation CVE-2011-2402 (Cross-site scripting (XSS) vulnerability in HP Network Automation 7.2x ...) NOT-FOR-US: HP Network Automation CVE-2011-2401 (Session fixation vulnerability in HP SiteScope 9.x, 10.x, and 11.x all ...) NOT-FOR-US: HP SiteScope CVE-2011-2400 (Cross-site scripting (XSS) vulnerability in HP SiteScope 9.x, 10.x, an ...) NOT-FOR-US: HP SiteScope CVE-2011-2399 (Unspecified vulnerability in the Media Management Daemon (mmd) in HP D ...) NOT-FOR-US: HP Data Protector CVE-2011-2398 (Unspecified vulnerability in the dynamic loader in HP HP-UX B.11.11, B ...) NOT-FOR-US: HP-UX CVE-2011-2397 (The Agent service in Iron Mountain Connected Backup 8.4 allows remote ...) NOT-FOR-US: Iron Mountain Connected Backup CVE-2011-2396 RESERVED CVE-2011-2394 RESERVED CVE-2011-2393 (The Neighbor Discovery (ND) protocol implementation in the IPv6 stack ...) - kfreebsd-7 (low) - kfreebsd-8 (low) [squeeze] - kfreebsd-8 (Minor issue) [wheezy] - kfreebsd-8 (Minor issue) - kfreebsd-9 (low; bug #684072) [squeeze] - kfreebsd-9 (Minor issue) [wheezy] - kfreebsd-9 (Minor issue) - kfreebsd-10 (unimportant) [jessie] - kfreebsd-10 (Minor issue) NOTE: http://www.mh-sec.de/downloads/mh-RA_flooding_CVE-2010-multiple.txt NOTE: Starting with stretch kfreebsd is no longer supported CVE-2011-2392 RESERVED CVE-2011-2391 (The IPv6 implementation in the kernel in Apple iOS before 7 allows rem ...) NOT-FOR-US: Apple iOS CVE-2011-2390 RESERVED CVE-2011-2389 RESERVED CVE-2011-2388 RESERVED CVE-2011-2387 RESERVED CVE-2011-2386 (VisiWaveReport.exe in AZO Technologies, Inc. VisiWave Site Survey befo ...) NOT-FOR-US: VisiWave Site Survey CVE-2011-2385 (The iPhoneHandle package 0.9.x before 0.9.7 and 1.0.x before 1.0.3 in ...) - otrs2 (does not include iPhoneHandle package) CVE-2011-2384 RESERVED CVE-2011-2381 (CRLF injection vulnerability in Bugzilla 2.17.1 through 2.22.7, 3.0.x ...) {DSA-2322-1} - bugzilla (low) [squeeze] - bugzilla 3.6.2.0-4.4 CVE-2011-2380 (Bugzilla 2.23.3 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4. ...) {DSA-2322-1} - bugzilla (low) [squeeze] - bugzilla 3.6.2.0-4.4 CVE-2011-2379 (Cross-site scripting (XSS) vulnerability in Bugzilla 2.4 through 2.22. ...) {DSA-2322-1} - bugzilla (low) [squeeze] - bugzilla 3.6.2.0-4.4 CVE-2011-2378 (The appendChild function in Mozilla Firefox before 3.6.20, Thunderbird ...) {DSA-2297-1 DSA-2296-1 DSA-2295-1} - icedove 3.1.12-1 [lenny] - icedove - xulrunner (unimportant) [lenny] - xulrunner 1.9.0.19-13 - iceweasel 6.0-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-5 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2011-2377 (Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, Thunderbird befor ...) - xulrunner (Was already fixed as CVE-2010-1201 for Firefox < 3.6) - iceweasel (Was already fixed as CVE-2010-1201 for Firefox < 3.6) - iceape (Was already fixed as CVE-2010-1201 for Firefox < 3.6) - icedove (Was already fixed as CVE-2010-1201 for Firefox < 3.6) CVE-2011-2376 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2273-3 DSA-2269-1 DSA-2268-1} - xulrunner (unimportant) [lenny] - xulrunner 1.9.0.19-12 - iceweasel 3.5.19-3 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-3 [lenny] - iceape (Only a stub package) - icedove 3.1.11-1 [lenny] - icedove NOTE: xulrunner in wheezy is not covered by security support CVE-2011-2375 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - xulrunner (Only affects Firefox 5.0, not yet in unstable) - iceweasel (Only affects Firefox 5.0, not yet in unstable) CVE-2011-2374 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2273-3 DSA-2269-1 DSA-2268-1} - xulrunner (unimportant) [lenny] - xulrunner 1.9.0.19-12 - iceweasel 3.5.19-3 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-3 [lenny] - iceape (Only a stub package) - icedove 3.1.11-1 [lenny] - icedove NOTE: xulrunner in wheezy is not covered by security support CVE-2011-2373 (Use-after-free vulnerability in Mozilla Firefox before 3.6.18 and 4.x ...) {DSA-2273-3 DSA-2269-1 DSA-2268-1} - xulrunner (unimportant) - iceweasel 3.5.19-3 [lenny] - xulrunner 1.9.0.19-12 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-3 [lenny] - iceape (Only a stub package) - icedove 3.1.11-1 [lenny] - icedove NOTE: xulrunner in wheezy is not covered by security support CVE-2011-2372 (Mozilla Firefox before 3.6.23 and 4.x through 6, Thunderbird before 7. ...) {DSA-2317-1 DSA-2313-1 DSA-2312-1} - icedove 3.1.15-1 [lenny] - icedove - xulrunner (unimportant) - iceweasel 7.0-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-8 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2011-2371 (Integer overflow in the Array.reduceRight method in Mozilla Firefox be ...) {DSA-2273-3 DSA-2269-1 DSA-2268-1} - xulrunner (unimportant) - iceweasel 3.5.19-3 [lenny] - xulrunner 1.9.0.19-12 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-3 [lenny] - iceape (Only a stub package) - icedove 3.1.11-1 [lenny] - icedove NOTE: xulrunner in wheezy is not covered by security support CVE-2011-2370 (Mozilla Firefox before 5.0 does not properly enforce the whitelist for ...) - xulrunner (Only affects Firefox 4.x and above) - iceweasel 5.0-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) [squeeze] - iceweasel (Only affects Firefox 4.x and above) - iceape (Only affects Firefox 4.x and above) - icedove (Only affects Firefox 4.x and above) CVE-2011-2369 (Cross-site scripting (XSS) vulnerability in Mozilla Firefox 4.x throug ...) - xulrunner (Only affects Firefox >= 4.0, not yet in unstable) - iceweasel (Only affects Firefox >= 4.0, not yet in unstable) CVE-2011-2368 (The WebGL implementation in Mozilla Firefox 4.x through 4.0.1 does not ...) - xulrunner (Only affects Firefox >= 4.0, not yet in unstable) - iceweasel (Only affects Firefox >= 4.0, not yet in unstable) CVE-2011-2367 (The WebGL implementation in Mozilla Firefox 4.x through 4.0.1 does not ...) - xulrunner (Only affects Firefox >= 4.0, not yet in unstable) - iceweasel (Only affects Firefox >= 4.0, not yet in unstable) CVE-2011-2366 (Mozilla Gecko before 5.0, as used in Firefox before 5.0 and Thunderbir ...) - xulrunner (Only affects Firefox >= 4.0, not yet in unstable) - iceweasel (Only affects Firefox >= 4.0, not yet in unstable) CVE-2011-2365 (Unspecified vulnerability in the browser engine in Mozilla Firefox 3.6 ...) {DSA-2273-3 DSA-2269-1 DSA-2268-1} - xulrunner (Vulnerable code not present) - iceweasel 3.5.19-3 [lenny] - xulrunner 1.9.0.19-12 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-3 [lenny] - iceape (Only a stub package) - icedove 3.1.11-1 [lenny] - icedove CVE-2011-2364 (Unspecified vulnerability in the browser engine in Mozilla Firefox 3.6 ...) - xulrunner (Only affects Firefox >= 3.6) - iceweasel (Only affects Firefox >= 3.6) - iceape (Only affects Firefox >= 3.6) - icedove (Only affects Firefox >= 3.6) CVE-2011-2363 (Use-after-free vulnerability in the nsSVGPointList::AppendElement func ...) {DSA-2273-3 DSA-2269-1 DSA-2268-1} - iceweasel 3.5.19-3 - xulrunner (unimportant) [lenny] - xulrunner 1.9.0.19-12 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-3 [lenny] - iceape (Only a stub package) - icedove 3.1.11-1 [lenny] - icedove NOTE: xulrunner in wheezy is not covered by security support CVE-2011-2362 (Mozilla Firefox before 3.6.18, Thunderbird before 3.1.11, and SeaMonke ...) {DSA-2273-3 DSA-2269-1 DSA-2268-1} - iceweasel 3.5.19-3 - xulrunner (unimportant) [lenny] - xulrunner 1.9.0.19-12 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-3 [lenny] - iceape (Only a stub package) - icedove 3.1.11-1 [lenny] - icedove NOTE: xulrunner in wheezy is not covered by security support CVE-2011-2361 (The Basic Authentication dialog implementation in Google Chrome before ...) - chromium-browser 13.0.782.107~r94237-1 (unimportant) - webkit (chromium specific) CVE-2011-2360 (Google Chrome before 13.0.782.107 does not ensure that the user is pro ...) - chromium-browser 13.0.782.107~r94237-1 (unimportant) - webkit (chromium specific) CVE-2011-2359 (Google Chrome before 13.0.782.107 does not properly track line boxes d ...) {DSA-2307-1} - chromium-browser 13.0.782.107~r94237-1 NOTE: http://trac.webkit.org/changeset/90068 CVE-2011-2358 (Google Chrome before 13.0.782.107 does not ensure that extension insta ...) - chromium-browser 13.0.782.107~r94237-1 (unimportant) - webkit (chromium specific) CVE-2011-2357 (Cross-application scripting vulnerability in the Browser URL loading f ...) NOT-FOR-US: Android CVE-2011-2356 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-2355 RESERVED CVE-2011-2354 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-2353 (Use after free vulnerability in documentloader in WebKit in Google Chr ...) NOTE: Historic webkit/Chromium issues CVE-2011-2352 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-2351 (Use-after-free vulnerability in Google Chrome before 12.0.742.112 allo ...) - chromium-browser 12.0.742.112~r90304-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/88584 NOTE: http://trac.webkit.org/changeset/88549 CVE-2011-2350 (The HTML parser in Google Chrome before 12.0.742.112 does not properly ...) - chromium-browser 12.0.742.112~r90304-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/88411 NOTE: http://trac.webkit.org/changeset/88434 CVE-2011-2349 (Use-after-free vulnerability in Google Chrome before 12.0.742.112 allo ...) - chromium-browser 12.0.742.112~r90304-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/88456 CVE-2011-2348 (Google V8, as used in Google Chrome before 12.0.742.112, performs an i ...) - libv8 3.4.14-1 [squeeze] - libv8 (Unsupported in squeeze-lts) NOTE: Fixed in V8 bleeding edge r8230, 3.2.10.17 and 3.3.10.9. CVE-2011-2347 (Google Chrome before 12.0.742.112 does not properly handle Cascading S ...) - chromium-browser 12.0.742.112~r90304-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/88448 CVE-2011-2346 (Use-after-free vulnerability in Google Chrome before 12.0.742.112 allo ...) - chromium-browser 12.0.742.112~r90304-1 [squeeze] - chromium-browser NOTE: introduced in http://trac.webkit.org/changeset/77740 NOTE: http://trac.webkit.org/changeset/87827 CVE-2011-2345 (The NPAPI implementation in Google Chrome before 12.0.742.112 does not ...) - chromium-browser (linux version is not affected) - webkit CVE-2011-2344 (Android Picasa in Android 3.0 and 2.x through 2.3.4 uses a cleartext H ...) NOT-FOR-US: Android SDK CVE-2011-2343 (The Bluetooth stack in Android before 2.3.6 allows a physically proxim ...) NOT-FOR-US: Android CVE-2011-2341 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-2340 RESERVED CVE-2011-2339 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-2338 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-2337 (A wrong type is used for a return value from strlen in WebKit in Googl ...) NOTE: Historic webkit/Chromium issues CVE-2011-2336 (An issue exists in WebKit in Google Chrome before Blink M12. when clea ...) NOTE: Historic webkit/Chromium issues CVE-2011-2335 (A double-free vulnerability exists in WebKit in Google Chrome before B ...) NOTE: Historic webkit/Chromium issues CVE-2011-2334 (Use after free vulnerability exists in WebKit in Google Chrome before ...) NOTE: Historic webkit/Chromium issues CVE-2011-2333 RESERVED CVE-2011-2329 (The rampart_timestamp_token_validate function in util/rampart_timestam ...) - rampart 1.3.0-3 (low; bug #631221) [squeeze] - rampart (Minor issue) CVE-2011-2327 (Unspecified vulnerability in the Oracle Communications Unified compone ...) NOT-FOR-US: Oracle Sun Products Suite CVE-2011-2326 (Unspecified vulnerability in the EnterpriseOne Tools component in Orac ...) NOT-FOR-US: Oracle JD Edwards Products CVE-2011-2325 (Unspecified vulnerability in the EnterpriseOne Tools component in Orac ...) NOT-FOR-US: Oracle JD Edwards Products CVE-2011-2324 (Unspecified vulnerability in the EnterpriseOne Tools component in Orac ...) NOT-FOR-US: Oracle JD Edwards Products CVE-2011-2323 (Unspecified vulnerability in the Health Sciences - Oracle Thesaurus Ma ...) NOT-FOR-US: Oracle Thesaurus Management System CVE-2011-2322 (Unspecified vulnerability in the Database Vault component in Oracle Da ...) NOT-FOR-US: Oracle Database Server CVE-2011-2321 (Unspecified vulnerability in the EnterpriseOne Tools component in Orac ...) NOT-FOR-US: Oracle JD Edwards Products CVE-2011-2320 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2011-2319 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2011-2318 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2011-2317 (Unspecified vulnerability in the EnterpriseOne Tools component in Orac ...) NOT-FOR-US: Oracle JD Edwards Products CVE-2011-2316 (Unspecified vulnerability in the Siebel Apps - Marketing component in ...) NOT-FOR-US: Oracle Siebel CVE-2011-2315 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft Enterprise CVE-2011-2314 (Unspecified vulnerability in the Oracle Containers for J2EE component ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2011-2313 (Unspecified vulnerability in Oracle Solaris 10 allows local users to a ...) NOT-FOR-US: Oracle Solaris CVE-2011-2312 (Unspecified vulnerability in Oracle Solaris 10 allows local users to a ...) NOT-FOR-US: Oracle Solaris CVE-2011-2311 (Unspecified vulnerability in Oracle Solaris 10 allows local users to a ...) NOT-FOR-US: Oracle Solaris CVE-2011-2310 (Unspecified vulnerability in the Oracle Waveset component in Oracle Su ...) NOT-FOR-US: Oracle Sun Products Suite CVE-2011-2309 (Unspecified vulnerability in the Health Sciences - Oracle Clinical, Re ...) NOT-FOR-US: Oracle Industry Applications CVE-2011-2308 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2011-2307 (Unspecified vulnerability in Oracle SysFW 8.1.0.a in various Oracle SP ...) NOT-FOR-US: Oracle SysFW CVE-2011-2306 (Unspecified vulnerability in Oracle Linux 4 and 5 allows remote authen ...) NOT-FOR-US: Oracle Linux-specific feature CVE-2011-2305 (Unspecified vulnerability in Oracle VM VirtualBox 4.0 allows local use ...) - virtualbox-ose (Only affects 4.x) - virtualbox 4.0.10-dfsg-1 CVE-2011-2304 (Unspecified vulnerability in Oracle Solaris 10 allows remote attackers ...) NOT-FOR-US: Oracle Solaris CVE-2011-2303 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2011-2302 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2011-2301 (Unspecified vulnerability in the Oracle Text component in Oracle Datab ...) NOT-FOR-US: Oracle Database CVE-2011-2300 (Unspecified vulnerability in Oracle VM VirtualBox 3.0, 3.1, 3.2, and 4 ...) - virtualbox-guest-additions-iso 4.0.10-1 (bug #635276) [squeeze] - virtualbox-guest-additions (Non-free not supported) CVE-2011-2299 (Unspecified vulnerability in Oracle SPARC Enterprise M3000, M4000, M50 ...) NOT-FOR-US: Oracle SPARC Enterprise CVE-2011-2298 (Unspecified vulnerability in Oracle Solaris 10 and 11 Express allows r ...) NOT-FOR-US: Oracle Solaris CVE-2011-2297 (Unspecified vulnerability in Oracle Solaris Cluster 3.3 allows local u ...) NOT-FOR-US: Oracle Solaris Cluster CVE-2011-2296 (Unspecified vulnerability in Oracle Solaris 11 Express allows local us ...) NOT-FOR-US: Oracle Solaris CVE-2011-2295 (Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 Express a ...) NOT-FOR-US: Oracle Solaris CVE-2011-2294 (Unspecified vulnerability in Oracle Solaris 10 and 11 Express allows r ...) NOT-FOR-US: Oracle Solaris CVE-2011-2293 (Unspecified vulnerability in Oracle Solaris 11 Express allows local us ...) NOT-FOR-US: Oracle Solaris CVE-2011-2292 (Unspecified vulnerability in Oracle Solaris 9 and 11 Express allows lo ...) NOT-FOR-US: Oracle Solaris CVE-2011-2291 (Unspecified vulnerability in Oracle Solaris 10 allows local users to a ...) NOT-FOR-US: Oracle Solaris CVE-2011-2290 (Unspecified vulnerability in Oracle Solaris 10, and 11 Express allows ...) NOT-FOR-US: Oracle Solaris CVE-2011-2289 (Unspecified vulnerability in Oracle Solaris 10 allows local users to a ...) NOT-FOR-US: Oracle Solaris CVE-2011-2288 (Unspecified vulnerability in Sun Integrated Lights Out Manager (ILOM) ...) NOT-FOR-US: Oracle SysFW CVE-2011-2287 (Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 Express a ...) NOT-FOR-US: Oracle Solaris CVE-2011-2286 (Unspecified vulnerability in Oracle Solaris 10 and 11 Express allows r ...) NOT-FOR-US: Oracle Solaris CVE-2011-2285 (Unspecified vulnerability in Oracle Solaris 10 allows local users to a ...) NOT-FOR-US: Oracle Solaris CVE-2011-2284 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2011-2283 (Unspecified vulnerability in the PeopleSoft Enterprise FMS component i ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2011-2282 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2011-2281 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2011-2280 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2011-2279 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2011-2278 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2011-2277 (Unspecified vulnerability in the PeopleSoft Enterprise SCM component i ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2011-2276 REJECTED CVE-2011-2275 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2011-2274 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2011-2273 (Unspecified vulnerability in the Agile Core Technology component in Or ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2011-2272 (Unspecified vulnerability in the PeopleSoft Enterprise FSCM component ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2011-2271 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2011-2270 REJECTED CVE-2011-2269 REJECTED CVE-2011-2268 REJECTED CVE-2011-2267 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2011-2266 REJECTED CVE-2011-2265 REJECTED CVE-2011-2264 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2011-2263 (Unspecified vulnerability in Sun Integrated Lights Out Manager in Orac ...) NOT-FOR-US: Oracle SysFW CVE-2011-2262 (Unspecified vulnerability in the MySQL Server component in Oracle MySQ ...) {DSA-2429-1} - mysql-5.1 5.1.61-2 (bug #659687) CVE-2011-2261 (Unspecified vulnerability in the Oracle Secure Backup component in Ora ...) NOT-FOR-US: Oracle Secure Backup CVE-2011-2260 (Unspecified vulnerability in the Oracle GlassFish Server component in ...) NOT-FOR-US: Oracle Sun Products Suite CVE-2011-2259 (Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 Express a ...) NOT-FOR-US: Oracle Solaris CVE-2011-2258 (Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 Express a ...) NOT-FOR-US: Oracle Solaris CVE-2011-2257 (Unspecified vulnerability in the Database Target Type Menus component ...) NOT-FOR-US: Oracle Database Server and Enterprise Manager Grid Control CVE-2011-2256 REJECTED CVE-2011-2255 (Unspecified vulnerability in the Oracle WebLogic Portal component in O ...) NOT-FOR-US: Oracle Fusion CVE-2011-2254 REJECTED CVE-2011-2253 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2011-2252 (Unspecified vulnerability in the Oracle Secure Backup component in Ora ...) NOT-FOR-US: Oracle Secure Backup CVE-2011-2251 (Unspecified vulnerability in the Oracle Secure Backup component in Ora ...) NOT-FOR-US: Oracle Secure Backup CVE-2011-2250 (Unspecified vulnerability in the PeopleSoft Enterprise FIN component i ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2011-2249 (Unspecified vulnerability in Oracle Solaris 8, 9, and 10 allows remote ...) NOT-FOR-US: Oracle Solaris CVE-2011-2248 (Unspecified vulnerability in the SQL Performance Advisories/UIs compon ...) NOT-FOR-US: Oracle Database Server and Enterprise Manager Grid Control CVE-2011-2247 REJECTED CVE-2011-2246 (Unspecified vulnerability in the Business Intelligence component in Or ...) NOT-FOR-US: Oracle E-Business Suite CVE-2011-2245 (Unspecified vulnerability in the Solaris component in Oracle Sun Produ ...) NOT-FOR-US: Oracle Sun Products Suite CVE-2011-2244 (Unspecified vulnerability in the Security Framework component in Oracl ...) NOT-FOR-US: Oracle Database Server and Enterprise Manager Grid Control CVE-2011-2243 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2011-2242 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2011-2241 (Unspecified vulnerability in the Oracle Business Intelligence Enterpri ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2011-2240 (Unspecified vulnerability in the Oracle Universal Installer component ...) NOT-FOR-US: Oracle Database Server CVE-2011-2239 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2011-2238 (Unspecified vulnerability in the Database Vault component in Oracle Da ...) NOT-FOR-US: Oracle Database Server CVE-2011-2237 (Unspecified vulnerability in the Oracle Web Services Manager component ...) NOT-FOR-US: Oracle Fusion CVE-2011-2236 REJECTED CVE-2011-2235 REJECTED CVE-2011-2234 REJECTED CVE-2011-2233 REJECTED CVE-2011-2232 (Unspecified vulnerability in the XML Developer Kit component in Oracle ...) NOT-FOR-US: Oracle Database Server CVE-2011-2231 (Unspecified vulnerability in the XML Developer Kit component in Oracle ...) NOT-FOR-US: Oracle Database Server CVE-2011-2230 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2011-2229 REJECTED CVE-2011-2228 REJECTED CVE-2011-2227 (Cross-site scripting (XSS) vulnerability in Novell Identity Manager (a ...) NOT-FOR-US: Novell Identity Manager CVE-2011-2226 (Cross-site scripting (XSS) vulnerability in Kiwi before 3.74.2, as use ...) NOT-FOR-US: Kiwi, SUSE Studio CVE-2011-2225 (Unspecified vulnerability in Kiwi before 3.74.2, as used in SUSE Studi ...) NOT-FOR-US: Kiwi, SUSE Studio CVE-2011-2224 (The Mobility Pack before 1.2 in Novell Data Synchronizer 1.x through 1 ...) NOT-FOR-US: Novell Data Synchronizer CVE-2011-2223 (The Mobility Pack before 1.2 in Novell Data Synchronizer 1.x through 1 ...) NOT-FOR-US: Novell Data Synchronizer CVE-2011-2222 (Session fixation vulnerability in WebAdmin in the Mobility Pack before ...) NOT-FOR-US: Novell Data Synchronizer CVE-2011-2221 (The Mobility Pack before 1.2 in Novell Data Synchronizer 1.x through 1 ...) NOT-FOR-US: Novell Data Synchronizer CVE-2011-2220 (Stack-based buffer overflow in NFREngine.exe in Novell File Reporter E ...) NOT-FOR-US: Novell File Reporter CVE-2011-2219 (Unspecified vulnerability in GroupWise Internet Agent (GWIA) in Novell ...) NOT-FOR-US: Novell GroupWise CVE-2011-2218 (Unspecified vulnerability in GroupWise Internet Agent (GWIA) in Novell ...) NOT-FOR-US: Novell GroupWise CVE-2011-2217 (Certain ActiveX controls in (1) tsgetxu71ex552.dll and (2) tsgetx71ex5 ...) NOT-FOR-US: VMware CVE-2011-2213 (The inet_diag_bc_audit function in net/ipv4/inet_diag.c in the Linux k ...) {DSA-2389-1 DSA-2310-1} - linux-2.6 2.6.39-3 [squeeze] - linux-2.6 2.6.32-36 CVE-2011-2212 (Buffer overflow in the virtio subsystem in qemu-kvm 0.14.0 and earlier ...) {DSA-2282-1} - qemu-kvm 0.14.1+dfsg-3 (bug #632987) - kvm CVE-2011-2207 (dirmngr before 2.1.0 improperly handles certain system calls, which al ...) - dirmngr (unimportant; bug #627377) NOTE: Negligible impact CVE-2011-2206 (XMLParser.pm in DJabberd before 0.85 allows remote authenticated users ...) NOT-FOR-US: Djabberd CVE-2011-2205 (Prosody before 0.8.1 does not properly detect recursion during entity ...) - prosody 0.7.0-1 (low; bug #579087) [squeeze] - prosody (Minor issue) [lenny] - prosody (Minor issue) CVE-2011-2204 (Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7 ...) {DSA-2401-1} - tomcat5.5 (low; bug #632882) [lenny] - tomcat5.5 (Minor issue) - tomcat6 6.0.32-5 (low; bug #632882) [lenny] - tomcat6 (Minor issue) [squeeze] - tomcat6 (Minor issue) - tomcat7 7.0.16-3 (low; bug #632882) CVE-2011-2201 (The Data::FormValidator module 4.66 and earlier for Perl, when untaint ...) - libdata-formvalidator-perl 4.66-3 (low; bug #629511) [lenny] - libdata-formvalidator-perl (Minor issue) [squeeze] - libdata-formvalidator-perl 4.66-1+squeeze1 CVE-2011-2200 (The _dbus_header_byteswap function in dbus-marshal-header.c in D-Bus ( ...) - dbus 1.4.12-1 (low; bug #629938) [squeeze] - dbus 1.2.24-4+squeeze1 [lenny] - dbus (Minor issue) CVE-2011-2197 (The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x ...) - rails (Affected plugin not installed, see bug #634990) CVE-2011-2196 (jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as dis ...) NOT-FOR-US: JBoss Seam CVE-2011-2195 RESERVED CVE-2011-2193 (Multiple buffer overflows in Terascale Open-Source Resource and Queue ...) {DSA-2329-1} - torque 2.4.15+dfsg-1 (bug #635342) CVE-2011-2192 (The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10. ...) {DSA-2271-1} - curl 7.21.6-2 (high; bug #631615) CVE-2011-2191 (Cross-site request forgery (CSRF) vulnerability in Cherokee-admin in C ...) - cherokee (low; bug #661993) [squeeze] - cherokee (Minor issue) CVE-2011-2189 (net/core/net_namespace.c in the Linux kernel 2.6.32 and earlier does n ...) - linux-2.6 2.6.35-1 (low) [lenny] - linux-2.6 (attacker needs elevated CAP_SYS_ADMIN privileges to abuse this) [squeeze] - linux-2.6 (attacker needs elevated CAP_SYS_ADMIN privileges to abuse this) - vsftpd 2.3.4-1 (bug #629373) [squeeze] - vsftpd 2.3.2-3+squeeze2 [lenny] - vsftpd 2.0.7-1+lenny1 NOTE: this is technically a kernel bug. however this has been workarounded specifically NOTE: for vsftpd by adding a kernel check before using this feature, see DSA-2304-1 NOTE: for details CVE-2011-2187 (xscreensaver before 5.14 crashes during activation and leaves the scre ...) - xscreensaver 5.14-1 (bug #627382) [squeeze] - xscreensaver (introduced in 5.13) CVE-2011-2186 REJECTED CVE-2011-2181 (Multiple SQL injection vulnerabilities in A Really Simple Chat (ARSC) ...) NOT-FOR-US: A Really Simple Chat CVE-2011-2180 (Cross-site scripting (XSS) vulnerability in dereferer.php in A Really ...) NOT-FOR-US: A Really Simple Chat CVE-2011-2177 (OpenOffice.org v3.3 allows execution of arbitrary code with the privil ...) NOT-FOR-US: Claimed older OpenOffice vulnerability, which was never disclosed CVE-2011-2176 (GNOME NetworkManager before 0.8.6 does not properly enforce the auth_a ...) - network-manager 0.9.0-1 (low; bug #631520) [squeeze] - network-manager (Minor issue) NOTE: http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?h=id=e7273c1609ac267e1d77ff03c97c8929f15e3737 NOTE: http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?h=id=287fe10c40ae9b90ce703b79f3479b755f0956c0 NOTE: http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?h=id=e5085f950730b1e2e68645231e2042127c29a82e CVE-2011-2167 (script-login in Dovecot 2.0.x before 2.0.13 does not follow the chroot ...) - dovecot 1:2.0.13-1 (low) [squeeze] - dovecot (Vulnerable script not present) [lenny] - dovecot (Vulnerable script not present) CVE-2011-2166 (script-login in Dovecot 2.0.x before 2.0.13 does not follow the user a ...) - dovecot 1:2.0.13-1 (low) [squeeze] - dovecot (Vulnerable script not present) [lenny] - dovecot (Vulnerable script not present) CVE-2010-4805 (The socket implementation in net/core/sock.c in the Linux kernel befor ...) - linux-2.6 2.6.34-1 [squeeze] - linux-2.6 2.6.32-48 CVE-2009-5077 (CRE Loaded before 6.2.14 allows remote attackers to bypass authenticat ...) NOT-FOR-US: CRE Loaded CVE-2009-5076 (CRE Loaded before 6.2.14, and possibly other versions before 6.3.x, al ...) NOT-FOR-US: CRE Loaded CVE-2011-2477 (Multiple cross-site scripting (XSS) vulnerabilities in config.c in con ...) - icinga 1.4.1-1 [squeeze] - icinga (Minor issue) - nagios3 3.4.1-1 [squeeze] - nagios3 (Minor issue) NOTE: Nagios might be fixed earlier than 3.4.1, checked the Wheezy version CVE-2011-2476 (Cross-site scripting (XSS) vulnerability in Coppermine Photo Gallery ( ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2011-2208 (Integer signedness error in the osf_getdomainname function in arch/alp ...) {DSA-2310-1} - linux-2.6 2.6.32-1 NOTE: Support for Alpha was dropped with Squeeze, so marking 2.6.32 as fixed CVE-2011-2209 (Integer signedness error in the osf_sysinfo function in arch/alpha/ker ...) {DSA-2310-1} - linux-2.6 2.6.32-1 NOTE: Support for Alpha was dropped with Squeeze, so marking 2.6.32 as fixed CVE-2011-2210 (The osf_getsysinfo function in arch/alpha/kernel/osf_sys.c in the Linu ...) - linux-2.6 2.6.32-1 NOTE: Support for Alpha was dropped with Squeeze, so marking 2.6.32 as fixed CVE-2011-2211 (The osf_wait4 function in arch/alpha/kernel/osf_sys.c in the Linux ker ...) {DSA-2310-1} - linux-2.6 2.6.32-1 NOTE: Support for Alpha was dropped with Squeeze, so marking 2.6.32 as fixed CVE-2011-2203 (The hfs_find_init function in the Linux kernel 2.6 allows local users ...) - linux-2.6 3.1.1-1 [squeeze] - linux-2.6 2.6.32-40 CVE-2011-2202 (The rfc1867_post_handler function in main/rfc1867.c in PHP before 5.3. ...) {DSA-2266-1} - php5 5.3.6-12 CVE-2011-2199 (Buffer overflow in tftp-hpa before 5.1 allows remote attackers to caus ...) - tftp-hpa 5.1-1 (low) [squeeze] - tftp-hpa (Minor issue) NOTE: http://git.kernel.org/?p=network/tftp/tftp-hpa.git;a=commitdiff;h=f3035c45bc50bb5cac87ca01e7ef6a12485184f8 CVE-2011-2198 (The "insert-blank-characters" capability in caps.c in gnome-terminal ( ...) - vte 1:0.28.1-1 (low; bug #629688) [lenny] - vte (Minor issue) [squeeze] - vte 1:0.24.3-3 CVE-2011-2185 (Fabric before 1.1.0 allows local users to overwrite arbitrary files vi ...) - fabric 1.1.2-1 (low; bug #629003) [squeeze] - fabric (Minor issue) CVE-2011-2475 (Format string vulnerability in ECTrace.dll in the iMailGateway service ...) NOT-FOR-US: Sybase OneBridge Mobile Data Suite CVE-2011-2474 (Directory traversal vulnerability in the HTTP Server in Sybase EAServe ...) NOT-FOR-US: Sybase EAServer CVE-2011-2473 (The do_dump_data function in utils/opcontrol in OProfile 0.9.6 and ear ...) - oprofile 0.9.6-1.1+squeeze2 (bug #630084) CVE-2011-2472 (Directory traversal vulnerability in utils/opcontrol in OProfile 0.9.6 ...) - oprofile 0.9.6-1.1+squeeze2 (bug #630084) CVE-2011-2471 (utils/opcontrol in OProfile 0.9.6 and earlier might allow local users ...) - oprofile 0.9.6-1.1+squeeze2 (bug #630084) CVE-2011-2468 (Directory traversal vulnerability in the web interface in AnyMacro Mai ...) NOT-FOR-US: AnyMacro Mail System G4X CVE-2011-2395 (The Neighbor Discovery (ND) protocol implementation in Cisco IOS on un ...) NOT-FOR-US: Cisco CVE-2011-2383 (Microsoft Internet Explorer 9 and earlier does not properly restrict c ...) NOT-FOR-US: Microsoft CVE-2011-2342 (The DOM implementation in Google Chrome before 12.0.742.91 allows remo ...) - chromium-browser 12.0.742.91~r87961-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/88071 CVE-2011-2382 (Microsoft Internet Explorer 8 and earlier, and Internet Explorer 9 bet ...) NOT-FOR-US: Microsoft CVE-2011-2332 (Google V8, as used in Google Chrome before 12.0.742.91, allows remote ...) - chromium-browser 12.0.742.91~r87961-1 [squeeze] - chromium-browser - libv8 3.4.14-1 [squeeze] - libv8 (Unsupported in squeeze-lts) NOTE: execScript removed in libv8 3.2 branch CVE-2011-2194 (Integer overflow in the XSPF playlist parser in VideoLAN VLC media pla ...) {DSA-2257-1} - vlc 1.1.10-1 [lenny] - vlc (Vulnerable code not present) NOTE: http://repo.or.cz/w/vlc.git/commitdiff/cd929923ff49175a501bb3e9553a683bc42ff61c CVE-2011-2190 (The generate_admin_password function in Cherokee before 1.2.99 uses ti ...) - cherokee 1.0.14-1 (low; bug #647205) [squeeze] - cherokee 1.0.8-5+squeeze1 [lenny] - cherokee (Minor issue) NOTE: http://code.google.com/p/cherokee/issues/detail?id=1212 CVE-2011-2188 (LuaExpat before 1.2.0 does not properly detect recursion during entity ...) - lua-expat 1.2.0-1 (low; bug #629225) [squeeze] - lua-expat 1.2.0-0squeeze1 [lenny] - lua-expat (Minor issue) CVE-2011-2184 (The key_replace_session_keyring function in security/keys/process_keys ...) - linux-2.6 2.6.39-2 [lenny] - linux-2.6 (Introduced in 2.6.39) [squeeze] - linux-2.6 (Introduced in 2.6.39) CVE-2011-2183 (Race condition in the scan_get_next_rmap_item function in mm/ksm.c in ...) {DSA-2389-1} - linux-2.6 2.6.39-3 (low) [lenny] - linux-2.6 (Vulnerable code not present) [squeeze] - linux-2.6 2.6.32-36 CVE-2005-4890 (There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo ...) - shadow 1:4.1.5-1 (low; bug #628843) [squeeze] - shadow (Minor issue) [lenny] - shadow (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=173008 - sudo 1.7.4p4 (low; bug #657784) NOTE: sudo might be fixed earlier, use_pty present in stable CVE-2011-2331 (Integer overflow in img.exe in HP Intelligent Management Center (IMC) ...) NOT-FOR-US: HP Intelligent Management Center (IMC) CVE-2011-2330 (Tivoli Endpoint in IBM Tivoli Management Framework 3.7.1, 4.1, 4.1.1, ...) NOT-FOR-US: IBM Tivoli Management Framework CVE-2011-2328 (Buffer overflow in HP LoadRunner allows remote attackers to cause a de ...) NOT-FOR-US: HP LoadRunner CVE-2011-2215 (Unspecified vulnerability in WalRack 1.x before 1.1.8 and 2.x before 2 ...) NOT-FOR-US: WalRack CVE-2011-2214 (Unspecified vulnerability in the Open Database Connectivity (ODBC) com ...) NOT-FOR-US: 7T Interactive Graphical SCADA System CVE-2011-2175 (Integer underflow in the visual_read function in wiretap/visual.c in W ...) {DSA-2274-1} - wireshark 1.6.0-1 (unimportant; bug #630159) NOTE: Crashes w/o code injection not treated as security issues, see README.Security CVE-2011-2174 (Double free vulnerability in the tvb_uncompress function in epan/tvbuf ...) {DSA-2274-1} - wireshark 1.6.0-1 (bug #630159) CVE-2011-2173 (The implementation of OutputMediator objects in IBM WebSphere Portal 6 ...) NOT-FOR-US: IBM WebSphere Portal CVE-2011-2172 (Cross-site scripting (XSS) vulnerability in the search center in IBM W ...) NOT-FOR-US: IBM WebSphere Portal CVE-2011-2171 (Unspecified vulnerability in the dbugs package in Google Chrome OS bef ...) NOT-FOR-US: Google Chrome OS CVE-2011-2170 (Google Chrome OS before R12 0.12.433.38 Beta, when Guest mode is enabl ...) NOT-FOR-US: Google Chrome OS CVE-2011-2169 (Google Chrome OS before R12 0.12.433.38 Beta allows local users to gai ...) NOT-FOR-US: Google Chrome OS CVE-2011-2168 (Multiple integer overflows in the glob implementation in libc in OpenB ...) NOT-FOR-US: OpenBSD CVE-2011-2165 (The STARTTLS implementation in WatchGuard XCS 9.0 and 9.1 does not pro ...) NOT-FOR-US: WatchGuard XCS CVE-2010-4807 (Race condition in IBM Web Content Manager (WCM) 7.0.0.1 before CF003 a ...) NOT-FOR-US: IBM Web Content Manager CVE-2010-4806 (The authoring tool in IBM Web Content Manager (WCM) 6.1.5, and 7.0.0.1 ...) NOT-FOR-US: IBM Web Content Manager CVE-2011-2182 (The ldm_frag_add function in fs/partitions/ldm.c in the Linux kernel b ...) {DSA-2264-1} - linux-2.6 2.6.39-2 [squeeze] - linux-2.6 2.6.32-35 CVE-2011-2179 (Multiple cross-site scripting (XSS) vulnerabilities in config.c in con ...) - nagios3 3.2.3-3 (bug #629127) [lenny] - nagios3 (Affected feature got introduced in 3.2.2) [squeeze] - nagios3 (Affected feature got introduced in 3.2.2) - icinga 1.4.1-1 (bug #629131) [squeeze] - icinga (Affected feature got introduced in 1.3.1) [lenny] - icinga (Affected feature got introduced in 1.3.1) NOTE: http://tracker.nagios.org/view.php?id=224 CVE-2011-2178 (The virSecurityManagerGetPrivateData function in security/security_man ...) - libvirt 0.9.1-2 (bug #629128) [squeeze] - libvirt (Introduced in 0.8.8) [lenny] - libvirt (Introduced in 0.8.8) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=709769 NOTE: https://www.redhat.com/archives/libvir-list/2011-May/msg01935.html CVE-2011-2216 (reqresp_parser.c in the SIP channel driver in Asterisk Open Source 1.8 ...) - asterisk 1:1.8.4.2-1 (bug #629130) [lenny] - asterisk (Only affects 1.8) [squeeze] - asterisk (Only affects 1.8) NOTE: http://downloads.digium.com/pub/security/AST-2011-007.html CVE-2011-XXXX [unspecified security vulnerabilities] - movabletype-opensource 4.3.6+dfsg-1 (bug #627936) [squeeze] - movabletype-opensource 4.3.5+dfsg-2+squeeze2 [lenny] - movabletype-opensource 4.2.3-1+lenny3 CVE-2011-2164 (Multiple unspecified vulnerabilities in Adobe Photoshop before 12.0.4 ...) NOT-FOR-US: Photoshop CVE-2011-2163 (Unspecified vulnerability in Virtualization Manager 1.2.2 in IBM Syste ...) NOT-FOR-US: IBM Systems Director CVE-2011-2162 (Multiple unspecified vulnerabilities in FFmpeg 0.4.x through 0.6.x, as ...) {DSA-2306-1} - libav 4:0.6-1 (bug #628448) - ffmpeg 7:2.4.1-1 - ffmpeg-debian NOTE: duplicate of CVE-2011-1198 CVE-2011-2161 (The ape_read_header function in ape.c in libavformat in FFmpeg before ...) {DSA-2306-1} - libav 4:0.6-1 (bug #628448) - ffmpeg 7:2.4.1-1 - ffmpeg-debian NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=1c31b26b CVE-2011-2160 (The VC-1 decoding functionality in FFmpeg before 0.5.4, as used in MPl ...) {DSA-2306-1} - libav 4:0.6-1 (bug #628448) - ffmpeg 7:2.4.1-1 - ffmpeg-debian NOTE: duplicate of CVE-2011-0723 NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=8069e2f6 CVE-2011-2159 (The SmarterTools SmarterStats 6.0 web server omits the Content-Type he ...) NOT-FOR-US: SmarterStats CVE-2011-2158 (The SmarterTools SmarterStats 6.0 web server sends incorrect Content-T ...) NOT-FOR-US: SmarterStats CVE-2011-2157 (The (1) Admin/frmEmailReportSettings.aspx and (2) Admin/frmGeneralSett ...) NOT-FOR-US: SmarterStats CVE-2011-2156 (The SmarterTools SmarterStats 6.0 web server allows remote attackers t ...) NOT-FOR-US: SmarterStats CVE-2011-2155 (Login.aspx in the SmarterTools SmarterStats 6.0 web server generates a ...) NOT-FOR-US: SmarterStats CVE-2011-2154 (login.aspx in the SmarterTools SmarterStats 6.0 web server does not in ...) NOT-FOR-US: SmarterStats CVE-2011-2153 (Login.aspx in the SmarterTools SmarterStats 6.0 web server supports UR ...) NOT-FOR-US: SmarterStats CVE-2011-2152 (The SmarterTools SmarterStats 6.0 web server generates web pages conta ...) NOT-FOR-US: SmarterStats CVE-2011-2151 (The (1) Admin/frmEmailReportSettings.aspx, (2) Admin/frmGeneralSetting ...) NOT-FOR-US: SmarterStats CVE-2011-2150 (The SmarterTools SmarterStats 6.0 web server does not properly validat ...) NOT-FOR-US: SmarterStats CVE-2011-2149 (Multiple SQL injection vulnerabilities in the SmarterTools SmarterStat ...) NOT-FOR-US: SmarterStats CVE-2011-2148 (Admin/frmSite.aspx in the SmarterTools SmarterStats 6.0 web server all ...) NOT-FOR-US: SmarterStats CVE-2011-2147 (Openswan 2.2.x does not properly restrict permissions for (1) /var/run ...) - openswan (In Debian no starter.pid is ever written and the subsys entry gets created with -rw-r--r-- permissions, bug #628449) CVE-2011-2146 (mount.vmhgfs in the VMware Host Guest File System (HGFS) in VMware Wor ...) - open-vm-tools 2:8.4.2+2011.08.21-471295-1 (bug #631507) [lenny] - open-vm-tools (Contrib not supported) [squeeze] - open-vm-tools (Contrib not supported) CVE-2011-2145 (mount.vmhgfs in the VMware Host Guest File System (HGFS) in VMware Wor ...) - open-vm-tools 2:8.4.2+2011.08.21-471295-1 (bug #631508) [lenny] - open-vm-tools (Contrib not supported) [squeeze] - open-vm-tools (Contrib not supported) CVE-2009-5075 (Monkey's Audio before 4.02 allows remote attackers to cause a denial o ...) NOT-FOR-US: Monkey's Audio CVE-2006-7245 (Monkey's Audio before 4.01b2 allows remote attackers to cause a denial ...) NOT-FOR-US: Monkey's Audio CVE-2011-2144 (The eDocument Conversion Actions implementation in IBM Datacap Taskmas ...) NOT-FOR-US: IBM Datacap Taskmaster Capture CVE-2011-2143 (IBM Datacap Taskmaster Capture 8.0.1 before FP1, when Windows Authenti ...) NOT-FOR-US: IBM Datacap Taskmaster Capture CVE-2011-2142 (The Web Client Service in IBM Datacap Taskmaster Capture 8.0.1 before ...) NOT-FOR-US: IBM Datacap Taskmaster Capture CVE-2011-2141 (SQL injection vulnerability in TMWeb in IBM Datacap Taskmaster Capture ...) NOT-FOR-US: IBM Datacap Taskmaster Capture CVE-2011-2140 (Adobe Flash Player before 10.3.183.5 on Windows, Mac OS X, Linux, and ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2139 (Adobe Flash Player before 10.3.183.5 on Windows, Mac OS X, Linux, and ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2138 (Integer overflow in Adobe Flash Player before 10.3.183.5 on Windows, M ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2137 (Buffer overflow in Adobe Flash Player before 10.3.183.5 on Windows, Ma ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2136 (Integer overflow in Adobe Flash Player before 10.3.183.5 on Windows, M ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2135 (Adobe Flash Player before 10.3.183.5 on Windows, Mac OS X, Linux, and ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2134 (Buffer overflow in Adobe Flash Player before 10.3.183.5 on Windows, Ma ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2133 (Cross-site scripting (XSS) vulnerability in Adobe RoboHelp 8 and 9 bef ...) NOT-FOR-US: Adobe RoboHelp CVE-2011-2132 (Adobe Flash Media Server (FMS) before 3.5.7, and 4.x before 4.0.3, all ...) NOT-FOR-US: Adobe Flash Media Server CVE-2011-2131 (Adobe Photoshop 12.0 in Creative Suite 5 (CS5) and 12.1 in Creative Su ...) NOT-FOR-US: Adobe Photoshop CVE-2011-2130 (Buffer overflow in Adobe Flash Player before 10.3.183.5 on Windows, Ma ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2129 REJECTED CVE-2011-2128 (Adobe Shockwave Player before 11.6.0.626 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-2127 (Adobe Shockwave Player before 11.6.0.626 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-2126 (Buffer overflow in Adobe Shockwave Player before 11.6.0.626 allows att ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-2125 (Buffer overflow in Dirapix.dll in Adobe Shockwave Player before 11.6.0 ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-2124 (Adobe Shockwave Player before 11.6.0.626 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-2123 (Integer overflow in the Shockwave 3D Asset x32 component in Adobe Shoc ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-2122 (Dirapi.dll in Adobe Shockwave Player before 11.6.0.626 allows attacker ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-2121 (Integer overflow in Adobe Shockwave Player before 11.6.0.626 allows at ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-2120 (Integer overflow in the CursorAsset x32 component in Adobe Shockwave P ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-2119 (Dirapi.dll in Adobe Shockwave Player before 11.6.0.626 allows attacker ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-2118 (The FLV ASSET Xtra component in Adobe Shockwave Player before 11.6.0.6 ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-2117 (Adobe Shockwave Player before 11.6.0.626 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-2116 (IML32.dll in Adobe Shockwave Player before 11.6.0.626 allows attackers ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-2115 (IML32.dll in Adobe Shockwave Player before 11.6.0.626 allows remote at ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-2114 (Adobe Shockwave Player before 11.6.0.626 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-2113 (Multiple buffer overflows in the Shockwave3DAsset component in Adobe S ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-2112 (Multiple buffer overflows in IML32.dll in Adobe Shockwave Player befor ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-2111 (IML32.dll in Adobe Shockwave Player before 11.6.0.626 allows attackers ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-2110 (Adobe Flash Player before 10.3.181.26 on Windows, Mac OS X, Linux, and ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2109 (Multiple integer overflows in Dirapi.dll in Adobe Shockwave Player bef ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-2108 (Adobe Shockwave Player before 11.6.0.626 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-2107 (Cross-site scripting (XSS) vulnerability in Adobe Flash Player before ...) NOT-FOR-US: Adobe Flash Player CVE-2011-2106 (Adobe Reader and Acrobat 8.x before 8.3, 9.x before 9.4.5, and 10.x be ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2011-2105 (Adobe Reader and Acrobat 8.x before 8.3, 9.x before 9.4.5, and 10.x be ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2011-2104 (Adobe Reader and Acrobat 8.x before 8.3, 9.x before 9.4.5, and 10.x be ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2011-2103 (Adobe Reader and Acrobat 8.x before 8.3 on Windows and Mac OS X allow ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2011-2102 (Unspecified vulnerability in Adobe Reader and Acrobat before 10.1 on W ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2011-2101 (Adobe Reader and Acrobat 8.x before 8.3, 9.x before 9.4.5, and 10.x be ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2011-2100 (Untrusted search path vulnerability in Adobe Reader and Acrobat 8.x be ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2011-2099 (Adobe Reader and Acrobat 8.x before 8.3, 9.x before 9.4.5, and 10.x be ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2011-2098 (Adobe Reader and Acrobat 8.x before 8.3, 9.x before 9.4.5, and 10.x be ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2011-2097 (Buffer overflow in Adobe Reader and Acrobat 8.x before 8.3, 9.x before ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2011-2096 (Heap-based buffer overflow in Adobe Reader and Acrobat 8.x before 8.3, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2011-2095 (Buffer overflow in Adobe Reader and Acrobat 8.x before 8.3, 9.x before ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2011-2094 (Buffer overflow in Adobe Reader and Acrobat 8.x before 8.3, 9.x before ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2011-2093 (Adobe LiveCycle Data Services 3.1 and earlier, LiveCycle 9.0.0.2 and e ...) NOT-FOR-US: Adobe LiveCycle Data Services CVE-2011-2092 (Adobe LiveCycle Data Services 3.1 and earlier, LiveCycle 9.0.0.2 and e ...) NOT-FOR-US: Adobe LiveCycle Data Services CVE-2011-2091 (Unspecified vulnerability in Adobe ColdFusion 8.0, 8.0.1, 9.0, and 9.0 ...) NOT-FOR-US: Adobe ColdFusion CVE-2011-2090 RESERVED CVE-2011-2089 (Stack-based buffer overflow in the SetActiveXGUID method in the Versio ...) NOT-FOR-US: ICONICS BizViz, GENESIS32 CVE-2011-2088 (XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymp ...) - libstruts1.2-java (struts 2 issue) CVE-2011-2087 (Multiple cross-site scripting (XSS) vulnerabilities in component handl ...) - libstruts1.2-java (struts 2 issue) CVE-2011-2086 RESERVED CVE-2011-2085 (Multiple cross-site request forgery (CSRF) vulnerabilities in Best Pra ...) {DSA-2480-1} - request-tracker4 4.0.5-3 CVE-2011-2084 (Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 all ...) {DSA-2480-1} - request-tracker4 4.0.5-3 CVE-2011-2083 (Multiple cross-site scripting (XSS) vulnerabilities in Best Practical ...) {DSA-2480-1} - request-tracker4 4.0.5-3 CVE-2011-2082 (The vulnerable-passwords script in Best Practical Solutions RT 3.x bef ...) {DSA-2480-1} - request-tracker4 4.0.5-3 CVE-2011-2081 (MediaCAST 8 and earlier does not properly handle requests for inventiv ...) NOT-FOR-US: MediaCAST CVE-2011-2080 (Multiple SQL injection vulnerabilities in MediaCAST 8 and earlier allo ...) NOT-FOR-US: MediaCAST CVE-2011-2079 (MediaCAST 8 and earlier allows remote attackers to have an unspecified ...) NOT-FOR-US: MediaCAST CVE-2011-2078 (Multiple cross-site scripting (XSS) vulnerabilities in the New Atlanta ...) NOT-FOR-US: New Atlanta BlueDragon CVE-2011-2077 (The default configuration of the New Atlanta BlueDragon administrative ...) NOT-FOR-US: New Atlanta BlueDragon CVE-2011-2076 (MediaCAST 8 and earlier stores passwords in cleartext, which makes it ...) NOT-FOR-US: MediaCAST CVE-2011-2075 (Unspecified vulnerability in Google Chrome 11.0.696.65 on Windows 7 SP ...) NOT-FOR-US: Historical Chrome issue on Windows CVE-2011-2074 (Unspecified vulnerability in the client in Skype 5.x before 5.1.0.922 ...) NOT-FOR-US: Skype CVE-2011-2073 RESERVED CVE-2011-2072 (Memory leak in Cisco IOS 12.4, 15.0, and 15.1, Cisco IOS XE 2.5.x thro ...) NOT-FOR-US: Cisco CVE-2011-2071 RESERVED CVE-2011-2070 RESERVED CVE-2011-2069 RESERVED CVE-2011-2068 RESERVED CVE-2011-2067 RESERVED CVE-2011-2066 RESERVED CVE-2011-2065 RESERVED CVE-2011-2064 (Cisco IOS 12.4MDA before 12.4(24)MDA5 on the Cisco Content Services Ga ...) NOT-FOR-US: Cisco IOS CVE-2011-2063 RESERVED CVE-2011-2062 RESERVED CVE-2011-2061 RESERVED CVE-2011-2060 (The platform-sw component on Cisco Adaptive Security Appliances (ASA) ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2011-2059 (The ipv6 component in Cisco IOS before 15.1(4)M1.3 allows remote attac ...) NOT-FOR-US: Cisco IOS CVE-2011-2058 (The cat6000-dot1x component in Cisco IOS 12.2 before 12.2(33)SXI7 does ...) NOT-FOR-US: Cisco IOS CVE-2011-2057 (The cat6000-dot1x component in Cisco IOS 12.2 before 12.2(33)SXI7 does ...) NOT-FOR-US: Cisco IOS CVE-2011-2056 RESERVED CVE-2011-2055 RESERVED CVE-2011-2054 (A vulnerability in the Cisco ASA that could allow a remote attacker to ...) NOT-FOR-US: Cisco CVE-2011-2053 RESERVED CVE-2011-2052 RESERVED CVE-2011-2051 RESERVED CVE-2011-2050 RESERVED CVE-2011-2049 RESERVED CVE-2011-2048 RESERVED CVE-2011-2047 RESERVED CVE-2011-2046 RESERVED CVE-2011-2045 RESERVED CVE-2011-2044 RESERVED CVE-2011-2043 RESERVED CVE-2011-2042 (The Sybase SQL Anywhere database component in Cisco CiscoWorks Common ...) NOT-FOR-US: Cisco CiscoWorks CVE-2011-2041 (The Start Before Logon (SBL) functionality in Cisco AnyConnect Secure ...) NOT-FOR-US: Cisco CVE-2011-2040 (The helper application in Cisco AnyConnect Secure Mobility Client (for ...) NOT-FOR-US: Cisco CVE-2011-2039 (The helper application in Cisco AnyConnect Secure Mobility Client (for ...) NOT-FOR-US: Cisco CVE-2011-2038 RESERVED CVE-2011-2037 RESERVED CVE-2011-2036 RESERVED CVE-2011-2035 RESERVED CVE-2011-2034 RESERVED CVE-2011-2033 RESERVED CVE-2011-2032 RESERVED CVE-2011-2031 RESERVED CVE-2011-2030 RESERVED CVE-2011-2029 RESERVED CVE-2011-2028 RESERVED CVE-2011-2027 RESERVED CVE-2011-2026 RESERVED CVE-2011-2025 RESERVED CVE-2011-2024 (Cisco Network Registrar before 7.2 has a default administrative passwo ...) NOT-FOR-US: Cisco CVE-2011-2023 (Cross-site scripting (XSS) vulnerability in functions/mime.php in Squi ...) {DSA-2291-1} - squirrelmail 2:1.4.22-1 CVE-2011-2022 (The agp_generic_remove_memory function in drivers/char/agp/generic.c i ...) {DSA-2264-1 DSA-2240-1} - linux-2.6 2.6.38-5 CVE-2011-2021 (Session fixation vulnerability in TIBCO iProcess Engine before 11.1.3 ...) NOT-FOR-US: TIBCO iProcess Engine CVE-2011-2020 (Cross-site scripting (XSS) vulnerability in TIBCO iProcess Engine befo ...) NOT-FOR-US: TIBCO iProcess Engine CVE-2011-2019 (Untrusted search path vulnerability in Microsoft Internet Explorer 9 o ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-2018 (The kernel in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP ...) NOT-FOR-US: Microsoft Windows XP CVE-2011-2017 REJECTED CVE-2011-2016 (Untrusted search path vulnerability in Windows Mail and Windows Meetin ...) NOT-FOR-US: Microsoft Windows CVE-2011-2015 REJECTED CVE-2011-2014 (The LDAP over SSL (aka LDAPS) implementation in Active Directory, Acti ...) NOT-FOR-US: Microsoft Windows CVE-2011-2013 (Integer overflow in the TCP/IP implementation in Microsoft Windows Vis ...) NOT-FOR-US: Microsoft Windows CVE-2011-2012 (Microsoft Forefront Unified Access Gateway (UAG) 2010 Gold, Update 1, ...) NOT-FOR-US: Microsoft Forefront CVE-2011-2011 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: Microsoft Windows CVE-2011-2010 (The Microsoft Office Input Method Editor (IME) for Simplified Chinese ...) NOT-FOR-US: Microsoft Office CVE-2011-2009 (Untrusted search path vulnerability in Windows Media Center in Microso ...) NOT-FOR-US: Microsoft Windows CVE-2011-2008 (Microsoft Host Integration Server (HIS) 2004 SP1, 2006 SP1, 2009, and ...) NOT-FOR-US: Microsoft Host Integration Server CVE-2011-2007 (Microsoft Host Integration Server (HIS) 2004 SP1, 2006 SP1, 2009, and ...) NOT-FOR-US: Microsoft Host Integration Server CVE-2011-2006 REJECTED CVE-2011-2005 (afd.sys in the Ancillary Function Driver in Microsoft Windows XP SP2 a ...) NOT-FOR-US: Microsoft Windows CVE-2011-2004 (Array index error in win32k.sys in the kernel-mode drivers in Microsof ...) NOT-FOR-US: Microsoft Windows CVE-2011-2003 (Buffer overflow in win32k.sys in the kernel-mode drivers in Microsoft ...) NOT-FOR-US: Microsoft Windows CVE-2011-2002 (win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, ...) NOT-FOR-US: Microsoft Windows CVE-2011-2001 (Microsoft Internet Explorer 6 through 9 does not properly handle objec ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-2000 (Microsoft Internet Explorer 6 through 9 does not properly handle objec ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-1999 (Microsoft Internet Explorer 8 does not properly allocate and access me ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-1998 (Microsoft Internet Explorer 9 does not properly handle objects in memo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-1997 (Microsoft Internet Explorer 6 does not properly handle objects in memo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-1996 (Microsoft Internet Explorer 6 through 8 does not properly handle objec ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-1995 (Microsoft Internet Explorer 6 through 9 does not properly handle objec ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-1994 REJECTED CVE-2011-1993 (Microsoft Internet Explorer 6 through 9 does not properly handle objec ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-1992 (The XSS Filter in Microsoft Internet Explorer 8 allows remote attacker ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-1991 (Multiple untrusted search path vulnerabilities in Microsoft Windows XP ...) NOT-FOR-US: Microsoft Windows CVE-2011-1990 (Microsoft Excel 2007 SP2; Excel in Office 2007 SP2; Excel Viewer SP2; ...) NOT-FOR-US: Microsoft Excel CVE-2011-1989 (Microsoft Excel 2003 SP3 and 2007 SP2; Excel in Office 2007 SP2; Excel ...) NOT-FOR-US: Microsoft Excel CVE-2011-1988 (Microsoft Excel 2003 SP3 and 2007 SP2; Excel in Office 2007 SP2; Offic ...) NOT-FOR-US: Microsoft Excel CVE-2011-1987 (Array index error in Microsoft Excel 2003 SP3 and 2007 SP2; Excel in O ...) NOT-FOR-US: Microsoft Excel CVE-2011-1986 (Use-after-free vulnerability in Microsoft Excel 2003 SP3 allows remote ...) NOT-FOR-US: Microsoft Excel CVE-2011-1985 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2011-1984 (WINS in Microsoft Windows Server 2003 SP2 and Server 2008 SP2, R2, and ...) NOT-FOR-US: Microsoft Windows CVE-2011-1983 (Use-after-free vulnerability in Microsoft Office 2007 SP2 and SP3, Off ...) NOT-FOR-US: Microsoft Office CVE-2011-1982 (Microsoft Office 2007 SP2, and 2010 Gold and SP1, does not initialize ...) NOT-FOR-US: Microsoft Office CVE-2011-1981 REJECTED CVE-2011-1980 (Untrusted search path vulnerability in Microsoft Office 2003 SP3 and 2 ...) NOT-FOR-US: Microsoft Office CVE-2011-1979 (Microsoft Visio 2003 SP3 and 2007 SP2 does not properly validate objec ...) NOT-FOR-US: Microsoft Visio CVE-2011-1978 (Microsoft .NET Framework 2.0 SP2, 3.5.1, and 4 does not properly valid ...) NOT-FOR-US: Microsoft .NET CVE-2011-1977 (The ASP.NET Chart controls in Microsoft .NET Framework 4, and Chart Co ...) NOT-FOR-US: Microsoft .NET CVE-2011-1976 (Cross-site scripting (XSS) vulnerability in the Report Viewer Control ...) NOT-FOR-US: Microsoft Visual Studio CVE-2011-1975 (Untrusted search path vulnerability in the Data Access Tracing compone ...) NOT-FOR-US: Microsoft CVE-2011-1974 (NDISTAPI.sys in the NDISTAPI driver in Remote Access Service (RAS) in ...) NOT-FOR-US: Microsoft Windows CVE-2011-1973 REJECTED CVE-2011-1972 (Microsoft Visio 2003 SP3, 2007 SP2, and 2010 Gold and SP1 does not pro ...) NOT-FOR-US: Microsoft Visio CVE-2011-1971 (The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2 ...) NOT-FOR-US: Microsoft Windows CVE-2011-1970 (The DNS server in Microsoft Windows Server 2003 SP2 and Windows Server ...) NOT-FOR-US: Microsoft Windows CVE-2011-1969 (Microsoft Forefront Unified Access Gateway (UAG) 2010 Gold, Update 1, ...) NOT-FOR-US: Microsoft Forefront CVE-2011-1968 (The Remote Desktop Protocol (RDP) implementation in Microsoft Windows ...) NOT-FOR-US: Microsoft Windows CVE-2011-1967 (Winsrv.dll in the Client/Server Run-time Subsystem (aka CSRSS) in the ...) NOT-FOR-US: Microsoft Windows CVE-2011-1966 (The DNS server in Microsoft Windows Server 2008 SP2, R2, and R2 SP1 do ...) NOT-FOR-US: Microsoft Windows CVE-2011-1965 (Tcpip.sys in the TCP/IP stack in Microsoft Windows 7 Gold and SP1 and ...) NOT-FOR-US: Microsoft Windows CVE-2011-1964 (Microsoft Internet Explorer 6 through 9 does not properly handle objec ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-1963 (Microsoft Internet Explorer 7 through 9 does not properly handle objec ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-1962 (Microsoft Internet Explorer 6 through 9 does not properly handle unspe ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-1961 (The telnet URI handler in Microsoft Internet Explorer 6 through 9 does ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-1960 (Microsoft Internet Explorer 6 through 9 does not properly implement Ja ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-1959 (The snoop_read function in wiretap/snoop.c in Wireshark 1.2.x before 1 ...) {DSA-2274-1} - wireshark 1.6.0-1 (unimportant; bug #630159) NOTE: Crashes w/o code injection not treated as security issues, see README.Security CVE-2011-1958 (Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 allows user-assis ...) {DSA-2274-1} - wireshark 1.6.0-1 (unimportant) NOTE: Crashes w/o code injection not treated as security issues, see README.Security CVE-2011-1957 (The dissect_dcm_main function in epan/dissectors/packet-dcm.c in the D ...) {DSA-2274-1} - wireshark 1.6.0-1 (unimportant) NOTE: Crashes w/o code injection not treated as security issues, see README.Security CVE-2011-1956 (The bytes_repr_len function in Wireshark 1.4.5 uses an incorrect point ...) - wireshark 1.4.6-1 (unimportant) [lenny] - wireshark (Affects 1.4.5 only) [squeeze] - wireshark (Affects 1.4.5 only) NOTE: Crashes w/o code injection not treated as security issues, see README.Security CVE-2011-1955 RESERVED CVE-2011-1954 (Multiple cross-site request forgery (CSRF) vulnerabilities in Post Rev ...) NOT-FOR-US: Post Revolution CVE-2011-1953 (Multiple cross-site scripting (XSS) vulnerabilities in common.php in P ...) NOT-FOR-US: Post Revolution CVE-2011-1952 (common.php in Post Revolution before 0.8.0c-2 allows remote attackers ...) NOT-FOR-US: Post Revolution CVE-2011-1951 (lib/logmatcher.c in Balabit syslog-ng before 3.2.4, when the global fl ...) - syslog-ng 3.2.4-1 (low) [squeeze] - syslog-ng (Only affects PCRE >= 8.12) [lenny] - syslog-ng (Only affects PCRE >= 8.12) NOTE: http://git.balabit.hu/?p=bazsi/syslog-ng-3.2.git;a=commit;h=09710c0b105e579d35c7b5f6c66d1ea5e3a3d3ff CVE-2011-1950 (plone.app.users in Plone 4.0 and 4.1 allows remote authenticated users ...) - plone3 CVE-2011-1949 (Cross-site scripting (XSS) vulnerability in the safe_html filter in Pr ...) - plone3 CVE-2011-1948 (Cross-site scripting (XSS) vulnerability in Plone 4.1 and earlier allo ...) - plone3 CVE-2011-1947 (fetchmail 5.9.9 through 6.3.19 does not properly limit the wait time a ...) - fetchmail 6.3.22-1 (unimportant) NOTE: http://www.fetchmail.info/fetchmail-SA-2011-01.txt CVE-2011-1946 (gnomesu-pam-backend in libgnomesu 1.0.0 prints an error message but pr ...) NOT-FOR-US: libgnomesu CVE-2011-1945 (The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and ...) {DSA-2309-1} - openssl 1.0.0e-1 (low) CVE-2011-1944 (Integer overflow in xpath.c in libxml2 2.6.x through 2.6.32 and 2.7.x ...) {DSA-2255-1} - libxml2 2.7.8.dfsg-3 (bug #628537) CVE-2011-1943 (The destroy_one_secret function in nm-setting-vpn.c in libnm-util in t ...) - network-manager-openvpn (Affected code was only in experimental, see bug #628730) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=708876 CVE-2011-1942 RESERVED CVE-2011-1941 (Open redirect vulnerability in the redirector feature in phpMyAdmin 3. ...) - phpmyadmin 4:3.4.1-1 [lenny] - phpmyadmin (3.4.x only) [squeeze] - phpmyadmin (3.4.x only) CVE-2011-1940 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.3. ...) {DSA-2391-1} - phpmyadmin 4:3.4.1-1 [lenny] - phpmyadmin (3.3.x+ only) [squeeze] - phpmyadmin (may be bundled with future issues) CVE-2011-1939 (SQL injection vulnerability in Zend Framework 1.10.x before 1.10.9 and ...) - zendframework 1.11.6-1 (low) [squeeze] - zendframework (Minor issue) CVE-2011-1938 (Stack-based buffer overflow in the socket_connect function in ext/sock ...) {DSA-2399-1} - php5 5.3.6-13 (low) [lenny] - php5 (The Lenny version doesn't use memcpy) CVE-2011-1937 (Cross-site scripting (XSS) vulnerability in Webmin 1.540 and earlier a ...) - webmin CVE-2011-1936 (Xen, when using x86 Intel processors and the VMX virtualization extens ...) - linux-2.6 (Only affected the old Xen kernel patch from 2.6.18/2.6.26) CVE-2011-1935 (pcap-linux.c in libpcap 1.1.1 before commit ea9432fabdf4b33cbc76d94372 ...) - libpcap 1.1.1-4 (low; bug #623868) [squeeze] - libpcap 1.1.1-2+squeeze1 [lenny] - libpcap NOTE: <878vsbyviu.fsf@silenus.orebokech.com> CVE-2011-1934 (lilo-uuid-diskid causes lilo.conf to be world-readable in lilo 23.1. ...) - lilo 23.1-2 (low; bug #615103) [squeeze] - lilo (Introduced in 23.1) [lenny] - lilo (Introduced in 23.1) CVE-2011-1933 (SQL injection vulnerability in Jifty::DBI before 0.68. ...) - libjifty-dbi-perl 0.68-1 (low; bug #622919) [squeeze] - libjifty-dbi-perl 0.60-1+squeeze1 CVE-2011-1932 (Directory traversal vulnerability in io/filesystem/filesystem.cc in Wi ...) - widelands 1:15-3 (low; bug #617960) [lenny] - widelands (Minor issue) CVE-2011-1931 (sp5xdec.c in the Sunplus SP5X JPEG decoder in libavcodec in FFmpeg bef ...) - libav 4:0.6.2-3 (bug #624339) - ffmpeg (vulnerability introduced in 0.6) - ffmpeg-debian (vulnerability introduced in 0.6) CVE-2011-1930 (In klibc 1.5.20 and 1.5.21, the DHCP options written by ipconfig to /t ...) - klibc 1.5.22-1 (low) [squeeze] - klibc 1.5.20-1+squeeze1 [lenny] - klibc 1.5.12-2lenny1 CVE-2011-1929 (lib-mail/message-header-parser.c in Dovecot 1.2.x before 1.2.17 and 2. ...) {DSA-2252-1} - dovecot 1:2.0.13-1 (bug #627443) NOTE: [lenny] - dovecot (Vulnerability introduced in 1.1) NOTE: claims lenny is affected CVE-2011-1928 (The fnmatch implementation in apr_fnmatch.c in the Apache Portable Run ...) {DSA-2237-2} - apr 1.4.5-1 (bug #627182) CVE-2011-1927 (The ip_expire function in net/ipv4/ip_fragment.c in the Linux kernel b ...) - linux-2.6 2.6.39-1 (high) [squeeze] - linux-2.6 (Vulnerable code not present) [lenny] - linux-2.6 (Vulnerable code not present) CVE-2011-1926 (The STARTTLS implementation in Cyrus IMAP Server before 2.4.7 does not ...) {DSA-2258-1 DSA-2242-1} - cyrus-imapd-2.2 2.2.13p1-11 (bug #627081) - cyrus-imapd-2.4 2.4.7-1 - kolab-cyrus-imapd 2.2.13p1-0.1 (bug #629350) CVE-2011-1925 (nbd-server.c in Network Block Device (nbd-server) 2.9.21 allows remote ...) - nbd 1:2.9.22-1 (bug #627042) [wheezy] - nbd [squeeze] - nbd [lenny] - nbd CVE-2011-1924 (Buffer overflow in the policy_summarize function in or/policies.c in T ...) - tor 0.2.1.30-1 [squeeze] - tor (Only affects the central Tor directory servers) [lenny] - tor (Only affects the central Tor directory servers) CVE-2011-1923 (The Diffie-Hellman key-exchange implementation in dhm.c in PolarSSL be ...) - polarssl 0.14.3-1 (low; bug #616114) [squeeze] - polarssl (Minor issue) CVE-2011-1922 (daemon/worker.c in Unbound 1.x before 1.4.10, when debugging functiona ...) - unbound 1.4.10-1 (unimportant) [lenny] - unbound 1.4.6-1~lenny2 (unimportant) [squeeze] - unbound 1.4.6-1+squeeze2 (unimportant) NOTE: http://unbound.nlnetlabs.nl/downloads/CVE-2011-1922.txt NOTE: asserts not enabled in Debian build CVE-2011-1921 (The mod_dav_svn module for the Apache HTTP Server, as distributed in A ...) {DSA-2251-1} - subversion 1.6.17dfsg-1 CVE-2011-1920 (The make include files in NetBSD before 1.6.2, as used in pmake 1.111 ...) - pmake 1.111-3 (low; bug #626673) [squeeze] - pmake 1.111-2+squeeze1 [lenny] - pmake 1.111-1+lenny1 CVE-2011-1919 (Multiple stack-based buffer overflows in GE Intelligent Platforms Prof ...) NOT-FOR-US: GE Intelligent Platforms CVE-2011-1918 (Stack-based buffer overflow in the Data Archiver service in GE Intelli ...) NOT-FOR-US: GE Intelligent Platforms CVE-2011-1917 RESERVED CVE-2011-1916 RESERVED CVE-2011-1915 (SQL injection vulnerability in eClient 7.3.2.3 in Enspire Distribution ...) NOT-FOR-US: Enspire Distribution Management Solution CVE-2011-1914 (Buffer overflow in the Advantech ADAM OLE for Process Control (OPC) Se ...) NOT-FOR-US: ActiveX CVE-2011-1913 (SQL injection vulnerability in the login form in the web interface in ...) NOT-FOR-US: Mercator SENTINEL CVE-2011-1912 RESERVED CVE-2011-1911 (JasperServer in JasperReports Server Community Project 3.7.0 and 3.7.1 ...) NOT-FOR-US: JasperReports Server CVE-2011-1910 (Off-by-one error in named in ISC BIND 9.x before 9.7.3-P1, 9.8.x befor ...) {DSA-2244-1} - bind9 1:9.8.1.dfsg-1 (high) NOTE: https://lists.isc.org/pipermail/bind-users/2011-May/083819.html CVE-2011-1909 RESERVED CVE-2011-1908 (Integer overflow in the Type 1 font decoder in the FreeType engine in ...) NOT-FOR-US: Foxit Reader CVE-2011-1906 (Trustwave WebDefend Enterprise before 5.0 7.01.903-1.4 stores specific ...) NOT-FOR-US: Trustwave WebDefend Enterprise CVE-2011-1905 (Multiple cross-site request forgery (CSRF) vulnerabilities in unspecif ...) NOT-FOR-US: Proofpoint Messaging Security Gateway CVE-2011-1904 (An unspecified function in the web interface in Proofpoint Messaging S ...) NOT-FOR-US: Proofpoint Messaging Security Gateway CVE-2011-1903 (SQL injection vulnerability in an unspecified function in Proofpoint M ...) NOT-FOR-US: Proofpoint Messaging Security Gateway CVE-2011-1902 (Directory traversal vulnerability in the web interface in Proofpoint M ...) NOT-FOR-US: Proofpoint Messaging Security Gateway CVE-2011-1901 (The mail-filter web interface in Proofpoint Messaging Security Gateway ...) NOT-FOR-US: Proofpoint Messaging Security Gateway CVE-2011-1900 (Directory traversal vulnerability in NTWebServer in InduSoft Web Studi ...) NOT-FOR-US: InduSoft Web Studio CVE-2011-1899 (Multiple cross-site scripting (XSS) vulnerabilities in CA eHealth 6.0. ...) NOT-FOR-US: CA eHealth CVE-2011-1898 (Xen 4.1 before 4.1.1 and 4.0 before 4.0.2, when using PCI passthrough ...) {DSA-2337-1} - xen 4.1.1-1 [lenny] - xen-3 CVE-2011-1897 (Cross-site scripting (XSS) vulnerability in Microsoft Forefront Unifie ...) NOT-FOR-US: Microsoft Forefront CVE-2011-1896 (Cross-site scripting (XSS) vulnerability in Microsoft Forefront Unifie ...) NOT-FOR-US: Microsoft Forefront CVE-2011-1895 (CRLF injection vulnerability in Microsoft Forefront Unified Access Gat ...) NOT-FOR-US: Microsoft Forefront CVE-2011-1894 (The MHTML protocol handler in Microsoft Windows XP SP2 and SP3, Window ...) NOT-FOR-US: Microsoft Windows CVE-2011-1893 (Cross-site scripting (XSS) vulnerability in Microsoft Office SharePoin ...) NOT-FOR-US: Microsoft SharePoint CVE-2011-1892 (Microsoft Office Groove 2007 SP2, SharePoint Workspace 2010 Gold and S ...) NOT-FOR-US: Microsoft Office CVE-2011-1891 (Cross-site scripting (XSS) vulnerability in Microsoft Windows SharePoi ...) NOT-FOR-US: Microsoft SharePoint CVE-2011-1890 (Cross-site scripting (XSS) vulnerability in EditForm.aspx in Microsoft ...) NOT-FOR-US: Microsoft SharePoint CVE-2011-1889 (The NSPLookupServiceNext function in the client in Microsoft Forefront ...) NOT-FOR-US: Microsoft Forefront Threat Management Gateway CVE-2011-1888 (win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP1 a ...) NOT-FOR-US: MS Windows CVE-2011-1887 (win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP1 a ...) NOT-FOR-US: MS Windows CVE-2011-1886 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP3 does ...) NOT-FOR-US: MS Windows CVE-2011-1885 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: MS Windows CVE-2011-1884 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: MS Windows CVE-2011-1883 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: MS Windows CVE-2011-1882 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: MS Windows CVE-2011-1881 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: MS Windows CVE-2011-1880 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: MS Windows CVE-2011-1879 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: MS Windows CVE-2011-1878 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: MS Windows CVE-2011-1877 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: MS Windows CVE-2011-1876 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: MS Windows CVE-2011-1875 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: MS Windows CVE-2011-1874 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: MS Windows CVE-2011-1873 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2, Win ...) NOT-FOR-US: Microsoft Windows CVE-2011-1872 (Hyper-V in Microsoft Windows Server 2008 Gold, SP2, R2, and R2 SP1 all ...) NOT-FOR-US: Microsoft Windows CVE-2011-1871 (Tcpip.sys in the TCP/IP stack in Microsoft Windows Vista SP2, Windows ...) NOT-FOR-US: Microsoft Windows Vista CVE-2011-1870 (Integer overflow in the Client/Server Run-time Subsystem (aka CSRSS) i ...) NOT-FOR-US: MS Windows CVE-2011-1869 (The Distributed File System (DFS) implementation in Microsoft Windows ...) NOT-FOR-US: Microsoft Windows CVE-2011-1868 (The Distributed File System (DFS) implementation in Microsoft Windows ...) NOT-FOR-US: Microsoft Windows CVE-2010-4804 (The Android browser in Android before 2.3.4 allows remote attackers to ...) NOT-FOR-US: Android Browser CVE-2011-XXXX [fglrx-driver xauth cookie leak] - fglrx-driver 1:11-6-3 (low; bug #625868) [squeeze] - fglrx-driver (Non-free not supported) [lenny] - fglrx-driver (Non-free not supported) CVE-2011-1907 (ISC BIND 9.8.x before 9.8.0-P1, when Response Policy Zones (RPZ) RRset ...) - bind9 1:9.8.1.dfsg.P1-1 [squeeze] - bind9 (Only affects 9.8.0) [lenny] - bind9 (Only affects 9.8.0) CVE-2011-1765 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.5, w ...) - mediawiki (Incomplete fix was never released for Debian, neither in sid, nor oldstable/stable) NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=28534 CVE-2011-1766 (includes/User.php in MediaWiki before 1.16.5, when wgBlockDisablesLogi ...) - mediawiki (Vulnerable code not present, planned next upload will skip it) [lenny] - mediawiki (Vulnerable code not present, introduced in 1.16.0) [squeeze] - mediawiki (Vulnerable code not present, introduced in 1.16.0) NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=28534 CVE-2011-1867 (Stack-based buffer overflow in iNodeMngChecker.exe in the User Access ...) NOT-FOR-US: iNodeMngChecker.exe of HP Intelligent Management Center CVE-2011-1866 (Buffer overflow in omniinet.exe in the inet service in HP OpenView Sto ...) NOT-FOR-US: HP OpenView CVE-2011-1865 (Multiple stack-based buffer overflows in the inet service in HP OpenVi ...) NOT-FOR-US: HP OpenView CVE-2011-1864 (Unspecified vulnerability in HP OpenView Storage Data Protector 6.0, 6 ...) NOT-FOR-US: HP OpenView Storage Data Protector CVE-2011-1863 (HP Service Manager 7.02, 7.11, 9.20, and 9.21 and Service Center 6.2.8 ...) NOT-FOR-US: HP Service Manager CVE-2011-1862 (Cross-site scripting (XSS) vulnerability in HP Service Manager 7.02, 7 ...) NOT-FOR-US: HP Service Manager CVE-2011-1861 (Unspecified vulnerability in HP Service Manager 7.02, 7.11, 9.20, and ...) NOT-FOR-US: HP Service Manager CVE-2011-1860 (Unspecified vulnerability in HP Service Manager 7.02, 7.11, 9.20, and ...) NOT-FOR-US: HP Service Manager CVE-2011-1859 (Unspecified vulnerability in HP Service Manager 7.02, 7.11, 9.20, and ...) NOT-FOR-US: HP Service Manager CVE-2011-1858 (Unspecified vulnerability in HP Service Manager 7.02, 7.11, 9.20, and ...) NOT-FOR-US: HP Service Manager CVE-2011-1857 (Unspecified vulnerability in HP Service Manager 7.02, 7.11, 9.20, and ...) NOT-FOR-US: HP Service Manager CVE-2011-1856 (Cross-site scripting (XSS) vulnerability in HP Business Availability C ...) NOT-FOR-US: HP Business Availability CVE-2011-1855 (Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.0x all ...) NOT-FOR-US: HP Network Node Manager CVE-2011-1854 (Use-after-free vulnerability in HP Intelligent Management Center (IMC) ...) NOT-FOR-US: HP Intelligent Management Center CVE-2011-1853 (tftpserver.exe in HP Intelligent Management Center (IMC) 5.0 before E0 ...) NOT-FOR-US: HP Intelligent Management Center CVE-2011-1852 (Multiple stack-based buffer overflows in tftpserver.exe in HP Intellig ...) NOT-FOR-US: HP Intelligent Management Center CVE-2011-1851 (Stack-based buffer overflow in tftpserver.exe in HP Intelligent Manage ...) NOT-FOR-US: HP Intelligent Management Center CVE-2011-1850 (Stack-based buffer overflow in the logging functionality in dbman.exe ...) NOT-FOR-US: HP Intelligent Management Center CVE-2011-1849 (tftpserver.exe in HP Intelligent Management Center (IMC) 5.0 before E0 ...) NOT-FOR-US: HP Intelligent Management Center CVE-2011-1848 (Stack-based buffer overflow in img.exe in HP Intelligent Management Ce ...) NOT-FOR-US: HP Intelligent Management Center CVE-2011-1847 (IBM DB2 9.5 before FP7 and 9.7 before FP4 on Linux, UNIX, and Windows ...) NOT-FOR-US: IBM DB2 9.5 CVE-2011-1846 (IBM DB2 9.5 before FP7 and 9.7 before FP4 on Linux, UNIX, and Windows ...) NOT-FOR-US: IBM DB2 9.5 CVE-2011-1845 (Multiple memory leaks in the DataGrid control implementation in Micros ...) NOT-FOR-US: Silverlight CVE-2011-1844 (Memory leak in Microsoft Silverlight 4 before 4.0.60310.0 allows remot ...) NOT-FOR-US: Silverlight CVE-2011-1843 (Integer overflow in conf.c in Tinyproxy before 1.8.3 might allow remot ...) - tinyproxy 1.8.2-2 (unimportant; bug #627503) [squeeze] - tinyproxy 1.8.2-1squeeze2 (unimportant) NOTE: Only exploitable through config files, which are under admin control CVE-2011-1842 (dbus_backend/lsd.py in the D-Bus backend in language-selector before 0 ...) NOT-FOR-US: Ubuntu-specific language-selector package CVE-2011-1841 (Cross-site scripting (XSS) vulnerability in the link_to helper in Mojo ...) {DSA-2239-1} - libmojolicious-perl 1.12-1 CVE-2011-1840 (The MartiniCreations PassmanLite Password Manager application before 1 ...) NOT-FOR-US: MartiniCreations PassmanLite Password Manager for Android CVE-2011-1839 (IBM Rational Build Forge 7.1.0 uses the HTTP GET method during redirec ...) NOT-FOR-US: IBM Rational Build Forge 7.1.0 CVE-2011-1838 (Multiple cross-site scripting (XSS) vulnerabilities in TemplateLogin.p ...) - twiki CVE-2011-1837 (The lock-counter implementation in utils/mount.ecryptfs_private.c in e ...) {DSA-2382-1} - ecryptfs-utils 92-1 CVE-2011-1836 (utils/ecryptfs-recover-private in ecryptfs-utils before 90 does not es ...) - ecryptfs-utils 92-1 [squeeze] - ecryptfs-utils (Vulnerable code not present) [lenny] - ecryptfs-utils (Vulnerable code not present) CVE-2011-1835 (The encrypted private-directory setup process in utils/ecryptfs-setup- ...) {DSA-2382-1} - ecryptfs-utils 92-1 CVE-2011-1834 (utils/mount.ecryptfs_private.c in ecryptfs-utils before 90 does not pr ...) {DSA-2382-1} - ecryptfs-utils 92-1 CVE-2011-1833 (Race condition in the ecryptfs_mount function in fs/ecryptfs/main.c in ...) {DSA-2443-1} - ecryptfs-utils 92-1 [squeeze] - ecryptfs-utils (Minor issue) - linux-2.6 3.1.1-1 NOTE: cannot be fixed in ecryptfs-utils (squeeze, lenny) until kernel fix is in place CVE-2011-1832 (utils/mount.ecryptfs_private.c in ecryptfs-utils before 90 does not pr ...) {DSA-2382-1} - ecryptfs-utils 92-1 CVE-2011-1831 (utils/mount.ecryptfs_private.c in ecryptfs-utils before 90 does not pr ...) {DSA-2382-1} - ecryptfs-utils 92-1 CVE-2011-1830 (Ekiga versions before 3.3.0 attempted to load a module from /tmp/ekiga ...) - ekiga (Vulnerable code not in a released version) NOTE: Fixed by: https://gitlab.gnome.org/GNOME/ekiga/commit/02654fc949722a78d41fcffac8687d73d8574647 (EKIGA_3_3_0) NOTE: Introduced by: https://gitlab.gnome.org/GNOME/ekiga/commit/87d3a0824b373a3d16e9198540174ce16e4ab3db (EKIGA_3_3_0) CVE-2011-1829 (APT before 0.8.15.2 does not properly validate inline GPG signatures, ...) - apt 0.8.15.2 [squeeze] - apt (Vulnerable code not present) [lenny] - apt (Vulnerable code not present) CVE-2011-1828 (usb-creator-helper in usb-creator before 0.2.28.3 does not enforce int ...) NOT-FOR-US: usb-creator, Ubuntu-specific package CVE-2010-4803 (Mojolicious before 0.999927 does not properly implement HMAC-MD5 check ...) {DSA-2239-1} - libmojolicious-perl 0.999929-1 CVE-2010-4802 (Commands.pm in Mojolicious before 0.999928 does not properly perform C ...) {DSA-2239-1} - libmojolicious-perl 0.999929-1 CVE-2009-5074 (Unspecified vulnerability in the MojoX::Dispatcher::Static implementat ...) - libmojolicious-perl (Fixed before initial upload) CVE-2011-XXXX [spip DoS] - spip 2.1.11-0.1 [squeeze] - spip 2.1.1-3squeeze1 CVE-2011-1827 (Multiple unspecified vulnerabilities in Check Point SSL Network Extend ...) NOT-FOR-US: Check Point CVE-2010-4801 (Directory traversal vulnerability in admin/updatelist.php in BaconMap ...) NOT-FOR-US: BaconMap CVE-2010-4800 (SQL injection vulnerability in doadd.php in BaconMap 1.0 allows remote ...) NOT-FOR-US: BaconMap CVE-2010-4799 (Multiple SQL injection vulnerabilities in Chipmunk Pwngame 1.0, when m ...) NOT-FOR-US: Chipmunk Pwngame CVE-2010-4798 (Directory traversal vulnerability in index.php in OrangeHRM 2.6.0.1 al ...) NOT-FOR-US: OrangeHRM CVE-2010-4797 (Multiple SQL injection vulnerabilities in the log-in form in Truworth ...) NOT-FOR-US: Truworth Flex Timesheet CVE-2010-4796 (Multiple SQL injection vulnerabilities in PHPYun 1.1.6 allow remote at ...) NOT-FOR-US: PHPYun CVE-2010-4795 (SQL injection vulnerability in the JS Calendar (com_jscalendar) compon ...) NOT-FOR-US: JS Calendar component for Joomla! CVE-2010-4794 (Multiple cross-site scripting (XSS) vulnerabilities in the JoomlaSelle ...) NOT-FOR-US: JoomlaSeller JS Calendar component for Joomla! CVE-2010-4793 (SQL injection vulnerability in detail.asp in Site2Nite Auto e-Manager ...) NOT-FOR-US: Site2Nite Auto e-Manager CVE-2010-4792 (Cross-site scripting (XSS) vulnerability in title.php in OPEN IT OverL ...) NOT-FOR-US: OPEN IT OverLook CVE-2010-4791 (SQL injection vulnerability in infusions/mg_user_fotoalbum_panel/mg_us ...) NOT-FOR-US: MG User-Fotoalbum module for PHP-Fusion CVE-2010-4790 (Directory traversal vulnerability in FilterFTP 2.0.3, 2.0.5, and proba ...) NOT-FOR-US: FilterFTP CVE-2011-1826 (Open redirect vulnerability in the Administrative Console in CA Arcot ...) NOT-FOR-US: CA Arcot WebFort Versatile Authentication Server CVE-2011-1825 (Multiple cross-site scripting (XSS) vulnerabilities in the Administrat ...) NOT-FOR-US: CA Arcot WebFort Versatile Authentication Server CVE-2011-1824 (The VEGAOpBitmap::AddLine function in Opera before 10.61 does not prop ...) NOT-FOR-US: Opera CVE-2011-1823 (The vold volume manager daemon on Android 3.0 and 2.x before 2.3.4 tru ...) NOT-FOR-US: Android CVE-2011-1822 (The LDAP_ADD implementation in IBM Tivoli Directory Server (TDS) 5.2 b ...) NOT-FOR-US: Tivoli CVE-2011-1821 (IBM Tivoli Directory Server (TDS) 5.2 before 5.2.0.5-TIV-ITDS-IF0010 o ...) NOT-FOR-US: Tivoli CVE-2011-1820 (IBM Tivoli Directory Server (TDS) 5.2 before 5.2.0.5-TIV-ITDS-IF0010, ...) NOT-FOR-US: Tivoli CVE-2011-1819 (Google Chrome before 12.0.742.91 allows remote attackers to perform un ...) - chromium-browser 12.0.742.91~r87961-1 (unimportant) - webkit (chromium extensions) CVE-2011-1818 (Use-after-free vulnerability in the image loader in Google Chrome befo ...) - chromium-browser 12.0.742.91~r87961-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/86725 CVE-2011-1817 (Google Chrome before 12.0.742.91 does not properly implement history d ...) - chromium-browser 12.0.742.91~r87961-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-1816 (Use-after-free vulnerability in the developer tools in Google Chrome b ...) - chromium-browser 12.0.742.91~r87961-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/86507 CVE-2011-1815 (Google Chrome before 12.0.742.91 allows remote attackers to inject scr ...) - chromium-browser 12.0.742.91~r87961-1 (unimportant) - webkit (chromium extensions specific) CVE-2011-1814 (Google Chrome before 12.0.742.91 attempts to read data from an uniniti ...) - chromium-browser (chromium pdiflugin) - webkit (chromium pdf plugin) CVE-2011-1813 (Google Chrome before 12.0.742.91 does not properly implement the frame ...) - chromium-browser 12.0.742.91~r87961-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-1812 (Google Chrome before 12.0.742.91 allows remote attackers to bypass int ...) - chromium-browser 12.0.742.91~r87961-1 (unimportant) - webkit (chromium extensions) CVE-2011-1811 (Google Chrome before 12.0.742.91 does not properly handle a large numb ...) - chromium-browser 12.0.742.91~r87961-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-1810 (The Cascading Style Sheets (CSS) implementation in Google Chrome befor ...) - chromium-browser 12.0.742.91~r87961-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/83345 CVE-2011-1809 (Use-after-free vulnerability in the accessibility feature in Google Ch ...) - chromium-browser 12.0.742.91~r87961-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/80890 CVE-2011-1808 (Use-after-free vulnerability in Google Chrome before 12.0.742.91 allow ...) - chromium-browser 12.0.742.91~r87961-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/84096 NOTE: http://trac.webkit.org/changeset/84098 NOTE: http://trac.webkit.org/changeset/84119 CVE-2011-1807 (Google Chrome before 11.0.696.71 does not properly handle blobs, which ...) - chromium-browser 11.0.696.71~r86024-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-1806 (Google Chrome before 11.0.696.71 does not properly implement the GPU c ...) - chromium-browser 11.0.696.71~r86024-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-1805 (Bad cast in CSS in Google Chrome prior to 11.0.0.0 allowed a remote at ...) - chromium-browser 11.0.696.65~r84435-1 CVE-2011-1804 (rendering/RenderBox.cpp in WebCore in WebKit before r86862, as used in ...) - chromium-browser 11.0.696.71~r86024-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/86448 CVE-2011-1803 (An issue exists in third_party/WebKit/Source/WebCore/svg/animation/SVG ...) NOTE: Historic webkit/Chromium issues CVE-2011-1802 (WebKit in Google Chrome before Blink M11 and M12 does not properly han ...) NOTE: Historic webkit/Chromium issues CVE-2011-1801 (Unspecified vulnerability in Google Chrome before 11.0.696.71 allows r ...) - chromium-browser 11.0.696.71~r86024-1 (unimportant) NOTE: http://trac.webkit.org/changeset/85977 CVE-2011-1800 (Multiple integer overflows in the SVG Filters implementation in WebCor ...) - chromium-browser 11.0.696.68~r84545-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/85926 CVE-2011-1799 (Google Chrome before 11.0.696.68 does not properly perform casts of va ...) {DSA-2245-1} - chromium-browser 11.0.696.68~r84545-1 CVE-2011-1798 (rendering/svg/RenderSVGText.cpp in WebCore in WebKit in Google Chrome ...) - chromium-browser 11.0.696.65~r84435-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/84085 CVE-2011-1797 (WebKit, as used in Apple Safari before 5.0.6, allows remote attackers ...) {DSA-2245-1} - chromium-browser 12.0.742.91~r87961-1 CVE-2011-1796 (Use-after-free vulnerability in the FrameView::calculateScrollbarModes ...) - chromium-browser 11.0.696.65~r84435-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/84300 CVE-2011-1795 (Integer underflow in the HTMLFormElement::removeFormElement function i ...) - chromium-browser 11.0.696.65~r84435-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/83690 CVE-2011-1794 (Integer overflow in the FilterEffect::copyImageBytes function in platf ...) - chromium-browser 11.0.696.65~r84435-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/84422 CVE-2011-1793 (rendering/svg/RenderSVGResourceFilter.cpp in WebCore in WebKit in Goog ...) - chromium-browser 11.0.696.65~r84435-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/85406 CVE-2011-1792 RESERVED CVE-2011-1791 RESERVED CVE-2011-1790 RESERVED CVE-2010-4789 (Use-after-free vulnerability in the proxy-server implementation in IBM ...) NOT-FOR-US: IBM Tivoli Directory Server CVE-2010-4788 (IBM Tivoli Directory Server (TDS) 6.0 before 6.0.0.62 (aka 6.0.0.8-TIV ...) NOT-FOR-US: Tivoli CVE-2010-4787 (IBM Tivoli Directory Server (TDS) 6.0 before 6.0.0.63 (aka 6.0.0.8-TIV ...) NOT-FOR-US: Tivoli CVE-2010-4786 (IBM Tivoli Directory Server (TDS) 6.0 before 6.0.0.63 (aka 6.0.0.8-TIV ...) NOT-FOR-US: Tivoli CVE-2010-4785 (The do_extendedOp function in ibmslapd in IBM Tivoli Directory Server ...) NOT-FOR-US: Tivoli CVE-2009-5073 (IBM Tivoli Directory Server (TDS) 6.0 before 6.0.0.59 (aka 6.0.0.8-TIV ...) NOT-FOR-US: Tivoli CVE-2009-5072 (Memory leak in the ldap_explode_dn function in IBM Tivoli Directory Se ...) NOT-FOR-US: Tivoli CVE-2008-7290 (Memory leak in the ldap_explode_rdn API function in IBM Tivoli Directo ...) NOT-FOR-US: Tivoli CVE-2008-7289 (IBM Tivoli Directory Server (TDS) 5.2 before 5.2.0.5-TIV-ITDS-LA0007 d ...) NOT-FOR-US: Tivoli CVE-2008-7288 (IBM Tivoli Directory Server (TDS) 5.2 before 5.2.0.5-TIV-ITDS-LA0007 o ...) NOT-FOR-US: Tivoli CVE-2008-7287 (Multiple memory leaks in the (1) ldap_init and (2) ldap_url_search_dir ...) NOT-FOR-US: Tivoli CVE-2007-6743 (Double free vulnerability in IBM Tivoli Directory Server (TDS) 5.2 bef ...) NOT-FOR-US: Tivoli CVE-2007-6742 (The get_filter_list function in IBM Tivoli Directory Server (TDS) 5.2 ...) NOT-FOR-US: Tivoli CVE-2011-1789 (The self-extracting installer in the vSphere Client Installer package ...) NOT-FOR-US: vSphere CVE-2011-1788 (vCenter Server in VMware vCenter 4.0 before Update 3 and 4.1 before Up ...) NOT-FOR-US: vCenter CVE-2011-1787 (Race condition in mount.vmhgfs in the VMware Host Guest File System (H ...) - open-vm-tools 2:8.4.2+2011.08.21-471295-1 (bug #631506) [lenny] - open-vm-tools (Contrib not supported) [squeeze] - open-vm-tools (Contrib not supported) CVE-2011-1786 (lsassd in Likewise Open /Enterprise 5.3 before build 7845, Open 6.0 be ...) NOT-FOR-US: Likewise CVE-2011-1785 (VMware ESXi 4.0 and 4.1 and ESX 4.0 and 4.1 allow remote attackers to ...) NOT-FOR-US: VMware CVE-2011-1784 (The pidfile_write function in core/pidfile.c in keepalived 1.2.2 and e ...) - keepalived 1:1.2.2-2 (low; bug #626281) [lenny] - keepalived (Minor issue) [squeeze] - keepalived 1:1.1.20-1+squeeze1 CVE-2011-1783 (The mod_dav_svn module for the Apache HTTP Server, as distributed in A ...) {DSA-2251-1} - subversion 1.6.17dfsg-1 CVE-2011-1782 (Heap-based buffer overflow in the read_channel_data function in file-p ...) {DSA-2426-1} - gimp 2.6.11-3 (bug #629830) CVE-2011-1781 (SystemTap 1.4, when unprivileged (aka stapusr) mode is enabled, allows ...) - systemtap 1.6-1 (bug #628819) [squeeze] - systemtap (Only affects version 1.4.x) [lenny] - systemtap (Only affects version 1.4.x) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=702687#c29 CVE-2011-1780 (The instruction emulation in Xen 3.0.3 allows local SMP guest users to ...) - linux-2.6 (Only affected the old Xen kernel patch from 2.6.18/2.6.26) CVE-2011-1779 (Multiple use-after-free vulnerabilities in libarchive 2.8.4 and 2.8.5 ...) - libarchive 3.0.4-2 (bug #669197) [squeeze] - libarchive (vulnerable code not present in 2.x series) NOTE: http://code.google.com/p/libarchive/source/detail?r=0736e0890a8fce59e96d57340405c56f084407e7 NOTE: Might be fixed earlier than 3.0.4-2, but was tested against the Wheezy version CVE-2011-1778 (Buffer overflow in libarchive through 2.8.5 allows remote attackers to ...) {DSA-2413-1} - libarchive 2.8.5-5 (bug #651844) CVE-2011-1777 (Multiple buffer overflows in the (1) heap_add_entry and (2) relocate_d ...) {DSA-2413-1} - libarchive 2.8.5-5 (bug #651844) CVE-2011-1776 (The is_gpt_valid function in fs/partitions/efi.c in the Linux kernel b ...) {DSA-2264-1 DSA-2240-1} - linux-2.6 2.6.39-1 (low) CVE-2011-1775 (The CSecurityTLS::processMsg function in common/rfb/CSecurityTLS.cxx i ...) - tigervnc (Fixed before initial release in Debian) NOTE: https://github.com/TigerVNC/tigervnc/commit/ce6c8b097f0d5b161039dc8c8208aff078d433ff CVE-2011-1774 (WebKit in Apple Safari before 5.0.6 has improper libxslt security sett ...) NOTE: CVE-2011-1774 is about webkit's interface to xmlsec, CVE-2011-1425 is the actual issue NOTE: http://www.openwall.com/lists/oss-security/2011/05/09/4 CVE-2011-1773 (virt-v2v before 0.8.4 does not preserve the VNC console password when ...) NOT-FOR-US: virt-v2v CVE-2011-1772 (Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache ...) - libstruts1.2-java (xwork introduced in 2.x) CVE-2011-1771 (The cifs_close function in fs/cifs/file.c in the Linux kernel before 2 ...) - linux-2.6 2.6.38-4 [squeeze] - linux-2.6 (Introduced in 2.6.37) [lenny] - linux-2.6 (Introduced in 2.6.37) CVE-2011-1770 (Integer underflow in the dccp_parse_options function (net/dccp/options ...) {DSA-2240-1} - linux-2.6 2.6.39-1 [squeeze] - linux-2.6 2.6.32-34squeeze1 [lenny] - linux-2.6 (Introduced in 2.6.29 with commit e77b8363b2ea7c0d89919547c1a8b0562f298b57) CVE-2011-1769 (SystemTap 1.4 and earlier, when unprivileged (aka stapusr) mode is ena ...) - systemtap 1.6-1 (unimportant; bug #628819) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=702687#c29 NOTE: http://sourceware.org/git/?p=systemtap.git;a=commit;h=fa2e3415185a28542d419a641ecd6cddd52e3cd9 NOTE: a DoS with a very limited exploitation possibility CVE-2011-1768 (The tunnels implementation in the Linux kernel before 2.6.34, when tun ...) {DSA-2264-1} - linux-2.6 2.6.34-1 [squeeze] - linux-2.6 2.6.32-35 CVE-2011-1767 (net/ipv4/ip_gre.c in the Linux kernel before 2.6.34, when ip_gre is co ...) {DSA-2264-1 DSA-2240-1} - linux-2.6 2.6.34-1 [squeeze] - linux-2.6 2.6.32-34squeeze1 CVE-2011-1764 (Format string vulnerability in the dkim_exim_verify_finish function in ...) {DSA-2232-1} - exim4 4.75-3 (high; bug #624670) [lenny] - exim4 (vulnerable code not present) CVE-2011-1763 (The get_free_port function in Xen allows local authenticated DomU user ...) - linux-2.6 (Only affected the old Xen kernel patch from 2.6.18/2.6.26) CVE-2011-1762 RESERVED CVE-2011-1761 (Multiple stack-based buffer overflows in the (1) abc_new_macro and (2) ...) {DSA-2415-1} - libmodplug 1:0.8.8.4-1 (low; bug #625966) CVE-2011-1760 (utils/opcontrol in OProfile 0.9.6 and earlier might allow local users ...) {DSA-2254-2 DSA-2254-1} - oprofile 0.9.6-1.2 (medium; bug #624212) CVE-2011-1759 (Integer overflow in the sys_oabi_semtimedop function in arch/arm/kerne ...) {DSA-2264-1 DSA-2240-1} - linux-2.6 2.6.39-1 CVE-2011-1758 (The krb5_save_ccname_done function in providers/krb5/krb5_auth.c in Sy ...) - sssd (Only affects version 1.5+) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=700867 NOTE: http://git.fedorahosted.org/git/?p=sssd.git;a=commitdiff;h=fffdae81651b460f3d2c119c56d5caa09b4de42a CVE-2011-1757 (DJabberd 0.84 and earlier does not properly detect recursion during en ...) NOTE: DJabberd CVE-2011-1756 (modules/xmpp/serv_xmpp.c in Citadel 7.86 and earlier does not properly ...) {DSA-2250-1} - citadel 8.04-1 (medium) CVE-2011-1755 (jabberd2 before 2.2.14 does not properly detect recursion during entit ...) - jabberd2 2.2.8-2.1 (medium) CVE-2011-1754 (jabberd14 1.6.1.1 and earlier does not properly detect recursion durin ...) {DSA-2249-1} - jabberd14 1.6.1.1-5.1 CVE-2011-1753 (expat_erl.c in ejabberd before 2.1.7 and 3.x before 3.0.0-alpha-3, and ...) {DSA-2248-1} - ejabberd 2.1.6-2.1 (medium) CVE-2011-1752 (The mod_dav_svn module for the Apache HTTP Server, as distributed in A ...) {DSA-2251-1} - subversion 1.6.17dfsg-1 CVE-2011-1751 (The pciej_write function in hw/acpi_piix4.c in the PIIX4 Power Managem ...) {DSA-2241-1} - qemu-kvm 0.14.1+dfsg-1 - kvm CVE-2011-1750 (Multiple heap-based buffer overflows in the virtio-blk driver (hw/virt ...) {DSA-2230-1} - qemu-kvm 0.14.1+dfsg-1 (bug #624177) - kvm (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=698906 CVE-2011-1749 (The nfs_addmntent function in support/nfs/nfs_mntent.c in the mount.ns ...) - nfs-utils 1:1.2.3-3 (low; bug #629420) [squeeze] - nfs-utils 1:1.2.2-4squeeze2 [lenny] - nfs-utils (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=697975 CVE-2011-1748 (The raw_release function in net/can/raw.c in the Linux kernel before 2 ...) {DSA-2264-1 DSA-2240-1} - linux-2.6 2.6.39-1 CVE-2011-1747 (The agp subsystem in the Linux kernel 2.6.38.5 and earlier does not pr ...) - linux-2.6 (unimportant) NOTE: Can only be triggered with root equivalent privs -> non-issue CVE-2011-1746 (Multiple integer overflows in the (1) agp_allocate_memory and (2) agp_ ...) {DSA-2264-1 DSA-2240-1} - linux-2.6 2.6.38-5 CVE-2011-1745 (Integer overflow in the agp_generic_insert_memory function in drivers/ ...) {DSA-2264-1 DSA-2240-1} - linux-2.6 2.6.38-5 CVE-2011-1744 (EMC Captiva eInput 2.1.1 before 2.1.1.37 does not restrict the origin ...) NOT-FOR-US: EMC CVE-2011-1743 (Cross-site scripting (XSS) vulnerability in EMC Captiva eInput 2.1.1 b ...) NOT-FOR-US: EMC CVE-2011-1742 (EMC Data Protection Advisor before 5.8.1 places cleartext account cred ...) NOT-FOR-US: EMC CVE-2011-1741 (Stack-based buffer overflow in ftserver.exe in the OpenText Hummingbir ...) NOT-FOR-US: OpenText Hummingbird Client Connector CVE-2011-1740 (EMC Avamar 4.x, 5.0.x, and 6.0.x before 6.0.0-592 allows remote authen ...) NOT-FOR-US: EMC Avamar CVE-2011-1739 (The makemask function in mountd.c in mountd in FreeBSD 7.4 through 8.2 ...) NOT-FOR-US: FreeBSD mountd CVE-2011-1738 (HP Palm webOS 1.4.5 and 1.4.5.1 does not properly restrict Plug-in Dev ...) NOT-FOR-US: HP Palm webOS CVE-2011-1737 (Multiple cross-site scripting (XSS) vulnerabilities in the Email appli ...) NOT-FOR-US: HP Palm webOS CVE-2011-1736 (Directory traversal vulnerability in OmniInet.exe in the Backup Client ...) NOT-FOR-US: HP OpenView Storage Data Protector CVE-2011-1735 (Stack-based buffer overflow in OmniInet.exe in the Backup Client Servi ...) NOT-FOR-US: HP OpenView Storage Data Protector CVE-2011-1734 (Stack-based buffer overflow in OmniInet.exe in the Backup Client Servi ...) NOT-FOR-US: HP OpenView Storage Data Protector CVE-2011-1733 (Stack-based buffer overflow in OmniInet.exe in the Backup Client Servi ...) NOT-FOR-US: HP OpenView Storage Data Protector CVE-2011-1732 (Stack-based buffer overflow in OmniInet.exe in the Backup Client Servi ...) NOT-FOR-US: HP OpenView Storage Data Protector CVE-2011-1731 (Stack-based buffer overflow in OmniInet.exe in the Backup Client Servi ...) NOT-FOR-US: HP OpenView Storage Data Protector CVE-2011-1730 (Stack-based buffer overflow in OmniInet.exe in the Backup Client Servi ...) NOT-FOR-US: HP OpenView Storage Data Protector CVE-2011-1729 (Stack-based buffer overflow in OmniInet.exe in the Backup Client Servi ...) NOT-FOR-US: HP OpenView Storage Data Protector CVE-2011-1728 (Stack-based buffer overflow in OmniInet.exe in the Backup Client Servi ...) NOT-FOR-US: HP OpenView Storage Data Protector CVE-2011-1727 (Cross-site scripting (XSS) vulnerability in HP SiteScope 9.54, 10.13, ...) NOT-FOR-US: HP SiteScope CVE-2011-1726 (Cross-site scripting (XSS) vulnerability in HP SiteScope 9.54, 10.13, ...) NOT-FOR-US: HP SiteScope CVE-2011-1725 (Unspecified vulnerability in HP Network Automation 7.2x, 7.5x, 7.6x, 9 ...) NOT-FOR-US: HP Network Automation CVE-2011-1724 (Unspecified vulnerability in HP Virtual Server Environment before 6.3 ...) NOT-FOR-US: HP Virtual Server Environment CVE-2011-1723 (Cross-site scripting (XSS) vulnerability in app/views/layouts/base.rht ...) NOT-FOR-US: WEC Discussion Forum CVE-2011-1722 (Multiple SQL injection vulnerabilities in WEC Discussion Forum (wec_di ...) NOT-FOR-US: WEC Discussion Forum CVE-2011-1721 (Cross-site request forgery (CSRF) vulnerability in php/partie_administ ...) NOT-FOR-US: WebJaxe CVE-2011-1720 (The SMTP server in Postfix before 2.5.13, 2.6.x before 2.6.10, 2.7.x b ...) {DSA-2233-1} - postfix 2.8.3-1 NOTE: http://www.postfix.org/CVE-2011-1720.html CVE-2011-1719 (Multiple stack-based buffer overflows in the Web Viewer ActiveX contro ...) NOT-FOR-US: ActiveX CVE-2011-1718 (The Web Agents component in CA SiteMinder R6 before SP6 CR2 and R12 be ...) NOT-FOR-US: CA SiteMinder CVE-2011-1716 (Multiple cross-site scripting (XSS) vulnerabilities in the Web UI in X ...) - xymon 4.3.7-1 [wheezy] - xymon (Minor issue) [squeeze] - xymon (Minor issue) CVE-2009-5071 (Unspecified vulnerability in Palm Pre WebOS before 1.2.1 has unknown i ...) NOT-FOR-US: Palm WebOS CVE-2011-1717 (Skype for Android stores sensitive user data without encryption in sql ...) NOT-FOR-US: Skype for Android CVE-2011-1715 (Directory traversal vulnerability in framework/source/resource/qx/test ...) NOT-FOR-US: QooxDoo CVE-2011-1714 (Cross-site scripting (XSS) vulnerability in framework/source/resource/ ...) NOT-FOR-US: QooxDoo CVE-2011-1713 (Microsoft msxml.dll, as used in Internet Explorer 8 on Windows 7, allo ...) NOT-FOR-US: Microsoft CVE-2011-1712 (The txXPathNodeUtils::getXSLTId function in txMozillaXPathTreeWalker.c ...) - iceweasel 4.0.1-1 (unimportant) CVE-2011-1711 (Unspecified vulnerability in the Mobility Pack 1.1.2 and earlier in No ...) NOT-FOR-US: Mobility Pack 1.1.2 and earlier in Novell Data Synchronizer CVE-2011-1710 (Multiple integer overflows in the HTTP server in the Novell XTier fram ...) NOT-FOR-US: Novell XTier CVE-2011-1709 (GNOME Display Manager (gdm) before 2.32.2, when glib 2.28 is used, ena ...) - gdm3 (Vulnerable code patched out in Debian package in sid, patched in 3.0.4 experimental) - gdm (Vulnerable code not present) CVE-2011-1708 (Stack-based buffer overflow in nipplib.dll in Novell iPrint Client bef ...) NOT-FOR-US: Novell iPrint Client CVE-2011-1707 (Stack-based buffer overflow in nipplib.dll in Novell iPrint Client bef ...) NOT-FOR-US: Novell iPrint Client CVE-2011-1706 (Stack-based buffer overflow in nipplib.dll in Novell iPrint Client bef ...) NOT-FOR-US: Novell iPrint Client CVE-2011-1705 (Heap-based buffer overflow in nipplib.dll in Novell iPrint Client befo ...) NOT-FOR-US: Novell iPrint Client CVE-2011-1704 (Heap-based buffer overflow in nipplib.dll in Novell iPrint Client befo ...) NOT-FOR-US: Novell iPrint Client CVE-2011-1703 (Heap-based buffer overflow in nipplib.dll in Novell iPrint Client befo ...) NOT-FOR-US: Novell iPrint Client CVE-2011-1702 (Heap-based buffer overflow in nipplib.dll in Novell iPrint Client befo ...) NOT-FOR-US: Novell iPrint Client CVE-2011-1701 (Heap-based buffer overflow in nipplib.dll in Novell iPrint Client befo ...) NOT-FOR-US: Novell iPrint Client CVE-2011-1700 (Heap-based buffer overflow in nipplib.dll in Novell iPrint Client befo ...) NOT-FOR-US: Novell iPrint Client CVE-2011-1699 (Heap-based buffer overflow in nipplib.dll in Novell iPrint Client befo ...) NOT-FOR-US: Novell iPrint Client CVE-2011-1698 RESERVED CVE-2011-1697 RESERVED CVE-2011-1696 (Cross-site scripting (XSS) vulnerability in Novell Identity Manager (a ...) NOT-FOR-US: Novell Identity Manager CVE-2011-1695 RESERVED CVE-2011-1694 RESERVED CVE-2011-1693 RESERVED CVE-2011-1692 RESERVED CVE-2011-1691 (The counterToCSSValue function in CSSComputedStyleDeclaration.cpp in t ...) - chromium-browser 12.0.742.91~r87961-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/82222 CVE-2011-1690 (Best Practical Solutions RT 3.6.0 through 3.6.10 and 3.8.0 through 3.8 ...) {DSA-2220-1} - request-tracker3.8 3.8.10-1 (bug #622774) - request-tracker3.6 CVE-2011-1689 (Multiple cross-site scripting (XSS) vulnerabilities in Best Practical ...) {DSA-2220-1} - request-tracker3.8 3.8.10-1 (bug #622774) - request-tracker3.6 CVE-2011-1688 (Directory traversal vulnerability in Best Practical Solutions RT 3.2.0 ...) {DSA-2220-1} - request-tracker3.8 3.8.10-1 (bug #622774) - request-tracker3.6 CVE-2011-1687 (Best Practical Solutions RT 3.0.0 through 3.6.10, 3.8.0 through 3.8.9, ...) {DSA-2220-1} - request-tracker3.8 3.8.10-1 (bug #622774) - request-tracker3.6 CVE-2011-1686 (Multiple SQL injection vulnerabilities in Best Practical Solutions RT ...) {DSA-2220-1} - request-tracker3.8 3.8.10-1 (bug #622774) - request-tracker3.6 CVE-2011-1685 (Best Practical Solutions RT 3.8.0 through 3.8.9 and 4.0.0rc through 4. ...) {DSA-2220-1} - request-tracker3.8 3.8.10-1 (bug #622774) CVE-2011-1683 (IBM WebSphere Application Server (WAS) 6.0.x through 6.0.2.43, 6.1.x b ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2011-1682 (Multiple cross-site request forgery (CSRF) vulnerabilities in phpList ...) - phplist (bug #612288) CVE-2011-1684 (Heap-based buffer overflow in the MP4_ReadBox_skcr function in libmp4. ...) {DSA-2218-1} - vlc 1.1.8-3 (medium) [lenny] - vlc (Vulnerable code not present) [squeeze] - vlc 1.1.3-1squeeze5 NOTE: CVE id requested CVE-2011-1681 (vmware-hgfsmounter in VMware Open Virtual Machine Tools (aka open-vm-t ...) - open-vm-tools 2:8.4.2+2011.08.21-471295-1 (low; bug #623968) [squeeze] - open-vm-tools (Contrib not supported) [lenny] - open-vm-tools (Contrib not supported) CVE-2011-1680 (ncpmount in ncpfs 2.2.6 and earlier does not remove the /etc/mtab~ loc ...) - ncpfs 2.2.6-9 (low; bug #660545) [squeeze] - ncpfs (Minor issue) CVE-2011-1679 (ncpfs 2.2.6 and earlier attempts to use (1) ncpmount to append to the ...) - ncpfs 2.2.6-9 (low; bug #660545) [squeeze] - ncpfs (Minor issue) CVE-2011-1678 (smbfs in Samba 3.5.8 and earlier attempts to use (1) mount.cifs to app ...) - samba 2:3.4.7~dfsg-2 (low) - cifs-utils 2:5.1-1 (low) [squeeze] - cifs-utils 2:4.5-2+squeeze1 NOTE: cifs-utils was split off from the samba source package with 2:3.4.7~dfsg-2, so marking it as fixed NOTE: http://git.samba.org/?p=cifs-utils.git;a=commitdiff;h=f6eae44a3d05b6515a59651e6bed8b6dde689aec CVE-2011-1677 (mount in util-linux 2.19 and earlier does not remove the /etc/mtab~ lo ...) - util-linux 2.20.1-1 (low) [squeeze] - util-linux (Minor issue) CVE-2011-1676 (mount in util-linux 2.19 and earlier does not remove the /etc/mtab.tmp ...) NOTE: This was found to be a non-issue, see http://thread.gmane.org/gmane.comp.security.oss.general/4374/focus=4983 CVE-2011-1675 (mount in util-linux 2.19 and earlier attempts to append to the /etc/mt ...) - util-linux 2.20.1-1 (low) [squeeze] - util-linux (Minor issue) CVE-2011-1674 (The NetGear ProSafe WNAP210 with firmware 2.0.12 allows remote attacke ...) NOT-FOR-US: NetGear ProSafe WNAP210 CVE-2011-1673 (BackupConfig.php on the NetGear ProSafe WNAP210 allows remote attacker ...) NOT-FOR-US: NetGear ProSafe WNAP210 CVE-2011-1672 (The Dell KACE K2000 Systems Deployment Appliance 3.3.36822 and earlier ...) NOT-FOR-US: Dell KACE K2000 Systems Deployment Appliance CVE-2011-1671 (Cross-site scripting (XSS) vulnerability in app/controllers/todos_cont ...) NOT-FOR-US: Tracks CVE-2011-1670 (Cross-site scripting (XSS) vulnerability in actions/add.php in InTerra ...) NOT-FOR-US: InTerra CVE-2011-1669 (Directory traversal vulnerability in wp-download.php in the WP Custom ...) NOT-FOR-US: WP Custom Pages module for WordPress CVE-2011-1668 (Cross-site scripting (XSS) vulnerability in search.php in AR Web Conte ...) NOT-FOR-US: AR Web Content Manager CVE-2011-1667 (SQL injection vulnerability in index.php in Anzeigenmarkt 2011 allows ...) NOT-FOR-US: Anzeigenmarkt CVE-2011-1666 (Metaways Tine 2.0 allows remote attackers to obtain sensitive informat ...) NOT-FOR-US: Metaways Tine CVE-2011-1665 (PHPBoost 3.0 stores sensitive information under the web root with insu ...) NOT-FOR-US: PHPBoost CVE-2011-1664 (Cross-site request forgery (CSRF) vulnerability in the Translation Man ...) NOT-FOR-US: Translation Management module for Drupal CVE-2011-1663 (SQL injection vulnerability in the Translation Management module 6.x b ...) NOT-FOR-US: Translation Management module for Drupal CVE-2011-1662 (Cross-site scripting (XSS) vulnerability in Translation Management mod ...) NOT-FOR-US: Translation Management module for Drupal CVE-2011-1661 (The Node Quick Find module 6.x-1.1 for Drupal does not use db_rewrite_ ...) NOT-FOR-US: Node Quick Find module for Drupal CVE-2011-1660 (Multiple cross-site scripting (XSS) vulnerabilities in the DataDynamic ...) NOT-FOR-US: GrapeCity Data Dynamics Reports CVE-2011-1659 (Integer overflow in posix/fnmatch.c in the GNU C Library (aka glibc or ...) - eglibc 2.13-8 [squeeze] - eglibc 2.11.3-2 - glibc 2.13-8 [lenny] - glibc (Minor issue) NOTE: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=8126d90480fa CVE-2011-1658 (ld.so in the GNU C Library (aka glibc or libc6) 2.13 and earlier expan ...) - eglibc 2.13-33 (low; bug #672119) [squeeze] - eglibc CVE-2011-1657 (The (1) ZipArchive::addGlob and (2) ZipArchive::addPattern functions i ...) {DSA-2408-1} - php5 5.3.7-1 (unimportant) NOTE: safe mode not supported CVE-2011-1656 RESERVED CVE-2011-1655 (The management.asmx module in the Management Web Service in the Unifie ...) NOT-FOR-US: CA Total Defense CVE-2011-1654 (Directory traversal vulnerability in the Heartbeat Web Service in CA.I ...) NOT-FOR-US: CA Total Defense CVE-2011-1653 (Multiple SQL injection vulnerabilities in the Unified Network Control ...) NOT-FOR-US: CA Total Defense CVE-2011-1652 (** DISPUTED ** The default configuration of Microsoft Windows 7 immedi ...) NOT-FOR-US: Microsoft Windows 7 CVE-2010-4784 (Multiple SQL injection vulnerabilities in member.php in PHP Web Script ...) NOT-FOR-US: PHP Web Scripts Easy Banner Free CVE-2010-4783 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in PH ...) NOT-FOR-US: PHP Web Scripts Easy Banner Free CVE-2010-4782 (Multiple SQL injection vulnerabilities in list.asp in Softwebs Nepal ( ...) NOT-FOR-US: Softwebs Nepal Ananda Real Estate CVE-2010-4781 (index.php in Enano CMS 1.1.7pl1, and possibly other versions before 1. ...) NOT-FOR-US: Enano CMS CVE-2010-4780 (SQL injection vulnerability in the check_banlist function in includes/ ...) NOT-FOR-US: Enano CMS CVE-2010-4779 (Cross-site scripting (XSS) vulnerability in lib/includes/auth.inc.php ...) NOT-FOR-US: WPtouch plugin for WordPress CVE-2011-1651 (Cisco IOS XR 3.9.x and 4.0.x before 4.0.3 and 4.1.x before 4.1.1, when ...) NOT-FOR-US: Cisco CVE-2011-1650 RESERVED CVE-2011-1649 (The Internet Streamer application in Cisco Content Delivery System (CD ...) NOT-FOR-US: Cisco CVE-2011-1648 RESERVED CVE-2011-1647 (The web management interface on the Cisco RVS4000 Gigabit Security Rou ...) NOT-FOR-US: Cisco CVE-2011-1646 (The web management interface on the Cisco RVS4000 Gigabit Security Rou ...) NOT-FOR-US: Cisco CVE-2011-1645 (The web management interface on the Cisco RVS4000 Gigabit Security Rou ...) NOT-FOR-US: Cisco CVE-2011-1644 RESERVED CVE-2011-1643 (Cisco Unified Communications Manager (aka CUCM, formerly CallManager) ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2011-1642 RESERVED CVE-2011-1641 RESERVED CVE-2011-1640 (The ethernet-lldp component in Cisco IOS 12.2 before 12.2(33)SXJ1 does ...) NOT-FOR-US: Cisco IOS CVE-2011-1639 RESERVED CVE-2011-1638 RESERVED CVE-2011-1637 (Cisco Unified IP Phones 7900 devices (aka TNP phones) with software be ...) NOT-FOR-US: Cisco CVE-2011-1636 RESERVED CVE-2011-1635 RESERVED CVE-2011-1634 RESERVED CVE-2011-1633 RESERVED CVE-2011-1632 RESERVED CVE-2011-1631 RESERVED CVE-2011-1630 RESERVED CVE-2011-1629 RESERVED CVE-2011-1628 RESERVED CVE-2011-1627 RESERVED CVE-2011-1626 RESERVED CVE-2011-1625 (Cisco IOS 12.2, 12.3, 12.4, 15.0, and 15.1, when the data-link switchi ...) NOT-FOR-US: Cisco IOS CVE-2011-1624 (Cisco IOS 12.2(58)SE, when a login banner is configured, allows remote ...) NOT-FOR-US: Cisco IOS CVE-2011-1623 (Cisco Media Processing Software before 1.2 on Media Experience Engine ...) NOT-FOR-US: Cisco CVE-2011-1622 RESERVED CVE-2011-1621 RESERVED CVE-2011-1620 RESERVED CVE-2011-1619 RESERVED CVE-2011-1618 RESERVED CVE-2011-1617 RESERVED CVE-2011-1616 RESERVED CVE-2011-1615 RESERVED CVE-2011-1614 RESERVED CVE-2011-1613 (Unspecified vulnerability in Cisco Wireless LAN Controller (WLC) softw ...) NOT-FOR-US: Cisco Wireless LAN Controller CVE-2011-1612 RESERVED CVE-2011-1611 RESERVED CVE-2011-1610 (Multiple SQL injection vulnerabilities in xmldirectorylist.jsp in the ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2011-1609 (SQL injection vulnerability in Cisco Unified Communications Manager (a ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2011-1608 RESERVED CVE-2011-1607 (Directory traversal vulnerability in Cisco Unified Communications Mana ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2011-1606 (Unspecified vulnerability in Cisco Unified Communications Manager (aka ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2011-1605 (Unspecified vulnerability in Cisco Unified Communications Manager (aka ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2011-1604 (Memory leak in Cisco Unified Communications Manager (aka CUCM, formerl ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2011-1603 (Cisco Unified IP Phones 7900 devices (aka TNP phones) with software be ...) NOT-FOR-US: Cisco CVE-2011-1602 (The su utility on Cisco Unified IP Phones 7900 devices (aka TNP phones ...) NOT-FOR-US: Cisco CVE-2011-1601 RESERVED CVE-2011-1600 RESERVED CVE-2011-1599 (manager.c in the Manager Interface in Asterisk Open Source 1.4.x befor ...) {DSA-2225-1} - asterisk 1:1.8.3.3-1 [lenny] - asterisk (Vulnerable code not present) CVE-2011-1598 (The bcm_release function in net/can/bcm.c in the Linux kernel before 2 ...) {DSA-2264-1 DSA-2240-1} - linux-2.6 2.6.38-5 CVE-2011-1597 (OpenVAS Manager v2.0.3 allows plugin remote code execution. ...) NOT-FOR-US: OpenVAS Manager CVE-2011-1596 REJECTED CVE-2011-1595 (Directory traversal vulnerability in the disk_create function in disk. ...) - rdesktop 1.7.0-1 (low; bug #623552) [squeeze] - rdesktop (Minor issue) [lenny] - rdesktop (Minor issue) CVE-2011-1594 (Open redirect vulnerability in Spacewalk 1.6, as used in Red Hat Netwo ...) NOT-FOR-US: Red Hat Network Satellite server CVE-2011-1593 (Multiple integer overflows in the next_pidmap function in kernel/pid.c ...) {DSA-2264-1 DSA-2240-1} - linux-2.6 2.6.38-4 CVE-2011-1592 (The NFS dissector in epan/dissectors/packet-nfs.c in Wireshark 1.4.x b ...) - wireshark (Windows-specific) CVE-2011-1591 (Stack-based buffer overflow in the DECT dissector in epan/dissectors/p ...) - wireshark 1.4.5-1 [squeeze] - wireshark (Only affects 1.4.x) [lenny] - wireshark (Only affects 1.4.x) CVE-2011-1590 (The X.509if dissector in Wireshark 1.2.x before 1.2.16 and 1.4.x befor ...) {DSA-2274-1} - wireshark 1.4.5-1 (unimportant) CVE-2011-1589 (Directory traversal vulnerability in Path.pm in Mojolicious before 1.1 ...) {DSA-2221-1} - libmojolicious-perl 1.16-1 CVE-2011-1588 (Thunar before 1.3.1 could crash when copy and pasting a file name with ...) - thunar (Introduced in 1.2, only in experimental) NOTE: http://git.xfce.org/xfce/thunar/diff/?id=03dd312e157d4fa8a11d5fa402706ae5b05806fa CVE-2011-1587 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.4, w ...) {DSA-2366-1} - mediawiki 1:1.15.5-5 CVE-2011-1586 (Directory traversal vulnerability in the KGetMetalink::File::isValidNa ...) - kdenetwork 4:4.6.3-1 [squeeze] - kdenetwork 4:4.4.5-2+squeeze1 [lenny] - kdenetwork (Metalink plugin not yet present) CVE-2011-1585 (The cifs_find_smb_ses function in fs/cifs/connect.c in the Linux kerne ...) {DSA-2240-1} - linux-2.6 (unimportant) NOTE: an exploitation requires the ability to run mount.cifs w/ root privs CVE-2011-1584 (The updateFile function in inc/core/class.dc.media.php in the Media Ma ...) - dotclear (Fixed before initial upload to archive) CVE-2011-1583 (Multiple integer overflows in tools/libxc/xc_dom_bzimageloader.c in Xe ...) {DSA-2337-1} - xen 4.1.1-1 - xen-3 [lenny] - xen-3 (Minor issue; only marginally affected) CVE-2011-1582 (Apache Tomcat 7.0.12 and 7.0.13 processes the first request to a servl ...) - tomcat6 (Only affects Tomcat 7) CVE-2011-1581 (The bond_select_queue function in drivers/net/bonding/bond_main.c in t ...) - linux-2.6 2.6.39-1 (low) [squeeze] - linux-2.6 (Introduced in 2.6.36) [lenny] - linux-2.6 (Introduced in 2.6.36) CVE-2011-1580 (The transwiki import functionality in MediaWiki before 1.16.3 does not ...) {DSA-2366-1} - mediawiki 1:1.15.5-5 CVE-2011-1579 (The checkCss function in includes/Sanitizer.php in the wikitext parser ...) {DSA-2366-1} - mediawiki 1:1.15.5-5 CVE-2011-1578 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.3, w ...) {DSA-2366-1} - mediawiki 1:1.15.5-5 CVE-2011-1577 (Heap-based buffer overflow in the is_gpt_valid function in fs/partitio ...) {DSA-2264-1} - linux-2.6 2.6.39-3 (low) [squeeze] - linux-2.6 2.6.32-35 CVE-2011-1576 (The Generic Receive Offload (GRO) implementation in the Linux kernel 2 ...) {DSA-2303-1} - linux-2.6 3.0.0-5 [lenny] - linux-2.6 (Code not present) NOTE: "...code path in question is no longer reachable..." not sure when this was fixed CVE-2011-1575 (The STARTTLS implementation in ftp_parser.c in Pure-FTPd before 1.0.30 ...) - pure-ftpd 1.0.30-1 (low) [squeeze] - pure-ftpd 1.0.28-3+squeeze1 [lenny] - pure-ftpd (Minor issue) CVE-2011-1574 (Stack-based buffer overflow in the ReadS3M method in load_s3m.cpp in l ...) {DSA-2226-1} - libmodplug 1:0.8.8.2-1 (low; bug #622091) CVE-2011-1573 (net/sctp/sm_make_chunk.c in the Linux kernel before 2.6.34, when addip ...) - linux-2.6 2.6.34-1 [squeeze] - linux-2.6 2.6.32-34 NOTE: http://xorl.wordpress.com/2011/05/08/cve-2011-1573-linux-kernel-sctp-initinit-ack-length-miscalculation/ NOTE: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=a8170c35e738d62e9919ce5b109cf4ed66e9 CVE-2011-1572 (Directory traversal vulnerability in the Admin Defined Commands (ADC) ...) {DSA-2215-1} - gitolite 1.5.7-2 NOTE: https://github.com/sitaramc/gitolite/commit/a33f0f85047834212ff4baf5b479c6cf3d2a6075 NOTE: https://github.com/sitaramc/gitolite/commit/4ce00aef84d1ff7c35f7adbbb99a6241cfda00cc [squeeze] - gitolite 1.5.4-2+squeeze1 CVE-2011-1571 (Unspecified vulnerability in the XSL Content portlet in Liferay Portal ...) - liferay-portal (bug #569819) CVE-2011-1570 (Cross-site scripting (XSS) vulnerability in Liferay Portal Community E ...) - liferay-portal (bug #569819) CVE-2011-1569 (download.aspx in Douran Portal 3.9.7.8 allows remote attackers to obta ...) NOT-FOR-US: Douran Portal CVE-2011-1568 (Format string vulnerability in the logText function in shmemmgr9.dll i ...) NOT-FOR-US: 7-Technologies Interactive Graphical SCADA System CVE-2011-1567 (Multiple stack-based buffer overflows in IGSSdataServer.exe 9.00.00.11 ...) NOT-FOR-US: 7-Technologies Interactive Graphical SCADA System CVE-2011-1566 (Directory traversal vulnerability in dc.exe 9.00.00.11059 and earlier ...) NOT-FOR-US: 7-Technologies Interactive Graphical SCADA System CVE-2011-1565 (Directory traversal vulnerability in IGSSdataServer.exe 9.00.00.11063 ...) NOT-FOR-US: 7-Technologies Interactive Graphical SCADA System CVE-2011-1564 (Multiple integer overflows in the HMI application in DATAC RealFlex Re ...) NOT-FOR-US: DATAC RealFlex RealWin CVE-2011-1563 (Multiple stack-based buffer overflows in the HMI application in DATAC ...) NOT-FOR-US: DATAC RealFlex RealWin CVE-2011-1562 (Ecava IntegraXor HMI before n 3.60 (Build 4032) allows remote attacker ...) NOT-FOR-US: Ecava IntegraXor HMI CVE-2011-1561 (The LDAP login feature in bos.rte.security 6.1.6.4 in IBM AIX 6.1, whe ...) NOT-FOR-US: IBM AIX 6.1 CVE-2011-1560 (solid.exe in IBM solidDB before 4.5.181, 6.0.x before 6.0.1067, 6.1.x ...) NOT-FOR-US: IBM solidDB CVE-2011-1559 (Unspecified vulnerability in the IBM Web Interface for Content Managem ...) NOT-FOR-US: IBM WEBi CVE-2011-1558 (Multiple cross-site scripting (XSS) vulnerabilities in the IBM Web Int ...) NOT-FOR-US: IBM WEBi CVE-2009-5070 RESERVED CVE-2009-5069 RESERVED CVE-2009-5068 (There is a file disclosure vulnerability in SMF (Simple Machines Forum ...) NOT-FOR-US: Simple Machines Forum CVE-2009-5067 (Directory traversal vulnerability in html2ps before 1.0b6 allows remot ...) - html2ps 1.0b7-1 (low; bug #548633) [squeeze] - html2ps (Minor issue) CVE-2009-5066 (twiddle.sh in JBoss AS 5.0 and EAP 5.0 and earlier accepts credentials ...) - jbossas4 (twiddle.sh is included in the source package, but not in any of the binary packages) CVE-2009-5065 (Cross-site scripting (XSS) vulnerability in feedparser.py in Universal ...) - feedparser 5.0.1-1 (low; bug #617998) [squeeze] - feedparser (Minor issue) [lenny] - feedparser (Minor issue) CVE-2011-XXXX [drupal6-mod-tagadelic XSS] - drupal6-mod-tagadelic 1.3-1 (low) NOTE: DRUPAL-SA-CONTRIB-2011-013 CVE-2011-1557 (SQL injection vulnerability in ICloudCenter ICJobSite 1.1 allows remot ...) NOT-FOR-US: ICloudCenter ICJobSite CVE-2011-1556 (SQL injection vulnerability in plugins/pdfClasses/pdfgen.php in Andy's ...) NOT-FOR-US: Aphpkb CVE-2011-1555 (SQL injection vulnerability in saa.php in Andy's PHP Knowledgebase (Ap ...) NOT-FOR-US: Aphpkb CVE-2010-4778 (Multiple cross-site scripting (XSS) vulnerabilities in fetchmailprefs. ...) - imp4 4.3.10+debian0-1 [squeeze] - imp4 (Minor issue) CVE-2011-1554 (Off-by-one error in t1lib 5.1.2 and earlier, as used in Xpdf before 3. ...) {DSA-2388-1} - t1lib 5.1.2-3.5 [lenny] - t1lib 5.1.2-3+lenny1 [squeeze] - t1lib 5.1.2-3+squeeze1 NOTE: see https://bugzilla.redhat.com/show_bug.cgi?id=692909#c23 - xpdf 3.02-9 - poppler (never used t1lib) CVE-2011-1553 (Use-after-free vulnerability in t1lib 5.1.2 and earlier, as used in Xp ...) {DSA-2388-1} - t1lib 5.1.2-3.5 [lenny] - t1lib 5.1.2-3+lenny1 [squeeze] - t1lib 5.1.2-3+squeeze1 NOTE: see https://bugzilla.redhat.com/show_bug.cgi?id=692909#c23 - xpdf 3.02-9 - poppler (never used t1lib) CVE-2011-1552 (t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6, teTeX, and ot ...) {DSA-2388-1} - t1lib 5.1.2-3.5 [lenny] - t1lib 5.1.2-3+lenny1 [squeeze] - t1lib 5.1.2-3+squeeze1 NOTE: see https://bugzilla.redhat.com/show_bug.cgi?id=692909#c23 - xpdf 3.02-9 - poppler (never used t1lib) CVE-2011-1551 (SUSE openSUSE Factory assigns ownership of the /var/log/cobbler/ direc ...) - cobbler (bug #796151; perms different on Debian) NOTE: /var/log/cobbler is set to cobbler:cobbler and daemon runs as root CVE-2011-1550 (The default configuration of logrotate on SUSE openSUSE Factory uses r ...) - logrotate (SuSE-specific, see CVE-2011-1548 for Debian) CVE-2011-1549 (The default configuration of logrotate on Gentoo Linux uses root privi ...) - logrotate (Gentoo-specific, see CVE-2011-1548 for Debian) CVE-2011-1548 (The default configuration of logrotate on Debian GNU/Linux uses root p ...) - logrotate 3.7.8-6 CVE-2009-5064 (** DISPUTED ** ldd in the GNU C Library (aka glibc or libc6) 2.13 and ...) - eglibc 2.10.1-7 - glibc 2.10.1-7 NOTE: Obscure attack CVE-2011-1547 (Multiple stack consumption vulnerabilities in the kernel in NetBSD 4.0 ...) NOT-FOR-US: NetBSD CVE-2011-1546 (Multiple SQL injection vulnerabilities in Andy's PHP Knowledgebase (Ap ...) NOT-FOR-US: Aphpkb CVE-2011-1545 (Cross-site request forgery (CSRF) vulnerability in HP Insight Control ...) NOT-FOR-US: HP Insight Control Performance Management CVE-2011-1544 (Unspecified vulnerability in HP Insight Control Performance Management ...) NOT-FOR-US: HP Insight Control Performance Management CVE-2011-1543 (Cross-site request forgery (CSRF) vulnerability in HP Systems Insight ...) NOT-FOR-US: HP Systems Insight Manager CVE-2011-1542 (Cross-site scripting (XSS) vulnerability in HP Systems Insight Manager ...) NOT-FOR-US: HP Systems Insight Manager CVE-2011-1541 (Unspecified vulnerability in HP System Management Homepage (SMH) befor ...) NOT-FOR-US: HP System Management Homepage CVE-2011-1540 (Unspecified vulnerability in HP System Management Homepage (SMH) befor ...) NOT-FOR-US: HP System Management Homepage CVE-2011-1539 (Unspecified vulnerability in HP Proliant Support Pack (PSP) before 8.7 ...) NOT-FOR-US: HP Proliant Support Pack CVE-2011-1538 (Open redirect vulnerability in HP Proliant Support Pack (PSP) before 8 ...) NOT-FOR-US: HP Proliant Support Pack CVE-2011-1537 (Cross-site scripting (XSS) vulnerability in HP Proliant Support Pack ( ...) NOT-FOR-US: HP Proliant Support Pack CVE-2011-1536 (Unspecified vulnerability in HP Performance Insight 5.0, 5.1x. 5.2x, 5 ...) NOT-FOR-US: HP Performance Insight CVE-2011-1535 (Unspecified vulnerability in HP Insight Control for Linux (aka IC-Linu ...) NOT-FOR-US: HP Insight Control CVE-2011-1534 (Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.0x all ...) NOT-FOR-US: HP Network Node Manager CVE-2011-1533 (Cross-site scripting (XSS) vulnerability on the HP Photosmart D110 and ...) NOT-FOR-US: HP Photosmart CVE-2011-1532 (Unspecified vulnerability in the SNMP component on the HP Photosmart D ...) NOT-FOR-US: HP Photosmart CVE-2011-1531 (The webscan component in the Embedded Web Server (EWS) on the HP Photo ...) NOT-FOR-US: HP Photosmart CVE-2011-1530 (The process_tgs_req function in do_tgs_req.c in the Key Distribution C ...) - krb5 1.10+dfsg~alpha1-7 [squeeze] - krb5 (Only affecs 1.9 and higher) [lenny] - krb5 (Only affecs 1.9 and higher) CVE-2011-1529 (The lookup_lockout_policy function in the Key Distribution Center (KDC ...) {DSA-2379-1} - krb5 1.10+dfsg~alpha1-1 (low; bug #646367) [lenny] - krb5 (Introduced in 1.8) CVE-2011-1528 (The krb5_ldap_lockout_audit function in the Key Distribution Center (K ...) {DSA-2379-1} - krb5 1.10+dfsg~alpha1-1 (low; bug #646367) [lenny] - krb5 (Introduced in 1.8) CVE-2011-1527 (The kdb_ldap plugin in the Key Distribution Center (KDC) in MIT Kerber ...) - krb5 1.10+dfsg~alpha1-1 (low; bug #646367) [squeeze] - krb5 (Introduced in 1.9) [lenny] - krb5 (Introduced in 1.9) CVE-2011-1526 (ftpd.c in the GSS-API FTP daemon in MIT Kerberos Version 5 Application ...) {DSA-2283-1} - krb5-appl 1:1.0.1-1.1 CVE-2011-1525 (Heap-based buffer overflow in rvrender.dll in RealNetworks RealPlayer ...) NOT-FOR-US: RealPlayer CVE-2011-1524 (Cross-site scripting (XSS) vulnerability in the management login GUI p ...) NOT-FOR-US: Symantec LiveUpdate Administrator CVE-2011-1523 (Cross-site scripting (XSS) vulnerability in statusmap.c in statusmap.c ...) - nagios3 3.2.3-3 (bug #629127) - icinga 1.4.1-1 (bug #629131) [squeeze] - nagios3 (Minor issue) [lenny] - nagios3 (Minor issue) [squeeze] - icinga (Minor issue) [lenny] - icinga (Minor issue) NOTE: http://tracker.nagios.org/view.php?id=207 CVE-2011-1522 (Multiple SQL injection vulnerabilities in the Doctrine\DBAL\Platforms\ ...) {DSA-2223-1} - doctrine 1.2.4-1 (bug #622674) CVE-2010-4777 (The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0, 5.14 ...) - perl 5.20.1-1 (unimportant; bug #628836) NOTE: Only affects Perl builds with enabled assertions, i.e. the debugperl binary from perl-debug NOTE: likely fixed sometime around 5.18, but 5.20 was the version checked CVE-2009-5063 (Memory leak in the embedded_profile_len function in pngwutil.c in libp ...) - libpng 1.2.39-1 (unimportant) CVE-2006-7244 (Memory leak in pngwutil.c in libpng 1.2.13beta1, and other versions be ...) - libpng 1.2.39-1 (unimportant) CVE-2011-1520 (The default configuration of the server console in IBM Lotus Domino do ...) NOT-FOR-US: Lotus Domino CVE-2011-1519 (The remote console in the Server Controller in IBM Lotus Domino 7.x an ...) NOT-FOR-US: Lotus Domino CVE-2011-1518 (Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Req ...) {DSA-2231-1} - otrs2 2.4.10+dfsg1-1 CVE-2011-1521 (The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x befo ...) {DLA-25-1} - python3.1 (bug #628453) [squeeze] - python3.1 (Minor issue) - python3.2 3.2-3 - python2.7 2.7.1-7 - python2.6 2.6.7-1 (bug #628455) - python2.5 [squeeze] - python2.5 (Minor issue) NOTE: http://bugs.python.org/issue11662 CVE-2011-XXXX [htmlpurifier various] - php-htmlpurifier 4.3.0+dfsg1-1 (unimportant) - mahara 1.2.5-1 [lenny] - mahara 1.0.4-4+lenny10 NOTE: http://web.archive.org/web/20120515064303/http://htmlpurifier.org/news/2011/0327-4.3.0-released NOTE: htmlpurifier only provides library functions, it's not vulnerable by itself NOTE: If apps are vulnerable, this must be addressed there (as done for Mahara) CVE-2011-1517 (SAP NetWeaver 7.0 allows Remote Code Execution and Denial of Service c ...) NOT-FOR-US: SAP CVE-2011-1516 (The kSBXProfileNoNetwork and kSBXProfileNoInternet sandbox profiles in ...) NOT-FOR-US: Apple Mac OS X CVE-2011-1515 (The inet service in HP OpenView Storage Data Protector 6.00 through 6. ...) NOT-FOR-US: HP OpenView CVE-2011-1514 (The inet service in HP OpenView Storage Data Protector 6.00 through 6. ...) NOT-FOR-US: HP OpenView CVE-2011-1513 (Static code injection vulnerability in install_.php in e107 CMS 0.7.24 ...) NOT-FOR-US: e107 CVE-2011-1512 (Heap-based buffer overflow in xlssr.dll in Autonomy KeyView, as used i ...) NOT-FOR-US: Autonomy KeyView CVE-2011-1511 (Unspecified vulnerability in the Oracle GlassFish Server component in ...) NOT-FOR-US: Oracle Sun Products Suite CVE-2011-1510 (Cross-site scripting (XSS) vulnerability in SolutionSearch.do in Manag ...) NOT-FOR-US: ManageEngine ServiceDesk Plus CVE-2011-1509 (The encryptPassword function in Login.js in ManageEngine ServiceDesk P ...) NOT-FOR-US: ManageEngine ServiceDesk Plus CVE-2011-1508 (Microsoft Publisher 2003 SP3, and 2007 SP2 and SP3, does not properly ...) NOT-FOR-US: Microsoft Publisher CVE-2011-1507 (Asterisk Open Source 1.4.x before 1.4.40.1, 1.6.1.x before 1.6.1.25, 1 ...) {DSA-2225-1} - asterisk 1:1.8.3.3-1 CVE-2010-4776 (SQL injection vulnerability in takefreestart.php in PreProjects Pre On ...) NOT-FOR-US: PreProjects Pre Online Tests Generator Pro CVE-2010-4775 (The Relevant Content module 5.x before 5.x-1.4 and 6.x before 6.x-1.5 ...) NOT-FOR-US: Relevant Content addon for Drupal CVE-2010-4774 (SQL injection vulnerability in pdf.php in AuraCMS 1.62 allows remote a ...) NOT-FOR-US: AuraCMS CVE-2010-4773 (Unspecified vulnerability in Hitachi EUR Form Client before 05-10 -/D ...) NOT-FOR-US: Hitachi EUR Form, uCosminexus EUR Form Service CVE-2010-4772 (Cross-site scripting (XSS) vulnerability in blocks/lang.php in S-CMS 2 ...) NOT-FOR-US: S-CMS CVE-2010-4771 (SQL injection vulnerability to viewforum.php in S-CMS 2.5 allows remot ...) NOT-FOR-US: S-CMS CVE-2010-4770 (SQL injection vulnerability in index.php in CommodityRentals DVD Renta ...) NOT-FOR-US: CommodityRentals DVD Rentals Script CVE-2010-4769 (Directory traversal vulnerability in the Jimtawl (com_jimtawl) compone ...) NOT-FOR-US: Jimtawl CVE-2011-1506 (The STARTTLS implementation in Kerio Connect 7.1.4 build 2985 and Mail ...) NOT-FOR-US: Kerio CVE-2011-1505 (Unspecified vulnerability in IBM Lotus Quickr 8.1 before 8.1.0.27 serv ...) NOT-FOR-US: IBM Lotus Quickr CVE-2011-1504 (Cross-site scripting (XSS) vulnerability in Liferay Portal Community E ...) - liferay-portal (bug #569819) CVE-2011-1503 (The XSL Content portlet in Liferay Portal Community Edition (CE) 5.x a ...) - liferay-portal (bug #569819) CVE-2011-1502 (Liferay Portal Community Edition (CE) 6.x before 6.0.6 GA, when Apache ...) - liferay-portal (bug #569819) CVE-2011-1501 REJECTED CVE-2011-1500 (PreferencesPithosDialog.py in Pithos 0.3.7 does not properly restrict ...) - pithos 0.3.8-1 (low) CVE-2011-1499 (acl.c in Tinyproxy before 1.8.3, when an Allow configuration setting s ...) {DSA-2222-1} - tinyproxy 1.8.2-2 (bug #621493) [lenny] - tinyproxy (Vulnerable code not present) CVE-2011-1498 (Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used ...) - httpcomponents-client 4.1.1-1 (bug #628727) [squeeze] - httpcomponents-client 4.0.1-1squeeze1 NOTE: http://seclists.org/oss-sec/2011/q2/188 NOTE: http://web.archive.org/web/20130102213624/http://www.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES-4.1.x.txt CVE-2011-1497 RESERVED CVE-2011-1496 (tmux 1.3 and 1.4 does not properly drop group privileges, which allows ...) {DSA-2212-1} - tmux 1.4-6 (bug #620304) NOTE: CVE id requested CVE-2011-1495 (drivers/scsi/mpt2sas/mpt2sas_ctl.c in the Linux kernel 2.6.38 and earl ...) {DSA-2240-1} - linux-2.6 2.6.38-5 (unimportant) CVE-2011-1494 (Integer overflow in the _ctl_do_mpt_command function in drivers/scsi/m ...) {DSA-2240-1} - linux-2.6 2.6.38-5 (unimportant) CVE-2011-1493 (Array index error in the rose_parse_national function in net/rose/rose ...) {DSA-2264-1 DSA-2240-1} - linux-2.6 2.6.38-4 CVE-2011-1492 (steps/utils/modcss.inc in Roundcube Webmail before 0.5.1 does not prop ...) - roundcube 0.5.1-1 [squeeze] - roundcube (Minor issue) CVE-2011-1491 (The login form in Roundcube Webmail before 0.5.1 does not properly han ...) - roundcube 0.5.1-1 (low) [squeeze] - roundcube (Minor issue) CVE-2011-1490 (A memory leak in rsyslog before 5.7.6 was found in the way deamon proc ...) - rsyslog 5.7.6-1 (low) [squeeze] - rsyslog (Minor issue) [lenny] - rsyslog (Minor issue) CVE-2011-1489 (A memory leak in rsyslog before 5.7.6 was found in the way deamon proc ...) - rsyslog 5.7.6-1 (low) [squeeze] - rsyslog (Minor issue) [lenny] - rsyslog (Minor issue) CVE-2011-1488 (A memory leak in rsyslog before 5.7.6 was found in the way deamon proc ...) - rsyslog 5.7.6-1 (low) [squeeze] - rsyslog (Minor issue) [lenny] - rsyslog (Minor issue) CVE-2011-1487 (The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.1 ...) {DSA-2265-1} - perl 5.10.1-20 (unimportant; bug #622817) NOTE: http://nntp.perl.org/group/perl.perl5.porters/171010 CVE-2011-1486 (libvirtd in libvirt before 0.9.0 does not use thread-safe error report ...) {DSA-2280-1} - libvirt 0.9.0-1 (low; bug #623222) [lenny] - libvirt (Minor issue) CVE-2011-1485 (Race condition in the pkexec utility and polkitd daemon in PolicyKit ( ...) {DSA-2319-1} - policykit-1 0.101-4 (bug #644500) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=692922 CVE-2011-1484 (jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as dis ...) NOT-FOR-US: JBoss Seam CVE-2011-1483 (wsf/common/DOMUtils.java in JBossWS Native in Red Hat JBoss Enterprise ...) NOT-FOR-US: JBoss Enterprise Web Platform CVE-2011-1482 (Multiple cross-site request forgery (CSRF) vulnerabilities in mainfile ...) NOT-FOR-US: PHP-Nuke CVE-2011-1481 (Multiple cross-site scripting (XSS) vulnerabilities in Francisco Burzi ...) NOT-FOR-US: PHP-Nuke CVE-2011-1480 (SQL injection vulnerability in admin.php in the administration backend ...) NOT-FOR-US: PHP-Nuke CVE-2011-1479 (Double free vulnerability in the inotify subsystem in the Linux kernel ...) - linux-2.6 2.6.38-4 [lenny] - linux-2.6 (Only affected 2.6.37 and 2.6.38) [squeeze] - linux-2.6 (Only affected 2.6.37 and 2.6.38) CVE-2011-1478 (The napi_reuse_skb function in net/core/dev.c in the Generic Receive O ...) {DSA-2240-1} - linux-2.6 2.6.38-1 [lenny] - linux-2.6 (Vulnerable code not present) CVE-2011-1477 (Multiple array index errors in sound/oss/opl3.c in the Linux kernel be ...) {DSA-2264-1 DSA-2240-1} - linux-2.6 2.6.38-4 CVE-2011-1476 (Integer underflow in the Open Sound System (OSS) subsystem in the Linu ...) {DSA-2240-1} - linux-2.6 2.6.38-4 CVE-2011-1475 (The HTTP BIO connector in Apache Tomcat 7.0.x before 7.0.12 does not p ...) - tomcat6 (Only affects Tomcat 7) CVE-2011-1474 (A locally locally exploitable DOS vulnerability was found in pax-linux ...) NOT-FOR-US: PaX hardening patch NOTE: http://seclists.org/oss-sec/2011/q1/579 CVE-2011-1473 (** DISPUTED ** OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not ...) NOTE: Generic protocol issue, no code fix. Workarounds exist, see bug #672456 NOTE: and http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html CVE-2011-1472 (The Nokia E75 phone with firmware before 211.12.01 allows physically p ...) NOT-FOR-US: Nokia E75 phone CVE-2009-5062 (IBM Lotus Quickr 8.1 before 8.1.0.15 services for Lotus Domino on AIX ...) NOT-FOR-US: IBM Lotus Quickr CVE-2009-5061 (Unspecified vulnerability in IBM Lotus Quickr 8.1 before 8.1.0.14 serv ...) NOT-FOR-US: IBM Lotus Quickr CVE-2009-5060 (Unspecified vulnerability in IBM Lotus Quickr 8.1 before 8.1.0.11 serv ...) NOT-FOR-US: IBM Lotus Quickr CVE-2009-5059 (Unspecified vulnerability in IBM Lotus Quickr 8.1 before 8.1.0.10 serv ...) NOT-FOR-US: IBM Lotus Quickr CVE-2009-5058 (Unspecified vulnerability in IBM Lotus Quickr 8.1 before 8.1.0.5 servi ...) NOT-FOR-US: IBM Lotus Quickr CVE-2008-7286 (IBM Lotus Quickr 8.1 before 8.1.0.2 services for Lotus Domino does not ...) NOT-FOR-US: IBM Lotus Quickr CVE-2008-7285 (Unspecified vulnerability in the docnote string handling implementatio ...) NOT-FOR-US: IBM Lotus Quickr CVE-2008-7284 (IBM Lotus Quickr 8.1 before 8100.003 services for Lotus Domino allows ...) NOT-FOR-US: IBM Lotus Quickr CVE-2011-1471 (Integer signedness error in zip_stream.c in the Zip extension in PHP b ...) {DSA-2266-1} - php5 5.3.6-1 CVE-2011-1470 (The Zip extension in PHP before 5.3.6 allows context-dependent attacke ...) {DSA-2408-1} - php5 5.3.6-1 (unimportant) NOTE: exploitable by malicious scripts only CVE-2011-1469 (Unspecified vulnerability in the Streams component in PHP before 5.3.6 ...) {DSA-2408-1} - php5 5.3.6-1 (unimportant) NOTE: exploitable by malicious scripts only CVE-2011-1468 (Multiple memory leaks in the OpenSSL extension in PHP before 5.3.6 mig ...) {DSA-2408-1} - php5 5.3.6-1 (unimportant) NOTE: under normal conditions the amount of memory leaked is insignificant CVE-2011-1467 (Unspecified vulnerability in the NumberFormatter::setSymbol (aka numfm ...) {DSA-2408-1} - php5 5.3.6-1 (unimportant) [lenny] - php5 (intl extension included since 5.3) NOTE: Only triggerable with malicious script CVE-2011-1466 (Integer overflow in the SdnToJulian function in the Calendar extension ...) {DSA-2266-1} - php5 5.3.6-1 NOTE: null pointer deref because of int overflow. Fix has a bug CVE-2011-1465 (The SPDY implementation in net/http/http_network_transaction.cc in Goo ...) - chromium-browser (only the dev version was affected) - webkit (chromium specific) CVE-2011-1464 (Buffer overflow in the strval function in PHP before 5.3.6, when the p ...) {DSA-2408-1} - php5 5.3.6-1 (unimportant) NOTE: ini setting needs to be modified. CVE-2011-1463 RESERVED CVE-2011-1462 (WebKit, as used in Apple Safari before 5.0.6, allows remote attackers ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-1461 RESERVED CVE-2011-1460 (WebKit in Google Chrome before Blink M11 contains a bad cast to Render ...) NOTE: Historic webkit/Chromium issues CVE-2011-1459 (The WebKit::WebPluginContainerImpl::handleEvent function in Google Chr ...) NOTE: Historic webkit/Chromium issues CVE-2011-1458 RESERVED CVE-2011-1457 (WebKit, as used in Apple Safari before 5.0.6, allows remote attackers ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-1456 (Google Chrome before 11.0.696.57 does not properly handle PDF forms, w ...) - chromium-browser (chrome pdf plugin) CVE-2011-1455 (Google Chrome before 11.0.696.57 does not properly handle PDF document ...) - chromium-browser (chrome pdf plugin) CVE-2011-1454 (Use-after-free vulnerability in the DOM id handling functionality in G ...) - chromium-browser 11.0.696.65~r84435-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/84015 CVE-2011-1453 (WebKit, as used in Apple Safari before 5.0.6, allows remote attackers ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-1452 (Google Chrome before 11.0.696.57 allows user-assisted remote attackers ...) - chromium-browser 11.0.696.65~r84435-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-1451 (Google Chrome before 11.0.696.57 does not properly handle DOM id maps, ...) - chromium-browser 11.0.696.65~r84435-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/83209 CVE-2011-1450 (Google Chrome before 11.0.696.57 does not properly present file dialog ...) - chromium-browser 11.0.696.65~r84435-1 (unimportant) - webkit (chromium specific) CVE-2011-1449 (Use-after-free vulnerability in the WebSockets implementation in Googl ...) - chromium-browser 11.0.696.65~r84435-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/82088 CVE-2011-1448 (Google Chrome before 11.0.696.57 does not properly perform height calc ...) - chromium-browser 11.0.696.65~r84435-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/81786 CVE-2011-1447 (Google Chrome before 11.0.696.57 does not properly handle drop-down li ...) - chromium-browser 11.0.696.65~r84435-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/81851 CVE-2011-1446 (Google Chrome before 11.0.696.57 allows remote attackers to spoof the ...) - chromium-browser 11.0.696.65~r84435-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-1445 (Google Chrome before 11.0.696.57 does not properly handle SVG document ...) - chromium-browser 11.0.696.65~r84435-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/81689 CVE-2011-1444 (Race condition in the sandbox launcher implementation in Google Chrome ...) {DSA-2245-1} - chromium-browser 11.0.696.65~r84435-1 - webkit (chromium sandbox) CVE-2011-1443 (Google Chrome before 11.0.696.57 does not properly implement layering, ...) - chromium-browser 11.0.696.65~r84435-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/82624 CVE-2011-1442 (Google Chrome before 11.0.696.57 does not properly handle mutation eve ...) - chromium-browser 11.0.696.65~r84435-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/81611 CVE-2011-1441 (Google Chrome before 11.0.696.57 does not properly perform a cast of a ...) - chromium-browser 11.0.696.65~r84435-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/80773 NOTE: http://trac.webkit.org/changeset/81088 CVE-2011-1440 (Use-after-free vulnerability in Google Chrome before 11.0.696.57 allow ...) {DSA-2245-1} - chromium-browser 11.0.696.65~r84435-1 NOTE: http://trac.webkit.org/changeset/84009 CVE-2011-1439 (Google Chrome before 11.0.696.57 on Linux does not properly isolate re ...) - chromium-browser 11.0.696.65~r84435-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-1438 (Google Chrome before 11.0.696.57 allows remote attackers to bypass the ...) - chromium-browser 11.0.696.65~r84435-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/81399 CVE-2011-1437 (Multiple integer overflows in Google Chrome before 11.0.696.57 allow r ...) - chromium-browser 11.0.696.65~r84435-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/79462 CVE-2011-1436 (Google Chrome before 11.0.696.57 on Linux does not properly interact w ...) - chromium-browser 11.0.696.65~r84435-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-1435 (Google Chrome before 11.0.696.57 does not properly implement the tabs ...) - chromium-browser 11.0.696.65~r84435-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-1434 (Google Chrome before 11.0.696.57 does not ensure thread safety during ...) - chromium-browser 11.0.696.65~r84435-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-1433 (The (1) AgentInterface and (2) CustomerInterface components in Open Ti ...) - otrs2 3.0.8+dfsg1-1 (unimportant) NOTE: Negligible security impact CVE-2010-4768 (Open Ticket Request System (OTRS) before 2.3.5 does not properly disab ...) - otrs2 2.4.5-1 (low) [lenny] - otrs2 (Minor issue) CVE-2010-4767 (Open Ticket Request System (OTRS) before 2.3.6 does not properly handl ...) - otrs2 2.4.5-1 (low) [lenny] - otrs2 (Minor issue) CVE-2010-4766 (The AgentTicketForward feature in Open Ticket Request System (OTRS) be ...) - otrs2 2.4.7+dfsg1-1 (unimportant) NOTE: Marginal security impact, standard bug CVE-2010-4765 (Race condition in the Kernel::System::Main::FileWrite method in Open T ...) - otrs2 2.4.8+dfsg1-1 (low) [lenny] - otrs2 (Minor issue) CVE-2010-4764 (Open Ticket Request System (OTRS) before 2.4.10, and 3.x before 3.0.3, ...) - otrs2 2.4.10+dfsg1-1 (unimportant) NOTE: Marginal security impact, standard bug CVE-2010-4763 (The ACL-customer-status Ticket Type setting in Open Ticket Request Sys ...) - otrs2 3.0.8+dfsg1-1 (unimportant) NOTE: Negligible security impact CVE-2010-4762 (Cross-site scripting (XSS) vulnerability in the rich-text-editor compo ...) - otrs2 3.0.8+dfsg1-1 (unimportant) NOTE: Negligible security impact CVE-2010-4761 (The customer-interface ticket-print dialog in Open Ticket Request Syst ...) - otrs2 3.0.8+dfsg1-1 (unimportant) NOTE: Marginal security impact, standard bug CVE-2010-4760 (Open Ticket Request System (OTRS) before 3.0.0-beta6 adds email-notifi ...) - otrs2 3.0.8+dfsg1-1 (unimportant) NOTE: No security impact, feature enhancement CVE-2010-4759 (Open Ticket Request System (OTRS) before 3.0.0-beta7 does not properly ...) - otrs2 3.0.8+dfsg1-1 (unimportant) NOTE: No security impact, feature enhancement CVE-2010-4758 (installer.pl in Open Ticket Request System (OTRS) before 3.0.3 has an ...) - otrs2 3.0.8+dfsg1-1 (unimportant) NOTE: Negligible security enhancement CVE-2009-5057 (The S/MIME feature in Open Ticket Request System (OTRS) before 2.3.4 d ...) - otrs2 2.4.5-1 (low) [lenny] - otrs2 (Minor issue) CVE-2009-5056 (Open Ticket Request System (OTRS) before 2.4.0-beta2 does not properly ...) - otrs2 2.4.5-1 (low) [lenny] - otrs2 (Minor issue) CVE-2009-5055 (Open Ticket Request System (OTRS) before 2.4.4 grants ticket access on ...) - otrs2 2.4.5-1 (low) [lenny] - otrs2 (Minor issue) CVE-2008-7283 (Open Ticket Request System (OTRS) before 2.2.6, when customer group su ...) - otrs2 2.2.6-1 CVE-2008-7282 (Kernel/Output/HTML/CustomerNewTicketQueueSelectionGeneric.pm in Open T ...) - otrs2 2.2.6-1 CVE-2008-7281 (Open Ticket Request System (OTRS) before 2.2.7 sends e-mail containing ...) - otrs2 2.2.7-1 CVE-2008-7280 (Kernel/System/EmailParser.pm in PostmasterPOP3.pl in Open Ticket Reque ...) - otrs2 2.2.7-1 CVE-2008-7279 (The CustomerInterface component in Open Ticket Request System (OTRS) b ...) - otrs2 2.3.2-1 CVE-2008-7278 (The S/MIME feature in Open Ticket Request System (OTRS) before 2.2.5, ...) - otrs2 2.3.2-1 (low) CVE-2008-7277 (Open Ticket Request System (OTRS) before 2.3.0-beta4 checks for the rw ...) - otrs2 2.3.2-1 (low) CVE-2008-7276 (Kernel/System/Web/Request.pm in Open Ticket Request System (OTRS) befo ...) - otrs2 2.3.2-1 (low) CVE-2008-7275 (Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Req ...) - otrs2 2.3.3-1 CVE-2011-1432 (The STARTTLS implementation in SCO SCOoffice Server does not properly ...) NOT-FOR-US: SCO SCOoffice Server CVE-2011-1431 (The STARTTLS implementation in qmail-smtpd.c in qmail-smtpd in the net ...) - qmail (unimportant; bug #652378) NOTE: The TLS patch is shipped in the source package, but it's not applied - netqmail (Doesn't include the TLS patch) CVE-2011-1430 (The STARTTLS implementation in the server in Ipswitch IMail 11.03 and ...) NOT-FOR-US: Ipswitch IMail CVE-2011-1429 (Mutt does not verify that the smtps server hostname matches the domain ...) - mutt 1.5.21-5 (low; bug #619216) [squeeze] - mutt 1.5.20-9+squeeze2 [lenny] - mutt (Minor issue) NOTE: http://dev.mutt.org/trac/ticket/3506 CVE-2011-1428 (Wee Enhanced Environment for Chat (aka WeeChat) 0.3.4 and earlier does ...) {DSA-2598-1} - weechat 0.3.5-1 CVE-2011-1427 (Multiple cross-site scripting (XSS) vulnerabilities in Kodak InSite 5. ...) NOT-FOR-US: Kodak InSite CVE-2011-1426 (The OpenURLInDefaultBrowser method in RealNetworks RealPlayer 11.0 thr ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-1425 (xslt.c in XML Security Library (aka xmlsec) before 1.2.17, as used in ...) {DSA-2219-1} - xmlsec1 1.2.14-1.1 (bug #620560) NOTE: http://www.aleksey.com/xmlsec/news.html CVE-2011-1424 (The default configuration of ExShortcut\Web.config in EMC SourceOne Em ...) NOT-FOR-US: EMC SourceOne Email Management CVE-2011-1423 (Cross-site scripting (XSS) vulnerability in RSA Data Loss Prevention ( ...) NOT-FOR-US: RSA Data Loss Prevention Enterprise Manager CVE-2011-1422 (Cross-site scripting (XSS) vulnerability in an unspecified Shockwave F ...) NOT-FOR-US: EMC RSA Adaptive Authentication On-Premise CVE-2011-1421 (EMC NetWorker 7.5.x before 7.5.4.3 and 7.6.x before 7.6.1.5, when the ...) NOT-FOR-US: EMC NetWorker CVE-2011-1420 (EMC Data Protection Advisor Collector 5.7 and 5.7.1 on Solaris SPARC p ...) NOT-FOR-US: EMC Data Protection Advisor Collector CVE-2011-1419 (Apache Tomcat 7.x before 7.0.11, when web.xml has no security constrai ...) - tomcat6 (Only affects Tomcat 7) CVE-2011-1418 (The stateless address autoconfiguration (aka SLAAC) functionality in t ...) NOT-FOR-US: Apple iOS CVE-2011-1417 (Integer overflow in QuickLook, as used in Apple Mac OS X before 10.6.7 ...) NOT-FOR-US: QuickLook, CVE-2011-1416 (The Research In Motion (RIM) BlackBerry Torch 9800 with firmware 6.0.0 ...) NOT-FOR-US: BlackBerry CVE-2011-1415 REJECTED CVE-2010-4757 (Cross-site scripting (XSS) vulnerability in submitnews.php in e107 bef ...) NOT-FOR-US: e107 CVE-2011-1414 (Cross-site scripting (XSS) vulnerability in the tibbr web server, as u ...) NOT-FOR-US: TIBCO tibbr CVE-2011-1413 (Google Chrome before 10.0.648.127 on Linux does not properly mitigate ...) - chromium-browser 10.0.648.127~r76697-1 [squeeze] - chromium-browser [wheezy] - chromium-browser - webkit (chromium specific) CVE-2011-1412 (sys/sys_unix.c in the ioQuake3 engine on Unix and Linux, as used in Wo ...) - openarena (Vulnerable code not present, the version in sid uses ioquake3) - ioquake3 1.36+svn1946-4 CVE-2011-1411 (Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, ...) {DSA-2284-1} - opensaml2 2.4.3-1 CVE-2011-1410 RESERVED CVE-2011-1409 (Frams's Fast File EXchange (F*EX, aka fex) 20100208, and possibly othe ...) {DSA-2259-1} - fex 20110610-1 CVE-2011-1408 (ikiwiki before 3.20110608 allows remote attackers to hijack root's tty ...) - ikiwiki 3.20110608 (low) [squeeze] - ikiwiki (Minor issue) CVE-2011-1407 (The DKIM implementation in Exim 4.7x before 4.76 permits matching for ...) {DSA-2236-1} - exim4 4.76-1 [lenny] - exim4 (Vulnerable code not present) CVE-2011-1406 (Mahara before 1.3.6 does not properly handle an https URL in the wwwro ...) {DSA-2246-1} - mahara 1.3.6-1 CVE-2011-1405 (Cross-site scripting (XSS) vulnerability in Mahara before 1.3.6 allows ...) {DSA-2246-1} - mahara 1.3.6-1 CVE-2011-1404 (Mahara before 1.3.6 does not properly restrict the data in responses t ...) {DSA-2246-1} - mahara 1.3.6-1 CVE-2011-1403 (Cross-site request forgery (CSRF) vulnerability in the pieforms implem ...) {DSA-2246-1} - mahara 1.3.6-1 CVE-2011-1402 (Mahara before 1.3.6 allows remote authenticated users to bypass intend ...) {DSA-2246-1} - mahara 1.3.6-1 CVE-2011-1401 (ikiwiki before 3.20110328 does not ascertain whether the htmlscrubber ...) {DSA-2214-1} - ikiwiki 3.20110328 CVE-2011-1400 (The default configuration of the shell_escape_commands directive in co ...) {DSA-2198-1} - tex-common 2.09 CVE-2011-1399 RESERVED CVE-2011-1398 (The sapi_header_op function in main/SAPI.c in PHP before 5.3.11 and 5. ...) - php5 5.4.0~rc5-1 (low) [squeeze] - php5 (Minor issue) CVE-2011-1397 (Cross-site request forgery (CSRF) vulnerability in the Labor Reporting ...) NOT-FOR-US: IBM Tivoli CVE-2011-1396 (Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Managemen ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2011-1395 (Cross-site scripting (XSS) vulnerability in imicon.jsp in IBM Maximo A ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2011-1394 (IBM Maximo Asset Management and Asset Management Essentials 6.2, 7.1, ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2011-1393 (Unspecified vulnerability in the authentication functionality in the s ...) NOT-FOR-US: IBM Lotus Domino CVE-2011-1392 (The Blueberry FlashBack ActiveX control in BB FlashBack Recorder.dll i ...) NOT-FOR-US: IBM Rational Rhapsody CVE-2011-1391 (The Blueberry FlashBack ActiveX control in BB FlashBack Recorder.dll i ...) NOT-FOR-US: IBM Rational Rhapsody CVE-2011-1390 (SQL injection vulnerability in the Maintenance tool in IBM Rational Cl ...) NOT-FOR-US: IBM Rational ClearQuest CVE-2011-1389 (Multiple directory traversal vulnerabilities in the vendor daemon in R ...) NOT-FOR-US: Telelogic License Server CVE-2011-1388 (The Blueberry FlashBack ActiveX control in BB FlashBack Recorder.dll i ...) NOT-FOR-US: IBM Rational Rhapsody CVE-2011-1387 RESERVED CVE-2011-1386 (IBM Tivoli Federated Identity Manager (TFIM) and Tivoli Federated Iden ...) NOT-FOR-US: IBM Tivoli Federated Identity Manager CVE-2011-1385 (IBM AIX 5.3, 6.1, and 7.1, and VIOS 2.1.x and 2.2.x, allows remote att ...) NOT-FOR-US: IBM AIX CVE-2011-1384 (The (1) bin/invscoutClient_VPD_Survey and (2) sbin/invscout_lsvpd prog ...) NOT-FOR-US: IBM AIX CVE-2011-1383 RESERVED CVE-2011-1382 RESERVED CVE-2011-1381 (Unspecified vulnerability in IBM OpenPages GRC Platform 6.1.0.1 before ...) NOT-FOR-US: IBM OpenPages GRC Platform CVE-2011-1380 RESERVED CVE-2011-1379 RESERVED CVE-2011-1378 (IBM WebSphere MQ 6.0 on OpenVMS, when the default rights of the MQM gr ...) NOT-FOR-US: IBM WebSphere CVE-2011-1377 (The Web Services Security component in the Web Services Feature Pack b ...) NOT-FOR-US: IBM WebSphere CVE-2011-1376 (iscdeploy in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.4 ...) NOT-FOR-US: IBM WebSphere CVE-2011-1375 (IBM AIX 6.1 and 7.1 does not restrict the wpar_limits_config and wpar_ ...) NOT-FOR-US: IBM AIX CVE-2011-1374 (Buffer overflow in Apple QuickTime before 7.7.3 allows remote attacker ...) NOT-FOR-US: Appe QuickTime CVE-2011-1373 (Unspecified vulnerability in IBM DB2 9.7 before FP5 on UNIX, when the ...) NOT-FOR-US: IBM DB2 CVE-2011-1372 (The Web User Interface on the IBM TS3100 and TS3200 tape libraries wit ...) NOT-FOR-US: IBM web interface to tape libraries CVE-2011-1371 (Cross-site scripting (XSS) vulnerability in content/error.jsp in IBM W ...) NOT-FOR-US: IBM WebSphere CVE-2011-1370 (The default configuration of the Sametime configuration servlet (SCS) ...) NOT-FOR-US: IBM Lotus Sametime CVE-2011-1369 RESERVED CVE-2011-1368 (The JavaServer Faces (JSF) application functionality in IBM WebSphere ...) NOT-FOR-US: IBM WebSphere CVE-2011-1367 (Unspecified vulnerability in the File Load feature in IBM Rational App ...) NOT-FOR-US: IBM Rational AppScan CVE-2011-1366 (Unspecified vulnerability in the Import feature in IBM Rational AppSca ...) NOT-FOR-US: IBM Rational AppScan CVE-2011-1365 RESERVED CVE-2011-1364 (Cross-site request forgery (CSRF) vulnerability in _ah/admin/interacti ...) NOT-FOR-US: Goole App Engine Python SDK CVE-2011-1363 RESERVED CVE-2011-1362 (Cross-site scripting (XSS) vulnerability in the Installation Verificat ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2011-1361 RESERVED CVE-2011-1360 (Multiple cross-site scripting (XSS) vulnerabilities in IBM HTTP Server ...) NOT-FOR-US: IBM HTTP Server CVE-2011-1359 (Directory traversal vulnerability in the administration console in IBM ...) NOT-FOR-US: IBM WebSphere CVE-2011-1358 RESERVED CVE-2011-1357 (Cross-site scripting (XSS) vulnerability in agentDetect.jsp in the web ...) NOT-FOR-US: IBM WebSphere Service Registry and Repository CVE-2011-1356 (IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.39 and 7.0 bef ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2011-1355 (Open redirect vulnerability in IBM WebSphere Application Server (WAS) ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2011-1354 RESERVED CVE-2011-1353 (Unspecified vulnerability in Adobe Reader 10.x before 10.1.1 on Window ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2011-1352 (The PowerVR SGX driver in Android before 2.3.6 allows attackers to gai ...) NOT-FOR-US: Anroid CVE-2011-1351 RESERVED CVE-2011-1350 (The PowerVR SGX driver in Android before 2.3.6 allows attackers to obt ...) NOT-FOR-US: Android CVE-2011-1349 RESERVED CVE-2011-1348 RESERVED CVE-2011-1347 (Unspecified vulnerability in Microsoft Internet Explorer 8 on Windows ...) NOT-FOR-US: Internet Explorer CVE-2011-1346 (Unspecified vulnerability in Microsoft Internet Explorer 8 on Windows ...) NOT-FOR-US: Internet Explorer CVE-2011-1345 (Microsoft Internet Explorer 6, 7, and 8 does not properly handle objec ...) NOT-FOR-US: Internet Explorer CVE-2011-1344 (Use-after-free vulnerability in WebKit, as used in Apple Safari before ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-1343 (SQL injection vulnerability in the Web GUI in IBM Tivoli Netcool/OMNIb ...) NOT-FOR-US: Tivoli CVE-2011-1342 (SQL injection vulnerability in Aimluck Aipo before 5.1.1, and Aipo for ...) NOT-FOR-US: Aimluck Aipo CVE-2011-1341 (Cross-site request forgery (CSRF) vulnerability in Aimluck Aipo before ...) NOT-FOR-US: Aimluck Aipo CVE-2011-1340 (Cross-site scripting (XSS) vulnerability in skins/plone_templates/defa ...) - plone3 CVE-2011-1339 (Cross-site scripting (XSS) vulnerability in Google Search Appliance be ...) NOT-FOR-US: Google Search Appliance CVE-2011-1338 (Untrusted search path vulnerability in XnView before 1.98.1 allows loc ...) NOT-FOR-US: XnView CVE-2011-1337 (Opera before 11.50 allows remote attackers to cause a denial of servic ...) NOT-FOR-US: Opera CVE-2011-1336 (Buffer overflow in ALZip 8.21 and earlier allows remote attackers to e ...) NOT-FOR-US: ALZip CVE-2011-1335 (Cross-site scripting (XSS) vulnerability in Cybozu Office 6, 7, and 8 ...) NOT-FOR-US: Cybozu Office CVE-2011-1334 (Cross-site scripting (XSS) vulnerability in Cybozu Office 6, Cybozu Ga ...) NOT-FOR-US: Cybozu CVE-2011-1333 (Cross-site scripting (XSS) vulnerability in Cybozu Office 6 and Cybozu ...) NOT-FOR-US: Cybozu CVE-2011-1332 (Cross-site scripting (XSS) vulnerability in Cybozu Garoon 2.0.0 throug ...) NOT-FOR-US: Cybozu Garoon CVE-2011-1331 (JustSystems Ichitaro 2005 through 2011, Ichitaro Government 6, Ichitar ...) NOT-FOR-US: JustSystems Ichitaro Products CVE-2011-1330 (Cross-site scripting (XSS) vulnerability in WeblyGo 5.0 Pro/LE, 5.02 P ...) NOT-FOR-US: WeblyGo CVE-2011-1329 (WalRack 1.x before 1.1.9 and 2.x before 2.0.7 does not properly restri ...) NOT-FOR-US: WalRack CVE-2011-1328 (SQL injection vulnerability in RADVISION iVIEW Suite before 7.5 allows ...) NOT-FOR-US: RADVISION iVIEW Suite CVE-2011-1327 (The Keystroke Encryption feature in Trend Micro Internet Security 2009 ...) NOT-FOR-US: Trend Micro Internet Security CVE-2011-1326 (Unspecified vulnerability on the La Fonera+ router with firmware befor ...) NOT-FOR-US: La Fonera+ router CVE-2011-1325 (Cross-site request forgery (CSRF) vulnerability in EC-CUBE before 2.11 ...) NOT-FOR-US: EC-CUBE CVE-2011-1324 (Multiple cross-site request forgery (CSRF) vulnerabilities in the mana ...) NOT-FOR-US: Buffalo routers CVE-2011-1323 (Yamaha RTX, RT, SRT, RTV, RTW, and RTA series routers with firmware 6. ...) NOT-FOR-US: Yamaha RTX, RT, SRT, RTV, RTW, and RTA series routers CVE-2011-1322 (The SOAP with Attachments API for Java (SAAJ) implementation in the We ...) NOT-FOR-US: WebSphere CVE-2011-1321 (The AuthCache purge implementation in the Security component in IBM We ...) NOT-FOR-US: WebSphere CVE-2011-1320 (The Security component in IBM WebSphere Application Server (WAS) 6.1.0 ...) NOT-FOR-US: WebSphere CVE-2011-1319 (The Security component in IBM WebSphere Application Server (WAS) 6.1.0 ...) NOT-FOR-US: WebSphere CVE-2011-1318 (Memory leak in org.apache.jasper.runtime.JspWriterImpl.response in the ...) NOT-FOR-US: WebSphere CVE-2011-1317 (Memory leak in com.ibm.ws.jsp.runtime.WASJSPStrBufferImpl in the JavaS ...) NOT-FOR-US: WebSphere CVE-2011-1316 (The Session Initiation Protocol (SIP) Proxy in the HTTP Transport comp ...) NOT-FOR-US: WebSphere CVE-2011-1315 (Memory leak in the messaging engine in IBM WebSphere Application Serve ...) NOT-FOR-US: WebSphere CVE-2011-1314 (The Service Integration Bus (SIB) messaging engine in IBM WebSphere Ap ...) NOT-FOR-US: WebSphere CVE-2011-1313 (Double free vulnerability in IBM WebSphere Application Server (WAS) 6. ...) NOT-FOR-US: WebSphere CVE-2011-1312 (The Administrative Console component in IBM WebSphere Application Serv ...) NOT-FOR-US: WebSphere CVE-2011-1311 (The Security component in IBM WebSphere Application Server (WAS) befor ...) NOT-FOR-US: WebSphere CVE-2011-1310 (The Administrative Scripting Tools component in IBM WebSphere Applicat ...) NOT-FOR-US: WebSphere CVE-2011-1309 (The Plug-in component in IBM WebSphere Application Server (WAS) before ...) NOT-FOR-US: WebSphere CVE-2011-1308 (Cross-site scripting (XSS) vulnerability in the Installation Verificat ...) NOT-FOR-US: WebSphere CVE-2011-1307 (The installer in IBM WebSphere Application Server (WAS) before 7.0.0.1 ...) NOT-FOR-US: WebSphere CVE-2011-1306 (Unspecified vulnerability in the Scratchpad application in Google Chro ...) NOT-FOR-US: Google ChromeOS CVE-2011-1305 (Race condition in Google Chrome before 11.0.696.57 on Linux and Mac OS ...) - chromium-browser 11.0.696.65~r84435-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/76713 CVE-2011-1304 (Unspecified vulnerability in Google Chrome before 11.0.696.57 allows r ...) - chromium-browser 11.0.696.65~r84435-1 (unimportant) CVE-2011-1303 (Google Chrome before 11.0.696.57 does not properly handle floating obj ...) - chromium-browser 11.0.696.65~r84435-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/80682 CVE-2011-1302 (Heap-based buffer overflow in the GPU process in Google Chrome before ...) - chromium-browser 10.0.648.205~r81283-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-1301 (Use-after-free vulnerability in the GPU process in Google Chrome befor ...) - chromium-browser 10.0.648.205~r81283-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-1300 (The Program::getActiveUniformMaxLength function in libGLESv2/Program.c ...) NOT-FOR-US: Mozilla Firefox on Windows, Google Chrome on Windows CVE-2011-1299 RESERVED CVE-2011-1298 (An Integer Overflow exists in WebKit in Google Chrome before Blink M11 ...) NOTE: Historic webkit/Chromium issues CVE-2011-1297 RESERVED CVE-2011-1296 (Google Chrome before 10.0.648.204 does not properly handle SVG text, w ...) - chromium-browser 10.0.648.204~r79063-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/80520 CVE-2011-1295 (WebKit, as used in Google Chrome before 10.0.648.204 and Apple Safari ...) - chromium-browser 10.0.648.204~r79063-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/80487 CVE-2011-1294 (Google Chrome before 10.0.648.204 does not properly handle Cascading S ...) - chromium-browser 10.0.648.204~r79063-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/80144 CVE-2011-1293 (Use-after-free vulnerability in the HTMLCollection implementation in G ...) {DSA-2245-1} - chromium-browser 10.0.648.204~r79063-1 NOTE: http://trac.webkit.org/changeset/80797 CVE-2011-1292 (Use-after-free vulnerability in the frame-loader implementation in Goo ...) {DSA-2245-1} - chromium-browser 10.0.648.204~r79063-1 NOTE: http://trac.webkit.org/changeset/79808 CVE-2011-1291 (Google Chrome before 10.0.648.204 does not properly handle base string ...) - chromium-browser 10.0.648.204~r79063-1 [squeeze] - chromium-browser - webkit (chromium specific) CVE-2011-1290 (Integer overflow in WebKit, as used on the Research In Motion (RIM) Bl ...) {DSA-2192-1} - chromium-browser 10.0.648.133~r77742-1 [wheezy] - chromium-browser 6.0.472.63~r59945-5+squeeze4 NOTE: needs port NOTE: http://trac.webkit.org/changeset/80787 CVE-2011-1289 RESERVED CVE-2011-1288 (WebKit, as used in Apple Safari before 5.0.6, allows remote attackers ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-1287 RESERVED CVE-2011-1286 (Google V8, as used in Google Chrome before 10.0.648.127, allows remote ...) - libv8 3.1.8.10-1 (bug #617418) [squeeze] - libv8 (Unsupported in squeeze-lts) CVE-2011-1285 (The regular-expression functionality in Google Chrome before 10.0.648. ...) - libv8 3.1.8.10-1 (bug #617418) [squeeze] - libv8 (Unsupported in squeeze-lts) CVE-2011-1284 (Integer overflow in the Client/Server Run-time Subsystem (aka CSRSS) i ...) NOT-FOR-US: MS Windows CVE-2011-1283 (The Client/Server Run-time Subsystem (aka CSRSS) in the Win32 subsyste ...) NOT-FOR-US: MS Windows CVE-2011-1282 (The Client/Server Run-time Subsystem (aka CSRSS) in the Win32 subsyste ...) NOT-FOR-US: MS Windows CVE-2011-1281 (The Client/Server Run-time Subsystem (aka CSRSS) in the Win32 subsyste ...) NOT-FOR-US: MS Windows CVE-2011-1280 (The XML Editor in Microsoft InfoPath 2007 SP2 and 2010; SQL Server 200 ...) NOT-FOR-US: Microsoft InfoPath, SQL Server, SQL Server Management Studio Express, Visual Studio CVE-2011-1279 (Microsoft Excel 2002 SP3 and 2003 SP3, Office 2004 and 2008 for Mac, a ...) NOT-FOR-US: Microsoft Excel, Office, Open XML File Format Converter CVE-2011-1278 (Microsoft Excel 2002 SP3 and Office 2004 for Mac do not properly valid ...) NOT-FOR-US: Microsoft Excel, Office CVE-2011-1277 (Microsoft Excel 2002 SP3, Office 2008 for Mac, and Open XML File Forma ...) NOT-FOR-US: Microsoft Excel, Office, Open XML File Format Converter CVE-2011-1276 (Buffer overflow in Microsoft Excel 2002 SP3, 2003 SP3, and 2007 SP2; O ...) NOT-FOR-US: Microsoft Excel, Office, Open XML File Format Converter, Excel Viewer, Office Compatibility Pack CVE-2011-1275 (Microsoft Excel 2002 SP3; Office 2004, 2008, and 2011 for Mac; and Ope ...) NOT-FOR-US: Microsoft Excel, Office, Open XML File Format Converter CVE-2011-1274 (Microsoft Excel 2002 SP3, 2003 SP3, and 2007 SP2; Office 2004 and 2008 ...) NOT-FOR-US: Microsoft Excel, Office, Open XML File Format Converter, Excel Viewer, Office Compatibility Pack CVE-2011-1273 (Microsoft Excel 2002 SP3, 2003 SP3, 2007 SP2, and 2010; Office 2004, 2 ...) NOT-FOR-US: Microsoft Excel, Office, Open XML File Format Converter, Excel Viewer, Office Compatibility Pack CVE-2011-1272 (Microsoft Excel 2002 SP3, 2003 SP3, and 2007 SP2; Office 2004 and 2008 ...) NOT-FOR-US: Microsoft Excel, Office, Open XML File Format Converter, Excel Viewer, Office Compatibility Pack CVE-2011-1271 (The JIT compiler in Microsoft .NET Framework 3.5 Gold and SP1, 3.5.1, ...) NOT-FOR-US: Microsoft .NET Framework CVE-2011-1270 (Buffer overflow in Microsoft PowerPoint 2002 SP3 and 2003 SP3 allows r ...) NOT-FOR-US: Microsoft PowerPoint 2002 SP3 and 2003 SP3 CVE-2011-1269 (Microsoft PowerPoint 2002 SP3, 2003 SP3, and 2007 SP2; Office 2004 and ...) NOT-FOR-US: Microsoft CVE-2011-1268 (The SMB client in Microsoft Windows XP SP2 and SP3, Windows Server 200 ...) NOT-FOR-US: Microsoft Windows CVE-2011-1267 (The SMB server in Microsoft Windows Vista SP1 and SP2, Windows Server ...) NOT-FOR-US: Microsoft Windows CVE-2011-1266 (The Vector Markup Language (VML) implementation in vgx.dll in Microsof ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-1265 (The Bluetooth Stack 2.1 in Microsoft Windows Vista SP1 and SP2 and Win ...) NOT-FOR-US: MS Windows CVE-2011-1264 (Cross-site scripting (XSS) vulnerability in Active Directory Certifica ...) NOT-FOR-US: Microsoft Windows CVE-2011-1263 (Cross-site scripting (XSS) vulnerability in the logon page in Remote D ...) NOT-FOR-US: Microsoft Windows CVE-2011-1262 (Microsoft Internet Explorer 7 through 9 does not properly handle objec ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-1261 (Microsoft Internet Explorer 6 through 9 does not properly handle objec ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-1260 (Microsoft Internet Explorer 8 and 9 does not properly handle objects i ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-1259 REJECTED CVE-2011-1258 (Microsoft Internet Explorer 6 through 8 does not properly restrict web ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-1257 (Race condition in Microsoft Internet Explorer 6 through 8 allows remot ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-1256 (Microsoft Internet Explorer 6 through 8 does not properly handle objec ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-1255 (The Timed Interactive Multimedia Extensions (aka HTML+TIME) implementa ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-1254 (Microsoft Internet Explorer 6 through 8 does not properly handle objec ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-1253 (Microsoft .NET Framework 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.5.1, and 4, and ...) NOT-FOR-US: Microsoft .NET Framework, Silverlight CVE-2011-1252 (Cross-site scripting (XSS) vulnerability in the SafeHTML function in t ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-1251 (Microsoft Internet Explorer 8 does not properly handle objects in memo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-1250 (Microsoft Internet Explorer 6 through 9 does not properly handle objec ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-1249 (The Ancillary Function Driver (AFD) in afd.sys in Microsoft Windows XP ...) NOT-FOR-US: Microsoft Windows CVE-2011-1248 (WINS in Microsoft Windows Server 2003 SP2 and Server 2008 Gold, SP2, R ...) NOT-FOR-US: Microsoft Windows CVE-2011-1247 (Untrusted search path vulnerability in the Microsoft Active Accessibil ...) NOT-FOR-US: Microsoft Windows CVE-2011-1246 (Microsoft Internet Explorer 8 does not properly handle content setting ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-1245 (Microsoft Internet Explorer 6 and 7 does not properly restrict script ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-1244 (Microsoft Internet Explorer 6, 7, and 8 does not enforce intended doma ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-1243 (The Windows Messenger ActiveX control in msgsc.dll in Microsoft Window ...) NOT-FOR-US: Microsoft Windows CVE-2011-1242 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: Microsoft Windows CVE-2011-1241 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: Microsoft Windows CVE-2011-1240 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: Microsoft Windows CVE-2011-1239 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: Microsoft Windows CVE-2011-1238 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: Microsoft Windows CVE-2011-1237 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: Microsoft Windows CVE-2011-1236 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: Microsoft Windows CVE-2011-1235 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: Microsoft Windows CVE-2011-1234 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: Microsoft Windows CVE-2011-1233 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2011-1232 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2011-1231 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2011-1230 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2011-1229 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2011-1228 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2011-1227 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2011-1226 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2011-1225 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2011-XXXX [dokuwiki ACL bypass] - dokuwiki 0.0.20101107a-1 (low) [squeeze] - dokuwiki (Minor issue) [lenny] - dokuwiki (Minor issue) CVE-2011-1224 (IBM WebSphere MQ 6.0 before 6.0.2.11 and 7.0 before 7.0.1.5 does not u ...) NOT-FOR-US: IBM WebSphere MQ CVE-2011-1223 (Buffer overflow in the Alternate Data Stream (aka ADS or named stream) ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2011-1222 (Buffer overflow in the Journal Based Backup (JBB) feature in the backu ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2011-1221 (Cross-zone scripting vulnerability in the RealPlayer ActiveX control i ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-1220 (Stack-based buffer overflow in lcfd.exe in Tivoli Endpoint in IBM Tivo ...) NOT-FOR-US: IBM Tivoli Management Framework CVE-2011-1219 RESERVED CVE-2011-1218 (Buffer overflow in kvarcve.dll in Autonomy KeyView, as used in IBM Lot ...) NOT-FOR-US: Autonomy KeyView CVE-2011-1217 (Buffer overflow in kpprzrdr.dll in Autonomy KeyView, as used in IBM Lo ...) NOT-FOR-US: Autonomy KeyView CVE-2011-1216 (Stack-based buffer overflow in assr.dll in Autonomy KeyView, as used i ...) NOT-FOR-US: Autonomy KeyView CVE-2011-1215 (Stack-based buffer overflow in mw8sr.dll in Autonomy KeyView, as used ...) NOT-FOR-US: Autonomy KeyView CVE-2011-1214 (Stack-based buffer overflow in rtfsr.dll in Autonomy KeyView, as used ...) NOT-FOR-US: Autonomy KeyView CVE-2011-1213 (Integer underflow in lzhsr.dll in Autonomy KeyView, as used in IBM Lot ...) NOT-FOR-US: Autonomy KeyView CVE-2011-1212 RESERVED CVE-2011-1211 RESERVED CVE-2011-1210 RESERVED CVE-2011-1209 (IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.39 and 7.0 bef ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2011-1208 (IBM solidDB 4.5.x before 4.5.182, 6.0.x before 6.0.1069, 6.1.x and 6.3 ...) NOT-FOR-US: IBM solidDB CVE-2011-1207 (The ActiveBar1 ActiveX control in the Data Dynamics ActiveBar ActiveX ...) NOT-FOR-US: IBM Rational System CVE-2011-1206 (Stack-based buffer overflow in the server process in ibmslapd.exe in I ...) NOT-FOR-US: IBM Tivoli Directory Server CVE-2011-1205 (Multiple buffer overflows in unspecified COM objects in Rational Commo ...) NOT-FOR-US: IBM Rational ClearCase, ClearQuest CVE-2011-1204 (Google Chrome before 10.0.648.127 does not properly handle attributes, ...) - chromium-browser 10.0.648.127~r76697-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/79810 NOTE: very hard to merge: needs introduction of ScopedEventQueue.cpp CVE-2011-1203 (Google Chrome before 10.0.648.127 does not properly handle SVG cursors ...) {DSA-2189-1} - chromium-browser 10.0.648.127~r76697-1 [wheezy] - chromium-browser 6.0.472.63~r59945-5+squeeze4 NOTE: http://trac.webkit.org/changeset/79476 CVE-2011-1202 (The xsltGenerateIdFunction function in functions.c in libxslt 1.1.26 a ...) - libxslt 1.1.26-7 (low; bug #617413) - xulrunner (unimportant) [lenny] - xulrunner (minor issue) - iceweasel 3.5.19-1 [squeeze] - iceweasel (minor issue) [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-1 [squeeze] - iceape (minor issue) [lenny] - iceape (Only a stub package) NOTE: http://scarybeastsecurity.blogspot.com/2011/03/multi-browser-heap-address-leak-in-xslt.html [squeeze] - libxslt 1.1.26-6+squeeze1 [lenny] - libxslt (minor issue) NOTE: xulrunner in wheezy is not covered by security support CVE-2011-1201 (The context implementation in WebKit, as used in Google Chrome before ...) - chromium-browser 10.0.648.127~r76697-1 [squeeze] - chromium-browser [wheezy] - chromium-browser - webkit (losecontext not present in 1.2) NOTE: http://trac.webkit.org/changeset/78921 CVE-2011-1200 (Google Chrome before 10.0.648.127 does not properly perform a cast of ...) - chromium-browser 10.0.648.127~r76697-1 [squeeze] - chromium-browser [wheezy] - chromium-browser - webkit (vulnerable code not present) NOTE: http://trac.webkit.org/changeset/78744 CVE-2011-1199 (Google Chrome before 10.0.648.127 does not properly handle DataView ob ...) - chromium-browser 10.0.648.127~r76697-1 [squeeze] - chromium-browser [wheezy] - chromium-browser - webkit (issue in libv8 bindings) NOTE: https://trac.webkit.org/changeset/78738 CVE-2011-1198 (The video functionality in Google Chrome before 10.0.648.127 allows re ...) - chromium-browser 10.0.648.127~r76697-1 [squeeze] - chromium-browser [wheezy] - chromium-browser - libav (Specific to ffmpeg-mt) CVE-2011-1197 (Google Chrome before 10.0.648.127 does not properly perform table pain ...) {DSA-2189-1} - chromium-browser 10.0.648.127~r76697-1 [wheezy] - chromium-browser 6.0.472.63~r59945-5+squeeze4 NOTE: http://trac.webkit.org/changeset/79734 CVE-2011-1196 (The OGG container implementation in Google Chrome before 10.0.648.127 ...) - chromium-browser 10.0.648.127~r76697-1 [squeeze] - chromium-browser [wheezy] - chromium-browser - libav 4:0.7.1-1 - ffmpeg-debian (Info from maintainer: the patch does not apply 0.5, and I failed to reproduce) - ffmpeg (Info from maintainer: the patch does not apply 0.5, and I failed to reproduce) CVE-2011-1195 (Use-after-free vulnerability in Google Chrome before 10.0.648.127 allo ...) - chromium-browser 10.0.648.127~r76697-1 [squeeze] - chromium-browser [wheezy] - chromium-browser - webkit (vulnerable code not present) NOTE: http://trac.webkit.org/changeset/78147 CVE-2011-1194 (Multiple unspecified vulnerabilities in Google Chrome before 10.0.648. ...) - chromium-browser 10.0.648.127~r76697-1 (unimportant) NOTE: http://trac.webkit.org/changeset/77049 NOTE: http://trac.webkit.org/changeset/77329 NOTE: popup blocker bypass not treated as a security issue CVE-2011-1193 (Google V8, as used in Google Chrome before 10.0.648.127, allows remote ...) - libv8 3.1.8.10-1 (bug #617418) [squeeze] - libv8 (Unsupported in squeeze-lts) CVE-2011-1192 (Google Chrome before 10.0.648.127 on Linux does not properly handle Un ...) - chromium-browser 10.0.648.127~r76697-1 [squeeze] - chromium-browser [wheezy] - chromium-browser - webkit (issue in chromium-specific code) NOTE: http://trac.webkit.org/changeset/76732 CVE-2011-1191 (Use-after-free vulnerability in Google Chrome before 10.0.648.127 allo ...) - chromium-browser 10.0.648.127~r76697-1 [squeeze] - chromium-browser [wheezy] - chromium-browser - webkit (vulnerable code not yet present) NOTE: http://trac.webkit.org/changeset/76652 CVE-2011-1190 (The Web Workers implementation in Google Chrome before 10.0.648.127 al ...) {DSA-2189-1} - chromium-browser 10.0.648.127~r76697-1 [wheezy] - chromium-browser 6.0.472.63~r59945-5+squeeze4 NOTE: http://trac.webkit.org/changeset/77563 CVE-2011-1189 (Google Chrome before 10.0.648.127 does not properly perform box layout ...) {DSA-2189-1} - chromium-browser 10.0.648.127~r76697-1 [wheezy] - chromium-browser 6.0.472.63~r59945-5+squeeze4 NOTE: http://trac.webkit.org/changeset/79689 CVE-2011-1188 (Google Chrome before 10.0.648.127 does not properly handle counter nod ...) {DSA-2189-1} - chromium-browser 10.0.648.127~r76697-1 [wheezy] - chromium-browser 6.0.472.63~r59945-5+squeeze4 NOTE: http://trac.webkit.org/changeset/77142 CVE-2011-1187 (Google Chrome before 10.0.648.127 allows remote attackers to bypass th ...) - libv8 3.1.8.10-1 (bug #617418) [squeeze] - libv8 (Unsupported in squeeze-lts) - icedove 17.0.2-1 (low) [wheezy] - icedove (Minor issue, also not fixed in ESV branch) [squeeze] - icedove (Minor issue, also not fixed in ESV branch) - iceweasel 12.0-1 (bug #703071) [wheezy] - iceweasel (Minor issue, also not fixed in ESV branch) [squeeze] - iceweasel (Minor issue, also not fixed in ESV branch) - iceape (low) [wheezy] - iceape (Minor issue, also not fixed in ESV branch) [squeeze] - iceape (Minor issue, also not fixed in ESV branch) NOTE: Fixed in Thunderbird 12 and Seamonkey 2.9 CVE-2011-1186 (Google Chrome before 10.0.648.127 on Linux does not properly handle pa ...) - chromium-browser 10.0.648.127~r76697-1 [squeeze] - chromium-browser [wheezy] - chromium-browser - webkit (chromium specific) CVE-2011-1185 (Google Chrome before 10.0.648.127 does not prevent (1) navigation and ...) - chromium-browser 10.0.648.127~r76697-1 [squeeze] - chromium-browser NOTE: http://trac.webkit.org/changeset/74853 CVE-2011-1184 (The HTTP Digest Access Authentication implementation in Apache Tomcat ...) {DSA-2401-1} - tomcat6 6.0.32-7 - tomcat7 7.0.12 - tomcat5.5 CVE-2011-1183 (Apache Tomcat 7.0.11, when web.xml has no login configuration, does no ...) - tomcat6 (Only affects Tomcat 7) CVE-2011-1182 (kernel/signal.c in the Linux kernel before 2.6.39 allows local users t ...) {DSA-2264-1 DSA-2240-1} - linux-2.6 2.6.38-2 CVE-2011-1181 [missing error handling in linux netdev] REJECTED CVE-2011-1180 (Multiple stack-based buffer overflows in the iriap_getvaluebyclass_ind ...) {DSA-2264-1 DSA-2240-1} - linux-2.6 2.6.38-4 CVE-2011-1179 (The SPICE Firefox plug-in (spice-xpi) 2.4, 2.3, 2.2, and possibly othe ...) - spice-xpi [jessie] - spice-xpi (Broken with newer Firefox versions) CVE-2011-1178 (Multiple integer overflows in the load_image function in file-pcx.c in ...) - gimp 2.6.10-1 NOTE: Likely fixed earlier, but only the squeeze version was checked CVE-2011-1177 RESERVED CVE-2011-1176 (The configuration merger in itk.c in the Steinar H. Gunderson mpm-itk ...) {DSA-2202-1} - apache2 2.2.17-2 (bug #618857; medium) [lenny] - apache2 (different source package in lenny: apache2-mpm-itk) - apache2-mpm-itk [lenny] - apache2-mpm-itk (bug was introduced later, in 2.2.11-01) CVE-2011-1175 (tcptls.c in the TCP/TLS server in Asterisk Open Source 1.6.1.x before ...) {DSA-2225-1} - asterisk 1:1.8.3.3-1 [lenny] - asterisk (Vulnerable code not present) CVE-2011-1174 (manager.c in Asterisk Open Source 1.6.1.x before 1.6.1.24, 1.6.2.x bef ...) {DSA-2225-1} - asterisk 1:1.8.3.3-1 [lenny] - asterisk (Vulnerable code not present) CVE-2011-1173 (The econet_sendmsg function in net/econet/af_econet.c in the Linux ker ...) {DSA-2264-1 DSA-2240-1} - linux-2.6 2.6.38-4 (low) CVE-2011-1172 (net/ipv6/netfilter/ip6_tables.c in the IPv6 implementation in the Linu ...) {DSA-2264-1 DSA-2240-1} - linux-2.6 2.6.38-4 (low) CVE-2011-1171 (net/ipv4/netfilter/ip_tables.c in the IPv4 implementation in the Linux ...) {DSA-2264-1 DSA-2240-1} - linux-2.6 2.6.38-4 (low) CVE-2011-1170 (net/ipv4/netfilter/arp_tables.c in the IPv4 implementation in the Linu ...) {DSA-2264-1 DSA-2240-1} - linux-2.6 2.6.38-4 (low) CVE-2011-1169 (Array index error in the asihpi_hpi_ioctl function in sound/pci/asihpi ...) - linux-2.6 2.6.38-2 [lenny] - linux-2.6 (Introduced in 2.6.35) [squeeze] - linux-2.6 (Introduced in 2.6.35) CVE-2011-1168 (Cross-site scripting (XSS) vulnerability in the KHTMLPart::htmlError f ...) - kde4libs 4:4.4.5-4 (low) [squeeze] - kde4libs 4:4.4.5-2+squeeze2 [lenny] - kde4libs (Minor issue) CVE-2011-1167 (Heap-based buffer overflow in the thunder (aka ThunderScan) decoder in ...) {DSA-2210-1} - tiff 3.9.4-9 (bug #619614) - tiff3 (fixed before initial upload) CVE-2011-1166 (Xen, possibly before 4.0.2, allows local 64-bit PV guests to cause a d ...) {DSA-2337-1} - xen 4.1.0-1 - xen-3 CVE-2011-1165 (Vino, possibly before 3.2, does not properly document that it opens po ...) - vino (unimportant) NOTE: Mostly interface glitches CVE-2011-1164 (Vino before 2.99.4 can connect external networks contrary to the state ...) - vino (unimportant) NOTE: Mostly interface glitches CVE-2011-1163 (The osf_partition function in fs/partitions/osf.c in the Linux kernel ...) {DSA-2264-1 DSA-2240-1} - linux-2.6 2.6.38-1 CVE-2011-1162 (The tpm_read function in the Linux kernel 2.6 does not properly clear ...) - linux-2.6 3.0.0-5 (low) [squeeze] - linux-2.6 2.6.32-40 CVE-2011-1161 REJECTED CVE-2011-1160 (The tpm_open function in drivers/char/tpm/tpm.c in the Linux kernel be ...) {DSA-2264-1 DSA-2240-1} - linux-2.6 2.6.38-4 (low) CVE-2011-1159 (acpid.c in acpid before 2.0.9 does not properly handle a situation in ...) {DSA-2362-1} - acpid 1:2.0.9-1 [lenny] - acpid (Minor issue) CVE-2011-1158 (Cross-site scripting (XSS) vulnerability in feedparser.py in Universal ...) - feedparser 5.0.1-1 (low; bug #617998) [squeeze] - feedparser (Minor issue) [lenny] - feedparser (Minor issue) - planet-venus 0~git9de2109-2 (low; bug #684246) [wheezy] - planet-venus (Minor issue) [squeeze] - planet-venus (Minor issue) [lenny] - planet-venus (Minor issue) NOTE: http://web.archive.org/web/20120304003020/https://code.google.com/p/feedparser/issues/detail?id=255 CVE-2011-1157 (Cross-site scripting (XSS) vulnerability in feedparser.py in Universal ...) - feedparser 5.0.1-1 (low; bug #617998) [squeeze] - feedparser (Minor issue) [lenny] - feedparser (Minor issue) - planet-venus 0~git9de2109-2 (low; bug #684246) [wheezy] - planet-venus (Minor issue) [squeeze] - planet-venus (Minor issue) [lenny] - planet-venus (Minor issue) NOTE: http://web.archive.org/web/20120211010803/https://code.google.com/p/feedparser/issues/detail?id=254 CVE-2011-1156 (feedparser.py in Universal Feed Parser (aka feedparser or python-feedp ...) - feedparser 5.0.1-1 (low; bug #617998) [squeeze] - feedparser (Minor issue) [lenny] - feedparser (Minor issue) - planet-venus 0~git9de2109-2 (low; bug #684246) [wheezy] - planet-venus (Minor issue) [squeeze] - planet-venus (Minor issue) [lenny] - planet-venus (Minor issue) NOTE: http://web.archive.org/web/20130326201801/http://code.google.com/p/feedparser/issues/detail?id=91 CVE-2011-1155 (The writeState function in logrotate.c in logrotate 3.7.9 and earlier ...) - logrotate 3.8.0-1 [squeeze] - logrotate (Minor issue) CVE-2011-1154 (The shred_file function in logrotate.c in logrotate 3.7.9 and earlier ...) - logrotate 3.8.0-1 [squeeze] - logrotate (Minor issue) CVE-2011-1153 (Multiple format string vulnerabilities in phar_object.c in the phar ex ...) {DSA-2266-1} - php5 5.3.6-1 (unimportant) NOTE: only exploitable by malicious scripts CVE-2011-1152 REJECTED CVE-2011-1151 (Joomla! 1.6.0 is vulnerable to SQL Injection via the filter_order and ...) NOT-FOR-US: Joomla! CVE-2011-1150 (bbPress through 1.0.2 has XSS in /bb-login.php url via the re paramete ...) NOT-FOR-US: bbPress CVE-2011-1149 (Android before 2.3 does not properly restrict access to the system pro ...) NOT-FOR-US: Android CVE-2011-1148 (Use-after-free vulnerability in the substr_replace function in PHP 5.3 ...) {DSA-2408-1} - php5 5.4.0-1 (unimportant) NOTE: only exploitable by malicious scripts CVE-2011-1147 (Multiple stack-based and heap-based buffer overflows in the (1) decode ...) {DSA-2225-1} - asterisk 1:1.8.3.3-1 (bug #614580) CVE-2011-1146 (libvirt.c in the API in Red Hat libvirt 0.8.8 does not properly restri ...) {DSA-2194-1} - libvirt 0.8.8-3 (low; bug #617773) [lenny] - libvirt (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=683650 CVE-2011-1145 (The SQLDriverConnect() function in unixODBC before 2.2.14p2 have a pos ...) - unixodbc 2.2.14p2-3 (low; bug #617655) [squeeze] - unixodbc (Only exploitable through a malicious server) [lenny] - unixodbc (Only exploitable through a malicious server) NOTE: http://seclists.org/oss-sec/2011/q1/446 CVE-2011-1144 (The installer in PEAR 1.9.2 and earlier allows local users to overwrit ...) - php5 (incomplete fix never used in Debian packages) CVE-2011-1143 (epan/dissectors/packet-ntlmssp.c in the NTLMSSP dissector in Wireshark ...) - wireshark 1.4.4-1 (unimportant) CVE-2011-1142 (Stack consumption vulnerability in the dissect_ber_choice function in ...) - wireshark 1.4.4-1 (unimportant) CVE-2011-1141 (epan/dissectors/packet-ldap.c in Wireshark 1.0.x, 1.2.0 through 1.2.14 ...) {DSA-2201-1} - wireshark 1.4.4-1 (unimportant) CVE-2011-1140 (Multiple stack consumption vulnerabilities in the dissect_ms_compresse ...) {DSA-2201-1} - wireshark 1.4.4-1 (unimportant) CVE-2011-1139 (wiretap/pcapng.c in Wireshark 1.2.0 through 1.2.14 and 1.4.0 through 1 ...) {DSA-2201-1} - wireshark 1.4.4-1 (unimportant) CVE-2011-1138 (Off-by-one error in the dissect_6lowpan_iphc function in packet-6lowpa ...) - wireshark 1.4.4-1 [lenny] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Vulnerable code not present) CVE-2011-1131 (The PlushSearch2 function in Search.php in Simple Machines Forum (SMF) ...) NOT-FOR-US: Simple Machines Forum CVE-2011-1130 (Simple Machines Forum (SMF) before 1.1.13, and 2.x before 2.0 RC5, doe ...) NOT-FOR-US: Simple Machines Forum CVE-2011-1129 (Cross-site scripting (XSS) vulnerability in the EditNews function in M ...) NOT-FOR-US: Simple Machines Forum CVE-2011-1128 (The loadUserSettings function in Load.php in Simple Machines Forum (SM ...) NOT-FOR-US: Simple Machines Forum CVE-2011-1127 (SSI.php in Simple Machines Forum (SMF) before 1.1.13, and 2.x before 2 ...) NOT-FOR-US: Simple Machines Forum CVE-2011-1126 (VMware vmrun, as used in VIX API 1.x before 1.10.3 and VMware Workstat ...) NOT-FOR-US: VMware Workstation CVE-2010-4756 (The glob implementation in the GNU C Library (aka glibc or libc6) allo ...) - glibc (unimportant) - eglibc (unimportant) NOTE: That's standard POSIX behaviour implemented by (e)glibc. Applications using NOTE: glob need to impose limits for themselves CVE-2010-4755 (The (1) remote_glob function in sftp-glob.c and the (2) process_put fu ...) NOTE: That's essentially shooting yourself in your own foot: NOTE: http://lists.mindrot.org/pipermail/openssh-unix-dev/2011-March/029433.html CVE-2010-4754 (The glob implementation in libc in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, ...) NOT-FOR-US: FreeBSD/NetBSD libc CVE-2011-1125 (Google Chrome before 9.0.597.107 does not properly perform layout, whi ...) - chromium-browser 9.0.597.107~r75357-1 [squeeze] - chromium-browser [wheezy] - chromium-browser - webkit (vulnerable code introduced in commit 75823) NOTE: http://trac.webkit.org/changeset/78775 CVE-2011-1124 (Use-after-free vulnerability in Google Chrome before 9.0.597.107 allow ...) - chromium-browser 9.0.597.107~r75357-1 [squeeze] - chromium-browser [wheezy] - chromium-browser - webkit (Chromium specific) CVE-2011-1123 (Google Chrome before 9.0.597.107 does not properly restrict access to ...) - chromium-browser 9.0.597.107~r75357-1 [squeeze] - chromium-browser [wheezy] - chromium-browser - webkit (chromium specific) CVE-2011-1122 (The WebGL implementation in Google Chrome before 9.0.597.107 allows re ...) {DSA-2189-1} - chromium-browser 9.0.597.107~r75357-1 [wheezy] - chromium-browser 6.0.472.63~r59945-5+squeeze4 NOTE: https://bugs.webkit.org/show_bug.cgi?id=53782 CVE-2011-1121 (Integer overflow in Google Chrome before 9.0.597.107 allows remote att ...) {DSA-2189-1} - chromium-browser 9.0.597.107~r75357-1 [wheezy] - chromium-browser 6.0.472.63~r59945-5+squeeze4 NOTE: needs port (s/logicalBottom/bottom) NOTE: http://trac.webkit.org/changeset/77565 CVE-2011-1120 (The WebGL implementation in Google Chrome before 9.0.597.107 allows re ...) - chromium-browser 9.0.597.107~r75357-1 [squeeze] - chromium-browser [wheezy] - chromium-browser 6.0.472.63~r59945-5+squeeze4 - webkit (webgl support not present in 1.2) NOTE: http://trac.webkit.org/changeset/77956 CVE-2011-1119 (Google Chrome before 9.0.597.107 does not properly determine device or ...) - chromium-browser 9.0.597.107~r75357-1 [squeeze] - chromium-browser [wheezy] - chromium-browser - webkit (device orientation code/support not present in 1.2) NOTE: http://trac.webkit.org/changeset/77418 CVE-2011-1118 (Google Chrome before 9.0.597.107 does not properly handle TEXTAREA ele ...) - chromium-browser 9.0.597.107~r75357-1 [squeeze] - chromium-browser [wheezy] - chromium-browser NOTE: http://trac.webkit.org/changeset/77144 CVE-2011-1117 (Google Chrome before 9.0.597.107 does not properly handle XHTML docume ...) - chromium-browser 9.0.597.107~r75357-1 [squeeze] - chromium-browser [wheezy] - chromium-browser NOTE: http://trac.webkit.org/changeset/77262 CVE-2011-1116 (Google Chrome before 9.0.597.107 does not properly handle SVG animatio ...) - chromium-browser 9.0.597.107~r75357-1 [squeeze] - chromium-browser [wheezy] - chromium-browser NOTE: http://trac.webkit.org/changeset/77548 CVE-2011-1115 (Google Chrome before 9.0.597.107 does not properly render tables, whic ...) {DSA-2189-1} - chromium-browser 9.0.597.107~r75357-1 [wheezy] - chromium-browser 6.0.472.63~r59945-5+squeeze4 NOTE: http://trac.webkit.org/changeset/76915 CVE-2011-1114 (Google Chrome before 9.0.597.107 does not properly handle tables, whic ...) {DSA-2189-1} - chromium-browser 9.0.597.107~r75357-1 [wheezy] - chromium-browser 6.0.472.63~r59945-5+squeeze4 - webkit (vulnerable code introduced after 1.2, and the fix restores this code to its 1.2 state) NOTE: http://trac.webkit.org/changeset/77141 CVE-2011-1113 (Google Chrome before 9.0.597.107 on 64-bit Linux platforms does not pr ...) {DSA-2189-1} - chromium-browser 9.0.597.107~r75357-1 [wheezy] - chromium-browser 6.0.472.63~r59945-5+squeeze4 - webkit (chromium specific) CVE-2011-1112 (Google Chrome before 9.0.597.107 does not properly perform SVG renderi ...) - chromium-browser 9.0.597.107~r75357-1 [squeeze] - chromium-browser [wheezy] - chromium-browser - webkit (Chromium specific) CVE-2011-1111 (Google Chrome before 9.0.597.107 does not properly implement forms con ...) - chromium-browser 9.0.597.107~r75357-1 [squeeze] - chromium-browser [wheezy] - chromium-browser NOTE: needs port (s/FormAssociatedElement/HTMLFormElement) NOTE: http://trac.webkit.org/changeset/77114 CVE-2011-1110 (Google Chrome before 9.0.597.107 does not properly implement key frame ...) - chromium-browser 9.0.597.107~r75357-1 [squeeze] - chromium-browser [wheezy] - chromium-browser - webkit (vulnerable code not present in 1.2) NOTE: http://trac.webkit.org/changeset/76828 CVE-2011-1109 (Google Chrome before 9.0.597.107 does not properly process nodes in Ca ...) {DSA-2189-1} - chromium-browser 9.0.597.107~r75357-1 [wheezy] - chromium-browser 6.0.472.63~r59945-5+squeeze4 NOTE: http://trac.webkit.org/changeset/76728 CVE-2011-1108 (Google Chrome before 9.0.597.107 does not properly implement JavaScrip ...) {DSA-2189-1} - chromium-browser 9.0.597.107~r75357-1 [wheezy] - chromium-browser 6.0.472.63~r59945-5+squeeze4 - webkit (Chromium specific) CVE-2011-1107 (Unspecified vulnerability in Google Chrome before 9.0.597.107 allows r ...) - chromium-browser 9.0.597.107~r75357-1 [squeeze] - chromium-browser - webkit (history controller code not present in 1.2) NOTE: http://trac.webkit.org/changeset/76205 CVE-2011-1106 (Cross-site scripting (XSS) vulnerability in stcenter.nsf in the server ...) NOT-FOR-US: IBM Lotus Sametime CVE-2010-4753 (Cross-site scripting (XSS) vulnerability in LightNEasy.php in LightNEa ...) NOT-FOR-US: LightNEasy CVE-2010-4752 (SQL injection vulnerability in LightNEasy.php in LightNEasy 3.2.1, whe ...) NOT-FOR-US: LightNEasy CVE-2010-4751 (SQL injection vulnerability in LightNEasy.php in LightNEasy 3.2.1, whe ...) NOT-FOR-US: LightNEasy CVE-2010-4750 (Cross-site request forgery (CSRF) vulnerability in admin/libs/ADMIN.ph ...) NOT-FOR-US: BLOG:CMS CVE-2010-4749 (Multiple cross-site scripting (XSS) vulnerabilities in BLOG:CMS 4.2.1. ...) NOT-FOR-US: BLOG:CMS CVE-2010-4748 (Cross-site scripting (XSS) vulnerability in pmwiki.php in PmWiki 2.2.2 ...) NOT-FOR-US: pmwiki CVE-2010-4747 (Cross-site scripting (XSS) vulnerability in wordpress-processing-embed ...) NOT-FOR-US: Wordpress plugin CVE-2011-1105 (Multiple cross-site scripting (XSS) vulnerabilities in Mutare EVM allo ...) NOT-FOR-US: Mutare EVM CVE-2011-1104 (Multiple cross-site request forgery (CSRF) vulnerabilities in Mutare E ...) NOT-FOR-US: Mutare EVM CVE-2011-1103 (The WebReporting module in F-Secure Policy Manager 7.x, 8.00 before ho ...) NOT-FOR-US: F-Secure Policy Manager CVE-2011-1102 (Cross-site scripting (XSS) vulnerability in the WebReporting module in ...) NOT-FOR-US: F-Secure Policy Manager CVE-2011-1101 (Multiple unspecified vulnerabilities in a third-party component of the ...) NOT-FOR-US: Citrix License Management Console CVE-2011-1100 (Multiple SQL injection vulnerabilities in admin/index.php in Pixelpost ...) - pixelpost CVE-2011-1099 (Multiple directory traversal vulnerabilities in FocalMedia.Net Quick P ...) NOT-FOR-US: FocalMedia.Net Quick Polls CVE-2011-1098 (Race condition in the createOutputFile function in logrotate.c in logr ...) - logrotate 3.8.0-1 (low) [squeeze] - logrotate (Minor issue) CVE-2011-1097 (rsync 3.x before 3.0.8, when certain recursion, deletion, and ownershi ...) - rsync 3.0.8 (low; bug #621866) [squeeze] - rsync (Minor issue) CVE-2011-1096 (The W3C XML Encryption Standard, as used in the JBoss Web Services (JB ...) NOT-FOR-US: alleged flaw in W3C XML Encryption standard. Nothing specific to fix CVE-2011-1095 (locale/programs/locale.c in locale in the GNU C Library (aka glibc or ...) - glibc 2.13-16 [lenny] - glibc (Minor issue) - eglibc 2.13-16 [squeeze] - eglibc 2.11.3-2 NOTE: http://sources.redhat.com/bugzilla/show_bug.cgi?id=11904 NOTE: http://bugs.gentoo.org/show_bug.cgi?id=330923 CVE-2011-1094 (kio/kio/tcpslavebase.cpp in KDE KSSL in kdelibs before 4.6.1 does not ...) - kde4libs 4:4.4.5-4 (low) [squeeze] - kde4libs 4:4.4.5-2+squeeze2 [lenny] - kde4libs (Minor issue) - kdelibs (vulnerable code not present) NOTE: http://seclists.org/oss-sec/2011/q1/434 CVE-2011-1093 (The dccp_rcv_state_process function in net/dccp/input.c in the Datagra ...) {DSA-2264-1} - linux-2.6 2.6.38-1 (low) [squeeze] - linux-2.6 2.6.32-31 CVE-2011-1092 (Integer overflow in ext/shmop/shmop.c in PHP before 5.3.6 allows conte ...) {DSA-2408-1} - php5 5.4.0-1 (unimportant) NOTE: only exploitable by malicious scripts NOTE: http://seclists.org/oss-sec/2011/q1/430 CVE-2011-1091 (libymsg.c in the Yahoo! protocol plugin in libpurple in Pidgin 2.6.0 t ...) - pidgin 2.7.11-1 (low) [lenny] - pidgin (Minor issue) [squeeze] - pidgin (Minor issue) CVE-2011-1090 (The __nfs4_proc_set_acl function in fs/nfs/nfs4proc.c in the Linux ker ...) {DSA-2264-1 DSA-2240-1} - linux-2.6 2.6.38-1 (low) CVE-2011-1089 (The addmntent function in the GNU C Library (aka glibc or libc6) 2.13 ...) - glibc 2.13-8 - eglibc 2.13-8 [squeeze] - eglibc 2.11.3-1 NOTE: http://seclists.org/oss-sec/2011/q1/368 NOTE: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=e1fb097f447a89aa69a926e45e673a52d86a6c57 CVE-2011-1088 (Apache Tomcat 7.x before 7.0.10 does not follow ServletSecurity annota ...) - tomcat6 (Only affects Tomcat 7) CVE-2011-1087 (Buffer overflow in VideoLAN VLC media player 1.0.5 allows user-assiste ...) - vlc 1.1.10-1 (low; bug #616156) [squeeze] - vlc (Minor issue) [lenny] - vlc (Minor issue) NOTE: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4931.php NOTE: obscure exploit scenario CVE-2011-1086 (Cross-site scripting (XSS) vulnerability in admin/system.html in Openf ...) NOT-FOR-US: openfiler CVE-2011-1085 (CSRF vulnerability in Smoothwall Express 3. ...) NOT-FOR-US: smoothwall CVE-2011-1084 (A cross-site scripting (XSS) vulnerability in Smoothwall Express 3. ...) NOT-FOR-US: smoothwall CVE-2011-1083 (The epoll implementation in the Linux kernel 2.6.37.2 and earlier does ...) - linux-2.6 3.2.9-1 (low) [squeeze] - linux-2.6 2.6.32-47 CVE-2011-1082 (fs/eventpoll.c in the Linux kernel before 2.6.38 places epoll file des ...) - linux-2.6 2.6.38-1 (low) [squeeze] - linux-2.6 2.6.32-31 CVE-2011-1081 (modrdn.c in slapd in OpenLDAP 2.4.x before 2.4.24 allows remote attack ...) - openldap 2.4.25-1 (low; bug #617606) [lenny] - openldap 2.4.11-1+lenny2.1 [squeeze] - openldap 2.4.23-7.1 CVE-2011-1080 (The do_replace function in net/bridge/netfilter/ebtables.c in the Linu ...) {DSA-2264-1 DSA-2240-1} - linux-2.6 2.6.38-4 (low) CVE-2011-1079 (The bnep_sock_ioctl function in net/bluetooth/bnep/sock.c in the Linux ...) {DSA-2264-1 DSA-2240-1} - linux-2.6 2.6.38-4 (low) CVE-2011-1078 (The sco_sock_getsockopt_old function in net/bluetooth/sco.c in the Lin ...) {DSA-2264-1 DSA-2240-1} - linux-2.6 2.6.38-4 (low) CVE-2011-1077 (Multiple cross-site scripting (XSS) vulnerabilities in Apache Archiva ...) NOT-FOR-US: Apache Archiva CVE-2011-1076 (net/dns_resolver/dns_key.c in the Linux kernel before 2.6.38 allows re ...) - linux-2.6 2.6.38-1 [lenny] - linux-2.6 (Introduced in 2.6.36) [squeeze] - linux-2.6 (Introduced in 2.6.36) [wheezy] - linux-2.6 (Introduced in 2.6.36) CVE-2011-1075 RESERVED CVE-2011-1074 (crontab.c in crontab in FreeBSD allows local users to determine the ex ...) - cron (Debian's cron not affected) CVE-2011-1073 (crontab.c in crontab in FreeBSD and Apple Mac OS X allows local users ...) - cron (Debian's cron not affected) CVE-2011-1071 (The GNU C Library (aka glibc or libc6) before 2.12.2 and Embedded GLIB ...) - glibc 2.11.2-12 - eglibc 2.11.2-12 (bug #615120) [squeeze] - eglibc 2.11.3-2 CVE-2011-1070 (v86d before 0.1.10 do not verify if received netlink messages are sent ...) - v86d 0.1.10-1 (low; bug #619404) [squeeze] - v86d 0.1.9-1+squeeze1 [lenny] - v86d 0.1.5.2-1+lenny1 CVE-2011-1069 (PHPShop through 0.8.1 has XSS. ...) NOT-FOR-US: PHPShop CVE-2011-1068 (Microsoft Windows Azure Software Development Kit (SDK) 1.3.x before 1. ...) NOT-FOR-US: Microsoft Windows Azure SDK CVE-2011-1067 (slapd (aka ns-slapd) in 389 Directory Server before 1.2.8.a2 does not ...) NOT-FOR-US: s389 LDAP server CVE-2011-1066 (Cross-site scripting (XSS) vulnerability in the Messaging module 6.x-2 ...) NOT-FOR-US: Messaging module for Drupal CVE-2011-1065 (Multiple stack-based buffer overflows in the PIPIWebPlayer ActiveX con ...) NOT-FOR-US: PIPI Player CVE-2011-1064 (SQL injection vulnerability in member/list.php in qibosoft Qi Bo CMS 7 ...) NOT-FOR-US: Qi Bo CMS CVE-2011-1063 (Multiple cross-site scripting (XSS) vulnerabilities in Cherry-Design P ...) NOT-FOR-US: Cherry-Design Photopad CVE-2011-1062 (Multiple cross-site scripting (XSS) vulnerabilities in include/html/he ...) NOT-FOR-US: TaskFreak! CVE-2011-1061 (SQL injection vulnerability in memberlist.php in WSN Guest 1.24 allows ...) NOT-FOR-US: WSN Guest CVE-2011-1060 (SQL injection vulnerability in the member function in classes/member.p ...) NOT-FOR-US: WSN Guest CVE-2011-1059 (Use-after-free vulnerability in WebCore in WebKit before r77705, as us ...) - webkit (history controller code not present in 1.2) NOTE: http://trac.webkit.org/changeset/77705 CVE-2010-4746 (Multiple memory leaks in the normalization functionality in 389 Direct ...) NOT-FOR-US: 389 LDAP server CVE-2011-1058 (Cross-site scripting (XSS) vulnerability in the reStructuredText (rst) ...) {DSA-2321-1} - moin 1.9.3-3 CVE-2011-1057 REJECTED CVE-2011-1056 (The installer for Metasploit Framework 3.5.1, when running on Windows, ...) NOT-FOR-US: Metasploit Framework CVE-2011-1055 (SQL injection vulnerability in api/ice_media.cfc in Lingxia I.C.E CMS ...) NOT-FOR-US: Lingxia I.C.E CMS CVE-2011-1054 (Unspecified vulnerability in the PEF input file loader in Hex-Rays IDA ...) NOT-FOR-US: IDA Pro CVE-2011-1053 (Unspecified vulnerability in the Mach-O input file loader in Hex-Rays ...) NOT-FOR-US: IDA Pro CVE-2011-1052 (Integer overflow in the PSX/GEOS input file loaders in Hex-Rays IDA Pr ...) NOT-FOR-US: IDA Pro CVE-2011-1051 (Integer overflow in the COFF/EPOC/EXPLOAD input file loaders in Hex-Ra ...) NOT-FOR-US: IDA Pro CVE-2011-1050 (Unspecified vulnerability in Hex-Rays IDA Pro 5.7 and 6.0 has unknown ...) NOT-FOR-US: IDA Pro CVE-2011-1049 (Buffer overflow in the Mach-O input file loader in Hex-Rays IDA Pro 5. ...) NOT-FOR-US: IDA Pro CVE-2011-1048 (SQL injection vulnerability in product.php in MihanTools 1.33 allows r ...) NOT-FOR-US: MihanTools CVE-2011-1047 (Multiple SQL injection vulnerabilities in VastHTML Forum Server (aka F ...) NOT-FOR-US: VastHTML Forum Server CVE-2011-1046 (IBM FileNet P8 Content Engine (aka P8CE) 4.0.1 through 5.0.0, as used ...) NOT-FOR-US: FileNet P8 Content Engine CVE-2011-1045 (Unspecified vulnerability in the Rendition Engine (aka P8RE) 4.0.1 thr ...) NOT-FOR-US: Rendition Engine CVE-2010-4745 (Cross-site scripting (XSS) vulnerability in nav.html in PHPXref before ...) NOT-FOR-US: PHPXref CVE-2011-XXXX [pam_pgsql overflow] - pam-pgsql 0.7.1-5 (bug #603436) [lenny] - pam-pgsql 0.6.3-2+lenny1 [squeeze] - pam-pgsql 0.7.1-4+squeeze1 CVE-2011-1044 (The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c ...) - linux-2.6 2.6.32-30 [lenny] - linux-2.6 2.6.26-26lenny2 CVE-2011-1043 RESERVED CVE-2011-1042 (Use-after-free vulnerability in flimflamd in flimflam in Google Chrome ...) NOT-FOR-US: flimflam in Google Chrome OS CVE-2011-1041 RESERVED CVE-2011-1040 RESERVED CVE-2011-1039 RESERVED CVE-2011-1038 (Multiple cross-site scripting (XSS) vulnerabilities in stconf.nsf in t ...) NOT-FOR-US: Lotus Sametime CVE-2011-1037 RESERVED CVE-2011-1036 (The XML Security Database Parser class in the XMLSecDB ActiveX control ...) NOT-FOR-US: CA Internet Security Suite CVE-2011-1035 (The password reset in PivotX before 2.2.4 allows remote attackers to m ...) NOT-FOR-US: PivotX CVE-2010-4744 (Multiple unspecified vulnerabilities in abcm2ps before 5.9.13 have unk ...) - abcm2ps 5.9.22-1 (low) [squeeze] - abcm2ps (Minor issue) [lenny] - abcm2ps (Minor issue) CVE-2010-4743 (Heap-based buffer overflow in the getarena function in abc2ps.c in abc ...) - abcm2ps 5.9.22-1 (low) [squeeze] - abcm2ps (Minor issue) [lenny] - abcm2ps (Minor issue) CVE-2010-4742 (Stack-based buffer overflow in a certain ActiveX control in MediaDBPla ...) NOT-FOR-US: MediaDBPlayback.DLL CVE-2010-4741 (Stack-based buffer overflow in MDMUtil.dll in MDMTool.exe in MDM Tool ...) NOT-FOR-US: Moxa Device Manager CVE-2011-1034 (Cross-site scripting (XSS) vulnerability in the UI in IBM Rational Bui ...) NOT-FOR-US: IBM Rational Build Forge CVE-2010-4740 (Stack-based buffer overflow in WTclient.dll in SCADA Engine BACnet OPC ...) NOT-FOR-US: SCADA Engine BACnet CVE-2010-4739 (SQL injection vulnerability in the Maian Media Silver (com_maianmedia) ...) NOT-FOR-US: Maian Media Silver CVE-2010-4738 (Multiple SQL injection vulnerabilities in Rae Media INC Real Estate Si ...) NOT-FOR-US: Rae Media INC Real Estate Single and Multi Agent System CVE-2010-4737 (SQL injection vulnerability in resorts.asp in HotWebScripts HotWeb Ren ...) NOT-FOR-US: HotWebScripts HotWeb Rentals CVE-2010-4736 (SQL injection vulnerability in ECO.asp in GateSoft DocuSafe 4.1.0 and ...) NOT-FOR-US: GateSoft DocuSafe CVE-2010-4735 (SQL injection vulnerability in shoppingcart.asp in Ecommercemax Soluti ...) NOT-FOR-US: Ecommercemax Solutions Digital-goods seller CVE-2010-4734 (Multiple cross-site scripting (XSS) vulnerabilities in the comment fea ...) NOT-FOR-US: Skeletonz CMS CVE-2011-1033 (Stack-based buffer overflow in oninit in IBM Informix Dynamic Server ( ...) NOT-FOR-US: IBM CVE-2011-1032 (IBM Lotus Connections 3.0, when IBM WebSphere Application Server 7.0.0 ...) NOT-FOR-US: IBM CVE-2011-1031 (The feh_unique_filename function in utils.c in feh 1.11.2 and earlier ...) - feh 1.12-1 (low) [lenny] - feh (Minor issue) [squeeze] - feh (Minor issue) CVE-2011-1030 (Cross-site scripting (XSS) vulnerability in the Wikis component in IBM ...) NOT-FOR-US: IBM CVE-2011-1029 (Cross-site scripting (XSS) vulnerability in IBM Rational Team Concert ...) NOT-FOR-US: IBM CVE-2011-1028 (The $smarty.template variable in Smarty3 allows attackers to possibly ...) - smarty3 3.0.8-1 - smarty [squeeze] - smarty3 (Unsupported in squeeze-lts) [squeeze] - smarty (Unsupported in squeeze-lts) CVE-2011-1027 (Off-by-one error in the convert_query_hexchar function in html.c in cg ...) NOT-FOR-US: cgit CVE-2011-1026 (Multiple cross-site request forgery (CSRF) vulnerabilities in Apache A ...) NOT-FOR-US: Apache Archiva CVE-2011-1025 (bind.cpp in back-ndb in OpenLDAP 2.4.x before 2.4.24 does not require ...) - openldap 2.4.25-1 (unimportant; bug #617606) [squeeze] - openldap 2.4.23-7.1 NOTE: NBD backend disabled in Debian builds CVE-2011-1024 (chain.c in back-ldap in OpenLDAP 2.4.x before 2.4.24, when a master-sl ...) - openldap 2.4.25-1 (low; bug #617606) [lenny] - openldap 2.4.11-1+lenny2.1 [squeeze] - openldap 2.4.23-7.1 CVE-2011-1023 (The Reliable Datagram Sockets (RDS) subsystem in the Linux kernel befo ...) - linux-2.6 2.6.38-1 [squeeze] - linux-2.6 (Introduced in 2.6.35) [lenny] - linux-2.6 (Introduced in 2.6.35) CVE-2011-1022 (The cgre_receive_netlink_msg function in daemon/cgrulesengd.c in cgrul ...) {DSA-2193-1} - libcgroup 0.37.1-1 (bug #615987) CVE-2011-1021 (drivers/acpi/debugfs.c in the Linux kernel before 3.0 allows local use ...) - linux-2.6 2.6.37-1 [wheezy] - linux-2.6 (Introduced in 2.6.33) [squeeze] - linux-2.6 (Introduced in 2.6.33) [lenny] - linux-2.6 (Introduced in 2.6.33) CVE-2011-1020 (The proc filesystem implementation in the Linux kernel 2.6.37 and earl ...) {DSA-2310-1 DSA-2303-1} - linux-2.6 2.6.39-1 CVE-2011-1019 (The dev_load function in net/core/dev.c in the Linux kernel before 2.6 ...) [lenny] - linux-2.6 (Introduced in 2.6.32) - linux-2.6 2.6.38-1 (unimportant) NOTE: We won't fix this for Squeeze. This only applies to non-standard setups with fine NOTE: grained security capability models, and an attacker can only load modules from NOTE: /lib/modules, which is only writable with root privs CVE-2011-1018 (logwatch.pl in Logwatch 7.3.6 allows remote attackers to execute arbit ...) {DSA-2182-1} - logwatch 7.3.6.cvs20090906-2 (bug #615995) CVE-2011-1017 (Heap-based buffer overflow in the ldm_frag_add function in fs/partitio ...) {DSA-2264-1 DSA-2240-1} - linux-2.6 2.6.38-5 CVE-2011-1016 (The Radeon GPU drivers in the Linux kernel before 2.6.38-rc5 do not pr ...) {DSA-2240-1} - linux-2.6 2.6.38-1 CVE-2011-1015 (The is_cgi method in CGIHTTPServer.py in the CGIHTTPServer module in P ...) {DLA-25-1} - python2.6 2.6.8-1 (low; bug #614860) [wheezy] - python2.6 (Minor issue, fix modifies behaviour, too intrusive to backport) - python2.5 (low) [squeeze] - python2.5 (Minor issue, fix modifies behaviour, too intrusive to backport) [lenny] - python2.5 (Minor issue, fix modifies behaviour, too intrusive to backport) - python2.4 (low) [lenny] - python2.4 (Minor issue) NOTE: Python 2.7 and 3.1 are fixed NOTE: http://bugs.python.org/issue2254 CVE-2011-1014 REJECTED CVE-2011-1013 (Integer signedness error in the drm_modeset_ctl function in (1) driver ...) - linux-2.6 2.6.38-1 [wheezy] - linux-2.6 2.6.32-31 [squeeze] - linux-2.6 2.6.32-31 [lenny] - linux-2.6 (Vulnerable code not present) CVE-2011-1012 (The ldm_parse_vmdb function in fs/partitions/ldm.c in the Linux kernel ...) {DSA-2264-1} - linux-2.6 2.6.38-1 [squeeze] - linux-2.6 2.6.32-31 CVE-2011-1011 (The seunshare_mount function in sandbox/seunshare.c in seunshare in ce ...) NOT-FOR-US: seunshare CVE-2011-1010 (Buffer overflow in the mac_partition function in fs/partitions/mac.c i ...) {DSA-2264-1} - linux-2.6 2.6.37-2 [wheezy] - linux-2.6 2.6.32-31 [squeeze] - linux-2.6 2.6.32-31 CVE-2011-1009 (Vanilla Forums 2.0.17.1 through 2.0.17.5 has XSS in /vanilla/index.php ...) NOT-FOR-US: Vanilla Forums CVE-2011-1008 (Scrips_Overlay.pm in Best Practical Solutions RT before 3.8.9 does not ...) - request-tracker3.8 3.8.10-1 (bug #614576) [squeeze] - request-tracker3.8 3.8.8-7+squeeze1 [lenny] - request-tracker3.6 3.6.7-5+lenny6 CVE-2011-1007 (Best Practical Solutions RT before 3.8.9 does not perform certain redi ...) - request-tracker3.6 (unimportant) - request-tracker3.8 3.8.10-1 (unimportant) NOTE: A physically proximate attacker can do far more damage anyway CVE-2011-1006 (Heap-based buffer overflow in the parse_cgroup_spec function in tools/ ...) {DSA-2193-1} - libcgroup 0.37.1-1 CVE-2011-1005 (The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through ...) - ruby1.8 1.8.7.334-1 (bug #615517) [lenny] - ruby1.8 (Minor issue) [squeeze] - ruby1.8 (Minor issue) - ruby1.9 - ruby1.9.1 CVE-2011-1004 (The FileUtils.remove_entry_secure method in Ruby 1.8.6 through 1.8.6-4 ...) - ruby1.8 1.8.7.334-1 (bug #615518) [lenny] - ruby1.8 (Minor issue) [squeeze] - ruby1.8 (Minor issue) - ruby1.9 (bug #615519) [lenny] - ruby1.9 (Minor issue) - ruby1.9.1 1.9.2.180-1 (bug #615519) [squeeze] - ruby1.9.1 (Minor issue, patch would change behaviour and might break things) CVE-2011-1003 (Double free vulnerability in the vba_read_project_strings function in ...) - clamav 0.97+dfsg-1 (low) [squeeze] - clamav 0.97+dfsg-2~squeeze1 (bug #617444) [lenny] - clamav NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=2486 NOTE: http://web.archive.org/web/20110304224953/http://git.clamav.net:80/gitweb?p=clamav-devel.git;a=commit;h=d21fb8d975f8c9688894a8cef4d50d977022e09f CVE-2011-1002 (avahi-core/socket.c in avahi-daemon in Avahi before 0.6.29 allows remo ...) {DSA-2174-1} - avahi 0.6.28-4 (bug #614785) NOTE: duped with CVE-2011-0634 CVE-2011-1001 (dexdump in Android SDK before 2.3 does not properly perform structural ...) NOT-FOR-US: Android SDK CVE-2011-1000 (jingle-factory.c in Telepathy Gabble 0.11 before 0.11.7, 0.10 before 0 ...) {DSA-2169-1} - telepathy-gabble 0.9.15-2 NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=34048 CVE-2011-0999 (mm/huge_memory.c in the Linux kernel before 2.6.38-rc5 does not preven ...) - linux-2.6 (Introduced in 2.6.38-rc1, fixed in 2.6.38-rc5) CVE-2011-0998 RESERVED CVE-2011-0997 (dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV befo ...) {DSA-2217-1 DSA-2216-1} - isc-dhcp 4.1.1-P1-16.1 (bug #621099) - dhcp3 CVE-2011-XXXX [isc-dhcp: omapi dos] - isc-dhcp (only affects 4.2.0) - dhcp3 (only affects 4.2.0) NOTE: http://thread.gmane.org/gmane.comp.security.oss.general/4820 NOTE: inrodroduced in 4.2.0 and fixed in 4.2.1 CVE-2011-0996 (dhcpcd before 5.2.12 allows remote attackers to execute arbitrary comm ...) - dhcpcd (old shell quoting code is not vulnerable) NOTE: Debian's dhcpcd.sh is not vulnerable. CVE-2011-0995 (The sqlite3-ruby gem in the rubygem-sqlite3 package before 1.2.4-0.5.1 ...) - ruby-sqlite3 (SuSE-specific packaging flaw) CVE-2011-0994 (Stack-based buffer overflow in NFRAgent.exe in Novell File Reporter (N ...) NOT-FOR-US: Novell File Reporter CVE-2011-0993 (SUSE Lifecycle Management Server before 1.1 uses world readable postgr ...) NOT-FOR-US: SUSE Lifecycle Management Server CVE-2011-0992 (Use-after-free vulnerability in Mono, when Moonlight 2.x before 2.4.1 ...) - mono (Moonlight no longer present in Debian) CVE-2011-0991 (Use-after-free vulnerability in Mono, when Moonlight 2.x before 2.4.1 ...) - mono (Moonlight no longer present in Debian) CVE-2011-0990 (Race condition in the FastCopy optimization in the Array.Copy method i ...) - mono (Moonlight no longer present in Debian) CVE-2011-0989 (The RuntimeHelpers.InitializeArray method in metadata/icall.c in Mono, ...) - mono (Moonlight no longer present in Debian) CVE-2011-0988 (pure-ftpd 1.0.22, as used in SUSE Linux Enterprise Server 10 SP3 and S ...) - pure-ftpd (SUSE-specific) CVE-2010-4733 (WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU - TCP Gateway ...) NOT-FOR-US: WebSCADA CVE-2010-4732 (cgi-bin/read.cgi in WebSCADA WS100 and WS200, Easy Connect EC150, Modb ...) NOT-FOR-US: WebSCADA CVE-2010-4731 (Absolute path traversal vulnerability in cgi-bin/read.cgi in WebSCADA ...) NOT-FOR-US: WebSCADA CVE-2010-4730 (Directory traversal vulnerability in cgi-bin/read.cgi in WebSCADA WS10 ...) NOT-FOR-US: WebSCADA CVE-2008-7274 (IBM WebSphere Application Server (WAS) 6.1.0.9, when the JAAS Login fu ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2011-1132 (The IPv6 implementation in the kernel in Apple Mac OS X before 10.6.8 ...) NOT-FOR-US: Apple IPv6 implementation CVE-2011-XXXX [kfreebsd dos] - kfreebsd-8 8.2-1 (low; bug #613312; bug #611476) [squeeze] - kfreebsd-8 8.1+dfsg-8 [lenny] - kfreebsd-8 (Not-supported in Lenny) - kfreebsd-7 [lenny] - kfreebsd-7 (Not supported in Lenny) CVE-2011-1133 (Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity pa ...) - serendipity (bug #611661) [lenny] - serendipity (Xinha not yet included) [squeeze] - serendipity (Minor issue) - openacs (PHP bindings not used) - dotlrn (PHP bindings not used) NOTE: http://secunia.com/advisories/40669/ CVE-2011-1134 (Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity pa ...) - serendipity (bug #611661) [lenny] - serendipity (Xinha not yet included) [squeeze] - serendipity (Minor issue) - openacs (PHP bindings not used) - dotlrn (PHP bindings not used) NOTE: http://secunia.com/advisories/40669/ CVE-2011-1135 (Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity pa ...) - serendipity (bug #611661) [lenny] - serendipity (Xinha not yet included) [squeeze] - serendipity (Minor issue) - openacs (PHP bindings not used) - dotlrn (PHP bindings not used) NOTE: http://secunia.com/advisories/40669/ CVE-2011-1137 (Integer overflow in the mod_sftp (aka SFTP) module in ProFTPD 1.3.3d a ...) {DSA-2185-1} - proftpd-dfsg 1.3.3d-4 (bug #616179) [lenny] - proftpd-dfsg (Vulnerable code not present) NOTE: http://bugs.proftpd.org/show_bug.cgi?id=3586 NOTE: http://www.exploit-db.com/exploits/16129/ CVE-2011-XXXX [incorrect handling of {$smarty.template} and {$smarty.current_dir}] - smarty3 3.0.8-1 (unimportant) - smarty (unimportant) NOTE: http://www.smarty.net/forums/viewtopic.php?t=18815 NOTE: http://code.google.com/p/smarty-php/source/detail?r=3989 NOTE: https://github.com/smarty-php/smarty/commit/0154f17de2b2dd16ff9c016923015ac19af9c0cb(3.0.7) NOTE: non-issue in practice, if you can place arbitrary template files you have worse problems CVE-2011-0987 (The PMA_Bookmark_get function in libraries/bookmark.lib.php in phpMyAd ...) {DSA-2167-1} - phpmyadmin 4:3.3.9.2-1 CVE-2011-0986 (phpMyAdmin 2.11.x before 2.11.11.2, and 3.3.x before 3.3.9.1, does not ...) - phpmyadmin 4:3.3.9.2-1 (unimportant) NOTE: Path disclosure; paths in Debian are public info already CVE-2011-0985 (Google Chrome before 9.0.597.94 does not properly perform process term ...) {DSA-2166-1} - chromium-browser 9.0.597.98~r74359-1 [wheezy] - chromium-browser 6.0.472.63~r59945-5+squeeze4 - webkit (Chromium specific) CVE-2011-0984 (Google Chrome before 9.0.597.94 does not properly handle plug-ins, whi ...) {DSA-2166-1} - chromium-browser 9.0.597.98~r74359-1 [wheezy] - chromium-browser 6.0.472.63~r59945-5+squeeze4 - webkit (doesn't include v8 code) NOTE: http://trac.webkit.org/changeset/76264 NOTE: ^ this has to be the wrong commit, its a v8 fix, but that doesn't match the description at all CVE-2011-0983 (Google Chrome before 9.0.597.94 does not properly handle anonymous blo ...) {DSA-2166-1} - chromium-browser 9.0.597.98~r74359-1 [wheezy] - chromium-browser 6.0.472.63~r59945-5+squeeze4 - webkit (vulnerable code not yet present in 1.2) NOTE: http://trac.webkit.org/changeset/75810 CVE-2011-0982 (Use-after-free vulnerability in Google Chrome before 9.0.597.94 allows ...) - chromium-browser 9.0.597.98~r74359-1 [squeeze] - chromium-browser [wheezy] - chromium-browser 6.0.472.63~r59945-5+squeeze4 NOTE: http://trac.webkit.org/changeset/76990 CVE-2011-0981 (Google Chrome before 9.0.597.94 does not properly perform event handli ...) {DSA-2166-1} - chromium-browser 9.0.597.98~r74359-1 [wheezy] - chromium-browser 6.0.472.63~r59945-5+squeeze4 NOTE: http://trac.webkit.org/changeset/76708 CVE-2011-0980 (Microsoft Excel 2002 SP3 and 2003 SP3, Office 2004 and 2008 for Mac, a ...) NOT-FOR-US: Microsoft Office Excel 2003 CVE-2011-0979 (Microsoft Excel 2002 SP3, 2003 SP3, 2007 SP2, and 2010; Office 2004, 2 ...) NOT-FOR-US: Microsoft Office Excel CVE-2011-0978 (Stack-based buffer overflow in Microsoft Excel 2002 SP3, 2003 SP3, and ...) NOT-FOR-US: Microsoft Office Excel CVE-2011-0977 (Use-after-free vulnerability in Microsoft Office XP SP3, Office 2003 S ...) NOT-FOR-US: Microsoft Office Excel CVE-2011-0976 (Microsoft PowerPoint 2002 SP3, 2003 SP3, and 2007 SP2; Office 2004 and ...) NOT-FOR-US: Microsoft Office CVE-2011-0975 (Stack-based buffer overflow in BMC PATROL Agent Service Daemon for in ...) NOT-FOR-US: BMC PATROL CVE-2011-0974 RESERVED CVE-2011-0973 RESERVED CVE-2011-0972 RESERVED CVE-2011-0971 RESERVED CVE-2011-0970 RESERVED CVE-2011-0969 RESERVED CVE-2011-0968 RESERVED CVE-2011-0967 RESERVED CVE-2011-0966 (Directory traversal vulnerability in cwhp/auditLog.do in the Homepage ...) NOT-FOR-US: Cisco CiscoWorks Common Services CVE-2011-0965 RESERVED CVE-2011-0964 RESERVED CVE-2011-0963 (The default configuration of the RADIUS authentication feature on the ...) NOT-FOR-US: Cisco Network Access Control (NAC) Guest Server CVE-2011-0962 (Cross-site scripting (XSS) vulnerability in CSCOnm/servlet/com.cisco.n ...) NOT-FOR-US: Cisco Unified Operations Manager CVE-2011-0961 (Cross-site scripting (XSS) vulnerability in cwhp/device.center.do in t ...) NOT-FOR-US: Cisco CiscoWorks Common Services CVE-2011-0960 (Multiple SQL injection vulnerabilities in Cisco Unified Operations Man ...) NOT-FOR-US: Cisco Unified Operations Manager CVE-2011-0959 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco Unified O ...) NOT-FOR-US: Cisco Unified Operations Manager CVE-2011-0958 RESERVED CVE-2011-0957 RESERVED CVE-2011-0956 RESERVED CVE-2011-0955 RESERVED CVE-2011-0954 RESERVED CVE-2011-0953 RESERVED CVE-2011-0952 RESERVED CVE-2011-0951 (The web-based management interface in Cisco Secure Access Control Syst ...) NOT-FOR-US: Cisco ACS CVE-2011-0950 RESERVED CVE-2011-0949 (Cisco IOS XR 3.6.x, 3.8.x before 3.8.3, and 3.9.x before 3.9.1 does no ...) NOT-FOR-US: Cisco CVE-2011-0948 RESERVED CVE-2011-0947 RESERVED CVE-2011-0946 (The NAT implementation in Cisco IOS 12.1 through 12.4 and 15.0 through ...) NOT-FOR-US: Cisco IOS CVE-2011-0945 (Memory leak in the Data-link switching (aka DLSw) feature in Cisco IOS ...) NOT-FOR-US: Cisco IOS CVE-2011-0944 (Cisco IOS 12.4, 15.0, and 15.1 allows remote attackers to cause a deni ...) NOT-FOR-US: Cisco IOS CVE-2011-0943 (Cisco IOS XR 3.8.3, 3.8.4, and 3.9.1 allows remote attackers to cause ...) NOT-FOR-US: Cisco CVE-2011-0942 RESERVED CVE-2011-0941 (Memory leak in Cisco Unified Communications Manager (CUCM) 6.x before ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2011-0940 RESERVED CVE-2011-0939 (Unspecified vulnerability in Cisco IOS 12.4, 15.0, and 15.1, and IOS X ...) NOT-FOR-US: Cisco IOS CVE-2011-0938 RESERVED CVE-2011-0937 RESERVED CVE-2011-0936 RESERVED CVE-2011-0935 (The PKI functionality in Cisco IOS 15.0 and 15.1 does not prevent perm ...) NOT-FOR-US: Cisco IOS CVE-2011-0934 RESERVED CVE-2011-0933 RESERVED CVE-2011-0932 RESERVED CVE-2011-0931 RESERVED CVE-2011-0930 RESERVED CVE-2011-0929 RESERVED CVE-2011-0928 RESERVED CVE-2011-0927 RESERVED CVE-2011-0926 (A certain ActiveX control in CSDWebInstaller.ocx in Cisco Secure Deskt ...) NOT-FOR-US: Cisco Secure Desktop CVE-2011-0925 (The CSDWebInstallerCtrl ActiveX control in CSDWebInstaller.ocx in Cisc ...) NOT-FOR-US: Cisco Secure Desktop CVE-2011-0924 (The client in HP Data Protector does not verify the contents of files ...) NOT-FOR-US: HP Data Protector CVE-2011-0923 (The client in HP Data Protector does not properly validate EXEC_CMD ar ...) NOT-FOR-US: HP Data Protector CVE-2011-0922 (The client in HP Data Protector allows remote attackers to execute arb ...) NOT-FOR-US: HP Data Protector CVE-2011-0921 (crs.exe in the Cell Manager Service in the client in HP Data Protector ...) NOT-FOR-US: HP Data Protector CVE-2011-0920 (The Remote Console in IBM Lotus Domino, when a certain unsupported con ...) NOT-FOR-US: IBM Lotus Domino CVE-2011-0919 (Multiple stack-based buffer overflows in the (1) POP3 and (2) IMAP ser ...) NOT-FOR-US: IBM Lotus Domino CVE-2011-0918 (Stack-based buffer overflow in the NRouter (aka Router) service in IBM ...) NOT-FOR-US: IBM Lotus Domino CVE-2011-0917 (Buffer overflow in nLDAP.exe in IBM Lotus Domino allows remote attacke ...) NOT-FOR-US: IBM Lotus Domino CVE-2011-0916 (Stack-based buffer overflow in the SMTP service in IBM Lotus Domino al ...) NOT-FOR-US: IBM Lotus Domino CVE-2011-0915 (Stack-based buffer overflow in nrouter.exe in IBM Lotus Domino before ...) NOT-FOR-US: IBM Lotus Domino CVE-2011-0914 (Integer signedness error in ndiiop.exe in the DIIOP implementation in ...) NOT-FOR-US: IBM Lotus Domino CVE-2011-0913 (Stack-based buffer overflow in ndiiop.exe in the DIIOP implementation ...) NOT-FOR-US: IBM Lotus Domino CVE-2011-0912 (Argument injection vulnerability in IBM Lotus Notes 8.0.x before 8.0.2 ...) NOT-FOR-US: IBM Lotus Notes CVE-2011-0911 (Cross-site scripting (XSS) vulnerability in the Users module in Zikula ...) NOT-FOR-US: zikula CVE-2011-0910 (The cookie implementation in Vanilla Forums before 2.0.17.6 makes it e ...) NOT-FOR-US: Vanilla Forums CVE-2011-0909 (Cross-site scripting (XSS) vulnerability in Vanilla Forums before 2.0. ...) NOT-FOR-US: Vanilla Forums CVE-2011-0908 (Open redirect vulnerability in Vanilla Forums before 2.0.17.6 allows r ...) NOT-FOR-US: Vanilla Forums CVE-2011-0907 RESERVED CVE-2011-0906 RESERVED CVE-2011-0905 (The rfbSendFramebufferUpdate function in server/libvncserver/rfbserver ...) {DSA-2238-1} - vino 2.28.2-3 - libvncserver (Performs sufficient range validation, but was initially reported as affected) - kdenetwork 4:4.0 NOTE: Only affects the krfb from KDE 3.5 CVE-2011-0904 (The rfbSendFramebufferUpdate function in server/libvncserver/rfbserver ...) {DSA-2238-1} - vino 2.28.2-3 - libvncserver (Performs sufficient range validation, but was initially reported as affected) - kdenetwork 4:4.0 NOTE: Only affects the krfb from KDE 3.5 CVE-2011-0903 (Multiple directory traversal vulnerabilities in AR Web Content Manager ...) NOT-FOR-US: AR Web Content Manager CVE-2011-0902 (Multiple untrusted search path vulnerabilities in the Java Service in ...) NOT-FOR-US: SunOS CVE-2011-0901 (Multiple stack-based buffer overflows in the tsc_launch_remote functio ...) - tsclient (low; bug #613204) [lenny] - tsclient (Minor issue) [squeeze] - tsclient (Minor issue) CVE-2011-0900 (Stack-based buffer overflow in the tsc_launch_remote function (src/sup ...) - tsclient (low; bug #613204) [lenny] - tsclient (Minor issue) [squeeze] - tsclient (Minor issue) CVE-2011-0899 (The AES encryption module 7.x-1.4 for Drupal leaves certain debugging ...) NOT-FOR-US: AES module for Drupal CVE-2011-0898 (Cross-site scripting (XSS) vulnerability in HP Network Node Manager i ...) NOT-FOR-US: HP Network Node Manager CVE-2011-0897 (Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.00 all ...) NOT-FOR-US: HP Network Node Manager CVE-2011-0896 (Unspecified vulnerability in HP NFS/ONCplus B.11.31.10 and earlier on ...) NOT-FOR-US: HP-UX CVE-2011-0895 (Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.0x and ...) NOT-FOR-US: HP Network Node Manager CVE-2011-0894 (Unspecified vulnerability in HP Operations 9.10 on UNIX platforms allo ...) NOT-FOR-US: HP Operations CVE-2011-0893 (Cross-site scripting (XSS) vulnerability in HP Operations 9.10 on UNIX ...) NOT-FOR-US: HP Operations CVE-2011-0892 (Cross-site scripting (XSS) vulnerability in HP Diagnostics 7.5x and 8. ...) NOT-FOR-US: HP Diagnostics CVE-2011-0891 (Unspecified vulnerability in the OS-Core.CORE2-KRN fileset in HP HP-UX ...) NOT-FOR-US: HP HP-UX CVE-2011-0890 (HP Discovery & Dependency Mapping Inventory (DDMI) 7.50, 7.51, 7.6 ...) NOT-FOR-US: HP Discovery & Dependency Mapping Inventory CVE-2011-0889 (Unspecified vulnerability in HP Client Automation Enterprise (aka HPCA ...) NOT-FOR-US: HP Client Automation Enterprise CVE-2011-0888 RESERVED CVE-2011-0887 (The web management portal on the SMC SMCD3G-CCR (aka Comcast Business ...) NOT-FOR-US: SMC SMCD3G-CCR CVE-2011-0886 (Multiple cross-site request forgery (CSRF) vulnerabilities in the web ...) NOT-FOR-US: SMC SMCD3G-CCR CVE-2011-0885 (A certain Comcast Business Gateway configuration of the SMC SMCD3G-CCR ...) NOT-FOR-US: SMC SMCD3G-CCR CVE-2011-0884 (Unspecified vulnerability in the Oracle BPEL Process Manager component ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2011-0883 (Unspecified vulnerability in the Oracle Containers for J2EE component ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2011-0882 (Unspecified vulnerability in the Content Management component in Oracl ...) NOT-FOR-US: Oracle Database Server CVE-2011-0881 (Unspecified vulnerability in the EMCTL component in Oracle Database Se ...) NOT-FOR-US: Oracle Database Server CVE-2011-0880 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2011-0879 (Unspecified vulnerability in the Instance Management component in Orac ...) NOT-FOR-US: Oracle Database Server CVE-2011-0878 REJECTED CVE-2011-0877 (Unspecified vulnerability in the Instance Management component in Orac ...) NOT-FOR-US: Oracle Database Server CVE-2011-0876 (Unspecified vulnerability in the Enterprise Manager Console component ...) NOT-FOR-US: Oracle Database Server CVE-2011-0875 (Unspecified vulnerability in the EMCTL component in Oracle Database Se ...) NOT-FOR-US: Oracle Database Server CVE-2011-0874 REJECTED CVE-2011-0873 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) [lenny] - sun-java6 6.26-0lenny1 [squeeze] - sun-java6 6.26-0squeeze1 - sun-java6 6.26-1 (bug #629852) - openjdk-6 6b18-1.8.9-0.1 (bug #629852) CVE-2011-0872 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) NOT-FOR-US: OpenJDK on Microsoft Windows CVE-2011-0871 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2358-1 DSA-2311-1} [lenny] - sun-java6 6.26-0lenny1 [squeeze] - sun-java6 6.26-0squeeze1 - sun-java6 6.26-1 (bug #629852) - openjdk-6 6b18-1.8.9-0.1 (bug #629852) CVE-2011-0870 (Unspecified vulnerability in the Schema Management component in Oracle ...) NOT-FOR-US: Oracle Database Server CVE-2011-0869 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2358-1 DSA-2311-1} [lenny] - sun-java6 6.26-0lenny1 [squeeze] - sun-java6 6.26-0squeeze1 - sun-java6 6.26-1 (bug #629852) - openjdk-6 6b18-1.8.9-0.1 (bug #629852) CVE-2011-0868 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2358-1 DSA-2311-1} [lenny] - sun-java6 6.26-0lenny1 [squeeze] - sun-java6 6.26-0squeeze1 - sun-java6 6.26-1 (bug #629852) - openjdk-6 6b18-1.8.9-0.1 (bug #629852) CVE-2011-0867 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2358-1 DSA-2311-1} [lenny] - sun-java6 6.26-0lenny1 [squeeze] - sun-java6 6.26-0squeeze1 - sun-java6 6.26-1 (bug #629852) - openjdk-6 6b18-1.8.9-0.1 (bug #629852) CVE-2011-0866 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) NOT-FOR-US: Java on Windows CVE-2011-0865 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2358-1 DSA-2311-1} [lenny] - sun-java6 6.26-0lenny1 [squeeze] - sun-java6 6.26-0squeeze1 - sun-java6 6.26-1 (bug #629852) - openjdk-6 6b18-1.8.9-0.1 (bug #629852) CVE-2011-0864 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) {DSA-2358-1 DSA-2311-1} [lenny] - sun-java6 6.26-0lenny1 [squeeze] - sun-java6 6.26-0squeeze1 - sun-java6 6.26-1 (bug #629852) - openjdk-6 6b18-1.8.9-0.1 (bug #629852) CVE-2011-0863 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) [lenny] - sun-java6 6.26-0lenny1 [squeeze] - sun-java6 6.26-0squeeze1 - sun-java6 6.26-1 (bug #629852) CVE-2011-0862 (Multiple unspecified vulnerabilities in the Java Runtime Environment ( ...) {DSA-2358-1 DSA-2311-1} [lenny] - sun-java6 6.26-0lenny1 [squeeze] - sun-java6 6.26-0squeeze1 - sun-java6 6.26-1 (bug #629852) - openjdk-6 6b18-1.8.9-0.1 (bug #629852) CVE-2011-0861 (Unspecified vulnerability in Oracle PeopleSoft Enterprise HRMS 9.0 Upd ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2011-0860 (Unspecified vulnerability in Oracle PeopleSoft Enterprise HRMS 9.0 Upd ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2011-0859 (Unspecified vulnerability in Oracle PeopleSoft Enterprise HRMS 9.0 Tax ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2011-0858 (Unspecified vulnerability in Oracle PeopleSoft Enterprise HRMS 9.0 Bun ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2011-0857 (Unspecified vulnerability in Oracle PeopleSoft Enterprise HRMS 9.0 Bun ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2011-0856 (Unspecified vulnerability in Oracle PeopleSoft Enterprise 8.49 GA thro ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2011-0855 (Unspecified vulnerability in the InForm component in Oracle Industry A ...) NOT-FOR-US: Oracle Industry Applications CVE-2011-0854 (Unspecified vulnerability in Oracle PeopleSoft Enterprise HRMS 9.1 Bun ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2011-0853 (Unspecified vulnerability in Oracle PeopleSoft Enterprise HRMS 9.0 Bun ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2011-0852 (Unspecified vulnerability in the Security Management component in Orac ...) NOT-FOR-US: Oracle Database Server CVE-2011-0851 (Unspecified vulnerability in Oracle PeopleSoft Enterprise ELS 9.0 Bund ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2011-0850 (Unspecified vulnerability in Oracle PeopleSoft Enterprise CRM 8.9 Bund ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2011-0849 (Unspecified vulnerability in Oracle Java Dynamic Management Kit 5.1 al ...) NOT-FOR-US: Oracle Java Dynamic Management Kit CVE-2011-0848 (Unspecified vulnerability in the Security Framework component in Oracl ...) NOT-FOR-US: Oracle Database Server CVE-2011-0847 (Unspecified vulnerability in the OpenSSO Enterprise and Sun Java Syste ...) NOT-FOR-US: Oracle Sun Products Suite CVE-2011-0846 (Unspecified vulnerability in the Oracle Sun Java System Access Manager ...) NOT-FOR-US: Oracle Sun Java System Access Manager Policy Agent CVE-2011-0845 (Unspecified vulnerability in the Database Control component in Oracle ...) NOT-FOR-US: Oracle Enterprise Manager Grid Control CVE-2011-0844 (Unspecified vulnerability in the OpenSSO Enterprise and Sun Java Syste ...) NOT-FOR-US: Oracle Sun Products Suite CVE-2011-0843 (Unspecified vulnerability in the Siebel CRM Core component in Oracle S ...) NOT-FOR-US: Oracle Siebel CRM CVE-2011-0842 REJECTED CVE-2011-0841 (Unspecified vulnerability in Oracle Solaris 11 Express allows remote a ...) NOT-FOR-US: Oracle Solaris CVE-2011-0840 (Unspecified vulnerability in Oracle PeopleSoft Enterprise PeopleTools ...) NOT-FOR-US: Oracle PeopleSoft Enterprise PeopleTools CVE-2011-0839 (Unspecified vulnerability in Oracle Solaris 9, 10, and 11 Express allo ...) NOT-FOR-US: Oracle Solaris CVE-2011-0838 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2011-0837 (Unspecified vulnerability in the Agile Technology Platform component i ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2011-0836 (Unspecified vulnerability in Oracle JD Edwards EnterpriseOne Tools 8.9 ...) NOT-FOR-US: Oracle JD Edwards EnterpriseOne CVE-2011-0835 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2011-0834 (Unspecified vulnerability in the Siebel CRM Core component in Oracle S ...) NOT-FOR-US: Oracle Siebel CRM CVE-2011-0833 (Unspecified vulnerability in the Siebel CRM Core component in Oracle S ...) NOT-FOR-US: Oracle Siebel CRM CVE-2011-0832 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2011-0831 (Unspecified vulnerability in the Enterprise Config Management componen ...) NOT-FOR-US: Oracle Database Server CVE-2011-0830 (Unspecified vulnerability in the Event Management component in Oracle ...) NOT-FOR-US: Oracle Database Server CVE-2011-0829 (Unspecified vulnerability in Oracle Solaris 10 and 11 Express allows l ...) NOT-FOR-US: Oracle Solaris CVE-2011-0828 (Unspecified vulnerability in Oracle PeopleSoft Enterprise 8.8 Bundle # ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2011-0827 (Unspecified vulnerability in the PeopleSoft Enterprise component in Or ...) NOT-FOR-US: Oracle PeopleSoft CVE-2011-0826 (Unspecified vulnerability in Oracle PeopleSoft Enterprise 8.8 Bundle # ...) NOT-FOR-US: Oracle PeopleSoft CVE-2011-0825 (Unspecified vulnerability in Oracle JD Edwards EnterpriseOne Tools 8.9 ...) NOT-FOR-US: Oracle JD Edwards EnterpriseOne CVE-2011-0824 (Unspecified vulnerability in Oracle JD Edwards EnterpriseOne Tools 8.9 ...) NOT-FOR-US: Oracle JD Edwards EnterpriseOne CVE-2011-0823 (Unspecified vulnerability in Oracle JD Edwards EnterpriseOne Tools 8.9 ...) NOT-FOR-US: Oracle JD Edwards EnterpriseOne CVE-2011-0822 (Unspecified vulnerability in the Streams, AQ & Replication Mgmt co ...) NOT-FOR-US: Oracle Database Serve CVE-2011-0821 (Unspecified vulnerability in Oracle Solaris 8, 9, and 10 allows local ...) NOT-FOR-US: Oracle Solaris CVE-2011-0820 (Unspecified vulnerability in Oracle Solaris 10, and 11 Express allows ...) NOT-FOR-US: Oracle Solaris CVE-2011-0819 (Unspecified vulnerability in Oracle JD Edwards EnterpriseOne Tools 8.9 ...) NOT-FOR-US: Oracle JD Edwards EnterpriseOne CVE-2011-0818 (Unspecified vulnerability in Oracle JD Edwards EnterpriseOne Tools 8.9 ...) NOT-FOR-US: Oracle JD Edwards EnterpriseOne CVE-2011-0817 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) NOT-FOR-US: Java on Windows CVE-2011-0816 (Unspecified vulnerability in the CMDB Metadata & Instance APIs com ...) NOT-FOR-US: Oracle Database Server CVE-2011-0815 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) NOT-FOR-US: Java on Windows CVE-2011-0814 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) [lenny] - sun-java6 6.26-0lenny1 [squeeze] - sun-java6 6.26-0squeeze1 - sun-java6 6.26-1 (bug #629852) CVE-2011-0813 (Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 Express a ...) NOT-FOR-US: Oracle Solaris CVE-2011-0812 (Unspecified vulnerability in the Solaris component in Oracle Solaris 8 ...) NOT-FOR-US: Oracle Solaris CVE-2011-0811 (Unspecified vulnerability in the Enterprise Config Management componen ...) NOT-FOR-US: Oracle Database Server CVE-2011-0810 (Unspecified vulnerability Oracle JD Edwards EnterpriseOne Tools 8.9 GA ...) NOT-FOR-US: Oracle JD Edwards EnterpriseOne CVE-2011-0809 (Unspecified vulnerability in the Web ADI component in Oracle E-Busines ...) NOT-FOR-US: Oracle E-Business Suite CVE-2011-0808 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2011-0807 (Unspecified vulnerability in Oracle Sun GlassFish Enterprise Server 2. ...) NOT-FOR-US: Oracle Sun GlassFish Enterprise Server CVE-2011-0806 (Unspecified vulnerability in the Network Foundation component in Oracl ...) NOT-FOR-US: Oracle Database Server CVE-2011-0805 (Unspecified vulnerability in the UIX component in Oracle Database Serv ...) NOT-FOR-US: Oracle Database Server CVE-2011-0804 (Unspecified vulnerability in the Database Vault component in Oracle Da ...) NOT-FOR-US: Oracle Database Server CVE-2011-0803 (Unspecified vulnerability in the JD Edwards EnterpriseOne Tools compon ...) NOT-FOR-US: Oracle JD Edwards Products CVE-2011-0802 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) [lenny] - sun-java6 6.26-0lenny1 [squeeze] - sun-java6 6.26-0squeeze1 - sun-java6 6.26-1 (bug #629852) CVE-2011-0801 (Unspecified vulnerability in Oracle Solaris 10 and 11 Express allows l ...) NOT-FOR-US: Oracle Solaris CVE-2011-0800 (Unspecified vulnerability in the Solaris component in Oracle Solaris 8 ...) NOT-FOR-US: Oracle Solaris CVE-2011-0799 (Unspecified vulnerability in the Oracle Warehouse Builder component in ...) NOT-FOR-US: Oracle Database Server CVE-2011-0798 (Unspecified vulnerability in the Portal component in Oracle Fusion Mid ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2011-0797 (Unspecified vulnerability in the Applications Install component in Ora ...) NOT-FOR-US: Oracle E-Business Suite CVE-2011-0796 (Unspecified vulnerability in the Applications Install component in Ora ...) NOT-FOR-US: Oracle E-Business Suite CVE-2011-0795 (Unspecified vulnerability in the Single Sign On component in Oracle Fu ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2011-0794 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2011-0793 (Unspecified vulnerability in the Database Vault component in Oracle Da ...) NOT-FOR-US: Oracle Database Server CVE-2011-0792 (Unspecified vulnerability in the Oracle Warehouse Builder component in ...) NOT-FOR-US: Oracle Database Server CVE-2011-0791 (Unspecified vulnerability in the Application Object Library component ...) NOT-FOR-US: Oracle E-Business Suite CVE-2011-0790 (Unspecified vulnerability in Oracle Solaris 9 and 10 allows local user ...) NOT-FOR-US: Oracle Solaris CVE-2011-0789 (Unspecified vulnerability in the Oracle HTTP Server component in Oracl ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2011-0788 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) NOT-FOR-US: Java on Windows CVE-2011-0787 (Unspecified vulnerability in the Application Service Level Management ...) NOT-FOR-US: Oracle CVE-2011-0786 (Unspecified vulnerability in the Java Runtime Environment (JRE) compon ...) NOT-FOR-US: Java on Windows CVE-2011-0785 (Unspecified vulnerability in the Oracle Help component in Oracle Datab ...) NOT-FOR-US: Oracle CVE-2011-0784 (Race condition in Google Chrome before 9.0.597.84 allows remote attack ...) - chromium-browser 9.0.597.84~r72991-1 [squeeze] - chromium-browser [wheezy] - chromium-browser 6.0.472.63~r59945-5+squeeze4 - webkit (chromium specific) CVE-2011-0783 (Unspecified vulnerability in Google Chrome before 9.0.597.84 allows us ...) {DSA-2166-1} - chromium-browser 9.0.597.84~r72991-1 [wheezy] - chromium-browser 6.0.472.63~r59945-5+squeeze4 - webkit (chromium specific) CVE-2011-0782 (Google Chrome before 9.0.597.84 on Mac OS X does not properly mitigate ...) - chromium-browser (mac only) - webkit (chromium specific) CVE-2011-0781 (Google Chrome before 9.0.597.84 does not properly handle autofill prof ...) - chromium-browser 9.0.597.84~r72991-1 (unimportant) - webkit (chromium specific) CVE-2011-0780 (The PDF event handler in Google Chrome before 9.0.597.84 does not prop ...) - chromium-browser (Chrome pdf plugin) - webkit (chromium specific) CVE-2011-0779 (Google Chrome before 9.0.597.84 does not properly handle a missing key ...) {DSA-2192-1} - chromium-browser 9.0.597.84~r72991-1 [wheezy] - chromium-browser 6.0.472.63~r59945-5+squeeze4 - webkit (chromium specific) CVE-2011-0778 (Google Chrome before 9.0.597.84 does not properly restrict drag and dr ...) {DSA-2188-1 DSA-2166-1} - chromium-browser 9.0.597.84~r72991-1 [wheezy] - chromium-browser 6.0.472.63~r59945-5+squeeze4 - webkit 1.2.7-1 NOTE: http://trac.webkit.org/changeset/71925 CVE-2011-0777 (Use-after-free vulnerability in Google Chrome before 9.0.597.84 allows ...) {DSA-2166-1} - chromium-browser 9.0.597.84~r72991-1 [wheezy] - chromium-browser 6.0.472.63~r59945-5+squeeze4 NOTE: http://trac.webkit.org/changeset/72230 CVE-2011-0776 (The sandbox implementation in Google Chrome before 9.0.597.84 on Mac O ...) - chromium-browser (mac only) - webkit (chromium specific) CVE-2010-4729 (Zikula before 1.2.3 does not use the authid protection mechanism for ( ...) NOT-FOR-US: zikula CVE-2010-4728 (Zikula before 1.3.1 uses the rand and srand PHP functions for random n ...) NOT-FOR-US: zikula CVE-2011-XXXX [evince segfault] - evince 2.30.3-1 [lenny] - evince (bug #612668) CVE-2011-XXXX [php-gettext XSS] - php-gettext (unimportant) NOTE: http://www.autosectools.com/Advisories/CiviCRM.3.3.3.Drupal-Joomla_Reflected.Cross-site.Scripting_102.html NOTE: Vulnerable code only in examples/ CVE-2011-1136 (In tesseract 2.03 and 2.04, an attacker can rewrite an arbitrary user ...) - tesseract 2.04-2.1 (low; bug #612032) [squeeze] - tesseract 2.04-2+squeeze1 [lenny] - tesseract 2.03-2+lenny1 (bug #612032) CVE-2011-XXXX [aptitude tempfile] - aptitude 0.6.3-4 (low; bug #612034) [squeeze] - aptitude 0.6.3-2.1+squeeze1 (bug #612034) [lenny] - aptitude 0.4.11.11-1~lenny2 (bug #612034) CVE-2011-0775 (pivotx/modules/module_image.php in PivotX 2.2.2 allows remote attacker ...) NOT-FOR-US: PivotX CVE-2011-0774 (PivotX before 2.2.2 allows remote attackers to obtain sensitive inform ...) NOT-FOR-US: PivotX CVE-2011-0773 (Cross-site scripting (XSS) vulnerability in pivotx/modules/module_imag ...) NOT-FOR-US: PivotX CVE-2011-0772 (Multiple cross-site scripting (XSS) vulnerabilities in PivotX 2.2.0, a ...) NOT-FOR-US: PivotX CVE-2011-0771 (The Janrain Engage (formerly RPX) module 6.x-1.3 for Drupal does not v ...) NOT-FOR-US: Janrain Engage Drupal module CVE-2011-0770 (Cross-site scripting (XSS) vulnerability in Windows Event Log SmartCon ...) NOT-FOR-US: Windows Event Log SmartConnector CVE-2011-0769 RESERVED CVE-2011-0768 RESERVED CVE-2011-0767 (Cross-site scripting (XSS) vulnerability in the management GUI in the ...) NOT-FOR-US: Imperva SecureSphere Web Application Firewall CVE-2011-0766 (The random number generator in the Crypto application before 2.0.2.2, ...) - erlang 1:14.b.3-dfsg-1 (low; bug #628456) [squeeze] - erlang 1:14.a-dfsg-3squeeze1 NOTE: http://www.kb.cert.org/vuls/id/178990 NOTE: https://github.com/erlang/otp/commit/f228601de45c5 CVE-2011-0765 (Unspecified vulnerability in lft in pWhois Layer Four Traceroute (LFT) ...) NOT-FOR-US: pWhois Layer Four Traceroute CVE-2011-0764 (t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6, teTeX, and ot ...) {DSA-2388-1} - xpdf 3.02-9 - poppler (never used t1lib) - t1lib 5.1.2-3.3 [lenny] - t1lib 5.1.2-3+lenny1 [squeeze] - t1lib 5.1.2-3+squeeze1 NOTE: http://www.toucan-system.com/advisories/tssa-2011-01.txt CVE-2011-0763 RESERVED CVE-2011-0762 (The vsf_filename_passes_filter function in ls.c in vsftpd before 2.3.3 ...) {DSA-2305-1} - vsftpd 2.3.4-1 (bug #622741) [squeeze] - vsftpd 2.3.2-3+squeeze2 [lenny] - vsftpd 2.0.7-1+lenny1 CVE-2011-0761 (Perl 5.10.x allows context-dependent attackers to cause a denial of se ...) - perl 5.12.0-1 (unimportant; bug #628817) CVE-2011-0760 (Multiple cross-site request forgery (CSRF) vulnerabilities in the conf ...) NOT-FOR-US: WP Related Posts plugin for WordPress CVE-2011-0759 (Multiple cross-site request forgery (CSRF) vulnerabilities in the conf ...) NOT-FOR-US: Recaptcha plugin for WordPress CVE-2010-4727 (Smarty before 3.0.0 beta 7 does not properly handle the <?php and ? ...) - smarty3 3.0~rc1-1 - smarty [squeeze] - smarty3 (Unsupported in squeeze-lts) [squeeze] - smarty (Unsupported in squeeze-lts) CVE-2010-4726 (Unspecified vulnerability in the math plugin in Smarty before 3.0.0 RC ...) - smarty3 3.0.8-1 - smarty [squeeze] - smarty3 (Unsupported in squeeze-lts) [squeeze] - smarty (Unsupported in squeeze-lts) CVE-2010-4725 (Smarty before 3.0.0 RC3 does not properly handle an on value of the as ...) - smarty3 3.0.8-1 - smarty [squeeze] - smarty3 (Unsupported in squeeze-lts) [squeeze] - smarty (Unsupported in squeeze-lts) CVE-2010-4724 (Multiple unspecified vulnerabilities in the parser implementation in S ...) - smarty3 3.0.8-1 - smarty [squeeze] - smarty3 (Unsupported in squeeze-lts) [squeeze] - smarty (Unsupported in squeeze-lts) CVE-2010-4723 (Smarty before 3.0.0, when security is enabled, does not prevent access ...) - smarty3 3.0.8-1 - smarty [squeeze] - smarty3 (Unsupported in squeeze-lts) [squeeze] - smarty (Unsupported in squeeze-lts) CVE-2010-4722 (Unspecified vulnerability in the fetch plugin in Smarty before 3.0.2 h ...) - smarty3 3.0.8-1 - smarty [squeeze] - smarty3 (Unsupported in squeeze-lts) [squeeze] - smarty (Unsupported in squeeze-lts) CVE-2009-5054 (Smarty before 3.0.0 beta 4 does not consider the umask value when sett ...) - smarty3 3.0~rc1-1 - smarty [squeeze] - smarty (Unsupported in squeeze-lts) CVE-2009-5053 (Unspecified vulnerability in Smarty before 3.0.0 beta 6 allows remote ...) - smarty3 3.0~rc1-1 - smarty [squeeze] - smarty (Unsupported in squeeze-lts) CVE-2009-5052 (Multiple unspecified vulnerabilities in Smarty before 3.0.0 beta 6 hav ...) - smarty3 3.0~rc1-1 - smarty [squeeze] - smarty (Unsupported in squeeze-lts) CVE-2011-0758 (The eCS component (ECSQdmn.exe) in CA ETrust Secure Content Manager 8. ...) NOT-FOR-US: CA ETrust CVE-2011-0757 (IBM DB2 9.1 before FP10, 9.5 before FP6a, and 9.7 before FP2 on Linux, ...) NOT-FOR-US: IBM DB2 CVE-2011-0756 (The application server in Trustwave WebDefend Enterprise before 5.0 us ...) NOT-FOR-US: Trustwave WebDefend Enterprise CVE-2011-0755 (Integer overflow in the mt_rand function in PHP before 5.3.4 might mak ...) - php5 5.3.5-1 (unimportant) NOTE: Only exploitable with malicious script CVE-2011-0754 (The SplFileInfo::getType function in the Standard PHP Library (SPL) ex ...) - php5 (Only affects PHP on Windows) CVE-2011-0753 (Race condition in the PCNTL extension in PHP before 5.3.4, when a user ...) - php5 5.3.5-1 (unimportant) NOTE: Only exploitable with malicious script CVE-2011-0752 (The extract function in PHP before 5.2.15 does not prevent use of the ...) - php5 5.3.3-7 (unimportant) NOTE: Only exploitable with malicious script CVE-2011-0751 (Directory traversal vulnerability in nhttpd (aka Nostromo webserver) b ...) NOT-FOR-US: Nostromo webserver CVE-2011-0750 RESERVED CVE-2011-0749 RESERVED CVE-2011-0748 (Multiple cross-site request forgery (CSRF) vulnerabilities in phpList ...) - phplist (bug #612288) CVE-2011-0747 RESERVED CVE-2011-0746 (Cross-site request forgery (CSRF) vulnerability in Forms/PortForwardin ...) NOT-FOR-US: ZyXEL O2 DSL Router CVE-2011-0745 (SugarCRM before 6.1.3 does not properly handle reloads and direct requ ...) - sugarcrm-ce-5.0 (bug #457876) CVE-2011-0744 RESERVED CVE-2011-0743 RESERVED CVE-2011-0742 (Buffer overflow in ZfHIPCND.exe in Novell ZENworks Handheld Management ...) NOT-FOR-US: Novell ZENworks Handheld Management CVE-2011-0741 (Multiple cross-site scripting (XSS) vulnerabilities in ModX Evolution ...) NOT-FOR-US: ModX CVE-2011-0740 (Cross-site scripting (XSS) vulnerability in magpie/scripts/magpie_slas ...) - magpierss 0.72-10 (low; bug #611940) [squeeze] - magpierss 0.72-8+squeeze1 [lenny] - magpierss 0.72-5+lenny1 CVE-2011-0739 (The deliver function in the sendmail delivery agent (lib/mail/network/ ...) NOT-FOR-US: Ruby mail gem CVE-2011-0738 (MyProxy 5.0 through 5.2, as used in Globus Toolkit 5.0.0 through 5.0.2 ...) NOT-FOR-US: MyProxy CVE-2011-0737 (** DISPUTED ** Adobe ColdFusion 9.0.1 CHF1 and earlier allows remote a ...) NOT-FOR-US: Adobe Coldfusion CVE-2011-0736 (** DISPUTED ** Adobe ColdFusion 9.0.1 CHF1 and earlier, when a web app ...) NOT-FOR-US: Adobe ColdFusion CVE-2011-0735 (Cross-site scripting (XSS) vulnerability in Adobe ColdFusion before 9. ...) NOT-FOR-US: Adobe ColdFusion CVE-2011-0734 (Cross-site scripting (XSS) vulnerability in Adobe ColdFusion before 9. ...) NOT-FOR-US: Adobe ColdFusion CVE-2011-0733 (Cross-site scripting (XSS) vulnerability in Adobe ColdFusion before 9. ...) NOT-FOR-US: Adobe ColdFusion CVE-2011-0732 (Multiple unspecified vulnerabilities in IBM Tivoli Integrated Portal ( ...) NOT-FOR-US: IBM Tivoli Integrated Portal CVE-2011-0731 (Buffer overflow in the DB2 Administration Server (DAS) component in IB ...) NOT-FOR-US: IBM DB2 CVE-2011-0730 (Eucalyptus before 2.0.3 and Eucalyptus EE before 2.0.2, as used in Ubu ...) - eucalyptus (It was once removed from archive, then re-added as 3.1.0) CVE-2011-0729 (dbus_backend/ls-dbus-backend in the D-Bus backend in language-selector ...) NOT-FOR-US: Ubuntu-specific language-selector package CVE-2011-0728 (Cross-site scripting (XSS) vulnerability in templatefunctions.py in Lo ...) - loggerhead 1.18.1-1 (low) [squeeze] - loggerhead (Minor issue) CVE-2011-0727 (GNOME Display Manager (gdm) 2.x before 2.32.1 allows local users to ch ...) {DSA-2205-1} - gdm3 2.30.5-9 - gdm (Affected code was introduced in 2.28) CVE-2011-0726 (The do_task_stat function in fs/proc/array.c in the Linux kernel befor ...) {DSA-2264-1 DSA-2240-1} - linux-2.6 2.6.38-2 [lenny] - linux-2.6 2.6.26-26lenny3 [squeeze] - linux-2.6 2.6.32-32 CVE-2011-0725 (Absolute path traversal vulnerability in the org.debian.apt.UpdateCach ...) - aptdaemon 0.43+bzr707-1 [squeeze] - aptdaemon (Introduced in 0.33) CVE-2011-0724 (The Live DVD for Edubuntu 9.10, 10.04 LTS, and 10.10 does not correctl ...) - italc (Only Edubuntu Live DVD affected) NOTE: https://bugs.launchpad.net/ubuntu/+source/italc/+bug/714864 NOTE: http://web.archive.org/web/20140817234205/https://lists.ubuntu.com/archives/ubuntu-security-announce/2011-February/001245.html CVE-2011-0723 (FFmpeg 0.5.x, as used in MPlayer and other products, allows remote att ...) {DSA-2306-1} - libav 4:0.6-1 - ffmpeg 7:2.4.1-1 - ffmpeg-debian CVE-2011-0722 (FFmpeg before 0.5.4, as used in MPlayer and other products, allows rem ...) {DSA-2306-1} - libav 4:0.6-1 - ffmpeg 7:2.4.1-1 - ffmpeg-debian CVE-2011-0721 (Multiple CRLF injection vulnerabilities in (1) chfn and (2) chsh in sh ...) {DSA-2164-1} - shadow 1:4.1.4.2+svn3283-3 [lenny] - shadow (Vulnerable code not present) CVE-2010-4721 (SQL injection vulnerability in news.php in Immo Makler allows remote a ...) NOT-FOR-US: Immo Makler CVE-2010-4720 (SQL injection vulnerability in the JExtensions JE Auto (com_jeauto) co ...) NOT-FOR-US: Joomla JEAuto addon CVE-2010-4719 (Directory traversal vulnerability in JRadio (com_jradio) component bef ...) NOT-FOR-US: Joomla JRadio addon CVE-2010-4718 (Multiple cross-site scripting (XSS) vulnerabilities in the Lyftenblogg ...) NOT-FOR-US: Joomla Lyftenbloggie addon CVE-2011-0720 (Unspecified vulnerability in Plone 2.5 through 4.0, as used in Conga, ...) - plone3 CVE-2011-0719 (Samba 3.x before 3.3.15, 3.4.x before 3.4.12, and 3.5.x before 3.5.7 d ...) {DSA-2175-1} - samba 2:3.5.7~dfsg-1 CVE-2011-0718 (Red Hat Network (RHN) Satellite Server 5.4 does not use a time delay a ...) NOT-FOR-US: Red Hat Network Satellite/Spacewalk CVE-2011-0717 (Session fixation vulnerability in Red Hat Network (RHN) Satellite Serv ...) NOT-FOR-US: Red Hat Network Satellite/Spacewalk CVE-2011-0716 (The br_multicast_add_group function in net/bridge/br_multicast.c in th ...) - linux-2.6 2.6.38-1 (low) [lenny] - linux-2.6 (Vulnerable code not present, introduced in 2.6.34) [squeeze] - linux-2.6 (Vulnerable code not present, introduced in 2.6.34) [wheezy] - linux-2.6 (Vulnerable code not present, introduced in 2.6.34) CVE-2011-0715 (The mod_dav_svn module for the Apache HTTP Server, as distributed in A ...) {DSA-2181-1} - subversion 1.6.16dfsg-1 CVE-2011-0714 (Use-after-free vulnerability in a certain Red Hat patch for the RPC se ...) - linux-2.6 (This issue only affects Red Hat Enterprise Linux 6) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=678144 NOTE: http://seclists.org/oss-sec/2011/q1/438 CVE-2011-0713 (Heap-based buffer overflow in wiretap/dct3trace.c in Wireshark 1.2.0 t ...) {DSA-2201-1} - wireshark 1.4.4-1 [lenny] - wireshark (Vulnerable code not present) NOTE: http://anonsvn.wireshark.org/viewvc?view=rev&revision=35953 CVE-2011-0712 (Multiple buffer overflows in the caiaq Native Instruments USB audio fu ...) {DSA-2310-1} - linux-2.6 2.6.37-2 [wheezy] - linux-2.6 2.6.32-31 [squeeze] - linux-2.6 2.6.32-31 CVE-2011-0711 (The xfs_fs_geometry function in fs/xfs/xfs_fsops.c in the Linux kernel ...) {DSA-2264-1 DSA-2240-1} - linux-2.6 2.6.38-1 (low) CVE-2011-0710 (The task_show_regs function in arch/s390/kernel/traps.c in the Linux k ...) {DSA-2264-1} - linux-2.6 2.6.37-2 (low) [wheezy] - linux-2.6 2.6.32-31 [squeeze] - linux-2.6 2.6.32-31 CVE-2011-0709 (The br_mdb_ip_get function in net/bridge/br_multicast.c in the Linux k ...) - linux-2.6 (Introduced in 2.6.35-rc1 and fixed in 2.6.35-rc5) CVE-2011-0708 (exif.c in the Exif extension in PHP before 5.3.6 on 64-bit platforms p ...) {DSA-2266-1} - php5 5.3.6-1 CVE-2011-0707 (Multiple cross-site scripting (XSS) vulnerabilities in Cgi/confirm.py ...) {DSA-2170-1} - mailman 1:2.1.14-1 NOTE: patch http://mail.python.org/pipermail/mailman-developers/attachments/20110218/15500b22/attachment.txt NOTE: present in 2.1.14 and earlier NOTE: http://mail.python.org/pipermail/mailman-developers/2011-February/021317.html CVE-2011-0706 (The JNLPClassLoader class in IcedTea-Web before 1.0.1, as used in Open ...) {DSA-2224-1} - openjdk-6 6b18-1.8.7-1 CVE-2011-0705 REJECTED CVE-2011-0704 (389 Directory Server 1.2.7.5, when built with mozldap, allows remote a ...) NOT-FOR-US: 389 Directory Server CVE-2011-0703 (In gksu-polkit before 0.0.3, the source file for xauth may contain arb ...) - gksu-polkit (bug #684489) [squeeze] - gksu-polkit (Unsupported in squeeze-lts) CVE-2011-0702 (The feh_unique_filename function in utils.c in feh before 1.11.2 might ...) - feh 1.12-1 (low; bug #612035) [squeeze] - feh (Minor issue) [lenny] - feh (Minor issue) CVE-2011-0701 (wp-admin/async-upload.php in the media uploader in WordPress before 3. ...) {DSA-2190-1} - wordpress 3.0.5+dfsg-1 [lenny] - wordpress (2.x version is not affected) CVE-2011-0700 (Multiple cross-site scripting (XSS) vulnerabilities in WordPress befor ...) {DSA-2190-1} - wordpress 3.0.5+dfsg-1 [lenny] - wordpress (2.x version is not affected) CVE-2011-0699 (Integer signedness error in the btrfs_ioctl_space_info function in the ...) - linux-2.6 2.6.37-2 [wheezy] - linux-2.6 (code introduced in .37) [squeeze] - linux-2.6 (code introduced in .37) [lenny] - linux-2.6 (code introduced in .37) CVE-2011-0698 (Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2 ...) - python-django (Windows-specific) NOTE: http://www.djangoproject.com/weblog/2011/feb/08/security/ CVE-2011-0697 (Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 ...) {DSA-2163-1} - python-django 1.2.5-1 [lenny] - python-django (Vulnerable code not present) NOTE: http://www.djangoproject.com/weblog/2011/feb/08/security/ [squeeze] - python-django 1.2.3-3+squeeze1 CVE-2011-0696 (Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly val ...) {DSA-2163-1} - python-django 1.2.5-1 [lenny] - python-django (Vulnerable code not present) NOTE: http://www.djangoproject.com/weblog/2011/feb/08/security/ [squeeze] - python-django 1.2.3-3+squeeze1 CVE-2011-0695 (Race condition in the cm_work_handler function in the InfiniBand drive ...) {DSA-2264-1 DSA-2240-1} - linux-2.6 2.6.38-2 CVE-2011-0694 (RealNetworks RealPlayer 11.0 through 11.1, SP 1.0 through 1.1.5, and 1 ...) NOT-FOR-US: RealPlayer CVE-2011-0693 RESERVED CVE-2011-0692 RESERVED CVE-2011-0691 RESERVED CVE-2011-0690 RESERVED CVE-2011-0689 RESERVED CVE-2011-0688 (Intel Alert Management System (aka AMS or AMS2), as used in Symantec A ...) NOT-FOR-US: Symantec Intel Alert Handler CVE-2011-0687 (Opera before 11.01 does not properly implement Wireless Application Pr ...) NOT-FOR-US: Opera CVE-2011-0686 (Unspecified vulnerability in Opera before 11.01 allows remote attacker ...) NOT-FOR-US: Opera CVE-2011-0685 (The Delete Private Data feature in Opera before 11.01 does not properl ...) NOT-FOR-US: Opera CVE-2011-0684 (Opera before 11.01 does not properly handle redirections and unspecifi ...) NOT-FOR-US: Opera CVE-2011-0683 (Opera before 11.01 does not properly restrict the use of opera: URLs, ...) NOT-FOR-US: Opera CVE-2011-0682 (Integer truncation error in opera.dll in Opera before 11.01 allows rem ...) NOT-FOR-US: Opera CVE-2011-0681 (The Cascading Style Sheets (CSS) Extensions for XML implementation in ...) NOT-FOR-US: Opera CVE-2011-0680 (data/WorkingMessage.java in the Mms application in Android before 2.2. ...) NOT-FOR-US: Mms for Android CVE-2010-4717 (Multiple stack-based buffer overflows in the IMAP server component in ...) NOT-FOR-US: Novell GroupWise CVE-2010-4716 (Cross-site scripting (XSS) vulnerability in the WebPublisher component ...) NOT-FOR-US: Novell GroupWise CVE-2010-4715 (Multiple directory traversal vulnerabilities in the (1) WebAccess Agen ...) NOT-FOR-US: Novell GroupWise CVE-2010-4714 (Multiple stack-based buffer overflows in Novell GroupWise before 8.02H ...) NOT-FOR-US: Novell GroupWise CVE-2010-4713 (Integer signedness error in gwia.exe in GroupWise Internet Agent (GWIA ...) NOT-FOR-US: Novell GroupWise CVE-2010-4712 (Multiple stack-based buffer overflows in gwia.exe in GroupWise Interne ...) NOT-FOR-US: Novell GroupWise CVE-2010-4711 (Double free vulnerability in the IMAP server component in GroupWise In ...) NOT-FOR-US: Novell GroupWise CVE-2011-0679 (IBM WebSphere Portal 6.0.1.1 through 7.0.0.0, as used in IBM Lotus Web ...) NOT-FOR-US: IBM WebSphere Portal CVE-2011-0678 (Unrestricted file upload vulnerability in the EasyEdit module in Lomte ...) NOT-FOR-US: Lomtec ActiveWeb Professional CVE-2011-0677 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2011-0676 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2011-0675 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: Microsoft Windows CVE-2011-0674 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: Microsoft Windows CVE-2011-0673 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP3 allo ...) NOT-FOR-US: Microsoft Windows CVE-2011-0672 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: Microsoft Windows CVE-2011-0671 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: Microsoft Windows CVE-2011-0670 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: Microsoft Windows CVE-2011-0669 REJECTED CVE-2011-0668 RESERVED CVE-2011-0667 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: Microsoft Windows CVE-2011-0666 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: Microsoft Windows CVE-2011-0665 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: Microsoft Windows CVE-2011-0664 (Microsoft .NET Framework 2.0 SP1 and SP2, 3.5 Gold and SP1, 3.5.1, and ...) NOT-FOR-US: Microsoft .NET Framework, Silverlight CVE-2011-0663 (Multiple integer overflows in the Microsoft (1) JScript 5.6 through 5. ...) NOT-FOR-US: Microsoft JScript CVE-2011-0662 (Use-after-free vulnerability in win32k.sys in the kernel-mode drivers ...) NOT-FOR-US: Microsoft Windows CVE-2011-0661 (The SMB Server service in Microsoft Windows XP SP2 and SP3, Windows Se ...) NOT-FOR-US: Microsoft Windows CVE-2011-0660 (The SMB client in Microsoft Windows XP SP2 and SP3, Windows Server 200 ...) NOT-FOR-US: Microsoft Windows CVE-2011-0659 REJECTED CVE-2011-0658 (Integer underflow in the OLE Automation protocol implementation in VBS ...) NOT-FOR-US: Microsoft Windows CVE-2011-0657 (DNSAPI.dll in the DNS client in Microsoft Windows XP SP2 and SP3, Wind ...) NOT-FOR-US: Microsoft Windows CVE-2011-0656 (Microsoft PowerPoint 2002 SP3, 2003 SP3, 2007 SP2, and 2010; Office 20 ...) NOT-FOR-US: Microsoft CVE-2011-0655 (Microsoft PowerPoint 2007 SP2 and 2010; Office 2004, 2008, and 2011 fo ...) NOT-FOR-US: Microsoft CVE-2011-0654 (Integer underflow in the BowserWriteErrorLogEntry function in the Comm ...) NOT-FOR-US: Windows 2003 CVE-2011-0653 (Cross-site scripting (XSS) vulnerability in Microsoft Office SharePoin ...) NOT-FOR-US: Microsoft SharePoint CVE-2011-0652 (lnsfw1.sys 6.0.2900.5512 in Look 'n' Stop Firewall 2.06p4 and 2.07 all ...) NOT-FOR-US: Look 'n' Stop Firewall CVE-2011-0651 (Buffer overflow in the key exchange functionality in Icon Labs Iconfid ...) NOT-FOR-US: Iconfidant SSL Server (VxWorks OS) CVE-2011-0650 (Cross-site request forgery (CSRF) vulnerability in Greenbone Security ...) NOT-FOR-US: Greenbone Security Manager appliance CVE-2010-4710 (Cross-site scripting (XSS) vulnerability in the addItem method in the ...) - yui (unimportant) NOTE: Mostly a case of mis-documentation CVE-2010-4709 (Heap-based buffer overflow in Automated Solutions Modbus/TCP Master OP ...) NOT-FOR-US: Automated Solutions Modbus/TCP Master CVE-2011-0649 (Multiple unspecified vulnerabilities in TIBCO Rendezvous 8.2.1 through ...) NOT-FOR-US: TIBCO Rendezvous CVE-2011-0648 (Unspecified vulnerability in EMC Avamar before 5.0.4-30 allows remote ...) NOT-FOR-US: EMC Avamar CVE-2011-0647 (The irccd.exe service in EMC Replication Manager Client before 5.3 and ...) NOT-FOR-US: EMC CVE-2011-0646 (SQL injection vulnerability in viewfaqs.php in PHP LOW BIDS allows rem ...) NOT-FOR-US: PHPLOWBIDS CVE-2011-0645 (SQL injection vulnerability in data.php in PHPCMS 2008 V2 allows remot ...) NOT-FOR-US: PHPCMS CVE-2011-0644 (SQL injection vulnerability in include/admin/model_field.class.php in ...) NOT-FOR-US: PHPCMS CVE-2011-0643 (Cross-site request forgery (CSRF) vulnerability in admin/conf_users_ed ...) NOT-FOR-US: PHP Link Directory CVE-2011-0642 (Cross-site request forgery (CSRF) vulnerability in news/admin.php in N ...) NOT-FOR-US: N-13 News CVE-2011-0641 (Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/admin. ...) NOT-FOR-US: StatPressCN Wordpress Plugin CVE-2011-0640 (The default configuration of udev on Linux does not warn the user befo ...) NOTE: Not much that could sensibly be fixed here CVE-2011-0639 (Apple Mac OS X does not properly warn the user before enabling additio ...) NOT-FOR-US: Mac OS X CVE-2011-0638 (Microsoft Windows does not properly warn the user before enabling addi ...) NOT-FOR-US: Microsoft Windows CVE-2011-0637 (The FC SCSI protocol driver in IBM AIX 6.1 does not verify that a time ...) NOT-FOR-US: AIX CVE-2011-0636 (The (1) cudaHostAlloc and (2) cuMemHostAlloc functions in the NVIDIA C ...) NOT-FOR-US: NVIDIA CUDA Toolkit CVE-2011-0635 (Static code injection vulnerability in Simploo CMS 1.7.1 and earlier a ...) NOT-FOR-US: Simploo CVE-2010-4708 (The pam_env module in Linux-PAM (aka pam) 1.1.2 and earlier reads the ...) - pam 1.1.3-7.1 (low; bug #611136) [lenny] - pam (Minor issue, too invasive for a stable release) [squeeze] - pam (Minor issue, too invasive for a stable release) CVE-2010-4707 (The check_acl function in pam_xauth.c in the pam_xauth module in Linux ...) - pam 1.1.3-1 (low) [lenny] - pam (Minor issue) [squeeze] - pam (Minor issue) CVE-2010-4706 (The pam_sm_close_session function in pam_xauth.c in the pam_xauth modu ...) - pam 1.1.3-1 (low) [lenny] - pam (Minor issue) [squeeze] - pam (Minor issue) CVE-2010-4705 (Integer overflow in the vorbis_residue_decode_internal function in lib ...) {DSA-2165-1} - ffmpeg (issue introduced in 0.6.x series; bug #611495) - ffmpeg-debian NOTE: recheck when 0.6.x gets uploaded CVE-2010-4704 (libavcodec/vorbis_dec.c in the Vorbis decoder in FFmpeg 0.6.1 and earl ...) {DSA-2306-1 DSA-2165-1} - libav 4:0.6.2-1 (low; bug #611495) - ffmpeg 7:2.4.1-1 (low; bug #611495) - ffmpeg-debian NOTE: this is a crash found by fuzzing and not clearly exploitable (can be combined with other fixes so low urgency) CVE-2011-XXXX [shibboleth Single TransientID Mapped to Multiple Principals] NOTE: Not packaged in Debian, separate package Shibboleth IdP NOTE: http://shibboleth.internet2.edu/secadv/secadv_20110113.txt CVE-2011-0520 (The compress_add_dlabel_points function in dns/Compress.c in MaraDNS 1 ...) {DSA-2196-1} - maradns 1.4.03-1.1 (bug #610834) CVE-2011-0634 REJECTED CVE-2011-0633 (The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW ...) - libwww-perl 6.01-1 (low; bug #669126) [squeeze] - libwww-perl (Minor issue) CVE-2011-0632 RESERVED CVE-2011-0631 RESERVED CVE-2011-0630 RESERVED CVE-2011-0629 (Cross-site request forgery (CSRF) vulnerability in Adobe ColdFusion 8. ...) NOT-FOR-US: Adobe ColdFusion CVE-2011-0628 (Integer overflow in Adobe Flash Player before 10.3.181.14 on Windows, ...) NOT-FOR-US: Adobe Flash Player CVE-2011-0627 (Adobe Flash Player before 10.3.181.14 on Windows, Mac OS X, Linux, and ...) NOT-FOR-US: Adobe Flash Player CVE-2011-0626 (Adobe Flash Player before 10.3.181.14 on Windows, Mac OS X, Linux, and ...) NOT-FOR-US: Adobe Flash Player CVE-2011-0625 (Adobe Flash Player before 10.3.181.14 on Windows, Mac OS X, Linux, and ...) NOT-FOR-US: Adobe Flash Player CVE-2011-0624 (Adobe Flash Player before 10.3.181.14 on Windows, Mac OS X, Linux, and ...) NOT-FOR-US: Adobe Flash Player CVE-2011-0623 (Adobe Flash Player before 10.3.181.14 on Windows, Mac OS X, Linux, and ...) NOT-FOR-US: Adobe Flash Player CVE-2011-0622 (Adobe Flash Player before 10.3.181.14 on Windows, Mac OS X, Linux, and ...) NOT-FOR-US: Adobe Flash Player CVE-2011-0621 (Adobe Flash Player before 10.3.181.14 on Windows, Mac OS X, Linux, and ...) NOT-FOR-US: Adobe Flash Player CVE-2011-0620 (Adobe Flash Player before 10.3.181.14 on Windows, Mac OS X, Linux, and ...) NOT-FOR-US: Adobe Flash Player CVE-2011-0619 (Adobe Flash Player before 10.3.181.14 on Windows, Mac OS X, Linux, and ...) NOT-FOR-US: Adobe Flash Player CVE-2011-0618 (Integer overflow in Adobe Flash Player before 10.3.181.14 on Windows, ...) NOT-FOR-US: Adobe Flash Player CVE-2011-0617 REJECTED CVE-2011-0616 REJECTED CVE-2011-0615 (Multiple buffer overflows in Adobe Audition 3.0.1 and earlier allow re ...) NOT-FOR-US: Adobe Audition CVE-2011-0614 (Buffer overflow in Adobe Audition 3.0.1 and earlier allows remote atta ...) NOT-FOR-US: Adobe Audition CVE-2011-0613 (Multiple cross-site scripting (XSS) vulnerabilities in RoboHelp 7 and ...) NOT-FOR-US: RoboHelp CVE-2011-0612 (Adobe Flash Media Server (FMS) before 3.5.6, and 4.x before 4.0.2, all ...) NOT-FOR-US: Adobe Flash Media Server CVE-2011-0611 (Adobe Flash Player before 10.2.154.27 on Windows, Mac OS X, Linux, and ...) NOT-FOR-US: Adobe Flash Player / Acrobat Reader CVE-2011-0610 (The CoolType library in Adobe Reader 9.x before 9.4.4 and 10.x through ...) NOT-FOR-US: Adobe Reader CVE-2011-0609 (Unspecified vulnerability in Adobe Flash Player 10.2.154.13 and earlie ...) NOT-FOR-US: Adobe Flash Player CVE-2011-0608 (Adobe Flash Player before 10.2.152.26 allows attackers to execute arbi ...) NOT-FOR-US: Adobe Flash Player CVE-2011-0607 (Adobe Flash Player before 10.2.152.26 allows attackers to execute arbi ...) NOT-FOR-US: Adobe Flash Player CVE-2011-0606 (Stack-based buffer overflow in rt3d.dll in Adobe Reader and Acrobat 10 ...) NOT-FOR-US: Adobe Reader CVE-2011-0605 (Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x ...) NOT-FOR-US: Adobe Reader CVE-2011-0604 (Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 1 ...) NOT-FOR-US: Adobe Reader CVE-2011-0603 (Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x ...) NOT-FOR-US: Adobe Reader CVE-2011-0602 (Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x ...) NOT-FOR-US: Adobe Reader CVE-2011-0601 REJECTED CVE-2011-0600 (The U3D component in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x ...) NOT-FOR-US: Adobe Reader CVE-2011-0599 (The Bitmap parsing component in rt3d.dll in Adobe Reader and Acrobat 1 ...) NOT-FOR-US: Adobe Reader CVE-2011-0598 (Integer overflow in ACE.dll in Adobe Reader and Acrobat 10.x before 10 ...) NOT-FOR-US: Adobe Reader CVE-2011-0597 REJECTED CVE-2011-0596 (The Bitmap parsing component in 2d.dll in Adobe Reader and Acrobat 10. ...) NOT-FOR-US: Adobe Reader CVE-2011-0595 (Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x ...) NOT-FOR-US: Adobe Reader CVE-2011-0594 (Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x ...) NOT-FOR-US: Adobe Reader CVE-2011-0593 (Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x ...) NOT-FOR-US: Adobe Reader CVE-2011-0592 (Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x ...) NOT-FOR-US: Adobe Reader CVE-2011-0591 (Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x ...) NOT-FOR-US: Adobe Reader CVE-2011-0590 (Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x ...) NOT-FOR-US: Adobe Reader CVE-2011-0589 (Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x ...) NOT-FOR-US: Adobe Reader CVE-2011-0588 (Untrusted search path vulnerability in Adobe Reader and Acrobat 10.x b ...) NOT-FOR-US: Adobe Reader CVE-2011-0587 (Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 1 ...) NOT-FOR-US: Adobe Reader CVE-2011-0586 (Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x ...) NOT-FOR-US: Adobe Reader CVE-2011-0585 (Unspecified vulnerability in Adobe Reader and Acrobat 10.x before 10.0 ...) NOT-FOR-US: Adobe Reader CVE-2011-0584 (Session fixation vulnerability in Adobe ColdFusion 8.0 through 9.0.1 a ...) NOT-FOR-US: Adobe ColdFusion CVE-2011-0583 (Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 8.0 throu ...) NOT-FOR-US: Adobe ColdFusion CVE-2011-0582 (Unspecified vulnerability in the administrator console in Adobe ColdFu ...) NOT-FOR-US: ColdFusion CVE-2011-0581 (Multiple CRLF injection vulnerabilities in Adobe ColdFusion 8.0 throug ...) NOT-FOR-US: Adobe ColdFusion CVE-2011-0580 (Multiple cross-site scripting (XSS) vulnerabilities in the administrat ...) NOT-FOR-US: Adobe ColdFusion CVE-2011-0579 (Adobe Flash Player before 10.3.181.14 on Windows, Mac OS X, Linux, and ...) NOT-FOR-US: Adobe Flash Player CVE-2011-0578 (Adobe Flash Player before 10.2.152.26 allows attackers to execute arbi ...) NOT-FOR-US: Adobe Flash Player CVE-2011-0577 (Unspecified vulnerability in Adobe Flash Player before 10.2.152.26 all ...) NOT-FOR-US: Adobe Flash Player CVE-2011-0576 REJECTED CVE-2011-0575 (Untrusted search path vulnerability in Adobe Flash Player before 10.2. ...) NOT-FOR-US: Adobe Flash Player CVE-2011-0574 (Adobe Flash Player before 10.2.152.26 allows attackers to execute arbi ...) NOT-FOR-US: Adobe Flash Player CVE-2011-0573 (Adobe Flash Player before 10.2.152.26 allows attackers to execute arbi ...) NOT-FOR-US: Adobe Flash Player CVE-2011-0572 (Adobe Flash Player before 10.2.152.26 allows attackers to execute arbi ...) NOT-FOR-US: Adobe Flash Player CVE-2011-0571 (Adobe Flash Player before 10.2.152.26 allows attackers to execute arbi ...) NOT-FOR-US: Adobe Flash Player CVE-2011-0570 (Untrusted search path vulnerability in Adobe Reader and Acrobat 10.x b ...) NOT-FOR-US: Adobe Reader CVE-2011-0569 (The Font Xtra.x32 module in Adobe Shockwave Player before 11.5.9.620 a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-0568 (Unspecified vulnerability in Adobe Reader and Acrobat 10.x before 10.0 ...) NOT-FOR-US: Adobe Reader CVE-2011-0567 (AcroRd32.dll in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x befor ...) NOT-FOR-US: Adobe Reader CVE-2011-0566 (Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x ...) NOT-FOR-US: Adobe Reader CVE-2011-0565 (Unspecified vulnerability in Adobe Reader and Acrobat 10.x before 10.0 ...) NOT-FOR-US: Adobe Reader CVE-2011-0564 (Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x ...) NOT-FOR-US: Adobe Reader CVE-2011-0563 (Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x ...) NOT-FOR-US: Adobe Reader CVE-2011-0562 (Untrusted search path vulnerability in Adobe Reader and Acrobat 10.x b ...) NOT-FOR-US: Adobe Reader CVE-2011-0561 (Adobe Flash Player before 10.2.152.26 allows attackers to execute arbi ...) NOT-FOR-US: Adobe Flash Player CVE-2011-0560 (Adobe Flash Player before 10.2.152.26 allows attackers to execute arbi ...) NOT-FOR-US: Adobe Flash Player CVE-2011-0559 (Adobe Flash Player before 10.2.152.26 allows attackers to execute arbi ...) NOT-FOR-US: Adobe Flash Player CVE-2011-0558 (Integer overflow in Adobe Flash Player before 10.2.152.26 allows attac ...) NOT-FOR-US: Adobe Flash Player CVE-2011-0557 (Integer overflow in Adobe Shockwave Player before 11.5.9.620 allows re ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-0556 (The Font Xtra.x32 module in Adobe Shockwave Player before 11.5.9.620 a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-0555 (The TextXtra.x32 module in Adobe Shockwave Player before 11.5.9.620 al ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-0554 (The management console in Symantec IM Manager before 8.4.18 allows rem ...) NOT-FOR-US: Symantec IM Manager CVE-2011-0553 (SQL injection vulnerability in the management console in Symantec IM M ...) NOT-FOR-US: Symantec IM Manager CVE-2011-0552 (Multiple cross-site scripting (XSS) vulnerabilities in the management ...) NOT-FOR-US: Symantec IM Manager CVE-2011-0551 (Cross-site request forgery (CSRF) vulnerability in the Web Interface i ...) NOT-FOR-US: Symantec Endpoint Protection CVE-2011-0550 (Multiple cross-site scripting (XSS) vulnerabilities in the Web Interfa ...) NOT-FOR-US: Symantec Endpoint Protection CVE-2011-0549 (SQL injection vulnerability in forget.php in the management GUI in Sym ...) NOT-FOR-US: Symantec Web Gateway CVE-2011-0548 (Buffer overflow in the Lotus Freelance Graphics PRZ file viewer in Aut ...) NOT-FOR-US: Lotus Freelance Graphics CVE-2011-0547 (Multiple integer overflows in vxsvc.exe in the Veritas Enterprise Admi ...) NOT-FOR-US: Veritas CVE-2011-0546 (Symantec Backup Exec 11.0, 12.0, 12.5, 13.0, and 13.0 R2 does not vali ...) NOT-FOR-US: Symantec Backup Exec CVE-2011-0545 (Cross-site request forgery (CSRF) vulnerability in adduser.do in Syman ...) NOT-FOR-US: Symantec LiveUpdate Administrator CVE-2011-0544 (phpbb 3.0.x-3.0.6 has an XSS vulnerability via the [flash] BB tag. ...) - phpbb3 3.0.7-PL1-5 (low; bug #612477) [squeeze] - phpbb3 (Minor issue) CVE-2011-0543 (Certain legacy functionality in fusermount in fuse 2.8.5 and earlier, ...) - fuse 2.8.5-1 (low; bug #624551) [squeeze] - fuse (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0541 CVE-2011-0542 (fusermount in fuse 2.8.5 and earlier does not perform a chdir to / bef ...) - fuse 2.8.5-1 (low; bug #624551) [squeeze] - fuse (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0541 CVE-2011-0541 (fuse 2.8.5 and earlier does not properly handle when /etc/mtab cannot ...) - fuse 2.8.5-1 (low; bug #624551) [squeeze] - fuse (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0541 CVE-2011-0540 REJECTED CVE-2011-0539 (The key_certify function in usr.bin/ssh/key.c in OpenSSH 5.6 and 5.7, ...) - openssh 1:5.8p1-2 [squeeze] - openssh (Only affects OpenSSH 5.6 and 5.7) [lenny] - openssh (Only affects OpenSSH 5.6 and 5.7) CVE-2011-0538 (Wireshark 1.2.0 through 1.2.14, 1.4.0 through 1.4.3, and 1.5.0 frees a ...) {DSA-2201-1} - wireshark 1.4.3-3 (low; bug #613202) CVE-2011-0537 (Multiple directory traversal vulnerabilities in (1) languages/Language ...) - mediawiki (Only affected when running on Windows or Novell Netware) CVE-2011-0536 (Multiple untrusted search path vulnerabilities in elf/dl-object.c in c ...) - eglibc 2.11.2-8 (bug #600667) - glibc (Lenny version not affected) CVE-2011-0535 (Cross-site request forgery (CSRF) vulnerability in the Users module in ...) NOT-FOR-US: zikula CVE-2011-0534 (Apache Tomcat 7.0.0 through 7.0.6 and 6.0.0 through 6.0.30 does not en ...) {DSA-2160-1} - tomcat5.5 (Vulnerable code not present) - tomcat6 6.0.28-10 (bug #612257) [lenny] - tomcat6 (Only ships the servlet package) CVE-2011-0533 (Cross-site scripting (XSS) vulnerability in Apache Continuum 1.1 throu ...) NOT-FOR-US: Apache Continuum CVE-2011-0532 (The (1) backup and restore scripts, (2) main initialization script, an ...) NOT-FOR-US: 389 LDAP server CVE-2011-0531 (demux/mkv/mkv.hpp in the MKV demuxer plugin in VideoLAN VLC media play ...) {DSA-2159-1} - vlc 1.1.7-1 (medium) [lenny] - vlc 0.8.6.h-4+lenny3 CVE-2011-0530 (Buffer overflow in the mainloop function in nbd-server.c in the server ...) {DSA-2183-1} - nbd 1:2.9.16-8 (bug #611187) [etch] - nbd (reintroduced in 2.9.0) CVE-2011-0529 (Weborf before 0.12.5 is affected by a Denial of Service (DOS) due to m ...) - weborf 0.12.5-1 CVE-2011-0528 (Puppet 2.6.0 through 2.6.3 does not properly restrict access to node r ...) - puppet 2.6.2-3 [lenny] - puppet (Only affects 2.6.x) CVE-2011-0527 (VMware vFabric tc Server (aka SpringSource tc Server) 2.0.x before 2.0 ...) NOT-FOR-US: VMware vFabric tc Server CVE-2011-0526 (Cross-site scripting (XSS) vulnerability in index.php in Vanilla Forum ...) NOT-FOR-US: Vanilla Forums CVE-2011-0525 (Batavi before 1.0 has CSRF. ...) NOT-FOR-US: Batavi CVE-2011-0524 (Multiple buffer overflows in the NMEA parser (nmea-gen.c) in gypsy 0.8 ...) - gypsy (bug #491723) CVE-2011-0523 (gypsy 0.8 does not properly restrict the files that can be read while ...) - gypsy (bug #491723) CVE-2011-0521 (The dvb_ca_ioctl function in drivers/media/dvb/ttpci/av7110_ca.c in th ...) {DSA-2153-1} - linux-2.6 2.6.37-2 [wheezy] - linux-2.6 2.6.32-31 [squeeze] - linux-2.6 2.6.32-31 CVE-2011-0519 (SQL injection vulnerability in gallery.php in Gallarific PHP Photo Gal ...) NOT-FOR-US: Gallarific CVE-2011-0518 (Directory traversal vulnerability in core/lib/router.php in LotusCMS F ...) NOT-FOR-US: LotusCMS CVE-2011-0517 (Stack-based buffer overflow in Sielco Sistemi Winlog Pro 2.07.00 and e ...) NOT-FOR-US: Winlog Pro CVE-2011-0516 (SQL injection vulnerability in mainx_a.php in E-PROMPT C BetMore Site ...) NOT-FOR-US: BetMore Site Suite CVE-2011-0515 (KisKrnl.sys 2011.1.13.89 and earlier in Kingsoft AntiVirus 2011 SP5.2 ...) NOT-FOR-US: Kingsoft AntiVirus CVE-2011-0514 (The RDS service (rds.exe) in HP Data Protector Manager 6.11 allows rem ...) NOT-FOR-US: HP Data Protector Manager CVE-2011-0513 (DCR.sys driver in SecurStar DriveCrypt 5.4, 5.3, and earlier allows lo ...) NOT-FOR-US: SecurStar DriveCrypt CVE-2011-0512 (SQL injection vulnerability in team.php in the Teams Structure module ...) NOT-FOR-US: PHP-Fusion CVE-2011-0511 (SQL injection vulnerability in the allCineVid component (com_allcinevi ...) NOT-FOR-US: Joomla! component CVE-2011-0510 (SQL injection vulnerability in cart.php in Advanced Webhost Billing Sy ...) NOT-FOR-US: Advanced Webhost Billing System CVE-2011-0509 (Cross-site scripting (XSS) vulnerability in Vaadin before 6.4.9 allows ...) NOT-FOR-US: Vaadin CVE-2011-0508 (Cross-site scripting (XSS) vulnerability in system/modules/comments/Co ...) NOT-FOR-US: Contao CMS CVE-2011-0507 (FTPService.exe in Blackmoon FTP 3.1 Build 1735 and Build 1736 (3.1.7.1 ...) NOT-FOR-US: Blackmoon FTP NOTE: Windows-only CVE-2011-0506 (Directory traversal vulnerability in modules/profile/user.php in Ax De ...) NOT-FOR-US: AxDCMS CVE-2011-0505 (Directory traversal vulnerability in system/system.php in Zwii 2.1.1, ...) NOT-FOR-US: Zwii CVE-2011-0504 (Multiple cross-site scripting (XSS) vulnerabilities in VaM Shop 1.6, 1 ...) NOT-FOR-US: VaM Shop CVE-2011-0503 (Cross-site request forgery (CSRF) vulnerability in VaM Shop 1.6, 1.6.1 ...) NOT-FOR-US: VaM Shop CVE-2011-0502 (Music Animation Machine MIDI Player 2006aug19 Release 035 and possibly ...) NOT-FOR-US: Music Animation Machine MIDI Player NOTE: Windows-only CVE-2011-0501 (Stack-based buffer overflow in Music Animation Machine MIDI Player 200 ...) NOT-FOR-US: Music Animation Machine MIDI Player NOTE: Windows-only CVE-2011-0500 (Buffer overflow in VideoSpirit Pro 1.6.8.1, 1.68, and earlier; and Vid ...) NOT-FOR-US: VideoSpirit Pro CVE-2011-0499 (Buffer overflow in VideoSpirit Pro 1.6.8.1 and possibly earlier versio ...) NOT-FOR-US: VideoSpirit Pro CVE-2011-0498 (Stack-based buffer overflow in Nokia Multimedia Player 1.00.55.5010, a ...) NOT-FOR-US: Nokia Multimedia Player CVE-2011-0497 (Directory traversal vulnerability in Sybase EAServer 6.x before 6.3 ES ...) NOT-FOR-US: Sybase EAServer CVE-2011-0496 (Unspecified vulnerability in Sybase EAServer 5.x and 6.x before 6.3 ES ...) NOT-FOR-US: Sybase EAServer CVE-2010-4703 (SQL injection vulnerability in default.asp in HotWebScripts HotWeb Ren ...) NOT-FOR-US: HotWebScripts HotWeb Rentals CVE-2010-4702 (SQL injection vulnerability in JRadio (com_jradio) component before 1. ...) NOT-FOR-US: Joomla component CVE-2010-4701 (Heap-based buffer overflow in the CDrawPoly::Serialize function in fxs ...) NOT-FOR-US: Microsoft Windows Fax Services Cover Page Editor CVE-2011-0495 (Stack-based buffer overflow in the ast_uri_encode function in main/uti ...) {DSA-2171-1} - asterisk 1:1.6.2.9-2+squeeze1 (bug #610487) CVE-2011-0494 (Directory traversal vulnerability in WebSEAL in IBM Tivoli Access Mana ...) NOT-FOR-US: IBM Tivoli Access Manager CVE-2011-0489 (The server components in Objectivity/DB 10.0 do not require authentica ...) NOT-FOR-US: Objectivity/DB CVE-2011-0488 (Stack-based buffer overflow in NTWebServer.exe in the test web service ...) NOT-FOR-US: NTWebServer CVE-2011-0487 (ICQ 7 does not verify the authenticity of updates, which allows man-in ...) NOT-FOR-US: ICQ CVE-2011-0486 (Cross-site scripting (XSS) vulnerability in cognos.cgi in IBM Cognos 8 ...) NOT-FOR-US: IBM Cognos CVE-2010-4700 (The set_magic_quotes_runtime function in PHP 5.3.2 and 5.3.3, when the ...) - php5 (vuln code in mysqlnd, we use libmysqlclient) CVE-2010-4699 (The iconv_mime_decode_headers function in the Iconv extension in PHP b ...) - php5 5.3.5-1 (unimportant) CVE-2010-4698 (Stack-based buffer overflow in the GD extension in PHP before 5.2.15 a ...) - php5 5.3.3-7 (unimportant) NOTE: Only exloitable with malicious script CVE-2010-4697 (Use-after-free vulnerability in the Zend engine in PHP before 5.2.15 a ...) {DSA-2408-1} - php5 5.3.5-1 (unimportant) NOTE: requires attacker to be able to execute code already CVE-2010-4696 (Multiple SQL injection vulnerabilities in Joomla! 1.5.x before 1.5.22 ...) NOT-FOR-US: Joomla! CVE-2009-5051 (Hastymail2 before RC 8 does not set the secure flag for the session co ...) - hastymail CVE-2011-0493 (Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha might allow remo ...) {DSA-2148-1} - tor 0.2.1.29-1 CVE-2011-0492 (Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha allows remote at ...) {DSA-2148-1} - tor 0.2.1.29-1 CVE-2011-0491 (The tor_realloc function in Tor before 0.2.1.29 and 0.2.2.x before 0.2 ...) {DSA-2148-1} - tor 0.2.1.29-1 CVE-2011-0490 (Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha makes calls to L ...) {DSA-2148-1} - tor 0.2.1.29-1 CVE-2011-XXXX [multiple spip issues] - spip 2.1.1-3 (bug #609212; bug #610016) CVE-2011-0485 (Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344 do n ...) - chromium-browser 9.0.597.45~r70550-1 [squeeze] - chromium-browser [wheezy] - chromium-browser 6.0.472.63~r59945-5+squeeze4 - webkit (chromium specific) CVE-2011-0484 (Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344 do n ...) - chromium-browser 6.0.472.63~r59945-5 - webkit (vulnerable code not present in 1.2) NOTE: http://trac.webkit.org/changeset/75082 NOTE: http://trac.webkit.org/changeset/75084 CVE-2011-0483 (Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344 do n ...) - chromium-browser 6.0.472.63~r59945-5 - webkit (vulnerable code not present in 1.2) NOTE: http://trac.webkit.org/changeset/74787 CVE-2011-0482 (Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344 do n ...) {DSA-2188-1} - chromium-browser 6.0.472.63~r59945-5 - webkit 1.2.7-1 NOTE: http://trac.webkit.org/changeset/74779 CVE-2011-0481 (Buffer overflow in Google Chrome before 8.0.552.237 and Chrome OS befo ...) - chromium-browser (Chrome PDF plugin) - webkit (Chrome PDF plugin) CVE-2011-0480 (Multiple buffer overflows in vorbis_dec.c in the Vorbis decoder in FFm ...) {DSA-2306-1} - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg (webm not supported yet) - ffmpeg-debian (webm not supported yet) - libav 4:0.6.1-1 (bug #610550) CVE-2011-0479 (Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344 do n ...) - chromium-browser 9.0.597.45~r70550-1 [squeeze] - chromium-browser [wheezy] - chromium-browser - webkit (chromium specific) CVE-2011-0478 (Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344 do n ...) - chromium-browser 6.0.472.63~r59945-5 NOTE: http://trac.webkit.org/changeset/74636 CVE-2011-0477 (Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344 do n ...) - chromium-browser 6.0.472.63~r59945-5 - webkit (chromium specific) CVE-2011-0476 (Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344 allo ...) - chromium-browser (Chrome PDF plugin) - webkit (Chrome PDF plugin) CVE-2011-0475 (Use-after-free vulnerability in Google Chrome before 8.0.552.237 and C ...) - chromium-browser (Chrome PDF plugin) - webkit (Chrome PDF plugin) CVE-2011-0474 (Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344 do n ...) - chromium-browser 6.0.472.63~r59945-5 NOTE: http://trac.webkit.org/changeset/74574 CVE-2011-0473 (Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344 do n ...) - chromium-browser 6.0.472.63~r59945-5 NOTE: http://trac.webkit.org/changeset/73927 NOTE: http://trac.webkit.org/changeset/73937 CVE-2011-0472 (Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344 do n ...) - chromium-browser (Chrome PDF plugin) - webkit (Chrome PDF plugin) CVE-2011-0471 (The node-iteration implementation in Google Chrome before 8.0.552.237 ...) - chromium-browser 6.0.472.63~r59945-5 NOTE: http://trac.webkit.org/changeset/73559 NOTE: http://trac.webkit.org/changeset/73620 CVE-2011-0470 (Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344 do n ...) - chromium-browser 9.0.597.45~r70550-1 [squeeze] - chromium-browser [wheezy] - chromium-browser - webkit (chromium specific) CVE-2011-0469 (Code injection in openSUSE when running some source services used in t ...) - open-build-service (Fixed before initial upload to Debian) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=679325 NOTE: Main fix: https://github.com/openSUSE/open-build-service/commit/76b0ab003f34435ca90d943e02dd22279cdeec2a NOTE: Secondary fix: https://github.com/openSUSE/open-build-service/commit/23c8d21c75242999e29379e6ca8418a14c8725c6 CVE-2011-0468 (The aaa_base package before 11.3-8.9.1 in SUSE openSUSE 11.3, and befo ...) NOT-FOR-US: OpenSUSE aaa_base package CVE-2011-0467 (A vulnerability in the listing of available software of SUSE Studio On ...) NOT-FOR-US: SUSE Studio Onsite CVE-2011-0466 (The API in SUSE openSUSE Build Service (OBS) 2.0.x before 2.0.8 and 2. ...) NOT-FOR-US: openSUSE Build Service CVE-2011-0465 (xrdb.c in xrdb before 1.0.9 in X.Org X11R7.6 and earlier allows remote ...) {DSA-2213-1} - x11-xserver-utils 7.6+2 (low; bug #621423) NOTE: http://cgit.freedesktop.org/xorg/app/xrdb/commit/?id=1027d5df07398c1507fb1fe3a9981aa6b4bc3a56 NOTE: low as this is not enabled in a standard setup CVE-2011-0464 (Unspecified vulnerability in Novell Vibe OnPrem 3.0 before Hot Patch 1 ...) NOT-FOR-US: Novell Vibe OnPrem CVE-2011-0463 (The ocfs2_prepare_page_for_write function in fs/ocfs2/aops.c in the Or ...) - linux-2.6 2.6.39-1 [squeeze] - linux-2.6 2.6.32-34 CVE-2011-0462 (Multiple cross-site scripting (XSS) vulnerabilities in the login page ...) NOT-FOR-US: openSUSE Build Service CVE-2011-0461 (/etc/init.d/boot.localfs in the aaa_base package before 11.2-43.48.1 i ...) NOT-FOR-US: OpenSUSE aaa_base package CVE-2011-0460 (The init script in kbd, possibly 1.14.1 and earlier, allows local user ...) - kbd (SUSE-specific) CVE-2011-0459 (Cross-site scripting (XSS) vulnerability in Cyber-Ark Password Vault W ...) NOT-FOR-US: Cyber-Ark CVE-2011-0458 (Untrusted search path vulnerability in the Locate on Disk feature in G ...) NOT-FOR-US: Google Picasa CVE-2011-0457 (Cross-site scripting (XSS) vulnerability in e107 0.7.22 and earlier al ...) NOT-FOR-US: e107 CVE-2011-0456 (webscript.pl in Open Ticket Request System (OTRS) 2.3.4 and earlier al ...) - otrs2 2.4.5-1 CVE-2011-0455 (Cross-site scripting (XSS) vulnerability in Things BBS before 2.0.3 an ...) NOT-FOR-US: Things BBS CVE-2011-0454 (Buffer overflow in the PPP Access Concentrator (PPPAC) on the SEIL/x86 ...) NOT-FOR-US: PPP Access Concentrator CVE-2011-0453 (F-Secure Internet Gatekeeper for Linux 3.x before 3.03 does not requir ...) NOT-FOR-US: F-Secure Internet Gatekeeper CVE-2011-0452 (Untrusted search path vulnerability in the script function in Lunascap ...) NOT-FOR-US: Lunascape CVE-2011-0451 (Multiple cross-site scripting (XSS) vulnerabilities in (1) data/Smarty ...) NOT-FOR-US: EC-CUBE CVE-2011-0450 (The downloads manager in Opera before 11.01 on Windows does not proper ...) NOT-FOR-US: Opera CVE-2011-0449 (actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x ...) - rails (Only affects 3.x) CVE-2011-0448 (Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the ...) - rails (Only affects 3.x) CVE-2011-0447 (Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3. ...) {DSA-2247-1} - rails 2.3.11-0.1 (bug #614864) CVE-2011-0446 (Multiple cross-site scripting (XSS) vulnerabilities in the mail_to hel ...) {DSA-2247-1} - rails 2.3.11-0.1 (bug #614864) CVE-2010-4695 (A certain Fedora patch for gif2png.c in gif2png 2.5.1 and 2.5.2, as di ...) - gif2png 2.5.4-2 (low; bug #610479) [lenny] - gif2png (Minor issue) [squeeze] - gif2png (Minor issue) CVE-2010-4694 (Buffer overflow in gif2png.c in gif2png 2.5.3 and earlier might allow ...) - gif2png 2.5.4-2 (low; bug #610479) [lenny] - gif2png (Minor issue) [squeeze] - gif2png (Minor issue) CVE-2008-7271 (Multiple cross-site scripting (XSS) vulnerabilities in the Help Conten ...) - eclipse (Fixed before the version now in Squeeze) CVE-2011-0426 (Directory traversal vulnerability in vCenter Server in VMware vCenter ...) NOT-FOR-US: VMware CVE-2011-0445 (The ASN.1 BER dissector in Wireshark 1.4.0 through 1.4.2 allows remote ...) - wireshark (Only affects Wireshark 1.4, fixed in experimental) CVE-2011-0444 (Buffer overflow in the MAC-LTE dissector (epan/dissectors/packet-mac-l ...) - wireshark 1.2.11-6 [lenny] - wireshark (Vulnerable code not present) CVE-2011-0443 (SQL injection vulnerability in inc/tinybb-settings.php in tinyBB 1.2, ...) NOT-FOR-US: tinyBB CVE-2011-0442 (The service utility in EMC Avamar 5.x before 5.0.4 uses cleartext to t ...) NOT-FOR-US: EMC Avamar CVE-2011-0441 (The Debian GNU/Linux /etc/cron.d/php5 cron job for PHP 5.3.5 allows lo ...) {DSA-2195-1} - php5 5.3.6-1 (bug #618489) NOTE: Debian-specific CVE-2011-0440 (Cross-site request forgery (CSRF) vulnerability in Mahara 1.2.x before ...) {DSA-2206-1} - mahara 1.2.7-1 CVE-2011-0439 (Cross-site scripting (XSS) vulnerability in Mahara 1.2.x before 1.2.7 ...) {DSA-2206-1} - mahara 1.2.7-1 CVE-2011-0438 (nslcd/pam.c in the nss-pam-ldapd 0.8.0 PAM module returns a success co ...) - nss-pam-ldapd (Only affects 0.8.0, which was only uploaded to experimental) CVE-2011-0437 (shared/inc/sql/ssh.php in the SSH accounts management implementation i ...) {DSA-2179-1} - dtc 0.32.10-1 CVE-2011-0436 (The register_user function in client/new_account_form.php in Domain Te ...) {DSA-2179-1} - dtc 0.32.10-1 (bug #614302) CVE-2011-0435 (Domain Technologie Control (DTC) before 0.32.9 does not require authen ...) {DSA-2179-1} - dtc 0.32.10-1 CVE-2011-0434 (Multiple SQL injection vulnerabilities in Domain Technologie Control ( ...) {DSA-2179-1} - dtc 0.32.10-1 CVE-2011-0433 (Heap-based buffer overflow in the linetoken function in afmparse.c in ...) {DSA-2388-1} - evince 2.32.0-1 (bug #614668) [squeeze] - evince 2.30.3-2+squeeze1 - vftool 2.0alpha-4.1 (low; bug #614669) [squeeze] - vftool 2.0alpha-4+squeeze1 [lenny] - vftool 2.0alpha-3+lenny1 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=640923 - t1lib 5.1.2-3.5 [lenny] - t1lib 5.1.2-3+lenny1 [squeeze] - t1lib 5.1.2-3+squeeze1 NOTE: vuln source file is lib/t1lib/parseAFM.c, which differs slightly from evince's afmparse.c in the affected areas but it is indeed affected NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=640923 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=643882 CVE-2011-0432 (Multiple SQL injection vulnerabilities in the get_userinfo method in t ...) {DSA-2177-1} - pywebdav 0.9.4-3 CVE-2011-0431 (The afs_linux_lock function in afs/LINUX/osi_vnodeops.c in the kernel ...) {DSA-2168-1} - openafs 1.4.14+dfsg-1 CVE-2011-0430 (Double free vulnerability in the Rx server process in OpenAFS 1.4.14, ...) {DSA-2168-1} - openafs 1.4.14+dfsg-1 CVE-2011-0429 RESERVED CVE-2011-0428 (Cross Site Scripting (XSS) in ikiwiki before 3.20110122 could allow re ...) - ikiwiki 3.20110122 [squeeze] - ikiwiki 3.20100815.5 [lenny] - ikiwiki (Vulnerable code not present) NOTE: https://ikiwiki.info/security/#index38h2 CVE-2011-0427 (Heap-based buffer overflow in Tor before 0.2.1.29 and 0.2.2.x before 0 ...) {DSA-2148-1} - tor 0.2.1.29-1 CVE-2011-0425 RESERVED CVE-2011-0424 RESERVED CVE-2011-0423 (The PolyVision RoomWizard with firmware 3.2.3 has a default password o ...) NOT-FOR-US: PolyVision RoomWizard CVE-2011-0422 RESERVED CVE-2011-0421 (The _zip_name_locate function in zip_name_locate.c in the Zip extensio ...) {DSA-2266-1} - php5 5.3.6-1 NOTE: http://svn.php.net/viewvc?view=revision&revision=307867 - libzip 0.10-1 (low) [squeeze] - libzip (Minor issue) NOTE: http://hg.nih.at/libzip/?fd=13654bfdc88c;file=lib/zip_name_locate.c CVE-2011-0420 (The grapheme_extract function in the Internationalization extension (I ...) {DSA-2266-1} - php5 5.3.6-1 (unimportant) [lenny] - php5 (intl extension added in 5.3) NOTE: Only triggerable through malicious script NOTE: http://svn.php.net/viewvc?view=revision&revision=306449 CVE-2011-0419 (Stack consumption vulnerability in the fnmatch implementation in apr_f ...) {DSA-2237-2} - apr 1.4.4-1 (low) CVE-2011-0418 (The glob implementation in Pure-FTPd before 1.0.32, and in libc in Net ...) - pure-ftpd 1.0.32-1 (unimportant) NOTE: The attack could not be reproduced on Linux. The upstream change from 1.0.32 NOTE: only disables GLOB_BRACE, possibly to protect installations with a vulnerable libc CVE-2011-0417 RESERVED CVE-2011-0416 RESERVED CVE-2011-0415 RESERVED CVE-2011-0414 (ISC BIND 9.7.1 through 9.7.2-P3, when configured as an authoritative s ...) {DSA-2208-1} - bind9 1:9.7.3.dfsg-1 (bug #601830) [lenny] - bind9 (Introduced in 9.7.1) CVE-2011-0413 (The DHCPv6 server in ISC DHCP 4.0.x and 4.1.x before 4.1.2-P1, 4.0-ESV ...) {DSA-2184-1} - isc-dhcp 4.1.1-P1-16 (bug #611217) - dhcp3 (vuln code introduced in 4.0) - dhcp (vuln code introduced in 4.0) NOTE: maintainer is aware NOTE: http://www.isc.org/software/dhcp/advisories/cve-2011-0413 CVE-2011-0412 (Oracle Solaris 8, 9, and 10 stores back-out patch files (undo.Z) unenc ...) NOT-FOR-US: Oracle Solaris CVE-2011-0411 (The STARTTLS implementation in Postfix 2.4.x before 2.4.16, 2.5.x befo ...) {DSA-2233-1} - postfix 2.8.0-1 (bug #617849) NOTE: http://www.securityfocus.com/archive/1/516901/30/0/threaded NOTE: http://www.postfix.org/announcements/postfix-2.7.3.html NOTE: http://www.postfix.org/CVE-2011-0411.html NOTE: http://www.kb.cert.org/vuls/id/MAPG-8D9M5Q CVE-2011-0410 (CollabNet ScrumWorks Basic 1.8.4 uses cleartext credentials for networ ...) NOT-FOR-US: CollabNet ScrumWorks Basic CVE-2011-0409 RESERVED CVE-2011-0408 (pngrtran.c in libpng 1.5.x before 1.5.1 allows remote attackers to cau ...) - libpng (vulnerable code introduced in 1.5.0, not packaged) CVE-2011-0407 (SQL injection vulnerability in the store function in _phenotype/system ...) NOT-FOR-US: Phenotype CMS CVE-2011-0406 (Heap-based buffer overflow in HistorySvr.exe in WellinTech KingView 6. ...) NOT-FOR-US: WellinTech KingView CVE-2011-0405 (Directory traversal vulnerability in module.php in PhpGedView 4.2.3 an ...) - phpgedview CVE-2011-0404 (Stack-based buffer overflow in NetSupport Manager Agent for Linux 11.0 ...) NOT-FOR-US: NetSupport Manager Agent for Linux CVE-2011-0403 (Untrusted search path vulnerability in ImgBurn.exe in ImgBurn 2.4.0.0, ...) NOT-FOR-US: ImgBurn CVE-2011-0402 (dpkg-source in dpkg before 1.14.31 and 1.15.x allows user-assisted rem ...) {DSA-2142-1} - dpkg 1.15.8.8 CVE-2011-0401 (Piwik before 1.1 does not properly limit the number of files stored un ...) - piwik (bug #506933) CVE-2011-0400 (Cookie.php in Piwik before 1.1 does not set the secure flag for the se ...) - piwik (bug #506933) CVE-2011-0399 (Piwik before 1.1 does not prevent the rendering of the login form insi ...) - piwik (bug #506933) CVE-2011-0398 (The Piwik_Common::getIP function in Piwik before 1.1 does not properly ...) - piwik (bug #506933) CVE-2010-4693 (Multiple cross-site scripting (XSS) vulnerabilities in Coppermine Phot ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2011-0397 RESERVED CVE-2011-0396 (Cisco Adaptive Security Appliances (ASA) 5500 series devices with soft ...) NOT-FOR-US: Cisco CVE-2011-0395 (Cisco Adaptive Security Appliances (ASA) 5500 series devices with soft ...) NOT-FOR-US: Cisco CVE-2011-0394 (Cisco Adaptive Security Appliances (ASA) 5500 series devices with soft ...) NOT-FOR-US: Cisco CVE-2011-0393 (Cisco Adaptive Security Appliances (ASA) 5500 series devices with soft ...) NOT-FOR-US: Cisco CVE-2011-0392 (Cisco TelePresence Recording Server devices with software 1.6.x do not ...) NOT-FOR-US: Cisco CVE-2011-0391 (Cisco TelePresence Recording Server devices with software 1.6.x allow ...) NOT-FOR-US: Cisco CVE-2011-0390 (The XML-RPC implementation on Cisco TelePresence Multipoint Switch (CT ...) NOT-FOR-US: Cisco CVE-2011-0389 (Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0. ...) NOT-FOR-US: Cisco CVE-2011-0388 (Cisco TelePresence Recording Server devices with software 1.6.x and Ci ...) NOT-FOR-US: Cisco CVE-2011-0387 (The administrative web interface on Cisco TelePresence Multipoint Swit ...) NOT-FOR-US: Cisco CVE-2011-0386 (The XML-RPC implementation on Cisco TelePresence Recording Server devi ...) NOT-FOR-US: Cisco CVE-2011-0385 (The administrative web interface on Cisco TelePresence Recording Serve ...) NOT-FOR-US: Cisco CVE-2011-0384 (The Java Servlet framework on Cisco TelePresence Multipoint Switch (CT ...) NOT-FOR-US: Cisco CVE-2011-0383 (The Java Servlet framework on Cisco TelePresence Recording Server devi ...) NOT-FOR-US: Cisco CVE-2011-0382 (The CGI subsystem on Cisco TelePresence Recording Server devices with ...) NOT-FOR-US: Cisco CVE-2011-0381 (Cisco TelePresence Manager 1.2.x through 1.6.x allows remote attackers ...) NOT-FOR-US: Cisco CVE-2011-0380 (Cisco TelePresence Manager 1.2.x through 1.6.x allows remote attackers ...) NOT-FOR-US: Cisco CVE-2011-0379 (Buffer overflow on Cisco Adaptive Security Appliances (ASA) 5500 serie ...) NOT-FOR-US: Cisco CVE-2011-0378 (The XML-RPC implementation on Cisco TelePresence endpoint devices with ...) NOT-FOR-US: Cisco CVE-2011-0377 (Cisco TelePresence endpoint devices with software 1.2.x through 1.6.x ...) NOT-FOR-US: Cisco CVE-2011-0376 (The TFTP implementation on Cisco TelePresence endpoint devices with so ...) NOT-FOR-US: Cisco CVE-2011-0375 (The CGI implementation on Cisco TelePresence endpoint devices with sof ...) NOT-FOR-US: Cisco CVE-2011-0374 (The CGI implementation on Cisco TelePresence endpoint devices with sof ...) NOT-FOR-US: Cisco CVE-2011-0373 (The CGI implementation on Cisco TelePresence endpoint devices with sof ...) NOT-FOR-US: Cisco CVE-2011-0372 (The CGI implementation on Cisco TelePresence endpoint devices with sof ...) NOT-FOR-US: Cisco CVE-2011-0371 RESERVED CVE-2011-0370 RESERVED CVE-2011-0369 RESERVED CVE-2011-0368 RESERVED CVE-2011-0367 RESERVED CVE-2011-0366 RESERVED CVE-2011-0365 RESERVED CVE-2011-0364 (The Management Console (webagent.exe) in Cisco Security Agent 5.1, 5.2 ...) NOT-FOR-US: Cisco Security Agent Management CVE-2011-0363 RESERVED CVE-2011-0362 RESERVED CVE-2011-0361 RESERVED CVE-2011-0360 RESERVED CVE-2011-0359 RESERVED CVE-2011-0358 RESERVED CVE-2011-0357 RESERVED CVE-2011-0356 RESERVED CVE-2011-0355 (Cisco Nexus 1000V Virtual Ethernet Module (VEM) 4.0(4) SV1(1) through ...) NOT-FOR-US: Cisco CVE-2011-0354 (The default configuration of Cisco Tandberg C Series Endpoints, and Ta ...) NOT-FOR-US: Cisco CVE-2011-0353 RESERVED CVE-2011-0352 (Buffer overflow in the web-based management interface on the Cisco Lin ...) NOT-FOR-US: Linksys router CVE-2011-0351 RESERVED CVE-2011-0350 (Unspecified vulnerability in Cisco IOS 12.4(24)MD before 12.4(24)MD2 o ...) NOT-FOR-US: Cisco IOS CVE-2011-0349 (Unspecified vulnerability in Cisco IOS 12.4(24)MD before 12.4(24)MD2 o ...) NOT-FOR-US: Cisco IOS CVE-2011-0348 (Cisco IOS 12.4(11)MD, 12.4(15)MD, 12.4(22)MD, 12.4(24)MD before 12.4(2 ...) NOT-FOR-US: Cisco IOS CVE-2011-0347 (Microsoft Internet Explorer on Windows XP allows remote attackers to t ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-0346 (Use-after-free vulnerability in the ReleaseInterface function in MSHTM ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-0345 (Directory traversal vulnerability in the NMS server in Alcatel-Lucent ...) NOT-FOR-US: Alcatel-Lucent OmniVista CVE-2011-0344 (Multiple stack-based buffer overflows in unspecified CGI programs in t ...) NOT-FOR-US: Unified Maintenance Tool CVE-2011-0342 (Multiple buffer overflows in the InduSoft ISSymbol ActiveX control in ...) NOT-FOR-US: InduSoft ISSymbol ActiveX CVE-2011-0341 (Stack-based buffer overflow in the pdfmoz_onmouse function in apps/moz ...) NOT-FOR-US: MuPDF plug-in for Firefox CVE-2011-0340 (Multiple buffer overflows in the ISSymbol ActiveX control in ISSymbol. ...) NOT-FOR-US: ISSymbol.ocx CVE-2011-0339 RESERVED CVE-2011-0338 RESERVED CVE-2011-0337 RESERVED CVE-2011-0336 RESERVED CVE-2011-0335 (Dirapi.dll in Adobe Shockwave Player before 11.6.0.626 allows attacker ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-0334 (Stack-based buffer overflow in gwia.exe in GroupWise Internet Agent (G ...) NOT-FOR-US: Novell GroupWise CVE-2011-0333 (Heap-based buffer overflow in the NgwiCalVTimeZoneBody::ParseSelf func ...) NOT-FOR-US: Novell GroupWise CVE-2011-0332 (Integer overflow in Foxit Reader before 4.3.1.0218 and Foxit Phantom b ...) NOT-FOR-US: Foxit Reader CVE-2011-0331 (Use-after-free vulnerability in the addOSPLext method in the Honeywell ...) NOT-FOR-US: Honeywell ScanServer CVE-2011-0330 (The Dell DellSystemLite.Scanner ActiveX control in DellSystemLite.ocx ...) NOT-FOR-US: Dell System Lite CVE-2011-0329 (Directory traversal vulnerability in the GetData method in the Dell De ...) NOT-FOR-US: Dell System Lite CVE-2011-0328 RESERVED CVE-2011-0327 RESERVED CVE-2011-0326 RESERVED CVE-2011-0325 RESERVED CVE-2011-0324 (Multiple heap-based buffer overflows in Topaz Systems SigPlus Pro Acti ...) NOT-FOR-US: Topaz Systems SigPlus CVE-2011-0323 (Topaz Systems SigPlus Pro ActiveX Control 3.95, and possibly other ver ...) NOT-FOR-US: Topaz Systems SigPlus CVE-2011-0322 (Unspecified vulnerability in EMC RSA Access Manager Server 5.5.x, 6.0. ...) NOT-FOR-US: EMC RSA Access Manager Server CVE-2011-0321 (librpc.dll in nsrexecd in EMC NetWorker before 7.5 SP4, 7.5.3.x before ...) NOT-FOR-US: EMC NetWorker CVE-2011-0320 (Dirapi.dll in Adobe Shockwave Player before 11.6.0.626 allows attacker ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-0319 (Dirapi.dll in Adobe Shockwave Player before 11.6.0.626 allows attacker ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-0318 (Dirapi.dll in Adobe Shockwave Player before 11.6.0.626 allows attacker ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-0317 (Dirapi.dll in Adobe Shockwave Player before 11.6.0.626 allows attacker ...) NOT-FOR-US: Adobe Shockwave Player CVE-2011-0316 (The Administrative Console component in IBM WebSphere Application Serv ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2011-0315 (Cross-site scripting (XSS) vulnerability in the Servlet Engine / Web C ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2011-0314 (Heap-based buffer overflow in IBM WebSphere MQ 6.0 before 6.0.2.11 and ...) NOT-FOR-US: IBM WebSphere MQ CVE-2011-0313 RESERVED CVE-2011-0312 RESERVED CVE-2011-0311 (The class file parser in IBM Java before 1.4.2 SR13 FP9, as used in IB ...) NOT-FOR-US: IBM Java CVE-2011-0310 (Buffer overflow in IBM WebSphere MQ 7.0 before 7.0.1.4 allows remote a ...) NOT-FOR-US: IBM WebSphere MQ CVE-2011-0309 RESERVED CVE-2011-0308 RESERVED CVE-2011-0307 RESERVED CVE-2011-0306 RESERVED CVE-2011-0305 RESERVED CVE-2011-0304 RESERVED CVE-2011-0303 RESERVED CVE-2011-0302 RESERVED CVE-2011-0301 RESERVED CVE-2011-0300 RESERVED CVE-2011-0299 RESERVED CVE-2011-0298 RESERVED CVE-2011-0297 RESERVED CVE-2011-0296 RESERVED CVE-2011-0295 RESERVED CVE-2011-0294 RESERVED CVE-2011-0293 RESERVED CVE-2011-0292 RESERVED CVE-2011-0291 (The BlackBerry PlayBook service on the Research In Motion (RIM) BlackB ...) NOT-FOR-US: BlackBarry PlayBook CVE-2011-0290 (The BlackBerry Collaboration Service in Research In Motion (RIM) Black ...) NOT-FOR-US: BlackBerry Enterprise Server CVE-2011-0289 RESERVED CVE-2011-0288 RESERVED CVE-2011-0287 (Unspecified vulnerability in the BlackBerry Administration API in Rese ...) NOT-FOR-US: BlackBerry products CVE-2011-0286 (Cross-site scripting (XSS) vulnerability in webdesktop/app in the Blac ...) NOT-FOR-US: BlackBerry Enterprise Server CVE-2010-4692 (Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2010-4691 (Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2010-4690 (The Mobile User Security (MUS) service on Cisco Adaptive Security Appl ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2010-4689 (Cisco Adaptive Security Appliances (ASA) 5500 series devices with soft ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2010-4688 (Unspecified vulnerability in the SIP inspection feature on Cisco Adapt ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2010-4687 (STCAPP (aka the SCCP telephony control application) on Cisco IOS befor ...) NOT-FOR-US: Cisco IOS CVE-2010-4686 (CallManager Express (CME) on Cisco IOS before 15.0(1)XA1 does not prop ...) NOT-FOR-US: Cisco IOS CVE-2010-4685 (Cisco IOS before 15.0(1)XA1 does not clear the public key cache upon a ...) NOT-FOR-US: Cisco IOS CVE-2010-4684 (Cisco IOS before 15.0(1)XA1, when certain TFTP debugging is enabled, a ...) NOT-FOR-US: Cisco IOS CVE-2010-4683 (Memory leak in Cisco IOS before 15.0(1)XA5 might allow remote attacker ...) NOT-FOR-US: Cisco IOS CVE-2010-4682 (Memory leak on Cisco Adaptive Security Appliances (ASA) 5500 series de ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2010-4681 (Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2010-4680 (The WebVPN implementation on Cisco Adaptive Security Appliances (ASA) ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2010-4679 (Cisco Adaptive Security Appliances (ASA) 5500 series devices with soft ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2010-4678 (Cisco Adaptive Security Appliances (ASA) 5500 series devices with soft ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2010-4677 (emWEB on Cisco Adaptive Security Appliances (ASA) 5500 series devices ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2010-4676 (Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2010-4675 (Cisco Adaptive Security Appliances (ASA) 5500 series devices with soft ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2010-4674 (Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2010-4673 (Cisco Adaptive Security Appliances (ASA) 5500 series devices with soft ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2010-4672 (Cisco Adaptive Security Appliances (ASA) 5500 series devices with soft ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2010-4671 (The Neighbor Discovery (ND) protocol implementation in the IPv6 stack ...) NOT-FOR-US: Cisco IOS CVE-2010-4670 (The Neighbor Discovery (ND) protocol implementation in the IPv6 stack ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2010-4669 (The Neighbor Discovery (ND) protocol implementation in the IPv6 stack ...) NOT-FOR-US: Microsoft Windows CVE-2009-5040 (CallManager Express (CME) on Cisco IOS before 15.0(1)XA allows remote ...) NOT-FOR-US: Cisco IOS CVE-2009-5039 (Memory leak in the gk_circuit_info_do_in_acf function in the H.323 imp ...) NOT-FOR-US: Cisco IOS CVE-2009-5038 (Cisco IOS before 15.0(1)XA does not properly handle IRC traffic during ...) NOT-FOR-US: Cisco IOS CVE-2009-5037 (Cisco Adaptive Security Appliances (ASA) 5500 series devices with soft ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2011-XXXX - xdigger (bug #609096) [lenny] - xdigger 1.0.10-13+lenny1 NOTE: CVE ID requested CVE-2010-4645 (strtod.c, as used in the zend_strtod function in PHP 5.2 before 5.2.17 ...) - php5 5.3.3-7 (high) [lenny] - php5 NOTE: lenny10 includes a test for the bug. With lenny's toolchain NOTE: and settings, the bug can't be reproduced. CVE-2011-XXXX [Crash with long HOME environment variable] - toppler 1.1.4-2 (unimportant; bug #608979) NOTE: Negligible privilege escalation CVE-2011-XXXX [Crash with long HOME environment variable] - lbreakout2 (unimportant; bug #608980) NOTE: sgid games is dropped before buffer overflow CVE-2011-XXXX [Crash with long GGI_DISPLAY environment variable] - libggi (bug #608981) [squeeze] - libggi (Minor issue) CVE-2011-0343 (Balabit syslog-ng 2.0, 3.0, 3.1, 3.2 OSE and PE, when running on FreeB ...) - syslog-ng 3.1.3-2 (bug #608491) [lenny] - syslog-ng (2.0 not affected, also Freebsd-specific, which is not supported in Lenny anyway) CVE-2010-XXXX [XSS in ftpls] - ftpcopy 0.6.7-3 (bug #607494) [squeeze] - ftpcopy (Minor issue) [lenny] - ftpcopy (Minor issue) NOTE: CVE ID requested CVE-2011-0285 (The process_chpw_request function in schpw.c in the password-changing ...) - krb5 1.9.1+dfsg-1 (bug #622681) [squeeze] - krb5 1.8.3+dfsg-4squeeze1 [lenny] - krb5 (see below) NOTE: 1.6 is not affected: While the error case in the process_chpw_request() NOTE: in kadmind in 1.6 can leave the data pointer uninitialized, the error NOTE: path in its caller will not free() that pointer (the invalid pointer NOTE: goes out of scope without being freed), unlike in krb5-1.7 and later. NOTE: Those later releases add support for password changing over TCP, and NOTE: the error path in the TCP handling code is what frees the NOTE: uninitialized pointer. (Clarification by Tom Yu) CVE-2011-0284 (Double free vulnerability in the prepare_error_as function in do_as_re ...) - krb5 1.8.3+dfsg-6 (low; bug #618517) [squeeze] - krb5 1.8.3+dfsg-4squeeze1 [lenny] - krb5 (Will be fixed through a point update) CVE-2011-0283 (The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.9 all ...) - krb5 (Only affects 1.9.x) [squeeze] - krb5 (minor issue) [lenny] - krb5 (minor issue) CVE-2011-0282 (The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.6.x t ...) - krb5 1.8.3+dfsg-5 [squeeze] - krb5 1.8.3+dfsg-4squeeze1 [lenny] - krb5 (Will be fixed in a point update) CVE-2011-0281 (The unparse implementation in the Key Distribution Center (KDC) in MIT ...) - krb5 1.8.3+dfsg-5 [squeeze] - krb5 1.8.3+dfsg-4squeeze1 [lenny] - krb5 (Will be fixed in a point update) CVE-2010-4668 (The blk_rq_map_user_iov function in block/blk-map.c in the Linux kerne ...) {DSA-2153-1} - linux-2.6 2.6.32-29 CVE-2010-4667 (Cross-site scripting (XSS) vulnerability in Coppermine Photo Gallery ( ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2010-4666 (Buffer overflow in libarchive 3.0 pre-release code allows remote attac ...) - libarchive 3.0.4-2 (bug #669197) [squeeze] - libarchive (no cab support prior to 3.0) NOTE: http://code.google.com/p/libarchive/source/detail?r=488ef3fb28c416285ebe4c00266268db7330466b NOTE: Might be fixed earlier than 3.0.4-2, but was tested against the Wheezy version CVE-2010-4665 (Integer overflow in the ReadDirectory function in tiffdump.c in tiffdu ...) {DSA-2552-1} - tiff (vulnerable code not present) - tiff3 3.9.5 CVE-2010-4664 (In ConsoleKit before 0.4.2, an intended security policy restriction by ...) - consolekit 0.4.2-1 (low) [squeeze] - consolekit (Minor issue) CVE-2010-4663 (Unspecified vulnerability in the News module in CMS Made Simple (CMSMS ...) NOT-FOR-US: CMS Made Simple CVE-2010-4662 (PmWiki before 2.2.21 has XSS. ...) NOT-FOR-US: pmwiki CVE-2010-4661 (udisks before 1.0.3 allows a local user to load arbitrary Linux kernel ...) - udisks 1.0.3-1 [squeeze] - udisks (Minor issue) NOTE: upstream bug https://bugs.freedesktop.org/show_bug.cgi?id=32232 NOTE: fixed by http://cgit.freedesktop.org/udisks/commit/?id=c933a929f07421ec747cebb24d5e620fc2b97037 CVE-2010-4660 (Unspecified vulnerability in statusnet through 2010 due to the way add ...) - statusnet (bug #491723) CVE-2010-4659 (Cross-site scripting (XSS) vulnerability in statusnet through 2010 in ...) - statusnet (bug #491723) CVE-2010-4658 (statusnet through 2010 allows attackers to spoof syslog messages via n ...) - statusnet (bug #491723) CVE-2010-4657 (PHP5 before 5.4.4 allows passing invalid utf-8 strings via the xmlText ...) - php5 5.4.4-1 (low) [squeeze] - php5 (Minor issue) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=631551 NOTE: Not sure when this was initially fixed, tested with the initial Wheezy version 5.4.4 NOTE: and the reproducer from https://bugs.launchpad.net/php/%2Bbug/655442 CVE-2010-4656 (The iowarrior_write function in drivers/usb/misc/iowarrior.c in the Li ...) {DSA-2153-1} - linux-2.6 2.6.37-1 [wheezy] - linux-2.6 2.6.32-31 [squeeze] - linux-2.6 2.6.32-31 CVE-2010-4655 (net/core/ethtool.c in the Linux kernel before 2.6.36 does not initiali ...) {DSA-2264-1} - linux-2.6 2.6.32-27 CVE-2010-4654 (poppler before 0.16.3 has malformed commands that may cause corruption ...) - kdegraphics (no stackheight) - xpdf (no stackheight) - poppler 0.16.3-1 [lenny] - poppler (stackheights introduced after 0.12) [squeeze] - poppler (stackheights introduced after 0.12) NOTE: http://cgit.freedesktop.org/poppler/poppler/commit/?id=8284008aa8230a92ba08d547864353d3290e9bf9 CVE-2010-4653 (An integer overflow condition in poppler before 0.16.3 can occur when ...) - kdegraphics 4:4.0.0-1 - xpdf 3.02-9 - poppler 0.16.3-1 (low) [lenny] - poppler (minor issue) [squeeze] - poppler 0.12.4-1.2+squeeze1 NOTE: http://cgit.freedesktop.org/poppler/poppler/commit/?id=cad66a7d25abdb6aa15f3aa94a35737b119b2659 CVE-2010-4652 (Heap-based buffer overflow in the sql_prepare_where function (contrib/ ...) {DSA-2191-1} - proftpd-dfsg 1.3.3a-6 CVE-2010-4651 (Directory traversal vulnerability in util.c in GNU patch 2.6.1 and ear ...) - patch (unimportant) NOTE: Applying a patch blindly opens more severe security issues than only directory traversal... NOTE: openwall ships a fix NOTE: See https://bugzilla.redhat.com/show_bug.cgi?id=667529 for details CVE-2010-4650 (Buffer overflow in the fuse_do_ioctl function in fs/fuse/file.c in the ...) - linux-2.6 2.6.32-30 [lenny] - linux-2.6 (Introduced in 2.6.29) CVE-2010-4649 (Integer overflow in the ib_uverbs_poll_cq function in drivers/infiniba ...) {DSA-2153-1} - linux-2.6 2.6.32-30 CVE-2010-4648 (The orinoco_ioctl_set_auth function in drivers/net/wireless/orinoco/we ...) - linux-2.6 2.6.32-30 [lenny] - linux-2.6 (Introduced in 2.6.28) CVE-2010-4647 (Multiple cross-site scripting (XSS) vulnerabilities in the Help Conten ...) - eclipse 3.5.2-9 (low; bug #611849) [squeeze] - eclipse 3.5.2-6squeeze2 CVE-2010-4646 (Cross-site scripting (XSS) vulnerability in Hastymail2 before 1.01 all ...) - hastymail CVE-2010-4644 (Multiple memory leaks in rev_hunt.c in Apache Subversion before 1.6.15 ...) - subversion 1.6.12dfsg-3 (low; bug #608989) [lenny] - subversion (Minor issue) CVE-2010-4643 (Heap-based buffer overflow in Impress in OpenOffice.org (OOo) 2.x and ...) {DSA-2151-1} - openoffice.org 1:3.2.1-11+squeeze2 CVE-2010-4642 (Cross-site scripting (XSS) vulnerability in XWiki Enterprise before 2. ...) NOT-FOR-US: XWiki CVE-2010-4641 (SQL injection vulnerability in XWiki Enterprise before 2.5 allows remo ...) NOT-FOR-US: XWiki CVE-2010-4640 (Multiple cross-site scripting (XSS) vulnerabilities in XWiki Watch 1.0 ...) NOT-FOR-US: XWiki CVE-2010-4639 (SQL injection vulnerability in index.php in MySource Matrix allows rem ...) NOT-FOR-US: MySource Matrix CVE-2010-4638 (SQL injection vulnerability in the submitSurvey function in controller ...) NOT-FOR-US: Joomla! JQuarks4s component CVE-2010-4637 (Cross-site scripting (XSS) vulnerability in feedlist/handler_image.php ...) NOT-FOR-US: FeedList CVE-2010-4636 (SQL injection vulnerability in detail.asp in Site2Nite Business e-List ...) NOT-FOR-US: Site2Nite CVE-2010-4635 (SQL injection vulnerability in detail.asp in Site2Nite Vacation Rental ...) NOT-FOR-US: Site2Nite CVE-2010-4634 NOT-FOR-US: osTicket CVE-2010-4633 (SQL injection vulnerability in cart.php in digiSHOP 2.0.2 allows remot ...) NOT-FOR-US: digiSHOP CVE-2010-4632 (Multiple SQL injection vulnerabilities in ASPilot Pilot Cart 7.3 allow ...) NOT-FOR-US: ASPilot Pilot Cart CVE-2010-4631 (Multiple cross-site scripting (XSS) vulnerabilities in ASPilot Pilot C ...) NOT-FOR-US: ASPilot Pilot Cart CVE-2010-4630 (Cross-site scripting (XSS) vulnerability in pages/admin/surveys/create ...) NOT-FOR-US: WordPress Survey and Quiz Tool plugin CVE-2010-4629 (MyBB (aka MyBulletinBoard) before 1.4.12 does not properly restrict ui ...) NOT-FOR-US: MyBB CVE-2010-4628 (member.php in MyBB (aka MyBulletinBoard) before 1.4.12 makes a certain ...) NOT-FOR-US: MyBB CVE-2010-4627 (Cross-site request forgery (CSRF) vulnerability in usercp2.php in MyBB ...) NOT-FOR-US: MyBB CVE-2010-4626 (The my_rand function in functions.php in MyBB (aka MyBulletinBoard) be ...) NOT-FOR-US: MyBB CVE-2010-4625 (MyBB (aka MyBulletinBoard) before 1.4.12 does not properly handle a co ...) NOT-FOR-US: MyBB CVE-2010-4624 (MyBB (aka MyBulletinBoard) before 1.4.12 allows remote authenticated u ...) NOT-FOR-US: MyBB CVE-2010-4623 (WebSEAL in IBM Tivoli Access Manager for e-business 6.1.1 before 6.1.1 ...) NOT-FOR-US: IBM Tivoli Access Manager CVE-2010-4622 (Directory traversal vulnerability in WebSEAL in IBM Tivoli Access Mana ...) NOT-FOR-US: IBM Tivoli Access Manager CVE-2010-4621 RESERVED CVE-2010-4620 RESERVED CVE-2010-4543 (Heap-based buffer overflow in the read_channel_data function in file-p ...) {DSA-2426-1} - gimp 2.6.11-2 (low; bug #608497) CVE-2010-4542 (Stack-based buffer overflow in the gfig_read_parameter_gimp_rgb functi ...) {DSA-2426-1} - gimp 2.6.11-2 (low; bug #608497) CVE-2010-4541 (Stack-based buffer overflow in the loadit function in plug-ins/common/ ...) {DSA-2426-1} - gimp 2.6.11-2 (low; bug #608497) CVE-2010-4540 (Stack-based buffer overflow in the load_preset_response function in pl ...) {DSA-2426-1} - gimp 2.6.11-2 (low; bug #608497) CVE-2010-4619 (SQL injection vulnerability in profil.php in Mafya Oyun Scrpti (aka Ma ...) NOT-FOR-US: Mafya Oyun Scrpti CVE-2010-4618 (Cross-site scripting (XSS) vulnerability in the Algis Info aiContactSa ...) NOT-FOR-US: Algis Info for Joomla! CVE-2010-4617 (Directory traversal vulnerability in the JotLoader (com_jotloader) com ...) NOT-FOR-US: JotLoader for Joomla! CVE-2010-4616 (Cross-site scripting (XSS) vulnerability in modules/content/admin/cont ...) NOT-FOR-US: ImpressCMS CVE-2010-4615 (Multiple SQL injection vulnerabilities in Oto Galeri Sistemi 1.0 allow ...) NOT-FOR-US: Oto Galeri Sistemi CVE-2010-4614 (SQL injection vulnerability in item.php in Ero Auktion 2010 allows rem ...) NOT-FOR-US: Ero Auktion CVE-2010-4613 (Multiple directory traversal vulnerabilities in Hycus CMS 1.0.3 allow ...) NOT-FOR-US: Hycus CMS CVE-2010-4612 (Multiple SQL injection vulnerabilities in index.php in Hycus CMS 1.0.3 ...) NOT-FOR-US: Hycus CMS CVE-2010-4611 (Html-edit CMS 3.1.8 allows remote attackers to obtain sensitive inform ...) NOT-FOR-US: Html-edit CMS CVE-2010-4610 (Cross-site scripting (XSS) vulnerability in index.php in Html-edit CMS ...) NOT-FOR-US: Html-edit CMS CVE-2010-4609 (SQL injection vulnerability in index.php in Html-edit CMS 3.1.8 allows ...) NOT-FOR-US: Html-edit CMS CVE-2010-4608 (Habari 0.6.5 allows remote attackers to obtain sensitive information v ...) NOT-FOR-US: Habari CVE-2010-4607 (Multiple cross-site scripting (XSS) vulnerabilities in Habari 0.6.5, w ...) NOT-FOR-US: Habari CVE-2010-4606 (Unspecified vulnerability in the Space Management client in the Hierar ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2010-4605 (Unspecified vulnerability in the backup-archive client in IBM Tivoli S ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2010-4604 (Stack-based buffer overflow in the GeneratePassword function in dsmtca ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2010-4603 (IBM Rational ClearQuest 7.0.x before 7.0.1.11, 7.1.1.x before 7.1.1.4, ...) NOT-FOR-US: IBM Rational ClearQuest CVE-2010-4602 (The Web client in IBM Rational ClearQuest 7.1.1.x before 7.1.1.4 and 7 ...) NOT-FOR-US: IBM Rational ClearQuest CVE-2010-4601 (Multiple unspecified vulnerabilities in IBM Rational ClearQuest 7.0.x ...) NOT-FOR-US: IBM Rational ClearQuest CVE-2010-4600 (Dojo Toolkit, as used in the Web client in IBM Rational ClearQuest 7.1 ...) NOT-FOR-US: IBM Rational ClearQuest CVE-2011-0280 (Multiple cross-site scripting (XSS) vulnerabilities in HP Power Manage ...) NOT-FOR-US: HP Power Manager CVE-2011-0279 (HP Multifunction Peripheral (MFP) Digital Sending Software (DSS) 4.91. ...) NOT-FOR-US: HP Multifunction Peripheral CVE-2011-0278 (Unspecified vulnerability in HP Web Jetadmin 10.2 Service Release 3 an ...) NOT-FOR-US: HP Web Jetadmin CVE-2011-0277 (Cross-site request forgery (CSRF) vulnerability in HP Power Manager (H ...) NOT-FOR-US: HP Power Manager CVE-2011-0276 (HP OpenView Performance Insight Server 5.2, 5.3, 5.31, 5.4, and 5.41 c ...) NOT-FOR-US: HP OpenView Performance Insight Server CVE-2011-0275 (Unspecified vulnerability in HP OpenView Storage Data Protector 6.0, 6 ...) NOT-FOR-US: HP OpenView CVE-2011-0274 (Cross-site scripting (XSS) vulnerability in HP Business Availability C ...) NOT-FOR-US: HP Business Availability CVE-2011-0273 (Buffer overflow in crs.exe in HP OpenView Storage Data Protector Cell ...) NOT-FOR-US: HP OpenView Storage Data Protector CVE-2011-0272 (Unspecified vulnerability in HP LoadRunner 9.52 allows remote attacker ...) NOT-FOR-US: HP LoadRunner CVE-2011-0271 (The CGI scripts in HP OpenView Network Node Manager (OV NNM) 7.51 and ...) NOT-FOR-US: HP OpenView CVE-2011-0270 (Format string vulnerability in nnmRptConfig.exe in HP OpenView Network ...) NOT-FOR-US: HP OpenView CVE-2011-0269 (Buffer overflow in nnmRptConfig.exe in HP OpenView Network Node Manage ...) NOT-FOR-US: HP OpenView CVE-2011-0268 (Buffer overflow in nnmRptConfig.exe in HP OpenView Network Node Manage ...) NOT-FOR-US: HP OpenView CVE-2011-0267 (Multiple buffer overflows in nnmRptConfig.exe in HP OpenView Network N ...) NOT-FOR-US: HP OpenView CVE-2011-0266 (Buffer overflow in nnmRptConfig.exe in HP OpenView Network Node Manage ...) NOT-FOR-US: HP OpenView CVE-2011-0265 (Buffer overflow in nnmRptConfig.exe in HP OpenView Network Node Manage ...) NOT-FOR-US: HP OpenView CVE-2011-0264 (Stack-based buffer overflow in ovutil.dll in HP OpenView Network Node ...) NOT-FOR-US: HP OpenView CVE-2011-0263 (Multiple stack-based buffer overflows in ovas.exe in the OVAS service ...) NOT-FOR-US: HP OpenView CVE-2011-0262 (Buffer overflow in the stringToSeconds function in ovutil.dll in ovweb ...) NOT-FOR-US: HP OpenView CVE-2011-0261 (Unspecified vulnerability in jovgraph.exe in jovgraph in HP OpenView N ...) NOT-FOR-US: HP OpenView CVE-2011-0260 (The CoreProcesses component in Apple Mac OS X 10.7 before 10.7.2 does ...) NOT-FOR-US: Apple Mac OS CVE-2011-0259 (CoreFoundation, as used in Apple iTunes before 10.5, does not properly ...) NOT-FOR-US: Apple iTunes CVE-2011-0258 (Apple QuickTime before 7.7 on Windows allows remote attackers to execu ...) NOT-FOR-US: Apple QuickTime CVE-2011-0257 (Integer signedness error in Apple QuickTime before 7.7 allows remote a ...) NOT-FOR-US: Apple QuickTime CVE-2011-0256 (Integer overflow in Apple QuickTime before 7.7 allows remote attackers ...) NOT-FOR-US: Apple QuickTime CVE-2011-0255 (WebKit, as used in Apple Safari before 5.0.6, allows remote attackers ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0254 (WebKit, as used in Apple Safari before 5.0.6, allows remote attackers ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0253 (WebKit, as used in Apple Safari before 5.0.6, allows remote attackers ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0252 (Heap-based buffer overflow in Apple QuickTime before 7.7 allows remote ...) NOT-FOR-US: Apple QuickTime CVE-2011-0251 (Heap-based buffer overflow in Apple QuickTime before 7.7 allows remote ...) NOT-FOR-US: Apple QuickTime CVE-2011-0250 (Heap-based buffer overflow in Apple QuickTime before 7.7 allows remote ...) NOT-FOR-US: Apple QuickTime CVE-2011-0249 (Heap-based buffer overflow in Apple QuickTime before 7.7 allows remote ...) NOT-FOR-US: Apple QuickTime CVE-2011-0248 (Stack-based buffer overflow in the QuickTime ActiveX control in Apple ...) NOT-FOR-US: Apple QuickTime CVE-2011-0247 (Multiple stack-based buffer overflows in Apple QuickTime before 7.7 on ...) NOT-FOR-US: Apple QuickTime CVE-2011-0246 (Heap-based buffer overflow in Apple QuickTime before 7.7 on Windows al ...) NOT-FOR-US: Apple QuickTime CVE-2011-0245 (Buffer overflow in Apple QuickTime before 7.7 allows remote attackers ...) NOT-FOR-US: Apple QuickTime CVE-2011-0244 (WebKit in Apple Safari before 5.0.6 allows user-assisted remote attack ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0243 RESERVED CVE-2011-0242 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari bef ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0241 (Heap-based buffer overflow in ImageIO in Apple Safari before 5.0.6 all ...) NOT-FOR-US: Apple Safari CVE-2011-0240 (WebKit, as used in Apple Safari before 5.0.6, allows remote attackers ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0239 RESERVED CVE-2011-0238 (WebKit, as used in Apple Safari before 5.0.6, allows remote attackers ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0237 (WebKit, as used in Apple Safari before 5.0.6, allows remote attackers ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0236 RESERVED CVE-2011-0235 (WebKit, as used in Apple Safari before 5.0.6, allows remote attackers ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0234 (WebKit, as used in Apple Safari before 5.0.6, allows remote attackers ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0233 (WebKit, as used in Apple Safari before 5.0.6, allows remote attackers ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0232 (WebKit, as used in Apple Safari before 5.0.6, allows remote attackers ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0231 (CFNetwork in Apple Mac OS X before 10.7.2 does not properly follow an ...) NOT-FOR-US: Apple Mac OS X CVE-2011-0230 (Buffer overflow in the ATSFontDeactivate API in Apple Type Services (A ...) NOT-FOR-US: Apple Mac OS X CVE-2011-0229 (Apple Type Services (ATS) in Apple Mac OS X through 10.6.8 does not pr ...) NOT-FOR-US: Apple Mac OS X CVE-2011-0228 (The Data Security component in Apple iOS before 4.2.10 and 4.3.x befor ...) NOT-FOR-US: Apple iOS CVE-2011-0227 (The queueing primitives in IOMobileFrameBuffer in Apple iOS before 4.2 ...) NOT-FOR-US: Apple iOS CVE-2011-0226 (Integer signedness error in psaux/t1decode.c in FreeType before 2.4.6, ...) {DSA-2294-1} - freetype 2.4.6-1 (bug #635871) CVE-2011-0225 (WebKit, as used in Apple Safari before 5.0.6, allows remote attackers ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0224 (CoreMedia in Apple Mac OS X through 10.6.8 allows remote attackers to ...) NOT-FOR-US: Apple Mac OS X CVE-2011-0223 (WebKit, as used in Apple Safari before 5.0.6, allows remote attackers ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0222 (WebKit, as used in Apple Safari before 5.0.6, allows remote attackers ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0221 (WebKit, as used in Apple Safari before 5.0.6, allows remote attackers ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0220 (Apple Bonjour before 2011 allows a crash via a crafted multicast DNS p ...) NOT-FOR-US: Apple CVE-2011-0219 (Apple Safari before 5.0.6 allows remote attackers to bypass the Same O ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0218 (WebKit, as used in Apple Safari before 5.0.6, allows remote attackers ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0217 (Apple Safari before 5.0.6 provides AutoFill information to scripts tha ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0216 (Off-by-one error in libxml in Apple Safari before 5.0.6 allows remote ...) {DSA-2394-1} - libxml2 2.7.8.dfsg-5.1 (bug #652352) CVE-2011-0215 (ImageIO in Apple Safari before 5.0.6 on Windows does not properly addr ...) NOT-FOR-US: ImageIO in Apple Safari CVE-2011-0214 (CFNetwork in Apple Safari before 5.0.6 on Windows does not properly ha ...) NOT-FOR-US: CFNetwork in Apple Safari CVE-2011-0213 (Buffer overflow in QuickTime in Apple Mac OS X before 10.6.8 allows re ...) NOT-FOR-US: QuickTime in Apple Mac OS CVE-2011-0212 (servermgrd in Apple Mac OS X before 10.6.8 allows remote attackers to ...) NOT-FOR-US: Apple Mac OS X CVE-2011-0211 (Integer overflow in QuickTime in Apple Mac OS X before 10.6.8 allows r ...) NOT-FOR-US: Apple Mac OS X CVE-2011-0210 (QuickTime in Apple Mac OS X before 10.6.8 allows remote attackers to e ...) NOT-FOR-US: Apple Mac OS X CVE-2011-0209 (Integer overflow in QuickTime in Apple Mac OS X before 10.6.8 allows r ...) NOT-FOR-US: Apple Mac OS X CVE-2011-0208 (QuickLook in Apple Mac OS X 10.6 before 10.6.8 allows remote attackers ...) NOT-FOR-US: Apple Mac OS X CVE-2011-0207 (The MobileMe component in Apple Mac OS X before 10.6.8 uses a cleartex ...) NOT-FOR-US: Apple Mac OS X CVE-2011-0206 (Buffer overflow in International Components for Unicode (ICU) in Apple ...) NOT-FOR-US: Apple Mac OS X CVE-2011-0205 (Heap-based buffer overflow in ImageIO in Apple Mac OS X before 10.6.8 ...) NOT-FOR-US: Apple Mac OS X CVE-2011-0204 (Heap-based buffer overflow in ImageIO in Apple Mac OS X before 10.6.8 ...) NOT-FOR-US: Apple Mac OS X CVE-2011-0203 (Absolute path traversal vulnerability in xftpd in the FTP Server compo ...) NOT-FOR-US: Apple Mac OS X CVE-2011-0202 (Integer overflow in CoreGraphics in Apple Mac OS X before 10.6.8 allow ...) NOT-FOR-US: Apple Mac OS X CVE-2011-0201 (Off-by-one error in the CoreFoundation framework in Apple Mac OS X bef ...) NOT-FOR-US: Apple Mac OS X CVE-2011-0200 (Integer overflow in ColorSync in Apple Mac OS X before 10.6.8 allows r ...) NOT-FOR-US: Apple Mac OS X CVE-2011-0199 (The Certificate Trust Policy component in Apple Mac OS X before 10.6.8 ...) NOT-FOR-US: Apple Mac OS X CVE-2011-0198 (Heap-based buffer overflow in Apple Type Services (ATS) in Apple Mac O ...) NOT-FOR-US: Apple Mac OS X CVE-2011-0197 (App Store in Apple Mac OS X before 10.6.8 creates a log entry containi ...) NOT-FOR-US: Apple Mac OS X CVE-2011-0196 (AirPort in Apple Mac OS X 10.5.8 allows remote attackers to cause a de ...) NOT-FOR-US: Apple Mac OS X CVE-2011-0195 (The generate-id XPath function in libxslt in Apple iOS 4.3.x before 4. ...) NOT-FOR-US: Apple iOS CVE-2011-0194 (Integer overflow in ImageIO in Apple Mac OS X 10.6 before 10.6.7 allow ...) NOT-FOR-US: Apple Mac OS CVE-2011-0193 (Multiple buffer overflows in Image RAW in Apple Mac OS X before 10.6.7 ...) NOT-FOR-US: Apple Mac OS CVE-2011-0192 (Buffer overflow in Fax4Decode in LibTIFF 3.9.4 and possibly other vers ...) {DSA-2210-1} - tiff 3.9.4-7 - tiff3 (fixed before initial upload) CVE-2011-0191 (Buffer overflow in LibTIFF 3.9.4 and possibly other versions, as used ...) {DSA-2210-1} - tiff 3.9.4-1 - tiff3 (fixed before initial upload) NOTE: This might've been fixed earlier even CVE-2011-0190 (Install Helper in Installer in Apple Mac OS X before 10.6.7 does not p ...) NOT-FOR-US: Apple Mac OS CVE-2011-0189 (The default configuration of Terminal in Apple Mac OS X 10.6 before 10 ...) NOT-FOR-US: Apple Mac OS CVE-2011-0188 (The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Rub ...) {DLA-235-1 DLA-88-1} - ruby1.8 1.8.7.352-1 (bug #628452) - ruby1.9 (bug #628451) - ruby1.9.1 1.9.2.290-1 (bug #628450) CVE-2011-0187 (The plug-in in QuickTime in Apple Mac OS X before 10.6.7 allows remote ...) NOT-FOR-US: Apple Mac OS CVE-2011-0186 (QuickTime in Apple Mac OS X before 10.6.7 allows remote attackers to e ...) NOT-FOR-US: Apple Mac OS CVE-2011-0185 (Format string vulnerability in the debug-logging feature in Applicatio ...) NOT-FOR-US: Apple Mac OS X CVE-2011-0184 (QuickLook in Apple Mac OS X 10.6 before 10.6.7 allows remote attackers ...) NOT-FOR-US: Apple Mac OS CVE-2011-0183 (Libinfo in Apple Mac OS X before 10.6.7 does not properly handle an un ...) NOT-FOR-US: Apple Mac OS CVE-2011-0182 (The i386_set_ldt system call in the kernel in Apple Mac OS X before 10 ...) NOT-FOR-US: Apple Mac OS CVE-2011-0181 (Integer overflow in ImageIO in Apple Mac OS X before 10.6.7 allows rem ...) NOT-FOR-US: Apple Mac OS CVE-2011-0180 (Integer overflow in HFS in Apple Mac OS X before 10.6.7 allows local u ...) NOT-FOR-US: Apple Mac OS CVE-2011-0179 (CoreText in Apple Mac OS X before 10.6.7 allows remote attackers to ex ...) NOT-FOR-US: Apple Mac OS CVE-2011-0178 (The FSFindFolder API in CarbonCore in Apple Mac OS X before 10.6.7 pro ...) NOT-FOR-US: Apple Mac OS CVE-2011-0177 (Multiple buffer overflows in Apple Type Services (ATS) in Apple Mac OS ...) NOT-FOR-US: Apple Mac OS CVE-2011-0176 (Multiple buffer overflows in Apple Type Services (ATS) in Apple Mac OS ...) NOT-FOR-US: Apple Mac OS CVE-2011-0175 (Multiple buffer overflows in Apple Type Services (ATS) in Apple Mac OS ...) NOT-FOR-US: Apple Mac OS CVE-2011-0174 (Heap-based buffer overflow in Apple Type Services (ATS) in Apple Mac O ...) NOT-FOR-US: Apple Mac OS CVE-2011-0173 (Multiple format string vulnerabilities in AppleScript in Apple Mac OS ...) NOT-FOR-US: Apple Mac OS CVE-2011-0172 (AirPort in Apple Mac OS X 10.6 before 10.6.7 allows remote attackers t ...) NOT-FOR-US: Apple Mac OS CVE-2011-0171 RESERVED CVE-2011-0170 (Heap-based buffer overflow in ImageIO in CoreGraphics in Apple iTunes ...) NOT-FOR-US: Apple iTunes CVE-2011-0169 (WebKit in Apple Safari before 5.0.4, when the Web Inspector is used, d ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0168 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0167 (The windows functionality in WebKit in Apple Safari before 5.0.4 allow ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0166 (The HTML5 drag and drop functionality in WebKit in Apple Safari before ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0165 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0164 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0163 (WebKit, as used in Apple Safari before 5.0.4 and iOS before 4.3, does ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0162 (Wi-Fi in Apple iOS before 4.3 and Apple TV before 4.2 does not properl ...) NOT-FOR-US: Apple iOS CVE-2011-0161 (WebKit, as used in Apple Safari before 5.0.4 and iOS before 4.3, does ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0160 (WebKit, as used in Apple Safari before 5.0.4 and iOS before 4.3, does ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0159 (The Safari Settings feature in Safari in Apple iOS 4.x before 4.3 does ...) NOT-FOR-US: Safari in Apple iOS CVE-2011-0158 (MobileSafari in Apple iOS before 4.3 does not properly implement appli ...) NOT-FOR-US: MobileSafari in Apple iOS CVE-2011-0157 (WebKit, as used in Apple iOS before 4.3, allows remote attackers to ex ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0156 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0155 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0154 (WebKit, as used in Apple iTunes before 10.2 on Windows and Apple iOS, ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0153 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0152 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0151 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0150 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0149 (WebKit, as used in Apple iTunes before 10.2 on Windows, does not prope ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0148 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0147 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0146 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0145 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0144 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0143 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0142 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0141 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0140 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0139 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0138 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0137 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0136 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0135 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0134 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0133 (WebKit, as used in Apple iTunes before 10.2 on Windows, does not prope ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0132 (Use-after-free vulnerability in the Runin box functionality in the Cas ...) NOT-FOR-US: Apple CVE-2011-0131 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0130 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0129 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0128 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0127 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0126 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0125 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0124 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0123 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0122 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0121 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0120 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0119 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0118 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0117 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0116 (Use-after-free vulnerability in the setOuterText method in the htmlele ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0115 (The DOM level 2 implementation in WebKit, as used in Apple iTunes befo ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0114 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0113 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0112 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2011-0111 (WebKit, as used in Apple iTunes before 10.2 on Windows, allows man-in- ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2010-4599 (Untrusted search path vulnerability in Ecava IntegraXor 3.6.4000.0 all ...) NOT-FOR-US: Ecava IntegraXor CVE-2010-4598 (Directory traversal vulnerability in Ecava IntegraXor 3.6.4000.0 and e ...) NOT-FOR-US: Ecava IntegraXor CVE-2010-4597 (Stack-based buffer overflow in the save method in the IntegraXor.Proje ...) NOT-FOR-US: Ecava IntegraXor CVE-2010-4596 (Stack-based buffer overflow in RealNetworks Helix Server 12.x, 13.x, a ...) NOT-FOR-US: RealNetworks Helix CVE-2010-4595 (The Connection Manager in IBM Lotus Mobile Connect before 6.1.4 disabl ...) NOT-FOR-US: IBM Lotus Mobile Connect CVE-2010-4594 (The Connection Manager in IBM Lotus Mobile Connect before 6.1.4, when ...) NOT-FOR-US: IBM Lotus Mobile Connect CVE-2010-4593 (The Connection Manager in IBM Lotus Mobile Connect before 6.1.4 does n ...) NOT-FOR-US: IBM Lotus Mobile Connect CVE-2010-4592 (The Mobile Network Connections functionality in the Connection Manager ...) NOT-FOR-US: IBM Lotus Mobile Connect CVE-2010-4591 (The Connection Manager in IBM Lotus Mobile Connect (LMC) before 6.1.4, ...) NOT-FOR-US: IBM Lotus Mobile Connect CVE-2010-4590 (Cross-site scripting (XSS) vulnerability in HTTP Access Services (HTTP ...) NOT-FOR-US: IBM Lotus Mobile Connect CVE-2010-4589 (Cross-site scripting (XSS) vulnerability in IBM ENOVIA 6 allows remote ...) NOT-FOR-US: IBM ENOVIA 6 CVE-2010-4588 (The WBEMSingleView.ocx ActiveX control 1.50.1131.0 in Microsoft WMI Ad ...) NOT-FOR-US: Microsoft CVE-2011-0110 REJECTED CVE-2011-0109 REJECTED CVE-2011-0108 REJECTED CVE-2011-0107 (Untrusted search path vulnerability in Microsoft Office XP SP3, Office ...) NOT-FOR-US: Microsoft Office CVE-2011-0106 REJECTED CVE-2011-0105 (Microsoft Excel 2002 SP3, Office 2004 and 2008 for Mac, and Open XML F ...) NOT-FOR-US: Microsoft Excel CVE-2011-0104 (Microsoft Excel 2002 SP3 and 2003 SP3, Office 2004 and 2008 for Mac, a ...) NOT-FOR-US: Microsoft Excel CVE-2011-0103 (Microsoft Excel 2002 SP3 and 2003 SP3, Office 2004 and 2008 for Mac, a ...) NOT-FOR-US: Microsoft Excel CVE-2011-0102 REJECTED CVE-2011-0101 (Microsoft Excel 2002 SP3 allows remote attackers to execute arbitrary ...) NOT-FOR-US: Microsoft Excel CVE-2011-0100 REJECTED CVE-2011-0099 REJECTED CVE-2011-0098 (Integer signedness error in Microsoft Excel 2002 SP3, 2003 SP3, 2007 S ...) NOT-FOR-US: Microsoft Excel CVE-2011-0097 (Integer underflow in Microsoft Excel 2002 SP3, 2003 SP3, 2007 SP2, and ...) NOT-FOR-US: Microsoft Excel CVE-2011-0096 (The MHTML protocol handler in Microsoft Windows XP SP2 and SP3, Window ...) NOT-FOR-US: Microsoft mhtml CVE-2011-0095 REJECTED CVE-2011-0094 (Use-after-free vulnerability in Microsoft Internet Explorer 6 and 7 al ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-0093 (ELEMENTS.DLL in Microsoft Visio 2002 SP2, 2003 SP3, and 2007 SP2 does ...) NOT-FOR-US: Microsoft Visio CVE-2011-0092 (The LZW stream decompression functionality in ORMELEMS.DLL in Microsof ...) NOT-FOR-US: Microsoft Visio CVE-2011-0091 (Kerberos in Microsoft Windows Server 2008 R2 and Windows 7 does not pr ...) NOT-FOR-US: Microsoft Windows CVE-2011-0090 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2011-0089 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2011-0088 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2011-0087 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2011-0086 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2011-0085 (Use-after-free vulnerability in the nsXULCommandDispatcher function in ...) {DSA-2273-3 DSA-2269-1 DSA-2268-1} - iceweasel 3.5.19-3 - xulrunner (unimportant) [lenny] - xulrunner 1.9.0.19-12 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-3 [lenny] - iceape (Only a stub package) - icedove 3.1.11-1 [lenny] - icedove NOTE: xulrunner in wheezy is not covered by security support CVE-2011-0084 (The SVGTextElement.getCharNumAtPosition function in Mozilla Firefox be ...) {DSA-2297-1 DSA-2296-1 DSA-2295-1} - icedove 3.1.12-1 [lenny] - xulrunner (Only affects Firefox >= 3.6) - iceweasel 6.0-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-5 [lenny] - iceape (Only a stub package) [lenny] - icedove (Only affects Thunderbird 5) CVE-2011-0083 (Use-after-free vulnerability in the nsSVGPathSegList::ReplaceItem func ...) {DSA-2273-3 DSA-2269-1 DSA-2268-1} - iceweasel 3.5.19-3 - xulrunner (unimportant) [lenny] - xulrunner 1.9.0.19-12 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-3 [lenny] - iceape (Only a stub package) - icedove 3.1.11-1 [lenny] - icedove NOTE: xulrunner in wheezy is not covered by security support CVE-2011-0082 (The X.509 certificate validation functionality in Mozilla Firefox 4.0. ...) - xulrunner (unimportant) - iceweasel (unimportant; bug #627552) NOTE: Negligible impact CVE-2011-0081 (Unspecified vulnerability in the browser engine in Mozilla Firefox 3.6 ...) {DSA-2235-1 DSA-2228-1 DSA-2227-1} - xulrunner (Only affects Firefox 4.0/3.6, not yet in unstable) - iceweasel (Only affects Firefox 4.0/3.6, not yet in unstable) CVE-2011-0080 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2235-1 DSA-2228-1 DSA-2227-1} - xulrunner (unimportant) - iceweasel 3.5.19-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-1 [lenny] - iceape (Only a stub package) - icedove 3.1.10-1 [lenny] - icedove NOTE: xulrunner in wheezy is not covered by security support CVE-2011-0079 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - xulrunner (Only affects Firefox 4.0, not yet in unstable) - iceweasel (Only affects Firefox 4.0, not yet in unstable) CVE-2011-0078 (Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5 ...) {DSA-2235-1 DSA-2228-1 DSA-2227-1} - xulrunner (unimportant) - iceweasel 3.5.19-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-1 [lenny] - iceape (Only a stub package) - icedove 3.1.10-1 [lenny] - icedove NOTE: xulrunner in wheezy is not covered by security support CVE-2011-0077 (Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5 ...) {DSA-2235-1 DSA-2228-1 DSA-2227-1} - xulrunner (unimportant) - iceweasel 3.5.19-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-1 [lenny] - iceape (Only a stub package) - icedove 3.1.10-1 [lenny] - icedove NOTE: xulrunner in wheezy is not covered by security support CVE-2011-0076 (Unspecified vulnerability in the Java Embedding Plugin (JEP) in Mozill ...) - xulrunner (Only affects MacOS X) - iceweasel (Only affects MacOS X) CVE-2011-0075 (Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5 ...) {DSA-2235-1 DSA-2228-1 DSA-2227-1} - xulrunner (unimportant) - iceweasel 3.5.19-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-1 [lenny] - iceape (Only a stub package) - icedove 3.1.10-1 [lenny] - icedove NOTE: xulrunner in wheezy is not covered by security support CVE-2011-0074 (Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5 ...) {DSA-2235-1 DSA-2228-1 DSA-2227-1} - xulrunner (unimportant) - iceweasel 3.5.19-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-1 [lenny] - iceape (Only a stub package) - icedove 3.1.10-1 [lenny] - icedove NOTE: xulrunner in wheezy is not covered by security support CVE-2011-0073 (Mozilla Firefox before 3.5.19 and 3.6.x before 3.6.17, and SeaMonkey b ...) {DSA-2235-1 DSA-2228-1 DSA-2227-1} - xulrunner (unimportant) - iceweasel 3.5.19-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2011-0072 (Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5 ...) {DSA-2235-1 DSA-2228-1 DSA-2227-1} - xulrunner (unimportant) - iceweasel 3.5.19-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-1 [lenny] - iceape (Only a stub package) - icedove 3.1.10-1 [lenny] - icedove NOTE: xulrunner in wheezy is not covered by security support CVE-2011-0071 (Directory traversal vulnerability in Mozilla Firefox before 3.5.19 and ...) {DSA-2235-1 DSA-2228-1 DSA-2227-1} - xulrunner (unimportant) - iceweasel 3.5.19-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-1 [lenny] - iceape (Only a stub package) - icedove 3.1.10-1 [lenny] - icedove NOTE: xulrunner in wheezy is not covered by security support CVE-2011-0070 (Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5 ...) {DSA-2235-1 DSA-2228-1 DSA-2227-1} - xulrunner (unimportant) - iceweasel 3.5.19-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-1 [lenny] - iceape (Only a stub package) - icedove 3.1.10-1 [lenny] - icedove NOTE: xulrunner in wheezy is not covered by security support CVE-2011-0069 (Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5 ...) {DSA-2235-1 DSA-2228-1 DSA-2227-1} - xulrunner (Vulnerable code not present) - iceweasel 3.5.19-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-1 [lenny] - iceape (Only a stub package) - icedove 3.1.10-1 [lenny] - icedove CVE-2011-0068 RESERVED - xulrunner (Only affects Firefox 4.0, not yet in unstable) - iceweasel (Only affects Firefox 4.0, not yet in unstable) CVE-2011-0067 (Mozilla Firefox before 3.5.19 and 3.6.x before 3.6.17, and SeaMonkey b ...) {DSA-2235-1 DSA-2228-1 DSA-2227-1} - xulrunner (unimportant) - iceweasel 3.5.19-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2011-0066 (Use-after-free vulnerability in Mozilla Firefox before 3.5.19 and 3.6. ...) {DSA-2235-1 DSA-2228-1 DSA-2227-1} - xulrunner (unimportant) - iceweasel 3.5.19-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-1 [lenny] - iceape (Only a stub package) - icedove 3.1.15-1+b1 NOTE: xulrunner in wheezy is not covered by security support CVE-2011-0065 (Use-after-free vulnerability in Mozilla Firefox before 3.5.19 and 3.6. ...) {DSA-2235-1 DSA-2228-1 DSA-2227-1} - xulrunner (unimportant) - iceweasel 3.5.19-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.14-1 [lenny] - iceape (Only a stub package) - icedove 3.1.15-1+b1 NOTE: xulrunner in wheezy is not covered by security support CVE-2011-0064 (The hb_buffer_ensure function in hb-buffer.c in HarfBuzz, as used in P ...) {DSA-2178-1} - pango1.0 1.28.3-2~sid1 [wheezy] - pango1.0 1.28.3-1+squeeze2 [lenny] - pango1.0 (introduced in code cleanup) CVE-2011-0063 (The _list_file_get function in lib/Majordomo.pm in Majordomo 2 2011020 ...) NOT-FOR-US: Majordomo CVE-2011-0062 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - xulrunner (Only affects Firefox 3.6, not yet in unstable) - iceweasel (Only affects Firefox 3.6, not yet in unstable) CVE-2011-0061 (Buffer overflow in Mozilla Firefox 3.6.x before 3.6.14, Thunderbird be ...) - xulrunner (Only affects Firefox 3.6, not yet in unstable) - iceweasel (Only affects Firefox 3.6, not yet in unstable) CVE-2011-0060 REJECTED CVE-2011-0059 (Cross-site request forgery (CSRF) vulnerability in Mozilla Firefox bef ...) {DSA-2187-1 DSA-2186-1 DSA-2180-1} - icedove 3.0.11-2 [lenny] - icedove - xulrunner (unimportant) [lenny] - xulrunner 1.9.0.19-8 - iceweasel 3.5.17-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.12-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2011-0058 (Buffer overflow in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6. ...) - icedove (Windows-specific) - xulrunner (Windows-specific) - iceweasel (Windows-specific) CVE-2011-0057 (Use-after-free vulnerability in the Web Workers implementation in Mozi ...) {DSA-2187-1 DSA-2186-1 DSA-2180-1} - icedove 3.0.11-2 [lenny] - icedove - xulrunner (Vulnerable code not present) - iceweasel 3.5.17-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.12-1 [lenny] - iceape (Only a stub package) CVE-2011-0056 (Buffer overflow in the JavaScript engine in Mozilla Firefox before 3.5 ...) {DSA-2187-1 DSA-2186-1 DSA-2180-1} - icedove 3.0.11-2 [lenny] - icedove - xulrunner (unimportant) [lenny] - xulrunner 1.9.0.19-8 - iceweasel 3.5.17-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.12-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2011-0055 (Use-after-free vulnerability in the JSON.stringify method in js3250.dl ...) {DSA-2187-1 DSA-2186-1 DSA-2180-1} - icedove 3.0.11-2 [lenny] - icedove - xulrunner (Vulnerable code not present) - iceweasel 3.5.17-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.12-1 [lenny] - iceape (Only a stub package) CVE-2011-0054 (Buffer overflow in the JavaScript engine in Mozilla Firefox before 3.5 ...) {DSA-2187-1 DSA-2186-1 DSA-2180-1} - icedove 3.0.11-2 [lenny] - icedove - xulrunner (Vulnerable code not present) - iceweasel 3.5.17-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.12-1 [lenny] - iceape (Only a stub package) CVE-2011-0053 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2187-1 DSA-2186-1 DSA-2180-1} - icedove 3.0.11-2 [lenny] - icedove - xulrunner (unimportant) [lenny] - xulrunner 1.9.0.19-8 - iceweasel 3.5.17-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.12-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2011-0052 RESERVED CVE-2011-0051 (Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, and SeaMonkey b ...) {DSA-2187-1 DSA-2186-1 DSA-2180-1} - icedove 3.0.11-2 [lenny] - icedove - xulrunner (unimportant) [lenny] - xulrunner 1.9.0.19-8 - iceweasel 3.5.17-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.12-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2011-0050 (Cross-site scripting (XSS) vulnerability in the nonjs interface (inter ...) {DSA-2158-1} - cgiirc 0.5.9-3.1 (bug #612671) CVE-2011-0049 (Directory traversal vulnerability in the _list_file_get function in li ...) NOT-FOR-US: Majordomo CVE-2011-0048 (Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4 ...) {DSA-2322-1} - bugzilla (bug #611176) [squeeze] - bugzilla 3.6.2.0-4.4 NOTE: http://www.bugzilla.org/security/3.2.9/ CVE-2011-0047 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.2 al ...) - mediawiki 1:1.15.5-3 (low; bug #611787) [lenny] - mediawiki 1:1.12.0-2lenny8 (low; bug #611787) [squeeze] - mediawiki 1:1.15.5-2squeeze1 (low; bug #611787) CVE-2011-0046 (Multiple cross-site request forgery (CSRF) vulnerabilities in Bugzilla ...) {DSA-2322-1} - bugzilla (bug #611176) [squeeze] - bugzilla 3.6.2.0-4.4 NOTE: http://www.bugzilla.org/security/3.2.9/ CVE-2010-4578 (Google Chrome before 8.0.552.224 and Chrome OS before 8.0.552.343 do n ...) {DSA-2188-1} - chromium-browser 6.0.472.63~r59945-4 - webkit 1.2.7-1 NOTE: http://trac.webkit.org/changeset/73432 CVE-2010-4577 (The CSSParser::parseFontFaceSrc function in WebCore/css/CSSParser.cpp ...) {DSA-2188-1} - chromium-browser 6.0.472.63~r59945-4 - webkit 1.2.7-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=49883 NOTE: http://code.google.com/p/chromium/issues/detail?id=63866 NOTE: http://trac.webkit.org/changeset/72685 CVE-2010-4576 (browser/worker_host/message_port_dispatcher.cc in Google Chrome before ...) - chromium-browser 6.0.472.63~r59945-4 (bug #607843; low) NOTE: http://code.google.com/p/chromium/issues/detail?id=63529 CVE-2010-4575 (The ThemeInstalledInfoBarDelegate::Observe function in browser/extensi ...) - chromium-browser 6.0.472.63~r59945-4 (bug #607846; low) NOTE: http://code.google.com/p/chromium/issues/detail?id=60761 NOTE: http://codereview.chromium.org/5326011/ CVE-2010-4574 (The Pickle::Pickle function in base/pickle.cc in Google Chrome before ...) - chromium-browser 6.0.472.63~r59945-4 (bug #607848; low) NOTE: http://code.google.com/p/chromium/issues/detail?id=56449 NOTE: http://codereview.chromium.org/4716006 CVE-2010-4573 (The Update Installer in VMware ESXi 4.1, when a modified sfcb.cfg is p ...) NOT-FOR-US: VMware ESXi CVE-2010-4572 (CRLF injection vulnerability in chart.cgi in Bugzilla before 3.2.10, 3 ...) {DSA-2322-1} - bugzilla [squeeze] - bugzilla 3.6.2.0-4.4 NOTE: http://www.bugzilla.org/security/3.2.9/ NOTE: perl and associate packages are CVE-2010-2761 and CVE-2010-4411 (see above reference) CVE-2010-4571 RESERVED CVE-2010-4570 (Cross-site scripting (XSS) vulnerability in the duplicate-detection fu ...) - bugzilla (vulnerable code introduced in 3.7) CVE-2010-4569 (Cross-site scripting (XSS) vulnerability in Bugzilla 3.7.1, 3.7.2, 3.7 ...) - bugzilla (vulnerable code introduced in 3.7) CVE-2010-4568 (Bugzilla 2.14 through 2.22.7; 3.0.x, 3.1.x, and 3.2.x before 3.2.10; 3 ...) {DSA-2322-1} - bugzilla (bug #611176) [squeeze] - bugzilla 3.6.2.0-4.4 NOTE: http://www.bugzilla.org/security/3.2.9/ CVE-2010-4567 (Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4 ...) {DSA-2322-1} - bugzilla (high; bug #611176) [squeeze] - bugzilla 3.6.2.0-4.4 NOTE: http://www.bugzilla.org/security/3.2.9/ CVE-2010-4566 (The web authentication form in the NT4 authentication component in Cit ...) NOT-FOR-US: Citrix Acces Gateway CVE-2010-4565 (The bcm_connect function in net/can/bcm.c (aka the Broadcast Manager) ...) {DSA-2153-1} - linux-2.6 2.6.37-1 [wheezy] - linux-2.6 2.6.32-31 [squeeze] - linux-2.6 2.6.32-31 CVE-2010-4564 RESERVED CVE-2010-4563 (The Linux kernel, when using IPv6, allows remote attackers to determin ...) - linux (unimportant) - linux-2.6 (unimportant) NOTE: http://seclists.org/fulldisclosure/2011/Apr/254 CVE-2010-4562 (Microsoft Windows 2008, 7, Vista, 2003, 2000, and XP, when using IPv6, ...) NOT-FOR-US: Microsoft Windows CVE-2010-4561 RESERVED CVE-2010-4560 REJECTED CVE-2010-4559 REJECTED CVE-2010-4587 (Opera before 11.00 on Windows does not properly implement the Insecure ...) NOT-FOR-US: Opera CVE-2010-4586 (The default configuration of Opera before 11.00 enables WebSockets fun ...) NOT-FOR-US: Opera CVE-2010-4585 (Unspecified vulnerability in the auto-update functionality in Opera be ...) NOT-FOR-US: Opera CVE-2010-4584 (Opera before 11.00, when Opera Turbo is used, does not properly presen ...) NOT-FOR-US: Opera CVE-2010-4583 (Opera before 11.00, when Opera Turbo is enabled, does not display a pa ...) NOT-FOR-US: Opera CVE-2010-4582 (Opera before 11.00 does not properly handle security policies during u ...) NOT-FOR-US: Opera CVE-2010-4581 (Unspecified vulnerability in Opera before 11.00 has unknown impact and ...) NOT-FOR-US: Opera CVE-2010-4580 (Opera before 11.00 does not clear WAP WML form fields after manual nav ...) NOT-FOR-US: Opera CVE-2010-4579 (Opera before 11.00 does not properly constrain dialogs to appear on to ...) NOT-FOR-US: Opera CVE-2010-XXXX [calibre XSS] - calibre 0.7.38+dfsg-1 (bug #608822) [squeeze] - calibre (Vulnerable code not present, see #608822) NOTE: http://www.waraxe.us/advisory-77.html NOTE: CVE ID requested CVE-2010-XXXX [calibre file disclosure] - calibre 0.7.38+dfsg-1 (bug #608822) [squeeze] - calibre (Vulnerable code not present, see #608822) NOTE: http://www.waraxe.us/advisory-77.html NOTE: CVE ID requested CVE-2010-XXXX [webkit info leak] - chromium-browser 26.0.1410.43-1 (low) [squeeze] - chromium-browser NOTE: this was fixed much earlier (webkit 1.2), but this was the version checked NOTE: http://em386.blogspot.com/2010/12/webkit-css-type-confusion.html CVE-2010-4558 (phpMyFAQ 2.6.11 and 2.6.12, as distributed between December 4th and De ...) NOT-FOR-US: phpMyFAQ CVE-2010-4557 (Buffer overflow in the lm_tcp service in Invensys Wonderware InBatch 8 ...) NOT-FOR-US: Invensys Wonderware InBatch CVE-2010-4556 (Stack-based buffer overflow in the SapThemeRepository ActiveX control ...) NOT-FOR-US: SAP NetWeaver Business Client CVE-2010-4523 (Multiple stack-based buffer overflows in libopensc in OpenSC 0.11.13 a ...) - opensc 0.11.13-1.1 (low; bug #607427) [lenny] - opensc 0.11.4-5+lenny1.1 CVE-2010-4555 (Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1. ...) {DSA-2291-1} - squirrelmail 2:1.4.22-1 (low) NOTE: difficult to exploit CVE-2010-4554 (functions/page_header.php in SquirrelMail 1.4.21 and earlier does not ...) {DSA-2291-1} - squirrelmail 2:1.4.22-1 CVE-2010-4553 (An unspecified Domino API in IBM Lotus Notes Traveler before 8.5.1.1 d ...) NOT-FOR-US: IBM Lotus Notes Traveler CVE-2010-4552 (Memory leak in IBM Lotus Notes Traveler before 8.5.1.1 allows remote a ...) NOT-FOR-US: IBM Lotus Notes Traveler CVE-2010-4551 (IBM Lotus Notes Traveler before 8.5.1.2 allows remote authenticated us ...) NOT-FOR-US: IBM Lotus Notes Traveler CVE-2010-4550 (IBM Lotus Notes Traveler before 8.5.1.3 allows remote attackers to cau ...) NOT-FOR-US: IBM Lotus Notes Traveler CVE-2010-4549 (IBM Lotus Notes Traveler before 8.5.1.3 on the Nokia s60 device succes ...) NOT-FOR-US: IBM Lotus Notes Traveler CVE-2010-4548 (IBM Lotus Notes Traveler before 8.5.1.2 allows remote authenticated us ...) NOT-FOR-US: IBM Lotus Notes Traveler CVE-2010-4547 (IBM Lotus Notes Traveler before 8.5.1.3, when a multidomain environmen ...) NOT-FOR-US: IBM Lotus Notes Traveler CVE-2010-4546 (IBM Lotus Notes Traveler before 8.5.1.2 does not reject an attachment ...) NOT-FOR-US: IBM Lotus Notes Traveler CVE-2010-4545 (IBM Lotus Notes Traveler before 8.5.1.2 allows remote authenticated us ...) NOT-FOR-US: IBM Lotus Notes Traveler CVE-2010-4544 (Cross-site scripting (XSS) vulnerability in the servlet in IBM Lotus N ...) NOT-FOR-US: IBM Lotus Notes Traveler CVE-2009-5036 (traveler.exe in IBM Lotus Notes Traveler before 8.0.1.3 CF1 allows rem ...) NOT-FOR-US: IBM Lotus Notes Traveler CVE-2009-5035 (The Nokia client in IBM Lotus Notes Traveler before 8.5.0.2 does not p ...) NOT-FOR-US: IBM Lotus Notes Traveler CVE-2009-5034 (IBM Lotus Notes Traveler before 8.5.0.2 allows remote authenticated us ...) NOT-FOR-US: IBM Lotus Notes Traveler CVE-2009-5033 (IBM Lotus Notes Traveler before 8.5.0.2 does not properly handle a "* ...) NOT-FOR-US: IBM Lotus Notes Traveler CVE-2009-5032 (The encrypted e-mail feature in IBM Lotus Notes Traveler before 8.5.0. ...) NOT-FOR-US: IBM Lotus Notes Traveler CVE-2011-0045 (The Trace Events functionality in the kernel in Microsoft Windows XP S ...) NOT-FOR-US: Microsoft Windows CVE-2011-0044 REJECTED CVE-2011-0043 (Kerberos in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 suppo ...) NOT-FOR-US: Microsoft Windows CVE-2011-0042 (SBE.dll in the Stream Buffer Engine in Windows Media Player and Window ...) NOT-FOR-US: Microsoft Windows CVE-2011-0041 (Integer overflow in gdiplus.dll in GDI+ in Microsoft Windows XP SP2 an ...) NOT-FOR-US: Microsoft Windows CVE-2011-0040 (The server in Microsoft Active Directory on Windows Server 2003 SP2 do ...) NOT-FOR-US: Microsoft Windows CVE-2011-0039 (The Local Security Authority Subsystem Service (LSASS) in Microsoft Wi ...) NOT-FOR-US: Microsoft Windows CVE-2011-0038 (Untrusted search path vulnerability in Microsoft Internet Explorer 8 m ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-0037 (Microsoft Malware Protection Engine before 1.1.6603.0, as used in Micr ...) NOT-FOR-US: Microsoft Malware Protection Engine CVE-2011-0036 (Microsoft Internet Explorer 6, 7, and 8 does not properly handle objec ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-0035 (Microsoft Internet Explorer 6, 7, and 8 does not properly handle objec ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-0034 (Stack-based buffer overflow in the OpenType Compact Font Format (aka O ...) NOT-FOR-US: Microsoft Windows CVE-2011-0033 (The OpenType Compact Font Format (CFF) driver in Microsoft Windows XP ...) NOT-FOR-US: Microsoft Windows CVE-2011-0032 (Untrusted search path vulnerability in DirectShow in Microsoft Windows ...) NOT-FOR-US: Microsoft Windows CVE-2011-0031 (The (1) JScript 5.8 and (2) VBScript 5.8 scripting engines in Microsof ...) NOT-FOR-US: Microsoft Windows CVE-2011-0030 (The Client/Server Run-time Subsystem (CSRSS) in Microsoft Windows XP S ...) NOT-FOR-US: Microsoft Windows CVE-2011-0029 (Untrusted search path vulnerability in the client in Microsoft Remote ...) NOT-FOR-US: Microsoft CVE-2011-0028 (WordPad in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 does n ...) NOT-FOR-US: Microsoft Windows CVE-2011-0027 (Microsoft Data Access Components (MDAC) 2.8 SP1 and SP2, and Windows D ...) NOT-FOR-US: Microsoft Data Access Components CVE-2011-0026 (Integer signedness error in the SQLConnectW function in an ODBC API (o ...) NOT-FOR-US: Microsoft Data Access Components CVE-2010-XXXX [ircd-ratbox password disclosure during TLS handshake] - ircd-ratbox 3.0.6.dfsg-2 [lenny] - ircd-ratbox (TLS support not yet activated) CVE-2010-4539 (The walk function in repos.c in the mod_dav_svn module for the Apache ...) - subversion 1.6.12dfsg-4 (low; bug #608989) [lenny] - subversion (Minor issue) CVE-2010-4538 (Buffer overflow in the sect_enttec_dmx_da function in epan/dissectors/ ...) {DSA-2144-1} - wireshark 1.2.11-6 (bug #608990) CVE-2010-4537 (Unspecified vulnerability in CrawlTrack before 3.2.7, when a public st ...) NOT-FOR-US: CrawlTrack CVE-2010-4536 (Multiple cross-site scripting (XSS) vulnerabilities in KSES, as used i ...) - wordpress 3.0.4+dfsg-1 [lenny] - wordpress (2.x version is not affected) - moodle (Moodle's version of KSES is not affected) - egroupware (Only uses a minor subset of KSES) CVE-2010-4535 (The password reset functionality in django.contrib.auth in Django befo ...) - python-django 1.2.4-1 [squeeze] - python-django 1.2.3-3 NOTE: http://www.djangoproject.com/weblog/2010/dec/22/security/ CVE-2010-4534 (The administrative interface in django.contrib.admin in Django before ...) - python-django 1.2.4-1 [squeeze] - python-django 1.2.3-3 NOTE: http://www.djangoproject.com/weblog/2010/dec/22/security/ CVE-2010-4533 (offlineimap before 6.3.4 added support for SSL server certificate vali ...) - offlineimap 6.3.4-1 (low; bug #606962) NOTE: offlineimap uses the "ssl" standard lib in Python, marking the version of offlineimap in wheezy as fixed [squeeze] - offlineimap (Long-standing, documented behaviour, can be updated in spu if needed) [lenny] - offlineimap (Long-standing, documented behaviour, can be updated in spu if needed) CVE-2010-4532 (offlineimap before 6.3.2 does not check for SSL server certificate val ...) - offlineimap 6.3.2~rc3-2 (low; bug #603450) [squeeze] - offlineimap (Long-standing, documented behaviour, can be updated in spu if needed) [lenny] - offlineimap (Long-standing, documented behaviour, can be updated in spu if needed) CVE-2010-4531 (Stack-based buffer overflow in the ATRDecodeAtr function in the Answer ...) {DSA-2156-1} - pcsc-lite 1.5.5-4 (low; bug #607781) CVE-2010-4530 (Signedness error in ccid_serial.c in libccid in the USB Chip/Smart Car ...) - ccid 1.3.11-2 (unimportant; bug #607780) NOTE: Theoretical attack CVE-2011-XXXX [remote DoS when case of the characters of a nickname is modified] - bip 0.8.7-1 [squeeze] - bip 0.8.2-1squeeze3 [lenny] - bip (Vulnerable code not present) CVE-2010-4529 (Integer underflow in the irda_getsockopt function in net/irda/af_irda. ...) {DSA-2153-1} - linux-2.6 2.6.32-30 CVE-2010-4528 (directconn.c in the MSN protocol plugin in libpurple 2.7.6 through 2.7 ...) - pidgin 2.7.9-1 (bug #608331; medium) [squeeze] - pidgin (Vulnerable code not present) [lenny] - pidgin (Vulnerable code not present) CVE-2010-4527 (The load_mixer_volumes function in sound/oss/soundcard.c in the OSS so ...) {DSA-2153-1} - linux-2.6 2.6.32-30 CVE-2010-4526 (Race condition in the sctp_icmp_proto_unreachable function in net/sctp ...) {DSA-2153-1} - linux-2.6 2.6.32-30 CVE-2010-4525 (Linux kernel 2.6.33 and 2.6.34.y does not initialize the kvm_vcpu_even ...) - linux-2.6 2.6.35-1 [squeeze] - linux-2.6 (Only affects 2.6.33/2.6.34) [lenny] - linux-2.6 (Only affects 2.6.33/2.6.34) [wheezy] - linux-2.6 (Only affects 2.6.33/2.6.34) CVE-2010-4524 (Cross-site scripting (XSS) vulnerability in lib/mhtxthtml.pl in MHonAr ...) - mhonarc 2.6.18-1 (low; bug #607693) [squeeze] - mhonarc (Minor issue) CVE-2010-4522 (Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBul ...) NOT-FOR-US: MyBB CVE-2010-4521 (Cross-site scripting (XSS) vulnerability in the Views module 6.x befor ...) - drupal6-mod-views 2.12-1 CVE-2010-4520 (Multiple cross-site scripting (XSS) vulnerabilities in the Views modul ...) - drupal6-mod-views 2.11-1 CVE-2010-4519 (Multiple cross-site request forgery (CSRF) vulnerabilities in the View ...) - drupal6-mod-views 2.11-1 CVE-2010-4518 (Cross-site scripting (XSS) vulnerability in wp-safe-search/wp-safe-sea ...) NOT-FOR-US: Safe Search plugin for WordPress CVE-2010-4517 (SQL injection vulnerability in the JExtensions JE Auto (com_jeauto) co ...) NOT-FOR-US: Joomla! extension CVE-2010-4516 (Multiple cross-site scripting (XSS) vulnerabilities in the JXtended Co ...) NOT-FOR-US: Joomla! CVE-2010-4515 (Cross-site scripting (XSS) vulnerability in Citrix Web Interface 5.0, ...) NOT-FOR-US: Citrix Web Interface CVE-2010-4514 (Cross-site scripting (XSS) vulnerability in Install/InstallWizard.aspx ...) NOT-FOR-US: DotNetNuke CVE-2010-4513 (Multiple cross-site scripting (XSS) vulnerabilities in Zimplit CMS 3.0 ...) NOT-FOR-US: Zimplit CMS CVE-2010-4512 (Cobbler before 2.0.4 uses an incorrect umask value, which allows local ...) - cobbler (Fixed before initial upload) CVE-2010-4511 (Unspecified vulnerability in Movable Type 4.x before 4.35 and 5.x befo ...) - movabletype-opensource 4.3.5+dfsg-1 (bug #606311) [lenny] - movabletype-opensource 4.2.3-1+lenny2 CVE-2010-4509 (Multiple unspecified vulnerabilities in Movable Type 4.x before 4.35 a ...) - movabletype-opensource 4.3.5+dfsg-1 (bug #606311) [lenny] - movabletype-opensource 4.2.3-1+lenny2 CVE-2010-4508 (The WebSockets implementation in Mozilla Firefox 4 through 4.0 Beta 7 ...) - xulrunner (Only affects Firefox 4.x) CVE-2009-5031 (ModSecurity before 2.5.11 treats request parameter values containing s ...) - modsecurity-apache (Fixed before initial upload) - libapache-mod-security 2.5.12-1 NOTE: https://www.modsecurity.org/fisheye/browse/modsecurity/m2/branches/2.5.x/apache2/msc_multipart.c?r2=1419&r1=1366 NOTE: http://www.openwall.com/lists/oss-security/2012/06/22/1 NOTE: http://www.openwall.com/lists/oss-security/2012/06/22/2 CVE-2009-5030 (The tcd_free_encode function in tcd.c in OpenJPEG 1.3 through 1.5 allo ...) {DSA-2629-1} - openjpeg 1.3+dfsg-4.1 (medium; bug #672455) NOTE: Upstream ticket http://code.google.com/p/openjpeg/issues/detail?id=5 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=812317 CVE-2009-5029 (Integer overflow in the __tzfile_read function in glibc before 2.15 al ...) - eglibc 2.13-24 (low; bug #656108) [squeeze] - eglibc 2.11.3-3 - glibc 2.13-24 NOTE: http://support.novell.com/security/cve/CVE-2009-5029.html NOTE: https://bugzilla.suse.com/show_bug.cgi?id=735850 CVE-2009-5028 (Stack-based buffer overflow in Namazu before 2.0.20 allows remote atta ...) - namazu2 2.0.20-1.0 (low) CVE-2009-5027 REJECTED CVE-2009-5026 (The executable comment feature in MySQL 5.0.x before 5.0.93 and 5.1.x ...) - mysql-5.1 5.1.53-1 CVE-2009-5025 (A backdoor (aka BMSA-2009-07) was found in PyForum v1.0.3 where an att ...) NOT-FOR-US: PyForum CVE-2009-5024 (ViewVC before 1.1.11 allows remote attackers to bypass the cvsdb row_l ...) {DSA-2563-1} - viewvc 1.1.5-1.3 (bug #671482) CVE-2009-5023 (The (1) dshield.conf, (2) mail-buffered.conf, (3) mynetwatchman.conf, ...) - fail2ban 0.8.4+svn20110323-1 (low; bug #544232) [lenny] - fail2ban (Minor issue) [squeeze] - fail2ban 0.8.4-3+squeeze1 CVE-2009-5022 (Heap-based buffer overflow in tif_ojpeg.c in the OJPEG decoder in LibT ...) {DSA-2256-1} - tiff 3.9.5-1 (bug #624287) - tiff3 (fixed before initial upload) [lenny] - tiff (3.9+ only) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=1999 CVE-2009-5021 (Cobbler before 1.6.1 does not properly determine whether an installati ...) - cobbler (Fixed before initial upload) CVE-2010-4507 (Multiple cross-site request forgery (CSRF) vulnerabilities on the iSpo ...) NOT-FOR-US: iSpot/ClearSpot hardware devices CVE-2010-4506 (Passlogix v-GO Self-Service Password Reset (SSPR) and OEM before 7.0A ...) NOT-FOR-US: Passlogix CVE-2010-4505 (Multiple SQL injection vulnerabilities in login.php in Injader 2.4.4, ...) NOT-FOR-US: Injader CVE-2010-4504 (Multiple cross-site scripting (XSS) vulnerabilities in eSyndiCat Direc ...) NOT-FOR-US: eSyndiCat CVE-2010-4503 (SQL injection vulnerability in indexlight.php in Aigaion 1.3.4 allows ...) NOT-FOR-US: Aigaion CVE-2010-4502 (Integer overflow in KmxSbx.sys 6.2.0.22 in CA Internet Security Suite ...) NOT-FOR-US: CA Internet Security Suite CVE-2010-4501 REJECTED CVE-2010-4500 (Multiple SQL injection vulnerabilities in contact.php in MRCGIGUY (MCG ...) NOT-FOR-US: MRCGIGUY FreeTicket CVE-2011-0025 (IcedTea 1.7 before 1.7.8, 1.8 before 1.8.5, and 1.9 before 1.9.5 does ...) {DSA-2224-1} - openjdk-6 6b18-1.8.5-1 [squeeze] - openjdk-6 (bug #614151) [lenny] - openjdk-6 (bug #614151) CVE-2011-0024 (Heap-based buffer overflow in wiretap/pcapng.c in Wireshark before 1.2 ...) - wireshark 1.2-0-1 CVE-2011-0023 RESERVED CVE-2011-0022 (The setup scripts in 389 Directory Server 1.2.x (aka Red Hat Directory ...) NOT-FOR-US: 389 LDAP server CVE-2011-0522 (The StripTags function in (1) the USF decoder (modules/codec/subtitles ...) - vlc 1.1.3-1squeeze2 [lenny] - vlc 0.8.6.h-4+lenny3 CVE-2011-0021 (Multiple heap-based buffer overflows in cdg.c in the CDG decoder in Vi ...) - vlc 1.1.3-1squeeze2 [lenny] - vlc (Vulnerable code not present) NOTE: http://git.videolan.org/?p=vlc.git;a=commit;h=f9b664eac0e1a7bceed9d7b5854fd9fc351b4aab CVE-2011-0020 (Heap-based buffer overflow in the pango_ft2_font_render_box_glyph func ...) - pango1.0 1.28.3-1+squeeze1 (bug #610792) CVE-2011-0019 (slapd (aka ns-slapd) in 389 Directory Server 1.2.7.5 (aka Red Hat Dire ...) NOT-FOR-US: 389 LDAP server CVE-2011-0018 (The email function in manage_sql.c in OpenVAS Manager 1.0.x through 1. ...) NOT-FOR-US: OpenVAS Manager CVE-2011-0017 (The open_log function in log.c in Exim 4.72 and earlier does not check ...) {DSA-2154-1} - exim4 4.72-4 CVE-2011-0016 (Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha does not properl ...) {DSA-2148-1} - tor 0.2.1.29-1 CVE-2011-0015 (Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha does not properl ...) {DSA-2148-1} - tor 0.2.1.29-1 CVE-2011-0014 (ssl/t1_lib.c in OpenSSL 0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c ...) {DSA-2162-1} - openssl 0.9.8o-5 (low) [lenny] - openssl (Only 0.9.8h through 0.9.8q are affected) CVE-2011-0013 (Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manage ...) {DSA-2160-1} - tomcat5.5 (low) [lenny] - tomcat5.5 (Minor issue) - tomcat6 6.0.28-10 (bug #612257) [lenny] - tomcat6 (Only ships the servlet package) CVE-2011-0012 (The SPICE Firefox plug-in (spice-xpi) 2.4, 2.3, 2.2, and possibly othe ...) - spice-xpi [jessie] - spice-xpi (Broken with newer Firefox versions) CVE-2011-0011 (qemu-kvm before 0.11.0 disables VNC authentication when the password i ...) {DSA-2230-1} - qemu-kvm 0.14.0+dfsg-1~tls (low; bug #611134) - kvm (Vulnerable code not present) NOTE: Harmless implementation bug, see discussion in #611134 CVE-2011-0010 (check.c in sudo 1.7.x before 1.7.4p5, when a Runas group is configured ...) - sudo 1.7.4p4-6 (bug #609641) [lenny] - sudo (Only affects 1.7.x) [squeeze] - sudo 1.7.4p4-2.squeeze.1 NOTE: http://www.sudo.ws/sudo/alerts/runas_group_pw.html CVE-2011-0009 (Best Practical Solutions RT 3.x before 3.8.9rc2 and 4.x before 4.0.0rc ...) {DSA-2150-1} - request-tracker3.8 3.8.8-7 CVE-2011-0008 (A certain Fedora patch for parse.c in sudo before 1.7.4p5-1.fc14 on Fe ...) - sudo (Fedora-specific issue) CVE-2011-0007 (pimd 2.1.5 and possibly earlier versions allows user-assisted local us ...) {DSA-2147-1} - pimd 2.1.6-1 (unimportant; bug #609304) [squeeze] - pimd 2.1.1-1.1 (unimportant; bug #609304) CVE-2011-0006 (The ima_lsm_rule_init function in security/integrity/ima/ima_policy.c ...) - linux-2.6 2.6.32-30 [lenny] - linux-2.6 (Introduced in 2.6.30) CVE-2011-0005 (Cross-site scripting (XSS) vulnerability in the com_search module for ...) NOT-FOR-US: Joomla! CVE-2011-0004 (Multiple cross-site scripting (XSS) vulnerabilities in Piwik before 1. ...) - piwik (bug #506933) CVE-2011-0003 (MediaWiki before 1.16.1, when user or site JavaScript or CSS is enable ...) {DTSA-207-1} - mediawiki 1:1.15.5-2 [lenny] - mediawiki 1:1.12.0-2lenny7 CVE-2011-0002 (libuser before 0.57 uses a cleartext password value of (1) !! or (2) x ...) - libuser 1:0.56.9.dfsg.1-1.1 (bug #610034) CVE-2011-0001 (Double free vulnerability in the iscsi_rx_handler function (usr/iscsi/ ...) {DSA-2209-1} - tgt 1:1.0.4-3 CVE-2010-4499 (Session fixation vulnerability in Collaborative Information Manager se ...) NOT-FOR-US: TIBCO Collaborative Information Manager CVE-2010-4498 (Unspecified vulnerability in Collaborative Information Manager server, ...) NOT-FOR-US: TIBCO Collaborative Information Manager CVE-2010-4497 (Cross-site scripting (XSS) vulnerability in Collaborative Information ...) NOT-FOR-US: TIBCO Collaborative Information Manager CVE-2010-4496 (Multiple SQL injection vulnerabilities in Collaborative Information Ma ...) NOT-FOR-US: TIBCO Collaborative Information Manager CVE-2010-4495 (Unspecified vulnerability in the ActiveMatrix Runtime component in TIB ...) NOT-FOR-US: TIBCO ActiveMatrix CVE-2010-4494 (Double free vulnerability in libxml2 2.7.8 and other versions, as used ...) {DSA-2137-1} - libxml2 2.7.8.dfsg-2 (bug #607922) - chromium-browser 5.0.375.29~r46008-1 - webkit (never embedded libxml2's xpath.c) CVE-2010-4493 (Use-after-free vulnerability in Google Chrome before 8.0.552.215 allow ...) {DSA-2188-1} - chromium-browser 6.0.472.63~r59945-3 - webkit 1.2.7-1 NOTE: http://trac.webkit.org/changeset/72013 CVE-2010-4492 (Use-after-free vulnerability in Google Chrome before 8.0.552.215 allow ...) {DSA-2188-1} - chromium-browser 6.0.472.63~r59945-3 - webkit 1.2.7-1 NOTE: http://trac.webkit.org/changeset/71686 CVE-2010-4491 (Google Chrome before 8.0.552.215 does not properly restrict privileged ...) - chromium-browser 9.0.597.45~r70550-1 [squeeze] - chromium-browser [wheezy] - chromium-browser - webkit (issue in chromium-specific webkit code) NOTE: http://code.google.com/p/chromium/issues/detail?id=62168 NOTE: http://trac.webkit.org/changeset/71533 CVE-2010-4490 (Google Chrome before 8.0.552.215 allows remote attackers to cause a de ...) - chromium-browser 6.0.472.63~r59945-3 - webkit (chromium specific issue) CVE-2010-4489 (libvpx, as used in Google Chrome before 8.0.552.215 and possibly other ...) - chromium-browser - webkit - libvpx 0.9.5-1 (bug #610510) [squeeze] - libvpx (regression in later version) CVE-2010-4488 (Google Chrome before 8.0.552.215 does not properly handle HTTP proxy a ...) - chromium-browser 9.0.597.83~r72435-1 (unimportant) [squeeze] - chromium-browser - webkit (chromium issue) NOTE: only a browser crash CVE-2010-4487 (Incomplete blacklist vulnerability in Google Chrome before 8.0.552.215 ...) - chromium-browser 6.0.472.63~r59945-3 - webkit (chromium issue) CVE-2010-4486 (Use-after-free vulnerability in Google Chrome before 8.0.552.215 allow ...) - chromium-browser 6.0.472.63~r59945-3 - webkit (vulnerable code not present in 1.2) NOTE: http://trac.webkit.org/changeset/71170 CVE-2010-4485 (Google Chrome before 8.0.552.215 does not properly restrict the genera ...) - chromium-browser 9.0.597.83~r72435-1 (unimportant) NOTE: http://trac.webkit.org/changeset/69914 NOTE: only a browser crash due to opening too many dialogs (i.e. a dos) CVE-2010-4484 (Google Chrome before 8.0.552.215 does not properly handle HTML5 databa ...) - chromium-browser 9.0.597.83~r72435-1 (unimportant) [squeeze] - chromium-browser - webkit (chromium specific) NOTE: only a browser crash CVE-2010-4483 (Google Chrome before 8.0.552.215 does not properly restrict read acces ...) - chromium-browser 6.0.472.63~r59945-3 NOTE: https://bugs.webkit.org/show_bug.cgi?id=46678 CVE-2010-4482 (Unspecified vulnerability in Google Chrome before 8.0.552.215 allows r ...) - chromium-browser (unimportant) NOTE: unimportant, bypass the pop-up blocker NOTE: http://trac.webkit.org/changeset/69990 CVE-2010-4481 (phpMyAdmin before 3.4.0-beta1 allows remote attackers to bypass authen ...) {DSA-2139-1} - phpmyadmin 4:3.3.7-3 (bug #608290) NOTE: enables phpinfo output; this is disabled by default and phpinfo on Debian NOTE: systems is by and large full of otherwise predictable information. CVE-2010-4480 (error.php in PhpMyAdmin 3.3.8.1, and other versions before 3.4.0-beta1 ...) {DSA-2139-1} - phpmyadmin 4:3.3.7-3 (bug #608290) CVE-2010-4510 REJECTED CVE-2010-4479 (Unspecified vulnerability in pdf.c in libclamav in ClamAV before 0.96. ...) - clamav 0.96.5+dfsg-1 [lenny] - clamav (Introduced in 3643f3d2b0a38fdc7bc6777d093c857b9760804e) NOTE: Fixed in 019f1955194360600ecf0644959ceca6734c2d7b CVE-2010-4478 (OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly val ...) - openssh (J-PAKE not activated, see bug #606922) CVE-2010-4477 REJECTED CVE-2010-4476 (The Double.parseDouble method in Java Runtime Environment (JRE) in Ora ...) {DSA-2161-2 DSA-2161-1} - openjdk-6 6b18-1.8.7-1 (bug #612660) [lenny] - sun-java6 (non-free not supported) [squeeze] - sun-java6 (non-free not supported) - sun-java6 6.24-1 NOTE: Patch http://mail.openjdk.java.net/pipermail/core-libs-dev/2011-February/005795.html NOTE: Oracle http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html NOTE: Original report http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/ CVE-2010-4475 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Ora ...) - sun-java6 6.24-1 [lenny] - sun-java6 (non-free not supported) [squeeze] - sun-java6 (non-free not supported) CVE-2010-4474 (Unspecified vulnerability in the Java DB component in Oracle Java SE a ...) - sun-java6 6.24-1 [lenny] - sun-java6 (non-free not supported) [squeeze] - sun-java6 (non-free not supported) CVE-2010-4473 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Ora ...) - sun-java6 6.24-1 [lenny] - sun-java6 (non-free not supported) [squeeze] - sun-java6 (non-free not supported) CVE-2010-4472 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Ora ...) {DSA-2224-1} - sun-java6 6.24-1 - openjdk-6 6b18-1.8.7-1 (bug #614033) [lenny] - sun-java6 (non-free not supported) [squeeze] - sun-java6 (non-free not supported) CVE-2010-4471 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Ora ...) {DSA-2224-1} - sun-java6 6.24-1 [lenny] - sun-java6 (non-free not supported) [squeeze] - sun-java6 (non-free not supported) CVE-2010-4470 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Ora ...) {DSA-2224-1} - sun-java6 6.24-1 - openjdk-6 6b18-1.8.7-1 (bug #614033) [lenny] - sun-java6 (non-free not supported) [squeeze] - sun-java6 (non-free not supported) CVE-2010-4469 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Ora ...) {DSA-2224-1} - sun-java6 6.24-1 - openjdk-6 6b18-1.8.7-1 (bug #614033) [lenny] - sun-java6 (non-free not supported) [squeeze] - sun-java6 (non-free not supported) CVE-2010-4468 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Ora ...) - sun-java6 6.24-1 [lenny] - sun-java6 (non-free not supported) [squeeze] - sun-java6 (non-free not supported) CVE-2010-4467 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Ora ...) - sun-java6 6.24-1 [lenny] - sun-java6 (non-free not supported) [squeeze] - sun-java6 (non-free not supported) CVE-2010-4466 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Ora ...) - sun-java6 6.24-1 [lenny] - sun-java6 (non-free not supported) [squeeze] - sun-java6 (non-free not supported) CVE-2010-4465 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Ora ...) {DSA-2224-1} - sun-java6 6.24-1 - openjdk-6 6b18-1.8.7-1 (bug #614033) [lenny] - sun-java6 (non-free not supported) [squeeze] - sun-java6 (non-free not supported) CVE-2010-4464 (Unspecified vulnerability in Oracle Sun Convergence 1.0 allows remote ...) NOT-FOR-US: Oracle Convergence CVE-2010-4463 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Ora ...) - sun-java6 6.24-1 [lenny] - sun-java6 (non-free not supported) [squeeze] - sun-java6 (non-free not supported) CVE-2010-4462 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Ora ...) - sun-java6 6.24-1 [lenny] - sun-java6 (non-free not supported) [squeeze] - sun-java6 (non-free not supported) CVE-2010-4461 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: PeopleSoft CVE-2010-4460 (Unspecified vulnerability in Oracle Solaris 10 allows local users to a ...) NOT-FOR-US: Solaris CVE-2010-4459 (Unspecified vulnerability in Oracle Solaris 11 Express allows local us ...) NOT-FOR-US: Solaris CVE-2010-4458 (Unspecified vulnerability in Oracle Solaris 11 Express allows local us ...) NOT-FOR-US: Solaris CVE-2010-4457 (Unspecified vulnerability in Oracle Solaris 11 Express allows remote a ...) NOT-FOR-US: Solaris CVE-2010-4456 (Unspecified vulnerability in Oracle Sun Java System Communications Exp ...) NOT-FOR-US: Oracle Sun Java System Communications Express CVE-2010-4455 (Unspecified vulnerability in the Oracle HTTP Server component in Oracl ...) NOT-FOR-US: Oracle Fusion CVE-2010-4454 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Ora ...) - sun-java6 6.24-1 [lenny] - sun-java6 (non-free not supported) [squeeze] - sun-java6 (non-free not supported) CVE-2010-4453 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle WebLogic CVE-2010-4452 (Unspecified vulnerability in the Deployment component in Java Runtime ...) - sun-java6 6.24-1 [lenny] - sun-java6 (non-free not supported) [squeeze] - sun-java6 (non-free not supported) CVE-2010-4451 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Ora ...) - sun-java6 6.24-1 [lenny] - sun-java6 (non-free not supported) [squeeze] - sun-java6 (non-free not supported) CVE-2010-4450 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Ora ...) {DSA-2224-1} - sun-java6 6.24-1 - openjdk-6 6b18-1.8.7-1 (bug #614033) [lenny] - sun-java6 (non-free not supported) [squeeze] - sun-java6 (non-free not supported) CVE-2010-4449 (Unspecified vulnerability in the Audit Vault component in Oracle Audit ...) NOT-FOR-US: Oracle Audit CVE-2010-4448 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Ora ...) {DSA-2224-1} - sun-java6 6.24-1 - openjdk-6 6b18-1.8.7-1 (bug #614033) [lenny] - sun-java6 (non-free not supported) [squeeze] - sun-java6 (non-free not supported) CVE-2010-4447 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Ora ...) - sun-java6 6.24-1 [lenny] - sun-java6 (non-free not supported) [squeeze] - sun-java6 (non-free not supported) CVE-2010-4446 (Unspecified vulnerability in Oracle Solaris 11 Express allows local us ...) NOT-FOR-US: Solaris CVE-2010-4445 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: PeopleSoft CVE-2010-4444 (Unspecified vulnerability in Oracle Sun Java System Access Manager and ...) NOT-FOR-US: OpenSSO CVE-2010-4443 (Unspecified vulnerability in Oracle Solaris 10 and 11 Express allows l ...) NOT-FOR-US: Solaris CVE-2010-4442 (Unspecified vulnerability in Oracle Solaris 10 and 11 Express allows l ...) NOT-FOR-US: Solaris CVE-2010-4441 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: PeopleSoft CVE-2010-4440 (Unspecified vulnerability in Oracle 10 and 11 Express allows local use ...) NOT-FOR-US: Oracle Express CVE-2010-4439 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: PeopleSoft CVE-2010-4438 (Unspecified vulnerability in Oracle GlassFish 2.1, 2.1.1, and 3.0.1, a ...) - glassfish (Only builds a few class libs) CVE-2010-4437 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: WebLogic CVE-2010-4436 (Unspecified vulnerability in Oracle Sun Management Center (SunMC) 4.0 ...) NOT-FOR-US: SunMC CVE-2010-4435 (Unspecified vulnerability in Oracle Solaris 8, 9, and 10 allows remote ...) NOT-FOR-US: Solaris CVE-2010-4434 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft CVE-2010-4433 (Unspecified vulnerability in Oracle Solaris 10 allows remote attackers ...) NOT-FOR-US: Solaris CVE-2010-4432 (Unspecified vulnerability in the Oracle Transportation Manager compone ...) NOT-FOR-US: Oracle Supply Chain CVE-2010-4431 (Unspecified vulnerability in Oracle Sun Java System Portal Server 7.1 ...) NOT-FOR-US: Oracle Sun Java System Portal Server CVE-2010-4430 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: PeopleSoft CVE-2010-4429 (Unspecified vulnerability in the Agile Core component in Oracle Supply ...) NOT-FOR-US: Oracle Supply Chain CVE-2010-4428 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: PeopleSoft CVE-2010-4427 (Unspecified vulnerability in the Oracle BI Publisher component in Orac ...) NOT-FOR-US: Oracle BI Publisher CVE-2010-4426 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft CVE-2010-4425 (Unspecified vulnerability in the Oracle BI Publisher component in Orac ...) NOT-FOR-US: Oracle BI Publisher CVE-2010-4424 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft CVE-2010-4423 (Unspecified vulnerability in the Cluster Verify Utility component in O ...) NOT-FOR-US: Oracle Database CVE-2010-4422 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Ora ...) - sun-java6 6.24-1 [lenny] - sun-java6 (non-free not supported) [squeeze] - sun-java6 (non-free not supported) CVE-2010-4421 (Unspecified vulnerability in the Database Vault component in Oracle Da ...) NOT-FOR-US: Oracle Database CVE-2010-4420 (Unspecified vulnerability in the Database Vault component in Oracle Da ...) NOT-FOR-US: Oracle Database CVE-2010-4419 (Unspecified vulnerability in the PeopleSoft Enterprise CRM component i ...) NOT-FOR-US: PeopleSoft CVE-2010-4418 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft CVE-2010-4417 (Unspecified vulnerability in the Services for Beehive component in Ora ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2010-4416 (Unspecified vulnerability in the Oracle GoldenGate Veridata component ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2010-4415 (Unspecified vulnerability in Oracle Solaris 8, 9, and 10 allows local ...) NOT-FOR-US: Solaris CVE-2010-4414 (Unspecified vulnerability in Oracle VM VirtualBox 4.0 allows local use ...) - virtualbox-ose (Support for extensions was added in 4.x, see #611925) CVE-2010-4413 (Unspecified vulnerability in the Scheduler Agent component in Oracle D ...) NOT-FOR-US: Oracle Database CVE-2010-4412 (Multiple cross-site scripting (XSS) vulnerabilities in pfSense 2 beta ...) NOT-FOR-US: pfSense CVE-2010-4411 (Unspecified vulnerability in CGI.pm 3.50 and earlier allows remote att ...) - perl 5.10.1-17 (bug #606995) [lenny] - perl 5.10.0-19lenny3 - libcgi-simple-perl 1.111-2 (bug #606379) [lenny] - libcgi-simple-perl 1.105-1lenny1 - libcgi-pm-perl 3.51-1 (bug #606370) [lenny] - libcgi-pm-perl 3.38-2lenny2 [squeeze] - libcgi-pm-perl 3.49-1squeeze1 CVE-2010-4410 (CRLF injection vulnerability in the header function in (1) CGI.pm befo ...) - perl 5.10.1-17 (bug #606995) [lenny] - perl 5.10.0-19lenny3 - libcgi-pm-perl 3.50-1 (bug #606370) [lenny] - libcgi-pm-perl 3.38-2lenny2 [squeeze] - libcgi-pm-perl 3.49-1squeeze1 - libcgi-simple-perl 1.111-2 (bug #606379) [lenny] - libcgi-simple-perl 1.105-1lenny1 CVE-2010-4408 (Apache Archiva 1.0 through 1.0.3, 1.1 through 1.1.4, 1.2 through 1.2.2 ...) NOT-FOR-US: Apache archiva CVE-2008-7270 (OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is ...) - openssl 0.9.8k-1 [lenny] - openssl 0.9.8g-15+lenny11 NOTE: lenny was fixed as a side effect of the fix of CVE-2010-4180 NOTE: which disabled the bug compatibility code CVE-2010-4334 (The IO::Socket::SSL module 1.35 for Perl, when verify_mode is not VERI ...) - libio-socket-ssl-perl 1.35-1 (bug #606058) [squeeze] - libio-socket-ssl-perl 1.33-1+squeeze1 [lenny] - libio-socket-ssl-perl (Vulnerable code not present) CVE-2010-4335 (The _validatePost function in libs/controller/components/security.php ...) - cakephp 1.3.2-1.1 (bug #606386) [lenny] - cakephp NOTE: https://github.com/cakephp/cakephp/commit/e431e86aa4301ced4273dc7919b59362cbb353cb CVE-2010-4336 (The cu_rrd_create_file function (src/utils_rrdcreate.c) in collectd 4. ...) {DSA-2133-1} - collectd 4.10.1-2.1 (bug #605092; low) [squeeze] - collectd 4.10.1-1+squeeze2 CVE-2010-4337 (The configure script in gnash 0.8.8 allows local users to overwrite ar ...) {DSA-2435-1} - gnash 0.8.8-8 (unimportant; bug #605419) CVE-2006-7243 (PHP before 5.3.4 accepts the \0 character in a pathname, which might a ...) - php5 5.3.3-6 (low) NOTE: old, known, issue -- partial protection by the suhosin extension NOTE: http://svn.php.net/viewvc?view=revision&revision=305507 CVE-2010-4409 (Integer overflow in the NumberFormatter::getSymbol (aka numfmt_get_sym ...) - php5 5.3.3-6 [lenny] - php5 (intl extension included since 5.3) NOTE: http://www.kb.cert.org/vuls/id/479900 CVE-2010-4407 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Al ...) NOT-FOR-US: AlGuest CVE-2010-4406 (Directory traversal vulnerability in gallery.php in Brunetton LittlePh ...) NOT-FOR-US: LittlePhpGallery CVE-2010-4405 (Cross-site scripting (XSS) vulnerability in the Yannick Gaultier sh404 ...) NOT-FOR-US: Joomla! extension CVE-2010-4404 (SQL injection vulnerability in the Yannick Gaultier sh404SEF component ...) NOT-FOR-US: Joomla! extension CVE-2010-4403 (The Register Plus plugin 3.5.1 and earlier for WordPress allows remote ...) NOT-FOR-US: The Register Plus plugin for WordPress CVE-2010-4402 (Multiple cross-site scripting (XSS) vulnerabilities in wp-login.php in ...) NOT-FOR-US: The Register Plus plugin for WordPress CVE-2010-4401 (languages.inc.php in DynPG CMS 4.2.0 allows remote attackers to obtain ...) NOT-FOR-US: DynPG CVE-2010-4400 (SQL injection vulnerability in _rights.php in DynPG CMS 4.2.0 allows r ...) NOT-FOR-US: DynPG CVE-2010-4399 (Directory traversal vulnerability in languages.inc.php in DynPG CMS 4. ...) NOT-FOR-US: DynPG CVE-2010-4398 (Stack-based buffer overflow in the RtlQueryRegistryValues function in ...) NOT-FOR-US: Microsoft Windows CVE-2010-4397 (Integer overflow in the pnen3260.dll module in RealNetworks RealPlayer ...) NOT-FOR-US: RealPlayer CVE-2010-4396 (Cross-zone scripting vulnerability in the HandleAction method in a cer ...) NOT-FOR-US: RealPlayer CVE-2010-4395 (Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11. ...) NOT-FOR-US: RealPlayer CVE-2010-4394 (Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11. ...) NOT-FOR-US: RealPlayer CVE-2010-4393 (Heap-based buffer overflow in vidplin.dll in RealNetworks RealPlayer 1 ...) NOT-FOR-US: RealPlayer CVE-2010-4392 (Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11. ...) NOT-FOR-US: RealPlayer CVE-2010-4391 (Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11. ...) NOT-FOR-US: RealPlayer CVE-2010-4390 (Multiple heap-based buffer overflows in RealNetworks RealPlayer 11.0 t ...) NOT-FOR-US: RealPlayer CVE-2010-4389 (Heap-based buffer overflow in the cook codec in RealNetworks RealPlaye ...) NOT-FOR-US: RealPlayer CVE-2010-4388 (The (1) Upsell.htm, (2) Main.html, and (3) Custsupport.html components ...) NOT-FOR-US: RealPlayer CVE-2010-4387 (The RealAudio codec in RealNetworks RealPlayer 11.0 through 11.1, Real ...) NOT-FOR-US: RealPlayer CVE-2010-4386 (RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1 ...) NOT-FOR-US: RealPlayer CVE-2010-4385 (Integer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPla ...) NOT-FOR-US: RealPlayer CVE-2010-4384 (Array index error in RealNetworks RealPlayer 11.0 through 11.1, RealPl ...) NOT-FOR-US: RealPlayer CVE-2010-4383 (Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11. ...) NOT-FOR-US: RealPlayer CVE-2010-4382 (Multiple heap-based buffer overflows in RealNetworks RealPlayer 11.0 t ...) NOT-FOR-US: RealPlayer CVE-2010-4381 (Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11. ...) NOT-FOR-US: RealPlayer CVE-2010-4380 (Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11. ...) NOT-FOR-US: RealPlayer CVE-2010-4379 (Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11. ...) NOT-FOR-US: RealPlayer CVE-2010-4378 (The drv2.dll (aka RV20 decompression) module in RealNetworks RealPlaye ...) NOT-FOR-US: RealPlayer CVE-2010-4377 (Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11. ...) NOT-FOR-US: RealPlayer CVE-2010-4376 (Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11. ...) NOT-FOR-US: RealPlayer CVE-2010-4375 (Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11. ...) NOT-FOR-US: RealPlayer CVE-2010-4374 (The in_mkv plugin in Winamp before 5.6 allows remote attackers to caus ...) NOT-FOR-US: Winamp CVE-2010-4373 (The in_mp4 plugin in Winamp before 5.6 allows remote attackers to caus ...) NOT-FOR-US: Winamp CVE-2010-4372 (Integer overflow in the in_nsv plugin in Winamp before 5.6 allows remo ...) NOT-FOR-US: Winamp CVE-2010-4371 (Buffer overflow in the in_mod plugin in Winamp before 5.6 allows remot ...) NOT-FOR-US: Winamp CVE-2010-4370 (Multiple integer overflows in the in_midi plugin in Winamp before 5.6 ...) NOT-FOR-US: Winamp CVE-2010-4369 (Directory traversal vulnerability in AWStats before 7.0 allows remote ...) - awstats 6.9.5~dfsg-5 (low; bug #606263) [lenny] - awstats 6.7.dfsg-5.1+lenny1 CVE-2010-4368 (awstats.cgi in AWStats before 7.0 on Windows accepts a configdir param ...) - awstats (Windows-specific issue) NOTE: looks like it's the same as CVE-2010-4367 CVE-2010-4367 (awstats.cgi in AWStats before 7.0 accepts a configdir parameter in the ...) - awstats 6.9.5~dfsg-5 (low; bug #606263) [lenny] - awstats 6.7.dfsg-5.1+lenny1 CVE-2009-5020 (Open redirect vulnerability in awredir.pl in AWStats before 6.95 allow ...) - awstats 6.9.5~dfsg-1 (unimportant) CVE-2010-4338 (ocrodjvu 0.4.6-1 on Debian GNU/Linux allows local users to modify arbi ...) - ocrodjvu 0.4.6-2 (low; bug #598134) CVE-2010-4339 (Cross-site scripting (XSS) vulnerability in Hypermail 2.2.0 allows rem ...) - hypermail (low; bug #598743) [lenny] - hypermail (Minor issue) CVE-2010-4366 (Multiple cross-site scripting (XSS) vulnerabilities in forum_new_topic ...) NOT-FOR-US: Chameleon Social Networking CVE-2010-4365 (SQL injection vulnerability in JE Ajax Event Calendar (com_jeajaxevent ...) NOT-FOR-US: Joomla! extension CVE-2010-4364 (DaDaBIK 4.3 beta3, when running in a case-sensitive environment, does ...) NOT-FOR-US: DaDaBIK CVE-2010-4363 (Multiple SQL injection vulnerabilities in contact.php in MRCGIGUY (MCG ...) NOT-FOR-US: FreeTicket CVE-2010-4362 (Multiple SQL injection vulnerabilities in MicroNetsoft RV Dealer Websi ...) NOT-FOR-US: MicroNetsoft RV Dealer CVE-2010-4361 (Cross-site scripting (XSS) vulnerability in url-gateway.php in Jurpopa ...) NOT-FOR-US: Jurpopage CVE-2010-4360 (Multiple SQL injection vulnerabilities in index.php in Jurpopage 0.2.0 ...) NOT-FOR-US: Jurpopage CVE-2010-4359 (SQL injection vulnerability in index.php in Jurpopage 0.2.0 allows rem ...) NOT-FOR-US: Jurpopage CVE-2010-4358 (Multiple cross-site scripting (XSS) vulnerabilities in gb.cgi in MRCGI ...) NOT-FOR-US: MRCGIGUY (MCG) Guestbook CVE-2010-4357 (SQL injection vulnerability in comments.php in SiteEngine 7.1 allows r ...) NOT-FOR-US: SiteEngine CVE-2010-4356 (SQL injection vulnerability in news_default.asp in Site2Nite Big Truck ...) NOT-FOR-US: Site2Nite Big Truck CVE-2010-4355 (Cross-site scripting (XSS) vulnerability in DaDaBIK before 4.3 beta2, ...) NOT-FOR-US: DaDaBIK CVE-2009-5019 (Web Wiz NewsPad stores sensitive information under the web root with i ...) NOT-FOR-US: Web Wiz NewsPad CVE-2008-7269 (Open redirect vulnerability in api.php in SiteEngine 5.x allows user-a ...) NOT-FOR-US: SiteEngine CVE-2008-7268 (The phpinfo function in SiteEngine 5.x allows remote attackers to obta ...) NOT-FOR-US: SiteEngine CVE-2008-7267 (SQL injection vulnerability in announcements.php in SiteEngine 5.x all ...) NOT-FOR-US: SiteEngine CVE-2010-XXXX [elfsign uses cryptographically weak md5 hashes] - elfsign (low; bug #555668) [lenny] - elfsign (a stronger hashing algorithm would completely change functionality of the package) CVE-2010-4354 (The remote-access IPSec VPN implementation on Cisco Adaptive Security ...) NOT-FOR-US: Cisco ASA CVE-2010-4353 (Unrestricted file upload vulnerability in modules/gallery/models/item. ...) - gallery3 (bug #511715) CVE-2010-4352 (Stack consumption vulnerability in D-Bus (aka DBus) before 1.4.1 allow ...) {DSA-2149-1} - dbus 1.2.24-4 CVE-2010-4351 (The JNLP SecurityManager in IcedTea (IcedTea.so) 1.7 before 1.7.7, 1.8 ...) {DSA-2224-1} - openjdk-6 6b18-1.8.4-1 [squeeze] - openjdk-6 (bug #614151) [lenny] - openjdk-6 (bug #614151) CVE-2010-4350 (Directory traversal vulnerability in admin/upgrade_unattended.php in M ...) - mantis (admin dir procected in Apache config, see #607159) CVE-2010-4349 (admin/upgrade_unattended.php in MantisBT before 1.2.4 allows remote at ...) - mantis (admin dir procected in Apache config, see #607159) CVE-2010-4348 (Cross-site scripting (XSS) vulnerability in admin/upgrade_unattended.p ...) - mantis (admin dir procected in Apache config, see #607159) CVE-2010-4347 (The ACPI subsystem in the Linux kernel before 2.6.36.2 uses 0222 permi ...) - linux-2.6 (Introduced in 2.6.33 and fixed in 2.6.36.2, we never released an affected kernel) CVE-2010-4346 (The install_special_mapping function in mm/mmap.c in the Linux kernel ...) {DSA-2153-1} - linux-2.6 2.6.32-30 CVE-2010-4345 (Exim 4.72 and earlier allows local users to gain privileges by leverag ...) {DSA-2154-1} - exim4 4.72-3 (bug #606527) CVE-2010-4344 (Heap-based buffer overflow in the string_vformat function in string.c ...) {DSA-2131-1} - exim4 4.70-1 (bug #606612) CVE-2010-4343 (drivers/scsi/bfa/bfa_core.c in the Linux kernel before 2.6.35 does not ...) - linux-2.6 2.6.32-30 [lenny] - linux-2.6 (Driver introduced in 2.6.32) CVE-2010-4342 (The aun_incoming function in net/econet/af_econet.c in the Linux kerne ...) {DSA-2153-1} - linux-2.6 2.6.32-30 CVE-2010-4341 (The pam_parse_in_data_v2 function in src/responder/pam/pamsrv_cmd.c in ...) - sssd 1.2.1-4.1 (bug #610032) [squeeze] - sssd 1.2.1-4+squeeze1 [wheezy] - sssd 1.2.1-4+squeeze1 CVE-2010-4333 (Pointter PHP Micro-Blogging Social Network 1.8 allows remote attackers ...) NOT-FOR-US: Pointter PHP Micro-Blogging Social Network CVE-2010-4332 (Pointter PHP Content Management System 1.0 allows remote attackers to ...) NOT-FOR-US: Pointter PHP Content Management System CVE-2010-4331 (Multiple cross-site scripting (XSS) vulnerabilities in Seo Panel 2.2.0 ...) NOT-FOR-US: Seo Panel CVE-2010-4330 (Directory traversal vulnerability in includes/controller.php in Pulse ...) NOT-FOR-US: Pulse CMS Basic CVE-2010-4329 (Cross-site scripting (XSS) vulnerability in the PMA_linkOrButton funct ...) {DSA-2139-1} - phpmyadmin 4:3.3.7-2 CVE-2010-4328 (Multiple stack-based buffer overflows in opt/novell/iprint/bin/ipsmd i ...) NOT-FOR-US: Novell iPrint LPD CVE-2010-4327 (Unspecified vulnerability in the NCP service in Novell eDirectory 8.8. ...) NOT-FOR-US: Novell eDirectory CVE-2010-4326 (Multiple buffer overflows in gwwww1.dll in GroupWise Internet Agent (G ...) NOT-FOR-US: Groupwise CVE-2010-4325 (Buffer overflow in gwwww1.dll in GroupWise Internet Agent (GWIA) in No ...) NOT-FOR-US: Groupwise CVE-2010-4324 (Cross-site scripting (XSS) vulnerability in the Approval Form in the U ...) NOT-FOR-US: Novell Identity Manager CVE-2010-4323 (Heap-based buffer overflow in novell-tftp.exe in Novell ZENworks Confi ...) NOT-FOR-US: Novell ZENworks CVE-2010-4322 (Cross-site scripting (XSS) vulnerability in gwtTeaming.rpc in Novell V ...) NOT-FOR-US: Novell Vibe CVE-2010-4321 (Stack-based buffer overflow in an ActiveX control in ienipp.ocx in Nov ...) NOT-FOR-US: Novell iPrint client CVE-2010-4320 RESERVED CVE-2010-4319 RESERVED CVE-2010-4318 RESERVED CVE-2010-4317 RESERVED CVE-2010-4316 RESERVED CVE-2010-4315 RESERVED CVE-2010-4314 (Remote attackers can use the iPrint web-browser ActiveX plugin in Nove ...) NOT-FOR-US: iPrint web-browser ActiveX plugin in Novell iPrint Client CVE-2010-4313 (Unrestricted file upload vulnerability in fileman_file_upload.php in O ...) NOT-FOR-US: Orbis CMS CVE-2010-4312 (The default configuration of Apache Tomcat 6.x does not include the HT ...) - tomcat6 6.0.35-5 (unimportant; bug #608286) [lenny] - tomcat6 (Only ships the servlet package) CVE-2010-4311 (Free Simple Software 1.0 stores passwords in cleartext, which allows c ...) NOT-FOR-US: Free Simple Software CVE-2010-4310 RESERVED CVE-2010-4309 (Adobe Shockwave Player before 11.6.1.629 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-4308 (Adobe Shockwave Player before 11.6.1.629 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-4307 (Buffer overflow in Adobe Shockwave Player before 11.5.9.620 allows att ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-4306 (Adobe Shockwave Player before 11.5.9.620 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-4305 (Cisco Unified Videoconferencing (UVC) System 3545, 5110, 5115, and 523 ...) NOT-FOR-US: Cisco Unified Videoconferencing CVE-2010-4304 (The web interface in Cisco Unified Videoconferencing (UVC) System 3545 ...) NOT-FOR-US: Cisco Unified Videoconferencing CVE-2010-4303 (Cisco Unified Videoconferencing (UVC) System 5110 and 5115, when the L ...) NOT-FOR-US: Cisco Unified Videoconferencing CVE-2010-4302 (/opt/rv/Versions/CurrentVersion/Mcu/Config/Mcu.val in Cisco Unified Vi ...) NOT-FOR-US: Cisco Unified Videoconferencing CVE-2010-4299 (Heap-based buffer overflow in ZfHIPCND.exe in Novell Zenworks 7 Handhe ...) NOT-FOR-US: Novell Zenworks CVE-2010-4298 (SQL injection vulnerability in the download module in Free Simple Soft ...) NOT-FOR-US: Free Simple Software CVE-2010-4297 (The VMware Tools update functionality in VMware Workstation 6.5.x befo ...) NOT-FOR-US: VMware CVE-2010-4296 (vmware-mount in VMware Workstation 7.x before 7.1.2 build 301548 on Li ...) NOT-FOR-US: VMware CVE-2010-4295 (Race condition in the mounting process in vmware-mount in VMware Works ...) NOT-FOR-US: VMware CVE-2010-4294 (The frame decompression functionality in the VMnc media codec in VMwar ...) NOT-FOR-US: VMware CVE-2008-7266 (Cross-site scripting (XSS) vulnerability in an unspecified Shockwave F ...) NOT-FOR-US: RSA Adaptive Authentication CVE-2010-XXXX [directory traversal] - openacs 5.5.1+dfsg-2 - dotlrn 2.5.0+dfsg-2 CVE-2010-XXXX [insecure python path handling] - pymca 4.4.1p1-1 (low; bug #605160) - opendnssec 1.1.3-2 (low; bug #605161) - pybliographer 1.2.14-3 (low; bug #605153) [squeeze] - pybliographer 1.2.12-4squeeze1 - calendarserver 2.4.dfsg-2.1 (low; bug #605157) [lenny] - calendarserver (Minor issue) - gquilt 0.22-1.1 (low; bug #605152) [lenny] - gquilt 0.20-2+lenny1 - snappea 3.0d3-20 (low; bug #605151) [lenny] - snappea (Minor issue) - dlr-languages 20090805+git.e6b28d27+dfsg-3 (low; bug #605158) [lenny] - ironpython (Minor issue) - gnome-schedule 2.1.1-3.1 (low; bug #605169) [lenny] - gnome-schedule (Minor issue) - gnumed-client 0.8.5-1 (low; bug #605159) [squeeze] - gnumed-client 0.7.10-1 [lenny] - gnumed-client (Minor issue) - distcc 3.1-3.2 (low; bug #605168) [lenny] - distcc (Vulnerable code not present) - mmass 3.8.0-2 (low; bug #605150) [squeeze] - mmass (Doesn't set PYTHONPATH) - guake 0.4.2-3 (low; bug #605163) CVE-2010-4301 (epan/dissectors/packet-zbee-zcl.c in the ZigBee ZCL dissector in Wires ...) - wireshark (Only affects >= 1.4) CVE-2010-4300 (Heap-based buffer overflow in the dissect_ldss_transfer function (epan ...) - wireshark 1.2.11-4 [lenny] - wireshark (Only affects >= 1.2) CVE-2010-4293 REJECTED CVE-2010-4292 REJECTED CVE-2010-4291 REJECTED CVE-2010-4290 REJECTED CVE-2010-4289 REJECTED CVE-2010-4288 REJECTED CVE-2010-4287 REJECTED CVE-2010-4286 REJECTED CVE-2010-4285 REJECTED CVE-2010-4284 (SQL injection vulnerability in the authentication form in the integrat ...) NOT-FOR-US: Samsung Integrated Management System CVE-2010-4283 (PHP remote file inclusion vulnerability in extras/pandora_diag.php in ...) NOT-FOR-US: Pandora FMS CVE-2010-4282 (Multiple directory traversal vulnerabilities in Pandora FMS before 3.1 ...) NOT-FOR-US: Pandora FMS CVE-2010-4281 (Incomplete blacklist vulnerability in the safe_url_extraclean function ...) NOT-FOR-US: Pandora FMS CVE-2010-4280 (Multiple SQL injection vulnerabilities in Pandora FMS before 3.1.1 all ...) NOT-FOR-US: Pandora FMS CVE-2010-4279 (The default configuration of Pandora FMS 3.1 and earlier specifies an ...) NOT-FOR-US: Pandora FMS CVE-2010-4278 (operation/agentes/networkmap.php in Pandora FMS before 3.1.1 allows re ...) NOT-FOR-US: Pandora FMS CVE-2010-4277 (Cross-site scripting (XSS) vulnerability in lembedded-video.php in the ...) NOT-FOR-US: Embedded Video plugin 4.1 for WordPress CVE-2010-4276 (Cross-site scripting (XSS) vulnerability in the lz_tracking_set_sessid ...) NOT-FOR-US: LiveZilla CVE-2010-4275 (Multiple cross-site scripting (XSS) vulnerabilities in Radius Manager ...) NOT-FOR-US: Radius Manager CVE-2010-4274 (reset_diragent_keys in the Common agent in IBM Systems Director 6.2.0 ...) NOT-FOR-US: IBM Systems Director CVE-2010-4273 (SQL injection vulnerability in imoveis.php in DescargarVista ACC IMove ...) NOT-FOR-US: DescargarVista ACC CVE-2010-4272 (SQL injection vulnerability in the Pulse Infotech Sponsor Wall (com_sp ...) NOT-FOR-US: Pulse Infotech Sponsor Wall CVE-2010-4271 (SQL injection vulnerability in ImpressCMS before 1.2.3 RC2 allows remo ...) NOT-FOR-US: ImpressCMS CVE-2010-4270 (Directory traversal vulnerability in the nBill (com_netinvoice) compon ...) NOT-FOR-US: Joomla addon CVE-2010-4269 (SQL injection vulnerability in managechat.php in Collabtive 0.65 allow ...) NOT-FOR-US: Collabtive CVE-2010-4268 (SQL injection vulnerability in the Pulse Infotech Flip Wall (com_flipw ...) NOT-FOR-US: Pulse Infotech CVE-2010-4267 (Stack-based buffer overflow in the hpmud_get_pml function in io/hpmud/ ...) {DSA-2152-1} - hplip 3.10.6-2 (bug #610960) CVE-2010-4266 RESERVED CVE-2010-4265 (The org.jboss.remoting.transport.bisocket.BisocketServerInvoker$Second ...) - jbossas4 (Red Hat issue, they didn't include the fix for CVE-2010-3862 in the update) CVE-2010-4264 RESERVED CVE-2010-4263 (The igb_receive_skb function in drivers/net/igb/igb_main.c in the Inte ...) - linux-2.6 2.6.32-30 [lenny] - linux-2.6 (Vulnerable code not present) CVE-2010-4262 (Stack-based buffer overflow in Xfig 3.2.4 and 3.2.5 allows remote atta ...) - xfig 1:3.2.5.b-1.1 (bug #606257) NOTE: details and patch at https://bugzilla.redhat.com/659676 CVE-2010-4261 (Off-by-one error in the icon_cb function in pe_icons.c in libclamav in ...) - clamav 0.96.5+dfsg-1 [lenny] - clamav (icon extractor not yet present) NOTE: Fixed in 1f3db7f074995bd4e1d0183b2db8b1c472d2f41b CVE-2010-4260 (Multiple unspecified vulnerabilities in pdf.c in libclamav in ClamAV b ...) - clamav 0.96.5+dfsg-1 [lenny] - clamav (Introduced in 3643f3d2b0a38fdc7bc6777d093c857b9760804e) NOTE: Fixed in 019f1955194360600ecf0644959ceca6734c2d7b CVE-2010-4259 (Stack-based buffer overflow in FontForge 20100501 allows remote attack ...) {DSA-2253-1} - fontforge 0.0.20100501-4 (bug #605537) CVE-2010-4258 (The do_exit function in kernel/exit.c in the Linux kernel before 2.6.3 ...) {DSA-2153-1} - linux-2.6 2.6.32-29 CVE-2010-4257 (SQL injection vulnerability in the do_trackbacks function in wp-includ ...) {DSA-2138-1} NOTE: http://core.trac.wordpress.org/changeset/16625 - wordpress 3.0.2-1 (bug #605603) CVE-2010-4256 (The pipe_fcntl function in fs/pipe.c in the Linux kernel before 2.6.37 ...) - linux-2.6 (introduced in 2.6.35; fixed in 2.6.37) CVE-2010-4255 (The fixup_page_fault function in arch/x86/traps.c in Xen 4.0.1 and ear ...) - xen 4.0.1-2 (bug #609531) CVE-2010-4254 (Mono, when Moonlight before 2.3.0.1 or 2.99.x before 2.99.0.10 is used ...) - moon (Debian's version of Moonlight is not affected, see #608288) CVE-2010-4253 (Heap-based buffer overflow in Impress in OpenOffice.org (OOo) 2.x and ...) {DSA-2151-1} - openoffice.org 1:3.2.1-11+squeeze2 CVE-2010-4252 (OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly valid ...) - openssl (configured with -DOPENSSL_NO_JPAKE; bug #606902) NOTE: http://www.openssl.org/news/secadv/20101202.txt CVE-2010-4251 (The socket implementation in net/core/sock.c in the Linux kernel befor ...) - linux-2.6 2.6.32-22 CVE-2010-4250 (Memory leak in the inotify_init1 function in fs/notify/inotify/inotify ...) - linux-2.6 2.6.37-1 [squeeze] - linux-2.6 (Introduced after 2.6.32) [lenny] - linux-2.6 (Introduced after 2.6.32) [wheezy] - linux-2.6 (Introduced after 2.6.32) CVE-2010-4249 (The wait_for_unix_gc function in net/unix/garbage.c in the Linux kerne ...) {DSA-2153-1} - linux-2.6 2.6.32-30 CVE-2010-4248 (Race condition in the __exit_signal function in kernel/exit.c in the L ...) {DSA-2153-1} - linux-2.6 2.6.32-29 CVE-2010-4247 (The do_block_io_op function in (1) drivers/xen/blkback/blkback.c and ( ...) - linux-2.6 (changes included since introduction of dom0 support) CVE-2010-4246 (Multiple cross-site scripting (XSS) vulnerabilities in graph.php in pf ...) NOT-FOR-US: pfSense CVE-2010-4245 (pootle 2.0.5 has XSS via 'match_names' parameter ...) - pootle 2.0.5-0.3 (low; bug #604060) [lenny] - pootle (Vulnerable code not present) CVE-2010-4244 REJECTED CVE-2010-4243 (fs/exec.c in the Linux kernel before 2.6.37 does not enable the OOM Ki ...) {DSA-2153-1} - linux-2.6 2.6.32-30 CVE-2010-4242 (The hci_uart_tty_open function in the HCI UART driver (drivers/bluetoo ...) {DSA-2153-1} - linux-2.6 2.6.32-28 CVE-2010-4241 (Tiki Wiki CMS Groupware 5.2 has CSRF ...) - tikiwiki CVE-2010-4240 (Tiki Wiki CMS Groupware 5.2 has XSS ...) - tikiwiki CVE-2010-4239 (Tiki Wiki CMS Groupware 5.2 has Local File Inclusion ...) - tikiwiki CVE-2010-4238 (The vbd_create function in Xen 3.1.2, when the Linux kernel 2.6.18 on ...) - linux-2.6 (RedHat-specific issue, does not affect Xen-upstream/Debian) CVE-2010-4236 (Untrusted search path vulnerability in estaskwrapper in IBM OmniFind E ...) NOT-FOR-US: IBM OmniFind Enterprise Edition CVE-2010-4235 (Format string vulnerability in RealNetworks Helix Server 12.x, 13.x, a ...) NOT-FOR-US: RealNetworks Helix CVE-2010-4234 (The web server on the Camtron CMNC-200 Full HD IP Camera and TecVoz CM ...) NOT-FOR-US: Camtron, TecVoz CVE-2010-4233 (The Linux installation on the Camtron CMNC-200 Full HD IP Camera and T ...) NOT-FOR-US: Camtron, TecVoz CVE-2010-4232 (The web-based administration interface on the Camtron CMNC-200 Full HD ...) NOT-FOR-US: Camtron, TecVoz CVE-2010-4231 (Directory traversal vulnerability in the web-based administration inte ...) NOT-FOR-US: Camtron, TecVoz CVE-2010-4230 (Stack-based buffer overflow in a certain ActiveX control for the Camtr ...) NOT-FOR-US: Camtron, TecVoz CVE-2010-4229 (Directory traversal vulnerability in an unspecified servlet in the Inv ...) NOT-FOR-US: Novell ZENworks Configuration Management CVE-2010-4228 (Stack-based buffer overflow in NWFTPD.NLM before 5.10.02 in the FTP se ...) NOT-FOR-US: Novell NetWare CVE-2010-4227 (The xdrDecodeString function in XNFS.NLM in Novell Netware 6.5 before ...) NOT-FOR-US: Novell Netware CVE-2010-4226 (cpio, as used in build 2007.05.10, 2010.07.28, and possibly other vers ...) NOT-FOR-US: OpenSuSE build services NOTE: This might qualify as a cpio hardening issue, but this CVE-ID is not about cpio itself. CVE-2010-4225 (Unspecified vulnerability in the mod_mono module for XSP in Mono 2.8.x ...) - mono 2.6.7-5 (bug #608288) CVE-2010-4224 RESERVED CVE-2010-4223 RESERVED CVE-2010-4222 RESERVED CVE-2009-5017 (Mozilla Firefox before 3.6 Beta 3 does not properly handle overlong UT ...) - xulrunner [wheezy] - xulrunner (no detailed information available) CVE-2009-5016 (Integer overflow in the xml_utf8_decode function in ext/xml/xml.c in P ...) - php5 5.3.3-4 [lenny] - php5 5.2.6.dfsg.1-1+lenny10 [squeeze] - php5 5.3.3-7+squeeze1 NOTE: Also fixed by debian/patches/CVE-2010-3870.patch CVE-2010-4221 (Multiple stack-based buffer overflows in the pr_netio_telnet_gets func ...) - proftpd-dfsg 1.3.3a-5 (bug #603511; bug #602279) [lenny] - proftpd-dfsg (Introduced in 1.3.2rc3) CVE-2010-4220 (Cross-site scripting (XSS) vulnerability in the Integrated Solution Co ...) NOT-FOR-US: IBM WebSphere CVE-2010-4219 (Cross-site scripting (XSS) vulnerability in SemanticTagService.js in I ...) NOT-FOR-US: IBM WebSphere CVE-2010-4218 (Unspecified vulnerability in Web Services in IBM ENOVIA 6 has unknown ...) NOT-FOR-US: IBM ENOVIA 6 CVE-2010-4217 (Use-after-free vulnerability in the proxy server in IBM Tivoli Directo ...) NOT-FOR-US: IBM Tivoli Directory Server CVE-2010-4216 (IBM Tivoli Directory Server (TDS) 6.0.0.x before 6.0.0.8-TIV-ITDS-IF00 ...) NOT-FOR-US: IBM Tivoli Directory Server CVE-2010-4215 (UI/Manage.pm in Foswiki 1.1.0 and 1.1.1 allows remote authenticated us ...) - foswiki (bug #509864) CVE-2010-4214 (The Wells Fargo Mobile application 1.1 for Android stores a username a ...) NOT-FOR-US: Wells Fargo Mobile for Android CVE-2010-4213 (The Bank of America application 2.12 for Android stores a security que ...) NOT-FOR-US: Bank of America application for Android CVE-2010-4212 (The USAA application 3.0 for Android stores a mirror image of each vis ...) NOT-FOR-US: USAA application for Android CVE-2010-4211 (The PayPal app before 3.0.1 for iOS does not verify that the server ho ...) NOT-FOR-US: PayPal app for iOS CVE-2010-4210 (The pfs_getextattr function in FreeBSD 7.x before 7.3-RELEASE and 8.x ...) - kfreebsd-7 [lenny] - kfreebsd-7 (Not covered by security support in Lenny) - kfreebsd-8 8.1-1 - kfreebsd-9 (fixed prior to first upload) - kfreebsd-10 (fixed prior to first upload) CVE-2010-4209 (Cross-site scripting (XSS) vulnerability in the Flash component infras ...) - yui 2.8.2r1~squeeze-1 (bug #603513) CVE-2010-4208 (Cross-site scripting (XSS) vulnerability in the Flash component infras ...) - yui 2.8.2r1~squeeze-1 (bug #603513) CVE-2010-4207 (Cross-site scripting (XSS) vulnerability in the Flash component infras ...) - yui 2.8.2r1~squeeze-1 (bug #603513) CVE-2010-4206 (Array index error in the FEBlend::apply function in WebCore/platform/g ...) - webkit 1.2.6-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 6.0.472.63~r59945-2 NOTE: http://trac.webkit.org/changeset/70652 CVE-2010-4205 (Google Chrome before 7.0.517.44 does not properly handle the data type ...) - chromium-browser 6.0.472.63~r59945-2 NOTE: https://bugs.webkit.org/show_bug.cgi?id=48159 NOTE: http://trac.webkit.org/changeset/70550 CVE-2010-4204 (WebKit, as used in Google Chrome before 7.0.517.44, webkitgtk before 1 ...) - webkit 1.2.6-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 6.0.472.63~r59945-2 NOTE: https://bugs.webkit.org/show_bug.cgi?id=48281 NOTE: http://trac.webkit.org/changeset/70517 CVE-2010-4202 (Multiple integer overflows in Google Chrome before 7.0.517.44 on Linux ...) - webkit (skia issue) - chromium-browser 6.0.472.63~r59945-2 NOTE: http://code.google.com/p/skia/source/detail?r=606 NOTE: http://code.google.com/p/skia/source/detail?r=607 CVE-2010-4201 (Use-after-free vulnerability in Google Chrome before 7.0.517.44 allows ...) - chromium-browser 6.0.472.63~r59945-2 NOTE: https://bugs.webkit.org/show_bug.cgi?id=47522 CVE-2010-4200 REJECTED CVE-2010-4199 (Google Chrome before 7.0.517.44 does not properly perform a cast of an ...) {DSA-2188-1} - webkit 1.2.7-1 - chromium-browser 6.0.472.63~r59945-2 NOTE: http://trac.webkit.org/changeset/69936 CVE-2010-4198 (WebKit, as used in Google Chrome before 7.0.517.44, webkitgtk before 1 ...) - webkit 1.2.6-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 6.0.472.63~r59945-2 NOTE: http://trac.webkit.org/changeset/69735 NOTE: style fix change set: http://trac.webkit.org/changeset/69801 CVE-2010-4197 (Use-after-free vulnerability in WebKit, as used in Google Chrome befor ...) - webkit 1.2.6-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 6.0.472.63~r59945-2 NOTE: http://trac.webkit.org/changeset/70594 CVE-2010-4196 (The Shockwave 3d Asset module in Adobe Shockwave Player before 11.5.9. ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-4195 (The TextXtra module in Adobe Shockwave Player before 11.5.9.620 does n ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-4194 (The dirapi.dll module in Adobe Shockwave Player before 11.5.9.620 does ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-4193 (Adobe Shockwave Player before 11.5.9.620 does not properly validate un ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-4192 (Adobe Shockwave Player before 11.5.9.620 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-4191 (Adobe Shockwave Player before 11.5.9.620 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-4190 (Adobe Shockwave Player before 11.5.9.620 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-4189 (The IML32 module in Adobe Shockwave Player before 11.5.9.620 allows at ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-4188 (The dirapi.dll module in Adobe Shockwave Player before 11.5.9.620 allo ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-4187 (Adobe Shockwave Player before 11.5.9.620 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-4186 (SQL injection vulnerability in process.asp in OnlineTechTools Online W ...) NOT-FOR-US: OnlineTechTools CVE-2010-4185 (SQL injection vulnerability in index.php in Energine, possibly 2.3.8 a ...) NOT-FOR-US: Energine CVE-2010-4184 (NetSupport Manager (NSM) before 11.00.0005 sends HTTP headers with cle ...) NOT-FOR-US: NetSupport Manager CVE-2010-4183 (Multiple cross-site scripting (XSS) vulnerabilities in HTML Purifier b ...) - php-htmlpurifier 4.1.1+dfsg1-1 CVE-2010-4182 (Untrusted search path vulnerability in the Data Access Objects (DAO) l ...) NOT-FOR-US: Microsoft Windows CVE-2010-4181 (Directory traversal vulnerability in Yaws 1.89 allows remote attackers ...) - yaws (Only affects Windows) CVE-2010-4180 (OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_R ...) {DSA-2141-1} - openssl 0.9.8o-4 NOTE: http://www.openssl.org/news/secadv/20101202.txt CVE-2010-4179 (The installation documentation for Red Hat Enterprise Messaging, Realt ...) NOT-FOR-US: RedHat documentation of MRG CVE-2010-4178 (MySQL-GUI-tools (mysql-administrator) leaks passwords into process lis ...) - mysql-gui-tools (low; bug #605542) [squeeze] - mysql-gui-tools (Minor issue) [lenny] - mysql-gui-tools (Minor issue) CVE-2010-4177 (mysql-gui-tools (mysql-query-browser and mysql-admin) before 5.0r14+op ...) - mysql-gui-tools (low; bug #605542) [squeeze] - mysql-gui-tools (Minor issue) [lenny] - mysql-gui-tools (Minor issue) CVE-2010-4176 (plymouth-pretrigger.sh in dracut and udev, when running on Fedora 13 a ...) - dracut (vulnerable script not shipped) - udev (vulnerable script not shipped; fedora-specific issue) CVE-2010-4175 (Integer overflow in the rds_cmsg_rdma_args function (net/rds/rdma.c) i ...) - linux-2.6 2.6.32-28 [lenny] - linux-2.6 (RDS introduced in 2.6.30) CVE-2010-4174 REJECTED CVE-2010-4173 (The default configuration of libsdp.conf in libsdp 1.1.104 and earlier ...) - libsdp 1.1.99-2.1 (bug #603841) CVE-2010-4172 (Multiple cross-site scripting (XSS) vulnerabilities in the Manager app ...) - tomcat6 6.0.28-9 (bug #606388) [lenny] - tomcat6 (Only ships the servlet package) CVE-2010-4171 (The staprun runtime tool in SystemTap 1.3 does not verify that a modul ...) {DSA-2348-1} - systemtap 1.2-3 (bug #603946) CVE-2010-4170 (The staprun runtime tool in SystemTap 1.3 does not properly clear the ...) {DSA-2348-1} - systemtap 1.2-3 (bug #603946) CVE-2010-4169 (Use-after-free vulnerability in mm/mprotect.c in the Linux kernel befo ...) - linux-2.6 2.6.32-29 [lenny] - linux-2.6 (perf counters not yet present) CVE-2010-4168 (Multiple use-after-free vulnerabilities in OpenTTD 1.0.x before 1.0.5 ...) - openttd 1.0.4-3 (bug #603752) [lenny] - openttd (Introduced in 1.0) CVE-2010-4167 (Untrusted search path vulnerability in configure.c in ImageMagick befo ...) - imagemagick 8:6.6.0.4-3 (low; bug #601824) [lenny] - imagemagick 7:6.3.7.9.dfsg2-1~lenny4 CVE-2010-4166 (Multiple SQL injection vulnerabilities in Joomla! 1.5.x before 1.5.22 ...) NOT-FOR-US: Joomla! CVE-2010-4165 (The do_tcp_setsockopt function in net/ipv4/tcp.c in the Linux kernel b ...) - linux-2.6 2.6.32-28 [lenny] - linux-2.6 (Introduced in 2.6.28) CVE-2010-4164 (Multiple integer underflows in the x25_parse_facilities function in ne ...) {DSA-2126-1} - linux-2.6 2.6.32-28 CVE-2010-4163 (The blk_rq_map_user_iov function in block/blk-map.c in the Linux kerne ...) {DSA-2153-1} - linux-2.6 2.6.32-29 CVE-2010-4162 (Multiple integer overflows in fs/bio.c in the Linux kernel before 2.6. ...) {DSA-2153-1} - linux-2.6 2.6.32-29 CVE-2010-4161 (The udp_queue_rcv_skb function in net/ipv4/udp.c in a certain Red Hat ...) - linux-2.6 2.6.28-1 [lenny] - linux-2.6 (Vulnerable code not present) CVE-2010-4159 (Untrusted search path vulnerability in metadata/loader.c in Mono 2.8 a ...) - mono 2.6.7-4 (bug #605097) [lenny] - mono (Minor issue) CVE-2010-4156 (The mb_strcut function in Libmbfl 1.1.0, as used in PHP 5.3.x through ...) - php5 5.3.3-4 (bug #603751) [lenny] - php5 (Only affects 5.3.x) CVE-2010-4155 (Multiple cross-site scripting (XSS) vulnerabilities in eXV2 CMS 2.10 a ...) NOT-FOR-US: eXV2 CMS CVE-2010-4154 (Directory traversal vulnerability in Rhino Software, Inc. FTP Voyager ...) NOT-FOR-US: Rhino Software, Inc. FTP Voyager CVE-2010-4153 (Directory traversal vulnerability in CrossFTP Pro 1.65a, and probably ...) NOT-FOR-US: CrossFTP CVE-2010-4152 (SQL injection vulnerability in catalog/index.shtml in 4site CMS 2.6, a ...) NOT-FOR-US: 4site CMS CVE-2010-4151 (SQL injection vulnerability in misc.php in DeluxeBB 1.3, and possibly ...) NOT-FOR-US: DeluxeBB CVE-2010-4150 (Double free vulnerability in the imap_do_open function in the IMAP ext ...) {DSA-2195-1} - php5 5.3.3-7 CVE-2009-5015 (The URL dispatch mechanism in TurboGears2 (aka tg2) before 2.0.2 expos ...) - turbogears2 2.0.3-1 CVE-2009-5014 (The default quickstart configuration of TurboGears2 (aka tg2) before 2 ...) - turbogears2 2.0.3-1 CVE-2008-7265 (The pr_data_xfer function in ProFTPD before 1.3.2rc3 allows remote aut ...) {DSA-2191-1} - proftpd-dfsg 1.3.2-1 (low) CVE-2010-4203 (WebM libvpx (aka the VP8 Codec SDK) before 0.9.5, as used in Google Ch ...) - libvpx 0.9.1-2 (bug #602693) CVE-2010-4160 (Multiple integer overflows in the (1) pppol2tp_sendmsg function in net ...) {DSA-2126-1} - linux-2.6 2.6.32-27 (low) CVE-2010-4158 (The sk_run_filter function in net/core/filter.c in the Linux kernel be ...) {DSA-2153-1} - linux-2.6 2.6.32-29 (low) CVE-2010-4157 (Integer overflow in the ioc_general function in drivers/scsi/gdth.c in ...) {DSA-2126-1} - linux-2.6 2.6.32-28 (low) CVE-2010-4149 (Directory traversal vulnerability in FreshWebMaster Fresh FTP 5.36, 5. ...) NOT-FOR-US: FreshWebMaster Fresh FTP CVE-2010-4148 (Directory traversal vulnerability in AnyConnect 1.2.3.0, and possibly ...) NOT-FOR-US: AnyConnect CVE-2010-4147 (Multiple SQL injection vulnerabilities in Pentasoft Avactis Shopping C ...) NOT-FOR-US: Pentasoft Avactis Shopping Cart CVE-2010-4146 (Cross-site scripting (XSS) vulnerability in Attachmate Reflection for ...) NOT-FOR-US: Attachmate Reflection CVE-2010-4145 (Kisisel Radyo Script stores sensitive information under the web root w ...) NOT-FOR-US: Kisisel Radyo Script CVE-2010-4144 (SQL injection vulnerability in radyo.asp in Kisisel Radyo Script allow ...) NOT-FOR-US: Kisisel Radyo Script CVE-2010-4143 (SQL injection vulnerability in chart.php in phpCheckZ 1.1.0, when magi ...) NOT-FOR-US: phpCheckZ CVE-2010-4142 (Multiple stack-based buffer overflows in DATAC RealWin 2.0 Build 6.1.8 ...) NOT-FOR-US: DATAC RealWin CVE-2010-4141 REJECTED CVE-2010-4140 REJECTED CVE-2010-4139 REJECTED CVE-2010-4138 REJECTED CVE-2010-4137 REJECTED CVE-2010-4136 REJECTED CVE-2010-4135 REJECTED CVE-2010-4134 REJECTED CVE-2010-4133 REJECTED CVE-2010-4132 REJECTED CVE-2010-4131 REJECTED CVE-2010-4130 REJECTED CVE-2010-4129 REJECTED CVE-2010-4128 REJECTED CVE-2010-4127 REJECTED CVE-2010-4126 REJECTED CVE-2010-4125 REJECTED CVE-2010-4124 REJECTED CVE-2010-4123 REJECTED CVE-2010-4122 REJECTED CVE-2010-4121 (** DISPUTED ** The TCP-to-ODBC gateway in IBM Tivoli Provisioning Mana ...) NOT-FOR-US: IBM Tivoli CVE-2010-XXXX - weborf 0.12.4-1 (bug #601585) CVE-2010-4120 (Multiple cross-site scripting (XSS) vulnerabilities in the TAM console ...) NOT-FOR-US: IBM Tivoli CVE-2010-4119 REJECTED CVE-2010-4118 REJECTED CVE-2010-4117 REJECTED CVE-2010-4116 (Unspecified vulnerability in HP StorageWorks Storage Mirroring 5.x bef ...) NOT-FOR-US: HP StorageWorks Storage Mirroring CVE-2010-4115 (HP StorageWorks Modular Smart Array P2000 G3 firmware TS100R011, TS100 ...) NOT-FOR-US: HP StorageWorks CVE-2010-4114 (Cross-site scripting (XSS) vulnerability in HP Discovery & Depende ...) NOT-FOR-US: HP DDMI CVE-2010-4113 (Stack-based buffer overflow in HP Power Manager (HPPM) before 4.3.2 al ...) NOT-FOR-US: HP HPPM CVE-2010-4112 (HP Insight Management Agents before 8.6 allows remote attackers to obt ...) NOT-FOR-US: HP Insight Management Agents CVE-2010-4111 (Cross-site scripting (XSS) vulnerability in HP Insight Diagnostics Onl ...) NOT-FOR-US: HP Insight Diagnostics CVE-2010-4110 (Unspecified vulnerability in HP OpenVMS 8.3, 8.3-1H1, and 8.4 on the I ...) NOT-FOR-US: HP OpenVMS CVE-2010-4109 (Cross-site scripting (XSS) vulnerability in the Contacts Application i ...) NOT-FOR-US: HP Palm webOS CVE-2010-4108 (HP HP-UX B.11.11, B.11.23, and B.11.31 does not properly support threa ...) NOT-FOR-US: HP-UX CVE-2010-4107 (The default configuration of the PJL Access value in the File System E ...) NOT-FOR-US: HP LaserJet CVE-2010-4106 (Cross-site request forgery (CSRF) vulnerability in HP Insight Control ...) NOT-FOR-US: HP Insight Orchestration CVE-2010-4105 (Unspecified vulnerability in HP Insight Orchestration before 6.2 allow ...) NOT-FOR-US: HP Insight Orchestration CVE-2010-4104 (Unspecified vulnerability in HP Insight Orchestration before 6.2 allow ...) NOT-FOR-US: HP Insight Orchestration CVE-2010-4103 (Unspecified vulnerability in HP Insight Managed System Setup Wizard be ...) NOT-FOR-US: HP Insight Managed System Setup Wizard CVE-2010-4102 (Unspecified vulnerability in HP Insight Recovery before 6.2 allows rem ...) NOT-FOR-US: HP Insight Recovery CVE-2010-4101 (Cross-site scripting (XSS) vulnerability in HP Insight Recovery before ...) NOT-FOR-US: HP Insight Recovery CVE-2010-4100 (Unspecified vulnerability in HP Insight Control Performance Management ...) NOT-FOR-US: HP Insight Control Performance Management CVE-2010-4099 (ess.pm in NitroSecurity NitroView ESM 8.4.0a, when ESSPMDebug is enabl ...) NOT-FOR-US: NitroSecurity NitroView CVE-2010-4098 (monotone before 0.48.1, when configured to allow remote commands, allo ...) - monotone 0.48-3 [lenny] - monotone (Vulnerable feature introduced in 0.46) CVE-2010-4097 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Aa ...) NOT-FOR-US: Aardvark Topsites PHP CVE-2010-4095 (Directory traversal vulnerability in the FTP client in Serengeti Syste ...) NOT-FOR-US: Serengeti Systems Incorporated Robo-FTP 3.7.3 CVE-2010-4094 (The Tomcat server in IBM Rational Quality Manager and Rational Test La ...) NOT-FOR-US: IBM Rational Quality Manager CVE-2010-4093 (Adobe Shockwave Player before 11.5.9.620 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-4092 (Use-after-free vulnerability in an unspecified compatibility component ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-4091 (The EScript.api plugin in Adobe Reader and Acrobat 10.x before 10.0.1, ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2010-4090 (Adobe Shockwave Player before 11.5.9.615 allows attackers to execute a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-4089 (IML32.dll in Adobe Shockwave Player before 11.5.9.615 allows attackers ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-4088 (dirapi.dll in Adobe Shockwave Player before 11.5.9.615 allows attacker ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-4087 (IML32.dll in Adobe Shockwave Player before 11.5.9.615 allows attackers ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-4086 (dirapi.dll in Adobe Shockwave Player before 11.5.9.615 allows attacker ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-4085 (dirapi.dll in Adobe Shockwave Player before 11.5.9.615 allows attacker ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-4084 (dirapi.dll in Adobe Shockwave Player before 11.5.9.615 allows attacker ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-4083 (The copy_semid_to_user function in ipc/sem.c in the Linux kernel befor ...) {DSA-2126-1} - linux-2.6 2.6.32-29 (low) CVE-2010-4082 (The viafb_ioctl_get_viafb_info function in drivers/video/via/ioctl.c i ...) - linux-2.6 2.6.32-24 (low) [lenny] - linux-2.6 (Vulnerable code not present) CVE-2010-4081 (The snd_hdspm_hwdep_ioctl function in sound/pci/rme9652/hdspm.c in the ...) {DSA-2126-1} - linux-2.6 2.6.32-27 (low) CVE-2010-4080 (The snd_hdsp_hwdep_ioctl function in sound/pci/rme9652/hdsp.c in the L ...) {DSA-2126-1} - linux-2.6 2.6.32-27 (low) CVE-2010-4079 (The ivtvfb_ioctl function in drivers/media/video/ivtv/ivtvfb.c in the ...) {DSA-2126-1} - linux-2.6 2.6.32-29 (low) CVE-2010-4078 (The sisfb_ioctl function in drivers/video/sis/sis_main.c in the Linux ...) {DSA-2126-1} - linux-2.6 2.6.32-24 (low) CVE-2010-4077 (The ntty_ioctl_tiocgicount function in drivers/char/nozomi.c in the Li ...) - linux-2.6 2.6.37-1 (low) [wheezy] - linux-2.6 2.6.32-31 [squeeze] - linux-2.6 2.6.32-31 CVE-2010-4076 (The rs_ioctl function in drivers/char/amiserial.c in the Linux kernel ...) - linux-2.6 2.6.37-1 (low) [wheezy] - linux-2.6 2.6.32-31 [squeeze] - linux-2.6 2.6.32-31 CVE-2010-4075 (The uart_get_count function in drivers/serial/serial_core.c in the Lin ...) {DSA-2264-1} - linux-2.6 2.6.37-1 (low) [wheezy] - linux-2.6 2.6.32-31 [squeeze] - linux-2.6 2.6.32-31 CVE-2010-4074 (The USB subsystem in the Linux kernel before 2.6.36-rc5 does not prope ...) {DSA-2126-1} - linux-2.6 2.6.32-24 (low) CVE-2010-4073 (The ipc subsystem in the Linux kernel before 2.6.37-rc1 does not initi ...) {DSA-2126-1} - linux-2.6 2.6.32-29 (low) CVE-2010-4072 (The copy_shmid_to_user function in ipc/shm.c in the Linux kernel befor ...) {DSA-2126-1} - linux-2.6 2.6.32-29 (low) CVE-2010-4071 (Cross-site scripting (XSS) vulnerability in AgentTicketZoom in OTRS 2. ...) - otrs2 2.4.9+dfsg1-1 [lenny] - otrs2 (Only affects OTRS 2.4) CVE-2010-4070 (Integer overflow in librpc.dll in portmap.exe (aka the ISM Portmapper ...) NOT-FOR-US: portmap.exe CVE-2010-4069 (Stack-based buffer overflow in IBM Informix Dynamic Server (IDS) 7.x t ...) NOT-FOR-US: IBM Informix Dynamic Server CVE-2010-4068 (Unspecified vulnerability in the Extension Manager in TYPO3 4.2.x befo ...) {DSA-2121-1} - typo3-src 4.3.7-1 CVE-2010-4096 (share/ma/keys_for_user in Monkeysphere 0.31 and 0.32 allows local user ...) - monkeysphere 0.31-3 (bug #600304) NOTE: micah requested this CVE from mitre, issue has been fixed in debian already CVE-2010-4067 RESERVED CVE-2010-4066 RESERVED CVE-2010-4065 RESERVED CVE-2010-4064 RESERVED CVE-2010-4063 RESERVED CVE-2010-4062 RESERVED CVE-2010-4061 RESERVED CVE-2010-4060 RESERVED CVE-2010-4059 RESERVED CVE-2010-4058 RESERVED CVE-2010-4057 (solid.exe in IBM solidDB 6.5.0.3 and earlier does not properly perform ...) NOT-FOR-US: IBM solidDB CVE-2010-4056 (solid.exe in IBM solidDB 6.5.0.3 and earlier does not properly perform ...) NOT-FOR-US: IBM solidDB CVE-2010-4055 (Stack consumption vulnerability in solid.exe in IBM solidDB 6.5.0.3 an ...) NOT-FOR-US: IBM solidDB CVE-2010-4054 (The gs_type2_interpret function in Ghostscript allows remote attackers ...) - ghostscript 8.71~dfsg-1 (unimportant) NOTE: Crash-only CVE-2010-4053 (Stack-based buffer overflow in an unspecified logging function in onin ...) NOT-FOR-US: IBM Informix Dynamic Server CVE-2010-4052 (Stack consumption vulnerability in the regcomp implementation in the G ...) - glibc (unimportant) - eglibc (unimportant) NOTE: Deficiency in the regexp engine of glibc, while there implementations which NOTE: process such expressions more efficiently, imposing a limit lies within NOTE: the application accepting it from user input CVE-2010-4051 (The regcomp implementation in the GNU C Library (aka glibc or libc6) t ...) - glibc (unimportant) - eglibc (unimportant) NOTE: Deficiency in the regexp engine of glibc, while there implementations which NOTE: process such expressions more efficiently, imposing a limit lies within NOTE: the application accepting it from user input CVE-2010-XXXX [XSS vulnerability discovered -plugin-globalsearch] - fusionforge 5.0.2-3 CVE-2010-XXXX [insecure usage of temporary files in flash-kernel] - flash-kernel 2.33 (low) [lenny] - flash-kernel (Minor issue) CVE-2010-4050 (Opera before 10.63 allows remote attackers to cause a denial of servic ...) NOT-FOR-US: Opera CVE-2010-4049 (Opera before 10.63 allows remote attackers to cause a denial of servic ...) NOT-FOR-US: Opera CVE-2010-4048 (Opera before 10.63 allows user-assisted remote web servers to cause a ...) NOT-FOR-US: Opera CVE-2010-4047 (Opera before 10.63 does not properly select the security context of Ja ...) NOT-FOR-US: Opera CVE-2010-4046 (Opera before 10.63 does not properly verify the origin of video conten ...) NOT-FOR-US: Opera CVE-2010-4045 (Opera before 10.63 does not properly restrict web script in unspecifie ...) NOT-FOR-US: Opera CVE-2010-4044 (Opera before 10.63 does not ensure that the portion of a URL shown in ...) NOT-FOR-US: Opera CVE-2010-4043 (Opera before 10.63 does not prevent interpretation of a cross-origin d ...) NOT-FOR-US: Opera CVE-2010-4042 (Google Chrome before 7.0.517.41 does not properly handle element maps, ...) - webkit 1.2.6-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 6.0.472.63~r59945-1 NOTE: http://trac.webkit.org/changeset/68096 CVE-2010-4041 (The sandbox implementation in Google Chrome before 7.0.517.41 on Linux ...) - webkit (issue with chromium sandbox) - chromium-browser 6.0.472.63~r59945-1 CVE-2010-4040 (Google Chrome before 7.0.517.41 does not properly handle animated GIF ...) {DSA-2188-1} - webkit 1.2.6-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 6.0.472.63~r59945-1 NOTE: http://trac.webkit.org/changeset/68446 CVE-2010-4039 (Google Chrome before 7.0.517.41 on Linux does not properly set the PAT ...) - webkit (chromium-specifc LD_LIBRARY_PATH issue) - chromium-browser (package uses its own startup script) CVE-2010-4038 (The Web Sockets implementation in Google Chrome before 7.0.517.41 does ...) - webkit (issue in chromium code base) - chromium-browser 9.0.570 [squeeze] - chromium-browser (websocket_experiment not enabled in v6) [wheezy] - chromium-browser CVE-2010-4037 (Unspecified vulnerability in Google Chrome before 7.0.517.41 allows re ...) - webkit (affected gesture code not present in 1.2.x) - chromium-browser (unimportant) NOTE: http://trac.webkit.org/changeset/67716 CVE-2010-4036 (Google Chrome before 7.0.517.41 does not properly handle the unloading ...) - webkit (chromium-specifc issue) - chromium-browser 6.0.472.63~r59945-1 CVE-2010-4035 (Google Chrome before 7.0.517.41 does not properly perform autofill ope ...) - webkit (issue in chromium code base) - chromium-browser 6.0.472.63~r59945-1 CVE-2010-4034 (Google Chrome before 7.0.517.41 does not properly handle forms, which ...) - webkit (issue in chromium code base) - chromium-browser 6.0.472.63~r59945-1 CVE-2010-4033 (Google Chrome before 7.0.517.41 does not properly implement the autofi ...) - webkit (issue in gestures, which resides in the webkit codebase, but is only used by chromium right now) - chromium-browser 6.0.472.63~r59945-1 NOTE: http://trac.webkit.org/changeset/63786 NOTE: http://trac.webkit.org/changeset/67240 CVE-2010-4032 (Cross-site request forgery (CSRF) vulnerability in HP Insight Control ...) NOT-FOR-US: HP Insight Control Performance Management CVE-2010-4031 (Unspecified vulnerability in HP Insight Control Performance Management ...) NOT-FOR-US: HP Insight Control Performance Management CVE-2010-4030 (Cross-site scripting (XSS) vulnerability in HP Insight Control Perform ...) NOT-FOR-US: HP Insight Control Performance Management CVE-2010-4029 (Unspecified vulnerability in HP Storage Essentials before 6.3.0, when ...) NOT-FOR-US: HP Storage Essentials CVE-2010-4028 (Unspecified vulnerability in LoadRunner Web Tours 9.10 in HP LoadRunne ...) NOT-FOR-US: HP LoadRunner CVE-2010-4027 (Unspecified vulnerability in the camera application in HP Palm webOS 1 ...) NOT-FOR-US: HP Palm webOS CVE-2010-4026 (Unspecified vulnerability in the service API in HP Palm webOS 1.4.1 al ...) NOT-FOR-US: HP Palm webOS CVE-2010-4025 (Unspecified vulnerability in Doc Viewer in HP Palm webOS 1.4.1 allows ...) NOT-FOR-US: HP Palm webOS CVE-2010-4024 (Cross-site request forgery (CSRF) vulnerability in HP Insight Control ...) NOT-FOR-US: HP Insight Control Power Management CVE-2010-4023 (Cross-site scripting (XSS) vulnerability in HP Insight Control Power M ...) NOT-FOR-US: HP Insight Control Power Management CVE-2010-4022 (The do_standalone function in the MIT krb5 KDC database propagation da ...) - krb5 1.8.3+dfsg-5 (low) [squeeze] - krb5 1.8.3+dfsg-4squeeze1 [lenny] - krb5 (Only affects 1.7.x onwards) [etch] - krb5 (Only affects 1.7.x onwards) CVE-2010-4021 (The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7 doe ...) - krb5 1.8+dfsg~alpha1-1 [lenny] - krb5 (Only affects 1.7.x) CVE-2010-4020 (MIT Kerberos 5 (aka krb5) 1.8.x through 1.8.3 does not reject RC4 key- ...) - krb5 1.8.3+dfsg-3 (bug #605553) [lenny] - krb5 (Only affects krb5 >= 1.8) CVE-2010-4019 RESERVED CVE-2010-4018 RESERVED CVE-2010-4017 RESERVED CVE-2010-4016 RESERVED CVE-2010-4015 (Buffer overflow in the gettoken function in contrib/intarray/_int_bool ...) {DSA-2157-1} - postgresql-9.0 9.0.3-1 - postgresql-8.4 8.4.7-1 - postgresql-8.3 CVE-2010-4014 RESERVED CVE-2010-4013 (Format string vulnerability in PackageKit in Apple Mac OS X 10.6.x bef ...) NOT-FOR-US: This is not the PackageKit distributed by Debian, but a different code base CVE-2010-4012 (Race condition in Apple iOS 4.0 through 4.1 for iPhone 3G and later al ...) NOT-FOR-US: Apple iOS CVE-2010-4011 (Dovecot in Apple Mac OS X 10.6.5 10H574 does not properly manage memor ...) - dovecot (HT4452 claims it is Apple-specific and doesn't affect the OSS version) CVE-2010-4010 (Integer signedness error in Apple Type Services (ATS) in Apple Mac OS ...) NOT-FOR-US: Apple Type Services CVE-2010-4009 (Integer overflow in Apple QuickTime before 7.6.9 allows remote attacke ...) NOT-FOR-US: Apple QuickTime CVE-2010-4008 (libxml2 before 2.7.8, as used in Google Chrome before 7.0.517.44, Appl ...) {DSA-2128-1} - libxml2 2.7.8.dfsg-1 (bug #602609) CVE-2010-4007 (Oracle Mojarra uses an encrypted View State without a Message Authenti ...) - mojarra (Fixed before initial upload, in 2.0.1) CVE-2010-4006 (Multiple SQL injection vulnerabilities in search.php in WSN Links 5.0. ...) NOT-FOR-US: WSN Links CVE-2010-4005 (The (1) tomboy and (2) tomboy-panel scripts in GNOME Tomboy 1.5.2 and ...) - tomboy 1.2.2-2 (low; bug #605096) [lenny] - tomboy (Minor issue) CVE-2010-4004 RESERVED CVE-2010-4003 RESERVED CVE-2010-4002 RESERVED CVE-2010-4001 (** DISPUTED ** GMXRC.bash in Gromacs 4.5.1 and earlier places a zero-l ...) NOTE: Not a security issue CVE-2010-4000 (gnome-shell in GNOME Shell 2.31.5 places a zero-length directory name ...) - gnome-shell 2.91.3-1 (bug #605098) [lenny] - gnome-shell (Minor issue) CVE-2010-3999 (gnc-test-env in GnuCash 2.3.15 and earlier places a zero-length direct ...) - gnucash 2.2.9-10 (low; bug #603329) [lenny] - gnucash (Minor issue) CVE-2010-3998 (The (1) banshee-1 and (2) muinshee scripts in Banshee 1.8.0 and earlie ...) - banshee 1.6.1-1.1 (bug #605095) [lenny] - banshee (Minor issue) CVE-2010-3997 RESERVED CVE-2010-3996 (festival_server in Centre for Speech Technology Research (CSTR) Festiv ...) - festival (From Lenny onwards we don't include the server component) CVE-2009-5013 (Memory leak in the on_dtp_close function in ftpserver.py in pyftpdlib ...) - python-pyftpdlib 0.5.2-1 CVE-2009-5012 (ftpserver.py in pyftpdlib before 0.5.2 does not require the l permissi ...) - python-pyftpdlib 0.5.2-1 CVE-2009-5011 (Race condition in the FTPHandler class in ftpserver.py in pyftpdlib be ...) - python-pyftpdlib 0.5.2-1 CVE-2009-5010 (Race condition in the FTPHandler class in ftpserver.py in pyftpdlib be ...) - python-pyftpdlib (Fixed before initial upload to the archive) CVE-2008-7264 (The ftp_QUIT function in ftpserver.py in pyftpdlib before 0.5.0 allows ...) - python-pyftpdlib (Fixed before initial upload to the archive) CVE-2008-7263 (ftpserver.py in pyftpdlib before 0.5.0 does not delay its response aft ...) - python-pyftpdlib (Fixed before initial upload to the archive) CVE-2008-7262 (Multiple directory traversal vulnerabilities in FTPServer.py in pyftpd ...) - python-pyftpdlib (Fixed before initial upload to the archive) CVE-2007-6741 (The ftp_PORT function in FTPServer.py in pyftpdlib before 0.2.0 does n ...) - python-pyftpdlib (Fixed before initial upload to the archive) CVE-2007-6740 (The ftp_STOU function in FTPServer.py in pyftpdlib before 0.2.0 does n ...) - python-pyftpdlib (Fixed before initial upload to the archive) CVE-2007-6739 (FTPServer.py in pyftpdlib before 0.2.0 allows remote attackers to caus ...) - python-pyftpdlib (Fixed before initial upload to the archive) CVE-2007-6738 (pyftpdlib before 0.1.1 does not choose a random value for the port ass ...) - python-pyftpdlib (Fixed before initial upload to the archive) CVE-2007-6737 (FTPServer.py in pyftpdlib before 0.2.0 does not increment the attempte ...) - python-pyftpdlib (Fixed before initial upload to the archive) CVE-2007-6736 (Multiple directory traversal vulnerabilities in FTPServer.py in pyftpd ...) - python-pyftpdlib (Fixed before initial upload to the archive) CVE-2010-3995 RESERVED CVE-2010-3994 (Cross-site scripting (XSS) vulnerability in HP Version Control Reposit ...) NOT-FOR-US: HP VCRM CVE-2010-3993 (Unspecified vulnerability in HP Insight Control Server Migration befor ...) NOT-FOR-US: HP Insight CVE-2010-3992 (Unspecified vulnerability in HP Insight Control Server Migration befor ...) NOT-FOR-US: HP Insight CVE-2010-3991 (Cross-site scripting (XSS) vulnerability in HP Insight Control Server ...) NOT-FOR-US: HP Insight CVE-2010-3990 (Unspecified vulnerability in HP Virtual Server Environment before 6.2 ...) NOT-FOR-US: HP Virtual Server Environment CVE-2010-3989 (Cross-site request forgery (CSRF) vulnerability in HP Insight Control ...) NOT-FOR-US: HP Insight CVE-2010-3988 (Unspecified vulnerability in HP Insight Control Virtual Machine Manage ...) NOT-FOR-US: HP Insight CVE-2010-3987 (Cross-site scripting (XSS) vulnerability in HP Insight Control Virtual ...) NOT-FOR-US: HP Insight CVE-2010-3986 (Unspecified vulnerability in HP Virtual Connect Enterprise Manager (VC ...) NOT-FOR-US: HP VCEM CVE-2010-3985 (Cross-site scripting (XSS) vulnerability in HP Operations Orchestratio ...) NOT-FOR-US: HP Operations Orchestration CVE-2010-3984 (Buffer overflow in mng_core_com.dll in CA XOsoft Replication r12.0 SP1 ...) NOT-FOR-US: CA XOsoft CVE-2010-3983 (CmcApp in SAP BusinessObjects Enterprise XI 3.2 allows remote authenti ...) NOT-FOR-US: SAP BusinessObjects Enterprise CVE-2010-3982 (SAP BusinessObjects Enterprise XI 3.2 allows remote attackers to trigg ...) NOT-FOR-US: SAP BusinessObjects Enterprise CVE-2010-3981 (Cross-site scripting (XSS) vulnerability in SAP BusinessObjects Enterp ...) NOT-FOR-US: SAP BusinessObjects Enterprise CVE-2010-3980 (Dswsbobje in SAP BusinessObjects Enterprise XI 3.2 does not limit the ...) NOT-FOR-US: SAP BusinessObjects Enterprise CVE-2010-3979 (Dswsbobje in SAP BusinessObjects Enterprise XI 3.2 generates different ...) NOT-FOR-US: SAP BusinessObjects Enterprise CVE-2010-3978 (Spree 0.11.x before 0.11.2 and 0.30.x before 0.30.0 exchanges data usi ...) NOT-FOR-US: Spree CVE-2010-3977 (Multiple cross-site scripting (XSS) vulnerabilities in wp-content/plug ...) NOT-FOR-US: cForm wordpress plugin CVE-2010-3976 (Untrusted search path vulnerability in Adobe Flash Player before 9.0.2 ...) NOT-FOR-US: Adobe Flash Player CVE-2010-3975 (Untrusted search path vulnerability in Adobe Flash Player 9 allows loc ...) NOT-FOR-US: Adobe Flash Player CVE-2010-3974 (fxscover.exe in the Fax Cover Page Editor in Microsoft Windows XP SP2 ...) NOT-FOR-US: Microsoft Windows CVE-2010-3973 (The WMITools ActiveX control in WBEMSingleView.ocx 1.50.1131.0 in Micr ...) NOT-FOR-US: Microsoft CVE-2010-3972 (Heap-based buffer overflow in the TELNET_STREAM_CONTEXT::OnSendData fu ...) NOT-FOR-US: Microsoft Internet Information Services CVE-2010-3971 (Use-after-free vulnerability in the CSharedStyleSheet::Notify function ...) NOT-FOR-US: Microsoft Internet Explorer 7 and 8 CVE-2010-3970 (Stack-based buffer overflow in the CreateSizedDIBSECTION function in s ...) NOT-FOR-US: Microsoft Windows CVE-2010-3969 REJECTED CVE-2010-3968 REJECTED CVE-2010-3967 (Untrusted search path vulnerability in Microsoft Windows Movie Maker ( ...) NOT-FOR-US: Microsoft Windows CVE-2010-3966 (Untrusted search path vulnerability in Microsoft Windows Server 2008 R ...) NOT-FOR-US: Microsoft Windows CVE-2010-3965 (Untrusted search path vulnerability in Windows Media Encoder 9 on Micr ...) NOT-FOR-US: Microsoft Windows CVE-2010-3964 (Unrestricted file upload vulnerability in the Document Conversions Lau ...) NOT-FOR-US: Microsoft Office SharePoint Server CVE-2010-3963 (Buffer overflow in the Routing and Remote Access NDProxy component in ...) NOT-FOR-US: Microsoft Windows CVE-2010-3962 (Use-after-free vulnerability in Microsoft Internet Explorer 6, 7, and ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-3961 (The Consent User Interface (UI) in Microsoft Windows Vista SP1 and SP2 ...) NOT-FOR-US: Microsoft Windows CVE-2010-3960 (Hyper-V in Microsoft Windows Server 2008 Gold, SP2, and R2 allows gues ...) NOT-FOR-US: Microsoft Windows CVE-2010-3959 (The OpenType Font (OTF) driver in Microsoft Windows XP SP2 and SP3, Wi ...) NOT-FOR-US: Microsoft Windows CVE-2010-3958 (The x86 JIT compiler in Microsoft .NET Framework 2.0 SP2, 3.5 SP1, 3.5 ...) NOT-FOR-US: Microsoft .NET Framework CVE-2010-3957 (Double free vulnerability in the OpenType Font (OTF) driver in Microso ...) NOT-FOR-US: Microsoft Windows CVE-2010-3956 (The OpenType Font (OTF) driver in Microsoft Windows XP SP2 and SP3, Wi ...) NOT-FOR-US: Microsoft Windows CVE-2010-3955 (pubconv.dll (aka the Publisher Converter DLL) in Microsoft Publisher 2 ...) NOT-FOR-US: Microsoft Publisher CVE-2010-3954 (Microsoft Publisher 2002 SP3, 2003 SP3, and 2010 allows remote attacke ...) NOT-FOR-US: Microsoft Publisher CVE-2010-3953 REJECTED CVE-2010-3952 (The FlashPix image converter in the graphics filters in Microsoft Offi ...) NOT-FOR-US: Microsoft Office CVE-2010-3951 (Buffer overflow in the FlashPix image converter in the graphics filter ...) NOT-FOR-US: Microsoft Office CVE-2010-3950 (The TIFF image converter in the graphics filters in Microsoft Office X ...) NOT-FOR-US: Microsoft Office CVE-2010-3949 (Buffer overflow in the TIFF image converter in the graphics filters in ...) NOT-FOR-US: Microsoft Office CVE-2010-3948 REJECTED CVE-2010-3947 (Heap-based buffer overflow in the TIFF image converter in the graphics ...) NOT-FOR-US: Microsoft Office CVE-2010-3946 (Integer overflow in the PICT image converter in the graphics filters i ...) NOT-FOR-US: Microsoft Office CVE-2010-3945 (Buffer overflow in the CGM image converter in the graphics filters in ...) NOT-FOR-US: Microsoft Office CVE-2010-3944 (win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2008 ...) NOT-FOR-US: Microsoft Windows CVE-2010-3943 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2010-3942 (win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2010-3941 (Double free vulnerability in win32k.sys in the kernel-mode drivers in ...) NOT-FOR-US: Microsoft Windows CVE-2010-3940 (Double free vulnerability in win32k.sys in the kernel-mode drivers in ...) NOT-FOR-US: Microsoft Windows CVE-2010-3939 (Buffer overflow in win32k.sys in the kernel-mode drivers in Microsoft ...) NOT-FOR-US: Microsoft Windows CVE-2010-3938 REJECTED CVE-2010-3937 (Microsoft Exchange Server 2007 SP2 on the x64 platform allows remote a ...) NOT-FOR-US: Microsoft Exchange Server CVE-2010-3936 (Cross-site scripting (XSS) vulnerability in Signurl.asp in Microsoft F ...) NOT-FOR-US: Forefront Unified Access Gateway CVE-2010-3935 REJECTED CVE-2010-3934 (The browser in Research In Motion (RIM) BlackBerry Device Software 5.0 ...) NOT-FOR-US: BlackBerry Device Software CVE-2010-3933 (Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attribut ...) - rails (Only affects >= 2.3.9, which is not yet in the archive) CVE-2010-3932 REJECTED CVE-2010-3931 (Cross-site scripting (XSS) vulnerability in multiple Rocomotion produc ...) NOT-FOR-US: Rocomotion CVE-2010-3930 (Directory traversal vulnerability in MODx Evolution 1.0.4 and earlier ...) NOT-FOR-US: MODx CVE-2010-3929 (SQL injection vulnerability in MODx Evolution 1.0.4 and earlier allows ...) NOT-FOR-US: MODx CVE-2010-3928 (Ruby Version Manager (RVM) before 1.2.1 writes file contents to a term ...) NOT-FOR-US: Ruby Version Manager CVE-2010-3927 (Untrusted search path vulnerability in Lunascape before 6.4.0 allows l ...) NOT-FOR-US: Lunascape CVE-2010-3926 (Multiple cross-site scripting (XSS) vulnerabilities in Shop.cgi in SGX ...) NOT-FOR-US: SGX-SP Final CVE-2010-3925 (Contents-Mall before 15 does not properly handle passwords, which allo ...) NOT-FOR-US: Contents-Mall CVE-2010-3924 (SQL injection vulnerability in Aimluck Aipo before 5.1.0.1 allows remo ...) NOT-FOR-US: Aimluck Aipo CVE-2010-3923 (Untrusted search path vulnerability in AttacheCase before 2.70 allows ...) NOT-FOR-US: AttacheCase CVE-2010-3922 (SQL injection vulnerability in Movable Type 4.x before 4.35 and 5.x be ...) - movabletype-opensource 4.3.5+dfsg-1 (bug #606311) [lenny] - movabletype-opensource 4.2.3-1+lenny2 (bug #606311) CVE-2010-3921 (Cross-site scripting (XSS) vulnerability in Movable Type 4.x before 4. ...) - movabletype-opensource 4.3.5+dfsg-1 (bug #606311) [lenny] - movabletype-opensource 4.2.3-1+lenny2 (bug #606311) CVE-2010-3920 (The Seiko Epson printer driver installers for LP-S9000 before 4.1.11 a ...) NOT-FOR-US: Seiko Epson printer driver CVE-2010-3919 (Fenrir Grani 4.5 and earlier does not prevent interaction between web ...) NOT-FOR-US: Fenrir Grani CVE-2010-3918 (Fenrir Sleipnir 2.9.6 and earlier does not prevent interaction between ...) NOT-FOR-US: Fenrir Sleipnir CVE-2010-3917 (Google Chrome before 3.0 does not properly handle XML documents, which ...) - chromium-browser (Fixed before initial upload to Debian) CVE-2010-3916 (Unspecified vulnerability in JustSystems Ichitaro and Ichitaro Governm ...) NOT-FOR-US: JustSystems Ichitaro and Ichitaro Government CVE-2010-3915 (Unspecified vulnerability in JustSystems Ichitaro and Ichitaro Governm ...) NOT-FOR-US: JustSystems Ichitaro and Ichitaro Government CVE-2010-3914 (Untrusted search path vulnerability in VIM Development Group GVim befo ...) - vim (Windows-specific) CVE-2010-3913 (CRLF injection vulnerability in TransWARE Active! mail 6 build 6.40.01 ...) NOT-FOR-US: TransWARE Active! mail CVE-2010-3912 (The supportconfig script in supportutils in SUSE Linux Enterprise 11 S ...) NOT-FOR-US: SLES support scripts CVE-2010-3911 (Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM befo ...) NOT-FOR-US: vTiger CRM CVE-2010-3910 (Multiple directory traversal vulnerabilities in the return_application ...) NOT-FOR-US: vTiger CRM CVE-2010-3909 (Incomplete blacklist vulnerability in config.template.php in vtiger CR ...) NOT-FOR-US: vtiger CRM CVE-2010-3908 (FFmpeg before 0.5.4, as used in MPlayer and other products, allows rem ...) {DSA-2306-1} - libav 4:0.6-1 - ffmpeg 7:2.4.1-1 - ffmpeg-debian CVE-2010-3907 (Multiple integer overflows in real.c in the Real demuxer plugin in Vid ...) - vlc 1.1.3-1squeeze1 [lenny] - vlc (Vulnerable code not present) CVE-2010-3906 (Cross-site scripting (XSS) vulnerability in Gitweb 1.7.3.3 and earlier ...) - git-core [lenny] - git-core 1.5.6.5-3+lenny3.3 - git 1:1.7.2.3-2.2 CVE-2010-3905 (The password reset feature in the administrator interface for Eucalypt ...) - eucalyptus (bug #608289) (It was once removed from archive, then re-added as 3.1.0) CVE-2010-3904 (The rds_page_copy_user function in net/rds/page.c in the Reliable Data ...) - linux-2.6 2.6.32-26 [lenny] - linux-2.6 (Vulnerable code introduced in 2.6.30) CVE-2010-3903 (Unspecified vulnerability in OpenConnect before 2.23 allows remote Any ...) - openconnect 2.25-0.1 CVE-2010-3902 (OpenConnect before 2.26 places the webvpn cookie value in the debuggin ...) - openconnect 3.02-1 (unimportant) NOTE: This is an additional safety net for careless users, not a vulnerability CVE-2010-3901 (OpenConnect before 2.25 does not properly validate X.509 certificates, ...) - openconnect 2.25-0.1 (bug #590873) CVE-2010-3900 (Midori before 0.2.5, when WebKitGTK+ before 1.1.14 or LibSoup before 2 ...) - midori 0.2.7-1.1 (unimportant; bug #607497) NOTE: Current Midori SSL support is very limited NOTE: Midori should not be used if SSL support is important to you CVE-2010-3899 (IBM OmniFind Enterprise Edition 8.x and 9.x performs web crawls with a ...) NOT-FOR-US: IBM OmniFind Enterprise Edition CVE-2010-3898 (IBM OmniFind Enterprise Edition 8.x and 9.x does not properly restrict ...) NOT-FOR-US: IBM OmniFind Enterprise Edition CVE-2010-3897 (ESSearchApplication/palette.do in IBM OmniFind Enterprise Edition 8.x ...) NOT-FOR-US: IBM OmniFind Enterprise Edition CVE-2010-3896 (The ESSearchApplication directory tree in IBM OmniFind Enterprise Edit ...) NOT-FOR-US: IBM OmniFind Enterprise Edition CVE-2010-3895 (esRunCommand in IBM OmniFind Enterprise Edition before 9.1 allows loca ...) NOT-FOR-US: IBM OmniFind Enterprise Edition CVE-2010-3894 (Stack-based buffer overflow in the Java_com_ibm_es_oss_CryptionNative_ ...) NOT-FOR-US: IBM OmniFind Enterprise Edition CVE-2010-3893 (The administrator interface in IBM OmniFind Enterprise Edition 8.x and ...) NOT-FOR-US: IBM OmniFind Enterprise Edition CVE-2010-3892 (Session fixation vulnerability in the login form in the administrator ...) NOT-FOR-US: IBM OmniFind Enterprise Edition CVE-2010-3891 (Cross-site request forgery (CSRF) vulnerability in ESAdmin/security.do ...) NOT-FOR-US: IBM OmniFind Enterprise Edition CVE-2010-3890 (Cross-site scripting (XSS) vulnerability in IBM OmniFind Enterprise Ed ...) NOT-FOR-US: IBM OmniFind Enterprise Edition CVE-2010-3889 (Unspecified vulnerability in Microsoft Windows on 32-bit platforms all ...) NOT-FOR-US: Microsoft Windows CVE-2010-3888 (Unspecified vulnerability in Microsoft Windows on 32-bit platforms all ...) NOT-FOR-US: Microsoft Windows CVE-2010-3887 (The Limit Mail feature in the Parental Controls functionality in Mail ...) NOT-FOR-US: Apple Mail CVE-2010-3886 (The CTimeoutEventList::InsertIntoTimeoutList function in Microsoft msh ...) NOT-FOR-US: Microsoft Windows CVE-2010-3885 REJECTED CVE-2010-3884 (Cross-site request forgery (CSRF) vulnerability in CMS Made Simple 1.8 ...) NOT-FOR-US: CMS Made Simple CVE-2010-3883 (Cross-site request forgery (CSRF) vulnerability in the Change Group Pe ...) NOT-FOR-US: CMS Made Simple CVE-2010-3882 (Multiple cross-site scripting (XSS) vulnerabilities in CMS Made Simple ...) NOT-FOR-US: CMS Made Simple CVE-2010-3881 (arch/x86/kvm/x86.c in the Linux kernel before 2.6.36.2 does not initia ...) - linux-2.6 2.6.32-29 (low) [lenny] - linux-2.6 (Vulnerable code not present) CVE-2010-3880 (net/ipv4/inet_diag.c in the Linux kernel before 2.6.37-rc2 does not pr ...) {DSA-2126-1} - linux-2.6 2.6.32-30 (low) CVE-2010-3879 (FUSE, possibly 2.8.5 and earlier, allows local users to create mtab en ...) - fuse 2.8.5-1 (bug #602333) [squeeze] - fuse (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3879 CVE-2010-3878 (Cross-site request forgery (CSRF) vulnerability in the JMX Console in ...) - jbossas4 (Only builds a few libraries, not the full application server, #581226) CVE-2010-3877 (The get_name function in net/tipc/socket.c in the Linux kernel before ...) {DSA-2126-1} - linux-2.6 2.6.32-30 (low) CVE-2010-3876 (net/packet/af_packet.c in the Linux kernel before 2.6.37-rc2 does not ...) {DSA-2126-1} - linux-2.6 2.6.32-30 (low) CVE-2010-3875 (The ax25_getname function in net/ax25/af_ax25.c in the Linux kernel be ...) {DSA-2264-1 DSA-2240-1 DSA-2126-1} - linux-2.6 2.6.32-30 (low) CVE-2010-3874 (Heap-based buffer overflow in the bcm_connect function in net/can/bcm. ...) {DSA-2126-1} - linux-2.6 2.6.32-29 (low) CVE-2010-3873 (The X.25 implementation in the Linux kernel before 2.6.36.2 does not p ...) {DSA-2126-1} - linux-2.6 2.6.32-28 (low) CVE-2010-3872 (The fcgid_header_bucket_read function in fcgid_bucket.c in the mod_fcg ...) {DSA-2140-1} - libapache2-mod-fcgid 1:2.3.6-1 (bug #605484) CVE-2010-3871 (Cross-site scripting (XSS) vulnerability in blocktype/groupviews/theme ...) - mahara (Vulnerable feature introduced in 1.3) CVE-2010-3870 (The utf8_decode function in PHP before 5.3.4 does not properly handle ...) {DSA-2195-1} - php5 5.3.3-4 (bug #603751) CVE-2010-3869 (Red Hat Certificate System (RHCS) 7.3 and 8 and Dogtag Certificate Sys ...) NOT-FOR-US: Red Hat Certificate System CVE-2010-3868 (Red Hat Certificate System (RHCS) 7.3 and 8 and Dogtag Certificate Sys ...) NOT-FOR-US: Red Hat Certificate System CVE-2010-3867 (Multiple directory traversal vulnerabilities in the mod_site_misc modu ...) {DSA-2191-1} - proftpd-dfsg 1.3.3a-4 CVE-2010-3866 REJECTED CVE-2010-3865 (Integer overflow in the rds_rdma_pages function in net/rds/rdma.c in t ...) - linux-2.6 2.6.37-1 [wheezy] - linux-2.6 2.6.32-31 [squeeze] - linux-2.6 2.6.32-31 [lenny] - linux-2.6 (Introduced in 2.6.30) CVE-2010-3864 (Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9 ...) {DSA-2125-1} - openssl 0.9.8o-3 CVE-2010-3863 (Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize ...) - shiro (Fixed before the initial release in Debian) CVE-2010-3862 (The org.jboss.remoting.transport.bisocket.BisocketServerInvoker$Second ...) - jbossas4 (Only builds a few libraries, not the full application server, #581226) CVE-2010-3861 (The ethtool_get_rxnfc function in net/core/ethtool.c in the Linux kern ...) - linux-2.6 2.6.32-29 [lenny] - linux-2.6 (Introduced in 2.6.27) CVE-2010-3860 (IcedTea 1.7.x before 1.7.6, 1.8.x before 1.8.3, and 1.9.x before 1.9.2 ...) - openjdk-6 6b18-1.8.3-1 CVE-2010-3859 (Multiple integer signedness errors in the TIPC implementation in the L ...) {DSA-2126-1} - linux-2.6 2.6.32-27 CVE-2010-3858 (The setup_arg_pages function in fs/exec.c in the Linux kernel before 2 ...) {DSA-2126-1} - linux-2.6 2.6.32-27 CVE-2010-3857 (JBoss BRMS before 5.1.0 has a XSS vulnerability via asset=UUID paramet ...) - jbossas4 (Vulnerable code not present) NOTE: JBoss 5 only; fixed in 5.1.0 CVE-2010-3856 (ld.so in the GNU C Library (aka glibc or libc6) before 2.11.3, and 2.1 ...) {DSA-2122-2 DSA-2122-1} - glibc 2.11.2-8 - eglibc 2.11.2-8 (bug #600667) CVE-2010-3855 (Buffer overflow in the ft_var_readpackedpoints function in truetype/tt ...) {DSA-2155-1} - freetype 2.4.2-2.1 (bug #602221) CVE-2010-3854 (Multiple cross-site scripting (XSS) vulnerabilities in the web adminis ...) - couchdb 1.1.0-1 [squeeze] - couchdb (Unsupported in squeeze-lts) CVE-2010-3853 (pam_namespace.c in the pam_namespace module in Linux-PAM (aka pam) bef ...) - pam 1.1.3-1 (low; bug #608273) [squeeze] - pam (Minor issue) [lenny] - pam (Minor issue) CVE-2010-3852 (The default configuration of Luci 0.22.4 and earlier in Red Hat Conga ...) NOT-FOR-US: Red Hat Conga CVE-2010-3851 (libguestfs before 1.5.23, as used in virt-v2v, virt-inspector 1.5.3 an ...) NOT-FOR-US: libguestfs CVE-2010-3850 (The ec_dev_ioctl function in net/econet/af_econet.c in the Linux kerne ...) {DSA-2126-1} - linux-2.6 2.6.32-28 CVE-2010-3849 (The econet_sendmsg function in net/econet/af_econet.c in the Linux ker ...) {DSA-2126-1} - linux-2.6 2.6.32-28 CVE-2010-3848 (Stack-based buffer overflow in the econet_sendmsg function in net/econ ...) {DSA-2126-1} - linux-2.6 2.6.32-28 CVE-2010-3847 (elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) throu ...) {DSA-2122-2 DSA-2122-1} - eglibc 2.11.2-8 (bug #600667) - glibc 2.11.2-8 CVE-2010-3846 (Array index error in the apply_rcs_change function in rcs.c in CVS 1.1 ...) - cvs (vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3852 CVE-2010-3844 (An unchecked sscanf() call in ettercap before 0.7.5 allows an insecure ...) - ettercap 1:0.7.4-1 (unimportant; bug #600130) NOTE: Very far-fetched attack vector CVE-2010-3843 RESERVED - ettercap 1:0.7.4-1 (unimportant; bug #600130) NOTE: Very far-fetched attack vector CVE-2010-3842 (Absolute path traversal vulnerability in curl 7.20.0 through 7.21.1, w ...) - curl (Doesn't affect POSIX systems) CVE-2010-3841 (Multiple cross-site scripting (XSS) vulnerabilities in lib/TWiki.pm in ...) NOT-FOR-US: TWiki CVE-2009-5009 (Double free vulnerability in OpenConnect before 1.40 might allow remot ...) - openconnect 1.40-1 CVE-2009-5008 (Cisco Secure Desktop (CSD), when used in conjunction with an AnyConnec ...) NOT-FOR-US: isco Secure Desktop CVE-2009-5007 (The Cisco trial client on Linux for Cisco AnyConnect SSL VPN allows lo ...) NOT-FOR-US: Cisco AnyConnect SSL VPN trial client CVE-2009-5006 (The SessionAdapter::ExchangeHandlerImpl::checkAlternate function in br ...) - qpid-cpp (Fixed before initial upload to archive) CVE-2009-5005 (The Cluster::deliveredEvent function in cluster/Cluster.cpp in Apache ...) - qpid-cpp (Fixed before initial upload to archive) CVE-2009-5004 (qpid-cpp 1.0 crashes when a large message is sent and the Digest-MD5 m ...) - qpid-cpp (Fixed before initial upload to archive) CVE-2010-3845 (libapache-authenhook-perl 2.00-04 stores usernames and passwords in pl ...) - libapache-authenhook-perl 2.00-04+pristine-2 (low; bug #599712) [lenny] - libapache-authenhook-perl 2.00-04+pristine-1+lenny1 CVE-2010-4237 (Mercurial before 1.6.4 fails to verify the Common Name field of SSL ce ...) - mercurial 1.6.4-1 (low; bug #598841) [lenny] - mercurial (Minor issue) CVE-2010-3840 (The Gis_line_string::init_from_wkb function in sql/spatial.cc in MySQL ...) {DSA-2143-1} - mysql-5.1 5.1.49-3 (bug #599937) - mysql-dfsg-5.0 CVE-2010-3839 (MySQL 5.1 before 5.1.51 and 5.5 before 5.5.6 allows remote authenticat ...) - mysql-5.1 5.1.49-3 (bug #599937) - mysql-dfsg-5.0 [lenny] - mysql-dfsg-5.0 (vulnerable code not present) CVE-2010-3838 (MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allow ...) {DSA-2143-1} - mysql-5.1 5.1.49-3 (bug #599937) - mysql-dfsg-5.0 CVE-2010-3837 (MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allow ...) {DSA-2143-1} - mysql-5.1 5.1.49-3 (bug #599937) - mysql-dfsg-5.0 CVE-2010-3836 (MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allow ...) {DSA-2143-1} - mysql-5.1 5.1.49-3 (bug #599937) - mysql-dfsg-5.0 CVE-2010-3835 (MySQL 5.1 before 5.1.51 and 5.5 before 5.5.6 allows remote authenticat ...) {DSA-2143-1} - mysql-5.1 5.1.49-3 (bug #599937) - mysql-dfsg-5.0 CVE-2010-3834 (Unspecified vulnerability in MySQL 5.0 before 5.0.92, 5.1 before 5.1.5 ...) {DSA-2143-1} - mysql-5.1 5.1.49-3 (bug #599937) - mysql-dfsg-5.0 CVE-2010-3833 (MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 does ...) {DSA-2143-1} - mysql-5.1 5.1.49-3 (bug #599937) - mysql-dfsg-5.0 CVE-2010-3832 (Heap-based buffer overflow in the GSM mobility management implementati ...) NOT-FOR-US: Apple iOS Telophony CVE-2010-3831 (Photos in Apple iOS before 4.2 enables support for HTTP Basic Authenti ...) NOT-FOR-US: Apple iOS Photos CVE-2010-3830 (Networking in Apple iOS before 4.2 accesses an invalid pointer during ...) NOT-FOR-US: Apple iOS Networking CVE-2010-3829 (WebKit in Apple iOS before 4.2 allows remote attackers to bypass the r ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2010-3828 (iAd Content Display in Apple iOS before 4.2 allows man-in-the-middle a ...) NOT-FOR-US: Apple iOS iAd CVE-2010-3827 (Apple iOS before 4.2 does not properly validate signatures before disp ...) NOT-FOR-US: Apple iOS configuration installation utility CVE-2010-3826 (WebKit in Apple Safari before 5.0.3 on Mac OS X 10.5 through 10.6 and ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2010-3825 RESERVED CVE-2010-3824 (Use-after-free vulnerability in WebKit in Apple Safari before 5.0.3 on ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2010-3823 (Use-after-free vulnerability in WebKit in Apple Safari before 5.0.3 on ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2010-3822 (WebKit in Apple Safari before 5.0.3 on Mac OS X 10.5 through 10.6 and ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2010-3821 (WebKit in Apple Safari before 5.0.3 on Mac OS X 10.5 through 10.6 and ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2010-3820 (WebKit in Apple Safari before 5.0.3 on Mac OS X 10.5 through 10.6 and ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2010-3819 (WebKit in Apple Safari before 5.0.3 on Mac OS X 10.5 through 10.6 and ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2010-3818 (Use-after-free vulnerability in WebKit in Apple Safari before 5.0.3 on ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2010-3817 (WebKit in Apple Safari before 5.0.3 on Mac OS X 10.5 through 10.6 and ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2010-3816 (Use-after-free vulnerability in WebKit in Apple Safari before 5.0.3 on ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2010-3815 RESERVED CVE-2010-3814 (Heap-based buffer overflow in the Ins_SHZ function in ttinterp.c in Fr ...) {DSA-2155-1} - freetype 2.4.2-2.1 (bug #602221) CVE-2010-3813 (The WebCore::HTMLLinkElement::process function in WebCore/html/HTMLLin ...) - webkit 1.2.6-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 29.0.1547.57-1 [squeeze] - chromium-browser NOTE: fixed much earlier in chromium, but this was the version checked CVE-2010-3812 (Integer overflow in the Text::wholeText method in dom/Text.cpp in WebK ...) - webkit 1.2.6-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 29.0.1547.57-1 [squeeze] - chromium-browser NOTE: fixed much earlier in chromium, but this was the version checked NOTE: http://www.zerodayinitiative.com/advisories/ZDI-10-257 CVE-2010-3811 (Use-after-free vulnerability in WebKit in Apple Safari before 5.0.3 on ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2010-3810 (WebKit in Apple Safari before 5.0.3 on Mac OS X 10.5 through 10.6 and ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2010-3809 (WebKit in Apple Safari before 5.0.3 on Mac OS X 10.5 through 10.6 and ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2010-3808 (WebKit in Apple Safari before 5.0.3 on Mac OS X 10.5 through 10.6 and ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2010-3807 RESERVED CVE-2010-3806 RESERVED CVE-2010-3805 (Integer underflow in WebKit in Apple Safari before 5.0.3 on Mac OS X 1 ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2010-3804 (The JavaScript implementation in WebKit in Apple Safari before 5.0.3 o ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2010-3803 (Integer overflow in WebKit in Apple Safari before 5.0.3 on Mac OS X 10 ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2010-3802 (Integer signedness error in Apple QuickTime before 7.6.9 allows remote ...) NOT-FOR-US: Apple QuickTime CVE-2010-3801 (Apple QuickTime before 7.6.9 allows remote attackers to execute arbitr ...) NOT-FOR-US: Apple QuickTime CVE-2010-3800 (Apple QuickTime before 7.6.9 allows remote attackers to execute arbitr ...) NOT-FOR-US: Apple QuickTime CVE-2010-3799 RESERVED CVE-2010-3798 (Heap-based buffer overflow in xar in Apple Mac OS X 10.6.x before 10.6 ...) - xar [lenny] - xar (Minor issue) CVE-2010-3797 (Cross-site scripting (XSS) vulnerability in Wiki Server in Apple Mac O ...) NOT-FOR-US: Apple Wiki Server CVE-2010-3796 (Safari RSS in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 does not ...) NOT-FOR-US: Apple Safari RSS CVE-2010-3795 (QuickTime in Apple Mac OS X 10.6.x before 10.6.5 accesses uninitialize ...) NOT-FOR-US: Apple QuickTime CVE-2010-3794 (QuickTime in Apple Mac OS X 10.6.x before 10.6.5 accesses uninitialize ...) NOT-FOR-US: Apple QuickTime CVE-2010-3793 (QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attacke ...) NOT-FOR-US: Apple QuickTime CVE-2010-3792 (Integer signedness error in QuickTime in Apple Mac OS X 10.6.x before ...) NOT-FOR-US: Apple QuickTime CVE-2010-3791 (Buffer overflow in QuickTime in Apple Mac OS X 10.6.x before 10.6.5 al ...) NOT-FOR-US: Apple QuickTime CVE-2010-3790 (QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attacke ...) NOT-FOR-US: Apple QuickTime CVE-2010-3789 (QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attacke ...) NOT-FOR-US: Apple QuickTime CVE-2010-3788 (QuickTime in Apple Mac OS X 10.6.x before 10.6.5 accesses uninitialize ...) NOT-FOR-US: Apple QuickTime CVE-2010-3787 (Heap-based buffer overflow in QuickTime in Apple Mac OS X 10.6.x befor ...) NOT-FOR-US: Apple QuickTime CVE-2010-3786 (QuickLook in Apple Mac OS X 10.6.x before 10.6.5 allows remote attacke ...) NOT-FOR-US: Apple QuickLook CVE-2010-3785 (Buffer overflow in QuickLook in Apple Mac OS X 10.5.8 and 10.6.x befor ...) NOT-FOR-US: Apple QuickLook CVE-2010-3784 (The PMPageFormatCreateWithDataRepresentation API in Printing in Apple ...) NOT-FOR-US: Apple Printing CVE-2010-3783 (Password Server in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 does ...) NOT-FOR-US: Apple Password Server CVE-2010-3782 (obs-server before 1.7.7 allows logins by 'unconfirmed' accounts due to ...) - open-build-service (Fixed before initial upload to archive) CVE-2010-3781 (The PL/php add-on 1.4 and earlier for PostgreSQL does not properly pro ...) - postgresql-9.0 9.0.1-1 CVE-2010-3780 (Dovecot 1.2.x before 1.2.15 allows remote authenticated users to cause ...) - dovecot 1:1.2.15-1 (bug #599521) [lenny] - dovecot (Only affects 1.2.x) CVE-2010-3779 (Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.beta2 grants the admi ...) - dovecot 1:1.2.15-1 (bug #599521) [lenny] - dovecot (Only affects 1.2.x) CVE-2010-3778 (Unspecified vulnerability in Mozilla Firefox 3.5.x before 3.5.16, Thun ...) {DSA-2132-1} - xulrunner (unimportant) - icedove 3.0.11-1 [lenny] - icedove - iceweasel 3.5.16-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.11-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-3777 (Unspecified vulnerability in Mozilla Firefox 3.6.x before 3.6.13 and T ...) - iceweasel (Only affects Firefox 3.6, which is only in experimental) CVE-2010-3776 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2132-1} - xulrunner (unimportant) - iceweasel 3.5.16-1 - icedove 3.0.11-1 [lenny] - icedove [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.11-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-3775 (Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey b ...) {DSA-2132-1} - xulrunner (unimportant) - iceweasel 3.5.16-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.11-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-3774 (The NS_SecurityCompareURIs function in netwerk/base/public/nsNetUtil.h ...) - xulrunner (unimportant) - iceweasel 3.5.16-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.11-1 [lenny] - iceape (Only a stub package) [lenny] - xulrunner (Doesn't affect 1.9.0) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-3773 (Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey b ...) {DSA-2132-1} - xulrunner (unimportant) - iceweasel 3.5.16-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.11-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-3772 (Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey b ...) {DSA-2132-1} - xulrunner (unimportant) - iceweasel 3.5.16-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.11-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-3771 (Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey b ...) {DSA-2132-1} - xulrunner (unimportant) - iceweasel 3.5.16-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.11-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-3770 (Multiple cross-site scripting (XSS) vulnerabilities in the rendering e ...) {DSA-2132-1} - xulrunner (unimportant) - iceweasel 3.5.16-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.11-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-3769 (The line-breaking implementation in Mozilla Firefox before 3.5.16 and ...) {DSA-2132-1} - xulrunner (unimportant) - icedove 3.0.11-1 - iceweasel 3.5.16-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.11-1 [lenny] - iceape (Only a stub package) [lenny] - xulrunner (font-face support introduced in 1.9.1) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-3768 (Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, Thunderbird bef ...) - xulrunner (unimportant) [lenny] - xulrunner (Vulnerable code not present) - icedove 3.0.11-1 - iceweasel 3.5.16-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.11-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-3767 (Integer overflow in the NewIdArray function in Mozilla Firefox before ...) {DSA-2132-1} - xulrunner (unimportant) - iceweasel 3.5.16-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.11-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-3766 (Use-after-free vulnerability in Mozilla Firefox before 3.5.16 and 3.6. ...) - xulrunner (unimportant) [lenny] - xulrunner (Vulnerable code not present) - iceweasel 3.5.16-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.11-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-3765 (Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunder ...) {DSA-2124-1} - xulrunner (unimportant) - iceweasel 3.5.15-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.10-1 - icedove 3.0.10-1 [lenny] - icedove [lenny] - iceape (Only a stub package) [lenny] - xulrunner (bug in optimization added later) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-3764 (The Old Charts implementation in Bugzilla 2.12 through 3.2.8, 3.4.8, 3 ...) - bugzilla 3.6.3.0-1 (bug #602420; low) [squeeze] - bugzilla 3.6.2.0-4.2 CVE-2010-3763 (Cross-site scripting (XSS) vulnerability in core/summary_api.php in Ma ...) - mantis 1.1.8+dfsg-9 (bug #601618) [lenny] - mantis 1.1.6+dfsg-2lenny4 CVE-2010-3762 (ISC BIND before 9.7.2-P2, when DNSSEC validation is enabled, does not ...) {DSA-2130-1} - bind9 1:9.7.2.dfsg.P2-1 (bug #599515) NOTE: http://ftp.isc.org/isc/bind9/9.7.2-P2/RELEASE-NOTES-BIND-9.7.2-P2.html NOTE: ACL bypass claimed to only affect >=9.7.2: https://kb.isc.org/article/AA-00935/0/CVE-2010-3762%3A-failure-to-handle-bad-signatures-if-multiple-trust-anchors-configured.html NOTE: The crash with multiple trust anchors affects 9.6 and is fixed in 9.6-ESV-R2. CVE-2010-3761 (Unspecified vulnerability in IBM Tivoli Storage Manager (TSM) FastBack ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2010-3760 (FastBackMount.exe in the Mount service in IBM Tivoli Storage Manager ( ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2010-3759 (FastBackMount.exe in the Mount service in IBM Tivoli Storage Manager ( ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2010-3758 (Multiple stack-based buffer overflows in FastBackServer.exe in the Ser ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2010-3757 (Format string vulnerability in the _Eventlog function in FastBackServe ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2010-3756 (The _CalcHashValueWithLength function in FastBackServer.exe in the Ser ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2010-3755 (The _DAS_ReadBlockReply function in FastBackServer.exe in the Server i ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2010-3754 (The FXCLI_OraBR_Exec_Command function in FastBackServer.exe in the Ser ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2010-3753 (programs/pluto/xauth.c in the client in Openswan 2.6.26 through 2.6.28 ...) - openswan 1:2.6.28+dfsg-2 [lenny] - openswan (Introduced in version 2.6.26) CVE-2010-3752 (programs/pluto/xauth.c in the client in Openswan 2.6.25 through 2.6.28 ...) - openswan 1:2.6.28+dfsg-2 [lenny] - openswan (Introduced in version 2.6.25) CVE-2010-3751 (Multiple heap-based buffer overflows in an ActiveX control in RealNetw ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2010-3750 (rjrmrpln.dll in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2010-3749 (The browser-plugin implementation in RealNetworks RealPlayer 11.0 thro ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2010-3748 (Stack-based buffer overflow in the RichFX component in RealNetworks Re ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2010-3747 (An ActiveX control in RealNetworks RealPlayer 11.0 through 11.1, RealP ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2010-3746 RESERVED CVE-2010-3745 RESERVED CVE-2010-3744 RESERVED CVE-2010-3743 (Directory traversal vulnerability in Visual Synapse HTTP Server 1.0 RC ...) NOT-FOR-US: Visual Synapse HTTP Server CVE-2010-3742 (Multiple PHP remote file inclusion vulnerabilities in themes/default/i ...) NOT-FOR-US: Free Simple CMS 1.0 CVE-2010-3741 (The offline backup mechanism in Research In Motion (RIM) BlackBerry De ...) NOT-FOR-US: BlackBerry Desktop Software CVE-2010-3740 (The Net Search Extender (NSE) implementation in the Text Search compon ...) NOT-FOR-US: IBM DB2 UDB 9.5 CVE-2010-3739 (The audit facility in the Security component in IBM DB2 UDB 9.5 before ...) NOT-FOR-US: IBM DB2 UDB 9.5 CVE-2010-3738 (The Security component in IBM DB2 UDB 9.5 before FP6a logs AUDIT event ...) NOT-FOR-US: IBM DB2 UDB 9.5 CVE-2010-3737 (Memory leak in the Relational Data Services component in IBM DB2 UDB 9 ...) NOT-FOR-US: IBM DB2 UDB 9.5 CVE-2010-3736 (Memory leak in the Relational Data Services component in IBM DB2 UDB 9 ...) NOT-FOR-US: IBM DB2 UDB 9.5 CVE-2010-3735 (The "Query Compiler, Rewrite, Optimizer" component in IBM DB2 UDB 9.5 ...) NOT-FOR-US: IBM DB2 UDB 9.5 CVE-2010-3734 (The Install component in IBM DB2 UDB 9.5 before FP6a on Linux, UNIX, a ...) NOT-FOR-US: IBM DB2 UDB 9.5 CVE-2010-3733 (The Engine Utilities component in IBM DB2 UDB 9.5 before FP6a uses wor ...) NOT-FOR-US: IBM DB2 UDB 9.5 CVE-2010-3732 (The DRDA Services component in IBM DB2 UDB 9.5 before FP6a allows remo ...) NOT-FOR-US: IBM DB2 UDB 9.5 CVE-2010-3731 (Stack-based buffer overflow in the validateUser implementation in the ...) NOT-FOR-US: IBM DB2 UDB 9.5 CVE-2010-3730 (Google Chrome before 6.0.472.62 does not properly use information abou ...) - webkit (issue in libv8) - chromium-browser 6.0.472.62~r59676-1 - libv8 NOTE: https://bugs.webkit.org/show_bug.cgi?id=45700 NOTE: http://trac.webkit.org/changeset/67509 CVE-2010-3729 (The SPDY protocol implementation in Google Chrome before 6.0.472.62 do ...) - webkit (chromium specific) - chromium-browser 6.0.472.62~r59676-1 CVE-2010-3728 REJECTED CVE-2010-3727 REJECTED CVE-2010-3726 REJECTED CVE-2010-3725 REJECTED CVE-2010-3724 REJECTED CVE-2010-3723 REJECTED CVE-2010-3722 REJECTED CVE-2010-3721 REJECTED CVE-2010-3720 REJECTED CVE-2010-3719 (Eval injection vulnerability in IMAdminSchedTask.asp in the administra ...) NOT-FOR-US: Symantec IM Manager CVE-2010-3718 (Apache Tomcat 7.0.0 through 7.0.3, 6.0.x, and 5.5.x, when running with ...) {DSA-2160-1} - tomcat5.5 (low) [lenny] - tomcat5.5 (Minor issue) - tomcat6 6.0.28-10 (bug #612257) [lenny] - tomcat6 (Only ships the servlet package) CVE-2010-3717 (The t3lib_div::validEmail function in TYPO3 4.2.x before 4.2.15, 4.3.x ...) {DSA-2121-1} - typo3-src 4.3.7-1 CVE-2010-3716 (The be_user_creation task in TYPO3 4.2.x before 4.2.15 and 4.3.x befor ...) {DSA-2121-1} - typo3-src 4.3.7-1 CVE-2010-3715 (Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 4.2.x bef ...) {DSA-2121-1} - typo3-src 4.3.7-1 CVE-2010-3714 (The jumpUrl (aka access tracking) implementation in tslib/class.tslib_ ...) {DSA-2121-1} - typo3-src 4.3.7-1 CVE-2010-3713 (rss.php in UseBB before 1.0.11 does not properly handle forum configur ...) NOT-FOR-US: UseBB CVE-2010-3712 (Cross-site scripting (XSS) vulnerability in Joomla! 1.5.x before 1.5.2 ...) NOT-FOR-US: Joomla! CVE-2010-3711 (libpurple in Pidgin before 2.7.4 does not properly validate the return ...) - pidgin 2.7.4-1 [squeeze] - pidgin 2.7.3-1+squeeze1 CVE-2010-3710 (Stack consumption vulnerability in the filter_var function in PHP 5.2. ...) {DSA-2195-1} - php5 5.3.3-3 (bug #601619) CVE-2010-3709 (The ZipArchive::getArchiveComment function in PHP 5.2.x through 5.2.14 ...) {DSA-2195-1} - php5 5.3.3-4 (bug #603751) CVE-2010-3708 (The serialization implementation in JBoss Drools in Red Hat JBoss Ente ...) - jbossas4 (Only builds a few libraries, not the full application server, #581226) CVE-2010-3707 (plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0 ...) - dovecot 1:1.2.15-1 [lenny] - dovecot (Only affects 1.2.x) CVE-2010-3706 (plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0 ...) - dovecot 1:1.2.15-1 [lenny] - dovecot (Only affects 1.2.x) CVE-2010-3705 (The sctp_auth_asoc_get_hmac function in net/sctp/auth.c in the Linux k ...) {DSA-2126-1} - linux-2.6 2.6.32-25 CVE-2010-3704 (The FoFiType1::parse function in fofi/FoFiType1.cc in the PDF parser i ...) {DSA-2135-1 DSA-2119-1} - kdegraphics 4:4.0.0-1 - xpdf 3.02-9 - poppler 0.12.4-1.2 (bug #599165) NOTE: http://cgit.freedesktop.org/poppler/poppler/commit/?id=39d140bfc0b8239bdd96d6a55842034ae5c05473 CVE-2010-3703 (The PostScriptFunction::PostScriptFunction function in poppler/Functio ...) - kdegraphics 4:4.0.0-1 [lenny] - kdegraphics (Vulnerable code not present) - xpdf 3.02-9 [lenny] - xpdf (Vulnerable code not present) - poppler 0.12.4-1.2 (bug #599165) [lenny] - poppler (Vulnerable code not present) NOTE: http://cgit.freedesktop.org/poppler/poppler/commit/?id=bf2055088a3a2d3bb3d3c37d464954ec1a25771f CVE-2010-3702 (The Gfx::getPos function in the PDF parser in xpdf before 3.02pl5, pop ...) {DSA-2135-1 DSA-2119-1} - kdegraphics 4:4.0.0-1 - xpdf 3.02-9 - poppler 0.12.4-1.2 (bug #599165) NOTE: http://cgit.freedesktop.org/poppler/poppler/commit/?id=e853106b58d6b4b0467dbd6436c9bb1cfbd372cf CVE-2010-3701 (lib/MessageStoreImpl.cpp in Red Hat Enterprise MRG before 1.2.2 allows ...) NOT-FOR-US: Red Hat Enterprise MRG CVE-2010-3700 (VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3. ...) NOT-FOR-US: VMware SpringSource Spring Security CVE-2010-3699 (The backend driver in Xen 3.x allows guest OS users to cause a denial ...) {DSA-2153-1} - linux-2.6 2.6.32-31 CVE-2010-3698 (The KVM implementation in the Linux kernel before 2.6.36 does not prop ...) - linux-2.6 2.6.32-28 [lenny] - linux-2.6 (Vulnerable code not present) CVE-2010-3697 (The wait_for_child_to_die function in main/event.c in FreeRADIUS 2.1.x ...) - freeradius 2.1.10+dfsg-1 (bug #600176; unimportant) NOTE: requires server to be down already CVE-2010-3696 (The fr_dhcp_decode function in lib/dhcp.c in FreeRADIUS 2.1.9, in cert ...) - freeradius 2.1.10+dfsg-1 (bug #600176) [lenny] - freeradius (Vulnerable code not present) CVE-2010-3695 (Cross-site scripting (XSS) vulnerability in fetchmailprefs.php in Hord ...) {DSA-2204-1} - imp4 4.3.7+debian0-2.1 (bug #598584; low) NOTE: http://archives.neohapsis.com/archives/fulldisclosure/2010-09/0379.html CVE-2010-3694 (Cross-site request forgery (CSRF) vulnerability in the Horde Applicati ...) {DSA-2278-1} - horde3 3.3.8+debian0-2 (bug #598582) NOTE: http://lists.horde.org/archives/announce/2010/000568.html CVE-2010-3693 (Cross-site scripting (XSS) vulnerability in Horde Dynamic IMP (DIMP) b ...) - dimp1 1.1.4+debian2-1.1 (bug #598583) NOTE: http://lists.horde.org/archives/announce/2010/000561.html CVE-2010-3692 (Directory traversal vulnerability in the callback function in client.p ...) {DSA-2172-1} - libphp-cas (bug #495542) - glpi (unimportant) NOTE: Only supported behind an authenticated HTTP zone - moodle 1.9.9.dfsg2-2 (bug #601384) CVE-2010-3691 (PGTStorage/pgt-file.php in phpCAS before 1.1.3, when proxy mode is ena ...) {DSA-2172-1} - libphp-cas (bug #495542) - glpi (unimportant) NOTE: Only supported behind an authenticated HTTP zone - moodle 1.9.9.dfsg2-2 (bug #601384) CVE-2010-3690 (Multiple cross-site scripting (XSS) vulnerabilities in phpCAS before 1 ...) {DSA-2172-1} - libphp-cas (bug #495542) - glpi (unimportant) NOTE: Only supported behind an authenticated HTTP zone - moodle 1.9.9.dfsg2-2 (bug #601384) CVE-2010-3689 (soffice in OpenOffice.org (OOo) 3.x before 3.3 places a zero-length di ...) {DSA-2151-1} - openoffice.org 1:3.2.1-11+squeeze2 CVE-2010-3687 (Unspecified vulnerability in the powermail extension 1.5.3 and earlier ...) NOT-FOR-US: powermail extension 1.5.3 for typo3 CVE-2010-3686 (The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x ...) {DSA-2113-1} - drupal6 6.18-1 (low; bug #592716) CVE-2010-3685 (The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x ...) {DSA-2113-1} - drupal6 6.18-1 (low; bug #592716) CVE-2010-4340 (libcloud before 0.4.1 does not verify SSL certificates for HTTPS conne ...) - libcloud 0.5.0-1 (low; bug #598463) CVE-2010-3688 (Directory traversal vulnerability in ADMIN/login.php in NetArtMEDIA We ...) NOT-FOR-US: NetArtMEDIA WebSiteAdmin CVE-2010-3684 (The FTP authentication module in Synology Disk Station 2.x logs passwo ...) NOT-FOR-US: Synology Disk Station CVE-2010-3683 (Oracle MySQL 5.1 before 5.1.49 and 5.5 before 5.5.5 sends an OK packet ...) - mysql-5.1 5.1.49-1 (bug #598580) - mysql-dfsg-5.0 [lenny] - mysql-dfsg-5.0 (vulnerable code not present) CVE-2010-3682 (Oracle MySQL 5.1 before 5.1.49 and 5.0 before 5.0.92 allows remote aut ...) {DSA-2143-1} - mysql-5.1 5.1.49-1 (bug #598580) - mysql-dfsg-5.0 CVE-2010-3681 (Oracle MySQL 5.1 before 5.1.49 and 5.5 before 5.5.5 allows remote auth ...) {DSA-2143-1} - mysql-5.1 5.1.49-1 (bug #598580) - mysql-dfsg-5.0 CVE-2010-3680 (Oracle MySQL 5.1 before 5.1.49 allows remote authenticated users to ca ...) {DSA-2143-1} - mysql-5.1 5.1.49-1 (bug #598580) - mysql-dfsg-5.0 CVE-2010-3679 (Oracle MySQL 5.1 before 5.1.49 allows remote authenticated users to ca ...) - mysql-5.1 5.1.49-1 (bug #598580) - mysql-dfsg-5.0 [lenny] - mysql-dfsg-5.0 (vulnerable code not present) CVE-2010-3678 (Oracle MySQL 5.1 before 5.1.49 allows remote authenticated users to ca ...) - mysql-5.1 5.1.49-1 (bug #598580) - mysql-dfsg-5.0 [lenny] - mysql-dfsg-5.0 (vulnerable code not present) CVE-2010-3677 (Oracle MySQL 5.1 before 5.1.49 and 5.0 before 5.0.92 allows remote aut ...) {DSA-2143-1} - mysql-5.1 5.1.49-1 (bug #598580) - mysql-dfsg-5.0 CVE-2010-3676 (storage/innobase/dict/dict0crea.c in mysqld in Oracle MySQL 5.1 before ...) - mysql-5.1 5.1.49-1 (bug #598580) - mysql-dfsg-5.0 [lenny] - mysql-dfsg-5.0 (vulnerable code not present) CVE-2010-3675 RESERVED CVE-2010-3658 (Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windo ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2010-3657 (Unspecified vulnerability in Adobe Reader and Acrobat 9.x before 9.4, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2010-3656 (Unspecified vulnerability in Adobe Reader and Acrobat 9.x before 9.4, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2010-3655 (Stack-based buffer overflow in dirapi.dll in Adobe Shockwave Player be ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-3654 (Adobe Flash Player before 9.0.289.0 and 10.x before 10.1.102.64 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2010-3653 (The Director module (dirapi.dll) in Adobe Shockwave Player before 11.5 ...) NOT-FOR-US: Adobe Shockwave CVE-2010-3652 (Unspecified vulnerability in Adobe Flash Player before 9.0.289.0 and 1 ...) NOT-FOR-US: Adobe Flash Player CVE-2010-3651 REJECTED CVE-2010-3650 (Unspecified vulnerability in Adobe Flash Player before 9.0.289.0 and 1 ...) NOT-FOR-US: Adobe Flash Player CVE-2010-3649 (Unspecified vulnerability in Adobe Flash Player before 9.0.289.0 and 1 ...) NOT-FOR-US: Adobe Flash Player CVE-2010-3648 (Unspecified vulnerability in Adobe Flash Player before 9.0.289.0 and 1 ...) NOT-FOR-US: Adobe Flash Player CVE-2010-3647 (Unspecified vulnerability in Adobe Flash Player before 9.0.289.0 and 1 ...) NOT-FOR-US: Adobe Flash Player CVE-2010-3646 (Unspecified vulnerability in Adobe Flash Player before 9.0.289.0 and 1 ...) NOT-FOR-US: Adobe Flash Player CVE-2010-3645 (Unspecified vulnerability in Adobe Flash Player before 9.0.289.0 and 1 ...) NOT-FOR-US: Adobe Flash Player CVE-2010-3644 (Unspecified vulnerability in Adobe Flash Player before 9.0.289.0 and 1 ...) NOT-FOR-US: Adobe Flash Player CVE-2010-3643 (Unspecified vulnerability in Adobe Flash Player before 9.0.289.0 and 1 ...) NOT-FOR-US: Adobe Flash Player CVE-2010-3642 (Unspecified vulnerability in Adobe Flash Player before 9.0.289.0 and 1 ...) NOT-FOR-US: Adobe Flash Player CVE-2010-3641 (Unspecified vulnerability in Adobe Flash Player before 9.0.289.0 and 1 ...) NOT-FOR-US: Adobe Flash Player CVE-2010-3640 (Unspecified vulnerability in Adobe Flash Player before 9.0.289.0 and 1 ...) NOT-FOR-US: Adobe Flash Player CVE-2010-3639 (Unspecified vulnerability in Adobe Flash Player before 9.0.289.0 and 1 ...) NOT-FOR-US: Adobe Flash Player CVE-2010-3638 (Unspecified vulnerability in Adobe Flash Player before 9.0.289.0 and 1 ...) NOT-FOR-US: Adobe Flash Player CVE-2010-3637 (An unspecified ActiveX control in Adobe Flash Player before 9.0.289.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2010-3636 (Adobe Flash Player before 9.0.289.0 and 10.x before 10.1.102.64 on Win ...) NOT-FOR-US: Adobe Flash Player CVE-2010-3635 (Adobe Flash Media Server (FMS) 3.0.x before 3.0.7, 3.5.x before 3.5.5, ...) NOT-FOR-US: Adobe Flash Media Server CVE-2010-3634 (Unspecified vulnerability in the edge process in Adobe Flash Media Ser ...) NOT-FOR-US: Adobe Flash Media Server CVE-2010-3633 (Memory leak in Adobe Flash Media Server (FMS) 3.0.x before 3.0.7, 3.5. ...) NOT-FOR-US: Adobe Flash Media Server CVE-2010-3632 (Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windo ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2010-3631 (Array index error in Adobe Reader and Acrobat 8.x before 8.2.5 and 9.x ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2010-3630 (Unspecified vulnerability in Adobe Reader and Acrobat 9.x before 9.4, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2010-3629 (Unspecified vulnerability in Adobe Reader and Acrobat 9.x before 9.4, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2010-3628 (Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windo ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2010-3627 (Unspecified vulnerability in Adobe Reader and Acrobat 9.x before 9.4, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2010-3626 (Unspecified vulnerability in Adobe Reader and Acrobat 9.x before 9.4, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2010-3625 (Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windo ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2010-3624 (Unspecified vulnerability in Adobe Reader and Acrobat 8.x before 8.2.5 ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2010-3623 (Adobe Reader and Acrobat 8.x before 8.2.5 and 9.x before 9.4 on Mac OS ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2010-3622 (Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windo ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2010-3621 (Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windo ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2010-3620 (Unspecified vulnerability in Adobe Reader and Acrobat 9.x before 9.4, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2010-3619 (Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windo ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2010-3618 (PGP Desktop 10.0.x before 10.0.3 SP2 and 10.1.0 before 10.1.0 SP1 does ...) NOT-FOR-US: PGP Desktop CVE-2010-3617 RESERVED CVE-2010-3616 (ISC DHCP server 4.2 before 4.2.0-P2, when configured to use failover p ...) - isc-dhcp (Only affects 4.2.x) - dhcp3 (Only affects 4.2.x) - dhcp (Only affects 4.2.x) CVE-2010-3615 (named in ISC BIND 9.7.2-P2 does not check all intended locations for a ...) - bind9 1:9.7.2.dfsg.P3-1 (bug #605876) [lenny] - bind9 (Doesn't affect 9.6 ESV) NOTE: http://ftp.isc.org/isc/bind9/9.7.2-P3/RELEASE-NOTES-BIND-9.7.2-P3.html CVE-2010-3614 (named in ISC BIND 9.x before 9.6.2-P3, 9.7.x before 9.7.2-P3, 9.4-ESV ...) {DSA-2130-1} - bind9 1:9.7.2.dfsg.P3-1 (bug #605876) NOTE: http://ftp.isc.org/isc/bind9/9.7.2-P3/RELEASE-NOTES-BIND-9.7.2-P3.html CVE-2010-3613 (named in ISC BIND 9.6.2 before 9.6.2-P3, 9.6-ESV before 9.6-ESV-R3, an ...) {DSA-2130-1} - bind9 1:9.7.2.dfsg.P3-1 (bug #605876) NOTE: http://ftp.isc.org/isc/bind9/9.7.2-P3/RELEASE-NOTES-BIND-9.7.2-P3.html CVE-2010-3612 RESERVED CVE-2010-3611 (ISC DHCP server 4.0 before 4.0.2, 4.1 before 4.1.2, and 4.2 before 4.2 ...) - isc-dhcp 4.1.1-P1-14 - dhcp3 (Only affects DHCP 4.x) - dhcp (Only affects DHCP 4.x) CVE-2010-3610 RESERVED CVE-2010-3609 (The extension parser in slp_v2message.c in OpenSLP 1.2.1, and other ve ...) {DLA-304-1} - openslp-dfsg 1.2.1-8 (low; bug #623551) [squeeze] - openslp-dfsg (Minor issue) [lenny] - openslp-dfsg (Minor issue) CVE-2010-3659 (Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 CMS 4.1.x ...) {DSA-2098-1} - typo3-src 4.3.5-1 (bug #590719) CVE-2010-3660 (TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x ...) {DSA-2098-1} - typo3-src 4.3.5-1 (bug #590719) CVE-2010-3661 (TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x ...) {DSA-2098-1} - typo3-src 4.3.5-1 (bug #590719) CVE-2010-3662 (TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x ...) {DSA-2098-1} - typo3-src 4.3.5-1 (bug #590719) CVE-2010-3663 (TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x ...) {DSA-2098-1} - typo3-src 4.3.5-1 (bug #590719) CVE-2010-3664 (TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x ...) {DSA-2098-1} - typo3-src 4.3.5-1 (bug #590719) CVE-2010-3665 (TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x ...) {DSA-2098-1} - typo3-src 4.3.5-1 (bug #590719) CVE-2010-3666 (TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x ...) {DSA-2098-1} - typo3-src 4.3.5-1 (bug #590719) CVE-2010-3667 (TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x ...) {DSA-2098-1} - typo3-src 4.3.5-1 (bug #590719) CVE-2010-3668 (TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x ...) {DSA-2098-1} - typo3-src 4.3.5-1 (bug #590719) CVE-2010-3669 (TYPO3 before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows ...) {DSA-2098-1} - typo3-src 4.3.5-1 (bug #590719) CVE-2010-3670 (TYPO3 before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness ...) {DSA-2098-1} - typo3-src 4.3.5-1 (bug #590719) CVE-2010-3671 (TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x ...) {DSA-2098-1} - typo3-src 4.3.5-1 (bug #590719) CVE-2010-3672 (TYPO3 before 4.3.4 and 4.4.x before 4.4.1 allows XSS in the textarea v ...) {DSA-2098-1} - typo3-src 4.3.5-1 (bug #590719) CVE-2010-3673 (TYPO3 before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows ...) {DSA-2098-1} - typo3-src 4.3.5-1 (bug #590719) CVE-2010-3674 (TYPO3 before 4.4.1 allows XSS in the frontend search box. ...) {DSA-2098-1} - typo3-src 4.3.5-1 (bug #590719) CVE-2010-XXXX [piwigo] - piwigo 2.1.2-2 NOTE: http://www.exploit-db.com/exploits/14973/ NOTE: First unfilled CVE-request http://www.openwall.com/lists/oss-security/2010/12/07/1 NOTE: Second CVE-request http://www.openwall.com/lists/oss-security/2012/10/06/3 CVE-2010-3608 (Multiple SQL injection vulnerabilities in wpQuiz 2.7 allow remote atta ...) NOT-FOR-US: wpQuiz CVE-2010-3607 (Cross-site scripting (XSS) vulnerability in AGENTS/index.php in NetArt ...) NOT-FOR-US: NetArt MEDIA Real Estate Portal CVE-2010-3606 (Multiple directory traversal vulnerabilities in AGENTS/index.php in Ne ...) NOT-FOR-US: NetArt MEDIA Real Estate Portal CVE-2010-3605 (Cross-site scripting (XSS) vulnerability in the powermail extension 1. ...) NOT-FOR-US: powermail extension 1.5.3 for typo3 CVE-2010-3604 (SQL injection vulnerability in the powermail extension 1.5.3 and earli ...) NOT-FOR-US: powermail extension 1.5.3 for typo3 CVE-2010-3603 (Cross-site request forgery (CSRF) vulnerability in the file manager se ...) NOT-FOR-US: mojoPortal CVE-2010-3602 (Cross-site scripting (XSS) vulnerability in ProfileView.aspx in mojoPo ...) NOT-FOR-US: mojoPortal CVE-2010-3601 (SQL injection vulnerability in index.php in ibPhotohost 1.1.2 allows r ...) NOT-FOR-US: ibPhotohost CVE-2010-3499 (F-Secure Anti-Virus does not properly interact with the processing of ...) NOT-FOR-US: F-Secure Anti-Virus CVE-2010-3498 (AVG Anti-Virus does not properly interact with the processing of hcp:/ ...) NOT-FOR-US: AVG Anti-Virus CVE-2010-3497 (Symantec Norton AntiVirus 2011 does not properly interact with the pro ...) NOT-FOR-US: Symantec Norton AntiVirus CVE-2010-3496 (McAfee VirusScan Enterprise 8.5i and 8.7i does not properly interact w ...) NOT-FOR-US: McAfee VirusScan Enterprise CVE-2010-3495 (Race condition in ZEO/StorageServer.py in Zope Object Database (ZODB) ...) - zodb 1:3.9.4-1.1 (bug #599711) CVE-2010-3494 (Race condition in the FTPHandler class in ftpserver.py in pyftpdlib be ...) - python-pyftpdlib 0.5.2-1 (low) NOTE: http://code.google.com/p/pyftpdlib/issues/detail?id=104 CVE-2010-3493 (Multiple race conditions in smtpd.py in the smtpd module in Python 2.6 ...) - python3.1 3.1.2+20100829-1 - python2.6 2.6.6-1 (low; bug #601690) - python2.5 (low) [squeeze] - python2.5 (Minor issue) [lenny] - python2.5 (Minor issue) CVE-2010-3492 (The asyncore module in Python before 3.2 does not properly handle unsu ...) - python2.7 2.7.8-11 (unimportant) - python3.1 (unimportant) - python3.2 3.4.2-1 (unimportant) NOTE: likely fixed much earlier, but these were the versions checked CVE-2010-3491 (The (1) ActiveMatrix Runtime and (2) ActiveMatrix Administrator compon ...) NOT-FOR-US: TIBCO ActiveMatrix Service Grid CVE-2010-3490 (Directory traversal vulnerability in page.recordings.php in the System ...) NOT-FOR-US: FreePBX CVE-2010-3489 (Cross-site scripting (XSS) vulnerability in netautor/napro4/home/login ...) NOT-FOR-US: CMS Digital Workroom CVE-2010-3488 (Directory traversal vulnerability in QuickShare 1.0 allows remote atta ...) NOT-FOR-US: QuickShare CVE-2010-3487 (Directory traversal vulnerability in YelloSoft Pinky 1.0 for Windows a ...) NOT-FOR-US: YelloSoft Pinky CVE-2010-3486 (Directory traversal vulnerability in FileStorageUpload.ashx in Smarter ...) NOT-FOR-US: SmarterMail CVE-2010-3483 (cms_write.php in Primitive CMS 1.0.9 does not properly restrict access ...) NOT-FOR-US: Primitive CMS CVE-2010-3482 (Multiple SQL injection vulnerabilities in cms_write.php in Primitive C ...) NOT-FOR-US: Primitive CMS CVE-2010-3481 (Multiple SQL injection vulnerabilities in login.php in ApPHP PHP Micro ...) NOT-FOR-US: MicroCMS CVE-2010-3480 (Directory traversal vulnerability in index.php in ApPHP PHP MicroCMS 1 ...) NOT-FOR-US: MicroCMS CVE-2010-3479 (SQL injection vulnerability in list.php in BoutikOne 1.0 allows remote ...) NOT-FOR-US: BoutikOne CVE-2009-5003 (SQL injection vulnerability in click.php in e-soft24 Banner Exchange S ...) NOT-FOR-US: e-soft24 Banner Exchange Script CVE-2010-3478 RESERVED CVE-2010-3477 (The tcf_act_police_dump function in net/sched/act_police.c in the acti ...) {DSA-2126-1} - linux-2.6 2.6.32-25 CVE-2010-3600 (Unspecified vulnerability in the Client System Analyzer component in O ...) NOT-FOR-US: Oracle Database CVE-2010-3599 (Unspecified vulnerability in the Oracle Document Capture component in ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2010-3598 (Unspecified vulnerability in the Oracle Document Capture component in ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2010-3597 (Unspecified vulnerability in the Oracle Outside In Technology componen ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2010-3596 (Unspecified vulnerability in the mod_ssl component in Oracle Secure Ba ...) NOT-FOR-US: Dupe of CVE-2009-3555, will be rejected CVE-2010-3595 (Unspecified vulnerability in the Oracle Document Capture component in ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2010-3594 (Unspecified vulnerability in the Real User Experience Insight componen ...) NOT-FOR-US: Oracle Enterprise Manager Grid Control CVE-2010-3593 (Unspecified vulnerability in the Health Sciences - Oracle Argus Safety ...) NOT-FOR-US: Oracle Industry Applications CVE-2010-3592 (Unspecified vulnerability in the Oracle Document Capture component in ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2010-3591 (Unspecified vulnerability in the Oracle Document Capture component in ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2010-3590 (Unspecified vulnerability in the Oracle Spatial component in Oracle Da ...) NOT-FOR-US: Oracle Database CVE-2010-3589 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle Application Object Library component CVE-2010-3588 (Unspecified vulnerability in the Oracle Discoverer component in Oracle ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2010-3587 (Unspecified vulnerability in the Oracle Common Applications component ...) NOT-FOR-US: Oracle Applications CVE-2010-3586 (Unspecified vulnerability in Oracle Solaris 9 allows local users to af ...) - xscreensaver (Solaris-specific patch) CVE-2010-3585 (Unspecified vulnerability in the OracleVM component in Oracle VM 2.2.1 ...) NOT-FOR-US: OracleVM CVE-2010-3584 (Unspecified vulnerability in the Oracle VM component in Oracle VM 2.2. ...) NOT-FOR-US: OracleVM CVE-2010-3583 (Unspecified vulnerability in the OracleVM component in Oracle VM 2.2.1 ...) NOT-FOR-US: OracleVM CVE-2010-3582 (Unspecified vulnerability in the OracleVM component in Oracle VM 2.2.1 ...) NOT-FOR-US: OracleVM CVE-2010-3581 (Unspecified vulnerability in the BPEL Console component in Oracle Fusi ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2010-3580 (Unspecified vulnerability in Oracle OpenSolaris allows local users to ...) NOT-FOR-US: Oracle OpenSolaris CVE-2010-3579 (Unspecified vulnerability in the (1) Sun Convergence 1 and (2) Sun Jav ...) NOT-FOR-US: Java Communications Suite CVE-2010-3578 (Unspecified vulnerability in Oracle OpenSolaris allows remote attacker ...) NOT-FOR-US: Oracle OpenSolaris CVE-2010-3577 (Unspecified vulnerability in Oracle OpenSolaris allows remote attacker ...) NOT-FOR-US: Oracle OpenSolaris CVE-2010-3576 (Unspecified vulnerability in Oracle Solaris 8, 9, and 10, and OpenSola ...) NOT-FOR-US: Oracle OpenSolaris CVE-2010-3575 (Unspecified vulnerability in the Oracle Communications Messaging Serve ...) NOT-FOR-US: Oracle Sun Products Suite CVE-2010-3574 (Unspecified vulnerability in the Networking component in Oracle Java S ...) - openjdk-6 6b18-1.8.2-1 - sun-java6 6.22-1 [lenny] - sun-java6 6-22-0lenny CVE-2010-3573 (Unspecified vulnerability in the Networking component in Oracle Java S ...) - openjdk-6 6b18-1.8.2-1 - sun-java6 6.22-1 [lenny] - sun-java6 6-22-0lenny CVE-2010-3572 (Unspecified vulnerability in the Sound component in Oracle Java SE and ...) - sun-java6 6.22-1 [lenny] - sun-java6 6-22-0lenny CVE-2010-3571 (Unspecified vulnerability in the 2D component in Oracle Java SE and Ja ...) - sun-java6 6.22-1 [lenny] - sun-java6 6-22-0lenny CVE-2010-3570 (Unspecified vulnerability in the Deployment Toolkit component in Oracl ...) - sun-java6 6.22-1 [lenny] - sun-java6 6-22-0lenny CVE-2010-3569 (Unspecified vulnerability in the Java Runtime Environment component in ...) - openjdk-6 6b18-1.8.2-1 - sun-java6 6.22-1 [lenny] - sun-java6 6-22-0lenny CVE-2010-3568 (Unspecified vulnerability in the Java Runtime Environment component in ...) - openjdk-6 6b18-1.8.2-1 - sun-java6 6.22-1 [lenny] - sun-java6 6-22-0lenny CVE-2010-3567 (Unspecified vulnerability in the 2D component in Oracle Java SE and Ja ...) - openjdk-6 6b18-1.8.2-1 - sun-java6 6.22-1 [lenny] - sun-java6 6-22-0lenny CVE-2010-3566 (Unspecified vulnerability in the 2D component in Oracle Java SE and Ja ...) - openjdk-6 6b18-1.8.2-1 - sun-java6 6.22-1 [lenny] - sun-java6 6-22-0lenny CVE-2010-3565 (Unspecified vulnerability in the 2D component in Oracle Java SE and Ja ...) - openjdk-6 6b18-1.8.2-1 - sun-java6 6.22-1 [lenny] - sun-java6 6-22-0lenny CVE-2010-3564 (Unspecified vulnerability in the Oracle Communications Messaging Serve ...) - openjdk-6 6b18-1.8.2-1 CVE-2010-3563 (Unspecified vulnerability in the Deployment component in Oracle Java S ...) - sun-java6 6.22-1 [lenny] - sun-java6 6-22-0lenny CVE-2010-3562 (Unspecified vulnerability in the 2D component in Oracle Java SE and Ja ...) - openjdk-6 6b18-1.8.2-1 - sun-java6 6.22-1 [lenny] - sun-java6 6-22-0lenny CVE-2010-3561 (Unspecified vulnerability in the CORBA component in Oracle Java SE and ...) - openjdk-6 6b18-1.8.2-1 - sun-java6 6.22-1 [lenny] - sun-java6 6-22-0lenny CVE-2010-3560 (Unspecified vulnerability in the Networking component in Oracle Java S ...) - sun-java6 6.22-1 [lenny] - sun-java6 6-22-0lenny CVE-2010-3559 (Unspecified vulnerability in the Sound component in Oracle Java SE and ...) - sun-java6 6.22-1 [lenny] - sun-java6 6-22-0lenny CVE-2010-3558 (Unspecified vulnerability in the Java Web Start component in Oracle Ja ...) - sun-java6 6.22-1 [lenny] - sun-java6 6-22-0lenny CVE-2010-3557 (Unspecified vulnerability in the Swing component in Oracle Java SE and ...) - openjdk-6 6b18-1.8.2-1 - sun-java6 6.22-1 [lenny] - sun-java6 6-22-0lenny CVE-2010-3556 (Unspecified vulnerability in the 2D component in Oracle Java SE and Ja ...) - sun-java6 6.22-1 [lenny] - sun-java6 6-22-0lenny CVE-2010-3555 (Unspecified vulnerability in the Deployment component in Oracle Java S ...) - sun-java6 6.22-1 [lenny] - sun-java6 6-22-0lenny CVE-2010-3554 (Unspecified vulnerability in the CORBA component in Oracle Java SE and ...) - openjdk-6 6b18-1.8.2-1 - sun-java6 6.22-1 [lenny] - sun-java6 6-22-0lenny CVE-2010-3553 (Unspecified vulnerability in the Swing component in Oracle Java SE and ...) - openjdk-6 6b18-1.8.2-1 - sun-java6 6.22-1 [lenny] - sun-java6 6-22-0lenny CVE-2010-3552 (Unspecified vulnerability in the New Java Plug-in component in Oracle ...) - sun-java6 6.22-1 [lenny] - sun-java6 6-22-0lenny CVE-2010-3551 (Unspecified vulnerability in the Networking component in Oracle Java S ...) - openjdk-6 6b18-1.8.2-1 - sun-java6 6.22-1 [lenny] - sun-java6 6-22-0lenny CVE-2010-3550 (Unspecified vulnerability in the Java Web Start component in Oracle Ja ...) - sun-java6 6.22-1 [lenny] - sun-java6 6-22-0lenny CVE-2010-3549 (Unspecified vulnerability in the Networking component in Oracle Java S ...) - openjdk-6 6b18-1.8.2-1 - sun-java6 6.22-1 [lenny] - sun-java6 6-22-0lenny CVE-2010-3548 (Unspecified vulnerability in the Java Naming and Directory Interface ( ...) - openjdk-6 6b18-1.8.2-1 - sun-java6 6.22-1 [lenny] - sun-java6 6-22-0lenny CVE-2010-3547 (Unspecified vulnerability in the PeopleSoft FMS ESA - EX component in ...) NOT-FOR-US: Oracle PeopleSoft CVE-2010-3546 (Unspecified vulnerability in the Sun Java System Identity Manager comp ...) NOT-FOR-US: Oracle Sun Products Suite CVE-2010-3545 (Unspecified vulnerability in the Oracle iPlanet Web Server (Sun Java S ...) NOT-FOR-US: Oracle iPlanet Web Server CVE-2010-3544 (Unspecified vulnerability in the Oracle iPlanet Web Server (Sun Java S ...) NOT-FOR-US: Oracle iPlanet Web Server CVE-2010-3543 REJECTED CVE-2010-3542 (Unspecified vulnerability in Oracle Solaris 8, 9, and 10, and OpenSola ...) NOT-FOR-US: Oracle Solaris CVE-2010-3541 (Unspecified vulnerability in the Networking component in Oracle Java S ...) - openjdk-6 6b18-1.8.2-1 - sun-java6 6.22-1 [lenny] - sun-java6 6-22-0lenny CVE-2010-3540 (Unspecified vulnerability in Oracle Solaris 10 and OpenSolaris allows ...) NOT-FOR-US: Oracle Solaris CVE-2010-3539 (Unspecified vulnerability in the PeopleSoft Enterprise FMS - GL compon ...) NOT-FOR-US: Oracle PeopleSoft and JDEdwards Suite CVE-2010-3538 (Unspecified vulnerability in the PeopleSoft Enterprise FMS - GL compon ...) NOT-FOR-US: PeopleSoft Enterprise FMS CVE-2010-3537 (Unspecified vulnerability in the PeopleSoft Enterprise FMS - AM compon ...) NOT-FOR-US: PeopleSoft Enterprise FMS CVE-2010-3536 (Unspecified vulnerability in the PeopleSoft Enterprise SCM component i ...) NOT-FOR-US: PeopleSoft Enterprise SCM CVE-2010-3535 (Unspecified vulnerability in the Directory Server Enterprise Edition c ...) NOT-FOR-US: Oracle Sun Products Suite CVE-2010-3534 (Unspecified vulnerability in the Primavera P6 Enterprise Project Portf ...) NOT-FOR-US: Oracle Primavera Products Suite CVE-2010-3533 (Unspecified vulnerability in the PeopleSoft Enterprise SCM OM and CRM ...) NOT-FOR-US: Oracle PeopleSoft and JDEdwards Suite CVE-2010-3532 (Unspecified vulnerability in the PeopleSoft Enterprise CRM - Order Cap ...) NOT-FOR-US: Oracle PeopleSoft and JDEdwards Suite CVE-2010-3531 (Unspecified vulnerability in the PeopleSoft Enterprise FMS ESA - RM co ...) NOT-FOR-US: Oracle PeopleSoft and JDEdwards Suite CVE-2010-3530 (Unspecified vulnerability in the PeopleSoft Enterprise HCM - HR compon ...) NOT-FOR-US: Oracle PeopleSoft and JDEdwards Suite CVE-2010-3529 (Unspecified vulnerability in the PeopleSoft Enterprise FMS - Cash Mana ...) NOT-FOR-US: Oracle PeopleSoft and JDEdwards Suite CVE-2010-3528 (Unspecified vulnerability in the PeopleSoft Enterprise CRM - Common Co ...) NOT-FOR-US: Oracle PeopleSoft and JDEdwards Suite CVE-2010-3527 (Unspecified vulnerability in the PeopleSoft Enterprise FMS - AM compon ...) NOT-FOR-US: Oracle PeopleSoft and JDEdwards Suite CVE-2010-3526 (Unspecified vulnerability in the PeopleSoft Enterprise SCM - PO compon ...) NOT-FOR-US: Oracle PeopleSoft and JDEdwards Suite CVE-2010-3525 (Unspecified vulnerability in the (1) PeopleSoft Enterprise FMS, (2) SC ...) NOT-FOR-US: Oracle PeopleSoft and JDEdwards Suite CVE-2010-3524 (Unspecified vulnerability in the PeopleSoft Enterprise SCM - Strategic ...) NOT-FOR-US: Oracle PeopleSoft and JDEdwards Suite CVE-2010-3523 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft and JDEdwards Suite CVE-2010-3522 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft and JDEdwards Suite CVE-2010-3521 (Unspecified vulnerability in the PeopleSoft Enterprise HCM ePay compon ...) NOT-FOR-US: Oracle PeopleSoft and JDEdwards Suite CVE-2010-3520 (Unspecified vulnerability in the PeopleSoft Enterprise HCM - GP France ...) NOT-FOR-US: Oracle PeopleSoft and JDEdwards Suite CVE-2010-3519 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft and JDEdwards Suite CVE-2010-3518 (Unspecified vulnerability in the PeopleSoft Enterprise HCM GP - Japan ...) NOT-FOR-US: Oracle PeopleSoft and JDEdwards Suite CVE-2010-3517 (Unspecified vulnerability in Oracle Solaris 10 and OpenSolaris allows ...) NOT-FOR-US: Oracle Solaris 10 and OpenSolaris CVE-2010-3516 (Unspecified vulnerability in Oracle Solaris 10 and OpenSolaris allows ...) NOT-FOR-US: Oracle Solaris 10 and OpenSolaris CVE-2010-3515 (Unspecified vulnerability in the Solaris component in Oracle Solaris 9 ...) NOT-FOR-US: Oracle Solaris 10 and OpenSolaris CVE-2010-3514 (Unspecified vulnerability in the Oracle iPlanet Web Server (Sun Java S ...) NOT-FOR-US: Oracle Sun Products Suite CVE-2010-3513 (Unspecified vulnerability in Oracle Solaris 9 and 10, and OpenSolaris, ...) NOT-FOR-US: Oracle Solaris and OpenSolaris CVE-2010-3512 (Unspecified vulnerability in the Oracle iPlanet Web Server (Sun Java S ...) NOT-FOR-US: Oracle iPlanet Web Server CVE-2010-3511 (Unspecified vulnerability in Oracle OpenSolaris allows local users to ...) NOT-FOR-US: Oracle OpenSolaris CVE-2010-3510 (Unspecified vulnerability in the Oracle WebLogic Server component in O ...) NOT-FOR-US: Oracle WebLogic CVE-2010-3509 (Unspecified vulnerability in Oracle Solaris 8, 9, and 10 allows remote ...) NOT-FOR-US: Oracle Solaris CVE-2010-3508 (Unspecified vulnerability in Oracle Solaris 10 allows local users to a ...) NOT-FOR-US: Oracle Solaris CVE-2010-3507 (Unspecified vulnerability in Oracle Solaris 8, 9, and 10 allows local ...) NOT-FOR-US: Oracle Solaris CVE-2010-3506 (Unspecified vulnerability in the Oracle Explorer (Sun Explorer) compon ...) NOT-FOR-US: Oracle Explorer CVE-2010-3505 (Unspecified vulnerability in the Agile Core component in Oracle Supply ...) NOT-FOR-US: Oracle Supply Chain Products CVE-2010-3504 (Unspecified vulnerability in the Oracle Applications Technology Stack ...) NOT-FOR-US: Oracle E-Business Suite CVE-2010-3503 (Unspecified vulnerability in Oracle Solaris 10 and OpenSolaris allows ...) NOT-FOR-US: Oracle Solaris 10 and OpenSolaris CVE-2010-3502 (Unspecified vulnerability in the Siebel Core component in Oracle Siebe ...) NOT-FOR-US: Oracle Siebel Suite CVE-2010-3501 (Unspecified vulnerability in the OID component in Oracle Fusion Middle ...) NOT-FOR-US: Oracle Fusion CVE-2010-3500 (Unspecified vulnerability in the Siebel Core - Highly Interactive Clie ...) NOT-FOR-US: Oracle Siebel Suite CVE-2010-3476 (Open Ticket Request System (OTRS) 2.3.x before 2.3.6 and 2.4.x before ...) - otrs2 2.4.8+dfsg1-1 [lenny] - otrs2 (Only affects OTRS 2.3 and 2.4) CVE-2010-3475 (IBM DB2 9.7 before FP3 does not properly enforce privilege requirement ...) NOT-FOR-US: IBM DB2 CVE-2010-3474 (IBM DB2 9.7 before FP3 does not perform the expected drops or invalida ...) NOT-FOR-US: IBM DB2 CVE-2010-3473 (Open redirect vulnerability in the Workplace (aka WP) component in IBM ...) NOT-FOR-US: IBM FileNet P8 Application Engine CVE-2010-3472 (Multiple cross-site scripting (XSS) vulnerabilities in the Workplace ( ...) NOT-FOR-US: IBM FileNet P8 Application Engine CVE-2010-3471 (Session fixation vulnerability in the Workplace (aka WP) component in ...) NOT-FOR-US: IBM FileNet P8 Application Engine CVE-2010-3470 (Multiple cross-site scripting (XSS) vulnerabilities in the Workplace ( ...) NOT-FOR-US: IBM FileNet P8 Application Engine CVE-2010-3469 RESERVED CVE-2010-3468 (Directory traversal vulnerability in fileManager.cfc in Mura CMS 5.1 b ...) NOT-FOR-US: Mura CMS CVE-2009-5002 (The Workplace (aka WP) component in IBM FileNet P8 Application Engine ...) NOT-FOR-US: IBM FileNet P8 Application Engine CVE-2009-5001 (The Workplace (aka WP) component in IBM FileNet P8 Application Engine ...) NOT-FOR-US: IBM FileNet P8 Application Engine CVE-2009-5000 (Multiple cross-site scripting (XSS) vulnerabilities in the Workplace ( ...) NOT-FOR-US: IBM FileNet P8 Application Engine CVE-2009-4999 (Cross-site scripting (XSS) vulnerability in the Workplace (aka WP) com ...) NOT-FOR-US: IBM FileNet P8 Application Engine CVE-2009-4998 (The Workplace (aka WP) component in IBM FileNet P8 Application Engine ...) NOT-FOR-US: IBM FileNet P8 Application Engine CVE-2008-7261 (The Workplace (aka WP) component in IBM FileNet P8 Application Engine ...) NOT-FOR-US: IBM FileNet P8 Application Engine CVE-2006-7242 (The Workplace (aka WP) component in IBM FileNet P8 Application Engine ...) NOT-FOR-US: IBM FileNet P8 Application Engine CVE-2006-7241 (The Image Viewer component in IBM FileNet P8 Application Engine (P8AE) ...) NOT-FOR-US: IBM FileNet P8 Application Engine CVE-2010-3467 (SQL injection vulnerability in modules/sections/index.php in E-Xooppor ...) NOT-FOR-US: E-Xoopport Samsara CVE-2010-3466 (Cross-site scripting (XSS) vulnerability in index.php in the hosted_si ...) NOT-FOR-US: NetArt Media iBoutique.MALL CVE-2010-3465 (Multiple cross-site scripting (XSS) vulnerabilities in XSE Shopping Ca ...) NOT-FOR-US: XSE Shopping Cart CVE-2010-3464 (Cross-site request forgery (CSRF) vulnerability in admin/manager_users ...) NOT-FOR-US: SantaFox CVE-2010-3463 (Cross-site scripting (XSS) vulnerability in modules/search/search.clas ...) NOT-FOR-US: SantaFox CVE-2010-3462 (Cross-site scripting (XSS) vulnerability in backend/plugin/Registratio ...) NOT-FOR-US: Mollify CVE-2010-3461 (SQL injection vulnerability in the Publisher module in eNdonesia 8.4 a ...) NOT-FOR-US: eNdonesia CVE-2010-3460 (Directory traversal vulnerability in the HTTP interface in AXIGEN Mail ...) NOT-FOR-US: AXIGEN Mail Server CVE-2010-3459 (Cross-site scripting (XSS) vulnerability in the Ajax WebMail interface ...) NOT-FOR-US: AXIGEN Mail Server CVE-2010-3458 (SQL injection vulnerability in lib/toolkit/events/event.section.php in ...) NOT-FOR-US: Symphony CMS CVE-2010-3457 (Multiple cross-site scripting (XSS) vulnerabilities in Symphony CMS 2. ...) NOT-FOR-US: Symphony CMS CVE-2010-3456 (Directory traversal vulnerability in download.php in EnergyScripts (ES ...) NOT-FOR-US: EnergyScripts Simple Download CVE-2010-3455 (Cross-site scripting (XSS) vulnerability in index.php in AChecker 1.0 ...) NOT-FOR-US: AChecker CVE-2010-3454 (Multiple off-by-one errors in the WW8DopTypography::ReadFromMem functi ...) {DSA-2151-1} - openoffice.org 1:3.2.1-11+squeeze2 CVE-2010-3453 (The WW8ListManager::WW8ListManager function in oowriter in OpenOffice. ...) {DSA-2151-1} - openoffice.org 1:3.2.1-11+squeeze2 CVE-2010-3452 (Use-after-free vulnerability in oowriter in OpenOffice.org (OOo) 2.x a ...) {DSA-2151-1} - openoffice.org 1:3.2.1-11+squeeze2 CVE-2010-3451 (Use-after-free vulnerability in oowriter in OpenOffice.org (OOo) 2.x a ...) {DSA-2151-1} - openoffice.org 1:3.2.1-11+squeeze2 CVE-2010-3450 (Multiple directory traversal vulnerabilities in OpenOffice.org (OOo) 2 ...) {DSA-2151-1} - openoffice.org 1:3.2.1-11+squeeze2 CVE-2010-3449 (Cross-site request forgery (CSRF) vulnerability in Redback before 1.2. ...) NOT-FOR-US: Redback CVE-2010-3448 (drivers/platform/x86/thinkpad_acpi.c in the Linux kernel before 2.6.34 ...) {DSA-2126-1} - linux-2.6 2.6.32-12 (bug #565790; unimportant) NOTE: this is more of a hardware bug rather than a security issue CVE-2010-3447 (Cross-site scripting (XSS) vulnerability in view.php in the file viewe ...) - gollem 1.1.1+debian0-1.1 (bug #598585) [lenny] - gollem ($filename not printed directly and passed through htmlspecialchars()) NOTE: http://bugs.horde.org/ticket/9191 CVE-2010-3446 RESERVED CVE-2010-3445 (Stack consumption vulnerability in the dissect_ber_unknown function in ...) {DSA-2127-1} - wireshark 1.2.11-3 (low) NOTE: http://archives.neohapsis.com/archives/bugtraq/2010-09/0088.html CVE-2010-3444 (Buffer overflow in the log2vis_utf8 function in pyfribidi.c in GNU Fri ...) - pyfribidi 0.10.0-2 (bug #570068) [lenny] - pyfribidi (fribidi 0.19.1 or higher needs to be installed to trigger this) CVE-2010-3443 (ctcphandler.cpp in Quassel before 0.6.3 and 0.7.x before 0.7.1 allows ...) - quassel 0.7.1-1 (bug #597853) [squeeze] - quassel 0.6.3-1 NOTE: https://bugs.launchpad.net/ubuntu/+source/quassel/+bug/629774 CVE-2010-3442 (Multiple integer overflows in the snd_ctl_new function in sound/core/c ...) {DSA-2126-1} - linux-2.6 2.6.32-25 NOTE: http://git.kernel.org/?p=linux/kernel/git/tiwai/sound-2.6.git;a=commitdiff;h=5591bf07225523600450edd9e6ad258bb877b779 CVE-2010-3441 (Multiple buffer overflows in abcm2ps before 5.9.12 might allow remote ...) - abcm2ps 5.9.13-0.1 (low; bug #577014) [lenny] - abcm2ps (Minor issue) CVE-2010-3440 (babiloo 2.0.9 before 2.0.11 creates temporary files with predictable n ...) - babiloo 2.0.11-1 (low; bug #591995) CVE-2010-3439 (It is possible to cause a DoS condition by causing the server to crash ...) - alien-arena 7.33-5 (low; bug #575621) [lenny] - alien-arena 7.0-1+lenny2 CVE-2010-3438 (libpoe-component-irc-perl before v6.32 does not remove carriage return ...) - libpoe-component-irc-perl 6.32+dfsg-1 [lenny] - libpoe-component-irc-perl 5.84+dfsg-1+lenny1 (bug #581194) CVE-2010-3437 (Integer signedness error in the pkt_find_dev_from_minor function in dr ...) {DSA-2126-1} - linux-2.6 2.6.32-25 CVE-2010-3436 (fopen_wrappers.c in PHP 5.3.x through 5.3.3 might allow remote attacke ...) - php5 5.3.3-4 (unimportant) NOTE: http://svn.php.net/viewvc?view=revision&revision=303824 CVE-2010-3435 (The (1) pam_env and (2) pam_mail modules in Linux-PAM (aka pam) before ...) - pam 1.1.3-1 (low; bug #599832) [squeeze] - pam (Minor issue) [lenny] - pam (Minor issue) NOTE: Fix from 1.1.2 is not fully complete CVE-2010-3434 (Buffer overflow in the find_stream_bounds function in pdf.c in libclam ...) - clamav 0.96.3+dfsg-1 [lenny] - clamav NOTE: libclamav/pdf.c: Add missing boundscheck to pdf code (bb #2226) CVE-2010-3433 (The PL/perl and PL/Tcl implementations in PostgreSQL 7.4 before 7.4.30 ...) {DSA-2120-1} - postgresql-9.0 9.0.1-1 - postgresql-8.4 8.4.5-1 [squeeze] - postgresql-8.4 8.4.5-0squeeze1 - postgresql-8.3 CVE-2010-3432 (The sctp_packet_config function in net/sctp/output.c in the Linux kern ...) {DSA-2126-1} - linux-2.6 2.6.32-24 CVE-2010-3431 (The privilege-dropping implementation in the (1) pam_env and (2) pam_m ...) - pam 1.1.3-1 (low; bug #599832) [squeeze] - pam (Minor issue) NOTE: 20100924164823.GA21584@openwall.com CVE-2010-3430 (The privilege-dropping implementation in the (1) pam_env and (2) pam_m ...) - pam 1.1.3-1 (bug #599832) [squeeze] - pam (Affected functionality introduced in 1.1.2, see #599832) [lenny] - pam (Affected functionality introduced in 1.1.2, see #599832) NOTE: 20100924164823.GA21584@openwall.com CVE-2010-3429 (flicvideo.c in libavcodec 0.6 and earlier in FFmpeg, as used in MPlaye ...) {DSA-2165-1} - ffmpeg 4:0.5.2-6 (bug #598590) - ffmpeg-debian NOTE: http://www.ocert.org/advisories/ocert-2010-004.html CVE-2010-XXXX [mingetty directory traversal] - mingetty 1.07-2 (low; bug #597382) [lenny] - mingetty (Minor issue) CVE-2010-XXXX [config file world readable] - sabnzbdplus 0.5.4-1 (low; bug #593829) CVE-2010-XXXX [signature verification issue] - dpkg 1.15.1 (unimportant; bug #592115) CVE-2008-XXXX [greylistd bypass] - greylistd 0.8.7+nmu2 (low; bug #464084) [lenny] - greylistd (Minor issue) CVE-2010-XXXX [numpy memory corruption] - python-numpy 1:1.4.1-5 (low; bug #581058) [lenny] - python-numpy (Minor issue) NOTE: http://projects.scipy.org/numpy/changeset/8364 CVE-2010-XXXX [mediatomb directory traversal] - mediatomb 0.12.1-47-g7ab7616-1 (low; bug #580120; bug #778669) [wheezy] - mediatomb 0.12.1-4+deb7u1 [squeeze] - mediatomb 0.12.0~svn2018-6.1 NOTE: was previously fixed in 580120 but patch was not applied to later maintainer uploads CVE-2010-3428 (SQL injection vulnerability in modules/notes/json.php in Intermesh Gro ...) NOT-FOR-US: Intermesh Group-Office CVE-2010-3427 (Multiple cross-site scripting (XSS) vulnerabilities in Open Classified ...) NOT-FOR-US: Open Classifieds CVE-2010-3426 (Directory traversal vulnerability in jphone.php in the JPhone (com_jph ...) NOT-FOR-US: JPhone for Joomla CVE-2010-3425 (Cross-site scripting (XSS) vulnerability in UserControls/Popups/frmHel ...) NOT-FOR-US: SmarterStats CVE-2010-3424 (Cross-site scripting (XSS) vulnerability in admin/sources/classes/bbco ...) NOT-FOR-US: Invision Power Board CVE-2010-3423 (SQL injection vulnerability in the Yr Weatherdata module for Drupal 6. ...) NOT-FOR-US: Yr Weatherdata module for Drupal CVE-2010-3422 (SQL injection vulnerability in the JGen (com_jgen) component 0.9.33 fo ...) NOT-FOR-US: JGen for Joomla CVE-2010-3421 (Cross-site scripting (XSS) vulnerability in AffiliateLogin.asp in Prod ...) NOT-FOR-US: ProductCart CVE-2010-3420 (Cross-site scripting (XSS) vulnerability in Products_Results.php in Po ...) NOT-FOR-US: PowerStore CVE-2010-3419 (Multiple PHP remote file inclusion vulnerabilities in Haudenschilt Fam ...) NOT-FOR-US: Haudenschilt Family Connections CMS CVE-2010-3418 (Multiple cross-site scripting (XSS) vulnerabilities in NetArt Media Ca ...) NOT-FOR-US: NetArt Media Car Portal CVE-2010-3417 (Google Chrome before 6.0.472.59 does not prompt the user before granti ...) - webkit (chromium specific) - chromium-browser 6.0.472.59~r59126-1 CVE-2010-3416 (Google Chrome before 6.0.472.59 on Linux does not properly implement t ...) - webkit (issue in chromium-specific code) - chromium-browser 6.0.472.59~r59126-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=44960 NOTE: http://trac.webkit.org/changeset/66689 CVE-2010-3415 (Google Chrome before 6.0.472.59 does not properly implement Geolocatio ...) - webkit (issue in chromium-specific code) - chromium-browser 6.0.472.59~r59126-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=45112 NOTE: http://trac.webkit.org/changeset/66837 NOTE: depends on http://trac.webkit.org/changeset/66837 NOTE: https://bugs.webkit.org/show_bug.cgi?id=45257 CVE-2010-3414 (Google Chrome before 6.0.472.59 on Mac OS X does not properly implemen ...) - webkit (Does not affect linux) - chromium-browser (Does not affect linux) CVE-2010-3413 (Unspecified vulnerability in the pop-up blocking functionality in Goog ...) - webkit (chromium specific) - chromium-browser 6.0.472.59~r59126-1 CVE-2010-3412 (Race condition in the console implementation in Google Chrome before 6 ...) - libv8 2.2.24-6 (bug #597856) CVE-2010-3411 (Google Chrome before 6.0.472.59 on Linux does not properly handle curs ...) - webkit (chromium specific) - chromium-browser 6.0.472.59~r59126-1 CVE-2010-3410 REJECTED CVE-2010-3409 REJECTED CVE-2010-3408 REJECTED CVE-2010-3407 (Stack-based buffer overflow in the MailCheck821Address function in nno ...) NOT-FOR-US: IBM Lotus Domino CVE-2010-3406 (Unspecified vulnerability in sa_snap in the bos.esagent fileset in IBM ...) NOT-FOR-US: AIX 5.3 CVE-2010-3405 (Buffer overflow in sa_snap in the bos.esagent fileset in IBM AIX 6.1, ...) NOT-FOR-US: AIX 6.1, VIOS CVE-2010-3404 (Multiple SQL injection vulnerabilities in eshtery CMS (aka eshtery.com ...) NOT-FOR-US: eshtery CMS CVE-2010-3403 (Untrusted search path vulnerability in Qualcomm eXtensible Diagnostic ...) NOT-FOR-US: Qualcomm eXtensible Diagnostic Monitor CVE-2010-3402 (Untrusted search path vulnerability in IDM Computer Solutions UltraEdi ...) NOT-FOR-US: UltraEdit CVE-2010-3401 RESERVED CVE-2010-3400 (The js_InitRandom function in the JavaScript implementation in Mozilla ...) NOTE: These will likely be rejected, Mozilla people will clarify with MITRE CVE-2010-3399 (The js_InitRandom function in the JavaScript implementation in Mozilla ...) NOTE: These will likely be rejected, Mozilla people will clarify with MITRE CVE-2010-3398 (Unspecified vulnerability in the webcontainer implementation in IBM Lo ...) NOT-FOR-US: IBM Lotus Sametime Connect CVE-2010-3397 (Untrusted search path vulnerability in PGP Desktop 9.9.0 Build 397, 9. ...) NOT-FOR-US: PGP Desktop CVE-2010-3396 (Buffer overflow in kavfm.sys in Kingsoft Antivirus 2010.04.26.648 and ...) NOT-FOR-US: Kingsoft Antivirus CVE-2010-3395 RESERVED CVE-2010-3394 (The (1) texmacs and (2) tm_mupad_help scripts in TeXmacs 1.0.7.4 place ...) - texmacs 1:1.0.7.7-1.1 (bug #598424) [squeeze] - texmacs 1:1.0.7.4-3.1 [lenny] - texmacs (minor issue) CVE-2010-3393 (magics-config in Magics++ 2.10.0 places a zero-length directory name i ...) - magics++ 2.10.0.dfsg-5.1 (bug #598418) CVE-2010-3392 RESERVED CVE-2010-3391 RESERVED CVE-2010-3390 RESERVED CVE-2010-3389 (The (1) SAPDatabase and (2) SAPInstance scripts in OCF Resource Agents ...) - cluster-agents 1:1.0.3-3.1 (bug #598549) CVE-2010-3388 RESERVED CVE-2010-3387 - vdr 1.6.0-19.1 (unimportant; bug #598308) NOTE: Only affects a debugging tool, see bug #598308 CVE-2010-3386 (usttrace in LTTng Userspace Tracer (aka UST) 0.7 places a zero-length ...) - ust 0.7-2.1 (bug #598309) [squeeze] - ust 0.5-1+squeeze1 [wheezy] - ust 0.5-1+squeeze1 CVE-2010-3385 (TuxGuitar 1.2 places a zero-length directory name in the LD_LIBRARY_PA ...) - tuxguitar 1.2-7 (bug #598307) [lenny] - tuxguitar (Minor issue) CVE-2010-3384 (The (1) torcs, (2) nfsperf, (3) accc, (4) texmapper, (5) trackgen, and ...) - torcs 1.3.1-5 (bug #598306) [lenny] - torcs (Minor issue) CVE-2010-3383 (The (1) teamspeak and (2) teamspeak-server scripts in TeamSpeak 2.0.32 ...) - teamspeak-client 2.0.32-3.1 (low; bug #598304) [lenny] - teamspeak-client (Non-free not supported) - teamspeak-server 2.0.24.1+debian-1.1 (low; bug #598305) [lenny] - teamspeak-server (Non-free not supported) CVE-2010-3382 (tauex in Tuning and Analysis Utilities (TAU) 2.16.4 places a zero-leng ...) - tau 2.16.4-1.4 (bug #598303) CVE-2010-3381 (The (1) tangerine and (2) tangerine-properties scripts in Tangerine 0. ...) - tangerine 0.3.2.2-6 (bug #598302) [lenny] - tangerine (minor issue) CVE-2010-3380 (The (1) init.d/slurm and (2) init.d/slurmdbd scripts in SLURM before 2 ...) - slurm-llnl 2.1.15-2 (bug #602340) [wheezy] - slurm-llnl 2.1.11-1squeeze1 (bug #602340) [squeeze] - slurm-llnl 2.1.11-1squeeze1 (bug #602340) [lenny] - slurm-llnl (Minor issue) NOTE: Debian package ships its own, also vulnerable, init script. NOT fixed in 2.1.14-1 CVE-2010-3379 RESERVED CVE-2010-3378 (The (1) scilab, (2) scilab-cli, and (3) scilab-adv-cli scripts in Scil ...) - scilab 5.2.2-8 (bug #598423; bug #598422) [lenny] - scilab (Non-free not supported) CVE-2010-3377 (The (1) runSalome, (2) runTestMedCorba, (3) runLightSalome, and (4) hx ...) - salome 5.1.3-11 (bug #598421) CVE-2010-3376 (The (1) proofserv, (2) xrdcp, (3) xrdpwdadmin, and (4) xrd scripts in ...) - root-system 5.34.00-1 (bug #598420; bug #598419) [lenny] - root-system (minor issue) CVE-2010-3375 (qtparted has insecure library loading which may allow arbitrary code e ...) - qtparted 0.4.5-8 (low; bug #598301) [lenny] - qtparted (Minor issue) CVE-2010-3374 (Qt Creator before 2.0.1 places a zero-length directory name in the LD_ ...) - qtcreator 1.3.1-3 (bug #598300) CVE-2010-3373 (paxtest handles temporary files insecurely ...) - paxtest 1:0.9.9-1 (unimportant; bug #598413) CVE-2010-3372 (Untrusted search path vulnerability in NorduGrid Advanced Resource Con ...) - nordugrid-arc-nox 1.1.0~rc6-2.1 (bug #606151) CVE-2010-3371 RESERVED CVE-2010-3370 RESERVED CVE-2010-3369 (The (1) mdb and (2) mdb-symbolreader scripts in mono-debugger 2.4.3, a ...) - mono-debugger 2.6.3-2.1 (low; bug #598299) [lenny] - mono-debugger (Minor issue) CVE-2010-3368 RESERVED CVE-2010-3367 RESERVED CVE-2010-3366 (Mn_Fit 5.13 places a zero-length directory name in the LD_LIBRARY_PATH ...) - mn-fit (bug #598298) [lenny] - mn-fit (Minor issue) CVE-2010-3365 (Mistelix 0.31 places a zero-length directory name in the LD_LIBRARY_PA ...) - mistelix 0.31-2 (low; bug #598297) CVE-2010-3364 (The vips-7.22 script in VIPS 7.22.2 places a zero-length directory nam ...) - vips 7.14.5-2 (unimportant; bug #598296) NOTE: Scripts are not used for any real world scenarios CVE-2010-3363 (roarify in roaraudio 0.3 places a zero-length directory name in the LD ...) - roaraudio 0.3-2 (low; bug #598295) [lenny] - roaraudio (Minor issue) CVE-2010-3362 (lastfm 1.5.4 places a zero-length directory name in the LD_LIBRARY_PAT ...) - lastfm 1:1.5.4.26862+dfsg-5 (low; bug #598294) [lenny] - lastfm 1:1.5.1.31879.dfsg-1+lenny1 CVE-2010-3361 (The (1) iked, (2) ikea, and (3) ikec scripts in Shrew Soft IKE 2.1.5 p ...) - ike 2.1.5+dfsg-2 (low; bug #598292) [lenny] - ike (Minor issue) CVE-2010-3360 (Hipo 0.6.1 places a zero-length directory name in the LD_LIBRARY_PATH, ...) - hipo (bug #598291) [lenny] - hipo (Minor issue) CVE-2010-3359 (If LD_LIBRARY_PATH is undefined in gargoyle-free before 2009-08-25, th ...) - gargoyle-free 2009-08-25-2 NOTE: http://groups.google.com/group/garglk-dev/browse_thread/thread/1c92ab6f24d5ebe6 CVE-2010-3358 (HenPlus JDBC SQL-Shell 0.9.7 places a zero-length directory name in th ...) - henplus (bug #598290) CVE-2010-3357 (gnome-subtitles 1.0 places a zero-length directory name in the LD_LIBR ...) - gnome-subtitles 1.0-2 (low; bug #598289) [lenny] - gnome-subtitles (Minor issue) CVE-2010-3356 RESERVED CVE-2010-3355 (Ember 0.5.7 places a zero-length directory name in the LD_LIBRARY_PATH ...) - ember 0.5.7-1.1 (low; bug #598288) CVE-2010-3354 (dropboxd in Dropbox 0.7.110 places a zero-length directory name in the ...) - dropbox 0.8.107-1 (low; bug #598287) [lenny] - dropbox (Non-free not supported) CVE-2010-3353 (Cowbell 0.2.7.1 places a zero-length directory name in the LD_LIBRARY_ ...) - cowbell (See bug #598286) CVE-2010-3352 RESERVED CVE-2010-3351 (startBristol in Bristol 0.60.5 places a zero-length directory name in ...) - bristol 0.60.5-2 (bug #598285) CVE-2010-3350 (bareFTP 0.3.4 places a zero-length directory name in the LD_LIBRARY_PA ...) - bareftp 0.3.4-1.1 (bug #598284) CVE-2010-3349 (Ardour 2.8.11 places a zero-length directory name in the LD_LIBRARY_PA ...) - ardour 1:2.8.11-2 (low; bug #598282) CVE-2010-3348 (Microsoft Internet Explorer 6, 7, and 8 does not prevent rendering of ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-3347 REJECTED CVE-2010-3346 (Microsoft Internet Explorer 6, 7, and 8 does not properly handle objec ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-3345 (Microsoft Internet Explorer 8 does not properly handle objects in memo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-3344 REJECTED CVE-2010-3343 (Microsoft Internet Explorer 6 does not properly handle objects in memo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-3342 (Microsoft Internet Explorer 6, 7, and 8 does not prevent rendering of ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-3341 REJECTED CVE-2010-3340 (Microsoft Internet Explorer 6 and 7 does not properly handle objects i ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-3339 REJECTED CVE-2010-3338 (The Windows Task Scheduler in Microsoft Windows Vista SP1 and SP2, Win ...) NOT-FOR-US: Microsoft Windows CVE-2010-3337 (Untrusted search path vulnerability in Microsoft Office 2007 SP2 and 2 ...) NOT-FOR-US: Microsoft Office 2007 SP2 CVE-2010-3336 (Microsoft Office XP SP3, Office 2004 and 2008 for Mac, Office for Mac ...) NOT-FOR-US: Microsoft Office XP SP3 CVE-2010-3335 (Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010 ...) NOT-FOR-US: Microsoft Office XP SP3 CVE-2010-3334 (Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010 ...) NOT-FOR-US: Microsoft Office XP SP3 CVE-2010-3333 (Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP ...) NOT-FOR-US: Microsoft Office CVE-2010-3332 (Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1 ...) NOT-FOR-US: Microsoft .NET Framework CVE-2010-3331 (Microsoft Internet Explorer 6 through 8 does not properly handle objec ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-3330 (Microsoft Internet Explorer 6 through 8 does not properly restrict scr ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-3329 (mshtmled.dll in Microsoft Internet Explorer 7 and 8 allows remote atta ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-3328 (Use-after-free vulnerability in the CAttrArray::PrivateFind function i ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-3327 (The implementation of HTML content creation in Microsoft Internet Expl ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-3326 (Microsoft Internet Explorer 6 does not properly handle objects in memo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-3325 (Microsoft Internet Explorer 6 through 8 does not properly handle unspe ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-3324 (The toStaticHTML function in Microsoft Internet Explorer 8, and the Sa ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-3323 (Splunk 4.0.0 through 4.1.4 allows remote attackers to conduct session ...) NOT-FOR-US: Splunk CVE-2010-3322 (The XML parser in Splunk 4.0.0 through 4.1.4 allows remote authenticat ...) NOT-FOR-US: Splunk CVE-2010-3321 (RSA Authentication Client 2.0.x, 3.0, and 3.5.x before 3.5.3 does not ...) NOT-FOR-US: RSA Authentication Client CVE-2010-3320 (Open redirect vulnerability in IBM Records Manager (RM) 4.5.x before 4 ...) NOT-FOR-US: IBM Records Manager CVE-2010-3319 (IBM Records Manager (RM) 4.5.x before 4.5.1.1-IER-FP001 places a sessi ...) NOT-FOR-US: IBM Records Manager CVE-2010-3318 (IBM Records Manager (RM) 4.5.x before 4.5.1.1-IER-FP001 transmits pass ...) NOT-FOR-US: IBM Records Manager CVE-2010-3317 (Cross-site scripting (XSS) vulnerability in IBM Records Manager (RM) 4 ...) NOT-FOR-US: IBM Records Manager CVE-2010-3316 (The run_coprocess function in pam_xauth.c in the pam_xauth module in L ...) - pam 1.1.2-1 (unimportant; bug #599832) NOTE: partial fix http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commitdiff;h=06f882f30092a39a1db867c9744b2ca8d60e4ad6 NOTE: Not exploitable with current kernels CVE-2010-3315 (authz.c in the mod_dav_svn module for the Apache HTTP Server, as distr ...) {DSA-2118-1} - subversion 1.6.12dfsg-2 (low) CVE-2010-3314 (Cross-site scripting (XSS) vulnerability in login.php in EGroupware 1. ...) {DSA-2013-1} - egroupware (high; bug #573279) [lenny] - egroupware 1.4.004-2.dfsg-4.2 CVE-2010-3313 (phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/serv ...) {DSA-2013-1} - egroupware (high; bug #573279) [lenny] - egroupware 1.4.004-2.dfsg-4.2 CVE-2010-3312 (Epiphany 2.28 and 2.29, when WebKit and LibSoup are used, unconditiona ...) - epiphany-browser 2.29.91-1 (bug #564690) [lenny] - epiphany-browser (Introduced with the switch to webkit after Lenny release) CVE-2010-3311 (Integer overflow in base/ftstream.c in libXft (aka the X FreeType libr ...) {DSA-2116-1} - freetype 2.4.0-1 NOTE: Only the 2.3.x series is affected CVE-2010-3310 (Multiple integer signedness errors in net/rose/af_rose.c in the Linux ...) {DSA-2126-1} - linux-2.6 2.6.32-25 CVE-2010-3309 REJECTED CVE-2010-3308 (Buffer overflow in programs/pluto/xauth.c in the client in Openswan 2. ...) - openswan 1:2.6.28+dfsg-2 [lenny] - openswan (Introduced in version 2.6.25) CVE-2010-3307 (Multiple PHP remote file inclusion vulnerabilities in themes/default/i ...) NOT-FOR-US: Free Simple CMS 1.0 CVE-2010-3305 (Cross-site request forgery (CSRF) vulnerability in pixelpost 1.7.3 cou ...) - pixelpost (bug #597224) CVE-2010-3304 (The ACL plugin in Dovecot 1.2.x before 1.2.13 propagates INBOX ACLs to ...) - dovecot 1.2.13-1 [lenny] - dovecot (only affects 1.2.x) CVE-2010-3303 (Multiple cross-site scripting (XSS) vulnerabilities in MantisBT before ...) - mantis 1.1.8+dfsg-8 (bug #599710) [lenny] - mantis 1.1.6+dfsg-2lenny3 CVE-2010-3302 (Buffer overflow in programs/pluto/xauth.c in the client in Openswan 2. ...) - openswan 1:2.6.28+dfsg-2 [lenny] - openswan (Introduced in version 2.6.25) CVE-2010-3301 (The IA32 system call emulation functionality in arch/x86/ia32/ia32entr ...) - linux-2.6 2.6.32-23 [lenny] - linux-2.6 (vulnerability introduced in 2.6.27) CVE-2010-3300 RESERVED CVE-2010-3299 (The encrypt/decrypt functions in Ruby on Rails 2.3 are vulnerable to p ...) - rails (unimportant) NOTE: http://seclists.org/oss-sec/2010/q3/415 NOTE: http://seclists.org/oss-sec/2010/q3/413 NOTE: http://usenix.org/events/woot10/tech/full_papers/Rizzo.pdf CVE-2010-3298 (The hso_get_count function in drivers/net/usb/hso.c in the Linux kerne ...) - linux-2.6 2.6.32-24 [lenny] - linux-2.6 (Introduced in 2.6.27) CVE-2010-3297 (The eql_g_master_cfg function in drivers/net/eql.c in the Linux kernel ...) {DSA-2126-1} - linux-2.6 2.6.32-24 CVE-2010-3296 (The cxgb_extension_ioctl function in drivers/net/cxgb3/cxgb3_main.c in ...) {DSA-2126-1} - linux-2.6 2.6.32-24 CVE-2010-3295 REJECTED CVE-2010-3291 (Cross-site scripting (XSS) vulnerability in HP AssetCenter 5.0x throug ...) NOT-FOR-US: HP AssetCenter CVE-2010-3290 (Unspecified vulnerability in HP Systems Insight Manager (SIM) before 6 ...) NOT-FOR-US: HP Systems Insight Manager CVE-2010-3289 (Cross-site scripting (XSS) vulnerability in HP Systems Insight Manager ...) NOT-FOR-US: HP Systems Insight Manager CVE-2010-3288 (Cross-site request forgery (CSRF) vulnerability in HP Systems Insight ...) NOT-FOR-US: HP Systems Insight Manager CVE-2010-3287 (Unspecified vulnerability on HP ProCurve Access Points, Access Control ...) NOT-FOR-US: HP ProCurve CVE-2010-3286 (Unspecified vulnerability in HP Systems Insight Manager (SIM) 6.0 and ...) NOT-FOR-US: HP Systems Insight Manager CVE-2010-3285 (Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2010-3284 (Unspecified vulnerability in HP System Management Homepage (SMH) befor ...) NOT-FOR-US: HP System Management Homepage CVE-2010-3283 (Open redirect vulnerability in HP System Management Homepage (SMH) bef ...) NOT-FOR-US: HP System Management Homepage CVE-2010-3282 (389 Directory Server before 1.2.7.1 (aka Red Hat Directory Server 8.2) ...) NOT-FOR-US: Red Hat Directory Server CVE-2010-3281 (Stack-based buffer overflow in the HTTP proxy service in Alcatel-Lucen ...) NOT-FOR-US: Alcatel-Lucent OmniVista CVE-2010-3280 (The CCAgent option 9.0.8.4 and earlier in the management server (aka T ...) NOT-FOR-US: Alcatel-Lucent OmniTouch Contact Center CVE-2010-3279 (The default configuration of the CCAgent option before 9.0.8.4 in the ...) NOT-FOR-US: Alcatel-Lucent OmniTouch Contact Center CVE-2010-3294 (Cross-site scripting (XSS) vulnerability in apc.php in the Alternative ...) - php-apc (unimportant) NOTE: vulnerable script is, mainly, for debugging purposes NOTE: and is distributed gzip-compressed CVE-2010-3293 (mailscanner can allow local users to prevent virus signatures from bei ...) - mailscanner (bug #596397; unimportant) NOTE: or even unimportant, the script is not used by default CVE-2010-3292 (The update{_bad,}_phishing_sites scripts in mailscanner 4.79.11-2 down ...) - mailscanner (bug #596396; low) [squeeze] - mailscanner (Minor issue) CVE-2010-3278 REJECTED CVE-2010-3277 (The installer in VMware Workstation 7.x before 7.1.2 build 301548 and ...) NOT-FOR-US: VMware Workstation CVE-2010-3276 (libdirectx_plugin.dll in VideoLAN VLC Media Player before 1.1.8 allows ...) {DSA-2211-1} - vlc 1.1.8-1 NOTE: fe44129dc6509b3347113ab0e1a0524af1e0dd11 in 1.1 branch CVE-2010-3275 (libdirectx_plugin.dll in VideoLAN VLC Media Player before 1.1.8 allows ...) {DSA-2211-1} - vlc 1.1.8-1 NOTE: fe44129dc6509b3347113ab0e1a0524af1e0dd11 in 1.1 branch CVE-2010-3274 (Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch. ...) NOT-FOR-US: ZOHO ManageEngine CVE-2010-3273 (ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allows remo ...) NOT-FOR-US: ZOHO ManageEngine CVE-2010-3272 (accounts/ValidateAnswers in the security-questions implementation in Z ...) NOT-FOR-US: ZOHO ManageEngine CVE-2010-3271 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Inte ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2010-3270 (Stack-based buffer overflow in Cisco WebEx Meeting Center T27LB before ...) NOT-FOR-US: Cisco WebEx Meeting Center CVE-2010-3269 (Multiple stack-based buffer overflows in the Cisco WebEx Recording For ...) NOT-FOR-US: Cisco WebEx CVE-2010-3268 (The GetStringAMSHandler function in prgxhndl.dll in hndlrsvc.exe in th ...) NOT-FOR-US: Symantec Antivirus CVE-2010-3267 (Multiple SQL injection vulnerabilities in BugTracker.NET before 3.4.5 ...) NOT-FOR-US: BugTracker.NET CVE-2010-3266 (Multiple cross-site scripting (XSS) vulnerabilities in BugTracker.NET ...) NOT-FOR-US: BugTracker.NET CVE-2010-3265 RESERVED CVE-2010-3264 (The engine installer in Novell Identity Manager (aka IDM) 3.6.1 stores ...) NOT-FOR-US: Novell Identity Manager CVE-2010-3263 (Cross-site scripting (XSS) vulnerability in setup/frames/index.inc.php ...) - phpmyadmin 4:3.3.7-1 (low) [lenny] - phpmyadmin (Vulnerable code not present) CVE-2010-3262 (Cross-site scripting (XSS) vulnerability in Flock Browser 3.x before 3 ...) NOT-FOR-US: flock CVE-2010-3261 (Directory traversal vulnerability in RSA Authentication Agent 7.0 befo ...) NOT-FOR-US: RSA Authentication Agent 7.0 for Web CVE-2010-3260 (oxf/xml/xerces/XercesSAXParserFactoryImpl.java in the xforms-server co ...) NOT-FOR-US: Orbeon Forms CVE-2010-3259 (WebKit, as used in Apple Safari before 4.1.3 and 5.0.x before 5.0.3, G ...) - chromium-browser 6.0.472.53~r57914-1 - webkit 1.2.5-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) NOTE: https://bugs.webkit.org/show_bug.cgi?id=44399 NOTE: http://trac.webkit.org/changeset/65826 CVE-2010-3258 (The sandbox implementation in Google Chrome before 6.0.472.53 does not ...) - chromium-browser 6.0.472.53~r57914-1 - webkit NOTE: chromium specific CVE-2010-3257 (Use-after-free vulnerability in WebKit, as used in Apple Safari before ...) - chromium-browser 6.0.472.53~r57914-1 - webkit 1.2.5-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) NOTE: http://trac.webkit.org/changeset/65748 NOTE: https://bugs.webkit.org/show_bug.cgi?id=44226 CVE-2010-3256 (Google Chrome before 6.0.472.53 does not properly limit the number of ...) - chromium-browser 6.0.472.53~r57914-1 - webkit NOTE: chromium specific CVE-2010-3255 (Google Chrome before 6.0.472.53 and webkitgtk before 1.2.6 do not prop ...) - chromium-browser 6.0.472.53~r57914-1 - webkit 1.2.5-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) NOTE: https://bugs.webkit.org/show_bug.cgi?id=43812 NOTE: http://trac.webkit.org/changeset/66052 CVE-2010-3254 (The WebSockets implementation in Google Chrome before 6.0.472.53 does ...) - chromium-browser 6.0.472.53~r57914-1 - webkit 1.2.6-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) NOTE: http://trac.webkit.org/changeset/65135 CVE-2010-3253 (The implementation of notification permissions in Google Chrome before ...) - chromium-browser 6.0.472.53~r57914-1 - webkit (notifications not yet used in webkit) NOTE: http://trac.webkit.org/changeset/64647 NOTE: http://trac.webkit.org/changeset/64651 CVE-2010-3252 (Use-after-free vulnerability in the Notifications presenter in Google ...) - chromium-browser 6.0.472.53~r57914-1 - webkit (notifications not yet used in webkit) NOTE: https://bugs.webkit.org/show_bug.cgi?id=43645 NOTE: http://trac.webkit.org/changeset/65742 CVE-2010-3251 (The WebSockets implementation in Google Chrome before 6.0.472.53 allow ...) - chromium-browser 6.0.472.53~r57914-1 - webkit NOTE: chromium specific CVE-2010-3250 (Unspecified vulnerability in Google Chrome before 6.0.472.53 allows re ...) - chromium-browser 6.0.472.53~r57914-1 - webkit NOTE: chromium specific CVE-2010-3249 (Google Chrome before 6.0.472.53 does not properly implement SVG filter ...) - chromium-browser 6.0.472.53~r57914-1 NOTE: http://trac.webkit.org/changeset/60541 CVE-2010-3248 (Google Chrome before 6.0.472.53 does not properly restrict copying to ...) - chromium-browser 6.0.472.53~r57914-1 - webkit 1.2.5-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) NOTE: http://trac.webkit.org/changeset/58703 CVE-2010-3247 (Google Chrome before 6.0.472.53 does not properly restrict the charact ...) - chromium-browser 6.0.472.53~r57914-1 - webkit NOTE: chromium specific CVE-2010-3246 (Google Chrome before 6.0.472.53 does not properly handle the _blank va ...) - chromium-browser 6.0.472.53~r57914-1 - webkit (vulnerable code not present in 1.2.x series) NOTE: https://bugs.webkit.org/show_bug.cgi?id=34541 NOTE: https://bugs.webkit.org/show_bug.cgi?id=44969 NOTE: http://trac.webkit.org/changeset/66742 CVE-2010-3245 (The automated-backup functionality in Blackboard Transact Suite (forme ...) NOT-FOR-US: Blackboard Transact Suite CVE-2010-3244 (BbtsConnection_Edit.exe in Blackboard Transact Suite (formerly Blackbo ...) NOT-FOR-US: Blackboard Transact Suite CVE-2009-4997 (gnome-power-manager 2.27.92 does not properly implement the lock_on_su ...) - gnome-power-manager 2.28.0-1 (unimportant) CVE-2009-4996 NOTE: Disputed non-issue CVE-2006-7240 (gnome-power-manager 2.14.0 does not properly implement the lock_on_sus ...) - gnome-power-manager 2.28.0-1 (unimportant) CVE-2010-3306 (Directory traversal vulnerability in the modURL function in instance.c ...) - weborf 0.12.3-1 (bug #596112) CVE-2010-3243 (Cross-site scripting (XSS) vulnerability in the toStaticHTML function ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-3242 (Microsoft Excel 2002 SP3, Office 2004 and 2008 for Mac, and Open XML F ...) NOT-FOR-US: Microsoft Excel CVE-2010-3241 (Microsoft Excel 2002 SP3, Office 2004 and 2008 for Mac, and Open XML F ...) NOT-FOR-US: Microsoft Excel CVE-2010-3240 (Microsoft Excel 2002 SP3 and 2007 SP2; Excel Viewer SP2; and Office Co ...) NOT-FOR-US: Microsoft Excel CVE-2010-3239 (Microsoft Excel 2002 SP3 does not properly validate record information ...) NOT-FOR-US: Microsoft Excel CVE-2010-3238 (Microsoft Excel 2002 SP3 and 2003 SP3, and Office 2004 for Mac, does n ...) NOT-FOR-US: Microsoft Excel CVE-2010-3237 (Microsoft Excel 2002 SP3 and Office 2004 for Mac do not properly valid ...) NOT-FOR-US: Microsoft Excel CVE-2010-3236 (Microsoft Excel 2002 SP3 and 2003 SP3, Office 2004 and 2008 for Mac, a ...) NOT-FOR-US: Microsoft Excel CVE-2010-3235 (Microsoft Excel 2002 SP3 does not properly validate formula informatio ...) NOT-FOR-US: Microsoft Excel CVE-2010-3234 (Microsoft Excel 2002 SP3 does not properly validate formula informatio ...) NOT-FOR-US: Microsoft Excel CVE-2010-3233 (Microsoft Excel 2002 SP3 and 2003 SP3 does not properly validate recor ...) NOT-FOR-US: Microsoft Excel CVE-2010-3232 (Microsoft Excel 2003 SP3 and 2007 SP2; Office 2004 and 2008 for Mac; O ...) NOT-FOR-US: Microsoft Excel CVE-2010-3231 (Microsoft Excel 2002 SP3, Office 2004 and 2008 for Mac, and Open XML F ...) NOT-FOR-US: Microsoft Excel CVE-2010-3230 (Integer overflow in Microsoft Excel 2002 SP3 allows remote attackers t ...) NOT-FOR-US: Microsoft Excel CVE-2010-3229 (The Secure Channel (aka SChannel) security package in Microsoft Window ...) NOT-FOR-US: Microsoft OSes CVE-2010-3228 (The JIT compiler in Microsoft .NET Framework 4.0 on 64-bit platforms d ...) NOT-FOR-US: Microsoft .NET Framework CVE-2010-3227 (Stack-based buffer overflow in the UpdateFrameTitleForDocument method ...) NOT-FOR-US: Microsoft Windows CVE-2010-3226 REJECTED CVE-2010-3225 (Use-after-free vulnerability in the Media Player Network Sharing Servi ...) NOT-FOR-US: Microsoft Windows Vista CVE-2010-3224 REJECTED CVE-2010-3223 (The user interface in Microsoft Cluster Service (MSCS) in Microsoft Wi ...) NOT-FOR-US: Microsoft Windows CVE-2010-3222 (Stack-based buffer overflow in the Remote Procedure Call Subsystem (RP ...) NOT-FOR-US: Microsoft Windows CVE-2010-3221 (Microsoft Word 2002 SP3 and 2003 SP3, Office 2004 for Mac, and Word Vi ...) NOT-FOR-US: Microsoft Word CVE-2010-3220 (Unspecified vulnerability in Microsoft Word 2002 SP3 and Office 2004 f ...) NOT-FOR-US: Microsoft Word CVE-2010-3219 (Array index vulnerability in Microsoft Word 2002 SP3 allows remote att ...) NOT-FOR-US: Microsoft Word CVE-2010-3218 (Heap-based buffer overflow in Microsoft Word 2002 SP3 allows remote at ...) NOT-FOR-US: Microsoft Word CVE-2010-3217 (Double free vulnerability in Microsoft Word 2002 SP3 allows remote att ...) NOT-FOR-US: Microsoft Word CVE-2010-3216 (Microsoft Word 2002 SP3 and Office 2004 for Mac allow remote attackers ...) NOT-FOR-US: Microsoft Word CVE-2010-3215 (Microsoft Word 2002 SP3 and Office 2004 for Mac do not properly handle ...) NOT-FOR-US: Microsoft Word CVE-2010-3214 (Stack-based buffer overflow in Microsoft Word 2002 SP3, 2003 SP3, 2007 ...) NOT-FOR-US: Microsoft Word CVE-2010-3213 (Cross-site request forgery (CSRF) vulnerability in Microsoft Outlook W ...) NOT-FOR-US: Microsoft Outlook Web Access CVE-2010-3212 (SQL injection vulnerability in index.php in Seagull 0.6.7 and earlier ...) NOT-FOR-US: Seagull CVE-2010-3211 (Multiple SQL injection vulnerabilities in the JE FAQ Pro (com_jefaqpro ...) NOT-FOR-US: Joomla addon CVE-2010-3210 (Multiple PHP remote file inclusion vulnerabilities in Multi-lingual E- ...) NOT-FOR-US: Multi-lingual E-Commerce System CVE-2010-3209 (Multiple PHP remote file inclusion vulnerabilities in Seagull 0.6.7 al ...) NOT-FOR-US: Seagull CVE-2010-3208 (Cross-site scripting (XSS) vulnerability in ajax.php in Wiccle Web Bui ...) NOT-FOR-US: Wiccle Web Builder CVE-2010-3207 (SQL injection vulnerability in index.php in GaleriaSHQIP 1.0, when mag ...) NOT-FOR-US: GaleriaSHQIP CVE-2010-3206 (Multiple PHP remote file inclusion vulnerabilities in DiY-CMS 1.0 allo ...) NOT-FOR-US: DiY-CMS CVE-2010-3205 (PHP remote file inclusion vulnerability in index.php in Textpattern CM ...) - textpattern [squeeze] - textpattern (Minor issue) CVE-2010-3204 (Multiple PHP remote file inclusion vulnerabilities in Pecio CMS 2.0.5 ...) NOT-FOR-US: Pecio CMS CVE-2010-3203 (Directory traversal vulnerability in the PicSell (com_picsell) compone ...) NOT-FOR-US: PicSell CVE-2010-3202 (Cross-site scripting (XSS) vulnerability in Flock Browser 3.0.0.3989 a ...) NOT-FOR-US: flock CVE-2010-3201 (Cross-site scripting (XSS) vulnerability in NetWin Surgemail before 4. ...) NOT-FOR-US: NetWin Surgemail CVE-2010-3200 (MSO.dll in Microsoft Word 2003 SP3 11.8326.11.8324 allows remote attac ...) NOT-FOR-US: Microsoft Word CVE-2010-3199 (Untrusted search path vulnerability in TortoiseSVN 1.6.10, Build 19898 ...) NOT-FOR-US: TortoiseSVN CVE-2010-3198 (ZServer in Zope 2.10.x before 2.10.12 and 2.11.x before 2.11.7 allows ...) - zope2.10 - zope2.11 CVE-2010-3197 (IBM DB2 9.7 before FP2 does not perform the expected access control on ...) NOT-FOR-US: IBM DB2 CVE-2010-3196 (IBM DB2 9.7 before FP2, when AUTO_REVAL is IMMEDIATE, allows remote au ...) NOT-FOR-US: IBM DB2 CVE-2010-3195 (Unspecified vulnerability in IBM DB2 9.1 before FP9, 9.5 before FP6, a ...) NOT-FOR-US: IBM DB2 CVE-2010-3194 (The DB2DART program in IBM DB2 9.1 before FP9, 9.5 before FP6, and 9.7 ...) NOT-FOR-US: IBM DB2 CVE-2010-3193 (Unspecified vulnerability in the DB2STST program in IBM DB2 9.1 before ...) NOT-FOR-US: IBM DB2 CVE-2010-3192 (Certain run-time memory protection mechanisms in the GNU C Library (ak ...) - eglibc (unimportant) NOTE: Minor information leak CVE-2010-3191 (Untrusted search path vulnerability in Adobe Captivate 5.0.0.596, and ...) NOT-FOR-US: Adobe Captivate CVE-2010-3190 (Untrusted search path vulnerability in the Microsoft Foundation Class ...) NOT-FOR-US: ATL MFC Trace Tool CVE-2010-3189 (The extSetOwner function in the UfProxyBrowserCtrl ActiveX control (Uf ...) NOT-FOR-US: Trend Micro Internet Security Pro CVE-2010-3188 (SQL injection vulnerability in search.aspx in BugTracker.NET 3.4.3 and ...) NOT-FOR-US: BugTracker.NET CVE-2010-3187 (Buffer overflow in ftpd in IBM AIX 5.3 and earlier allows remote attac ...) NOT-FOR-US: IBM AIX CVE-2010-3186 (IBM WebSphere Application Server (WAS) 7.x before 7.0.0.13, and WebSph ...) NOT-FOR-US: WebSphere CVE-2010-3185 RESERVED CVE-2010-3184 RESERVED CVE-2010-3183 (The LookupGetterOrSetter function in js3250.dll in Mozilla Firefox bef ...) {DSA-2124-1} - xulrunner (unimportant) - iceweasel 3.5.14-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - icedove 3.0.9-1 [lenny] - icedove - iceape 2.0.9-1 [lenny] - iceape (Only a stub package) [lenny] - xulrunner (bug in optimization added later) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-3182 (A certain application-launch script in Mozilla Firefox before 3.5.14 a ...) - icedove 3.0.9-1 [lenny] - icedove - iceweasel (run-mozilla.sh not used) CVE-2010-3181 (Untrusted search path vulnerability in Mozilla Firefox before 3.5.14 a ...) - iceweasel (Windows-specific) CVE-2010-3180 (Use-after-free vulnerability in the nsBarProp function in Mozilla Fire ...) {DSA-2124-1} - xulrunner (unimportant) - icedove 3.0.9-1 - iceweasel 3.5.14-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.9-1 [lenny] - iceape (Only a stub package) [lenny] - icedove NOTE: xulrunner in wheezy is not covered by security support CVE-2010-3179 (Stack-based buffer overflow in the text-rendering functionality in Moz ...) {DSA-2124-1} - xulrunner (unimportant) - icedove 3.0.9-1 [lenny] - icedove - iceweasel 3.5.14-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.9-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-3178 (Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird bef ...) {DSA-2124-1} - xulrunner (unimportant) - icedove 3.0.9-1 [lenny] - icedove - iceweasel 3.5.14-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.9-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-3177 (Multiple cross-site scripting (XSS) vulnerabilities in the Gopher pars ...) {DSA-2124-1} - xulrunner (unimportant) - iceweasel 3.5.14-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.9-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-3176 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2124-1} - xulrunner (unimportant) - iceweasel 3.5.14-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.9-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-3175 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel (Only affects Firefox 3.6, which is only in experimental) CVE-2010-3174 (Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5 ...) {DSA-2124-1} - xulrunner (unimportant) - icedove 3.0.9-1 [lenny] - icedove - iceweasel 3.5.14-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.9-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-3173 (The SSL implementation in Mozilla Firefox before 3.5.14 and 3.6.x befo ...) {DSA-2123-1} - nss 3.12.8-1 CVE-2010-3172 (CRLF injection vulnerability in Bugzilla before 3.2.9, 3.4.x before 3. ...) - bugzilla 3.6.3.0-1 (bug #602420; low) [squeeze] - bugzilla 3.6.2.0-4.2 CVE-2010-3171 (The Math.random function in the JavaScript implementation in Mozilla F ...) NOTE: Will likely be rejected by MITRE CVE-2010-3170 (Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird bef ...) {DSA-2123-1} - nss 3.12.8-1 - kde4libs 4:4.4.5-4 (low) - qt4-x11 4:4.7.2-4 (low) [squeeze] - qt4-x11 4:4.6.3-4+squeeze1 [lenny] - qt4-x11 (Vulnerable code not present) [squeeze] - kde4libs 4:4.4.5-2+squeeze2 [lenny] - kde4libs (Minor issue) CVE-2010-3169 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2106-1} - xulrunner (unimportant) - iceweasel 3.5.12-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - icedove 3.0.7-1 [lenny] - icedove - iceape 2.0.7-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-3168 (Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird befo ...) {DSA-2106-1} - xulrunner (unimportant) - iceweasel 3.5.12-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - icedove 3.0.7-1 [lenny] - icedove - iceape 2.0.7-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-3167 (The nsTreeContentView function in Mozilla Firefox before 3.5.12 and 3. ...) {DSA-2106-1} - xulrunner (unimportant) - iceweasel 3.5.12-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - icedove 3.0.7-1 [lenny] - icedove - iceape 2.0.7-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-3166 (Heap-based buffer overflow in the nsTextFrameUtils::TransformText func ...) - xulrunner (unimportant) - iceweasel 3.5.12-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) [lenny] - xulrunner (Doesn't affect Xulrunner 1.9.0 code base) - icedove 3.0.7-1 [lenny] - icedove (Doesn't affect Xulrunner 1.9.0 code base) - iceape 2.0.7-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-3165 (Untrusted search path vulnerability in Yokka NoEditor 1.33.1.1 and ear ...) NOT-FOR-US: Yokka NoEditor and others CVE-2010-3164 (Untrusted search path vulnerability in Fenrir Sleipnir 2.9.4 and earli ...) NOT-FOR-US: Fenrir Sleipnir, Grani CVE-2010-3163 (Untrusted search path vulnerability in Fenrir Sleipnir before 2.9.5 an ...) NOT-FOR-US: Fenrir Sleipnir, Grani CVE-2010-3162 (Untrusted search path vulnerability in Apsaly before 3.74 allows local ...) NOT-FOR-US: Apsaly CVE-2010-3161 (Untrusted search path vulnerability in TeraPad before 1.00 allows loca ...) NOT-FOR-US: TeraPad CVE-2010-3160 (Untrusted search path vulnerability in Archive Decoder 1.23 and earlie ...) NOT-FOR-US: Archive Decoder CVE-2010-3159 (Untrusted search path vulnerability in Explzh 5.67 and earlier allows ...) NOT-FOR-US: Explzh CVE-2010-3158 (Untrusted search path vulnerability in Lhaplus before 1.58 allows loca ...) NOT-FOR-US: Lhaplus CVE-2010-3157 (Untrusted search path vulnerability in XacRett before 50 allows attack ...) NOT-FOR-US: XacRett CVE-2010-3156 (Untrusted search path vulnerability in K2 K2Editor before 1.5.9 allows ...) NOT-FOR-US: K2Editor CVE-2010-3133 (Untrusted search path vulnerability in Wireshark 0.8.4 through 1.0.15 ...) - wireshark (Only affects Windows port) CVE-2010-3131 (Untrusted search path vulnerability in Mozilla Firefox before 3.5.12 a ...) - xulrunner (Only affects Windows port) - iceweasel (Only affects Windows port) CVE-2010-3123 RESERVED CVE-2010-3155 (Untrusted search path vulnerability in Adobe ExtendScript Toolkit (EST ...) NOT-FOR-US: Adobe ExtendedScript Toolkit CVE-2010-3154 (Untrusted search path vulnerability in Adobe Extension Manager CS5 5.0 ...) NOT-FOR-US: Adobe Extension Manager CVE-2010-3153 (Untrusted search path vulnerability in Adobe InDesign CS4 6.0, InDesig ...) NOT-FOR-US: Adobe InDesign CVE-2010-3152 (Untrusted search path vulnerability in Adobe Illustrator CS4 14.0.0, C ...) NOT-FOR-US: Adobe Illustrator CVE-2010-3151 (Untrusted search path vulnerability in Adobe On Location CS4 Build 315 ...) NOT-FOR-US: Adobe On Location CVE-2010-3150 (Untrusted search path vulnerability in Adobe Premier Pro CS4 4.0.0 (31 ...) NOT-FOR-US: Adobe Premier Pro CVE-2010-3149 (Untrusted search path vulnerability in Adobe Device Central CS5 3.0.0( ...) NOT-FOR-US: Adobe Device Central CVE-2010-3148 (Untrusted search path vulnerability in Microsoft Visio 2003 SP3 allows ...) NOT-FOR-US: Microsoft Visio CVE-2010-3147 (Untrusted search path vulnerability in wab.exe 6.00.2900.5512 in Windo ...) NOT-FOR-US: Microsoft Address Book CVE-2010-3146 (Multiple untrusted search path vulnerabilities in Microsoft Groove 200 ...) NOT-FOR-US: Microsoft Office Groove CVE-2010-3145 (Untrusted search path vulnerability in the BitLocker Drive Encryption ...) NOT-FOR-US: Microsoft Vista BitLocker CVE-2010-3144 (Untrusted search path vulnerability in the Internet Connection Signup ...) NOT-FOR-US: Microsoft Internet Connection Signup Wizard CVE-2010-3143 (Untrusted search path vulnerability in Microsoft Windows Contacts allo ...) NOT-FOR-US: Microsoft Windows Contacts CVE-2010-3142 (Untrusted search path vulnerability in Microsoft Office PowerPoint 200 ...) NOT-FOR-US: Microsoft Office PowerPoint CVE-2010-3141 (Untrusted search path vulnerability in Microsoft PowerPoint 2010 allow ...) NOT-FOR-US: Microsoft Power Point CVE-2010-3140 (Untrusted search path vulnerability in Microsoft Windows Internet Comm ...) NOT-FOR-US: Microsoft Windows Internet Communication Settings CVE-2010-3139 (Untrusted search path vulnerability in Microsoft Windows Progman Group ...) NOT-FOR-US: Microsoft Windows Progman Group Converter CVE-2010-3138 (Untrusted search path vulnerability in the Indeo Codec in iac25_32.ax ...) NOT-FOR-US: Microsoft Windows Media Player CVE-2010-3137 (Untrusted search path vulnerability in Nullsoft Winamp 5.581, and prob ...) NOT-FOR-US: Nullsoft Winamp CVE-2010-3136 (Untrusted search path vulnerability in Skype 4.2.0.169 and earlier all ...) NOT-FOR-US: Skype CVE-2010-3135 (Untrusted search path vulnerability in Cisco Packet Tracer 5.2 allows ...) NOT-FOR-US: Cisco Packet Tracer CVE-2010-3134 (Untrusted search path vulnerability in Google Earth 5.1.3535.3218 allo ...) NOT-FOR-US: Google Earth CVE-2010-3132 (Untrusted search path vulnerability in Adobe Dreamweaver CS5 11.0 buil ...) NOT-FOR-US: Adobe Dreamweaver CVE-2010-3130 (Untrusted search path vulnerability in TechSmith Snagit all versions 1 ...) NOT-FOR-US: TechSmith Snagit CVE-2010-3129 (Untrusted search path vulnerability in uTorrent 2.0.3 and earlier allo ...) NOT-FOR-US: uTorrent CVE-2010-3128 (Untrusted search path vulnerability in TeamViewer 5.0.8703 and earlier ...) NOT-FOR-US: TeamViewer CVE-2010-3127 (Untrusted search path vulnerability in Adobe PhotoShop CS2 through CS5 ...) NOT-FOR-US: Adobe PhotoShop CVE-2010-3126 (Untrusted search path vulnerability in avast! Free Antivirus version 5 ...) NOT-FOR-US: avast! Free Antivirus version CVE-2010-3125 (Untrusted search path vulnerability in TeamMate Audit Management Softw ...) NOT-FOR-US: TeamMate Audit Management Software Suite CVE-2010-3122 (The DevonIT thin-client management tool relies on a shared secret for ...) NOT-FOR-US: DevonIT thin-client management tool CVE-2010-3121 (Buffer overflow in tm-console-bin in the DevonIT thin-client managemen ...) NOT-FOR-US: DevonIT thin-client management tool CVE-2009-4995 (Cross-site scripting (XSS) vulnerability in frmTickets.aspx in Smarter ...) NOT-FOR-US: SmarterTools SmarterTrack CVE-2009-4994 (Cross-site scripting (XSS) vulnerability in frmKBSearch.aspx in Smarte ...) NOT-FOR-US: SmarterTools SmarterTrack CVE-2009-4993 (PHP remote file inclusion vulnerability in home.php in LM Starmail Pai ...) NOT-FOR-US: LM Starmail Paidmail CVE-2009-4992 (SQL injection vulnerability in paidbanner.php in LM Starmail Paidmail ...) NOT-FOR-US: LM Starmail Paidmail CVE-2009-4991 (Cross-site scripting (XSS) vulnerability in users/resume_register.php ...) NOT-FOR-US: Omnistar Recruiting CVE-2009-4990 (Cross-site scripting (XSS) vulnerability in the Webform report module ...) NOT-FOR-US: Webform report module for Drupal CVE-2009-4989 (Cross-site scripting (XSS) vulnerability in index.php in AJ Auction Pr ...) NOT-FOR-US: AJ Auction Pro OOPD CVE-2009-4988 (Stack-based buffer overflow in NT_Naming_Service.exe in SAP Business O ...) NOT-FOR-US: SAP Business One CVE-2009-4987 (admin/header.php in Scripteen Free Image Hosting Script 2.3 allows rem ...) NOT-FOR-US: Scripteen Free Image Hosting Script CVE-2009-4986 (Directory traversal vulnerability in index.php in In-Portal 4.3.1, whe ...) NOT-FOR-US: In-Portal CVE-2009-4985 (SQL injection vulnerability in browse.php in Accessories Me PHP Affili ...) NOT-FOR-US: Accessories Me PHP Affiliate Script CVE-2009-4984 (Multiple cross-site scripting (XSS) vulnerabilities in Accessories Me ...) NOT-FOR-US: Accessories Me PHP Affiliate Script CVE-2009-4983 (Multiple cross-site scripting (XSS) vulnerabilities in Silurus Classif ...) NOT-FOR-US: Silurus Classifieds CVE-2009-4982 (SQL injection vulnerability in the select function in Irokez CMS 0.7.1 ...) NOT-FOR-US: Irokez CMS CVE-2009-4981 (Multiple cross-site request forgery (CSRF) vulnerabilities in Photokor ...) NOT-FOR-US: Photokorn Gallery CVE-2009-4980 (Multiple cross-site scripting (XSS) vulnerabilities in Photokorn Galle ...) NOT-FOR-US: Photokorn Gallery CVE-2009-4979 (Multiple SQL injection vulnerabilities in search.php in Photokorn Gall ...) NOT-FOR-US: Photokorn Gallery CVE-2009-4978 (Directory traversal vulnerability in down.php in MyBackup 1.4.0 allows ...) NOT-FOR-US: MyBackup CVE-2009-4977 (PHP remote file inclusion vulnerability in index.php in MyBackup 1.4.0 ...) NOT-FOR-US: MyBackup CVE-2010-3124 (Untrusted search path vulnerability in bin/winvlc.c in VLC Media Playe ...) - vlc (Windows specific vulnerability) CVE-2010-3120 (Google Chrome before 5.0.375.127 does not properly implement the Geolo ...) - chromium-browser 5.0.375.127~r55887-1 - webkit 1.2.5-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) NOTE: https://bugs.webkit.org/show_bug.cgi?id=43776 NOTE: https://bugs.webkit.org/show_bug.cgi?id=39879 NOTE: https://bugs.webkit.org/show_bug.cgi?id=44096 NOTE: http://trac.webkit.org/changeset/65329 NOTE: http://trac.webkit.org/changeset/65325 CVE-2010-3119 (Google Chrome before 5.0.375.127 and webkitgtk before 1.2.6 do not pro ...) - chromium-browser 5.0.375.127~r55887-1 - webkit 1.2.4-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) NOTE: https://bugs.webkit.org/show_bug.cgi?id=43795 NOTE: http://trac.webkit.org/changeset/65090 CVE-2010-3118 (The autosuggest feature in the Omnibox implementation in Google Chrome ...) - chromium-browser 5.0.375.127~r55887-1 - webkit (chromium specific) CVE-2010-3117 (Google Chrome before 5.0.375.127 does not properly implement the notif ...) - chromium-browser 5.0.375.127~r55887-1 - webkit (chromium specific) CVE-2010-3116 (Multiple use-after-free vulnerabilities in WebKit, as used in Apple Sa ...) - webkit 1.2.5-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.127~r55887-1 NOTE: http://trac.webkit.org/changeset/64293 NOTE: https://bugs.webkit.org/show_bug.cgi?id=43147 NOTE: https://bugs.webkit.org/show_bug.cgi?id=43888 NOTE: http://trac.webkit.org/changeset/65280 vulnerable code not present in 1.2 series CVE-2010-3115 (Google Chrome before 5.0.375.127, and webkitgtk before 1.2.6, does not ...) - webkit 1.2.5-1 (bug #599830) [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.127~r55887-1 NOTE: http://trac.webkit.org/changeset/63925 NOTE: http://trac.webkit.org/changeset/64077 NOTE: only partially fixed: only 64077 applied in 1.2.4-1 CVE-2010-3114 (The text-editing implementation in Google Chrome before 5.0.375.127, a ...) - webkit 1.2.4-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.127~r55887-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=42655 NOTE: http://trac.webkit.org/changeset/63773 CVE-2010-3113 (Google Chrome before 5.0.375.127, and webkitgtk before 1.2.5, does not ...) - webkit 1.2.5-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.127~r55887-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=42659 NOTE: http://trac.webkit.org/changeset/63865 CVE-2010-3112 (Google Chrome before 5.0.375.127 does not properly implement file dial ...) - webkit (chromium specific) - chromium-browser 5.0.375.127~r55887-1 CVE-2010-3111 (Google Chrome before 6.0.472.53 does not properly mitigate an unspecif ...) - chromium-browser 5.0.375.127~r55887-1 - webkit (chromium specific) CVE-2010-3110 (Multiple buffer overflows in the Novell Client novfs module for the Li ...) NOT-FOR-US: novfs kernel module (only included in SUSE it seems) CVE-2010-2948 (Stack-based buffer overflow in the bgp_route_refresh_receive function ...) {DSA-2104-1} - quagga 0.99.17-1 (bug #594262) CVE-2010-2949 (bgpd in Quagga before 0.99.17 does not properly parse AS paths, which ...) {DSA-2104-1} - quagga 0.99.17-1 (bug #594262) CVE-2010-3109 (Stack-based buffer overflow in the browser plugin in Novell iPrint Cli ...) NOT-FOR-US: browser plugin in Novell iPrint Client CVE-2010-3108 (Buffer overflow in the browser plugin in Novell iPrint Client before 5 ...) NOT-FOR-US: browser plugin in Novell iPrint Client CVE-2010-3107 (A certain ActiveX control in ienipp.ocx in the browser plugin in Novel ...) NOT-FOR-US: browser plugin in Novell iPrint Client CVE-2010-3106 (The ienipp.ocx ActiveX control in the browser plugin in Novell iPrint ...) NOT-FOR-US: browser plugin in Novell iPrint Client CVE-2010-3105 (The PluginGetDriverFile function in Novell iPrint Client before 5.44 i ...) NOT-FOR-US: browser plugin in Novell iPrint Client CVE-2010-3104 (Directory traversal vulnerability in DeskShare AutoFTP Manager 4.31, a ...) NOT-FOR-US: DeskShare AutoFTP Manager CVE-2010-3103 (Directory traversal vulnerability in FTPGetter Team FTPGetter 3.51.0.0 ...) NOT-FOR-US: FTPGetter CVE-2010-3102 (Directory traversal vulnerability in SiteDesigner Technologies, Inc. 3 ...) NOT-FOR-US: SiteDesigner Technologies CVE-2010-3101 (Directory traversal vulnerability in FTPx Corp FTP Explorer 10.5.19.1 ...) NOT-FOR-US: FTPx Corp FTP Explorer CVE-2010-3100 (Directory traversal vulnerability in Porta+ FTP Client 4.1, and possib ...) NOT-FOR-US: Porta+ FTP Client CVE-2010-3099 (Directory traversal vulnerability in SmartSoft Ltd SmartFTP Client 4.0 ...) NOT-FOR-US: SmartSoft Ltd SmartFTP CVE-2010-3098 (Directory traversal vulnerability in IoRush Software FTP Rush 1.1.3 an ...) NOT-FOR-US: IoRush Software FTP Rush CVE-2010-3097 (Directory traversal vulnerability in WinFrigate Frigate 3 FTP client 3 ...) NOT-FOR-US: WinFrigate Frigate 3 FTP CVE-2010-3096 (Directory traversal vulnerability in SoftX FTP Client 3.3 and possibly ...) NOT-FOR-US: SoftX FTP Client 3.3 CVE-2010-3095 (mailscanner before 4.79.11-2.1 might allow local users to overwrite ar ...) - mailscanner 4.79.11-2.1 (bug #596403) CVE-2010-3094 (Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x befo ...) {DSA-2113-1} - drupal6 6.18-1 (low; bug #592716) CVE-2010-3093 (The comment module in Drupal 5.x before 5.23 and 6.x before 6.18 allow ...) {DSA-2113-1} - drupal6 6.18-1 (low; bug #592716) CVE-2010-3092 (The upload module in Drupal 5.x before 5.23 and 6.x before 6.18 does n ...) {DSA-2113-1} - drupal6 6.18-1 (low; bug #592716) CVE-2010-3091 (The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x ...) {DSA-2113-1} - drupal6 6.18-1 (low; bug #592716) CVE-2010-3090 REJECTED CVE-2010-3089 (Multiple cross-site scripting (XSS) vulnerabilities in GNU Mailman bef ...) {DSA-2170-1} - mailman 1:2.1.13-4.1 (bug #599833) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id={631881,631859} CVE-2010-3088 (The notify function in pidgin-knotify.c in the pidgin-knotify plugin 0 ...) NOT-FOR-US: Knotify plugin for Pidgin CVE-2010-3087 (LibTIFF before 3.9.2-5.2.1 in SUSE openSUSE 11.3 allows remote attacke ...) - tiff 3.9.4-5 (bug #600188) - tiff3 (fixed before initial upload) [lenny] - tiff (Vulnerable code not present) CVE-2010-3086 (include/asm-x86/futex.h in the Linux kernel before 2.6.25 does not pro ...) - linux-2.6 2.6.25-1 CVE-2010-3085 (The network-play implementation in Mednafen before 0.8.D might allow r ...) - mednafen 0.8.D-1 (unimportant) NOTE: Extremely obscure attack vector, marking as unimportant CVE-2010-3084 (Buffer overflow in the niu_get_ethtool_tcam_all function in drivers/ne ...) - linux-2.6 2.6.32-25 [lenny] - linux-2.6 (vulnerable code introduced in 2.6.30) CVE-2010-3083 (sys/ssl/SslSocket.cpp in qpidd in Apache Qpid, as used in Red Hat Ente ...) - qpid-cpp (Fixed before initial upload to archive) CVE-2010-3082 (Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 ...) - python-django 1.2.3-1 (low; bug #596205) NOTE: http://www.djangoproject.com/weblog/2010/sep/08/security-release/ CVE-2010-3081 (The compat_alloc_user_space functions in include/asm/compat.h files in ...) {DSA-2110-1} - linux-2.6 2.6.32-23 (high) CVE-2010-3080 (Double free vulnerability in the snd_seq_oss_open function in sound/co ...) {DSA-2110-1} - linux-2.6 2.6.32-24 CVE-2010-3079 (kernel/trace/ftrace.c in the Linux kernel before 2.6.35.5, when debugf ...) - linux-2.6 2.6.32-24 [lenny] - linux-2.6 (Introduced in 2.6.30) CVE-2010-3078 (The xfs_ioc_fsgetxattr function in fs/xfs/linux-2.6/xfs_ioctl.c in the ...) {DSA-2110-1} - linux-2.6 2.6.32-24 CVE-2010-3077 (Cross-site scripting (XSS) vulnerability in util/icon_browser.php in t ...) {DSA-2278-1} - horde3 3.3.8+debian0-2 (bug #598582) NOTE: http://seclists.org/fulldisclosure/2010/Sep/82 CVE-2010-3076 (The filter function in php/src/include.php in Simple Management for BI ...) {DSA-2103-1} - smbind 0.4.7-5 (high) NOTE: http://packetstormsecurity.org/1009-exploits/smbind-sql.txt CVE-2010-3075 (EncFS before 1.7.0 encrypts multiple blocks by means of the CFB cipher ...) - encfs 1.7.2-1 (bug #595998) [lenny] - encfs (Not backportable, breaks backwards-compatibility) CVE-2010-3074 (SSL_Cipher.cpp in EncFS before 1.7.0 uses an improper combination of a ...) - encfs 1.7.2-1 (bug #595998) [lenny] - encfs (Minor issue) CVE-2010-3073 (SSL_Cipher.cpp in EncFS before 1.7.0 does not properly handle integer ...) - encfs 1.7.2-1 (bug #595998) [lenny] - encfs (Minor issue) CVE-2010-3072 (The string-comparison functions in String.cci in Squid 3.x before 3.1. ...) {DSA-2111-1} - squid3 3.1.6-1.1 (bug #596086; low) - squid (Only affects 3.x) CVE-2010-3071 (bip before 0.8.6 allows remote attackers to cause a denial of service ...) - bip 0.8.6-1 (low; bug #595409) [lenny] - bip (vulnerable code ('LINK(lc)->name') not in 0.7.4-2) [squeeze] - bip 0.8.2-1squeeze2 CVE-2010-3070 (Cross-site scripting (XSS) vulnerability in NuSOAP 0.9.5, as used in M ...) - nusoap 0.7.3-4 (low; bug #595248) CVE-2010-3069 (Stack-based buffer overflow in the (1) sid_parse and (2) dom_sid_parse ...) {DSA-2109-1} - samba 2:3.5.5~dfsg-1 (bug #596891) CVE-2010-3068 REJECTED CVE-2010-3067 (Integer overflow in the do_io_submit function in fs/aio.c in the Linux ...) {DSA-2126-1} - linux-2.6 2.6.32-24 CVE-2010-3066 (The io_submit_one function in fs/aio.c in the Linux kernel before 2.6. ...) - linux-2.6 2.6.23-1 CVE-2010-3064 (Stack-based buffer overflow in the php_mysqlnd_auth_write function in ...) - php5 (unimportant) NOTE: mysqlnd not used in squeeze/sid CVE-2010-3063 (The php_mysqlnd_read_error_from_line function in the Mysqlnd extension ...) - php5 (unimportant) NOTE: mysqlnd not used in squeeze/sid CVE-2010-3062 (mysqlnd_wireprotocol.c in the Mysqlnd extension in PHP 5.3 through 5.3 ...) - php5 (unimportant) NOTE: mysqlnd not used in squeeze/sid CVE-2010-3061 (Unspecified vulnerability in the message-protocol implementation in th ...) NOT-FOR-US: Tivoli CVE-2010-3060 (Unspecified vulnerability in the message-protocol implementation in th ...) NOT-FOR-US: Tivoli CVE-2010-3059 (Buffer overflow in the message-protocol implementation in the Server i ...) NOT-FOR-US: Tivoli CVE-2010-3058 (The Mount service in IBM Tivoli Storage Manager (TSM) FastBack 5.x.x b ...) NOT-FOR-US: Tivoli CVE-2010-3065 (The default session serializer in PHP 5.2 through 5.2.13 and 5.3 throu ...) {DSA-2089-1} - php5 5.3.3-1 CVE-2010-3057 RESERVED CVE-2010-3054 (Unspecified vulnerability in FreeType 2.3.9, and other versions before ...) - freetype 2.4.2-1 (unimportant) CVE-2010-3053 (bdf/bdflib.c in FreeType before 2.4.2 allows remote attackers to cause ...) {DSA-2105-1} - freetype 2.4.2-1 CVE-2010-3056 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 2.11 ...) {DSA-2097-2 DSA-2097-1} - phpmyadmin 4:3.3.5.1-1 NOTE: https://www.phpmyadmin.net/security/PMASA-2010-5/ CVE-2010-3055 (The configuration setup script (aka scripts/setup.php) in phpMyAdmin 2 ...) {DSA-2097-2 DSA-2097-1} - phpmyadmin 4:3.0.0 NOTE: Affects only 2.x branch CVE-2010-3052 RESERVED CVE-2010-3051 RESERVED CVE-2010-3050 (Cisco IOS before 12.2(33)SXI allows remote authenticated users to caus ...) NOT-FOR-US: Cisco CVE-2010-3049 (Cisco IOS before 12.2(33)SXI allows local users to cause a denial of s ...) NOT-FOR-US: Cisco CVE-2010-3048 (Cisco Unified Personal Communicator 7.0 (1.13056) does not free alloca ...) NOT-FOR-US: Cisco CVE-2010-3047 RESERVED CVE-2010-3046 RESERVED CVE-2010-3045 RESERVED CVE-2010-3044 (Multiple buffer overflows in the Cisco WebEx Recording Format (WRF) an ...) NOT-FOR-US: Cisco WebEx CVE-2010-3043 (Multiple buffer overflows in the Cisco WebEx Recording Format (WRF) an ...) NOT-FOR-US: Cisco WebEx CVE-2010-3042 (Multiple buffer overflows in the Cisco WebEx Recording Format (WRF) an ...) NOT-FOR-US: Cisco WebEx CVE-2010-3041 (Multiple buffer overflows in the Cisco WebEx Recording Format (WRF) an ...) NOT-FOR-US: Cisco WebEx CVE-2010-3040 (Multiple stack-based buffer overflows in agent.exe in Setup Manager in ...) NOT-FOR-US: Cisco Intelligent Contact Manager CVE-2010-3039 (/usr/local/cm/bin/pktCap_protectData in Cisco Unified Communications M ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2010-3038 (Cisco Unified Videoconferencing (UVC) System 5110 and 5115, when the L ...) NOT-FOR-US: Cisco Unified Videoconferencing CVE-2010-3037 (goform/websXMLAdminRequestCgi.cgi in Cisco Unified Videoconferencing ( ...) NOT-FOR-US: Cisco Unified Videoconferencing CVE-2010-3036 (Multiple buffer overflows in the authentication functionality in the w ...) NOT-FOR-US: Cisco CVE-2010-3035 (Cisco IOS XR 3.4.0 through 3.9.1, when BGP is enabled, does not proper ...) NOT-FOR-US: Cisco IOS XR CVE-2010-3034 (Cisco Wireless LAN Controller (WLC) software, possibly 6.0.x or possib ...) NOT-FOR-US: Cisco CVE-2010-3033 (Cisco Wireless LAN Controller (WLC) software, possibly 4.2 through 6.0 ...) NOT-FOR-US: Cisco CVE-2010-3032 (Integer overflow in the OBGIOPServerWorker::extractHeader function in ...) NOT-FOR-US: SAP Crystal Reports 2008 CVE-2010-3031 (Buffer overflow in Wyse ThinOS HF 4.4.079i, and possibly other version ...) NOT-FOR-US: Wyse ThinOS CVE-2010-3030 (Cross-site request forgery (CSRF) vulnerability in Tomaz Muraus Open B ...) NOT-FOR-US: Tomaz Muraus Open Blog CVE-2010-3029 (SQL injection vulnerability in statistics.php in PHPKick 0.8 allows re ...) NOT-FOR-US: PHPKick CVE-2010-3028 (The Aardvertiser component before 2.2.1 for Joomla! uses insecure perm ...) NOT-FOR-US: Joomla! CVE-2010-3027 (SQL injection vulnerability in index.php in Tycoon Baseball Script 1.0 ...) NOT-FOR-US: Tycoon Baseball Script CVE-2010-3026 (Cross-site request forgery (CSRF) vulnerability in application/modules ...) NOT-FOR-US: Tomaz Muraus Open Blog CVE-2010-3025 (Multiple cross-site scripting (XSS) vulnerabilities in Tomaz Muraus Op ...) NOT-FOR-US: Tomaz Muraus Open Blog CVE-2010-3024 (Multiple cross-site request forgery (CSRF) vulnerabilities in user/mai ...) NOT-FOR-US: DiamondList CVE-2010-3023 (Multiple cross-site scripting (XSS) vulnerabilities in DiamondList 0.1 ...) NOT-FOR-US: DiamondList CVE-2010-3022 (Cross-site scripting (XSS) vulnerability in the Performance logging mo ...) NOT-FOR-US: Drupal Addon CVE-2010-3021 (Unspecified vulnerability in Opera before 10.61 allows remote attacker ...) NOT-FOR-US: Opera CVE-2010-3020 (The news-feed preview feature in Opera before 10.61 does not properly ...) NOT-FOR-US: Opera CVE-2010-3019 (Heap-based buffer overflow in Opera before 10.61 allows remote attacke ...) NOT-FOR-US: Opera CVE-2010-3018 (RSA Access Manager Server 5.5.3 before 5.5.3.172, 6.0.4 before 6.0.4.5 ...) NOT-FOR-US: RSA Access Manager CVE-2010-3017 (Unspecified vulnerability in RSA Access Manager Agent 4.7.1 before 4.7 ...) NOT-FOR-US: RSA Access Manager CVE-2010-3016 REJECTED CVE-2010-3013 (SQL injection vulnerability in groupadmin.php in Pligg before 1.1.1 al ...) NOT-FOR-US: Pligg CVE-2010-3012 (Cross-site scripting (XSS) vulnerability in HP System Management Homep ...) NOT-FOR-US: HP System Management Homepage CVE-2010-3011 (CRLF injection vulnerability in HP System Management Homepage (SMH) be ...) NOT-FOR-US: HP System Management Homepage CVE-2010-3010 (Cross-site scripting (XSS) vulnerability on the HP 3Com OfficeConnect ...) NOT-FOR-US: HP 3Com OfficeConnect CVE-2010-3009 (Unspecified vulnerability in HP System Management Homepage (SMH) for L ...) NOT-FOR-US: HP System Management Homepage CVE-2010-3008 (Unspecified vulnerability in HP Data Protector Express, and Data Prote ...) NOT-FOR-US: HP Data Protector Express CVE-2010-3007 (Unspecified vulnerability in HP Data Protector Express, and Data Prote ...) NOT-FOR-US: HP Data Protector Express CVE-2010-3006 (Unspecified vulnerability on the HP ProLiant G6 Lights-Out 100 Remote ...) NOT-FOR-US: HP ProLiant G6 Lights-Out CVE-2010-3005 (Unspecified vulnerability in HP Operations Agent 7.36 and 8.6 on Windo ...) NOT-FOR-US: HP Operations Agents CVE-2010-3004 (Unspecified vulnerability in HP Operations Agent 7.36 and 8.6 on Windo ...) NOT-FOR-US: HP Operations Agents CVE-2010-3003 (Cross-site scripting (XSS) vulnerability in HP Insight Diagnostics Onl ...) NOT-FOR-US: HP Insight Diagnostics Online Edition CVE-2010-3002 (Unspecified vulnerability in RealNetworks RealPlayer 11.0 through 11.1 ...) NOT-FOR-US: RealPlayer CVE-2010-3001 (Unspecified vulnerability in an ActiveX control in the Internet Explor ...) NOT-FOR-US: Internet Explorer CVE-2010-3000 (Multiple integer overflows in the ParseKnownType function in RealNetwo ...) NOT-FOR-US: RealPlayer CVE-2010-2999 (Integer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPla ...) NOT-FOR-US: RealPlayer CVE-2010-2998 (Array index error in RealNetworks RealPlayer 11.0 through 11.1 and Rea ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2010-2997 (Use-after-free vulnerability in RealNetworks RealPlayer 11.0 through 1 ...) NOT-FOR-US: RealPlayer CVE-2010-2996 (Array index error in RealNetworks RealPlayer 11.0 through 11.1 on Wind ...) NOT-FOR-US: RealPlayer CVE-2010-2991 (The IICAClient interface in the ICAClient library in the ICA Client Ac ...) NOT-FOR-US: Citrix ICA Client CVE-2010-2990 (Citrix Online Plug-in for Windows for XenApp & XenDesktop before 1 ...) NOT-FOR-US: Citrix ICA Client CVE-2010-2989 (nessusd_www_server.nbin in the Nessus Web Server plugin 1.2.4 for Ness ...) NOT-FOR-US: Nessus CVE-2010-2988 (Cross-site scripting (XSS) vulnerability in Cisco Unified Wireless Net ...) NOT-FOR-US: Cisco CVE-2010-2987 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco Wireless ...) NOT-FOR-US: Cisco CVE-2010-2986 (Cross-site scripting (XSS) vulnerability in webacs/QuickSearchAction.d ...) NOT-FOR-US: Cisco CVE-2010-2985 (Multiple cross-site scripting (XSS) vulnerabilities in IBM WebSphere S ...) NOT-FOR-US: IBM WebSphere CVE-2010-2984 (Cisco Unified Wireless Network (UWN) Solution 7.x before 7.0.98.0 on 4 ...) NOT-FOR-US: Cisco CVE-2010-2983 (The workgroup bridge (aka WGB) functionality in Cisco Unified Wireless ...) NOT-FOR-US: Cisco CVE-2010-2982 (Cisco Unified Wireless Network (UWN) Solution 7.x before 7.0.98.0 allo ...) NOT-FOR-US: Cisco CVE-2010-2981 (Cisco Unified Wireless Network (UWN) Solution 7.x before 7.0.98.0 allo ...) NOT-FOR-US: Cisco CVE-2010-2980 (Cisco Unified Wireless Network (UWN) Solution 7.x before 7.0.98.0 on 5 ...) NOT-FOR-US: Cisco CVE-2010-2979 (Cisco Unified Wireless Network (UWN) Solution 7.x before 7.0.98.0 on 5 ...) NOT-FOR-US: Cisco CVE-2010-2978 (Cisco Unified Wireless Network (UWN) Solution 7.x before 7.0.98.0 does ...) NOT-FOR-US: Cisco CVE-2010-2977 (Cisco Unified Wireless Network (UWN) Solution 7.x before 7.0.98.0 does ...) NOT-FOR-US: Cisco CVE-2010-2976 (The controller in Cisco Unified Wireless Network (UWN) Solution 7.x th ...) NOT-FOR-US: Cisco CVE-2010-2975 (Cisco Unified Wireless Network (UWN) Solution 7.x through 7.0.98.0 doe ...) NOT-FOR-US: Cisco CVE-2010-2974 (Stack-based buffer overflow in the IConfigurationAccess interface in t ...) NOT-FOR-US: Wonderware Application Server CVE-2010-2973 (Integer overflow in IOSurface in Apple iOS before 4.0.2 on the iPhone ...) NOT-FOR-US: Apple CVE-2010-2972 REJECTED CVE-2008-7260 RESERVED CVE-2008-7259 RESERVED CVE-2010-3014 (The Coda filesystem kernel module, as used in NetBSD and FreeBSD, when ...) - kfreebsd-7 - kfreebsd-8 8.1-5 - kfreebsd-9 (fixed prior to first upload) - kfreebsd-10 (fixed prior to first upload) CVE-2010-3015 (Integer overflow in the ext4_ext_get_blocks function in fs/ext4/extent ...) {DSA-2094-1} - linux-2.6 2.6.32-22 CVE-2010-2995 (The SigComp Universal Decompressor Virtual Machine (UDVM) in Wireshark ...) {DSA-2101-1} - wireshark 1.2.10-1 CVE-2010-2992 (packet-gsm_a_rr.c in the GSM A RR dissector in Wireshark 1.2.2 through ...) - wireshark 1.2.10-1 [lenny] - wireshark (Only affects 1.2.x) CVE-2010-2994 (Stack-based buffer overflow in the ASN.1 BER dissector in Wireshark 0. ...) {DSA-2101-1} - wireshark 1.2.10-1 CVE-2010-2993 (The IPMI dissector in Wireshark 1.2.0 through 1.2.9 allows remote atta ...) - wireshark 1.2.10-1 [lenny] - wireshark (Only affects 1.2.x) CVE-2010-2971 (loaders/load_it.c in libmikmod, possibly 3.1.12, does not properly acc ...) {DSA-2081-1} - libmikmod 3.1.11-6.3 CVE-2010-2970 (Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.9.x ...) - moin 1.9.3-1 (low) CVE-2010-2969 (Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.7.3 ...) - moin 1.9.3-1 CVE-2010-2968 (The FTP daemon in Wind River VxWorks does not close the TCP connection ...) NOT-FOR-US: vxworks CVE-2010-2967 (The loginDefaultEncrypt algorithm in loginLib in Wind River VxWorks be ...) NOT-FOR-US: vxworks CVE-2010-2966 (The INCLUDE_SECURITY functionality in Wind River VxWorks 6.x, 5.x, and ...) NOT-FOR-US: vxworks CVE-2010-2965 (The WDB target agent debug service in Wind River VxWorks 6.x, 5.x, and ...) NOT-FOR-US: vxworks CVE-2010-2964 RESERVED CVE-2010-2963 (drivers/media/video/v4l2-compat-ioctl32.c in the Video4Linux (V4L) imp ...) {DSA-2126-1} - linux-2.6 2.6.32-26 CVE-2010-2962 (drivers/gpu/drm/i915/i915_gem.c in the Graphics Execution Manager (GEM ...) - linux-2.6 2.6.32-25 [lenny] - linux-2.6 (Vulnerable code not present) CVE-2010-2961 (mountall.c in mountall before 2.15.2 uses 0666 permissions for the roo ...) NOT-FOR-US: mountall CVE-2010-2960 (The keyctl_session_to_parent function in security/keys/keyctl.c in the ...) - linux-2.6 2.6.32-23 [lenny] - linux-2.6 (vulnerable code introduced in 2.6.32) CVE-2010-2959 (Integer overflow in net/can/bcm.c in the Controller Area Network (CAN) ...) {DSA-2094-1} - linux-2.6 2.6.32-20 CVE-2010-2958 (Cross-site scripting (XSS) vulnerability in libraries/Error.class.php ...) - phpmyadmin 4:3.3.6-1 [lenny] - phpmyadmin (only affects 3.x) NOTE: https://www.phpmyadmin.net/security/PMASA-2010-6/ CVE-2010-2957 (Cross-site scripting (XSS) vulnerability in Serendipity before 1.5.4, ...) - serendipity 1.5.3-2 (bug #594905) CVE-2010-2956 (Sudo 1.7.0 through 1.7.4p3, when a Runas group is configured, does not ...) - sudo 1.7.4p4-1 (bug #595935) [lenny] - sudo (Only affects 1.7.x) NOTE: http://www.sudo.ws/sudo/alerts/runas_group.html CVE-2010-2955 (The cfg80211_wext_giwessid function in net/wireless/wext-compat.c in t ...) - linux-2.6 2.6.32-23 CVE-2010-2954 (The irda_bind function in net/irda/af_irda.c in the Linux kernel befor ...) {DSA-2110-1} - linux-2.6 2.6.32-22 CVE-2010-2953 (Untrusted search path vulnerability in a certain Debian GNU/Linux patc ...) {DSA-2107-1} - couchdb 0.11.0-1 (low; bug #594412) CVE-2010-2952 (Apache Traffic Server before 2.0.1, and 2.1.x before 2.1.2-unstable, d ...) - trafficserver (Fixed before initial release) CVE-2010-2951 (dns_internal.cc in Squid 3.1.6, when IPv6 DNS resolution is not enable ...) - squid3 3.1.6-1.2 (bug #599709) [lenny] - squid3 (vulnerable code introduced in 3.1.6) NOTE: http://marc.info/?l=squid-users&m=128263555724981&w=2 CVE-2010-2950 (Format string vulnerability in stream.c in the phar extension in PHP 5 ...) - php5 5.3.3-2 (low) [lenny] - php5 (phar extension introduced in 5.3) CVE-2010-2947 (Heap-based buffer overflow in the HX_split function in string.c in lib ...) - libhx 3.5-2 (low; bug #594393) [lenny] - libhx (Minor issue, asked maintainer to fix through spu) CVE-2010-2946 (fs/jfs/xattr.c in the Linux kernel before 2.6.35.2 does not properly h ...) - linux-2.6 2.6.32-21 [lenny] - linux-2.6 2.6.26-25 CVE-2010-2945 (The default configuration of SLiM before 1.3.2 places ./ (dot slash) a ...) - slim 1.3.1-7 (low; bug #594414) [lenny] - slim 1.3.0-1+lenny3 CVE-2010-2944 (The authenticate function in LDAPUserFolder/LDAPUserFolder.py in zope- ...) {DSA-2096-1} - zope-ldapuserfolder (high; bug #593466) CVE-2010-2943 (The xfs implementation in the Linux kernel before 2.6.35 does not look ...) - linux-2.6 2.6.37-1 [wheezy] - linux-2.6 2.6.32-31 [squeeze] - linux-2.6 2.6.32-31 [lenny] - linux-2.6 (test case fails on 2.6.26) CVE-2010-2942 (The actions implementation in the network queueing functionality in th ...) - linux-2.6 2.6.32-25 [lenny] - linux-2.6 2.6.26-25 CVE-2010-2941 (ipp.c in cupsd in CUPS 1.4.4 and earlier does not properly allocate me ...) {DSA-2176-1} - cups 1.4.4-7 (bug #603344) CVE-2010-2940 (The auth_send function in providers/ldap/ldap_auth.c in System Securit ...) - sssd 1.2.1-4 (bug #594413) CVE-2010-2939 (Double free vulnerability in the ssl3_get_key_exchange function in the ...) {DSA-2100-1} - openssl 0.9.8o-2 (low; bug #594415) CVE-2010-2938 (arch/x86/hvm/vmx/vmcs.c in the virtual-machine control structure (VMCS ...) - linux-2.6 (affected code not present in any of the released kernels; only affects xen package itself) - xen 4.0.1-1 NOTE: probably fixed well before this version, but this is the one i checked and its fixed CVE-2010-2937 (The ReadMetaFromId3v2 function in taglib.cpp in the TagLib plugin in V ...) - vlc 1.1.3-1 [lenny] - vlc (Vulnerable code not present) CVE-2010-2936 (Integer overflow in simpress.bin in the Impress module in OpenOffice.o ...) {DSA-2099-1} - openoffice.org 1:3.2.1-6 CVE-2010-2935 (simpress.bin in the Impress module in OpenOffice.org (OOo) 2.x and 3.x ...) {DSA-2099-1} - openoffice.org 1:3.2.1-6 CVE-2010-2934 (Multiple unspecified vulnerabilities in ZNC 0.092 allow remote attacke ...) - znc 0.092-2 (unimportant; bug #599708) CVE-2010-2933 (SQL injection vulnerability in AV Scripts AV Arcade 3 allows remote at ...) NOT-FOR-US: AV Arcade CVE-2010-2932 (Buffer overflow in BarCodeWiz BarCode 3.29 ActiveX control (BarcodeWiz ...) NOT-FOR-US: BarCodeWiz BarCode CVE-2010-2931 (Stack-based buffer overflow in SigPlus Pro 3.74 ActiveX control allows ...) NOT-FOR-US: SigPlus Pro activex control CVE-2010-2930 (Multiple stack-based buffer overflows in hsolinkcontrol in hsolink 1.0 ...) - hsolink CVE-2010-2929 (Untrusted search path vulnerability in hsolinkcontrol in hsolink 1.0.1 ...) - hsolink CVE-2010-2928 (The vCenter Tomcat Management Application in VMware vCenter Server 4.1 ...) NOT-FOR-US: VMware vCenter Server CVE-2010-2927 (The slapi_printmessage function in IBM Tivoli Directory Server (ITDS) ...) NOT-FOR-US: Tivoli CVE-2009-4976 (Cross-site scripting (XSS) vulnerability in webkitpart.cpp in kwebkitp ...) - webkitkde 0.4svn1059630-1 CVE-2009-4975 (Cross-site scripting (XSS) vulnerability in webview.cpp in QtDemoBrows ...) - rekonq 0.5.0-1 CVE-2010-2926 (SQL injection vulnerability in index.php in sNews 1.7 allows remote at ...) NOT-FOR-US: sNews CMS CVE-2010-2925 (SQL injection vulnerability in index.php in Freeway CMS 1.4.3.210 allo ...) NOT-FOR-US: OpenFreeway CVE-2010-2924 (SQL injection vulnerability in myLDlinker.php in the myLinksDump Plugi ...) NOT-FOR-US: myLinksDump WordPress plugin CVE-2010-2923 (SQL injection vulnerability in the YouTube (com_youtube) component 1.5 ...) NOT-FOR-US: com_youtube Joomla extension CVE-2010-2922 (SQL injection vulnerability in default.asp in AKY Blog allows remote a ...) NOT-FOR-US: Aspindir AKY Blog CVE-2010-2921 (SQL injection vulnerability in the Golf Course Guide (com_golfcoursegu ...) NOT-FOR-US: Joomla Component com_golfcourseguide CVE-2010-2920 (Directory traversal vulnerability in the Foobla Suggestions (com_foobl ...) NOT-FOR-US: Joomla Component Foobla Suggestions CVE-2010-2919 (SQL injection vulnerability in the StaticXT (com_staticxt) component f ...) NOT-FOR-US: Joomla Component StaticXT CVE-2010-2918 (PHP remote file inclusion vulnerability in core/include/myMailer.class ...) NOT-FOR-US: Joomla Component Visites CVE-2010-2917 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in AJ ...) NOT-FOR-US: AJ square CVE-2010-2916 (SQL injection vulnerability in news.php in AJ Square AJ HYIP MERIDIAN ...) NOT-FOR-US: AJ square CVE-2010-2915 (SQL injection vulnerability in welcome.php in AJ Square AJ HYIP PRIME ...) NOT-FOR-US: AJ square CVE-2010-2914 (Cross-site scripting (XSS) vulnerability in nessusd_www_server.nbin in ...) NOT-FOR-US: Nessus plugin CVE-2010-2913 (The Citibank Citi Mobile app before 2.0.3 for iOS stores account data ...) NOT-FOR-US: Citibank Citi Mobile app CVE-2010-2912 (SQL injection vulnerability in index.php in Kayako eSupport 3.70.02 al ...) NOT-FOR-US: Kayako eSupport CVE-2010-2911 (SQL injection vulnerability in index.php in Kayako eSupport 3.70.02 al ...) NOT-FOR-US: Kayako eSupport CVE-2010-2910 (SQL injection vulnerability in the Ozio Gallery (com_oziogallery) comp ...) NOT-FOR-US: Ozio Gallery CVE-2010-2909 (SQL injection vulnerability in ttvideo.php in the TTVideo (com_ttvideo ...) NOT-FOR-US: Joomla addon CVE-2010-2908 (SQL injection vulnerability in the Joomdle (com_joomdle) component 0.2 ...) NOT-FOR-US: Joomla addon CVE-2010-2907 (SQL injection vulnerability in the Huru Helpdesk (com_huruhelpdesk) co ...) NOT-FOR-US: Joomla addon CVE-2010-2906 (SQL injection vulnerability in articlesdetails.php in ScriptsFeed and ...) NOT-FOR-US: ScriptsFeed / BrotherScripts CVE-2010-2905 (SQL injection vulnerability in info.php in ScriptsFeed and BrotherScri ...) NOT-FOR-US: ScriptsFeed / BrotherScripts CVE-2010-2904 (Multiple cross-site scripting (XSS) vulnerabilities in the System Land ...) NOT-FOR-US: System Landscape Directory CVE-2010-2903 (Google Chrome before 5.0.375.125 performs unexpected truncation and im ...) - webkit (Chromium specific issue) - chromium-browser 5.0.375.125~r53311-1 CVE-2010-2902 (The SVG implementation in Google Chrome before 5.0.375.125 allows remo ...) - webkit 1.2.4-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.125~r53311-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=41621 NOTE: http://trac.webkit.org/changeset/62662 NOTE: duplicate of cve-2010-1793 CVE-2010-2901 (The rendering implementation in Google Chrome before 5.0.375.125 allow ...) {DSA-2188-1} - webkit 1.2.5-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.125~r53311-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=41373 NOTE: http://trac.webkit.org/changeset/63048 CVE-2010-2900 (Google Chrome before 5.0.375.125 does not properly handle a large canv ...) - webkit 1.2.5-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.125~r53311-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=41962 NOTE: http://trac.webkit.org/changeset/63219 CVE-2010-2899 (Unspecified vulnerability in the layout implementation in Google Chrom ...) - webkit 1.2.4-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.125~r53311-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=38977 NOTE: http://trac.webkit.org/changeset/62134 CVE-2010-2898 (Google Chrome before 5.0.375.125 does not properly mitigate an unspeci ...) - webkit (chromium specific issue) - chromium-browser 5.0.375.125~r53311-1 CVE-2010-2897 (Google Chrome before 5.0.375.125 does not properly mitigate an unspeci ...) - webkit (chromium specific issue) - chromium-browser 5.0.375.125~r53311-1 CVE-2010-2896 (IBM FileNet Content Manager (CM) 4.0.0, 4.0.1, 4.5.0, and 4.5.1 before ...) NOT-FOR-US: IBM FileNet Content Manager CVE-2010-XXXX [flaw that allows unsigned code to access any file on the machine (accessible to the user) and write to it.] - openjdk-6 6b18-1.8.1-1 CVE-2010-XXXX [flaw in NetX that allows arbitrary unsigned apps to set any java property] - openjdk-6 6b18-1.8.1-1 CVE-2010-2895 RESERVED CVE-2010-2894 RESERVED CVE-2010-2893 RESERVED CVE-2010-2892 (gsb/drivers.php in LANDesk Management Gateway 4.0 through 4.0-1.48 and ...) NOT-FOR-US: LANDesk Management Gateway CVE-2010-2891 (Buffer overflow in the smiGetNode function in lib/smi.c in libsmi 0.4. ...) {DSA-2145-1} - libsmi 0.4.8+dfsg2-3 CVE-2010-2890 (Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windo ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2010-2889 (Unspecified vulnerability in Adobe Reader and Acrobat 9.x before 9.4, ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2010-2888 (Multiple unspecified vulnerabilities in an ActiveX control in Adobe Re ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2010-2887 (Multiple unspecified vulnerabilities in Adobe Reader and Acrobat 9.x b ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2010-2886 (Multiple cross-site scripting (XSS) vulnerabilities in Adobe RoboHelp ...) NOT-FOR-US: Adobe RoboHelp CVE-2010-2885 (Cross-site scripting (XSS) vulnerability in Adobe RoboHelp 7 and 8, an ...) NOT-FOR-US: Adobe RoboHelp CVE-2010-2884 (Adobe Flash Player 10.1.82.76 and earlier on Windows, Mac OS X, Linux, ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2883 (Stack-based buffer overflow in CoolType.dll in Adobe Reader and Acroba ...) NOT-FOR-US: Adobe Reader CVE-2010-2882 (DIRAPI.dll in Adobe Shockwave Player before 11.5.8.612 does not proper ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-2881 (IML32.dll in Adobe Shockwave Player before 11.5.8.612 does not properl ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-2880 (DIRAPI.dll in Adobe Shockwave Player before 11.5.8.612 does not proper ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-2879 (Multiple integer overflows in the allocator in the TextXtra.x32 module ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-2878 (DIRAPIX.dll in Adobe Shockwave Player before 11.5.8.612 does not prope ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-2877 (Adobe Shockwave Player before 11.5.8.612 does not properly validate a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-2876 (Adobe Shockwave Player before 11.5.8.612 does not properly validate va ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-2875 (Integer signedness error in Adobe Shockwave Player before 11.5.8.612 a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-2874 (Unspecified vulnerability in Adobe Shockwave Player before 11.5.8.612 ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-2873 (Adobe Shockwave Player before 11.5.8.612 does not properly validate of ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-2872 (Adobe Shockwave Player before 11.5.8.612 does not properly validate an ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-2871 (Integer overflow in the 3D object functionality in Adobe Shockwave Pla ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-2870 (DIRAPIX.dll in Adobe Shockwave Player before 11.5.8.612 does not prope ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-2869 (IML32.dll in Adobe Shockwave Player before 11.5.8.612 does not properl ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-2868 (IML32.dll in Adobe Shockwave Player before 11.5.8.612 does not properl ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-2867 (DIRAPIX.dll in Adobe Shockwave Player before 11.5.8.612 does not prope ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-2866 (Integer signedness error in the DIRAPI module in Adobe Shockwave Playe ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-2865 (Unspecified vulnerability in Adobe Shockwave Player before 11.5.8.612 ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-2864 (IML32.dll in Adobe Shockwave Player before 11.5.8.612 does not properl ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-2863 (Adobe Shockwave Player before 11.5.8.612 allows attackers to cause a d ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-2862 (Integer overflow in CoolType.dll in Adobe Reader 8.2.3 and 9.3.3, and ...) NOT-FOR-US: Adobe Reader CVE-2010-2861 (Multiple directory traversal vulnerabilities in the administrator cons ...) NOT-FOR-US: Adobe ColdFusion CVE-2010-2860 (The EMC Celerra Network Attached Storage (NAS) appliance accepts exter ...) NOT-FOR-US: EMC CVE-2009-4974 (Directory traversal vulnerability in box_display.php in TotalCalendar ...) NOT-FOR-US: TotalCalendar CVE-2009-4973 (SQL injection vulnerability in rss.php in TotalCalendar 2.4 allows rem ...) NOT-FOR-US: TotalCalendar CVE-2009-4972 (Cross-site scripting (XSS) vulnerability in index.php (aka the log in ...) NOT-FOR-US: SimpleID CVE-2009-4971 (SQL injection vulnerability in the AJAX Chat (vjchat) extension before ...) NOT-FOR-US: AJAX Chat CVE-2009-4970 (SQL injection vulnerability in the t3m_affiliate extension 0.5.0 for T ...) NOT-FOR-US: TYPO3 addon CVE-2009-4969 (SQL injection vulnerability in the Solidbase Bannermanagement (SBbanne ...) NOT-FOR-US: TYPO3 addon CVE-2009-4968 (SQL injection vulnerability in the Event Registration (event_registr) ...) NOT-FOR-US: TYPO3 addon CVE-2009-4967 (SQL injection vulnerability in the Car (car) extension before 0.1.1 fo ...) NOT-FOR-US: TYPO3 addon CVE-2009-4966 (SQL injection vulnerability in the AST ZipCodeSearch (ast_addresszipse ...) NOT-FOR-US: TYPO3 addon CVE-2009-4965 (SQL injection vulnerability in the AIRware Lexicon (air_lexicon) exten ...) NOT-FOR-US: TYPO3 addon CVE-2009-4964 (Stack-based buffer overflow in KSP 2006 FINAL allows remote attackers ...) NOT-FOR-US: KSP CVE-2009-4963 (Cross-site scripting (XSS) vulnerability in the Commerce extension bef ...) NOT-FOR-US: TYPO3 addon CVE-2009-4962 (Stack-based buffer overflow in Fat Player 0.6b allows remote attackers ...) NOT-FOR-US: Fat Player CVE-2009-4961 (Lanai Core 0.6 allows remote attackers to obtain configuration informa ...) NOT-FOR-US: Lanai Core CVE-2009-4960 (Directory traversal vulnerability in modules/backup/download.php in La ...) NOT-FOR-US: Lanai Core CVE-2009-4959 (SQL injection vulnerability in the T3M E-Mail Marketing Tool (t3m) ext ...) NOT-FOR-US: T3M E-Mail Marketing Tool CVE-2009-4958 (SQL injection vulnerability in video.php in EMO Breeder Manager (aka E ...) NOT-FOR-US: EMO Breader Manager CVE-2010-2859 (news.php in SimpNews 2.47.3 and earlier allows remote attackers to obt ...) NOT-FOR-US: SimpNews CVE-2010-2858 (Multiple cross-site scripting (XSS) vulnerabilities in news.php in Sim ...) NOT-FOR-US: SimpNews CVE-2010-2857 (Directory traversal vulnerability in the Music Manager component for J ...) NOT-FOR-US: Joomla! Music Manager CVE-2010-2856 (Cross-site scripting (XSS) vulnerability in admin/currencies.php in os ...) NOT-FOR-US: osCSS CVE-2010-2855 (Multiple SQL injection vulnerabilities in modfile.php in Event Horizon ...) NOT-FOR-US: Event Horizon CVE-2010-2854 (Multiple cross-site scripting (XSS) vulnerabilities in modfile.php in ...) NOT-FOR-US: Event Horizon CVE-2010-2853 (SQL injection vulnerability in flashPlayer/playVideo.php in iScripts V ...) NOT-FOR-US: iScripts VisualCaster CVE-2010-2852 (Cross-site scripting (XSS) vulnerability in modules/headlines/magpiers ...) NOT-FOR-US: RunCMS CVE-2010-2851 (SQL injection vulnerability in the BookLibrary From Same Author (com_b ...) NOT-FOR-US: Joomla! BookLibrary From Same Author CVE-2010-2850 (Directory traversal vulnerability in productionnu2/fileuploader.php in ...) NOT-FOR-US: nuBuilder CVE-2010-2849 (Cross-site scripting (XSS) vulnerability in productionnu2/nuedit.php i ...) NOT-FOR-US: nuBuilder CVE-2010-2848 (Directory traversal vulnerability in assets/captcha/includes/alikon/pl ...) NOT-FOR-US: Joomla! ArtForms CVE-2010-2847 (Multiple SQL injection vulnerabilities in the InterJoomla ArtForms (co ...) NOT-FOR-US: Joomla! ArtForms CVE-2010-2846 (Cross-site scripting (XSS) vulnerability in the InterJoomla ArtForms ( ...) NOT-FOR-US: Joomla! ArtForms CVE-2010-2845 (SQL injection vulnerability in the QuickFAQ (com_quickfaq) component 1 ...) NOT-FOR-US: Joomla! QuickFAQ CVE-2010-2844 (Cross-site scripting (XSS) vulnerability in news_show.php in Newanz Ne ...) NOT-FOR-US: Newanz NewsOffice CVE-2010-2843 (Cisco Wireless LAN Controller (WLC) software, possibly 4.2 through 6.0 ...) NOT-FOR-US: Cisco WLC CVE-2010-2842 (Cisco Wireless LAN Controller (WLC) software, possibly 4.2 through 6.0 ...) NOT-FOR-US: Cisco WLC CVE-2010-2841 (Unspecified vulnerability in Cisco Wireless LAN Controller (WLC) softw ...) NOT-FOR-US: Cisco WLC CVE-2010-2840 (The Presence Engine (PE) service in Cisco Unified Presence 6.x before ...) NOT-FOR-US: Cisco CVE-2010-2839 (SIPD in Cisco Unified Presence 6.x before 6.0(7) and 7.x before 7.0(8) ...) NOT-FOR-US: Cisco CVE-2010-2838 (The SendCombinedStatusInfo implementation in Cisco Unified Communicati ...) NOT-FOR-US: Cisco CVE-2010-2837 (The SIPStationInit implementation in Cisco Unified Communications Mana ...) NOT-FOR-US: Cisco CVE-2010-2836 (Memory leak in the SSL VPN feature in Cisco IOS 12.4, 15.0, and 15.1, ...) NOT-FOR-US: Cisco CVE-2010-2835 (Cisco IOS 12.2 through 12.4 and 15.0 through 15.1, Cisco IOS XE 2.5.x ...) NOT-FOR-US: Cisco CVE-2010-2834 (Cisco IOS 12.2 through 12.4 and 15.0 through 15.1, Cisco IOS XE 2.5.x ...) NOT-FOR-US: Cisco CVE-2010-2833 (Unspecified vulnerability in the NAT for H.225.0 implementation in Cis ...) NOT-FOR-US: Cisco CVE-2010-2832 (Unspecified vulnerability in the NAT for H.323 implementation in Cisco ...) NOT-FOR-US: Cisco CVE-2010-2831 (Unspecified vulnerability in the NAT for SIP implementation in Cisco I ...) NOT-FOR-US: Cisco CVE-2010-2830 (The IGMPv3 implementation in Cisco IOS 12.2, 12.3, 12.4, and 15.0 and ...) NOT-FOR-US: Cisco CVE-2010-2829 (Unspecified vulnerability in the H.323 implementation in Cisco IOS 12. ...) NOT-FOR-US: Cisco CVE-2010-2828 (Unspecified vulnerability in the H.323 implementation in Cisco IOS 12. ...) NOT-FOR-US: Cisco CVE-2010-2827 (Cisco IOS 15.1(2)T allows remote attackers to cause a denial of servic ...) NOT-FOR-US: Cisco CVE-2010-2826 (SQL injection vulnerability in Cisco Wireless Control System (WCS) 6.0 ...) NOT-FOR-US: Cisco CVE-2010-2825 (Unspecified vulnerability in the SIP inspection feature on the Cisco A ...) NOT-FOR-US: Cisco CVE-2010-2824 (Unspecified vulnerability on the Cisco Application Control Engine (ACE ...) NOT-FOR-US: Cisco CVE-2010-2823 (Unspecified vulnerability in the deep packet inspection feature on the ...) NOT-FOR-US: Cisco CVE-2010-2822 (Unspecified vulnerability in the RTSP inspection feature on the Cisco ...) NOT-FOR-US: Cisco CVE-2010-2821 (Unspecified vulnerability on the Cisco Firewall Services Module (FWSM) ...) NOT-FOR-US: Cisco CVE-2010-2820 (Unspecified vulnerability in the SunRPC inspection feature on the Cisc ...) NOT-FOR-US: Cisco CVE-2010-2819 (Unspecified vulnerability in the SunRPC inspection feature on the Cisc ...) NOT-FOR-US: Cisco CVE-2010-2818 (Unspecified vulnerability in the SunRPC inspection feature on the Cisc ...) NOT-FOR-US: Cisco CVE-2010-2817 (Unspecified vulnerability in the IKE implementation on Cisco Adaptive ...) NOT-FOR-US: Cisco CVE-2010-2816 (Unspecified vulnerability in the SIP inspection feature on Cisco Adapt ...) NOT-FOR-US: Cisco CVE-2010-2815 (Unspecified vulnerability in the Transport Layer Security (TLS) implem ...) NOT-FOR-US: Cisco CVE-2010-2814 (Unspecified vulnerability in the Transport Layer Security (TLS) implem ...) NOT-FOR-US: Cisco CVE-2010-2813 (functions/imap_general.php in SquirrelMail before 1.4.21 does not prop ...) {DSA-2091-1} - squirrelmail 2:1.4.21-1 (low) [lenny] - squirrelmail (low-risk issue) CVE-2010-2812 (Client.cpp in ZNC 0.092 allows remote attackers to cause a denial of s ...) - znc 0.092-2 (unimportant; bug #599708) CVE-2010-2811 (Virtual Desktop Server Manager (VDSM) in Red Hat Enterprise Virtualiza ...) - vdsm (bug #668538) CVE-2010-2810 (Heap-based buffer overflow in the convert_to_idna function in WWW/Libr ...) - lynx-cur 2.8.8dev.5-1 (bug #594300) [lenny] - lynx-cur (Minor issue, exploit scenario really obscure) CVE-2010-2809 (The default configuration of the <Button2> binding in Uzbl befor ...) - uzbl 0.0.0~git.20100403-3 (bug #594301) CVE-2010-2808 (Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs. ...) {DSA-2105-1} - freetype 2.4.2-1 CVE-2010-2807 (FreeType before 2.4.2 uses incorrect integer data types during bounds ...) {DSA-2105-1} - freetype 2.4.2-1 CVE-2010-2806 (Array index error in the t42_parse_sfnts function in type42/t42parse.c ...) {DSA-2105-1} - freetype 2.4.2-1 CVE-2010-2805 (The FT_Stream_EnterFrame function in base/ftstream.c in FreeType befor ...) {DSA-2105-1} - freetype 2.4.2-1 CVE-2010-2804 RESERVED CVE-2010-2803 (The drm_ioctl function in drivers/gpu/drm/drm_drv.c in the Direct Rend ...) {DSA-2094-1} - linux-2.6 2.6.32-22 CVE-2010-2802 (Cross-site scripting (XSS) vulnerability in MantisBT before 1.2.2 allo ...) - mantis (vulnerable code introduced in 1.2.x) NOTE: http://www.mantisbt.org/bugs/view.php?id=11952 CVE-2010-2801 (Integer signedness error in the Quantum decompressor in cabextract bef ...) {DSA-2087-1} - cabextract 1.3-1 (bug #591552) CVE-2010-2800 (The MS-ZIP decompressor in cabextract before 1.3 allows remote attacke ...) - cabextract 1.3-1 (bug #591552; unimportant) CVE-2010-2799 (Stack-based buffer overflow in the nestlex function in nestlex.c in So ...) {DSA-2090-1} - socat 1.7.1.3-1 (bug #591443; medium) CVE-2010-2798 (The gfs2_dirent_find_space function in fs/gfs2/dir.c in the Linux kern ...) {DSA-2094-1} - linux-2.6 2.6.32-20 CVE-2010-2797 (Directory traversal vulnerability in lib/translation.functions.php in ...) NOT-FOR-US: CMS Made Simple CVE-2010-2796 (Cross-site scripting (XSS) vulnerability in phpCAS before 1.1.2, when ...) {DSA-2172-1} - libphp-cas (bug #495542) - glpi (unimportant) NOTE: Only supported behind an authenticated HTTP zone - moodle 1.9.9.dfsg2-2 (bug #601384) CVE-2010-2795 (phpCAS before 1.1.2 allows remote authenticated users to hijack sessio ...) {DSA-2172-1} - libphp-cas (bug #495542) - glpi (unimportant) NOTE: Only supported behind an authenticated HTTP zone - moodle 1.9.9.dfsg2-2 (bug #601384) CVE-2010-2794 (The SPICE (aka spice-xpi) plug-in 2.2 for Firefox allows local users t ...) - spice-xpi [jessie] - spice-xpi (Broken with newer Firefox versions) CVE-2010-2793 (Race condition in the SPICE (aka spice-activex) plug-in for Internet E ...) NOT-FOR-US: SPICE plugin for Internet Explorer CVE-2010-2792 (Race condition in the SPICE (aka spice-xpi) plug-in 2.2 for Firefox al ...) - spice-xpi [jessie] - spice-xpi (Broken with newer Firefox versions) CVE-2010-2791 (mod_proxy in httpd in Apache HTTP Server 2.2.9, when running on Unix, ...) - apache2 2.2.9-10 (low) CVE-2010-2790 (Multiple cross-site scripting (XSS) vulnerabilities in the formatQuery ...) - zabbix 1:1.8.3-1 (bug #594304) [squeeze] - zabbix 1:1.8.2-1squeeze1 [lenny] - zabbix (Minor issue) CVE-2010-2789 (PHP remote file inclusion vulnerability in MediaWikiParserTest.php in ...) - mediawiki (Affects mediawiki 1:1.16.0beta* - was not and will not be in Debian) NOTE: http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-July/000092.html CVE-2010-2788 (Cross-site scripting (XSS) vulnerability in profileinfo.php in MediaWi ...) - mediawiki 1:1.15.5-1 (bug #590669; low) [lenny] - mediawiki 1:1.12.0-2lenny6 NOTE: http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-July/000092.html CVE-2010-2787 (api.php in MediaWiki before 1.15.5 does not prevent use of public cach ...) - mediawiki 1:1.15.5-1 (bug #590660; low) [lenny] - mediawiki (Minor issue) NOTE: http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-July/000092.html CVE-2010-2786 (Directory traversal vulnerability in Piwik 0.6 through 0.6.3 allows re ...) - piwik (bug #506933) CVE-2010-2785 (The IRC Protocol component in KVIrc 3.x and 4.x before r4693 does not ...) {DSA-2078-1} - kvirc 4:4.0.0-3 CVE-2010-2784 (The subpage MMIO initialization functionality in the subpage_register ...) - qemu-kvm 0.12.5+dfsg-3 (bug #594478) - kvm [lenny] - kvm 72+dfsg-5~lenny6 CVE-2010-2783 (IcedTea6 before 1.7.4 allow unsigned apps to read and write arbitrary ...) - openjdk-6 6b18-1.8.1-1 CVE-2009-4957 (Directory traversal vulnerability in loadpanel.php in Interspire Activ ...) NOT-FOR-US: Interspire ActiveKB CVE-2009-4956 (Cross-site scripting (XSS) vulnerability in the Visitor Tracking (ws_s ...) NOT-FOR-US: typo3 third party component (ws_stats) CVE-2009-4955 (SQL injection vulnerability in the ultraCards (th_ultracards) extensio ...) NOT-FOR-US: typo3 third party component (th_ultracards) CVE-2009-4954 (SQL injection vulnerability in the Versatile Calendar Extension [VCE] ...) NOT-FOR-US: typo3 third party component (sk_calendar) CVE-2009-4953 (Cross-site scripting (XSS) vulnerability in the Userdata Create/Edit ( ...) NOT-FOR-US: typo3 third party component (sg_userdata) CVE-2009-4952 (Directory traversal vulnerability in the Directory Listing (dir_listin ...) NOT-FOR-US: typo3 third party component (dir_listing) CVE-2009-4951 (Unspecified vulnerability in the ClickStream Analyzer [output] (altern ...) NOT-FOR-US: typo3 third party component (alternet_csa_out) CVE-2009-4950 (SQL injection vulnerability in the A21glossary Advanced Output (a21glo ...) NOT-FOR-US: typo3 third party component (a21glossary_advanced_output) CVE-2009-4949 (SQL injection vulnerability in the Store Locator extension before 1.2. ...) NOT-FOR-US: typo3 third party component (locator) CVE-2009-4948 (Cross-site scripting (XSS) vulnerability in the Store Locator extensio ...) NOT-FOR-US: typo3 third party component (locator) CVE-2009-4947 (SQL injection vulnerability in frmLoginPwdReminderPopup.aspx in Q2 Sol ...) NOT-FOR-US: Q2 Solutions ConnX CVE-2009-4946 (Directory traversal vulnerability in the Messaging (com_messaging) com ...) NOT-FOR-US: Joomla! Messaging CVE-2010-2782 RESERVED CVE-2010-2781 RESERVED CVE-2010-2780 RESERVED CVE-2010-2779 (Cross-site scripting (XSS) vulnerability in WebAccess in Novell GroupW ...) NOT-FOR-US: GroupWise CVE-2010-2778 (Cross-site scripting (XSS) vulnerability in WebAccess in Novell GroupW ...) NOT-FOR-US: GroupWise CVE-2010-2777 (Stack-based buffer overflow in the IMAP server component in GroupWise ...) NOT-FOR-US: GroupWise CVE-2010-2776 RESERVED CVE-2010-2775 RESERVED CVE-2010-2774 RESERVED CVE-2010-2773 RESERVED CVE-2010-2772 (Siemens Simatic WinCC and PCS 7 SCADA system uses a hard-coded passwor ...) NOT-FOR-US: SCADA CVE-2010-2771 (solid.exe in IBM solidDB before 6.5 FP2 allows remote attackers to exe ...) NOT-FOR-US: IBM solidDB CVE-2009-4945 (AdPeeps 8.5d1 has a default password of admin for the admin account, w ...) NOT-FOR-US: AdPeeps CVE-2009-4944 (Multiple cross-site scripting (XSS) vulnerabilities in ATRC ACollab 1. ...) NOT-FOR-US: ATRC ACollab CVE-2009-4943 (index.php in AdPeeps 8.5d1 allows remote attackers to obtain sensitive ...) NOT-FOR-US: AdPeeps CVE-2009-4942 (Cross-site request forgery (CSRF) vulnerability in ACollab 1.2 allows ...) NOT-FOR-US: ATRC ACollab CVE-2009-4941 (Cross-site scripting (XSS) vulnerability in sign_in.php in ATRC AColla ...) NOT-FOR-US: ATRC ACollab CVE-2009-4940 (SQL injection vulnerability in index.php in Zeus Cart 2.3 and earlier ...) NOT-FOR-US: Zeus Cart CVE-2009-4939 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Ad ...) NOT-FOR-US: AdPeeps CVE-2009-4938 (SQL injection vulnerability in the JVideo! (com_jvideo) component 0.3. ...) NOT-FOR-US: JVideo CVE-2009-4937 (Cross-site scripting (XSS) vulnerability in Small Pirate (SPirate) 2.1 ...) NOT-FOR-US: SPirate CVE-2009-4936 (Multiple SQL injection vulnerabilities in Small Pirate (SPirate) 2.1 a ...) NOT-FOR-US: SPirate CVE-2010-3484 (SQL injection vulnerability in common.php in LightNEasy 3.2.1 allows r ...) - mapserver 5.6.4-1 (low) [lenny] - mapserver (Minor issue) CVE-2010-3485 (SQL injection vulnerability in common.php in LightNEasy 3.2.1 allows r ...) - mapserver 5.6.4-1 (low) [lenny] - mapserver (Minor issue) CVE-2010-2770 (Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird befo ...) - xulrunner (The vulnerability is MacOS-specific) - iceweasel (The vulnerability is MacOS-specific) - iceape (The vulnerability is MacOS-specific) CVE-2010-2769 (Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.5 ...) {DSA-2124-1 DSA-2106-1} - xulrunner (unimportant) - iceweasel 3.5.12-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - icedove 3.0.7-1 [lenny] - icedove - iceape 2.0.7-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-2768 (Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird befo ...) {DSA-2106-1} - xulrunner (unimportant) - iceweasel 3.5.12-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - icedove 3.0.7-1 [lenny] - icedove - iceape 2.0.7-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-2767 (The navigator.plugins implementation in Mozilla Firefox before 3.5.12 ...) {DSA-2106-1} - xulrunner (unimportant) - iceweasel 3.5.12-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - icedove 3.0.7-1 [lenny] - icedove - iceape 2.0.7-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-2766 (The normalizeDocument function in Mozilla Firefox before 3.5.12 and 3. ...) {DSA-2106-1} - xulrunner (unimportant) - iceweasel 3.5.12-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - icedove 3.0.7-1 [lenny] - icedove - iceape 2.0.7-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-2765 (Integer overflow in the FRAMESET element implementation in Mozilla Fir ...) {DSA-2106-1} - xulrunner (unimportant) - iceweasel 3.5.12-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - icedove 3.0.7-1 [lenny] - icedove - iceape 2.0.7-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-2764 (Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird befo ...) - xulrunner (unimportant) - iceweasel 3.5.12-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) [lenny] - xulrunner (Doesn't affect Xulrunner 1.9.0 code base) - icedove 3.0.7-1 [lenny] - icedove (Doesn't affect Xulrunner 1.9.0 code base) - iceape 2.0.7-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-2763 (The XPCSafeJSObjectWrapper class in the SafeJSObjectWrapper (aka SJOW) ...) {DSA-2106-1} - xulrunner (unimportant) - iceweasel 3.5.12-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - icedove 3.0.7-1 [lenny] - icedove - iceape 2.0.7-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-2762 (The XPCSafeJSObjectWrapper class in the SafeJSObjectWrapper (aka SJOW) ...) - xulrunner (Only affects 3.6, only in experimental) - iceweasel (Only affects 3.6, only in experimental) CVE-2010-2761 (The multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.p ...) - perl 5.10.1-17 (bug #606995) - libcgi-pm-perl 3.50-1 (bug #606370) [lenny] - libcgi-pm-perl 3.38-2lenny2 [squeeze] - libcgi-pm-perl 3.49-1squeeze1 - libcgi-simple-perl 1.111-2 (bug #606379) [lenny] - libcgi-simple-perl 1.105-1lenny1 [lenny] - perl 5.10.0-19lenny3 (bug #606995) CVE-2010-2760 (Use-after-free vulnerability in the nsTreeSelection function in Mozill ...) {DSA-2106-1} - xulrunner (unimportant) - iceweasel 3.5.12-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - icedove 3.0.7-1 [lenny] - icedove - iceape 2.0.7-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-2759 (Bugzilla 2.23.1 through 3.2.7, 3.3.1 through 3.4.7, 3.5.1 through 3.6. ...) - bugzilla 3.6.2.0-1 (bug #595015; medium) CVE-2010-2758 (Bugzilla 2.17.1 through 3.2.7, 3.3.1 through 3.4.7, 3.5.1 through 3.6. ...) - bugzilla 3.6.2.0-1 (bug #595015; low) CVE-2010-2757 (The sudo feature in Bugzilla 2.22rc1 through 3.2.7, 3.3.1 through 3.4. ...) - bugzilla 3.6.2.0-1 (bug #595015; low) CVE-2010-2756 (Search.pm in Bugzilla 2.19.1 through 3.2.7, 3.3.1 through 3.4.7, 3.5.1 ...) - bugzilla 3.6.2.0-1 (bug #595015; low) CVE-2010-2755 (layout/generic/nsObjectFrame.cpp in Mozilla Firefox 3.6.7 does not pro ...) - xulrunner (Only exploitable in Firefox 3.6.x and above) - iceweasel (Only exploitable in Firefox 3.6.x and above) CVE-2010-2754 (dom/base/nsJSEnvironment.cpp in Mozilla Firefox 3.5.x before 3.5.11 an ...) {DSA-2075-1} - xulrunner 1.9.1.11-1 - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - icedove 3.0.6-1 [lenny] - icedove - iceape 2.0.6-1 [lenny] - iceape (Only a stub package) CVE-2010-2753 (Integer overflow in Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x befo ...) {DSA-2075-1} - xulrunner 1.9.1.11-1 - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0.6-1 [lenny] - iceape (Only a stub package) - icedove 3.0.6-1 [lenny] - icedove CVE-2010-2752 (Integer overflow in an array class in Mozilla Firefox 3.5.x before 3.5 ...) - xulrunner 1.9.1.11-1 [lenny] - xulrunner (Only affects 1.9.1 and above) - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0.6-1 [lenny] - iceape (Only a stub package) - icedove 3.0.6-1 [lenny] - icedove CVE-2010-2751 (The nsDocShell::OnRedirectStateChange function in docshell/base/nsDocS ...) {DSA-2075-1} - xulrunner 1.9.1.11-1 - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0.6-1 [lenny] - iceape (Only a stub package) CVE-2010-2750 (Array index error in Microsoft Word 2002 SP3 and Office 2004 for Mac a ...) NOT-FOR-US: Microsoft Word CVE-2010-2749 REJECTED CVE-2010-2748 (Microsoft Word 2002 SP3 and Office 2004 for Mac do not properly check ...) NOT-FOR-US: Microsoft Word CVE-2010-2747 (Microsoft Word 2002 SP3 and Office 2004 for Mac do not properly handle ...) NOT-FOR-US: Microsoft Word CVE-2010-2746 (Heap-based buffer overflow in Comctl32.dll (aka the common control lib ...) NOT-FOR-US: Microsoft Windows CVE-2010-2745 (Microsoft Windows Media Player (WMP) 9 through 12 does not properly de ...) NOT-FOR-US: Microsoft Windows Media Player CVE-2010-2744 (The kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows S ...) NOT-FOR-US: Microsoft Windows CVE-2010-2743 (The kernel-mode drivers in Microsoft Windows XP SP3 do not properly pe ...) NOT-FOR-US: Microsoft Windows CVE-2010-2742 (The Netlogon RPC Service in Microsoft Windows Server 2003 SP2 and Serv ...) NOT-FOR-US: Microsoft Windows CVE-2010-2741 (The OpenType Font (OTF) format driver in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2010-2740 (The OpenType Font (OTF) format driver in Microsoft Windows XP SP2 and ...) NOT-FOR-US: Microsoft Windows CVE-2010-2739 (Buffer overflow in the CreateDIBPalette function in win32k.sys in Micr ...) NOT-FOR-US: Windows CVE-2010-2738 (The Uniscribe (aka new Unicode Script Processor) implementation in USP ...) NOT-FOR-US: Microsoft Windows CVE-2010-2737 REJECTED CVE-2010-2736 REJECTED CVE-2010-2735 REJECTED CVE-2010-2734 (Cross-site scripting (XSS) vulnerability in the mobile portal in Micro ...) NOT-FOR-US: Microsoft Forefront Unified Access Gateway CVE-2010-2733 (Cross-site scripting (XSS) vulnerability in the Web Monitor in Microso ...) NOT-FOR-US: Microsoft Forefront Unified Access Gateway CVE-2010-2732 (Open redirect vulnerability in the web interface in Microsoft Forefron ...) NOT-FOR-US: Microsoft Forefront Unified Access Gateway CVE-2010-2731 (Unspecified vulnerability in Microsoft Internet Information Services ( ...) NOT-FOR-US: Microsoft Windows CVE-2010-2730 (Buffer overflow in Microsoft Internet Information Services (IIS) 7.5, ...) NOT-FOR-US: Microsoft IIS CVE-2010-2729 (The Print Spooler service in Microsoft Windows XP SP2 and SP3, Windows ...) NOT-FOR-US: Microsoft Windows CVE-2010-2728 (Heap-based buffer overflow in Microsoft Outlook 2002 SP3, 2003 SP3, an ...) NOT-FOR-US: Microsoft Outlook CVE-2010-2727 REJECTED CVE-2010-2726 REJECTED CVE-2010-2725 (BarnOwl before 1.6.2 does not check the return code of calls to the (1 ...) {DSA-2102-1} - barnowl 1.6.2-1 (bug #593299) CVE-2010-2724 (Cross-site scripting (XSS) vulnerability in the Hierarchical Select mo ...) NOT-FOR-US: Drupal addon module CVE-2010-2723 (Cross-site scripting (XSS) vulnerability in LISTSERV 15 and 16 allows ...) NOT-FOR-US: LISTSERV CVE-2010-2722 (Cross-site scripting (XSS) vulnerability in index.php in RightInPoint ...) NOT-FOR-US: RightInPoint Lyrics Script CVE-2010-2721 (SQL injection vulnerability in index.php in RightInPoint Lyrics Script ...) NOT-FOR-US: RightInPoint Lyrics Script CVE-2010-2720 (SQL injection vulnerability in list.php in phpaaCms 0.3.1 UTF-8, and p ...) NOT-FOR-US: phpaaCms CVE-2010-2719 (SQL injection vulnerability in show.php in phpaaCms 0.3.1 UTF-8, and p ...) NOT-FOR-US: phpaaCms CVE-2010-2718 (Multiple cross-site scripting (XSS) vulnerabilities in CruxSoftware Cr ...) NOT-FOR-US: CruxSoftware CVE-2010-2717 (Cross-site scripting (XSS) vulnerability in manager/login.php in CruxS ...) NOT-FOR-US: CruxSoftware CVE-2010-2716 (Multiple SQL injection vulnerabilities in PsNews 1.3 allow remote atta ...) NOT-FOR-US: PsNews CVE-2010-2715 (Cross-site scripting (XSS) vulnerability in photos/index.php in TCW PH ...) NOT-FOR-US: TCW PHP Album CVE-2010-2714 (SQL injection vulnerability in photos/index.php in TCW PHP Album 1.0 a ...) NOT-FOR-US: TCW PHP Album CVE-2010-2713 (The vte_sequence_handler_window_manipulation function in vteseq.c in l ...) [lenny] - vte (Uses a hardcoded string in the terminal icon/window title) - vte 1:0.24.3-1 NOTE: http://git.gnome.org/browse/vte/commit/?id=58bc3a942f198a1a8788553ca72c19d7c1702b74 NOTE: http://git.gnome.org/browse/vte/commit/?id=8b971a7b2c59902914ecbbc3915c45dd21530a91 CVE-2010-2712 (Unspecified vulnerability in Software Distributor (sd) in HP HP-UX B.1 ...) NOT-FOR-US: Software Distributor in HP HP-UX CVE-2010-2711 (Unspecified vulnerability in the HP MagCloud app before 1.0.5 for the ...) NOT-FOR-US: HP MagCloud app CVE-2010-2710 (Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) ...) NOT-FOR-US: HP OpenView CVE-2010-2709 (Stack-based buffer overflow in webappmon.exe in HP OpenView Network No ...) NOT-FOR-US: HP OpenView CVE-2010-2708 (Unspecified vulnerability on the HP ProCurve 2610 switch before R.11.2 ...) NOT-FOR-US: HP ProCurve CVE-2010-2707 (Unspecified vulnerability on the HP ProCurve 2626 and 2650 switches be ...) NOT-FOR-US: HP ProCurve CVE-2010-2706 (Unspecified vulnerability in the In-band Agent on the HP ProCurve 2610 ...) NOT-FOR-US: HP ProCurve CVE-2010-2705 (Unspecified vulnerability on the HP ProCurve 1800-24G switch with soft ...) NOT-FOR-US: HP ProCurve CVE-2010-2704 (Buffer overflow in HP OpenView Network Node Manager (OV NNM) 7.51 and ...) NOT-FOR-US: HP OpenView CVE-2010-2703 (Stack-based buffer overflow in the execvp_nc function in the ov.dll mo ...) NOT-FOR-US: HP OpenView CVE-2010-2702 (Buffer overflow in the UGameEngine::UpdateConnectingMessage function i ...) NOT-FOR-US: Unreal engine CVE-2010-2701 (Multiple buffer overflows in the FathFTP ActiveX control 1.7 allow rem ...) NOT-FOR-US: FathFTP ActiveX control CVE-2010-2700 (Cross-site scripting (XSS) vulnerability in index.php in Edge PHP Clic ...) NOT-FOR-US: Edge PHP Clickbank Affiliate Marketplace Script CVE-2010-2699 (SQL injection vulnerability in index.php in Edge PHP Clickbank Affilia ...) NOT-FOR-US: Edge PHP Clickbank Affiliate Marketplace Script CVE-2010-2698 (Multiple cross-site scripting (XSS) vulnerabilities in Sijio Community ...) NOT-FOR-US: Sijio Community Software CVE-2010-2697 (Cross-site scripting (XSS) vulnerability in Sijio Community Software a ...) NOT-FOR-US: Sijio Community Software CVE-2010-2696 (SQL injection vulnerability in gallery/index.php in Sijio Community So ...) NOT-FOR-US: Sijio Community Software CVE-2010-2695 (Directory traversal vulnerability in the SFTP/SSH2 virtual server in X ...) NOT-FOR-US: Xlight FTP Server CVE-2010-2694 (SQL injection vulnerability in the redSHOP Component (com_redshop) 1.0 ...) NOT-FOR-US: Joomla addon CVE-2010-2693 (FreeBSD 7.1 through 8.1-PRERELEASE does not copy the read-only flag wh ...) - kfreebsd-7 7.3-5 [lenny] - kfreebsd-7 (Not covered by security support in Lenny) - kfreebsd-8 8.0-10 CVE-2010-2692 (Cross-site scripting (XSS) vulnerability in 2daybiz Custom T-Shirt Des ...) NOT-FOR-US: 2daybiz Custom T-Shirt Design Script CVE-2010-2691 (Multiple SQL injection vulnerabilities in 2daybiz Custom T-Shirt Desig ...) NOT-FOR-US: 2daybiz Custom T-Shirt Design Script CVE-2010-2690 (SQL injection vulnerability in the JOOFORGE Gamesbox (com_gamesbox) co ...) NOT-FOR-US: Joomla addon CVE-2010-2689 (SQL injection vulnerability in cont_form.php in Internet DM WebDM CMS ...) NOT-FOR-US: Internet DM WebDM CMS CVE-2010-2688 (SQL injection vulnerability in detail.asp in Site2Nite Boat Classified ...) NOT-FOR-US: Site2Nite Boat Classifieds CVE-2010-2687 (SQL injection vulnerability in printdetail.asp in Site2Nite Boat Class ...) NOT-FOR-US: Site2Nite Boat Classifieds CVE-2010-2686 (Multiple SQL injection vulnerabilities in clientes.asp in the TopManag ...) NOT-FOR-US: SAP module CVE-2010-2685 (siteadmin/adduser.php in Customer Paradigm PageDirector CMS does not p ...) NOT-FOR-US: Customer Paradigm PageDirector CMS CVE-2010-2684 (SQL injection vulnerability in index.php in Customer Paradigm PageDire ...) NOT-FOR-US: Customer Paradigm PageDirector CMS CVE-2010-2683 (SQL injection vulnerability in result.php in Customer Paradigm PageDir ...) NOT-FOR-US: Customer Paradigm PageDirector CMS CVE-2010-2682 (Directory traversal vulnerability in the Realtyna Translator (com_real ...) NOT-FOR-US: Joomla addon CVE-2010-2681 (PHP remote file inclusion vulnerability in the SEF404x (com_sef) compo ...) NOT-FOR-US: Joomla addon CVE-2010-2680 (Directory traversal vulnerability in the JExtensions JE Section/Proper ...) NOT-FOR-US: Joomla addon CVE-2010-2679 (SQL injection vulnerability in the Weblinks (com_weblinks) component i ...) NOT-FOR-US: Joomla addon CVE-2010-2678 (SQL injection vulnerability in xmap (com_xmap) component for Joomla! a ...) NOT-FOR-US: Joomla addon CVE-2010-2677 (PHP remote file inclusion vulnerability in mw_plugin.php in Open Web A ...) NOT-FOR-US: Open Web Analytics CVE-2010-2676 (Multiple directory traversal vulnerabilities in index.php in Open Web ...) NOT-FOR-US: Open Web Analytics CVE-2010-2675 (Cross-site scripting (XSS) vulnerability in index.php in TSOKA:CMS 1.1 ...) NOT-FOR-US: TSOKA:CMS CVE-2010-2674 (SQL injection vulnerability in index.php in TSOKA:CMS 1.1, 1.9, and 2. ...) NOT-FOR-US: TSOKA:CMS CVE-2010-2673 (SQL injection vulnerability in profile_view.php in Devana 1.6.6 and ea ...) NOT-FOR-US: Devana CVE-2010-2672 (Multiple SQL injection vulnerabilities in eZ Publish 3.7.0 through 4.2 ...) - ezpublish CVE-2010-2671 (Cross-site scripting (XSS) vulnerability in advancedsearch.php in eZ P ...) - ezpublish CVE-2010-2670 (SQL injection vulnerability in recipedetail.php in BrotherScripts Reci ...) NOT-FOR-US: BrotherScripts Recipe Website CVE-2010-2669 (Cross-site scripting (XSS) vulnerability in admin/editors/text/editor- ...) NOT-FOR-US: Orbis CMS CVE-2010-2668 (Unspecified vulnerability in Adaptive Micro Systems ALPHA Ethernet Ada ...) NOT-FOR-US: Adaptive Micro Systems ALPHA Ethernet Adapter CVE-2010-2667 (Multiple unspecified vulnerabilities in the Virtual Appliance Manageme ...) NOT-FOR-US: VMware Studio CVE-2010-2666 (Opera before 10.54 on Windows and Mac OS X does not properly enforce p ...) NOT-FOR-US: Opera CVE-2010-2665 (Cross-site scripting (XSS) vulnerability in Opera before 10.54 on Wind ...) NOT-FOR-US: Opera CVE-2010-2664 (Opera before 10.60 allows remote attackers to cause a denial of servic ...) NOT-FOR-US: Opera CVE-2010-2663 (Opera before 10.60 allows remote attackers to cause a denial of servic ...) NOT-FOR-US: Opera CVE-2010-2662 (Opera before 10.60 allows remote attackers to bypass the popup blocker ...) NOT-FOR-US: Opera CVE-2010-2661 (Opera before 10.54 on Windows and Mac OS X, and before 10.60 on UNIX p ...) NOT-FOR-US: Opera CVE-2010-2660 (Opera before 10.54 on Windows and Mac OS X, and before 10.60 on UNIX p ...) NOT-FOR-US: Opera CVE-2010-2659 (Opera before 10.50 on Windows, before 10.52 on Mac OS X, and before 10 ...) NOT-FOR-US: Opera CVE-2010-2658 (Opera before 10.60 does not properly restrict certain interaction betw ...) NOT-FOR-US: Opera CVE-2010-2657 (Opera before 10.60 on Windows and Mac OS X does not properly prevent c ...) NOT-FOR-US: Opera CVE-2010-2656 (The IBM BladeCenter with Advanced Management Module (AMM) firmware bui ...) NOT-FOR-US: BladeCenter software CVE-2010-2655 (Directory traversal vulnerability in private/file_management.php on th ...) NOT-FOR-US: BladeCenter software CVE-2010-2654 (Multiple cross-site scripting (XSS) vulnerabilities on the IBM BladeCe ...) NOT-FOR-US: BladeCenter software CVE-2010-2653 (Race condition in the hvc_close function in drivers/char/hvc_console.c ...) - linux-2.6 2.6.32-25 CVE-2009-4935 (SQL injection vulnerability in ogp_show.php in Online Guestbook Pro al ...) NOT-FOR-US: Online Guestbook Pro CVE-2009-4934 (Cross-site scripting (XSS) vulnerability in index.php in Online Photo ...) NOT-FOR-US: Online Photo Pro CVE-2009-4933 (Multiple SQL injection vulnerabilities in login.php in EZ Webitor allo ...) NOT-FOR-US: EZ Webitor CVE-2009-4932 (Stack-based buffer overflow in 1by1 1.67 (aka 1.6.7.0) allows remote a ...) NOT-FOR-US: 1by1 CVE-2009-4931 (Stack-based buffer overflow in Groovy Media Player 1.1.0 allows remote ...) NOT-FOR-US: Groovy Media Player CVE-2009-4930 (Cross-site scripting (XSS) vulnerability in the twbkwbis.P_SecurityQue ...) NOT-FOR-US: SunGard Banner Student System CVE-2009-4929 (admin/manage_users.php in TotalCalendar 2.4 does not require administr ...) NOT-FOR-US: TotalCalendar CVE-2009-4928 (PHP remote file inclusion vulnerability in config.php in TotalCalendar ...) NOT-FOR-US: TotalCalendar CVE-2009-4927 (WB News 2.1.2 allows remote attackers to bypass authentication and gai ...) NOT-FOR-US: WB News CVE-2009-4926 (Multiple cross-site scripting (XSS) vulnerabilities in Online Contact ...) NOT-FOR-US: Online Contact Manager CVE-2009-4925 (Multiple SQL injection vulnerabilities in Portale e-commerce Creasito ...) NOT-FOR-US: Portale e-commerce Creasito CVE-2010-2652 (Google Chrome before 5.0.375.99 does not properly implement modal dial ...) - webkit (chromium specific issue) - chromium-browser 5.0.375.99~r51029-1 CVE-2010-2651 (The Cascading Style Sheets (CSS) implementation in Google Chrome befor ...) - webkit 1.2.5-1 (bug #599830) [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.99~r51029-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=38891 NOTE: http://src.chromium.org/viewvc/chrome?view=rev&revision=51014 NOTE: http://trac.webkit.org/changeset/59247 CVE-2010-2650 (Unspecified vulnerability in Google Chrome before 5.0.375.99 has unkno ...) - webkit (chromium specific) - chromium-browser 5.0.375.99~r51029-1 CVE-2010-2649 (Unspecified vulnerability in Google Chrome before 5.0.375.99 allows re ...) - webkit (issue in chromium-specific code) - chromium-browser 5.0.375.99~r51029-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=39797 NOTE: http://trac.webkit.org/changeset/60973 NOTE: http://trac.webkit.org/changeset/60977 CVE-2010-2648 (The implementation of the Unicode Bidirectional Algorithm (aka Bidi al ...) - webkit 1.2.4-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.99~r51029-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=39305 NOTE: http://trac.webkit.org/projects/webkit/changeset/61921 CVE-2010-2647 (Google Chrome before 5.0.375.99 allows remote attackers to cause a den ...) - webkit 1.2.4-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.99~r51029-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=38627 NOTE: http://trac.webkit.org/changeset/61667 NOTE: http://trac.webkit.org/changeset/61669 mac fixes NOTE: http://trac.webkit.org/changeset/61676 chromium fixes NOTE: http://trac.webkit.org/changeset/61679 additional layout test NOTE: duplicate of cve-2010-1786 CVE-2010-2646 (Google Chrome before 5.0.375.99 does not properly isolate sandboxed IF ...) - webkit 1.2.5-1 (bug #599830) [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.99~r51029-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=38151 NOTE: http://trac.webkit.org/changeset/58873 NOTE: http://trac.webkit.org/changeset/59870 chromium updates CVE-2010-2645 (Unspecified vulnerability in Google Chrome before 5.0.375.99, when Web ...) - webkit (doesn't include webgl code yet) - chromium-browser 5.0.375.99~r51029-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=38039 NOTE: http://trac.webkit.org/changeset/58957 CVE-2010-2644 (IBM WebSphere Service Registry and Repository (WSRR) 7.0.0 before FP1 ...) NOT-FOR-US: IBM WebSphere Service Registry and Repository CVE-2010-2643 (Integer overflow in the TFM font parser in the dvi-backend component i ...) {DSA-2357-1} - evince 2.30.3-2 (bug #609534) CVE-2010-2642 (Heap-based buffer overflow in the AFM font parser in the dvi-backend c ...) {DSA-2388-1 DSA-2357-1} - evince 3.0.2-1 (bug #609534) [squeeze] - evince 2.30.3-2+squeeze1 - t1lib 5.1.2-3.5 [lenny] - t1lib 5.1.2-3+lenny1 [squeeze] - t1lib 5.1.2-3+squeeze1 CVE-2010-2641 (Array index error in the VF font parser in the dvi-backend component i ...) {DSA-2357-1} - evince 2.30.3-2 (bug #609534) CVE-2010-2640 (Array index error in the PK font parser in the dvi-backend component i ...) {DSA-2357-1} - evince 2.30.3-2 (bug #609534) CVE-2010-2639 (IBM WebSphere Commerce Enterprise 7.0 before 7.0.0.2 allows remote att ...) NOT-FOR-US: IBM WebSphere Commerce Enterprise 7.0 CVE-2010-2638 (Unspecified vulnerability in IBM WebSphere MQ 7.0 before 7.0.1.5 allow ...) NOT-FOR-US: IBM WebSphere MQ CVE-2010-2637 (IBM WebSphere MQ 6.0 before 6.0.2.9 and 7.0 before 7.0.1.1 does not en ...) NOT-FOR-US: IBM WebSphere CVE-2010-2636 (Multiple cross-site scripting (XSS) vulnerabilities in sample store pa ...) NOT-FOR-US: IBM WebSphere Commerce CVE-2010-2635 (SQL injection vulnerability in IBM WebSphere Commerce 6.0 before 6.0.0 ...) NOT-FOR-US: IBM WebSphere Commerce CVE-2010-2634 (RSA enVision before 3.7 SP1 allows remote authenticated users to cause ...) NOT-FOR-US: RSA enVision CVE-2010-2633 (Unspecified vulnerability in EMC Disk Library (EDL) before 3.2.7, 3.3. ...) NOT-FOR-US: EMC CVE-2010-2632 (Unspecified vulnerability in the FTP Server in Oracle Solaris 8, 9, 10 ...) NOT-FOR-US: Solaris FTP server CVE-2010-2631 (LibTIFF 3.9.0 ignores tags in certain situations during the first stag ...) - tiff 3.9.4-1 - tiff3 (fixed before initial upload) CVE-2010-2630 (The TIFFReadDirectory function in LibTIFF 3.9.0 does not properly vali ...) {DSA-2552-1} - tiff 3.9.6-1 - tiff3 3.9.6-1 NOTE: may have been fixed earlier CVE-2010-2629 (The Cisco Content Services Switch (CSS) 11500 with software 8.20.4.02 ...) NOT-FOR-US: Cisco CVE-2010-2628 (The IKE daemon in strongSwan 4.3.x before 4.3.7 and 4.4.x before 4.4.1 ...) - strongswan 4.4.1-1 [lenny] - strongswan (Vulnerability introduced in 4.3.3) [squeeze] - strongswan (Vulnerability introduced in 4.3.3) CVE-2010-2627 (Multiple directory traversal vulnerabilities in the Refractor 2 engine ...) NOT-FOR-US: Refractor 2 CVE-2010-2626 (index.pl in Miyabi CGI Tools SEO Links 1.02 allows remote attackers to ...) NOT-FOR-US: Miyabi CGI Tools SEO Links CVE-2010-2625 (Unspecified vulnerability in the Client Service for DPM in Hitachi Ser ...) NOT-FOR-US: Hitachi ServerConductor CVE-2010-2624 (Multiple SQL injection vulnerabilities in iScripts EasySnaps 2.0 allow ...) NOT-FOR-US: iScripts EasySnaps CVE-2010-2623 (SQL injection vulnerability in pages.php in Internet DM Specialist Bed ...) NOT-FOR-US: Internet DM Specialist Bed and Breakfast CVE-2010-2622 (SQL injection vulnerability in the Joomanager component, possibly 1.1. ...) NOT-FOR-US: Joomanager CVE-2010-2621 (The QSslSocketBackendPrivate::transmit function in src_network_ssl_qss ...) - qt4-x11 4:4.6.3-2 (low; bug #587711) [lenny] - qt4-x11 (Harmless impact) NOTE: Fixed by commit c25c7c9bdfade6b906f37ac8bad44f6f0de57597 CVE-2010-2620 (Open&Compact FTP Server (Open-FTPD) 1.2 and earlier allows remote ...) NOT-FOR-US: Open&Compact FTP Server CVE-2010-2619 (Citrix XenServer 5.0 Update 2 and earlier, and 5.5 Update 1 and earlie ...) NOT-FOR-US: Citrix XenServer (it's based on Xen, likely a duplicate of an existing Xen issue) CVE-2009-4924 (Dan Pascu python-cjson 1.0.5 does not properly handle a ['/'] argument ...) - python-cjson 1.0.5-4 (low; bug #593302) [lenny] - python-cjson (Minor issue) CVE-2004-2769 (Cerberus FTP Server before 4.0.3.0 allows remote authenticated users t ...) NOT-FOR-US: Cerberus FTP Server CVE-2010-2494 (Multiple buffer underflows in the base64 decoder in base64.c in (1) bo ...) - bogofilter 1.2.1-3 (low; bug #588090) [lenny] - bogofilter 1.1.7-1+lenny1 NOTE: this is "only" null write to an invalid pointer, no arbitrary location CVE-2010-2495 (The pppol2tp_xmit function in drivers/net/pppol2tp.c in the L2TP imple ...) - linux-2.6 2.6.32-16 [lenny] - linux-2.6 (vulnerability introduced in 2.6.29) CVE-2010-2618 (PHP remote file inclusion vulnerability in inc/smarty/libs/init.php in ...) NOT-FOR-US: AdaptCMS CVE-2010-2617 (Cross-site scripting (XSS) vulnerability in bible.php in PHP Bible Sea ...) NOT-FOR-US: PHP Bible Search CVE-2010-2616 (SQL injection vulnerability in bible.php in PHP Bible Search, probably ...) NOT-FOR-US: PHP Bible Search CVE-2010-2615 (Multiple cross-site scripting (XSS) vulnerabilities in admin/admin.php ...) NOT-FOR-US: Grafik CMS CVE-2010-2614 (SQL injection vulnerability in admin/admin.php in Grafik CMS 1.1.2, an ...) NOT-FOR-US: Grafik CMS CVE-2010-2613 (Cross-site scripting (XSS) vulnerability in the JExtensions JE Awd Son ...) NOT-FOR-US: com_awd_song component for joomla! CVE-2010-2612 (Unspecified vulnerability in the HP OpenVMS Auditing feature in OpenVM ...) NOT-FOR-US: HP OpenVMS CVE-2010-2611 (SQL injection vulnerability in show_search_result.php in i-netsolution ...) NOT-FOR-US: i-netsolution Job Search Engine CVE-2010-2610 (Multiple SQL injection vulnerabilities in 2daybiz Job Site Script allo ...) NOT-FOR-US: 2daybiz Job Site Script CVE-2010-2609 (SQL injection vulnerability in show_search_result.php in 2daybiz Job S ...) NOT-FOR-US: 2daybiz Job Search Engine Script CVE-2010-2608 RESERVED CVE-2010-2607 RESERVED CVE-2010-2606 RESERVED CVE-2010-2605 RESERVED CVE-2010-2604 (Multiple buffer overflows in the PDF Distiller in the BlackBerry Attac ...) NOT-FOR-US: BlackBerry Enterprise Server CVE-2010-2603 (RIM BlackBerry Desktop Software 4.7 through 6.0 for PC, and 1.0 for Ma ...) NOT-FOR-US: RIM BlackBerry Desktop Software CVE-2010-2602 (Multiple buffer overflows in the PDF distiller component in the BlackB ...) NOT-FOR-US: BlackBerry Enterprise Serve CVE-2010-2601 (Multiple buffer overflows in the PDF distiller in the Attachment Servi ...) NOT-FOR-US: BlackBerry Enterprise Server CVE-2010-2600 (Untrusted search path vulnerability in BlackBerry Desktop Software bef ...) NOT-FOR-US: BlackBerry Desktop Software CVE-2010-2599 (Unspecified vulnerability in Research In Motion (RIM) BlackBerry Devic ...) NOT-FOR-US: BlackBerry Device Software CVE-2010-2594 (Multiple cross-site request forgery (CSRF) vulnerabilities in the web ...) NOT-FOR-US: InterSect Allience Snare Agent CVE-2010-2593 RESERVED CVE-2010-2592 RESERVED CVE-2010-2591 RESERVED CVE-2010-2590 (Heap-based buffer overflow in the CrystalReports12.CrystalPrintControl ...) NOT-FOR-US: ActiveX CVE-2010-2589 (Integer overflow in the dirapi.dll module in Adobe Shockwave Player be ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-2588 (The dirapi.dll module in Adobe Shockwave Player before 11.5.9.620 allo ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-2587 (The dirapi.dll module in Adobe Shockwave Player before 11.5.9.620 allo ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-2586 (Multiple integer overflows in in_nsv.dll in the in_nsv plugin in Winam ...) NOT-FOR-US: Winamp CVE-2010-2585 (Multiple buffer overflows in the RealPage Module Upload ActiveX contro ...) NOT-FOR-US: RealPage Module ActiveX Controls CVE-2010-2584 (The Upload method in the RealPage Module Upload ActiveX control in Rea ...) NOT-FOR-US: RealPage Module ActiveX Controls CVE-2010-2583 (Stack-based buffer overflow in SonicWALL SSL-VPN End-Point Interrogato ...) NOT-FOR-US: SonicWALL CVE-2010-2582 (An unspecified function in TextXtra.x32 in Adobe Shockwave Player befo ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-2581 (dirapi.dll in Adobe Shockwave Player before 11.5.9.615 allows remote a ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-2580 (The SMTP service (MESMTPC.exe) in MailEnable 3.x and 4.25 does not pro ...) NOT-FOR-US: MailEnable CVE-2010-2579 (The cook codec in RealNetworks RealPlayer 11.0 through 11.1, RealPlaye ...) NOT-FOR-US: RealPlayer CVE-2010-2578 (Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11. ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2010-2577 (Multiple SQL injection vulnerabilities in Pligg before 1.1.1 allow rem ...) NOT-FOR-US: Pligg CVE-2010-2576 (Opera before 10.61 does not properly suppress clicks on download dialo ...) NOT-FOR-US: Opera CVE-2010-2575 (Heap-based buffer overflow in the RLE decompression functionality in t ...) - okular 4:4.4.5-2 [lenny] - okular 0.7-2+lenny1 - kdegraphics 4:4.4.5-2 [lenny] - kdegraphics (Lenny's kdegraphics doesn't yet contain Okular) NOTE: http://www.kde.org/info/security/advisory-20100825-1.txt NOTE: Okular was initially a single source package (lenny days), then it was merged into NOTE: kdegraphics (squeeze days) and later split off again (wheezy) CVE-2010-2574 (Cross-site scripting (XSS) vulnerability in manage_proj_cat_add.php in ...) - mantis 1.1.8+dfsg-6 (low; bug #595510) [lenny] - mantis 1.1.6+dfsg-2lenny2 CVE-2010-2598 (LibTIFF in Red Hat Enterprise Linux (RHEL) 3 on x86_64 platforms, as u ...) - tiff 3.9.4-1 - tiff3 (fixed prior to initial upload) CVE-2010-2597 (The TIFFVStripSize function in tif_strip.c in LibTIFF 3.9.0 and 3.9.2 ...) {DSA-2552-1} - tiff 3.9.6-1 - tiff3 3.9.6-1 NOTE: may have been fixed earlier CVE-2010-2596 (The OJPEGPostDecode function in tif_ojpeg.c in LibTIFF 3.9.0 and 3.9.2 ...) {DLA-610-1} - tiff 4.0.6-1 (unimportant) - tiff3 (unimportant) NOTE: fixed by http://bugzilla.maptools.org/show_bug.cgi?id=2209 NOTE: according to upstream http://bugzilla.maptools.org/show_bug.cgi?id=2209#c6 NOTE: unreproducible in VCS. Confirmed for version 4.0.6 in Stretch by verifying NOTE: that the reproducer does not trigger the crash anymore. NOTE: Tom Lane's patch should be applied for tiff in Wheezy too. NOTE: Not confirmed which exact version should fix the issue. CVE-2010-2595 (The TIFFYCbCrtoRGB function in LibTIFF 3.9.0 and 3.9.2, as used in Ima ...) {DSA-2552-1} - tiff 3.9.6-1 - tiff3 3.9.6-1 NOTE: may have been fixed earlier CVE-2010-2573 (Integer underflow in Microsoft PowerPoint 2002 SP3 and 2003 SP3, Power ...) NOT-FOR-US: Microsoft PowerPoint CVE-2010-2572 (Buffer overflow in Microsoft PowerPoint 2002 SP3 and 2003 SP3 allows r ...) NOT-FOR-US: Microsoft PowerPoint CVE-2010-2571 (Array index error in pubconv.dll (aka the Publisher Converter DLL) in ...) NOT-FOR-US: Microsoft Publisher CVE-2010-2570 (Heap-based buffer overflow in pubconv.dll (aka the Publisher Converter ...) NOT-FOR-US: Microsoft Publisher CVE-2010-2569 (pubconv.dll (aka the Publisher Converter DLL) in Microsoft Publisher 2 ...) NOT-FOR-US: Microsoft Publisher CVE-2010-2568 (Windows Shell in Microsoft Windows XP SP3, Server 2003 SP2, Vista SP1 ...) NOT-FOR-US: Microsoft CVE-2010-2567 (The RPC client implementation in Microsoft Windows XP SP2 and SP3 and ...) NOT-FOR-US: Microsoft Windows CVE-2010-2566 (The Secure Channel (aka SChannel) security package in Microsoft Window ...) NOT-FOR-US: Microsoft CVE-2010-2565 REJECTED CVE-2010-2564 (Buffer overflow in Microsoft Windows Movie Maker (WMM) 2.1, 2.6, and 6 ...) NOT-FOR-US: Microsoft CVE-2010-2563 (The Word 97 text converter in the WordPad Text Converters in Microsoft ...) NOT-FOR-US: Microsoft Windows CVE-2010-2562 (Microsoft Office Excel 2002 SP3 and 2003 SP3, Office 2004 and 2008 for ...) NOT-FOR-US: Microsoft CVE-2010-2561 (Microsoft XML Core Services (aka MSXML) 3.0 does not properly handle H ...) NOT-FOR-US: Microsoft CVE-2010-2560 (Microsoft Internet Explorer 6, 7, and 8 does not properly handle objec ...) NOT-FOR-US: Microsoft CVE-2010-2559 (Microsoft Internet Explorer 8 does not properly handle objects in memo ...) NOT-FOR-US: Microsoft CVE-2010-2558 (Race condition in Microsoft Internet Explorer 6, 7, and 8 allows remot ...) NOT-FOR-US: Microsoft CVE-2010-2557 (Microsoft Internet Explorer 6 does not properly handle objects in memo ...) NOT-FOR-US: Microsoft CVE-2010-2556 (Microsoft Internet Explorer 6, 7, and 8 does not properly handle objec ...) NOT-FOR-US: Microsoft CVE-2010-2555 (The Tracing Feature for Services in Microsoft Windows Vista SP1 and SP ...) NOT-FOR-US: Microsoft CVE-2010-2554 (The Tracing Feature for Services in Microsoft Windows Vista SP1 and SP ...) NOT-FOR-US: Microsoft CVE-2010-2553 (The Cinepak codec in Microsoft Windows XP SP2 and SP3, Windows Vista S ...) NOT-FOR-US: Microsoft CVE-2010-2552 (Stack consumption vulnerability in the SMB Server in Microsoft Windows ...) NOT-FOR-US: Microsoft CVE-2010-2551 (The SMB Server in Microsoft Windows Vista SP1 and SP2, Windows Server ...) NOT-FOR-US: Microsoft CVE-2010-2550 (The SMB Server in Microsoft Windows XP SP2 and SP3, Windows Server 200 ...) NOT-FOR-US: Microsoft CVE-2010-2549 (Use-after-free vulnerability in the kernel-mode drivers in Microsoft W ...) NOT-FOR-US: Microsoft CVE-2010-2548 (IcedTea6 before 1.7.4 does not properly check property access, which a ...) - openjdk-6 6b18-1.8.1-1 CVE-2010-2547 (Use-after-free vulnerability in kbx/keybox-blob.c in GPGSM in GnuPG 2. ...) {DSA-2076-1} - gnupg2 2.0.14-2 CVE-2010-2546 (Multiple heap-based buffer overflows in loaders/load_it.c in libmikmod ...) {DSA-2081-1} - libmikmod 3.1.11-6.3 CVE-2010-2545 (Multiple cross-site scripting (XSS) vulnerabilities in Cacti before 0. ...) {DSA-2384-1} - cacti 0.8.7g-1 CVE-2010-2544 (Cross-site scripting (XSS) vulnerability in utilities.php in Cacti bef ...) - cacti 0.8.7g-1 CVE-2010-2543 (Cross-site scripting (XSS) vulnerability in include/top_graph_header.p ...) {DSA-2384-1} - cacti 0.8.7g-1 CVE-2010-2542 (Stack-based buffer overflow in the is_git_directory function in setup. ...) {DSA-2114-1} - git-core 1:1.7.1-1.1 (low; bug #590026) CVE-2010-2541 (Buffer overflow in ftmulti.c in the ftmulti demo program in FreeType b ...) {DSA-2105-1} - freetype 2.4.2-1 (low) CVE-2010-2540 (mapserv.c in mapserv in MapServer before 4.10.6 and 5.x before 5.6.4 d ...) {DSA-2079-1} - mapserver 5.6.4-1 CVE-2010-2539 (Buffer overflow in the msTmpFile function in maputil.c in mapserv in M ...) {DSA-2079-1} - mapserver 5.6.4-1 CVE-2010-2538 (Integer overflow in the btrfs_ioctl_clone function in fs/btrfs/ioctl.c ...) - linux-2.6 2.6.32-19 [lenny] - linux-2.6 (brtfs introduced in 2.6.29) CVE-2010-2537 (The btrfs_ioctl_clone function in fs/btrfs/ioctl.c in the Linux kernel ...) - linux-2.6 2.6.32-19 [lenny] - linux-2.6 (brtfs introduced in 2.6.29) CVE-2010-2536 (Multiple cross-site scripting (XSS) vulnerabilities in rekonq 0.5 and ...) - rekonq 0.5.0-2 (bug #593300) CVE-2010-2535 (Multiple cross-site scripting (XSS) vulnerabilities in the Back End in ...) NOT-FOR-US: Joomla! CVE-2010-2534 (The NetworkSyncCommandQueue function in network/network_command.cpp in ...) - openttd 1.0.3-1 [lenny] - openttd (Introduced in 1.0.1) NOTE: http://bugs.openttd.org/task/3909 CVE-2010-2533 REJECTED CVE-2010-2532 - lxsession 0.4.4-3 (bug #591409) CVE-2010-2531 (The var_export function in PHP 5.2 before 5.2.14 and 5.3 before 5.3.3 ...) {DSA-2266-1} - php5 5.3.3-2 (low) CVE-2010-2530 (Multiple integer signedness errors in smb_subr.c in the netsmb module ...) NOT-FOR-US: NetBSD CVE-2010-2529 (Unspecified vulnerability in ping.c in iputils 20020927, 20070202, 200 ...) {DSA-2645-1} - iputils 3:20100418-2 - inetutils 2:1.9-2 [lenny] - iputils 3:20071127-1+lenny1 CVE-2010-2528 (The clientautoresp function in family_icbm.c in the oscar protocol plu ...) - pidgin 2.7.2-1 [lenny] - pidgin (Vulnerable code not present, support for X-Status was added later) CVE-2010-2527 (Multiple buffer overflows in demo programs in FreeType before 2.4.0 al ...) {DSA-2070-1} - freetype 2.4.0-1 CVE-2010-2526 (The cluster logical volume manager daemon (clvmd) in lvm2-cluster in L ...) {DSA-2095-1} - lvm2 2.02.66-3 (bug #591204) CVE-2010-2525 RESERVED CVE-2010-2524 (The DNS resolution functionality in the CIFS implementation in the Lin ...) {DSA-2264-1} - linux-2.6 2.6.32-19 CVE-2010-2523 (Multiple buffer overflows in ha.c in the mipv6 daemon in UMIP 0.4 allo ...) NOT-FOR-US: UMIP CVE-2010-2522 (The mipv6 daemon in UMIP 0.4 does not verify that netlink messages ori ...) NOT-FOR-US: UMIP CVE-2010-2521 (Multiple buffer overflows in fs/nfsd/nfs4xdr.c in the XDR implementati ...) {DSA-2094-1} - linux-2.6 2.6.32-13 CVE-2010-2520 (Heap-based buffer overflow in the Ins_IUP function in truetype/ttinter ...) {DSA-2070-1} - freetype 2.4.0-1 CVE-2010-2519 (Heap-based buffer overflow in the Mac_Read_POST_Resource function in b ...) {DSA-2070-1} - freetype 2.4.0-1 CVE-2010-2518 (Unspecified vulnerability in the P8 Content Engine (P8CE) 4.5.1 before ...) NOT-FOR-US: P8 Content Search Engine CVE-2010-2517 (Multiple unspecified vulnerabilities in IBM Rational ClearQuest before ...) NOT-FOR-US: ClearQuest CVE-2010-2516 (Multiple SQL injection vulnerabilities in 2daybiz Multi Level Marketin ...) NOT-FOR-US: 2daybiz Multi Level Marketing CVE-2009-4923 (Unspecified vulnerability in the DTLS implementation on Cisco Adaptive ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2009-4922 (Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2009-4921 (Cisco Adaptive Security Appliances (ASA) 5580 series devices with soft ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2009-4920 (Unspecified vulnerability in CTM on Cisco Adaptive Security Appliances ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2009-4919 (Buffer overflow on Cisco Adaptive Security Appliances (ASA) 5580 serie ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2009-4918 (Cisco Adaptive Security Appliances (ASA) 5580 series devices with soft ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2009-4917 (Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2009-4916 (Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2009-4915 (Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2009-4914 (Memory leak on Cisco Adaptive Security Appliances (ASA) 5580 series de ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2009-4913 (The IPv6 implementation on Cisco Adaptive Security Appliances (ASA) 55 ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2009-4912 (Cisco Adaptive Security Appliances (ASA) 5580 series devices with soft ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2009-4911 (Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2009-4910 (Cross-site scripting (XSS) vulnerability in the WebVPN portal on Cisco ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2010-2515 (Multiple SQL injection vulnerabilities in index.php in the JFaq (com_j ...) NOT-FOR-US: component for Joomla! CVE-2010-2514 (Cross-site scripting (XSS) vulnerability in the JFaq (com_jfaq) compon ...) NOT-FOR-US: component for Joomla! CVE-2010-2513 (SQL injection vulnerability in the JE Ajax Event Calendar (com_jeajaxe ...) NOT-FOR-US: component for Joomla! CVE-2010-2512 (SQL injection vulnerability in customprofile.php in 2daybiz Matrimonia ...) NOT-FOR-US: 2daybiz Matrimonial Script CVE-2010-2511 (SQL injection vulnerability in viewnews.php in 2daybiz Multi Level Mar ...) NOT-FOR-US: 2daybiz Multi Level Marketing CVE-2010-2510 (SQL injection vulnerability in customize.php in 2daybiz Web Template S ...) NOT-FOR-US: 2daybiz Web Template CVE-2010-2509 (Multiple cross-site scripting (XSS) vulnerabilities in 2daybiz Web Tem ...) NOT-FOR-US: 2daybiz Web Template CVE-2010-2508 (SQL injection vulnerability in user-profile.php in 2daybiz Video Commu ...) NOT-FOR-US: 2daybiz Video CVE-2010-2507 (Directory traversal vulnerability in the Picasa2Gallery (com_picasa2ga ...) NOT-FOR-US: component for Joomla! CVE-2010-2506 (Cross-site scripting (XSS) vulnerability in debug.cgi in Linksys WAP54 ...) NOT-FOR-US: Linksys CVE-2010-2505 (Soft SaschArt SasCAM Webcam Server 2.6.5, 2.7, and earlier allows remo ...) NOT-FOR-US: Soft SaschArt SasCAM Webcam Server CVE-2010-2504 (Splunk 4.0 through 4.0.10 and 4.1 through 4.1.1 allows remote authenti ...) NOT-FOR-US: Splunk CVE-2010-2503 (Multiple cross-site scripting (XSS) vulnerabilities in Splunk 4.0 thro ...) NOT-FOR-US: Splunk CVE-2010-2502 (Multiple directory traversal vulnerabilities in Splunk 4.0 through 4.0 ...) NOT-FOR-US: Splunk CVE-2010-2501 RESERVED CVE-2010-2500 (Integer overflow in the gray_render_span function in smooth/ftgrays.c ...) {DSA-2070-1} - freetype 2.4.0-1 CVE-2010-2499 (Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs. ...) {DSA-2070-1} - freetype 2.4.0-1 CVE-2010-2498 (The psh_glyph_find_strong_points function in pshinter/pshalgo.c in Fre ...) {DSA-2070-1} - freetype 2.4.0-1 CVE-2010-2497 (Integer underflow in glyph handling in FreeType before 2.4.0 allows re ...) {DSA-2070-1} - freetype 2.4.0-1 CVE-2010-2496 RESERVED CVE-2010-2493 (The default configuration of the deployment descriptor (aka web.xml) i ...) - jbossas4 (Only builds a few libraries, not the full application server, #581226) CVE-2010-2492 (Buffer overflow in the ecryptfs_uid_hash macro in fs/ecryptfs/messagin ...) {DSA-2110-1} - linux-2.6 2.6.32-19 CVE-2010-2491 (Cross-site scripting (XSS) vulnerability in cgi/client.py in Roundup b ...) - roundup 1.4.13-3.1 (bug #590769) NOTE: http://bugs.gentoo.org/show_bug.cgi?id=326395 NOTE: http://roundup.svn.sourceforge.net/viewvc/roundup?view=revision&revision=4486 CVE-2010-2490 (Mumble: murmur-server has DoS due to malformed client query ...) - mumble 1.2.2-4 (bug #587713) [lenny] - mumble (Minor issue) - qt4-x11 (low; bug #587713) CVE-2010-2489 (Buffer overflow in Ruby 1.9.x before 1.9.1-p429 on Windows might allow ...) - ruby1.8 (Windows-specific) - ruby1.9.1 (Windows-specific) CVE-2010-2488 (NULL pointer dereference vulnerability in ZNC before 0.092 caused by t ...) {DSA-2069-1} - znc 0.090-2 (bug #584929) CVE-2010-2487 (Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.7.3 ...) {DSA-2083-1} - moin 1.9.3-1 (bug #584809) CVE-2010-2486 RESERVED CVE-2010-2485 RESERVED CVE-2010-2484 (The strrchr function in PHP 5.2 before 5.2.14 allows context-dependent ...) - php5 5.3.3-1 (unimportant) CVE-2010-2483 (The TIFFRGBAImageGet function in LibTIFF 3.9.0 allows remote attackers ...) - tiff 3.9.4-4 (unimportant) - tiff3 (fixed prior to initial upload) CVE-2010-2482 (LibTIFF 3.9.4 and earlier does not properly handle an invalid td_strip ...) {DSA-2552-1} - tiff 3.9.4-1 (unimportant) - tiff3 (fixed prior to initial upload) CVE-2010-2481 (The TIFFExtractData macro in LibTIFF before 3.9.4 does not properly ha ...) - tiff 3.9.4-1 (unimportant) - tiff3 (fixed prior to initial upload) CVE-2010-2480 (Mako before 0.3.4 relies on the cgi.escape function in the Python stan ...) - mako 0.3.4-1 (low) [lenny] - mako (Minor issue) CVE-2010-2478 (Integer overflow in the ethtool_get_rxnfc function in net/core/ethtool ...) - linux-2.6 2.6.32-19 [lenny] - linux-2.6 (Introduced in 2.6.27) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=608950 NOTE: http://thread.gmane.org/gmane.linux.network/164869 CVE-2010-2477 (Multiple cross-site scripting (XSS) vulnerabilities in the paste.httpe ...) - paste 1.7.4-1 (low) [lenny] - paste 1.7.1-1+lenny1 NOTE: http://bitbucket.org/ianb/paste/changeset/fcae59df8b56 CVE-2010-2475 RESERVED CVE-2010-2474 (JBoss Enterprise Service Bus (ESB) before 4.7 CP02 in JBoss Enterprise ...) - jbossas4 (Only builds a few libraries, not the full application server, #581226) CVE-2010-2470 (Install/Filesystem.pm in Bugzilla 3.5.1 through 3.6.1 and 3.7 through ...) - bugzilla (Only affects 3.5 to 3.7) CVE-2010-2476 (syscp 1.4.2.1 allows attackers to add arbitrary paths via the document ...) - syscp (bug #587481) CVE-2010-2469 (The Linear eMerge 50 and 5000 uses a default password of eMerge for th ...) NOT-FOR-US: Linear eMerge CVE-2010-2468 (The S2 Security NetBox 2.x and 3.x, as used in the Linear eMerge 50 an ...) NOT-FOR-US: S2 Security NetBox CVE-2010-2467 (The S2 Security NetBox, possibly 2.x and 3.x, as used in the Linear eM ...) NOT-FOR-US: S2 Security NetBox CVE-2010-2466 (The S2 Security NetBox, possibly 2.x and 3.x, as used in the Linear eM ...) NOT-FOR-US: S2 Security NetBox CVE-2010-2465 (The S2 Security NetBox 2.5, 3.3, and 4.0, as used in the Linear eMerge ...) NOT-FOR-US: S2 Security NetBox CVE-2010-2464 (Multiple cross-site scripting (XSS) vulnerabilities in the RSComments ...) NOT-FOR-US: component for Joomla! CVE-2010-2463 (Cross-site scripting (XSS) vulnerability in forum.php in Jamroom befor ...) NOT-FOR-US: Jamroom CVE-2010-2462 (SQL injection vulnerability in withdraw_money.php in Toma Cero OroHYIP ...) NOT-FOR-US: Toma Cero OroHYIP CVE-2010-2461 (SQL injection vulnerability in storecat.php in JCE-Tech Overstock 1 al ...) NOT-FOR-US: JCE-Tech Overstock CVE-2010-2460 (SQL injection vulnerability in merchant_product_list.php in JCE-Tech S ...) NOT-FOR-US: JCE-Tech Shareasale Script CVE-2010-2459 (SQL injection vulnerability in video.php in 2daybiz Video Community Po ...) NOT-FOR-US: 2daybiz Video Community Portal Script CVE-2010-2458 (Cross-site scripting (XSS) vulnerability in video.php in 2daybiz Video ...) NOT-FOR-US: 2daybiz Video Community Portal Script CVE-2010-2457 (Cross-site scripting (XSS) vulnerability in index.php in K-Search allo ...) NOT-FOR-US: K-Search CVE-2010-2456 (Multiple directory traversal vulnerabilities in index.php in Linker IM ...) NOT-FOR-US: Linker IMG CVE-2010-2455 (Opera does not properly manage the address bar between the request to ...) NOT-FOR-US: Opera CVE-2010-2454 (Apple Safari does not properly manage the address bar between the requ ...) - webkit (iceweasel/safari-specific issues) - chromium-browser (iceweasel/safari-specific issues) NOTE: i tested both firefox and safari poc's, and neither of them caused the NOTE: address bar to be spoofed in either webkit or chrome NOTE: this will be address in iceweasel in cve-2010-1206 CVE-2010-2453 (Multiple cross-site scripting (XSS) vulnerabilities in Synology Disk S ...) NOT-FOR-US: Synology Disk Station CVE-2009-4909 (admin/index.php in oBlog allows remote attackers to conduct brute-forc ...) NOT-FOR-US: oBlog CVE-2009-4908 (Multiple cross-site scripting (XSS) vulnerabilities in oBlog allow rem ...) NOT-FOR-US: oBlog CVE-2009-4907 (Multiple cross-site request forgery (CSRF) vulnerabilities in oBlog al ...) NOT-FOR-US: oBlog CVE-2009-4906 (Cross-site request forgery (CSRF) vulnerability in index.php in Acc PH ...) NOT-FOR-US: Acc PHP eMail CVE-2009-4905 (Multiple cross-site request forgery (CSRF) vulnerabilities in index.ph ...) NOT-FOR-US: Acc Statistics CVE-2009-4904 (article.php in oBlog does not properly restrict comments, which allows ...) NOT-FOR-US: oBlog CVE-2009-4903 (Cross-site scripting (XSS) vulnerability in index.php in oBlog allows ...) NOT-FOR-US: oBlog CVE-2010-2452 (Directory traversal vulnerability in the DCC functionality in KVIrc 3. ...) {DSA-2065-1} - kvirc 4:4.0.0~svn4340+rc3-1 CVE-2010-2451 (Multiple format string vulnerabilities in the DCC functionality in KVI ...) {DSA-2065-1} - kvirc 4:4.0.0~svn4340+rc3-1 CVE-2010-2443 (The OJPEGReadBufferFill function in tif_ojpeg.c in LibTIFF before 3.9. ...) - tiff 3.9.4-1 (unimportant) - tiff3 (fixed prior to initial upload) NOTE: Triggers a NULL pointer deref, crasher only CVE-2010-2442 (Microsoft Internet Explorer, possibly 8, does not properly restrict fo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-2441 (WebKit does not properly restrict focus changes, which allows remote a ...) - webkit 1.2.1-3 (low) [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.55~r47796-1 NOTE: http://trac.webkit.org/changeset/58829 CVE-2010-2440 (Stack-based buffer overflow in st-wizard.exe in Subtitle Translation W ...) NOT-FOR-US: Subtitle Translation Wizard CVE-2010-2439 (Stack-based buffer overflow in MoreAmp allows remote attackers to exec ...) NOT-FOR-US: MoreAmp CVE-2010-2438 (SQL injection vulnerability in G.CMS generator allows remote attackers ...) NOT-FOR-US: G.CMS CVE-2010-2437 (Cross-site scripting (XSS) vulnerability in class/tools.class.php in A ...) NOT-FOR-US: AneCMS BLog CVE-2010-2436 (SQL injection vulnerability in modules/blog/index.php in AneCMS Blog 1 ...) NOT-FOR-US: AneCMS Blog CVE-2010-2435 (Weborf HTTP Server 0.12.1 and earlier allows remote attackers to cause ...) - weborf 0.12.2-1 CVE-2010-2434 (Buffer overflow in Arcext.dll 2.16.1 and earlier in pon software Explz ...) NOT-FOR-US: Explzh CVE-2010-2433 (Multiple cross-site scripting (XSS) vulnerabilities in content/interna ...) NOT-FOR-US: IBM WebSphere CVE-2010-2432 (The cupsDoAuthentication function in auth.c in the client in CUPS befo ...) {DSA-2176-1} - cups 1.4.4-1 CVE-2010-2431 (The cupsFileOpen function in CUPS before 1.4.4 allows local users, wit ...) {DSA-2176-1} - cups 1.4.4-1 CVE-2010-2430 RESERVED CVE-2010-2429 (Cross-site scripting (XSS) vulnerability in Splunk 4.0 through 4.1.2, ...) NOT-FOR-US: Splunk CVE-2010-2428 (Cross-site scripting (XSS) vulnerability in admin_loginok.html in the ...) NOT-FOR-US: Wing FTP Server CVE-2010-2427 (VMware Studio 2.0 does not properly write to temporary files, which al ...) NOT-FOR-US: VMware Studio CVE-2010-2426 (Directory traversal vulnerability in TitanFTPd in South River Technolo ...) NOT-FOR-US: Titan FTP Server CVE-2010-2425 (Directory traversal vulnerability in TitanFTPd in South River Technolo ...) NOT-FOR-US: Titan FTP Server CVE-2010-2424 RESERVED CVE-2010-2423 RESERVED CVE-2010-2422 (Cross-site scripting (XSS) vulnerability in PortalTransforms in Plone ...) - plone3 CVE-2010-2421 (Multiple unspecified vulnerabilities in Opera before 10.54 have unknow ...) NOT-FOR-US: Opera CVE-2010-2420 (Multiple unspecified vulnerabilities in Fenrir Inc. ActiveGeckoBrowser ...) NOT-FOR-US: Sleipnir CVE-2008-7258 - ssmtp (unimportant; bug #591515) CVE-2008-7257 (CRLF injection vulnerability in +webvpn+/index.html in WebVPN on Cisco ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2010-2479 (Cross-site scripting (XSS) vulnerability in HTML Purifier before 4.1.1 ...) {DSA-2067-1} - php-htmlpurifier 4.1.1+dfsg1-1 - mahara 1.2.5-1 - moodle 1.9.9.dfsg2-1 (low; bug #593301) [lenny] - moodle (doesn't ship/use htmlpurifier) - knowledgeroot 0.9.9.5-5 [lenny] - knowledgeroot (low) CVE-2010-2419 (Unspecified vulnerability in the Java Virtual Machine component in Ora ...) NOT-FOR-US: Oracle Database Server CVE-2010-2418 (Unspecified vulnerability in the Oracle Territory Management component ...) NOT-FOR-US: Oracle E-Business Suite CVE-2010-2417 (Unspecified vulnerability in the Agile PLM component in Oracle Supply ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2010-2416 (Unspecified vulnerability in the Oracle E-Business Intelligence compon ...) NOT-FOR-US: Oracle E-Business Intelligence CVE-2010-2415 (Unspecified vulnerability in the Change Data Capture component in Orac ...) NOT-FOR-US: Oracle Database Server CVE-2010-2414 (Unspecified vulnerability in the (1) Sun Convergence 1 and (2) Sun Jav ...) NOT-FOR-US: Oracle Sun Products Suite CVE-2010-2413 (Unspecified vulnerability in the BI Publisher component in Oracle Fusi ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2010-2412 (Unspecified vulnerability in the OLAP component in Oracle Database Ser ...) NOT-FOR-US: Oracle Database Server CVE-2010-2411 (Unspecified vulnerability in the Job Queue component in Oracle Databas ...) NOT-FOR-US: Oracle Database Server CVE-2010-2410 (Unspecified vulnerability in the Cabo/UIX component in Oracle Fusion M ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2010-2409 (Unspecified vulnerability in the Cabo/UIX component in Oracle Fusion M ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2010-2408 (Unspecified vulnerability in the Oracle iRecruitment component in Orac ...) NOT-FOR-US: Oracle E-Business Suite CVE-2010-2407 (Unspecified vulnerability in the XDK component in Oracle Database Serv ...) NOT-FOR-US: Oracle Database Server CVE-2010-2406 (Unspecified vulnerability in the Siebel Core - Highly Interactive Clie ...) NOT-FOR-US: Oracle Siebel Suite CVE-2010-2405 (Unspecified vulnerability in the Siebel Core - Highly Interactive Clie ...) NOT-FOR-US: Oracle Siebel Suite CVE-2010-2404 (Unspecified vulnerability in the Oracle iRecruitment component in Orac ...) NOT-FOR-US: Oracle E-Business Suite CVE-2010-2403 (Unspecified vulnerability in the PeopleSoft Enterprise Campus Solution ...) NOT-FOR-US: PeopleSoft CVE-2010-2402 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft CVE-2010-2401 (Unspecified vulnerability in the PeopleSoft Enterprise HCM - eProfile ...) NOT-FOR-US: PeopleSoft CVE-2010-2400 (Unspecified vulnerability in Oracle Solaris 9 and 10, and OpenSolaris, ...) NOT-FOR-US: Solaris CVE-2010-2399 (Unspecified vulnerability in Oracle Solaris 10 and OpenSolaris allows ...) NOT-FOR-US: Solaris CVE-2010-2398 (Unspecified vulnerability in the PeopleSoft Enterprise HCM component i ...) NOT-FOR-US: PeopleSoft CVE-2010-2397 (Unspecified vulnerability in Oracle Sun Java System Application Server ...) NOT-FOR-US: Oracle Sun Java System Application Serve CVE-2010-2396 (Unspecified vulnerability in the Forms component in Oracle Fusion Midd ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2010-2395 (Unspecified vulnerability in the Cabo/UIX component in Oracle Fusion M ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2010-2394 (Unspecified vulnerability in Oracle Solaris 10 allows local users to a ...) NOT-FOR-US: Solaris CVE-2010-2393 (Unspecified vulnerability in Oracle Solaris 10 and OpenSolaris allows ...) NOT-FOR-US: Solaris CVE-2010-2392 (Unspecified vulnerability in Oracle Solaris 10 and OpenSolaris allows ...) NOT-FOR-US: Solaris CVE-2010-2391 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database Server CVE-2010-2390 (Unspecified vulnerability in the Database Control component in EM Cons ...) NOT-FOR-US: Oracle Database Server CVE-2010-2389 (Unspecified vulnerability in the Perl component in Oracle Database Ser ...) NOT-FOR-US: Oracle Database Server CVE-2010-2388 (Unspecified vulnerability in the Oracle Applications Manager component ...) NOT-FOR-US: Oracle E-Business Suite CVE-2010-2387 (vicious-extensions/ve-misc.c in GNOME Display Manager (gdm) 2.20.x bef ...) - gdm 2.20.11-1 CVE-2010-2386 (Unspecified vulnerability in Oracle Solaris 8, 9, and 10, and OpenSola ...) NOT-FOR-US: Solaris CVE-2010-2385 (Unspecified vulnerability in Oracle Sun Java System Web Proxy Server 4 ...) NOT-FOR-US: Oracle Sun Java System Web Proxy Server CVE-2010-2384 (Unspecified vulnerability in Oracle Solaris 9 and 10 allows local user ...) NOT-FOR-US: Solaris CVE-2010-2383 (Unspecified vulnerability in Oracle Solaris 8, 9, and 10, and OpenSola ...) NOT-FOR-US: Solaris CVE-2010-2382 (Unspecified vulnerability in Oracle Solaris 8, 9, and 10 allows local ...) NOT-FOR-US: Solaris CVE-2010-2381 (Unspecified vulnerability in the Application Server Control component ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2010-2380 (Unspecified vulnerability in the PeopleSoft Enterprise FSCM component ...) NOT-FOR-US: PeopleSoft CVE-2010-2379 (Unspecified vulnerability in the PeopleSoft Enterprise HCM - Time & ...) NOT-FOR-US: PeopleSoft CVE-2010-2378 (Unspecified vulnerability in the PeopleSoft Enterprise CRM component i ...) NOT-FOR-US: PeopleSoft CVE-2010-2377 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: PeopleSoft CVE-2010-2376 (Unspecified vulnerability in Oracle Solaris 8, 9, and 10 allows local ...) NOT-FOR-US: Solaris CVE-2010-2375 (Package/Privilege: Plugins for Apache, Sun and IIS web servers Unspeci ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2010-2374 (Unspecified vulnerability in Solaris Studio 12 update 1 allows local u ...) NOT-FOR-US: Solaris CVE-2010-2373 (Unspecified vulnerability in the Console component in Oracle Enterpris ...) NOT-FOR-US: Oracle Enterprise Manager Grid Control CVE-2010-2372 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2010-2371 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle Supply Chain Products Suite CVE-2010-2370 (Unspecified vulnerability in the Oracle Business Process Management co ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2010-2369 (Untrusted search path vulnerability in Lhasa 0.19 and earlier allows l ...) NOT-FOR-US: Lhasa CVE-2010-2368 (Untrusted search path vulnerability in Lhaplus before 1.58 allows loca ...) NOT-FOR-US: Lhaplus CVE-2010-2367 (Cross-site scripting (XSS) vulnerability in search.cgi in AD-EDIT2 bef ...) NOT-FOR-US: AD-EDIT2 CVE-2010-2366 (Cross-site scripting (XSS) vulnerability in futomi CGI Cafe Access Ana ...) NOT-FOR-US: CGI Cafe Access Analyzer CVE-2010-2365 (Cross-site scripting (XSS) vulnerability in Free CGI Moo moobbs2 befor ...) NOT-FOR-US: Free CGI Moo moobbs2 CVE-2010-2364 (Cross-site scripting (XSS) vulnerability in Free CGI Moo moobbs before ...) NOT-FOR-US: Free CGI Moo moobbs2 CVE-2010-2363 (The IPv6 Unicast Reverse Path Forwarding (RPF) implementation on the S ...) NOT-FOR-US: SEIL/X1, SEIL/X2, and SEIL/B1 routers CVE-2010-2362 (Winny 2.0b7.1 and earlier does not properly process node information, ...) NOT-FOR-US: Winny CVE-2010-2361 (Winny 2.0b7.1 and earlier does not properly process BBS information, w ...) NOT-FOR-US: Winny CVE-2010-2360 (Multiple buffer overflows in Winny 2.0b7.1 and earlier might allow rem ...) NOT-FOR-US: Winny CVE-2010-2359 (SQL injection vulnerability in eWebQuiz.asp in ActiveWebSoftwares.com ...) NOT-FOR-US: eWebquiz CVE-2010-2358 (PHP remote file inclusion vulnerability in modules/catalog/upload_phot ...) NOT-FOR-US: Nakid CMS CVE-2010-2357 (SQL injection vulnerability in index.php in Eicra Realestate Script 1. ...) NOT-FOR-US: Eicra Realestate Script CVE-2010-2356 (Cross-site scripting (XSS) vulnerability in subscribe.php in Pilot Gro ...) NOT-FOR-US: Pilot Group eLMS Pro CVE-2010-2355 (Cross-site scripting (XSS) vulnerability in error.php in Pilot Group ( ...) NOT-FOR-US: Pilot Group eLMS Pro CVE-2010-2354 (SQL injection vulnerability in subscribe.php in Pilot Group (PG) eLMS ...) NOT-FOR-US: Pilot Group eLMS Pro CVE-2010-2353 (The Node Reference module in Content Construction Kit (CCK) module 6.x ...) - drupal6-mod-cck (Fixed before initial upload) CVE-2010-2352 (The Node Reference module in Content Construction Kit (CCK) module 5.x ...) - drupal6-mod-cck (Fixed before initial upload) CVE-2010-2351 (Stack-based buffer overflow in the CIFS.NLM driver in Netware SMB 1.0 ...) NOT-FOR-US: Novell Netware CVE-2010-2350 (Heap-based buffer overflow in the PNG decoder in Ziproxy 3.1.0 allows ...) - ziproxy 3.1.1-1 (bug #587039) [lenny] - ziproxy (Introduced in 3.1.0) CVE-2010-2349 (H264WebCam 3.7 allows remote attackers to cause a denial of service (c ...) NOT-FOR-US: H264WebCam CVE-2010-2348 (Stack-based buffer overflow in Batch Audio Converter Lite Edition 1.0. ...) NOT-FOR-US: Batch Audio Converter CVE-2010-2347 (The Telnet interface in the SAP J2EE Engine Core (SAP-JEECOR) 6.40 thr ...) NOT-FOR-US: SAP J2EE Telnet Interface CVE-2010-2346 RESERVED CVE-2010-2345 (Cross-site request forgery (CSRF) vulnerability in odCMS 1.06, and pos ...) NOT-FOR-US: odCMS CVE-2010-2344 (Multiple cross-site scripting (XSS) vulnerabilities in odCMS 1.06, and ...) NOT-FOR-US: odCMS CVE-2010-2343 (Stack-based buffer overflow in D.R. Software Audio Converter 8.1, 2007 ...) NOT-FOR-US: D.R. Software Audio Converter CVE-2010-2342 (SQL injection vulnerability in onlinenotebookmanager.asp in DMXReady O ...) NOT-FOR-US: DMXReady Online Notebook Manager CVE-2010-2341 (PHP remote file inclusion vulnerability in system/application/views/pu ...) NOT-FOR-US: EZPX Photoblog CVE-2010-2340 (SQL injection vulnerability in members.php in Arab Portal 2.2, when ma ...) NOT-FOR-US: Arab Portal CVE-2010-2339 (SQL injection vulnerability in admin/pages.php in Subdreamer CMS 3.x.x ...) NOT-FOR-US: Subdreamer CMS CVE-2010-2338 (Multiple SQL injection vulnerabilities in redir.asp in VU Web Visitor ...) NOT-FOR-US: VU Web Visitor Analyst CVE-2010-2337 (Open redirect vulnerability in RSA Federated Identity Manager 4.0 befo ...) NOT-FOR-US: RSA Federated Identity Manager CVE-2010-2336 (index.php in Yamamah Photo Gallery 1.00 allows remote attackers to obt ...) NOT-FOR-US: Yamamah Photo Gallery CVE-2010-2335 (SQL injection vulnerability in index.php in Yamamah Photo Gallery 1.00 ...) NOT-FOR-US: Yamamah Photo Gallery CVE-2010-2334 (Directory traversal vulnerability in themes/default/download.php in Ya ...) NOT-FOR-US: Yamamah Phote Gallery CVE-2010-2333 (LiteSpeed Technologies LiteSpeed Web Server 4.0.x before 4.0.15 allows ...) NOT-FOR-US: LiteSpeed Web Server CVE-2010-2332 (Impact Financials, Inc. Impact PDF Reader 2.0, 1.2, and other versions ...) NOT-FOR-US: Impact PDF Reader CVE-2010-2331 (Stack-based buffer overflow in iSharer File Sharing Wizard 1.5.0 allow ...) NOT-FOR-US: iSharer File Sharing Wizard CVE-2010-2330 (Stack-based buffer overflow in iSharer File Sharing Wizard 1.5.0 allow ...) NOT-FOR-US: iSharer File Sharing Wizard CVE-2010-2329 (Buffer overflow in Rosoft Audio Converter 4.4.4 allows remote attacker ...) NOT-FOR-US: Rosoft Audio Converter CVE-2010-2328 (The HTTP Channel in IBM WebSphere Application Server (WAS) 7.0 before ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2010-2327 (mod_ibm_ssl in IBM HTTP Server 6.0 before 6.0.2.43, 6.1 before 6.1.0.3 ...) NOT-FOR-US: IBM HTTP Server CVE-2010-2326 (IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11, when addNo ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2010-2325 (Cross-site scripting (XSS) vulnerability in the administrative console ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2010-2324 (IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 on z/OS all ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2010-2323 (IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 on z/OS mig ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2010-2322 (Absolute path traversal vulnerability in the extract_jar function in j ...) - fastjar 2:0.98-3 (low) [lenny] - fastjar (Minor issue) CVE-2010-2321 (Buffer overflow in Adobe InDesign CS3 10.0 allows user-assisted remote ...) NOT-FOR-US: Adobe InDesign CVE-2009-4902 (Buffer overflow in the MSGFunctionDemarshall function in winscard_svc. ...) - pcsc-lite (Covered by initial CVE-2010-0407 fix) NOTE: See https://bugzilla.redhat.com/show_bug.cgi?id=596426#c20 for an explanation NOTE: of the weird CVE assignments on this one CVE-2009-4901 (The MSGFunctionDemarshall function in winscard_svc.c in the PC/SC Smar ...) - pcsc-lite (Covered by initial CVE-2010-0407 fix) NOTE: See https://bugzilla.redhat.com/show_bug.cgi?id=596426#c20 for an explanation NOTE: of the weird CVE assignments on this one CVE-2010-2320 (bozotic HTTP server (aka bozohttpd) before 20100621 allows remote atta ...) - bozohttpd 20100621-1 (low; bug #590298) [lenny] - bozohttpd (Minor information leak) CVE-2010-2319 (SQL injection vulnerability in index.php in IDevSpot TextAds 2.08 allo ...) NOT-FOR-US: IDevSpot TextAds CVE-2010-2318 (Cross-site scripting (XSS) vulnerability in cms_data.php in PHPCityPor ...) NOT-FOR-US: PHPCityPortal CVE-2010-2317 (Multiple SQL injection vulnerabilities in WmsCms 2.0 and earlier allow ...) NOT-FOR-US: WmsCms CVE-2010-2316 (Multiple cross-site scripting (XSS) vulnerabilities in default.asp in ...) NOT-FOR-US: WmsCms CVE-2010-2315 (PHP remote file inclusion vulnerability in picturelib.php in SmartISof ...) NOT-FOR-US: SmartISoft phpBazar CVE-2010-2314 (PHP remote file inclusion vulnerability in nucleus/plugins/NP_Twitter. ...) NOT-FOR-US: NP_Twitter Plugin CVE-2010-2313 (Directory traversal vulnerability in index.php in Anodyne Productions ...) NOT-FOR-US: SIMM Management System CVE-2010-2312 (SQL injection vulnerability in index.php in HauntmAx Haunted House Dir ...) NOT-FOR-US: HauntmAx Haunted House Directory Listing CMS CVE-2010-2311 (Stack-based buffer overflow in Power Tab Editor 1.7 build 80 allows us ...) NOT-FOR-US: Power Tab Editor CVE-2010-2310 (SolarWinds TFTP Server 10.4.0.13 allows remote attackers to cause a de ...) NOT-FOR-US: SolarWinds TFTP Server CVE-2010-2309 (Buffer overflow in the web server for EvoLogical EvoCam 3.6.6 and 3.6. ...) NOT-FOR-US: EvoLogical EvoCam CVE-2010-2308 (Unspecified vulnerability in the filter driver (savonaccessfilter.sys) ...) NOT-FOR-US: Sophos Anti-Virus CVE-2010-2307 (Multiple directory traversal vulnerabilities in the web server for Mot ...) NOT-FOR-US: Motorola firmware CVE-2010-2306 (The default installation of Sourcefire 3D Sensor 1000, 2000, and 9900; ...) NOT-FOR-US: Sourcefire 3D Sensor CVE-2010-2305 (Buffer overflow in an ActiveX control in SSHelper.dll for Symantec Syg ...) NOT-FOR-US: Symantec Sygate Personal Firewall CVE-2010-2304 REJECTED CVE-2010-2303 REJECTED CVE-2010-2302 (Use-after-free vulnerability in WebCore in WebKit in Google Chrome bef ...) - webkit 1.2.1-3 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.70~r48679-1 NOTE: http://trac.webkit.org/changeset/59876 NOTE: duplicate of cve-2010-1771 CVE-2010-2301 (Cross-site scripting (XSS) vulnerability in editing/markup.cpp in WebC ...) - webkit 1.2.1-3 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.70~r48679-1 NOTE: http://trac.webkit.org/changeset/59241 NOTE: http://trac.webkit.org/changeset/59242 NOTE: duplicate of cve-2010-1762 CVE-2010-2300 (Use-after-free vulnerability in the Element::normalizeAttributes funct ...) - webkit 1.2.1-3 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.70~r48679-1 NOTE: http://trac.webkit.org/changeset/59109 NOTE: duplicate of cve-2010-1759 CVE-2010-2299 (The Clipboard::DispatchObject function in app/clipboard/clipboard.cc i ...) - webkit (chromium-specific) - chromium-browser 5.0.375.70~r48679-1 CVE-2010-2298 (browser/renderer_host/database_dispatcher_host.cc in Google Chrome bef ...) - webkit (chromium-specific) - chromium-browser 5.0.375.70~r48679-1 CVE-2010-2297 (rendering/FixedTableLayout.cpp in WebCore in WebKit in Google Chrome b ...) - webkit 1.2.1-3 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.55~r47796-1 NOTE: http://trac.webkit.org/changeset/59495 CVE-2010-2296 (The implementation of unspecified DOM methods in Google Chrome before ...) - webkit 1.2.1-2 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.70~r48679-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=37031 NOTE: http://trac.webkit.org/changeset/57627 NOTE: http://trac.webkit.org/changeset/57658 NOTE: http://trac.webkit.org/changeset/57658 NOTE: http://trac.webkit.org/changeset/59769 NOTE: http://src.chromium.org/viewvc/chrome?view=rev&revision=48159 CVE-2010-2295 (page/EventHandler.cpp in WebCore in WebKit in Google Chrome before 5.0 ...) - webkit 1.2.1-3 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.55~r47796-1 NOTE: http://trac.webkit.org/changeset/58829 CVE-2009-4900 (pixelpost 1.7.1 has XSS ...) - pixelpost (bug #597224) NOTE: http://www.pixelpost.org/blog/2009/09/02/pixelpost-173-security-update/ CVE-2009-4899 (pixelpost 1.7.1 has SQL injection ...) - pixelpost (bug #597224) NOTE: http://www.pixelpost.org/blog/2009/09/02/pixelpost-173-security-update/ CVE-2009-4898 (Cross-site request forgery (CSRF) vulnerability in TWiki before 4.3.2 ...) NOT-FOR-US: TWiki CVE-2009-4897 (Buffer overflow in gs/psi/iscan.c in Ghostscript 8.64 and earlier allo ...) {DSA-2093-1} - ghostscript 8.70~dfsg-1 CVE-2009-4896 (Multiple directory traversal vulnerabilities in the mlmmj-php-admin we ...) {DSA-2073-1} - mlmmj 1.2.17-1.1 (bug #588038) CVE-2010-2294 (Cross-site request forgery (CSRF) vulnerability in Plume CMS 1.2.4 and ...) NOT-FOR-US: Plume CMS CVE-2010-2293 (The Ping tools web interface in Dlink Di-604 router allows remote auth ...) NOT-FOR-US: Dlink Di-604 CVE-2010-2292 (Cross-site scripting (XSS) vulnerability in the Ping tools web interfa ...) NOT-FOR-US: Dlink Di-604 Router CVE-2010-2291 (Unspecified vulnerability in the web interface in snom VoIP Phone firm ...) NOT-FOR-US: snom VoIP Phone CVE-2010-2290 (Cross-site scripting (XSS) vulnerability in cgi-bin/cgix/help in McAfe ...) NOT-FOR-US: McAfee CVE-2010-2289 (Open redirect vulnerability in dana/home/homepage.cgi in Juniper Netwo ...) NOT-FOR-US: Juniper Networks CVE-2010-2288 (Cross-site scripting (XSS) vulnerability in dana/nc/ncrun.cgi in Junip ...) NOT-FOR-US: Juniper Networks CVE-2010-2282 (Cross-site request forgery (CSRF) vulnerability in TomatoCMS 2.0.6 all ...) NOT-FOR-US: TomatoCMS CVE-2010-2281 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in To ...) NOT-FOR-US: TomatoCMS CVE-2010-2280 (Open redirect vulnerability in the Mobile component in IBM Lotus Conne ...) NOT-FOR-US: IBM Lotus Connections CVE-2010-2279 (The Top Updates implementation in the Homepage component in IBM Lotus ...) NOT-FOR-US: IBM Lotus Connections CVE-2010-2278 (The bookmarklet pop-up in the Bookmarks component in IBM Lotus Connect ...) NOT-FOR-US: IBM Lotus Connections CVE-2010-2277 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Lotus Conne ...) NOT-FOR-US: IBM Lotus Connections CVE-2010-2276 (The default configuration of the build process in Dojo 0.4.x before 0. ...) - dojo (Doesn't affect the Debian packaging) CVE-2010-2275 (Cross-site scripting (XSS) vulnerability in dijit/tests/_testCommon.js ...) - dojo 1.4.2+dfsg-1 CVE-2010-2274 (Multiple open redirect vulnerabilities in Dojo 1.0.x before 1.0.3, 1.1 ...) - dojo 1.4.2+dfsg-1 CVE-2010-2273 (Multiple cross-site scripting (XSS) vulnerabilities in Dojo 1.0.x befo ...) - dojo 1.4.2+dfsg-1 CVE-2010-2272 (Unspecified vulnerability in iframe_history.html in Dojo 0.4.x before ...) - dojo (only affects 0.4 branch) CVE-2010-2271 (Format string vulnerability in authcfg.cgi in Accoria Web Server (aka ...) NOT-FOR-US: Accoria Web Server CVE-2010-2270 (Accoria Web Server (aka Rock Web Server) 1.4.7 uses a predictable http ...) NOT-FOR-US: Accoria Web Server CVE-2010-2269 (Directory traversal vulnerability in loadstatic.cgi in Accoria Web Ser ...) NOT-FOR-US: Accoria Web Server CVE-2010-2268 (Cross-site request forgery (CSRF) vulnerability in authcfg.cgi in Acco ...) NOT-FOR-US: Accoria Web Server CVE-2010-2267 (Multiple cross-site scripting (XSS) vulnerabilities in Accoria Web Ser ...) NOT-FOR-US: Accoria Web Server CVE-2010-2266 (nginx 0.8.36 allows remote attackers to cause a denial of service (cra ...) - nginx (Confirmed Windows only, see bug #590768) CVE-2009-4895 (Race condition in the tty_fasync function in drivers/char/tty_io.c in ...) {DSA-2094-1} - linux-2.6 2.6.32-9 CVE-2009-4894 (Multiple cross-site scripting (XSS) vulnerabilities in profile.php in ...) NOT-FOR-US: PunBB CVE-2009-4893 (Buffer overflow in UnrealIRCd 3.2beta11 through 3.2.8, when allow::opt ...) - unrealircd (bug #515130) CVE-2010-2265 (Cross-site scripting (XSS) vulnerability in the GetServerName function ...) NOT-FOR-US: Microsoft Windows CVE-2010-2264 (The Cascading Style Sheets (CSS) implementation in WebKit in Apple Saf ...) - chromium-browser 6.0.466.0~r52279-1 NOTE: This is a large series of risky behaviour-changing changesets. NOTE: upstream changelog says this is fixed in 1.2.3, but i'm doubtful of that CVE-2010-2263 (nginx 0.8 before 0.8.40 and 0.7 before 0.7.66, when running on Windows ...) - nginx (Windows-specific vulnerability when running on NTFS) CVE-2009-4892 (SQL injection vulnerability in Content Management System WEBjump! allo ...) NOT-FOR-US: Content Management System WEBjump! CVE-2009-4891 (SQL injection vulnerability in index.php in CS-Cart 2.0.0 Beta 3 allow ...) NOT-FOR-US: CS-Cart CVE-2009-4890 (Multiple cross-site scripting (XSS) vulnerabilities in the login appli ...) NOT-FOR-US: vBook CVE-2009-4889 (SQL injection vulnerability in books.php in the Book Panel (book_panel ...) NOT-FOR-US: book_panel module for php-fusion CVE-2009-4888 (Cross-site scripting (XSS) vulnerability in poster.php in PHortail 1.2 ...) NOT-FOR-US: PHortail CVE-2009-4887 (PHP remote file inclusion vulnerability in index.php in CMS S.Builder ...) NOT-FOR-US: CMS S.Builder CVE-2009-4886 (Multiple directory traversal vulnerabilities in phpCommunity 2 2.1.8 a ...) NOT-FOR-US: phpCommunity CVE-2009-4885 (Cross-site scripting (XSS) vulnerability in templates/1/login.php in p ...) NOT-FOR-US: phpCommunity CVE-2009-4884 (Multiple SQL injection vulnerabilities in phpCommunity 2 2.1.8, when m ...) NOT-FOR-US: phpCommunity CVE-2009-4883 (SQL injection vulnerability in index.php in PHPRecipeBook 2.24 and 2.3 ...) NOT-FOR-US: PHPRecipeBook CVE-2010-2283 (The SMB dissector in Wireshark 0.99.6 through 1.0.13, and 1.2.0 throug ...) {DSA-2066-1} - wireshark 1.2.9-1 CVE-2010-2285 (The SMB PIPE dissector in Wireshark 0.8.20 through 1.0.13 and 1.2.0 th ...) {DSA-2066-1} - wireshark 1.2.9-1 CVE-2010-2284 (Buffer overflow in the ASN.1 BER dissector in Wireshark 0.10.13 throug ...) {DSA-2066-1} - wireshark 1.2.9-1 CVE-2010-2287 (Buffer overflow in the SigComp Universal Decompressor Virtual Machine ...) {DSA-2066-1} - wireshark 1.2.9-1 CVE-2010-2286 (The SigComp Universal Decompressor Virtual Machine dissector in Wiresh ...) {DSA-2066-1} - wireshark 1.2.9-1 CVE-2010-2262 (Galileo Students Team Weborf before 0.12.1 allows remote attackers to ...) - weborf 0.12.1-1 CVE-2010-2261 (Linksys WAP54Gv3 firmware 3.04.03 and earlier allows remote attackers ...) NOT-FOR-US: Linksys WAP54Gv3 CVE-2010-2260 (Multiple cross-site scripting (XSS) vulnerabilities in Gambit Design B ...) NOT-FOR-US: Gabmbit Design Bandwidth Meter CVE-2010-2259 (Directory traversal vulnerability in the BF Survey (com_bfsurvey) comp ...) NOT-FOR-US: com_bfsurvey component for joomla! CVE-2010-2258 (Cross-site scripting (XSS) vulnerability in signupconfirm.php in phpBa ...) NOT-FOR-US: phpBannerExchange CVE-2010-2257 (SQL injection vulnerability in index_ie.php in Pay Per Minute Video Ch ...) NOT-FOR-US: Pay Per Minute Video Chat Script CVE-2010-2256 (Multiple cross-site scripting (XSS) vulnerabilities in Pay Per Minute ...) NOT-FOR-US: Pay Per Minute Video Chat Script CVE-2010-2255 (SQL injection vulnerability in the BF Survey Pro (com_bfsurvey_pro) co ...) NOT-FOR-US: com_bfsurvey component for joomla! CVE-2010-2254 (SQL injection vulnerability in the Shape5 Bridge of Hope template for ...) NOT-FOR-US: joomla! CVE-2010-2253 (lwp-download in libwww-perl before 5.835 does not reject downloads to ...) - libwww-perl 5.835-1 (low) [lenny] - libwww-perl 5.813-1+lenny2 CVE-2010-2252 (GNU Wget 1.12 and earlier uses a server-provided filename instead of t ...) {DSA-2088-1} - wget 1.12-2.1 (low; bug #590296) CVE-2010-2251 (The get1 command, as used by lftpget, in LFTP before 4.0.6 does not pr ...) {DSA-2085-1} - lftp 4.0.6-1 (low) [lenny] - lftp (Minor issue) NOTE: http://www.ocert.org/advisories/ocert-2010-001.html CVE-2010-2249 (Memory leak in pngrutil.c in libpng before 1.2.44, and 1.4.x before 1. ...) {DSA-2072-1} - libpng 1.2.44-1 (low; bug #587670) - tuxonice-userui 1.0-1 (unimportant) NOTE: tuxonice-userui 1.0-1 was binNMUed CVE-2010-2248 (fs/cifs/cifssmb.c in the CIFS implementation in the Linux kernel befor ...) {DSA-2094-1} - linux-2.6 2.6.32-12 (low) CVE-2010-2247 (makepasswd 1.10 default settings generate insecure passwords ...) - makepasswd 1.10-5 (low; bug #564559) [lenny] - makepasswd 1.10-3+lenny1 CVE-2010-2246 (feh before 1.8, when the --wget-timestamp option is enabled, might all ...) - feh 1.8-1 (low; bug #587205) [lenny] - feh (Minor issue) CVE-2010-2245 (XML External Entity (XXE) vulnerability in Apache Wink 1.1.1 and earli ...) NOT-FOR-US: Apache Wink CVE-2010-2244 (The AvahiDnsPacket function in avahi-core/socket.c in avahi-daemon in ...) {DSA-2086-1} - avahi 0.6.26-1 CVE-2010-2243 (A vulnerability exists in kernel/time/clocksource.c in the Linux kerne ...) - linux-2.6 2.6.32-11 [lenny] - linux-2.6 (Vulnerable code not present) CVE-2010-2242 (Red Hat libvirt 0.2.0 through 0.8.2 creates iptables rules with improp ...) - libvirt 0.8.3-1 (low) [lenny] - libvirt 0.4.6-10+lenny1 CVE-2010-2241 (The (1) setup-ds.pl and (2) setup-ds-admin.pl setup scripts for Red Ha ...) NOT-FOR-US: Red Hat Directory Server CVE-2010-2240 (The do_anonymous_page function in mm/memory.c in the Linux kernel befo ...) {DSA-2094-1} - linux-2.6 2.6.32-21 CVE-2010-2239 (Red Hat libvirt, possibly 0.6.0 through 0.8.2, creates new images with ...) - libvirt 0.8.3-1 (low) [lenny] - libvirt (only affects >= 0.6.0) CVE-2010-2238 (Red Hat libvirt, possibly 0.7.2 through 0.8.2, recurses into disk-imag ...) - libvirt 0.8.3-1 [lenny] - libvirt (only affects >= 0.7.2) CVE-2010-2237 (Red Hat libvirt, possibly 0.6.1 through 0.8.2, looks up disk backing s ...) - libvirt 0.8.3-1 [lenny] - libvirt (only affects >= 0.6.1) CVE-2010-2236 (The monitoring probe display in spacewalk-java before 2.1.148-1 and Re ...) NOT-FOR-US: Red Hat Satellite CVE-2010-2235 (template_api.py in Cobbler before 2.0.7, as used in Red Hat Network Sa ...) - cobbler (Fixed before initial upload) CVE-2010-2233 (tif_getimage.c in LibTIFF 3.9.0 and 3.9.2 on 64-bit platforms, as used ...) - tiff 3.9.4-2 - tiff3 (fixed prior to initial upload) [lenny] - tiff (Only affects 3.9.x) CVE-2010-2232 (In Apache Derby 10.1.2.1, 10.2.2.0, 10.3.1.4, and 10.4.1.3, Export pro ...) - derby (Fixed before initial upload to Debian) NOTE: https://issues.apache.org/jira/browse/DERBY-2925 CVE-2010-2231 (Cross-site request forgery (CSRF) vulnerability in report/overview/rep ...) {DSA-2115-1} - moodle 1.9.9-1 (bug #586280) CVE-2010-2230 (The KSES text cleaning filter in lib/weblib.php in Moodle before 1.8.1 ...) {DSA-2115-1} - moodle 1.9.9-1 (bug #586280) - wordpress 3.0.4+dfsg-1 [lenny] - wordpress (2.x version is not affected) - egroupware (Only forks a minor subset of KSES) CVE-2010-2229 (Multiple cross-site scripting (XSS) vulnerabilities in blog/index.php ...) {DSA-2115-1} - moodle 1.9.9-1 (bug #586280) CVE-2010-2228 (Cross-site scripting (XSS) vulnerability in the MNET access-control in ...) {DSA-2115-1} - moodle 1.9.9-1 (bug #586280) CVE-2010-2227 (Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 be ...) {DSA-2207-1} - tomcat5.5 - tomcat6 6.0.28-1 (bug #588813) [lenny] - tomcat6 (Only ships the servlet package) CVE-2010-2226 (The xfs_swapext function in fs/xfs/xfs_dfrag.c in the Linux kernel bef ...) {DSA-2094-1} - linux-2.6 2.6.32-19 CVE-2010-2225 (Use-after-free vulnerability in the SplObjectStorage unserializer in P ...) {DSA-2089-1} - php5 5.3.3-1 CVE-2010-2224 (The snapshot merging functionality in Red Hat Enterprise Virtualizatio ...) NOT-FOR-US: Red Hat Enterprise Virtualization Manager (RHEV-M) CVE-2010-2223 (Virtual Desktop Server Manager (VDSM) in Red Hat Enterprise Virtualiza ...) - vdsm (bug #668538) CVE-2010-2222 (The _ger_parse_control function in Red Hat Directory Server 8 and the ...) NOT-FOR-US: Red Hat Directory Server CVE-2010-2221 (Multiple buffer overflows in the iSNS implementation in isns.c in (1) ...) - iscsitarget 1.4.20.1-1 CVE-2010-2220 (Adobe Flash Media Server (FMS) before 3.0.6, and 3.5.x before 3.5.4, a ...) NOT-FOR-US: Adobe Flash Media Server CVE-2010-2219 (Unspecified vulnerability in Adobe Flash Media Server (FMS) before 3.0 ...) NOT-FOR-US: Adobe Flash Media Server CVE-2010-2218 (Adobe Flash Media Server (FMS) before 3.0.6, and 3.5.x before 3.5.4, a ...) NOT-FOR-US: Adobe Flash Media Server CVE-2010-2217 (Adobe Flash Media Server (FMS) before 3.0.6, and 3.5.x before 3.5.4, a ...) NOT-FOR-US: Adobe Flash Media Server CVE-2010-2216 (Adobe Flash Player before 9.0.280 and 10.x before 10.1.82.76, and Adob ...) NOT-FOR-US: Adobe Flash Plugin CVE-2010-2215 (Adobe Flash Player before 9.0.280 and 10.x before 10.1.82.76, and Adob ...) NOT-FOR-US: Adobe Flash Plugin CVE-2010-2214 (Adobe Flash Player before 9.0.280 and 10.x before 10.1.82.76, and Adob ...) NOT-FOR-US: Adobe Flash Plugin CVE-2010-2213 (Adobe Flash Player before 9.0.280 and 10.x before 10.1.82.76, and Adob ...) NOT-FOR-US: Adobe Flash Plugin CVE-2010-2212 (Buffer overflow in Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x ...) NOT-FOR-US: Adobe Reader CVE-2010-2211 (Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Win ...) NOT-FOR-US: Adobe Reader CVE-2010-2210 (Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Win ...) NOT-FOR-US: Adobe Reader CVE-2010-2209 (Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Win ...) NOT-FOR-US: Adobe Reader CVE-2010-2208 (Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Win ...) NOT-FOR-US: Adobe Reader CVE-2010-2207 (Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Win ...) NOT-FOR-US: Adobe Reader CVE-2010-2206 (Array index error in AcroForm.api in Adobe Reader and Acrobat 9.x befo ...) NOT-FOR-US: Adobe Reader CVE-2010-2205 (Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Win ...) NOT-FOR-US: Adobe Reader CVE-2010-2204 (Unspecified vulnerability in Adobe Reader and Acrobat 9.x before 9.3.3 ...) NOT-FOR-US: Adobe Reader CVE-2010-2203 (Adobe Reader and Acrobat 9.x before 9.3.3 on UNIX allow attackers to e ...) NOT-FOR-US: Adobe Reader CVE-2010-2202 (Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Win ...) NOT-FOR-US: Adobe Reader CVE-2010-2201 (Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Win ...) NOT-FOR-US: Adobe Reader CVE-2010-2200 RESERVED CVE-2010-2199 (lib/fsm.c in RPM 4.8.0 and earlier does not properly reset the metadat ...) - rpm (bug #584257; unimportant) NOTE: Marking as unimportant since rpm isn't used as a package manager CVE-2010-2198 (lib/fsm.c in RPM 4.8.0 and earlier does not properly reset the metadat ...) - rpm (bug #584257; unimportant) NOTE: Marking as unimportant since rpm isn't used as a package manager CVE-2010-2197 (rpmbuild in RPM 4.8.0 and earlier does not properly parse the syntax o ...) - rpm 4.8.1-1 (low; bug #584257) [lenny] - rpm (Minor issue) CVE-2005-4889 (lib/fsm.c in RPM before 4.4.3 does not properly reset the metadata of ...) - rpm 4.7.0-1 (bug #584257; unimportant) NOTE: Marking as unimportant since rpm isn't used as a package manager CVE-2004-2768 (dpkg 1.9.21 does not properly reset the metadata of a file during repl ...) - dpkg 1.10.19 (bug #225692) CVE-2010-2196 RESERVED CVE-2010-2195 (bozotic HTTP server (aka bozohttpd) 20090522 through 20100512 allows a ...) - bozohttpd 20100621-1 (low; bug #590298) [lenny] - bozohttpd (Only affects 20090522 to 20100512) CVE-2010-2194 RESERVED CVE-2010-2193 (Multiple unspecified vulnerabilities in the CA (1) PSFormX and (2) Web ...) NOT-FOR-US: CA Global Advisor CVE-2010-2192 (The make_lockdir_name function in policy.c in pmount 0.9.18 allow loca ...) {DSA-2063-1} - pmount 0.9.23-1 CVE-2010-2191 (The (1) parse_str, (2) preg_match, (3) unpack, and (4) pack functions; ...) - php5 5.3.3-1 (unimportant) NOTE: Only triggerable through malicious script CVE-2010-2190 (The (1) trim, (2) ltrim, (3) rtrim, and (4) substr_replace functions i ...) - php5 (unimportant) NOTE: Only triggerable through malicious script CVE-2010-2189 (Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Ad ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2188 (Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Ad ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2187 (Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Ad ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2186 (Unspecified vulnerability in Adobe Flash Player before 9.0.277.0 and 1 ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2185 (Buffer overflow in Adobe Flash Player before 9.0.277.0 and 10.x before ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2184 (Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Ad ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2183 (Integer overflow in Adobe Flash Player before 9.0.277.0 and 10.x befor ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2182 (Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Ad ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2181 (Integer overflow in Adobe Flash Player before 9.0.277.0 and 10.x befor ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2180 (Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Ad ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2179 (Cross-site scripting (XSS) vulnerability in Adobe Flash Player before ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2178 (Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Ad ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2177 (Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Ad ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2176 (Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Ad ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2175 (Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Ad ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2174 (Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Ad ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2173 (Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Ad ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2172 (Adobe Flash Player 9 before 9.0.277.0 on unspecified UNIX platforms al ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2171 (Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Ad ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2170 (Integer overflow in Adobe Flash Player before 9.0.277.0 and 10.x befor ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2169 (Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Ad ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2168 (Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Win ...) NOT-FOR-US: Adobe Reader CVE-2010-2167 (Multiple heap-based buffer overflows in Adobe Flash Player before 9.0. ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2166 (Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Ad ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2165 (Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Ad ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2164 (Use-after-free vulnerability in Adobe Flash Player before 9.0.277.0 an ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2163 (Multiple unspecified vulnerabilities in Adobe Flash Player before 9.0. ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2162 (Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Ad ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2161 (Array index error in Adobe Flash Player before 9.0.277.0 and 10.x befo ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2160 (Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Ad ...) NOT-FOR-US: Adobe Flash Player CVE-2010-2159 (Dameng DM Database Server allows remote authenticated users to cause a ...) NOT-FOR-US: Dameng DM Database CVE-2010-2158 (Multiple cross-site scripting (XSS) vulnerabilities in the Storm modul ...) NOT-FOR-US: Storm module for Drupal CVE-2010-2157 (Unspecified vulnerability in CA ARCserve Backup r11.5 SP4, r12.0 SP2, ...) NOT-FOR-US: CA ARCserve CVE-2010-2156 (ISC DHCP 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1 allows remote att ...) - isc-dhcp 4.1.1-P1-1 - dhcp3 (Only affects DHCP 4.x) - dhcp (Only affects DHCP 4.x) NOTE: http://www.isc.org/software/dhcp/advisories/cve-2010-2156 CVE-2010-2155 (Multiple cross-site scripting (XSS) vulnerabilities in zc/publisher/ht ...) {DSA-2056-1} - zonecheck 2.1.1-1 (bug #583290) CVE-2010-2154 (Cross-site scripting (XSS) vulnerability in the Search Site in CMScout ...) NOT-FOR-US: CMScout CVE-2010-2153 (Unrestricted file upload vulnerability in admin/code/tce_functions_tce ...) NOT-FOR-US: TCExam CVE-2010-2152 (Unspecified vulnerability in JustSystems Ichitaro 2004 through 2009, I ...) NOT-FOR-US: JustSystems Ichitaro CVE-2010-2151 (Cross-site request forgery (CSRF) vulnerability in Fujitsu e-Pares V01 ...) NOT-FOR-US: Fujitsu e-Pares CVE-2010-2150 (Cross-site scripting (XSS) vulnerability Fujitsu e-Pares V01 L01 allow ...) NOT-FOR-US: Fujitsu e-Pares CVE-2010-2149 (Session fixation vulnerability in Fujitsu e-Pares V01 L01, L03, L10, L ...) NOT-FOR-US: Fujitsu e-Pares CVE-2010-2148 (SQL injection vulnerability in the My Car (com_mycar) component 1.0 fo ...) NOT-FOR-US: My Car for Joomla CVE-2010-2147 (Cross-site scripting (XSS) vulnerability in the My Car (com_mycar) com ...) NOT-FOR-US: My Car for Joomla CVE-2010-2146 (PHP remote file inclusion vulnerability in banned.php in Visitor Logge ...) NOT-FOR-US: Visitor Logger CVE-2010-2145 (Multiple PHP remote file inclusion vulnerabilities in ClearSite Beta 4 ...) NOT-FOR-US: ClearSite CVE-2010-2144 (Cross-site scripting (XSS) vulnerability in signinform.php in Zeeways ...) NOT-FOR-US: Zeeways eBay Clone auction script CVE-2010-2143 (Directory traversal vulnerability in index.php in Symphony CMS 2.0.7 a ...) NOT-FOR-US: Symphony CMS CVE-2010-2142 (SQL injection vulnerability in default.asp in Cyberhost allows remote ...) NOT-FOR-US: Cyberhost CVE-2010-2141 (SQL injection vulnerability in index.php in NITRO Web Gallery allows r ...) NOT-FOR-US: NITRO Web Gallery CVE-2010-2140 (SQL injection vulnerability in itemdetail.php in Multishop CMS allows ...) NOT-FOR-US: Multishop CMS CVE-2010-2139 (SQL injection vulnerability in pages.php in Multishop CMS allows remot ...) NOT-FOR-US: Multishop CMS CVE-2010-2138 (Multiple directory traversal vulnerabilities in ProMan 0.1.1 and earli ...) NOT-FOR-US: ProMan CVE-2010-2137 (PHP remote file inclusion vulnerability in _center.php in ProMan 0.1.1 ...) NOT-FOR-US: ProMan CVE-2010-2136 (Directory traversal vulnerability in admin/index.php in Article Friend ...) NOT-FOR-US: Article Friendly CVE-2010-2135 (Multiple SQL injection vulnerabilities in login.php in HazelPress Lite ...) NOT-FOR-US: HazelPress Lite CVE-2010-2134 (Multiple SQL injection vulnerabilities in login.php in Project Man 1.0 ...) NOT-FOR-US: Project Man CVE-2010-2133 (SQL injection vulnerability in contact.php in My Little Forum allows r ...) NOT-FOR-US: My Little Forum CVE-2010-2132 (Multiple PHP remote file inclusion vulnerabilities in Open Education S ...) NOT-FOR-US: Open Education System CVE-2010-2131 (SQL injection vulnerability in the Calendar Base (cal) extension befor ...) NOT-FOR-US: TYPO3 extenson Calendar Base CVE-2010-2130 (Cross-site scripting (XSS) vulnerability in wflogin.jsp in Aris Global ...) NOT-FOR-US: Aris Global ARISg CVE-2009-4882 (Cross-site scripting (XSS) vulnerability in zc/publisher/html.rb in Zo ...) {DSA-2056-1} - zonecheck 2.1.1-1 (bug #583290) CVE-2008-7256 (mm/shmem.c in the Linux kernel before 2.6.28-rc8, when strict overcomm ...) - linux-2.6 2.6.28-1 (low) [lenny] - linux-2.6 2.6.26-23 CVE-2010-2129 (Directory traversal vulnerability in the JE Ajax Event Calendar (com_j ...) NOT-FOR-US: JE Ajax Event Calenda CVE-2010-2128 (Directory traversal vulnerability in the JE Quotation Form (com_jequot ...) NOT-FOR-US: JE Quotation Form for Joomla CVE-2010-2127 (PHP remote file inclusion vulnerability in gallery.php in JV2 Folder G ...) NOT-FOR-US: JV2 Folder Gallery CVE-2010-2126 (Multiple PHP remote file inclusion vulnerabilities in Snipe Gallery 3. ...) NOT-FOR-US: Snipe Gallery CVE-2010-2125 (Multiple cross-site scripting (XSS) vulnerabilities in the Rotor Banne ...) NOT-FOR-US: Rotor Banner module for Drupal CVE-2010-2124 (SQL injection vulnerability in firma.php in Bartels Schone ConPresso 4 ...) NOT-FOR-US: Bartels Schone ConPresso CVE-2010-2123 (Multiple cross-site scripting (XSS) vulnerabilities in the Storm modul ...) NOT-FOR-US: Storm module for Drupal CVE-2010-2122 (Directory traversal vulnerability in the SimpleDownload (com_simpledow ...) NOT-FOR-US: SimpleDownload for Joomla CVE-2010-2121 (Opera 9.52 allows remote attackers to cause a denial of service (resou ...) NOT-FOR-US: Opera CVE-2010-2120 (Google Chrome 1.0.154.48 allows remote attackers to cause a denial of ...) NOT-FOR-US: Unclear, historic Chrome issue CVE-2010-2119 (Microsoft Internet Explorer 6.0.2900.2180 allows remote attackers to c ...) NOT-FOR-US: MS IE CVE-2010-2118 (Microsoft Internet Explorer 6.0.2900.2180 and 8.0.7600.16385 allows re ...) NOT-FOR-US: MS IE CVE-2010-2117 (Mozilla Firefox 3.0.19, 3.5.x, and 3.6.x allows remote attackers to ca ...) - xulrunner (unimportant) CVE-2009-4881 (Integer overflow in the __vstrfmon_l function in stdlib/strfmon_l.c in ...) {DSA-2058-1} - eglibc 2.10.1-1 (unimportant) - glibc 2.11.1-1 (unimportant) NOTE: http://sourceware.org/git/?p=glibc.git;a=commit;h=153aa31b93be22e01b236375fb02a9f9b9a0195f CVE-2009-4880 (Multiple integer overflows in the strfmon implementation in the GNU C ...) {DSA-2058-1} - eglibc 2.11.1-1 (unimportant) - glibc 2.11.1-1 (unimportant) NOTE: http://sourceware.org/git/?p=glibc.git;a=commit;h=199eb0de8d673fb23aa127721054b4f1803d61f3 CVE-2010-2116 (The web interface in McAfee Email Gateway (formerly IronMail) 6.7.1 al ...) NOT-FOR-US: McAfee Email Gateway CVE-2010-2115 (SolarWinds TFTP Server 10.4.0.10 allows remote attackers to cause a de ...) NOT-FOR-US: SolarWinds TFTP Server CVE-2010-2114 (Cross-site request forgery (CSRF) vulnerability in pbx/gate in Brekeke ...) NOT-FOR-US: Brekeke PBX CVE-2010-2113 (Multiple cross-site request forgery (CSRF) vulnerabilities in The Unif ...) NOT-FOR-US: The Uniform Server CVE-2010-2112 (Directory traversal vulnerability in the FTP service in FileCOPA befor ...) NOT-FOR-US: FileCOPA CVE-2010-2111 (Cross-site request forgery (CSRF) vulnerability in user/user-set.do in ...) NOT-FOR-US: Pacific Timesheet CVE-2010-2110 (Google Chrome before 5.0.375.55 does not properly execute JavaScript c ...) - chromium-browser 5.0.375.55~r47796-1 - webkit (issue in chrome's libv8 bindings) NOTE: http://trac.webkit.org/changeset/58229 CVE-2010-2109 (Unspecified vulnerability in Google Chrome before 5.0.375.55 allows us ...) - chromium-browser 5.0.375.55~r47796-1 - webkit 1.2.1-2 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) NOTE: http://trac.webkit.org/changeset/58441 CVE-2010-2108 (Unspecified vulnerability in Google Chrome before 5.0.375.55 allows re ...) - chromium-browser 5.0.375.55~r47796-1 - webkit (chrome-specific issue) CVE-2010-2107 (Unspecified vulnerability in Google Chrome before 5.0.375.55 allows at ...) - chromium-browser 5.0.375.55~r47796-1 - webkit (doesn't have safebrowsing feature) CVE-2010-2106 (Unspecified vulnerability in Google Chrome before 5.0.375.55 might all ...) - chromium-browser 5.0.375.55~r47796-1 - webkit (chrome-specific issue) CVE-2010-2105 (Google Chrome before 5.0.375.55 does not properly follow the Safe Brow ...) - chromium-browser 5.0.375.55~r47796-1 - webkit (doesn't have safebrowsing feature) CVE-2010-2104 (Directory traversal vulnerability in Orbit Downloader 3.0.0.4 and 3.0. ...) NOT-FOR-US: Orbit Downloader CVE-2010-2103 (Cross-site scripting (XSS) vulnerability in axis2-admin/axis2-admin/en ...) - axis (axis != axis2, vulnerable code not present) CVE-2010-2102 (Buffer overflow in Webby Webserver 1.01 allows remote attackers to exe ...) NOT-FOR-US: Webby Webserver CVE-2010-2101 (The (1) strip_tags, (2) setcookie, (3) strtok, (4) wordwrap, (5) str_w ...) - php5 (unimportant) NOTE: Only triggerable through malicious script CVE-2010-2100 (The (1) htmlentities, (2) htmlspecialchars, (3) str_getcsv, (4) http_b ...) - php5 (unimportant) NOTE: Only triggerable through malicious script CVE-2010-2099 (bbcode/php.bb in e107 0.7.20 and earlier does not perform access contr ...) NOT-FOR-US: e107 CVE-2010-2098 (Incomplete blacklist vulnerability in usersettings.php in e107 0.7.20 ...) NOT-FOR-US: e107 CVE-2010-2097 (The (1) iconv_mime_decode, (2) iconv_substr, and (3) iconv_mime_encode ...) - php5 (unimportant) NOTE: Only triggerable through malicious script CVE-2010-2096 (Directory traversal vulnerability in index.php in CMSQlite 1.2 and ear ...) NOT-FOR-US: CMSQlite CVE-2010-2095 (SQL injection vulnerability in index.php in CMSQlite 1.2 and earlier a ...) NOT-FOR-US: CMSQlite CVE-2010-2094 (Multiple format string vulnerabilities in the phar extension in PHP 5. ...) - php5 5.3.3-1 (low) [lenny] - php5 (Vulnerable code not present) CVE-2010-2093 (Use-after-free vulnerability in the request shutdown functionality in ...) - php5 5.3.3-1 (unimportant) NOTE: Only triggerable through malicious script CVE-2010-2092 (SQL injection vulnerability in graph.php in Cacti 0.8.7e and earlier a ...) {DSA-2060-1} - cacti 0.8.7e-4 (bug #582691) CVE-2010-2091 (Microsoft Outlook Web Access (OWA) 8.2.254.0, when Internet Explorer 7 ...) NOT-FOR-US: Microsoft OWA CVE-2010-2090 (The npb_protocol_error function in sna V5router64 in IBM Communication ...) NOT-FOR-US: IBM Communications Server CVE-2010-2089 (The audioop module in Python 2.7 and 3.2 does not verify the relations ...) - python3.1 3.1.2+20100706-1 (low) - python2.7 2.7-1 (low) - python2.6 2.6.5+20100706-1 (low) - python2.5 2.5.5-10 (low; bug #599739) [lenny] - python2.5 (Minor issue) - python2.4 (low) [lenny] - python2.4 (Minor issue) CVE-2010-2088 (ASP.NET in Microsoft .NET 3.5 does not properly handle an unencrypted ...) NOT-FOR-US: Microsoft .NET CVE-2010-2087 (Oracle Mojarra 1.2_14 and 2.0.2, as used in IBM WebSphere Application ...) - mojarra (unimportant; bug #611130) NOTE: Affected feature is fundamentally insecure CVE-2010-2086 (Apache MyFaces 1.1.7 and 1.2.8, as used in IBM WebSphere Application S ...) NOT-FOR-US: Apache MyFaces CVE-2010-2085 (The default configuration of ASP.NET in Microsoft .NET before 1.1 has ...) NOT-FOR-US: Microsoft .NET CVE-2010-2084 (Microsoft ASP.NET 2.0 does not prevent setting the InnerHtml property ...) NOT-FOR-US: Microsoft .NET CVE-2010-2083 (Microsoft Dynamics GP has a default value of ACCESS for the system pas ...) NOT-FOR-US: Microsoft Dynamics GP CVE-2010-2082 (The web interface on the Cisco Scientific Atlanta WebSTAR DPC2100R2 ca ...) NOT-FOR-US: Cisco CVE-2010-2081 RESERVED CVE-2010-2080 (Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Req ...) - otrs2 2.4.8+dfsg1-1 [lenny] - otrs2 (Only affects OTRS 2.3 and 2.4) CVE-2009-4879 (The Identity Server in Novell Access Manager before 3.1 SP1 allows att ...) NOT-FOR-US: Novell Access Manager CVE-2009-4878 (Unspecified vulnerability in the Administration Console in Novell Acce ...) NOT-FOR-US: Novell Access Manager CVE-2009-4877 (Multiple cross-site request forgery (CSRF) vulnerabilities in WebGUI b ...) - webgui 7.7.22-1 CVE-2009-4876 (admin/cikkform.php in Netrix CMS 1.0 allows remote attackers to modify ...) NOT-FOR-US: Netrix CMS CVE-2009-4875 (FCKeditor.Java 2.4 allows remote attackers to cause a denial of servic ...) NOT-FOR-US: FCKeditor.Java, different than fckeditor in the archive CVE-2009-4874 (TalkBack 2.3.14 does not properly restrict access to the edit comment ...) NOT-FOR-US: TalkBack CVE-2009-4873 (Stack-based buffer overflow in the HTTP server in Rhino Software Serv- ...) NOT-FOR-US: Rhino Software Serv-U Web Client CVE-2010-2079 (DataTrack System 3.5 allows remote attackers to bypass intended restri ...) NOT-FOR-US: DataTrack System CVE-2010-2078 (DataTrack System 3.5 allows remote attackers to list the root director ...) NOT-FOR-US: DataTrack System CVE-2010-2077 REJECTED CVE-2010-2076 (Apache CXF 2.0.x before 2.0.13, 2.1.x before 2.1.10, and 2.2.x before ...) NOT-FOR-US: Apache CXF CVE-2010-2075 (UnrealIRCd 3.2.8.1, as distributed on certain mirror sites from Novemb ...) - unrealircd (bug #515130) CVE-2010-2074 (istream.c in w3m 0.5.2 and possibly other versions, when ssl_verify_se ...) - w3m 0.5.2-5 (low; bug #587445) [lenny] - w3m 0.5.2-2+lenny1 CVE-2010-2073 (auth_db_config.py in Pyftpd 0.8.4 contains hard-coded usernames and pa ...) - pyftpd 0.8.5 (low; bug #585776) [lenny] - pyftpd 0.8.4.6+lenny1 CVE-2010-2072 (Pyftpd 0.8.4 creates log files with predictable names in a temporary d ...) - pyftpd 0.8.5 (low; bug #585773) [lenny] - pyftpd 0.8.4.6+lenny1 CVE-2010-2071 (The btrfs_xattr_set_acl function in fs/btrfs/acl.c in btrfs in the Lin ...) - linux-2.6 2.6.32-16 [lenny] - linux-2.6 (btrfs introduced in 2.6.29) CVE-2010-2070 (arch/ia64/xen/faults.c in Xen 3.4 and 4.0 in Linux kernel 2.6.18, and ...) - xen-3 3.2.1-2 NOTE: The respective patch is present in Lenny's version of xen-3, might be fixed even earlier CVE-2010-2069 REJECTED CVE-2010-2068 (mod_proxy_http.c in mod_proxy_http in the Apache HTTP Server 2.2.9 thr ...) - apache2 (does not affect UNIX, only Windows, etc.) CVE-2010-2067 (Stack-based buffer overflow in the TIFFFetchSubjectDistance function i ...) - tiff 3.9.4-1 - tiff3 (fixed prior to initial upload) [lenny] - tiff (Only affects 3.9.x) CVE-2010-2066 (The mext_check_arguments function in fs/ext4/move_extent.c in the Linu ...) - linux-2.6 2.6.32-21 [lenny] - linux-2.6 (Vulnerable code introduced in 2.6.31) CVE-2010-2065 (Integer overflow in the TIFFroundup macro in LibTIFF before 3.9.3 allo ...) - tiff 3.9.4-1 - tiff3 (fixed prior to initial upload) [lenny] - tiff (Only affects 3.9.x) NOTE: https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/589145 NOTE: https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/589565 CVE-2010-2064 (rpcbind 0.2.0 allows local users to write to arbitrary files or gain p ...) - rpcbind 0.2.0-4.1 NOTE: This version changed the state directory to /var/run/rpcbind, which is only writable by root CVE-2010-2063 (Buffer overflow in the SMB1 packet chaining implementation in the chai ...) {DSA-2061-1} - samba 2:3.4.0~pre1-1 (high) NOTE: the affected code has been completely rewritten since 3.4.x CVE-2010-2062 (Integer underflow in the real_get_rdt_chunk function in real.c, as use ...) {DSA-2044-1 DSA-2043-1} - vlc 1.0.1-1 [lenny] - vlc 0.8.6.h-4+lenny2.3 - mplayer 2:1.0~rc3+svn20100502-3 (medium; bug #581245) [lenny] - mplayer 1.0~rc2-17+lenny3.2 - xine-lib (immune due to additional check in xio_rw_abbort()) NOTE: http://git.videolan.org/?p=vlc.git;a=commitdiff;h=dc74600c97eb834c08674676e209afa842053aca NOTE: http://dzcore.wordpress.com/2009/07/27/dzc-2009-001-the-movie-player-and-vlc-media-player-real-data-transport-parsing-integer-underflow/ NOTE: DSA-2043 and DSA-2044 CVE-2010-2061 (rpcbind 0.2.0 does not properly validate (1) /tmp/portmap.xdr and (2) ...) - rpcbind 0.2.0-4.1 CVE-2010-2060 (The put command functionality in beanstalkd 1.4.5 and earlier allows r ...) - beanstalkd 1.4.6-1 (unimportant; bug #585162) NOTE: Package description reads: "Beanstalkd is meant to be ran in a trusted network, NOTE: "as it has no authorisation/authentication mechanisms". So this is likely a non-issue CVE-2010-2059 (lib/fsm.c in RPM 4.8.0 and unspecified 4.7.x and 4.6.x versions, and R ...) - rpm 4.8.1-1 (bug #584257; unimportant) NOTE: Marking as unimportant since rpm isn't used as a package manager CVE-2010-2058 (setup.py in Prewikka 0.9.14 installs prewikka.conf with world-readable ...) - prewikka 1.0.0-1.1 (low; bug #584469) [lenny] - prewikka (The insecure permissions only apply for a very short timeframe during pkg update) NOTE: FEDORA-2009-3761 http://lwn.net/Articles/330642 CVE-2010-2057 (shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2. ...) NOT-FOR-US: Apache MyFaces CVE-2010-2056 (GNU gv before 3.7.0 allows local users to overwrite arbitrary files vi ...) - gv 1:3.7.1-1 (low) [lenny] - gv (Minor issue) CVE-2010-2055 (Ghostscript 8.71 and earlier reads initialization files from the curre ...) - ghostscript 8.71~dfsg2-6.1 (bug #584653; bug #592569; bug #584663) [lenny] - ghostscript (too risky for regressions) CVE-2010-2054 (Integer overflow in httpAdapter.c in httpAdapter in SBLIM SFCB 1.3.4 t ...) NOT-FOR-US: SBLIM SFCB CVE-2010-2053 (emesenelib/ProfileManager.py in emesene before 1.6.2 allows local user ...) - emesene 1.6.2-1 (low) [lenny] - emesene (Introduced in 1.6.1) CVE-2010-2052 REJECTED CVE-2010-2051 (SQL injection vulnerability in article.php in Debliteck DBCart allows ...) NOT-FOR-US: Debliteck DBCart CVE-2010-2050 (Directory traversal vulnerability in the Moron Solutions MS Comment (c ...) NOT-FOR-US: Moron Solutions MS Comment CVE-2010-2049 (Cross-site scripting (XSS) vulnerability in jsp/audit/reports/ExportRe ...) NOT-FOR-US: ManageEngine ADAudit Plus CVE-2010-2048 (Multiple cross-site scripting (XSS) vulnerabilities in the Heartbeat m ...) NOT-FOR-US: Heartbeat module for Drupal CVE-2010-2047 (SQL injection vulnerability in index.php in JE CMS 1.0.0 and 1.1 allow ...) NOT-FOR-US: JE CMS CVE-2010-2046 (Multiple cross-site scripting (XSS) vulnerabilities in the ActiveHelpe ...) NOT-FOR-US: ActiveHelper LiveHelp for Joomla CVE-2010-2045 (Directory traversal vulnerability in the Dione Form Wizard (aka FDione ...) NOT-FOR-US: Dione Form Wizard CVE-2010-2044 (SQL injection vulnerability in the Konsultasi (com_konsultasi) compone ...) NOT-FOR-US: Konsultasi for Joomla CVE-2010-2043 (Cross-site scripting (XSS) vulnerability in Home.aspx in DataTrack Sys ...) NOT-FOR-US: DataTrack System CVE-2010-2042 (SQL injection vulnerability in search.php in ECShop 2.7.2 allows remot ...) NOT-FOR-US: ECShop CVE-2010-2041 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in PH ...) NOT-FOR-US: PHP-Calendar CVE-2010-2040 (Cross-site scripting (XSS) vulnerability in search.php in V-EVA Shopzi ...) NOT-FOR-US: V-EVA Shopzilla script CVE-2010-2039 (Cross-site request forgery (CSRF) vulnerability in gpEasy CMS 1.6.2, 1 ...) NOT-FOR-US: gpEasy CMS CVE-2010-2038 (Cross-site scripting (XSS) vulnerability in include/tool/editing_files ...) NOT-FOR-US: gpEasy CMS CVE-2010-2037 (Directory traversal vulnerability in the Percha Downloads Attach (com_ ...) NOT-FOR-US: Percha CVE-2010-2036 (Directory traversal vulnerability in the Percha Fields Attach (com_per ...) NOT-FOR-US: Percha CVE-2010-2035 (Directory traversal vulnerability in the Percha Gallery (com_perchagal ...) NOT-FOR-US: Percha CVE-2010-2034 (Directory traversal vulnerability in the Percha Image Attach (com_perc ...) NOT-FOR-US: Percha CVE-2010-2033 (Directory traversal vulnerability in the Percha Multicategory Article ...) NOT-FOR-US: Percha CVE-2010-2032 (Multiple cross-site scripting (XSS) vulnerabilities in resin-admin/dig ...) NOT-FOR-US: Caucho Technology Resin Professional CVE-2010-2031 (KAVSafe.sys 2010.4.14.609 and earlier, as used in Kingsoft Webshield 3 ...) NOT-FOR-US: Kingsoft Webshield CVE-2010-2030 (Cross-site scripting (XSS) vulnerability in the External Link Page mod ...) NOT-FOR-US: External Link Page module for Drupal CVE-2010-2029 (Cybozu Office 7 Ktai and Dotsales do not properly restrict access to t ...) NOT-FOR-US: Cybozu Office and Dotsales CVE-2010-2028 (Buffer overflow in k23productions TFTPUtil GUI (aka TFTPGUI) 1.4.5 all ...) NOT-FOR-US: k23productions TFTPGUI CVE-2010-2027 (Mathematica 7, when running on Linux, allows local users to overwrite ...) NOT-FOR-US: Mathematica CVE-2010-2026 (The web interface on the Cisco Scientific Atlanta WebSTAR DPC2100R2 ca ...) NOT-FOR-US: Cisco CVE-2010-2025 (Multiple cross-site request forgery (CSRF) vulnerabilities in the web ...) NOT-FOR-US: Cisco CVE-2010-2024 (transports/appendfile.c in Exim before 4.72, when MBX locking is enabl ...) - exim4 4.72-1 (low) [lenny] - exim4 (Minor issue) CVE-2010-2023 (transports/appendfile.c in Exim before 4.72, when a world-writable sti ...) - exim4 4.72-1 (low) [lenny] - exim4 (Minor issue) CVE-2010-2022 (jail.c in jail in FreeBSD 8.0 and 8.1-PRERELEASE, when the "-l -U root ...) - kfreebsd-6 (jail binary not yet provided, see bug #584930) - kfreebsd-7 (jail binary not yet provided, see bug #584930) - kfreebsd-8 (jail binary not yet provided, see bug #584930) CVE-2010-2021 (Open redirect vulnerability in the Global Redirect module 6.x-1.x befo ...) NOT-FOR-US: Global Redirect module for Drupal is not in Debian CVE-2010-2020 (sys/nfsclient/nfs_vfsops.c in the NFS client in the kernel in FreeBSD ...) - kfreebsd-6 [lenny] - kfreebsd-6 (Minor issue, not enabled by default) - kfreebsd-7 7.3-2 [lenny] - kfreebsd-7 (Minor issue, not enabled by default) - kfreebsd-8 8.0-6 (bug #584930) CVE-2010-2019 (SQL injection vulnerability in downlot.php in Lokomedia CMS 1.4.1, whe ...) NOT-FOR-US: Lokomedia CMS CVE-2010-2018 (Directory traversal vulnerability in downlot.php in Lokomedia CMS 1.4. ...) NOT-FOR-US: Lokomedia CMS CVE-2010-2017 (Cross-site scripting (XSS) vulnerability in hasil-pencarian.html in Lo ...) NOT-FOR-US: Lokomedia CMS CVE-2010-2016 (SQL injection vulnerability in details.php in Iceberg CMS allows remot ...) NOT-FOR-US: Iceberg CMS CVE-2010-2015 (Multiple SQL injection vulnerabilities in LiSK CMS 4.4 allow remote at ...) NOT-FOR-US: LiSK CMS CVE-2010-2014 (Cross-site scripting (XSS) vulnerability in cp/list_content.php in LiS ...) NOT-FOR-US: LiSK CMS CVE-2010-2013 (Cross-site scripting (XSS) vulnerability in cp/edit_email.php in LiSK ...) NOT-FOR-US: LiSK CMS CVE-2010-2012 (SQL injection vulnerability in function.php in MigasCMS 1.1, when magi ...) NOT-FOR-US: MigasCMS CVE-2006-7239 (The _gnutls_x509_oid2mac_algorithm function in lib/gnutls_algorithms.c ...) - gnutls26 (fix is present in lenny/sid; fixed originally in upstream 1.4.2, which precedes 26) CVE-2010-2011 (Microsoft Dynamics GP uses a substitution cipher to encrypt the system ...) NOT-FOR-US: Microsoft Dynamics GP CVE-2010-2010 (Multiple cross-site scripting (XSS) vulnerabilities in the Chaos Tool ...) NOT-FOR-US: CTools module for Drupal CVE-2010-2009 (Stack-based buffer overflow in the media library in BS.Global BS.Playe ...) NOT-FOR-US: BS.Global BS.Player CVE-2010-2008 (MySQL before 5.1.48 allows remote authenticated users with alter datab ...) - mysql-5.1 5.1.48-1 - mysql-dfsg-5.0 (Only affects MySQL 5.1 onwards) CVE-2010-2007 (Multiple cross-site request forgery (CSRF) vulnerabilities in LetoDMS ...) - mydms (bug #590904; low) [lenny] - mydms (Minor issue) NOTE: seems to have changed name to letoDMS CVE-2010-2006 (Directory traversal vulnerability in op/op.Login.php in LetoDMS (forme ...) {DSA-2146-1} - mydms 1.7.2+1.7.3-1.1 (bug #582587; medium) NOTE: seems to have changed name to letoDMS CVE-2010-2005 (Multiple PHP remote file inclusion vulnerabilities in DataLife Engine ...) NOT-FOR-US: Datalife Engine CVE-2010-2004 (Stack-based buffer overflow in BS.Global BS.Player 2.51 Build 1022 Fre ...) NOT-FOR-US: BS.Player CVE-2010-2003 (Cross-site scripting (XSS) vulnerability in misc/get_admin.php in Adva ...) NOT-FOR-US: Advanced Poll CVE-2010-2002 (Cross-site scripting (XSS) vulnerability in the Wordfilter module 5.x ...) NOT-FOR-US: Wordfilter module for Drupal CVE-2010-2001 (Cross-site scripting (XSS) vulnerability in the CiviRegister module be ...) NOT-FOR-US: CiviRegister module for Drupal CVE-2010-2000 (Cross-site scripting (XSS) vulnerability in the Bibliography (Biblio) ...) NOT-FOR-US: Biblio module for Drupal CVE-2010-1999 (Directory traversal vulnerability in scr/soustab.php in OpenMairie Ope ...) NOT-FOR-US: OpenMairie CVE-2010-1998 (Cross-site scripting (XSS) vulnerability in the CCK TableField module ...) NOT-FOR-US: CCK TableField module for Drupal CVE-2010-1997 (Cross-site scripting (XSS) vulnerability in admin/edit.php in Saurus C ...) NOT-FOR-US: Saurus CMS CVE-2010-1996 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in To ...) NOT-FOR-US: Tomato CMS CVE-2010-1995 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in To ...) NOT-FOR-US: Tomato CMS CVE-2010-1994 (SQL injection vulnerability in index.php in TomatoCMS before 2.0.5 all ...) NOT-FOR-US: Tomato CMS CVE-2010-1993 (Opera 9.52 does not properly handle an IFRAME element with a mailto: U ...) NOT-FOR-US: Opera CVE-2010-1992 (Google Chrome 1.0.154.48 executes a mail application in situations whe ...) - chromium-browser (unimportant) NOTE: http://translate.google.com/translate?hl=en&u=http://websecurity.com.ua/4206/&sl=uk&tl=en NOTE: poc is just one window, but can be changed to open many NOTE: this is a dos-only attack, so its considered unimportant CVE-2010-1991 (Microsoft Internet Explorer 6.0.2900.2180, 7, and 8.0.7600.16385 execu ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-1990 (Mozilla Firefox 3.6.x, 3.5.x, 3.0.19, and earlier, and SeaMonkey, exec ...) - xulrunner (unimportant; bug #582590) - iceape (unimportant) NOTE: browser dos attacks are not considered security-relevant CVE-2010-1989 (Opera 9.52 executes a mail application in situations where an IMG elem ...) NOT-FOR-US: Opera CVE-2010-1988 (Mozilla Firefox 3.6.3 on Windows XP SP3 allows remote attackers to cau ...) - xulrunner (unimportant) - iceape (unimportant) NOTE: these poc's do lead to heavy resource consumption on xulrunner 1.9.1.9, but it does not crash (that may be a windows-specific symptom) CVE-2010-1987 (Mozilla Firefox 3.6.3 on Windows XP SP3 allows remote attackers to cau ...) - xulrunner (unimportant) - iceape (unimportant) NOTE: these poc's do lead to heavy resource consumption on xulrunner 1.9.1.9, but it does not crash (that may be a windows-specific symptom) CVE-2010-1986 (Mozilla Firefox 3.6.3 on Windows XP SP3 allows remote attackers to cau ...) - xulrunner (unimportant) - iceape (unimportant) NOTE: these poc's do lead to heavy resource consumption on xulrunner 1.9.1.9, but it does not crash (that may be a windows-specific symptom) CVE-2010-1985 (Multiple cross-site scripting (XSS) vulnerabilities in the administrat ...) NOT-FOR-US: Six Apart Movable type CVE-2010-1984 (Cross-site scripting (XSS) vulnerability in the Taxonomy Breadcrumb mo ...) NOT-FOR-US: Taxonomy Breadcrumb module for Drupal CVE-2010-1983 (Directory traversal vulnerability in the redTWITTER (com_redtwitter) c ...) NOT-FOR-US: com_redtwitter component for joomla! CVE-2010-1982 (Directory traversal vulnerability in the JA Voice (com_javoice) compon ...) NOT-FOR-US: com_javoice component for joomla! CVE-2010-1981 (Directory traversal vulnerability in the Fabrik (com_fabrik) component ...) NOT-FOR-US: com_fabrik component for joomla! CVE-2010-1980 (Directory traversal vulnerability in joomlaflickr.php in the Joomla Fl ...) NOT-FOR-US: com_joomlaflickr component for joomla! CVE-2010-1979 (Directory traversal vulnerability in the Affiliate Datafeeds (com_data ...) NOT-FOR-US: com_datafeeds component for joomla! CVE-2010-1978 (PHP remote file inclusion vulnerability in default_theme.php in FreePH ...) NOT-FOR-US: FreePHPBlogSoftware CVE-2010-1977 (Directory traversal vulnerability in the J!WHMCS Integrator (com_jwhmc ...) NOT-FOR-US: com_jwhmcs component for joomla! CVE-2010-1976 (Cross-site scripting (XSS) vulnerability in the Taxonomy Breadcrumb mo ...) NOT-FOR-US: Taxonomy Breadcrumb module for Drupal CVE-2010-1975 (PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8. ...) {DSA-2051-1} - postgresql-8.4 8.4.4-1 (low) - postgresql-8.3 (low) CVE-2010-1974 REJECTED CVE-2010-1973 (Unspecified vulnerability in the Auditing subsystem in HP OpenVMS 8.3, ...) NOT-FOR-US: OpenVMS CVE-2010-1972 (The default configuration of HP Client Automation (HPCA) Enterprise In ...) NOT-FOR-US: HP Client Automation CVE-2010-1971 (Cross-site request forgery (CSRF) vulnerability in HP Insight Software ...) NOT-FOR-US: HP Insight CVE-2010-1970 (Unspecified vulnerability in HP Insight Software Installer for Windows ...) NOT-FOR-US: HP Insight CVE-2010-1969 (Cross-site scripting (XSS) vulnerability in HP Virtual Connect Enterpr ...) NOT-FOR-US: HP Virtual Connect Enterprise Manager CVE-2010-1968 (Cross-site request forgery (CSRF) vulnerability in HP Insight Software ...) NOT-FOR-US: HP Insight CVE-2010-1967 (Unspecified vulnerability in HP Insight Software Installer for Windows ...) NOT-FOR-US: HP Insight CVE-2010-1966 (Unspecified vulnerability in HP Insight Control power management for W ...) NOT-FOR-US: HP Insight CVE-2010-1965 (Unspecified vulnerability in HP Insight Orchestration for Windows befo ...) NOT-FOR-US: HP Insight CVE-2010-1964 (Buffer overflow in ovwebsnmpsrv.exe in HP OpenView Network Node Manage ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2010-1963 (Cross-site scripting (XSS) vulnerability in HP ServiceCenter allows re ...) NOT-FOR-US: HP ServiceCenter CVE-2010-1962 (Unspecified vulnerability in HP StorageWorks Storage Mirroring 5 befor ...) NOT-FOR-US: HP StorageWorks CVE-2010-1961 (Buffer overflow in ovutil.dll in ovwebsnmpsrv.exe in HP OpenView Netwo ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2010-1960 (Buffer overflow in the error handling functionality in ovwebsnmpsrv.ex ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2010-1959 (Unspecified vulnerability in HP TestDirector for Quality Center 9.2 be ...) NOT-FOR-US: HP TestDirector for Quality Center CVE-2010-1958 (Cross-site scripting (XSS) vulnerability in the FileField module 5.x b ...) NOT-FOR-US: Drupal addon CVE-2010-1957 (Directory traversal vulnerability in the Love Factory (com_lovefactory ...) NOT-FOR-US: com_lovefactory component for joomla! CVE-2010-1956 (Directory traversal vulnerability in the Gadget Factory (com_gadgetfac ...) NOT-FOR-US: com_gadgetfactory component for joomla! CVE-2010-1955 (Directory traversal vulnerability in the Deluxe Blog Factory (com_blog ...) NOT-FOR-US: com_blogfactory component for joomla! CVE-2010-1954 (Directory traversal vulnerability in the iNetLanka Multiple root (com_ ...) NOT-FOR-US: com_multiroot component for joomla! CVE-2010-1953 (Directory traversal vulnerability in the iNetLanka Multiple Map (com_m ...) NOT-FOR-US: com_multimap component for joomla! CVE-2010-1952 (Directory traversal vulnerability in the BeeHeard (com_beeheard) and B ...) NOT-FOR-US: com_beeheard component for joomla! CVE-2010-1951 (Multiple directory traversal vulnerabilities in 60cycleCMS allow remot ...) NOT-FOR-US: 60cycleCMS CVE-2010-1950 (SQL injection vulnerability in the Online News Paper Manager (com_jnew ...) NOT-FOR-US: Online News Paper Manager CVE-2010-1949 (SQL injection vulnerability in the Online News Paper Manager (com_jnew ...) NOT-FOR-US: Online News Paper Manager CVE-2010-1948 (Directory traversal vulnerability in scr/soustab.php in openMairie Ope ...) NOT-FOR-US: openMairie CVE-2010-1947 (Directory traversal vulnerability in scr/soustab.php in openMairie Ope ...) NOT-FOR-US: openMairie CVE-2010-1946 (Multiple PHP remote file inclusion vulnerabilities in openMairie Openr ...) NOT-FOR-US: openMairie CVE-2010-1945 (Multiple PHP remote file inclusion vulnerabilities in openMairie Openf ...) NOT-FOR-US: openMairie CVE-2010-1944 (Multiple PHP remote file inclusion vulnerabilities in openMairie openC ...) NOT-FOR-US: openMairie CVE-2010-1943 (Unspecified vulnerability in NEC CapsSuite Small Edition PatchMeister ...) NOT-FOR-US: NEC CapsSuite Small Edition CVE-2010-1942 (Unspecified vulnerability in the Servlet service in Fujitsu Limited In ...) NOT-FOR-US: Fujitsu Limited Interstage Application Server CVE-2010-1941 (Unspecified vulnerability in NEC WebSAM DeploymentManager 5.13 and ear ...) NOT-FOR-US: NEC WebSAM DeploymentManager CVE-2010-1940 (Apple Safari 4.0.5 on Windows sends the "Authorization: Basic" header ...) - chromium-browser - webkit NOTE: Safari-specific. Chromium and Safari have totally separate HTTP stacks. CVE-2010-1939 (Use-after-free vulnerability in Apple Safari 4.0.5 on Windows allows r ...) - chromium-browser - webkit NOTE: poc seems to cause a dos in both chromium and webkit; not sure if code execution is possible NOTE: This is Safari only CVE-2010-1938 (Off-by-one error in the __opiereadrec function in readrec.c in libopie ...) - opie 2.32.dfsg.1-0.2 (low; bug #584932) [lenny] - opie 2.32-10.2+lenny2 CVE-2010-1937 (Heap-based buffer overflow in httpAdapter.c in httpAdapter in SBLIM SF ...) NOT-FOR-US: SBLIM SFCB CVE-2010-1936 (Directory traversal vulnerability in scr/soustab.php in openMairie ope ...) NOT-FOR-US: openMairie openComInterne CVE-2010-1935 (Directory traversal vulnerability in scr/soustab.php in openMairie Ope ...) NOT-FOR-US: openMairie Openpresse CVE-2010-1934 (Multiple PHP remote file inclusion vulnerabilities in openMairie openP ...) NOT-FOR-US: openMairie openPlanning CVE-2010-1928 (Directory traversal vulnerability in scr/soustab.php in openMairie ope ...) NOT-FOR-US: openMairie openPlanning CVE-2010-1927 (Multiple PHP remote file inclusion vulnerabilities in openMairie openC ...) NOT-FOR-US: openMairie openCourrier CVE-2010-1926 (Directory traversal vulnerability in scr/soustab.php in openMairie ope ...) NOT-FOR-US: openMairie openCourrier CVE-2010-1925 (SQL injection vulnerability in makale.php in tekno.Portal 0.1b allows ...) NOT-FOR-US: tekno.Portal CVE-2010-1924 (SQL injection vulnerability in index.php in Hi Web Wiesbaden Live Shop ...) NOT-FOR-US: Hi Web Wiesbaden Live Shopping multi Portal System CVE-2010-1923 (SQL injection vulnerability in user.php in Hi Web Wiesbaden Web 2.0 So ...) NOT-FOR-US: Hi Web Wiesbaden Web Social Network Community System CVE-2010-1922 (Multiple PHP remote file inclusion vulnerabilities in 29o3 CMS 0.1 all ...) NOT-FOR-US: 29o3 CMS CVE-2010-1921 (Multiple PHP remote file inclusion vulnerabilities in OpenMairie openA ...) NOT-FOR-US: OpenMairie openAnnuaire CVE-2010-1920 (Directory traversal vulnerability in scr/soustab.php in OpenMairie ope ...) NOT-FOR-US: OpenMairie openAnnuaire CVE-2010-1933 RESERVED CVE-2010-1932 (Heap-based buffer overflow in XnView 1.97.4 and possibly earlier allow ...) NOT-FOR-US: XnView CVE-2010-1931 (SQL injection vulnerability in includes/content/cart.inc.php in CubeCa ...) NOT-FOR-US: CubeCart PHP Shopping Cart CVE-2010-1930 (Off-by-one error in Novell iManager 2.7, 2.7.3, and 2.7.3 FTF2 allows ...) NOT-FOR-US: Novell iManager CVE-2010-1929 (Multiple stack-based buffer overflows in the jclient._Java_novell_jcli ...) NOT-FOR-US: Novell iImanager CVE-2010-1919 (Unspecified vulnerability in EMC Avamar 4.1.x and 5.0 before SP1 allow ...) NOT-FOR-US: EMC CVE-2010-1913 (The default configuration of pluginlicense.ini for the SdcWebSecureBas ...) NOT-FOR-US: Consona CVE-2010-1912 (The SdcWebSecureBase interface in tgctlcm.dll in Consona Live Assistan ...) NOT-FOR-US: Consona CVE-2010-1911 (The site-locking implementation in the SdcWebSecureBase interface in t ...) NOT-FOR-US: Consona CVE-2010-1910 (The Forgot Password implementation in Consona Live Assistance, Dynamic ...) NOT-FOR-US: Consona CVE-2010-1909 (Buffer overflow in the RunCmd method in the SdcUser.TgConCtl ActiveX c ...) NOT-FOR-US: Consona CVE-2010-1908 (The SdcUser.TgConCtl ActiveX control in tgctlcm.dll in Consona Live As ...) NOT-FOR-US: Consona CVE-2010-1907 (The SdcUser.TgConCtl ActiveX control in tgctlcm.dll in Consona Live As ...) NOT-FOR-US: ConsonA CVE-2010-1906 (tgsrv.exe in the Repair Service in Consona Dynamic Agent, Repair Manag ...) NOT-FOR-US: Consona CVE-2010-1905 (Multiple cross-site scripting (XSS) vulnerabilities in Consona Live As ...) NOT-FOR-US: Consona CVE-2010-1904 (SQL injection vulnerability in EMC RSA Key Manager (RKM) C Client 1.5. ...) NOT-FOR-US: EMC RSA key manager CVE-2010-1903 (Microsoft Office Word 2002 SP3 and 2003 SP3, and Office Word Viewer, a ...) NOT-FOR-US: Microsoft Word CVE-2010-1902 (Buffer overflow in Microsoft Office Word 2002 SP3, 2003 SP3, and 2007 ...) NOT-FOR-US: Microsoft Word CVE-2010-1901 (Microsoft Office Word 2002 SP3, 2003 SP3, and 2007 SP2; Microsoft Offi ...) NOT-FOR-US: Microsoft Word CVE-2010-1900 (Microsoft Office Word 2002 SP3, 2003 SP3, and 2007 SP2; Microsoft Offi ...) NOT-FOR-US: Microsoft Office Word CVE-2010-1899 (Stack consumption vulnerability in the ASP implementation in Microsoft ...) NOT-FOR-US: Microsoft IIS CVE-2010-1898 (The Common Language Runtime (CLR) in Microsoft .NET Framework 2.0 SP1, ...) NOT-FOR-US: Microsoft .NET Framework CVE-2010-1897 (The Windows kernel-mode drivers in win32k.sys in Microsoft Windows XP ...) NOT-FOR-US: Microsoft Windows CVE-2010-1896 (The Windows kernel-mode drivers in win32k.sys in Microsoft Windows XP ...) NOT-FOR-US: Microsoft Windows CVE-2010-1895 (The Windows kernel-mode drivers in win32k.sys in Microsoft Windows XP ...) NOT-FOR-US: Microsoft Windows CVE-2010-1894 (The Windows kernel-mode drivers in win32k.sys in Microsoft Windows XP ...) NOT-FOR-US: Microsoft Windows CVE-2010-1893 (Integer overflow in the TCP/IP stack in Microsoft Windows Vista SP1, W ...) NOT-FOR-US: Microsoft Windows CVE-2010-1892 (The TCP/IP stack in Microsoft Windows Vista SP1 and SP2, Windows Serve ...) NOT-FOR-US: Microsoft Windows CVE-2010-1891 (The Client/Server Runtime Subsystem (aka CSRSS) in the Win32 subsystem ...) NOT-FOR-US: Microsoft Windows CVE-2010-1890 (The kernel in Microsoft Windows Vista SP1 and SP2, Windows Server 2008 ...) NOT-FOR-US: Microsoft Windows CVE-2010-1889 (Double free vulnerability in the kernel in Microsoft Windows Vista SP1 ...) NOT-FOR-US: Microsoft Windows CVE-2010-1888 (Race condition in the kernel in Microsoft Windows XP SP3 allows local ...) NOT-FOR-US: Microsoft Windows CVE-2010-1887 (The Windows kernel-mode drivers in win32k.sys in Microsoft Windows XP ...) NOT-FOR-US: Microsoft Windows CVE-2010-1886 (Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vis ...) NOT-FOR-US: Microsoft Windows CVE-2010-1885 (The MPC::HexToNum function in helpctr.exe in Microsoft Windows Help an ...) NOT-FOR-US: Microsoft Windows CVE-2010-1884 REJECTED CVE-2010-1883 (Integer overflow in the Embedded OpenType (EOT) Font Engine in Microso ...) NOT-FOR-US: Microsoft Windows CVE-2010-1882 (Multiple buffer overflows in the MPEG Layer-3 Audio Codec for Microsof ...) NOT-FOR-US: MPEG Layer-3 Audio Codec for CVE-2010-1881 (The FieldList ActiveX control in the Microsoft Access Wizard Controls ...) NOT-FOR-US: Microsoft CVE-2010-1880 (Unspecified vulnerability in Quartz.dll for DirectShow on Microsoft Wi ...) NOT-FOR-US: Microsoft CVE-2010-1879 (Unspecified vulnerability in Quartz.dll for DirectShow; Windows Media ...) NOT-FOR-US: Microsoft CVE-2010-1878 (Directory traversal vulnerability in the OrgChart (com_orgchart) compo ...) NOT-FOR-US: com_orgchart component for joomla! CVE-2010-1877 (SQL injection vulnerability in the JTM Reseller (com_jtm) component 1. ...) NOT-FOR-US: com_jtm component for joomla! CVE-2010-1876 (SQL injection vulnerability in index.php in AJ Shopping Cart 1.0 allow ...) NOT-FOR-US: AJ Shopping Cart CVE-2010-1875 (Directory traversal vulnerability in the Real Estate Property (com_pro ...) NOT-FOR-US: com_properties component for joomla! CVE-2010-1874 (SQL injection vulnerability in the Real Estate Property (com_propertie ...) NOT-FOR-US: com_properties component for joomla! CVE-2010-1873 (SQL injection vulnerability in the Jvehicles (com_jvehicles) component ...) NOT-FOR-US: com_jvehicles component for joomla! CVE-2010-1872 (Cross-site scripting (XSS) vulnerability in cPlayer.php in FlashCard 2 ...) NOT-FOR-US: FlashCard CVE-2010-1918 (SQL injection vulnerability in ask_chat.php in eFront 3.6.2 and earlie ...) NOT-FOR-US: EFront ask_chat CVE-2010-1917 (Stack consumption vulnerability in PHP 5.2 through 5.2.13 and 5.3 thro ...) {DSA-2089-1} - php5 5.3.3-1 (low) [lenny] - php5 (Minor issue) CVE-2010-1916 (The dynamic configuration feature in Xinha WYSIWYG editor 0.96 Beta 2 ...) - serendipity 1.5.3-1 [lenny] - serendipity (Only affects >= 1.4) - horde3 (Vulnerable code not included, see bug #585165) - openacs (Doesn't use the PHP interface, see bug #585163) - dotlrn (Doesn't use the PHP interface, see bug #585164) CVE-2010-1915 (The preg_quote function in PHP 5.2 through 5.2.13 and 5.3 through 5.3. ...) - php5 (unimportant) CVE-2010-1914 (The Zend Engine in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows ...) - php5 (unimportant) CVE-2010-1871 (JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Pl ...) - jbossas4 (Only builds a few libraries, not the full application server, #581226) CVE-2010-1870 (The OGNL extensive expression evaluation capability in XWork in Struts ...) - libstruts1.2-java (issue involves a problem in xwork, which was introduced in struts2) - libspring-2.5-java (Vulnerable code not present) CVE-2010-1869 (Stack-based buffer overflow in the parser function in GhostScript 8.70 ...) {DSA-2080-1} - ghostscript 8.71~dfsg-4 NOTE: http://www.openwall.com/lists/oss-security/2010/05/11/3 CVE-2010-1868 (The (1) sqlite_single_query and (2) sqlite_array_query functions in ex ...) - php5 (unimportant) CVE-2010-1867 (SQL injection vulnerability in the ArticleAttachment::GetAttachmentsBy ...) NOT-FOR-US: Campsite CVE-2010-1866 (The dechunk filter in PHP 5.3 through 5.3.2, when decoding an HTTP chu ...) - php5 5.3.3-1 (low) [lenny] - php5 (dechunk filter introduced in 5.3) CVE-2010-1865 (Multiple SQL injection vulnerabilities in ClanSphere 2009.0.3 and earl ...) NOT-FOR-US: ClanSphere CVE-2010-1864 (The addcslashes function in PHP 5.2 through 5.2.13 and 5.3 through 5.3 ...) - php5 5.3.3-1 (unimportant) CVE-2010-1863 (SQL injection vulnerability in the shoutbox module (modules/shoutbox.p ...) NOT-FOR-US: ClanTiger CVE-2010-1862 (The chunk_split function in PHP 5.2 through 5.2.13 and 5.3 through 5.3 ...) - php5 (unimportant) CVE-2010-1861 (The sysvshm extension for PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 ...) - php5 (unimportant) CVE-2010-1860 (The html_entity_decode function in PHP 5.2 through 5.2.13 and 5.3 thro ...) - php5 5.3.3-1 (unimportant) CVE-2010-1859 (SQL injection vulnerability in newpost.php in DeluxeBB 1.3 and earlier ...) NOT-FOR-US: DeluxeBB CVE-2010-1858 (Directory traversal vulnerability in the SMEStorage (com_smestorage) c ...) NOT-FOR-US: com_smestorage component for joomla! CVE-2010-1857 (SQL injection vulnerability in index.php in RepairShop2 1.9.023 Trial, ...) NOT-FOR-US: RepairShop2 CVE-2010-1856 (Cross-site scripting (XSS) vulnerability in index.php in RepairShop2 1 ...) NOT-FOR-US: RepairShop2 CVE-2010-1855 (SQL injection vulnerability in auktion.php in Pay Per Watch & Bid ...) NOT-FOR-US: Pay Per Watch & Bid Auktions System CVE-2010-1854 (Cross-site scripting (XSS) vulnerability in auktion.php in Pay Per Wat ...) NOT-FOR-US: Pay Per Watch & Bid Auktions System CVE-2010-1853 (Multiple stack-based buffer overflows in the tr_magnetParse function i ...) - transmission 1.92-1 [lenny] - transmission (Support for Magnet links not yet available) CVE-2010-1852 (Microsoft Internet Explorer, when the Invisible Hand extension is enab ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-1851 (Google Chrome, when the Invisible Hand extension is enabled, uses cook ...) NOT-FOR-US: Invisible Hand extension for chromium CVE-2009-4872 (Multiple SQL injection vulnerabilities in globepersonnel_login.asp in ...) NOT-FOR-US: Logoshows BBS CVE-2009-4871 (SQL injection vulnerability in globepersonnel_forum.asp in Logoshows B ...) NOT-FOR-US: Logoshows BBS CVE-2009-4870 (Multiple SQL injection vulnerabilities in login.php in PHPCityPortal a ...) NOT-FOR-US: PHPCityPortal CVE-2009-4869 (Cross-site scripting (XSS) vulnerability in index.php in Nasim Guest B ...) NOT-FOR-US: Nasim Guest Book CVE-2009-4868 (Cross-site scripting (XSS) vulnerability in Hitron Soft Answer Me 1.0 ...) NOT-FOR-US: Hitron Soft Answer Me CVE-2009-4867 (Buffer overflow in Tuniac 090517c allows remote attackers to cause a d ...) NOT-FOR-US: Tuniac CVE-2009-4866 (Cross-site scripting (XSS) vulnerability in search.cgi in Matt's Scrip ...) NOT-FOR-US: Matt's Script Archive (MSA) Simple Search CVE-2009-4865 (Multiple SQL injection vulnerabilities in escorts_search.php in I-Esco ...) NOT-FOR-US: I-Escorts Directory Script and Agency Script CVE-2009-4864 (Multiple cross-site scripting (XSS) vulnerabilities in escorts_search. ...) NOT-FOR-US: I-Escorts Directory Script and Agency Script CVE-2009-4863 (Stack-based buffer overflow in UltraPlayer Media Player 2.112 allows r ...) NOT-FOR-US: UltraPlayer Media Player CVE-2009-4862 (Multiple SQL injection vulnerabilities in Alwasel 1.5 allow remote att ...) NOT-FOR-US: Alwasel CVE-2009-4861 (Cross-site scripting (XSS) vulnerability in shownews.php in SupportPRO ...) NOT-FOR-US: SupportPRO SupportDesk CVE-2009-4860 (SQL injection vulnerability in demo.php in Typing Pal 1.0 and earlier ...) NOT-FOR-US: Typing Pal CVE-2009-4859 (Multiple cross-site scripting (XSS) vulnerabilities in Online Work Ord ...) NOT-FOR-US: Online Work Order Suite (OWOS) CVE-2009-4858 (Cross-site scripting (XSS) vulnerability in questiondetail.php in Yaho ...) NOT-FOR-US: Yahoo Answers Clone CVE-2009-4857 (Cross-site scripting (XSS) vulnerability in login.php in PHP Photo Vot ...) NOT-FOR-US: PHP Photo Vote CVE-2009-4856 (Cross-site scripting (XSS) vulnerability in subitems.php in PHP Easy S ...) NOT-FOR-US: PHP Easy Shopping Cart CVE-2009-4855 NOT-FOR-US: Bogus issue claimed for typo3 NOTE: See http://secure.t3sec.info/blog/post/2009/08/06/typo3-cms-40-showuid-exploit-not-a-vulnerability/4.2.5-1+lenny3 CVE-2009-4854 (addons/import.php in TalkBack 2.3.14 allows remote attackers to execut ...) NOT-FOR-US: TalkBack CVE-2009-4853 (Multiple cross-site scripting (XSS) vulnerabilities in JumpBox before ...) NOT-FOR-US: JumpBox CVE-2009-4852 (Multiple cross-site scripting (XSS) vulnerabilities in SemanticScuttle ...) NOT-FOR-US: SemanticScuttle CVE-2009-4851 (The activation resend function in the Profiles module in XOOPS before ...) NOT-FOR-US: XOOPS CVE-2009-4850 (The Awingsoft Awakening Winds3D Viewer plugin 3.5.0.9 allows remote at ...) NOT-FOR-US: Awingsoft Awakening Winds3D Viewer CVE-2009-4849 (Multiple cross-site request forgery (CSRF) vulnerabilities in ToutVirt ...) NOT-FOR-US: ToutVirtual VirtualIQ Pro CVE-2009-4848 (Multiple cross-site scripting (XSS) vulnerabilities in ToutVirtual Vir ...) NOT-FOR-US: ToutVirtual VirtualIQ Pro CVE-2009-4847 (Deliantra Server before 2.82 allows remote authenticated users to caus ...) NOT-FOR-US: Deliantra Server CVE-2009-4846 (Multiple buffer overflows in Deliantra Server before 2.82 allow remote ...) NOT-FOR-US: Deliantra Server CVE-2009-4845 (The configuration page in ToutVirtual VirtualIQ Pro 3.2 build 7882 con ...) NOT-FOR-US: ToutVirtual VirtualIQ Pro CVE-2009-4844 (ToutVirtual VirtualIQ Pro 3.2 build 7882 does not restrict access to t ...) NOT-FOR-US: ToutVirtual VirtualIQ Pro CVE-2009-4843 (ToutVirtual VirtualIQ Pro before 3.5 build 8691 does not require admin ...) NOT-FOR-US: ToutVirtual VirtualIQ Pro CVE-2009-4842 (Multiple cross-site scripting (XSS) vulnerabilities in ToutVirtual Vir ...) NOT-FOR-US: ToutVirtual VirtualIQ Pro CVE-2010-1850 (Buffer overflow in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allo ...) {DSA-2057-1} - mysql-5.1 5.1.47-1 (bug #582526) - mysql-dfsg-5.0 CVE-2010-XXXX [wicd changes permissions of resolv.conf] - wicd 1.7.0+ds1-3 (low; bug #582798) CVE-2010-1849 (The my_net_skip_rest function in sql/net_serv.cc in MySQL 5.0 through ...) {DSA-2057-1} - mysql-5.1 5.1.47-1 (bug #582526) - mysql-dfsg-5.0 CVE-2010-1848 (Directory traversal vulnerability in MySQL 5.0 through 5.0.91 and 5.1 ...) {DSA-2057-1} - mysql-5.1 5.1.47-1 (bug #582526) - mysql-dfsg-5.0 CVE-2010-1847 (The kernel in Apple Mac OS X 10.6.x before 10.6.5 does not properly pe ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1846 (Heap-based buffer overflow in Image RAW in Apple Mac OS X 10.5.8 and 1 ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1845 (ImageIO in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 allows remot ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1844 (Unspecified vulnerability in Image Capture in Apple Mac OS X 10.6.x be ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1843 (Networking in Apple Mac OS X 10.6.2 through 10.6.4 allows remote attac ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1842 (Buffer overflow in AppKit in Apple Mac OS X 10.6.x before 10.6.5 allow ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1841 (Disk Images in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 allows r ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1840 (Stack-based buffer overflow in the password-validation functionality i ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1839 RESERVED CVE-2010-1838 (Directory Services in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 d ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1837 (CoreText in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 allows remo ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1836 (Stack-based buffer overflow in CoreGraphics in Apple Mac OS X 10.5.8 a ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1835 RESERVED CVE-2010-1834 (CFNetwork in Apple Mac OS X 10.6.x before 10.6.5 does not properly val ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1833 (Apple Type Services (ATS) in Apple Mac OS X 10.6.x before 10.6.5 allow ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1832 (Stack-based buffer overflow in Apple Type Services (ATS) in Apple Mac ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1831 (Buffer overflow in Apple Type Services (ATS) in Apple Mac OS X 10.5.8 ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1830 (AFP Server in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 generates ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1829 (Directory traversal vulnerability in AFP Server in Apple Mac OS X 10.5 ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1828 (AFP Server in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 allows re ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1827 RESERVED CVE-2010-1826 RESERVED CVE-2010-1825 (Use-after-free vulnerability in WebKit, as used in Google Chrome befor ...) - chromium-browser 6.0.472.59~r59126-1 NOTE: http://trac.webkit.org/changeset/66847 CVE-2010-1824 (Use-after-free vulnerability in WebKit, as used in Apple iTunes before ...) - webkit 1.2.6-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 6.0.472.59~r59126-1 NOTE: http://trac.webkit.org/changeset/66795 CVE-2010-1823 (Use-after-free vulnerability in WebKit before r65958, as used in Googl ...) - webkit (vulnerable code not present in 1.2.x series) - chromium-browser 6.0.472.59~r59126-1 NOTE: http://trac.webkit.org/changeset/65958 CVE-2010-1822 (WebKit, as used in Apple Safari before 4.1.3 and 5.0.x before 5.0.3 an ...) - webkit (rendererIsNeeded function not present in 1.2.x series) - chromium-browser 6.0.472.62~r59676-1 CVE-2010-1821 (Apple Mac OS X 10.6 through 10.6.3 and Mac OS X Server 10.6 through 10 ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1820 (Apple Filing Protocol (AFP) Server in Apple Mac OS X 10.6.x through 10 ...) NOT-FOR-US: Apple Filing Protocol Server CVE-2010-1819 (Untrusted search path vulnerability in the Picture Viewer in Apple Qui ...) NOT-FOR-US: Apple QuickTime CVE-2010-1818 (The IPersistPropertyBag2::Read function in QTPlugin.ocx in Apple Quick ...) NOT-FOR-US: QuickTime CVE-2010-1817 (Buffer overflow in ImageIO in Apple iOS before 4.1 on the iPhone and i ...) NOT-FOR-US: Apple iOS CVE-2010-1816 (Buffer overflow in ImageIO in Apple Mac OS X 10.6 through 10.6.3 and M ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1815 (Use-after-free vulnerability in WebKit in Apple iOS before 4.1 on the ...) - webkit 1.2.5-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) CVE-2010-1814 (WebKit in Apple iOS before 4.1 on the iPhone and iPod touch, and webki ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2010-1813 (WebKit in Apple iOS before 4.1 on the iPhone and iPod touch allows rem ...) - webkit 1.2.5-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser NOTE: http://trac.webkit.org/changeset/63048 CVE-2010-1812 (Use-after-free vulnerability in WebKit in Apple iOS before 4.1 on the ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2010-1811 (ImageIO in Apple iOS before 4.1 on the iPhone and iPod touch allows re ...) NOT-FOR-US: Apple iOS CVE-2010-1810 (FaceTime in Apple iOS before 4.1 on the iPhone and iPod touch does not ...) NOT-FOR-US: Apple iOS CVE-2010-1809 (The Accessibility component in Apple iOS before 4.1 on the iPhone and ...) NOT-FOR-US: Apple iOS CVE-2010-1808 (Stack-based buffer overflow in Apple Type Services (ATS) in Apple Mac ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1807 (WebKit in Apple Safari 4.x before 4.1.2 and 5.x before 5.0.2; Android ...) - webkit 1.2.5-1 (bug #599830) [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser NOTE: http://trac.webkit.org/changeset/64706 NOTE: https://bugs.webkit.org/show_bug.cgi?id=43461 NOTE: the problem is that the standard-library strtod() NOTE: parses "NAN(payload)" as a NaN with a user-defined payload, which is bad for the nan-boxing NOTE: scheme used by webkit (and mozilla). The fix is not to accept "NAN(payload)". NOTE: test-case: -parseFloat("NAN(ffffeeeeeff0f)") NOTE: reproduced with epiphany CVE-2010-1806 (Use-after-free vulnerability in Apple Safari 4.x before 4.1.2 and 5.x ...) - chromium-browser 5.0.375.127~r55887-1 NOTE: http://trac.webkit.org/changeset/63772 CVE-2010-1805 (Untrusted search path vulnerability in Apple Safari 4.x before 4.1.2 a ...) - webkit (windows-specific issue) - chromium-browser (windows-specific issue) NOTE: This is the windows DLL planting attack CVE-2010-1804 (Unspecified vulnerability in the network bridge functionality on the A ...) NOT-FOR-US: Apple CVE-2010-1803 (Time Machine in Apple Mac OS X 10.6.x before 10.6.5 does not verify th ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1802 (libsecurity in Apple Mac OS X 10.5.8 and 10.6.4 does not properly perf ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1801 (Heap-based buffer overflow in CoreGraphics in Apple Mac OS X 10.5.8 an ...) NOT-FOR-US: CoreGraphics CVE-2010-1800 (CFNetwork in Apple Mac OS X 10.6.3 and 10.6.4 supports anonymous SSL a ...) NOT-FOR-US: CFNetwork CVE-2010-1799 (Stack-based buffer overflow in the error-logging functionality in Appl ...) NOT-FOR-US: Apple QuickTime on Windows CVE-2010-1798 RESERVED CVE-2010-1797 (Multiple stack-based buffer overflows in the cff_decoder_parse_charstr ...) {DSA-2105-1} - freetype 2.4.2-1 CVE-2010-1796 (The AutoFill feature in Apple Safari before 5.0.1 on Mac OS X 10.5 thr ...) - webkit - chromium-browser NOTE: Very Safari specific CVE-2010-1795 (Untrusted search path vulnerability in Apple iTunes before 9.1, when r ...) NOT-FOR-US: Apple iTunes on Windows CVE-2010-1794 (The webdav_mount function in webdav_vfsops.c in the WebDAV kernel exte ...) NOT-FOR-US: Apple CVE-2010-1793 (Multiple use-after-free vulnerabilities in WebKit in Apple Safari befo ...) - webkit 1.2.4-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.125~r53311-1 NOTE: http://trac.webkit.org/changeset/62482 NOTE: http://trac.webkit.org/changeset/62662 NOTE: duplicated as cve-2010-2902 CVE-2010-1792 (WebKit in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and ...) - webkit 1.2.4-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser NOTE: http://trac.webkit.org/changeset/62386 NOTE: Chromium uses a totally different regexp implementation. CVE-2010-1791 (Integer signedness error in WebKit in Apple Safari before 5.0.1 on Mac ...) - webkit 1.2.6-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser NOTE: this is specific to Safari's JavaScript engine CVE-2010-1790 (WebKit in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and ...) - webkit 1.2.4-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser NOTE: http://trac.webkit.org/changeset/62301 NOTE: this is specific to Safari's JavaScript engine CVE-2010-1789 (Heap-based buffer overflow in WebKit in Apple Safari before 5.0.1 on M ...) - webkit - chromium-browser NOTE: this is specific to Safari's JavaScript engine CVE-2010-1788 (WebKit in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and ...) - webkit 1.2.4-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.127~r55887-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=40994 NOTE: http://trac.webkit.org/changeset/62482 CVE-2010-1787 (WebKit in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and ...) - webkit 1.2.4-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.127~r55887-1 NOTE: http://trac.webkit.org/changeset/61044 CVE-2010-1786 (Use-after-free vulnerability in WebKit in Apple Safari before 5.0.1 on ...) - webkit 1.2.4-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.99~r51029-1 NOTE: http://trac.webkit.org/changeset/61667 NOTE: duplicated as cve-2010-2647 CVE-2010-1785 (WebKit in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and ...) - webkit 1.2.4-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.99~r51029-1 NOTE: http://trac.webkit.org/changeset/61050 NOTE: http://trac.webkit.org/changeset/61051 CVE-2010-1784 (The counters functionality in the Cascading Style Sheets (CSS) impleme ...) - webkit 1.2.4-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.125~r53311-1 NOTE: http://trac.webkit.org/changeset/62271 CVE-2010-1783 (WebKit in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and ...) {DSA-2188-1} - webkit 1.2.7-1 - chromium-browser 5.0.375.127~r55887-1 NOTE: (Chromium Sec) This seems a duplicate of CVE-2010-2899 NOTE: http://trac.webkit.org/changeset/62134 CVE-2010-1782 (WebKit in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and ...) - webkit 1.2.4-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.127~r55887-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=41375 NOTE: http://trac.webkit.org/changeset/61921 CVE-2010-1781 (Double free vulnerability in WebKit in Apple iOS before 4.1 on the iPh ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2010-1780 (Use-after-free vulnerability in WebKit in Apple Safari before 5.0.1 on ...) - webkit 1.2.5-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.125~r53311-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=40407 NOTE: http://trac.webkit.org/changeset/60984 CVE-2010-1779 RESERVED CVE-2010-1778 (Cross-site scripting (XSS) vulnerability in Apple Safari before 5.0.1 ...) - webkit - chromium-browser NOTE: Safari only (chromium security team) CVE-2010-1777 (Buffer overflow in Apple iTunes before 9.2.1 allows remote attackers t ...) NOT-FOR-US: Apple iTunes CVE-2010-1776 (Find My iPhone on iOS 2.0 through 3.1.3 for iPhone 3G and later and iO ...) NOT-FOR-US: Apple iOS CVE-2010-1775 (Race condition in Passcode Lock in Apple iOS before 4 on the iPhone an ...) NOT-FOR-US: Apple iPhone Passcode Lock CVE-2010-1774 (WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Wi ...) - webkit 1.2.2-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.55~r47796-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=38261 NOTE: http://trac.webkit.org/changeset/59495 CVE-2010-1773 (Off-by-one error in the toAlphabetic function in rendering/RenderListM ...) - webkit 1.2.2-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.55~r47796-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=39508 NOTE: http://trac.webkit.org/changeset/59950 CVE-2010-1772 (Use-after-free vulnerability in page/Geolocation.cpp in WebCore in Web ...) - webkit 1.2.2-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.55~r47796-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=39388 NOTE: http://trac.webkit.org/changeset/59859 CVE-2010-1771 (Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on M ...) - webkit 1.2.2-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.55~r47796-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=39453 NOTE: http://trac.webkit.org/changeset/59876 CVE-2010-1770 (WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Wi ...) - webkit 1.2.2-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.70~r48679-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=38626 NOTE: http://trac.webkit.org/changeset/59795 CVE-2010-1769 (WebKit in Apple iTunes before 9.2 on Windows, and Apple iOS before 4 o ...) - webkit 1.2.2-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.55~r47796-1 NOTE: dupe of CVE-2010-1774 CVE-2010-1768 (Unspecified vulnerability in Apple iTunes before 9.1 allows local user ...) NOT-FOR-US: Apple iTunes CVE-2010-1767 (Cross-site request forgery (CSRF) vulnerability in loader/DocumentThre ...) - webkit 1.2.1-3 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.29~r46008-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=36843 NOTE: http://trac.webkit.org/changeset/57041 CVE-2010-1766 (Off-by-one error in the WebSocketHandshake::readServerHandshake functi ...) - webkit 1.2.1-2 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.55~r47796-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=36339 NOTE: http://trac.webkit.org/changeset/56380 CVE-2010-1765 RESERVED - webkit (doesn't include cf code) - chromium-browser 5.0.375.55~r47796-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=37933 NOTE: http://trac.webkit.org/changeset/57995 CVE-2010-1764 (WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Wi ...) - webkit 1.2.1-2 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.55~r47796-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=31410 NOTE: http://trac.webkit.org/changeset/55157 CVE-2010-1763 (Unspecified vulnerability in WebKit in Apple iTunes before 9.2 on Wind ...) - webkit (vulnerable code introduced in svn58950, which isn't included in 1.2.1 yet) - chromium-browser 5.0.375.55~r47796-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=39008 NOTE: http://trac.webkit.org/changeset/59486 CVE-2010-1762 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari bef ...) - webkit 1.2.2-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.55~r47796-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=38922 NOTE: http://trac.webkit.org/changeset/59241 NOTE: http://trac.webkit.org/changeset/59242 CVE-2010-1761 (Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on M ...) - webkit 1.2.2-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.55~r47796-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=37760 NOTE: http://trac.webkit.org/changeset/59263 CVE-2010-1760 (loader/DocumentThreadableLoader.cpp in the XMLHttpRequest implementati ...) - webkit 1.2.2-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.99~r51029-2 NOTE: https://bugs.webkit.org/show_bug.cgi?id=37781 NOTE: http://trac.webkit.org/changeset/58409 CVE-2010-1759 (Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on M ...) - webkit 1.2.2-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.55~r47796-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=38583 NOTE: http://trac.webkit.org/changeset/59109 CVE-2010-1758 (Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on M ...) - webkit 1.2.2-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.55~r47796-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=28697 NOTE: http://trac.webkit.org/changeset/59098 CVE-2010-1757 (WebKit in Apple iOS before 4 on the iPhone and iPod touch does not enf ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2010-1756 (The Settings application in Apple iOS before 4 on the iPhone and iPod ...) NOT-FOR-US: Apple iPhone CVE-2010-1755 (Safari in Apple iOS before 4 on the iPhone and iPod touch does not pro ...) NOT-FOR-US: Apple Safari CVE-2010-1754 (Passcode Lock in Apple iOS before 4 on the iPhone and iPod touch does ...) NOT-FOR-US: Apple Passcode Lock CVE-2010-1753 (ImageIO in Apple iOS before 4 on the iPhone and iPod touch allows remo ...) NOT-FOR-US: iOS CVE-2010-1752 (Stack-based buffer overflow in CFNetwork in Apple iOS before 4 on the ...) NOT-FOR-US: Apple CFNetwork CVE-2010-1751 (Application Sandbox in Apple iOS before 4 on the iPhone and iPod touch ...) NOT-FOR-US: Apple Application Sandbox CVE-2010-1750 (Use-after-free vulnerability in Apple Safari before 5.0 on Windows all ...) NOT-FOR-US: Apple Safari CVE-2010-1749 (Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on M ...) - webkit 1.2.1-2 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.342.9~r43360-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=27193 NOTE: https://bugs.webkit.org/show_bug.cgi?id=38625 NOTE: http://trac.webkit.org/changeset/45941 CVE-2010-1748 (The cgi_initialize_string function in cgi-bin/var.c in the web interfa ...) {DSA-2176-1} - cups 1.4.4-1 CVE-2010-1747 RESERVED CVE-2010-1746 (Multiple cross-site scripting (XSS) vulnerabilities in the Table JX (c ...) NOT-FOR-US: com_grid component for joomla! CVE-2010-1745 REJECTED CVE-2010-1744 (SQL injection vulnerability in product.html in B2B Gold Script allows ...) NOT-FOR-US: B2B Gold Script CVE-2010-1743 (SQL injection vulnerability in projects.php in Scratcher allows remote ...) NOT-FOR-US: Scratcher CVE-2010-1742 (Cross-site scripting (XSS) vulnerability in projects.php in Scratcher ...) NOT-FOR-US: Scratcher CVE-2010-1741 (SQL injection vulnerability in request_account.php in Billwerx RC 5.2. ...) NOT-FOR-US: Billwerx CVE-2010-1740 (SQL injection vulnerability in newsletter.php in GuppY 4.5.18 allows r ...) NOT-FOR-US: GuppY CVE-2010-1739 (SQL injection vulnerability in the Newsfeeds (com_newsfeeds) component ...) NOT-FOR-US: com_newsfeeds component for joomla! CVE-2010-1738 REJECTED CVE-2010-1737 (PHP remote file inclusion vulnerability in core/includes/gfw_smarty.ph ...) NOT-FOR-US: Gallo CVE-2010-1736 (KrM Haber 1.0 stores sensitive information under the web root with ins ...) NOT-FOR-US: KrM Haber CVE-2010-1735 (The SfnLOGONNOTIFY function in win32k.sys in the kernel in Microsoft W ...) NOT-FOR-US: Microsoft Windows CVE-2010-1734 (The SfnINSTRING function in win32k.sys in the kernel in Microsoft Wind ...) NOT-FOR-US: Microsoft Windows CVE-2010-1733 (Multiple SQL injection vulnerabilities in OCS Inventory NG before 1.02 ...) - ocsinventory-server (unimportant) NOTE: Authentication is needed, only supported in trusted environments, see debtags CVE-2010-1732 (Cross-site request forgery (CSRF) vulnerability in the users module in ...) NOT-FOR-US: Zikula Application Framework CVE-2010-1731 (Google Chrome on the HTC Hero allows remote attackers to cause a denia ...) - chromium-browser 5.0.375.55~r47796-1 NOTE: various crashes on window close after opening the file on chromium (including sometimes segfaults) NOTE: CVE-2010-1729/1730/1731 are the same issue but with different effects NOTE: not reproducible with chromium-browser 5.0.375.55~r47796-1 CVE-2010-1730 (Dolphin Browser 2.5.0 on the HTC Hero allows remote attackers to cause ...) NOT-FOR-US: Dolphin browser, Konqueror not covered by security support NOTE: CVE-2010-1729/1730/1731 are the same issue but with different effects CVE-2010-1729 (WebKit.dll in WebKit, as used in Safari.exe 4.531.9.1 in Apple Safari, ...) - webkit (unimportant) NOTE: CVE-2010-1729/1730/1731 are the same issue but with different effects NOTE: dos-only on webkit CVE-2010-1728 (Opera before 10.53 on Windows and Mac OS X does not properly handle a ...) NOT-FOR-US: Opera CVE-2010-1727 (SQL injection vulnerability in type.asp in JobPost 1.0 allows remote a ...) NOT-FOR-US: JobPost CVE-2010-1726 (SQL injection vulnerability in offers_buy.php in EC21 Clone 3.0 allows ...) NOT-FOR-US: EC21 CVE-2010-1725 (SQL injection vulnerability in offers_buy.php in Alibaba Clone Platinu ...) NOT-FOR-US: Alibaba Clone Platinum CVE-2010-1724 (Multiple cross-site scripting (XSS) vulnerabilities in Zikula Applicat ...) NOT-FOR-US: Zikula Application Framework CVE-2009-4841 (Heap-based buffer overflow in the SonicMediaPlayer ActiveX control in ...) NOT-FOR-US: Roxio CinePlayer CVE-2009-4840 (Heap-based buffer overflow in the IAManager ActiveX control in IAManag ...) NOT-FOR-US: Roxio CinePlayer CVE-2009-4839 (Multiple cross-site scripting (XSS) vulnerabilities in Basic Analysis ...) - acidbase 1.4.5-1 (bug #587819) [lenny] - acidbase (Minor issue) CVE-2009-4838 (SQL injection vulnerability in base_ag_common.php in Basic Analysis an ...) - acidbase 1.4.4-1 (low) [lenny] - acidbase (Minor issue) CVE-2009-4837 (Multiple cross-site scripting (XSS) vulnerabilities in Basic Analysis ...) - acidbase 1.4.4-1 (low) [lenny] - acidbase (Minor issue) CVE-2009-4836 (Eval injection vulnerability in system/services/init.php in Movie PHP ...) NOT-FOR-US: Movie PHP Script CVE-2009-4835 (The (1) htk_read_header, (2) alaw_init, (3) ulaw_init, (4) pcm_init, ( ...) - libsndfile 1.0.21-3 (unimportant; bug #530831) NOTE: application crash only, so not security-relevant CVE-2010-1723 (Directory traversal vulnerability in the iNetLanka Contact Us Draw Roo ...) NOT-FOR-US: com_drawroot component for joomla! CVE-2010-1722 (Directory traversal vulnerability in the Online Market (com_market) co ...) NOT-FOR-US: com_market component for joomla! CVE-2010-1721 (SQL injection vulnerability in the Intellectual Property (aka IPropert ...) NOT-FOR-US: com_iproperty component for joomla! CVE-2010-1720 (SQL injection vulnerability in the Q-Personel (com_qpersonel) componen ...) NOT-FOR-US: com_qpersonel component for joomla! CVE-2010-1719 (Directory traversal vulnerability in the MT Fire Eagle (com_mtfireeagl ...) NOT-FOR-US: com_mtfireeagle component for joomla! CVE-2010-1718 (Directory traversal vulnerability in archeryscores.php in the Archery ...) NOT-FOR-US: com_archeryscores component for joomla! CVE-2010-1717 (Directory traversal vulnerability in the iF surfALERT (com_if_surfaler ...) NOT-FOR-US: com_if_surfalert component for joomla! CVE-2010-1716 (SQL injection vulnerability in the Agenda Address Book (com_agenda) co ...) NOT-FOR-US: com_agenda component for joomla! CVE-2010-1715 (Directory traversal vulnerability in the Online Examination (aka Onlin ...) NOT-FOR-US: com_onlineexam component for joomla! CVE-2010-1714 (Directory traversal vulnerability in the Arcade Games (com_arcadegames ...) NOT-FOR-US: com_arcadegames component for joomla! CVE-2010-1713 (SQL injection vulnerability in modules.php in PostNuke 0.764 allows re ...) NOT-FOR-US: PostNuke CVE-2010-1712 (Multiple cross-site scripting (XSS) vulnerabilities in base/Comments.p ...) NOT-FOR-US: Webmobo WB News CVE-2010-1711 (Cross-site scripting (XSS) vulnerability in carga_foto_al.php in Siest ...) NOT-FOR-US: Siestta CVE-2010-1710 (Directory traversal vulnerability in login.php in Siestta 2.0, when re ...) NOT-FOR-US: Siestta CVE-2010-1709 (Multiple cross-site scripting (XSS) vulnerabilities in upload.cgi in G ...) NOT-FOR-US: G5-Scripts CVE-2010-1708 (Multiple SQL injection vulnerabilities in agentadmin.php in Free Realt ...) NOT-FOR-US: Free Realty CVE-2010-1707 (Multiple cross-site scripting (XSS) vulnerabilities in register.php in ...) - piwigo 2.0.10-1 CVE-2010-1706 (Multiple SQL injection vulnerabilities in login.php in 2daybiz Auction ...) NOT-FOR-US: 2daybiz Auction Script CVE-2010-1705 (SQL injection vulnerability in casting_view.php in Modelbook allows re ...) NOT-FOR-US: Modelbook CVE-2010-1704 (Multiple SQL injection vulnerabilities in 2daybiz Polls (aka Advanced ...) NOT-FOR-US: 2daybiz Polls Script CVE-2010-1703 (Multiple cross-site scripting (XSS) vulnerabilities in index_search.ph ...) NOT-FOR-US: 2daybiz Polls Script CVE-2010-1702 (SQL injection vulnerability in submitticket.php in WHMCompleteSolution ...) NOT-FOR-US: WHMCompleteSolution CVE-2010-1701 (SQL injection vulnerability in browse.html in PHP Video Battle Script ...) NOT-FOR-US: PHP Video Battle Script CVE-2010-1700 REJECTED CVE-2010-1699 REJECTED CVE-2010-1698 REJECTED CVE-2010-1697 REJECTED CVE-2010-1696 REJECTED CVE-2010-1695 REJECTED CVE-2010-1694 REJECTED CVE-2010-1693 (openibd in OpenFabrics Enterprise Distribution (OFED) 1.5.2 allows loc ...) NOT-FOR-US: OpenFabrics Enterprise Distribution (OFED) NOTE: openibd is part of ofa-kernel (ofa_1_5_kernel-20101028-0200/ofed_scripts/openibd), fixed in 2010-10-28 build NOTE: http://www.openfabrics.org/downloads/ofa_1_5_kernel/ NOTE: ITP for ofa-kernel is bug #541849 CVE-2010-1692 REJECTED CVE-2010-1691 REJECTED CVE-2010-1690 (The DNS implementation in smtpsvc.dll before 6.0.2600.5949 in Microsof ...) NOT-FOR-US: Microsoft Windows CVE-2010-1689 (The DNS implementation in smtpsvc.dll before 6.0.2600.5949 in Microsof ...) NOT-FOR-US: Microsoft Windows CVE-2010-1688 (Stack-based buffer overflow in 2BrightSparks SyncBack Freeware 3.2.20. ...) NOT-FOR-US: 2BrightSparks SyncBack Freeware CVE-2010-1687 (Stack-based buffer overflow in lpd.exe in Mocha W32 LPD 1.9 allows rem ...) NOT-FOR-US: Mocha W32 LPD CVE-2010-1686 (Stack-based buffer overflow in (1) Urgent Backup 3.20, and (2) ABC Bac ...) NOT-FOR-US: Urgent Backup CVE-2010-1685 (Stack-based buffer overflow in CursorArts ZipWrangler 1.20 allows user ...) NOT-FOR-US: CursorArts ZipWrangler CVE-2010-1684 RESERVED CVE-2010-1683 RESERVED CVE-2010-1682 RESERVED CVE-2010-1681 (Buffer overflow in VISIODWG.DLL before 10.0.6880.4 in Microsoft Office ...) NOT-FOR-US: Microsoft Office Visio CVE-2010-1680 REJECTED CVE-2010-1679 (Directory traversal vulnerability in dpkg-source in dpkg before 1.14.3 ...) {DSA-2142-1} - dpkg 1.15.8.8 CVE-2010-1678 (Mapserver 5.2, 5.4 and 5.6 before 5.6.5-2 improperly validates symbol ...) - mapserver 5.6.5-2 NOTE: http://trac.osgeo.org/mapserver/ticket/3641 CVE-2010-1677 (MHonArc 2.6.16 allows remote attackers to cause a denial of service (C ...) - mhonarc 2.6.18-1 (low) [squeeze] - mhonarc (Minor issue) CVE-2010-1676 (Heap-based buffer overflow in Tor before 0.2.1.28 and 0.2.2.x before 0 ...) {DSA-2136-1} - tor 0.2.1.26-6 CVE-2010-1675 (bgpd in Quagga before 0.99.18 allows remote attackers to cause a denia ...) {DSA-2197-1} - quagga 0.99.18-1 CVE-2010-1674 (The extended-community parser in bgpd in Quagga before 0.99.18 allows ...) {DSA-2197-1} - quagga 0.99.18-1 CVE-2010-1673 (A cross-site scripting (XSS) vulnerability in ikiwiki before 3.2010111 ...) - ikiwiki 3.20101112 [squeeze] - ikiwiki 3.20100815.2 [lenny] - ikiwiki CVE-2010-1672 RESERVED CVE-2010-1671 (hsolinkcontrol in hsolink 1.0.118 allows local users to gain privilege ...) - hsolink (bug #590670) CVE-2010-1670 (Mahara before 1.0.15, 1.1.x before 1.1.9, and 1.2.x before 1.2.5 has i ...) {DSA-2067-1} - mahara 1.2.5-1 CVE-2010-1669 (SQL injection vulnerability in Mahara 1.1.x before 1.1.9 and 1.2.x bef ...) - mahara 1.2.5-1 [lenny] - mahara CVE-2010-1668 (Multiple cross-site request forgery (CSRF) vulnerabilities in Mahara b ...) {DSA-2067-1} - mahara 1.2.5-1 CVE-2010-1667 (Multiple cross-site scripting (XSS) vulnerabilities in Mahara before 1 ...) {DSA-2067-1} - mahara 1.2.5-1 CVE-2010-1666 (Buffer overflow in Dan Pascu python-cjson 1.0.5, when UCS-4 encoding i ...) {DSA-2068-1} - python-cjson 1.0.5-3 (bug #587700) NOTE: https://bugs.launchpad.net/ubuntu/+source/python-cjson/+bug/585274 CVE-2010-1665 (Google Chrome before 4.1.249.1064 does not properly handle fonts, whic ...) - chromium-browser 5.0.375.29~r46008-1 - webkit 1.2.1-3 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) NOTE: http://trac.webkit.org/changeset/58201 CVE-2010-1664 (Google Chrome before 4.1.249.1064 does not properly handle HTML5 media ...) - chromium-browser 5.0.375.29~r46008-1 - webkit 1.2.2-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) NOTE: http://trac.webkit.org/changeset/57922 CVE-2010-1663 (The Google URL Parsing Library (aka google-url or GURL) in Google Chro ...) - chromium-browser 5.0.375.29~r46008-1 - webkit (issue is in google url; i.e. chromium-specific) CVE-2010-1662 (Cross-site scripting (XSS) vulnerability in acpmoderate.php in PHP-Qui ...) NOT-FOR-US: PHP-Quick-Arcade CVE-2010-1661 (Multiple SQL injection vulnerabilities in PHP-Quick-Arcade (PHPQA) 3.0 ...) NOT-FOR-US: PHP-Quick-Arcade CVE-2010-1660 (SQL injection vulnerability in help-details.php in CLScript Classified ...) NOT-FOR-US: CLScript Classifieds Script CVE-2010-1659 (Directory traversal vulnerability in the Ultimate Portfolio (com_ultim ...) NOT-FOR-US: component for Joomla! CVE-2010-1658 (Directory traversal vulnerability in the Code-Garage NoticeBoard (com_ ...) NOT-FOR-US: component for Joomla! CVE-2010-1657 (Directory traversal vulnerability in the SmartSite (com_smartsite) com ...) NOT-FOR-US: component for Joomla! CVE-2010-1656 (SQL injection vulnerability in the Airiny ABC (com_abc) component 1.1. ...) NOT-FOR-US: component for Joomla! CVE-2010-1655 (Cross-site scripting (XSS) vulnerability in User/User_ChkLogin.asp in ...) NOT-FOR-US: PowerEasy CVE-2010-1654 (Multiple SQL injection vulnerabilities in system_member_login.php in I ...) NOT-FOR-US: Infocus Real Estate Enterprise Edition CVE-2010-1653 (Directory traversal vulnerability in graphics.php in the Graphics (com ...) NOT-FOR-US: Graphics component for Joomla! CVE-2010-1652 (Directory traversal vulnerability in the HelpCenter module in Help Cen ...) NOT-FOR-US: Help Center Live CVE-2010-1651 (IBM WebSphere Application Server (WAS) 6.1.x before 6.1.0.31 and 7.0.x ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2010-1650 (IBM WebSphere Application Server (WAS) 6.0.x before 6.0.2.41, 6.1.x be ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2010-1649 (Multiple cross-site scripting (XSS) vulnerabilities in the back end in ...) NOT-FOR-US: Joomla! CVE-2010-1648 (Cross-site request forgery (CSRF) vulnerability in the login interface ...) - mediawiki 1:1.15.4-1 (bug #585918; low) [lenny] - mediawiki 1:1.12.0-2lenny6 NOTE: http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html CVE-2010-1647 (Cross-site scripting (XSS) vulnerability in MediaWiki 1.15 before 1.15 ...) - mediawiki 1:1.15.4-1 (bug #585918; low) [lenny] - mediawiki 1:1.12.0-2lenny6 NOTE: http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html CVE-2010-1646 (The secure path feature in env.c in sudo 1.3.1 through 1.6.9p22 and 1. ...) {DSA-2062-1} - sudo 1.7.2p7-1 (bug #585394) CVE-2010-1645 (Cacti before 0.8.7f, as used in Red Hat High Performance Computing (HP ...) {DSA-2384-1} - cacti 0.8.7g-1 CVE-2010-1644 (Multiple cross-site scripting (XSS) vulnerabilities in Cacti before 0. ...) {DSA-2384-1} - cacti 0.8.7g-1 CVE-2010-1643 (mm/shmem.c in the Linux kernel before 2.6.28-rc3, when strict overcomm ...) - linux-2.6 2.6.28-1 [lenny] - linux-2.6 2.6.26-23 CVE-2010-1642 (The reply_sesssetup_and_X_spnego function in sesssetup.c in smbd in Sa ...) - samba 2:3.5.4~dfsg-2 (unimportant) NOTE: Only crashes a single connection, not the entire smbd CVE-2010-1641 (The do_gfs2_set_flags function in fs/gfs2/file.c in the Linux kernel b ...) - linux-2.6 2.6.32-16 [lenny] - linux-2.6 2.6.26-23 CVE-2010-1640 (Off-by-one error in the parseicon function in libclamav/pe_icons.c in ...) - clamav 0.96.1+dfsg-1 (bug #584183) [lenny] - clamav CVE-2010-1639 (The cli_pdf function in libclamav/pdf.c in ClamAV before 0.96.1 allows ...) - clamav 0.96.1+dfsg-1 (bug #584183) [lenny] - clamav CVE-2010-1638 (The IMP plugin in Horde allows remote attackers to bypass firewall res ...) - horde3 (unimportant) CVE-2010-1637 (The Mail Fetch plugin in SquirrelMail 1.4.20 and earlier allows remote ...) - squirrelmail 2:1.4.21-1 (unimportant) CVE-2010-1636 (The btrfs_ioctl_clone function in fs/btrfs/ioctl.c in the btrfs functi ...) - linux-2.6 2.6.32-14 [lenny] - linux-2.6 (brtfs introduced in 2.6.32) CVE-2010-1635 (The chain_reply function in process.c in smbd in Samba before 3.4.8 an ...) - samba 2:3.6.1-2 (unimportant) NOTE: http://git.samba.org/?p=samba.git;a=commitdiff;h=25452a2268ac7013da28125f3df22085139af12d NOTE: Only crashes a single connection, not the entire smbd CVE-2010-1634 (Multiple integer overflows in audioop.c in the audioop module in Pytho ...) - python3.1 3.1.2+20100822-1 (low) - python2.7 2.7-1 (low) - python2.6 2.6.6-1 (low) - python2.5 2.5.5-10 (low; bug #599739) [lenny] - python2.5 (Minor issue) - python2.4 (low) [lenny] - python2.4 (Minor issue) CVE-2010-1633 (RSA verification recovery in the EVP_PKEY_verify_recover function in O ...) - openssl (This bug is only present in OpenSSL 1.0.0, first version of 1.0.0 ever uploaded was 1.0.0c) CVE-2010-1632 (Apache Axis2 before 1.5.2, as used in IBM WebSphere Application Server ...) - axis2c 1.6.0-1 CVE-2010-1631 REJECTED CVE-2010-1630 (Unspecified vulnerability in posting.php in phpBB before 3.0.5 has unk ...) - phpbb3 3.0.7-PL1-1 (low) [lenny] - phpbb3 (Minor issue) CVE-2010-1629 (Cross-site scripting (XSS) vulnerability in Phorum before 5.2.15 allow ...) NOT-FOR-US: Phorum CVE-2010-1628 (Ghostscript 8.64, 8.70, and possibly other versions allows context-dep ...) {DSA-2093-1} - ghostscript 8.71~dfsg2-4 (medium; bug #584516) NOTE: no upstream fix available, see issue #1 in ubuntu bug report: NOTE: https://bugs.launchpad.net/ubuntu/+source/ghostscript/+bug/546009 NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=691295 CVE-2010-1627 (feed.php in phpBB 3.0.7 before 3.0.7-PL1 does not properly check permi ...) - phpbb3 3.0.7-PL1-1 (low) [lenny] - phpbb3 (Minor issue) CVE-2010-1626 (MySQL before 5.1.46 allows local users to delete the data and index fi ...) {DSA-2057-1} - mysql-5.1 5.1.46-1 (bug #582526) - mysql-dfsg-5.0 (low; bug #584400) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=553648 CVE-2010-1625 (Cross-site scripting (XSS) vulnerability in LXR Cross Referencer befor ...) {DSA-2092-1} - lxr (low; bug #588138) [lenny] - lxr (Minor issue) - lxr-cvs 0.9.5+cvs20071020-1.1 (low; bug #588137) CVE-2010-1624 (The msn_emoticon_msg function in slp.c in the MSN protocol plugin in l ...) - pidgin 2.7.0-1 (low) [lenny] - pidgin 2.4.3-4lenny6 NOTE: MSN support was disabled in 2.4.3-4lenny6 CVE-2010-1623 (Memory leak in the apr_brigade_split_line function in buckets/apr_brig ...) {DSA-2117-1} - apr-util 1.3.9+dfsg-4 (medium) - apache2 2.2.16-3 [lenny] - apache2 (vulnerable code introduced in 2.2.15-2 or -3) CVE-2010-1622 (SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2 ...) - libspring-2.5-java 2.5.6.SEC02-1 (medium) CVE-2010-1621 (The mysql_uninstall_plugin function in sql/sql_plugin.cc in MySQL 5.1 ...) - mysql-5.1 5.1.46-1 - mysql-dfsg-5.0 (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=590190 CVE-2010-1620 (Integer overflow in the load_iface function in Tools/gdomap.c in gdoma ...) - gnustep-base 1.19.3-2 (bug #584401) [lenny] - gnustep-base (Minor issue) CVE-2010-1612 (The IBM WebSphere DataPower XML Accelerator XA35, Low Latency Applianc ...) NOT-FOR-US: IBM WebSphere DataPower XML Accelerator CVE-2010-1611 (Cross-site request forgery (CSRF) vulnerability in AlegroCart 1.1 allo ...) NOT-FOR-US: AlegroCart CVE-2010-1610 (Cross-site request forgery (CSRF) vulnerability in index.php in OpenCa ...) NOT-FOR-US: OpenCart CVE-2010-1609 (Cross-site scripting (XSS) vulnerability in SAP NetWeaver 2004 before ...) NOT-FOR-US: SAP NetWeaver CVE-2010-1608 (Stack-based buffer overflow in IBM Lotus Notes 8.5 and 8.5fp1, and pos ...) NOT-FOR-US: IBM Lotus Notes CVE-2010-1607 (Directory traversal vulnerability in wmi.php in the Webmoney Web Merch ...) NOT-FOR-US: Webmoney Web Merchant Interface component for Joomla! CVE-2010-1606 (Multiple cross-site scripting (XSS) vulnerabilities in NCT Jobs Portal ...) NOT-FOR-US: NCT Jobs Portal Script CVE-2010-1605 (Multiple SQL injection vulnerabilities in isearch.php in NCT Jobs Port ...) NOT-FOR-US: NCT Jobs Portal Script CVE-2010-1604 (Multiple SQL injection vulnerabilities in admin_login.php in NCT Jobs ...) NOT-FOR-US: NCT Jobs Portal Script CVE-2010-1603 (Directory traversal vulnerability in the ZiMB Core (aka ZiMBCore or co ...) NOT-FOR-US: ZiMB Core component for Joomla! CVE-2010-1602 (Directory traversal vulnerability in the ZiMB Comment (com_zimbcomment ...) NOT-FOR-US: ZiMB Comment component for Joomla! CVE-2010-1601 (Directory traversal vulnerability in the JA Comment (com_jacomment) co ...) NOT-FOR-US: JA Comment component for Joomla! CVE-2010-1600 (SQL injection vulnerability in the Media Mall Factory (com_mediamall) ...) NOT-FOR-US: Media Mall Factory component for Joomla! CVE-2010-1599 (SQL injection vulnerability in loadorder.php in NKInFoWeb 2.5 and 5.2. ...) NOT-FOR-US: NKInFoWeb CVE-2010-1598 (phpThumb.php in phpThumb() 1.7.9 and possibly other versions, when Ima ...) NOT-FOR-US: phpThumb() CVE-2010-1597 (Stack-based buffer overflow in zgtips.dll in ZipGenius 6.3.1.2552 allo ...) NOT-FOR-US: ZipGenius CVE-2009-4834 (lib.php in Zeroboard 4.1 pl7 allows remote attackers to execute arbitr ...) NOT-FOR-US: Zeroboard CVE-2009-4833 (MySQL Connector/NET before 6.0.4, when using encryption, does not veri ...) NOT-FOR-US: MySQL Connector/NET CVE-2009-4832 (The dlpcrypt.sys kernel driver 0.1.1.27 in DESlock+ 4.0.2 allows local ...) NOT-FOR-US: DLPCryptCore CVE-2009-4831 (Cerulean Studios Trillian 3.1 Basic does not check SSL certificates du ...) NOT-FOR-US: Cerulean Studios Trillian CVE-2010-1619 (Cross-site scripting (XSS) vulnerability in the fix_non_standard_entit ...) {DSA-2115-1} - moodle 1.9.8-1 (low; bug #585425) - wordpress (Vulnerable code not present) - egroupware (Vulneable code not present) CVE-2010-1618 (Cross-site scripting (XSS) vulnerability in the phpCAS client library ...) {DSA-2115-1} - libphp-cas (bug #495542) - moodle 1.9.8-1 (low; bug #574757) - glpi (unimportant) NOTE: Only supported behind an authenticated HTTP zone CVE-2010-1617 (user/view.php in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8 doe ...) {DSA-2115-1} - moodle 1.9.8-1 (unimportant; bug #585427) NOTE: i have a hard time seeing the security impact, moodle is a course management NOTE: system and the real names of your colleagues are probably not a secret, since NOTE: a patch exists I filed a bug anyway CVE-2010-1616 (Moodle 1.8.x and 1.9.x before 1.9.8 can create new roles when restorin ...) {DSA-2115-1} - moodle 1.9.8-1 CVE-2010-1615 (Multiple SQL injection vulnerabilities in Moodle 1.8.x before 1.8.12 a ...) {DSA-2115-1} - moodle 1.9.8-1 CVE-2010-1614 (Multiple cross-site scripting (XSS) vulnerabilities in Moodle 1.8.x be ...) {DSA-2115-1} - moodle 1.9.8-1 CVE-2010-1613 (Moodle 1.8.x and 1.9.x before 1.9.8 does not enable the "Regenerate se ...) {DSA-2115-1} - moodle 1.9.8-1 CVE-2010-1596 (Support Incident Tracker before 3.51, when using LDAP authentication w ...) NOT-FOR-US: Support Incident Tracker CVE-2010-1595 (Multiple SQL injection vulnerabilities in ocsreports/index.php in OCS ...) - ocsinventory-server 1.02.1-1 (unimportant) NOTE: Authentication is needed, only supported in trusted environments, see debtags CVE-2010-1594 (Multiple cross-site scripting (XSS) vulnerabilities in ocsreports/inde ...) - ocsinventory-server 1.02.1-1 (unimportant) NOTE: Authentication is needed, only supported in trusted environments, see debtags CVE-2010-1593 (Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe be ...) - silverstripe (bug #528461) CVE-2010-1592 (sandra.sys 15.18.1.1 and earlier in the Sandra Device Driver in SiSoft ...) NOT-FOR-US: SiSoftware Sandra CVE-2010-1591 (Beijing Rising International Rising Antivirus 2008 through 2010 does n ...) NOT-FOR-US: Beijing Rising International Rising Antivirus CVE-2010-1590 (Cross-site scripting (XSS) vulnerability in shopsessionsubs.asp in Roc ...) NOT-FOR-US: Rocksalt International VP-ASP Shopping Cart CVE-2010-1589 (Directory traversal vulnerability in shopsessionsubs.asp in Rocksalt I ...) NOT-FOR-US: Rocksalt International VP-ASP Shopping Cart CVE-2010-1588 (SQL injection vulnerability in the Getwebsess function in shopsessions ...) NOT-FOR-US: Rocksalt International VP-ASP Shopping Cart CVE-2010-1587 (The Jetty ResourceHandler in Apache ActiveMQ 5.x before 5.3.2 and 5.4. ...) NOT-FOR-US: Apache ActiveMQ CVE-2010-1586 (Open redirect vulnerability in red2301.html in HP System Management Ho ...) NOT-FOR-US: HP System Management Homepage CVE-2010-1585 (The nsIScriptableUnescapeHTML.parseFragment method in the ParanoidFrag ...) {DSA-2187-1 DSA-2186-1 DSA-2180-1} - icedove 3.0.11-2 [lenny] - icedove - xulrunner (unimportant) [lenny] - xulrunner 1.9.0.19-8 - iceweasel 3.5.17-1 [lenny] - iceweasel (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg) - iceape 2.0.12-1 [lenny] - iceape (Only a stub package) NOTE: xulrunner in wheezy is not covered by security support CVE-2010-1584 (Cross-site scripting (XSS) vulnerability in the Context module before ...) NOT-FOR-US: Context module for drupal CVE-2010-1583 (SQL injection vulnerability in the loadByKey function in the TznDbConn ...) NOT-FOR-US: Tirzen Framework CVE-2010-1582 RESERVED CVE-2010-1581 (Unspecified vulnerability in the Transport Layer Security (TLS) implem ...) NOT-FOR-US: Cisco ASA CVE-2010-1580 (Unspecified vulnerability in the SunRPC inspection feature on Cisco Ad ...) NOT-FOR-US: Cisco ASA CVE-2010-1579 (Unspecified vulnerability in the SunRPC inspection feature on Cisco Ad ...) NOT-FOR-US: Cisco ASA CVE-2010-1578 (Unspecified vulnerability in the SunRPC inspection feature on Cisco Ad ...) NOT-FOR-US: Cisco ASA CVE-2010-1577 (Directory traversal vulnerability in Cisco Internet Streamer, as used ...) NOT-FOR-US: Cisco CVE-2010-1576 (The Cisco Content Services Switch (CSS) 11500 with software before 8.2 ...) NOT-FOR-US: Cisco CVE-2010-1575 (The Cisco Content Services Switch (CSS) 11500 with software 08.20.1.01 ...) NOT-FOR-US: Cisco CVE-2010-1574 (IOS 12.2(52)SE and 12.2(52)SE1 on Cisco Industrial Ethernet (IE) 3000 ...) NOT-FOR-US: Cisco CVE-2010-1573 (Linksys WAP54Gv3 firmware 3.04.03 and earlier uses a hard-coded userna ...) NOT-FOR-US: Linksys firmware CVE-2010-1572 (Unspecified vulnerability in the tech support diagnostic shell in Cisc ...) NOT-FOR-US: Cisco CVE-2010-1571 (Directory traversal vulnerability in the bootstrap service in Cisco Un ...) NOT-FOR-US: Cisco CVE-2010-1570 (The computer telephony integration (CTI) server component in Cisco Uni ...) NOT-FOR-US: Cisco CVE-2010-1569 RESERVED CVE-2010-1568 (The Send Secure functionality in the Cisco IronPort Desktop Flag Plug- ...) NOT-FOR-US: Cisco IronPort Desktop Flag Plug-in for Microsoft Outlook CVE-2010-1567 (The SIP implementation on the Cisco PGW 2200 Softswitch with software ...) NOT-FOR-US: Cisco PGW CVE-2010-1566 RESERVED CVE-2010-1565 (Unspecified vulnerability in the SIP implementation on the Cisco PGW 2 ...) NOT-FOR-US: Cisco PGW CVE-2010-1563 (The SIP implementation on the Cisco PGW 2200 Softswitch with software ...) NOT-FOR-US: Cisco PGW CVE-2010-1562 (The SIP implementation on the Cisco PGW 2200 Softswitch with software ...) NOT-FOR-US: Cisco PGW CVE-2010-1561 (The SIP implementation on the Cisco PGW 2200 Softswitch with software ...) NOT-FOR-US: Cisco PGW CVE-2010-1560 (Buffer overflow in the REPEAT function in IBM DB2 9.1 before FP9 allow ...) NOT-FOR-US: IBM DB2 CVE-2010-1559 (SQL injection vulnerability in the SermonSpeaker (com_sermonspeaker) c ...) NOT-FOR-US: com_sermonspeaker component for joomla! CVE-2009-4830 (Unspecified vulnerability in OpenX 2.8.1 and 2.8.2 allows remote attac ...) - openx (bug #513771) CVE-2009-4829 (Cross-site scripting (XSS) vulnerability in the Automated Logout modul ...) NOT-FOR-US: Automated Logout module for drupal CVE-2009-4828 (Cross-site request forgery (CSRF) vulnerability in administration/admi ...) NOT-FOR-US: Ad Manager Pro CVE-2009-4827 (Cross-site request forgery (CSRF) vulnerability in admin.php in Mail M ...) NOT-FOR-US: Mail Manager Pro CVE-2009-4826 (Cross-site request forgery (CSRF) vulnerability in hosting/admin_ac.ph ...) NOT-FOR-US: ScriptsEz Mini Hosting Panel CVE-2009-4825 (8pixel.net Blog 4 stores sensitive information under the web root with ...) NOT-FOR-US: 8pixel.net Blog CVE-2009-4824 (Unspecified vulnerability in Kolab Webclient before 1.2.0 in Kolab Ser ...) {DSA-1897-1} - kolab-webclient - horde3 3.3.5+debian0-1 NOTE: package only in experimental; claimed fixed in version 20091202, but not enough info to check NOTE: http://kolab.org/cgi-bin/viewcvs-kolab.cgi/*checkout*/server/patches/horde-webmail/1.2.0/tg/Attic/t_framework_H_JS_Form_FixFormSecurityForImageUploads.diff?rev=1.1.2.1&only_with_tag=kolab_2_2_branch CVE-2009-4823 (Cross-site scripting (XSS) vulnerability in frontend/x3/files/fileop.h ...) NOT-FOR-US: cPanel CVE-2009-4822 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Ka ...) NOT-FOR-US: Kasseler CMS CVE-2009-4821 (The D-Link DIR-615 with firmware 3.10NA does not require administrativ ...) NOT-FOR-US: D-Link DIR-615 CVE-2009-4820 (Angelo-Emlak 1.0 stores sensitive information under the web root with ...) NOT-FOR-US: Angelo-Emlak CVE-2009-4819 (Multiple unrestricted file upload vulnerabilities in upload.php in PHP ...) NOT-FOR-US: PHPhotoalbum CVE-2009-4818 (Unrestricted file upload vulnerability in upload.php in PHPSimplicity ...) NOT-FOR-US: PHPSimplicity of Upload CVE-2009-4817 (Unrestricted file upload vulnerability in Element-IT Ultimate Uploader ...) NOT-FOR-US: Element-IT Ultimate Uploader CVE-2009-4816 (Directory traversal vulnerability in api/download_checker.php in MegaL ...) NOT-FOR-US: MegaLab The Uploader CVE-2009-4815 (Directory traversal vulnerability in Serv-U before 9.2.0.1 allows remo ...) NOT-FOR-US: Serv-U CVE-2009-4814 (Cross-site scripting (XSS) vulnerability in Wolfram Research webMathem ...) NOT-FOR-US: Wolfram Research webMathematica CVE-2009-4813 (Cross-site scripting (XSS) vulnerability in myps.php in MyBB (aka MyBu ...) NOT-FOR-US: MyBB CVE-2009-4812 (Wolfram Research webMathematica allows remote attackers to obtain sens ...) NOT-FOR-US: Wolfram Research webMathematica CVE-2009-4811 (VMware Authentication Daemon 1.0 in vmware-authd.exe in the VMware Aut ...) NOT-FOR-US: VMware CVE-2010-2447 (gitolite before 1.4.1 does not filter src/ or hooks/ from path names. ...) - gitolite 1.4.2-1 (low) NOTE: http://secunia.com/advisories/39587/ CVE-2010-2448 (znc.cpp in ZNC before 0.092 allows remote authenticated users to cause ...) - gitolite 1.4.2-1 (medium) NOTE: http://secunia.com/advisories/39587/ CVE-2010-1558 (Unspecified vulnerability in HP Multifunction Peripheral (MFP) Digital ...) NOT-FOR-US: HP MFP Digital Sending Software CVE-2010-1557 (Multiple cross-site scripting (XSS) vulnerabilities in HP Insight Cont ...) NOT-FOR-US: HP Insight Control Server Migration CVE-2010-1556 (Unspecified vulnerability in HP Systems Insight Manager (SIM) 5.3, 5.3 ...) NOT-FOR-US: HP Systems Insight Manager CVE-2010-1555 (Stack-based buffer overflow in getnnmdata.exe in HP OpenView Network N ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2010-1554 (Stack-based buffer overflow in getnnmdata.exe in HP OpenView Network N ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2010-1553 (Stack-based buffer overflow in getnnmdata.exe in HP OpenView Network N ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2010-1552 (Stack-based buffer overflow in the doLoad function in snmpviewer.exe i ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2010-1551 (Stack-based buffer overflow in the _OVParseLLA function in ov.dll in n ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2010-1550 (Format string vulnerability in ovet_demandpoll.exe in HP OpenView Netw ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2010-1549 (Unspecified vulnerability in the Agent in HP LoadRunner before 9.50 an ...) NOT-FOR-US: HP LoadRunner CVE-2010-1548 (The auto-complete functionality in the Chaos Tool Suite (aka CTools) m ...) NOT-FOR-US: CTools module for Drupal CVE-2010-1547 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Chao ...) NOT-FOR-US: CTools module for Drupal CVE-2010-1546 (Multiple eval injection vulnerabilities in the import functionality in ...) NOT-FOR-US: CTools module for Drupal CVE-2010-1545 RESERVED CVE-2010-1544 (micro_httpd on the RCA DCM425 cable modem allows remote attackers to c ...) NOT-FOR-US: RCA DCM425 Cable Modem CVE-2010-1543 (Cross-site scripting (XSS) vulnerability in the eTracker module before ...) NOT-FOR-US: eTracker module for drupal CVE-2010-1542 (Multiple cross-site request forgery (CSRF) vulnerabilities in admin/co ...) NOT-FOR-US: DFD Cart CVE-2010-1541 (Multiple cross-site scripting (XSS) vulnerabilities in DFD Cart 1.198, ...) NOT-FOR-US: DFD Cart CVE-2010-1540 (Directory traversal vulnerability in index.php in the MyBlog (com_mybl ...) NOT-FOR-US: com_myblog component for joomla! CVE-2010-1539 (Cross-site scripting (XSS) vulnerability in the Workflow module 5.x-2. ...) NOT-FOR-US: workflow module for drupal CVE-2010-1538 (SQL injection vulnerability in print_raincheck.php in phpRAINCHECK 1.0 ...) NOT-FOR-US: phpRAINCHECK CVE-2010-1537 (Multiple directory traversal vulnerabilities in phpCDB 1.0 and earlier ...) NOT-FOR-US: phpCDB CVE-2010-1536 (Cross-site scripting (XSS) vulnerability in the AddThis Button module ...) NOT-FOR-US: AddThis Button module for drupal CVE-2010-1535 (Directory traversal vulnerability in the TRAVELbook (com_travelbook) c ...) NOT-FOR-US: com_travelbook component for joomla! CVE-2010-1534 (Directory traversal vulnerability in the Shoutbox Pro (com_shoutbox) c ...) NOT-FOR-US: com_shoutbox component for joomla! CVE-2010-1533 (Directory traversal vulnerability in the TweetLA (com_tweetla) compone ...) NOT-FOR-US: com_tweetla component for joomla! CVE-2010-1532 (Directory traversal vulnerability in the givesight PowerMail Pro (com_ ...) NOT-FOR-US: com_powermail component for joomla! CVE-2010-1531 (Directory traversal vulnerability in the redSHOP (com_redshop) compone ...) NOT-FOR-US: com_redshop component for joomla! CVE-2010-1530 (Multiple cross-site scripting (XSS) vulnerabilities in the Internation ...) NOT-FOR-US: Internationalization module for drupal CVE-2010-1529 (SQL injection vulnerability in the Freestyle FAQs Lite (com_fsf) compo ...) NOT-FOR-US: com_fsf component for joomla! CVE-2010-1528 (PHP remote file inclusion vulnerability in include/template.php in Uig ...) NOT-FOR-US: Uiga Proxy CVE-2010-1527 (Stack-based buffer overflow in Novell iPrint Client before 5.44 allows ...) NOT-FOR-US: Novell iPrint Client CVE-2010-1526 (Multiple integer overflows in libgdiplus 2.6.7, as used in Mono, allow ...) - libgdiplus 2.6.7-2 (low; bug #594155) [lenny] - libgdiplus 1.9-1+lenny1 CVE-2010-1525 (Integer underflow in the SpreadSheet Lotus 123 reader (wkssr.dll) in A ...) NOT-FOR-US: SpreadSheet Lotus 123 reader CVE-2010-1524 (The SpreadSheet Lotus 123 reader (wkssr.dll) in Autonomy KeyView 10.4 ...) NOT-FOR-US: SpreadSheet Lotus 123 reader CVE-2010-1523 (Multiple heap-based buffer overflows in vp6.w5s (aka the VP6 codec) in ...) NOT-FOR-US: Winamp CVE-2010-1522 (Multiple SQL injection vulnerabilities in the BookLibrary Basic (com_b ...) NOT-FOR-US: com_booklibrary component for joomla! CVE-2010-1521 (SQL injection vulnerability in include/classes/tzn_user.php in TaskFre ...) NOT-FOR-US: TaskFreak! Original multi user CVE-2010-1520 (Cross-site scripting (XSS) vulnerability in logout.php in TaskFreak! O ...) NOT-FOR-US: TaskFreak! Original multi user CVE-2010-1519 (Multiple integer overflows in glpng.c in glpng 1.45 allow context-depe ...) - libglpng (low; bug #595171) [lenny] - libglpng (Minor issue) CVE-2010-1518 (Array index error in the SetDLInfo method in the GIGABYTE Dldrv2 Activ ...) NOT-FOR-US: GIGABYTE Dldrv2 ActiveX control CVE-2010-1517 (The GIGABYTE Dldrv2 ActiveX control 1.4.206.11 allows remote attackers ...) NOT-FOR-US: GIGABYTE Dldrv2 ActiveX control CVE-2010-1516 (Multiple integer overflows in SWFTools 0.9.1 allow remote attackers to ...) NOT-FOR-US: SWFtools (were once packaged) CVE-2010-1515 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in To ...) NOT-FOR-US: TomatoCMS CVE-2010-1514 (Unrestricted file upload vulnerability in TomatoCMS 2.0.6 and earlier ...) NOT-FOR-US: TomatoCMS CVE-2010-1513 (Multiple integer overflows in src/image.c in Ziproxy before 3.0.1 allo ...) - ziproxy 3.1.0-1 (bug #584933) [lenny] - ziproxy (Minor issue, obscure attack vector) CVE-2010-1512 (Directory traversal vulnerability in aria2 before 1.9.3 allows remote ...) {DSA-2047-1} - aria2 1.9.3-1 NOTE: http://seclists.org/fulldisclosure/2010/May/168 CVE-2010-1511 (KGet 2.4.2 in KDE SC 4.0.0 through 4.4.3 does not properly request dow ...) - kdenetwork 4:4.4.4-1 (low) [lenny] - kdenetwork (Metalink plugin not yet present) NOTE: http://seclists.org/fulldisclosure/2010/May/164 CVE-2010-1510 (Heap-based buffer overflow in IrfanView before 4.27 allows remote atta ...) NOT-FOR-US: IrfanView CVE-2010-1509 (IrfanView before 4.27 does not properly handle an unspecified integer ...) NOT-FOR-US: IrfanView CVE-2010-1508 (Heap-based buffer overflow in Apple QuickTime before 7.6.9 on Windows ...) NOT-FOR-US: Apple QuickTime CVE-2010-1507 (WebYaST in yast2-webclient in SUSE Linux Enterprise (SLE) 11 on the We ...) NOT-FOR-US: YAST CVE-2010-1506 (The Google V8 bindings in Google Chrome before 4.1.249.1059 allow atta ...) - chromium-browser 5.0.375.29~r46008-1 - webkit (doesn't use v8 bindings yet) NOTE: http://trac.webkit.org/changeset/45826 NOTE: https://bugs.webkit.org/show_bug.cgi?id=37210 NOTE: http://trac.webkit.org/changeset/57224 CVE-2010-1505 (Google Chrome before 4.1.249.1059 does not prevent pages from loading ...) - chromium-browser 5.0.375.29~r46008-1 - webkit (chromium-specific issue) CVE-2010-1504 (Cross-site scripting (XSS) vulnerability in Google Chrome before 4.1.2 ...) - chromium-browser 5.0.375.29~r46008-1 - webkit (chromium-specific issue) CVE-2010-1503 (Cross-site scripting (XSS) vulnerability in Google Chrome before 4.1.2 ...) - chromium-browser 5.0.375.29~r46008-1 - webkit (chromium-specific issue) CVE-2010-1502 (Unspecified vulnerability in Google Chrome before 4.1.249.1059 allows ...) - chromium-browser 5.0.375.29~r46008-1 - webkit (chromium-specific directory traversal) CVE-2010-1501 REJECTED CVE-2010-1500 (Google Chrome before 4.1.249.1059 does not properly support forms, whi ...) - chromium-browser 5.0.375.29~r46008-1 - webkit (proof-of-concept not effective; chromium-specific issue) CVE-2010-1499 (SQL injection vulnerability in genre_artists.php in MusicBox 3.3 allow ...) NOT-FOR-US: MusicBox CVE-2010-1498 (Multiple SQL injection vulnerabilities in dl_stats before 2.0 allow re ...) NOT-FOR-US: dl_stats CVE-2010-1497 (Cross-site scripting (XSS) vulnerability in download_proc.php in dl_st ...) NOT-FOR-US: dl_stats CVE-2010-1496 (SQL injection vulnerability in the JoltCard (com_joltcard) component 1 ...) NOT-FOR-US: com_joltcard component for joomla! CVE-2010-1495 (Directory traversal vulnerability in the Matamko (com_matamko) compone ...) NOT-FOR-US: com_matamko component for joomla! CVE-2010-1494 (Directory traversal vulnerability in the AWDwall (com_awdwall) compone ...) NOT-FOR-US: com_awdwall component for joomla! CVE-2010-1493 (SQL injection vulnerability in the AWDwall (com_awdwall) component bef ...) NOT-FOR-US: com_awdwall component for joomla! CVE-2010-1492 (Directory traversal vulnerability in help/frameRight.php in Elastix 1. ...) NOT-FOR-US: Elastix CVE-2010-1491 (Directory traversal vulnerability in the MMS Blog (com_mmsblog) compon ...) NOT-FOR-US: com_mmsblog component for joomla! CVE-2009-4810 (The Secure Remote Password (SRP) implementation in Samhain before 2.5. ...) - samhain 2.5.4-1 (unimportant) NOTE: Support for client/server operation is not enabled in the Debian packages CVE-2009-4809 (Directory traversal vulnerability in thumbnail.ghp in Easy File Sharin ...) NOT-FOR-US: Easy File Sharing Web Server CVE-2009-4808 (admin.php in Graugon PHP Article Publisher 1.0 allows remote attackers ...) NOT-FOR-US: Graugon PHP Article Publisher CVE-2009-4807 (Multiple SQL injection vulnerabilities in Graugon PHP Article Publishe ...) NOT-FOR-US: Graugon PHP Article Publisher CVE-2009-4806 (admin/save_user.asp in Digital Interchange Document Library 1.0.1 does ...) NOT-FOR-US: Digital Interchange Document Library CVE-2009-4805 (Multiple SQL injection vulnerabilities in EZ-Blog Beta 1, when magic_q ...) NOT-FOR-US: EZ-Blog CVE-2009-4804 (Cross-site scripting (XSS) vulnerability in the Calendar Base (cal) ex ...) NOT-FOR-US: cal extension for typo3 CVE-2009-4803 (SQL injection vulnerability in the Accessibility Glossary (a21glossary ...) NOT-FOR-US: a21glossary extension for typo3 CVE-2009-4802 (SQL injection vulnerability in the Flat Manager (flatmgr) extension be ...) NOT-FOR-US: fsatmgr extension for typo3 CVE-2009-4801 (EZ-Blog Beta 1 does not require authentication, which allows remote at ...) NOT-FOR-US: EZ-Blog CVE-2010-1490 (Unspecified vulnerability in IBM Cognos 8 Business Intelligence before ...) NOT-FOR-US: IBM Cognos CVE-2009-4800 (Directory traversal vulnerability in Sysax Multi Server 4.3 and 4.5 al ...) NOT-FOR-US: Sysax Multi Server CVE-2009-4799 (Diskos CMS 6.x stores sensitive information under the web root with in ...) NOT-FOR-US: Diskos CMS CVE-2009-4798 (Multiple SQL injection vulnerabilities in Diskos CMS 6.x allow remote ...) NOT-FOR-US: Diskos CMS CVE-2009-4797 (SQL injection vulnerability in browse.php in JobHut 1.2 and earlier al ...) NOT-FOR-US: JobHut CVE-2009-4796 (Multiple SQL injection vulnerabilities in the ExecuteQueries function ...) NOT-FOR-US: glFusion CVE-2009-4795 (Multiple SQL injection vulnerabilities in Xlight FTP Server before 3.2 ...) NOT-FOR-US: Xlight FTP Server CVE-2009-4794 (Multiple SQL injection vulnerabilities in Community CMS 0.5 allow remo ...) NOT-FOR-US: Community CMS CVE-2009-4793 (Unrestricted file upload vulnerability in adminpanel/scripts/addphotos ...) NOT-FOR-US: BandSite CMS CVE-2009-4792 (SQL injection vulnerability in includes/content/member_content.php in ...) NOT-FOR-US: BandSite CMS CVE-2009-4791 (Multiple SQL injection vulnerabilities in Family Connections (aka FCMS ...) NOT-FOR-US: Family Connections CVE-2009-4790 (Multiple directory traversal vulnerabilities in Sysax Multi Server 4.5 ...) NOT-FOR-US: Sysax Multi Server CVE-2009-4789 (Multiple PHP remote file inclusion vulnerabilities in the MojoBlog com ...) NOT-FOR-US: mojoblog component for joomla! CVE-2009-4788 (Multiple open redirect vulnerabilities in Pligg 1.0.2 and earlier allo ...) NOT-FOR-US: Pligg CVE-2009-4787 (Multiple cross-site request forgery (CSRF) vulnerabilities in Pligg be ...) NOT-FOR-US: Pligg CVE-2009-4786 (Multiple cross-site scripting (XSS) vulnerabilities in Pligg before 1. ...) NOT-FOR-US: Pligg CVE-2009-4785 (SQL injection vulnerability in the Quick News (com_quicknews) componen ...) NOT-FOR-US: com_quicknews component for joomla! CVE-2009-4784 (SQL injection vulnerability in the Joaktree (com_joaktree) component 1 ...) NOT-FOR-US: com_joaktree component for joomla! CVE-2009-4783 (Multiple SQL injection vulnerabilities in Theeta CMS, possibly 0.01, a ...) NOT-FOR-US: Theeta CMS CVE-2009-4782 (Multiple cross-site scripting (XSS) vulnerabilities in Theeta CMS, pos ...) NOT-FOR-US: Theeta CMS CVE-2009-4781 (TUKEVA Password Reminder before 1.0.0.4 uses a hard-coded password for ...) NOT-FOR-US: TUKEVA Password Reminder CVE-2009-4780 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in ph ...) NOT-FOR-US: phpMyFAQ CVE-2009-4779 (Multiple PHP remote file inclusion vulnerabilities in NukeHall 0.3 and ...) NOT-FOR-US: NukeHall CVE-2009-4778 (Multiple unspecified vulnerabilities in the PDF distiller in the Attac ...) NOT-FOR-US: BlackBerry PDF distiller CVE-2009-4777 (Unspecified vulnerability in multiple versions of Hitachi JP1/Automati ...) NOT-FOR-US: Hitachi Job Management / System Observer CVE-2009-4776 (Buffer overflow in Hitachi Cosminexus V4 through V8, Processing Kit fo ...) NOT-FOR-US: Hitachi Cosminexus CVE-2009-4775 (Format string vulnerability in Ipswitch WS_FTP Professional 12 before ...) NOT-FOR-US: Ipswitch WS_FTP Professional CVE-2009-4774 (Unspecified vulnerability in Sun Solaris 10 and OpenSolaris snv_49 thr ...) NOT-FOR-US: OpenSolaris CVE-2010-XXXX [prosody password world-readable] - prosody 0.7.0-1 (low; bug #579087) CVE-2010-XXXX [gnome-orca: shell access without logon] - gnome-orca 2.30.0-2 (bug #578928) [lenny] - gnome-orca (Doesn't affect Lenny's version) CVE-2010-1431 (SQL injection vulnerability in templates_export.php in Cacti 0.8.7e an ...) {DSA-2039-1} - cacti 0.8.7e-3 (bug #578909) NOTE: http://seclists.org/fulldisclosure/2010/Apr/272 NOTE: http://www.cacti.net/downloads/patches/0.8.7e/sql_injection_template_export.patch CVE-2010-1489 (The XSS Filter in Microsoft Internet Explorer 8 does not properly perf ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-1488 (The proc_oom_score function in fs/proc/base.c in the Linux kernel befo ...) - linux-2.6 2.6.32-12 [lenny] - linux-2.6 (vulnerable code introduced in 2.6.32) CVE-2010-1487 (IBM Lotus Notes 7.0, 8.0, and 8.5 stores administrative credentials in ...) NOT-FOR-US: IBM Lotus Notes CVE-2010-1486 (Multiple cross-site scripting (XSS) vulnerabilities in _invoice.asp in ...) NOT-FOR-US: CactuShop CVE-2010-1485 RESERVED CVE-2010-1484 RESERVED CVE-2010-1483 RESERVED CVE-2010-1482 (Cross-site scripting (XSS) vulnerability in admin/editprefs.php in the ...) NOT-FOR-US: CMS Made Simple CVE-2010-1481 (Cross-site scripting (XSS) vulnerability in the table feature in PmWik ...) NOT-FOR-US: PmWiki CVE-2010-1480 (SQL injection vulnerability in the RokModule (com_rokmodule) component ...) NOT-FOR-US: component for Joomla! CVE-2010-1479 (SQL injection vulnerability in the RokModule (com_rokmodule) component ...) NOT-FOR-US: component for Joomla! CVE-2010-1478 (Directory traversal vulnerability in the Ternaria Informatica Jfeedbac ...) NOT-FOR-US: component for Joomla! CVE-2010-1477 (SQL injection vulnerability in the SermonSpeaker (com_sermonspeaker) c ...) NOT-FOR-US: component for Joomla! CVE-2010-1476 (Directory traversal vulnerability in the AlphaUserPoints (com_alphause ...) NOT-FOR-US: component for Joomla! CVE-2010-1475 (Directory traversal vulnerability in the Preventive & Reservation ...) NOT-FOR-US: component for Joomla! CVE-2010-1474 (Directory traversal vulnerability in the Sweety Keeper (com_sweetykeep ...) NOT-FOR-US: component for Joomla! CVE-2010-1473 (Directory traversal vulnerability in the Advertising (com_advertising) ...) NOT-FOR-US: component for Joomla! CVE-2010-1472 (Directory traversal vulnerability in the Daily Horoscope (com_horoscop ...) NOT-FOR-US: component for Joomla! CVE-2010-1471 (Directory traversal vulnerability in the AddressBook (com_addressbook) ...) NOT-FOR-US: component for Joomla! CVE-2010-1470 (Directory traversal vulnerability in the Web TV (com_webtv) component ...) NOT-FOR-US: component for Joomla! CVE-2010-1469 (Directory traversal vulnerability in the Ternaria Informatica JProject ...) NOT-FOR-US: component for Joomla! CVE-2010-1468 (SQL injection vulnerability in the Multi-Venue Restaurant Menu Manager ...) NOT-FOR-US: component for Joomla! CVE-2009-4773 (Cross-site request forgery (CSRF) vulnerability in the order-managemen ...) NOT-FOR-US: Ubercart module for Drupal CVE-2009-4772 (Unspecified vulnerability in the PayPal Website Payments Standard func ...) NOT-FOR-US: Ubercart module for Drupal CVE-2009-4771 (The PayPal Website Payments Standard functionality in the Ubercart mod ...) NOT-FOR-US: Ubercart module for Drupal CVE-2009-4770 (The FTP server component in httpdx 1.4, 1.4.5, 1.4.6, 1.4.6b, and 1.5 ...) NOT-FOR-US: httpdx CVE-2009-4769 (Multiple format string vulnerabilities in the tolog function in httpdx ...) NOT-FOR-US: httpdx CVE-2009-4768 (Unspecified vulnerability in the JASS script interpreter in Warcraft I ...) NOT-FOR-US: World of Warcraft CVE-2009-4767 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Pl ...) NOT-FOR-US: Plohni Shoutbox CVE-2008-7255 (login_screen.tcl in aMSN (aka Alvaro's Messenger) before 0.97.1 saves ...) - amsn 0.97.1~debian-1 (low) CVE-2010-1467 (Multiple PHP remote file inclusion vulnerabilities in openUrgence Vacc ...) NOT-FOR-US: openUrgence CVE-2010-1466 (Directory traversal vulnerability in scr/soustab.php in openUrgence Va ...) NOT-FOR-US: openUrgence CVE-2010-1465 (Stack-based buffer overflow in Trellian FTP client 3.01, including 3.1 ...) NOT-FOR-US: Trellian FTP CVE-2010-1464 (Multiple cross-site scripting (XSS) vulnerabilities in WebAsyst Shop-S ...) NOT-FOR-US: WebAsyst Shop-Script FREE CVE-2010-1463 (Multiple SQL injection vulnerabilities in WebAsyst Shop-Script FREE al ...) NOT-FOR-US: WebAsyst Shop-Script FREE CVE-2010-1462 (Directory traversal vulnerability in WebAsyst Shop-Script FREE has unk ...) NOT-FOR-US: WebAsyst Shop-Script FREE CVE-2010-1461 (Directory traversal vulnerability in the Photo Battle (com_photobattle ...) NOT-FOR-US: Photo Battle Component for Joomla! CVE-2010-1460 (The IBM BladeCenter with Advanced Management Module (AMM) firmware bef ...) NOT-FOR-US: IBM BladeCenter Management Module CVE-2010-1459 (The default configuration of ASP.NET in Mono before 2.6.4 has a value ...) - mono 2.4.4~svn151842-3 (bug #585440) CVE-2010-1458 (Stack-based buffer overflow in Create and Extract Zips TweakFS Zip Uti ...) NOT-FOR-US: TweakFS CVE-2010-1167 (fetchmail 4.6.3 through 6.3.16, when debug mode is enabled, does not p ...) - fetchmail 6.3.16-2 (low) [lenny] - fetchmail (only vulnerable when run under debug verbosity level) NOTE: http://www.fetchmail.info/fetchmail-SA-2010-02.txt NOTE: http://gitorious.org/fetchmail/fetchmail/commit/ec06293 CVE-2010-1457 (Tools/gdomap.c in gdomap in GNUstep Base before 1.20.0 allows local us ...) - gnustep-base 1.19.3-2 (bug #584402) [lenny] - gnustep-base (Not installed setuid root) NOTE: http://thread.gmane.org/gmane.comp.lib.gnustep.bugs/12336 CVE-2010-1456 REJECTED CVE-2010-1455 (The DOCSIS dissector in Wireshark 0.9.6 through 1.0.12 and 1.2.0 throu ...) - wireshark 1.2.8-1 (unimportant) NOTE: Not triggerable remotely CVE-2010-1454 (com.springsource.tcserver.serviceability.rmi.JmxSocketListener in VMwa ...) NOT-FOR-US: VMware CVE-2010-1453 (Cross-site scripting (XSS) vulnerability in the Login form in Piwik 0. ...) - piwik (bug #506933) CVE-2010-1452 (The (1) mod_cache and (2) mod_dav modules in the Apache HTTP Server 2. ...) - apache2 2.2.16-1 (low) [lenny] - apache2 2.2.9-10+lenny10 CVE-2010-1451 (The TSB I-TLB load implementation in arch/sparc/kernel/tsb.S in the Li ...) {DSA-2053-1} - linux-2.6 2.6.32-10 CVE-2010-1450 (Multiple buffer overflows in the RLE decoder in the rgbimg module in P ...) - python3.1 (rgbimgmodule no longer included in source) - python2.7 (rgbimgmodule no longer included in source) - python2.6 (rgbimgmodule no longer included in source) - python2.5 2.5.5-11 (low; bug #603162) [lenny] - python2.5 (Minor issue) - python2.4 (low) [lenny] - python2.4 (Minor issue) CVE-2010-1449 (Integer overflow in rgbimgmodule.c in the rgbimg module in Python 2.5 ...) - python3.1 (rgbimgmodule no longer included in source) - python2.7 (rgbimgmodule no longer included in source) - python2.6 (rgbimgmodule no longer included in source) - python2.5 2.5.5-11 (low; bug #603162) [lenny] - python2.5 (Minor issue) - python2.4 (low) [lenny] - python2.4 (Minor issue) CVE-2010-1448 (Cross-site scripting (XSS) vulnerability in lib/LXR/Common.pm in LXR C ...) {DSA-2092-1} - lxr (low; bug #585411) [lenny] - lxr (Minor issue) - lxr-cvs 0.9.5+cvs20071020-1.1 (low; bug #588036) NOTE: seems to be a dupe of CVE-2010-1738 CVE-2010-1447 (The Safe (aka Safe.pm) module 2.26, and certain earlier versions, for ...) {DSA-2267-1 DSA-2051-1} - postgresql-8.4 8.4.4-1 - postgresql-8.3 - perl 5.12.3-1 NOTE: Originally attributed to Postgres, but also affects standard Perl CVE-2010-1446 (arch/powerpc/mm/fsl_booke_mmu.c in KGDB in the Linux kernel 2.6.30 and ...) {DSA-2053-1} - linux-2.6 2.6.32-12 (unimportant) NOTE: KGDB is not currently enabled in debian builds CVE-2010-1445 (Heap-based buffer overflow in VideoLAN VLC media player before 1.0.6 a ...) - vlc 1.0.6-1 [lenny] - vlc (Vulnerable code not present) NOTE: http://www.videolan.org/security/sa1003.html CVE-2010-1444 (The ZIP archive decompressor in VideoLAN VLC media player before 1.0.6 ...) - vlc 1.0.6-1 [lenny] - vlc (Vulnerable code not present) NOTE: http://www.videolan.org/security/sa1003.html CVE-2010-1443 (The parse_track_node function in modules/demux/playlist/xspf.c in the ...) - vlc 1.0.6-1 (unimportant) NOTE: http://www.videolan.org/security/sa1003.html CVE-2010-1442 (VideoLAN VLC media player before 1.0.6 allows remote attackers to caus ...) - vlc 1.0.6-1 [lenny] - vlc 0.8.6.h-4+lenny3 NOTE: http://www.videolan.org/security/sa1003.html CVE-2010-1441 (Multiple heap-based buffer overflows in VideoLAN VLC media player befo ...) - vlc 1.0.6-1 [lenny] - vlc 0.8.6.h-4+lenny3 NOTE: http://www.videolan.org/security/sa1003.html CVE-2010-1440 (Multiple integer overflows in dvipsk/dospecial.c in dvips in TeX Live ...) - texlive-bin 2009-6 (low; bug #580668) [lenny] - texlive-bin 2007.dfsg.2-4+lenny3 CVE-2010-1439 (yum-rhn-plugin in Red Hat Network Client Tools (aka rhn-client-tools) ...) NOT-FOR-US: Red Hat Network Client Tools CVE-2010-1438 (Web Application Finger Printer (WAFP) 0.01-26c3 uses fixed pathnames u ...) - wafp (bug #562949) CVE-2010-1437 (Race condition in the find_keyring_by_name function in security/keys/k ...) {DSA-2053-1} - linux-2.6 2.6.32-13 CVE-2010-1436 (gfs2 in the Linux kernel 2.6.18, and possibly other versions, does not ...) - linux-2.6 2.6.32-25 [lenny] - linux-2.6 2.6.26-23 CVE-2010-1435 RESERVED CVE-2010-1434 RESERVED CVE-2010-1433 RESERVED CVE-2010-1432 RESERVED CVE-2010-1430 REJECTED CVE-2010-1429 (Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) ...) - jbossas4 (Only builds a few libraries, not the full application server, #581226) CVE-2010-1428 (The Web Console (aka web-console) in JBossAs in Red Hat JBoss Enterpri ...) - jbossas4 (Only builds a few libraries, not the full application server, #581226) CVE-2010-1427 (Cross-site scripting (XSS) vulnerability in the SearchHighlight plugin ...) NOT-FOR-US: MODx Evolution CVE-2010-1426 (SQL injection vulnerability in MODx Evolution before 1.0.3 allows remo ...) NOT-FOR-US: MODx Evolution CVE-2010-1425 (F-Secure Internet Security 2010 and earlier; Anti-Virus for Microsoft ...) NOT-FOR-US: F-Secure Internet Security CVE-2010-1424 (Unspecified vulnerability in JustSystems Ichitaro and Ichitaro Governm ...) NOT-FOR-US: JustSystems Ichitaro and Ichitaro Government CVE-2010-1422 (WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Wi ...) - webkit 1.2.2-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.29~r46008-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=26824 NOTE: http://trac.webkit.org/changeset/58829 CVE-2010-1421 (The execCommand JavaScript function in WebKit in Apple Safari before 5 ...) - webkit 1.2.2-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.29~r46008-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=27751 NOTE: http://trac.webkit.org/changeset/58703 CVE-2010-1420 (Cross-site scripting (XSS) vulnerability in CFNetwork in Apple Safari ...) NOT-FOR-US: Apple Safari CVE-2010-1419 (Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on M ...) - webkit 1.2.1-2 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.29~r46008-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=37618 NOTE: http://trac.webkit.org/changeset/58616 CVE-2010-1418 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari bef ...) - webkit 1.2.2-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.29~r46008-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=38260 NOTE: https://bugs.webkit.org/show_bug.cgi?id=36502 NOTE: https://bugs.webkit.org/show_bug.cgi?id=37031 NOTE: http://trac.webkit.org/changeset/58844 NOTE: http://trac.webkit.org/changeset/56651 NOTE: http://trac.webkit.org/changeset/57627 CVE-2010-1417 (The Cascading Style Sheets (CSS) implementation in WebKit in Apple Saf ...) - webkit 1.2.2-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.29~r46008-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=38001 NOTE: http://trac.webkit.org/changeset/58201 NOTE: if this commit is correct, this is a dup of cve-2010-1665 CVE-2010-1416 (WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Wi ...) - webkit 1.2.2-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.70~r48679-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=36838 NOTE: http://trac.webkit.org/changeset/56810 CVE-2010-1415 (WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Wi ...) - webkit 1.2.1-2 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.70~r48679-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=36000 NOTE: http://trac.webkit.org/changeset/56420 CVE-2010-1414 (Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on M ...) - webkit 1.2.1-2 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.70~r48679-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=35818 NOTE: http://trac.webkit.org/changeset/55783 CVE-2010-1413 (WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Wi ...) - webkit (affected cf/iss code is not present) - chromium-browser 5.0.375.70~r48679-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=37230 NOTE: http://trac.webkit.org/changeset/57232 CVE-2010-1412 (Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on M ...) - webkit 1.2.1-2 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.70~r48679-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=29635 NOTE: http://trac.webkit.org/changeset/57759 NOTE: http://trac.webkit.org/changeset/57817 CVE-2010-1411 (Multiple integer overflows in the Fax3SetupState function in tif_fax3. ...) {DSA-2084-1} - tiff 3.9.4-1 - tiff3 (fixed prior to initial upload) CVE-2010-1410 (WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Wi ...) - webkit 1.2.1-2 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.342.9~r43360-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=35603 NOTE: http://trac.webkit.org/changeset/55511 CVE-2010-1409 (Incomplete blacklist vulnerability in WebKit in Apple Safari before 5. ...) - webkit 1.2.1-2 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.342.9~r43360-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=34451 NOTE: http://trac.webkit.org/changeset/54193 CVE-2010-1408 (WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Wi ...) - webkit 1.2.1-2 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.342.9~r43360-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=36571 NOTE: http://trac.webkit.org/changeset/56489 NOTE: http://trac.webkit.org/changeset/56492 NOTE: http://trac.webkit.org/changeset/56879 CVE-2010-1407 (WebKit in Apple iOS before 4 on the iPhone and iPod touch does not pro ...) - webkit 1.2.2-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.342.9~r43360-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=36435 NOTE: http://trac.webkit.org/changeset/56365 CVE-2010-1406 (WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Wi ...) - webkit 1.2.1-2 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.342.9~r43360-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=30841 NOTE: http://trac.webkit.org/changeset/50226 NOTE: http://trac.webkit.org/changeset/50240 CVE-2010-1405 (Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on M ...) - webkit 1.2.2-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.342.9~r43360-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=36198 NOTE: http://trac.webkit.org/changeset/56186 CVE-2010-1404 (Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on M ...) - webkit 1.2.1-2 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.342.9~r43360-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=35709 NOTE: http://trac.webkit.org/changeset/53446 CVE-2010-1403 (WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Wi ...) - chromium-browser 5.0.342.9~r43360-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=35708 NOTE: http://trac.webkit.org/changeset/53446 CVE-2010-1402 (Double free vulnerability in WebKit in Apple Safari before 5.0 on Mac ...) - webkit 1.2.1-2 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.342.9~r43360-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=35598 NOTE: http://trac.webkit.org/changeset/55182 CVE-2010-1401 (Use-after-free vulnerability in the Cascading Style Sheets (CSS) imple ...) - webkit 1.2.1-2 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.342.9~r43360-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=35353 NOTE: http://trac.webkit.org/changeset/55196 CVE-2010-1400 (Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on M ...) - webkit 1.2.1-2 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.342.9~r43360-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=34734 NOTE: http://trac.webkit.org/changeset/54521 CVE-2010-1399 (WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Wi ...) - webkit 1.2.1-2 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.342.9~r43360-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=35599 NOTE: http://trac.webkit.org/changeset/46437 CVE-2010-1398 (WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Wi ...) - webkit 1.2.1-2 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.342.9~r43360-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=35305 NOTE: http://trac.webkit.org/changeset/55167 CVE-2010-1397 (Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on M ...) - webkit 1.2.1-2 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.342.9~r43360-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=32842 NOTE: http://trac.webkit.org/changeset/52034 NOTE: http://trac.webkit.org/changeset/55114 CVE-2010-1396 (Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on M ...) - webkit 1.2.1-2 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.342.9~r43360-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=35621 NOTE: http://trac.webkit.org/changeset/55462 NOTE: http://trac.webkit.org/changeset/55465 CVE-2010-1395 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari bef ...) - webkit 1.2.1-2 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.342.9~r43360-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=26868 NOTE: http://trac.webkit.org/changeset/46068 CVE-2010-1394 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari bef ...) - webkit 1.2.1-2 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.342.9~r43360-1 NOTE: http://trac.webkit.org/changeset/55203 NOTE: http://trac.webkit.org/changeset/55212 CVE-2010-1393 (The Cascading Style Sheets (CSS) implementation in WebKit in Apple Saf ...) - webkit 1.2.1-2 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.342.9~r43360-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=33683 NOTE: http://trac.webkit.org/changeset/53607 CVE-2010-1392 (Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on M ...) - webkit 1.2.2-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.342.9~r43360-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=34641 NOTE: http://trac.webkit.org/changeset/56297 CVE-2010-1391 (Multiple directory traversal vulnerabilities in the (a) Local Storage ...) - webkit 1.2.1-2 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.342.9~r43360-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=36243 NOTE: http://trac.webkit.org/changeset/56139 CVE-2010-1390 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari bef ...) - webkit 1.2.1-2 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.342.9~r43360-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=29078 NOTE: http://trac.webkit.org/changeset/49487 CVE-2010-1389 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari bef ...) - webkit 1.2.1-2 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.342.9~r43360-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=30019 NOTE: https://bugs.webkit.org/show_bug.cgi?id=34148 NOTE: https://bugs.webkit.org/show_bug.cgi?id=33970 NOTE: http://trac.webkit.org/changeset/53442 NOTE: http://trac.webkit.org/changeset/53835 NOTE: http://trac.webkit.org/changeset/53659 CVE-2010-1388 (WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6, and b ...) - webkit (issue in mac-specific code) - chromium-browser (issue in mac-specific code) NOTE: https://bugs.webkit.org/show_bug.cgi?id=28755 NOTE: http://trac.webkit.org/changeset/47829 CVE-2010-1387 (Use-after-free vulnerability in JavaScriptCore in WebKit in Apple iTun ...) - webkit 1.2.1-2 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.342.9~r43360-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=34321 NOTE: http://trac.webkit.org/changeset/54129 NOTE: http://trac.webkit.org/changeset/54141 NOTE: http://trac.webkit.org/changeset/54265 CVE-2010-1386 (page/Geolocation.cpp in WebCore in WebKit before r56188 and before 1.2 ...) - webkit 1.2.2-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.342.9~r43360-1 NOTE: https://bugs.webkit.org/show_bug.cgi?id=36255 NOTE: http://trac.webkit.org/changeset/56188 CVE-2010-1385 (Use-after-free vulnerability in Apple Safari before 5.0 on Mac OS X 10 ...) - webkit (this is a bug in Apple's PDFKit) - chromium-browser (this is a bug in Apple's PDFKit) CVE-2010-1384 (Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and ...) - chromium-browser (unimportant) NOTE: This is based on various misconceptions surrounding "phishing" The only supported browser security model NOTE: surrounding URLs is the accurate post-link-click indication of the final target URL in the URL bar. CVE-2010-1383 (CFNetwork in Apple Safari before 5.0.6 on Windows allows remote web se ...) NOT-FOR-US: Apple Safari CVE-2010-1382 (Cross-site scripting (XSS) vulnerability in Wiki Server in Apple Mac O ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1381 (The default configuration of SMB File Server in Apple Mac OS X 10.5.8, ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1380 (Integer overflow in the cgtexttops CUPS filter in Printing in Apple Ma ...) NOT-FOR-US: Apple-specific CUPS filter "cgtexttops" CVE-2010-1379 (Printer Setup in Apple Mac OS X 10.6 before 10.6.4 does not properly i ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1378 (OpenSSL in Apple Mac OS X 10.6.x before 10.6.5 does not properly perfo ...) - openssl (fix for an apple-specific flaw) NOTE: sounds like a duplicate of CVE-2009-2409 CVE-2010-1377 (Open Directory in Apple Mac OS X 10.6 before 10.6.4 creates an unencry ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1376 (Multiple format string vulnerabilities in Network Authorization in App ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1375 (NetAuthSysAgent in Network Authorization in Apple Mac OS X 10.5.8 does ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1374 (Directory traversal vulnerability in iChat in Apple Mac OS X 10.5.8, a ...) NOT-FOR-US: iChat CVE-2010-1373 (Cross-site scripting (XSS) vulnerability in Help Viewer in Apple Mac O ...) NOT-FOR-US: Apple Mac OS X CVE-2010-1423 (Argument injection vulnerability in the URI handler in (a) Java NPAPI ...) - sun-java6 6.20-1 (high) [lenny] - sun-java6 6-20-0lenny1 CVE-2010-2449 (Gource through 0.26 logs to a predictable file name (/tmp/gource-$UID. ...) - gource 0.26-2 (low; bug #577958) CVE-2010-1564 REJECTED CVE-2010-1372 (SQL injection vulnerability in the HD FLV Player (com_hdflvplayer) com ...) NOT-FOR-US: Joomla! CVE-2010-1371 (Cross-site scripting (XSS) vulnerability in signup.asp in Pre Classifi ...) NOT-FOR-US: Pre Classified Listings ASP CVE-2010-1370 (SQL injection vulnerability in detailad.asp in Pre Classified Listings ...) NOT-FOR-US: Pre Classified Listings ASP CVE-2010-1369 (SQL injection vulnerability in signup.asp in Pre Classified Listings A ...) NOT-FOR-US: Pre Classified Listings ASP CVE-2010-1368 (SQL injection vulnerability in index.php in GameScript (GS) 3.0 allows ...) NOT-FOR-US: GameScript CVE-2010-1367 (Multiple cross-site scripting (XSS) vulnerabilities in admin/admin_log ...) NOT-FOR-US: Uiga Fan Club CVE-2010-1366 (Multiple SQL injection vulnerabilities in admin/admin_login.php in Uig ...) NOT-FOR-US: Uiga Fan Club CVE-2010-1365 (SQL injection vulnerability in index.php in Uiga Fan Club, as download ...) NOT-FOR-US: Uiga Fan Club CVE-2010-1364 (SQL injection vulnerability in index.php in Uiga Personal Portal, as d ...) NOT-FOR-US: Uiga Fan Club CVE-2010-1363 (SQL injection vulnerability in the JProjects (com_j-projects) componen ...) NOT-FOR-US: Joomla! CVE-2010-1362 (Cross-site scripting (XSS) vulnerability in the Own Term module 6.x-1. ...) NOT-FOR-US: Own Term module for Drupal CVE-2010-1361 (Cross-site scripting (XSS) vulnerability in shop/USER_ARTIKEL_HANDLING ...) NOT-FOR-US: PHPepperShop CVE-2010-1360 (Multiple PHP remote file inclusion vulnerabilities in FAQEngine 4.24.0 ...) NOT-FOR-US: FAQEngine CVE-2010-1359 (SQL injection vulnerability in bluegate_seo.inc.php in the Direct URL ...) NOT-FOR-US: xt:Commerce CVE-2010-1358 (Cross-site scripting (XSS) vulnerability in the Bibliography (Biblio) ...) NOT-FOR-US: Biblio module for Drupal CVE-2010-1357 (Cross-site scripting (XSS) vulnerability in editors/logindialogue.php ...) NOT-FOR-US: SBD Directory Software CVE-2010-1356 (Unspecified vulnerability on the TANDBERG Video Communication Server ( ...) NOT-FOR-US: TANDBERG Video Communication Server CVE-2010-1355 (Cross-site scripting (XSS) vulnerability on the TANDBERG Video Communi ...) NOT-FOR-US: TANDBERG Video Communication Server CVE-2009-4766 (YP Portal MS-Pro Surumu (aka MS-Pro Portal Scripti) 1.0 and 1.2 stores ...) NOT-FOR-US: MS-Pro Portal Scripti CVE-2009-4765 (CNR Hikaye Portal 2.0 stores sensitive information under the web root ...) NOT-FOR-US: CNR Hikaye Portal CVE-2010-1354 (Directory traversal vulnerability in the VJDEO (com_vjdeo) component 1 ...) NOT-FOR-US: Joomla! CVE-2010-1353 (Directory traversal vulnerability in the LoginBox Pro (com_loginbox) c ...) NOT-FOR-US: Joomla! CVE-2010-1352 (Directory traversal vulnerability in the JOOFORGE Jutebox (com_jukebox ...) NOT-FOR-US: Joomla! CVE-2010-1351 (Multiple PHP remote file inclusion vulnerabilities in Nodesforum 1.033 ...) NOT-FOR-US: Nodesforum CVE-2010-1350 (SQL injection vulnerability in the JP Jobs (com_jp_jobs) component 1.4 ...) NOT-FOR-US: Joomla! CVE-2010-1349 (Integer overflow in Opera 10.10 through 10.50 allows remote attackers ...) NOT-FOR-US: Opera CVE-2010-1348 (Unspecified vulnerability in the login process in IBM WebSphere Portal ...) NOT-FOR-US: IBM WebSphere CVE-2010-1347 (Director Agent 6.1 before 6.1.2.3 in IBM Systems Director on AIX and L ...) NOT-FOR-US: IBM AIX CVE-2010-1346 (SQL injection vulnerability in admin/login.php in Mini CMS RibaFS 1.0, ...) NOT-FOR-US: Mini CMS RibaFS CVE-2010-1345 (Directory traversal vulnerability in the Cookex Agency CKForms (com_ck ...) NOT-FOR-US: Joomla! CVE-2010-1344 (SQL injection vulnerability in the Cookex Agency CKForms (com_ckforms) ...) NOT-FOR-US: Joomla! CVE-2010-1343 (SQL injection vulnerability in photo.php in SiteX 0.7.4 beta allows re ...) NOT-FOR-US: SiteX CVE-2010-1342 (Multiple PHP remote file inclusion vulnerabilities in Direct News 4.10 ...) NOT-FOR-US: Direct News CVE-2010-1341 (SQL injection vulnerability in index.php in Systemsoftware Community B ...) NOT-FOR-US: Systemsoftware Community Black Forum CVE-2010-1340 (Directory traversal vulnerability in jresearch.php in the J!Research ( ...) NOT-FOR-US: Joomla! CVE-2010-1339 (Cross-site scripting (XSS) vulnerability in ts_other.php in the Teamsi ...) NOT-FOR-US: Teamsite Hack plugin CVE-2010-1338 (SQL injection vulnerability in ts_other.php in the Teamsite Hack plugi ...) NOT-FOR-US: Teamsite Hack plugin CVE-2010-1337 (Multiple PHP remote file inclusion vulnerabilities in definitions.php ...) NOT-FOR-US: Lussumo Vanilla CVE-2010-1336 (Multiple SQL injection vulnerabilities in INVOhost 3.4 allow remote at ...) NOT-FOR-US: INVOhost CVE-2010-1335 (Multiple PHP remote file inclusion vulnerabilities in Insky CMS 006-01 ...) NOT-FOR-US: Insky CMS CVE-2010-1334 (Unrestricted file upload vulnerability in Pulse CMS Basic 1.2.4 allows ...) NOT-FOR-US: Pulse CMS Basic CVE-2010-1333 (Multiple cross-site scripting (XSS) vulnerabilities in Almas Inc. Comp ...) NOT-FOR-US: Almas Inc. Compiere J300_A02 CVE-2010-1332 (Cross-site scripting (XSS) vulnerability in PrettyBook PrettyFormMail ...) NOT-FOR-US: PrettyBook PrettyFormMail CVE-2010-1331 (SQL injection vulnerability in Heartlogic HL-SiteManager allows remote ...) NOT-FOR-US: Heartlogic HL-SiteManager CVE-2010-1330 (The regular expression engine in JRuby before 1.4.1, when $KCODE is se ...) - jruby 1.5.0~rc1-1 CVE-2010-1329 (Imperva SecureSphere Web Application Firewall and Database Firewall 5. ...) NOT-FOR-US: Imperva SecureSphere Web Application Firewall and Database Firewall CVE-2010-1328 (Multiple cross-site scripting (XSS) vulnerabilities in TornadoStore 1. ...) NOT-FOR-US: TornadoStore CVE-2010-1327 (Multiple SQL injection vulnerabilities in TornadoStore 1.4.3 and earli ...) NOT-FOR-US: TornadoStore CVE-2010-1326 (perms.cpp in March Hare Software CVSNT 2.0.58, 2.5.01, 2.5.02, 2.5.03 ...) {DSA-2108-1} - cvsnt 2.5.04.3236-1.2 (medium; bug #593884) NOTE: http://march-hare.com/cvspro/vuln.htm CVE-2010-1325 (Cross-site request forgery (CSRF) vulnerability in the apache2-slms pa ...) NOT-FOR-US: SUSE Lifecycle Management Server CVE-2010-1324 (MIT Kerberos 5 (aka krb5) 1.7.x and 1.8.x through 1.8.3 does not prope ...) - krb5 1.8.3+dfsg-3 (bug #605553) [lenny] - krb5 (Only affects krb5 >= 1.7) CVE-2010-1323 (MIT Kerberos 5 (aka krb5) 1.3.x, 1.4.x, 1.5.x, 1.6.x, 1.7.x, and 1.8.x ...) {DSA-2129-1} - krb5 1.8.3+dfsg-3 (bug #605553) CVE-2010-1322 (The merge_authdata function in kdc_authdata.c in the Key Distribution ...) - krb5 1.8.3+dfsg-2 (bug #599237) [lenny] - krb5 (Only affects 1.8) [etch] - krb5 (Only affects 1.8) NOTE: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-006.txt CVE-2010-1321 (The kg_accept_krb5 function in krb5/accept_sec_context.c in the GSS-AP ...) {DSA-2052-1} - krb5 1.8.1+dfsg-3 (low; bug #582261) - heimdal 1.4.0~git20100605.dfsg.1-1 - sun-java6 6.22-1 [lenny] - sun-java6 6-22-0lenny CVE-2010-1320 (Double free vulnerability in do_tgs_req.c in the Key Distribution Cent ...) - krb5 1.8.1+dfsg-2 (bug #577490) [lenny] - krb5 (Only affects 1.7/1.8) NOTE: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-004.txt CVE-2010-1319 (Integer overflow in the AgentX::receive_agentx function in AgentX++ 1. ...) NOT-FOR-US: Real Helix Server CVE-2010-1318 (Stack-based buffer overflow in the AgentX::receive_agentx function in ...) NOT-FOR-US: Real Helix Server CVE-2010-1317 (Heap-based buffer overflow in the NTLM authentication functionality in ...) NOT-FOR-US: Real Helix Server CVE-2010-1316 (Multiple stack-based buffer overflows in Tembria Server Monitor before ...) NOT-FOR-US: Tembria Server Monitor CVE-2010-1315 (Directory traversal vulnerability in weberpcustomer.php in the webERPc ...) NOT-FOR-US: Joomla! CVE-2010-1314 (Directory traversal vulnerability in the Highslide JS (com_hsconfig) c ...) NOT-FOR-US: Joomla! CVE-2010-1313 (Directory traversal vulnerability in the Seber Cart (com_sebercart) co ...) NOT-FOR-US: Joomla! CVE-2010-1312 (Directory traversal vulnerability in the iJoomla News Portal (com_news ...) NOT-FOR-US: Joomla! CVE-2010-1311 (The qtm_decompress function in libclamav/mspack.c in ClamAV before 0.9 ...) - clamav 0.96+dfsg-2 (bug #577462; low) [lenny] - clamav (bug #577462; low) NOTE: Lenny version achieved end of life! see NOTE: http://www.clamav.net/lang/en/2009/10/05/eol-clamav-094/ CVE-2010-1310 (Opera 10.50 allows remote attackers to obtain sensitive information vi ...) NOT-FOR-US: Opera CVE-2010-1309 (Directory traversal vulnerability in Irmin CMS (formerly Pepsi CMS) 0. ...) NOT-FOR-US: Pepsi CMS CVE-2010-1308 (Directory traversal vulnerability in the SVMap (com_svmap) component 1 ...) NOT-FOR-US: Joomla! CVE-2010-1307 (Directory traversal vulnerability in the Magic Updater (com_joomlaupda ...) NOT-FOR-US: Joomla! CVE-2010-1306 (Directory traversal vulnerability in the Picasa (com_joomlapicasa2) co ...) NOT-FOR-US: Joomla! CVE-2010-1305 (Directory traversal vulnerability in jinventory.php in the JInventory ...) NOT-FOR-US: Joomla! CVE-2010-1304 (Directory traversal vulnerability in userstatus.php in the User Status ...) NOT-FOR-US: Joomla! CVE-2010-1303 (Multiple cross-site scripting (XSS) vulnerabilities in the Taxonomy Fi ...) NOT-FOR-US: Drupal module CVE-2010-1302 (Directory traversal vulnerability in dwgraphs.php in the DecryptWeb DW ...) NOT-FOR-US: Joomla! CVE-2010-1301 (SQL injection vulnerability in main.php in Centreon 2.1.5 allows remot ...) - centreon-web (bug #913903) CVE-2010-1300 (SQL injection vulnerability in index.php in Yamamah (aka Dove Photo Al ...) NOT-FOR-US: Yamamah CVE-2010-1299 (Multiple PHP remote file inclusion vulnerabilities in DynPG CMS 4.1.0, ...) NOT-FOR-US: DynPG CMS CVE-2008-7254 (Directory traversal vulnerability in includes/template-loader.php in I ...) NOT-FOR-US: Pepsi CMS CVE-2010-1298 (Directory traversal vulnerability in view.php in Pulse CMS 1.2.2 allow ...) NOT-FOR-US: Pulse CMS CVE-2010-1297 (Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64; Adobe ...) NOT-FOR-US: Adobe Flash Player CVE-2010-1296 (Multiple buffer overflows in Adobe Photoshop CS4 before 11.0.2 allow u ...) NOT-FOR-US: Adobe Photoshop CS4 CVE-2010-1295 (Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Win ...) NOT-FOR-US: Adobe Reader CVE-2010-1294 (Unspecified vulnerability in Adobe ColdFusion 8.0, 8.0.1, and 9.0 allo ...) NOT-FOR-US: Adobe ColdFusion CVE-2010-1293 (Cross-site scripting (XSS) vulnerability in the Administrator page in ...) NOT-FOR-US: Adobe ColdFusion CVE-2010-1292 (The implementation of pami RIFF chunk parsing in Adobe Shockwave Playe ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-1291 (Adobe Shockwave Player before 11.5.7.609 allows attackers to cause a d ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-1290 (Adobe Shockwave Player before 11.5.7.609 allows attackers to cause a d ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-1289 (Adobe Shockwave Player before 11.5.7.609 allows attackers to cause a d ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-1288 (Buffer overflow in Adobe Shockwave Player before 11.5.7.609 might allo ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-1287 (Adobe Shockwave Player before 11.5.7.609 allows attackers to cause a d ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-1286 (Adobe Shockwave Player before 11.5.7.609 allows attackers to cause a d ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-1285 (Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Win ...) NOT-FOR-US: Adobe Reader CVE-2010-1284 (Adobe Shockwave Player before 11.5.7.609 allows attackers to cause a d ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-1283 (Adobe Shockwave Player before 11.5.7.609 does not properly parse 3D ob ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-1282 (Adobe Shockwave Player before 11.5.7.609 allows remote attackers to ca ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-1281 (iml32.dll in Adobe Shockwave Player before 11.5.7.609 does not validat ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-1280 (Adobe Shockwave Player before 11.5.7.609 allows remote attackers to ex ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-1279 (Multiple unspecified vulnerabilities in Adobe Photoshop CS4 11.x befor ...) NOT-FOR-US: Adobe Photoshop CVE-2010-1278 (Buffer overflow in the Atlcom.get_atlcom ActiveX control in gp.ocx in ...) NOT-FOR-US: Adobe Download Manager CVE-2010-1277 (SQL injection vulnerability in the user.authenticate method in the API ...) - zabbix 1:1.8.2-1 (bug #577058) [lenny] - zabbix (vulnerable code not present) [etch] - zabbix (vulnerable code not present) NOTE: This is a bug that was introduced with the Zabbix 1.8 API CVE-2010-1276 (Multiple cross-site scripting (XSS) vulnerabilities in BBSXP 2008 SP2 ...) NOT-FOR-US: BBSXP CVE-2010-1275 (Cross-site scripting (XSS) vulnerability in ShowPost.asp in BBSXP 2008 ...) NOT-FOR-US: BBSXP CVE-2010-1274 (Cross-site scripting (XSS) vulnerability in Emweb Wt before 3.1.1 allo ...) NOT-FOR-US: Emweb Wt CVE-2010-1273 (Emweb Wt before 3.1.1 does not validate the UTF-8 encoding of (1) form ...) NOT-FOR-US: Emweb Wt CVE-2010-1272 (PHP remote file inclusion vulnerability in includes/tgpinc.php in Gnat ...) NOT-FOR-US: Gnat-TGP CVE-2010-1271 (SQL injection vulnerability in showplugs.php in smartplugs 1.3 allows ...) NOT-FOR-US: smartplugs CVE-2010-1270 (SQL injection vulnerability in auktion.php in Multi Auktions Komplett ...) NOT-FOR-US: Multi Auktions Komplett System CVE-2010-1269 (SQL injection vulnerability in auktion.php in phpscripte24 Niedrig Geb ...) NOT-FOR-US: Gebote Pro Auktions System CVE-2010-1268 (Directory traversal vulnerability in index.php in justVisual CMS 2.0, ...) NOT-FOR-US: justVisual CMS CVE-2010-1267 (Multiple directory traversal vulnerabilities in WebMaid CMS 0.2-6 Beta ...) NOT-FOR-US: WebMaid CMS CVE-2010-1266 (Multiple PHP remote file inclusion vulnerabilities in WebMaid CMS 0.2- ...) NOT-FOR-US: WebMaid CMS CVE-2010-1265 (SQL injection vulnerability in Adam Corley dcsFlashGames (com_dcs_flas ...) NOT-FOR-US: dcsFlashGames CVE-2010-1264 (Unspecified vulnerability in Microsoft Windows SharePoint Services 3.0 ...) NOT-FOR-US: Microsoft CVE-2010-1263 (Windows Shell and WordPad in Microsoft Windows XP SP2 and SP3, Windows ...) NOT-FOR-US: Microsoft CVE-2010-1262 (Microsoft Internet Explorer 6 SP1 and SP2, 7, and 8 allows remote atta ...) NOT-FOR-US: Microsoft CVE-2010-1261 (The IE8 Developer Toolbar in Microsoft Internet Explorer 8 SP1, SP2, a ...) NOT-FOR-US: Microsoft CVE-2010-1260 (The IE8 Developer Toolbar in Microsoft Internet Explorer 8 SP1, SP2, a ...) NOT-FOR-US: Microsoft CVE-2010-1259 (Microsoft Internet Explorer 6 SP1 and SP2, 7, and 8 allows remote atta ...) NOT-FOR-US: Microsoft CVE-2010-1258 (Microsoft Internet Explorer 6, 7, and 8 does not properly determine th ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-1257 (Cross-site scripting (XSS) vulnerability in the toStaticHTML API, as u ...) NOT-FOR-US: Microsoft CVE-2010-1256 (Unspecified vulnerability in Microsoft IIS 6.0, 7.0, and 7.5, when Ext ...) NOT-FOR-US: Microsoft CVE-2010-1255 (The Windows kernel-mode drivers in win32k.sys in Microsoft Windows 200 ...) NOT-FOR-US: Microsoft CVE-2010-1254 (The installation for Microsoft Open XML File Format Converter for Mac ...) NOT-FOR-US: Microsoft CVE-2010-1253 (Microsoft Office Excel 2002 SP3, 2007 SP1, and SP2; Office 2004 for ma ...) NOT-FOR-US: Microsoft CVE-2010-1252 (Unspecified vulnerability in Microsoft Office Excel 2002 SP3 and Offic ...) NOT-FOR-US: Microsoft CVE-2010-1251 (Unspecified vulnerability in Microsoft Office Excel 2002 SP3 and Offic ...) NOT-FOR-US: Microsoft CVE-2010-1250 (Heap-based buffer overflow in Microsoft Office Excel 2002 SP3, Office ...) NOT-FOR-US: Microsoft CVE-2010-1249 (Buffer overflow in Microsoft Office Excel 2002 SP3, Office 2004 for Ma ...) NOT-FOR-US: Microsoft CVE-2010-1248 (Buffer overflow in Microsoft Office Excel 2002 SP3 and Office 2004 for ...) NOT-FOR-US: Microsoft CVE-2010-1247 (Unspecified vulnerability in Microsoft Office Excel 2002 SP3 allows re ...) NOT-FOR-US: Microsoft CVE-2010-1246 (Stack-based buffer overflow in Microsoft Office Excel 2002 SP3 allows ...) NOT-FOR-US: Microsoft CVE-2010-1245 (Unspecified vulnerability in Microsoft Office Excel 2002 SP3, Office 2 ...) NOT-FOR-US: Microsoft CVE-2010-XXXX [tcpdf code execution via tcpdf tag] - moodle (Vulnerable code not present) - phpmyadmin (Vulnerable code not present) - tcpdf 6.0.010+dfsg-1 NOTE: http://sourceforge.net/projects/tcpdf/files/CHANGELOG.TXT/view NOTE: http://seclists.org/fulldisclosure/2010/Apr/104 NOTE: setting K_TCPDF_CALLS_IN_HTML to false mitigates the problem CVE-2010-XXXX [xmail insecure temp files handling] - xmail 1.27-1 (low) [lenny] - xmail (Minor issue) NOTE: http://www.xmailserver.org/ChangeLog.html#feb_25__2010_v_1_27 CVE-2010-1159 (Multiple heap-based buffer overflows in Aircrack-ng before 1.1 allow r ...) - aircrack-ng 1:1.1-1 (low; bug #577758) [lenny] - aircrack-ng (low) [etch] - aircrack-ng (low) NOTE: http://pyrit.googlecode.com/svn/tags/opt/aircrackng_exploit.py CVE-2010-1244 (Cross-site request forgery (CSRF) vulnerability in createDestination.a ...) NOT-FOR-US: Apache ActiveMQ CVE-2010-1243 (The IBM Web Interface for Content Management (aka WEBi) before 1.0.4 c ...) NOT-FOR-US: IBM Web Interface for Content Management CVE-2010-1242 (Multiple cross-site scripting (XSS) vulnerabilities in the IBM Web Int ...) NOT-FOR-US: IBM Web Interface for Content Management CVE-2010-1241 (Heap-based buffer overflow in the custom heap management system in Ado ...) NOT-FOR-US: Acrobat Reader CVE-2010-1240 (Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Win ...) NOT-FOR-US: Adobe Reader CVE-2010-1239 (Foxit Reader before 3.2.1.0401 allows remote attackers to (1) execute ...) NOT-FOR-US: Foxit Reader CVE-2010-1238 (MoinMoin 1.7.1 allows remote attackers to bypass the textcha protectio ...) - moin 1.9.2-3 (bug #575995; medium) [lenny] - moin 1.7.1-3+lenny4 (bug #575995; medium) NOTE: see http://www.debian.org/security/2010/dsa-2024 CVE-2009-4764 (Adobe Reader 8.x and 9.x on Windows is able to execute EXE files that ...) NOT-FOR-US: Adobe Reader CVE-2007-6735 (NWFTPD.nlm before 5.08.06 in the FTP server in Novell NetWare does not ...) NOT-FOR-US: Novell NetWare CVE-2007-6734 (NWFTPD.nlm before 5.08.07 in the FTP server in Novell NetWare 6.5 SP7 ...) NOT-FOR-US: Novell NetWare CVE-2005-4888 (NWFTPD.nlm before 5.06.04 in the FTP server in Novell NetWare allows r ...) NOT-FOR-US: Novell NetWare CVE-2005-4887 (NWFTPD.nlm before 5.06.05 in the FTP server in Novell NetWare 6.5 SP5 ...) NOT-FOR-US: Novell NetWare CVE-2004-2767 (NWFTPD.nlm before 5.04.25 in the FTP server in Novell NetWare does not ...) NOT-FOR-US: Novell NetWare CVE-2003-1596 (NWFTPD.nlm before 5.03.12 in the FTP server in Novell NetWare does not ...) NOT-FOR-US: Novell NetWare CVE-2003-1595 (NWFTPD.nlm before 5.04.05 in the FTP server in Novell NetWare 6.5 does ...) NOT-FOR-US: Novell NetWare CVE-2003-1594 (NWFTPD.nlm before 5.04.05 in the FTP server in Novell NetWare 6.5 does ...) NOT-FOR-US: Novell NetWare CVE-2003-1593 (NWFTPD.nlm in the FTP server in Novell NetWare 6.0 before SP4 and 6.5 ...) NOT-FOR-US: Novell NetWare CVE-2003-1592 (Multiple buffer overflows in NWFTPD.nlm in the FTP server in Novell Ne ...) NOT-FOR-US: Novell NetWare CVE-2003-1591 (NWFTPD.nlm in the FTP server in Novell NetWare 6.0 before SP4 and 6.5 ...) NOT-FOR-US: Novell NetWare CVE-2002-2434 (NWFTPD.nlm before 5.02i in the FTP server in Novell NetWare does not p ...) NOT-FOR-US: Novell NetWare CVE-2002-2433 (NWFTPD.nlm before 5.03b in the FTP server in Novell NetWare allows rem ...) NOT-FOR-US: Novell NetWare CVE-2002-2432 (Unspecified vulnerability in NWFTPD.nlm before 5.03b in the FTP server ...) NOT-FOR-US: Novell NetWare CVE-2001-1587 (NWFTPD.nlm before 5.01w in the FTP server in Novell NetWare allows rem ...) NOT-FOR-US: Novell NetWare CVE-2000-1246 (NWFTPD.nlm before 5.01o in the FTP server in Novell NetWare 5.1 SP3 al ...) NOT-FOR-US: Novell NetWare CVE-2000-1245 (Multiple unspecified vulnerabilities in NWFTPD.nlm before 5.01o in the ...) NOT-FOR-US: Novell NetWare CVE-2010-1237 (Google Chrome 4.1 BETA before 4.1.249.1036 allows remote attackers to ...) - webkit 1.1.90-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.29~r46008-1 NOTE: http://trac.webkit.org/changeset/55511 NOTE: evidence of memory corruption http://code.google.com/p/chromium/issues/detail?id=37061 CVE-2010-1236 (The protocolIs function in platform/KURLGoogle.cpp in WebCore in WebKi ...) - webkit (bug #577457; proof-of-concepts are not effective against webkit) - chromium-browser 5.0.375.29~r46008-1 NOTE: http://trac.webkit.org/changeset/55822 CVE-2010-1235 (Unspecified vulnerability in Google Chrome before 4.1.249.1036 allows ...) - chromium-browser 5.0.375.29~r46008-1 NOTE: issue in chrome-specific download dialog CVE-2010-1234 (Unspecified vulnerability in Google Chrome before 4.1.249.1036 allows ...) - chromium-browser 5.0.375.29~r46008-1 - webkit (chrome-specific issue) CVE-2010-1233 (Multiple integer overflows in Google Chrome before 4.1.249.1036 allow ...) - webkit (v8 and webgl not yet included) - chromium-browser 5.0.375.29~r46008-1 NOTE: http://trac.webkit.org/changeset/55376 CVE-2010-1232 (Google Chrome before 4.1.249.1036 allows remote attackers to cause a d ...) - webkit 1.1.90-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.29~r46008-1 NOTE: http://code.google.com/p/chromium/issues/detail?id=34978 CVE-2010-1231 (Google Chrome before 4.1.249.1036 processes HTTP headers before invoki ...) - webkit (does not yet have a "safe browsing" feature; i.e. chromium-specific issue) - chromium-browser 5.0.375.29~r46008-1 CVE-2010-1230 (Google Chrome before 4.1.249.1036 does not have the expected behavior ...) - chromium-browser 5.0.375.29~r46008-1 - webkit (chrome-specific issue) CVE-2010-1229 (The sandbox infrastructure in Google Chrome before 4.1.249.1036 does n ...) - chromium-browser 5.0.375.29~r46008-1 - webkit (chrome-specific issue) CVE-2010-1228 (Multiple race conditions in the sandbox infrastructure in Google Chrom ...) - chromium-browser 5.0.375.29~r46008-1 - webkit (chrome-specific issue) CVE-2010-1227 (Cross-site scripting (XSS) vulnerability in Sun Java System Communicat ...) NOT-FOR-US: Sun Java System Communication Express CVE-2010-1226 (The HTTP client functionality in Apple iPhone OS 3.1 on the iPhone 2G ...) NOT-FOR-US: Apple iPhone CVE-2010-1225 (The memory-management implementation in the Virtual Machine Monitor (a ...) NOT-FOR-US: Microsoft Virtual PC CVE-2010-1224 (main/acl.c in Asterisk Open Source 1.6.0.x before 1.6.0.25, 1.6.1.x be ...) - asterisk 1:1.6.2.6-1 (low; bug #576560) [lenny] - asterisk (Vulnerable code not present) CVE-2010-1223 (Multiple buffer overflows in CA XOsoft r12.0 and r12.5 allow remote at ...) NOT-FOR-US: CA XOsoft CVE-2010-1222 (CA XOsoft r12.5 does not properly perform authentication, which allows ...) NOT-FOR-US: CA XOsoft CVE-2010-1221 (CA XOsoft r12.0 and r12.5 does not properly perform authentication, wh ...) NOT-FOR-US: CA XOsoft CVE-2010-1220 RESERVED CVE-2010-XXXX [interchange potential HTTP response splitting vulnerability] - interchange 5.7.6-1 CVE-2010-1219 (Directory traversal vulnerability in the JA News (com_janews) componen ...) NOT-FOR-US: com_janews component for Joomla! CVE-2010-1218 (Cross-site scripting (XSS) vulnerability in the mm_forum extension 1.8 ...) NOT-FOR-US: mm_forum extension for TYPO3 CVE-2010-1217 (Directory traversal vulnerability in the JE Form Creator (com_jeformcr ...) NOT-FOR-US: com_jeformcr component for Joomla! CVE-2010-1216 (PHP remote file inclusion vulnerability in templates/template.php in n ...) NOT-FOR-US: notsoPureEdit CVE-2010-1215 (Mozilla Firefox 3.6.x before 3.6.7 and Thunderbird 3.1.x before 3.1.1 ...) - xulrunner (Only affects Firefox 3.6.x and above) - iceweasel (Only affects Firefox 3.6.x and above) CVE-2010-1214 (Integer overflow in Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x befo ...) {DSA-2075-1} - xulrunner 1.9.1.11-1 - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0.6-1 [lenny] - iceape (Only a stub package) CVE-2010-1213 (The importScripts Web Worker method in Mozilla Firefox 3.5.x before 3. ...) - xulrunner 1.9.1.11-1 [lenny] - xulrunner (Only affects 1.9.1 and above) - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0.6-1 [lenny] - icedove [lenny] - iceape (Only a stub package) - icedove 3.0.6-1 CVE-2010-1212 (js/src/jstracer.cpp in the browser engine in Mozilla Firefox 3.6.x bef ...) - xulrunner (Only affects Firefox 3.6.x and above) - iceweasel (Only affects Firefox 3.6.x and above) - icedove 3.0.6-1 [lenny] - icedove CVE-2010-1211 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2075-1} - xulrunner 1.9.1.11-1 - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0.6-1 [lenny] - icedove - icedove 3.0.6-1 [lenny] - iceape (Only a stub package) CVE-2010-1210 (intl/uconv/util/nsUnicodeDecodeHelper.cpp in Mozilla Firefox before 3. ...) - xulrunner (Only affects 1.9.2 and above) - iceweasel (Only affects 1.9.2 and above) CVE-2010-1209 (Use-after-free vulnerability in the NodeIterator implementation in Moz ...) - xulrunner 1.9.1.11-1 [lenny] - xulrunner (Only affects 1.9.1 and above) - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0.6-1 [lenny] - iceape (Only a stub package) CVE-2010-1208 (Use-after-free vulnerability in the attribute-cloning functionality in ...) {DSA-2075-1} - xulrunner 1.9.1.11-1 - iceape 2.0.6-1 [lenny] - iceape (Only a stub package) CVE-2010-1207 (Mozilla Firefox before 3.6.7 and Thunderbird before 3.1.1 do not prope ...) - xulrunner (Only affects 1.9.2 and above) - iceweasel (Only affects 1.9.2 and above) CVE-2010-1206 (The startDocumentLoad function in browser/base/content/browser.js in M ...) - iceweasel 3.5.11-1 [lenny] - iceweasel (Vulnerable code not present) NOTE: Introduced by https://bugzilla.mozilla.org/show_bug.cgi?id=254714 CVE-2010-1205 (Buffer overflow in pngpread.c in libpng before 1.2.44 and 1.4.x before ...) {DSA-2075-1 DSA-2072-1} - libpng 1.2.44-1 (bug #587670) - icedove 3.0.6-1 [lenny] - icedove - tuxonice-userui 1.0-1 (unimportant) NOTE: tuxonice-userui 1.0-1 was binNMUed CVE-2010-1204 (Search.pm in Bugzilla 2.17.1 through 3.2.6, 3.3.1 through 3.4.6, 3.5.1 ...) - bugzilla 3.4.7.0-1 (low; bug #587663) [lenny] - bugzilla (Minor issue) CVE-2010-1203 (The JavaScript engine in Mozilla Firefox 3.6.x before 3.6.4 allow remo ...) - xulrunner (Only affects Firefox 3.6, i.e xulrunner 1.9.2) - iceweasel (Only affects Firefox 3.6, i.e xulrunner 1.9.2) CVE-2010-1202 (Multiple unspecified vulnerabilities in the JavaScript engine in Mozil ...) {DSA-2064-1} - xulrunner 1.9.1.10-1 - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0.5-1 [lenny] - iceape (Only a stub package) CVE-2010-1201 (Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5 ...) {DSA-2064-1} - xulrunner 1.9.1.10-1 - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0.5-1 [lenny] - iceape (Only a stub package) CVE-2010-1200 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2064-1} - xulrunner 1.9.1.10-1 - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0.5-1 [lenny] - iceape (Only a stub package) CVE-2010-1199 (Integer overflow in the XSLT node sorting implementation in Mozilla Fi ...) {DSA-2064-1} - xulrunner 1.9.1.10-1 - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0.5-1 [lenny] - icedove - icedove 3.0.5-1 [lenny] - iceape (Only a stub package) CVE-2010-1198 (Use-after-free vulnerability in Mozilla Firefox 3.5.x before 3.5.10 an ...) {DSA-2064-1} - xulrunner 1.9.1.10-1 - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0.5-1 [lenny] - iceape (Only a stub package) CVE-2010-1197 (Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, and SeaMon ...) {DSA-2064-1} - xulrunner 1.9.1.10-1 - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0.5-1 [lenny] - iceape (Only a stub package) CVE-2010-1196 (Integer overflow in the nsGenericDOMDataNode::SetTextInternal function ...) {DSA-2064-1} - xulrunner 1.9.1.10-1 - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) [lenny] - icedove - iceape 2.0.5-1 - icedove 3.0.5-1 [lenny] - iceape (Only a stub package) CVE-2010-1194 (The match_component function in smtp-tls.c in libESMTP 1.0.3.r1, and p ...) - libesmtp 1.0.4-2 (bug #311191) CVE-2010-1191 (Sahana disaster management system 0.6.2.2, and possibly other versions ...) - sahana (bug #497414) CVE-2010-1186 (Cross-site scripting (XSS) vulnerability in xml/media-rss.php in the N ...) NOT-FOR-US: NextGEN Gallery plugin for WordPress CVE-2009-4763 (Unspecified vulnerability in the ClickHeat plugin, as used in phpMyVis ...) NOT-FOR-US: ClickHeat plugin CVE-2010-1188 (Use-after-free vulnerability in net/ipv4/tcp_input.c in the Linux kern ...) - linux-2.6 2.6.20-1 CVE-2010-1187 (The Transparent Inter-Process Communication (TIPC) functionality in Li ...) {DSA-2053-1} - linux-2.6 2.6.32-12 CVE-2010-1185 (Stack-based buffer overflow in serv.exe in SAP MaxDB 7.4.3.32, and 7.6 ...) NOT-FOR-US: SAP MaxDB CVE-2010-1184 (The Microsoft wireless keyboard uses XOR encryption with a key derived ...) NOT-FOR-US: Microsoft Wireless Keyboard CVE-2010-1183 (Certain patch-installation scripts in Oracle Solaris allow local users ...) NOT-FOR-US: Oracle Solaris CVE-2010-1182 (Multiple unspecified vulnerabilities in the administrative console in ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2010-1181 (Safari on Apple iPhone OS 3.1.3 for iPod touch allows remote attackers ...) NOTE: proof of concept maximum impact against webkit is dos-only CVE-2010-1180 (Safari on Apple iPhone OS 3.1.3 for iPod touch allows remote attackers ...) NOTE: proof of concept maximum impact against webkit is dos-only CVE-2010-1179 (Safari on Apple iPhone OS 3.1.3 for iPod touch allows remote attackers ...) - webkit CVE-2010-1178 (Safari on Apple iPhone OS 3.1.3 for iPod touch allows remote attackers ...) - webkit CVE-2010-1177 (Safari on Apple iPhone OS 3.1.3 for iPod touch allows remote attackers ...) - webkit CVE-2010-1176 (Safari on Apple iPhone OS 3.1.3 for iPod touch allows remote attackers ...) - webkit CVE-2010-1175 (Microsoft Internet Explorer 7.0 on Windows XP and Windows Server 2003 ...) NOT-FOR-US: Microsoft Internet Explorer 7.0 CVE-2010-1174 (Cisco TFTP Server 1.1 allows remote attackers to cause a denial of ser ...) NOT-FOR-US: Cisco TFTP Server CVE-2010-1173 (The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the ...) {DSA-2053-1} - linux-2.6 2.6.32-12 CVE-2010-1172 (DBus-GLib 0.73 disregards the access flag of exported GObject properti ...) - dbus-glib 0.88-1 (low; bug #592753) [lenny] - dbus-glib (Minor issue) CVE-2010-1171 (Red Hat Network (RHN) Satellite 5.3 and 5.4 exposes a dangerous, obsol ...) NOT-FOR-US: Red Hat Network Satellite Server CVE-2010-1170 (The PL/Tcl implementation in PostgreSQL 7.4 before 7.4.29, 8.0 before ...) {DSA-2051-1} - postgresql-8.4 8.4.4-1 (low) - postgresql-8.3 CVE-2010-1169 (PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8. ...) {DSA-2051-1} - postgresql-8.4 8.4.4-1 (low) - postgresql-8.3 CVE-2010-1168 (The Safe (aka Safe.pm) module before 2.25 for Perl allows context-depe ...) - perl 5.10.1-13 (bug #582978) [lenny] - perl 5.10.0-19lenny3 CVE-2010-1166 (The fbComposite function in fbpict.c in the Render extension in the X ...) - xorg-server (Xorg in Lenny onwards uses Pixman, which isn't affected) NOTE: https://rhn.redhat.com/errata/RHSA-2010-0382.html CVE-2010-1165 (Atlassian JIRA 3.12 through 4.1 allows remote authenticated administra ...) NOT-FOR-US: Atlassian JIRA CVE-2010-1164 (Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA ...) NOT-FOR-US: Atlassian JIRA CVE-2010-1163 (The command matching functionality in sudo 1.6.8 through 1.7.2p5 does ...) - sudo 1.7.2p6-1 (bug #578275) [lenny] - sudo (ignore_dot default value is off and can't be changed in runtime) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=580441#c3 CVE-2010-1162 (The release_one_tty function in drivers/char/tty_io.c in the Linux ker ...) {DSA-2053-1} - linux-2.6 2.6.32-12 CVE-2010-1161 (Race condition in GNU nano before 2.2.4, when run by root to edit a fi ...) - nano 2.2.4-1 (low; bug #577817) [lenny] - nano 2.0.7-5 CVE-2010-1160 (GNU nano before 2.2.4 does not verify whether a file has been changed ...) - nano 2.2.4-1 (low; bug #577817) [lenny] - nano 2.0.7-5 CVE-2010-1158 (Integer overflow in the regular expression engine in Perl 5.8.x allows ...) - perl (re engine rewritten for 5.10 to address issues such as this; and proof-of-concept not effective) CVE-2010-1157 (Apache Tomcat 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 might allo ...) {DSA-2207-1} - tomcat6 6.0.26-5 (bug #587447; unimportant) - tomcat5.5 (unimportant) NOTE: Negligible information disclosure CVE-2010-1156 (core/nicklist.c in Irssi before 0.8.15 allows remote attackers to caus ...) - irssi 0.8.15-1 (low) [lenny] - irssi (Minor issue) CVE-2010-1155 (Irssi before 0.8.15, when SSL is used, does not verify that the server ...) - irssi 0.8.15-1 (low) [lenny] - irssi (Minor issue) CVE-2010-1154 REJECTED CVE-2010-1153 (PHP remote file inclusion vulnerability in the autoloader in TYPO3 4.3 ...) - typo3-src 4.3.3-1 (bug #577993) [lenny] - typo3-src (Only affects 4.3.x) CVE-2010-1152 (memcached.c in memcached before 1.4.3 allows remote attackers to cause ...) - memcached 1.4.5-1 (low; bug #579913) [lenny] - memcached (Minor issue) CVE-2010-1151 (Race condition in the mod_auth_shadow module for the Apache HTTP Serve ...) - libapache2-mod-auth-shadow (bug #503184) CVE-2010-1150 (MediaWiki before 1.15.3, and 1.6.x before 1.16.0beta2, does not proper ...) {DSA-2041-1} - mediawiki 1:1.15.3-1 (low) CVE-2010-1149 (probers/udisks-dm-export.c in udisks before 1.0.1 exports UDISKS_DM_TA ...) - udisks 1.0.1-1 (medium; bug #576687) CVE-2010-1148 (The cifs_create function in fs/cifs/dir.c in the Linux kernel 2.6.33.2 ...) - linux-2.6 2.6.32-12 [lenny] - linux-2.6 (vulnerable code not yet present) CVE-2010-1147 (Stack-based buffer overflow in Open Direct Connect Hub (aka Open DC Hu ...) - opendchub 0.8.2-1 (bug #576308) [lenny] - opendchub (Vulnerable code not present) CVE-2010-1146 (The Linux kernel 2.6.33.2 and earlier, when a ReiserFS filesystem exis ...) - linux-2.6 2.6.32-12 [lenny] - linux-2.6 (vulnerability introduced in 2.6.30) CVE-2010-1145 REJECTED CVE-2010-0751 (The ip_evictor function in ip_fragment.c in libnids 1.24, as used in d ...) - libnids 1.23-1.2 (low; bug #576281) [lenny] - libnids (Minor issue) NOTE: dsniff is the only software in Debian using this lib so the impact is pretty minor CVE-2010-1143 (Cross-site scripting (XSS) vulnerability in VMware View (formerly Virt ...) NOT-FOR-US: VMware CVE-2010-1142 (VMware Tools in VMware Workstation 6.5.x before 6.5.4 build 246459; VM ...) NOT-FOR-US: VMware products CVE-2010-1141 (VMware Tools in VMware Workstation 6.5.x before 6.5.4 build 246459; VM ...) NOT-FOR-US: VMware products CVE-2010-1140 (The USB service in VMware Workstation 7.0 before 7.0.1 build 227600 an ...) NOT-FOR-US: VMware products CVE-2010-1139 (Format string vulnerability in vmrun in VMware VIX API 1.6.x, VMware W ...) NOT-FOR-US: VMware products CVE-2010-1138 (The virtual networking stack in VMware Workstation 7.0 before 7.0.1 bu ...) NOT-FOR-US: VMware products CVE-2010-1137 (Cross-site scripting (XSS) vulnerability in WebAccess in VMware Virtua ...) NOT-FOR-US: VMware Server CVE-2009-4762 (MoinMoin 1.7.x before 1.7.3 and 1.8.x before 1.8.3 checks parent ACLs ...) - moin 1.9.2-1 (bug #569975; medium) [lenny] - moin 1.7.1-3+lenny3 (bug #569975; medium) NOTE: see http://www.debian.org/security/2010/dsa-2014 CVE-2009-4761 (Stack-based buffer overflow in Mini-stream RM Downloader allows remote ...) NOT-FOR-US: Mini-stream RM Downloader CVE-2009-4760 (Winn ASP Guestbook 1.01 Beta stores sensitive information under the we ...) NOT-FOR-US: Winn ASP Guestbook CVE-2009-4759 (Buffer overflow in BrotherSoft BMXPlay 0.4.4b allows remote attackers ...) NOT-FOR-US: BrotherSoft BMXPlay CVE-2009-4758 (Stack-based buffer overflow in dicas Mpegable Player 2.12 allows remot ...) NOT-FOR-US: Mpegable Player CVE-2009-4757 (Stack-based buffer overflow in BrotherSoft EW-MusicPlayer 0.8 allows r ...) NOT-FOR-US: BrotherSoft EW-MusicPlayer CVE-2009-4756 (Stack-based buffer overflow in TraktorBeatport.exe 1.0.0.283 in Beatpo ...) NOT-FOR-US: Beatport Player CVE-2009-4755 (Multiple stack-based buffer overflows in Mercury Audio Player 1.21 all ...) NOT-FOR-US: Mercury Audio Player CVE-2009-4754 (Stack-based buffer overflow in Mercury Audio Player 1.21 allows remote ...) NOT-FOR-US: Mercury Audio Player CVE-2009-4753 (Multiple buffer overflows in the FTP server on the Addonics NAS Adapte ...) NOT-FOR-US: Addonics NAS Adapter NASU2FW41 CVE-2010-1136 (The Standard Remember method in TikiWiki CMS/Groupware 3.x before 3.5 ...) - tikiwiki CVE-2010-1135 (The user_logout function in TikiWiki CMS/Groupware 4.x before 4.2 does ...) - tikiwiki CVE-2010-1134 (SQL injection vulnerability in the _find function in searchlib.php in ...) - tikiwiki CVE-2010-1133 (Multiple SQL injection vulnerabilities in TikiWiki CMS/Groupware 4.x b ...) - tikiwiki CVE-2010-1131 (JavaScriptCore.dll, as used in Apple Safari 4.0.5 on Windows XP SP3, a ...) NOTE: browser crashes are not considered security-relevant CVE-2010-1130 (session.c in the session extension in PHP before 5.2.13, and 5.3.1, do ...) - php5 5.3.2-1 (unimportant) NOTE: open_basedir not supported CVE-2010-1129 (The safe_mode implementation in PHP before 5.2.13 does not properly ha ...) - php5 5.3.2-1 (unimportant) NOTE: safe_mode not supported CVE-2010-1128 (The Linear Congruential Generator (LCG) in PHP before 5.2.13 does not ...) {DSA-2195-1} - php5 5.3.2-1 (low) CVE-2010-1127 (Microsoft Internet Explorer 6 and 7 does not initialize certain data s ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-1126 (The JavaScript implementation in WebKit allows remote attackers to sen ...) - webkit (proof-of-concept not effective; windows-only?) CVE-2010-1125 (The JavaScript implementation in Mozilla Firefox 3.x before 3.5.10 and ...) - xulrunner (Only affects Firefox 3.6, i.e xulrunner 1.9.2) NOTE: Description is wrong, only affects Firefox 3.6 per https://bugzilla.mozilla.org/show_bug.cgi?id=552255 CVE-2010-1124 (bos.rte.libc 5.3.9.4 on IBM AIX 5.3 does not properly support reading ...) NOT-FOR-US: IBM AIX CVE-2010-1123 (Chip Salzenberg Deliver does not properly associate a lockfile with th ...) - deliver CVE-2009-4752 (PHP remote file inclusion vulnerability in anzeiger/start.php in Swing ...) NOT-FOR-US: Swinger Club Portal CVE-2009-4751 (SQL injection vulnerability in anzeiger/start.php in Swinger Club Port ...) NOT-FOR-US: Swinger Club Portal CVE-2009-4750 (PHP remote file inclusion vulnerability in home.php in Top Paidmailer ...) NOT-FOR-US: Top Paidmailer CVE-2009-4749 (Multiple SQL injection vulnerabilities in PHP Live! 3.2.1 and 3.2.2 al ...) NOT-FOR-US: PHP Live! CVE-2009-4748 (SQL injection vulnerability in mycategoryorder.php in the My Category ...) NOT-FOR-US: My Category Order plugin for wordpress CVE-2009-4747 (PHP remote file inclusion vulnerability in public/code/cp_html2xhtmlba ...) NOT-FOR-US: All In One Control Panel (AIOCP) CVE-2009-4746 (Cross-site scripting (XSS) vulnerability in index.php in Dreamlevels D ...) NOT-FOR-US: Dreamlevels DreamPoll CVE-2009-4745 (Multiple SQL injection vulnerabilities in index.php in Dreamlevels Dre ...) NOT-FOR-US: Dreamlevels DreamPoll CVE-2009-4744 (Cross-site scripting (XSS) vulnerability in the Contact module in Expo ...) NOT-FOR-US: Exponent CMS CVE-2009-4743 (Multiple cross-site scripting (XSS) vulnerabilities in history-storage ...) NOT-FOR-US: AfterLogic WebMail CVE-2009-4742 (Multiple SQL injection vulnerabilities in Docebo 3.6.0.3 allow remote ...) NOT-FOR-US: Docebo CVE-2009-4741 (Unspecified vulnerability in the Extras Manager before 2.0.0.67 in Sky ...) NOT-FOR-US: Skype CVE-2009-4740 (Directory traversal vulnerability in the Webesse E-Card (ws_ecard) ext ...) NOT-FOR-US: ws_ecard extension for typo3 CVE-2009-4739 (PHP remote file inclusion vulnerability in index.php in SkaDate Dating ...) NOT-FOR-US: SkaDate Dating CVE-2010-2445 (freeciv 2.2 before 2.2.1 and 2.3 before 2.3.0 allows attackers to read ...) - freeciv 2.2.1-1 (low; bug #584589) [lenny] - freeciv (Minor issue) NOTE: http://gna.org/bugs/?15624 CVE-2010-2446 (Rbot Reaction plugin allows command execution ...) - rbot 0.9.14-2 (bug #575286) [lenny] - rbot ("reaction" plugin not present in 0.9.10) [etch] - rbot ("reaction" plugin not present in 0.9.10) CVE-2010-1122 (Unspecified vulnerability in Mozilla Firefox 3.5.x through 3.5.8 allow ...) - xulrunner (Only affects the Firefox 3.6 branch) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=552216 CVE-2010-1121 (Mozilla Firefox 3.6.x before 3.6.3 does not properly manage the scopes ...) - xulrunner (vulnerable code introduced in firefox 3.6) - iceape (vulnerable code introduced in firefox 3.6) CVE-2010-1120 (Unspecified vulnerability in Safari 4 on Apple Mac OS X 10.6 allows re ...) NOT-FOR-US: Apple Type Services CVE-2010-1119 (Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on M ...) - webkit 1.2.1-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) NOTE: https://bugs.webkit.org/show_bug.cgi?id=33850 NOTE: http://trac.webkit.org/changeset/53501 NOTE: http://trac.webkit.org/changeset/53504 CVE-2010-1118 (Unspecified vulnerability in Internet Explorer 8 on Microsoft Windows ...) NOT-FOR-US: Internet Explorer CVE-2010-1117 (Heap-based buffer overflow in Internet Explorer 8 on Microsoft Windows ...) NOT-FOR-US: Internet Explorer CVE-2010-1116 (LookMer Music Portal stores sensitive information under the web root w ...) NOT-FOR-US: LookMer Music Portal CVE-2010-1115 (Directory traversal vulnerability in news/include/customize.php in Web ...) NOT-FOR-US: Web Server Creator - Web Portal CVE-2010-1114 (Multiple PHP remote file inclusion vulnerabilities in Web Server Creat ...) NOT-FOR-US: Web Server Creator - Web Portal CVE-2010-1113 (Cross-site scripting (XSS) vulnerability in the forum page in Web Serv ...) NOT-FOR-US: Web Server Creator - Web Portal CVE-2010-1112 (Cross-site scripting (XSS) vulnerability in cat.php in KloNews 2.0 all ...) NOT-FOR-US: KloNews CVE-2010-1111 (Multiple cross-site scripting (XSS) vulnerabilities in Jokes Complete ...) NOT-FOR-US: Jokes Complete Website CVE-2010-1110 (Directory traversal vulnerability in index.php in phpMySport 1.4 allow ...) NOT-FOR-US: phpMySport CVE-2010-1109 (Multiple SQL injection vulnerabilities in index.php in phpMySport 1.4, ...) NOT-FOR-US: phpMySport CVE-2010-1108 (Cross-site scripting (XSS) vulnerability in the Control Panel module 5 ...) NOT-FOR-US: third-party Drupal module CVE-2010-1107 (Cross-site scripting (XSS) vulnerability in the Recent Comments module ...) NOT-FOR-US: third-party Drupal module CVE-2010-1106 (PHP remote file inclusion vulnerability in cgi/index.php in Advertisem ...) NOT-FOR-US: AdvertisementManager CVE-2010-1105 (Cross-site scripting (XSS) vulnerability in cgi/index.php in Advertise ...) NOT-FOR-US: AdvertisementManager CVE-2010-1103 (Integer overflow in Stainless allows remote attackers to bypass intend ...) NOT-FOR-US: Stainless CVE-2010-1102 (Integer overflow in OmniWeb allows remote attackers to bypass intended ...) NOT-FOR-US: OmniWeb CVE-2010-1101 (Integer overflow in Alexander Clauss iCab allows remote attackers to b ...) NOT-FOR-US: Alexander Clauss iCab CVE-2010-1100 (Integer overflow in Arora allows remote attackers to bypass intended p ...) - arora (Advisory is wrong, URL range is protected by QUrl) CVE-2010-1099 (Integer overflow in Apple Safari allows remote attackers to bypass int ...) NOT-FOR-US: Apple Safari CVE-2010-1098 (The ANI parser in Microsoft Windows before 7 on the x86 platform, as u ...) NOT-FOR-US: Microsoft Windows CVE-2010-1097 (include/userlogin.class.php in DeDeCMS 5.5 GBK, when session.auto_star ...) NOT-FOR-US: DeDeCMS CVE-2010-1096 (Multiple SQL injection vulnerabilities in searchmatch.php in ScriptsFe ...) NOT-FOR-US: ScriptsFeed Dating Software CVE-2010-1095 (Cross-site scripting (XSS) vulnerability in login_reset_password_page. ...) NOT-FOR-US: Tracking Requirements & Use Cases CVE-2010-1094 (SQL injection vulnerability in news.php in DZ EROTIK Auktionshaus V4rg ...) NOT-FOR-US: Auktionshaus V4rgo CVE-2010-1093 (SQL injection vulnerability in rss.php in 1024 CMS 2.1.1, when magic_q ...) NOT-FOR-US: 1024 CMS CVE-2010-1092 (Multiple SQL injection vulnerabilities in login.php in ScriptsFeed Bus ...) NOT-FOR-US: ScriptsFeed Business Directory CVE-2010-1091 (Multiple cross-site scripting (XSS) vulnerabilities in contact.php in ...) NOT-FOR-US: phpMySite CVE-2010-1090 (SQL injection vulnerability in index.php in phpMySite allows remote at ...) NOT-FOR-US: phpMySite CVE-2010-1089 (SQL injection vulnerability in vedi_faq.php in PHP Trouble Ticket 2.2 ...) NOT-FOR-US: PHP Trouble Ticket CVE-2010-1088 (fs/namei.c in Linux kernel 2.6.18 through 2.6.34 does not always follo ...) {DSA-2053-1} - linux-2.6 2.6.32-10 CVE-2010-1087 (The nfs_wait_on_request function in fs/nfs/pagelist.c in Linux kernel ...) {DSA-2053-1} - linux-2.6 2.6.32-9 (low) CVE-2010-1086 (The ULE decapsulation functionality in drivers/media/dvb/dvb-core/dvb_ ...) {DSA-2053-1} - linux-2.6 2.6.32-10 (low) CVE-2010-1085 (The azx_position_ok function in hda_intel.c in Linux kernel 2.6.33-rc4 ...) - linux-2.6 2.6.32-9 [lenny] - linux-2.6 (affected call not present) CVE-2010-1084 (Linux kernel 2.6.18 through 2.6.33, and possibly other versions, allow ...) {DSA-2053-1} - linux-2.6 2.6.32-11 CVE-2010-1083 (The processcompl_compat function in drivers/usb/core/devio.c in Linux ...) {DSA-2053-1} - linux-2.6 2.6.32-9 CVE-2010-1082 (Multiple directory traversal vulnerabilities in OI.Blogs 1.0.0, when m ...) NOT-FOR-US: OI.Blogs CVE-2010-1081 (Directory traversal vulnerability in the Community Polls (com_communit ...) NOT-FOR-US: com_communitypolls component for Joomla! CVE-2010-1080 (Cross-site scripting (XSS) vulnerability in view.php in Pulse CMS 1.2. ...) NOT-FOR-US: Pulse CMS CVE-2010-1079 (Cross-site scripting (XSS) vulnerability in Sawmill before 7.2.18 allo ...) NOT-FOR-US: Sawmill CVE-2010-1078 (SQL injection vulnerability in archive.php in XlentProjects SphereCMS ...) NOT-FOR-US: Xlent Projects SphereCMS CVE-2010-1077 (Directory traversal vulnerability in vbseo.php in Crawlability vBSEO p ...) NOT-FOR-US: Crawlability vBSEO plugin for vBulletin CVE-2010-1076 (Cross-site scripting (XSS) vulnerability in index.php in Entry Level C ...) NOT-FOR-US: Entry Level CMS CVE-2010-1075 (SQL injection vulnerability in index.php in Entry Level CMS (EL CMS) a ...) NOT-FOR-US: Entry Level CMS CVE-2010-1074 (Cross-site scripting (XSS) vulnerability in the Currency Exchange modu ...) NOT-FOR-US: Currency Exchange module for Drupal CVE-2010-1073 (SQL injection vulnerability in the jEmbed-Embed Anything (com_jembed) ...) NOT-FOR-US: com_jembed component for Joomla! CVE-2010-1072 (Cross-site scripting (XSS) vulnerability in search.php in Sniggabo CMS ...) NOT-FOR-US: Sniggabo CMS CVE-2010-1071 (SQL injection vulnerability in profil.php in phpMDJ 1.0.3 allows remot ...) NOT-FOR-US: phpMDJ CVE-2010-1070 (SQL injection vulnerability in index.php in ImagoScripts Deviant Art C ...) NOT-FOR-US: ImagoScripts CVE-2010-1069 (SQL injection vulnerability in games/game.php in ProArcadeScript allow ...) NOT-FOR-US: ProArcadeScript CVE-2010-1068 (Multiple cross-site scripting (XSS) vulnerabilities in surgeftpmgr.cgi ...) NOT-FOR-US: NetWin SurgeFTP CVE-2010-1067 (E-membres 1.0 stores sensitive information under the web root with ins ...) NOT-FOR-US: E-membres CVE-2010-1066 (AR Web Content Manager (AWCM) 2.1 stores sensitive information under t ...) NOT-FOR-US: AR Web Content Manager CVE-2010-1065 (Lebisoft Ziyaretci Defteri 7.4 and 7.5 stores sensitive information un ...) NOT-FOR-US: Lebisoft Ziparetci Defteri CVE-2010-1064 (Erolife AjxGaleri VT stores sensitive information under the web root w ...) NOT-FOR-US: Erolife AjxGaleri VT CVE-2010-1063 (Multiple directory traversal vulnerabilities in Phpkobo Free Real Esta ...) NOT-FOR-US: Phpkobo Free Real Estate Contact Form CVE-2010-1062 (Directory traversal vulnerability in codelib/sys/common.inc.php in Php ...) NOT-FOR-US: Phpkobo Free Real Estate Contact Form CVE-2010-1061 (Multiple directory traversal vulnerabilities in Phpkobo Short URL 1.01 ...) NOT-FOR-US: Phpkbo Short URL CVE-2010-1060 (Directory traversal vulnerability in staff/app/common.inc.php in Phpko ...) NOT-FOR-US: Phpkobo Short URL CVE-2010-1059 (Directory traversal vulnerability in staff/app/common.inc.php in Phpko ...) NOT-FOR-US: Phpkobo Address Book Script CVE-2010-1058 (Directory traversal vulnerability in codelib/cfg/common.inc.php in Php ...) NOT-FOR-US: Phpkobo Adress Book Script CVE-2010-1057 (Multiple directory traversal vulnerabilities in Phpkobo AdFreely (aka ...) NOT-FOR-US: Phpkobo AdFreely CVE-2010-1056 (Directory traversal vulnerability in the RokDownloads (com_rokdownload ...) NOT-FOR-US: com_rokdownloads component for Joomla! CVE-2010-1055 (Multiple PHP remote file inclusion vulnerabilities in osDate 2.1.9 and ...) NOT-FOR-US: osDate CVE-2010-1054 (Multiple SQL injection vulnerabilities in ParsCMS allow remote attacke ...) NOT-FOR-US: ParsCMS CVE-2010-1053 (Multiple SQL injection vulnerabilities in Zen Time Tracking 2.2 and ea ...) NOT-FOR-US: Zen Time Tracking CVE-2010-1052 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Au ...) NOT-FOR-US: AudiStat CVE-2010-1051 (Multiple SQL injection vulnerabilities in index.php in AudiStat 1.3 al ...) NOT-FOR-US: AudiStat CVE-2010-1050 (SQL injection vulnerability in index.php in AudiStat 1.3 allows remote ...) NOT-FOR-US: AudiStat CVE-2010-1049 (Multiple SQL injection vulnerabilities in Uiga Business Portal allow r ...) NOT-FOR-US: Uiga Business Portal CVE-2010-1048 (Cross-site scripting (XSS) vulnerability in blog/index.php in Uiga Bus ...) NOT-FOR-US: Uiga Business Portal CVE-2010-1047 (SQL injection vulnerability in index.php in MASA2EL Music City 1.0 and ...) NOT-FOR-US: MASA2EL Music City CVE-2010-1046 (Multiple SQL injection vulnerabilities in index.php in Rostermain 1.1 ...) NOT-FOR-US: Rostermain CVE-2010-1045 (SQL injection vulnerability in the Productbook (com_productbook) compo ...) NOT-FOR-US: com_productbook component for Joomla! CVE-2010-1044 (SQL injection vulnerability in Login.do in ManageEngine OpUtils 5.0 al ...) NOT-FOR-US: ManageEngine OpUtils CVE-2010-1043 (Directory traversal vulnerability in index.php in jaxCMS 1.0 allows re ...) NOT-FOR-US: jaxCMS CVE-2010-1042 (Microsoft Windows Media Player 11 does not properly perform colorspace ...) NOT-FOR-US: Microsoft Windows Media Player CVE-2010-1041 (Unspecified vulnerability in the single sign-on functionality in the W ...) NOT-FOR-US: IBM DB2 Content Manager Toolkit CVE-2010-1040 (The "IP address range limitation" function in OpenPNE 1.6 through 1.8, ...) NOT-FOR-US: OpenPNE CVE-2010-1039 (Format string vulnerability in the _msgout function in rpc.pcnfsd in I ...) NOT-FOR-US: HP-UX CVE-2010-1038 (Unspecified vulnerability in HP System Insight Manager before 6.0 allo ...) NOT-FOR-US: HP System Insight Manager CVE-2010-1037 (Cross-site request forgery (CSRF) vulnerability in HP System Insight M ...) NOT-FOR-US: HP System Insight Manager CVE-2010-1036 (Cross-site scripting (XSS) vulnerability in HP System Insight Manager ...) NOT-FOR-US: hP System Insight Manager CVE-2010-1035 (Multiple unspecified vulnerabilities in HP Virtual Machine Manager (VM ...) NOT-FOR-US: HP Virtual Machine Manager CVE-2010-1034 (Unspecified vulnerability in HP System Management Homepage (SMH) 6.0 b ...) NOT-FOR-US: HP System Management Homepage CVE-2010-1033 (Multiple stack-based buffer overflows in a certain Tetradyne ActiveX c ...) NOT-FOR-US: HP Operations Manager CVE-2010-1032 (Unspecified vulnerability in HP HP-UX B.11.11 allows local users to ca ...) NOT-FOR-US: HP-UX CVE-2010-1031 (Unspecified vulnerability in HP Insight Control for Linux (aka IC-Linu ...) NOT-FOR-US: HP Insight Control CVE-2010-1030 (Unspecified vulnerability in HP-UX B.11.31, with AudFilter rules enabl ...) NOT-FOR-US: HP-UX CVE-2010-1029 (Stack consumption vulnerability in the WebCore::CSSSelector function i ...) - webkit (proof-of-concept not effective) - chromium-browser 5.0.375.29~r46008-1 CVE-2010-1027 (SQL injection vulnerability in the Meet Travelmates (travelmate) exten ...) NOT-FOR-US: travelmate extension for typo3 CVE-2010-1026 (SQL injection vulnerability in the CleanDB - DBAL (tmsw_cleandb) exten ...) NOT-FOR-US: tmsw_cleandb extension for typo3 CVE-2010-1025 (Cross-site scripting (XSS) vulnerability in the TGM-Newsletter (tgm_ne ...) NOT-FOR-US: tgm_newsletter extension for typo3 CVE-2010-1024 (SQL injection vulnerability in the TGM-Newsletter (tgm_newsletter) ext ...) NOT-FOR-US: tgm_newsletter extension for typo3 CVE-2010-1023 (Cross-site scripting (XSS) vulnerability in the UserTask Center, Recen ...) NOT-FOR-US: taskcenter_recent extension for typo3 CVE-2010-1022 (The TYPO3 Security - Salted user password hashes (t3sec_saltedpw) exte ...) NOT-FOR-US: t3sec_saltedpw extension for typo3 CVE-2010-1021 (Cross-site scripting (XSS) vulnerability in the Typo3 Quixplorer (t3qu ...) NOT-FOR-US: t3quixplorer extension for typo3 CVE-2010-1020 (Cross-site scripting (XSS) vulnerability in the Simple Gallery (sk_sim ...) NOT-FOR-US: sk_simplegallery extension for typo3 CVE-2010-1019 (SQL injection vulnerability in the Simple Gallery (sk_simplegallery) e ...) NOT-FOR-US: sk_simplegallery extension for typo3 CVE-2010-1018 (SQL injection vulnerability in the Book Reviews (sk_bookreview) extens ...) NOT-FOR-US: sk_bookreview extension for typo3 CVE-2010-1017 (SQL injection vulnerability in the SAV Filter Months (sav_filter_month ...) NOT-FOR-US: sav_filter_months extension for typo3 CVE-2010-1016 (SQL injection vulnerability in the SAV Filter Selectors (sav_filter_se ...) NOT-FOR-US: sav_filter_selectors extension for typo3 CVE-2010-1015 (SQL injection vulnerability in the SAV Filter Alphabetic (sav_filter_a ...) NOT-FOR-US: sav_filter_abc extension for typo3 CVE-2010-1014 (Cross-site scripting (XSS) vulnerability in the Reports Logfile View ( ...) NOT-FOR-US: reports_logview extension for typo3 CVE-2010-1013 (SQL injection vulnerability in the Diocese of Portsmouth Database (pd_ ...) NOT-FOR-US: pd_diocesedatabase extension for typo3 CVE-2010-1012 (SQL injection vulnerability in the CleanDB (nf_cleandb) extension 1.0. ...) NOT-FOR-US: nf_cleandb extension for typo3 CVE-2010-1011 (Cross-site scripting (XSS) vulnerability in the myDashboard (mydashboa ...) NOT-FOR-US: mydashboard extension for typo3 CVE-2010-1010 (SQL injection vulnerability in the MK Wastebasket (mk_wastebasket) ext ...) NOT-FOR-US: mk_wastebasket extension for typo3 CVE-2010-1009 (SQL injection vulnerability in the Educator extension 0.1.5 for TYPO3 ...) NOT-FOR-US: educator extension for typo3 CVE-2010-1008 (Cross-site scripting (XSS) vulnerability in the Sellector.com Widget I ...) NOT-FOR-US: chsellector extension for typo3 CVE-2010-1007 (Unspecified vulnerability in the Power Extension Manager (ch_lightem) ...) NOT-FOR-US: ch_lightem extension for typo3 CVE-2010-1006 (SQL injection vulnerability in the Brainstorming extension 0.1.8 and e ...) NOT-FOR-US: brainstorming extension for typo3 CVE-2010-1005 (Cross-site scripting (XSS) vulnerability in the Yet another TYPO3 sear ...) NOT-FOR-US: yatse extension for typo3 CVE-2010-1004 (SQL injection vulnerability in the Yet another TYPO3 search engine (YA ...) NOT-FOR-US: yatse extension for typo3 CVE-2009-4738 (Unspecified vulnerability in JustSystems Corporation ATOK 2006 through ...) NOT-FOR-US: JustSystems Corporation CVE-2009-4737 (Stack-based buffer overflow in JustSystems Corporation Ichitaro 13, 20 ...) NOT-FOR-US: JustSystems Corporation Ichitaro CVE-2009-4736 (Cross-site scripting (XSS) vulnerability in search.php in CommonSense ...) NOT-FOR-US: CommonSense CMS CVE-2010-XXXX [phpCAS XSS in final_uri; PHPCAS-52] - libphp-cas (bug #495542) - glpi 0.72.4-2 (bug #574760; unimportant) NOTE: Only supported behind an authenticated HTTP zone NOTE: http://www.ja-sig.org/issues/browse/PHPCAS-52 CVE-2010-1028 (Integer overflow in the decompression functionality in the Web Open Fo ...) - xulrunner (vulnerability introduced in firefox 3.6) - iceape (Vulnerable code not present) - calibre 2.38.0+dfsg-1 (bug #787085) [jessie] - calibre (Minor issue) [wheezy] - calibre (src/calibre/utils/fonts/woff/ not introduced until version 0.9.33) NOTE: 2.38.0+dfsg-1 removed the copy of woff below src/calibre/utils/fonts/woff/ CVE-2010-XXXX [Escape href attribute in auto links] - redmine 0.9.3-3 CVE-2010-XXXX [Fixes permission check in QueriesController] - redmine 0.9.3-3 CVE-2010-1003 (Directory traversal vulnerability in www/editor/tiny_mce/langs/languag ...) NOT-FOR-US: eFront-learning CVE-2010-1002 RESERVED CVE-2010-1001 RESERVED CVE-2010-1000 (Directory traversal vulnerability in KGet in KDE SC 4.0.0 through 4.4. ...) - kdenetwork 4:4.4.3-2 [lenny] - kdenetwork (Metalink plugin not yet present) NOTE: http://seclists.org/fulldisclosure/2010/May/165 CVE-2010-0999 (Directory traversal vulnerability in Free Download Manager (FDM) befor ...) NOT-FOR-US: Free Download Manager CVE-2010-0998 (Multiple stack-based buffer overflows in Free Download Manager (FDM) b ...) NOT-FOR-US: Free Download Manager CVE-2010-0997 (Cross-site scripting (XSS) vulnerability in 107_plugins/content/conten ...) NOT-FOR-US: e107 CVE-2010-0996 (Unrestricted file upload vulnerability in e107 before 0.7.20 allows re ...) NOT-FOR-US: e107 CVE-2010-0995 (Stack-based buffer overflow in Internet Download Manager (IDM) before ...) NOT-FOR-US: Internet Download Manager CVE-2010-0994 (Multiple buffer overflows in src/vl/vlDAT.cpp in Visualization Library ...) NOT-FOR-US: Visualization Library CVE-2010-0993 (Unrestricted file upload vulnerability in Pulse CMS Basic 1.2.2 and 1. ...) NOT-FOR-US: Pulse CMS Basic CVE-2010-0992 (Multiple cross-site request forgery (CSRF) vulnerabilities in Pulse CM ...) NOT-FOR-US: Pulse CMS Basic CVE-2010-0991 (Multiple heap-based buffer overflows in imlib2 1.4.3 allow context-dep ...) - imlib2 (vulnerable code introduced in 1.4.3) CVE-2010-0990 (Stack-based buffer overflow in Creative Software AutoUpdate Engine Act ...) NOT-FOR-US: Creative Software AutoUpdate CVE-2010-0989 (Directory traversal vulnerability in delete.php in Pulse CMS before 1. ...) NOT-FOR-US: Pulse CMS CVE-2010-0988 (Multiple unspecified vulnerabilities in Pulse CMS before 1.2.3 allow ( ...) NOT-FOR-US: Pulse CMS CVE-2010-0987 (Heap-based buffer overflow in Adobe Shockwave Player before 11.5.7.609 ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-0986 (Adobe Shockwave Player before 11.5.7.609 does not properly process ass ...) NOT-FOR-US: Adobe Shockwave Player CVE-2009-4735 (SQL injection vulnerability in login.php in Allomani Audio & Video ...) NOT-FOR-US: Allomani Audio & Video Library CVE-2009-4734 (SQL injection vulnerability in login.php in Allomani Movies Library (M ...) NOT-FOR-US: Allomani Movies Library CVE-2009-4733 (SQL injection vulnerability in checkuser.php in SimpleLoginSys 0.5, wh ...) NOT-FOR-US: SimpleLoginSys CVE-2009-4732 (SQL injection vulnerability in tt/index.php in TT Web Site Manager 0.5 ...) NOT-FOR-US: TT Web Site Manager CVE-2009-4731 (SQL injection vulnerability in photos.php in Model Agency Manager PRO ...) NOT-FOR-US: Model Agency Manager PRO CVE-2009-4730 (SQL injection vulnerability in report.php in x10 Adult Media Script 1. ...) NOT-FOR-US: Adult Media Script CVE-2009-4729 (Multiple cross-site scripting (XSS) vulnerabilities in x10 Adult Media ...) NOT-FOR-US: Adult Media Script CVE-2009-4728 (SQL injection vulnerability in the administrative interface in Questio ...) NOT-FOR-US: Questions Answered CVE-2009-4727 (SQL injection vulnerability in x/login in JungleScripts Ajax Short Url ...) NOT-FOR-US: JungleScripts Ajax Short Url CVE-2009-4726 (Directory traversal vulnerability in download.php in Quickdev 4 PHP al ...) NOT-FOR-US: Quickdev 4 PHP CVE-2009-4725 (Directory traversal vulnerability in modules/aljazeera/admin/setup.php ...) NOT-FOR-US: Arab Portal CVE-2009-4724 (SQL injection vulnerability in shop.htm in PaymentProcessorScript.net ...) NOT-FOR-US: PaymentProcessorScript.net PPScript CVE-2009-4723 (Directory traversal vulnerability in confirm.php in Netpet CMS 1.9 all ...) NOT-FOR-US: Netpet CMS CVE-2009-4722 (SQL injection vulnerability in the CheckLogin function in includes/fun ...) NOT-FOR-US: Limny CVE-2009-4721 (Multiple SQL injection vulnerabilities in Admin/index.asp in Andrews-W ...) NOT-FOR-US: Andrews-Web BannerAd CVE-2009-4720 (SQL injection vulnerability in cgi-bin/gnudip.cgi in GnuDIP 2.1.1 allo ...) - gnudip (medium; bug #539452) CVE-2009-4719 (SQL injection vulnerability in index.php in Discloser 0.0.4 rc2 allows ...) NOT-FOR-US: Discloser CVE-2010-XXXX [dojo can be used as a redirector] - dojo 1.4.2+dfsg-1 (low) NOTE: http://web.archive.org/web/20101029020014/http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/ NOTE: http://bugs.dojotoolkit.org/ticket/10773 CVE-2010-0985 (Directory traversal vulnerability in the Abbreviations Manager (com_ab ...) NOT-FOR-US: com_abbrev component for Joomla! CVE-2010-0984 (Acidcat CMS 3.5.3 and earlier stores sensitive information under the w ...) NOT-FOR-US: Acidcat CMS CVE-2010-0983 (PHP remote file inclusion vulnerability in include/mail.inc.php in Rez ...) NOT-FOR-US: Rezervi CVE-2010-0982 (Directory traversal vulnerability in the CARTwebERP (com_cartweberp) c ...) NOT-FOR-US: com_cartweberp component for Joomla! CVE-2010-0981 (SQL injection vulnerability in the TPJobs (com_tpjobs) component for J ...) NOT-FOR-US: com_tpjobs component for Joomla! CVE-2010-0980 (SQL injection vulnerability in player.php in Left 4 Dead (L4D) Stats 1 ...) NOT-FOR-US: Left 4 Dead Stats CVE-2010-0979 (Cross-site scripting (XSS) vulnerability in display.php in Obsession-D ...) NOT-FOR-US: Obsession-Design Image-Gallery CVE-2010-0978 (KMSoft Guestbook (aka GBook) 1.0 stores sensitive information under th ...) NOT-FOR-US: KMSoft Guestbook CVE-2010-0977 (PD PORTAL 4.0 stores sensitive information under the web root with ins ...) NOT-FOR-US: PD PORTAL CVE-2010-0976 (Acidcat CMS 3.5.x does not prevent access to install.asp after install ...) NOT-FOR-US: Acidcat CMS CVE-2010-0975 (PHP remote file inclusion vulnerability in external.php in PHPCityPort ...) NOT-FOR-US: PHPCityPortal CVE-2010-0974 (Multiple SQL injection vulnerabilities in PHPCityPortal allow remote a ...) NOT-FOR-US: PHPCityPortal CVE-2010-0973 (SQL injection vulnerability in index.php in phppool media Domain Verka ...) NOT-FOR-US: phppool Media Domain Verkaus and Auktions Portal CVE-2010-0972 (Directory traversal vulnerability in the GCalendar (com_gcalendar) com ...) NOT-FOR-US: com_gcalendar component for Joomla! CVE-2010-0971 (Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.6.4 al ...) NOT-FOR-US: ATutor CMS CVE-2010-0970 (SQL injection vulnerability in phpmylogon.php in PhpMyLogon 2 allows r ...) NOT-FOR-US: PhpMyLogon CVE-2010-0968 (SQL injection vulnerability in bannershow.php in Geekhelps ADMP 1.01 a ...) NOT-FOR-US: Geekhelps ADMP CVE-2010-0967 (Multiple directory traversal vulnerabilities in Geekhelps ADMP 1.01, w ...) NOT-FOR-US: Geekhelps ADMP CVE-2010-0966 (PHP remote file inclusion vulnerability in inc/config.php in deV!L`z C ...) NOT-FOR-US: deV!L`z Clanportal CVE-2010-0965 (Jevci Siparis Formu Scripti stores sensitive information under the web ...) NOT-FOR-US: Jevci Siparis Formu Scripti CVE-2010-0964 (SQL injection vulnerability in start.php in Eros Webkatalog allows rem ...) NOT-FOR-US: Eros Webkatalog CVE-2010-0963 (Cross-site scripting (XSS) vulnerability in index.php in dl Download T ...) NOT-FOR-US: dl Download Ticket Service CVE-2007-6733 (The nfs_lock function in fs/nfs/file.c in the Linux kernel 2.6.9 does ...) - linux-2.6 2.6.10-1 CVE-2010-1195 (Cross-site scripting (XSS) vulnerability in the htmlscrubber component ...) {DSA-2020-1} - ikiwiki 3.20100312 (low) CVE-2010-0747 (drbd8 allows local users to bypass intended restrictions for certain a ...) {DSA-2015-1} - linux-2.6 (drbd introduced for the first time in 2.6.32-12, which included the fix for this issue, so no supported debian kernel was ever affected) - drbd8 2:8.3.7-1 [lenny] - drbd8 2:8.0.14-2+lenny1 CVE-2009-4718 (SQL injection vulnerability in visitorduration.php in Gonafish WebStat ...) NOT-FOR-US: Gonafish WebStatCaffe CVE-2009-4717 (Multiple cross-site scripting (XSS) vulnerabilities in Gonafish WebSta ...) NOT-FOR-US: Gonafish WebStatCaffe CVE-2009-4716 (Cross-site scripting (XSS) vulnerability in results.php in EDGEPHP EZW ...) NOT-FOR-US: EDGEPHP EZWebSearch CVE-2009-4715 (Cross-site scripting (XSS) vulnerability in rates.php in Real Time Cur ...) NOT-FOR-US: Real Time Currency Exchange CVE-2009-4714 (Cross-site scripting (XSS) vulnerability in the quiz module for XOOPS ...) NOT-FOR-US: XOOPS Celepar CVE-2009-4713 (Multiple cross-site scripting (XSS) vulnerabilities in the Qas (aka Qu ...) NOT-FOR-US: XOOPS Celepar CVE-2009-4712 (SQL injection vulnerability in index.php in Tukanas Classifieds (aka E ...) NOT-FOR-US: EasyClassifieds CVE-2009-4711 (SQL injection vulnerability in the CoolURI (cooluri) extension before ...) NOT-FOR-US: typo3 third-party extension CVE-2009-4710 (SQL injection vulnerability in the Reset backend password (cwt_resetbe ...) NOT-FOR-US: typo3 third-party extension CVE-2009-4709 (SQL injection vulnerability in the datamints Newsticker (datamints_new ...) NOT-FOR-US: typo3 third-party extension CVE-2009-4708 (SQL injection vulnerability in the [Gobernalia] Front End News Submitt ...) NOT-FOR-US: typo3 third-party extension CVE-2009-4707 (Cross-site scripting (XSS) vulnerability in the [Gobernalia] Front End ...) NOT-FOR-US: typo3 third-party extension CVE-2009-4706 (Cross-site scripting (XSS) vulnerability in the Mailform (mailform) ex ...) NOT-FOR-US: typo3 third-party extension CVE-2009-4705 (Cross-site scripting (XSS) vulnerability in the Twitter Search (twitte ...) NOT-FOR-US: typo3 third-party extension CVE-2009-4704 (Unspecified vulnerability in the Webesse E-Card (ws_ecard) extension 1 ...) NOT-FOR-US: typo3 third-party extension CVE-2009-4703 (SQL injection vulnerability in the Webesse Image Gallery (ws_gallery) ...) NOT-FOR-US: typo3 third-party extension CVE-2009-4702 (SQL injection vulnerability in the Tour Extension (pm_tour) extension ...) NOT-FOR-US: typo3 third-party extension CVE-2009-4701 (SQL injection vulnerability in the Myth download (myth_download) exten ...) NOT-FOR-US: typo3 third-party extension CVE-2009-4700 (Directory traversal vulnerability in index.php in SkaDate Dating allow ...) NOT-FOR-US: SkaDate Dating CVE-2009-4699 (Multiple cross-site scripting (XSS) vulnerabilities in SkaDate Dating ...) NOT-FOR-US: SkaDate Dating CVE-2009-4698 (Multiple SQL injection vulnerabilities in the Qas (aka Quas) module fo ...) NOT-FOR-US: XOOPS Celepar CVE-2010-0969 (Unbound before 1.4.3 does not properly align structures on 64-bit plat ...) - unbound 1.4.3-1 [lenny] - unbound (Vulnerable code not present) CVE-2010-XXXX [moin: hierarchical ACLs security issue] - moin 1.8.4-1 (low) [lenny] - moin 1.7.1-3+lenny3 NOTE: http://hg.moinmo.in/moin/1.8/rev/897cdbe9e8f2 CVE-2010-0962 (The FTP proxy server in Apple AirPort Express, AirPort Extreme, and Ti ...) NOT-FOR-US: Apple CVE-2010-0961 (Buffer overflow in qoslist in bos.net.tcp.server in IBM AIX 6.1 and VI ...) NOT-FOR-US: IBM AIX and VIOS CVE-2010-0960 (Buffer overflow in qosmod in bos.net.tcp.server in IBM AIX 6.1 and VIO ...) NOT-FOR-US: IBM AIX and VIOS CVE-2010-0959 (Cross-site scripting (XSS) vulnerability in WebEditor/Authentication/L ...) NOT-FOR-US: IBM ENOVIA SmarTeam CVE-2010-0958 (Directory traversal vulnerability in modules/hayoo/index.php in Tribis ...) NOT-FOR-US: Tribisur CVE-2010-0957 (Directory traversal vulnerability in content.php in Saskia's Shopsyste ...) NOT-FOR-US: Saskia's Shopsystem CVE-2010-0956 (SQL injection vulnerability in index.php in OpenCart 1.3.2 allows remo ...) NOT-FOR-US: OpenCart CVE-2010-0955 (SQL injection vulnerability in index.php in Bild Flirt Community 2.0 a ...) NOT-FOR-US: Bild Flirt Community CVE-2010-0954 (SQL injection vulnerability in search_result.asp in Pre Projects Pre E ...) NOT-FOR-US: Pre Projects Pre E-Learning Portal CVE-2010-0953 (Directory traversal vulnerability in mod.php in phpCOIN 1.2.1 allows r ...) NOT-FOR-US: phpCOIN CVE-2010-0952 (SQL injection vulnerability in index.php in OneCMS 2.5, when magic_quo ...) NOT-FOR-US: OneCMS CVE-2010-0951 (SQL injection vulnerability in go_target.php in dev4u CMS allows remot ...) NOT-FOR-US: dev4u CMS CVE-2010-0950 (Multiple SQL injection vulnerabilities in Natychmiast CMS allow remote ...) NOT-FOR-US: Natychmiast CMS CVE-2010-0949 (Multiple cross-site scripting (XSS) vulnerabilities in Natychmiast CMS ...) NOT-FOR-US: Natychmiast CMS CVE-2010-0948 (SQL injection vulnerability in profil.php in Bigforum 4.5, when magic_ ...) NOT-FOR-US: Bigforum CVE-2010-0947 (Cross-site scripting (XSS) vulnerability in post.aspx in Max Network T ...) NOT-FOR-US: BBSMAX CVE-2009-4697 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Ra ...) NOT-FOR-US: RadNICS Gold 5 CVE-2009-4696 (SQL injection vulnerability in index.php in RadNICS Gold 5 allows remo ...) NOT-FOR-US: RadNICS Gold 5 CVE-2009-4695 (SQL injection vulnerability in index.php in RadScripts RadLance Gold 7 ...) NOT-FOR-US: RadScripts RadLance Gold CVE-2009-4694 (Cross-site scripting (XSS) vulnerability in index.php in RadScripts Ra ...) NOT-FOR-US: RadScripts RadLance Gold CVE-2009-4693 (Multiple PHP remote file inclusion vulnerabilities in GraFX MiniCWB 2. ...) NOT-FOR-US: GraFX MiniCWB CVE-2009-4692 (Cross-site scripting (XSS) vulnerability in index.php in RadScripts Ra ...) NOT-FOR-US: RadScripts RadLance Gold CVE-2009-4691 (SQL injection vulnerability in addlink.php in Classified Linktrader Sc ...) NOT-FOR-US: Classified Linktrader Script CVE-2009-4690 (Multiple cross-site scripting (XSS) vulnerabilities in YourFreeWorld P ...) NOT-FOR-US: YourFreeWorld Programs Rating Script CVE-2009-4689 (SQL injection vulnerability in index.php in PHP Shopping Cart Selling ...) NOT-FOR-US: PHP Shopping Cart Selling Website Script CVE-2009-4688 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in PH ...) NOT-FOR-US: PHP Shopping Cart Selling Website Script CVE-2009-4687 (SQL injection vulnerability in silentum_guestbook.php in Silentum Gues ...) NOT-FOR-US: Silentum Guestbook CVE-2009-4686 (Cross-site scripting (XSS) vulnerability in account.php in phplemon Ad ...) NOT-FOR-US: phplemon AdQuick CVE-2009-4685 (Cross-site scripting (XSS) vulnerability in celebrities.php in PHP Scr ...) NOT-FOR-US: PHP Scripts Now Astrology CVE-2009-4684 (Cross-site scripting (XSS) vulnerability in index.php in EZodiak allow ...) NOT-FOR-US: EZodiak CVE-2009-4683 (Directory traversal vulnerability in vote.php in Good/Bad Vote allows ...) NOT-FOR-US: Good/Bad Vote CVE-2009-4682 (Cross-site scripting (XSS) vulnerability in vote.php in Good/Bad Vote ...) NOT-FOR-US: Good/Bad Vote CVE-2009-4681 (Cross-site scripting (XSS) vulnerability in search.php in phpDirectory ...) NOT-FOR-US: phpDirectorySource CVE-2009-4680 (SQL injection vulnerability in search.php in phpDirectorySource 1.x al ...) NOT-FOR-US: phpDirectorySource CVE-2010-1132 (The mlfi_envrcpt function in spamass-milter.cpp in SpamAssassin Milter ...) {DSA-2021-2 DSA-2021-1} - spamass-milter 0.3.1-9 (bug #573228) [lenny] - spamass-milter 0.3.1-8+lenny1 CVE-2010-1189 (MediaWiki before 1.15.2 does not prevent wiki editors from linking to ...) {DSA-2022-1} - mediawiki 1:1.15.2-1 (low) NOTE: http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-March/000088.html [lenny] - mediawiki 1:1.12.0-2lenny4 CVE-2010-1190 (thumb.php in MediaWiki before 1.15.2, when used with access-restrictio ...) {DSA-2022-1} - mediawiki 1:1.15.2-1 (low) [lenny] - mediawiki 1:1.12.0-2lenny4 NOTE: http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-March/000088.html CVE-2010-0946 (SQL injection vulnerability in the Keep It Simple Stupid (KISS) Softwa ...) NOT-FOR-US: com_ksadvertiser component for Joomla! CVE-2010-0945 (SQL injection vulnerability in the HotBrackets Tournament Brackets (co ...) NOT-FOR-US: com_hotbrackets component for Joomla! CVE-2010-0944 (Directory traversal vulnerability in the JCollection (com_jcollection) ...) NOT-FOR-US: com_jcollection component for Joomla! CVE-2010-0943 (Directory traversal vulnerability in the JA Showcase (com_jashowcase) ...) NOT-FOR-US: com_jashowcase component for Joomla! CVE-2010-0942 (Directory traversal vulnerability in the jVideoDirect (com_jvideodirec ...) NOT-FOR-US: com_jvideodirect component for Joomla! CVE-2010-0941 (Multiple cross-site scripting (XSS) vulnerabilities in eTek Systems Hi ...) NOT-FOR-US: eTek Systems Hit Counter CVE-2010-0940 (Cross-site scripting (XSS) vulnerability in guestbook.php in Simple PH ...) NOT-FOR-US: Simple PHP Guestbook CVE-2010-0939 (Visialis ABB Forum 1.1 stores sensitive information under the web root ...) NOT-FOR-US: Visialis ABB Forum CVE-2010-0938 (Cross-site scripting (XSS) vulnerability in todooforum.php in Todoo Fo ...) NOT-FOR-US: Todoo Forum CVE-2010-0937 (Multiple unspecified vulnerabilities in Visualization Library before 2 ...) NOT-FOR-US: Visualization Library CVE-2010-0936 (Cross-site scripting (XSS) vulnerability in auth.asp on the D-LINK DKV ...) NOT-FOR-US: D-LINK firmware CVE-2009-4679 (Directory traversal vulnerability in the inertialFATE iF Portfolio Nex ...) NOT-FOR-US: com_if_nexus component for Joomla! CVE-2009-4678 (Cross-site scripting (XSS) vulnerability in index.php in Winn Guestboo ...) NOT-FOR-US: Winn Guestbook CVE-2009-4677 (Cross-site scripting (XSS) vulnerability in search.php in phpFK PHP Fo ...) NOT-FOR-US: phpFK PHP Forum CVE-2010-XXXX [phpbb 3.0.7 permissions bypass] - phpbb3 3.0.7-PL1 [lenny] - phpbb3 (older version is in the archive) [squeeze] - phpbb3 (older version is in the archive) NOTE: http://www.phpbb.com/community/viewtopic.php?f=14&t=2014195 CVE-2010-0928 (OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex- ...) - openssl (unimportant) NOTE: http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf NOTE: somewhat impractical right now, but the openssl developers are working NOTE: on a fix just in case CVE-2010-0926 (The default configuration of smbd in Samba before 3.3.11, 3.4.x before ...) - samba 2:3.4.6~dfsg-1 (low; bug #568493; bug #572953) [lenny] - samba (Minor issue, patch breaks existing behaviour, can be fixed through configuration modifications) CVE-2010-0935 (Perforce Server 2009.2 and earlier, when the protection table is empty ...) NOT-FOR-US: Perforce Server CVE-2010-0934 (The triggers functionality in Perforce Server 2008.1 allows remote aut ...) NOT-FOR-US: Perforce Server CVE-2010-0933 (Directory traversal vulnerability in Perforce Server 2008.1 allows rem ...) NOT-FOR-US: Perforce Server CVE-2010-0932 (The FTP server in Perforce Server 2008.1 allows remote attackers to ca ...) NOT-FOR-US: Perforce Server CVE-2010-0931 (The Perforce service (p4s.exe) in Perforce Server 2008.1 allows remote ...) NOT-FOR-US: Perforce Server CVE-2010-0930 (The Perforce service (p4s.exe) in Perforce Server 2008.1 allows remote ...) NOT-FOR-US: Perforce Server CVE-2010-0929 (The Perforce service (p4s.exe) in Perforce Server 2008.1 allows remote ...) NOT-FOR-US: Perforce Server CVE-2010-0927 (Cross-site scripting (XSS) vulnerability in help/readme.nsf/Header in ...) NOT-FOR-US: IBM Lotus Domino CVE-2009-4676 (Stack-based buffer overflow in JetCast.exe 2.0.4.1109 in jetAudio 7.5. ...) NOT-FOR-US: JetCast.exe CVE-2009-4675 (admin/admin_info/index.php in the Mole Group Gastro Portal (Restaurant ...) NOT-FOR-US: Mole Group Gastro Portal CVE-2009-4674 (admin/admin.php in Mole Group Sky Hunter Airline Ticket Sale Script an ...) NOT-FOR-US: Mole Group Sky Hunter Airline Ticket Sale Script and Bus Ticket CVE-2009-4673 (SQL injection vulnerability in profile.php in Mole Group Adult Portal ...) NOT-FOR-US: Mole Group Adult Portal Script CVE-2009-4672 (Directory traversal vulnerability in main.php in the WP-Lytebox plugin ...) NOT-FOR-US: WP-Lytebox plugin for WordPress CVE-2009-4671 (Login.php in RoomPHPlanning 1.6 allows remote attackers to bypass auth ...) NOT-FOR-US: RoomPHPlanning CVE-2009-4670 (admin/delitem.php in RoomPHPlanning 1.6 does not require authenticatio ...) NOT-FOR-US: RoomPHPlanning CVE-2009-4669 (Multiple SQL injection vulnerabilities in RoomPHPlanning 1.6 allow rem ...) NOT-FOR-US: RoomPHPlanning CVE-2009-4668 (Stack-based buffer overflow in JetCast.exe 2.0.4.1109 in jetAudio 7.5. ...) NOT-FOR-US: JetCast.exe CVE-2009-4667 (SQL injection vulnerability in form.php in WebMember 1.0 allows remote ...) NOT-FOR-US: WebMember CVE-2009-4666 (Multiple PHP remote file inclusion vulnerabilities in Webradev Downloa ...) NOT-FOR-US: Webradev Download Protect CVE-2009-4665 (Directory traversal vulnerability in CuteSoft_Client/CuteEditor/Load.a ...) NOT-FOR-US: Cute Editor CVE-2010-0925 (cfnetwork.dll 1.450.5.0 in CFNetwork, as used by safari.exe 531.21.10 ...) NOT-FOR-US: Apple Safari CVE-2010-0924 (cfnetwork.dll 1.450.5.0 in CFNetwork, as used by safari.exe 531.21.10 ...) NOT-FOR-US: Apple Safari CVE-2010-0923 (Race condition in workspace/krunner/lock/lockdlg.cc in the KRunner loc ...) - kdebase 4:4.4.2-1 [lenny] - kdebase (Only affected version 4.4.0) - kdebase-workspace 4:4.4.2-1 CVE-2010-0922 (Unspecified vulnerability in secldapclntd in IBM AIX 5.3 with SP 5300- ...) NOT-FOR-US: IBM AIX CVE-2010-0921 (Cross-site request forgery (CSRF) vulnerability in IBM Lotus iNotes (a ...) NOT-FOR-US: IBM Lotus iNotes/IBM Domino Web Access CVE-2010-0920 (Cross-site scripting (XSS) vulnerability in IBM Lotus iNotes (aka Domi ...) NOT-FOR-US: IBM Lotus iNotes/IBM Domino Web Access CVE-2010-0919 (Stack-based buffer overflow in the Lotus Domino Web Access ActiveX con ...) NOT-FOR-US: IBM Lotus iNotes/IBM Domino Web Access CVE-2010-0918 (Multiple unspecified vulnerabilities in the UltraLite functionality in ...) NOT-FOR-US: IBM Lotus iNotes/IBM Domino Web Access CVE-2010-0917 (Stack-based buffer overflow in VBScript in Microsoft Windows 2000 SP4, ...) NOT-FOR-US: Microsoft Windows CVE-2010-0916 (Unspecified vulnerability in Oracle OpenSolaris 10 allows local users ...) NOT-FOR-US: Solaris CVE-2010-0915 (Unspecified vulnerability in the Oracle Advanced Product Catalog compo ...) NOT-FOR-US: Oracle CVE-2010-0914 (Unspecified vulnerability in Oracle Sun Convergence 1.0 allows remote ...) NOT-FOR-US: Oracle CVE-2010-0913 (Unspecified vulnerability in the Oracle Applications Manager component ...) NOT-FOR-US: Oracle CVE-2010-0912 (Unspecified vulnerability in the Oracle Applications Framework compone ...) NOT-FOR-US: Oracle CVE-2010-0911 (Unspecified vulnerability in the Listener component in Oracle Database ...) NOT-FOR-US: Oracle CVE-2010-0910 (Unspecified vulnerability in the Data Server component in Oracle Times ...) NOT-FOR-US: Oracle CVE-2010-0909 (Unspecified vulnerability in the Oracle Applications Framework compone ...) NOT-FOR-US: Oracle CVE-2010-0908 (Unspecified vulnerability in the Oracle Applications Framework compone ...) NOT-FOR-US: Oracle CVE-2010-0907 (Unspecified vulnerability in Oracle Secure Backup 10.3.0.1 allows remo ...) NOT-FOR-US: Oracle CVE-2010-0906 (Unspecified vulnerability in Oracle Secure Backup 10.3.0.1 allows remo ...) NOT-FOR-US: Oracle CVE-2010-0905 (Unspecified vulnerability in the Oracle Applications Manager component ...) NOT-FOR-US: Oracle CVE-2010-0904 (Unspecified vulnerability in Oracle Secure Backup 10.3.0.1 allows remo ...) NOT-FOR-US: Oracle CVE-2010-0903 (Unspecified vulnerability in the Net Foundation Layer component in Ora ...) NOT-FOR-US: Oracle CVE-2010-0902 (Unspecified vulnerability in the Oracle OLAP component in Oracle Datab ...) NOT-FOR-US: Oracle CVE-2010-0901 (Unspecified vulnerability in the Export component in Oracle Database S ...) NOT-FOR-US: Oracle CVE-2010-0900 (Unspecified vulnerability in the Network Layer component in Oracle Dat ...) NOT-FOR-US: Oracle CVE-2010-0899 (Unspecified vulnerability in Oracle Secure Backup 10.3.0.1 allows remo ...) NOT-FOR-US: Oracle CVE-2010-0898 (Unspecified vulnerability in Oracle Secure Backup 10.3.0.1 allows remo ...) NOT-FOR-US: Oracle CVE-2010-0897 (Unspecified vulnerability in the Sun Java System Directory Server comp ...) NOT-FOR-US: Sun Java System Directory Server CVE-2010-0896 (Unspecified vulnerability in the Sun Convergence component in Oracle S ...) NOT-FOR-US: Oracle Sun Product Suite CVE-2010-0895 (Unspecified vulnerability in the Solaris component in Oracle Sun Produ ...) NOT-FOR-US: OpenSolaris CVE-2010-0894 (Unspecified vulnerability in the Sun Java System Access Manager compon ...) NOT-FOR-US: Oracle Sun Product Suite CVE-2010-0893 (Unspecified vulnerability in the Sun Convergence component in Oracle S ...) NOT-FOR-US: Oracle sun Product Suite CVE-2010-0892 (Unspecified vulnerability in the Application Express component in Orac ...) NOT-FOR-US: Oracle CVE-2010-0891 (Unspecified vulnerability in the Sun Management Center component in Or ...) NOT-FOR-US: Oracle Sun Product Suite CVE-2010-0890 (Unspecified vulnerability in the Solaris component in Oracle Sun Produ ...) NOT-FOR-US: OpenSolaris CVE-2010-0889 (Unspecified vulnerability in the Solaris component in Oracle Sun Produ ...) NOT-FOR-US: OpenSolaris CVE-2010-0888 (Unspecified vulnerability in the Sun Ray Server Software component in ...) NOT-FOR-US: Oracle Sun Product Suite CVE-2010-0887 (Unspecified vulnerability in the New Java Plug-in component in Oracle ...) - sun-java6 6.20-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2010-0886 (Unspecified vulnerability in the Java Deployment Toolkit component in ...) - sun-java6 6.20-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2010-0885 (Unspecified vulnerability in the Sun Java System Communications Expres ...) NOT-FOR-US: Oracle Sun Product Suite CVE-2010-0884 (Unspecified vulnerability in the Sun Cluster component in Oracle Sun P ...) NOT-FOR-US: Oracle Sun Product Suite CVE-2010-0883 (Unspecified vulnerability in the Sun Cluster component in Oracle Sun P ...) NOT-FOR-US: Oracle Sun Product Suite CVE-2010-0882 (Unspecified vulnerability in the Solaris component in Oracle Sun Produ ...) NOT-FOR-US: Oracle Sun Product Suite CVE-2010-0881 (Unspecified vulnerability in the User Interface Components in Oracle C ...) NOT-FOR-US: Oracle Collaboration Suite CVE-2010-0880 (Unspecified vulnerability in the PeopleTools component in Oracle Peopl ...) NOT-FOR-US: Oracle PeopleSoft CVE-2010-0879 (Unspecified vulnerability in the PeopleTools component in Oracle Peopl ...) NOT-FOR-US: Oracle PeopleSoft CVE-2010-0878 (Unspecified vulnerability in the PeopleTools component in Oracle Peopl ...) NOT-FOR-US: Oracle PeopleSoft CVE-2010-0877 (Unspecified vulnerability in the PeopleTools component in Oracle Peopl ...) NOT-FOR-US: Oracle PeopleSoft CVE-2010-0876 (Unspecified vulnerability in the Life Sciences - Oracle Clinical Remot ...) NOT-FOR-US: Oracle Industry Product Suite CVE-2010-0875 (Unspecified vulnerability in the Life Sciences - Oracle Thesaurus Mana ...) NOT-FOR-US: Oracle Industry Product Suite CVE-2010-0874 (Unspecified vulnerability in the Communications - Oracle Communication ...) NOT-FOR-US: Oracle Industry Product Suite CVE-2010-0873 (Unspecified vulnerability in the Data Server component in Oracle Times ...) NOT-FOR-US: Oracle CVE-2010-0872 (Unspecified vulnerability in the Oracle Internet Directory component i ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2010-0871 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2010-0870 (Unspecified vulnerability in the Change Data Capture component in Orac ...) NOT-FOR-US: Oracle Database CVE-2010-0869 (Unspecified vulnerability in the Oracle Transportation Management comp ...) NOT-FOR-US: Oracle E-Business Suite CVE-2010-0868 (Unspecified vulnerability in the Oracle iStore component in Oracle E-B ...) NOT-FOR-US: Oracle E-Business Suite CVE-2010-0867 (Unspecified vulnerability in the JavaVM component in Oracle Database 1 ...) NOT-FOR-US: Oracle Database CVE-2010-0866 (Unspecified vulnerability in the JavaVM component in Oracle Database 1 ...) NOT-FOR-US: Oracle Database CVE-2010-0865 (Unspecified vulnerability in the Oracle Agile Engineering Data Managem ...) NOT-FOR-US: Oracle E-Business Suite CVE-2010-0864 (Unspecified vulnerability in the Retail - Oracle Retail Place In-Seaso ...) NOT-FOR-US: Oracle Industry Product Suite CVE-2010-0863 (Unspecified vulnerability in the Retail - Oracle Retail Plan In-Season ...) NOT-FOR-US: Oracle Industry Product Suite CVE-2010-0862 (Unspecified vulnerability in the Retail - Oracle Retail Markdown Optim ...) NOT-FOR-US: Oracle Industry Product Suite CVE-2010-0861 (Unspecified vulnerability in the Oracle HRMS (Self Service) component ...) NOT-FOR-US: Oracle E-Business Suite CVE-2010-0860 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database CVE-2010-0859 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2010-0858 (Unspecified vulnerability in the E-Business Intelligence component in ...) NOT-FOR-US: Oracle E-Business Suite CVE-2010-0857 (Unspecified vulnerability in the Oracle Workflow Cartridge component i ...) NOT-FOR-US: Oracle E-Business Suite CVE-2010-0856 (Unspecified vulnerability in the Portal component in Oracle Fusion Mid ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2010-0855 (Unspecified vulnerability in the Portal component in Oracle Fusion Mid ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2010-0854 (Unspecified vulnerability in the Audit component in Oracle Database 9. ...) NOT-FOR-US: Oracle Database CVE-2010-0853 (Unspecified vulnerability in the Oracle Internet Directory component i ...) NOT-FOR-US: Oracle Database CVE-2010-0852 (Unspecified vulnerability in the XML DB component in Oracle Database 9 ...) NOT-FOR-US: Oracle Database CVE-2010-0851 (Unspecified vulnerability in the XML DB component in Oracle Database 9 ...) NOT-FOR-US: Oracle Database CVE-2010-0850 (Unspecified vulnerability in the Java 2D component in Oracle Java SE a ...) - openjdk-6 6b20~pre1-1 - sun-java6 6.19-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2010-0849 (Unspecified vulnerability in the Java 2D component in Oracle Java SE a ...) - openjdk-6 6b20~pre1-1 - sun-java6 6.19-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2010-0848 (Unspecified vulnerability in the Java 2D component in Oracle Java SE a ...) - openjdk-6 6b20~pre1-1 - sun-java6 6.19-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2010-0847 (Unspecified vulnerability in the Java 2D component in Oracle Java SE a ...) - openjdk-6 6b20~pre1-1 - sun-java6 6.19-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2010-0846 (Unspecified vulnerability in the ImageIO component in Oracle Java SE a ...) - openjdk-6 6b20~pre1-1 - sun-java6 6.19-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2010-0845 (Unspecified vulnerability in the HotSpot Server component in Oracle Ja ...) - openjdk-6 6b20~pre1-1 - sun-java6 6.19-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2010-0844 (Unspecified vulnerability in the Sound component in Oracle Java SE and ...) - openjdk-6 6b20~pre1-1 - sun-java6 6.19-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2010-0843 (Unspecified vulnerability in the Sound component in Oracle Java SE and ...) - openjdk-6 6b20~pre1-1 - sun-java6 6.19-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2010-0842 (Unspecified vulnerability in the Sound component in Oracle Java SE and ...) - openjdk-6 6b20~pre1-1 - sun-java6 6.19-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2010-0841 (Unspecified vulnerability in the ImageIO component in Oracle Java SE a ...) - openjdk-6 6b20~pre1-1 - sun-java6 6.19-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2010-0840 (Unspecified vulnerability in the Java Runtime Environment component in ...) - openjdk-6 6b20~pre1-1 - sun-java6 6.19-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2010-0839 (Unspecified vulnerability in the Sound component in Oracle Java SE and ...) - openjdk-6 6b20~pre1-1 - sun-java6 6.19-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2010-0838 (Unspecified vulnerability in the Java 2D component in Oracle Java SE a ...) - openjdk-6 6b20~pre1-1 - sun-java6 6.19-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2010-0837 (Unspecified vulnerability in the Pack200 component in Oracle Java SE a ...) - openjdk-6 6b20~pre1-1 - sun-java6 6.19-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2010-0836 (Unspecified vulnerability in the Oracle Knowledge Management component ...) NOT-FOR-US: Oracle CVE-2010-0835 (Unspecified vulnerability in the Wireless component in Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2010-0834 (The base-files package before 5.0.0ubuntu7.1 on Ubuntu 9.10 and before ...) - base-files (ubuntu-specific fix for their default OEM configuration on the Dell Latitude 2110, which permitted installation of unsigned packages) CVE-2010-0833 (The pam_lsass library in Likewise Open 5.4 and CIFS 5.4 before build 8 ...) NOT-FOR-US: Likewise CVE-2010-0832 (pam_motd (aka the MOTD module) in libpam-modules before 1.1.0-2ubuntu1 ...) - pam (flaw in ubuntu-specific changes to the package) CVE-2010-0831 (Directory traversal vulnerability in the extract_jar function in jarto ...) - fastjar 2:0.98-3 (low) [lenny] - fastjar (Minor issue) CVE-2010-0830 (Integer signedness error in the elf_get_dynamic_info function in elf/d ...) {DSA-2058-1} - glibc 2.11-1 - eglibc 2.11-1 NOTE: http://sourceware.org/git/?p=glibc.git;a=commit;h=db07e962b6ea963dbb345439f6ab9b0cf74d87c5 CVE-2010-0829 (Multiple array index errors in set.c in dvipng 1.11 and 1.12, and teTe ...) {DSA-2048-1} - dvipng 1.13-1 (low; bug #580628) - texlive-bin (dvipng is not shipped in texlive-bin Debian packages) CVE-2010-0828 (Cross-site scripting (XSS) vulnerability in action/Despam.py in the De ...) {DSA-2024-1} - moin 1.9.2-3 (low; bug #575995) CVE-2010-0827 (Integer overflow in dvips in TeX Live 2009 and earlier, and teTeX, all ...) - texlive-bin 2009-6 (low; bug #580669) [lenny] - texlive-bin 2007.dfsg.2-4+lenny3 CVE-2010-0826 (The Free Software Foundation (FSF) Berkeley DB NSS module (aka libnss- ...) - libnss-db 2.2.3pre1-3.2 (low; bug #577057) [squeeze] - libnss-db (Minor issue) [lenny] - libnss-db (Minor issue) CVE-2010-0825 (lib-src/movemail.c in movemail in emacs 22 and 23 allows local users t ...) - emacs21 (low) [lenny] - emacs21 (Minor issue) NOTE: Only exploitable when configured as setgid mail, which isn't set by default - emacs22 (low; bug #590301) [lenny] - emacs22 (Minor issue) - xemacs21 21.4.22-3.1 (low) [lenny] - xemacs21 (Minor issue) [lenny] - xmacs21 (Minor issue) - emacs23 23.2+1-1 (low) CVE-2009-4664 (Firewall Builder 3.0.4, 3.0.5, and 3.0.6, when running on Linux, allow ...) - fwbuilder 3.0.7-1 (bug #547390; medium) [lenny] - fwbuilder (only versions 3.0.4, 3.0.5 and 3.0.6 are affected) - libfwbuilder 3.0.7-1 (bug #547390; medium) [lenny] - libfwbuilder (only versions 3.0.4, 3.0.5 and 3.0.6 are affected) NOTE: m68k package in debports in still affected at version 3.0.5 NOTE: see http://www.fwbuilder.org/docs/firewall_builder_release_notes.html#3.0.7 CVE-2009-4663 (Heap-based buffer overflow in the Quiksoft EasyMail Objects 6 ActiveX ...) NOT-FOR-US: Quiksoft EasyMail Objects CVE-2009-4662 (Cross-site scripting (XSS) vulnerability in the WebAccess component in ...) NOT-FOR-US: Novell GroupWise CVE-2009-4661 (Multiple buffer overflows in BigAnt Server 2.50 SP6 and earlier allow ...) NOT-FOR-US: BigAnt Server CVE-2009-4660 (Stack-based buffer overflow in the AntServer Module (AntServer.exe) in ...) NOT-FOR-US: BigAnt IM Server CVE-2009-4659 (Unspecified vulnerability in MP3-Cutter Ease Audio Cutter 1.20 allows ...) NOT-FOR-US: MP3-Cutter Ease Audio Cutter CVE-2009-4658 (Xerver 4.32 allows remote authenticated users to cause a denial of ser ...) NOT-FOR-US: Xerver CVE-2009-4657 (The administrator package for Xerver 4.32 does not require authenticat ...) NOT-FOR-US: Xerver CVE-2009-4656 (Stack-based buffer overflow in E-Soft DJ Studio Pro 4.2 including 4.2. ...) NOT-FOR-US: E-Soft DJ Studio Pro CVE-2010-XXXX [esmtp: world-readable config file] - esmtp 1.2-3 (unimportant; bug #568925) NOTE: Documentation advises against adding password data to the respective config file CVE-2010-XXXX [irssi emote leak] - irssi-plugin-otr 1.0.0~alpha2-1 (unimportant; bug #569506) CVE-2010-2450 (The keygen.sh script in Shibboleth SP 2.0 (located in /usr/local/etc/s ...) - shibboleth-sp2 2.3.1+dfsg-2 (low; bug #571631) [lenny] - shibboleth-sp2 (Minor issue) - shibboleth-sp (Vulnerable code not present) CVE-2010-1192 (libESMTP, probably 1.0.4 and earlier, does not properly handle a '\0' ...) - libesmtp 1.0.4-5 (bug #572960) [lenny] - libesmtp (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2010/03/03/6 CVE-2010-1193 (Cross-site scripting (XSS) vulnerability in WebAccess in VMware Server ...) NOT-FOR-US: VMware Server CVE-2010-XXXX [argyll unsafe udev rules] - argyll (issue with redhat-specific changes to the package) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=560050 CVE-2010-2473 (Drupal 6.x before 6.16 and 5.x before version 5.22 does not properly b ...) {DSA-2016-1} - drupal6 6.18-1 (bug #592716) CVE-2010-2472 (Locale module and dependent contributed modules in Drupal 6.x before 6 ...) {DSA-2016-1} - drupal6 6.18-1 (bug #592716) CVE-2010-2471 (drupal6 version 6.16 has open redirection ...) {DSA-2016-1} - drupal6 6.18-1 (bug #592716) CVE-2010-2250 (Drupal 6.x before 6.16 uses a user-supplied value in output during sit ...) {DSA-2016-1} - drupal6 6.18-1 (bug #592716) CVE-2010-XXXX [linux-ftpd: null ptr dereference] - linux-ftpd (Performs proper length checks, see #572813) CVE-2010-0824 (Unspecified vulnerability in Microsoft Office Excel 2002 SP3 and Offic ...) NOT-FOR-US: Microsoft CVE-2010-0823 (Unspecified vulnerability in Microsoft Office Excel 2002 SP3, 2003 SP3 ...) NOT-FOR-US: Microsoft CVE-2010-0822 (Stack-based buffer overflow in Microsoft Office Excel 2002 SP3, Office ...) NOT-FOR-US: Microsoft CVE-2010-0821 (Unspecified vulnerability in Microsoft Office Excel 2002 SP3, 2003 SP3 ...) NOT-FOR-US: Microsoft CVE-2010-0820 (Heap-based buffer overflow in the Local Security Authority Subsystem S ...) NOT-FOR-US: Microsoft Windows CVE-2010-0819 (Unspecified vulnerability in the Windows OpenType Compact Font Format ...) NOT-FOR-US: Microsoft CVE-2010-0818 (The MPEG-4 codec in the Windows Media codecs in Microsoft Windows XP S ...) NOT-FOR-US: Microsoft Windows CVE-2010-0817 (Cross-site scripting (XSS) vulnerability in _layouts/help.aspx in Micr ...) NOT-FOR-US: Microsoft SharePoint Server CVE-2010-0816 (Integer overflow in inetcomm.dll in Microsoft Outlook Express 5.5 SP2, ...) NOT-FOR-US: Microsoft Outlook Express, Windows Live Mail, and Windows Mail CVE-2010-0815 (VBE6.DLL in Microsoft Office XP SP3, Office 2003 SP3, 2007 Microsoft O ...) NOT-FOR-US: Microsoft Office CVE-2010-0814 (The Microsoft Access Wizard Controls in ACCWIZ.dll in Microsoft Office ...) NOT-FOR-US: Microsoft CVE-2010-0813 REJECTED CVE-2010-0812 (Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, an ...) NOT-FOR-US: Microsoft Windows CVE-2010-0811 (Multiple unspecified vulnerabilities in the Microsoft Internet Explore ...) NOT-FOR-US: Microsoft CVE-2010-0810 (The kernel in Microsoft Windows Vista Gold, SP1, and SP2, and Windows ...) NOT-FOR-US: Microsoft Windows CVE-2010-0809 REJECTED CVE-2010-0808 (Microsoft Internet Explorer 6 and 7 on Windows XP and Vista does not p ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-0807 (Microsoft Internet Explorer 7 does not properly handle objects in memo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-0806 (Use-after-free vulnerability in the Peer Objects component (aka iepeer ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-0805 (The Tabular Data Control (TDC) ActiveX control in Microsoft Internet E ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-0804 (Cross-site scripting (XSS) vulnerability in index.php in iBoutique 4.0 ...) NOT-FOR-US: iBoutique CVE-2010-0803 (SQL injection vulnerability in the jVideoDirect (com_jvideodirect) com ...) NOT-FOR-US: jVideoDirect CVE-2010-0802 (SQL injection vulnerability in index.php in (nv2) Awards 1.1.0, a modi ...) NOT-FOR-US: Invision Power Board CVE-2010-0801 (Directory traversal vulnerability in the AutartiTarot (com_autartitaro ...) NOT-FOR-US: Joomla! CVE-2010-0800 (SQL injection vulnerability in the Ossolution Team Documents Seller (a ...) NOT-FOR-US: Joomla! CVE-2010-0799 (Directory traversal vulnerability in misc/tell_a_friend/tell.php in ph ...) NOT-FOR-US: phpunity.newsmanager CVE-2010-0798 (SQL injection vulnerability in the T3BLOG extension 0.6.2 and earlier ...) NOT-FOR-US: T3BLOG extension for TYPO3 CVE-2010-0797 (Cross-site scripting (XSS) vulnerability in the T3BLOG extension 0.6.2 ...) NOT-FOR-US: T3BLOG extension for TYPO3 CVE-2010-0796 (SQL injection vulnerability in the JE Quiz (com_jequizmanagement) comp ...) NOT-FOR-US: Joomla! CVE-2010-0795 (SQL injection vulnerability in the JE Event Calendars (com_jeeventcale ...) NOT-FOR-US: Joomla! CVE-2010-0794 RESERVED CVE-2010-0793 (Buffer overflow in BarnOwl before 1.5.1 allows remote attackers to cau ...) {DSA-2049-1} - barnowl 1.5.1-1 (bug #574418) CVE-2010-0792 (fcrontab in fcron before 3.0.5 allows local users to read arbitrary fi ...) - fcron (unimportant; bug #572587) NOTE: On Debian runs suid/sgid fcron and the issue is limited to the exposure NOTE: of the content of crontabs CVE-2010-0791 (The (1) ncpmount, (2) ncpumount, and (3) ncplogin programs in ncpfs 2. ...) - ncpfs 2.2.6-7 (bug #572937) [lenny] - ncpfs (Minor issue) CVE-2010-0790 (sutil/ncpumount.c in ncpumount in ncpfs 2.2.6 produces certain detaile ...) - ncpfs 2.2.6-7 (bug #572937) [lenny] - ncpfs (Minor issue) CVE-2010-0789 (fusermount in FUSE before 2.7.5, and 2.8.x before 2.8.2, allows local ...) {DSA-1989-1} - fuse 2.8.1-1.2 (bug #567633) NOTE: Initial DSA released as CVE-2009-3297 CVE-2010-0788 (ncpfs 2.2.6 allows local users to cause a denial of service, obtain se ...) - ncpfs 2.2.6-7 (bug #572937) [lenny] - ncpfs (Minor issue) CVE-2010-0787 (client/mount.cifs.c in mount.cifs in smbfs in Samba 3.0.22, 3.0.28a, 3 ...) {DSA-2004-1} - samba 2:3.4.5~dfsg-2 (bug #567554) NOTE: https://bugzilla.samba.org/show_bug.cgi?id=6853 NOTE: Initial DSA released as CVE-2009-3297 CVE-2010-0786 (The Web Services Security component in IBM WebSphere Application Serve ...) NOT-FOR-US: IBM WebSphere Application CVE-2010-0785 (Cross-site request forgery (CSRF) vulnerability in the Administrative ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2010-0784 (Cross-site scripting (XSS) vulnerability in the Administrative Console ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2010-0783 (Cross-site scripting (XSS) vulnerability in the Administrative Console ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2010-0782 (IBM WebSphere MQ 6.x before 6.0.2.10 and 7.x before 7.0.1.3 allows rem ...) NOT-FOR-US: IBM WebSphere CVE-2010-0781 (Unspecified vulnerability in the administrative console in IBM WebSphe ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2010-0780 (IBM WebSphere MQ 7.x before 7.0.1.4 allows remote attackers to cause a ...) NOT-FOR-US: IBM WebSphere CVE-2010-0779 (Cross-site scripting (XSS) vulnerability in the Administration Console ...) NOT-FOR-US: IBM WebSphere CVE-2010-0778 (Cross-site scripting (XSS) vulnerability in the Administration Console ...) NOT-FOR-US: IBM WebSphere CVE-2010-0777 (The Web Container in IBM WebSphere Application Server (WAS) 6.0 before ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2010-0776 (The Web Container in IBM WebSphere Application Server (WAS) 6.0 before ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2010-0775 (Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6. ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2010-0774 (The (1) JAX-RPC WS-Security 1.0 and (2) JAX-WS runtime implementations ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2010-0773 RESERVED CVE-2010-0772 (Unspecified vulnerability in the channel process in IBM WebSphere MQ 7 ...) NOT-FOR-US: IMB WebSphere MQ CVE-2010-0771 REJECTED CVE-2010-0770 (IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2010-0769 (IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2010-0768 (Cross-site scripting (XSS) vulnerability in the Administration Console ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2010-0767 RESERVED CVE-2010-0766 (Integer overflow in the Swap4 function in valet4.dll in Luxology Modo ...) NOT-FOR-US: Luxology Modo CVE-2010-0765 (fipsForum 2.6 stores sensitive information under the web root with ins ...) NOT-FOR-US: fipsForum CVE-2010-0764 (SQL injection vulnerability in index.php in KuwaitPHP eSmile allows re ...) NOT-FOR-US: KuwaitPHP eSmile CVE-2010-0763 (SQL injection vulnerability in index.php in CommodityRentals Vacation ...) NOT-FOR-US: ComodityRentals Vacation Rental Software CVE-2010-0762 (SQL injection vulnerability in index.php in CommodityRentals CD Rental ...) NOT-FOR-US: CommodityRentals CD Rental Software CVE-2010-0761 (SQL injection vulnerability in index.php in CommodityRentals Books/eBo ...) NOT-FOR-US: CommodityRentals Books/eBooks Rentals Script CVE-2010-0760 (Multiple directory traversal vulnerabilities in the Core Design Script ...) NOT-FOR-US: Joomla! CVE-2010-0759 (Directory traversal vulnerability in plugins/system/cdscriptegrator/li ...) NOT-FOR-US: Joomla! CVE-2010-0758 (SQL injection vulnerability in news_desc.php in Softbiz Jobs allows re ...) NOT-FOR-US: Softbiz Jobs CVE-2010-0757 (Unrestricted file upload vulnerability in index.php/Attach in WikyBlog ...) NOT-FOR-US: WikyBlog CVE-2010-0756 (Session fixation vulnerability in WikyBlog 1.7.3 rc2 allows remote att ...) NOT-FOR-US: WikyBlog CVE-2010-0755 (PHP remote file inclusion vulnerability in include/WBmap.php in WikyBl ...) NOT-FOR-US: WikyBlog CVE-2010-0754 (Cross-site scripting (XSS) vulnerability in index.php/Special/Main/Tem ...) NOT-FOR-US: WikyBlog CVE-2010-0753 (SQL injection vulnerability in the SQL Reports (com_sqlreport) compone ...) NOT-FOR-US: Joomla! CVE-2010-0752 (The week_post_page function in the Weekly Archive by Node Type module ...) NOT-FOR-US: Weekly Archive by Node Type (Drupal module) CVE-2010-1144 REJECTED CVE-2010-0750 (pkexec.c in pkexec in libpolkit in PolicyKit 0.96 allows local users t ...) - policykit-1 (pkexec introduced in 0.92) [lenny] - policykit-1 (pkexec introduced in 0.92) CVE-2010-0749 (Transmission before 1.92 allows attackers to prevent download of a fil ...) - transmission 1.92-1 (unimportant; bug #574507) CVE-2010-0748 (Transmission before 1.92 allows an attacker to cause a denial of servi ...) - transmission 1.92-1 (medium; bug #574507) [lenny] - transmission (Support for Magnet links not yet available) CVE-2010-0746 (Directory traversal vulnerability in DeviceKit-disks in DeviceKit, as ...) - udisks 1.0.0~git20100212.aae17d9-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=523178 NOTE: http://cgit.freedesktop.org/DeviceKit/DeviceKit-disks/commit/?id=62f883c7d38e75d0669c162529062a1e81d00da2 NOTE: http://bugs.freedesktop.org/show_bug.cgi?id=23235 CVE-2010-0745 (Unspecified vulnerability in Dovecot 1.2.x before 1.2.11 allows remote ...) - dovecot 1:1.2.11-1 (low) [lenny] - dovecot (this problem exists only with v1.2.x, not with v1.0 or v1.1) NOTE: http://www.dovecot.org/list/dovecot-news/2010-March/000152.html [etch] - dovecot (Vulnerable code not present) CVE-2010-0744 (aMSN (aka Alvaro's Messenger) 0.98.3 and earlier, when SSL is used, do ...) - amsn 0.98.3-1 (low; bug #572818) [lenny] - amsn (Minor issue) CVE-2010-0743 (Multiple format string vulnerabilities in isns.c in (1) Linux SCSI tar ...) {DSA-2042-1} - iscsitarget 0.4.17+svn229-1.4 (medium; bug #574935) - tgt 1:1.0.3-2 (medium; bug #576086) CVE-2010-0742 (The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cm ...) - openssl 1.0.0e-1 (unimportant; bug #584592) [lenny] - openssl (CMS is only present in OpenSSL 0.9.8h and later) NOTE: unimportant since cms is disabled by default CVE-2010-0741 (The virtio_net_bad_features function in hw/virtio-net.c in the virtio- ...) - linux-2.6 2.6.26-1 CVE-2010-0740 (The ssl3_get_record function in ssl/s3_pkt.c in OpenSSL 0.9.8f through ...) - openssl 0.9.8n-1 (medium; bug #575607) [lenny] - openssl (only 0.9.8m is affected with 16 bit shorts) NOTE: http://www.openssl.org/news/secadv/20100324.txt CVE-2010-0739 (Integer overflow in the predospecial function in dospecial.c in dvips ...) - texlive-bin 2009-6 (low; bug #560668) [lenny] - texlive-bin 2007.dfsg.2-4+lenny3 CVE-2010-0738 (The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise ...) - jbossas4 (Only builds a few libraries, not the full application server, #581226) CVE-2010-0737 (A missing permission check was found in The CLI in JBoss Operations Ne ...) NOT-FOR-US: JBoss Operations Network CVE-2010-0736 (Cross-site scripting (XSS) vulnerability in the view_queryform functio ...) - viewvc 1.1.5-1 (bug #575787) CVE-2010-0735 REJECTED CVE-2010-0734 (content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is enab ...) {DSA-2023-1} - curl 7.20.0-1 (low) NOTE: http://www.openwall.com/lists/oss-security/2010/03/16/11 NOTE: depends on the application that uses libcurl CVE-2010-0733 (Integer overflow in src/backend/executor/nodeHash.c in PostgreSQL 8.4. ...) - postgresql-8.4 8.4.2-1 CVE-2010-0732 (gdk/gdkwindow.c in GTK+ before 2.18.5, as used in gnome-screensaver be ...) - gtk+2.0 2.18.5-1 [lenny] - gtk+2.0 (issue only exposed by gnome-screensaver 2.28) [etch] - gtk+2.0 (issue only exposed by gnome-screensaver 2.28) NOTE: http://www.openwall.com/lists/oss-security/2010/02/12/1 CVE-2010-0731 (The gnutls_x509_crt_get_serial function in the GnuTLS library before 1 ...) - gnutls26 (Fixed before initial release) - gnutls13 1.2.1-1 CVE-2010-0730 (The MMIO instruction decoder in the Xen hypervisor in the Linux kernel ...) - linux-2.6 (redhat-specific issue in the 2.6.18 xen kernel) CVE-2010-0729 (A certain Red Hat patch for the Linux kernel in Red Hat Enterprise Lin ...) - linux-2.6 (vulnerability in redhat-specific patch) CVE-2010-0728 (smbd in Samba 3.3.11, 3.4.6, and 3.5.0, when libcap support is enabled ...) - samba 2:3.4.7~dfsg-1 (high; bug #573223) [lenny] - samba (Only affects 3.3.11, 3.4.6 and 3.5.0) CVE-2010-0727 (The gfs2_lock function in the Linux kernel before 2.6.34-rc1-next-2010 ...) {DSA-2053-1} - linux-2.6 2.6.32-11 CVE-2010-0726 (Cross-site scripting (XSS) vulnerability in the tb-send.rb (TrackBack ...) {DSA-2009-1} - tdiary 2.2.1-1.1 (low; bug #572417) CVE-2010-0717 (The default configuration of cfg.packagepages_actions_excluded in Moin ...) {DSA-2014-1} - moin 1.9.0~rc2-1 CVE-2009-4652 (The (1) Conn_GetCipherInfo and (2) Conn_UsesSSL functions in src/ngirc ...) - ngircd 15-0.1 [lenny] - ngircd (SSL/TLS support not yet present) CVE-2003-1590 (Unspecified vulnerability in Sun ONE (aka iPlanet) Web Server 6.0 SP3 ...) NOT-FOR-US: Sun ONE Web Server CVE-2003-1589 (Unspecified vulnerability in Sun ONE (aka iPlanet) Web Server 4.1 befo ...) NOT-FOR-US: Sun ONE Web Server CVE-2010-0725 (Cross-site scripting (XSS) vulnerability in showimg.php in Arab Cart 1 ...) NOT-FOR-US: Arab Cart CVE-2010-0724 (SQL injection vulnerability in showimg.php in Arab Cart 1.0.2.0 allows ...) NOT-FOR-US: Arab Cart CVE-2010-0723 (SQL injection vulnerability in news.php in Ero Auktion 2.0 and 2010 al ...) NOT-FOR-US: Ero Auktion CVE-2010-0722 (SQL injection vulnerability in news.php in Php Auktion Pro allows remo ...) NOT-FOR-US: Php Auktion Pro CVE-2010-0721 (SQL injection vulnerability in news.php in Auktionshaus Gelb 3.0 allow ...) NOT-FOR-US: Auktionshaus Gelb CVE-2010-0720 (SQL injection vulnerability in news.php in Erotik Auktionshaus allows ...) NOT-FOR-US: Erotik Auktionshaus CVE-2010-0719 (An unspecified API in Microsoft Windows 2000, Windows XP, Windows Serv ...) NOT-FOR-US: Microsoft CVE-2010-0718 (Buffer overflow in Microsoft Windows Media Player 9 and 11.0.5721.5145 ...) NOT-FOR-US: Microsoft CVE-2010-0716 (_layouts/Upload.aspx in the Documents module in Microsoft SharePoint b ...) NOT-FOR-US: Microsoft CVE-2010-0715 (Open redirect vulnerability in login.jsp in IBM WebSphere Portal, IBM ...) NOT-FOR-US: IBM WebSphere Portal CVE-2010-0714 (Cross-site scripting (XSS) vulnerability in login.jsp in IBM WebSphere ...) NOT-FOR-US: IBM WebSphere Portal CVE-2010-0713 (Multiple cross-site request forgery (CSRF) vulnerabilities in Zenoss 2 ...) - zenoss (bug #361253) NOTE: http://seclists.org/fulldisclosure/2010/Jan/296 CVE-2010-0712 (Multiple SQL injection vulnerabilities in zport/dmd/Events/getJSONEven ...) - zenoss (bug #361253) NOTE: http://seclists.org/fulldisclosure/2010/Jan/241 CVE-2010-0711 (Cross-site request forgery (CSRF) vulnerability in default.asp in ASPC ...) NOT-FOR-US: ASPCode CMS CVE-2010-0710 (SQL injection vulnerability in default.asp in ASPCode CMS 1.5.8, 2.0.0 ...) NOT-FOR-US: ASPCode CMS CVE-2010-0709 (Multiple cross-site request forgery (CSRF) vulnerabilities in Limny 2. ...) NOT-FOR-US: Limny CVE-2010-0708 (Multiple unspecified vulnerabilities in (1) ns-slapd and (2) slapd.exe ...) NOT-FOR-US: Sun Directory Server Enterprise Edition CVE-2010-0707 (Cross-site request forgery (CSRF) vulnerability in add_user.php in Emp ...) NOT-FOR-US: Employee Timeclock Software CVE-2010-0706 (Cross-site scripting (XSS) vulnerability in the login/prompt component ...) NOT-FOR-US: Subex Nikira Fraud Management System CVE-2010-0705 (Aavmker4.sys in avast! 4.8 through 4.8.1368.0 and 5.0 before 5.0.418.0 ...) NOT-FOR-US: Windows 2000 CVE-2009-4655 (The dhost web service in Novell eDirectory 8.8.5 uses a predictable se ...) NOT-FOR-US: Novell eDirectory CVE-2009-4654 (Stack-based buffer overflow in the dhost module in Novell eDirectory 8 ...) NOT-FOR-US: Novell eDirectory CVE-2009-4653 (Stack-based buffer overflow in the dhost module in Novell eDirectory 8 ...) NOT-FOR-US: Novell eDirectory CVE-2010-0704 (Cross-site scripting (XSS) vulnerability in the Portlet Palette in IBM ...) NOT-FOR-US: IBM WebSphere Portal CVE-2010-0703 (Cross-site scripting (XSS) vulnerability in wa/auth in PortWise SSL VP ...) NOT-FOR-US: PortWise SSL VPN CVE-2010-0702 (SQL injection vulnerability in cisco/services/PhonecDirectory.php in F ...) NOT-FOR-US: Fonality Trixbox CVE-2010-0701 (SQL injection vulnerability in ForceChangePassword.jsp in Newgen Softw ...) NOT-FOR-US: Newgen Software OmniDocs CVE-2010-0700 (Cross-site scripting (XSS) vulnerability in index.php in WampServer 2. ...) NOT-FOR-US: WampServer CVE-2010-0699 (Cross-site scripting (XSS) vulnerability in index.php in VideoSearchSc ...) NOT-FOR-US: VideoSearchScript Pro CVE-2010-0698 (SQL injection vulnerability in backoffice/login.asp in Dynamicsoft WSC ...) NOT-FOR-US: Dynamicsoft WSC CMS CVE-2010-0697 (Cross-site scripting (XSS) vulnerability in the iTweak Upload module 6 ...) NOT-FOR-US: iTweak Upload module for Drupal CVE-2010-0696 (Directory traversal vulnerability in includes/download.php in the Joom ...) NOT-FOR-US: Joomla! CVE-2010-0695 (Cross-site scripting (XSS) vulnerability in pages/index.php in BASIC-C ...) NOT-FOR-US: BASIC-CMS CVE-2010-0694 (SQL injection vulnerability in the PerchaGallery (com_perchagallery) c ...) NOT-FOR-US: Joomla! CVE-2010-0693 (SQL injection vulnerability in products.php in CommodityRentals Trade ...) NOT-FOR-US: CommodityRentals Trade Manager Script CVE-2010-0692 (SQL injection vulnerability in the IP-Tech JQuarks (com_jquarks) Compo ...) NOT-FOR-US: Joomla! CVE-2010-0691 (SQL injection vulnerability in druckansicht.php in JTL-Shop 2 allows r ...) NOT-FOR-US: JTL-Shop CVE-2010-0690 (SQL injection vulnerability in index.php in CommodityRentals Video Gam ...) NOT-FOR-US: CommodityRentals Video Games Rentals CVE-2010-0689 (The ExecuteExe method in the DVBSExeCall Control ActiveX control 1.0.0 ...) NOT-FOR-US: ActiveX CVE-2010-0688 (Stack-based buffer overflow in Orbital Viewer 1.04 allows user-assiste ...) NOT-FOR-US: Orbital Viewer CVE-2010-0687 RESERVED CVE-2010-0686 (WebAccess in VMware VirtualCenter 2.0.2 and 2.5, VMware Server 2.0, an ...) NOT-FOR-US: VMware Server CVE-2010-0685 (The design of the dialplan functionality in Asterisk Open Source 1.2.x ...) - asterisk 1:1.6.2.6-1 NOTE: Design limitation documented in that version [lenny] - asterisk (Unfixable design issue, best practice docs need to be followed) [squeeze] - asterisk (Unfixable design issue, best practice docs need to be followed) CVE-2010-0684 (Cross-site scripting (XSS) vulnerability in createDestination.action i ...) NOT-FOR-US: Apache ActiveMQ CVE-2010-0683 (Unspecified vulnerability in TIBRepoServer5.jar in TIBCO Administrator ...) NOT-FOR-US: TIBCO Administrator CVE-2010-0682 (WordPress 2.9 before 2.9.2 allows remote authenticated users to read t ...) - wordpress 2.9.2-1 (low) [lenny] - wordpress (Only affects Wordpress >= 2.9) CVE-2010-XXXX [multiple typo issues] - typo3-src 4.3.2-1 (bug #571151) [lenny] - typo3-src 4.2.5-1+lenny3 NOTE: DSA-2008 CVE-2010-0681 (ZeusCMS 0.2 stores sensitive information under the web root with insuf ...) NOT-FOR-US: ZeusCMS CVE-2010-0680 (Directory traversal vulnerability in index.php in ZeusCMS 0.2 allows r ...) NOT-FOR-US: ZeusCMS CVE-2010-0679 (Multiple stack-based buffer overflows in the HyleosChemView.HLChemView ...) NOT-FOR-US: ActiveX CVE-2010-0678 (PHP remote file inclusion vulnerability in includes/moderation.php in ...) NOT-FOR-US: Katalog Stron Hurricane CVE-2010-0677 (SQL injection vulnerability in index.php in Katalog Stron Hurricane 1. ...) NOT-FOR-US: Katalog Stron Hurricane CVE-2010-0676 (Directory traversal vulnerability in index.php in the RWCards (com_rwc ...) NOT-FOR-US: RWCards component for Joomla! CVE-2010-0675 (Cross-site scripting (XSS) vulnerability in index.php in BGSvetionik B ...) NOT-FOR-US: BGSvetionik BGS CMS CVE-2010-0674 (StatCounteX 3.1 stores sensitive information under the web root with i ...) NOT-FOR-US: StatCounteX CVE-2010-0673 (SQL injection vulnerability in cplphoto.php in the Copperleaf Photolog ...) NOT-FOR-US: Copperleaf Photolog plugin for WordPress CVE-2010-0672 (SQL injection vulnerability in index.php in WSN Guest 1.02 allows remo ...) NOT-FOR-US: WSN Guest CVE-2010-0671 (SQL injection vulnerability in index.php in KR MEDIA Pogodny CMS allow ...) NOT-FOR-US: KR MEDIA Pogodny CMS CVE-2010-0670 (Unspecified vulnerability in the IP-Tech JQuarks (com_jquarks) Compone ...) NOT-FOR-US: IP-Tech JQuarks (com_jquarks) Component CVE-2010-0669 (MoinMoin before 1.8.7 and 1.9.x before 1.9.2 does not properly sanitiz ...) {DSA-2014-1} - moin 1.9.2-1 (bug #569975) CVE-2010-0668 (Unspecified vulnerability in MoinMoin 1.5.x through 1.7.x, 1.8.x befor ...) {DSA-2014-1} - moin 1.9.2-1 (bug #569975) CVE-2010-0667 (MoinMoin 1.9 before 1.9.1 does not perform the expected clearing of th ...) - moin 1.9.1-1 [lenny] - moin (versions before 1.9 are not affected) [etch] - moin (versions before 1.9 are not affected) NOTE: http://hg.moinmo.in/moin/1.9/rev/9d8e7ce3c3a2 NOTE: http://hg.moinmo.in/moin/1.9/rev/04afdde50094 NOTE: http://moinmo.in/MoinMoinChat/Logs/moin-dev/2010-01-18 CVE-2010-0666 (Unspecified vulnerability in eMBox in Novell eDirectory 8.8 SP5 Patch ...) NOT-FOR-US: Novell eDirectory CVE-2010-0665 (JAG (Just Another Guestbook) 1.14 stores sensitive information under t ...) NOT-FOR-US: JAG CVE-2009-4651 (Multiple cross-site scripting (XSS) vulnerabilities in the Webee Comme ...) NOT-FOR-US: Webee Comments component for Joomla! CVE-2009-4650 (SQL injection vulnerability in the Webee Comments (com_webeecomment) c ...) NOT-FOR-US: Webee Comments component for Joomla! CVE-2009-4649 (Multiple cross-site scripting (XSS) vulnerabilities in geccBBlite 0.1 ...) NOT-FOR-US: geccBBlite CVE-2009-4648 (Accellion Secure File Transfer Appliance before 8_0_105 does not prope ...) NOT-FOR-US: Accellion Secure File Transfer Appliance CVE-2009-4647 (Cross-site scripting (XSS) vulnerability in Accellion Secure File Tran ...) NOT-FOR-US: Accellion Secure File Transfer Appliance CVE-2009-4646 (Static code injection vulnerability in the administrative web interfac ...) NOT-FOR-US: Accellion Secure File Transfer Appliance CVE-2009-4645 (Directory traversal vulnerability in web_client_user_guide.html in Acc ...) NOT-FOR-US: Accellion Secure File Transfer Appliance CVE-2009-4644 (Accellion Secure File Transfer Appliance before 8_0_105 allows remote ...) NOT-FOR-US: Accellion Secure File Transfer Appliance CVE-2005-4886 (The selinux_parse_skb_ipv6 function in security/selinux/hooks.c in the ...) - linux-2.6 2.6.12-1 - linux-2.6.24 (fixed before 2.6.24) CVE-2009-5050 (konversation before 1.2.3 allows attackers to cause a denial of servic ...) - konversation 1.2.3-1 (low) [lenny] - konversation (Doesn't affect the combination of kdelibs/QT in Lenny) NOTE: http://bugs.kde.org/show_bug.cgi?id=219985 CVE-2010-0664 (Stack consumption vulnerability in the ChildProcessSecurityPolicy::Can ...) - chromium-browser 5.0.375.29~r46008-1 - webkit (chrome-specific issue) CVE-2010-0663 (The ParamTraits<SkBitmap>::Read function in common/common_param_ ...) - chromium-browser 5.0.375.29~r46008-1 - webkit (chrome-specific issue) CVE-2010-0662 (The ParamTraits<SkBitmap>::Read function in common/common_param_ ...) - chromium-browser 5.0.375.29~r46008-1 - webkit (chrome-specific issue) CVE-2010-0661 (WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp in WebKit before r524 ...) - chromium-browser 5.0.375.29~r46008-1 - webkit (libv8 issue) NOTE: http://trac.webkit.org/changeset/52401 CVE-2010-0660 (Google Chrome before 4.0.249.78 sends an https URL in the Referer head ...) - chromium-browser 5.0.375.29~r46008-1 - webkit (chrome-specific issue) CVE-2010-0659 (The image decoder in WebKit before r52833, as used in Google Chrome be ...) - chromium-browser 5.0.375.29~r46008-1 - webkit 1.1.21-1 (low) [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) CVE-2010-0658 (Multiple integer overflows in Skia, as used in Google Chrome before 4. ...) - chromium-browser 5.0.375.29~r46008-1 - webkit (chrome-specific issue) CVE-2010-0657 (Google Chrome before 4.0.249.78 on Windows does not perform the expect ...) - chromium-browser 5.0.375.29~r46008-1 - webkit (chrome-specific issue) NOTE: claimed to be a windows-only issue CVE-2010-0656 (WebKit before r51295, as used in Google Chrome before 4.0.249.78, pres ...) - chromium-browser 5.0.375.29~r46008-1 - webkit 1.1.21-1 (low) [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) CVE-2010-0655 (Use-after-free vulnerability in Google Chrome before 4.0.249.78 allows ...) - chromium-browser 5.0.375.29~r46008-1 - webkit (chrome-specific issue) CVE-2010-0654 (Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, Thunderbir ...) {DSA-2124-1 DSA-2075-1} - xulrunner 1.9.1.11-1 (bug #570743) - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - icedove 3.0.6-1 [lenny] - icedove - iceape 2.0.6-1 [lenny] - iceape (Only a stub package) CVE-2010-0653 (Opera before 10.10 permits cross-origin loading of CSS stylesheets eve ...) NOT-FOR-US: Opera CVE-2010-0652 (Microsoft Internet Explorer permits cross-origin loading of CSS styles ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-0651 (WebKit before r52784, as used in Google Chrome before 4.0.249.78 and A ...) - chromium-browser 5.0.375.29~r46008-1 - webkit 1.1.21-1 (low) [lenny] - webkit (Too intrusive to backport, disk of regression higher than impact at hand) NOTE: http://trac.webkit.org/changeset/52784 CVE-2010-0650 (WebKit, as used in Google Chrome before 4.0.249.78 and Apple Safari, a ...) - chromium-browser 5.0.375.29~r46008-1 - webkit 1.1.21-1 (unimportant) NOTE: http://code.google.com/p/chromium/issues/detail?id=3275 NOTE: unimportant because this is just a popup blocker bypass CVE-2010-0649 (Integer overflow in the CrossCallParamsEx::CreateFromBuffer function i ...) - chromium-browser 5.0.375.29~r46008-1 - webkit (chrome-specific issue) CVE-2010-0648 (Mozilla Firefox, possibly before 3.6, allows remote attackers to disco ...) - xulrunner (bug #570743) [wheezy] - xulrunner (no detailed information available) CVE-2010-0647 (WebKit before r53525, as used in Google Chrome before 4.0.249.89, allo ...) - chromium-browser 5.0.375.29~r46008-1 - webkit 1.1.21-1 (medium) [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) CVE-2010-0646 (Multiple integer signedness errors in factory.cc in Google V8 before r ...) - chromium-browser 5.0.375.29~r46008-1 - libv8 2.1.6-1 - webkit (libv8 issue) CVE-2010-0645 (Multiple integer overflows in factory.cc in Google V8 before r3560, as ...) - chromium-browser 5.0.375.29~r46008-1 - libv8 2.1.6-1 - webkit (libv8 issue) CVE-2010-0644 (Google Chrome before 4.0.249.89, when a SOCKS 5 proxy server is config ...) - chromium-browser 5.0.375.29~r46008-1 - webkit (chrome-specific issue) CVE-2010-0643 (Google Chrome before 4.0.249.89 attempts to make direct connections to ...) - chromium-browser 5.0.375.29~r46008-1 - webkit (chrome-specific issue) CVE-2010-0642 (Cisco Collaboration Server (CCS) 5 allows remote attackers to read the ...) NOT-FOR-US: Cisco Collaboration Server CVE-2010-0641 (Cross-site scripting (XSS) vulnerability in webline/html/admin/wcs/Log ...) NOT-FOR-US: Cisco Collaboration Server CVE-2010-0640 (Cross-site scripting (XSS) vulnerability in CA eHealth Performance Man ...) NOT-FOR-US: CA eHealth Performance Manager CVE-2010-0639 (The htcpHandleTstRequest function in htcp.c in Squid 2.x before 2.6.ST ...) - squid 2.7.STABLE8-1 (bug #572553) [lenny] - squid (Minor issue, only affects non-default setup) - squid3 3.1.0.17-1 (bug #572554) [lenny] - squid3 (Minor issue, only affects non-default setup) CVE-2010-0638 (Cross-site request forgery (CSRF) vulnerability in WebCalendar 1.2.0 a ...) - webcalendar (bug #572557) CVE-2009-4643 (Stack-based buffer overflow in dsInstallerService.dll in the Juniper I ...) NOT-FOR-US: Juniper Installer Service CVE-2009-XXXX [ffmpeg potentially remaining vulnerabilities after DSA 2000] - ffmpeg 4:0.5.1-1 (medium; bug #570713) - ffmpeg-debian CVE-2010-XXXX [phpbb3 weak captcha] - phpbb3 3.0.7-PL1-1 (unimportant; bug #570011) CVE-2010-0634 (Unspecified vulnerability in Fast Lexical Analyzer Generator (flex) be ...) - flex 2.5.35-1 CVE-2010-0629 (Use-after-free vulnerability in kadmin/server/server_stubs.c in kadmin ...) {DSA-2031-1} - krb5 1.7+dfsg-1 (low) NOTE: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-003.txt CVE-2010-0628 (The spnego_gss_accept_sec_context function in lib/gssapi/spnego/spnego ...) - krb5 1.8+dfsg-1.1 (bug #575740) [lenny] - krb5 (Only affects 1.7/1.8) CVE-2010-2234 (Cross-site request forgery (CSRF) vulnerability in Apache CouchDB 0.8. ...) - couchdb 0.11.0-2.1 (bug #570013) [lenny] - couchdb (does not support authentication at all) CVE-2010-0637 (Multiple cross-site request forgery (CSRF) vulnerabilities in WebCalen ...) - webcalendar (bug #572557) CVE-2010-0636 (Multiple cross-site scripting (XSS) vulnerabilities in WebCalendar 1.2 ...) - webcalendar (bug #572557) CVE-2010-0635 (SQL injection vulnerability in the plgSearchEventsearch::onSearch meth ...) NOT-FOR-US: JEvents Search plugin for Joomla! CVE-2010-0633 (Unspecified vulnerability in Citrix XenServer 5.0 Update 3 and earlier ...) NOT-FOR-US: Citrix XenServer CVE-2010-0632 (SQL injection vulnerability in the Parkview Consultants SimpleFAQ (com ...) NOT-FOR-US: Parkview Consultants SimpleFAQ component for Joomla! CVE-2010-0631 (Multiple SQL injection vulnerabilities in index.php in Eicra Car Renta ...) NOT-FOR-US: Eicra Car Rental-Script CVE-2010-0630 (SQL injection vulnerability in viewjokes.php in Evernew Free Joke Scri ...) NOT-FOR-US: Evernew Free Joke Script CVE-2010-0627 RESERVED CVE-2010-0626 RESERVED CVE-2010-0625 (Stack-based buffer overflow in NWFTPD.nlm before 5.10.01 in the FTP se ...) NOT-FOR-US: Novell NetWare CVE-2010-0624 (Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib. ...) - cpio 2.11-1 (low) - tar 1.23-1 (low) [lenny] - tar 1.20-1+lenny1 [lenny] - cpio 2.9-13lenny1 CVE-2010-0621 RESERVED CVE-2010-0620 (Directory traversal vulnerability in the SSL Service in EMC HomeBase S ...) NOT-FOR-US: EMC HomeBase Server CVE-2010-0619 (Stack-based buffer overflow in the base, IPDS DLE, Forms DLE, Barcode ...) NOT-FOR-US: Lexmark laser printers CVE-2010-0618 (The flood-protection feature in the base, IPDS DLE, Forms DLE, Barcode ...) NOT-FOR-US: Lexmark laser and injet printers and MarkNet devices CVE-2010-0617 (Cross-site scripting (XSS) vulnerability in ajax.php in evalSMSI 2.1.0 ...) NOT-FOR-US: evalSMSI CVE-2010-0616 (evalSMSI 2.1.03 stores passwords in cleartext in the database, which a ...) NOT-FOR-US: evalSMSI CVE-2010-0615 (Cross-site scripting (XSS) vulnerability in assess.php in evalSMSI 2.1 ...) NOT-FOR-US: evalSMSI CVE-2010-0614 (SQL injection vulnerability in ajax.php in evalSMSI 2.1.03 allows remo ...) NOT-FOR-US: evalSMSI CVE-2010-0613 (Directory traversal vulnerability in viewfile.php in ARWScripts Fonts ...) NOT-FOR-US: ARWScripts Fonts Script CVE-2010-0612 (Unspecified vulnerability in DocumentManager before 4.0 has unknown im ...) NOT-FOR-US: DocumentManager CVE-2010-0611 (Multiple SQL injection vulnerabilities in adminlogin.php in Baal Syste ...) NOT-FOR-US: Baal Systems CVE-2010-0610 (Multiple SQL injection vulnerabilities in the Photoblog (com_photoblog ...) NOT-FOR-US: Photoblog component for Joomla! CVE-2010-0609 (SQL injection vulnerability in header.php in NovaBoard 1.1.2 allows re ...) NOT-FOR-US: NovaBoard CVE-2010-0608 (SQL injection vulnerability in index.php in NovaBoard 1.1.2 allows rem ...) NOT-FOR-US: NovaBoard CVE-2010-0607 (Cross-site scripting (XSS) vulnerability in Forms/status_statistics_1 ...) NOT-FOR-US: Sterlite SAM300 AX Router CVE-2010-0606 (Cross-site scripting (XSS) vulnerability in scp/ajax.php in osTicket b ...) NOT-FOR-US: osTicket CVE-2010-0605 (SQL injection vulnerability in scp/ajax.php in osTicket before 1.6.0 S ...) NOT-FOR-US: osTicket CVE-2010-0604 (Unspecified vulnerability in the SIP implementation on the Cisco PGW 2 ...) NOT-FOR-US: Cisco PGW CVE-2010-0603 (The SIP implementation on the Cisco PGW 2200 Softswitch with software ...) NOT-FOR-US: Cisco PWG CVE-2010-0602 (The SIP implementation on the Cisco PGW 2200 Softswitch with software ...) NOT-FOR-US: Cisco PGW CVE-2010-0601 (The MGCP implementation on the Cisco PGW 2200 Softswitch with software ...) NOT-FOR-US: Cisco PGW CVE-2010-0600 (Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2 ...) NOT-FOR-US: Cisco Mediator Framework CVE-2010-0599 (Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2 ...) NOT-FOR-US: Cisco Mediator Framework CVE-2010-0598 (Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2 ...) NOT-FOR-US: Cisco Mediator Framework CVE-2010-0597 (Unspecified vulnerability in Cisco Mediator Framework 1.5.1 before 1.5 ...) NOT-FOR-US: Cisco Mediator Framework CVE-2010-0596 (Unspecified vulnerability in Cisco Mediator Framework 2.2 before 2.2.1 ...) NOT-FOR-US: Cisco Mediator Framework CVE-2010-0595 (Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2 ...) NOT-FOR-US: Cisco Mediator Framework CVE-2010-0594 (Cross-site scripting (XSS) vulnerability in Cisco Router and Security ...) NOT-FOR-US: Cisco Router and Security Device Manager CVE-2010-0593 (The Cisco RVS4000 4-port Gigabit Security Router before 1.3.2.0, PVC23 ...) NOT-FOR-US: Cisco RVS4000 Router CVE-2010-0592 (The CTI Manager service in Cisco Unified Communications Manager (aka C ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2010-0591 (Cisco Unified Communications Manager (aka CUCM, formerly CallManager) ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2010-0590 (The CMSIPUtility component in Cisco Unified Communications Manager (ak ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2010-0589 (The Web Install ActiveX control (CSDWebInstaller) in Cisco Secure Desk ...) NOT-FOR-US: Cisco Secure Desktop CVE-2010-0588 (Cisco Unified Communications Manager (aka CUCM, formerly CallManager) ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2010-0587 (Cisco Unified Communications Manager (aka CUCM, formerly CallManager) ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2010-0586 (Cisco IOS 12.1 through 12.4, when Cisco Unified Communications Manager ...) NOT-FOR-US: Cisco IOS CVE-2010-0585 (Cisco IOS 12.1 through 12.4, when Cisco Unified Communications Manager ...) NOT-FOR-US: Cisco IOS CVE-2010-0584 (Unspecified vulnerability in Cisco IOS 12.4, when NAT SCCP fragmentati ...) NOT-FOR-US: Cisco IOS CVE-2010-0583 (Memory leak in the H.323 implementation in Cisco IOS 12.1 through 12.4 ...) NOT-FOR-US: Cisco IOS CVE-2010-0582 (Cisco IOS 12.1 through 12.4, and 15.0M before 15.0(1)M1, allows remote ...) NOT-FOR-US: Cisco IOS CVE-2010-0581 (Unspecified vulnerability in the SIP implementation in Cisco IOS 12.3 ...) NOT-FOR-US: Cisco IOS CVE-2010-0580 (Unspecified vulnerability in the SIP implementation in Cisco IOS 12.3 ...) NOT-FOR-US: CiscoIOS CVE-2010-0579 (The SIP implementation in Cisco IOS 12.3 and 12.4 allows remote attack ...) NOT-FOR-US: Cisco IOS CVE-2010-0578 (The IKE implementation in Cisco IOS 12.2 through 12.4 on Cisco 7200 an ...) NOT-FOR-US: Cisco IOS CVE-2010-0577 (Cisco IOS 12.2 through 12.4, when certain PMTUD, SNAT, or window-size ...) NOT-FOR-US: Cisco IOS CVE-2010-0576 (Unspecified vulnerability in Cisco IOS 12.0 through 12.4, IOS XE 2.1.x ...) NOT-FOR-US: Cisco IOS CVE-2010-0575 (Cisco Wireless LAN Controller (WLC) software, possibly 6.0.x or possib ...) NOT-FOR-US: Cisco WLC CVE-2010-0574 (Unspecified vulnerability in Cisco Wireless LAN Controller (WLC) softw ...) NOT-FOR-US: Cisco WLC CVE-2010-0573 (Unspecified vulnerability on the Cisco Digital Media Player before 5.2 ...) NOT-FOR-US: Cisco Digital Media Player CVE-2010-0572 (Cisco Digital Media Manager (DMM) before 5.2 allows remote authenticat ...) NOT-FOR-US: Cisco Digital Media Manager CVE-2010-0571 (Unspecified vulnerability in Cisco Digital Media Manager (DMM) 5.0.x a ...) NOT-FOR-US: Cisco Digital Media Manager CVE-2010-0570 (Cisco Digital Media Manager (DMM) 5.0.x and 5.1.x has a default passwo ...) NOT-FOR-US: Cisco Digital Media Manager CVE-2010-0569 (Unspecified vulnerability in Cisco ASA 5500 Series Adaptive Security A ...) NOT-FOR-US: Cisco CVE-2010-0568 (Unspecified vulnerability in Cisco ASA 5500 Series Adaptive Security A ...) NOT-FOR-US: Cisco CVE-2010-0567 (Unspecified vulnerability in Cisco ASA 5500 Series Adaptive Security A ...) NOT-FOR-US: Cisco CVE-2010-0566 (Unspecified vulnerability in Cisco ASA 5500 Series Adaptive Security A ...) NOT-FOR-US: Cisco CVE-2010-0565 (Unspecified vulnerability in Cisco ASA 5500 Series Adaptive Security A ...) NOT-FOR-US: Cisco CVE-2009-4642 (gnome-screensaver 2.26.1 relies on the gnome-session D-Bus interface t ...) - gnome-screensaver 2.26.1-2 [lenny] - gnome-screensaver (vulnerability introduced in 2.26) NOTE: only an issue under certain desktop environments such as xfce CVE-2009-4641 (gnome-screensaver 2.28.0 does not resume adherence to its activation s ...) - gnome-screensaver 2.28.0-2 (low; bug #569667) [etch] - gnome-screensaver (Vulnerable code not present) [lenny] - gnome-screensaver (Vulnerable code not present) CVE-2001-1586 (Directory traversal vulnerability in SimpleServer:WWW 1.13 and earlier ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2010-XXXX [multiple mod_security issues] - libapache-mod-security 2.5.12-1 (bug #569658) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=563455 CVE-2010-0623 (The futex_lock_pi function in kernel/futex.c in the Linux kernel befor ...) - linux-2.6 2.6.32-9 [etch] - linux-2.6 (vulnerable code introduced in 2.6.28) [lenny] - linux-2.6 (vulnerable code introduced in 2.6.28) - linux-2.6.24 (vulnerable code introduced in 2.6.28) CVE-2010-0622 (The wake_futex_pi function in kernel/futex.c in the Linux kernel befor ...) {DSA-2012-1 DSA-2005-1 DSA-2003-1} - linux-2.6 2.6.32-9 - linux-2.6.24 CVE-2010-0564 (Buffer overflow in Trend Micro URL Filtering Engine (TMUFE) in OfficeS ...) NOT-FOR-US: Trend Micro URL Filtering Engine CVE-2009-4640 (Array index error in vorbis_dec.c in FFmpeg 0.5 allows remote attacker ...) {DSA-2000-1} - ffmpeg 4:0.5+svn20090706-3 (bug #550442) - ffmpeg-debian CVE-2009-4639 (The av_rescale_rnd function in the AVI demuxer in FFmpeg 0.5 allows re ...) - ffmpeg 7:2.4.1-1 (unimportant; bug #550442) - ffmpeg-debian (unimportant) NOTE: denial-of-service only, so not worth worrying about NOTE: http://thread.gmane.org/gmane.comp.video.ffmpeg.devel/97154/focus=97156 NOTE: http://thread.gmane.org/gmane.comp.video.ffmpeg.issues/6111/focus=6116 CVE-2009-4638 (Integer overflow in FFmpeg 0.5 allows remote attackers to cause a deni ...) {DSA-2000-1} - ffmpeg 4:0.5+svn20090706-3 (bug #550442) - ffmpeg-debian CVE-2009-4637 (FFmpeg 0.5 allows remote attackers to cause a denial of service (crash ...) {DSA-2000-1} - ffmpeg 4:0.5+svn20090706-3 (bug #550442) - ffmpeg-debian CVE-2009-4636 (FFmpeg 0.5 allows remote attackers to cause a denial of service (hang) ...) {DSA-2000-1} - ffmpeg 4:0.5+svn20090706-3 (bug #550442) - ffmpeg-debian CVE-2009-4635 (FFmpeg 0.5 allows remote attackers to cause a denial of service and po ...) {DSA-2000-1} - ffmpeg 4:0.5+svn20090706-3 (bug #550442) - ffmpeg-debian CVE-2009-4634 (Multiple integer underflows in FFmpeg 0.5 allow remote attackers to ca ...) {DSA-2000-1} - ffmpeg 4:0.5+svn20090706-3 (bug #550442) - ffmpeg-debian CVE-2009-4633 (vorbis_dec.c in FFmpeg 0.5 uses an assignment operator when a comparis ...) {DSA-2000-1} - ffmpeg 4:0.5+svn20090706-3 (bug #550442) - ffmpeg-debian CVE-2009-4632 (oggparsevorbis.c in FFmpeg 0.5 does not properly perform certain point ...) {DSA-2000-1} - ffmpeg 4:0.5+svn20090706-3 (bug #550442) - ffmpeg-debian CVE-2009-4631 (Off-by-one error in the VP3 decoder (vp3.c) in FFmpeg 0.5 allows remot ...) {DSA-2000-1} - ffmpeg 4:0.5+svn20090706-3 (bug #550442) - ffmpeg-debian CVE-2010-0563 (The Single Sign-on (SSO) functionality in IBM WebSphere Application Se ...) NOT-FOR-US: IBM WebSphere Application CVE-2010-0562 (The sdump function in sdump.c in fetchmail 6.3.11, 6.3.12, and 6.3.13, ...) - fetchmail 6.3.13-2 (low) [lenny] - fetchmail (This issue was introduced in 6.3.11) [etch] - fetchmail (This issue was introduced in 6.3.11) NOTE: the conditions so that this is exploitable are rather obscure CVE-2010-0561 (Integer signedness error in NetBSD 4.0, 5.0, and NetBSD-current before ...) NOT-FOR-US: NetBSD CVE-2010-0560 (Unspecified vulnerability in the BIOS in Intel Desktop Board DB, DG, D ...) NOT-FOR-US: Intel Desktop BIOS CVE-2003-1588 (Sun Cluster 2.2, when HA-Oracle or HA-Sybase DBMS services are used, s ...) NOT-FOR-US: Sun Cluster CVE-2010-0559 (The default configuration of Oracle OpenSolaris snv_91 through snv_131 ...) NOT-FOR-US: Oracle OpenSolaris CVE-2010-0558 (The default configuration of Oracle OpenSolaris snv_77 through snv_131 ...) NOT-FOR-US: Oracle OpenSolaris CVE-2010-0557 (IBM Cognos Express 9.0 allows attackers to obtain unspecified access t ...) NOT-FOR-US: IBM Cognos Express CVE-2010-0556 (browser/login/login_prompt.cc in Google Chrome before 4.0.249.89 popul ...) - chromium-browser 5.0.375.29~r46008-1 - webkit (chrome-specific issue) CVE-2003-1587 (Cross-site scripting (XSS) vulnerability in LoganPro allows remote att ...) NOT-FOR-US: LoganPro CVE-2003-1586 (Cross-site scripting (XSS) vulnerability in WebExpert allows remote at ...) NOT-FOR-US: WebExpert CVE-2003-1585 (Cross-site scripting (XSS) vulnerability in WebLogExpert allows remote ...) NOT-FOR-US: WebLogExpert CVE-2003-1584 (Cross-site scripting (XSS) vulnerability in SurfStats allows remote at ...) NOT-FOR-US: SurfStats CVE-2003-1583 (Cross-site scripting (XSS) vulnerability in WebTrends allows remote at ...) NOT-FOR-US: WebTrends CVE-2003-1582 (Microsoft Internet Information Services (IIS) 6.0, when DNS resolution ...) NOT-FOR-US: Microsoft CVE-2003-1581 (The Apache HTTP Server 2.0.44, when DNS resolution is enabled for clie ...) - apache (unimportant) - apache2 (unimportant; bug #570740) NOTE: not really an apache issue; if an apache log analyzer is known vulnerable, NOTE: then that itself should be fixed CVE-2003-1580 (The Apache HTTP Server 2.0.44, when DNS resolution is enabled for clie ...) - apache (unimportant) - apache2 (unimportant; bug #570740) NOTE: not really an apache issue; if an apache log analyzer is known vulnerable, NOTE: then that itself should be fixed CVE-2003-1579 (Sun ONE (aka iPlanet) Web Server 6 on Windows, when DNS resolution is ...) NOT-FOR-US: Sun ONE (aka iPlanet) Web Server 6 on Windows CVE-2003-1578 (Sun ONE (aka iPlanet) Web Server 4.1 through SP12 and 6.0 through SP5, ...) NOT-FOR-US: Sun ONE (aka iPlanet) Web Server 6 on Windows CVE-2003-1577 (Sun ONE (aka iPlanet) Web Server 4.1 through SP12 and 6.0 through SP5, ...) NOT-FOR-US: Sun ONE (aka iPlanet) Web Server 6 on Windows CVE-2010-0555 (Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, 7, and 8 does not prev ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-0554 (The HTTP Authentication implementation in Geo++ GNCASTER 1.4.0.7 and e ...) NOT-FOR-US: Geo++ GNCASTER CVE-2010-0553 (Geo++ GNCASTER 1.4.0.7 and earlier allows remote authenticated users t ...) NOT-FOR-US: Geo++ GNCASTER CVE-2010-0552 (Geo++ GNCASTER 1.4.0.7 and earlier allows remote attackers to cause a ...) NOT-FOR-US: Geo++ GNCASTER CVE-2010-0551 (HTTP authentication implementation in Geo++ GNCASTER 1.4.0.7 and earli ...) NOT-FOR-US: Geo++ GNCASTER CVE-2010-0550 (admin.htm in Geo++ GNCASTER 1.4.0.7 and earlier does not properly enfo ...) NOT-FOR-US: Geo++ GNCASTER CVE-2010-0549 (Unspecified vulnerability in the Network Controller in Xerox WorkCentr ...) NOT-FOR-US: Xerox WorkCentre CVE-2010-0548 (Multiple unspecified vulnerabilities in the Network Controller and Web ...) NOT-FOR-US: Xerox WorkCentre CVE-2010-0547 (client/mount.cifs.c in mount.cifs in smbfs in Samba 3.4.5 and earlier ...) {DSA-2004-1} - samba 2:3.4.5~dfsg-2 (bug #568942; medium) CVE-2010-0546 (Folder Manager in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, allow ...) NOT-FOR-US: Apple Mac OS X CVE-2010-0545 (The Finder in DesktopServices in Apple Mac OS X 10.5.8, and 10.6 befor ...) NOT-FOR-US: Apple Mac OS X CVE-2010-0544 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari bef ...) - webkit 1.2.1-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser (only Safari is affected, they have a different URL parsing implementation) NOTE: https://bugs.webkit.org/show_bug.cgi?id=37662 NOTE: http://trac.webkit.org/changeset/58792 NOTE: http://trac.webkit.org/changeset/58796 CVE-2010-0543 (ImageIO in Apple Mac OS X 10.5.8, and 10.6 before 10.6.2, allows remot ...) NOT-FOR-US: Apple Mac OS X CVE-2010-0542 (The _WriteProlog function in texttops.c in texttops in the Text Filter ...) {DSA-2176-1} - cups 1.4.4-1 CVE-2010-0541 (Cross-site scripting (XSS) vulnerability in the WEBrick HTTP server in ...) - ruby1.8 1.8.7.302-1 [lenny] - ruby1.8 (Minor issue) - ruby1.9 [lenny] - ruby1.9 (Minor issue) - ruby1.9.1 1.9.2.0-1 (bug #593298) CVE-2010-0540 (Cross-site request forgery (CSRF) vulnerability in the web interface i ...) {DSA-2176-1} - cups 1.4.4-1 CVE-2010-0539 (Integer signedness error in the window drawing implementation in Apple ...) NOT-FOR-US: Apple Java CVE-2010-0538 (Apple Java for Mac OS X 10.5 before Update 7 and Java for Mac OS X 10. ...) NOT-FOR-US: Apple Java CVE-2010-0537 (DesktopServices in Apple Mac OS X 10.6 before 10.6.3 does not properly ...) NOT-FOR-US: Apple DesktopServices CVE-2010-0536 (Apple QuickTime before 7.6.6 on Windows allows remote attackers to exe ...) NOT-FOR-US: Apple QuickTime CVE-2010-0535 (Dovecot in Apple Mac OS X 10.6 before 10.6.3, when Kerberos is enabled ...) - dovecot (Apple specific, http://marc.info/?l=oss-security&m=136546217008001&w=2) CVE-2010-0534 (Wiki Server in Apple Mac OS X 10.6 before 10.6.3 does not enforce the ...) NOT-FOR-US: Apple Wiki Server CVE-2010-0533 (Directory traversal vulnerability in AFP Server in Apple Mac OS X befo ...) NOT-FOR-US: Apple AFP Server CVE-2010-0532 (Race condition in the installation package in Apple iTunes before 9.1 ...) NOT-FOR-US: Apple itunes CVE-2010-0531 (Apple iTunes before 9.1 allows remote attackers to cause a denial of s ...) NOT-FOR-US: Apple iTunes CVE-2010-0530 (Apple QuickTime before 7.6.9 on Windows sets weak permissions for the ...) NOT-FOR-US: QuickTime CVE-2010-0529 (Heap-based buffer overflow in QuickTime.qts in Apple QuickTime before ...) NOT-FOR-US: Apple QuickTime CVE-2010-0528 (Apple QuickTime before 7.6.6 on Windows allows remote attackers to exe ...) NOT-FOR-US: Apple Quicktime CVE-2010-0527 (Integer overflow in Apple QuickTime before 7.6.6 on Windows allows rem ...) NOT-FOR-US: Apple QuickTime CVE-2010-0526 (Heap-based buffer overflow in QuickTimeMPEG.qtx in QuickTime in Apple ...) NOT-FOR-US: Apple QuickTime CVE-2010-0525 (Mail in Apple Mac OS X before 10.6.3 does not properly enforce the key ...) NOT-FOR-US: Apple Mail CVE-2010-0524 (The default configuration of the FreeRADIUS server in Apple Mac OS X S ...) - freeradius (Apple specific configuration issue) CVE-2010-0523 (Wiki Server in Apple Mac OS X 10.5.8 does not restrict the file types ...) NOT-FOR-US: Apple Wiki Server CVE-2010-0522 (Server Admin in Apple Mac OS X Server 10.5.8 does not properly determi ...) NOT-FOR-US: Apple Server Admin CVE-2010-0521 (Server Admin in Apple Mac OS X Server before 10.6.3 does not properly ...) NOT-FOR-US: Apple Server Admin CVE-2010-0520 (Heap-based buffer overflow in QuickTimeAuthoring.qtx in QuickTime in A ...) NOT-FOR-US: Apple QuickTime CVE-2010-0519 (Integer overflow in QuickTime in Apple Mac OS X before 10.6.3 allows r ...) NOT-FOR-US: Apple QuickTime CVE-2010-0518 (QuickTime in Apple Mac OS X before 10.6.3 allows remote attackers to e ...) NOT-FOR-US: Apple QuickTime CVE-2010-0517 (Heap-based buffer overflow in QuickTime in Apple Mac OS X before 10.6. ...) NOT-FOR-US: Apple QuickTime CVE-2010-0516 (Heap-based buffer overflow in QuickTime in Apple Mac OS X before 10.6. ...) NOT-FOR-US: Apple QuickTime CVE-2010-0515 (QuickTime in Apple Mac OS X before 10.6.3 allows remote attackers to e ...) NOT-FOR-US: Apple QuickTime CVE-2010-0514 (Heap-based buffer overflow in QuickTime in Apple Mac OS X before 10.6. ...) NOT-FOR-US: Apple QuickTime CVE-2010-0513 (Stack-based buffer overflow in PS Normalizer in Apple Mac OS X before ...) NOT-FOR-US: Apple PS Normalizer CVE-2010-0512 (The Accounts Preferences implementation in Apple Mac OS X 10.6 before ...) NOT-FOR-US: Apple Accounts Preferences CVE-2010-0511 (Podcast Producer in Apple Mac OS X 10.6 before 10.6.3 deletes the acce ...) NOT-FOR-US: Apple Podcast Producer CVE-2010-0510 (Password Server in Apple Mac OS X Server before 10.6.3 does not proper ...) NOT-FOR-US: Apple Password Server CVE-2010-0509 (SFLServer in OS Services in Apple Mac OS X before 10.6.3 allows local ...) NOT-FOR-US: Apple SFLServer CVE-2010-0508 (Mail in Apple Mac OS X before 10.6.3 does not disable the filter rules ...) NOT-FOR-US: Apple Mail CVE-2010-0507 (Buffer overflow in Image RAW in Apple Mac OS X before 10.6.3 allows re ...) NOT-FOR-US: Apple Image RAW CVE-2010-0506 (Buffer overflow in Image RAW in Apple Mac OS X 10.5.8 allows remote at ...) NOT-FOR-US: Apple Image RAW CVE-2010-0505 (Heap-based buffer overflow in ImageIO in Apple Mac OS X before 10.6.3 ...) NOT-FOR-US: Apple ImageIO CVE-2010-0504 (Multiple stack-based buffer overflows in iChat Server in Apple Mac OS ...) NOT-FOR-US: Apple iChat CVE-2010-0503 (Use-after-free vulnerability in iChat Server in Apple Mac OS X Server ...) NOT-FOR-US: Apple iChat CVE-2010-0502 (iChat Server in Apple Mac OS X Server before 10.6.3, when group chat i ...) NOT-FOR-US: Apple iChat CVE-2010-0501 (Directory traversal vulnerability in FTP Server in Apple Mac OS X Serv ...) NOT-FOR-US: Apple FTP Server CVE-2010-0500 (Event Monitor in Apple Mac OS X before 10.6.3 does not properly valida ...) NOT-FOR-US: Apple Event Monitor CVE-2010-0499 RESERVED CVE-2010-0498 (Directory Services in Apple Mac OS X before 10.6.3 does not properly p ...) NOT-FOR-US: Apple Directory Services CVE-2010-0497 (Disk Images in Apple Mac OS X before 10.6.3 does not provide the expec ...) NOT-FOR-US: Apple Disk Images CVE-2010-0496 (FreeBit ServersMan 3.1.5 on Apple iPhone OS 3.1.2, and iPhone OS for i ...) NOT-FOR-US: Apple iPhone OS CVE-2010-0495 REJECTED CVE-2010-0494 (Cross-domain vulnerability in Microsoft Internet Explorer 6, 6 SP1, 7, ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-0493 REJECTED CVE-2010-0492 (Use-after-free vulnerability in mstime.dll in Microsoft Internet Explo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-0491 (Use-after-free vulnerability in Microsoft Internet Explorer 5.01 SP4, ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-0490 (Microsoft Internet Explorer 6, 6 SP1, 7, and 8 does not properly handl ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-0489 (Race condition in Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, and ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-0488 (Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, and 7 does not properl ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-0487 (The Authenticode Signature verification functionality in cabview.dll i ...) NOT-FOR-US: Microsoft Windows CVE-2010-0486 (The WinVerifyTrust function in Authenticode Signature Verification 5.1 ...) NOT-FOR-US: Microsoft Windows CVE-2010-0485 (The Windows kernel-mode drivers in win32k.sys in Microsoft Windows 200 ...) NOT-FOR-US: Microsoft CVE-2010-0484 (The Windows kernel-mode drivers in win32k.sys in Microsoft Windows 200 ...) NOT-FOR-US: Microsoft CVE-2010-0483 (vbscript.dll in VBScript 5.1, 5.6, 5.7, and 5.8 in Microsoft Windows 2 ...) NOT-FOR-US: Microsoft Windows CVE-2010-0482 (The kernel in Microsoft Windows Server 2008 R2 and Windows 7 does not ...) NOT-FOR-US: Microsoft Windows CVE-2010-0481 (The kernel in Microsoft Windows Vista Gold, SP1, and SP2, Windows Serv ...) NOT-FOR-US: Microsoft Windows CVE-2010-0480 (Multiple stack-based buffer overflows in the MPEG Layer-3 audio codecs ...) NOT-FOR-US: Microsoft Windows CVE-2010-0479 (Buffer overflow in Microsoft Office Publisher 2002 SP3, 2003 SP3, and ...) NOT-FOR-US: Microsoft Windows CVE-2010-0478 (Stack-based buffer overflow in nsum.exe in the Windows Media Unicast S ...) NOT-FOR-US: Microsoft Windows CVE-2010-0477 (The SMB client in Microsoft Windows Server 2008 R2 and Windows 7 does ...) NOT-FOR-US: Microsoft Windows CVE-2010-0476 (The SMB client in Microsoft Windows Server 2003 SP2, Vista Gold, SP1, ...) NOT-FOR-US: Microsoft Windows CVE-2010-0475 (Cross-site scripting (XSS) vulnerability in esp/editUser.esp in the Pa ...) NOT-FOR-US: Palo Alto Networks Firewall CVE-2010-0474 RESERVED {DSA-2188-1} - webkit 1.4.0-1 CVE-2010-0473 RESERVED CVE-2010-0472 (kuddb2 in Tivoli Monitoring for DB2, as distributed in IBM DB2 9.7 FP1 ...) NOT-FOR-US: IBM DB2 CVE-2010-0471 (SQL injection vulnerability in the comment submission interface (inclu ...) NOT-FOR-US: Enano CMS CVE-2010-0470 (Cross-site scripting (XSS) vulnerability in scvrtsrv.cmd in Comtrend C ...) NOT-FOR-US: Comtrend CVE-2010-0469 (SQL injection vulnerability in Files2Links F2L 3000 appliance 4.0.0, a ...) NOT-FOR-US: Files2Links CVE-2010-0468 (Cross-site scripting (XSS) vulnerability in utilities/longproc.cfm in ...) NOT-FOR-US: PaperThin CommonSpot Content Server CVE-2010-0467 (Directory traversal vulnerability in the ccNewsletter (com_ccnewslette ...) NOT-FOR-US: ccNewsletter component for Joomla! CVE-2010-XXXX [nautilus: file preview html script execution] - nautilus (proof-of-concept script is previewed as text, not executed) NOTE: http://seclists.org/fulldisclosure/2010/Feb/112 CVE-2010-XXXX [browser javascript document.write denial-of-service] - xulrunner (unimportant; bug #568486) - webkit (unimportant; bug #568485) - qt4-x11 (unimportant) - kdelibs (unimportant) - kde4libs (unimportant) CVE-2010-0466 RESERVED CVE-2010-0465 (Cross-site scripting (XSS) vulnerability in the online Documents funct ...) - sugarcrm-ce-5.0 (bug #457876) CVE-2010-0464 (Roundcube 0.3.1 and earlier does not request that the web browser avoi ...) - roundcube 0.3.1-3 (bug #569660) CVE-2010-0463 (Horde IMP 4.3.6 and earlier does not request that the web browser avoi ...) - imp4 4.3.7+debian0-2 (low; bug #569661) [lenny] - imp4 4.2-4lenny2 CVE-2010-0462 (Heap-based buffer overflow in IBM DB2 9.1 before FP9, 9.5 before FP6, ...) NOT-FOR-US: IBM DB2 CVE-2010-0461 (SQL injection vulnerability in the casino (com_casino) component 1.0 f ...) NOT-FOR-US: Joomla! CVE-2010-0460 (Multiple cross-site scripting (XSS) vulnerabilities in staff/index.php ...) NOT-FOR-US: Kayako SupportSuite CVE-2010-0459 (SQL injection vulnerability in the Mochigames (com_mochigames) compone ...) NOT-FOR-US: Joomla! CVE-2010-0458 (Multiple SQL injection vulnerabilities in NetArt Media Blog System 1.5 ...) NOT-FOR-US: NetArt Media Blog System CVE-2010-0457 (SQL injection vulnerability in home.php in magic-portal 2.1 allows rem ...) NOT-FOR-US: magic-portal CVE-2010-0456 (SQL injection vulnerability in the indianpulse Game Server (com_gamese ...) NOT-FOR-US: Joomla! CVE-2010-0455 (Cross-site scripting (XSS) vulnerability in forum/viewtopic.php in Pun ...) NOT-FOR-US: PunBB CVE-2010-0454 (SQL injection vulnerability in cgi/cgilua.exe/sys/start.htm in Publiqu ...) NOT-FOR-US: Publique! CMS CVE-2010-0453 (The ucode_ioctl function in intel/io/ucode_drv.c in Sun Solaris 10 and ...) NOT-FOR-US: Sun Solaris CVE-2010-0452 (Multiple cross-site scripting (XSS) vulnerabilities in HP Project and ...) NOT-FOR-US: HP Project and Portfolio Management Center CVE-2010-0451 (The installation process for NFS/ONCplus B.11.31_08 and earlier on HP ...) NOT-FOR-US: HP-UX CVE-2010-0450 (Unspecified vulnerability in HP SOA Registry Foundation 6.63 and 6.64 ...) NOT-FOR-US: HP SOA Registry Foundation CVE-2010-0449 (Cross-site scripting (XSS) vulnerability in HP SOA Registry Foundation ...) NOT-FOR-US: HP SOA Registry Foundation CVE-2010-0448 (Unspecified vulnerability in HP SOA Registry Foundation 6.63 and 6.64 ...) NOT-FOR-US: HP SOA Registry Foundation CVE-2010-0447 (The helpmanager servlet in the web server in HP OpenView Performance I ...) NOT-FOR-US: HP OpenView Performance Insight CVE-2010-0446 (Unspecified vulnerability on the HP DreamScreen 100 and 130 with firmw ...) NOT-FOR-US: HP DreamScreen CVE-2010-0445 (Unspecified vulnerability in HP Network Node Manager (NNM) 8.10, 8.11, ...) NOT-FOR-US: HP Network Node Manager CVE-2010-0444 (HP Operations Agent 8.51, 8.52, 8.53, and 8.60 on Solaris 10 uses a bl ...) NOT-FOR-US: HP Operations Agent CVE-2010-0443 (Unspecified vulnerability in Record Management Services (RMS) before V ...) NOT-FOR-US: HP OpenVMS CVE-2010-0441 (Asterisk Open Source 1.6.0.x before 1.6.0.22, 1.6.1.x before 1.6.1.14, ...) - asterisk 1:1.6.2.2-1 [lenny] - asterisk (Only affects 1.6.x) [etch] - asterisk (Only affects 1.6.x) CVE-2010-0440 (Cross-site scripting (XSS) vulnerability in +CSCOT+/translation in Cis ...) NOT-FOR-US: Cisco Secure Desktop CVE-2010-0439 (Chip Salzenberg Deliver allows local users to cause a denial of servic ...) - deliver CVE-2010-0438 (Multiple SQL injection vulnerabilities in Kernel/System/Ticket.pm in O ...) {DSA-1993-1} - otrs (vulnerable code not present) [etch] - otrs2 (vulnerable code not present) - otrs2 2.4.7-1 (medium) NOTE: http://web.archive.org/web/20111224162621/http://otrs.org/advisory/OSA-2010-01-en/ CVE-2010-0437 (The ip6_dst_lookup_tail function in net/ipv6/ip6_output.c in the Linux ...) - linux-2.6 2.6.26-9 CVE-2010-0436 (Race condition in backend/ctrl.c in KDM in KDE Software Compilation (S ...) {DSA-2037-1} - kdebase 4:4.0 - kdebase-workspace 4:4.4.3-1 NOTE: The binary package kdm was built from kdebase in Lenny and from kdebase-workspace NOTE: in KDE 4.x, i.e. Squeeze onwards CVE-2010-0435 (The Hypervisor (aka rhev-hypervisor) in Red Hat Enterprise Virtualizat ...) {DSA-2153-1} - linux-2.6 2.6.32-29 CVE-2010-0434 (The ap_read_request function in server/protocol.c in the Apache HTTP S ...) {DSA-2035-1} - apache2 2.2.15-1 CVE-2010-0433 (The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before ...) - openssl (Kerberos support not enabled) NOTE: http://www.openwall.com/lists/oss-security/2010/03/03/5 CVE-2010-0432 (Multiple cross-site scripting (XSS) vulnerabilities in the Apache Open ...) NOT-FOR-US: Apache Open For Business Project (OFBiz) CVE-2010-0431 (QEMU-KVM, as used in the Hypervisor (aka rhev-hypervisor) in Red Hat E ...) - qemu-kvm (QXL support not yet present in Debian packages) - kvm (QXL support not yet present in Debian packages) CVE-2010-0430 (libspice, as used in QEMU-KVM in Red Hat Enterprise Virtualization Hyp ...) - spice (Fixed before initial upload to archive) CVE-2010-0429 (libspice, as used in QEMU-KVM in the Hypervisor (aka rhev-hypervisor) ...) - spice (Fixed before initial upload to archive) CVE-2010-0428 (libspice, as used in QEMU-KVM in the Hypervisor (aka rhev-hypervisor) ...) - spice (Fixed before initial upload to archive) CVE-2010-0427 (sudo 1.6.x before 1.6.9p21, when the runas_default option is used, doe ...) {DSA-2006-1} - sudo 1.7.0-1 NOTE: http://www.openwall.com/lists/oss-security/2010/02/23/4 CVE-2010-0426 (sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4, when a pseudo-com ...) {DSA-2006-1} - sudo 1.7.2p1-1.2 (bug #570737) NOTE: http://www.openwall.com/lists/oss-security/2010/02/23/4 CVE-2010-0425 (modules/arch/win32/mod_isapi.c in mod_isapi in the Apache HTTP Server ...) - apache2 (Windows only) CVE-2010-0424 (The edit_cmd function in crontab.c in (1) cronie before 1.4.4 and (2) ...) - cron (vulnerability in redhat-specific changes to their cron forks; cronie and vixie-cron) CVE-2010-0423 (gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a ...) {DSA-2038-1} - pidgin 2.6.6-1 (low) - gaim (low) [lenny] - gaim (gaim is a transitional dummy package only) - qutecom 2.2~rc3.hg396~dfsg1-6 (low; bug #572946) CVE-2010-0422 (gnome-screensaver 2.28.x before 2.28.3 does not properly synchronize t ...) - gnome-screensaver 2.28.3-1 [lenny] - gnome-screensaver (Vulnerable code not present) CVE-2010-0421 (Array index error in the hb_ot_layout_build_glyph_classes function in ...) {DSA-2019-1} - pango1.0 1.26.2-1 (bug #574021) CVE-2010-0420 (libpurple in Finch in Pidgin before 2.6.6, when an XMPP multi-user cha ...) {DSA-2038-1} - pidgin 2.6.6-1 (low) - gaim (low) [lenny] - gaim (gaim is a transitional dummy package only) - qutecom 2.2~rc3.hg396~dfsg1-6 (low; bug #572946) CVE-2010-0419 (The x86 emulator in KVM 83, when a guest is configured for Symmetric M ...) {DSA-2010-1} - kvm CVE-2010-0418 (The web interface in chumby one before 1.0.4 and chumby classic before ...) NOT-FOR-US: Chumby device's web interface CVE-2010-0417 (Buffer overflow in common/util/rlstate.cpp in Helix Player 1.0.6 and R ...) NOT-FOR-US: RealPlayer/Helix Player CVE-2010-0416 (Buffer overflow in the Unescape function in common/util/hxurl.cpp and ...) NOT-FOR-US: RealPlayer/Helix Player CVE-2010-0415 (The do_pages_move function in mm/migrate.c in the Linux kernel before ...) {DSA-2005-1 DSA-2003-1 DSA-1996-1} - linux-2.6 2.6.32-8 - linux-2.6.24 CVE-2010-0414 (gnome-screensaver before 2.28.2 allows physically proximate attackers ...) - gnome-screensaver 2.28.2-1 (bug #569084) [etch] - gnome-screensaver (Vulnerable code not present) [lenny] - gnome-screensaver (Vulnerable code not present) CVE-2010-0413 RESERVED CVE-2010-0412 (stap-server in SystemTap 1.1 does not properly restrict the value of t ...) - systemtap 1.2-1 (bug #572560) [lenny] - systemtap (Server component not yet present) [etch] - systemtap (Server component not yet present) CVE-2010-0411 (Multiple integer signedness errors in the (1) __get_argv and (2) __get ...) - systemtap 1.2-1 (low; bug #568809) [lenny] - systemtap (Vulnerable code not present) [etch] - systemtap (Minor issue) NOTE: http://sourceware.org/bugzilla/show_bug.cgi?id=11234 and RH CVE-2010-0410 (drivers/connector/connector.c in the Linux kernel before 2.6.32.8 allo ...) {DSA-2005-1 DSA-2003-1 DSA-1996-1} - linux-2.6 2.6.32-8 - linux-2.6.24 NOTE: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=f98bfbd78c37c5946cc53089da32a5f741efdeb7 CVE-2010-0409 (Buffer overflow in the GMIME_UUENCODE_LEN macro in gmime/gmime-encodin ...) {DSA-2082-1} - gmime2.2 2.2.25-1.1 (bug #568291) - gmime2.4 2.4.14-1+nmu1 (bug #573877) CVE-2010-0408 (The ap_proxy_ajp_request function in mod_proxy_ajp.c in mod_proxy_ajp ...) {DSA-2035-1} - apache2 2.2.15-1 (low) [lenny] - apache2 (minor issue) NOTE: Will be fixed in s-p-u CVE-2010-0407 (Multiple buffer overflows in the MSGFunctionDemarshall function in win ...) {DSA-2059-1} - pcsc-lite 1.5.4-1 CVE-2010-0406 (OpenTTD before 1.0.1 allows remote attackers to cause a denial of serv ...) - openttd 1.0.1-1 [lenny] - openttd 0.6.2-1+lenny2 CVE-2010-0405 (Integer overflow in the BZ2_decompress function in decompress.c in bzi ...) {DSA-2112-1} - bzip2 1.0.5-6 - clamav 0.96.3+dfsg-1 [lenny] - clamav (No longer supported in Lenny) CVE-2010-0404 (Multiple SQL injection vulnerabilities in phpGroupWare (phpgw) before ...) {DSA-2046-1} - phpgroupware 1:0.9.16.016+dfsg-1 (bug #584517) CVE-2010-0403 (Directory traversal vulnerability in about.php in phpGroupWare (phpgw) ...) {DSA-2046-1} - phpgroupware 1:0.9.16.016+dfsg-1 (bug #584518) CVE-2010-0402 (OpenTTD before 1.0.1 does not properly validate index values of certai ...) - openttd 1.0.1-1 [lenny] - openttd 0.6.2-1+lenny2 CVE-2010-0401 (OpenTTD before 1.0.1 accepts a company password for authentication in ...) - openttd 1.0.1-1 [lenny] - openttd 0.6.2-1+lenny2 CVE-2010-0400 (SQL injection vulnerability in lib/user.php in mahara 1.0.4 allows rem ...) {DSA-2030-1} - mahara 1.2.4-1 (medium) CVE-2010-0399 RESERVED CVE-2010-0398 (The init script in autokey before 0.61.3-2 allows local attackers to w ...) - autokey 0.61.3-2 CVE-2010-0397 (The xmlrpc extension in PHP 5.3.1 does not properly handle a missing m ...) {DSA-2018-1} - php5 5.3.2-1 (medium; bug #573573) CVE-2010-0396 (Directory traversal vulnerability in the dpkg-source component in dpkg ...) {DSA-2011-1} - dpkg 1.15.6 CVE-2010-0395 (OpenOffice.org 2.x and 3.0 before 3.2.1 allows user-assisted remote at ...) {DSA-2055-1} - openoffice.org 1:3.2.1-1 (low) CVE-2010-0394 (PyGIT.py in the Trac Git plugin (trac-git) before 0.0.20080710-3+lenny ...) {DSA-1990-2 DSA-1990-1} - trac-git 0.0.20090320-1 (high; bug #567039) CVE-2010-0393 (The _cupsGetlang function, as used by lppasswd.c in lppasswd in CUPS 1 ...) {DSA-2007-1} - cupsys - cups 1.4.2-9.1 CVE-2009-4630 (Mozilla Necko, as used in Firefox, SeaMonkey, and other applications, ...) - xulrunner 1.9.1-1 (low) [etch] - xulrunner (dns prefetching implemented in xulrunner 1.9.1) [lenny] - xulrunner (dns prefetching implemented in xulrunner 1.9.1) - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0-1 (low) [etch] - iceape (dns prefetching implemented in xulrunner 1.9.1) [lenny] - iceape (dns prefetching implemented in xulrunner 1.9.1) NOTE: mozilla's dns prefetching leads to disclosure of the user's network location CVE-2009-4629 (Mozilla Necko, as used in Thunderbird 3.0.1, SeaMonkey, and other appl ...) - icedove 3.0.2-1 (unimportant) [etch] - icedove (dns prefetching implemented in xulrunner 1.9.1) [lenny] - icedove (dns prefetching implemented in xulrunner 1.9.1) - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape (unimportant) [etch] - iceape (dns prefetching implemented in xulrunner 1.9.1) [lenny] - iceape (dns prefetching implemented in xulrunner 1.9.1) CVE-2005-4885 (Unspecified vulnerability on certain Sun StorEdge 6130 (SE6130) Contro ...) NOT-FOR-US: Sun StorEdge 6130 CVE-2004-2766 (Webmail in Sun ONE Messaging Server 6.1 and iPlanet Messaging Server 5 ...) NOT-FOR-US: iPlanet Messaging Server/Sun ONE Messaging Server CVE-2004-2765 (Cross-site scripting (XSS) vulnerability in Webmail in Sun ONE Messagi ...) NOT-FOR-US: iPlanet Messaging Server/Sun ONE Messaging Server CVE-2003-1576 (Buffer overflow in pamverifier in Change Manager (CM) 1.0 for Sun Mana ...) NOT-FOR-US: Sun Management Center CVE-2003-1575 (VERITAS File System (VxFS) 3.3.3, 3.4, and 3.5 before MP1 Rolling Patc ...) NOT-FOR-US: VERITAS File System CVE-2010-0392 (Stack-based buffer overflow in vpnconf.exe in TheGreenBow IPSec VPN Cl ...) NOT-FOR-US: TheGreenBow IPSec VPN Client CVE-2010-0391 (Multiple stack-based buffer overflows in Embarcadero Technologies Inte ...) NOT-FOR-US: InterBase SMP 2009 9.0.3.437 CVE-2010-0390 (Unrestricted file upload vulnerability in maxImageUpload/index.php in ...) NOT-FOR-US: PHP F1 Max's Image Uploader CVE-2010-0389 (The admin server in Sun Java System Web Server 7.0 Update 6 allows rem ...) NOT-FOR-US: Sun Java System Web Server CVE-2010-0388 (Format string vulnerability in the WebDAV implementation in webservd i ...) NOT-FOR-US: Sun Java System Web Server CVE-2010-0387 (Multiple heap-based buffer overflows in (1) webservd and (2) the admin ...) NOT-FOR-US: Sun Java System Web Server CVE-2010-0386 (The default configuration of Sun Java System Application Server 7 and ...) NOT-FOR-US: Sun Java System Application Server CVE-2010-0385 (Tor before 0.2.1.22, and 0.2.2.x before 0.2.2.7-alpha, when functionin ...) - tor 0.2.1.22-1 (low) [lenny] - tor (only affects versions > 0.2.1.6-alpha) NOTE: the CVE entry is wrong, only 0.2.1.6-alpha and up are affected NOTE: confirmed with Tor developers, Lenny is not affected CVE-2010-0384 (Tor 0.2.2.x before 0.2.2.7-alpha, when functioning as a directory mirr ...) - tor (only affects versions 0.2.2.x) [lenny] - tor (only affects versions 0.2.2.x) NOTE: does not appear to be a real vulnerability? CVE-2010-0383 (Tor before 0.2.1.22, and 0.2.2.x before 0.2.2.7-alpha, uses deprecated ...) - tor 0.2.1.22-1 (medium) [lenny] - tor 0.2.0.35-1~lenny2 (medium) CVE-2010-0382 (ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2 ...) {DSA-2054-1} - bind9 1:9.7.0.dfsg-1 CVE-2010-0381 (SQL injection vulnerability in modules/arcade/index.php in PHP MySpace ...) NOT-FOR-US: PHP MySpace Gold Edition CVE-2010-0380 (install.php in JCE-Tech PHP Calendars, downloaded 20100121, allows rem ...) NOT-FOR-US: JCE-Tech PHP Calendars CVE-2008-7253 (The default configuration of the web server in IBM Lotus Domino Server ...) NOT-FOR-US: IBM Lotus Domino Server CVE-2005-4884 (Unspecified vulnerability in the Oracle OLAP component in Oracle Datab ...) NOT-FOR-US: Oracle Database Server CVE-2010-XXXX [gmetad incorrect file permissions] - ganglia 3.1.2-3 (low; bug #567175) CVE-2010-0442 (The bitsubstr function in backend/utils/adt/varbit.c in PostgreSQL 8.0 ...) {DSA-2051-1} - postgresql-7.4 - postgresql-8.1 - postgresql-8.2 - postgresql-8.3 (low; bug #567058) - postgresql-8.4 8.4.3-1 CVE-2010-2444 (parse/Csv2_parse.c in MaraDNS 1.3.03, and other versions before 1.4.03 ...) - maradns 1.4.03-1 (low; bug #584587) [lenny] - maradns (minor issue) [etch] - maradns (vulnerable code introduced in 1.3.03) CVE-2010-XXXX [sqlite: info leak] - sqlite3 3.6.21-1 (low; bug #566326) [lenny] - sqlite3 (Minor information leak) CVE-2010-XXXX [backup-manager: make sure password is not written to world-readable files] - backup-manager 0.7.9-1 (low) [lenny] - backup-manager 0.7.7-2 NOTE: http://lists.debian.org/debian-release/2010/01/msg00181.html NOTE: checked in 0.7.9-1, but may have been fixed sooner CVE-2010-XXXX [sudosh3: many security weaknesses] - sudosh3 (high; bug #566142) CVE-2010-0379 (Multiple unspecified vulnerabilities in the Macromedia Flash ActiveX c ...) NOT-FOR-US: Macromedia Flash ActiveX CVE-2010-0378 (Use-after-free vulnerability in Adobe Flash Player 6.0.79, as distribu ...) NOT-FOR-US: Adobe Flash Player CVE-2010-0377 (SQL injection vulnerability in modules/arcade/index.php in PHP MySpace ...) NOT-FOR-US: PHP MySpace Gold Edition CVE-2010-0376 (Cross-site scripting (XSS) vulnerability in product_list.php in JCE-Te ...) NOT-FOR-US: JCE-Tech PHP Calendars CVE-2010-0375 (SQL injection vulnerability in product_list.php in JCE-Tech PHP Calend ...) NOT-FOR-US: JCE-Tech PHP Calendars CVE-2010-0374 (Cross-site scripting (XSS) vulnerability in the Marketplace (com_marke ...) NOT-FOR-US: component for Joomla! CVE-2010-0373 (SQL injection vulnerability in the libros (com_libros) component for J ...) NOT-FOR-US: component for Joomla! CVE-2010-0372 (SQL injection vulnerability in the Articlemanager (com_articlemanager) ...) NOT-FOR-US: component for Joomla! CVE-2010-0371 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Hi ...) NOT-FOR-US: Hitmaaan Gallery CVE-2010-0370 (Cross-site scripting (XSS) vulnerability in the Node Blocks module 5.x ...) NOT-FOR-US: Node Blocks module for Drupal CVE-2010-0369 RESERVED CVE-2010-0368 RESERVED CVE-2010-0367 (Multiple PHP remote file inclusion vulnerabilities in BitScripts Bits ...) NOT-FOR-US: BitScripts Bits Video Script CVE-2010-0366 (Multiple unrestricted file upload vulnerabilities in (1) register.php ...) NOT-FOR-US: BitScripts Bits Video Script CVE-2010-0365 (Cross-site scripting (XSS) vulnerability in search.php in BitScripts B ...) NOT-FOR-US: BitScripts Bits Video Script CVE-2010-0364 (Stack-based buffer overflow in VideoLAN VLC Media Player 0.8.6 allows ...) - vlc 0.8.6.c-4.1 (low; bug #458318) NOTE: subset of CVE-2007-6681 CVE-2010-0363 (Cross-site scripting (XSS) vulnerability in Zeus Web Server before 4.3 ...) NOT-FOR-US: Zeus Web Server CVE-2010-0362 (Zeus Web Server before 4.3r5 does not use random transaction IDs for D ...) NOT-FOR-US: Zeus Web Server CVE-2010-0361 (Stack-based buffer overflow in the WebDAV implementation in webservd i ...) NOT-FOR-US: Sun Java System Web Server CVE-2010-0360 (Sun Java System Web Server (aka SJWS) 7.0 Update 7 allows remote attac ...) NOT-FOR-US: Sun Java System Web Server CVE-2010-0359 (Buffer overflow in the SSLv2 support in Zeus Web Server before 4.3r5 a ...) NOT-FOR-US: Zeus Web Server CVE-2010-0358 (Heap-based buffer overflow in the server in IBM Lotus Domino 7 and 8.5 ...) NOT-FOR-US: IBM Lotus Domino CVE-2010-0357 (Cross-site scripting (XSS) vulnerability in the Login page in IBM Lotu ...) NOT-FOR-US: IBM Lotus Web Content Management CVE-2010-0356 (Stack-based buffer overflow in the MOVIEPLAYER.MoviePlayerCtrl.1 Activ ...) NOT-FOR-US: ActiveX CVE-2010-0355 RESERVED CVE-2010-0354 RESERVED CVE-2010-0353 RESERVED CVE-2010-0352 RESERVED CVE-2010-0351 RESERVED CVE-2009-4628 (SQL injection vulnerability in the TemplatePlaza.com TPDugg (com_tpdug ...) NOT-FOR-US: Joomla! CVE-2009-4627 (Directory traversal vulnerability in sources/_template_parser.php in M ...) NOT-FOR-US: Moa Gallery CVE-2009-4626 (Directory traversal vulnerability in menu.php in phpNagios 1.2.0 allow ...) NOT-FOR-US: phpNagios CVE-2009-4625 (SQL injection vulnerability in the updateOnePage function in component ...) NOT-FOR-US: Joomla! CVE-2009-4624 (SQL injection vulnerability in download.php in Nicecoder iDesk allows ...) NOT-FOR-US: Nicecoder iDesk CVE-2009-4623 (Multiple PHP remote file inclusion vulnerabilities in Advanced Comment ...) NOT-FOR-US: Advanced Comment System CVE-2009-4622 (PHP remote file inclusion vulnerability in admin/admin_news_bot.php in ...) NOT-FOR-US: Drunken:Golem Gaming Portal CVE-2009-4621 (SQL injection vulnerability in the JiangHu Inn plugin 1.1 and earlier ...) NOT-FOR-US: Discuz CVE-2009-4620 (SQL injection vulnerability in the Joomloc (com_joomloc) component 1.0 ...) NOT-FOR-US: Joomla! CVE-2009-4619 (SQL injection vulnerability in the Lucy Games (com_lucygames) componen ...) NOT-FOR-US: Joomla! CVE-2009-4618 (Multiple SQL injection vulnerabilities in Tourism Script Bus Script al ...) NOT-FOR-US: Tourism Script Bus Script CVE-2009-4617 (Multiple SQL injection vulnerabilities in Tourism Script Accommodation ...) NOT-FOR-US: Tourism Script Accommodation Hotel Booking Portal Script CVE-2009-4616 (Cross-site scripting (XSS) vulnerability in search.php in MYRE Holiday ...) NOT-FOR-US: MYRE Holiday Rental Manager CVE-2009-4615 (SQL injection vulnerability in review.php in MYRE Holiday Rental Manag ...) NOT-FOR-US: MYRE Holiday Rental Manager CVE-2009-4614 (Multiple PHP remote file inclusion vulnerabilities in Moa Gallery 1.2. ...) NOT-FOR-US: Moa Gallery CVE-2010-1104 (Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, ...) - zope3 (low) [lenny] - zope3 (Minor issue) - zope2.11 - zope2.10 (low) [lenny] - zope2.10 (Minor issue) - zope2.9 NOTE: https://mail.zope.org/pipermail/zope-announce/2010-January/002229.html CVE-2010-0350 (Directory traversal vulnerability in the Photo Book (goof_fotoboek) ex ...) NOT-FOR-US: TYPO3 third party extensions CVE-2010-0349 (Cross-site scripting (XSS) vulnerability in C3 Corp. WebCalenderC3 0.3 ...) NOT-FOR-US: WebCalenderC3 CVE-2010-0348 (Directory traversal vulnerability in C3 Corp. WebCalenderC3 0.32 and e ...) NOT-FOR-US: WebCalenderC3 CVE-2010-0347 (Cross-site scripting (XSS) vulnerability in the VD / Geomap (vd_geomap ...) NOT-FOR-US: TYPO3 third party extensions CVE-2010-0346 (Cross-site scripting (XSS) vulnerability in the Tip many friends (mimi ...) NOT-FOR-US: TYPO3 third party extensions CVE-2010-0345 (Cross-site scripting (XSS) vulnerability in the Majordomo extension 1. ...) NOT-FOR-US: TYPO3 third party extensions CVE-2010-0344 (SQL injection vulnerability in the zak_store_management extension 1.0. ...) NOT-FOR-US: TYPO3 third party extensions CVE-2010-0343 (SQL injection vulnerability in the Clan Users List (pb_clanlist) exten ...) NOT-FOR-US: TYPO3 third party extensions CVE-2010-0342 (SQL injection vulnerability in the Reports for Job (job_reports) exten ...) NOT-FOR-US: TYPO3 third party extensions CVE-2010-0341 (SQL injection vulnerability in the BB Simple Jobs (bb_simplejobs) exte ...) NOT-FOR-US: TYPO3 third party extensions CVE-2010-0340 (SQL injection vulnerability in the MJS Event Pro (mjseventpro) extensi ...) NOT-FOR-US: TYPO3 third party extensions CVE-2010-0339 (SQL injection vulnerability in the User Links (vm19_userlinks) extensi ...) NOT-FOR-US: TYPO3 third party extensions CVE-2010-0338 (SQL injection vulnerability in the TT_Products editor (ttpedit) extens ...) NOT-FOR-US: TYPO3 third party extensions CVE-2010-0337 (SQL injection vulnerability in the tt_news Mail alert (dl3_tt_news_ale ...) NOT-FOR-US: TYPO3 third party extensions CVE-2010-0336 (Unspecified vulnerability in the kiddog_mysqldumper (kiddog_mysqldumpe ...) NOT-FOR-US: TYPO3 third party extensions CVE-2010-0335 (Cross-site scripting (XSS) vulnerability in the Vote rank for news (vo ...) NOT-FOR-US: TYPO3 third party extensions CVE-2010-0334 (SQL injection vulnerability in the Vote rank for news (vote_for_tt_new ...) NOT-FOR-US: TYPO3 third party extensions CVE-2010-0333 (SQL injection vulnerability in the Helpdesk (mg_help) extension 1.1.6 ...) NOT-FOR-US: TYPO3 third party extensions CVE-2010-0332 (SQL injection vulnerability in the TV21 Talkshow (tv21_talkshow) exten ...) NOT-FOR-US: TYPO3 third party extensions CVE-2010-0331 (Cross-site scripting (XSS) vulnerability in the TV21 Talkshow (tv21_ta ...) NOT-FOR-US: TYPO3 third party extensions CVE-2010-0330 (SQL injection vulnerability in the Googlemaps for tt_news (jf_easymaps ...) NOT-FOR-US: TYPO3 third party extensions CVE-2010-0329 (SQL injection vulnerability in the powermail extension 1.5.1 and earli ...) NOT-FOR-US: TYPO3 third party extensions CVE-2010-0328 (Cross-site scripting (XSS) vulnerability in the Unit Converter (cs2_un ...) NOT-FOR-US: TYPO3 third party extensions CVE-2010-0327 (Cross-site scripting (XSS) vulnerability in the KJ: Imagelightbox (kj_ ...) NOT-FOR-US: TYPO3 third party extensions CVE-2010-0326 (Cross-site scripting (XSS) vulnerability in the Developer log (devlog) ...) NOT-FOR-US: TYPO3 third party extensions CVE-2010-0325 (Unspecified vulnerability in the SB Folderdownload (sb_folderdownload) ...) NOT-FOR-US: TYPO3 third party extensions CVE-2010-0324 (SQL injection vulnerability in the Customer Reference List (ref_list) ...) NOT-FOR-US: TYPO3 third party extensions CVE-2010-0323 (Unspecified vulnerability in the Photo Book (goof_fotoboek) extension ...) NOT-FOR-US: TYPO3 third party extensions CVE-2010-0322 (SQL injection vulnerability in the init function in MK-AnydropdownMenu ...) NOT-FOR-US: TYPO3 third party extensions CVE-2010-0321 (Cross-site scripting (XSS) vulnerability in jobs/index.php in Jamit Jo ...) NOT-FOR-US: Jamit Job Board 3.0 CVE-2010-0320 (Cross-site scripting (XSS) vulnerability in submitlink.php in Glitter ...) NOT-FOR-US: Glitter Central Script CVE-2010-0319 (Cross-site scripting (XSS) vulnerability in index.php in Docmint 1.0 a ...) NOT-FOR-US: Docmint CVE-2010-0318 (The replay functionality for ZFS Intent Log (ZIL) in FreeBSD 7.1, 7.2, ...) - kfreebsd-6 (vulnerable code introduced in freebsd 7) - kfreebsd-7 7.2-10 (medium; bug #566684) [lenny] - kfreebsd-7 (kfreebsd not support in Lenny) - kfreebsd-8 8.0-2 (medium) CVE-2010-0317 (Novell Netware 6.5 SP8 allows remote attackers to cause a denial of se ...) NOT-FOR-US: Novell Netware CVE-2010-0316 (Integer overflow in Google SketchUp before 7.1 M2 allows remote attack ...) NOT-FOR-US: Google SketchUp CVE-2010-0315 (WebKit before r53607, as used in Google Chrome before 4.0.249.89, allo ...) - chromium-browser 5.0.375.29~r46008-1 - webkit 1.1.21-1 (low) [lenny] - webkit (Too intrusive to backport, disk of regression higher than impact at hand) CVE-2010-0314 (Apple Safari allows remote attackers to discover a redirect's target U ...) - webkit 1.1.90-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 5.0.375.29~r46008-1 CVE-2010-0313 (The core_get_proxyauth_dn function in ns-slapd in Sun Java System Dire ...) NOT-FOR-US: Sun Java System Directory Server Enterprise Edition CVE-2010-0312 (The do_extendedOp function in ibmslapd in IBM Tivoli Directory Server ...) NOT-FOR-US: IBM Tivoli Directory Server CVE-2010-0311 (Unspecified vulnerability in Sun Java System Identity Manager (aka IdM ...) NOT-FOR-US: Sun Java System Identity Manager CVE-2010-0310 (Trusted Extensions in Sun Solaris 10 allows local users to gain privil ...) NOT-FOR-US: Trusted Extensions in Sun Solaris 10 CVE-2009-4613 (SQL injection vulnerability in realestate20/loginaction.php in NetArt ...) NOT-FOR-US: NetArt Media Real Estate Portal CVE-2010-XXXX [zend framework multiple issues] - zendframework 1.9.7-1 NOTE: http://framework.zend.com/security/advisory/ZF2010-01 - ZF2010-06 CVE-2010-XXXX [ZF2010-07] - zendframework 1.10.3-1 NOTE: http://framework.zend.com/security/advisory/ZF2010-07 CVE-2009-4612 (Multiple cross-site scripting (XSS) vulnerabilities in the WebApp JSP ...) - jetty 6.1.22-1 (bug #575789) CVE-2009-4611 (Mort Bay Jetty 6.x through 6.1.22 and 7.0.0 writes backtrace data with ...) - jetty 6.1.22-1 (unimportant; bug #553644) NOTE: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt NOTE: The affected apps are not shipped in the package, see #553644 CVE-2009-4610 (Multiple cross-site scripting (XSS) vulnerabilities in Mort Bay Jetty ...) - jetty (low; bug #575790) NOTE: the exploitable servlet is not shipped in Debian packages CVE-2009-4609 (The Dump Servlet in Mort Bay Jetty 6.x and 7.0.0 allows remote attacke ...) - jetty (low; bug #575791) NOTE: the exploitable servlet is not shipped in Debian packages CVE-2010-0309 (The pit_ioport_read function in the Programmable Interval Timer (PIT) ...) {DSA-2010-1 DSA-1996-1} - linux-2.6 2.6.32-8 [etch] - linux-2.6 (kvm introduced in 2.6.25) - linux-2.6.24 (kvm introduced in 2.6.25) - kvm NOTE: http://git.kernel.org/?p=linux/kernel/git/avi/kvm.git;a=commitdiff;h=336f40a728b9a4a5db5e1df5c89852c79ff95604 CVE-2010-0308 (lib/rfc1035.c in Squid 2.x, 3.0 through 3.0.STABLE22, and 3.1 through ...) {DSA-1991-1} - squid 2.7.STABLE8-1 - squid3 3.1.0.16-1 (bug #575747) CVE-2010-0307 (The load_elf_binary function in fs/binfmt_elf.c in the Linux kernel be ...) {DSA-1996-1} - linux-2.6 2.6.32-8 - linux-2.6.24 CVE-2010-0306 (The x86 emulator in KVM 83, when a guest is configured for Symmetric M ...) {DSA-2010-1 DSA-1996-1} - linux-2.6 2.6.32-8 [etch] - linux-2.6 (kvm introduced in 2.6.25) - linux-2.6.24 (kvm introduced in 2.6.25) - kvm CVE-2010-0305 (ejabberd_c2s.erl in ejabberd before 2.1.3 allows remote attackers to c ...) {DSA-2033-1} - ejabberd 2.1.2-2 (medium; bug #568383) NOTE: https://support.process-one.net/browse/EJAB-1173 CVE-2010-0304 (Multiple buffer overflows in the LWRES dissector in Wireshark 0.9.15 t ...) {DSA-1983-1} - wireshark 1.2.6-1 CVE-2010-0303 (mystring.c in hybserv in IRCD-Hybrid (aka Hybrid2 IRC Services) 1.9.2 ...) {DSA-1982-1} - hybserv 1.9.2-4.1 (low; bug #550389) CVE-2010-0302 (Use-after-free vulnerability in the abstract file-descriptor handling ...) - cups 1.4.2-10 (bug #572940) [lenny] - cups 1.3.8-1+lenny9 - cupsys (vulnerable code introduced in 1.3.x) NOTE: This is for an incomplete fix for CVE-2009-3553 CVE-2010-0301 (main.C in maildrop 2.3.0 and earlier, when run by root with the -d opt ...) {DSA-1981-1} - maildrop 2.2.0-3.1 (low; bug #564601) CVE-2010-0300 (cache.c in ircd-ratbox before 2.2.9 allows remote attackers to cause a ...) {DSA-1980-1} - ircd-ratbox 3.0.6.dfsg-1 (low; bug #567191) - ircd-hybrid 1:7.2.2.dfsg.2-6.1 (low) CVE-2010-0299 (openSUSE 11.2 installs the devtmpfs root directory with insecure permi ...) - linux-2.6 2.6.32-6 [etch] - linux-2.6 (vulnerable code introduced in 2.6.31) [lenny] - linux-2.6 (vulnerable code introduced in 2.6.31) - linux-2.6.24 (vulnerable code introduced in 2.6.31) CVE-2010-0298 (The x86 emulator in KVM 83 does not use the Current Privilege Level (C ...) {DSA-2010-1 DSA-1996-1} - linux-2.6 2.6.32-8 [etch] - linux-2.6 (kvm introduced in 2.6.25) - linux-2.6.24 (kvm introduced in 2.6.25) - kvm CVE-2010-0297 (Buffer overflow in the usb_host_handle_control function in the USB pas ...) - qemu-kvm 0.11.1+dfsg-1 - kvm (low) [lenny] - kvm (minor issue) CVE-2010-0296 (The encode_name macro in misc/mntent_r.c in the GNU C Library (aka gli ...) {DSA-2058-1} - glibc 2.11-1 (bug #583908) - eglibc 2.11-1 NOTE: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=ab00f4eac8f4932211259ff87be83144f5211540 CVE-2010-0295 (lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read op ...) {DSA-1987-1} - lighttpd 1.4.26-1 (medium) CVE-2010-0294 (chronyd in Chrony before 1.23.1, and possibly 1.24-pre1, generates a s ...) {DSA-1992-1} - chrony 1.23-7 (low) CVE-2010-0293 (The client logging functionality in chronyd in Chrony before 1.23.1 do ...) {DSA-1992-1} - chrony 1.23-7 (low) CVE-2010-0292 (The read_from_cmd_socket function in cmdmon.c in chronyd in Chrony bef ...) {DSA-1992-1} - chrony 1.23-7 (medium) CVE-2010-0291 (The Linux kernel before 2.6.32.4 allows local users to gain privileges ...) {DSA-2005-1 DSA-1996-1} - linux-2.6 2.6.32-6 CVE-2010-0290 (Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before ...) {DSA-2054-1} - bind9 1:9.7.0.dfsg-1 (medium) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=554851#c7 CVE-2010-0289 (Multiple cross-site request forgery (CSRF) vulnerabilities in the ACL ...) {DSA-1976-1} - dokuwiki 0.0.20090214b-3.1 (low) [etch] - dokuwiki (Vulnerable code not present) NOTE: http://secunia.com/advisories/38205/ CVE-2010-0288 (A typo in the administrator permission check in the ACL Manager plugin ...) {DSA-1976-1} - dokuwiki 0.0.20090214b-3.1 (medium; bug #565406) [etch] - dokuwiki (Vulnerable code not present) NOTE: http://bugs.splitbrain.org/index.php?do=details&task_id=1847 NOTE: issue being exploited CVE-2010-0287 (Directory traversal vulnerability in the ACL Manager plugin (plugins/a ...) {DSA-1976-1} - dokuwiki 0.0.20090214b-3.1 (low) [etch] - dokuwiki (Vulnerable code not present) NOTE: http://secunia.com/advisories/38205/ CVE-2010-0286 (Unspecified vulnerability in the OpenID Identity Authentication extens ...) - typo3-src 4.3.1-1 (bug #567163) [lenny] - typo3-src (Only affects 4.3.x) NOTE: http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-001/ CVE-2010-0285 (gnome-screensaver 2.14.3, 2.22.2, 2.27.x, 2.28.0, and 2.28.3, when the ...) - gnome-screensaver 2.28.3-1 (low) [lenny] - gnome-screensaver (Minor issue) NOTE: http://git.gnome.org/browse/gnome-screensaver/commit/?id=2f597ea9f1f363277fd4dfc109fa41bbc6225aca NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=593616 CVE-2010-0284 (Directory traversal vulnerability in the getEntry method in the Portal ...) NOT-FOR-US: Novell Access Manager CVE-2010-0283 (The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7 bef ...) - krb5 1.8+dfsg~alpha1-7 [lenny] - krb5 (Only affects krb5 >= 1.7) CVE-2010-0282 RESERVED CVE-2010-0281 RESERVED CVE-2010-0280 (Array index error in Jan Eric Kyprianidis lib3ds 1.x, as used in Googl ...) - lib3ds 1.3.0-5 (low; bug #575741) [lenny] - lib3ds (Minor issue) [etch] - lib3ds (Minor issue) - openscenegraph 2.8.0-1 [lenny] - openscenegraph 2.4.0-1.1+lenny1 NOTE: openscenegraph embeds acopy of lib3ds NOTE: http://www.coresecurity.com/content/google-sketchup-vulnerability NOTE: issue was published saying it affects google sketchup, NOTE: but the vulnerable code is in lib3ds NOTE: http://code.google.com/p/lib3ds/issues/detail?id=9 CVE-2010-0279 (Unrestricted file upload vulnerability in upload.php in BTS-GI Read ex ...) NOT-FOR-US: BTS-GI Read excel CVE-2010-0278 (A certain ActiveX control in msgsc.14.0.8089.726.dll in Microsoft Wind ...) NOT-FOR-US: ActiveX CVE-2009-4608 (Cross-site scripting (XSS) vulnerability in Canon IT Solutions Inc. AC ...) NOT-FOR-US: ACCESSGUARDIAN CVE-2009-4607 (The command line interface in Overland Storage Snap Server 410 with Gu ...) NOT-FOR-US: Overland Storage Snap Server CVE-2009-4606 (South River Technologies WebDrive 9.02 build 2232 installs the WebDriv ...) NOT-FOR-US: South River Technologies WebDrive CVE-2009-4604 (PHP remote file inclusion vulnerability in mamboleto.php in the Fernan ...) NOT-FOR-US: Joomla! CVE-2009-4603 (Unspecified vulnerability in sapstartsrv.exe in the SAP Kernel 6.40, 7 ...) NOT-FOR-US: SAP Kernel CVE-2009-4602 (Cross-site scripting (XSS) vulnerability in the Randomizer module 5.x ...) NOT-FOR-US: Randomizer module for Drupal CVE-2009-4601 (Cross-site scripting (XSS) vulnerability in basic_search_result.php in ...) NOT-FOR-US: ZeeJobsite CVE-2009-4600 (SQL injection vulnerability in realestate20/loginaction.php in NetArt ...) NOT-FOR-US: NetArt Media Real Estate Portal CVE-2009-4599 (Multiple SQL injection vulnerabilities in the JS Jobs (com_jsjobs) com ...) NOT-FOR-US: Joomla! CVE-2009-4598 (SQL injection vulnerability in the JPhoto (com_jphoto) component 1.0 f ...) NOT-FOR-US: Joomla! CVE-2009-4597 (Multiple SQL injection vulnerabilities in index.php in PHP Inventory 1 ...) NOT-FOR-US: PHP Inventory CVE-2009-4596 (Cross-site scripting (XSS) vulnerability in index.php in PHP Inventory ...) NOT-FOR-US: PHP Inventory CVE-2009-4595 (SQL injection vulnerability in index.php in PHP Inventory 1.2 allows r ...) NOT-FOR-US: PHP Inventory CVE-2010-0277 (slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.6, ...) {DSA-2038-1} - pidgin 2.6.6-1 (low; bug #566775) - gaim (low) [lenny] - gaim (gaim is a transitional dummy package only) - qutecom 2.2~rc3.hg396~dfsg1-6 (low; bug #572946) CVE-2010-0276 (IBM Lotus iNotes (aka Domino Web Access or DWA) before 229.241 for Dom ...) NOT-FOR-US: IBM Lotus iNotes CVE-2010-0275 (Ultra-light Mode in IBM Lotus iNotes (aka Domino Web Access or DWA) be ...) NOT-FOR-US: IBM Lotus iNotes CVE-2010-0274 (Unspecified vulnerability in the Edit Contact scene in Ultra-light Mod ...) NOT-FOR-US: IBM Lotus iNotes CVE-2010-0273 (Unspecified vulnerability in Sun Java System Web Server 7.0 Update 6 o ...) NOT-FOR-US: Sun Java System Web Server CVE-2010-0272 (Heap-based buffer overflow in Sun Java System Web Server 7.0 Update 6 ...) NOT-FOR-US: Sun Java System Web Server CVE-2010-0271 (hald in Sun OpenSolaris snv_51 through snv_130 does not have the proc_ ...) NOT-FOR-US: hald in Sun OpenSolaris CVE-2010-0270 (The SMB client in Microsoft Windows Server 2008 R2 and Windows 7 does ...) NOT-FOR-US: Microsoft Windows CVE-2010-0269 (The SMB client in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, ...) NOT-FOR-US: Microsoft Windows CVE-2010-0268 (Unspecified vulnerability in the Windows Media Player ActiveX control ...) NOT-FOR-US: Microsoft Windows CVE-2010-0267 (Microsoft Internet Explorer 6, 6 SP1, and 7 does not properly handle o ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-0266 (Microsoft Office Outlook 2002 SP3, 2003 SP3, and 2007 SP1 and SP2 does ...) NOT-FOR-US: Microsoft Office CVE-2010-0265 (Buffer overflow in Microsoft Windows Movie Maker 2.1, 2.6, and 6.0, an ...) NOT-FOR-US: Microsoft Windows Movie Maker CVE-2010-0264 (Microsoft Office Excel 2002 SP3, Office 2004 and 2008 for Mac, and Ope ...) NOT-FOR-US: Microsoft Office CVE-2010-0263 (Microsoft Office Excel 2007 SP1 and SP2; Office 2008 for Mac; Open XML ...) NOT-FOR-US: Microsoft Office CVE-2010-0262 (Microsoft Office Excel 2007 SP1 and SP2 and Office 2004 for Mac do not ...) NOT-FOR-US: Microsoft Office CVE-2010-0261 (Heap-based buffer overflow in Microsoft Office Excel 2007 SP1 and SP2 ...) NOT-FOR-US: Microsoft Office CVE-2010-0260 (Heap-based buffer overflow in Microsoft Office Excel 2007 SP1 and SP2; ...) NOT-FOR-US: Microsoft Office CVE-2010-0259 REJECTED CVE-2010-0258 (Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Offic ...) NOT-FOR-US: Microsoft Office CVE-2010-0257 (Microsoft Office Excel 2002 SP3 does not properly parse the Excel file ...) NOT-FOR-US: Microsoft Office CVE-2010-0256 (Microsoft Office Visio 2002 SP2, 2003 SP3, and 2007 SP1 and SP2 does n ...) NOT-FOR-US: Microsoft Office CVE-2010-0255 (Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, 7, and 8 does not prev ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-0254 (Microsoft Office Visio 2002 SP2, 2003 SP3, and 2007 SP1 and SP2 does n ...) NOT-FOR-US: Microsoft Office CVE-2010-0253 REJECTED CVE-2010-0252 (The Microsoft Data Analyzer ActiveX control (aka the Office Excel Acti ...) NOT-FOR-US: Microsoft Data Analyzer ActiveX control CVE-2010-0251 REJECTED CVE-2010-0250 (Heap-based buffer overflow in DirectShow in Microsoft DirectX, as used ...) NOT-FOR-US: Microsoft DirectX CVE-2010-0249 (Use-after-free vulnerability in Microsoft Internet Explorer 6, 6 SP1, ...) NOT-FOR-US: Microsoft CVE-2010-0248 (Microsoft Internet Explorer 6, 6 SP1, 7, and 8 does not properly handl ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-0247 (Microsoft Internet Explorer 5.01 SP4, 6, and 6 SP1 does not properly h ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-0246 (Microsoft Internet Explorer 8 does not properly handle objects in memo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-0245 (Microsoft Internet Explorer 8 does not properly handle objects in memo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-0244 (Microsoft Internet Explorer 6, 6 SP1, 7, and 8 does not properly handl ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-0243 (Buffer overflow in MSO.DLL in Microsoft Office XP SP3 and Office 2004 ...) NOT-FOR-US: Microsoft Office XP CVE-2010-0242 (The TCP/IP implementation in Microsoft Windows Vista Gold, SP1, and SP ...) NOT-FOR-US: Microsoft Windows Vista Gold CVE-2010-0241 (The TCP/IP implementation in Microsoft Windows Vista Gold, SP1, and SP ...) NOT-FOR-US: Microsoft Windows Vista Gold CVE-2010-0240 (The TCP/IP implementation in Microsoft Windows Vista Gold, SP1, and SP ...) NOT-FOR-US: Microsoft Windows Vista Gold CVE-2010-0239 (The TCP/IP implementation in Microsoft Windows Vista Gold, SP1, and SP ...) NOT-FOR-US: Microsoft Windows Vista Gold CVE-2010-0238 (Unspecified vulnerability in registry-key validation in the kernel in ...) NOT-FOR-US: Microsoft Windows CVE-2010-0237 (The kernel in Microsoft Windows 2000 SP4 and XP SP2 and SP3 allows loc ...) NOT-FOR-US: Microsoft Windows CVE-2010-0236 (The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 ...) NOT-FOR-US: Microsoft Windows CVE-2010-0235 (The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 ...) NOT-FOR-US: Microsoft Windows CVE-2010-0234 (The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 ...) NOT-FOR-US: Microsoft Windows CVE-2010-0233 (Double free vulnerability in the kernel in Microsoft Windows 2000 SP4, ...) NOT-FOR-US: Microsoft Windows CVE-2010-0232 (The kernel in Microsoft Windows NT 3.1 through Windows 7, including Wi ...) NOT-FOR-US: Microsoft Windows CVE-2010-0231 (The SMB implementation in the Server service in Microsoft Windows 2000 ...) NOT-FOR-US: Microsoft Windows CVE-2010-0230 (SUSE Linux Enterprise 10 SP3 (SLE10-SP3) and openSUSE 11.2 configures ...) - postfix (SUSE-specific packaging issue) CVE-2010-0229 (Verbatim Corporate Secure and Corporate Secure FIPS Edition USB flash ...) NOT-FOR-US: Verbatim Corporate Secure CVE-2010-0228 (Verbatim Corporate Secure and Corporate Secure FIPS Edition USB flash ...) NOT-FOR-US: Verbatim Corporate Secure CVE-2010-0227 (Verbatim Corporate Secure and Corporate Secure FIPS Edition USB flash ...) NOT-FOR-US: Verbatim Corporate Secure CVE-2010-0226 (SanDisk Cruzer Enterprise USB flash drives do not prevent password rep ...) NOT-FOR-US: SanDisk Cruzer Enterprise USB flash drives CVE-2010-0225 (SanDisk Cruzer Enterprise USB flash drives use a fixed 256-bit key for ...) NOT-FOR-US: SanDisk Cruzer Enterprise USB flash drives CVE-2010-0224 (SanDisk Cruzer Enterprise USB flash drives validate passwords with a p ...) NOT-FOR-US: SanDisk Cruzer Enterprise USB flash drives CVE-2010-0223 (Kingston DataTraveler BlackBox (DTBB), DataTraveler Secure Privacy Edi ...) NOT-FOR-US: Kingston USB flash drives CVE-2010-0222 (Kingston DataTraveler BlackBox (DTBB), DataTraveler Secure Privacy Edi ...) NOT-FOR-US: Kingston USB flash drives CVE-2010-0221 (Kingston DataTraveler BlackBox (DTBB), DataTraveler Secure Privacy Edi ...) NOT-FOR-US: Kingston USB flash drives CVE-2010-0220 (The nsObserverList::FillObserverArray function in xpcom/ds/nsObserverL ...) - xulrunner (unimportant) NOTE: browser DoS not treated as security issue CVE-2009-4605 (scripts/setup.php (aka the setup script) in phpMyAdmin 2.11.x before 2 ...) {DSA-2034-1} - phpmyadmin 4:3.2.4-1 NOTE: vulnerable code does not in the 3.x series (sid and squeeze checked) NOTE: http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin?view=rev&revision=13149 NOTE: there is still at least one unserialize() call on _POST data CVE-2009-4594 (Unspecified vulnerability in IBM Lotus iNotes (aka Domino Web Access o ...) NOT-FOR-US: IBM Lotus iNotes CVE-2009-4593 (The bftpdutmp_log function in bftpdutmp.c in Bftpd before 2.4 does not ...) NOT-FOR-US: Bftpd CVE-2009-4592 (Unspecified vulnerability in base_local_rules.php in Basic Analysis an ...) - acidbase 1.4.4-1 [lenny] - acidbase (Minor issue) [etch] - acidbase (Minor issue) CVE-2009-4591 (SQL injection vulnerability in Basic Analysis and Security Engine (BAS ...) - acidbase 1.4.4-1 [lenny] - acidbase (Minor issue) [etch] - acidbase (Minor issue) CVE-2009-4590 (Cross-site scripting (XSS) vulnerability in base_local_rules.php in Ba ...) - acidbase 1.4.4-1 [lenny] - acidbase (Minor issue) [etch] - acidbase (Minor issue) NOTE: 1.4.5 fixed more XSS issues in this file CVE-2009-4588 (Heap-based buffer overflow in the WindsPlayerIE.View.1 ActiveX control ...) NOT-FOR-US: AwingSoft Awakening CVE-2009-4587 (Cherokee Web Server 0.5.4 allows remote attackers to cause a denial of ...) - cherokee (Only affects Windows and DOS) NOTE: this only works on windows and dos as you are not allowed NOTE: to use a file name with AUX and any or no extension as this is a NOTE: reserved device name. cherokee was lacking error handling... CVE-2009-4586 (Multiple cross-site scripting (XSS) vulnerabilities in index.html in W ...) NOT-FOR-US: Wowd client CVE-2010-0219 (Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterpri ...) NOT-FOR-US: SAP BusinessObjects Enterprise CVE-2010-0218 (ISC BIND 9.7.2 through 9.7.2-P1 uses an incorrect ACL to restrict the ...) - bind9 (Only affects 9.7.2, which is not yet in the archive) NOTE: http://ftp.isc.org/isc/bind9/9.7.2-P2/RELEASE-NOTES-BIND-9.7.2-P2.html NOTE: ACL bypass claimed to only affect >=9.7.2: https://lists.isc.org/pipermail/bind-announce/2010-September/000655.html CVE-2010-0217 (Zeacom Chat Server before 5.1 uses too short a random string for the J ...) NOT-FOR-US: Zeacom Chat Server CVE-2010-0216 (authenticate_ad_setup_finished.cfm in MediaCAST 8 and earlier allows r ...) NOT-FOR-US: MediaCAST CVE-2010-0215 (ActiveCollab before 2.3.2 allows remote authenticated users to bypass ...) NOT-FOR-US: ActiveCollab CVE-2010-0214 (The administrative interface on the PolyVision RoomWizard with firmwar ...) NOT-FOR-US: PolyVision RoomWizard CVE-2010-0213 (BIND 9.7.1 and 9.7.1-P1, when a recursive validating server has a trus ...) - bind9 9.7.1.dfsg.P2 [lenny] - bind9 (vulnerability introduced in 9.7.1) CVE-2010-0212 (OpenLDAP 2.4.22 allows remote attackers to cause a denial of service ( ...) {DSA-2077-1} - openldap 2.4.23-1 CVE-2010-0211 (The slap_modrdn2mods function in modrdn.c in OpenLDAP 2.4.22 does not ...) {DSA-2077-1} - openldap 2.4.23-1 CVE-2010-0210 RESERVED CVE-2010-0209 (Adobe Flash Player before 9.0.280 and 10.x before 10.1.82.76, and Adob ...) NOT-FOR-US: Adobe Flash Plugin CVE-2010-0208 RESERVED CVE-2010-0207 (In xpdf, the xref table contains an infinite loop which allows remote ...) - kdegraphics 4:4.0.0-1 (unimportant) - xpdf (unimportant) - poppler 0.16.3-1 (unimportant) [squeeze] - poppler 0.12.4-1.2+squeeze1 NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=28172 NOTE: Just a crasher, not treated as a security issue CVE-2010-0206 (xpdf allows remote attackers to cause a denial of service (NULL pointe ...) - kdegraphics 4:4.0.0-1 (unimportant) - xpdf (unimportant) - poppler 0.16.3-1 (unimportant) [squeeze] - poppler 0.12.4-1.2+squeeze1 NOTE: Just a crasher, not treated as a security issue CVE-2010-0205 (The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before ...) {DSA-2032-1} - libpng 1.2.43-1 (low; bug #572308) NOTE: http://www.kb.cert.org/vuls/id/576029 CVE-2010-0204 (Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Win ...) NOT-FOR-US: Adobe Reader CVE-2010-0203 (Buffer overflow in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x ...) NOT-FOR-US: Adobe Reader CVE-2010-0202 (Buffer overflow in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x ...) NOT-FOR-US: Adobe Reader CVE-2010-0201 (Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Win ...) NOT-FOR-US: Adobe Reader CVE-2010-0200 REJECTED CVE-2010-0199 (Buffer overflow in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x ...) NOT-FOR-US: Adobe Reader CVE-2010-0198 (Buffer overflow in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x ...) NOT-FOR-US: Adobe Reader CVE-2010-0197 (Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Win ...) NOT-FOR-US: Adobe Reader CVE-2010-0196 (Unspecified vulnerability in Adobe Reader and Acrobat 9.x before 9.3.2 ...) NOT-FOR-US: Adobe Reader CVE-2010-0195 (Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Win ...) NOT-FOR-US: Adobe Reader CVE-2010-0194 (Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Win ...) NOT-FOR-US: Adobe Reader CVE-2010-0193 (Unspecified vulnerability in Adobe Reader and Acrobat 9.x before 9.3.2 ...) NOT-FOR-US: Adobe Reader CVE-2010-0192 (Unspecified vulnerability in Adobe Reader and Acrobat 9.x before 9.3.2 ...) NOT-FOR-US: Adobe Reader CVE-2010-0191 (Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Win ...) NOT-FOR-US: Adobe Reader CVE-2010-0190 (Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 9 ...) NOT-FOR-US: Adobe Reader CVE-2010-0189 (A certain ActiveX control in NOS Microsystems getPlus Download Manager ...) NOT-FOR-US: Adobe Download Manager CVE-2010-0188 (Unspecified vulnerability in Adobe Reader and Acrobat 8.x before 8.2.1 ...) NOT-FOR-US: Adobe Reader CVE-2010-0187 (Adobe Flash Player before 10.0.45.2 and Adobe AIR before 1.5.3.9130 al ...) NOT-FOR-US: Adobe Flash plugin CVE-2010-0186 (Cross-domain vulnerability in Adobe Flash Player before 10.0.45.2, Ado ...) NOT-FOR-US: Adobe Flash plugin CVE-2010-0185 (The default configuration of Adobe ColdFusion 9.0 does not restrict ac ...) NOT-FOR-US: Adobe ColdFusion CVE-2010-0184 (The (1) domainutility and (2) domainutilitycmd components in TIBCO Dom ...) NOT-FOR-US: TIBCO Domain Utility in TIBCO Runtime Agent CVE-2010-0183 (Use-after-free vulnerability in the nsCycleCollector::MarkRoots functi ...) {DSA-2064-1} - xulrunner 1.9.1.10-1 - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0.5-1 [lenny] - iceape (Only a stub package) CVE-2010-0182 (The XMLDocument::load function in Mozilla Firefox before 3.5.9 and 3.6 ...) {DSA-2075-1} - xulrunner 1.9.1.9-1 (low) [lenny] - xulrunner (Minor issue, no upstream fix for 3.0 series) - iceape 2.0.4-1 - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - icedove 3.0.4-1 [lenny] - iceape (Only a stub package) [lenny] - icedove CVE-2010-0181 (Mozilla Firefox before 3.5.9 and 3.6.x before 3.6.2, and SeaMonkey bef ...) - xulrunner 1.9.1.9-1 (unimportant) - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0.4-1 [lenny] - iceape (Only a stub package) CVE-2010-0180 (Install/Filesystem.pm in Bugzilla 3.5.1 through 3.6 and 3.7, when use_ ...) - bugzilla (Only affects 3.5 to 3.7) CVE-2010-0179 (Mozilla Firefox before 3.0.19 and 3.5.x before 3.5.8, and SeaMonkey be ...) {DSA-2027-1} - xulrunner 1.9.1.9-1 - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0.4-1 [lenny] - iceape (Only a stub package) CVE-2010-0178 (Mozilla Firefox before 3.0.19, 3.5.x before 3.5.9, and 3.6.x before 3. ...) {DSA-2027-1} - xulrunner 1.9.1.9-1 - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0.4-1 [lenny] - iceape (Only a stub package) CVE-2010-0177 (Mozilla Firefox before 3.0.19, 3.5.x before 3.5.9, and 3.6.x before 3. ...) {DSA-2027-1} - xulrunner 1.9.1.9-1 - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0.4-1 [lenny] - iceape (Only a stub package) CVE-2010-0176 (Mozilla Firefox before 3.0.19, 3.5.x before 3.5.9, and 3.6.x before 3. ...) {DSA-2027-1} - xulrunner 1.9.1.9-1 - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0.4-1 - icedove 3.0.4-1 [lenny] - icedove [lenny] - iceape (Only a stub package) CVE-2010-0175 (Use-after-free vulnerability in the nsTreeSelection implementation in ...) {DSA-2027-1} - xulrunner 1.9.1.9-1 - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0.4-1 - icedove 3.0.4-1 [lenny] - icedove [lenny] - iceape (Only a stub package) CVE-2010-0174 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2027-1} - xulrunner 1.9.1.9-1 - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0.4-1 - icedove 3.0.4-1 [lenny] - icedove [lenny] - iceape (Only a stub package) CVE-2010-0173 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - xulrunner 1.9.1.9-1 - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0.4-1 - icedove 3.0.4-1 [lenny] - icedove [lenny] - iceape (Only a stub package) [lenny] - xulrunner (Only affects Firefox >= 3.5) CVE-2010-0172 (toolkit/components/passwordmgr/src/nsLoginManagerPrompter.js in the as ...) - xulrunner (vulnerable code introduced in firefox 3.6) - iceape (vulnerable code introduced in firefox 3.6) - iceweasel (vulnerable code introduced in firefox 3.6) CVE-2010-0171 (Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x bef ...) {DSA-1999-1} - xulrunner 1.9.1.8-1 - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0.3-1 [lenny] - iceape (Lenny package only provide xpcom stubs) - icedove 3.0.2-1 [lenny] - icedove CVE-2010-0170 (Mozilla Firefox 3.6 before 3.6.2 does not offer plugins the expected w ...) - xulrunner (vulnerable code introduced in firefox 3.6) - iceape (vulnerable code introduced in firefox 3.6) - iceweasel (vulnerable code introduced in firefox 3.6) CVE-2010-0169 (The CSSLoaderImpl::DoSheetComplete function in layout/style/nsCSSLoade ...) {DSA-1999-1} - xulrunner 1.9.1.8-1 - iceape 2.0.3-1 - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) [lenny] - iceape (Lenny package only provide xpcom stubs) - icedove 3.0.2-1 [lenny] - icedove CVE-2010-0168 (The nsDocument::MaybePreLoadImage function in content/base/src/nsDocum ...) - xulrunner (vulnerable code introduced in firefox 3.6) - iceape (vulnerable code introduced in firefox 3.6) - iceweasel (vulnerable code introduced in firefox 3.6) CVE-2010-0167 (The browser engine in Mozilla Firefox 3.0.x before 3.0.18, 3.5.x befor ...) {DSA-1999-1} - xulrunner 1.9.1.8-1 - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0.3-1 [lenny] - iceape (Lenny package only provide xpcom stubs) - icedove 3.0.2-1 [lenny] - icedove CVE-2010-0166 (The gfxTextRun::SanitizeGlyphRuns function in gfx/thebes/src/gfxFont.c ...) - xulrunner (vulnerable code introduced in firefox 3.6) - iceape (vulnerable code introduced in firefox 3.6) - iceweasel (vulnerable code introduced in firefox 3.6) CVE-2010-0165 (The TraceRecorder::traverseScopeChain function in js/src/jstracer.cpp ...) - xulrunner (vulnerable code introduced in firefox 3.6) - iceape (vulnerable code introduced in firefox 3.6) - iceweasel (vulnerable code introduced in firefox 3.6) CVE-2010-0164 (Use-after-free vulnerability in the imgContainer::InternalAddFrameHelp ...) - xulrunner (vulnerable code introduced in firefox 3.6) - iceape (vulnerable code introduced in firefox 3.6) - iceweasel (vulnerable code introduced in firefox 3.6) CVE-2010-0163 (Mozilla Thunderbird before 2.0.0.24 and SeaMonkey before 1.1.19 proces ...) {DSA-2025-1} - icedove 3.0.4-1 (medium) CVE-2010-0162 (Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMon ...) {DSA-1999-1} - xulrunner 1.9.1.8-1 - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) [etch] - xulrunner - iceape 2.0.3-1 [lenny] - iceape (Lenny package only provide xpcom stubs) CVE-2010-0161 (The nsAuthSSPI::Unwrap function in extensions/auth/nsAuthSSPI.cpp in M ...) - xulrunner (Windows-specific) - iceape (Windows-specific) - iceweasel (Windows-specific) CVE-2010-0160 (The Web Worker functionality in Mozilla Firefox 3.0.x before 3.0.18 an ...) - xulrunner 1.9.1.8-1 [etch] - xulrunner (web workers introduced in gecko 1.9.1) [lenny] - xulrunner (web workers introduced in gecko 1.9.1) - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0.3-1 [etch] - iceape (web workers introduced in gecko 1.9.1) [lenny] - iceape (web workers introduced in gecko 1.9.1) CVE-2010-0159 (The browser engine in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x be ...) {DSA-1999-1} - xulrunner 1.9.1.8-1 [etch] - xulrunner - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0.3-1 [lenny] - iceape (Lenny package only provide xpcom stubs) - icedove 3.0.2-1 [lenny] - icedove CVE-2010-0158 NOT-FOR-US: JoomlaBamboo (JB) Simpla Admin template CVE-2010-0157 (Directory traversal vulnerability in the Bible Study (com_biblestudy) ...) NOT-FOR-US: component for Joomla! CVE-2010-0156 (Puppet 0.24.x before 0.24.9 and 0.25.x before 0.25.2 allows local user ...) - puppet 0.25.4-2 [lenny] - puppet (Minor issue) CVE-2010-0155 (CRLF injection vulnerability in load.php in the Local Management Inter ...) NOT-FOR-US: IBM Proventia Network Mail Security System CVE-2010-0154 (Directory traversal vulnerability in sla/index.php in the Local Manage ...) NOT-FOR-US: IBM Proventia Network Mail Security System CVE-2010-0153 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Loca ...) NOT-FOR-US: IBM Proventia Network Mail Security System CVE-2010-0152 (Multiple cross-site scripting (XSS) vulnerabilities in the Local Manag ...) NOT-FOR-US: IBM Proventia Network Mail Security System CVE-2010-0151 (The Cisco Firewall Services Module (FWSM) 4.0 before 4.0(8), as used i ...) NOT-FOR-US: Cisco CVE-2010-0150 (Unspecified vulnerability in Cisco ASA 5500 Series Adaptive Security A ...) NOT-FOR-US: Cisco CVE-2010-0149 (Unspecified vulnerability in Cisco ASA 5500 Series Adaptive Security A ...) NOT-FOR-US: Cisco CVE-2010-0148 (Unspecified vulnerability in Cisco Security Agent 5.2 before 5.2.0.285 ...) NOT-FOR-US: Cisco Security Agent CVE-2010-0147 (SQL injection vulnerability in the Management Center for Cisco Securit ...) NOT-FOR-US: Cisco CVE-2010-0146 (Directory traversal vulnerability in the Management Center for Cisco S ...) NOT-FOR-US: Cisco CVE-2010-0145 (Unspecified vulnerability in the embedded HTTPS server on the Cisco Ir ...) NOT-FOR-US: Cisco IronPort Encryption Appliance CVE-2010-0144 (Unspecified vulnerability in the WebSafe DistributorServlet in the emb ...) NOT-FOR-US: Cisco IronPort Encryption Appliance CVE-2010-0143 (Unspecified vulnerability in the administrative interface in the embed ...) NOT-FOR-US: Cisco IronPort Encryption Appliance CVE-2010-0142 (MeetingTime in Cisco Unified MeetingPlace 6 before MR5, and possibly 5 ...) NOT-FOR-US: Cisco Unified MeetingPlace CVE-2010-0141 (MeetingTime in Cisco Unified MeetingPlace 6 before MR5, and possibly 5 ...) NOT-FOR-US: Cisco Unified MeetingPlace CVE-2010-0140 (Multiple unspecified vulnerabilities in the web server in Cisco Unifie ...) NOT-FOR-US: Cisco Unified MeetingPlace CVE-2010-0139 (Cisco Unified MeetingPlace 7 before 7.0(2.3) hotfix 5F, 6 before 6.0.6 ...) NOT-FOR-US: Cisco Unified MeetingPlace CVE-2010-0138 (Buffer overflow in Cisco CiscoWorks Internetwork Performance Monitor ( ...) NOT-FOR-US: Cisco CiscoWorks Internetwork Performance Monitor CVE-2010-0137 (Unspecified vulnerability in the sshd_child_handler process in the SSH ...) NOT-FOR-US: Cisco IOS XR CVE-2010-0136 (OpenOffice.org (OOo) 2.0.4, 2.4.1, and 3.1.1 does not properly enforce ...) {DSA-1995-1} - openoffice.org 1:3.1.1-11 CVE-2010-0135 (Heap-based buffer overflow in the WordPerfect 5.x reader (wosr.dll), a ...) NOT-FOR-US: WordPerfect reader on Windows CVE-2010-0134 (Integer signedness error in rtfsr.dll in Autonomy KeyView 10.4 and 10. ...) NOT-FOR-US: Autonomy KeyView CVE-2010-0133 (Multiple stack-based buffer overflows in the SpreadSheet Lotus 123 rea ...) NOT-FOR-US: SpreadSheet Lotus 123 reader CVE-2010-0132 (Cross-site scripting (XSS) vulnerability in ViewVC 1.1 before 1.1.5 an ...) - viewvc 1.1.5-1 (bug #576307) CVE-2010-0131 (Stack-based buffer overflow in the SpreadSheet Lotus 123 reader (wkssr ...) NOT-FOR-US: SpreadSheet Lotus 123 reader CVE-2010-0130 (Integer overflow in Adobe Shockwave Player before 11.5.7.609 might all ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-0129 (Multiple integer overflows in Adobe Shockwave Player before 11.5.7.609 ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-0128 (Integer signedness error in dirapi.dll in Adobe Shockwave Player befor ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-0127 (Adobe Shockwave Player before 11.5.7.609 allows remote attackers to ex ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-0126 (Heap-based buffer overflow in an unspecified library in Autonomy KeyVi ...) NOT-FOR-US: Autonomy KeyView CVE-2010-0125 (RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1 ...) NOT-FOR-US: RealPlayer CVE-2010-0124 (Employee Timeclock Software 0.99 places the database password on the m ...) NOT-FOR-US: Employee Timeclock Software CVE-2010-0123 (The database backup implementation in Employee Timeclock Software 0.99 ...) NOT-FOR-US: Employee Timeclock Software CVE-2010-0122 (Multiple SQL injection vulnerabilities in Employee Timeclock Software ...) NOT-FOR-US: Employee Timeclock Software CVE-2010-0121 (The cook codec in RealNetworks RealPlayer 11.0 through 11.1, RealPlaye ...) NOT-FOR-US: RealPlayer CVE-2010-0120 (Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11. ...) NOT-FOR-US: RealPlayer CVE-2010-0119 (Bournal before 1.4.1 on FreeBSD 8.0, when the -K option is used, place ...) NOT-FOR-US: Bournal CVE-2010-0118 (Bournal before 1.4.1 allows local users to overwrite arbitrary files v ...) NOT-FOR-US: Bournal CVE-2010-0117 (RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 throug ...) NOT-FOR-US: RealPlayer CVE-2010-0116 (Integer overflow in RealNetworks RealPlayer 11.0 through 11.1 and Real ...) NOT-FOR-US: RealPlayer CVE-2009-4585 (UranyumSoft Listing Service stores sensitive information under the web ...) NOT-FOR-US: UranyumSoft Listing Service CVE-2009-4584 (admin.php in dB Masters Multimedia Links Directory 3.1.3 allows remote ...) NOT-FOR-US: dB Masters Multimedia Links Directory CVE-2009-4583 (SQL injection vulnerability in the DhForum (com_dhforum) component for ...) NOT-FOR-US: component for Joomla! CVE-2009-4582 (SQL injection vulnerability in detail.php in the Dictionary module for ...) NOT-FOR-US: XOOPS module CVE-2009-4581 (Directory traversal vulnerability in modules/admincp.php in RoseOnline ...) NOT-FOR-US: RoseOnlineCMS CVE-2009-4580 (Multiple cross-site scripting (XSS) vulnerabilities in Hasta Blog 2.3 ...) NOT-FOR-US: Hasta Blog CVE-2009-4579 (Cross-site scripting (XSS) vulnerability in the Artist avenue (com_art ...) NOT-FOR-US: component for Joomla! CVE-2009-4578 (Cross-site scripting (XSS) vulnerability in the Facileforms (com_facil ...) NOT-FOR-US: component for Joomla! CVE-2009-4577 (SQL injection vulnerability in the MDForum module 2.x through 2.07 for ...) NOT-FOR-US: MDForum module for MAXdev MDPro CVE-2009-4576 (SQL injection vulnerability in the BeeHeard (com_beeheard) component 1 ...) NOT-FOR-US: component for Joomla! CVE-2009-4575 (Cross-site scripting (XSS) vulnerability in the Q-Personel (com_qperso ...) NOT-FOR-US: component for Joomla! CVE-2009-4574 (SQL injection vulnerability in country_escorts.php in I-Escorts Direct ...) NOT-FOR-US: I-Escorts Directory Script CVE-2009-4573 (Multiple cross-site scripting (XSS) vulnerabilities in the Joomulus (m ...) NOT-FOR-US: component for Joomla! CVE-2009-4572 (Cross-site request forgery (CSRF) vulnerability in PhpShop 0.8.1 allow ...) NOT-FOR-US: PhpShop CVE-2009-4571 (Multiple SQL injection vulnerabilities in index.php in PhpShop 0.8.1 a ...) NOT-FOR-US: PhpShop CVE-2009-4570 (Cross-site scripting (XSS) vulnerability in PhpShop 0.8.1 allows remot ...) NOT-FOR-US: PhpShop CVE-2009-4569 (SQL injection vulnerability in elkagroup Image Gallery allows remote a ...) NOT-FOR-US: elkagroup Image Gallery CVE-2009-4568 (Cross-site scripting (XSS) vulnerability in Webmin before 1.500 and Us ...) - webmin CVE-2009-4567 (Multiple cross-site scripting (XSS) vulnerabilities in editprofile.php ...) NOT-FOR-US: Viscacha CVE-2009-4566 (SQL injection vulnerability in index.php in Zenphoto 1.2.5 allows remo ...) NOT-FOR-US: Zenphoto CVE-2009-4564 (SQL injection vulnerability in index.php in Zenphoto 1.2.5, when the Z ...) NOT-FOR-US: Zenphoto CVE-2009-4563 (Cross-site request forgery (CSRF) vulnerability in zp-core/admin-optio ...) NOT-FOR-US: Zenphoto CVE-2009-4562 (Cross-site scripting (XSS) vulnerability in zp-core/admin.php in Zenph ...) NOT-FOR-US: Zenphoto CVE-2009-4561 (Multiple SQL injection vulnerabilities in Admin/index.php in WebLeague ...) NOT-FOR-US: WebLeague CVE-2009-4560 (SQL injection vulnerability in profile.php in WebLeague 2.2.0 allows r ...) NOT-FOR-US: WebLeague CVE-2009-4559 (Cross-site scripting (XSS) vulnerability in the Submitted By module 6. ...) NOT-FOR-US: module for Drupal CVE-2009-4558 (The Image Assist module 5.x-1.x before 5.x-1.8, 5.x-2.x before 2.0-alp ...) NOT-FOR-US: module for Drupal CVE-2009-4557 (Cross-site scripting (XSS) vulnerability in the Image Assist module 5. ...) NOT-FOR-US: module for Drupal CVE-2009-4556 (Quick Heal AntiVirus Plus 2009 10.00 SP1 and Quick Heal Total Security ...) NOT-FOR-US: Quick Heal products CVE-2009-4555 (Multiple cross-site request forgery (CSRF) vulnerabilities in AgoraCar ...) NOT-FOR-US: AgoraCart CVE-2009-4554 (Multiple cross-site scripting (XSS) vulnerabilities in Snitz Forums 20 ...) NOT-FOR-US: Snitz Forums CVE-2009-4553 (Stack-based buffer overflow in iRehearse allows remote attackers to ca ...) NOT-FOR-US: iRehearse CVE-2009-4552 (Cross-site scripting (XSS) vulnerability in the Survey Pro module for ...) NOT-FOR-US: module for Miniweb CVE-2009-4551 (SQL injection vulnerability in the Survey Pro module for Miniweb 2.0 a ...) NOT-FOR-US: module for Miniweb CVE-2009-4550 (SQL injection vulnerability in the Kunena Forum (com_kunena) component ...) NOT-FOR-US: component for Joomla! CVE-2009-4549 (Stack-based buffer overflow in A2 Media Player Pro 2.51 allows remote ...) NOT-FOR-US: A2 Media Player Pro CVE-2009-4548 (Multiple cross-site scripting (XSS) vulnerabilities in ViArt Helpdesk ...) NOT-FOR-US: ViArt Helpdesk CVE-2009-4547 (Multiple cross-site scripting (XSS) vulnerabilities in ViArt CMS 3.x a ...) NOT-FOR-US: ViArt CMS CVE-2009-4546 (globepersonnel_login.asp in Logoshows BBS 2.0 allows remote attackers ...) NOT-FOR-US: Logoshows BBS CVE-2009-4545 (Logoshows BBS 2.0 stores sensitive information under the web root with ...) NOT-FOR-US: Logoshows BBS CVE-2009-4544 (Cross-site scripting (XSS) vulnerability in kbase/kbase.php in Cromoso ...) NOT-FOR-US: Cromosoft Technologies Facil Helpdesk CVE-2009-4543 (PHP remote file inclusion vulnerability in index.php in Cromosoft Tech ...) NOT-FOR-US: Cromosoft Technologies Facil Helpdesk CVE-2009-4542 (Cross-site scripting (XSS) vulnerability in newticket.php in IsolSoft ...) NOT-FOR-US: IsolSoft Support Center CVE-2009-4541 (Multiple PHP remote file inclusion vulnerabilities in IsolSoft Support ...) NOT-FOR-US: IsolSoft Support Center CVE-2009-4540 (SQL injection vulnerability in page.php in Mini CMS 1.0.1 allows remot ...) NOT-FOR-US: Mini CMS CVE-2009-4539 (Cross-site scripting (XSS) vulnerability in main.php in SQLiteManager ...) NOT-FOR-US: SQLiteManager CVE-2010-0115 (SQL injection vulnerability in login.php in the GUI management console ...) NOT-FOR-US: Symantec Web Gateway CVE-2010-0114 (fw_charts.php in the reporting module in the Manager (aka SEPM) compon ...) NOT-FOR-US: Symantec Endpoint Protection CVE-2010-0113 (The Symantec Norton Mobile Security application 1.0 Beta for Android r ...) NOT-FOR-US: Symantec Norton Mobile Security application 1.0 CVE-2010-0112 (Multiple SQL injection vulnerabilities in the Administrative Interface ...) NOT-FOR-US: Symantec IM Manager CVE-2010-0111 (HDNLRSVC.EXE in the Intel Alert Handler service (aka Symantec Intel Ha ...) NOT-FOR-US: Symantec Intel Alert Handler CVE-2010-0110 (Multiple stack-based buffer overflows in Intel Alert Management System ...) NOT-FOR-US: Symantec Intel Alert Handler CVE-2010-0109 (DBManager in Symantec Altiris Deployment Solution 6.9.x before DS 6.9 ...) NOT-FOR-US: Symantec CVE-2010-0108 (Buffer overflow in the cliproxy.objects.1 ActiveX control in the Syman ...) NOT-FOR-US: Symantec AntiVirus CVE-2010-0107 (Buffer overflow in an ActiveX control (SYMLTCOM.dll) in Symantec N360 ...) NOT-FOR-US: Symantec CVE-2010-0106 (The on-demand scanning in Symantec AntiVirus 10.0.x and 10.1.x before ...) NOT-FOR-US: Symantec AntiVirus CVE-2010-0105 (The hfs implementation in Apple Mac OS X 10.5.8 and 10.6.x before 10.6 ...) NOT-FOR-US: Apple hfs implementation CVE-2010-0104 (Unspecified vulnerability in the Broadcom Integrated NIC Management Fi ...) NOT-FOR-US: Broadcom Integrated NIC Management Firmware CVE-2010-0103 (UsbCharger.dll in the Energizer DUO USB battery charger software conta ...) NOT-FOR-US: Energizer DUO USB Battery Charger Software CVE-2010-0102 RESERVED CVE-2010-0101 (The embedded HTTP server in multiple Lexmark laser and inkjet printers ...) NOT-FOR-US: Lexmark printers and MarkNet devices CVE-2010-0100 RESERVED CVE-2010-0099 REJECTED CVE-2010-0098 (ClamAV before 0.96 does not properly handle the (1) CAB and (2) 7z fil ...) - clamav 0.96+dfsg-1 [lenny] - clamav (No longer supported in Lenny) CVE-2010-0097 (ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2 ...) {DSA-2054-1} - bind9 1:9.7.0.dfsg-1 CVE-2010-0096 RESERVED CVE-2009-4538 (drivers/net/e1000e/netdev.c in the e1000e driver in the Linux kernel 2 ...) {DSA-2005-1 DSA-1996-1} - linux-2.6 2.6.32-6 (low; bug #564114) [etch] - linux-2.6 (does not have e1000e driver) - linux-2.6.24 (low) NOTE: just like CVE-2009-4536 but was reported later CVE-2009-4537 (drivers/net/r8169.c in the r8169 driver in the Linux kernel 2.6.32.3 a ...) {DSA-2053-1} - linux-2.6 2.6.32-11 (medium; bug #564110; bug #591581) - linux-2.6.24 (medium) CVE-2009-4536 (drivers/net/e1000/e1000_main.c in the e1000 driver in the Linux kernel ...) {DSA-2005-1 DSA-2003-1 DSA-1996-1} - linux-2.6 2.6.32-6 (low; bug #564114) - linux-2.6.24 (low) CVE-2009-4535 (Mongoose 2.8.0 and earlier allows remote attackers to obtain the sourc ...) NOT-FOR-US: Mongoose CVE-2009-4534 (Open redirect vulnerability in the FAQ Ask module 5.x and 6.x before 6 ...) NOT-FOR-US: module for Drupal CVE-2009-4533 (The Webform module 5.x before 5.x-2.8 and 6.x before 6.x-2.8, a module ...) NOT-FOR-US: module for Drupal CVE-2009-4532 (Cross-site scripting (XSS) vulnerability in the Webform module 5.x bef ...) NOT-FOR-US: module for Drupal CVE-2009-4531 (httpdx 1.4.4 and earlier allows remote attackers to obtain the source ...) NOT-FOR-US: httpdx CVE-2009-4530 (Mongoose 2.8.0 and earlier allows remote attackers to obtain the sourc ...) NOT-FOR-US: Mongoose CVE-2009-4529 (InterVations NaviCOPA Web Server 3.0.1.2 and earlier allows remote att ...) NOT-FOR-US: InterVations NaviCOPA Web Server CVE-2009-4528 (The Organic Groups (OG) Vocabulary module 6.x before 6.x-1.0 for Drupa ...) NOT-FOR-US: module for Drupal CVE-2009-4527 (The Shibboleth authentication module 5.x before 5.x-3.4 and 6.x before ...) NOT-FOR-US: module for Drupal CVE-2009-4526 (The Send by e-mail sub-module in the Print (aka Printer, e-mail and PD ...) NOT-FOR-US: module for Drupal CVE-2009-4525 (Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e- ...) NOT-FOR-US: module for Drupal CVE-2009-4524 (Cross-site scripting (XSS) vulnerability in the RealName module 6.x-1. ...) NOT-FOR-US: module for Drupal CVE-2009-4523 (Cross-site scripting (XSS) vulnerability in index.php in Zainu 1.0 all ...) NOT-FOR-US: Zainu CVE-2009-4522 (Cross-site scripting (XSS) vulnerability in search.5.html in BloofoxCM ...) NOT-FOR-US: BloofoxCMS CVE-2009-4521 (Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse ...) NOT-FOR-US: Eclipse Business Intelligence and Reporting Tools CVE-2009-4520 (The CCK Comment Reference module 5.x before 5.x-1.2 and 6.x before 6.x ...) NOT-FOR-US: module for Drupal CVE-2009-4519 (Multiple unspecified vulnerabilities in Ortro before 1.3.4 have unknow ...) NOT-FOR-US: Ortro CVE-2009-4518 (Cross-site scripting (XSS) vulnerability in the Insert Node module 5.x ...) NOT-FOR-US: module for Drupal CVE-2009-4517 (Cross-site request forgery (CSRF) vulnerability in the FAQ Ask module ...) NOT-FOR-US: module for Drupal CVE-2009-4516 (Cross-site scripting (XSS) vulnerability in the FAQ Ask module 5.x and ...) NOT-FOR-US: module for Drupal CVE-2009-4515 (The Storm module 6.x before 6.x-1.25 for Drupal does not enforce privi ...) NOT-FOR-US: module for Drupal CVE-2009-4514 (Cross-site scripting (XSS) vulnerability in the OpenSocial Shindig-Int ...) NOT-FOR-US: module for Drupal CVE-2009-4513 (Multiple cross-site scripting (XSS) vulnerabilities in the Workflow mo ...) NOT-FOR-US: module for Drupal CVE-2009-4512 (Directory traversal vulnerability in index.php in Oscailt 3.3, when Us ...) NOT-FOR-US: Oscailt CVE-2009-4511 (Multiple directory traversal vulnerabilities in the web administration ...) NOT-FOR-US: TANDBERG Video Communication Server CVE-2009-4510 (The SSH service on the TANDBERG Video Communication Server (VCS) befor ...) NOT-FOR-US: TANDBERG Video Communication Server CVE-2009-4509 (The administrative web console on the TANDBERG Video Communication Ser ...) NOT-FOR-US: TANDBERG Video Communication Server CVE-2009-4508 RESERVED CVE-2009-4507 RESERVED CVE-2009-4506 RESERVED CVE-2009-4505 (Multiple cross-site scripting (XSS) vulnerabilities in OpenCMS OAMP Co ...) NOT-FOR-US: OpenCMS CVE-2009-4504 RESERVED CVE-2009-4503 RESERVED CVE-2009-4502 (The NET_TCP_LISTEN function in net.c in Zabbix Agent before 1.6.7, whe ...) - zabbix 1:1.8-1 (bug #562613) CVE-2009-4501 (The zbx_get_next_field function in libs/zbxcommon/str.c in Zabbix Serv ...) - zabbix 1:1.8-1 (bug #562613) CVE-2009-4500 (The process_trap function in trapper/trapper.c in Zabbix Server before ...) - zabbix 1:1.8-1 (bug #562613) CVE-2009-4499 (SQL injection vulnerability in the get_history_lastid function in the ...) - zabbix 1:1.8-1 (bug #562613) CVE-2009-4498 (The node_process_command function in Zabbix Server before 1.8 allows r ...) - zabbix 1:1.8-1 (bug #562613) CVE-2009-4497 (Cross-site scripting (XSS) vulnerability in LXR Cross Referencer 0.9.5 ...) {DSA-2092-1} - lxr-cvs 0.9.5+cvs20071020-1.1 (low; bug #575745) NOTE: http://sourceforge.net/mailarchive/forum.php?thread_name=E1NS2s4-0001PE-F2@3bkjzd1.ch3.sourceforge.com&forum_name=lxr-developer CVE-2009-4496 (Boa 0.94.14rc21 writes data to a log file without sanitizing non-print ...) - boa 0.94.14rc21-4 (unimportant; bug #578035) NOTE: The actual issue is within the broken terminal emulators and needs to be fixed there, see CVE-2009-4487 CVE-2009-4495 (Yaws 1.85 writes data to a log file without sanitizing non-printable c ...) - yaws (unimportant) NOTE: The actual issue is within the broken terminal emulators and needs to be fixed there, see CVE-2009-4487 CVE-2009-4494 (AOLserver 4.5.1 writes data to a log file without sanitizing non-print ...) - aolserver4 (unimportant) NOTE: The actual issue is within the broken terminal emulators and needs to be fixed there, see CVE-2009-4487 CVE-2009-4493 (Orion Application Server 2.0.7 writes data to a log file without sanit ...) NOT-FOR-US: Orion httpd CVE-2009-4492 (WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through patc ...) - ruby1.8 1.8.7.249-1 (unimportant; bug #564598) - ruby1.9 (unimportant; bug #564647) - ruby1.9.1 1.9.1.378-1 (unimportant; bug #564646) NOTE: The actual issue is within the broken terminal emulators and needs to be fixed there, see CVE-2009-4487 NOTE: same as CVE-2009-4487 CVE-2009-4491 (thttpd 2.25b0 writes data to a log file without sanitizing non-printab ...) - thttpd (unimportant) NOTE: The actual issue is within the broken terminal emulators and needs to be fixed there, see CVE-2009-4487 CVE-2009-4490 (mini_httpd 1.19 writes data to a log file without sanitizing non-print ...) - mini-httpd (unimportant) NOTE: The actual issue is within the broken terminal emulators and needs to be fixed there, see CVE-2009-4487 CVE-2009-4489 (header.c in Cherokee before 0.99.32 writes data to a log file without ...) - cherokee 0.99.37-1 (unimportant) NOTE: The actual issue is within the broken terminal emulators and needs to be fixed there, see CVE-2009-4487 CVE-2009-4488 (** DISPUTED ** Varnish 2.0.6 writes data to a log file without sanitiz ...) - varnish (unimportant) NOTE: The actual issue is within the broken terminal emulators and needs to be fixed there, see CVE-2009-4487 CVE-2009-4487 (nginx 0.7.64 writes data to a log file without sanitizing non-printabl ...) - nginx (unimportant) NOTE: The actual issue is within the broken terminal emulators and needs to be fixed there, see CVE-2009-4487 CVE-2009-4486 (Stack-based buffer overflow in the eDirectory plugin in Novell iManage ...) NOT-FOR-US: iManager CVE-2009-4485 REJECTED CVE-2009-4484 (Multiple stack-based buffer overflows in the CertDecoder::GetName func ...) {DSA-1997-1} - mysql-dfsg-5.0 (medium) - mysql-5.1 5.1.41-4 (medium) - cyassl (Fixed before initial upload to archive) NOTE: http://web.archive.org/web/20100129040903/http://intevydis.blogspot.com:80/2010/01/mysq-yassl-stack-overflow.html NOTE: http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.0/revision/2837.1.1 CVE-2009-4483 (Unspecified vulnerability in LDAP3A.exe in MailSite 8.0.4 allows remot ...) NOT-FOR-US: MailSite CVE-2009-4482 (Buffer overflow in MediaServer.exe in TVersity 1.6 allows remote attac ...) NOT-FOR-US: TVersity CVE-2009-4481 REJECTED CVE-2009-4480 (Buffer overflow in the web service in AzeoTech DAQFactory 5.77 might a ...) NOT-FOR-US: AzeoTech DAQFactory CVE-2009-4479 (LDAP3A.exe in MailSite 8.0.4 allows remote attackers to cause a denial ...) NOT-FOR-US: MailSite CVE-2009-4478 (Multiple cross-site scripting (XSS) vulnerabilities in Xstate Real Est ...) NOT-FOR-US: Xstate Real Estate CVE-2009-4477 (SQL injection vulnerability in page.html in Xstate Real Estate 1.0 all ...) NOT-FOR-US: Xstate Real Estate CVE-2009-4476 (Stack-based buffer overflow in HAURI ViRobot Desktop 5.5 before 2009-0 ...) NOT-FOR-US: HAURI ViRobot Desktop CVE-2009-4475 (SQL injection vulnerability in the Joomlub (com_joomlub) component for ...) NOT-FOR-US: component for Joomla! CVE-2009-4474 (SQL injection vulnerability in the Mike de Boer zoom (com_zoom) compon ...) NOT-FOR-US: Mambo component CVE-2009-4473 (Multiple cross-site scripting (XSS) vulnerabilities in WorkArea/Conten ...) NOT-FOR-US: Ektron CMS400.NET CVE-2009-4472 (Multiple PHP remote file inclusion vulnerabilities in PHPope 1.0.0 and ...) NOT-FOR-US: PHPope CVE-2009-4471 (Multiple PHP remote file inclusion vulnerabilities in FreeSchool 1.1.0 ...) NOT-FOR-US: FreeSchool CVE-2009-4470 (SQL injection vulnerability in boardrule.php in DVBBS 2.0 allows remot ...) NOT-FOR-US: DVBBS CVE-2009-4469 (Multiple cross-site scripting (XSS) vulnerabilities in pagenumber.inc. ...) NOT-FOR-US: phpPowerCards CVE-2009-4468 (Cross-site scripting (XSS) vulnerability in misc.php in DeluxeBB 1.3 a ...) NOT-FOR-US: DeluxeBB CVE-2009-4467 (misc.php in DeluxeBB 1.3 allows remote attackers to register accounts ...) NOT-FOR-US: DeluxeBB CVE-2009-4466 (DeluxeBB 1.3 allows remote attackers to obtain sensitive information v ...) NOT-FOR-US: DeluxeBB CVE-2009-4465 (DeluxeBB 1.3 stores sensitive information under the web root with insu ...) NOT-FOR-US: DeluxeBB CVE-2009-4464 (Cross-site scripting (XSS) vulnerability in searchadvance.asp in Activ ...) NOT-FOR-US: Active Business Directory CVE-2009-4463 (Intellicom NetBiter WebSCADA devices use default passwords for the HIC ...) NOT-FOR-US: Intellicom NetBiter WebSCADA CVE-2009-4462 (Stack-based buffer overflow in the NetBiterConfig utility (NetBiterCon ...) NOT-FOR-US: Intellicom NetBiter WebSCADA CVE-2009-4461 (Multiple cross-site scripting (XSS) vulnerabilities in FlatPress 0.909 ...) - flatpress (bug #466297) CVE-2009-4460 (Multiple cross-site scripting (XSS) vulnerabilities in Auto-Surf Traff ...) NOT-FOR-US: Auto-Surf Traffic Exchange Script CVE-2009-4459 (Redmine 0.8.7 and earlier uses the title tag before defining the chara ...) - redmine 0.9.1-1 (bug #563940) CVE-2008-7252 (libraries/File.class.php in phpMyAdmin 2.11.x before 2.11.10 uses pred ...) {DSA-2034-1} - phpmyadmin 4:3.0.0-1 NOTE: http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin?view=rev&revision=11528 CVE-2008-7251 (libraries/File.class.php in phpMyAdmin 2.11.x before 2.11.10 creates a ...) {DSA-2034-1} - phpmyadmin 4:3.0.0-1 NOTE: http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin?view=rev&revision=11536 CVE-2008-7250 (Cross-site scripting (XSS) vulnerability in Squid Analysis Report Gene ...) - sarg 2.2.5-1 (low) CVE-2008-7249 (Buffer overflow in Squid Analysis Report Generator (Sarg) 2.2.3.1, and ...) - sarg 2.2.4-1 (medium) CVE-2009-4565 (sendmail before 8.14.4 does not properly handle a '\0' character in a ...) {DSA-1985-1} - sendmail 8.14.3-9.1 (medium; bug #564581) NOTE: http://www.sendmail.org/releases/8.14.4 CVE-2009-4458 (Multiple cross-site scripting (XSS) vulnerabilities in FreePBX 2.5.2 a ...) NOT-FOR-US: FreePBX CVE-2009-4457 (Multiple unspecified vulnerabilities in the Vsftpd Webmin module befor ...) - webmin CVE-2009-4456 (SQL injection vulnerability in news_detail.php in Green Desktiny 2.3.1 ...) NOT-FOR-US: Green Desktiny CVE-2009-4455 (The default configuration of Cisco ASA 5500 Series Adaptive Security A ...) NOT-FOR-US: Cisco CVE-2009-4454 (vccleaner in VideoCache 1.9.2 allows local users with Squid proxy user ...) - videocache (bug #505329) CVE-2009-4453 (Insecure method vulnerability in SoftCab Sound Converter ActiveX contr ...) NOT-FOR-US: SoftCab Sound Converter ActiveX CVE-2009-4452 (Kaspersky Anti-Virus 5.0 (5.0.712); Antivirus Personal 5.0.x; Anti-Vir ...) NOT-FOR-US: Kaspersky Anti-Viru CVE-2009-4451 (Unrestricted file upload vulnerability in upper.php in kandalf upper 0 ...) NOT-FOR-US: kandalf upper CVE-2009-4450 (Multiple cross-site scripting (XSS) vulnerabilities in map.php in Live ...) NOT-FOR-US: LiveZilla CVE-2009-4449 (Directory traversal vulnerability in MyBB (aka MyBulletinBoard) 1.4.10 ...) NOT-FOR-US: MyBB CVE-2009-4448 (inc/functions_time.php in MyBB (aka MyBulletinBoard) 1.4.10, and possi ...) NOT-FOR-US: MyBB CVE-2009-4447 (Jax Guestbook 3.5.0 allows remote attackers to bypass authentication a ...) NOT-FOR-US: Jax Guestbook CVE-2009-4446 (Cross-site scripting (XSS) vulnerability in admin.php in phpInstantGal ...) NOT-FOR-US: phpInstantGallery CVE-2009-4445 (Microsoft Internet Information Services (IIS), when used in conjunctio ...) NOT-FOR-US: Microsoft CVE-2009-4444 (Microsoft Internet Information Services (IIS) 5.x and 6.x uses only th ...) NOT-FOR-US: Microsoft CVE-2009-4443 (Unspecified vulnerability in the psearch (aka persistent search) funct ...) NOT-FOR-US: Sun Java System Directory Server Enterprise Edition CVE-2009-4442 (Directory Proxy Server (DPS) in Sun Java System Directory Server Enter ...) NOT-FOR-US: Sun Java System Directory Server Enterprise Edition CVE-2009-4441 (Directory Proxy Server (DPS) in Sun Java System Directory Server Enter ...) NOT-FOR-US: Sun Java System Directory Server Enterprise Edition CVE-2009-4440 (Directory Proxy Server (DPS) in Sun Java System Directory Server Enter ...) NOT-FOR-US: Sun Java System Directory Server Enterprise Edition CVE-2009-4439 (Unspecified vulnerability in the Query Compiler, Rewrite, and Optimize ...) NOT-FOR-US: DB2 CVE-2009-4438 (The Query Compiler, Rewrite, and Optimizer component in IBM DB2 9.1 be ...) NOT-FOR-US: DB2 CVE-2009-4437 (Multiple SQL injection vulnerabilities in Active Auction House 3.6 all ...) NOT-FOR-US: Active Auction House 3.6 CVE-2009-4436 (Multiple SQL injection vulnerabilities in Active Web Softwares eWebqui ...) NOT-FOR-US: Active Web Softwares eWebquiz CVE-2009-4435 (Multiple directory traversal vulnerabilities in F3Site 2009 allow remo ...) NOT-FOR-US: F3Site 2009 CVE-2009-4434 (Directory traversal vulnerability in index.php in IDevSpot iSupport 1. ...) NOT-FOR-US: IDevSpot CVE-2009-4433 (Multiple cross-site scripting (XSS) vulnerabilities in IDevSpot iSuppo ...) NOT-FOR-US: IDevSpot CVE-2009-4432 (SQL injection vulnerability in index.php in CodeMight VideoCMS 3.1 all ...) NOT-FOR-US: CodeMight VideoCMS CVE-2009-4431 (PHP remote file inclusion vulnerability in cal_popup.php in the Anythi ...) NOT-FOR-US: Joomla addon CVE-2009-4430 (SQL injection vulnerability in index.php in VirtueMart 1.0 allows remo ...) NOT-FOR-US: VirtueMart CVE-2009-4429 (Cross-site scripting (XSS) vulnerability in the Sections module 5.x be ...) NOT-FOR-US: Drupal addon CVE-2009-4428 (SQL injection vulnerability in the JoomPortfolio (com_joomportfolio) c ...) NOT-FOR-US: Joomla addon CVE-2009-4427 (Directory traversal vulnerability in cmd.php in phpLDAPadmin 1.1.0.5 a ...) {DSA-1965-1} - phpldapadmin 1.1.0.7-1.1 (medium; bug #561975) [etch] - phpldapadmin (Vulnerable code not present) CVE-2009-4426 (Multiple directory traversal vulnerabilities in Ignition 1.2, when mag ...) NOT-FOR-US: Ignition CVE-2009-4425 (Cross-site scripting (XSS) vulnerability in index.php in iDevCart 1.09 ...) NOT-FOR-US: iDevCart CVE-2009-4424 (SQL injection vulnerability in results.php in the Pyrmont plugin 2 for ...) NOT-FOR-US: Wordpress plugin CVE-2009-XXXX [ampache DoS and CSRF] - ampache 3.5.3-1 (low) [lenny] - ampache (minor issue) CVE-2009-4423 (SQL injection vulnerability in index.php in weenCompany 4.0.0 allows r ...) NOT-FOR-US: weenCompany CVE-2009-4422 (Multiple cross-site scripting (XSS) vulnerabilities in the GetURLArgum ...) - libphp-jpgraph (Vulnerable code not present) CVE-2009-4421 (Directory traversal vulnerability in languages_cgi.php in Simple PHP B ...) NOT-FOR-US: Simple PHP Blog CVE-2009-4420 (Buffer overflow in the bd daemon in F5 Networks BIG-IP Application Sec ...) NOT-FOR-US: F5 Networks BIG-IP Application Security Manager (ASM) and Protocol Security Manager (PSM) CVE-2009-4419 (Intel Q35, GM45, PM45 Express, Q45, and Q43 Express chipsets in the SI ...) NOT-FOR-US: Intel Q35, GM45, PM45 Express, Q45, and Q43 Express chipsets CVE-2009-4418 (The unserialize function in PHP 5.3.0 and earlier allows context-depen ...) - php5 (unimportant) NOTE: Only exploitable by malicious script, not treated as a security issue NOTE: per Debian PHP security policy CVE-2009-4417 (The shutdown function in the Zend_Log_Writer_Mail class in Zend Framew ...) NOTE: the CVE talks about the Zend Framework, but the culprit NOTE: is actually piwik CVE-2009-4416 (Cross-site scripting (XSS) vulnerability in login.php in phpGroupWare ...) {DSA-1978-1} - phpgroupware 1:0.9.16.012+dfsg-9 CVE-2009-4415 (Multiple directory traversal vulnerabilities in phpGroupWare 0.9.16.12 ...) {DSA-1978-1} - phpgroupware 1:0.9.16.012+dfsg-9 CVE-2009-4414 (SQL injection vulnerability in phpgwapi /inc/class.auth_sql.inc.php in ...) {DSA-1978-1} - phpgroupware 1:0.9.16.012+dfsg-9 CVE-2009-4412 (Unrestricted file upload vulnerability in Serendipity before 1.5 allow ...) - serendipity 1.5.3-1 (low; bug #562634) CVE-2009-4411 (The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when runni ...) - acl 2.2.49-2 (low; bug #499076) [etch] - acl (Vulnerable code not present) [lenny] - acl (Minor issue, symlink attack not always as root) NOTE: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499076#51 CVE-2009-4409 (The (1) CHAP and (2) MS-CHAP-V2 authentication capabilities in the PPP ...) NOT-FOR-US: Internet Initiative Japan SEIL/B1 firmware CVE-2009-4408 (Multiple cross-site scripting (XSS) vulnerabilities in models.parser i ...) NOT-FOR-US: PyForum CVE-2009-4407 (Multiple cross-site request forgery (CSRF) vulnerabilities in PyForum ...) NOT-FOR-US: PyForum CVE-2009-4406 (Cross-site scripting (XSS) vulnerability in Forms/login1 in American P ...) NOT-FOR-US: APC Switched Rack PDU AP7932 B2 CVE-2009-4405 (Multiple unspecified vulnerabilities in Trac before 0.11.6 have unknow ...) - trac 0.11.6-1 (low) [lenny] - trac (Minor information disclosure) CVE-2009-4404 (Unspecified vulnerability in t-prot (TOFU Protection) before 2.8 allow ...) - t-prot 2.8-1 (low) [etch] - t-prot (Minor issue) [lenny] - t-prot (Minor issue) CVE-2009-4403 (Cross-site scripting (XSS) vulnerability in index.php in Rumba XML 1.8 ...) NOT-FOR-US: Rumba XML CVE-2009-4402 (The default configuration of SQL-Ledger 2.8.24 allows remote attackers ...) - sql-ledger (unimportant; bug #562639) NOTE: Only supported behind an authenticated HTTP zone, see README.Debian CVE-2009-4410 (The fuse_ioctl_copy_user function in the ioctl handler in fs/fuse/file ...) - linux-2.6 2.6.32-1 (low) [etch] - linux-2.6 (vulnerable code introduced in 2.6.29) [lenny] - linux-2.6 (vulnerable code introduced in 2.6.29) - linux-2.6.24 (vulnerable code introduced in 2.6.29) CVE-2009-4401 (SQL injection vulnerability in the Parish Administration Database (ste ...) NOT-FOR-US: ste_parish_admin typo3 extension CVE-2009-4400 (Cross-site scripting (XSS) vulnerability in the Parish Administration ...) NOT-FOR-US: ste_parish_admin typo3 extension CVE-2009-4399 (SQL injection vulnerability in the Parish of the Holy Spirit Religious ...) NOT-FOR-US: hs_religiousartgallery typo3 extension CVE-2009-4398 (Cross-site scripting (XSS) vulnerability in the Parish of the Holy Spi ...) NOT-FOR-US: hs_religiousartgallery typo3 extension CVE-2009-4397 (Cross-site scripting (XSS) vulnerability in the Diocese of Portsmouth ...) NOT-FOR-US: pd_resources typo3 extension CVE-2009-4396 (SQL injection vulnerability in the Diocese of Portsmouth Resources Dat ...) NOT-FOR-US: pd_resources typo3 extension CVE-2009-4395 (Cross-site scripting (XSS) vulnerability in the Random Prayer 2 (ste_p ...) NOT-FOR-US: ste_prayer2 typo3 extension CVE-2009-4394 (SQL injection vulnerability in the Random Prayer 2 (ste_prayer2) exten ...) NOT-FOR-US: ste_prayer2 typo3 extension CVE-2009-4393 (SQL injection vulnerability in the Document Directorys (danp_documentd ...) NOT-FOR-US: danp_documentdirs CVE-2009-4392 (SQL injection vulnerability in the XDS Staff List (xds_staff) extensio ...) NOT-FOR-US: xds_staff typo3 extension CVE-2009-4391 (Cross-site scripting (XSS) vulnerability in the File list (dr_blob) ex ...) NOT-FOR-US: dr_blob typo3 extension CVE-2009-4390 (SQL injection vulnerability in the Car (car) extension 0.1.1 for TYPO3 ...) NOT-FOR-US: car typo3 extension CVE-2009-4389 (Unspecified vulnerability in the Watchdog (aba_watchdog) extension 2.0 ...) NOT-FOR-US: aba_watchdog typo3 extension CVE-2009-4388 (Cross-site scripting (XSS) vulnerability in the ListMan (nl_listman) e ...) NOT-FOR-US: nl_listman typo3 extension CVE-2009-4387 (The cross-site scripting (XSS) protection mechanism in ShowInContentAr ...) NOT-FOR-US: ManageEngine Password Manager Pro (PMP) CVE-2009-4386 (SQL injection vulnerability in hotel_tiempolibre_ext.php in Venalsur B ...) NOT-FOR-US: Venalsur Booking Centre Booking System CVE-2009-4385 (Multiple cross-site request forgery (CSRF) vulnerabilities in Scriptse ...) NOT-FOR-US: Scriptsez.net Ez Poll Hoster CVE-2009-4384 (Multiple cross-site scripting (XSS) vulnerabilities in Scriptsez.net E ...) NOT-FOR-US: Scriptsez.net Ez Poll Hoster CVE-2009-4383 (Directory traversal vulnerability in Pforum.php in Rocomotion P forum ...) NOT-FOR-US: Rocomotion P forum CVE-2009-4382 (Cross-site scripting (XSS) vulnerability in module.php in PHPFABER CMS ...) NOT-FOR-US: PHPFABER CMS CVE-2009-4381 (Cross-site scripting (XSS) vulnerability in index.php in texmedia Mill ...) NOT-FOR-US: texmedia Million Pixel Script CVE-2009-4380 (Multiple SQL injection vulnerabilities in Valarsoft Webmatic before 3. ...) NOT-FOR-US: Valarsoft Webmatic CVE-2009-4379 (Multiple cross-site scripting (XSS) vulnerabilities in Valarsoft Webma ...) NOT-FOR-US: Valarsoft Webmatic CVE-2010-0095 (Unspecified vulnerability in the Java Runtime Environment component in ...) - openjdk-6 6b17-1 - sun-java6 6.19-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2010-0094 (Unspecified vulnerability in the Java Runtime Environment component in ...) - openjdk-6 6b17-1 - sun-java6 6.19-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2010-0093 (Unspecified vulnerability in the Java Runtime Environment component in ...) - openjdk-6 6b17-1 - sun-java6 6.19-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2010-0092 (Unspecified vulnerability in the Java Runtime Environment component in ...) - openjdk-6 6b17-1 - sun-java6 6.19-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2010-0091 (Unspecified vulnerability in the Java Runtime Environment component in ...) - openjdk-6 6b17-1 - sun-java6 6.19-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2010-0090 (Unspecified vulnerability in the Java Web Start, Java Plug-in componen ...) - openjdk-6 6b17-1 - sun-java6 6.19-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2010-0089 (Unspecified vulnerability in the Java Web Start, Java Plug-in componen ...) - openjdk-6 6b17-1 - sun-java6 6.19-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2010-0088 (Unspecified vulnerability in the Java Runtime Environment component in ...) - openjdk-6 6b18-1.8-1 - sun-java6 6.19-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2010-0087 (Unspecified vulnerability in the Java Web Start, Java Plug-in componen ...) - openjdk-6 6b17-1 - sun-java6 6.19-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2010-0086 (Unspecified vulnerability in the Portal component in Oracle Fusion Mid ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2010-0085 (Unspecified vulnerability in the Java Runtime Environment component in ...) - openjdk-6 6b17-1 - sun-java6 6.19-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2010-0084 (Unspecified vulnerability in the Java Runtime Environment component in ...) - openjdk-6 6b17-1 - sun-java6 6.19-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2010-0083 (Unspecified vulnerability in Oracle OpenSolaris 8, 9, and 10 allows re ...) NOT-FOR-US: Solaris CVE-2010-0082 (Unspecified vulnerability in the HotSpot Server component in Oracle Ja ...) - openjdk-6 6b17-1 - sun-java6 6.19-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2010-0081 (Unspecified vulnerability in the Application Server Control component ...) NOT-FOR-US: Oracle Fusion CVE-2010-0080 (Unspecified vulnerability in the PeopleSoft Enterprise HCM - eProfile ...) NOT-FOR-US: PeopleSoft Enterprise HCM CVE-2010-0079 (Multiple vulnerabilities in the JRockit component in BEA Product Suite ...) NOT-FOR-US: BEA Product Suite CVE-2010-0078 (Unspecified vulnerability in the WebLogic Server component in BEA Prod ...) NOT-FOR-US: BEA Product Suite CVE-2010-0077 (Unspecified vulnerability in the CRM Technical Foundation (mobile) com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2010-0076 (Unspecified vulnerability in the Application Express Application Build ...) NOT-FOR-US: Oracle Database CVE-2010-0075 (Unspecified vulnerability in the Oracle HRMS (Self Service) component ...) NOT-FOR-US: Oracle E-Business Suite CVE-2010-0074 (Unspecified vulnerability in the WebLogic Server component in BEA Prod ...) NOT-FOR-US: BEA Product Suite CVE-2010-0073 (Unspecified vulnerability in the WebLogic Server in Oracle WebLogic Se ...) NOT-FOR-US: Oracle WebLogic Server CVE-2010-0072 (Unspecified vulnerability in the Oracle Secure Backup component in Ora ...) NOT-FOR-US: Oracle Secure Backup CVE-2010-0071 (Unspecified vulnerability in the Listener component in Oracle Database ...) NOT-FOR-US: Oracle Database CVE-2010-0070 (Unspecified vulnerability in the Oracle Containers for J2EE component ...) NOT-FOR-US: Oracle Application Server CVE-2010-0069 (Unspecified vulnerability in the WebLogic Server component in BEA Prod ...) NOT-FOR-US: BEA Product Suite CVE-2010-0068 (Unspecified vulnerability in the WebLogic Server component in BEA Prod ...) NOT-FOR-US: BEA Product Suite CVE-2010-0067 (Unspecified vulnerability in the Oracle Containers for J2EE component ...) NOT-FOR-US: Oracle Application Server CVE-2010-0066 (Unspecified vulnerability in the Access Manager Identity Server compon ...) NOT-FOR-US: Oracle Application Server CVE-2009-4378 (The IPMI dissector in Wireshark 1.2.0 through 1.2.4 on Windows allows ...) - wireshark (Windows-specific) CVE-2009-4377 (The (1) SMB and (2) SMB2 dissectors in Wireshark 0.9.0 through 1.2.4 a ...) {DSA-1983-1} - wireshark 1.2.5-1 [etch] - wireshark (Minor issue) CVE-2009-4376 (Buffer overflow in the daintree_sna_read function in the Daintree SNA ...) - wireshark 1.2.5-1 [lenny] - wireshark (Only affects Wireshark 1.2.x) [etch] - wireshark (Only affects Wireshark 1.2.x) CVE-2009-4375 (SQL injection vulnerability in repository/repository_attachment.php in ...) NOT-FOR-US: AlienVault Open Source Security Information Management CVE-2009-4374 (Directory traversal vulnerability in repository/repository_attachment. ...) NOT-FOR-US: AlienVault Open Source Security Information Management CVE-2009-4373 (Unrestricted file upload vulnerability in repository/repository_attach ...) NOT-FOR-US: AlienVault Open Source Security Information Management CVE-2009-4372 (AlienVault Open Source Security Information Management (OSSIM) 2.1.5, ...) NOT-FOR-US: AlienVault Open Source Security Information Management CVE-2009-4371 (Cross-site scripting (XSS) vulnerability in the Locale module (modules ...) - drupal6 6.15-1 (low; bug #562165) [lenny] - drupal6 6.6-3lenny4 - drupal5 5.21-1 [lenny] - drupal5 (Minor issue, requires auth) CVE-2009-4370 (Cross-site scripting (XSS) vulnerability in the Menu module (modules/m ...) - drupal6 6.15-1 (low; bug #562165) [lenny] - drupal6 6.6-3lenny4 - drupal5 5.21-1 [lenny] - drupal5 (Minor issue, requires auth) CVE-2009-4369 (Cross-site scripting (XSS) vulnerability in the Contact module (module ...) - drupal6 6.15-1 (low; bug #562165) [lenny] - drupal6 6.6-3lenny4 - drupal5 5.21-1 (low) [lenny] - drupal5 (Minor issue, requires auth) CVE-2009-4368 (Multiple unspecified vulnerabilities in Centreon before 2.1.4 have unk ...) - centreon-web (bug #913903) CVE-2009-4367 (The Staging Webservice ("sitecore modules/staging/service/api.asmx") i ...) NOT-FOR-US: Sitecore Staging Module CVE-2009-4366 (Cross-site scripting (XSS) vulnerability in index.php in ScriptsEz Ez ...) NOT-FOR-US: ScriptsEz Ez Blog CVE-2009-4365 (Multiple cross-site request forgery (CSRF) vulnerabilities in admin.ph ...) NOT-FOR-US: ScriptsEz Ez Blog CVE-2009-4364 (Cross-site scripting (XSS) vulnerability in index.php in ScriptsEz Ez ...) NOT-FOR-US: ScriptsEz Ez Blog CVE-2009-4363 (Text_Filter/lib/Horde/Text/Filter/Xss.php in Horde Application Framewo ...) {DSA-1966-1} - horde3 3.3.6+debian0-1 (low) CVE-2009-4362 (Multiple buffer overflows in qosmod in IBM AIX 6.1 allow local users t ...) NOT-FOR-US: IBM AIX CVE-2009-4361 (Multiple buffer overflows in qoslist in IBM AIX 6.1 allow local users ...) NOT-FOR-US: IBM AIX CVE-2009-4360 (SQL injection vulnerability in modules/content/index.php in the Conten ...) NOT-FOR-US: XOOPS CVE-2009-4359 (Cross-site scripting (XSS) vulnerability in folder.php in the SmartMed ...) NOT-FOR-US: XOOPS CVE-2009-4358 (freebsd-update in FreeBSD 8.0, 7.2, 7.1, 6.4, and 6.3 uses insecure pe ...) NOT-FOR-US: freebsd-update CVE-2009-4357 (CQWeb (aka the web interface) in IBM Rational ClearQuest before 7.1.1 ...) NOT-FOR-US: IBM Rational ClearQuest CVE-2009-4356 (Multiple integer overflows in the jpeg.w5s and png.w5s filters in Wina ...) NOT-FOR-US: Winamp CVE-2009-4355 (Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib ...) {DSA-1970-1} - openssl 0.9.8k-8 (low) [etch] - openssl (affects only 0.9.8f and later) NOTE: apache2 packages in squeeze/sid do not seem to allow exploit CVE-2009-4354 (TransWARE Active! mail 2003 build 2003.0139.0871 and earlier does not ...) NOT-FOR-US: TransWARE Active CVE-2009-4353 (The Mobile Edition of TransWARE Active! mail 2003 build 2003.0139.0871 ...) NOT-FOR-US: TransWARE Active CVE-2009-4352 (Multiple cross-site scripting (XSS) vulnerabilities in TransWARE Activ ...) NOT-FOR-US: TransWARE Active CVE-2009-4351 (SQL injection vulnerability in ADMIN/loginaction.php in WSCreator 1.1, ...) NOT-FOR-US: WSCreator CVE-2009-4350 (SQL injection vulnerability in index.php in Arctic Issue Tracker 2.1.1 ...) NOT-FOR-US: Arctic Issue Tracker CVE-2009-4349 (Cross-site request forgery (CSRF) vulnerability in administration/admi ...) NOT-FOR-US: Link Up Gold CVE-2009-4348 (Cross-site scripting (XSS) vulnerability in index.php in Harold Bakker ...) NOT-FOR-US: Harold Bakker's NewsScript CVE-2009-4347 (Cross-site scripting (XSS) vulnerability in daloradius-users/login.php ...) NOT-FOR-US: daloRADIUS CVE-2009-4346 (Cross-site scripting (XSS) vulnerability in the Frontend news submitte ...) NOT-FOR-US: fe_rtenews typo3 extension CVE-2009-4345 (Cross-site scripting (XSS) vulnerability in the vShoutbox (vshoutbox) ...) NOT-FOR-US: vShoutbox typo3 extension CVE-2009-4344 (Cross-site scripting (XSS) vulnerability in the ZID Linkliste (zid_lin ...) NOT-FOR-US: zid_linklist typo3 extension CVE-2009-4343 (Cross-site scripting (XSS) vulnerability in the Training Company Datab ...) NOT-FOR-US: trainincdb typo3 extension CVE-2009-4342 (SQL injection vulnerability in the Job Exchange (jobexchange) extensio ...) NOT-FOR-US: jobexchange typo3 extension CVE-2009-4341 (SQL injection vulnerability in the No indexed Search (no_indexed_searc ...) NOT-FOR-US: no_indexed_search typo3 extension CVE-2009-4340 (Cross-site scripting (XSS) vulnerability in the No indexed Search (no_ ...) NOT-FOR-US: no_indexed_search typo3 extension CVE-2009-4339 (SQL injection vulnerability in the Subscription (mf_subscription) exte ...) NOT-FOR-US: mf_subscription typo3 extension CVE-2009-4338 (SQL injection vulnerability in the Flash SlideShow (slideshow) extensi ...) NOT-FOR-US: slideshow typo3 extension CVE-2009-4337 (SQL injection vulnerability in the Diocese of Portsmouth Calendar (pd_ ...) NOT-FOR-US: pd_calendar typo3 extension CVE-2009-4336 (Cross-site scripting (XSS) vulnerability in the Diocese of Portsmouth ...) NOT-FOR-US: pd_calendar typo3 extension CVE-2009-4335 (Multiple unspecified vulnerabilities in bundled stored procedures in t ...) NOT-FOR-US: IBM DB2 CVE-2009-4334 (The Self Tuning Memory Manager (STMM) component in IBM DB2 9.1 before ...) NOT-FOR-US: IBM DB2 CVE-2009-4333 (The Relational Data Services component in IBM DB2 9.5 before FP5 allow ...) NOT-FOR-US: IBM DB2 CVE-2009-4332 (db2pd in the Problem Determination component in IBM DB2 9.1 before FP7 ...) NOT-FOR-US: IBM DB2 CVE-2009-4331 (The Install component in IBM DB2 9.5 before FP5 and 9.7 before FP1 con ...) NOT-FOR-US: IBM DB2 CVE-2009-4330 (Unspecified vulnerability in db2licm in the Engine Utilities component ...) NOT-FOR-US: IBM DB2 CVE-2009-4329 (Unspecified vulnerability in the Engine Utilities component in IBM DB2 ...) NOT-FOR-US: IBM DB2 CVE-2009-4328 (Unspecified vulnerability in the DRDA Services component in IBM DB2 9. ...) NOT-FOR-US: IBM DB2 CVE-2009-4327 (The Common Code Infrastructure component in IBM DB2 9.5 before FP5 and ...) NOT-FOR-US: IBM DB2 CVE-2009-4326 (The RAND scalar function in the Common Code Infrastructure component i ...) NOT-FOR-US: IBM DB2 CVE-2009-4325 (The Client Interfaces component in IBM DB2 8.2 before FP18, 9.1 before ...) NOT-FOR-US: IBM DB2 CVE-2009-XXXX [libhaml-ruby XSS issue] - libhaml-ruby 2.2.8-1 CVE-2009-XXXX [roundup: unspecified issue] - roundup 1.4.11-1 CVE-2010-0065 (Disk Images in Apple Mac OS X before 10.6.3 allows user-assisted remot ...) NOT-FOR-US: Apple Disk Images CVE-2010-0064 (DesktopServices in Apple Mac OS X 10.6 before 10.6.3 preserves file ow ...) NOT-FOR-US: Apple DesktopServices CVE-2010-0063 (Incomplete blacklist vulnerability in CoreTypes in Apple Mac OS X befo ...) NOT-FOR-US: Apple CoreTypes CVE-2010-0062 (Heap-based buffer overflow in quicktime.qts in CoreMedia and QuickTime ...) NOT-FOR-US: Apple QuickTime CVE-2010-0061 RESERVED CVE-2010-0060 (CoreAudio in Apple Mac OS X before 10.6.3 allows remote attackers to e ...) NOT-FOR-US: Apple CoreAudio CVE-2010-0059 (CoreAudio in Apple Mac OS X before 10.6.3 allows remote attackers to e ...) NOT-FOR-US: Apple CoreAudio CVE-2010-0058 (freshclam in ClamAV in Apple Mac OS X 10.5.8 with Security Update 2009 ...) - clamav (apple-specific configuration issue) CVE-2010-0057 (AFP Server in Apple Mac OS X before 10.6.3 does not prevent guest use ...) NOT-FOR-US: Apple AFP Server CVE-2010-0056 (Buffer overflow in Cocoa spell checking in AppKit in Apple Mac OS X 10 ...) NOT-FOR-US: Apple AppKit CVE-2010-0055 (xar in Apple Mac OS X 10.5.8 does not properly validate package signat ...) - xar (bug #572556) [lenny] - xar (Minor issue) CVE-2010-0054 (Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 al ...) - chromium-browser 6.0.466.0~r52279-1 - webkit 1.1.90-1 (bug #574064) [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) NOTE: http://trac.webkit.org/changeset/53812 NOTE: http://trac.webkit.org/changeset/53813 NOTE: http://trac.webkit.org/changeset/54242 CVE-2010-0053 (Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 al ...) - chromium-browser 6.0.466.0~r52279-1 - webkit 1.1.90-1 (bug #574064) [lenny] - webkit (Vulnerable code not present) NOTE: http://trac.webkit.org/changeset/50466 CVE-2010-0052 (Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 al ...) - chromium-browser 6.0.466.0~r52279-1 - webkit 1.1.90-1 (bug #574064) [lenny] - webkit (Vulnerable code not present) NOTE: http://trac.webkit.org/changeset/51877 CVE-2010-0051 (WebKit in Apple Safari before 4.0.5 does not properly validate the cro ...) NOTE: http://trac.webkit.org/changeset/52784 NOTE: duplicate of CVE-2010-0651 CVE-2010-0050 (Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 al ...) - chromium-browser 6.0.466.0~r52279-1 - webkit 1.1.90-1 (bug #574064) [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) NOTE: http://trac.webkit.org/changeset/52073 CVE-2010-0049 (Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 al ...) - chromium-browser 6.0.466.0~r52279-1 - webkit 1.1.90-1 (bug #574064) [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) NOTE: http://trac.webkit.org/changeset/52527 CVE-2010-0048 (Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 al ...) - chromium-browser 6.0.466.0~r52279-1 - webkit 1.1.90-1 (bug #574064) [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) NOTE: http://trac.webkit.org/changeset/51962 CVE-2010-0047 (Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 al ...) - chromium-browser 6.0.466.0~r52279-1 - webkit 1.1.90-1 (bug #574064) [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) NOTE: http://trac.webkit.org/changeset/50698 CVE-2010-0046 (The Cascading Style Sheets (CSS) implementation in WebKit in Apple Saf ...) - chromium-browser 6.0.466.0~r52279-1 - webkit 1.1.90-1 (bug #574064) [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) NOTE: http://trac.webkit.org/changeset/51727 CVE-2010-0045 (Apple Safari before 4.0.5 on Windows does not properly validate extern ...) NOT-FOR-US: Apple Safari CVE-2010-0044 (PubSub in Apple Safari before 4.0.5 does not properly implement use of ...) NOT-FOR-US: Apple PubSub NOTE: apple's pubsub is rss-oriented and all debian packages with pubsub NOTE: components are not; hence this is very likely an issue specifically with NOTE: their own code, or their wrapper code around another PubSub library CVE-2010-0043 (ImageIO in Apple Safari before 4.0.5 and iTunes before 9.1 on Windows ...) NOT-FOR-US: Apple Safari CVE-2010-0042 (ImageIO in Apple Safari before 4.0.5 and iTunes before 9.1 on Windows ...) NOT-FOR-US: Apple Safari CVE-2010-0041 (ImageIO in Apple Safari before 4.0.5 and iTunes before 9.1 on Windows ...) NOT-FOR-US: Apple Safari CVE-2010-0040 (Integer overflow in ColorSync in Apple Safari before 4.0.5 on Windows, ...) NOT-FOR-US: Apple Safari CVE-2010-0039 (The Application-Level Gateway (ALG) on the Apple Time Capsule, AirPort ...) NOT-FOR-US: Apple CVE-2010-0038 (Recovery Mode in Apple iPhone OS 1.0 through 3.1.2, and iPhone OS for ...) NOT-FOR-US: Apple iPhone OS CVE-2010-0037 (Buffer overflow in Image RAW in Apple Mac OS X 10.5.8 and 10.6.2 allow ...) NOT-FOR-US: Apple Mac OS X CVE-2010-0036 (Buffer overflow in CoreAudio in Apple Mac OS X 10.5.8 and 10.6.2 allow ...) NOT-FOR-US: Apple Mac OS X CVE-2010-0035 (The Key Distribution Center (KDC) in Kerberos in Microsoft Windows 200 ...) NOT-FOR-US: Microsoft Windows CVE-2010-0034 (Stack-based buffer overflow in Microsoft Office PowerPoint 2003 SP3 al ...) NOT-FOR-US: Microsoft Office PowerPoint CVE-2010-0033 (Stack-based buffer overflow in Microsoft Office PowerPoint 2003 SP3 al ...) NOT-FOR-US: Microsoft Office PowerPoint CVE-2010-0032 (Use-after-free vulnerability in Microsoft Office PowerPoint 2002 SP3 a ...) NOT-FOR-US: Microsoft Office PowerPoint CVE-2010-0031 (Array index error in Microsoft Office PowerPoint 2002 SP3 and 2003 SP3 ...) NOT-FOR-US: Microsoft Office PowerPoint CVE-2010-0030 (Heap-based buffer overflow in Microsoft Office PowerPoint 2002 SP3 and ...) NOT-FOR-US: Microsoft Office PowerPoint CVE-2010-0029 (Buffer overflow in Microsoft Office PowerPoint 2002 SP3 allows remote ...) NOT-FOR-US: Microsoft Office PowerPoint CVE-2010-0028 (Integer overflow in Microsoft Paint in Windows 2000 SP4, XP SP2 and SP ...) NOT-FOR-US: Microsoft Paint CVE-2010-0027 (The URL validation functionality in Microsoft Internet Explorer 5.01, ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-0026 (The Hyper-V server implementation in Microsoft Windows Server 2008 Gol ...) NOT-FOR-US: Microsoft Windows Server CVE-2010-0025 (The SMTP component in Microsoft Windows 2000 SP4, XP SP2 and SP3, Serv ...) NOT-FOR-US: Microsoft Windows CVE-2010-0024 (The SMTP component in Microsoft Windows 2000 SP4, XP SP2 and SP3, Serv ...) NOT-FOR-US: Microsoft Windows CVE-2010-0023 (The Client/Server Run-time Subsystem (CSRSS) in Microsoft Windows 2000 ...) NOT-FOR-US: Microsoft Windows CVE-2010-0022 (The SMB implementation in the Server service in Microsoft Windows 2000 ...) NOT-FOR-US: Microsoft Windows CVE-2010-0021 (Multiple race conditions in the SMB implementation in the Server servi ...) NOT-FOR-US: Microsoft Windows Vista Gold CVE-2010-0020 (The SMB implementation in the Server service in Microsoft Windows 2000 ...) NOT-FOR-US: Microsoft Windows CVE-2010-0019 (Microsoft Silverlight 3 before 3.0.50611.0 on Windows, and before 3.0. ...) NOT-FOR-US: Microsoft Silverlight on Windows CVE-2010-0018 (Integer overflow in the Embedded OpenType (EOT) Font Engine (t2embed.d ...) NOT-FOR-US: Microsoft Windows CVE-2010-0017 (Race condition in the SMB client implementation in Microsoft Windows S ...) NOT-FOR-US: Microsoft Windows Server CVE-2010-0016 (The SMB client implementation in Microsoft Windows 2000 SP4, XP SP2 an ...) NOT-FOR-US: Microsoft Windows CVE-2010-0015 (nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7 an ...) {DSA-1973-1} - eglibc 2.10.2-4 (medium; bug #560333) - glibc 2.10.2-4 (medium) CVE-2010-0014 (System Security Services Daemon (SSSD) before 1.0.1, when the krb5 aut ...) - sssd 1.0.5-1 CVE-2010-0013 (Directory traversal vulnerability in slp.c in the MSN protocol plugin ...) - pidgin 2.6.5-1 (medium; bug #563206) [lenny] - pidgin (vulnerable code not present) - gaim (vulnerable code not present) NOTE: http://events.ccc.de/congress/2009/Fahrplan/attachments/1483_26c3_ipv4_fuckups.pdf CVE-2010-0012 (Directory traversal vulnerability in libtransmission/metainfo.c in Tra ...) {DSA-1967-1} - transmission 1.77-1 (low) NOTE: http://trac.transmissionbt.com/changeset/9829/ NOTE: https://bugs.launchpad.net/ubuntu/+source/transmission/+bug/500625 CVE-2010-0011 (The eval_js function in uzbl-core.c in Uzbl before 2010.01.05 exposes ...) - uzbl 0.0.0~git.20100105-1 (medium) NOTE: http://www.uzbl.org/news.php?id=22 NOTE: maintainer is aware of it CVE-2010-0010 (Integer overflow in the ap_proxy_send_fb function in proxy/proxy_util. ...) - apache (low) NOTE: Exploitability is fairly limited: Can only be exploited by a malicious server, NOTE: not by a client. No sane person uses apache 1.3 as forward proxy and in reverse NOTE: proxy situations, the backend server is usually trusted, anyway. CVE-2010-0009 (Apache CouchDB 0.8.0 through 0.10.1 allows remote attackers to obtain ...) - couchdb 0.11.0-1 (bug #576304) [lenny] - couchdb (Minor information leak) CVE-2010-0008 (The sctp_rcv_ootb function in the SCTP implementation in the Linux ker ...) - linux-2.6 2.6.23-1 CVE-2010-0007 (net/bridge/netfilter/ebtables.c in the ebtables module in the netfilte ...) {DSA-2005-1 DSA-2003-1 DSA-1996-1} - linux-2.6 2.6.32-6 - linux-2.6.24 CVE-2010-0006 (The ipv6_hop_jumbo function in net/ipv6/exthdrs.c in the Linux kernel ...) - linux-2.6 2.6.32-6 [lenny] - linux-2.6 (vulnerable code introduced in 2.6.28) [etch] - linux-2.6 (vulnerable code introduced in 2.6.28) - linux-2.6.24 (vulnerable code introduced in 2.6.28) CVE-2010-0005 (query.py in the query interface in ViewVC before 1.1.3 does not reject ...) - viewvc 1.1.5-1 (bug #575777) CVE-2010-0004 (ViewVC before 1.1.3 composes the root listing view without using the a ...) - viewvc 1.1.5-1 (bug #575777) CVE-2010-0003 (The print_fatal_signal function in kernel/signal.c in the Linux kernel ...) {DSA-2005-1 DSA-1996-1} - linux-2.6 2.6.32-6 [etch] - linux-2.6 (does not have print-fatal-signals) - linux-2.6.24 CVE-2010-0002 (The /etc/profile.d/60alias.sh script in the Mandriva bash package for ...) - bash (mandriva-specific packaging issue) CVE-2010-0001 (Integer underflow in the unlzw function in unlzw.c in gzip before 1.4 ...) {DSA-2074-1 DSA-1974-1} - gzip 1.3.12-9 (medium; bug #566002) - linux-2.6 (does not include unlzw.c in its gzip code copy) - klibc (does not include unlzw.c in its gzip code copy) - busybox (does not include unlzw.c in its gzip code copy) - pristine-tar (does not include unlzw.c in its gzip code copy) - ncompress 4.2.4.3-1 CVE-2009-4324 (Use-after-free vulnerability in the Doc.media.newPlayer method in Mult ...) NOT-FOR-US: Adobe Reader and Acrobat 8.0 CVE-2009-4323 (The installation for Zen Cart stores sensitive information and insecur ...) NOT-FOR-US: Zen Cart CVE-2009-4322 (extras/ipn_test_return.php in Zen Cart allows remote attackers to obta ...) NOT-FOR-US: Zen Cart CVE-2009-4321 (extras/curltest.php in Zen Cart 1.3.8 and 1.3.8a, and possibly other v ...) NOT-FOR-US: Zen Cart CVE-2009-4320 (Cross-site scripting (XSS) vulnerability in searchform.php in The Next ...) NOT-FOR-US: The Next Generation of Genealogy Sitebuilding CVE-2009-4319 (PHP remote file inclusion vulnerability in js/bbcodepress/bbcode-form. ...) NOT-FOR-US: eoCMS CVE-2009-4318 (Cross-site scripting (XSS) vulnerability in index.php in Real Estate M ...) NOT-FOR-US: Real Estate Manager CVE-2009-4317 (Cross-site scripting (XSS) vulnerability in index.php in ScriptsEz Ez ...) NOT-FOR-US: ScriptsEz CVE-2009-4316 (Cross-site scripting (XSS) vulnerability in searchresults_main.php in ...) NOT-FOR-US: ZeeLyrics CVE-2009-4315 (Directory traversal vulnerability in admin/ajaxsave.php in Nuggetz CMS ...) NOT-FOR-US: Nuggetz CMS CVE-2009-4314 (Sun Ray Server Software 4.1 on Solaris 10, when Automatic Multi-Group ...) NOT-FOR-US: Sun Ray Server Software CVE-2009-4313 (ir32_32.dll 3.24.15.3 in the Indeo32 codec in Microsoft Windows 2000 S ...) NOT-FOR-US: Microsoft CVE-2009-4312 (Unspecified vulnerability in the Indeo codec in Microsoft Windows 2000 ...) NOT-FOR-US: Microsoft CVE-2009-4311 (Unspecified vulnerability in the Indeo codec in Microsoft Windows 2000 ...) NOT-FOR-US: Microsoft CVE-2009-4310 (Stack-based buffer overflow in the Intel Indeo41 codec for Windows Med ...) NOT-FOR-US: Microsoft CVE-2009-4309 (Heap-based buffer overflow in the Intel Indeo41 codec for Windows Medi ...) NOT-FOR-US: Microsoft CVE-2009-4308 (The ext4_decode_error function in fs/ext4/super.c in the ext4 filesyst ...) {DSA-2005-1} - linux-2.6 2.6.32-1 (medium) [etch] - linux-2.6 (ext4 introduced in 2.6.19) [lenny] - linux-2.6 2.6.26-21 - linux-2.6.24 (medium) CVE-2009-4307 (The ext4_fill_flex_info function in fs/ext4/super.c in the Linux kerne ...) {DSA-2443-1} - linux-2.6 2.6.32-2 (low) [etch] - linux-2.6 (vulnerable code introduced in 2.6.27) [lenny] - linux-2.6 (vulnerable code introduced in 2.6.27) - linux-2.6.24 (vulnerabile code introduced in 2.6.27) CVE-2009-4306 (Unspecified vulnerability in the EXT4_IOC_MOVE_EXT (aka move extents) ...) - linux-2.6 2.6.32-2 (medium) [etch] - linux-2.6 (vulnerable code introduced in 2.6.31) [lenny] - linux-2.6 (vulnerable code introduced in 2.6.31) - linux-2.6.24 (vulnerable code introduced in 2.6.31) CVE-2009-4291 RESERVED CVE-2009-4290 RESERVED CVE-2009-4289 RESERVED CVE-2009-4288 RESERVED CVE-2009-4287 RESERVED CVE-2009-4286 RESERVED CVE-2009-4285 RESERVED CVE-2009-4284 RESERVED CVE-2009-4283 RESERVED CVE-2009-4282 RESERVED CVE-2009-4281 RESERVED CVE-2009-4280 RESERVED CVE-2009-4279 RESERVED CVE-2009-4278 RESERVED CVE-2009-4277 RESERVED CVE-2009-4276 REJECTED CVE-2009-4275 REJECTED CVE-2009-4274 (Stack-based buffer overflow in converter/ppm/xpmtoppm.c in netpbm befo ...) {DSA-2026-1 DTSA-206-1} - netpbm-free 2:10.0-12.2 (medium; bug #569060) CVE-2009-4273 (stap-server in SystemTap before 1.1 allows remote attackers to execute ...) - systemtap 1.1-1 (bug #568865) [lenny] - systemtap (Server component not yet present) [etch] - systemtap (Server component not yet present) CVE-2009-4272 (A certain Red Hat patch for net/ipv4/route.c in the Linux kernel 2.6.1 ...) - linux-2.6 2.6.31-1 (medium) [lenny] - linux-2.6 (vulnerable code introduced in 2.6.27) [etch] - linux-2.6 (vulnerable code introduced in 2.6.27) - linux-2.6.24 (vulnerable code introduced in 2.6.27) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=545411 CVE-2009-4271 (The Linux kernel 2.6.9 through 2.6.17 on the x86_64 and amd64 platform ...) - linux-2.6 2.6.18-1 CVE-2009-4270 (Stack-based buffer overflow in the errprintf function in base/gsmisc.c ...) {DSA-2080-1} - ghostscript 8.70~dfsg-2.1 (medium; bug #562643) CVE-2009-4269 (The password hash generation algorithm in the BUILTIN authentication f ...) - derby (Fixed before initial upload to Debian) NOTE: https://issues.apache.org/jira/browse/DERBY-4483 CVE-2009-4268 REJECTED CVE-2009-4267 (The console in Apache jUDDI 3.0.0 does not properly escape line feeds, ...) NOT-FOR-US: Apache jUDDI CVE-2009-XXXX [gnome-screensaver inhibitor not removed when connection is closed] - gnome-screensaver 2.28.0-2 (low; bug #560895) [etch] - gnome-screensaver (vulnerable code introduced in 2.28) [lenny] - gnome-screensaver (vulnerable code introduced in 2.28) NOTE: the code in etch's version is more different but it seems to be affected NOTE: http://git.gnome.org/browse/gnome-screensaver/commit/?id=284c9924969a49dbf2d5fae1d680d3310c4df4a3 CVE-2009-5018 (Stack-based buffer overflow in gif2png.c in gif2png 2.5.3 and earlier ...) - gif2png 2.5.2-1 (low; bug #550978) [etch] - gif2png (minor issue) [lenny] - gif2png (minor issue) CVE-2009-XXXX [browser-based css info disclosure] - xulrunner (unimportant; bug #560108) - webkit (unimportant; bug #560870) - qt4-x11 (unimportant; bug #561754) - kdelibs (unimportant; bug #561752) - kde4libs (unimportant; bug #561753) - kazehakase (unimportant; bug #560871) - epiphany-browser (unimportant; bug #560872) - galeon (unimportant; bug #560873) - dillo (unimportant; bug #560874) NOTE: Minor design issue CVE-2009-XXXX [xpat2: save game permissions issue] - xpat2 1.07-17 (unimportant; bug #560087) CVE-2009-4144 (NetworkManager (NM) 0.7.2 does not ensure that the configured Certific ...) - network-manager-applet 0.7.2-2 (low; bug #560067) [lenny] - network-manager-applet (WPA/enterprise was added in 0.7.2) - network-manager (vulnerable code is in -applet, which is a source package on its own as of 0.6.5) CVE-2009-XXXX [unsafe xfs] - xfs 1:1.0.8-6 (low; bug #521107) [etch] - xfs (minor issue) [lenny] - xfs 1:1.0.8-2.2+lenny1 CVE-2009-XXXX [xserver-xorg: inherits user's mask] - xorg-server 2:1.7.2-1 (low; bug #555308) [lenny] - xorg-server 2:1.4.2-10.lenny3 CVE-2009-4296 (SQL injection vulnerability in the Taxonomy Timer module 5.x-1.8 and e ...) NOT-FOR-US: Taxonomy Timer module for Drupal CVE-2009-4295 (Sun Ray Server Software 4.0 and 4.1 does not generate a unique DSA pri ...) NOT-FOR-US: Sun Ray Server Software CVE-2009-4294 (Unspecified vulnerability in the Authentication Manager (aka utauthd) ...) NOT-FOR-US: Sun Ray Server Software CVE-2009-4293 (Internet Initiative Japan SEIL/X1, SEIL/X2, and SEIL/B1 firmware 2.30 ...) NOT-FOR-US: Internet Initiative Japan CVE-2009-4292 (Buffer overflow in the URL filtering function in Internet Initiative J ...) NOT-FOR-US: Internet Initiative Japan CVE-2009-4266 (Cross-site scripting (XSS) vulnerability in search.php in YABSoft Adva ...) NOT-FOR-US: YABSoft Advanced Image Hosting (AIH) Script CVE-2009-4265 (Stack-based buffer overflow in Ideal Administration 2009 9.7.1, and po ...) NOT-FOR-US: Ideal Administration CVE-2009-4264 (PHP remote file inclusion vulnerability in components/core/connect.php ...) NOT-FOR-US: AROUNDMe CVE-2009-4263 (SQL injection vulnerability in main_forum.php in PTCPay GeN3 forum 1.3 ...) NOT-FOR-US: PTCPay CVE-2009-4262 (Harold Bakker's NewsScript (HB-NS) 1.3 allows remote attackers to obta ...) NOT-FOR-US: Harold Bakker's Newscript HB-NS CVE-2009-XXXX [php-net-ping argument injection] - php-net-ping 2.4.2-1.1 (medium) [etch] - php-net-ping 2.4.2-1+etch1 [lenny] - php-net-ping 2.4.2-1+lenny1 CVE-2009-4305 (SQL injection vulnerability in the SCORM module in Moodle 1.8 before 1 ...) {DSA-1986-1} - moodle 1.8.2.dfsg-6 (medium; bug #559531) NOTE: MSA-09-0031 CVE-2009-4304 (Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 does not use a random pa ...) {DSA-2115-1} - moodle 1.9.8-1 (bug #559531) [lenny] - moodle (Minor issue) [etch] - moodle (Minor issue) NOTE: MSA-09-0029 CVE-2009-4303 (Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 stores (1) password hash ...) {DSA-1986-1} - moodle 1.8.2.dfsg-6 (bug #559531) NOTE: MSA-09-0028 CVE-2009-4302 (login/index_form.html in Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 ...) {DSA-1986-1} - moodle 1.8.2.dfsg-6 (bug #559531) NOTE: MSA-09-0027 CVE-2009-4301 (mnet/lib.php in Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7, when MN ...) {DSA-1986-1} - moodle 1.8.2.dfsg-6 (bug #559531) NOTE: MSA-09-0026 CVE-2009-4300 (Multiple unspecified authentication plugins in Moodle 1.8 before 1.8.1 ...) {DSA-2115-1} - moodle 1.9.8-1 (bug #559531) [lenny] - moodle (Minor issue) [etch] - moodle (Minor issue) NOTE: MSA-09-0025 CVE-2009-4299 (mod/glossary/showentry.php in the Glossary module for Moodle 1.8 befor ...) {DSA-1986-1} - moodle 1.8.2.dfsg-6 (bug #559531) NOTE: MSA-09-0024 CVE-2009-4298 (The LAMS module (mod/lams) for Moodle 1.8 before 1.8.11 and 1.9 before ...) {DSA-1986-1} - moodle 1.8.2.dfsg-6 (bug #559531) NOTE: MSA-09-0023 CVE-2009-4297 (Multiple cross-site request forgery (CSRF) vulnerabilities in Moodle 1 ...) {DSA-1986-1} - moodle 1.8.2.dfsg-6 (bug #559531) NOTE: MSA-09-0022 CVE-2009-5042 (python-docutils allows insecure usage of temporary files ...) - python-docutils 0.6-2 (low; bug #560755) [etch] - python-docutils (vulnerable code introduced in 0.5) [lenny] - python-docutils 0.5-2+lenny1 NOTE: cve requested CVE-2009-4261 (Multiple directory traversal vulnerabilities in the iallocator framewo ...) {DSA-1959-1} - ganeti 2.0.5-1 (low) NOTE: http://www.ocert.org/advisories/ocert-2009-019.html CVE-2009-4260 RESERVED CVE-2009-4259 RESERVED CVE-2009-4258 RESERVED CVE-2009-4257 (Heap-based buffer overflow in datatype/smil/common/smlpkt.cpp in smlre ...) NOT-FOR-US: RealPlayer CVE-2009-4256 (Multiple SQL injection vulnerabilities in cource.php in AlefMentor 2.0 ...) NOT-FOR-US: AlefMentor CVE-2009-4255 (Cross-site scripting (XSS) vulnerability in the You!Hostit! template 1 ...) NOT-FOR-US: Joomla! component CVE-2009-4254 (PowerPhlogger 2.2.5 allows remote attackers to obtain sensitive inform ...) NOT-FOR-US: PowerPhlogger CVE-2009-4253 (Cross-site scripting (XSS) vulnerability in dspStats.php in PowerPhlog ...) NOT-FOR-US: PowerPhlogger CVE-2009-4252 (Cross-site scripting (XSS) vulnerability in images.php in Image Hostin ...) NOT-FOR-US: Image Hosting Script DPI CVE-2009-4251 (Stack-based buffer overflow in Jasc Paint Shop Pro 8.10 (aka Corel Pai ...) NOT-FOR-US: Jasc Paint Shop Pro CVE-2009-4250 (Multiple cross-site scripting (XSS) vulnerabilities in CutePHP CuteNew ...) NOT-FOR-US: CuteNews CVE-2009-4249 (Multiple cross-site scripting (XSS) vulnerabilities in CutePHP CuteNew ...) NOT-FOR-US: CuteNews CVE-2009-4248 (Buffer overflow in the RTSPProtocol::HandleSetParameterRequest functio ...) NOT-FOR-US: RealPlayer CVE-2009-4247 (Stack-based buffer overflow in protocol/rtsp/rtspclnt.cpp in RealNetwo ...) NOT-FOR-US: RealPlayer CVE-2009-4246 (Stack-based buffer overflow in RealNetworks RealPlayer 10, RealPlayer ...) NOT-FOR-US: RealPlayer CVE-2009-4245 (Heap-based buffer overflow in RealNetworks RealPlayer 10, RealPlayer 1 ...) NOT-FOR-US: RealPlayer CVE-2009-4244 (Heap-based buffer overflow in RealNetworks RealPlayer 10; RealPlayer 1 ...) NOT-FOR-US: RealPlayer CVE-2009-4243 (RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12 ...) NOT-FOR-US: RealPlayer CVE-2009-4242 (Heap-based buffer overflow in the CGIFCodec::GetPacketBuffer function ...) NOT-FOR-US: RealPlayer CVE-2009-4241 (Heap-based buffer overflow in RealNetworks RealPlayer 10, RealPlayer 1 ...) NOT-FOR-US: RealPlayer CVE-2009-4240 (Multiple buffer overflows in unspecified setuid executables in the Dat ...) NOT-FOR-US: IBM InfoSphere Information Server CVE-2009-4239 (Cross-site scripting (XSS) vulnerability in the Web console in IBM Inf ...) NOT-FOR-US: IBM InfoSphere Information Server CVE-2009-4238 (Multiple SQL injection vulnerabilities in TestLink before 1.8.5 allow ...) NOT-FOR-US: TestLink CVE-2009-4237 (Multiple cross-site scripting (XSS) vulnerabilities in TestLink before ...) NOT-FOR-US: TestLink CVE-2009-4236 (The process function in data/class/pages/admin/customer/LC_Page_Admin_ ...) NOT-FOR-US: EC-CUBE CVE-2009-4235 (acpid 1.0.4 sets an unrestrictive umask, which might allow local users ...) {DSA-1960-1} - acpid 1.0.6 (low; bug #560771) NOTE: all versions set umask(0), might be worth double-checking what it opens CVE-2009-4234 (Cross-site scripting (XSS) vulnerability in loginpages/error_user.shtm ...) NOT-FOR-US: Micronet Network Access Controller CVE-2009-4233 (Cross-site scripting (XSS) vulnerability in modules/mod_yj_whois.php i ...) NOT-FOR-US: Joomla! component CVE-2009-4232 (The Kide Shoutbox (com_kide) component 0.4.6 for Joomla! does not prop ...) NOT-FOR-US: Joomla! component CVE-2009-4231 (Directory traversal vulnerability in as/lib/plugins.php in SweetRice 0 ...) NOT-FOR-US: SweetRice CVE-2009-4230 (Multiple stack-based buffer overflows in src/Task.cc in the FastCGI pr ...) NOT-FOR-US: IIPImage Server CVE-2009-4229 (Multiple SQL injection vulnerabilities in ActiveWebSoftwares Active Bi ...) NOT-FOR-US: ActiveWebSoftwares Active Bids CVE-2009-4226 (Race condition in the IP module in the kernel in Sun OpenSolaris snv_1 ...) NOT-FOR-US: OpenSolaris kernel CVE-2009-4225 (Stack-based buffer overflow in the PestPatrol ActiveX control (ppctl.d ...) NOT-FOR-US: PestPatrol CVE-2009-4228 (Stack consumption vulnerability in u_bound.c in Xfig 3.2.5b and earlie ...) - xfig (unimportant) CVE-2009-4227 (Stack-based buffer overflow in the read_1_3_textobject function in f_r ...) - xfig 1:3.2.5.b-1 (low; bug #559274) [lenny] - xfig (Minor issue) [etch] - xfig (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=543905 CVE-2009-4413 (The httpClientDiscardBody function in client.c in Polipo 0.9.8, 0.9.12 ...) {DSA-2002-1} - polipo 1.0.4-2 (low; bug #560779) [etch] - polipo (Minor issue) [lenny] - polipo (Minor issue) CVE-2009-4224 (Multiple PHP remote file inclusion vulnerabilities in SweetRice 0.5.4, ...) NOT-FOR-US: SweetRice CVE-2009-4223 (PHP remote file inclusion vulnerability in adm/krgourl.php in KR-Web 1 ...) NOT-FOR-US: KR-Web CVE-2009-4222 (phpBazar 2.1.1fix and earlier does not require administrative authenti ...) NOT-FOR-US: phpBazar CVE-2009-4221 (SQL injection vulnerability in classified.php in phpBazar 2.1.1fix and ...) NOT-FOR-US: phpBazar CVE-2009-4220 (PHP remote file inclusion vulnerability in includes/classes/pctemplate ...) NOT-FOR-US: PointComma CVE-2009-4219 (Stack-based buffer overflow in the MYACTIVEX.MyActiveXCtrl.1 ActiveX c ...) NOT-FOR-US: Haihaisoft Universal Player CVE-2009-4218 (Multiple SQL injection vulnerabilities in files/login.asp in JiRo's Ba ...) NOT-FOR-US: JiRo's Banner System eXperience (JBSX) CVE-2009-4217 (SQL injection vulnerability in the Itamar Elharar MusicGallery (com_mu ...) NOT-FOR-US: Joomla! component CVE-2009-4216 (Directory traversal vulnerability in funzioni/lib/menulast.php in klin ...) NOT-FOR-US: klinza CVE-2009-4215 (Panda Global Protection 2010, Internet Security 2010, and Antivirus Pr ...) NOT-FOR-US: Panda CVE-2009-4213 RESERVED CVE-2009-4212 (Multiple integer underflows in the (1) AES and (2) RC4 decryption func ...) {DSA-1969-1} - krb5 1.8+dfsg~alpha1-1 CVE-2009-4211 (The U.S. Defense Information Systems Agency (DISA) Security Readiness ...) NOT-FOR-US: U.S. Defense Information Systems Agency (DISA) Security Readiness Review (SRR) script CVE-2009-4210 (The Indeo codec in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Ser ...) NOT-FOR-US: Microsoft CVE-2009-4209 (Multiple cross-site scripting (XSS) vulnerabilities in admin/index.php ...) NOT-FOR-US: moziloCMS CVE-2009-4208 (SQL injection vulnerability in the os_news module in Open-school (OS) ...) NOT-FOR-US: Open-school CVE-2009-4207 (Cross-site scripting (XSS) vulnerability in the Webform module 5.x bef ...) NOT-FOR-US: module for Drupal CVE-2009-4206 (SQL injection vulnerability in admin.link.modify.php in Million Dollar ...) NOT-FOR-US: Million Dollar Text Links CVE-2009-4205 (Directory traversal vulnerability in admin.php in Flashlight Free Edit ...) NOT-FOR-US: Flashlight Free Edition CVE-2009-4204 (SQL injection vulnerability in read.php in Flashlight Free Edition all ...) NOT-FOR-US: Flashlight Free Edition CVE-2009-4203 (Multiple SQL injection vulnerabilities in admin/aclass/admin_func.php ...) NOT-FOR-US: Arab Portal CVE-2009-4202 (Directory traversal vulnerability in the Omilen Photo Gallery (com_omp ...) NOT-FOR-US: Joomla! component CVE-2009-4201 (Multiple stack-based buffer overflows in Mp3 Tag Assistant Professiona ...) NOT-FOR-US: Mp3 Tag Assistant Professional CVE-2009-4200 (SQL injection vulnerability in the Seminar (com_seminar) component 1.2 ...) NOT-FOR-US: Joomla! component CVE-2009-4199 (Multiple SQL injection vulnerabilities in the Mambo Resident (aka Mos ...) NOT-FOR-US: Joomla! component CVE-2009-4198 (SQL injection vulnerability in my_orders.php in MyMiniBill allows remo ...) NOT-FOR-US: MyMiniBill CVE-2009-4197 (rpwizPppoe.htm in Huawei MT882 V100R002B020 ARG-T running firmware 3.7 ...) NOT-FOR-US: Huawei MT882 V100R002B020 CVE-2009-4196 (Multiple cross-site scripting (XSS) vulnerabilities in multiple script ...) NOT-FOR-US: Huawei MT882 V100R002B020 CVE-2009-4195 (Buffer overflow in Adobe Illustrator CS4 14.0.0, CS3 13.0.3 and earlie ...) NOT-FOR-US: Adobe Illustrator CVE-2009-4194 (Directory traversal vulnerability in Golden FTP Server 4.30 Free and P ...) NOT-FOR-US: Golden FTP CVE-2009-4192 (Directory traversal vulnerability in dialog/file_manager.php in Inters ...) NOT-FOR-US: Interspire Knowledge Manager CVE-2009-4191 (Unspecified vulnerability in the kernel in Sun Solaris 10 and OpenSola ...) NOT-FOR-US: Sun Solaris CVE-2009-4190 (Unspecified vulnerability in the kernel in Sun OpenSolaris 2009.06 all ...) NOT-FOR-US: Sun Solaris CVE-2009-4189 (HP Operations Manager has a default password of OvW*busr1 for the ovwe ...) NOT-FOR-US: HP Operations Manager CVE-2009-4188 (HP Operations Dashboard has a default password of j2deployer for the j ...) NOT-FOR-US: HP Operations Dashboard CVE-2009-4187 (Multiple cross-site scripting (XSS) vulnerabilities in the Gateway com ...) NOT-FOR-US: Sun Java System Portal Server CVE-2009-4186 (Stack consumption vulnerability in Apple Safari 4.0.3 on Windows allow ...) NOT-FOR-US: Apple Safari CVE-2009-4185 (Cross-site scripting (XSS) vulnerability in proxy/smhui/getuiinfo in H ...) NOT-FOR-US: HP System Management Homepage CVE-2009-4184 (Unspecified vulnerability in HP Enterprise Cluster Master Toolkit (ECM ...) NOT-FOR-US: HP Enterprise Cluster Master Toolkit CVE-2009-4183 (Unspecified vulnerability in HP OpenView Storage Data Protector 6.00 a ...) NOT-FOR-US: HP OpenView Storage Data Protector CVE-2009-4182 (Multiple unspecified vulnerabilities in HP Web Jetadmin 10.2, when a r ...) NOT-FOR-US: HP Web Jetadmin CVE-2009-4181 (Stack-based buffer overflow in ovwebsnmpsrv.exe in HP OpenView Network ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2009-4180 (Stack-based buffer overflow in snmpviewer.exe in HP OpenView Network N ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2009-4179 (Stack-based buffer overflow in ovalarm.exe in HP OpenView Network Node ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2009-4178 (Heap-based buffer overflow in OvWebHelp.exe in HP OpenView Network Nod ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2009-4177 (Buffer overflow in webappmon.exe in HP OpenView Network Node Manager ( ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2009-4176 (Multiple heap-based buffer overflows in ovsessionmgr.exe in HP OpenVie ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2009-4175 (CutePHP CuteNews 1.4.6 and UTF-8 CuteNews before 8b allows remote atta ...) NOT-FOR-US: CuteNews CVE-2009-4174 (The editnews module in CutePHP CuteNews 1.4.6 and UTF-8 CuteNews befor ...) NOT-FOR-US: CuteNews CVE-2009-4173 (Cross-site request forgery (CSRF) vulnerability in CutePHP CuteNews 1. ...) NOT-FOR-US: CuteNews CVE-2009-4172 (Cross-site scripting (XSS) vulnerability in index.php in CutePHP CuteN ...) NOT-FOR-US: CuteNews CVE-2009-4171 (An ActiveX control in YahooBridgeLib.dll for Yahoo! Messenger 9.0.0.21 ...) NOT-FOR-US: ActiveX CVE-2009-4170 (WP-Cumulus Plug-in 1.20 for WordPress, and possibly other versions, al ...) NOT-FOR-US: WP-Cumulus Plug-in 1.20 for WordPress CVE-2009-4169 (Cross-site scripting (XSS) vulnerability in wp-cumulus.php in the WP-C ...) NOT-FOR-US: WP-Cumulus Plug-in 1.20 for WordPress CVE-2009-4168 (Cross-site scripting (XSS) vulnerability in Roy Tanck tagcloud.swf, as ...) NOT-FOR-US: WP-Cumulus Plug-in 1.20 for WordPress CVE-2009-4167 (Unspecified vulnerability in the Automatic Base Tags for RealUrl (lt_b ...) NOT-FOR-US: TYPO3 extension CVE-2009-4166 (SQL injection vulnerability in the Trips (mchtrips) extension 2.0.0 fo ...) NOT-FOR-US: TYPO3 extension CVE-2009-4165 (SQL injection vulnerability in the simple Glossar (simple_glossar) ext ...) NOT-FOR-US: TYPO3 extension CVE-2009-4164 (Cross-site scripting (XSS) vulnerability in the simple Glossar (simple ...) NOT-FOR-US: TYPO3 extension CVE-2009-4163 (SQL injection vulnerability in the TW Productfinder (tw_productfinder) ...) NOT-FOR-US: TYPO3 extension CVE-2009-4162 (Unspecified vulnerability in the DB Integration (wfqbe) extension 1.3. ...) NOT-FOR-US: TYPO3 extension CVE-2009-4161 (Cross-site scripting (XSS) vulnerability in the [AN] Search it! (an_se ...) NOT-FOR-US: TYPO3 extension CVE-2009-4160 (Unspecified vulnerability in the Simple download-system with counter a ...) NOT-FOR-US: TYPO3 extension CVE-2009-4159 (Cross-site scripting (XSS) vulnerability in the newsletter configurati ...) NOT-FOR-US: TYPO3 extension CVE-2009-4158 (SQL injection vulnerability in the Calendar Base (cal) extension befor ...) NOT-FOR-US: TYPO3 extension CVE-2009-4157 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in th ...) NOT-FOR-US: Joomla! CVE-2009-4156 (PHP remote file inclusion vulnerability in modules/pms/index.php in Ci ...) NOT-FOR-US: Ciamos CMS CVE-2009-4155 (Multiple SQL injection vulnerabilities in Eshopbuilde CMS allow remote ...) NOT-FOR-US: Eshopbuilde CVE-2009-4154 (Directory traversal vulnerability in includes/feedcreator.class.php in ...) NOT-FOR-US: Elxis CMS CVE-2009-4153 (Unspecified vulnerability in the XMLAccess component in IBM WebSphere ...) NOT-FOR-US: IBM WebSphere CVE-2009-4152 (Cross-site scripting (XSS) vulnerability in the Collaboration componen ...) NOT-FOR-US: IBM WebSphere CVE-2009-4151 (Session fixation vulnerability in html/Elements/SetupSessionCookie in ...) {DSA-1944-1} - request-tracker3.6 3.6.9-2 (low) - request-tracker3.4 CVE-2009-4150 (dasauto in IBM DB2 8 before FP18, 9.1 before FP8, 9.5 before FP4, and ...) NOT-FOR-US: IBM DB2 CVE-2009-4149 (Cross-site scripting (XSS) vulnerability in the web interface in CA Se ...) NOT-FOR-US: CA Service Desk CVE-2009-4148 (DAZ Studio 2.3.3.161, 2.3.3.163, and 3.0.1.135 allows remote attackers ...) NOT-FOR-US: DAZ Studio CVE-2009-4147 (The _rtld function in the Run-Time Link-Editor (rtld) in libexec/rtld- ...) - kfreebsd-6 (the affected file -rtld.c- is not in the archive, not even kFreeBSD) CVE-2009-4146 (The _rtld function in the Run-Time Link-Editor (rtld) in libexec/rtld- ...) - kfreebsd-6 (the affected file -rtld.c- is not in the archive, not even kFreeBSD) CVE-2009-4145 (nm-connection-editor in NetworkManager (NM) 0.7.x exports connection o ...) - network-manager-applet 0.7.2-2 (low; bug #563371) - network-manager (-editor introduced in 0.7 on the -applet package) [lenny] - network-manager-applet (-editor was introduced in 0.7) CVE-2009-4143 (PHP before 5.2.12 does not properly handle session data, which has uns ...) {DSA-2001-1} - php5 5.2.12.dfsg.1-1 (low) CVE-2009-4142 (The htmlspecialchars function in PHP before 5.2.12 does not properly h ...) {DSA-2001-1} - php5 5.2.12.dfsg.1-1 (medium) CVE-2009-4141 (Use-after-free vulnerability in the fasync_helper function in fs/fcntl ...) - linux-2.6 2.6.32-6 [lenny] - linux-2.6 (vulnerable code introduced in 2.6.28) [etch] - linux-2.6 (vulnerable code introduced in 2.6.28) - linux-2.6.24 (vulnerable code introduced in 2.6.28) NOTE: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=53281b6d3 CVE-2009-4140 (Unrestricted file upload vulnerability in ofc_upload_image.php in Open ...) - piwik (bug #506933) CVE-2009-4139 (Cross-site request forgery (CSRF) vulnerability in the Spacewalk Java ...) NOT-FOR-US: spacewalk-java CVE-2009-4138 (drivers/firewire/ohci.c in the Linux kernel before 2.6.32-git9, when p ...) {DSA-2005-1} - linux-2.6 2.6.32-3 (medium) [etch] - linux-2.6 (ohci introduced in 2.6.22) [lenny] - linux-2.6 2.6.26-21 - linux-2.6.24 (medium) CVE-2009-4137 (The loadContentFromCookie function in core/Cookie.php in Piwik before ...) - piwik (bug #506933) CVE-2009-4136 (PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1. ...) {DSA-1964-1} - postgresql-7.4 - postgresql-8.1 - postgresql-8.2 - postgresql-8.3 8.3.9-1 (low) - postgresql-8.4 8.4.2-1 (low) CVE-2009-4135 (The distcheck rule in dist-check.mk in GNU coreutils 5.2.1 through 8.1 ...) - coreutils (this issue only affects the coreutils build process; bug #560898) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=545439 CVE-2009-4134 (Buffer underflow in the rgbimg module in Python 2.5 allows remote atta ...) - python3.1 (rgbimgmodule no longer included in source) - python2.7 (rgbimgmodule no longer included in source) - python2.6 (rgbimgmodule no longer included in source) - python2.5 2.5.5-11 (low; bug #603162) [lenny] - python2.5 (Minor issue) - python2.4 (low) [lenny] - python2.4 (Minor issue) CVE-2009-4133 (Condor 6.5.4 through 7.2.4, 7.3.x, and 7.4.0, as used in MRG, Grid for ...) - condor (Fixed before initial upload to archive) CVE-2009-4132 REJECTED CVE-2009-4131 (The EXT4_IOC_MOVE_EXT (aka move extents) ioctl implementation in the e ...) - linux-2.6 2.6.32-2 (medium) [etch] - linux-2.6 (introduced in 2.6.31) [lenny] - linux-2.6 (introduced in 2.6.31) - linux-2.6.24 (introduced in 2.6.31) CVE-2009-XXXX [monkey DoS] - monkey 0.9.3-1 (low) [lenny] - monkey (Minor issue, fringe package) CVE-2009-4130 (Visual truncation vulnerability in the MakeScriptDialogTitle function ...) - xulrunner (bug #565521) [wheezy] - xulrunner (no detailed information available) CVE-2009-4129 (Race condition in Mozilla Firefox allows remote attackers to produce a ...) - xulrunner (bug #565521) [wheezy] - xulrunner (no detailed information available) CVE-2009-4128 (GNU GRand Unified Bootloader (GRUB) 2 1.97 only compares the submitted ...) - grub2 1.97+20091115-1 (bug #555195) [lenny] - grub2 (Password authentication not yet present) - grub (only affects grub2) CVE-2009-4127 (Unspecified vulnerability in Wikipedia Toolbar extension before 0.5.9. ...) NOT-FOR-US: Wikipedia Toolbar extension for Firefox CVE-2009-4126 RESERVED CVE-2009-4125 RESERVED CVE-2009-4124 (Heap-based buffer overflow in the rb_str_justify function in string.c ...) - ruby1.9.1 1.9.1.376-1 - ruby1.9 (bug #572817) - ruby1.8 NOTE: http://www.ruby-lang.org/en/news/2009/12/07/heap-overflow-in-string/ CVE-2009-4123 RESERVED CVE-2009-4122 RESERVED CVE-2009-4121 (Multiple cross-site request forgery (CSRF) vulnerabilities in Quick.CM ...) NOT-FOR-US: Quick CMS CVE-2009-4120 (Multiple cross-site request forgery (CSRF) vulnerabilities in Quick.Ca ...) NOT-FOR-US: Quick.Cart CVE-2009-4119 (Cross-site scripting (XSS) vulnerability in Feed Element Mapper module ...) NOT-FOR-US: module for Drupal CVE-2009-4118 (The StartServiceCtrlDispatcher function in the cvpnd service (cvpnd.ex ...) NOT-FOR-US: Cisco VPN client for Windows CVE-2009-4117 (Multiple stack-based buffer overflows in pdf_shade4.c in MuPDF before ...) NOT-FOR-US: MuPDF CVE-2009-4116 (Multiple directory traversal vulnerabilities in CutePHP CuteNews 1.4.6 ...) NOT-FOR-US: CutePHP CVE-2009-4115 (Multiple static code injection vulnerabilities in the Categories modul ...) NOT-FOR-US: CutePHP CuteNews CVE-2009-4114 (kl1.sys in Kaspersky Anti-Virus 2010 9.0.0.463, and possibly other ver ...) NOT-FOR-US: Kaspersky Anti-Virus CVE-2009-4113 (Static code injection vulnerability in the Categories module in CutePH ...) NOT-FOR-US: CutePHP CuteNews CVE-2009-4110 (Cross-site scripting (XSS) vulnerability in the search functionality i ...) NOT-FOR-US: DotNetNuke CVE-2009-4109 (The install wizard in DotNetNuke 4.0 through 5.1.4 does not prevent an ...) NOT-FOR-US: DotNetNuke CVE-2009-4108 (XM Easy Personal FTP Server 5.8.0 allows remote authenticated users to ...) NOT-FOR-US: XM Easy Personal FTP Server CVE-2009-4107 (Buffer overflow in Invisible Browsing 5.0.52 allows user-assisted remo ...) NOT-FOR-US: Invisible Browsing CVE-2009-4106 (Unrestricted file upload vulnerability in admintools/editpage-2.php in ...) NOT-FOR-US: Agoko CMS CVE-2009-4105 (TYPSoft FTP Server 1.10 allows remote authenticated users to cause a d ...) NOT-FOR-US: TYPSoft FTP Server CVE-2009-4104 (SQL injection vulnerability in Lyften Designs LyftenBloggie (com_lyfte ...) NOT-FOR-US: Joomla! component CVE-2009-4103 (Buffer overflow in Robo-FTP 3.6.17, and possibly other versions, allow ...) NOT-FOR-US: Robo-FTP CVE-2009-4102 (Sage 1.4.3 and earlier extension for Firefox performs certain operatio ...) {DSA-1951-1} - firefox-sage 1.4.3-4 (medium; bug #559267) CVE-2009-4101 (infoRSS 1.1.4.2 and earlier extension for Firefox performs certain ope ...) NOT-FOR-US: infoRSS extension for Firefox CVE-2009-4100 (Yoono extension before 6.1.1 for Firefox performs certain operations w ...) NOT-FOR-US: Yoono extension for Firefox CVE-2009-4099 (SQL injection vulnerability in the Google Calendar GCalendar (com_gcal ...) NOT-FOR-US: Joomla! Component CVE-2009-4098 (Unrestricted file upload vulnerability in banner-edit.php in OpenX ads ...) - openx (bug #513771) CVE-2009-4097 (Stack-based buffer overflow in the MplayInputFile function in Serenity ...) NOT-FOR-US: Serenity Audio Player CVE-2009-4096 (RADIO istek scripti 2.5 stores sensitive information under the web roo ...) NOT-FOR-US: RADIO istek scripti CVE-2009-4095 (myPhile 1.2.1 allows remote attackers to bypass authentication via an ...) NOT-FOR-US: myPhile CVE-2009-4094 (PHP remote file inclusion vulnerability in class/php/d4m_ajax_pagenav. ...) NOT-FOR-US: Joomla! component CVE-2009-4093 (Multiple cross-site scripting (XSS) vulnerabilities in comments.php in ...) NOT-FOR-US: Simplog CVE-2009-4092 (Cross-site request forgery (CSRF) vulnerability in user.php in Simplog ...) NOT-FOR-US: Simplog CVE-2009-4091 (comments.php in Simplog 0.9.3.2, and possibly earlier, does not proper ...) NOT-FOR-US: Simplog CVE-2009-4090 (Unrestricted file upload vulnerability in ajax/addComment.php in telep ...) NOT-FOR-US: telepark.wiki CVE-2009-4089 (telepark.wiki 2.4.23 and earlier allows remote attackers to bypass aut ...) NOT-FOR-US: telepark.wiki CVE-2009-4088 (Multiple directory traversal vulnerabilities in telepark.wiki 2.4.23 a ...) NOT-FOR-US: telepark.wiki CVE-2009-4087 (Cross-site scripting (XSS) vulnerability in index.php in telepark.wiki ...) NOT-FOR-US: telepark.wiki CVE-2009-4086 (CRLF injection vulnerability in Xerver HTTP Server 4.31 and 4.32 allow ...) NOT-FOR-US: Xerver HTTP Server CVE-2009-4085 (PHP remote file inclusion vulnerability in assets/plugins/mp3_id/mp3_i ...) NOT-FOR-US: PHP Traverser CVE-2009-4084 (SQL injection vulnerability in the search feature in e107 0.7.16 and e ...) NOT-FOR-US: e107 CVE-2009-4083 (Multiple cross-site scripting (XSS) vulnerabilities in e107 0.7.16 and ...) NOT-FOR-US: e107 CVE-2009-4082 (PHP remote file inclusion vulnerability in forums/Forum_Include/index. ...) NOT-FOR-US: Outreach Project Tool CVE-2009-4081 (Untrusted search path vulnerability in dstat before r3199 allows local ...) - dstat (Fixed/tracked as CVE-2009-3894) NOTE: This second ID is about the same issue, but for an older version, see NOTE: http://bugs.gentoo.org/show_bug.cgi?id=293497 NOTE: For Debian we'll just use CVE-2009-3894 and mark this one as not-affected CVE-2009-4080 (Multiple unspecified vulnerabilities in ldap_cachemgr (aka the LDAP cl ...) NOT-FOR-US: ldap_cachemgr in Sun Solaris CVE-2009-4079 (Cross-site request forgery (CSRF) vulnerability in Redmine 0.8.5 and e ...) - redmine 0.9.0~svn2902-1 CVE-2009-4078 (Multiple cross-site scripting (XSS) vulnerabilities in Redmine 0.8.5 a ...) - redmine 0.9.0~svn2902-1 CVE-2009-4077 (Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0 ...) - roundcube 0.3-1 CVE-2009-4076 (Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0 ...) - roundcube 0.3-1 CVE-2009-4075 (Unspecified vulnerability in the timeout mechanism in sshd in Sun Sola ...) NOT-FOR-US: Sun Solaris CVE-2009-4074 (The XSS Filter in Microsoft Internet Explorer 8 allows remote attacker ...) NOT-FOR-US: Microsoft Internet Explorer 8 CVE-2008-7247 (sql/sql_table.cc in MySQL 5.0.x through 5.0.88, 5.1.x through 5.1.41, ...) - mysql-5.1 5.1.49-3 (low; bug #569484) - mysql-dfsg-5.0 (Vulnerable code not present) CVE-2009-4214 (Cross-site scripting (XSS) vulnerability in the strip_tags function in ...) {DSA-2301-1 DSA-2260-1} - rails 2.2.3-2 (low; bug #558685) NOTE: http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1 CVE-2008-7248 (Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify ...) - rails 2.2.3-1 (medium; bug #558685) [lenny] - rails (Vulnerable code not present) NOTE: http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1 CVE-2009-4073 (The printing functionality in Microsoft Internet Explorer 8 allows rem ...) NOT-FOR-US: Microsoft Internet Explorer 8 CVE-2009-4072 (Unspecified vulnerability in Opera before 10.10 has unknown impact and ...) NOT-FOR-US: Opera CVE-2009-4071 (Opera before 10.10, when exception stacktraces are enabled, places scr ...) NOT-FOR-US: Opera CVE-2009-4070 (SQL injection vulnerability in GForge 4.5.14, 4.7.3, and possibly othe ...) {DSA-1818-1} - gforge 4.7.3-2 CVE-2009-4069 (Multiple cross-site scripting (XSS) vulnerabilities in GForge 4.5.14, ...) {DSA-1818-1} - gforge 4.7.3-2 CVE-2009-4068 RESERVED CVE-2009-4067 (Buffer overflow in the auerswald_probe function in the Auerswald Linux ...) {DSA-2310-1} - linux-2.6 2.6.28-1 (low) NOTE: Driver was removed in 2.6.27 CVE-2009-4066 (Multiple cross-site request forgery (CSRF) vulnerabilities in the "My ...) NOT-FOR-US: module for Drupal CVE-2009-4065 (Cross-site scripting (XSS) vulnerability in the settings page in the S ...) NOT-FOR-US: module for Drupal CVE-2009-4064 (Cross-site scripting (XSS) vulnerability in the Gallery Assist module ...) NOT-FOR-US: module for Drupal CVE-2009-4063 (Cross-site scripting (XSS) vulnerability in the Subgroups for Organic ...) NOT-FOR-US: module for Drupal CVE-2009-4062 (Multiple cross-site scripting (XSS) vulnerabilities in the Printfriend ...) NOT-FOR-US: module for Drupal CVE-2009-4061 (Multiple cross-site scripting (XSS) vulnerabilities in the Agreement m ...) NOT-FOR-US: module for Drupal CVE-2009-4060 (SQL injection vulnerability in includes/content/viewProd.inc.php in Cu ...) NOT-FOR-US: CubeCart CVE-2009-4059 (SQL injection vulnerability in the JoomClip (com_joomclip) component f ...) NOT-FOR-US: component for Joomla! CVE-2009-4058 (SQL injection vulnerability in allauctions.php in Telebid Auction Scri ...) NOT-FOR-US: Telebid Auction Script CVE-2009-4057 (SQL injection vulnerability in the inertialFATE iF Portfolio Nexus (co ...) NOT-FOR-US: component for Joomla! CVE-2009-4056 (Directory traversal vulnerability in admin/popup.php in Betsy CMS 3.5 ...) NOT-FOR-US: Betsy CMS CVE-2009-4055 (rtp.c in Asterisk Open Source 1.2.x before 1.2.37, 1.4.x before 1.4.27 ...) {DSA-1952-1} - asterisk 1:1.6.2.0~rc7-1 (bug #559103) [etch] - asterisk (Etch Packages no longer covered by security support) CVE-2009-4054 REJECTED CVE-2009-4053 (Multiple directory traversal vulnerabilities in Home FTP Server 1.10.1 ...) NOT-FOR-US: Home FTP Server CVE-2009-4052 (Multiple cross-site scripting (XSS) vulnerabilities in the JSF Widget ...) NOT-FOR-US: IBM Rational Application Developer for WebSphere CVE-2009-4051 (Home FTP Server 1.10.1.139 allows remote attackers to cause a denial o ...) NOT-FOR-US: Home FTP Server CVE-2009-4050 (Directory traversal vulnerability in get_file.php in phpMyBackupPro 2. ...) NOT-FOR-US: phpMyBackupPro CVE-2009-4049 (Heap-based buffer overflow in aswRdr.sys (aka the TDI RDR driver) in a ...) NOT-FOR-US: avast CVE-2009-4048 (Dxmsoft XM Easy Personal FTP Server 5.8.0 allows remote authenticated ...) NOT-FOR-US: Dxmsoft XM Easy Personal FTP Server CVE-2009-4047 (Multiple cross-site scripting (XSS) vulnerabilities in PHD Help Desk 1 ...) NOT-FOR-US: PHD Help Desk CVE-2009-4112 (Cacti 0.8.7e and earlier allows remote authenticated administrators to ...) [experimental] - cacti 1.2.0~beta2+ds1-1 - cacti 1.2.1+ds1-1 (unimportant; bug #561339) NOTE: 4B0E1566.1070509@moritz-naumann.com in bugtraq NOTE: as one requires admin access to cacti, upstream will implement a whitelist NOTE: https://github.com/Cacti/cacti/issues/1072 CVE-2009-4032 (Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7e al ...) {DSA-1954-1} - cacti 0.8.7e-1.1 (low; bug #561338) NOTE: http://docs.cacti.net/#cross-site_scripting_fixes NOTE: http://www.cacti.net/download_patches.php NOTE: incomplete, probably another CVE id will be allocated: https://bugzilla.redhat.com/show_bug.cgi?id=541279#c17 CVE-2009-4046 (Multiple SQL injection vulnerabilities in FrontAccounting (FA) 2.2.x b ...) NOT-FOR-US: FrontAccounting CVE-2009-4045 (Multiple SQL injection vulnerabilities in FrontAccounting (FA) before ...) NOT-FOR-US: FrontAccounting CVE-2009-4044 (The Web Services module 6.x for Drupal does not perform the expected a ...) NOT-FOR-US: Web Services module for Drupal CVE-2009-4043 (Cross-site scripting (XSS) vulnerability in the AddToAny module 5.x be ...) NOT-FOR-US: module for Drupal CVE-2009-4042 (Cross-site scripting (XSS) vulnerability in the RootCandy theme 6.x be ...) NOT-FOR-US: theme for Drupal CVE-2009-4041 (UseBB 1.0.9 before 1.0.10 allows remote attackers to cause a denial of ...) NOT-FOR-US: UseBB CVE-2009-4040 (Cross-site scripting (XSS) vulnerability in phpMyFAQ before 2.0.17 and ...) NOT-FOR-US: phpMyFAQ CVE-2009-4039 (Cross-site scripting (XSS) vulnerability in Piwigo before 2.0.6 allows ...) - piwigo (Fixed before initial upload to the archive) CVE-2009-4038 (Multiple cross-site scripting (XSS) vulnerabilities in NCH Software Ax ...) NOT-FOR-US: NCH Software Axon Virtual PBX CVE-2009-4037 (Multiple SQL injection vulnerabilities in FrontAccounting (FA) before ...) NOT-FOR-US: FrontAccounting CVE-2009-4036 REJECTED CVE-2009-4035 (The FoFiType1::parse function in fofi/FoFiType1.cc in Xpdf 3.0.0, gpdf ...) - kdegraphics 4:4.0.0-1 - xpdf 3.01-1 - poppler 0.5.1-1 - swftools 0.9.2+ds1-2 NOTE: was silently fixed by upstream xpdf, fix propagated to poppler in 4b4fc5c017b/2005-09-14 NOTE: but at least version 0.4.5 does *not* contain the ship. NOTE: Was fixed somewhere between 0.4.5 and 0.5.1 CVE-2009-4034 (PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1. ...) {DSA-1964-1} - postgresql-7.4 - postgresql-8.1 - postgresql-8.2 - postgresql-8.3 8.3.9-1 (low) - postgresql-8.4 8.4.2-1 (low) CVE-2009-4033 (A certain Red Hat patch for acpid 1.0.4 effectively triggers a call to ...) - acpid (problem in redhat-specific patch; debian uses sensible permissions 0664) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=515062 CVE-2009-4031 (The do_insn_fetch function in arch/x86/kvm/emulate.c in the x86 emulat ...) {DSA-1962-1} - linux-2.6 2.6.32-3 (low) [lenny] - linux-2.6 2.6.26-21 [etch] - linux-2.6 (kvm introduced in 2.6.25) - linux-2.6.24 (kvm introduced in 2.6.25) - kvm (low; bug #562075) CVE-2009-4030 (MySQL 5.1.x before 5.1.41 allows local users to bypass certain privile ...) {DSA-1997-1} - mysql-5.1 5.1.43-1 - mysql-dfsg-5.0 CVE-2009-4029 (The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, an ...) - automake 1:1.4-p6-13.1 [lenny] - automake (Minor issue) - automake1.9 1.9.6+nogfdl-3.1 [lenny] - automake1.9 (Minor issue) - automake1.7 1.7.9-9.1 [lenny] - automake1.7 (Minor issue) - automake1.10 1:1.10.3-1 [lenny] - automake1.10 (Minor issue) NOTE: spu will be released to avoid spreading the bug even further NOTE: http://lists.gnu.org/archive/html/automake/2009-12/msg00012.html CVE-2009-4028 (The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x b ...) - mysql-5.1 (Vulnerable code not present) - mysql-dfsg-5.0 (Vulnerable code not present) NOTE: built with --without-openssl CVE-2009-4027 (Race condition in the mac80211 subsystem in the Linux kernel before 2. ...) {DSA-1996-1 DTSA-204-1} - linux-2.6 2.6.32-1 (medium) [etch] - linux-2.6 (introduced in 2.6.26) - linux-2.6.24 (introduced in 2.6.26) CVE-2009-4026 (The mac80211 subsystem in the Linux kernel before 2.6.32-rc8-next-2009 ...) {DTSA-204-1} - linux-2.6 2.6.32-1 (medium) [etch] - linux-2.6 (introduced in 2.6.30) [lenny] - linux-2.6 (introduced in 2.6.30) - linux-2.6.24 (introduced in 2.6.30) CVE-2009-4025 (Argument injection vulnerability in the traceroute function in Tracero ...) NOT-FOR-US: Net_Traceroute PEAR module CVE-2009-4024 (Argument injection vulnerability in the ping function in Ping.php in t ...) {DSA-1949-1} - php-net-ping 2.4.2-1.1 (medium) NOTE: fix applied by upstream is incomplete, reported to oss-sec CVE-2009-4111 (Argument injection vulnerability in Mail/sendmail.php in the Mail pack ...) {DSA-1938-1} - php-mail 1.1.14-2 (medium; bug #557121) [lenny] - php-mail 1.1.14-1+lenny1 [etch] - php-mail 1.1.6-2+etch1 CVE-2009-4023 (Argument injection vulnerability in the sendmail implementation of the ...) {DSA-1938-1} - php-mail 1.1.14-2 (medium; bug #557121) [lenny] - php-mail 1.1.14-1+lenny1 [etch] - php-mail 1.1.6-2+etch1 CVE-2009-4022 (Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before ...) {DSA-1961-1} - bind9 1:9.6.1.dfsg.P2-1 (medium) NOTE: https://www.isc.org/node/504 NOTE: Only affects installations with trust anchors, but then the NOTE: consequences are quite severe. CVE-2009-4020 (Stack-based buffer overflow in the hfs subsystem in the Linux kernel 2 ...) {DSA-2005-1 DSA-2003-1} - linux-2.6 2.6.32-3 (medium) [lenny] - linux-2.6 2.6.26-21 - linux-2.6.24 (medium) CVE-2009-4019 (mysqld in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41 does not ( ...) {DSA-1997-1} - mysql-5.1 5.1.41-1 - mysql-dfsg-5.0 NOTE: http://web.archive.org/web/20140722233305/http://dev.mysql.com/doc/refman/5.1/en/news-5-1-41.html NOTE: http://web.archive.org/web/20140723045533/http://dev.mysql.com/doc/refman/5.0/en/news-5-0-88.html NOTE: http://bugs.mysql.com/47780 NOTE: http://bugs.mysql.com/48291 CVE-2009-4018 (The proc_open function in ext/standard/proc_open.c in PHP before 5.2.1 ...) - php5 5.2.11.dfsg.1-1 (unimportant) NOTE: safe_mode bypass CVE-2005-4883 (Race condition in Philippe Jounin Tftpd32 before 2.80 allows remote at ...) NOT-FOR-US: Tftpd32 CVE-2005-4882 (tftpd in Philippe Jounin Tftpd32 2.74 and earlier, as used in Wyse Sim ...) NOT-FOR-US: Tftpd32 CVE-2009-4016 (Integer underflow in the clean_string function in irc_string.c in (1) ...) {DSA-1980-1} - ircd-ratbox 3.0.6.dfsg-1 (medium; bug #567191) - ircd-hybrid 1:7.2.2.dfsg.2-6.1 (medium; bug #567192) - oftc-hybrid 1.6.3.dfsg-1.1 (medium; bug #567193) CVE-2009-4015 (Lintian 1.23.x through 1.23.28, 1.24.x through 1.24.2.1, and 2.x befor ...) {DSA-1979-1} - lintian 2.3.2 (medium) CVE-2009-4014 (Multiple format string vulnerabilities in Lintian 1.23.x through 1.23. ...) {DSA-1979-1} - lintian 2.3.2 (medium) CVE-2009-4013 (Multiple directory traversal vulnerabilities in Lintian 1.23.x through ...) {DSA-1979-1} - lintian 2.3.2 (medium) CVE-2009-4012 (Multiple integer overflows in LibThai before 0.1.13 might allow contex ...) {DSA-1971-1} - libthai 0.1.13-1 CVE-2009-4011 (dtc-xen 0.5.x before 0.5.4 suffers from a race condition where an atta ...) - dtc-xen 0.5.4-1 [lenny] - dtc-xen (Only affects 0.5.x) CVE-2009-4010 (Unspecified vulnerability in PowerDNS Recursor before 3.1.7.2 allows r ...) {DSA-1968-2 DSA-1968-1} - pdns-recursor 3.1.7.2-1 (high) CVE-2009-4009 (Buffer overflow in PowerDNS Recursor before 3.1.7.2 allows remote atta ...) {DSA-1968-1} - pdns-recursor 3.1.7.2-1 (high) [etch] - pdns-recursor (vulnerable code not present) CVE-2009-4008 (Unbound before 1.4.4 does not send responses for signed zones after mi ...) {DSA-2243-1} - unbound 1.4.4-1 (low) CVE-2009-4007 (Unspecified vulnerability in the NormaliseTrainConsist function in src ...) - openttd 0.7.5-1 [lenny] - openttd 0.6.2-1+lenny1 CVE-2009-4006 (Stack-based buffer overflow in the TEA decoding algorithm in RhinoSoft ...) NOT-FOR-US: Serv-U FTP server CVE-2009-4005 (The collect_rx_frame function in drivers/isdn/hisax/hfc_usb.c in the L ...) {DSA-2005-1 DSA-2003-1} - linux-2.6 2.6.32-1 (low) [lenny] - linux-2.6 2.6.26-21 - linux-2.6.24 (low) CVE-2009-4003 (Multiple integer overflows in Adobe Shockwave Player before 11.5.6.606 ...) NOT-FOR-US: Adobe Shockwave Player CVE-2009-4002 (Heap-based buffer overflow in Adobe Shockwave Player before 11.5.6.606 ...) NOT-FOR-US: Adobe Shockwave Player CVE-2009-4001 (Integer overflow in XnView before 1.97.2 might allow remote attackers ...) NOT-FOR-US: XnView CVE-2009-4000 (Directory traversal vulnerability in goform/formExportDataLogs in HP P ...) NOT-FOR-US: HP Power Manager CVE-2009-3999 (Stack-based buffer overflow in goform/formExportDataLogs in HP Power M ...) NOT-FOR-US: HP Power Manager CVE-2009-3998 RESERVED CVE-2009-3997 (Integer overflow in IN_MOD.DLL (aka the Module Decoder Plug-in) in Win ...) NOT-FOR-US: winamp CVE-2009-3996 (Heap-based buffer overflow in IN_MOD.DLL (aka the Module Decoder Plug- ...) {DSA-2071-1} - libmikmod 3.1.11-6.2 (bug #575742) - pysol-sound-server (unimportant) NOTE: pysol-sound-server embeds a mikmod copy, but only reads to local files CVE-2009-3995 (Multiple heap-based buffer overflows in IN_MOD.DLL (aka the Module Dec ...) {DSA-2081-1 DSA-2071-1} - libmikmod 3.1.11-6.2 (bug #575742) - pysol-sound-server (unimportant) NOTE: pysol-sound-server embeds a mikmod copy, but only reads to local files CVE-2009-3994 (Stack-based buffer overflow in the GetUID function in src-IL/src/il_di ...) - devil 1.7.8-6 (low; bug #560080) [lenny] - devil (Minor issue) [etch] - devil (Minor issue) CVE-2009-3993 REJECTED CVE-2009-3992 REJECTED CVE-2009-3991 REJECTED CVE-2009-3990 REJECTED CVE-2009-3989 (Bugzilla before 3.0.11, 3.2.x before 3.2.6, 3.4.x before 3.4.5, and 3. ...) - bugzilla 3.4.7.0-1 (unimportant) NOTE: http://www.bugzilla.org/security/3.0.10/ CVE-2009-3988 (Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMon ...) {DSA-1999-1} - xulrunner 1.9.1.8-1 [etch] - xulrunner - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0.3-1 [lenny] - iceape (Lenny package only provide xpcom stubs) CVE-2009-3987 (The GeckoActiveXObject function in Mozilla Firefox before 3.0.16 and 3 ...) - xulrunner (Windows-specific vulnerability) CVE-2009-3986 (Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey be ...) {DSA-1956-1} - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - xulrunner 1.9.1.6-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-3985 (Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey be ...) {DSA-1956-1} - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - xulrunner 1.9.1.6-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-3984 (Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey be ...) {DSA-1956-1} - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - xulrunner 1.9.1.6-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-3983 (Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey be ...) {DSA-1956-1} - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - xulrunner 1.9.1.6-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-3982 (Multiple unspecified vulnerabilities in the JavaScript engine in Mozil ...) - xulrunner 1.9.1.6-1 [lenny] - xulrunner (Only affects Firefox 3.5) [etch] - xulrunner (Only affects Firefox 3.5) CVE-2009-3981 (Unspecified vulnerability in the browser engine in Mozilla Firefox bef ...) {DSA-1956-1} - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - xulrunner 1.9.1 NOTE: Only affects Firefox 3 CVE-2009-3980 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - xulrunner 1.9.1.6-1 - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) [etch] - xulrunner (Mozilla packages from oldstable no longer covered by security support) [lenny] - xulrunner (Only affects Firefox 3.5) CVE-2009-3979 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-1956-1} - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - xulrunner 1.9.1.6-1 [etch] - xulrunner (Mozilla packages from oldstable no longer covered by security support) CVE-2009-3978 (The nsGIFDecoder2::GifWrite function in decoders/gif/nsGIFDecoder2.cpp ...) - xulrunner 1.9.1.5-1 (unimportant) NOTE: Browser crashes not treated as security issues CVE-2009-3977 (Multiple buffer overflows in a certain ActiveX control in ActiveDom.oc ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2009-3976 (Buffer overflow in Labtam ProFTP 2.9 allows remote FTP servers to caus ...) NOT-FOR-US: Labtam ProFTP CVE-2009-3975 (SQL injection vulnerability in index.php in Moa Gallery 1.1.0 and 1.2. ...) NOT-FOR-US: Moa Gallery CVE-2009-3974 (Multiple SQL injection vulnerabilities in Invision Power Board (IPB or ...) NOT-FOR-US: Invision Power Board CVE-2009-3973 (SQL injection vulnerability in index.php in Turnkey Arcade Script allo ...) NOT-FOR-US: Turnkey Arcade Script CVE-2009-3972 (SQL injection vulnerability in the Q-Proje Siirler Bileseni (com_siirl ...) NOT-FOR-US: component for Joomla! CVE-2009-3971 (SQL injection vulnerability in the jTips (com_jtips) component 1.0.7 a ...) NOT-FOR-US: component for Joomla! CVE-2009-3970 (SQL injection vulnerability in index.php in PHP Dir Submit (aka Websit ...) NOT-FOR-US: PHP Dir Submit CVE-2009-3969 (Stack-based buffer overflow in Faslo Player 7.0 allows remote attacker ...) NOT-FOR-US: Faslo Player CVE-2009-3968 (Multiple SQL injection vulnerabilities in ITechBids 8.0 allow remote a ...) NOT-FOR-US: ITechBids CVE-2009-3967 (SQL injection vulnerability in browse.php in Ed Charkow SuperCharged L ...) NOT-FOR-US: Ed Charkow SuperCharged Linking CVE-2009-3966 (Arcade Trade Script 1.0 allows remote attackers to bypass authenticati ...) NOT-FOR-US: Arcade Trade Script CVE-2009-3965 (SQL injection vulnerability in rating.php in New 5 star Rating 1.0 all ...) NOT-FOR-US: New 5 star Rating CVE-2009-3964 (SQL injection vulnerability in the NinjaMonials (com_ninjacentral) com ...) NOT-FOR-US: component for Joomla! CVE-2009-3898 (Directory traversal vulnerability in src/http/modules/ngx_http_dav_mod ...) - nginx 0.7.63-1 (low; bug #557389) [etch] - nginx (upload rights required) [lenny] - nginx (upload rights required) CVE-2009-3897 (Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of ce ...) - dovecot 1:1.2.8-1 (medium; bug #557601) [lenny] - dovecot (Only affects 1.2.x) [etch] - dovecot (Only affects 1.2.x) CVE-2009-4017 (PHP before 5.2.12 and 5.3.x before 5.3.1 does not restrict the number ...) {DSA-1940-1} - php5 5.2.11.dfsg.1-2 (medium) - php4 (medium) NOTE: workarounds include using 5.3.1 or php5-suhosin NOTE: 4B068517.802@acunetix.com on bugtraq explains it CVE-2009-3080 (Array index error in the gdth_read_event function in drivers/scsi/gdth ...) {DSA-2005-1 DSA-2003-1} - linux-2.6 2.6.32-1 (medium) [lenny] - linux-2.6 2.6.26-21 - linux-2.6.24 (medium) NOTE: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=690e744869f3262855b83b4fb59199cf142765b0 CVE-2009-4021 (The fuse_direct_io function in fs/fuse/file.c in the fuse subsystem in ...) {DSA-2005-1 DSA-2003-1} - linux-2.6 2.6.32-1 (low) [lenny] - linux-2.6 2.6.26-21 - linux-2.6.24 (low) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=538734 CVE-2009-3963 (Multiple unspecified vulnerabilities in XOOPS before 2.4.0 Final have ...) NOT-FOR-US: XOOPS CVE-2009-3962 (The management interface on the 2wire Gateway 1700HG, 1701HG, 1800HW, ...) NOT-FOR-US: 2wire Gateway CVE-2009-3961 (SQL injection vulnerability in user.php in Super Serious Stats (aka su ...) NOT-FOR-US: Super Serious Stats CVE-2009-3960 (Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveC ...) NOT-FOR-US: LiveCycle CVE-2009-3959 (Integer overflow in the U3D implementation in Adobe Reader and Acrobat ...) NOT-FOR-US: Adobe Reader and Acrobat 8.0 CVE-2009-3958 (Multiple stack-based buffer overflows in the NOS Microsystems getPlus ...) NOT-FOR-US: Adobe Reader and Acrobat 8.0 CVE-2009-3957 (Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows ...) NOT-FOR-US: Adobe Reader and Acrobat 8.0 CVE-2009-3956 (The default configuration of Adobe Reader and Acrobat 9.x before 9.3, ...) NOT-FOR-US: Adobe Reader and Acrobat 8.0 CVE-2009-3955 (Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows ...) NOT-FOR-US: Adobe Reader and Acrobat 8.0 CVE-2009-3954 (The 3D implementation in Adobe Reader and Acrobat 9.x before 9.3, and ...) NOT-FOR-US: Adobe Reader and Acrobat 8.0 CVE-2009-3953 (The U3D implementation in Adobe Reader and Acrobat 9.x before 9.3, 8.x ...) NOT-FOR-US: Adobe Reader and Acrobat 8.0 CVE-2009-3952 (Buffer overflow in Adobe Illustrator CS3 13.0.3 and earlier and Illust ...) NOT-FOR-US: Adobe Illustrator CVE-2009-3951 (Unspecified vulnerability in the Flash Player ActiveX control in Adobe ...) NOT-FOR-US: Flash Player CVE-2009-3950 (Multiple cross-site scripting (XSS) vulnerabilities in Bractus SunTrac ...) NOT-FOR-US: Bractus SunTrack CVE-2009-3949 (cp/profile.php in VivaPrograms Infinity 2.0.5 and earlier does not req ...) NOT-FOR-US: VivaPrograms Infinity CVE-2009-3948 (JetAudio 7.5.3 COWON Media Center allows remote attackers to cause a d ...) NOT-FOR-US: JetAudio CVE-2009-3947 (Buffer overflow in the FTP service on the Tandberg MXP F7.0 allows rem ...) NOT-FOR-US: Tandberg MXP F7.0 CVE-2009-3946 (Joomla! before 1.5.15 allows remote attackers to read an extension's X ...) NOT-FOR-US: Joomla! CVE-2009-3945 (Unspecified vulnerability in the Front-End Editor in the com_content c ...) NOT-FOR-US: component in Joomla! CVE-2009-3944 (Research In Motion (RIM) BlackBerry Browser on the BlackBerry 8800 all ...) NOT-FOR-US: BlackBerry Browser on the BlackBerry 8800 CVE-2009-3943 (Microsoft Internet Explorer 6 through 6.0.2900.2180 and 7 through 7.0. ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-3942 (Martin Lambers msmtp before 1.4.19, when OpenSSL is used, does not pro ...) - msmtp (uses GnuTLS and not OpenSSL; bug #557324) CVE-2009-3941 (Martin Lambers mpop before 1.0.19, when OpenSSL is used, does not prop ...) - mpop (uses GnuTLS and not OpenSSL; bug #557326) CVE-2009-3940 (Unspecified vulnerability in Guest Additions in Sun xVM VirtualBox 1.6 ...) - virtualbox-guest-additions 3.0.10-1 CVE-2009-3939 (The poll_mode_io file for the megaraid_sas driver in the Linux kernel ...) {DSA-1996-1} - linux-2.6 2.6.32-6 (low) [etch] - linux-2.6 (Vulnerable code not present) - linux-2.6.24 (low) CVE-2009-4004 (Buffer overflow in the kvm_vcpu_ioctl_x86_setup_mce function in arch/x ...) - linux-2.6 2.6.32-1 (medium) [etch] - linux-2.6 (kvm introduced in 2.6.25) [lenny] - linux-2.6 (vulnerable code not present) - linux-2.6.24 (kvm introduced in 2.6.25) - kvm 88+dfsg-2 (medium; bug #557736) [lenny] - kvm (vulnerable code not present) NOTE: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=a9e38c3e01ad242fe2a625354cf065c34b01e3aa CVE-2009-3937 (Memory leak in Solaris TCP sockets in Sun OpenSolaris snv_106 through ...) NOT-FOR-US: Sun OpenSolaris CVE-2009-3936 (Unspecified vulnerability in Citrix Online Plug-in for Windows 11.0.x ...) NOT-FOR-US: Citrix Online Plug-in CVE-2009-3935 (Multiple unspecified vulnerabilities in the Advanced Management Module ...) NOT-FOR-US: IBM BladeCenter CVE-2009-3934 (The WebFrameLoaderClient::dispatchDidChangeLocationWithinPage function ...) - chromium-browser (Only 0.x is affected) - webkit (chrome-specific issue) CVE-2009-3933 (WebKit before r50173, as used in Google Chrome before 3.0.195.32, allo ...) - webkit (chromium-specific issue in their timer) - qt4-x11 (chromium-specific issue in their timer) - kdelibs (chromium-specific issue in their timer) - kde4libs (chromium-specific issue in their timer) - chromium-browser (Only 0.x is affected) CVE-2009-3932 (The Gears plugin in Google Chrome before 3.0.195.32 allows user-assist ...) - chromium-browser (Only 0.x is affected) - webkit (gears is only implemented in chromium) CVE-2009-3931 (Incomplete blacklist vulnerability in browser/download/download_exe.cc ...) - chromium-browser (Only 3.x is affected) - webkit (chrome-specific issue) CVE-2009-3930 (Multiple integer overflows in Christos Zoulas file before 5.02 allow u ...) - file 5.03-1 [lenny] - file [etch] - file CVE-2009-3929 REJECTED CVE-2009-3928 REJECTED CVE-2009-3927 REJECTED CVE-2009-3926 REJECTED CVE-2009-3925 REJECTED CVE-2009-XXXX [eglibc: ldd arbitrary code execution] - eglibc 2.10.1-7 (unimportant; bug #552518) - glibc 2.10.1-7 (unimportant; bug #552518) CVE-2009-3924 (Buffer overflow in pbsv.dll, as used in Soldier of Fortune II and poss ...) NOT-FOR-US: Soldier of Fortune CVE-2009-3923 (The VirtualBox 2.0.8 and 2.0.10 web service in Sun Virtual Desktop Inf ...) NOT-FOR-US: Sun Virtual Desktop Infrastructure CVE-2009-3922 (Multiple cross-site request forgery (CSRF) vulnerabilities in the User ...) NOT-FOR-US: module for Drupal CVE-2009-3921 (The Smartqueue_og module 5.x before 5.x-1.3 and 6.x before 6.x-1.0-rc3 ...) NOT-FOR-US: module for Drupal CVE-2009-3920 (An administration page in the NGP COO/CWP Integration (crmngp) module ...) NOT-FOR-US: module for Drupal CVE-2009-3919 (Cross-site scripting (XSS) vulnerability in the NGP COO/CWP Integratio ...) NOT-FOR-US: module for Drupal CVE-2009-3918 (Cross-site scripting (XSS) vulnerability in the Zoomify module 5.x bef ...) NOT-FOR-US: module for Drupal CVE-2009-3917 (Cross-site scripting (XSS) vulnerability in the S5 Presentation Player ...) NOT-FOR-US: module for Drupal CVE-2009-3916 (Cross-site scripting (XSS) vulnerability in the Node Hierarchy module ...) NOT-FOR-US: module for Drupal CVE-2009-3915 (Cross-site scripting (XSS) vulnerability in the "Separate title and UR ...) NOT-FOR-US: module for Drupal CVE-2009-3914 (Cross-site scripting (XSS) vulnerability in the Temporary Invitation m ...) NOT-FOR-US: module for Drupal CVE-2009-3913 (SQL injection vulnerability in summary.php in Xerox Fiery Webtools all ...) NOT-FOR-US: Xerox Fiery Webtools CVE-2009-3912 (Directory traversal vulnerability in index.php in TFTgallery 0.13 allo ...) NOT-FOR-US: TFTgallery CVE-2009-3911 (Cross-site scripting (XSS) vulnerability in settings.php in TFTgallery ...) NOT-FOR-US: TFTgallery CVE-2009-3910 RESERVED CVE-2009-3909 (Integer overflow in the read_channel_data function in plug-ins/file-ps ...) - gimp 2.6.7-1.1 (medium; bug #556750) NOTE: http://secunia.com/secunia_research/2009-43/ CVE-2009-3908 REJECTED CVE-2009-3907 REJECTED CVE-2009-3906 REJECTED CVE-2009-3905 (Multiple cross-site scripting (XSS) vulnerabilities in e-Courier CMS a ...) NOT-FOR-US: e-Courier CMS CVE-2009-3904 (classes/session/cc_admin_session.php in CubeCart 4.3.4 does not proper ...) NOT-FOR-US: CubeCart CVE-2009-3903 (Multiple cross-site scripting (XSS) vulnerabilities in jspui/index.jsp ...) NOT-FOR-US: ManageEngine Netflow Analyzer 7.5 build 7500 CVE-2009-3902 (Directory traversal vulnerability in Cherokee Web Server 0.5.4 and ear ...) - cherokee (Only windows version is affected) CVE-2009-3901 (Multiple cross-site scripting (XSS) vulnerabilities in e-Courier CMS a ...) NOT-FOR-US: e-Courier CMS CVE-2009-3900 (Unspecified vulnerability in the Cluster Management component in IBM P ...) NOT-FOR-US: IBM PowerHA CVE-2009-3899 (Memory leak in the Sockets Direct Protocol (SDP) driver in Sun Solaris ...) NOT-FOR-US: Sun Solaris CVE-2009-3896 (src/http/ngx_http_parse.c in nginx (aka Engine X) 0.1.0 through 0.4.14 ...) {DSA-1920-1} - nginx 0.7.62-1 CVE-2009-3895 (Heap-based buffer overflow in the exif_entry_fix function (aka the tag ...) - libexif 0.6.19-1 (medium; bug #557137) [lenny] - libexif (Only 0.6.18 is affected) [etch] - libexif (Only 0.6.18 is affected) CVE-2009-3894 (Multiple untrusted search path vulnerabilities in dstat before 0.7.0 a ...) - dstat 0.7.0-1 (low; bug #557989) [lenny] - dstat (Minor issue) [etch] - dstat (Minor issue) NOTE: http://svn.rpmforge.net/svn/trunk/tools/dstat/ChangeLog CVE-2009-3893 RESERVED CVE-2009-3891 (Cross-site scripting (XSS) vulnerability in wp-admin/press-this.php in ...) - wordpress 2.8.6-1 (low) [etch] - wordpress (Vulnerable code not present) [lenny] - wordpress (Vulnerable code not present) CVE-2009-3890 (Unrestricted file upload vulnerability in the wp_check_filetype functi ...) - wordpress 2.8.6-1 (low) [etch] - wordpress (Vulnerable code not present) [lenny] - wordpress (Vulnerable code not present) CVE-2009-3889 (The dbg_lvl file for the megaraid_sas driver in the Linux kernel befor ...) {DSA-2005-1} - linux-2.6 2.6.27-1 (low) [etch] - linux-2.6 (Vulnerable code not present) [lenny] - linux-2.6 2.6.26-21 - linux-2.6.24 (low) CVE-2009-3888 (The do_mmap_pgoff function in mm/nommu.c in the Linux kernel before 2. ...) - linux-2.6 (Vulnerable code not built) - linux-2.6.24 (Vulnerable code not built) CVE-2009-3887 (ytnef has directory traversal ...) - ytnef (bug #567631) [lenny] - ytnef (Minor issue) NOTE: http://www.ocert.org/advisories/ocert-2009-013.html NOTE: This doesn't affect Evolution, the TNEF plugin is external CVE-2009-3886 (The Java Web Start implementation in Sun Java SE 6 before Update 17 do ...) - openjdk-6 6b17-1.7-1 (medium; bug #560908) - sun-java6 6-17-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2009-3885 (Sun Java SE 5.0 before Update 22 and 6 before Update 17 on Windows all ...) - openjdk-6 (a problem in code that is unused on non-windows platforms) - sun-java6 (a problem in code that is unused on non-windows platforms) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=530114 CVE-2009-3884 (The TimeZone.getTimeZone method in Sun Java SE 5.0 before Update 22 an ...) - openjdk-6 6b17~pre3-1 (medium; bug #560908) - sun-java6 6-17-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2009-3883 (Multiple unspecified vulnerabilities in the Windows Pluggable Look and ...) - openjdk-6 6b17~pre3-1 (medium; bug #560908) - sun-java6 6-17-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2009-3882 (Multiple unspecified vulnerabilities in the Swing implementation in Su ...) - openjdk-6 6b17~pre3-1 (medium; bug #560908) - sun-java6 6-17-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2009-3881 (Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, ...) - openjdk-6 6b17~pre3-1 (medium; bug #560908) - sun-java6 6-17-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2009-3880 (The Abstract Window Toolkit (AWT) in Java Runtime Environment (JRE) in ...) - openjdk-6 6b17~pre3-1 (medium; bug #560908) - sun-java6 6-17-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2009-3879 (Multiple unspecified vulnerabilities in the (1) X11 and (2) Win32Graph ...) - openjdk-6 6b17~pre3-1 (medium; bug #560908) - sun-java6 6-17-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2009-3878 (Buffer overflow in Sun Java System Web Server 7.0 Update 6 has unspeci ...) NOT-FOR-US: Sun Java System Web Server CVE-2009-3877 (Unspecified vulnerability in Sun Java SE in JDK and JRE 5.0 before Upd ...) - openjdk-6 6b17~pre3-1 (medium; bug #560908) - sun-java6 6-17-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2009-3876 (Unspecified vulnerability in Sun Java SE in JDK and JRE 5.0 before Upd ...) - openjdk-6 6b17~pre3-1 (medium; bug #560908) - sun-java6 6-17-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2009-3875 (The MessageDigest.isEqual function in Java Runtime Environment (JRE) i ...) - openjdk-6 6b17~pre3-1 (medium; bug #560908) - sun-java6 6-17-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2009-3874 (Integer overflow in the JPEGImageReader implementation in the ImageI/O ...) - openjdk-6 6b17~pre3-1 (medium; bug #560908) - sun-java6 6-17-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2009-3873 (The JPEG Image Writer in Sun Java SE in JDK and JRE 5.0 before Update ...) - openjdk-6 6b17~pre3-1 (medium; bug #560908) - sun-java6 6-17-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2009-3872 (Unspecified vulnerability in the JPEG JFIF Decoder in Sun Java SE in J ...) - openjdk-6 6b17-1.7-1 (medium; bug #560908) - sun-java6 6-17-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2009-3871 (Heap-based buffer overflow in the setBytePixels function in the Abstra ...) - openjdk-6 6b17~pre3-1 (medium; bug #560908) - sun-java6 6-17-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2009-3869 (Stack-based buffer overflow in the setDiffICM function in the Abstract ...) - openjdk-6 6b17~pre3-1 (medium; bug #560908) - sun-java6 6-17-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2009-3868 (Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before ...) - openjdk-6 6b17~pre3-1 (medium; bug #560908) - sun-java6 6-17-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2009-3867 (Stack-based buffer overflow in the HsbParser.getSoundBank function in ...) - openjdk-6 6b17-1.7-1 (medium; bug #560908) - sun-java6 6-17-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2009-3866 (The Java Web Start Installer in Sun Java SE in JDK and JRE 6 before Up ...) - openjdk-6 6b17-1.7-1 (medium; bug #560908) - sun-java6 6-17-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2009-3865 (The launch method in the Deployment Toolkit plugin in Java Runtime Env ...) - openjdk-6 6b17-1.7-1 (medium; bug #560908) - sun-java6 6-17-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2009-3864 (The Java Update functionality in Java Runtime Environment (JRE) in Sun ...) - openjdk-6 6b17 (unimportant) - sun-java6 6-17-1 (unimportant) NOTE: a problem in their updater, which is irrelevant since debian NOTE: updates are provided by the security team CVE-2009-3863 (Buffer overflow in the gxmim1.dll ActiveX control in Novell Groupwise ...) NOT-FOR-US: ActiveX CVE-2009-3862 (The NDSD process in Novell eDirectory 8.7.3 before 8.7.3.10 ftf2 and e ...) NOT-FOR-US: Novell eDirectory CVE-2009-3861 (Stack-based buffer overflow in SafeNet SoftRemote 10.8.5 (Build 2) and ...) NOT-FOR-US: SafeNet SoftRemote CVE-2009-3860 (Multiple insecure method vulnerabilities in Idefense Labs COMRaider al ...) NOT-FOR-US: Idefense Labs COMRaider CVE-2009-3859 (Buffer overflow in eEye Retina WiFi Scanner 1.0.8.68, as used in Retin ...) NOT-FOR-US: Retina Network Security Scanner CVE-2009-3858 (Cross-site scripting (XSS) vulnerability in GejoSoft allows remote att ...) NOT-FOR-US: GejoSoft CVE-2009-3857 (Buffer overflow in Softonic International SciTE 1.72 allows user-assis ...) NOT-FOR-US: Softonic International SciTE CVE-2009-3856 (Cross-site scripting (XSS) vulnerability in the default URI in news/ i ...) NOT-FOR-US: Twilight CMS CVE-2009-3855 (Multiple unspecified vulnerabilities in the (1) UNIX and (2) Linux bac ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2009-3854 (Buffer overflow in the traditional client scheduler in the client in I ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2009-3853 (Stack-based buffer overflow in the client acceptor daemon (CAD) schedu ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2009-3852 (Unspecified vulnerability in the XML component in IBM Runtimes for Jav ...) NOT-FOR-US: IBM Runtimes for Java Technology 5.0.0 CVE-2009-3851 (Trusted Extensions in Sun Solaris 10 interferes with the operation of ...) NOT-FOR-US: Sun Solaris 10 CVE-2009-3850 (Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to execut ...) - blender (unimportant) NOTE: attack vector is social engineering to get the user to open NOTE: a malicious .blend file. by design, blend files support NOTE: all python operations, so ultimately any code can be executed CVE-2009-3849 (Multiple stack-based buffer overflows in HP OpenView Network Node Mana ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2009-3848 (Stack-based buffer overflow in nnmRptConfig.exe in HP OpenView Network ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2009-3847 (Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2009-3846 (Multiple heap-based buffer overflows in ovlogin.exe in HP OpenView Net ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2009-3845 (The port-3443 HTTP server in HP OpenView Network Node Manager (OV NNM) ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2009-3844 (Stack-based buffer overflow in the OmniInet process in HP OpenView Dat ...) NOT-FOR-US: HP OpenView Data Protector Application CVE-2009-3843 (HP Operations Manager 8.10 on Windows contains a "hidden account" in t ...) NOT-FOR-US: HP Operations Manager CVE-2009-3842 (Unspecified vulnerability on the HP Color LaserJet M3530 Multifunction ...) NOT-FOR-US: HP Color LaserJet CVE-2009-3841 (Unspecified vulnerability in HP Discovery & Dependency Mapping Inv ...) NOT-FOR-US: HP Discovery & Dependency Mapping CVE-2009-3840 (The embedded database engine service (aka ovdbrun.exe) in HP OpenView ...) NOT-FOR-US: HP OpenView CVE-2009-3839 (Unspecified vulnerability in the Solaris Trusted Extensions Policy con ...) NOT-FOR-US: Sun Solaris CVE-2009-3838 (Stack-based buffer overflow in Pegasus Mail (PMail) 4.41 and possibly ...) NOT-FOR-US: Pegasus Mail CVE-2009-3837 (Stack-based buffer overflow in Eureka Email 2.2q allows remote POP3 se ...) NOT-FOR-US: Eureka Email CVE-2009-3836 (ArubaOS 3.3.1.x, 3.3.2.x, RN 3.1.x, 3.4.x, and 3.3.2.x-FIPS on the Aru ...) NOT-FOR-US: ArubaOS CVE-2009-3835 (SQL injection vulnerability in the JShop (com_jshop) component for Joo ...) NOT-FOR-US: Joomla! CVE-2009-3834 (SQL injection vulnerability in the Photoblog (com_photoblog) component ...) NOT-FOR-US: Joomla! CVE-2009-3833 (Cross-site scripting (XSS) vulnerability in index.php in TFTgallery 0. ...) NOT-FOR-US: TFTgallery CVE-2009-3832 (Opera before 10.01 on Windows does not prevent use of Web fonts in ren ...) NOT-FOR-US: Opera CVE-2009-3831 (Opera before 10.01 allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Opera CVE-2009-3830 (The download functionality in Team Services in Microsoft Office ShareP ...) NOT-FOR-US: Microsoft CVE-2009-3829 (Integer overflow in wiretap/erf.c in Wireshark before 1.2.2 allows rem ...) {DSA-1942-1} - wireshark 1.2.2-1 (bug #553583) CVE-2009-3828 (The web interface for Everfocus EDR1600 DVR allows remote attackers to ...) NOT-FOR-US: Everfocus EDR1600 DVR CVE-2009-3827 RESERVED CVE-2009-3826 (Multiple buffer overflows in squidGuard 1.4 allow remote attackers to ...) {DSA-2040-1} - squidguard 1.2.0-9 (low; bug #553319) CVE-2009-3825 (Multiple directory traversal vulnerabilities in GenCMS 2006 allow remo ...) NOT-FOR-US: GenCMS CVE-2009-3824 (Directory traversal vulnerability in include/processor.php in Greenwoo ...) NOT-FOR-US: Greenwood PHP Content Manager CVE-2009-3823 (Directory traversal vulnerability in myhtml.php in Mobilelib GOLD 3.0, ...) NOT-FOR-US: Mobilelib GOLD CVE-2009-3822 (PHP remote file inclusion vulnerability in Fiji Web Design Ajax Chat ( ...) NOT-FOR-US: com_ajaxchat component for Joomla CVE-2009-3821 (Cross-site scripting (XSS) vulnerability in the Apache Solr Search (so ...) NOT-FOR-US: Apache Solr Search extension for TYPO3 CVE-2009-3820 (SQL injection vulnerability in the Flagbit Filebase (fb_filebase) exte ...) NOT-FOR-US: Flagbit Filebase extension for TYPO3 CVE-2009-3819 (Unspecified vulnerability in the Random Images (maag_randomimage) exte ...) NOT-FOR-US: Random Images extension for TYPO3 CVE-2009-3818 (Unspecified vulnerability in the session handling feature in freeCap C ...) NOT-FOR-US: freeCap CAPTCHA for TYPO3 CVE-2009-3817 (PHP remote file inclusion vulnerability in doc/releasenote.php in the ...) NOT-FOR-US: com_booklibrary component for Joomla! CVE-2009-3816 (Multiple cross-site scripting (XSS) vulnerabilities in Activities page ...) NOT-FOR-US: IBM Lotus Connections CVE-2009-3815 (RunCMS 2M1, when running with certain error_reporting levels, allows r ...) NOT-FOR-US: RunCMS 2M1 CVE-2009-3814 (Static code injection vulnerability in RunCMS 2M1 allows remote authen ...) NOT-FOR-US: RunCMS 2M1 CVE-2009-3813 (Multiple SQL injection vulnerabilities in RunCMS 2M1 allow remote auth ...) NOT-FOR-US: RunCMS 2M1 CVE-2009-3812 (Heap-based buffer overflow in OtsAV DJ trial version 1.85.64.0, Radio ...) NOT-FOR-US: OtsAV products CVE-2009-3811 (Stack-based buffer overflow in Music Tag Editor 1.61 build 212 allows ...) NOT-FOR-US: Music Tag Editor CVE-2009-3810 (Heap-based buffer overflow in Acoustica MP3 Audio Mixer 2.471 allows r ...) NOT-FOR-US: Acoustica MP3 Audio Mixer CVE-2009-3809 (Acoustica MP3 Audio Mixer 1.0 and possibly 2.471 allows remote attacke ...) NOT-FOR-US: Acoustica MP3 Audio Mixer CVE-2009-3808 (MixSense DJ Studio 1.0.0.1 allows remote attackers to cause a denial o ...) NOT-FOR-US: MixSense DJ Studio CVE-2009-3807 (Stack-based buffer overflow in MixVibes 7.043 Pro allows remote attack ...) NOT-FOR-US: MixVibes CVE-2009-3806 (SQL injection vulnerability in feedback_js.php in DedeCMS 5.1 allows r ...) NOT-FOR-US: DedeCMS CVE-2009-3805 (gpg2.exe in Gpg4win 2.0.1, as used in KDE Kleopatra 2.0.11, allows rem ...) NOT-FOR-US: Gpg4win NOTE: looks like an issue in gpg2 for windows (gpg4win.org), not specific NOTE: to kleopatra CVE-2009-3804 (Multiple SQL injection vulnerabilities in modules/forum/post.php in Ru ...) NOT-FOR-US: RunCMS 2M1 CVE-2009-3803 (Multiple cross-site scripting (XSS) vulnerabilities in Amiro.CMS 5.4.0 ...) NOT-FOR-US: Amiro.CMS CVE-2009-3802 (Amiro.CMS 5.4.0.0 and earlier allows remote attackers to obtain sensit ...) NOT-FOR-US: Amiro.CMS CVE-2009-3801 (SQL injection vulnerability in index.php in OpenDocMan 1.2.5 allows re ...) NOT-FOR-US: OpenDocMan CVE-2009-XXXX [multiple missing input sanity checks in KDE] - kdelibs 4:3.5.10.dfsg.1-3 (low) - kde4libs 4:4.3.4-1 (low) [lenny] - kde4libs (Minor issue) [lenny] - kdelibs (minor and unlikely to be exploited) [etch] - kdelibs (minor and unlikely to be exploited) NOTE: http://www.ocert.org/advisories/ocert-2009-015.html NOTE: https://www.portcullis-security.com/security-research-and-downloads/security-advisories/pre-2014-advisories/ NOTE: advisory mentions kmail and ark (from kdepim and kdeutils, respectively) NOTE: but the "fixes" linked from the advisory only change code in kdelibs NOTE: more info at oss-sec threads CVE-2009-3800 (Multiple unspecified vulnerabilities in Adobe Flash Player before 10.0 ...) NOT-FOR-US: Adobe Flash Player CVE-2009-3799 (Integer overflow in the Verifier::parseExceptionHandlers function in A ...) NOT-FOR-US: Adobe Flash Player CVE-2009-3798 (Adobe Flash Player before 10.0.42.34 and Adobe AIR before 1.5.3 might ...) NOT-FOR-US: Adobe Flash Player CVE-2009-3797 (Adobe Flash Player 10.x before 10.0.42.34 and Adobe AIR before 1.5.3 m ...) NOT-FOR-US: Adobe Flash Player CVE-2009-3796 (Adobe Flash Player before 10.0.42.34 and Adobe AIR before 1.5.3 might ...) NOT-FOR-US: Adobe Flash Player CVE-2009-3795 REJECTED CVE-2009-3794 (Heap-based buffer overflow in Adobe Flash Player before 10.0.42.34 and ...) NOT-FOR-US: Adobe Flash Player CVE-2009-3793 (Unspecified vulnerability in Adobe Flash Player before 9.0.277.0 and 1 ...) NOT-FOR-US: Adobe Flash Player CVE-2009-3792 (Directory traversal vulnerability in Adobe Flash Media Server (FMS) be ...) NOT-FOR-US: Adobe Flash Media Server CVE-2009-3791 (Unspecified vulnerability in Adobe Flash Media Server (FMS) before 3.5 ...) NOT-FOR-US: Adobe Flash Media Server CVE-2009-3790 (Heap-based buffer overflow in FormMax (formerly AcroForm) evaluation 3 ...) NOT-FOR-US: FormMax CVE-2009-3789 (Multiple cross-site scripting (XSS) vulnerabilities in OpenDocMan 1.2. ...) NOT-FOR-US: OpenDocMan CVE-2009-3788 (SQL injection vulnerability in index.php in OpenDocMan 1.2.5 allows re ...) NOT-FOR-US: OpenDocMan CVE-2009-3787 (files.php in Vivvo CMS 4.1.5.1 allows remote attackers to conduct dire ...) NOT-FOR-US: Vivvo CMS CVE-2009-3786 (Cross-site scripting (XSS) vulnerability in Organic Groups (OG) Vocabu ...) NOT-FOR-US: module for Drupal CVE-2009-3785 (Multiple cross-site request forgery (CSRF) vulnerabilities in Simplene ...) NOT-FOR-US: module for Drupal CVE-2009-3784 (Open redirect vulnerability in Simplenews Statistics 6.x before 6.x-2. ...) NOT-FOR-US: module for Drupal CVE-2009-3783 (Cross-site scripting (XSS) vulnerability in Simplenews Statistics 6.x ...) NOT-FOR-US: module for Drupal CVE-2009-3782 (Unspecified vulnerability in Userpoints 6.x before 6.x-1.1, a module f ...) NOT-FOR-US: module for Drupal CVE-2009-3781 (The filefield_file_download function in FileField 6.x-3.1, a module fo ...) NOT-FOR-US: module for Drupal CVE-2009-3780 (Cross-site scripting (XSS) vulnerability in Abuse 5.x before 5.x-2.1 a ...) NOT-FOR-US: module for Drupal CVE-2009-3779 (Cross-site scripting (XSS) vulnerability in vCard 5.x before 5.x-1.4 a ...) NOT-FOR-US: module for Drupal CVE-2009-3778 (SQL injection vulnerability in Moodle Course List 6.x before 6.x-1.2, ...) NOT-FOR-US: module for Drupal CVE-2009-5045 (Dump Servlet information leak in jetty before 6.1.22. ...) - jetty 6.1.22-1 (unimportant; bug #553644) NOTE: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt NOTE: The affected apps are not shipped in the package, see #553644 CVE-2009-5046 (JSP Dump and Session Dump Servlet XSS in jetty before 6.1.22. ...) - jetty 6.1.22-1 (unimportant; bug #553644) NOTE: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt NOTE: The affected apps are not shipped in the package, see #553644 CVE-2009-5047 REJECTED CVE-2009-5048 (Cookie Dump Servlet stored XSS vulnerability in jetty though 6.1.20. ...) - jetty 6.1.22-1 (unimportant; bug #553644) NOTE: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt NOTE: The affected apps are not shipped in the package, see #553644 CVE-2009-5049 (WebApp JSP Snoop page XSS in jetty though 6.1.21. ...) - jetty 6.1.22-1 (unimportant; bug #553644) NOTE: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt NOTE: The affected apps are not shipped in the package, see #553644 CVE-2009-XXXX [cherokee 0.5.4 DoS] - cherokee (not reproducible) NOTE: <4089.110.37.64.157.1256562313.squirrel@mail.xc0re.net> in bugtraq NOTE: not reproducible in etch's 0.5.5 nor sid's 0.99.22-1.1 CVE-2009-3777 RESERVED CVE-2009-3776 RESERVED CVE-2009-3775 RESERVED CVE-2009-3774 RESERVED CVE-2009-3773 RESERVED CVE-2009-3772 RESERVED CVE-2009-3771 RESERVED CVE-2009-3770 RESERVED CVE-2009-3769 RESERVED CVE-2009-3768 RESERVED CVE-2009-3767 (libraries/libldap/tls_o.c in OpenLDAP 2.2 and 2.4, and possibly other ...) {DSA-1943-1} - openldap 2.4.17-2.1 (low; bug #553432) - openldap2.3 CVE-2009-3766 (mutt_ssl.c in mutt 1.5.16 and other versions before 1.5.19, when OpenS ...) - mutt (uses GnuTLS and not OpenSSL) NOTE: our mutt is linked against gnutls, bug #553433 CVE-2009-3765 (mutt_ssl.c in mutt 1.5.19 and 1.5.20, when OpenSSL is used, does not p ...) - mutt (uses GnuTLS and not OpenSSL) NOTE: our mutt is linked against gnutls CVE-2009-3764 (Unspecified vulnerability in the OpenSSO component in Oracle OpenSSO E ...) NOT-FOR-US: Oracle OpenSSO CVE-2009-3763 (Unspecified vulnerability in the Access Manager / OpenSSO component in ...) NOT-FOR-US: Oracle OpenSSO CVE-2009-3762 (Unspecified vulnerability in Oracle OpenSSO Enterprise 8.0 allows remo ...) NOT-FOR-US: Oracle OpenSSO CVE-2009-3761 RESERVED CVE-2009-3760 (Static code injection vulnerability in config/writeconfig.php in the s ...) NOT-FOR-US: Citrix XenCenterWeb CVE-2009-3759 (Multiple cross-site request forgery (CSRF) vulnerabilities in sample c ...) NOT-FOR-US: Citrix XenCenterWeb CVE-2009-3758 (SQL injection vulnerability in login.php in sample code in the XenServ ...) NOT-FOR-US: Citrix XenCenterWeb CVE-2009-3757 (Multiple cross-site scripting (XSS) vulnerabilities in sample code in ...) NOT-FOR-US: Citrix XenCenterWeb CVE-2009-3756 (phpBMS 0.96 allows remote attackers to obtain sensitive information vi ...) NOT-FOR-US: phpBMS CVE-2009-3755 (Multiple cross-site scripting (XSS) vulnerabilities in phpBMS 0.96 all ...) NOT-FOR-US: phpBMS CVE-2009-3754 (Multiple SQL injection vulnerabilities in phpBMS 0.96 allow remote att ...) NOT-FOR-US: phpBMS CVE-2009-3753 (Unrestricted file upload vulnerability in Opial 1.0 allows remote atta ...) NOT-FOR-US: Opial CVE-2009-3752 (SQL injection vulnerability in home.php in Opial 1.0 allows remote att ...) NOT-FOR-US: Opial CVE-2009-3751 (Cross-site scripting (XSS) vulnerability in home.php in Opial 1.0 allo ...) NOT-FOR-US: Opial CVE-2009-3750 (SQL injection vulnerability in read.php in ToyLog 0.1 allows remote at ...) NOT-FOR-US: ToyLog CVE-2009-3749 (The Web Administrator service (STEMWADM.EXE) in Websense Personal Emai ...) NOT-FOR-US: Websense Personal Email Manager CVE-2009-3748 (Multiple cross-site scripting (XSS) vulnerabilities in the Web Adminis ...) NOT-FOR-US: Websense Personal Email Manager CVE-2009-3747 (Cross-site scripting (XSS) vulnerability in index.php in TBmnetCMS 1.0 ...) NOT-FOR-US: TBmnetCMS CVE-2009-3746 (XScreenSaver in Sun Solaris 10, when the accessibility feature is enab ...) NOT-FOR-US: XScreenSaver in Sun Solaris 10 CVE-2009-3745 (Cross-site scripting (XSS) vulnerability in the help pages in IBM Rati ...) NOT-FOR-US: IBM Rational AppScan Enterprise Edition CVE-2009-3744 (rep_serv.exe 6.3.1.3 in the server in EMC RepliStor allows remote atta ...) NOT-FOR-US: EMC RepliStor CVE-2009-3743 (Off-by-one error in the Ins_MINDEX function in the TrueType bytecode i ...) - ghostscript 8.71~dfsg-1 CVE-2009-3742 (Cross-site scripting (XSS) vulnerability in Liferay Portal before 5.3. ...) - liferay-portal (bug #569819) CVE-2009-3741 REJECTED CVE-2009-3740 RESERVED CVE-2009-3739 (Multiple unspecified vulnerabilities on the Rockwell Automation AB Mic ...) NOT-FOR-US: Micrologix CVE-2009-3738 RESERVED CVE-2009-3737 (The Oracle Siebel Option Pack for IE ActiveX control does not properly ...) NOT-FOR-US: Oracle Siebel Option Pack CVE-2009-3736 (ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b, as us ...) {DSA-1958-1} - libtool 2.2.6b-1 (low; bug #559797) - arts (Uses absolute path to the sound backend) - bochs (additional hardening in this package prevents this type of attack; bug #559799) - camserv (low; bug #559800) NOTE: requested camserv removal [lenny] - camserv (Minor issue) [etch] - camserv (Minor issue) - collectd 4.8.2-1 (low; bug #559801) [lenny] - collectd (Minor issue) [etch] - collectd (Minor issue) - cvsnt 2.5.04.3236-1.2 (low; bug #559803) [etch] - cvsnt (Minor issue) [lenny] - cvsnt (Minor issue) - ggobi 2.1.9~20091212-1 (low; bug #559806) [etch] - ggobi (Minor issue) [lenny] - ggobi (Minor issue) - gnash 0.8.7-2 (low; bug #559808) [lenny] - gnash (Minor issue) - gnu-smalltalk 3.1-2 (low; bug #559809) [lenny] - gnu-smalltalk (Minor issue) [etch] - gnu-smalltalk (Minor issue) - graphicsmagick 1.3.5-6 (low; bug #559811) [lenny] - graphicsmagick (Minor issue, can be fixed along with later updates) [etch] - graphicsmagick (Minor issue, can be fixed along with later updates) - guile-1.6 1.6.8-7 (low; bug #559813) [etch] - guile-1.6 (Minor issue) [lenny] - guile-1.6 (Minor issue) - hamlib 1.2.10-1 (low; bug #559814) [lenny] - hamlib 1.2.7.1-1+lenny1 [etch] - hamlib (Minor issue) - hercules 3.06-1.2 (low; bug #559815) [lenny] - hercules (Minor issue) [etch] - hercules (Minor issue) - jags 1.0.4-1 (low; bug #559816) - kdelibs (dl_open open loads from fixed paths) - libannodex (low; bug #559818) [lenny] - libannodex (Minor issue) [etch] - libannodex (Minor issue) - libextractor 0.5.23+dfsg-4 (low; bug #559819) [etch] - libextractor (Minor issue) [lenny] - libextractor (Minor issue) - libmcrypt (not included in any of the binary packages; bug #559820) - libtunepimp 0.5.3-7.3 (low; bug #559821) [lenny] - libtunepimp (Minor issue) [etch] - libtunepimp (Minor issue) - mp4h 1.3.1-4.1 (low; bug #559822) [etch] - mp4h (Minor issue) [lenny] - mp4h (Minor issue) - naim (low; bug #559823) [lenny] - naim (Minor issue) [etch] - naim (Minor issue) - parser-mysql 10.3-2 (unimportant; bug #559824) - pinball 0.3.1-11 (low; bug #559825) [lenny] - pinball (Minor issue) [etch] - pinball (Minor issue) - redland 1.0.10-1 (low; bug #559826) [etch] - redland (Versions prior to 1.0.9 don't use libtool/libltdl) [lenny] - redland (Versions prior to 1.0.9 don't use libtool/libltdl) - siproxd 1:0.8.1-1 (low; bug #559827) [lenny] - siproxd (Minor issue) [etch] - siproxd (Minor issue) - ski (low; bug #559828) - synfig 0.62.00-1 (low; bug #559829) [lenny] - synfig (Minor issue) - xmlsec1 1.2.14-1 (unimportant; bug #559831) NOTE: Embedded code copy isn't used - clamav 0.95+dfsg-1 (low; bug #559832) [lenny] - clamav (Minor issue) [etch] - clamav (Minor issue) - imagemagick 6:6.2.3.1-1 (low; bug #559833) [lenny] - imagemagick (Minor issue) [etch] - imagemagick (Minor issue) - hypre 2.4.0b-5 (low; bug #559834) [etch] - hypre (Minor issue) [lenny] - hypre (Minor issue) - lam 7.1.2-1.6 (low; bug #559835) [lenny] - lam (Minor issue) [etch] - lam (Minor issue) - openmpi 1.3.3-4 (low; bug #559836) [lenny] - openmpi (Minor issue) [etch] - openmpi (Minor issue) - parser 3.4.0-2 (unimportant; bug #559837) NOTE: users with write access can modify configuration to load new extensions, see #559837 - pdsh (Only loads from /usr/lib/pdsh, which is controlled by root) - sdcc 2.9.0-5 (low; bug #559840) [lenny] - sdcc (Minor issue) [etch] - sdcc (Minor issue) - proftpd-dfsg (Only loads from /usr/lib/proftpd) - babel 1.4.0.dfsg-5 (low; bug #559843) [lenny] - babel (Minor issue) - libprelude 0.9.14-2 (low; bug #559844) [etch] - libprelude (Minor issue) - heartbeat 2.1.4-7 (unimportant; bug #559845) NOTE: the dlopened path is always below /usr/lib/heartbeat, which isn't under control of an attacker NOTE: From Squeeze onwards the system copy of ltdl is used, use the current version from Squeeze, NOTE: might've been fixed earlier - graphviz 2.26.3-14 (low; bug #702436) [squeeze] - graphviz 2.26.3-5+squeeze1 CVE-2009-3735 (The ActiveScan Installer ActiveX control in as2stubie.dll before 1.3.3 ...) NOT-FOR-US: ActiveScan Installer ActiveX control CVE-2009-3734 (Unspecified vulnerability in the management console in the S2 Security ...) NOT-FOR-US: S2 Security Linear eMerge Access Control System CVE-2009-XXXX [mandos 0600 file being included in initrd] - mandos 1.0.13-1 (bug #551907) CVE-2009-3733 (Directory traversal vulnerability in VMware Server 1.x before 1.0.10 b ...) - vmware-package CVE-2009-3732 (Format string vulnerability in vmware-vmrc.exe build 158248 in VMware ...) NOT-FOR-US: VMware CVE-2009-3731 (Multiple cross-site scripting (XSS) vulnerabilities in WebWorks Help 2 ...) NOT-FOR-US: WebWorks Help CVE-2009-3730 (Multiple cross-site scripting (XSS) vulnerabilities in the ReqWeb Help ...) NOT-FOR-US: ReqWeb CVE-2009-3729 (Unspecified vulnerability in the TrueType font parsing functionality i ...) - openjdk-6 6b17-1.7-1 (medium; bug #560908) - sun-java6 6-17-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2009-3728 (Directory traversal vulnerability in the ICC_Profile.getInstance metho ...) - openjdk-6 6b17~pre3-1 (medium; bug #560908) - sun-java6 6-17-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2009-3727 (Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.3, 1.6.0 ...) {DSA-1952-1} - asterisk 1:1.6.2.0~rc6-1 [lenny] - asterisk (Minor issue) [etch] - asterisk (Etch Packages no longer covered by security support) CVE-2009-3726 (The nfs4_proc_lock function in fs/nfs/nfs4proc.c in the NFSv4 client i ...) {DSA-2005-1 DSA-2003-1} - linux-2.6 2.6.31-1 (medium) [lenny] - linux-2.6 2.6.26-21 - linux-2.6.24 (medium) CVE-2009-3725 (The connector layer in the Linux kernel before 2.6.31.5 does not requi ...) {DSA-2012-1} - linux-2.6 2.6.31-1 (medium) [etch] - linux-2.6 (Vulnerable code not present) - linux-2.6.24 (medium) CVE-2009-3724 (python-markdown2 before 1.0.1.14 has multiple cross-site scripting (XS ...) NOT-FOR-US: python-markdown2 (not our markdown, different code base) CVE-2009-3723 (asterisk allows calls on prohibited networks ...) [etch] - asterisk [lenny] - asterisk - asterisk 1:1.6.2.0~rc3-2 (medium; bug #552756) NOTE: http://downloads.asterisk.org/pub/security/AST-2009-007.html CVE-2009-3722 (The handle_dr function in arch/x86/kvm/vmx.c in the KVM subsystem in t ...) {DSA-1962-1} [etch] - linux-2.6 (issue introduced in 2.6.30-rc1) [lenny] - linux-2.6 (issue introduced in 2.6.30-rc1) - linux-2.6 2.6.31-1 (low) - kvm 88+dfsg-2 (low; bug #557739) NOTE: http://bugzilla.redhat.com/531660 NOTE: https://git.kernel.org/linus/0a79b009525b160081d75cef5dbf45817956acf2 CVE-2009-3721 [ytnef buffer overflow] RESERVED - ytnef (bug #567631) [lenny] - ytnef (Minor issue) NOTE: http://www.ocert.org/advisories/ocert-2009-013.html NOTE: This doesn't affect Evolution, the TNEF plugin is external CVE-2009-3720 (The updatePosition function in lib/xmltok_impl.c in libexpat in Expat ...) {DSA-1977-1 DSA-1921-1} - expat 2.0.1-5 (low; bug #551936) - mcabber 0.10.0-1 (low; bug #601053) [lenny] - mcabber (Minor issue) - w3c-libwww (low; bug #551938) [etch] - w3c-libwww (Minor issue, only used by fringe apps) - python-xml (low; bug #560951) [etch] - python-xml (minor issue) [lenny] - python-xml 0.8.4-10.1+lenny1 - python2.5 2.5.4-3.1 (low; bug #560912) - python2.4 2.4.4-3etch3 (low; bug #560913) - python-4suite 1.0.2-7.2 (low; bug #560914) [etch] - python-4suite (Minor issue) [lenny] - python-4suite (Minor issue) - wxwindows2.4 (unimportant; bug #560915) - wxwidgets2.6 2.6.3.2.2-4 (unimportant; bug #560916) - wxwidgets2.8 2.8.10.1-2 (unimportant; bug #560917) - audacity 1.3.2-1 (unimportant; bug #560919) - matanza (unimportant; bug #560920) - tdom 0.8.3~20080525-1 (low; bug #560921) [etch] - tdom (minor issue) - udunits 2.1.8-4 (unimportant; bug #560922) - ayttm 0.6.1-2 (low; bug #560924) [etch] - ayttm (minor issue) [lenny] - ayttm (minor issue) - cableswig (unimportant; bug #560925) - cadaver (unimportant; bug #560926) - centerim 4.22.10-1 (low) [lenny] - centerim (Minor issue) - cmake 2.6.0-6 (unimportant; bug #560927) - coin3 (unimportant; bug #560928) - gdcm 2.0.14-2 (low; bug #560929) - ghostscript 8.71~dfsg-2 (unimportant; bug #560930) - gs-gpl (unimportant) - grmonitor (unimportant; bug #560931) - iceape (unimportant; bug #560932) - insighttoolkit 3.16.0-1 (unimportant; bug #560933) - paraview 3.6.2-1 (unimportant; bug #560935) - poco 1.3.6p1-1 (unimportant; bug #560936) - simgear 2.10.0-1 (unimportant; bug #560937) - smart 1.2-5 (low; bug #560953) [etch] - smart (minor issue) [lenny] - smart (minor issue) - tla 1.3.5+dfsg-15 (unimportant; bug #560940) [lenny] - tla 1.3.5+dfsg-14+lenny1 - xmlrpc-c 1.06.27-1.1 (low; bug #560942) [etch] - xmlrpc-c (minor issue) [lenny] - xmlrpc-c (minor issue) - iceweasel (uses xulrunner; bug #560943) - kompozer 1:0.8~b1-2 (unimportant; bug #560944) - vxl 1.13.0-2 (low; bug #560945) - xulrunner (unimportant; bug #560946) - texlive-bin (Files are not compiled in, see #560948) - vnc4 (Not affected, see bug #560949) - xotcl 1.6.5-1.2 (low; bug #560950) [lenny] - xotcl (minor issue) CVE-2009-3719 (Cross-site scripting (XSS) vulnerability in comment.asp in Battle Blog ...) NOT-FOR-US: Battle Blog CVE-2009-3718 (SQL injection vulnerability in admin/authenticate.asp in Battle Blog 1 ...) NOT-FOR-US: Battle Blog CVE-2009-3717 (Heap-based buffer overflow in LucVil PatPlayer 3.9 allows remote attac ...) NOT-FOR-US: LucVil PatPlayer CVE-2009-3716 (Unrestricted file upload vulnerability in admin.php in MCshoutbox 1.1 ...) NOT-FOR-US: MCshoutbox CVE-2009-3715 (Multiple SQL injection vulnerabilities in scr_login.php in MCshoutbox ...) NOT-FOR-US: MCshoutbox CVE-2009-3714 (Cross-site scripting (XSS) vulnerability in admin_login.php in MCshout ...) NOT-FOR-US: MCshoutbox CVE-2009-3713 (SQL injection vulnerability in fichero.php in MorcegoCMS 1.7.6 and ear ...) NOT-FOR-US: MorcegoCMS CVE-2009-3712 (Multiple SQL injection vulnerabilities in Ebay Clone 2009 allow remote ...) NOT-FOR-US: Ebay Clone 2009 CVE-2009-3711 (Stack-based buffer overflow in the h_handlepeer function in http.cpp i ...) NOT-FOR-US: httpdx CVE-2009-3710 (RioRey RIOS 4.6.6 and 4.7.0 uses an undocumented, hard-coded username ...) NOT-FOR-US: RioRey RIOS CVE-2009-3709 (Stack-based buffer overflow in the Meta Content Optimizer in Konae Tec ...) NOT-FOR-US: Konae Technologies Alleycode HTML Editor CVE-2009-3708 (Stack-based buffer overflow in the Meta Content Optimizer in Konae Tec ...) NOT-FOR-US: Konae Technologies Alleycode HTML Editor CVE-2009-3707 (VMware Authentication Daemon 1.0 in vmware-authd.exe in the VMware Aut ...) NOT-FOR-US: VMware CVE-2009-3706 (Unspecified vulnerability in the ZFS filesystem in Sun Solaris 10, and ...) NOT-FOR-US: ZFS filesystem in Sun Solaris CVE-2009-3705 (PHP remote file inclusion vulnerability in debugger.php in Achievo bef ...) NOT-FOR-US: Achievo CVE-2009-3704 (ZoIPer 2.22, and possibly other versions before 2.24 Library 5324, all ...) NOT-FOR-US: ZoIPer CVE-2009-3703 (Multiple SQL injection vulnerabilities in the WP-Forum plugin before 2 ...) NOT-FOR-US: WordPress plugin CVE-2009-3702 (Multiple absolute path traversal vulnerabilities in PHP-Calendar 1.1 a ...) NOT-FOR-US: PHP-Calendar CVE-2009-3701 (Multiple cross-site scripting (XSS) vulnerabilities in the administrat ...) {DSA-1966-1} - horde3 3.3.6+debian0-1 (low) NOTE: In order to successfully exploit this vulnerability the targeted user has to be logged as an administrator. CVE-2009-3700 (Buffer overflow in sgLog.c in squidGuard 1.3 and 1.4 allows remote att ...) {DSA-2040-1} - squidguard 1.2.0-9 (low; bug #553319) CVE-2009-3699 (Stack-based buffer overflow in libcsa.a (aka the calendar daemon libra ...) NOT-FOR-US: IBM AIX CVE-2009-3698 (An unspecified function in the Dalvik API in Android 1.5 and earlier a ...) NOT-FOR-US: Dalvik API in Android CVE-2009-3697 (SQL injection vulnerability in the PDF schema generator functionality ...) {DSA-1918-1} - phpmyadmin 4:3.2.2.1-1 [etch] - phpmyadmin (Vulnerable code not present) CVE-2009-3696 (Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.11.x before 2 ...) {DSA-1918-1} - phpmyadmin 4:3.2.2.1-1 CVE-2009-3610 REJECTED CVE-2009-3695 (Algorithmic complexity vulnerability in the forms library in Django 1. ...) {DSA-1905-1} - python-django 1.1.1-1 (medium; bug #550457) [etch] - python-django (introduced in 1.0) [lenny] - python-django 1.0.2-1+lenny2 CVE-2009-3694 (Directory traversal vulnerability in config/config.php in ezRecipe-Zee ...) NOT-FOR-US: ezRecipe-Zee 91 CVE-2009-3693 (Directory traversal vulnerability in the Persits.XUpload.2 ActiveX con ...) NOT-FOR-US: Persits.XUpload.2 ActiveX CVE-2009-3691 (Multiple integer overflows in setnet32.exe 3.50.0.13752 in IBM Informi ...) NOT-FOR-US: IBM Informix Client SDK CVE-2009-3690 RESERVED CVE-2009-3689 REJECTED CVE-2009-3688 REJECTED CVE-2009-3687 REJECTED CVE-2009-3686 REJECTED CVE-2009-3685 REJECTED CVE-2009-3684 REJECTED CVE-2009-3683 REJECTED CVE-2009-3682 REJECTED CVE-2009-3681 REJECTED CVE-2009-3680 REJECTED CVE-2009-3679 REJECTED CVE-2009-3678 (Integer overflow in cdd.dll in the Canonical Display Driver (CDD) in M ...) NOT-FOR-US: Microsoft Windows CVE-2009-3677 (The Internet Authentication Service (IAS) in Microsoft Windows 2000 SP ...) NOT-FOR-US: Microsoft Internet Authentication Service CVE-2009-3676 (The SMB client in the kernel in Microsoft Windows Server 2008 R2 and W ...) NOT-FOR-US: Microsoft Windows Server CVE-2009-3675 (LSASS.exe in the Local Security Authority Subsystem Service (LSASS) in ...) NOT-FOR-US: Microsoft Local Security Authority Subsystem Service CVE-2009-3674 (Microsoft Internet Explorer 8 does not properly handle objects in memo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-3673 (Microsoft Internet Explorer 7 and 8 does not properly handle objects i ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-3672 (Microsoft Internet Explorer 6 and 7 does not properly handle objects i ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-3671 (Microsoft Internet Explorer 8 does not properly handle objects in memo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-3670 (Stack-based buffer overflow in KSP Sound Player 2009 R2 and R2.1 allow ...) NOT-FOR-US: KSP Sound Player CVE-2009-3669 (SQL injection vulnerability in the foobla Suggestions (com_foobla_sugg ...) NOT-FOR-US: Joomla! component CVE-2009-3668 (Cross-site scripting (XSS) vulnerability in ardguest.php in Ardguest 1 ...) NOT-FOR-US: Ardguest 1.8 CVE-2009-3667 (SQL injection vulnerability in admin/index.php in AdsDX 3.05 allows re ...) NOT-FOR-US: AdsDX CVE-2009-3666 (Cross-site scripting (XSS) vulnerability in index.php in Nullam Blog 0 ...) NOT-FOR-US: Nullam Blog CVE-2009-3665 (Multiple SQL injection vulnerabilities in index.php in Nullam Blog 0.1 ...) NOT-FOR-US: Nullam Blog CVE-2009-3664 (Multiple directory traversal vulnerabilities in index.php in Nullam Bl ...) NOT-FOR-US: Nullam Blog CVE-2009-3663 (Format string vulnerability in the h_readrequest function in http.c in ...) NOT-FOR-US: httpdx CVE-2009-3662 (FileCopa FTP Server 5.01 allows remote attackers to cause a denial of ...) NOT-FOR-US: FileCopa FTP Server CVE-2009-3661 (Multiple SQL injection vulnerabilities in the DJ-Catalog (com_djcatalo ...) NOT-FOR-US: component for Joomla! CVE-2009-3660 (PHP remote file inclusion vulnerability in libraries/database.php in E ...) NOT-FOR-US: Efront CVE-2009-3659 (SQL injection vulnerability in file/stats.php in BS Counter 2.5.3 allo ...) NOT-FOR-US: BS Counter CVE-2009-3658 (Use-after-free vulnerability in the Sb.SuperBuddy.1 ActiveX control (s ...) NOT-FOR-US: Sb.SuperBuddy.1 ActiveX CVE-2009-3657 (Session fixation vulnerability in Shared Sign-On 5.x and 6.x, a module ...) NOT-FOR-US: module for Drupal CVE-2009-3656 (Cross-site request forgery (CSRF) vulnerability in Shared Sign-On 5.x ...) NOT-FOR-US: module for Drupal CVE-2009-3655 (Rhino Software Serv-U 7.0.0.1 through 8.2.0.3 allows remote attackers ...) NOT-FOR-US: Rhino Software Serv-U CVE-2009-3654 (Unspecified vulnerability in Boost before 6.x-1.03, a module for Drupa ...) NOT-FOR-US: module for Drupal CVE-2009-3653 (Cross-site scripting (XSS) vulnerability in the additional links inter ...) NOT-FOR-US: module for Drupal CVE-2009-3652 (Cross-site scripting (XSS) vulnerability in Organic Groups (OG) 5.x-7. ...) NOT-FOR-US: module for Drupal CVE-2009-3651 (Cross-site scripting (XSS) vulnerability in the "Monitor browsers' fea ...) NOT-FOR-US: module for Drupal CVE-2009-3650 (Cross-site scripting (XSS) vulnerability in Dex 5.x-1.0 and earlier an ...) NOT-FOR-US: module for Drupal CVE-2009-3649 (Cross-site scripting (XSS) vulnerability in forums/index.php in Power ...) NOT-FOR-US: PBBoard CVE-2009-3648 (Cross-site scripting (XSS) vulnerability in Service Links 6.x-1.0, a m ...) NOT-FOR-US: module for Drupal CVE-2009-3647 (Cross-site scripting (XSS) vulnerability in emaullinks.php in YABSoft ...) NOT-FOR-US: YABSoft Mega File Hosting Script (aka MFH or MFHS) CVE-2009-3646 (InterVations NaviCOPA Web Server 3.01 allows remote attackers to obtai ...) NOT-FOR-US: NaviCOPA Web Server CVE-2009-3645 (SQL injection vulnerability in the JoomlaCache CB Resume Builder (com_ ...) NOT-FOR-US: JoomlaCache CVE-2009-3644 (SQL injection vulnerability in the Soundset (com_soundset) component 1 ...) NOT-FOR-US: Joomla component CVE-2009-3643 (Dxmsoft XM Easy Personal FTP Server 5.8.0 allows remote attackers to c ...) NOT-FOR-US: Dxmsoft XM Easy Personal FTP Server CVE-2009-3642 (Multiple SQL injection vulnerabilities in the Call Logging feature in ...) NOT-FOR-US: FrontRange HEAT CVE-2009-3641 (Snort before 2.8.5.1, when the -v option is enabled, allows remote att ...) - snort 2.8.5.2-1 (unimportant; bug #553584) NOTE: current debian packages are not compiled with support for ipv6 CVE-2009-3640 (The update_cr8_intercept function in arch/x86/kvm/x86.c in the KVM sub ...) - linux-2.6 2.6.31-1 (medium) [lenny] - linux-2.6 (introduced post 2.6.27) [etch] - linux-2.6 (introduced post 2.6.27) - linux-2.6.24 (introduced post 2.6.27) - kvm 88+dfsg-2 (medium; bug #557737) [lenny] - kvm (Vulnerable code not present) CVE-2009-3639 (The mod_tls module in ProFTPD before 1.3.2b, and 1.3.3 before 1.3.3rc2 ...) {DSA-1925-1} - proftpd-dfsg 1.3.2a-2 (low) NOTE: http://bugs.proftpd.org/show_bug.cgi?id=3275 CVE-2009-3638 (Integer overflow in the kvm_dev_ioctl_get_supported_cpuid function in ...) {DSA-1962-1 DSA-1927-1} - linux-2.6 2.6.31-1 (medium) [etch] - linux-2.6 (introduced in 2.6.25) NOTE: fixed in upstream 2.6.32-rc4 - linux-2.6.24 (introduced in 2.6.25) - kvm (medium; bug #562076) CVE-2009-3637 (Stack-based buffer overflow in the M_AddToServerList function in clien ...) - alien-arena 7.33-1 (medium; bug #552038) [lenny] - alien-arena 7.0-1+lenny1 CVE-2009-3636 (Cross-site scripting (XSS) vulnerability in the Install Tool subcompon ...) {DSA-1926-1} - typo3-src 4.2.10-1 (medium; bug #552020) CVE-2009-3635 (The Install Tool subcomponent in TYPO3 4.0.13 and earlier, 4.1.x befor ...) {DSA-1926-1} - typo3-src 4.2.10-1 (medium; bug #552020) CVE-2009-3634 (Cross-site scripting (XSS) vulnerability in the Frontend Login Box (ak ...) {DSA-1926-1} - typo3-src 4.2.10-1 (medium; bug #552020) CVE-2009-3633 (Cross-site scripting (XSS) vulnerability in the t3lib_div::quoteJSvalu ...) {DSA-1926-1} - typo3-src 4.2.10-1 (medium; bug #552020) CVE-2009-3632 (SQL injection vulnerability in the traditional frontend editing featur ...) {DSA-1926-1} - typo3-src 4.2.10-1 (medium; bug #552020) CVE-2009-3631 (The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1 ...) {DSA-1926-1} - typo3-src 4.2.10-1 (medium; bug #552020) CVE-2009-3630 (The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1 ...) {DSA-1926-1} - typo3-src 4.2.10-1 (medium; bug #552020) CVE-2009-3629 (Multiple cross-site scripting (XSS) vulnerabilities in the Backend sub ...) {DSA-1926-1} - typo3-src 4.2.10-1 (medium; bug #552020) CVE-2009-3628 (The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1 ...) {DSA-1926-1} - typo3-src 4.2.10-1 (medium; bug #552020) CVE-2009-3627 (The decode_entities function in util.c in HTML-Parser before 3.63 allo ...) {DSA-1923-1} - libhtml-parser-perl 3.64-1 (bug #552531) NOTE: http://secunia.com/advisories/37155/ CVE-2009-3626 (Perl 5.10.1 allows context-dependent attackers to cause a denial of se ...) - perl 5.10.1-6 (bug #552291) [lenny] - perl (Vulnerable code not present) [etch] - perl (Vulnerable code not present) CVE-2009-3625 (Directory traversal vulnerability in www/index.php in Sahana 0.6.2.2 a ...) - sahana (bug #497414) CVE-2009-3624 (The get_instantiation_keyring function in security/keys/keyctl.c in th ...) - linux-2.6 2.6.31-2 (low) [etch] - linux-2.6 (vulnerable code introduced in 2.6.29) [lenny] - linux-2.6 (vulnerable code introduced in 2.6.29) - linux-2.6.24 (vulnerable code introduced in 2.6.29) NOTE: fixed upstream in 2.6.32-rc5 CVE-2009-3623 (The lookup_cb_cred function in fs/nfsd/nfs4callback.c in the nfsd4 sub ...) - linux-2.6 2.6.31-1 (medium) [etch] - linux-2.6 (vulnerable code introduced in 2.6.31) [lenny] - linux-2.6 (vulnerable code introduced in 2.6.31) - linux-2.6.24 (vulnerable code introduced in 2.6.31) CVE-2009-3622 (Algorithmic complexity vulnerability in wp-trackback.php in WordPress ...) - wordpress 2.8.5-1 [lenny] - wordpress 2.5.1-11+lenny3 [etch] - wordpress 2.0.10-1etch6 NOTE: http://seclists.org/fulldisclosure/2009/Oct/263 CVE-2009-3621 (net/unix/af_unix.c in the Linux kernel 2.6.31.4 and earlier allows loc ...) {DSA-1929-1 DSA-1928-1 DSA-1927-1} - linux-2.6 2.6.31-2 (low) - linux-2.6.24 (low) CVE-2009-3620 (The ATI Rage 128 (aka r128) driver in the Linux kernel before 2.6.31-g ...) {DSA-1928-1 DSA-1927-1} - linux-2.6 2.6.32-1 (medium) - linux-2.6.24 (medium) NOTE: https://git.kernel.org/linus/7dc482dfeeeefcfd000d4271c4626937406756d7 CVE-2009-3619 (Unspecified vulnerability in ViewVC 1.0 before 1.0.9 and 1.1 before 1. ...) - viewvc 1.0.9-1 (low; bug #545779; bug #560903) CVE-2009-3618 (Cross-site scripting (XSS) vulnerability in viewvc.py in ViewVC 1.0 be ...) - viewvc 1.0.9-1 (low; bug #545779; bug #560903) CVE-2009-3617 (Format string vulnerability in the AbstractCommand::onAbort function i ...) - aria2 1.6.2-1 (low) [lenny] - aria2 (Vulnerable code not present) [etch] - aria2 (Vulnerable code not present) CVE-2009-3616 (Multiple use-after-free vulnerabilities in vnc.c in the VNC server in ...) - qemu 0.11.0-1 (medium; bug #553589) [lenny] - qemu (Vulnerable code not present) [etch] - qemu (Vulnerable code not present) - kvm (medium; bug #553590) [lenny] - kvm (Vulnerable code not present) CVE-2009-3615 (The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adiu ...) {DSA-1932-1} - pidgin 2.6.3-1 NOTE: http://pidgin.im/news/security/?id=41 CVE-2009-3614 (liboping 1.3.2 allows users reading arbitrary files upon the local sys ...) - liboping 1.3.3-1 (low; bug #548684) [lenny] - liboping (doesn't have -f option yet) [etch] - liboping (doesn't have -f option yet) CVE-2009-3613 (The swiotlb functionality in the r8169 driver in drivers/net/r8169.c i ...) {DSA-1928-1 DSA-1915-1} - linux-2.6 2.6.29-1 (medium) - linux-2.6.24 NOTE: http://www.openwall.com/lists/oss-security/2009/10/15/4 CVE-2009-3612 (The tcf_fill_node function in net/sched/cls_api.c in the netlink subsy ...) {DSA-1929-1 DSA-1928-1 DSA-1927-1} - linux-2.6 2.6.31-2 (low) - linux-2.6.24 (low) CVE-2009-3611 (common/snapshots.py in Back In Time (aka backintime) 0.9.26 changes ce ...) - backintime 0.9.26-3 (bug #543785) CVE-2009-3609 (Integer overflow in the ImageStream::ImageStream function in Stream.cc ...) {DSA-2050-1 DSA-2028-1 DSA-1941-1} - xpdf 3.02-2 (medium; bug #551287) - poppler 0.12.2-1 (medium; bug #551289) - kdegraphics 4:4.0 (medium; bug #551290) - swftools 0.9.2+ds1-2 CVE-2009-3608 (Integer overflow in the ObjectStream::ObjectStream function in XRef.cc ...) {DSA-2050-1 DSA-2028-1 DSA-1941-1} - xpdf 3.02-2 (medium; bug #551287) - poppler 0.12.2-1 (medium; bug #551289) - kdegraphics 4:4.0 (medium; bug #551290) - swftools 0.9.2+ds1-2 CVE-2009-3607 (Integer overflow in the create_surface_from_thumbnail_data function in ...) {DSA-1941-1} - poppler 0.12.2-1 (medium; bug #551289) CVE-2009-3606 (Integer overflow in the PSOutputDev::doImageL1Sep function in Xpdf bef ...) {DSA-2050-1 DSA-2028-1 DSA-1941-1} - xpdf 3.02-2 (medium; bug #551287) - poppler 0.12.2-1 (medium; bug #551289) - kdegraphics 4:4.0 (medium; bug #551290) - swftools 0.9.2+ds1-2 CVE-2009-3605 (Multiple integer overflows in Poppler 0.10.5 and earlier allow remote ...) {DSA-1941-1} - poppler 0.12.2-1 (medium; bug #551289) CVE-2009-3604 (The Splash::drawImage function in Splash.cc in Xpdf 2.x and 3.x before ...) {DSA-2050-1 DSA-2028-1 DSA-1941-1} - xpdf 3.02-2 (medium; bug #551287) - poppler 0.12.2-1 (medium; bug #551289) - kdegraphics 4:4.0 (medium; bug #551290) - swftools 0.9.2+ds1-2 CVE-2009-3603 (Integer overflow in the SplashBitmap::SplashBitmap function in Xpdf 3. ...) {DSA-2050-1 DSA-2028-1 DSA-1941-1} - xpdf 3.02-2 (medium; bug #551287) - poppler 0.12.2-1 (medium; bug #551289) - kdegraphics 4:4.0 (medium; bug #551290) - swftools 0.9.2+ds1-2 CVE-2009-3591 (Dopewars 1.5.12 allows remote attackers to cause a denial of service ( ...) - dopewars 1.5.12-9 (low; bug #550913) [etch] - dopewars (negligible issue) [lenny] - dopewars (neglibigble issue) CVE-2009-3589 (incron 0.5.5 does not initialize supplementary groups when running a p ...) - incron 0.5.7-1 CVE-2009-3588 (Unspecified vulnerability in the arclib component in the Anti-Virus en ...) NOT-FOR-US: eTrust Antivirus CVE-2009-3587 (Unspecified vulnerability in the arclib component in the Anti-Virus en ...) NOT-FOR-US: eTrust Antivirus CVE-2009-3586 (Off-by-one error in src/http.c in CoreHTTP 0.5.3.1 and earlier allows ...) NOT-FOR-US: CoreHTTP CVE-2009-3585 (Session fixation vulnerability in html/Elements/SetupSessionCookie in ...) {DSA-1944-1} - request-tracker3.4 - request-tracker3.6 3.6.9-2 (low) CVE-2009-3584 (SQL-Ledger 2.8.24 does not set the secure flag for the session cookie ...) - sql-ledger (unimportant; bug #562639) NOTE: Only supported behind an authenticated HTTP zone, see README.Debian CVE-2009-3583 (Directory traversal vulnerability in the Preferences menu item in SQL- ...) - sql-ledger (unimportant; bug #562639) NOTE: Only supported behind an authenticated HTTP zone, see README.Debian CVE-2009-3582 (Multiple SQL injection vulnerabilities in the delete subroutine in SQL ...) - sql-ledger (unimportant; bug #562639) NOTE: Only supported behind an authenticated HTTP zone, see README.Debian CVE-2009-3581 (Multiple cross-site scripting (XSS) vulnerabilities in SQL-Ledger 2.8. ...) - sql-ledger (unimportant; bug #562639) NOTE: Only supported behind an authenticated HTTP zone, see README.Debian CVE-2009-3580 (Cross-site request forgery (CSRF) vulnerability in am.pl in SQL-Ledger ...) - sql-ledger (unimportant; bug #562639) NOTE: Only supported behind an authenticated HTTP zone, see README.Debian CVE-2009-3578 (Autodesk Maya 8.0, 8.5, 2008, 2009, and 2010 and Alias Wavefront Maya ...) NOT-FOR-US: Autodesk Maya CVE-2009-3577 (Autodesk 3D Studio Max (3DSMax) 6 through 9 and 2008 through 2010 allo ...) NOT-FOR-US: Autodesk CVE-2009-3576 (Autodesk Softimage 7.x and Softimage XSI 6.x allow remote attackers to ...) NOT-FOR-US: Autodesk Softimage CVE-2009-3575 (Buffer overflow in DHTRoutingTableDeserializer.cc in aria2 0.15.3, 1.2 ...) {DSA-1957-1} - aria2 1.2.0-1 (low; bug #551070) [etch] - aria2 (Vulnerable code not present) CVE-2009-3571 (Unspecified vulnerability in OpenOffice.org (OOo) has unknown impact a ...) NOT-FOR-US: Unidentified exploit for OpenOffice, hasn't materialised in any form CVE-2009-3570 (Unspecified vulnerability in OpenOffice.org (OOo) has unspecified impa ...) NOT-FOR-US: Unidentified exploit for OpenOffice, hasn't materialised in any form CVE-2009-3569 (Stack-based buffer overflow in OpenOffice.org (OOo) allows remote atta ...) NOT-FOR-US: Unidentified exploit for OpenOffice, hasn't materialised in any form CVE-2009-3568 (Comment RSS 5.x before 5.x-2.2 and 6.x before 6.x-2.2, a module for Dr ...) NOT-FOR-US: module for Drupal CVE-2009-3692 (Unspecified vulnerability in the VBoxNetAdpCtl configuration tool in S ...) - virtualbox-ose 3.0.8-dfsg-1 [lenny] - virtualbox-ose (vulnerable code not present) CVE-2009-3602 (Unbound before 1.3.4 does not properly verify signatures for NSEC3 rec ...) {DSA-1963-1} - unbound 1.3.4-1 (low) NOTE: http://unbound.net/pipermail/unbound-users/2009-October/000852.html CVE-2009-3601 (Cross-site scripting (XSS) vulnerability in demo_page.php in Scriptsez ...) NOT-FOR-US: Scriptsez Ultimate Poll CVE-2009-3600 (HUBScript 1.0 allows remote attackers to obtain configuration informat ...) NOT-FOR-US: HUBScript CVE-2009-3599 (Cross-site scripting (XSS) vulnerability in single_winner1.php in HUBS ...) NOT-FOR-US: HUBScript CVE-2009-3598 (Cross-site scripting (XSS) vulnerability in survey_result.php in eCard ...) NOT-FOR-US: eCardMAX FormXP CVE-2009-3597 (Digitaldesign CMS 0.1 stores sensitive information under the web root ...) NOT-FOR-US: Digitaldesign CMS CVE-2009-3596 (JoxTechnology Ajox Poll does not properly restrict access to admin/man ...) NOT-FOR-US: JoxTechnology Ajox Poll CVE-2009-3595 (SQL injection vulnerability in results.php in VS PANEL 7.5.5 allows re ...) NOT-FOR-US: VS PANEL CVE-2009-3594 (Cross-site scripting (XSS) vulnerability in bpost.php in BLOB Blog Sys ...) NOT-FOR-US: BLOB Blog System CVE-2009-3593 (Multiple cross-site scripting (XSS) vulnerabilities in Freelancers 1.0 ...) NOT-FOR-US: Freelancers CVE-2009-3592 (Cross-site scripting (XSS) vulnerability in customer/home.php in Quali ...) NOT-FOR-US: Qualiteam X-Cart CVE-2009-3590 (SQL injection vulnerability in showcat.php in VS PANEL 7.3.6 allows re ...) NOT-FOR-US: VS PANEL CVE-2009-3574 (Tuniac 090517c allows remote attackers to cause a denial of service (c ...) NOT-FOR-US: Tuniac CVE-2009-3573 (Multiple insecure method vulnerabilities in the PDIControl.PDI.1 Activ ...) NOT-FOR-US: ActiveX CVE-2009-3572 (OpenBSD 4.4, 4.5, and 4.6, when running on an i386 kernel, does not pr ...) NOT-FOR-US: OpenBSD CVE-2009-3567 (Cross-site scripting (XSS) vulnerability in modules/tickets/functions_ ...) NOT-FOR-US: Kayako SupportSuite and eSupport CVE-2009-3579 (Cross-site scripting (XSS) vulnerability in the CookieDump.java sample ...) - jetty (unimportant) NOTE: http://www.coresecurity.com/content/jetty-persistent-xss NOTE: only an example application CVE-2009-3566 (McAfee IntruShield Network Security Manager (NSM) before 5.1.11.8.1 do ...) NOT-FOR-US: McAfee IntruShield Network Security Manager CVE-2009-3565 (Multiple cross-site scripting (XSS) vulnerabilities in intruvert/jsp/m ...) NOT-FOR-US: McAfee IntruShield Network Security Manager CVE-2009-3564 (puppetmasterd in puppet 0.24.6 does not reset supplementary groups whe ...) - puppet 0.25.1-3 (low; bug #551073) [etch] - puppet (minor issue) [lenny] - puppet (minor issue) CVE-2009-3563 (ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote ...) {DSA-1948-1} - ntp 1:4.2.4p8+dfsg-1 (medium; bug #560074) CVE-2009-3562 (Cross-site scripting (XSS) vulnerability in Xerver HTTP Server 4.32 al ...) NOT-FOR-US: Xerver HTTP Server CVE-2009-3561 (Directory traversal vulnerability in Xerver HTTP Server 4.32 allows re ...) NOT-FOR-US: Xerver HTTP Server CVE-2009-3560 (The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, a ...) {DSA-1977-1 DSA-1953-2 DSA-1953-1} - expat 2.0.1-6 (low; bug #560901) - mcabber 0.10.0-1 (low; bug #601053) [lenny] - mcabber (Minor issue) - w3c-libwww [etch] - w3c-libwww (Minor issue, only used by fringe apps) - python-xml (low; bug #560951) [etch] - python-xml (minor issue) [lenny] - python-xml 0.8.4-10.1+lenny1 - python2.5 2.5.4-3.1 (low; bug #560912) - python2.4 2.4.4-3+etch3 (low; bug #560913) - python2.6 2.6.4-4 - python-4suite 1.0.2-7.2 (low; bug #560914) [etch] - python-4suite (Minor issue) [lenny] - python-4suite (Minor issue) - wxwindows2.4 (unimportant; bug #560915) - wxwidgets2.6 2.6.3.2.2-4 (unimportant; bug #560916) - wxwidgets2.8 2.8.10.1-2 (unimportant; bug #560917) - audacity 1.3.2-1 (unimportant; bug #560919) - matanza (unimportant; bug #560920) - tdom 0.8.3~20080525-1 (low; bug #560921) [etch] - tdom (minor issue) - udunits 2.1.8-4 (unimportant; bug #560922) - ayttm 0.6.1-2 (low; bug #560924) [etch] - ayttm (minor issue) [lenny] - ayttm (minor issue) - cableswig (unimportant; bug #560925) - cadaver (unimportant; bug #560926) - cmake 2.6.0-6 (unimportant; bug #560927) - coin3 (unimportant; bug #560928) - gdcm 2.0.14-2 (low; bug #560929) - ghostscript 8.71~dfsg-2 (unimportant; bug #560930) - gs-gpl (unimportant) - grmonitor (unimportant; bug #560931) - iceape (unimportant; bug #560932) - insighttoolkit 3.16.0-1 (unimportant; bug #560933) - paraview 3.6.2-1 (unimportant; bug #560935) - poco 1.3.6p1-1 (unimportant; bug #560936) - simgear 2.10.0-1 (unimportant; bug #560937) - smart 1.2-5.1 (low; bug #560953) [etch] - smart (minor issue) [lenny] - smart (minor issue) - tla 1.3.5+dfsg-15 (unimportant; bug #560940) [lenny] - tla 1.3.5+dfsg-14+lenny1 - xmlrpc-c 1.06.27-1.1 (low; bug #560942) [etch] - xmlrpc-c (minor issue) [lenny] - xmlrpc-c (minor issue) - iceweasel (uses xulrunner; bug #560943) - kompozer 1:0.8~b1-2 (low; bug #560944) - vxl 1.13.0-2 (low; bug #560945) - xulrunner (unimportant; bug #560946) - texlive-bin (Files are not compiled in, see #560948) - vnc4 (Not affected, see bug #560949) - xotcl (Vulnerable code not present in embedded Expat copy) CVE-2009-3559 - php5 (unimportant) NOTE: safe_mode regression CVE-2009-3558 (The posix_mkfifo function in ext/posix/posix.c in PHP before 5.2.12 an ...) - php5 5.2.12.dfsg.1-1 (unimportant) NOTE: open_basedir bypass CVE-2009-3557 (The tempnam function in ext/standard/file.c in PHP before 5.2.12 and 5 ...) - php5 5.2.12.dfsg.1-1 (unimportant) NOTE: safe_mode bypass CVE-2009-3556 (A certain Red Hat configuration step for the qla2xxx driver in the Lin ...) - linux-2.6 (redhat-specific configuration issue) - linux-2.6.24 (redhat-specific configuration issue) CVE-2009-3555 (The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as us ...) {DSA-3253-1 DSA-2626-1 DSA-2141-2 DSA-2141-1 DSA-1934-1 DLA-400-1} - apache2 2.2.14-2 - openssl 0.9.8k-6 - nss 3.12.6-1 - sun-java5 [lenny] - sun-java5 (Minor issue) - sun-java6 6.19-1 [lenny] - sun-java6 6-22-0lenny NOTE: Update 22 for Sun Java implemented the new RFC extension - openjdk-6 6b18-1.8.2-1 - nginx 0.7.64-1 - matrixssl 1.8.8-1 [lenny] - matrixssl (Fringe SSL implementation, can be fixed in spu) - tomcat-native 1.1.18-1 [lenny] - tomcat-native (Minor issue) - gnutls26 (safely handles renegotiation; however support for RFC 5746 would be useful) - polarssl 1.2.0-1 (bug #704946) - classpath - zorp 3.9.2-1 [squeeze] - zorp (Minor issue) [lenny] - zorp (Minor issue) - lighttpd 1.4.30-1 - pound 2.6-6.1 (bug #765649) [jessie] - pound (Minor issue) NOTE: the anti_beast.patch in pound 2.6-2 has some provision for this issue too but it seems to be broken, cf #765649 NOTE: for any of the currently unfixed implementations, you can solve the problem by disabling renegotiation NOTE: the following implement RFC 5746: NOTE: - openssl 0.9.8m-1 NOTE: - apache 2.2.15-1 NOTE: - nss 3.12.6-1 NOTE: - sun-java6 6.19-1 CVE-2009-3554 (Twiddle in Red Hat JBoss Enterprise Application Platform (aka JBoss EA ...) - jbossas4 4.2.2.GA-1 (bug #562000) [lenny] - jbossas4 (Contrib not supported) CVE-2009-3553 (Use-after-free vulnerability in the abstract file-descriptor handling ...) {DSA-2176-1} - cups 1.4.2-4 (low; bug #557740) [lenny] - cups (Minor issue) - cupsys (vulnerable code introduced in 1.3.x) NOTE: http://www.cups.org/newsgroups.php/s1+gcups.bugs?s1+gcups.bugs+v4+T+Q3200 CVE-2009-3552 (In RHEV-M VDC 2.2.0, it was found that the SSL certificate was not ver ...) NOT-FOR-US: Red Hat Enterprise Virtualization Manager CVE-2009-3551 (Off-by-one error in the dissect_negprot_response function in packet-sm ...) - wireshark 1.2.3-1 (low; bug #553583) [lenny] - wireshark (Only affects Wireshark 1.2.x) [etch] - wireshark (Only affects Wireshark 1.2.x) CVE-2009-3550 (The DCERPC/NT dissector in Wireshark 0.10.10 through 1.0.9 and 1.2.0 t ...) {DSA-1942-1} - wireshark 1.2.3-1 (low; bug #553583) CVE-2009-3549 (packet-paltalk.c in the Paltalk dissector in Wireshark 1.2.0 through 1 ...) - wireshark 1.2.3-1 (low; bug #553583) [lenny] - wireshark (Only affects Wireshark 1.2.x) [etch] - wireshark (Only affects Wireshark 1.2.x) CVE-2009-3548 (The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 th ...) - tomcat6 (Windows only) CVE-2009-3547 (Multiple race conditions in fs/pipe.c in the Linux kernel before 2.6.3 ...) {DSA-1929-1 DSA-1928-1 DSA-1927-1} - linux-2.6 2.6.31-2 (high) - linux-2.6.24 (high) CVE-2009-3546 (The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5. ...) {DSA-1936-1} - libwmf (unimportant) - racket 5.0.2-1 (unimportant; bug #601525) NOTE: Only present in one of the sample pl-scheme packages (plot) - libgd2 2.0.36~rc1~dfsg-3.1 (medium; bug #552534) - php5 (the php packages use the system libgd2) NOTE: http://svn.php.net/viewvc?view=revision&revision=289557 NOTE: <20091015173822.084de220@redhat.com> in OSS-sec CVE-2009-3545 (DataWizard Technologies FtpXQ FTP Server 3.0 allows remote authenticat ...) NOT-FOR-US: DataWizard Technologies FtpXQ FTP Server CVE-2009-3544 (Xerver HTTP Server 4.32 allows remote attackers to obtain the source c ...) NOT-FOR-US: Xerver HTTP Server CVE-2009-3527 (Race condition in the Pipe (IPC) close function in FreeBSD 6.3 and 6.4 ...) - kfreebsd-6 [lenny] - kfreebsd-6 (KFreebsd not supported) CVE-2009-3526 RESERVED CVE-2011-1072 (The installer in PEAR before 1.9.2 allows local users to overwrite arb ...) {DSA-2408-1} - php5 5.3.6-1 (low; bug #546164) CVE-2009-XXXX [kfreebsd: Devfs / VFS NULL pointer race condition] - kfreebsd-6 [lenny] - kfreebsd-6 (KFreebsd not supported) - kfreebsd-7 7.2-9 (bug #549871) [lenny] - kfreebsd-7 (KFreebsd not supported) CVE-2009-3543 (SQL injection vulnerability in _phenotype/admin/login.php in Phenotype ...) NOT-FOR-US: Phenotype CMS CVE-2009-3542 (Directory traversal vulnerability in ls.php in LittleSite (aka LS or L ...) NOT-FOR-US: LittleSite CVE-2009-3541 (PHP remote file inclusion vulnerability in CoupleDB.php in PHPGenealog ...) NOT-FOR-US: PHPGenealogy CVE-2009-3540 (Cross-site scripting (XSS) vulnerability in listads.php in YourFreeWor ...) NOT-FOR-US: YourFreeWorld Ultra Classifieds Pro CVE-2009-3539 (Multiple cross-site scripting (XSS) vulnerabilities in YourFreeWorld U ...) NOT-FOR-US: YourFreeWorld Ultra Classifieds Pro CVE-2009-3538 (Directory traversal vulnerability in thumb.php in Clear Content 1.1 al ...) NOT-FOR-US: Clear Content CVE-2009-3537 (Multiple stack-based buffer overflows in EpicDJSoftware EpicDJ 1.3.9.1 ...) NOT-FOR-US: EpicDJSoftware EpicDJ CVE-2009-3536 (Multiple stack-based buffer overflows in EpicDJSoftware EpicVJ 1.2.8.0 ...) NOT-FOR-US: EpicDJSoftware EpicVJ CVE-2009-3535 (Directory traversal vulnerability in image.php in Clear Content 1.1 al ...) NOT-FOR-US: Clear Content CVE-2009-3534 (Directory traversal vulnerability in index.php in LionWiki 3.0.3, when ...) NOT-FOR-US: LionWiki CVE-2009-3533 (SQL injection vulnerability in report.php in Meeting Room Booking Syst ...) NOT-FOR-US: Meeting Room Booking System CVE-2009-3532 (Multiple SQL injection vulnerabilities in login.asp (aka the login scr ...) NOT-FOR-US: LogRover CVE-2009-3531 (SQL injection vulnerability in vnews.php in Universe CMS 1.0.6 allows ...) NOT-FOR-US: Universe CMS CVE-2009-3530 (Cross-site scripting (XSS) vulnerability in storefront.php in RadScrip ...) NOT-FOR-US: RadScripts RadBids Gold CVE-2009-3529 (SQL injection vulnerability in index.php in RadScripts RadBids Gold 4 ...) NOT-FOR-US: RadScripts RadBids Gold CVE-2009-3528 (SQL injection vulnerability in Profile.php in MyMsg 1.0.3 allows remot ...) NOT-FOR-US: MyMsg CVE-2009-3525 (The pyGrub boot loader in Xen 3.0.3, 3.3.0, and Xen-3.3.1 does not sup ...) - xen-3 (unimportant) - xen-unstable (unimportant) NOTE: This is an enhancement, not a security issue. NOTE: A user must have access to a guest hard drive image in order to boot it, NOTE: so he can simply mount the drive and remove the password option. CVE-2009-5041 (overkill has buffer overflow via long player names that can corrupt da ...) - overkill 0.16-14.1 (bug #549310; low) [lenny] - overkill (Minor issue) [etch] - overkill (Minor issue) CVE-2009-3524 (Unspecified vulnerability in ashWsFtr.dll in avast! Home and Professio ...) NOT-FOR-US: avast! Home and Professional CVE-2009-3523 (aavmKer4.sys in avast! Home and Professional for Windows before 4.8.13 ...) NOT-FOR-US: avast! Home and Professional CVE-2009-3522 (Stack-based buffer overflow in aswMon2.sys in avast! Home and Professi ...) NOT-FOR-US: avast! Home and Professional CVE-2009-3521 (Multiple cross-site scripting (XSS) vulnerabilities in the Visualizati ...) NOT-FOR-US: WebSphere CVE-2009-3520 (Cross-site request forgery (CSRF) vulnerability in the Your_account mo ...) NOT-FOR-US: CMSphp CVE-2009-3519 (Multiple memory leaks in the IP module in the kernel in Sun Solaris 8 ...) NOT-FOR-US: Sun Solaris CVE-2009-3518 (Argument injection vulnerability in the iim: URI handler in IBMIM.exe ...) NOT-FOR-US: IBM Installation Manager CVE-2009-3517 (nfs.ext in IBM AIX 5.3.x through 5.3.9 and 6.1.0 through 6.1.2 does no ...) NOT-FOR-US: IBM AIX CVE-2009-3516 (gssd in IBM AIX 5.3.x through 5.3.9 and 6.1.0 through 6.1.2 does not p ...) NOT-FOR-US: IBM AIX CVE-2009-3515 (Directory traversal vulnerability in dnet_admin/index.php in d.net CMS ...) NOT-FOR-US: d.net CMS CVE-2009-3514 (Multiple SQL injection vulnerabilities in d.net CMS allow remote attac ...) NOT-FOR-US: d.net CMS CVE-2009-3513 (Multiple cross-site scripting (XSS) vulnerabilities in Pilot Group (PG ...) NOT-FOR-US: Pilot Group (PG) eTraining CVE-2009-3512 (Multiple cross-site scripting (XSS) vulnerabilities in MyWeight 1.0 al ...) NOT-FOR-US: MyWeight CVE-2009-3511 (Multiple PHP remote file inclusion vulnerabilities in justVisual 1.2 a ...) NOT-FOR-US: justVisual CVE-2009-3510 (SQL injection vulnerability in viewListing.php in linkSpheric 0.74 Bet ...) NOT-FOR-US: linkSpheric CVE-2009-3509 (Cross-site scripting (XSS) vulnerability in admin/admin_index.php in C ...) NOT-FOR-US: CJ Dynamic Poll PRO CVE-2009-3508 (Multiple directory traversal vulnerabilities in MUJE CMS 1.0.4.34 allo ...) NOT-FOR-US: MUJE CMS CVE-2009-3507 (Directory traversal vulnerability in modules.php in CMSphp 0.21 allows ...) NOT-FOR-US: CMSphp CVE-2009-3506 (Multiple cross-site scripting (XSS) vulnerabilities in CMSphp 0.21 all ...) NOT-FOR-US: CMSphp CVE-2009-3505 (SQL injection vulnerability in view_news.php in Vastal I-Tech MMORPG Z ...) NOT-FOR-US: Vastal I-Tech MMORPG Zone CVE-2009-3504 (SQL injection vulnerability in offers_buy.php in Alibaba Clone 3.0 all ...) NOT-FOR-US: Alibaba Clone CVE-2009-3503 (Multiple SQL injection vulnerabilities in search.aspx in BPowerHouse B ...) NOT-FOR-US: BPowerHouse BPHolidayLettings CVE-2009-3502 (SQL injection vulnerability in music.php in BPowerHouse BPMusic 1.0 al ...) NOT-FOR-US: BPowerHouse BPMusic CVE-2009-3501 (SQL injection vulnerability in students.php in BPowerHouse BPStudents ...) NOT-FOR-US: BPowerHouse BPStudents CVE-2009-3500 (Multiple SQL injection vulnerabilities in BPowerHouse BPGames 1.0 allo ...) NOT-FOR-US: BPowerHouse BPGames CVE-2009-3499 (SQL injection vulnerability in employee.aspx in BPowerHouse BPLawyerCa ...) NOT-FOR-US: BPowerHouse BPLawyerCaseDocuments CVE-2009-3498 (SQL injection vulnerability in php/update_article_hits.php in HBcms 1. ...) NOT-FOR-US: HBcms CVE-2009-3497 (SQL injection vulnerability in view_listing.php in Vastal I-Tech Agent ...) NOT-FOR-US: Vastal I-Tech Agent CVE-2009-3496 (Cross-site scripting (XSS) vulnerability in view_mag.php in Vastal I-T ...) NOT-FOR-US: Vastal I-Tech DVD Zone CVE-2009-3495 (SQL injection vulnerability in view_mag.php in Vastal I-Tech DVD Zone ...) NOT-FOR-US: Vastal I-Tech DVD Zone CVE-2009-3494 (Multiple SQL injection vulnerabilities in index.php in T-HTB Manager 0 ...) NOT-FOR-US: T-HTB Manager CVE-2009-3493 (Multiple cross-site scripting (XSS) vulnerabilities in Zenas PaoBachec ...) NOT-FOR-US: Zenas PaoBacheca Guestbook CVE-2009-3492 (Multiple PHP remote file inclusion vulnerabilities in Loggix Project 9 ...) NOT-FOR-US: Loggix Project CVE-2009-3491 (SQL injection vulnerability in the Kinfusion SportFusion (com_sportfus ...) NOT-FOR-US: Kinfusion SportFusion CVE-2009-3490 (GNU Wget before 1.12 does not properly handle a '\0' character in a do ...) {DSA-1904-1} - wget 1.12-1 (medium; bug #549293) CVE-2009-3489 (Adobe Photoshop Elements 8.0 installs the Adobe Active File Monitor V8 ...) NOT-FOR-US: Adobe Photoshop Elements CVE-2009-3488 (Cross-site scripting (XSS) vulnerability in the Bibliography (aka Bibl ...) NOT-FOR-US: Drupal Bibliography Module CVE-2009-3487 (Multiple cross-site scripting (XSS) vulnerabilities in the J-Web inter ...) NOT-FOR-US: J-Web interface in Juniper JUNOS CVE-2009-3486 (Multiple cross-site scripting (XSS) vulnerabilities in the J-Web inter ...) NOT-FOR-US: J-Web interface in Juniper JUNOS CVE-2009-3485 (Cross-site scripting (XSS) vulnerability in the J-Web interface in Jun ...) NOT-FOR-US: J-Web interface in Juniper JUNOS CVE-2009-3484 (Stack-based buffer overflow in Core FTP 2.1 build 1612 allows user-ass ...) NOT-FOR-US: Core FTP CVE-2009-3483 (Heap-based buffer overflow in the Create New Site feature in GlobalSCA ...) NOT-FOR-US: CuteFTP CVE-2009-3482 (TrustPort Antivirus before 2.8.0.2266 and PC Security before 2.0.0.129 ...) NOT-FOR-US: TrustPort Antivirus and PC Security CVE-2009-3481 (A certain interface in the iCRM Basic (com_icrmbasic) component 1.4.2. ...) NOT-FOR-US: Joomla component CVE-2009-3480 (SQL injection vulnerability in the iCRM Basic (com_icrmbasic) componen ...) NOT-FOR-US: Joomla component CVE-2009-3479 (Cross-site scripting (XSS) vulnerability in Bibliography (Biblio) 5.x ...) NOT-FOR-US: Bibliography CVE-2009-3478 (Argument injection vulnerability in (1) src/content/js/connection/sftp ...) NOT-FOR-US: Bibliography CVE-2009-3477 (The Blackberry Browser in RIM BlackBerry Device Software 4.5.0 before ...) NOT-FOR-US: Blackberry Browser in RIM BlackBerry Device Software CVE-2009-3476 (Buffer overflow in OpenSAML before 1.1.3 as used in Internet2 Shibbole ...) {DSA-1895-2 DSA-1896-1 DSA-1895-1} - xmltooling 1.2.2-1 - opensaml 3.0.0-2 - opensaml2 2.2.1-1 - shibboleth-sp 3.0.2+dfsg1-2 - shibboleth-sp2 2.2.1+dfsg-1 CVE-2009-3475 (Internet2 Shibboleth Service Provider software 1.3.x before 1.3.3 and ...) {DSA-1895-2 DSA-1896-1 DSA-1895-1} - xmltooling 1.2.2-1 - opensaml 3.0.0-2 - opensaml2 2.2.1-1 - shibboleth-sp 3.0.2+dfsg1-2 - shibboleth-sp2 2.2.1+dfsg-1 CVE-2009-3474 (OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by ...) {DSA-1895-2 DSA-1896-1 DSA-1895-1} - xmltooling 1.2.2-1 - opensaml 3.0.0-2 - opensaml2 2.2.1-1 - shibboleth-sp 3.0.2+dfsg1-2 - shibboleth-sp2 2.2.1+dfsg-1 [lenny] - opensaml 1.1.1-2+lenny1 [lenny] - opensaml2 2.0-2+lenny1 CVE-2009-3473 (IBM DB2 9.1 before FP8 does not require the SETSESSIONUSER privilege f ...) NOT-FOR-US: IBM DB2 CVE-2009-3472 (IBM DB2 8 before FP18, 9.1 before FP8, and 9.5 before FP4 allows remot ...) NOT-FOR-US: IBM DB2 CVE-2009-3471 (IBM DB2 8 before FP18, 9.1 before FP8, 9.5 before FP4, and 9.7 before ...) NOT-FOR-US: IBM DB2 CVE-2009-3470 (IBM Informix Dynamic Server (IDS) 10.00 before 10.00.xC11, 11.10 befor ...) NOT-FOR-US: IBM Informix Dynamic Server (IDS) CVE-2009-3469 (Cross-site scripting (XSS) vulnerability in profiles/html/simpleSearch ...) NOT-FOR-US: IBM Lotus Connections CVE-2009-3468 (Multiple unspecified vulnerabilities in Common Desktop Environment (CD ...) NOT-FOR-US: Common Desktop Environment (CDE) in Sun Solaris CVE-2009-3467 (Cross-site scripting (XSS) vulnerability in an unspecified method in A ...) NOT-FOR-US: Adobe ColdFusion CVE-2009-3466 (Adobe Shockwave Player before 11.5.2.602 allows remote attackers to ex ...) NOT-FOR-US: Adobe Shockwave Player CVE-2009-3465 (Adobe Shockwave Player before 11.5.2.602 allows remote attackers to ex ...) NOT-FOR-US: Adobe Shockwave Player CVE-2009-3464 (Adobe Shockwave Player before 11.5.2.602 allows remote attackers to ex ...) NOT-FOR-US: Adobe Shockwave Player CVE-2009-3463 (Array index error in Adobe Shockwave Player before 11.5.2.602 allows r ...) NOT-FOR-US: Adobe Shockwave Player CVE-2009-3462 (Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x b ...) NOT-FOR-US: Adobe CVE-2009-3461 (Unspecified vulnerability in Adobe Acrobat 9.x before 9.2 allows attac ...) NOT-FOR-US: Adobe CVE-2009-3460 (Adobe Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x throu ...) NOT-FOR-US: Adobe CVE-2009-3459 (Heap-based buffer overflow in Adobe Reader and Acrobat 7.x before 7.1. ...) NOT-FOR-US: Adobe Acrobat CVE-2009-3458 (Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x b ...) NOT-FOR-US: Adobe CVE-2009-3457 (Cisco ACE XML Gateway (AXG) and ACE Web Application Firewall (WAF) bef ...) NOT-FOR-US: Cisco ACE XML Gateway (AXG) and ACE Web Application Firewall (WAF) CVE-2009-3456 (Google Chrome, possibly 3.0.195.21 and earlier, does not properly hand ...) - chromium-browser - webkit NOTE: This was caused by a bug in NSS (CVE-2009-2408). chromium-browser uses libnss3 CVE-2009-3455 (Apple Safari, possibly before 4.0.3, on Mac OS X does not properly han ...) NOT-FOR-US: Apple Safari CVE-2009-3454 REJECTED CVE-2009-3453 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Lotus Quick ...) NOT-FOR-US: IBM Lotus Quickr CVE-2009-3452 (WebCoreModule.ashx in RADactive I-Load before 2008.2.5.0 allows remote ...) NOT-FOR-US: RADactive I-Load CVE-2009-3451 (Directory traversal vulnerability in WebCoreModule.ashx in RADactive I ...) NOT-FOR-US: RADactive CVE-2009-3450 (Multiple cross-site scripting (XSS) vulnerabilities in WebCoreModule.a ...) NOT-FOR-US: RADactive I-Load CVE-2009-3449 (MP3 Collector 2.3 allows remote attackers to cause a denial of service ...) NOT-FOR-US: MP3 Collector CVE-2009-3448 (npvmgr.exe in BakBone NetVault Backup 8.22 Build 29 allows remote atta ...) NOT-FOR-US: BakBone NetVault Backup CVE-2009-3447 (Unrestricted file upload vulnerability in RADactive I-Load before 2008 ...) NOT-FOR-US: RADactive I-Load CVE-2009-XXXX [xen-tools: world readable disk image files] - xen-tools 4.2~beta1-1 (low; bug #548909) [lenny] - xen-tools 3.9-4+lenny1 CVE-2009-3446 (SQL injection vulnerability in the MyRemote Video Gallery (com_mytube) ...) NOT-FOR-US: com_mytube component for Joomla! CVE-2009-3445 (Unspecified vulnerability in Code-Crafters Ability Mail Server before ...) NOT-FOR-US: Ability Mail Server CVE-2009-3444 (Cross-site scripting (XSS) vulnerability in email.php in e107 0.7.16 a ...) NOT-FOR-US: e107 CVE-2009-3443 (SQL injection vulnerability in the Fastball (com_fastball) component 1 ...) NOT-FOR-US: com_fastball component for Joomla! CVE-2009-3442 (The Meta tags (aka Nodewords) module before 6.x-1.1 for Drupal does no ...) NOT-FOR-US: Nodewords module for Drupal CVE-2009-3441 (Open Source Security Information Management (OSSIM) before 2.1.2 allow ...) NOT-FOR-US: Open Source Security Information Management CVE-2009-3440 (Cross-site scripting (XSS) vulnerability in Open Source Security Infor ...) NOT-FOR-US: Open Source Security Information Management CVE-2009-3439 (Multiple SQL injection vulnerabilities in Open Source Security Informa ...) NOT-FOR-US: Open Source Security Information Management CVE-2009-3438 (SQL injection vulnerability in the JoomlaFacebook (com_facebook) compo ...) NOT-FOR-US: com_facebook component for Joomla! CVE-2009-3437 (Cross-site scripting (XSS) vulnerability in the live preview feature i ...) NOT-FOR-US: Markdown Preview module for Drupal CVE-2009-3436 (Multiple SQL injection vulnerabilities in forum.asp in MaxWebPortal al ...) NOT-FOR-US: MaxWebPortal CVE-2009-3435 (Cross-site scripting (XSS) vulnerability in the variable editor in the ...) NOT-FOR-US: Devel module for Drupal CVE-2009-3434 (SQL injection vulnerability in the Tupinambis (com_tupinambis) compone ...) NOT-FOR-US: com_tupinambis for Mambo and Joomla! CVE-2009-3433 (Unspecified vulnerability in clsetup in the configuration utility in S ...) NOT-FOR-US: Sun Solaris Cluster CVE-2009-3432 (Unspecified vulnerability in xscreensaver in Sun Solaris 10, and OpenS ...) NOT-FOR-US: Sun OpenSolaris xscreensaver CVE-2009-3431 (Stack consumption vulnerability in Adobe Reader and Acrobat 9.1.3, 9.1 ...) NOT-FOR-US: Adobe Acrobat CVE-2009-3892 (Cross-site scripting (XSS) vulnerability in Best Practical Solutions R ...) - request-tracker3.8 3.8.5-1 (bug #546829) - request-tracker3.6 3.6.9-1 (bug #546778) [etch] - request-tracker3.6 (vulnerable code not present) [lenny] - request-tracker3.6 3.6.7-5+lenny2 NOTE: CVE id requested CVE-2009-3430 (SQL injection vulnerability in login.php in Allomani Mobile 2.5 allows ...) NOT-FOR-US: Allomani Mobile CVE-2009-3429 (Stack-based buffer overflow in Pirate Radio Destiny Media Player 1.61 ...) NOT-FOR-US: Pirate Radio Destiny Media Player CVE-2009-3428 (Stack-based buffer overflow in Easy Music Player 1.0.0.2 allows remote ...) NOT-FOR-US: Easy Music Player CVE-2009-3427 (Cross-site scripting (XSS) vulnerability in Kayako SupportSuite 3.50.0 ...) NOT-FOR-US: Kayako SupportSuite CVE-2009-3426 (PHP remote file inclusion vulnerability in includes/file_manager/speci ...) NOT-FOR-US: MaxCMS CVE-2009-3425 (Directory traversal vulnerability in includes/inc.thcms_admin_dirtree. ...) NOT-FOR-US: MaxCMS CVE-2009-3424 (Multiple PHP remote file inclusion vulnerabilities in MaxCMS 3.11.20b, ...) NOT-FOR-US: MaxCMS CVE-2009-3423 (login.php in Zenas PaoLink 1.0, when register_globals is enabled, allo ...) NOT-FOR-US: Zenas PaoLink CVE-2009-3422 (login.php in Zenas PaoLiber 1.1, when register_globals is enabled, all ...) NOT-FOR-US: Zenas PaoLiber CVE-2009-3421 (login.php in Zenas PaoBacheca Guestbook 2.1, when register_globals is ...) NOT-FOR-US: Zenas PaoBacheca Guestbook CVE-2009-3420 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in th ...) NOT-FOR-US: Miniweb Publisher module CVE-2009-3419 (SQL injection vulnerability in index.php in the Publisher module 2.0 f ...) NOT-FOR-US: Miniweb Publisher module CVE-2009-3418 (Multiple SQL injection vulnerabilities in Plume CMS 1.2.3 allow (1) re ...) NOT-FOR-US: Plume CMS CVE-2009-3417 (SQL injection vulnerability in the IDoBlog (com_idoblog) component 1.1 ...) NOT-FOR-US: IDoBlog component Joomla CVE-2009-3416 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2009-3415 (Unspecified vulnerability in the Oracle OLAP component in Oracle Datab ...) NOT-FOR-US: Oracle Database CVE-2009-3414 (Unspecified vulnerability in the Oracle Spatial component in Oracle Da ...) NOT-FOR-US: Oracle Database CVE-2009-3413 (Unspecified vulnerability in the Oracle Spatial component in Oracle Da ...) NOT-FOR-US: Oracle Database CVE-2009-3412 (Unspecified vulnerability in the Unzip component in Oracle Database 9. ...) NOT-FOR-US: Oracle Database and Oracle Application Server CVE-2009-3411 (Unspecified vulnerability in the Oracle Data Pump component in Oracle ...) NOT-FOR-US: Oracle Database CVE-2009-3410 (Unspecified vulnerability in the RDBMS component in Oracle Database 11 ...) NOT-FOR-US: Oracle Database CVE-2009-3409 (Unspecified vulnerability in the PeopleSoft Enterprise HCM (TAM) compo ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2009-3408 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2009-3407 (Unspecified vulnerability in the Portal component in Oracle Applicatio ...) NOT-FOR-US: Oracle Application Server CVE-2009-3406 (Unspecified vulnerability in the JD Edwards Tools component in Oracle ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2009-3405 (Unspecified vulnerability in the JD Edwards Tools component in Oracle ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2009-3404 (Unspecified vulnerability in the PeopleSoft PeopleTools & Enterpri ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2009-3403 (Unspecified vulnerability in the JRockit component in BEA Product Suit ...) NOT-FOR-US: BEA Product Suite CVE-2009-3402 (Unspecified vulnerability in the Oracle Applications Framework compone ...) NOT-FOR-US: Oracle E-Business Suite CVE-2009-3401 (Unspecified vulnerability in the Oracle Applications Technology Stack ...) NOT-FOR-US: Oracle E-Business Suite CVE-2009-3400 (Unspecified vulnerability in the Oracle Advanced Benefits component in ...) NOT-FOR-US: Oracle E-Business Suite CVE-2009-3399 (Unspecified vulnerability in the WebLogic Server component in BEA Prod ...) NOT-FOR-US: BEA Product Suite CVE-2009-3398 REJECTED CVE-2009-3397 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2009-3396 (Unspecified vulnerability in the WebLogic Server component in BEA Prod ...) NOT-FOR-US: BEA Product Suite CVE-2009-3395 (Unspecified vulnerability in the AutoVue component in Oracle E-Busines ...) NOT-FOR-US: Oracle E-Business Suite CVE-2009-3394 REJECTED CVE-2009-3393 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2009-3392 (Unspecified vulnerability in the Agile Engineering Data Management (ED ...) NOT-FOR-US: Oracle E-Business Suite CVE-2009-4193 (Merkaartor 0.14 allows local users to append data to arbitrary files v ...) - merkaartor 0.14+svnfixes~20090912-2 (low; bug #548546) [lenny] - merkaartor (vulnerable code not present) NOTE: does not run as root so minor issue. CVE-2009-XXXX [SA-CORE-2009-008] - drupal6 6.14-1 (bug #547140) [lenny] - drupal6 6.6-3lenny3 CVE-2009-3391 RESERVED CVE-2009-3390 (Multiple unspecified vulnerabilities in the (1) iscsiadm and (2) iscsi ...) NOT-FOR-US: iscsiadm and iscsitadm programs in Sun Solaris 10 CVE-2009-3389 (Integer overflow in libtheora in Xiph.Org Theora before 1.1, as used i ...) {DSA-2045-1} - libtheora 1.1 (bug #572950) [etch] - libtheora (vulnerable code not present) - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - xulrunner 1.9.1.6-1 [etch] - xulrunner (Mozilla packages from oldstable no longer covered by security support) [lenny] - xulrunner (Video playback capabilities were added in 3.5) CVE-2009-3388 (liboggplay in Mozilla Firefox 3.5.x before 3.5.6 and SeaMonkey before ...) - liboggplay 0.2.1~git20091227-1.1 (bug #575743) - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - xulrunner 1.9.1.6-1 [etch] - xulrunner (Mozilla packages from oldstable no longer covered by security support) [lenny] - xulrunner (Video playback capabilities were added in 3.5) CVE-2009-3387 (Bugzilla 3.3.1 through 3.4.4, 3.5.1, and 3.5.2 does not allow group re ...) - bugzilla 3.4.7.0-1 [lenny] - bugzilla (Only Bugzilla >= 3.3 is affected) CVE-2009-3386 (Template.pm in Bugzilla 3.3.2 through 3.4.3 and 3.5 through 3.5.1 allo ...) - bugzilla 3.4.7.0-1 [lenny] - bugzilla (Only Bugzilla >= 3.3 is affected) CVE-2009-3385 (The mail component in Mozilla SeaMonkey before 1.1.19 does not properl ...) {DSA-1922-1} - xulrunner 1.9.0.15-1 - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0-1 [lenny] - iceape (stub package) CVE-2009-3384 (Multiple unspecified vulnerabilities in WebKit in Apple Safari before ...) - webkit 1.1.17-2 (medium; bug #559759) [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - qt4-x11 4:4.6.2-4 (bug #561760) [lenny] - qt4-x11 (Minor impact, no apps in Lenny which use qtwebkit ) NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against, Lenny is affected [etch] - qt4-x11 (webkit support introduced in version 4.4) - kdelibs (vulnerable code not present) - kde4libs (vulnerable code not present) NOTE: http://trac.webkit.org/changeset/48725 CVE-2009-3383 (Multiple unspecified vulnerabilities in the JavaScript engine in Mozil ...) - xulrunner 1.9.1.4-1 [lenny] - xulrunner (Only affects Firefox 3.5) [etch] - xulrunner (Only affects Firefox 3.5) CVE-2009-3382 (layout/base/nsCSSFrameConstructor.cpp in the browser engine in Mozilla ...) {DSA-1922-1} - xulrunner 1.9.1.4-1 [etch] - xulrunner (Mozilla packages from oldstable no longer covered by security support) CVE-2009-3381 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - xulrunner 1.9.1.4-1 [lenny] - xulrunner (Only affects Firefox 3.5) [etch] - xulrunner (Only affects Firefox 3.5) CVE-2009-3380 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-1922-1} - xulrunner 1.9.1.4-1 [etch] - xulrunner (Mozilla packages from oldstable no longer covered by security support) CVE-2009-3379 (Multiple unspecified vulnerabilities in libvorbis, as used in Mozilla ...) {DSA-1939-1} - libvorbisidec 1.0.2+svn18153-0.1 (bug #669196) [squeeze] - libvorbisidec (Minor issue, no dev-deps) - libvorbis 1.2.3-1 (medium) - xulrunner 1.9.1.4-1 [lenny] - xulrunner (Only affects Firefox 3.5) [etch] - xulrunner (Only affects Firefox 3.5) CVE-2009-3378 (The oggplay_data_handle_theora_frame function in media/liboggplay/src/ ...) - xulrunner 1.9.1.4-1 [etch] - xulrunner (ogg support added in firefox 3.5) [lenny] - xulrunner (ogg support added in firefox 3.5) - liboggplay 0.2.1~git20091120-1 (medium; bug #552743) CVE-2009-3377 (Multiple unspecified vulnerabilities in liboggz before cf5feeaab69b05e ...) - xulrunner 1.9.1.4-1 [lenny] - xulrunner (Only affects Firefox 3.5) [etch] - xulrunner (Only affects Firefox 3.5) - liboggz 0.9.9-1 (low) [lenny] - liboggz (Too intrusive to backport, needs to be updated to 0.9.9. Requires additional rebuild of rev dep) CVE-2009-3376 (Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey be ...) {DSA-1922-1} - xulrunner 1.9.1.4-1 [etch] - xulrunner (Mozilla packages from oldstable no longer covered by security support) CVE-2009-3375 (content/html/document/src/nsHTMLDocument.cpp in Mozilla Firefox 3.0.x ...) {DSA-1922-1} - xulrunner 1.9.1.4-1 [etch] - xulrunner (Only affects Firefox 3.x) CVE-2009-3374 (The XPCVariant::VariantDataToJS function in the XPCOM implementation i ...) {DSA-1922-1} - xulrunner 1.9.1.4-1 [etch] - xulrunner (Mozilla packages from oldstable no longer covered by security support) CVE-2009-3373 (Heap-based buffer overflow in the GIF image parser in Mozilla Firefox ...) {DSA-1922-1} - xulrunner 1.9.1.4-1 [etch] - xulrunner (Only affects Firefox 3.x) CVE-2009-3372 (Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey be ...) {DSA-1922-1} - xulrunner 1.9.1.4-1 [etch] - xulrunner (Mozilla packages from oldstable no longer covered by security support) CVE-2009-3371 (Use-after-free vulnerability in Mozilla Firefox 3.5.x before 3.5.4 all ...) - xulrunner 1.9.1.4-1 [etch] - xulrunner (web workers introduced in firefox 3.5) [lenny] - xulrunner (web workers introduced in firefox 3.5) - kompozer (unimportant; bug #555326) NOTE: kompozer shares the browser engine with Firefox, but JavaScript is not enabled CVE-2009-3370 (Mozilla Firefox before 3.0.15, and 3.5.x before 3.5.4, allows remote a ...) {DSA-1922-1} - xulrunner 1.9.1.4-1 [etch] - xulrunner (Mozilla packages from oldstable no longer covered by security support) CVE-2009-3368 (Cross-site scripting (XSS) vulnerability in the Hotel Booking Reservat ...) NOT-FOR-US: component for Joomla! CVE-2009-3367 (Multiple cross-site scripting (XSS) vulnerabilities in An image galler ...) NOT-FOR-US: An image gallery 1.0 CVE-2009-3366 (Directory traversal vulnerability in navigation.php in An image galler ...) NOT-FOR-US: An image gallery 1.0 CVE-2009-3365 (PHP remote file inclusion vulnerability in add-ons/modules/sysmanager/ ...) NOT-FOR-US: Aurora CMS CVE-2009-3364 (Stack-based buffer overflow in FTPShell Client 4.1 RC2 allows remote F ...) NOT-FOR-US: FTPShell Client CVE-2009-3363 (Cross-site scripting (XSS) vulnerability in the BUEditor module 5.x be ...) NOT-FOR-US: a module for Drupal CVE-2009-3362 (PHP remote file inclusion vulnerability in printnews.php3 in SZNews 2. ...) NOT-FOR-US: SZNews CVE-2009-3361 (SQL injection vulnerability in index.php in PHP-IPNMonitor allows remo ...) NOT-FOR-US: PHP-IPNMonitor CVE-2009-3360 (Multiple cross-site scripting (XSS) vulnerabilities in Datemill 1.0 al ...) NOT-FOR-US: Datemill CVE-2009-3359 (Multiple cross-site scripting (XSS) vulnerabilities in Match Agency Bi ...) NOT-FOR-US: Match Agency BiZ CVE-2009-3358 (SQL injection vulnerability in profile.php in Tourism Scripts Adult Po ...) NOT-FOR-US: Tourism Scripts Adult CVE-2009-3357 (Multiple SQL injection vulnerabilities in the Hotel Booking Reservatio ...) NOT-FOR-US: component for Joomla! CVE-2009-3356 (SQL injection vulnerability in index.php in Image voting 1.0 allows re ...) NOT-FOR-US: Image voting CVE-2009-3355 (Cross-site scripting (XSS) vulnerability in profile.php in Datetopia B ...) NOT-FOR-US: Datetopia Buy Dating Site CVE-2009-3354 (Multiple unspecified vulnerabilities in the Rest API module for Drupal ...) NOT-FOR-US: Rest API module for Drupal CVE-2009-3353 (Multiple unspecified vulnerabilities in the Node2Node module for Drupa ...) NOT-FOR-US: Node2Node module for Drupal CVE-2009-3352 (Multiple unspecified vulnerabilities in the quota_by_role (Quota by ro ...) NOT-FOR-US: quota_by_role (Quota by role) module for Drupal CVE-2009-3351 (Multiple unspecified vulnerabilities in the Node Browser module for Dr ...) NOT-FOR-US: Node Browser module for Drupal CVE-2009-3350 (Multiple unspecified vulnerabilities in the Subdomain Manager module f ...) NOT-FOR-US: Subdomain Manager module for Drupal CVE-2009-3349 (SQL injection vulnerability in Datavore Gyro 5.0 allows remote attacke ...) NOT-FOR-US: Datavore Gyro CVE-2009-3348 (Cross-site scripting (XSS) vulnerability in Datavore Gyro 5.0 allows r ...) NOT-FOR-US: Datavore Gyro CVE-2009-3347 (Buffer overflow on the D-Link DIR-400 wireless router allows remote at ...) NOT-FOR-US: D-Link DIR-400 wireless router CVE-2009-3346 (Unspecified vulnerability in SAP Crystal Reports Server 2008 allows re ...) NOT-FOR-US: SAP Crystal Reports Server CVE-2009-3345 (Heap-based buffer overflow in SAP Crystal Reports Server 2008 has unkn ...) NOT-FOR-US: SAP Crystal Reports Server CVE-2009-3344 (Unspecified vulnerability in SAP Crystal Reports Server 2008 on Window ...) NOT-FOR-US: SAP Crystal Reports Server CVE-2009-3343 (SQL injection vulnerability in details.asp in HotWeb Rentals allows re ...) NOT-FOR-US: HotWeb Rentals CVE-2009-3342 (SQL injection vulnerability in frontend/assets/ajax/checkusername.php ...) NOT-FOR-US: component for Joomla! CVE-2009-3341 (Buffer overflow on the Linksys WRT54GL wireless router allows remote a ...) NOT-FOR-US: Linksys WRT54GL wireless router CVE-2009-3340 (Unspecified vulnerability in FreeSSHD 1.2.4 allows remote attackers to ...) NOT-FOR-US: FreeSSHD CVE-2009-3339 (Unspecified vulnerability in McAfee Email and Web Security Appliance 5 ...) NOT-FOR-US: McAfee Email and Web Security Appliance CVE-2009-3338 (Stack-based buffer overflow in EffectMatrix (E.M.) Magic Morph 1.95b a ...) NOT-FOR-US: Magic Morph CVE-2009-3337 (SQL injection vulnerability in the Freetag (serendipity_event_freetag) ...) NOT-FOR-US: plugin for Serendipity CVE-2009-3336 (SQL injection vulnerability in auction_details.php in PHP Pro Bid allo ...) NOT-FOR-US: PHP Pro Bid CVE-2009-3335 (SQL injection vulnerability in the TurtuShout component 0.11 for Jooml ...) NOT-FOR-US: TurtuShout component 0.11 for Joomla! CVE-2009-3334 (SQL injection vulnerability in the Lhacky! Extensions Cave Joomla! Int ...) NOT-FOR-US: Lhacky! Extensions Cave Joomla! CVE-2009-3333 (PHP remote file inclusion vulnerability in koesubmit.php in the koeSub ...) NOT-FOR-US: koeSubmit (com_koesubmit) component 1.0 for Mambo CVE-2009-3332 (SQL injection vulnerability in the JBudgetsMagic (com_jbudgetsmagic) c ...) NOT-FOR-US: BudgetsMagic (com_jbudgetsmagic) component for Joomla! CVE-2009-3331 (Multiple PHP remote file inclusion vulnerabilities in DDL CMS 1.0 allo ...) NOT-FOR-US: DDL CMS CVE-2009-3330 (SQL injection vulnerability in index.php in cP Creator 2.7.1, when mag ...) NOT-FOR-US: cP Creator CVE-2009-3329 (Stack-based buffer overflow in Winplot 1.25.0.1 allows user-assisted r ...) NOT-FOR-US: Winplot CVE-2009-3328 (Cross-site scripting (XSS) vulnerability in sign.php in WX-Guestbook 1 ...) NOT-FOR-US: WX-Guestbook CVE-2009-3327 (Multiple SQL injection vulnerabilities in WX-Guestbook 1.1.208 allow r ...) NOT-FOR-US: WX-Guestbook CVE-2009-3326 (SQL injection vulnerability in index.php in CMScontrol Content Managem ...) NOT-FOR-US: CMScontrol CVE-2009-3325 (SQL injection vulnerability in the Focusplus Developments Survey Manag ...) NOT-FOR-US: Survey Manager (com_surveymanager) component 1.5.0 for Joomla! CVE-2009-3324 (PHP remote file inclusion vulnerability in include/prodler.class.php i ...) NOT-FOR-US: ProdLer CVE-2009-3323 (Multiple PHP remote file inclusion vulnerabilities in BAnner ROtation ...) NOT-FOR-US: BAnner ROtation System mini (BAROSmini) CVE-2009-3322 (The Siemens Gigaset SE361 WLAN router allows remote attackers to cause ...) NOT-FOR-US: Siemens Gigaset SE361 WLAN router CVE-2009-3321 (SQL injection vulnerability in SaphpLesson 4.3, when magic_quotes_gpc ...) NOT-FOR-US: SaphpLesson CVE-2009-3320 (Cross-site scripting (XSS) vulnerability in scrivi.php in Zenas PaoLin ...) NOT-FOR-US: Zenas PaoLink (aka Pao-Link) CVE-2009-3319 (SQL injection vulnerability in poems.php in DCI-Designs Dawaween 1.03 ...) NOT-FOR-US: DCI-Designs Dawaween CVE-2009-3318 (Directory traversal vulnerability in the Roland Breedveld Album (com_a ...) NOT-FOR-US: Roland Breedveld Album (com_album) component 1.14 for Joomla! CVE-2009-3317 (PHP remote file inclusion vulnerability in pages/pageHeader.php in Ope ...) NOT-FOR-US: OpenSiteAdmin CVE-2009-3316 (SQL injection vulnerability in the JReservation (com_jreservation) com ...) NOT-FOR-US: JReservation (com_jreservation) component 1.0 and 1.5 for Joomla! CVE-2009-3315 (SQL injection vulnerability in admin/index.php in NeLogic Nephp Publis ...) NOT-FOR-US: NeLogic Nephp Publisher Enterprise CVE-2009-3314 (SQL injection vulnerability in ladders.php in Elite Gaming Ladders 3.2 ...) NOT-FOR-US: Elite Gaming Ladders CVE-2009-3313 (Multiple SQL injection vulnerabilities in FMyClone 2.3 allow remote at ...) NOT-FOR-US: FMyClone CVE-2009-3312 (PHP remote file inclusion vulnerability in php/init.poll.php in phpPol ...) NOT-FOR-US: phpPollScript CVE-2009-3311 (Cross-site scripting (XSS) vulnerability in index.php in RSSMediaScrip ...) NOT-FOR-US: RSSMediaScript CVE-2009-3310 (SQL injection vulnerability in index.php in Zainu 1.0 allows remote at ...) NOT-FOR-US: Zainu CVE-2009-3309 (SQL injection vulnerability in index.cfm in CF ShopKart 5.4 beta allow ...) NOT-FOR-US: CF ShopKart CVE-2009-3308 (SQL injection vulnerability in show-cat.php in FanUpdate 2.2.1 allows ...) NOT-FOR-US: FanUpdate CVE-2009-3307 (Multiple PHP remote file inclusion vulnerabilities in FSphp 0.2.1 allo ...) NOT-FOR-US: FSphp CVE-2009-3306 (PHP remote file inclusion vulnerability in include/header.php in Clear ...) NOT-FOR-US: ClearSite CVE-2009-3305 (Polipo 1.0.4, and possibly other versions, allows remote attackers to ...) {DSA-2002-1} - polipo 1.0.4-1.1 (low; bug #547047) [etch] - polipo (Minor issue) [lenny] - polipo (Minor issue) CVE-2009-3304 (GForge 4.5.14, 4.7 rc2, and 4.8.2 allows local users to overwrite arbi ...) {DSA-1945-1} - gforge 4.8.2-1 CVE-2009-3303 (Cross-site scripting (XSS) vulnerability in www/help/tracker.php in GF ...) {DSA-1937-1} - gforge 4.8.1-3 (low) CVE-2009-3302 (filter/ww8/ww8par2.cxx in OpenOffice.org (OOo) before 3.2 allows remot ...) {DSA-1995-1 DTSA-205-1} - openoffice.org 1:3.1.1-16 CVE-2009-3301 (Integer underflow in filter/ww8/ww8par2.cxx in OpenOffice.org (OOo) be ...) {DSA-1995-1 DTSA-205-1} - openoffice.org 1:3.1.1-16 CVE-2009-3300 (Multiple cross-site scripting (XSS) vulnerabilities in the Identity Pr ...) {DSA-1947-1} - shibboleth-sp2 2.3+dfsg-1 (medium; bug #555608) - shibboleth-sp 3.0.2+dfsg1-2 (medium) - opensaml2 2.3-1 (medium) NOTE: xmltooling also needs to be updated, changed in sid in 1.3.1-1 CVE-2009-3299 (Cross-site scripting (XSS) vulnerability in the resume blocktype in Ma ...) {DSA-1924-1} - mahara 1.1.7-1 (low) NOTE: http://mahara.org/interaction/forum/topic.php?id=1170 CVE-2009-3298 (Mahara before 1.0.13, and 1.1.x before 1.1.7, allows remote authentica ...) {DSA-1924-1} - mahara 1.1.7-1 (low) NOTE: http://mahara.org/interaction/forum/topic.php?id=1169 CVE-2009-3297 [mount race conditions] REJECTED CVE-2009-3296 (Multiple integer overflows in tiffread.c in CamlImages 2.2 might allow ...) {DSA-1912-2 DSA-1912-1} - camlimages 1:3.0.1-5 (low) - advi 1.6.0-15 (low; bug #551282) CVE-2009-3295 (The prep_reprocess_req function in kdc/do_tgs_req.c in the cross-realm ...) - krb5 1.7+dfsg-4 (medium) [lenny] - krb5 (code introduced in 1.7) [etch] - krb5 (code introduced in 1.7) CVE-2009-3294 (The popen API function in TSRM/tsrm_win32.c in PHP before 5.2.11 and 5 ...) - php5 (win32-specific) CVE-2009-3293 (Unspecified vulnerability in the imagecolortransparent function in PHP ...) - php5 (the php packages use the system libgd2) - php4 (the php packages use the system libgd2) NOTE: the transparent colours functionality is only on php5's bundled libgd2 CVE-2009-3292 (Unspecified vulnerability in PHP before 5.2.11, and 5.3.x before 5.3.1 ...) {DSA-1940-1} - php5 5.2.11.dfsg.1-1 (low) NOTE: unknown impact, it is related to missing sanity checks NOTE: when determining the length of sections of jpg headers NOTE: a missing limit on the nesting level of TIFF files, and NOTE: missing EOF checks, possibly leading to NULL dereferences NOTE: experimental is likely to be affected (as of 5.3.0) CVE-2009-3291 (The php_openssl_apply_verification_policy function in PHP before 5.2.1 ...) {DSA-1940-1} - php5 5.2.11.dfsg.1-1 (low) [lenny] - php5 (rather unimportant) [etch] - php5 (rather unimportant) NOTE: seems to be related to handling of \0 on CN NOTE: not worth a dsa on its own, php doesn't verify certificates by default NOTE: experimental is likely to be affected (as of 5.3.0) CVE-2009-3289 (The g_file_copy function in glib 2.0 sets the permissions of a target ...) - glib2.0 2.22.0-1 (low) [lenny] - glib2.0 2.16.6-3 [etch] - glib2.0 (Minor issue) CVE-2009-3287 (lib/thin/connection.rb in Thin web server before 1.2.4 relies on the X ...) - thin 1.2.4-1 (low) CVE-2009-3285 RESERVED CVE-2009-3284 (Directory traversal vulnerability in phpspot PHP BBS, PHP Image Captur ...) NOT-FOR-US: phpspot Products CVE-2009-3283 (Cross-site scripting (XSS) vulnerability in phpspot PHP BBS, PHP Image ...) NOT-FOR-US: phpspot Products CVE-2009-3282 (Integer overflow in the vmx86 kernel extension in VMware Fusion before ...) NOT-FOR-US: VMware Fusion CVE-2009-3281 (The vmx86 kernel extension in VMware Fusion before 2.0.6 build 196839 ...) NOT-FOR-US: VMware Fusion CVE-2009-3280 (Integer signedness error in the find_ie function in net/wireless/scan. ...) - linux-2.6 2.6.31-1 (medium) - linux-2.6.24 (vulnerable code not present) [etch] - linux-2.6 (vulnerable code not present) [lenny] - linux-2.6 (vulnerable code not present) CVE-2009-3279 (The QNAP TS-239 Pro and TS-639 Pro with firmware 2.1.7 0613, 3.1.0 062 ...) NOT-FOR-US: QNAP TS-239 Pro and TS-639 CVE-2009-3278 (The QNAP TS-239 Pro and TS-639 Pro with firmware 2.1.7 0613, 3.1.0 062 ...) NOT-FOR-US: QNAP TS-239 Pro and TS-639 CVE-2009-3277 (DataVault.Tesla/Impl/TypeSystem/AssociationHelper.cs in datavault allo ...) NOT-FOR-US: datavault CVE-2009-3276 (Zoran/WinFormsAdvansed/RegeularDataToXML/Form1.cs in WinFormsAdvansed ...) NOT-FOR-US: NASD CORE.NET Terelik (aka corenet1) CVE-2009-3275 (Blocks/Common/Src/Configuration/Manageability/Adm/AdmContentBuilder.cs ...) NOT-FOR-US: Microsoft patterns & practices Enterprise Library CVE-2009-3274 (Mozilla Firefox 3.6a1, 3.5.3, 3.5.2, and earlier 3.5.x versions, and 3 ...) {DSA-1922-1} - xulrunner 1.9.1.4-1 [etch] - xulrunner (Mozilla packages from oldstable no longer covered by security support) CVE-2009-3273 (iPhone Mail in Apple iPhone OS, and iPhone OS for iPod touch, does not ...) NOT-FOR-US: Apple iPhone CVE-2009-3272 (Stack consumption vulnerability in WebKit.dll in WebKit in Apple Safar ...) - qt4-x11 (unimportant) [etch] - qt4-x11 (webkit support introduced in version 4.4) - kdelibs (unimportant) - kde4libs (unimportant) NOTE: browser crashers are not considered security-relevant CVE-2009-3271 (Apple Safari on iPhone OS 3.0.1 allows remote attackers to cause a den ...) NOT-FOR-US: Apple Safari on iPhone OS 3.0.1 CVE-2009-3290 (The kvm_emulate_hypercall function in arch/x86/kvm/x86.c in KVM in the ...) {DSA-1915-1 DSA-1907-1 DTSA-203-1} - linux-2.6 2.6.31-1 (medium) [etch] - linux-2.6 (introduced in 2.6.25) - linux-2.6.24 (introduced in 2.6.25) - kvm 85+dfsg-4.1 (high; bug #548975) CVE-2009-3288 (The sg_build_indirect function in drivers/scsi/sg.c in Linux kernel 2. ...) - linux-2.6 2.6.31-1 (low) [etch] - linux-2.6 (introduced in 2.6.28) [lenny] - linux-2.6 (introduced in 2.6.28) - linux-2.6.24 (introduced in 2.6.28) CVE-2009-3286 (NFSv4 in the Linux kernel 2.6.18, and possibly other versions, does no ...) {DSA-1929-1 DSA-1928-1 DSA-1915-1} - linux-2.6 2.6.30-1 (low) - linux-2.6.24 CVE-2009-3270 (Microsoft Internet Explorer 7 through 7.0.6000.16711 allows remote att ...) NOT-FOR-US: Microsoft Internet Explorer 7 CVE-2009-3269 (Opera 9.52 and earlier allows remote attackers to cause a denial of se ...) NOT-FOR-US: Opera CVE-2009-3268 (Google Chrome 1.0.154.48 and earlier allows remote attackers to cause ...) - chromium-browser (Only 1.x is affected) NOTE: browser denial of services not considered security-relevant CVE-2009-3267 (Microsoft Internet Explorer 6 through 6.0.2900.2180, and 7.0.6000.1671 ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-3266 (Opera before 10.01 does not properly restrict HTML in a (1) RSS or (2) ...) NOT-FOR-US: Opera CVE-2009-3265 (Cross-site scripting (XSS) vulnerability in Opera 9 and 10 allows remo ...) NOT-FOR-US: Opera CVE-2009-3264 (The getSVGDocument method in Google Chrome before 3.0.195.21 omits an ...) - chromium-browser (Only 3.x is affected) - libv8 1.3.11+dfsg-1 - webkit (libv8 issue) CVE-2009-3263 (Cross-site scripting (XSS) vulnerability in Google Chrome 2.x and 3.x ...) - chromium-browser (Only 3.x is affected) - webkit (chrome-specific issue) NOTE: http://seclists.org/fulldisclosure/2009/Sep/201 NOTE: other browsers are not affected (only chrome and opera) CVE-2009-3262 (Cross-site scripting (XSS) vulnerability in the Self Service UI (SSUI) ...) NOT-FOR-US: IBM Tivoli Identity Manager CVE-2009-3261 (update/update_0.1.2_to_0.2.php in LiveStreet 0.2 does not require admi ...) NOT-FOR-US: LiveStreet CVE-2009-3260 (Cross-site scripting (XSS) vulnerability in LiveStreet 0.2 allows remo ...) NOT-FOR-US: LiveStreet CVE-2009-3259 (Multiple SQL injection vulnerabilities in RASH Quote Management System ...) NOT-FOR-US: RASH Quote Management System (RQMS) CVE-2009-3258 (vtiger CRM before 5.1.0 allows remote authenticated users, with certai ...) NOT-FOR-US: vtiger CRM CVE-2009-3257 (vtiger CRM before 5.1.0 allows remote authenticated users to bypass th ...) NOT-FOR-US: vtiger CRM CVE-2009-3256 (Cross-site scripting (XSS) vulnerability in include/ajax/blogInfo.php ...) NOT-FOR-US: LiveStreet CVE-2009-3255 (SQL injection vulnerability in RASH Quote Management System (RQMS) 1.2 ...) NOT-FOR-US: RASH Quote Management System (RQMS) CVE-2009-3254 (Multiple stack-based buffer overflows in Ultimate Player 1.56 beta all ...) NOT-FOR-US: Ultimate Player CVE-2009-3253 (Stack-based buffer overflow in TriceraSoft Swift Ultralite 1.032 allow ...) NOT-FOR-US: TriceraSoft Swift Ultralite CVE-2009-3252 (Multiple SQL injection vulnerabilities in news.php in Rock Band CMS 0. ...) NOT-FOR-US: Rock Band CMS CVE-2009-3251 (include/utils/ListViewUtils.php in vtiger CRM before 5.1.0 allows remo ...) NOT-FOR-US: vtiger CRM CVE-2009-3250 (The saveForwardAttachments procedure in the Compose Mail functionality ...) NOT-FOR-US: vtiger CRM CVE-2009-3249 (Multiple directory traversal vulnerabilities in vtiger CRM 5.0.4 allow ...) NOT-FOR-US: vtiger CRM CVE-2009-3248 (Cross-site request forgery (CSRF) vulnerability in the RSS module in v ...) NOT-FOR-US: vtiger CRM CVE-2009-3247 (Cross-site scripting (XSS) vulnerability in the Activities module in v ...) NOT-FOR-US: vtiger CRM CVE-2009-3246 (SQL injection vulnerability in spnews.php in MyBuxScript PTC-BUX allow ...) NOT-FOR-US: MyBuxScript PTC-BUX CVE-2008-7246 (Google Chrome 0.2.149.29 and earlier allows remote attackers to cause ...) - chromium-browser (unimportant) NOTE: browser denial of services aren't considered security-relevant CVE-2008-7245 (Opera 9.52 and earlier allows remote attackers to cause a denial of se ...) NOT-FOR-US: Opera CVE-2008-7244 (Mozilla Firefox 3.0.1 and earlier allows remote attackers to cause a d ...) - xulrunner (unimportant) NOTE: browser denial-of-services are unimportant CVE-2009-3245 (OpenSSL before 0.9.8m does not check for a NULL return value from bn_w ...) - openssl 0.9.8m-1 (low; bug #575433) [lenny] - openssl 0.9.8g-15+lenny7 CVE-2009-3244 (Heap-based buffer overflow in the SwDir.dll ActiveX control in Adobe S ...) NOT-FOR-US: Adobe ShockWave Player CVE-2009-3243 (Unspecified vulnerability in the TLS dissector in Wireshark 1.2.0 and ...) - wireshark (Windows-only issue) CVE-2009-3242 (Unspecified vulnerability in packet.c in the GSM A RR dissector in Wir ...) - wireshark 1.2.2-1 (low; bug #547704) [etch] - wireshark (Only affects 1.2.x) [lenny] - wireshark (Only affects 1.2.x) CVE-2009-3241 (Unspecified vulnerability in the OpcUa (OPC UA) dissector in Wireshark ...) {DSA-1942-1} - wireshark 1.2.2-1 (low; bug #547704) [etch] - wireshark (Only affects >= 0.99.6) [lenny] - wireshark 1.0.2-3+lenny6 CVE-2009-3240 (Cross-site scripting (XSS) vulnerability in the Happy Linux XF-Section ...) NOT-FOR-US: module for XOOPS CVE-2009-3239 REJECTED CVE-2009-3238 (The get_random_int function in drivers/char/random.c in the Linux kern ...) {DSA-1929-1 DSA-1928-1 DSA-1927-1} - linux-2.6 2.6.30-1 (low) - linux-2.6.24 (low) CVE-2009-3237 (Multiple cross-site scripting (XSS) vulnerabilities in Horde Applicati ...) {DSA-1966-1} - horde3 3.3.5+debian0-1 (low) [lenny] - horde3 3.2.2+debian0-2+lenny1 NOTE: horde3 issue fixed in backport of latest DSA, DSA however did not fix etch CVE-2009-3235 (Multiple stack-based buffer overflows in the Sieve plugin in Dovecot 1 ...) {DSA-1893-1 DSA-1892-1} - cyrus-imapd-2.2 2.2.13-17 (medium; bug #547947) - kolab-cyrus-imapd 2.2.13-5.1 (medium; bug #547712) - dovecot 1:1.2.1-1 (medium; bug #546656) NOTE: This is a different vulnerability than CVE-2009-2632, it covers a few additional buffer overflows CVE-2009-3228 (The tc_fill_tclass function in net/sched/sch_api.c in the tc subsystem ...) {DSA-1929-1 DSA-1928-1 DSA-1927-1} - linux-2.6 2.6.31-1 (low) - linux-2.6.24 (low) CVE-2005-4881 (The netlink subsystem in the Linux kernel 2.4.x before 2.4.37.6 and 2. ...) - linux-2.6 2.6.13-1 (low) - linux-2.6.24 (fixed prior to first upload of 2.6.24) CVE-2009-3236 (The form library in Horde Application Framework 3.2 before 3.2.5 and 3 ...) {DSA-1897-1} - horde3 3.3.5+debian0-1 (medium; bug #547318) CVE-2008-7243 (Cross-site request forgery (CSRF) vulnerability in page 34 in MODx CMS ...) NOT-FOR-US: MODx CMS CVE-2008-7242 (Multiple cross-site scripting (XSS) vulnerabilities in MODx CMS 0.9.6. ...) NOT-FOR-US: MODx CMS CVE-2008-7241 (Cross-site request forgery (CSRF) vulnerability in PunBB before 1.2.17 ...) NOT-FOR-US: PunBB CVE-2008-7240 (Directory traversal vulnerability in include/unverified.inc.php in Lin ...) NOT-FOR-US: Linux Web Shop (LWS) php User Base CVE-2009-3234 (Buffer overflow in the perf_copy_attr function in kernel/perf_counter. ...) - linux-2.6 (Introduced in 2.6.31, fixed in Debian package before initial 2.6.31 upload) - linux-2.6.24 (Introduced in 2.6.31) CVE-2009-3227 (Cross-site scripting (XSS) vulnerability in index.php in AlmondSoft Al ...) NOT-FOR-US: AlmondSoft Almond Classifieds Ads Enterprise CVE-2009-3226 (SQL injection vulnerability in index.php in AlmondSoft Almond Classifi ...) NOT-FOR-US: AlmondSoft Almond Classifieds Ads Enterprise CVE-2009-3225 (Multiple cross-site scripting (XSS) vulnerabilities in AlmondSoft Almo ...) NOT-FOR-US: AlmondSoft Almond Classifieds Wap and Pro CVE-2009-3224 (SQL injection vulnerability in index.php in Super Mod System, when usi ...) NOT-FOR-US: Super Mod System CVE-2009-3223 (SQL injection vulnerability in ppc-add-keywords.php in Inout Adserver ...) NOT-FOR-US: Inout Adserver CVE-2009-3222 (Cross-site scripting (XSS) vulnerability in index.php in FreeWebScript ...) NOT-FOR-US: FreeWebScriptz Honest Traffic CVE-2009-3221 (Stack-based buffer overflow in Audio Lib Player (ALP) allows remote at ...) NOT-FOR-US: Audio Lib Player (ALP) CVE-2009-3220 (PHP remote file inclusion vulnerability in cp_html2txt.php in All In O ...) NOT-FOR-US: All In One Control Panel CVE-2009-3219 (Directory traversal vulnerability in a.php in AR Web Content Manager ( ...) NOT-FOR-US: AR Web Content Manager CVE-2009-3218 (SQL injection vulnerability in control/login.php in AR Web Content Man ...) NOT-FOR-US: AR Web Content Manager CVE-2009-3217 (SQL injection vulnerability in the admin module in iWiccle 1.01 allows ...) NOT-FOR-US: iWiccle CVE-2009-3216 (Multiple directory traversal vulnerabilities in iWiccle 1.01, when mag ...) NOT-FOR-US: iWiccle CVE-2009-3215 (SQL injection vulnerability in IXXO Cart Standalone before 3.9.6.1, an ...) NOT-FOR-US: IXXO Cart Standalone CVE-2009-3214 (Multiple stack-based buffer overflows in Photodex ProShow Gold 4.0.254 ...) NOT-FOR-US: Photodex ProShow Gold CVE-2009-3213 (Stack-based buffer overflow in broid 1.0 Beta 3a allows remote attacke ...) NOT-FOR-US: broid CVE-2009-3212 (SQL injection vulnerability in VivaPrograms Infinity Script 2.x.x, whe ...) NOT-FOR-US: VivaPrograms Infinity Script CVE-2009-3211 (Directory traversal vulnerability in VivaPrograms Infinity Script 2.x. ...) NOT-FOR-US: VivaPrograms Infinity Script CVE-2009-3210 (Multiple cross-site scripting (XSS) vulnerabilities in the Print (aka ...) NOT-FOR-US: Print (aka Printer, e-mail and PDF versions) Drupal module (3rd party module) CVE-2009-3209 (SQL injection vulnerability in remove.php in PHP eMail Manager 3.3.0 a ...) NOT-FOR-US: PHP eMail Manager CVE-2009-3208 (Multiple SQL injection vulnerabilities in phpfreeBB 1.0 allow remote a ...) NOT-FOR-US: phpfreeBB CVE-2009-3207 (The ImageCache module 5.x before 5.x-2.5 and 6.x before 6.x-2.0-beta10 ...) NOT-FOR-US: ImageCache module for Drupal (3rd party module) CVE-2009-3206 (Multiple cross-site scripting (XSS) vulnerabilities in the ImageCache ...) NOT-FOR-US: ImageCache module for Drupal (3rd party module) CVE-2009-3205 (SQL injection vulnerability in main.php in CBAuthority allows remote a ...) NOT-FOR-US: CBAuthority CVE-2009-3204 (Multiple cross-site scripting (XSS) vulnerabilities in Stiva Forum 1.0 ...) NOT-FOR-US: Stiva Forum CVE-2009-3203 (SQL injection vulnerability in store.php in AJ Auction Pro OOPD 2.x al ...) NOT-FOR-US: AJ Auction Pro OOPD CVE-2009-3202 (Cross-site scripting (XSS) vulnerability in search.php in ULoKI PHP Fo ...) NOT-FOR-US: ULoKI PHP Forum CVE-2009-3201 (Integer overflow in Media Player Classic 6.4.9 allows user-assisted re ...) NOT-FOR-US: Media Player Classic CVE-2009-3200 (The QNAP TS-239 Pro and TS-639 Pro with firmware 2.1.7 0613, 3.1.0 062 ...) NOT-FOR-US: QNAP TS-239 Pro and TS-639 Pro CVE-2009-3199 (Uebimiau Webmail 3.2.0-2.0 stores sensitive information under the web ...) NOT-FOR-US: Uebimiau Webmail CVE-2009-3198 (Cross-site scripting (XSS) vulnerability in search.php in JCE-Tech Aff ...) NOT-FOR-US: Affiliate Master CVE-2009-3197 (Cross-site scripting (XSS) vulnerability in search.php in JCE-Tech PHP ...) NOT-FOR-US: JCE-Tech PHP Calendars CVE-2009-3196 (Cross-site scripting (XSS) vulnerability in index.php in JCE-Tech PHP ...) NOT-FOR-US: JCE-Tech PHP Video Script CVE-2009-3195 (Multiple cross-site scripting (XSS) vulnerabilities in JCE-Tech Auctio ...) NOT-FOR-US: JCE-Tech Auction RSS Content Script CVE-2009-3194 (Cross-site scripting (XSS) vulnerability in index.php in JCE-Tech Sear ...) NOT-FOR-US: JCE-Tech SearchFeed Script CVE-2009-3193 (SQL injection vulnerability in the DigiFolio (com_digifolio) component ...) NOT-FOR-US: component for Joomla! CVE-2009-3192 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Li ...) NOT-FOR-US: LinkorCMS CVE-2009-3191 (Multiple cross-site scripting (XSS) vulnerabilities in PAD Site Script ...) NOT-FOR-US: PAD Site Scripts CVE-2009-3190 (Multiple SQL injection vulnerabilities in PAD Site Scripts 3.6 allow r ...) NOT-FOR-US: PAD Site Scripts CVE-2009-3189 (Cross-site scripting (XSS) vulnerability in search.php in DigiOz Guest ...) NOT-FOR-US: DigiOz Guestbook CVE-2009-3188 (PHP remote file inclusion vulnerability in save.php in phpSANE 0.5.0 a ...) NOT-FOR-US: phpSANE CVE-2009-3187 (Cross-site scripting (XSS) vulnerability in gamelist.php in Stand Alon ...) NOT-FOR-US: Stand Alone Arcade CVE-2009-3186 (Multiple cross-site scripting (XSS) vulnerabilities in VideoGirls BiZ ...) NOT-FOR-US: VideoGirls BiZ CVE-2009-3185 (SQL injection vulnerability in plugin.php in the Crazy Star plugin 2.0 ...) NOT-FOR-US: Crazy Star plugin 2.0 for Discuz! CVE-2009-3184 (Multiple SQL injection vulnerabilities in index.php in Pirates of The ...) NOT-FOR-US: Pirates of The Caribbean CVE-2009-3233 (changetrack 4.3 allows local users to execute arbitrary commands via C ...) {DSA-1891-1} - changetrack 4.5-2 (medium; bug #546791) CVE-2008-7228 (Multiple format string vulnerabilities in White_Dune before 0.29beta85 ...) - whitedune (bug #546903) NOTE: The debian binary versions are not compiled with the --with-aflockdebug option CVE-2008-7224 (Buffer overflow in entity_cache in ELinks before 0.11.4rc0 allows remo ...) {DSA-1902-1} - elinks 0.11.3-1 (low; bug #380347) CVE-2009-3183 (Heap-based buffer overflow in w in Sun Solaris 8 through 10, and OpenS ...) NOT-FOR-US: Sun Solaris CVE-2008-7239 (Multiple unspecified vulnerabilities in Oracle E-Business Suite 11.5.1 ...) NOT-FOR-US: Oracle E-Business Suite CVE-2008-7238 (Multiple unspecified vulnerabilities in Oracle E-Business Suite 12.0.3 ...) NOT-FOR-US: Oracle E-Business Suite CVE-2008-7237 (Unspecified vulnerability in the Oracle Internet Directory component i ...) NOT-FOR-US: Oracle Application Server CVE-2008-7236 (Unspecified vulnerability in the Oracle JDeveloper component in Oracle ...) NOT-FOR-US: Oracle Application Server CVE-2008-7235 (Unspecified vulnerability in the Oracle Forms component in Oracle Appl ...) NOT-FOR-US: Oracle Application Server CVE-2008-7234 (Unspecified vulnerability in the Oracle BPEL Worklist Application comp ...) NOT-FOR-US: Oracle Application Server CVE-2008-7233 (Unspecified vulnerability in the E-Business Application client, as use ...) NOT-FOR-US: E-Business Application client CVE-2008-7232 (Buffer overflow in the report function in xtacacsd 4.1.2 and earlier a ...) NOT-FOR-US: xtacacsd CVE-2008-7231 (Cross-site scripting (XSS) vulnerability in Meridio Document and Recor ...) NOT-FOR-US: Meridio Document and Records Management CVE-2008-7230 (Unspecified vulnerability in Small Footprint CIM Broker (SFCB) before ...) NOT-FOR-US: Small Footprint CIM Broker CVE-2008-7229 (GreenSQL Firewall (greensql-fw) before 0.9.2 allows remote attackers t ...) NOT-FOR-US: GreenSQL Firewall CVE-2008-7227 (PartialBufferOutputStream2 in GeoServer before 1.6.1 and 1.7.0-beta1 a ...) NOT-FOR-US: GeoServer CVE-2008-7226 (SQL injection vulnerability in index.php in the Recipes module 1.3, 1. ...) NOT-FOR-US: Recipes module for PHP-Nuke CVE-2008-7225 (Heap-based buffer overflow in Foxit Remote Access Server (aka WAC Serv ...) NOT-FOR-US: Foxit Remote Access Server CVE-2008-7223 (Multiple cross-site scripting (XSS) vulnerabilities in LinPHA before 1 ...) NOT-FOR-US: LinPHA CVE-2008-7222 (Cross-site scripting (XSS) vulnerability in system/admin.php in RunCMS ...) NOT-FOR-US: RunCMS CVE-2008-7221 (Cross-site request forgery (CSRF) vulnerability in RunCMS 1.6.1 allows ...) NOT-FOR-US: RunCMS CVE-2009-3166 (token.cgi in Bugzilla 3.4rc1 through 3.4.1 places a password in a URL ...) - bugzilla 3.4.7.0-1 [lenny] - bugzilla (Only Bugzilla >= 3.3 is affected) CVE-2009-3165 (SQL injection vulnerability in the Bug.create WebService function in B ...) {DSA-1913-1} - bugzilla 3.2.5.0-1 (low; bug #547132) [etch] - bugzilla (Vulnerable code not present) NOTE: Introduced in 2.23.4 CVE-2008-7220 (Unspecified vulnerability in Prototype JavaScript framework (prototype ...) {DSA-1952-1} - prototypejs 1.6.0.2-1 - asterisk 1:1.6.2.0~rc3-1 (low; bug #555220) [etch] - asterisk (Etch Packages no longer covered by security support) [lenny] - asterisk (Minor issue) - auth2db 0.2.5-2+dfsg-1 (low; bug #555217) - libaws 2.7-1 (low; bug #555221) [etch] - libaws (minor issue) [lenny] - libaws (minor issue) - libjson-ruby 1.1.4-1 (low; bug #555223) [lenny] - libjson-ruby 1.1.2-1+lenny1 - lucene2 2.9.1+ds1-2 (unimportant; bug #555225) [etch] - lucene2 (prototype.js not present) NOTE: prototype.js copy unused per #555225 - glpi 0.72.3-1 (low; bug #555228) [etch] - glpi (minor issue) [lenny] - glpi (minor issue) - knowledgeroot 0.9.9.5-1 (low; bug #555229) [etch] - knowledgeroot (minor issue) [lenny] - knowledgeroot (Vulnerable code not present) - mt-daapd 0.9~r1696.dfsg-6 (low; bug #555231) [etch] - mt-daapd 0.2.4+r1376-1.1+etch3 - mediatomb 0.12.0~svn2018-5 (low; bug #555232) [lenny] - mediatomb (minor issue) - op-panel 0.30~dfsg-1 (low; bug #555234) - ebug-http 0.31-2.1 (low; bug #555235) [lenny] - ebug-http (Minor issue) - poker-network 1.7.6-1 (low; bug #555237) [etch] - poker-network (minor issue) - webhelpers 0.3.4-2 (low; bug #555239) - qwik (low; bug #555240) [etch] - qwik (minor issue) [lenny] - qwik (minor issue) - wordpress 2.5.0-2 (low; bug #555242) [etch] - wordpress (prototype.js not present) - exaile 0.2.14+debian-2.2 (low; bug #555244) [lenny] - exaile (minor issue) - hobix 0.5~svn20070319-4 (low; bug #555246) [lenny] - hobix (minor issue) - pixelpost 1.7.1-6 (low; bug #555248) [lenny] - pixelpost (minor issue) - symfony 1.0.21-1.1 (low; bug #555250) [lenny] - symfony (minor issue) - jscropperui 1.2.1-1 (low; bug #555255) [lenny] - jscropperui (minor issue) - rt-extension-emailcompletion (prototype.js not included in the binary package; bug #555258) - scriptaculous 1.8.3-1 (low; bug #555259) [lenny] - scriptaculous (Minor issue) - activeldap 1.0.9-1 (unimportant; bug #555263) NOTE: Only shipped in an example - otrs2 2.3.4-6 (low; bug #555266) [etch] - otrs2 (prototype.js not present) [lenny] - otrs2 (prototype.js not present) - webcalendar 1.2~b1-2 (low; bug #555268) [lenny] - webcalendar (prototype.js not present) - libhtml-prototype-perl 1.48-3 (low; bug #558977) [etch] - libhtml-prototype-perl (minor issue) [lenny] - libhtml-prototype-perl (minor issue) - plone3 (low; bug #555274) - wesnoth (prototype.js not included in any of the binary packages; bug #555266) - webcit (fixed since initial inclusion) - zabbix (fixed since initial inclusion) - chora2 (fixed since initial inclusion) - gollem (fixed since initial inclusion) - ingo1 (fixed since initial inclusion) - kronolith2 (fixed since initial inclusion) - jifty (fixed since initial inclusion) - jquery (fixed since initial inclusion) - passenger (fixed since initial inclusion) CVE-2008-7219 (Horde Kronolith H3 2.1 before 2.1.7 and 2.2 before 2.2-RC2; Nag H3 2.1 ...) - kronolith2 2.1.7-1 - nag2 2.1.4-1 - mnemo2 2.1.2-1 CVE-2008-7218 (Unspecified vulnerability in the Horde API in Horde 3.1 before 3.1.6 a ...) {DSA-1897-1} - horde3 3.1.6-1 - turba2 2.1.7-1 - kronolith2 2.1.7-1 - nag2 2.1.4-1 - mnemo2 2.1.2-1 CVE-2008-7217 (Microsoft Office 2008 for Mac, when running on Macintosh systems that ...) NOT-FOR-US: Microsoft Office CVE-2007-6732 (Multiple buffer overflows in the dtt_load function in loaders/dtt_load ...) - xmp 2.6.1-1 (low; bug #546730) [etch] - xmp (Minor issue, fringe app/formats) [lenny] - xmp (Minor issue, fringe app/formats) CVE-2007-6731 (Extended Module Player (XMP) 2.5.1 and earlier allow remote attackers ...) - xmp 2.6.1-1 (low; bug #546730) [etch] - xmp (Minor issue, fringe app/formats) [lenny] - xmp (Minor issue, fringe app/formats) CVE-2009-3182 (Unrestricted file upload vulnerability in admin/editor/filemanager/bro ...) NOT-FOR-US: Anantasoft Gazelle CMS CVE-2009-3181 (Directory traversal vulnerability in Anantasoft Gazelle CMS 1.0 allows ...) NOT-FOR-US: Anantasoft Gazelle CMS CVE-2009-3180 (Anantasoft Gazelle CMS 1.0 allows remote attackers to conduct a passwo ...) NOT-FOR-US: Anantasoft Gazelle CMS CVE-2009-3179 (Multiple unspecified vulnerabilities in Symantec Altiris Deployment So ...) NOT-FOR-US: Symantec Altiris Deployment Solution CVE-2009-3178 (Unspecified vulnerability in mm.exe in Symantec Altiris Deployment Sol ...) NOT-FOR-US: Symantec Altiris Deployment Solution CVE-2009-3177 (Unspecified vulnerability in Kaspersky Online Scanner 7.0 has unknown ...) NOT-FOR-US: Kaspersky Online Scanner CVE-2009-3176 (Buffer overflow in the ActiveX control in Novell iPrint Client 4.38 al ...) NOT-FOR-US: Novell iPrint Client CVE-2009-3175 (Multiple SQL injection vulnerabilities in Model Agency Manager PRO (fo ...) NOT-FOR-US: Model Agency Manager PRO CVE-2009-3174 (PHP remote file inclusion vulnerability in fonctions_racine.php in OBO ...) NOT-FOR-US: OBOphiX CVE-2009-3173 (Unrestricted file upload vulnerability in admin/add_album.php in The R ...) NOT-FOR-US: Rat CMS Alpha CVE-2009-3172 (Unspecified vulnerability in Hitachi Groupmax Groupware Server 07-00 t ...) NOT-FOR-US: Hitachi Groupmax Groupware Server CVE-2009-3171 (Multiple cross-site scripting (XSS) vulnerabilities in Anantasoft Gaze ...) NOT-FOR-US: Anantasoft Gazelle CMS CVE-2009-3170 (Stack-based buffer overflow in AIMP2 Audio Converter 2.53 (build 330) ...) NOT-FOR-US: AIMP2 Audio Converter CVE-2009-3169 (Multiple unspecified vulnerabilities in Hitachi JP1/File Transmission ...) NOT-FOR-US: Hitachi CVE-2009-3168 (Mevin Productions Basic PHP Events Lister 2.0 does not properly restri ...) NOT-FOR-US: Mevin Productions Basic PHP Events Lister CVE-2009-3167 (Directory traversal vulnerability in index.php in Anantasoft Gazelle C ...) NOT-FOR-US: Anantasoft Gazelle CMS CVE-2008-7216 (Peter's Math Anti-Spam Spinoff plugin for WordPress generates audio CA ...) NOT-FOR-US: Math Anti-Spam Spinoff plugin for WordPress CVE-2008-7215 (The Image Manager in MOStlyCE before 2.4, as used in Mambo 4.6.3 and e ...) NOT-FOR-US: MOStlyCE CVE-2008-7214 (Cross-site request forgery (CSRF) vulnerability in administrator/index ...) NOT-FOR-US: MOStlyCE CVE-2008-7213 (Cross-site scripting (XSS) vulnerability in mambots/editors/mostlyce/j ...) NOT-FOR-US: MOStlyCE CVE-2008-7212 (MOStlyCE before 2.4, as used in Mambo 4.6.3 and earlier, allows remote ...) NOT-FOR-US: MOStlyCE CVE-2008-7211 (CreativeLabs es1371mp.sys 5.1.3612.0 WDM audio driver, as used in Enso ...) NOT-FOR-US: CreativeLabs WDM audio driver CVE-2008-7210 (directory.php in AJchat 0.10 allows remote attackers to bypass input v ...) NOT-FOR-US: AJchat CVE-2008-7209 (Unrestricted file upload vulnerability in the add2 action in a_upload. ...) NOT-FOR-US: OneCMS CVE-2008-7208 (Multiple SQL injection vulnerabilities in OneCMS 2.4, and possibly ear ...) NOT-FOR-US: OneCMS CVE-2008-7207 (RivetTracker before 1.0 stores passwords in cleartext in config.php, w ...) NOT-FOR-US: RivetTracker CVE-2008-7206 (Unspecified vulnerability in Electronic Logbook (ELOG) before 2.7.2 ha ...) NOT-FOR-US: Electronic Logbook CVE-2008-7205 (Unspecified vulnerability in the product view functionality in VirtueM ...) NOT-FOR-US: VirtueMart CVE-2008-7204 (Cross-site request forgery (CSRF) vulnerability in VirtueMart 1.0.13a ...) NOT-FOR-US: VirtueMart CVE-2008-7203 (Valve Software Half-Life Counter-Strike 1.6 allows remote attackers to ...) NOT-FOR-US: Valve Software Half-Life Counter-Strike CVE-2009-3232 (pam-auth-update for PAM, as used in Ubuntu 8.10 and 9.4, and Debian GN ...) - pam 1.0.1-10 (bug #519927) [lenny] - pam (pam-auth-update not yet present) [etch] - pam (pam-auth-update not yet present) CVE-2009-3229 (The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8 ...) {DSA-1900-1} - postgresql-8.4 8.4.1-1 - postgresql-8.3 8.3.8-1 - postgresql-8.1 - postgresql-7.4 CVE-2009-3230 (The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8 ...) {DSA-1900-1} - postgresql-8.4 8.4.1-1 - postgresql-8.3 8.3.8-1 - postgresql-8.1 - postgresql-7.4 CVE-2009-3231 (The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2 befor ...) {DSA-1900-1} - postgresql-8.4 8.4.1-1 - postgresql-8.3 8.3.8-1 - postgresql-8.1 - postgresql-7.4 CVE-2009-3164 (Unspecified vulnerability in the IPv6 networking stack in Sun Solaris ...) NOT-FOR-US: Solaris CVE-2009-3163 (Multiple format string vulnerabilities in lib/silcclient/command.c in ...) {DSA-1879-1} - silc-toolkit 1.1.10-1 (medium) - silc-client 1.1-2 (medium) - silc-server 1.1.2-1 (medium) NOTE: silc-client/silc-server use libsilc from silc-toolkit since 1.1-2 CVE-2009-3145 REJECTED CVE-2009-3144 REJECTED CVE-2009-3143 REJECTED CVE-2009-3142 REJECTED CVE-2009-3141 REJECTED CVE-2009-3140 REJECTED CVE-2009-3139 REJECTED CVE-2009-3138 REJECTED CVE-2009-3137 REJECTED CVE-2009-3136 REJECTED CVE-2009-3135 (Stack-based buffer overflow in Microsoft Office Word 2002 SP3 and 2003 ...) NOT-FOR-US: Microsoft Office CVE-2009-3134 (Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Offic ...) NOT-FOR-US: Microsoft Office CVE-2009-3133 (Microsoft Office Excel 2002 SP3, Office 2004 and 2008 for Mac, and Ope ...) NOT-FOR-US: Microsoft Office CVE-2009-3132 (Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Offic ...) NOT-FOR-US: Microsoft Office CVE-2009-3131 (Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Offic ...) NOT-FOR-US: Microsoft Office CVE-2009-3130 (Heap-based buffer overflow in Microsoft Office Excel 2002 SP3, Office ...) NOT-FOR-US: Microsoft Office CVE-2009-3129 (Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Offic ...) NOT-FOR-US: Microsoft Office CVE-2009-3128 (Microsoft Office Excel 2002 SP3 and 2003 SP3, and Office Excel Viewer ...) NOT-FOR-US: Microsoft Office CVE-2009-3127 (Microsoft Office Excel 2002 SP3 and 2003 SP3, Office 2004 and 2008 for ...) NOT-FOR-US: Microsoft Office CVE-2009-3126 (Integer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-3162 (Cross-site scripting (XSS) vulnerability in Multi Website 1.5 allows r ...) NOT-FOR-US: Multi Website CVE-2009-3161 (The server in IBM WebSphere MQ 7.0.0.1, 7.0.0.2, and 7.0.1.0 allows at ...) NOT-FOR-US: IBM WebSpHere MQ CVE-2009-3160 (IBM WebSphere MQ 6.x through 6.0.2.7, 7.0.0.0, 7.0.0.1, 7.0.0.2, and 7 ...) NOT-FOR-US: IBM WebSphere MQ CVE-2009-3159 (Unspecified vulnerability in the rriDecompress function in IBM WebSphe ...) NOT-FOR-US: IBM WebSphere MQ CVE-2009-3158 (admin/files.php in simplePHPWeb 0.2 does not require authentication, w ...) NOT-FOR-US: simplePHPWeb CVE-2009-3157 (Cross-site scripting (XSS) vulnerability in the Calendar module 6.x be ...) NOT-FOR-US: Calendar module for Drupal CVE-2009-3156 (Cross-site scripting (XSS) vulnerability in the Date Tools sub-module ...) NOT-FOR-US: Date module for Drupal CVE-2009-3155 (Cross-site scripting (XSS) vulnerability in gmap.php in the Almond Cla ...) NOT-FOR-US: Almond Classifieds component for Joomla! CVE-2009-3154 (SQL injection vulnerability in the Almond Classifieds (com_aclassf) co ...) NOT-FOR-US: Almond Classifieds component for Joomla! CVE-2009-3153 (Multiple cross-site scripting (XSS) vulnerabilities in x10 MP3 Search ...) NOT-FOR-US: x10 MP3 Search engine CVE-2009-3152 (Multiple cross-site scripting (XSS) vulnerabilities in becommunity/com ...) NOT-FOR-US: NTSOFT BBS E-Market Professional CVE-2009-3151 (Directory traversal vulnerability in actions/downloadFile.php in Ultri ...) NOT-FOR-US: Ultrize TimeSheet CVE-2009-3150 (SQL injection vulnerability in index.php in Multi Website 1.5 allows r ...) NOT-FOR-US: Multi Website CVE-2009-3149 (Directory traversal vulnerability in _css/js.php in Elgg 1.5, when mag ...) - elgg (bug #526197) CVE-2009-3148 (Multiple SQL injection vulnerabilities in PortalXP Teacher Edition 1.2 ...) NOT-FOR-US: PortalXP Teacher Edition CVE-2009-3147 (Cross-site scripting (XSS) vulnerability in showproduct.php in ReviewP ...) NOT-FOR-US: ReviewPost Pro CVE-2009-3146 (Cross-site scripting (XSS) vulnerability in search_advance.php in Arti ...) NOT-FOR-US: ArticleFriend Script CVE-2009-3125 (SQL injection vulnerability in the Bug.search WebService function in B ...) - bugzilla 3.4.7.0-1 [lenny] - bugzilla (Only Bugzilla >= 3.3 is affected) CVE-2009-3124 (Directory traversal vulnerability in get_message.cgi in QuarkMail allo ...) NOT-FOR-US: QuarkMail CVE-2009-3123 (Directory traversal vulnerability in gallery/gallery.php in Wap-Motor ...) NOT-FOR-US: Wap-Motor CVE-2009-3122 (The Ajax Table module 5.x for Drupal does not perform access control, ...) NOT-FOR-US: Ajax Table module module for Drupal CVE-2009-3121 (Cross-site scripting (XSS) vulnerability in the Ajax Table module 5.x ...) NOT-FOR-US: Ajax Table module module for Drupal CVE-2009-3120 (Cross-site scripting (XSS) vulnerability in public/index.php in BIGACE ...) NOT-FOR-US: BIGACE Web CMS CVE-2009-3119 (SQL injection vulnerability in screen.php in the Download System mSF ( ...) NOT-FOR-US: PHP-Fusion CVE-2009-3118 (SQL injection vulnerability in mod/poll/comment.php in the vote module ...) NOT-FOR-US: Danneo CMS CVE-2009-3117 (SQL injection vulnerability in category.php in Snow Hall Silurus Syste ...) NOT-FOR-US: Snow Hall Silurus System CVE-2009-3116 (SQL injection vulnerability in index.php in Uiga Church Portal allows ...) NOT-FOR-US: Uiga Church Portal CVE-2009-3115 (SolarWinds TFTP Server 9.2.0.111 and earlier allows remote attackers t ...) NOT-FOR-US: SolarWinds TFTP Server CVE-2009-3114 (The RSS reader widget in IBM Lotus Notes 8.0 and 8.5 saves items from ...) NOT-FOR-US: IBM Lotus Notes CVE-2009-3113 (Unspecified vulnerability in OXID eShop Professional, Enterprise, and ...) NOT-FOR-US: OXID eShop Professional CVE-2009-3112 (Unspecified vulnerability in OXID eShop Professional, Enterprise, and ...) NOT-FOR-US: OXID eShop Professional CVE-2009-3111 (The rad_decode function in FreeRADIUS before 1.1.8 allows remote attac ...) - freeradius 2.0.0-1 (low) CVE-2008-7202 (Multiple cross-site scripting (XSS) vulnerabilities in OpenWebMail bef ...) NOT-FOR-US: OpenWebMail CVE-2008-7201 (Lantronix MSS485-T allows remote attackers to cause a denial of servic ...) NOT-FOR-US: Lantronix MSS485-T CVE-2008-7200 (Double free vulnerability in Deliantra server engine before 2.4 has un ...) NOT-FOR-US: Deliantra server engine CVE-2008-7199 (Phoenix Contact FL IL 24 BK-PAC allows remote attackers to cause a den ...) NOT-FOR-US: Phoenix Contact FL IL 24 BK-PAC CVE-2008-7198 (Multiple unspecified vulnerabilities in phpns before 2.1.1beta1 have u ...) NOT-FOR-US: phpns CVE-2008-7197 (Multiple unspecified vulnerabilities in G15Daemon before 1.9.4 have un ...) NOT-FOR-US: G15Daemon CVE-2008-7196 (Unspecified vulnerability in metashell before 0.03 has unknown impact ...) NOT-FOR-US: metashell CVE-2008-7195 (Unspecified vulnerability in Fujitsu Interstage HTTP Server, as used i ...) NOT-FOR-US: Fujitsu Interstage HTTP Server CVE-2008-7194 (Unspecified vulnerability in Fujitsu Interstage HTTP Server, as used i ...) NOT-FOR-US: Fujitsu Interstage HTTP Server CVE-2008-7193 (PHPKIT 1.6.4 PL1 includes the session ID in the URL, which allows remo ...) NOT-FOR-US: PHPKIT CVE-2008-7192 (Cross-site request forgery (CSRF) vulnerability in index.php in WoltLa ...) NOT-FOR-US: WoltLab Burning Board CVE-2008-7191 (Unspecified vulnerability in Polipo before 1.0.4 allows remote attacke ...) - polipo 1.0.4-1 (low) CVE-2008-7190 (Unspecified vulnerability in Adium before 1.2 has unknown impact and a ...) NOT-FOR-US: Adium CVE-2008-7189 (Multiple unspecified vulnerabilities in Local Media Browser before 0.1 ...) NOT-FOR-US: Local Media Browser CVE-2008-7188 (ClipShare 2.6 does not properly restrict access to certain functionali ...) NOT-FOR-US: ClipShare CVE-2008-7187 (Coppermine Photo Gallery (CPG) 1.4.14 allows remote attackers to obtai ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2008-7186 (Coppermine Photo Gallery (CPG) 1.4.14 does not restrict access to upda ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2007-6730 (Multiple cross-site request forgery (CSRF) vulnerabilities in the web ...) NOT-FOR-US: ZyXEL P-330W CVE-2007-6729 (Cross-site scripting (XSS) vulnerability in the web management interfa ...) NOT-FOR-US: ZyXEL P-330W CVE-2009-3110 (Race condition in the file transfer functionality in Symantec Altiris ...) NOT-FOR-US: Symantec Altiris Deployment Solution CVE-2009-3109 (Unspecified vulnerability in the AClient agent in Symantec Altiris Dep ...) NOT-FOR-US: Symantec Altiris Deployment Solution CVE-2009-3108 (The Aclient GUI in Symantec Altiris Deployment Solution 6.9.x before 6 ...) NOT-FOR-US: Symantec Altiris Deployment Solution CVE-2009-3107 (Symantec Altiris Deployment Solution 6.9.x before 6.9 SP3 Build 430 do ...) NOT-FOR-US: Symantec Altiris Deployment Solution CVE-2009-3106 (The Servlet Engine/Web Container component in IBM WebSphere Applicatio ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2009-3105 (Cross-site scripting (XSS) vulnerability in IBM Lotus iNotes (aka Domi ...) NOT-FOR-US: IBM Lotus iNotes CVE-2009-3104 (Unspecified vulnerability in Symantec Norton AntiVirus 2005 through 20 ...) NOT-FOR-US: Symantec Norton AntiVirus CVE-2009-3103 (Array index error in the SMBv2 protocol implementation in srv2.sys in ...) NOT-FOR-US: Microsoft CVE-2009-3102 (The doHotCopy subroutine in socket-server.pl in Zmanda Recovery Manage ...) NOT-FOR-US: Zmanda Recovery Manager CVE-2009-3101 (xscreensaver (aka Gnome-XScreenSaver) in Sun Solaris 10, and OpenSolar ...) - xscreensaver (OpenSolaris-specific, patch 120094-22 causes this) CVE-2009-3100 (xscreensaver (aka Gnome-XScreenSaver) in Sun Solaris 9 and 10, OpenSol ...) - xscreensaver (OpenSolaris-specific, patch 120094-22 causes this) CVE-2009-3099 (Unspecified vulnerability in HP OpenView Operations Manager 8.1 on Win ...) NOT-FOR-US: HP OpenView Operations Manager CVE-2009-3098 (Unspecified vulnerability in the Portal in HP Operations Dashboard 2.1 ...) NOT-FOR-US: HP Operations Dashboard CVE-2009-3097 (Multiple unspecified vulnerabilities in HP Performance Insight 5.3 on ...) NOT-FOR-US: HP Performance Insight CVE-2009-3096 (Multiple unspecified vulnerabilities in HP Performance Insight 5.3 all ...) NOT-FOR-US: HP Performance Insight CVE-2009-3095 (The mod_proxy_ftp module in the Apache HTTP Server allows remote attac ...) {DSA-1934-1} - apache2 2.2.13-2 (low; bug #545951) [etch] - apache2 (minor issue) [lenny] - apache2 2.2.9-10+lenny5 (low; bug #545951) NOTE: The attacker needs to have valid credentials for the FTP server, which NOTE: makes this irrelevant in most cases. Based on a VulnDisco commercial 0day. CVE-2009-3094 (The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the ...) {DSA-1934-1} - apache2 2.2.13-2 (low; bug #545951) [etch] - apache2 (minor issue) [lenny] - apache2 2.2.9-10+lenny5 (low; bug #545951) CVE-2009-3093 (Unspecified vulnerability on the ASUS WL-500W wireless router has unkn ...) NOT-FOR-US: ASUS WL-500W CVE-2009-3092 (Buffer overflow on the ASUS WL-500W wireless router has unknown impact ...) NOT-FOR-US: ASUS WL-500W CVE-2009-3091 (Unspecified vulnerability on the ASUS WL-330gE has unknown impact and ...) NOT-FOR-US: ASUS WL-330gE CVE-2009-3090 (Unspecified vulnerability in IBM Tivoli Directory Server (TDS) 6.0 on ...) NOT-FOR-US: IBM Tivoli Directory Server CVE-2009-3089 (IBM Tivoli Directory Server (TDS) 6.0 allows remote attackers to cause ...) NOT-FOR-US: IBM Tivoli Directory Server CVE-2009-3088 (Heap-based buffer overflow in ibmdiradm in IBM Tivoli Directory Server ...) NOT-FOR-US: IBM Tivoli Directory Server CVE-2009-3087 (Unspecified vulnerability in nserver.exe in the server in IBM Lotus Do ...) NOT-FOR-US: IBM Lotus Domino CVE-2009-3086 (A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x be ...) {DSA-2260-1} - rails 2.2.3-1 (low; bug #545063) [etch] - rails (Minor issue) CVE-2009-3085 (The XMPP protocol plugin in libpurple in Pidgin before 2.6.2 does not ...) - pidgin 2.6.2-1 (low) [lenny] - pidgin (Minor issue) CVE-2009-3084 (The msn_slp_process_msg function in libpurple/protocols/msn/slpcall.c ...) {DSA-2038-1} - pidgin 2.6.2-1 (low) CVE-2009-3083 (The msn_slp_sip_recv function in libpurple/protocols/msn/slp.c in the ...) {DSA-2038-1} - pidgin 2.6.2-1 (low) CVE-2008-7185 (GNOME Rhythmbox 0.11.5 allows remote attackers to cause a denial of se ...) - rhythmbox (unimportant) NOTE: No practical security impact CVE-2008-7184 (Cross-site scripting (XSS) vulnerability in Diigo Toolbar and Diigolet ...) NOT-FOR-US: Diigo Toolbar and Diigolet CVE-2008-7183 (PHP remote file inclusion vulnerability in eva/index.php in EVA CMS 2. ...) NOT-FOR-US: EVA CMS CVE-2009-3082 (SQL injection vulnerability in wcategory.php in Snow Hall Silurus Syst ...) NOT-FOR-US: Snow Hall Silurus System CVE-2009-3081 (SQL injection vulnerability in index.php in Uiga Church Portal allows ...) NOT-FOR-US: Uiga Church Portal CVE-2009-3079 (Unspecified vulnerability in Mozilla Firefox before 3.0.14, and 3.5.x ...) {DSA-1886-1} - iceweasel 3.0.14-1 [etch] - iceweasel (Mozilla packages from oldstable no longer covered by security support) CVE-2009-3078 (Visual truncation vulnerability in Mozilla Firefox before 3.0.14, and ...) {DSA-1885-1} - xulrunner 1.9.0.14-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-3077 (Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3, does not proper ...) {DSA-1885-1} - xulrunner 1.9.0.14-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-3076 (Mozilla Firefox before 3.0.14 does not properly implement certain dial ...) {DSA-1885-1} - xulrunner 1.9.0.14-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-3075 (Multiple unspecified vulnerabilities in the JavaScript engine in Mozil ...) {DSA-2025-1 DSA-1885-1} - xulrunner 1.9.0.14-1 - icedove 3.0~rc2-2 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-3074 (Unspecified vulnerability in the JavaScript engine in Mozilla Firefox ...) {DSA-1885-1} - xulrunner 1.9.0.14-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-3073 (Unspecified vulnerability in the JavaScript engine in Mozilla Firefox ...) - xulrunner (Only affects Firefox 3.5.x) [lenny] - xulrunner (Only affects Firefox 3.5.x) [etch] - xulrunner (Only affects Firefox 3.5.x) CVE-2009-3072 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2025-1 DSA-1885-1} - xulrunner 1.9.0.14-1 - icedove 3.0~rc2-2 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-3071 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-1885-1} - xulrunner 1.9.0.14-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-3070 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-1885-1} - xulrunner 1.9.0.14-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-3069 (Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5 ...) - xulrunner (Only affects Firefox 3.5.x) [lenny] - xulrunner (Only affects Firefox 3.5.x) [etch] - xulrunner (Only affects Firefox 3.5.x) CVE-2008-7182 (Buffer overflow in the IMAP service in NetWin Surgemail 3.9e, and poss ...) NOT-FOR-US: Surgemail CVE-2008-7181 (Butterfly Organizer 2.0.0 allows remote attackers to (1) delete arbitr ...) NOT-FOR-US: Butterfly Organizer CVE-2008-7180 (del_query1.php in Telephone Directory 2008 allows remote attackers to ...) NOT-FOR-US: Telephone Directory CVE-2008-7179 (OTManager CMS 2.4 allows remote attackers to bypass authentication and ...) NOT-FOR-US: OTManager CVE-2008-7178 (Directory traversal vulnerability in Uploader module 1.1 for XOOPS all ...) NOT-FOR-US: XOOPS CVE-2008-7177 (Buffer overflow in the listing module in Netwide Assembler (NASM) befo ...) - nasm 2.03.01-1 (low) CVE-2008-7176 (Multiple directory traversal vulnerabilities in Facil CMS 0.1RC allow ...) NOT-FOR-US: Facil CMS CVE-2008-7175 (Cross-site scripting (XSS) vulnerability in wp-admin/admin.php in Next ...) NOT-FOR-US: NextGEN Gallery third party plugin for wordpress CVE-2008-7174 (Multiple buffer overflows in the Jura Internet Connection Kit for the ...) NOT-FOR-US: Jura Impressa CVE-2008-7173 (The Jura Internet Connection Kit for the Jura Impressa F90 coffee make ...) NOT-FOR-US: Jura Impressa CVE-2008-7172 (Lightweight news portal (LNP) 1.0b does not properly restrict access t ...) NOT-FOR-US: Lightweight news portal CVE-2008-7171 (Multiple cross-site scripting (XSS) vulnerabilities in Lightweight new ...) NOT-FOR-US: Lightweight news portal CVE-2008-7170 (GSC build 2067 and earlier relies on the client to enforce administrat ...) NOT-FOR-US: GSC build CVE-2008-7169 (SQL injection vulnerability in Jabode horoscope extension (com_jabode) ...) NOT-FOR-US: Joomla! CVE-2008-7168 (Insecure method vulnerability in the UUSee UUUpgrade ActiveX control ( ...) NOT-FOR-US: ActiveX CVE-2008-7167 (Unrestricted file upload vulnerability in upload.php in Page Manager 2 ...) NOT-FOR-US: Page Manager CVE-2009-3068 (Unrestricted file upload vulnerability in the RoboHelpServer Servlet ( ...) NOT-FOR-US: Adobe RoboHelp Server CVE-2009-3067 (Cross-site scripting (XSS) vulnerability in index.php in Reservation M ...) NOT-FOR-US: Reservation Manager CVE-2009-3066 (Multiple cross-site scripting (XSS) vulnerabilities in PropertyWatchSc ...) NOT-FOR-US: PropertyWatchScript.com Property Watch CVE-2009-3065 (PHP remote file inclusion vulnerability in editor/edit_htmlarea.php in ...) NOT-FOR-US: Ve-EDIT CVE-2009-3064 (Directory traversal vulnerability in debugger/debug_php.php in Ve-EDIT ...) NOT-FOR-US: Ve-EDIT CVE-2009-3063 (SQL injection vulnerability in the Game Server (com_gameserver) compon ...) NOT-FOR-US: Joomla! CVE-2009-3062 (SQL injection vulnerability in message_box.php in OSI Codes PHP Live! ...) NOT-FOR-US: OSI Codes PHP Live! CVE-2009-3061 (SQL injection vulnerability in lesson.php in Alqatari Q R Script 1.0 a ...) NOT-FOR-US: Alqatari Q R Script CVE-2009-3060 (Multiple cross-site scripting (XSS) vulnerabilities in Joker Board (ak ...) NOT-FOR-US: Joker Board CVE-2009-3059 (Multiple SQL injection vulnerabilities in Joker Board (aka JBoard) 2.0 ...) NOT-FOR-US: Joker Board CVE-2009-3058 (Stack-based buffer overflow in akPlayer 1.9.0 allows remote attackers ...) NOT-FOR-US: akPlayer CVE-2009-3057 (Multiple cross-site scripting (XSS) vulnerabilities in AOM Software Be ...) NOT-FOR-US: AOM Software Beex CVE-2009-3056 (PHP remote file inclusion vulnerability in include/engine/content/elem ...) NOT-FOR-US: KingCMS CVE-2009-3055 (PHP remote file inclusion vulnerability in engine/api/api.class.php in ...) NOT-FOR-US: DataLife Engine CVE-2009-3054 (SQL injection vulnerability in the Artetics.com Art Portal (com_artpor ...) NOT-FOR-US: Joomla! CVE-2009-3053 (Directory traversal vulnerability in the Agora (com_agora) component 3 ...) NOT-FOR-US: Joomla! CVE-2009-3052 (SQL injection vulnerability in root/includes/prime_quick_style.php in ...) NOT-FOR-US: Prime Quick Style addon CVE-2008-7166 (Buffer overflow in the web interface in BitTorrent 6.0.1 (build 7859) ...) NOT-FOR-US: web interface in BitTorrent 6.0.1 (build 7859) CVE-2008-7165 (Cross-site request forgery in cp06_wifi_m_nocifr.cgi in the administra ...) NOT-FOR-US: TELECOM ITALIA Alice Gate2 Plus Wi-Fi CVE-2008-7164 (Multiple unspecified vulnerabilities in Shareaza before 2.3.1.0 have u ...) NOT-FOR-US: Shareaza CVE-2008-7163 (Directory traversal vulnerability in mods/Integrated/index.php in Sine ...) NOT-FOR-US: SineCMS CVE-2008-7162 (Buffer overflow in Hero Super Player 3000 allows remote attackers to c ...) NOT-FOR-US: Hero Super Player CVE-2008-7161 (Fortinet FortiGuard Fortinet FortiGate-1000 3.00 build 040075,070111 a ...) NOT-FOR-US: Fortinet FortiGuard Fortinet CVE-2008-7159 (The silc_asn1_encoder function in lib/silcasn1/silcasn1_encode.c in Se ...) {DSA-1879-1} [lenny] - silc-toolkit 1.1.7-2+lenny1 - silc-toolkit 1.1.10-1 (low) - silc-client 1.1-2 (low) - silc-server (Vulnerable code not present) NOTE: silc-client uses libsilc from silc-toolkit since 1.1-2 CVE-2009-3051 (Multiple format string vulnerabilities in lib/silcclient/client_entry. ...) {DSA-1879-1} - silc-toolkit 1.1.10-1 (medium) - silc-client 1.1-2 (medium) - silc-server 1.1.2-1 (medium) NOTE: silc-client/silc-server use libsilc from silc-toolkit since 1.1-2 CVE-2008-7160 (The silc_http_server_parse function in lib/silchttp/silchttpserver.c i ...) {DSA-1879-1} - silc-toolkit 1.1.10-1 (low) - silc-client 1.1-2 (low) - silc-server 1.1.2-1 (low) NOTE: silc-client/silc-server use libsilc from silc-toolkit since 1.1-2 CVE-2009-3050 (Buffer overflow in the set_page_size function in util.cxx in HTMLDOC 1 ...) - htmldoc 1.8.27-4.1 (low; bug #537637) [etch] - htmldoc (Minor issue) [lenny] - htmldoc (Minor issue) CVE-2009-3049 (Opera before 10.00 does not properly display all characters in Interna ...) NOT-FOR-US: Opera CVE-2009-3048 (Opera before 10.00 on Linux, Solaris, and FreeBSD does not properly im ...) NOT-FOR-US: Opera CVE-2009-3047 (Opera before 10.00, when a collapsed address bar is used, does not pro ...) NOT-FOR-US: Opera CVE-2009-3046 (Opera before 10.00 does not check all intermediate X.509 certificates ...) NOT-FOR-US: Opera CVE-2009-3045 (Opera before 10.00 trusts root X.509 certificates signed with the MD2 ...) NOT-FOR-US: Opera CVE-2009-3044 (Opera before 10.00 does not properly handle a (1) '\0' character or (2 ...) NOT-FOR-US: Opera CVE-2009-3043 (The tty_ldisc_hangup function in drivers/char/tty_ldisc.c in the Linux ...) - linux-2.6 2.6.31-1 (medium) [etch] - linux-2.6 (vulnerable code introduced in 2.6.31) [lenny] - linux-2.6 (vulnerable code introduced in 2.6.31) - linux-2.6.24 (vulnerable code introduced in 2.6.31) CVE-2008-7158 (Numara FootPrints 7.5a through 7.5a1 and 8.0 through 8.0a allows remot ...) NOT-FOR-US: Numara FootPrints CVE-2008-7157 (Unrestricted file upload vulnerability in EkinBoard 1.1.0 and earlier ...) NOT-FOR-US: EkinBoard CVE-2008-7156 (EkinBoard 1.1.0 and earlier, when register_globals is enabled, allows ...) NOT-FOR-US: EkinBoard CVE-2008-7155 (NetRisk 1.9.7 does not properly restrict access to admin/change_submit ...) NOT-FOR-US: NetRisk CVE-2008-7154 (Docebo 3.5.0.3 and earlier allows remote attackers to obtain sensitive ...) NOT-FOR-US: Docebo CVE-2008-7153 (SQL injection vulnerability in the autoDetectRegion function in docebo ...) NOT-FOR-US: Docebo CVE-2009-3039 RESERVED CVE-2009-3038 (A certain ActiveX control in lnresobject.dll 7.1.1.119 in the Research ...) NOT-FOR-US: ActiveX CVE-2009-3037 (Buffer overflow in xlssr.dll in the Autonomy KeyView XLS viewer (aka F ...) NOT-FOR-US: Autonomy KeyView XLS viewer CVE-2008-7152 (Multiple PHP remote file inclusion vulnerabilities in Specimen Image D ...) NOT-FOR-US: Specimen Image Database CVE-2008-7151 (Cross-site request forgery (CSRF) vulnerability in Live 5.x before 5.x ...) NOT-FOR-US: Live third-party Drupal module CVE-2008-7150 (Cross-site scripting (XSS) vulnerability in Refine by Taxonomy 5.x bef ...) NOT-FOR-US: Refine by Taxonomy CVE-2008-7149 (Unspecified vulnerability in AgileWiki before 0.10.1 has unknown impac ...) NOT-FOR-US: AgileWiki CVE-2008-7148 (Unspecified vulnerability in Synfig Animation Studio before 0.61.08 al ...) - synfig 0.61.08-1 CVE-2008-7147 (Multiple cross-site scripting (XSS) vulnerabilities in IntraLearn Soft ...) NOT-FOR-US: IntraLearn Software IntraLearn CVE-2008-7146 (IntraLearn Software IntraLearn 2.1, and possibly other versions before ...) NOT-FOR-US: IntraLearn Software IntraLearn CVE-2008-7145 (Multiple SQL injection vulnerabilities in index.php in CoronaMatrix ph ...) NOT-FOR-US: CoronaMatrix phpAddressBook CVE-2008-7144 (Multiple unspecified vulnerabilities in RARLAB WinRAR before 3.71 have ...) NOT-FOR-US: RARLAB WinRAR CVE-2008-7143 (phpBB 2.0.23 includes the session ID in a request to modcp.php when th ...) - phpbb2 CVE-2008-7142 (Absolute path traversal vulnerability in the Disk Usage module (fronte ...) NOT-FOR-US: cPanel CVE-2008-7141 (Cross-site scripting (XSS) vulnerability in setup.php in @lex Poll 2.1 ...) NOT-FOR-US: @lex Poll CVE-2008-7140 (Multiple cross-site scripting (XSS) vulnerabilities in @lex Guestbook ...) NOT-FOR-US: @lex Guestbook CVE-2008-7139 (Multiple cross-site request forgery (CSRF) vulnerabilities in WS-Proxy ...) NOT-FOR-US: Eye-Fi CVE-2008-7138 (The Manager in Eye-Fi 1.1.2 generates predictable snonce values based ...) NOT-FOR-US: Eye-Fi CVE-2008-7137 (WS-Proxy in Eye-Fi 1.1.2 allows remote attackers to cause a denial of ...) NOT-FOR-US: Eye-Fi CVE-2008-7136 (toolbaru.dll in ICQ Toolbar (ICQToolbar) 2.3 allows remote attackers t ...) NOT-FOR-US: ICQ Toolbar CVE-2008-7135 (toolbaru.dll in ICQ Toolbar (ICQToolbar) 2.3 allows remote attackers t ...) NOT-FOR-US: ICQ Toolbar CVE-2008-7134 (Multiple cross-site scripting (XSS) vulnerabilities in the default URI ...) NOT-FOR-US: Chris LaPointe RedGalaxy Download Center CVE-2008-7133 (Multiple cross-site scripting (XSS) vulnerabilities in onlinetools.org ...) NOT-FOR-US: onlinetools.org EasyImageCatalogue CVE-2008-7132 (Cross-site scripting (XSS) vulnerability in index.php in Nuked-Klan 1. ...) NOT-FOR-US: Nuked-Klan CVE-2009-3036 (Cross-site scripting (XSS) vulnerability in the console in Symantec IM ...) NOT-FOR-US: Symantec IM Manager CVE-2009-3035 (The web console in Symantec Altiris Notification Server 6.0.x before 6 ...) NOT-FOR-US: Symantec Altiris Notification Server CVE-2009-3034 REJECTED CVE-2009-3033 (Buffer overflow in the RunCmd method in the Altiris eXpress NS Console ...) NOT-FOR-US: ActiveX CVE-2009-3032 (Integer overflow in kvolefio.dll 8.5.0.8339 and 10.5.0.0 in the Autono ...) NOT-FOR-US: Autonomy KeyView CVE-2009-3031 (Stack-based buffer overflow in the BrowseAndSaveFile method in the Alt ...) NOT-FOR-US: Symantec Altiris Notification Server CVE-2009-3030 (Cross-site scripting (XSS) vulnerability in Symantec SecurityExpressio ...) NOT-FOR-US: Symantec SecurityExpressions Audit and Compliance Server CVE-2009-3029 (Cross-site scripting (XSS) vulnerability in the console in Symantec Se ...) NOT-FOR-US: Symantec SecurityExpressions Audit and Compliance Server CVE-2009-3028 (The Altiris eXpress NS SC Download ActiveX control in AeXNSPkgDLLib.dl ...) NOT-FOR-US: Symantec CVE-2009-3027 (VRTSweb.exe in VRTSweb in Symantec Backup Exec Continuous Protection S ...) NOT-FOR-US: Symantec Backup Exec Continuous Protection Server CVE-2009-3025 (Unspecified vulnerability in Pidgin 2.6.0 allows remote attackers to c ...) - pidgin 2.6.1-1 (low) [lenny] - pidgin (Vulnerable code introduced in 2.6.0) [etch] - pidgin (Vulnerable code introduced in 2.6.0) CVE-2009-3024 (The verify_hostname_of_cert function in the certificate checking featu ...) - libio-socket-ssl-perl 1.30-1 [lenny] - libio-socket-ssl-perl 1.16-1+lenny1 [etch] - libio-socket-ssl-perl (Affected functionality introduced in 1.14) CVE-2009-3023 (Buffer overflow in the FTP Service in Microsoft Internet Information S ...) NOT-FOR-US: Microsoft IIS CVE-2009-3022 (Cross-site request forgery (CSRF) vulnerability in bingo!CMS 1.2 and e ...) NOT-FOR-US: bingo!CMS CVE-2009-3021 (Cross-site scripting (XSS) vulnerability in Site Calendar 'mycaljp' pl ...) NOT-FOR-US: Site Calendar 'mycaljp' plugin CVE-2009-3020 (win32k.sys in Microsoft Windows Server 2003 SP2 allows remote attacker ...) NOT-FOR-US: Microsoft Windows Server CVE-2009-3019 (Microsoft Internet Explorer 6 on Windows XP SP2 and SP3, and Internet ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-3018 (Maxthon Browser 3.0.0.145 Alpha with Ultramode does not properly block ...) NOT-FOR-US: Maxthon Browser CVE-2009-3017 (Orca Browser 1.2 build 5 does not properly block data: URIs in Refresh ...) NOT-FOR-US: Orca Browser CVE-2009-3016 (Apple Safari 4.0.3 does not properly block javascript: and data: URIs ...) NOT-FOR-US: Apple Safari CVE-2009-3015 (QtWeb 3.0 Builds 001 and 003 does not properly block javascript: and d ...) - qt4-x11 (unimportant) - kdelibs (unimportant) - kde4libs (unimportant) NOTE: This is a web site issue (open redirector), not a browser problem. CVE-2009-3014 (Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre; S ...) NOTE: This is a web site issue (open redirector), not a browser problem. - iceweasel (unimportant) CVE-2009-3013 (Opera 9.52 and earlier, and 10.00 Beta 3 Build 1699, does not properly ...) NOT-FOR-US: Opera CVE-2009-3012 (Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre do ...) NOTE: This is a web site issue (open redirector), not a browser problem. CVE-2009-3011 (Google Chrome 1.0.154.48 and earlier, 2.0.172.28, 2.0.172.37, and 3.0. ...) NOT-FOR-US: Unclear, historic Chrome issue CVE-2009-3010 (Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre; S ...) NOTE: This is a web site issue (open redirector), not a browser problem. - iceweasel (unimportant) CVE-2009-3009 (Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2 ...) {DSA-1887-1} - rails 2.2.3-1 (low; bug #545063) [etch] - rails (Unsupported) CVE-2009-3008 (K-Meleon 1.5.3 allows context-dependent attackers to spoof the address ...) NOT-FOR-US: K-Meleon CVE-2009-3007 (Mozilla Firefox 3.5.1 and SeaMonkey 1.1.17, and Flock 2.5.1, allow con ...) {DSA-1922-1} - xulrunner 1.9.1.3-3 (low) [etch] - xulrunner (Etch Packages no longer covered by security support) - iceape 2.0-1 (low) [etch] - iceape (Etch Packages no longer covered by security support) [lenny] - iceape (Iceape from Lenny only provides NSS libs) - webkit (proof-of-concept did not work) CVE-2009-3006 (Maxthon Browser 2.5.3.80 UNICODE allows remote attackers to spoof the ...) NOT-FOR-US: Maxthon Browser CVE-2009-3005 (Lunascape 5.1.3 and 5.1.4 allows remote attackers to spoof the address ...) NOT-FOR-US: Lunascape CVE-2009-3004 (Avant Browser 11.7 Builds 35 and 36 allows remote attackers to spoof t ...) NOT-FOR-US: Avant Browser CVE-2009-3003 (Microsoft Internet Explorer 6 through 8 allows remote attackers to spo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-3002 (The Linux kernel before 2.6.31-rc7 does not initialize certain data st ...) {DSA-1929-1 DSA-1928-1 DSA-1915-1} - linux-2.6 2.6.30-7 (low) - linux-2.6.24 NOTE: minor info leaks CVE-2009-3001 (The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel 2. ...) {DSA-1929-1 DSA-1928-1 DSA-1915-1} - linux-2.6 2.6.30-7 (low) - linux-2.6.24 NOTE: minor info leak CVE-2009-3000 (The sockfs module in the kernel in Sun Solaris 10 and OpenSolaris snv_ ...) NOT-FOR-US: Sun Solaris CVE-2008-7131 (Unspecified vulnerability in DB2 Monitoring Console 2.2.4 and earlier ...) NOT-FOR-US: DB2 Monitoring Console CVE-2008-7130 (Unspecified vulnerability in DB2 Monitoring Console 2.2.4 and earlier ...) NOT-FOR-US: DB2 Monitoring Console CVE-2008-7129 (XySSL before 0.9 allows remote attackers to cause a denial of service ...) - xyssl 0.9-1 - polarssl (fixed in xyssl before polarssl was forked from it) - pdkim (bug #543150) NOTE: check pdkim if/when it enters unstable (contains polarssl code copy) CVE-2008-7128 (The ssl_parse_client_key_exchange function in XySSL before 0.9 does no ...) - xyssl 0.9-1 - polarssl (fixed in xyssl before polarssl was forked from it) - pdkim (bug #543150) NOTE: check pdkim if/when it enters unstable (contains polarssl code copy) CVE-2008-7127 (osagent.exe in Borland VisiBroker Smart Agent 08.00.00.C1.03 and earli ...) NOT-FOR-US: Borland VisiBroker Smart Agent CVE-2008-7126 (Integer overflow in osagent.exe in Borland VisiBroker Smart Agent 08.0 ...) NOT-FOR-US: Borland VisiBroker Smart Agent CVE-2008-7125 (pphoto in Ariadne before 2.6 allows remote authenticated users with ce ...) NOT-FOR-US: Ariadne CVE-2008-7124 (zKup CMS 2.0 through 2.3 does not require administrative authenticatio ...) NOT-FOR-US: zKup CMS CVE-2008-7123 (Static code injection vulnerability in admin/configuration/modifier.ph ...) NOT-FOR-US: zKup CMS CVE-2008-7122 (Multiple insecure method vulnerabilities in an ActiveX control in (epR ...) NOT-FOR-US: ActiveX CVE-2008-7121 (Cross-site scripting (XSS) vulnerability in Mr. CGI Guy Hot Links SQL- ...) NOT-FOR-US: Mr. CGI Guy Hot Links SQL-PHP CVE-2008-7120 (SQL injection vulnerability in Mr. CGI Guy Hot Links SQL-PHP 3 and ear ...) NOT-FOR-US: Mr. CGI Guy Hot Links SQL-PHP CVE-2008-7119 (SQL injection vulnerability in item.php in WeBid auction script 0.5.4 ...) NOT-FOR-US: WeBid auction script CVE-2008-7118 (WeBid auction script 0.5.4 stores sensitive information under the web ...) NOT-FOR-US: WeBid auction script CVE-2008-7117 (eledicss.php in WeBid auction script 0.5.4 allows remote attackers to ...) NOT-FOR-US: WeBid auction script CVE-2008-7116 (SQL injection vulnerability in the admin panel (admin/) in WeBid aucti ...) NOT-FOR-US: WeBid auction script CVE-2008-7115 (The web interface to the Belkin Wireless G router and ADSL2 modem F5D7 ...) NOT-FOR-US: Belkin Wireless G CVE-2008-7114 (SQL injection vulnerability in members_search.php in iFusion Services ...) NOT-FOR-US: iFusion Services CVE-2008-7113 (The Scanner File Utility (aka listener) in Kyocera Mita (KM) 3.3.0.1 u ...) NOT-FOR-US: Kyocera Mita CVE-2008-7112 (The Scanner File Utility (aka listener) in Kyocera Mita (KM) 3.3.0.1 a ...) NOT-FOR-US: Kyocera Mita CVE-2008-7111 (The Scanner File Utility (aka listener) in Kyocera Mita (KM) 3.3.0.1 d ...) NOT-FOR-US: Kyocera Mita CVE-2008-7110 (Directory traversal vulnerability in the Scanner File Utility (aka lis ...) NOT-FOR-US: Kyocera Mita CVE-2008-7109 (The Scanner File Utility (aka listener) in Kyocera Mita (KM) 3.3.0.1 a ...) NOT-FOR-US: Kyocera Mita CVE-2008-7108 (Multiple cross-site scripting (XSS) vulnerabilities in Carmosa phpCart ...) NOT-FOR-US: Carmosa phpCart CVE-2008-7107 (easdrv.sys in ESET Smart Security 3.0.667.0 allows local users to caus ...) NOT-FOR-US: ESET Smart Security CVE-2009-2999 (The com.android.phone process in Android 1.5 CRBxx allows remote attac ...) NOT-FOR-US: Android CVE-2009-XXXX [serveez: buffer overflow in header parser] - serveez (low) [lenny] - serveez 0.1.5-2.1+lenny1 [etch] - serveez 0.1.5-2+etch1 CVE-2009-2998 (Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x b ...) NOT-FOR-US: Adobe CVE-2009-2997 (Heap-based buffer overflow in Adobe Reader and Acrobat 7.x before 7.1. ...) NOT-FOR-US: Adobe CVE-2009-2996 (Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x b ...) NOT-FOR-US: Adobe CVE-2009-2995 (Integer overflow in Adobe Acrobat 7.x before 7.1.4, 8.x before 8.1.7, ...) NOT-FOR-US: Adobe CVE-2009-2994 (Buffer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x befo ...) NOT-FOR-US: Adobe CVE-2009-2993 (The JavaScript for Acrobat API in Adobe Reader and Acrobat 7.x before ...) NOT-FOR-US: Adobe CVE-2009-2992 (An unspecified ActiveX control in Adobe Reader and Acrobat 9.x before ...) NOT-FOR-US: Adobe CVE-2009-2991 (Unspecified vulnerability in the Mozilla plug-in in Adobe Reader and A ...) NOT-FOR-US: Adobe CVE-2009-2990 (Array index error in Adobe Reader and Acrobat 9.x before 9.2, 8.x befo ...) NOT-FOR-US: Adobe CVE-2009-2989 (Integer overflow in Adobe Acrobat 9.x before 9.2, 8.x before 8.1.7, an ...) NOT-FOR-US: Adobe CVE-2009-2988 (Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x b ...) NOT-FOR-US: Adobe CVE-2009-2987 (Unspecified vulnerability in an ActiveX control in Adobe Reader and Ac ...) NOT-FOR-US: Adobe CVE-2009-2986 (Multiple heap-based buffer overflows in Adobe Reader and Acrobat 7.x b ...) NOT-FOR-US: Adobe CVE-2009-2985 (Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x b ...) NOT-FOR-US: Adobe CVE-2009-2984 (Unspecified vulnerability in the image decoder in Adobe Acrobat 9.x be ...) NOT-FOR-US: Adobe CVE-2009-2983 (Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibl ...) NOT-FOR-US: Adobe CVE-2009-2982 (An unspecified certificate in Adobe Reader and Acrobat 9.x before 9.2, ...) NOT-FOR-US: Adobe CVE-2009-2981 (Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x b ...) NOT-FOR-US: Adobe CVE-2009-2980 (Integer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x bef ...) NOT-FOR-US: Adobe CVE-2009-2979 (Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibl ...) NOT-FOR-US: Adobe CVE-2009-2978 (SQL injection vulnerability in SugarCRM 4.5.1o and earlier, 5.0.0k and ...) - sugarcrm-ce-5.0 (bug #457876) CVE-2009-2977 (The Cisco Security Monitoring, Analysis and Response System (CS-MARS) ...) NOT-FOR-US: Cisco CVE-2009-2976 (Cisco Aironet Lightweight Access Point (AP) devices send the contents ...) NOT-FOR-US: Cisco CVE-2009-2975 (Mozilla Firefox 3.5.2 on Windows XP, in some situations possibly invol ...) - xulrunner (unimportant) NOTE: browser crashes not treated as security issues NOTE: not reproducible, probably only Firefox in Windows XP is affected CVE-2009-2974 (Google Chrome 1.0.154.65, 1.0.154.48, and earlier allows remote attack ...) - chromium-browser (Only 1.x is affected) - webkit (doesn't support 'chromehtml' protocol) CVE-2009-2973 (Google Chrome before 2.0.172.43 does not prevent SSL connections to a ...) - chromium-browser (Only 2.x is affected) - webkit (chrome-specific issue) CVE-2009-2972 (in.lpd in the print service in Sun Solaris 8 and 9 allows remote attac ...) NOT-FOR-US: Sun Solaris CVE-2008-7106 (The installation of Sophos PureMessage for Microsoft Exchange 3.0 befo ...) NOT-FOR-US: Microsoft Exchange CVE-2008-7105 (Sophos PureMessage for Microsoft Exchange 3.0 before 3.0.2 allows remo ...) NOT-FOR-US: Sophos PureMessage for Microsoft Exchange CVE-2008-7104 (Sophos PureMessage Scanner service (PMScanner.exe) in PureMessage for ...) NOT-FOR-US: Sophos PureMessage Scanner service CVE-2008-7103 (Stack-based buffer overflow in an ActiveX control in najdisitoolbar.dl ...) NOT-FOR-US: Toolbar 2.0.4.1 CVE-2008-7102 (DotNetNuke 2.0 through 4.8.4 allows remote attackers to load .ascx fil ...) NOT-FOR-US: DotNetNuke CVE-2008-7101 (Unspecified vulnerability in DotNetNuke 4.0 through 4.8.4 and 5.0 allo ...) NOT-FOR-US: DotNetNuke CVE-2008-7100 (Unspecified vulnerability in DotNetNuke 4.4.1 through 4.8.4 allows rem ...) NOT-FOR-US: DotNetNuke CVE-2008-7099 (Unspecified vulnerability in the Manage Templates feature in Qsoft K-R ...) NOT-FOR-US: Qsoft K-Rate Premium CVE-2008-7098 (Multiple cross-site scripting (XSS) vulnerabilities in Qsoft K-Rate Pr ...) NOT-FOR-US: Qsoft K-Rate Premium CVE-2008-7097 (Multiple SQL injection vulnerabilities in Qsoft K-Rate Premium allow r ...) NOT-FOR-US: Qsoft K-Rate Premium CVE-2008-7096 (Intel Desktop and Intel Mobile Boards with BIOS firmware DQ35JO, DQ35M ...) NOT-FOR-US: Intel Desktop and Intel Mobile Boards CVE-2008-7095 (The SNMP daemon in ArubaOS 3.3.2.6 in Aruba Mobility Controller does n ...) NOT-FOR-US: ArubaOS CVE-2009-2971 RESERVED CVE-2009-2970 (Stack-based buffer overflow in the GetUiDllVersion function in an Acti ...) NOT-FOR-US: UiTV UiPlayer CVE-2009-2969 RESERVED CVE-2009-2968 (Directory traversal vulnerability in a support component in the web in ...) NOT-FOR-US: VMware Studio CVE-2009-2967 (Multiple cross-site scripting (XSS) vulnerabilities in Buildbot 0.7.6 ...) - buildbot 0.7.11p3-1 [lenny] - buildbot (Minor issue) [etch] - buildbot (According to the vendor 0.7.5 and earlier are not affected) CVE-2008-7094 (Campaign/CampaignListener in the listener server in Unica Affinium Cam ...) NOT-FOR-US: Affinium Campaign CVE-2008-7093 (Multiple directory traversal vulnerabilities in Unica Affinium Campaig ...) NOT-FOR-US: Affinium Campaign CVE-2008-7092 (Multiple cross-site scripting (XSS) vulnerabilities in Unica Affinium ...) NOT-FOR-US: Affinium Campaign CVE-2008-7091 (Multiple SQL injection vulnerabilities in Pligg 9.9 and earlier allow ...) NOT-FOR-US: Pligg CVE-2008-7090 (Multiple directory traversal vulnerabilities in Pligg 9.9 and earlier ...) NOT-FOR-US: Pligg CVE-2008-7089 (Cross-site scripting (XSS) vulnerability in Pligg 9.9 and earlier allo ...) NOT-FOR-US: Pligg CVE-2008-7088 (Unrestricted file upload vulnerability in upload.php in PhotoPost vBGa ...) NOT-FOR-US: PhotoPost vBGallery CVE-2008-7087 (PHP remote file inclusion vulnerability in search_wA.php in OpenPro 1. ...) NOT-FOR-US: OpenPro CVE-2008-7086 (Maian Greetings 2.1 allows remote attackers to bypass authentication a ...) NOT-FOR-US: Maian Greetings CVE-2008-7085 (Multiple SQL injection vulnerabilities in TheHockeyStop HockeySTATS On ...) NOT-FOR-US: TheHockeyStop HockeySTATS Online CVE-2008-7084 (Directory traversal vulnerability in the web server 1.0 in Velocity Se ...) NOT-FOR-US: Velocity Security Management System CVE-2009-2966 (avp.exe in Kaspersky Internet Security 9.0.0.459 and Anti-Virus 9.0.0. ...) NOT-FOR-US: Kaspersky Internet Security CVE-2009-2965 (Cross-site scripting (XSS) vulnerability in entry/index.jsp in Radvisi ...) NOT-FOR-US: Radvision Scopia CVE-2009-2964 (Multiple cross-site request forgery (CSRF) vulnerabilities in Squirrel ...) {DSA-2091-1} - squirrelmail 2:1.4.20~rc2-1 (low; bug #543818) CVE-2009-2963 (Unspecified vulnerability in the update feature in Toolbar Uninstaller ...) NOT-FOR-US: Toolbar Uninstaller CVE-2009-2961 (Stack-based buffer overflow in Thaddy de Konng KOL Player 1.0 allows r ...) NOT-FOR-US: Thaddy de Konng KOL Player CVE-2009-2960 (CuteFlow 2.10.3 and 2.11.0_c does not properly restrict access to page ...) NOT-FOR-US: CuteFlow CVE-2009-2959 (Cross-site scripting (XSS) vulnerability in the waterfall web status v ...) - buildbot 0.7.11p3-1 (low; bug #543822) [lenny] - buildbot (Minor issue) [etch] - buildbot (According to the vendor 0.7.5 and earlier are not affected) CVE-2009-2958 (The tftp_request function in tftp.c in dnsmasq before 2.50, when --ena ...) {DSA-1876-1} - dnsmasq 2.50-1 [etch] - dnsmasq CVE-2009-2957 (Heap-based buffer overflow in the tftp_request function in tftp.c in d ...) {DSA-1876-1} - dnsmasq 2.50-1 [etch] - dnsmasq CVE-2009-2956 (The (1) Net.Commerce and (2) Net.Data components in IBM WebSphere Comm ...) NOT-FOR-US: IBM WebSphere CVE-2009-2955 (Google Chrome 1.0.154.48 and earlier allows remote attackers to cause ...) - chromium-browser (Only 1.x is affected) NOTE: browser denial of services are not considered security-relevant CVE-2009-2954 (Microsoft Internet Explorer 6.0.2900.2180 and earlier allows remote at ...) NOT-FOR-US: Microsoft CVE-2009-2953 (Mozilla Firefox 3.0.6 through 3.0.13, and 3.5.x, allows remote attacke ...) - xulrunner (unimportant; bug #557753) NOTE: browser denial-of-services are considered unimportant CVE-2009-2952 (Unspecified vulnerability in the pollwakeup function in Sun Solaris 10 ...) NOT-FOR-US: Sun Solaris CVE-2009-2951 (Phenotype CMS before 2.9 does not use a random salt value for password ...) NOT-FOR-US: Phenotype CMS CVE-2008-7083 (Multiple SQL injection vulnerabilities in ReVou Micro Blogging Twitter ...) NOT-FOR-US: ReVou Micro Blogging Twitter clone CVE-2008-7082 (MyBB (aka MyBulletinBoard) 1.4.3 includes the sensitive my_post_key pa ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2008-7081 (userHandler.cgi in RaidSonic ICY BOX NAS firmware 2.3.2.IB.2.RS.1 allo ...) NOT-FOR-US: RaidSonic ICY BOX NAS firmware CVE-2008-7080 (Team PHP PHP Classifieds Script stores sensitive information under the ...) NOT-FOR-US: Team PHP PHP Classifieds Script CVE-2008-7079 (Buffer overflow in Nero ShowTime 5.0.15.0 allows remote attackers to c ...) NOT-FOR-US: Nero ShowTime CVE-2008-7078 (Multiple buffer overflows in Rumpus before 6.0.1 allow remote attacker ...) NOT-FOR-US: Rumpus CVE-2008-7077 (Multiple SQL injection vulnerabilities in SailPlanner 0.3a allow remot ...) NOT-FOR-US: SailPlanner CVE-2008-7076 (Unrestricted file upload vulnerability in user.modify.profile.php in K ...) NOT-FOR-US: Kalptaru Infotech Ltd. Star Articles CVE-2008-7075 (Multiple SQL injection vulnerabilities in Kalptaru Infotech Ltd. Star ...) NOT-FOR-US: Kalptaru Infotech Ltd. Star Articles CVE-2008-7074 (Format string vulnerability in MemeCode Software i.Scribe 1.88 through ...) NOT-FOR-US: MemeCode Software i.Scribe CVE-2008-7073 (PHP remote file inclusion vulnerability in lib/action/rss.php in RSS m ...) NOT-FOR-US: RSS module 0.1 for Pie Web M{a,e}sher CVE-2008-7072 (Cross-site scripting (XSS) vulnerability in index.php in Chipmunk Tops ...) NOT-FOR-US: Chipmunk Topsites CVE-2008-7071 (SQL injection vulnerability in authenticate.php in Chipmunk Topsites a ...) NOT-FOR-US: Chipmunk Topsites CVE-2008-7070 (Argument injection vulnerability in the URI handler in KVIrc 3.4.2 Shi ...) - kvirc (Only affects Windows builds) NOTE: https://svn.kvirc.de/kvirc/ticket/274#comment:8 CVE-2008-7069 (All Club CMS (ACCMS) 0.0.2 and earlier stores sensitive information un ...) NOT-FOR-US: All Club CMS (ACCMS) CVE-2008-7067 (PHP remote file inclusion vulnerability in admin/plugins/Online_Users/ ...) NOT-FOR-US: PageTree CMS CVE-2008-7066 (OpenForum 0.66 Beta allows remote attackers to bypass authentication a ...) NOT-FOR-US: OpenForum CVE-2008-7065 (Siemens C450 IP and C475 IP VoIP devices allow remote attackers to cau ...) NOT-FOR-US: Siemens C450 IP and C475 IP VoIP devices CVE-2008-7064 (Directory traversal vulnerability in the get_lang function in global.p ...) NOT-FOR-US: Quicksilver Forums CVE-2008-7063 (Ocean12 FAQ Manager Pro stores sensitive data under the web root with ...) NOT-FOR-US: Ocean12 FAQ Manager Pro CVE-2008-7062 (Unrestricted file upload vulnerability in admin/index.php in Download ...) NOT-FOR-US: Download Manager module 1.0 for LoveCMS CVE-2008-7061 (The tooltip manager (chrome/views/tooltip_manager.cc) in Google Chrome ...) - chromium-browser (Only 0.x is affected) - webkit (chrome-specific issue) CVE-2008-7060 (Multiple cross-site scripting (XSS) vulnerabilities in One-News Beta 2 ...) NOT-FOR-US: One-News CVE-2008-7059 (SQL injection vulnerability in index.php in One-News Beta 2 allows rem ...) NOT-FOR-US: One-News CVE-2008-7058 (Cross-site request forgery (CSRF) vulnerability in BandSite CMS 1.1.4 ...) NOT-FOR-US: BandSite CMS CVE-2008-7057 (Cross-site scripting (XSS) vulnerability in merchandise.php in BandSit ...) NOT-FOR-US: BandSite CMS CVE-2008-7056 (BandSite CMS 1.1.4 does not perform access control for adminpanel/phpm ...) NOT-FOR-US: BandSite CMS CVE-2008-7055 (module.php in ezContents 2.0.3 allows remote attackers to bypass the d ...) NOT-FOR-US: ezContents CVE-2008-7054 (Multiple directory traversal vulnerabilities in ezContents 2.0.3 allow ...) NOT-FOR-US: ezContents CVE-2008-7053 (LogMeIn Remote Access Utility ActiveX control (RACtrl.dll) allows remo ...) NOT-FOR-US: LogMeIn CVE-2009-2950 (Heap-based buffer overflow in the GIFLZWDecompressor::GIFLZWDecompress ...) {DSA-1995-1 DTSA-205-1} - openoffice.org 1:3.1.1-16 CVE-2009-2949 (Integer overflow in the XPMReader::ReadXPM function in filter.vcl/ixpm ...) {DSA-1995-1 DTSA-205-1} - openoffice.org 1:3.1.1-16 CVE-2009-2948 (mount.cifs in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3 ...) {DSA-1908-1} - samba 2:3.4.2-1 (medium; bug #550423) CVE-2009-2947 (Cross-site scripting (XSS) vulnerability in Xapian Omega before 1.0.16 ...) {DSA-1882-1} - xapian-omega 1.0.15-2 CVE-2009-2946 (Eval injection vulnerability in scripts/uscan.pl before Rev 1984 in de ...) {DSA-1878-2 DSA-1878-1} - devscripts 2.10.54 CVE-2009-2945 (weblogin/login.fcgi (aka the WebLogin login script) in Stanford Univer ...) - webauth 3.6.2-1 (low) [lenny] - webauth 3.6.0-1+lenny1 [etch] - webauth (Vulnerable code not present) CVE-2009-2944 (Incomplete blacklist vulnerability in the teximg plugin in ikiwiki bef ...) {DSA-1875-1} - ikiwiki 3.1415926 CVE-2009-2943 (The postgresql-ocaml bindings 1.5.4, 1.7.0, and 1.12.1 for PostgreSQL ...) {DSA-1909-1} - postgresql-ocaml 1.12.1-1 (low) CVE-2009-2942 (The mysql-ocaml bindings 1.0.4 for MySQL do not properly support the m ...) {DSA-1910-1} - mysql-ocaml 1.0.4-7 (low) CVE-2009-2941 RESERVED CVE-2009-2940 (The pygresql module 3.8.1 and 4.0 for Python does not properly support ...) {DSA-1911-1} - pygresql 1:4.0-1 (low) CVE-2009-2939 (The postfix.postinst script in the Debian GNU/Linux and Ubuntu postfix ...) - postfix 2.6.5-3 (low) [lenny] - postfix 2.5.5-1.1+lenny1 [etch] - postfix (Minor issue) CVE-2009-2938 RESERVED CVE-2009-2937 (Cross-site scripting (XSS) vulnerability in Planet 2.0 and Planet Venu ...) - planet (low; bug #546178) [lenny] - planet (Minor issue) [etch] - planet (Minor issue) - planet-venus 0~bzr116-1 (low; bug #546179) [lenny] - planet-venus 0~bzr95-2+lenny1 [etch] - planet-venus (Minor issue) CVE-2009-2936 (** DISPUTED ** The Command Line Interface (aka Server CLI or administr ...) - varnish 2.1.0-2 (unimportant) NOTE: Only a security issue if used against best practices CVE-2009-2935 (Google V8, as used in Google Chrome before 2.0.172.43, allows remote a ...) - chromium-browser (Only 2.x is affected) - libv8 1.3.11+dfsg-1 - webkit (libv8 issue) CVE-2009-2934 (Multiple stack-based buffer overflows in xaudio.dll in Programmed Inte ...) NOT-FOR-US: Programmed Integration PIPL CVE-2009-2933 (SQL injection vulnerability in comments.php in Piwigo before 2.0.3 all ...) - piwigo (Fixed before initial upload to the archive) CVE-2009-2932 (Cross-site scripting (XSS) vulnerability in uddiclient/process in the ...) NOT-FOR-US: SAP NetWeaver CVE-2009-2931 (Directory traversal vulnerability in p.php in SlideShowPro Director 1. ...) NOT-FOR-US: SlideShowPro Director CVE-2009-2930 (Cross-site scripting (XSS) vulnerability in the Search feature in elka ...) NOT-FOR-US: elka CMS (aka Elkapax) CVE-2009-2929 (Multiple SQL injection vulnerabilities in TGS Content Management 0.x a ...) NOT-FOR-US: TGS Content Management CVE-2009-2928 (Cross-site scripting (XSS) vulnerability in login.php in TGS Content M ...) NOT-FOR-US: TGS Content Management CVE-2009-2927 (SQL injection vulnerability in DetailFile.php in DigitalSpinners DS CM ...) NOT-FOR-US: DigitalSpinners DS CMS CVE-2009-2926 (Multiple SQL injection vulnerabilities in PHP Competition System BETA ...) NOT-FOR-US: PHP Competition System BETA CVE-2008-7052 (Unrestricted file upload vulnerability in profile.php in Pre Projects ...) NOT-FOR-US: Pre Projects Pre Real Estate Listings CVE-2008-7051 (AJ Square AJ Article allows remote attackers to bypass authentication ...) NOT-FOR-US: AJ Square AJ Article CVE-2008-7050 (The password_check function in auth/auth_phpbb3.php in WoW Raid Manage ...) NOT-FOR-US: WoW Raid Manager CVE-2008-7049 (Multiple SQL injection vulnerabilities in login.asp in NatterChat 1.1 ...) NOT-FOR-US: NatterChat CVE-2008-7048 (Multiple cross-site scripting (XSS) vulnerabilities in NatterChat 1.12 ...) NOT-FOR-US: NatterChat CVE-2008-7047 (NatterChat 1.1 allows remote attackers to bypass authentication and ga ...) NOT-FOR-US: NatterChat CVE-2008-7046 (AJ Square Free Polling Script (AJPoll) allows remote attackers to bypa ...) NOT-FOR-US: AJ Square Free Polling Script CVE-2008-7045 (AJ Square Free Polling Script (AJPoll) Database version allows remote ...) NOT-FOR-US: AJ Square Free Polling Script CVE-2008-7044 (SQL injection vulnerability in admin/include/newpoll.php in AJ Square ...) NOT-FOR-US: AJ Square Free Polling Script CVE-2008-7043 (Cross-site scripting (XSS) vulnerability in register.php in FreshScrip ...) NOT-FOR-US: FreshScripts Fresh Email Script CVE-2008-7042 (PHP remote file inclusion vulnerability in url.php in FreshScripts Fre ...) NOT-FOR-US: FreshScripts Fresh Email Script CVE-2008-7041 (AJ Classifieds allows remote attackers to bypass authentication and ga ...) NOT-FOR-US: AJ Classifieds CVE-2008-7040 (SQL injection vulnerability in ahah/sf-profile.php in the Yellow Sword ...) NOT-FOR-US: Yellow Swordfish Simple Forum module for Wordpress CVE-2008-7039 (Cross-site scripting (XSS) vulnerability in admin/comments.php in Gela ...) NOT-FOR-US: Gelato CMS CVE-2008-7038 (SQL injection vulnerability in the My_eGallery module for PHP-Nuke all ...) NOT-FOR-US: My_eGallery module for PHP-Nuke CVE-2008-7037 (The Sidebar gadget in ITN News Gadget (aka ITN Hub Gadget) 1.06 for Wi ...) NOT-FOR-US: ITN News Gadget CVE-2008-7036 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in De ...) NOT-FOR-US: DevTracker module 3.0 for bcoos CVE-2008-7035 (Cross-site scripting (XSS) vulnerability in an unspecified component i ...) NOT-FOR-US: Simple Machines phpRaider CVE-2008-7034 (PHP remote file inclusion vulnerability in kernel/smarty/Smarty.class. ...) NOT-FOR-US: PHPEcho CMS CVE-2008-7033 (SQL injection vulnerability in the Simple Shop Galore (com_simpleshop) ...) NOT-FOR-US: component for Joomla! CVE-2008-7032 (Web Management Console Cross-site request forgery (CSRF) vulnerability ...) NOT-FOR-US: web management console in F5 BIG-IP CVE-2008-7031 (Heap-based buffer overflow in Foxit Remote Access Server (aka WAC Serv ...) NOT-FOR-US: Foxit Remote Access Server (aka WAC Server) CVE-2008-7030 (Multiple SQL injection vulnerabilities in Site2Nite Real Estate Web al ...) NOT-FOR-US: Site2Nite Real Estate Web CVE-2008-7029 (Unrestricted file upload vulnerability in usercp.php in AlilG Applicat ...) NOT-FOR-US: AlilG Application AliBoard CVE-2008-7028 (RPG.Board 0.8 Beta2 and earlier allows remote attackers to bypass auth ...) NOT-FOR-US: RPG.Board CVE-2008-7027 (Libra File Manager 1.18 and earlier allows remote attackers to bypass ...) NOT-FOR-US: Libra File Manager CVE-2008-7026 (Unrestricted file upload vulnerability in filesystem3.class.php in eFr ...) NOT-FOR-US: eFront CVE-2008-7025 (TrueVector in Check Point ZoneAlarm 8.0.020.000, with vsmon.exe runnin ...) NOT-FOR-US: Check Point ZoneAlarm CVE-2008-7024 (admin.php in Arz Development The Gemini Portal 4.7 and earlier allows ...) NOT-FOR-US: Arz Development The Gemini Portal CVE-2008-7023 (Aruba Mobility Controller running ArubaOS 3.3.1.16, and possibly other ...) NOT-FOR-US: ArubaOS CVE-2008-7022 (Insecure method vulnerability in ChilkatMail_v7_9.dll in the Chilkat S ...) NOT-FOR-US: Chilkat Software IMAP ActiveX control CVE-2008-7021 (Unrestricted file upload vulnerability in editlogo.php in AvailScript ...) NOT-FOR-US: AvailScript Jobs Portal Script CVE-2008-7020 (McAfee SafeBoot Device Encryption 4 build 4750 and earlier stores pre- ...) NOT-FOR-US: McAfee SafeBoot Device Encryption CVE-2008-7019 (Esqlanelapse 2.6.1 and 2.6.2 allows remote attackers to bypass authent ...) NOT-FOR-US: Esqlanelapse CVE-2008-7018 (Cross-site scripting (XSS) vulnerability in NashTech Easy PHP Calendar ...) NOT-FOR-US: NashTech Easy PHP Calendar CVE-2008-7017 (Cross-site scripting (XSS) vulnerability in analyse.php in CAcert 2008 ...) NOT-FOR-US: CAcert CVE-2008-7016 (tnftpd before 20080929 splits large command strings into multiple comm ...) NOT-FOR-US: tnftpd CVE-2003-1574 (TikiWiki 1.6.1 allows remote attackers to bypass authentication by ent ...) - tikiwiki CVE-2009-3026 (protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly oth ...) - pidgin 2.6.1-1 (low; bug #542891) [lenny] - pidgin 2.4.3-4lenny4 NOTE: gaim nof affected, it never claimed to support TLS/SSL NOTE: http://developer.pidgin.im/ticket/8131 NOTE: http://developer.pidgin.im/viewmtn/revision/diff/312e056d702d29379ea61aea9d27765f127bc888/with/55897c4ce0787edc1e7721b7f4a9b5cbc8357279 CVE-2009-2962 REJECTED CVE-2009-2925 (Directory traversal vulnerability in DJcalendar.cgi in DJCalendar allo ...) NOT-FOR-US: DJCalendar CVE-2009-2924 (Multiple SQL injection vulnerabilities in Videos Broadcast Yourself 2 ...) NOT-FOR-US: Videos Broadcast Yourself 2 CVE-2009-2923 (Multiple directory traversal vulnerabilities in BitmixSoft PHP-Lance 1 ...) NOT-FOR-US: BitmixSoft PHP-Lance CVE-2009-2922 (Absolute path traversal vulnerability in pixaria.image.php in Pixaria ...) NOT-FOR-US: Pixaria Gallery CVE-2009-2921 (Multiple SQL injection vulnerabilities in login.php in MOC Designs PHP ...) NOT-FOR-US: MOC Designs PHP News CVE-2009-2920 (Multiple cross-site scripting (XSS) vulnerabilities in Elvin 1.2.2 all ...) NOT-FOR-US: Elvin CVE-2009-2919 (Cross-site scripting (XSS) vulnerability in Boonex Orca 2.0 and 2.0.2 ...) NOT-FOR-US: Boonex Orca CVE-2009-2918 (The tgbvpn.sys driver in TheGreenBow IPSec VPN Client 4.61.003 allows ...) NOT-FOR-US: TheGreenBow IPSec VPN Client CVE-2009-2917 (Stack-based buffer overflow in ImTOO MPEG Encoder 3.1.53 allows remote ...) NOT-FOR-US: ImTOO MPEG Encoder CVE-2009-2916 (Format string vulnerability in the CNS_AddTxt function in logs.dll in ...) NOT-FOR-US: 2K Games Vietcong CVE-2009-2915 (SQL injection vulnerability in 2fly_gift.php in 2FLY Gift Delivery Sys ...) NOT-FOR-US: 2FLY Gift Delivery System CVE-2009-2914 (Cross-site scripting (XSS) vulnerability in index.php in XZero Communi ...) NOT-FOR-US: XZero Community Classified CVE-2009-2913 (Cross-site scripting (XSS) vulnerability in index.php in XZero Communi ...) NOT-FOR-US: XZero Community Classified CVE-2009-2912 (The (1) sendfile and (2) sendfilev functions in Sun Solaris 8 through ...) NOT-FOR-US: Sun Solaris CVE-2009-2911 (SystemTap 1.0, when the --unprivileged option is used, does not proper ...) - systemtap 1.0-2 (bug #551918) [lenny] - systemtap (Affected functionality only added in 1.0) CVE-2009-2910 (arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.31.4 on the x ...) {DSA-1928-1 DSA-1915-1} - linux-2.6 2.6.31-1 (medium) - linux-2.6.24 (medium) CVE-2009-2909 (Integer signedness error in the ax25_setsockopt function in net/ax25/a ...) {DSA-1929-1 DSA-1928-1 DSA-1915-1} - linux-2.6 2.6.31-1 (medium) - linux-2.6.24 (medium) CVE-2009-2908 (The d_delete function in fs/ecryptfs/inode.c in eCryptfs in the Linux ...) {DSA-1928-1 DSA-1915-1} - linux-2.6 2.6.31-1 (medium) [etch] - linux-2.6 (vulnerable code introduced in 2.6.19) - linux-2.6.24 (medium) CVE-2009-2907 (Multiple cross-site scripting (XSS) vulnerabilities in SpringSource tc ...) NOT-FOR-US: SpringSource tc Server, Application Management Suite, Hyperic HQ Open Source, and Hyperic Enterprise CVE-2009-2906 (smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, ...) {DSA-1908-1} - samba 2:3.4.2-1 (low; bug #550423) CVE-2009-2905 (Heap-based buffer overflow in textbox.c in newt 0.51.5, 0.51.6, and 0. ...) {DSA-1894-1} - newt 0.52.10-4.1 (medium; bug #548198) CVE-2009-2904 (A certain Red Hat modification to the ChrootDirectory feature in OpenS ...) - openssh (issue with homechroot patch specific to Red Hat) CVE-2009-2903 (Memory leak in the appletalk subsystem in the Linux kernel 2.4.x throu ...) {DSA-1928-1 DSA-1915-1} - linux-2.6 2.6.31-1 (low) - linux-2.6.24 (low) CVE-2009-2902 (Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.2 ...) {DSA-2207-1} - tomcat6 6.0.24-1 (low) [lenny] - tomcat6 (Only ships the servlet package) - tomcat5.5 CVE-2009-2901 (The autodeployment process in Apache Tomcat 5.5.0 through 5.5.28 and 6 ...) - tomcat6 (Windows-only) - tomcat5.5 (Windows-only) CVE-2009-2900 RESERVED CVE-2009-2899 (The monitor perl script in the Sybase database plug-in in SpringSource ...) NOT-FOR-US: SpringSource Hyperic HQ CVE-2009-2898 (Cross-site scripting (XSS) vulnerability in the Alerts list feature in ...) NOT-FOR-US: SpringSource Hyperic HQ CVE-2009-2897 (Multiple cross-site scripting (XSS) vulnerabilities in hq/web/common/G ...) NOT-FOR-US: SpringSource Hyperic HQ CVE-2009-2896 (Buffer overflow in KMplayer 2.9.4.1433 and earlier allows remote attac ...) NOT-FOR-US: KMPlayer: http://www.kmplayer.com CVE-2009-2895 (SQL injection vulnerability in rss.php in Ultimate Regnow Affiliate (U ...) NOT-FOR-US: Ultimate Regnow Affiliate CVE-2009-2894 (Multiple SQL injection vulnerabilities in Ebay Clone 2009 allow remote ...) NOT-FOR-US: Ebay Clone 2009 CVE-2009-2893 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in XZ ...) NOT-FOR-US: XZero Community Classifieds CVE-2009-2892 (Multiple SQL injection vulnerabilities in header.php in Scripteen Free ...) NOT-FOR-US: Scripteen Free Image Hosting Script CVE-2009-2891 (SQL injection vulnerability in list.php in PHP Scripts Now Riddles all ...) NOT-FOR-US: PHP Scripts Now Riddles CVE-2009-2890 (Cross-site scripting (XSS) vulnerability in results.php in PHP Scripts ...) NOT-FOR-US: PHP Scripts Now Riddles CVE-2009-2889 (Cross-site scripting (XSS) vulnerability in index.php in PHP Scripts N ...) NOT-FOR-US: PHP Scripts Now Riddles CVE-2009-2888 (SQL injection vulnerability in index.php in PHP Scripts Now Hangman al ...) NOT-FOR-US: PHP Scripts Now Hangman CVE-2009-2887 (Cross-site scripting (XSS) vulnerability in bios.php in PHP Scripts No ...) NOT-FOR-US: PHP Scripts Now President Bios CVE-2009-2886 (SQL injection vulnerability in bios.php in PHP Scripts Now President B ...) NOT-FOR-US: PHP Scripts Now President CVE-2009-2885 (SQL injection vulnerability in bios.php in PHP Scripts Now World's Tal ...) NOT-FOR-US: PHP Scripts Now World's CVE-2009-2884 (Cross-site scripting (XSS) vulnerability in bios.php in PHP Scripts No ...) NOT-FOR-US: PHP Scripts Now World's Tallest Buildings CVE-2009-2883 (SQL injection vulnerability in admin/login.php in SaphpLesson 4.0, whe ...) NOT-FOR-US: SaphpLesson CVE-2009-2882 (Multiple cross-site scripting (XSS) vulnerabilities in PG MatchMaking ...) NOT-FOR-US: PG MatchMaking CVE-2009-2881 (Multiple SQL injection vulnerabilities in Basilic 1.5.13 allow remote ...) NOT-FOR-US: Basilic CVE-2009-3369 (CgiUserConfigEdit in BackupPC 3.1.0, when SSH keys and Rsync are in us ...) - backuppc 3.1.0-8 (low; bug #542218) [etch] - backuppc (No configuration GUI) [lenny] - backuppc 3.1.0-4lenny2 CVE-2009-5043 (burn allows file names to escape via mishandled quotation marks ...) - burn 0.4.5-1 (low; bug #542329) [lenny] - burn 0.4.3-2.1+lenny1 [etch] - burn (Minor issue) CVE-2009-2880 (Buffer overflow in atrpui.dll in the Cisco WebEx WRF Player 26.x befor ...) NOT-FOR-US: Cisco WebEx WRF Player CVE-2009-2879 (Heap-based buffer overflow in atas32.dll in the Cisco WebEx WRF Player ...) NOT-FOR-US: Cisco WebEx WRF Player CVE-2009-2878 (Heap-based buffer overflow in atas32.dll in the Cisco WebEx WRF Player ...) NOT-FOR-US: Cisco WebEx WRF Player CVE-2009-2877 (Stack-based buffer overflow in ataudio.dll in the Cisco WebEx WRF Play ...) NOT-FOR-US: Cisco WebEx WRF Player CVE-2009-2876 (Heap-based buffer overflow in atas32.dll in the Cisco WebEx WRF Player ...) NOT-FOR-US: Cisco WebEx WRF Player CVE-2009-2875 (Buffer overflow in atas32.dll in the Cisco WebEx WRF Player 26.x befor ...) NOT-FOR-US: Cisco WebEx WRF Player CVE-2009-2874 (The TimesTenD process in Cisco Unified Presence 1.x, 6.x before 6.0(6) ...) NOT-FOR-US: Cisco Unified Presence CVE-2009-2873 (Cisco IOS 12.0 through 12.4, when IP-based tunnels and the Cisco Expre ...) NOT-FOR-US: Cisco IOS CVE-2009-2872 (Cisco IOS 12.0 through 12.4, when IP-based tunnels and the Cisco Expre ...) NOT-FOR-US: Cisco IOS CVE-2009-2871 (Unspecified vulnerability in Cisco IOS 12.2 and 12.4, when SSLVPN sess ...) NOT-FOR-US: Cisco IOS CVE-2009-2870 (Unspecified vulnerability in Cisco IOS 12.2 through 12.4, when the Cis ...) NOT-FOR-US: Cisco IOS CVE-2009-2869 (Unspecified vulnerability in Cisco IOS 12.2XNA, 12.2XNB, 12.2XNC, 12.2 ...) NOT-FOR-US: Cisco IOS CVE-2009-2868 (Unspecified vulnerability in Cisco IOS 12.2 through 12.4, when certifi ...) NOT-FOR-US: Cisco IOS CVE-2009-2867 (Unspecified vulnerability in Cisco IOS 12.2XNA, 12.2XNB, 12.2XNC, 12.2 ...) NOT-FOR-US: Cisco IOS CVE-2009-2866 (Unspecified vulnerability in Cisco IOS 12.2 through 12.4 allows remote ...) NOT-FOR-US: Cisco IOS CVE-2009-2865 (Buffer overflow in the login implementation in the Extension Mobility ...) NOT-FOR-US: Cisco IOS CVE-2009-2864 (Cisco Unified Communications Manager (aka CUCM, formerly CallManager) ...) NOT-FOR-US: Cisco CVE-2009-2863 (Race condition in the Firewall Authentication Proxy feature in Cisco I ...) NOT-FOR-US: Cisco IOS CVE-2009-2862 (The Object Groups for Access Control Lists (ACLs) feature in Cisco IOS ...) NOT-FOR-US: Cisco CVE-2009-2861 (The Over-the-Air Provisioning (OTAP) functionality on Cisco Aironet Li ...) NOT-FOR-US: Cisco CVE-2009-2860 (Unspecified vulnerability in db2jds in IBM DB2 8.1 before FP18 allows ...) NOT-FOR-US: db2jds in IBM DB2 CVE-2009-2859 (IBM DB2 8.1 before FP18 allows attackers to obtain unspecified access ...) NOT-FOR-US: IBM DB2 CVE-2009-2858 (Memory leak in the Security component in IBM DB2 8.1 before FP18 on Un ...) NOT-FOR-US: IBM DB2 CVE-2009-2857 (The kernel in Sun Solaris 8, 9, and 10, and OpenSolaris before snv_103 ...) NOT-FOR-US: kernel in Sun Solaris CVE-2009-2856 (Sun Virtual Desktop Infrastructure (VDI) 3.0, when anonymous binding i ...) NOT-FOR-US: Sun Virtual Desktop Infrastructure CVE-2009-2855 (The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allo ...) {DSA-1991-1} - squid 2.7.STABLE7-1 (low; bug #534982) - squid3 3.0.STABLE19-1 CVE-2009-2854 (Wordpress before 2.8.3 does not check capabilities for certain actions ...) {DSA-1871-2 DSA-1871-1} - wordpress 2.8.3-1 CVE-2009-2853 (Wordpress before 2.8.3 allows remote attackers to gain privileges via ...) {DSA-1871-2 DSA-1871-1} - wordpress 2.8.3-1 CVE-2009-2852 (WP-Syntax plugin 0.9.1 and earlier for Wordpress, with register_global ...) NOT-FOR-US: WP-Syntax plugin CVE-2009-2851 (Cross-site scripting (XSS) vulnerability in the administrator interfac ...) {DSA-1871-2 DSA-1871-1} - wordpress 2.8.3-1 (low) CVE-2009-2850 (Multiple buffer overflows in NASA Common Data Format (CDF) allow conte ...) NOT-FOR-US: NASA Common Data Format CVE-2009-2845 REJECTED CVE-2008-7015 (Unreal engine 3, as used in Unreal Tournament 3 1.3, Frontlines: Fuel ...) NOT-FOR-US: Unreal Tournament CVE-2008-7014 (fhttpd 0.4.2 allows remote attackers to cause a denial of service (cra ...) NOT-FOR-US: fhttpd CVE-2008-7013 (NetService.dll in Baidu Hi IM allows remote servers to cause a denial ...) NOT-FOR-US: Baidu Hi IM CVE-2008-7012 (courier/1000@/api_error_email.html (aka "error reporting page") in Acc ...) NOT-FOR-US: Accellion File Transfer Appliance CVE-2008-7011 (The Unreal engine, as used in Unreal Tournament 3 1.3, Unreal Tourname ...) NOT-FOR-US: Unreal Tournament CVE-2008-7010 (Skalfa Software SkaLinks Exchange Script 1.5 allows remote attackers t ...) NOT-FOR-US: Skalfa Software SkaLinks Exchange Script CVE-2008-7009 (Buffer overflow in multiscan.exe in Check Point ZoneAlarm Security Sui ...) NOT-FOR-US: Check Point ZoneAlarm Security Suite CVE-2008-7008 (HyperStop Web Host Directory 1.2 allows remote attackers to bypass aut ...) NOT-FOR-US: HyperStop Web Host Directory CVE-2008-7007 (Free PHP VX Guestbook 1.06 allows remote attackers to bypass authentic ...) NOT-FOR-US: Free PHP VX Guestbook CVE-2008-7006 (Free PHP VX Guestbook 1.06 allows remote attackers to bypass authentic ...) NOT-FOR-US: Free PHP VX Guestbook CVE-2008-7005 (include/modules/top/1-random_quote.php in Minb Is Not a Blog (minb) 0. ...) NOT-FOR-US: Minb Is Not a Blog CVE-2008-7004 (Buffer overflow in Electronic Logbook (ELOG) before 2.7.1 has unknown ...) NOT-FOR-US: Electronic Logbook CVE-2009-2849 (The md driver (drivers/md/md.c) in the Linux kernel before 2.6.30.2 mi ...) {DSA-1928-1 DSA-1872-1} - linux-2.6 2.6.30-4 (medium) - linux-2.6.24 [lenny] - linux-2.6 2.6.26-19 (medium) CVE-2009-2848 (The execve function in the Linux kernel, possibly 2.6.30-rc6 and earli ...) {DSA-1928-1 DSA-1872-1} - linux-2.6 2.6.30-7 (low) - linux-2.6.24 [lenny] - linux-2.6 2.6.26-19 (low) CVE-2009-2847 (The do_sigaltstack function in kernel/signal.c in Linux kernel 2.4 thr ...) {DSA-1928-1 DSA-1872-1} - linux-2.6 2.6.30-6 (low) - linux-2.6.24 [lenny] - linux-2.6 2.6.26-19 (low) CVE-2009-2846 (The eisa_eeprom_read function in the parisc isa-eeprom component (driv ...) {DSA-1928-1 DSA-1872-1} - linux-2.6 2.6.30-6 (low) - linux-2.6.24 [lenny] - linux-2.6 2.6.26-19 (low) CVE-2009-2844 (cfg80211 in net/wireless/scan.c in the Linux kernel 2.6.30-rc1 and oth ...) - linux-2.6 2.6.30-7 (medium) [etch] - linux-2.6 (vulnerability introduced in 2.6.30) [lenny] - linux-2.6 (vulnerability introduced in 2.6.30) - linux-2.6.24 (vulnerability introduced in 2.6.30) CVE-2009-2843 (Java for Mac OS X 10.5 before Update 6 and 10.6 before Update 1 accept ...) NOT-FOR-US: Mac OS X CVE-2009-2842 (Apple Safari before 4.0.4 does not properly implement certain (1) Open ...) NOT-FOR-US: Apple Safari CVE-2009-2841 (The HTMLMediaElement::loadResource function in html/HTMLMediaElement.c ...) - webkit 1.1.21-1 (medium; bug #559759) [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) NOTE: http://trac.webkit.org/changeset/49480 - qt4-x11 4:4.6.2-4 (medium; bug #561760) NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against [lenny] - qt4-x11 (HTML video support introduced in version 4.5) [etch] - qt4-x11 (webkit support introduced in version 4.4) - kdelibs (No support for HTML5 video tags) CVE-2009-2840 (Spotlight in Apple Mac OS X 10.5.8 does not properly handle temporary ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2839 (Screen Sharing in Apple Mac OS X 10.5.8 allows remote VNC servers to e ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2838 (Integer overflow in QuickLook in Apple Mac OS X 10.5.8 allows remote a ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2837 (Heap-based buffer overflow in QuickDraw Manager in Apple Mac OS X befo ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2836 (Race condition in Login Window in Apple Mac OS X 10.6.x before 10.6.2, ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2835 (The kernel in Apple Mac OS X before 10.6.2 does not properly handle ta ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2834 (IOKit in Apple Mac OS X before 10.6.2 allows local users to modify the ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2833 (Buffer overflow in the UCCompareTextDefault API in International Compo ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2832 (Buffer overflow in FTP Server in Apple Mac OS X before 10.6.2 allows r ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2831 (Dictionary in Apple Mac OS X 10.5.8 allows remote attackers to create ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2830 (Multiple buffer overflows in Christos Zoulas file before 5.03 in Apple ...) - file 5.03-1 [lenny] - file [etch] - file CVE-2009-2829 (Event Monitor in Apple Mac OS X 10.5.8 does not properly handle crafte ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2828 (The server in DirectoryService in Apple Mac OS X 10.5.8 allows remote ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2827 (Heap-based buffer overflow in Disk Images in Apple Mac OS X 10.5.8 all ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2826 (Multiple integer overflows in CoreGraphics in Apple Mac OS X 10.5.8 al ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2825 (Certificate Assistant in Apple Mac OS X before 10.6.2 does not properl ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2824 (Multiple buffer overflows in Apple Type Services (ATS) in Apple Mac OS ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2823 (The Apache HTTP Server in Apple Mac OS X before 10.6.2 enables the HTT ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2822 (AirPort Utility before 5.5.1 for Apple AirPort Base Station does not p ...) NOT-FOR-US: AirPort Utility CVE-2009-2821 RESERVED CVE-2009-2820 (The web interface in CUPS before 1.4.2, as used on Apple Mac OS X befo ...) {DSA-1933-1} - cups 1.4.2-1 (low; bug #555666) - cupsys CVE-2009-2819 (AFP Client in Apple Mac OS X 10.5.8 allows remote AFP servers to execu ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2818 (Adaptive Firewall in Apple Mac OS X before 10.6.2 does not properly ha ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2817 (Buffer overflow in Apple iTunes before 9.0.1 allows remote attackers t ...) NOT-FOR-US: Apple iTunes CVE-2009-2816 (The implementation of Cross-Origin Resource Sharing (CORS) in WebKit, ...) - webkit 1.1.21-1 (low; bug #559759) [lenny] - webkit (vulnerable code not present) - kdelibs - kde4libs - qt4-x11 4:4.6.2-4 (low) NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against [lenny] - qt4-x11 (Vulnerable code not present) NOTE: http://trac.webkit.org/changeset/47494 CVE-2009-2815 (The Telephony component in Apple iPhone OS before 3.1 does not properl ...) NOT-FOR-US: Apple iPhone OS CVE-2009-2814 (Cross-site scripting (XSS) vulnerability in the Wiki Server in Apple M ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2813 (Samba 3.4 before 3.4.2, 3.3 before 3.3.8, 3.2 before 3.2.15, and 3.0.1 ...) {DSA-1908-1} - samba 2:3.4.2-1 (bug #550422) NOTE: requires an administrator to manually configure a user account without NOTE: a home dir, otherwise, this is ineffective CVE-2009-2812 (Launch Services in Apple Mac OS X 10.5.8 does not properly recognize a ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2811 (Incomplete blacklist vulnerability in Launch Services in Apple Mac OS ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2810 (Launch Services in Apple Mac OS X 10.6.x before 10.6.2 recursively cle ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2809 (ImageIO in Apple Mac OS X 10.4.11 and 10.5.8 allows remote attackers t ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2808 (Help Viewer in Apple Mac OS X before 10.6.2 does not use an HTTPS conn ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2807 (Heap-based buffer overflow in the USB backend in CUPS in Apple Mac OS ...) - cupsys (issue in darwin-specific code; bug #550150) - cups (issue in darwin-specific code; bug #550150) CVE-2009-2806 RESERVED CVE-2009-2805 (Integer overflow in CoreGraphics in Apple Mac OS X 10.4.11 and 10.5.8 ...) NOT-FOR-US: CoreGraphics in Apple Mac OS X CVE-2009-2804 (Integer overflow in ColorSync in Apple Mac OS X 10.4.11 and 10.5.8, an ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2803 (CarbonCore in Apple Mac OS X 10.4.11 and 10.5.8 allows attackers to ex ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2802 (MantisBT 1.2.x before 1.2.2 insecurely handles attachments and MIME ty ...) - mantis (Only affects 1.2.x) NOTE: http://www.mantisbt.org/bugs/view.php?id=11952 NOTE: http://www.mantisbt.org/blog/?p=113 CVE-2009-2801 (The Application Firewall in Apple Mac OS X 10.5.8 drops unspecified fi ...) NOT-FOR-US: Apple Application Firewall CVE-2009-2800 (Buffer overflow in Alias Manager in Apple Mac OS X 10.4.11 and 10.5.8 ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2799 (Heap-based buffer overflow in Apple QuickTime before 7.6.4 allows remo ...) NOT-FOR-US: Apple QuickTime CVE-2009-2798 (Heap-based buffer overflow in Apple QuickTime before 7.6.4 allows remo ...) NOT-FOR-US: Apple QuickTime CVE-2009-2797 (The WebKit component in Safari in Apple iPhone OS before 3.1, and iPho ...) - webkit 1.1.21-1 (low; bug #559759) [lenny] - webkit (Too intrusive to backport, disk of regression higher than impact at hand) - kdelibs - kde4libs NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against - qt4-x11 4:4.6.2-4 (low) [lenny] - qt4-x11 (Too intrusive to backport, disk of regression higher than impact at hand) NOTE: http://trac.webkit.org/changeset/42483 CVE-2009-2796 (The UIKit component in Apple iPhone OS 3.0, and iPhone OS 3.0.1 for iP ...) NOT-FOR-US: Apple iPhone OS CVE-2009-2795 (Heap-based buffer overflow in the Recovery Mode component in Apple iPh ...) NOT-FOR-US: Apple iPhone OS CVE-2009-2794 (The Exchange Support component in Apple iPhone OS before 3.1, and iPho ...) NOT-FOR-US: Apple iPhone OS CVE-2009-2793 (The kernel in NetBSD, probably 5.0.1 and earlier, on x86 platforms doe ...) NOT-FOR-US: NetBSD kernel CVE-2009-2792 (Directory traversal vulnerability in plugings/pagecontent.php in Reall ...) NOT-FOR-US: Really Simple CMS CVE-2009-2791 (PHP remote file inclusion vulnerability in pda_projects.php in WebDyna ...) NOT-FOR-US: WebDynamite ProjectButler CVE-2009-2790 (SQL injection vulnerability in cat_products.php in SoftBiz Dating Scri ...) NOT-FOR-US: SoftBiz Dating CVE-2009-2789 (SQL injection vulnerability in the Permis (com_groups) component 1.0 f ...) NOT-FOR-US: com_groups component for Joomla! CVE-2009-2788 (Multiple SQL injection vulnerabilities in Mobilelib GOLD 3 allow remot ...) NOT-FOR-US: Mobilelib GOLD CVE-2009-2787 (Directory traversal vulnerability in include/reputation/rep_profile.ph ...) NOT-FOR-US: Reputation plugin for PunBB CVE-2009-2786 (SQL injection vulnerability in reputation.php in the Reputation plugin ...) NOT-FOR-US: Reputation plugin for PunBB CVE-2009-2785 (Multiple cross-site scripting (XSS) vulnerabilities in PHP Open Classi ...) NOT-FOR-US: PHP Open Classifieds Script CVE-2009-2784 (Multiple directory traversal vulnerabilities in dit.cms 1.3, when regi ...) NOT-FOR-US: dit.cms CVE-2009-2783 (Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.3.3 all ...) NOT-FOR-US: XOOPS CVE-2009-2782 (SQL injection vulnerability in the JFusion (com_jfusion) component for ...) NOT-FOR-US: com_jfusion component for Joomla! CVE-2009-2781 (SQL injection vulnerability in forum.php in Arab Portal 2.x, when magi ...) NOT-FOR-US: Arab Portal CVE-2009-2780 (Multiple cross-site scripting (XSS) vulnerabilities in 68 Classifieds ...) NOT-FOR-US: 68 Classifieds CVE-2009-2779 (SQL injection vulnerability in index.php in AJ Matrix DNA allows remot ...) NOT-FOR-US: AJ Matrix DNA CVE-2008-7003 (Multiple SQL injection vulnerabilities in login.php in The Rat CMS Alp ...) NOT-FOR-US: The Rat CMS CVE-2008-7002 (PHP 5.2.5 does not enforce (a) open_basedir and (b) safe_mode_exec_dir ...) - php5 (unimportant) NOTE: safe-mode and basedir violations not treated as security issues CVE-2008-7001 (Unrestricted file upload vulnerability in the file manager in Creative ...) NOT-FOR-US: Creative Mind Creator CMS CVE-2008-7000 (PHP remote file inclusion vulnerability in index.php in PHPAuction 3.2 ...) NOT-FOR-US: phpAuction CVE-2008-6999 (phpAuction 3.2, and possibly 3.3.0 GPL Basic edition, allows remote at ...) NOT-FOR-US: phpAuction CVE-2008-6998 (Stack-based buffer overflow in chrome/common/gfx/url_elider.cc in Goog ...) - chromium-browser (Only 0.x is affected) - webkit (chrome-specific issue) CVE-2008-6997 (Google Chrome 0.2.149.27 allows user-assisted remote attackers to caus ...) - chromium-browser (Only 0.x is affected) - webkit (chrome-specific issue) CVE-2008-6996 (Google Chrome BETA (0.2.149.27) does not prompt the user before saving ...) - chromium-browser (Only 0.x is affected) - webkit (chrome-specific issue) CVE-2008-6995 (Integer underflow in net/base/escape.cc in chrome.dll in Google Chrome ...) - chromium-browser (Only 0.x is affected) - webkit (chrome-specific issue) CVE-2008-6994 (Stack-based buffer overflow in the SaveAs feature (SaveFileAsWithFilte ...) - chromium-browser (Only 0.x is affected) - webkit (chrome-specific issue) CVE-2008-6993 (Siemens Gigaset WLAN Camera 1.27 has an insecure default password, whi ...) NOT-FOR-US: Siemens Gigaset WLAN Camera CVE-2008-6992 (GreenSQL Firewall (greensql-fw), possibly before 0.9.2 or 0.9.4, allow ...) NOT-FOR-US: GreenSQL Firewall CVE-2008-6991 (SQL injection vulnerability in public/page.php in Websens CMSbright al ...) NOT-FOR-US: CMSbright CVE-2008-6990 (SQL injection vulnerability in gallery.php in Easy Photo Gallery (aka ...) NOT-FOR-US: Easy Photo Gallery CVE-2008-6989 (SQL injection vulnerability in gallery.php in Easy Photo Gallery (aka ...) NOT-FOR-US: Easy Photo Gallery CVE-2008-6988 (Multiple cross-site scripting (XSS) vulnerabilities in Easy Photo Gall ...) NOT-FOR-US: Easy Photo Gallery CVE-2008-6987 (Unrestricted file upload vulnerability in eZoneScripts Dating Website ...) NOT-FOR-US: eZoneScripts Dating Website script CVE-2008-6986 (SQL injection vulnerability in the actionMultipleAddProduct function i ...) NOT-FOR-US: Zen Cart CVE-2008-6985 (Multiple SQL injection vulnerabilities in includes/classes/shopping_ca ...) NOT-FOR-US: Zen Cart CVE-2008-6984 (Plesk 8.6.0, when short mail login names (SHORTNAMES) are enabled, all ...) NOT-FOR-US: Plesk CVE-2008-6983 (modules/tool/hitcounter.php in devalcms 1.4a allows remote attackers t ...) NOT-FOR-US: devalcms CVE-2008-6982 (Cross-site scripting (XSS) vulnerability in index.php in devalcms 1.4a ...) NOT-FOR-US: devalcms CVE-2008-6981 (index.php in phpAdultSite CMS, possibly 2.3.2, allows remote attackers ...) NOT-FOR-US: phpAdultSite CMS CVE-2008-6980 (SQL injection vulnerability in as_archives.php in phpAdultSite CMS, po ...) NOT-FOR-US: phpAdultSite CMS CVE-2008-6979 (Cross-site scripting (XSS) vulnerability in as_archives.php in phpAdul ...) NOT-FOR-US: phpAdultSite CMS CVE-2008-6978 (Unrestricted file upload vulnerability in Full Revolution aspWebAlbum ...) NOT-FOR-US: aspWebAlbum CVE-2008-6977 (Cross-site scripting (XSS) vulnerability in album.asp in Full Revoluti ...) NOT-FOR-US: aspWebAlbum CVE-2008-6976 (MikroTik RouterOS 3.x through 3.13 and 2.x through 2.9.51 allows remot ...) NOT-FOR-US: MicroTik RouterOS CVE-2009-2778 (Cross-site scripting (XSS) vulnerability in visitor/view.php in Garage ...) NOT-FOR-US: GarageSales script CVE-2009-2777 (SQL injection vulnerability in visitor/view.php in GarageSales Script ...) NOT-FOR-US: GarageSales Script CVE-2009-2776 (SQL injection vulnerability in showresult.asp in Smart ASP Survey allo ...) NOT-FOR-US: Smart ASP Survey CVE-2009-2775 (SQL injection vulnerability in linkout.php in PHPArcadeScript (PHP Arc ...) NOT-FOR-US: PHPArcadeScript CVE-2009-2774 (SQL injection vulnerability in paidbanner.php in PHP Paid 4 Mail Scrip ...) NOT-FOR-US: PHP Paid 4 Mail CVE-2009-2773 (PHP remote file inclusion vulnerability in home.php in PHP Paid 4 Mail ...) NOT-FOR-US: PHP Paid 4 Mail CVE-2009-2772 (Multiple cross-site scripting (XSS) vulnerabilities in PG Roommate Fin ...) NOT-FOR-US: PG Roommate Finder Solution CVE-2009-2771 (Cross-site scripting (XSS) vulnerability in Free Arcade Script 1.3 all ...) NOT-FOR-US: Free Arcade Script CVE-2009-2770 (PowerUpload 2.4 allows remote attackers to bypass authentication and g ...) NOT-FOR-US: PowerUpload CVE-2009-2769 (PHP remote file inclusion vulnerability in include/timesheet.php in Ul ...) NOT-FOR-US: Ultrize TimeSheet CVE-2009-2768 (The load_flat_shared_library function in fs/binfmt_flat.c in the flat ...) - linux-2.6 2.6.30-6 (medium) [etch] - linux-2.6 (kernel/cred.c introduced in 2.6.29) [lenny] - linux-2.6 (kernel/cred.c introduced in 2.6.29) - linux-2.6.24 (kernel/cred.c introduced in 2.6.29) CVE-2009-2767 (The init_posix_timers function in kernel/posix-timers.c in the Linux k ...) - linux-2.6 2.6.30-6 (medium) [etch] - linux-2.6 (introduced in 2.6.28) [lenny] - linux-2.6 (introduced in 2.6.28) - linux-2.6.24 (introduced in 2.6.28) CVE-2009-2766 (httpd.c in httpd in the management GUI in DD-WRT 24 sp1 does not requi ...) NOT-FOR-US: DD-WRT CVE-2009-2765 (httpd.c in httpd in the management GUI in DD-WRT 24 sp1, and other ver ...) NOT-FOR-US: DD-WRT CVE-2009-2764 (Microsoft Internet Explorer 8.0.7100.0 on Windows 7 RC on the x64 plat ...) NOT-FOR-US: Microsoft CVE-2008-6975 (Multiple cross-site request forgery (CSRF) vulnerabilities in apply.cg ...) NOT-FOR-US: DD-WRT CVE-2008-6974 (Multiple cross-site request forgery (CSRF) vulnerabilities in apply.cg ...) NOT-FOR-US: DD-WRT CVE-2009-3040 (Multiple SQL injection vulnerabilities in Open Computer and Software ( ...) - ocsinventory-server 1.02.1-2 (unimportant; bug #541995) NOTE: Authentication is needed, only supported in trusted environments, see debtags CVE-2009-3042 (SQL injection vulnerability in machine.php in Open Computer and Softwa ...) - ocsinventory-server 1.02.1-2 (unimportant; bug #541995) NOTE: Authentication is needed, only supported in trusted environments, see debtags CVE-2009-2763 RESERVED CVE-2009-XXXX [logrotate race condition could lead to file disclosure] - logrotate 3.7.8-4 (low; bug #388608) [lenny] - logrotate (Minor issue) CVE-2008-6973 (Multiple unspecified vulnerabilities in IBM WebSphere Commerce 6.0 bef ...) NOT-FOR-US: IBM WebSphere CVE-2008-6961 (mailnews in Mozilla Thunderbird before 2.0.0.18 and SeaMonkey before 1 ...) - icedove 2.0.0.19-1 - iceape 1.1.14-1 [etch] - iceape (Etch Packages no longer covered by security support) CVE-2009-XXXX [XSS in drupal printing module] - drupal6 (unimportant) NOTE: you need admin privs in orde to exploit this NOTE: http://lampsecurity.org/drupal-print-module-vulnerabilities CVE-2009-2761 (Unquoted Windows search path vulnerability in the scheduler (sched.exe ...) NOT-FOR-US: Avira AntiVir CVE-2008-6972 (Multiple cross-site scripting (XSS) vulnerabilities in Drupal Content ...) NOT-FOR-US: Drupal Content Construction Kit (third-party module) CVE-2008-6971 (The password reset functionality in Simple Machines Forum (SMF) 1.0.x ...) NOT-FOR-US: Simple Machines Forum CVE-2008-6970 (SQL injection vulnerability in dosearch.inc.php in UBB.threads 7.3.1 a ...) NOT-FOR-US: UBB.threads CVE-2008-6969 (Multiple cross-site scripting (XSS) vulnerabilities in checkout.php in ...) NOT-FOR-US: Avactis Shopping Cart CVE-2008-6968 (Multiple SQL injection vulnerabilities in submit.php in Pligg CMS 9.9. ...) NOT-FOR-US: Pligg CMS CVE-2008-6967 (Multiple unspecified vulnerabilities in WorldClient in Alt-N MDaemon b ...) NOT-FOR-US: Alt-N MDaemon CVE-2008-6966 (AJ Square AJ Auction Pro Platinum Skin #1 sends a redirect but does no ...) NOT-FOR-US: AJ Square AJ Auction Pro Platinum Skin #1 CVE-2008-6965 (AJ Square AJ Auction OOPD, Pro Platinum Skin #1, Pro Platinum Skin #2, ...) NOT-FOR-US: AJ Square AJ Auction OOPD CVE-2008-6964 (SQL injection vulnerability in the login page in X7 Chat 2.0.5 allows ...) NOT-FOR-US: X7 Chat CVE-2008-6963 (admin.php in TurnkeyForms Text Link Sales allows remote attackers to b ...) NOT-FOR-US: TurnkeyForms Text Link Sales CVE-2008-6962 (Avira AntiVir Premium, Premium Security Suite, AntiVir Professional, a ...) NOT-FOR-US: Avira AntiVir Premium CVE-2009-2760 RESERVED CVE-2009-2759 RESERVED CVE-2009-2758 RESERVED CVE-2009-2757 RESERVED CVE-2009-2756 RESERVED CVE-2009-2755 RESERVED CVE-2009-2754 (Integer signedness error in the authentication functionality in librpc ...) NOT-FOR-US: Informix Storage Manager CVE-2009-2753 (Multiple buffer overflows in the authentication functionality in librp ...) NOT-FOR-US: Informix Storage Manager CVE-2009-2752 (IBM WebSphere Commerce 7.0 does not properly encrypt data in a databas ...) NOT-FOR-US: IBM WebSphere Commerce CVE-2009-2751 (IBM WebSphere Commerce 7.0 uses the same cryptographic key for session ...) NOT-FOR-US: IBM WebSphere Commerce CVE-2009-2750 (IBM WebSphere Service Registry and Repository (WSRR) 6.3.0 before FP2 ...) NOT-FOR-US: IBM WebSphere Service Registry and Repository CVE-2009-2749 (Feature Pack for Communications Enabled Applications (CEA) before 1.0. ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2009-2748 (Cross-site scripting (XSS) vulnerability in the Administration Console ...) NOT-FOR-US: IBM WebSphere CVE-2009-2747 (The Java Naming and Directory Interface (JNDI) implementation in IBM W ...) NOT-FOR-US: IBM WebSphere CVE-2009-2746 (Cross-site request forgery (CSRF) vulnerability in the administrative ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2009-2745 RESERVED CVE-2009-2744 (Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6. ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2009-2743 (IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.27, and 7.0 be ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2009-2742 (Cross-site scripting (XSS) vulnerability in Eclipse Help in IBM WebSph ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2009-2741 (Unspecified vulnerability in the wberuntimeear application in the test ...) NOT-FOR-US: IBM WebSphere Business Events CVE-2009-2740 (kmxIds.sys before 7.3.1.18 in CA Host-Based Intrusion Prevention Syste ...) NOT-FOR-US: CA Host-Based Intrusion Prevention System (HIPS) CVE-2009-2739 (Cross-site scripting (XSS) vulnerability in FreeNAS before 0.69.2 allo ...) NOT-FOR-US: FreeNAS CVE-2009-2738 (Cross-site request forgery (CSRF) vulnerability in the WebGUI in FreeN ...) NOT-FOR-US: FreeNAS CVE-2008-6960 (download.php in X10media x10 Automatic Mp3 Search Engine Script 1.5.5 ...) NOT-FOR-US: X10media CVE-2008-6959 (Insecure method vulnerability in the Chilkat Socket ActiveX control (C ...) NOT-FOR-US: ActiveX CVE-2008-6958 (wap/index.php in Crossday Discuz! Board 6.x and 7.x allows remote auth ...) NOT-FOR-US: Crossday Discuz! Board CVE-2008-6957 (member.php in Crossday Discuz! Board allows remote attackers to reset ...) NOT-FOR-US: Crossday Discuz! Board CVE-2008-6956 (Static code injection vulnerability in admin/admin.php in mxCamArchive ...) NOT-FOR-US: mxCamArchive CVE-2008-6955 (mxCamArchive 2.2 stores sensitive information under the web root with ...) NOT-FOR-US: mxCamArchive CVE-2008-6954 (The web interface (CobblerWeb) in Cobbler before 1.2.9 allows remote a ...) - cobbler (Fixed before initial upload) CVE-2008-6953 (Buffer overflow in oovoo.exe in ooVoo 1.7.1.35, and possibly other ver ...) NOT-FOR-US: ooVoo CVE-2008-6952 (SQL injection vulnerability in Rss.php in MauryCMS 0.53.2 and earlier ...) NOT-FOR-US: MauryCMS CVE-2008-6951 (MauryCMS 0.53.2 and earlier does not require administrative authentica ...) NOT-FOR-US: MauryCMS CVE-2008-6950 (Multiple SQL injection vulnerabilities in login.asp in Bankoi WebHosti ...) NOT-FOR-US: Bankoi WebHosting Control Panel CVE-2008-6949 (Multiple cross-site request forgery (CSRF) vulnerabilities in Collabti ...) NOT-FOR-US: Collabtive CVE-2008-6948 (Unrestricted file upload vulnerability in Collabtive 0.4.8 allows remo ...) NOT-FOR-US: Collabtive CVE-2008-6947 (Collabtive 0.4.8 allows remote attackers to bypass authentication and ...) NOT-FOR-US: Collabtive CVE-2008-6946 (Cross-site scripting (XSS) vulnerability in manageproject.php in Colla ...) NOT-FOR-US: Collabtive CVE-2008-6945 (Multiple cross-site scripting (XSS) vulnerabilities in Interchange 5.7 ...) - interchange 5.6.1-1 (low; bug #505732) CVE-2008-6944 (Unrestricted file upload vulnerability in ScriptsFeed Auto Classifieds ...) NOT-FOR-US: ScriptsFeed Auto Classifieds CVE-2008-6943 (Unrestricted file upload vulnerability in ScriptsFeed Recipes Listing ...) NOT-FOR-US: ScriptsFeed Recipes Listing Portal CVE-2008-6942 (Unrestricted file upload vulnerability in ScriptsFeed Realtor Classifi ...) NOT-FOR-US: ScriptsFeed Realtor Classifieds System CVE-2008-6941 (SQL injection vulnerability in the login functionality in TurnkeyForms ...) NOT-FOR-US: TurnkeyForms Web Hosting Directory CVE-2008-6940 (TurnkeyForms Web Hosting Directory stores sensitive information under ...) NOT-FOR-US: TurnkeyForms Web Hosting Directory CVE-2008-6939 (TurnkeyForms Web Hosting Directory allows remote attackers to bypass a ...) NOT-FOR-US: TurnkeyForms Web Hosting Directory CVE-2008-6938 (Pi3Web 2.0.3 before PL2, when installed on Windows as a desktop applic ...) NOT-FOR-US: Pi3Web CVE-2008-6937 (Argument injection vulnerability in Exodus 0.10 allows remote attacker ...) NOT-FOR-US: Exodus CVE-2008-6936 (Argument injection vulnerability in Exodus 0.10 allows remote attacker ...) NOT-FOR-US: Exodus CVE-2008-6935 (Argument injection vulnerability in Exodus 0.10 allows remote attacker ...) NOT-FOR-US: Exodus CVE-2008-6934 (Static code injection vulnerability in Sanus|artificium (aka Sanusart) ...) NOT-FOR-US: Sanus|artificium (aka Sanusart) CVE-2008-6933 (Directory traversal vulnerability in index.php in MiniGal b13 (aka MG2 ...) NOT-FOR-US: MiniGal CVE-2008-6932 (Unrestricted file upload vulnerability in submit_file.php in AlstraSof ...) NOT-FOR-US: AlstraSoft SendIt Pro CVE-2008-6931 (Unrestricted file upload vulnerability in PHPStore Job Search (aka PHP ...) NOT-FOR-US: PHPStore Job Search (aka PHPCareers) CVE-2008-6930 (Unrestricted file upload vulnerability in PHPStore Real Estate allows ...) NOT-FOR-US: PHPStore Real Estate CVE-2008-6929 (Unrestricted file upload vulnerability in PHPStore Auto Classifieds al ...) NOT-FOR-US: PHPStore Auto Classifieds CVE-2008-6928 (Unrestricted file upload vulnerability in PHPStore Complete Classified ...) NOT-FOR-US: PHPStore Complete Classifieds CVE-2009-2737 (The EditCSVAction function in cgi/actions.py in Roundup 1.2 before 1.2 ...) {DSA-1754-1} - roundup 1.4.4-4+lenny1 (bug #518768) CVE-2009-2736 (Static code injection vulnerability in admin.php in sun-jester OpenNew ...) NOT-FOR-US: OpenNews CVE-2009-2735 (SQL injection vulnerability in admin.php in sun-jester OpenNews 1.0, w ...) NOT-FOR-US: OpenNews CVE-2009-2734 (SQL injection vulnerability in the get_employee function in classweekr ...) NOT-FOR-US: Achievo CVE-2009-2733 (Multiple cross-site scripting (XSS) vulnerabilities in Achievo before ...) NOT-FOR-US: Achievo CVE-2009-2732 (The checkHTTPpassword function in http.c in ntop 3.3.10 and earlier al ...) - ntop 3:3.3-12 (low; bug #543312) [lenny] - ntop (Minor issue) [etch] - ntop (Minor issue) CVE-2009-2731 RESERVED CVE-2009-2730 (libgnutls in GnuTLS before 2.8.2 does not properly handle a '\0' chara ...) {DSA-1935-1} - gnutls26 2.8.3-1 (low; bug #541439) - gnutls13 CVE-2009-2729 RESERVED CVE-2009-2728 RESERVED CVE-2009-2727 (Stack-based buffer overflow in the _tt_internal_realpath function in t ...) NOT-FOR-US: IBM AIX CVE-2009-2726 (The SIP channel driver in Asterisk Open Source 1.2.x before 1.2.34, 1. ...) - asterisk 1:1.6.2.0~dfsg~rc1-1 (bug #541441) [squeeze] - asterisk (Doesn't permit SIP packets to exceed 1500 bytes total) [lenny] - asterisk (Doesn't permit SIP packets to exceed 1500 bytes total) [etch] - asterisk (Doesn't permit SIP packets to exceed 1500 bytes total) CVE-2009-2725 RESERVED CVE-2009-2724 (Race condition in the java.lang package in Sun Java SE 5.0 before Upda ...) - sun-java5 1.5.0-20-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 NOTE: unknown impact and attack vectors CVE-2009-2723 (Unspecified vulnerability in deserialization in the Provider class in ...) - sun-java5 1.5.0-20-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 NOTE: unknown impact and attack vectors CVE-2009-2722 (Multiple unspecified vulnerabilities in the Provider class in Sun Java ...) - sun-java5 1.5.0-20-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 NOTE: unknown impact and attack vectors CVE-2009-2721 (Multiple unspecified vulnerabilities in the Provider class in Sun Java ...) - sun-java5 1.5.0-20-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 NOTE: unknown impact and attack vectors CVE-2009-2720 (Unspecified vulnerability in the javax.swing.plaf.synth.SynthContext.i ...) - sun-java6 6-15-1 [etch] - sun-java6 (Non-free not supported) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b16-1 (medium; bug #560908) CVE-2009-2719 (The Java Web Start implementation in Sun Java SE 6 before Update 15 al ...) - sun-java6 6-15-1 [etch] - sun-java6 (Non-free not supported) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b16-1 (medium; bug #560908) CVE-2009-2718 (The Abstract Window Toolkit (AWT) implementation in Sun Java SE 6 befo ...) - sun-java6 6-15-1 [etch] - sun-java6 (Non-free not supported) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b16-1 (medium; bug #560908) CVE-2009-2717 (The Abstract Window Toolkit (AWT) implementation in Sun Java SE 6 befo ...) - sun-java6 6-15-1 [etch] - sun-java6 (Non-free not supported) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b16-1 (medium; bug #560908) CVE-2009-2716 (The plugin functionality in Sun Java SE 6 before Update 15 does not pr ...) - sun-java6 6-15-1 [etch] - sun-java6 (Non-free not supported) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b16-1 (medium; bug #560908) CVE-2008-6927 (Multiple cross-site scripting (XSS) vulnerabilities in autoinstall4ima ...) NOT-FOR-US: cPanel CVE-2008-6926 (Directory traversal vulnerability in autoinstall4imagesgalleryupgrade. ...) NOT-FOR-US: cPanel CVE-2008-6925 (Cross-site scripting (XSS) vulnerability in function.php in Zenphoto 1 ...) NOT-FOR-US: Zenphoto CVE-2008-6924 (Multiple cross-site scripting (XSS) vulnerabilities in register.php in ...) NOT-FOR-US: eSyndiCat Directory CVE-2008-6923 (SQL injection vulnerability in the content component (com_content) 1.0 ...) NOT-FOR-US: Joomla! CVE-2008-6922 (Multiple stack-based buffer overflows in CMailCOM.dll in CMailServer 5 ...) NOT-FOR-US: CMailServer CVE-2008-6921 (Unrestricted file upload vulnerability in index.php in phpAdBoard 1.8 ...) NOT-FOR-US: phpAdBoard CVE-2008-6920 (Unrestricted file upload vulnerability in auth.php in phpEmployment 1. ...) NOT-FOR-US: phpEmployment CVE-2008-6919 (profileedit.php TaskDriver 1.3 and earlier allows remote attackers to ...) NOT-FOR-US: TaskDriver 1.3 CVE-2008-6918 (Unrestricted file upload vulnerability in admin/galeria.php in ThePort ...) NOT-FOR-US: ThePortal2 CVE-2009-2762 (wp-login.php in WordPress 2.8.3 and earlier allows remote attackers to ...) - wordpress 2.8.3-2 (unimportant; bug #541102) [lenny] - wordpress (Vulnerable code not present) [etch] - wordpress (Vulnerable code not present) NOTE: not really a security issue in my opinion, just an annoying bug CVE-2008-7291 (gri before 2.12.18 generates temporary files in an insecure way. ...) - gri 2.12.18-1 (low) [etch] - gri (Minor issue) [lenny] - gri (Minor issue) CVE-2009-2715 (Sun VirtualBox 2.2 through 3.0.2 r49928 allows guest OS users to cause ...) - virtualbox-ose 3.0.4-dfsg-1 (medium) [lenny] - virtualbox-ose (Doesn't affect 1.6.x) CVE-2009-2714 (Unspecified vulnerability in Sun VirtualBox 3.0.0 and 3.0.2 allows gue ...) - virtualbox-ose 3.0.4-dfsg-1 [lenny] - virtualbox-ose (Only 3.0.x affected per Sun advisory) CVE-2009-2713 (The CDCServlet component in Sun Java System Access Manager 7.0 2005Q4 ...) NOT-FOR-US: Sun Java System Access Manager CVE-2009-2712 (Sun Java System Access Manager 6.3 2005Q1, 7.0 2005Q4, and 7.1; and Op ...) NOT-FOR-US: Sun Java System Access Manager CVE-2009-2711 (XScreenSaver in Sun Solaris 9 and 10, OpenSolaris before snv_120, and ...) NOT-FOR-US: XScreenSaver in Sun Solaris CVE-2008-6917 (SQL injection vulnerability in admin.php in Exocrew ExoPHPDesk 1.2 Fin ...) NOT-FOR-US: ExoPHPDesk CVE-2008-6916 (Siemens SpeedStream 5200 with NetPort Software 1.1 allows remote attac ...) NOT-FOR-US: Siemens SpeedStream 5200 CVE-2008-6915 (Cross-site scripting (XSS) vulnerability in view_prop_details.php in Z ...) NOT-FOR-US: Zeeways ZEEPROPERTY CVE-2008-6914 (Unrestricted file upload vulnerability in viewprofile.php in Zeeways Z ...) NOT-FOR-US: Zeeways ZEEPROPERTY CVE-2008-6913 (Unrestricted file upload vulnerability in editresume_next.php in Zeewa ...) NOT-FOR-US: Zeeways ZEEPROPERTY CVE-2008-6912 (Zeeways SHAADICLONE 2.0 allows remote attackers to bypass authenticati ...) NOT-FOR-US: Zeeways SHAADICLONE CVE-2009-XXXX [mantis: information leak] - mantis 1.1.8+dfsg-2 (medium; bug #425010) [lenny] - mantis 1.1.6+dfsg-2lenny1 NOTE: cve id requested on oss-sec CVE-2009-3041 (SPIP 1.9 before 1.9.2i and 2.0.x through 2.0.8 does not use proper acc ...) - spip 2.0.9-1 (medium) CVE-2009-XXXX [rubygems: integrity violation] - libgems-ruby (Debian's version installs gems packages to /var/lib/gems, bug #540610) NOTE: so no opportunity to overwrite system files NOTE: CVE id already requested CVE-2009-XXXX [bugzilla: unauthorized bug modification] - bugzilla 3.2.4-1 (low) [etch] - bugzilla (minor issue) [lenny] - bugzilla (minor issue) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=495257 CVE-2009-5044 (contrib/pdfmark/pdfroff.sh in GNU troff (aka groff) before 1.21 allows ...) - groff 1.20.1-5 (low; bug #538330) [etch] - groff (pdfroff not yet present) [lenny] - groff (pdfroff not yet present) NOTE: requested CVE ids CVE-2009-XXXX [xscreensaver: local screen lock bypassable via low resolution video devices] - xscreensaver 5.05-3+nmu1 (low; bug #539699) [etch] - xscreensaver (vulnerable code not present) [lenny] - xscreensaver 5.05-3+lenny1 CVE-2009-2626 (The zend_restore_ini_entry_cb function in zend_ini.c in PHP 5.3.0, 5.2 ...) {DSA-1940-1} - php5 5.2.11.dfsg.1-1 (low; bug #540605) [etch] - php5 (too risky to fix it there) NOTE: requires the script itself to set and then restore a config var CVE-2009-XXXX [php5: 'open_basedir' bypass] - php5 5.3.1-1 (unimportant; bug #540606) NOTE: only affects 5.3.0 in experimental, open_basedir unsupported CVE-2009-2710 REJECTED CVE-2009-2709 REJECTED CVE-2009-2708 REJECTED CVE-2009-2707 (Unspecified vulnerability in ia32el (aka the IA 32 emulation functiona ...) NOT-FOR-US: SUSE Linux CVE-2009-2706 REJECTED CVE-2008-6911 (SQL injection vulnerability in the authenticateUser function in includ ...) NOT-FOR-US: BrewBlogger CVE-2008-6910 (Services 5.x before 5.x-0.92 and 6.x before 6.x-0.13, a module for Dru ...) NOT-FOR-US: module for Drupal CVE-2008-6909 (Services 5.x before 5.x-0.92 and 6.x before 6.x-0.13, a module for Dru ...) NOT-FOR-US: module for Drupal CVE-2008-6908 (Services 5.x before 5.x-0.92 and 6.x before 6.x-0.13, a module for Dru ...) NOT-FOR-US: module for Drupal CVE-2008-6907 (Multiple SQL injection vulnerabilities in checkuser.php in 2532designs ...) NOT-FOR-US: 2532designs 2532|Gigs CVE-2008-6906 (Cross-site scripting (XSS) vulnerability in index.php in BabbleBoard 1 ...) NOT-FOR-US: BabbleBoard CVE-2008-6905 (Cross-site request forgery (CSRF) vulnerability in index.php in Babble ...) NOT-FOR-US: BabbleBoard CVE-2009-2705 (CA SiteMinder allows remote attackers to bypass cross-site scripting ( ...) NOT-FOR-US: SiteMinder CVE-2009-2704 (CA SiteMinder allows remote attackers to bypass cross-site scripting ( ...) NOT-FOR-US: SiteMinder CVE-2009-2703 (libpurple/protocols/irc/msgs.c in the IRC protocol plugin in libpurple ...) - pidgin 2.6.2 (low) [lenny] - pidgin (Minor issue) [etch] - pidgin (Minor issue) [lenny] - gaim (Only a transitional package) - gaim NOTE: this is only a null ptr dereference and can only be triggered by a rogue irc server CVE-2009-2702 (KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a ' ...) {DSA-1916-1} - kdelibs 4:3.5.10.dfsg.1-2.1 (low; bug #546212) - kde4libs 4:4.3.2-1 (low; bug #546218) [lenny] - kde4libs (Minor issue) CVE-2009-2701 (Unspecified vulnerability in the Zope Enterprise Objects (ZEO) storage ...) - zodb 1:3.9.0-1 [etch] - zodb (The vulnerability was introduced in ZODB 3.8) [lenny] - zodb (The vulnerability was introduced in ZODB 3.8) CVE-2009-2700 (src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not ...) {DSA-1988-1} - qt4-x11 4:4.5.3-1 (medium; bug #545793) [etch] - qt4-x11 (QSsl* classes were introduced in Qt 4.3) CVE-2009-2699 (The Solaris pollset feature in the Event Port backend in poll/unix/por ...) - apr (does not affect Linux or kFreeBSD) CVE-2009-2698 (The udp_sendmsg function in the UDP implementation in (1) net/ipv4/udp ...) {DSA-1872-1} - linux-2.6 2.6.19-1 (high) - linux-2.6.24 (Fixed before initial upload, 2.6.19) CVE-2009-2697 (The Red Hat build script for the GNOME Display Manager (GDM) before 2. ...) - gdm (TCP Wrappers support enabled correctly) CVE-2009-2696 (Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the ca ...) NOT-FOR-US: Red-Hat-specific patching problem in Tomcat NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=616717 CVE-2009-2695 (The Linux kernel before 2.6.31-rc7 does not properly prevent mmap oper ...) {DSA-2005-1 DSA-1915-1} - linux-2.6 2.6.31-1 (medium) [etch] - linux-2.6 (2.6.18 does not have mmap_min_addr) - linux-2.6.24 (medium) CVE-2009-2694 (The msn_slplink_process_msg function in libpurple/protocols/msn/slplin ...) {DSA-1870-1} - pidgin 2.5.9-1 (medium; bug #542486) [lenny] - gaim (Only a transitional package) - gaim CVE-2009-2693 (Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.2 ...) {DSA-2207-1} - tomcat6 6.0.24-1 (low) [lenny] - tomcat6 (The package only ships the servlet packages) - tomcat5.5 CVE-2009-2692 (The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, d ...) {DSA-1864-1 DSA-1865-1 DSA-1862-1} - linux-2.6 2.6.30-6 (high; bug #541403) - linux-2.6.24 CVE-2009-2691 (The mm_for_maps function in fs/proc/base.c in the Linux kernel 2.6.30. ...) {DSA-2005-1} - linux-2.6 2.6.30-7 (low) [lenny] - linux-2.6 2.6.26-21 - linux-2.6.24 CVE-2009-2690 (The encoder in Sun Java SE 6 before Update 15, and OpenJDK, grants rea ...) - sun-java6 6-15-1 [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b16-1.6-1 (medium; bug #542210) CVE-2009-2689 (JDK13Services.getProviders in Sun Java SE 5.0 before Update 20 and 6 b ...) - sun-java5 1.5.0-20-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b16-1.6-1 (medium; bug #542210) CVE-2009-2688 (Multiple integer overflows in glyphs-eimage.c in XEmacs 21.4.22, when ...) - xemacs21 21.4.22-3 (low; bug #540470) [etch] - xemacs21 (Minor issue, obscure attack vector) [lenny] - xemacs21 (Minor issue, obscure attack vector) CVE-2009-2686 (Unspecified vulnerability in HP NonStop G06.12.00 through G06.32.00, H ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2009-2685 (Stack-based buffer overflow in the login form in the management web se ...) NOT-FOR-US: HP Power Manager CVE-2009-2684 (Multiple cross-site scripting (XSS) vulnerabilities in Jetdirect and t ...) NOT-FOR-US: Embedded Web Server in HP printers CVE-2009-2683 (Unspecified vulnerability in the Sender module in HP Remote Graphics S ...) NOT-FOR-US: HP Remote Graphics CVE-2009-2682 (Unspecified vulnerability in Role-Based Access Control (RBAC) in HP HP ...) NOT-FOR-US: HP-UX CVE-2009-2681 (Unspecified vulnerability in HP ProCurve Identity Driven Manager (IDM) ...) NOT-FOR-US: HP ProCurve Identity Driven Manager CVE-2009-2680 (Unspecified vulnerability in the Remote Management Interface (RMI) for ...) NOT-FOR-US: HP StorageWorks CVE-2009-2679 (Unspecified vulnerability in bootpd in HP HP-UX B.11.11, B.11.23, and ...) NOT-FOR-US: HP HP-UX CVE-2009-2678 (Unspecified vulnerability in Open System Services (OSS) Name Server on ...) NOT-FOR-US: Open System Services (OSS) Name Server on HP NonStop CVE-2009-2677 (Cross-site request forgery (CSRF) vulnerability in HP Insight Control ...) NOT-FOR-US: HP Insight Control Suite For Linux (aka ICE-LX) CVE-2009-2676 (Unspecified vulnerability in JNLPAppletlauncher in Sun Java SE, and SE ...) - sun-java5 1.5.0-20-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-15-1 [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 (bug #566769) [wheezy] - openjdk-6 CVE-2009-2675 (Integer overflow in the unpack200 utility in Sun Java Runtime Environm ...) - sun-java5 1.5.0-20-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-15-1 [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 (bug #566769) [wheezy] - openjdk-6 CVE-2009-2674 (Integer overflow in javaws.exe in Sun Java Web Start in Sun Java Runti ...) - sun-java5 1.5.0-20-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-15-1 [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b16-1.6-1 (medium; bug #542210) CVE-2009-2673 (The proxy mechanism implementation in Sun Java Runtime Environment (JR ...) - sun-java5 1.5.0-20-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-15-1 [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b16-1.6-1 (medium; bug #542210) CVE-2009-2672 (The proxy mechanism implementation in Sun Java Runtime Environment (JR ...) - sun-java5 1.5.0-20-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-15-1 [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b16-1.6-1 (medium; bug #542210) CVE-2009-2671 (The SOCKS proxy implementation in Sun Java Runtime Environment (JRE) i ...) - sun-java5 1.5.0-20-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-15-1 [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b16-1.6-1 (medium; bug #542210) CVE-2009-2670 (The audio system in Sun Java Runtime Environment (JRE) in JDK and JRE ...) - sun-java5 1.5.0-20-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-15-1 [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b16-1.6-1 (medium; bug #542210) CVE-2009-2669 (A certain debugging component in IBM AIX 5.3 and 6.1 does not properly ...) NOT-FOR-US: IBM AIX CVE-2009-2668 (Microsoft Internet Explorer 6 through 6.0.2900.2180 and 7 through 7.0. ...) NOT-FOR-US: Microsoft CVE-2009-2667 (Unspecified vulnerability in IBM Tivoli Key Lifecycle Manager (TKLM) 1 ...) NOT-FOR-US: IBM Tivoli Key Lifecycle Manager CVE-2008-6904 (Multiple unspecified vulnerabilities in Sophos SAVScan 4.33.0 for Linu ...) NOT-FOR-US: Sophos SAVScan CVE-2008-6903 (Sophos Anti-Virus for Windows before 7.6.3, Anti-Virus for Windows NT/ ...) NOT-FOR-US: Sophos SAVScan CVE-2008-6902 (Unrestricted file upload vulnerability in upload_flyer.php in 2532desi ...) NOT-FOR-US: 2532designs CVE-2008-6901 (Multiple directory traversal vulnerabilities in 2532designs 2532|Gigs ...) NOT-FOR-US: 2532designs CVE-2008-6900 (Unrestricted file upload vulnerability in "Add Pen/Author Name" featur ...) NOT-FOR-US: AvailScript Article Script CVE-2008-6899 (Multiple buffer overflows in freeSSHd 1.2.1 allow remote authenticated ...) NOT-FOR-US: freeSSHd CVE-2008-6898 (Buffer overflow in the XHTTP Module 4.1.0.0 in the ActiveX control for ...) NOT-FOR-US: ActiveX control CVE-2008-6897 (Multiple buffer overflows in Getleft.exe in Andres Garcia Getleft 1.2 ...) NOT-FOR-US: Andres Garcia Getleft CVE-2009-2666 (socket.c in fetchmail before 6.3.11 does not properly handle a '\0' ch ...) {DSA-1852-1} - fetchmail 6.3.9~rc2-6 CVE-2009-2665 (The nsDocument::SetScriptGlobalObject function in content/base/src/nsD ...) - xulrunner 1.9.1.8-1 [lenny] - xulrunner (vulnerability introduced in firefox 3.5) [etch] - xulrunner (vulnerability introduced in firefox 3.5) CVE-2009-2664 (The js_watch_set function in js/src/jsdbgapi.cpp in the JavaScript eng ...) {DSA-1873-1} - xulrunner 1.9.0.13-1 [etch] - xulrunner (Mozilla packages from oldstable no longer covered by security support) CVE-2009-2663 (libvorbis before r16182, as used in Mozilla Firefox 3.5.x before 3.5.2 ...) {DSA-1939-1} - libvorbisidec 1.0.2+svn16259-2 (bug #669196) [squeeze] - libvorbisidec (Minor issue, no dev-deps) - libvorbis 1.2.0.dfsg-6 (medium; bug #540958) - xulrunner 1.9.1.2-1 (medium; bug #540961) [etch] - xulrunner (vulnerability introduced in 1.9.1.0) [lenny] - xulrunner (vulnerability introduced in 1.9.1.0) CVE-2009-2662 (The browser engine in Mozilla Firefox 3.5.x before 3.5.2 allows remote ...) {DSA-1873-1} - xulrunner 1.9.0.13-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-2661 (The asn1_length function in strongSwan 2.8 before 2.8.11, 4.2 before 4 ...) {DSA-1899-1} - strongswan 4.3.2-1.1 (bug #540144) CVE-2009-2660 (Multiple integer overflows in CamlImages 2.2 might allow context-depen ...) {DSA-1912-2 DSA-1912-1 DSA-1857-1} - camlimages 1:3.0.1-3 (low; bug #540146) - advi 1.6.0-15 (low; bug #551282) CVE-2009-2657 (nilfs-utils before 2.0.14 installs multiple programs with unnecessary ...) - nilfs2-tools (dh_fixperms removes the setuid and setgid bits from all files) CVE-2009-2656 (Unspecified vulnerability in the com.android.phone process in Android ...) NOT-FOR-US: Android CVE-2008-6896 (login.php in 3CX Phone System 6.0.806.0, when 100% disk capacity is re ...) NOT-FOR-US: 3CX Phone System CVE-2008-6895 (3CX Phone System 6.0.806.0 allows remote attackers to cause a denial o ...) NOT-FOR-US: 3CX Phone System CVE-2008-6894 (Multiple cross-site scripting (XSS) vulnerabilities in login.php in 3C ...) NOT-FOR-US: 3CX Phone System CVE-2008-6893 (Cross-site scripting (XSS) vulnerability in Alt-N MDaemon WorldClient ...) NOT-FOR-US: MDaemon WorldClient CVE-2008-6892 (SQL injection vulnerability in lire/index.php in Peel 3.1 allows remot ...) NOT-FOR-US: Peel CVE-2009-2655 (mshtml.dll in Microsoft Internet Explorer 7 and 8 on Windows XP SP3 al ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-2654 (Mozilla Firefox before 3.0.13, and 3.5.x before 3.5.2, allows remote a ...) {DSA-1873-1} - xulrunner 1.9.0.13-1 (low; bug #539891) [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-2653 NOT-FOR-US: Microsoft Windows CVE-2009-2652 (Unspecified vulnerability in Solaris Trusted Extensions in Sun Solaris ...) NOT-FOR-US: Solaris Trusted Extensions CVE-2008-6891 (Multiple cross-site scripting (XSS) vulnerabilities in ASP Forum Scrip ...) NOT-FOR-US: ASP Forum Script CVE-2008-6890 (SQL injection vulnerability in messages.asp in ASP Forum Script allows ...) NOT-FOR-US: ASP Forum Script CVE-2008-6889 (SQL injection vulnerability in Merchantsadd.asp in ASPReferral 5.3 all ...) NOT-FOR-US: ASPReferral CVE-2008-6888 (Cross-site scripting (XSS) vulnerability in signup.asp in Pre Classifi ...) NOT-FOR-US: Pre Classified Listings CVE-2008-6887 (SQL injection vulnerability in detailad.asp in Pre Classified Listings ...) NOT-FOR-US: Pre Classified Listings CVE-2008-6886 (RSA EnVision 3.5.0, 3.5.1, 3.5.2, and 3.7.0 does not properly restrict ...) NOT-FOR-US: RSA EnVision CVE-2008-6885 (Cross-site scripting (XSS) vulnerability in pmlite.php in XOOPS 2.3.1 ...) NOT-FOR-US: XOOPS CVE-2008-6884 (Multiple directory traversal vulnerabilities in XOOPS 2.3.1, when regi ...) NOT-FOR-US: XOOPS CVE-2009-3938 (Buffer overflow in the ABWOutputDev::endWord function in poppler/ABWOu ...) {DSA-1941-1} - poppler 0.12.2-2.1 (low; bug #534680) [etch] - poppler (Vulnerable code not present) CVE-2009-2408 (Mozilla Network Security Services (NSS) before 3.12.3, Firefox before ...) {DSA-2025-1 DSA-1874-1} - nss 3.12.3-1 (medium; bug #539934) - icedove 2.0.0.24-1 (medium) CVE-2009-2651 (main/rtp.c in Asterisk Open Source 1.6.1 before 1.6.1.2 allows remote ...) - asterisk 1:1.6.2.0~dfsg~rc1-1 (low; bug #539473) [etch] - asterisk (Vulnerable code not present) [lenny] - asterisk (Vulnerable code not present) [squeeze] - asterisk (Vulnerable code not present) NOTE: AST-2009-004 CVE-2009-2650 (Heap-based buffer overflow in Sorcerer Software MultiMedia Jukebox 4.0 ...) NOT-FOR-US: Sorcerer Software MultiMedia Jukebox CVE-2009-2649 (The IATA (ata) driver in FreeBSD 6.0 and 8.0, when read access to /dev ...) - kfreebsd-8 8.0-1 (bug #572811) - kfreebsd-7 7.3-1 (bug #572811) [lenny] - kfreebsd-7 (KFreebsd not supported) - kfreebsd-6 (bug #572811) [lenny] - kfreebsd-6 (KFreebsd not supported) CVE-2009-2648 (FlashDen Guestbook allows remote attackers to obtain configuration inf ...) NOT-FOR-US: FlashDen Guestbook CVE-2009-2647 (Unspecified vulnerability in Kaspersky Anti-Virus 2010 and Kaspersky I ...) NOT-FOR-US: Kaspersky Anti-Virus CVE-2009-2646 (Multiple unspecified vulnerabilities in the PDF distiller in the Attac ...) NOT-FOR-US: Research In Motion (RIM) BlackBerry Enterprise Server (BES) CVE-2009-2645 REJECTED CVE-2009-2644 (Race condition in the Solaris Auditing subsystem in Sun Solaris 9 and ...) NOT-FOR-US: Sun Solaris CVE-2008-6883 (SQL injection vulnerability in the Live Chat (com_livechat) component ...) NOT-FOR-US: Joomla! CVE-2008-6882 (Live Chat (com_livechat) component 1.0 for Joomla! allows remote attac ...) NOT-FOR-US: Joomla! CVE-2008-6881 (Multiple SQL injection vulnerabilities in the Live Chat (com_livechat) ...) NOT-FOR-US: Joomla! CVE-2008-6880 (SQL injection vulnerability in joke.php in EasySiteNetwork Free Jokes ...) NOT-FOR-US: EasySiteNetwork Free Jokes Website CVE-2008-6879 (Cross-site scripting (XSS) vulnerability in Apache Roller 2.3, 3.0, 3. ...) NOT-FOR-US: Apache Roller CVE-2009-2659 (The Admin media handler in core/servers/basehttp.py in Django 1.0 and ...) - python-django 1.1-1 (low; bug #539134) [etch] - python-django (Minor issue) [lenny] - python-django 1.0.2-1+lenny1 CVE-2009-2643 (Multiple unspecified vulnerabilities in the PDF distiller in the Attac ...) NOT-FOR-US: BlackBerry Products CVE-2009-XXXX [ser2net DoS] - ser2net 2.6-1 (low; bug #535159) [etch] - ser2net (Minor issue) [lenny] - ser2net (Minor issue) CVE-2009-2642 (index.php in Desi Short URL Script 1.0 allows remote attackers to bypa ...) NOT-FOR-US: Desi Short URL CVE-2009-2641 (PHP remote file inclusion vulnerability in app_and_readme/navigator/in ...) NOT-FOR-US: School Data Navigator CVE-2009-2640 (Multiple SQL injection vulnerabilities in cgi/admin.cgi in Interlogy P ...) NOT-FOR-US: Interlogy Profile Manager Basic CVE-2009-2639 (SQL injection vulnerability in admin.php in MRCGIGUY The Ticket System ...) NOT-FOR-US: MRCGIGUY CVE-2009-2638 (SQL injection vulnerability in the AkoBook (com_akobook) component 2.3 ...) NOT-FOR-US: Joomla! component CVE-2009-2637 (PHP remote file inclusion vulnerability in toolbar_ext.php in the Book ...) NOT-FOR-US: Joomla! component CVE-2009-2636 (Cross-site scripting (XSS) vulnerability in the Integration page in th ...) NOT-FOR-US: WebMail component in Kerio MailServer CVE-2009-2635 (PHP remote file inclusion vulnerability in toolbar_ext.php in the Real ...) NOT-FOR-US: Joomla! component CVE-2009-2634 (PHP remote file inclusion vulnerability in toolbar_ext.php in the Medi ...) NOT-FOR-US: Joomla! component CVE-2009-2633 (PHP remote file inclusion vulnerability in toolbar_ext.php in the Vehi ...) NOT-FOR-US: Joomla! component CVE-2009-2632 (Buffer overflow in the SIEVE script component (sieve/script.c), as use ...) {DSA-1893-1 DSA-1892-1 DSA-1881-1} - cyrus-imapd-2.2 2.2.13-15 (medium) - kolab-cyrus-imapd 2.2.13-5.1 (medium; bug #547712) - dovecot 1:1.2.1-1 (medium; bug #546656) CVE-2009-2631 (Multiple clientless SSL VPN products that run in web browsers, includi ...) NOT-FOR-US: Commercial SSL VPN products CVE-2009-2630 RESERVED CVE-2009-2629 (Buffer underflow in src/http/ngx_http_parse.c in nginx 0.1.0 through 0 ...) {DSA-1884-1} - nginx 0.7.61-3 (medium) CVE-2009-2628 (The VMnc media codec in vmnc.dll in VMware Movie Decoder before 6.5.3 ...) NOT-FOR-US: VMware Movie Decoder CVE-2009-2627 (Insecure method vulnerability in the Acer LunchApp (aka AcerCtrls.APlu ...) NOT-FOR-US: Acer LunchApp CVE-2009-2625 (XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime En ...) {DSA-1984-1} - sun-java5 1.5.0-20-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-15-1 [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b16-1.6-1 (medium; bug #542210) - libxerces2-java 2.9.1-4.1 (bug #548358) CVE-2009-2624 (The huft_build function in inflate.c in gzip before 1.3.13 creates a h ...) {DSA-1974-1} - gzip 1.3.12-8 (medium; bug #507263) CVE-2009-2623 RESERVED CVE-2009-2620 (src/remote/server.cpp in fbserver.exe in Firebird SQL 1.5 before 1.5.6 ...) - firebird2.0 2.0.5.13206-0.ds2-4 (low; bug #539477) [lenny] - firebird2.0 2.0.4.13130-1.ds1-4+lenny1 - firebird2.1 2.1.2.18118-0.ds1-4 (low; bug #539478) CVE-2009-2619 (SQL injection vulnerability in login.asp in DataCheck Solutions V-Spac ...) NOT-FOR-US: DataCheck Solutions V-SpacePal CVE-2009-2618 (SQL injection vulnerability in the Surveys (aka NS-Polls) module in MD ...) NOT-FOR-US: MDPro module CVE-2009-2617 (Stack-based buffer overflow in medialib.dll in BaoFeng Storm 3.9.62 al ...) NOT-FOR-US: BaoFeng Storm CVE-2009-2616 (SQL injection vulnerability in z_admin_login.asp in DataCheck Solution ...) NOT-FOR-US: DataCheck Solutions CVE-2009-2615 (Multiple cross-site scripting (XSS) vulnerabilities in DataCheck Solut ...) NOT-FOR-US: DataCheck Solutions CVE-2009-2614 (SQL injection vulnerability in z_admin_login.asp in DataCheck Solution ...) NOT-FOR-US: DataCheck Solutions CVE-2009-2613 (Multiple cross-site scripting (XSS) vulnerabilities in DataCheck Solut ...) NOT-FOR-US: DataCheck Solutions CVE-2009-2612 (SQL injection vulnerability in login.aspx in ProSMDR allows remote att ...) NOT-FOR-US: ProSMDR CVE-2009-2611 (Directory traversal vulnerability in infusions/last_seen_users_panel/l ...) NOT-FOR-US: MyFusion CVE-2009-2610 (Cross-site scripting (XSS) vulnerability in the Links Related module i ...) NOT-FOR-US: Drupal module CVE-2009-2609 (SQL injection vulnerability in the amoCourse (com_amocourse) component ...) NOT-FOR-US: Joomla! module CVE-2009-2608 (Multiple SQL injection vulnerabilities in PHP Address Book 4.0.x allow ...) NOT-FOR-US: PHP Address Book CVE-2009-2607 (SQL injection vulnerability in the com_pinboard component for Joomla! ...) NOT-FOR-US: Joomla! component CVE-2009-2606 (ASP Football Pool 2.3 stores sensitive information under the web root ...) NOT-FOR-US: ASP Football Pool CVE-2009-2605 (Multiple SQL injection vulnerabilities in adminquery.php in Traidnt Up ...) NOT-FOR-US: Traidnt up CVE-2009-2604 (Multiple SQL injection vulnerabilities in adminlogin.asp in Zen Help D ...) NOT-FOR-US: Zen Help Desk CVE-2009-2603 (Multiple SQL injection vulnerabilities in index.php in Escon SupportPo ...) NOT-FOR-US: Escon SupportPortal Pro CVE-2009-2602 (R2 Newsletter Lite, Pro, and Stats stores sensitive information under ...) NOT-FOR-US: R2 Newsletter Store CVE-2009-2601 (SQL injection vulnerability in the Joomlaequipment (aka JUser or com_j ...) NOT-FOR-US: Joomla! component CVE-2009-2600 (Multiple directory traversal vulnerabilities in view.php in Webboard 2 ...) NOT-FOR-US: Webboard CVE-2009-2599 (SQL injection vulnerability in index.php in RadCLASSIFIEDS Gold 2.0 al ...) NOT-FOR-US: RadCLASSIFIEDS CVE-2009-2598 (Multiple SQL injection vulnerabilities in Online Grades & Attendan ...) NOT-FOR-US: Online Grades & Attendance CVE-2009-2597 (The Sun Java System (SJS) Access Manager Policy Agent module 2.2 for S ...) NOT-FOR-US: Sun Java System (SJS) Access Manager Policy Agent module 2.2 for SJS Web Proxy Server CVE-2009-2596 (Unspecified vulnerability in the Solaris Auditing subsystem in Sun Sol ...) NOT-FOR-US: Solaris Auditing subsystem CVE-2008-6878 (** DISPUTED ** Directory traversal vulnerability in admin/includes/lan ...) NOT-FOR-US: Zen Cart CVE-2008-6877 NOT-FOR-US: Zen Cart CVE-2009-2622 (Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 allows remote ...) {DSA-1843-2 DSA-1843-1} - squid3 3.0.STABLE18-1 (medium; bug #538989) - squid (see NOTE) NOTE: squid 2.x not affected, according to NOTE: http://www.squid-cache.org/Advisories/SQUID-2009_2.txt CVE-2009-2621 (Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 does not prope ...) {DSA-1843-2 DSA-1843-1} - squid3 3.0.STABLE18-1 (medium; bug #538989) - squid (see NOTE) NOTE: squid 2.x not affected, according to NOTE: http://www.squid-cache.org/Advisories/SQUID-2009_2.txt CVE-2009-2595 (Cross-site scripting (XSS) vulnerability in productSearch.html in Cens ...) NOT-FOR-US: Censura CVE-2009-2594 (Cross-site scripting (XSS) vulnerability in censura.php in Censura 1.1 ...) NOT-FOR-US: Censura CVE-2009-2593 (SQL injection vulnerability in censura.php in Censura 1.16.04 allows r ...) NOT-FOR-US: Censura CVE-2009-2592 (SQL injection vulnerability in guestbook.php in PHPJunkYard GBook 1.6 ...) NOT-FOR-US: PHPJunkYard CVE-2009-2591 (SQL injection vulnerability in the MyAnnonces module for E-Xoopport 3. ...) NOT-FOR-US: MyAnnonces module for E-Xoopport CVE-2009-2590 (SQL injection vulnerability in showcategory.php in Hutscripts PHP Webs ...) NOT-FOR-US: Hutscripts PHP CVE-2009-2589 (Multiple cross-site scripting (XSS) vulnerabilities in Hutscripts PHP ...) NOT-FOR-US: Hutscripts PHP CVE-2009-2588 (Multiple cross-site scripting (XSS) vulnerabilities in Hotscripts Type ...) NOT-FOR-US: Hotscripts Type PHP Clone Script CVE-2009-2587 (Multiple cross-site scripting (XSS) vulnerabilities in DragDropCart al ...) NOT-FOR-US: DragDropCart CVE-2009-2586 (Cross-site scripting (XSS) vulnerability in articles.php in EDGEPHP EZ ...) NOT-FOR-US: EZArticles CVE-2009-2585 (SQL injection vulnerability in index.php in Mlffat 2.2 allows remote a ...) NOT-FOR-US: Mlffat CVE-2008-6876 (Cross-site scripting (XSS) vulnerability in login.php in EsPartenaires ...) NOT-FOR-US: EsPartenaires CVE-2008-6875 (SQL injection vulnerability in default.asp in ASP Product Catalog allo ...) NOT-FOR-US: ASP Product Catalog CVE-2008-6874 (Multiple SQL injection vulnerabilities in ASP SiteWare autoDealer 1 an ...) NOT-FOR-US: ASP SiteWare autoDealer CVE-2009-XXXX [nilfs-tools privilege escalation] - nilfs2-tools (We don't install this with setuid) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=505374 CVE-2009-XXXX [XSS in drupal 6 calendar field] - drupal6 (unimportant) NOTE: you need to be able to create new calendar items, e.g. admistrative NOTE: access in order to exploit that NOTE: http://lists.grok.org.uk/pipermail/full-disclosure/2009-July/069849.html CVE-2009-2584 (Off-by-one error in the options_write function in drivers/misc/sgi-gru ...) - linux-2.6 2.6.31-2 (high) [etch] - linux-2.6 (vulnerable code not present) [lenny] - linux-2.6 (vulnerable code not present) - linux-2.6.24 (vulnerable code not present) NOTE: exploit code exists CVE-2009-2583 (Multiple session fixation vulnerabilities in IBM Tivoli Identity Manag ...) NOT-FOR-US: IBM Tivoli CVE-2009-2582 (Stack-based buffer overflow in manager.exe in Akamai Download Manager ...) NOT-FOR-US: Akamai Download Manager CVE-2009-2581 (Cross-site scripting (XSS) vulnerability in modifier.php in EditeurScr ...) NOT-FOR-US: EditeurScripts EsNews CVE-2009-2580 REJECTED CVE-2009-2579 (SQL injection vulnerability in reward_points.post.php in the Reward po ...) NOT-FOR-US: CS-Cart CVE-2009-2578 (Google Chrome 2.x through 2.0.172 allows remote attackers to cause a d ...) - chromium-browser (Only 2.x is affected) NOTE: browser denial of services not considered security-relevant CVE-2009-2577 (Opera 9.52 and earlier allows remote attackers to cause a denial of se ...) NOT-FOR-US: Opera CVE-2009-2576 (Microsoft Internet Explorer 6.0.2900.2180 and earlier allows remote at ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-2575 (The Research In Motion (RIM) BlackBerry 8800 allows remote attackers t ...) NOT-FOR-US: BlackBerry CVE-2009-2574 (index.php in MiniTwitter 0.2 beta allows remote authenticated users to ...) NOT-FOR-US: MiniTwitter CVE-2009-2573 (Multiple SQL injection vulnerabilities in MiniTwitter 0.2 beta, when m ...) NOT-FOR-US: MiniTwitter CVE-2009-2572 (Cross-site request forgery (CSRF) vulnerability in the Fivestar module ...) NOT-FOR-US: Drupal Module CVE-2009-2571 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Ve ...) NOT-FOR-US: VerliAdmin CVE-2009-2570 (Stack-based buffer overflow in the Symantec.FaxViewerControl.1 ActiveX ...) NOT-FOR-US: Symantec WinFax Pro CVE-2009-2569 (Multiple cross-site scripting (XSS) vulnerabilities in Verlihub Contro ...) NOT-FOR-US: vhcp CVE-2009-2568 (Stack-based buffer overflow in Sorinara Streaming Audio Player (SAP) 0 ...) NOT-FOR-US: Sorinara Streaming Audio Player CVE-2009-2567 (SQL injection vulnerability in the Almond Classifieds (com_aclassf) co ...) NOT-FOR-US: Joomla! component CVE-2008-6873 (SQL injection vulnerability in Active Web Mail 4.0 allows remote attac ...) NOT-FOR-US: Active Web Mail 4.0 CVE-2008-6872 (ASPThai.NET ASPThai Forums 8.5 stores sensitive information under the ...) NOT-FOR-US: ASPThai.NET ASPThai Forums CVE-2008-6871 (Merlix Educate Server stores db.mdb under the web root with insufficie ...) NOT-FOR-US: Merlix Educate Server CVE-2008-6870 (Merlix Educate Server allows remote attackers to bypass intended secur ...) NOT-FOR-US: Merlix Educate Server CVE-2008-6869 (Oramon Oracle Database Monitoring Tool 2.0.1 stores sensitive informat ...) NOT-FOR-US: Oramon Oracle Database Monitoring Tool CVE-2008-6868 (Cross-site scripting (XSS) vulnerability in default/login.php in Edite ...) NOT-FOR-US: EsBaseAdmin CVE-2009-2566 (Stack-based buffer overflow in TFM MMPlayer 2.0, and possibly 2.0.0.30 ...) NOT-FOR-US: TFM MMPlayer CVE-2009-2565 (Cross-site scripting (XSS) vulnerability in Perl CGI's By Mrs. Shiromu ...) NOT-FOR-US: Perl CGI's By Mrs. Shiromuku shiromuku CVE-2009-2564 (NOS Microsystems getPlus Download Manager, as used in Adobe Reader 1.6 ...) NOT-FOR-US: Adobe CVE-2009-2563 (Unspecified vulnerability in the Infiniband dissector in Wireshark 1.0 ...) - wireshark 1.2.1-1 (bug #538237) [etch] - wireshark (Only affects 1.0.6 to 1.2.0) [lenny] - wireshark (Only affects 1.0.6 to 1.2.0) CVE-2009-2562 (Unspecified vulnerability in the AFS dissector in Wireshark 0.9.2 thro ...) {DSA-1942-1} - wireshark 1.2.1-1 (low; bug #538237) [lenny] - wireshark 1.0.2-3+lenny6 [etch] - wireshark (Minor issue) CVE-2009-2561 (Unspecified vulnerability in the sFlow dissector in Wireshark 1.2.0 al ...) - wireshark 1.2.1-1 (bug #538237) [etch] - wireshark (Only affects 1.2.0) [lenny] - wireshark (Only affects 1.2.0) CVE-2009-2560 (Multiple unspecified vulnerabilities in Wireshark 1.2.0 allow remote a ...) {DSA-1942-1} - wireshark 1.2.1-1 (bug #538237) CVE-2009-2559 (Buffer overflow in the IPMI dissector in Wireshark 1.2.0 allows remote ...) - wireshark 1.2.1-1 (bug #538237) [etch] - wireshark (Only affects 1.2.0) [lenny] - wireshark (Only affects 1.2.0) CVE-2009-2558 (system/message.php in Admin News Tools 2.5 does not properly restrict ...) NOT-FOR-US: Admin News Tools CVE-2009-2557 (Directory traversal vulnerability in system/download.php in Admin News ...) NOT-FOR-US: Admin News Tools CVE-2009-2556 (Google Chrome before 2.0.172.37 allows attackers to leverage renderer ...) - chromium-browser (Only 2.x is affected) - webkit (chrome-specfic renderer issue) CVE-2009-2555 (Heap-based buffer overflow in src/jsregexp.cc in Google V8 before 1.1. ...) - chromium-browser (Only 1.x and 2.x are affected) - libv8 1.3.11+dfsg-1 - webkit (libv8 issue) CVE-2009-2658 (Directory traversal vulnerability in ZNC before 0.072 allows remote at ...) {DSA-1848-1} - znc 0.074-1 (medium; bug #537977) NOTE: http://znc.svn.sourceforge.net/viewvc/znc?view=rev&sortby=rev&sortdir=down&revision=1570 NOTE: CVE id requested CVE-2009-2554 (SQL injection vulnerability in the search method in jobline.class.php ...) NOT-FOR-US: Joomla! CVE-2009-2553 (Multiple SQL injection vulnerabilities in comments.php in Super Simple ...) NOT-FOR-US: Super Simple Blog Script CVE-2009-2552 (Multiple directory traversal vulnerabilities in comments.php in Super ...) NOT-FOR-US: Super Simple Blog Script CVE-2009-2551 (Multiple cross-site scripting (XSS) vulnerabilities in ScriptsEz Easy ...) NOT-FOR-US: ScriptsEz Easy Image Downloader CVE-2009-2550 (Stack-based buffer overflow in Hamster Audio Player 0.3a allows remote ...) NOT-FOR-US: Hamster Audio Player CVE-2009-2549 (Armed Assault (aka ArmA) 1.14 and earlier, and 1.16 beta, and Armed As ...) NOT-FOR-US: Armed Assault CVE-2009-2548 (Format string vulnerability in Armed Assault (aka ArmA) 1.14 and earli ...) NOT-FOR-US: Armed Assault CVE-2009-2547 (Integer underflow in Armed Assault (aka ArmA) 1.14 and earlier, and 1. ...) NOT-FOR-US: Armed Assault CVE-2009-2546 (Directory traversal vulnerability in Advanced Electron Forum (AEF) 1.x ...) NOT-FOR-US: Advanced Electron Forum CVE-2009-2545 (SQL injection vulnerability in Advanced Electron Forum (AEF) 1.x, when ...) NOT-FOR-US: Advanced Electron Forum CVE-2009-2544 (Directory traversal vulnerability in the Marcelo Costa FileServer comp ...) NOT-FOR-US: Marcelo Costa FileServer CVE-2009-2543 (Multiple unspecified vulnerabilities in the IBM Proventia engine 4.9.0 ...) NOT-FOR-US: IBM Proventia engine CVE-2009-2542 (Netscape 6 and 8 allows remote attackers to cause a denial of service ...) NOT-FOR-US: Netscape 6 and 8 CVE-2009-2541 (The web browser on the Sony PLAYSTATION 3 (PS3) allows remote attacker ...) NOT-FOR-US: Sony PLAYSTATION 3 CVE-2009-2540 (Opera, possibly 9.64 and earlier, allows remote attackers to cause a d ...) NOT-FOR-US: Opera CVE-2009-2539 (The Aigo P8860 allows remote attackers to cause a denial of service (m ...) NOT-FOR-US: Aigo P8860 CVE-2009-2538 (The Nokia N95 running Symbian OS 9.2, N82, and N810 Internet Tablet al ...) NOT-FOR-US: Nokia N95 CVE-2009-2537 (KDE Konqueror allows remote attackers to cause a denial of service (me ...) - kdebase (unimportant; bug #537931) CVE-2009-2536 (Microsoft Internet Explorer 5 through 8 allows remote attackers to cau ...) NOT-FOR-US: Microsoft Internet Explorer 5 CVE-2009-2535 (Mozilla Firefox before 2.0.0.19 and 3.x before 3.0.5, SeaMonkey, and T ...) - iceweasel 3.0.5-1 (unimportant) [etch] - iceweasel 2.0.0.19-0etch1 (unimportant) CVE-2009-2534 (RealNetworks Helix Server and Helix Mobile Server before 13.0.0 allow ...) NOT-FOR-US: RealNetworks Helix Server and Helix Mobile Server CVE-2009-2533 (rmserver in RealNetworks Helix Server and Helix Mobile Server before 1 ...) NOT-FOR-US: RealNetworks Helix Server and Helix Mobile Server CVE-2009-2532 (Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold a ...) NOT-FOR-US: Microsoft Windows Vista CVE-2009-2531 (Microsoft Internet Explorer 6, 6 SP1, 7, and 8 does not properly handl ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-2530 (Microsoft Internet Explorer 6, 6 SP1, 7, and 8 does not properly handl ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-2529 (Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, 7, and 8 does not prop ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-2528 (GDI+ in Microsoft Office XP SP3 does not properly handle malformed obj ...) NOT-FOR-US: Microsoft Office XP CVE-2009-2527 (Heap-based buffer overflow in Microsoft Windows Media Player 6.4 allow ...) NOT-FOR-US: Microsoft Windows Media Player CVE-2009-2526 (Microsoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP ...) NOT-FOR-US: Microsoft Windows Vista CVE-2009-2525 (Microsoft Windows Media Runtime, as used in DirectShow WMA Voice Codec ...) NOT-FOR-US: Microsoft Windows Media Runtime CVE-2009-2524 (Integer underflow in the NTLM authentication feature in the Local Secu ...) NOT-FOR-US: Microsoft Windows XP CVE-2009-2523 (The License Logging Server (llssrv.exe) in Microsoft Windows 2000 SP4 ...) NOT-FOR-US: Microsoft Windows 2000 CVE-2009-2522 REJECTED CVE-2009-2521 (Stack consumption vulnerability in the FTP Service in Microsoft Intern ...) NOT-FOR-US: Microsoft Internet Information Server CVE-2009-2520 REJECTED CVE-2009-2519 (The DHTML Editing Component ActiveX control in Microsoft Windows 2000 ...) NOT-FOR-US: Microsoft Windows CVE-2009-2518 (Integer overflow in GDI+ in Microsoft Office XP SP3 allows remote atta ...) NOT-FOR-US: Microsoft Office XP CVE-2009-2517 (The kernel in Microsoft Windows Server 2003 SP2 does not properly hand ...) NOT-FOR-US: Microsoft Windows Server 2003 CVE-2009-2516 (The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 ...) NOT-FOR-US: Microsoft Windows 2000 CVE-2009-2515 (Integer underflow in the kernel in Microsoft Windows 2000 SP4, XP SP2 ...) NOT-FOR-US: Microsoft Windows 2000 CVE-2009-2514 (win32k.sys in the kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3 ...) NOT-FOR-US: Microsoft Windows CVE-2009-2513 (The Graphics Device Interface (GDI) in win32k.sys in the kernel in Mic ...) NOT-FOR-US: Microsoft Windows CVE-2009-2512 (The Web Services on Devices API (WSDAPI) in Windows Vista Gold, SP1, a ...) NOT-FOR-US: Microsoft Windows CVE-2009-2511 (Integer overflow in the CryptoAPI component in Microsoft Windows 2000 ...) NOT-FOR-US: Microsoft Windows 2000 CVE-2009-2510 (The CryptoAPI component in Microsoft Windows 2000 SP4, Windows XP SP2 ...) NOT-FOR-US: Microsoft Windows 2000 CVE-2009-2509 (Active Directory Federation Services (ADFS) in Microsoft Windows Serve ...) NOT-FOR-US: Microsoft Active Directory Federation Services CVE-2009-2508 (The single sign-on implementation in Active Directory Federation Servi ...) NOT-FOR-US: Microsoft Active Directory Federation Services CVE-2009-2507 (A certain ActiveX control in the Indexing Service in Microsoft Windows ...) NOT-FOR-US: Microsoft Windows CVE-2009-2506 (Integer overflow in the text converters in Microsoft Office Word 2002 ...) NOT-FOR-US: Microsoft Office CVE-2009-2505 (The Internet Authentication Service (IAS) in Microsoft Windows Vista S ...) NOT-FOR-US: Microsoft Office CVE-2009-2504 (Multiple integer overflows in unspecified APIs in GDI+ in Microsoft .N ...) NOT-FOR-US: Microsoft products CVE-2009-2503 (GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Win ...) NOT-FOR-US: Microsoft products CVE-2009-2502 (Buffer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows ...) NOT-FOR-US: Microsoft products CVE-2009-2501 (Heap-based buffer overflow in GDI+ in Microsoft Internet Explorer 6 SP ...) NOT-FOR-US: Microsoft products CVE-2009-2500 (Integer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows ...) NOT-FOR-US: Microsoft products CVE-2009-2499 (Microsoft Windows Media Format Runtime 9.0, 9.5, and 11; and Microsoft ...) NOT-FOR-US: Microsoft Windows Media Format Runtime CVE-2009-2498 (Microsoft Windows Media Format Runtime 9.0, 9.5, and 11 and Windows Me ...) NOT-FOR-US: Microsoft Windows Media Format Runtime CVE-2009-2497 (The Common Language Runtime (CLR) in Microsoft .NET Framework 2.0, 2.0 ...) NOT-FOR-US: Microsoft products CVE-2009-2496 (Heap-based buffer overflow in the Office Web Components ActiveX Contro ...) NOT-FOR-US: Microsoft Office XP CVE-2009-2495 (The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 ...) NOT-FOR-US: Microsoft Visual Studio .NET CVE-2009-2494 (The Active Template Library (ATL) in Microsoft Windows 2000 SP4, XP SP ...) NOT-FOR-US: Microsoft Windows CVE-2009-2493 (The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 ...) NOT-FOR-US: Microsoft Visual Studio .NET CVE-2009-2492 (Cross-site scripting (XSS) vulnerability in mt-wizard.cgi in Six Apart ...) - movabletype-opensource 4.2.6.1-1 (low; bug #537935) [lenny] - movabletype-opensource 4.2.3-1+lenny1 CVE-2009-4589 (Cross-site scripting (XSS) vulnerability in the Special:Block implemen ...) - mediawiki 1:1.15.0-1.1 (low; bug #537634) - mediawiki1.7 [etch] - mediawiki (metapackage) [etch] - mediawiki1.7 (vulnerably code introduced in 1.14.0) [lenny] - mediawiki (vulnerably code introduced in 1.14.0) NOTE: fixed in upstream 1.15.1 CVE-2009-XXXX [insecure tmp file vulnerability in slim] - slim (unimportant; bug #537604) NOTE: exploit scenario too constructed [lenny] - slim 1.3.0-1+lenny2 CVE-2009-2484 (Stack-based buffer overflow in the Win32AddConnection function in modu ...) - vlc (The vulnerability affects Windows builds only) CVE-2009-2479 (Mozilla Firefox 3.0.x, 3.5, and 3.5.1 on Windows allows remote attacke ...) - xulrunner 1.9.1.1-1 [etch] - xulrunner (only affects firefox 3.5) [lenny] - xulrunner (only affects firefox 3.5) CVE-2009-2478 (Mozilla Firefox 3.5 allows remote attackers to cause a denial of servi ...) - xulrunner (unimportant) NOTE: browser crashes not treated as security issues CVE-2009-2476 (The Java Management Extensions (JMX) implementation in Sun Java SE 6 b ...) - sun-java6 6-15-1 [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b16-1.6-1 (medium; bug #542210) CVE-2009-2475 (Sun Java SE 5.0 before Update 20 and 6 before Update 15, and OpenJDK, ...) - sun-java5 1.5.0-20-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-15-1 [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b16-1.6-1 (medium; bug #542210) CVE-2009-2474 (neon before 0.28.6, when OpenSSL or GnuTLS is used, does not properly ...) - neon27 0.28.6-1 (low; bug #542926) [lenny] - neon27 (Minor issue) - neon26 0.26.4-3 (low; bug #542926) [lenny] - neon26 (Minor issue) - neon (low; bug #542926) [etch] - neon (Minor issue) - gnome-vfs2 NOTE: affected neon code copy present in gnome-vfs2 [./imported/*] - litmus 0.13-1 NOTE: affected neon code copy present in litmus [./libneon/*] NOTE: The new reintroduced litmus package removes the embedded copy CVE-2009-2473 (neon before 0.28.6, when expat is used, does not properly detect recur ...) - neon27 (neon27 is compiled to use libxml2 instead of expat) - neon26 (neon26 is compiled to use libxml2 instead of expat) - neon [etch] - neon (neon is compiled to use libxml2 instead of expat) CVE-2009-2472 (Mozilla Firefox before 3.0.12 does not always use XPCCrossOriginWrappe ...) {DSA-1840-1} - xulrunner 1.9.0.12-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-2471 (The setTimeout function in Mozilla Firefox before 3.0.12 does not prop ...) {DSA-1840-1} - xulrunner 1.9.0.12-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-2470 (Mozilla Firefox before 3.0.12, and 3.5.x before 3.5.2, allows remote S ...) {DSA-1840-1} - xulrunner 1.9.0.12-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-2469 (Mozilla Firefox before 3.0.12 does not properly handle an SVG element ...) {DSA-1840-1} - xulrunner 1.9.0.12-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-2468 (Integer overflow in Apple CoreGraphics, as used in Safari before 4.0.3 ...) NOT-FOR-US: CoreGraphics in Apple Mac OS X NOTE: related issue to CVE-2009-1194 CVE-2009-2467 (Mozilla Firefox before 3.0.12 and 3.5 before 3.5.1 allows remote attac ...) {DSA-1840-1} - xulrunner 1.9.0.12-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-2466 (The JavaScript engine in Mozilla Firefox before 3.0.12 and Thunderbird ...) {DSA-1840-1} - xulrunner 1.9.0.12-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-2465 (Mozilla Firefox before 3.0.12 and Thunderbird allow remote attackers t ...) {DSA-1840-1} - xulrunner 1.9.0.12-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-2464 (The nsXULTemplateQueryProcessorRDF::CheckIsSeparator function in Mozil ...) {DSA-1840-1} - xulrunner 1.9.0.12-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-2463 (Multiple integer overflows in the (1) PL_Base64Decode and (2) PL_Base6 ...) {DSA-2025-1 DSA-1931-1} - nspr 4.8.2-1 - icedove 3.0~rc2-2 [etch] - nspr (Mozilla packages from oldstable no longer covered by security support) CVE-2009-2462 (The browser engine in Mozilla Firefox before 3.0.12 and Thunderbird al ...) {DSA-1840-1} - xulrunner 1.9.0.12-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-2491 (The utaudiod daemon in Sun Ray Server Software (SRSS) 4.0, when Solari ...) NOT-FOR-US: Sun Ray Server Software CVE-2009-2490 (Unspecified vulnerability in the utaudiod daemon in Sun Ray Server Sof ...) NOT-FOR-US: Sun Ray Server Software CVE-2009-2489 (Unspecified vulnerability in the utdmsession program in Sun Ray Server ...) NOT-FOR-US: Sun Ray Server Software CVE-2009-2488 (Unspecified vulnerability in the NFSv4 module in the kernel in Sun Sol ...) NOT-FOR-US: Sun Solaris CVE-2009-2487 (Use-after-free vulnerability in the frpr_icmp function in the ipfilter ...) NOT-FOR-US: Sun Solaris CVE-2009-2486 (Unspecified vulnerability in the SCTP implementation in Sun Solaris 10 ...) NOT-FOR-US: Sun Solaris CVE-2009-2485 (Stack-based buffer overflow in HT-MP3Player 1.0 allows remote attacker ...) NOT-FOR-US: HT-MP3Player CVE-2009-2483 (libprop/prop_object.c in proplib in NetBSD 4.0 and 4.0.1 allows local ...) NOT-FOR-US: NetBSD CVE-2009-2482 (The pam_unix module in OpenPAM in NetBSD 4.0 before 4.0.2 and 5.0 befo ...) NOT-FOR-US: NetBSD OpenPAM CVE-2009-2481 (mt-wizard.cgi in Six Apart Movable Type before 4.261, when global temp ...) NOT-FOR-US: Six Apart Movable Type CVE-2009-2480 (Cross-site scripting (XSS) vulnerability in mt-wizard.cgi in Six Apart ...) NOT-FOR-US: Six Apart Movable Type CVE-2009-2461 (mathtex.cgi in mathTeX, when downloaded before 20090713, does not secu ...) - mathtex 1.03-1 (low; bug #537253) CVE-2009-2460 (Multiple stack-based buffer overflows in mathtex.cgi in mathTeX, when ...) - mathtex 1.03-1 (medium; bug #537253) NOTE: severity set to medium as this is used in several web applications for conversions CVE-2009-2459 (Multiple unspecified vulnerabilities in mimeTeX, when downloaded befor ...) {DSA-1917-1} - mimetex 1.50-1.1 (medium; bug #537254) NOTE: set impact to medium as this is used in several web applications for conversions CVE-2009-2458 (Unspecified vulnerability in Sun Fire V215 Server, when using XVR-100 ...) NOT-FOR-US: Sun Fire V215 Server CVE-2009-2457 (The DS\NDSD component in Novell eDirectory 8.8 before SP5 allows remot ...) NOT-FOR-US: Novell eDirectory CVE-2009-2456 (The DS\NDSD component in Novell eDirectory 8.8 before SP5 allows remot ...) NOT-FOR-US: Novell eDirectory CVE-2009-2455 (Multiple cross-site scripting (XSS) vulnerabilities in webadmin/admin. ...) NOT-FOR-US: @mail CVE-2009-2454 (Cross-site scripting (XSS) vulnerability in Citrix Web Interface 4.6, ...) NOT-FOR-US: Citrix Web Interface CVE-2009-2453 (Citrix XenApp (formerly Presentation Server) 4.5 Hotfix Rollup Pack 3 ...) NOT-FOR-US: Citrix XenApp CVE-2009-2452 (Multiple unspecified vulnerabilities in Citrix Licensing 11.5 have unk ...) NOT-FOR-US: Citrix Licensing CVE-2009-2451 (Multiple SQL injection vulnerabilities in index.php in MIM:InfiniX 1.2 ...) NOT-FOR-US: MIM:InfiniX CVE-2008-6867 (SQL injection vulnerability in content.php in Scripts For Sites (SFS) ...) NOT-FOR-US: Scripts For Sites CVE-2008-6866 (SQL injection vulnerability in modules.php in the Current_Issue module ...) NOT-FOR-US: PHP-Nuke CVE-2008-6865 (SQL injection vulnerability in modules.php in the Sectionsnew module f ...) NOT-FOR-US: PHP-Nuke CVE-2008-6864 (Xigla Software Absolute Live Support .NET 5.1 allows remote attackers ...) NOT-FOR-US: Xigla Software Absolute Live Support .NET CVE-2008-6863 (Xigla Software Absolute Form Processor .NET 4.0 allows remote attacker ...) NOT-FOR-US: Xigla Software CVE-2008-6862 (Absolute Content Rotator 6.0 allows remote attackers to bypass authent ...) NOT-FOR-US: Absolute Content Rotator CVE-2008-6861 (Xigla Software Absolute Newsletter 6.0 and 6.1 allows remote attackers ...) NOT-FOR-US: Xigla Software Absolute Newsletter CVE-2008-6860 (Xigla Software Absolute Poll Manager XE 4.1 allows remote attackers to ...) NOT-FOR-US: Xigla Software Absolute Poll Manager CVE-2008-6859 (Xigla Software Absolute Control Panel XE 1.5 allows remote attackers t ...) NOT-FOR-US: Xigla Software Absolute Control Panel CVE-2008-6858 (Absolute Banner Manager .NET 4.0 allows remote attackers to bypass aut ...) NOT-FOR-US: Absolute Banner Manager .NET CVE-2008-6857 (Absolute Podcast .NET 1.0 allows remote attackers to bypass authentica ...) NOT-FOR-US: Absolute Podcast .NET CVE-2008-6856 (Xigla Software Absolute News Manager.NET 5.1 allows remote attackers t ...) NOT-FOR-US: Xigla Software Absolute News Manager.NET CVE-2008-6855 (Xigla Software Absolute News Feed 1.0 and possibly 1.5 allows remote a ...) NOT-FOR-US: Xigla Software Absolute News Feed CVE-2008-6854 (Xigla Software Absolute FAQ Manager.NET 6.0 allows remote attackers to ...) NOT-FOR-US: Xigla Software Absolute FAQ Manager.NET CVE-2009-2477 (js/src/jstracer.cpp in the Just-in-time (JIT) JavaScript compiler (aka ...) - xulrunner 1.9.1.2-1 (bug #537104) [lenny] - xulrunner (vulnerable code introduced in firefox 3.5) [etch] - xulrunner (vulnerable code introduced in firefox 3.5) CVE-2009-2450 (The OAmon.sys kernel driver 3.1.0.0 and earlier in Tall Emu Online Arm ...) NOT-FOR-US: Tall Emu Online Armor Personal Firewall CVE-2009-2449 (Directory traversal vulnerability in maillinglist/admin/change_config. ...) NOT-FOR-US: ADbNewsSender CVE-2009-2448 (Cross-site scripting (XSS) vulnerability in ogp_show.php in Online Gue ...) NOT-FOR-US: Online Guestbook Pro CVE-2009-2447 (Multiple cross-site scripting (XSS) vulnerabilities in ogp_show.php in ...) NOT-FOR-US: Online Guestbook Pro CVE-2009-2445 (Oracle iPlanet Web Server (formerly Sun Java System Web Server or Sun ...) NOT-FOR-US: Sun ONE Web Server CVE-2009-2444 (Directory traversal vulnerability in maillinglist/setup/step1.php.inc ...) NOT-FOR-US: ADbNewsSender CVE-2009-2443 (Siteframe 3.2.3, and other 3.2.x versions, allows remote attackers to ...) NOT-FOR-US: Siteframe CVE-2009-2442 (Cross-site scripting (XSS) vulnerability in public/index.php in Linea2 ...) NOT-FOR-US: Linea21 CVE-2009-2441 (Cross-site scripting (XSS) vulnerability in ogp_show.php in Online Gue ...) NOT-FOR-US: Online Guestbook Pro CVE-2009-2440 (Cross-site scripting (XSS) vulnerability in index.php in JNM Guestbook ...) NOT-FOR-US: JNM Guestbook CVE-2009-2439 (Multiple SQL injection vulnerabilities in Web Development House Alibab ...) NOT-FOR-US: Web Development House Alibaba CVE-2009-2438 (Cross-site scripting (XSS) vulnerability in index.php in the search mo ...) NOT-FOR-US: ClanSphere CVE-2009-2437 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Re ...) NOT-FOR-US: MyPHPDating CVE-2009-2436 (SQL injection vulnerability in page.php in Online Dating Software MyPH ...) NOT-FOR-US: MyPHPDating CVE-2009-2435 (The Sametime server in IBM Lotus Instant Messaging and Web Conferencin ...) NOT-FOR-US: IBM Lotus CVE-2009-2434 (Buffer overflow in the syscall implementation in IBM AIX 5.3 allows lo ...) NOT-FOR-US: IBM AIX CVE-2009-2433 (Stack-based buffer overflow in the AddFavorite method in Microsoft Int ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-2432 (WordPress and WordPress MU before 2.8.1 allow remote attackers to obta ...) - wordpress 2.8.3-1 (unimportant; bug #537146) NOTE: Installation path is a known fact on a Debian package installation CVE-2009-2431 (WordPress 2.7.1 places the username of a post's author in an HTML comm ...) - wordpress 2.8.3-1 (unimportant; bug #537146) NOTE: Minor information leak CVE-2009-2430 (Unspecified vulnerability in auditconfig in Sun Solaris 8, 9, 10, and ...) NOT-FOR-US: Sun Solaris CVE-2009-2429 (SmartFilter Web Gateway Security 4.2.1.00 stores user credentials in c ...) NOT-FOR-US: SmartFilter Web Gateway Security CVE-2009-2428 (Multiple SQL injection vulnerabilities in Tausch Ticket Script 3 allow ...) NOT-FOR-US: Tausch Ticket Script CVE-2009-2427 (SQL injection vulnerability in co-profile.php in Jobbr 2.2.7 allows re ...) NOT-FOR-US: Jobbr CVE-2009-2426 (The connection_edge_process_relay_cell_not_open function in src/or/rel ...) - tor 0.2.0.35-1 (low; bug #537148) [lenny] - tor 0.2.0.35-1~lenny1 CVE-2009-2425 (Tor before 0.2.0.35 allows remote attackers to cause a denial of servi ...) - tor 0.2.0.35-1 (low; bug #537148) [lenny] - tor 0.2.0.35-1~lenny1 CVE-2009-2424 (Cross-site scripting (XSS) vulnerability in search.php in Ebay Clone 2 ...) NOT-FOR-US: Ebay Clone 2009 CVE-2009-2423 (SQL injection vulnerability in category.php in Ebay Clone 2009 allows ...) NOT-FOR-US: Ebay Clone 2009 CVE-2009-2422 (The example code for the digest authentication functionality (http_aut ...) - rails 2.3.5-1 (bug #535896) [lenny] - rails (vulnerable code not present, introduced in 2.3.x) CVE-2009-2446 (Multiple format string vulnerabilities in the dispatch_command functio ...) {DSA-1877-1} - mysql-dfsg-5.0 (low; bug #536726) [squeeze] - mysql-dfsg-5.0 5.0.51a-24+lenny2 CVE-2009-XXXX [libio-socket-ssl-perl: partial hostname matching vulnerability] - libio-socket-ssl-perl 1.26-1 (low; bug #535946) [lenny] - libio-socket-ssl-perl 1.16-1+lenny1 NOTE: hostname validition is not implemented until 1.14, so etch NOTE: is in a way is not affected, but in another sense, it is NOTE: completely affected since no validation done at all CVE-2009-2421 (The CFCharacterSetInitInlineBuffer method in CoreFoundation.dll in App ...) NOT-FOR-US: Apple Safari CVE-2009-2420 (Apple Safari 3.2.3 does not properly implement the file: protocol hand ...) NOT-FOR-US: Apple Safari CVE-2009-2419 (Use-after-free vulnerability in the servePendingRequests function in W ...) - webkit 1.1.10-1 [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) CVE-2009-2418 REJECTED CVE-2009-2417 (lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is u ...) {DSA-1869-1} - curl 7.19.5-1.1 (medium; bug #541991) CVE-2009-2416 (Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16, 2.6 ...) {DSA-1861-1 DSA-1859-1} - libxml2 2.7.3.dfsg-2.1 (low; bug #540865) - libxml CVE-2009-2415 (Multiple integer overflows in memcached 1.1.12 and 1.2.2 allow remote ...) {DSA-1853-1} - memcached 1.4.1-1 (medium; bug #540379) - memcachedb 1.2.0-5 (medium; bug #540381) NOTE: the impact varies, on etch this runs as root and is not bound NOTE: to the loopback interface by default, memcached is even distributed NOTE: but fortunately not in a stable release. CVE-2009-2414 (Stack consumption vulnerability in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6 ...) {DSA-1861-1 DSA-1859-1} - libxml2 2.7.3.dfsg-2.1 (medium; bug #540865) - libxml CVE-2009-2413 REJECTED CVE-2009-2412 (Multiple integer overflows in the Apache Portable Runtime (APR) librar ...) {DSA-1854-1} - apr 1.3.8-1 - apr-util 1.3.9+dfsg-1 CVE-2009-2411 (Multiple integer overflows in the libsvn_delta library in Subversion b ...) {DSA-1855-1} - subversion 1.6.4dfsg-1 CVE-2009-2410 (The local_handler_callback function in server/responder/pam/pam_LOCAL_ ...) - sssd (Fixed before initial upload to the archive) CVE-2009-2409 (The Network Security Services (NSS) library before 3.12.3, as used in ...) {DSA-1935-1 DSA-1888-1 DSA-1874-1} - nss 3.12.3-1 (low; bug #539895) - openssl 0.9.8k-4 (low; bug #539899) [etch] - openssl 0.9.8c-4etch8 - gnutls26 2.4.2-5 (low; bug #539901) - openjdk-6 6b17~pre3-1 (low) - gnutls13 - sun-java6 6-17-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2009-2407 (Heap-based buffer overflow in the parse_tag_3_packet function in fs/ec ...) {DSA-1845-1 DSA-1844-1} - linux-2.6 2.6.30-5 (medium) [etch] - linux-2.6 (ecryptfs not yet present) - linux-2.6.24 CVE-2009-2406 (Stack-based buffer overflow in the parse_tag_11_packet function in fs/ ...) {DSA-1845-1 DSA-1844-1} - linux-2.6 2.6.30-5 (medium) [etch] - linux-2.6 (ecryptfs not yet present) - linux-2.6.24 CVE-2009-2405 (Multiple cross-site scripting (XSS) vulnerabilities in the Web Console ...) - jbossas4 4.2.2.GA-1 (bug #562000) [lenny] - jbossas4 (Contrib not supported) CVE-2009-2404 (Heap-based buffer overflow in a regular-expression parser in Mozilla N ...) {DSA-2025-1 DSA-1874-1} - nss 3.12.3-1 (low; bug #539934) - icedove 2.0.0.24-1 (low) CVE-2009-2403 (Heap-based buffer overflow in SCMPX 1.5.1 allows remote attackers to c ...) NOT-FOR-US: SCMPX CVE-2009-2402 (SQL injection vulnerability in index.php in the forum module in PHPEch ...) NOT-FOR-US: PHPEcho CVE-2009-2401 (Cross-site scripting (XSS) vulnerability in PHPEcho CMS 2.0-rc3 allows ...) NOT-FOR-US: PHPEcho CVE-2009-2400 (SQL injection vulnerability in the PHP (com_php) component for Joomla! ...) NOT-FOR-US: Joomla! CVE-2009-2399 (PHP remote file inclusion vulnerability in dm-albums/template/album.ph ...) NOT-FOR-US: DM FileManager CVE-2009-2398 (Directory traversal vulnerability in test/index.php in PHP-Sugar 0.80 ...) NOT-FOR-US: PHP-Sugar CVE-2009-2397 (Directory traversal vulnerability in download.php in Audio Article Dir ...) NOT-FOR-US: Audio Article Directory CVE-2009-2396 (PHP remote file inclusion vulnerability in template/album.php in DM Al ...) NOT-FOR-US: DM Albums CVE-2009-2395 (SQL injection vulnerability in the K2 (com_k2) component 1.0.1 Beta an ...) NOT-FOR-US: Joomla! CVE-2009-2394 (SQL injection vulnerability in cat.php in SMSPages 1.0 in Mr.Saphp Ara ...) NOT-FOR-US: SMSPages CVE-2009-2393 (admin/index.php in Virtuenetz Virtue Online Test Generator does not re ...) NOT-FOR-US: Virtuenetz Virtue Online Test Generator CVE-2009-2392 (SQL injection vulnerability in text.php in Virtuenetz Virtue Online Te ...) NOT-FOR-US: Virtuenetz Virtue Online Test Generator CVE-2009-2391 (Cross-site scripting (XSS) vulnerability in text.php in Virtuenetz Vir ...) NOT-FOR-US: Virtuenetz Virtue Online Test Generator CVE-2009-2390 (SQL injection vulnerability in the BookFlip (com_bookflip) component 2 ...) NOT-FOR-US: Joomla! CVE-2009-2389 (Multiple SQL injection vulnerabilities in newsscript.php in USOLVED NE ...) NOT-FOR-US: USOLVED NEWSolved CVE-2009-2388 (SQL injection vulnerability in admin/index.php in Opial 1.0 allows rem ...) NOT-FOR-US: Opial CVE-2009-2387 (Unspecified vulnerability in the proc filesystem in Sun OpenSolaris sn ...) NOT-FOR-US: Sun OpenSolaris CVE-2009-2386 (Insecure method vulnerability in Awingsoft Awakening Winds3D Viewer pl ...) NOT-FOR-US: Awingsoft Awakening Winds3D Viewer plugin CVE-2009-2369 (Integer overflow in the wxImage::Create function in src/common/image.c ...) {DSA-1890-1} - wxwidgets2.8 2.8.7.1-2 (medium; bug #537174) - wxwidgets2.6 2.6.3.2.2-3.1 (medium; bug #537175) - wxwindows2.4 (medium) CVE-2009-2360 (Cross-site scripting (XSS) vulnerability in passwd/main.php in the Pas ...) {DSA-1829-1} - sork-passwd-h3 3.1-1.1 (low; bug #536554) CVE-2009-2385 (SQL injection vulnerability in the awardsMembers function in Sources/P ...) NOT-FOR-US: Member Awards component for Simple Machines Forum CVE-2009-2384 (Buffer overflow in amp.exe in Brothersoft PEamp 1.02b allows user-assi ...) NOT-FOR-US: Brothersoft PEamp CVE-2009-2383 (SQL injection vulnerability in BTE_RW_webajax.php in the Related Sites ...) NOT-FOR-US: Related Sites plugin for WordPress CVE-2009-2382 (admin.php in phpMyBlockchecker 1.0.0055 allows remote attackers to byp ...) NOT-FOR-US: phpMyBlockchecker CVE-2009-2381 (Gizmo 3.1.0.79 on Linux does not verify a server's SSL certificate, wh ...) NOT-FOR-US: Gizmo CVE-2009-2380 (Cross-site scripting (XSS) vulnerability in includes/functions.php in ...) NOT-FOR-US: 4images CVE-2009-2379 (Directory traversal vulnerability in public/index.php in BIGACE Web CM ...) NOT-FOR-US: BIGACE Web CMS CVE-2009-2378 (PHP remote file inclusion vulnerability in formmailer.admin.inc.php in ...) NOT-FOR-US: Jax FormMailer CVE-2009-2377 (Buffer overflow in the Avax Vector ActiveX control in avPreview.ocx in ...) NOT-FOR-US: AVAX-software Avax Vector ActiveX CVE-2009-2376 (Cross-site scripting (XSS) vulnerability in the Html::textarea functio ...) NOT-FOR-US: TangoCMS CVE-2009-2375 (Stack-based buffer overflow in Photo DVD Maker 8.02, and possibly earl ...) NOT-FOR-US: Photo DVD Maker CVE-2009-2371 (Advanced Forum 6.x before 6.x-1.1, a module for Drupal, does not preve ...) NOT-FOR-US: Advanced Forum module for Drupal CVE-2009-2370 (Cross-site scripting (XSS) vulnerability in Advanced Forum 5.x before ...) NOT-FOR-US: Advanced Forum module for Drupal CVE-2009-2368 (Unspecified vulnerability in Socks Server 5 before 3.7.8-8 has unknown ...) NOT-FOR-US: Socks Server CVE-2009-2367 (cgi-bin/makecgi-pro in Iomega StorCenter Pro generates predictable ses ...) NOT-FOR-US: Iomega StorCenter Pro CVE-2009-2366 (SQL injection vulnerability in login.asp in DataCheck Solutions ForumP ...) NOT-FOR-US: DataCheck Solutions ForumPal FE CVE-2009-2365 (SQL injection vulnerability in login.asp in DataCheck Solutions Galler ...) NOT-FOR-US: DataCheck Solutions GalleryPal FE CVE-2009-2364 (Stack-based buffer overflow in Mp3-Nator 2.0 allows remote attackers t ...) NOT-FOR-US: Mp3-Nator CVE-2009-2363 (Stack-based buffer overflow in KUDRSOFT AudioPLUS 2.00.215 allows remo ...) NOT-FOR-US: KUDRSOFT AudioPLUS CVE-2009-2362 (Stack-based buffer overflow in KUDRSOFT AudioPLUS 2.0.0.215 allows rem ...) NOT-FOR-US: KUDRSOFT AudioPLUS CVE-2009-2361 (SQL injection vulnerability in include/class.staff.php in osTicket bef ...) NOT-FOR-US: osTicket CVE-2009-2359 (Multiple SQL injection vulnerabilities in TekRADIUS 3.0 allow context- ...) NOT-FOR-US: TekRADIUS CVE-2009-2358 (TekRADIUS 3.0 uses BUILTIN\Users:R permissions for the TekRADIUS.ini f ...) NOT-FOR-US: TekRADIUS CVE-2009-2357 (The default configuration of TekRADIUS 3.0 uses the sa account to comm ...) NOT-FOR-US: TekRADIUS CVE-2009-2356 (Multiple stack-based buffer overflows in the pgsqlQuery function in Nu ...) NOT-FOR-US: NullLogic Groupware CVE-2009-2355 (The forum module in NullLogic Groupware 1.2.7 allows remote authentica ...) NOT-FOR-US: NullLogic Groupware CVE-2009-2354 (SQL injection vulnerability in the auth_checkpass function in the logi ...) NOT-FOR-US: NullLogic Groupware CVE-2009-2353 (encoder.php in eAccelerator allows remote attackers to execute arbitra ...) - eaccelerator-src (bug #460341) CVE-2009-2352 (Google Chrome 1.0.154.48 and earlier does not block javascript: URIs i ...) - chromium-browser 5.0.375.70~r48679-2 - webkit (doesn't have a 'view-source' handler) NOTE: poc didn't seem to work against 5.0.375.70~r48679-2 NOTE: chromium security team doesn't consider this a valid security issue NOTE: http://crbug.com/40086 CVE-2009-2351 (Opera 9.52 and earlier does not block javascript: URIs in Refresh head ...) NOT-FOR-US: Opera CVE-2009-2350 (Microsoft Internet Explorer 6.0.2900.2180 and earlier does not block j ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-2349 RESERVED CVE-2009-2348 (Android 1.5 CRBxx allows local users to bypass the (1) Manifest.permis ...) NOT-FOR-US: Android CVE-2009-2347 (Multiple integer overflows in inter-color spaces conversion tools in l ...) {DSA-1835-1} - tiff 3.8.2-13 - tiff3 (fixed prior to initial upload) CVE-2009-2346 (The IAX2 protocol implementation in Asterisk Open Source 1.2.x before ...) - asterisk 1:1.6.2.0~dfsg~beta3-1 (bug #539473) [etch] - asterisk (Etch Packages no longer covered by security support) [lenny] - asterisk (Intrusive protocol-level vulnerabilitity, see http://downloads.asterisk.org/pub/security/IAX2-security.pdf) CVE-2009-2345 (Multiple SQL injection vulnerabilities in ClanSphere before 2009.0.1 a ...) NOT-FOR-US: ClanSphere CVE-2009-2344 (The web-based management interfaces in Sourcefire Defense Center (DC) ...) NOT-FOR-US: Sourcefire CVE-2009-2342 (Cross-site scripting (XSS) vulnerability in admin.php (aka the login p ...) NOT-FOR-US: CMME CVE-2009-2341 (SQL injection vulnerability in albumdetail.php in Opial 1.0 allows rem ...) NOT-FOR-US: Opial CVE-2009-2340 (SQL injection vulnerability in admin/index.php in Opial 1.0 allows rem ...) NOT-FOR-US: Opial CVE-2009-2339 (SQL injection vulnerability in index.php in Rentventory allows remote ...) NOT-FOR-US: Rentventory CVE-2009-2338 (Directory traversal vulnerability in includes/startmodules.inc.php in ...) NOT-FOR-US: FreeWebshop.org CVE-2009-2337 (SQL injection vulnerability in includes/module/book/index.inc.php in w ...) NOT-FOR-US: w3b|cms CVE-2008-6853 (SQL injection vulnerability in modules/poll/index.php in AIST NetCat 3 ...) NOT-FOR-US: AIST NetCat CVE-2008-6852 (SQL injection vulnerability in the Ice Gallery (com_ice) component 0.5 ...) NOT-FOR-US: Joomla! component CVE-2008-6851 (SQL injection vulnerability in page.php in PHP Link Directory (phpLD) ...) NOT-FOR-US: PHP Link Directory CVE-2008-6850 (Cross-site scripting (XSS) vulnerability in messages.php in PHP-Fusion ...) NOT-FOR-US: PHP-Fusion CVE-2008-6849 (Unrestricted file upload vulnerability in index.php in phpGreetCards 3 ...) NOT-FOR-US: phpGreetCards CVE-2008-6848 (Cross-site scripting (XSS) vulnerability in index.php in phpGreetCards ...) NOT-FOR-US: phpGreetCards CVE-2009-2336 (The forgotten mail interface in WordPress and WordPress MU before 2.8. ...) - wordpress 2.8.3-1 (unimportant; bug #536724) NOTE: Minor information leak CVE-2009-2335 (WordPress and WordPress MU before 2.8.1 exhibit different behavior for ...) - wordpress 2.8.3-1 (unimportant; bug #536724) NOTE: Minor information leak CVE-2009-2334 (wp-admin/admin.php in WordPress and WordPress MU before 2.8.1 does not ...) {DSA-1871-2 DSA-1871-1} - wordpress 2.8.3-1 (low; bug #536724) CVE-2009-2333 (Multiple directory traversal vulnerabilities in CMS Chainuk 1.2 and ea ...) NOT-FOR-US: CMS Chainuk CVE-2009-2332 (CMS Chainuk 1.2 and earlier allows remote attackers to obtain sensitiv ...) NOT-FOR-US: CMS Chainuk CVE-2009-2331 (Multiple static code injection vulnerabilities in CMS Chainuk 1.2 and ...) NOT-FOR-US: CMS Chainuk CVE-2009-2330 (Cross-site scripting (XSS) vulnerability in admin/admin_menu.php in CM ...) NOT-FOR-US: CMS Chainuk CVE-2009-2329 (KerviNet Forum 1.1 and earlier allows remote attackers to obtain sensi ...) NOT-FOR-US: KerviNet Forum CVE-2009-2328 (admin/edit_user.php in KerviNet Forum 1.1 and earlier does not require ...) NOT-FOR-US: KerviNet Forum CVE-2009-2327 (Cross-site scripting (XSS) vulnerability in add_voting.php in KerviNet ...) NOT-FOR-US: KerviNet Forum CVE-2009-2326 (Multiple SQL injection vulnerabilities in KerviNet Forum 1.1 and earli ...) NOT-FOR-US: KerviNet Forum CVE-2009-2325 (Directory traversal vulnerability in index.php in Clicknet CMS 2.1 all ...) NOT-FOR-US: Clicknet CMS CVE-2009-2324 (Multiple cross-site scripting (XSS) vulnerabilities in FCKeditor befor ...) {DSA-1836-1} - fckeditor 1:2.6.4.1-1 (low; bug #536051) - moin 1.8.2-2 NOTE: moin from 1.8.2-2 uses systemwide copy of fckeditor [lenny] - moin (unimportant; provides FCKeditor as example files in /usr/share/doc, but not executable in general case) [etch] - moin (doesn't provide FCKeditor sample files) - knowledgeroot 0.9.8.5-3 NOTE: knowledgeroot from 0.9.8.5-3 uses systemwide copy of fckeditor [etch] - knowledgeroot (doesn't provide FCKeditor sample files) - karrigell [etch] - karrigell (doesn't provide FCKeditor sample files) - gforge 4.6.99+svn6225-1 [etch] - gforge (doesn't contain FCKeditor) - egroupware (doesn't provide FCKeditor sample files) - request-tracker3.8 (doesn't provide FCKeditor sample files) CVE-2009-2323 (The web interface on the Axesstel MV 410R redirects users back to the ...) NOT-FOR-US: Axesstel MV 410R CVE-2009-2322 (Cross-site scripting (XSS) vulnerability in cgi-bin/sysconf.cgi on the ...) NOT-FOR-US: Axesstel MV 410R CVE-2009-2321 (cgi-bin/sysconf.cgi on the Axesstel MV 410R allows remote attackers to ...) NOT-FOR-US: Axesstel MV 410R CVE-2009-2320 (The web interface on the Axesstel MV 410R relies on client-side JavaSc ...) NOT-FOR-US: Axesstel MV 410R CVE-2009-2319 (The default configuration of the Wi-Fi component on the Axesstel MV 41 ...) NOT-FOR-US: Axesstel MV 410R CVE-2009-2318 (The Axesstel MV 410R allows remote attackers to cause a denial of serv ...) NOT-FOR-US: Axesstel MV 410R CVE-2009-2317 (The Axesstel MV 410R has a certain default administrator password, and ...) NOT-FOR-US: Axesstel MV 410R CVE-2009-2316 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Tivoli Iden ...) NOT-FOR-US: IBM Tivoli CVE-2009-2315 REJECTED CVE-2009-2314 (Race condition in the Sun Lightweight Availability Collection Tool 3.0 ...) NOT-FOR-US: Lightweight Availability Collection Tool CVE-2007-6728 (Cross-site scripting (XSS) vulnerability in XMB 1.5 allows remote atta ...) NOT-FOR-US: XMB CVE-2007-6727 (SQL injection vulnerability in topic.php in KerviNet Forum 1.1 allows ...) NOT-FOR-US: KerviNet Forum CVE-2009-2687 (The exif_read_data function in the Exif module in PHP before 5.2.10 al ...) {DSA-1940-1} - php5 5.2.10.dfsg.1-2 (low; bug #535888) - php4 (low; bug #535897) NOTE: 5.3.0 (in experimental) is not affected CVE-2009-XXXX [apache2: htaccess override] - apache2 2.2.9-1 (low; bug #535886) [etch] - apache2 2.2.3-4+etch8 NOTE: fixed in etch in DSA-1816-1 CVE-2009-XXXX [xscreensaver: symlink attack enables local information disclosure] - xscreensaver (does not run setuid in debian) NOTE: http://bugs.debian.org/535870 CVE-2009-XXXX [libdkim: signature parsing is not thread-safe] - libdkim 1:1.0.19-4 (unimportant; bug #532740) NOTE: This is mostly a missing feature, it's unlikely that any threaded application NOTE: is using libdkim in the current state, so the practical impact is none CVE-2009-XXXX [mimedecode: potential dos/crash due to invalid input] - mimedecode (low; bug #530430) [etch] - mimedecode (minor issue) [lenny] - mimedecode (minor issue) CVE-2009-2313 (Directory traversal vulnerability in index.php in Jinzora Media Jukebo ...) NOT-FOR-US: Jinzora Media Jukebox CVE-2009-2312 (SmartFilter Web Gateway Security 4.2.1.00 stores user credentials in c ...) NOT-FOR-US: Secure Computing SmartFilter CVE-2009-2311 (SQL injection vulnerability in the rGallery plugin 1.2.3 for WoltLab B ...) NOT-FOR-US: rGallery plugin for WoltLab CVE-2009-2310 (SQL injection vulnerability in include/get_read.php in Extensible-BioL ...) NOT-FOR-US: Extensible-BioLawCom CMS CVE-2009-2309 (SQL injection vulnerability in index.php in Codice CMS 2 allows remote ...) NOT-FOR-US: Codice CMS 2 CVE-2009-2308 (Multiple SQL injection vulnerabilities in affiliates.php in the Affili ...) NOT-FOR-US: PunBB CVE-2009-2307 (SQL injection vulnerability in the CWGuestBook module 2.1 and earlier ...) NOT-FOR-US: MDPro CVE-2009-2306 (The ARD-9808 DVR card security camera stores sensitive information und ...) NOT-FOR-US: ARD-9808 DVR card security camera CVE-2009-2305 (The ARD-9808 DVR card security camera allows remote attackers to cause ...) NOT-FOR-US: ARD-9808 DVR card security camera CVE-2009-2304 (index.php in Aardvark Topsites PHP 5.2.0 and earlier allows remote att ...) NOT-FOR-US: Aardvark Topsites CVE-2009-2303 (index.php in Aardvark Topsites PHP 5.2.1 and earlier allows remote att ...) NOT-FOR-US: Aardvark Topsites CVE-2009-2302 (Cross-site scripting (XSS) vulnerability in index.php in Aardvark Tops ...) NOT-FOR-US: Aardvark Topsites CVE-2009-2301 (The radware AppWall Web Application Firewall (WAF) 1.0.2.6, with Gatew ...) NOT-FOR-US: AppWall Web Application Firewall CVE-2009-2300 (The management interface in the phion airlock Web Application Firewall ...) NOT-FOR-US: phion airlock Web Application Firewall CVE-2009-2299 (The Artofdefence Hyperguard Web Application Firewall (WAF) module befo ...) NOT-FOR-US: Artofdefence Hyperguard Web Application Firewall CVE-2009-2298 (Stack-based buffer overflow in rping in HP OpenView Network Node Manag ...) NOT-FOR-US: HP Network Node Manager rping CVE-2009-2297 (Unspecified vulnerability in the udp subsystem in the kernel in Sun So ...) NOT-FOR-US: kernel in Sun Solaris CVE-2009-2296 (The NFSv4 server kernel module in Sun Solaris 10, and OpenSolaris befo ...) NOT-FOR-US: kernel module in Sun Solaris CVE-2009-2295 (Multiple integer overflows in CamlImages 2.2 and earlier might allow c ...) {DSA-1912-2 DSA-1832-1} - camlimages 1:3.0.1-2 (low; bug #535909) - advi 1.6.0-15 (low; bug #550440) CVE-2009-2294 (Integer overflow in the Png_datainfo_callback function in Dillo 2.1 an ...) - dillo 3.0-1 (medium; bug #535788) CVE-2009-2293 (Optimum Web Design Tutorial Share 3.5.0 and earlier allows remote atta ...) NOT-FOR-US: Optimum Web Design Tutorial Share CVE-2009-2292 (Cross-site scripting (XSS) vulnerability in Appleple a-News 2.32 allow ...) NOT-FOR-US: Appleple a-News CVE-2009-2291 (Unspecified vulnerability in LoginToboggan 6.x-1.x before 6.x-1.5, a m ...) NOT-FOR-US: LoginToboggan module for Drupal CVE-2009-2290 (SQL injection vulnerability in the Boy Scout Advancement (com_bsadv) c ...) NOT-FOR-US: Joomla! CVE-2009-2289 (Cross-site scripting (XSS) vulnerability in index.php in Arcade Trade ...) NOT-FOR-US: Arcade Trade Script CVE-2009-2287 (The kvm_arch_vcpu_ioctl_set_sregs function in the KVM in Linux kernel ...) {DSA-1846-1 DSA-1845-1} - linux-2.6 2.6.30-2 (low) - linux-2.6.24 - kvm 88+dfsg-2 (low; bug #557737) CVE-2009-2285 (Buffer underflow in the LZWDecodeCompat function in libtiff 3.8.2 allo ...) {DSA-1835-1} - tiff 3.8.2-12 (low; bug #534137) - tiff3 (fixed prior to initial upload) NOTE: this doesn't allow code execution, only a crash. CVE-2009-2283 (Multiple cross-site scripting (XSS) vulnerabilities in the help jsp sc ...) NOT-FOR-US: Sun Java Web Console in Solaris CVE-2009-2282 (The Virtual Network Terminal Server daemon (vntsd) for Logical Domains ...) NOT-FOR-US: LDoms in Sun Solaris CVE-2008-6847 (Cross-site scripting (XSS) vulnerability in Employee/emp_login.asp in ...) NOT-FOR-US: Pre ASP Job Board CVE-2008-6846 (Multiple stack-based buffer overflows in avast! Linux Home Edition 1.0 ...) NOT-FOR-US: avast! Linux Home Edition CVE-2008-6845 (The unpack feature in ClamAV 0.93.3 and earlier allows remote attacker ...) - clamav 0.94.dfsg-1 [etch] - clamav (Support was discontinued) CVE-2008-6844 (The registration view (/user/register) in eZ Publish 3.5.6 and earlier ...) NOT-FOR-US: eZ Publish CVE-2008-6843 (Directory traversal vulnerability in index.php in Fantastico, as used ...) NOT-FOR-US: Fantastico CVE-2008-6842 (Directory traversal vulnerability in data/modules/blog/module_pages_si ...) NOT-FOR-US: Pluck CVE-2008-6841 (PHP remote file inclusion vulnerability in the Green Mountain Informat ...) NOT-FOR-US: component for Joomla! CVE-2008-6840 (Multiple PHP remote file inclusion vulnerabilities in V-webmail 1.6.4 ...) NOT-FOR-US: V-webmail CVE-2009-2373 (Cross-site scripting (XSS) vulnerability in the Forum module in Drupal ...) {DSA-1930-1} - drupal6 6.12-1.1 (low; bug #535435) - drupal5 (Vulnerable code not present) NOTE: http://drupal.org/node/507572 NOTE: requested CVE id CVE-2009-2372 (Drupal 6.x before 6.13 does not prevent users from modifying user sign ...) {DSA-1930-1} - drupal6 6.12-1.1 (medium; bug #535435) - drupal5 (Vulnerable code not present) NOTE: http://drupal.org/node/507572 NOTE: marked as medium as this might lead to code execution if the php filter is enabled NOTE: requested CVE id CVE-2009-2374 (Drupal 5.x before 5.19 and 6.x before 6.13 does not properly sanitize ...) {DSA-1930-1} - drupal6 6.12-1.1 (low; bug #535435) - drupal5 5.18-1.1 (low; bug #535476) NOTE: http://drupal.org/node/507572 NOTE: requested CVE id CVE-2009-2284 (Cross-site scripting (XSS) vulnerability in phpMyAdmin before 3.2.0.1 ...) - phpmyadmin 4:3.2.0.1-1 (medium; bug #535890) [etch] - phpmyadmin (Vulnerable code not present) [lenny] - phpmyadmin (Vulnerable code not present) NOTE: affects 3.x branch only CVE-2009-2280 RESERVED CVE-2009-2279 RESERVED CVE-2009-2278 RESERVED CVE-2009-2277 (Cross-site scripting (XSS) vulnerability in WebAccess in VMware Virtua ...) NOT-FOR-US: VMware CVE-2009-2276 (SQL injection vulnerability in voteforus.php in the Vote For Us extens ...) NOT-FOR-US: voteforus.php extension for PunBB CVE-2009-2275 (Directory traversal vulnerability in frontend/x3/stats/lastvisit.html ...) NOT-FOR-US: cPanel CVE-2009-2274 (The Huawei D100 allows remote attackers to obtain sensitive informatio ...) NOT-FOR-US: Huawei D100 CVE-2009-2273 (The default configuration of the Wi-Fi component on the Huawei D100 do ...) NOT-FOR-US: Huawei D100 CVE-2009-2272 (The Huawei D100 stores the administrator's account name and password i ...) NOT-FOR-US: Huawei D100 CVE-2009-2271 (The Huawei D100 has (1) a certain default administrator password for t ...) NOT-FOR-US: Huawei D100 CVE-2009-2270 (Unrestricted file upload vulnerability in member/uploads_edit.php in d ...) NOT-FOR-US: dedecms CVE-2009-2269 (SQL injection vulnerability in Empire CMS 5.1 allows remote attackers ...) NOT-FOR-US: Empire CMS CVE-2009-2268 (Cross-site scripting (XSS) vulnerability in the Cross-Domain Controlle ...) NOT-FOR-US: Sun Java System Access Manager CVE-2009-2267 (VMware Workstation 6.5.x before 6.5.3 build 185404, VMware Player 2.5. ...) - vmware-package CVE-2009-2266 (OXID eShop 4.x before 4.1.4-21266, 3.x, and 2.x allows remote attacker ...) NOT-FOR-US: OXID eShop CVE-2009-2281 (Multiple heap-based buffer underflows in the readPostBody function in ...) {DSA-1914-1} - mapserver 5.4.2-1 (medium; bug #535340) NOTE: http://www.openwall.com/lists/oss-security/2009/06/22/2 CVE-2009-2265 (Multiple directory traversal vulnerabilities in FCKeditor before 2.6.4 ...) {DSA-1836-1} - fckeditor 1:2.6.4.1-1 (medium; bug #536051) NOTE: http://dev.fckeditor.net/changeset/3815/FCKeditor/trunk/editor/filemanager - moin 1.8.2-2 NOTE: moin from 1.8.2-2 uses systemwide copy of fckeditor [lenny] - moin (unimportant) [etch] - moin (Vulnerable code not present) NOTE: moin in lenny provides FCKeditor as example files (/usr/share/doc) - request-tracker3.8 (Vulnerable code not present) - egroupware 1.6.002+dfsg-1 (low) [lenny] - egroupware 1.4.004-2.dfsg-4.2 - gforge 4.6.99+svn6225-1 [etch] - gforge (doesn't contain FCKeditor) - knowledgeroot 0.9.8.5-3 (medium; bug #538722) - karrigell [etch] - karrigell (Vulnerable code not present) NOTE: knowledgeroot from 0.9.8.5-3 uses systemwide copy of fckeditor CVE-2009-2264 RESERVED CVE-2009-2263 (Directory traversal vulnerability in index.php in Awesome PHP Mega Fil ...) NOT-FOR-US: Mega File Manager CVE-2009-2262 (PHP remote file inclusion vulnerability in install/di.php in AjaxPorta ...) NOT-FOR-US: AjaxPortal CVE-2009-2261 (PeaZIP 2.6.1, 2.5.1, and earlier on Windows allows user-assisted remot ...) NOT-FOR-US: PeaZIP CVE-2009-2260 (stardict 3.0.1, when Enable Net Dict is configured, sends the contents ...) - stardict 3.0.1-5 (low; bug #534731) [etch] - stardict (netdict plugin not yet present) [lenny] - stardict 3.0.1-4+lenny1 CVE-2009-2259 REJECTED CVE-2009-2258 (Directory traversal vulnerability in cgi-bin/webcm in the administrati ...) NOT-FOR-US: Netgear DG632 CVE-2009-2257 (The administrative web interface on the Netgear DG632 with firmware 3. ...) NOT-FOR-US: Netgear DG632 CVE-2009-2256 (The administrative web interface on the Netgear DG632 with firmware 3. ...) NOT-FOR-US: Netgear DG632 CVE-2009-2255 (Zen Cart 1.3.8a, 1.3.8, and earlier does not require administrative au ...) NOT-FOR-US: Zen Cart CVE-2009-2254 (Zen Cart 1.3.8a, 1.3.8, and earlier does not require administrative au ...) NOT-FOR-US: Zen Cart CVE-2009-2253 RESERVED CVE-2009-2252 RESERVED CVE-2009-2251 RESERVED CVE-2009-2250 RESERVED CVE-2009-2249 RESERVED CVE-2009-2248 RESERVED CVE-2009-2247 RESERVED CVE-2009-2246 RESERVED CVE-2009-2245 RESERVED CVE-2009-2244 RESERVED CVE-2009-2243 (SQL injection vulnerability in active_appointments.asp in ASP Inline C ...) NOT-FOR-US: ASP Inline Corporate Calendar CVE-2009-2242 (SQL injection vulnerability in active_appointments.asp in ASP Inline C ...) NOT-FOR-US: ASP Inline Corporate Calendar CVE-2009-2241 (Cross-site scripting (XSS) vulnerability in search.asp in ASP Inline C ...) NOT-FOR-US: ASP Inline Corporate Calendar CVE-2009-2240 (Cross-site scripting (XSS) vulnerability in AD2000 free-sw leger (aka ...) NOT-FOR-US: Web Conference Room Free CVE-2009-2239 (SQL injection vulnerability in the (1) casinobase (com_casinobase), (2 ...) NOT-FOR-US: Joomla! components CVE-2009-2238 (Unrestricted file upload vulnerability in includes/shared_scripts/wysi ...) NOT-FOR-US: DMXReady Registration Manager CVE-2009-2237 (Unspecified vulnerability in Views Bulk Operations 5.x-1.x before 5.x- ...) NOT-FOR-US: contributed Views Bulk Operations module for Drupal CVE-2009-2236 (SQL injection vulnerability in yad-admin/login.php in Your Article Dir ...) NOT-FOR-US: Your Articles Directory CVE-2009-2235 (SQL injection vulnerability in page.php in Your Articles Directory all ...) NOT-FOR-US: Your Articles Directory CVE-2009-2234 (Multiple SQL injection vulnerabilities in admin.php in VICIDIAL Call C ...) NOT-FOR-US: VICIDIAL Call Center Suite CVE-2009-2210 (Mozilla Thunderbird before 2.0.0.22 and SeaMonkey before 1.1.17 allow ...) {DSA-1830-1} - icedove 2.0.0.22-1 (bug #535124) [squeeze] - icedove 2.0.0.22-0lenny1 - iceape 1.1.17-1 [squeeze] - iceape (only provides a stub for XPCOM) [lenny] - iceape (Only provides a stub for XPCOM) [etch] - iceape (Etch Packages no longer covered by security support) - kompozer (mail suite not compiled) NOTE: http://www.mozilla.org/security/announce/2009/mfsa2009-33.html NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=495057 CVE-2008-6839 (Multiple cross-site scripting (XSS) vulnerabilities in TGS Content Man ...) NOT-FOR-US: TGS Content Management CVE-2008-6838 (Cross-site scripting (XSS) vulnerability in search.php in Zoph 0.7.2.1 ...) - zoph 0.8.0.1-1 (low; bug #535188) [lenny] - zoph (Minor issue, fringe package) NOTE: it seems a duplicate of CVE-2008-3258 CVE-2008-6837 (SQL injection vulnerability in Zoph 0.7.2.1 allows remote attackers to ...) - zoph 0.8.0.1-1 (bug #535188) [lenny] - zoph (Minor issue, fringe package) NOTE: the details are unknown CVE-2009-2343 (Cross-site scripting (XSS) vulnerability in people.php in Zoph before ...) - zoph 0.7.5-1 (low; bug #535188) [lenny] - zoph (Minor issue, fringe package) NOTE: http://sourceforge.net/tracker/?func=detail&aid=2815898&group_id=69353&atid=524249 NOTE: http://sourceforge.net/project/shownotes.php?group_id=69353&release_id=694128 CVE-2008-6836 (Cross-site request forgery (CSRF) vulnerability in OpenID 5.x before 5 ...) NOT-FOR-US: OpenID module for Drupal CVE-2008-6835 (Cross-site scripting (XSS) vulnerability in OpenID 5.x before 5.x-1.2, ...) NOT-FOR-US: OpenID module for Drupal CVE-2009-XXXX [udev: creates aacraid devices that are rw by group floppy] - udev 0.141-1 (low; bug #530245; bug #462655; bug #404927) [lenny] - udev (Minor issue) [etch] - udev (minor issue) CVE-2009-2288 (statuswml.cgi in Nagios before 3.1.1 allows remote attackers to execut ...) {DSA-1825-1} - nagios3 3.0.6-5 - nagios2 NOTE: http://secunia.com/advisories/35543 CVE-2009-2286 (Buffer overflow in compface 1.5.2 and earlier allows user-assisted att ...) - libcompface 1:1.5.2-5 (unimportant; bug #534973) CVE-2009-2233 (The admin interface in AWScripts.com Gallery Search Engine 1.5 allows ...) NOT-FOR-US: AWScripts.com Gallery Search Engine CVE-2009-2232 (SQL injection vulnerability in image.php in Softbiz Banner Ad Manageme ...) NOT-FOR-US: Softbiz Banner Ad Management Script CVE-2009-2231 (MIDAS 1.43 allows remote attackers to bypass authentication and obtain ...) NOT-FOR-US: MIDAS CVE-2009-2230 (SQL injection vulnerability in inc/datahandlers/user.php in MyBB (aka ...) NOT-FOR-US: MyBB CVE-2009-2229 (Directory traversal vulnerability in engine.php in Kasseler CMS 1.3.5 ...) NOT-FOR-US: Kasseler CMS CVE-2009-2228 (Cross-site scripting (XSS) vulnerability in engine.php in Kasseler CMS ...) NOT-FOR-US: Kasseler CMS CVE-2009-2227 (Stack-based buffer overflow in B Labs Bopup Communication Server 3.2.2 ...) NOT-FOR-US: Bopup Communication Server CVE-2009-2226 (Cross-site scripting (XSS) vulnerability in Let's PHP! Tree BBS 2004/1 ...) NOT-FOR-US: Let's PHP! Tree BBS CVE-2009-2225 (Stack-based buffer overflow in SureThing CD/DVD Labeler 5.1.616 trial ...) NOT-FOR-US: SureThing CD/DVD Labeler CVE-2009-2224 (Directory traversal vulnerability in ang/shared/flags.php in AN Guestb ...) NOT-FOR-US: AN Guestbook CVE-2009-2223 (Directory traversal vulnerability in locms/smarty.php in LightOpenCMS ...) NOT-FOR-US: LightOpenCMS CVE-2009-2222 (Directory traversal vulnerability in PHP-I-BOARD 1.2 and earlier allow ...) NOT-FOR-US: PHP-I-BOARD CVE-2009-2221 (Cross-site scripting (XSS) vulnerability in PHP-I-BOARD 1.2 and earlie ...) NOT-FOR-US: PHP-I-BOARD CVE-2009-2220 (Multiple directory traversal vulnerabilities in Tribiq CMS 5.0.12c, wh ...) NOT-FOR-US: Tribiq CMS CVE-2009-2219 (Multiple cross-site scripting (XSS) vulnerabilities in phpCollegeExcha ...) NOT-FOR-US: phpCollegeExchange CVE-2009-2218 (Multiple PHP remote file inclusion vulnerabilities in phpCollegeExchan ...) NOT-FOR-US: phpCollegeExchange CVE-2009-2217 (Cross-site scripting (XSS) vulnerability in NBBC before 1.4.2 allows r ...) NOT-FOR-US: NBBC CVE-2009-2216 (Cross-site scripting (XSS) vulnerability in CMD_REDIRECT in DirectAdmi ...) NOT-FOR-US: DirectAdmin CVE-2009-2215 (Multiple cross-site scripting (XSS) vulnerabilities in URD before 0.6. ...) NOT-FOR-US: URD CVE-2009-2214 (The Secure Gateway service in Citrix Secure Gateway 3.1 and earlier al ...) NOT-FOR-US: Citrix Secure Gateway CVE-2009-2213 (The default configuration of the Security global settings on the Citri ...) NOT-FOR-US: Citrix NetScaler Access Gateway CVE-2009-2212 (The CQWeb server in IBM Rational ClearQuest 7.0.0 before 7.0.0.6 and 7 ...) NOT-FOR-US: IBM Rational ClearQuest CVE-2009-2211 (Cross-site scripting (XSS) vulnerability in the CQWeb server in IBM Ra ...) NOT-FOR-US: IBM Rational ClearQuest CVE-2009-2209 (SQL injection vulnerability in rscms_mod_newsview.php in RS-CMS 2.1 al ...) NOT-FOR-US: RS-CMS CVE-2009-2208 (FreeBSD 6.3, 6.4, 7.1, and 7.2 does not enforce permissions on the SIO ...) - kfreebsd-6 [lenny] - kfreebsd-6 (KFreebsd not supported) - kfreebsd-7 7.2-2 [lenny] - kfreebsd-7 (KFreebsd not supported) NOTE: http://security.freebsd.org/advisories/FreeBSD-SA-09:10.ipv6.asc CVE-2009-2207 (The MobileMail component in Apple iPhone OS 3.0 and 3.0.1, and iPhone ...) NOT-FOR-US: Apple iPhone OS CVE-2009-2206 (Multiple heap-based buffer overflows in the AudioCodecs library in the ...) NOT-FOR-US: Apple iPhone OS CVE-2009-2205 (Stack-based buffer overflow in the Java Web Start command launcher in ...) NOT-FOR-US: Mac OS X CVE-2009-2204 (Unspecified vulnerability in the CoreTelephony component in Apple iPho ...) NOT-FOR-US: Apple iPhone OS CVE-2009-2203 (Buffer overflow in Apple QuickTime before 7.6.4 allows remote attacker ...) NOT-FOR-US: Apple QuickTime CVE-2009-2202 (Apple QuickTime before 7.6.4 allows remote attackers to execute arbitr ...) NOT-FOR-US: Apple QuickTime CVE-2009-2201 (The screensharing feature in the Admin application in Apple Xsan befor ...) NOT-FOR-US: Admin application in Apple Xsan CVE-2009-2200 (WebKit in Apple Safari before 4.0.3 does not properly restrict the URL ...) - kdelibs - webkit (gtk-based frame loader not affected) - qt4-x11 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=517273 NOTE: http://trac.webkit.org/changeset/44905 NOTE: http://trac.webkit.org/changeset/44909 CVE-2009-2199 (Incomplete blacklist vulnerability in WebKit in Apple Safari before 4. ...) - kdelibs - webkit (problem with look-alike character rendering with mac-specific fonts) - qt4-x11 CVE-2009-2198 (Apple GarageBand before 5.1 reconfigures Safari to accept all cookies ...) NOT-FOR-US: Apple GarageBand CVE-2009-2197 (Apple Safari before 9.1 allows remote attackers to spoof the user inte ...) NOT-FOR-US: Apple Safari CVE-2009-2196 (Unspecified vulnerability in Apple Safari 4 before 4.0.3 allows remote ...) NOT-FOR-US: Apple Safari CVE-2009-2195 (Buffer overflow in WebKit in Apple Safari before 4.0.3 allows remote a ...) - webkit 1.1.12-1 (medium) [lenny] - webkit (Vulnerable code not present) - kdelibs - kde4libs - qt4-x11 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=517273 NOTE: http://trac.webkit.org/changeset/45696 CVE-2009-2194 (Apple Mac OS X 10.5 before 10.5.8 does not properly share file descrip ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2193 (Buffer overflow in the kernel in Apple Mac OS X 10.5 before 10.5.8 all ...) NOT-FOR-US: kernel in Apple Mac OS X CVE-2009-2192 (MobileMe in Apple Mac OS X 10.5 before 10.5.8 does not properly delete ...) NOT-FOR-US: MobileMe in Apple Mac OS X CVE-2009-2191 (Format string vulnerability in Login Window in Apple Mac OS X 10.4.11 ...) NOT-FOR-US: Login Window in Apple Mac OS X CVE-2009-2190 (launchd in Apple Mac OS X 10.5 before 10.5.8 allows remote attackers t ...) NOT-FOR-US: launchd in Apple Mac OS X CVE-2009-2189 (The ICMPv6 implementation on the Apple Time Capsule, AirPort Extreme B ...) NOT-FOR-US: Apple CVE-2009-2188 (Buffer overflow in ImageIO in Apple Mac OS X 10.5 before 10.5.8, and S ...) NOT-FOR-US: ImageIO in Apple Mac OS X CVE-2009-2187 (Multiple memory leaks in the (1) IP and (2) IPv6 multicast implementat ...) NOT-FOR-US: Sun Solaris CVE-2009-2186 (Unspecified vulnerability in Adobe Shockwave Player before 11.0.0.465 ...) NOT-FOR-US: Adobe Shockwave Playe CVE-2009-2185 (The ASN.1 parser (pluto/asn1.c, libstrongswan/asn1/asn1.c, libstrongsw ...) {DSA-1899-1 DSA-1898-1} - strongswan 4.2.14-1.2 (bug #533837) - openswan 1:2.6.22+dfsg-1 CVE-2009-2184 (Absolute path traversal vulnerability in forcedownload.php in Gravy Me ...) NOT-FOR-US: Gravy Media Photo CVE-2009-2183 (Directory traversal vulnerability in admin-files/ad.php in Campsite 3. ...) NOT-FOR-US: Campsite CVE-2009-2182 (Multiple PHP remote file inclusion vulnerabilities in Campsite 3.3.0 R ...) NOT-FOR-US: Campsite CVE-2009-2181 (Cross-site scripting (XSS) vulnerability in admin-files/templates/list ...) NOT-FOR-US: Campsite CVE-2009-2180 (Multiple directory traversal vulnerabilities in upfiles/index.php in P ...) NOT-FOR-US: Pc4 Uploader CVE-2009-2179 (SQL injection vulnerability in search.php in phpDatingClub 3.7 allows ...) NOT-FOR-US: phpDatingClub CVE-2009-2178 (Cross-site scripting (XSS) vulnerability in website.php in phpDatingCl ...) NOT-FOR-US: phpDatingClub CVE-2009-2177 (code/display.php in fuzzylime (cms) 3.03a and earlier, when magic_quot ...) NOT-FOR-US: fuzzylime CVE-2009-2176 (Multiple directory traversal vulnerabilities in fuzzylime (cms) 3.03a ...) NOT-FOR-US: fuzzylime CVE-2009-2175 (Stack-based buffer overflow in the flattenIncrementally function in fl ...) - gnome-xcf-thumbnailer 1.0-1.1 (low; bug #601735) [lenny] - gnome-xcf-thumbnailer (Minor issue) - xcftools 1.0.7-1 (low; bug #533361) [etch] - xcftools 1.0.4-1+etch1 [lenny] - xcftools 1.0.4-1+lenny1 CVE-2009-2174 (GUPnP 0.12.7 allows remote attackers to cause a denial of service (cra ...) - gupnp 0.12.6-3.1 (low; bug #534594) [etch] - gupnp (Minor issue) [lenny] - gupnp (Minor issue) CVE-2009-2173 (The LAN game feature in Carom3D 5.06 allows remote authenticated users ...) NOT-FOR-US: Carom3D CVE-2009-2172 (Cross-site scripting (XSS) vulnerability in forum/radioandtv.php in th ...) NOT-FOR-US: Radio and TV Player addon for vBulletin CVE-2009-2169 (Insecure method vulnerability in the PDFVIEWER.PDFViewerCtrl.1 ActiveX ...) NOT-FOR-US: Edraw PDF Viewer CVE-2009-2168 (cpanel/login.php in EgyPlus 7ammel (aka 7ml) 1.0.1 and earlier sends a ...) NOT-FOR-US: EgyPlus 7ammel (aka 7ml) CVE-2009-2167 (Multiple SQL injection vulnerabilities in cpanel/login.php in EgyPlus ...) NOT-FOR-US: EgyPlus 7ammel (aka 7ml) CVE-2009-2166 (Absolute path traversal vulnerability in cvs.php in OCS Inventory NG b ...) - ocsinventory-server 1.02.1-1 (unimportant; bug #531735) NOTE: README.Debian states Important: access to the reports server should be restricted CVE-2009-2165 (SerendipityNZ (aka SimpleBoxes) Serene Bach 2.20R and earlier, and 3.0 ...) NOT-FOR-US: SerendipityNZ (aka SimpleBoxes) Serene Bach CVE-2009-2164 (Multiple SQL injection vulnerabilities in Kjtechforce mailman beta1, w ...) NOT-FOR-US: kjtechforce CVE-2009-2163 (Cross-site scripting (XSS) vulnerability in login/default.aspx in Site ...) NOT-FOR-US: Sitecore CMS CVE-2009-2162 (Cross-site scripting (XSS) vulnerability in the XOOPS MANIAC PukiWikiM ...) NOT-FOR-US: XOOPS MANIAC PukiWikiMod module CVE-2009-2161 (Directory traversal vulnerability in backend/admin-functions.php in To ...) NOT-FOR-US: TorrentTrader CVE-2009-2160 (TorrentTrader Classic 1.09 allows remote attackers to (1) obtain confi ...) NOT-FOR-US: TorrentTrader CVE-2009-2159 (backup-database.php in TorrentTrader Classic 1.09 does not require adm ...) NOT-FOR-US: TorrentTrader CVE-2009-2158 (account-recover.php in TorrentTrader Classic 1.09 chooses random passw ...) NOT-FOR-US: TorrentTrader CVE-2009-2157 (Multiple SQL injection vulnerabilities in TorrentTrader Classic 1.09 a ...) NOT-FOR-US: TorrentTrader CVE-2009-2156 (Multiple cross-site scripting (XSS) vulnerabilities in TorrentTrader C ...) NOT-FOR-US: TorrentTrader CVE-2009-2155 (Cross-site scripting (XSS) vulnerability in report/ReportViewAction.do ...) NOT-FOR-US: WebNMS CVE-2009-2154 (SQL injection vulnerability in admin/login.php in Impleo Music Collect ...) NOT-FOR-US: Impleo Music Collection CVE-2009-2153 (Cross-site scripting (XSS) vulnerability in index.php in Impleo Music ...) NOT-FOR-US: Impleo Music Collection CVE-2009-2152 (SQL injection vulnerability in a_index.php in AdaptWeb 0.9.2 allows re ...) NOT-FOR-US: AdaptWeb CVE-2009-2151 (Directory traversal vulnerability in index.php in AdaptWeb 0.9.2 allow ...) NOT-FOR-US: AdaptWeb CVE-2009-2150 (Multiple cross-site request forgery (CSRF) vulnerabilities in Campus V ...) NOT-FOR-US: Campus Virtual-LMS CVE-2009-2149 (Multiple cross-site scripting (XSS) vulnerabilities in Campus Virtual- ...) NOT-FOR-US: Campus Virtual-LMS CVE-2009-2148 (SQL injection vulnerability in news/index.php in Campus Virtual-LMS al ...) NOT-FOR-US: Campus Virtual-LMS CVE-2009-2147 (SQL injection vulnerability in fdown.php in phpWebThings 1.5.2 and ear ...) NOT-FOR-US: phpWebThings CVE-2009-2146 (Unrestricted file upload vulnerability in the Compose Email feature in ...) - sugarcrm-ce-5.0 (bug #457876) CVE-2009-2145 (Multiple cross-site scripting (XSS) vulnerabilities in transLucid 1.75 ...) NOT-FOR-US: transLucid CVE-2009-2144 (SQL injection vulnerability in the FireStats plugin before 1.6.2-stabl ...) NOT-FOR-US: FireStats plugin for WordPress CVE-2009-2143 (PHP remote file inclusion vulnerability in firestats-wordpress.php in ...) NOT-FOR-US: FireStats plugin for WordPress CVE-2009-2142 (Multiple SQL injection vulnerabilities in admin/index.asp in Zip Store ...) NOT-FOR-US: Zip Store Chat CVE-2009-2141 (Multiple cross-site scripting (XSS) vulnerabilities in TBDev.NET 01-01 ...) NOT-FOR-US: TBDev.NET CVE-2008-6834 (Multiple directory traversal vulnerabilities in fuzzylime (cms) 3.01 a ...) NOT-FOR-US: fuzzylime CVE-2008-6833 (Directory traversal vulnerability in commsrss.php in fuzzylime (cms) b ...) NOT-FOR-US: fuzzylime CVE-2009-2140 (Multiple heap-based buffer overflows in cppcanvas/source/mtfrenderer/e ...) - openoffice.org (bug introduced by a patch not applied to the deb) CVE-2009-2139 (Heap-based buffer overflow in svtools/source/filter.vcl/wmf/enhwmf.cxx ...) {DSA-1880-1} - openoffice.org 1:3.1.1~ooo310m15-1 CVE-2009-2138 (Multiple open redirect vulnerabilities in TBDev.NET 01-01-08 allow rem ...) NOT-FOR-US: TBDev.NET CVE-2009-2137 (Memory leak in the Ultra-SPARC T2 crypto provider device driver (aka n ...) NOT-FOR-US: Ultra-SPARC T2 crypto provider device driver in Sun Solaris 10 CVE-2009-2136 (Unspecified vulnerability in the TCP/IP networking stack in Sun Solari ...) NOT-FOR-US: Sun Solaris 10 CVE-2009-2135 (Multiple race conditions in the Solaris Event Port API in Sun Solaris ...) NOT-FOR-US: Sun Solaris 10 CVE-2009-2134 (pivot/tb.php in Pivot 1.40.4 and 1.40.7 allows remote attackers to obt ...) NOT-FOR-US: Pivot CVE-2009-2133 (Multiple cross-site scripting (XSS) vulnerabilities in Pivot 1.40.4 an ...) NOT-FOR-US: Pivot CVE-2009-2132 (Directory traversal vulnerability in global.php in 4images before 1.7. ...) NOT-FOR-US: 4images CVE-2009-2131 (Cross-site scripting (XSS) vulnerability in 4images 1.7.7 and earlier ...) NOT-FOR-US: 4images CVE-2009-2130 (Elvin 1.2.0 allows remote attackers to read the PHP source code of (1) ...) NOT-FOR-US: Elvin CVE-2009-2129 (Cross-site request forgery (CSRF) vulnerability in login.php in Elvin ...) NOT-FOR-US: Elvin CVE-2009-2128 (SQL injection vulnerability in close_bug.php in Elvin before 1.2.1 all ...) NOT-FOR-US: Elvin CVE-2009-2127 (Cross-site scripting (XSS) vulnerability in show_activity.php in Elvin ...) NOT-FOR-US: Elvin CVE-2009-2126 (Cross-site scripting (XSS) vulnerability in close_bug.php in Elvin bef ...) NOT-FOR-US: Elvin CVE-2009-2125 (delete_bug.php in Elvin before 1.2.1 does not require administrative p ...) NOT-FOR-US: Elvin CVE-2009-2124 (Directory traversal vulnerability in page.php in Elvin 1.2.0 allows re ...) NOT-FOR-US: Elvin CVE-2009-2123 (Multiple SQL injection vulnerabilities in Elvin 1.2.0 allow remote att ...) NOT-FOR-US: Elvin CVE-2009-2122 (SQL injection vulnerability in viewimg.php in the Paolo Palmonari Phot ...) NOT-FOR-US: Photoracer plugin for WordPress CVE-2009-2121 (Buffer overflow in the browser kernel in Google Chrome before 2.0.172. ...) - chromium-browser (Only 2.x is affected) - webkit (chrome-specific issue) CVE-2009-2170 (Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.0 befo ...) {DSA-1822-1} - mahara 1.1.5-1 (low) CVE-2009-2171 (Mahara 1.1 before 1.1.5 does not apply permission checks when saving a ...) - mahara 1.1.5-1 (low) [lenny] - mahara (vulnerable code introduced in 1.1) CVE-2009-2120 (Multiple SQL injection vulnerabilities in TekBase All-in-One 3.1 allow ...) NOT-FOR-US: TekBase CVE-2009-2119 (Cross-site scripting (XSS) vulnerability in the login interface (my.lo ...) NOT-FOR-US: FirePass CVE-2009-2118 (Integer overflow in IrfanView 4.23, when the resampling or screen fitt ...) NOT-FOR-US: IrfanView CVE-2009-2117 (uye_paneli.php in phPortal 1.0 allows remote attackers to bypass authe ...) NOT-FOR-US: phPortal CVE-2009-2116 (Directory traversal vulnerability in admin.php in SkyBlueCanvas 1.1 r2 ...) NOT-FOR-US: SkyBlueCanvas CVE-2009-2115 (admin.php in SkyBlueCanvas 1.1 r237 allows remote authenticated admini ...) NOT-FOR-US: SkyBlueCanvas CVE-2009-2114 (Multiple cross-site scripting (XSS) vulnerabilities in admin.php in Sk ...) NOT-FOR-US: SkyBlueCanvas CVE-2009-2113 (Multiple SQL injection vulnerabilities in FretsWeb 1.2 allow remote at ...) NOT-FOR-US: FretsWeb CVE-2009-2112 (Directory traversal vulnerability in include/page_bottom.php in phpFK ...) NOT-FOR-US: phpFK CVE-2009-2111 (Static code injection vulnerability in add_reg.php in DB Top Sites 1.0 ...) NOT-FOR-US: DB Top Site CVE-2009-2110 (Multiple directory traversal vulnerabilities in DB Top Sites 1.0, when ...) NOT-FOR-US: DB Top Sites 1.0 CVE-2009-2109 (Multiple directory traversal vulnerabilities in FretsWeb 1.2 allow rem ...) NOT-FOR-US: FretsWeb CVE-2009-2108 (git-daemon in git 1.4.4.5 through 1.6.3 allows remote attackers to cau ...) {DSA-1841-2 DSA-1841-1} - git-core 1:1.6.3.3-1 (medium; bug #532935) NOTE: http://git.kernel.org/?p=git/git.git;a=commitdiff;h=73bb33a9 CVE-2009-XXXX [moin: heirarchical ACL vulnerability] - moin 1.8.4-1 (unimportant; bug #533673) NOTE: Not a specific vulnerability, rather a security-related behaviour change, see bug [etch] - moin (vulnerable code not present in 1.5.3-1.2etch2) CVE-2009-XXXX [pcsc-lite: creates world-writable directory] - pcsc-lite 1.5.4-1 (low; bug #533670) [etch] - pcsc-lite (directory introduced in 1.5.0) [lenny] - pcsc-lite (directory introduced in 1.5.0) CVE-2009-XXXX ["slowloris" denial-of-service vulnerabilty in webservers] - squid - squid3 NOTE: http://www.squid-cache.org/bugs/show_bug.cgi?id=2694 - lighttpd CVE-2009-2107 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in We ...) NOT-FOR-US: Webmedia Explorer CVE-2009-XXXX [ShowConfigTab unintentionally grants rights intended for SuperUsers] - request-tracker3.6 3.6.8-1 (low; bug #532990) [lenny] - request-tracker3.6 3.6.7-5+lenny1 [etch] - request-tracker3.6 (flaw introduced in 3.6.2) - request-tracker3.4 (flaw introduced in 3.6.2; bug #534498) - request-tracker3.8 3.8.4-1 CVE-2009-2106 (SQL injection vulnerability in the Virtual Civil Services (civserv) ex ...) NOT-FOR-US: Virtual Civil Services extension for TYPO3 CVE-2009-2105 (SQL injection vulnerability in the References database (t3references) ...) NOT-FOR-US: References database extension for TYPO3 CVE-2009-2104 (Cross-site scripting (XSS) vulnerability in the Modern Guestbook / Com ...) NOT-FOR-US: Modern Guestbook extension for TYPO3 CVE-2009-2103 (SQL injection vulnerability in the Frontend MP3 Player (fe_mp3player) ...) NOT-FOR-US: Frontend MP3 Player extension for TYPO3 CVE-2009-2102 (SQL injection vulnerability in the Jumi (com_jumi) component 2.0.3 and ...) NOT-FOR-US: Jumi component for Joomla CVE-2009-2101 (Directory traversal vulnerability in archive.php in TorrentVolve 1.4, ...) NOT-FOR-US: TorrentVolve CVE-2009-2100 (Directory traversal vulnerability in the JoomlaPraise Projectfork (com ...) NOT-FOR-US: JoomlaPraise component for Joomla CVE-2009-2099 (SQL injection vulnerability in the iJoomla RSS Feeder (com_ijoomla_rss ...) NOT-FOR-US: iJoomla RSS Feeder component for Joomla CVE-2009-2098 (SQL injection vulnerability in topicler.php in phPortal 1.0 allows rem ...) NOT-FOR-US: phPortal CVE-2009-2097 (SQL injection vulnerability in system/application/controllers/catalog. ...) NOT-FOR-US: Zoki Catalog CVE-2009-2096 (SQL injection vulnerability in house/listing_view.php in phpCollegeExc ...) NOT-FOR-US: phpCollegeExchange CVE-2009-2095 (PHP remote file inclusion vulnerability in template/simpledefault/admi ...) NOT-FOR-US: Mundi Mail CVE-2009-2094 (Unspecified vulnerability in IBM WebSphere Commerce 6.0 Enterprise bef ...) NOT-FOR-US: IBM WebSphere Commerce CVE-2009-2093 (SQL injection vulnerability in the console in IBM WebSphere Partner Ga ...) NOT-FOR-US: IBM WebSphere CVE-2009-2092 (IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.5 does not pro ...) NOT-FOR-US: IBM WebSphere CVE-2009-2091 (The System Management/Repository component in IBM WebSphere Applicatio ...) NOT-FOR-US: IBM WebSphere CVE-2009-2090 (Unspecified vulnerability in wsadmin in the System Management/Reposito ...) NOT-FOR-US: IBM WebSphere CVE-2009-2089 (The Migration component in IBM WebSphere Application Server (WAS) 6.1 ...) NOT-FOR-US: IBM WebSphere CVE-2009-2088 (The Servlet Engine/Web Container component in IBM WebSphere Applicatio ...) NOT-FOR-US: IBM WebSphere CVE-2009-2087 (The Web Services functionality in IBM WebSphere Application Server (WA ...) NOT-FOR-US: IBM WebSphere CVE-2009-2086 REJECTED CVE-2009-2085 (The Security component in IBM WebSphere Application Server (WAS) 6.1 b ...) NOT-FOR-US: IBM WebSphere CVE-2009-2084 (Simple Linux Utility for Resource Management (SLURM) 1.2 and 1.3 befor ...) {DSA-1776-1} - slurm-llnl 1.3.15-1 (bug #524980) [lenny] - slurm-llnl 1.3.6-1lenny3 CVE-2009-2083 (Cross-site scripting (XSS) vulnerability in the term data detail page ...) NOT-FOR-US: Taxonomy CVE-2009-2082 (SQL injection vulnerability in insidepage.php in Creative Web Solution ...) NOT-FOR-US: Creative Web Solutions Multi-Level CMS CVE-2009-2081 (Directory traversal vulnerability in help.php in phpWebThings 1.5.2 an ...) NOT-FOR-US: phpWebThings CVE-2009-2080 (admin.php in MRCGIGUY The Ticket System 2.0 does not properly restrict ...) NOT-FOR-US: MRCGIGUY CVE-2009-2079 (Cross-site scripting (XSS) vulnerability in the administrative page in ...) NOT-FOR-US: Taxonomy CVE-2009-2078 (Multiple cross-site scripting (XSS) vulnerabilities in Booktree 5.x be ...) NOT-FOR-US: Booktree module for drupal CVE-2009-2077 (Drupal 6.x before 6.x-2.6, a module for Drupal, allows remote authenti ...) - drupal6-mod-views (Fixed before initial upload) CVE-2009-2076 (Cross-site scripting (XSS) vulnerability in Views 6.x before 6.x-2.6, ...) - drupal6-mod-views (Fixed before initial upload) CVE-2009-2075 (Nodequeue 5.x before 5.x-2.7 and 6.x before 6.x-2.2, a module for Drup ...) NOT-FOR-US: Nodequeue module for Drupal CVE-2009-2074 (Cross-site scripting (XSS) vulnerability in Nodequeue 5.x before 5.x-2 ...) NOT-FOR-US: Nodequeue module for Drupal CVE-2009-XXXX [backuppc: web frontend installed insecurely by default] - backuppc 3.1.0-6 [lenny] - backuppc 3.1.0-4lenny1 CVE-2009-XXXX [clamav scanner bypass with archives] - clamav 0.95.2+dfsg-1 (low; bug #535881) [lenny] - clamav (Inherent to the concept of malware concept) [etch] - clamav (Support was discontinued) NOTE: http://blog.zoller.lu/2009/05/advisory-clamav-generic-bypass.html CVE-2009-2073 (Cross-site request forgery (CSRF) vulnerability in Linksys WRT160N wir ...) NOT-FOR-US: Linksys CVE-2009-2072 (Apple Safari does not require a cached certificate before displaying a ...) NOT-FOR-US: Apple Safari CVE-2009-2071 (Google Chrome before 1.0.154.53 displays a cached certificate for a (1 ...) - chromium-browser (Only 1.x is affected) - webkit (chrome-specific issue) CVE-2009-2070 (Opera displays a cached certificate for a (1) 4xx or (2) 5xx CONNECT r ...) NOT-FOR-US: Opera CVE-2009-2069 (Microsoft Internet Explorer before 8 displays a cached certificate for ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-2068 (Google Chrome detects http content in https web pages only when the to ...) - chromium-browser 5.0.342.9~r43360-1 CVE-2009-2067 (Opera detects http content in https web pages only when the top-level ...) NOT-FOR-US: Opera CVE-2009-2066 (Apple Safari detects http content in https web pages only when the top ...) NOT-FOR-US: Apple Safari CVE-2009-2065 (Mozilla Firefox 3.0.10, and possibly other versions, detects http cont ...) - xulrunner (bug #565521) [wheezy] - xulrunner (no detailed information available) CVE-2009-2064 (Microsoft Internet Explorer 8, and possibly other versions, detects ht ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-2063 (Opera, possibly before 9.25, processes a 3xx HTTP CONNECT response bef ...) NOT-FOR-US: Opera CVE-2009-2062 (Apple Safari before 3.2.2 processes a 3xx HTTP CONNECT response before ...) NOT-FOR-US: Apple Safari CVE-2009-2061 (Mozilla Firefox before 3.0.10 processes a 3xx HTTP CONNECT response be ...) {DSA-1830-1 DSA-1820-1} - xulrunner 1.9.0.11-1 - icedove 2.0.0.22-1 (bug #535124) [squeeze] - icedove 2.0.0.22-0lenny1 CVE-2009-2060 (src/net/http/http_transaction_winhttp.cc in Google Chrome before 1.0.1 ...) - chromium-browser (Only 1.x is affected) - webkit (chrome-specific issue) CVE-2009-2059 (Opera, possibly before 9.25, uses the HTTP Host header to determine th ...) NOT-FOR-US: Opera CVE-2009-2058 (Apple Safari before 3.2.2 uses the HTTP Host header to determine the c ...) NOT-FOR-US: Apple Safari CVE-2009-2057 (Microsoft Internet Explorer before 8 uses the HTTP Host header to dete ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-2056 (Cisco IOS XR 3.8.1 and earlier allows remote authenticated users to ca ...) NOT-FOR-US: Cisco CVE-2009-2055 (Cisco IOS XR 3.4.0 through 3.8.1 allows remote attackers to cause a de ...) NOT-FOR-US: Cisco IOS CVE-2009-2054 (Cisco Unified Communications Manager (aka CUCM, formerly CallManager) ...) NOT-FOR-US: Cisco CVE-2009-2053 (Cisco Unified Communications Manager (aka CUCM, formerly CallManager) ...) NOT-FOR-US: Cisco CVE-2009-2052 (Cisco Unified Communications Manager (aka CUCM, formerly CallManager) ...) NOT-FOR-US: Cisco CVE-2009-2051 (Cisco IOS 12.2 through 12.4 and 15.0 through 15.1, Cisco IOS XE 2.5.x ...) NOT-FOR-US: Cisco CVE-2009-2050 (Cisco Unified Communications Manager (aka CUCM, formerly CallManager) ...) NOT-FOR-US: Cisco CVE-2009-2049 (Cisco IOS 12.0(32)S12 through 12.0(32)S13 and 12.0(33)S3 through 12.0( ...) NOT-FOR-US: Cisco IOS CVE-2009-2048 (Cross-site scripting (XSS) vulnerability in the Administration interfa ...) NOT-FOR-US: Cisco CVE-2009-2047 (Directory traversal vulnerability in the Administration interface in C ...) NOT-FOR-US: Cisco CVE-2009-2046 (The embedded web server on the Cisco Video Surveillance 2500 Series IP ...) NOT-FOR-US: Cisco CVE-2009-2045 (The Cisco Video Surveillance Stream Manager firmware before 5.3, as us ...) NOT-FOR-US: Cisco CVE-2009-2044 (Mozilla Firefox 3.0.10 and earlier on Linux allows remote attackers to ...) - xulrunner (uses external cairo library) - cairo 1.8.8-2 (unimportant) NOTE: http://cgit.freedesktop.org/cairo/commit/?id=2cf82eaf0d08e68b787bb0792da97e73d8d4ce38 NOTE: Just a crasher CVE-2009-2043 (nsViewManager.cpp in Mozilla Firefox 3.0.2 through 3.0.10 allows remot ...) - xulrunner (unimportant) NOTE: Browser crashes not treated as security issues CVE-2009-2042 (libpng before 1.2.37 does not properly parse 1-bit interlaced images w ...) {DSA-2032-1} - libpng 1.2.37-1 (low; bug #533676) [etch] - libpng (Minor issue, only exploitable in rare setups) - xulrunner (xulrunner dynamically linked against libpng; embeded code copy not used) CVE-2009-2041 (Cross-site scripting (XSS) vulnerability in A51 D.O.O. activeCollab 0. ...) NOT-FOR-US: activeCollab CVE-2009-2040 (admin/options.php in Grestul 1.2 does not properly restrict access, wh ...) NOT-FOR-US: Grestul CVE-2009-2039 (Unspecified vulnerability in the Luottokunta module before 1.3 for osC ...) NOT-FOR-US: Luottokunta module for osCommerce CVE-2009-2038 (Unspecified vulnerability in the Finnish Bank Payment module 2.2 for o ...) NOT-FOR-US: Finnish Bank Payment module 2.2 for osCommerce CVE-2009-2037 (Multiple directory traversal vulnerabilities in Online Grades & At ...) NOT-FOR-US: Online Grades CVE-2009-2036 (SQL injection vulnerability in index.php in Open Biller 0.1 allows rem ...) NOT-FOR-US: Open Biller CVE-2009-2035 (Unspecified vulnerability in Services 6.x before 6.x-0.14, a module fo ...) NOT-FOR-US: Service module for Drupal CVE-2009-2034 (SQL injection vulnerability in writemessage.php in Yogurt 0.3, when re ...) NOT-FOR-US: Yogurt CVE-2009-2033 (Cross-site scripting (XSS) vulnerability in index.php in Yogurt 0.3 al ...) NOT-FOR-US: Yogurt CVE-2009-2032 (Cross-site scripting (XSS) vulnerability in search.asp in PDshopPro, w ...) NOT-FOR-US: PDshopPro CVE-2009-2031 (smbfs in Sun OpenSolaris snv_84 through snv_110, when default mount pe ...) NOT-FOR-US: OpenSolaris CVE-2009-2030 (Unspecified vulnerability in the XML Digital Signature verification fu ...) NOT-FOR-US: IBM OS/400 CVE-2009-2029 (Unspecified vulnerability in rpc.nisd in Sun Solaris 8 through 10, and ...) NOT-FOR-US: Sun Solaris CVE-2009-2028 (Multiple unspecified vulnerabilities in Adobe Reader 7 and Acrobat 7 b ...) NOT-FOR-US: Adobe CVE-2009-2027 (The Installer in Apple Safari before 4.0 on Windows allows local users ...) NOT-FOR-US: Apple Safari CVE-2009-2026 (Stack-based buffer overflow in a token searching function in the dtsco ...) NOT-FOR-US: CA Software Delivery CVE-2009-2025 (admin/login.php in DM FileManager 3.9.2 allows remote attackers to byp ...) NOT-FOR-US: DM FileManager CVE-2009-2024 (Vlad Titarenko ASP VT Auth 1.0 stores sensitive information under the ...) NOT-FOR-US: Vlad Titarenko ASP VT Auth CVE-2009-2023 (SQL injection vulnerability in index.php in Shop-Script Pro 2.12, when ...) NOT-FOR-US: Shop-Script CVE-2009-2022 (fipsCMS Light 2.1 stores sensitive information under the web root with ...) NOT-FOR-US: fipsCMS CVE-2009-2021 (SQL injection vulnerability in search.php in Virtue Classifieds allows ...) NOT-FOR-US: Virtue Classifieds allows CVE-2009-2020 (Cross-site scripting (XSS) vulnerability in news_detail.php in Virtue ...) NOT-FOR-US: News Manager CVE-2009-2019 (SQL injection vulnerability in news_detail.php in Virtue News Manager ...) NOT-FOR-US: Virtue News Manager CVE-2009-2018 (SQL injection vulnerability in admin/index.php in Jared Eckersley MyCa ...) NOT-FOR-US: Jared Eckersley MyCars CVE-2009-2017 (SQL injection vulnerability in products.php in Virtue Book Store allow ...) NOT-FOR-US: Virtue Book Store CVE-2009-2016 (SQL injection vulnerability in products.php in Virtue Shopping Mall al ...) NOT-FOR-US: Virtue Shopping Mall CVE-2009-2015 (Directory traversal vulnerability in includes/file_includer.php in the ...) NOT-FOR-US: com_moofaq for Joomla! CVE-2009-2014 (SQL injection vulnerability in the ComSchool (com_school) component 1. ...) NOT-FOR-US: com_school for Joomla! CVE-2009-2013 (SQL injection vulnerability in bin/aps_browse_sources.php in Frontis 3 ...) NOT-FOR-US: Frontis CVE-2009-2012 (Unspecified vulnerability in idmap in Sun OpenSolaris snv_88 through s ...) NOT-FOR-US: OpenSolaris CVE-2009-2011 (Worldweaver DX Studio Player 3.0.29.0, 3.0.22.0, 3.0.12.0, and probabl ...) NOT-FOR-US: Worldweaver DX Studio Player CVE-2009-2010 (Multiple SQL injection vulnerabilities in Haudenschilt Family Connecti ...) NOT-FOR-US: Haudenschilt Family Connections CMS CVE-2009-2009 (Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.5, a ...) NOT-FOR-US: Dokeos CVE-2009-2008 (Multiple SQL injection vulnerabilities in Dokeos 1.8.5, and possibly e ...) NOT-FOR-US: Dokeos CVE-2009-2007 (Multiple directory traversal vulnerabilities in Dokeos 1.8.5, and poss ...) NOT-FOR-US: Dokeos CVE-2009-2006 (Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.5, a ...) NOT-FOR-US: Dokeos CVE-2009-2005 (Cross-site request forgery (CSRF) vulnerability in Dokeos 1.8.5, and p ...) NOT-FOR-US: Dokeos CVE-2009-2004 (Multiple SQL injection vulnerabilities in main/mySpace/myStudents.php ...) NOT-FOR-US: Dokeos CVE-2009-2003 (Ascad Networks Password Protector SD 1.3.1 allows remote attackers to ...) NOT-FOR-US: Ascad Networks Password Protector CVE-2009-2002 (Unspecified vulnerability in the WebLogic Portal component in BEA Prod ...) NOT-FOR-US: BEA Product Suite CVE-2009-2001 (Unspecified vulnerability in the PL/SQL component in Oracle Database 1 ...) NOT-FOR-US: Oracle Database CVE-2009-2000 (Unspecified vulnerability in the Authentication component in Oracle Da ...) NOT-FOR-US: Oracle Database CVE-2009-1999 (Unspecified vulnerability in the Business Intelligence Enterprise Edit ...) NOT-FOR-US: Oracle Application Server CVE-2009-1998 (Unspecified vulnerability in the Oracle Communications Order and Servi ...) NOT-FOR-US: Oracle Industry Applications CVE-2009-1997 (Unspecified vulnerability in the Authentication component in Oracle Da ...) NOT-FOR-US: Oracle Database CVE-2009-1996 (Unspecified vulnerability in the Logical Standby component in Oracle D ...) NOT-FOR-US: Oracle Database CVE-2009-1995 (Unspecified vulnerability in the Advanced Queuing component in Oracle ...) NOT-FOR-US: Oracle Database CVE-2009-1994 (Unspecified vulnerability in the Oracle Spatial component in Oracle Da ...) NOT-FOR-US: Oracle Database CVE-2009-1993 (Unspecified vulnerability in the Application Express component in Orac ...) NOT-FOR-US: Oracle Database CVE-2009-1992 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database CVE-2009-1991 (Unspecified vulnerability in the Oracle Text component in Oracle Datab ...) NOT-FOR-US: Oracle Database CVE-2009-1990 (Unspecified vulnerability in the Business Intelligence Enterprise Edit ...) NOT-FOR-US: Oracle Application Server CVE-2009-1989 (Unspecified vulnerability in the PeopleSoft Enterprise FMS component i ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2009-1988 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS eProfile M ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2009-1987 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools - E ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2009-1986 (Unspecified vulnerability in the Oracle Applications Manager component ...) NOT-FOR-US: Oracle Applications Manager CVE-2009-1985 (Unspecified vulnerability in the Network Authentication component in O ...) NOT-FOR-US: Oracle Database CVE-2009-1984 (Unspecified vulnerability in the Application Install component in Orac ...) NOT-FOR-US: Oracle E-Business Suite CVE-2009-1983 (Unspecified vulnerability in the Oracle iStore component in Oracle E-B ...) NOT-FOR-US: Oracle E-Business Suite CVE-2009-1982 (Unspecified vulnerability in the Oracle Applications Framework compone ...) NOT-FOR-US: Oracle E-Business Suite CVE-2009-1981 (Unspecified vulnerability in the Highly Interactive Client component i ...) NOT-FOR-US: Siebel Product Suite CVE-2009-1980 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2009-1979 (Unspecified vulnerability in the Network Authentication component in O ...) NOT-FOR-US: Oracle Database CVE-2009-1978 (Unspecified vulnerability in the Oracle Secure Backup component in Ora ...) NOT-FOR-US: Oracle Secure Backup CVE-2009-1977 (Unspecified vulnerability in the Oracle Secure Backup component in Ora ...) NOT-FOR-US: Oracle Secure Backup CVE-2009-1976 (Unspecified vulnerability in the HTTP Server component in Oracle Appli ...) NOT-FOR-US: Oracle Application Server CVE-2009-1975 (Unspecified vulnerability in the WebLogic Server component in BEA Prod ...) NOT-FOR-US: BEA WebLogic Server CVE-2009-1974 (Unspecified vulnerability in the WebLogic Server component in BEA Prod ...) NOT-FOR-US: BEA WebLogic CVE-2009-1973 (Unspecified vulnerability in the Virtual Private Database component in ...) NOT-FOR-US: Oracle Database CVE-2009-1972 (Unspecified vulnerability in the Auditing component in Oracle Database ...) NOT-FOR-US: Oracle Database CVE-2009-1971 (Unspecified vulnerability in the Data Pump component in Oracle Databas ...) NOT-FOR-US: Oracle Database CVE-2009-1970 (Unspecified vulnerability in the Listener component in Oracle Database ...) NOT-FOR-US: Oracle Database CVE-2009-1969 (Unspecified vulnerability in the Auditing component in Oracle Database ...) NOT-FOR-US: Oracle Database CVE-2009-1968 (Unspecified vulnerability in the Secure Enterprise Search component in ...) NOT-FOR-US: Oracle Database CVE-2009-1967 (Unspecified vulnerability in the Config Management component in (1) Or ...) NOT-FOR-US: Oracle Database CVE-2009-1966 (Unspecified vulnerability in the Config Management component in (1) Or ...) NOT-FOR-US: Oracle Database CVE-2009-1965 (Unspecified vulnerability in the Net Foundation Layer component in Ora ...) NOT-FOR-US: Oracle Database CVE-2009-1964 (Unspecified vulnerability in the Workspace Manager component in Oracle ...) NOT-FOR-US: Oracle Database CVE-2009-1963 (Unspecified vulnerability in the Network Foundation component in Oracl ...) NOT-FOR-US: Oracle Database CVE-2008-6832 (Cross-site request forgery (CSRF) vulnerability in Atlassian JIRA Ente ...) NOT-FOR-US: Atlassian JIRA Enterprise Edition CVE-2008-6831 (Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA ...) NOT-FOR-US: Atlassian JIRA Enterprise Edition CVE-2008-6830 (The disconnection feature in Citrix Web Interface 5.0 and 5.0.1 for Ja ...) NOT-FOR-US: Java Application Servers CVE-2008-6829 (VicFTPS 5.0 allows remote attackers to cause a denial of service (cras ...) NOT-FOR-US: VicFTPS CVE-2008-6828 (Symantec Altiris Deployment Solution 6.x before 6.9.355 SP1 stores the ...) NOT-FOR-US: Symantec Altiris Deployment Solution CVE-2008-6827 (The ListView control in the Client GUI (AClient.exe) in Symantec Altir ...) NOT-FOR-US: Symantec Altiris Deployment Solution CVE-2008-6826 (dhtml.pl in MHF Media Pro allows remote attackers to execute arbitrary ...) NOT-FOR-US: MHF Media Pro CVE-2009-XXXX [predictable random number generator used in web browsers] - webkit 1.2 (low; bug #532514) NOTE: The implementations for UNIX seems fine, might be fixed earlier [lenny] - webkit (Minor issue) - kdebase (unimportant; bug #532519) - w3m (unimportant; bug #532521) NOTE: w3m doesn't have Javascript support and the boundary issue is harmles - chromium-browser 26.0.1410.43-1 (bug #520324) [squeeze] - chromium-browser NOTE: chromium has provides window.crypto.getRandomValues as a strong random number generator NOTE: https://code.google.com/p/chromium/issues/detail?id=246054 - lynx 2.8.7rel.1-1 (unimportant; bug #532520) NOTE: lynx doesn't have Javascript and form-data support - dillo (bug #532522) NOTE: These issues can be fixed in more recent upstream versions, but the risk NOTE: of regression doesn't outweigh the issue at hand CVE-2009-1961 (The inode double locking code in fs/ocfs2/file.c in the Linux kernel 2 ...) {DSA-1844-1} - linux-2.6 2.6.30-1 (low) [etch] - linux-2.6 (Affected code was introduced in 2.6.19) [lenny] - linux-2.6 2.6.26-16 - linux-2.6.24 NOTE: fixed in lenny 5.0.2 release CVE-2009-1959 (Off-by-one error in the event_wallops function in fe-common/irc/fe-eve ...) - irssi 0.8.13-2 (low; bug #532607; bug #531357) [lenny] - irssi 0.8.12-7 [etch] - irssi 0.8.10-3 NOTE: exploitability limited, DoS rather obscure attack scenario CVE-2009-1956 (Off-by-one error in the apr_brigade_vprintf function in Apache APR-uti ...) - apr-util 1.3.7+dfsg-1 (low) [lenny] - apr-util 1.2.12+dfsg-8+lenny3 CVE-2009-1955 (The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Ap ...) {DSA-1812-1} - apr-util 1.3.7+dfsg-1 (medium) CVE-2009-1954 (Unspecified vulnerability in portmapper (aka portmap) in IBM AIX 5.3 a ...) NOT-FOR-US: IBM AIX CVE-2009-1953 (IBM FileNet Content Manager 4.0, 4.0.1, and 4.5, as used in IBM WebSph ...) NOT-FOR-US: IBM FileNet Content Manager CVE-2009-1952 (Multiple SQL injection vulnerabilities in the administrative login fea ...) NOT-FOR-US: PropertyMax CVE-2009-1951 (Cross-site scripting (XSS) vulnerability in index.php in PropertyMax P ...) NOT-FOR-US: PropertyMax CVE-2009-1950 (SQL injection vulnerability in yorum.asp in WebEyes Guest Book 3 allow ...) NOT-FOR-US: WebEyes Guest Book CVE-2009-1949 (import_wbb1.php in Unclassified NewsBoard (UNB) 1.6.4 allows remote at ...) NOT-FOR-US: Unclassified NewsBoard CVE-2009-1948 (Multiple directory traversal vulnerabilities in forum.php in Unclassif ...) NOT-FOR-US: Unclassified NewsBoard CVE-2009-1947 (SQL injection vulnerability in the UnbDbEncode function in unb_lib/dat ...) NOT-FOR-US: Unclassified NewsBoard CVE-2009-1946 (PHP remote file inclusion vulnerability in latestposts.php in AdaptBB ...) NOT-FOR-US: AdaptBB CVE-2009-1945 (SQL injection vulnerability in webCal3_detail.asp in WebCal 3.04 allow ...) NOT-FOR-US: cWebCal CVE-2009-1944 (Stack-based buffer overflow in AIMP 2.51 build 330 allows remote attac ...) NOT-FOR-US: AIMP CVE-2009-1943 (Stack-based buffer overflow in the IKE service (ireIke.exe) in SafeNet ...) NOT-FOR-US: SafeNet SoftRemote CVE-2009-1942 (Cross-site scripting (XSS) vulnerability in the Quiz module 5.x, 6.x-2 ...) NOT-FOR-US: Quiz module for Drupal CVE-2009-1941 (PAD Site Scripts 3.6 stores sensitive information under the web docume ...) NOT-FOR-US: PAD Site Scripts CVE-2009-1940 (Cross-site scripting (XSS) vulnerability in the administrator panel in ...) NOT-FOR-US: Joomla! CVE-2009-1939 (Cross-site scripting (XSS) vulnerability in the JA_Purity template for ...) NOT-FOR-US: Joomla! CVE-2009-1938 (Cross-site scripting (XSS) vulnerability in Joomla! 1.5.x through 1.5. ...) NOT-FOR-US: Joomla! CVE-2009-1937 (Cross-site scripting (XSS) vulnerability in the comment posting featur ...) NOT-FOR-US: LightNEasy CVE-2009-1936 (_functions.php in cpCommerce 1.2.x, possibly including 1.2.9, sends a ...) NOT-FOR-US: cpCommerce CVE-2009-1935 (Integer overflow in the pipe_build_write_buffer function (sys/kern/sys ...) - kfreebsd-6 [lenny] - kfreebsd-6 (KFreebsd not supported) - kfreebsd-7 7.2-2 [lenny] - kfreebsd-7 (KFreebsd not supported) CVE-2009-1934 (Cross-site scripting (XSS) vulnerability in the Reverse Proxy Plug-in ...) NOT-FOR-US: Sun Java System Web Server CVE-2009-1933 (Kerberos in Sun Solaris 8, 9, and 10, and OpenSolaris before snv_117, ...) NOT-FOR-US: Solaris CVE-2008-6825 (Directory traversal vulnerability in user/index.php in Fonality trixbo ...) NOT-FOR-US: trixbox CVE-2009-XXXX [pgp4pine off-by-one] - pgp4pine (bug #457947; medium) [etch] - pgp4pine (Contrib not supported) [lenny] - pgp4pine (Contrib not supported) NOTE: http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0122.html NOTE: unlike the note states this is not just an off-by-one, classic stack-based buffer overflow CVE-2009-1932 (Multiple integer overflows in the (1) user_info_callback, (2) user_end ...) {DSA-1839-1} - gst-plugins-good0.10 0.10.15-2 (medium; bug #531631; bug #532352) CVE-2009-1931 RESERVED CVE-2009-1930 (The Telnet service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Serv ...) NOT-FOR-US: Microsoft Windows CVE-2009-1929 (Heap-based buffer overflow in the Microsoft Terminal Services Client A ...) NOT-FOR-US: ActiveX CVE-2009-1928 (Stack consumption vulnerability in the LDAP service in Active Director ...) NOT-FOR-US: Microsoft Windows CVE-2009-1927 REJECTED CVE-2009-1926 (Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gol ...) NOT-FOR-US: Microsoft Windows CVE-2009-1925 (The TCP/IP implementation in Microsoft Windows Vista Gold, SP1, and SP ...) NOT-FOR-US: Microsoft Windows Vista Gold CVE-2009-1924 (Integer overflow in the Windows Internet Name Service (WINS) component ...) NOT-FOR-US: Microsoft Windows CVE-2009-1923 (Heap-based buffer overflow in the Windows Internet Name Service (WINS) ...) NOT-FOR-US: Microsoft Windows CVE-2009-1922 (The Message Queuing (aka MSMQ) service for Microsoft Windows 2000 SP4, ...) NOT-FOR-US: Microsoft Windows CVE-2009-1921 REJECTED CVE-2009-1920 (The JScript scripting engine 5.1, 5.6, 5.7, and 5.8 in JScript.dll in ...) NOT-FOR-US: Microsoft CVE-2009-1919 (Microsoft Internet Explorer 5.01 SP4 and 6 SP1; Internet Explorer 6 fo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-1918 (Microsoft Internet Explorer 5.01 SP4 and 6 SP1; Internet Explorer 6 fo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-1917 (Microsoft Internet Explorer 6 SP1; Internet Explorer 6 for Windows XP ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-1916 (dig.php in GScripts.net DNS Tools allows remote attackers to execute a ...) NOT-FOR-US: GScripts.net DNS Tools CVE-2009-1915 (Stack-based buffer overflow in the URL Search Hook (ICQToolBar.dll) in ...) NOT-FOR-US: ICQ CVE-2009-1914 (The pci_register_iommu_region function in arch/sparc/kernel/pci_common ...) {DSA-1844-1} - linux-2.6 2.6.29-1 (low; bug #532722) [lenny] - linux-2.6 2.6.26-16 - linux-2.6.24 NOTE: updated in lenny 5.0.2 release CVE-2009-1913 (SQL injection vulnerability in manager.php in LuxBum 0.5.5, when magic ...) NOT-FOR-US: LuxBum CVE-2009-1912 (Directory traversal vulnerability in src/func/language.php in webSPELL ...) NOT-FOR-US: webSPELL CVE-2009-1911 (Directory traversal vulnerability in .include/init.php (aka admin/_inc ...) NOT-FOR-US: QuiXplorer CVE-2009-1910 (SQL injection vulnerability in index.php in RTWebalbum 1.0.462 allows ...) NOT-FOR-US: RTWebalbum CVE-2009-1909 (SQL injection vulnerability in Skip 1.0.2 and earlier, and 1.1RC2 and ...) NOT-FOR-US: Skip CVE-2009-1908 (Cross-site scripting (XSS) vulnerability in Skip 1.0.2 and earlier, an ...) NOT-FOR-US: Skip CVE-2009-1907 (Cross-site scripting (XSS) vulnerability in claroline/linker/notfound. ...) NOT-FOR-US: Claroline CVE-2008-6824 (The management interface on the A-LINK WL54AP3 and WL54AP2 access poin ...) NOT-FOR-US: A-LINK WL54AP3 and WL54AP2 access points CVE-2008-6823 (Multiple cross-site request forgery (CSRF) vulnerabilities in the mana ...) NOT-FOR-US: A-LINK WL54AP3 and WL54AP2 access points CVE-2008-6822 (Unrestricted file upload vulnerability in uploadp.php in New Earth Pro ...) NOT-FOR-US: NEPT Image Uploader CVE-2009-1906 (The DRDA Services component in IBM DB2 9.1 before FP7 and 9.5 before F ...) NOT-FOR-US: IBM DB2 CVE-2009-1905 (The Common Code Infrastructure component in IBM DB2 8 before FP17, 9.1 ...) NOT-FOR-US: IBM DB2 CVE-2009-1904 (The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 ...) {DSA-1860-1} - ruby1.8 1.8.7.173-1 (low; bug #532689) - ruby1.9 (bug #575778) NOTE: http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/ CVE-2009-1903 (The PDF XSS protection feature in ModSecurity before 2.5.8 allows remo ...) - libapache-mod-security 2.5.9-1 CVE-2009-1902 (The multipart processor in ModSecurity before 2.5.9 allows remote atta ...) - libapache-mod-security 2.5.9-1 CVE-2009-1901 (The Security component in IBM WebSphere Application Server (WAS) 6.0.2 ...) NOT-FOR-US: IBM WebSphere CVE-2009-1900 (The Configservice APIs in the Administrative Console component in IBM ...) NOT-FOR-US: IBM WebSphere CVE-2009-1899 (Unspecified vulnerability in the Administrative Configservice API in t ...) NOT-FOR-US: IBM WebSphere CVE-2009-1898 (The secure login page in the Administrative Console component in IBM W ...) NOT-FOR-US: IBM WebSphere CVE-2008-6821 (Buffer overflow in the DAS server in IBM DB2 8 before FP17, 9.1 before ...) NOT-FOR-US: IBM DB2 CVE-2008-6820 (The db2fmp process in IBM DB2 8 before FP17, 9.1 before FP5, and 9.5 b ...) NOT-FOR-US: IBM DB2 CVE-2009-1960 (inc/init.php in DokuWiki 2009-02-14, rc2009-02-06, and rc2009-01-30, w ...) - dokuwiki 0.0.20090214b-1 (unimportant) NOTE: we don't support setups with register_globals enabled CVE-2009-1897 (The tun_chr_poll function in drivers/net/tun.c in the tun subsystem in ...) - linux-2.6 2.6.30-3 (high; bug #537409) [etch] - linux-2.6 (vulnerable code introduced in 2.6.29) [lenny] - linux-2.6 (vulnerable code introduced in 2.6.29) - linux-2.6.24 (vulnerable code introduced in 2.6.29) NOTE: http://seclists.org/fulldisclosure/2009/Jul/0241.html CVE-2009-1896 (The Java Web Start framework in IcedTea in OpenJDK before 1.6.0.0-20.b ...) - openjdk-6 6b16-1.6-1 (bug #542210) CVE-2009-1895 (The personality subsystem in the Linux kernel before 2.6.31-rc3 has a ...) {DSA-1845-1 DSA-1844-1} - linux-2.6 2.6.30-3 (low) [etch] - linux-2.6 (mmap_min_addr first indroduced in 2.6.23) - linux-2.6.24 CVE-2009-1894 (Race condition in PulseAudio 0.9.9, 0.9.10, and 0.9.14 allows local us ...) {DSA-1838-1} - pulseaudio 0.9.15-4.1 (high; bug #537351) [etch] - pulseaudio (vulnerable code not present) CVE-2009-1893 (The configtest function in the Red Hat dhcpd init script for DHCP 3.0. ...) NOT-FOR-US: Red Hat dhcpd init script for DHCP CVE-2009-1892 (dhcpd in ISC DHCP 3.0.4 and 3.1.1, when the dhcp-client-identifier and ...) {DSA-1833-2} - isc-dhcp 3.1.2p1-2 (low; bug #539492) - dhcp3 3.1.2p1-2 (low; bug #549584) [etch] - dhcp3 (problematic assert is not present) [lenny] - dhcp3 3.1.1-6+lenny2 CVE-2009-1891 (The mod_deflate module in Apache httpd 2.2.11 and earlier compresses l ...) {DSA-1834-1} - apache2 2.2.11-7 (medium; bug #534712) CVE-2009-1890 (The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy mo ...) {DSA-1834-1} - apache2 2.2.11-7 (medium; bug #536718) [etch] - apache2 (bug introduced in 2.2.5) [lenny] - apache2 2.2.9-10+lenny4 CVE-2009-1889 (The OSCAR protocol implementation in Pidgin before 2.5.8 misinterprets ...) - pidgin 2.5.8-1 (low; bug #535790) [lenny] - pidgin (Minor issue) NOTE: http://developer.pidgin.im/ticket/9483 NOTE: http://developer.pidgin.im/viewmtn/revision/info/9bac0a540156fb1848eedd61c8630737dee752c7 CVE-2009-1888 (The acl_group_override function in smbd/posix_acls.c in smbd in Samba ...) {DSA-1823-1} - samba 2:3.3.6-1 (low) [etch] - samba (Vulnerable code not present) NOTE: Successful exploitation requires that "dos filemode" is set to "yes" in smb.conf. CVE-2009-1887 (agent/snmp_agent.c in snmpd in net-snmp 5.0.9 in Red Hat Enterprise Li ...) - net-snmp (Vulnerable code not present) NOTE: Red Hat incorrect fix for CVE-2008-4309. Checked code in oldstable and stable. CVE-2009-1886 (Multiple format string vulnerabilities in client/client.c in smbclient ...) {DSA-1823-1} - samba 2:3.3.6-1 [etch] - samba (Vulnerable code not present) NOTE: Only the 3.2.x branch was affected, so marking 3.3 as affected CVE-2009-1885 (Stack consumption vulnerability in validators/DTD/DTDScanner.cpp in Ap ...) - xerces-c 3.0.1-2 (low; bug #540297) [etch] - xerces-c (Minor issue) [lenny] - xerces-c (Minor issue) - xerces-c2 2.8.0+deb1-2 (low; bug #541986) [lenny] - xerces-c2 2.8.0-3+lenny1 - xerces27 [etch] - xerces27 (Minor issue) CVE-2009-1884 (Off-by-one error in the bzinflate function in Bzip2.xs in the Compress ...) - libcompress-raw-bzip2-perl 2.018-1 (medium; bug #542777) [lenny] - libcompress-raw-bzip2-perl 2.011-2lenny1 CVE-2009-1883 (The z90crypt_unlocked_ioctl function in the z90crypt driver in the Lin ...) {DSA-1929-1} - linux-2.6 2.6.19-1 - linux-2.6.24 (problem was fixed before first upload, 2.6.19) NOTE: See Solar Designer's posting to oss-security CVE-2009-1882 (Integer overflow in the XMakeImage function in magick/xwindow.c in Ima ...) {DSA-1903-1 DSA-1858-1} - imagemagick 7:6.5.1.0-1.1 (medium; bug #530838) - graphicsmagick 1.3.5-5.1 (medium; bug #530946) CVE-2009-1881 (Cross-site scripting (XSS) vulnerability in MT312 IMG-BBS allows remot ...) NOT-FOR-US: MT312 CVE-2009-1880 (Cross-site scripting (XSS) vulnerability in MT312 REP-BBS allows remot ...) NOT-FOR-US: MT312 CVE-2009-XXXX [OCS Inventory NG SQL Injection Vulnerability] - ocsinventory-server 1.02.1-1 (unimportant; bug #531735) NOTE: README.Debian states Important: access to the reports server should be restricted NOTE: can be exploited only if magic_quotes is off CVE-2009-3870 REJECTED CVE-2009-1879 (Cross-site scripting (XSS) vulnerability in index.template.html in the ...) NOT-FOR-US: Adobe Flex CVE-2009-1878 (Session fixation vulnerability in Adobe ColdFusion 8.0.1 and earlier a ...) NOT-FOR-US: Adobe ColdFusion CVE-2009-1877 (Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 8.0.1 and ...) NOT-FOR-US: Adobe ColdFusion CVE-2009-1876 (Adobe ColdFusion 8.0.1 and earlier might allow attackers to obtain sen ...) NOT-FOR-US: Adobe ColdFusion CVE-2009-1875 (Multiple cross-site scripting (XSS) vulnerabilities in Adobe ColdFusio ...) NOT-FOR-US: Adobe ColdFusion CVE-2009-1874 (Multiple cross-site scripting (XSS) vulnerabilities in the Management ...) NOT-FOR-US: Adobe JRun CVE-2009-1873 (Directory traversal vulnerability in logging/logviewer.jsp in the Mana ...) NOT-FOR-US: Adobe JRun CVE-2009-1872 (Multiple cross-site scripting (XSS) vulnerabilities in Adobe ColdFusio ...) NOT-FOR-US: Adobe ColdFusion Server CVE-2009-1871 REJECTED CVE-2009-1870 (Adobe Flash Player before 9.0.246.0 and 10.x before 10.0.32.18, and Ad ...) NOT-FOR-US: Adobe Flash Player CVE-2009-1869 (Integer overflow in the ActionScript Virtual Machine 2 (AVM2) abcFile ...) NOT-FOR-US: Adobe Flash Player CVE-2009-1868 (Heap-based buffer overflow in Adobe Flash Player before 9.0.246.0 and ...) NOT-FOR-US: Adobe Flash Player CVE-2009-1867 (Adobe Flash Player before 9.0.246.0 and 10.x before 10.0.32.18, and Ad ...) NOT-FOR-US: Adobe Flash Player CVE-2009-1866 (Stack-based buffer overflow in Adobe Flash Player before 9.0.246.0 and ...) NOT-FOR-US: Adobe Flash Player CVE-2009-1865 (Adobe Flash Player before 9.0.246.0 and 10.x before 10.0.32.18, and Ad ...) NOT-FOR-US: Adobe Flash Player CVE-2009-1864 (Heap-based buffer overflow in Adobe Flash Player before 9.0.246.0 and ...) NOT-FOR-US: Adobe Flash Player CVE-2009-1863 (Unspecified vulnerability in Adobe Flash Player before 9.0.246.0 and 1 ...) NOT-FOR-US: Adobe Flash Player CVE-2009-1862 (Unspecified vulnerability in Adobe Reader and Acrobat 9.x through 9.1. ...) NOT-FOR-US: Adobe Flash Player CVE-2009-1861 (Multiple heap-based buffer overflows in Adobe Reader 7 and Acrobat 7 b ...) NOT-FOR-US: Adobe Reader CVE-2009-1860 (Unspecified vulnerability in Adobe Shockwave Player before 11.5.0.600 ...) NOT-FOR-US: Adobe Shockwave Player CVE-2009-1859 (Adobe Reader 7 and Acrobat 7 before 7.1.3, Adobe Reader 8 and Acrobat ...) NOT-FOR-US: Adobe Reader CVE-2009-1858 (The JBIG2 filter in Adobe Reader 7 and Acrobat 7 before 7.1.3, Adobe R ...) NOT-FOR-US: Adobe Reader CVE-2009-1857 (Adobe Reader 7 and Acrobat 7 before 7.1.3, Adobe Reader 8 and Acrobat ...) NOT-FOR-US: Adobe Reader CVE-2009-1856 (Integer overflow in Adobe Reader 7 and Acrobat 7 before 7.1.3, Adobe R ...) NOT-FOR-US: Adobe Reader CVE-2009-1855 (Stack-based buffer overflow in Adobe Reader 7 and Acrobat 7 before 7.1 ...) NOT-FOR-US: Adobe Reader CVE-2009-1854 (Million Dollar Text Links 1.0 allows remote attackers to bypass authen ...) NOT-FOR-US: Million Dollar Text Links CVE-2009-1853 (Multiple SQL injection vulnerabilities in index.php in Kensei Board 2. ...) NOT-FOR-US: Kensei Board CVE-2009-1852 (Multiple SQL injection vulnerabilities in Graphiks MyForum 1.3 allow r ...) NOT-FOR-US: Graphiks MyForum CVE-2009-1851 (SQL injection vulnerability in include.php in phpBugTracker 1.0.4 and ...) NOT-FOR-US: phpBugTracker CVE-2009-1850 (SQL injection vulnerability in index.php in phpBugTracker 1.0.3 allows ...) NOT-FOR-US: phpBugTracker CVE-2009-1849 (Cross-site scripting (XSS) vulnerability in the Monitor_Bandwidth func ...) NOT-FOR-US: PRTG Traffic Grapher CVE-2009-1848 (SQL injection vulnerability in the JoomlaMe AgoraGroups (aka AG or com ...) NOT-FOR-US: JoomlaMe CVE-2009-1847 (Directory traversal vulnerability in index.php in Easy PX 41 CMS 9.0 B ...) NOT-FOR-US: Easy PX 41 CMS CVE-2009-1846 (Multiple directory traversal vulnerabilities in SiteX 0.7.4 Build 418 ...) NOT-FOR-US: SiteX CVE-2009-1845 (Cross-site scripting (XSS) vulnerability in ajax/updatecheck.php in Lu ...) NOT-FOR-US: Lussumo Vanilla CVE-2009-1844 (Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x befo ...) {DSA-1808-1} - drupal5 5.17-1.1 (low; bug #529191) - drupal6 6.11-1.1 (low; bug #529190; bug #531386) CVE-2009-1843 (Multiple SQL injection vulnerabilities in Flash Quiz Beta 2 allow remo ...) NOT-FOR-US: Flash Quiz CVE-2009-1842 (SQL injection vulnerability in main/tracking/userLog.php in Francisco ...) NOT-FOR-US: PHP-Nuke CVE-2008-6819 (win32k.sys in Microsoft Windows Server 2003 and Vista allows local use ...) NOT-FOR-US: Microsoft Windows Server 2003 and Vista CVE-2008-6818 (Mole Group Real Estate Script 1.1 and earlier stores passwords in clea ...) NOT-FOR-US: Mole Group Real Estate Script CVE-2008-6817 (Mole Group Lastminute Script 4.0 and earlier stores passwords in clear ...) NOT-FOR-US: Mole Group Lastminute Script CVE-2004-2764 (Sun SDK and Java Runtime Environment (JRE) 1.4.2 through 1.4.2_04, 1.4 ...) NOT-FOR-US: Historic issues in proprietary Java CVE-2004-2763 (The default configuration of Sun ONE/iPlanet Web Server 4.1 SP1 throug ...) NOT-FOR-US: Sun ONE iPlanet Web Server CVE-2003-1573 (The PointBase 4.6 database component in the J2EE 1.4 reference impleme ...) NOT-FOR-US: Historic issues in proprietary Java CVE-2003-1572 (Sun Java Media Framework (JMF) 2.1.1 through 2.1.1c allows unsigned ap ...) NOT-FOR-US: Historic issues in proprietary Java CVE-2009-1957 (charon/sa/ike_sa.c in the charon daemon in strongSWAN before 4.3.1 all ...) {DSA-1899-1} - strongswan 4.2.14-1.1 (medium; bug #531612) [etch] - strongswan (Vulnerable code not present, IKEv2 was introduced in 4.3) CVE-2009-1958 (charon/sa/tasks/child_create.c in the charon daemon in strongSWAN befo ...) {DSA-1899-1} - strongswan 4.2.14-1.1 (medium; bug #531612) [etch] - strongswan (Vulnerable code not present, IKEv2 was introduced in 4.3) CVE-2009-1841 (js/src/xpconnect/src/xpcwrappedjsclass.cpp in Mozilla Firefox before 3 ...) {DSA-1830-1 DSA-1820-1} - xulrunner 1.9.0.11-1 [etch] - xulrunner (Etch Packages no longer covered by security support) - icedove 2.0.0.22-1 (bug #535124) [squeeze] - icedove 2.0.0.22-0lenny1 CVE-2009-1840 (Mozilla Firefox before 3.0.11, Thunderbird, and SeaMonkey do not check ...) {DSA-1820-1} - xulrunner 1.9.0.11-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-1839 (Mozilla Firefox 3 before 3.0.11 associates an incorrect principal with ...) {DSA-1820-1} - xulrunner 1.9.0.11-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-1838 (The garbage-collection implementation in Mozilla Firefox before 3.0.11 ...) {DSA-1830-1 DSA-1820-1} - xulrunner 1.9.0.11-1 [etch] - xulrunner (Etch Packages no longer covered by security support) - icedove 2.0.0.22-1 (bug #535124) [squeeze] - icedove 2.0.0.22-0lenny1 CVE-2009-1837 (Race condition in the NPObjWrapper_NewResolve function in modules/plug ...) {DSA-1820-1} - xulrunner 1.9.0.11-1 [etch] - xulrunner (Doesn't affect Gecko 1.8) CVE-2009-1836 (Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMon ...) {DSA-1830-1 DSA-1820-1} - xulrunner 1.9.0.11-1 [etch] - xulrunner (Etch Packages no longer covered by security support) - icedove 2.0.0.22-1 (bug #535124) [squeeze] - icedove 2.0.0.22-0lenny1 CVE-2009-1835 (Mozilla Firefox before 3.0.11 and SeaMonkey before 1.1.17 associate lo ...) {DSA-1820-1} - xulrunner 1.9.0.11-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-1834 (Visual truncation vulnerability in netwerk/dns/src/nsIDNService.cpp in ...) {DSA-1820-1} - xulrunner 1.9.0.11-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-1833 (The JavaScript engine in Mozilla Firefox before 3.0.11, Thunderbird be ...) {DSA-1820-1} - xulrunner 1.9.0.11-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-1832 (Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMon ...) {DSA-1830-1 DSA-1820-1} - xulrunner 1.9.0.11-1 [etch] - xulrunner (Etch Packages no longer covered by security support) - icedove 2.0.0.22-1 (bug #535124) [squeeze] - icedove 2.0.0.22-0lenny1 CVE-2009-1828 (Mozilla Firefox 3.0.10 allows remote attackers to cause a denial of se ...) - xulrunner (unimportant) NOTE: Browser crashes not treated as security issues CVE-2009-1827 (The SVG component in Mozilla Firefox 3.0.4 allows remote attackers to ...) - xulrunner (unimportant) NOTE: Browser crashes not treated as security issues CVE-2009-1831 (The Nullsoft Modern Skins Support module (gen_ff.dll) in Nullsoft Wina ...) NOT-FOR-US: Nullsoft Winamp CVE-2009-1830 (Stack-based buffer overflow in Soulseek 156 and 157 NS allows remote a ...) NOT-FOR-US: Soulseek CVE-2009-1826 (modules/admuser.php in myGesuad 0.9.14 (aka 0.9) does not require admi ...) NOT-FOR-US: myGesuad CVE-2009-1825 (modules/admuser.php in myColex 1.4.2 does not require administrative a ...) NOT-FOR-US: myColex CVE-2009-1824 (The ps_drv.sys kernel driver in ArcaBit ArcaVir 2009 Antivirus Protect ...) NOT-FOR-US: ArcaBit ArcaVir CVE-2009-1823 (Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e- ...) NOT-FOR-US: 3rd party Printer, e-mail and PDF module for Drupal CVE-2009-1822 (Multiple PHP remote file inclusion vulnerabilities in the InterJoomla ...) NOT-FOR-US: Joomla! CVE-2009-1821 (DMXReady Registration Manager 1.1 stores sensitive information under t ...) NOT-FOR-US: DMXReady Registration Manager CVE-2009-1820 (Cross-site scripting (XSS) vulnerability in product.php in 2daybiz Cus ...) NOT-FOR-US: 2daybiz Custom T-shirt Design Script CVE-2009-1819 (SQL injection vulnerability in product.php in 2daybiz Custom T-shirt D ...) NOT-FOR-US: 2daybiz Custom T-shirt Design Script CVE-2009-1818 (SQL injection vulnerability in admin/admin_manager.asp in MaxCMS 2.0 a ...) NOT-FOR-US: MaxCMS CVE-2009-1817 (Multiple buffer overflows in DigiMode Maya 1.0.2 allow remote attacker ...) NOT-FOR-US: DigiMode Maya CVE-2009-1816 (SQL injection vulnerability in admin.php in My Game Script 2.0 allows ...) NOT-FOR-US: My Game Script CVE-2009-1815 (Stack-based buffer overflow in Sonic Spot Audioactive Player 1.93b all ...) NOT-FOR-US: Sonic Spot Audioactive Player CVE-2009-1814 (SQL injection vulnerability in mail.php in PHPenpals 1.1 and earlier a ...) NOT-FOR-US: PHPenpals CVE-2009-1813 (Multiple SQL injection vulnerabilities in admin/index.php in Submitter ...) NOT-FOR-US: Submitter Script CVE-2009-1812 (Multiple SQL injection vulnerabilities in myGesuad 0.9.14 (aka 0.9) al ...) NOT-FOR-US: myGesuad CVE-2009-1811 (Multiple cross-site scripting (XSS) vulnerabilities in myGesuad 0.9.14 ...) NOT-FOR-US: myGesuad CVE-2009-1810 (Multiple SQL injection vulnerabilities in myColex 1.4.2 allow remote a ...) NOT-FOR-US: myColex CVE-2009-1809 (Multiple cross-site scripting (XSS) vulnerabilities in myColex 1.4.2 a ...) NOT-FOR-US: myColex CVE-2009-1829 (Unspecified vulnerability in the PCNFSD dissector in Wireshark 0.8.20 ...) {DSA-1942-1} - wireshark 1.0.8-1 (low; bug #533347) [lenny] - wireshark 1.0.2-3+lenny6 [etch] - wireshark (Minor issue) CVE-2009-1808 (Microsoft Windows XP SP3 allows local users to cause a denial of servi ...) NOT-FOR-US: Microsoft CVE-2009-1807 (Unspecified vulnerability in Config.dll in Baofeng products 3.09.04.17 ...) NOT-FOR-US: Baofeng CVE-2009-1806 (Unspecified vulnerability in IBM Hardware Management Console (HMC) 7 r ...) NOT-FOR-US: IBM Hardware Management Console CVE-2009-1805 (Unspecified vulnerability in the VMware Descheduled Time Accounting dr ...) NOT-FOR-US: VMware (experimental feature anyway) CVE-2009-1804 (Multiple SQL injection vulnerabilities in admin/index.php in VideoScri ...) NOT-FOR-US: videoscript CVE-2009-1803 (FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x versions, ...) NOT-FOR-US: FreePBX CVE-2009-1802 (Multiple cross-site request forgery (CSRF) vulnerabilities in FreePBX ...) NOT-FOR-US: FreePBX CVE-2009-1801 (Multiple cross-site scripting (XSS) vulnerabilities in FreePBX 2.5.1, ...) NOT-FOR-US: FreePBX CVE-2009-1800 (Stack-based buffer overflow in the Chinagames CGAgent ActiveX control ...) NOT-FOR-US: Chinagames CVE-2009-1799 (Multiple SQL injection vulnerabilities in the getGalleryImage function ...) NOT-FOR-US: ST-Gallery CVE-2008-6816 (Eaton MGEOPS Network Shutdown Module before 3.10 Build 13 allows remot ...) NOT-FOR-US: Eaton CVE-2008-6815 (mykdownload.php in MyKtools 2.4 does not require administrative authen ...) NOT-FOR-US: MyKtools CVE-2008-6814 (Unrestricted file upload vulnerability in image_upload.php in the Simp ...) NOT-FOR-US: SimpleBoard for Mambo CVE-2009-1798 (Multiple cross-site scripting (XSS) vulnerabilities on the Network Man ...) NOT-FOR-US: APC CVE-2009-1797 (Multiple cross-site request forgery (CSRF) vulnerabilities on the Netw ...) NOT-FOR-US: APC CVE-2009-1796 (Cross-site scripting (XSS) vulnerability in Sun Java System Portal Ser ...) NOT-FOR-US: Sun Java System Portal Server CVE-2009-1795 RESERVED CVE-2009-1794 RESERVED CVE-2009-1793 RESERVED CVE-2009-1792 (The system.openURL function in StoneTrip Ston3D StandalonePlayer (aka ...) NOT-FOR-US: StoneTrip Ston3D StandalonePlayer CVE-2009-1790 (Cross-site scripting (XSS) vulnerability in CGI RESCUE Trees before 2. ...) NOT-FOR-US: CGI Rescue Trees CVE-2009-1787 (Multiple SQL injection vulnerabilities in PHP Dir Submit (aka WebsiteS ...) NOT-FOR-US: PHP Dir Submit CVE-2009-1786 (The malloc subsystem in libc in IBM AIX 5.3 and 6.1 allows local users ...) NOT-FOR-US: IBM AIX libc CVE-2009-1785 (Cross-site scripting (XSS) vulnerability in Ulteo Open Virtual Desktop ...) NOT-FOR-US: Ulteo Open Virtual Desktop CVE-2009-1784 (The AVG parsing engine 8.5 323, as used in multiple AVG anti-virus pro ...) NOT-FOR-US: AVG anti-virus CVE-2009-1783 (Multiple FRISK Software F-Prot anti-virus products, including Antiviru ...) NOT-FOR-US: FRISK Software F-Prot anti-virus CVE-2009-1782 (Multiple F-Secure anti-virus products, including Anti-Virus for Micros ...) NOT-FOR-US: F-Secure anti-virus CVE-2009-1781 (Static code injection vulnerability in admin.php in Frax.dk Php Recomm ...) NOT-FOR-US: Frax.dk Php Recommend CVE-2009-1780 (admin.php in Frax.dk Php Recommend 1.3 and earlier does not require au ...) NOT-FOR-US: Frax.dk Php Recommend CVE-2009-1779 (PHP remote file inclusion vulnerability in admin.php in Frax.dk Php Re ...) NOT-FOR-US: Frax.dk Php Recommend CVE-2009-1778 (SQL injection vulnerability in the new user registration feature in Bi ...) NOT-FOR-US: BigACE CMS CVE-2009-1777 (CRLF injection vulnerability in FormMail.pl in Matt Wright FormMail 1. ...) NOT-FOR-US: Matt Wright FormMail CVE-2009-1776 (Multiple cross-site scripting (XSS) vulnerabilities in FormMail.pl in ...) NOT-FOR-US: Matt Wright FormMail CVE-2009-1775 (Multiple cross-site scripting (XSS) vulnerabilities in Ulteo Open Virt ...) NOT-FOR-US: Ulteo Open Virtual Desktop CVE-2009-1774 (Directory traversal vulnerability in plugins/ddb/foot.php in Strawberr ...) NOT-FOR-US: Strawberry CVE-2009-1773 (activeCollab 2.1 Corporate allows remote attackers to obtain sensitive ...) NOT-FOR-US: activeCollab CVE-2009-1772 (Cross-site scripting (XSS) vulnerability in activeCollab 2.1 Corporate ...) NOT-FOR-US: activeCollab CVE-2009-1771 (index.php in Flyspeck CMS 6.8 does not require administrative authenti ...) NOT-FOR-US: Flyspeck CMS CVE-2009-1770 (Directory traversal vulnerability in includes/database/examples/addres ...) NOT-FOR-US: Flyspeck CMS CVE-2009-1769 (The web interface in Open Computer and Software Inventory Next Generat ...) - ocsinventory-server 1.02.1-1 (unimportant; bug #529344) NOTE: README.Debian states Important: access to the reports server should be restricted CVE-2009-1768 (Directory traversal vulnerability in download.php in Rama Zaiten CMS 0 ...) NOT-FOR-US: Rama Zaiten CMS CVE-2009-1767 (admin/edituser.php in 2daybiz Template Monster Clone does not require ...) NOT-FOR-US: 2daybiz Template Monster Clone CVE-2009-1766 (SQL injection vulnerability in index.php in LightOpenCMS 0.1 allows re ...) NOT-FOR-US: LightOpenCMS CVE-2009-1765 (Multiple directory traversal vulnerabilities in pluck 4.6.2, when regi ...) NOT-FOR-US: pluck CMS CVE-2009-1764 (SQL injection vulnerability in inc/ajax.asp in MaxCMS 2.0 allows remot ...) NOT-FOR-US: MaxCMS CVE-2009-1763 (Unspecified vulnerability in the Solaris Secure Digital slot driver (a ...) NOT-FOR-US: Solaris CVE-2009-1762 (Multiple cross-site scripting (XSS) vulnerabilities in the WebAccess l ...) NOT-FOR-US: Novell GroupWise CVE-2009-XXXX [radare-common insecure temp files handling] - radare 1.4-1 (low) CVE-2009-1761 (The message engine in CA ARCserve Backup r12.0 and r12.0 SP1 for Windo ...) NOT-FOR-US: CA ARCserve Backup CVE-2009-1760 (Directory traversal vulnerability in src/torrent_info.cpp in Rasterbar ...) {DSA-1815-1} - libtorrent-rasterbar 0.14.4-1 (medium) CVE-2009-1759 (Stack-based buffer overflow in the btFiles::BuildFromMI function (trun ...) {DSA-1817-1} - ctorrent 1.3.4-dnh3.2-1.1 (medium; bug #530255) CVE-2009-1758 (The hypervisor_callback function in Xen, possibly before 3.4.0, as app ...) {DSA-1809-1} - linux-2.6 2.6.28-1 (low; bug #536148) - linux-2.6.24 CVE-2009-1757 (Cross-site request forgery (CSRF) vulnerability in Transmission 1.5 be ...) - transmission 1.61-1 (low) [lenny] - transmission (Vulnerable code not present, the web interface was introduced in 1.30) [etch] - transmission (Vulnerable code not present, the web interface was introduced in 1.30) CVE-2009-1754 (The PackageManagerService class in services/java/com/android/server/Pa ...) NOT-FOR-US: Android CVE-2009-1752 (exJune Office Message System 1 does not properly restrict access to (1 ...) NOT-FOR-US: exJune Office Message System CVE-2009-1751 (SQL injection vulnerability in list_list.php in Realty Webware Technol ...) NOT-FOR-US: Realty Web-Base CVE-2009-1750 (Unrestricted file upload vulnerability in VidSharePro allows remote au ...) NOT-FOR-US: VidSharePro CVE-2009-1749 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Ca ...) NOT-FOR-US: Catviz CVE-2009-1748 (Multiple directory traversal vulnerabilities in index.php in Catviz 0. ...) NOT-FOR-US: Catviz CVE-2009-1747 (SQL injection vulnerability in index.php in 26th Avenue bSpeak 1.10 al ...) NOT-FOR-US: bSpeak CVE-2009-1746 (SQL injection vulnerability in berita.php in Dian Gemilang DGNews 3.0 ...) NOT-FOR-US: Dian Gemilang DGNews CVE-2009-1745 (Armorlogic Profense Web Application Firewall before 2.2.22, and 2.4.x ...) NOT-FOR-US: Armorlogic Profense Web Application Firewall CVE-2009-1744 (InstallHFZ.exe 6.5.201.0 in Pinnacle Hollywood Effects 6, a module in ...) NOT-FOR-US: Pinnacle CVE-2009-1743 (Directory traversal vulnerability in InstallHFZ.exe 6.5.201.0 in Pinna ...) NOT-FOR-US: Pinnacle CVE-2009-1742 (code.php in PC4Arb Pc4 Uploader 9.0 and earlier makes it easier for re ...) NOT-FOR-US: PC4Arb Pc4 Uploader CVE-2009-1741 (Multiple SQL injection vulnerabilities in login.php in DM FileManager ...) NOT-FOR-US: DM FileManager CVE-2009-1740 (Multiple heap-based buffer overflows in the D-Link MPEG4 Viewer Active ...) NOT-FOR-US: D-Link MPEG4 Viewer CVE-2009-1739 (PAD Site Scripts 3.6 allows remote attackers to bypass authentication ...) NOT-FOR-US: PAD Site Scripts CVE-2009-1738 (Cross-site scripting (XSS) vulnerability in Feed Block 6.x-1.x before ...) NOT-FOR-US: Feed Block CVE-2009-1737 (Directory traversal vulnerability in bom.php in MyPic 2.1 allows remot ...) NOT-FOR-US: MyPic CVE-2009-1736 (SQL injection vulnerability in the GridSupport (GS) Ticket System (com ...) NOT-FOR-US: GridSupport component for Joomla CVE-2009-1735 (Cross-site scripting (XSS) vulnerability in search.php in VidSharePro ...) NOT-FOR-US: VidSharePro CVE-2009-1734 (SQL injection vulnerability in listing_video.php in VidSharePro allows ...) NOT-FOR-US: VidSharePro CVE-2009-1733 (Cross-site request forgery (CSRF) vulnerability in IPplan 4.91a allows ...) - ipplan 4.91a-1.1 (unimportant; bug #530271) NOTE: Only exploitable with admin rights CVE-2009-1732 (Cross-site scripting (XSS) vulnerability in admin/usermanager in IPpla ...) {DSA-1827-1} - ipplan 4.91a-1.1 (low; bug #530271) CVE-2009-1731 (SQL injection vulnerability in panel/index.php in MLFFAT 2.1 allows re ...) NOT-FOR-US: MLFFAT CVE-2009-1730 (Multiple directory traversal vulnerabilities in NetMechanica NetDecisi ...) NOT-FOR-US: NetDecision TFTP Server CVE-2009-1729 (Multiple cross-site scripting (XSS) vulnerabilities in Sun Java System ...) NOT-FOR-US: Sun Java System Communications Express CVE-2009-1728 (Stack-based buffer overflow in Image RAW in Apple Mac OS X 10.5 before ...) NOT-FOR-US: Image RAW in Apple Mac OS X CVE-2009-1727 (Incomplete blacklist vulnerability in CoreTypes in Apple Mac OS X 10.5 ...) NOT-FOR-US: CoreTypes in Apple Mac OS X CVE-2009-1726 (Heap-based buffer overflow in ColorSync in Apple Mac OS X 10.4.11 and ...) NOT-FOR-US: ColorSync in Apple Mac OS X CVE-2009-1725 (WebKit in Apple Safari before 4.0.2, as used on iPhone OS before 3.1, ...) {DSA-1988-1 DSA-1950-1} - webkit 1.1.13-1 (medium; bug #538346) - qt4-x11 4:4.5.2-2 (medium; bug #538347) [etch] - qt4-x11 (QTWebkit was introduced in 4.4) - kdelibs (medium; bug #538350) - kde4libs (medium; bug #538349) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=513813#c18 NOTE: patch http://trac.webkit.org/changeset/44799/ NOTE: PoC http://web.archive.org/web/20110813092643/https://cevans-app.appspot.com/static/webkitentityoffbyone.html CVE-2009-1724 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari bef ...) - qt4-x11 (bug #538403) [etch] - qt4-x11 (webkit support introduced in version 4.4) - webkit 1.1.13-1 (low; bug #538402) [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - kdelibs (unimportant) - kde4libs (unimportant) NOTE: http://www.thespanner.co.uk/2009/06/19/minor-safari-cross-domain-bug/ CVE-2009-1723 (CFNetwork in Apple Mac OS X 10.5 before 10.5.8 places an incorrect URL ...) NOT-FOR-US: CFNetwork in Apple Mac OS X CVE-2009-1722 (Heap-based buffer overflow in the compression implementation in OpenEX ...) {DSA-1842-1} - openexr 1.6.1-1 (medium; bug #540424) CVE-2009-1721 (The decompression implementation in the Imf::hufUncompress function in ...) {DSA-1842-1} - openexr 1.6.1-4.1 (medium; bug #540424) CVE-2009-1720 (Multiple integer overflows in OpenEXR 1.2.2 and 1.6.1 allow context-de ...) {DSA-1842-1} - openexr 1.6.1-4.1 (medium; bug #540424) CVE-2009-1719 (The Aqua Look and Feel for Java implementation in Java 1.5 on Mac OS X ...) NOT-FOR-US: Aqua Look and Feel for Java implementation in Java 1.5 on Mac OS X CVE-2009-1718 (WebKit in Apple Safari before 4.0 allows user-assisted remote attacker ...) - webkit 1.1.12-1 (medium; bug #535793) [lenny] - webkit (Minor issue) - kdelibs (unimportant) - kde4libs (unimportant) - qt4-x11 4:4.6.2-4 (low; bug #561760) [lenny] - qt4-x11 (qtwebkit not supported security-wise) NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against NOTE: http://trac.webkit.org/changeset/44010 CVE-2009-1717 (Integer overflow in Terminal in Apple Mac OS X 10.5 before 10.5.7 allo ...) NOT-FOR-US: Mac OS X CVE-2009-1716 (CFNetwork in Apple Safari before 4.0 on Windows does not properly prot ...) NOT-FOR-US: CFNetwork in Apple CVE-2009-1715 (Cross-site scripting (XSS) vulnerability in Web Inspector in WebKit in ...) - webkit 1.0.1-4 (medium; bug #535793) - kdelibs - kde4libs - qt4-x11 4:4.6.2-4 (bug #561760) [lenny] - qt4-x11 (qtwebkit not supported security-wise) NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against NOTE: http://trac.webkit.org/changeset/31890 CVE-2009-1714 (Cross-site scripting (XSS) vulnerability in Web Inspector in WebKit in ...) {DSA-1950-1} - webkit 1.1.12-1 (low; bug #535793) - kdelibs - kde4libs - qt4-x11 4:4.6.3-1 (low) [lenny] - qt4-x11 (Minor impact, no apps in Lenny which use qtwebkit ) NOTE: http://trac.webkit.org/changeset/36359 CVE-2009-1713 (The XSLT functionality in WebKit in Apple Safari before 4.0 does not p ...) {DSA-1988-1} - webkit 1.0.1-4 (medium; bug #535793) - kdelibs - kde4libs - qt4-x11 4:4.5.2-2 [etch] - qt4-x11 (QTWebkit was introduced in 4.4) NOTE: http://trac.webkit.org/changeset/34533 CVE-2009-1712 (WebKit in Apple Safari before 4.0 does not prevent remote loading of l ...) {DSA-1988-1 DSA-1950-1} - webkit 1.1.12-1 (medium; bug #535793) - kdelibs - kde4libs - qt4-x11 4:4.5.2-2 [etch] - qt4-x11 (QTWebkit was introduced in 4.4) NOTE: http://trac.webkit.org/changeset/41568 CVE-2009-1711 (WebKit in Apple Safari before 4.0 does not properly initialize memory ...) {DSA-1988-1 DSA-1950-1} - webkit 1.1.12-1 (medium; bug #535793) NOTE: http://trac.webkit.org/changeset/36918 - kdelibs - kde4libs - qt4-x11 4:4.5.2-1 [etch] - qt4-x11 (QTWebkit was introduced in 4.4) CVE-2009-1710 (WebKit in Apple Safari before 4.0 allows remote attackers to spoof the ...) {DSA-1950-1} - webkit 1.1.12-1 (low; bug #535793) - kdelibs - kde4libs - qt4-x11 4:4.6.2-4 (low; bug #561760) [lenny] - qt4-x11 (qtwebkit not supported security-wise) NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against NOTE: http://trac.webkit.org/changeset/35157 CVE-2009-1709 (Use-after-free vulnerability in the garbage-collection implementation ...) {DSA-1866-1} - webkit 0~svn32442-1 NOTE: fixed in upstream commit http://trac.webkit.org/changeset/32230 - kdelibs (vulnerable code in kdegraphics) - kde4libs (Vulnerable code not present) - kdegraphics 4:4.0 (medium; bug #534951) NOTE: kdegraphics >4.0 not affected since ksvg is only in 3.5.x series) CVE-2009-1708 (Apple Safari before 4.0 does not prevent calls to the open-help-anchor ...) NOT-FOR-US: Apple Safari CVE-2009-1707 (Race condition in the Reset Safari implementation in Apple Safari befo ...) NOT-FOR-US: Apple Safari CVE-2009-1706 (The Private Browsing feature in Apple Safari before 4.0 on Windows doe ...) NOT-FOR-US: Apple Safari CVE-2009-1705 (CoreGraphics in Apple Safari before 4.0 on Windows does not properly u ...) NOT-FOR-US: Apple Safari CVE-2009-1704 (CFNetwork in Apple Safari before 4.0 misinterprets downloaded image fi ...) NOT-FOR-US: Apple Safari CVE-2009-1703 (WebKit in Apple Safari before 4.0 does not prevent references to file: ...) - webkit 1.1.12-1 (low; bug #535793) [lenny] - webkit (Minor issue) - kdelibs - kde4libs - qt4-x11 4:4.6.2-4 (medium; bug #561760) NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against [lenny] - qt4-x11 (HTML video support introduced in version 4.5) NOTE: http://trac.webkit.org/changeset/42533 CVE-2009-1702 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari bef ...) - webkit 1.1.12-1 (low; bug #535793) [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - kdelibs - kde4libs - qt4-x11 4:4.6.2-4 (low) [lenny] - qt4-x11 (qtwebkit not supported security-wise) NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against NOTE: http://trac.webkit.org/changeset/42216 CVE-2009-1701 (Use-after-free vulnerability in the JavaScript DOM implementation in W ...) - webkit 1.1.12-1 (medium; bug #535793) [lenny] - webkit (Unmaintained, only affects fringe apps) - kdelibs - qt4-x11 4:4.6.2-4 [lenny] - qt4-x11 (qtwebkit not supported security-wise) NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against NOTE: invasive patch to backport. NOTE: http://trac.webkit.org/changeset/40881 CVE-2009-1700 (The XSLT implementation in WebKit in Apple Safari before 4.0, iPhone O ...) - webkit 1.1.12-1 (low; bug #535793) [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) - kdelibs - kde4libs - qt4-x11 4:4.6.2-4 (low) [lenny] - qt4-x11 (qtwebkit not supported security-wise) NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against NOTE: http://trac.webkit.org/changeset/38065 CVE-2009-1699 (The XSL stylesheet implementation in WebKit in Apple Safari before 4.0 ...) {DSA-1988-1} - webkit 1.0.1-4 (medium; bug #535793) - kdelibs - kde4libs - qt4-x11 4:4.5.2-2 [etch] - qt4-x11 (QTWebkit was introduced in 4.4) CVE-2009-1698 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iP ...) {DSA-1988-1 DSA-1950-1 DSA-1868-1 DSA-1867-1} - webkit 1.1.5-1 (medium; bug #534946) NOTE: http://trac.webkit.org/changeset/42081 - qt4-x11 4:4.5.2-1 [etch] - qt4-x11 (QTWebkit was introduced in 4.4) - kdelibs 4:3.5.10.dfsg.1-2.1 (medium; bug #534949) - kde4libs 4:4.3.0-1 (medium) CVE-2009-1697 (CRLF injection vulnerability in WebKit in Apple Safari before 4.0, iPh ...) {DSA-1950-1} - webkit 1.1.15.2-1 (medium; bug #535793) - kdelibs - kde4libs - qt4-x11 4:4.6.2-4 [lenny] - qt4-x11 (qtwebkit not supported security-wise) NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against NOTE: http://trac.webkit.org/changeset/41262 CVE-2009-1696 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iP ...) - webkit 1.1.12-1 (medium; bug #535793) [lenny] - webkit (Vulnerable code not present) - kdelibs - kde4libs - qt4-x11 4:4.6.2-4 [lenny] - qt4-x11 (Vulnerable code not present) NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against NOTE: http://trac.webkit.org/changeset/39510 NOTE: http://trac.webkit.org/changeset/39553 CVE-2009-1695 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari bef ...) {DSA-1950-1} - webkit 1.1.12-1 (low; bug #535793) - kdelibs - kde4libs - qt4-x11 4:4.6.2-4 (low) [lenny] - qt4-x11 (Vulnerable code not present) NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against NOTE: http://trac.webkit.org/changeset/42223 CVE-2009-1694 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iP ...) {DSA-1950-1} - webkit 1.1.12-1 (low; bug #535793) - kdelibs - kde4libs - qt4-x11 4:4.6.2-4 (low) [lenny] - qt4-x11 (qtwebkit not supported security-wise) NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against NOTE: http://trac.webkit.org/changeset/35935 CVE-2009-1693 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iP ...) {DSA-1950-1} - webkit 1.1.12-1 (medium; bug #535793) - kdelibs - kde4libs - qt4-x11 4:4.6.2-4 NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against [lenny] - qt4-x11 (Minor impact, no apps in Lenny which use qtwebkit ) NOTE: http://trac.webkit.org/changeset/35928 CVE-2009-1692 (WebKit before r41741, as used in Apple iPhone OS 1.0 through 2.2.1, iP ...) {DSA-1950-1} - webkit 1.1.12-1 (low; bug #535793) - kdelibs (unimportant) - kde4libs (unimportant) - qt4-x11 4:4.6.2-4 (unimportant) NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against NOTE: upstream (undisclosed) bug report is https://bugs.webkit.org/show_bug.cgi?id=23319 NOTE: http://trac.webkit.org/changeset/41741 CVE-2009-1691 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari bef ...) - webkit 1.1.12-1 (medium; bug #535793) [lenny] - webkit (Vulnerable code not present) NOTE: http://trac.webkit.org/changeset/32791 - kdelibs - kde4libs - qt4-x11 4.4.3-1 NOTE: QT4 might be fixed earlier, but only Lenny version was checked CVE-2009-1690 (Use-after-free vulnerability in WebKit, as used in Apple Safari before ...) {DSA-1988-1 DSA-1950-1 DSA-1868-1 DSA-1867-1} - webkit 1.1.5-1 (medium; bug #534946) NOTE: http://trac.webkit.org/changeset/42532 - kdelibs 4:3.5.10.dfsg.1-2.1 (medium; bug #534952) - kde4libs 4:4.3.0-1 (medium; bug #534949) NOTE: http://websvn.kde.org/?view=rev&revision=983316 - qt4-x11 4:4.5.2-1 (medium; bug #534947) [etch] - qt4-x11 (QTWebkit was introduced in 4.4) CVE-2009-1689 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari bef ...) - webkit 1.1.12-1 (low; bug #535793) [lenny] - webkit (Vulnerable code not present) - kdelibs - kde4libs - qt4-x11 4.4.3-1 NOTE: QT4 might be fixed earlier, but only Lenny version was checked NOTE: http://trac.webkit.org/changeset/32791 CVE-2009-1688 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari bef ...) - webkit 1.1.12-1 (low; bug #535793) [lenny] - webkit (Vulnerable code not present) - kdelibs - kde4libs - qt4-x11 4.4.3-1 NOTE: QT4 might be fixed earlier, but only Lenny version was checked NOTE: http://trac.webkit.org/changeset/32791 CVE-2009-1687 (The JavaScript garbage collector in WebKit in Apple Safari before 4.0, ...) {DSA-1988-1 DSA-1950-1 DSA-1868-1 DSA-1867-1} - webkit 1.1.5-1 (medium; bug #534946) - kdelibs 4:3.5.10.dfsg.1-2.1 (bug #534952) - kde4libs 4:4.3.0-1 NOTE: http://trac.webkit.org/changeset/41854 - qt4-x11 4:4.5.2-1 (medium; bug #534946) [etch] - qt4-x11 (QTWebkit was introduced in 4.4) CVE-2009-1686 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iP ...) - webkit 1.1.12-1 (medium; bug #535793) [lenny] - webkit (Vulnerable code not present) - kdelibs - kde4libs - qt4-x11 4:4.6.2-4 [lenny] - qt4-x11 (qtwebkit not supported security-wise) NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against NOTE: http://trac.webkit.org/changeset/31431 CVE-2009-1685 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari bef ...) - webkit 1.0.1-4 (bug #535793) - kdelibs - qt4-x11 4:4.6.2-4 (low) [lenny] - qt4-x11 (qtwebkit not supported security-wise) NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against NOTE: http://trac.webkit.org/changeset/34574 CVE-2009-1684 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari bef ...) {DSA-1950-1} - webkit 1.1.12-1 (low; bug #535793) - kdelibs - kde4libs - qt4-x11 4:4.6.2-4 (low) [lenny] - qt4-x11 (qtwebkit not supported security-wise) NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against NOTE: http://trac.webkit.org/changeset/42365 CVE-2009-1683 (The Telephony component in Apple iPhone OS 1.0 through 2.2.1 and iPhon ...) NOT-FOR-US: iPhone CVE-2009-1682 (Apple Safari before 4.0 does not properly check for revoked Extended V ...) NOT-FOR-US: Apple Safari CVE-2009-1681 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iP ...) {DSA-1950-1} - webkit 1.1.12-1 (low; bug #535793) - kdelibs - kde4libs - qt4-x11 4:4.6.2-4 (low) [lenny] - qt4-x11 (qtwebkit not supported security-wise) NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against, Lenny is affected NOTE: http://trac.webkit.org/changeset/42333 CVE-2009-1680 (Safari in Apple iPhone OS 1.0 through 2.2.1 and iPhone OS for iPod tou ...) NOT-FOR-US: Safari in Apple iPhone OS CVE-2009-1679 (The Profiles component in Apple iPhone OS 1.0 through 2.2.1 and iPhone ...) NOT-FOR-US: iPhone CVE-2008-6813 (SQL injection vulnerability in index.php in phpWebNews 0.2 MySQL Editi ...) NOT-FOR-US: phpWebNews CVE-2008-6812 (SQL injection vulnerability in bukutamu.php in phpWebNews 0.2 MySQL Ed ...) NOT-FOR-US: phpWebNews CVE-2009-1756 (SLiM Simple Login Manager 1.3.0 places the X authority magic cookie (m ...) - slim 1.3.1-2 (low; bug #529306) [lenny] - slim 1.3.0-1+lenny2 CVE-2009-1755 (Off-by-one error in the packet_read_query_section function in packet.c ...) {DSA-1803-1} - nsd3 3.2.2-1 (medium; bug #529418) - nsd 2.3.7-3 (medium; bug #529420) NOTE: VU#710316 CVE-2009-1753 (Coccinelle 0.1.7 allows local users to overwrite arbitrary files via a ...) - coccinelle 0.1.7.deb-3 (low) CVE-2009-1678 (Directory traversal vulnerability in the saveFeed function in rss/feed ...) NOT-FOR-US: Bitweaver CVE-2009-1677 (Multiple static code injection vulnerabilities in the saveFeed functio ...) NOT-FOR-US: Bitweaver CVE-2009-1676 REJECTED CVE-2009-1675 (Stack-based buffer overflow in ElectraSoft 32bit FTP 09.04.24 allows r ...) NOT-FOR-US: ElectraSoft 32bit FTP CVE-2009-1674 (Stack-based buffer overflow in Microchip MPLAB IDE 8.30 allows user-as ...) NOT-FOR-US: Microchip MPLAB IDE CVE-2009-1673 (The kernel in Sun Solaris 9 allows local users to cause a denial of se ...) NOT-FOR-US: SunOS CVE-2009-1672 (The Deployment Toolkit ActiveX control in deploytk.dll 6.0.130.3 in Su ...) NOT-FOR-US: ActiveX CVE-2009-1671 (Multiple buffer overflows in the Deployment Toolkit ActiveX control in ...) NOT-FOR-US: ActiveX CVE-2009-1670 (user/index.php in TCPDB 3.8 does not require administrative authentica ...) NOT-FOR-US: TCPDB CVE-2009-1669 (The smarty_function_math function in libs/plugins/function.math.php in ...) {DSA-1919-1} - smarty 2.6.26-0.1 (low; bug #529810) [etch] - smarty (Vulnerable code not present) [lenny] - smarty (Minor issue) CVE-2009-1668 (TYPSoft FTP Server 1.11 allows remote attackers to cause a denial of s ...) NOT-FOR-US: TYPSoft CVE-2009-1667 (Stack-based buffer overflow in Mini-stream CastRipper 2.50.70 allows r ...) NOT-FOR-US: CastRipper CVE-2009-1666 (Multiple unspecified vulnerabilities in CycloMedia CycloScopeLite 2.50 ...) NOT-FOR-US: CycloMedia CycloScopeLite CVE-2009-1665 (myaccount.php in Easy Scripts Answer and Question Script allows remote ...) NOT-FOR-US: Easy Scripts Answer and Question Script CVE-2009-1664 (myaccount.php in Easy Scripts Answer and Question Script does not veri ...) NOT-FOR-US: Easy Scripts Answer and Question Script CVE-2009-1663 (Unrestricted file upload vulnerability in myaccount.php in Easy Script ...) NOT-FOR-US: Easy Scripts Answer and Question Script CVE-2009-1662 (Multiple SQL injection vulnerabilities in admin/login.php in Wright Wa ...) NOT-FOR-US: Wright Way Services Recipe Script CVE-2009-1661 (SQL injection vulnerability in admin/utopic.php in uTopic 1.0, when ma ...) NOT-FOR-US: uTopic CVE-2009-1660 (Stack-based buffer overflow in URUWorks ViPlay3 3.0 and earlier allows ...) NOT-FOR-US: ViPlay3 CVE-2009-1659 (Unrestricted file upload vulnerability in admin/uploadimage.php in eLi ...) NOT-FOR-US: eLitius CVE-2009-1658 (Multiple SQL injection vulnerabilities in admin/admin.php in Realty We ...) NOT-FOR-US: Web-Base CVE-2009-1657 (Multiple SQL injection vulnerabilities in the Starrating plugin before ...) NOT-FOR-US: Starrating plugin for b2evolution CVE-2009-1656 (Xerox WorkCentre and WorkCentre Pro 232, 238, 245, 255, 265, 275; and ...) NOT-FOR-US: Xerox CVE-2009-1655 (Multiple SQL injection vulnerabilities in myaccount.php in Easy Script ...) NOT-FOR-US: Easy Scripts Answer and Question Script CVE-2009-1654 (Cross-site scripting (XSS) vulnerability in questiondetail.php in Easy ...) NOT-FOR-US: Easy Scripts Answer and Question Script CVE-2009-1653 (Directory traversal vulnerability in examples/tbs_us_examples_0view.ph ...) NOT-FOR-US: TinyButStrong CVE-2009-1652 (admin/adminaddeditdetails.php in Business Community Script does not pr ...) NOT-FOR-US: Business Community Script CVE-2009-1651 (SQL injection vulnerability in admin/member_details.php in 2daybiz Bus ...) NOT-FOR-US: 2daybiz CVE-2009-1650 (Multiple SQL injection vulnerabilities in photos.php in Shutter 0.1.1 ...) NOT-FOR-US: Shutter CVE-2009-1649 (Directory traversal vulnerability in arch.php in beLive 0.2.3 allows r ...) NOT-FOR-US: beLive CVE-2009-1648 (The YaST2 LDAP module in yast2-ldap-server on SUSE Linux Enterprise Se ...) NOT-FOR-US: yast2-ldap-server on SUSE CVE-2009-1647 (Heap-based buffer overflow in popcorn.exe in Ultrafunk Popcorn 1.87 al ...) NOT-FOR-US: Ultrafunk Popcorn CVE-2009-1646 (Stack-based buffer overflow in Mini-stream RM Downloader 3.0.0.9 allow ...) NOT-FOR-US: Mini-stream RM Downloader CVE-2009-1645 (Multiple stack-based buffer overflows in Mini-stream Easy RM-MP3 Conve ...) NOT-FOR-US: Mini-stream Easy RM-MP Converter CVE-2009-1644 (Stack-based buffer overflow in Sorinara Streaming Audio Player 0.9 all ...) NOT-FOR-US: Streaming Audio Player CVE-2009-1643 (Stack-based buffer overflow in Sorinara Soritong MP3 Player 1.0 allows ...) NOT-FOR-US: Sorinara Soritong MP3 Player CVE-2009-1642 (Multiple stack-based buffer overflows in Mini-stream ASX to MP3 Conver ...) NOT-FOR-US: Mini-stream ASX to MP3 Converter CVE-2009-1641 (Multiple stack-based buffer overflows in Mini-stream Ripper 3.0.1.1 al ...) NOT-FOR-US: Mini-stream Ripper CVE-2009-1640 (Stack-based buffer overflow in Nucleus Data Recovery Kernel Recovery f ...) NOT-FOR-US: Nucleus Data Recovery Kernel Recovery CVE-2009-1639 (Stack-based buffer overflow in Nucleus Data Recovery Kernel Recovery f ...) NOT-FOR-US: Nucleus Data Recovery Kernel Recovery CVE-2009-1638 (Techno Dreams Job Career Package 3.0 allows remote attackers to bypass ...) NOT-FOR-US: Techno Dreams Job Career Package CVE-2009-1637 (profile.php in Simple Customer 1.3 does not require administrative aut ...) NOT-FOR-US: Simple Customer CVE-2008-6811 (Unrestricted file upload vulnerability in image_processing.php in the ...) NOT-FOR-US: e-Commerce Plugin for Wordpress CVE-2008-6810 (Multiple SQL injection vulnerabilities in admin/checklogin.php in Vena ...) NOT-FOR-US: Venalsur Booking center Booking System CVE-2008-6809 (SQL injection vulnerability in hotel_habitaciones.php in Venalsur Book ...) NOT-FOR-US: Venalsur Booking center Booking System CVE-2009-1788 (Heap-based buffer overflow in voc_read_header in libsndfile 1.0.15 thr ...) {DSA-1814-1 DTSA-202-1} - libsndfile 1.0.20-1 (low; bug #528650) CVE-2009-1791 (Heap-based buffer overflow in aiff_read_header in libsndfile 1.0.15 th ...) {DSA-1814-1 DTSA-202-1} - libsndfile 1.0.20-1 (low; bug #528650) CVE-2009-1636 (Multiple buffer overflows in the Internet Agent (aka GWIA) component i ...) NOT-FOR-US: Novell GroupWise CVE-2009-1635 (Multiple cross-site scripting (XSS) vulnerabilities in the WebAccess c ...) NOT-FOR-US: Novell GroupWise CVE-2009-1634 (The WebAccess component in Novell GroupWise 7.x before 7.03 HP3 and 8. ...) NOT-FOR-US: Novell GroupWise CVE-2009-1633 (Multiple buffer overflows in the cifs subsystem in the Linux kernel be ...) {DSA-1865-1 DSA-1844-1 DSA-1809-1} - linux-2.6 2.6.30-1 - linux-2.6.24 CVE-2009-1632 (Multiple memory leaks in Ipsec-tools before 0.7.2 allow remote attacke ...) {DSA-1804-1} - ipsec-tools 1:0.7.1-1.5 (medium; bug #528933) CVE-2009-1631 (The Mailer component in Evolution 2.26.1 and earlier uses world-readab ...) - evolution 2.29.90-1 (unimportant; bug #526409) NOTE: Mostly a security enhancement, only for local users/mail and open homedirs CVE-2009-1630 (The nfs_permission function in fs/nfs/dir.c in the NFS client implemen ...) {DSA-1865-1 DSA-1844-1 DSA-1809-1} - linux-2.6 2.6.30-1 - linux-2.6.24 CVE-2009-1629 (ajaxterm.js in AjaxTerm 0.10 and earlier generates session IDs with pr ...) {DSA-1994-1} - ajaxterm 0.10-5 (medium; bug #528938) CVE-2009-1789 (mod/server.mod/servmsg.c in Eggheads Eggdrop and Windrop 1.6.19 and ea ...) {DSA-1826-1} - eggdrop 1.6.19-1.2 (medium; bug #528778) CVE-2009-XXXX [cron: Incomplete fix for CVE-2006-2607 (setgid() and initgroups() not checked] - cron 3.0pl1-106 (low; bug #528434) [lenny] - cron (Minor issue) [etch] - cron (Minor issue) CVE-2009-1628 (Stack-based buffer overflow in mnet.exe in Unisys Business Information ...) NOT-FOR-US: Unisys Business Information Server CVE-2009-1627 (Stack-based buffer overflow in Streaming Download Project (SDP) Downlo ...) NOT-FOR-US: Streaming Download Project (SDP) CVE-2009-1626 (SQL injection vulnerability in public/specific.php in EZ-Blog before B ...) NOT-FOR-US: EZ-Blog CVE-2009-1625 (Directory traversal vulnerability in index.php in Thickbox Gallery 2 a ...) NOT-FOR-US: Thickbox Gallery 2 CVE-2009-1624 (Directory traversal vulnerability in index.php in Dew-NewPHPLinks 2.0 ...) NOT-FOR-US: Dew-NewPHPLinks 2.0 CVE-2009-1623 (Cross-site scripting (XSS) vulnerability in index.php in Dew-NewPHPLin ...) NOT-FOR-US: Dew-NewPHPLinks 2.0 CVE-2009-1622 (SQL injection vulnerability in user.php in EcShop 2.5.0 allows remote ...) NOT-FOR-US: EcShop 2.5.0 CVE-2009-1621 (Directory traversal vulnerability in index.php in OpenCart 1.1.8 allow ...) NOT-FOR-US: OpenCart CVE-2009-1620 (Multiple cross-site scripting (XSS) vulnerabilities in input.php in Ma ...) NOT-FOR-US: MataChat CVE-2009-1619 (Teraway FileStream 1.0 allows remote attackers to bypass authenticatio ...) NOT-FOR-US: Teraway FileStream CVE-2009-1618 (Teraway LiveHelp 2.0 allows remote attackers to bypass authentication ...) NOT-FOR-US: Teraway LiveHelp CVE-2009-1617 (Teraway LinkTracker 1.0 allows remote attackers to bypass authenticati ...) NOT-FOR-US: Teraway LinkTracker CVE-2008-6808 (SQL injection vulnerability in links.php in Scripts for Sites (SFS) EZ ...) NOT-FOR-US: SFS Link Directory CVE-2008-6807 (PHP remote file inclusion vulnerability in ListRecords.php in osprey 1 ...) NOT-FOR-US: osprey CVE-2008-6806 (Unrestricted file upload vulnerability in includes/imageupload.php in ...) NOT-FOR-US: 7Shop CVE-2009-1616 (Cross-site scripting (XSS) vulnerability in docs/showdoc.php in Copper ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2009-1615 (Unrestricted file upload vulnerability in Leap CMS 0.1.4 allows remote ...) NOT-FOR-US: Leap CMS CVE-2009-1614 (Multiple cross-site scripting (XSS) vulnerabilities in Leap CMS 0.1.4 ...) NOT-FOR-US: Leap CMS CVE-2009-1613 (Multiple SQL injection vulnerabilities in leap.php in Leap CMS 0.1.4, ...) NOT-FOR-US: Leap CMS CVE-2009-1612 (Stack-based buffer overflow in the MPS.StormPlayer.1 ActiveX control i ...) NOT-FOR-US: ActiveX CVE-2009-1611 (Stack-based buffer overflow in ElectraSoft 32bit FTP 09.04.24 allows r ...) NOT-FOR-US: ElectraSoft 32bit FTP CVE-2009-1610 (admin/changepassword.php in Job Script Job Board Software 2.0 allows r ...) NOT-FOR-US: Job Script Job Board Software CVE-2009-1609 (Unrestricted file upload vulnerability in admin/uploadform.asp in Batt ...) NOT-FOR-US: Battle Blog CVE-2009-1608 (Multiple buffer overflows in Microchip MPLAB IDE 8.30 and possibly ear ...) NOT-FOR-US: Microchip MPLAB IDE CVE-2009-1607 (Cross-site scripting (XSS) vulnerability in the administrator panel in ...) NOT-FOR-US: LinkBase CVE-2009-1606 (Multiple stack-based and heap-based buffer overflows in Dafolo DafoloC ...) NOT-FOR-US: Dafolo DafoloControl ActiveX CVE-2009-1605 (Heap-based buffer overflow in the loadexponentialfunc function in mupd ...) NOT-FOR-US: MuPDF CVE-2009-1604 (Unspecified vulnerability in LimeSurvey before 1.82 allows remote atta ...) - limesurvey (bug #472802) CVE-2009-1603 (src/tools/pkcs11-tool.c in pkcs11-tool in OpenSC 0.11.7, when used wit ...) - opensc 0.11.8 (high; bug #527640) [etch] - opensc (vulnerable code introduced in 0.11.7) [lenny] - opensc (vulnerable code introduced in 0.11.7) NOTE: checked code, public exponent set correctly in etch/lenny versions (CK_BYTE publicExponent[] = { 3 };) CVE-2009-1602 (Pablo Software Solutions Quick 'n Easy Mail Server 3.3 allows remote a ...) NOT-FOR-US: Pablo Software CVE-2009-1601 (The Ubuntu clamav-milter.init script in clamav-milter before 0.95.1+df ...) - clamav (Vulnerable code not present) NOTE: from what I see this code was never uploaded to the debian archive CVE-2009-1600 (Apple Safari executes DOM calls in response to a javascript: URI in th ...) NOT-FOR-US: Apple Safari CVE-2009-1599 (Opera executes DOM calls in response to a javascript: URI in the targe ...) NOT-FOR-US: Opera CVE-2009-1598 (Google Chrome executes DOM calls in response to a javascript: URI in t ...) - chromium-browser (unimportant) - webkit (chrome-specific issue) NOTE: it sounds like a "researcher misconception bug" (as seeming explained by Abobe) rather than a security issue CVE-2009-1597 (Mozilla Firefox executes DOM calls in response to a javascript: URI in ...) - xulrunner (bug #565521) [wheezy] - xulrunner (no detailed information available) CVE-2009-1596 (Ignite Realtime Openfire before 3.6.5 does not properly implement the ...) NOT-FOR-US: Openfire CVE-2009-1595 (The jabber:iq:auth implementation in IQAuthHandler.java in Ignite Real ...) NOT-FOR-US: Openfire CVE-2008-6805 (Multiple SQL injection vulnerabilities in Mic_Blog 0.0.3, when magic_q ...) NOT-FOR-US: Mic_Blog CVE-2008-6804 (** DISPUTED ** Tribiq CMS 5.0.9a beta allows remote attackers to bypas ...) NOT-FOR-US: Tribiq CMS Community CVE-2008-6803 (SQL injection vulnerability in diziler.asp in Yigit Aybuga Dizi Portal ...) NOT-FOR-US: Yigit Aybuga Dizi Portali CVE-2009-XXXX [More file buffer overflows] - file 5.03-1 (bug #525820) [etch] - file (CDF code not yet present in 4.x) [lenny] - file (CDF code not yet present in 4.x) CVE-2009-1594 (Armorlogic Profense Web Application Firewall before 2.2.22, and 2.4.x ...) NOT-FOR-US: Armorlogic Profense Web Application Firewall CVE-2009-1593 (Armorlogic Profense Web Application Firewall before 2.2.22, and 2.4.x ...) NOT-FOR-US: Armorlogic Profense Web Application Firewall CVE-2009-1592 (Stack-based buffer overflow in ElectraSoft 32bit FTP 09.04.24 allows r ...) NOT-FOR-US: ElectraSoft 32bit FTP CVE-2009-1591 (CRLF injection vulnerability in CGI RESCUE Web Mailer before 1.04 allo ...) NOT-FOR-US: CGI RESCUE Web Mailer CVE-2009-1590 (Unspecified vulnerability in CGI RESCUE FORM2MAIL before 1.42 allows r ...) NOT-FOR-US: CGI RESCUE FORM2MAIL CVE-2009-1589 (Unspecified vulnerability in CGI RESCUE MiniBBS22 before 1.01 allows r ...) NOT-FOR-US: CGI RESCUE MiniBBS CVE-2009-1588 (Cross-site scripting (XSS) vulnerability in CGI RESCUE MiniBBS 8t befo ...) NOT-FOR-US: CGI RESCUE MiniBBS CVE-2009-XXXX [hex-a-hop: buffer overflow in loading save games] - hex-a-hop (unimportant; bug #528250) NOTE: That's a simple bug, it's silly to treat this as a security issue CVE-2009-1587 (index.php in PHP Site Lock 2.0 allows remote attackers to bypass authe ...) NOT-FOR-US: PHP Site Lock CVE-2009-1586 (Stack-based buffer overflow in the NZB importer feature in GrabIt 1.7. ...) NOT-FOR-US: GrabIt CVE-2009-1585 (Multiple SQL injection vulnerabilities in TemaTres 1.031, when magic_q ...) NOT-FOR-US: TemaTres CVE-2009-1584 (Multiple SQL injection vulnerabilities in TemaTres 1.0.3 and 1.031, wh ...) NOT-FOR-US: TemaTres CVE-2009-1583 (Multiple cross-site scripting (XSS) vulnerabilities in TemaTres 1.0.3 ...) NOT-FOR-US: TemaTres CVE-2009-1582 (Million Dollar Text Links 1.0 does not properly restrict administrator ...) NOT-FOR-US: Million Dollar Text Links CVE-2008-6802 (Multiple SQL injection vulnerabilities in index.php in phPhotoGallery ...) NOT-FOR-US: phPhotoGallery CVE-2008-6801 (Cross-site request forgery (CSRF) vulnerability in Vivvo CMS before 4. ...) NOT-FOR-US: Vivvo CMS CVE-2008-6800 REJECTED CVE-2008-6799 (connection.php in FlashChat 5.0.8 allows remote attackers to bypass th ...) NOT-FOR-US: FlashChat CVE-2008-6798 (Multiple SQL injection vulnerabilities in login.php in Pre Projects Pr ...) NOT-FOR-US: Pre Real Estate Listings CVE-2008-6797 (The server in Mitel NuPoint Messenger R11 and R3 sends usernames and p ...) NOT-FOR-US: Mitel NuPoint Messenger CVE-2008-6796 (SQL injection vulnerability in manager/login.php in Pre Projects Pre R ...) NOT-FOR-US: Pre Real Estate Listings CVE-2008-6795 (SQL injection vulnerability in view_news.php in nicLOR Vibro-School-CM ...) NOT-FOR-US: nicLOR Vibro-School-CMS CVE-2008-6794 (SQL injection vulnerability in directory.php in Scripts For Sites (SFS ...) NOT-FOR-US: Scripts For Sites (SFS) CVE-2008-6793 (The get_file_type function in lib/file_content.php in DFLabs PTK 0.1, ...) NOT-FOR-US: DFLabs CVE-2008-6792 (system-tools-backends before 2.6.0-1ubuntu1.1 in Ubuntu 8.10, as used ...) - system-tools-backends 2.6.0-6.1 (low; bug #527952) [lenny] - system-tools-backends 2.6.0-2lenny3 [etch] - system-tools-backends (SHA was added to crypt(3) post-etch) CVE-2009-1581 (functions/mime.php in SquirrelMail before 1.4.18 does not protect the ...) {DSA-1802-1} - squirrelmail 2:1.4.18-1 (low; bug #528528) NOTE: http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13667 CVE-2009-1580 (Session fixation vulnerability in SquirrelMail before 1.4.18 allows re ...) {DSA-1802-1} - squirrelmail 2:1.4.18-1 (low; bug #528528) NOTE: http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13676 CVE-2009-1579 (The map_yp_alias function in functions/imap_general.php in SquirrelMai ...) {DSA-1802-1} - squirrelmail 2:1.4.18-1 (medium; bug #528528) NOTE: http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13674 NOTE: doesn't affect every setup CVE-2009-1578 (Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail be ...) {DSA-1802-1} - squirrelmail 2:1.4.18-1 (low; bug #528528) NOTE: http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13670 CVE-2009-1577 (Multiple stack-based buffer overflows in the putstring function in fin ...) - cscope 15.6-1 CVE-2009-1576 (Unspecified vulnerability in Drupal 5.x before 5.17 and 6.x before 6.1 ...) {DSA-1792-1} - drupal6 6.11-1 (bug #526378) - drupal5 5.17-1 CVE-2009-1575 (Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.17 and ...) {DSA-1792-1} - drupal6 6.11-1 (bug #526378) - drupal5 5.17-1 CVE-2009-1574 (racoon/isakmp_frag.c in ipsec-tools before 0.7.2 allows remote attacke ...) {DSA-1804-1} - ipsec-tools 1:0.7.1-1.4 (medium; bug #527634) CVE-2009-1571 (Use-after-free vulnerability in the HTML parser in Mozilla Firefox 3.0 ...) {DSA-1999-1} - xulrunner 1.9.1.8-1 [etch] - xulrunner - iceape 2.0.3-1 [lenny] - iceape (Lenny package only provide xpcom stubs) - icedove 3.0.2-1 CVE-2009-1570 (Integer overflow in the ReadImage function in plug-ins/file-bmp/bmp-re ...) - gimp 2.6.7-1.1 (medium; bug #555929) CVE-2009-1569 (Multiple stack-based buffer overflows in Novell iPrint Client 4.38, 5. ...) NOT-FOR-US: Novell iPrint Client CVE-2009-1568 (Stack-based buffer overflow in ienipp.ocx in Novell iPrint Client 5.30 ...) NOT-FOR-US: Novell iPrint Client CVE-2009-1567 (Multiple stack-based buffer overflows in the Lateral Arts Photobox upl ...) NOT-FOR-US: ActiveX CVE-2009-1566 (Integer overflow in Roxio Easy Media Creator 9.0.136, and Roxio Creato ...) NOT-FOR-US: Roxio Easy Media Creator CVE-2009-1565 (vmnc.dll in the VMnc media codec in VMware Movie Decoder before 6.5.4 ...) NOT-FOR-US: VMware Movie Decoder CVE-2009-1564 (Heap-based buffer overflow in vmnc.dll in the VMnc media codec in VMwa ...) NOT-FOR-US: VMwar CVE-2009-1563 REJECTED CVE-2009-1562 RESERVED CVE-2009-1561 (Cross-site request forgery (CSRF) vulnerability in administration.cgi ...) NOT-FOR-US: Cisco Linksys CVE-2009-1560 (The Cisco Linksys WVC54GCA wireless video camera with firmware 1.00R22 ...) NOT-FOR-US: Cisco Linksys CVE-2009-1559 (Absolute path traversal vulnerability in adm/file.cgi on the Cisco Lin ...) NOT-FOR-US: Cisco Linksys CVE-2009-1558 (Directory traversal vulnerability in adm/file.cgi on the Cisco Linksys ...) NOT-FOR-US: Cisco Linksys CVE-2009-1557 (Multiple cross-site scripting (XSS) vulnerabilities on the Cisco Links ...) NOT-FOR-US: Cisco Linksys CVE-2009-1556 (img/main.cgi on the Cisco Linksys WVC54GCA wireless video camera with ...) NOT-FOR-US: Cisco Linksys CVE-2009-1555 (The Cisco Linksys WVC54GCA wireless video camera with firmware 1.00R22 ...) NOT-FOR-US: Cisco Linksys CVE-2009-1554 (Cross-site scripting (XSS) vulnerability in ThemeServlet.java in Sun W ...) NOT-FOR-US: Sun Woodstock CVE-2009-1553 (Multiple cross-site scripting (XSS) vulnerabilities in the Admin Conso ...) NOT-FOR-US: Sun GlassFish Enterprise Server CVE-2009-1552 (Unspecified vulnerability in the IGMP driver in SCO Unixware Release 7 ...) NOT-FOR-US: SCO UnixWare CVE-2009-1551 (Multiple PHP remote file inclusion vulnerabilities in Qt quickteam 2 a ...) NOT-FOR-US: Qt quickteam CVE-2009-1550 (Zakkis Technology ABC Advertise 1.0 does not properly restrict access ...) NOT-FOR-US: Zakkis Technology ABC Advertise CVE-2009-1549 (AGTC MyShop 3.2b allows remote attackers to bypass authentication and ...) NOT-FOR-US: AGTC MyShop CVE-2009-1548 (SQL injection vulnerability in index.php in BluSky CMS allows remote a ...) NOT-FOR-US: BluSky CMS CVE-2009-XXXX [prelude-manager: password world-readable] - prelude-manager (The postinst sets correct permissions, see bug #527344) NOTE: FEDORA-2009-3931 http://lwn.net/Articles/331612 CVE-2009-XXXX [bash-completion: does not properly quote characters] - bash-completion 200811xx~bzr1223 (bug #259987) NOTE: adding this reference to track the fact that this has already been addressed by debian security NOTE: fixed over a year ago in debian; but fedora finally got around to addressing the issue recently NOTE: FEDORA-2009-3639 http://lwn.net/Articles/331605 CVE-2009-1547 (Unspecified vulnerability in Microsoft Internet Explorer 5.01 SP4, 6, ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-1546 (Integer overflow in Avifil32.dll in the Windows Media file handling fu ...) NOT-FOR-US: Microsoft Windows CVE-2009-1545 (Unspecified vulnerability in Avifil32.dll in the Windows Media file ha ...) NOT-FOR-US: Microsoft Windows CVE-2009-1544 (Double free vulnerability in the Workstation service in Microsoft Wind ...) NOT-FOR-US: Microsoft Windows CVE-2009-1543 REJECTED CVE-2009-1542 (The Virtual Machine Monitor (VMM) in Microsoft Virtual PC 2004 SP1, 20 ...) NOT-FOR-US: Microsoft CVE-2009-1541 REJECTED CVE-2009-1540 REJECTED CVE-2009-1539 (The QuickTime Movie Parser Filter in quartz.dll in DirectShow in Micro ...) NOT-FOR-US: Microsoft DirectX CVE-2009-1538 (The QuickTime Movie Parser Filter in quartz.dll in DirectShow in Micro ...) NOT-FOR-US: Microsoft DirectX CVE-2009-1537 (Unspecified vulnerability in the QuickTime Movie Parser Filter in quar ...) NOT-FOR-US: Microsoft DirectX CVE-2009-1536 (ASP.NET in Microsoft .NET Framework 2.0 SP1 and SP2 and 3.5 Gold and S ...) NOT-FOR-US: Microsoft .NET Framework CVE-2009-1535 (The WebDAV extension in Microsoft Internet Information Services (IIS) ...) NOT-FOR-US: IIS CVE-2009-1534 (Buffer overflow in the Office Web Components ActiveX Control in Micros ...) NOT-FOR-US: Microsoft Office XP CVE-2009-1533 (Buffer overflow in the Works for Windows document converters in Micros ...) NOT-FOR-US: Microsoft CVE-2009-1532 (Microsoft Internet Explorer 8 for Windows XP SP2 and SP3; 8 for Server ...) NOT-FOR-US: Microsoft CVE-2009-1531 (Microsoft Internet Explorer 7 for Windows XP SP2 and SP3; 7 for Server ...) NOT-FOR-US: Microsoft CVE-2009-1530 (Use-after-free vulnerability in Microsoft Internet Explorer 7 for Wind ...) NOT-FOR-US: Microsoft CVE-2009-1529 (Microsoft Internet Explorer 7 for Windows XP SP2 and SP3; 7 for Server ...) NOT-FOR-US: Microsoft CVE-2009-1528 (Microsoft Internet Explorer 6 and 7 for Windows XP SP2 and SP3; 6 and ...) NOT-FOR-US: Microsoft CVE-2009-1527 (Race condition in the ptrace_attach function in kernel/ptrace.c in the ...) - linux-2.6 2.6.29-5 (high) [etch] - linux-2.6 (vulnerable code introduced in 2.6.29) [lenny] - linux-2.6 (vulnerable code introduced in 2.6.29) CVE-2009-1526 (JBMC Software DirectAdmin before 1.334 allows local users to create or ...) NOT-FOR-US: Directadmin CVE-2009-1525 (CMD_DB in JBMC Software DirectAdmin before 1.334 allows remote authent ...) NOT-FOR-US: Directadmin CVE-2009-1524 (Cross-site scripting (XSS) vulnerability in Mort Bay Jetty before 6.1. ...) - jetty 6.1.19-1 (low; bug #527571) CVE-2009-1523 (Directory traversal vulnerability in the HTTP server in Mort Bay Jetty ...) - jetty 6.1.19-1 (low; bug #528389) CVE-2009-1522 (The IBM Tivoli Storage Manager (TSM) client 5.5.0.0 through 5.5.1.17 o ...) NOT-FOR-US: Tivoli CVE-2009-1521 (Unspecified vulnerability in the Java GUI in the IBM Tivoli Storage Ma ...) NOT-FOR-US: Tivoli CVE-2009-1520 (Buffer overflow in the Web GUI in the IBM Tivoli Storage Manager (TSM) ...) NOT-FOR-US: Tivoli CVE-2009-XXXX [moin: XSS in AttachFile.py via attachements] - moin 1.8.3-1 (low; bug #526594) [lenny] - moin 1.7.1-3+lenny2 [etch] - moin (Vulnerable code not present) NOTE: http://hg.moinmo.in/moin/1.8/rev/269a1fbc3ed7 NOTE: CVE id requested CVE-2009-1513 (Buffer overflow in the PATinst function in src/load_pat.cpp in libmodp ...) {DSA-1850-1} - libmodplug 1:0.8.7-1 (medium; bug #526084) - gst-plugins-bad0.10 (Vulnerable code not present; bug #527077) [etch] - libmodplug (Vulnerable code not present) NOTE: gst-plugins-bad0.10 in testing and unstable builds against an external libmodplug. CVE-2009-1519 (Directory traversal vulnerability in index.php in Pecio CMS 1.1.5 allo ...) NOT-FOR-US: Pecio CMS CVE-2009-1518 (Cross-site request forgery (CSRF) vulnerability in Beltane before 2.3. ...) NOT-FOR-US: Beltane CVE-2009-1517 (Multiple insecure method vulnerabilities in the Symantec.EasySetup.1 A ...) NOT-FOR-US: ActiveX CVE-2009-1516 (Stack-based buffer overflow in the IceWarpServer.APIObject ActiveX con ...) NOT-FOR-US: ActiveX CVE-2009-1514 (Google Chrome 1.0.154.53 allows remote attackers to cause a denial of ...) - chromium-browser 5.0.375.38~r46659-1 (low) NOTE: proof of concept maximum impact against webkit is dos-only CVE-2008-6791 (PumpKIN TFTP Server 2.7.2.0 allows remote attackers to cause a denial ...) NOT-FOR-US: PumpKIN TFTP Server CVE-2008-6790 (The admin module in MindDezign Photo Gallery 2.2 allows remote attacke ...) NOT-FOR-US: MindDezign Photo Gallery CVE-2008-6789 (SQL injection vulnerability in MindDezign Photo Gallery 2.2 allows rem ...) NOT-FOR-US: MindDezign Photo Gallery CVE-2008-6788 (SQL injection vulnerability in MindDezign Photo Gallery 2.2, when magi ...) NOT-FOR-US: MindDezign Photo Gallery CVE-2009-1573 (xvfb-run 1.6.1 in Debian GNU/Linux, Ubuntu, Fedora 10, and possibly ot ...) - xorg-server 2:1.6.1.901-3 (low; bug #526678) [etch] - xorg-server (minor issue) [lenny] - xorg-server (minor issue) CVE-2009-1515 (Heap-based buffer overflow in the cdf_read_sat function in src/cdf.c i ...) - file 5.02-1 [lenny] - file (Vulnerable code not present) [etch] - file (Vulnerable code not present) NOTE: code introduced in 5.xx series CVE-2009-1512 (Static code injection vulnerability in X-Forum 0.6.2 allows remote aut ...) NOT-FOR-US: X-Forum CVE-2009-1511 (GDI+ in Microsoft Windows XP SP3 allows remote attackers to cause a de ...) NOT-FOR-US: Microsoft Windows CVE-2009-1510 (Multiple directory traversal vulnerabilities in KoschtIT Image Gallery ...) NOT-FOR-US: KoschtIT Image Gallery CVE-2009-1509 (SQL injection vulnerability in ajaxp_backend.php in MyioSoft AjaxPorta ...) NOT-FOR-US: MyioSoft AjaxPortal CVE-2009-1508 (SQL injection vulnerability in the xforum_validateUser function in Com ...) NOT-FOR-US: X-Forum CVE-2009-1507 (The Node Access User Reference module 5.x before 5.x-2.0-beta4 and 6.x ...) NOT-FOR-US: Node Access User Reference module for Drupal CVE-2009-1506 (SQL injection vulnerability in classes/Xp.php in eLitius 1.0 allows re ...) NOT-FOR-US: eLitius CVE-2009-1505 (SQL injection vulnerability in the News Page module 5.x before 5.x-1.2 ...) NOT-FOR-US: News Page module for Drupal CVE-2009-1504 (Absolute Form Processor XE 1.5 allows remote attackers to bypass authe ...) NOT-FOR-US: Absolute Form Processor XE CVE-2009-1503 (Multiple SQL injection vulnerabilities in login.php in Tiger Document ...) NOT-FOR-US: Tiger Document Management System CVE-2009-1502 (Directory traversal vulnerability in plugin.php in S-Cms 1.1 Stable an ...) NOT-FOR-US: S-Cms CVE-2009-1501 (Cross-site scripting (XSS) vulnerability in the Exif module 5.x-1.x be ...) NOT-FOR-US: EXIF module for Drupal CVE-2009-1500 (SQL injection vulnerability in index.php in ProjectCMS 1.0 Beta allows ...) NOT-FOR-US: ProjectCMS CVE-2009-1499 (SQL injection vulnerability in the MailTo (aka com_mailto) component i ...) NOT-FOR-US: com_mailto component for Joomla! CVE-2009-1498 (Directory traversal vulnerability in inc/profilemain.php in Game Maker ...) NOT-FOR-US: Game Maker 2k Internet Discussion Boards CVE-2009-1497 (Stack-based buffer overflow in srt2smi.exe in Gretech Online Movie Pla ...) NOT-FOR-US: GOM Player CVE-2009-1496 (Directory traversal vulnerability in the Cmi Marketplace (com_cmimarke ...) NOT-FOR-US: com_cmimarketplace component for Joomla! CVE-2009-1495 (Web File Explorer 3.1 stores sensitive information under the web root ...) NOT-FOR-US: Web File Explorer CVE-2008-6787 (SQL injection vulnerability in administrator/index.php in Lizardware C ...) NOT-FOR-US: Lizardware CMS CVE-2008-6786 (Multiple directory traversal vulnerabilities in geekigeeki.py in Geeki ...) NOT-FOR-US: GeekiGeeki CVE-2008-6785 (Unrestricted file upload vulnerability in Mini File Host 1.5 allows re ...) NOT-FOR-US: Mini File Host CVE-2008-6784 (SQL injection vulnerability in directory.php in Scripts For Sites (SFS ...) NOT-FOR-US: EZ Adult Directory CVE-2008-6783 (SQL injection vulnerability in directory.php in Sites for Scripts (SFS ...) NOT-FOR-US: EZ Home Business Directory CVE-2008-6782 (SQL injection vulnerability in directory.php in Sites for Scripts (SFS ...) NOT-FOR-US: EZ Hosting Directory CVE-2008-6781 (SQL injection vulnerability in directory.php in Sites for Scripts (SFS ...) NOT-FOR-US: Gaming Directory CVE-2008-6780 (SQL injection vulnerability in directory.php in Scripts for Sites (SFS ...) NOT-FOR-US: EZ Affiliate CVE-2008-6779 (SQL injection vulnerability in the Sarkilar module for PHP-Nuke allows ...) NOT-FOR-US: PHP-Nuke CVE-2008-6778 (SQL injection vulnerability in viewfaqs.php in Scripts for Sites (SFS) ...) NOT-FOR-US: EZ Auction CVE-2008-6777 (Multiple SQL injection vulnerabilities in MyPHP Forum 3.0 and earlier ...) NOT-FOR-US: MyPHP Forum CVE-2008-6776 (SQL injection vulnerability in viewcomments.php in Scripts For Sites ( ...) NOT-FOR-US: EZ Hot or Not CVE-2008-6775 (HTC Touch Pro and HTC Touch Cruise vCard allows remote attackers to ca ...) NOT-FOR-US: HTC Touch CVE-2009-1494 (The process_stat function in Memcached 1.2.8 discloses memory-allocati ...) - memcached 1.2.8-1 (low; bug #526554) [lenny] - memcached (Affected compile-time options not set) [etch] - memcached (Affected compile-time options not set) CVE-2009-1493 (The customDictionaryOpen spell method in the JavaScript API in Adobe R ...) NOT-FOR-US: Adobe Reader CVE-2009-1492 (The getAnnots Doc method in the JavaScript API in Adobe Reader and Acr ...) NOT-FOR-US: Adobe Reader CVE-2009-1491 (McAfee GroupShield for Microsoft Exchange on Exchange Server 2000, and ...) NOT-FOR-US: McAfee GroupShield for Microsoft Exchange CVE-2009-1490 (Heap-based buffer overflow in Sendmail before 8.13.2 allows remote att ...) - sendmail 8.13.2-0 CVE-2009-XXXX [samba: Account locking out doesnt work with an LDAP backend] - samba 2:3.2.6 (bug #514151) [lenny] - samba 2:3.2.5-4lenny1 [etch] - samba (Bug not yet present in Etch's version) CVE-2009-1572 (The BGP daemon (bgpd) in Quagga 0.99.11 and earlier allows remote atta ...) {DSA-1788-1} - quagga 0.99.11-2 (high; bug #526270) [lenny] - quagga 0.99.10-1lenny2 [etch] - quagga (no AS4 code) CVE-2009-1489 (includes/user.php in Fungamez RC1 allows remote attackers to bypass au ...) NOT-FOR-US: Fungamez CVE-2009-1488 (Directory traversal vulnerability in admin/load.php in FunGamez RC1 al ...) NOT-FOR-US: Fungamez CVE-2009-1487 (SQL injection vulnerability in pages/login.php in FunGamez RC1 allows ...) NOT-FOR-US: Fungamez CVE-2009-1486 (Directory traversal vulnerability in pmscript.php in Flatchat 3.0 allo ...) NOT-FOR-US: Flatchat CVE-2009-1485 (The logging feature in eMule Plus before 1.2e allows remote attackers ...) NOT-FOR-US: eMule Plus CVE-2009-1484 (Cross-site scripting (XSS) vulnerability in the web mail interface fea ...) NOT-FOR-US: AXIGEN Mail Server CVE-2009-1483 (Unrestricted file upload vulnerability in upload-file.php in Adam Patt ...) NOT-FOR-US: Adam Patterson Studio Lounge Address Book CVE-2009-1482 (Multiple cross-site scripting (XSS) vulnerabilities in action/AttachFi ...) {DSA-1791-1} - moin 1.8.3-1 (low; bug #526594) [etch] - moin (Not exploitable) NOTE: http://hg.moinmo.in/moin/1.8/rev/5f51246a4df1 CVE-2009-1481 (SQL injection vulnerability in action.asp in PuterJam's Blog (PJBlog3) ...) NOT-FOR-US: PuterJam's Blog CVE-2009-1480 (SQL injection vulnerability in index.php Pragyan CMS 2.6.4 allows remo ...) NOT-FOR-US: Pragyan CMS CVE-2009-1479 (Directory traversal vulnerability in client/desktop/default.htm in Box ...) NOT-FOR-US: Boxalino CVE-2009-1478 (Multiple unspecified vulnerabilities in the DTrace ioctl handlers in S ...) NOT-FOR-US: Solaris CVE-2008-6774 (internettoolbar/edit.php in YourPlace 1.0.2 and earlier does not end e ...) NOT-FOR-US: YourPlace CVE-2008-6773 (Static code injection vulnerability in user/internettoolbar/edit.php i ...) NOT-FOR-US: YourPlace CVE-2008-6772 (login/register_form.php in YourPlace 1.0.2 and earlier does not check ...) NOT-FOR-US: YourPlace CVE-2008-6771 (YourPlace 1.0.2 and earlier allows remote attackers to obtain sensitiv ...) NOT-FOR-US: YourPlace CVE-2008-6770 (YourPlace 1.0.2 and earlier stores sensitive information under the web ...) NOT-FOR-US: YourPlace CVE-2008-6769 (Unrestricted file upload vulnerability in upload.php in YourPlace 1.0. ...) NOT-FOR-US: YourPlace CVE-2008-6768 (Unrestricted file upload vulnerability in admin/editor/images.php in K ...) NOT-FOR-US: K&S Shopsoftware CVE-2009-1477 (The https web interfaces on the ATEN KH1516i IP KVM switch with firmwa ...) NOT-FOR-US: ATEN IP KVM Switch CVE-2009-1476 (Buffer overflow in lib/load_http.c in ippool in Darren Reed IPFilter ( ...) NOT-FOR-US: IPFilter CVE-2009-1475 RESERVED CVE-2009-1474 (The ATEN KH1516i IP KVM switch with firmware 1.0.063 and the KN9116 IP ...) NOT-FOR-US: ATEN IP KVM Switch CVE-2009-1473 (The (1) Windows and (2) Java client programs for the ATEN KH1516i IP K ...) NOT-FOR-US: ATEN IP KVM Switch CVE-2009-1472 (The Java client program for the ATEN KH1516i IP KVM switch with firmwa ...) NOT-FOR-US: ATEN IP KVM Switch CVE-2009-1471 RESERVED CVE-2009-1470 RESERVED CVE-2009-1469 (CRLF injection vulnerability in the Forgot Password implementation in ...) NOT-FOR-US: IceWarp CVE-2009-1468 (Multiple SQL injection vulnerabilities in the search form in server/we ...) NOT-FOR-US: IceWarp CVE-2009-1467 (Multiple cross-site scripting (XSS) vulnerabilities in IceWarp eMail S ...) NOT-FOR-US: IceWarp CVE-2009-1466 (Application Access Server (A-A-S) 2.0.48 stores (1) passwords and (2) ...) NOT-FOR-US: Application Access Server (A-A-S) CVE-2009-1465 (Application Access Server (A-A-S) 2.0.48 has "wildbat" as its default ...) NOT-FOR-US: Application Access Server (A-A-S) CVE-2009-1464 (Multiple cross-site request forgery (CSRF) vulnerabilities in index.aa ...) NOT-FOR-US: Application Access Server (A-A-S) CVE-2009-1463 (Static code injection vulnerability in razorCMS before 0.4 allows remo ...) NOT-FOR-US: razorCMS CVE-2009-1462 (The Security Manager in razorCMS before 0.4 does not verify the permis ...) NOT-FOR-US: razorCMS CVE-2009-1461 (Cross-site scripting (XSS) vulnerability in the Create New Page form i ...) NOT-FOR-US: razorCMS CVE-2009-1460 (razorCMS before 0.4 uses weak permissions for (1) admin/core/admin_con ...) NOT-FOR-US: razorCMS CVE-2009-1459 (Cross-site request forgery (CSRF) vulnerability in razorCMS before 0.4 ...) NOT-FOR-US: razorCMS CVE-2009-1458 (Multiple cross-site scripting (XSS) vulnerabilities in admin/index.php ...) NOT-FOR-US: razorCMS CVE-2009-1457 (Cross-site scripting (XSS) vulnerability in player.php in Nuke Evoluti ...) NOT-FOR-US: Nuke Evolution Xtreme CVE-2009-1456 (Directory traversal vulnerability in admin.php in Malleo 1.2.3 allows ...) NOT-FOR-US: Malleo CVE-2009-1455 (Multiple cross-site request forgery (CSRF) vulnerabilities in WebColla ...) NOT-FOR-US: WebCollab CVE-2009-1454 (Cross-site scripting (XSS) vulnerability in tasks.php in WebCollab bef ...) NOT-FOR-US: WebCollab CVE-2009-1453 (SQL injection vulnerability in class.eport.php in Tiny Blogr 1.0.0 rc4 ...) NOT-FOR-US: Tiny Blogr CVE-2009-1452 (Multiple PHP remote file inclusion vulnerabilities in theme/format.php ...) NOT-FOR-US: SMA-DB CVE-2009-1451 (Cross-site scripting (XSS) vulnerability in startpage.php in SMA-DB 0. ...) NOT-FOR-US: SMA-DB CVE-2009-1450 (PHP remote file inclusion vulnerability in format.php in SMA-DB 0.3.12 ...) NOT-FOR-US: SMA-DB CVE-2008-6767 (wp-admin/upgrade.php in WordPress, probably 2.6.x, allows remote attac ...) {DSA-1871-2 DSA-1871-1} - wordpress 2.8.3-1 (low; bug #531736) NOTE: low impact, probably no-dsa CVE-2008-6766 (cart_save.php in ViArt Shop (aka Shopping Cart) 3.5 allows remote atta ...) NOT-FOR-US: ViArt Shop (aka Shopping Cart) CVE-2008-6765 (ViArt Shop (aka Shopping Cart) 3.5 allows remote attackers to access t ...) NOT-FOR-US: ViArt Shop (aka Shopping Cart) CVE-2008-6764 (Cross-site scripting (XSS) vulnerability in login.php in Silentum Logi ...) NOT-FOR-US: Silentum LoginSys CVE-2008-6763 (login2.php in Silentum LoginSys 1.0.0 allows remote attackers to bypas ...) NOT-FOR-US: Silentum LoginSys CVE-2008-6762 (Open redirect vulnerability in wp-admin/upgrade.php in WordPress, prob ...) {DSA-1871-2 DSA-1871-1} - wordpress 2.8.3-1 (low; bug #531736) NOTE: low impact, probably no-dsa CVE-2008-6761 (Static code injection vulnerability in admin/install.php in Flexcustom ...) NOT-FOR-US: Flexcustomer CVE-2008-6760 (ViArt Shop (aka Shopping Cart) 3.5 allows remote attackers to obtain s ...) NOT-FOR-US: ViArt Shop (aka Shopping Cart) CVE-2008-6759 (ViArt Shop (aka Shopping Cart) 3.5 allows remote attackers to obtain s ...) NOT-FOR-US: ViArt Shop (aka Shopping Cart) CVE-2008-6758 (Cross-site request forgery (CSRF) vulnerability in cart_save.php in Vi ...) NOT-FOR-US: ViArt Shop (aka Shopping Cart) CVE-2008-6757 (Cross-site scripting (XSS) vulnerability in manuals_search.php in ViAr ...) NOT-FOR-US: ViArt Shop (aka Shopping Cart) CVE-2009-1449 (Stack-based buffer overflow in PortableApps CoolPlayer Portable (aka C ...) NOT-FOR-US: CoolPlayer CVE-2009-1448 (Cross-site scripting (XSS) vulnerability in apricot.php in LovPop.net ...) NOT-FOR-US: LovPop.net CVE-2009-1447 (Unrestricted file upload vulnerability in admin/editor/image.php in e- ...) NOT-FOR-US: e-cart.biz Free Shopping Car CVE-2009-1446 (Unrestricted file upload vulnerability in upload.php in Elkagroup Imag ...) NOT-FOR-US: Elkagroup Image Gallery CVE-2009-1445 (Multiple directory traversal vulnerabilities in WebPortal CMS 0.8-beta ...) NOT-FOR-US: WebPortal CMS CVE-2009-1444 (PHP remote file inclusion vulnerability in indexk.php in WebPortal CMS ...) NOT-FOR-US: WebPortal CMS CVE-2009-1443 (Multiple unspecified vulnerabilities in the Server component in OCS In ...) - ocsinventory-server 1.02-1 (unimportant) NOTE: Only supported in trusted environments, see debtags CVE-2009-1442 (Multiple integer overflows in Skia, as used in Google Chrome 1.x befor ...) NOT-FOR-US: skia CVE-2009-1441 (Heap-based buffer overflow in the ParamTraits<SkBitmap>::Read fu ...) - chromium-browser (Only 1.x is affected) - webkit (chrome-specific issue) CVE-2009-1439 (Buffer overflow in fs/cifs/connect.c in CIFS in the Linux kernel 2.6.2 ...) {DSA-1800-1 DSA-1794-1 DSA-1787-1} - linux-2.6 2.6.29-2 (bug #523365) - linux-2.6.24 CVE-2009-1438 (Integer overflow in the CSoundFile::ReadMed function (src/load_med.cpp ...) {DSA-1851-1 DSA-1850-1} - libmodplug 1:0.8.7-1 (low; bug #526657; bug #527076) - gst-plugins-bad0.10 0.10.10.2-1 (bug #527075) NOTE: gstreamer in unstable dynamically linked to external libmodplug CVE-2009-1437 (Stack-based buffer overflow in PortableApps CoolPlayer Portable (aka C ...) NOT-FOR-US: CoolPlayer CVE-2009-1436 (The db interface in libc in FreeBSD 6.3, 6.4, 7.0, 7.1, and 7.2-PREREL ...) - kfreebsd-7 (Debian/kfreebsd uses glibc) CVE-2009-1435 (NTRtScan.exe in Trend Micro OfficeScan Client 8.0 SP1 and 8.0 SP1 Patc ...) NOT-FOR-US: Trend Micro OfficeScan CVE-2009-1434 (Cross-site request forgery (CSRF) vulnerability in Foswiki before 1.0. ...) - foswiki (bug #509864) CVE-2008-6756 (ZoneMinder 1.23.3 on Gentoo Linux uses 0644 permissions for /etc/zm.co ...) - zoneminder 1.22.3-5 CVE-2008-6755 (ZoneMinder 1.23.3 on Fedora 10 sets the ownership of /etc/zm.conf to t ...) - zoneminder 1.24.1-1 (unimportant; bug #528252) NOTE: we are also affected but this is not a security issue by itself even if it's ugly CVE-2008-6754 (The Personal Sticky Threads addon 1.0.3c for vBulletin allows remote a ...) NOT-FOR-US: vBullerin addon CVE-2008-6753 (SQL injection vulnerability in SilverStripe before 2.2.2 allows remote ...) NOT-FOR-US: SilverStripe CVE-2009-1433 (SQL injection vulnerability in File::find (filesystem/File.php) in Sil ...) NOT-FOR-US: SilverStripe CVE-2009-1432 (Symantec Reporting Server, as used in Symantec AntiVirus (SAV) Corpora ...) NOT-FOR-US: Symantec CVE-2009-1431 (XFR.EXE in the Intel File Transfer service in the console in Symantec ...) NOT-FOR-US: Symantec CVE-2009-1430 (Multiple stack-based buffer overflows in IAO.EXE in the Intel Alert Or ...) NOT-FOR-US: Symantec CVE-2009-1429 (The Intel LANDesk Common Base Agent (CBA) in Symantec Alert Management ...) NOT-FOR-US: Symantec CVE-2009-1428 (Multiple cross-site scripting (XSS) vulnerabilities in ccLgView.exe in ...) NOT-FOR-US: Symantec CVE-2009-1427 (Unspecified vulnerability in HP-UX B.11.31 allows local users to cause ...) NOT-FOR-US: HP-UX CVE-2009-1426 (Unspecified vulnerability on HP ProLiant DL and ML 100 Series G5, G5p, ...) NOT-FOR-US: HP ProLiant CVE-2009-1425 (Unspecified vulnerability in HP ProCurve Threat Management Services zl ...) NOT-FOR-US: HP ProCurve CVE-2009-1424 (Unspecified vulnerability in HP ProCurve Threat Management Services zl ...) NOT-FOR-US: HP ProCurve CVE-2009-1423 (Unspecified vulnerability in HP ProCurve Threat Management Services zl ...) NOT-FOR-US: HP ProCurve CVE-2009-1422 (Unspecified vulnerability in HP ProCurve Threat Management Services zl ...) NOT-FOR-US: HP ProCurve CVE-2009-1421 (Unspecified vulnerability in NFS / ONCplus B.11.31_06 and B.11.31_07 o ...) NOT-FOR-US: ONCplus on HP HP-UX CVE-2009-1420 (Stack-based buffer overflow in rping in HP OpenView Network Node Manag ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2009-1419 (Unspecified vulnerability in HP Discovery & Dependency Mapping Inv ...) NOT-FOR-US: HP Discovery & Dependency Mapping Inventory CVE-2009-1418 (Cross-site scripting (XSS) vulnerability in HP System Management Homep ...) NOT-FOR-US: HP System Management Homepage CVE-2009-1417 (gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and e ...) - gnutls26 2.6.6-1 (low; bug #528281) [lenny] - gnutls26 (Minor issue, explicitly labeled as a test program) - gnutls13 [etch] - gnutls13 (Minor issue, explicitly labeled as a test program) CVE-2009-1416 (lib/gnutls_pk.c in libgnutls in GnuTLS 2.5.0 through 2.6.5 generates R ...) - gnutls26 2.6.6-1 (medium) - gnutls13 [lenny] - gnutls26 (Vulnerable code not present, only affects 2.6.x) [etch] - gnutls13 (Vulnerable code not present, only affects 2.6.x) CVE-2009-1415 (lib/pk-libgcrypt.c in libgnutls in GnuTLS before 2.6.6 does not proper ...) - gnutls26 2.6.6-1 (medium) - gnutls13 [lenny] - gnutls26 (Vulnerable code not present) [etch] - gnutls26 (Vulnerable code not present) [etch] - gnutls13 (Vulnerable code not present, only affects 2.6.x) CVE-2009-1414 (Google Chrome 2.0.x lets modifications to the global object persist ac ...) - chromium-browser (Only 2.x is affected) - webkit (doesn't have a 'chromehtml' handler) CVE-2009-1413 (Google Chrome 1.0.x does not cancel timeouts upon a page transition, w ...) - chromium-browser (Only 1.x is affected) - webkit (doesn't have a 'chromehtml' handler) CVE-2009-1412 (Argument injection vulnerability in the chromehtml: protocol handler i ...) - chromium-browser (Only 1.x is affected) - webkit (doesn't have a 'chromehtml' handler) CVE-2009-XXXX [iodine: DoS against iodined triggerable by authenticated users] - iodine 0.5.1 (low) [lenny] - iodine 0.4.2-2~lenny1 CVE-2009-XXXX [ntop: access.log permissions] - ntop (fedora-specific configuration issue; debian package not affected) NOTE: bug #524801 (http://bugs.debian.org/524801) CVE-2009-1402 RESERVED CVE-2009-1401 RESERVED CVE-2009-1400 RESERVED CVE-2009-1399 RESERVED CVE-2009-1398 RESERVED CVE-2009-1397 RESERVED CVE-2009-1396 RESERVED CVE-2009-1395 RESERVED CVE-2009-1394 (Stack-based buffer overflow in Motorola Timbuktu Pro 8.6.5 on Windows ...) NOT-FOR-US: Motorola Timbuktu Pro CVE-2009-1393 RESERVED CVE-2009-1392 (The browser engine in Mozilla Firefox 3 before 3.0.11, Thunderbird bef ...) {DSA-1830-1 DSA-1820-1} - xulrunner 1.9.0.11-1 [etch] - xulrunner (Etch Packages no longer covered by security support) - icedove 2.0.0.22-1 (bug #535124) [squeeze] - icedove 2.0.0.22-0lenny1 CVE-2009-1391 (Off-by-one error in the inflate function in Zlib.xs in Compress::Raw:: ...) - perl 5.10.0-23 (low; bug #532736) [etch] - perl (Doesn't yet include Compress-Raw-Zlib) - libcompress-raw-zlib-perl 2.015-2 (low; bug #532738) [lenny] - libcompress-raw-zlib-perl 2.012-1lenny1 [lenny] - perl 5.10.0-19lenny1 CVE-2009-1390 (Mutt 1.5.19, when linked against (1) OpenSSL (mutt_ssl.c) or (2) GnuTL ...) - mutt 1.5.20-1 [lenny] - mutt (Affected code was introduced in 1.5.19) [etch] - mutt (Affected code was introduced in 1.5.19) [squeeze] - mutt (Affected code was introduced in 1.5.19) CVE-2009-1389 (Buffer overflow in the RTL8169 NIC driver (drivers/net/r8169.c) in the ...) {DSA-1865-1 DSA-1844-1} - linux-2.6 2.6.26-16 (high; bug #532376) - linux-2.6.24 NOTE: potential for kernel memory corruption by remote attacker CVE-2009-1388 (The ptrace_start function in kernel/ptrace.c in the Linux kernel 2.6.1 ...) - linux-2.6 (problem in redhat-specific kernel patches) - linux-2.6.24 (problem in redhat-specific kernel patches) CVE-2009-1387 (The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in Open ...) - openssl 0.9.8k-2 (low; bug #532037) [lenny] - openssl 0.9.8g-15+lenny3 [etch] - openssl 0.9.8c-4etch9 - openssl097 (DTLS support was introduced in 0.9.8) CVE-2009-1386 (ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause ...) - openssl 0.9.8k-1 (low; bug #532037) [lenny] - openssl 0.9.8g-15+lenny3 [etch] - openssl 0.9.8c-4etch9 - openssl097 (DTLS support was introduced in 0.9.8) CVE-2009-1385 (Integer underflow in the e1000_clean_rx_irq function in drivers/net/e1 ...) {DSA-1865-1 DSA-1844-1} - linux-2.6 2.6.26-16 (low; bug #532721) - linux-2.6.24 CVE-2009-1384 (pam_krb5 2.2.14 through 2.3.4, as used in Red Hat Enterprise Linux (RH ...) - libpam-krb5 (different code base than Debian's libpam-krb5) CVE-2009-1383 (The getdirective function in mathtex.cgi in mathTeX, when downloaded b ...) - mathtex 1.03-1 (medium; bug #537258) CVE-2009-1382 (Multiple stack-based buffer overflows in mimetex.cgi in mimeTeX, when ...) {DSA-1917-1} - mimetex 1.50-1.1 (medium; bug #537254) CVE-2009-1381 (The map_yp_alias function in functions/imap_general.php in SquirrelMai ...) {DSA-1802-2} - squirrelmail 2:1.4.19-1 CVE-2009-1380 (Cross-site scripting (XSS) vulnerability in JMX-Console in JBossAs in ...) - jbossas4 4.2.2.GA-1 (bug #562000) [lenny] - jbossas4 (Contrib not supported) CVE-2009-1379 (Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment f ...) - openssl 0.9.8k-1 (low; bug #530400) [lenny] - openssl 0.9.8g-15+lenny3 [etch] - openssl 0.9.8c-4etch9 - openssl097 (DTLS support was introduced in 0.9.8) CVE-2009-1378 (Multiple memory leaks in the dtls1_process_out_of_seq_message function ...) - openssl 0.9.8k-1 (low; bug #530400) [lenny] - openssl 0.9.8g-15+lenny3 [etch] - openssl 0.9.8c-4etch9 - openssl097 (DTLS support was introduced in 0.9.8) CVE-2009-1377 (The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and ...) - openssl 0.9.8k-1 (low; bug #530400) [lenny] - openssl 0.9.8g-15+lenny3 [etch] - openssl 0.9.8c-4etch9 - openssl097 (DTLS support was introduced in 0.9.8) CVE-2009-1376 (Multiple integer overflows in the msn_slplink_process_msg functions in ...) {DSA-1805-1} - pidgin 2.5.6-1 - gaim [lenny] - gaim (Only a transitional package) CVE-2009-1375 (The PurpleCircBuffer implementation in Pidgin (formerly Gaim) before 2 ...) {DSA-1805-1} - pidgin 2.5.6-1 - gaim [lenny] - gaim (Only a transitional package) CVE-2009-1374 (Buffer overflow in the decrypt_out function in Pidgin (formerly Gaim) ...) - pidgin 2.5.6-1 [lenny] - pidgin (QQ support not yet present) - gaim (QQ support not yet present) CVE-2009-1373 (Buffer overflow in the XMPP SOCKS5 bytestream server in Pidgin (former ...) {DSA-1805-1} - pidgin 2.5.6-1 - gaim [lenny] - gaim (Only a transitional package) CVE-2009-1365 (Unspecified vulnerability in Adobe Flash Media Server (FMS) before 3.0 ...) NOT-FOR-US: Adobe Flash Media Server CVE-2009-1364 (Use-after-free vulnerability in the embedded GD library in libwmf 0.2. ...) {DSA-1796-1} - libwmf 0.2.8.4-6.1 (low; bug #526434) CVE-2009-1363 RESERVED CVE-2009-1360 (The __inet6_check_established function in net/ipv6/inet6_hashtables.c ...) - linux-2.6 2.6.29-1 (low; bug #529342) [etch] - linux-2.6 (Introduced in 2.6.27) [lenny] - linux-2.6 (Introduced in 2.6.27) - linux-2.6.24 (Introduced in 2.6.27) CVE-2009-1411 (SQL injection vulnerability in events/inc/events.inc.php in the Events ...) NOT-FOR-US: Seditio CMS CVE-2009-1410 (SQL injection vulnerability in index.php in Quick.Cms.Lite 0.5 allows ...) NOT-FOR-US: Quick.Cms.Lite CVE-2009-1409 (SQL injection vulnerability in usersettings.php in e107 0.7.15 and ear ...) NOT-FOR-US: e107 CVE-2009-1408 (Cross-site scripting (XSS) vulnerability in webSPELL 4.2.0c allows rem ...) NOT-FOR-US: webSPELL CVE-2009-1407 (Directory traversal vulnerability in config.php in NotFTP 1.3.1 allows ...) NOT-FOR-US: NotFTP CVE-2009-1406 (Directory traversal vulnerability in cms_detect.php in TotalCalendar 2 ...) NOT-FOR-US: TotalCalendar CVE-2009-1405 (Directory traversal vulnerability in index.php in PastelCMS 0.8.0, whe ...) NOT-FOR-US: PastelCMS CVE-2009-1404 (SQL injection vulnerability in admin.php in PastelCMS 0.8.0, when magi ...) NOT-FOR-US: PastelCMS CVE-2009-1403 (SQL injection vulnerability in product_info.php in CRE Loaded 6.2 allo ...) NOT-FOR-US: CRE Loaded CVE-2009-1370 (Stack-based buffer overflow in ape_plugin.plg in Xilisoft Video Conver ...) NOT-FOR-US: Xilisoft Video Converter CVE-2009-1369 (moziloCMS 1.11 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: moziloCMS CVE-2009-1368 (Directory traversal vulnerability in index.php in moziloCMS 1.11 allow ...) NOT-FOR-US: moziloCMS CVE-2009-1367 (Cross-site scripting (XSS) vulnerability in index.php in moziloCMS 1.1 ...) NOT-FOR-US: moziloCMS CVE-2009-1366 (Cross-site scripting (XSS) vulnerability in Website\admin\Sales\paypal ...) NOT-FOR-US: DotNetNuke CVE-2009-1362 (SQL injection vulnerability in administration/index.php in chCounter 3 ...) NOT-FOR-US: chCounter CVE-2009-1361 (dig.php in GScripts.net DNS Tools allows remote attackers to execute a ...) NOT-FOR-US: GScripts.net DNS Tools CVE-2009-1359 (Unspecified vulnerability in the SCTP sockets implementation in Sun Op ...) NOT-FOR-US: Sun OpenSolaris CVE-2008-6752 (adminlogin/password.php in the Twitter Clone (TClone) plugin for ReVou ...) NOT-FOR-US: Twitter Clone (TClone) plugin for ReVou Micro Blogging CVE-2008-6751 (Unrestricted file upload vulnerability in index.php in the Twitter Clo ...) NOT-FOR-US: Twitter Clone (TClone) plugin for ReVou Micro Blogging CVE-2008-6750 (Unrestricted file upload vulnerability in add.php in FlexPHPDirectory ...) NOT-FOR-US: FlexPHPDirectory CVE-2008-6749 (Multiple SQL injection vulnerabilities in admin/usercheck.php in FlexP ...) NOT-FOR-US: FlexPHPDirectory CVE-2008-6748 (Eval injection vulnerability in Megacubo 5.0.7 allows remote attackers ...) NOT-FOR-US: Megacubo CVE-2008-6747 (dotProject before 2.1.2 does not properly restrict access to administr ...) NOT-FOR-US: dotProject CVE-2008-6746 (Cross-site scripting (XSS) vulnerability in the contact display view i ...) NOT-FOR-US: Turba Contact Manager CVE-2008-6745 (index.php in BlogPHP 2.0 allows remote attackers to gain administrator ...) NOT-FOR-US: BlogPHP CVE-2008-6744 (Cross-site request forgery (CSRF) vulnerability in Cybozu Office 6, Cy ...) NOT-FOR-US: Cybozu Office CVE-2008-6743 (RSMScript 1.21 allows remote attackers to bypass authentication and ga ...) NOT-FOR-US: RSMScript CVE-2009-1357 (CRLF injection vulnerability in da/DA/Login in Sun Java System Delegat ...) NOT-FOR-US: Sun Java System Delegated Administrator CVE-2009-1356 (Stack-based buffer overflow in Elecard AVC HD Player allows remote att ...) NOT-FOR-US: Elecard AVC HD Player CVE-2009-1355 (Stack-based buffer overflow in muxatmd in IBM AIX 5.2, 5.3, and 6.1 al ...) NOT-FOR-US: IBM AIX CVE-2009-1354 (Directory traversal vulnerability in Mongoose 2.4 allows remote attack ...) NOT-FOR-US: Mongoose CVE-2009-1353 (Buffer overflow in the http_parse_hex function in libz/misc.c in Zervi ...) NOT-FOR-US: Zervit Webserver CVE-2009-1352 (Stack-based buffer overflow in Dawningsoft PowerCHM 5.7 allows remote ...) NOT-FOR-US: PowerCHM CVE-2009-1351 (Heap-based buffer overflow in Apollo 37zz allows remote attackers to c ...) NOT-FOR-US: Apollo 37zz CVE-2009-1350 (Unspecified vulnerability in xtagent.exe in Novell NetIdentity Client ...) NOT-FOR-US: Novell NetIdentity Client CVE-2009-1349 (Cross-site scripting (XSS) vulnerability in C2Net Stronghold 2.3 allow ...) NOT-FOR-US: C2Net Stronghold CVE-2008-6742 (Foxy P2P software allows remote attackers to cause a denial of service ...) NOT-FOR-US: Foxy P2P CVE-2008-6741 (SQL injection vulnerability in Load.php in Simple Machines Forum (SMF) ...) NOT-FOR-US: Simple Machines Forum CVE-2008-6740 (PHP remote file inclusion vulnerability in html/admin/modules/plugin_a ...) NOT-FOR-US: HoMaP-CMS CVE-2008-6739 (Todd Woolums ASP Download management script 1.03 does not require auth ...) NOT-FOR-US: Todd Woolums ASP Download management script CVE-2008-6738 (MyShoutPro 1.2 allows remote attackers to bypass authentication and ga ...) NOT-FOR-US: MyShoutPro CVE-2008-6737 (Crysis 1.21 and earlier allows remote attackers to obtain sensitive pl ...) NOT-FOR-US: Crysis CVE-2008-6736 (Flat Calendar 1.1 does not properly restrict access to administrative ...) NOT-FOR-US: Flat Calendar CVE-2008-6735 (Directory traversal vulnerability in qc/index.php in ThaiQuickCart 3 a ...) NOT-FOR-US: ThaiQuickCart CVE-2008-6734 (Directory traversal vulnerability in Public/index.php in Keller Web Ad ...) NOT-FOR-US: Keller Web Admin CMS CVE-2008-6733 (Cross-site scripting (XSS) vulnerability in the error handling page in ...) NOT-FOR-US: DotNetNuke CVE-2008-6732 (Cross-site scripting (XSS) vulnerability in the Language skin object i ...) NOT-FOR-US: DotNetNuke CVE-2006-7238 (Cross-site scripting (XSS) vulnerability in MyShoutPro before 1.2 allo ...) NOT-FOR-US: MyShoutPro CVE-2009-1358 (apt-get in apt before 0.7.21 does not check for the correct error code ...) {DSA-1779-1 DTSA-199-1} - apt 0.7.21 (bug #433091) CVE-2009-1440 (Incomplete blacklist vulnerability in DownloadListCtrl.cpp in amule 2. ...) {DSA-1821-1} - amule 2.2.5-1.1 (low; bug #525078) [etch] - amule (Doesn't support preview of complete files, which is the vulnerable part) CVE-2009-1348 (The AV engine before DAT 5600 in McAfee VirusScan, Total Protection, I ...) NOT-FOR-US: Various AV junk CVE-2009-1347 (Multiple SQL injection vulnerabilities in stats/index.php in chCounter ...) NOT-FOR-US: chCounter CVE-2009-1346 (SQL injection vulnerability in publico/ficha.php in NetHoteles 3.0 all ...) NOT-FOR-US: NetHoteles CVE-2009-1345 (SQL injection vulnerability in document.php in cpCommerce 1.2.8 allows ...) NOT-FOR-US: cpCommerce CVE-2009-1344 (Cross-site scripting (XSS) vulnerability in the Localization client mo ...) NOT-FOR-US: Localization client for drupal CVE-2009-1343 (Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e- ...) NOT-FOR-US: Print module for Drupal CVE-2009-1342 (Cross-site scripting (XSS) vulnerability in the CCK comment reference ...) NOT-FOR-US: CCK comment module for Drupal CVE-2008-6731 (Unrestricted file upload vulnerability in submitlink.php in FlexPHPLin ...) NOT-FOR-US: FlexPHPLink Pro CVE-2008-6730 (Multiple SQL injection vulnerabilities in admin/usercheck.php in FlexP ...) NOT-FOR-US: FlexPHPLink Pro CVE-2008-6729 (Multiple cross-site request forgery (CSRF) vulnerabilities in password ...) NOT-FOR-US: PHPmotion CVE-2008-6728 (SQL injection vulnerability in the Sections module in PHP-Nuke, probab ...) NOT-FOR-US: PHP-Nuke CVE-2008-6727 (Cross-site scripting (XSS) vulnerability in Ultimate PHP Board (UPB) 2 ...) NOT-FOR-US: Ultimate PHP Board CVE-2009-XXXX [git-core in Debian has non-root-owned files under /usr] - git-core 1:1.6.2.1-1 (bug #516669) [lenny] - git-core 1:1.5.6.5-3+lenny3.2 NOTE: fixed accidently through spu CVE-2009-1341 (Memory leak in the dequote_bytea function in quote.c in the DBD::Pg (a ...) {DSA-1780-1} - libdbd-pg-perl 2.1.3-1 CVE-2009-1340 RESERVED CVE-2009-1339 (Cross-site request forgery (CSRF) vulnerability in TWiki before 4.3.1 ...) - twiki (bug #526258) NOTE: We should probably request removal from unstable, replaced by foswiki CVE-2009-1338 (The kill_something_info function in kernel/signal.c in the Linux kerne ...) {DSA-1800-1 DSA-1787-1} - linux-2.6 2.6.29-1 [etch] - linux-2.6 (Vulnerable code not present) CVE-2009-1337 (The exit_notify function in kernel/exit.c in the Linux kernel before 2 ...) {DSA-1800-1 DSA-1794-1 DSA-1787-1} - linux-2.6 2.6.29-5 - linux-2.6.24 CVE-2009-1336 (fs/nfs/client.c in the Linux kernel before 2.6.23 does not properly in ...) {DSA-1794-1} - linux-2.6 2.6.23-1 [etch] - linux-2.6 (Vulnerable code not present) CVE-2009-1335 (Microsoft Internet Explorer 7 and 8 on Windows XP and Vista allows rem ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-1334 (Cross-site scripting (XSS) vulnerability in login/FilepathLogin.html i ...) NOT-FOR-US: IBM Tivoli Continuous Data Protection CVE-2009-1333 (Cross-site scripting (XSS) vulnerability in refresh_rate.htm in the we ...) NOT-FOR-US: HP Deskjet CVE-2009-1332 (The Online Help feature in Sun Java System Directory Server 5.2 and En ...) NOT-FOR-US: Sun Java System Directory Server CVE-2009-1331 (Integer overflow in Microsoft Windows Media Player (WMP) 11.0.5721.526 ...) NOT-FOR-US: Windows Media Player CVE-2009-XXXX [pptp-linux: unrestrictive pptpsetup permissions] - pptp-linux 1.7.2-3 (low; bug #523476) [lenny] - pptp-linux (Minor issue) [etch] - pptp-linux (Minor issue) CVE-2009-1330 (Stack-based buffer overflow in Easy RM to MP3 Converter allows remote ...) NOT-FOR-US: Easy RM to MP3 Converter CVE-2009-1329 (Stack-based buffer overflow in Mini-stream Shadow Stream Recorder 3.0. ...) NOT-FOR-US: Mini-stream CVE-2009-1328 (Stack-based buffer overflow in Mini-stream RM-MP3 Converter 3.0.0.7 al ...) NOT-FOR-US: Mini-stream CVE-2009-1327 (Stack-based buffer overflow in Mini-stream WM Downloader 3.0.0.9 allow ...) NOT-FOR-US: Mini-stream CVE-2009-1326 (Stack-based buffer overflow in Mini-stream RM Downloader 3.0.0.9 allow ...) NOT-FOR-US: Mini-stream CVE-2009-1325 (Stack-based buffer overflow in Mini-stream Ripper 3.0.1.1 allows remot ...) NOT-FOR-US: Mini-stream CVE-2009-1324 (Stack-based buffer overflow in Mini-stream ASX to MP3 Converter 3.0.0. ...) NOT-FOR-US: Mini-stream CVE-2009-1323 (SQL injection vulnerability in body.asp in Web File Explorer 3.1 allow ...) NOT-FOR-US: Web File Explorer CVE-2009-1322 (ASP Product Catalog 1.0 stores sensitive information under the web roo ...) NOT-FOR-US: ASP Product Catalog CVE-2009-1321 (Cross-site scripting (XSS) vulnerability in search.asp in ASP Product ...) NOT-FOR-US: ASP Product Catalog CVE-2009-1320 (Multiple cross-site scripting (XSS) vulnerabilities in include/zstore. ...) NOT-FOR-US: Zazzle Store Builder CVE-2009-1319 (Directory traversal vulnerability in includes/ini.inc.php in GuestCal ...) NOT-FOR-US: GuestCal CVE-2009-1318 (Directory traversal vulnerability in index.php in Jamroom 3.1.2, 3.2.3 ...) NOT-FOR-US: Jamroom CVE-2009-1317 (Multiple SQL injection vulnerabilities in Aqua CMS 1.1, when magic_quo ...) NOT-FOR-US: Aqua CMS CVE-2009-1316 (Multiple SQL injection vulnerabilities in AbleSpace 1.0 allow remote a ...) NOT-FOR-US: AbleSpace CVE-2009-1315 (Multiple cross-site scripting (XSS) vulnerabilities in AbleSpace 1.0 a ...) NOT-FOR-US: Ablespace CVE-2009-1314 (body.asp in Web File Explorer 3.1 allows remote attackers to create ar ...) NOT-FOR-US: Web File Explorer CVE-2009-1313 (The nsTextFrame::ClearTextRun function in layout/generic/nsTextFrameTh ...) - xulrunner 1.9.0.10-1 (low) [etch] - xulrunner (introduced in 1.9.0.9) [lenny] - xulrunner (introduced in 1.9.0.9) CVE-2009-1312 (Mozilla Firefox before 3.0.9 and SeaMonkey 1.1.17 do not block javascr ...) {DSA-1797-1} - xulrunner 1.9.0.9-1 [etch] - xulrunner (Etch Packages no longer covered by security support) - kompozer (unimportant) NOTE: kompozer shares the browser engine with Firefox, but JavaScript is not enabled CVE-2009-1311 (Mozilla Firefox before 3.0.9 and SeaMonkey before 1.1.17 allow user-as ...) {DSA-1797-1} - xulrunner 1.9.0.9-1 [etch] - xulrunner (Etch Packages no longer covered by security support) - kompozer 1:0.8~alpha2+dfsg+svn129-3 CVE-2009-1310 (Cross-site scripting (XSS) vulnerability in the MozSearch plugin imple ...) {DSA-1886-1} - iceweasel 3.0.9-1 [etch] - iceweasel (Etch Packages no longer covered by security support) CVE-2009-1309 (Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey do not proper ...) {DSA-1797-1} - xulrunner 1.9.0.9-1 [etch] - xulrunner (Etch Packages no longer covered by security support) - kompozer (unimportant) NOTE: kompozer shares the browser engine with Firefox, but JavaScript is not enabled CVE-2009-1308 (Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.0 ...) {DSA-1797-1} - xulrunner 1.9.0.9-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-1307 (The view-source: URI implementation in Mozilla Firefox before 3.0.9, T ...) {DSA-1830-1 DSA-1797-1} - icedove 2.0.0.22-1 (bug #535124) [squeeze] - icedove 2.0.0.22-0lenny1 - xulrunner 1.9.0.9-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-1306 (The jar: URI implementation in Mozilla Firefox before 3.0.9, Thunderbi ...) {DSA-1797-1} - xulrunner 1.9.0.9-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-1305 (The JavaScript engine in Mozilla Firefox before 3.0.9, Thunderbird bef ...) {DSA-1797-1} - xulrunner 1.9.0.9-1 [etch] - xulrunner (Etch Packages no longer covered by security support) - kompozer (unimportant) NOTE: kompozer shares the browser engine with Firefox, but JavaScript is not enabled CVE-2009-1304 (The JavaScript engine in Mozilla Firefox 3.x before 3.0.9, Thunderbird ...) {DSA-1797-1} - xulrunner 1.9.0.9-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-1303 (The browser engine in Mozilla Firefox before 3.0.9, Thunderbird before ...) {DSA-1830-1 DSA-1797-1} - icedove 2.0.0.22-1 (bug #535124) [squeeze] - icedove 2.0.0.22-0lenny1 - xulrunner 1.9.0.9-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-1302 (The browser engine in Mozilla Firefox 3.x before 3.0.9, Thunderbird be ...) {DSA-1830-1 DSA-1797-1} - icedove 2.0.0.22-1 (bug #535124) [squeeze] - icedove 2.0.0.22-0lenny1 - xulrunner 1.9.0.9-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-1301 (Integer signedness error in the store_id3_text function in the ID3v2 c ...) - mpg123 1.7.2-1 (low) [etch] - mpg123 (Minor issue) [lenny] - mpg123 (Minor issue) NOTE: http://secunia.com/advisories/34587/3/ NOTE: unlike secunia states I can't see that this allows code execution but is just an invalid read NOTE: crashing the application CVE-2009-1300 (apt 0.7.20 does not check when the date command returns an "invalid da ...) {DSA-1779-1 DTSA-199-1} - apt 0.7.21 (bug #523213) CVE-2008-6726 (Multiple directory traversal vulnerabilities in CMScout 2.06, when reg ...) NOT-FOR-US: CMScout CVE-2008-6725 (Multiple SQL injection vulnerabilities in CMScout 2.06 allow remote au ...) NOT-FOR-US: CMScout CVE-2008-6724 (Cross-site scripting (XSS) vulnerability in index.pl in Perl Nopaste 1 ...) NOT-FOR-US: Perl Nopaste CVE-2009-1299 (The pa_make_secure_dir function in core-util.c in PulseAudio 0.9.10 an ...) {DSA-2017-1} - pulseaudio 0.9.21-1.1 (bug #573615) CVE-2009-1298 (The ip_frag_reasm function in net/ipv4/ip_fragment.c in the Linux kern ...) {DTSA-204-1} - linux-2.6 2.6.32-1 (low) [etch] - linux-2.6 (introduced in 2.6.29) [lenny] - linux-2.6 (introduced in 2.6.29) - linux-2.6.24 (introduced in 2.6.29) CVE-2009-1297 (iscsi_discovery in open-iscsi in SUSE openSUSE 10.3 through 11.1 and S ...) - open-iscsi 2.0.871-1 (low; bug #547011) [lenny] - open-iscsi 2.0.870~rc3-0.4.1 [etch] - open-iscsi (Vulnerable script not yet present) CVE-2009-1296 (The eCryptfs support utilities (ecryptfs-utils) 73-0ubuntu6.1 on Ubunt ...) - ecryptfs-utils 75-2 (unimportant; bug #532372) NOTE: this is a non-issue as the debian installer doesn't support per user NOTE: encrypted home directories with ecryptfs, so no passphrase is stored in the NOTE: installer logs on disk CVE-2009-1295 (Apport before 0.108.4 on Ubuntu 8.04 LTS, before 0.119.2 on Ubuntu 8.1 ...) NOT-FOR-US: Apport CVE-2009-1294 (Multiple cross-site scripting (XSS) vulnerabilities in web/guest/home ...) NOT-FOR-US: Novell Teaming CVE-2009-1293 (The web login functionality (c/portal/login) in Novell Teaming 1.0 thr ...) NOT-FOR-US: Novell Teaming CVE-2009-1292 (UCM-CQ in IBM Rational ClearCase 7.0.0.x before 7.0.0.5, 7.0.1.x befor ...) NOT-FOR-US: ClearCase CVE-2008-6723 (TurnkeyForms Entertainment Portal 2.0 allows remote attackers to bypas ...) NOT-FOR-US: TurnkeyForms CVE-2008-6722 (Novell Access Manager 3 SP4 does not properly expire X.509 certificate ...) NOT-FOR-US: Novell Access Manager CVE-2008-6721 (SQL injection vulnerability in index.php in AJ Square AJ Article allow ...) NOT-FOR-US: AJ Square AJ Article CVE-2009-1371 (The CLI_ISCONTAINED macro in libclamav/others.h in ClamAV before 0.95. ...) {DSA-1771-1} - clamav 0.95.1+dfsg-1 NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=1552 CVE-2009-1372 (Stack-based buffer overflow in the cli_url_canon function in libclamav ...) - clamav 0.95.1+dfsg-1 [etch] - clamav (vulnerable code not present) [lenny] - clamav (vulnerable code not present) NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=1552 CVE-2009-1291 (Stack-based buffer overflow in TIBCO SmartSockets before 6.8.2, SmartS ...) NOT-FOR-US: SmartSockets CVE-2009-1290 (Multiple cross-site request forgery (CSRF) vulnerabilities in the web ...) NOT-FOR-US: IBM BladeCenter CVE-2009-1289 (private/login.ssi in the Advanced Management Module (AMM) on the IBM B ...) NOT-FOR-US: IBM BladeCenter CVE-2009-1288 (Multiple cross-site scripting (XSS) vulnerabilities in the Advanced Ma ...) NOT-FOR-US: IBM BladeCenter CVE-2009-1287 (Cross-site scripting (XSS) vulnerability in Cisco Subscriber Edge Serv ...) NOT-FOR-US: Cisco Subscriber Edge Services Manager CVE-2009-1286 (The IMAP task in the server in IBM Lotus Domino 8.0.2 before FP1 IF1 a ...) NOT-FOR-US: IBM Lotus Domino CVE-2008-6720 (SQL injection vulnerability in admin/adm_login.php in DeltaScripts PHP ...) NOT-FOR-US: DeltaScripts PHP Links CVE-2008-6719 (U&M Software Event Lister (aka JustListIt) 1.0 does not require ad ...) NOT-FOR-US: Software Event Lister CVE-2008-6718 (U&M Software JustBookIt 1.0 does not require administrative authen ...) NOT-FOR-US: JustBookIt CVE-2008-6717 (U&M Software Signup 1.0 and 1.1 does not require administrative au ...) NOT-FOR-US: Software Signup CVE-2008-6716 (homeadmin/adminhome.php in Pre ADS Portal 2.0 and earlier does not req ...) NOT-FOR-US: Pre ADS Portal CVE-2008-6715 (Multiple cross-site scripting (XSS) vulnerabilities in Pre ADS Portal ...) NOT-FOR-US: Pre ADS Portal CVE-2009-1285 (Static code injection vulnerability in the getConfigFile function in s ...) - phpmyadmin 4:3.1.3.2-1 (unimportant; bug #524804) [etch] - phpmyadmin (Vulnerable code not present) [lenny] - phpmyadmin (Vulnerable code not present) CVE-2008-6714 (admin.php in xeCMS 1.0.0 RC2 and earlier allows remote attackers to by ...) NOT-FOR-US: xeCMS CVE-2008-6713 (World in Conflict (WIC) 1.008 and earlier allows remote attackers to c ...) NOT-FOR-US: World in Conflict CVE-2008-6712 (The HTTP/XML-RPC service in Crysis 1.21 (game version 1.1.1.6156) and ...) NOT-FOR-US: Crysis CVE-2008-6711 (Unspecified vulnerability in the Web administration interface in Avaya ...) NOT-FOR-US: Avaya Communication Manager CVE-2008-6710 (Unspecified vulnerability in the Web administration interface in Avaya ...) NOT-FOR-US: Avaya Communication Manager CVE-2008-6709 (Unspecified vulnerability in the Web management interface in Avaya SIP ...) NOT-FOR-US: Avaya SIP Enablement Services CVE-2008-6708 (Unspecified vulnerability in the Web management interface in Avaya SIP ...) NOT-FOR-US: Avaya SIP Enablement Services CVE-2008-6707 (The Web management interface in Avaya SIP Enablement Services (SES) 3. ...) NOT-FOR-US: Avaya SIP Enablement Services CVE-2008-6706 (Multiple unspecified vulnerabilities in the Web management interface i ...) NOT-FOR-US: Avaya SIP Enablement Services CVE-2008-6705 (The MultipacketReciever::RecievePacket function in S.T.A.L.K.E.R.: Sha ...) NOT-FOR-US: S.T.A.L.K.E.R.: Shadow of Chernobyl CVE-2008-6704 (Integer overflow in the NET_Compressor::Decompress function in S.T.A.L ...) NOT-FOR-US: S.T.A.L.K.E.R.: Shadow of Chernobyl CVE-2008-6703 (Stack-based buffer overflow in the IPureServer::_Recieve function in S ...) NOT-FOR-US: S.T.A.L.K.E.R.: Shadow of Chernobyl CVE-2008-6702 (S.T.A.L.K.E.R.: Shadow of Chernobyl 1.0006 and earlier allows remote a ...) NOT-FOR-US: S.T.A.L.K.E.R.: Shadow of Chernobyl CVE-2008-6701 (NetScout (formerly Network General) Visualizer V2100 and InfiniStream ...) NOT-FOR-US: NetScout Visualizer CVE-2008-6700 (Multiple cross-site scripting (XSS) vulnerabilities in Butterfly Organ ...) NOT-FOR-US: Butterfly Organizer CVE-2008-6699 (Cross-site scripting (XSS) vulnerability in Resource Library (tjs_resl ...) NOT-FOR-US: Resource Library extension for TYPO3 CVE-2008-6698 (Cross-site scripting (XSS) vulnerability in TARGET-E WorldCup Bets (wo ...) NOT-FOR-US: WorldCup Bets extension for TYPO3 CVE-2008-6697 (SQL injection vulnerability in TARGET-E WorldCup Bets (worldcup) 2.0.0 ...) NOT-FOR-US: WorldCup Bets extension for TYPO3 CVE-2008-6696 (SQL injection vulnerability in Fussballtippspiel (toto) 0.1.1 and earl ...) NOT-FOR-US: Fussballtippspiel extension for TYPO3 CVE-2008-6695 (SQL injection vulnerability in TIMTAB social bookmark icons (timtab_so ...) NOT-FOR-US: TIMTAB social bookmark icons extension for TYPO3 CVE-2008-6694 (SQL injection vulnerability in Random Prayer (ste_prayer) 0.0.1 for TY ...) NOT-FOR-US: Random Prayer extension for TYPO3 CVE-2008-6693 (SQL injection vulnerability in Download system (sb_downloader) extensi ...) NOT-FOR-US: Download system extension for TYPO3 CVE-2008-6692 (SQL injection vulnerability in Diocese of Portsmouth Training Courses ...) NOT-FOR-US: Training Courses extension for TYPO3 CVE-2008-6691 (SQL injection vulnerability in Diocese of Portsmouth Calendar Today (p ...) NOT-FOR-US: Calendar Today extension for TYPO3 CVE-2008-6690 (Unspecified vulnerability in nepa-design.de Spam Protection (nd_antisp ...) NOT-FOR-US: Spam Protection extension for TYPO3 CVE-2008-6689 (SQL injection vulnerability in JobControl (dmmjobcontrol) 1.15.0 and e ...) NOT-FOR-US: JobControl extension for TYPO3 CVE-2008-6688 (Cross-site scripting (XSS) vulnerability in JobControl (dmmjobcontrol) ...) NOT-FOR-US: JobControl extension for TYPO3 CVE-2008-6687 (Cross-site scripting (XSS) vulnerability in DCD GoogleMap (dcdgooglema ...) NOT-FOR-US: DCD GoogleMap extension for TYPO3 CVE-2008-6686 (SQL injection vulnerability in CoolURI (cooluri) 1.0.11 and earlier ex ...) NOT-FOR-US: CoolURI extension for TYPO3 CVE-2008-6685 (Unspecified vulnerability in Frontend Filemanager (air_filemanager) 0. ...) NOT-FOR-US: Frontend Filemanager extension for TYPO3 CVE-2008-6684 (Unrestricted file upload vulnerability in editimage.php in Apartment S ...) NOT-FOR-US: Apartment Search Script CVE-2008-6683 (Cross-site scripting (XSS) vulnerability in listtest.php in Apartment ...) NOT-FOR-US: Apartment Search Script CVE-2009-1284 (Buffer overflow in BibTeX 0.99 allows context-dependent attackers to c ...) - texlive-bin 2009-1 (low; bug #520920) [etch] - texlive-bin (Minor issue) [lenny] - texlive-bin 2007.dfsg.2-4+lenny2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=492136 CVE-2009-1283 (glFusion before 1.1.3 performs authentication with a user-provided pas ...) NOT-FOR-US: glFusion CVE-2009-1282 (SQL injection vulnerability in private/system/lib-session.php in glFus ...) NOT-FOR-US: glFusion CVE-2009-1281 (Cross-site scripting (XSS) vulnerability in glFusion before 1.1.3 allo ...) NOT-FOR-US: glFusion CVE-2009-1280 (Multiple cross-site request forgery (CSRF) vulnerabilities in the com_ ...) NOT-FOR-US: Joomla! CVE-2009-1279 (Multiple cross-site scripting (XSS) vulnerabilities in Joomla! 1.5 thr ...) NOT-FOR-US: Joomla! CVE-2009-1278 (Static code injection vulnerability in forms/ajax/configure.php in Gra ...) NOT-FOR-US: Gravity Board CVE-2009-1277 (SQL injection vulnerability in index.php in Gravity Board X (GBX) 2.0 ...) NOT-FOR-US: Gravity Board CVE-2009-1276 (XScreenSaver in Sun Solaris 10 and OpenSolaris before snv_109, and Sol ...) NOT-FOR-US: Sun Solaris CVE-2009-1275 (Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other prod ...) - tiles 2.2.0-1 CVE-2008-6682 (Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2 ...) - libstruts1.2-java (Only affects Struts 2) CVE-2008-6681 (Cross-site scripting (XSS) vulnerability in dijit.Editor in Dojo befor ...) NOT-FOR-US: Dojo CVE-2007-6726 (Multiple cross-site scripting (XSS) vulnerabilities in Dojo 0.4.1 and ...) NOT-FOR-US: Dojo CVE-2009-1273 (pam_ssh 1.92 and possibly other versions, as used when PAM is compiled ...) - libpam-ssh 1.92-7 (low; bug #535877) [etch] - libpam-ssh (Minor issue) [lenny] - libpam-ssh 1.91.0-9.3+lenny1 CVE-2009-1272 (The php_zip_make_relative_path function in php_zip.c in PHP 5.2.x befo ...) {DTSA-188-1} - php5 5.2.6.dfsg.1-3 [etch] - php5 (this is caused by the fix for CVE-2008-5658, which was not applied to php4) - php4 (this is caused by the fix for CVE-2008-5658, which was not applied to php4) CVE-2009-1271 (The JSON_parser function (ext/json/JSON_parser.c) in PHP 5.2.x before ...) {DSA-1789-1 DSA-1775-1} - php5 5.2.9.dfsg.1-1 - php4 (the JSON extension was introduced in php5.2) - php-json-ext CVE-2009-1269 (Unspecified vulnerability in Wireshark 0.99.6 through 1.0.6 allows rem ...) {DSA-1785-1} - wireshark 1.0.7-1 (low) [etch] - wireshark (Vulnerable code not present; introduced in 0.99.6) CVE-2009-1268 (The Check Point High-Availability Protocol (CPHAP) dissector in Wiresh ...) {DSA-1785-1} - wireshark 1.0.7-1 (low) [etch] - wireshark 0.99.4-5.etch.4 CVE-2009-1267 (Unspecified vulnerability in the LDAP dissector in Wireshark 0.99.2 th ...) - wireshark (Only affects Wireshark on Windows) CVE-2009-1266 (Unspecified vulnerability in Wireshark before 1.0.7 has unknown impact ...) NOTE: Dupe of CVE-2009-1210 CVE-2009-1265 (Integer overflow in rose_sendmsg (sys/net/af_rose.c) in the Linux kern ...) {DSA-1800-1 DSA-1794-1 DSA-1787-1} - linux-2.6 2.6.29-4 - linux-2.6.24 CVE-2009-1264 (Frontend User Registration (sr_feuser_register) extension 2.5.20 and e ...) NOT-FOR-US: Frontend User Registration (sr_feuser_register) extension CVE-2009-1263 (SQL injection vulnerability in sub_commententry.php in the BookJoomlas ...) NOT-FOR-US: Joomla! CVE-2009-1262 (Format string vulnerability in Fortinet FortiClient 3.0.614, and possi ...) NOT-FOR-US: Fortinet FortiClient CVE-2009-1261 (Multiple cross-site scripting (XSS) vulnerabilities in Web Help Desk 9 ...) NOT-FOR-US: Web Help Desk CVE-2009-1260 (Multiple stack-based buffer overflows in UltraISO 9.3.3.2685 and earli ...) NOT-FOR-US: UltraISO CVE-2009-1259 (SQL injection vulnerability in inc/bb/topic.php in Insane Visions Adap ...) NOT-FOR-US: Insane Visions AdaptBB CVE-2009-1258 (SQL injection vulnerability in the RD-Autos (com_rdautos) component 1. ...) NOT-FOR-US: Joomla! CVE-2009-1257 (Heap-based buffer overflow in Magic ISO Maker 5.5 build 0274 allows re ...) NOT-FOR-US: Magic ISO Maker CVE-2009-1256 (SQL injection vulnerability in FlexCMS 2.5 allows remote attackers to ...) NOT-FOR-US: FlexCMS CVE-2009-1255 (The process_stat function in (1) Memcached before 1.2.8 and (2) Memcac ...) - memcached 1.2.8-1 (low) [etch] - memcached (Minor issue) [lenny] - memcached (Minor issue) [squeeze] - memcached (Minor issue) - memcachedb 1.2.0-3 (low; bug #527330) [squeeze] - memcachedb (Minor issue) NOTE: why are weaknesses in security hardening features like ASLR considered minor? NOTE: even though this is not directly a vulnerability itself, part of this application's armor is now missing; making it easier for unknown vulnerabilities to be effective. CVE-2008-6679 (Buffer overflow in the BaseFont writer module in Ghostscript 8.62, and ...) {DSA-2080-1} - ghostscript 8.64~dfsg-1 (medium; bug #524803) - gs-gpl (medium; bug #561717) CVE-2008-6678 (SQL injection vulnerability in asp/includes/contact.asp in QuickerSite ...) NOT-FOR-US: QuickerSite CVE-2008-6677 (Unrestricted file upload vulnerability in fckeditor251/editor/filemana ...) NOT-FOR-US: QuickerSite CVE-2008-6676 (QuickerSite 1.8.5 allows remote attackers to obtain sensitive informat ...) NOT-FOR-US: QuickerSite CVE-2008-6675 (Multiple cross-site scripting (XSS) vulnerabilities in QuickerSite 1.8 ...) NOT-FOR-US: QuickerSite CVE-2008-6674 (mailPage.asp in QuickerSite 1.8.5 allows remote attackers to flood e-m ...) NOT-FOR-US: QuickerSite CVE-2008-6673 (asp/bs_login.asp in QuickerSite 1.8.5 does not properly restrict acces ...) NOT-FOR-US: QuickerSite CVE-2008-6672 (Vertex4 SunAge 1.08.1 and earlier allows remote attackers to cause a d ...) NOT-FOR-US: Vertex4 SunAge CVE-2008-6671 (Vertex4 SunAge 1.08.1 and earlier allows remote attackers to cause a d ...) NOT-FOR-US: Vertex4 SunAge CVE-2008-6670 (Integer overflow in Vertex4 SunAge 1.08.1 and earlier allows remote at ...) NOT-FOR-US: Vertex4 SunAge CVE-2008-6669 (viewrq.php in nweb2fax 0.2.7 and earlier allows remote attackers to ex ...) NOT-FOR-US: nweb2fax CVE-2008-6668 (Multiple directory traversal vulnerabilities in nweb2fax 0.2.7 and ear ...) NOT-FOR-US: nweb2fax CVE-2008-6667 (A+ PHP Scripts News Management System (NMS) allows remote attackers to ...) NOT-FOR-US: A+ PHP Scripts News Management System (NMS) CVE-2008-6666 (Multiple cross-site scripting (XSS) vulnerabilities in Kronos webTA al ...) NOT-FOR-US: Kronos webTA CVE-2008-6665 (change.php in Ananta CMS 1.0b5, with magic_quotes_gpc disabled, allows ...) NOT-FOR-US: Ananta CMS CVE-2008-6664 (action.php in SH-News 3.0 allows remote attackers to bypass authentica ...) NOT-FOR-US: SH-News CVE-2008-6663 (SQL injection vulnerability in profile.php in PHPAuctions.info PHPAuct ...) NOT-FOR-US: PHPAuctions CVE-2008-6662 (AVG Anti-Virus for Linux 7.5.51, and possibly earlier, allows remote a ...) NOT-FOR-US: AVG Anti-Virus CVE-2008-6661 (Multiple integer overflows in the scanning engine in Bitdefender for L ...) NOT-FOR-US: Bitdefender CVE-2008-6660 (Unrestricted file upload vulnerability in bigdump.php in Alexey Ozerov ...) NOT-FOR-US: Alexey Ozerov BigDump CVE-2008-6659 (Directory traversal vulnerability in index.php in Simple Machines Foru ...) NOT-FOR-US: Simple Machines Forum CVE-2008-6658 (Directory traversal vulnerability in index.php in Simple Machines Foru ...) NOT-FOR-US: Simple Machines Forum CVE-2008-6657 (Cross-site request forgery (CSRF) vulnerability in index.php in Simple ...) NOT-FOR-US: Simple Machines Forum CVE-2007-6725 (The CCITTFax decoding filter in Ghostscript 8.60, 8.61, and possibly o ...) {DSA-2080-1} - ghostscript 8.63.dfsg.1-1 (medium; bug #524803) - gs-gpl (medium; bug #561717) CVE-2008-6680 (libclamav/pe.c in ClamAV before 0.95 allows remote attackers to cause ...) {DSA-1771-1} - clamav 0.95.1+dfsg-1 (medium; bug #523016) CVE-2009-1270 (libclamav/untar.c in ClamAV before 0.95 allows remote attackers to cau ...) {DSA-1771-1} - clamav 0.95.1+dfsg-1 (medium; bug #523016) CVE-2009-1254 (James Stone Tunapie 2.1 allows remote attackers to execute arbitrary c ...) {DSA-1764-1} - tunapie 2.1.17-1 CVE-2009-1253 (James Stone Tunapie 2.1 allows local users to overwrite arbitrary file ...) {DSA-1764-1} - tunapie 2.1.17-1 CVE-2009-1252 (Stack-based buffer overflow in the crypto_recv function in ntp_crypto. ...) {DSA-1801-1} - ntp 1:4.2.4p6+dfsg-2 (high; bug #525373) NOTE: VU#853097 CVE-2009-1251 (Heap-based buffer overflow in the cache manager in the client in OpenA ...) {DSA-1768-1} - openafs 1.4.10+dfsg1-1 CVE-2009-1250 (The cache manager in the client in OpenAFS 1.0 through 1.4.8 and 1.5.0 ...) {DSA-1768-1} - openafs 1.4.10+dfsg1-1 [etch] - openafs 1.4.2-6etch3 CVE-2009-1249 (Cross-site scripting (XSS) vulnerability in Feed element mapper 5.x be ...) NOT-FOR-US: Feed element mapper for Drupal CVE-2009-1248 (Multiple PHP remote file inclusion vulnerabilities in Acute Control Pa ...) NOT-FOR-US: Acute Control Panel CVE-2009-1247 (SQL injection vulnerability in login.php in Acute Control Panel 1.0.0 ...) NOT-FOR-US: Acute Control Panel CVE-2009-1246 (Multiple directory traversal vulnerabilities in Blogplus 1.0 allow rem ...) NOT-FOR-US: Blogplus CVE-2009-1245 (Multiple SQL injection vulnerabilities in the insert_to_pastebin funct ...) NOT-FOR-US: CCCP Community Clan Portal Pastebin CVE-2009-1244 (Unspecified vulnerability in the virtual machine display function in V ...) NOT-FOR-US: VMware CVE-2009-1243 (net/ipv4/udp.c in the Linux kernel before 2.6.29.1 performs an unlocki ...) - linux-2.6 (Issue was introduced after 2.6.27 release) - linux-2.6.24 (Issue was introduced after 2.6.27 release) CVE-2009-1242 (The vmx_set_msr function in arch/x86/kvm/vmx.c in the VMX implementati ...) {DSA-1800-1 DSA-1787-1} - linux-2.6 2.6.30-1 [etch] - linux-2.6 (Doesn't include KVM yet) - linux-2.6.24 CVE-2008-6656 (Multiple SQL injection vulnerabilities in Open Auto Classifieds 1.4.3b ...) NOT-FOR-US: Open Auto Classifieds CVE-2008-6655 (Multiple cross-site scripting (XSS) vulnerabilities in GEDCOM_TO_MYSQL ...) NOT-FOR-US: GEDCOM_TO_MYSQL CVE-2008-6654 (Cross-site scripting (XSS) vulnerability in search_results.php in Info ...) NOT-FOR-US: InfoBiz Server CVE-2008-6653 (SQL injection vulnerability in webhosting.php in the Webhosting Compon ...) NOT-FOR-US: Joomla! CVE-2008-6652 (SQL injection vulnerability in asd.php in OneCMS 2.5 allows remote att ...) NOT-FOR-US: OneCMS CVE-2008-6651 (Static code injection vulnerability in edithistory.php in OxYProject O ...) NOT-FOR-US: OxYProject OxYBox CVE-2008-6650 (del.php in miniBloggie 1.0 allows remote attackers to delete arbitrary ...) NOT-FOR-US: miniBloggie CVE-2008-6649 (SQL injection vulnerability in manager/image_details_editor.php in Kto ...) NOT-FOR-US: Ktools PhotoStore CVE-2008-6648 (SQL injection vulnerability in crumbs.php in Ktools PhotoStore 3.4.3 a ...) NOT-FOR-US: Ktools PhotoStore CVE-2008-6647 (SQL injection vulnerability in gallery.php in Ktools PhotoStore 3.4.3 ...) NOT-FOR-US: Ktools PhotoStore CVE-2008-6646 (Cross-site scripting (XSS) vulnerability in index.php in CoronaMatrix ...) NOT-FOR-US: CoronaMatrix phpAddressBook CVE-2008-6645 (Cross-site scripting (XSS) vulnerability in Opencosmo VisualSentinel 0 ...) NOT-FOR-US: Opencosmo VisualSentinel CVE-2008-6644 (Cross-site scripting (XSS) vulnerability in Default.aspx in DotNetNuke ...) NOT-FOR-US: DotNetNuke CVE-2008-6643 (LokiCMS 0.3.4 and possibly earlier versions does not properly restrict ...) NOT-FOR-US: LokiCMS CVE-2008-6642 (SQL injection vulnerability in view.php in DotContent FluentCMS 4.x al ...) NOT-FOR-US: DotContent FluentCMS CVE-2008-6641 (Multiple SQL injection vulnerabilities in Shader TV (Beta) allow remot ...) NOT-FOR-US: Shader TV CVE-2008-6640 (Multiple SQL injection vulnerabilities in BatmanPorTaL allow remote at ...) NOT-FOR-US: BatmanPorTaL CVE-2008-6639 (Cross-site request forgery (CSRF) vulnerability in admin.php in AjaXpl ...) - ajaxplorer (bug #668381) CVE-2008-6638 (Insecure method vulnerability in the Versalsoft HTTP Image Uploader Ac ...) NOT-FOR-US: Versalsoft HTTP Image Uploader ActiveX CVE-2008-6637 (Multiple cross-site scripting (XSS) vulnerabilities in forgotPW.php in ...) NOT-FOR-US: Library Video Company SAFARI Montage CVE-2008-6636 (PHP remote file inclusion vulnerability in skins/default.php in Geody ...) NOT-FOR-US: Geody Labs Dagger CVE-2008-6635 (PHP remote file inclusion vulnerability in skins/default.php in Geody ...) NOT-FOR-US: Geody Labs Dagger CVE-2008-6634 (SQL injection vulnerability in RoomPHPlanning 1.5 allows remote attack ...) NOT-FOR-US: RoomPHPlanning CVE-2008-6633 (SQL injection vulnerability in RoomPHPlanning 1.5 allows remote attack ...) NOT-FOR-US: RoomPHPlanning CVE-2008-6632 (SQL injection vulnerability in func/login.php in MercuryBoard 1.1.5 an ...) NOT-FOR-US: MercuryBoard CVE-2008-6631 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Bl ...) NOT-FOR-US: BlogPHP CVE-2008-6630 (Directory traversal vulnerability in the wt_gallery extension 2.5.0 an ...) NOT-FOR-US: wt_gallery extension for TYPO3 CVE-2008-6629 (Cross-site scripting (XSS) vulnerability in detail.php in WEBBDOMAIN M ...) NOT-FOR-US: WEBBDOMAIN Multi Languages WebShop Online CVE-2008-6628 REJECTED CVE-2008-6627 (SQL injection vulnerability in getin.php in WEBBDOMAIN WebShop 1.2, 1. ...) NOT-FOR-US: WEBBDOMAIN Multi Languages WebShop Online CVE-2008-6626 (SQL injection vulnerability in getin.php in WEBBDOMAIN Quiz 1.02 and e ...) NOT-FOR-US: WEBBDOMAIN Multi Languages WebShop Online CVE-2008-6625 (SQL injection vulnerability in getin.php in WEBBDOMAIN Polls (aka Poll ...) NOT-FOR-US: WEBBDOMAIN Multi Languages WebShop Online CVE-2008-6624 (SQL injection vulnerability in getin.php in WEBBDOMAIN Petition 1.02, ...) NOT-FOR-US: WEBBDOMAIN Multi Languages WebShop Online CVE-2008-6623 (SQL injection vulnerability in getin.php in WEBBDOMAIN Post Card (aka ...) NOT-FOR-US: WEBBDOMAIN Multi Languages WebShop Online CVE-2008-6622 (SQL injection vulnerability in choosecard.php in WEBBDOMAIN Post Card ...) NOT-FOR-US: WEBBDOMAIN Multi Languages WebShop Online CVE-2008-6621 (Unspecified vulnerability in GraphicsMagick before 1.2.3 allows remote ...) {DSA-1903-1} - graphicsmagick 1.2.3-1 CVE-2008-6620 (Multiple cross-site scripting (XSS) vulnerabilities in javascript/edit ...) NOT-FOR-US: GraFX miniCWB CVE-2008-6619 (Unrestricted file upload vulnerability in class/ApplyDB.php in ClassSy ...) NOT-FOR-US: ClassSystem CVE-2008-6618 (Multiple SQL injection vulnerabilities in ClassSystem 2.3 allow remote ...) NOT-FOR-US: ClassSystem CVE-2008-6617 (Unrestricted file upload vulnerability in adm/visual/upload.php in Sit ...) NOT-FOR-US: SiteXS CMS CVE-2008-6616 (Cross-site scripting (XSS) vulnerability in index.php in Zen Software ...) NOT-FOR-US: Zen Software Zen Cart CVE-2008-6615 (SQL injection vulnerability in index.php in Zen Software Zen Cart 2008 ...) NOT-FOR-US: Zen Software Zen Cart CVE-2008-6614 (Multiple SQL injection vulnerabilities in microcms-admin-login.php in ...) NOT-FOR-US: Micro CMS CVE-2008-6613 (uploader.php in minimal-ablog 0.4 does not properly restrict access, w ...) NOT-FOR-US: minimal-ablog CVE-2008-6612 (Unrestricted file upload vulnerability in admin/uploader.php in Minima ...) NOT-FOR-US: minimal-ablog CVE-2008-6611 (SQL injection vulnerability in index.php in Minimal ABlog 0.4 allows r ...) NOT-FOR-US: minimal-ablog CVE-2008-6610 (Absolute path traversal vulnerability in phpcksec.php in Stefan Ott ph ...) NOT-FOR-US: phpcksec CVE-2008-6609 (Cross-site scripting (XSS) vulnerability in phpcksec.php in Stefan Ott ...) NOT-FOR-US: phpcksec CVE-2008-6608 (Multiple SQL injection vulnerabilities in DevelopItEasy Events Calenda ...) NOT-FOR-US: DevelopItEasy Events Calendar CVE-2008-6607 (Cross-site scripting (XSS) vulnerability in view.php in MatPo Link 1.2 ...) NOT-FOR-US: MatPo Link CVE-2008-6606 (SQL injection vulnerability in view.php in MatPo Link 1.2 Beta allows ...) NOT-FOR-US: MatPo Link CVE-2008-6605 (Cross-site request forgery (CSRF) vulnerability in the xslt script in ...) NOT-FOR-US: 2wire CVE-2009-1241 (Unspecified vulnerability in ClamAV before 0.95 allows remote attacker ...) - clamav 0.95+dfsg-1 (medium; bug #526042) [etch] - clamav (debian package does not use the rar code in clamav at the current time) [lenny] - clamav (debian package does not use the rar code in clamav at the current time) CVE-2009-1240 (Unspecified vulnerability in the IBM Proventia engine 4.9.0.0.44 20081 ...) NOT-FOR-US: IBM Proventia CVE-2009-1239 (IBM DB2 9.1 before FP7 returns incorrect query results in certain situ ...) NOT-FOR-US: IBM DB2 CVE-2008-6604 (Directory traversal vulnerability in index.php in PicoFlat CMS 0.5.9 a ...) NOT-FOR-US: PicoFlat CMS CVE-2008-6603 (MoinMoin 1.6.2 and 1.7 does not properly enforce ACL checks when acl_h ...) - moin 1.7.1-1 (low) [etch] - moin (Vulnerable code not present) CVE-2008-6602 (Unspecified vulnerability in Download Center Lite before 2.1 has unkno ...) NOT-FOR-US: Download Center Lite CVE-2008-6601 (Unspecified vulnerability in Epona 1.5rc3 allows remote attackers to o ...) NOT-FOR-US: Epona CVE-2008-6600 (Cross-site scripting (XSS) vulnerability in the search feature in XMLP ...) NOT-FOR-US: XMLPortal CVE-2008-6599 (cookiecheck.php in CookieCheck 1.0 stores tmp/cc_sessions under the we ...) NOT-FOR-US: CookieCheck CVE-2008-6598 (Multiple race conditions in WANPIPE before 3.3.6 have unknown impact a ...) NOT-FOR-US: WANPIPE CVE-2008-6597 (Cross-site scripting (XSS) vulnerability in upload/install/index.php i ...) NOT-FOR-US: PHCDownload CVE-2008-6596 (SQL injection vulnerability in admin/index.php in PHCDownload 1.1 allo ...) NOT-FOR-US: PHCDownload CVE-2008-6595 (SQL injection vulnerability in the pmk_rssnewsexport extension for TYP ...) NOT-FOR-US: pmk_rssnewsexport extension for TYPO3 CVE-2008-6594 (SQL injection vulnerability in the cm_rdfexport extension for TYPO3 al ...) NOT-FOR-US: 3dparty typo3 extension CVE-2008-6593 (SQL injection vulnerability in LightNEasy/lightneasy.php in LightNEasy ...) NOT-FOR-US: LightNEasy SQLite CVE-2008-6592 (thumbsup.php in Thumbs-Up 1.12, as used in LightNEasy "no database" (a ...) NOT-FOR-US: LightNEasy SQLite CVE-2008-6591 (LightNEasy "no database" (aka flat) version 1.2.2, and possibly SQLite ...) NOT-FOR-US: LightNEasy SQLite CVE-2008-6590 (Multiple directory traversal vulnerabilities in LightNEasy "no databas ...) NOT-FOR-US: LightNEasy SQLite CVE-2008-6589 (Multiple cross-site scripting (XSS) vulnerabilities in LightNEasy "no ...) NOT-FOR-US: LightNEasy SQLite CVE-2008-6588 (Aztech ADSL2/2+ 4-port router has a default "isp" account with a defau ...) NOT-FOR-US: Aztech port router CVE-2008-6587 (Cross-site request forgery (CSRF) vulnerability in index.tmpl in Vuze ...) NOT-FOR-US: Azureus HTML WebUI CVE-2008-6586 (Cross-site request forgery (CSRF) vulnerability in gui/index.php in &# ...) NOT-FOR-US: ?Torrent (uTorrent) WebUI CVE-2008-6585 (Cross-site request forgery (CSRF) vulnerability in html/admin.php in T ...) - torrentflux (Debian packaging uses a different directory layout, see bug #531614) CVE-2008-6584 (html/index.php in TorrentFlux 2.3 allows remote authenticated users to ...) - torrentflux (Debian packaging uses a different directory layout, see bug #531614) CVE-2008-6583 (Buffer overflow in BS.player 2.27 build 959 allows remote attackers to ...) NOT-FOR-US: BS.player CVE-2009-1274 (Integer overflow in the qt_error parse_trak_atom function in demuxers/ ...) - xine-lib 1.1.16.3-1 (medium; bug #522811) - vlc (affected part of xine-lib code not present) CVE-2009-1238 (Race condition in the HFS vfs sysctl interface in XNU 1228.8.20 and ea ...) NOT-FOR-US: Mac OS X CVE-2009-1237 (Multiple memory leaks in XNU 1228.3.13 and earlier on Apple Mac OS X 1 ...) NOT-FOR-US: Mac OS X CVE-2009-1236 (Heap-based buffer overflow in the AppleTalk networking stack in XNU 12 ...) NOT-FOR-US: Mac OS X CVE-2009-1235 (XNU 1228.9.59 and earlier on Apple Mac OS X 10.5.6 and earlier does no ...) NOT-FOR-US: Mac OS X CVE-2009-1234 (Opera 9.64 allows remote attackers to cause a denial of service (appli ...) NOT-FOR-US: Opera CVE-2009-1233 (Apple Safari 3.2.2 and 4 Beta on Windows allows remote attackers to ca ...) NOT-FOR-US: Safari on Windows CVE-2009-1232 (Mozilla Firefox 3.0.8 and earlier 3.0.x versions allows remote attacke ...) - xulrunner (unimportant) NOTE: Browser crashes not treated as security issues CVE-2009-1231 (Unspecified vulnerability in the eClient in IBM DB2 Content Manager 8. ...) NOT-FOR-US: DB2 CVE-2009-1230 (Static code injection vulnerability in index.php in Podcast Generator ...) NOT-FOR-US: Podcast Generator CVE-2009-1229 (SQL injection vulnerability in Arcadwy Arcade Script allows remote att ...) NOT-FOR-US: Arcadwy Arcade Script CVE-2009-1228 (Cross-site scripting (XSS) vulnerability in register.php in Arcadwy Ar ...) NOT-FOR-US: Arcadwy Arcade Script CVE-2009-1227 NOT-FOR-US: Check Point CVE-2009-1226 (core/admin/delete.php in Podcast Generator 1.1 and earlier does not pr ...) NOT-FOR-US: Podcast Generator CVE-2009-1225 (Cross-site scripting (XSS) vulnerability in index.php in Turnkey Ebook ...) NOT-FOR-US: Turnkey Ebook Store CVE-2009-1224 (SQL injection vulnerability in vsp-core/pub/themes/bismarck/gamestat.p ...) NOT-FOR-US: vsp stats processor CVE-2009-1223 (aspWebCalendar Free Edition stores sensitive information under the web ...) NOT-FOR-US: aspWebCalendar Free Edition CVE-2009-1222 (Directory traversal vulnerability in index.php in webEdition 6.0.0.4 a ...) NOT-FOR-US: webEdition CVE-2008-6582 (SQL injection vulnerability in index.php in Miniweb 2.0 allows remote ...) NOT-FOR-US: Miniweb CVE-2008-6581 (login.php in PhpAddEdit 1.3 allows remote attackers to bypass authenti ...) NOT-FOR-US: PhpAddEdit CVE-2008-6580 (The Red_Reservations script for ColdFusion stores sensitive informatio ...) NOT-FOR-US: ColdFusion CVE-2003-1571 (Web Wiz Guestbook 6.0 stores sensitive information under the web root ...) NOT-FOR-US: Web Wiz Guestbook CVE-2009-1221 RESERVED CVE-2009-1220 (Cross-site scripting (XSS) vulnerability in +webvpn+/index.html in Web ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2009-1219 (Sun Calendar Express Web Server in Sun ONE Calendar Server 6.0 and Sun ...) NOT-FOR-US: Sun Calendar Express Web Server CVE-2009-1218 (Multiple cross-site scripting (XSS) vulnerabilities in Sun Calendar Ex ...) NOT-FOR-US: Sun Calendar Express Web Server CVE-2009-1217 (Off-by-one error in the GpFont::SetData function in gdiplus.dll in Mic ...) NOT-FOR-US: Windows GDI+ CVE-2009-1216 (Multiple unspecified vulnerabilities in (1) unlzh.c and (2) unpack.c i ...) NOTE: Duplicate of CVE-2006-4335, confirmed by Microsoft. They're working on NOTE: getting it rejected CVE-2008-6579 (Nortel Communication Server 1000 4.50.x allows remote attackers to obt ...) NOT-FOR-US: Nortel Communication Server CVE-2008-6578 (Multiple unspecified vulnerabilities in Nortel Communication Server 10 ...) NOT-FOR-US: Nortel Communication Server CVE-2008-6577 (Nortel MG1000S, Signaling Server, and Call Server on the Communication ...) NOT-FOR-US: Nortel appliances CVE-2008-6576 (Unspecified vulnerability in the "session limitation technique" in the ...) NOT-FOR-US: Nortel Communication Server CVE-2008-6575 (Unspecified vulnerability in the SIP server in SIP Enablement Services ...) NOT-FOR-US: Avaya Communication Manager CVE-2008-6574 (Unspecified vulnerability in SIP Enablement Services (SES) in Avaya Co ...) NOT-FOR-US: Avaya Communication Manager CVE-2008-6573 (Multiple SQL injection vulnerabilities in Avaya SIP Enablement Service ...) NOT-FOR-US: Avaya Communication Manager CVE-2009-1215 (Race condition in GNU screen 4.0.3 allows local users to create or ove ...) - screen 4.0.3-13 (low; bug #521123) [etch] - screen (etch version predates #433338) [lenny] - screen 4.0.3-11+lenny1 CVE-2009-1214 (GNU screen 4.0.3 creates the /tmp/screen-exchange temporary file with ...) - screen 4.0.3-13 (bug #521123) [lenny] - screen 4.0.3-11+lenny1 NOTE: documented behaviour "or the public accessible screen-exchange", see man screen CVE-2009-1213 (Cross-site request forgery (CSRF) vulnerability in attachment.cgi in B ...) - bugzilla 3.2.4.0-1 (low; bug #514143) [etch] - bugzilla (Minor issue) [lenny] - bugzilla (Minor issue) NOTE: should this really be considered minor? see fedora bug and FSA: NOTE: - https://bugzilla.redhat.com/show_bug.cgi?id=494398 NOTE: - https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00191.html CVE-2009-1212 (Multiple insecure method vulnerabilities in PRECIS~2.DLL in the Precis ...) NOT-FOR-US: PrecisionID Datamatrix ActiveX control CVE-2009-1211 (Blue Coat ProxySG, when transparent interception mode is enabled, uses ...) NOT-FOR-US: Blue Coat ProxySG CVE-2009-1210 (Format string vulnerability in the PROFINET/DCP (PN-DCP) dissector in ...) {DSA-1785-1} - wireshark 1.0.7-1 (low) [etch] - wireshark (Vulnerable code not present, introduced in 0.99.6) CVE-2009-1209 (Stack-based buffer overflow in W3C Amaya Web Browser 11.1 allows remot ...) - amaya CVE-2009-1208 (SQL injection vulnerability in auth2db 0.2.5, and possibly other versi ...) {DSA-1757-1} - auth2db 0.2.5-2+dfsg-1.1 (bug #521823; low) CVE-2009-1207 (Race condition in the dircmp script in Sun Solaris 8 through 10, and O ...) NOT-FOR-US: Solaris CVE-2009-1206 (Unspecified vulnerability in futomi's CGI Cafe Access Analyzer CGI Pro ...) NOT-FOR-US: Cafe Access Analyzer CGI Professional CVE-2009-1205 REJECTED CVE-2009-1204 (Cross-site scripting (XSS) vulnerability in TikiWiki (Tiki) CMS/Groupw ...) - tikiwiki CVE-2009-1203 (WebVPN on the Cisco Adaptive Security Appliances (ASA) device with sof ...) NOT-FOR-US: Cisco CVE-2009-1202 (WebVPN on the Cisco Adaptive Security Appliances (ASA) device with sof ...) NOT-FOR-US: Cisco CVE-2009-1201 (Eval injection vulnerability in the csco_wrap_js function in /+CSCOL+/ ...) NOT-FOR-US: Cisco CVE-2009-1200 RESERVED CVE-2009-1199 RESERVED CVE-2009-1198 (Cross-site scripting (XSS) vulnerability in Apache jUDDI before 2.0 al ...) NOT-FOR-US: Apache jUDDI CVE-2009-1197 (Apache jUDDI before 2.0 allows attackers to spoof entries in log files ...) NOT-FOR-US: Apache jUDDI CVE-2009-1196 (The directory-services functionality in the scheduler in CUPS 1.1.17 a ...) - cups 1.1.99.b1.r4748-1 - cupsys [etch] - cupsys 1.1.99.b1.r4748-1 CVE-2009-1195 (The Apache HTTP Server 2.2.11 and earlier 2.2 versions does not proper ...) {DSA-1816-1} - apache2 2.2.11-6 (low; bug #530834) CVE-2009-1194 (Integer overflow in the pango_glyph_string_set_size function in pango/ ...) {DSA-1798-1} - pango1.0 1.24.0-2 (medium; bug #527474) CVE-2009-1193 REJECTED CVE-2009-1192 (The (1) agp_generic_alloc_page and (2) agp_generic_alloc_pages functio ...) {DSA-1800-1 DSA-1794-1 DSA-1787-1} - linux-2.6 2.6.29-4 - linux-2.6.24 CVE-2009-1191 (mod_proxy_ajp.c in the mod_proxy_ajp module in the Apache HTTP Server ...) - apache2 2.2.11-4 (low) [etch] - apache2 (introduced in 2.2.11) [lenny] - apache2 (introduced in 2.2.11) CVE-2009-1190 (Algorithmic complexity vulnerability in the java.util.regex.Pattern.co ...) - libspring-2.5-java 2.5.6.SEC01-1 CVE-2009-1189 (The _dbus_validate_signature_with_reason function (dbus-marshal-valida ...) {DSA-1837-1} - dbus 1.2.14-1 (high; bug #532720) NOTE: remote signature spoofing possible, and this was supposed to be NOTE: originally fixed with the updates for CVE-2008-3834 CVE-2009-1188 (Integer overflow in the JBIG2 decoding feature in the SplashBitmap::Sp ...) {DSA-2050-1 DSA-2028-1} - poppler 0.10.6-1 (medium; bug #524806) [etch] - poppler (SplashBitmap code not present) [lenny] - poppler 0.8.7-3.1 - xpdf 3.02-2 (bug #575779) - kdegraphics 4:4.0 - swftools 0.9.2+ds1-2 CVE-2009-1187 (Integer overflow in the JBIG2 decoding feature in Poppler before 0.10. ...) {DSA-1941-1} - poppler 0.10.6-1 (medium; bug #524806) CVE-2009-1186 (Buffer overflow in the util_path_encode function in udev/lib/libudev-u ...) {DSA-1772-1} - udev 0.141-1 (medium) CVE-2009-1185 (udev before 1.4.1 does not verify whether a NETLINK message originates ...) {DSA-1772-1} - udev 0.141-1 (medium) CVE-2009-1184 (The selinux_ip_postroute_iptables_compat function in security/selinux/ ...) {DSA-1809-1 DSA-1800-1} - linux-2.6 2.6.29-5 [etch] - linux-2.6 (Issue was introduced after 2.6.24 release) - linux-2.6.24 (Issue was introduced after 2.6.24 release) CVE-2009-1183 (The JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earl ...) {DSA-1793-1 DSA-1790-1} - poppler 0.10.6-1 (medium; bug #524806) [lenny] - poppler 0.8.7-2 - xpdf 3.02-1.4+lenny1 (medium; bug #524809) [squeeze] - xpdf 3.02-1.4+lenny1 - kdegraphics 4:4.0 (medium; bug #524810) - swftools 0.9.2+ds1-2 CVE-2009-1182 (Multiple buffer overflows in the JBIG2 MMR decoder in Xpdf 3.02pl2 and ...) {DSA-1793-1 DSA-1790-1} - poppler 0.10.6-1 (medium; bug #524806) [lenny] - poppler 0.8.7-2 - xpdf 3.02-1.4+lenny1 (medium; bug #524809) [squeeze] - xpdf 3.02-1.4+lenny1 - kdegraphics 4:4.0-1 (medium; bug #524810) - swftools 0.9.2+ds1-2 CVE-2009-1181 (The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, ...) {DSA-1793-1 DSA-1790-1} - poppler 0.10.6-1 (medium; bug #524806) [lenny] - poppler 0.8.7-2 - xpdf 3.02-1.4+lenny1 (medium; bug #524809) [squeeze] - xpdf 3.02-1.4+lenny1 - kdegraphics 4:4.0-1 (medium; bug #524810) - swftools 0.9.2+ds1-2 CVE-2009-1180 (The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, ...) {DSA-1793-1 DSA-1790-1} - poppler 0.10.6-1 (medium; bug #524806) [lenny] - poppler 0.8.7-2 - xpdf 3.02-1.4+lenny1 (medium; bug #524809) [squeeze] - xpdf 3.02-1.4+lenny1 - kdegraphics 4:4.0-1 (medium; bug #524810) - swftools 0.9.2+ds1-2 CVE-2009-1179 (Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUP ...) {DSA-1793-1 DSA-1790-1} - poppler 0.10.6-1 (medium; bug #524806) [lenny] - poppler 0.8.7-2 - xpdf 3.02-1.4+lenny1 (medium; bug #524809) [squeeze] - xpdf 3.02-1.4+lenny1 - kdegraphics 4:4.0-1 (medium; bug #524810) - swftools 0.9.2+ds1-2 CVE-2009-1178 (Unspecified vulnerability in the server in IBM Tivoli Storage Manager ...) NOT-FOR-US: Tivoli CVE-2009-1177 (Multiple stack-based buffer overflows in maptemplate.c in mapserv in M ...) - mapserver 5.2.2-1 (medium; bug #523027) [lenny] - mapserver (Vulnerable code not present or covered by 02_CVE-2009-840-CVE-2009-2281.dpatch) [etch] - mapserver (Vulnerable code not present or covered by 02_CVE-2009-840-CVE-2009-2281.dpatch) CVE-2009-1176 (mapserv.c in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2 ...) {DSA-1914-1} - mapserver 5.2.2-1 (low; bug #523027) NOTE: covered by 02_CVE-2009-840-CVE-2009-2281.dpatch as well CVE-2008-6572 (SQL injection vulnerability in search_results.php in ABK-Soft AbleDati ...) NOT-FOR-US: ABK-Soft AbleDating CVE-2008-6571 (Multiple cross-site scripting (XSS) vulnerabilities in LinPHA before 1 ...) NOT-FOR-US: LinPHA CVE-2008-6570 (Cross-site scripting (XSS) vulnerability in the RSS reader in Cybozu G ...) NOT-FOR-US: Cybozu Garoon CVE-2008-6569 (Session fixation vulnerability in Cybozu Garoon 2.0.0 through 2.1.3 al ...) NOT-FOR-US: Cybozu Garoon CVE-2008-6568 (Unrestricted file upload vulnerability in Yehe 2.0 allows remote attac ...) NOT-FOR-US: Yehe CVE-2008-6567 (Multiple cross-site scripting (XSS) vulnerabilities in Gallarific Free ...) NOT-FOR-US: Gallarific Free Edition CVE-2008-6566 (Unspecified vulnerability in Octopussy before 0.9.5.8 has unknown impa ...) NOT-FOR-US: Octopussy CVE-2008-6565 (Cross-site scripting (XSS) vulnerability in Invision Power Board 2.3.1 ...) NOT-FOR-US: Invision Power Board CVE-2008-6564 (Nortel UNIStim protocol, as used in Communication Server 1000 and othe ...) NOT-FOR-US: Nortel Communication Server CVE-2008-6563 (Buffer overflow in the XML parser in Trillian 3.1.9.0, and possibly ea ...) NOT-FOR-US: Trillian CVE-2008-6562 (Cross-site scripting (XSS) vulnerability in jax_linklists.php in Jack ...) NOT-FOR-US: Jack (tR) Jax LinkLists CVE-2008-6561 (Citrix Presentation Server Client for Windows before 10.200 does not c ...) NOT-FOR-US: Citrix CVE-2007-6724 (Vidalia bundle before 0.1.2.18, when running on Windows, installs Priv ...) NOT-FOR-US: Vidalia CVE-2007-6723 (TorK before 0.22, when running on Windows and Mac OS X, installs Privo ...) - tork (Affects only Windows and MacOS) CVE-2007-6722 (Vidalia bundle before 0.1.2.18, when running on Windows and Mac OS X, ...) NOT-FOR-US: Vidalia CVE-2006-7237 (PHP remote file inclusion vulnerability in mod/nc_phpmyadmin/core/libr ...) NOT-FOR-US: Ixprim CVE-2005-4880 (Jax Guestbook 3.1 and 3.31 stores sensitive information under the web ...) NOT-FOR-US: Jax Guestbook CVE-2005-4879 (Multiple cross-site scripting (XSS) vulnerabilities in jax_guestbook.p ...) NOT-FOR-US: Jax Guestbook CVE-2004-2762 (The server in IBM Tivoli Storage Manager (TSM) 4.2.x on MVS, 5.1.9.x b ...) NOT-FOR-US: Tivoli CVE-2003-1570 (The server in IBM Tivoli Storage Manager (TSM) 5.1.x, 5.2.x before 5.2 ...) NOT-FOR-US: Tivoli CVE-2009-1175 (Cross-site scripting (XSS) vulnerability in apps/web/vs_diag.cgi in th ...) - banshee (unimportant) NOTE: banshee is intented as a desktop music player with no serious NOTE: login credentials that an attacker could use remote CVE-2009-1174 (The Web Services Security component in IBM WebSphere Application Serve ...) NOT-FOR-US: WebSphere CVE-2009-1173 (IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.3 uses weak pe ...) NOT-FOR-US: WebSphere CVE-2009-1172 (The JAX-RPC WS-Security runtime in the Web Services Security component ...) NOT-FOR-US: WebSphere CVE-2009-1171 (The TeX filter in Moodle 1.6 before 1.6.9+, 1.7 before 1.7.7+, 1.8 bef ...) {DSA-1761-1} - moodle 1.8.2.dfsg-5 (medium; bug #522116) NOTE: this applies only to people who have a complete tex environment and NOTE: aren't just using mimetex to render the tex CVE-2009-1170 (Unspecified vulnerability in Sun OpenSolaris snv_100 through snv_101 a ...) NOT-FOR-US: OpenSolaris CVE-2009-1169 (The txMozillaXSLTProcessor::TransformToDoc function in Mozilla Firefox ...) {DSA-1756-1} - xulrunner 1.9.0.8-1 [etch] - xulrunner (Etch Packages no longer covered by security support) - kompozer 1:0.8~alpha2+dfsg+svn129-1 CVE-2009-1168 (Cisco IOS 12.0(32)S12 through 12.0(32)S13 and 12.0(33)S3 through 12.0( ...) NOT-FOR-US: Cisco IOS CVE-2009-1167 (Unspecified vulnerability on the Cisco Wireless LAN Controller (WLC) p ...) NOT-FOR-US: Cisco Wireless LAN Controller CVE-2009-1166 (The administrative web interface on the Cisco Wireless LAN Controller ...) NOT-FOR-US: Cisco Wireless LAN Controller CVE-2009-1165 (Memory leak on the Cisco Wireless LAN Controller (WLC) platform 4.x be ...) NOT-FOR-US: Cisco Wireless LAN Controller CVE-2009-1164 (The administrative web interface on the Cisco Wireless LAN Controller ...) NOT-FOR-US: Cisco Wireless LAN Controller CVE-2009-1163 (Memory leak on the Cisco Physical Access Gateway with software before ...) NOT-FOR-US: Cisco CVE-2009-1162 (Cross-site scripting (XSS) vulnerability in the Spam Quarantine login ...) NOT-FOR-US: Cisco IronPort AsyncOS CVE-2009-1161 (Directory traversal vulnerability in the TFTP service in Cisco CiscoWo ...) NOT-FOR-US: CiscoWorks CVE-2009-1160 (Cisco Adaptive Security Appliances (ASA) 5500 Series and PIX Security ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2009-1159 (Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2009-1158 (Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2009-1157 (Memory leak on Cisco Adaptive Security Appliances (ASA) 5500 Series an ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2009-1156 (Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2009-1155 (Cisco Adaptive Security Appliances (ASA) 5500 Series and PIX Security ...) NOT-FOR-US: Cisco Adaptive Security Appliances CVE-2009-1154 (Cisco IOS XR 3.8.1 and earlier allows remote attackers to cause a deni ...) NOT-FOR-US: Cisco CVE-2009-1153 REJECTED CVE-2009-1152 (Siemens Gigaset SE461 WiMAX router 1.5-BL024.9.6401, and possibly othe ...) NOT-FOR-US: Siemens router CVE-2009-1151 (Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x ...) {DSA-1824-1} - phpmyadmin 4:3.1.3.1-1 CVE-2009-1150 (Multiple cross-site scripting (XSS) vulnerabilities in the export page ...) {DSA-1824-1} - phpmyadmin 4:3.1.3.1-1 CVE-2009-1149 (CRLF injection vulnerability in bs_disp_as_mime_type.php in the BLOB s ...) - phpmyadmin 4:3.1.3.1-1 [etch] - phpmyadmin (Vulnerable code not present) [lenny] - phpmyadmin (Vulnerable code not present) CVE-2009-1148 (Directory traversal vulnerability in bs_disp_as_mime_type.php in the B ...) - phpmyadmin 4:3.1.3.1-1 [etch] - phpmyadmin (Vulnerable code not present) [lenny] - phpmyadmin (Vulnerable code not present) CVE-2009-1147 (Unspecified vulnerability in vmci.sys in the Virtual Machine Communica ...) NOT-FOR-US: VmWare CVE-2009-1146 (Unspecified vulnerability in an ioctl in hcmon.sys in VMware Workstati ...) NOT-FOR-US: VmWare CVE-2009-1145 RESERVED CVE-2009-1144 (Untrusted search path vulnerability in the Gentoo package of Xpdf befo ...) - xpdf (Gentoo specific vulnerability in building xpdf) CVE-2009-1143 RESERVED CVE-2009-1142 RESERVED CVE-2009-1141 (Microsoft Internet Explorer 6 for Windows XP SP2 and SP3 and Server 20 ...) NOT-FOR-US: Microsoft CVE-2009-1140 (Microsoft Internet Explorer 5.01 SP4; 6 SP1; 6 and 7 for Windows XP SP ...) NOT-FOR-US: Microsoft CVE-2009-1139 (Memory leak in the LDAP service in Active Directory on Microsoft Windo ...) NOT-FOR-US: Microsoft CVE-2009-1138 (The LDAP service in Active Directory on Microsoft Windows 2000 SP4 doe ...) NOT-FOR-US: Microsoft CVE-2009-1137 (Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allows re ...) NOT-FOR-US: Microsoft CVE-2009-1136 (The Microsoft Office Web Components Spreadsheet ActiveX control (aka O ...) NOT-FOR-US: ActiveX CVE-2009-1135 (Microsoft Internet Security and Acceleration (ISA) Server 2006 Gold an ...) NOT-FOR-US: Microsoft Internet Security and Acceleration (ISA) Server CVE-2009-1134 (Excel in 2007 Microsoft Office System SP1 and SP2; Microsoft Office Ex ...) NOT-FOR-US: Microsoft CVE-2009-1133 (Heap-based buffer overflow in Microsoft Remote Desktop Connection (for ...) NOT-FOR-US: Microsoft CVE-2009-1132 (Heap-based buffer overflow in the Wireless LAN AutoConfig Service (aka ...) NOT-FOR-US: Microsoft Windows Vista Gold CVE-2009-1131 (Multiple stack-based buffer overflows in Microsoft Office PowerPoint 2 ...) NOT-FOR-US: Microsoft CVE-2009-1130 (Heap-based buffer overflow in Microsoft Office PowerPoint 2002 SP3 and ...) NOT-FOR-US: Microsoft CVE-2009-1129 (Multiple stack-based buffer overflows in the PowerPoint 95 importer (P ...) NOT-FOR-US: Microsoft CVE-2009-1128 (Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allows re ...) NOT-FOR-US: Microsoft CVE-2009-1127 (win32k.sys in the kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3 ...) NOT-FOR-US: Microsoft Windows CVE-2009-1126 (The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2 ...) NOT-FOR-US: Microsoft CVE-2009-1125 (The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 ...) NOT-FOR-US: Microsoft CVE-2009-1124 (The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 ...) NOT-FOR-US: Microsoft CVE-2009-1123 (The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 ...) NOT-FOR-US: Microsoft CVE-2009-1122 (The WebDAV extension in Microsoft Internet Information Services (IIS) ...) NOT-FOR-US: Microsoft CVE-2009-1121 RESERVED CVE-2009-1120 (EMC RepliStor Server Service before ESA-09-003 has a DoASOCommand Remo ...) NOT-FOR-US: EMC CVE-2009-1119 (Multiple heap-based buffer overflows in EMC RepliStor 6.2 before SP5 a ...) NOT-FOR-US: EMC RepliStor CVE-2009-1118 RESERVED CVE-2009-1117 RESERVED CVE-2009-1116 RESERVED CVE-2009-1115 RESERVED CVE-2009-1114 RESERVED CVE-2009-1113 RESERVED CVE-2009-1112 RESERVED CVE-2009-1111 RESERVED CVE-2009-1110 RESERVED CVE-2009-1109 RESERVED CVE-2009-1108 RESERVED CVE-2009-1086 (Heap-based buffer overflow in the ldns_rr_new_frm_str_internal functio ...) {DSA-1795-1} - ldns 1.5.1-1 CVE-2008-6560 (Buffer overflow in CMAN - The Cluster Manager before 2.03.09-1 on Fedo ...) - redhat-cluster 2.20081102-1 NOTE: This seems like a non-issue, since the config file should be under control NOTE: of the admin? NOTE: Fixed in 2.03.09 upstream version. CVE-2008-6559 (Merge mcd in ReliantHA 1.1.4 in SCO UnixWare 7.1.4 allows local users ...) NOT-FOR-US: SCO UnixWare CVE-2008-6558 (Untrusted search path vulnerability in (1) hvdisp and (2) rcvm in Reli ...) NOT-FOR-US: SCO UnixWare CVE-2008-6557 (cgi-bin/webutil.pl in The Puppet Master WebUtil 2.7 allows remote atta ...) NOT-FOR-US: Puppet Master WebUtit, different than puppetmaster from puppet CVE-2008-6556 (cgi-bin/webutil.pl in The Puppet Master WebUtil 2.3 allows remote atta ...) NOT-FOR-US: Puppet Master WebUtit, different than puppetmaster from puppet CVE-2008-6555 (cgi-bin/webutil.pl in The Puppet Master WebUtil allows remote attacker ...) NOT-FOR-US: Puppet Master WebUtit, different than puppetmaster from puppet CVE-2008-6554 (cgi-bin/script in Aztech ADSL2/2+ 4-port router 3.7.0 build 070426 all ...) NOT-FOR-US: Aztech router CVE-2008-6553 (microcms-admin-home.php in Implied by Design Micro CMS (Micro-CMS) 3.5 ...) NOT-FOR-US: Micro CMS CVE-2008-6552 (Red Hat Cluster Project 2.x allows local users to modify or overwrite ...) - redhat-cluster 2.20081102-1 NOTE: Fixed in 2.03.09 upstream version. NOTE: Similar to CVE-2008-4192 and CVE-2008-4579 CVE-2008-6551 (Multiple directory traversal vulnerabilities in e-Vision CMS 2.0.2 and ...) NOT-FOR-US: e-vision CMS CVE-2008-6550 (Cross-site scripting (XSS) vulnerability in glossaire.php in Glossaire ...) NOT-FOR-US: Glossaire CVE-2008-6549 (The password_checker function in config/multiconfig.py in MoinMoin 1.6 ...) - moin 1.6.2-1 (low) CVE-2008-6548 (The rst parser (parser/text_rst.py) in MoinMoin 1.6.1 does not check t ...) - moin 1.6.2-1 (low) CVE-2008-6547 (schema.py in FormEncode for Python (python-formencode) 1.0 does not ap ...) - python-formencode 1.0.1-1 [etch] - python-formencode (Vulnerable code was introduced in 1.0) CVE-2008-6546 (Unspecified vulnerability in phpns before 2.1.3 has unknown impact and ...) NOT-FOR-US: phpns CVE-2008-6545 (PHP remote file inclusion vulnerability in news/include/createdb.php i ...) NOT-FOR-US: Web Server Creator Web Portal CVE-2008-6544 NOT-FOR-US: Simple Machines Forum CVE-2008-6543 (Multiple PHP remote file inclusion vulnerabilities in ComScripts TEAM ...) NOT-FOR-US: ComScripts TEAM Quick Classifieds CVE-2008-6542 (Unspecified vulnerability in the Skin Manager in DotNetNuke before 4.8 ...) NOT-FOR-US: DotNetNuke CVE-2008-6541 (Unrestricted file upload vulnerability in the file manager module in D ...) NOT-FOR-US: DotNetNuke CVE-2008-6540 (DotNetNuke before 4.8.2, during installation or upgrade, does not warn ...) NOT-FOR-US: DotNetNuke CVE-2008-6539 (Static code injection vulnerability in user/settings/ in DeStar 0.2.2- ...) - destar (bug #522123) CVE-2008-6538 (DeStar 0.2.2-5 allows remote attackers to add arbitrary users via a di ...) - destar (bug #522123) NOTE: we include a default configuration user which can be changed with instructions in README.Debian CVE-2008-6537 (LightNEasy/lightneasy.php in LightNEasy No database version 1.2 allows ...) NOT-FOR-US: LightNEasy No database CVE-2008-6536 (Unspecified vulnerability in 7-zip before 4.5.7 has unknown impact and ...) - p7zip 4.57~dfsg.1-1 CVE-2008-6535 (admin/settings.php in PayPal eStores allows remote attackers to bypass ...) NOT-FOR-US: PayPal eStores CVE-2008-6534 (Incomplete blacklist vulnerability in NULL FTP Server Free and Pro 1.1 ...) NOT-FOR-US: NULL FTP Server CVE-2008-6533 (Drupal 5.x before 5.13 and 6.x before 6.7 does not delete all related ...) - drupal5 5.14-1 (low) - drupal6 6.9-1 (low) [lenny] - drupal6 6.6-1.1 CVE-2008-6532 (Multiple cross-site request forgery (CSRF) vulnerabilities in the upda ...) - drupal5 5.14-1 (low) - drupal6 6.9-1 (low) [lenny] - drupal6 6.6-1.1 CVE-2008-6531 (The WebWork 1 web application framework in Atlassian JIRA before 3.13. ...) NOT-FOR-US: Atlassian JIRA CVE-2008-6530 (Unrestricted file upload vulnerability in editimage.php in eZoneScript ...) NOT-FOR-US: eZoneScripts Living Local CVE-2008-6529 (Cross-site scripting (XSS) vulnerability in listtest.php in eZoneScrip ...) NOT-FOR-US: eZoneScripts Living Local CVE-2008-6528 (NTFS TmaxSoft JEUS 5 before Fix 26 allows remote attackers to read the ...) NOT-FOR-US: NTFS TmaxSoft JEUS 5 CVE-2007-6721 (The Legion of the Bouncy Castle Java Cryptography API before release 1 ...) - bouncycastle 1.38-1 CVE-2009-1107 (The Java Plug-in in Java SE Development Kit (JDK) and Java Runtime Env ...) - sun-java6 6-13-1 (bug #521414) [lenny] - sun-java6 6-20-0lenny1 - sun-java5 1.5.0-18-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 CVE-2009-1106 (The Java Plug-in in Java SE Development Kit (JDK) and Java Runtime Env ...) - sun-java6 6-13-1 (bug #521414) [lenny] - sun-java6 6-20-0lenny1 - sun-java5 1.5.0-18-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 CVE-2009-1105 (The Java Plug-in in Java SE Development Kit (JDK) and Java Runtime Env ...) - sun-java6 6-13-1 (bug #521414) [lenny] - sun-java6 6-20-0lenny1 - sun-java5 1.5.0-18-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 CVE-2009-1104 (The Java Plug-in in Java SE Development Kit (JDK) and Java Runtime Env ...) - sun-java6 6-13-1 (bug #521414) [lenny] - sun-java6 6-20-0lenny1 - sun-java5 1.5.0-18-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 CVE-2009-1103 (Unspecified vulnerability in the Java Plug-in in Java SE Development K ...) - sun-java6 6-13-1 (bug #521414) [lenny] - sun-java6 6-20-0lenny1 - sun-java5 1.5.0-18-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 CVE-2009-1102 (Unspecified vulnerability in the Virtual Machine in Java SE Developmen ...) - sun-java6 6-13-1 (bug #521414) [lenny] - sun-java6 6-20-0lenny1 - sun-java5 1.5.0-18-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 CVE-2009-1101 (Unspecified vulnerability in the lightweight HTTP server implementatio ...) {DSA-1769-1} - sun-java6 6-13-1 (bug #521414) [lenny] - sun-java6 6-20-0lenny1 - sun-java5 1.5.0-18-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 CVE-2009-1100 (Multiple unspecified vulnerabilities in Java SE Development Kit (JDK) ...) - sun-java6 6-13-1 (bug #521414) [lenny] - sun-java6 6-20-0lenny1 CVE-2009-1099 (Integer signedness error in Java SE Development Kit (JDK) and Java Run ...) - sun-java6 6-13-1 (bug #521414) [lenny] - sun-java6 6-20-0lenny1 CVE-2009-1098 (Buffer overflow in Java SE Development Kit (JDK) and Java Runtime Envi ...) {DSA-1769-1} - sun-java6 6-13-1 (bug #521414) [lenny] - sun-java6 6-20-0lenny1 CVE-2009-1097 (Multiple buffer overflows in Java SE Development Kit (JDK) and Java Ru ...) {DSA-1769-1} - sun-java6 6-13-1 [lenny] - sun-java6 6-20-0lenny1 CVE-2009-1096 (Buffer overflow in unpack200 in Java SE Development Kit (JDK) and Java ...) {DSA-1769-1} - sun-java6 6-13-1 (bug #521414) [lenny] - sun-java6 6-20-0lenny1 - sun-java5 1.5.0-18-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 CVE-2009-1095 (Integer overflow in unpack200 in Java SE Development Kit (JDK) and Jav ...) {DSA-1769-1} - sun-java6 6-13-1 (bug #521414) [lenny] - sun-java6 6-20-0lenny1 - sun-java5 1.5.0-18-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 CVE-2009-1094 (Unspecified vulnerability in the LDAP implementation in Java SE Develo ...) {DSA-1769-1} - sun-java6 6-13-1 (bug #521414) [lenny] - sun-java6 6-20-0lenny1 - sun-java5 1.5.0-18-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 CVE-2009-1093 (LdapCtx in the LDAP service in Java SE Development Kit (JDK) and Java ...) {DSA-1769-1} - sun-java6 6-13-1 (bug #521414) [lenny] - sun-java6 6-20-0lenny1 CVE-2009-1962 (Xfig, possibly 3.2.5, allows local users to read and write arbitrary f ...) - xfig 1:3.2.5.a-1 [etch] - xfig (Minor issue) [lenny] - xfig (Minor issue) CVE-2009-1092 (Use-after-free vulnerability in the LIVEAUDIO.LiveAudioCtrl.1 ActiveX ...) NOT-FOR-US: LIVEAUDIO.LiveAudioCtrl.1 ActiveX CVE-2009-1091 (Cross-site scripting (XSS) vulnerability in upload.php in Rapidleech r ...) NOT-FOR-US: Rapidleech CVE-2009-1090 (Directory traversal vulnerability in upload.php in Rapidleech rev.36 a ...) NOT-FOR-US: Rapidleech CVE-2009-1089 (Absolute path traversal vulnerability in upload.php in Rapidleech rev. ...) NOT-FOR-US: Rapidleech CVE-2009-1088 (Hannon Hill Cascade Server 5.7 and other versions allows remote authen ...) NOT-FOR-US: Hannon Hill Cascade Server CVE-2009-1087 (Multiple argument injection vulnerabilities in PPLive.exe in PPLive 1. ...) NOT-FOR-US: PPLive CVE-2009-1085 (Piwik 0.2.32 and earlier stores sensitive information under the web ro ...) - piwik (bug #506933) CVE-2009-1084 (Sun Java System Identity Manager (IdM) 7.0 through 8.0 does not proper ...) NOT-FOR-US: Sun Java System Identity Manager CVE-2009-1083 (Sun Java System Identity Manager (IdM) 7.0 through 8.0 on Linux, AIX, ...) NOT-FOR-US: Sun Java System Identity Manager CVE-2009-1082 (Sun Java System Identity Manager (IdM) 7.0 through 8.0 allows remote a ...) NOT-FOR-US: Sun Java System Identity Manager CVE-2009-1081 (Multiple cross-site scripting (XSS) vulnerabilities in Sun Java System ...) NOT-FOR-US: Sun Java System Identity Manager CVE-2009-1080 (Multiple cross-site scripting (XSS) vulnerabilities in Sun Java System ...) NOT-FOR-US: Sun Java System Identity Manager CVE-2009-1079 (Multiple cross-site scripting (XSS) vulnerabilities in Sun Java System ...) NOT-FOR-US: Sun Java System Identity Manager CVE-2009-1078 (Sun Java System Identity Manager (IdM) 7.0 through 8.0 does not enforc ...) NOT-FOR-US: Sun Java System Identity Manager CVE-2009-1077 (The Change My Password implementation in the admin interface in Sun Ja ...) NOT-FOR-US: Sun Java System Identity Manager CVE-2009-1076 (Sun Java System Identity Manager (IdM) 7.0 through 8.0 responds differ ...) NOT-FOR-US: Sun Java System Identity Manager CVE-2009-1075 (Sun Java System Identity Manager (IdM) 7.0 through 8.0 responds differ ...) NOT-FOR-US: Sun Java System Identity Manager CVE-2009-1074 (Sun Java System Identity Manager (IdM) 7.0 through 8.0 does not use SS ...) NOT-FOR-US: Sun Java System Identity Manager CVE-2008-6527 (SQL injection vulnerability in forum.asp in GO4I.NET ASP Forum 1.0 all ...) NOT-FOR-US: GO4I.NET ASP Forum CVE-2008-6526 (SQL injection vulnerability in index.php in BosDev BosClassifieds allo ...) NOT-FOR-US: BosClassifieds CVE-2008-6525 (SQL injection vulnerability in the Admin Panel in Nice PHP FAQ Script ...) NOT-FOR-US: Nice PHP FAQ Script CVE-2008-6524 (resetpass.php in openInvoice 0.90 beta and earlier allows remote authe ...) NOT-FOR-US: openInvoice CVE-2008-6523 (auth.php in openInvoice 0.90 beta and earlier allows remote attackers ...) NOT-FOR-US: openInvoice CVE-2008-6522 (Multiple directory traversal vulnerabilities in the RenderFile functio ...) NOT-FOR-US: OpenTerracotta CVE-2008-6521 (index.php in Terracotta (aka OpenTerracotta) 0.6.1 allows remote attac ...) NOT-FOR-US: OpenTerracotta CVE-2008-6520 (Multiple format string vulnerabilities in the SSI filter in Xitami Web ...) NOT-FOR-US: Xitami Web Server CVE-2008-6519 (Format string vulnerability in Xitami Web Server 2.2a through 2.5c2, a ...) NOT-FOR-US: Xitami Web Server CVE-2008-6518 (Unrestricted file upload vulnerability in the profile feature in VidiS ...) NOT-FOR-US: VidiScript CVE-2008-6517 (SQL injection vulnerability in NewsHOWLER 1.03 Beta allows remote atta ...) NOT-FOR-US: NewsHOWLER CVE-2008-6516 (Multiple directory traversal vulnerabilities in phpKF-Portal 1.10 allo ...) NOT-FOR-US: phpKF-Portal CVE-2009-1073 (nss-ldapd before 0.6.8 uses world-readable permissions for the /etc/ns ...) {DSA-1758-1} - nss-ldapd 0.6.8 CVE-2009-1072 (nfsd in the Linux kernel before 2.6.28.9 does not drop the CAP_MKNOD c ...) {DSA-1800-1} - linux-2.6 2.6.29-1 [etch] - linux-2.6 (Issue was introduced after 2.6.24 release) - linux-2.6.24 (Issue was introduced after 2.6.24 release) CVE-2009-0934 (Cross-site scripting (XSS) vulnerability in ejabberd before 2.0.4 allo ...) {DSA-1774-1} - ejabberd 2.0.5-1 (bug #520852) [etch] - ejabberd (Vulnerable expression not present) CVE-2009-1071 (Stack-based buffer overflow in Icarus 2.0 allows remote attackers to c ...) NOT-FOR-US: Icarus CVE-2009-1070 (Cross-site scripting (XSS) vulnerability in system/index.php in Expres ...) NOT-FOR-US: ExpressionEngine CVE-2009-1069 (Multiple cross-site scripting (XSS) vulnerabilities in the node edit f ...) NOT-FOR-US: Drupal module CVE-2009-1068 (Stack-based buffer overflow in BS.Player (bsplayer) 2.32 Build 975 Fre ...) NOT-FOR-US: BS.Player CVE-2009-1067 (Cross-site scripting (XSS) vulnerability in index.php in Pixie CMS 1.0 ...) NOT-FOR-US: Pixie CMS CVE-2009-1066 (SQL injection vulnerability in the referral function in admin/lib/lib_ ...) NOT-FOR-US: Pixie CMS CVE-2009-1065 (SQL injection vulnerability in index.php in Pixie CMS 1.01a allows rem ...) NOT-FOR-US: Pixie CMS CVE-2009-1064 (Argument injection vulnerability in orbitmxt.dll 2.1.0.2 in the Orbit ...) NOT-FOR-US: Orbit Downloader CVE-2009-1063 (Buffer overflow in eXeScope 6.50 allows user-assisted remote attackers ...) NOT-FOR-US: eXeScope CVE-2009-1062 (Adobe Acrobat Reader 9 before 9.1, 8 before 8.1.4, and 7 before 7.1.1 ...) NOT-FOR-US: Acrobat Reader CVE-2009-1061 (Unspecified vulnerability in Adobe Acrobat Reader 9 before 9.1, 8 befo ...) NOT-FOR-US: Acrobat Reader CVE-2009-1060 (Unspecified vulnerability in Apple Safari on Mac OS X 10.5.6 allows re ...) NOT-FOR-US: Apple Safari CVE-2009-1059 (Stack-based buffer overflow in Trident PowerZip 7.2 might allow remote ...) NOT-FOR-US: Trident PowerZip CVE-2009-1058 (Stack-based buffer overflow in ZipGenius might allow remote attackers ...) NOT-FOR-US: ZipGenius CVE-2009-1057 (MicroSmarts Enterprise ZipItFast! 3.0 allows remote attackers to execu ...) NOT-FOR-US: MicroSmarts Enterprise ZipItFast! CVE-2009-1056 (IBM Rational AppScan Enterprise before 5.5 FP1 allows remote attackers ...) NOT-FOR-US: IBM Rational AppScan Enterprise CVE-2009-1055 (Unspecified vulnerability in the web service in Sitecore CMS 5.3.1 rev ...) NOT-FOR-US: Sitecore CMS CVE-2009-1054 (Unspecified vulnerability in JustSystems Ichitaro 13, 2004 through 200 ...) NOT-FOR-US: JustSystems Ichitaro CVE-2009-1053 (chaozzDB 1.2 and earlier stores sensitive information under the web ro ...) NOT-FOR-US: chaozzDB CVE-2009-1052 (FireAnt 1.3 and earlier stores sensitive information under the web roo ...) NOT-FOR-US: FireAnt CVE-2009-1051 (FubarForum 1.6 and earlier stores sensitive information under the web ...) NOT-FOR-US: FubarForum CVE-2009-1050 (Bloginator 1A allows remote attackers to bypass authentication and gai ...) NOT-FOR-US: Bloginator CVE-2009-1049 (SQL injection vulnerability in articleCall.php in Bloginator 1A allows ...) NOT-FOR-US: Bloginator CVE-2008-6515 (Cross-site scripting (XSS) vulnerability in Fritz Berger yet another p ...) NOT-FOR-US: yappa-ng CVE-2008-6514 (The Expo plugin in Compiz Fusion 0.7.8 allows local users with physica ...) - compiz-fusion-plugins-main 0.8.2-1 (low) [lenny] - compiz-fusion-plugins-main (Minor issue) CVE-2008-6513 (Unrestricted file upload vulnerability in saa.php in Andy's PHP Knowle ...) NOT-FOR-US: Andy's PHP Knowledgebase CVE-2008-6512 (Cross-domain vulnerability in the WorkerPool API in Google Gears befor ...) NOT-FOR-US: Google Gears CVE-2009-1048 (The web interface on the snom VoIP phones snom 300, snom 320, snom 360 ...) NOT-FOR-US: snom VoIP phones CVE-2009-1047 (Cross-site scripting (XSS) vulnerability in the Send by e-mail module ...) NOT-FOR-US: Send by e-mail module for Drupal CVE-2009-1046 (The console selection feature in the Linux kernel 2.6.28 before 2.6.28 ...) {DSA-1800-1 DSA-1787-1} - linux-2.6 2.6.29-1 - linux-2.6.24 [etch] - linux-2.6 (Introduced in 2.6.23-rc1) CVE-2009-1045 (requests/status.xml in VLC 0.9.8a allows remote attackers to cause a d ...) - vlc 0.9.9a-1 (unimportant; bug #522170) NOTE: access is limited to localhost CVE-2009-1044 (Mozilla Firefox 3.0.7 on Windows 7 allows remote attackers to execute ...) {DSA-1756-1} - xulrunner 1.9.0.8-1 [etch] - xulrunner (Etch Packages no longer covered by security support) - kompozer 1:0.8~alpha2+dfsg+svn129-3 CVE-2009-1043 (Unspecified vulnerability in Microsoft Internet Explorer 8 on Windows ...) NOT-FOR-US: Microsoft CVE-2009-1042 (Unspecified vulnerability in Apple Safari on Mac OS X 10.5.6 allows re ...) NOT-FOR-US: Apple Safari CVE-2009-1041 (The ktimer feature (sys/kern/kern_time.c) in FreeBSD 7.0, 7.1, and 7.2 ...) - kfreebsd-7 7.1-3 [lenny] - kfreebsd-7 7.0-7lenny1 CVE-2008-6511 (Open redirect vulnerability in login.jsp in Openfire 3.6.0a and earlie ...) NOT-FOR-US: Openfire CVE-2008-6510 (Cross-site scripting (XSS) vulnerability in login.jsp in the Admin Con ...) NOT-FOR-US: Openfire CVE-2008-6509 (SQL injection vulnerability in CallLogDAO in SIP Plugin in Openfire 3. ...) NOT-FOR-US: Openfire CVE-2008-6508 (Directory traversal vulnerability in the AuthCheck filter in the Admin ...) NOT-FOR-US: Openfire CVE-2008-6507 (Unspecified vulnerability in phpBB before 3.0.4 allows attackers to ob ...) - phpbb3 3.0.2-4 CVE-2008-6505 (Multiple directory traversal vulnerabilities in Apache Struts 2.0.x be ...) - libstruts1.2-java (Vulnerable code not present) NOTE: looks like this was introduced in 2.x, see upstream trunk r688095 CVE-2008-6504 (ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1 ...) NOT-FOR-US: OpenSymphony XWork CVE-2009-1040 (Buffer overflow in WinAsm Studio 5.1.5.0 allows user-assisted remote a ...) NOT-FOR-US: WinAsm CVE-2009-1039 (Buffer overflow in CDex 1.70b2 allows remote attackers to execute arbi ...) NOT-FOR-US: CDex CVE-2009-1038 (Multiple SQL injection vulnerabilities in YAP Blog 1.1.1 allow remote ...) NOT-FOR-US: YAP Blog CVE-2009-1037 (Unspecified vulnerability in the Send by e-mail module in the "Printer ...) NOT-FOR-US: Send by e-mail module for Drupal CVE-2009-1036 (Cross-site request forgery (CSRF) vulnerability in the Plus 1 module b ...) NOT-FOR-US: Plus 1 module for Drupal CVE-2009-1035 (Cross-site scripting (XSS) vulnerability in the Tasklist module 5.x-1. ...) NOT-FOR-US: Tasklist module for Drupal CVE-2009-1034 (SQL injection vulnerability in the Tasklist module 5.x-1.x before 5.x- ...) NOT-FOR-US: Tasklist module for Drupal CVE-2009-1033 (SQL injection vulnerability in misc.php in DeluxeBB 1.3 and earlier al ...) NOT-FOR-US: DeluxeBB CVE-2009-1032 (SQL injection vulnerability in gallery_list.php in YABSoft Advanced Im ...) NOT-FOR-US: YABSoft Advanced Image Gallery CVE-2009-1031 (Directory traversal vulnerability in the FTP server in Rhino Software ...) NOT-FOR-US: FTP Rhino Software Serv-U CVE-2009-1030 (Cross-site scripting (XSS) vulnerability in the choose_primary_blog fu ...) - wordpress-mu 2.9.1-1 (bug #399756) CVE-2009-1029 (Stack-based buffer overflow in POP Peeper 3.4.0.0 and earlier allows r ...) NOT-FOR-US: POP Peeper CVE-2009-1028 (Stack-based buffer overflow in ediSys eZip Wizard 3.0 allows remote at ...) NOT-FOR-US: ediSys eZip Wizard CVE-2009-1027 (SQL injection vulnerability in OpenCart 1.1.8 allows remote attackers ...) NOT-FOR-US: OpenCart CVE-2009-1026 (Multiple SQL injection vulnerabilities in login.php in Kim Websites 1. ...) NOT-FOR-US: Kim Websites CVE-2009-1025 (PHP remote file inclusion vulnerability in linkadmin.php in Beerwin PH ...) NOT-FOR-US: Beerwin PHPLinkAdmin CVE-2009-1024 (Multiple SQL injection vulnerabilities in Beerwin PHPLinkAdmin 1.0 all ...) NOT-FOR-US: Beerwin PHPLinkAdmin CVE-2009-1023 (SQL injection vulnerability in index.php in phpComasy 0.9.1 allows rem ...) NOT-FOR-US: phpComasy CVE-2009-1022 (Heap-based buffer overflow in the Preview/ Set Segment function in Gre ...) NOT-FOR-US: Gretech GOMlab GOM Encoder CVE-2009-1021 (Unspecified vulnerability in the Advanced Replication component in Ora ...) NOT-FOR-US: Oracle Database CVE-2009-1020 (Unspecified vulnerability in the Network Foundation component in Oracl ...) NOT-FOR-US: Oracle Database CVE-2009-1019 (Unspecified vulnerability in the Network Authentication component in O ...) NOT-FOR-US: Oracle Database CVE-2009-1018 (Unspecified vulnerability in the Workspace Manager component in Oracle ...) NOT-FOR-US: Oracle Database CVE-2009-1017 (Unspecified vulnerability in the BI Publisher component in Oracle Appl ...) NOT-FOR-US: Oracle Application Server CVE-2009-1016 (Unspecified vulnerability in the WebLogic Server component in BEA Prod ...) NOT-FOR-US: BEA Product Suite CVE-2009-1015 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database CVE-2009-1014 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2009-1013 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2009-1012 (Unspecified vulnerability in the plug-ins for Apache and IIS web serve ...) NOT-FOR-US: BEA Product Suite CVE-2009-1011 (Unspecified vulnerability in the Outside In Technology component in Or ...) NOT-FOR-US: Oracle Application Server CVE-2009-1010 (Unspecified vulnerability in the Outside In Technology component in Or ...) NOT-FOR-US: Oracle Application Server CVE-2009-1009 (Unspecified vulnerability in the Outside In Technology component in Or ...) NOT-FOR-US: Oracle Application Server CVE-2009-1008 (Unspecified vulnerability in the Outside In Technology component in Or ...) NOT-FOR-US: Oracle Application Server CVE-2009-1007 (Unspecified vulnerability in the Data Mining component in Oracle Datab ...) NOT-FOR-US: Oracle Database CVE-2009-1006 (Unspecified vulnerability in the JRockit component in BEA Product Suit ...) NOT-FOR-US: BEA Product Suite CVE-2009-1005 (Unspecified vulnerability in the Oracle Data Service Integrator (AquaL ...) NOT-FOR-US: BEA Product Suite CVE-2009-1004 (Unspecified vulnerability in the WebLogic Server component in BEA Prod ...) NOT-FOR-US: BEA Product Suite CVE-2009-1003 (Unspecified vulnerability in the WebLogic Server component in BEA Prod ...) NOT-FOR-US: BEA Product Suite CVE-2009-1002 (Unspecified vulnerability in Oracle BEA WebLogic Server 10.3, 10.0 Gol ...) NOT-FOR-US: BEA Product Suite CVE-2009-1001 (Unspecified vulnerability in Oracle BEA WebLogic Portal 8.1 Gold throu ...) NOT-FOR-US: BEA Product Suite CVE-2009-1000 (The Oracle Applications Framework component in Oracle E-Business Suite ...) NOT-FOR-US: Oracle E-Business Suite CVE-2009-0999 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2009-0998 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS - eBenefit ...) NOT-FOR-US: PeopleSoft Enterprise HRMS CVE-2009-0997 (Unspecified vulnerability in the Database Vault component in Oracle Da ...) NOT-FOR-US: Oracle Database CVE-2009-0996 (Unspecified vulnerability in the BI Publisher component in Oracle Appl ...) NOT-FOR-US: Oracle Application Server CVE-2009-0995 (Unspecified vulnerability in the Oracle Applications Framework compone ...) NOT-FOR-US: Oracle E-Business Suite CVE-2009-0994 (Unspecified vulnerability in the BI Publisher component in Oracle Appl ...) NOT-FOR-US: Oracle Application Server CVE-2009-0993 (Unspecified vulnerability in the OPMN component in Oracle Application ...) NOT-FOR-US: Oracle Application Server CVE-2009-0992 (Unspecified vulnerability in the Advanced Queuing component in Oracle ...) NOT-FOR-US: Oracle Database CVE-2009-0991 (Unspecified vulnerability in the Listener component in Oracle Database ...) NOT-FOR-US: Oracle Database CVE-2009-0990 (Unspecified vulnerability in the BI Publisher component in Oracle Appl ...) NOT-FOR-US: Oracle Application Server CVE-2009-0989 (Unspecified vulnerability in the BI Publisher component in Oracle Appl ...) NOT-FOR-US: Oracle Application Server CVE-2009-0988 (Unspecified vulnerability in the Password Policy component in Oracle D ...) NOT-FOR-US: Oracle Database CVE-2009-0987 (Unspecified vulnerability in the Upgrade component in Oracle Database ...) NOT-FOR-US: Oracle Database CVE-2009-0986 (Unspecified vulnerability in the Workspace Manager component in Oracle ...) NOT-FOR-US: Oracle Database CVE-2009-0985 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database CVE-2009-0984 (Unspecified vulnerability in the Database Vault component in Oracle Da ...) NOT-FOR-US: Oracle Database CVE-2009-0983 (Unspecified vulnerability in the Portal component in Oracle Applicatio ...) NOT-FOR-US: Oracle Application Server CVE-2009-0982 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2009-0981 (Unspecified vulnerability in the Application Express component in Orac ...) NOT-FOR-US: Oracle Database CVE-2009-0980 (Unspecified vulnerability in the SQLX Functions component in Oracle Da ...) NOT-FOR-US: Oracle Database CVE-2009-0979 (Unspecified vulnerability in the Resource Manager component in Oracle ...) NOT-FOR-US: Oracle Database CVE-2009-0978 (Unspecified vulnerability in the Workspace Manager component in Oracle ...) NOT-FOR-US: Oracle Database CVE-2009-0977 (Unspecified vulnerability in the Advanced Queuing component in Oracle ...) NOT-FOR-US: Oracle Database CVE-2009-0976 (Unspecified vulnerability in the Workspace Manager component in Oracle ...) NOT-FOR-US: Oracle Database CVE-2009-0975 (Unspecified vulnerability in the Workspace Manager component in Oracle ...) NOT-FOR-US: Oracle Database CVE-2009-0974 (Unspecified vulnerability in the Portal component in Oracle Applicatio ...) NOT-FOR-US: Oracle Application Server CVE-2009-0973 (Unspecified vulnerability in the Cluster Ready Services component in O ...) NOT-FOR-US: Oracle Database CVE-2009-0972 (Unspecified vulnerability in the Workspace Manager component in Oracle ...) NOT-FOR-US: Oracle Database CVE-2008-6503 (Multiple cross-site scripting (XSS) vulnerabilities in PrestaShop 1.1. ...) NOT-FOR-US: PrestaShop CVE-2008-6502 (Directory traversal vulnerability in Pro Chat Rooms 3.0.2 allows remot ...) NOT-FOR-US: Pro Chat Rooms CVE-2008-6501 (Cross-site scripting (XSS) vulnerability in profiles/index.php in Pro ...) NOT-FOR-US: Pro Chat Rooms CVE-2008-6500 (Cross-site scripting (XSS) vulnerability in CodeToad ASP Shopping Cart ...) NOT-FOR-US: CodeToad ASP Shopping Cart Script CVE-2008-6499 (security/xamppsecurity.php in XAMPP 1.6.8 performs an extract operatio ...) NOT-FOR-US: XAMPP CVE-2008-6498 (Cross-site request forgery (CSRF) vulnerability in security/xamppsecur ...) NOT-FOR-US: XAMPP CVE-2008-6497 (The Neostrada Livebox ADSL Router allows remote attackers to cause a d ...) NOT-FOR-US: Neostrada Livebox ADSL Router CVE-2008-6496 (Insecure method vulnerability in the VSPDFEditorX.VSPDFEdit ActiveX co ...) NOT-FOR-US: VSPDFEditorX.ocx CVE-2008-6495 (Cross-site scripting (XSS) vulnerability in index.php in Fritz Berger ...) NOT-FOR-US: Fritz Berger yet another php photo album - next generation CVE-2008-6494 (ASP User Engine.NET stores sensitive information under the web root wi ...) NOT-FOR-US: ASP User Engine.NET CVE-2008-6493 (Easy Content Management Publishing stores sensitive information under ...) NOT-FOR-US: Easy Content Management Publishing CVE-2008-6492 (Unrestricted file upload vulnerability in process.php in Tizag Countdo ...) NOT-FOR-US: Tizag Countdown Creator CVE-2009-0971 (Cross-site scripting (XSS) vulnerability in futomi's CGI Cafe Access A ...) NOT-FOR-US: futomi's CGI Cafe Access Analyzer CGI Standard Version CVE-2009-0970 (PHP remote file inclusion vulnerability in includes/class_image.php in ...) NOT-FOR-US: PHP Pro Bid CVE-2009-0969 (Cross-site request forgery (CSRF) vulnerability in account/settings/ac ...) NOT-FOR-US: phpFoX CVE-2009-0968 (SQL injection vulnerability in fmoblog.php in the fMoblog plugin 2.1 f ...) NOT-FOR-US: fMoblog plugin for WordPress CVE-2009-0967 (The FTP server in Serv-U 7.0.0.1 through 7.4.0.1 allows remote authent ...) NOT-FOR-US: Serv-U CVE-2009-0966 (PHP remote file inclusion vulnerability in cross.php in YABSoft Mega F ...) NOT-FOR-US: YABSoft Mega File Hosting CVE-2009-0965 (SQL injection vulnerability in functions/browse.php in Ganesha Digital ...) NOT-FOR-US: Ganesha Digital Library CVE-2009-0964 (UserView_list.php in PHPRunner 4.2, and possibly earlier, stores passw ...) NOT-FOR-US: PHPRunner CVE-2009-0963 (Multiple SQL injection vulnerabilities in PHPRunner 4.2, and possibly ...) NOT-FOR-US: PHPRunner CVE-2009-0962 (Unspecified vulnerability in Futomi's CGI Cafe MP Form Mail CGI eComme ...) NOT-FOR-US: Futomi's CGI Cafe MP Form Mail CGI eCommerce CVE-2009-0961 (The Mail component in Apple iPhone OS 1.0 through 2.2.1 and iPhone OS ...) NOT-FOR-US: Apple iPhone CVE-2009-0960 (The Mail component in Apple iPhone OS 1.0 through 2.2.1 and iPhone OS ...) NOT-FOR-US: Apple iPhone CVE-2009-0959 (The MPEG-4 video codec in Apple iPhone OS 1.0 through 2.2.1 and iPhone ...) NOT-FOR-US: Apple iPhone CVE-2009-0958 (Apple iPhone OS 1.0 through 2.2.1 and iPhone OS for iPod touch 1.1 thr ...) NOT-FOR-US: Apple iPhone CVE-2009-0957 (Heap-based buffer overflow in Apple QuickTime before 7.6.2 allows remo ...) NOT-FOR-US: Apple QuickTime CVE-2009-0956 (Apple QuickTime before 7.6.2 does not properly initialize memory befor ...) NOT-FOR-US: Apple QuickTime CVE-2009-0955 (Apple QuickTime before 7.6.2 allows remote attackers to execute arbitr ...) NOT-FOR-US: Apple QuickTime CVE-2009-0954 (Heap-based buffer overflow in Apple QuickTime before 7.6.2 on Windows ...) NOT-FOR-US: Apple QuickTime CVE-2009-0953 (Heap-based buffer overflow in Apple QuickTime before 7.6.2 allows remo ...) NOT-FOR-US: Apple QuickTime CVE-2009-0952 (Buffer overflow in Apple QuickTime before 7.6.2 allows remote attacker ...) NOT-FOR-US: Apple QuickTime CVE-2009-0951 (Heap-based buffer overflow in Apple QuickTime before 7.6.2 allows remo ...) NOT-FOR-US: Apple QuickTime CVE-2009-0950 (Stack-based buffer overflow in Apple iTunes before 8.2 allows remote a ...) NOT-FOR-US: Apple iTunes CVE-2009-0949 (The ippReadIO function in cups/ipp.c in cupsd in CUPS before 1.3.10 do ...) {DSA-1811-1} - cups 1.3.10-1 CVE-2009-0948 RESERVED - file 5.02-1 CVE-2009-0947 RESERVED - file 5.02-1 CVE-2009-0946 (Multiple integer overflows in FreeType 2.3.9 and earlier allow remote ...) {DSA-1784-1} - freetype 2.3.9-4.1 (medium; bug #524925) CVE-2009-0945 (Array index error in the insertItemBefore method in WebKit, as used in ...) {DSA-1988-1 DSA-1950-1 DSA-1866-1} - qt4-x11 4:4.5.2-1 (medium; bug #532718) [etch] - qt4-x11 (webkit support introduced in version 4.4) - webkit 1.1.5-1 (medium; bug #532724; bug #532725) NOTE: http://trac.webkit.org/changeset/43590 - kde4libs 4:4.3.0-1 (medium; bug #534917) [lenny] - kde4libs (khtml doesn't have SVG support) NOTE: http://websvn.kde.org/?view=rev&revision=983302 - kdegraphics 4:4.0 (medium; bug #534918) NOTE: kdegraphics >4.0 not affected since ksvg is only in 3.5.x series NOTE: http://websvn.kde.org/?view=rev&revision=983306 CVE-2009-0944 (The Microsoft Office Spotlight Importer in Spotlight in Apple Mac OS X ...) NOT-FOR-US: Microsoft Office Spotlight CVE-2009-0943 (Help Viewer in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 does not ...) NOT-FOR-US: Help Viewer in Apple Mac OS X CVE-2009-0942 (Help Viewer in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 does not ...) NOT-FOR-US: Help Viewer in Apple Mac OS X CVE-2009-0941 (The HP Embedded Web Server (EWS) on HP LaserJet Printers, Edgeline Pri ...) NOT-FOR-US: HP Embedded Web Server CVE-2009-0940 (Multiple cross-site request forgery (CSRF) vulnerabilities in the HP E ...) NOT-FOR-US: HP Embedded Web Server CVE-2008-6491 (PHP remote file inclusion vulnerability in connexion.php in PHPGKit 0. ...) NOT-FOR-US: PHPGKit CVE-2008-6490 (function/update_xml.php in FLABER 1.1 and earlier allows remote attack ...) NOT-FOR-US: FLABER CVE-2008-6489 (SQL injection vulnerability in MyAlbum component (com_myalbum) 1.0 for ...) NOT-FOR-US: MyAlbum component (com_myalbum) for Joomla! CVE-2008-6488 (SQL injection vulnerability in index.php in SoftComplex PHP Image Gall ...) NOT-FOR-US: SoftComplex PHP Image Gallery CVE-2008-6487 (Multiple SQL injection vulnerabilities in login.asp in Digiappz DigiAf ...) NOT-FOR-US: Digiappz DigiAffiliate CVE-2008-6486 (PHP remote file inclusion vulnerability in slideshow_uploadvideo.conte ...) NOT-FOR-US: sharedlog CMS CVE-2008-6485 (SQL injection vulnerability in index.php in SoftComplex PHP Image Gall ...) NOT-FOR-US: SoftComplex PHP Image Gallery CVE-2008-6484 (SQL injection vulnerability in login.php in Mole Group Taxi Map Script ...) NOT-FOR-US: Mole Group Taxi Map Script CVE-2008-6483 (PHP remote file inclusion vulnerability in admin.googlebase.php in the ...) NOT-FOR-US: Ecom Solutions VirtueMart Google Base (aka com_googlebase or Froogle) component for Joomla! CVE-2008-6482 (PHP remote file inclusion vulnerability in admin.treeg.php in the Flas ...) NOT-FOR-US: Flash Tree Gallery (com_treeg) component for Joomla! CVE-2009-0939 (Tor before 0.2.0.34 treats incomplete IPv4 addresses as valid, which h ...) - tor 0.2.0.34-1 CVE-2009-0938 (Unspecified vulnerability in Tor before 0.2.0.34 allows directory mirr ...) - tor 0.2.0.34-1 (bug #512728) CVE-2009-0937 (Unspecified vulnerability in Tor before 0.2.0.34 allows directory mirr ...) - tor 0.2.0.34-1 (bug #514580) CVE-2009-0936 (Unspecified vulnerability in Tor before 0.2.0.34 allows attackers to c ...) - tor 0.2.0.34-1 CVE-2009-0935 (The inotify_read function in the Linux kernel 2.6.27 to 2.6.27.13, 2.6 ...) - linux-2.6 2.6.30-1 (low) [etch] - linux-2.6 (Vulnerability was introduced in 2.6.27-rc9) [lenny] - linux-2.6 (Vulnerability was introduced in 2.6.27-rc9) - linux-2.6.24 (Vulnerability was introduced in 2.6.27-rc9) CVE-2009-0933 (Cross-site scripting (XSS) vulnerability in the administrative interfa ...) - dotclear (Fixed before initial upload to archive) CVE-2009-0932 (Directory traversal vulnerability in framework/Image/Image.php in Hord ...) {DSA-1765-1} - horde3 3.2.2+debian0-2 (bug #513265; medium) CVE-2009-0931 (Cross-site scripting (XSS) vulnerability in the tag cloud search scrip ...) - horde3 3.2.2+debian0-2 (bug #513265) [etch] - horde3 (Vulnerable code not present) CVE-2009-0930 (Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP befor ...) {DSA-1770-1} - imp4 4.2-4 (medium; bug #513266) CVE-2009-0929 (Directory traversal vulnerability in the media manager in Nucleus CMS ...) NOT-FOR-US: Nucleus CMS CVE-2009-0928 (Heap-based buffer overflow in Adobe Acrobat Reader and Acrobat Profess ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2009-0927 (Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before ...) NOT-FOR-US: Adobe Reader and Adobe Acrobat CVE-2009-0926 (Unspecified vulnerability in the UFS filesystem functionality in Sun O ...) NOT-FOR-US: Sun OpenSolaris CVE-2009-0925 (Unspecified vulnerability in Sun Solaris 10 on SPARC sun4v systems, an ...) NOT-FOR-US: Sun Solaris CVE-2009-0924 (Unspecified vulnerability in Sun OpenSolaris snv_39 through snv_45, wh ...) NOT-FOR-US: Sun OpenSolaris CVE-2009-0923 (Unspecified vulnerability in Kerberos Incremental Propagation in Solar ...) NOT-FOR-US: Solaris CVE-2009-0922 (PostgreSQL before 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 allows rem ...) - postgresql-8.3 8.3.7-1 (bug #517405) [lenny] - postgresql-8.3 8.3.7-0lenny1 - postgresql-8.1 - postgresql-7.4 [etch] - postgresql-8.1 8.1.17-0etch1 [etch] - postgresql-7.4 (Minor issue) CVE-2008-6481 (SQL injection vulnerability in the Versioning component (com_versionin ...) NOT-FOR-US: Versioning component (com_versioning) in Joomla! and Mambo CVE-2009-0921 (Multiple heap-based buffer overflows in OvCgi/Toolbar.exe in HP OpenVi ...) NOT-FOR-US: HP Openview CVE-2009-0920 (Stack-based buffer overflow in OvCgi/Toolbar.exe in HP OpenView Networ ...) NOT-FOR-US: HP Openview CVE-2009-0919 (XAMPP installs multiple packages with insecure default passwords, whic ...) NOT-FOR-US: DFLabs PTK CVE-2009-0918 (Multiple unspecified vulnerabilities in DFLabs PTK 1.0.0 through 1.0.4 ...) NOT-FOR-US: DFLabs PTK CVE-2009-0917 (Cross-site scripting (XSS) vulnerability in DFLabs PTK 1.0.0 through 1 ...) NOT-FOR-US: DFLabs PTK CVE-2009-0916 (Unspecified vulnerability in Opera before 9.64 has unknown impact and ...) NOT-FOR-US: Opera CVE-2009-0915 (Opera before 9.64 allows remote attackers to conduct cross-domain scri ...) NOT-FOR-US: Opera CVE-2009-0914 (Opera before 9.64 allows remote attackers to execute arbitrary code vi ...) NOT-FOR-US: Opera CVE-2009-0913 (Unspecified vulnerability in the keysock kernel module in Solaris 10 a ...) NOT-FOR-US: Solaris CVE-2009-0912 (perl-MDK-Common 1.1.11 and 1.1.24, 1.2.9 through 1.2.14, and possibly ...) NOT-FOR-US: perl-MDK-Common CVE-2009-0911 RESERVED CVE-2008-6480 (Cross-site request forgery (CSRF) vulnerability in engine/modules/imag ...) NOT-FOR-US: Datalife Engine CVE-2008-6479 (Cross-site request forgery (CSRF) vulnerability in the "change passwor ...) NOT-FOR-US: swsoft CVE-2008-6478 (Cross-site request forgery (CSRF) vulnerability in the file manager in ...) NOT-FOR-US: swsoft CVE-2008-6477 (SQL injection vulnerability in Mumbo Jumbo Media OP4 allows remote att ...) NOT-FOR-US: Mumbo Jumbo Media CVE-2008-6476 (Cross-site scripting (XSS) vulnerability in blog/search.aspx in BlogEn ...) NOT-FOR-US: BlogEngine.NET CVE-2008-6475 (SQL injection vulnerability in the guestbook component (components/gue ...) NOT-FOR-US: Drake CMS CVE-2008-6474 (The management interface in F5 BIG-IP 9.4.3 allows remote authenticate ...) NOT-FOR-US: F5 BIG-IP CVE-2008-6473 (_blogadata/include/init_pass2.php in Blogator-script 0.95 allows remot ...) NOT-FOR-US: Blogator-script CVE-2009-0910 (Heap-based buffer overflow in the VNnc Codec in VMware Workstation 6.5 ...) NOT-FOR-US: VmWare CVE-2009-0909 (Heap-based buffer overflow in the VNnc Codec in VMware Workstation 6.5 ...) NOT-FOR-US: VmWare CVE-2009-0908 (Unspecified vulnerability in the ACE shared folders implementation in ...) NOT-FOR-US: VmWare CVE-2009-0907 REJECTED CVE-2009-0906 (The Service Component Architecture (SCA) feature pack for IBM WebSpher ...) NOT-FOR-US: IBM WebSphere CVE-2009-0905 (IBM WebSphere MQ 6.0 before 6.0.2.8 and 7.0 before 7.0.1.0 does not pr ...) NOT-FOR-US: IBM WebSphere CVE-2009-0904 (The IBM Stax XMLStreamWriter in the Web Services component in IBM WebS ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2009-0903 (IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.3, and the Fea ...) NOT-FOR-US: WebSphere CVE-2009-0902 RESERVED CVE-2009-0901 (The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 ...) NOT-FOR-US: Microsoft Visual Studio .NET CVE-2009-0900 (Heap-based buffer overflow in the client in IBM WebSphere MQ 6.0 befor ...) NOT-FOR-US: IBM WebSphere CVE-2009-0899 (IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.24 and 7.0 th ...) NOT-FOR-US: IBM WebSphere CVE-2009-0898 (Stack-based buffer overflow in HP OpenView Network Node Manager (OV NN ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2009-0897 (IBM WebSphere Partner Gateway (WPG) 6.1.0 before 6.1.0.1 and 6.1.1 bef ...) NOT-FOR-US: IBM WebSphere CVE-2009-0896 (Buffer overflow in the queue manager in IBM WebSphere MQ 6.x before 6. ...) NOT-FOR-US: IBM WebSphere CVE-2009-0895 (Integer overflow in Novell eDirectory 8.7.3.x before 8.7.3.10 ftf2 and ...) NOT-FOR-US: Novell eDirectory CVE-2009-0894 (Heap-based buffer overflow in the decoder_create function in the initi ...) - xvidcore (Fixed before initial release) CVE-2009-0893 (Multiple heap-based buffer overflows in xvidcore/src/decoder.c in the ...) - xvidcore (Fixed before initial release) CVE-2009-0892 (The administrative console in IBM WebSphere Application Server (WAS) 6 ...) NOT-FOR-US: IBM WebSphere CVE-2009-0891 (The Web Services Security component in IBM WebSphere Application Serve ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2009-0890 RESERVED CVE-2009-0889 (Heap-based buffer overflow in the JBIG2 filter in Adobe Reader 7 and A ...) NOT-FOR-US: Adobe Reader CVE-2009-0888 (Heap-based buffer overflow in the JBIG2 filter in Adobe Reader 7 and A ...) NOT-FOR-US: Adobe Reader CVE-2009-0887 (Integer signedness error in the _pam_StrTok function in libpam/pam_mis ...) - pam 1.0.1-10 (low; bug #520115) [lenny] - pam 1.0.1-5+lenny1 [etch] - pam 0.79-5+etch1 CVE-2009-0886 (Directory traversal vulnerability in login.php in OneOrZero Helpdesk 1 ...) NOT-FOR-US: OneOrZero Helpdesk CVE-2009-0885 (Multiple heap-based buffer overflows in Media Commands 1.0 allow remot ...) NOT-FOR-US: Media Commands CVE-2009-0884 (Buffer overflow in FileZilla Server before 0.9.31 allows remote attack ...) NOT-FOR-US: FileZilla Server (only client packaged in debian) CVE-2009-0883 (SQL injection vulnerability in Blue Eye CMS 1.0.0 and earlier, when ma ...) NOT-FOR-US: Blue Eye CMS CVE-2009-0882 (Multiple SQL injection vulnerabilities in nForum 1.5 allow remote atta ...) NOT-FOR-US: nForum CVE-2009-0881 (SQL injection vulnerability in ejemplo/paises.php in isiAJAX 1 allows ...) NOT-FOR-US: isiAJAX CVE-2009-0880 (Directory traversal vulnerability in the CIM server in IBM Director be ...) NOT-FOR-US: Windows CVE-2009-0879 (The CIM server in IBM Director before 5.20.3 Service Update 2 on Windo ...) NOT-FOR-US: Windows CVE-2009-0878 (The read_game_map function in src/terrain_translation.cpp in Wesnoth b ...) {DSA-1737-1} - wesnoth 1:1.4.7-4 CVE-2009-0877 (Multiple cross-site scripting (XSS) vulnerabilities in Sun Java System ...) NOT-FOR-US: Sun Java System Communications Express CVE-2009-0876 (Sun xVM VirtualBox 2.0.0, 2.0.2, 2.0.4, 2.0.6r39760, 2.1.0, 2.1.2, and ...) - virtualbox-ose (Vulnerable code not present, Debian version patches localconf) [lenny] - virtualbox-ose (lenny version doesn't install binaries with suid 0) CVE-2009-0875 (Race condition in the Doors subsystem in the kernel in Sun Solaris 8 t ...) NOT-FOR-US: Sun Solaris CVE-2009-0874 (Multiple unspecified vulnerabilities in the Doors subsystem in the ker ...) NOT-FOR-US: Sun Solaris CVE-2008-6472 (The WLCCP dissector in Wireshark 0.99.7 through 1.0.4 allows remote at ...) [etch] - wireshark (vulnerable code not present) [lenny] - wireshark 1.0.2-3+lenny3 - wireshark 1.0.5-1 (low; bug #506741) CVE-2008-6471 (SQL injection vulnerability in detail.php in MountainGrafix easyLink 1 ...) NOT-FOR-US: MountainGrafix easyLink CVE-2008-6470 (Multiple unspecified vulnerabilities in ClanSphere before 2008.2.1 all ...) NOT-FOR-US: ClanSphere CVE-2008-6469 (SQL injection vulnerability in index.php in PlainCart 1.1.2 allows rem ...) NOT-FOR-US: PlainCart CVE-2008-6468 (SQL injection vulnerability in index.php in Diesel Pay allows remote a ...) NOT-FOR-US: Diesel Pay CVE-2008-6467 (SQL injection vulnerability in jobs/jobseekers/job-info.php in Diesel ...) NOT-FOR-US: Diesel Pay CVE-2008-6466 (SQL injection vulnerability in image_gallery.php in the Akira Powered ...) NOT-FOR-US: e107 CVE-2008-6465 (Multiple cross-site scripting (XSS) vulnerabilities in login.php in we ...) NOT-FOR-US: Parallels H-Sphere CVE-2008-6464 (SQL injection vulnerability in event.php in Mevin Productions Basic PH ...) NOT-FOR-US: Mevin Productions Basic PHP Events Lister CVE-2008-6463 (SQL injection vulnerability in the Diocese of Portsmouth Church Search ...) NOT-FOR-US: Diocese of Portsmouth Church Search extension for TYPO3 CVE-2008-6462 (SQL injection vulnerability in the My quiz and poll (myquizpoll) exten ...) NOT-FOR-US: My quiz and poll CVE-2008-6461 (SQL injection vulnerability in the Random Prayer 2 (ste_prayer2) exten ...) NOT-FOR-US: TYPO3 addon Random Prayer CVE-2008-6460 (SQL injection vulnerability in the Simple Random Objects (mw_random_ob ...) NOT-FOR-US: TYPO3 addon Simple Random Objects CVE-2008-6459 (SQL injection vulnerability in the auto BE User Registration (autobeus ...) NOT-FOR-US: TYPO3 addon auto BE User Registration CVE-2008-6458 (SQL injection vulnerability in the FE address edit for tt_address & ...) NOT-FOR-US: TYPO3 addon CVE-2008-6457 (SQL injection vulnerability in the Swigmore institute (cgswigmore) ext ...) NOT-FOR-US: TYPO3 addon CVE-2008-6456 (SQL injection vulnerability in the HBook (h_book) extension 2.3.0 and ...) NOT-FOR-US: TYPO3 addon CVE-2008-6455 (Session fixation vulnerability in Edikon phpShop 0.8.1 allows remote a ...) NOT-FOR-US: Edikon phpShop CVE-2008-6454 (SQL injection vulnerability in section.php in 6rbScript 3.3 allows rem ...) NOT-FOR-US: 6rbScript CVE-2008-6453 (Directory traversal vulnerability in section.php in 6rbScript 3.3, whe ...) NOT-FOR-US: 6rbScript CVE-2008-6452 (SQL injection vulnerability in show_vote.php in Oceandir 2.9 and earli ...) NOT-FOR-US: Oceandir CVE-2008-6451 (SQL injection vulnerability in humor.php in jPORTAL 2 allows remote at ...) NOT-FOR-US: jPORTAL CVE-2009-0873 (The NFS daemon (aka nfsd) in Sun Solaris 10 and OpenSolaris before snv ...) NOT-FOR-US: Solaris CVE-2009-0872 (The NFS server in Sun Solaris 10, and OpenSolaris before snv_111, does ...) NOT-FOR-US: Solaris CVE-2009-0871 (The SIP channel driver in Asterisk Open Source 1.4.22, 1.4.23, and 1.4 ...) - asterisk (Vulnerable code introduced in 1.4.22) CVE-2009-0870 (The NFSv4 Server module in the kernel in Sun Solaris 10, and OpenSolar ...) NOT-FOR-US: Solaris CVE-2009-0869 (Buffer overflow in the client in IBM Tivoli Storage Manager (TSM) HSM ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2009-0868 (CRLF injection vulnerability in the WebLink template in Fujitsu Jasmin ...) NOT-FOR-US: Fujitsu Jasmine2000 Enterprise Edition CVE-2009-0867 (The HRM-S service in Fujitsu Enhanced Support Facility 3.0 and 3.0.1 a ...) NOT-FOR-US: Fujitsu Enhanced Support Facility CVE-2009-0866 (pHNews Alpha 1 stores sensitive information under the web root with in ...) NOT-FOR-US: pHNews CVE-2009-0865 (Directory traversal vulnerability in the SnapShotToFile method in the ...) NOT-FOR-US: GeoVision CVE-2009-0864 (S-Cms 1.1 Stable allows remote attackers to bypass authentication and ...) NOT-FOR-US: S-Cms CVE-2009-0863 (SQL injection vulnerability in admin/delete_page.php in S-Cms 1.1 Stab ...) NOT-FOR-US: S-Cms CVE-2009-0862 (Cross-site scripting (XSS) vulnerability in the hook_cntrlr_error_outp ...) NOT-FOR-US: TangoCMS CVE-2009-0861 (Cross-site scripting (XSS) vulnerability in phpDenora before 1.2.3 all ...) NOT-FOR-US: phpDenora CVE-2009-0860 (Cross-site scripting (XSS) vulnerability in the web user interface in ...) NOT-FOR-US: NetMRI CVE-2009-0859 (The shm_get_stat function in ipc/shm.c in the shm subsystem in the Lin ...) {DSA-1800-1 DSA-1794-1 DSA-1787-1} - linux-2.6 2.6.29-1 NOTE: All Debian kernels set CONFIG_SHMEM, so this is moot except NOTE: for locally modified configs and even for that I fail to NOTE: see why anyone would run a kernel w/o CONFIG_SHMEM? CVE-2009-0858 (The response_addname function in response.c in Daniel J. Bernstein djb ...) {DSA-1831-1} - djbdns 1:1.05-5 (low; bug #518169; bug #517631) CVE-2009-0857 (Cross-site scripting (XSS) vulnerability in /prm/reports in the Perfor ...) NOT-FOR-US: SunMC CVE-2009-0856 (Multiple cross-site scripting (XSS) vulnerabilities in sample applicat ...) NOT-FOR-US: IBM WebSphere CVE-2009-0855 (Cross-site scripting (XSS) vulnerability in the administrative console ...) NOT-FOR-US: IBM WebSphere CVE-2009-0853 (login.php in CelerBB 0.0.2, when magic_quotes_gpc is disabled, allows ...) NOT-FOR-US: CelerBB CVE-2009-0852 (showme.php in CelerBB 0.0.2 allows remote attackers to obtain "reserve ...) NOT-FOR-US: CelerBB CVE-2009-0851 (Multiple SQL injection vulnerabilities in CelerBB 0.0.2, when magic_qu ...) NOT-FOR-US: CelerBB CVE-2009-0850 (Cross-site scripting (XSS) vulnerability in BitDefender Internet Secur ...) NOT-FOR-US: BitDefender CVE-2009-0849 (Stack-based buffer overflow in the DtbClsLogin function in NovaStor No ...) NOT-FOR-US: NovaNET CVE-2009-0848 (Untrusted search path vulnerability in GTK2 in OpenSUSE 11.0 and 11.1 ...) - gtk+2.0 (suse specific patch) CVE-2009-0847 (The asn1buf_imbed function in the ASN.1 decoder in MIT Kerberos 5 (aka ...) {DSA-1766-1} - krb5 1.6.dfsg.4~beta1-13 [etch] - krb5 (Affected code present, but not exploitable before 1.6.3) CVE-2009-0846 (The asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c i ...) {DSA-1766-1} - krb5 1.6.dfsg.4~beta1-13 CVE-2009-0845 (The spnego_gss_accept_sec_context function in lib/gssapi/spnego/spnego ...) {DSA-1766-1} - krb5 1.6.dfsg.4~beta1-13 [etch] - krb5 (Vulnerable code was introduced in 1.5) CVE-2009-0844 (The get_input_token function in the SPNEGO implementation in MIT Kerbe ...) {DSA-1766-1} - krb5 1.6.dfsg.4~beta1-13 [etch] - krb5 (Vulnerable code was introduced in 1.5) CVE-2009-0843 (The msLoadQuery function in mapserv in MapServer 4.x before 4.10.4 and ...) {DSA-1914-1} - mapserver 5.2.2-1 (bug #523027) NOTE: this can only probe for files that are not present, useless when not NOTE: in combination with another attack CVE-2009-0842 (mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows rem ...) {DSA-1914-1} - mapserver 5.2.2-1 (low; bug #523027) CVE-2009-0841 (Directory traversal vulnerability in mapserv.c in mapserv in MapServer ...) {DSA-1914-1} - mapserver 5.2.2-1 (bug #523027) NOTE: this doesn't work under linux as the root from the directory traversal needs to exist CVE-2009-0840 (Heap-based buffer underflow in the readPostBody function in cgiutil.c ...) {DSA-1914-1} - mapserver 5.4.2-1 (medium; bug #523027) NOTE: Initial fix was incomplete CVE-2009-0839 (Stack-based buffer overflow in mapserv.c in mapserv in MapServer 4.x b ...) {DSA-1914-1} - mapserver 5.2.2-1 (medium; bug #523027) CVE-2009-0838 (The crypto pseudo device driver in Sun Solaris 10, and OpenSolaris snv ...) NOT-FOR-US: Solaris CVE-2009-0837 (Stack-based buffer overflow in Foxit Reader 3.0 before Build 1506, inc ...) NOT-FOR-US: Foxit Reader CVE-2009-0836 (Foxit Reader 2.3 before Build 3902 and 3.0 before Build 1506, includin ...) NOT-FOR-US: Foxit Reader CVE-2008-6450 (Cross-site scripting (XSS) vulnerability in Under Construction, Baby ( ...) NOT-FOR-US: Under Construction, Baby CVE-2008-6449 (Cross-site request forgery (CSRF) vulnerability in multiple Century Sy ...) NOT-FOR-US: Century Systems routers CVE-2008-6448 (Cross-site scripting (XSS) vulnerability in install.cgi in SKYARC Syst ...) NOT-FOR-US: SKYARC System MTCMS WYSIWYG Editor CVE-2008-6447 (Buffer overflow in emmailstore.dll 6.5.0.3 in the QuikSoft EasyMail Ma ...) NOT-FOR-US: QuikSoft EasyMail CVE-2008-6446 (Static code injection vulnerability in the Guestbook component in CMS ...) NOT-FOR-US: CMS MAXSITE CVE-2008-6445 (Unspecified vulnerability in YourPlace before 1.0.1 has unknown impact ...) NOT-FOR-US: YourPlace CVE-2008-6444 (Stack-based buffer overflow in CSTransfer.dll in Baidu Hi IM might all ...) NOT-FOR-US: Baidu Hi IM CVE-2008-6443 (SQL injection vulnerability in forum_duzen.php in phpKF allows remote ...) NOT-FOR-US: phpKF CVE-2008-6442 (Insecure method vulnerability in Sina Inc. DLoader Class ActiveX Contr ...) NOT-FOR-US: Sina Inc. DLoader Class ActiveX CVE-2008-6441 (Format string vulnerability in the Epic Games Unreal engine client, as ...) NOT-FOR-US: Epic Games Unreal engine client CVE-2008-6440 (Cerberus Helpdesk before 4.0 (Build 600) allows remote attackers to ob ...) NOT-FOR-US: Cerberus Helpdesk CVE-2008-6439 (Cross-site scripting (XSS) vulnerability in search_results.php in ABK- ...) NOT-FOR-US: ABK-Soft AbleDating CVE-2008-6438 (SQL injection vulnerability in macgurublog_menu/macgurublog.php in the ...) NOT-FOR-US: MacGuru BLOG Engine CVE-2008-6437 (Multiple cross-site scripting (XSS) vulnerabilities in PHPFreeForum 1. ...) NOT-FOR-US: PHPFreeForum CVE-2008-6436 (Cross-site scripting (XSS) vulnerability in the Web Server in Xerox Wo ...) NOT-FOR-US: Xerox WorkCentre CVE-2008-6435 (Multiple cross-site scripting (XSS) vulnerabilities in phpSQLiteCMS 1 ...) NOT-FOR-US: phpSQLiteCMS CVE-2008-6434 (SQL injection vulnerability in index.cfm in Blue River Interactive Gro ...) NOT-FOR-US: Blue River Interactive Group Sava CMS CVE-2008-6433 (Cross-site scripting (XSS) vulnerability in index.cfm in Blue River In ...) NOT-FOR-US: Blue River Interactive Group Sava CMS CVE-2008-6431 (Multiple cross-site scripting (XSS) vulnerabilities in BMForum 5.6 all ...) NOT-FOR-US: BMForum CVE-2008-6430 (SQL injection vulnerability in the MyContent (com_mycontent) component ...) NOT-FOR-US: Joomla! CVE-2008-6429 (SQL injection vulnerability in the PrayerCenter (com_prayercenter) com ...) NOT-FOR-US: Joomla! CVE-2008-6428 (The CGI framework in Kaya 0.4.0 allows remote attackers to inject arbi ...) - kaya 0.4.2-1 (low) [etch] - kaya (Minor issue) NOTE: the fix checks with a regex for malicious characters in the HTTP header, see CGI.k changes CVE-2008-6427 (SQL injection vulnerability in index.php in Hivemaker Professional 1.0 ...) NOT-FOR-US: Hivemaker Professional CVE-2008-6425 (SQL injection vulnerability in news.php in ComicShout 2.8 allows remot ...) NOT-FOR-US: ComicShout CVE-2008-6424 (Directory traversal vulnerability in FFFTP 1.96b allows remote FTP ser ...) NOT-FOR-US: FFFTP CVE-2008-6423 (Directory traversal vulnerability in passwiki.php in PassWiki 0.9.16 R ...) NOT-FOR-US: PassWiki CVE-2008-6422 (Multiple SQL injection vulnerabilities in PsychoStats 2.3, 2.3.1, and ...) NOT-FOR-US: PsychoStats CVE-2008-6421 (PHP remote file inclusion vulnerability in social_game_play.php in Soc ...) NOT-FOR-US: Social Site Generator CVE-2008-6420 (Social Site Generator (SSG) 2.0 allows remote attackers to read arbitr ...) NOT-FOR-US: Social Site Generator CVE-2008-6419 (Multiple SQL injection vulnerabilities in Social Site Generator (SSG) ...) NOT-FOR-US: Social Site Generator CVE-2008-6418 (SQL injection vulnerability in scrape.php in TorrentTrader before 2008 ...) NOT-FOR-US: TorrentTrader CVE-2008-6417 (Unspecified vulnerability in GreenSQL-Console before 0.3.5 allows atta ...) NOT-FOR-US: GreenSQL-Console CVE-2008-6416 (Multiple cross-site scripting (XSS) vulnerabilities in GreenSQL-Consol ...) NOT-FOR-US: GreenSQL-Console CVE-2009-0854 (Untrusted search path vulnerability in dash 0.5.4, when used as a logi ...) - dash (Debian uses upstream's patch to implement -l) CVE-2009-0835 (The __secure_computing function in kernel/seccomp.c in the seccomp sub ...) {DSA-1800-1} - linux-2.6 2.6.30-1 (low) [etch] - linux-2.6 (Not enabled in 2.6.18) - linux-2.6.24 [etch] - linux-2.6.24 (unimportant) NOTE: CONFIG_SECCOMP has only been enabled in 2.6.26 CVE-2009-0834 (The audit_syscall_entry function in the Linux kernel 2.6.28.7 and earl ...) {DSA-1800-1 DSA-1794-1 DSA-1787-1} - linux-2.6 2.6.29-1 (low) - linux-2.6.24 CVE-2009-0833 (Heap-based buffer overflow in gen_msn.dll in the gen_msn plugin 0.31 f ...) NOT-FOR-US: Winamp CVE-2009-0832 (SQL injection vulnerability in items.php in the E-Cart module 1.3 for ...) NOT-FOR-US: PHP-Fusion CVE-2009-0831 (SQL injection vulnerability in members.php in the Members CV (job) mod ...) NOT-FOR-US: PHP-Fusion CVE-2009-0830 (Cross-site scripting (XSS) vulnerability in QuoteBook allows remote at ...) NOT-FOR-US: QuoteBook CVE-2009-0829 (Multiple SQL injection vulnerabilities in QuoteBook allow remote attac ...) NOT-FOR-US: QuoteBook CVE-2009-0828 (QuoteBook stores quotes.inc under the web root with insufficient acces ...) NOT-FOR-US: QuoteBook CVE-2009-0827 (PollHelper stores poll.inc under the web root with insufficient access ...) NOT-FOR-US: PollHelper CVE-2009-0826 (BlogHelper stores common_db.inc under the web root with insufficient a ...) NOT-FOR-US: BlogHelper CVE-2009-0825 (SQL injection vulnerability in system/rss.php in TinX/cms 3.x before 3 ...) NOT-FOR-US: TinX/cms CVE-2009-0824 (Elaborate Bytes ElbyCDIO.sys 6.0.2.0 and earlier, as distributed in Sl ...) NOT-FOR-US: Elaborate Bytes ElbyCDIO.sys CVE-2009-0823 RESERVED CVE-2009-0822 RESERVED CVE-2008-6415 (Buffer overflow in YoungZSoft CCProxy 6.5 might allow remote attackers ...) NOT-FOR-US: CCProxy CVE-2008-6414 (SQL injection vulnerability in detail.php in AJ Auction Pro Platinum S ...) NOT-FOR-US: AJ Auction Pro Platinum CVE-2008-6413 (Cross-site scripting (XSS) vulnerability in the Answers module 5.x-1.x ...) NOT-FOR-US: Answers module for Drupal CVE-2008-6412 (Unspecified vulnerability in Vignette Content Management 7.3.0.5, 7.3. ...) NOT-FOR-US: Vignette Content Management CVE-2008-6411 (Explay CMS 2.1 and earlier allows remote attackers to bypass authentic ...) NOT-FOR-US: Explay CMS CVE-2008-6410 (Directory traversal vulnerability in show.php in ol'bookmarks manager ...) NOT-FOR-US: ol'bookmarks manager CVE-2008-6409 (SQL injection vulnerability in index.php in ol'bookmarks manager 0.7.5 ...) NOT-FOR-US: ol'bookmarks manager CVE-2008-6408 (PHP remote file inclusion vulnerability in frame.php in ol'bookmarks m ...) NOT-FOR-US: ol'bookmarks manager CVE-2008-6407 (Directory traversal vulnerability in frame.php in ol'bookmarks manager ...) NOT-FOR-US: ol'bookmarks manager CVE-2008-6406 (Cross-site scripting (XSS) vulnerability in admin.php in DataLife Engi ...) NOT-FOR-US: DataLife Engine CVE-2008-6405 (SQL injection vulnerability in showcategory.php in Hotscripts Clone al ...) NOT-FOR-US: Hotscripts Clone CVE-2008-6404 (Cross-site scripting (XSS) vulnerability in add_calendars.php in eXtro ...) NOT-FOR-US: eXtrovert Software Thyme CVE-2008-6403 (PHP remote file inclusion vulnerability in themes/default/include/html ...) NOT-FOR-US: OpenRat CVE-2008-6402 (PHP remote file inclusion vulnerability in hu/modules/reg-new/modstart ...) NOT-FOR-US: Sofi WebGui CVE-2008-6401 (SQL injection vulnerability in sayfa.php in JETIK-WEB allows remote at ...) NOT-FOR-US: JETIK-WEB CVE-2008-6400 (Cross-site scripting (XSS) vulnerability in refbase before 0.9.5 allow ...) NOT-FOR-US: refbase CVE-2008-6399 (Unspecified vulnerability in DotNetNuke 4.5.2 through 4.9 allows remot ...) NOT-FOR-US: DotNetNuke CVE-2009-0821 (Mozilla Firefox 2.0.0.20 and earlier allows remote attackers to cause ...) - iceweasel (unimportant) NOTE: Browser DoS not treated as security issues CVE-2009-0820 (Multiple eval injection vulnerabilities in phpScheduleIt before 1.2.11 ...) NOT-FOR-US: phpScheduleIt CVE-2009-0819 (sql/item_xmlfunc.cc in MySQL 5.1 before 5.1.32 and 6.0 before 6.0.10 a ...) - mysql-dfsg-5.0 (Vulnerable code introduced in 5.1.5) - mysql-5.1 5.1.32-1 CVE-2009-0818 (Cross-site scripting (XSS) vulnerability in the taxonomy_theme_admin_t ...) NOT-FOR-US: Taxonomy Theme module for Drupal CVE-2009-0817 (Cross-site scripting (XSS) vulnerability in the Protected Node module ...) NOT-FOR-US: Protected Node module for Drupal CVE-2009-0816 (Multiple cross-site scripting (XSS) vulnerabilities in the backend use ...) {DTSA-193-1} - typo3-src 4.2.6-1 (low; bug #514713) [etch] - typo3-src 4.0.2+debian-8 CVE-2009-0815 (The jumpUrl mechanism in class.tslib_fe.php in TYPO3 3.3.x through 3.8 ...) {DTSA-193-1} - typo3-src 4.2.6-1 (medium; bug #514713) [etch] - typo3-src 4.0.2+debian-8 CVE-2009-0814 (Cross-site scripting (XSS) vulnerability in Widgets.aspx in Blogsa 1.0 ...) NOT-FOR-US: Blogsa CVE-2009-0813 (Insecure method vulnerability in the ImeraIEPlugin ActiveX control (Im ...) NOT-FOR-US: ActiveX CVE-2009-0812 (Stack-based buffer overflow in BreakPoint Software Hex Workshop 4.23, ...) NOT-FOR-US: BreakPoint Software Hex Workshop CVE-2009-0811 (Insecure method vulnerability in the SopCast SopCore ActiveX control i ...) NOT-FOR-US: ActiveX CVE-2009-0810 (SQL injection vulnerability in login.php in xGuestbook 2.0 allows remo ...) NOT-FOR-US: xGuestbook CVE-2009-0809 (The Web Editor in Dassault Systemes ENOVIA SmarTeam V5 before Release ...) NOT-FOR-US: Dassault Systemes ENOVIA SmarTeam CVE-2009-0808 (Multiple SQL injection vulnerabilities in SimpleCMMS before 0.1.0 allo ...) NOT-FOR-US: SimpleCMMS CVE-2009-0807 (zFeeder 1.6 allows remote attackers to gain administrative access via ...) NOT-FOR-US: zFeeder CVE-2009-0806 (Unspecified vulnerability in OpenGoo before 1.2.1 allows remote authen ...) NOT-FOR-US: OpenGoo CVE-2009-0805 (Cross-site scripting (XSS) vulnerability in piCal 0.91h and earlier, a ...) NOT-FOR-US: piCal CVE-2009-0804 (Ziproxy 2.6.0, when transparent interception mode is enabled, uses the ...) - ziproxy 2.7.2-1 (low; bug #521051) [lenny] - ziproxy (Minor issue) CVE-2009-0803 (SmoothWall SmoothGuardian, as used in SmoothWall Firewall, NetworkGuar ...) NOT-FOR-US: SmoothWall CVE-2009-0802 (Qbik WinGate, when transparent interception mode is enabled, uses the ...) NOT-FOR-US: Qbik WinGate CVE-2009-0801 (Squid, when transparent interception mode is enabled, uses the HTTP Ho ...) - squid 4.1-1 (unimportant; bug #521053) - squid3 3.3.3-1 (unimportant; bug #521052) NOTE: This only affects HTTP connections and only in transparent mode NOTE: Also, same origin validations in the browsers still apply and keep this mostly harmless NOTE: http://marc.info/?l=squid-dev&m=123542836103750&w=4 CVE-2009-0800 (Multiple "input validation flaws" in the JBIG2 decoder in Xpdf 3.02pl2 ...) {DSA-1793-1 DSA-1790-1} - poppler 0.10.6-1 (medium; bug #524806) [lenny] - poppler 0.8.7-2 - xpdf 3.02-1.4+lenny1 (medium; bug #524809) [squeeze] - xpdf 3.02-1.4+lenny1 - kdegraphics 4:4.0 (medium; bug #524810) - swftools 0.9.2+ds1-2 CVE-2009-0799 (The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, ...) {DSA-1793-1 DSA-1790-1} - poppler 0.10.6-1 (medium; bug #524806) [lenny] - poppler 0.8.7-2 - xpdf 3.02-1.4+lenny1 (medium; bug #524809) [squeeze] - xpdf 3.02-1.4+lenny1 - kdegraphics 4:4.0 (medium; bug #524810) - swftools 0.9.2+ds1-2 CVE-2009-0798 (ACPI Event Daemon (acpid) before 1.0.10 allows remote attackers to cau ...) {DSA-1786-1} - acpid 1.0.10-1 (medium) CVE-2009-0797 REJECTED CVE-2009-0796 (Cross-site scripting (XSS) vulnerability in Status.pm in Apache::Statu ...) - libapache2-mod-perl2 2.0.4-6 (low; bug #567635) [lenny] - libapache2-mod-perl2 2.0.4-5+lenny1 - apache [etch] - apache (minor issue) CVE-2009-0795 REJECTED CVE-2009-0794 (Integer overflow in the PulseAudioTargetDataL class in src/java/org/cl ...) - openjdk-6 6b16-1 [lenny] - openjdk-6 (no PulseAudio support included) CVE-2009-0793 (cmsxform.c in LittleCMS (aka lcms or liblcms) 1.18, as used in OpenJDK ...) {DSA-1769-1} - openjdk-6 6b16-1 - lcms 1.18.dfsg-1.1 (low; bug #530785) [lenny] - lcms (Minor issue) [etch] - lcms (Minor issue) CVE-2009-0792 (Multiple integer overflows in icc.c in the International Color Consort ...) {DSA-2080-1 DTSA-198-1} - argyll 1.0.3-3 (medium; bug #523472; bug #524802) - ghostscript 8.64~dfsg-1.1 (medium; bug #524915) - gs-gpl (medium; bug #561717) CVE-2009-0791 (Multiple integer overflows in Xpdf 2.x and 3.x and Poppler 0.x, as use ...) - cupsys (medium; bug #535488) - cups 1.3.10-1 (medium; bug #535489) [etch] - cupsys (pdftops source included, but not built) [lenny] - cups (pdftops source included, but not built) CVE-2009-0790 (The pluto IKE daemon in Openswan and Strongswan IPsec 2.6 before 2.6.2 ...) {DSA-1760-1 DSA-1759-1} - openswan 1:2.6.21+dfsg-1 (medium; bug #521949) - strongswan 4.2.14-1 (medium; bug #521950) CVE-2009-0789 (OpenSSL before 0.9.8k on WIN64 and certain other platforms does not pr ...) - openssl (only non-Debian architectures affected) CVE-2009-0788 (Red Hat Network (RHN) Satellite Server 5.3 and 5.4 does not properly r ...) NOT-FOR-US: Red Hat Network Satellite Server CVE-2009-0787 (The ecryptfs_write_metadata_to_contents function in the eCryptfs funct ...) - linux-2.6 2.6.29-1 (medium; bug #529326) [etch] - linux-2.6 (ecryptfs was merged in 2.6.19) [lenny] - linux-2.6 (vulnerable code introduced in 2.6.28) - linux-2.6.24 (vulnerabile code introduced in 2.6.28) CVE-2009-0786 REJECTED CVE-2009-0785 RESERVED CVE-2009-0784 (Race condition in the SystemTap stap tool 0.0.20080705 and 0.0.2009031 ...) {DSA-1755-1} - systemtap 0.0.20090314-2 [etch] - systemtap (vulnerable code not present) CVE-2009-0783 (Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 th ...) {DSA-2207-1} - tomcat5.5 (low; bug #532366) - tomcat6 6.0.20-1 (low; bug #532362) [lenny] - tomcat6 (Only ships the servlet package) - tomcat5 (low; bug #532363) CVE-2009-0782 REJECTED CVE-2009-0781 (Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the ca ...) {DSA-2207-1} - tomcat5.5 (unimportant; bug #532366) - tomcat6 6.0.20-1 (unimportant; bug #532362) - tomcat5 (unimportant; bug #532363) NOTE: Just examples on how to use Tomcat, not for production CVE-2009-0780 (The aspath_prepend function in rde_attr.c in bgpd in OpenBSD 4.3 and 4 ...) NOT-FOR-US: openbsd CVE-2009-0779 (Buffer overflow in pppdial in IBM AIX 5.3 and 6.1 allows local users t ...) NOT-FOR-US: IBM AIX CVE-2009-0778 (The icmp_send function in net/ipv4/icmp.c in the Linux kernel before 2 ...) - linux-2.6 (Issue was introduced after 2.6.24 release and fixed before release of 2.6.25) - linux-2.6.24 (Issue was introduced after 2.6.24 release and fixed before release of 2.6.25) CVE-2009-0777 (Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonk ...) - iceweasel 3.0.7-1 (low; bug #576466) [lenny] - iceweasel (minor issue) [etch] - iceweasel (Etch Packages no longer covered by security support) CVE-2009-0776 (nsIRDFService in Mozilla Firefox before 3.0.7, Thunderbird before 2.0. ...) {DSA-1830-1 DSA-1751-1} - icedove 2.0.0.22-1 (bug #535124) [squeeze] - icedove 2.0.0.22-0lenny1 - iceweasel 3.0 [etch] - iceweasel (Etch Packages no longer covered by security support) NOTE: Iceweasel in Lenny links against Xulrunner - xulrunner 1.9.0.7-1 [etch] - xulrunner (Etch Packages no longer covered by security support) - kompozer 1:0.8~alpha2+dfsg+svn129-3 CVE-2009-0775 (Double free vulnerability in Mozilla Firefox before 3.0.7, Thunderbird ...) {DSA-1751-1} - xulrunner 1.9.0.7-1 [etch] - xulrunner (Vulnerable code not present) CVE-2009-0774 (The layout engine in Mozilla Firefox 2 and 3 before 3.0.7, Thunderbird ...) {DSA-1830-1 DSA-1751-1} - icedove 2.0.0.22-1 (bug #535124) [squeeze] - icedove 2.0.0.22-0lenny1 - iceweasel 3.0 [etch] - iceweasel (Etch Packages no longer covered by security support) NOTE: Iceweasel in Lenny links against Xulrunner - xulrunner 1.9.0.7-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-0773 (The JavaScript engine in Mozilla Firefox before 3.0.7, Thunderbird bef ...) {DSA-1830-1 DSA-1751-1} - icedove 2.0.0.22-1 (bug #535124) [squeeze] - icedove 2.0.0.22-0lenny1 - xulrunner 1.9.0.7-1 [etch] - xulrunner (Vulnerable code not present) CVE-2009-0772 (The layout engine in Mozilla Firefox 2 and 3 before 3.0.7, Thunderbird ...) {DSA-1830-1 DSA-1751-1} - icedove 2.0.0.22-1 (bug #535124) [squeeze] - icedove 2.0.0.22-0lenny1 - iceweasel 3.0 [etch] - iceweasel (Etch Packages no longer covered by security support) NOTE: Iceweasel in Lenny links against Xulrunner - xulrunner 1.9.0.7-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-0771 (The layout engine in Mozilla Firefox before 3.0.7, Thunderbird before ...) {DSA-1830-1 DSA-1751-1} - icedove 2.0.0.22-1 (bug #535124) [squeeze] - icedove 2.0.0.22-0lenny1 - xulrunner 1.9.0.7-1 [etch] - xulrunner (Vulnerable code not present) - kompozer 1:0.8~alpha2+dfsg+svn129-1 CVE-2009-0769 (QIP 2005 build 8082 allows remote attackers to cause a denial of servi ...) NOT-FOR-US: QIP CVE-2009-0768 (SQL injection vulnerability in forumhop.php in YapBB 1.2 and earlier a ...) NOT-FOR-US: YapBB CVE-2009-0767 (Kipper 2.01 stores sensitive information under the web root with insuf ...) NOT-FOR-US: Kipper CVE-2009-0766 (Directory traversal vulnerability in default.php in Kipper 2.01 allows ...) NOT-FOR-US: Kipper CVE-2009-0765 (Directory traversal vulnerability in index.php in Kipper 2.01 allows r ...) NOT-FOR-US: Kipper CVE-2009-0764 (Multiple cross-site scripting (XSS) vulnerabilities in Kipper 2.01 all ...) NOT-FOR-US: Kipper CVE-2009-0763 (Cross-site scripting (XSS) vulnerability in default.php in Kipper 2.01 ...) NOT-FOR-US: Kipper CVE-2009-0762 (Cross-site scripting (XSS) vulnerability in ScriptsEz Ez PHP Comment a ...) NOT-FOR-US: ScriptsEz Ez PHP Comment CVE-2009-0761 (Cross-site scripting (XSS) vulnerability in online.asp in Team Board 1 ...) NOT-FOR-US: Team Board CVE-2009-0760 (Team Board 1.x and 2.x stores sensitive information under the web root ...) NOT-FOR-US: Team Board CVE-2009-0759 (Multiple CRLF injection vulnerabilities in webadmin in ZNC before 0.06 ...) {DSA-1735-1} - znc 0.066-1 (bug #516950) CVE-2009-0758 (The originates_from_local_legacy_unicast_socket function in avahi-core ...) {DSA-2086-1} - avahi 0.6.24-3 (low; bug #517683) [etch] - avahi (Minor issue) NOTE: reflector is off by default CVE-2009-0757 (Multiple buffer overflows in GNU MPFR 2.4.0 allow context-dependent at ...) - mpfr 2.4.0-5 (low; bug #527475) [lenny] - mpfr (Vulnerable code not yet present) [etch] - mpfr (Vulnerable code not yet present) CVE-2009-0756 (The JBIG2Stream::readSymbolDictSeg function in Poppler before 0.10.4 a ...) - poppler 0.10.6-1 (low; bug #518478) [lenny] - poppler 0.8.7-2 [etch] - poppler (Application crash only, could be fixed with further issues) NOTE: poppler in lenny fixed in batch of CVEs pushed out in 5.0.2 release CVE-2009-0755 (The FormWidgetChoice::loadDefaults function in Poppler before 0.10.4 a ...) {DSA-1941-1} - poppler 0.10.6-1 (low; bug #518478) [lenny] - poppler (Application crash only, could be fixed with further issues) [etch] - poppler (vulnerable code not present; forms introduced after 0.4.5) CVE-2009-0754 (PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows l ...) {DSA-1789-1} - php4 (low) - php5 5.2.9.dfsg.1-2 (low; bug #523049) CVE-2008-6398 (sng_regress in SNG 1.0.2 allows local users to overwrite arbitrary fil ...) - sng 1.0.2-6 (bug #496407; unimportant) CVE-2008-6397 (rlatex in AlcoveBook sgml2x 1.0.0 allows local users to overwrite arbi ...) - sgml2x 1.0.0-11.2 (bug #496368; low) [etch] - sgml2x (Minor issue) CVE-2008-6396 (Cross-site scripting (XSS) vulnerability in account.php in Celerondude ...) NOT-FOR-US: Celerondude Uploader CVE-2008-6395 (The web management interface in 3Com Wireless 8760 Dual Radio 11a/b/g ...) NOT-FOR-US: web management interface in 3Com Wireless CVE-2008-6394 (SQL injection vulnerability in core/user.php in CS-Cart 1.3.5 and earl ...) NOT-FOR-US: CS-Cart CVE-2008-6393 (PSI Jabber client before 0.12.1 allows remote attackers to cause a den ...) {DSA-1741-1} - psi 0.12.1-1 (low; bug #518468) [etch] - psi (Vulnerable code not present) CVE-2009-0752 (Unspecified vulnerability in Movable Type Pro and Community Solution 4 ...) - movabletype-opensource (bug #518469) NOTE: http://www.sixapart.com/pipermail/mtos-dev/2009-March/002677.html CVE-2009-0751 (Yaws before 1.80 allows remote attackers to cause a denial of service ...) {DSA-1740-1} - yaws 1.80-1 CVE-2009-0750 (SQL injection vulnerability in login.php in the smNews example script ...) NOT-FOR-US: txtSQL CVE-2008-6392 (SQL injection vulnerability in showads.php in Z1Exchange allows remote ...) NOT-FOR-US: Z1Exchange CVE-2008-6391 (SQL injection vulnerability in main.asp in Jbook allows remote attacke ...) NOT-FOR-US: Jbook CVE-2008-6390 (SQL injection vulnerability in login.asp in Ocean12 Membership Manager ...) NOT-FOR-US: Ocean12 Membership Manager Pro CVE-2008-6389 (SQL injection vulnerability in asadmin/default.asp in Rae Media Contac ...) NOT-FOR-US: Rae Media Contact Management Software CVE-2008-6388 (Rapid Classified 3.1 and 3.15 stores sensitive information under the w ...) NOT-FOR-US: Rapid Classified CVE-2008-6387 (Quick Tree View .NET 3.1 stores sensitive information under the web ro ...) NOT-FOR-US: Quick Tree View .NET CVE-2008-6386 (Cross-site scripting (XSS) vulnerability in showads.php in Z1Exchange ...) NOT-FOR-US: Z1Exchange CVE-2008-6385 (Cross-site scripting (XSS) vulnerability in index.php in W3matter RevS ...) NOT-FOR-US: W3matter RevSense CVE-2008-6384 (Multiple cross-site request forgery (CSRF) vulnerabilities in Comment ...) NOT-FOR-US: Comment Mail CVE-2008-6383 (SQL injection vulnerability in SpeedTech Organization and Resource Man ...) NOT-FOR-US: SpeedTech Organization and Resource Manager CVE-2008-6382 (ASP Portal 3.2.5 stores sensitive information under the web root with ...) NOT-FOR-US: ASP Portal CVE-2008-6381 (SQL injection vulnerability in modules/adresses/viewcat.php in bcoos 1 ...) NOT-FOR-US: bcoos CVE-2008-6380 (SQL injection vulnerability in default.aspx in Active Web Helpdesk 2.0 ...) NOT-FOR-US: Active Web Helpdesk CVE-2008-6379 (SQL injection vulnerability in pics_pre.asp in Gallery MX 2.0.0 allows ...) NOT-FOR-US: Gallery MX CVE-2008-6378 (SQL injection vulnerability in calendar_Eventupdate.asp in Calendar Mx ...) NOT-FOR-US: Calendar Mx Professional CVE-2008-6377 (PHP remote file inclusion vulnerability in include/global.php in Multi ...) NOT-FOR-US: Multi SEO phpBB CVE-2008-6376 (SQL injection vulnerability in main.asp in Jbook allows remote attacke ...) NOT-FOR-US: Jbook CVE-2008-6375 (JBook stores sensitive information under the web root with insufficien ...) NOT-FOR-US: JBook CVE-2008-6374 (CodefixerSoftware MailingListPro Free Edition stores sensitive informa ...) NOT-FOR-US: MailingListPro Free Edition CVE-2008-6373 (Unspecified vulnerability in Nagios before 3.0.6 has unspecified impac ...) - nagios3 3.0.6-3 [etch] - nagios2 (Related to CVE-2008-5028, which has minimal attack vector) CVE-2008-6372 (SQL injection vulnerability in default.asp in Ocean12 FAQ Manager Pro ...) NOT-FOR-US: Ocean12 FAQ Manager Pro CVE-2008-6371 (SQL injection vulnerability in login.asp in Ocean12 Membership Manager ...) NOT-FOR-US: Ocean12 Membership Manager Pro CVE-2008-6370 (Cross-site scripting (XSS) vulnerability in default.asp in Ocean12 Con ...) NOT-FOR-US: Ocean12 Contact Manager Pro CVE-2008-6369 (SQL injection vulnerability in default.asp in Ocean12 Contact Manager ...) NOT-FOR-US: Ocean12 Contact Manager Pro CVE-2008-6368 (SQL injection vulnerability in index.php in Chipmunk Guestbook 1.4m al ...) NOT-FOR-US: Chipmunk Guestbook CVE-2008-6367 (Unrestricted file upload vulnerability in Photos/create_album.php in S ...) NOT-FOR-US: Social Groupie CVE-2008-6366 (SQL injection vulnerability in logon.jsp in Ad Server Solutions Affili ...) NOT-FOR-US: Ad Server Solutions Affiliate Software Java CVE-2008-6365 (SQL injection vulnerability in logon.jsp in Ad Server Solutions Ad Man ...) NOT-FOR-US: Ad Server Solutions Ad Management Software Java CVE-2008-6364 (SQL injection vulnerability in logon_process.jsp in Ad Server Solution ...) NOT-FOR-US: Ad Server Solutions Banner Exchange Solution Java CVE-2008-6363 (Stack-based buffer overflow in DesignWorks Professional 4.3.1 and 5.0. ...) NOT-FOR-US: DesignWorks Professional CVE-2008-6362 (SQL injection vulnerability in sitepage.php in Multiple Membership Scr ...) NOT-FOR-US: Multiple Membership Script CVE-2008-6361 (Directory traversal vulnerability in index.php in InSun Feed CMS 1.7.3 ...) NOT-FOR-US: InSun Feed CMS CVE-2008-6360 (Cross-site scripting (XSS) vulnerability in the userranks feature in m ...) NOT-FOR-US: ImpressCMS CVE-2008-6359 (Cross-site scripting (XSS) vulnerability in index.php in Max's Guestbo ...) NOT-FOR-US: Max's Guestbook CVE-2008-6358 (SQL injection vulnerability in group_index.php in Social Groupie allow ...) NOT-FOR-US: Social Groupie CVE-2008-6357 (MyCal Personal Events Calendar stores sensitive information under the ...) NOT-FOR-US: MyCal Personal Events Calendar CVE-2008-6356 (evCal Events Calendar stores sensitive information under the web root ...) NOT-FOR-US: evCal Events Calendar CVE-2008-6355 (The Net Guys ASPired2Protect stores sensitive information under the we ...) NOT-FOR-US: ASPired2poll CVE-2008-6354 (The Net Guys ASPired2poll stores sensitive information under the web r ...) NOT-FOR-US: ASPired2poll CVE-2008-6353 (SQL injection vulnerability in index.asp in ASP-CMS 1.0 allows remote ...) NOT-FOR-US: ASP-CMS CVE-2008-6352 (SQL injection vulnerability in home.html in Xpoze Pro 4.10 allows remo ...) NOT-FOR-US: Xpoze Pro CVE-2008-6351 (Cross-site scripting (XSS) vulnerability in listtest.php in TurnkeyFor ...) NOT-FOR-US: TurnkeyForms Local Classifieds CVE-2008-6350 (SQL injection vulnerability in listtest.php in TurnkeyForms Local Clas ...) NOT-FOR-US: TurnkeyForms Local Classifieds CVE-2008-6349 (SQL injection vulnerability in survey_results_text.php in TurnkeyForms ...) NOT-FOR-US: TurnkeyForms Business Survey Pro CVE-2008-6348 (Multiple SQL injection vulnerabilities in DevelopItEasy Photo Gallery ...) NOT-FOR-US: DevelopItEasy Photo Gallery CVE-2008-6347 (PHP remote file inclusion vulnerability in lib/onguma.class.php in the ...) NOT-FOR-US: Onguma Time Sheet component for Joomla! CVE-2009-0748 (The ext4_fill_super function in fs/ext4/super.c in the Linux kernel 2. ...) {DSA-1749-1} - linux-2.6 2.6.29-1 (low) [etch] - linux-2.6 (ext4 not yet present) - linux-2.6.24 (low) NOTE: Since the feature is experimental until 2.6.27, I don't think we need to fix this CVE-2009-0747 (The ext4_isize function in fs/ext4/ext4.h in the Linux kernel 2.6.27 b ...) {DSA-1749-1} - linux-2.6 2.6.28-2 (low) [etch] - linux-2.6 (ext4 not yet present) - linux-2.6.24 (low) NOTE: Since the feature is experimental until 2.6.27, I don't think we need to fix this CVE-2009-0746 (The make_indexed_dir function in fs/ext4/namei.c in the Linux kernel 2 ...) {DSA-1749-1} - linux-2.6 2.6.28-1 (low) [etch] - linux-2.6 (ext4 not yet present) - linux-2.6.24 (low) NOTE: Since the feature is experimental until 2.6.27, I don't think we need to fix this CVE-2009-0745 (The ext4_group_add function in fs/ext4/resize.c in the Linux kernel 2. ...) {DSA-1787-1 DSA-1749-1} - linux-2.6 2.6.29-1 (low) [etch] - linux-2.6 (ext4 not yet present) - linux-2.6.24 (low) NOTE: Since the feature is experimental until 2.6.27, I don't think we need to fix this CVE-2009-0744 (Apple Safari 4 Beta build 528.16 allows remote attackers to cause a de ...) NOT-FOR-US: Apple Safari CVE-2009-0743 (Cross-site scripting (XSS) vulnerability in the edit account page in t ...) NOT-FOR-US: Cisco Unified MeetingPlace Web Conferencing CVE-2009-0742 (The username command in Cisco ACE Application Control Engine Module fo ...) NOT-FOR-US: Cisco CVE-2008-6346 (Cross-site scripting (XSS) vulnerability in the DR Wiki (dr_wiki) exte ...) NOT-FOR-US: DR Wiki extension for TYPO3 CVE-2008-6345 (SQL injection vulnerability in Forum.php in SolarCMS 0.53.8 and 1.0 al ...) NOT-FOR-US: SolarCMS CVE-2008-6344 (SQL injection vulnerability in the TU-Clausthal Staff (tuc_staff) 0.3. ...) NOT-FOR-US: TU-Clausthal Staff extension for TYPO3 CVE-2008-6343 (Cross-site scripting (XSS) vulnerability in the TU-Clausthal ODIN (tuc ...) NOT-FOR-US: TU-Clausthal ODIN extension for TYPO3 CVE-2008-6342 (Unspecified vulnerability in the TYPO3 Simple File Browser (simplefile ...) NOT-FOR-US: Simple File Browser extension for TYPO3 CVE-2008-6341 (Cross-site scripting (XSS) vulnerability in the SB Universal Plugin (S ...) NOT-FOR-US: SB Universal Plugin extension for TYPO3 CVE-2008-6340 (Cross-site scripting (XSS) vulnerability in the Vox populi (mv_vox_pop ...) NOT-FOR-US: Vox populi extension for TYPO3 CVE-2008-6338 (SQL injection vulnerability in the WEBERkommunal Facilities (wes_facil ...) NOT-FOR-US: WEBERkommunal Facilities extension for TYPO3 CVE-2008-6337 (SQL injection vulnerability in the Volunteer Management System (com_vo ...) NOT-FOR-US: Volunteer Management System module for Joomla! CVE-2008-6336 (Directory traversal vulnerability in download.php in Text Lines Rearra ...) NOT-FOR-US: Text Lines Rearrange Script CVE-2008-6335 (Directory traversal vulnerability in download.php in eMetrix Online Ke ...) NOT-FOR-US: eMetrix Online Keyword Research Tool CVE-2008-6334 (Directory traversal vulnerability in download.php in eMetrix Extract W ...) NOT-FOR-US: eMetrix Extract Website CVE-2008-6333 (SQL injection vulnerability in news.php in RSS Simple News (RSSSN), wh ...) NOT-FOR-US: RSS Simple News CVE-2008-6332 (SQL injection vulnerability in login.php in Simple Customer 1.2 allows ...) NOT-FOR-US: Simple Customer CVE-2008-6331 (Multiple cross-site request forgery (CSRF) vulnerabilities in Streber ...) NOT-FOR-US: Streber CVE-2008-6330 (SQL injection vulnerability in index.php in MyTopix 1.3.0 and earlier ...) NOT-FOR-US: MyTopix CVE-2008-6329 (SQL injection vulnerability in Employee/login.asp in Pre ASP Job Board ...) NOT-FOR-US: Pre ASP Job Board CVE-2008-6328 (SQL injection vulnerability in view.php in Butterfly Organizer 2.0.0 a ...) NOT-FOR-US: Butterfly Organizer CVE-2008-6327 (SQL injection vulnerability in index.php in ProQuiz 1.0 allows remote ...) NOT-FOR-US: ProQuiz CVE-2008-6326 (SQL injection vulnerability in login.php in Simple Customer as downloa ...) NOT-FOR-US: Simple Customer CVE-2008-6325 (Multiple cross-site scripting (XSS) vulnerabilities in Softbiz Classif ...) NOT-FOR-US: Softbiz Classifieds Script CVE-2008-6324 (SQL injection vulnerability in forummessages.cfm in CF_Forum allows re ...) NOT-FOR-US: CF_Forum CVE-2008-6323 (SQL injection vulnerability in forummessages.cfm in CFMSource CF_Aucti ...) NOT-FOR-US: CFMSource CF_Auction CVE-2008-6322 (SQL injection vulnerability in index.cfm in CFMSource CFMBlog allows r ...) NOT-FOR-US: CFMSource CFMBlog CVE-2008-6321 (CF Shopkart 5.2.2 stores cfshopkart52.mdb under the web root with insu ...) NOT-FOR-US: CF Shopkart CVE-2008-6320 (SQL injection vulnerability in index.cfm in CF Shopkart 5.2.2 allows r ...) NOT-FOR-US: CF Shopkart CVE-2008-6319 (SQL injection vulnerability in calendarevent.cfm in CF_Calendar allows ...) NOT-FOR-US: CF_Calendar CVE-2008-6318 (PHP remote file inclusion vulnerability in _conf/_php-core/common-tpl- ...) NOT-FOR-US: PHPmyGallery CVE-2008-6317 (Directory traversal vulnerability in _conf/_php-core/common-tpl-vars.p ...) NOT-FOR-US: PHPmyGallery CVE-2008-6316 (Directory traversal vulnerability in _conf/core/common-tpl-vars.php in ...) NOT-FOR-US: PHPmyGallery CVE-2008-6315 (PHP remote file inclusion vulnerability in _conf/core/common-tpl-vars. ...) NOT-FOR-US: PHPmyGallery CVE-2008-6314 (SQL injection vulnerability in tag_board.php in the Tag Board module 4 ...) NOT-FOR-US: Tag Board module CVE-2008-6313 (Directory traversal vulnerability in addedit-render.php in phpAddEdit ...) NOT-FOR-US: phpAddEdit CVE-2008-6312 (SQL injection vulnerability in index.php in ProQuiz 1.0 allows remote ...) NOT-FOR-US: ProQuiz CVE-2008-6311 (SQL injection vulnerability in view.php in Butterfly Organizer 2.0.1 a ...) NOT-FOR-US: Butterfly Organizer CVE-2008-6310 (SQL injection vulnerability in index.php in W3matter RevSense 1.0 allo ...) NOT-FOR-US: W3matter RevSense CVE-2008-6309 (SQL injection vulnerability in index.php in W3matter AskPert allows re ...) NOT-FOR-US: W3matter AskPert CVE-2008-6308 (Multiple directory traversal vulnerabilities in Private Messaging Syst ...) NOT-FOR-US: Private Messaging System CVE-2008-6307 (E-topbiz Link Back Checker 1 allows remote attackers to bypass authent ...) NOT-FOR-US: E-topbiz Link Back Checker CVE-2008-6306 (Cross-site scripting (XSS) vulnerability in signinform.php in Softbiz ...) NOT-FOR-US: Softbiz Classifieds Script CVE-2008-6305 (PHP remote file inclusion vulnerability in init.php in Free Directory ...) NOT-FOR-US: Free Directory Script CVE-2008-6304 (SQL injection vulnerability in xt:Commerce before 3.0.4 Sp2.1, when ma ...) NOT-FOR-US: xt:Commerce CVE-2008-6303 (SQL injection vulnerability in tourview.php in ToursManager allows rem ...) NOT-FOR-US: ToursManager CVE-2008-6302 (TurnkeyForms Local Classifieds allows remote attackers to bypass authe ...) NOT-FOR-US: TurnkeyForms Local Classifieds CVE-2008-6301 (SQL injection vulnerability in shoutbox_view.php in the Small ShoutBox ...) NOT-FOR-US: Small ShoutBox module CVE-2008-6300 (Galatolo WebManager 1.3a allows remote attackers to bypass authenticat ...) NOT-FOR-US: Galatolo WebManager CVE-2008-6299 (Multiple cross-site scripting (XSS) vulnerabilities in Joomla! 1.5.7 a ...) NOT-FOR-US: Joomla! CVE-2008-6298 (Unspecified vulnerability in sISAPILocation before 1.0.2.2 allows remo ...) NOT-FOR-US: sISAPILocation CVE-2008-6297 (Cross-site scripting (XSS) vulnerability in order.php in DHCart allows ...) NOT-FOR-US: DHCart CVE-2008-6296 (admin.php in Maran PHP Shop allows remote attackers to bypass authenti ...) NOT-FOR-US: Maran PHP Shop CVE-2008-6295 (Multiple cross-site scripting (XSS) vulnerabilities in Camera Life 2.6 ...) NOT-FOR-US: Camera Life CVE-2008-6294 (admin/Index.php in Acc Statistics 1.1 allows remote attackers to bypas ...) NOT-FOR-US: Acc Statistics CVE-2008-6293 (admin/Index.php in Acc Real Estate 4.0 allows remote attackers to bypa ...) NOT-FOR-US: Acc Real Estate CVE-2008-6292 (Acc Autos 4.0 allows remote attackers to bypass authentication and gai ...) NOT-FOR-US: Acc Autos CVE-2008-6291 (Acc PHP eMail 1.1 allows remote attackers to bypass authentication and ...) NOT-FOR-US: Acc PHP eMail CVE-2008-6290 (Directory traversal vulnerability in includefile.php in nicLOR Sito, w ...) NOT-FOR-US: nicLOR Sito CVE-2008-6289 (SQL injection vulnerability in cityview.php in Tours Manager 1.0 allow ...) NOT-FOR-US: Tours Manager CVE-2009-0770 (dkim-milter 2.6.0 through 2.8.0 allows remote attackers to cause a den ...) {DSA-1728-1} - dkim-milter 2.6.0.dfsg-2 (low) [lenny] - dkim-milter 2.6.0.dfsg-1+lenny1 NOTE: http://sourceforge.net/tracker/index.php?func=detail&aid=2508602&group_id=139420&atid=744358 CVE-2009-0749 (Use-after-free vulnerability in the GIFReadNextExtension function in l ...) - optipng 0.6.2.1-1 (low) [etch] - optipng 0.5.5-2 [lenny] - optipng 0.6.1.1-2 CVE-2009-0741 (SQL injection vulnerability in Login.asp in Craft Silicon Banking@Home ...) NOT-FOR-US: Craft Silicon Banking@Home CVE-2009-0740 (SQL injection vulnerability in login.php in BlueBird Prelease allows r ...) NOT-FOR-US: BlueBird Prelease CVE-2009-0739 (SQL injection vulnerability in login.php in MyNews 0.10 allows remote ...) NOT-FOR-US: MyNews CVE-2009-0738 (SQL injection vulnerability in login.php in Auth Php 1.0 allows remote ...) NOT-FOR-US: Auth Php CVE-2009-0736 (Cross-site scripting (XSS) vulnerability in Pebble before 2.3.2 allows ...) NOT-FOR-US: Pebble CVE-2009-0735 (Directory traversal vulnerability in lib/classes/message_class.php in ...) NOT-FOR-US: Papoo CMS CVE-2009-0734 (Heap-based buffer overflow in MultimediaPlayer.exe 6.86.240.7 in Nokia ...) NOT-FOR-US: MultimediaPlayer.exe CVE-2009-0733 (Multiple stack-based buffer overflows in the ReadSetOfCurves function ...) {DSA-1769-1 DSA-1745-1} - lcms 1.18.dfsg-1 (bug #522446) - openjdk-6 6b18-1.8.13-0+squeeze2 NOTE: Marking the current oldstable version as fixed, but likely fixed way earlier CVE-2009-0732 (Downloadcenter 2.1 stores common.h under the web root with insufficien ...) NOT-FOR-US: Downloadcenter CVE-2009-0731 (Directory traversal vulnerability in pages/play.php in Free Arcade Scr ...) NOT-FOR-US: Free Arcade Script CVE-2009-0730 (Multiple SQL injection vulnerabilities in the GigCalendar (com_gigcal) ...) NOT-FOR-US: GigCalendar CVE-2009-0729 (Multiple directory traversal vulnerabilities in Page Engine CMS 2.0 Ba ...) NOT-FOR-US: Page Engine CMS CVE-2009-0728 (SQL injection vulnerability in the My_eGallery module for MAXdev MDPro ...) NOT-FOR-US: MAXdev MDPro/Postnuke CVE-2009-0727 (SQL injection vulnerability in jobdetails.php in taifajobs 1.0 and ear ...) NOT-FOR-US: taifajobs CVE-2009-0726 (SQL injection vulnerability in the GigCalendar (com_gigcal) component ...) NOT-FOR-US: Joomla! CVE-2009-0725 RESERVED CVE-2009-0724 RESERVED CVE-2009-0723 (Multiple integer overflows in LittleCMS (aka lcms or liblcms) before 1 ...) {DSA-1769-1 DSA-1745-1} - lcms 1.18.dfsg-1 (bug #522446) - openjdk-6 6b18-1.8.13-0+squeeze2 NOTE: Marking the current oldstable version as fixed, but likely fixed way earlier CVE-2009-0722 (Directory traversal vulnerability in admin.php in Potato News 1.0.0 al ...) NOT-FOR-US: Potato News CVE-2009-0721 (Unspecified vulnerability in Easy Login in the Sender module in HP Rem ...) NOT-FOR-US: HP Remote Graphics CVE-2009-0720 (Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2009-0719 (Unspecified vulnerability in useradd in HP HP-UX B.11.11, B.11.23, and ...) NOT-FOR-US: HP-UX CVE-2009-0718 (Unspecified vulnerability in HP StorageWorks Storage Mirroring 5 befor ...) NOT-FOR-US: HP StorageWorks Storage Mirroring CVE-2009-0717 (Unspecified vulnerability in HP StorageWorks Storage Mirroring 5 befor ...) NOT-FOR-US: HP StorageWorks Storage Mirroring CVE-2009-0716 (Unspecified vulnerability in HP StorageWorks Storage Mirroring 5 befor ...) NOT-FOR-US: HP StorageWorks Storage Mirroring CVE-2009-0715 (Unspecified vulnerability in Secure NaviCLI in HP Storage Essentials 6 ...) NOT-FOR-US: HP Storage Essentials CVE-2009-0714 (Unspecified vulnerability in the dpwinsup module (dpwinsup.dll) for dp ...) NOT-FOR-US: HP Data Protector Express CVE-2009-0713 (Unspecified vulnerability in WMI Mapper for HP Systems Insight Manager ...) NOT-FOR-US: WMI Mapper CVE-2009-0712 (Unspecified vulnerability in WMI Mapper for HP Systems Insight Manager ...) NOT-FOR-US: WMI Mapper CVE-2009-0711 (filter.php in PHPFootball 1.6 and earlier allows remote attackers to r ...) NOT-FOR-US: PHPFootball CVE-2009-0710 (Multiple cross-site scripting (XSS) vulnerabilities in PHPFootball 1.6 ...) NOT-FOR-US: PHPFootball CVE-2009-0709 (SQL injection vulnerability in login.php in PHPFootball 1.6 allows rem ...) NOT-FOR-US: PHPFootball CVE-2009-0708 (Multiple cross-site request forgery (CSRF) vulnerabilities in Semantic ...) NOT-FOR-US: SemanticScuttle CVE-2009-0707 (SQL injection vulnerability in admin/index.php in PowerClan 1.14a allo ...) NOT-FOR-US: PowerClan CVE-2009-0706 (SQL injection vulnerability in the Simple Review (com_simple_review) c ...) NOT-FOR-US: Joomla! CVE-2009-0705 (SQL injection vulnerability in news.php in PowerScripts PowerNews 2.5. ...) NOT-FOR-US: PowerScripts PowerNews CVE-2009-0704 (SQL injection vulnerability in search.php in WSN Guest 1.23 allows rem ...) NOT-FOR-US: WSN Guest CVE-2009-0703 (SQL injection vulnerability in bview.asp in ASPThai.Net Webboard 6.0 a ...) NOT-FOR-US: ASPThai.Net Webboard CVE-2009-0702 (SQL injection vulnerability in the Phoca Documentation (com_phocadocum ...) NOT-FOR-US: Joomla! CVE-2009-0701 (Multiple PHP remote file inclusion vulnerabilities in index.php in Cyb ...) NOT-FOR-US: Cybershade CVE-2009-0700 (Plunet BusinessManager 4.1 and earlier allows remote authenticated use ...) NOT-FOR-US: Plunet BusinessManager CVE-2009-0699 (Cross-site scripting (XSS) vulnerability in pagesUTF8/auftrag_allgemei ...) NOT-FOR-US: Plunet BusinessManager CVE-2009-0698 (Integer overflow in the 4xm demuxer (demuxers/demux_4xm.c) in xine-lib ...) - xine-lib 1.1.16.2-1 (bug #517792; bug #523475; medium) - vlc (affected part of xine-lib code not present) CVE-2009-0697 RESERVED CVE-2009-0696 (The dns_db_findrdataset function in db.c in named in ISC BIND 9.4 befo ...) {DSA-1847-1} - bind9 1:9.6.1.dfsg.P1-1 (bug #538975; high) NOTE: See also http://www.kb.cert.org/vuls/id/725188 CVE-2009-0695 (hagent.exe in Wyse Device Manager (WDM) 4.7.x does not require authent ...) NOT-FOR-US: Wyse Device Manager not in Debian CVE-2009-0694 RESERVED CVE-2009-0693 (Multiple buffer overflows in Wyse Device Manager (WDM) 4.7.x allow rem ...) NOT-FOR-US: Wyse Device Manager not in Debian CVE-2009-0692 (Stack-based buffer overflow in the script_write_params method in clien ...) {DSA-1833-2 DSA-1833-1} - dhcp3 3.1.2p1-1 (medium) NOTE: dhcp in etch is not affected. CVE-2009-0691 (The Foxit JPEG2000/JBIG2 Decoder add-on before 2.0.2009.616 for Foxit ...) NOT-FOR-US: Foxit JPEG2000/JBIG2 Decoder add-on CVE-2009-0690 (The Foxit JPEG2000/JBIG2 Decoder add-on before 2.0.2009.616 for Foxit ...) NOT-FOR-US: Foxit JPEG2000/JBIG2 Decoder add-on CVE-2009-0689 (Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa. ...) {DSA-1998-1 DSA-1931-1 DLA-1564-1 DLA-376-1} - nspr 4.8-2 [etch] - nspr (Mozilla packages from oldstable no longer covered by security support) - kdelibs 4:3.5.10.dfsg.1-3 (medium; bug #559265) - kde4libs 4:4.3.4-1 (medium; bug #559266) [lenny] - kde4libs (Only uses by a few packages in Lenny, hardly any attack vector) - mono 4.2.1.102+dfsg2-4 [wheezy] - mono (Minor issue) NOTE: http://www.mono-project.com/docs/about-mono/vulnerabilities/ NOTE: https://gist.github.com/directhex/01e853567fd2cc74ed39 CVE-2009-0688 (Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 ...) {DSA-1807-1 DTSA-200-1 DTSA-201-1} - cyrus-sasl2 2.1.23.dfsg1-1 (bug #528749) - cyrus-sasl2-heimdal 2.1.23.dfsg1-1 NOTE: VU#238019 CVE-2009-0687 (The pf_test_rule function in OpenBSD Packet Filter (PF), as used in Op ...) NOT-FOR-US: OpenBSD Packet Filter CVE-2009-0686 (The TrendMicro Activity Monitor Module (tmactmon.sys) 2.52.0.1002 in T ...) NOT-FOR-US: Trend Micro Internet Pro CVE-2009-0685 RESERVED CVE-2009-0684 RESERVED CVE-2009-0683 RESERVED CVE-2009-0682 (vetmonnt.sys in CA Internet Security Suite r3, vetmonnt.sys before 9.0 ...) NOT-FOR-US: CA Internet Security Suite CVE-2009-0681 (PGP Desktop before 9.10 allows local users to (1) cause a denial of se ...) NOT-FOR-US: PGP Desktop CVE-2009-0680 (cgi-bin/welcome/VPN_only in the web interface in Netgear SSL312 allows ...) NOT-FOR-US: Netgear CVE-2009-0679 (Cross-site scripting (XSS) vulnerability in the Your Account module in ...) NOT-FOR-US: RavenNuke CVE-2009-0678 (images/captcha.php in RavenNuke 2.30 allows remote attackers to obtain ...) NOT-FOR-US: RavenNuke CVE-2009-0677 (avatarlist.php in the Your Account module, reached through modules.php ...) NOT-FOR-US: RavenNuke CVE-2009-0676 (The sock_getsockopt function in net/core/sock.c in the Linux kernel be ...) {DSA-1794-1 DSA-1787-1 DSA-1749-1} - linux-2.6 2.6.29-1 (low) - linux-2.6.24 (low) NOTE: Original fix was incomplete/risky, see: NOTE: NOTE: Reproducer in NOTE: lacks initialzer for len. Leak confirmed with fixed reproducer. CVE-2009-0675 (The skfp_ioctl function in drivers/net/skfp/skfddi.c in the Linux kern ...) {DSA-1794-1 DSA-1787-1 DSA-1749-1} - linux-2.6 2.6.29-1 (low) - linux-2.6.24 (low) CVE-2009-0674 (images/captcha.php in Raven Web Services RavenNuke 2.30, when register ...) NOT-FOR-US: RavenNuke CVE-2009-0673 (Eval injection vulnerability in the Custom Fields feature in the Your ...) NOT-FOR-US: RavenNuke CVE-2009-0672 (SQL injection vulnerability in the Resend_Email module in Raven Web Se ...) NOT-FOR-US: RavenNuke CVE-2009-0671 REJECTED CVE-2009-0670 RESERVED CVE-2009-0669 (Zope Object Database (ZODB) before 3.8.2, when certain Zope Enterprise ...) {DSA-2234-1 DSA-1863-1} - zope3 (bug #540462) - zope2.11 2.11.4-1 (bug #540463) - zope2.10 2.10.9-1 (bug #540464) - zope2.9 - zodb 1:3.8.2-1 (bug #540465) CVE-2009-0668 (Unspecified vulnerability in Zope Object Database (ZODB) before 3.8.2, ...) {DSA-2234-1 DSA-1863-1} - zope3 (medium; bug #540462) - zope2.11 2.11.4-1 (medium; bug #540463) - zope2.10 2.10.9-1 (medium; bug #540464) - zope2.9 - zodb 1:3.8.2-1 (medium; bug #540465) CVE-2009-0667 (Untrusted search path vulnerability in Agent/Backend.pm in Ocsinventor ...) {DSA-1828-1} - ocsinventory-agent 1:0.0.9.2repack1-5 (medium; bug #506416) CVE-2009-0666 RESERVED CVE-2009-0665 RESERVED CVE-2009-0664 (Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.0.x be ...) {DSA-1778-1} - mahara 1.1.3-1 (low) CVE-2009-0663 (Heap-based buffer overflow in the DBD::Pg (aka DBD-Pg or libdbd-pg-per ...) {DSA-1780-1} - libdbd-pg-perl 2.1.3-1 CVE-2009-0662 (The PlonePAS product 3.x before 3.9 and 3.2.x before 3.2.2, a product ...) - plone3 (medium; bug #525943) CVE-2009-0661 (Wee Enhanced Environment for Chat (WeeChat) 0.2.6 allows remote attack ...) {DSA-1744-1} - weechat 0.2.6.1-1 (medium; bug #519940) [etch] - weechat (vulnerable code not present) CVE-2009-0660 (Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.0 befo ...) {DSA-1736-1} - mahara 1.1.2-1 (low) CVE-2009-0659 (Stack-based buffer overflow in the GetStatsFromLine function in TPTEST ...) NOT-FOR-US: TPTEST CVE-2009-0658 (Buffer overflow in Adobe Reader 9.0 and earlier, and Acrobat 9.0 and e ...) NOT-FOR-US: Adobe Reader CVE-2009-0657 (Toshiba Face Recognition 2.0.2.32 allows physically proximate attacker ...) NOT-FOR-US: Toshiba Face Recognition CVE-2009-0656 (Asus SmartLogon 1.0.0005 allows physically proximate attackers to bypa ...) NOT-FOR-US: Asus SmartLogon CVE-2009-0655 (Lenovo Veriface III allows physically proximate attackers to login to ...) NOT-FOR-US: Lenovo Veriface CVE-2009-0654 (Tor 0.2.0.28, and probably 0.2.0.34 and earlier, allows remote attacke ...) - tor (unimportant) NOTE: attacker already controls entry and exit node at this stage CVE-2009-0653 (OpenSSL, probably 0.9.6, does not verify the Basic Constraints for an ...) - openssl 0.9.8-1 (bug #517791) CVE-2009-0652 (The Internationalized Domain Names (IDN) blacklist in Mozilla Firefox ...) {DSA-1830-1 DSA-1797-1} - icedove 2.0.0.22-1 (bug #535124) [squeeze] - icedove 2.0.0.22-0lenny1 - xulrunner 1.9.0.9-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-0651 (Unspecified vulnerability in the Veritas network daemon (aka vnetd) in ...) NOT-FOR-US: Veritas network daemon CVE-2009-0650 (Stack-based buffer overflow in the GetStatsFromLine function in TPTEST ...) NOT-FOR-US: TPTEST CVE-2009-0649 (The web browser in Symbian OS on the Nokia N95 cell phone allows remot ...) NOT-FOR-US: Symbian OS CVE-2008-6288 (Directory traversal vulnerability in download.php in Interface Medien ...) NOT-FOR-US: Interface Medien ibase CVE-2008-6287 (Multiple PHP remote file inclusion vulnerabilities in Broadcast Machin ...) NOT-FOR-US: Broadcast Machine CVE-2008-6286 (Multiple SQL injection vulnerabilities in SubscriberStart.asp in Activ ...) NOT-FOR-US: Active Newsletter CVE-2008-6285 (SQL injection vulnerability in index.php in PHP TV Portal 2.0 and earl ...) NOT-FOR-US: PHP TV Portal CVE-2008-6284 (SQL injection vulnerability in edit.php in Z1Exchange 1.0 allows remot ...) NOT-FOR-US: Z1Exchange CVE-2008-6283 (Cross-site scripting (XSS) vulnerability in Subtext 2.0 allows remote ...) NOT-FOR-US: Subtext CVE-2008-6282 (SQL injection vulnerability in engine/users/users_edit_pub.inc in CMS ...) NOT-FOR-US: CMS Ortus CVE-2008-6281 (SQL injection vulnerability in index.php in Bluo CMS 1.2 allows remote ...) NOT-FOR-US: Bluo CMS CVE-2008-6280 (Cross-site scripting (XSS) vulnerability in apply.cgi on the Linksys W ...) NOT-FOR-US: Linksys WRT160N CVE-2008-6279 (RakhiSoftware Price Comparison Script (aka Shopping Cart) allows remot ...) NOT-FOR-US: RakhiSoftware Price Comparison Script CVE-2008-6278 (Multiple cross-site scripting (XSS) vulnerabilities in product.php in ...) NOT-FOR-US: RakhiSoftware Price Comparison Script CVE-2008-6277 (SQL injection vulnerability in product.php in RakhiSoftware Price Comp ...) NOT-FOR-US: RakhiSoftware Price Comparison Script CVE-2008-6276 (Multiple SQL injection vulnerabilities in the User Karma module 5.x be ...) NOT-FOR-US: User Karma module for Drupal CVE-2008-6275 (Cross-site scripting (XSS) vulnerability in the User Karma module 5.x ...) NOT-FOR-US: User Karma module for Drupal CVE-2008-6274 (Multiple SQL injection vulnerabilities in index.php in FamilyProject 2 ...) NOT-FOR-US: FamilyProject CVE-2008-6273 (Directory traversal vulnerability in configuration_script.php in MyKto ...) NOT-FOR-US: MyKtools CVE-2008-6272 (SQL injection vulnerability in admin/index.php in Dragan Mitic Apoll 0 ...) NOT-FOR-US: Dragan Mitic Apoll CVE-2008-6271 (Directory traversal vulnerability in index.php in TBmnetCMS 1.0, when ...) NOT-FOR-US: TBmnetCMS CVE-2008-6270 (SQL injection vulnerability in admin/index.php in Dragan Mitic Apoll 0 ...) NOT-FOR-US: Dragan Mitic Apoll CVE-2008-6269 (Joovili 3.1.4 allows remote attackers to bypass authentication and gai ...) NOT-FOR-US: Joovili CVE-2008-6268 (SQL injection vulnerability in detail.php in WEBBDOMAIN Multi Language ...) NOT-FOR-US: Multi Languages WebShop Online CVE-2008-6267 (Cross-site scripting (XSS) vulnerability in detail.php in Multi Langua ...) NOT-FOR-US: Multi Languages WebShop Online CVE-2008-6266 (SQL injection vulnerability in links.php in Appalachian State Universi ...) NOT-FOR-US: phpWebSite CVE-2008-6265 (Directory traversal vulnerability in portfolio/css.php in Cyberfolio 7 ...) NOT-FOR-US: Cyberfolio CVE-2008-6264 (SQL injection vulnerability in admin/admin.php in E-topbiz Slide Popup ...) NOT-FOR-US: E-topbiz Slide Popups CVE-2008-6263 (SQL injection vulnerability in lib/user/t_user.php in SaturnCMS allows ...) NOT-FOR-US: SaturnCMS CVE-2008-6262 (SQL injection vulnerability in lib/url/meta_url.php in SaturnCMS allow ...) NOT-FOR-US: SaturnCMS CVE-2008-6261 (SQL injection vulnerability in view.php in E-topbiz AdManager 4 allows ...) NOT-FOR-US: E-topbiz AdManager CVE-2008-6260 (SQL injection vulnerability in index.php in Ultrastats 0.2.144 and 0.3 ...) NOT-FOR-US: Ultrastats CVE-2008-6259 (Cross-site scripting (XSS) vulnerability in search.asp in QuadComm Q-S ...) NOT-FOR-US: QuadComm Q-Shop CVE-2008-6258 (SQL injection vulnerability in users.asp in QuadComm Q-Shop 3.0, and p ...) NOT-FOR-US: QuadComm Q-Shop CVE-2008-6257 (SQL injection vulnerability in default.asp in Openasp 3.0 and earlier ...) NOT-FOR-US: Openasp CVE-2008-6256 (SQL injection vulnerability in admincp/admincalendar.php in vBulletin ...) NOT-FOR-US: vBulletin CVE-2008-6255 (Multiple SQL injection vulnerabilities in vBulletin 3.7.4 allow remote ...) NOT-FOR-US: vBulletin CVE-2008-6254 (SQL injection vulnerability in scripts/documents.php in Jadu Galaxies ...) NOT-FOR-US: Jadu Galaxies CVE-2008-6253 (Directory traversal vulnerability in data/inc/lib/pcltar.lib.php in Pl ...) NOT-FOR-US: Pluck CMS CVE-2008-6252 (Stack-based buffer overflow in the smc program in smcFanControl 2.1.2 ...) NOT-FOR-US: smcFanControl CVE-2008-6251 (PHP remote file inclusion vulnerability in includes/init.php in phpFan ...) NOT-FOR-US: phpFan CVE-2008-6250 (SQL injection vulnerability in Comdev Web Blogger 4.1.3 and earlier al ...) NOT-FOR-US: Comdev Web Blogger CVE-2008-6249 (SQL injection vulnerability in plugins/users/index.php in Galatolo Web ...) NOT-FOR-US: Galatolo WebManager CVE-2008-6248 (Cross-site scripting (XSS) vulnerability in all.php in Galatolo WebMan ...) NOT-FOR-US: Galatolo WebManager CVE-2008-6247 (SQL injection vulnerability in topsite.php in Scripts For Sites (SFS) ...) NOT-FOR-US: Scripts For Sites CVE-2008-6246 (SQL injection vulnerability in category.php in Scripts For Sites (SFS) ...) NOT-FOR-US: Scripts For Sites CVE-2008-6245 (SQL injection vulnerability in track.php in Scripts For Sites (SFS) EZ ...) NOT-FOR-US: Scripts For Sites CVE-2008-6244 (SQL injection vulnerability in view_reviews.php in Scripts for Sites ( ...) NOT-FOR-US: Scripts For Sites CVE-2008-6243 (SQL injection vulnerability in showcategory.php in Scripts For Sites ( ...) NOT-FOR-US: Scripts For Sites CVE-2008-6242 (SQL injection vulnerability in SearchResults.php in Scripts For Sites ...) NOT-FOR-US: Scripts For Sites CVE-2008-6241 (Multiple SQL injection vulnerabilities in admin/usercheck.php in FlexP ...) NOT-FOR-US: FlexPHPSite CVE-2008-6240 (Cross-site scripting (XSS) vulnerability in data/views/index.html in O ...) NOT-FOR-US: OpenEdit Digital Asset Management CVE-2008-6239 (Cross-site request forgery (CSRF) vulnerability in OpenEdit Digital As ...) NOT-FOR-US: OpenEdit Digital Asset Management CVE-2008-6238 (Cross-site scripting (XSS) vulnerability in archive/savedqueries/saveq ...) NOT-FOR-US: OpenEdit Digital Asset Management CVE-2008-6237 (SQL injection vulnerability in software-description.php in Scripts For ...) NOT-FOR-US: Scripts For Sites CVE-2008-6236 (SQL injection vulnerability in login.php in Simple Document Management ...) NOT-FOR-US: Simple Document Management System CVE-2008-6235 (The Netrw plugin (netrw.vim) in Vim 7.0 and 7.1 allows user-assisted a ...) - vim 2:7.2.148-1 (low) [lenny] - vim (proof-of-concept does not work) [etch] - vim (Minor issue) CVE-2008-6234 (SQL injection vulnerability in the com_musica module in Joomla! and Ma ...) NOT-FOR-US: Joomla! CVE-2008-6233 (SQL injection vulnerability in index.php in Five Dollar Scripts Drinks ...) NOT-FOR-US: Five Dollar Scripts Drinks script CVE-2008-6232 (Pre Shopping Mall allows remote attackers to bypass authentication and ...) NOT-FOR-US: Pre Shopping Mall CVE-2008-6231 (Pre Classified Listing PHP allows remote attackers to bypass authentic ...) NOT-FOR-US: Pre Classified Listing PHP CVE-2008-6230 (SQL injection vulnerability in Tour.php in Pre Projects Pre Podcast Po ...) NOT-FOR-US: Pre Projects Pre Podcast Portal CVE-2008-6229 (Cross-site scripting (XSS) vulnerability in the administrative interfa ...) NOT-FOR-US: CCK module for Drupal CVE-2008-6228 (Pre Multi-Vendor Shopping Malls allows remote attackers to bypass auth ...) NOT-FOR-US: Pre Multi-Vendor Shopping Malls CVE-2008-6227 (SQL injection vulnerability in buyer_detail.php in Pre Multi-Vendor Sh ...) NOT-FOR-US: Pre Multi-Vendor Shopping Malls CVE-2008-6226 (SQL injection vulnerability in moreinfo.php in Pre Projects PHP Auto L ...) NOT-FOR-US: Pre Projects PHP Auto Listings Script CVE-2008-6225 NOT-FOR-US: Mole Group Airline Ticket Sale Script CVE-2008-6224 (Directory traversal vulnerability in visualizza.php in Way Of The Warr ...) NOT-FOR-US: Way Of The Warrior CVE-2008-6223 (PHP remote file inclusion vulnerability in visualizza.php in Way Of Th ...) NOT-FOR-US: Way Of The Warrior CVE-2008-6222 (Directory traversal vulnerability in the Pro Desk Support Center (com_ ...) NOT-FOR-US: Joomla! CVE-2008-6221 (PHP remote file inclusion vulnerability in config.dadamail.php in the ...) NOT-FOR-US: Joomla! CVE-2008-6220 (SQL injection vulnerability in login.php in Simple Document Management ...) NOT-FOR-US: Simple Document Management System CVE-2008-6219 (nsrexecd.exe in multiple EMC Networker products including EMC NetWorke ...) NOT-FOR-US: EMC Networker products CVE-2008-6218 (Memory leak in the png_handle_tEXt function in pngrutil.c in libpng be ...) {DSA-1750-1} - libpng 1.2.33-1 CVE-2008-6217 (Cross-site scripting (XSS) vulnerability in index.php in Extrakt Frame ...) NOT-FOR-US: Extrakt Framework CVE-2008-6216 (SQL injection vulnerability in cadena_ofertas_ext.php in Venalsur Book ...) NOT-FOR-US: Venalsur Booking center Booking System CVE-2008-6215 (Cross-site scripting (XSS) vulnerability in cadena_ofertas_ext.php in ...) NOT-FOR-US: Venalsur Booking center Booking System CVE-2008-6214 (SQL injection vulnerability in poll_results.php in Harlandscripts Pro ...) NOT-FOR-US: Harlandscripts Pro Traffic One CVE-2008-6213 (SQL injection vulnerability in mypage.php in Harlandscripts Pro Traffi ...) NOT-FOR-US: Harlandscripts Pro Traffic One CVE-2009-XXXX [thunar: potential exploits via application launchers] - thunar (bug #517020; unimportant) NOTE: Minor impact, any attack would still require a significant amount of social engineering CVE-2009-XXXX [sysvinit: no-root option in expert installer exposes locally exploitable security flaw] - sysvinit (bug #517018; unimportant) NOTE: hardly a security issue, if an attacker has local access to the machine and you NOTE: don't use encryption or something similar you have lost anyway NOTE: - this ^ philosophy is flawed; it should not be trivial to get root just because you NOTE: have local access to the machine. it is worth it to make it as difficult as NOTE: possible without impacting authorized users. otherwise, why spend so much effort NOTE: to make sure xscreensaver, gdm, and login are rock solid? NOTE: - i would like to track as low, rather than unimportant CVE-2009-0753 (Absolute path traversal vulnerability in MLDonkey 2.8.4 through 2.9.7 ...) {DSA-1739-1} - mldonkey 3.0.0-1 (bug #516829; medium) [etch] - mldonkey (vulnerable code not present) NOTE: daemon is run as non-root and can only be exploited via localhost CVE-2009-0648 (Multiple cross-site request forgery (CSRF) vulnerabilities in the mana ...) NOT-FOR-US: Falt4 CMS CVE-2009-0647 (msnmsgr.exe in Windows Live Messenger (WLM) 2009 build 14.0.8064.206, ...) NOT-FOR-US: Windows Live Messenger CVE-2008-6212 (Cross-site scripting (XSS) vulnerability in admin.php in Php-Stats 0.1 ...) NOT-FOR-US: Php-Stats CVE-2008-6211 (Multiple cross-site scripting (XSS) vulnerabilities in PhpForums.net m ...) NOT-FOR-US: PhpForums.net mcGallery CVE-2008-6210 (SQL injection vulnerability in index.php in dream4 Koobi 4.4 and 5.4 a ...) NOT-FOR-US: dream4 Koobi CVE-2008-6209 (SQL injection vulnerability in view_product.php in Vastal I-Tech Softw ...) NOT-FOR-US: Vastal I-Tech Software Zone CVE-2008-6208 (Cross-site scripting (XSS) vulnerability in submitnews.php in e107 CMS ...) NOT-FOR-US: e107 CMS CVE-2008-6207 (Unrestricted file upload vulnerability in form_upload.php in PHPG Uplo ...) NOT-FOR-US: PHPG Upload CVE-2008-6206 (Multiple PHP remote file inclusion vulnerabilities in RobotStats 0.1 a ...) NOT-FOR-US: RobotStats CVE-2008-6205 (Cross-site scripting (XSS) vulnerability in seeurl.php in Xavier Flaha ...) NOT-FOR-US: Xavier Flahaut URLStreet CVE-2008-6204 (Multiple SQL injection vulnerabilities in SuperNET Shop 1.0 and earlie ...) NOT-FOR-US: SuperNET Shop CVE-2008-6203 (SQL injection vulnerability in adminler.asp in CoBaLT 2.0 allows remot ...) NOT-FOR-US: CoBaLT CVE-2008-6202 (SQL injection vulnerability in CoBaLT 1.0 allows remote attackers to e ...) NOT-FOR-US: CoBaLT CVE-2008-6201 (Directory traversal vulnerability in help.php in the eskuel module in ...) NOT-FOR-US: KwsPHP CVE-2008-6200 (Multiple cross-site scripting (XSS) vulnerabilities in Swiki 1.5 allow ...) NOT-FOR-US: Swiki CVE-2008-6199 (2532designs 2532|Gigs 1.2.2 and earlier allows remote attackers to tri ...) NOT-FOR-US: 2532designs 2532|Gigs CVE-2008-6198 (SQL injection vulnerability in pages.php in Custom Pages 1.0 plugin fo ...) NOT-FOR-US: Custom Pages 1.0 plugin for MyBulletinBoard CVE-2008-6197 (SQL injection vulnerability in index.php in the galerie module for Kws ...) NOT-FOR-US: KwsPHP CVE-2008-6196 (Multiple PHP remote file inclusion vulnerabilities in Philippe CROCHAT ...) NOT-FOR-US: Philippe CROCHAT EasySite CVE-2008-6195 (Directory traversal vulnerability in the PXE TFTP Service (PXEMTFTP.ex ...) NOT-FOR-US: LANDesk Management Suite CVE-2008-6194 (Memory leak in the DNS server in Microsoft Windows allows remote attac ...) NOT-FOR-US: Microsoft Windows CVE-2008-6193 (Sam Crew MyBlog stores passwords in cleartext in a MySQL database, whi ...) NOT-FOR-US: Sam Crew MyBlog CVE-2008-6192 (Multiple cross-site scripting (XSS) vulnerabilities in unspecified Por ...) NOT-FOR-US: Sun Java System Portal Server CVE-2008-6191 (Conductor.exe in Intrinsic Swimage Encore before 5.0.1.21 contains a h ...) NOT-FOR-US: Intrinsic Swimage Encore CVE-2008-6190 (Cross-site scripting (XSS) vulnerability in index.php in EEBCMS 0.95 a ...) NOT-FOR-US: EEBCMS CVE-2008-6189 (SQL injection vulnerability in GForge 4.5.19 allows remote attackers t ...) {DSA-1698-1} - gforge 4.7~rc2-5 CVE-2008-6188 (SQL injection vulnerability in people/editprofile.php in Gforge 4.6 rc ...) {DSA-1698-1} - gforge 4.7~rc2-5 CVE-2008-6187 (SQL injection vulnerability in frs/shownotes.php in Gforge 4.5.19 and ...) {DSA-1698-1} - gforge 4.7~rc2-5 CVE-2008-6186 (Stack-based buffer overflow in RaidenFTPD 2.4 build 3620 allows remote ...) NOT-FOR-US: RaidenFTPD CVE-2008-6185 (NoticeWare Email Server NG 5.1.2.2 allows remote attackers to cause a ...) NOT-FOR-US: NoticeWare Email Server NG CVE-2008-6184 (SQL injection vulnerability in the OwnBiblio (com_ownbiblio) component ...) NOT-FOR-US: Joomla! CVE-2008-6183 (Multiple directory traversal vulnerabilities in index.php in My PHP In ...) NOT-FOR-US: My PHP Indexer CVE-2008-6182 (SQL injection vulnerability in the Ignite Gallery (com_ignitegallery) ...) NOT-FOR-US: Joomla! CVE-2008-6181 (SQL injection vulnerability in the Mad4Joomla Mailforms (com_mad4jooml ...) NOT-FOR-US: Joomla! CVE-2008-6180 (SQL injection vulnerability in system/nlb_user.class.php in NewLife Bl ...) NOT-FOR-US: NewLife Blogger CVE-2008-6179 (SQL injection vulnerability in sug_cat.php in IndexScript 3.0 allows r ...) NOT-FOR-US: IndexScript CVE-2008-6178 (Unrestricted file upload vulnerability in editor/filemanager/browser/d ...) NOTE: Alleged exploit does not work. CVE-2008-6177 (Multiple directory traversal vulnerabilities in LightBlog 9.8, when ma ...) NOT-FOR-US: LightBlog CVE-2008-6176 REJECTED CVE-2008-6175 (SilverSHielD 1.0.2.34 allows remote attackers to cause a denial of ser ...) NOT-FOR-US: SilverSHielD CVE-2008-6174 (Cross-site scripting (XSS) vulnerability in admin/postlister/index.php ...) NOT-FOR-US: Jetbox CMS CVE-2008-6173 (Cross-site scripting (XSS) vulnerability in fullscreen.php in ClipShar ...) NOT-FOR-US: ClipShare Pro CVE-2008-6172 (Directory traversal vulnerability in captcha/captcha_image.php in the ...) NOT-FOR-US: Joomla! CVE-2008-6171 (includes/bootstrap.inc in Drupal 5.x before 5.12 and 6.x before 6.6, w ...) - drupal5 5.12-1 (low; bug #519114) - drupal6 6.6-1 (low; bug #519115) CVE-2008-6170 (Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.12 and ...) - drupal6 6.9-1 (low) [lenny] - drupal6 6.6-1.1 CVE-2008-6169 (Cross-site request forgery (CSRF) vulnerability in the Localization cl ...) NOT-FOR-US: Localization modules for Drupal CVE-2008-6168 (Cross-site scripting (XSS) vulnerability in search.php in miniPortail ...) NOT-FOR-US: miniPortail CVE-2008-6167 (Directory traversal vulnerability in search.php in miniPortail 2.2 and ...) NOT-FOR-US: miniPortail CVE-2009-0646 (Multiple SQL injection vulnerabilities in 4Site CMS 2.6 and earlier al ...) NOT-FOR-US: 4Site CMS CVE-2009-0645 (Directory traversal vulnerability in index.php in Jaws 0.8.8 allows re ...) NOT-FOR-US: Jaws CVE-2009-0644 (The HTTP interface in Swann DVR4-SecuraNet has a certain default admin ...) NOT-FOR-US: Swann DVR4-SecuraNet CVE-2009-0643 (Static code injection vulnerability in post.php in Simple PHP News 1.0 ...) NOT-FOR-US: Simple PHP News CVE-2009-0642 (ext/openssl/ossl_ocsp.c in Ruby 1.8 and 1.9 does not properly check th ...) {DSA-1860-1} - ruby1.9 1.9.0.5-1 (bug #513528) - ruby1.8 1.8.7.72-3.1 (medium; bug #517639; bug #522939) CVE-2009-0641 (sys_term.c in telnetd in FreeBSD 7.0-RELEASE and other 7.x versions de ...) NOT-FOR-US: FreeBSD telnetd (apparently there's some common code base in netkit-telnet, but it's not affected CVE-2009-0640 (Directory traversal vulnerability in the administrative web server in ...) NOT-FOR-US: Swann DVR4-SecuraNet CVE-2009-0639 (PHP remote file inclusion vulnerability in moduli/libri/index.php in p ...) NOT-FOR-US: phpyabs CVE-2008-6166 (SQL injection vulnerability in the KBase (com_kbase) 1.2 component for ...) NOT-FOR-US: Joomla! CVE-2008-6165 (SQL injection vulnerability in gestion.php in CSPartner 0.1, when magi ...) NOT-FOR-US: CSPartner CVE-2008-6164 (Cross-site scripting (XSS) vulnerability in index.php in DreamCost Hos ...) NOT-FOR-US: DreamCost HostAdmin CVE-2008-6163 (SQL injection vulnerability in www/delivery/ac.php in OpenX 2.6.1 allo ...) - openx (bug #513771) CVE-2008-6162 (Bux.to Clone script allows remote attackers to bypass authentication a ...) NOT-FOR-US: Bux.to Clone script CVE-2008-6161 (Cross-site scripting (XSS) vulnerability in WOW Raid Manager (WRM) bef ...) NOT-FOR-US: WOW Raid Manager CVE-2008-6160 (Semantically-Interconnected Online Communities (SIOC) 5.x before 5.x-1 ...) NOT-FOR-US: Semantically-Interconnected Online Communities CVE-2008-6159 (Content Management Made Easy (CMME) 1.19 allows remote attackers to ob ...) NOT-FOR-US: Content Management Made Easy CVE-2005-4878 (Multiple cross-site scripting (XSS) vulnerabilities in (1) acid_qry_ma ...) - acidbase 1.2.1-1 CVE-2009-0638 (The Cisco Firewall Services Module (FWSM) 2.x, 3.1 before 3.1(16), 3.2 ...) NOT-FOR-US: Cisco Firewall Services Module CVE-2009-0637 (The SCP server in Cisco IOS 12.2 through 12.4, when Role-Based CLI Acc ...) NOT-FOR-US: Cisco IOS CVE-2009-0636 (Unspecified vulnerability in Cisco IOS 12.0 through 12.4, when SIP voi ...) NOT-FOR-US: Cisco IOS CVE-2009-0635 (Memory leak in the Cisco Tunneling Control Protocol (cTCP) encapsulati ...) NOT-FOR-US: Cisco IOS CVE-2009-0634 (Multiple unspecified vulnerabilities in the home agent (HA) implementa ...) NOT-FOR-US: Cisco IOS CVE-2009-0633 (Multiple unspecified vulnerabilities in the (1) Mobile IP NAT Traversa ...) NOT-FOR-US: Cisco IOS CVE-2009-0632 (The IP Phone Personal Address Book (PAB) Synchronizer feature in Cisco ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2009-0631 (Unspecified vulnerability in Cisco IOS 12.0 through 12.4, when configu ...) NOT-FOR-US: Cisco IOS CVE-2009-0630 (The (1) Cisco Unified Communications Manager Express; (2) SIP Gateway ...) NOT-FOR-US: Cisco IOS CVE-2009-0629 (The (1) Airline Product Set (aka ALPS), (2) Serial Tunnel Code (aka ST ...) NOT-FOR-US: Cisco IOS CVE-2009-0628 (Memory leak in the SSLVPN feature in Cisco IOS 12.3 through 12.4 allow ...) NOT-FOR-US: Cisco IOS CVE-2009-0627 (Unspecified vulnerability in Cisco NX-OS before 4.0(1a)N2(1), when run ...) NOT-FOR-US: Cisco NX-OS CVE-2009-0626 (The SSLVPN feature in Cisco IOS 12.3 through 12.4 allows remote attack ...) NOT-FOR-US: Cisco IOS CVE-2009-0625 (Unspecified vulnerability in Cisco ACE Application Control Engine Modu ...) NOT-FOR-US: Cisco CVE-2009-0624 (Unspecified vulnerability in the SNMPv2c implementation in Cisco ACE A ...) NOT-FOR-US: Cisco CVE-2009-0623 (Unspecified vulnerability in Cisco ACE Application Control Engine Modu ...) NOT-FOR-US: Cisco CVE-2009-0622 (Unspecified vulnerability in Cisco ACE Application Control Engine Modu ...) NOT-FOR-US: Cisco CVE-2009-0621 (Cisco ACE 4710 Application Control Engine Appliance before A1(8a) uses ...) NOT-FOR-US: Cisco CVE-2009-0620 (Cisco ACE Application Control Engine Module for Catalyst 6500 Switches ...) NOT-FOR-US: Cisco CVE-2009-0619 (Unspecified vulnerability in the Session Border Controller (SBC) befor ...) NOT-FOR-US: Cisco CVE-2009-0618 (Unspecified vulnerability in the Java agent in Cisco Application Netwo ...) NOT-FOR-US: Cisco CVE-2009-0617 (Cisco Application Networking Manager (ANM) before 2.0 uses a default M ...) NOT-FOR-US: Cisco CVE-2009-0616 (Cisco Application Networking Manager (ANM) before 2.0 uses default use ...) NOT-FOR-US: Cisco CVE-2009-0615 (Directory traversal vulnerability in Cisco Application Networking Mana ...) NOT-FOR-US: Cisco CVE-2009-0614 (Unspecified vulnerability in the Web Server in Cisco Unified MeetingPl ...) NOT-FOR-US: Cisco CVE-2009-0613 (Trend Micro InterScan Web Security Suite (IWSS) 3.1 before build 1237 ...) NOT-FOR-US: Trend Micro CVE-2009-0612 (Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 3.x and I ...) NOT-FOR-US: Trend Micro CVE-2009-0611 (Multiple cross-site scripting (XSS) vulnerabilities in qfsearch/AdminS ...) NOT-FOR-US: Novell Open Enterprise Server CVE-2009-0610 (Multiple static code injection vulnerabilities in post.php in Simple P ...) NOT-FOR-US: Simple PHP News CVE-2009-0609 (Sun Java System Directory Proxy Server in Sun Java System Directory Se ...) NOT-FOR-US: Sun Java System Directory Server Enterprise Edition CVE-2009-0608 (Integer overflow in the showLog function in fake_log_device.c in liblo ...) NOT-FOR-US: Android CVE-2009-0607 (Multiple integer overflows in malloc_leak.c in Bionic in Open Handset ...) NOT-FOR-US: Android CVE-2009-0606 (The link_image function in linker/linker.c in the dynamic linker in Bi ...) NOT-FOR-US: Android CVE-2009-0605 (Stack consumption vulnerability in the do_page_fault function in arch/ ...) - linux-2.6 (CONFIG_KPROBES is not enabled) - linux-2.6.24 (CONFIG_KPROBES is not enabled) CVE-2008-6158 (Multiple unspecified vulnerabilities in the admin backend in w3b>cm ...) NOT-FOR-US: w3blabor CMS CVE-2008-6157 (SepCity Classified Ads stores the admin password in cleartext in data/ ...) NOT-FOR-US: SepCity Classified Ads CVE-2009-0604 (SQL injection vulnerability in index.php in PHP Director 0.21 and earl ...) NOT-FOR-US: PHP Director CVE-2009-0603 (Cross-site scripting (XSS) vulnerability in index.php in the Link modu ...) NOT-FOR-US: Link drupal module CVE-2009-0602 (Unrestricted file upload vulnerability in upload.php in WikkiTikkiTavi ...) NOT-FOR-US: WikkiTikkiTavi CVE-2009-0601 (Format string vulnerability in Wireshark 0.99.8 through 1.0.5 on non-W ...) - wireshark 1.0.6-1 [etch] - wireshark (Vulnerable code not present, introduced in 0.99.8) [lenny] - wireshark 1.0.2-3+lenny4 CVE-2009-0600 (Wireshark 0.99.6 through 1.0.5 allows user-assisted remote attackers t ...) - wireshark 1.0.6-1 [etch] - wireshark (Vulnerable code not present, introduced in 0.99.6) [lenny] - wireshark 1.0.2-3+lenny4 CVE-2009-0599 (Buffer overflow in wiretap/netscreen.c in Wireshark 0.99.7 through 1.0 ...) - wireshark 1.0.6-1 [etch] - wireshark (Vulnerable code not present, introduced in 0.99.7) [lenny] - wireshark 1.0.2-3+lenny4 CVE-2009-0598 (SQL injection vulnerability in index.php in PhpMesFilms 1.0 and 1.8 al ...) NOT-FOR-US: PhpMesFilms CVE-2009-0597 (SQL injection vulnerability in admin/index.php in w3b>cms (aka w3bl ...) NOT-FOR-US: w3b>cms CVE-2009-0596 (Directory traversal vulnerability in skysilver/login.tpl.php in phpSke ...) NOT-FOR-US: phpSkelSite CVE-2009-0595 (PHP remote file inclusion vulnerability in skysilver/login.tpl.php in ...) NOT-FOR-US: phpSkelSite CVE-2009-0594 (Cross-site scripting (XSS) vulnerability in index.php in phpSkelSite 1 ...) NOT-FOR-US: phpSkelSite CVE-2009-0593 (SQL injection vulnerability in members.php in plx Auto Reminder 3.7 al ...) NOT-FOR-US: plx Auto Reminder CVE-2009-0592 (Multiple directory traversal vulnerabilities in PNphpBB2 1.2i and earl ...) NOT-FOR-US: PNphpBB2 CVE-2008-6156 (SQL injection vulnerability in editCampaign.php in AdMan 1.1.20070907 ...) NOT-FOR-US: AdMan CVE-2008-6155 (SQL injection vulnerability in index.php in Hispah Text Links Ads 1.1 ...) NOT-FOR-US: Hispah Text Links Ads CVE-2008-6154 (SQL injection vulnerability in index.php in Hispah Text Links Ads 1.1 ...) NOT-FOR-US: Hispah Text Links Ads CVE-2008-6153 (SQL injection vulnerability in Photo.asp in Jay Patel Pixel8 Web Photo ...) NOT-FOR-US: Jay Patel Pixel8 Web Photo CVE-2008-6152 (SQL injection vulnerability in deptdisplay.asp in SepCity Faculty Port ...) NOT-FOR-US: SepCity Faculty Portal CVE-2008-6151 (SQL injection vulnerability in shpdetails.asp in SepCity Shopping Mall ...) NOT-FOR-US: SepCity Faculty Portal CVE-2008-6150 (SQL injection vulnerability in classdis.asp in SepCity Classified Ads ...) NOT-FOR-US: SepCity Faculty Portal CVE-2008-6149 (SQL injection vulnerability in the mDigg (com_mdigg) component 2.2.8 f ...) NOT-FOR-US: Joomla! CVE-2008-6148 (SQL injection vulnerability in the Live Ticker (com_liveticker) module ...) NOT-FOR-US: Joomla! CVE-2008-6147 (ForumApp 3.3 stores sensitive information under the web root with insu ...) NOT-FOR-US: ForumApp CVE-2008-6146 (SQL injection vulnerability in pm.php in DeluxeBB 1.2 and earlier, whe ...) NOT-FOR-US: DeluxeBB CVE-2008-6145 (Multiple SQL injection vulnerabilities in the WEC Discussion Forum (we ...) NOT-FOR-US: WEC Discussion Forum (wec_discussion) extension TYPO3 CVE-2008-6144 (Multiple cross-site scripting (XSS) vulnerabilities in the WEC Discuss ...) NOT-FOR-US: WEC Discussion Forum (wec_discussion) extension TYPO3 CVE-2008-6143 (OwenPoll 1.0 allows remote attackers to bypass authentication and obta ...) NOT-FOR-US: OwenPoll CVE-2008-6142 (Multiple SQL injection vulnerabilities in admin/usercheck.php in FlexP ...) NOT-FOR-US: FlexPHPic CVE-2009-0591 (The CMS_verify function in OpenSSL 0.9.8h through 0.9.8j, when CMS is ...) - openssl (vulnerable versions not uploaded to Debian) CVE-2009-0590 (The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remo ...) {DSA-1763-1} - openssl 0.9.8g-16 (low; bug #522002) CVE-2009-0589 REJECTED CVE-2009-0588 (agent/request/op.cgi in the Registration Authority (RA) component in R ...) NOT-FOR-US: Registration Authority (RA) component in Red Hat Certificate System (RHCS) CVE-2009-0587 (Multiple integer overflows in Evolution Data Server (aka evolution-dat ...) {DSA-1813-1} - evolution-data-server 2.22.3-1 (medium) NOTE: this version doesnt fix the overflows but uses the glib functions for decoding instead CVE-2009-0586 (Integer overflow in the gst_vorbis_tag_add_coverart function (gst-libs ...) - gst-plugins-base0.10 0.10.22-4 [lenny] - gst-plugins-base0.10 (Vulnerable lib calls not present) [etch] - gst-plugins-base0.10 (Vulnerable lib calls not present) CVE-2009-0585 (Integer overflow in the soup_base64_encode function in soup-misc.c in ...) {DSA-1748-1} - libsoup 2.2.105-4 (medium; bug #520039) CVE-2009-0584 (icc.c in the International Color Consortium (ICC) Format library (aka ...) {DSA-1746-1 DTSA-198-1} - ghostscript 8.64~dfsg-1.1 (medium; bug #522416) - argyll 1.0.3-2 (bug #522448) - gs-gpl (medium) - gs-esp CVE-2009-0583 (Multiple integer overflows in icc.c in the International Color Consort ...) {DSA-1746-1 DTSA-198-1} - ghostscript 8.64~dfsg-1.1 (medium; bug #522416) - argyll 1.0.3-2 (bug #522448) - gs-gpl (medium) - gs-esp CVE-2009-0582 (The ntlm_challenge function in the NTLM SASL authentication mechanism ...) {DSA-1813-1} - evolution-data-server 2.26.1.1-1 CVE-2009-0581 (Memory leak in LittleCMS (aka lcms or liblcms) before 1.18beta2, as us ...) {DSA-1769-1 DSA-1745-1} - lcms 1.18.dfsg-1 (bug #522446) CVE-2009-0580 (Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 th ...) {DSA-2207-1} - tomcat6 6.0.20-1 (low; bug #532362) [lenny] - tomcat6 (Only ships the servlet package) - tomcat5 (low; bug #532363) - tomcat5.5 (low; bug #532366) CVE-2009-0579 (Linux-PAM before 1.0.4 does not enforce the minimum password age (MIND ...) - pam 1.0.1-10 (unimportant; bug #514437) NOTE: the ability to change a password earlier than scheduled is not a security NOTE: vulnerability in itself (unless the user changes their password back to NOTE: their previous password; thus violating the security policy as defined by NOTE: the administrator) CVE-2009-0578 (GNOME NetworkManager before 0.7.0.99 does not properly verify privileg ...) - network-manager-applet 0.7.0.99-1 (medium; bug #519801) [lenny] - network-manager-applet (Bug affected the 0.7.x series) CVE-2009-0577 (Integer overflow in the WriteProlog function in texttops in CUPS 1.1.1 ...) NOT-FOR-US: RedHat specific, because they had a problem applying the fix for CVE-2008-3640 CVE-2009-0576 (Unspecified vulnerability in Sun Java System Directory Server 5.2 p6 a ...) NOT-FOR-US: Sun Java System Directory Server CVE-2009-0575 (Cross-site scripting (XSS) vulnerability in the theme_views_bulk_opera ...) NOT-FOR-US: Views Bulk Operations CVE-2009-0574 (SQL injection vulnerability in index.php in Easy CafeEngine allows rem ...) NOT-FOR-US: Easy CafeEngine CVE-2009-0573 (Multiple cross-site scripting (XSS) vulnerabilities in FotoWeb 6.0 (Bu ...) NOT-FOR-US: FotoWeb CVE-2009-0572 (PHP remote file inclusion vulnerability in include/flatnux.php in Flat ...) NOT-FOR-US: FlatnuX CMS CVE-2009-0571 (admin.php in Ninja Designs Mailist 3.0 stores backup copies of maillis ...) NOT-FOR-US: Ninja Designs Mailist CVE-2009-0570 (Directory traversal vulnerability in send.php in Ninja Designs Mailist ...) NOT-FOR-US: Ninja Designs Mailist CVE-2009-0569 (Buffer overflow in Becky! Internet Mail 2.48.02 and earlier allows rem ...) NOT-FOR-US: Becky! Internet Mail CVE-2009-0568 (The RPC Marshalling Engine (aka NDR) in Microsoft Windows 2000 SP4, XP ...) NOT-FOR-US: Microsoft CVE-2009-0567 REJECTED CVE-2009-0566 (Microsoft Office Publisher 2007 SP1 does not properly calculate object ...) NOT-FOR-US: Microsoft Office Publisher CVE-2009-0565 (Buffer overflow in Microsoft Office Word 2000 SP3, 2002 SP3, and 2007 ...) NOT-FOR-US: Microsoft CVE-2009-0564 RESERVED CVE-2009-0563 (Stack-based buffer overflow in Microsoft Office Word 2002 SP3, 2003 SP ...) NOT-FOR-US: Microsoft CVE-2009-0562 (The Office Web Components ActiveX Control in Microsoft Office XP SP3, ...) NOT-FOR-US: ActiveX CVE-2009-0561 (Integer overflow in Excel in Microsoft Office 2000 SP3, Office XP SP3, ...) NOT-FOR-US: Microsoft CVE-2009-0560 (Excel in Microsoft Office 2000 SP3, Office XP SP3, Office 2003 SP3, an ...) NOT-FOR-US: Microsoft CVE-2009-0559 (Stack-based buffer overflow in Excel in Microsoft Office 2000 SP3 and ...) NOT-FOR-US: Microsoft CVE-2009-0558 (Array index error in Excel in Microsoft Office 2000 SP3 and Office 200 ...) NOT-FOR-US: Microsoft CVE-2009-0557 (Excel in Microsoft Office 2000 SP3, Office XP SP3, Office 2003 SP3, an ...) NOT-FOR-US: Microsoft CVE-2009-0556 (Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3, and Powe ...) NOT-FOR-US: Microsoft Office CVE-2009-0555 (Microsoft Windows Media Runtime, as used in DirectShow WMA Voice Codec ...) NOT-FOR-US: Microsoft Windows CVE-2009-0554 (Microsoft Internet Explorer 5.01 SP4, 6 SP1, 6 and 7 on Windows XP SP2 ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-0553 (Microsoft Internet Explorer 6 SP1, 6 and 7 on Windows XP SP2 and SP3, ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-0552 (Unspecified vulnerability in Microsoft Internet Explorer 5.01 SP4, 6 S ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-0551 (Microsoft Internet Explorer 6 SP1, 6 and 7 on Windows XP SP2 and SP3, ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-0550 (Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000 SP4, XP ...) NOT-FOR-US: Microsoft Windows CVE-2009-0549 (Excel in Microsoft Office 2000 SP3, Office XP SP3, Office 2003 SP3, an ...) NOT-FOR-US: Microsoft CVE-2009-0548 (Cross-site scripting (XSS) vulnerability in the Additional Report Sett ...) NOT-FOR-US: Additional Report Settings interface in ESET Remote Administrator CVE-2009-0547 (Evolution 2.22.3.1 checks S/MIME signatures against a copy of the e-ma ...) {DSA-1813-1} - evolution-data-server 2.24.5-2 (low; bug #508479) CVE-2009-0546 (Stack-based buffer overflow in NewsGator FeedDemon 2.7 and earlier all ...) NOT-FOR-US: NewsGator FeedDemon CVE-2009-0545 (cgi-bin/kerbynet in ZeroShell 1.0beta11 and earlier allows remote atta ...) NOT-FOR-US: ZeroShell CVE-2009-0544 (Buffer overflow in the PyCrypto ARC2 module 2.0.1 allows remote attack ...) {DSA-1726-1} - python-crypto 2.0.1+dfsg1-3 (bug #516660) CVE-2009-0543 (ProFTPD Server 1.3.1, with NLS support enabled, allows remote attacker ...) {DSA-1730-1 DSA-1727-1} - proftpd-dfsg 1.3.2-1 (medium; bug #516388) [etch] - proftpd-dfsg (etch version not affected) [lenny] - proftpd-dfsg 1.3.1-17lenny2 CVE-2009-0542 (SQL injection vulnerability in ProFTPD Server 1.3.1 through 1.3.2rc2 a ...) {DSA-1730-1 DSA-1727-1} - proftpd-dfsg 1.3.2-1 (medium; bug #516388) [etch] - proftpd-dfsg (etch version not affected) [lenny] - proftpd-dfsg 1.3.1-17lenny2 CVE-2009-0541 (Multiple cross-site scripting (XSS) vulnerabilities in Magento 1.2.0 a ...) NOT-FOR-US: Magento CVE-2009-0540 (Cross-site scripting (XSS) vulnerability in Libero 5.3 SP5, and possib ...) NOT-FOR-US: Libero CVE-2009-0539 RESERVED CVE-2009-0538 (Format string vulnerability in Symantec pcAnywhere before 12.5 SP1 all ...) NOT-FOR-US: Symantec pcAnywhere CVE-2009-0537 (Integer overflow in the fts_build function in fts.c in libc in (1) Ope ...) - glibc (Vulnerable code not present) NOTE: glibc checks the comlete path length being not longer than USHRT_MAX NOTE: and closes the directory path + free of structures in case , io/fts.c line 727 CVE-2009-0536 (at in bos.rte.cron on IBM AIX 5.2.0, 5.3.0 through 5.3.9, and 6.1.0 th ...) NOT-FOR-US: IBM AIX CVE-2009-0535 (Directory traversal vulnerability in export.php in Thyme 1.3 and earli ...) NOT-FOR-US: Thyme CVE-2009-0534 (SQL injection vulnerability in FlexCMS allows remote attackers to exec ...) NOT-FOR-US: FlexCMS CVE-2009-0533 (Cross-site scripting (XSS) vulnerability in password.php in Scripts fo ...) NOT-FOR-US: Sites EZ Reminder CVE-2009-0532 (Cross-site scripting (XSS) vulnerability in password.php in Scripts Fo ...) NOT-FOR-US: Scripts For Sites (SFS) EZ Baby CVE-2009-0531 (SQL injection vulnerability in gallery/view.asp in A Better Member-Bas ...) NOT-FOR-US: A Better Member-Based ASP Photo Gallery CVE-2009-0530 (Multiple PHP remote file inclusion vulnerabilities in SnippetMaster 2. ...) NOT-FOR-US: SnippetMaster CVE-2009-0529 (Cross-site scripting (XSS) vulnerability in index.php in SnippetMaster ...) NOT-FOR-US: SnippetMaster CVE-2009-0528 (SQL injection vulnerability in frame.php in Rhadrix If-CMS 2.07 and ea ...) NOT-FOR-US: Rhadrix If-CMS CVE-2009-0527 (PHP remote file inclusion vulnerability in plugins/rss_importer_functi ...) NOT-FOR-US: AdaptCMS CVE-2009-0526 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Ad ...) NOT-FOR-US: AdaptCMS CVE-2009-0525 (Cross-site scripting (XSS) vulnerability in the sajax_get_common_js fu ...) NOT-FOR-US: Sajax CVE-2008-6141 (Unspecified vulnerability in Avaya IP Softphone 6.0 SP4 and 6.01.85 al ...) NOT-FOR-US: Avaya IP Softphone CVE-2008-6140 (Unspecified vulnerability in the Session Initiation Protocol (SIP) imp ...) NOT-FOR-US: Avaya one-X Desktop Edition CVE-2008-6139 (Directory traversal vulnerability in faqsupport/wce.download.php in We ...) NOT-FOR-US: WebBiscuits Modules Controller CVE-2008-6138 (PHP remote file inclusion vulnerability in adminhead.php in WebBiscuit ...) NOT-FOR-US: WebBiscuits Modules Controller CVE-2008-6137 (EveryBlog 5.x and 6.x, a module for Drupal, allows remote attackers to ...) NOT-FOR-US: EveryBlog CVE-2008-6136 (Unspecified vulnerability in EveryBlog 5.x and 6.x, a module for Drupa ...) NOT-FOR-US: EveryBlog CVE-2008-6135 (Cross-site scripting (XSS) vulnerability in EveryBlog 5.x and 6.x, a m ...) NOT-FOR-US: EveryBlog CVE-2008-6134 (SQL injection vulnerability in EveryBlog 5.x and 6.x, a module for Dru ...) NOT-FOR-US: EveryBlog CVE-2008-6133 (SQL injection vulnerability in arsaprint.php in Full PHP Emlak Script ...) NOT-FOR-US: Full PHP Emlak Script CVE-2008-6132 (Eval injection vulnerability in reserve.php in phpScheduleIt 1.2.10 an ...) NOT-FOR-US: phpScheduleIt CVE-2008-6131 (Session fixation vulnerability in moziloWiki 1.0.1 and earlier allows ...) NOT-FOR-US: moziloWiki CVE-2008-6130 (Cross-site scripting (XSS) vulnerability in index.php in moziloWiki 1. ...) NOT-FOR-US: moziloWiki CVE-2008-6129 (Directory traversal vulnerability in print.php in moziloWiki 1.0.1 and ...) NOT-FOR-US: moziloWiki CVE-2008-6128 (Session fixation vulnerability in moziloCMS 1.10.2 and earlier allows ...) NOT-FOR-US: moziloCMS CVE-2008-6127 (Multiple cross-site scripting (XSS) vulnerabilities in moziloCMS 1.10. ...) NOT-FOR-US: moziloCMS CVE-2008-6126 (Multiple directory traversal vulnerabilities in moziloCMS 1.10.2 and e ...) NOT-FOR-US: moziloCMS CVE-2008-6125 (Unspecified vulnerability in the user editing interface in Moodle 1.5. ...) {DSA-1724-1} - moodle 1.8.2.dfsg-2 CVE-2008-6124 (SQL injection vulnerability in the hotpot_delete_selected_attempts fun ...) {DSA-1691-1} - moodle 1.8.2.dfsg-2 CVE-2008-6123 (The netsnmp_udp_fmtaddr function (snmplib/snmpUDPDomain.c) in net-snmp ...) - net-snmp 5.4.3~dfsg-1 (low; bug #516801) [etch] - net-snmp (Minor issue) [lenny] - net-snmp (Minor issue) CVE-2008-6122 (The web management interface in Netgear WGR614v9 allows remote attacke ...) NOT-FOR-US: Netgear WGR614v9 CVE-2008-6121 (CRLF injection vulnerability in SocialEngine (SE) 2.7 and earlier allo ...) NOT-FOR-US: SocialEngine CVE-2008-6120 (SQL injection vulnerability in profile_comments.php in SocialEngine (S ...) NOT-FOR-US: SocialEngine CVE-2008-6119 (Static code injection vulnerability in gooplecms/admin/account/action/ ...) NOT-FOR-US: Goople CMS CVE-2008-6118 (win/content/upload.php in Goople CMS 1.7 allows remote attackers to by ...) NOT-FOR-US: Goople CMS CVE-2008-6117 (SQL injection vulnerability in homepage.php in PG Job Site Pro allows ...) NOT-FOR-US: PG Job Site Pro CVE-2008-6116 (SQL injection vulnerability in the EXtrovert Software Thyme (com_thyme ...) NOT-FOR-US: Joomla! CVE-2008-6115 (SQL injection vulnerability in directory.php in Prozilla Hosting Index ...) NOT-FOR-US: Prozilla Hosting Index CVE-2008-6114 (SQL injection vulnerability in product_details.php in the Mytipper Zog ...) NOT-FOR-US: Mytipper Zogo-shop CVE-2008-6113 (Cross-site scripting (XSS) vulnerability in SemanticScuttle before 0.9 ...) NOT-FOR-US: SemanticScuttle CVE-2008-6112 (Multiple directory traversal vulnerabilities in Ez Ringtone Manager al ...) NOT-FOR-US: Ez Ringtone Manager CVE-2008-6111 (SQL injection vulnerability in blog.php in NetArt Media Vlog System 1. ...) NOT-FOR-US: NetArt Media Vlog System CVE-2009-XXXX [nautilus: potential exploits via application launchers] - nautilus 2.26.2-1 (low; bug #515104) [lenny] - nautilus (Minor issue) [etch] - nautilus (Minor issue) NOTE: need to submit a request for CVE id CVE-2009-XXXX [konqueror: potential exploits via application launchers] - kdebase (unimportant; bug #515106) NOTE: Minor impact, any attack would still require a significant amount of social engineering CVE-2009-0737 (Multiple cross-site scripting (XSS) vulnerabilities in the web-based i ...) {DSA-1901-1} - mediawiki 1:1.14.0-1 (low; bug #514547) - mediawiki1.7 [lenny] - mediawiki 1:1.12.0-2lenny3 [etch] - mediawiki (metapackage) CVE-2009-0524 (Cross-site scripting (XSS) vulnerability in Adobe RoboHelp 6 and 7, an ...) NOT-FOR-US: Adobe RoboHelp CVE-2009-0523 (Cross-site scripting (XSS) vulnerability in Adobe RoboHelp Server 6 an ...) NOT-FOR-US: Adobe RoboHelp CVE-2009-0522 (Adobe Flash Player 9.x before 9.0.159.0 and 10.x before 10.0.22.87 on ...) NOT-FOR-US: Adobe Flash Player CVE-2009-0521 (Untrusted search path vulnerability in Adobe Flash Player 9.x before 9 ...) NOT-FOR-US: Adobe Flash Player CVE-2009-0520 (Adobe Flash Player 9.x before 9.0.159.0 and 10.x before 10.0.22.87 doe ...) NOT-FOR-US: Adobe Flash Player CVE-2009-0519 (Unspecified vulnerability in Adobe Flash Player 9.x before 9.0.159.0 a ...) NOT-FOR-US: Adobe Flash Player CVE-2009-0518 (VI Client in VMware VirtualCenter before 2.5 Update 4, VMware ESXi 3.5 ...) NOT-FOR-US: VMware CVE-2009-0517 (Eval injection vulnerability in index.php in phpSlash 0.8.1.1 and earl ...) NOT-FOR-US: phpSlash CVE-2009-0516 (SQL injection vulnerability in the classified page (classified.php) in ...) NOT-FOR-US: BusinessSpace CVE-2009-0515 (Directory traversal vulnerability in check_lang.php in Yet Another NOC ...) NOT-FOR-US: YANOCC CVE-2009-0514 (Multiple directory traversal vulnerabilities in WebFrame 0.76 allow re ...) NOT-FOR-US: WebFrame CVE-2009-0513 (Multiple PHP remote file inclusion vulnerabilities in WebFrame 0.76 al ...) NOT-FOR-US: WebFrame CVE-2009-0512 (Heap-based buffer overflow in the JBIG2 filter in Adobe Reader 7 and A ...) NOT-FOR-US: Adobe Reader CVE-2009-0511 (Heap-based buffer overflow in the JBIG2 filter in Adobe Reader 7 and A ...) NOT-FOR-US: Adobe Reader CVE-2009-0510 (Heap-based buffer overflow in the JBIG2 filter in Adobe Reader 7 and A ...) NOT-FOR-US: Adobe Reader CVE-2009-0509 (Heap-based buffer overflow in the JBIG2 filter in Adobe Reader 7 and A ...) NOT-FOR-US: Adobe Reader CVE-2009-0508 (The Servlet Engine/Web Container and JSP components in IBM WebSphere A ...) NOT-FOR-US: IBM WebSphere CVE-2009-0507 (IBM WebSphere Process Server (WPS) 6.1.2 before 6.1.2.3 and 6.2 before ...) NOT-FOR-US: IBM WebSphere CVE-2009-0506 (Unspecified vulnerability in IBM WebSphere Application Server (WAS) 5. ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2009-0505 (The CICS listener in IBM TXSeries for Multiplatforms 6.2 GA waits for ...) NOT-FOR-US: IBM TXSeries CVE-2009-0504 (WSPolicy in the Web Services component in IBM WebSphere Application Se ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2009-0503 (IBM WebSphere Message Broker 6.1.x before 6.1.0.2 writes a database co ...) NOT-FOR-US: IBM WebSphere CVE-2008-6110 (Unspecified vulnerability in SemanticScuttle before 0.90 has unknown i ...) NOT-FOR-US: SemanticScuttle CVE-2008-6109 (Robin Rawson-Tetley Animal Shelter Manager (ASM) before 2.2.2 does not ...) NOT-FOR-US: Robin Rawson-Tetley Animal Shelter Manager CVE-2008-6108 (Cross-site scripting (XSS) vulnerability in result.php in Galatolo Web ...) NOT-FOR-US: Galatolo WebManager CVE-2008-6107 (The (1) sys32_mremap function in arch/sparc64/kernel/sys_sparc32.c, th ...) - linux-2.6 2.6.25-4 (low) - linux-2.6.24 CVE-2008-6106 (Cross-site request forgery (CSRF) vulnerability in IBM Workplace for B ...) NOT-FOR-US: IBM Workplace for Business Controls CVE-2008-6105 (Cross-site scripting (XSS) vulnerability in IBM Workplace for Business ...) NOT-FOR-US: IBM Workplace for Business Controls CVE-2008-6104 (SQL injection vulnerability in A4Desk PHP Event Calendar allows remote ...) NOT-FOR-US: A4Desk PHP Event Calendar CVE-2008-6103 (PHP remote file inclusion vulnerability in index.php in A4Desk Event C ...) NOT-FOR-US: A4Desk PHP Event Calendar CVE-2008-6102 (SQL injection vulnerability in ratelink.php in Link Trader Script allo ...) NOT-FOR-US: Link Trader Script CVE-2008-6101 (SQL injection vulnerability in click.php in Adult Banner Exchange Webs ...) NOT-FOR-US: Adult Banner Exchange Website CVE-2008-6100 (Multiple SQL injection vulnerabilities in Discussion Forums 2k 3.3, wh ...) NOT-FOR-US: Discussion Forums CVE-2008-6099 (PHP remote file inclusion vulnerability in index.php in RPortal 1.1 an ...) NOT-FOR-US: RPortal CVE-2009-0502 (Cross-site scripting (XSS) vulnerability in blocks/html/block_html.php ...) {DSA-1724-1} - moodle 1.8.2.dfsg-3 (low) NOTE: MSA-09-0004 CVE-2009-0501 (Unspecified vulnerability in the Calendar export feature in Moodle 1.8 ...) {DTSA-195-1} - moodle 1.8.2.dfsg-4 (low) [etch] - moodle (Vulnerable code not present) CVE-2009-0500 (Cross-site scripting (XSS) vulnerability in course/lib.php in Moodle 1 ...) {DSA-1724-1 DTSA-195-1} - moodle 1.8.2.dfsg-3 (low) CVE-2009-0499 (Cross-site request forgery (CSRF) vulnerability in the forum code in M ...) - moodle 1.8.2.dfsg-3 (low) [etch] - moodle (Vulnerable code not present) CVE-2009-0498 (Virtual GuestBook (vgbook) 2.1 stores sensitive information under the ...) NOT-FOR-US: Virtual GuestBook CVE-2009-0497 (Directory traversal vulnerability in log.jsp in Ignite Realtime Openfi ...) NOT-FOR-US: Openfire CVE-2009-0496 (Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime ...) NOT-FOR-US: Openfire CVE-2009-0495 (PHP remote file inclusion vulnerability in include/define.php in REALT ...) NOT-FOR-US: REALTOR CVE-2009-0494 (SQL injection vulnerability in the Portfol (com_portfol) 1.2 component ...) NOT-FOR-US: Joomla! CVE-2009-0493 (SQL injection vulnerability in login.php in IT!CMS 2.1a and earlier al ...) NOT-FOR-US: IT CMS CVE-2009-0492 (Unspecified vulnerability in SimpleIrcBot before 1.0 Stable has unknow ...) NOT-FOR-US: SimpleIrcBot CVE-2009-0491 (Stack-based buffer overflow in Elecard MPEG Player 5.5 build 15884.081 ...) NOT-FOR-US: Elecard MPEG Player CVE-2009-0488 (Cross-site scripting (XSS) vulnerability in Phorum before 5.2.10 allow ...) NOT-FOR-US: Phorum CVE-2009-0486 (Bugzilla 3.2.1, 3.0.7, and 3.3.2, when running under mod_perl, calls t ...) - bugzilla 3.2.4.0-1 (bug #514143) [etch] - bugzilla (Versions before 3.2.1, 3.0.7, and 3.3.2 were not affected) [lenny] - bugzilla (Versions before 3.2.1, 3.0.7, and 3.3.2 were not affected) CVE-2009-0485 (Cross-site request forgery (CSRF) vulnerability in Bugzilla 2.17 to 2. ...) - bugzilla 3.2.4.0-1 (low; bug #514143) [etch] - bugzilla (Minor issue) [lenny] - bugzilla (Minor issue) CVE-2009-0484 (Cross-site request forgery (CSRF) vulnerability in Bugzilla 3.0 before ...) - bugzilla 3.2.4.0-1 (low; bug #514143) [etch] - bugzilla (Minor issue) [lenny] - bugzilla (Minor issue) CVE-2009-0483 (Cross-site request forgery (CSRF) vulnerability in Bugzilla 2.22 befor ...) - bugzilla 3.2.4.0-1 (low; bug #514143) [etch] - bugzilla (Minor issue) [lenny] - bugzilla (Minor issue) CVE-2009-0482 (Cross-site request forgery (CSRF) vulnerability in Bugzilla before 3.2 ...) - bugzilla 3.2.4.0-1 (low; bug #514143) [etch] - bugzilla (Minor issue) [lenny] - bugzilla (Minor issue) CVE-2009-0481 (Bugzilla 2.x before 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3. ...) - bugzilla 3.2.4.0-1 (low; bug #514143) [etch] - bugzilla (Minor issue) [lenny] - bugzilla (Minor issue) CVE-2009-0480 (The IP implementation in Sun Solaris 8 through 10, and OpenSolaris bef ...) NOT-FOR-US: Solaris CVE-2008-6098 (Bugzilla 3.2 before 3.2 RC2, 3.0 before 3.0.6, 2.22 before 2.22.6, 2.2 ...) - bugzilla (unimportant) CVE-2008-6097 (Multiple cross-site scripting (XSS) vulnerabilities in WikyBlog before ...) NOT-FOR-US: WikyBlog CVE-2008-6096 (Cross-site scripting (XSS) vulnerability in Juniper NetScreen ScreenOS ...) NOT-FOR-US: Juniper NetScreen ScreenOS CVE-2008-6095 (Cross-site scripting (XSS) vulnerability in surveillanceView.htm in Op ...) NOT-FOR-US: OpenNMS CVE-2008-6094 (Cross-site scripting (XSS) vulnerability in user.do in Celoxis Technol ...) NOT-FOR-US: Celoxis Technologies Celoxis CVE-2008-6093 (SQL injection vulnerability in index.php in Noname CMS 1.0, when magic ...) NOT-FOR-US: Noname CMS CVE-2008-6092 (phpscripts Ranking Script allows remote attackers to bypass authentica ...) NOT-FOR-US: phpscripts Ranking Script CVE-2008-6091 (SQL injection vulnerability in plugins.php in BMForum 5.6, when magic_ ...) NOT-FOR-US: BMForum CVE-2009-0489 (The DBus configuration file for Wicd before 1.5.9 allows arbitrary use ...) - wicd 1.5.9-1 CVE-2009-0479 (Multiple SQL injection vulnerabilities in admin/admin_login.php in Onl ...) NOT-FOR-US: Online Grades CVE-2009-0477 (Unspecified vulnerability in the process (aka proc) filesystem in Sun ...) NOT-FOR-US: OpenSolaris CVE-2009-0476 (Stack-based buffer overflow in MultiMedia Soft AdjMmsEng.dll 7.11.1.0 ...) NOT-FOR-US: MultiMedia Soft audio components CVE-2009-0475 (Integer underflow in the Huffman decoding functionality (pvmp3_huffman ...) NOT-FOR-US: OpenCORE CVE-2009-0474 (The web interface in the Rockwell Automation ControlLogix 1756-ENBT/A ...) NOT-FOR-US: Rockwell EtherNet/IP Bridge Module CVE-2009-0473 (Open redirect vulnerability in the web interface in the Rockwell Autom ...) NOT-FOR-US: Rockwell EtherNet/IP Bridge Module CVE-2009-0472 (Multiple cross-site scripting (XSS) vulnerabilities in the web interfa ...) NOT-FOR-US: Rockwell EtherNet/IP Bridge Module CVE-2009-0471 (Cross-site request forgery (CSRF) vulnerability in the HTTP server in ...) NOT-FOR-US: Cisco IOS CVE-2009-0470 (Multiple cross-site scripting (XSS) vulnerabilities in the HTTP server ...) NOT-FOR-US: Cisco IOS CVE-2009-0469 (Unspecified vulnerability in futomi's CGI Cafe Fulltext search CGI 1.1 ...) NOT-FOR-US: futomi's CGI Cafe CVE-2009-0468 (Multiple cross-site request forgery (CSRF) vulnerabilities in ajax.htm ...) NOT-FOR-US: Profense Web Application Firewall CVE-2009-0467 (Cross-site scripting (XSS) vulnerability in proxy.html in Profense Web ...) NOT-FOR-US: Profense Web Application Firewall CVE-2009-0466 (Cross-site scripting (XSS) vulnerability in Vivvo CMS before 4.1.1 all ...) NOT-FOR-US: Vivvo CMS CVE-2009-0465 (The SaveDoc method in the All_In_The_Box.AllBox ActiveX control in ALL ...) NOT-FOR-US: Synactis ALL In-The-Box ActiveX 3 CVE-2009-0464 (PHP remote file inclusion vulnerability in includes/header.php in Groo ...) NOT-FOR-US: Groone GBook CVE-2009-0463 (PHP remote file inclusion vulnerability in includes/header.php in Groo ...) NOT-FOR-US: Groone GLinks CVE-2009-0462 (Multiple SQL injection vulnerabilities in customer_login_check.asp in ...) NOT-FOR-US: ClickTech ClickCart CVE-2009-0461 (Whole Hog Password Protect: Enhanced 1.x allows remote attackers to by ...) NOT-FOR-US: Whole Hog Password Protect CVE-2009-0460 (Whole Hog Ware Support 1.x allows remote attackers to bypass authentic ...) NOT-FOR-US: Whole Hog Ware Support CVE-2009-0459 (Multiple SQL injection vulnerabilities in admin/login_submit.php in Wh ...) NOT-FOR-US: Whole Hog Password Protect CVE-2009-0458 (Multiple SQL injection vulnerabilities in admin/login_submit.php in Wh ...) NOT-FOR-US: Whole Hog Ware Support CVE-2009-0457 (Multiple directory traversal vulnerabilities in AJA Portal 1.2 allow r ...) NOT-FOR-US: AJA Portal CVE-2009-0456 (PHP remote file inclusion vulnerability in examples/example_clientside ...) NOT-FOR-US: patForms CVE-2009-0455 (Cross-site scripting (XSS) vulnerability in the anonymous comments fea ...) NOT-FOR-US: glFusion CVE-2009-0454 (Multiple SQL injection vulnerabilities in DMXReady Online Notebook Man ...) NOT-FOR-US: DMXReady Online Notebook Manager CVE-2009-0453 (Online Grades 3.2.4 allows remote attackers to obtain configuration in ...) NOT-FOR-US: Online Grades CVE-2009-0452 (Multiple SQL injection vulnerabilities in parents/login.php in Online ...) NOT-FOR-US: Online Grades CVE-2009-0451 (SQL injection vulnerability in Skalfa SkaLinks 1.5 allows remote attac ...) NOT-FOR-US: Skalfa SkaLinks CVE-2009-0450 (Stack-based buffer overflow in BlazeVideo HDTV Player 3.5 and earlier ...) NOT-FOR-US: BlazeVideo CVE-2009-0449 (Buffer overflow in klim5.sys in Kaspersky Anti-Virus for Workstations ...) NOT-FOR-US: Kaspersky Anti-Virus CVE-2009-0448 (Directory traversal vulnerability in admin/modules/aa/preview.php in S ...) NOT-FOR-US: Syntax Desktop CVE-2009-0447 (Multiple SQL injection vulnerabilities in default.asp in MyDesign Saya ...) NOT-FOR-US: MyDesign Sayac CVE-2009-0446 (SQL injection vulnerability in photo.php in WEBalbum 2.4b allows remot ...) NOT-FOR-US: WEBalbum CVE-2009-0445 (SQL injection vulnerability in index.php in Dreampics Gallery Builder ...) NOT-FOR-US: Dreampics Gallery Builder CVE-2009-0444 (Multiple PHP remote file inclusion vulnerabilities in GRBoard 1.8, whe ...) NOT-FOR-US: GRBoard CVE-2009-0443 (Stack-based buffer overflow in Elecard AVC HD PLAYER 5.5.90116 allows ...) NOT-FOR-US: Elecard AVC HD PLAYER CVE-2009-0442 (Directory traversal vulnerability in bbcode.php in PHPbbBook 1.3 and 1 ...) NOT-FOR-US: PHPbbBook CVE-2009-0441 (PHP remote file inclusion vulnerability in skin_shop/standard/2_view_b ...) NOT-FOR-US: Technote CVE-2009-0440 (IBM WebSphere Partner Gateway (WPG) 6.0.0 through 6.0.0.7 does not pro ...) NOT-FOR-US: IBM WebSphere Partner Gateway CVE-2009-0439 (Unspecified vulnerability in the queue manager in IBM WebSphere MQ (WM ...) NOT-FOR-US: IBM WebSphere CVE-2009-0438 (IBM WebSphere Application Server (WAS) 7 before 7.0.0.1 on Windows all ...) NOT-FOR-US: IBM WebSphere CVE-2009-0437 (The Installation Factory installation process for IBM WebSphere Applic ...) NOT-FOR-US: IBM WebSphere CVE-2009-0436 (The (1) mod_ibm_ssl and (2) mod_cgid modules in IBM HTTP Server 6.0.x ...) NOT-FOR-US: IBM HTTP Server CVE-2009-0435 (Unspecified vulnerability in the IBM Asynchronous I/O (aka AIO or libi ...) NOT-FOR-US: IBM WebSphere CVE-2009-0434 (PerfServlet in the PMI/Performance Tools component in IBM WebSphere Ap ...) NOT-FOR-US: IBM WebSphere CVE-2009-0433 (Unspecified vulnerability in IBM WebSphere Application Server (WAS) 5. ...) NOT-FOR-US: IBM WebSphere CVE-2009-0432 (The installation process for the File Transfer servlet in the System M ...) NOT-FOR-US: IBM WebSphere CVE-2008-6090 (Directory traversal vulnerability in members.php in ScriptsEz Mini Hos ...) NOT-FOR-US: ScriptsEz Mini Hosting Panel CVE-2008-6089 (Directory traversal vulnerability in main.php in ScriptsEz Easy Image ...) NOT-FOR-US: ScriptsEz CVE-2008-6088 (SQL injection vulnerability in the Joomtracker (com_joomtracker) 1.01 ...) NOT-FOR-US: Joomla! CVE-2008-6087 (Cross-site scripting (XSS) vulnerability in topic.php in Camera Life 2 ...) NOT-FOR-US: Camera Life CVE-2008-6086 (SQL injection vulnerability in album.php in Camera Life 2.6.2b4 allows ...) NOT-FOR-US: Camera Life CVE-2008-6085 (Integer overflow in multiple F-Secure anti-virus products, including I ...) NOT-FOR-US: F-Secure CVE-2008-6084 (Unrestricted file upload vulnerability in pages/download.php in Iamma ...) NOT-FOR-US: Iamma Simple Gallery CVE-2008-6083 (Directory traversal vulnerability in header.php in TXTshop beta 1.0 al ...) NOT-FOR-US: TXTshop CVE-2008-6082 (Titan FTP Server 6.26 build 630 allows remote attackers to cause a den ...) NOT-FOR-US: Titan FTP Server CVE-2008-6081 (SQL injection vulnerability in contact.php in Simple Customer 1.2 allo ...) NOT-FOR-US: Simple Customer CVE-2008-6080 (Directory traversal vulnerability in download.php in the ionFiles (com ...) NOT-FOR-US: Joomla! CVE-2008-6079 (imlib2 before 1.4.2 allows context-dependent attackers to have an unsp ...) {DSA-2029-1} - imlib2 1.4.2-1 (bug #576469) NOTE: poked upstream for more details CVE-2008-6078 (SQL injection vulnerability in open.php in the Private Messaging (com_ ...) NOT-FOR-US: Limbo CMS CVE-2008-6077 (SQL injection vulnerability in loudblog/ajax.php in LoudBlog 0.8.0a an ...) NOT-FOR-US: LoudBlog CVE-2008-6076 (SQL injection vulnerability in the Daily Message (com_dailymessage) 1. ...) NOT-FOR-US: Joomla! CVE-2008-6075 (SQL injection vulnerability in aspkat.asp in Bahar Download Script 2.0 ...) NOT-FOR-US: Bahar Download Script CVE-2008-6074 (Directory traversal vulnerability in frame.php in phpcrs 2.06 and earl ...) NOT-FOR-US: phpcrs CVE-2008-6073 (StorageCrypt 2.0.1 does not properly encrypt disks, which allows local ...) NOT-FOR-US: StorageCrypt CVE-2008-6072 (Multiple unspecified vulnerabilities in GraphicsMagick before 1.1.14, ...) {DSA-1903-1} - graphicsmagick 1.2.3-1 CVE-2008-6071 (Heap-based buffer overflow in the DecodeImage function in coders/pict. ...) {DSA-1903-1} - graphicsmagick 1.2.3-1 CVE-2008-6070 (Multiple heap-based buffer underflows in the ReadPALMImage function in ...) {DSA-1903-1} - graphicsmagick 1.2.3-1 CVE-2008-6069 (SQL injection vulnerability in e107chat.php in the eChat plugin 4.2 fo ...) NOT-FOR-US: eChat plugin CVE-2008-6068 (SQL injection vulnerability in the JoomlaDate (com_joomladate) compone ...) NOT-FOR-US: Joomla! CVE-2003-1569 (GoAhead WebServer before 2.1.5 on Windows 95, 98, and ME allows remote ...) NOT-FOR-US: Windows CVE-2003-1568 (GoAhead WebServer before 2.1.6 allows remote attackers to cause a deni ...) NOT-FOR-US: GoAhead WebServer CVE-2002-2431 (Unspecified vulnerability in GoAhead WebServer before 2.1.4 allows rem ...) NOT-FOR-US: GoAhead WebServer CVE-2002-2430 (GoAhead WebServer before 2.1.1 allows remote attackers to cause a deni ...) NOT-FOR-US: GoAhead WebServer CVE-2002-2429 (webs.c in GoAhead WebServer before 2.1.4 allows remote attackers to ca ...) NOT-FOR-US: GoAhead WebServer CVE-2002-2428 (webs.c in GoAhead WebServer before 2.1.4 allows remote attackers to ca ...) NOT-FOR-US: GoAhead WebServer CVE-2002-2427 (The security handler in GoAhead WebServer before 2.1.1 allows remote a ...) NOT-FOR-US: GoAhead WebServer CVE-2008-7272 (FireGPG before 0.6 handle user’s passphrase and decrypted cleart ...) - iceweasel-firegpg (bug #514386) CVE-2008-7273 (A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure ...) - iceweasel-firegpg (bug #514386) CVE-2009-0431 (SQL injection vulnerability in Default.asp in LinksPro Standard Editio ...) NOT-FOR-US: LinksPro CVE-2009-0430 (Multiple cross-site scripting (XSS) vulnerabilities in Active Bids all ...) NOT-FOR-US: Active Bids CVE-2009-0429 (Multiple SQL injection vulnerabilities in Active Bids allow remote att ...) NOT-FOR-US: Active Bids CVE-2009-0428 (SQL injection vulnerability in CategoryManager/upload_image_category.a ...) NOT-FOR-US: DMXReady Secure Document CVE-2009-0427 (SQL injection vulnerability in CategoryManager/upload_image_category.a ...) NOT-FOR-US: DMXReady Secure Document CVE-2009-0426 (SQL injection vulnerability in CategoryManager/upload_image_category.a ...) NOT-FOR-US: DMXReady Secure Document CVE-2009-0425 (SQL injection vulnerability in index.php in Blue Eye CMS 1.0.0 and ear ...) NOT-FOR-US: Blue Eye CMS CVE-2009-0424 (Cross-site scripting (XSS) vulnerability in sign1.php in AN Guestbook ...) NOT-FOR-US: AN Guestbook CVE-2009-0423 (Directory traversal vulnerability in index.php in Php Photo Album (PHP ...) NOT-FOR-US: Php Photo Album CVE-2009-0422 (Dynamic variable evaluation vulnerability in lists/admin.php in phpLis ...) - phplist (bug #612288) CVE-2009-0421 (SQL injection vulnerability in the Eventing (com_eventing) 1.6.x compo ...) NOT-FOR-US: Joomla! CVE-2009-0420 (SQL injection vulnerability in the RD-Autos (com_rdautos) 1.5.5 Stable ...) NOT-FOR-US: Joomla! CVE-2009-0419 (Microsoft XML Core Services, as used in Microsoft Expression Web, Offi ...) NOT-FOR-US: Microsoft CVE-2009-0418 (The IPv6 Neighbor Discovery Protocol (NDP) implementation in HP HP-UX ...) NOT-FOR-US: HP HP-UX CVE-2008-6067 REJECTED CVE-2008-6066 (Multiple PHP remote file inclusion vulnerabilities in Meet#Web 0.8 all ...) NOT-FOR-US: Meet#Web CVE-2008-6065 (Oracle Database Server 10.1, 10.2, and 11g grants directory WRITE perm ...) NOT-FOR-US: Oracle Database Server CVE-2008-6064 (Multiple SQL injection vulnerabilities in DomPHP 0.81 allow remote att ...) NOT-FOR-US: DomPHP CVE-2008-6063 (Microsoft Word 2007, when the "Save as PDF" add-on is enabled, places ...) NOT-FOR-US: Microsoft CVE-2008-6062 (Cross-site scripting (XSS) vulnerability in ActionScript in arbitrary ...) NOT-FOR-US: Adobe Dreamweaver CVE-2008-6061 (Cross-site scripting (XSS) vulnerability in ActionScript in arbitrary ...) NOT-FOR-US: Techsmith Camtasia Studio CVE-2008-6060 (Cross-site scripting (XSS) vulnerability in ActionScript in arbitrary ...) NOT-FOR-US: InfoSoft FusionCharts CVE-2008-6059 (xml/XMLHttpRequest.cpp in WebCore in WebKit before r38566 does not pro ...) - webkit (bug #516555; low) NOTE: webkit in linux needs libsoup for cookie support CVE-2008-6058 (Syslserve 1.058 and earlier, and probably 1.059, allows remote attacke ...) NOT-FOR-US: Syslserve CVE-2008-6057 (Doug Luxem Liberum Help Desk 0.97.3 stores db/helpdesk2000.mdb under t ...) NOT-FOR-US: Doug Luxem Liberum Help Desk CVE-2008-6056 (Multiple cross-site scripting (XSS) vulnerabilities in World Recipe 2. ...) NOT-FOR-US: World Recipe CVE-2008-6055 (PreProjects Pre Classified Listings stores pclasp.mdb under the web ro ...) NOT-FOR-US: PreProjects Pre Classified Listings CVE-2008-6054 (PreProjects Pre Courier and Cargo Business stores dbcourior.mdb under ...) NOT-FOR-US: PreProjects Pre Classified Listings CVE-2008-6053 (PreProjects Pre Resume Submitter stores onlineresume.mdb under the web ...) NOT-FOR-US: PreProjects Pre Classified Listings CVE-2008-6052 (PreProjects Pre E-Learning Portal stores db_elearning.mdb under the we ...) NOT-FOR-US: PreProjects Pre Classified Listings CVE-2008-6051 (MetaCart Free stores metacart.mdb under the web root with insufficient ...) NOT-FOR-US: MetaCart Free CVE-2008-6050 (SQL injection vulnerability in the Tech Articles (com_tech_article) 1. ...) NOT-FOR-US: Tech Articles CVE-2008-6049 REJECTED CVE-2008-6048 (Multiple cross-site request forgery (CSRF) vulnerabilities in TangoCMS ...) NOT-FOR-US: TangoCMS CVE-2008-6047 (Cross-site scripting (XSS) vulnerability in ADbNewsSender before 1.5.2 ...) NOT-FOR-US: ADbNewsSender CVE-2008-6046 (SQL injection vulnerability in ADbNewsSender before 1.5.2 allows remot ...) NOT-FOR-US: ADbNewsSender CVE-2009-0417 (Cross-site scripting (XSS) vulnerability in the AgaviWebRouting::gen(n ...) NOT-FOR-US: Agavi CVE-2009-0416 (The SSL certificate setup program (genSslCert.sh) in Standards Based L ...) NOT-FOR-US: sblim-sfcb CVE-2009-0415 (Untrusted search path vulnerability in trickle 1.07 allows local users ...) - trickle 1.07-6 (bug #513456; low) [etch] - trickle (Minor issue) CVE-2009-0413 (Cross-site scripting (XSS) vulnerability in RoundCube Webmail (roundcu ...) - roundcube 0.2~stable-1 (low; bug #514179) [lenny] - roundcube (Vulnerable code not present) CVE-2009-0412 (The ProcessLogin function in class.auth.php in Interspire Shopping Car ...) NOT-FOR-US: Interspire Shopping Cart CVE-2009-0411 (Google Chrome before 1.0.154.46 does not properly restrict access from ...) - chromium-browser (Only 1.x is affected) - webkit (chrome-specific issue) CVE-2009-0410 (Off-by-one error in the SMTP daemon in GroupWise Internet Agent (GWIA) ...) NOT-FOR-US: Novell GroupWise CVE-2009-0409 (SQL injection vulnerability in offline_auth.php in Max.Blog 1.0.6 and ...) NOT-FOR-US: Max.Blog CVE-2009-0408 (Cross-site request forgery (CSRF) vulnerability in osCommerce 2.2 RC 2 ...) NOT-FOR-US: osCommerce CVE-2009-0407 (SQL injection vulnerability in admin/login.php in PHP-CMS Project 1 al ...) NOT-FOR-US: PHP-CMS CVE-2009-0406 (SQL injection vulnerability in index.php in Community CMS 0.4 and earl ...) NOT-FOR-US: Community CMS CVE-2009-0405 (SQL injection vulnerability in articles.php in smartSite CMS 1.0 allow ...) NOT-FOR-US: smartSite CMS CVE-2009-0404 (Multiple cross-site scripting (XSS) vulnerabilities in Bioinformatics ...) NOT-FOR-US: Bioinformatics htmLawed CVE-2009-0403 (SQL injection vulnerability in admin/authenticate.php in Chipmunk Blog ...) NOT-FOR-US: Chipmunk Blogger Script CVE-2009-0402 (SQL injection vulnerability in client/new_account.php in Domain Techno ...) NOT-FOR-US: Domain Technologie Control CVE-2009-0401 (SQL injection vulnerability in browsecats.php in E-Php CMS allows remo ...) NOT-FOR-US: E-Php CMS CVE-2009-0400 (SQL injection vulnerability in blog.php in SocialEngine 3.06 trial all ...) NOT-FOR-US: SocialEngine CVE-2009-0399 (Chipmunk Blogger Script allows remote attackers to gain administrator ...) NOT-FOR-US: Chipmunk Blogger Script CVE-2009-0398 (Array index error in the gst_qtp_trak_handler function in gst/qtdemux/ ...) - gst-plugins-good0.10 (Vulnerable code not present) - gst-plugins-bad0.10 (Vulnerable code not present) CVE-2009-0397 (Heap-based buffer overflow in the qtdemux_parse_samples function in gs ...) {DSA-1729-1} - gst-plugins-good0.10 0.10.8-4.1 (bug #514177) [lenny] - gst-plugins-good0.10 0.10.8-4.1~lenny1 [etch] - gst-plugins-good0.10 (plugin in other package) - gst-plugins-bad0.10 0.10.4-1 CVE-2009-0396 (The Sony Ericsson W910i, W660i, K618i, K610i, Z610i, K810i, K660i, W88 ...) NOT-FOR-US: Sony Ericsson CVE-2009-0395 (SQL injection vulnerability in the login feature in NetArt Media Car P ...) NOT-FOR-US: NetArt Media Car Portal CVE-2009-0394 (SQL injection vulnerability in login.php in Pre Lecture Exercises (PLE ...) NOT-FOR-US: Pre Lecture Exercises CVE-2009-0393 (Cross-site scripting (XSS) vulnerability in sysconf.cgi in Motorola Wi ...) NOT-FOR-US: Motorola Wimax CVE-2009-0392 (Directory traversal vulnerability in sysconf.cgi in Motorola Wimax mod ...) NOT-FOR-US: Motorola Wimax CVE-2009-0391 (Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6. ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2009-0390 (Argument injection vulnerability in Enomaly Elastic Computing Platform ...) NOT-FOR-US: Enomaly Elastic Computing Platform CVE-2009-0389 (Multiple insecure method vulnerabilities in the Web On Windows (WOW) A ...) NOT-FOR-US: ActiveX CVE-2009-0388 (Multiple integer signedness errors in (1) UltraVNC 1.0.2 and 1.0.5 and ...) - tightvnc (bug in the windows-specific client connection code) NOTE: http://bugs.debian.org/528204 CVE-2009-0387 (Array index error in the qtdemux_parse_samples function in gst/qtdemux ...) {DSA-1729-1} - gst-plugins-good0.10 0.10.8-4.1 (bug #514177) [lenny] - gst-plugins-good0.10 0.10.8-4.1~lenny1 [etch] - gst-plugins-good0.10 (plugin in other package) - gst-plugins-bad0.10 0.10.4-1 CVE-2009-0386 (Heap-based buffer overflow in the qtdemux_parse_samples function in gs ...) {DSA-1729-1} - gst-plugins-good0.10 0.10.8-4.1 (bug #514177) [lenny] - gst-plugins-good0.10 0.10.8-4.1~lenny1 [etch] - gst-plugins-good0.10 (plugin in other package) - gst-plugins-bad0.10 0.10.4-1 CVE-2009-0384 (SQL injection vulnerability in autor.php in OwnRS CMS 1.2 allows remot ...) NOT-FOR-US: OwnRS CMS CVE-2009-0383 (delete.php in Max.Blog 1.0.6 does not properly restrict access, which ...) NOT-FOR-US: Max.Blog CVE-2009-0382 (Unspecified vulnerability in Internationalization (i18n) Translation 5 ...) - drupal5 (Translation module not packaged) - drupal6 (Issue only affects the 5.x branch) CVE-2009-0381 (SQL injection vulnerability in the BazaarBuilder Ecommerce Shopping Ca ...) NOT-FOR-US: BazaarBuilder Ecommerce Shopping Cart CVE-2009-0380 NOT-FOR-US: Sigsiu Online Business Index CVE-2009-0379 (SQL injection vulnerability in the Prince Clan Chess Club (com_pcchess ...) NOT-FOR-US: Prince Clan Chess Club CVE-2009-0378 (Cross-site scripting (XSS) vulnerability in index.php in the beamospet ...) NOT-FOR-US: Joomla! CVE-2009-0377 (SQL injection vulnerability in the beamospetition (com_beamospetition) ...) NOT-FOR-US: Joomla! CVE-2009-0376 (Heap-based buffer overflow in a DLL file in RealNetworks RealPlayer 10 ...) NOT-FOR-US: RealPlayer CVE-2009-0375 (Buffer overflow in a DLL file in RealNetworks RealPlayer 10, RealPlaye ...) NOT-FOR-US: RealPlayer CVE-2009-0374 - chromium-browser (unimportant) - webkit (poc doesn't work) CVE-2009-0373 (SQL injection vulnerability in the ElearningForce Flash Magazine Delux ...) NOT-FOR-US: Joomla! CVE-2009-0372 (Unrestricted file upload vulnerability in index.php in Miltenovik Mano ...) NOT-FOR-US: Miltenovik Manojlo MemHT Portal CVE-2009-0371 (Directory traversal vulnerability in post.php in SiteXS CMS 0.1.1 and ...) NOT-FOR-US: SiteXS CMS CVE-2009-0370 (Multiple unspecified vulnerabilities in IBM AIX 5.2.0 through 6.1.2 al ...) NOT-FOR-US: IBM AIX CVE-2009-0369 (Microsoft Internet Explorer 7 allows remote attackers to trick a user ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-6045 (Session fixation vulnerability in shopping_cart.php in xt:Commerce 3.0 ...) NOT-FOR-US: xt:Commerce CVE-2008-6044 (Cross-site scripting (XSS) vulnerability in advanced_search_result.php ...) NOT-FOR-US: xt:Commerce CVE-2008-6043 (Multiple SQL injection vulnerabilities in PHP Pro Bid (PPB) 6.04 allow ...) NOT-FOR-US: PHP Pro Bid CVE-2008-6042 (SQL injection vulnerability in the re_search module in NetArtMedia Rea ...) NOT-FOR-US: NetArtMedia Real Estate Portal CVE-2008-6041 (Multiple cross-site scripting (XSS) vulnerabilities in Index.asp in Da ...) NOT-FOR-US: Dataspade CVE-2008-6040 (SQL injection vulnerability in index.php in Arcadem Pro 2.700 through ...) NOT-FOR-US: Arcadem Pro CVE-2008-6039 (Session fixation vulnerability in BLUEPAGE CMS 2.5 and earlier allows ...) NOT-FOR-US: BLUEPAGE CMS CVE-2008-6038 (SQL injection vulnerability in index.php in MapCal 0.1 allows remote a ...) NOT-FOR-US: MapCal CVE-2008-6037 (SQL injection vulnerability in view.php in AvailScript Article Script ...) NOT-FOR-US: AvailScript Article Script CVE-2008-6036 (PHP remote file inclusion vulnerability in main.inc.php in BaseBuilder ...) NOT-FOR-US: BaseBuilder CVE-2008-6035 (Cross-site scripting (XSS) vulnerability in dispatch.php in Achievo 1. ...) NOT-FOR-US: Achievo CVE-2008-6034 (Cross-site scripting (XSS) vulnerability in dispatch.php in Achievo 1. ...) NOT-FOR-US: Achievo CVE-2008-6033 (SQL injection vulnerability in comments.php in WSN Links 2.20 allows r ...) NOT-FOR-US: WSN Links CVE-2008-6032 (SQL injection vulnerability in comments.php in WSN Links Free 4.0.34P ...) NOT-FOR-US: WSN Links CVE-2008-6031 (SQL injection vulnerability in vote.php in WSN Links 2.22 and 2.23 all ...) NOT-FOR-US: WSN Links CVE-2008-6030 (Multiple SQL injection vulnerabilities in NetArtMedia Jobs Portal 1.3 ...) NOT-FOR-US: NetArtMedia Jobs Portal CVE-2008-6029 (SQL injection vulnerability in search.php in BuzzyWall 1.3.1 and earli ...) NOT-FOR-US: BuzzyWall CVE-2008-6028 (SQL injection vulnerability in list.php in University of Queensland Li ...) NOT-FOR-US: Library Fez CVE-2008-6027 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in BL ...) NOT-FOR-US: BLUEPAGE CMS CVE-2008-6026 (SQL injection vulnerability in tienda.php in BlueCUBE CMS allows remot ...) NOT-FOR-US: BlueCUBE CMS CVE-2008-6025 (Directory traversal vulnerability in scr/form.php in openElec 3.01 and ...) NOT-FOR-US: openElec CVE-2008-6024 (Unspecified vulnerability in the NFSv4 client module in the kernel on ...) NOT-FOR-US: Sun Solaris CVE-2008-6023 (PHP remote file inclusion vulnerability in includes/todofleetcontrol.p ...) NOT-FOR-US: Xnova CVE-2008-6022 (PHP remote file inclusion vulnerability in includes/todofleetcontrol.p ...) NOT-FOR-US: Xnova CVE-2008-6021 (Multiple unspecified vulnerabilities in Attachmate Reflection for Secu ...) NOT-FOR-US: Attachmate Reflection CVE-2008-6020 (SQL injection vulnerability in the Views module 6.x before 6.x-2.2 for ...) NOT-FOR-US: View module (drupal module) CVE-2008-6019 (SQL injection vulnerability in index.php in EACOMM DO-CMS 3.0 allows r ...) NOT-FOR-US: EACOMM DO-CMS CVE-2008-6018 (Directory traversal vulnerability in index.php in MyPHPSite, when magi ...) NOT-FOR-US: MyPHPSite CVE-2008-6017 (SQL injection vulnerability in messages.php in I-Rater Basic allows re ...) NOT-FOR-US: I-Rater Basic CVE-2008-6016 (SQL injection vulnerability in questions.php in EsFaq 2.0 allows remot ...) NOT-FOR-US: EsFaq CVE-2008-6015 (Multiple SQL injection vulnerabilities in search.php in EsFaq 2.0 allo ...) NOT-FOR-US: EsFaq CVE-2008-6014 (SQL injection vulnerability in scripts/links.php in Rianxosencabos CMS ...) NOT-FOR-US: Rianxosencabos CMS CVE-2008-6013 (Multiple SQL injection vulnerabilities in Freeway before 1.4.3.210 all ...) NOT-FOR-US: Freeway CVE-2008-6012 (Directory traversal vulnerability in index.php in Pritlog 0.4 and earl ...) NOT-FOR-US: Pritlog CVE-2008-6011 (SQL injection vulnerability in index.php in SG Real Estate Portal 2.0 ...) NOT-FOR-US: SG Real Estate Portal CVE-2008-6010 (Multiple directory traversal vulnerabilities in SG Real Estate Portal ...) NOT-FOR-US: SG Real Estate Portal CVE-2008-6009 (SG Real Estate Portal 2.0 allows remote attackers to bypass authentica ...) NOT-FOR-US: SG Real Estate Portal CVE-2008-6008 (hyBook Guestbook Script stores sensitive information under the web roo ...) NOT-FOR-US: hyBook Guestbook Script CVE-2008-6007 (SQL injection vulnerability in view_group.php in QuidaScript BookMarks ...) NOT-FOR-US: QuidaScript BookMarks Favourites Script CVE-2008-6006 (Multiple PHP remote file inclusion vulnerabilities in Micronation Bank ...) NOT-FOR-US: Micronation Banking System CVE-2009-0487 (Cross-site scripting (XSS) vulnerability in Mahara before 1.0.9 allows ...) - mahara 1.0.9-1 (low) [lenny] - mahara 1.0.4-4 CVE-2009-0478 (Squid 2.7 to 2.7.STABLE5, 3.0 to 3.0.STABLE12, and 3.1 to 3.1.0.4 allo ...) {DSA-1732-1} - squid 2.7.STABLE3-4.1 (medium; bug #514142) - squid3 3.0.STABLE8-3 (medium) [etch] - squid (Vulnerable code not present) CVE-2009-XXXX [glpi sql injection] - glpi 0.71.5-1 (bug #513611; unimportant) NOTE: Only supported behind an authenticated HTTP zone CVE-2009-0490 (Stack-based buffer overflow in the String_parse::get_nonspace_quoted f ...) {DTSA-192-1} - audacity 1.3.6-1 (bug #514138) [lenny] - audacity 1.3.5-2+lenny1 CVE-2009-0368 (OpenSC before 0.11.7 allows physically proximate attackers to bypass i ...) {DSA-1734-1} - opensc 0.11.7-1 [etch] - opensc (vulnerable code not present) CVE-2009-0367 (The Python AI module in Wesnoth 1.4.x and 1.5 before 1.5.11 allows rem ...) {DSA-1737-1} - wesnoth 1:1.4.7-4 CVE-2009-0366 (The uncompress_buffer function in src/server/simple_wml.cpp in Wesnoth ...) {DSA-1737-1} - wesnoth 1:1.4.7-4 CVE-2009-0365 (nm-applet.conf in GNOME NetworkManager before 0.7.0.99 contains an inc ...) {DSA-1955-1} - network-manager-applet 0.7.0.99-1 (medium; bug #519801) - network-manager 0.6.5-1 (medium) NOTE: network-manager in lenny not affected, because it is in network-manager-applet CVE-2009-0364 (Format string vulnerability in the mini_calendar component in Citadel. ...) {DSA-1752-1} - webcit 7.38b-dfsg-2 (low) CVE-2009-0363 (Multiple buffer overflows in (a) BarnOwl before 1.0.5 and (b) owl 2.1. ...) {DTSA-197-1} - barnowl 1.0.5-1 [lenny] - barnowl 1.0.1-4 - owl 2.2.2-1 (bug #515118) [lenny] - owl (Minor issue) [etch] - owl (Minor issue) CVE-2009-0362 (filter.d/wuftpd.conf in Fail2ban 0.8.3 uses an incorrect regular expre ...) - fail2ban 0.8.3-2sid1 (low; bug #514163) CVE-2009-0361 (Russ Allbery pam-krb5 before 3.13, as used by libpam-heimdal, su in So ...) {DSA-1722-1 DSA-1721-1} - libpam-heimdal 3.10-2.1 (bug #516695) - libpam-krb5 3.13-2 [lenny] - libpam-krb5 3.11-4 CVE-2009-0360 (Russ Allbery pam-krb5 before 3.13, when linked against MIT Kerberos, d ...) {DSA-1721-1} - libpam-krb5 3.13-2 [lenny] - libpam-krb5 3.11-4 CVE-2009-0359 (Multiple cross-site scripting (XSS) vulnerabilities in Samizdat before ...) {DTSA-194-1} - samizdat 0.6.2-2 CVE-2009-0358 (Mozilla Firefox 3.x before 3.0.6 does not properly implement the (1) n ...) - iceweasel 3.0 [etch] - iceweasel (Only affects Firefox 3.x) NOTE: Iceweasel in Lenny links against Xulrunner - xulrunner 1.9.0.5-1 [etch] - xulrunner (Only affects Xulrunner 1.9) CVE-2009-0357 (Mozilla Firefox before 3.0.6 and SeaMonkey before 1.1.15 do not proper ...) - iceweasel 3.0 [etch] - iceweasel (Etch Packages no longer covered by security support) NOTE: Iceweasel in Lenny links against Xulrunner - xulrunner 1.9.0.5-1 [etch] - xulrunner (Etch Packages no longer covered by security support) - iceape 1.1.14-1.1 [etch] - iceape (Etch Packages no longer covered by security support) NOTE: Iceape in Lenny only provides XPCOM libs - kompozer 1:0.8~alpha2+dfsg+svn129-1 CVE-2009-0356 (Mozilla Firefox before 3.0.6 and SeaMonkey do not block links to the ( ...) - iceweasel 3.0 [etch] - iceweasel (Etch Packages no longer covered by security support) NOTE: Iceweasel in Lenny links against Xulrunner - xulrunner 1.9.0.5-1 [etch] - xulrunner (Etch Packages no longer covered by security support) - iceape 1.1.14-1.1 [etch] - iceape (Etch Packages no longer covered by security support) NOTE: Iceape in Lenny only provides XPCOM libs - kompozer (.desktop file support is not available) CVE-2009-0355 (components/sessionstore/src/nsSessionStore.js in Mozilla Firefox befor ...) - iceweasel 3.0.6-1 [etch] - iceweasel (Etch Packages no longer covered by security support) CVE-2009-0354 (Cross-domain vulnerability in js/src/jsobj.cpp in Mozilla Firefox 3.x ...) - iceweasel 3.0 [etch] - iceweasel (Only affects Firefox 3.x) NOTE: Iceweasel in Lenny links against Xulrunner - xulrunner 1.9.0.5-1 [etch] - xulrunner (Only affects Xulrunner 1.9) CVE-2009-0353 (Unspecified vulnerability in Mozilla Firefox 3.x before 3.0.6, Thunder ...) {DSA-1830-1} - iceweasel 3.0 [etch] - iceweasel (Etch Packages no longer covered by security support) NOTE: Iceweasel in Lenny links against Xulrunner - xulrunner 1.9.0.5-1 [etch] - xulrunner (Etch Packages no longer covered by security support) - iceape 1.1.14-1.1 [etch] - iceape (Etch Packages no longer covered by security support) NOTE: Iceape in Lenny only provides XPCOM libs - icedove 2.0.0.22-1 (bug #535124) [squeeze] - icedove 2.0.0.22-0lenny1 CVE-2009-0352 (Multiple unspecified vulnerabilities in Mozilla Firefox 3.x before 3.0 ...) {DSA-1830-1} - iceweasel 3.0 [etch] - iceweasel (Etch Packages no longer covered by security support) NOTE: Iceweasel in Lenny links against Xulrunner - xulrunner 1.9.0.5-1 [etch] - xulrunner (Etch Packages no longer covered by security support) - iceape 1.1.14-1.1 [etch] - iceape (Etch Packages no longer covered by security support) NOTE: Iceape in Lenny only provides XPCOM libs - icedove 2.0.0.22-1 (bug #535124) [squeeze] - icedove 2.0.0.22-0lenny1 - kompozer 1:0.8~alpha2+dfsg+svn129-1 CVE-2009-0343 (Niels Provos Systrace 1.6f and earlier on the x86_64 Linux platform al ...) - systrace CVE-2009-0342 (Niels Provos Systrace before 1.6f on the x86_64 Linux platform allows ...) - systrace CVE-2009-0351 (Stack-based buffer overflow in WFTPSRV.exe in WinFTP 2.3.0 allows remo ...) NOT-FOR-US: WinFTP CVE-2009-0350 (Stack-based buffer overflow in Merak Media Player 3.2 allows remote at ...) NOT-FOR-US: Merak Media Player CVE-2009-0349 (Stack-based buffer overflow in FTPShell Server 4.3 allows user-assiste ...) NOT-FOR-US: FTPShell Server CVE-2009-0348 (The login module in Sun Java System Access Manager 6 2005Q1 (aka 6.3), ...) NOT-FOR-US: Sun Java System Access Manager CVE-2009-0347 (Open redirect vulnerability in cs.html in the Autonomy (formerly Verit ...) NOT-FOR-US: Autonomy (formerly Verity) Ultraseek search engine CVE-2009-0346 (The IP-in-IP packet processing implementation in the IPsec and IP stac ...) NOT-FOR-US: Sun Solaris CVE-2009-0345 (Unspecified vulnerability in the Embedded Lights Out Manager (ELOM) on ...) NOT-FOR-US: Embedded Lights Out Manager (ELOM) CVE-2009-0344 (Unspecified vulnerability in the Embedded Lights Out Manager (ELOM) on ...) NOT-FOR-US: Embedded Lights Out Manager (ELOM) CVE-2009-0341 (The shell32 module in Microsoft Internet Explorer 7.0 on Windows XP SP ...) NOT-FOR-US: Microsoft CVE-2009-0340 (Multiple directory traversal vulnerabilities in Simple PHP Newsletter ...) NOT-FOR-US: Simple PHP Newsletter CVE-2009-0339 (SQL injection vulnerability in inc_webblogmanager.asp in DMXReady Blog ...) NOT-FOR-US: DMXReady Blog Manager CVE-2009-0338 (Cross-site scripting (XSS) vulnerability in inc_webblogmanager.asp in ...) NOT-FOR-US: DMXReady Blog Manager CVE-2009-0337 (SQL injection vulnerability in index.asp in Katy Whitton BlogIt! allow ...) NOT-FOR-US: Katy Whitton BlogIt! CVE-2009-0336 (Katy Whitton BlogIt! stores sensitive information under the web root w ...) NOT-FOR-US: Katy Whitton BlogIt! CVE-2009-0335 (Cross-site scripting (XSS) vulnerability in index.asp in Katy Whitton ...) NOT-FOR-US: Katy Whitton BlogIt! CVE-2009-0334 (SQL injection vulnerability in index.asp in Katy Whitton BlogIt! allow ...) NOT-FOR-US: Katy Whitton BlogIt! CVE-2009-0333 (SQL injection vulnerability in the WebAmoeba (WA) Ticket System (com_w ...) NOT-FOR-US: Joomla! CVE-2009-0332 (Multiple SQL injection vulnerabilities in AV Book Library before 1.1 a ...) NOT-FOR-US: AV Book Library CVE-2009-0331 (Directory traversal vulnerability in gallery/comment.php in Enhanced S ...) NOT-FOR-US: Enhanced Simple PHP Gallery (ESPG) CVE-2009-0330 (Directory traversal vulnerability in index.php in Simple Content Manag ...) NOT-FOR-US: Simple Content Management System (SCMS) CVE-2009-0329 (SQL injection vulnerability in the PcCookBook (com_pccookbook) compone ...) NOT-FOR-US: Joomla! CVE-2009-0328 (ROBS-PROJECTS Digital Sales IPN (aka DS-IPN.NET or DS-IPN Paypal Shop) ...) NOT-FOR-US: ROBS-PROJECTS Digital Sales IPN CVE-2009-0327 (SQL injection vulnerability in readbible.php in Free Bible Search PHP ...) NOT-FOR-US: Free Bible Search PHP Script CVE-2009-0326 (SQL injection vulnerability in login.php in Dark Age CMS 0.2c beta all ...) NOT-FOR-US: Dark Age CMS CVE-2009-0325 (Directory traversal vulnerability in entries/index.php in Ninja Blog 4 ...) NOT-FOR-US: Ninja Blog CVE-2009-0324 (Multiple SQL injection vulnerabilities in BibCiter 1.4 allow remote at ...) NOT-FOR-US: BibCiter CVE-2009-0322 (drivers/firmware/dell_rbu.c in the Linux kernel before 2.6.27.13, and ...) {DSA-1794-1 DSA-1787-1 DSA-1749-1} - linux-2.6 2.6.29-1 (low) - linux-2.6.24 CVE-2009-0321 (Apple Safari 3.2.1 (aka AppVer 3.525.27.1) on Windows allows remote at ...) NOT-FOR-US: Apple Safari on Windows CVE-2009-0320 (Microsoft Windows XP, Server 2003 and 2008, and Vista exposes I/O acti ...) NOT-FOR-US: Microsoft Windows CVE-2009-0319 (Unspecified vulnerability in the autofs module in the kernel in Sun So ...) NOT-FOR-US: Solaris CVE-2008-6004 (Cross-site scripting (XSS) vulnerability in search.php in AJ Auction P ...) NOT-FOR-US: AJ Auction Pro Platinum CVE-2008-6003 (SQL injection vulnerability in sellers_othersitem.php in AJ Auction Pr ...) NOT-FOR-US: AJ Auction Pro Platinum CVE-2008-6002 (Absolute path traversal vulnerability in sendfile.php in web-cp 0.5.7, ...) NOT-FOR-US: web-cp CVE-2008-6001 (index.php in ADN Forum 1.0b and earlier allows remote attackers to byp ...) NOT-FOR-US: ADN Forum CVE-2008-6000 (The GDTdiIcpt.sys driver in G DATA AntiVirus 2008, InternetSecurity 20 ...) NOT-FOR-US: G DATA AntiVirus CVE-2008-5999 (Cross-site scripting (XSS) vulnerability in the Ajax Checklist module ...) NOT-FOR-US: Ajax Checklist module for Drupal CVE-2008-5998 (Multiple SQL injection vulnerabilities in the ajax_checklist_save func ...) NOT-FOR-US: Ajax Checklist module for Drupal CVE-2008-5997 (Absolute path traversal vulnerability in admin/fileKontrola/browser.as ...) NOT-FOR-US: Omnicom Content Platform CVE-2008-5996 (Cross-site scripting (XSS) vulnerability in the Simplenews module 5.x ...) NOT-FOR-US: Simplenews module for Drupal CVE-2008-5995 (Cross-site scripting (XSS) vulnerability in the freeCap CAPTCHA (sr_fr ...) NOT-FOR-US: freeCap CAPTCHA extension for TYPO3 CVE-2008-5994 (Cross-site scripting (XSS) vulnerability in index.php in Check Point C ...) NOT-FOR-US: Check Point Connectra CVE-2008-5993 (Directory traversal vulnerability in image.php in Barcode Generator 1D ...) NOT-FOR-US: Barcode Generator 1D CVE-2008-5992 (Multiple SQL injection vulnerabilities in Jetik Emlak Sistem A (ESA) 2 ...) NOT-FOR-US: Jetik Emlak Sistem CVE-2008-5991 (Directory traversal vulnerability in docs.php in MailWatch for MailSca ...) NOT-FOR-US: MailWatch for MailScanner CVE-2008-5990 (Directory traversal vulnerability in connect/init.inc in emergecolab 1 ...) NOT-FOR-US: emergecolab CVE-2008-5989 (Directory traversal vulnerability in defs.php in PHPcounter 1.3.2 and ...) NOT-FOR-US: PHPcounterJadu CMS CVE-2008-5988 (SQL injection vulnerability in scripts/recruit_details.php in Jadu CMS ...) NOT-FOR-US: Jadu CMS CVE-2008-XXXX [minor cyrus sasl DoS] - cyrus-sasl2 2.1.22.dfsg1-18 (bug #465561) [etch] - cyrus-sasl2 (Minor issue) CVE-2009-0385 (Integer signedness error in the fourxm_read_header function in libavfo ...) {DSA-1782-1 DSA-1781-1} - ffmpeg-debian 0.svn20080206-16 (medium; bug #524799) - ffmpeg 0.svn20080206-16 - xmovie - mplayer 1.0~rc2-14 (medium; bug #524805) NOTE: MPlayer links against libavformat since 1.0~rc2-14, etch Mplayer still needs a fix NOTE: http://git.ffmpeg.org/?p=ffmpeg;a=commitdiff;h=72e715fb798f2cb79fd24a6d2eaeafb7c6eeda17 CVE-2009-0318 (Untrusted search path vulnerability in the GObject Python interpreter ...) {DTSA-190-1} - gnumeric 1.8.4-3 (low; bug #513418) [etch] - gnumeric 1.6.3-5.1+etch2 CVE-2009-0317 (Untrusted search path vulnerability in the Python language bindings fo ...) - nautilus-python 0.4.3-3.2 (low; bug #513419) CVE-2009-0316 (Untrusted search path vulnerability in src/if_python.c in the Python i ...) - vim 2:7.2.025-2 (low; bug #493937) [lenny] - vim 1:7.1.314-3+lenny2 [squeeze] - vim 1:7.1.314-3+lenny2 [etch] - vim (Minor issue) NOTE: Not included in this round, could be fixed via next DSA with other issues CVE-2009-0315 (Untrusted search path vulnerability in the Python module in xchat allo ...) - xchat 2.8.6-2.1 (low; bug #513509) [etch] - xchat (Minor issue) CVE-2009-0314 (Untrusted search path vulnerability in the Python module in gedit allo ...) {DTSA-191-1} - gedit 2.22.3-2 (low; bug #513513) [etch] - gedit (Minor issue) CVE-2009-0313 (winetricks before 20081223 allows local users to overwrite arbitrary f ...) NOT-FOR-US: winetricks CVE-2009-0311 (The Backbone service (ftbackbone.exe) in EMC AutoStart before 5.3 SP2 ...) NOT-FOR-US: EMC AutoStart CVE-2009-0310 (Buffer overflow in SUSE blinux (aka sbl) in SUSE openSUSE 10.3 through ...) NOT-FOR-US: SuSE blinux CVE-2009-0309 RESERVED CVE-2009-0308 RESERVED CVE-2009-0307 (Cross-site scripting (XSS) vulnerability in the "Customize Statistics ...) NOT-FOR-US: Motion (RIM) BlackBerry Enterprise Server CVE-2009-0306 (Buffer overflow in the IBM Lotus Notes Intellisync ActiveX control in ...) NOT-FOR-US: IBM Lotus Notes Intellisync ActiveX CVE-2009-0305 (Multiple stack-based buffer overflows in the Research in Motion RIM Ax ...) NOT-FOR-US: ActiveX CVE-2009-0304 (The kernel in Sun Solaris 10 and 11 snv_101b, and OpenSolaris before s ...) NOT-FOR-US: Solaris CVE-2009-0303 (Cross-site scripting (XSS) vulnerability in Web Help Desk before 9.1.1 ...) NOT-FOR-US: Web Help Desk CVE-2009-0302 (SQL injection vulnerability in the Downloads module for PHP-Nuke 8.0 8 ...) NOT-FOR-US: PHP-Nuke CVE-2009-0301 (Multiple insecure method vulnerabilities in the FlexCell.Grid ActiveX ...) NOT-FOR-US: FlexCell Grid Control CVE-2009-0300 REJECTED CVE-2009-0299 (SQL injection vulnerability in index.php in Groone GLinks 2.1 allows r ...) NOT-FOR-US: Groone GLinks CVE-2009-0298 (Heap-based buffer overflow in MW6 Technologies Barcode ActiveX control ...) NOT-FOR-US: MW6 Technologies Barcode CVE-2009-0297 (SQL injection vulnerability in login_check.asp in ClickAuction allows ...) NOT-FOR-US: ClickAuction CVE-2009-0296 (SQL injection vulnerability in shop_display_products.php in Script Tok ...) NOT-FOR-US: Script Toko Online CVE-2009-0295 (SQL injection vulnerability in index.php in Information Technology Lig ...) NOT-FOR-US: ITLPoll CVE-2009-0294 (Multiple PHP remote file inclusion vulnerabilities in WB News 2.0.1, w ...) NOT-FOR-US: WB News CVE-2009-0293 (SQL injection vulnerability in profile_view.php in Wazzum Dating Softw ...) NOT-FOR-US: Wazzum Dating Software CVE-2009-0292 (SQL injection vulnerability in show_cat2.php in SHOP-INET 4 allows rem ...) NOT-FOR-US: SHOP-INET CVE-2009-0291 (Directory traversal vulnerability in fc.php in OpenX 2.6.3 allows remo ...) - openx (bug #513771) CVE-2009-0290 (Directory traversal vulnerability in common.php in SIR GNUBoard 4.31.0 ...) NOT-FOR-US: GNU Board CVE-2009-0289 (k23productions TFTPUtil GUI 1.2.0 and 1.3.0 allows remote attackers to ...) NOT-FOR-US: k23productions TFTPUtil GUI CVE-2009-0288 (Directory traversal vulnerability in k23productions TFTPUtil GUI 1.2.0 ...) NOT-FOR-US: k23productions TFTPUtil GUI CVE-2009-0287 (SQL injection vulnerability in lib/patUser.php in KEEP Toolkit before ...) NOT-FOR-US: KEEP Toolkit CVE-2009-0286 (Directory traversal vulnerability in upgrade/index.php in OpenGoo 1.1, ...) NOT-FOR-US: OpenGoo CVE-2009-0285 (Cross-site scripting (XSS) vulnerability in error.asp in BBSXP 5.13 an ...) NOT-FOR-US: BBSXP CVE-2009-0284 (SQL injection vulnerability in category.php in Flax Article Manager 1. ...) NOT-FOR-US: Flax Article Manager CVE-2009-0283 (Cross-site scripting (XSS) vulnerability in err.asp in Oblog allows re ...) NOT-FOR-US: Oblog CVE-2009-0281 (SQL injection vulnerability in login.aspx in WarHound Walking Club all ...) NOT-FOR-US: WarHound Walking Club CVE-2009-0280 (Asp Project Management 1.0 allows remote attackers to bypass authentic ...) NOT-FOR-US: Asp Project Management CVE-2009-0279 (SQL injection vulnerability in comentar.php in Pardal CMS 0.2.0 and ea ...) NOT-FOR-US: Pardal CMS CVE-2008-5987 (Untrusted search path vulnerability in the Python interface in Eye of ...) - eog 2.22.3-2 (bug #504352; low) [etch] - eog (Vulnerable code not present) CVE-2008-5986 (Untrusted search path vulnerability in the (1) "VST plugin with Python ...) - csound 5.08.2~dfsg-1.1 (bug #504359; low) [lenny] - csound 1:5.08.0.dfsg2-8+lenny2 (bug #504359; low) [etch] - csound (Vulnerable code not present) CVE-2008-5985 (Untrusted search path vulnerability in the Python interface in Epiphan ...) - epiphany-browser 2.22.3-7 (bug #504363; low) [etch] - epiphany-browser (Minor issue, only vulnerable when called from certain dir) CVE-2008-5984 (Untrusted search path vulnerability in the Python plugin in Dia 0.96.1 ...) - dia 0.96.1-7.1 (low; bug #504251) [etch] - dia (Minor issue, only vulnerable when called from certain dir) CVE-2008-5983 (Untrusted search path vulnerability in the PySys_SetArgv API function ...) - python3.1 3.1.2+20100703-1 (low; bug #575780) - python2.6 2.6.5+20100529-1 (low; bug #572010) - python2.5 (low) [etch] - python2.5 (Minor issue) [lenny] - python2.5 (Minor issue) [squeeze] - python2.5 (Minor issue, patch only introduces a new, more secure API) - python2.4 (low) [etch] - python2.4 (Minor issue) [lenny] - python2.4 (Minor issue) NOTE: I suppose the behaviour will be changed in a future Python release, but NOTE: a backport has a significant risk of breakage for little gain. If a NOTE: proper upstream patch should be available, this can be re-evaluated NOTE: http://bugs.python.org/issue5753 CVE-2008-5982 (Format string vulnerability in BMC PATROL Agent before 3.7.30 allows r ...) NOT-FOR-US: BMC PATROL Agent CVE-2009-0323 (Multiple stack-based buffer overflows in W3C Amaya Web Browser 10.0 an ...) - amaya (medium; bug #507587) NOTE: http://www.coresecurity.com/content/amaya-buffer-overflows CVE-2009-0282 (Integer overflow in Ralink Technology USB wireless adapter (RT73) 3.08 ...) {DSA-1714-1 DSA-1713-1 DSA-1712-1} - rt2400 1.2.2+cvs20080623-3 (bug #512999) - rt2500 1:1.1.0-b4+cvs20080623-3 (bug #513000) - rt2570 1.1.0+cvs20080623-2 (bug #513001) - rt73 1:1.0.3.6-cvs20080623-dfsg1-3 (bug #512995) CVE-2009-0312 (Cross-site scripting (XSS) vulnerability in the antispam feature (secu ...) {DSA-1715-1 DTSA-187-1} - moin 1.8.1-1.1 (low) NOTE: http://hg.moinmo.in/moin/1.7/rev/89b91bf87dad CVE-2009-0276 (Cross-domain vulnerability in the V8 JavaScript engine in Google Chrom ...) - chromium-browser (only 1.x is affected) - libv8 1.3.11+dfsg-1 - webkit (libv8 issue) CVE-2009-0274 (Unspecified vulnerability in WebAccess in Novell GroupWise 6.5, 7.0, 7 ...) NOT-FOR-US: Novell GroupWise CVE-2009-0273 (Multiple cross-site scripting (XSS) vulnerabilities in Novell GroupWis ...) NOT-FOR-US: Novell GroupWise CVE-2009-0272 (Cross-site request forgery (CSRF) vulnerability in Novell GroupWise We ...) NOT-FOR-US: Novell GroupWise CVE-2009-0269 (fs/ecryptfs/inode.c in the eCryptfs subsystem in the Linux kernel befo ...) {DSA-1787-1 DSA-1749-1} - linux-2.6 2.6.29-1 [etch] - linux-2.6 (ecryptfs was merged in 2.6.19) - linux-2.6.24 CVE-2009-0265 (Internet Systems Consortium (ISC) BIND 9.6.0 and earlier does not prop ...) - bind9 (vulnerable code not present, introduced in 9.6.x) CVE-2008-5968 (Directory traversal vulnerability in print.php in PHP iCalendar 2.24 a ...) - phpicalendar (bug #513517) CVE-2008-5967 (admin/index.php in PHP iCalendar 2.3.4, 2.24, and earlier does not req ...) - phpicalendar (bug #513517) CVE-2009-0278 (Sun Java System Application Server (AS) 8.1 and 8.2 allows remote atta ...) NOT-FOR-US: Sun Java System Application Server (AS) CVE-2009-0277 (Unspecified vulnerability in the kernel in OpenSolaris snv_100 through ...) NOT-FOR-US: OpenSolaris CVE-2009-0275 (Static code injection vulnerability in admin.php in Ryneezy phoSheezy ...) NOT-FOR-US: Ryneezy phoSheezy CVE-2009-0271 (Directory traversal vulnerability in the TFTP service in Fujitsu Syste ...) NOT-FOR-US: Fujitsu SystemcastWizard Lite CVE-2009-0270 (Stack-based buffer overflow in PXEService.exe in Fujitsu SystemcastWiz ...) NOT-FOR-US: Fujitsu SystemcastWizard Lite CVE-2009-0268 (Race condition in the pseudo-terminal (aka pty) driver module in Sun S ...) NOT-FOR-US: Sun Solaris CVE-2009-0267 (libike in Sun Solaris 9 and 10, and OpenSolaris before snv_100, does n ...) NOT-FOR-US: Sun Solaris CVE-2009-0266 (Stack-based buffer overflow in Triologic Media Player 8.0.0.0 allows u ...) NOT-FOR-US: Triologic Media Player CVE-2009-0264 (Buffer overflow in the Registry Setting Tool in Fujitsu SystemcastWiza ...) NOT-FOR-US: Fujitsu SystemcastWizard Lite CVE-2008-5981 (PacPoll 4.0 stores sensitive information under the web root with insuf ...) NOT-FOR-US: PacPoll CVE-2008-5980 (Ocean12 Mailing List Manager Gold stores sensitive data under the web ...) NOT-FOR-US: Ocean12 Mailing List Manager Gold CVE-2008-5979 (Cross-site scripting (XSS) vulnerability in default.asp in Ocean12 Mai ...) NOT-FOR-US: Ocean12 Mailing List Manager Gold CVE-2008-5978 (Multiple SQL injection vulnerabilities in Ocean12 Mailing List Manager ...) NOT-FOR-US: Ocean12 Mailing List Manager Gold CVE-2008-5977 (SQL injection vulnerability in siteadmin/forgot.php in PHP JOBWEBSITE ...) NOT-FOR-US: PHP JOBWEBSITE PRO CVE-2008-5976 (Multiple cross-site scripting (XSS) vulnerabilities in siteadmin/forgo ...) NOT-FOR-US: PHP JOBWEBSITE PRO CVE-2008-5975 (SQL injection vulnerability in links.asp in Active Price Comparison 4. ...) NOT-FOR-US: Active Price Comparison CVE-2008-5974 (Multiple SQL injection vulnerabilities in login.aspx in Active Price C ...) NOT-FOR-US: Active Price Comparison CVE-2008-5973 (SQL injection vulnerability in login.aspx in Active Web Mail 4.0 allow ...) NOT-FOR-US: Active Web Mail CVE-2008-5972 (SQL injection vulnerability in default.asp in Active Business Director ...) NOT-FOR-US: Active Business Directory CVE-2008-5971 (Cross-site scripting (XSS) vulnerability in profile_social.php in i-Ne ...) NOT-FOR-US: i-Net Solution Orkut Clone CVE-2008-5970 (SQL injection vulnerability in profile_social.php in i-Net Solution Or ...) NOT-FOR-US: i-Net Solution Orkut Clone CVE-2008-5969 (SQL injection vulnerability in popupproduct.php in Sunbyte e-Flower al ...) NOT-FOR-US: Sunbyte e-Flower CVE-2008-5966 (globsy_edit.php in Globsy 1.0 and earlier allows remote attackers to c ...) NOT-FOR-US: Globsy CVE-2008-5965 (Directory traversal vulnerability in index.php in LokiCMS 0.3.4 and ea ...) NOT-FOR-US: LokiCMS CVE-2009-0263 (Multiple buffer overflows in Winamp 5.541 and earlier allow remote att ...) NOT-FOR-US: Winamp CVE-2009-0262 (Stack-based buffer overflow in Triologic Media Player 7 and 8.0.0.0 al ...) NOT-FOR-US: Triologic Media Player CVE-2009-0261 (Stack-based buffer overflow in EffectMatrix Total Video Player 1.31 al ...) NOT-FOR-US: EffectMatrix Total Video Player CVE-2009-0260 (Multiple cross-site scripting (XSS) vulnerabilities in action/AttachFi ...) {DSA-1715-1 DTSA-187-1} - moin 1.8.1-1.1 (bug #513158; low) CVE-2008-5964 (Session fixation vulnerability in Social ImpressCMS before 1.1.1 RC1 a ...) NOT-FOR-US: Social ImpressCMS CVE-2008-5963 (Eval injection vulnerability in library/setup/rpc.php in Gravity Getti ...) NOT-FOR-US: Gravity Getting Things Done CVE-2008-5962 (Directory traversal vulnerability in library/setup/rpc.php in Gravity ...) NOT-FOR-US: Gravity Getting Things Done CVE-2008-5961 (Cross-site scripting (XSS) vulnerability in index.php in Tribiq CMS Co ...) NOT-FOR-US: Tribiq CMS Community CVE-2008-5960 (SQL injection vulnerability in index.php in Tribiq CMS Community 5.0.1 ...) NOT-FOR-US: Tribiq CMS Community CVE-2008-5959 (Multiple SQL injection vulnerabilities in start.asp in Active Test 2.1 ...) NOT-FOR-US: Active Test CVE-2008-5958 (Multiple SQL injection vulnerabilities in Active Test 2.1 allow remote ...) NOT-FOR-US: Active Test CVE-2008-5957 (SQL injection vulnerability in the Mydyngallery (com_mydyngallery) com ...) NOT-FOR-US: Joomla! CVE-2008-5956 (Wbstreet (aka PHPSTREET Webboard) 1.0 stores sensitive information und ...) NOT-FOR-US: Wbstreet CVE-2008-5955 (SQL injection vulnerability in show.php in Wbstreet (aka PHPSTREET Web ...) NOT-FOR-US: Wbstreet CVE-2008-5954 (SQL injection vulnerability in KTP Computer Customer Database (KTPCCD) ...) NOT-FOR-US: KTP Computer Customer Database (KTPCCD) CMS CVE-2008-5953 (Directory traversal vulnerability in KTP Computer Customer Database (K ...) NOT-FOR-US: KTP Computer Customer Database (KTPCCD) CMS CVE-2008-5952 (SQL injection vulnerability in KTP Computer Customer Database (KTPCCD) ...) NOT-FOR-US: KTP Computer Customer Database (KTPCCD) CMS CVE-2008-5951 (ASP Template Creature stores sensitive information under the web root ...) NOT-FOR-US: ASP Template Creature CVE-2008-5950 (SQL injection vulnerability in media/media_level.asp in ASP Template C ...) NOT-FOR-US: ASP Template Creature CVE-2008-5949 (Multiple PHP remote file inclusion vulnerabilities in ccTiddly 1.7.4 a ...) NOT-FOR-US: ccTiddly CVE-2008-5948 (Directory traversal vulnerability in index.php in BNCwi 1.04 and earli ...) NOT-FOR-US: BNCwi CVE-2009-0259 (The Word processor in OpenOffice.org 1.1.2 through 1.1.5 allows remote ...) - openoffice.org 2.0.4.dfsg.2-7 NOTE: Checked with maintainer and issue was fixed long ago, marking etch version as fixed for now CVE-2009-0254 (Stack-based buffer overflow in easyHDR PRO 1.60.2 allows user-assisted ...) NOT-FOR-US: easyHDR PRO CVE-2009-0253 (Mozilla Firefox 3.0.5 allows remote attackers to trick a user into vis ...) NOTE: Mozilla #474967, upstream disputes this being a bug CVE-2009-0252 (Multiple SQL injection vulnerabilities in default.asp in Enthrallweb e ...) NOT-FOR-US: Enthrallweb eReservations CVE-2009-0251 (Static code injection vulnerability in admin.php in Ryneezy phoSheezy ...) NOT-FOR-US: Ryneezy phoSheezy CVE-2009-0250 (Ryneezy phoSheezy 0.2 stores sensitive information under the web root ...) NOT-FOR-US: Ryneezy phoSheezy CVE-2009-0249 (Katy Whitton RankEm stores sensitive information under the web root wi ...) NOT-FOR-US: Katy Whitton RankEm CVE-2009-0248 (Cross-site scripting (XSS) vulnerability in rankup.asp in Katy Whitton ...) NOT-FOR-US: Katy Whitton RankEm CVE-2009-0247 (The server for 53KF Web IM 2009 Home, Professional, and Enterprise edi ...) NOT-FOR-US: 53KF Web IM CVE-2009-0246 (Stack-based buffer overflow in easyHDR PRO 1.60.2 allows user-assisted ...) NOT-FOR-US: easyHDR PRO CVE-2009-0414 (Unspecified vulnerability in Tor before 0.2.0.33 has unspecified impac ...) - tor 0.2.0.33-1 CVE-2009-0245 (Cross-site scripting (XSS) vulnerability in Usagi Project MyNETS 1.2.0 ...) NOT-FOR-US: Usagi Project MyNETS CVE-2009-0244 (Directory traversal vulnerability in the OBEX FTP Service in the Micro ...) NOT-FOR-US: Microsoft product CVE-2009-0243 (Microsoft Windows does not properly enforce the Autorun and NoDriveTyp ...) NOT-FOR-US: Microsoft product CVE-2008-5947 (PHP remote file inclusion vulnerability in include/class_yapbbcooker.p ...) NOT-FOR-US: YapBB CVE-2008-5946 (SQL injection vulnerability in readmore.php in PHP-Fusion 4.01 allows ...) NOT-FOR-US: PHP-Fusion CVE-2008-5945 (Nukeviet 2.0 Beta allows remote attackers to bypass authentication and ...) NOT-FOR-US: Nukeviet CVE-2008-5944 (Cross-site scripting (XSS) vulnerability in modules.php in NavBoard 16 ...) NOT-FOR-US: NavBoard CVE-2008-5943 (Multiple directory traversal vulnerabilities in NavBoard 16 (2.6.0) al ...) NOT-FOR-US: NavBoard CVE-2008-5942 (Multiple cross-site scripting (XSS) vulnerabilities in MODx before 0.9 ...) NOT-FOR-US: MODx CMS CVE-2008-5941 (Cross-site request forgery (CSRF) vulnerability in MODx 0.9.6.1p2 and ...) NOT-FOR-US: MODx CMS CVE-2008-5940 (SQL injection vulnerability in index.php in MODx 0.9.6.2 and earlier, ...) NOT-FOR-US: MODx CMS CVE-2008-5939 (Cross-site scripting (XSS) vulnerability in index.php in MODx CMS 0.9. ...) NOT-FOR-US: MODx CMS CVE-2008-5938 (PHP remote file inclusion vulnerability in assets/snippets/reflect/sni ...) NOT-FOR-US: MODx CMS CVE-2008-5937 (AyeView 2.20 allows user-assisted attackers to cause a denial of servi ...) NOT-FOR-US: AyeView CVE-2008-5936 (front-end/edit.php in mini-pub 0.3 and earlier allows remote attackers ...) NOT-FOR-US: mini-pub CVE-2008-5935 (Facto stores sensitive information under the web root with insufficien ...) NOT-FOR-US: Facto CVE-2008-5934 (SQL injection vulnerability in index.php in CMS ISWEB 3.0 allows remot ...) NOT-FOR-US: CMS ISWEB CVE-2008-5933 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in CM ...) NOT-FOR-US: CMS ISWEB CVE-2008-5932 (CodeAvalanche FreeForum stores sensitive information under the web roo ...) NOT-FOR-US: CodeAvalanche FreeForum CVE-2008-5931 (The Net Guys ASPired2Blog stores sensitive information under the web r ...) NOT-FOR-US: ASPired2Blog CVE-2008-5930 (SQL injection vulnerability in admin/blog_comments.asp in The Net Guys ...) NOT-FOR-US: ASPired2Blog CVE-2008-5929 (VP-ASP Shopping Cart 6.50 stores sensitive information under the web r ...) NOT-FOR-US: VP-ASP Shopping Cart CVE-2008-5928 (SQL injection vulnerability in redir.php in Free Links Directory Scrip ...) NOT-FOR-US: Free Links Directory Script CVE-2008-5927 (Multiple SQL injection vulnerabilities in admin/usercheck.php in FlexP ...) NOT-FOR-US: FlexPHPNews CVE-2008-5926 (Multiple SQL injection vulnerabilities in login.asp in ASP-DEv Interna ...) NOT-FOR-US: ASP-DEv CVE-2008-5925 (ASP-DEv XM Events Diary stores sensitive information under the web roo ...) NOT-FOR-US: ASP-DEv CVE-2008-5924 (SQL injection vulnerability in diary_viewC.asp in ASP-DEv XM Events Di ...) NOT-FOR-US: ASP-DEv CVE-2008-5923 (SQL injection vulnerability in default.asp in ASP-DEv XM Events Diary ...) NOT-FOR-US: ASP-DEv CVE-2008-5922 (Multiple PHP remote file inclusion vulnerabilities in themes/default/i ...) NOT-FOR-US: Cant Find A Gaming CMS CVE-2008-5921 (SQL injection vulnerability in albums.php in Umer Inc Songs Portal all ...) NOT-FOR-US: Umer Inc Songs Portal CVE-2009-0255 (The System extension Install tool in TYPO3 4.0.0 through 4.0.9, 4.1.0 ...) {DSA-1711-1} - typo3-src 4.2.4-1 CVE-2009-0256 (Session fixation vulnerability in the authentication library in TYPO3 ...) {DSA-1711-1} - typo3-src 4.2.4-1 CVE-2009-0257 (Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 4.0.0 thr ...) {DSA-1711-1} - typo3-src 4.2.4-1 CVE-2009-0258 (The Indexed Search Engine (indexed_search) system extension in TYPO3 4 ...) {DSA-1711-1} - typo3-src 4.2.4-1 CVE-2009-0242 REJECTED CVE-2009-0241 (Stack-based buffer overflow in the process_path function in gmetad/ser ...) {DSA-1710-1} - ganglia-monitor-core 2.5.7-5 (medium; bug #512637) CVE-2009-0240 (listing.php in WebSVN 2.0 and possibly 1.7 beta, when using an SVN aut ...) {DSA-1725-1} - websvn 2.0-4+lenny1 (bug #512191) [etch] - websvn (authenthication doesn't exist in that version) CVE-2009-0239 (Cross-site scripting (XSS) vulnerability in Windows Search 4.0 for Mic ...) NOT-FOR-US: Microsoft CVE-2009-0238 (Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Exc ...) NOT-FOR-US: Microsoft CVE-2009-0237 (Cross-site scripting (XSS) vulnerability in cookieauth.dll in the HTML ...) NOT-FOR-US: Microsoft Forefront Threat Management Gateway CVE-2009-0236 REJECTED CVE-2009-0235 (Stack-based buffer overflow in the Word 97 text converter in WordPad i ...) NOT-FOR-US: Microsoft WordPad CVE-2009-0234 (The DNS Resolver Cache Service (aka DNSCache) in Windows DNS Server in ...) NOT-FOR-US: Microsoft Windows CVE-2009-0233 (The DNS Resolver Cache Service (aka DNSCache) in Windows DNS Server in ...) NOT-FOR-US: Microsoft Windows CVE-2009-0232 (Integer overflow in the Embedded OpenType (EOT) Font Engine in Microso ...) NOT-FOR-US: Microsoft Windows CVE-2009-0231 (The Embedded OpenType (EOT) Font Engine (T2EMBED.DLL) in Microsoft Win ...) NOT-FOR-US: Microsoft Windows CVE-2009-0230 (The Windows Print Spooler in Microsoft Windows 2000 SP4, XP SP2 and SP ...) NOT-FOR-US: Microsoft CVE-2009-0229 (The Windows Printing Service in Microsoft Windows 2000 SP4, XP SP2 and ...) NOT-FOR-US: Microsoft CVE-2009-0228 (Stack-based buffer overflow in the EnumeratePrintShares function in Wi ...) NOT-FOR-US: Microsoft CVE-2009-0227 (Stack-based buffer overflow in the PowerPoint 4.2 conversion filter (P ...) NOT-FOR-US: Microsoft CVE-2009-0226 (Stack-based buffer overflow in the PowerPoint 4.2 conversion filter in ...) NOT-FOR-US: Microsoft CVE-2009-0225 (Microsoft Office PowerPoint 2002 SP3 allows remote attackers to execut ...) NOT-FOR-US: Microsoft CVE-2009-0224 (Microsoft Office PowerPoint 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1 ...) NOT-FOR-US: Microsoft CVE-2009-0223 (Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allows re ...) NOT-FOR-US: Microsoft CVE-2009-0222 (Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allows re ...) NOT-FOR-US: Microsoft CVE-2009-0221 (Integer overflow in Microsoft Office PowerPoint 2002 SP3 and 2003 SP3 ...) NOT-FOR-US: Microsoft CVE-2009-0220 (Multiple stack-based buffer overflows in the PowerPoint 4.0 importer ( ...) NOT-FOR-US: Microsoft CVE-2009-0219 (The PDF distiller in the Attachment Service in Research in Motion (RIM ...) NOT-FOR-US: BlackBerry CVE-2009-0218 (Insecure method vulnerability in Particle Software IntraLaunch Applica ...) NOT-FOR-US: IntraLaunch Application Launcher ActiveX control CVE-2009-0217 (The design of the W3C XML Signature Syntax and Processing (XMLDsig) re ...) {DSA-1995-1 DSA-1849-1 DTSA-205-1} - xml-security-c 1.4.0-4 - xmlsec1 1.2.12-1 [lenny] - xmlsec1 (Minor issue) - mono 2.4.2.3+dfsg-1 NOTE: http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html NOTE: http://web.archive.org/web/20090124230233/http://anonsvn.mono-project.com:80/viewvc?view=rev NOTE: http://www.aleksey.com/xmlsec/download.html (1.2.12 has fix) - sun-java6 6-15-1 [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b16-1.6-1 (medium; bug #542210) - openoffice.org 1:3.1.1-16 CVE-2009-0216 (GE Fanuc iFIX 5.0 and earlier relies on client-side authentication inv ...) NOT-FOR-US: GE Fanuc iFIX CVE-2009-0215 (Stack-based buffer overflow in the GetXMLValue method in the IBM Acces ...) NOT-FOR-US: IBM Access Support ActiveX CVE-2009-0214 (Unspecified vulnerability in the WebFGServer application in AREVA e-te ...) NOT-FOR-US: WebFGServer CVE-2009-0213 (Unspecified vulnerability in the NETIO application in AREVA e-terrahab ...) NOT-FOR-US: AREVA e-terrahabitat CVE-2009-0212 (Unspecified vulnerability in the WebFGServer application in AREVA e-te ...) NOT-FOR-US: AREVA e-terrahabitat CVE-2009-0211 (Unspecified vulnerability in the WebFGServer application in AREVA e-te ...) NOT-FOR-US: AREVA e-terrahabitat CVE-2009-0210 (Buffer overflow in the MLF application in AREVA e-terrahabitat 5.7 and ...) NOT-FOR-US: AREVA e-terrahabitat CVE-2009-0209 (PI Server in OSIsoft PI System before 3.4.380.x does not properly use ...) NOT-FOR-US: OSIsoft PI System CVE-2009-0208 (Unspecified vulnerability in HP Virtual Rooms Client before 7.0.1, whe ...) NOT-FOR-US: HP Virtual Rooms Client CVE-2009-0207 (Unspecified vulnerability in HP-UX B.11.11 running VERITAS Oracle Disk ...) NOT-FOR-US: VERITAS Oracle Disk Manager CVE-2009-0206 (Unspecified vulnerability in NFS in HP ONCplus B.11.31.05 and earlier ...) NOT-FOR-US: HP ONCplus CVE-2009-0205 RESERVED CVE-2009-0204 (Cross-site scripting (XSS) vulnerability in HP Select Access 6.1 and 6 ...) NOT-FOR-US: HP Select Access CVE-2009-0203 RESERVED CVE-2009-0202 (Array index error in FL21WIN.DLL in the PowerPoint Freelance Windows 2 ...) NOT-FOR-US: Microsoft CVE-2009-0201 (Heap-based buffer overflow in OpenOffice.org (OOo) before 3.1.1 and St ...) {DSA-1880-1} - openoffice.org 1:3.1.1~ooo310m15-1 CVE-2009-0200 (Integer underflow in OpenOffice.org (OOo) before 3.1.1 and StarOffice/ ...) {DSA-1880-1} - openoffice.org 1:3.1.1~ooo310m15-1 CVE-2009-0199 (Heap-based buffer overflow in the VMnc media codec in vmnc.dll in VMwa ...) NOT-FOR-US: VMware Movie Decoder CVE-2009-0198 (Heap-based buffer overflow in the JBIG2 filter in Adobe Reader 7 and A ...) NOT-FOR-US: Adobe Reader CVE-2009-0197 (Integer overflow in the FORMATS Plugin before 4.23 for IrfanView allow ...) NOT-FOR-US: IrfanView CVE-2009-0196 (Heap-based buffer overflow in the big2_decode_symbol_dict function (jb ...) {DSA-2080-1 DTSA-198-1} - ghostscript 8.64~dfsg-1.1 (medium; bug #524803) - gs-gpl (medium; bug #561717) - jbig2dec (already fixed in initial upload) CVE-2009-0195 (Heap-based buffer overflow in Xpdf 3.02pl2 and earlier, CUPS 1.3.9, an ...) {DSA-1790-1} - xpdf 3.02-1.4+lenny1 (medium; bug #524809) [squeeze] - xpdf 3.02-1.4+lenny1 CVE-2009-0194 (The domain-locking implementation in the GARMINAXCONTROL.GarminAxContr ...) NOT-FOR-US: Garmin Communicator Plug-In CVE-2009-0193 (Heap-based buffer overflow in Adobe Acrobat Reader 9 before 9.1, 8 bef ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2009-0192 (Off-by-one error in the iMonitor component in Novell eDirectory 8.8 SP ...) NOT-FOR-US: Novell eDirectory CVE-2009-0191 (Foxit Reader 2.3 before Build 3902 and 3.0 before Build 1506, includin ...) NOT-FOR-US: Foxit Reader CVE-2009-0190 REJECTED CVE-2009-0189 REJECTED CVE-2009-0188 (Apple QuickTime before 7.6.2 allows remote attackers to execute arbitr ...) NOT-FOR-US: Apple QuickTime CVE-2009-0187 (Stack-based buffer overflow in Orbit Downloader 2.8.2 and 2.8.3, and p ...) NOT-FOR-US: Orbit Downloader CVE-2009-0186 (Integer overflow in libsndfile 1.0.18, as used in Winamp and other pro ...) {DSA-1742-1 DTSA-202-1} - libsndfile 1.0.19-1 (medium) CVE-2009-0185 (Heap-based buffer overflow in Apple QuickTime before 7.6.2 allows remo ...) NOT-FOR-US: Apple QuickTime CVE-2009-0184 (Multiple buffer overflows in the torrent parsing implementation in Fre ...) NOT-FOR-US: Free Download Manager CVE-2009-0183 (Stack-based buffer overflow in Remote Control Server in Free Download ...) NOT-FOR-US: Free Download Manager CVE-2009-0182 (Buffer overflow in VUPlayer 2.49 and earlier allows user-assisted atta ...) NOT-FOR-US: VUPlayer CVE-2009-0181 (Buffer overflow in VUPlayer allows user-assisted attackers to have an ...) NOT-FOR-US: VUPlayer CVE-2009-0180 (Certain Fedora build scripts for nfs-utils before 1.1.2-9.fc9 on Fedor ...) NOT-FOR-US: Fedora specific issue CVE-2009-0179 (libmikmod 3.1.11 through 3.2.0, as used by MikMod and possibly other p ...) - libmikmod 3.1.11-6.1 (low; bug #476339) [etch] - libmikmod (Minor issue) [lenny] - libmikmod (Minor issue) CVE-2009-0178 (Unspecified vulnerability in IBM Hardware Management Console (HMC) 7 r ...) NOT-FOR-US: IBM Hardware Management Console CVE-2009-0177 (vmwarebase.dll, as used in the vmware-authd service (aka vmware-authd. ...) NOT-FOR-US: vmware-authd CVE-2009-0176 (Multiple heap-based buffer overflows in the PDF distiller in the Attac ...) NOT-FOR-US: Attachment Service in Research in Motion CVE-2009-0175 (Heap-based buffer overflow in Heathco Software MP3 TrackMaker 1.5 allo ...) NOT-FOR-US: Heathco Software MP3 TrackMaker CVE-2009-0174 (Stack-based buffer overflow in VUPlayer 2.49 allows remote attackers t ...) NOT-FOR-US: VUPlayer CVE-2008-5920 (The create_anchors function in utils.inc in WebSVN 1.x allows remote a ...) - websvn 1.61-21 (bug #503330) CVE-2008-5917 (Cross-site scripting (XSS) vulnerability in the XSS filter (framework/ ...) {DSA-1765-1} - horde3 3.2.2+debian0-2 (bug #512592) CVE-2008-5916 (gitweb/gitweb.perl in gitweb in Git 1.6.x before 1.6.0.6, 1.5.6.x befo ...) {DSA-1708-1} - git-core 1:1.5.6.5-2 (low) CVE-2008-5915 (An unspecified function in the JavaScript implementation in Google Chr ...) NOT-FOR-US: Google CVE-2008-5914 (An unspecified function in the JavaScript implementation in Apple Safa ...) NOT-FOR-US: Apple CVE-2008-5913 (The Math.random function in the JavaScript implementation in Mozilla F ...) - xulrunner 1.9.1.10-1 (unimportant; bug #559792; bug #532516) - iceape 2.0.5-1 (unimportant) [lenny] - iceape (Just a stub package) NOTE: Limited to browser life time CVE-2008-5912 (An unspecified function in the JavaScript implementation in Microsoft ...) NOT-FOR-US: Microsoft CVE-2008-5911 (Multiple buffer overflows in RealNetworks Helix Server and Helix Mobil ...) NOT-FOR-US: RealNetworks Helix CVE-2007-6720 (libmikmod 3.1.9 through 3.2.0, as used by MikMod, SDL-mixer, and possi ...) - libmikmod 3.1.11-6.1 (low; bug #461519) [etch] - libmikmod (Minor issue) [lenny] - libmikmod (Minor issue) - sdl-mixer1.2 1.2.8-1 (low; bug #422021) [etch] - sdl-mixer1.2 (Minor issue) CVE-2009-0173 (Unspecified vulnerability in the server in IBM DB2 8 before FP17a, 9.1 ...) NOT-FOR-US: IBM DB2 CVE-2009-0172 (Unspecified vulnerability in IBM DB2 8 before FP17a, 9.1 before FP6a, ...) NOT-FOR-US: IBM DB2 9.1 CVE-2009-0171 (The Sun SPARC Enterprise M4000 and M5000 Server, within a certain rang ...) NOT-FOR-US: Sun SPARC Enterprise M4000 and M5000 Server CVE-2009-0170 (Sun Java System Access Manager 6.3 2005Q1, 7 2005Q4, and 7.1 allows re ...) NOT-FOR-US: Sun Java System Access Manager CVE-2009-0169 (Sun Java System Access Manager 7.1 allows remote authenticated sub-rea ...) NOT-FOR-US: Sun Java System Access Manager CVE-2009-0168 (Unspecified vulnerability in ppdmgr in Sun Solaris 10 and OpenSolaris ...) NOT-FOR-US: ppdmgr in Sun Solaris 10 and OpenSolaris CVE-2009-0167 (Unspecified vulnerability in lpadmin in Sun Solaris 10 and OpenSolaris ...) NOT-FOR-US: lpadmin in Sun Solaris 10 and OpenSolaris CVE-2009-0166 (The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, ...) {DSA-1793-1 DSA-1790-1} - poppler 0.10.6-1 (medium; bug #524806) [lenny] - poppler 0.8.7-2 - cups (Uses poppler's pdftops) - xpdf 3.02-1.4+lenny1 (medium; bug #524809) [squeeze] - xpdf 3.02-1.4+lenny1 - kdegraphics 4:4.0 (medium; bug #524810) - swftools 0.9.2+ds1-2 CVE-2009-0165 (Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, as ...) {DSA-1793-1 DSA-1790-1} - xpdf 3.02-1.4+lenny1 (low; bug #524809) [squeeze] - xpdf 3.02-1.4+lenny1 - kdegraphics 4:4.0 (low; bug #528369) CVE-2009-0164 (The web interface for CUPS before 1.3.10 does not validate the HTTP Ho ...) - cups 1.3.10-1 (low) [lenny] - cups (Minor issue, needs several prerequirements for attack) - cupsys [etch] - cupsys (Minor issue, needs several prerequirements for attack) CVE-2009-0163 (Integer overflow in the TIFF image decoding routines in CUPS 1.3.9 and ...) {DSA-1773-1} - cups 1.3.10-1 - cupsys CVE-2009-0162 (Cross-site scripting (XSS) vulnerability in Safari before 3.2.3, and 4 ...) NOT-FOR-US: Safari CVE-2009-0161 (The OpenSSL::OCSP module for Ruby in Apple Mac OS X 10.5 before 10.5.7 ...) NOT-FOR-US: Mac OS X NOTE: dupe of CVE-2009-0642 CVE-2009-0160 (QuickDraw Manager in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 all ...) NOT-FOR-US: QuickDraw Manager CVE-2009-0159 (Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c ...) {DSA-1801-1} - ntp 1:4.2.4p6+dfsg-2 (low; bug #525373) CVE-2009-0158 (Stack-based buffer overflow in telnet in Apple Mac OS X 10.4.11 and 10 ...) NOT-FOR-US: telnet in Apple Mac OS X CVE-2009-0157 (Heap-based buffer overflow in CFNetwork in Apple Mac OS X 10.5 before ...) NOT-FOR-US: CFNetwork in Apple CVE-2009-0156 (Launch Services in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 allow ...) NOT-FOR-US: Launch Services in Apple Mac OS CVE-2009-0155 (Integer underflow in CoreGraphics in Apple Mac OS X 10.5 before 10.5.7 ...) NOT-FOR-US: CoreGraphics in Apple Mac OS CVE-2009-0154 (Heap-based buffer overflow in Apple Type Services (ATS) in Apple Mac O ...) NOT-FOR-US: Apple Type Services CVE-2009-0153 (International Components for Unicode (ICU) 4.0, 3.6, and other 3.x ver ...) {DSA-1889-1} - icu 4.0.1-1 (low; bug #534590) CVE-2009-0152 (iChat in Apple Mac OS X 10.5 before 10.5.7 disables SSL for AOL Instan ...) NOT-FOR-US: iChat in Apple Mac OS X CVE-2009-0151 (The screen saver in Dock in Apple Mac OS X 10.5 before 10.5.8 does not ...) NOT-FOR-US: screen saver in Dock in Apple Mac OS X CVE-2009-0150 (Stack-based buffer overflow in Apple Mac OS X 10.5 before 10.5.7 allow ...) NOT-FOR-US: Apple Mac OS X CVE-2009-0149 (Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 allows local users to ga ...) NOT-FOR-US: Apple Mac OS X CVE-2009-0148 (Multiple buffer overflows in Cscope before 15.7a allow remote attacker ...) {DSA-1806-1} - cscope 15.7a-1 (low; bug #528510) CVE-2009-0147 (Multiple integer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and ea ...) {DSA-1793-1 DSA-1790-1} - poppler 0.10.6-1 (low; bug #524806) [lenny] - poppler 0.8.7-2 - cups (Uses poppler's pdftops) - xpdf 3.02-1.4+lenny1 (medium; bug #524809) [squeeze] - xpdf 3.02-1.4+lenny1 - kdegraphics 4:4.0 (medium; bug #524810) - swftools 0.9.2+ds1-2 CVE-2009-0146 (Multiple buffer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and ear ...) {DSA-1793-1 DSA-1790-1} - poppler 0.10.6-1 (medium; bug #524806) [lenny] - poppler 0.8.7-2 - cups (Uses poppler's pdftops) - xpdf 3.02-1.4+lenny1 (medium; bug #524809) [squeeze] - xpdf 3.02-1.4+lenny1 - kdegraphics 4:4.0 (medium; bug #524810) - swftools 0.9.2+ds1-2 CVE-2009-0145 (CoreGraphics in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7, iPhone ...) NOT-FOR-US: CoreGraphics in Apple Mac OS X CVE-2009-0144 (CFNetwork in Apple Mac OS X 10.5 before 10.5.7 does not properly parse ...) NOT-FOR-US: CFNetwork in Apple Mac OS X CVE-2009-0143 (Apple iTunes before 8.1 does not properly inform the user about the or ...) NOT-FOR-US: Apple iTunes CVE-2009-0142 (Race condition in AFP Server in Apple Mac OS X 10.5.6 allows local use ...) NOT-FOR-US: Apple Mac OS X CVE-2009-0141 (XTerm in Apple Mac OS X 10.4.11 and 10.5.6, when used with luit, creat ...) NOT-FOR-US: XTerm in Apple Mac OS X CVE-2009-0140 (Unspecified vulnerability in the SMB component in Apple Mac OS X 10.4. ...) NOT-FOR-US: Apple Mac OS X CVE-2009-0139 (Integer overflow in the SMB component in Apple Mac OS X 10.5.6 allows ...) NOT-FOR-US: Apple Mac OS X CVE-2009-0138 (servermgrd (Server Manager) in Apple Mac OS X 10.5.6 does not properly ...) NOT-FOR-US: Apple Mac OS X CVE-2009-0137 (Multiple unspecified vulnerabilities in Safari RSS in Apple Mac OS X 1 ...) NOT-FOR-US: Apple Mac OS X CVE-2009-0134 (Insecure method vulnerability in the EasyGrid.SGCtrl.32 ActiveX contro ...) NOT-FOR-US: EasyGrid.SGCtrl.32 ActiveX control CVE-2008-5910 (Unspecified vulnerability in txzonemgr in Sun OpenSolaris has unknown ...) NOT-FOR-US: txzonemgr in Sun OpenSolaris CVE-2008-5909 (Unspecified vulnerability in conv_lpd in Sun OpenSolaris has unknown i ...) NOT-FOR-US: conv_lpd in Sun OpenSolaris CVE-2008-5908 (Unspecified vulnerability in the root/boot archive tool in Sun OpenSol ...) NOT-FOR-US: root/boot archive tool in Sun OpenSolaris CVE-2009-0135 (Multiple integer overflows in the Audible::Tag::readTag function in me ...) {DSA-1706-1} - amarok 1.4.10-2 (medium) CVE-2009-0136 (Multiple array index errors in the Audible::Tag::readTag function in m ...) {DSA-1706-1} - amarok 1.4.10-2 (medium) CVE-2009-0133 (Buffer overflow in Microsoft HTML Help Workshop 4.74 and earlier allow ...) NOT-FOR-US: Microsoft HTML Help Workshop CVE-2009-0132 (Integer overflow in the aio_suspend function in Sun Solaris 8 through ...) NOT-FOR-US: Solaris CVE-2009-0131 (The UFS implementation in the kernel in Sun OpenSolaris snv_29 through ...) NOT-FOR-US: UFS in OpenSolaris CVE-2009-0130 (** DISPUTED ** lib/crypto/c_src/crypto_drv.c in erlang does not proper ...) - erlang (unimportant; bug #511520) NOTE: the return value is passed to the caller (lib/crypto/src/crypto.erl) which NOTE: only return success in case of DSA_do_verify returning 1 and failure otherwise NOTE: this is likely to be rejected CVE-2009-0129 (libcrypt-openssl-dsa-perl does not properly check the return value fro ...) - libcrypt-openssl-dsa-perl 0.13-4 (bug #511519) CVE-2009-0128 (plugins/crypto/openssl/crypto_openssl.c in Simple Linux Utility for Re ...) {DTSA-185-1} - slurm-llnl 1.3.13-1 (bug #511511) CVE-2009-0127 (** DISPUTED ** M2Crypto does not properly check the return value from ...) - m2crypto (bug #511515; unimportant) NOTE: m2crypto provides a direct mapping of the OpenSSL functions, no incorrect NOTE: call sites are known, if such are found they should be fixed in the respective NOTE: applications CVE-2009-0126 (The decrypt_public function in lib/crypt.cpp in the client in Berkeley ...) {DSA-1718-1} - boinc 6.2.14-3 (bug #511521) CVE-2009-0125 - libnasl (unimportant; bug #511517) CVE-2009-0124 (The tqsl_verifyDataBlock function in openssl_cert.cpp in American Radi ...) - tqsllib 2.0-8 (low; bug #511509) [etch] - tqsllib (Minor issue) CVE-2009-0123 (Unspecified vulnerability in Apple Safari on Mac OS X 10.5 and Windows ...) NOT-FOR-US: Apple Safari CVE-2009-0122 (hplip.postinst in HP Linux Imaging and Printing (HPLIP) 2.7.7 and 2.8. ...) - hplip (only a bug in ubuntus postinst script, we use our own postinst which is not vulnerable) CVE-2008-5907 (The png_check_keyword function in pngwutil.c in libpng before 1.0.42, ...) {DSA-1750-1} - libpng 1.2.35-1 (bug #512665) NOTE: Only an issues when using libpng to create out-of-spec images CVE-2008-5906 (Eval injection vulnerability in the web interface plugin in KTorrent b ...) - ktorrent2.2 2.2.8.dfsg.1-1 (bug #504178) - ktorrent 3.1.4+dfsg.1-1 [etch] - ktorrent (Doesn't include the web interface) CVE-2008-5905 (The web interface plugin in KTorrent before 3.1.4 allows remote attack ...) - ktorrent2.2 2.2.8.dfsg.1-1 (bug #504178) - ktorrent 3.1.4+dfsg.1-1 [etch] - ktorrent (Doesn't include the web interface) CVE-2009-XXXX [unspecified multiple Drupal vulnerabilies, likely some overlap with the next temp entry] - drupal6 6.6-3 CVE-2009-XXXX [unspecified Drupal SQL injection] - drupal5 5.15-1 CVE-2009-0121 (SQL injection vulnerability in frontpage.php in Goople CMS 1.8.2 allow ...) NOT-FOR-US: Goople CMS CVE-2009-0120 (The IBM WebSphere DataPower XML Security Gateway XS40 with firmware 3. ...) NOT-FOR-US: Web Sphere CVE-2009-0119 (Buffer overflow in Microsoft Windows XP SP3 allows remote attackers to ...) NOT-FOR-US: Windows CVE-2009-0118 RESERVED CVE-2003-1567 (The undocumented TRACK method in Microsoft Internet Information Servic ...) NOT-FOR-US: IIS CVE-2003-1566 (Microsoft Internet Information Services (IIS) 5.0 does not log request ...) NOT-FOR-US: IIS CVE-1999-1593 (Windows Internet Naming Service (WINS) allows remote attackers to caus ...) NOT-FOR-US: Windows CVE-2009-0117 RESERVED CVE-2009-0116 RESERVED CVE-2009-0115 (The Device Mapper multipathing driver (aka multipath-tools or device-m ...) {DSA-1767-1} - multipath-tools 0.4.8-15 (low; bug #522813) CVE-2008-5901 (iyzi Forum 1.0 beta 3 stores sensitive information under the web root ...) NOT-FOR-US: iyzi Forum CVE-2008-5900 (CodeAvalanche Articles stores sensitive information under the web root ...) NOT-FOR-US: CodeAvalanche Articles CVE-2008-5899 (CodeAvalanche FreeForAll stores sensitive information under the web ro ...) NOT-FOR-US: CodeAvalanche FreeForAll CVE-2008-5898 (CodeAvalanche Directory stores sensitive information under the web roo ...) NOT-FOR-US: CodeAvalanche Directory CVE-2008-5897 (CodeAvalanche FreeWallpaper stores sensitive information under the web ...) NOT-FOR-US: CodeAvalanche FreeWallpaper CVE-2008-5896 (CodeAvalanche RateMySite stores sensitive information under the web ro ...) NOT-FOR-US: CodeAvalanche RateMySite CVE-2008-5895 (SQL injection vulnerability in connection.php in Mediatheka 4.2 and ea ...) NOT-FOR-US: Mediatheka CVE-2008-5894 (Directory traversal vulnerability in index.php in Mediatheka 4.2 allow ...) NOT-FOR-US: Mediatheka CVE-2008-5893 (Cross-site scripting (XSS) vulnerability in admin_dblayers.asp in Clic ...) NOT-FOR-US: ClickAndEmail CVE-2008-5892 (Multiple SQL injection vulnerabilities in ClickAndEmail allow remote a ...) NOT-FOR-US: ClickAndEmail CVE-2008-5891 (Cross-site scripting (XSS) vulnerability in the profile editing functi ...) NOT-FOR-US: Injader CVE-2008-5890 (SQL injection vulnerability in feeds.php in Injader before 2.1.2 allow ...) NOT-FOR-US: Injader CVE-2008-5889 (Cross-site scripting (XSS) vulnerability in user.asp in Click&Rank ...) NOT-FOR-US: Click&Rank CVE-2008-5888 (Multiple SQL injection vulnerabilities in Click&Rank allow remote ...) NOT-FOR-US: Click&Rank CVE-2008-5887 (phplist before 2.10.8 allows remote attackers to include files via unk ...) - phplist (bug #612288) CVE-2008-5886 (TAKempis Discussion Web 4.0 stores sensitive information under the web ...) NOT-FOR-US: TAKempis Discussion Web CVE-2008-5885 (The Net Guys ASPired2Quote stores sensitive information under the web ...) NOT-FOR-US: Net Guys ASPired2Quote CVE-2008-5884 (AyeView 2.20 allows user-assisted attackers to cause a denial of servi ...) NOT-FOR-US: AyeView CVE-2008-5883 (Absolute path traversal vulnerability in front-end/dir.php in mini-pub ...) NOT-FOR-US: mini-pub CVE-2008-5904 (The rdp_rdp_process_color_pointer_pdu function in rdp/rdp_rdp.c in xrd ...) - xrdp 0.4.0~dfsg-9 (bug #511641) CVE-2008-5903 (Array index error in the xrdp_bitmap_def_proc function in xrdp/funcs.c ...) - xrdp 0.4.0~dfsg-9 (bug #511641) CVE-2008-5902 (Buffer overflow in the xrdp_bitmap_invalidate function in xrdp/xrdp_bi ...) - xrdp 0.4.0~dfsg-9 (bug #511641) CVE-2008-6005 (Multiple buffer overflows in the CheckUniqueName function in W3C Amaya ...) - amaya (medium; bug #507587) NOTE: different vector than described in CVE-2008-5282, see 507587#15 CVE-2009-XXXX [openslp: insecure cert validation through openssl api misuse] - openslp-dfsg (Debian's openslp doesn't build with SSL support) CVE-2009-0114 (Unspecified vulnerability in the Settings Manager in Adobe Flash Playe ...) NOT-FOR-US: Flash CVE-2009-0113 (Directory traversal vulnerability in attachmentlibrary.php in the XSta ...) NOT-FOR-US: Joomla! component CVE-2009-0112 (Cross-site request forgery (CSRF) vulnerability in admin/agent_edit.as ...) NOT-FOR-US: PollPro CVE-2009-0111 (SQL injection vulnerability in frontpage.php in Goople CMS 1.8.2 and e ...) NOT-FOR-US: Goople CMS CVE-2009-0110 (SQL injection vulnerability in read.php in RiotPix 0.61 and earlier al ...) NOT-FOR-US: RiotPix CVE-2009-0109 (SQL injection vulnerability in index.php in RiotPix 0.61 and earlier a ...) NOT-FOR-US: RiotPix CVE-2009-0108 (PHPAuctions (aka PHPAuctionSystem) allows remote attackers to bypass a ...) NOT-FOR-US: PHPAuctions CVE-2009-0107 (Cross-site scripting (XSS) vulnerability in profile.php in PHPAuctions ...) NOT-FOR-US: PHPAuctions CVE-2009-0106 (SQL injection vulnerability in profile.php in PHPAuctions (aka PHPAuct ...) NOT-FOR-US: PHPAuctions CVE-2009-0105 (Cross-site scripting (XSS) vulnerability in index.php in EZpack 4.2b2 ...) NOT-FOR-US: EZpack CVE-2009-0104 (SQL injection vulnerability in index.php in EZpack 4.2b2 allows remote ...) NOT-FOR-US: EZpack CVE-2009-0103 (Multiple PHP remote file inclusion vulnerabilities in playSMS 0.9.3 al ...) NOT-FOR-US: playSMS CVE-2008-5882 (SQL injection vulnerability in login.asp in Citrix Application Gateway ...) NOT-FOR-US: Citrix CVE-2008-5881 (Multiple directory traversal vulnerabilities in playSMS 0.9.3 allow re ...) NOT-FOR-US: playSMS CVE-2009-0102 (Microsoft Project 2000 SR1 and 2002 SP1, and Office Project 2003 SP3, ...) NOT-FOR-US: Microsoft CVE-2009-0101 REJECTED CVE-2009-0100 (Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Exc ...) NOT-FOR-US: Microsoft Office Excel CVE-2009-0099 (The Electronic Messaging System Microsoft Data Base (EMSMDB32) provide ...) NOT-FOR-US: Microsoft CVE-2009-0098 (Microsoft Exchange 2000 Server SP3, Exchange Server 2003 SP2, and Exch ...) NOT-FOR-US: Microsoft CVE-2009-0097 (Microsoft Office Visio 2002 SP2 and 2003 SP3 does not properly validat ...) NOT-FOR-US: Microsoft CVE-2009-0096 (Microsoft Office Visio 2002 SP2, 2003 SP3, and 2007 SP1 does not prope ...) NOT-FOR-US: Microsoft CVE-2009-0095 (Microsoft Office Visio 2002 SP2, 2003 SP3, and 2007 SP1 does not prope ...) NOT-FOR-US: Microsoft CVE-2009-0094 (The WINS server in Microsoft Windows 2000 SP4 and Server 2003 SP1 and ...) NOT-FOR-US: Microsoft Windows CVE-2009-0093 (Windows DNS Server in Microsoft Windows 2000 SP4, Server 2003 SP1 and ...) NOT-FOR-US: Microsoft Windows CVE-2009-0092 REJECTED CVE-2009-0091 (Microsoft .NET Framework 2.0, 2.0 SP1, and 3.5 does not properly enfor ...) NOT-FOR-US: Microsoft .NET Framework CVE-2009-0090 (Microsoft .NET Framework 1.0 SP3, 1.1 SP1, and 2.0 SP1 does not proper ...) NOT-FOR-US: Microsoft .NET Framework CVE-2009-0089 (Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000 SP4, XP ...) NOT-FOR-US: Microsoft Windows CVE-2009-0088 (The WordPerfect 6.x Converter (WPFT632.CNV, 1998.1.27.0) in Microsoft ...) NOT-FOR-US: Microsoft Office CVE-2009-0087 (Unspecified vulnerability in the Word 6 text converter in WordPad in M ...) NOT-FOR-US: Microsoft Word CVE-2009-0086 (Integer underflow in Windows HTTP Services (aka WinHTTP) in Microsoft ...) NOT-FOR-US: Microsoft Windows CVE-2009-0085 (The Secure Channel (aka SChannel) authentication component in Microsof ...) NOT-FOR-US: Microsoft Windows CVE-2009-0084 (Use-after-free vulnerability in DirectShow in Microsoft DirectX 8.1 an ...) NOT-FOR-US: DirectX CVE-2009-0083 (The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2 ...) NOT-FOR-US: Microsoft Windows CVE-2009-0082 (The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 ...) NOT-FOR-US: Microsoft Windows CVE-2009-0081 (The graphics device interface (GDI) implementation in the kernel in Mi ...) NOT-FOR-US: Microsoft Windows CVE-2009-0080 (The ThreadPool class in Windows Vista Gold and SP1, and Server 2008, d ...) NOT-FOR-US: Windows Vista CVE-2009-0079 (The RPCSS service in Microsoft Windows XP SP2 and SP3 and Server 2003 ...) NOT-FOR-US: Microsoft Windows XP CVE-2009-0078 (The Windows Management Instrumentation (WMI) provider in Microsoft Win ...) NOT-FOR-US: Microsoft Windows XP CVE-2009-0077 (The firewall engine in Microsoft Forefront Threat Management Gateway, ...) NOT-FOR-US: Microsoft Forefront Threat Management Gateway CVE-2009-0076 (Microsoft Internet Explorer 7, when XHTML strict mode is used, allows ...) NOT-FOR-US: Microsoft CVE-2009-0075 (Microsoft Internet Explorer 7 does not properly handle errors during a ...) NOT-FOR-US: Microsoft CVE-2009-0074 REJECTED CVE-2009-0073 REJECTED CVE-2009-0072 (Microsoft Internet Explorer 6.0 through 8.0 beta2 allows remote attack ...) NOT-FOR-US: Internet Explorer CVE-2009-0071 (Mozilla Firefox 3.0.5 and earlier 3.0.x versions, when designMode is e ...) - iceweasel (unimportant) NOTE: Browser crashes not treated as security issues CVE-2009-0070 (Integer signedness error in Apple Safari allows remote attackers to re ...) NOT-FOR-US: Apple Safari CVE-2008-5880 (admin/auth.php in Gobbl CMS 1.0 allows remote attackers to bypass auth ...) NOT-FOR-US: Gobbl CMS CVE-2008-5879 (Cross-site scripting (XSS) vulnerability in index.php in Phpclanwebsit ...) NOT-FOR-US: Phpclanwebsite CVE-2008-5878 (Multiple directory traversal vulnerabilities in Phpclanwebsite (aka PC ...) NOT-FOR-US: Phpclanwebsite CVE-2008-5877 (Multiple SQL injection vulnerabilities in Phpclanwebsite (aka PCW) 1.2 ...) NOT-FOR-US: Phpclanwebsite CVE-2008-5876 (Buffer overflow in Irrlicht before 1.5 allows remote attackers to caus ...) - irrlicht (package was first introduced in version 1.5) CVE-2008-5875 (SQL injection vulnerability in the com_lowcosthotels component in the ...) NOT-FOR-US: Hotel Booking Reservation System for Joomla CVE-2008-5874 (Multiple SQL injection vulnerabilities in the Hotel Booking Reservatio ...) NOT-FOR-US: Hotel Booking Reservation System for Joomla CVE-2008-5873 (Yerba SACphp 6.3 and earlier allows remote attackers to bypass authent ...) NOT-FOR-US: Yerba CVE-2008-5872 (Multiple unspecified vulnerabilities in the UNIStim File Transfer Prot ...) NOT-FOR-US: Nortel Multimedia Communication Server CVE-2008-5871 (Nortel Multimedia Communication Server (MSC) 5100 3.0.13 does not veri ...) NOT-FOR-US: Nortel Multimedia Communication Server CVE-2008-5870 (FastStone Image Viewer 3.6 allows user-assisted attackers to cause a d ...) NOT-FOR-US: FastStone Image Viewer CVE-2008-5869 (Cross-site scripting (XSS) vulnerability in the Proxim Wireless Tsunam ...) NOT-FOR-US: Proxim Wireless Tsunami CVE-2008-5868 (Stack-based buffer overflow in IntelliTamper 2.07 and 2.08 allows user ...) NOT-FOR-US: IntelliTamper CVE-2009-0069 (Unspecified vulnerability in the nfs4rename_persistent_fh function in ...) NOT-FOR-US: Solaris CVE-2009-0068 (Interaction error in xdg-open allows remote attackers to execute arbit ...) - xdg-utils (xdg-open is not added to mailcap) CVE-2009-0067 RESERVED CVE-2009-0066 (Multiple unspecified vulnerabilities in Intel system software for Trus ...) NOT-FOR-US: Intel system software for TXT CVE-2009-0065 (Buffer overflow in net/sctp/sm_statefuns.c in the Stream Control Trans ...) {DSA-1794-1 DSA-1787-1 DSA-1749-1} - linux-2.6 2.6.29-1 - linux-2.6.24 CVE-2009-0064 (Multiple unspecified vulnerabilities in the Control Center in Symantec ...) NOT-FOR-US: Symantec Brightmail Gateway Appliance CVE-2009-0063 (Cross-site scripting (XSS) vulnerability in the Control Center in Syma ...) NOT-FOR-US: Symantec Brightmail Gateway Appliance CVE-2009-0062 (Unspecified vulnerability in the Cisco Wireless LAN Controller (WLC), ...) NOT-FOR-US: Cisco CVE-2009-0061 (Unspecified vulnerability in the Wireless LAN Controller (WLC) TSEC dr ...) NOT-FOR-US: Cisco CVE-2009-0060 RESERVED CVE-2009-0059 (The Cisco Wireless LAN Controller (WLC), Cisco Catalyst 6500 Wireless ...) NOT-FOR-US: Cisco CVE-2009-0058 (The Cisco Wireless LAN Controller (WLC), Cisco Catalyst 6500 Wireless ...) NOT-FOR-US: Cisco CVE-2009-0057 (The Certificate Authority Proxy Function (CAPF) service in Cisco Unifi ...) NOT-FOR-US: Cisco CVE-2009-0056 (Cross-site request forgery (CSRF) vulnerability in the administration ...) NOT-FOR-US: Cisco IronPort Encryption Appliance CVE-2009-0055 (Cross-site request forgery (CSRF) vulnerability in the administration ...) NOT-FOR-US: Cisco IronPort Encryption Appliance CVE-2009-0054 (PXE Encryption in Cisco IronPort Encryption Appliance 6.2.4 before 6.2 ...) NOT-FOR-US: Cisco IronPort Encryption Appliance CVE-2009-0053 (PXE Encryption in Cisco IronPort Encryption Appliance 6.2.4 before 6.2 ...) NOT-FOR-US: Cisco IronPort Encryption Appliance CVE-2009-0052 (The Atheros wireless driver, as used in Netgear WNDAP330 Wi-Fi access ...) NOT-FOR-US: Netgear WNDAP330 Access Point CVE-2009-0051 (ZXID 0.29 and earlier does not properly check the return value from th ...) NOT-FOR-US: ZXID CVE-2009-0050 (Lasso 2.2.1 and earlier does not properly check the return value from ...) {DSA-1700-1} - lasso 2.2.1-2 (bug #511262) CVE-2009-0049 (Belgian eID middleware (eidlib) 2.6.0 and earlier does not properly ch ...) {DSA-1946-1} - belpic 2.6.0-6 (bug #511261) CVE-2009-0048 (OpenEvidence 1.0.6 and earlier does not properly check the return valu ...) NOT-FOR-US: OpenEvidence CVE-2009-0047 (Gale 0.99 and earlier does not properly check the return value from th ...) NOT-FOR-US: Gale CVE-2009-0046 (Sun GridEngine 5.3 and earlier does not properly check the return valu ...) NOT-FOR-US: Sun GridEngine CVE-2009-0045 RESERVED CVE-2009-0044 RESERVED CVE-2009-0043 (The smmsnmpd service in CA Service Metric Analysis r11.0 through r11.1 ...) NOT-FOR-US: CA Service Metric Analysis r11.0 through r11.1 SP1 and Service CVE-2009-0042 (Multiple unspecified vulnerabilities in the Arclib library (arclib.dll ...) NOT-FOR-US: CA Anti-Virus CVE-2009-0041 (IAX2 in Asterisk Open Source 1.2.x before 1.2.31, 1.4.x before 1.4.23- ...) {DSA-1952-1} - asterisk 1:1.6.1.0~dfsg~rc3-1 (low; bug #513413) [lenny] - asterisk (Minor issue) [etch] - asterisk (Etch Packages no longer covered by security support) CVE-2008-5867 (Directory traversal vulnerability in Yerba SACphp 6.3 allows remote at ...) NOT-FOR-US: Yerba CVE-2008-5866 (The Proxim Wireless Tsunami MP.11 2411 with firmware 3.0.3 has public ...) NOT-FOR-US: Proxim Wireless Tsunami CVE-2008-5865 (SQL injection vulnerability in the com_hbssearch component 1.0 in the ...) NOT-FOR-US: Hotel Booking Reservation System for Joomla CVE-2008-5864 (SQL injection vulnerability in the Top Hotel (com_tophotelmodule) comp ...) NOT-FOR-US: Hotel Booking Reservation System for Joomla CVE-2008-5863 (SQL injection vulnerability in locator.php in the Userlocator module 3 ...) NOT-FOR-US: Module for Woltlab Burning Board CVE-2008-5862 (Directory traversal vulnerability in webcamXP 5.3.2.375 and 5.3.2.410 ...) NOT-FOR-US: webcamXP CVE-2008-5861 (Directory traversal vulnerability in source.php in FreeLyrics 1.0 allo ...) NOT-FOR-US: FreeLyrics CVE-2008-5860 (Directory traversal vulnerability in backend/template.php in Construct ...) NOT-FOR-US: Constructr CMS CVE-2008-5859 (SQL injection vulnerability in index.php in Constructr CMS 3.02.5 and ...) NOT-FOR-US: Constructr CMS CVE-2008-5858 (Multiple cross-site scripting (XSS) vulnerabilities in KnowledgeTree b ...) NOT-FOR-US: KnowledgeTree CVE-2008-5857 (The DropDocuments plugin in KnowledgeTree before 3.5.4a allows remote ...) NOT-FOR-US: KnowledgeTree CVE-2008-5856 (Directory traversal vulnerability in scripts/export.php in ClaSS befor ...) NOT-FOR-US: ClaSS CVE-2008-5855 (myPHPscripts Login Session 2.0 stores sensitive information under the ...) NOT-FOR-US: myPHPscripts Login Session CVE-2008-5854 (Multiple cross-site scripting (XSS) vulnerabilities in login.php in my ...) NOT-FOR-US: myPHPscripts Login Session CVE-2008-5853 (Chilek Content Management System (aka ChiCoMaS) 2.0.4 and earlier stor ...) NOT-FOR-US: ChoCoMaS CVE-2008-5852 (Emefa Guestbook 3.0 stores sensitive information under the web root wi ...) NOT-FOR-US: Emefa Guestbook CVE-2008-5851 (SQL injection vulnerability in index.php in My PHP Baseball Stats (MyP ...) NOT-FOR-US: My PHP Baseball Stats CVE-2008-5850 REJECTED CVE-2008-5849 (Check Point VPN-1 R55, R65, and other versions, when Port Address Tran ...) NOT-FOR-US: Check Point CVE-2008-5848 (The Advantech ADAM-6000 module has 00000000 as its default password, w ...) NOT-FOR-US: Advantech ADAM-6000 module CVE-2008-5847 (Constructr CMS 3.02.5 and earlier stores passwords in cleartext in a M ...) NOT-FOR-US: Constructr CMS CVE-2008-5846 (Six Apart Movable Type (MT) before 4.23 allows remote authenticated us ...) - movabletype-opensource 4.2.3-1 (low) CVE-2008-5845 (Multiple cross-site scripting (XSS) vulnerabilities in Six Apart Movab ...) - movabletype-opensource 4.2.3-1 (low) CVE-2008-5844 (PHP 5.2.7 contains an incorrect change to the FILTER_UNSAFE_RAW functi ...) - php5 (vulnerable code introduced in 5.2.7, we have 5.2.6 and 5.2.8 was released in the meantime) [etch] - php4 (vulnerable code introduced in php5 5.2.7) CVE-2008-5843 (Multiple untrusted search path vulnerabilities in pdfjam allow local u ...) - pdfjam (the debian package sets pdflatex and thus dirname can't result in returning .) NOTE: it is also not possible to include a crafted sed or pdflatex executable in the pdflatex call NOTE: as our version uses random names, see #510584 CVE-2008-5842 (Multiple cross-site scripting (XSS) vulnerabilities in Fujitsu-Siemens ...) NOT-FOR-US: Fujitsu-Siemens WebTransactions CVE-2004-2761 (The MD5 Message-Digest Algorithm is not collision resistant, which mak ...) NOT-FOR-US: General MD5 weakness, doesn't need to tracked package-wise CVE-2008-XXXX [auctex insecure temp file] - auctex 11.83-7.3 (low; bug #506961) [etch] - auctex (Minor issue) CVE-2008-5841 (Multiple SQL injection vulnerabilities in iGaming 1.5 and earlier allo ...) NOT-FOR-US: iGaming CVE-2008-5840 (PHP iCalendar 2.24 and earlier allows remote attackers to bypass authe ...) - phpicalendar (bug #513517) CVE-2008-5839 (Buffer overflow in Foxmail 6.5 allows remote attackers to execute arbi ...) NOT-FOR-US: Foxmail CVE-2008-5838 (SQL injection vulnerability in search_results.php in E-Php Scripts E-S ...) NOT-FOR-US: E-Php Scripts E-Shop Shopping Cart CVE-2008-5837 RESERVED CVE-2008-5836 RESERVED CVE-2008-5835 RESERVED CVE-2008-5834 RESERVED CVE-2008-5833 RESERVED CVE-2008-5832 RESERVED CVE-2008-5831 RESERVED CVE-2008-5830 RESERVED CVE-2008-5829 RESERVED CVE-2008-5828 (Microsoft Windows Live Messenger Client 8.5.1 and earlier, when MSN Pr ...) NOT-FOR-US: Microsoft CVE-2008-5827 (The Nokia 6131 Near Field Communication (NFC) phone with 05.12 firmwar ...) NOT-FOR-US: Nokia Firmware CVE-2008-5826 (The Nokia 6131 Near Field Communication (NFC) phone with 05.12 firmwar ...) NOT-FOR-US: Nokia Firmware CVE-2008-5825 (The SmartPoster implementation on the Nokia 6131 Near Field Communicat ...) NOT-FOR-US: Nokia Firmware CVE-2008-5823 (An ActiveX control in prtstb06.dll in Microsoft Money 2006, when used ...) NOT-FOR-US: Microsoft Money CVE-2008-5822 (Memory leak in Libxul, as used in Mozilla Firefox 3.0.5 and other prod ...) - xulrunner (unimportant) NOTE: Just a crash, no security impact CVE-2008-5821 (Memory leak in WebKit.dll in WebKit, as used by Apple Safari 3.2 on Wi ...) NOT-FOR-US: Webkit on Windows CVE-2008-5820 (SQL injection vulnerability in eDNews_view.php in eDreamers eDNews 2 a ...) NOT-FOR-US: eDreamers eDNews CVE-2008-5819 (Directory traversal vulnerability in eDNews_archive.php in eDreamers e ...) NOT-FOR-US: eDreamers eDNews CVE-2008-5818 (Directory traversal vulnerability in index.php in eDreamers eDContaine ...) NOT-FOR-US: eDreamers eDNews CVE-2008-5817 (Multiple SQL injection vulnerabilities in index.php in Web Scribble So ...) NOT-FOR-US: Web Scribble Solutions webClassifieds CVE-2008-5816 (SQL injection vulnerability in repository.php in ILIAS 3.7.4 and earli ...) NOT-FOR-US: ILIAS CVE-2008-5815 (SQL injection vulnerability in Acomment.php in phpAlumni allows remote ...) NOT-FOR-US: phpAlumni CVE-2008-5814 (Cross-site scripting (XSS) vulnerability in PHP, possibly 5.2.7 and ea ...) {DSA-1789-1} - php5 5.2.11.dfsg.1-1 (low; bug #523028) NOTE: I don't know in which version this was fixed specifically, but NOTE: I've checked that the patch is present in this version - php4 (low; bug #523028) CVE-2008-5813 (SQL injection vulnerability in inc/rubriques.php in SPIP 1.8 before 1. ...) - spip 2.0.6-1 CVE-2008-5812 (Multiple unspecified vulnerabilities in SPIP 1.8 before 1.8.3b, 1.9 be ...) - spip 2.0.6-1 CVE-2008-5811 (SQL injection vulnerability in the PaxGallery (com_paxgallery) compone ...) NOT-FOR-US: joomla CVE-2008-5810 (WBPublish (aka WBPublish.exe) in Fujitsu-Siemens WebTransactions 7.0, ...) NOT-FOR-US: Fujitsu-Siemens WebTransactions CVE-2008-5809 (futomi CGI Cafe Access Analyzer CGI Standard 4.0.1 and earlier and Acc ...) NOT-FOR-US: futomi CGI Cafe Access Analyzer CGI Standard CVE-2008-5808 (Cross-site scripting (XSS) vulnerability in Six Apart Movable Type Ent ...) NOT-FOR-US: Six Apart Movable Type Enterprise CVE-2006-7236 (The default configuration of xterm on Debian GNU/Linux sid and possibl ...) {DTSA-182-1} - xterm 238-1 (medium; bug #510030) [etch] - xterm (allowWindowOps disabled in configuration) NOTE: Somewhat mitigated by a filter for control characters in NOTE: post-etch versions. CVE-2008-5807 (Multiple cross-site scripting (XSS) vulnerabilities in TestLink before ...) NOT-FOR-US: TestLink CVE-2008-5806 (SQL injection vulnerability in login.php in DeltaScripts PHP Classifie ...) NOT-FOR-US: DeltaScripts PHP Classifieds CVE-2008-5805 (SQL injection vulnerability in detail.php in DeltaScripts PHP Classifi ...) NOT-FOR-US: DeltaScripts PHP Classifieds CVE-2008-5804 (SQL injection vulnerability in admin/admin_catalog.php in e-topbiz Num ...) NOT-FOR-US: e-topbiz Number Links 1 Php Script CVE-2008-5803 (SQL injection vulnerability in admin/login.php in E-topbiz Online Stor ...) NOT-FOR-US: E-topbiz CVE-2008-5802 (SQL injection vulnerability in index.php in E-topbiz Online Store 1.0 ...) NOT-FOR-US: E-topbiz CVE-2008-5801 (Unspecified vulnerability in the Dictionary (rtgdictionary) extension ...) NOT-FOR-US: Dictionary (rtgdictionary) extension for TYPO3 CVE-2008-5800 (SQL injection vulnerability in the Wir ber uns [sic] (fsmi_people) ext ...) NOT-FOR-US: fsmi_people extension for TYPO3 CVE-2008-5799 (Cross-site scripting (XSS) vulnerability in the Wir ber uns (fsmi_peop ...) NOT-FOR-US: fsmi_people extension for TYPO3 CVE-2008-5798 (SQL injection vulnerability in the CMS Poll system (cms_poll) extensio ...) NOT-FOR-US: CMS Poll system for TYPO3 CVE-2008-5797 (SQL injection vulnerability in the advCalendar extension 0.3.1 and ear ...) NOT-FOR-US: advCalendar extension for TYPO3 CVE-2008-5796 (SQL injection vulnerability in the eluna Page Comments (eluna_pagecomm ...) NOT-FOR-US: Page Comments extension for TYPO3 CVE-2008-5795 (Cross-site scripting (XSS) vulnerability in the eluna Page Comments (e ...) NOT-FOR-US: Page Comments extension for TYPO3 CVE-2008-5794 (Directory traversal vulnerability in system/admin/images.php in LoveCM ...) NOT-FOR-US: LoveCMS CVE-2008-5793 (Multiple PHP remote file inclusion vulnerabilities in the Clickheat - ...) NOT-FOR-US: Clickheat - Heatmap stats (com_clickheat) component 1.0.1 for Joomla! CVE-2008-5792 (PHP remote file inclusion vulnerability in show_joined.php in Indiscri ...) NOT-FOR-US: Indiscripts Enthusiast CVE-2008-5791 (Multiple unspecified vulnerabilities in PrestaShop e-Commerce Solution ...) NOT-FOR-US: PrestaShop e-Commerce Solution CVE-2008-5790 (Multiple PHP remote file inclusion vulnerabilities in the Recly!Compet ...) NOT-FOR-US: Recly!Competitions (com_competitions) component 1.0 for Joomla! CVE-2008-5789 (Multiple PHP remote file inclusion vulnerabilities in the Recly Intera ...) NOT-FOR-US: Recly Interactive Feederator (com_feederator) component 1.0.5 for Joomla! CVE-2008-5788 (SQL injection vulnerability in index.php in Domain Seller Pro 1.5 allo ...) NOT-FOR-US: Domain Seller CVE-2008-5787 (Directory traversal vulnerability in mod.php in Arab Portal 2.1 on Win ...) NOT-FOR-US: Arab Portal CVE-2008-5786 (Cross-site scripting (XSS) vulnerability in the Silva Find extension 1 ...) NOT-FOR-US: Silva Find CVE-2008-5785 (SQL injection vulnerability in V3 Chat - Profiles/Dating Script 3.0.2 ...) NOT-FOR-US: V3 Chat - Profiles/Dating Script CVE-2008-5784 (V3 Chat - Profiles/Dating Script 3.0.2 allows remote attackers to bypa ...) NOT-FOR-US: V3 Chat - Profiles/Dating Script CVE-2008-5783 (admin/index.php in V3 Chat Live Support 3.0.4 allows remote attackers ...) NOT-FOR-US: V3 Chat CVE-2008-5782 (SQL injection vulnerability in bannerclick.php in ZeeMatri 3.0 allows ...) NOT-FOR-US: ZeeMatri CVE-2008-5781 (SQL injection vulnerability in right.php in Cant Find A Gaming CMS (CF ...) NOT-FOR-US: Cant Find A Gaming CMS (CFAGCMS) CVE-2008-5780 (Forest Blog 1.3.2 stores sensitive information under the web root with ...) NOT-FOR-US: Forest Blog CVE-2008-5779 (SQL injection vulnerability in lpro.php in Free Links Directory Script ...) NOT-FOR-US: Free Links Directory Script CVE-2008-5778 (SQL injection vulnerability in report.php in Free Links Directory Scri ...) NOT-FOR-US: Free Links Directory Script CVE-2008-5777 (SQL injection vulnerability in index.php in CadeNix allows remote atta ...) NOT-FOR-US: CadeNix CVE-2008-5776 (Multiple directory traversal vulnerabilities in Aperto Blog 0.1.1 allo ...) NOT-FOR-US: Aperto Blog CVE-2008-5775 (SQL injection vulnerability in categories.php in Aperto Blog 0.1.1 all ...) NOT-FOR-US: Aperto Blog CVE-2008-5774 (Multiple SQL injection vulnerabilities in ASPSiteWare HomeBuilder 1.0 ...) NOT-FOR-US: ASPSiteWare HomeBuilder CVE-2008-5773 (Nukedit 4.9.8 stores sensitive information under the web root with ins ...) NOT-FOR-US: Nukedit CVE-2008-5772 (Multiple SQL injection vulnerabilities in ASPSiteWare RealtyListings 1 ...) NOT-FOR-US: ASPSiteWare RealtyListings CVE-2008-5771 (Directory traversal vulnerability in test.php in PHP Weather 2.2.2 all ...) NOT-FOR-US: PHP Weather CVE-2008-5770 (Cross-site scripting (XSS) vulnerability in config/make_config.php in ...) NOT-FOR-US: PHP Weather CVE-2008-5769 (Multiple cross-site scripting (XSS) vulnerabilities in Kerio MailServe ...) NOT-FOR-US: Kerio MailServer CVE-2008-5768 (SQL injection vulnerability in print.php in the AM Events (aka Amevent ...) NOT-FOR-US: AM Events CVE-2008-5767 (SQL injection vulnerability in authors.asp in gNews Publisher allows r ...) NOT-FOR-US: gNews Publisher CVE-2008-5766 (SQL injection vulnerability in download.php in Farsi Script Faupload a ...) NOT-FOR-US: Farsi Script Faupload CVE-2008-5765 (WorkSimple 1.2.1 stores sensitive information under the web root with ...) NOT-FOR-US: WorkSimple CVE-2008-5764 (PHP remote file inclusion vulnerability in calendar.php in WorkSimple ...) NOT-FOR-US: WorkSimple CVE-2008-5763 (PHP remote file inclusion vulnerability in slogin_lib.inc.php in Simpl ...) NOT-FOR-US: Simple Text-File Login Script (SiTeFiLo) CVE-2008-5762 (Simple Text-File Login Script (SiTeFiLo) 1.0.6 stores sensitive inform ...) NOT-FOR-US: Simple Text-File Login Script (SiTeFiLo) CVE-2008-5761 (Multiple cross-site scripting (XSS) vulnerabilities in FlatnuX CMS (ak ...) NOT-FOR-US: FlatnuX CMS CVE-2008-5760 (Cross-site scripting (XSS) vulnerability in error413.php in Kerio Mail ...) NOT-FOR-US: Kerio MailServer CVE-2008-5759 (Cross-site scripting (XSS) vulnerability in FlatnuX CMS (aka Flatnuke3 ...) NOT-FOR-US: FlatnuX CMS CVE-2008-5758 (Cross-site request forgery (CSRF) vulnerability in PHParanoid before 0 ...) NOT-FOR-US: PHParanoid CVE-2008-5757 (Cross-site scripting (XSS) vulnerability in textarea/index.php in Text ...) - textpattern 4.0.6-1 CVE-2008-5756 (Buffer overflow in BreakPoint Software Hex Workshop 5.1.4 allows user- ...) NOT-FOR-US: BreakPoint Software Hex Workshop CVE-2008-5755 (Stack-based buffer overflow in IntelliTamper 2.07 and 2.08 allows remo ...) NOT-FOR-US: IntelliTamper CVE-2008-5754 (Stack-based buffer overflow in BulletProof FTP Client allows user-assi ...) NOT-FOR-US: BulletProof FTP Client CVE-2008-5753 (Stack-based buffer overflow in BulletProof FTP Client 2.63 and 2010 al ...) NOT-FOR-US: BulletProof FTP Client CVE-2008-5752 (Directory traversal vulnerability in getConfig.php in the Page Flip Im ...) NOT-FOR-US: Page Flip Image Gallery plugin for WordPress CVE-2008-5751 (SQL injection vulnerability in index.php in AlstraSoft Web Email Scrip ...) NOT-FOR-US: AlstraSoft Web Email Script Enterprise CVE-2008-5750 (Argument injection vulnerability in Microsoft Internet Explorer 8 beta ...) NOT-FOR-US: Microsoft CVE-2008-5749 NOT-FOR-US: Unclear, historic Chrome issue CVE-2008-5748 (Directory traversal vulnerability in plugins/spaw2/dialogs/dialog.php ...) NOT-FOR-US: BloofoxCMS CVE-2008-5747 (F-Prot 4.6.8 for GNU/Linux allows remote attackers to bypass anti-viru ...) NOT-FOR-US: F-Prot CVE-2008-5746 (Sun SNMP Management Agent (SUNWmasf) 1.4u2 through 1.5.4 allows local ...) NOT-FOR-US: Sun SNMP Management Agent CVE-2008-5745 (Integer overflow in quartz.dll in the DirectShow framework in Microsof ...) NOT-FOR-US: Microsoft CVE-2008-5824 (Heap-based buffer overflow in msadpcm.c in libaudiofile in audiofile 0 ...) {DSA-1972-1} - audiofile 0.2.6-7.1 (medium; bug #510205) CVE-2008-5744 (Array index error in the dahdi/tor2.c driver in Zaptel (aka DAHDI) 1.4 ...) {DSA-1699-1} - zaptel 1:1.4.11~dfsg-3 (bug #510583) CVE-2008-5743 (pdfjam creates the (1) pdf90, (2) pdfjoin, and (3) pdfnup files with a ...) - pdfjam 1.10-1 (low; bug #510584) CVE-2008-5742 (Multiple open redirect vulnerabilities in AIST NetCat 3.12 and earlier ...) NOT-FOR-US: AIST NetCat CVE-2008-5741 RESERVED CVE-2008-5740 RESERVED CVE-2008-5739 (SQL injection vulnerability in evb/check_url.php in Pligg CMS 9.9.5 Be ...) NOT-FOR-US: Pligg CMS CVE-2008-5738 (Nodstrum MySQL Calendar 1.1 and 1.2 allows remote attackers to bypass ...) NOT-FOR-US: Nodstrum MySQL Calendar CVE-2008-5737 (SQL injection vulnerability in index.php in Nodstrum MySQL Calendar 1. ...) NOT-FOR-US: Nodstrum MySQL Calendar CVE-2008-5736 (Multiple unspecified vulnerabilities in FreeBSD 6 before 6.4-STABLE, 6 ...) - kfreebsd-6 [lenny] - kfreebsd-6 (KFreebsd not supported) - kfreebsd-7 7.1-1 [lenny] - kfreebsd-7 (KFreebsd not supported) CVE-2008-5735 (Stack-based buffer overflow in skin.c in CoolPlayer 2.17 through 2.19 ...) NOT-FOR-US: CoolPlayer CVE-2008-5734 (Cross-site scripting (XSS) vulnerability in WebMail Pro in IceWarp Sof ...) NOT-FOR-US: IceWarp Software Merak Mail Server CVE-2008-5733 (SQL injection vulnerability in blog.php in the Team Impact TI Blog Sys ...) NOT-FOR-US: Team Impact TI Blog System mod for PHP-Fusion CVE-2008-5732 (Unrestricted file upload vulnerability in lib/image_upload.php in Kafo ...) NOT-FOR-US: KafooeyBlog CVE-2008-5731 (The PGPwded device driver (aka PGPwded.sys) in PGP Corporation PGP Des ...) NOT-FOR-US: PGP Desktop CVE-2008-5730 (Multiple CRLF injection vulnerabilities in AIST NetCat 3.12 and earlie ...) NOT-FOR-US: AIST NetCat CVE-2008-5729 (Multiple cross-site scripting (XSS) vulnerabilities in AIST NetCat 3.1 ...) NOT-FOR-US: AIST NetCat CVE-2008-5728 (Multiple directory traversal vulnerabilities in AIST NetCat 3.12 and e ...) NOT-FOR-US: AIST NetCat CVE-2008-5727 (SQL injection vulnerability in modules/auth/password_recovery.php in A ...) NOT-FOR-US: AIST NetCat CVE-2008-5726 (SQL injection vulnerability in thread.php in stormBoards 1.0.1 allows ...) NOT-FOR-US: stormBoards CVE-2008-5725 (The NT kernel-mode driver (aka pstrip.sys) 5.0.1.1 and earlier in EnTe ...) NOT-FOR-US: EnTech Taiwan PowerStrip CVE-2008-5724 (The Personal Firewall driver (aka epfw.sys) 3.0.672.0 and earlier in E ...) NOT-FOR-US: ESET Smart Security CVE-2008-5723 (Directory traversal vulnerability in CGI RESCUE KanniBBS2000 (aka Kann ...) NOT-FOR-US: CGI RESCUE KanniBBS2000 CVE-2008-5722 (Buffer overflow in SAWStudio 3.9i allows user-assisted remote attacker ...) NOT-FOR-US: SAWStudio CVE-2008-5721 (SapporoWorks BlackJumboDog (BJD) before 4.2.3 allows remote attackers ...) NOT-FOR-US: BlackJumboDog CVE-2008-5720 (Cross-site scripting (XSS) vulnerability in Mayaa before 1.1.23 allows ...) NOT-FOR-US: Mayaa CVE-2008-5719 (Cross-site scripting (XSS) vulnerability in Hitachi Groupmax Web Workf ...) NOT-FOR-US: Hitachi CVE-2008-5718 (The papd daemon in Netatalk before 2.0.4-beta2, when using certain var ...) {DSA-1705-1 DTSA-183-1} - netatalk 2.0.4~beta2-1 (medium; bug #510585) CVE-2008-5717 (Cross-site scripting (XSS) vulnerability in Hitachi JP1/Integrated Man ...) NOT-FOR-US: Hitachi CVE-2008-5716 (xend in Xen 3.3.0 does not properly restrict a guest VM's write access ...) - xen-3 (Vulnerable code never entered Debian) - xen-unstable (Vulnerable code never entered Debian) NOTE: this issue was introduced as a fix to CVE-2008-4405, which has not NOTE: yet been fixed in Debian CVE-2008-5715 (Mozilla Firefox 3.0.5 on Windows Vista allows remote attackers to caus ...) - iceweasel (unimportant) NOTE: Browser crashes not treated as security issues CVE-2008-5714 (Off-by-one error in monitor.c in Qemu 0.9.1 might make it easier for r ...) {DSA-1907-1 DTSA-203-1} - qemu 0.9.1-10 (low; bug #509882) [etch] - qemu (Vulnerable code not present) - kvm 82-1 (low; bug #509997) [lenny] - kvm (Minor issue) CVE-2008-5713 (The __qdisc_run function in net/sched/sch_generic.c in the Linux kerne ...) {DSA-1794-1} - linux-2.6 2.6.25-1 - linux-2.6.24 CVE-2008-5712 (The HTML parser in KDE Konqueror 3.5.9 allows remote attackers to caus ...) - kdebase (unimportant) NOTE: Browser crashes not treated as security issues CVE-2008-5711 (Heap-based buffer overflow in the Facebook PhotoUploader ActiveX contr ...) NOT-FOR-US: Facebook PhotoUploader ActiveX CVE-2008-5710 (Multiple unspecified vulnerabilities in the web management interface i ...) NOT-FOR-US: Avaya Communication Manager CVE-2008-5709 (Multiple unspecified vulnerabilities in the web management interface i ...) NOT-FOR-US: Avaya Communication Manager CVE-2008-5708 (redirect.php in SlimCMS 1.0.0 does not require authentication, which a ...) NOT-FOR-US: SlimCMS CVE-2008-5707 (SQL injection vulnerability in urunler.asp in Iltaweb Alisveris Sistem ...) NOT-FOR-US: Iltaweb Alisveris Sistemi CVE-2008-5704 (src/unit_test.c in gpsdrive (aka gpsdrive-scripts) 2.10~pre4 might all ...) - gpsdrive 2.10~pre4-6.dfsg-2 (low; bug #508597) [etch] - gpsdrive (Minor issue) [lenny] - gpsdrive 2.10~pre4-6.dfsg-1+lenny1 CVE-2008-5703 (gpsdrive (aka gpsdrive-scripts) 2.10~pre4 allows local users to overwr ...) - gpsdrive 2.10~pre4-6.dfsg-2 (low; bug #508597) [etch] - gpsdrive (Minor issue) [lenny] - gpsdrive 2.10~pre4-6.dfsg-1+lenny1 CVE-2008-5702 (Buffer underflow in the ibwdt_ioctl function in drivers/watchdog/ib700 ...) {DSA-1794-1 DSA-1787-1} - linux-2.6 2.6.26-13 - linux-2.6.24 CVE-2008-5701 (Array index error in arch/mips/kernel/scall64-o32.S in the Linux kerne ...) {DSA-1794-1 DSA-1787-1} - linux-2.6 2.6.26-13 - linux-2.6.24 CVE-2008-5700 (libata in the Linux kernel before 2.6.27.9 does not set minimum timeou ...) {DSA-1787-1} - linux-2.6 2.6.26-13 [etch] - linux-2.6 (Vulnerable code not present, was introduced later) - linux-2.6.24 CVE-2008-5699 (The name service cache daemon (nscd) in Sun Solaris 10 and OpenSolaris ...) NOT-FOR-US: Solaris CVE-2008-5698 (HTMLTokenizer::scriptHandler in Konqueror in KDE 3.5.9 and 3.5.10 allo ...) - kdebase (unimportant) NOTE: browser crashes not treated as security issues CVE-2008-5697 (The skype_tool.copy_num method in the Skype extension BETA 2.2.0.95 fo ...) NOT-FOR-US: Skype extension CVE-2008-5696 (Novell NetWare 6.5 before Support Pack 8, when an OES2 Linux server is ...) NOT-FOR-US: Novell NetWare CVE-2008-5695 (wp-admin/options.php in WordPress MU before 1.3.2, and WordPress 2.3.2 ...) - wordpress 2.3.2 (low; bug #510786; bug #513959) [etch] - wordpress (Minor issue) NOTE: only the admin has manage_options capabilities by default and only editors NOTE: have upload_files capabilities NOTE: Only versions prior to 2.3.2 are affected according to the Debian maintainer CVE-2008-5694 (PHP remote file inclusion vulnerability in lib/jpgraph/jpgraph_errhand ...) NOT-FOR-US: Sandbox CVE-2008-5693 (Ipswitch WS_FTP Server Manager 6.1.0.0 and earlier, and possibly other ...) NOT-FOR-US: Ipswitch WS_FTP Server Manager CVE-2008-5692 (Ipswitch WS_FTP Server Manager before 6.1.1, and possibly other Ipswit ...) NOT-FOR-US: Ipswitch WS_FTP Server Manager CVE-2008-5691 (Heap-based buffer overflow in the Phoenician Casino FlashAX ActiveX co ...) NOT-FOR-US: Phoenician Casino FlashAX ActiveX CVE-2008-5690 (The Kerberos credential renewal feature in Sun Solaris 8, 9, and 10, a ...) NOT-FOR-US: Solaris CVE-2008-5689 (tun in IP Tunnel in Solaris 10 and OpenSolaris snv_01 through snv_76 a ...) NOT-FOR-US: Solaris CVE-2008-5688 (MediaWiki 1.8.1, and other versions before 1.13.3, when the wgShowExce ...) - mediawiki 1:1.13.3-1 (unimportant) - mediawiki1.7 (unimportant) NOTE: Installation path disclosure not treated as a security issue CVE-2008-5687 (MediaWiki 1.11, and other versions before 1.13.3, does not properly pr ...) {DTSA-186-1} - mediawiki 1:1.13.3-1 (low) - mediawiki1.7 [etch] - mediawiki1.7 (The backup feature was introduced in 1.11) [etch] - mediawiki (metapackage) CVE-2008-5686 (IBM Tivoli Provisioning Manager (TPM) before 5.1.1.1 IF0006, when its ...) NOT-FOR-US: IBM Tivoli Provisioning Manager CVE-2008-5685 (Sun ScApp firmware 5.18.x, 5.19.x, and 5.20.0 through 5.20.10 on Sun F ...) NOT-FOR-US: Sun ScApp firmware CVE-2008-5684 (Unspecified vulnerability in the X Inter Client Exchange library (aka ...) NOT-FOR-US: Solaris CVE-2008-5683 (Unspecified vulnerability in Opera before 9.63 allows remote attackers ...) NOT-FOR-US: Opera CVE-2008-5682 (Cross-site scripting (XSS) vulnerability in Opera before 9.63 allows r ...) NOT-FOR-US: Opera CVE-2008-5681 (Opera before 9.63 does not block unspecified "scripted URLs" during th ...) NOT-FOR-US: Opera CVE-2008-5680 (Multiple buffer overflows in Opera before 9.63 might allow (1) remote ...) NOT-FOR-US: Opera CVE-2008-5679 (The HTML parsing engine in Opera before 9.63 allows remote attackers t ...) NOT-FOR-US: Opera CVE-2008-5678 (Fretwell-Downing Informatics (FDI) OLIB7 WebView 2.5.1.1 allows remote ...) NOT-FOR-US: OLIB7 WebView CVE-2008-5677 (Unrestricted file upload vulnerability in Kwalbum 2.0.4, 2.0.2, and ea ...) NOT-FOR-US: Kwalbum CVE-2008-5676 (Multiple unspecified vulnerabilities in the ModSecurity (aka mod_secur ...) - libapache-mod-security 2.5.6-1 CVE-2008-5675 (Unspecified vulnerability in IBM WebSphere Portal 6.0 before 6.0.1.5 h ...) NOT-FOR-US: IBM WebSphere Portal CVE-2008-5674 (Multiple array index errors in the HTTP server in Darkwet Network webc ...) NOT-FOR-US: Darkwet Network webcamXP CVE-2008-5673 (PHParanoid before 0.4 does not properly restrict access to the members ...) NOT-FOR-US: PHParanoid CVE-2008-5672 (Multiple cross-site request forgery (CSRF) vulnerabilities in PHParano ...) NOT-FOR-US: PHParanoid CVE-2008-5671 (PHP remote file inclusion vulnerability in index.php in Joomla! 1.0.11 ...) NOT-FOR-US: Joomla! CVE-2008-5670 (Textpattern (aka Txp CMS) 4.0.5 does not ask for the old password duri ...) - textpattern 4.0.6-1 (low) CVE-2008-5669 (index.php in the comments preview section in Textpattern (aka Txp CMS) ...) - textpattern 4.0.6-1 (low) CVE-2008-5668 (Multiple cross-site scripting (XSS) vulnerabilities in Textpattern (ak ...) - textpattern 4.0.6-1 (low) CVE-2008-5667 (The scanning engine in VirusBlokAda VBA32 Personal Antivirus 3.12.8.x ...) NOT-FOR-US: VBA32 Personal Antivirus CVE-2008-5666 (WinFTP FTP Server 2.3.0, when passive (aka PASV) mode is used, allows ...) NOT-FOR-US: WinFTP CVE-2008-5665 (SQL injection vulnerability in index.php in the xhresim module in XOOP ...) NOT-FOR-US: XOOPS CVE-2008-5664 (Stack-based buffer overflow in Realtek Media Player (aka Realtek Sound ...) NOT-FOR-US: Realtek Media Player CVE-2008-5663 (Multiple unrestricted file upload vulnerabilities in Kusaba 1.0.4 and ...) NOT-FOR-US: Kusaba CVE-2008-5662 (Multiple buffer overflows in Sun Java Wireless Toolkit (WTK) for CLDC ...) NOT-FOR-US: Sun Java Wireless Toolkit CVE-2008-5661 (The IPv4 Forwarding feature in Sun Solaris 10 and OpenSolaris snv_47 t ...) NOT-FOR-US: Sun Solaris CVE-2008-5659 (The gnu.java.security.util.PRNG class in GNU Classpath 0.97.2 and earl ...) - classpath 2:0.98-1 (bug #512532; low) [lenny] - classpath (Minor issue) - libgnucrypto-java (low; bug #559789) [lenny] - libgnucrypto-java (Minor issue) CVE-2008-5657 (CRLF injection vulnerability in Quassel Core before 0.3.0.3 allows rem ...) - quassel 0.2~rc1-1.1 (bug #506550) CVE-2008-5656 (Cross-site scripting (XSS) vulnerability in the frontend plugin for th ...) - typo3-src 4.2.3-1 (bug #505325) [etch] - typo3-src (TYPO3 versions below 4.2.x are not affected) CVE-2008-5655 (Multiple SQL injection vulnerabilities in MyioSoft EasyBookMarker 4.0 ...) NOT-FOR-US: MyioSoft EasyBookMarker CVE-2008-5654 (SQL injection vulnerability in the loginADP function in ajaxp.php in M ...) NOT-FOR-US: MyioSoft EasyBookMarker CVE-2008-5653 (SQL injection vulnerability in the loginADP function in ajaxp.php in M ...) NOT-FOR-US: MyioSoft EasyBookMarker CVE-2008-5652 (SQL injection vulnerability in the loginADP function in ajaxp.php in M ...) NOT-FOR-US: MyioSoft EasyBookMarker CVE-2008-5651 (SQL injection vulnerability in plugins/bookmarker/bookmarker_backend.p ...) NOT-FOR-US: MyioSoft EasyBookMarker CVE-2008-5650 (SQL injection vulnerability in the login directory in AlstraSoft Web H ...) NOT-FOR-US: AlstraSoft Web Host Directory CVE-2008-5649 (SQL injection vulnerability in admin/admin.php in AlstraSoft Article M ...) NOT-FOR-US: AlstraSoft Web Host Directory CVE-2008-5648 (SQL injection vulnerability in admin/login.php in DeltaScripts PHP Sho ...) NOT-FOR-US: DeltaScripts PHP Shop CVE-2008-5647 (Unspecified vulnerability in the HTML sanitizer filter in Trac before ...) - trac 0.11.1-2.1 (low; bug #509342; bug #505197) [etch] - trac (Minor issue) CVE-2008-5646 (Unspecified vulnerability in Trac before 0.11.2 allows attackers to ca ...) - trac 0.11.1-2.1 (low; bug #509342; bug #505197) [etch] - trac (Minor issue) CVE-2008-5645 (Directory traversal vulnerability in the media server in Orb Networks ...) NOT-FOR-US: Orb Networks Orb CVE-2008-5644 (Cross-site scripting (XSS) vulnerability in the file backend module in ...) - typo3-src 4.2.3-1 (bug #505324) [etch] - typo3-src (Only TYPO3 4.2.2 is affected) CVE-2008-5643 (SQL injection vulnerability in the Books (com_books) component for Joo ...) NOT-FOR-US: Joomla! CVE-2008-5642 (Directory traversal vulnerability in admin/login.php in CMS Made Simpl ...) NOT-FOR-US: CMS Made Simple CVE-2008-5641 (SQL injection vulnerability in account.asp in Active Photo Gallery 6.2 ...) NOT-FOR-US: Active Photo Gallery CVE-2008-5640 (SQL injection vulnerability in bidhistory.asp in Active Bids 3.5 allow ...) NOT-FOR-US: Active Bids CVE-2008-5639 (Directory traversal vulnerability in index.php in TxtBlog 1.0 Alpha al ...) NOT-FOR-US: TxtBlog CVE-2008-5638 (Multiple SQL injection vulnerabilities in Active Price Comparison 4 al ...) NOT-FOR-US: Active Price Comparison CVE-2008-5637 (SQL injection vulnerability in blog.asp in ParsBlogger (Pb) allows rem ...) NOT-FOR-US: ParsBlogger CVE-2008-5636 (SQL injection vulnerability in cate.php in Lito Lite CMS, when magic_q ...) NOT-FOR-US: Lito Lite CMS CVE-2008-5635 (SQL injection vulnerability in account.asp in Active Membership 2.0 al ...) NOT-FOR-US: Active Membership CVE-2008-5634 (SQL injection vulnerability in account.asp in Active Force Matrix 2.0 ...) NOT-FOR-US: Active Force Matrix CVE-2008-5633 (SQL injection vulnerability in register.asp in ActiveVotes 2.2 allows ...) NOT-FOR-US: ActiveVotes CVE-2008-5632 (SQL injection vulnerability in Account.asp in Active Time Billing 3.2 ...) NOT-FOR-US: Active Time Billing CVE-2008-5631 (SQL injection vulnerability in start.asp in Active eWebquiz 8.0 allows ...) NOT-FOR-US: Active eWebquiz CVE-2008-5630 (SQL injection vulnerability in merchants/index.php in Post Affiliate P ...) NOT-FOR-US: Post Affiliate CVE-2008-5629 (SQL injection vulnerability in index.php in Turnkey Arcade Script allo ...) NOT-FOR-US: Turnkey Arcade Script CVE-2008-5628 (SQL injection vulnerability in index.php in CMS little 0.0.1 allows re ...) NOT-FOR-US: CMS little CVE-2008-5627 (SQL injection vulnerability in account.asp in Active Trade 2 allows re ...) NOT-FOR-US: Active Trade CVE-2008-5626 (XM Easy Personal FTP Server 5.6.0 allows remote authenticated users to ...) NOT-FOR-US: XM Easy Personal FTP Server CVE-2008-5623 RESERVED CVE-2008-5620 (RoundCube Webmail (roundcubemail) before 0.2-beta allows remote attack ...) - roundcube 0.1.1-10 (low; bug #509596) CVE-2008-5618 (imudp in rsyslog 4.x before 4.1.2, 3.21 before 3.21.9 beta, and 3.20 b ...) - rsyslog 3.18.6-1 (low; bug #510906) CVE-2008-5615 RESERVED CVE-2008-5614 RESERVED CVE-2008-5613 RESERVED CVE-2008-5612 RESERVED CVE-2008-5611 RESERVED CVE-2008-5610 RESERVED CVE-2008-5609 (SQL injection vulnerability in the Commerce extension 0.9.6 and earlie ...) NOT-FOR-US: Commerce extension CVE-2008-5608 (ASP AutoDealer stores sensitive information under the web root with in ...) NOT-FOR-US: AutoDealer CVE-2008-5607 (SQL injection vulnerability in the JMovies (aka JM or com_jmovies) com ...) NOT-FOR-US: joomla CVE-2008-5606 (Gazatem QMail Mailing List Manager 1.2 stores sensitive information un ...) NOT-FOR-US: Gazatem QMail Mailing List Manager CVE-2008-5605 (Multiple SQL injection vulnerabilities in ASP Portal allow remote atta ...) NOT-FOR-US: ASP Portal CVE-2008-5604 (Directory traversal vulnerability in index.php in My Simple Forum 3.0 ...) NOT-FOR-US: My Simple Forum CVE-2008-5603 (ASPTicker 1.0 stores sensitive information under the web root with ins ...) NOT-FOR-US: ASPTicker CVE-2008-5602 (Natterchat 1.12 stores sensitive information under the web root with i ...) NOT-FOR-US: Natterchat CVE-2008-5601 (User Engine Lite ASP stores sensitive information under the web root w ...) NOT-FOR-US: User Engine Lite ASP CVE-2008-5600 (Merlix Teamworx Server stores sensitive information under the web root ...) NOT-FOR-US: Merlix Teamworx Server CVE-2008-5599 (SQL injection vulnerability in default.asp in Merlix Teamworx Server a ...) NOT-FOR-US: Merlix Teamworx Server CVE-2008-5598 (Directory traversal vulnerability in index.php in PHPmyGallery 1.51 go ...) NOT-FOR-US: PHPmyGallery CVE-2008-5597 (Cold BBS stores sensitive information under the web root with insuffic ...) NOT-FOR-US: Cold BBS CVE-2008-5596 (Ikon AdManager 2.1 and earlier stores sensitive information under the ...) NOT-FOR-US: Ikon AdManager CVE-2008-5595 (SQL injection vulnerability in detail.asp in ASP AutoDealer allows rem ...) NOT-FOR-US: ASP AutoDealer CVE-2008-5594 (Multiple directory traversal vulnerabilities in index.php in Mini Blog ...) NOT-FOR-US: Mini Blog CVE-2008-5593 (Multiple directory traversal vulnerabilities in index.php in Mini CMS ...) NOT-FOR-US: Mini CMS CVE-2008-5592 (Nightfall Personal Diary 1.0 stores sensitive information under the we ...) NOT-FOR-US: Nightfall Personal Diary CVE-2008-5591 (Cross-site scripting (XSS) vulnerability in login.asp in Nightfall Per ...) NOT-FOR-US: Nightfall Personal Diary CVE-2008-5590 (SQL injection vulnerability in customer.forumtopic.php in Kalptaru Inf ...) NOT-FOR-US: Kalptaru Infotech Product Sale Framework CVE-2008-5589 (SQL injection vulnerability in processlogin.asp in Katy Whitton RankEm ...) NOT-FOR-US: Katy Whitton RankEm CVE-2008-5588 (SQL injection vulnerability in rankup.asp in Katy Whitton RankEm allow ...) NOT-FOR-US: Katy Whitton RankEm CVE-2008-5587 (Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdm ...) {DSA-1693-1} - phppgadmin 4.2.1-1.1 (low; bug #508026) NOTE: register_globals=on is required NOTE: http://www.milw0rm.com/exploits/7363 CVE-2008-5586 (SQL injection vulnerability in findoffice.php in Check Up New Generati ...) NOT-FOR-US: Check Up New Generation CVE-2008-5585 (Multiple PHP remote file inclusion vulnerabilities in lcxBBportal 0.1 ...) NOT-FOR-US: lcxBBportal CVE-2007-XXXX [tdiary XSS] - tdiary 2.2.0-1 (bug #464778) [etch] - tdiary 2.0.2+20060303-5 NOTE: fixed in r6 point update NOTE: http://www.tdiary.org/20071215.html CVE-2009-0040 (The PNG reference library (aka libpng) before 1.0.43, and 1.2.x before ...) {DSA-1830-1 DSA-1750-1} - icedove 2.0.0.22-1 (bug #535124) [squeeze] - icedove 2.0.0.22-0lenny1 - libpng 1.2.35-1 (bug #516256) CVE-2009-0039 (Multiple cross-site request forgery (CSRF) vulnerabilities in the web ...) - geronimo (bug #481869) CVE-2009-0038 (Multiple cross-site scripting (XSS) vulnerabilities in the web adminis ...) - geronimo (bug #481869) CVE-2009-0037 (The redirect implementation in curl and libcurl 5.11 through 7.19.3, w ...) {DSA-1738-1} - curl 7.18.2-8.1 (bug #518423) CVE-2009-0036 (Buffer overflow in the proxyReadClientSocket function in proxy/libvirt ...) - libvirt 0.5.1-7 (unimportant) NOTE: not building libvirt proxy from libvirt source package CVE-2009-0035 (alsa-utils 1.0.19 and later versions allows local users to overwrite a ...) - alsa-driver 1.0.20-1 (unimportant) NOTE: alsainfo not built into source package CVE-2009-0034 (parse.c in sudo 1.6.9p17 through 1.6.9p19 does not properly interpret ...) - sudo 1.6.9p17-2 (medium) [etch] - sudo (Vulnerable code not present) CVE-2009-0033 (Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 th ...) {DSA-2207-1} - tomcat6 6.0.28-1 [lenny] - tomcat6 (Only ships the servlet package) - tomcat5 (medium; bug #532363) - tomcat5.5 (medium; bug #532366) CVE-2009-0032 (CUPS on Mandriva Linux 2008.0, 2008.1, 2009.0, Corporate Server (CS) 3 ...) NOT-FOR-US: issue affects pdfdistiller CVE-2009-0031 (Memory leak in the keyctl_join_session_keyring function (security/keys ...) {DSA-1794-1 DSA-1787-1 DSA-1749-1} - linux-2.6 2.6.29-1 (low) - linux-2.6.24 CVE-2009-0030 (A certain Red Hat patch for SquirrelMail 1.4.8 sets the same SQMSESSID ...) - squirrelmail (RedHat-specific regression) CVE-2009-0029 (The ABI in the Linux kernel 2.6.28 and earlier on s390, powerpc, sparc ...) {DSA-1794-1 DSA-1787-1 DSA-1749-1} - linux-2.6 2.6.29-1 (medium; bug #536147) - linux-2.6.24 CVE-2009-0028 (The clone system call in the Linux kernel 2.6.28 and earlier allows lo ...) {DSA-1800-1 DSA-1794-1 DSA-1787-1} - linux-2.6 2.6.29-1 - linux-2.6.24 CVE-2009-0027 (The request handler in JBossWS in JBoss Enterprise Application Platfor ...) - jbossas4 4.2.2.GA-1 (bug #562000) [lenny] - jbossas4 (Contrib not supported) CVE-2009-0026 (Multiple cross-site scripting (XSS) vulnerabilities in Apache Jackrabb ...) NOT-FOR-US: Apache Jackrabbit CVE-2009-0025 (BIND 9.6.0, 9.5.1, 9.5.0, 9.4.3, and earlier does not properly check t ...) {DSA-1703-1} - bind9 1:9.5.1.dfsg.P1-1 (low; bug #511936) NOTE: unlike the advisory states it is DSA_do_verify not DSA_verify NOTE: low severity because it is believed hard to trigger and only NOTE: affects DNSSEC with DSA, which is supposedly rarely used. CVE-2009-0024 (The sys_remap_file_pages function in mm/fremap.c in the Linux kernel b ...) - linux-2.6 2.6.24-4 [etch] - linux-2.6 (Introduced in 2.6.23) NOTE: Fixed in 2.6.24 before initial upload CVE-2009-0023 (The apr_strmatch_precompile function in strmatch/apr_strmatch.c in Apa ...) {DSA-1812-1} - apr-util 1.3.7+dfsg-1 CVE-2009-0022 (Samba 3.2.0 through 3.2.6, when registry shares are enabled, allows re ...) - samba 2:3.2.5-3 [etch] - samba (Only 3.2.x affected) CVE-2009-0021 (NTP 4.2.4 before 4.2.4p5 and 4.2.5 before 4.2.5p150 does not properly ...) {DSA-1702-1} - ntp 1:4.2.4p4+dfsg-8 CVE-2009-0020 (Unspecified vulnerability in CarbonCore in Apple Mac OS X 10.4.11 and ...) NOT-FOR-US: Apple Mac OS X CVE-2009-0019 (Remote Apple Events in Apple Mac OS X 10.4.11 and 10.5.6 allows remote ...) NOT-FOR-US: Apple Mac OS X CVE-2009-0018 (The Remote Apple Events server in Apple Mac OS X 10.4.11 and 10.5.6 do ...) NOT-FOR-US: Apple Mac OS X CVE-2009-0017 (csregprinter in the Printing component in Apple Mac OS X 10.4.11 and 1 ...) NOT-FOR-US: Apple Mac OS X CVE-2009-0016 (Apple iTunes before 8.1 on Windows allows remote attackers to cause a ...) NOT-FOR-US: Apple iTunes CVE-2009-0015 (Unspecified vulnerability in fseventsd in the FSEvents framework in Ap ...) NOT-FOR-US: Apple Mac OS X CVE-2009-0014 (Folder Manager in Apple Mac OS X 10.5.6 uses insecure default permissi ...) NOT-FOR-US: Apple Mac OS X CVE-2009-0013 (dscl in DS Tools in Apple Mac OS X 10.4.11 and 10.5.6 requires that pa ...) NOT-FOR-US: Apple Mac OS X CVE-2009-0012 (Heap-based buffer overflow in CoreText in Apple Mac OS X 10.5.6 allows ...) NOT-FOR-US: Apple Mac OS X CVE-2009-0011 (Certificate Assistant in Apple Mac OS X 10.5.6 allows local users to o ...) NOT-FOR-US: Apple Mac OS X CVE-2009-0010 (Integer underflow in QuickDraw Manager in Apple Mac OS X 10.4.11 and 1 ...) NOT-FOR-US: QuickDraw Manager in Apple Mac OS X CVE-2009-0009 (Unspecified vulnerability in the Pixlet codec in Apple Mac OS X 10.4.1 ...) NOT-FOR-US: Apple Mac OS X CVE-2009-0008 (Unspecified vulnerability in Apple QuickTime MPEG-2 Playback Component ...) NOT-FOR-US: Apple QuickTime CVE-2009-0007 (Heap-based buffer overflow in Apple QuickTime before 7.6 allows remote ...) NOT-FOR-US: Apple QuickTime CVE-2009-0006 (Integer signedness error in Apple QuickTime before 7.6 allows remote a ...) NOT-FOR-US: Apple QuickTime CVE-2009-0005 (Unspecified vulnerability in Apple QuickTime before 7.6 allows remote ...) NOT-FOR-US: Apple QuickTime CVE-2009-0004 (Buffer overflow in Apple QuickTime before 7.6 allows remote attackers ...) NOT-FOR-US: Apple QuickTime CVE-2009-0003 (Heap-based buffer overflow in Apple QuickTime before 7.6 allows remote ...) NOT-FOR-US: Apple QuickTime CVE-2009-0002 (Heap-based buffer overflow in Apple QuickTime before 7.6 allows remote ...) NOT-FOR-US: Apple QuickTime CVE-2009-0001 (Heap-based buffer overflow in Apple QuickTime before 7.6 allows remote ...) NOT-FOR-US: Apple QuickTime CVE-2008-5622 REJECTED CVE-2008-5621 (Cross-site request forgery (CSRF) vulnerability in phpMyAdmin 2.11.x b ...) {DSA-1723-1} - phpmyadmin 4:2.11.8.1-5 NOTE: https://www.phpmyadmin.net/security/PMASA-2008-10/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/0d4adbfc1996c7d715b0ac9fa39a2ac14d8b28ad (2.11 branch) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/01685c90aaba943511de0496e7ecb7fe49fa765b CVE-2008-5584 (Multiple cross-site scripting (XSS) vulnerabilities in ProjectPier 0.8 ...) NOT-FOR-US: ProjectPier CVE-2008-5583 (Cross-site request forgery (CSRF) vulnerability in index.php in Projec ...) NOT-FOR-US: ProjectPier CVE-2008-5582 (SQL injection vulnerability in utilities/login.asp in Nukedit 4.9.x, a ...) NOT-FOR-US: Nukedit CVE-2008-5581 (PHP remote file inclusion vulnerability in mini-pub.php/front-end/img. ...) NOT-FOR-US: mini-pub CVE-2008-5580 (mini-pub.php/front-end/cat.php in mini-pub 0.3 allows remote attackers ...) NOT-FOR-US: mini-pub CVE-2008-5579 (Absolute path traversal vulnerability in mini-pub.php/front-end/cat.ph ...) NOT-FOR-US: mini-pub CVE-2008-5578 (Multiple SQL injection vulnerabilities in index.php in sCssBoard 1.0, ...) NOT-FOR-US: sCssBoard CVE-2008-5577 (PHP remote file inclusion vulnerability in index.php in sCssBoard 1.0, ...) NOT-FOR-US: sCssBoard CVE-2008-5576 (admin/forums.php in sCssBoard 1.0, 1.1, 1.11, and 1.12 allows remote a ...) NOT-FOR-US: sCssBoard CVE-2008-5575 (Session fixation vulnerability in Pro Clan Manager 0.4.2 and earlier a ...) NOT-FOR-US: Pro Clan Manager CVE-2008-5574 (SQL injection vulnerability in member.php in Webmaster Marketplace all ...) NOT-FOR-US: Webmaster Marketplace CVE-2008-5573 (SQL injection vulnerability in the login feature in Poll Pro 2.0 allow ...) NOT-FOR-US: Poll Pro CVE-2008-5572 (Professional Download Assistant 0.1 stores sensitive information under ...) NOT-FOR-US: Professional Download Assistant CVE-2008-5571 (SQL injection vulnerability in admin/login.asp in Professional Downloa ...) NOT-FOR-US: Professional Download Assistant CVE-2008-5570 (Directory traversal vulnerability in index.php in PHP Multiple Newslet ...) NOT-FOR-US: Multiple Newsletters CVE-2008-5569 (Multiple cross-site scripting (XSS) vulnerabilities in PHPepperShop 1. ...) NOT-FOR-US: PHPepperShop CVE-2008-5568 (Cross-site request forgery (CSRF) vulnerability in admin/settings.php ...) NOT-FOR-US: IPN Pro CVE-2008-5567 (Cross-site request forgery (CSRF) vulnerability in admin/ad_settings.p ...) NOT-FOR-US: Bonza Cart CVE-2008-5566 (Cross-site scripting (XSS) vulnerability in index.php in Triangle Solu ...) NOT-FOR-US: Multiple Newsletters CVE-2008-5565 (Cross-site request forgery (CSRF) vulnerability in admin/settings.php ...) NOT-FOR-US: DL PayCart CVE-2008-5564 (Unspecified vulnerability in the media server in Orb Networks Orb befo ...) NOT-FOR-US: Orb Networks Orb CVE-2008-5563 (Aruba Mobility Controller 2.4.8.x-FIPS, 2.5.x, 3.1.x, 3.2.x, 3.3.1.x, ...) NOT-FOR-US: Aruba Mobility Controller CVE-2008-5562 (ASPPortal stores sensitive information under the web root with insuffi ...) NOT-FOR-US: ASPPortal CVE-2008-5561 (SQL injection vulnerability in Netref 4.0 allows remote attackers to e ...) NOT-FOR-US: Netref CVE-2008-5560 (PostEcards stores sensitive information under the web root with insuff ...) NOT-FOR-US: PostEcards CVE-2008-5559 (SQL injection vulnerability in sendcard.cfm in PostEcards allows remot ...) NOT-FOR-US: PostEcards CVE-2008-5558 (Asterisk Open Source 1.2.26 through 1.2.30.3 and Business Edition B.2. ...) - asterisk 1:1.4.0~dfsg-1 (bug #509686) [etch] - asterisk (Etch Packages no longer covered by security support) CVE-2008-5557 (Heap-based buffer overflow in ext/mbstring/libmbfl/filters/mbfilter_ht ...) {DSA-1789-1 DTSA-188-1} - php5 5.2.6.dfsg.1-1 (bug #511493) [lenny] - php5 5.2.6.dfsg.1-1+lenny1 NOTE: according to bug report, this was fixed in lenny prior to the release, but was not marked as such at the time CVE-2008-6506 (Unspecified vulnerability in phpBB before 3.0.4 allows attackers to by ...) - phpbb3 3.0.2-4 (low; bug #508872) CVE-2008-5556 NOT-FOR-US: Microsoft Internet Explorer CVE-2008-5555 (Microsoft Internet Explorer 8.0 Beta 2 relies on the XDomainRequestAll ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-5554 (The XSS Filter in Microsoft Internet Explorer 8.0 Beta 2 does not prop ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-5553 (The XSS Filter in Microsoft Internet Explorer 8.0 Beta 2 disables itse ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-5552 (The XSS Filter in Microsoft Internet Explorer 8.0 Beta 2 allows remote ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-5551 (The XSS Filter in Microsoft Internet Explorer 8.0 Beta 2 allows remote ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-5550 (Open redirect vulnerability in console/faces/jsp/login/BeginLogin.jsp ...) NOT-FOR-US: Sun Java Web Console CVE-2008-5549 (Unspecified vulnerability in the Sun Java Web Console components in Su ...) NOT-FOR-US: Sun Java Web Console CVE-2008-5548 (VirusBuster 4.5.11.0, when Internet Explorer 6 or 7 is used, allows re ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-5547 (HAURI ViRobot 2008.12.4.1499 and possibly 2008.9.12.1375, when Interne ...) NOT-FOR-US: HAURI ViRobot CVE-2008-5546 (VirusBlokAda VBA32 3.12.8.5, when Internet Explorer 6 or 7 is used, al ...) NOT-FOR-US: VirusBlokAda VBA32 CVE-2008-5545 (Trend Micro VSAPI 8.700.0.1004 in Trend Micro AntiVirus, when Internet ...) NOT-FOR-US: Trend Micro VSAPI CVE-2008-5544 (Hacksoft The Hacker 6.3.1.2.174 and possibly 6.3.0.9.081, when Interne ...) NOT-FOR-US: Hacksoft The Hacker CVE-2008-5543 (Symantec AntiVirus (SAV) 10, when Internet Explorer 6 or 7 is used, al ...) NOT-FOR-US: Symantec AntiVirus CVE-2008-5542 (Sunbelt VIPRE 3.1.1832.2 and possibly 3.1.1633.1, when Internet Explor ...) NOT-FOR-US: Sunbelt VIPRE CVE-2008-5541 (Sophos Anti-Virus 4.33.0, when Internet Explorer 6 or 7 is used, allow ...) NOT-FOR-US: Sophos Anti-Virus CVE-2008-5540 (Secure Computing Secure Web Gateway (aka Webwasher), when Internet Exp ...) NOT-FOR-US: Webwasher CVE-2008-5539 (RISING Antivirus 21.06.31.00 and possibly 20.61.42.00, when Internet E ...) NOT-FOR-US: RISING Antivirus CVE-2008-5538 (Prevx Prevx1 2, when Internet Explorer 6 or 7 is used, allows remote a ...) NOT-FOR-US: Prevx Prevx1 2 CVE-2008-5537 (PC Tools AntiVirus 4.4.2.0, when Internet Explorer 6 or 7 is used, all ...) NOT-FOR-US: PC Tools AntiVirus CVE-2008-5536 (Panda Antivirus 9.0.0.4, when Internet Explorer 6 or 7 is used, allows ...) NOT-FOR-US: Panda Antivirus CVE-2008-5535 (Norman Antivirus 5.80.02, when Internet Explorer 6 or 7 is used, allow ...) NOT-FOR-US: Norman Antivirus CVE-2008-5534 (ESET NOD32 Antivirus 3662 and possibly 3440, when Internet Explorer 6 ...) NOT-FOR-US: ESET NOD32 Antivirus CVE-2008-5533 (K7AntiVirus 7.10.541 and possibly 7.10.454, when Internet Explorer 6 o ...) NOT-FOR-US: K7AntiVirus CVE-2008-5532 (Ikarus Virus Utilities T3.1.1.45.0 and possibly T3.1.1.34.0, when Inte ...) NOT-FOR-US: Ikarus Virus Utilities CVE-2008-5531 (Fortinet Antivirus 3.113.0.0, when Internet Explorer 6 or 7 is used, a ...) NOT-FOR-US: Fortinet Antivirus CVE-2008-5530 (Ewido Security Suite 4.0, when Internet Explorer 6 or 7 is used, allow ...) NOT-FOR-US: Ewido Security Suite CVE-2008-5529 (CA eTrust Antivirus 31.6.6086, when Internet Explorer 6 or 7 is used, ...) NOT-FOR-US: CA eTrust Antivirus CVE-2008-5528 (Aladdin eSafe 7.0.17.0, when Internet Explorer 6 or 7 is used, allows ...) NOT-FOR-US: Aladdin eSafe CVE-2008-5527 (ESET Smart Security, when Internet Explorer 6 or 7 is used, allows rem ...) NOT-FOR-US: ESET Smart Security CVE-2008-5526 (DrWeb Anti-virus 4.44.0.09170, when Internet Explorer 6 or 7 is used, ...) NOT-FOR-US: DrWeb Anti-virus CVE-2008-5525 (ClamAV 0.94.1 and possibly 0.93.1, when Internet Explorer 6 or 7 is us ...) - clamav (medium; bug #526041) NOTE: this issue refers to a clamav antivirus bypass that occurs when the user NOTE: is using IE6 or IE7 to open a malicious page with an MZ header NOTE: - all other browsers are not vulnerable NOTE: - see http://xforce.iss.net/xforce/xfdb/47435 and bug report for details CVE-2008-5524 (CAT-QuickHeal 10.00 and possibly 9.50, when Internet Explorer 6 or 7 i ...) NOT-FOR-US: CAT-QuickHeal CVE-2008-5523 (avast! antivirus 4.8.1281.0, when Internet Explorer 6 or 7 is used, al ...) NOT-FOR-US: avast! antivirus CVE-2008-5522 (AVG Anti-Virus 8.0.0.161, when Internet Explorer 6 or 7 is used, allow ...) NOT-FOR-US: AVG Anti-Virus CVE-2008-5521 (Avira AntiVir 7.9.0.36 and possibly 7.8.1.28, when Internet Explorer 6 ...) NOT-FOR-US: Avira AntiVir CVE-2008-5520 (AhnLab V3 2008.12.4.1 and possibly 2008.9.13.0, when Internet Explorer ...) NOT-FOR-US: AhnLab V3 CVE-2008-5519 (The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat al ...) {DSA-1810-1} - libapache-mod-jk 1:1.2.26-2.1 (bug #523054) CVE-2008-5518 (Multiple directory traversal vulnerabilities in the web administration ...) - geronimo (bug #481869) CVE-2008-5517 (The web interface in git (gitweb) 1.5.x before 1.5.6 allows remote att ...) {DSA-1708-1} - git-core 1:1.5.6.5-2 (low; bug #512330) CVE-2008-5516 (The web interface in git (gitweb) 1.5.x before 1.5.5 allows remote att ...) {DSA-1708-1} - git-core 1:1.5.6-1 CVE-2008-5515 (Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 throug ...) {DSA-2207-1} - tomcat5 (bug #532363) - tomcat5.5 (bug #532366) - tomcat6 6.0.20-1 (bug #532362) [lenny] - tomcat6 (Only ships the servlet package) CVE-2008-5514 (Off-by-one error in the rfc822_output_char function in the RFC822BUFFE ...) {DTSA-174-2} - uw-imap 2007b~dfsg-1.1 (medium; bug #510918) [etch] - uw-imap (Vulnerable code not present) - alpine 2.02-3.1 (low) [lenny] - alpine (Minor issue) [squeeze] - alpine 2.00+dfsg-6+squeeze1 CVE-2008-5513 (Unspecified vulnerability in the session-restore feature in Mozilla Fi ...) {DSA-1707-1} - iceweasel 3.0.5-1 CVE-2008-5512 (Multiple unspecified vulnerabilities in Mozilla Firefox 3.x before 3.0 ...) {DSA-1707-1 DSA-1704-1 DSA-1697-1 DSA-1696-1} - iceweasel 3.0.5-1 - icedove 2.0.0.19-1 - iceape 1.1.14-1 - xulrunner 1.9.0.5-1 CVE-2008-5511 (Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird ...) {DSA-1707-1 DSA-1704-1 DSA-1697-1 DSA-1696-1} - iceweasel 3.0.5-1 - icedove 2.0.0.19-1 - iceape 1.1.14-1 - xulrunner 1.9.0.5-1 CVE-2008-5510 (The CSS parser in Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0. ...) {DSA-1707-1} - iceweasel 3.0.5-1 - icedove 2.0.0.19-1 - iceape 1.1.14-1 [etch] - iceape (Etch Packages no longer covered by security support) - xulrunner 1.9.0.5-1 [etch] - xulrunner (Etch Packages no longer covered by security support) NOTE: patch will be checked for icedove/iceape/xulrunner by Alexander for next round CVE-2008-5509 RESERVED CVE-2008-5508 (Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird ...) {DSA-1707-1 DSA-1704-1 DSA-1697-1 DSA-1696-1} - iceweasel 3.0.5-1 - icedove 2.0.0.19-1 - iceape 1.1.14-1 - xulrunner 1.9.0.5-1 CVE-2008-5507 (Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird ...) {DSA-1707-1 DSA-1704-1 DSA-1697-1 DSA-1696-1} - iceweasel 3.0.5-1 - icedove 2.0.0.19-1 - iceape 1.1.14-1 - xulrunner 1.9.0.5-1 CVE-2008-5506 (Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird ...) {DSA-1707-1 DSA-1704-1 DSA-1697-1 DSA-1696-1} - iceweasel 3.0.5-1 - icedove 2.0.0.19-1 - iceape 1.1.14-1 - xulrunner 1.9.0.5-1 CVE-2008-5505 (Mozilla Firefox 3.x before 3.0.5 allows remote attackers to bypass int ...) - iceweasel 3.0.5-1 [etch] - iceweasel (Etch Packages no longer covered by security support) NOTE: patch now available and will be checked for next patch round CVE-2008-5504 (Mozilla Firefox 2.x before 2.0.0.19 allows remote attackers to run arb ...) {DSA-1707-1} - iceweasel 3.0.1-1 - xulrunner 1.9.0.1-1 [etch] - xulrunner (The vulnerable feature is only included in 1.8.1 branch) NOTE: Original fix for CVE-2008-3836 was incomplete CVE-2008-5503 (The loadBindingDocument function in Mozilla Firefox 2.x before 2.0.0.1 ...) {DSA-1707-1 DSA-1704-1 DSA-1697-1 DSA-1696-1} - iceape 1.1.13-1 - iceweasel 3.0.1-1 - xulrunner 1.9.0.1-1 - icedove 2.0.0.19-1 (low) NOTE: JavaScript for mails is disabled by default and if users enable it ... CVE-2008-5502 (The layout engine in Mozilla Firefox 3.x before 3.0.5, Thunderbird 2.x ...) - iceweasel 3.0.5-1 [etch] - iceweasel (Firefox 2.x not affected) - xulrunner 1.9.0.5-1 [etch] - xulrunner (Xulrunner 1.8 not affected) - icedove (This issue was FF3 only, CVE-2008-5500 affects icedove) CVE-2008-5501 (The layout engine in Mozilla Firefox 3.x before 3.0.5, Thunderbird 2.x ...) - iceweasel 3.0.5-1 [etch] - iceweasel (Firefox 2.x not affected) - xulrunner 1.9.0.5-1 [etch] - xulrunner (Xulrunner 1.8 not affected) - icedove (This issue was FF3 only, CVE-2008-5500 affects icedove) CVE-2008-5500 (The layout engine in Mozilla Firefox 3.x before 3.0.5 and 2.x before 2 ...) {DSA-1707-1 DSA-1704-1 DSA-1697-1 DSA-1696-1} - iceweasel 3.0.5-1 - icedove 2.0.0.19-1 - iceape 1.1.14-1 - xulrunner 1.9.0.5-1 CVE-2008-5499 (Unspecified vulnerability in Adobe Flash Player for Linux 10.0.12.36, ...) NOT-FOR-US: Adobe Flash Player CVE-2008-5498 (Array index error in the imageRotate function in PHP 5.2.8 and earlier ...) - php5 (php5 links to the shared lib) - libgd2 (code is specific to php's libgd) NOTE: http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.1360&r2=1.2027.2.547.2.1361 CVE-2008-5497 (BandSite CMS 1.1.4 allows remote attackers to bypass authentication an ...) NOT-FOR-US: BandSite CMS CVE-2008-5496 (SQL injection vulnerability in showcategory.php in PozScripts Business ...) NOT-FOR-US: PozScripts Business Directory Script CVE-2008-5495 (Unspecified vulnerability in the GungHo LoadPrgAx ActiveX control 1.0. ...) NOT-FOR-US: GungHo LoadPrgAx CVE-2008-5494 (SQL injection vulnerability in the Contact Information Module (com_con ...) NOT-FOR-US: Contact Information Module (com_contactinfo) component for Joomla! CVE-2008-5493 (SQL injection vulnerability in track.php in PHPStore Wholesales (aka W ...) NOT-FOR-US: PHPStore Wholesales CVE-2008-5492 (Heap-based buffer overflow in the PDFVIEW.PdfviewCtrl.1 ActiveX contro ...) NOT-FOR-US: PDFVIEW.PdfviewCtrl.1 CVE-2008-5491 (SQL injection vulnerability in edit.php in SlimCMS 1.0.0 and earlier a ...) NOT-FOR-US: SlimCMS CVE-2008-5490 (SQL injection vulnerability in index.php in PHPStore Yahoo Answers all ...) NOT-FOR-US: PHPStore Yahoo Answers CVE-2008-5489 (SQL injection vulnerability in channel_detail.php in ClipShare Pro 4, ...) NOT-FOR-US: ClipShare CVE-2008-5488 (SQL injection vulnerability in admin.php in E-topbiz Domain Shop 2 all ...) NOT-FOR-US: E-topbiz Domain Shop CVE-2008-5487 (Cross-site scripting (XSS) vulnerability in admin.php in TurnkeyForms ...) NOT-FOR-US: TurnkeyForms Text Link Sales CVE-2008-5486 (SQL injection vulnerability in admin.php in TurnkeyForms Text Link Sal ...) NOT-FOR-US: TurnkeyForms Text Link Sales CVE-2008-5616 (Stack-based buffer overflow in the demux_open_vqf function in libmpdem ...) {DSA-1782-1 DTSA-181-1} - mplayer 1.0~rc2-19 (low; bug #508803) CVE-2008-XXXX [axel URL parser buffer overflow] - axel 2.2 (unimportant) [etch] - axel (Minor issue) NOTE: http://alioth.debian.org/forum/forum.php?forum_id=2846 NOTE: this only work for non-interactive sessions which is a quite exotic usecase CVE-2008-5619 (html2text.php in Chuggnutt HTML to Text Converter, as used in PHPMaile ...) - roundcube 0.1.1-9 (high; bug #508628; bug #536498) NOTE: According to the bug report, this is being exploited. - moodle 1.8.2.dfsg-2 (bug #508909) [etch] - moodle (Vulnerable code not present) NOTE: moodle recently copied roundcube's html2text due to their copy being non-free - mahara 1.1.3-1 (high; bug #524778) [lenny] - mahara (html2text.php wasn't yet included) - atmailopen CVE-2008-5485 REJECTED CVE-2008-5484 REJECTED CVE-2008-5483 REJECTED CVE-2008-5482 REJECTED CVE-2008-5481 REJECTED CVE-2008-5480 REJECTED CVE-2008-5479 REJECTED CVE-2008-5478 REJECTED CVE-2008-5477 REJECTED CVE-2008-5476 REJECTED CVE-2008-5475 REJECTED CVE-2008-5474 REJECTED CVE-2008-5473 REJECTED CVE-2008-5472 REJECTED CVE-2008-5471 REJECTED CVE-2008-5470 REJECTED CVE-2008-5469 REJECTED CVE-2008-5468 REJECTED CVE-2008-5467 REJECTED CVE-2008-5466 REJECTED CVE-2008-5465 REJECTED CVE-2008-5464 REJECTED CVE-2008-5463 (Unspecified vulnerability in the PeopleSoft Enterprise Campus Solution ...) NOT-FOR-US: BEA WebLogic CVE-2008-5462 (Unspecified vulnerability in the WebLogic Portal component in BEA Prod ...) NOT-FOR-US: BEA WebLogic CVE-2008-5461 (Unspecified vulnerability in the WebLogic Server component in BEA Prod ...) NOT-FOR-US: BEA WebLogic CVE-2008-5460 (Unspecified vulnerability in the WebLogic Server component in BEA Prod ...) NOT-FOR-US: BEA WebLogic CVE-2008-5459 (Unspecified vulnerability in the WebLogic Server component in BEA Prod ...) NOT-FOR-US: BEA WebLogic CVE-2008-5458 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle CVE-2008-5457 (Unspecified vulnerability in the Oracle BEA WebLogic Server Plugins fo ...) NOT-FOR-US: Oracle CVE-2008-5456 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: Oracle CVE-2008-5455 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS - ePerform ...) NOT-FOR-US: Oracle CVE-2008-5454 (Unspecified vulnerability in the iProcurement component in Oracle E-Bu ...) NOT-FOR-US: Oracle CVE-2008-5453 REJECTED CVE-2008-5452 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: Oracle CVE-2008-5451 (Unspecified vulnerability in the JD Edwards Tools component in Oracle ...) NOT-FOR-US: Oracle CVE-2008-5450 (Unspecified vulnerability in the Oracle Applications Platform Engineer ...) NOT-FOR-US: Oracle CVE-2008-5449 (Unspecified vulnerability in the Oracle Secure Backup component in Ora ...) NOT-FOR-US: Oracle CVE-2008-5448 (Unspecified vulnerability in the Oracle Secure Backup component in Ora ...) NOT-FOR-US: Oracle CVE-2008-5447 (Unspecified vulnerability in the Oracle Enterprise Manager component i ...) NOT-FOR-US: Oracle CVE-2008-5446 (Unspecified vulnerability in the Oracle Applications Framework compone ...) NOT-FOR-US: Oracle CVE-2008-5445 (Unspecified vulnerability in the Oracle Secure Backup component in Ora ...) NOT-FOR-US: Oracle CVE-2008-5444 (Unspecified vulnerability in the Oracle Secure Backup component in Ora ...) NOT-FOR-US: Oracle CVE-2008-5443 (Unspecified vulnerability in the Oracle Secure Backup component in Ora ...) NOT-FOR-US: Oracle CVE-2008-5442 (Unspecified vulnerability in the Oracle Secure Backup component in Ora ...) NOT-FOR-US: Oracle CVE-2008-5441 (Unspecified vulnerability in the Oracle Secure Backup component in Ora ...) NOT-FOR-US: Oracle CVE-2008-5440 (Unspecified vulnerability in the TimesTen Data Server component in Ora ...) NOT-FOR-US: Oracle CVE-2008-5439 (Unspecified vulnerability in the SQL*Plus Windows GUI component in Ora ...) NOT-FOR-US: Oracle CVE-2008-5438 (Unspecified vulnerability in the Oracle Portal component in Oracle App ...) NOT-FOR-US: Oracle CVE-2008-5437 (Unspecified vulnerability in the Job Queue component in Oracle Databas ...) NOT-FOR-US: Oracle CVE-2008-5436 (Unspecified vulnerability in the Oracle OLAP component in Oracle Datab ...) NOT-FOR-US: Oracle CVE-2008-5435 (Cross-site scripting (XSS) vulnerability in moderate.php in PunBB befo ...) NOT-FOR-US: PunBB CVE-2008-5434 (Multiple SQL injection vulnerabilities in PunBB 1.3 and 1.3.1 allow re ...) NOT-FOR-US: PunBB CVE-2008-5433 (Cross-site scripting (XSS) vulnerability in login.php in PunBB 1.3 and ...) NOT-FOR-US: PunBB CVE-2008-5432 (Cross-site scripting (XSS) vulnerability in Moodle before 1.6.8, 1.7 b ...) {DSA-1691-1} - moodle 1.8.2.dfsg-1 (bug #508593) CVE-2008-5431 (Teamtek Universal FTP Server 1.0.44 allows remote attackers to cause a ...) NOT-FOR-US: Teamtek Universal FTP Server CVE-2008-5430 (Mozilla Thunderbird 2.0.14 does not properly handle (1) multipart/mixe ...) - icedove (unimportant) NOTE: crashes icedove, but no security impact CVE-2008-5429 (Incredimail build 5853710 does not properly handle (1) multipart/mixed ...) NOT-FOR-US: Incredimail CVE-2008-5428 (Opera 9.51 on Windows XP does not properly handle (1) multipart/mixed ...) NOT-FOR-US: Opera CVE-2008-5427 (Norton Antivirus in Norton Internet Security 15.5.0.23 does not proper ...) NOT-FOR-US: Norton Internet Security CVE-2008-5426 (Kaspersky Internet Security Suite 2009 does not properly handle (1) mu ...) NOT-FOR-US: Kaspersky Internet Security Suite CVE-2008-5425 (ESet NOD32 2.70.0039.0000 does not properly handle (1) multipart/mixed ...) NOT-FOR-US: NOD32 CVE-2008-5424 (The MimeOleClearDirtyTree function in InetComm.dll in Microsoft Outloo ...) NOT-FOR-US: Microsoft Outlook Express CVE-2008-5423 (Sun Sun Ray Server Software 3.x and 4.0 and Sun Ray Windows Connector ...) NOT-FOR-US: Sun Ray Software CVE-2008-5422 (Sun Sun Ray Server Software 3.1 through 4.0 does not properly restrict ...) NOT-FOR-US: Sun Sun Ray Server Software CVE-2008-5421 (The SSL web administration service in NetWin SmsGate 1.1n and earlier ...) NOT-FOR-US: NetWin SmsGate CVE-2006-7235 (Teamtek Universal FTP Server 1.0.50 allows remote attackers to cause a ...) NOT-FOR-US: Teamtek Universal FTP Server CVE-2008-5420 (The SAN Manager Master Agent service (aka msragent.exe) in EMC Control ...) NOT-FOR-US: SAN Manager Master Agent CVE-2008-5419 (Stack-based buffer overflow in SAN Manager Master Agent service (aka m ...) NOT-FOR-US: SAN Manager Master Agent CVE-2008-5418 (Directory traversal vulnerability in login.php in the PunPortal module ...) NOT-FOR-US: PunBB CVE-2008-5417 (HP DECnet-Plus 8.3 before ECO03 for OpenVMS on the Alpha platform uses ...) NOT-FOR-US: HP DECnet-Plus CVE-2008-5416 (Heap-based buffer overflow in Microsoft SQL Server 2000 SP4, 8.00.2050 ...) NOT-FOR-US: Microsoft SQL Server CVE-2008-5415 (The LDBserver service in the server in CA ARCserve Backup 11.1 through ...) NOT-FOR-US: CA ARCserve Backup CVE-2008-5414 (Unspecified vulnerability in the Feature Pack for Web Services in the ...) NOT-FOR-US: IBM WebSphere CVE-2008-5413 (PerfServlet in the PMI/Performance Tools component in IBM WebSphere Ap ...) NOT-FOR-US: IBM WebSphere CVE-2008-5412 (Unspecified vulnerability in IBM WebSphere Application Server (WAS) 7 ...) NOT-FOR-US: IBM WebSphere CVE-2008-5411 (IBM WebSphere Application Server (WAS) 7 before 7.0.0.1 sends SSL traf ...) NOT-FOR-US: IBM WebSphere CVE-2008-5410 (The PK11_SESSION cache in the OpenSSL PKCS#11 engine in Sun Solaris 10 ...) NOT-FOR-US: Solaris CVE-2008-5409 (Unspecified vulnerability in the pdf.xmd module in (1) BitDefender Fre ...) NOT-FOR-US: itDefender Free Edition and Antivirus Standard, BullGuard Internet Security and Software602 Groupware Server CVE-2008-5408 (Buffer overflow in the data management protocol in Symantec Backup Exe ...) NOT-FOR-US: Symantec Backup Exec CVE-2008-5407 (Multiple unspecified vulnerabilities in the Backup Exec remote-agent l ...) NOT-FOR-US: Symantec Backup Exec CVE-2008-5406 (Stack-based buffer overflow in Apple QuickTime Player 7.5.5 and iTunes ...) NOT-FOR-US: Apple QuickTime Player and iTunes CVE-2008-5405 (Stack-based buffer overflow in the RDP protocol password decoder in Ca ...) NOT-FOR-US: Cain & Abel CVE-2008-5404 (Insecure method vulnerability in the FlexCell.Grid ActiveX control in ...) NOT-FOR-US: FlexCell CVE-2008-5403 (Heap-based buffer overflow in the XML parser in the AIM plugin in Tril ...) NOT-FOR-US: Trillian CVE-2008-5402 (Double free vulnerability in the XML parser in Trillian before 3.1.12. ...) NOT-FOR-US: Trillian CVE-2008-5401 (Stack-based buffer overflow in the image tooltip implementation in Tri ...) NOT-FOR-US: Trillian CVE-2008-5400 (Multiple cross-site request forgery (CSRF) vulnerabilities in mvnForum ...) NOT-FOR-US: mvnForum CVE-2008-5399 (Cross-site scripting (XSS) vulnerability in the listonlineusers (aka " ...) NOT-FOR-US: mvnForum CVE-2008-5398 (Tor before 0.2.0.32 does not properly process the ClientDNSRejectInter ...) - tor 0.2.0.32-1 CVE-2008-5397 (Tor before 0.2.0.32 does not properly process the (1) User and (2) Gro ...) - tor 0.2.0.32-1 (bug #505178) CVE-2008-5396 (Array index error in the (1) torisa.c and (2) dahdi/tor2.c drivers in ...) {DSA-1699-1} - zaptel 1:1.4.11~dfsg-3 CVE-2008-5395 (The parisc_show_stack function in arch/parisc/kernel/traps.c in the Li ...) {DSA-1794-1 DSA-1787-1} - linux-2.6 2.6.26-13 - linux-2.6.24 CVE-2008-5393 (UPR-Kernel in Ubuntu Privacy Remix (UPR) before 8.04_r1 includes kerne ...) NOT-FOR-US: Ubuntu Privacy Remix CVE-2008-5392 REJECTED CVE-2008-5391 REJECTED CVE-2008-5390 REJECTED CVE-2008-5389 REJECTED CVE-2008-5388 REJECTED CVE-2008-5387 (Buffer overflow in autoconf6 in IBM AIX 6.1.0 through 6.1.2, when Role ...) NOT-FOR-US: IBM AIX CVE-2008-5386 (Buffer overflow in ndp in IBM AIX 6.1.0 through 6.1.2, when the netcd ...) NOT-FOR-US: IBM AIX CVE-2008-5385 (enq in bos.rte.printers in IBM AIX 6.1.0 through 6.1.2, when a print q ...) NOT-FOR-US: IBM AIX CVE-2008-5384 (crontab in bos.rte.cron in IBM AIX 6.1.0 through 6.1.2 allows local us ...) NOT-FOR-US: IBM AIX CVE-2008-5383 (Stack-based buffer overflow in National Instruments Electronics Workbe ...) NOT-FOR-US: National Instruments Electronics Workbench CVE-2008-5382 (Cross-site request forgery (CSRF) vulnerability in I-O DATA DEVICE HDL ...) NOT-FOR-US: I-O firmware CVE-2008-5381 (Buffer overflow in the URL processing in ffdshow (aka ffdshow-tryout) ...) NOT-FOR-US: ffdshow CVE-2008-5380 (gpsdrive (aka gpsdrive-scripts) 2.09 allows local users to overwrite a ...) - gpsdrive 2.10~pre4-6.dfsg-2 (low; bug #508595) [etch] - gpsdrive (Minor issue) [lenny] - gpsdrive 2.10~pre4-6.dfsg-1+lenny1 CVE-2008-5379 (netdisco-mibs-installer 1.0 allows local users to overwrite arbitrary ...) - netdisco-mibs-installer 1.4 (low; bug #508940) [lenny] - netdisco-mibs-installer (Contrib not supported) CVE-2008-5378 (arb-kill in arb 0.0.20071207.1 allows local users to overwrite arbitra ...) - arb 0.0.20071207.1-6 (low; bug #508942) CVE-2008-5377 (pstopdf in CUPS 1.3.8 allows local users to overwrite arbitrary files ...) - cups 1.3.8-1lenny1 (low) - cupsys [etch] - cupsys (Example script) CVE-2008-5376 (editcomment in crip 3.7 allows local users to overwrite arbitrary file ...) - crip 3.7-5 (low; bug #509275) [etch] - crip 3.7-3+etch1 CVE-2008-5375 (cmus-status-display in cmus 2.2.0 allows local users to overwrite arbi ...) - cmus 2.2.0-1.1 (unimportant; bug #509277) NOTE: Just an example script CVE-2008-5374 (bash-doc 3.2 allows local users to overwrite arbitrary files via a sym ...) - bash 4.0-2 (unimportant; bug #509279) NOTE: scripts are examples CVE-2008-5373 (mtx-changer.Adic-Scalar-24 in bacula-common 2.4.2 allows local users t ...) - bacula 2.4.0-1 (unimportant; bug #509301) NOTE: script is an example CVE-2008-5372 (sdm-login in sdm-terminal 0.4.0b allows local users to overwrite arbit ...) - sdm 0.4.1-1 (unimportant; bug #509331) NOTE: Not really a bug since only "touch" is used on the temp file CVE-2008-5371 (screenie in screenie 1.30.0 allows local users to overwrite arbitrary ...) - screenie 1.30.0-5.1 (low; bug #509332) CVE-2008-5370 (pvpgn-support-installer in pvpgn 1.8.1 allows local users to overwrite ...) - pvpgn 1.8.1-2 (low; bug #509336) [etch] - pvpgn (Contrib not supported) CVE-2008-5369 (noip2 in noip2 2.1.7 allows local users to overwrite arbitrary files v ...) - no-ip 2.1.9-1 (unimportant; bug #509348) NOTE: original issue doesn't seem to be present, however there is a tmprace in the init NOTE: script if it is used to debug with strace and a missing check for mkstemp failing NOTE: but these situations are really corner cases CVE-2008-5368 (muttprint in muttprint 0.72d allows local users to overwrite arbitrary ...) - muttprint 0.72d-10 (low; bug #509487) [etch] - muttprint 0.72d-8etch1 CVE-2008-5367 (ip-up in ppp-udeb 2.4.4rel on Debian GNU/Linux allows local users to o ...) - ppp (unimportant) NOTE: insecure temp file handling in udeb is not an issue, since it is during the installation CVE-2008-5366 (The postinst script in ppp 2.4.4rel on Debian GNU/Linux allows local u ...) - ppp (unimportant; bug #509488) NOTE: Package postinst isn't vulnerable, only .tmp files in /etc CVE-2008-5365 (SQL injection vulnerability in VoteHistory.asp in ActiveWebSoftwares A ...) NOT-FOR-US: ActiveWebSoftwares CVE-2008-5364 (Stack-based buffer overflow in the getPlus ActiveX control in gp.ocx 1 ...) NOT-FOR-US: getPlus CVE-2008-5363 (The ActionScript 2 virtual machine in Adobe Flash Player 10.x before 1 ...) NOT-FOR-US: Adobe Flash Player CVE-2008-5362 (The DefineConstantPool action in the ActionScript 2 virtual machine in ...) NOT-FOR-US: Adobe Flash Player CVE-2008-5361 (The ActionScript 2 virtual machine in Adobe Flash Player 10.x before 1 ...) NOT-FOR-US: Adobe Flash Player CVE-2008-5617 (The ACL handling in rsyslog 3.12.1 to 3.20.0, 4.1.0, and 4.1.1 does no ...) - rsyslog 3.18.6-1 (bug #508027) CVE-2008-5624 (PHP 5 before 5.2.7 does not properly initialize the page_uid and page_ ...) {DSA-1789-1 DTSA-188-1} - php5 5.2.6.dfsg.1-1 (medium; bug #508021) - php4 (medium; bug #559787) CVE-2008-5660 (Format string vulnerability in the vinagre_utils_show_error function ( ...) - vinagre 0.5.1-2 CVE-2008-5360 (Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and ear ...) - sun-java5 1.5.0-17-0.1 (low; bug #508194) [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-12-1 (low; bug #508195) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b11-9.1 (bug #510972) CVE-2008-5359 (Buffer overflow in Java Runtime Environment (JRE) for Sun JDK and JRE ...) - sun-java5 1.5.0-17-0.1 (bug #508194) [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-12-1 (bug #508195) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b11-9.1 (bug #510972) CVE-2008-5358 (Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and ear ...) - sun-java5 1.5.0-17-0.1 (bug #508194) [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-12-1 (bug #508195) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b11-9.1 (bug #510972) CVE-2008-5357 (Integer overflow in Java Runtime Environment (JRE) for Sun JDK and JRE ...) - sun-java5 1.5.0-17-0.1 (bug #508194) [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-12-1 (bug #508195) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 (uses system's freetype library) CVE-2008-5356 (Heap-based buffer overflow in Java Runtime Environment (JRE) for Sun J ...) - sun-java5 1.5.0-17-0.1 (bug #508194) [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-12-1 (bug #508195) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 (uses system's freetype library) CVE-2008-5355 (The "Java Update" feature for Java Runtime Environment (JRE) for Sun J ...) - sun-java5 (Java update not used in Debian) - sun-java6 (Java update not used in Debian) - openjdk-6 (Java update not used in Debian) CVE-2008-5354 (Stack-based buffer overflow in Java Runtime Environment (JRE) for Sun ...) - sun-java5 1.5.0-17-0.1 (bug #508194) [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-12-1 (bug #508195) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b11-9.1 (bug #510972) CVE-2008-5353 (The Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and ...) - sun-java5 1.5.0-17-0.1 (bug #508194) [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-12-1 (bug #508195) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b11-9.1 (bug #510972) CVE-2008-5352 (Integer overflow in the JAR unpacking utility (unpack200) in the unpac ...) - sun-java5 1.5.0-17-0.1 (bug #508194) [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-12-1 (bug #508195) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b11-9.1 (bug #510972) CVE-2008-5351 (Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and ear ...) - sun-java5 1.5.0-17-0.1 (bug #508194) [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-12-1 (bug #508195) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b11-9.1 (bug #510972) CVE-2008-5350 (Unspecified vulnerability in Java Runtime Environment (JRE) for Sun JD ...) - sun-java5 1.5.0-17-0.1 (bug #508194) [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-12-1 (bug #508195) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b11-9.1 (bug #510972) CVE-2008-5349 (Unspecified vulnerability in Java Runtime Environment (JRE) for Sun JD ...) - sun-java5 1.5.0-17-0.1 (bug #508194) [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-12-1 (bug #508195) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b11-9.1 (bug #510972) CVE-2008-5348 (Unspecified vulnerability in Java Runtime Environment (JRE) for Sun JD ...) - sun-java5 1.5.0-17-0.1 (bug #508194) [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-12-1 (bug #508195) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b11-9.1 (bug #510972) CVE-2008-5347 (Multiple unspecified vulnerabilities in Java Runtime Environment (JRE) ...) - sun-java5 1.5.0-17-0.1 (bug #508194) [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-12-1 (bug #508195) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b11-9.1 (bug #510972) CVE-2008-5346 (Unspecified vulnerability in Java Runtime Environment (JRE) for Sun JD ...) - sun-java5 1.5.0-17-0.1 (bug #508194) [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 CVE-2008-5345 (Unspecified vulnerability in Java Runtime Environment (JRE) with Sun J ...) - sun-java5 1.5.0-17-0.1 (bug #508194) [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-12-1 (bug #508195) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 (bug in plugin code) NOTE: For OpenJDK, see: http://mail.openjdk.java.net/pipermail/core-libs-dev/2009-June/001784.html CVE-2008-5344 (Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in wit ...) - sun-java5 1.5.0-17-0.1 (bug #508194) [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-12-1 (bug #508195) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 (browser plugin is different code base) CVE-2008-5343 (Java Web Start (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 ...) - sun-java5 1.5.0-17-0.1 (bug #508194) [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-12-1 (bug #508195) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 (browser plugin is different code base) CVE-2008-5342 (Unspecified vulnerability in the BasicService for Java Web Start (JWS) ...) - sun-java5 1.5.0-17-0.1 (bug #508194) [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-12-1 (bug #508195) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 (browser plugin is different code base) CVE-2008-5341 (Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in wit ...) - sun-java5 1.5.0-17-0.1 (bug #508194) [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-12-1 (bug #508195) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 (browser plugin is different code base) CVE-2008-5340 (Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in wit ...) - sun-java5 1.5.0-17-0.1 (bug #508194) [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-12-1 (bug #508195) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 (browser plugin is different code base) CVE-2008-5339 (Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in wit ...) - sun-java5 1.5.0-17-0.1 (bug #508194) [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-12-1 (bug #508195) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 (browser plugin is different code base) CVE-2008-5338 (Cross-site scripting (XSS) vulnerability in info.php in Bandwebsite (a ...) NOT-FOR-US: Bandwebsite CVE-2008-5337 (SQL injection vulnerability in lyrics.php in Bandwebsite (aka Bandsite ...) NOT-FOR-US: Bandwebsite CVE-2008-5336 (SQL injection vulnerability in index.php in WebStudio CMS allows remot ...) NOT-FOR-US: WebStudio CMS CVE-2008-5335 (SQL injection vulnerability in messages.php in PHP-Fusion 6.01.15 and ...) NOT-FOR-US: PHP-Fusion CVE-2008-5334 (PHP remote file inclusion vulnerability in includes/common.php in Nitr ...) NOT-FOR-US: NitroTech CVE-2008-5333 (SQL injection vulnerability in members.php in NitroTech 0.0.3a allows ...) NOT-FOR-US: NitroTech CVE-2008-5332 (Multiple PHP remote file inclusion vulnerabilities in Pie 0.5.3 allow ...) NOT-FOR-US: Pie Web M{a,e}sher CVE-2008-5331 (Adobe Acrobat 9 uses more efficient encryption than previous versions, ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2008-5330 (Multiple cross-site scripting (XSS) vulnerabilities in the web interfa ...) NOT-FOR-US: ClearCase RWP IBM CVE-2008-5329 (ClearQuest Web in IBM Rational ClearQuest MultiSite before 7.1 allows ...) NOT-FOR-US: IBM CVE-2008-5328 (The ClearQuest Maintenance Tool in IBM Rational ClearQuest before 7 st ...) NOT-FOR-US: IBM CVE-2008-5327 (The ClearQuest Maintenance Tool in IBM Rational ClearQuest 7 before 7. ...) NOT-FOR-US: IBM CVE-2008-5326 (The ClearQuest Maintenance Tool in IBM Rational ClearQuest 7.0.0 befor ...) NOT-FOR-US: IBM CVE-2008-5325 (Multiple cross-site scripting (XSS) vulnerabilities in CQ Web in IBM R ...) NOT-FOR-US: IBM CVE-2008-5324 (Multiple cross-site scripting (XSS) vulnerabilities in CQ Web in IBM R ...) NOT-FOR-US: IBM CVE-2007-6719 (SQL injection vulnerability in Wiz-Ad 1.3 allows remote attackers to e ...) NOT-FOR-US: Wiz-Ad CVE-2008-5658 (Directory traversal vulnerability in the ZipArchive::extractTo functio ...) {DSA-1789-1 DTSA-188-1} - php5 5.2.6.dfsg.1-3 (bug #507857) - php4 CVE-2008-5323 (Cross-site scripting (XSS) vulnerability in index.php in Wysi Wiki Wyg ...) NOT-FOR-US: Wysi Wiki Wyg CVE-2008-5322 (Wysi Wiki Wyg 1.0 allows remote attackers to obtain system information ...) NOT-FOR-US: Wysi Wiki Wyg CVE-2008-5321 (SQL injection vulnerability in index.php in GesGaleri, a module for XO ...) NOT-FOR-US: XOOPS module CVE-2008-5320 (SQL injection vulnerability in usersettings.php in e107 0.7.13 and ear ...) NOT-FOR-US: e107 CVE-2008-5319 (Unspecified vulnerability in Tikiwiki before 2.2 has unknown impact an ...) - tikiwiki CVE-2008-5318 (Unspecified vulnerability in Tikiwiki before 2.2 has unknown impact an ...) - tikiwiki CVE-2008-5317 (Integer signedness error in the cmsAllocGamma function in src/cmsgamma ...) {DSA-1684-1} - lcms 1.17-1 - openjdk-6 6b16-1 (medium; bug #542210) CVE-2008-5316 (Buffer overflow in the ReadEmbeddedTextTag function in src/cmsio1.c in ...) {DSA-1684-1} - lcms 1.16-1 CVE-2008-5315 (Directory traversal vulnerability in the web interface in Apple iPhone ...) NOT-FOR-US: Apple iPhone Configuration Web Utility CVE-2008-XXXX [Insecure tmpdir creation] [lenny] - devscripts 2.10.35lenny1 (low) - devscripts 2.10.42 (low; bug #507482) [etch] - devscripts 2.9.26etch2 CVE-2008-XXXX [Insecure tempfile creation] - devscripts 2.10.42 (low; bug #508111) [etch] - devscripts (vulnerable code not present) [lenny] - devscripts 2.10.35lenny1 (low) CVE-2008-5314 (Stack consumption vulnerability in libclamav/special.c in ClamAV befor ...) {DSA-1680-1} - clamav 0.94.dfsg.2-1 (medium; bug #507624) CVE-2008-5311 (SQL injection vulnerability in image.php in NetArt Media Blog System 1 ...) NOT-FOR-US: NetArt Media Blog System CVE-2008-5310 (SQL injection vulnerability in image.php in NetArt Media Car Portal 2. ...) NOT-FOR-US: NetArt Media Car Portal CVE-2008-5309 (SQL injection vulnerability in NetArt Media Real Estate Portal 1.2 all ...) NOT-FOR-US: NetArt Media Real Estate Portal CVE-2008-5308 (The Simple Forum 3.1d module for LoveCMS 1.6.2 Final does not properly ...) NOT-FOR-US: LoveCMS CVE-2008-5307 (SQL injection vulnerability in admin/index.php in PG Roommate Finder S ...) NOT-FOR-US: PG Roommate Finder Solution CVE-2008-5306 (SQL injection vulnerability in admin/index.php in PG Real Estate Solut ...) NOT-FOR-US: PG Real Estate Solution CVE-2008-5305 (Eval injection vulnerability in TWiki before 4.2.4 allows remote attac ...) - twiki (medium; bug #508257) CVE-2008-5304 (Cross-site scripting (XSS) vulnerability in TWiki before 4.2.4 allows ...) - twiki (low; bug #508256) CVE-2008-5303 (Race condition in the rmtree function in File::Path 1.08 (lib/File/Pat ...) {DSA-1678-1} - perl 5.10.0-18 CVE-2008-5302 (Race condition in the rmtree function in File::Path 1.08 and 2.07 (lib ...) {DSA-1678-1} - perl 5.10.0-18 CVE-2008-5301 (Directory traversal vulnerability in the ManageSieve implementation in ...) - dovecot 1:1.0.15-2.3 (bug #506031) CVE-2008-5300 (Linux kernel 2.6.28 allows local users to cause a denial of service (" ...) {DSA-1687-1 DSA-1681-1} - linux-2.6 2.6.26-12 - linux-2.6.24 2.6.24-6~etchnhalf.7 CVE-2008-5296 (Gallery 1.5.x before 1.5.10 and 1.6 before 1.6-RC3, when register_glob ...) - gallery 1.5.9-1.2 (low; bug #506824) [etch] - gallery (vulnerable code introduced in 1.5.8-svn-b34) CVE-2008-5295 (SQL injection vulnerability in index.php in Jamit Job Board 3.4.10 all ...) NOT-FOR-US: Jamit Job Board CVE-2008-5294 (SQL injection vulnerability in index.php in WebStudio eCatalogue allow ...) NOT-FOR-US: WebStudio eCatalogue CVE-2008-5293 (SQL injection vulnerability in index.php in WebStudio eHotel allows re ...) NOT-FOR-US: WebStudio eHotel CVE-2008-5292 (SQL injection vulnerability in view_snaps.php in VideoGirls BiZ allows ...) NOT-FOR-US: VideoGirls CVE-2008-5291 (Directory traversal vulnerability in code/track.php in FuzzyLime 3.03 ...) NOT-FOR-US: FuzzyLime CVE-2008-5290 (Cross-site scripting (XSS) vulnerability in full_txt.php in Werner Hil ...) NOT-FOR-US: Werner Hilversum Clean CMS CVE-2008-5289 (SQL injection vulnerability in full_txt.php in Werner Hilversum Clean ...) NOT-FOR-US: Werner Hilversum Clean CMS CVE-2008-5288 (PHP remote file inclusion vulnerability in include/header.php in Werne ...) NOT-FOR-US: Werner Hilversum Clean CMS CVE-2008-5287 (SQL injection vulnerability in catagorie.php in Werner Hilversum FAQ M ...) NOT-FOR-US: Werner Hilversum Clean CMS CVE-2008-5284 (The web server in IEA Software RadiusNT and RadiusX 5.1.38 and other v ...) NOT-FOR-US: IEA Software RadiusNT and RadiusX CVE-2008-5283 (Google Hack Honeypot (GHH) File Upload Manager 1.3 allows remote attac ...) NOT-FOR-US: File Upload Manager CVE-2008-5282 (Multiple stack-based buffer overflows in W3C Amaya Web Browser 10.0.1 ...) NOTE: neither in Etch nor Lenny, removal has been proposed - amaya (bug #507587) CVE-2008-5281 (Heap-based buffer overflow in Titan FTP Server 6.05 build 550 allows r ...) NOT-FOR-US: Titan FTP Server CVE-2008-5280 (The Local ZIM Server in Zilab Chat and Instant Messaging (ZIM) Server ...) NOT-FOR-US: Zilab Chat and Instant Messaging CVE-2008-5279 (The Local ZIM Server (zcs.exe) in Zilab Chat and Instant Messaging (ZI ...) NOT-FOR-US: Zilab Chat and Instant Messaging CVE-2008-5277 (PowerDNS before 2.9.21.2 allows remote attackers to cause a denial of ...) - pdns 2.9.21.2-1 (low) [etch] - pdns (old version of HINFO parser) CVE-2008-5275 (Multiple directory traversal vulnerabilities in the (a) "Unzip archive ...) NOT-FOR-US: net2ftp CVE-2008-5274 (Todd Woolums ASP News Management 2.2 allows remote attackers to obtain ...) NOT-FOR-US: Todd Woolums ASP News Management CVE-2008-5273 (SQL injection vulnerability in viewnews.asp in Todd Woolums ASP News M ...) NOT-FOR-US: Todd Woolums ASP News Management CVE-2008-5272 (Multiple directory traversal vulnerabilities in Fred Stuurman SyndeoCM ...) NOT-FOR-US: SyndeoCMS CVE-2008-5271 (Cross-site scripting (XSS) vulnerability in index.php in Fred Stuurman ...) NOT-FOR-US: SyndeoCMS CVE-2008-5270 (SQL injection vulnerability in view.topics.php in Yuhhu Superstar 2008 ...) NOT-FOR-US: Yuhhu Superstar CVE-2008-5269 (SQL injection vulnerability in index.php in pSys 0.7.0 alpha allows re ...) NOT-FOR-US: pSys CVE-2008-5268 (SQL injection vulnerability in content/forums/reply.asp in ASPPortal a ...) NOT-FOR-US: ASPPortal CVE-2008-5267 (SQL injection vulnerability in answer.php in Experts 1.0.0, when magic ...) NOT-FOR-US: Experts CVE-2008-5266 (Cross-site scripting (XSS) vulnerability in configuration/httpListener ...) NOT-FOR-US: Sun Java System Application Server CVE-2008-5265 (Directory traversal vulnerability in index.php in TNT Forum 0.9.4, whe ...) NOT-FOR-US: TNT Forum CVE-2008-5264 (Cross-site scripting (XSS) vulnerability in searcher.exe in Tornado Kn ...) NOT-FOR-US: Tornado Knowledge Retrieval System CVE-2008-5263 (Multiple stack-based buffer overflows in the mt_codec::getHdrHead func ...) NOT-FOR-US: ksquirrel CVE-2008-5262 (Multiple stack-based buffer overflows in the iGetHdrHeader function in ...) {DSA-1717-1 DTSA-184-1} - devil 1.7.5-4 (low; bug #511844; bug #512122) NOTE: fix for 1.7.5-3 incomplete, see #512122 CVE-2008-5261 RESERVED CVE-2008-5260 (Heap-based buffer overflow in the CamImage.CamImage.1 ActiveX control ...) NOT-FOR-US: ActiveX CVE-2008-5259 (Integer signedness error in DivX Web Player 1.4.2.7, and possibly earl ...) NOT-FOR-US: DivX Web Player CVE-2008-5258 RESERVED CVE-2008-5257 (webseald in WebSEAL 6.0.0.17 in IBM Tivoli Access Manager for e-busine ...) NOT-FOR-US: WebSEAL CVE-2008-5255 RESERVED CVE-2008-5254 RESERVED CVE-2008-5253 RESERVED CVE-2008-5252 (Cross-site request forgery (CSRF) vulnerability in the Special:Import ...) {DSA-1901-1 DTSA-186-1} - mediawiki 1:1.13.3-1 (bug #508870) - mediawiki1.7 [etch] - mediawiki (metapackage) CVE-2008-5251 RESERVED CVE-2008-5250 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.6.11, 1 ...) {DSA-1901-1 DTSA-186-1} - mediawiki 1:1.13.3-1 (bug #508869) - mediawiki1.7 [etch] - mediawiki (metapackage) CVE-2008-5249 (Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.0 through 1 ...) {DSA-1901-1 DTSA-186-1} - mediawiki 1:1.13.3-1 (bug #508868) - mediawiki1.7 [etch] - mediawiki (metapackage) CVE-2008-5276 (Integer overflow in the ReadRealIndex function in real.c in the Real d ...) - vlc 0.9.8a-1 (low) [etch] - vlc (vulnerable code not present) [lenny] - vlc (vulnerable code not present) CVE-2008-7068 (The dba_replace function in PHP 5.2.6 and 4.x allows context-dependent ...) {DTSA-188-1} - php5 5.2.6.dfsg.1-3 (bug #507101) [lenny] - php5 5.2.6.dfsg.1-1+lenny2 - php4 NOTE: if a user has write access to a file he simply can use fopen() CVE-2008-5278 (Cross-site scripting (XSS) vulnerability in the self_link function in ...) - wordpress 2.5.1-11 (low; bug #507193) [etch] - wordpress (Vulnerable code not present) NOTE: introduced in 2.5 CVE-2008-5286 (Integer overflow in the _cupsImageReadPNG function in CUPS 1.1.17 thro ...) {DSA-1677-1} - cups 1.3.8-1lenny4 (bug #507183; medium) CVE-2008-XXXX [geda-gnetlist: sch2eaglepos.sh has insecure temp file handling ] - geda-gnetlist 1:1.4.0-3 (bug #506625; unimportant) NOTE: sch2eaglepos.sh only used as example script CVE-2008-5248 (xine-lib before 1.1.15 allows remote attackers to cause a denial of se ...) - xine-lib 1.1.14-3 - vlc (affected part of xine-lib code copy not present) CVE-2008-5247 (The real_parse_audio_specific_data function in demux_real.c in xine-li ...) - xine-lib (unimportant; bug #508715) NOTE: a devide by 0 because of a crafted media file is hardly a security issue, NOTE: the integer overflows covered by the ocert advisory in the same code snippet NOTE: got an own identifier CVE-2008-5246 (Multiple heap-based buffer overflows in xine-lib before 1.1.15 allow r ...) - xine-lib 1.1.14-3 (low; bug #507184; bug #498243) - vlc (affected part of xine-lib code copy not present) CVE-2008-5245 (xine-lib before 1.1.15 performs V4L video frame preallocation before a ...) - xine-lib 1.1.14-3 (low) [etch] - xine-lib (The version from Etch doesn't yet perform pre-allocation) CVE-2008-5244 (Unspecified vulnerability in xine-lib before 1.1.15 has unknown impact ...) - xine-lib 1.1.14-3 (unimportant) - faad2 2.6.1-1 (unimportant) - mplayer 1.0~rc2-20 (unimportant; bug #407010) NOTE: overlaps with CVE-2008-4610, same aac issue NOTE: just a crasher, no security implications known so far CVE-2008-5243 (The real_parse_headers function in demux_real.c in xine-lib 1.1.12, an ...) - xine-lib 1.1.16-1 (bug #508716) [lenny] - xine-lib 1.1.14-4 [squeeze] - xine-lib 1.1.14-4 NOTE: these are just invalid reads that result in segfaults, denial of service doesnt NOTE: apply here as xine reading a file is no service -> application bug CVE-2008-5242 (demux_qt.c in xine-lib 1.1.12, and other 1.1.15 and earlier versions, ...) - xine-lib 1.1.16-1 (medium; bug #507165; bug #498243) [lenny] - xine-lib 1.1.14-4 [squeeze] - xine-lib 1.1.14-4 CVE-2008-5241 (Integer underflow in demux_qt.c in xine-lib 1.1.12, and other 1.1.15 a ...) - xine-lib 1.1.16-1 (low; bug #509008) [lenny] - xine-lib 1.1.14-4 [squeeze] - xine-lib 1.1.14-4 CVE-2008-5240 (xine-lib 1.1.12, and other 1.1.15 and earlier versions, relies on an u ...) - xine-lib 1.1.16-2 (low; bug #509352) [lenny] - xine-lib 1.1.14-5 [squeeze] - xine-lib 1.1.14-5 CVE-2008-5239 (xine-lib 1.1.12, and other 1.1.15 and earlier versions, does not prope ...) - xine-lib 1.1.16-2 (medium; bug #509353) [lenny] - xine-lib 1.1.14-5 [squeeze] - xine-lib 1.1.14-5 CVE-2008-5238 (Integer overflow in the real_parse_mdpr function in demux_real.c in xi ...) - xine-lib 1.1.14-3 (low) NOTE: code execution shouldn't work here as if 0xff will be extended to 0xffffffff NOTE: memcpy fails for copying from the complete addressable address space long before any code is executed NOTE: the malloc check for type_specific_data is missing, minor issue filed as #508065 CVE-2008-5237 (Multiple integer overflows in xine-lib 1.1.12, and other 1.1.15 and ea ...) - xine-lib 1.1.16-1 (bug #509265; low) [lenny] - xine-lib 1.1.14-4 [squeeze] - xine-lib 1.1.14-4 CVE-2008-5236 (Multiple heap-based buffer overflows in xine-lib 1.1.12, and other 1.1 ...) - xine-lib 1.1.16-1 (bug #509521) [lenny] - xine-lib 1.1.14-4 [squeeze] - xine-lib 1.1.14-4 CVE-2008-5235 (Heap-based buffer overflow in the demux_real_send_chunk function in sr ...) - xine-lib 1.1.14-3 - vlc (affected part of xine-lib code copy not present) CVE-2008-5234 (Multiple heap-based buffer overflows in xine-lib 1.1.12, and other ver ...) - xine-lib 1.1.16-1 (medium; bug #508313; bug #498243) [lenny] - xine-lib 1.1.14-4 [squeeze] - xine-lib 1.1.14-4 CVE-2008-5233 (xine-lib 1.1.12, and other versions before 1.1.15, does not check for ...) - xine-lib 1.1.14-3 (low) - vlc (affected part of xine-lib code copy not present) CVE-2008-5232 (Buffer overflow in the CallHTMLHelp method in the Microsoft Windows Me ...) NOT-FOR-US: Microsoft Windows Media Services CVE-2008-5231 (Stack-based buffer overflow in the ExecuteRequest method in the Novell ...) NOT-FOR-US: Novell iPrint CVE-2008-5230 (The Temporal Key Integrity Protocol (TKIP) implementation in unspecifi ...) NOT-FOR-US: WPA weakness CVE-2008-5229 (Stack-based buffer overflow in Microsoft Device IO Control in iphlpapi ...) NOT-FOR-US: Microsoft Device IO Control CVE-2008-5228 (Cross-site scripting (XSS) vulnerability in IBM Workplace Content Mana ...) NOT-FOR-US: IBM Workplace Content Management CVE-2008-5227 (Unspecified vulnerability in PHPCow allows remote attackers to execute ...) NOT-FOR-US: PHPCow CVE-2008-5226 (SQL injection vulnerability in the MambAds (com_mambads) component 1.0 ...) NOT-FOR-US: com_mambads component for Mambo CVE-2008-5225 (Multiple cross-site scripting (XSS) vulnerabilities in Xerox DocuShare ...) NOT-FOR-US: Xerox DocuShare CVE-2008-5224 (Cross-site scripting (XSS) vulnerability in Kent Web Mart 1.61 and ear ...) NOT-FOR-US: Kent Web Mart CVE-2008-5223 (SQL injection vulnerability in index.php in Airvae Commerce 3.0 allows ...) NOT-FOR-US: Airvae Commerce CVE-2008-5222 (SQL injection vulnerability in login.asp in Dvbbs 8.2.0 allows remote ...) NOT-FOR-US: Dvbbs CVE-2008-5221 (The account_save action in admin/userinfo.php in wPortfolio 0.3 and ea ...) NOT-FOR-US: wPortfolio CVE-2008-5220 (Unrestricted file upload vulnerability in admin/upload_form.php in wPo ...) NOT-FOR-US: wPortfolio CVE-2008-5219 (The password change feature (admin/cp.php) in VideoScript 4.0.1.50 and ...) NOT-FOR-US: VideoScript CVE-2008-5218 (ScriptsEz FREEze Greetings 1.0 stores pwd.txt under the web root with ...) NOT-FOR-US: ScriptsEz FREEze Greetings CVE-2008-5217 (Directory traversal vulnerability in index.php in txtCMS 0.3, when reg ...) NOT-FOR-US: textCMS CVE-2008-5216 (SQL injection vulnerability in category_list.php in AJ Square ZeusCart ...) NOT-FOR-US: AJ Square ZeusCart CVE-2008-5215 (SQL injection vulnerability in service/profil.php in ClanLite 2.2006.0 ...) NOT-FOR-US: ClanLite CVE-2008-5214 (Cross-site scripting (XSS) vulnerability in service/calendrier.php in ...) NOT-FOR-US: ClanLite CVE-2008-5213 (SQL injection vulnerability in featured_article.php in AJ Article 1.0 ...) NOT-FOR-US: AJ Article CVE-2008-5212 (SQL injection vulnerability in classifide_ad.php in AJ Auction 6.2.1 a ...) NOT-FOR-US: AJ Auction CVE-2008-5211 (Cross-site scripting (XSS) vulnerability in search.php in Sphider 1.3. ...) NOT-FOR-US: Sphider CVE-2008-5210 (Multiple PHP remote file inclusion vulnerabilities in PhpBlock A8.5 al ...) NOT-FOR-US: PhpBlock CVE-2008-5209 (Directory traversal vulnerability in modules/download/get_file.php in ...) NOT-FOR-US: Admidio CVE-2008-5208 (SQL injection vulnerability in sub_votepic.php in the Datsogallery (co ...) NOT-FOR-US: Datsogallery joomla module CVE-2008-5207 (Multiple directory traversal vulnerabilities in Jonascms 1.2 allow rem ...) NOT-FOR-US: Jonascms CVE-2008-5206 (PHP remote file inclusion vulnerability in modules/mod_mainmenu.php in ...) NOT-FOR-US: MosXML CVE-2008-5205 (Cross-site scripting (XSS) vulnerability in edit.php in wellyblog allo ...) NOT-FOR-US: wellyblog CVE-2008-5204 (Multiple directory traversal vulnerabilities in PowerAward 1.1.0 RC1, ...) NOT-FOR-US: PowerAward CVE-2008-5203 (Cross-site scripting (XSS) vulnerability in external_vote.php in Power ...) NOT-FOR-US: PowerAward CVE-2008-5202 (Cross-site scripting (XSS) vulnerability in index.php in OTManager CMS ...) NOT-FOR-US: OTManager CMS CVE-2008-5201 (Directory traversal vulnerability in index.php in OTManager CMS 24a al ...) NOT-FOR-US: OTManager CMS CVE-2008-5200 (SQL injection vulnerability in the Xe webtv (com_xewebtv) component fo ...) NOT-FOR-US: Xe webtv CVE-2008-5199 (PHP remote file inclusion vulnerability in include.php in PHPOutsourci ...) NOT-FOR-US: PHPOutsourcing IdeaBox CVE-2008-5198 (SQL injection vulnerability in memberlist.php in Acmlmboard 1.A2 allow ...) NOT-FOR-US: Acmlmboard CVE-2008-5197 (SQL injection vulnerability in classifieds.php in PHP-Fusion allows re ...) NOT-FOR-US: PHP-Fusion CVE-2008-5196 (SQL injection vulnerability in kroax.php in the Kroax (the_kroax) 4.42 ...) NOT-FOR-US: Kroax CVE-2008-5195 (Multiple SQL injection vulnerabilities in SebracCMS (sbcms) 0.4 allow ...) NOT-FOR-US: SebracCMS CVE-2008-5194 (SQL injection vulnerability in checkavail.php in SoftVisions Software ...) NOT-FOR-US: SoftVisions Software Online Booking Manager CVE-2008-5193 (Cross-site scripting (XSS) vulnerability in search.asp in W1L3D4 Philb ...) NOT-FOR-US: W1L3D4 Philboard CVE-2008-5192 (SQL injection vulnerability in forum.asp in W1L3D4 Philboard 1.14 and ...) NOT-FOR-US: W1L3D4 Philboard CVE-2008-5191 (Multiple SQL injection vulnerabilities in SePortal 2.4 allow remote at ...) NOT-FOR-US: SePortal CVE-2008-5190 (SQL injection vulnerability in index.php in eSHOP100 allows remote att ...) NOT-FOR-US: eSHOP100 CVE-2008-5285 (Wireshark 1.0.4 and earlier allows remote attackers to cause a denial ...) [lenny] - wireshark 1.0.2-3+lenny3 - wireshark 1.0.5-1 (low; bug #506741) CVE-2008-5394 (/bin/login in shadow 4.0.18.1 in Debian GNU/Linux, and probably other ...) {DSA-1709-1} - shadow 1:4.1.1-6 (bug #505271) CVE-2008-5706 (The cTrigger::DoIt function in src/ctrigger.cpp in the trigger mechani ...) - verlihub (low; bug #506530) CVE-2008-5705 (The cTrigger::DoIt function in src/ctrigger.cpp in the trigger mechani ...) - verlihub (low; bug #506530) CVE-2008-5189 (CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remo ...) - rails 2.1.0-6 (low) CVE-2008-5188 (The (1) ecryptfs-setup-private, (2) ecryptfs-setup-confidential, and ( ...) - ecryptfs-utils 66-1 (low) [lenny] - ecryptfs-utils (Minor issue) CVE-2008-5184 (The web interface (cgi-bin/admin.c) in CUPS before 1.3.8 uses the gues ...) - cups 1.3.8-1 [etch] - cupsys (cupsys doesn't crash, code base changed, guest username not submitted) CVE-2008-5182 (The inotify functionality in Linux kernel 2.6 before 2.6.28-rc5 might ...) {DSA-1687-1 DSA-1681-1} - linux-2.6 2.6.26-12 - linux-2.6.24 2.6.24-6~etchnhalf.7 CVE-2008-5181 (Microsoft Communicator allows remote attackers to cause a denial of se ...) NOT-FOR-US: Microsoft Communicator CVE-2008-5180 (Microsoft Communicator, and Communicator in Microsoft Office 2010 beta ...) NOT-FOR-US: Microsoft Communicator CVE-2008-5179 (Unspecified vulnerability in Microsoft Office Communications Server (O ...) NOT-FOR-US: Microsoft Office Communications Server CVE-2008-5178 (Heap-based buffer overflow in Opera 9.62 on Windows allows remote atta ...) NOT-FOR-US: Opera on Windows CVE-2008-5177 (Stack-based buffer overflow in the DtbClsLogin function in Yosemite Ba ...) NOT-FOR-US: Yosemite Backup CVE-2008-5176 (Multiple buffer overflows in Client Software WinCom LPD Total 3.0.2.62 ...) NOT-FOR-US: WinCom LPD CVE-2008-5187 (The load function in the XPM loader for imlib2 1.4.2, and possibly oth ...) {DSA-1672-1} - imlib2 1.4.0-1.2 (bug #505714) CVE-2008-5625 (PHP 5 before 5.2.7 does not enforce the error_log safe_mode restrictio ...) - php5 (unimportant) NOTE: http://securityreason.com/achievement_securityalert/57 CVE-2008-5312 (mailscanner 4.55.10 and other versions before 4.74.16-1 might allow lo ...) - mailscanner 4.74.16-1 (bug #506353) [etch] - mailscanner (Minor issue) NOTE: there is no difference apart from the versions to CVE-2008-5313 CVE-2008-5313 (mailscanner 4.68.8 and other versions before 4.74.16-1 might allow loc ...) - mailscanner 4.74.16-1 (bug #506353) [etch] - mailscanner (Minor issue) NOTE: there is no difference apart from the versions to CVE-2008-5312 CVE-2008-5175 (Directory traversal vulnerability in the FTP client in AceFTP Freeware ...) NOT-FOR-US: AceFTP CVE-2008-5174 (SQL injection vulnerability in joke.php in Jokes Complete Website 2.1. ...) NOT-FOR-US: Jokes Complete Website CVE-2008-5173 (Unspecified vulnerability in testMaker before 3.0p16 allows remote aut ...) NOT-FOR-US: testMaker CVE-2008-5172 (Multiple cross-site scripting (XSS) vulnerabilities in Yazd Forum Soft ...) NOT-FOR-US: Yazd Forum Software CVE-2008-5171 (Multiple directory traversal vulnerabilities in admin/minibb/index.php ...) NOT-FOR-US: phpBLASTER CMS CVE-2008-5170 (SQL injection vulnerability in item.php in Cheats Complete Website 1.1 ...) NOT-FOR-US: Cheats Complete Website CVE-2008-5169 (SQL injection vulnerability in drinks/drink.php in Drinks Complete Web ...) NOT-FOR-US: Drinks Complete Website CVE-2008-5168 (SQL injection vulnerability in tip.php in Tips Complete Website 1.2.0 ...) NOT-FOR-US: Tips Complete Website CVE-2008-5167 (PHP remote file inclusion vulnerability in layout/default/params.php i ...) NOT-FOR-US: Orca Interactive Forum Script CVE-2008-5166 (SQL injection vulnerability in riddle.php in Riddles Website 1.2.1 all ...) NOT-FOR-US: Riddles Website CVE-2008-5165 (Multiple SQL injection vulnerabilities in eTicket 1.5.7 allow remote a ...) NOT-FOR-US: eTicket CVE-2008-5164 (Multiple cross-site scripting (XSS) vulnerabilities in The Rat CMS Pre ...) NOT-FOR-US: The Rat CMS CVE-2008-5163 (Multiple SQL injection vulnerabilities in The Rat CMS Pre-Alpha 2 allo ...) NOT-FOR-US: The Rat CMS CVE-2008-5162 (The arc4random function in the kernel in FreeBSD 6.3 through 7.1 does ...) - kfreebsd-6 [lenny] - kfreebsd-6 (KFreebsd not supported) - kfreebsd-7 7.1-1 [lenny] - kfreebsd-7 7.0-7lenny1 CVE-2008-5161 (Error handling in the SSH protocol in (1) SSH Tectia Client and Server ...) - openssh 1:5.1p1-5 (low; bug #506115) [etch] - openssh (Minor issue, see http://www.openssh.org/txt/cbc.adv) CVE-2008-5185 (The highlighting functionality in geshi.php in GeSHi before 1.0.8 allo ...) {DTSA-179-1} - geshi 1.0.8.1-1 (medium) CVE-2008-5160 (Unspecified vulnerability in MyServer 0.8.11 allows remote attackers t ...) - msp-webserver (bug #506268) CVE-2008-5159 (Integer overflow in the remote administration protocol processing in C ...) NOT-FOR-US: WinCom LPD CVE-2008-5158 (Client Software WinCom LPD Total 3.0.2.623 and earlier allows remote a ...) NOT-FOR-US: WinCom LPD CVE-2008-5157 (tau 2.16.4 allows local users to overwrite arbitrary files via a symli ...) - tau 2.16.4-1.3 (bug #506348) [etch] - tau (Minor issue) CVE-2008-5156 (si_mkbootserver in systemimager-server 3.6.3 allows local users to ove ...) - systemimager (bug #506269) [etch] - systemimager (Minor issue) CVE-2008-5155 (mail2sms.sh in smsclient 2.0.8z allows local users to overwrite arbitr ...) - smsclient (unimportant; bug #498901) CVE-2008-5154 (bluetooth.rc in p3nfs 5.19 allows local users to overwrite arbitrary f ...) - p3nfs 5.19-1.2 (low; bug #506270) [etch] - p3nfs (Minor issue) CVE-2008-5153 (spell-check-logic.cgi in Moodle 1.8.2 allows local users to overwrite ...) {DSA-1724-1} - moodle 1.8.2.2dfsg-4 [lenny] - moodle 1.8.2.dfsg-3+lenny1 NOTE: manual editing of file is required to run the unsafe code CVE-2008-5152 (inmail-show in mh-book 200605 allows local users to overwrite arbitrar ...) - mh-book (unimportant) NOTE: unsafe code is in example script CVE-2008-5151 (test_parser.py in mayavi 1.5 allows local users to overwrite arbitrary ...) - mayavi (unimportant) NOTE: just a comment, not code CVE-2008-5150 (sample.sh in maildirsync 1.1 allows local users to append data to arbi ...) - maildirsync (unimportant) NOTE: unsafe code is in example script CVE-2008-5149 (fwd_check.sh in libncbi6 6.1.20080302 allows local users to overwrite ...) - ncbi-tools6 6.1.20080302-4 (unimportant) NOTE: unsafe code is in example script CVE-2008-5148 (sch2eaglepos.sh in geda-gnetlist 1.4.0 allows local users to overwrite ...) - geda-gnetlist (unimportant) NOTE: unsafe code is an example script CVE-2008-5147 (test-pipe-to-pyodconverter.org.sh in docvert 2.4 allows local users to ...) - docvert 3.4-7 (unimportant) NOTE: unsafe code is in test script with multiple hardcoded files CVE-2008-5146 (add-accession-numbers in ctn 3.0.6 allows local users to overwrite arb ...) - ctn (unimportant) NOTE: unsafe code is in example script CVE-2008-5145 (ltpmenu in ltp 20060918 allows local users to overwrite arbitrary file ...) - ltp 20060918-3 (low; bug #506272) [etch] - ltp (Minor issue) NOTE: this is not the same as CVE-2008-4969 CVE-2008-5144 (nvidia-cg-toolkit-installer in nvidia-cg-toolkit 2.0.0015 allows local ...) - nvidia-cg-toolkit (unimportant) NOTE: -installer can be run from postinst but unsafe code is only executed when a special option is used when manually running the installer CVE-2008-5143 (mgt-helper in multi-gnome-terminal 1.6.2 allows local users to overwri ...) [etch] - multi-gnome-terminal (Symlink issue not run as root) - multi-gnome-terminal CVE-2008-5142 (sendbug in freebsd-sendpr 3.113+5.3 on Debian GNU/Linux allows local u ...) - freebsd-sendpr (unimportant) NOTE: code is only executed when the script to send bug reports fails CVE-2008-5141 (flamethrower in flamethrower 0.1.8 allows local users to overwrite arb ...) {DSA-1676-1} - flamethrower 0.1.8-2 (low; bug #506350) CVE-2008-5140 (trend-autoupdate.new in mailscanner 4.55.10 and other versions before ...) - mailscanner 4.57.6-1 (unimportant) NOTE: script should only be used when the private Trend Micro antivirus is installed CVE-2008-5139 (updatejail in jailer 0.4 allows local users to overwrite arbitrary fil ...) {DSA-1674-1} - jailer 0.4-10 (bug #410548; low) CVE-2008-5138 (passwdehd in libpam-mount 0.43 allows local users to overwrite arbitra ...) - libpam-mount 1.2+gitaa4791f-1 (low) [lenny] - libpam-mount 0.44-1+lenny2 CVE-2008-5137 (tkman in tkman 2.2 allows local users to overwrite arbitrary files via ...) - tkman 2.2-4 (low; bug #506496) [etch] - tkman 2.2-2etch1 CVE-2008-5136 (tkusr in tkusr 0.82 allows local users to overwrite arbitrary files vi ...) [etch] - tkusr (Minor issue) - tkusr (low) CVE-2008-5135 - os-prober (unimportant) CVE-2008-5134 (Buffer overflow in the lbs_process_bss function in drivers/net/wireles ...) {DSA-1681-1} [etch] - linux-2.6 (Vulnerable code not present) - linux-2.6 2.6.26-11 - linux-2.6.24 2.6.24-6~etchnhalf.7 CVE-2008-5133 (ipnat in IP Filter in Sun Solaris 10 and OpenSolaris before snv_96, wh ...) NOT-FOR-US: ipnat CVE-2008-5183 (cupsd in CUPS 1.3.9 and earlier allows local users, and possibly remot ...) {DSA-2176-1} - cups 1.3.9-13 (low; bug #506180) [lenny] - cups (Minor issue) [etch] - cupsys (RSS subscription code not yet present) CVE-2008-5297 (Buffer overflow in No-IP DUC 2.1.7 and earlier allows remote HTTP serv ...) {DSA-1686-1} - no-ip 2.1.7-11 (bug #506179) CVE-2008-5132 (SQL injection vulnerability in inc/ajax/ajax_rating.php in MemHT Porta ...) NOT-FOR-US: MemHT Portal CVE-2008-5131 (Multiple SQL injection vulnerabilities in Develop It Easy News And Art ...) NOT-FOR-US: Develop It Easy News And Article System CVE-2008-5130 (Ocean12 Calendar Manager Gold 2.04 stores sensitive information under ...) NOT-FOR-US: Ocean12 software CVE-2008-5129 (Ocean12 Poll Manager Pro 1.00 stores sensitive information under the w ...) NOT-FOR-US: Ocean12 software CVE-2008-5128 (Ocean12 Membership Manager Pro stores sensitive information under the ...) NOT-FOR-US: Ocean12 software CVE-2008-5127 (Ocean12 Contact Manager Pro 1.02 stores sensitive information under th ...) NOT-FOR-US: Ocean12 software CVE-2008-5126 (Cross-site scripting (XSS) vulnerability in search.php in BoutikOne CM ...) NOT-FOR-US: BoutikOne CVE-2008-5125 (admin.php in CCleague Pro 1.2 allows remote attackers to bypass authen ...) NOT-FOR-US: CCleague Pro CVE-2008-5124 (JSCAPE Secure FTP Applet 4.8.0 and earlier does not ask the user to ve ...) NOT-FOR-US: JSCAPE Secure FTP Applet CVE-2008-5123 (SQL injection vulnerability in admin.php in CCleague Pro 1.2 allows re ...) NOT-FOR-US: CCleague Pro CVE-2008-5122 (SQL injection vulnerability in WorkArea/ContentRatingGraph.aspx in Ekt ...) NOT-FOR-US: Ektron CMS400.NET CVE-2008-5121 (dne2000.sys in Citrix Deterministic Network Enhancer (DNE) 2.21.7.233 ...) NOT-FOR-US: Citrix Deterministic Network Enhancer CVE-2008-5120 (Stack-based buffer overflow in the Process Software MultiNet finger se ...) NOT-FOR-US: MultiNet finger service CVE-2008-5119 (Cross-site scripting (XSS) vulnerability in search.php in Scripts4Prof ...) NOT-FOR-US: Scripts4Profit DXShopCart CVE-2008-5118 (Sun Java System Identity Manager 6.0 through 6.0 SP4, 7.0, and 7.1 all ...) NOT-FOR-US: Sun Java System Identity Manager CVE-2008-5117 (Open redirect vulnerability in Sun Java System Identity Manager 6.0 th ...) NOT-FOR-US: Sun Java System Identity Manager CVE-2008-5116 (Directory traversal vulnerability in idm/includes/helpServer.jsp in Su ...) NOT-FOR-US: Sun Java System Identity Manager CVE-2008-5115 (Cross-site request forgery (CSRF) vulnerability in Sun Java System Ide ...) NOT-FOR-US: Sun Java System Identity Manager CVE-2008-5114 (Multiple cross-site scripting (XSS) vulnerabilities in Sun Java System ...) NOT-FOR-US: Sun Java System Identity Manager CVE-2008-5112 (The LDAP server in Active Directory in Microsoft Windows 2000 SP4 and ...) NOT-FOR-US: Microsoft CVE-2008-5111 (Unspecified vulnerability in the socket function in Sun Solaris 10 and ...) NOT-FOR-US: Solaris CVE-2008-5109 (The default configuration of Adobe Flash Media Server (FMS) 3.0 does n ...) NOT-FOR-US: Adobe Flash Media Server CVE-2008-5108 (Unspecified vulnerability in Adobe AIR 1.1 and earlier allows context- ...) NOT-FOR-US: Adobe AIR CVE-2008-5107 (The installation process for Citrix Presentation Server 4.5 and Deskto ...) NOT-FOR-US: Citrix PS CVE-2008-5106 (Buffer overflow in KarjaSoft Sami FTP Server 2.0.x allows remote attac ...) NOT-FOR-US: KarjaSoft Sami FTP Server CVE-2008-5105 (KarjaSoft Sami FTP Server 2.0.x allows remote attackers to cause a den ...) NOT-FOR-US: KarjaSoft Sami FTP Server CVE-2008-5104 (Ubuntu 6.06 LTS, 7.10, 8.04 LTS, and 8.10, when installed as a virtual ...) NOT-FOR-US: VMBuilder CVE-2008-5103 (The (1) python-vm-builder and (2) ubuntu-vm-builder implementations in ...) NOT-FOR-US: VMBuilder CVE-2008-5102 (PythonScripts in Zope 2 2.11.2 and earlier, as used in Conga and other ...) - zope2.10 (unimportant) NOTE: this only affects installations in which users have unrestricted access to the management NOTE: interface. On Debian there one admin user is added for this at installation time and NOTE: non-trustworthy users shouldn't have access to the interface. - zope3 (Vulnerable code not present) CVE-2008-5100 (The strong name (SN) implementation in Microsoft .NET Framework 2.0.50 ...) NOT-FOR-US: Microsoft .NET Framework CVE-2008-5099 (Sun Logical Domain Manager (aka LDoms Manager or ldm) 1.0 through 1.0. ...) NOT-FOR-US: Sun Logical Domain Manager CVE-2008-5098 (Cross-site scripting (XSS) vulnerability in Sun Java System Messaging ...) NOT-FOR-US: Sun Java System Messaging Serve CVE-2008-5110 (syslog-ng does not call chdir when it calls chroot, which might allow ...) - syslog-ng 2.0.9-4.1 (unimportant; bug #505791) NOTE: no security flaw by itself, still it should be fixed CVE-2008-5097 (SQL injection vulnerability in index.php in MyFWB 1.0 allows remote at ...) NOT-FOR-US: MyFWB CVE-2008-5096 (Unspecified vulnerability in the TYPO3 File List (file_list) extension ...) NOT-FOR-US: TYPO3 third party extension "file_list" CVE-2008-5095 (Cross-site scripting (XSS) vulnerability in the Novell User Applicatio ...) NOT-FOR-US: Novell User Application CVE-2008-5094 (Heap-based buffer overflow in the NDS Service in Novell eDirectory bef ...) NOT-FOR-US: eDirectory CVE-2008-5093 (Cross-site scripting (XSS) vulnerability in the HTTP Protocol Stack (H ...) NOT-FOR-US: eDirectory CVE-2008-5092 (Heap-based buffer overflows in Novell eDirectory HTTP protocol stack ( ...) NOT-FOR-US: eDirectory CVE-2008-5091 (Buffer overflow in the LDAP Service in Novell eDirectory 8.7.3 before ...) NOT-FOR-US: eDirectory CVE-2008-5090 (Electron Inc. Advanced Electron Forum before 1.0.7 allows remote attac ...) NOT-FOR-US: Advanced Electron Forum CVE-2008-5089 (Multiple insecure method vulnerabilities in the DDActiveReportsViewer2 ...) NOT-FOR-US: Data Dynamics ActiveReports ActiveX control CVE-2008-5088 (Multiple SQL injection vulnerabilities in PHPKB Knowledge Base Softwar ...) NOT-FOR-US: PHPKB CVE-2008-5087 (SQL injection vulnerability in TYPO3 Another Backend Login (wrg_anothe ...) NOT-FOR-US: wrg_anotherbelogin extension for typo3 CVE-2008-5086 (Multiple methods in libvirt 0.3.2 through 0.5.1 do not check if a conn ...) - libvirt 0.4.6-10 CVE-2008-5085 RESERVED CVE-2008-5084 RESERVED CVE-2008-5083 (In JON 2.1.x before 2.1.2 SP1, users can obtain unauthorized security ...) NOT-FOR-US: Red Hat JBoss Operations Network CVE-2008-5082 (The verifyProof function in the Token Processing System (TPS) componen ...) NOT-FOR-US: Red Hat Certificate System CVE-2008-5081 (The originates_from_local_legacy_unicast_socket function (avahi-core/s ...) {DSA-1690-1 DTSA-189-1} - avahi 0.6.23-3 (bug #508700; low) CVE-2008-5080 (awstats.pl in AWStats 6.8 and earlier does not properly remove quote c ...) {DSA-1679-1} - awstats 6.7.dfsg-5.1 (bug #495432; low) CVE-2008-5079 (net/atm/svc.c in the ATM subsystem in the Linux kernel 2.6.27.8 and ea ...) {DSA-1787-1 DSA-1687-1} - linux-2.6 2.6.26-12 - linux-2.6.24 NOTE: http://marc.info/?l=linux-netdev&m=122841256115780&w=2 CVE-2008-5078 (Multiple buffer overflows in the (1) recognize_eps_file function (src/ ...) {DSA-1670-1} - enscript 1.6.4-13 (bug #506261) CVE-2008-5077 (OpenSSL 0.9.8i and earlier does not properly check the return value fr ...) {DSA-1701-1} - openssl 0.9.8g-15 CVE-2008-5075 (Multiple SQL injection vulnerabilities in E-Uploader Pro 1.0 (aka Uplo ...) NOT-FOR-US: E-Uploader Pro CVE-2008-5074 (SQL injection vulnerability in index.php in the Freshlinks 1.0 RC1 mod ...) NOT-FOR-US: Freshlinks module for PHP-Fusion CVE-2008-5073 (Heap-based buffer overflow in an ActiveX control in Novell ZENworks De ...) NOT-FOR-US: Novell ZENworks ActiveX control CVE-2008-5072 (vsfilter.dll in K-Lite Mega Codec Pack 3.5.7.0 allows remote attackers ...) NOT-FOR-US: K-Lite Mega Codec Pack CVE-2008-5071 (Multiple eval injection vulnerabilities in itpm_estimate.php in Yoxel ...) NOT-FOR-US: Yoxel CVE-2008-5070 (SQL injection vulnerability in Pro Chat Rooms 3.0.3, when magic_quotes ...) NOT-FOR-US: Pro Chat Rooms CVE-2008-5069 (SQL injection vulnerability in go.php in Panuwat PromoteWeb MySQL, whe ...) NOT-FOR-US: Panuwat PromoteWeb MySQL CVE-2008-5068 (Multiple cross-site scripting (XSS) vulnerabilities in Kmita Gallery a ...) NOT-FOR-US: Kmita Gallery CVE-2008-5067 (Cross-site scripting (XSS) vulnerability in search.php in Kmita Catalo ...) NOT-FOR-US: Kmita Catalogue CVE-2008-5066 (PHP remote file inclusion vulnerability in upload/admin/frontpage_righ ...) NOT-FOR-US: Agares Media ThemeSiteScript CVE-2008-5065 (TlGuestBook 1.2 allows remote attackers to bypass authentication and g ...) NOT-FOR-US: TlGuestBook CVE-2008-5064 (SQL injection vulnerability in liga.php in H&H WebSoccer 2.80 allo ...) NOT-FOR-US: H&H WebSoccer CVE-2008-5063 (PHP remote file inclusion vulnerability in Admin/ADM_Pagina.php in OTM ...) NOT-FOR-US: OTManager CVE-2008-5062 (Directory traversal vulnerability in php/cal_pdf.php in Mini Web Calen ...) NOT-FOR-US: Mini Web Calendar CVE-2008-5061 (Cross-site scripting (XSS) vulnerability in php/cal_default.php in Min ...) NOT-FOR-US: Mini Web Calendar CVE-2008-5060 (Multiple PHP remote file inclusion vulnerabilities in ModernBill 4.4 a ...) NOT-FOR-US: ModernBill CVE-2008-5059 (Cross-site scripting (XSS) vulnerability in index.php in ModernBill 4. ...) NOT-FOR-US: ModernBill CVE-2008-5058 (SQL injection vulnerability in siteadmin/loginsucess.php in Pre Simple ...) NOT-FOR-US: Pre Simple CMS CVE-2008-5057 (SQL injection vulnerability in film.asp in Yigit Aybuga Dizi Portali a ...) NOT-FOR-US: Yigit Aybuga Dizi Portali CVE-2008-5056 (Cross-site scripting (XSS) vulnerability in department_offline_context ...) NOT-FOR-US: ActiveCampaign TrioLive CVE-2008-5055 (SQL injection vulnerability in department_offline_context.php in Activ ...) NOT-FOR-US: ActiveCampaign TrioLive CVE-2008-5054 (Multiple SQL injection vulnerabilities in Develop It Easy Membership S ...) NOT-FOR-US: Develop It Easy Membership System CVE-2008-5053 (PHP remote file inclusion vulnerability in admin.rssreader.php in the ...) NOT-FOR-US: com_rssreader component for Joomla! CVE-2008-5052 (The AppendAttributeValue function in the JavaScript engine in Mozilla ...) {DSA-1697-1 DSA-1696-1 DSA-1671-1 DSA-1669-1} - iceweasel 3.0.4-1 - xulrunner 1.9.0.4-1 - icedove 2.0.0.19-1 - iceape 1.1.13-1 CVE-2008-5051 (SQL injection vulnerability in the JooBlog (com_jb2) component 0.1.1 f ...) NOT-FOR-US: joomla CVE-2008-5049 (Buffer overflow in AKEProtect.sys 3.3.3.0 in ISecSoft Anti-Keylogger E ...) NOT-FOR-US: ISecSoft Anti-Keylogger CVE-2008-5048 (Buffer overflow in Atepmon.sys in ISecSoft Anti-Trojan Elite 4.2.1 and ...) NOT-FOR-US: ISecSoft Anti-Trojan CVE-2008-5047 (SQL injection vulnerability in admin/index.php in Mole Group Rental Sc ...) NOT-FOR-US: Mole Group Rental Script CVE-2008-5046 (SQL injection vulnerability in index.php in Mole Group Pizza Script al ...) NOT-FOR-US: Mole Group Pizza Script CVE-2008-5045 (Heap-based buffer overflow in Network-Client FTP Now 2.6, and possibly ...) NOT-FOR-US: Network-Client FTP Now CVE-2008-5044 (Race condition in Microsoft Windows Server 2003 and Vista allows local ...) NOT-FOR-US: Microsoft Windows CVE-2008-5043 (Multiple cross-site scripting (XSS) vulnerabilities in the web-based i ...) NOT-FOR-US: IBM Metrica Service Assurance Framework CVE-2008-5042 (Zeeways PhotoVideoTube 1.1 and earlier allows remote attackers to bypa ...) NOT-FOR-US: Zeeways PhotoVideoTube CVE-2008-5041 (Sweex RO002 Router with firmware Ts03-072 has "rdc123" as its default ...) NOT-FOR-US: Sweex RO002 Router CVE-2008-5040 (Graphiks MyForum 1.3 allows remote attackers to bypass authentication ...) NOT-FOR-US: Graphiks MyForum CVE-2008-5039 (Cross-site scripting (XSS) vulnerability in the League module for PHP- ...) NOT-FOR-US: PHP-Nuke CVE-2008-5038 (Use-after-free vulnerability in the NetWare Core Protocol (NCP) featur ...) NOT-FOR-US: Novell eDirectory CVE-2008-5037 (SQL injection vulnerability in view.php in ElkaGroup Image Gallery 1.0 ...) NOT-FOR-US: ElkaGroup Image Gallery CVE-2008-XXXX [typo3: passwords are not changeable bug in the backend] - typo3-src 4.2.3-1 (bug #505326) [etch] - typo3-src (TYPO3 versions below 4.2.x are not affected) CVE-2008-5919 (Directory traversal vulnerability in rss.php in WebSVN 2.0 and earlier ...) - websvn 2.0-4 (bug #503330) [etch] - websvn (vulnerable code not present) CVE-2008-5918 (Cross-site scripting (XSS) vulnerability in the getParameterisedSelfUr ...) - websvn 2.0-4 (bug #503330) [etch] - websvn (vulnerable code not present) CVE-2008-5033 (The chip_command function in drivers/media/video/tvaudio.c in the Linu ...) - linux-2.6 2.6.26-11 - linux-2.6.24 (Vulnerable code not present; different ioctls3B) [etch] - linux-2.6 (Vulnerable code not present; different ioctls) CVE-2008-5031 (Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, all ...) - python2.5 2.5.2-11.1 [etch] - python2.5 (Minor issue) [etch] - python2.4 (Minor issue) - python2.4 2.4.5-6 (low; bug #507317; bug #504620) NOTE: definitely fixed in 2.5.2-11.1 for lenny/unstable (svn-updates.dpatch) NOTE: maybe fixed earlier, doko is not able to tell the exact version atm CVE-2008-5030 (Heap-based buffer overflow in the cddb_read_disc_data function in cddb ...) {DSA-1665-1} - libcdaudio 0.99.12p2-7 (bug #505478) CVE-2008-5024 (Mozilla Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunder ...) {DSA-1697-1 DSA-1696-1 DSA-1671-1 DSA-1669-1} - iceweasel 3.0.4-1 - xulrunner 1.9.0.4-1 - icedove 2.0.0.19-1 - iceape 1.1.13-1 CVE-2008-5023 (Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, and SeaMonkey 1 ...) {DSA-1671-1 DSA-1669-1} - iceweasel 3.0.4-1 - xulrunner 1.9.0.4-1 - iceape 1.1.13-1 [etch] - iceape (Etch Packages no longer covered by security support) CVE-2008-5022 (The nsXMLHttpRequest::NotifyEventListeners method in Firefox 3.x befor ...) {DSA-1697-1 DSA-1696-1 DSA-1671-1 DSA-1669-1} - xulrunner 1.9.0.4-1 - iceweasel 3.0.4-1 - icedove 2.0.0.19-1 - iceape 1.1.13-1 CVE-2008-5021 (nsFrameManager in Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.1 ...) {DSA-1697-1 DSA-1696-1 DSA-1671-1 DSA-1669-1} - iceweasel 3.0.4-1 - xulrunner 1.9.0.4-1 - icedove 2.0.0.19-1 - iceape 1.1.13-1 CVE-2008-5020 REJECTED CVE-2008-5019 (The session restore feature in Mozilla Firefox 3.x before 3.0.4 and 2. ...) {DSA-1671-1} - iceweasel 3.0.4-1 - xulrunner 1.9.0.4-1 [etch] - xulrunner (Etch Packages no longer covered by security support) NOTE: patch for xulrunner currently not suitable, Alexander will check this further CVE-2008-5018 (The JavaScript engine in Mozilla Firefox 3.x before 3.0.4, Firefox 2.x ...) {DSA-1697-1 DSA-1696-1 DSA-1671-1 DSA-1669-1} - iceweasel 3.0.4-1 - xulrunner 1.9.0.4-1 - icedove 2.0.0.19-1 - iceape 1.1.13-1 CVE-2008-5017 (Integer overflow in xpcom/io/nsEscape.cpp in the browser engine in Moz ...) {DSA-1697-1 DSA-1696-1 DSA-1671-1 DSA-1669-1} - iceweasel 3.0.4-1 - xulrunner 1.9.0.4-1 - icedove 2.0.0.19-1 - iceape 1.1.13-1 CVE-2008-5016 (The layout engine in Mozilla Firefox 3.x before 3.0.4, Thunderbird 2.x ...) - iceweasel 3.0.4-1 - xulrunner 1.9.0.4-1 - icedove 2.0.0.19-1 - iceape 1.1.13-1 [etch] - iceweasel (Doesn't affect Firefox 2.x et al) [etch] - xulrunner (Doesn't affect Firefox 2.x et al) [etch] - iceape (Doesn't affect Firefox 2.x et al) [etch] - icedove (Doesn't affect Firefox 2.x et al) CVE-2008-5015 (Mozilla Firefox 3.x before 3.0.4 assigns chrome privileges to a file: ...) - iceweasel 3.0.4-1 - xulrunner 1.9.0.4-1 [etch] - iceweasel (Doesn't affect Firefox 2.x) [etch] - xulrunner (Doesn't affect Firefox 2.x) CVE-2008-5014 (jslock.cpp in Mozilla Firefox 3.x before 3.0.2, Firefox 2.x before 2.0 ...) {DSA-1697-1 DSA-1696-1 DSA-1671-1 DSA-1669-1} - iceweasel 3.0.4-1 - xulrunner 1.9.0.4-1 - icedove 2.0.0.19-1 - iceape 1.1.13-1 CVE-2008-5013 (Mozilla Firefox 2.x before 2.0.0.18 and SeaMonkey 1.x before 1.1.13 do ...) {DSA-1697-1 DSA-1671-1 DSA-1669-1} - iceape 1.1.13-1 - iceweasel 3.0.1-1 - xulrunner 1.9.0.1-1 CVE-2008-5012 (Mozilla Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, ...) {DSA-1697-1 DSA-1696-1 DSA-1671-1 DSA-1669-1} - iceape 1.1.13-1 - iceweasel 3.0.1-1 - xulrunner 1.9.0.1-1 - icedove 2.0.0.19-1 CVE-2008-5010 (in.dhcpd in the DHCP implementation in Sun Solaris 8 through 10, and O ...) NOT-FOR-US: in.dhcpd CVE-2008-5101 (Buffer overflow in the BMP reader in OptiPNG 0.6 and 0.6.1 allows user ...) - optipng 0.6.1.1-1 (bug #505399) [etch] - optipng (Vulnerable code not present referring to upstream) CVE-2008-5035 (The Resource Monitoring and Control (RMC) daemon in IBM Hardware Manag ...) NOT-FOR-US: IBM Hardware Management Console CVE-2008-5026 (Microsoft SharePoint uses URLs with the same hostname and port number ...) NOT-FOR-US: Microsoft CVE-2008-5011 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Lotus Quick ...) NOT-FOR-US: IBM Lotus Quickr CVE-2008-5009 (Race condition in the s_xout kernel module in Sun Solstice X.25 9.2, w ...) NOT-FOR-US: Sun Solstice X.25 CVE-2008-5025 (Stack-based buffer overflow in the hfs_cat_find_brec function in fs/hf ...) {DSA-1687-1 DSA-1681-1} - linux-2.6 2.6.26-11 - linux-2.6.24 2.6.24-6~etchnhalf.7 CVE-2008-5029 (The __scm_destroy function in net/core/scm.c in the Linux kernel 2.6.2 ...) {DSA-1687-1 DSA-1681-1} - linux-2.6 2.6.26-11 - linux-2.6.24 2.6.24-6~etchnhalf.7 CVE-2008-5008 (Buffer overflow in src/src_sinc.c in Secret Rabbit Code (aka SRC or li ...) - libsamplerate 0.1.4-1 (low) [etch] - libsamplerate (Minor issue) CVE-2008-5006 (smtp.c in the c-client library in University of Washington IMAP Toolki ...) {DSA-1685-1 DTSA-174-1 DTSA-174-2} - uw-imap 7:2007d~dfsg-1 CVE-2008-5005 (Multiple stack-based buffer overflows in (1) University of Washington ...) {DSA-1685-1 DTSA-174-1 DTSA-174-2} [lenny] - uw-imap 2007b~dfsg-4+lenny1 - uw-imap 7:2007d~dfsg-1 - alpine (vulnerable code present but tmail/dmail wont be installed) CVE-2008-5004 (SQL injection vulnerability in genscode.php in myWebland Bloggie Lite ...) NOT-FOR-US: myWebland Bloggie Lite CVE-2008-5003 (SQL injection vulnerability in ndetail.php in Shahrood allows remote a ...) NOT-FOR-US: Shahrood CVE-2008-5002 (Insecure method vulnerability in the ChilkatCrypt2.ChilkatCrypt2.1 Act ...) NOT-FOR-US: ActiveX CVE-2008-5001 (Multiple stack-based buffer overflows in multiple functions in vncview ...) NOT-FOR-US: UltraVNC CVE-2008-5000 (SQL injection vulnerability in admin/includes/news.inc.php in PHPX 3.5 ...) NOT-FOR-US: PHPX CVE-2008-4999 (Nortel Networks UNIStim IP Phone 0604DAS allows remote attackers to ca ...) NOT-FOR-US: Nortel Networks UNIStim IP Phone CVE-2008-4997 - pilot-qof (unimportant; bug #496429) CVE-2008-4996 - initramfs-tools (unimportant; bug #496386) CVE-2008-4992 (The SPARC hypervisor in Sun System Firmware 6.6.3 through 6.6.5 and 7. ...) NOT-FOR-US: Sun System Firmware CVE-2008-5050 (Off-by-one error in the get_unicode_name function (libclamav/vba_extra ...) {DSA-1680-1} - clamav 0.94.dfsg.1-1 (bug #505134) CVE-2008-4991 (SQL injection vulnerability in LOCKON CO.,LTD. EC-CUBE 2.3.0 and earli ...) NOT-FOR-US: LOCKON CO.,LTD. EC-CUBE CVE-2008-XXXX [yzis insecure temp file] - yzis 1.0~alpha1-2 (bug #504680) CVE-2008-5113 (WordPress 2.6.3 relies on the REQUEST superglobal array in certain dan ...) {DSA-1871-2 DSA-1871-1} - wordpress 2.5.1-10 (bug #504771) CVE-2008-4990 (Enomaly Elastic Computing Platform (ECP), formerly Enomalism, before 2 ...) NOT-FOR-US: Enomalism CVE-2008-4989 (The _gnutls_x509_verify_certificate function in lib/x509/verify.c in l ...) {DSA-1719-1} - gnutls26 2.4.2-3 (bug #505360) - gnutls13 CVE-2008-4963 (Unspecified vulnerability in the VLAN Trunking Protocol (VTP) implemen ...) NOT-FOR-US: Cisco IOS and CatOS CVE-2008-4962 RESERVED CVE-2008-4961 RESERVED CVE-2008-4953 - firehol (unimportant; bug #496424) NOTE: attack unfeasible because of $$-${RANDOM}-${RANDOM} CVE-2008-4950 (** DISPUTED ** gccross in dpkg-cross 2.3.0 allows local users to overw ...) - dpkg-cross (unimportant; bug #496413) NOTE: executed under a chroot when a package failed to cross-build CVE-2008-4938 (aegis 4.24 and aegis-web 4.24 allow local users to overwrite arbitrary ...) - aegis 4.24-3.1 (low; bug #496400) [etch] - aegis (Minor issue) CVE-2008-4934 (The hfsplus_block_allocate function in fs/hfsplus/bitmap.c in the Linu ...) {DSA-1687-1 DSA-1681-1} - linux-2.6 2.6.26-11 - linux-2.6.24 2.6.24-6~etchnhalf.7 CVE-2008-4933 (Buffer overflow in the hfsplus_find_cat function in fs/hfsplus/catalog ...) {DSA-1687-1 DSA-1681-1} - linux-2.6 2.6.26-11 - linux-2.6.24 2.6.24-6~etchnhalf.7 CVE-2008-4932 (webmail/modules/filesystem/edit.php in U-Mail Webmail server 4.91 allo ...) NOT-FOR-US: U-Mail Webmail server CVE-2008-XXXX [universalindentgui insecure usage of temp files] - universalindentgui 0.8.1-1.2 (low; bug #504726) CVE-2008-5032 (Stack-based buffer overflow in VideoLAN VLC media player 0.5.0 through ...) {DSA-1819-1 DTSA-176-1} - vlc 0.8.6.h-5 (medium; bug #504639) CVE-2008-5036 (Stack-based buffer overflow in VideoLAN VLC media player 0.9.x before ...) - vlc 1.0.3-1 (low) [etch] - vlc (Vulnerable code not present in 0.8.x) [lenny] - vlc (Vulnerable code not present in 0.8.x) CVE-2008-4931 (Cross-site scripting (XSS) vulnerability in the account module in firm ...) NOT-FOR-US: firmCHANNEL Digital Signage CVE-2008-4930 (MyBB (aka MyBulletinBoard) 1.4.2 does not properly handle an uploaded ...) NOT-FOR-US: MyBB CVE-2008-4929 (MyBB (aka MyBulletinBoard) 1.4.2 uses insufficient randomness to compo ...) NOT-FOR-US: MyBB CVE-2008-4928 (Cross-site scripting (XSS) vulnerability in the redirect function in f ...) NOT-FOR-US: MyBB CVE-2008-4927 (Microsoft Windows Media Player (WMP) 9.0 through 11 allows user-assist ...) NOT-FOR-US: Microsoft Windows Media Player CVE-2008-4926 (Multiple insecure method vulnerabilities in MW6 Technologies PDF417 Ac ...) NOT-FOR-US: MW6 Technologies PDF417 ActiveX CVE-2008-4925 (Multiple insecure method vulnerabilities in MW6 Technologies DataMatri ...) NOT-FOR-US: MW6 Technologies DataMatrix ActiveX CVE-2008-4924 (Multiple insecure method vulnerabilities in MW6 Technologies 1D Barcod ...) NOT-FOR-US: MW6 Technologies 1D Barcode ActiveX CVE-2008-4923 (Multiple insecure method vulnerabilities in MW6 Technologies Aztec Act ...) NOT-FOR-US: MW6 Technologies Aztec ActiveX CVE-2008-4922 (Buffer overflow in the DjVu ActiveX Control 3.0 for Microsoft Office ( ...) NOT-FOR-US: DjVu ActiveX CVE-2008-4921 (board/admin/reguser.php in Chipmunk CMS 1.3 allows remote attackers to ...) NOT-FOR-US: Chipmunk CMS CVE-2008-4920 REJECTED CVE-2008-4919 (Insecure method vulnerability in VISAGESOFT eXPert PDF Viewer X Active ...) NOT-FOR-US: eXPert PDF Viewer X ActiveX CVE-2008-4918 (Cross-site scripting (XSS) vulnerability in SonicWALL SonicOS Enhanced ...) NOT-FOR-US: SonicOS Enhanced CVE-2008-5027 (The Nagios process in (1) Nagios before 3.0.5 and (2) op5 Monitor befo ...) - nagios3 (unimportant) NOTE: the nagios process shouldnt have rights to execute important commands and non-trusted NOTE: users shouldn't have access to nagios anyway CVE-2008-5028 (Cross-site request forgery (CSRF) vulnerability in cmd.cgi in (1) Nagi ...) - nagios3 3.0.6-1 (low; bug #504894) [etch] - nagios2 (CSRF can only cause DoS and needs admin's browser) CVE-2008-4917 (Unspecified vulnerability in VMware Workstation 5.5.8 and earlier, and ...) NOT-FOR-US: VMware Workstation CVE-2008-4916 (Unspecified vulnerability in a guest virtual device driver in VMware W ...) NOT-FOR-US: VMWare CVE-2008-4915 (The CPU hardware emulation in VMware Workstation 6.0.5 and earlier and ...) NOT-FOR-US: VMware Workstation CVE-2008-4914 (Unspecified vulnerability in VMware ESXi 3.5 before ESXe350-200901401- ...) NOT-FOR-US: VMware CVE-2008-4913 (Directory traversal vulnerability in admin.php in LokiCMS 0.3.3 and ea ...) NOT-FOR-US: LokiCMS CVE-2008-4912 (SQL injection vulnerability in popup_img.php in the fotogalerie module ...) NOT-FOR-US: RS MAXSOFT CVE-2008-4911 (PHP remote file inclusion vulnerability in read.php in Chattaitaliano ...) NOT-FOR-US: Chattaitaliano Istant-Replay CVE-2008-4910 (The BasicService in Sun Java Web Start allows remote attackers to exec ...) NOT-FOR-US: Sun Java Web Start CVE-2008-4909 (Cross-site request forgery (CSRF) vulnerability in CompactCMS 1.1 and ...) NOT-FOR-US: CompactCMS CVE-2008-4908 (maps/Info/combine.pl in CrossFire crossfire-maps 1.11.0 allows local u ...) - crossfire-maps 1.11.0-2 (low; bug #496358; bug #504561) [etch] - crossfire-maps (Minor issue) CVE-2008-4906 (SQL injection vulnerability in lyrics_song.php in the Lyrics (lyrics_m ...) NOT-FOR-US: Lyrics (lyrics_menu) plugin for e107 CVE-2008-4905 (Typo 5.1.3 and earlier uses a hard-coded salt for calculating password ...) - typo (bug #379399) CVE-2008-4904 (SQL injection vulnerability in the "Manage pages" feature (admin/pages ...) - typo (bug #379399) CVE-2008-4903 (Cross-site scripting (XSS) vulnerability in the leave comment (feedbac ...) - typo (bug #379399) CVE-2008-4902 (SQL injection vulnerability in contact_author.php in Article Publisher ...) NOT-FOR-US: Article Publisher CVE-2008-4901 (SQL injection vulnerability in admin/admin.php in Article Publisher Pr ...) NOT-FOR-US: Article Publisher CVE-2008-4900 (SQL injection vulnerability in tr.php in YourFreeWorld Classifieds Bla ...) NOT-FOR-US: YourFreeWorld Classifieds CVE-2008-4899 (Cross-site request forgery (CSRF) vulnerability in Planetluc RateMe 1. ...) NOT-FOR-US: Planetluc RateMe CVE-2008-4898 (Cross-site scripting (XSS) vulnerability in planetluc RateMe 1.3.3 all ...) NOT-FOR-US: Planetluc RateMe CVE-2008-4897 (SQL injection vulnerability in fichiers/add_url.php in Logz podcast CM ...) NOT-FOR-US: Logz podcast CMS CVE-2008-4896 (Cross-site scripting (XSS) vulnerability in fichiers/add_url.php in Lo ...) NOT-FOR-US: Logz CMS CVE-2008-4895 (SQL injection vulnerability in tr.php in YourFreeWorld Downline Builde ...) NOT-FOR-US: YourFreeWorld Downline CVE-2008-4894 (Directory traversal vulnerability in templates/mytribiqsite/tribal-GPL ...) NOT-FOR-US: Tribiq CMS CVE-2008-4893 (Cross-site scripting (XSS) vulnerability in templates/mytribiqsite/tri ...) NOT-FOR-US: Tribiq CMS CVE-2008-4892 (Cross-site scripting (XSS) vulnerability in gallery.inc.php in Planetl ...) NOT-FOR-US: Planetluc MyGallery CVE-2008-4891 (Cross-site scripting (XSS) vulnerability in signme.inc.php in Planetlu ...) NOT-FOR-US: SignMe CVE-2008-4890 (SQL injection vulnerability in products.php in 1st News 4 Professional ...) NOT-FOR-US: 1st News 4 Professional CVE-2008-4889 (SQL injection vulnerability in index.php in deV!L'z Clanportal (DZCP) ...) NOT-FOR-US: deV!L'z Clanportal CVE-2008-4888 (Cross-site scripting (XSS) vulnerability in error.php in NetRisk 2.0 a ...) NOT-FOR-US: NetRisk 2.0 CVE-2008-4887 (SQL injection vulnerability in index.php in NetRisk 2.0 and earlier al ...) NOT-FOR-US: NetRisk 2.0 CVE-2008-4886 (SQL injection vulnerability in index.php in YourFreeWorld Shopping Car ...) NOT-FOR-US: YourFreeWorld Shopping CVE-2008-4885 (SQL injection vulnerability in tr1.php in YourFreeWorld Scrolling Text ...) NOT-FOR-US: YourFreeWorld Scrolling Text CVE-2008-4884 (SQL injection vulnerability in tr.php in YourFreeWorld Classifieds Hos ...) NOT-FOR-US: YourFreeWorld Classifieds CVE-2008-4883 (SQL injection vulnerability in tr.php in YourFreeWorld Blog Blaster Sc ...) NOT-FOR-US: YourFreeWorld Blog Blaster CVE-2008-4882 (SQL injection vulnerability in tr.php in YourFreeWorld Autoresponder H ...) NOT-FOR-US: YourFreeWorld Autoresponder CVE-2008-4881 (SQL injection vulnerability in tr.php in YourFreeWorld Reminder Servic ...) NOT-FOR-US: YourFreeWorld Reminder CVE-2008-4880 (SQL injection vulnerability in prodshow.php in Maran PHP Shop allows r ...) NOT-FOR-US: Maran PHP Shop CVE-2008-4879 (SQL injection vulnerability in prod.php in Maran PHP Shop allows remot ...) NOT-FOR-US: Maran PHP Shop CVE-2008-4907 (The message parsing feature in Dovecot 1.1.4 and 1.1.5, when using the ...) - dovecot 1:1.1.7-1 (low) [etch] - dovecot (Vulnerable code not present prior to 1.1.4) [lenny] - dovecot (Vulnerable code not present prior to 1.1.4) CVE-2008-5186 {DTSA-179-1} - geshi 1.0.8.1-1 (bug #504445) NOTE: its rather an application bug if the input to set_language_path is unfiltered user input NOTE: http://comments.gmane.org/gmane.comp.security.oss.general/1152 - dokuwiki 0.0.20080505-3.1 (unimportant; bug #504682) NOTE: DokuWiki passes a static string to $path parameter - pgfouine 1.0-1.1 (unimportant; bug #504681) NOTE: pgfouine too does not override default language files path CVE-2008-6432 REJECTED CVE-2008-4878 (Unrestricted file upload vulnerability in the "Add Image Macro" featur ...) NOT-FOR-US: WebCards CVE-2008-4877 (SQL injection vulnerability in admin.php in WebCards 1.3, when magic_q ...) NOT-FOR-US: WebCards CVE-2008-4876 (Cross-site scripting (XSS) vulnerability in the web server component i ...) NOT-FOR-US: Philips Electronics VOIP841 DECT Phone CVE-2008-4875 (Directory traversal vulnerability in the web server in Philips Electro ...) NOT-FOR-US: Philips Electronics VOIP841 DECT Phone CVE-2008-4874 (The web component in Philips Electronics VOIP841 DECT Phone with firmw ...) NOT-FOR-US: Philips Electronics VOIP841 DECT Phone CVE-2008-4873 (board.cgi in Sepal SPBOARD 4.5 allows remote attackers to execute arbi ...) NOT-FOR-US: Sepal SPBOARD CVE-2008-4872 (Cross-site scripting (XSS) vulnerability in bidhistory.php in iTechBid ...) NOT-FOR-US: iTechBids Gold CVE-2008-4871 (Cross-site scripting (XSS) vulnerability in My Little Forum 1.75 and 2 ...) NOT-FOR-US: My Little Forum CVE-2008-4870 (dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedor ...) - dovecot (unimportant) NOTE: by default this file doesnt containt sensitive information and administrator NOTE: changing this should ensure on its own that the mode is secure CVE-2008-4869 (FFmpeg 0.4.9, as used by MPlayer, allows context-dependent attackers t ...) - ffmpeg-debian 0.svn20080206-15 (unimportant; bug #504977) NOTE: A regular bug, but hardly a security issue - kino 1.0.0-1 [etch] - kino (Does not ship ffmpeg) - gstreamer0.10-ffmpeg 0.10.3-2 CVE-2008-4868 (Unspecified vulnerability in the avcodec_close function in libavcodec/ ...) - ffmpeg (Vulnerable code not present) - ffmpeg-debian (Vulnerable code not present) [etch] - ffmpeg (Vulnerable code not present) - mplayer 1.0~rc2-14 [etch] - mplayer (Vulnerable code not present) - kino 1.0.0-1 [etch] - kino (Does not ship ffmpeg) - gstreamer0.10-ffmpeg 0.10.3-2 [etch] - gstreamer0.10-ffmpeg (Vulnerable code not present) CVE-2008-4867 (Buffer overflow in libavcodec/dca.c in FFmpeg 0.4.9 before r14917, as ...) - ffmpeg 0.svn20080206-14 - ffmpeg-debian 0.svn20080206-14 (bug #504977) [etch] - ffmpeg (Vulnerable code not present) - mplayer 1.0~rc2-14 [etch] - mplayer (Vulnerable code not present) - kino 1.0.0-1 [etch] - kino (Does not ship ffmpeg) - gstreamer0.10-ffmpeg 0.10.3-2 [etch] - gstreamer0.10-ffmpeg (Vulnerable code not present) CVE-2008-4866 (Multiple buffer overflows in libavformat/utils.c in FFmpeg 0.4.9 befor ...) {DSA-1782-1} - ffmpeg 0.svn20080206-14 - ffmpeg-debian 0.svn20080206-14 (bug #504977) [etch] - ffmpeg (Vulnerable code not present) - mplayer 1.0~rc2-14 - kino 1.0.0-1 [etch] - kino (Does not ship ffmpeg) - gstreamer0.10-ffmpeg 0.10.3-2 [etch] - gstreamer0.10-ffmpeg (Vulnerable code not present) CVE-2008-4865 (Untrusted search path vulnerability in valgrind before 3.4.0 allows lo ...) - valgrind 1:3.3.1-3 (unimportant; bug #507312) NOTE: That's hardly an issue CVE-2008-4864 (Multiple integer overflows in imageop.c in the imageop module in Pytho ...) - python2.5 2.5.2-12 (low; bug #504619) [etch] - python2.5 (Minor issue) - python2.4 2.4.5-6 (low; bug #504620) [etch] - python2.4 (Minor issue) CVE-2008-4863 (Untrusted search path vulnerability in BPY_interface in Blender 2.46 a ...) - blender 2.46+dfsg-5 (bug #503632; low) [etch] - blender 2.42a-8 NOTE: minor issue fixed in etch r6 point update CVE-2008-4862 REJECTED CVE-2008-4861 REJECTED CVE-2008-4860 REJECTED CVE-2008-4859 REJECTED CVE-2008-4858 REJECTED CVE-2008-4857 REJECTED CVE-2008-4856 REJECTED CVE-2008-4855 REJECTED CVE-2008-4854 REJECTED CVE-2008-4853 REJECTED CVE-2008-4852 REJECTED CVE-2008-4851 REJECTED CVE-2008-4850 REJECTED CVE-2008-4849 REJECTED CVE-2008-4848 REJECTED CVE-2008-4847 REJECTED CVE-2008-4846 REJECTED CVE-2008-4845 REJECTED CVE-2008-4844 (Use-after-free vulnerability in the CRecordInstance::TransferToDestina ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-4843 REJECTED CVE-2008-4842 REJECTED CVE-2008-4841 (The WordPad Text Converter for Word 97 files in Microsoft Windows 2000 ...) NOT-FOR-US: Microsoft Windows CVE-2008-4840 REJECTED CVE-2008-4839 REJECTED CVE-2008-4838 REJECTED CVE-2008-4837 (Stack-based buffer overflow in Microsoft Office Word 2000 SP3, 2002 SP ...) NOT-FOR-US: Microsoft Office Word CVE-2008-4836 REJECTED CVE-2008-4835 (SMB in the Server service in Microsoft Windows 2000 SP4, XP SP2 and SP ...) NOT-FOR-US: Windows CVE-2008-4834 (Buffer overflow in SMB in the Server service in Microsoft Windows 2000 ...) NOT-FOR-US: Windows CVE-2008-4833 REJECTED CVE-2008-4832 (rc.sysinit in initscripts 8.12-8.21 and 8.56.15-0.1 on rPath allows lo ...) NOT-FOR-US: rPath CVE-2008-4831 (Unspecified vulnerability in Adobe ColdFusion 8 and 8.0.1 and ColdFusi ...) NOT-FOR-US: Adobe ColdFusion CVE-2008-4830 (Insecure method vulnerability in the KWEdit ActiveX control in SAP GUI ...) NOT-FOR-US: KWEdit ActiveX control CVE-2008-4829 (Multiple buffer overflows in lib/http.c in Streamripper 1.63.5 allow r ...) {DSA-1683-1} - streamripper 1.63.5-2 (bug #506377) CVE-2008-4828 (Multiple stack-based buffer overflows in dsmagent.exe in the Remote Ag ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2008-4827 (Multiple heap-based buffer overflows in the AddTab method in the (1) T ...) NOT-FOR-US: ComponentOne SizerOne CVE-2008-4826 REJECTED CVE-2008-4825 (Multiple buffer overflows in UltraISO 9.3.1.2633, and possibly other v ...) NOT-FOR-US: UltraISO CVE-2008-4824 (Multiple unspecified vulnerabilities in Adobe Flash Player 10.x before ...) NOT-FOR-US: Adobe Flash Player CVE-2008-4823 (Cross-site scripting (XSS) vulnerability in Adobe Flash Player 9.0.124 ...) NOT-FOR-US: Adobe Flash Player CVE-2008-4822 (Adobe Flash Player 9.0.124.0 and earlier does not properly interpret p ...) NOT-FOR-US: Adobe Flash Player CVE-2008-4821 (Adobe Flash Player 9.0.124.0 and earlier, when a Mozilla browser is us ...) NOT-FOR-US: Adobe Flash Player CVE-2008-4820 (Unspecified vulnerability in the Flash Player ActiveX control in Adobe ...) NOT-FOR-US: Adobe Flash Player CVE-2008-4819 (Unspecified vulnerability in Adobe Flash Player 9.0.124.0 and earlier ...) NOT-FOR-US: Adobe Flash Player CVE-2008-4818 (Cross-site scripting (XSS) vulnerability in Adobe Flash Player 9.0.124 ...) NOT-FOR-US: Adobe Flash Player CVE-2008-4817 (The Download Manager in Adobe Acrobat Professional and Reader 8.1.2 an ...) NOT-FOR-US: Adobe Acrobat CVE-2008-4816 (Unspecified vulnerability in the Download Manager in Adobe Reader 8.1. ...) NOT-FOR-US: Adobe Reader on Windows CVE-2008-4815 (Untrusted search path vulnerability in Adobe Reader and Acrobat 8.1.2 ...) NOT-FOR-US: Adobe Acrobat CVE-2008-4814 (Unspecified vulnerability in a JavaScript method in Adobe Reader and A ...) NOT-FOR-US: Adobe Acrobat CVE-2008-4813 (Adobe Reader and Acrobat 8.1.2 and earlier, and before 7.1.1, allow re ...) NOT-FOR-US: Adobe Acrobat CVE-2008-4812 (Array index error in Adobe Reader and Acrobat, and the Explorer extens ...) NOT-FOR-US: Adobe Reader Explorer extension CVE-2008-4811 (The _expand_quoted_text function in libs/Smarty_Compiler.class.php in ...) {DSA-1691-1} - smarty 2.6.26-0.1 (bug #504328) [lenny] - smarty (Minor issue, fix will change behaviour) [etch] - smarty (Minor issue, fix will change behaviour) - moodle 1.8.2-2 (bug #504345) - gallery2 2.2.5-2 NOTE: This attack vector is *not* fixed in r2797 CVE-2008-4810 (The _expand_quoted_text function in libs/Smarty_Compiler.class.php in ...) {DSA-1919-1 DSA-1691-1} - smarty 2.6.26-0.1 (bug #504328) - moodle 1.8.2-2 (bug #504345) - gallery2 2.2.5-2 NOTE: This attack vector is fixed in r2797 CVE-2008-4809 (Multiple unspecified vulnerabilities in the Profiles search pages in I ...) NOT-FOR-US: IBM Lotus Connections CVE-2008-4808 (IBM Lotus Connections 2.x before 2.0.1 allows attackers to discover pa ...) NOT-FOR-US: IBM Lotus Connections CVE-2008-4807 (IBM Lotus Connections 2.x before 2.0.1 stores the password for the adm ...) NOT-FOR-US: IBM Lotus Connections CVE-2008-4806 (Multiple SQL injection vulnerabilities in IBM Lotus Connections 2.x be ...) NOT-FOR-US: IBM Lotus Connections CVE-2008-4805 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Lotus Conne ...) NOT-FOR-US: IBM Lotus Connections CVE-2008-4804 (SQL injection vulnerability in the Gallery module 1.3 for PHP-Nuke all ...) NOT-FOR-US: NFU Gallery module 1.3 for PHP-Nuke CVE-2008-4803 (Cross-site scripting (XSS) vulnerability in index.php in Simple PHP Sc ...) NOT-FOR-US: Simple PHP Scripts gallery CVE-2008-4802 (Cross-site scripting (XSS) vulnerability in complete.php in Simple PHP ...) NOT-FOR-US: Simple PHP Scripts blog CVE-2008-5076 (htop 0.7 writes process names to a terminal without sanitizing non-pri ...) - htop 0.8.1-2 (unimportant; bug #504144) NOTE: That scenario is too constructed to call it a security issue, especially NOTE: given that the standard top will display the maliciously hidden processes NOTE: just fine. CVE-2008-5256 (The AcquireDaemonLock function in ipcdUnix.cpp in Sun Innotek VirtualB ...) - virtualbox-ose 1.6.6-dfsg-3 (low; bug #504149) CVE-2008-4801 (Heap-based buffer overflow in the Data Protection for SQL CAD service ...) NOT-FOR-US: SQL CAD service CVE-2008-4800 (The DebugDiag ActiveX control in CrashHangExt.dll, possibly 1.0, in Mi ...) NOT-FOR-US: ActiveX control CVE-2008-4799 (pamperspective in Netpbm before 10.35.48 does not properly calculate a ...) - netpbm-free (Vulnerable code not present) CVE-2008-4798 (The loadModule function in lib/WebGUI/Asset.pm in WebGUI before 7.5.30 ...) NOT-FOR-US: WebGUI CVE-2008-4797 (Directory traversal vulnerability in Arihiro Kurata Kantan WEB Server ...) NOT-FOR-US: Arihiro Kurata Kantan WEB Server CVE-2008-4796 (The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 a ...) {DSA-1871-2 DSA-1871-1 DSA-1691-1} - libphp-snoopy 1.2.4-1 (bug #504168; medium) - ampache 3.4.1-2 (bug #504169) - mahara 1.0.5-2 (bug #504170) [lenny] - mahara 1.0.4-3 - pixelpost 1.7.1-5 (bug #504171) - mediamate 0.9.3.6-5 (bug #504172; unimportant) NOTE: mediamate does not use snoopy in https requests - opendb (unimportant; bug #504173) - wordpress 2.5.1-9 (bug #504234) - moodle 1.8.2-2 (bug #504235) - gforge-plugin-scmcvs [etch] - gforge-plugin-scmcvs (Snoopy function not used on URLs that come from user input) - magpierss (Fixed in all supported distributions) CVE-2008-4795 (The links panel in Opera before 9.62 processes Javascript within the c ...) NOT-FOR-US: Opera CVE-2008-4794 (Opera before 9.62 allows remote attackers to execute arbitrary command ...) NOT-FOR-US: Opera CVE-2008-4793 (The node module API in Drupal 5.x before 5.11 allows remote attackers ...) - drupal5 5.10-3 (low) - drupal6 (Vulnerable code not present) CVE-2008-4792 (The core BlogAPI module in Drupal 5.x before 5.11 and 6.x before 6.5 d ...) - drupal5 5.10-3 (low) - drupal6 6.4-2 (low) CVE-2008-4791 (The user module in Drupal 5.x before 5.11 and 6.x before 6.5 might all ...) - drupal5 5.10-3 (low) - drupal6 6.4-2 (low) CVE-2008-4790 (The core upload module in Drupal 5.x before 5.11 allows remote authent ...) - drupal5 5.10-3 (low) CVE-2008-4789 (The validation functionality in the core upload module in Drupal 6.x b ...) - drupal6 6.4-2 (low) CVE-2008-4788 (Microsoft Internet Explorer 6 omits high-bit URL-encoded characters wh ...) NOT-FOR-US: Microsoft Internet Explorer 6 CVE-2008-4787 (Visual truncation vulnerability in Microsoft Internet Explorer 6 allow ...) NOT-FOR-US: Microsoft Internet Explorer 6 CVE-2008-4786 (SQL injection vulnerability in easyshop.php in the EasyShop plugin for ...) NOT-FOR-US: EasyShop plugin for e107 CVE-2008-4785 (SQL injection vulnerability in newuser.php in the alternate_profiles p ...) NOT-FOR-US: e107 CVE-2008-4784 (aflog 1.01 allows remote attackers to bypass authentication and gain a ...) NOT-FOR-US: aflog CVE-2008-4783 (tlAds 1.0 allows remote attackers to bypass authentication and gain ad ...) NOT-FOR-US: tlAds CVE-2008-4782 (SQL injection vulnerability in public/code/cp_polls_results.php in All ...) NOT-FOR-US: AIOCP CVE-2008-4781 (Directory traversal vulnerability in update.php in MyKtools 2.4 allows ...) NOT-FOR-US: MyKtools CVE-2008-4780 (Directory traversal vulnerability in admin/centre.php in MyForum 1.3, ...) NOT-FOR-US: MyForum CVE-2008-4779 (Stack-based buffer overflow in TUGzip 3.5.0.0 allows remote attackers ...) NOT-FOR-US: TUGzip CVE-2008-4778 (SQL injection vulnerability in the gallery module in Koobi CMS 4.3.0 a ...) NOT-FOR-US: Koobi CMS CVE-2008-4777 (SQL injection vulnerability in the Showroom Joomlearn LMS (com_lms) co ...) NOT-FOR-US: Showroom Joomlearn LMS CVE-2008-4774 (Cross-site scripting (XSS) vulnerability in main/main.php in QuestCMS ...) NOT-FOR-US: QuestCMS CVE-2008-4773 (Directory traversal vulnerability in main/main.php in QuestCMS allows ...) NOT-FOR-US: QuestCMS CVE-2008-4772 (SQL injection vulnerability in main/main.php in QuestCMS allows remote ...) NOT-FOR-US: QuestCMS CVE-2008-4771 (Stack-based buffer overflow in VATDecoder.VatCtrl.1 ActiveX control in ...) NOT-FOR-US: ActiveX CVE-2008-4770 (The CMsgReader::readRect function in the VNC Viewer component in RealV ...) {DSA-1716-1} - vnc4 4.1.1+X4.3.0-31 (medium; bug #513531) CVE-2008-4776 (libgadu before 1.8.2 allows remote servers to cause a denial of servic ...) {DSA-1664-1} - libgadu 1:1.8.0+r592-3 (low; bug #503916) - kadu 0.6.0.2-3 (low; bug #504429) - ekg 1:1.8~rc0-1 (low) - centerim 4.22.9-1 (low; bug #559782) [lenny] - centerim (Minor issue) NOTE: claimed to be fixed in point update but is not: [lenny] - centerim 4.22.5-1+lenny1 - qutecom (does not use libgadu embed; bug #559784) CVE-2008-4769 (Directory traversal vulnerability in the get_category_template functio ...) {DSA-1871-2 DSA-1871-1} - wordpress 2.5.1-1 CVE-2008-4768 (SQL injection vulnerability in TLM CMS 3.1 allows remote attackers to ...) NOT-FOR-US: TLM CMS CVE-2008-4767 (Unrestricted file upload vulnerability in the DownloadsPlus module in ...) NOT-FOR-US: PHP-Nuke CVE-2008-4766 (SQL injection vulnerability in member.php in Oxygen Bulletin Board 1.1 ...) NOT-FOR-US: Oxygen Bulletin Board CVE-2008-4765 (SQL injection vulnerability in pollBooth.php in osCommerce Poll Booth ...) NOT-FOR-US: osCommerce Poll Booth Add-On CVE-2008-4764 (Directory traversal vulnerability in the eXtplorer module (com_extplor ...) NOT-FOR-US: eXtplorer module in Joomla! CVE-2008-4763 (Multiple cross-site scripting (XSS) vulnerabilities in sample.php in W ...) NOT-FOR-US: WiKID wClient-PHP CVE-2008-4762 (Stack-based buffer overflow in freeSSHd 1.2.1 allows remote authentica ...) NOT-FOR-US: freeSSHd CVE-2008-4761 (Cross-site scripting (XSS) vulnerability in includes/htmlArea/plugins/ ...) NOT-FOR-US: Kayako eSupport CVE-2008-4760 (SQL injection vulnerability in lecture.php in Graphiks MyForum 1.3, wh ...) NOT-FOR-US: Graphiks MyForum CVE-2008-4759 (Directory traversal vulnerability in download.php in BuzzyWall 1.3.1 a ...) NOT-FOR-US: BuzzyWall CVE-2008-4758 (Directory traversal vulnerability in download_file.php in PHP-Daily al ...) NOT-FOR-US: PHPdaily CVE-2008-4757 (Multiple SQL injection vulnerabilities in PHP-Daily allow remote attac ...) NOT-FOR-US: PHPdaily CVE-2008-4756 (Cross-site scripting (XSS) vulnerability in add_prest_date.php in PHP- ...) NOT-FOR-US: PHPdaily CVE-2008-4755 (SQL injection vulnerability in gotourl.php in PozScripts Classified Au ...) NOT-FOR-US: PozScripts Classified Auctions Script CVE-2008-4754 (SQL injection vulnerability in forum.php in Scripts for Sites (SFS) Ez ...) NOT-FOR-US: Scripts for Sites Ez Forum CVE-2008-4753 (SQL injection vulnerability in EditUrl.php in AJ Square RSS Reader all ...) NOT-FOR-US: AJ Square RSS Reader CVE-2008-4752 (TlNews 2.2 allows remote attackers to bypass authentication and gain a ...) NOT-FOR-US: TlNews CVE-2008-4751 (Cross-site scripting (XSS) vulnerability in index.php in iPei Guestboo ...) NOT-FOR-US: iPei Guestbook CVE-2008-4750 (Stack-based buffer overflow in the VImpX.VImpAX ActiveX control (VImpX ...) NOT-FOR-US: ActiveX CVE-2008-4749 (Multiple insecure method vulnerabilities in the VImpX.VImpAX ActiveX c ...) NOT-FOR-US: ActiveX CVE-2008-4747 (Unspecified vulnerability in the search feature in Sun Java System LDA ...) NOT-FOR-US: Sun Java System LDAP JDK CVE-2008-4746 (Multiple SQL injection vulnerabilities in Uniwin eCart Professional 2. ...) NOT-FOR-US: Uniwin eCart Professional CVE-2008-4745 (Cross-site scripting (XSS) vulnerability in emailFriend.asp in Uniwin ...) NOT-FOR-US: Uniwin eCart Professional CVE-2008-4744 (SQL injection vulnerability in product_detail.php in DXShopCart 4.30mc ...) NOT-FOR-US: DXShopCart CVE-2008-4743 (SQL injection vulnerability in index.php in QuidaScript FAQ Management ...) NOT-FOR-US: QuidaScript FAQ Management Script CVE-2008-4742 (Multiple cross-site scripting (XSS) vulnerabilities in interface/Login ...) NOT-FOR-US: TimeTrex CVE-2008-4741 (Directory traversal vulnerability in index.php in FAR-PHP 1.00, when m ...) NOT-FOR-US: FAR-PHP CVE-2008-4740 (Directory traversal vulnerability in templater.php in the ZZ_Templater ...) NOT-FOR-US: ZZ_Templater module in TinyCMS CVE-2006-7234 (Untrusted search path vulnerability in Lynx before 2.8.6rel.4 allows l ...) - lynx-cur 2.8.7dev4-1 (low) - lynx (Doesn't include the current directory in the search path) CVE-2008-4748 (Format string vulnerability in the URI handler in KVirc 3.4.0, when se ...) - kvirc (Windows-specific vulnerability) CVE-2008-XXXX [balazar3: insecure temp file handling] - balazar3 0.1-2 (bug #503750) CVE-2008-4775 (Cross-site scripting (XSS) vulnerability in pmd_pdf.php in phpMyAdmin ...) - phpmyadmin 4:2.11.8.1-4 (low) [etch] - phpmyadmin (Vulnerable code not present) NOTE: https://www.securityfocus.com/archive/1/497815 NOTE: https://www.phpmyadmin.net/security/PMASA-2008-9/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/625e9f2e93671f9e4a9086b8d6c8111f70ffcc3d (2.11 branch) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/600a2ca21bc8b40742fd0a919a6b06a477548647 CVE-2008-4739 (Directory traversal vulnerability in index.php in PlugSpace 0.1, when ...) NOT-FOR-US: PlugSpace CVE-2008-4738 (SQL injection vulnerability in gallery.php in MyCard 1.0.2 allows remo ...) NOT-FOR-US: MyCard CVE-2008-4737 (Cross-site scripting (XSS) vulnerability in wholite.cgi in WhoDomLite ...) NOT-FOR-US: WhoDomLite CVE-2008-4736 (SQL injection vulnerability in index.php in RPG.Board 0.8 Beta2 and ea ...) NOT-FOR-US: RPG.Board CVE-2008-4735 (PHP remote file inclusion vulnerability in header.php in Concord Asset ...) NOT-FOR-US: Concord software CVE-2008-4734 (Cross-site request forgery (CSRF) vulnerability in the wpcr_do_options ...) NOT-FOR-US: WP Comment Remix plugin CVE-2008-4733 (Cross-site scripting (XSS) vulnerability in wpcommentremix.php in WP C ...) NOT-FOR-US: WP Comment Remix plugin CVE-2008-4732 (SQL injection vulnerability in ajax_comments.php in the WP Comment Rem ...) NOT-FOR-US: WP Comment Remix plugin CVE-2008-4731 (Multiple unspecified vulnerabilities in YaCy before 0.61 have unknown ...) - yacy (bug #452422) CVE-2008-4730 (Cross-site scripting (XSS) vulnerability in MyID.php in phpMyID 0.9 al ...) - phpmyid (bug #492325) CVE-2008-4729 (Stack-based buffer overflow in Hummingbird.XWebHostCtrl.1 ActiveX cont ...) NOT-FOR-US: Hummingbird Xweb CVE-2008-4728 (Multiple insecure method vulnerabilities in the DeployRun.DeploymentSe ...) NOT-FOR-US: Hummingbird Deployment Wizard CVE-2008-4727 (Cross-site scripting (XSS) vulnerability in the contact update page (s ...) NOT-FOR-US: SunGard Banner Student CVE-2008-4726 (Stack-based buffer overflow in the SFTP subsystem in GoodTech SSH 6.4 ...) NOT-FOR-US: GoodTech SSH CVE-2008-4725 (Cross-site scripting (XSS) vulnerability in Opera.dll in Opera 9.52 al ...) NOT-FOR-US: Opera CVE-2008-4724 (Multiple cross-site scripting (XSS) vulnerabilities in Google Chrome 0 ...) - webkit 1.1.7-1 (low; bug #520052) [lenny] - webkit (Minor issue) - kdelibs - kde4libs CVE-2008-4723 (Multiple cross-site scripting (XSS) vulnerabilities in Mozilla Firefox ...) - iceweasel NOTE: firefox not affected, see https://bugzilla.redhat.com/468397 CVE-2008-4722 (Unspecified vulnerability in Sun Integrated Lights-Out Manager (ILOM) ...) NOT-FOR-US: Sun ILOM CVE-2008-4721 (PHP Jabbers Post Comment 3.0 allows remote attackers to bypass authent ...) NOT-FOR-US: PHP Jabbers CVE-2008-4720 (Multiple PHP remote file inclusion vulnerabilities in The Gemini Porta ...) NOT-FOR-US: The Gemini Portal CVE-2008-4719 (PHP remote file inclusion vulnerability in cms/classes/openengine/file ...) NOT-FOR-US: openEngine CVE-2008-4718 (Directory traversal vulnerability in help/mini.php in X7 Chat 2.0.1 A1 ...) NOT-FOR-US: X7 Chat CVE-2008-4717 (SQL injection vulnerability in bannerclick.php in ZEELYRICS 2.0 allows ...) NOT-FOR-US: ZEELYRICS CVE-2008-4716 (SQL injection vulnerability in show.php in BitmixSoft PHP-Lance 1.52 a ...) NOT-FOR-US: PHP-Lance CVE-2008-4715 (SQL injection vulnerability in the Jpad (com_jpad) 1.0 component for J ...) NOT-FOR-US: com_jpad for Joomla! CVE-2008-4714 (Atomic Photo Album 1.1.0 pre4 does not properly handle the apa_cookie_ ...) NOT-FOR-US: Atomic Photo Album CVE-2008-4713 (SQL injection vulnerability in view.php in 212cafe Board 0.07 allows r ...) NOT-FOR-US: 212cafe Board CVE-2008-4712 (Directory traversal vulnerability in pages/showblog.php in LnBlog 0.9. ...) NOT-FOR-US: LnBlog CVE-2008-4711 (SQL injection vulnerability in Joovili 3.0 and earlier, when magic_quo ...) NOT-FOR-US: Joovili CVE-2008-4710 (Cross-site scripting (XSS) vulnerability in the stock quotes page in S ...) NOT-FOR-US: Stock module for Drupal CVE-2008-4709 (SQL injection vulnerability in news_read.php in Pilot Group (PG) eTrai ...) NOT-FOR-US: PG eTraining CVE-2008-4708 (BbZL.PhP 0.92 allows remote attackers to bypass authentication and gai ...) NOT-FOR-US: BbZL.PhP CVE-2008-4707 (Directory traversal vulnerability in index.php in BbZL.PhP 0.92 allows ...) NOT-FOR-US: BbZL.PhP CVE-2008-4706 (SQL injection vulnerability in VBGooglemap Hotspot Edition 1.0.3, a vB ...) NOT-FOR-US: VBGooglemap Hotspot Edition CVE-2008-4705 (SQL injection vulnerability in success_story.php in php Online Dating ...) NOT-FOR-US: MyPHPDating CVE-2008-4704 (PHP remote file inclusion vulnerability in SezHooTabsAndActions.php in ...) NOT-FOR-US: SezHoo CVE-2008-4703 (SQL injection vulnerability in news.php in BosDev BosNews 4.0 allows r ...) NOT-FOR-US: BosDev BosNews CVE-2008-4702 (Multiple directory traversal vulnerabilities in PhpWebGallery 1.3.4 al ...) NOT-FOR-US: PhpWebGallery CVE-2008-4701 (SQL injection vulnerability in admin.php in Libera CMS 1.12, when magi ...) NOT-FOR-US: Libera CMS CVE-2008-4700 (SQL injection vulnerability in admin.php in Libera CMS 1.12 and earlie ...) NOT-FOR-US: Libera CMS CVE-2008-4699 (Insecure method vulnerability in the ActiveX control (PAWWeb11.ocx) in ...) NOT-FOR-US: Peachtree Accounting CVE-2008-4698 (Opera before 9.61 does not properly block scripts during preview of a ...) NOT-FOR-US: Opera CVE-2008-4697 (The Fast Forward feature in Opera before 9.61, when a page is located ...) NOT-FOR-US: Opera CVE-2008-4696 (Cross-site scripting (XSS) vulnerability in Opera.dll in Opera before ...) NOT-FOR-US: Opera CVE-2008-4695 (Opera before 9.60 allows remote attackers to obtain sensitive informat ...) NOT-FOR-US: Opera CVE-2008-4694 (Unspecified vulnerability in Opera before 9.60 allows remote attackers ...) NOT-FOR-US: Opera CVE-2008-4693 (The SORT/LIST SERVICES component in IBM DB2 9.1 before FP6 and 9.5 bef ...) NOT-FOR-US: IBM DB2 CVE-2008-4692 (The Native Managed Provider for .NET component in IBM DB2 8 before FP1 ...) NOT-FOR-US: IBM DB2 CVE-2008-4691 (Unspecified vulnerability in the SQLNLS_UNPADDEDCHARLEN function in th ...) NOT-FOR-US: IBM DB2 CVE-2008-4690 (lynx 2.8.6dev.15 and earlier, when advanced mode is enabled and lynx i ...) - lynx (advanced mode is not switched on in Debian configurations and lynxcgi handlers are really unlikely) CVE-2008-4689 (Mantis before 1.1.3 does not unset the session cookie during logout, w ...) - mantis 1.1.2+dfsg-9 (low; bug #503588) CVE-2008-4688 (core/string_api.php in Mantis before 1.1.3 does not check the privileg ...) - mantis 1.1.2+dfsg-9 (low; bug #503588) CVE-2008-4685 (Use-after-free vulnerability in the dissect_q931_cause_ie function in ...) {DSA-1673-1} - wireshark 1.0.4-1 (low; bug #503589) [lenny] - wireshark 1.0.2-3+lenny2 CVE-2008-4684 (packet-frame in Wireshark 0.99.2 through 1.0.3 does not properly handl ...) {DSA-1673-1} - wireshark 1.0.4-1 (low; bug #503589) [lenny] - wireshark 1.0.2-3+lenny2 CVE-2008-4683 (The dissect_btacl function in packet-bthci_acl.c in the Bluetooth ACL ...) {DSA-1673-1} - wireshark 1.0.4-1 (low; bug #503589) [lenny] - wireshark 1.0.2-3+lenny2 CVE-2008-4682 (wtap.c in Wireshark 0.99.7 through 1.0.3 allows remote attackers to ca ...) - wireshark 1.0.4-1 (low; bug #503589) [etch] - wireshark (Vulnerable code not present, introduced in 0.99.7) [lenny] - wireshark 1.0.2-3+lenny2 CVE-2008-4681 (Unspecified vulnerability in the Bluetooth RFCOMM dissector in Wiresha ...) - wireshark 1.0.4-1 (low; bug #503589) [etch] - wireshark (Vulnerable code not present, introduced in 0.99.7) [lenny] - wireshark 1.0.2-3+lenny2 CVE-2008-4680 (packet-usb.c in the USB dissector in Wireshark 0.99.7 through 1.0.3 al ...) - wireshark 1.0.4-1 (low; bug #503589) [etch] - wireshark (Vulnerable code not present, introduced in 0.99.7) [lenny] - wireshark 1.0.2-3+lenny2 CVE-2008-4679 (The Web Services Security component in IBM WebSphere Application Serve ...) NOT-FOR-US: IBM Websphere CVE-2008-4678 (The HTTP_Request_Parser method in the HTTP Transport component in IBM ...) NOT-FOR-US: IBM Websphere CVE-2008-4677 (autoload/netrw.vim (aka the Netrw Plugin) 109, 131, and other versions ...) - vim (unimportant) NOTE: documented in netrw documentation CVE-2008-XXXX [local file inclusion in drupal] - drupal6 6.6-1 (low; bug #503222) - drupal5 5.10-3 (low; bug #503217) CVE-2008-XXXX [XSS in book module in drupal] - drupal6 6.6-1 (low; bug #503222) - drupal5 (vulnerable code not present) CVE-2008-4676 (Unspecified vulnerability in Citrix XenApp (formerly Presentation Serv ...) NOT-FOR-US: Citrix XenApp CVE-2008-4675 (SQL injection vulnerability in index.php in PHPcounter 1.3.2 and earli ...) NOT-FOR-US: PHPcounter CVE-2008-4674 (SQL injection vulnerability in realestate-index.php in Conkurent Real ...) NOT-FOR-US: Conkurent Real Estate Manager CVE-2008-4673 (PHP remote file inclusion vulnerability in panel/common/theme/default/ ...) NOT-FOR-US: WebBiscuits Software Events Calendar CVE-2008-4672 (Cross-site scripting (XSS) vulnerability in search_results.php in buym ...) NOT-FOR-US: buymyscripts Lyrics Script CVE-2008-4671 (Cross-site scripting (XSS) vulnerability in wp-admin/wp-blogs.php in W ...) - wordpress (Vulnerable code only in mulitiuser wordpress) CVE-2008-4670 (Cross-site scripting (XSS) vulnerability in search.php in Ed Pudol Cli ...) NOT-FOR-US: Ed Pudol Clickbank Portal CVE-2008-4669 (Cross-site scripting (XSS) vulnerability in search.php in Dan Fletcher ...) NOT-FOR-US: Dan Fletcher Recipe Script CVE-2008-4668 (Directory traversal vulnerability in the Image Browser (com_imagebrows ...) NOT-FOR-US: com_imagebrowser for Joomla! CVE-2008-4667 (Directory traversal vulnerability in rss.php in ArabCMS 2.0 beta 1 all ...) NOT-FOR-US: ArabCMS CVE-2008-4666 (SQL injection vulnerability in webboard.php in Ultimate Webboard 3.00 ...) NOT-FOR-US: Ultimate Webboard CVE-2008-4665 (SQL injection vulnerability in PG Matchmaking allows remote attackers ...) NOT-FOR-US: PG Matchmaking CVE-2008-4664 (Heap-based buffer overflow in QvodInsert.QvodCtrl.1 ActiveX control (Q ...) NOT-FOR-US: QvodInsert CVE-2008-4663 (Cross-site scripting (XSS) vulnerability in analysis.cgi 1.44, as used ...) NOT-FOR-US: K's CGI Access Log Kaiseki CVE-2008-4662 (Directory traversal vulnerability in admin.php in LokiCMS 0.3.4, when ...) NOT-FOR-US: LokiCMS CVE-2008-4661 (Cross-site scripting (XSS) vulnerability in the Page Improvements (sm_ ...) NOT-FOR-US: sm_pageimprovements for TYPO3 CVE-2008-4660 (SQL injection vulnerability in the M1 Intern (m1_intern) 1.0.0 extensi ...) NOT-FOR-US: m1_intern for TYPO3 CVE-2008-4659 (SQL injection vulnerability in the Mannschaftsliste (kiddog_playerlist ...) NOT-FOR-US: kiddog_playerlist for TYPO3 CVE-2008-4658 (SQL injection vulnerability in the JobControl (dmmjobcontrol) 1.15.4 a ...) NOT-FOR-US: dmmjobcontrol for TYPO3 CVE-2008-4657 (SQL injection vulnerability in the Econda Plugin (econda) 0.0.2 and ea ...) NOT-FOR-US: econda for TYPO3 CVE-2008-4656 (SQL injection vulnerability in the Frontend Users View (feusersview) 0 ...) NOT-FOR-US: fersview for TYPO3 CVE-2008-4655 (SQL injection vulnerability in the Simple survey (simplesurvey) 1.7.0 ...) NOT-FOR-US: simplesurvey for TYPO3 CVE-2008-4653 (SQL injection vulnerability in makale.php in Makale 0.26 and possibly ...) NOT-FOR-US: Makale module for XOOPS CVE-2008-4652 (Buffer overflow in the ActiveX control (DartFtp.dll) in Dart Communica ...) NOT-FOR-US: Dart Communications PowerTCP FTP CVE-2008-4651 (Multiple SQL injection vulnerabilities in Jetbox CMS 2.1 allow remote ...) NOT-FOR-US: Jetbox CMS CVE-2008-4650 (SQL injection vulnerability in viewevent.php in myEvent 1.6 allows rem ...) NOT-FOR-US: myEvent CVE-2008-4649 (Session fixation vulnerability in Elxis CMS 2008.1 revision 2204 allow ...) NOT-FOR-US: Elxis CVE-2008-4648 (Cross-site scripting (XSS) vulnerability in index.php in Elxis CMS 200 ...) NOT-FOR-US: Elxis CVE-2008-4647 (SQL injection vulnerability in index.php in sweetCMS 1.5.2 allows remo ...) NOT-FOR-US: sweetCMS CVE-2008-4646 (The Websense Reporter Module in Websense Enterprise 6.3.2 stores the S ...) NOT-FOR-US: Websense Enterprise CVE-2008-4645 (plugins/event_tracer/event_list.php in PhpWebGallery 1.7.2 and earlier ...) NOT-FOR-US: PhpWebGallery CVE-2008-4644 (hits.php in myWebland myStats allows remote attackers to bypass IP add ...) NOT-FOR-US: myWebland myStats CVE-2008-4643 (SQL injection vulnerability in hits.php in myWebland myStats allows re ...) NOT-FOR-US: myWebland myStats CVE-2008-4642 (SQL injection vulnerability in profile.php in AstroSPACES 1.1.1 allows ...) NOT-FOR-US: AstroSPACES CVE-2008-4641 (The DoCommand function in jhead.c in Matthias Wandel jhead 2.84 and ea ...) - jhead 2.84-2 (low; bug #503645) CVE-2008-4640 (The DoCommand function in jhead.c in Matthias Wandel jhead 2.84 and ea ...) - jhead 2.85-1 (unimportant; bug #504194) NOTE: no issue, jhead is just unlinking the output file if it already exists, this is not following symlinks CVE-2008-4639 (jhead.c in Matthias Wandel jhead 2.84 and earlier allows local users t ...) - jhead 2.84-1 (low) CVE-2008-4638 (qioadmin in the Quick I/O for Database feature in Symantec Veritas Fil ...) NOT-FOR-US: Symantec VxFS CVE-2008-4637 (Cross-site scripting (XSS) vulnerability in cpCommerce before 1.2.4 al ...) NOT-FOR-US: cpCommerce CVE-2008-4636 (yast2-backup 2.14.2 through 2.16.6 on SUSE Linux and Novell Linux allo ...) NOT-FOR-US: SUSE Linux and Novell Linux (yast2-backup) CVE-2008-4635 (Unspecified vulnerability in Hisanaga Electric Co, Ltd. hisa_cart 1.29 ...) NOT-FOR-US: XOOPS module CVE-2008-4634 (Cross-site scripting (XSS) vulnerability in Movable Type 4 through 4.2 ...) - movabletype-opensource 4.2.1-3 (low; bug #503114) CVE-2008-4633 (SQL injection vulnerability in Node Vote 5.x before 5.x-1.1 and 6.x be ...) NOT-FOR-US: Node Vote CVE-2008-4632 (Multiple directory traversal vulnerabilities in index.php in Kure 0.6. ...) NOT-FOR-US: Kure CVE-2008-4631 (Stack-based buffer overflow in the Message::AddToString function in me ...) NOT-FOR-US: MUSCLE, NOTE this is not the multiple alignment program for protein sequences in Debian CVE-2008-4630 (Multiple unspecified vulnerabilities in Midgard Components (MidCOM) Fr ...) NOT-FOR-US: Midgard Components Framework CVE-2008-4629 (Cross-site scripting (XSS) vulnerability in Usagi Project MyNETS 1.2.0 ...) NOT-FOR-US: Usagi Project MyNETS CVE-2008-4628 (SQL injection vulnerability in del.php in myWebland miniBloggie 1.0 al ...) NOT-FOR-US: myWebland miniBloggie CVE-2008-4627 (SQL injection vulnerability in the rGallery plugin 1.09 for WoltLab Bu ...) NOT-FOR-US: WoltLab Burning Board CVE-2008-4626 (Directory traversal vulnerability in index.php in Fritz Berger yet ano ...) NOT-FOR-US: yappa-ng CVE-2008-4625 (SQL injection vulnerability in stnl_iframe.php in the ShiftThis Newsle ...) NOT-FOR-US: st_newsletter plugin for WordPress CVE-2008-4624 (PHP remote file inclusion vulnerability in init.php in Fast Click SQL ...) NOT-FOR-US: Fast Click SQL Lite CVE-2008-4623 (SQL injection vulnerability in the DS-Syndicate (com_ds-syndicate) com ...) NOT-FOR-US: DS-Syndicate CVE-2008-4622 (The isLoggedIn function in fastnews-code.php in phpFastNews 1.0.0 allo ...) NOT-FOR-US: phpFastNews CVE-2008-4621 (SQL injection vulnerability in bannerclick.php in ZeeScripts Zeeproper ...) NOT-FOR-US: ZeeScripts Zeeproperty CVE-2008-4620 (SQL injection vulnerability in Meeting Room Booking System (MRBS) befo ...) NOT-FOR-US: Meeting Room Booking System CVE-2008-4619 (The RPC subsystem in Sun Solaris 9 allows remote attackers to cause a ...) NOT-FOR-US: Sun Solaris CVE-2008-4618 (The Stream Control Transmission Protocol (sctp) implementation in the ...) {DSA-1681-1} - linux-2.6 2.6.26-10 [etch] - linux-2.6 - linux-2.6.24 2.6.24-6~etchnhalf.7 NOTE: ba0166708ef4da7eeb61dd92bbba4d5a749d6561 CVE-2008-4617 (SQL injection vulnerability in the actualite module 1.0 for Joomla! al ...) NOT-FOR-US: actualite module for Joomla! CVE-2008-4616 (The SpamBam plugin for WordPress allows remote attackers to bypass res ...) NOT-FOR-US: SpamBam plugin for WordPress CVE-2008-4615 (Unspecified vulnerability in i_utils.asp in PortalApp before 4.01a has ...) NOT-FOR-US: PortalApp CVE-2008-4614 (PortalApp 4.0 does not require authentication for (1) forums.asp and ( ...) NOT-FOR-US: PortalApp CVE-2008-4613 (SQL injection vulnerability in forums.asp in PortalApp 4.0 allows remo ...) NOT-FOR-US: PortalApp CVE-2008-4612 (Cross-site scripting (XSS) vulnerability in PortalApp 4.0 allows remot ...) NOT-FOR-US: PortalApp CVE-2008-4611 (SQL injection vulnerability in index.php in PHP Arsivimiz Php Ziyaretc ...) NOT-FOR-US: PHP Arsivimiz Php Ziyaretci Defteri CVE-2008-4610 (MPlayer allows remote attackers to cause a denial of service (applicat ...) {DTSA-181-1} - mplayer 1.0~rc2-20 (bug #407010) NOTE: only the aac issue affected mplayer because it built against a copy of faad NOTE: the ogm issue is a problem in ffmpeg - ffmpeg-debian (unimportant; bug #509616) - ffmpeg 7:2.4.1-1 (unimportant) - xmovie (unimportant) NOTE: just a crasher, no security implications known so far NOTE: http://sam.zoy.org/blog/2007-01-16-exposing-file-parsing-vulnerabilities CVE-2008-4609 (The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, ...) - linux (unimportant) - linux-2.6 (unimportant) - linux-2.6.24 (unimportant) NOTE: this is a design flaw in TCP itself; maximum impact is a denial-of-service NOTE: there is no upstream solution NOTE: see http://kbase.redhat.com/faq/docs/DOC-18730 for possible mitigation via iptables NOTE: also see usage of ipt_connlimit as a mitigation strategy CVE-2008-4608 REJECTED CVE-2008-4607 REJECTED CVE-2008-4606 (Multiple SQL injection vulnerabilities in IP Reg 0.4 and earlier allow ...) NOT-FOR-US: IP Reg CVE-2008-4605 (SQL injection vulnerability in CafeEngine allows remote attackers to e ...) NOT-FOR-US: CafeEngine CVE-2008-4604 (SQL injection vulnerability in index.php in Easy CafeEngine 1.1 allows ...) NOT-FOR-US: CafeEngine CVE-2008-4603 (SQL injection vulnerability in search.php in iGaming CMS 2.0 Alpha 1 a ...) NOT-FOR-US: iGaming CM CVE-2008-4602 (Directory traversal vulnerability in index.php in Post Affiliate Pro 2 ...) NOT-FOR-US: Post Affiliate Pro CVE-2008-4601 (Cross-site scripting (XSS) vulnerability in the login feature in Habar ...) NOT-FOR-US: Habari CMS CVE-2008-4600 (configure.php in PokerMax Poker League Tournament Script 0.13 allows r ...) NOT-FOR-US: PokerMax Poker League Tournament Script CVE-2008-4599 (SQL injection vulnerability in category.php in Mosaic Commerce allows ...) NOT-FOR-US: Mosaic Commerce CVE-2008-4598 (Unspecified vulnerability in Shindig-Integrator 5.x, a module for Drup ...) NOT-FOR-US: Shindig-Integrator module for Drupal CVE-2008-4597 (Shindig-Integrator 5.x, a module for Drupal, does not properly restric ...) NOT-FOR-US: Shindig-Integrator module for Drupal CVE-2008-4596 (Cross-site scripting (XSS) vulnerability in Shindig-Integrator 5.x, a ...) NOT-FOR-US: Shindig-Integrator module for Drupal CVE-2008-4595 (Multiple unspecified vulnerabilities in Slaytanic Scripts Content Plus ...) NOT-FOR-US: Slaytanic Scripts Content Plus CVE-2008-4594 (Unspecified vulnerability in the SNMPv3 component in Linksys WAP4400N ...) NOT-FOR-US: Linksys WAP4400N firmware CVE-2008-4593 (Apple iPhone 2.1 with firmware 5F136, when Require Passcode is enabled ...) NOT-FOR-US: Apple iPhone 2.1 with firmware 5F136 CVE-2007-6718 (MPlayer, possibly 1.0rc1, allows remote attackers to cause a denial of ...) - mplayer 1.0~rc3+svn20100502-1 (low; bug #407010) [lenny] - mplayer (Some have been fixed in Lenny/libavcodec, some crashers left) NOTE: http://sam.zoy.org/blog/2007-01-16-exposing-file-parsing-vulnerabilities CVE-2008-4654 (Stack-based buffer overflow in the parse_master function in the Ty dem ...) - vlc 1.0.3-1 (low; bug #502726) [etch] - vlc (introduced in 0.9.0) [lenny] - vlc (introduced in 0.9.0) CVE-2008-4686 (Multiple integer overflows in ty.c in the TY demux plugin (aka the TiV ...) {DSA-1819-1 DTSA-175-1} - vlc 0.8.6.h-4.1 (medium; bug #503118) CVE-2008-4687 (manage_proj_page.php in Mantis before 1.1.4 allows remote authenticate ...) - mantis 1.1.2+dfsg-7 (medium; bug #502728) NOTE: only registered users can perform this CVE-2008-4592 (Directory traversal vulnerability in index.php in Sports Clubs Web Pan ...) NOT-FOR-US: Sports Clubs Web Panel CVE-2008-4591 (Multiple cross-site scripting (XSS) vulnerabilities in admin/include/i ...) NOT-FOR-US: PhpWebGallery CVE-2008-4590 (Multiple SQL injection vulnerabilities in Stash 1.0.3 allow remote att ...) NOT-FOR-US: Stash CVE-2008-4589 (Heap-based buffer overflow in the tvtumin.sys kernel driver in Lenovo ...) NOT-FOR-US: Lenovo Rescue and Recovery CVE-2008-4588 (Stack-based buffer overflow in the FTP server in Etype Eserv 3.x, poss ...) NOT-FOR-US: Etype Eserv CVE-2008-4587 (Insecure method vulnerability in the MSVNClientDownloadManager61Lib.Do ...) NOT-FOR-US: Macrovision FLEXnet Connect CVE-2008-4586 (Insecure method vulnerability in the MVSNCLientWebAgent61.WebAgent.1 A ...) NOT-FOR-US: Macrovision FLEXnet Connect CVE-2008-4585 (Belong Software Site Builder 0.1 beta allows remote attackers to bypas ...) NOT-FOR-US: Software Site Builder CVE-2008-4584 (Insecure method vulnerability in Chilkat Mail 7.8 ActiveX control (Chi ...) NOT-FOR-US: Chilkat Mail CVE-2008-4583 (Insecure method vulnerability in the Chilkat FTP 2.0 ActiveX component ...) NOT-FOR-US: Chilkat FTP CVE-2008-4582 (Mozilla Firefox 3.0.1 through 3.0.3, Firefox 2.x before 2.0.0.18, and ...) {DSA-1697-1 DSA-1696-1 DSA-1671-1 DSA-1669-1} - xulrunner 1.9.0.4-1 - iceweasel 3.0.4-1 - iceape 1.1.13-1 - icedove 2.0.0.19-1 CVE-2008-4581 (The Editor in IBM ENOVIA SmarTeam 5 before release 18 SP5, and release ...) NOT-FOR-US: IBM ENOVIA SmarTeam CVE-2008-4580 (fence_manual, as used in fence 2.02.00-r1 and possibly cman, allows lo ...) - redhat-cluster 2.20080801-1 (low; bug #496410) [etch] - redhat-cluster (Minor issue) NOTE: already fixed in lenny CVE-2008-4579 (The (1) fence_apc and (2) fence_apc_snmp programs, as used in (a) fenc ...) - redhat-cluster 2.20081102-1 (low; bug #496410) [lenny] - redhat-cluster 2.20080801-4+lenny1 [etch] - redhat-cluster (Minor issue) CVE-2008-4578 (The ACL plugin in Dovecot before 1.1.4 allows attackers to bypass inte ...) - dovecot 1:1.1.9-1 (low; bug #502967) [etch] - dovecot (Minor issue) [lenny] - dovecot (Minor issue) CVE-2008-4577 (The ACL plugin in Dovecot before 1.1.4 treats negative access rights a ...) - dovecot 1:1.0.15-2.2 (low; bug #502967) [etch] - dovecot (Minor issue) CVE-2008-4576 (sctp in Linux kernel before 2.6.25.18 allows remote attackers to cause ...) {DSA-1687-1 DSA-1681-1} - linux-2.6 2.6.26-9 - linux-2.6.24 2.6.24-6~etchnhalf.7 CVE-2008-4575 (Buffer overflow in the DoCommand function in jhead before 2.84 might a ...) - jhead 2.84-1 (bug #502353; low) CVE-2008-4571 (Cross-site scripting (XSS) vulnerability in the LiveSearch module in P ...) - plone3 3.0.4-1 (low) CVE-2008-4569 (SQL injection vulnerability in xlacomments.asp in XIGLA Software Absol ...) NOT-FOR-US: XIGLA Software Absolute Poll Manager CVE-2008-4574 (SQL injection vulnerability in default.asp in Ayco Okul Portali allows ...) NOT-FOR-US: Ayco Okul Portali CVE-2008-4573 (SQL injection vulnerability in kategori.asp in MunzurSoft Wep Portal W ...) NOT-FOR-US: MunzurSoft Wep Portal W3 CVE-2008-4572 (GuildFTPd 0.999.14, and possibly other versions, allows remote attacke ...) NOT-FOR-US: GuildFTPd CVE-2008-4570 (SQL injection vulnerability in index.php in Real Estate Classifieds al ...) NOT-FOR-US: Real Estate Classifieds CVE-2008-4568 RESERVED CVE-2008-4567 RESERVED CVE-2008-4566 RESERVED CVE-2008-4565 RESERVED CVE-2008-4564 (Stack-based buffer overflow in wp6sr.dll in the Autonomy KeyView SDK 1 ...) NOT-FOR-US: Autonomy KeyView SDK CVE-2008-4563 (Heap-based buffer overflow in adsmdll.dll 5.3.7.7296, as used by the d ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2008-4562 (Buffer overflow in the ovlaunch CGI program in HP OpenView Network Nod ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2008-4561 RESERVED CVE-2008-4560 (HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2008-4559 (HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2008-4557 (plugins/wacko/highlight/html.php in Strawberry in CuteNews.ru 1.1.1 (a ...) NOT-FOR-US: CuteNews.ru CVE-2008-4556 (Stack-based buffer overflow in the adm_build_path function in sadmind ...) NOT-FOR-US: Sun Solstice AdminSuite CVE-2008-4555 (Stack-based buffer overflow in the push_subg function in parser.y (lib ...) - graphviz 2.20.2-3 (low) [etch] - graphviz 2.8-3+etch1 NOTE: minor issue fixed in etch r6 point update CVE-2008-4554 (The do_splice_from function in fs/splice.c in the Linux kernel before ...) {DSA-1687-1 DSA-1681-1} - linux-2.6 2.6.26-9 - linux-2.6.24 2.6.24-6~etchnhalf.7 CVE-2008-4553 (qemu-make-debian-root in qemu 0.9.1-5 on Debian GNU/Linux allows local ...) {DSA-1657-1} - qemu 0.9.1-6 (low; bug #496394) CVE-2008-4552 (The good_client function in nfs-utils 1.0.9, and possibly other versio ...) - nfs-utils 1:1.1.3-1 [lenny] - nfs-utils 1:1.1.2-6lenny1 [etch] - nfs-utils (Minor issue) CVE-2008-4551 (strongSwan 4.2.6 and earlier allows remote attackers to cause a denial ...) - strongswan 4.2.4-5 (bug #502676) [etch] - strongswan (Vulnerable code not present) CVE-2008-4550 RESERVED CVE-2008-4549 (The ImageShack Toolbar ActiveX control (ImageShackToolbar.dll) in Imag ...) NOT-FOR-US: ImageShack Toolbar ActiveX control CVE-2008-4548 (Stack-based buffer overflow in the PTZCamPanelCtrl ActiveX control (Ca ...) NOT-FOR-US: PTZCamPanelCtrl ActiveX control CVE-2008-4547 (Heap-based buffer overflow in the PdvrAtl.PdvrOcx.1 ActiveX control (p ...) NOT-FOR-US: DVRHOST Web CMS CVE-2008-4546 (Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Ad ...) NOT-FOR-US: Adobe Flash Player CVE-2008-4558 (Array index error in VLC media player 0.9.2 allows remote attackers to ...) - vlc 0.9.3-1 (medium; bug #502314) [etch] - vlc (introduced in 0.9.0) [lenny] - vlc (introduced in 0.9.0) CVE-2008-4545 (Cisco Unity 4.x before 4.2(1)ES161, 5.x before 5.0(1)ES53, and 7.x bef ...) NOT-FOR-US: Cisco CVE-2008-4544 (Unspecified vulnerability in an unspecified Microsoft API, as used by ...) NOT-FOR-US: Microsoft CVE-2008-4543 (Cisco Unity 4.x before 4.2(1)ES161, 5.x before 5.0(1)ES53, and 7.x bef ...) NOT-FOR-US: Cisco CVE-2008-4542 (Cross-site scripting (XSS) vulnerability in Cisco Unity 4.x before 4.2 ...) NOT-FOR-US: Cisco CVE-2008-4541 (Heap-based buffer overflow in the FTP subsystem in Sun Java System Web ...) NOT-FOR-US: Sun Java System Web Proxy Server CVE-2008-4540 (Windows Mobile 6 on the HTC Hermes device makes WLAN passwords availab ...) NOT-FOR-US: Windows Mobile CVE-2008-4539 (Heap-based buffer overflow in the Cirrus VGA implementation in (1) KVM ...) {DSA-1799-1} - qemu 0.9.1+svn20081101-1 (low; bug #526040) [etch] - qemu (Vulnerable code not present) CVE-2008-4538 RESERVED CVE-2008-4537 (Cross-site scripting (XSS) vulnerability in EC-CUBE Ver1 1.4.6 and ear ...) NOT-FOR-US: EC-CUBE CVE-2008-4536 (Cross-site scripting (XSS) vulnerability in EC-CUBE Ver1 1.4.6 and ear ...) NOT-FOR-US: EC-CUBE CVE-2008-4535 (Cross-site scripting (XSS) vulnerability in EC-CUBE Ver2 2.1.2a and ea ...) NOT-FOR-US: EC-CUBE CVE-2008-4534 (SQL injection vulnerability in EC-CUBE Ver2 2.1.2a and earlier, and Ve ...) NOT-FOR-US: EC-CUBE CVE-2008-5299 (chm2pdf 0.9 allows user-assisted local users to delete arbitrary files ...) - chm2pdf 0.9.1-1.1 (low; bug #501959) CVE-2008-5298 (chm2pdf 0.9 uses temporary files in directories with fixed names, whic ...) - chm2pdf 0.9.1-1.1 (low; bug #501959) CVE-2008-4533 (Cross-site scripting (XSS) vulnerability in Kantan WEB Server 1.8 and ...) NOT-FOR-US: Kantan WEB Server CVE-2008-4532 (Cross-site scripting (XSS) vulnerability in index.php in MaxiScript We ...) NOT-FOR-US: MaxiScript Website Directory CVE-2008-4531 (SQL injection vulnerability in Brilliant Gallery 5.x before 5.x-4.2, a ...) NOT-FOR-US: Brilliant Gallery (drupal module) CVE-2008-4530 (Cross-site scripting (XSS) vulnerability in Brilliant Gallery 5.x befo ...) NOT-FOR-US: Brilliant Gallery (drupal module) CVE-2008-4529 (Multiple PHP remote file inclusion vulnerabilities in asiCMS alpha 0.2 ...) NOT-FOR-US: asiCMS CVE-2008-4528 (Directory traversal vulnerability in notes.php in Phlatline's Personal ...) NOT-FOR-US: Phlatline's Personal Information Manager CVE-2008-4527 (SQL injection vulnerability in recept.php in the Recepies (Recept) mod ...) NOT-FOR-US: PHP-Fusion CVE-2008-4526 (Multiple directory traversal vulnerabilities in CCMS 3.1 allow remote ...) NOT-FOR-US: CCMS CVE-2008-4525 (SQL injection vulnerability in index.php in AmpJuke 0.7.5 allows remot ...) NOT-FOR-US: AmpJuke CVE-2008-4524 (SQL injection vulnerability in the "Check User" feature (includes/chec ...) NOT-FOR-US: AdaptCMS CVE-2008-4523 (SQL injection vulnerability in login.php in IP Reg 0.4 and earlier all ...) NOT-FOR-US: IP Reg CVE-2008-4522 (Multiple directory traversal vulnerabilities in JMweb MP3 Music Audio ...) NOT-FOR-US: JMweb MP3 Music Audio Search and Download Script CVE-2008-4521 (SQL injection vulnerability in thisraidprogress.php in the World of Wa ...) NOT-FOR-US: World of Warcraft tracker CVE-2008-4520 (Cross-site scripting (XSS) vulnerability in bulk_update.pl in AutoNess ...) NOT-FOR-US: AutoNessus CVE-2008-4519 (Multiple directory traversal vulnerabilities in Fastpublish CMS 1.9999 ...) NOT-FOR-US: Fastpublish CMS CVE-2008-4518 (Multiple SQL injection vulnerabilities in Fastpublish CMS 1.9.9.9.9 d ...) NOT-FOR-US: Fastpublish CMS CVE-2008-4517 (SQL injection vulnerability in leggi.php in geccBBlite 2.0 allows remo ...) NOT-FOR-US: geccBBlite CVE-2008-4516 (SQL injection vulnerability in galerie.php in Galerie 3.2 allows remot ...) NOT-FOR-US: Galerie CVE-2008-4515 (Blue Coat K9 Web Protection 4.0.230 Beta relies on client-side JavaScr ...) NOT-FOR-US: Blue Coat K9 Web Protection CVE-2008-4514 (The HTML parser in KDE Konqueror 3.5.9 allows remote attackers to caus ...) - kdebase (unimportant) NOTE: browser crash is a non-issue CVE-2008-4513 (Cross-site scripting (XSS) vulnerability in BBcode API module in Phoru ...) NOT-FOR-US: Phorum CVE-2008-4512 (ASP/MS Access Shoutbox, probably 1.1 beta, stores db/shoutdb.mdb under ...) NOT-FOR-US: ASP/MS Access Shoutbox CVE-2008-4511 (Todd Woolums ASP News Management, possibly 2.21, stores db/news.mdb un ...) NOT-FOR-US: Todd Woolums ASP News Management CVE-2008-4510 (Microsoft Windows Vista Home and Ultimate Edition SP1 and earlier allo ...) NOT-FOR-US: Microsoft CVE-2008-4509 (Unrestricted file upload vulnerability in processFiles.php in FOSS Gal ...) NOT-FOR-US: FOSS Gallery CVE-2008-4508 (Stack-based buffer overflow in the file parsing function in Tonec Inte ...) NOT-FOR-US: Tonec Internet Download Manager CVE-2008-4507 (Unspecified vulnerability in IBM Lotus Quickr 8.1 before Fix pack 1 (8 ...) NOT-FOR-US: IBM Lotus Quickr CVE-2008-4506 (Unspecified vulnerability in IBM Lotus Quickr 8.1 before Fix pack 1 (8 ...) NOT-FOR-US: IBM Lotus Quickr CVE-2008-4505 (Unspecified vulnerability in IBM Lotus Quickr 8.1 before Fix pack 1 (8 ...) NOT-FOR-US: IBM Lotus Quickr CVE-2008-4504 (Heap-based buffer overflow in Mplayer.exe in Herosoft Inc. Hero DVD Pl ...) NOT-FOR-US: Herosoft Inc. Hero DVD Player CVE-2008-4503 (The Settings Manager in Adobe Flash Player 9.0.124.0 and earlier allow ...) NOT-FOR-US: Adobe Flash Player CVE-2008-4482 (The XML parser in Xerces-C++ before 3.0.0 allows context-dependent att ...) - xerces-c2 (unimportant; bug #502102) NOTE: Hardly a security issue, anyone who's concerned about this should use Xerces 3 CVE-2008-4480 (Heap-based buffer overflow in dhost.exe in Novell eDirectory 8.x befor ...) NOT-FOR-US: Novell eDirectory CVE-2008-4479 (Heap-based buffer overflow in dhost.exe in Novell eDirectory 8.8 befor ...) NOT-FOR-US: Novell eDirectory CVE-2008-4478 (Multiple integer overflows in dhost.exe in Novell eDirectory 8.8 befor ...) NOT-FOR-US: Novell eDirectory CVE-2008-4473 (Multiple heap-based buffer overflows in Adobe Flash CS3 Professional o ...) NOT-FOR-US: Flash CS3 Professional CVE-2008-4502 (Multiple PHP remote file inclusion vulnerabilities in DataFeedFile (DF ...) NOT-FOR-US: DataFeedFile PHP Framework API CVE-2008-4501 (Directory traversal vulnerability in the FTP server in Serv-U 7.0.0.1 ...) NOT-FOR-US: Serv-U CVE-2008-4500 (Serv-U 7.0.0.1 through 7.3, including 7.2.0.1, allows remote authentic ...) NOT-FOR-US: Serv-U CVE-2008-4499 (Multiple directory traversal vulnerabilities in PHP Web Explorer 0.99b ...) NOT-FOR-US: PHP Web Explorer CVE-2008-4498 (SQL injection vulnerability in searchresults.php in PHP Autos 2.9.1 al ...) NOT-FOR-US: PHP Autos CVE-2008-4497 (SQL injection vulnerability in event_detail.php in Built2Go Real Estat ...) NOT-FOR-US: Built2Go Real Estate Listings CVE-2008-4496 (SQL injection vulnerability in view_cat.php in PHP Realtor 1.5 allows ...) NOT-FOR-US: PHP Realtor CVE-2008-4495 (SQL injection vulnerability in view_cat.php in PHP Auto Dealer 2.7 all ...) NOT-FOR-US: PHP Auto Dealer CVE-2008-4494 (SQL injection vulnerability in completed-advance.php in TorrentTrader ...) NOT-FOR-US: TorrentTrader Classic CVE-2008-4493 (Microsoft PicturePusher ActiveX control (PipPPush.DLL 7.00.0709), as u ...) NOT-FOR-US: PicturePusher ActiveX CVE-2008-4492 (SQL injection vulnerability in referrals.php in YourOwnBux 4.0 allows ...) NOT-FOR-US: YourOwnBux CVE-2008-4491 (Apple Mail.app 3.5 on Mac OS X, when "Store draft messages on the serv ...) NOT-FOR-US: Mac OS CVE-2008-4490 (Directory traversal vulnerability in config.inc.php in phpAbook 0.8.8b ...) NOT-FOR-US: phpAbook CVE-2008-4489 (Directory traversal vulnerability in ap-save.php in Atarone CMS 1.2.0 ...) NOT-FOR-US: Atarone CMS CVE-2008-4488 (Cross-site scripting (XSS) vulnerability in ap-pages.php in Atarone CM ...) NOT-FOR-US: Atarone CMS CVE-2008-4487 (SQL injection vulnerability in ap-save.php in Atarone CMS 1.2.0 allows ...) NOT-FOR-US: Atarone CMS CVE-2008-4486 (Directory traversal vulnerability in index.php in SAC.php (SACphp), as ...) NOT-FOR-US: SACphp CVE-2008-4485 (Cross-site scripting (XSS) vulnerability in the ICAP patience page in ...) NOT-FOR-US: Blue Coat Security Gateway OS CVE-2008-4484 (main.php in Crux Gallery 1.32 and earlier allows remote attackers to g ...) NOT-FOR-US: Crux Gallery CVE-2008-4483 (Directory traversal vulnerability in index.php in Crux Gallery 1.32 an ...) NOT-FOR-US: Crux Gallery CVE-2008-4481 (Cross-site scripting (XSS) vulnerability in Redmine 0.7.2 and earlier ...) NOT-FOR-US: Redmine CVE-2008-4472 (The UpdateEngine class in the LiveUpdate ActiveX control (LiveUpdate16 ...) NOT-FOR-US: LiveUpdate ActiveX CVE-2008-4471 (Directory traversal vulnerability in the CExpressViewerControl class i ...) NOT-FOR-US: DWF Viewer ActiveX CVE-2008-4470 (Stack-based buffer overflow in Numark CUE 5.0 rev2 allows user-assiste ...) NOT-FOR-US: Numark CVE-2008-4469 (SQL injection vulnerability in view_cresume.php in Vastal I-Tech Freel ...) NOT-FOR-US: Vastal I-Tech Freelance Zone CVE-2008-4468 (SQL injection vulnerability in view_news.php in Vastal I-Tech Share Zo ...) NOT-FOR-US: Vastal I-Tech Freelance Zone CVE-2008-4467 (SQL injection vulnerability in show_series_ink.php in Vastal I-Tech To ...) NOT-FOR-US: Vastal I-Tech Freelance Zone CVE-2008-4466 (SQL injection vulnerability in view_products_cat.php in Vastal I-Tech ...) NOT-FOR-US: Vastal I-Tech Freelance Zone CVE-2008-4465 (SQL injection vulnerability in view_mags.php in Vastal I-Tech DVD Zone ...) NOT-FOR-US: Vastal I-Tech Freelance Zone CVE-2008-4464 (SQL injection vulnerability in view_mags.php in Vastal I-Tech Mag Zone ...) NOT-FOR-US: Vastal I-Tech Freelance Zone CVE-2008-4463 (SQL injection vulnerability in view_news.php in Vastal I-Tech Jobs Zon ...) NOT-FOR-US: Vastal I-Tech Freelance Zone CVE-2008-4462 (SQL injection vulnerability in view_news.php in Vastal I-Tech Visa Zon ...) NOT-FOR-US: Vastal I-Tech Freelance Zone CVE-2008-4461 (SQL injection vulnerability in advanced_search_results.php in Vastal I ...) NOT-FOR-US: Vastal I-Tech Freelance Zone CVE-2008-4460 (SQL injection vulnerability in game.php in Vastal I-Tech MMORPG Zone a ...) NOT-FOR-US: Vastal I-Tech Freelance Zone CVE-2008-4459 (SQL injection vulnerability in pick_users.php in the groups module in ...) NOT-FOR-US: eXtrovert Thyme CVE-2008-4458 (SQL injection vulnerability in listings.php in E-Php B2B Trading Marke ...) NOT-FOR-US: E-Php B2B Trading Marketplace Script CVE-2008-4457 (SQL injection vulnerability in inc/inc_statistics.php in MemHT Portal ...) NOT-FOR-US: MemHT Portal CVE-2008-4456 (Cross-site scripting (XSS) vulnerability in the command-line client in ...) {DSA-1783-1} - mysql-dfsg-5.0 5.0.51-1 (low; bug #526254) CVE-2008-4455 (Directory traversal vulnerability in index.php in EKINdesigns MySQL Qu ...) NOT-FOR-US: EKINdesigns MySQL Quick Admin CVE-2008-4454 (Directory traversal vulnerability in EKINdesigns MySQL Quick Admin 1.5 ...) NOT-FOR-US: EKINdesigns MySQL Quick Admin CVE-2008-4453 (The GdPicture (1) Light Imaging Toolkit 4.7.1 GdPicture4S.Imaging Acti ...) NOT-FOR-US: ActiveX control CVE-2008-4452 (Buffer overflow in Cambridge Computer Corporation vxFtpSrv 2.0.3 allow ...) NOT-FOR-US: Cambridge Computer Corporation vxFtpSrv CVE-2008-4451 (The SysInspector AntiStealth driver (esiasdrv.sys) 3.0.65535.0 in ESET ...) NOT-FOR-US: ESET System Analyzer Tool CVE-2008-4450 (Cross-site scripting (XSS) vulnerability in adodb.php in XAMPP for Win ...) NOT-FOR-US: XAMPP CVE-2008-4449 (Stack-based buffer overflow in mIRC 6.34 allows remote attackers to ex ...) NOT-FOR-US: mIRC CVE-2008-4448 (Cross-site request forgery (CSRF) vulnerability in actions.php in Posi ...) NOT-FOR-US: Positive Software H-Sphere WebShell CVE-2008-4447 (Cross-site scripting (XSS) vulnerability in actions.php in Positive So ...) NOT-FOR-US: Positive Software H-Sphere WebShell CVE-2008-4446 (Cross-site scripting (XSS) vulnerability in Nucleus EUC-JP 3.31 SP1 an ...) NOT-FOR-US: Nucleus EUC-JP CVE-2008-4445 (The sctp_auth_ep_set_hmacs function in net/sctp/auth.c in the Stream C ...) {DSA-1655-1} - linux-2.6 2.6.26-5 - linux-2.6.24 2.6.24-6~etchnhalf.6 [etch] - linux-2.6 (vulnerable code not present) CVE-2008-4444 (Cisco Unified IP Phone (aka SIP phone) 7960G and 7940G with firmware P ...) NOT-FOR-US: Cisco Unified IP Phone CVE-2008-4443 RESERVED CVE-2008-4442 RESERVED CVE-2008-4441 (The Marvell driver for the Linksys WAP4400N Wi-Fi access point with fi ...) NOT-FOR-US: Linksys CVE-2008-4439 (PHP remote file inclusion vulnerability in admin/bin/patch.php in Mart ...) NOT-FOR-US: MartinWood Datafeed Studio CVE-2008-4438 (Cross-site scripting (XSS) vulnerability in search.php in Datafeed Stu ...) NOT-FOR-US: Datafeed Studio CVE-2008-4437 (Directory traversal vulnerability in importxml.pl in Bugzilla before 2 ...) {DTSA-170-1} - bugzilla 3.0.5.0-1 (low; bug #502019) [etch] - bugzilla (Minor issue) CVE-2008-4436 (SQL injection vulnerability in bblog_plugins/builtin.help.php in bBlog ...) NOT-FOR-US: bBlog CVE-2008-4435 (Multiple cross-site scripting (XSS) vulnerabilities in the RMSOFT Down ...) NOT-FOR-US: RMSOFT Downloads Plus CVE-2008-4434 (Stack-based buffer overflow in (1) uTorrent 1.7.7 build 8179 and earli ...) NOT-FOR-US: uTorrent/Bittorrent CVE-2008-4433 (SQL injection vulnerability in search.php in the RMSOFT MiniShop modul ...) NOT-FOR-US: RMSOFT MiniShop (xoops) CVE-2008-4432 (Cross-site scripting (XSS) vulnerability in search.php in the RMSOFT M ...) NOT-FOR-US: RMSOFT MiniShop (xoops) CVE-2008-4431 (SQL injection vulnerability in index.php in IceBB 1.0-rc9.3 and earlie ...) NOT-FOR-US: IceBB CVE-2008-4430 REJECTED CVE-2008-4429 (Unspecified vulnerability in SOURCENEXT Virus Security ZERO 9.5.0173 a ...) NOT-FOR-US: SOURCENEXT Virus Security ZERO CVE-2008-4428 (Unrestricted file upload vulnerability in upload.php in Phlatline's Pe ...) NOT-FOR-US: Phlatline's Personal Information Manager CVE-2008-4427 (changepassword.php in Phlatline's Personal Information Manager (pPIM) ...) NOT-FOR-US: Phlatline's Personal Information Manager CVE-2008-4426 (Cross-site scripting (XSS) vulnerability in events.php in Phlatline's ...) NOT-FOR-US: Phlatline's Personal Information Manager CVE-2008-4425 (Directory traversal vulnerability in upload.php in Phlatline's Persona ...) NOT-FOR-US: Phlatline's Personal Information Manager CVE-2008-4424 (Cross-site scripting (XSS) vulnerability in index.php in Domain Group ...) NOT-FOR-US: Domain Group Network GooCMS CVE-2008-4423 (SQL injection vulnerability in index.php in Ovidentia 6.6.5 allows rem ...) NOT-FOR-US: Ovidentia CVE-2008-4422 REJECTED CVE-2008-4421 (Directory traversal vulnerability in MetaGauge 1.0.0.17, and probably ...) NOT-FOR-US: MetaGauge CVE-2008-4420 (Multiple stack-based buffer overflows in DZIP32.DLL before 5.0.0.8 in ...) NOT-FOR-US: DynaZip Max CVE-2008-4419 (Directory traversal vulnerability in the HP JetDirect web administrati ...) NOT-FOR-US: HP-ChaiSOE CVE-2008-4418 (Unspecified vulnerability in DCE in HP HP-UX B.11.11, B.11.23, and B.1 ...) NOT-FOR-US: HP-UX CVE-2008-4417 REJECTED CVE-2008-4416 (Unspecified vulnerability in the kernel in HP HP-UX B.11.31 allows loc ...) NOT-FOR-US: HP-UX CVE-2008-4415 (Unspecified vulnerability in HP Service Manager (HPSM) before 7.01.71 ...) NOT-FOR-US: HP Service Manager (HPSM) CVE-2008-4414 (Unspecified vulnerability in the AdvFS showfile command in HP Tru64 UN ...) NOT-FOR-US: HP Tru64 UNIX CVE-2008-4413 (Unspecified vulnerability in HP System Management Homepage (SMH) 2.2.6 ...) NOT-FOR-US: HP System Management Homepage CVE-2008-4412 (Unspecified vulnerability in HP Systems Insight Manager (SIM) before 5 ...) NOT-FOR-US: HP Systems Insight Manager CVE-2008-4411 (Cross-site scripting (XSS) vulnerability in HP System Management Homep ...) NOT-FOR-US: HP System Management Homepage CVE-2008-4410 (The vmi_write_ldt_entry function in arch/x86/kernel/vmi_32.c in the Vi ...) - linux-2.6 2.6.26-8 - linux-2.6.24 (Vulnerable code not present) [etch] - linux-2.6 (Vulnerable code not present) CVE-2008-4409 (libxml2 2.7.0 and 2.7.1 does not properly handle "predefined entities ...) - libxml2 [lenny] - libxml2 (Vulnerable code not present) [etch] - libxml2 (Vulnerable code not present) NOTE: The bug affects only to 2.7.0 and 2.7.1 CVE-2008-4406 (A certain Debian patch to the run scripts for sabre (aka xsabre) 0.2.4 ...) - sabre 0.2.4b-25 (low; bug #433996) [etch] - sabre (Game not qualified as multi-user system, thus minor issue) CVE-2008-4405 (xend in Xen 3.0.3 does not properly limit the contents of the /local/d ...) - xen-3 3.4.0-1 (bug #503811) - xen-unstable NOTE: a proposed patch leads to new problems, see CVE-2008-5716 CVE-2008-4404 (The IPv6 Neighbor Discovery Protocol (NDP) implementation on IBM zSeri ...) NOT-FOR-US: IPv6 NDP on IBM zSeries CVE-2008-4403 (The CGI modules in the server in Trend Micro OfficeScan 8.0 SP1 before ...) NOT-FOR-US: Trend Micro OfficeScan CVE-2008-4402 (Multiple buffer overflows in CGI modules in the server in Trend Micro ...) NOT-FOR-US: Trend Micro OfficeScan CVE-2008-4408 (Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.1, 1.12.0, ...) {DTSA-171-1} - mediawiki 1:1.13.2-1 (low; bug #501115) [etch] - mediawiki (Vulnerable code not present) CVE-2008-4475 (ibackup 2.27 allows local users to overwrite arbitrary files via a sym ...) - ibackup (low; bug #496432) [etch] - ibackup (Minor issues) CVE-2008-4401 (ActionScript in Adobe Flash Player 9.0.124.0 and earlier does not requ ...) NOT-FOR-US: Adobe Flash Player CVE-2008-4400 (Unspecified vulnerability in asdbapi.dll in CA ARCserve Backup (former ...) NOT-FOR-US: CA ARCserve Backup CVE-2008-4399 (Unspecified vulnerability in the database engine service in asdbapi.dl ...) NOT-FOR-US: CA ARCserve Backup CVE-2008-4398 (Unspecified vulnerability in the tape engine service in asdbapi.dll in ...) NOT-FOR-US: CA ARCserve Backup CVE-2008-4397 (Directory traversal vulnerability in the RPC interface (asdbapi.dll) i ...) NOT-FOR-US: CA ARCserve Backup CVE-2008-4396 (Stack-based buffer overflow in Safer Networking FileAlyzer 1.6.0.0 and ...) NOT-FOR-US: Safer Networking FileAlyzer CVE-2008-4969 (ltp-network-test 20060918 allows local users to overwrite arbitrary fi ...) - ltp 20060918-3 (low; bug #496411) [etch] - ltp (Documented to be only suitable for single user setups currently) CVE-2008-4954 (mead.pl in fml 4.0.3 allows local users to overwrite arbitrary files v ...) - fml (low; bug #496370) [etch] - fml (Minor issue) CVE-2008-4957 (find_flags in Kitware GCC-XML (gccxml) 0.9.0 allows local users to ove ...) - gccxml 0.9.0+cvs20100501-1 (unimportant; bug #496391) NOTE: Only applies to a script used for an obscure SGI compiler CVE-2008-4943 (bulmages-servers 0.11.1 allows local users to overwrite arbitrary file ...) - bulmages (unimportant; bug #496382) NOTE: Only present in example scripts CVE-2008-5034 - printfilters-ppd (unimportant; bug #496417) NOTE: Only exploitable when modifying master-filter by hand CVE-2008-4955 (freevo.real in freevo 1.8.1 allows local users to overwrite arbitrary ...) - freevo (unimportant; bug #496373) NOTE: Only exploitable when modifying script by hand CVE-2008-4974 (rrdedit in netmrg 0.20 allows local users to overwrite arbitrary files ...) - netmrg 0.20-2 (low; bug #496384) [etch] - netmrg (Minor issue) CVE-2008-4960 (impose in impose+ 0.2 allows local users to overwrite arbitrary files ...) - impose+ 0.2-11.1 (low; bug #496435) [etch] - impose+ (Minor issue) CVE-2008-4964 (filters/any-UTF8 in konwert 1.8 allows local users to delete arbitrary ...) - konwert 1.8-11.2 (low; bug #496379) [etch] - konwert (Minor issue) CVE-2008-4986 (wims 3.62 allows local users to overwrite arbitrary files via a symlin ...) - wims 3.62-13.1 (low; bug #496387) [etch] - wims (Minor issue) CVE-2008-4474 (freeradius-dialupadmin in freeradius 2.0.4 allows local users to overw ...) - freeradius 2.0.4+dfsg-6 (low; bug #496389) [etch] - freeradius (Minor issue) CVE-2008-4995 (redirect.pl in bk2site 1.1.9 allows local users to overwrite arbitrary ...) - bk2site (unimportant; bug #496430) NOTE: Only debug code, script needs to be edited to exploit this CVE-2008-4983 (scilab-bin 4.1.2 allows local users to overwrite arbitrary files via a ...) - scilab 4.1.2-6 (low; bug #496414) [etch] - scilab (Non-free not supported) CVE-2008-4395 (Multiple buffer overflows in the ndiswrapper module 1.53 for the Linux ...) {DSA-1731-1} - ndiswrapper 1.53-2 (medium; bug #504696) CVE-2008-4394 (Multiple untrusted search path vulnerabilities in Portage before 2.1.4 ...) NOT-FOR-US: Gentoo package manager Portage CVE-2008-4393 (Cross-site scripting (XSS) vulnerability in VeriSign Kontiki Delivery ...) NOT-FOR-US: VeriSign Kontiki CVE-2008-4392 (dnscache in Daniel J. Bernstein djbdns 1.05 does not prevent simultane ...) - djbdns (high; bug #516394) CVE-2008-4391 (Stack-based buffer overflow in the SetSource method in the NetCamPlaye ...) NOT-FOR-US: Cisco Linksys WVC54GC CVE-2008-4390 (The Cisco Linksys WVC54GC wireless video camera before firmware 1.25 s ...) NOT-FOR-US: Cisco Linksys WVC54GC CVE-2008-4389 (Symantec AppStream 5.2.x and Symantec Workspace Streaming (SWS) 6.1.x ...) NOT-FOR-US: Symantec AppStream CVE-2008-4388 (The LaunchObj ActiveX control before 5.2.2.865 in launcher.dll in Syma ...) NOT-FOR-US: LaunchObj ActiveX CVE-2008-4387 (Unspecified vulnerability in the Simba MDrmSap ActiveX control in mdrm ...) NOT-FOR-US: ActiveX CVE-2008-4386 RESERVED CVE-2008-4385 (Husdawg, LLC Systems Requirements Lab 3, as used by Instant Expert Ana ...) NOT-FOR-US: LLC Systems Requirements Lab CVE-2008-4384 (Multiple stack-based buffer overflows in MGI Software LPViewer ActiveX ...) NOT-FOR-US: LPViewer ActiveX CVE-2008-4383 (Stack-based buffer overflow in the Agranet-Emweb embedded management w ...) NOT-FOR-US: Agranet-Emweb CVE-2008-4382 (Konqueror in KDE 3.5.9 allows remote attackers to cause a denial of se ...) - kdebase (unimportant) NOTE: browser dos not treated as security issue. This is the same like CVE-2008-4381 NOTE: which will work in every JS browser as the PoC just creates a large string passing NOTE: it to alert and thus eating memory, no security issue. CVE-2008-4381 (Microsoft Internet Explorer 7 allows remote attackers to cause a denia ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-4380 (The web interface in Samsung DVR SHR2040 allows remote attackers to ca ...) NOT-FOR-US: Samsung DVR SHR2040 CVE-2008-4379 (Cross-site scripting (XSS) vulnerability in report.php in Mr. CGI Guy ...) NOT-FOR-US: Mr. CGI Guy Hot Links SQL-PHP CVE-2008-4378 (SQL injection vulnerability in report.php in Mr. CGI Guy Hot Links SQL ...) NOT-FOR-US: Mr. CGI Guy Hot Links SQL-PHP CVE-2008-4377 (SQL injection vulnerability in index.asp in Creative Mind Creator CMS ...) NOT-FOR-US: Creative Mind Creator CMS CVE-2008-4376 (SQL injection vulnerability in index.php in Live TV Script allows remo ...) NOT-FOR-US: Live TV Script CVE-2008-4375 (SQL injection vulnerability in viewprofile.php in Availscript Classmat ...) NOT-FOR-US: Availscript CVE-2008-4374 (SQL injection vulnerability in index.php in CMS Buzz allows remote att ...) NOT-FOR-US: CMS Buzz CVE-2008-4373 (SQL injection vulnerability in job_seeker/applynow.php in AvailScript ...) NOT-FOR-US: Availscript CVE-2008-4372 (Cross-site scripting (XSS) vulnerability in articles.php in AvailScrip ...) NOT-FOR-US: Availscript CVE-2008-4371 (SQL injection vulnerability in articles.php in AvailScript Article Scr ...) NOT-FOR-US: Availscript CVE-2008-4370 (Multiple cross-site scripting (XSS) vulnerabilities in Availscript Pho ...) NOT-FOR-US: Availscript CVE-2008-4369 (SQL injection vulnerability in pics.php in Availscript Photo Album all ...) NOT-FOR-US: Availscript CVE-2008-4368 (The default configuration of Java 1.5 on Apple Mac OS X 10.5.4 and 10. ...) NOT-FOR-US: Java on OSX CVE-2008-4367 RESERVED CVE-2008-4965 (liguidsoap.py in liguidsoap 0.3.8.1+2 allows local users to overwrite ...) {DTSA-177-1 DTSA-178-1} - liquidsoap 0.3.8.1+2-2 (low; bug #496360) [lenny] - liquidsoap 0.3.6-4+lenny1 CVE-2008-4966 (linux-patch-openswan 2.4.12 allows local users to overwrite arbitrary ...) - openswan 1:2.6.21+dfsg-2 (unimportant; bug #496376) NOTE: Only unused packaging bits CVE-2008-4941 (arb-common 0.0.20071207.1 allows local users to overwrite arbitrary fi ...) - arb 0.0.20071207.1-5 (low; bug #496396) CVE-2008-4940 (xmlfile.py in aptoncd 0.1 allows local users to overwrite arbitrary fi ...) - aptoncd 0.1-1.2 (bug #496390; low) CVE-2008-4947 (dhis-dummy-log-engine in dhis-server 5.3 allows local users to overwri ...) - dhis-server 5.3-1.2 (bug #496388; unimportant) CVE-2008-4967 (linuxtrade 3.65 allows local users to overwrite arbitrary files via a ...) - linuxtrade (unimportant; bug #496372) NOTE: unimportant since the program is dysfunctional with the current NOTE: trading website and thus not exploitable for practical purposes CVE-2008-4980 (delqueueask in rccp 0.9 allows local users to overwrite arbitrary file ...) - rccp 0.9-2.1 (low; bug #496364) [etch] - rccp (Minor issue) CVE-2008-4948 (fest.pl in digitaldj 0.7.5 allows local users to overwrite arbitrary f ...) - digitaldj 0.7.5-6.1 (low; bug #496399) [etch] - digitaldj (Minor issue) CVE-2008-4945 (amlabel-cdrw in cdrw-taper 0.4 might allow local users to overwrite ar ...) - cdrw-taper 0.4-2.1 (low; bug #496380) [etch] - cdrw-taper (Minor issue) CVE-2008-4958 (gdrae in gdrae 0.1 allows local users to overwrite arbitrary files via ...) - gdrae 0.1-1.1 (low; bug #496378) [etch] - gdrae (Minor issue) CVE-2008-4407 (XRunSabre in sabre (aka xsabre) 0.2.4b relies on the ability to create ...) - sabre 0.2.4b-25 (low; bug #433996) [etch] - sabre (Game not qualified as multi-user system, thus minor issue) CVE-2008-4366 (Unrestricted file upload vulnerability in the image upload component i ...) NOT-FOR-US: Camera Life CVE-2008-4365 (Cross-site scripting (XSS) vulnerability in search.php in Siteman 1.1. ...) NOT-FOR-US: Siteman CVE-2008-4364 (SQL injection vulnerability in default.aspx in ParsaGostar ParsaWeb CM ...) NOT-FOR-US: ParsaGostar ParsaWeb CMS CVE-2008-4363 (DLMFENC.sys 1.0.0.28 in DESlock+ 3.2.7 allows local users to cause a d ...) NOT-FOR-US: DESlock CVE-2008-4362 (The Virtual Token driver (vdlptokn.sys) 1.0.2.43 in DESlock+ 3.2.7 all ...) NOT-FOR-US: DESlock CVE-2008-4361 (Directory traversal vulnerability in PowerPortal 2.0.13 allows remote ...) NOT-FOR-US: PowerPortal CVE-2008-4360 (mod_userdir in lighttpd before 1.4.20, when a case-insensitive operati ...) {DSA-1645-1} - lighttpd 1.4.19-5 (low) NOTE: http://www.lighttpd.net/security/lighttpd_sa_2008_06.txt CVE-2008-4359 (lighttpd before 1.4.20 compares URIs to patterns in the (1) url.redire ...) {DSA-1645-1} - lighttpd 1.4.19-5 (low) NOTE: http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt CVE-2008-4358 (Unspecified vulnerability in class/theme.class.php in SPAW Editor PHP ...) NOT-FOR-US: SPAW Editor PHP CVE-2008-4357 (SQL injection vulnerability in linkto.php in Powie pLink 2.07 allows r ...) NOT-FOR-US: Powie pLink CVE-2008-4356 (Multiple SQL injection vulnerabilities in Kasseler CMS 1.1.0 and 1.2.0 ...) NOT-FOR-US: Kasseler CMS CVE-2008-4355 (SQL injection vulnerability in showprofil.php in Powie PSCRIPT Forum ( ...) NOT-FOR-US: Powie PSCRIPT Forum CVE-2008-4354 (SQL injection vulnerability in the products module in NetArt Media iBo ...) NOT-FOR-US: NetArt Media iBoutique CVE-2008-4353 (SQL injection vulnerability in link.php in Linkarity allows remote att ...) NOT-FOR-US: Linkarity CVE-2008-4352 (SQL injection vulnerability in inc/pages/viewprofile.php in phpSmartCo ...) NOT-FOR-US: phpSmartCom CVE-2008-4351 (Directory traversal vulnerability in index.php in phpSmartCom 0.2 allo ...) NOT-FOR-US: phpSmartCom CVE-2008-4350 (SQL injection vulnerability in main.php in vbLOGIX Tutorial Script 1.0 ...) NOT-FOR-US: vbLOGIX Tutorial Script CVE-2008-4349 (Multiple cross-site scripting (XSS) vulnerabilities in news.php in s0n ...) NOT-FOR-US: s0nic Paranews CVE-2008-4348 (SQL injection vulnerability in photo.php in PHPortfolio, possibly 1.3, ...) NOT-FOR-US: PHPortfolio CVE-2008-4347 (SQL injection vulnerability in newskom.php in Powie pNews 2.03 allows ...) NOT-FOR-US: Powie pNews CVE-2008-4346 (Directory traversal vulnerability in TalkBack 2.3.6 and 2.3.6.4 allows ...) NOT-FOR-US: TalkBack CVE-2008-4345 (SQL injection vulnerability in download.php in WebPortal CMS 0.7.4 and ...) NOT-FOR-US: WebPortal CMS CVE-2008-4344 (SQL injection vulnerability in cat.php in 6rbScript allows remote atta ...) NOT-FOR-US: 6rbScript CVE-2008-4343 (The Chilkat XML ChilkatUtil.CkData.1 ActiveX control (ChilkatUtil.dll) ...) NOT-FOR-US: Chilkat XML ChilkatUtil.CkData.1 ActiveX control CVE-2008-4342 (NuMedia Soft NMS DVD Burning SDK Activex NMSDVDX.DVDEngineX.1 ActiveX ...) NOT-FOR-US: ActiveX CVE-2008-4341 (add.php in MyBlog 0.9.8 and earlier allows remote attackers to bypass ...) NOT-FOR-US: MyBlog CVE-2008-4340 (Google Chrome 0.2.149.29 and 0.2.149.30 allows remote attackers to cau ...) - chromium-browser (only 0.x is affected) - webkit (poc not effective) CVE-2008-4339 (Unspecified vulnerability in the Java Administration GUI (jnbSA) in Sy ...) NOT-FOR-US: Symantec Veritas NetBackup Server CVE-2008-4338 (SQL injection vulnerability in the brilliant_gallery_checklist_save fu ...) NOT-FOR-US: drupal brilliant gallery 3rd party module CVE-2008-4337 (Cross-site scripting (XSS) vulnerability in Bitweaver 2.0.2 allows rem ...) NOT-FOR-US: Bitweaver CVE-2008-4336 (Cross-site scripting (XSS) vulnerability in album.php in Atomic Photo ...) NOT-FOR-US: Atomic Photo Album CVE-2008-4335 (SQL injection vulnerability in album.php in Atomic Photo Album (APA) 1 ...) NOT-FOR-US: Atomic Photo Album CVE-2008-4334 (PHP infoBoard V.7 Plus allows remote attackers to bypass authenticatio ...) NOT-FOR-US: PHP infoBoard CVE-2008-4333 (Cross-site scripting (XSS) vulnerability in PHP infoBoard V.7 Plus all ...) NOT-FOR-US: PHP infoBoard CVE-2008-4332 (SQL injection vulnerability in the showjavatopic function in func.php ...) NOT-FOR-US: PHP infoBoard CVE-2008-4331 (Directory traversal vulnerability in library/pagefunctions.inc.php in ...) NOT-FOR-US: phpOCS CVE-2008-4330 (Directory traversal vulnerability in index.php in LanSuite 3.3.2 allow ...) NOT-FOR-US: LanSuite CVE-2008-4329 (PHP remote file inclusion vulnerability in cms/system/openengine.php i ...) NOT-FOR-US: openEngine CVE-2008-4328 (SQL injection vulnerability in site_search.php in EasyRealtorPRO 2008 ...) NOT-FOR-US: EasyRealtorPRO CVE-2008-4327 (gdiplus.dll in GDI+ in Microsoft Windows XP SP3 does not properly hand ...) NOT-FOR-US: Microsoft CVE-2008-4326 (The PMA_escapeJsString function in libraries/js_escape.lib.php in phpM ...) {DSA-1675-1} - phpmyadmin 4:2.11.8.1-3 NOTE: https://www.phpmyadmin.net/security/PMASA-2008-8/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/44f9f2f8b7475c2d48c529d9bfd0ff473cd328b1 (2.11 branch) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/0d219abdcd55c11f7f629a58a2279f0839bd2acc CVE-2008-4325 (lib/viewvc.py in ViewVC 1.0.5 uses the content-type parameter in the H ...) - viewvc 1.0.9-1 (bug #500779; unimportant) CVE-2008-4324 (The user interface event dispatcher in Mozilla Firefox 3.0.3 on Window ...) - iceweasel (unimportant) NOTE: reproducible but browser DoS not treated as security issue CVE-2008-4323 (Windows Explorer in Microsoft Windows XP SP3 allows user-assisted atta ...) NOT-FOR-US: Windows Explorer CVE-2008-4322 (Stack-based buffer overflow in RealFlex Technologies Ltd. RealWin Serv ...) NOT-FOR-US: Microsoft CVE-2008-4321 (Buffer overflow in FlashGet (formerly JetCar) FTP 1.9 allows remote FT ...) NOT-FOR-US: FlashGet FTP CVE-2008-4320 (Multiple cross-site scripting (XSS) vulnerabilities in OpenNMS before ...) NOT-FOR-US: OpenNMS CVE-2008-4319 (fileadmin.php in Libra File Manager (aka Libra PHP File Manager) 1.18 ...) NOT-FOR-US: Libra File Manager CVE-2008-4318 (Observer 0.3.2.1 and earlier allows remote attackers to execute arbitr ...) NOT-FOR-US: Observer CVE-2008-4317 REJECTED CVE-2008-4316 (Multiple integer overflows in glib/gbase64.c in GLib before 2.20 allow ...) {DSA-1747-1} - glib2.0 2.20.0-1 (medium; bug #520046) CVE-2008-4315 (tog-pegasus in OpenGroup Pegasus 2.7.0 on Red Hat Enterprise Linux (RH ...) NOT-FOR-US: OpenPegasus CVE-2008-4314 (smbd in Samba 3.0.29 through 3.2.4 might allow remote attackers to rea ...) - samba 2:3.2.5-1 [etch] - samba (Vulnerable code not present) CVE-2008-4313 (A certain Red Hat patch for tog-pegasus in OpenGroup Pegasus 2.7.0 doe ...) NOT-FOR-US: OpenPegasus CVE-2008-4312 REJECTED CVE-2008-4311 (The default configuration of system.conf in D-Bus (aka DBus) before 1. ...) - dbus 1.2.1-5 (low; bug #508032) [etch] - dbus (Backport for Etch too risky for regressions for too little gain) CVE-2008-4310 (httputils.rb in WEBrick in Ruby 1.8.1 and 1.8.5, as used in Red Hat En ...) - ruby (bug #508030) NOTE: Red Hat-specific CVE-2008-4309 (Integer overflow in the netsnmp_create_subtree_cache function in agent ...) {DSA-1663-1} - net-snmp 5.4.1~dfsg-11 (bug #504150) CVE-2008-4308 (The doRead method in Apache Tomcat 4.1.32 through 4.1.34 and 5.5.10 th ...) - tomcat5.5 5.5.23-1 (low) CVE-2008-4307 (Race condition in the do_setlk function in fs/nfs/file.c in the Linux ...) {DSA-1794-1 DSA-1787-1} - linux-2.6 2.6.26-1 - linux-2.6.24 CVE-2008-4306 (Buffer overflow in enscript before 1.6.4 has unknown impact and attack ...) {DSA-1670-1} - enscript 1.6.4-13 (bug #506261) CVE-2008-4305 (Static code injection vulnerability in installation/setup.php in phpCo ...) NOT-FOR-US: phpCollab CVE-2008-4304 (general/login.php in phpCollab 2.5 rc3 and earlier allows remote attac ...) NOT-FOR-US: phpCollab CVE-2008-4303 (Multiple SQL injection vulnerabilities in phpCollab 2.5 rc3, 2.4, and ...) NOT-FOR-US: phpCollab CVE-2008-4302 (fs/splice.c in the splice subsystem in the Linux kernel before 2.6.22. ...) {DSA-1653-1} - linux-2.6 2.6.22-4 (low) - linux-2.6.24 (Vulnerable code not present) CVE-2008-4301 NOT-FOR-US: Microsoft CVE-2008-4300 (A certain ActiveX control in adsiis.dll in Microsoft Internet Informat ...) NOT-FOR-US: Microsoft CVE-2008-4299 (A certain ActiveX control in the Microsoft Internet Authentication Ser ...) NOT-FOR-US: Microsoft CVE-2008-4297 (Mercurial before 1.0.2 does not enforce the allowpull permission setti ...) - mercurial 1.0.1-5.1 (low; bug #500781) NOTE: the package doesnt install this script by default but ships it with the examples [etch] - mercurial (Only shipped in examples) CVE-2008-4296 (The Cisco Linksys WRT350N with firmware 1.0.3.7 has "admin" as its def ...) NOT-FOR-US: Cisco Linksys WRT350N CVE-2008-4295 (Microsoft Windows Mobile 6.0 on HTC Wiza 200 and HTC MDA 8125 devices ...) NOT-FOR-US: Microsoft CVE-2008-4294 (IBM Tivoli Netcool/Webtop 2.1 before 2.1.0.5 preserves cached user pri ...) NOT-FOR-US: IBM Tivoli Netcool/Webtop CVE-2008-4293 (Unspecified vulnerability in Opera before 9.52 on Windows, when regist ...) NOT-FOR-US: Opera CVE-2008-4292 (Opera before 9.52 does not check the CRL override upon encountering a ...) NOT-FOR-US: Opera CVE-2008-4291 RESERVED CVE-2008-4290 RESERVED CVE-2008-4289 RESERVED CVE-2008-4288 RESERVED CVE-2008-4287 RESERVED CVE-2008-4286 RESERVED CVE-2008-4285 (Unspecified vulnerability in the Performance Monitoring Infrastructure ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2008-4284 (Open redirect vulnerability in the ibm_security_logout servlet in IBM ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2008-4283 (CRLF injection vulnerability in the WebContainer component in IBM WebS ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2008-4282 RESERVED CVE-2008-4281 (Directory traversal vulnerability in VMWare ESXi 3.5 before ESXe350-20 ...) NOT-FOR-US: VMWare ESXi CVE-2008-4280 RESERVED CVE-2008-4279 (The CPU hardware emulation for 64-bit guest operating systems in VMwar ...) NOT-FOR-US: VMware Workstation CVE-2008-4278 (VMware VirtualCenter 2.5 before Update 3 build 119838 on Windows displ ...) NOT-FOR-US: VMWare VirtualCenter CVE-2008-4277 REJECTED CVE-2008-4276 REJECTED CVE-2008-4275 REJECTED CVE-2008-4274 REJECTED CVE-2008-4273 REJECTED CVE-2008-4272 REJECTED CVE-2008-4271 REJECTED CVE-2008-4270 REJECTED CVE-2008-4269 (The search-ms protocol handler in Windows Explorer in Microsoft Window ...) NOT-FOR-US: Microsoft Windows Explorer CVE-2008-4268 (The Windows Search component in Microsoft Windows Vista Gold and SP1 a ...) NOT-FOR-US: Microsoft Office Excel CVE-2008-4267 REJECTED CVE-2008-4266 (Array index vulnerability in Microsoft Office Excel 2000 SP3, 2002 SP3 ...) NOT-FOR-US: Microsoft Office Excel CVE-2008-4265 (Microsoft Office Excel 2000 SP3 allows remote attackers to execute arb ...) NOT-FOR-US: Microsoft Office Excel CVE-2008-4264 (Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 Gold and ...) NOT-FOR-US: Microsoft Office Excel CVE-2008-4263 REJECTED CVE-2008-4262 REJECTED CVE-2008-4261 (Stack-based buffer overflow in Microsoft Internet Explorer 5.01 SP4, 6 ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-4260 (Microsoft Internet Explorer 7 sometimes attempts to access a deleted o ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-4259 (Microsoft Internet Explorer 7 sometimes attempts to access uninitializ ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-4258 (Microsoft Internet Explorer 5.01 SP4 and 6 SP1 does not properly valid ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-4257 REJECTED CVE-2008-4256 (The Charts ActiveX control in Microsoft Visual Basic 6.0, Visual Studi ...) NOT-FOR-US: Microsoft Visual Basic CVE-2008-4255 (Heap-based buffer overflow in mscomct2.ocx (aka Windows Common ActiveX ...) NOT-FOR-US: Microsoft Visual Basic CVE-2008-4254 (Multiple integer overflows in the Hierarchical FlexGrid ActiveX contro ...) NOT-FOR-US: Microsoft Visual Basic CVE-2008-4253 (The FlexGrid ActiveX control in Microsoft Visual Basic 6.0, Visual Fox ...) NOT-FOR-US: Microsoft Visual Basic CVE-2008-4252 (The DataGrid ActiveX control in Microsoft Visual Basic 6.0 and Visual ...) NOT-FOR-US: Microsoft Visual Basic CVE-2008-4251 REJECTED CVE-2008-4250 (The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Serv ...) NOT-FOR-US: Microsoft Windows CVE-2008-4249 REJECTED CVE-2008-4248 REJECTED CVE-2008-4246 (Unspecified vulnerability in Denora IRC Stats Server before 1.4.1 allo ...) NOT-FOR-US: Denora IRC Stats Server CVE-2008-4245 (The Admin Control Panel in Rianxosencabos CMS 0.9 does not require adm ...) NOT-FOR-US: Rianxosencabos CMS CVE-2008-4244 (Rianxosencabos CMS 0.9 allows remote attackers to bypass authenticatio ...) NOT-FOR-US: Rianxosencabos CMS CVE-2008-4243 (Directory traversal vulnerability in ImageServer (aka UTImageServer) i ...) NOT-FOR-US: Epic Games Unreal Tournament CVE-2008-4242 (ProFTPD 1.3.1 interprets long commands from an FTP client as multiple ...) {DSA-1689-1} - proftpd-dfsg 1.3.1-15 (low; bug #502674) CVE-2008-4241 (SQL injection vulnerability in CJ Ultra Plus 1.0.4 and earlier allows ...) NOT-FOR-US: CJ Ultra Plus CVE-2008-4240 RESERVED CVE-2008-4239 RESERVED CVE-2008-4238 RESERVED CVE-2008-4237 (Managed Client in Apple Mac OS X before 10.5.6 sometimes misidentifies ...) NOT-FOR-US: Managed Client Mac OS X CVE-2008-4236 (Apple Type Services (ATS) in Apple Mac OS X 10.5 before 10.5.6 allows ...) NOT-FOR-US: Apple Type Services CVE-2008-4235 RESERVED CVE-2008-4234 (Incomplete blacklist vulnerability in the Quarantine feature in CoreTy ...) NOT-FOR-US: CoreTypes Apple Mac OS X CVE-2008-4233 (Safari in Apple iPhone OS 1.0 through 2.1 and iPhone OS for iPod touch ...) NOT-FOR-US: Apple CVE-2008-4232 (Safari in Apple iPhone OS 2.0 through 2.1 and iPhone OS for iPod touch ...) NOT-FOR-US: Safari CVE-2008-4231 (Safari in Apple iPhone OS 1.0 through 2.1 and iPhone OS for iPod touch ...) NOT-FOR-US: Apple CVE-2008-4230 (The Passcode Lock feature in Apple iPhone OS 1.0 through 2.1 and iPhon ...) NOT-FOR-US: Apple CVE-2008-4229 (Race condition in the Passcode Lock feature in Apple iPhone OS 2.0 thr ...) NOT-FOR-US: Apple CVE-2008-4228 (The Passcode Lock feature in Apple iPhone OS 1.0 through 2.1 and iPhon ...) NOT-FOR-US: Apple CVE-2008-4227 (Apple iPhone OS 1.0 through 2.1 and iPhone OS for iPod touch 1.1 throu ...) NOT-FOR-US: Apple CVE-2008-4226 (Integer overflow in the xmlSAX2Characters function in libxml2 2.7.2 al ...) {DSA-1666-1} - libxml2 2.6.32.dfsg-5 - chromium-browser 5.0.375.29~r46008-1 CVE-2008-4225 (Integer overflow in the xmlBufferResize function in libxml2 2.7.2 allo ...) {DSA-1666-1} - libxml2 2.6.32.dfsg-5 - chromium-browser 5.0.375.29~r46008-1 CVE-2008-4224 (UDF in Apple Mac OS X before 10.5.6 allows user-assisted attackers to ...) NOT-FOR-US: UDF Mac OS X CVE-2008-4223 (Podcast Producer in Apple Mac OS X 10.5 before 10.5.6 allows remote at ...) NOT-FOR-US: Podcast Producer Mac OS X CVE-2008-4222 (natd in network_cmds in Apple Mac OS X before 10.5.6, when Internet Sh ...) NOT-FOR-US: natd Mac OS X CVE-2008-4221 (The strptime API in Libsystem in Apple Mac OS X before 10.5.6 allows c ...) NOT-FOR-US: Libsystem Mac OS X CVE-2008-4220 (Integer overflow in the inet_net_pton API in Libsystem in Apple Mac OS ...) NOT-FOR-US: Libsystem Mac OS X CVE-2008-4219 (The kernel in Apple Mac OS X before 10.5.6 allows local users to cause ...) NOT-FOR-US: kernel Mac OS X CVE-2008-4218 (Multiple integer overflows in the kernel in Apple Mac OS X before 10.5 ...) NOT-FOR-US: kernel Mac OS X CVE-2008-4217 (Integer signedness error in BOM in Apple Mac OS X before 10.5.6 allows ...) NOT-FOR-US: BOM Apple Mac OS X CVE-2008-4216 (The plug-in interface in WebKit in Apple Safari before 3.2 does not pr ...) NOT-FOR-US: Safari CVE-2008-4215 (Weblog in Mac OS X Server 10.4.11 does not properly check an error con ...) NOT-FOR-US: Weblog Mac OS X CVE-2008-4214 (Unspecified vulnerability in Script Editor in Mac OS X 10.4.11 and 10. ...) NOT-FOR-US: Script Editor in Mac OS X CVE-2008-4213 RESERVED CVE-2008-4212 (Unspecified vulnerability in rlogind in the rlogin component in Mac OS ...) NOT-FOR-US: MacOS-only issue CVE-2008-4211 (Integer signedness error in (1) QuickLook in Apple Mac OS X 10.5.5 and ...) NOT-FOR-US: QuickLook Mac OS X CVE-2008-4210 (fs/open.c in the Linux kernel before 2.6.22 does not properly strip se ...) {DSA-1653-1} - linux-2.6 2.6.22-1 - linux-2.6.24 (Vulnerable code not prsent) NOTE: easily exploitable but of limited use as the attacker already needs access to a NOTE: directory that is setgid to the group he wants to get privileges for CVE-2008-4209 RESERVED CVE-2008-4208 (Unspecified vulnerability in OSADS Alliance Database before 2.1 has un ...) NOT-FOR-US: OSADS Alliance Database CVE-2008-4207 (Attachmax Dolphin 2.1.0 and earlier does not properly protect info.php ...) NOT-FOR-US: Attachmax Dolphin CVE-2008-4206 (PHP remote file inclusion vulnerability in config.php in Attachmax Dol ...) NOT-FOR-US: Attachmax Dolphin CVE-2008-4205 (SQL injection vulnerability in search.php Attachmax Dolphin 2.1.0 and ...) NOT-FOR-US: Attachmax Dolphin CVE-2008-4204 (SQL injection vulnerability in city.asp in SoftAcid Hotel Reservation ...) NOT-FOR-US: SoftAcid Hotel Reservation System CVE-2008-4203 (SQL injection vulnerability in cn_users.php in CzarNews 1.20 and earli ...) NOT-FOR-US: CzarNews CVE-2008-4202 (SQL injection vulnerability in index.php in Gonafish LinksCaffePRO 4.5 ...) NOT-FOR-US: Gonafish LinksCaffePRO CVE-2008-4200 (Opera before 9.52 does not ensure that the address field of a news fee ...) NOT-FOR-US: Opera CVE-2008-4199 (Opera before 9.52 does not prevent use of links from web pages to feed ...) NOT-FOR-US: Opera CVE-2008-4198 (Opera before 9.52, when rendering an http page that has loaded an http ...) NOT-FOR-US: Opera CVE-2008-4197 (Opera before 9.52 on Windows, Linux, FreeBSD, and Solaris, when proces ...) NOT-FOR-US: Opera CVE-2008-4196 (Cross-site scripting (XSS) vulnerability in Opera before 9.52 allows r ...) NOT-FOR-US: Opera CVE-2008-4195 (Opera before 9.52 does not properly restrict the ability of a framed w ...) NOT-FOR-US: Opera CVE-2008-4194 (The p_exec_query function in src/dns_query.c in pdnsd before 1.2.7-par ...) - pdnsd 1.2.6-par-10 (bug #500910) CVE-2008-4193 (Stack-based buffer overflow in SecurityGateway.dll in Alt-N Technologi ...) NOT-FOR-US: Alt-N Technologies SecurityGateway CVE-2008-4192 (The pserver_shutdown function in fence_egenera in cman 2.20080629 and ...) - redhat-cluster 2.20081102-1 (bug #496410; low) [lenny] - redhat-cluster 2.20080801-4+lenny1 CVE-2008-4191 (extract-table.pl in Emacspeak 26 and 28 allows local users to overwrit ...) - emacspeak 28.0-2 (bug #496431; low) [lenny] - emacspeak 26.0-3+lenny1 [etch] - emacspeak (Minor issue) CVE-2008-4190 (The IPSEC livetest tool in Openswan 2.4.12 and earlier, and 2.6.x thro ...) {DSA-1760-1} - openswan 1:2.4.12+dfsg-1.3 (bug #496374; low) [etch] - openswan (Vulnerable code only in example script) CVE-2008-XXXX [jumpnbump: insecure temp file] - jumpnbump 1.50+dfsg1-1 (low; bug #500611) [etch] - jumpnbump 1.50-6+etch1 CVE-2008-4959 (geo-code in gpsdrive-scripts 2.10~pre4 allows local users to overwrite ...) - gpsdrive 2.10~pre4-6.dfsg-1 (low; bug #496436) [etch] - gpsdrive (Minor issue) CVE-2008-4949 (dist 3.5 allows local users to overwrite arbitrary files via a symlink ...) - dist 1:3.5-17-2 (low; bug #496412) [etch] - dist 3.70-31etch1 CVE-2008-4970 (runiozone in lustre 1.6.5 allows local users to overwrite arbitrary fi ...) - lustre 1.6.5.1-1 (low; bug #496371) CVE-2008-4247 (ftpd in OpenBSD 4.3, FreeBSD 7.0, NetBSD 4.0, Solaris, and possibly ot ...) - linux-ftpd-ssl 0.17.27+0.3-3 (bug #500518) [etch] - linux-ftpd-ssl 0.17.18+0.3-6etch1 - linux-ftpd 0.17-29 (bug #500278) [etch] - linux-ftpd (Minor issue) CVE-2008-XXXX [possible script injection via /etc/wordpress/wp-config.php] - wordpress 2.8.4-1 (bug #500295; unimportant) NOTE: bigger problems, if attacker has access to /etc/wordpress/* CVE-2008-4298 (Memory leak in the http_request_parse function in request.c in lighttp ...) {DSA-1645-1} - lighttpd 1.4.19-5 (medium) NOTE: http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt CVE-2008-XXXX [unsafe usage of temp file] - chillispot 1.0-10 (low; bug #500181) NOTE: the changelog doesn't mention the fix but its included in -10 [etch] - chillispot (minor issue) CVE-2008-XXXX [unsafe usage of temp file] - debtorrent 0.1.10 (unimportant; bug #500180) NOTE: Only exploitable when upgrading from an ancient version, package also not in Etch CVE-2008-4189 REJECTED CVE-2008-4188 (Unspecified vulnerability in the TYPO3 Secure Directory (kw_secdir) ex ...) NOT-FOR-US: kw_secdir extension for TYPO3 CVE-2008-4187 (Directory traversal vulnerability in index.php in ProActive CMS allows ...) NOT-FOR-US: ProActive CMS CVE-2008-4186 (SQL injection vulnerability in index.php in webCMS Portal Edition allo ...) NOT-FOR-US: webCMS Portal Edition CVE-2008-4185 (SQL injection vulnerability in index.php in webCMS Portal Edition allo ...) NOT-FOR-US: webCMS Portal Edition CVE-2008-4184 (Cross-site scripting (XSS) vulnerability in index.php in webCMS Portal ...) NOT-FOR-US: webCMS Portal Edition CVE-2008-4183 (IntegraMOD 1.4.x stores sensitive information under the web root with ...) NOT-FOR-US: IntegraMOD CVE-2008-4182 (Cross-site scripting (XSS) vulnerability in imp/test.php in Horde Turb ...) {DSA-1770-1} - turba2 2.2.1-2 (bug #500114; low) [etch] - turba2 (Minor issue) - imp4 4.2-3 (bug #500553; low) CVE-2008-4181 (Directory traversal vulnerability in includes/xml.php in the Netenberg ...) NOT-FOR-US: Netenberg Fantastico De Luxe module for cPanel CVE-2008-4180 (Unspecified vulnerability in db.php in NooMS 1.1 allows remote attacke ...) NOT-FOR-US: NooMS CVE-2008-4179 (Multiple cross-site scripting (XSS) vulnerabilities in NooMS 1.1 allow ...) NOT-FOR-US: NooMS CVE-2008-4178 (SQL injection vulnerability in tr.php in DownlineGoldmine Special Cate ...) NOT-FOR-US: DownlineGoldmine, etc. CVE-2008-4177 (SQL injection vulnerability in search.php in Pre Real Estate Listings ...) NOT-FOR-US: Pre Real Estate Listings CVE-2008-4176 (SQL injection vulnerability in izle.asp in FoT Video scripti 1.1 beta ...) NOT-FOR-US: FoT Video scripti CVE-2008-4175 (Multiple SQL injection vulnerabilities in Link Bid Script 1.5 allow re ...) NOT-FOR-US: Link Bid Script CVE-2008-4174 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Dy ...) NOT-FOR-US: Dynamic MP3 Lister CVE-2008-4173 (SQL injection vulnerability in ProArcadeScript 1.3 allows remote attac ...) NOT-FOR-US: ProArcadeScript CVE-2008-4172 (SQL injection vulnerability in page.php in Cars & Vehicle (aka Car ...) NOT-FOR-US: Cars & Vehicle CVE-2008-4171 (SQL injection vulnerability in xmlout.php in Invision Power Board (IP. ...) NOT-FOR-US: Invision Power Board CVE-2008-4170 (create_account.php in osCommerce 2.2 RC 2a allows remote attackers to ...) NOT-FOR-US: osCommerce CVE-2008-4169 (SQL injection vulnerability in detaillist.php in iScripts EasyIndex, p ...) NOT-FOR-US: iScripts EasyIndex CVE-2008-4168 (Cross-site scripting (XSS) vulnerability in verify_login.jsp in Pro2co ...) NOT-FOR-US: Pro2col Stingray FTS CVE-2008-4167 (useradmin.php in Easy Photo Gallery (aka Ezphotogallery) 2.1 does not ...) NOT-FOR-US: Easy Photo Gallery CVE-2008-4166 (Integer overflow in the JavaScript engine in Avant Browser 11.7 Build ...) NOT-FOR-US: Avant Browser CVE-2008-4165 (admin/user/create_user.php in Kolab Groupware Server 1.0.0 places a us ...) NOT-FOR-US: Kolab Groupware Server 1.0.0 NOTE: Debian has kolabd and kolab-webadmin, but neither has the file create_user.php. NOTE: But we have only 0.4 (in etch) and 2.1 (in lenny+sid), maybe 1.0 is different. CVE-2008-4164 (cron.php in MemHT Portal 3.9.0 and earlier allows remote attackers to ...) NOT-FOR-US: MemHT Portal CVE-2008-4163 (Unspecified vulnerability in ISC BIND 9.3.5-P2-W1, 9.4.2-P2-W1, and 9. ...) - bind9 (windows specific issue) CVE-2008-4162 (Open redirect vulnerability in admin/auth.php in NooMS 1.1 allows remo ...) NOT-FOR-US: NooMS CVE-2008-4161 (SQL injection vulnerability in search_inv.php in Assetman 2.5b allows ...) NOT-FOR-US: Assetman CVE-2008-4160 (Unspecified vulnerability in the UFS module in Sun Solaris 8 through 1 ...) NOT-FOR-US: Sun Solaris CVE-2008-4159 (SQL injection vulnerability in index.php in Jaw Portal and Zanfi CMS l ...) NOT-FOR-US: Jaw Portal and Zanfi CMS CVE-2008-4158 (Multiple directory traversal vulnerabilities in index.php in Zanfi CMS ...) NOT-FOR-US: Zanfi CMS CVE-2008-4157 (SQL injection vulnerability in groups.php in Vastal I-Tech phpVID 1.1 ...) NOT-FOR-US: Vastal I-Tech phpVID CVE-2008-4156 (SQL injection vulnerability in print.php in CustomCms (CCMS) Gaming Po ...) NOT-FOR-US: CustomCms (CCMS) Gaming Portal CVE-2008-4155 (Multiple directory traversal vulnerabilities in EasySite 2.3 allow rem ...) NOT-FOR-US: EasySite CVE-2008-4154 (SQL injection vulnerability in living-e webEdition CMS allows remote a ...) NOT-FOR-US: living-e webEdition CMS CVE-2008-4153 (The Talk module 5.x before 5.x-1.3 and 6.x before 6.x-1.5, a module fo ...) NOT-FOR-US: Talk module for Drupal CVE-2008-4152 (Cross-site scripting (XSS) vulnerability in the Talk module 5.x before ...) NOT-FOR-US: Talk module for Drupal CVE-2008-4151 (Directory traversal vulnerability in collect.php in CYASK 3.x allows r ...) NOT-FOR-US: CYASK CVE-2008-4150 (SQL injection vulnerability in picture_category.php in Diesel Joke Sit ...) NOT-FOR-US: Diesel Joke Site CVE-2008-4149 (Cross-site scripting (XSS) vulnerability in the Greg Holsclaw Link to ...) NOT-FOR-US: Greg Holsclaw Link to Us module for Drupal CVE-2008-4148 (SQL injection vulnerability in the Mailhandler module 5.x before 5.x-1 ...) NOT-FOR-US: Mailhandler module for Drupal CVE-2008-4147 (Cross-site scripting (XSS) vulnerability in the Mailsave module 5.x be ...) NOT-FOR-US: Mailsave module for Drupal CVE-2008-4146 (Addalink 1.0 beta 4 and earlier allows remote attackers to (1) approve ...) NOT-FOR-US: Addalink CVE-2008-4145 (SQL injection vulnerability in user_read_links.php in Addalink 1.0 bet ...) NOT-FOR-US: Addalink CVE-2008-4144 (SQL injection vulnerability in index.php in ACG-ScriptShop E-Gold Scri ...) NOT-FOR-US: ACG-ScriptShop E-Gold Script Shop CVE-2008-4143 (SQL injection vulnerability in category_search.php in RazorCommerce Sh ...) NOT-FOR-US: RazorCommerce Shopping Cart CVE-2008-4142 (SQL injection vulnerability in article.php in E-Php CMS allows remote ...) NOT-FOR-US: E-Php CMS CVE-2008-4141 (Multiple PHP remote file inclusion vulnerabilities in x10Media x10 Aut ...) NOT-FOR-US: x10Media x10 Automatic MP3 Script CVE-2008-4140 (Cross-site scripting (XSS) vulnerability in admin.php in Quick.Cart 3. ...) NOT-FOR-US: Quick.Cart CVE-2008-4139 (Cross-site scripting (XSS) vulnerability in admin.php in OpenSolution ...) NOT-FOR-US: OpenSolution Quick.Cms.Lite CVE-2008-4138 (PHP remote file inclusion vulnerability in skin_shop/standard/3_plugin ...) NOT-FOR-US: Technote CVE-2008-4137 (PHP remote file inclusion vulnerability in footer.php in PHP-Crawler 0 ...) NOT-FOR-US: PHP-Crawler CVE-2008-4136 (Michael Roth Software Personal FTP Server (PFT) 6.0f allows remote att ...) NOT-FOR-US: Michael Roth Software Personal FTP Server (PFT) CVE-2008-4135 (Symbian OS S60 3rd edition on the Nokia E90 Communicator 07.40.1.2 Ra- ...) NOT-FOR-US: Symbian CVE-2008-4134 (PHP remote file inclusion vulnerability in manager/static/view.php in ...) NOT-FOR-US: phpRealty CVE-2008-4133 (The web proxy service on the D-Link DIR-100 with firmware 1.12 and ear ...) NOT-FOR-US: D-Link CVE-2008-4132 (Stack-based buffer overflow in the VSFlexGrid.VSFlexGridL ActiveX cont ...) NOT-FOR-US: SFlexGrid.VSFlexGridL ActiveX CVE-2008-4131 (Multiple unspecified vulnerabilities in Sun Solaris 8 through 10 allow ...) NOT-FOR-US: Sun Solaris CVE-2008-4130 (Cross-site scripting (XSS) vulnerability in Gallery 2.x before 2.2.6 a ...) - gallery2 2.2.6-1 CVE-2008-4129 (Gallery before 1.5.9, and 2.x before 2.2.6, does not properly handle Z ...) - gallery 1.5.9-1 (medium) - gallery2 2.2.6-1 (medium) CVE-2008-4128 (Multiple cross-site request forgery (CSRF) vulnerabilities in the HTTP ...) NOT-FOR-US: Cisco CVE-2008-4127 (Mshtml.dll in Microsoft Internet Explorer 7 Gold 7.0.5730 and 8 Beta 8 ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-4126 (PyDNS (aka python-dns) before 2.3.1-5 in Debian GNU/Linux does not use ...) {DSA-1619-1} - python-dns 2.3.1-5 (bug #490217) CVE-2008-4125 (The search function in phpBB 2.x provides a search_id value that leaks ...) - phpbb2 2.0.23+repack-3 (low; bug #500086) [etch] - phpbb2 (Minor issue) - phpbb3 (vulnerable code not present) NOTE: this is actually a bug in the seeding by PHP, not phpBB per se, but NOTE: fixing it nonetheless as a workaround. CVE-2008-4124 RESERVED CVE-2008-4123 RESERVED CVE-2008-4122 (Joomla! 1.5.8 does not set the secure flag for the session cookie in a ...) NOT-FOR-US: Joomla! CVE-2008-4121 (Multiple cross-site scripting (XSS) vulnerabilities in cpCommerce befo ...) NOT-FOR-US: cpCommerce CVE-2008-4120 (Multiple cross-site scripting (XSS) vulnerabilities in FlatPress 0.804 ...) NOT-FOR-US: FlatPress CVE-2008-4119 (Multiple cross-site scripting (XSS) vulnerabilities in CA Service Desk ...) NOT-FOR-US: CA Service Desk CVE-2008-4118 (Cross-site scripting (XSS) vulnerability in High Norm Sound Master 2nd ...) NOT-FOR-US: High Norm Sound Master CVE-2008-4117 (Unspecified vulnerability in a web page in the PRM module in Sun Manag ...) NOT-FOR-US: Sun Management Center (SunMC) CVE-2008-4116 (Buffer overflow in Apple QuickTime 7.5.5 and iTunes 8.0 allows remote ...) NOT-FOR-US: Apple CVE-2008-4201 (Heap-based buffer overflow in the decodeMP4file function (frontend/mai ...) - faad2 2.6.1-3.1 (bug #499899) NOTE: http://bugs.gentoo.org/show_bug.cgi?id=238445 NOTE: http://www.audiocoding.com/ NOTE: http://www.audiocoding.com/patch/main_overflow.diff CVE-2008-4115 (TalkBack 2.3.6 allows remote attackers to obtain configuration informa ...) NOT-FOR-US: TalkBack CVE-2008-4114 (srv.sys in the Server service in Microsoft Windows 2000 SP4, XP SP2 an ...) NOT-FOR-US: Microsoft Windows CVE-2008-4113 (The sctp_getsockopt_hmac_ident function in net/sctp/socket.c in the St ...) {DSA-1655-1} - linux-2.6 2.6.26-5 [etch] - linux-2.6 (Vulnerable code not present) - linux-2.6.24 2.6.24-6~etchnhalf.6 CVE-2008-4112 REJECTED CVE-2008-4111 (Unspecified vulnerability in Servlet Engine/Web Container in IBM WebSp ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2008-4110 (Buffer overflow in the SQLVDIRLib.SQLVDirControl ActiveX control in To ...) NOT-FOR-US: Microsoft CVE-2008-4107 (The (1) rand and (2) mt_rand functions in PHP 5.2.6 do not produce cry ...) - php5 (unimportant; bug #500087) NOTE: the rand() and mt_rand() functions were never said to be cryptographically strong NOTE: http://www.math.sci.hiroshima-u.ac.jp/~m-mat/MT/efaq.html CVE-2008-4106 (WordPress before 2.6.2 does not properly handle MySQL warnings about i ...) {DSA-1871-2 DSA-1871-1} - wordpress 2.5.1-8 (bug #500115) CVE-2008-4105 (JRequest in Joomla! 1.5 before 1.5.7 does not sanitize variables that ...) NOT-FOR-US: Joomla! CVE-2008-4104 (Multiple open redirect vulnerabilities in Joomla! 1.5 before 1.5.7 all ...) NOT-FOR-US: Joomla! CVE-2008-4103 (The mailto (aka com_mailto) component in Joomla! 1.5 before 1.5.7 send ...) NOT-FOR-US: Joomla! CVE-2008-4102 (Joomla! 1.5 before 1.5.7 initializes PHP's PRNG with a weak seed, whic ...) NOT-FOR-US: Joomla! CVE-2008-4101 (Vim 3.0 through 7.x before 7.2.010 does not properly escape characters ...) {DSA-1733-1} - vim 2:7.2.010-1 (low; bug #500381) [lenny] - vim 1:7.1.314-3+lenny1 [squeeze] - vim 1:7.1.314-3+lenny1 CVE-2008-4098 (MySQL before 5.0.67 allows local users to bypass certain privilege che ...) {DSA-1662-1} - mysql-dfsg-5.0 5.0.67-1 [lenny] - mysql-dfsg-5.0 5.0.51a-18 [squeeze] - mysql-dfsg-5.0 5.0.51a-18 CVE-2008-4097 (MySQL 5.0.51a allows local users to bypass certain privilege checks by ...) {DSA-1608-1} - mysql-dfsg-5.0 5.0.51a-10 CVE-2008-4095 (Multiple unspecified vulnerabilities in the Importer in Flip4Mac WMV b ...) NOT-FOR-US: Flip4Mac WMV CVE-2008-4094 (Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 a ...) - rails 2.1.0-1 (medium; bug #500791) NOTE: in mysql this only allows information disclosure as multiline statements are NOTE: not allowed by default CVE-2008-4093 (SQL injection vulnerability in memberstats.php in YourOwnBux 3.1 and 3 ...) NOT-FOR-US: YourOwnBux CVE-2008-4092 (SQL injection vulnerability in printfeature.php in myPHPNuke (MPN) bef ...) NOT-FOR-US: myPHPNuke CVE-2008-4091 (SQL injection vulnerability in index.php in Web Directory Script 1.5.3 ...) NOT-FOR-US: Web Directory Script CVE-2008-4090 (SQL injection vulnerability in index.php in PHP Coupon Script 4.0 allo ...) NOT-FOR-US: PHP Coupon Script CVE-2008-4089 (Cross-site scripting (XSS) vulnerability in print.php in myPHPNuke (MP ...) NOT-FOR-US: myPHPNuke CVE-2008-4088 (SQL injection vulnerability in print.php in myPHPNuke (MPN) before 1.8 ...) NOT-FOR-US: myPHPNuke CVE-2008-4087 (Stack-based buffer overflow in Acoustica Beatcraft 1.02 Build 19 allow ...) NOT-FOR-US: Acoustica Beatcraft CVE-2008-4086 (SQL injection vulnerability in index.php in Reciprocal Links Manager 1 ...) NOT-FOR-US: Reciprocal Links Manager CVE-2008-4085 (plaiter in Plait before 1.6 allows local users to overwrite arbitrary ...) - plait 1.5.2-2 (low; bug #496381) CVE-2008-4084 (SQL injection vulnerability in staticpages/easyclassifields/index.php ...) NOT-FOR-US: MyioSoft EasyClassifields CVE-2008-4083 (Cross-site scripting (XSS) vulnerability in the Bookmarks plugin in Br ...) NOT-FOR-US: Brim CVE-2008-4082 (SQL injection vulnerability in the Tasks plugin in Brim 2.0.0, when ma ...) NOT-FOR-US: Brim CVE-2008-4081 (admin/login.php in Stash 1.0.3 allows remote attackers to bypass authe ...) NOT-FOR-US: Stash CVE-2008-4080 (SQL injection vulnerability in Stash 1.0.3, when magic_quotes_gpc is d ...) NOT-FOR-US: Stash CVE-2008-4079 (Cross-site scripting (XSS) vulnerability in Movable Type (MT) 4.x thro ...) - movabletype-opensource 4.2~rc5-1 (low; bug #499252) CVE-2008-4078 (SQL injection vulnerability in the AR/AP transaction report in (1) Led ...) - sql-ledger (unimportant) NOTE: Only supported behind an authenticated HTTP zone, see README.Debian CVE-2008-4077 (The CGI scripts in (1) LedgerSMB (LSMB) before 1.2.15 and (2) SQL-Ledg ...) - sql-ledger (unimportant) NOTE: Only supported behind an authenticated HTTP zone CVE-2008-4076 (Cross-site scripting (XSS) vulnerability in (1) Tor World Tor Board 1. ...) NOT-FOR-US: Tor World Software CVE-2008-4075 (Directory traversal vulnerability in index.php in D-iscussion Board 3. ...) NOT-FOR-US: D-iscussion Board CVE-2008-4074 (SQL injection vulnerability in index.php in Zanfi Autodealers CMS AutO ...) NOT-FOR-US: Zanfi Autodealers CMS CVE-2008-4073 (SQL injection vulnerability in index.php in Zanfi Autodealers CMS AutO ...) NOT-FOR-US: Zanfi Autodealers CMS CVE-2008-4072 (Multiple SQL injection vulnerabilities in index.php in phsBlog 0.2 all ...) NOT-FOR-US: phsBlog CVE-2008-4071 (A certain ActiveX control in Adobe Acrobat 9, when used with Microsoft ...) NOT-FOR-US: Microsoft CVE-2008-4070 (Heap-based buffer overflow in Mozilla Thunderbird before 2.0.0.17 and ...) {DSA-1697-1 DSA-1696-1} - iceape 1.1.12-1 - icedove 2.0.0.17-1 CVE-2008-4069 (The XBM decoder in Mozilla Firefox before 2.0.0.17 and SeaMonkey befor ...) {DSA-1697-1 DSA-1669-1 DSA-1649-1} - iceweasel 3.0.1-1 - xulrunner 1.9.0.1-1 - iceape 1.1.12-1 CVE-2008-4068 (Directory traversal vulnerability in Mozilla Firefox before 2.0.0.17 a ...) {DSA-1697-1 DSA-1696-1 DSA-1669-1 DSA-1649-1} - xulrunner 1.9.0.3-1 - iceape 1.1.12-1 - iceweasel 3.0.3-1 - icedove 2.0.0.17-1 CVE-2008-4067 (Directory traversal vulnerability in Mozilla Firefox before 2.0.0.17 a ...) {DSA-1697-1 DSA-1696-1 DSA-1669-1 DSA-1649-1} - xulrunner 1.9.0.3-1 - iceape 1.1.12-1 - iceweasel 3.0.3-1 - icedove 2.0.0.17-1 CVE-2008-4066 (Mozilla Firefox 2.0.0.14, and other versions before 2.0.0.17, allows r ...) {DSA-1669-1 DSA-1649-1} - iceweasel 3.0.1-1 - xulrunner 1.9.0.1-1 - iceape 1.1.12-1 [etch] - iceape (Etch Packages no longer covered by security support) - icedove 2.0.0.17-1 CVE-2008-4065 (Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird befo ...) {DSA-1697-1 DSA-1696-1 DSA-1669-1 DSA-1649-1} - xulrunner 1.9.0.3-1 - iceape 1.1.12-1 - iceweasel 3.0.3-1 - icedove 2.0.0.17-1 CVE-2008-4064 (Multiple unspecified vulnerabilities in Mozilla Firefox 3.x before 3.0 ...) {DSA-1669-1} - xulrunner 1.9.0.3-1 - iceweasel 3.0.3-1 [etch] - iceweasel (Vulnerable code not present) CVE-2008-4063 (Multiple unspecified vulnerabilities in Mozilla Firefox 3.x before 3.0 ...) {DSA-1669-1} - xulrunner 1.9.0.3-1 - iceweasel 3.0.3-1 [etch] - iceweasel (Vulnerable code not present) CVE-2008-4062 (Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.1 ...) {DSA-1697-1 DSA-1696-1 DSA-1669-1 DSA-1649-1} - xulrunner 1.9.0.3-1 - iceape 1.1.12-1 - iceweasel 3.0.3-1 - icedove 2.0.0.17-1 CVE-2008-4061 (Integer overflow in the MathML component in Mozilla Firefox before 2.0 ...) {DSA-1697-1 DSA-1696-1 DSA-1669-1 DSA-1649-1} - xulrunner 1.9.0.3-1 - iceape 1.1.12-1 - iceweasel 3.0.3-1 - icedove 2.0.0.17-1 CVE-2008-4060 (Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, Thunderbird befo ...) {DSA-1697-1 DSA-1696-1 DSA-1669-1 DSA-1649-1} - xulrunner 1.9.0.3-1 - iceape 1.1.12-1 - iceweasel 3.0.3-1 - icedove 2.0.0.17-1 CVE-2008-4059 (The XPConnect component in Mozilla Firefox before 2.0.0.17 allows remo ...) {DSA-1697-1 DSA-1696-1 DSA-1669-1 DSA-1649-1} - xulrunner 1.9.0.3-1 - iceape 1.1.12-1 - iceweasel 3.0.3-1 - icedove 2.0.0.17-1 CVE-2008-4058 (The XPConnect component in Mozilla Firefox before 2.0.0.17 and 3.x bef ...) {DSA-1697-1 DSA-1696-1 DSA-1669-1 DSA-1649-1} - xulrunner 1.9.0.3-1 - iceape 1.1.12-1 - iceweasel 3.0.3-1 - icedove 2.0.0.17-1 CVE-2008-4057 (Unspecified vulnerability in Objective Development Sharity 3 before 3. ...) NOT-FOR-US: Objective Development Sharity CVE-2008-4056 (Cross-site scripting (XSS) vulnerability in admin/login.php in Matterd ...) NOT-FOR-US: Matterdaddy Market CVE-2008-4055 (SQL injection vulnerability in tops_top.php in Million Pixel Ad Script ...) NOT-FOR-US: Million Pixel Ad Script CVE-2008-4054 (SQL injection vulnerability in indir.php in Kolifa.net Download Script ...) NOT-FOR-US: Kolifa.net Download Script CVE-2008-4053 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in th ...) NOT-FOR-US: Bluemoon PopnupBLOG CVE-2008-4052 (Stack-based buffer overflow in SMGSHR.EXE in OpenVMS for Integrity Ser ...) NOT-FOR-US: OpenVMS for Integrity Servers CVE-2008-4051 (Cross-site scripting (XSS) vulnerability in surveyresults.asp in Smart ...) NOT-FOR-US: Smart Survey CVE-2008-4050 (A certain ActiveX control in fwRemoteCfg.dll 3.3.3.1 in Friendly Techn ...) NOT-FOR-US: Friendly Technologies FriendlyPPPoE Client CVE-2008-4049 (A certain ActiveX control in fwRemoteCfg.dll 3.3.3.1 in Friendly Techn ...) NOT-FOR-US: Friendly Technologies FriendlyPPPoE Client CVE-2008-4048 (Heap-based buffer overflow in a certain ActiveX control in fwRemoteCfg ...) NOT-FOR-US: Friendly Technologies FriendlyPPPoE Client CVE-2008-4047 (Unspecified vulnerability in Novell Forum (formerly SiteScape Forum) 7 ...) NOT-FOR-US: Novell Forum CVE-2008-4046 (SQL injection vulnerability in index.php in eliteCMS 1.0 allows remote ...) NOT-FOR-US: eliteCMS CVE-2008-4045 (Multiple cross-site scripting (XSS) vulnerabilities in @Mail 5.42 allo ...) NOT-FOR-US: @Mail CVE-2008-4044 (SQL injection vulnerability in article/readarticle.php in AJ Square aj ...) NOT-FOR-US: AJ Square aj-hyip CVE-2008-4043 (Multiple SQL injection vulnerabilities in AJ Square AJ HYIP Acme allow ...) NOT-FOR-US: AJ Square aj-hyip CVE-2008-4042 REJECTED CVE-2008-4041 (The IMAP server in Softalk Mail Server (formerly WorkgroupMail) 8.5.1. ...) NOT-FOR-US: Softalk Mail Server CVE-2008-4040 (Directory traversal vulnerability in the Kyocera Command Center in Kyo ...) NOT-FOR-US: Kyocera FS-118MFP CVE-2008-4039 (SQL injection vulnerability in index.php in Spice Classifieds allows r ...) NOT-FOR-US: Spice Classifieds CVE-2008-4038 (Buffer underflow in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server ...) NOT-FOR-US: Microsoft Windows CVE-2008-4037 (Microsoft Windows 2000 Gold through SP4, XP Gold through SP3, Server 2 ...) NOT-FOR-US: Microsoft Windows CVE-2008-4036 (Integer overflow in Memory Manager in Microsoft Windows XP SP2 and SP3 ...) NOT-FOR-US: Microsoft Windows CVE-2008-4035 REJECTED CVE-2008-4034 REJECTED CVE-2008-4033 (Cross-domain vulnerability in Microsoft XML Core Services 3.0 through ...) NOT-FOR-US: Microsoft XML Core CVE-2008-4032 (Microsoft Office SharePoint Server 2007 Gold and SP1 and Microsoft Sea ...) NOT-FOR-US: Microsoft Office Word CVE-2008-4031 (Microsoft Office Word 2000 SP3, 2002 SP3, 2003 SP3, and 2007 Gold and ...) NOT-FOR-US: Microsoft Office Word CVE-2008-4030 (Microsoft Office Word 2000 SP3, 2002 SP3, 2003 SP3, and 2007 Gold and ...) NOT-FOR-US: Microsoft Office Word CVE-2008-4029 (Cross-domain vulnerability in Microsoft XML Core Services 3.0 and 4.0, ...) NOT-FOR-US: Microsoft XML Core CVE-2008-4028 (Microsoft Office Word 2000 SP3, 2002 SP3, 2003 SP3, and 2007 Gold and ...) NOT-FOR-US: Microsoft Office Word CVE-2008-4027 (Double free vulnerability in Microsoft Office Word 2000 SP3, 2002 SP3, ...) NOT-FOR-US: Microsoft Office Word CVE-2008-4026 (Microsoft Office Word 2000 SP3, 2002 SP3, 2003 SP3, and 2007 Gold and ...) NOT-FOR-US: Microsoft Office Word CVE-2008-4025 (Integer overflow in Microsoft Office Word 2000 SP3, 2002 SP3, 2003 SP3 ...) NOT-FOR-US: Microsoft Office Word CVE-2008-4024 (Microsoft Office Word 2000 SP3 and 2002 SP3 and Office 2004 for Mac al ...) NOT-FOR-US: Microsoft Office Word CVE-2008-4023 (Active Directory in Microsoft Windows 2000 SP4 does not properly alloc ...) NOT-FOR-US: Microsoft Windows CVE-2008-4022 REJECTED CVE-2008-4021 REJECTED CVE-2008-4020 (Cross-site scripting (XSS) vulnerability in Microsoft Office XP SP3 al ...) NOT-FOR-US: Microsoft Office CVE-2008-4019 (Integer overflow in the REPT function in Microsoft Excel 2000 SP3, 200 ...) NOT-FOR-US: Microsoft Office CVE-2008-4109 (A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch; before ...) {DSA-1638-1 CVE-2006-5051} - openssh 1:4.6p1-1 (low) NOTE: The patch backported for CVE-2006-5051 was incorrect and did not NOTE: fully address the issue. The upstream fix in 4.4p1 was NOTE: right, and it the next unstable upload after that was 4.6p1. CVE-2008-4100 (GNU adns 1.4 and earlier uses a fixed source port and sequential trans ...) - adns 1.4-2 (unimportant; bug #492698) NOTE: adns is not supported in untrusted contexts, fix documents this in README.Debian CVE-2008-4099 (PyDNS (aka python-dns) before 2.3.1-4 in Debian GNU/Linux does not use ...) {DSA-1619-1} - python-dns 2.3.1-5 (low; bug #490217) CVE-2008-4096 (libraries/database_interface.lib.php in phpMyAdmin before 2.11.9.1 all ...) {DSA-1641-1} - phpmyadmin 4:2.11.8.1-2 (medium) NOTE: https://www.phpmyadmin.net/security/PMASA-2008-7/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/f8d65ec564ada5c839be8f3f07f483cd82ce6a11 (2.11 branch) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/64623fe9dbccff3f1ad9a54f844f91cefd07569c CVE-2008-XXXX [unsafe use of tempfile in ssmclient] - smsclient (unimportant; bug #498901) NOTE: script is not in use and only a suggestion for users CVE-2008-4108 (Tools/faqwiz/move-faqwiz.sh (aka the generic FAQ wizard moving tool) i ...) - python-defaults (unimportant; bug #498899) NOTE: script is an example, which can be used by users CVE-2008-4018 (swcons in bos.rte.console in IBM AIX 5.2.0 through 6.1.1 allows local ...) NOT-FOR-US: IBM AIX CVE-2008-4017 (Unspecified vulnerability in the OC4J component in Oracle Application ...) NOT-FOR-US: Oracle CVE-2008-4016 (Unspecified vulnerability in the Collaborative Workspaces component in ...) NOT-FOR-US: Oracle CVE-2008-4015 (Unspecified vulnerability in the Oracle Streams component in Oracle Da ...) NOT-FOR-US: Oracle CVE-2008-4014 (Unspecified vulnerability in the Oracle BPEL Process Manager component ...) NOT-FOR-US: Oracle CVE-2008-4013 (Unspecified vulnerability in the WebLogic Server component in BEA Prod ...) NOT-FOR-US: BEA WebLogic CVE-2008-4012 (Unspecified vulnerability in the WebLogic Workshop component in BEA Pr ...) NOT-FOR-US: BEA WebLogic CVE-2008-4011 (Unspecified vulnerability in the WebLogic Server component in BEA Prod ...) NOT-FOR-US: BEA WebLogic CVE-2008-4010 (Unspecified vulnerability in the WebLogic Workshop component in BEA Pr ...) NOT-FOR-US: BEA WebLogic CVE-2008-4009 (Unspecified vulnerability in the WebLogic Server component in BEA Prod ...) NOT-FOR-US: BEA WebLogic CVE-2008-4008 (Unspecified vulnerability in the WebLogic Server Plugins for Apache co ...) NOT-FOR-US: BEA WebLogic CVE-2008-4007 (Unspecified vulnerability in the PeopleSoft Enterprise Components comp ...) NOT-FOR-US: Oracle CVE-2008-4006 (Unspecified vulnerability in the Oracle Secure Backup component in Ora ...) NOT-FOR-US: Oracle CVE-2008-4005 (Unspecified vulnerability in the Oracle Application Express component ...) NOT-FOR-US: Oracle CVE-2008-4004 (Unspecified vulnerability in the JDE EnterpriseOne Business Service Se ...) NOT-FOR-US: Oracle CVE-2008-4003 (Unspecified vulnerability in the PeopleTools component in Oracle Peopl ...) NOT-FOR-US: Oracle CVE-2008-4002 (Unspecified vulnerability in the PeopleTools component in Oracle Peopl ...) NOT-FOR-US: Oracle CVE-2008-4001 (Unspecified vulnerability in the PeopleSoft Enterprise Portal componen ...) NOT-FOR-US: Oracle CVE-2008-4000 (Unspecified vulnerability in the PeopleTools component in Oracle Peopl ...) NOT-FOR-US: Oracle CVE-2008-3999 (Unspecified vulnerability in the Oracle OLAP component in Oracle Datab ...) NOT-FOR-US: Oracle CVE-2008-3998 (Unspecified vulnerability in the Oracle iStore component in Oracle E-B ...) NOT-FOR-US: Oracle CVE-2008-3997 (Unspecified vulnerability in the Oracle OLAP component in Oracle Datab ...) NOT-FOR-US: Oracle CVE-2008-3996 (Unspecified vulnerability in the Change Data Capture component in Orac ...) NOT-FOR-US: Oracle CVE-2008-3995 (Unspecified vulnerability in the Change Data Capture component in Orac ...) NOT-FOR-US: Oracle CVE-2008-3994 (Unspecified vulnerability in the Workspace Manager component in Oracle ...) NOT-FOR-US: Oracle CVE-2008-3993 (Unspecified vulnerability in the Oracle Applications Framework compone ...) NOT-FOR-US: Oracle CVE-2008-3992 (Unspecified vulnerability in the Oracle Data Mining component in Oracl ...) NOT-FOR-US: Oracle CVE-2008-3991 (Unspecified vulnerability in the Oracle OLAP component in Oracle Datab ...) NOT-FOR-US: Oracle CVE-2008-3990 (Unspecified vulnerability in the Oracle OLAP component in Oracle Datab ...) NOT-FOR-US: Oracle CVE-2008-3989 (Unspecified vulnerability in the Oracle Data Mining component in Oracl ...) NOT-FOR-US: Oracle CVE-2008-3988 (Unspecified vulnerability in the iSupplier Portal component in Oracle ...) NOT-FOR-US: Oracle CVE-2008-3987 (Unspecified vulnerability in the Oracle Discoverer Desktop component i ...) NOT-FOR-US: Oracle CVE-2008-3986 (Unspecified vulnerability in the Oracle Discoverer Administrator compo ...) NOT-FOR-US: Oracle CVE-2008-3985 (Unspecified vulnerability in the Oracle Applications Technology Stack ...) NOT-FOR-US: Oracle CVE-2008-3984 (Unspecified vulnerability in the Workspace Manager component in Oracle ...) NOT-FOR-US: Oracle CVE-2008-3983 (Unspecified vulnerability in the Workspace Manager component in Oracle ...) NOT-FOR-US: Oracle CVE-2008-3982 (Unspecified vulnerability in the Workspace Manager component in Oracle ...) NOT-FOR-US: Oracle CVE-2008-3981 (Unspecified vulnerability in the Oracle Secure Backup component in Ora ...) NOT-FOR-US: Oracle CVE-2008-3980 (Unspecified vulnerability in the Upgrade component in Oracle Database ...) NOT-FOR-US: Oracle CVE-2008-3979 (Unspecified vulnerability in the Oracle Spatial component in Oracle Da ...) NOT-FOR-US: Oracle CVE-2008-3978 (Unspecified vulnerability in the Oracle Spatial component in Oracle Da ...) NOT-FOR-US: Oracle CVE-2008-3977 (Unspecified vulnerability in the Oracle Portal component in Oracle App ...) NOT-FOR-US: Oracle CVE-2008-3976 (Unspecified vulnerability in the Oracle Spatial component in Oracle Da ...) NOT-FOR-US: Oracle CVE-2008-3975 (Unspecified vulnerability in the Oracle Portal component in Oracle App ...) NOT-FOR-US: Oracle CVE-2008-3974 (Unspecified vulnerability in the Oracle OLAP component in Oracle Datab ...) NOT-FOR-US: Oracle CVE-2008-3973 (Unspecified vulnerability in the SQL*Plus Windows GUI component in Ora ...) NOT-FOR-US: Oracle CVE-2008-3972 (pkcs15-tool in OpenSC before 0.11.6 does not apply security updates to ...) {DSA-1627-2} - opensc 0.11.4-5 CVE-2008-3971 (Heap-based buffer overflow in the open_man_file function in callbacks. ...) - gmanedit 0.4.1-1.1 (low; bug #497835) [etch] - gmanedit (Minor issue) CVE-2008-3970 (pam_mount 0.10 through 0.45, when luserconf is enabled, does not verif ...) {DTSA-169-1} - libpam-mount 0.48-1 (low; bug #499841) CVE-2008-3969 (Multiple unspecified vulnerabilities in BitlBee before 1.2.3 allow rem ...) - bitlbee 1.2.3-1 (bug #498159) [etch] - bitlbee (1.0.x not affected) CVE-2008-3968 (Cross-site scripting (XSS) vulnerability in userlist.php in PunBB befo ...) NOT-FOR-US: PunBB CVE-2008-3967 (moderation.php in MyBB (aka MyBulletinBoard) before 1.4.1 does not pro ...) NOT-FOR-US: MyBB CVE-2008-3966 (Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBul ...) NOT-FOR-US: MyBB CVE-2008-3965 (SQL injection vulnerability in misc.php in MyBB (aka MyBulletinBoard) ...) NOT-FOR-US: MyBB CVE-2008-3961 (Multiple unspecified vulnerabilities in Adobe Illustrator CS2 on Macin ...) NOT-FOR-US: Adobe Illustrator CVE-2008-3960 (Unspecified vulnerability in the JDBC Applet Server Service (aka db2jd ...) NOT-FOR-US: IBM DB2 UDB CVE-2008-3959 (IBM DB2 UDB 8.1 before FixPak 16, 8.2 before FixPak 9, and 9.1 before ...) NOT-FOR-US: IBM DB2 UDB CVE-2008-3958 (IBM DB2 UDB 8 before Fixpak 17 allows remote attackers to cause a deni ...) NOT-FOR-US: IBM DB2 UDB CVE-2008-3957 (The Microsoft Windows Image Acquisition Logger ActiveX control allows ...) NOT-FOR-US: Microsoft CVE-2008-3956 (orgchart.exe in Microsoft Organization Chart 2.00 allows user-assisted ...) NOT-FOR-US: Microsoft CVE-2008-3955 (SQL injection vulnerability in index.php in Masir Camp E-Shop Module 3 ...) NOT-FOR-US: Masir Camp E-Shop Module CVE-2008-3954 (SQL injection vulnerability in index.php in AlstraSoft Forum Pay Per P ...) NOT-FOR-US: AlstraSoft Forum Pay Per Post Exchange CVE-2008-3953 (SQL injection vulnerability in keyword_search_action.php in Vastal I-T ...) NOT-FOR-US: Vastal I-Tech Shaadi Zone CVE-2008-3952 (SQL injection vulnerability in questions.php in EsFaq 2.0 allows remot ...) NOT-FOR-US: EsFaq CVE-2008-3951 (SQL injection vulnerability in view_ann.php in Vastal I-Tech Agent Zon ...) NOT-FOR-US: The Real Estate Script CVE-2008-3950 (Off-by-one error in the _web_drawInRect:withFont:ellipsis:alignment:me ...) - webkit (Vulnerable code not present) NOTE: bug #500306 CVE-2008-3949 (emacs/lisp/progmodes/python.el in Emacs 22.1 and 22.2 imports Python s ...) - emacs22 22.2+2-4 (low; bug #499568) - emacs21 (doesn't provide the python functionality) - xemacs21 (doesn't provide the python functionality) NOTE: This can happen with any Python script, just because Emacs autoloads one NOTE: doesn't make it much worse CVE-2008-3948 (SQL injection vulnerability in admin/users/self-2.php in XRMS allows r ...) NOT-FOR-US: XRMS CRM CVE-2008-3947 (DCL (aka the CLI) in OpenVMS Alpha 8.3 allows local users to gain priv ...) NOT-FOR-US: OpenVMS CVE-2008-3946 (The finger client in HP TCP/IP Services for OpenVMS 5.x allows local u ...) NOT-FOR-US: OpenVMS CVE-2008-3945 (SQL injection vulnerability in index.php in Words tag 1.2 allows remot ...) NOT-FOR-US: Words tag CVE-2008-3944 (SQL injection vulnerability in index.php in ACG-PTP 1.0.6 allows remot ...) NOT-FOR-US: ACG-PTP CVE-2008-3943 (SQL injection vulnerability in listtest.php in eZoneScripts Living Loc ...) NOT-FOR-US: eZoneScripts Living Local CVE-2008-3942 (SQL injection vulnerability in landsee.php in Full PHP Emlak Script al ...) NOT-FOR-US: Full PHP Emlak Script CVE-2008-3941 (Cross-site scripting (XSS) vulnerability in BizDirectory 2.04 and earl ...) NOT-FOR-US: BizDirectory CVE-2008-3940 (Format string vulnerability in the finger client in HP TCP/IP Services ...) NOT-FOR-US: OpenVMS CVE-2008-3939 (Directory traversal vulnerability in the web interface in AVTECH PageR ...) NOT-FOR-US: AVTECH PageR Enterprise CVE-2008-3938 (Cross-site request forgery (CSRF) vulnerability in user_admin.php in O ...) NOT-FOR-US: Open Media Collectors Database CVE-2008-3937 (Multiple cross-site scripting (XSS) vulnerabilities in Open Media Coll ...) NOT-FOR-US: Open Media Collectors Database CVE-2008-3936 (The web interface in Dreambox DM500C allows remote attackers to cause ...) NOT-FOR-US: Dreambox DM500C CVE-2008-3935 (Cross-site scripting (XSS) vulnerability in DIC shop_v50 3.0 and earli ...) NOT-FOR-US: DIC shop_v50 CVE-2008-3931 (javareconf in R 2.7.2 allows local users to overwrite arbitrary files ...) - r-base-core-ra 1.1.1-2 (low; bug #496363) - r-base 2.7.2-1 (low; bug #496418) [etch] - r-base (Minor issue) [lenny] - r-base 2.7.1-1+lenny1 CVE-2008-3930 (migrate_aliases.sh in Citadel Server 7.37 allows local users to overwr ...) - citadel 7.37-3 (low; bug #496359) CVE-2008-3929 (gather-messages.sh in Ampache 3.4.1 allows local users to overwrite ar ...) - ampache 3.4.1-2 (unimportant; bug #496369) NOTE: Tracking as unimportant, since the script is only used NOTE: when translating ampache to a new language CVE-2008-3928 (test.sh in Honeyd 1.5c might allow local users to overwrite arbitrary ...) - honeyd 1.5c-5 (unimportant; bug #496365) NOTE: Script not used by package, only a manual test script CVE-2008-3927 (genmsgidx in Tiger 3.2.2 allows local users to overwrite or delete arb ...) - tiger 1:3.2.2-4 (unimportant; bug #496415) NOTE: Tracking as unimportant, since the script is only used NOTE: during build time CVE-2008-3926 (Multiple directory traversal vulnerabilities in Content Management Mad ...) NOT-FOR-US: Content Management Made Easy CVE-2008-3925 (Cross-site request forgery (CSRF) vulnerability in admin.php in Conten ...) NOT-FOR-US: Content Management Made Easy CVE-2008-3924 (The "Make a backup" functionality in Content Management Made Easy (CMM ...) NOT-FOR-US: Content Management Made Easy CVE-2008-3923 (Multiple cross-site scripting (XSS) vulnerabilities in statistics.php ...) NOT-FOR-US: Content Management Made Easy CVE-2008-3922 (awstatstotals.php in AWStats Totals 1.0 through 1.14 allows remote att ...) NOT-FOR-US: AWStats Totals CVE-2008-3921 (Multiple cross-site scripting (XSS) vulnerabilities in AWStats Totals ...) NOT-FOR-US: AWStats Totals CVE-2008-3919 (Unspecified vulnerability in multiple JustSystems Ichitaro products al ...) NOT-FOR-US: JustSystems Ichitaro CVE-2008-3918 (SQL injection vulnerability in index.php in Ovidentia 6.6.5 allows rem ...) NOT-FOR-US: Ovidentia CVE-2008-3917 (Cross-site scripting (XSS) vulnerability in index.php in Ovidentia 6.6 ...) NOT-FOR-US: Ovidentia CVE-2008-3916 (Heap-based buffer overflow in the strip_escapes function in signal.c i ...) - ed 0.7-2 (low) [etch] - ed (Minor issue) CVE-2008-3915 (Buffer overflow in nfsd in the Linux kernel before 2.6.26.4, when NFSv ...) {DSA-1636-1} - linux-2.6 2.6.26-5 - linux-2.6.24 2.6.24-6~etchnhalf.5 [etch] - linux-2.6 (Vulnerable code was introduced in 2.6.19) NOTE: 91b80969ba466ba4b915a4a1d03add8c297add3f CVE-2008-3911 (The proc_do_xprt function in net/sunrpc/sysctl.c in the Linux kernel 2 ...) - linux-2.6 2.6.26-5 [etch] - linux-2.6 (Vulnerable code not present) - linux-2.6.24 (Vulnerable code not present) CVE-2008-3906 (CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier allows ...) - mono 1.9.1+dfsg-4 (low; bug #498894) CVE-2008-3905 (resolv.rb in Ruby 1.8.5 and earlier, 1.8.6 before 1.8.6-p287, 1.8.7 be ...) {DSA-1652-1 DSA-1651-1} - ruby1.8 1.8.7.72-1 (bug #498978) - ruby1.9 1.9.0.2-6 (bug #498977) CVE-2008-3903 (Asterisk Open Source 1.2.x before 1.2.32, 1.4.x before 1.4.24.1, and 1 ...) {DSA-1952-1} - asterisk 1:1.6.1.0~dfsg-1 (low; bug #522528) [etch] - asterisk (Etch Packages no longer covered by security support) [lenny] - asterisk (Minor issue) NOTE: http://downloads.asterisk.org/pub/security/AST-2009-003.html CVE-2008-3902 (HP firmware 68DTT F.0D stores pre-boot authentication passwords in the ...) NOT-FOR-US: HP firmware 68DTT CVE-2007-6717 (Buffer overflow in tftp in bos.net.tcp.client in IBM AIX 5.2.0 and 5.3 ...) NOT-FOR-US: IBM AIX CVE-2007-6716 (fs/direct-io.c in the dio subsystem in the Linux kernel before 2.6.23 ...) {DSA-1653-1} - linux-2.6 2.6.23-1 - linux-2.6.24 (Vulnerable code not present) NOTE: 848c4dd5153c7a0de55470ce99a8e13a63b4703f CVE-2008-3962 (The from_format function in ssmtp.c in ssmtp 2.61 and 2.62, in certain ...) - ssmtp 2.62-1.1 (low; bug #498366) [etch] - ssmtp (Minor issue, only affects rare corner cases) CVE-2008-3963 (MySQL 5.0 before 5.0.66, 5.1 before 5.1.26, and 6.0 before 6.0.6 does ...) {DSA-1783-1} - mysql-dfsg-5.0 5.0.51a-15 (low; bug #498362) CVE-2008-3964 (Multiple off-by-one errors in libpng before 1.2.32beta01, and 1.4 befo ...) - libpng 1.2.27-2 (low; bug #501109) [etch] - libpng (Vulnerable code not present) NOTE: off-by-one error in pngpread.c is not present, must have NOTE: been introduced later, but pngtest.c is affected. However, there NOTE: is no known exploit. CVE-2008-3912 (libclamav in ClamAV before 0.94 allows attackers to cause a denial of ...) {DSA-1660-1} - clamav 0.94.dfsg-1 CVE-2008-3913 (Multiple memory leaks in freshclam/manager.c in ClamAV before 0.94 mig ...) {DSA-1660-1} - clamav 0.94.dfsg-1 CVE-2008-3914 (Multiple unspecified vulnerabilities in ClamAV before 0.94 have unknow ...) {DSA-1660-1} - clamav 0.94.dfsg-1 CVE-2008-3934 (Unspecified vulnerability in Wireshark (formerly Ethereal) 0.99.6 thro ...) {DTSA-167-1} - wireshark 1.0.3-1 (bug #497878) [etch] - wireshark (Only >= 0.99.6) CVE-2008-3933 (Wireshark (formerly Ethereal) 0.10.14 through 1.0.2 allows attackers t ...) {DSA-1673-1 DTSA-167-1} - wireshark 1.0.3-1 (low; bug #497878) CVE-2008-3932 (Wireshark (formerly Ethereal) 0.9.7 through 1.0.2 allows attackers to ...) {DTSA-167-1} - wireshark 1.0.3-1 (low; bug #497878) CVE-2008-3904 (src/main-win.c in GPicView 0.1.9 in Lightweight X11 Desktop Environmen ...) - gpicview 0.1.9-2 (low; bug #498022) CVE-2008-3909 (The administration application in Django 0.91, 0.95, and 0.96 stores u ...) {DSA-1640-1} - python-django 1.0-1 NOTE: http://www.djangoproject.com/weblog/2008/sep/02/security/ CVE-2008-3910 (dns2tcp before 0.4.1 does not properly handle negative values in a cer ...) - dns2tcp 0.4.dfsg-2 (medium; bug #497730) CVE-2008-3901 (Software suspend 2 2-2.2.1, when used with the Linux kernel 2.6.16, st ...) - linux-patch-tuxonice (Fixed before initial upload) CVE-2008-3900 (Intel firmware PE94510M.86A.0050.2007.0710.1559 stores pre-boot authen ...) NOT-FOR-US: Intel firmware CVE-2008-3899 (TrueCrypt 5.0 stores pre-boot authentication passwords in the BIOS Key ...) NOT-FOR-US: TrueCrypt CVE-2008-3898 (Secu Star DriveCrypt Plus Pack 3.9 stores pre-boot authentication pass ...) NOT-FOR-US: Secu Star DriveCrypt CVE-2008-3897 (DiskCryptor 0.2.6 on Windows stores pre-boot authentication passwords ...) NOT-FOR-US: DiskCryptor CVE-2008-3896 (Grub Legacy 0.97 and earlier stores pre-boot authentication passwords ...) - grub (unimportant) NOTE: you need to be root on linux to do this, root can easily edit menu.lst anyway CVE-2008-3895 (LILO 22.6.1 and earlier stores pre-boot authentication passwords in th ...) - lilo (unimportant) NOTE: you need to be root on linux to do this, root can edit the configuration anyway CVE-2008-3894 (IBM Lenovo firmware 7CETB5WW 2.05 stores pre-boot authentication passw ...) NOT-FOR-US: IBM Lenovo firmware CVE-2008-3893 (Microsoft Bitlocker in Windows Vista before SP1 stores pre-boot authen ...) NOT-FOR-US: Bitlocker CVE-2008-3892 (Buffer overflow in a certain ActiveX control in the COM API in VMware ...) NOT-FOR-US: VMware COM API CVE-2008-3891 (The SAML Single Sign-On (SSO) Service for Google Apps allows remote se ...) NOT-FOR-US: SAML Service for Google Apps CVE-2008-3890 (The kernel in FreeBSD 6.3 through 7.0 on amd64 platforms can make an e ...) - kfreebsd-6 6.3-7 - kfreebsd-7 7.0-5 CVE-2008-3888 (SQL injection vulnerability in members.asp in Mini-NUKE Freehost 2.3 a ...) NOT-FOR-US: Mini-NUKE Freehost CVE-2008-3887 (Multiple SQL injection vulnerabilities in index.php in dotProject 2.1. ...) NOT-FOR-US: dotProject CVE-2008-3886 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in do ...) NOT-FOR-US: dotProject CVE-2008-3885 (Cross-site request forgery (CSRF) vulnerability in Blogn (BURO GUN) 1. ...) NOT-FOR-US: Blogn CVE-2008-3884 (Cross-site scripting (XSS) vulnerability in Blogn (BURO GUN) 1.9.7 and ...) NOT-FOR-US: Blogn CVE-2008-3883 (configvar in Caudium 1.4.12 allows local users to overwrite arbitrary ...) - caudium 1.4.12-11.1 (low; bug #496404) CVE-2008-3882 (Unspecified "Command Injection" vulnerability in ZoneMinder 1.23.3 and ...) - zoneminder 1.24.1-1 (bug #497640) CVE-2008-3881 (Multiple cross-site scripting (XSS) vulnerabilities in ZoneMinder 1.23 ...) - zoneminder 1.24.1-1 (low; bug #497640) CVE-2008-3880 (SQL injection vulnerability in zm_html_view_event.php in ZoneMinder 1. ...) - zoneminder 1.24.1-1 (bug #497640) CVE-2008-3879 (The Ultra.OfficeControl ActiveX control in OfficeCtrl.ocx 2.0.2008.801 ...) NOT-FOR-US: ActiveX control in OfficeCtrl.ocx CVE-2008-3878 (Stack-based buffer overflow in the Ultra.OfficeControl ActiveX control ...) NOT-FOR-US: ActiveX control in OfficeCtrl.ocx CVE-2008-3877 (Stack-based buffer overflow in Acoustica Mixcraft 4.1 Build 96 and 4.2 ...) NOT-FOR-US: Acoustica Mixcraft CVE-2008-3876 (Apple iPhone 2.0.2, in some configurations, allows physically proximat ...) NOT-FOR-US: Apple iPhone CVE-2008-3875 (The kernel in Sun Solaris 8 through 10 and OpenSolaris before snv_90 a ...) NOT-FOR-US: Sun Solaris 8 CVE-2008-3874 (Cross-site scripting (XSS) vulnerability in account.php in Lussumo Van ...) NOT-FOR-US: Lussumo Vanilla CVE-2008-3873 (The System.setClipboard method in ActionScript in Adobe Flash Player 9 ...) NOT-FOR-US: Adobe Flash Player CVE-2008-3872 (Adobe Flash Player 8.0.39.0 and earlier, and 9.x up to 9.0.115.0, allo ...) NOT-FOR-US: Adobe Flash Player CVE-2008-3871 (Multiple format string vulnerabilities in UltraISO 9.3.1.2633, and pos ...) NOT-FOR-US: UltraISO CVE-2008-3870 (Integer overflow in sadmind in Sun Solaris 8 and 9 allows remote attac ...) NOT-FOR-US: Sun Solaris CVE-2008-3869 (Heap-based buffer overflow in sadmind in Sun Solaris 8 and 9 allows re ...) NOT-FOR-US: Sun Solaris CVE-2008-3868 (Cross-site request forgery (CSRF) vulnerability in Interact 2.4.1 allo ...) NOT-FOR-US: Interact CVE-2008-3867 (SQL injection vulnerability in spaces/emailuser.php in Interact 2.4.1 ...) NOT-FOR-US: Interact CVE-2008-3866 (The Trend Micro Personal Firewall service (aka TmPfw.exe) in Trend Mic ...) NOT-FOR-US: Trend Micro Personal Firewall CVE-2008-3865 (Multiple heap-based buffer overflows in the ApiThread function in the ...) NOT-FOR-US: Trend Micro Network Security Component CVE-2008-3864 (The ApiThread function in the firewall service (aka TmPfw.exe) in Tren ...) NOT-FOR-US: Trend Micro Network Security Component CVE-2008-3863 (Stack-based buffer overflow in the read_special_escape function in src ...) {DSA-1670-1} - enscript 1.6.4-13 (bug #506261) CVE-2008-3862 (Stack-based buffer overflow in CGI programs in the server in Trend Mic ...) NOT-FOR-US: Trend Micro OfficeScan CVE-2008-3861 (Multiple SQL injection vulnerabilities in phpMyRealty (PMR) 1.0.9 and ...) NOT-FOR-US: phpMyRealty CVE-2008-3860 (Multiple cross-site scripting (XSS) vulnerabilities (1) in the WYSIWYG ...) NOT-FOR-US: IBM, Lotus Quickr 8.1 CVE-2008-3859 (Davlin Thickbox Gallery 2 allows remote attackers to obtain the admini ...) NOT-FOR-US: Davlin Thickbox Gallery CVE-2008-3858 (The Downlevel DB2RA Support component in IBM DB2 9.1 before Fixpak 4a ...) NOT-FOR-US: IBM DB2 CVE-2008-3857 (The Base Service Utilities component in IBM DB2 9.1 before Fixpak 5 re ...) NOT-FOR-US: IBM DB2 CVE-2008-3856 (The routine infrastructure component in IBM DB2 8 before FP17, 9.1 bef ...) NOT-FOR-US: IBM DB2 CVE-2008-3855 (Unspecified vulnerability in the DB2 Administration Server (DAS) in th ...) NOT-FOR-US: IBM DB2 CVE-2008-3854 (Multiple stack-based buffer overflows in IBM DB2 9.1 before Fixpak 5 a ...) NOT-FOR-US: IBM DB2 CVE-2008-3853 (Buffer overflow in the DAS server program in the Core DAS function com ...) NOT-FOR-US: IBM DB2 CVE-2008-3852 (Unspecified vulnerability in the CLR stored procedure deployment from ...) NOT-FOR-US: IBM DB2 CVE-2008-3851 (Multiple directory traversal vulnerabilities in Pluck CMS 4.5.2 on Win ...) NOT-FOR-US: Pluck CMS CVE-2008-3850 (Cross-site scripting (XSS) vulnerability in Accellion File Transfer FT ...) NOT-FOR-US: Accellion File Transfer CVE-2008-3849 (Cross-site scripting (XSS) vulnerability in the calendar controller in ...) NOT-FOR-US: Civic Website Manager CVE-2008-3848 (SQL injection vulnerability in single.php in Z-Breaknews 2.0 allows re ...) NOT-FOR-US: Z-Breaknews CVE-2008-3847 (Multiple cross-site scripting (XSS) vulnerabilities in AN Guestbook (A ...) NOT-FOR-US: AN Guestbook CVE-2008-3846 (Cross-site scripting (XSS) vulnerability in mysql-lists 1.2 and earlie ...) NOT-FOR-US: mysql-lists CVE-2008-3845 (Multiple SQL injection vulnerabilities in Crafty Syntax Live Help (CSL ...) NOT-FOR-US: Crafty Syntax Live Help CVE-2003-1564 (libxml2, possibly before 2.5.0, does not properly detect recursion dur ...) NOT-FOR-US: Old CVE id CVE-2008-XXXX [nfdump vulnerable to symlink attacks] - nfdump 1.5.7-5 (bug #497452) CVE-2008-3889 (Postfix 2.4 before 2.4.9, 2.5 before 2.5.5, and 2.6 before 2.6-2008090 ...) - postfix 2.5.5-1 (low) [etch] - postfix (Vulnerable code not present) NOTE: http://www.postfix.org/announcements/20080902.html CVE-2008-3908 (Multiple buffer overflows in Princeton WordNet (wn) 3.0 allow context- ...) {DSA-1634-1 DTSA-163-1} - wordnet 1:3.0-12 (medium; bug #497441) [lenny] - wordnet 3.0-11+lenny1 [etch] - wordnet 1:2.1-4+etch1 NOTE: 1:3.0-12 had a regression and the patch was slightly updated NOTE: by 1:3.0-13 to fix this bug CVE-2008-3907 (The open-in-browser command in newsbeuter before 1.1 allows remote att ...) {DTSA-164-1 DTSA-164-2} [lenny] - newsbeuter 0.9.1-1+lenny3 - newsbeuter 1.2-1 (medium) NOTE: medium as versions < 1.0-1 didn't include a patch to wrap long article URLs so the NOTE: crafted part of the URL can be hidden. This of course only affects people not reading NOTE: articles in the built-in reader. CVE-2008-3920 (Unspecified vulnerability in BitlBee before 1.2.2 allows remote attack ...) - bitlbee 1.2.2-1 [etch] - bitlbee (1.0.x not affected) CVE-2008-4978 (radiance 3R9+20080530 allows local users to overwrite arbitrary files ...) - radiance 3R9+20080530-4 (low; bug #496423) CVE-2008-3844 (Certain Red Hat Enterprise Linux (RHEL) 4 and 5 packages for OpenSSH, ...) NOT-FOR-US: Red Hat services issue CVE-2008-3843 (Request Validation (aka the ValidateRequest filters) in ASP.NET in Mic ...) NOT-FOR-US: Microsoft .NET Framework CVE-2008-3842 (Request Validation (aka the ValidateRequest filters) in ASP.NET in Mic ...) NOT-FOR-US: Microsoft .NET Framework CVE-2008-3841 (Cross-site scripting (XSS) vulnerability in admin/search_links.php in ...) NOT-FOR-US: Freeway eCommerce CVE-2008-3840 (Crafty Syntax Live Help (CSLH) 2.14.6 and earlier stores passwords in ...) NOT-FOR-US: Crafty Syntax Live Help (CSLH) CVE-2008-3839 (Unspecified vulnerability in the NFS module in the kernel in Sun Solar ...) NOT-FOR-US: Solaris CVE-2008-3838 (Unspecified vulnerability in the NFS Remote Procedure Calls (RPC) zone ...) NOT-FOR-US: Solaris CVE-2008-3837 (Mozilla Firefox before 2.0.0.17 and 3.x before 3.0.2, and SeaMonkey be ...) {DSA-1697-1 DSA-1669-1 DSA-1649-1} - iceweasel 3.0.3-1 (low) - xulrunner 1.9.0.3-1 (low) - iceape 1.1.12-1 (low) CVE-2008-3836 (feedWriter in Mozilla Firefox before 2.0.0.17 allows remote attackers ...) {DSA-1697-1 DSA-1669-1 DSA-1649-1} - iceweasel 3.0.1-1 - xulrunner 1.9.0.1-1 - iceape 1.1.12-1 CVE-2008-3835 (The nsXMLDocument::OnChannelRedirect function in Mozilla Firefox befor ...) {DSA-1697-1 DSA-1696-1 DSA-1669-1 DSA-1649-1} - xulrunner 1.9.0.1-1 - iceweasel 3.0.1-1 - iceape 1.1.12-1 - icedove 2.0.0.17-1 CVE-2008-3834 (The dbus_signature_validate function in the D-bus library (libdbus) be ...) {DSA-1658-1} - dbus 1.2.1-4 (bug #501443) CVE-2008-3833 (The generic_file_splice_write function in fs/splice.c in the Linux ker ...) {DSA-1653-1} - linux-2.6 2.6.19-1 - linux-2.6.24 (Fixed in upstream before 2.6.24) CVE-2008-3832 (A certain Fedora patch for the utrace subsystem in the Linux kernel be ...) - linux-2.6 (Fedora-specific patch) - linux-2.6.24 (Fedora-specific patch) CVE-2008-3831 (The i915 driver in (1) drivers/char/drm/i915_dma.c in the Linux kernel ...) {DSA-1655-1} [etch] - linux-2.6 (Vulnerable code not present) - linux-2.6 2.6.26-9 CVE-2008-3830 (Condor before 7.0.5 does not properly handle when the configuration sp ...) - condor (Fixed before initial upload to archive) CVE-2008-3829 (Unspecified vulnerability in the condor_ schedd daemon in Condor befor ...) - condor (Fixed before initial upload to archive) CVE-2008-3828 (Stack-based buffer overflow in the condor_ schedd daemon in Condor bef ...) - condor (Fixed before initial upload to archive) CVE-2008-3827 (Multiple integer underflows in the Real demuxer (demux_real.c) in MPla ...) {DSA-1644-1 DTSA-168-1} - mplayer 1.0~rc2-18 (medium; bug #500683) NOTE: http://www.ocert.org/advisories/ocert-2008-013.html CVE-2008-3826 (Unspecified vulnerability in Condor before 7.0.5 allows attackers to e ...) - condor (Fixed before initial upload to archive) CVE-2008-3825 (pam_krb5 2.2.14 in Red Hat Enterprise Linux (RHEL) 5 and earlier, when ...) NOT-FOR-US: Different code base than Debian's libpam-krb5 CVE-2008-3824 (Cross-site scripting (XSS) vulnerability in (1) Text_Filter/Filter/xss ...) {DSA-1642-1 DTSA-165-1} - horde3 3.2.2+debian0-1 (low; bug #499579) CVE-2008-3823 (Cross-site scripting (XSS) vulnerability in MIME/MIME/Contents.php in ...) {DSA-1642-1 DTSA-165-1} - horde3 3.2.2+debian0-1 (low; bug #499579) CVE-2008-3822 REJECTED CVE-2008-3821 (Multiple cross-site scripting (XSS) vulnerabilities in the HTTP server ...) NOT-FOR-US: Cisco IOS CVE-2008-3820 (Cisco Security Manager 3.1 and 3.2 before 3.2.2, when Cisco IPS Event ...) NOT-FOR-US: Cisco Security Manager CVE-2008-3819 (dnsserver in Cisco Application Control Engine Global Site Selector (GS ...) NOT-FOR-US: Cisco Application Control Engine Global Site Selector (GSS) CVE-2008-3818 (Cisco ONS 15310-CL, 15310-MA, 15327, 15454, 15454 SDH, and 15600 with ...) NOT-FOR-US: Cisco ONS CVE-2008-3817 (Memory leak in Cisco Adaptive Security Appliances (ASA) 5500 Series an ...) NOT-FOR-US: Cisco CVE-2008-3816 (Unspecified vulnerability in Cisco Adaptive Security Appliances (ASA) ...) NOT-FOR-US: Cisco CVE-2008-3815 (Unspecified vulnerability in Cisco Adaptive Security Appliances (ASA) ...) NOT-FOR-US: Cisco CVE-2008-3814 (Unspecified vulnerability in Cisco Unity 4.x before 4.2(1)ES161, 5.x b ...) NOT-FOR-US: Cisco CVE-2008-3813 (Unspecified vulnerability in Cisco IOS 12.2 and 12.4, when the L2TP mg ...) NOT-FOR-US: Cisco IOS CVE-2008-3812 (Cisco IOS 12.4, when IOS firewall Application Inspection Control (AIC) ...) NOT-FOR-US: Cisco IOS CVE-2008-3811 (Cisco IOS 12.2 and 12.4, when NAT Skinny Call Control Protocol (SCCP) ...) NOT-FOR-US: Cisco IOS CVE-2008-3810 (Cisco IOS 12.2 and 12.4, when NAT Skinny Call Control Protocol (SCCP) ...) NOT-FOR-US: Cisco IOS CVE-2008-3809 (Cisco IOS 12.0 through 12.4 on Gigabit Switch Router (GSR) devices (ak ...) NOT-FOR-US: Cisco IOS CVE-2008-3808 (Unspecified vulnerability in Cisco IOS 12.0 through 12.4 allows remote ...) NOT-FOR-US: Cisco IOS CVE-2008-3807 (Cisco IOS 12.2 and 12.3 on Cisco uBR10012 series devices, when linecar ...) NOT-FOR-US: Cisco IOS CVE-2008-3806 (Cisco IOS 12.0 through 12.4 on Cisco 10000, uBR10012 and uBR7200 serie ...) NOT-FOR-US: Cisco IOS CVE-2008-3805 (Cisco IOS 12.0 through 12.4 on Cisco 10000, uBR10012 and uBR7200 serie ...) NOT-FOR-US: Cisco IOS CVE-2008-3804 (Unspecified vulnerability in the Multi Protocol Label Switching (MPLS) ...) NOT-FOR-US: Cisco IOS CVE-2008-3803 (A "logic error" in Cisco IOS 12.0 through 12.4, when a Multiprotocol L ...) NOT-FOR-US: Cisco IOS CVE-2008-3802 (Unspecified vulnerability in the Session Initiation Protocol (SIP) imp ...) NOT-FOR-US: Cisco IOS CVE-2008-3801 (Unspecified vulnerability in the Session Initiation Protocol (SIP) imp ...) NOT-FOR-US: Cisco IOS CVE-2008-3800 (Unspecified vulnerability in the Session Initiation Protocol (SIP) imp ...) NOT-FOR-US: Cisco IOS CVE-2008-3799 (Memory leak in the Session Initiation Protocol (SIP) implementation in ...) NOT-FOR-US: Cisco IOS CVE-2008-3798 (Cisco IOS 12.4 allows remote attackers to cause a denial of service (d ...) NOT-FOR-US: Cisco IOS CVE-2008-3797 RESERVED CVE-2008-3796 (Swfdec 0.6 before 0.6.8 allows remote attackers to cause a denial of s ...) - swfdec0.6 0.6.8-1 CVE-2008-3795 (Buffer overflow in Ipswitch WS_FTP Home client allows remote FTP serve ...) NOT-FOR-US: WS_FTP Home CVE-2008-3793 REJECTED CVE-2008-3792 (net/sctp/socket.c in the Stream Control Transmission Protocol (sctp) i ...) {DSA-1636-1} - linux-2.6.24 2.6.24-6~etchnhalf.5 - linux-2.6 2.6.26-4 [etch] - linux-2.6 CVE-2008-3788 (Multiple SQL injection vulnerabilities in PICTURESPRO Photo Cart 3.9, ...) NOT-FOR-US: PICTURESPRO Photo Cart 3.9 CVE-2008-3787 (SQL injection vulnerability in listing_view.php in Web Directory Scrip ...) NOT-FOR-US: Web Directory Script CVE-2008-3786 (Cross-site scripting (XSS) vulnerability in index.php in PICTURESPRO P ...) NOT-FOR-US: PICTURESPRO Photo Cart 3.9 CVE-2008-3785 (Multiple SQL injection vulnerabilities in the com_content component in ...) NOT-FOR-US: MiaCMS CVE-2008-3784 (SQL injection vulnerability in scrape.php in BtiTracker 1.4.7 and earl ...) NOT-FOR-US: BtiTracker CVE-2008-3783 (Multiple SQL injection vulnerabilities in index.php in Matterdaddy Mar ...) NOT-FOR-US: Matterdaddy Market CVE-2008-3782 (Multiple cross-site scripting (XSS) vulnerabilities in admin/index.php ...) NOT-FOR-US: ACG-PTP CVE-2008-3781 (Cross-site scripting (XSS) vulnerability in GMOD GBrowse before 1.69 a ...) NOT-FOR-US: GMOD GBrowse CVE-2008-3780 (SQL injection vulnerability in recommend.php in Five Star Review Scrip ...) NOT-FOR-US: Five Star Review Script CVE-2008-3779 (Cross-site scripting (XSS) vulnerability in search/index.php in Five S ...) NOT-FOR-US: Five Star Review Script CVE-2008-3778 (The remote management interface in SIP Enablement Services (SES) Serve ...) NOT-FOR-US: Avaya SIP Enablement Services CVE-2008-3777 (The SIP Enablement Services (SES) Server in Avaya SIP Enablement Servi ...) NOT-FOR-US: Avaya SIP Enablement Services CVE-2008-3776 (Directory traversal vulnerability in Fujitsu Web-Based Admin View 2.1. ...) NOT-FOR-US: Fujitsu Web-Based Admin View CVE-2008-3775 (Folder Lock 5.9.5 and earlier uses weak encryption (ROT-25) for the pa ...) NOT-FOR-US: Folder Lock CVE-2008-3774 (SQL injection vulnerability in index.php in Simasy CMS allows remote a ...) NOT-FOR-US: Simasy CMS CVE-2008-3773 (Cross-site scripting (XSS) vulnerability in vBulletin 3.7.2 PL1 and 3. ...) NOT-FOR-US: vBulletin CVE-2008-3772 (SQL injection vulnerability in categories_portal.php in Pars4u Videosh ...) NOT-FOR-US: Pars4u Videosharing CVE-2008-3771 (Cross-site scripting (XSS) vulnerability in members.php in Pars4u Vide ...) NOT-FOR-US: Pars4u Videosharing CVE-2008-3770 (Multiple directory traversal vulnerabilities in Freeway 1.4.1.171, whe ...) NOT-FOR-US: Freeway CVE-2008-3769 (PHP remote file inclusion vulnerability in admin/create_order_new.php ...) NOT-FOR-US: Freeway CVE-2008-3768 (Multiple SQL injection vulnerabilities in class.ajax.php in Turnkey We ...) NOT-FOR-US: Turnkey Web Tools SunShop Shopping Cart CVE-2008-3767 (SQL injection vulnerability in classified.php in phpBazar 2.0.2 allows ...) NOT-FOR-US: phpBazar CVE-2008-3766 (Realtime Internet Band Rehearsal Low-Latency (Internet) Connection too ...) NOT-FOR-US: Realtime Internet Band Rehearsal Low-Latency (Internet) Connection tool (llcon) CVE-2008-3765 (SQL injection vulnerability in code.php in Quick Poll Script allows re ...) NOT-FOR-US: Quick Poll Script CVE-2008-3764 (Eval injection vulnerability in globalsoff.php in Turnkey PHP Live Hel ...) NOT-FOR-US: Turnkey PHP Live Helper CVE-2008-3763 (Variable overwrite vulnerability in libsecure.php in Turnkey PHP Live ...) NOT-FOR-US: Turnkey PHP Live Helper CVE-2008-3762 (SQL injection vulnerability in onlinestatus_html.php in Turnkey PHP Li ...) NOT-FOR-US: Turnkey PHP Live Helper CVE-2008-3761 (hcmon.sys in VMware Workstation 6.5.1 and earlier, VMware Player 2.5.1 ...) NOT-FOR-US: VMware Workstation NOTE: we only share a package to build VMware CVE-2008-3760 (Cross-site request forgery (CSRF) vulnerability in the sign-out page i ...) NOT-FOR-US: Vanilla CVE-2008-3759 (Cross-site request forgery (CSRF) vulnerability in ajax/UpdateCheck.ph ...) NOT-FOR-US: Vanilla CVE-2008-3758 (Multiple cross-site scripting (XSS) vulnerabilities in Lussumo Vanilla ...) NOT-FOR-US: Vanilla CVE-2008-3757 (SQL injection vulnerability in tr1.php in YourFreeWorld Forced Matrix ...) NOT-FOR-US: YourFreeWorld CVE-2008-3756 (SQL injection vulnerability in tr.php in YourFreeWorld Viral Marketing ...) NOT-FOR-US: YourFreeWorld CVE-2008-3755 (SQL injection vulnerability in view.php in YourFreeWorld Classifieds S ...) NOT-FOR-US: YourFreeWorld CVE-2008-3754 (SQL injection vulnerability in trl.php in YourFreeWorld Stylish Text A ...) NOT-FOR-US: YourFreeWorld CVE-2008-3753 (SQL injection vulnerability in details.php in YourFreeWorld Programs R ...) NOT-FOR-US: YourFreeWorld CVE-2008-3752 (SQL injection vulnerability in tr.php in YourFreeWorld Ad-Exchange Scr ...) NOT-FOR-US: YourFreeWorld CVE-2008-3751 (SQL injection vulnerability in tr.php in YourFreeWorld Short Url & ...) NOT-FOR-US: YourFreeWorld CVE-2008-3750 (SQL injection vulnerability in tr.php in YourFreeWorld URL Rotator Scr ...) NOT-FOR-US: YourFreeWorld CVE-2008-3749 (SQL injection vulnerability in tr.php in YourFreeWorld Banner Manageme ...) NOT-FOR-US: Banner Management Script CVE-2008-3748 (SQL injection vulnerability in view_group.php in Active PHP Bookmarks ...) NOT-FOR-US: Active PHP Bookmarks CVE-2008-4952 (emacs-jabber in emacs-jabber 0.7.91 allows local users to overwrite ar ...) - emacs-jabber 0.7.91-2 (low; bug #496428) [etch] - emacs-jabber (Minor issue) CVE-2008-4987 (xastir 1.9.2 allows local users to overwrite arbitrary files via a sym ...) - xastir 1.9.2-1.1 (low; bug #496383) [etch] - xastir (Minor issue) CVE-2008-4477 (alert.d/test.alert in mon 0.99.2 allows local users to overwrite arbit ...) {DSA-1648-1} - mon 0.99.2-13 (medium; bug #496398) CVE-2008-3790 (The REXML module in Ruby 1.8.6 through 1.8.6-p287, 1.8.7 through 1.8.7 ...) {DSA-1652-1 DSA-1651-1} - ruby1.8 1.8.7.72-1 (bug #496808) - ruby1.9 1.9.0.2-6 (bug #497610) CVE-2008-4939 (apertium 3.0.7 allows local users to overwrite arbitrary files via a s ...) - apertium 3.0.7+1-1.1 (low; bug #496395) [etch] - apertium (Minor issue) CVE-2008-4946 (convirt 0.8.2 allows local users to overwrite arbitrary files via a sy ...) - convirt 0.9.6-1 (medium; bug #496419) CVE-2008-4942 (audiolink in audiolink 0.05 allows local users to overwrite arbitrary ...) - audiolink 0.05-1.1 (low; bug #496433) [etch] - audiolink (Minor issue) CVE-2008-4968 (The (1) rccs and (2) STUFF scripts in lmbench 3.0-a7 allow local users ...) - lmbench 3.0-a9-1 (low; bug #496427) [etch] - lmbench (Non-free not supported) CVE-2008-4975 (mkmailpost in newsgate 1.6 allows local users to overwrite arbitrary f ...) - newsgate (low; bug #496437) [etch] - newsgate (Non-free not supported) CVE-2008-4973 (i2myspell in myspell 3.1 allows local users to overwrite arbitrary fil ...) - myspell 1:3.0+pre3.1-21 (low; bug #496392) [etch] - myspell (Minor issue) CVE-2008-4976 (ogle 0.9.2 and ogle-mmx 0.9.2 allow local users to overwrite arbitrary ...) - ogle (unimportant; bug #496420; bug #496425) NOTE: This only affects debugging scripts not present in standard path CVE-2008-3789 (Samba 3.2.0 uses weak permissions (0666) for the (1) group_mapping.tdb ...) {DTSA-161-1} - samba 2:3.2.3-1 (bug #496073; medium) [etch] - samba (Only affects Samba 3.2.x) CVE-2008-XXXX [insecure temp file in nvi] - nvi 1.81.6-4 (low; bug #496462) [etch] - nvi (Minor issue, only exploitable in postinst) CVE-2008-4982 (rkhunter in rkhunter 1.3.2 allows local users to overwrite arbitrary f ...) - rkhunter 1.3.2-6 (low; bug #496375) [etch] - rkhunter (Minor issue, only in debug mode) CVE-2008-4984 (scratchbox2 1.99.0.24 allows local users to overwrite arbitrary files ...) - scratchbox2 1.99.0.24-2 (low; bug #496409) CVE-2008-4981 (perl.robot in realtimebattle 1.0.8 allows local users to overwrite arb ...) - realtimebattle 1.0.8-8 (low; bug #496385) [etch] - realtimebattle (Minor issue) CVE-2008-4972 (mailgo in mgt 2.31 allows local users to overwrite arbitrary files via ...) - mgt 2.31-6 (low; bug #496434) [etch] - mgt (Minor issue) CVE-2008-4998 - twiki 1:4.1.2-4 (low; bug #494648) CVE-2008-4971 (mafft-homologs in mafft 6.240 allows local users to overwrite arbitrar ...) - mafft 6.240-2 (low; bug #496366) CVE-2008-4993 (qemu-dm.debug in Xen 3.2.1 allows local users to overwrite arbitrary f ...) - xen-3 3.4.0-1 (low; bug #496367) [etch] - xen-3 (Minor issue) CVE-2008-4936 (faxspool in mgetty 1.1.36 allows local users to overwrite arbitrary fi ...) - mgetty 1.1.36-1.3 (low; bug #496403) [etch] - mgetty (Minor issue) CVE-2008-4476 (sympa.pl in sympa 5.3.4 allows local users to overwrite arbitrary file ...) - sympa 5.3.4-5.1 (low; bug #496405; bug #494969) [etch] - sympa (Minor issues) CVE-2008-4935 (asciiview in aview 1.3.0 allows local users to overwrite arbitrary fil ...) - aview 1.3.0rc1-8.1 (low; bug #496422) [etch] - aview (Minor issue) CVE-2008-4956 (fwb_install in fwbuilder 2.1.19 allows local users to overwrite arbitr ...) - fwbuilder 2.1.19-5 (low; bug #496406) [etch] - fwbuilder (Minor issue) CVE-2008-4440 (The to-upgrade plugin in feta 1.4.16 allows local users to overwrite a ...) {DSA-1643-1} - feta 1.4.16+nmu1 (low; bug #496397) CVE-2008-4977 NOTE: Historic Postfix non issue, #496401 CVE-2008-4944 (writtercontrol in cdcontrol 1.90 allows local users to overwrite arbit ...) - cdcontrol (low; bug #496438) [etch] - cdcontrol (Minor issue) CVE-2008-4951 (dtc 0.29.6 allows local users to overwrite arbitrary files via a symli ...) - dtc 0.29.10-1 (low; bug #496362) CVE-2008-4994 (The (1) ncsarmt and (2) ncsawrap scripts in xmcd 2.6 allows local user ...) - xmcd 2.6-21 (low; bug #496416) [etch] - xmcd (Minor issue) CVE-2008-4988 (pscal in xcal 4.1 allows local users to overwrite arbitrary files via ...) - xcal 4.1-19 (low; bug #496393) [etch] - xcal (Minor issue) CVE-2008-3791 (src/main-win.c in GPicView 0.1.9 in Lightweight X11 Desktop Environmen ...) - gpicview 0.1.9-2 (low; bug #495968) NOTE: http://sourceforge.net/tracker/index.php?func=detail&aid=2019481&group_id=180858&atid=894869 CVE-2008-XXXX [Overwrite symlink without check] - gpicview 0.1.10-1 (unimportant; bug #497005) NOTE: http://sourceforge.net/tracker/index.php?func=detail&aid=2019485&group_id=180858&atid=894869 NOTE: CVE id requested NOTE: non-issue, not exploitable by other users CVE-2008-XXXX [Overwrite certain images without notice] - gpicview 0.1.10-1 (unimportant; bug #497005) NOTE: http://sourceforge.net/tracker/index.php?func=detail&aid=2019492&group_id=180858&atid=894869 NOTE: non-issue, not exploitable by other users NOTE: CVE id requested CVE-2008-4937 (senddoc in OpenOffice.org (OOo) 2.4.1 allows local users to overwrite ...) - openoffice.org 1:2.4.1-8 (low; bug #496361) [etch] - openoffice.org (Vulnerable code not present) NOTE: also not present in 3.0.0, only in 2.4.1. Fix pending upload. CVE-2008-4979 (getipacctg in rancid 2.3.2~a8 allows local users to overwrite arbitrar ...) - rancid 2.3.2~a8-2 (low; bug #496426) [etch] - rancid (Minor issue) CVE-2008-4985 (vdrleaktest in Video Disk Recorder (aka vdr-dbg or vdr) 1.6.0 allows l ...) - vdr 1.6.0-6 (low; bug #496421) [etch] - vdr (Vulnerable code not present) CVE-2008-5007 (create_lazarus_export_tgz.sh in lazarus 0.9.24 allows local users to o ...) - lazarus 0.9.24-0-11 (unimportant; bug #496377) NOTE: vulnerable script only called when updating the source NOTE: thus neither actively used nor invoked automatically CVE-2008-3794 (Integer signedness error in the mms_ReceiveCommand function in modules ...) {DSA-1819-1 DTSA-166-1} - vlc 0.8.6.h-4 (medium; bug #496265) CVE-2008-3747 (The (1) get_edit_post_link and (2) get_edit_comment_link functions in ...) - wordpress 2.5.1-6 (low; bug #497216) [etch] - wordpress (Does not have force-sll mechanism) CVE-2008-3746 (neon 0.28.0 through 0.28.2 allows remote servers to cause a denial of ...) - neon27 0.28.2-4 - neon26 (Issue was introduced in 0.28) CVE-2008-3739 (Cross-site scripting (XSS) vulnerability in (1) System Consultants La! ...) NOT-FOR-US: La!Cooda WIZ CVE-2008-3738 (Session fixation vulnerability in SpaceTag LacoodaST 2.1.3 and earlier ...) NOT-FOR-US: SpaceTag LacoodaST CVE-2008-3737 (Unspecified vulnerability in (1) System Consultants La!Cooda WIZ 1.4.0 ...) NOT-FOR-US: La!Cooda WIZ CVE-2008-3736 (Multiple cross-site request forgery (CSRF) vulnerabilities in (1) Syst ...) NOT-FOR-US: La!Cooda WIZ CVE-2008-3735 (Cross-site scripting (XSS) vulnerability in index.php in PHPizabi befo ...) NOT-FOR-US: PHPizabi CVE-2008-3734 (Format string vulnerability in Ipswitch WS_FTP Home 2007.0.0.2 and WS_ ...) NOT-FOR-US: WS_FTP Home CVE-2008-3733 (Stack-based buffer overflow in EO Video (eo-video) 1.36 allows remote ...) NOT-FOR-US: EO Video CVE-2008-3732 (Integer overflow in the Open function in modules/demux/tta.c in VLC Me ...) {DTSA-166-1} - vlc 0.8.6.h-2 [etch] - vlc (TTA module not present) CVE-2008-3731 (Unspecified vulnerability in Serv-U File Server 7.0.0.1, and other ver ...) NOT-FOR-US: Serv-U File CVE-2008-3730 (Cross-site scripting (XSS) vulnerability in Nordicwind Document Manage ...) NOT-FOR-US: NOAH CVE-2008-3729 (Web Based Administration in MicroWorld Technologies MailScan 5.6.a esp ...) NOT-FOR-US: MicroWorld Technologies MailScan CVE-2008-3728 (Web Based Administration in MicroWorld Technologies MailScan 5.6.a esp ...) NOT-FOR-US: MicroWorld Technologies MailScan CVE-2008-3727 (Directory traversal vulnerability in Web Based Administration in Micro ...) NOT-FOR-US: MicroWorld Technologies MailScan CVE-2008-3726 (Cross-site scripting (XSS) vulnerability in Web Based Administration i ...) NOT-FOR-US: MicroWorld Technologies MailScan CVE-2008-3725 (SQL injection vulnerability in trr.php in YourFreeWorld Ad Board Scrip ...) NOT-FOR-US: YourFreeWorld Ad Board Script CVE-2008-3724 (SQL injection vulnerability in index.php in Papoo before 3.7.2 allows ...) NOT-FOR-US: Papoo CVE-2008-3723 (Directory traversal vulnerability in index.php in PHPizabi 0.848b C1 H ...) NOT-FOR-US: PHPizabi CVE-2008-3722 (SQL injection vulnerability in forum/neu.asp in fipsCMS 2.1 allows rem ...) NOT-FOR-US: fipsCMS CVE-2008-3721 (PHP remote file inclusion vulnerability in user_language.php in DeeEmm ...) NOT-FOR-US: DeeEmm CMS CVE-2008-3720 (SQL injection vulnerability in index.php in DeeEmm CMS (DMCMS) 0.7.4 a ...) NOT-FOR-US: DeeEmm CMS CVE-2008-3719 (SQL injection vulnerability in directory.php in SFS Affiliate Director ...) NOT-FOR-US: SFS Affiliate Directory CVE-2008-3718 (Multiple SQL injection vulnerabilities in cyberBB 0.6 allow remote aut ...) NOT-FOR-US: cyberBB CVE-2008-3717 (Harmoni before 1.6.0 does not require administrative privileges to lis ...) NOT-FOR-US: Harmoni CVE-2008-3716 (Cross-site request forgery (CSRF) vulnerability in Harmoni before 1.6. ...) NOT-FOR-US: Harmoni CVE-2008-3715 (Cross-site scripting (XSS) vulnerability in inc-core-admin-editor-prev ...) NOT-FOR-US: FlexCMS CVE-2008-3714 (Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8 ...) {DSA-1679-1} - awstats 6.7.dfsg-5.1 (bug #495432; low) NOTE: upstream bug 2001151 CVE-2008-3713 (SQL injection vulnerability in product.php in PHPBasket allows remote ...) NOT-FOR-US: PHPBasket CVE-2008-3712 (Multiple cross-site scripting (XSS) vulnerabilities in Mambo 4.6.2 and ...) NOT-FOR-US: Mambo CVE-2008-3711 (SQL injection vulnerability in index.php in PHPArcadeScript (PHP Arcad ...) NOT-FOR-US: PHPArcadeScript CVE-2008-3710 (Multiple directory traversal vulnerabilities in CyBoards PHP Lite 1.21 ...) NOT-FOR-US: CyBoards PHP Lite CVE-2008-3709 (Multiple cross-site scripting (XSS) vulnerabilities in CyBoards PHP Li ...) NOT-FOR-US: CyBoards PHP Lite CVE-2008-3708 (Multiple directory traversal vulnerabilities in dotCMS 1.6.0.9 allow r ...) NOT-FOR-US: dotCMS CVE-2008-3707 (Multiple PHP remote file inclusion vulnerabilities in CyBoards PHP Lit ...) NOT-FOR-US: CyBoards PHP Lite CVE-2008-3706 (SQL injection vulnerability in bannerclick.php in ZEEJOBSITE 2.0 allow ...) NOT-FOR-US: ZEEJOBSITE CVE-2008-3705 (Stack-based buffer overflow in the CLogger::WriteFormated function in ...) NOT-FOR-US: EchoVNC Linux CVE-2008-3704 (Heap-based buffer overflow in the MaskedEdit ActiveX control in Msmask ...) NOT-FOR-US: Msmask32.ocx CVE-2008-3703 (The management console in the Volume Manager Scheduler Service (aka Vx ...) NOT-FOR-US: Symantec Veritas Storage Foundation CVE-2008-3702 (Multiple stack-based buffer overflows in the Animation GIF ActiveX con ...) NOT-FOR-US: SpeedBit Download Accelerator Plus CVE-2008-3701 (SQL injection vulnerability in staff/index.php in Kayako SupportSuite ...) NOT-FOR-US: Kayako SupportSuite CVE-2008-3700 (Multiple cross-site scripting (XSS) vulnerabilities in Kayako SupportS ...) NOT-FOR-US: Kayako SupportSuite CVE-2008-3698 (Unspecified vulnerability in the OpenProcess function in VMware Workst ...) - vmware-package (Only vulnerable on windows hosted systems) CVE-2008-3697 (An unspecified ISAPI extension in VMware Server before 1.0.7 build 108 ...) NOT-FOR-US: VMware Server on Windows CVE-2008-3696 (Unspecified vulnerability in a certain ActiveX control in VMware Works ...) - vmware-package (Only vulnerable on windows hosted systems) CVE-2008-3695 (Unspecified vulnerability in a certain ActiveX control in VMware Works ...) - vmware-package (Only vulnerable on windows hosted systems) CVE-2008-3694 (Unspecified vulnerability in a certain ActiveX control in VMware Works ...) - vmware-package (Only vulnerable on windows hosted systems) CVE-2008-3693 (Unspecified vulnerability in a certain ActiveX control in VMware Works ...) - vmware-package (Only vulnerable on windows hosted systems) CVE-2008-3692 (Unspecified vulnerability in a certain ActiveX control in VMware Works ...) - vmware-package (Only vulnerable on windows hosted systems) CVE-2008-3691 (Unspecified vulnerability in a certain ActiveX control in VMware Works ...) - vmware-package (Only vulnerable on windows hosted systems) CVE-2008-3690 RESERVED CVE-2008-3689 RESERVED CVE-2008-3688 (sockethandler.cpp in HTTP Antivirus Proxy (HAVP) 0.88 allows remote at ...) {DTSA-159-1} - havp 0.88-1.1 (bug #496034) CVE-2008-3687 (Heap-based buffer overflow in the flask_security_label function in Xen ...) - xen-3 (Not compiled with XSM:FLASK) CVE-2008-3686 (The rt6_fill_node function in net/ipv6/route.c in Linux kernel 2.6.26- ...) - linux-2.6.24 (Vulnerable code was introduced in 2.6.26) - linux-2.6 2.6.26-5 [etch] - linux-2.6 (Vulnerable code was introduced in 2.6.26) CVE-2008-3685 (Directory traversal vulnerability in aws_tmxn.exe in the Admin Agent s ...) NOT-FOR-US: EMC Documentum ApplicationXtender Workflow CVE-2008-3684 (Heap-based buffer overflow in aws_tmxn.exe in the Admin Agent service ...) NOT-FOR-US: EMC Documentum ApplicationXtender Workflow CVE-2008-3683 (Unspecified vulnerability in the FTP subsystem in Sun Java System Web ...) NOT-FOR-US: Sun Java System Web Proxy Server CVE-2008-3682 (SQL injection vulnerability in dpage.php in YPN PHP Realty allows remo ...) NOT-FOR-US: YPN PHP Realty CVE-2008-3681 (components/com_user/models/reset.php in Joomla! 1.5 through 1.5.5 does ...) NOT-FOR-US: Joomla! CVE-2008-3680 (The decryption function in Flagship Industries Ventrilo 3.0.2 and earl ...) NOT-FOR-US: Flagship Industries Ventrilo CVE-2008-3679 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in ID ...) NOT-FOR-US: IDevSpot PhpLinkExchange CVE-2008-3678 (Cross-site scripting (XSS) vulnerability in admin/search_links.php in ...) NOT-FOR-US: Freeway CVE-2008-3677 (Directory traversal vulnerability in includes/events_application_top.p ...) NOT-FOR-US: Freeway CVE-2008-3676 (Unspecified vulnerability in the IMAP server in hMailServer 4.4.1 allo ...) NOT-FOR-US: hMailServer CVE-2008-3675 (Directory traversal vulnerability in classes/imgsize.php in Gelato 0.9 ...) NOT-FOR-US: Gelato CVE-2008-3674 (SQL injection vulnerability in ugroups.php in PozScripts TubeGuru Vide ...) NOT-FOR-US: PozScripts TubeGuru Video Sharing Script CVE-2008-3673 (SQL injection vulnerability in browsecats.php in PozScripts Classified ...) NOT-FOR-US: PozScripts Classified Ads CVE-2008-3672 (SQL injection vulnerability in showcategory.php in PozScripts Classifi ...) NOT-FOR-US: PozScripts Classified Ads CVE-2008-3671 (Acronis True Image Echo Server 9.x build 8072 on Linux does not proper ...) NOT-FOR-US: Echo Server CVE-2008-3670 (SQL injection vulnerability in authordetail.php in Article Friendly Pr ...) NOT-FOR-US: Article Friendly Pro CVE-2008-3669 (SQL injection vulnerability in comments.php in ZeeScripts Reviews Opin ...) NOT-FOR-US: ZeeScripts Reviews Opinions Rating Posting Engine Web-Site PHP CVE-2008-3668 (Multiple cross-site scripting (XSS) vulnerabilities in the Yogurt Soci ...) NOT-FOR-US: XOOPS CVE-2008-3667 (Stack-based buffer overflow in Maxthon Browser 2.0 and earlier allows ...) NOT-FOR-US: Maxthon Browser CVE-2006-7233 (Cross-site scripting (XSS) vulnerability in the login form (login.jsp) ...) NOT-FOR-US: Openfire CVE-2005-4877 (Cross-site scripting (XSS) vulnerability in the login form (login.jsp) ...) NOT-FOR-US: Openfire CVE-2005-4876 (Cross-site scripting (XSS) vulnerability in the login form (login.jsp) ...) NOT-FOR-US: Openfire CVE-2003-1563 (Sun Cluster 2.2 through 3.2 for Oracle Parallel Server / Real Applicat ...) NOT-FOR-US: Oracle CVE-2008-3699 (The MagnatuneBrowser::listDownloadComplete function in magnatunebrowse ...) - amarok 1.4.10-1 (unimportant; bug #494765) [etch] - amarok NOTE: The code in question doesn't dereference the symlink, tested with Etch NOTE: and Lenny. Given that it only takes a minute to test this, it's surprising NOTE: that at least one vendor issued an advisory and upstream pushed a new release... CVE-2008-3740 (Cross-site scripting (XSS) vulnerability in the output filter in Drupa ...) {DTSA-156-1} - drupal5 5.10-1 (low; bug #495122) - drupal-4.7 CVE-2008-3741 (The private filesystem in Drupal 5.x before 5.10 and 6.x before 6.4 tr ...) {DTSA-156-1} - drupal5 5.10-1 (low; bug #495122) - drupal-4.7 CVE-2008-3742 (Unrestricted file upload vulnerability in the BlogAPI module in Drupal ...) {DTSA-156-1} - drupal5 5.10-1 (medium; bug #495122) - drupal-4.7 CVE-2008-3743 (Multiple cross-site request forgery (CSRF) vulnerabilities in forms in ...) {DTSA-156-1} - drupal5 (Vulnerable code not present) - drupal-4.7 CVE-2008-3744 (Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5 ...) {DTSA-156-1} - drupal5 5.10-1 (low; bug #495122) - drupal-4.7 CVE-2008-3745 (The Upload module in Drupal 6.x before 6.4 allows remote authenticated ...) {DTSA-156-1} - drupal5 (Vulnerable code only present in 6.x) - drupal-4.7 CVE-2008-3666 (Unspecified vulnerability in Sun Solaris 10 and OpenSolaris before snv ...) NOT-FOR-US: Sun Solaris 10 CVE-2008-3665 RESERVED CVE-2008-3664 (Multiple cross-site scripting (XSS) vulnerabilities in XRMS allow remo ...) NOT-FOR-US: XRMS CRM CVE-2008-3663 (Squirrelmail 1.4.15 does not set the secure flag for the session cooki ...) - squirrelmail 2:1.4.15-3 (low; bug #499942) [etch] - squirrelmail (less important and fix changes behaviour) NOTE: only relevant for installations that are also offered over http NOTE: which isn't normally a good idea anyway. Fixing in stable will NOTE: change behaviour so not really suited for DSA. CVE-2008-3662 (Gallery before 1.5.9, and 2.x before 2.2.6, does not set the secure fl ...) - gallery 1.5.9-1 - gallery2 2.2.6-1 CVE-2008-3661 (Drupal, probably 5.10 and 6.4, does not set the secure flag for the se ...) - drupal5 5.10-2 (low; bug #501063) - drupal6 6.4-2 (low; bug #501058) NOTE: drupal upstreams advise the users to set session.cookie_secure in the php configuration NOTE: to fix this has been documented in README.Debian CVE-2008-3660 (PHP 4.4.x before 4.4.9, and 5.x through 5.2.6, when used as a FastCGI ...) {DSA-1647-1} - php5 5.2.6-4 (medium) - php4 NOTE: *not* duplicate after all, needs review NOTE: http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/cgi_main.c?r1=1.267.2.15.2.57&r2=1.267.2.15.2.58&view=patch CVE-2008-3659 (Buffer overflow in the memnstr function in PHP 4.4.x before 4.4.9 and ...) {DSA-1647-1} - php4 - php5 5.2.6-4 (medium) NOTE: php5 -d memory_limit=256M -r '$res = explode(str_repeat("A",145999999),1);' NOTE: (From upstream's ext/standard/tests/strings/explode_bug.phpt) NOTE: could not reproduce locally NOTE: fix in pkg-php svn for both etch and sid CVE-2008-3658 (Buffer overflow in the imageloadfont function in ext/gd/gd.c in PHP 4. ...) {DSA-1647-1} - php4 - php5 5.2.6-4 (medium) NOTE: fix in pkg-php svn for both etch and sid CVE-2008-3657 (The dl module in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8 ...) {DSA-1652-1 DSA-1651-1} - ruby1.8 1.8.7.72-1 (bug #494401) - ruby1.9 1.9.0.2-6 (bug #494402) NOTE: http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/ CVE-2008-3656 (Algorithmic complexity vulnerability in the WEBrick::HTTPUtils.split_h ...) {DSA-1652-1 DSA-1651-1} - ruby1.8 1.8.7.72-1 (bug #494401) - ruby1.9 1.9.0.2-6 (bug #494402) NOTE: http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/ CVE-2008-3655 (Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7- ...) {DSA-1652-1 DSA-1651-1} - ruby1.8 1.8.7.72-1 (bug #494401) - ruby1.9 1.9.0.2-6 (bug #494402) NOTE: http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/ CVE-2008-3654 (Unspecified vulnerability in TikiWiki CMS/Groupware before 2.0 allows ...) - tikiwiki CVE-2008-3653 (Multiple unspecified vulnerabilities in TikiWiki CMS/Groupware before ...) - tikiwiki CVE-2008-3652 (src/racoon/handler.c in racoon in ipsec-tools does not remove an "orph ...) - ipsec-tools 0.7.1-1.2 (low; bug #501026) [etch] - ipsec-tools (Minor issue) NOTE: attacker needs to be authenticated, see https://bugzilla.redhat.com/show_bug.cgi?id=456660 CVE-2008-3651 (Memory leak in racoon/proposal.c in the racoon daemon in ipsec-tools b ...) - ipsec-tools 1:0.7.1-1 (low; bug #495214) [etch] - ipsec-tools (Minor issue) CVE-2008-3650 (Multiple unspecified vulnerabilities in Horde Groupware Webmail before ...) - horde3 3.2.1+debian0-1 (low; bug #495332) - turba2 2.2.1-1 [etch] - turba2 (Vulnerable code not present) [etch] - horde3 (dup of CVE-2008-3330) NOTE: this is actually two issues: NOTE: - one a dup of CVE-2008-3330 in horde3 NOTE: - another an issue in turba2 CVE-2008-3649 (SQL injection vulnerability in categorydetail.php in Article Friendly ...) NOT-FOR-US: Article Friendly Standard CVE-2008-3648 (nslookup.exe in Microsoft Windows XP SP2 allows user-assisted remote a ...) NOT-FOR-US: Microsoft Windows CVE-2008-3647 (Buffer overflow in PSNormalizer in Mac OS X 10.4.11 and 10.5.5 allows ...) NOT-FOR-US: Mac OS CVE-2008-3646 (The Postfix configuration file in Mac OS X 10.5.5 causes Postfix to be ...) NOT-FOR-US: MacOS-only problem CVE-2008-3645 (Heap-based buffer overflow in the local IPC component in the EAPOLCont ...) NOT-FOR-US: Mac OS CVE-2008-3644 (Apple Safari before 3.2 does not properly prevent caching of form data ...) NOT-FOR-US: Apple Safari CVE-2008-3643 (Unspecified vulnerability in Finder in Mac OS X 10.5.5 allows user-ass ...) NOT-FOR-US: Mac OS CVE-2008-3642 (Buffer overflow in ColorSync in Mac OS X 10.4.11 and 10.5.5 allows rem ...) NOT-FOR-US: Mac OS CVE-2008-3641 (The Hewlett-Packard Graphics Language (HPGL) filter in CUPS before 1.3 ...) {DSA-1656-1} - cupsys - cups 1.3.8-1lenny2 (medium) CVE-2008-3640 (Integer overflow in the WriteProlog function in texttops in CUPS befor ...) {DSA-1656-1} - cupsys - cups 1.3.8-1lenny2 (medium) CVE-2008-3639 (Heap-based buffer overflow in the read_rle16 function in imagetops in ...) {DSA-1656-1} - cupsys - cups 1.3.8-1lenny2 (medium) CVE-2008-3638 (Java on Apple Mac OS X 10.5.4 and 10.5.5 does not prevent applets from ...) NOT-FOR-US: Mac OSX CVE-2008-3637 (The Hash-based Message Authentication Code (HMAC) provider in Java on ...) NOT-FOR-US: Mac OSX CVE-2008-3636 (Integer overflow in the IopfCompleteRequest API in the kernel in Micro ...) NOT-FOR-US: Apple iTunes CVE-2008-3635 (Stack-based buffer overflow in QuickTimeInternetExtras.qtx in an unspe ...) NOT-FOR-US: Apple Quick Times CVE-2008-3634 (Apple iTunes before 8.0 on Mac OS X 10.4.11, when iTunes Music Sharing ...) NOT-FOR-US: Apple iTunes CVE-2008-3633 RESERVED CVE-2008-3632 (Use-after-free vulnerability in WebKit in Apple iPod touch 1.1 through ...) - webkit 1.0.1-4 (bug #499771) - qt4-x11 4:4.6.2-4 (bug #561760) [lenny] - qt4-x11 (Minor impact, no apps in Lenny which use qtwebkit ) NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against, Lenny is affected NOTE: http://trac.webkit.org/changeset/34815 CVE-2008-3631 (Application Sandbox in Apple iPod touch 2.0 through 2.0.2, and iPhone ...) NOT-FOR-US: Apple iPod CVE-2008-3630 (mDNSResponder in Apple Bonjour for Windows before 1.0.5, when an appli ...) NOT-FOR-US: Apple Bonjour CVE-2008-3629 (Apple QuickTime before 7.5.5 allows remote attackers to cause a denial ...) NOT-FOR-US: Apple QuickTime CVE-2008-3628 (Apple QuickTime before 7.5.5 on Windows allows remote attackers to exe ...) NOT-FOR-US: Apple QuickTime CVE-2008-3627 (Apple QuickTime before 7.5.5 does not properly handle (1) MDAT atoms i ...) NOT-FOR-US: Apple QuickTime CVE-2008-3626 (The CallComponentFunctionWithStorage function in Apple QuickTime befor ...) NOT-FOR-US: Apple QuickTime CVE-2008-3625 (Stack-based buffer overflow in Apple QuickTime before 7.5.5 allows rem ...) NOT-FOR-US: Apple QuickTime CVE-2008-3624 (Heap-based buffer overflow in Apple QuickTime before 7.5.5 allows remo ...) NOT-FOR-US: Apple QuickTime CVE-2008-3623 (Heap-based buffer overflow in CoreGraphics in Apple Safari before 3.2 ...) NOT-FOR-US: Apple Safari on Windows CVE-2008-3622 (Cross-site scripting (XSS) vulnerability in Wiki Server in Apple Mac O ...) NOT-FOR-US: Mac OS X CVE-2008-3621 (VideoConference in Apple Mac OS X 10.4.11 and 10.5 through 10.5.4 allo ...) NOT-FOR-US: Apple Mac OS X CVE-2008-3620 RESERVED CVE-2008-3619 (Time Machine in Apple Mac OS X 10.5 through 10.5.4 uses weak permissio ...) NOT-FOR-US: Apple Mac OS X CVE-2008-3618 (The File Sharing pane in the Sharing preference pane in Apple Mac OS X ...) NOT-FOR-US: Apple Mac OS X CVE-2008-3617 (Remote Management and Screen Sharing in Apple Mac OS X 10.5 through 10 ...) NOT-FOR-US: Apple Mac OS X CVE-2008-3616 (Multiple integer overflows in the SearchKit API in Apple Mac OS X 10.4 ...) NOT-FOR-US: Apple Mac OS X CVE-2008-3615 (ir50_32.qtx in an unspecified third-party Indeo v5 codec for QuickTime ...) NOT-FOR-US: Apple QuickTime CVE-2008-3614 (Integer overflow in Apple QuickTime before 7.5.5 on Windows allows rem ...) NOT-FOR-US: Apple QuickTime CVE-2008-3613 (Finder in Apple Mac OS X 10.5.2 through 10.5.4 allows remote attackers ...) NOT-FOR-US: Apple Mac OS X CVE-2008-3612 (The Networking subsystem in Apple iPod touch 2.0 through 2.0.2, and iP ...) NOT-FOR-US: Apple iPod CVE-2008-3611 (Login Window in Apple Mac OS X 10.4.11 does not clear the current pass ...) NOT-FOR-US: Apple Mac OS X CVE-2008-3610 (Race condition in Login Window in Apple Mac OS X 10.5 through 10.5.4, ...) NOT-FOR-US: Apple Mac OS X CVE-2008-3609 (The kernel in Apple Mac OS X 10.5 through 10.5.4 does not properly flu ...) NOT-FOR-US: Apple Mac OS X CVE-2008-3608 (ImageIO in Apple Mac OS X 10.4.11 and 10.5 through 10.5.4 allows conte ...) NOT-FOR-US: Apple Mac OS X CVE-2008-3607 (The IMAP server in NoticeWare Email Server NG 4.6.3 and earlier allows ...) NOT-FOR-US: NoticeWare Email Server NG CVE-2008-3606 (Heap-based buffer overflow in the IMAP service in Qbik WinGate 6.2.2.1 ...) NOT-FOR-US: Qbik WinGate CVE-2008-3605 (Unspecified vulnerability in McAfee Encrypted USB Manager 3.1.0.0, whe ...) NOT-FOR-US: McAfee Encrypted USB Manager CVE-2008-3604 (SQL injection vulnerability in bannerclick.php in ZeeBuddy 2.1 allows ...) NOT-FOR-US: ZeeBuddy CVE-2008-3603 (SQL injection vulnerability in index.php in Vacation Rental Script 3.0 ...) NOT-FOR-US: Vacation Rental Script CVE-2008-3602 (admin/wr_admin.php in PHP-Ring Webring System (aka uPHP_ring_website) ...) NOT-FOR-US: PHP-Ring Webring System CVE-2008-3601 (SQL injection vulnerability in index.php in Quicksilver Forums 1.4.1 a ...) NOT-FOR-US: Quicksilver Forums CVE-2008-3600 (Directory traversal vulnerability in contrib/phpBB2/modules.php in Gal ...) - gallery (unimportant) - gallery2 (Vulnerable code not present) NOTE: We haven't supported installations with register_globals enabled since a long time CVE-2008-3599 (SQL injection vulnerability in image.php in OpenImpro 1.1 allows remot ...) NOT-FOR-US: OpenImpro CVE-2008-3598 (Multiple SQL injection vulnerabilities in psipuss 1.0 allow remote att ...) NOT-FOR-US: psipuss CVE-2008-3597 (Skulltag before 0.97d2-RC6 allows remote attackers to cause a denial o ...) NOT-FOR-US: Skulltag CVE-2008-3596 (Cross-site scripting (XSS) vulnerability in Harmoni before 1.4.7 allow ...) NOT-FOR-US: Harmoni CVE-2008-3595 (PHP remote file inclusion vulnerability in examples/txtSQLAdmin/startu ...) NOT-FOR-US: txtSQL CVE-2008-3594 (SQL injection vulnerability in viewdetails.php in MagicScripts E-Store ...) NOT-FOR-US: MagicScripts E-Store CVE-2008-3593 (Directory traversal vulnerability in index.php in SyzygyCMS 0.3 allows ...) NOT-FOR-US: SyzygyCMS CVE-2008-3592 (Unrestricted file upload vulnerability in the File Manager in the admi ...) NOT-FOR-US: Twentyone Degrees Symphony 1.7.01 CVE-2008-3591 (SQL injection vulnerability in lib/class.admin.php in Twentyone Degree ...) NOT-FOR-US: Twentyone Degrees Symphony 1.7.01 CVE-2008-3590 (Multiple SQL injection vulnerabilities in admin/login.asp in E. Z. Pol ...) NOT-FOR-US: E. Z. Poll 2 CVE-2008-3589 (Directory traversal vulnerability in download.php in moziloCMS 1.10.1, ...) NOT-FOR-US: mozilo CMS 1.10.1 CVE-2008-3588 (Multiple SQL injection vulnerabilities in phsBlog 0.1.1 allow remote a ...) NOT-FOR-US: phsBlog 0.1.1 CVE-2008-3587 (Cross-site scripting (XSS) vulnerability in result.php in Chris Buntin ...) NOT-FOR-US: Homes 4 Sale CVE-2008-3586 (SQL injection vulnerability in the EZ Store (com_ezstore) component fo ...) NOT-FOR-US: EZ Store (com_ezstore) component for Joomla! CVE-2008-3585 (Multiple SQL injection vulnerabilities in PozScripts GreenCart PHP Sho ...) NOT-FOR-US: PozScripts GreenCart PHP Shopping Cart CVE-2008-3584 (NetBSD 3.0, 3.1, and 4.0, when a pppoe instance exists, does not prope ...) NOT-FOR-US: NetBSD CVE-2008-3583 (Buffer overflow in the HTML parser in IntelliTamper 2.07 allows remote ...) NOT-FOR-US: IntelliTamper 2.07 CVE-2008-3582 (SQL injection vulnerability in login.php in Keld PHP-MySQL News Script ...) NOT-FOR-US: Keld PHP-MySQL News Script 0.7.1 CVE-2008-3581 (Cross-site scripting (XSS) vulnerability in index.php in Qsoft K-Links ...) NOT-FOR-US: Qsoft K-Links CVE-2008-3580 (Multiple SQL injection vulnerabilities in Qsoft K-Links allow remote a ...) NOT-FOR-US: Qsoft K-Links CVE-2008-3579 (Calacode @Mail 5.41 on Linux does not require administrative authentic ...) NOT-FOR-US: Calacode Atmail CVE-2008-3578 (HydraIRC 0.3.164 and earlier allows remote attackers to cause a denial ...) NOT-FOR-US: HydraIRC CVE-2008-3577 (Buffer overflow in src/openttd.cpp in OpenTTD before 0.6.2 allows loca ...) - openttd 0.6.2-1 (unimportant) NOTE: no vulnerability at all, not exploitable remote or local, openttd CVE-2008-3576 (Buffer overflow in the TruncateString function in src/gfx.cpp in OpenT ...) - openttd 0.6.2-1 CVE-2008-3575 (PHP remote file inclusion vulnerability in modules/calendar/minicalend ...) NOT-FOR-US: ezContents CMS CVE-2008-3574 (Multiple cross-site scripting (XSS) vulnerabilities in Pluck 4.5.2, wh ...) NOT-FOR-US: Pluck CMS CVE-2008-3573 (The CAPTCHA implementation in (1) Pligg 9.9.5 and possibly (2) Francis ...) NOT-FOR-US: Pligg CVE-2008-3572 (Cross-site scripting (XSS) vulnerability in index.php in Pligg 9.9.5 a ...) NOT-FOR-US: Pligg CVE-2008-3571 (The Xerox Phaser 8400 allows remote attackers to cause a denial of ser ...) NOT-FOR-US: Xerox Phaser 8400 CVE-2008-3570 (PHP remote file inclusion vulnerability in index.php in Africa Be Gone ...) NOT-FOR-US: Africa Be Gone CVE-2008-3569 (Multiple cross-site scripting (XSS) vulnerabilities in XAMPP 1.6.7, wh ...) NOT-FOR-US: XAMPP CVE-2008-3568 (Absolute path traversal vulnerability in fckeditor/editor/filemanager/ ...) - fckeditor (Vulnerable code not present) NOTE: unak specific change, see fckeditor/unak_changes.txt in source CVE-2008-3567 (Cross-zone scripting vulnerability in the NowPlaying functionality in ...) NOT-FOR-US: NullSoft Winamp CVE-2008-3566 (Cross-site scripting (XSS) vulnerability in ZoneO-soft freeForum 1.7 a ...) NOT-FOR-US: ZoneO-soft freeForum CVE-2008-3565 (Multiple cross-site scripting (XSS) vulnerabilities in Meeting Room Bo ...) NOT-FOR-US: Meeting Room Booking System (MRBS) CVE-2008-3564 (Multiple directory traversal vulnerabilities in index.php in Dayfox Bl ...) NOT-FOR-US: Dayfox Blog CVE-2008-3563 (Multiple SQL injection vulnerabilities in Plogger 3.0 and earlier allo ...) NOT-FOR-US: Plogger CVE-2008-3562 (Directory traversal vulnerability in index.php in the Contact module i ...) NOT-FOR-US: Chupix CMS CVE-2008-3561 (SQL injection vulnerability in s03.php in Powergap Shopsystem, when ma ...) NOT-FOR-US: Powergap Shopsystem CVE-2008-3560 (Cross-site scripting (XSS) vulnerability in kshop_search.php in the Ks ...) NOT-FOR-US: Kshop module for Xoops CVE-2008-3559 (Multiple cross-site scripting (XSS) vulnerabilities in KAPhotoservice ...) NOT-FOR-US: KAPhotoservice CVE-2008-3558 (Stack-based buffer overflow in the WebexUCFObject ActiveX control in a ...) NOT-FOR-US: Webex Meeting Manager (Windows) CVE-2008-3557 (Free Hosting Manager 1.2 and 2.0 allows remote attackers to bypass aut ...) NOT-FOR-US: Free Hosting Manager CVE-2008-3556 (Multiple SQL injection vulnerabilities in index.php in Battle.net Clan ...) NOT-FOR-US: Battle.net Clan Script CVE-2008-3555 (Directory traversal vulnerability in index.php in (1) WSN Forum 4.1.43 ...) NOT-FOR-US: Wsn Knowledge Base CVE-2008-3554 (SQL injection vulnerability in index.php in Discuz! 6.0.1 allows remot ...) NOT-FOR-US: Discuz! CVE-2008-3553 (Multiple unspecified vulnerabilities in Nokia Series 40 3rd edition de ...) NOT-FOR-US: Nokia Series 40 3rd edition devices CVE-2008-3552 (Multiple unspecified vulnerabilities in Nokia Series 40 3rd edition FP ...) NOT-FOR-US: Nokia Series 40 3rd edition devices CVE-2008-3551 (Multiple unspecified vulnerabilities in Sun Java Platform Micro Editio ...) NOT-FOR-US: Sun Java Platform Micro Edition CVE-2008-3550 (The CQWeb login page in IBM Rational ClearQuest 7.0.1 allows remote at ...) NOT-FOR-US: IBM Rational ClearQuest CVE-2008-3549 (Unspecified vulnerability in the pthread_mutex_reltimedlock_np API in ...) NOT-FOR-US: Sun Solaris 10 and OpenSolaris CVE-2008-3548 (Unspecified vulnerability in the Sun Netra T5220 Server with firmware ...) NOT-FOR-US: Sun Netra T5220 Server CVE-2008-3545 (Unspecified vulnerability in ovtopmd in HP OpenView Network Node Manag ...) NOT-FOR-US: HP OpenView CVE-2008-3544 (Multiple stack-based buffer overflows in ovalarmsrv in HP OpenView Net ...) NOT-FOR-US: HP OpenView CVE-2008-3543 (Unspecified vulnerability in NFS / ONCplus B.11.31_04 and earlier on H ...) NOT-FOR-US: HP-UX CVE-2008-3542 (Unspecified vulnerability in HP Insight Diagnostics before 7.9.1.2402 ...) NOT-FOR-US: HP Insight Diagnostics CVE-2008-3541 REJECTED CVE-2008-3540 RESERVED CVE-2008-3539 (Unspecified vulnerability in HP OpenView Select Identity (HPSI) Connec ...) NOT-FOR-US: HP OpenView Select Identity (HPSI) CVE-2008-3538 (Unspecified vulnerability in HP Enterprise Discovery 2.0 through 2.52 ...) NOT-FOR-US: HP Enterprise Discovery CVE-2008-3537 (Unspecified vulnerability in ovalarmsrv in HP OpenView Network Node Ma ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2008-3536 (Unspecified vulnerability in ovalarmsrv in HP OpenView Network Node Ma ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2008-3535 (Off-by-one error in the iov_iter_advance function in mm/filemap.c in t ...) {DSA-1636-1} - linux-2.6 2.6.26-2 [etch] - linux-2.6 (Vulnerable code not present) - linux-2.6.24 2.6.24-6~etchnhalf.5 NOTE: 94ad374a0751f40d25e22e036c37f7263569d24c NOTE: Fixed in 2.6.25.14 and 2.6.26.1 CVE-2008-3534 (The shmem_delete_inode function in mm/shmem.c in the tmpfs implementat ...) {DSA-1636-1} - linux-2.6.24 2.6.24-6~etchnhalf.5 - linux-2.6 2.6.26-2 [etch] - linux-2.6 (Vulnerable code not present) NOTE: 14fcc23fdc78e9d32372553ccf21758a9bd56fa1 NOTE: Fixed in 2.6.25.14 and 2.6.26.1 CVE-2008-3533 (Format string vulnerability in the window_error function in yelp-windo ...) {DTSA-154-1} - yelp 2.22.1-4 (low) [etch] - yelp (Vulnerable code not present) CVE-2008-3531 (Stack-based buffer overflow in sys/kern/vfs_mount.c in the kernel in F ...) - kfreebsd-7 7.0-5 CVE-2008-3530 (sys/netinet6/icmp6.c in the kernel in FreeBSD 6.3 through 7.1, NetBSD ...) - kfreebsd-6 6.3-7 - kfreebsd-7 7.0-5 CVE-2008-3529 (Heap-based buffer overflow in the xmlParseAttValueComplex function in ...) {DSA-1654-1} - libxml2 2.6.32.dfsg-4 (bug #498768) CVE-2008-3528 (The error-reporting functionality in (1) fs/ext2/dir.c, (2) fs/ext3/di ...) {DSA-1687-1 DSA-1681-1} - linux-2.6 2.6.26-11 - linux-2.6.24 2.6.24-6~etchnhalf.7 NOTE: cdbf6dba28e8e6268c8420857696309470009fd9 (ext3) NOTE: bd39597cbd42a784105a04010100e27267481c67 (ext2) NOTE: 9d9f177572d9e4eba0f2e18523b44f90dd51fe74 (ext4) NOTE: Comment from tytso: NOTE: Note: some people thinks this represents a security bug, since it NOTE: might make the system go away while it is printing a large number of NOTE: console messages, especially if a serial console is involved. Hence, NOTE: it has been assigned CVE-2008-3528, but it requires that the attacker NOTE: either has physical access to your machine to insert a USB disk with a NOTE: corrupted filesystem image (at which point why not just hit the power NOTE: button), or is otherwise able to convince the system administrator to NOTE: mount an arbitrary filesystem image (at which point why not just NOTE: include a setuid shell or world-writable hard disk device file or some NOTE: such). Me, I think they're just being silly. CVE-2008-3527 (arch/i386/kernel/sysenter.c in the Virtual Dynamic Shared Objects (vDS ...) {DSA-1687-1} - linux-2.6 2.6.21-1 CVE-2008-3526 (Integer overflow in the sctp_setsockopt_auth_key function in net/sctp/ ...) {DSA-1636-1} - linux-2.6 2.6.26-4 - linux-2.6.24 2.6.24-6~etchnhalf.5 [etch] - linux-2.6 CVE-2008-3525 (The sbni_ioctl function in drivers/net/wan/sbni.c in the wan subsystem ...) {DSA-1655-1 DSA-1653-1} - linux-2.6 2.6.26-7 - linux-2.6.24 2.6.24-6~etchnhalf.6 CVE-2008-3524 (rc.sysinit in initscripts before 8.76.3-1 on Fedora 9 and other Linux ...) NOT-FOR-US: rc.sysinit on Fedora CVE-2008-3523 RESERVED CVE-2008-3522 (Buffer overflow in the jas_stream_printf function in libjasper/base/ja ...) {DSA-2080-1} - jasper 1.900.1-5.1 (medium; bug #501021) - ghostscript 8.64~dfsg-2 (medium; bug #559778) - gs-gpl (medium; bug #561717) - netpbm-free (dynamically links to ghostscript if available) CVE-2008-3521 (Race condition in the jas_stream_tmpfile function in libjasper/base/ja ...) - jasper 1.900.1-5.1 (unimportant; bug #501021) NOTE: file is opened with O_EXCL even if tmpnam is used in this case CVE-2008-3520 (Multiple integer overflows in JasPer 1.900.1 might allow context-depen ...) - jasper 1.900.1-5.1 (medium; bug #501021) - ghostscript 8.64~dfsg-2 (low; bug #559778) [lenny] - ghostscript (Too intrusive to backport) - gs-gpl (low; bug #561717) - netpbm-free (dynamically links to ghostscript if available) CVE-2008-3519 (The default configuration of the JBossAs component in Red Hat JBoss En ...) - jbossas4 (configuration not yet included in Debian package) CVE-2008-3518 REJECTED CVE-2008-3517 REJECTED CVE-2008-3516 (Multiple cross-site scripting (XSS) vulnerabilities in files generated ...) NOT-FOR-US: Adobe Presenter CVE-2008-3515 (Multiple cross-site scripting (XSS) vulnerabilities in files generated ...) NOT-FOR-US: Adobe Presenter CVE-2008-3514 (VMware VirtualCenter 2.5 before Update 2 and 2.0.2 before Update 5 rel ...) NOT-FOR-US: VMware VirtualCenter CVE-2008-3513 (SQL injection vulnerability in the Book Catalog module 1.0 for PHP-Nuk ...) NOT-FOR-US: PHP-Nuke CVE-2008-3512 (SQL injection vulnerability in the Kleinanzeigen module for PHP-Nuke a ...) NOT-FOR-US: PHP-Nuke CVE-2008-3511 (Multiple cross-site scripting (XSS) vulnerabilities in Softbiz Image G ...) NOT-FOR-US: Softbiz Image Gallery CVE-2008-3510 (Cross-site scripting (XSS) vulnerability in livehelp_js.php in Crafty ...) NOT-FOR-US: Crafty Syntax Live Help (CSLH) CVE-2008-3509 (LoveCMS 1.6.2 does not require administrative authentication for (1) a ...) NOT-FOR-US: LoveCMS CVE-2008-3508 (LiteNews 0.1 (aka 01), and possibly 1.2 and earlier, allows remote att ...) NOT-FOR-US: LiteNews CVE-2008-3507 (SQL injection vulnerability in index.php in LiteNews 0.1 (aka 01), and ...) NOT-FOR-US: LiteNews CVE-2008-3506 (SQL injection vulnerability in PolyPager 1.0 rc2 and earlier allows re ...) NOT-FOR-US: PolyPager CVE-2008-3505 (Cross-site scripting (XSS) vulnerability in PolyPager 1.0 rc2 and earl ...) NOT-FOR-US: PolyPager CVE-2008-3504 (Unspecified vulnerability in mask PHP File Manager (mPFM) before 2.3 h ...) NOT-FOR-US: mask PHP File Manager (mPFM) CVE-2008-3503 (RSSFromParent in Plain Black WebGUI before 7.5.13 does not restrict vi ...) NOT-FOR-US: Plain Black WebGUI CVE-2008-3502 (Unspecified vulnerability in Best Practical Solutions RT 3.0.0 through ...) NOT-FOR-US: Best Practical Solutions RT CVE-2008-3501 (Cross-site scripting (XSS) vulnerability in the WebAccess simple inter ...) NOT-FOR-US: Novell Groupwise CVE-2008-3500 (Cross-site scripting (XSS) vulnerability in the Suggested Terms module ...) NOT-FOR-US: suggested terms, additional drupal module CVE-2008-3499 (Unspecified vulnerability in "a page in the workarea folder" in Ektron ...) NOT-FOR-US: Ektron CMS400.NET CVE-2008-3498 (SQL injection vulnerability in the nBill (com_netinvoice) component 1. ...) NOT-FOR-US: nBill, joomla component CVE-2008-3497 (SQL injection vulnerability in pages.php in MyPHP CMS 0.3.1 allows rem ...) NOT-FOR-US: MyPHP CMS CVE-2008-3496 (Buffer overflow in format descriptor parsing in the uvc_parse_format f ...) - linux-2.6 2.6.26-2 [etch] - linux-2.6 (code not present) - linux-2.6.24 (code not present) CVE-2008-3495 (SQL injection vulnerability in kategori.asp in Pcshey Portal allows re ...) NOT-FOR-US: Pcshey Portal CVE-2008-3494 (8e6 R3000 Internet Filter 2.0.12.10 allows remote attackers to bypass ...) NOT-FOR-US: 8e6 R3000 Internet Filter CVE-2008-3493 (vncviewer.exe in RealVNC Windows Client 4.1.2.0 allows remote VNC serv ...) NOT-FOR-US: RealVNC Windows Client CVE-2008-3492 (America's Army (aka AA or Army Game Project) 2.8.3.1 and earlier allow ...) NOT-FOR-US: America's Army (aka AA or Army Game Project) CVE-2008-3491 (SQL injection vulnerability in go.php in Scripts24 iPost 1.0.1 and iTG ...) NOT-FOR-US: Scripts24 iPost CVE-2008-3490 (SQL injection vulnerability in members/mail.php in E-topbiz Online Dat ...) NOT-FOR-US: E-topbiz Online Dating 3 CVE-2008-3489 (SQL injection vulnerability in checkCookie function in includes/functi ...) NOT-FOR-US: PHPX CVE-2008-3488 (Unspecified vulnerability in Novell iManager before 2.7 SP1 (2.7.1) al ...) NOT-FOR-US: Novell iManager CVE-2008-3487 (SQL injection vulnerability in profile.php in PHPAuction GPL Enhanced ...) NOT-FOR-US: PHPAuction GPL Enhanced CVE-2008-3486 (Directory traversal vulnerability in the user_get_profile function in ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2008-3485 (Untrusted search path vulnerability in Citrix MetaFrame Presentation S ...) NOT-FOR-US: Citrix MetaFrame Presentation Server CVE-2008-3532 (The NSS plugin in libpurple in Pidgin 2.4.3 does not verify SSL certif ...) - pidgin 2.4.3-2 (bug #492434) - gaim [lenny] - gaim (gaim is now a transitional package depending on pidgin with its own source package) NOTE: http://developer.pidgin.im/ticket/6500 CVE-2008-3546 (Stack-based buffer overflow in the (1) diff_addremove and (2) diff_cha ...) {DSA-1637-1 DTSA-153-1 DTSA-153-2} - git-core 1:1.5.6.5 (medium; bug #494097) CVE-2008-3484 (SQL injection vulnerability in eStoreAff 0.1 allows remote attackers t ...) NOT-FOR-US: eStoreAff CVE-2008-3483 (Cross-site scripting (XSS) vulnerability in ScrewTurn Wiki 2.0.29 and ...) NOT-FOR-US: ScrewTurn Wiki CVE-2008-3482 (Cross-site scripting (XSS) vulnerability in the error page feature in ...) NOT-FOR-US: Panasonic Network Camera CVE-2008-3481 (themes/sample/theme.php in Coppermine Photo Gallery (CPG) 1.4.18 and e ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2008-3480 (Stack-based buffer overflow in the Anzio Web Print Object (WePO) Activ ...) NOT-FOR-US: Anzio Web Print Object CVE-2008-3479 (Heap-based buffer overflow in the Microsoft Message Queuing (MSMQ) ser ...) NOT-FOR-US: Microsoft Windows CVE-2008-3478 REJECTED CVE-2008-3477 (Microsoft Excel 2000 SP3, 2002 SP3, and 2003 SP2 and SP3 does not prop ...) NOT-FOR-US: Microsoft Excel CVE-2008-3476 (Microsoft Internet Explorer 5.01 SP4 and 6 does not properly handle er ...) NOT-FOR-US: Microsoft CVE-2008-3475 (Microsoft Internet Explorer 6 does not properly handle errors related ...) NOT-FOR-US: Microsoft CVE-2008-3474 (Microsoft Internet Explorer 6 and 7 does not properly determine the do ...) NOT-FOR-US: Microsoft CVE-2008-3473 (Microsoft Internet Explorer 6 and 7 does not properly determine the do ...) NOT-FOR-US: Microsoft CVE-2008-3472 (Microsoft Internet Explorer 6 and 7 does not properly determine the do ...) NOT-FOR-US: Microsoft CVE-2008-3471 (Stack-based buffer overflow in Microsoft Excel 2000 SP3, 2002 SP3, 200 ...) NOT-FOR-US: Microsoft CVE-2008-3470 REJECTED CVE-2008-3469 REJECTED CVE-2008-3468 REJECTED CVE-2008-3467 REJECTED CVE-2008-3466 (Microsoft Host Integration Server (HIS) 2000, 2004, and 2006 does not ...) NOT-FOR-US: Microsoft CVE-2008-3465 (Heap-based buffer overflow in an API in GDI in Microsoft Windows 2000 ...) NOT-FOR-US: Microsoft Windows CVE-2008-3464 (afd.sys in the Ancillary Function Driver (AFD) component in Microsoft ...) NOT-FOR-US: Microsoft CVE-2008-3463 REJECTED CVE-2008-3462 REJECTED CVE-2008-3461 REJECTED CVE-2008-3460 (WPGIMP32.FLT in Microsoft Office 2000 SP3, XP SP3, and 2003 SP2; Offic ...) NOT-FOR-US: Microsoft Office 2000 CVE-2008-3459 (Unspecified vulnerability in OpenVPN 2.1-beta14 through 2.1-rc8, when ...) - openvpn 2.1~rc9-1 (low; bug #493488) NOTE: pull/push needs to be allowed, successful authentication, compromised or malicious server [etch] - openvpn (Upstream states that the 2.0.x versions are unaffected) CVE-2008-3458 (Vtiger CRM before 5.0.4 stores sensitive information under the web roo ...) NOT-FOR-US: Vtiger CRM CVE-2008-3457 (Cross-site scripting (XSS) vulnerability in setup.php in phpMyAdmin be ...) {DSA-1641-1} - phpmyadmin 4:2.11.8~rc1-1 NOTE: if an attacker can write arbitrary content to config/config.php you have way more problems than this XSS NOTE: https://www.phpmyadmin.net/security/PMASA-2008-6/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/6a5e53c31bcbcadcb5d16cffaa3b9af181b26296 (2.11 branch) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/0bfb27fb0538f43e9c49b6a183b767c2bed1524d CVE-2008-3455 (PHP remote file inclusion vulnerability in include/admin.php in JnSHos ...) NOT-FOR-US: JnSHosts PHP Hosting Directory CVE-2008-3454 (JnSHosts PHP Hosting Directory 2.0 allows remote attackers to bypass a ...) NOT-FOR-US: JnSHosts PHP Hosting Directory CVE-2008-3453 (Multiple unspecified vulnerabilities in ImpressCMS 1.0 have unknown im ...) NOT-FOR-US: ImpressCMS CVE-2008-3452 (SQL injection vulnerability in the Calendar module in eNdonesia 8.4 al ...) NOT-FOR-US: eNdonesia CVE-2008-3451 (PhpWebGallery 1.7.0 and 1.7.1 allows remote authenticated users with a ...) NOT-FOR-US: PhpWebGallery CVE-2008-3450 (Unspecified vulnerability in the namefs kernel module in Sun Solaris 8 ...) NOT-FOR-US: Solaris CVE-2008-3449 (MailEnable Professional 3.5.2 and Enterprise 3.52 allow remote attacke ...) NOT-FOR-US: MailEnable CVE-2008-3448 (Cross-site scripting (XSS) vulnerability in index.php in common soluti ...) NOT-FOR-US: csphonebook CVE-2008-3447 (The scanning engine in F-Prot Antivirus 6.2.1 4252 allows remote attac ...) NOT-FOR-US: F-Prot Antivirus CVE-2008-3446 (Directory traversal vulnerability in inc/wysiwyg.php in LetterIt 2 all ...) NOT-FOR-US: LetterIt CVE-2008-3445 (SQL injection vulnerability in index.php in phpMyRealty (PMR) 2.0.0 al ...) NOT-FOR-US: phpMyRealty CVE-2008-3444 (The content layout component in Mozilla Firefox 3.0 and 3.0.1 allows r ...) - iceweasel (unimportant) NOTE: browser dos not treated as security issues CVE-2008-3443 (The regular expression engine (regex.c) in Ruby 1.8.5 and earlier, 1.8 ...) {DSA-1695-1} - ruby1.8 1.8.7.72-1 (low; bug #494401) - ruby1.9 1.9.0.2-9 (low) NOTE: Upstream commits 18212 (for 1.8) and 18213 (for 1.9). NOTE: this specific problem does not exist in ruby1.9 but a very similar problem NOTE: that has been fixed in this version (308_regexp_segv.dpatch) CVE-2008-3442 (WinZip before 11.0 does not properly verify the authenticity of update ...) NOT-FOR-US: WinZip CVE-2008-3441 (Nullsoft Winamp before 5.24 does not properly verify the authenticity ...) NOT-FOR-US: Nullsoft Winamp CVE-2008-3440 (Sun Java 1.6.0_03 and earlier versions, and possibly later versions, d ...) - sun-java5 (only java updater for windows affected) - sun-java6 (only java updater for windows affected) CVE-2008-3439 (SpeedBit Video Acceleration before 2.2.1.8 does not properly verify th ...) NOT-FOR-US: SpeedBit Video Acceleration CVE-2008-3438 (Apple Mac OS X does not properly verify the authenticity of updates, w ...) NOT-FOR-US: Apple Mac OS X CVE-2008-3437 (OpenOffice.org (OOo) before 2.1.0 does not properly verify the authent ...) - openoffice.org (update feature disabled) CVE-2008-3436 (The GUP generic update process in Notepad++ before 4.8.1 does not prop ...) NOT-FOR-US: Notepad++ CVE-2008-3435 (LinkedIn Browser Toolbar 3.0.3.1100 and earlier does not properly veri ...) NOT-FOR-US: LinkedIn CVE-2008-3434 (Apple iTunes before 10.5.1 does not properly verify the authenticity o ...) NOT-FOR-US: Apple iTunes CVE-2008-3433 (SpeedBit Download Accelerator Plus (DAP) before 8.6.3.9 does not prope ...) NOT-FOR-US: SpeedBit Download Accelerator Plus CVE-2008-3432 (Heap-based buffer overflow in the mch_expand_wildcards function in os_ ...) - vim (Vulnerable code only present in 6.2 and 6.3, none of them in the archive anymore) CVE-2008-3430 (Buffer overflow in the CoVideoWindow.ocx ActiveX control 5.0.907.1 in ...) NOT-FOR-US: Eyeball MessengerSDK CVE-2008-3428 (Session fixation vulnerability in phpFreeChat 1.1 allows remote authen ...) NOT-FOR-US: phpFreeChat CVE-2008-3427 REJECTED CVE-2008-3426 (Unspecified vulnerability in the Solaris Platform Information and Cont ...) NOT-FOR-US: Solaris CVE-2008-3425 (Unspecified vulnerability in the Sun Java System Web Server 7.0 plugin ...) NOT-FOR-US: Sun Java System Web Server CVE-2008-3424 (Condor before 7.0.4 does not properly handle wildcards in the ALLOW_WR ...) - condor (Fixed before initial upload to archive) CVE-2008-3423 (IBM WebSphere Portal 5.1 through 6.1.0.0 allows remote attackers to by ...) NOT-FOR-US: IBM WebSphere Portal CVE-2008-3422 (Multiple cross-site scripting (XSS) vulnerabilities in the ASP.net cla ...) - mono 1.9.1+dfsg-4 (low; bug #494406) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=413534 NOTE: http://n2.nabble.com/-PATCH--HTML-encode-attributes-that-might-need-encoding-td584193.html CVE-2004-2760 (sshd in OpenSSH 3.5p1, when PermitRootLogin is disabled, immediately c ...) - openssh 1:3.6p1-1 (unimportant) CVE-2003-1562 (sshd in OpenSSH 3.6.1p2 and earlier, when PermitRootLogin is disabled ...) - openssh 1:3.8.1p1-8.sarge.4 (low) CVE-2008-3431 (The VBoxDrvNtDeviceControl function in VBoxDrv.sys in Sun xVM VirtualB ...) - virtualbox-ose (affects only windows host systems) NOTE: CORE-2008-0716 CVE-2008-3456 (phpMyAdmin before 2.11.8 does not sufficiently prevent its pages from ...) {DSA-1641-1} - phpmyadmin 4:2.11.8~rc1-1 (low) NOTE: exploitation circumstances are rare or require other vulnerabilities to be present already. may fix combined with another issue but doesn't warrant DSA on its own CVE-2008-3547 (Buffer overflow in the server in OpenTTD 0.6.1 and earlier allows remo ...) - openttd 0.6.2-1 (medium; bug #493714) CVE-2008-3421 (Multiple cross-site request forgery (CSRF) vulnerabilities in Blackboa ...) NOT-FOR-US: Blackboard Academic Suite CVE-2008-3420 (Multiple SQL injection vulnerabilities in Mobius for Mimsy XG 1 1.4.4. ...) NOT-FOR-US: Mobius Web Publishing Software CVE-2008-3419 (SQL injection vulnerability in ugroups.php in Youtuber Clone allows re ...) NOT-FOR-US: Youtuber Clone CVE-2008-3418 (SQL injection vulnerability in browse.php in TriO 2.1 and earlier allo ...) NOT-FOR-US: TriO CVE-2008-3417 (SQL injection vulnerability in home/index.asp in fipsCMS light 2.1 and ...) NOT-FOR-US: fipsCMS CVE-2008-3416 (SQL injection vulnerability in modules/members.php in IceBB before 1.0 ...) NOT-FOR-US: IceBB CVE-2008-3415 (Directory traversal vulnerability in common.php in CMScout 2.05, when ...) NOT-FOR-US: CMScout CVE-2008-3414 (SQL injection vulnerability in line2.php in SiteAdmin allows remote at ...) NOT-FOR-US: SiteAdmin CVE-2008-3413 (SQL injection vulnerability in category.php in Greatclone GC Auction P ...) NOT-FOR-US: Greatclone GC Auction Platinum CVE-2008-3412 (SQL injection vulnerability in Comsenz EPShop (aka ECShop) before 3.0 ...) NOT-FOR-US: Comsenz EPShop CVE-2008-3411 (The Axesstel AXW-D800 modem with D2_ETH_109_01_VEBR Jun-14-2006 softwa ...) NOT-FOR-US: The Axesstel AXW-D800 modem CVE-2008-3410 (Unreal Tournament 3 1.3beta4 and earlier allows remote attackers to ca ...) NOT-FOR-US: Unreal Tournament CVE-2008-3409 (Buffer overflow in Unreal Tournament 3 1.3beta4 and earlier allows rem ...) NOT-FOR-US: Unreal Tournament CVE-2008-3408 (Stack-based buffer overflow in CoolPlayer 2.18, and possibly other ver ...) NOT-FOR-US: CoolPlayer CVE-2008-3407 (phpLinkat 0.1 allows remote attackers to bypass authentication and acc ...) NOT-FOR-US: phpLinkat CVE-2008-3406 (SQL injection vulnerability in showcat.php in phpLinkat 0.1 allows rem ...) NOT-FOR-US: phpLinkat CVE-2008-3405 (Directory traversal vulnerability in index.php in Ricardo Amaral nzFot ...) NOT-FOR-US: Ricardo Amaral nzFotolog CVE-2008-3404 (Cross-site scripting (XSS) vulnerability in guestbook.js.php in MJGues ...) NOT-FOR-US: MJGuest CVE-2008-3403 (SQL injection vulnerability in mojoClassified.cgi in MojoPersonals all ...) NOT-FOR-US: MojoPersonals CVE-2008-3402 (Multiple PHP remote file inclusion vulnerabilities in HIOX Browser Sta ...) NOT-FOR-US: HIOX Browser Statistics CVE-2008-3401 (PHP remote file inclusion vulnerability in hioxRandomAd.php in HIOX Ra ...) NOT-FOR-US: HIOX Random Ad CVE-2008-3400 (XRMS CRM 1.99.2 allows remote attackers to obtain configuration inform ...) NOT-FOR-US: XRMS CRM CVE-2008-3399 (PHP remote file inclusion vulnerability in activities/workflow-activit ...) NOT-FOR-US: XRMS CRM CVE-2008-3398 (Multiple cross-site scripting (XSS) vulnerabilities in XRMS CRM 1.99.2 ...) NOT-FOR-US: XRMS CRM CVE-2008-3397 (Cross-site scripting (XSS) vulnerability in Runesoft Cerberus CMS befo ...) NOT-FOR-US: Runesoft Cerberus CMS CVE-2008-3396 (Unreal Tournament 2004 (UT2004) 3369 and earlier allows remote attacke ...) NOT-FOR-US: Unreal Tournament CVE-2008-3395 (Calacode @Mail 5.41 on Linux uses weak world-readable permissions for ...) NOT-FOR-US: Calacode CVE-2008-3394 (Multiple cross-site scripting (XSS) vulnerabilities in search.cfm in B ...) NOT-FOR-US: BookMine CVE-2008-3393 (SQL injection vulnerability in events.cfm in BookMine allows remote at ...) NOT-FOR-US: BookMine CVE-2008-3392 (Cross-site request forgery (CSRF) vulnerability in Web Wiz Forum 9.5 a ...) NOT-FOR-US: Web Wiz Forum CVE-2008-3391 (Multiple cross-site scripting (XSS) vulnerabilities in Web Wiz Forum 9 ...) NOT-FOR-US: Web Wiz Forum CVE-2008-3390 (Directory traversal vulnerability in libraries/general.init.php in Min ...) NOT-FOR-US: Minishowcase Image Gallery CVE-2008-3389 (Stack-based buffer overflow in the libbecompat library in Ingres 2.6, ...) NOT-FOR-US: Ingres CVE-2008-3388 (Multiple SQL injection vulnerabilities in Def-Blog 1.0.3 allow remote ...) NOT-FOR-US: Def-Blog CVE-2008-3387 (SQL injection vulnerability in show.php in PHPFootball 1.6 allows remo ...) NOT-FOR-US: PHPFootball CVE-2008-3386 (SQL injection vulnerability in album.php in AlstraSoft Video Share Ent ...) NOT-FOR-US: AlstraSoft Video Share Enterprise CVE-2008-3385 (Directory traversal vulnerability in include/head_chat.inc.php in php ...) NOT-FOR-US: Help Agent CVE-2008-3384 (Multiple directory traversal vulnerabilities in help/help.php in Inter ...) NOT-FOR-US: Interact Learning Community Environment Interact CVE-2008-3383 (SQL injection vulnerability in mojoAuto.cgi in MojoAuto allows remote ...) NOT-FOR-US: MojoAuto CVE-2008-3382 (SQL injection vulnerability in mojoClassified.cgi in MojoClassifieds 2 ...) NOT-FOR-US: MojoClassifieds CVE-2008-3381 (Multiple cross-site scripting (XSS) vulnerabilities in macro/AdvancedS ...) - moin 1.7.1-1 (low) [etch] - moin (Vulnerable macro not present) CVE-2008-3380 (Cross-site scripting (XSS) vulnerability in ajaxp_backend.php in MyioS ...) NOT-FOR-US: MyioSoft EasyBookMarker CVE-2008-3379 (Cross-site scripting (XSS) vulnerability in Snark VisualPic 0.3.1 allo ...) NOT-FOR-US: Snark VisualPic CVE-2008-3378 (SQL injection vulnerability in comment.php in Fizzmedia 1.51.2 allows ...) NOT-FOR-US: Fizzmedia CVE-2008-3377 (SQL injection vulnerability in picture.php in phpTest 0.6.3 allows rem ...) NOT-FOR-US: phpTest CVE-2008-3376 (Multiple unspecified vulnerabilities in JamRoom before 3.4.0 have unkn ...) NOT-FOR-US: JamRoom CVE-2008-3375 (The jrCookie function in includes/jamroom-misc.inc.php in JamRoom befo ...) NOT-FOR-US: JamRoom CVE-2008-3374 (SQL injection vulnerability in ajax.php in Gregarius 0.5.4 and earlier ...) NOT-FOR-US: Gregarius CVE-2008-3373 (The files parsing engine in Grisoft AVG Anti-Virus before 8.0.156 allo ...) NOT-FOR-US: Grisoft AVG Anti-Virus CVE-2008-3372 (SQL injection vulnerability in search_form.php in Getacoder Clone allo ...) NOT-FOR-US: Getacoder Clone CVE-2008-3371 (Directory traversal vulnerability in install/help.php in TalkBack 2.3. ...) NOT-FOR-US: TalkBack CVE-2008-3370 (SQL injection vulnerability in the CUA Login Module in EMC Centera Uni ...) NOT-FOR-US: CUA Login Module in EMC Centera Universal Access CVE-2008-3369 (SQL injection vulnerability in products_rss.php in ViArt Shop 3.5 and ...) NOT-FOR-US: ViArt Shop CVE-2008-3368 (PHP remote file inclusion vulnerability in tools/packages/import.php i ...) NOT-FOR-US: ATutor CVE-2008-3367 (Cross-site scripting (XSS) vulnerability in RTE_popup_link.asp in Web ...) NOT-FOR-US: Web Wiz Rich Text Editor CVE-2008-3366 (SQL injection vulnerability in story.php in Pligg CMS Beta 9.9.0 allow ...) NOT-FOR-US: Pligg CMS CVE-2008-3365 (Directory traversal vulnerability in index.php in Pixelpost 1.7.1 on W ...) - pixelpost (Exploit relies on register_globals to be on) CVE-2008-3364 (Buffer overflow in the ObjRemoveCtrl Class ActiveX control in OfficeSc ...) NOT-FOR-US: Trend Micro OfficeScan Corp Edition Web-Deployment CVE-2008-3363 (Directory traversal vulnerability in user_portal.php in the Dokeos E-L ...) NOT-FOR-US: Dokeos E-Learning System CVE-2008-3362 (Unrestricted file upload vulnerability in upload.php in the Giulio Gan ...) NOT-FOR-US: Giulio Ganci Wp Downloads Manager module CVE-2008-3361 (Stack-based buffer overflow in IntelliTamper 2.07 allows remote web si ...) NOT-FOR-US: IntelliTamper CVE-2008-3360 (Stack-based buffer overflow in the HTML parser in IntelliTamper 2.0.7 ...) NOT-FOR-US: IntelliTamper CVE-2008-3359 (SQL injection vulnerability in register.php in Steve Bourgeois and Chr ...) - owl-dms 0.95-1.1 (bug #493372) CVE-2008-3358 (Cross-site scripting (XSS) vulnerability in Web Dynpro (WD) in the SAP ...) NOT-FOR-US: SAP NetWeaver portal CVE-2008-3357 (Untrusted search path vulnerability in ingvalidpw in Ingres 2.6, Ingre ...) NOT-FOR-US: Ingres CVE-2008-3356 (verifydb in Ingres 2.6, Ingres 2006 release 1 (aka 9.0.4), and Ingres ...) NOT-FOR-US: Ingres CVE-2008-3355 (SQL injection vulnerability in sitemap.xml.php in Camera Life 2.6.2 al ...) NOT-FOR-US: Camera Life CVE-2008-3354 (Multiple PHP remote file inclusion vulnerabilities in the Newbb Plus ( ...) NOT-FOR-US: Newbb Plus CVE-2008-3353 (Multiple cross-site scripting (XSS) vulnerabilities in Pure Software L ...) NOT-FOR-US: Pure Software Lore CVE-2008-3352 (SQL injection vulnerability in index.php in Live Music Plus 1.1.0 allo ...) NOT-FOR-US: Live Music Plus CVE-2008-3351 (SQL injection vulnerability in atomPhotoBlog.php in Atom PhotoBlog 1.0 ...) NOT-FOR-US: Atom PhotoBlog CVE-2008-3350 (dnsmasq 2.43 allows remote attackers to cause a denial of service (dae ...) - dnsmasq 2.44-1 (low) [etch] - dnsmasq (Issue was introduced in 2.43) CVE-2008-3349 (Multiple unspecified vulnerabilities in NetApp Data ONTAP, as used on ...) NOT-FOR-US: NetApp Data ONTAP CVE-2008-3348 (Cross-site scripting (XSS) vulnerability in staticpages/easycalendar/i ...) NOT-FOR-US: MyioSoft EasyDynamicPages CVE-2008-3347 (SQL injection vulnerability in staticpages/easycalendar/index.php in M ...) NOT-FOR-US: MyioSoft EasyDynamicPages CVE-2008-3346 (SQL injection vulnerability in product_detail.php in ShopCart DX allow ...) NOT-FOR-US: ShopCart DX CVE-2008-3345 (SQL injection vulnerability in staticpages/easyecards/index.php in Myi ...) NOT-FOR-US: MyioSoft EasyE-Cards CVE-2008-3344 (Multiple cross-site scripting (XSS) vulnerabilities in staticpages/eas ...) NOT-FOR-US: MyioSoft EasyE-Cards CVE-2008-3343 (SQL injection vulnerability in staticpages/easypublish/index.php in My ...) NOT-FOR-US: MyioSoft EasyPublish CVE-2008-3342 (Cross-site scripting (XSS) vulnerability in staticpages/easypublish/in ...) NOT-FOR-US: MyioSoft EasyPublish CVE-2008-3341 (Multiple SQL injection vulnerabilities in search_result.cfm in Jobbex ...) NOT-FOR-US: Jobbex JobSite CVE-2008-3340 (Cross-site scripting (XSS) vulnerability in search_result.cfm in Jobbe ...) NOT-FOR-US: Jobbex JobSite CVE-2008-3339 (search_result.cfm in Jobbex JobSite allows remote attackers to obtain ...) NOT-FOR-US: Jobbex JobSite CVE-2008-3429 (Buffer overflow in URI processing in HTTrack and WinHTTrack before 3.4 ...) {DSA-1626-1} - httrack 3.42.3-1 (low) CVE-2008-3338 (Multiple buffer overflows in TIBCO Hawk (1) AMI C library (libtibhawka ...) NOT-FOR-US: TIBCO Hawk CVE-2008-3337 (PowerDNS Authoritative Server before 2.9.21.1 drops malformed queries, ...) {DSA-1628-1} - pdns 2.9.21.1-1 (low) CVE-2008-3336 (Multiple cross-site scripting (XSS) vulnerabilities in PunBB before 1. ...) NOT-FOR-US: PunBB CVE-2008-3335 (Unspecified vulnerability in PunBB before 1.2.19 allows remote attacke ...) NOT-FOR-US: PunBB CVE-2008-3334 (Cross-site scripting (XSS) vulnerability in MyBB 1.2.x before 1.2.14 a ...) NOT-FOR-US: MyBB CVE-2008-3333 (Directory traversal vulnerability in core/lang_api.php in Mantis befor ...) - mantis 1.1.2+dfsg-2 NOTE: I've marked the above version as fixed, however I am not sure if it wasn't fixed NOTE: earlier. However, lenny is fixed and it is not in etch and sarge is not supported anymore. CVE-2008-3332 (Eval injection vulnerability in adm_config_set.php in Mantis before 1. ...) - mantis 1.1.2+dfsg-2 CVE-2008-3331 (Cross-site scripting (XSS) vulnerability in return_dynamic_filters.php ...) - mantis 1.1.2+dfsg-2 CVE-2008-3329 (Unspecified vulnerability in Links before 2.1, when "only proxies" is ...) - links2 2.1pre37-1.1 (low; bug #492744) [etch] - links2 (Minor information leak) CVE-2008-3328 (Cross-site scripting (XSS) vulnerability in the wiki engine in Trac be ...) - trac 0.11-1 [etch] - trac 0.10.3-1etch4 CVE-2008-3324 (The PartyGaming PartyPoker client program 121/120 does not properly ve ...) NOT-FOR-US: PartyGaming PartyPoker CVE-2008-3323 (setup.exe before 2.573.2.3 in Cygwin does not properly verify the auth ...) NOT-FOR-US: Cygwin CVE-2008-3322 (admin/index.php in Maian Recipe 1.2 and earlier allows remote attacker ...) NOT-FOR-US: Maian * CVE-2008-3321 (admin/index.php in Maian Uploader 4.0 and earlier allows remote attack ...) NOT-FOR-US: Maian * CVE-2008-3320 (admin/index.php in Maian Guestbook 3.2 and earlier allows remote attac ...) NOT-FOR-US: Maian * CVE-2008-3319 (admin/index.php in Maian Links 3.1 and earlier allows remote attackers ...) NOT-FOR-US: Maian * CVE-2008-3318 (admin/index.php in Maian Weblog 4.0 and earlier allows remote attacker ...) NOT-FOR-US: Maian * CVE-2008-3317 (admin/index.php in Maian Search 1.1 and earlier allows remote attacker ...) NOT-FOR-US: Maian * CVE-2008-3316 (Cross-site scripting (XSS) vulnerability in the search feature in the ...) NOT-FOR-US: Geeklog CVE-2008-3315 (Multiple cross-site scripting (XSS) vulnerabilities in Claroline 1.8.1 ...) NOT-FOR-US: Claroline CVE-2008-3314 (ZDaemon 1.08.07 and earlier allows remote attackers to cause a denial ...) NOT-FOR-US: ZDaemon CVE-2008-3313 (Multiple PHP remote file inclusion vulnerabilities in CreaCMS 1.0 allo ...) NOT-FOR-US: CreaCMS CVE-2008-3312 (Directory traversal vulnerability in lemon_includes/FCKeditor/editor/f ...) - fckeditor (Vulnerable code not present) NOTE: lemon cms patched sources, vulnerable code not present in plain fckeditor in no version. NOTE: if in doubt contact the fsckeditor people. CVE-2008-3311 (PHP remote file inclusion vulnerability in config.php in Adam Scheinbe ...) NOT-FOR-US: Adam Scheinberg Flip CVE-2008-3310 (SQL injection vulnerability in default.asp in Pre Survey Poll allows r ...) NOT-FOR-US: Pre Survey Poll CVE-2008-3309 (SQL injection vulnerability in info_book.asp in DigiLeave 1.2 and earl ...) NOT-FOR-US: DigiLeave CVE-2008-3308 (PHP remote file inclusion vulnerability in cuenta/cuerpo.php in C. Des ...) NOT-FOR-US: C. Desseno YouTube Blog CVE-2008-3307 (SQL injection vulnerability in todos.php in C. Desseno YouTube Blog (y ...) NOT-FOR-US: C. Desseno YouTube Blog CVE-2008-3306 (SQL injection vulnerability in info.php in C. Desseno YouTube Blog (yt ...) NOT-FOR-US: C. Desseno YouTube Blog CVE-2008-3305 (Cross-site scripting (XSS) vulnerability in mensaje.php in C. Desseno ...) NOT-FOR-US: C. Desseno YouTube Blog CVE-2008-3304 (BilboBlog 0.2.1 allows remote attackers to obtain sensitive informatio ...) NOT-FOR-US: BilboBlog CVE-2008-3303 (admin/login.php in BilboBlog 0.2.1, when register_globals is enabled, ...) NOT-FOR-US: BilboBlog CVE-2008-3302 (SQL injection vulnerability in admin/delete.php in BilboBlog 0.2.1, wh ...) NOT-FOR-US: BilboBlog CVE-2008-3301 (Multiple cross-site scripting (XSS) vulnerabilities in BilboBlog 0.2.1 ...) NOT-FOR-US: BilboBlog CVE-2008-3300 (AlphAdmin CMS 1.0.5/03 allows remote attackers to bypass authenticatio ...) NOT-FOR-US: AlphAdmin CMS CVE-2008-3299 (eSyndiCat 1.6 allows remote attackers to bypass authentication and gai ...) NOT-FOR-US: eSyndiCat CVE-2008-3298 (SocialEngine (SE) before 2.83 grants certain write privileges for temp ...) NOT-FOR-US: SocialEngine CVE-2008-3297 (Multiple SQL injection vulnerabilities in SocialEngine (SE) before 2.8 ...) NOT-FOR-US: SocialEngine CVE-2008-3296 (Directory traversal vulnerability in modules/system/admin.php in XOOPS ...) NOT-FOR-US: XOOPS CVE-2008-3295 (Cross-site scripting (XSS) vulnerability in modules/system/admin.php i ...) NOT-FOR-US: XOOPS CVE-2008-3294 (src/configure.in in Vim 5.0 through 7.1, when used for a build with Py ...) - vim (Build issue) NOTE: It looks like the vulnerability only occurs during build, so it shouldn't be an issue for Debian CVE-2008-3293 (Directory traversal vulnerability in download.php in EZWebAlbum allows ...) NOT-FOR-US: EZWebAlbum CVE-2008-3292 (constants.inc in EZWebAlbum 1.0 allows remote attackers to bypass auth ...) NOT-FOR-US: EZWebAlbum CVE-2008-3291 (SQL injection vulnerability in index.php in AproxEngine (aka Aprox CMS ...) NOT-FOR-US: AproxEngine CVE-2008-3290 (retroclient.exe in EMC Dantz Retrospect Backup Client 7.5.116 allows r ...) NOT-FOR-US: EMC Dantz Retrospect Backup Client CVE-2008-3289 (EMC Dantz Retrospect Backup Client 7.5.116 sends the password hash in ...) NOT-FOR-US: EMC Dantz Retrospect Backup Client CVE-2008-3288 (The Server Authentication Module in EMC Dantz Retrospect Backup Server ...) NOT-FOR-US: EMC Dantz Retrospect Backup Server CVE-2008-3287 (retroclient.exe in EMC Dantz Retrospect Backup Client 7.5.116 allows r ...) NOT-FOR-US: EMC Dantz Retrospect Backup Client CVE-2008-3286 (SWAT 4 1.1 and earlier allows remote attackers to cause a denial of se ...) NOT-FOR-US: SWAT 4 CVE-2008-3285 (The Filesys::SmbClientParser module 2.7 and earlier for Perl allows re ...) NOT-FOR-US: Filesys::SmbClientParser CVE-2008-3284 REJECTED CVE-2008-3283 (Multiple memory leaks in Red Hat Directory Server 7.1 before SP7, Red ...) NOT-FOR-US: Red Hat Directory Server CVE-2008-3282 (Integer overflow in the rtl_allocateMemory function in sal/rtl/source/ ...) - openoffice.org (openoffice in Debian does not use the custom allocations but g/malloc) NOTE: see ooo-build/distro-configs/CommonLinux.conf.in, openoffice builds on Debian using NOTE: --with-alloc=system which causes the build scripts to use the system allocators instead of the NOTE: custom ones CVE-2008-3281 (libxml2 2.6.32 and earlier does not properly detect recursion during e ...) {DSA-1631-1 DTSA-158-1} - libxml2 2.6.32.dfsg-3 (medium) - chromium-browser 5.0.375.29~r46008-1 CVE-2008-3280 RESERVED CVE-2008-3279 (Untrusted search path vulnerability in libbrlttybba.so in brltty 3.7.2 ...) - brltty (RedHat-specific) CVE-2008-3278 (frysk packages through 2008-08-05 as shipped in Red Hat Enterprise Lin ...) - frysk CVE-2008-3277 (Untrusted search path vulnerability in a certain Red Hat build script ...) - ibutils (RedHat-specific) CVE-2008-3276 (Integer overflow in the dccp_setsockopt_change function in net/dccp/pr ...) {DSA-1653-1 DSA-1636-1} - linux-2.6 2.6.26-4 - linux-2.6.24 2.6.24-6~etchnhalf.5 CVE-2008-3275 (The (1) real_lookup and (2) __lookup_hash functions in fs/namei.c in t ...) {DSA-1636-1 DSA-1630-1} - linux-2.6.24 2.6.24-6~etchnhalf.5 - linux-2.6 2.6.26-2 NOTE: d70b67c8bc72ee23b55381bd6a884f4796692f77 CVE-2008-3274 (The default configuration of Red Hat Enterprise IPA 1.0.0 and FreeIPA ...) NOT-FOR-US: FreeIPA CVE-2008-3273 (JBoss Enterprise Application Platform (aka JBossEAP or EAP) before 4.2 ...) - jbossas4 (Only provides a few class libs) CVE-2008-3272 (The snd_seq_oss_synth_make_info function in sound/core/seq/oss/seq_oss ...) {DSA-1636-1 DSA-1630-1} - linux-2.6.24 2.6.24-6~etchnhalf.5 - linux-2.6 2.6.26-2 NOTE: 82e68f7ffec3800425f2391c8c86277606860442 CVE-2008-3271 (Apache Tomcat 5.5.0 and 4.1.0 through 4.1.31 allows remote attackers t ...) - tomcat5 (unimportant) - tomcat5.5 5.5.1 - tomcat6 NOTE: It is unlikely that this is exploitable in real world scenarios. CVE-2008-3270 (yum-rhn-plugin in Red Hat Enterprise Linux (RHEL) 5 does not verify th ...) NOT-FOR-US: Red Hat CVE-2008-3269 (WRPCServer.exe in WinSoftMagic WinRemotePC (WRPC) Lite 2008 and Full 2 ...) NOT-FOR-US: WinRemotePC CVE-2008-3268 (Unspecified vulnerability in phpScheduleIt 1.2.0 through 1.2.9, when u ...) NOT-FOR-US: phpScheduleIt CVE-2008-3267 (SQL injection vulnerability in mojoJobs.cgi in MojoJobs allows remote ...) NOT-FOR-US: MojoJobs CVE-2008-3266 (SQL injection vulnerability in picture_pic_bv.asp in SoftAcid Hotel Re ...) NOT-FOR-US: SoftAcid Hotel Reservation System CVE-2008-3265 (SQL injection vulnerability in the DT Register (com_dtregister) 2.2.3 ...) NOT-FOR-US: DT Register CVE-2008-3264 (The FWDOWNL firmware-download implementation in Asterisk Open Source 1 ...) - asterisk 1:1.4.21.2~dfsg-1 [etch] - asterisk (Etch Packages no longer covered by security support) NOTE: http://downloads.digium.com/pub/security/AST-2008-011.html CVE-2008-3263 (The IAX2 protocol implementation in Asterisk Open Source 1.0.x, 1.2.x ...) - asterisk 1:1.4.21.2~dfsg-1 [etch] - asterisk (Etch Packages no longer covered by security support) NOTE: http://downloads.digium.com/pub/security/AST-2008-010.html CVE-2008-3262 (Cross-site request forgery (CSRF) vulnerability in Claroline before 1. ...) NOT-FOR-US: Claroline CVE-2008-3261 (Open redirect vulnerability in claroline/redirector.php in Claroline b ...) NOT-FOR-US: Claroline CVE-2008-3260 (Multiple cross-site scripting (XSS) vulnerabilities in Claroline befor ...) NOT-FOR-US: Claroline CVE-2008-3259 (OpenSSH before 5.1 sets the SO_REUSEADDR socket option when the X11Use ...) - openssh (linux check that the effective userid matches or that bind addresses dont overlap on rebind) CVE-2008-3258 (Multiple SQL injection vulnerabilities in Zoph before 0.7.0.5 allow re ...) - zoph 0.7.1-1 NOTE: http://sourceforge.net/project/shownotes.php?group_id=69353&release_id=614672 CVE-2008-3257 (Stack-based buffer overflow in the Apache Connector (mod_wl) in Oracle ...) NOT-FOR-US: Oracle CVE-2008-3256 (SQL injection vulnerability in folder.php in Siteframe CMS 3.2.3 and e ...) NOT-FOR-US: Siteframe CMS CVE-2008-3255 (Cross-site scripting (XSS) vulnerability in LunarNight Laboratory WebP ...) NOT-FOR-US: LunarNight Laboratory WebProxy CVE-2008-3254 (SQL injection vulnerability in index.php in preCMS 1 allows remote att ...) NOT-FOR-US: preCMS CVE-2008-3253 (Cross-site scripting (XSS) vulnerability in the XenAPI HTTP interfaces ...) NOT-FOR-US: Citrix XenServer Express CVE-2008-3252 (Stack-based buffer overflow in the read_article function in getarticle ...) {DSA-1622-1} - newsx 1.6-3 (bug #492742) CVE-2008-3251 (Multiple SQL injection vulnerabilities in tplSoccerSite 1.0 allow remo ...) NOT-FOR-US: tplSoccerSite CVE-2008-3250 (SQL injection vulnerability in index.php in Arctic Issue Tracker 2.0.0 ...) NOT-FOR-US: Arctic Issue Tracker CVE-2008-3249 (The client in Lenovo System Update before 3.14 does not properly valid ...) NOT-FOR-US: Lenovo System Update CVE-2008-3248 (qiomkfile in the Quick I/O for Database feature in Symantec Veritas Fi ...) NOT-FOR-US: Symantec Veritas File System on HP-UX CVE-2008-3247 (The LDT implementation in the Linux kernel 2.6.25.x before 2.6.25.11 o ...) - linux-2.6 2.6.25-7 [etch] - linux-2.6 (2.6.25-only issue) - linux-2.6.24 (2.6.25-only issue) CVE-2008-3246 (Unspecified vulnerability in the PDF distiller component in the BlackB ...) NOT-FOR-US: BlackBerry Attachment Service CVE-2008-3245 (SQL injection vulnerability in phpHoo3.php in phpHoo3 4.3.9, 4.3.10, 4 ...) NOT-FOR-US: phpHoo3 CVE-2008-3244 (The scanning engine before 4.4.4 in F-Prot Antivirus before 6.0.9.0 al ...) NOT-FOR-US: F-Prot Antivirus CVE-2008-3243 (Multiple unspecified vulnerabilities in the scanning engine before 4.4 ...) NOT-FOR-US: F-Prot Antivirus CVE-2008-3242 (Heap-based buffer overflow in the PPMedia Class ActiveX control in PPM ...) NOT-FOR-US: PPMate CVE-2008-3241 (SQL injection vulnerability in players-detail.php in UltraStats 0.2.13 ...) NOT-FOR-US: UltraStats CVE-2008-3240 (SQL injection vulnerability in index.php in AlstraSoft Affiliate Netwo ...) NOT-FOR-US: AlstraSoft Affiliate Network Pro CVE-2008-3239 (Unrestricted file upload vulnerability in the writeLogEntry function i ...) NOT-FOR-US: PHPizabi CVE-2008-3238 (Multiple SQL injection vulnerabilities in ITechBids 7.0 Gold allow rem ...) NOT-FOR-US: ITechBids CVE-2008-3237 (Cross-site scripting (XSS) vulnerability in forward_to_friend.php in I ...) NOT-FOR-US: ITechBids CVE-2008-3236 (Unspecified vulnerability in Wsadmin in the System Management/Reposito ...) NOT-FOR-US: Wsadmin CVE-2008-3235 (Unspecified vulnerability in the PropFilePasswordEncoder utility in th ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2008-3234 (sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapsh ...) - openssh (unimportant) NOTE: this is by design CVE-2008-3233 (Cross-site scripting (XSS) vulnerability in WordPress before 2.6, SVN ...) - wordpress (Code was only present in svn versions) CVE-2008-3232 (Unrestricted file upload vulnerability in ecrire/images.php in Dotclea ...) NOT-FOR-US: dotclear CVE-2008-3231 (xine-lib before 1.1.15 allows remote attackers to cause a denial of se ...) - xine-lib 1.1.14-2 (bug #492870; unimportant) NOTE: Only a NULL pointer deference, hardly security relevant CVE-2008-3230 (The ffmpeg lavf demuxer allows user-assisted attackers to cause a deni ...) - ffmpeg-debian 0.svn20080206-16 (unimportant; bug #498764; bug #498766) - ffmpeg 0.svn20080206-16 (unimportant) - xmovie (unimportant) NOTE: Only a NULL pointer deference, hardly security relevant CVE-2008-3228 (Joomla! before 1.5.4 does not configure .htaccess to apply certain sec ...) NOT-FOR-US: Joomla! CVE-2008-3227 (Unspecified vulnerability in Joomla! before 1.5.4 has unknown impact a ...) NOT-FOR-US: Joomla! CVE-2008-3226 (The file caching implementation in Joomla! before 1.5.4 allows attacke ...) NOT-FOR-US: Joomla! CVE-2008-3225 (Joomla! before 1.5.4 allows attackers to access administration functio ...) NOT-FOR-US: Joomla! CVE-2008-3217 (PowerDNS Recursor before 3.1.6 does not always use the strongest rando ...) {DSA-1544-2} - pdns-recursor 3.1.7-1 (low; bug #493576) CVE-2008-3215 (libclamav/petite.c in ClamAV before 0.93.3 allows remote attackers to ...) {DSA-1616-2} - clamav 0.93.1.dfsg-1.1 (medium) CVE-2008-3214 (dnsmasq 2.25 allows remote attackers to cause a denial of service (dae ...) - dnsmasq 2.26-1 (medium) CVE-2008-3213 (SQL injection vulnerability in secciones/tablon/tablon.php in WebCMS P ...) NOT-FOR-US: WebCMS CVE-2008-3212 (Multiple SQL injection vulnerabilities in Scripteen Free Image Hosting ...) NOT-FOR-US: Scripteen Free Image Hosting CVE-2008-3211 (Scripteen Free Image Hosting Script 1.2 and 1.2.1 allows remote attack ...) NOT-FOR-US: Scripteen Free Image Hosting CVE-2008-3210 (rutil/dns/DnsStub.cxx in ReSIProcate 1.3.2, as used by repro, allows r ...) NOT-FOR-US: ReSIProcate CVE-2008-3209 (Heap-based buffer overflow in the OpenGifFile function in BiGif.dll in ...) NOT-FOR-US: Black Ice Document Imaging SDK CVE-2008-3208 (Simple DNS Plus 4.1, 5.0, and possibly other versions before 5.1.101 a ...) NOT-FOR-US: Simple DNS Plus CVE-2008-3207 (PHP remote file inclusion vulnerability in cms/modules/form.lib.php in ...) NOT-FOR-US: Pragyan CMS CVE-2008-3206 (SQL injection vulnerability in browse.groups.php in Yuhhu Pubs Black C ...) NOT-FOR-US: Yuhhu Pubs Black Cat CVE-2008-3205 (Directory traversal vulnerability in index.php in Easy-Script Wysi Wik ...) NOT-FOR-US: Easy-Script Wysi Wiki Wyg CVE-2008-3204 (SQL injection vulnerability in tops_top.php in E-topbiz Million Pixels ...) NOT-FOR-US: E-topbiz Million Pixels CVE-2008-3203 (js/pages/pages_data.php in AuraCMS 2.2 through 2.2.2 does not perform ...) NOT-FOR-US: AuraCMS CVE-2008-3202 (Cross-site scripting (XSS) vulnerability in index.php in Xomol CMS 1.2 ...) NOT-FOR-US: Xomol CVE-2008-3201 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Pa ...) NOT-FOR-US: Pagefusion CVE-2008-3200 (SQL injection vulnerability in vlc_forum.php in Avlc Forum as of 20080 ...) NOT-FOR-US: Avlc Forum CVE-2008-3199 (Multiple unspecified vulnerabilities in ReSIProcate before 1.3.4 allow ...) NOT-FOR-US: ReSIProcate CVE-2008-3198 (Mozilla Firefox 3.x before 3.0.1 allows remote attackers to inject arb ...) {DSA-1614-1} - iceweasel 3.0.1-1 (low) NOTE: http://www.mozilla.org/security/announce/2008/mfsa2008-35.html CVE-2008-3195 (Directory traversal vulnerability in bin/configure in TWiki before 4.2 ...) {DSA-1639-1} - twiki 1:4.1.2-5 (low; bug #499534) NOTE: access to configure script is restricted to localhost on Debian CVE-2008-3194 (Multiple directory traversal vulnerabilities in data/inc/themes/predef ...) NOT-FOR-US: pluck CMS CVE-2008-3193 (SQL injection vulnerability in jSite 1.0 OE allows remote attackers to ...) NOT-FOR-US: jSite CVE-2008-3192 (Directory traversal vulnerability in index.php in jSite 1.0 OE allows ...) NOT-FOR-US: jSite CVE-2008-3191 (Multiple SQL injection vulnerabilities in usercp.php in mForum 0.1a, w ...) NOT-FOR-US: mForum CVE-2008-3190 (Directory traversal vulnerability in list.php in 1Scripts CodeDB 1.1.1 ...) NOT-FOR-US: CodeDB CVE-2008-3189 (SQL injection vulnerability in dreamnews-rss.php in DreamNews Manager ...) NOT-FOR-US: DreamNews Manager CVE-2008-3188 (libxcrypt in SUSE openSUSE 11.0 uses the DES algorithm when the config ...) - libxcrypt (Suse issue) CVE-2008-3187 (zypp-refresh-patches in zypper in SUSE openSUSE 10.2, 10.3, and 11.0 d ...) NOT-FOR-US: SUSE Zypper CVE-2008-3330 (Cross-site scripting (XSS) vulnerability in services/obrowser/index.ph ...) {DSA-1765-1} - horde3 3.2.1+debian0-1 (low; bug #492578) - turba2 2.2.1-1 (low) [etch] - turba2 (only version 2.2 contains vulnerable code, etch has 2.1) CVE-2008-3325 (Cross-site request forgery (CSRF) vulnerability in Moodle 1.6.x before ...) {DSA-1691-1} - moodle 1.8.1-1 (low) NOTE: http://moodle.org/mod/forum/discuss.php?d=101405 CVE-2008-3326 (Cross-site scripting (XSS) vulnerability in blog/edit.php in Moodle 1. ...) {DSA-1691-1} - moodle 1.8.2-2 (low; bug #492492) NOTE: http://moodle.org/mod/forum/discuss.php?d=101401 CVE-2008-3327 (Moodle 1.6.5, when display_errors is enabled, allows remote attackers ...) - moodle (unimportant) NOTE: http://moodle.org/mod/forum/discuss.php?d=101403 NOTE: Does not allow any attack vectors, apart from gaining non-sensible information CVE-2008-XXXX [mantis multiple issues] - mantis 1.1.2+dfsg-1 (low) NOTE: http://www.mantisbt.org/bugs/changelog_page.php NOTE: CVE id requested by redhat NOTE: 0008975 (CSRF) covered by CVE-2008-2276 NOTE: 0008976 remote code execution only possible with valid administrator account CVE-2008-3196 (skeleton.c in yacc does not properly handle reduction of a rule with a ...) - byacc 20070509-1.1 (low; bug #491182) [etch] - byacc (Minor issue) CVE-2008-XXXX [libetpan NULL deref] - libetpan 0.54-3 (low) [etch] - libetpan (Minor issue) NOTE: http://lwn.net/Alerts/287640/ NOTE: http://libetpan.cvs.sourceforge.net/libetpan/libetpan/src/low-level/imf/mailimf.c?view=diff&r1=1.46&r2=1.47 CVE-2008-XXXX [XSS in press-this of wordpress] - wordpress (Vulnerable code not present) NOTE: this code was never present in a released wordpress version NOTE: http://www.openwall.com/lists/oss-security/2008/07/15/5 CVE-2008-3224 (Unspecified vulnerability in phpBB before 3.0.1 has unknown impact and ...) - phpbb3 3.0.2-1 (low) - phpbb2 (Vulnerable code not present) CVE-2008-3197 (Cross-site request forgery (CSRF) vulnerability in phpMyAdmin before 2 ...) {DSA-1641-1} - phpmyadmin 4:2.11.7.1-1 (low) NOTE: this only allows via csrf to create an empty database. NOTE: this would take a lot of work to get it only to the 'annoying' level, let alone a DoS NOTE: https://www.phpmyadmin.net/security/PMASA-2008-5/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/13fbcf4107476dc2d53a8dde707667172f807641 NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/084fd3ed16290339ee98a14d067932f638974044 (useless?) CVE-2008-3186 (Multiple cross-site scripting (XSS) vulnerabilities in Chipmunk Blog ( ...) NOT-FOR-US: Chipmunk Blog CVE-2008-3185 (SQL injection vulnerability in index.php in Relative Real Estate Syste ...) NOT-FOR-US: Relative Real Estate Systems CVE-2008-3184 (Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 3.6.1 ...) NOT-FOR-US: vBulletin CVE-2008-3183 (PHP remote file inclusion vulnerability in ktmlpro/includes/ktedit/too ...) NOT-FOR-US: gapicms CVE-2008-3182 (Stack-based buffer overflow in DAP.exe in Download Accelerator Plus (D ...) NOT-FOR-US: Download Accelerator Plus CVE-2008-3181 (Unrestricted file upload vulnerability in upload.php in ContentNow CMS ...) NOT-FOR-US: ContentNow CMS CVE-2008-3180 (Multiple cross-site scripting (XSS) vulnerabilities in upload/file/lan ...) NOT-FOR-US: ContentNow CMS CVE-2008-3179 (Directory traversal vulnerability in website.php in Web 2 Business (W2 ...) NOT-FOR-US: phpDatingClub CVE-2008-3178 (Unrestricted file upload vulnerability in upload_pictures.php in WebXe ...) NOT-FOR-US: WebXell Editor CVE-2008-3177 (Sophos virus detection engine 2.75 on Linux and Unix, as used in Sopho ...) NOT-FOR-US: Sophos virus detection engine CVE-2008-3176 RESERVED CVE-2008-3175 (Integer underflow in rxRPC.dll in the LGServer service in the server i ...) NOT-FOR-US: CA ARCserve Backup CVE-2008-3174 (Unspecified vulnerability in the kmxfw.sys driver in CA Host-Based Int ...) NOT-FOR-US: r8 (Host-Based Intrusion Prevention System (HIPS)) CVE-2008-3173 (Microsoft Internet Explorer allows web sites to set cookies for domain ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-3172 (Opera allows web sites to set cookies for country-specific top-level d ...) NOT-FOR-US: Opera CVE-2008-3171 (Apple Safari sends Referer headers containing https URLs to different ...) NOT-FOR-US: Apple Safari CVE-2008-3170 (Apple Safari allows web sites to set cookies for country-specific top- ...) NOT-FOR-US: Apple Safari CVE-2008-3169 (Multiple heap-based buffer overflows in Empire Server before 4.3.15 al ...) NOT-FOR-US: Empire Server CVE-2008-3168 (The files utility in Empire Server before 4.3.15 discloses the world c ...) NOT-FOR-US: Empire Server CVE-2008-3167 (Multiple PHP remote file inclusion vulnerabilities in BoonEx Dolphin 6 ...) NOT-FOR-US: BoonEx Dolphin CVE-2008-3166 (PHP remote file inclusion vulnerability in modules/global/inc/content. ...) NOT-FOR-US: BoonEx Ray CVE-2008-3165 (Directory traversal vulnerability in rss.php in fuzzylime (cms) 3.01a ...) NOT-FOR-US: fuzzylime CVE-2008-3164 (Directory traversal vulnerability in blog.php in fuzzylime (cms) 3.01, ...) NOT-FOR-US: fuzzylime CVE-2008-3163 (Directory traversal vulnerability in dodosmail.php in DodosMail 2.5 al ...) NOT-FOR-US: DodosMail CVE-2008-3162 (Stack-based buffer overflow in the str_read_packet function in libavfo ...) {DSA-1781-1} - ffmpeg-debian 0.svn20080206-10 (bug #489965; low) - ffmpeg 0.svn20080206-10 - xmovie CVE-2008-3161 (Multiple cross-site scripting (XSS) vulnerabilities in jsp/common/syst ...) NOT-FOR-US: IBM Maximo CVE-2008-3160 (Multiple unspecified vulnerabilities in IBM Data ONTAP 7.1 before 7.1. ...) NOT-FOR-US: IBM Data ONTAP CVE-2008-3159 (Integer overflow in ds.dlm, as used by dhost.exe, in Novell eDirectory ...) NOT-FOR-US: eDirectory CVE-2008-3158 (Unspecified vulnerability in NWFS.SYS in Novell Client for Windows 4.9 ...) NOT-FOR-US: Novell Client for Windows CVE-2008-3157 (Nortel SIP Multimedia PC Client 4.x MCS5100 and MCS5200 does not limit ...) NOT-FOR-US: Nortel SIP Multimedia PC Client CVE-2008-3156 (The ActiveScan ActiveX Control (as2guiie.dll) in Panda ActiveScan befo ...) NOT-FOR-US: Panda ActiveScan CVE-2008-3155 (Stack-based buffer overflow in the ActiveX control (as2guiie.dll) in P ...) NOT-FOR-US: Panda ActiveScan CVE-2008-3154 (SQL injection vulnerability in index.php in WebBlizzard CMS allows rem ...) NOT-FOR-US: WebBlizzard CMS CVE-2008-3153 (SQL injection vulnerability in Triton CMS Pro allows remote attackers ...) NOT-FOR-US: Triton CMS Pro CVE-2008-3152 (SQL injection vulnerability in directory.php in SmartPPC and SmartPPC ...) NOT-FOR-US: SmartPPC CVE-2008-3151 (SQL injection vulnerability in the 4ndvddb 0.91 module for PHP-Nuke al ...) NOT-FOR-US: PHP-NUke CVE-2008-3150 (Directory traversal vulnerability in index.php in Neutrino Atomic Edit ...) NOT-FOR-US: Neutrino Atomic Edition CVE-2008-3149 (The SNMP daemon in the F5 FirePass 1200 6.0.2 hotfix 3 allows remote a ...) NOT-FOR-US: F5 FirePass CVE-2008-3148 (Stack-based buffer overflow in (1) OllyDBG 1.10 and (2) ImpREC 1.7f al ...) NOT-FOR-US: OllyDBG/ImpREC CVE-2008-3147 (WeFi 3.2.1.4.1, when diagnostic mode is enabled, stores (1) WEP, (2) W ...) NOT-FOR-US: WeFi CVE-2008-3146 (Multiple buffer overflows in packet_ncp2222.inc in Wireshark (formerly ...) {DTSA-167-1} - wireshark 1.0.3-1 (medium; bug #497878) CVE-2008-3144 (Multiple integer overflows in the PyOS_vsnprintf function in Python/my ...) {DSA-1667-1 DTSA-157-1} - python2.4 2.4.5-5 - python2.5 2.5.2-7 [etch] - python2.5 (Minor issue, not the default Python runtime) CVE-2008-3143 (Multiple integer overflows in Python before 2.5.2 might allow context- ...) {DSA-1667-1} - python2.4 2.4.5-1 [etch] - python2.5 (Minor issue, not the default Python runtime) - python2.5 2.5.2-1 CVE-2008-3142 (Multiple buffer overflows in Python 2.5.2 and earlier on 32bit platfor ...) {DSA-1667-1 DTSA-157-1} - python2.5 2.5.2-10 [etch] - python2.5 (Minor issue, not the default Python runtime) - python2.4 2.4.5-5 CVE-2008-3136 (SQL injection vulnerability in catalogue.php in AShop Deluxe 4.x allow ...) NOT-FOR-US: AShop Delux CVE-2008-3135 (Soldner Secret Wars 33724 and earlier allows remote attackers to cause ...) NOT-FOR-US: Soldner Secret Wars CVE-2008-3134 (Multiple unspecified vulnerabilities in GraphicsMagick before 1.2.4 al ...) {DSA-1903-1} - graphicsmagick 1.2.4-1 (bug #491439) - imagemagick (unimportant; bug #559775) NOTE: several DoS fixed in 1.2.4 according to upstream NOTE: http://sourceforge.net/project/shownotes.php?release_id=610253 CVE-2008-3133 (SQL injection vulnerability in admin/index.php in BareNuked CMS 1.1.0, ...) NOT-FOR-US: BareNuked CMS CVE-2008-3132 (SQL injection vulnerability in the beamospetition (com_beamospetition) ...) NOT-FOR-US: Joomla component CVE-2008-3131 (SQL injection vulnerability in chatbox.php in pSys 0.7.0 Alpha, when m ...) NOT-FOR-US: PSys CVE-2008-3130 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Op ...) NOT-FOR-US: OpenCart CVE-2008-3129 (Multiple SQL injection vulnerabilities in index.php in Catviz 0.4 beta ...) NOT-FOR-US: Catviz CVE-2008-3128 (Directory traversal vulnerability in search.php in Pivot 1.40.5 allows ...) NOT-FOR-US: Pivot CVE-2008-3127 (PHP remote file inclusion vulnerability in hioxBannerRotate.php in HIO ...) NOT-FOR-US: HIOX Banner Rotator CVE-2008-3126 (Multiple stack-based buffer overflows in the ServerView web interface ...) NOT-FOR-US: Fujitsu Siemens Computers ServerView CVE-2008-3125 (SQL injection vulnerability in index.php in Mole Group Lastminute Scri ...) NOT-FOR-US: Mole Group Lastminute Script CVE-2008-3124 (SQL injection vulnerability in index.php in Mole Group Hotel Script 1. ...) NOT-FOR-US: Mole Group CVE-2008-3123 (SQL injection vulnerability in index.php in Mole Group Real Estate Scr ...) NOT-FOR-US: Mole Group CVE-2008-3122 (Multiple SQL injection vulnerabilities in Xerox CentreWare Web (CWW) b ...) NOT-FOR-US: Xerox CentreWare Web CVE-2008-3121 (Multiple cross-site scripting (XSS) vulnerabilities in Xerox CentreWar ...) NOT-FOR-US: Xerox CentreWare Web CVE-2008-3120 REJECTED CVE-2008-3119 (SQL injection vulnerability in index.php in DreamPics Builder allows r ...) NOT-FOR-US: DreamPics Builder CVE-2008-3118 (SQL injection vulnerability in play.php in PHPmotion 2.0 and earlier a ...) NOT-FOR-US: PHPmotion CVE-2008-3117 (Unrestricted file upload vulnerability in update_profile.php in PHPmot ...) NOT-FOR-US: PHPmotion CVE-2008-3116 (Format string vulnerability in dx8render.dll in Snail Game (aka Suzhou ...) NOT-FOR-US: Snail Game CVE-2003-1561 (Opera, probably before 7.50, sends Referer headers containing https:// ...) NOT-FOR-US: ancient issue CVE-2003-1560 (Netscape 4 sends Referer headers containing https:// URLs in requests ...) NOT-FOR-US: ancient issue CVE-2003-1559 (Microsoft Internet Explorer 5.22, and other 5 through 6 SP1 versions, ...) NOT-FOR-US: ancient issue CVE-2008-3229 (Stack-based buffer overflow in op before Changeset 563, when xauth sup ...) - op (not configured with xauth support) CVE-2008-3218 (Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x befo ...) - drupal5 (Vulnerable code not present, feature introduced in 6.0) - drupal-4.7 (Vulnerable code not present, feature introduced in 6.0) CVE-2008-3219 (The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before ...) - drupal5 5.8-1 (low; bug #490559) - drupal-4.7 CVE-2008-3220 (Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before 5 ...) - drupal5 5.8-1 (low; bug #490559) - drupal-4.7 (Vulnerable code not present) NOTE: drupal-4.7 uses the locale_admin_string_delete callback which returns a confirmation dialog CVE-2008-3221 (Cross-site request forgery (CSRF) vulnerability in Drupal 6.x before 6 ...) - drupal5 (Vulnerable code not present, openids introduced in 6.0) - drupal-4.7 (Vulnerable code not present, openids introduced in 6.0) CVE-2008-3222 (Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before ...) - drupal5 5.9-1 (low; bug #490559) - drupal-4.7 CVE-2008-3223 (SQL injection vulnerability in the Schema API in Drupal 6.x before 6.3 ...) - drupal5 (Vulnerable code not present, introduced in 6.0) - drupal-4.7 (Vulnerable code not present, introduced in 6.0) CVE-2008-3145 (The fragment_add_work function in epan/reassemble.c in Wireshark 0.8.1 ...) {DSA-1673-1} - wireshark 1.0.2-1 (low) NOTE: http://www.wireshark.org/security/wnpa-sec-2008-04.html CVE-2008-3115 (Secure Static Versioning in Sun Java JDK and JRE 6 Update 6 and earlie ...) - sun-java5 1.5.0-16-1 (bug #490260) [etch] - sun-java5 (Non-free not supported) - sun-java6 6-07-1 (bug #490260) CVE-2008-3114 (Unspecified vulnerability in Sun Java Web Start in JDK and JRE 6 befor ...) - sun-java5 1.5.0-16-1 (bug #490260) [etch] - sun-java5 (Non-free not supported) - sun-java6 6-07-1 (bug #490260) CVE-2008-3113 (Unspecified vulnerability in Sun Java Web Start in JDK and JRE 5.0 bef ...) - sun-java5 1.5.0-16-1 (bug #490260) [etch] - sun-java5 (Non-free not supported) - sun-java6 (Only for sun-java5) CVE-2008-3112 (Directory traversal vulnerability in Sun Java Web Start in JDK and JRE ...) - sun-java5 1.5.0-16-1 (bug #490260) [etch] - sun-java5 (Non-free not supported) - sun-java6 6-07-1 (bug #490260) - openjdk-6 (bug #566770) [wheezy] - openjdk-6 CVE-2008-3111 (Multiple buffer overflows in Sun Java Web Start in JDK and JRE 6 befor ...) - sun-java5 1.5.0-16-1 (bug #490260) [etch] - sun-java5 (Non-free not supported) - sun-java6 6-04-1 (bug #490260) CVE-2008-3110 (Unspecified vulnerability in scripting language support in Sun Java Ru ...) - sun-java5 (Only for sun-java6) [etch] - sun-java5 (Non-free not supported) - sun-java6 6-07-1 (bug #490260) CVE-2008-3109 (Unspecified vulnerability in scripting language support in Sun Java Ru ...) - sun-java5 (Only for sun-java6) [etch] - sun-java5 (Non-free not supported) - sun-java6 6-07-1 (bug #490260) CVE-2008-3108 (Buffer overflow in Sun Java Runtime Environment (JRE) in JDK and JRE 5 ...) - sun-java5 1.5.0-10-1 (bug #490260) [etch] - sun-java5 (Non-free not supported) - sun-java6 (Only for sun-java5) CVE-2008-3107 (Unspecified vulnerability in the Virtual Machine in Sun Java Runtime E ...) - sun-java5 1.5.0-16-1 (bug #490260) [etch] - sun-java5 (Non-free not supported) - sun-java6 6-07-1 (bug #490260) CVE-2008-3106 (Unspecified vulnerability in Sun Java Runtime Environment (JRE) in JDK ...) - sun-java5 1.5.0-16-1 (bug #490260) [etch] - sun-java5 (Non-free not supported) - sun-java6 6-07-1 (bug #490260) CVE-2008-3105 (Unspecified vulnerability in the JAX-WS client and service in Sun Java ...) - sun-java5 (Only for sun-java6) - sun-java6 6-07-1 (bug #490260) CVE-2008-3104 (Multiple unspecified vulnerabilities in Sun Java Runtime Environment ( ...) [etch] - sun-java5 (Non-free not supported) - sun-java5 1.5.0-16-1 (bug #490260) - sun-java6 6-07-1 (bug #490260) CVE-2008-3103 (Unspecified vulnerability in the Java Management Extensions (JMX) mana ...) [etch] - sun-java5 (Non-free not supported) - sun-java5 1.5.0-16-1 (bug #490260) - sun-java6 6-07-1 (bug #490260) CVE-2008-3102 (Mantis 1.1.x through 1.1.2 and 1.2.x through 1.2.0a2 does not set the ...) - mantis 1.1.2+dfsg-6 (low; bug #501179) CVE-2008-3101 (Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 5.0. ...) NOT-FOR-US: vtiger CRM CVE-2008-3100 (Cross-site scripting (XSS) vulnerability in lib/owl.lib.php in Steve B ...) - owl-dms 0.95-1.1 (low; bug #493579) CVE-2008-3099 RESERVED CVE-2008-3098 (Cross-site scripting (XSS) vulnerability in admin/usercheck.php in fuz ...) NOT-FOR-US: fuzzylime CVE-2008-3097 (Cross-site scripting (XSS) vulnerability in the Tinytax module (aka Ti ...) NOT-FOR-US: additional drupal module Tinytax CVE-2008-3096 (The Outline Designer module 5.x before 5.x-1.4 for Drupal changes each ...) NOT-FOR-US: additional drupal module Outline Designer CVE-2008-3095 (Cross-site scripting (XSS) vulnerability in the Organic Groups (OG) mo ...) NOT-FOR-US: additional drupal module Organic Groups CVE-2008-3094 (The Organic Groups (OG) module 5.x before 5.x-7.3 and 6.x before 6.x-1 ...) NOT-FOR-US: additional drupal module Organic Groups CVE-2008-3093 (Unrestricted file upload vulnerability in ImperialBB 2.3.5 and earlier ...) NOT-FOR-US: ImperialBB CVE-2008-3092 (SQL injection vulnerability in the Taxonomy Autotagger module 5.x befo ...) NOT-FOR-US: additional drupal module Taxonomy Autotagger CVE-2008-3091 (Cross-site scripting (XSS) vulnerability in the Taxonomy Autotagger mo ...) NOT-FOR-US: additional drupal module Taxonomy Autotagger CVE-2008-3090 (Multiple SQL injection vulnerabilities in index.php in BlognPlus (BURO ...) NOT-FOR-US: BlognPlus CVE-2008-3089 (SQL injection vulnerability in user.html in Xpoze Pro 3.06 (aka Xpoze ...) NOT-FOR-US: ImperialBB CVE-2008-3088 (Cross-site scripting (XSS) vulnerability in the Files module in Kassel ...) NOT-FOR-US: Kasseler CMS CVE-2008-3087 (Directory traversal vulnerability in Kasseler CMS 1.3.0 allows remote ...) NOT-FOR-US: Kasseler CMS CVE-2008-3086 REJECTED CVE-2008-3085 REJECTED CVE-2008-3084 REJECTED CVE-2008-3216 (The save function in br/prefmanager.d in projectl 1.001 creates a proj ...) - projectl 1.001.dfsg1-2 (low; bug #489988) [etch] - projectl (Minor issue) CVE-2008-3083 (SQL injection vulnerability in Brightcode Weblinks (com_brightweblinks ...) NOT-FOR-US: com_brightweblinks omponent for Joomla! CVE-2008-3082 (Cross-site scripting (XSS) vulnerability in UPM/English/login/login.as ...) NOT-FOR-US: Commtouch Enterprise Anti-Spam Gateway CVE-2008-3081 (Multiple unspecified "input validation" vulnerabilities in the Web man ...) NOT-FOR-US: Avaya Message Storage Server CVE-2008-3080 (Cross-site request forgery (CSRF) vulnerability in admin.php in myWebl ...) NOT-FOR-US: myBloggie CVE-2008-3079 (Unspecified vulnerability in Opera before 9.51 on Windows allows attac ...) NOT-FOR-US: Opera CVE-2008-3078 (Opera before 9.51 does not properly manage memory within functions sup ...) NOT-FOR-US: Opera CVE-2008-3077 (arch/x86/kernel/ptrace.c in the Linux kernel before 2.6.25.10 on the x ...) - linux-2.6 2.6.25-7 - linux-2.6.24 (Vulnerable code added later) [etch] - linux-2.6 (Vulnerable code added later) NOTE: 1e9a615bfce7996ea4d815d45d364b47ac6a74e8 CVE-2008-3076 (The Netrw plugin 125 in netrw.vim in Vim 7.2a.10 allows user-assisted ...) {DSA-1733-1} - vim 2:7.2.010-1 (bug #506919) [lenny] - vim 1:7.1.314-3+lenny1 (bug #506919) [squeeze] - vim 1:7.1.314-3+lenny1 (bug #506919) CVE-2008-3075 (The shellescape function in Vim 7.0 through 7.2, including 7.2a.10, al ...) {DSA-1733-1} - vim 2:7.2.010-1 (bug #506919) [lenny] - vim 1:7.1.314-3+lenny1 (bug #506919) [squeeze] - vim 1:7.1.314-3+lenny1 (bug #506919) CVE-2008-3074 (The shellescape function in Vim 7.0 through 7.2, including 7.2a.10, al ...) {DSA-1733-1} - vim 2:7.2.010-1 (bug #506919) [lenny] - vim 1:7.1.314-3+lenny1 (bug #506919) [squeeze] - vim 1:7.1.314-3+lenny1 (bug #506919) CVE-2008-3073 (Unspecified vulnerability in Simple Machines Forum (SMF) 1.1.x before ...) NOT-FOR-US: Simple Machines Forum CVE-2008-3072 (Simple Machines Forum (SMF) 1.1.x before 1.1.5 and 1.0.x before 1.0.13 ...) NOT-FOR-US: Simple Machines Forum CVE-2008-3071 (Directory traversal vulnerability in inc/class_language.php in MyBB be ...) NOT-FOR-US: MyBB CVE-2008-3070 (Unspecified vulnerability in inc/datahandler/user.php in MyBB before 1 ...) NOT-FOR-US: MyBB CVE-2008-3069 (Multiple cross-site scripting (XSS) vulnerabilities in MyBB before 1.2 ...) NOT-FOR-US: MyBB CVE-2008-3068 (Microsoft Crypto API 5.131.2600.2180 through 6.0, as used in Outlook, ...) NOT-FOR-US: Microsoft Crypto API CVE-2008-3067 (sudo in SUSE openSUSE 10.3 does not clear the stdin buffer when passwo ...) - sudo 1.6.9p12-1 [etch] - sudo (Issue was introduced in 1.6.9) CVE-2008-3066 (Stack-based buffer overflow in a certain ActiveX control in rjbdll.dll ...) NOT-FOR-US: RealNetworks RealPlayer Enterprise CVE-2008-3065 RESERVED CVE-2008-3064 (Unspecified vulnerability in RealNetworks RealPlayer Enterprise, RealP ...) NOT-FOR-US: RealNetworks RealPlayer Enterprise CVE-2008-3063 (SQL injection vulnerability in login.php in V-webmail 1.5.0 might allo ...) NOT-FOR-US: V-webmail CVE-2008-3062 RESERVED CVE-2008-3061 (Open redirect vulnerability in redirect.php in V-webmail 1.5.0 allows ...) NOT-FOR-US: V-webmail CVE-2008-3060 (V-webmail 1.5.0 allows remote attackers to obtain sensitive informatio ...) NOT-FOR-US: V-webmail CVE-2008-3059 (member/settings_account.php in Octeth Oempro 3.5.5.1, and possibly oth ...) NOT-FOR-US: Octeth Oempro CVE-2008-3058 (Multiple SQL injection vulnerabilities in Octeth Oempro 3.5.5.1, and p ...) NOT-FOR-US: Octeth Oempro CVE-2008-3057 (Octeth Oempro 3.5.5.1, and possibly other versions before 4, does not ...) NOT-FOR-US: Octeth Oempro CVE-2008-3056 (SQL injection vulnerability in the Codeon Petition (cd_petition) exten ...) NOT-FOR-US: cd_petition extension for TYPO3 CVE-2008-3055 (SQL injection vulnerability in the Support view (ext_tbl) extension 0. ...) NOT-FOR-US: ext_tbl extension for TYPO3 CVE-2008-3054 (SQL injection vulnerability in the Branchenbuch (aka Yellow Pages o (m ...) NOT-FOR-US: mh_branchenbuch extension for TYPO3 CVE-2008-3053 (SQL injection vulnerability in the SQL Frontend (mh_omsqlio) extension ...) NOT-FOR-US: mh_omsqlio extension for TYPO3 CVE-2008-3052 (Unspecified vulnerability in the SQL Frontend (mh_omsqlio) extension 1 ...) NOT-FOR-US: mh_omsqlio extension for TYPO3 CVE-2008-3051 (SQL injection vulnerability in the Pinboard extension 0.0.6 and earlie ...) NOT-FOR-US: Pinboard extension for TYPO3 CVE-2008-3050 (Unspecified vulnerability in the PDF Generator 2 (pdf_generator2) exte ...) NOT-FOR-US: pdfcreator extension for TYPO3 CVE-2008-3049 (The PDF Generator 2 (pdf_generator2) extension 0.5.0 and earlier for T ...) NOT-FOR-US: pdfcreator extension for TYPO3 CVE-2008-3048 (Unspecified vulnerability in the PDF Generator 2 (pdf_generator2) exte ...) NOT-FOR-US: pdfcreator extension for TYPO3 CVE-2008-3047 (Incomplete blacklist vulnerability in the KB Unpack (kb_unpack) extens ...) NOT-FOR-US: kb_unpack extension for TYPO3 CVE-2008-3046 (Incomplete blacklist vulnerability in the Packman (kb_packman) extensi ...) NOT-FOR-US: kb_packman extension for TYPO3 CVE-2008-3045 (Unspecified vulnerability in the Industry Database (aka Branchendatenb ...) NOT-FOR-US: pro_industrydb extension for TYPO3 CVE-2008-3044 (SQL injection vulnerability in the News Calendar (newscalendar) extens ...) NOT-FOR-US: newscalendar extension for TYPO3 CVE-2008-3043 (Unspecified vulnerability in the WEC Discussion Forum (wec_discussion) ...) NOT-FOR-US: wec_discussion extension for TYPO3 CVE-2008-3042 (Unspecified vulnerability in the DAM Frontend (dam_frontend) extension ...) NOT-FOR-US: dam_frontend extension for TYPO3 CVE-2008-3041 (Unspecified vulnerability in the DAM Frontend (dam_frontend) extension ...) NOT-FOR-US: dam_frontend extension for TYPO3 CVE-2008-3040 (Unspecified vulnerability in the DAM Frontend (dam_frontend) extension ...) NOT-FOR-US: dam_frontend extension for TYPO3 CVE-2008-3039 (SQL injection vulnerability in the DAM Frontend (dam_frontend) extensi ...) NOT-FOR-US: dam_frontend extension for TYPO3 CVE-2008-3038 (SQL injection vulnerability in the Address Directory (sp_directory) ex ...) NOT-FOR-US: sp_directory extension for TYPO3 CVE-2008-3037 (Cross-site scripting (XSS) vulnerability in the Address Directory (sp_ ...) NOT-FOR-US: sp_directory extension for TYPO3 CVE-2008-3036 (Directory traversal vulnerability in index.php in CMS little 0.0.1 all ...) NOT-FOR-US: CMS little CVE-2008-3035 (SQL injection vulnerability in newThread.php in XchangeBoard 1.70 Fina ...) NOT-FOR-US: XchangeBoard CVE-2008-3034 (Multiple SQL injection vulnerabilities in RSS-aggregator 1.0 allow rem ...) NOT-FOR-US: RSS-aggregator CVE-2008-3033 (RSS-aggregator 1.0 does not require administrative authentication for ...) NOT-FOR-US: RSS-aggregator CVE-2008-3032 (Cross-site scripting (XSS) vulnerability in the phpMyAdmin (phpmyadmin ...) NOT-FOR-US: phpmyadmin extension for TYPO3 CVE-2008-3031 (Directory traversal vulnerability in index.php in Simple PHP Agenda 2. ...) NOT-FOR-US: Simple PHP Agenda CVE-2008-3030 (SQL injection vulnerability in default.asp in EfesTECH Shop 2.0 allows ...) NOT-FOR-US: EfesTECH Shop CVE-2008-3029 (Cross-site scripting (XSS) vulnerability in the WEC Discussion Forum ( ...) NOT-FOR-US: WEC Discussion Forum CVE-2008-3028 (Multiple cross-site scripting (XSS) vulnerabilities in the Send-A-Card ...) NOT-FOR-US: sr_sendcard extension for TYPO3 CVE-2008-3027 (SQL injection vulnerability in get_article.php in VanGogh Web CMS 0.9 ...) NOT-FOR-US: VanGogh Web CMS CVE-2008-3026 (SQL injection vulnerability in index.php in OneClick CMS (aka Sisplet ...) NOT-FOR-US: OneClick CMS CVE-2008-3025 (SQL injection vulnerability in ad.php in plx Ad Trader 3.2 allows remo ...) NOT-FOR-US: plx Ad Trader CVE-2008-3024 (Stack-based buffer overflow in phgrafx in QNX Momentics (aka RTOS) 6.3 ...) NOT-FOR-US: phgrafx in QNX Momentics CVE-2008-3023 (Cross-site scripting (XSS) vulnerability in FreeStyle Wiki 3.6.2 and e ...) NOT-FOR-US: FreeStyle Wiki CVE-2008-3022 (Multiple PHP remote file inclusion vulnerabilities in sablonlar/gunays ...) NOT-FOR-US: PHPortal CVE-2008-3021 (Microsoft Office 2000 SP3, XP SP3, and 2003 SP2; Office Converter Pack ...) NOT-FOR-US: Microsoft Office 2000 CVE-2008-3020 (Microsoft Office 2000 SP3 and XP SP3; Office Converter Pack; and Works ...) NOT-FOR-US: Microsoft Office 2000 CVE-2008-3019 (Microsoft Office 2000 SP3, XP SP3, and 2003 SP2; Office Converter Pack ...) NOT-FOR-US: Microsoft Office 2000 CVE-2008-3018 (Microsoft Office 2000 SP3, XP SP3, and 2003 SP2; Office Converter Pack ...) NOT-FOR-US: Microsoft Office 2000 CVE-2008-3017 REJECTED CVE-2008-3016 REJECTED CVE-2008-3015 (Integer overflow in gdiplus.dll in GDI+ in Microsoft Office XP SP3, Of ...) NOT-FOR-US: Microsoft Office XP CVE-2008-3014 (Buffer overflow in gdiplus.dll in GDI+ in Microsoft Internet Explorer ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-3013 (gdiplus.dll in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP S ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-3012 (gdiplus.dll in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP S ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-3011 REJECTED CVE-2008-3010 (Microsoft Windows Media Player 6.4, Windows Media Format Runtime 7.1 t ...) NOT-FOR-US: Microsoft Windows Media Player CVE-2008-3009 (Microsoft Windows Media Player 6.4, Windows Media Format Runtime 7.1 t ...) NOT-FOR-US: Microsoft Windows Media Player CVE-2008-3008 (Stack-based buffer overflow in the WMEncProfileManager ActiveX control ...) NOT-FOR-US: Microsoft Windows Media Encoder CVE-2008-3007 (Argument injection vulnerability in a URI handler in Microsoft Office ...) NOT-FOR-US: Microsoft Office XP CVE-2008-3006 (Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP2 and SP3, and 2007 ...) NOT-FOR-US: Microsoft Office Excel CVE-2008-3005 (Array index vulnerability in Microsoft Office Excel 2000 SP3 and 2002 ...) NOT-FOR-US: Microsoft Office Excel CVE-2008-3004 (Microsoft Office Excel 2000 SP3, 2002 SP3, and 2003 SP2 and SP3; Offic ...) NOT-FOR-US: Microsoft Office Excel CVE-2008-3003 (Microsoft Office Excel 2007 Gold and SP1 does not properly delete the ...) NOT-FOR-US: Microsoft Office Excel CVE-2008-3002 REJECTED CVE-2008-3001 (The Aggregation module 5.x before 5.x-4.4 for Drupal allows remote att ...) NOT-FOR-US: additional drupal module Aggregation module CVE-2008-3000 (The Aggregation module 5.x before 5.x-4.4 for Drupal, when node access ...) NOT-FOR-US: additional drupal module Aggregation module CVE-2008-2999 (Multiple SQL injection vulnerabilities in the Aggregation module 5.x b ...) NOT-FOR-US: additional drupal module Aggregation module CVE-2008-2998 (Multiple cross-site scripting (XSS) vulnerabilities in the Aggregation ...) NOT-FOR-US: additional drupal module Aggregation module CVE-2008-2997 (Cross-site scripting (XSS) vulnerability in index.php in Gravity Board ...) NOT-FOR-US: Gravity Board CVE-2008-2996 (Multiple SQL injection vulnerabilities in index.php in Gravity Board X ...) NOT-FOR-US: Gravity Board CVE-2008-2995 (Multiple SQL injection vulnerabilities in PHPEasyData 1.5.4 allow remo ...) NOT-FOR-US: PHPEasyData CVE-2008-2994 (Multiple cross-site scripting (XSS) vulnerabilities in PHPEasyData 1.5 ...) NOT-FOR-US: PHPEasyData CVE-2008-2993 (Multiple directory traversal vulnerabilities in index.php in FOG Forum ...) NOT-FOR-US: FOG Forum CVE-2008-2992 (Stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earl ...) NOT-FOR-US: Adobe Acrobat CVE-2008-2991 (Cross-site scripting (XSS) vulnerability in Adobe RoboHelp Server 6 an ...) NOT-FOR-US: Adobe RoboHelp Server 7 CVE-2008-2990 (PHP remote file inclusion vulnerability in facileforms.frame.php in th ...) NOT-FOR-US: FacileForms CVE-2008-2989 (SQL injection vulnerability in index.php in HoMaP-CMS 0.1 allows remot ...) NOT-FOR-US: HoMaP-CMS CVE-2008-2988 (Unrestricted file upload vulnerability in admin/upload.php in Benja CM ...) NOT-FOR-US: Benja CMS CVE-2008-2987 (Multiple cross-site scripting (XSS) vulnerabilities in Benja CMS 0.1 a ...) NOT-FOR-US: Benja CMS CVE-2008-2986 (Multiple PHP remote file inclusion vulnerabilities in phpDMCA 1.0.0 al ...) NOT-FOR-US: phpDMCA CVE-2008-2985 (Directory traversal vulnerability in load_language.php in CMReams CMS ...) NOT-FOR-US: CMReams CMS CVE-2008-2984 (Cross-site scripting (XSS) vulnerability in backend/umleitung.php in C ...) NOT-FOR-US: CMReams CMS CVE-2008-2983 (SQL injection vulnerability in index.php in Demo4 CMS 01 Beta allows r ...) NOT-FOR-US: Demo4 CMS CVE-2008-2982 (Multiple directory traversal vulnerabilities in HomePH Design 2.10 RC2 ...) NOT-FOR-US: HomePH CVE-2008-2981 (PHP remote file inclusion vulnerability in admin/templates/template_th ...) NOT-FOR-US: HomePH CVE-2008-2980 (Multiple cross-site scripting (XSS) vulnerabilities in HomePH Design 2 ...) NOT-FOR-US: HomePH CVE-2008-2979 (Multiple cross-site scripting (XSS) vulnerabilities in phpi/login.php ...) NOT-FOR-US: Ourvideo CMS CVE-2008-2978 (Directory traversal vulnerability in phpi/rss.php in Ourvideo CMS 9.5, ...) NOT-FOR-US: Ourvideo CMS CVE-2008-2977 (Multiple PHP remote file inclusion vulnerabilities in Ourvideo CMS 9.5 ...) NOT-FOR-US: Ourvideo CMS CVE-2008-2976 (Multiple directory traversal vulnerabilities in TinX/cms 1.1, when reg ...) NOT-FOR-US: TinX/cms CVE-2008-2975 (Cross-site scripting (XSS) vulnerability in admin/objects/obj_image.ph ...) NOT-FOR-US: TinX/cms CVE-2008-2974 (Directory traversal vulnerability in chatconfig.php in MM Chat 1.5, wh ...) NOT-FOR-US: MM Chat CVE-2008-2973 (Multiple cross-site scripting (XSS) vulnerabilities in chathead.php in ...) NOT-FOR-US: MM Chat CVE-2008-2972 (SQL injection vulnerability in index.php in KbLance allows remote atta ...) NOT-FOR-US: KbLance CVE-2008-2971 (SQL injection vulnerability in links-extern.php in CiBlog 3.1 allows r ...) NOT-FOR-US: CiBlog CVE-2008-2970 (Multiple session fixation vulnerabilities in Academic Web Tools (AWT Y ...) NOT-FOR-US: Academic Web Tools CVE-2008-2969 (Directory traversal vulnerability in download.php in Academic Web Tool ...) NOT-FOR-US: Academic Web Tools CVE-2008-2968 (SQL injection vulnerability in rating.php in Academic Web Tools (AWT Y ...) NOT-FOR-US: Academic Web Tools CVE-2008-2967 (Multiple cross-site scripting (XSS) vulnerabilities in Academic Web To ...) NOT-FOR-US: Academic Web Tools CVE-2008-2966 (Directory traversal vulnerability in viewprofile.php in JaxUltraBB 2.0 ...) NOT-FOR-US: JaxUltraBB CVE-2008-2965 (Cross-site scripting (XSS) vulnerability in viewforum.php in JaxUltraB ...) NOT-FOR-US: JaxUltraBB CVE-2008-2964 (SQL injection vulnerability in guide.php in ResearchGuide 0.5 allows r ...) NOT-FOR-US: ResearchGuide CVE-2008-2963 (Multiple SQL injection vulnerabilities in MyBlog allow remote attacker ...) NOT-FOR-US: MyBlog CVE-2008-2962 (Multiple cross-site scripting (XSS) vulnerabilities in MyBlog allow re ...) NOT-FOR-US: MyBlog CVE-2008-2961 (Multiple directory traversal vulnerabilities in view/index.php in CMS ...) NOT-FOR-US: CMS Mini CVE-2008-2959 (Buffer overflow in a certain ActiveX control (vb6skit.dll) in Microsof ...) NOT-FOR-US: ActiveX control CVE-2008-2951 (Open redirect vulnerability in the search script in Trac before 0.10.5 ...) - trac 0.11-1 [etch] - trac 0.10.3-1etch4 CVE-2008-2949 (Cross-domain vulnerability in Microsoft Internet Explorer 6 and 7 allo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-2948 (Cross-domain vulnerability in Microsoft Internet Explorer 7 and 8 allo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-2947 (Cross-domain vulnerability in Microsoft Internet Explorer 5.01 SP4, 6, ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-2946 (The SNMP-DMI mapper subagent daemon (aka snmpXdmid) in Solstice Enterp ...) NOT-FOR-US: Solstice Enterprise Agents in Sun Solaris CVE-2008-2945 (Sun Java System Access Manager 6.3 through 7.1 and Sun Java System Ide ...) NOT-FOR-US: Sun Java System Access Manager CVE-2008-2944 (Double free vulnerability in the utrace support in the Linux kernel, p ...) - linux-2.6 [etch] - linux-2.6 - linux-2.6.24 CVE-2008-2943 (Double free vulnerability in IBM Tivoli Directory Server (TDS) 6.1.0.0 ...) NOT-FOR-US: IBM Tivoli Directory Server CVE-2008-2941 (The hpssd message parser in hpssd.py in HP Linux Imaging and Printing ...) - hplip 2.8.6-1 (low; bug #499842) [etch] - hplip (Minor issue) NOTE: Does not affect current version in lenny, marking as fixed in current upstream release CVE-2008-2940 (The alert-mailing implementation in HP Linux Imaging and Printing (HPL ...) - hplip 2.8.6-1 (low; bug #499842) [etch] - hplip (Minor issue) NOTE: Does not affect current version in lenny, marking as fixed in current upstream release CVE-2008-2939 (Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_pro ...) - apache2 2.2.9-7 (low) [etch] - apache2 2.2.3-4+etch6 - apache (vulnerable code not present) CVE-2008-2938 (Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.3 ...) NOTE: This is an issue in the respective JVMs, Tomcat only includes a workaround NOTE: Check status of free JVMs - tomcat5.5 5.5.26-5 (unimportant; bug #496309) CVE-2008-2937 (Postfix 2.5 before 2.5.4 and 2.6 before 2.6-20080814 delivers to a mai ...) - postfix 2.5.4-1 (low) [etch] - postfix (minor issue) CVE-2008-2936 (Postfix before 2.3.15, 2.4 before 2.4.8, 2.5 before 2.5.4, and 2.6 bef ...) {DSA-1629-2 DSA-1629-1 DTSA-155-1} - postfix 2.5.4-1 CVE-2008-2935 (Multiple heap-based buffer overflows in the rc4 (1) encryption (aka ex ...) {DSA-1624-1 DTSA-152-1} - libxslt 1.1.24-2 (bug #493162) NOTE: http://www.ocert.org/advisories/ocert-2008-009.html CVE-2008-2934 (Mozilla Firefox 3 before 3.0.1 on Mac OS X allows remote attackers to ...) - iceweasel (MacOS-specific) CVE-2008-2933 (Mozilla Firefox before 2.0.0.16, and 3.x before 3.0.1, interprets '|' ...) {DSA-1697-1 DSA-1615-1 DSA-1614-1} - iceweasel 3.0.1-1 (low) - xulrunner 1.9.0.1-1 - iceape 1.1.12-1 CVE-2008-2932 (Heap-based buffer overflow in Red Hat adminutil 1.1.6 allows remote at ...) NOT-FOR-US: Red Hat adminutil CVE-2008-2931 (The do_change_type function in fs/namespace.c in the Linux kernel befo ...) {DSA-1630-1} - linux-2.6 2.6.22 NOTE: ee6f958291e2a768fd727e7a67badfff0b67711a CVE-2008-2930 (Red Hat Directory Server 7.1 before SP7, Red Hat Directory Server 8, a ...) NOT-FOR-US: Red Hat Directory Server / Fedora Directory Server CVE-2008-2929 (Multiple cross-site scripting (XSS) vulnerabilities in the adminutil l ...) NOT-FOR-US: Red Hat Directory Server / Fedora Directory Server CVE-2008-2928 (Multiple buffer overflows in the adminutil library in CGI applications ...) NOT-FOR-US: Red Hat Directory Server / Fedora Directory Server CVE-2008-2926 (The kmxfw.sys driver in CA Host-Based Intrusion Prevention System (HIP ...) NOT-FOR-US: r8 (Host-Based Intrusion Prevention System) CVE-2008-2925 (SQL injection vulnerability in Webmatic before 2.8 allows remote attac ...) NOT-FOR-US: Webmatic CVE-2008-2924 (Cross-site scripting (XSS) vulnerability in Webmatic before 2.8 allows ...) NOT-FOR-US: Webmatic CVE-2008-2923 (Cross-site scripting (XSS) vulnerability in read/search/results in Lyr ...) NOT-FOR-US: Lyris ListManager CVE-2008-2922 (Stack-based buffer overflow in artegic Dana IRC client 1.3 and earlier ...) NOT-FOR-US: Dana IRC client CVE-2008-2921 (SQL injection vulnerability in index.php in EZTechhelp EZCMS 1.2 and e ...) NOT-FOR-US: EZTechhelp CVE-2008-2920 (admin/filemanager/ (aka the File Manager) in EZTechhelp EZCMS 1.2 and ...) NOT-FOR-US: EZTechhelp CVE-2008-2919 (SQL injection vulnerability in listing.php in Gryphon gllcTS2 4.2.4 al ...) NOT-FOR-US: Gryphon CVE-2008-2918 (SQL injection vulnerability in details.php in Application Dynamics Car ...) NOT-FOR-US: Application Dynamics Cartweaver CVE-2008-2917 (SQL injection vulnerability in productsofcat.asp in E-SMART CART allow ...) NOT-FOR-US: E-SMART CART CVE-2008-2916 (Multiple SQL injection vulnerabilities in Pre ADS Portal 2.0 and earli ...) NOT-FOR-US: Pre ADS Portal CVE-2008-2915 (Multiple SQL injection vulnerabilities in jobseekers/JobSearch.php (ak ...) NOT-FOR-US: Pre Job Board CVE-2008-2914 (SQL injection vulnerability in jobseekers/JobSearch3.php (aka the sear ...) NOT-FOR-US: Pre Job Board CVE-2008-2913 (Directory traversal vulnerability in func.php in Devalcms 1.4a, when m ...) NOT-FOR-US: Devalcms CVE-2008-2912 (Multiple PHP remote file inclusion vulnerabilities in Contenido CMS 4. ...) NOT-FOR-US: Contenido CMS CVE-2008-2911 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Co ...) NOT-FOR-US: Contenido CMS CVE-2008-2910 (Buffer overflow in the DXTTextOutEffect ActiveX control (aka the Text- ...) NOT-FOR-US: ActiveX control CVE-2008-2909 (SQL injection vulnerability in results.php in Clever Copy 3.0 allows r ...) NOT-FOR-US: Clever Copy CVE-2008-2908 (Multiple stack-based buffer overflows in a certain ActiveX control in ...) NOT-FOR-US: ActiveX control CVE-2008-2907 (SQL injection vulnerability in admin/index.php in WebChamado 1.1, when ...) NOT-FOR-US: WebChamado CVE-2008-2906 (SQL injection vulnerability in lista_anexos.php in WebChamado 1.1 allo ...) NOT-FOR-US: WebChamado CVE-2008-2905 (PHP remote file inclusion vulnerability in includes/Cache/Lite/Output. ...) NOT-FOR-US: Mambo NOTE: Mambo is only in experimental NOTE: filed removal bug for Mambo from experimental #490291 CVE-2008-2904 (SQL injection vulnerability in shop.php in Conkurent PHPMyCart allows ...) NOT-FOR-US: Conkurent PHPMyCart CVE-2008-2903 (SQL injection vulnerability in news.php in Advanced Webhost Billing Sy ...) NOT-FOR-US: Advanced Webhost Billing System CVE-2008-2902 (SQL injection vulnerability in profile.php in AlstraSoft AskMe Pro 2.1 ...) NOT-FOR-US: AlstraSoft AskMe Pro CVE-2008-2901 (Multiple SQL injection vulnerabilities in Haudenschilt Family Connecti ...) NOT-FOR-US: Haudenschilt Family Connections CMS CVE-2008-2900 (SQL injection vulnerability in item.php in PHPAuction 3.2 allows remot ...) NOT-FOR-US: PHPAuction CVE-2008-2899 (Unspecified vulnerability in includes/classes/page.php in j00lean-CMS ...) NOT-FOR-US: j00lean-CMS CVE-2008-2898 (Directory traversal vulnerability in includes/header.php in Hedgehog-C ...) NOT-FOR-US: Hedgehog-CMS CVE-2008-2897 (SQL injection vulnerability in index.php in PageSquid CMS 0.3 Beta all ...) NOT-FOR-US: PageSquid CVE-2008-2896 (Directory traversal vulnerability in index.php in FireAnt 1.3 allows r ...) NOT-FOR-US: FireAnt CVE-2008-2895 (Directory traversal vulnerability in index.php in AproxEngine 5.1.0.4 ...) NOT-FOR-US: AproxEngine CVE-2008-2894 (Directory traversal vulnerability in the FTP client in NCH Software Cl ...) NOT-FOR-US: NCH Software Classic FTP Windows CVE-2008-2893 (SQL injection vulnerability in news.php in AJ Square aj-hyip (aka AJ H ...) NOT-FOR-US: AJ Square aj-hyip CVE-2008-2892 (SQL injection vulnerability in the EXP Shop (com_expshop) component 1. ...) NOT-FOR-US: Joomla! CVE-2008-2891 (SQL injection vulnerability in index.php in eMuSOFT emuCMS 0.3 allows ...) NOT-FOR-US: emuCMS CVE-2008-2890 (Multiple SQL injection vulnerabilities in Online Fantasy Football Leag ...) NOT-FOR-US: Online Fantasy Football League CVE-2008-2889 (Directory traversal vulnerability in the FTP client in AceBIT WISE-FTP ...) NOT-FOR-US: AceBIT WISE-FTP CVE-2008-2888 (Multiple PHP remote file inclusion vulnerabilities in MiGCMS 2.0.5, wh ...) NOT-FOR-US: MiGCMS CVE-2008-2887 (Directory traversal vulnerability in index.php in chaozz@work FubarFor ...) NOT-FOR-US: FubarForum CVE-2008-2886 (PHP remote file inclusion vulnerability in include/plugins/jrBrowser/p ...) NOT-FOR-US: Jamroom CVE-2008-2885 (PHP remote file inclusion vulnerability in src/browser/resource/catego ...) NOT-FOR-US: Open Digital Assets Repository System CVE-2008-2884 (PHP remote file inclusion vulnerability in display.php in RSS-aggregat ...) NOT-FOR-US: RSS-aggregator CVE-2008-2883 (PHP remote file inclusion vulnerability in include/plugins/jrBrowser/p ...) NOT-FOR-US: Jamroom CVE-2008-2882 (upgrade.asp in sHibby sHop 2.2 and earlier does not require administra ...) NOT-FOR-US: sHibby sHop CVE-2008-2881 (Relative Real Estate Systems 3.0 and earlier stores passwords in clear ...) NOT-FOR-US: Relative Real Estate Systems CVE-2008-2880 (Heap-based buffer overflow in the IBM AFP Viewer Plug-in 2.0.7.1 and 3 ...) NOT-FOR-US: IBM AFP Viewer Plug-in CVE-2008-2879 (Benja CMS 0.1 does not require authentication for access to admin/, wh ...) NOT-FOR-US: Benja CMS CVE-2008-2878 (Open redirect vulnerability in rss_getfile.php in Academic Web Tools ( ...) NOT-FOR-US: Academic Web Tools CVE-2008-2877 (PHP remote file inclusion vulnerability in admin/include/lib.module.ph ...) NOT-FOR-US: cmsWorks CVE-2008-2876 (Directory traversal vulnerability in index.php in mUnky 0.0.1 allows r ...) NOT-FOR-US: mUnky CVE-2008-2875 (SQL injection vulnerability in index.php in Webdevindo-CMS 1.0.0 allow ...) NOT-FOR-US: Webdevindo-CMS CVE-2008-2874 (SQL injection vulnerability in index.php in Softbiz Jokes & Funny ...) NOT-FOR-US: Softbiz Jokes & Funny Pics CVE-2008-2873 (sHibby sHop 2.2 and earlier stores sensitive information under the web ...) NOT-FOR-US: sHibby sHop CVE-2008-2872 (SQL injection vulnerability in default.asp in sHibby sHop 2.2 and earl ...) NOT-FOR-US: sHibby sHop CVE-2008-2871 (Multiple cross-site scripting (XSS) vulnerabilities in template2.php i ...) NOT-FOR-US: PEGames CVE-2008-2870 (Multiple SQL injection vulnerabilities in ShareCMS 0.1 Beta allow remo ...) NOT-FOR-US: ShareCMS CVE-2008-2869 (SQL injection vulnerability in out.php in E-topbiz Link ADS 1 allows r ...) NOT-FOR-US: E-topbiz Link ADS CVE-2008-2868 (SQL injection vulnerability in detail.asp in DUware DUcalendar 1.0 and ...) NOT-FOR-US: ware DUcalendar CVE-2008-2867 (SQL injection vulnerability in adclick.php in E-topbiz Viral DX 1 2.07 ...) NOT-FOR-US: E-topbiz Viral CVE-2008-2866 (SQL injection vulnerability in csc_article_details.php in Caupo.net Ca ...) NOT-FOR-US: CaupoShop Classic CVE-2008-2865 (SQL injection vulnerability in index.php in Kalptaru Infotech PHP Site ...) NOT-FOR-US: Kalptaru Infotech PHP Site CVE-2008-2864 (eLineStudio Site Composer (ESC) 2.6 and earlier allows remote attacker ...) NOT-FOR-US: eLineStudio Site Composer CVE-2008-2863 (Multiple absolute path traversal vulnerabilities in eLineStudio Site C ...) NOT-FOR-US: eLineStudio Site Composer CVE-2008-2862 (Multiple SQL injection vulnerabilities in eLineStudio Site Composer (E ...) NOT-FOR-US: eLineStudio Site Composer CVE-2008-2861 (Multiple cross-site scripting (XSS) vulnerabilities in eLineStudio Sit ...) NOT-FOR-US: eLineStudio Site Composer CVE-2008-2860 (SQL injection vulnerability in category.php in AJSquare AJ Auction Pro ...) NOT-FOR-US: AJSquare AJ Auction Pro Web CVE-2008-2859 (Unspecified vulnerability in the IMAP service in NetWin SurgeMail befo ...) NOT-FOR-US: NetWin SurgeMail CVE-2008-2858 (SQL injection vulnerability in index.php in WebChamado 1.1 allows remo ...) NOT-FOR-US: WebChamado CVE-2008-2857 (AlstraSoft AskMe Pro 2.1 and earlier stores passwords in cleartext in ...) NOT-FOR-US: AlstraSoft AskMe Pro CVE-2008-2856 (SQL injection vulnerability in clanek.php in OwnRS Beta 3 allows remot ...) NOT-FOR-US: OwnRS CVE-2008-2855 (Cross-site scripting (XSS) vulnerability in clanek.php in OwnRS Beta 3 ...) NOT-FOR-US: OwnRS CVE-2008-2854 (Multiple PHP remote file inclusion vulnerabilities in Orlando CMS 0.6 ...) NOT-FOR-US: Orlando CMS CVE-2008-2853 (SQL injection vulnerability in index.php in Easy Webstore 1.2 allows r ...) NOT-FOR-US: Easy Webstore CVE-2008-2852 (Cross-site scripting (XSS) vulnerability in CGIWrap before 4.1, when a ...) - cgiwrap (low; bug #497761) [etch] - cgiwrap (Minor issue) NOTE: only applies to certain character sets and only works with NOTE: browsers. There isn't a good solution available, the patch uses NOTE: a compile-time charset specification. All in all not a real NOTE: priority to fix in etch. CVE-2008-2851 (Multiple buffer overflows in OFF System before 0.19.14 allow remote at ...) NOT-FOR-US: OFF System CVE-2008-2850 (SQL injection vulnerability in the TrailScout module 5.x before 5.x-1. ...) NOT-FOR-US: additional drupal module TrailScout CVE-2008-2849 (Cross-site scripting (XSS) vulnerability in the TrailScout module 5.x ...) NOT-FOR-US: additional drupal module TrailScout CVE-2008-2848 (Cross-site scripting (XSS) vulnerability in the search functionality i ...) NOT-FOR-US: MindTouch DekiWiki CVE-2008-2847 (SQL injection vulnerability in the Trade module in Maxtrade AIO 1.3.23 ...) NOT-FOR-US: Maxtrade CVE-2008-2846 (SQL injection vulnerability in index.php in BoatScripts Classifieds al ...) NOT-FOR-US: BoatScripts Classifieds CVE-2008-2845 (SQL injection vulnerability in index.php in MyBizz-Classifieds allows ...) NOT-FOR-US: MyBizz-Classifieds CVE-2008-2844 (SQL injection vulnerability in index.php in Carscripts Classifieds all ...) NOT-FOR-US: Carscripts Classifieds CVE-2008-2843 (Multiple SQL injection vulnerabilities in doITLive CMS 2.50 and earlie ...) NOT-FOR-US: doITLive CMS CVE-2008-2842 (Cross-site scripting (XSS) vulnerability in edit/showmedia.asp in doIT ...) NOT-FOR-US: doITLive CMS CVE-2008-2950 (The Page destructor in Page.cc in libpoppler in Poppler 0.8.4 and earl ...) {DTSA-146-1} - poppler 0.8.4-1.1 (medium; bug #489756) [etch] - poppler (Vulnerable code not present) - xpdf (Page.cc is not allocating the widget and therefore not vulnerable in the destructor, attrs initialized) CVE-2008-2927 (Multiple integer overflows in the msn_slplink_process_msg functions in ...) {DSA-1805-1 DSA-1610-1} - pidgin 2.4.3-1 - gaim [lenny] - gaim (gaim is now a transitional package depending on pidgin with its own source package) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=453764 CVE-2008-3137 (The GSM SMS dissector in Wireshark (formerly Ethereal) 0.99.2 through ...) {DSA-1673-1} - wireshark 1.0.1-1 (low; bug #488834) NOTE: http://www.wireshark.org/security/wnpa-sec-2008-03.html CVE-2008-3138 (The (1) PANA and (2) KISMET dissectors in Wireshark (formerly Ethereal ...) {DSA-1673-1} - wireshark 1.0.1-1 (low; bug #488834) NOTE: http://www.wireshark.org/security/wnpa-sec-2008-03.html CVE-2008-3139 (The RTMPT dissector in Wireshark (formerly Ethereal) 0.99.8 through 1. ...) - wireshark 1.0.1-1 (low; bug #488834) [etch] - wireshark (Only affects 0.99.8 to 1.0.0) NOTE: http://www.wireshark.org/security/wnpa-sec-2008-03.html CVE-2008-3140 (The syslog dissector in Wireshark (formerly Ethereal) 1.0.0 allows rem ...) - wireshark 1.0.1-1 (low; bug #488834) [etch] - wireshark (Only affects 1.0.0) NOTE: http://www.wireshark.org/security/wnpa-sec-2008-03.html CVE-2008-3141 (Unspecified vulnerability in the RMI dissector in Wireshark (formerly ...) {DSA-1673-1} - wireshark 1.0.1-1 (low; bug #488834) NOTE: http://www.wireshark.org/security/wnpa-sec-2008-03.html CVE-2008-2952 (liblber/io.c in OpenLDAP 2.2.4 to 2.4.10 allows remote attackers to ca ...) {DSA-1650-1 DTSA-151-1} - openldap2.3 (low; bug #488710) - openldap 2.4.10-3 (low; bug #488710) CVE-2008-2955 (Pidgin 2.4.1 allows remote attackers to cause a denial of service (cra ...) - pidgin 2.4.3-1 (low; bug #488632) - gaim [lenny] - gaim (gaim is now a transitional package depending on pidgin with its own source package) CVE-2008-2956 - pidgin (unimportant; bug #488632) NOTE: Non-issue per analysis of Pidgin upstream developers, should be rejected CVE-2008-2957 (The UPnP functionality in Pidgin 2.0.0, and possibly other versions, a ...) - pidgin 2.4.3-4 (low; bug #488632) - gaim [lenny] - gaim (gaim is now a transitional package depending on pidgin with its own source package) NOTE: probably only a bandwidth issue CVE-2008-2942 (Directory traversal vulnerability in patch.py in Mercurial 1.0.1 allow ...) - mercurial 1.0.1-2 (low; bug #488628) [etch] - mercurial (Vulnerable functionality not present) CVE-2008-2953 (Linux DC++ (linuxdcpp) before 0.707 allows remote attackers to cause a ...) - linuxdcpp 1.0.1-2 (low; bug #488630) [etch] - linuxdcpp (Minor issue) CVE-2008-2954 (client/NmdcHub.cpp in Linux DC++ (linuxdcpp) before 0.707 allows remot ...) - linuxdcpp 1.0.1-2 (low; bug #488630) [etch] - linuxdcpp (Minor issue) CVE-2008-2958 (Race condition in (1) checkinstall 1.6.1 and (2) installwatch allows l ...) - checkinstall 1.6.1-7 (low; bug #488140) CVE-2008-XXXX [werkzeug hashes its secret instead of using hmac] - python-werkzeug 0.3.1-1 NOTE: http://web.archive.org/web/20081229140824/http://lucumr.pocoo.org:80/cogitations/2008/06/24/werkzeug-031-released/ CVE-2008-2841 (Argument injection vulnerability in XChat 2.8.7b and earlier on Window ...) - xchat (Windows specific problem) CVE-2008-2840 (Multiple directory traversal vulnerabilities in Exero CMS 1.0.0 and 1. ...) NOT-FOR-US: Exero CMS CVE-2008-2839 (Cross-site scripting (XSS) vulnerability in the search module in Train ...) NOT-FOR-US: Traindepot CVE-2008-2838 (Directory traversal vulnerability in index.php in Traindepot 0.1 allow ...) NOT-FOR-US: Traindepot CVE-2008-2837 (SQL injection vulnerability in index.php in CMS-BRD allows remote atta ...) NOT-FOR-US: CMS-BRD CVE-2008-2836 (PHP remote file inclusion vulnerability in send_reminders.php in WebCa ...) - webcalendar 1.0.5-1 (low) - gforge (code in lenny internally sets its own path) CVE-2008-2835 (SQL injection vulnerability in cgi-bin/igsuite in IGSuite 3.2.4 allows ...) NOT-FOR-US: IGSuite CVE-2008-2834 (SQL injection vulnerability in projects.php in Scientific Image DataBa ...) NOT-FOR-US: Scientific Image DataBase CVE-2008-2833 (admin/upload.php in le.cms 1.4 and earlier allows remote attackers to ...) NOT-FOR-US: le.cms CVE-2008-2832 (Unrestricted file upload vulnerability in calendar_admin.asp in Full R ...) NOT-FOR-US: aspWebCalendar 2008 CVE-2008-2831 (Multiple cross-site scripting (XSS) vulnerabilities in the delegated s ...) NOT-FOR-US: MailMarshal CVE-2008-2830 (Open Scripting Architecture in Apple Mac OS X 10.4.11 and 10.5.4, and ...) NOT-FOR-US: Apple Mac OS CVE-2008-2829 (php_imap.c in PHP 5.2.5, 5.2.6, 4.x, and other versions, uses obsolete ...) {DTSA-144-1} - php5 5.2.6-2 (low) [etch] - php5 (Fix not feasible for etch, low priority issue) NOTE: the fix sent to t-s and unstable does not seem possible in etch due to NOTE: missing api features from the version of libc-client in etch. CVE-2008-2826 (Integer overflow in the sctp_getsockopt_local_addrs_old function in ne ...) {DSA-1630-1} - linux-2.6 2.6.25-6 (low) - linux-2.6.24 2.6.24-6~etchnhalf.4 (low) NOTE: 735ce972fbc8a65fb17788debd7bbe7b4383cc62, present in 2.6.25.9 CVE-2008-2825 (Cross-site scripting (XSS) vulnerability in the embedded Web Server in ...) NOT-FOR-US: Xerox WorkCentre CVE-2008-2824 (Unspecified vulnerability in the Extensible Interface Platform in Web ...) NOT-FOR-US: Xerox WorkCentre CVE-2008-2823 (SQL injection vulnerability in newsarchive.php in PHPeasyblog (formerl ...) NOT-FOR-US: PHPeasyblog CVE-2008-2822 (Multiple directory traversal vulnerabilities in the FTP client in 3D-F ...) NOT-FOR-US: 3D-FTP Client CVE-2008-2821 (Directory traversal vulnerability in the FTP client in Glub Tech Secur ...) NOT-FOR-US: Glub Tech Secure FTP CVE-2008-2820 (Directory traversal vulnerability in lang/lang-system.php in Open Azim ...) NOT-FOR-US: Open Azimyt CMS CVE-2008-2819 (SQL injection vulnerability in BlognPlus (BURO GUN +) 2.5.4 and earlie ...) NOT-FOR-US: BlognPlus CVE-2008-2818 (Directory traversal vulnerability in Easy-Clanpage 3.0 b1 allows remot ...) NOT-FOR-US: Easy-Clanpage CVE-2008-2817 (SQL injection vulnerability in albums.php in NiTrO Web Gallery 1.4.3 a ...) NOT-FOR-US: NiTrO Web Gallery CVE-2008-2816 (SQL injection vulnerability in post.php in Oxygen (aka O2PHP Bulletin ...) NOT-FOR-US: Oxygen CVE-2008-2815 (SQL injection vulnerability in shopping/index.php in MyMarket 1.72 all ...) NOT-FOR-US: MyMarket CVE-2008-2814 (Cross-site scripting (XSS) vulnerability in WallCity-Server Shoutcast ...) NOT-FOR-US: WallCity-Server CVE-2008-2813 (Directory traversal vulnerability in index.php in WallCity-Server Shou ...) NOT-FOR-US: WallCity-Server CVE-2008-2812 (The Linux kernel before 2.6.25.10 does not properly perform tty operat ...) {DSA-1630-1} - linux-2.6 2.6.25-7 - linux-2.6.24 2.6.24-6~etchnhalf.4 CVE-2008-2811 (The block reflow implementation in Mozilla Firefox before 2.0.0.15, Th ...) {DSA-1697-1 DSA-1621-1 DSA-1615-1 DSA-1607-1} - iceweasel 3.0 NOTE: Firefox 3 not affected - iceape 1.1.10-1 - xulrunner 1.9.0.1-1 - icedove 2.0.0.16-1 CVE-2008-2810 (Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not pro ...) - iceweasel (Windows-specific) - iceape (Windows-specific) CVE-2008-2809 (Mozilla 1.9 M8 and earlier, Mozilla Firefox 2 before 2.0.0.15, SeaMonk ...) {DSA-1697-1 DSA-1621-1 DSA-1615-1 DSA-1607-1} - iceweasel 3.0 NOTE: Firefox 3 not affected - iceape 1.1.10-1 - xulrunner 1.9.0.1-1 - icedove 2.0.0.16-1 CVE-2008-2808 (Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not pro ...) {DSA-1697-1 DSA-1615-1 DSA-1607-1} - iceweasel 3.0 - iceape 1.1.10-1 - xulrunner 1.9.0.1-1 CVE-2008-2807 (Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not pro ...) {DSA-1697-1 DSA-1621-1 DSA-1615-1 DSA-1607-1} - iceweasel 3.0 - iceape 1.1.10-1 - xulrunner 1.9.0.1-1 - icedove 2.0.0.16-1 CVE-2008-2806 (Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 on Mac OS ...) - iceweasel (MacOS-specific) - iceape (MacOS-specific) CVE-2008-2805 (Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 allow remo ...) {DSA-1697-1 DSA-1615-1 DSA-1607-1} - iceweasel 3.0 NOTE: Firefox 3 not affected - iceape 1.1.10 - xulrunner 1.9.0.1-1 CVE-2008-2804 REJECTED CVE-2008-2803 (The mozIJSSubScriptLoader.LoadScript function in Mozilla Firefox befor ...) {DSA-1697-1 DSA-1621-1 DSA-1615-1 DSA-1607-1} - iceweasel 3.0~b2-1 - iceape 1.1.10-1 - xulrunner 1.9.0.1-1 - icedove 2.0.0.16-1 CVE-2008-2802 (Mozilla Firefox before 2.0.0.15, Thunderbird 2.0.0.14 and earlier, and ...) {DSA-1697-1 DSA-1621-1 DSA-1615-1 DSA-1607-1} - iceweasel 3.0~b2-1 - iceape 1.1.10-1 - icedove 2.0.0.16-1 - xulrunner 1.9.0.1-1 CVE-2008-2801 (Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not pro ...) {DSA-1697-1 DSA-1615-1 DSA-1607-1} - iceweasel 3.0~b2-1 - iceape 1.1.10-1 - xulrunner 1.9.0.1-1 CVE-2008-2800 (Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 allow remo ...) {DSA-1697-1 DSA-1615-1 DSA-1607-1} - iceweasel 3.0~b2-1 - iceape 1.1.10-1 - xulrunner 1.9.0.1-1 CVE-2008-2799 (Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.1 ...) {DSA-1697-1 DSA-1621-1 DSA-1615-1 DSA-1607-1} - iceweasel 3.0~b2-1 - iceape 1.1.10-1 - xulrunner 1.9.0.1-1 - icedove 2.0.0.16-1 CVE-2008-2798 (Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.1 ...) {DSA-1697-1 DSA-1621-1 DSA-1615-1 DSA-1607-1} - iceweasel 3.0~b2-1 - iceape 1.1.10-1 - xulrunner 1.9.0.1-1 - icedove 2.0.0.16-1 CVE-2008-2797 (Cross-site scripting (XSS) vulnerability in MainLayout.do in ManageEng ...) NOT-FOR-US: ManageEngine OpUtils CVE-2008-2796 (SQL injection vulnerability in index.php in FreeCMS 0.2 allows remote ...) NOT-FOR-US: FreeCMS CVE-2008-2795 (Directory traversal vulnerability in the FTP and SFTP clients in IDM C ...) NOT-FOR-US: IDM Computer Solutions Inc UltraEdit CVE-2008-2794 (Unspecified vulnerability in the GUI in Symantec Altiris Notification ...) NOT-FOR-US: Symantec Altiris Notification CVE-2008-2793 (SQL injection vulnerability in group_posts.php in ClipShare before 3.0 ...) NOT-FOR-US: ClipShare CVE-2008-2792 (SQL injection vulnerability in index.php in eroCMS 1.4 and earlier all ...) NOT-FOR-US: eroCMS CVE-2008-2791 (SQL injection vulnerability in product.detail.php in Kalptaru Infotech ...) NOT-FOR-US: Kalptaru Infotech CVE-2008-2790 (SQL injection vulnerability in detail.php in MountainGrafix easyTrade ...) NOT-FOR-US: MountainGrafix easyTrade CVE-2008-2789 (SQL injection vulnerability in pages/index.php in BASIC-CMS allows rem ...) NOT-FOR-US: BASIC-CMS CVE-2008-2788 (Cross-site scripting (XSS) vulnerability in index.php in OpenDocMan 1. ...) NOT-FOR-US: OpenDocMan CVE-2008-2787 (Cross-site scripting (XSS) vulnerability in out.php in OpenDocMan 1.2. ...) NOT-FOR-US: OpenDocMan CVE-2008-2960 (Cross-site scripting (XSS) vulnerability in phpMyAdmin before 2.11.7, ...) - phpmyadmin 4:2.11.7~rc2-1 (unimportant) NOTE: We haven't supported installations with register_globals enabled since a long time NOTE: https://www.phpmyadmin.net/security/PMASA-2008-4/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/aa2076eedc7e3664b09681d6fe9dd019eca98647 CVE-2008-2827 (The rmtree function in lib/File/Path.pm in Perl 5.10 does not properly ...) {DTSA-142-1} - perl 5.10.0-11 (bug #487319; medium) [etch] - perl (doesn't change link target permissions) NOTE: affects other packages like debsums, see bugreport CVE-2008-2828 (Stack-based buffer overflow in tmsnc allows remote attackers to cause ...) - tmsnc 0.3.2-1.1 (low; bug #487222) CVE-2008-2786 (Buffer overflow in Firefox 3.0 and 2.0.x has unknown impact and attack ...) NOT-FOR-US: Just hashes posted to full-disclosure, no specific information NOTE: Unless more specific information pops up, this can be considered covered by NOTE: CVE-2008-2785 CVE-2008-2785 (Mozilla Firefox before 2.0.0.16 and 3.x before 3.0.1, Thunderbird befo ...) {DSA-1697-1 DSA-1621-1 DSA-1615-1 DSA-1614-1} - iceweasel 3.0 (medium; bug #488358) - icedove 2.0.0.16-1 - iceape 1.1.11-1 (bug #491163) - xulrunner 1.9.0.1-1 (bug #491161) NOTE: Since 3.0 iceweasel links against xulrunner, marking it as fixed, since also need to track etch NOTE: http://www.mozilla.org/security/announce/2008/mfsa2008-34.html CVE-2008-2784 (The smtp_filter function in spamdyke before 3.1.8 does not filter RCPT ...) NOT-FOR-US: spamdyke CVE-2008-2783 (Multiple cross-site scripting (XSS) vulnerabilities in Horde Groupware ...) - kronolith2 (unimportant; Nonreproducable 'issue') - horde3 (unimportant; Nonreproducable 'issue') NOTE: not reproducible, redhat also seems to have problems reproducing this https://bugzilla.redhat.com/show_bug.cgi?id=452209 CVE-2008-2782 (Multiple directory traversal vulnerabilities in OtomiGenX 2.2 allow re ...) NOT-FOR-US: OtomiGenX CVE-2008-2781 (SQL injection vulnerability in index.php in DZOIC Handshakes 3.5 allow ...) NOT-FOR-US: DZOIC Handshakes CVE-2008-2780 (The Anubis (aka Anubis+Ripe160) plugin before 1.3 for encrypt stores t ...) NOT-FOR-US: Anubis CVE-2008-2779 (Directory traversal vulnerability in GlobalSCAPE CuteFTP Home 8.2.0 Bu ...) NOT-FOR-US: GlobalSCAPE CuteFTP Home CVE-2008-2778 (SQL injection vulnerability in inc/class_search.php in the Search Syst ...) NOT-FOR-US: RevokeBB CVE-2008-2777 (Cross-site scripting (XSS) vulnerability in Ortro before 1.3.1 allows ...) NOT-FOR-US: Ortro CVE-2008-2776 (Cross-site scripting (XSS) vulnerability in search.asp in DT Centrepie ...) NOT-FOR-US: DT Centrepiece CVE-2008-2775 (SQL injection vulnerability in search.asp in DT Centrepiece 4.0 allows ...) NOT-FOR-US: DT Centrepiece CVE-2008-2774 (SQL injection vulnerability in item.php in CartKeeper CKGold Shopping ...) NOT-FOR-US: CartKeeper CKGold Shopping Cart CVE-2008-2773 (Cross-site scripting (XSS) vulnerability in the Taxonomy Image module ...) NOT-FOR-US: Taxonomy Image module for Drupal CVE-2008-2772 (The Magic Tabs module 5.x before 5.x-1.1 for Drupal allows remote atta ...) NOT-FOR-US: Magic Tabs module for Drupal CVE-2008-2771 (The Node Hierarchy module 5.x before 5.x-1.1 and 6.x before 6.x-1.0 fo ...) NOT-FOR-US: Node Hierarchy module for Drupal CVE-2008-2770 (SQL injection vulnerability in index.php in MycroCMS 0.5, when magic_q ...) NOT-FOR-US: MycroCMS CVE-2008-2769 (PHP remote file inclusion vulnerability in authentication/smf/smf.func ...) NOT-FOR-US: phpRaider CVE-2008-2768 (Cross-site scripting (XSS) vulnerability in admin/search.asp in Xigla ...) NOT-FOR-US: Xigla Poll Manager XE CVE-2008-2767 (SQL injection vulnerability in search.asp in Xigla Poll Manager XE all ...) NOT-FOR-US: Xigla Poll Manager XE CVE-2008-2766 (Cross-site scripting (XSS) vulnerability in Xigla Absolute Image Galle ...) NOT-FOR-US: Xigla Absolute Image Gallery XE CVE-2008-2765 (SQL injection vulnerability in gallery.asp in Xigla Absolute Image Gal ...) NOT-FOR-US: Xigla Absolute Image Gallery XE CVE-2008-2764 (Cross-site scripting (XSS) vulnerability in admin/search.asp in Xigla ...) NOT-FOR-US: Xigla Absolute Live Support XE CVE-2008-2763 (SQL injection vulnerability in search.asp in Xigla Absolute Live Suppo ...) NOT-FOR-US: Xigla Absolute Live Support XE CVE-2008-2762 (SQL injection vulnerability in search.asp in Xigla Absolute Form Proce ...) NOT-FOR-US: Xigla Absolute Form Processor XE CVE-2008-2761 (Multiple cross-site scripting (XSS) vulnerabilities in Xigla Absolute ...) NOT-FOR-US: Xigla Absolute Banner Manager XE CVE-2008-2760 (SQL injection vulnerability in searchbanners.asp in Xigla Absolute Ban ...) NOT-FOR-US: Xigla Absolute Banner Manager XE CVE-2008-2759 (Multiple cross-site scripting (XSS) vulnerabilities in Xigla Absolute ...) NOT-FOR-US: Xigla Absolute Form Processor XE CVE-2008-2758 (Multiple cross-site scripting (XSS) vulnerabilities in Xigla Absolute ...) NOT-FOR-US: Xigla Absolute News Manager XE CVE-2008-2757 (SQL injection vulnerability in search.asp in Xigla Absolute News Manag ...) NOT-FOR-US: Xigla Absolute News Manager XE CVE-2008-2756 (Cross-site scripting (XSS) vulnerability in admin/users.asp in Xigla A ...) NOT-FOR-US: Xigla Absolute Control Panel XE CVE-2008-2755 (SQL injection vulnerability in index.php in JAMM CMS allows remote att ...) NOT-FOR-US: JAMM CMS CVE-2008-2754 (SQL injection vulnerability in toplists.php in eFiction 3.0 and 3.4.3, ...) NOT-FOR-US: eFiction CVE-2008-2753 (Multiple SQL injection vulnerabilities in Pooya Site Builder (PSB) 6.0 ...) NOT-FOR-US: Pooya Site Builder CVE-2008-2752 (Microsoft Word 2000 9.0.2812 and 2003 11.8106.8172 does not properly h ...) NOT-FOR-US: Microsoft Word CVE-2008-2751 (Multiple cross-site scripting (XSS) vulnerabilities in the Glassfish w ...) NOT-FOR-US: Sun Java System Application Server CVE-2008-2750 (The pppol2tp_recvmsg function in drivers/net/pppol2tp.c in the Linux k ...) - linux-2.6 2.6.26 [etch] - linux-2.6 (Vulnerable code was introduced in 2.6.23) - linux-2.6.24 2.6.24-6~etchnhalf.4 NOTE: 6b6707a50c7598a83820077393f8823ab791abf8 CVE-2008-2749 (Unspecified vulnerability in cshttpd in Sun Java System Calendar Serve ...) NOT-FOR-US: Sun Java System Application Server CVE-2008-2748 (Skulltag 0.97d2-RC2 and earlier allows remote attackers to cause a den ...) NOT-FOR-US: Skulltag CVE-2008-2747 (No-IP Dynamic Update Client (DUC) 2.2.1 on Windows uses weak permissio ...) NOT-FOR-US: Windows CVE-2008-2746 (SQL injection vulnerability in login.php in Gryphon gllcTS2 4.2.4 allo ...) NOT-FOR-US: Gryphon gllcTS2 CVE-2008-2745 (Stack-based buffer overflow in BiAnno ActiveX Control (BiAnno.ocx) in ...) NOT-FOR-US: BiAnno ActiveX Control CVE-2008-2744 (Cross-site scripting (XSS) vulnerability in vBulletin 3.6.10 and 3.7.1 ...) NOT-FOR-US: vBulletin CVE-2008-2743 (Cross-site scripting (XSS) vulnerability in the embedded web server in ...) NOT-FOR-US: web server Xerox CVE-2008-2742 (Unrestricted file upload in the mcpuk file editor (atk/attributes/fck/ ...) NOT-FOR-US: Achievo CVE-2008-2741 RESERVED CVE-2008-2740 RESERVED CVE-2008-2739 (The SERVICE.DNS signature engine in the Intrusion Prevention System (I ...) NOT-FOR-US: Cisco IOS CVE-2008-2738 RESERVED CVE-2008-2737 REJECTED CVE-2008-2736 (Unspecified vulnerability in Cisco Adaptive Security Appliance (ASA) 5 ...) NOT-FOR-US: Cisco Adaptive Security Appliance (ASA) CVE-2008-2735 (The HTTP server in Cisco Adaptive Security Appliance (ASA) 5500 device ...) NOT-FOR-US: Cisco Adaptive Security Appliance (ASA) CVE-2008-2734 (Memory leak in the crypto functionality in Cisco Adaptive Security App ...) NOT-FOR-US: Cisco Adaptive Security Appliance (ASA) CVE-2008-2733 (Cisco PIX and Adaptive Security Appliance (ASA) 5500 devices 7.2 befor ...) NOT-FOR-US: Cisco Adaptive Security Appliance (ASA) CVE-2008-2732 (Multiple unspecified vulnerabilities in the SIP inspection functionali ...) NOT-FOR-US: Cisco Adaptive Security Appliance (ASA) CVE-2008-2731 RESERVED CVE-2008-2730 (The Real-Time Information Server (RIS) Data Collector service in Cisco ...) NOT-FOR-US: cisco CVE-2008-2729 (arch/x86_64/lib/copy_user.S in the Linux kernel before 2.6.19 on some ...) {DSA-1630-1} - linux-2.6 2.6.19-1 NOTE: 3022d734a54cbd2b65eea9a024564821101b4a9a CVE-2008-2728 REJECTED CVE-2008-2727 REJECTED CVE-2008-2726 (Integer overflow in the (1) rb_ary_splice function in Ruby 1.8.4 and e ...) {DSA-1618-1 DSA-1612-1} - ruby1.9 1.9.0.2-1 - ruby1.8 1.8.7.22-1 CVE-2008-2725 (Integer overflow in the (1) rb_ary_splice function in Ruby 1.8.4 and e ...) {DSA-1618-1 DSA-1612-1} - ruby1.9 1.9.0.2-1 - ruby1.8 1.8.7.22-1 CVE-2008-2718 (Cross-site scripting (XSS) vulnerability in fe_adminlib.inc in TYPO3 4 ...) {DSA-1596-1} - typo3-src 4.1.7-1 (bug #485814) CVE-2008-2716 (Unspecified vulnerability in Opera before 9.5 allows remote attackers ...) NOT-FOR-US: Opera CVE-2008-2715 (Unspecified vulnerability in Opera before 9.5 allows remote attackers ...) NOT-FOR-US: Opera CVE-2008-2714 (Opera before 9.26 allows remote attackers to misrepresent web page add ...) NOT-FOR-US: Opera CVE-2008-2710 (Integer signedness error in the ip_set_srcfilter function in the IP Mu ...) NOT-FOR-US: Solaris CVE-2008-2709 (Buffer overflow in the BrSmRcvAndCheck function in the RCHMGR module o ...) NOT-FOR-US: Solaris CVE-2008-2708 (Unspecified vulnerability in the Sun (1) UltraSPARC T2 and (2) UltraSP ...) NOT-FOR-US: Solaris CVE-2008-2707 (Unspecified vulnerability in the e1000g driver in Sun Solaris 10 and O ...) NOT-FOR-US: Solaris CVE-2008-2706 (Unspecified vulnerability in the event port implementation in Sun Sola ...) NOT-FOR-US: Sun Solaris CVE-2008-2705 (Unspecified vulnerability in Sun Java System Access Manager (AM) 7.1, ...) NOT-FOR-US: Sun Java System Access Manager CVE-2008-2704 (Novell GroupWise Messenger (GWIM) before 2.0.3 Hot Patch 1 allows remo ...) NOT-FOR-US: Novell GroupWise CVE-2008-2703 (Multiple stack-based buffer overflows in Novell GroupWise Messenger (G ...) NOT-FOR-US: Novell GroupWise CVE-2008-2702 (Directory traversal vulnerability in the FTP client in ALTools ESTsoft ...) NOT-FOR-US: ALTools ESTsoft ALFTP CVE-2008-2701 (SQL injection vulnerability in the GameQ (com_gameq) component 4.0 and ...) NOT-FOR-US: joomla extension CVE-2008-2700 (SQL injection vulnerability in view.php in Galatolo WebManager 1.0 and ...) NOT-FOR-US: Galatolo WebManager CVE-2008-2699 (Multiple directory traversal vulnerabilities in Galatolo WebManager (G ...) NOT-FOR-US: Galatolo WebManager CVE-2008-2698 (Multiple cross-site scripting (XSS) vulnerabilities in photo_add-c.php ...) NOT-FOR-US: WEBalbum CVE-2008-2697 (SQL injection vulnerability in the Rapid Recipe (com_rapidrecipe) comp ...) NOT-FOR-US: joomla extension CVE-2008-2695 (Directory traversal vulnerability in entry.php in phpInv 0.8.0 allows ...) NOT-FOR-US: phpInv CVE-2008-2694 (Cross-site scripting (XSS) vulnerability in search.php in phpInv 0.8.0 ...) NOT-FOR-US: phpInv CVE-2008-2693 (Stack-based buffer overflow in the BITIFF.BITiffCtrl.1 ActiveX control ...) NOT-FOR-US: ActiveX control CVE-2008-2692 (SQL injection vulnerability in the yvComment (com_yvcomment) component ...) NOT-FOR-US: Joomla! CVE-2008-2691 (SQL injection vulnerability in read.asp in JiRo's FAQ Manager eXperien ...) NOT-FOR-US: JiRo's FAQ Manager eXperience CVE-2008-2690 (Multiple PHP remote file inclusion vulnerabilities in BrowserCRM 5.002 ...) NOT-FOR-US: BrowserCRM CVE-2008-2689 (PHP remote file inclusion vulnerability in pub/clients.php in BrowserC ...) NOT-FOR-US: BrowserCRM CVE-2008-2688 (SQL injection vulnerability in pilot.asp in ASPilot Pilot Cart 7.3 all ...) NOT-FOR-US: ASPilot Pilot Cart CVE-2008-2687 (Directory traversal vulnerability in inc/config.php in ProManager 0.73 ...) NOT-FOR-US: ProManager CVE-2008-2686 (webinc/bxe/scripts/loadsave.php in Flux CMS 1.5.0 and earlier allows r ...) NOT-FOR-US: Flux CMS CVE-2008-XXXX [insecure tempfile in wdiff] - wdiff 0.5-18 (low; bug #425254) [etch] - wdiff (Minor issue) CVE-2008-2719 (Off-by-one error in the ppscan function (preproc.c) in Netwide Assembl ...) - nasm 2.03.01-1 (low; bug #486715) [etch] - nasm (vulnerable code not present) CVE-2008-2712 (Vim 7.1.314, 6.4, and other versions allows user-assisted remote attac ...) {DSA-1733-1 DTSA-143-1} - vim 1:7.1.314-3 (low; bug #486502) CVE-2008-2696 (Exiv2 0.16 allows user-assisted remote attackers to cause a denial of ...) - exiv2 0.17-1 (low; bug #486328) [etch] - exiv2 (Minor issue) NOTE: http://dev.robotbattle.com/cgi-bin/viewvc.cgi/exiv2/trunk/src/nikonmn.cpp?r1=1473&r2=1499 CVE-2008-2713 (libclamav/petite.c in ClamAV before 0.93.1 allows remote attackers to ...) {DSA-1616-2 DTSA-138-1} - clamav 0.93.1.dfsg-1.1 (low; bug #490925) CVE-2008-2711 (fetchmail 6.3.8 and earlier, when running in -v -v (aka verbose) mode, ...) - fetchmail 6.3.9~rc2-1 (unimportant) [etch] - fetchmail 6.3.6-1etch3 NOTE: http://www.openwall.com/lists/oss-security/2008/06/13/1 NOTE: -vv is only used for debugging purposes so this does not NOTE: prevent a victim from getting mails. -vv is not used in non-interactive NOTE: use. CVE-2008-2720 (Cross-site scripting (XSS) vulnerability in Menalto Gallery before 2.2 ...) - gallery2 2.2.5-1 (low; bug #485947) - gallery (Vulnerable code not present, different codebase) CVE-2008-2721 (Unspecified vulnerability in the album-select module in Menalto Galler ...) - gallery2 2.2.5-1 (low; bug #485947) - gallery (Vulnerable code not present, different codebase) CVE-2008-2722 (Menalto Gallery before 2.2.5 allows remote attackers to bypass permiss ...) - gallery2 2.2.5-1 (low; bug #485947) - gallery (Vulnerable code not present, different codebase) CVE-2008-2723 (embed.php in Menalto Gallery before 2.2.5 allows remote attackers to o ...) - gallery2 2.2.5-1 (low; bug #485947) - gallery (Vulnerable code not present, different codebase) CVE-2008-2724 (Menalto Gallery before 2.2.5 does not enforce permissions for non-albu ...) - gallery2 2.2.5-1 (low; bug #485947) - gallery (Vulnerable code not present, different codebase) CVE-2008-2717 (TYPO3 4.0.x before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.2.1, ...) {DSA-1596-1} - typo3-src 4.1.7-1 (bug #485814) CVE-2008-2685 (SQL injection vulnerability in article.asp in Battle Blog 1.25 Build 4 ...) NOT-FOR-US: Battle Blog CVE-2008-2684 (The BIDIB.BIDIBCtrl.1 ActiveX control in BIDIB.ocx 10.9.3.0 in Black I ...) NOT-FOR-US: Black Ice Barcode CVE-2008-2683 (The BIDIB.BIDIBCtrl.1 ActiveX control in BIDIB.ocx 10.9.3.0 in Black I ...) NOT-FOR-US: Black Ice Barcode CVE-2008-2682 (_RealmAdmin/login.asp in Realm CMS 2.3 and earlier allows remote attac ...) NOT-FOR-US: Realm CMS CVE-2008-2681 (Realm CMS 2.3 and earlier allows remote attackers to obtain sensitive ...) NOT-FOR-US: Realm CMS CVE-2008-2680 (Multiple cross-site scripting (XSS) vulnerabilities in _db/compact.asp ...) NOT-FOR-US: Realm CMS CVE-2008-2679 (SQL injection vulnerability in the KeyWordsList function in _includes/ ...) NOT-FOR-US: Realm CMS CVE-2008-2678 (Multiple SQL injection vulnerabilities in Telephone Directory 2008, wh ...) NOT-FOR-US: Telephone Directory 2008 CVE-2008-2677 (Cross-site scripting (XSS) vulnerability in edit1.php in Telephone Dir ...) NOT-FOR-US: Telephone Directory 2008 CVE-2008-2676 (SQL injection vulnerability in the iJoomla News Portal (com_news_porta ...) NOT-FOR-US: com_news_portal component for Joomla! CVE-2008-2675 (Cross-site scripting (XSS) vulnerability in index.php in PHP Image Gal ...) NOT-FOR-US: PHP Image Gallery CVE-2008-2674 (Unspecified vulnerability in the Interstage Management Console, as use ...) NOT-FOR-US: Interstage Management Console CVE-2008-2673 (SQL injection vulnerability in index.php in Powie pNews 2.08 and 2.10, ...) NOT-FOR-US: pNews CVE-2008-2672 (Multiple directory traversal vulnerabilities in ErfurtWiki R1.02b and ...) - ewiki (unimportant) NOTE: register_globals is not supported CVE-2008-2671 (SQL injection vulnerability in comments.php in DCFM Blog 0.9.4 allows ...) NOT-FOR-US: DCFM Blog CVE-2008-2670 (Multiple SQL injection vulnerabilities in index.php in Insanely Simple ...) NOT-FOR-US: Insanely Simple Blog CVE-2008-2669 (Multiple SQL injection vulnerabilities in yBlog 0.2.2.2 allow remote a ...) NOT-FOR-US: yBlog CVE-2008-2668 (Multiple cross-site scripting (XSS) vulnerabilities in yBlog 0.2.2.2 a ...) NOT-FOR-US: yBlog CVE-2008-2666 (Multiple directory traversal vulnerabilities in PHP 5.2.6 and earlier ...) - php5 (unimportant) NOTE: safe mode not supported CVE-2008-2665 (Directory traversal vulnerability in the posix_access function in PHP ...) - php5 5.2.6.dfsg.1-3 (unimportant) NOTE: safe mode not supported CVE-2008-2664 (The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8 ...) {DSA-1618-1 DSA-1612-1} - ruby1.9 1.9.0.2-1 - ruby1.8 1.8.7.22-1 CVE-2008-2663 (Multiple integer overflows in the rb_ary_store function in Ruby 1.8.4 ...) {DSA-1618-1 DSA-1612-1} - ruby1.9 1.9.0.2-1 - ruby1.8 1.8.7.22-1 CVE-2008-2662 (Multiple integer overflows in the rb_str_buf_append function in Ruby 1 ...) {DSA-1618-1 DSA-1612-1} - ruby1.9 1.9.0.2-1 - ruby1.8 1.8.7.22-1 CVE-2008-2661 RESERVED CVE-2008-2660 RESERVED CVE-2008-2659 RESERVED CVE-2008-2658 RESERVED CVE-2008-2657 RESERVED CVE-2008-2656 RESERVED CVE-2008-2655 RESERVED CVE-2008-2653 RESERVED CVE-2008-2652 (Multiple SQL injection vulnerabilities in catalog.php in SMEWeb 1.4b a ...) NOT-FOR-US: SMEWeb CVE-2008-2651 (SQL injection vulnerability in the Joomla! Bulletin Board (aka Joo!BB ...) NOT-FOR-US: com_joobb component for Joomla! CVE-2008-2650 (Directory traversal vulnerability in cmsimple/cms.php in CMSimple 3.1, ...) NOT-FOR-US: CMSimple CVE-2008-2649 (Multiple PHP remote file inclusion vulnerabilities in DesktopOnNet 3 B ...) NOT-FOR-US: DesktopOnNet CVE-2008-2648 (Unrestricted file upload vulnerability in upload/uploader.html in meBi ...) NOT-FOR-US: meBiblio CVE-2008-2647 (SQL injection vulnerability in admin/journal_change_mask.inc.php in me ...) NOT-FOR-US: meBiblio CVE-2008-2646 (Multiple cross-site scripting (XSS) vulnerabilities in meBiblio 0.4.7 ...) NOT-FOR-US: meBiblio CVE-2008-2645 (Multiple PHP remote file inclusion vulnerabilities in Brim (formerly B ...) NOT-FOR-US: Brim CVE-2008-2644 (Multiple cross-site scripting (XSS) vulnerabilities in SMEWeb 1.4b and ...) NOT-FOR-US: SMEWeb CVE-2008-2643 (SQL injection vulnerability in the Bible Study (com_biblestudy) compon ...) NOT-FOR-US: com_biblestudy component for Joomla! CVE-2008-2642 (SQL injection vulnerability in login.php in OtomiGenX 2.2 allows remot ...) NOT-FOR-US: OtomiGenX CVE-2008-2641 (Unspecified vulnerability in Adobe Reader and Acrobat 7.0.9 and earlie ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2008-2640 (Multiple cross-site scripting (XSS) vulnerabilities in the Flex 3 Hist ...) NOT-FOR-US: Adobe Flex CVE-2008-2639 (Stack-based buffer overflow in the ODBC server service in Citect Citec ...) NOT-FOR-US: Citect CitectSCADA CVE-2008-2638 (Static code injection vulnerability in guestbook.php in 1Book 1.0.1 an ...) NOT-FOR-US: 1Book CVE-2008-2637 (Multiple cross-site scripting (XSS) vulnerabilities in F5 FirePass SSL ...) NOT-FOR-US: F5 FirePass SSL VPN CVE-2008-2636 (The HTTP service on the Cisco Linksys WRH54G with firmware 1.01.03 all ...) NOT-FOR-US: Cisco firmware CVE-2008-2635 (Multiple directory traversal vulnerabilities in BitKinex 2.9.3 allow r ...) NOT-FOR-US: BitKinex CVE-2008-2634 (SQL injection vulnerability in index.asp in I-Pos Internet Pay Online ...) NOT-FOR-US: I-Pos Internet Pay Online Store CVE-2008-2633 (Multiple SQL injection vulnerabilities in the EXP JoomRadio (com_joomr ...) NOT-FOR-US: com_joomradio component for Joomla! CVE-2008-2632 (SQL injection vulnerability in the acctexp (com_acctexp) component 0.1 ...) NOT-FOR-US: com_acctexp component for Joomla! CVE-2008-2631 (The WordClient interface in Alt-N Technologies MDaemon 9.6.5 allows re ...) NOT-FOR-US: MDaemon CVE-2008-2630 (SQL injection vulnerability in the JooBlog (com_jb2) component 0.1.1 f ...) NOT-FOR-US: com_jb2 component for Joomla! CVE-2008-2629 (SQL injection vulnerability in the LifeType (formerly pLog) module for ...) NOT-FOR-US: LifeType module for Drupal CVE-2008-2628 (SQL injection vulnerability in the eQuotes (com_equotes) component 0.9 ...) NOT-FOR-US: com_equotes component for Joomla! CVE-2008-2627 (SQL injection vulnerability in the IDoBlog (com_idoblog) component b24 ...) NOT-FOR-US: com_idoblog for Joomla! CVE-2008-2626 (SQL injection vulnerability in comment.asp in Battle Blog 1.25 and ear ...) NOT-FOR-US: Battle Blog CVE-2008-2625 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle CVE-2008-2624 (Unspecified vulnerability in the Oracle OLAP component in Oracle Datab ...) NOT-FOR-US: Oracle CVE-2008-2623 (Unspecified vulnerability in the Oracle JDeveloper component in Oracle ...) NOT-FOR-US: Oracle Application Server CVE-2008-2622 (Unspecified vulnerability in the PeopleSoft PeopleTools component in O ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2008-2621 (Unspecified vulnerability in the PeopleSoft PeopleTools component in O ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2008-2620 (Unspecified vulnerability in the PeopleSoft PeopleTools component in O ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2008-2619 (Unspecified vulnerability in the Oracle Reports Developer component in ...) NOT-FOR-US: Oracle CVE-2008-2618 (Unspecified vulnerability in the PeopleSoft PeopleTools component in O ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2008-2617 (Unspecified vulnerability in the PeopleSoft PeopleTools component in O ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2008-2616 (Unspecified vulnerability in the PeopleSoft PeopleTools component in O ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2008-2615 (Unspecified vulnerability in the PeopleSoft PeopleTools component in O ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2008-2614 (Unspecified vulnerability in the Oracle HTTP Server component in Oracl ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2008-2613 (Unspecified vulnerability in the Database Scheduler component in Oracl ...) NOT-FOR-US: Oracle database CVE-2008-2612 (Unspecified vulnerability in the Hyperion BI Plus component in Oracle ...) NOT-FOR-US: Oracle database CVE-2008-2611 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle database CVE-2008-2610 (Unspecified vulnerability in the Oracle Applications Technology Stack ...) NOT-FOR-US: Oracle database CVE-2008-2609 (Unspecified vulnerability in the Oracle Portal component in Oracle App ...) NOT-FOR-US: Oracle database CVE-2008-2608 (Unspecified vulnerability in the Data Pump component in Oracle Databas ...) NOT-FOR-US: Oracle database CVE-2008-2607 (Unspecified vulnerability in the Advanced Queuing component in Oracle ...) NOT-FOR-US: Oracle database CVE-2008-2606 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle database CVE-2008-2605 (Unspecified vulnerability in the Authentication component in Oracle Da ...) NOT-FOR-US: Oracle database CVE-2008-2604 (Unspecified vulnerability in the Authentication component in Oracle Da ...) NOT-FOR-US: Oracle database CVE-2008-2603 (Unspecified vulnerability in the Resource Manager component in Oracle ...) NOT-FOR-US: Oracle database CVE-2008-2602 (Unspecified vulnerability in the Data Pump component in Oracle Databas ...) NOT-FOR-US: Oracle database CVE-2008-2601 (Unspecified vulnerability in the Oracle iStore component in Oracle E-B ...) NOT-FOR-US: Oracle database CVE-2008-2600 (Unspecified vulnerability in the Oracle Spatial component in Oracle Da ...) NOT-FOR-US: Oracle database CVE-2008-2599 (Unspecified vulnerability in the TimesTen Client/Server component in O ...) NOT-FOR-US: Oracle database CVE-2008-2598 (Unspecified vulnerability in the TimesTen Client/Server component in O ...) NOT-FOR-US: Oracle database CVE-2008-2597 (Unspecified vulnerability in the TimesTen Client/Server component in O ...) NOT-FOR-US: Oracle database CVE-2008-2596 (Unspecified vulnerability in the Mobile Application Server component i ...) NOT-FOR-US: Oracle database CVE-2008-2595 (Unspecified vulnerability in the Oracle Internet Directory component i ...) NOT-FOR-US: Oracle database CVE-2008-2594 (Unspecified vulnerability in the Oracle Portal component in Oracle App ...) NOT-FOR-US: Oracle database CVE-2008-2593 (Unspecified vulnerability in the Oracle Portal component in Oracle App ...) NOT-FOR-US: Oracle database CVE-2008-2592 (Unspecified vulnerability in the Advanced Replication component in Ora ...) NOT-FOR-US: Oracle database CVE-2008-2591 (Unspecified vulnerability in the Oracle Database Vault component in Or ...) NOT-FOR-US: Oracle database CVE-2008-2590 (Unspecified vulnerability in the Instance Management component in Orac ...) NOT-FOR-US: Oracle database CVE-2008-2589 (Unspecified vulnerability in the Oracle Portal component in Oracle App ...) NOT-FOR-US: Oracle database CVE-2008-2588 (Unspecified vulnerability in the Oracle JDeveloper component in Oracle ...) NOT-FOR-US: Oracle CVE-2008-2587 (Unspecified vulnerability in the Advanced Replication component in Ora ...) NOT-FOR-US: Oracle database CVE-2008-2586 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle database CVE-2008-2585 (Unspecified vulnerability in the Oracle Report Manager component in Or ...) NOT-FOR-US: Oracle database CVE-2008-2584 REJECTED CVE-2008-2583 (Unspecified vulnerability in the sample Discussion Forum Portlet for t ...) NOT-FOR-US: Oracle database CVE-2008-2582 (Unspecified vulnerability in the WebLogic Server component in Oracle B ...) NOT-FOR-US: BEA Product Suite CVE-2008-2581 (Unspecified vulnerability in the WebLogic Server component in Oracle B ...) NOT-FOR-US: BEA Product Suite CVE-2008-2580 (Unspecified vulnerability in the WebLogic Server component in Oracle B ...) NOT-FOR-US: BEA Product Suite CVE-2008-2579 (Unspecified vulnerability in the WebLogic Server Plugins for Apache, S ...) NOT-FOR-US: BEA Product Suite CVE-2008-2578 (Unspecified vulnerability in the WebLogic Server component in Oracle B ...) NOT-FOR-US: BEA Product Suite CVE-2008-2577 (Unspecified vulnerability in the WebLogic Server component in Oracle B ...) NOT-FOR-US: BEA Product Suite CVE-2008-2576 (Unspecified vulnerability in the WebLogic Server component in Oracle B ...) NOT-FOR-US: BEA Product Suite CVE-2008-2574 (Unrestricted file upload vulnerability in admin/Editor/imgupload.php i ...) NOT-FOR-US: FlashBlog CVE-2008-2573 (Stack-based buffer overflow in SFTP in freeSSHd 1.2.1 allows remote au ...) NOT-FOR-US: freeSSHd CVE-2008-2572 (SQL injection vulnerability in php/leer_comentarios.php in FlashBlog a ...) NOT-FOR-US: FlashBlog CVE-2008-2571 (Cross-site request forgery (CSRF) vulnerability in LimeSurvey (formerl ...) - limesurvey (bug #472802) CVE-2008-2570 (Multiple unspecified vulnerabilities in LimeSurvey (formerly PHPSurvey ...) - limesurvey (bug #472802) CVE-2008-2569 (SQL injection vulnerability in the EasyBook (com_easybook) component 1 ...) NOT-FOR-US: com_easybook component for Joomla! CVE-2008-2568 (SQL injection vulnerability in the Simple Shop Galore (com_simpleshop) ...) NOT-FOR-US: com_simpleshop component for Joomla! CVE-2008-2567 (Cross-site scripting (XSS) vulnerability in Fenriru Sleipnir 2.7.1 Rel ...) NOT-FOR-US: Fenriru Sleipnir CVE-2008-2566 (Multiple cross-site scripting (XSS) vulnerabilities in PHP Address Boo ...) NOT-FOR-US: PHP Address Book CVE-2008-2565 (Multiple SQL injection vulnerabilities in PHP Address Book 3.1.5 and e ...) NOT-FOR-US: PHP Address Book CVE-2008-2564 (SQL injection vulnerability in the JotLoader (com_jotloader) component ...) NOT-FOR-US: com_jotloader component for Joomla! CVE-2008-2563 (Multiple cross-site scripting (XSS) vulnerabilities in (1) dsp_main.ph ...) NOT-FOR-US: SamTodo CVE-2008-2562 (SQL injection vulnerability in edCss.php in PowerPhlogger 2.2.5 and ea ...) NOT-FOR-US: PowerPhlogger CVE-2008-2561 (Multiple cross-site scripting (XSS) vulnerabilities in 427BB 2.3.1 all ...) NOT-FOR-US: 427BB CVE-2008-2560 (SQL injection vulnerability in showpost.php in 427BB 2.3.1 allows remo ...) NOT-FOR-US: 427BB CVE-2008-2654 (Off-by-one error in the read_client function in webhttpd.c in Motion 3 ...) - motion 3.2.9-3 (low; bug #484572) [etch] - motion (minor issue) CVE-2008-2667 (SQL injection vulnerability in the Courier Authentication Library (aka ...) {DSA-1688-1} - courier-authlib 0.60.1-2.1 (bug #485424) CVE-2008-XXXX [missing sanity checks allow DoS via mis-formated timestamp] - evolution 2.22.2-1.1 (low; bug #484639) [etch] - evolution (Minor issue) CVE-2008-2559 (Integer overflow in Borland Interbase 2007 SP2 (8.1.0.256) allows remo ...) NOT-FOR-US: Borland Interbase CVE-2008-2558 (CRE Loaded 6.2.13.1 and earlier does not set the "Secure" attribute fo ...) NOT-FOR-US: CRE Loaded CVE-2008-2557 (Cross-site scripting (XSS) vulnerability in CRE Loaded 6.2.13.1 and ea ...) NOT-FOR-US: CRE Loaded CVE-2008-2556 (SQL injection vulnerability in read.php in PHP Visit Counter 0.4 and e ...) NOT-FOR-US: PHP Visit Counter CVE-2008-2555 (SQL injection vulnerability in index.php in EasyWay CMS allows remote ...) NOT-FOR-US: EasyWay CMS CVE-2008-2554 (Multiple SQL injection vulnerabilities in BP Blog 6.0 allow remote att ...) NOT-FOR-US: BP Blog CVE-2008-2553 (Cross-site scripting (XSS) vulnerability in Slashdot Like Automated St ...) {DSA-1633-1} - slash 2.2.6-8etch1 (low; bug #484499) NOTE: See CVE-2008-2231 NOTE: maintainer wants to remove package from unstable and move to experimental CVE-2008-2552 (Unspecified vulnerability in the Service Tag Registry on Sun Solaris 1 ...) NOT-FOR-US: Sun Solaris CVE-2008-2551 (The DownloaderActiveX Control (DownloaderActiveX.ocx) in Icona SpA C6 ...) NOT-FOR-US: DownloaderActiveX Control CVE-2008-2550 (Unspecified vulnerability in the Web Services Security component in IB ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2008-2549 (Adobe Acrobat Reader 8.1.2 and earlier, and before 7.1.1, allows remot ...) NOT-FOR-US: Acrobat Reader CVE-2008-2548 (Stack-based buffer overflow in the JPEG thumbprint component in the EX ...) NOT-FOR-US: JPEG thumbprint component in the EXIF parser on Motorola cell phones CVE-2008-2547 (Stack-based buffer overflow in msiexec.exe 3.1.4000.1823 and 4.5.6001. ...) NOT-FOR-US: Microsoft Windows Installer CVE-2008-2546 REJECTED CVE-2008-2545 (Skype 3.6.0.248, and other versions before 3.8.0.139, uses a case-sens ...) NOT-FOR-US: Skype CVE-2008-2544 RESERVED - linux (unimportant) NOTE: non-issue, cf. https://bugzilla.redhat.com/show_bug.cgi?id=449089#c22 CVE-2008-2543 (The ooh323 channel driver in Asterisk Addons 1.2.x before 1.2.9 and As ...) - asterisk-addons 1.4.7-1 (bug #484796) CVE-2008-2542 (Stack-based buffer overflow in the getline function in Ppm/ppm.C in NA ...) NOT-FOR-US: NASA Ames Research Center BigView CVE-2008-2541 (Multiple stack-based buffer overflows in the HTTP Gateway Service (ici ...) NOT-FOR-US: CA eTrust CVE-2008-2540 (Apple Safari on Mac OS X, and before 3.1.2 on Windows, does not prompt ...) NOT-FOR-US: Apple Safari CVE-2008-2539 (The Sun Cluster Global File System in Sun Cluster 3.1 on Sun Solaris 8 ...) NOT-FOR-US: Sun Solaris 8 CVE-2008-2538 (Unspecified vulnerability in crontab on Sun Solaris 8 through 10, and ...) NOT-FOR-US: Sun Solaris 8 CVE-2008-2537 (SQL injection vulnerability in cat.php in HispaH Model Search allows r ...) NOT-FOR-US: HispaH Model Search CVE-2008-2536 (SQL injection vulnerability in out.php in YABSoft Advanced Image Hosti ...) NOT-FOR-US: YABSoft Advanced Image CVE-2008-2535 (Multiple SQL injection vulnerabilities in Phoenix View CMS Pre Alpha2 ...) NOT-FOR-US: Phoenix View CMS Pre Alpha2 CVE-2008-2534 (Directory traversal vulnerability in admin/admin_frame.php in Phoenix ...) NOT-FOR-US: Phoenix View CMS Pre Alpha2 CVE-2008-2533 (Multiple cross-site scripting (XSS) vulnerabilities in Phoenix View CM ...) NOT-FOR-US: Phoenix View CMS Pre Alpha2 CVE-2008-2532 (SQL injection vulnerability in forum/topic_detail.php in AJ Square aj- ...) NOT-FOR-US: AJ Square aj-hyip CVE-2008-2531 (Cross-site scripting (XSS) vulnerability in the search script in Build ...) NOT-FOR-US: Build A Niche Store CVE-2008-2530 (Multiple SQL injection vulnerabilities in Concepts & Solutions Qui ...) NOT-FOR-US: Concepts & Solutions QuickUpCMS CVE-2008-2529 (SQL injection vulnerability in read.php in Advanced Links Management ( ...) NOT-FOR-US: Advanced Links Management CVE-2008-2528 (Unspecified vulnerability in Citrix Access Gateway Standard Edition 4. ...) NOT-FOR-US: Citrix Access Gateway Standard Edition CVE-2008-2527 (Cross-site scripting (XSS) vulnerability in view.php in ActualScripts ...) NOT-FOR-US: ActualScripts ActualAnalyzer Server CVE-2008-2526 (Cross-site scripting (XSS) vulnerability in the WT Gallery (aka wt_gal ...) NOT-FOR-US: WT Gallery CVE-2008-2525 (Cross-site scripting (XSS) vulnerability in the Event Database (aka rl ...) NOT-FOR-US: typo3 extension Event Database CVE-2008-2524 (BlogPHP 2.0 allows remote attackers to bypass authentication, and post ...) NOT-FOR-US: BlogPHP CVE-2008-2523 (SQL injection vulnerability in the Autopatcher server plugin in RakNet ...) NOT-FOR-US: RakNet CVE-2008-2522 (SQL injection vulnerability in members.php in Battle.net Clan Script f ...) NOT-FOR-US: Battle.net Clan Script CVE-2008-2521 (SQL injection vulnerability in members.php in YABSoft Mega File Hostin ...) NOT-FOR-US: YABSoft Mega File CVE-2008-2520 (Multiple PHP remote file inclusion vulnerabilities in BigACE 2.4, when ...) NOT-FOR-US: BigACE CVE-2008-2519 (Directory traversal vulnerability in Core FTP client 2.1 Build 1565 al ...) NOT-FOR-US: Core FTP client CVE-2008-2518 (Cross-site scripting (XSS) vulnerability in the advanced search mechan ...) NOT-FOR-US: Sun Java System Web Server CVE-2008-2517 (The sarab.sh script in SaraB before 0.2.4 places the dar program's enc ...) NOT-FOR-US: SaraB CVE-2008-2515 (Unspecified vulnerability in iostat in IBM AIX 5.2, 5.3, and 6.1 allow ...) NOT-FOR-US: IBM AIX CVE-2008-2514 (Buffer overflow in errpt in IBM AIX 5.2, 5.3, and 6.1 allows local use ...) NOT-FOR-US: IBM AIX CVE-2008-2513 (Buffer overflow in the kernel in IBM AIX 5.2, 5.3, and 6.1 allows loca ...) NOT-FOR-US: IBM AIX CVE-2008-2512 (Directory traversal vulnerability in Symantec Backup Exec System Recov ...) NOT-FOR-US: Symantec Backup Exec System Recovery Manager CVE-2008-2511 (Directory traversal vulnerability in the UmxEventCli.CachedAuditDataLi ...) NOT-FOR-US: CA Internet Security Suite CVE-2008-2510 (SQL injection vulnerability in wp-uploadfile.php in the Upload File pl ...) NOT-FOR-US: Upload File plugin for WordPress CVE-2008-2509 (SQL injection vulnerability in pwd.asp in Excuse Online allows remote ...) NOT-FOR-US: Excuse Online CVE-2008-2508 (Cross-site scripting (XSS) vulnerability in news.php in Tr Script News ...) NOT-FOR-US: Tr Script News CVE-2008-2507 (Cross-site scripting (XSS) vulnerability in Calcium40.pl in Brown Bear ...) NOT-FOR-US: Brown Bear Software Calcium CVE-2008-2506 (Multiple SQL injection vulnerabilities in Simpel Side Weblosning 1 thr ...) NOT-FOR-US: Simpel Side Weblosning CVE-2008-2505 (Cross-site scripting (XSS) vulnerability in result.php in Simpel Side ...) NOT-FOR-US: Simpel Side Weblosning CVE-2008-2504 (Multiple SQL injection vulnerabilities in Simpel Side Netbutik 1 throu ...) NOT-FOR-US: Simpel Side Netbutik CVE-2008-2503 (Buffer overflow in Uploadlist in eMule X-Ray before 1.4 has unknown im ...) NOT-FOR-US: eMule X-Ray CVE-2008-2502 (Unspecified vulnerability in the web server in eMule X-Ray before 1.4 ...) NOT-FOR-US: eMule X-Ray CVE-2008-2501 (Multiple SQL injection vulnerabilities in PHPhotoalbum 0.5 allow remot ...) NOT-FOR-US: PHPhotoalbum CVE-2008-2500 (Cross-site scripting (XSS) vulnerability in the MOStlyContent Editor ( ...) NOT-FOR-US: MOStlyContent Editor CVE-2008-2499 (Stack-based buffer overflow in the Community Services Multiplexer (aka ...) NOT-FOR-US: Community Services Multiplexer CVE-2008-2498 (Multiple SQL injection vulnerabilities in index.php in Mambo before 4. ...) NOT-FOR-US: Mambo CVE-2008-2497 (CRLF injection vulnerability in Mambo before 4.6.4 allows remote attac ...) NOT-FOR-US: Mambo CVE-2008-2496 (Multiple cross-site scripting (XSS) vulnerabilities in Quate CMS 0.3.4 ...) NOT-FOR-US: Quate CMS CVE-2008-2495 (Directory traversal vulnerability in index.php in Zina 1.0 RC3 allows ...) NOT-FOR-US: Zina CVE-2008-2494 (Cross-site scripting (XSS) vulnerability in index.php in Zina 1.0 RC3 ...) NOT-FOR-US: Zina CVE-2008-2493 (Cross-site scripting (XSS) vulnerability in post3/Book.asp in Campus B ...) NOT-FOR-US: Campus Bulletin Board CVE-2008-2492 (Multiple SQL injection vulnerabilities in Campus Bulletin Board 3.4 al ...) NOT-FOR-US: Campus Bulletin Board CVE-2008-2491 (SQL injection vulnerability in adv_cat.php in AbleSpace 1.0 allows rem ...) NOT-FOR-US: AbleSpace CVE-2008-2490 (Cross-site scripting (XSS) vulnerability in the KJ Image Lightbox 2 (a ...) NOT-FOR-US: KJ Image Lightbox 2 CVE-2008-2489 (SQL injection vulnerability in the Library for Frontend Plugins (aka s ...) NOT-FOR-US: Library for Frontend Plugins sg_zfelib CVE-2008-2488 (admin/userform.php in RoomPHPlanning 1.5 does not require administrati ...) NOT-FOR-US: RoomPHPlanning CVE-2008-2487 (SQL injection vulnerability in index.php in MAXSITE 1.10 and earlier a ...) NOT-FOR-US: MAXSITE CVE-2008-2486 (Unspecified vulnerability in eMule Plus before 1.2d has unknown impact ...) - amule (Different code) CVE-2008-2485 (Cross-site scripting (XSS) vulnerability in the URL redirection script ...) NOT-FOR-US: PCPIN chat CVE-2008-2484 (SQL injection vulnerability in index.php in Xomol CMS 1.20071213, when ...) NOT-FOR-US: Xomol CMS CVE-2008-2483 (Directory traversal vulnerability in index.php in Xomol CMS 1.20071213 ...) NOT-FOR-US: Xomol CMS CVE-2008-2482 (Directory traversal vulnerability in install_mod.php in insanevisions ...) NOT-FOR-US: OneCMS CVE-2008-2481 (PHP remote file inclusion vulnerability in authentication/phpbb3/phpbb ...) NOT-FOR-US: phpRaider CVE-2008-2480 (PHP remote file inclusion vulnerability in plus.php in plusPHP Short U ...) NOT-FOR-US: plusPHP CVE-2008-2479 (Multiple SQL injection vulnerabilities in phpFix 2.0 allow remote atta ...) NOT-FOR-US: phpFix CVE-2008-2478 NOT-FOR-US: cPanel CVE-2008-2477 (SQL injection vulnerability in index.php in MxBB (aka MX-System) Porta ...) NOT-FOR-US: MxBB (MX-System) CVE-2008-2476 (The IPv6 Neighbor Discovery Protocol (NDP) implementation in (1) FreeB ...) - kfreebsd-7 7.0-6 NOTE: IPv6 NDP flaw not affecting Linux CVE-2008-2475 (eBay Enhanced Picture Uploader ActiveX control (EPUWALcontrol.dll) bef ...) NOT-FOR-US: eBay Enhanced Picture Uploader ActiveX control CVE-2008-2474 (Buffer overflow in x87 before 3.5.5 in ABB Process Communication Unit ...) NOT-FOR-US: ABB Process Communication Unit CVE-2008-2473 RESERVED CVE-2008-2472 RESERVED CVE-2008-2471 RESERVED CVE-2008-2470 (The InstallShield Update Service Agent ActiveX control in isusweb.dll ...) NOT-FOR-US: InstallShield CVE-2008-2469 (Heap-based buffer overflow in the SPF_dns_resolv_lookup function in Sp ...) {DSA-1659-1 DTSA-172-1} - libspf2 1.2.9-1 (high) CVE-2008-2468 (Multiple buffer overflows in the QIP Server Service (aka qipsrvr.exe) ...) NOT-FOR-US: LANDesk Management Suite CVE-2008-2467 RESERVED CVE-2008-2466 RESERVED CVE-2008-2465 RESERVED CVE-2008-2464 (The mld_input function in sys/netinet6/mld6.c in the kernel in NetBSD ...) NOT-FOR-US: NetBSD CVE-2008-2463 (The Microsoft Office Snapshot Viewer ActiveX control in snapview.ocx 1 ...) NOT-FOR-US: Microsoft Office Snapshot Viewer ActiveX CVE-2008-2462 (Cross-site scripting (XSS) vulnerability in the viewfile documentation ...) NOT-FOR-US: Caucho Resin CVE-2008-2461 (SQL injection vulnerability in index.php in Netious CMS 0.4 allows rem ...) NOT-FOR-US: Netious CVE-2008-2460 (SQL injection vulnerability in faq.php in vBulletin 3.7.0 Gold allows ...) NOT-FOR-US: vBulletin CVE-2008-2459 (Directory traversal vulnerability in page.php in EntertainmentScript 1 ...) NOT-FOR-US: EntertainmentScript CVE-2008-2458 (Cross-site scripting (XSS) vulnerability in index.php in Starsgames Co ...) NOT-FOR-US: Starsgames CVE-2008-2457 (SQL injection vulnerability in jokes_category.php in PHP-Jokesite 2.0 ...) NOT-FOR-US: PHP-Jokesite CVE-2008-2456 (SQL injection vulnerability in index.php in ComicShout 2.5 and earlier ...) NOT-FOR-US: ComicShout CVE-2008-2455 (SQL injection vulnerability in comment.php in the MacGuru BLOG Engine ...) NOT-FOR-US: MacGuru BLOG Engine CVE-2008-2454 (SQL injection vulnerability in the xsstream-dm (com_xsstream-dm) compo ...) NOT-FOR-US: xsstream-dm CVE-2008-2453 (Multiple SQL injection vulnerabilities in PHP Classifieds Script allow ...) NOT-FOR-US: PHP Classifieds Script CVE-2008-2452 (Cross-site scripting (XSS) vulnerability in the Questionaire (aka pbsu ...) NOT-FOR-US: Questionaire pbsurvey CVE-2008-2451 (Multiple SQL injection vulnerabilities in the Statistics (aka ke_stats ...) NOT-FOR-US: Statistics ke_stats CVE-2008-2450 (Multiple cross-site scripting (XSS) vulnerabilities in the Statistics ...) NOT-FOR-US: Statistics ke_stats CVE-2008-2449 (Multiple cross-site scripting (XSS) vulnerabilities in Isaac McGowan p ...) NOT-FOR-US: phpInstantGallery CVE-2008-2448 (Multiple SQL injection vulnerabilities in Meto Forum 1.1 allow remote ...) NOT-FOR-US: Meto Forum CVE-2008-2447 (SQL injection vulnerability in products.php in the Mytipper ZoGo-shop ...) NOT-FOR-US: Mytipper ZoGo-shop CVE-2008-2446 (Multiple SQL injection vulnerabilities in Web Group Communication Cent ...) NOT-FOR-US: Web Group Communication Center CVE-2008-2445 (Cross-site scripting (XSS) vulnerability in profile.php in Web Group C ...) NOT-FOR-US: Web Group Communication Center CVE-2008-2444 (SQL injection vulnerability in userreg.php in CaLogic Calendars 1.2.2 ...) NOT-FOR-US: CaLogic Calendars CVE-2008-2443 (SQL injection vulnerability in dpage.php in The Real Estate Script all ...) NOT-FOR-US: Real Estate Script CVE-2008-2442 RESERVED CVE-2008-2441 (Cisco Secure ACS 3.x before 3.3(4) Build 12 patch 7, 4.0.x, 4.1.x befo ...) NOT-FOR-US: Cisco Secure ACS CVE-2008-2440 RESERVED CVE-2008-2439 (Directory traversal vulnerability in the UpdateAgent function in TmLis ...) NOT-FOR-US: Trend Micro OfficeScan CVE-2008-2438 (Integer overflow in ovalarmsrv.exe in HP OpenView Network Node Manager ...) NOT-FOR-US: HP OpenView CVE-2008-2437 (Stack-based buffer overflow in cgiRecvFile.exe in Trend Micro OfficeSc ...) NOT-FOR-US: Trend Micro OfficeScan CVE-2008-2436 (Multiple heap-based buffer overflows in the IppCreateServerRef functio ...) NOT-FOR-US: Novell iPrint Client CVE-2008-2435 (Use-after-free vulnerability in the Trend Micro HouseCall ActiveX cont ...) NOT-FOR-US: ActiveX CVE-2008-2434 (The Trend Micro HouseCall ActiveX control 6.51.0.1028 and 6.6.0.1278 i ...) NOT-FOR-US: ActiveX CVE-2008-2433 (The web management console in Trend Micro OfficeScan 7.0 through 8.0, ...) NOT-FOR-US: Trend Micro OfficeScan CVE-2008-2432 (Insecure method vulnerability in the GetFileList method in an unspecif ...) NOT-FOR-US: Novell iPrint CVE-2008-2431 (Multiple buffer overflows in Novell iPrint Client before 5.06 allow re ...) NOT-FOR-US: Novell iPrint CVE-2008-2430 (Integer overflow in the Open function in modules/demux/wav.c in VLC Me ...) {DSA-1819-1 DTSA-148-1} - vlc 0.8.6.h-1 (medium; bug #489004) CVE-2008-2429 (Multiple SQL injection vulnerabilities in Calendarix Basic 0.8.2007111 ...) NOT-FOR-US: Calendarix CVE-2008-2428 (Multiple SQL injection vulnerabilities in TorrentTrader 1.08 Classic a ...) NOT-FOR-US: TorrentTrader CVE-2008-2427 (Stack-based buffer overflow in NConvert 4.92, GFL SDK 2.82, and XnView ...) NOT-FOR-US: NConvert, GFL SDK, XnView CVE-2008-2426 (Multiple stack-based buffer overflows in Imlib 2 (aka imlib2) 1.4.0 al ...) {DSA-1594-1} - imlib2 1.4.0-1.1 (medium; bug #483816) - imlib (Partly not present / partly fixed) CVE-2008-2425 (SQL injection vulnerability in index.php in FicHive 1.0 allows remote ...) NOT-FOR-US: FicHive CVE-2008-2422 (SQL injection vulnerability in index.php in Web Slider 0.6 allows remo ...) NOT-FOR-US: Web Slider CVE-2008-2421 (Cross-site scripting (XSS) vulnerability in the Web GUI in SAP Web App ...) NOT-FOR-US: Web GUI in SAP Web Application Server (WAS) CVE-2008-2419 (Mozilla Firefox 2.0.0.14 allows remote attackers to cause a denial of ...) NOTE: Mozilla bug 435130, not reproducible by upstream, Debian bug #484484 CVE-2008-2418 (Race condition in the STREAMS Administrative Driver (sad) in Sun Solar ...) NOT-FOR-US: STREAMS Administrative Driver SUN CVE-2008-2417 (SQL injection vulnerability in showQAnswer.asp in How2ASP.net Webboard ...) NOT-FOR-US: Webboard CVE-2008-2416 (SQL injection vulnerability in index.php in FicHive 1.0 allows remote ...) NOT-FOR-US: FicHive CVE-2008-2415 (Directory traversal vulnerability in template/purpletech/base_include. ...) NOT-FOR-US: DigitalHive CVE-2008-2414 (Cross-site scripting (XSS) vulnerability in send_email.php in AN Guest ...) NOT-FOR-US: AN Guestbook CVE-2008-2413 (Cross-site scripting (XSS) vulnerability in glossaire.php in ACGV News ...) NOT-FOR-US: ACGV News CVE-2008-2412 (SQL injection vulnerability in glossaire.php in ACGV News 0.9.1 allows ...) NOT-FOR-US: ACGV News CVE-2008-2411 (SQL injection vulnerability in index.php in SazCart 1.5.1 and earlier, ...) NOT-FOR-US: SazCart CVE-2008-2410 (Cross-site scripting (XSS) vulnerability in the servlet engine and Web ...) NOT-FOR-US: Web Server service in IBM Lotus Domino CVE-2008-2409 (Stack-based buffer overflow in Cerulean Studios Trillian before 3.1.10 ...) NOT-FOR-US: Cerulean Studios Trillian CVE-2008-2408 (Heap-based buffer overflow in the XML parsing functionality in talk.dl ...) NOT-FOR-US: Cerulean Studios Trillian CVE-2008-2407 (Stack-based buffer overflow in AIM.DLL in Cerulean Studios Trillian be ...) NOT-FOR-US: Cerulean Studios Trillian CVE-2008-2406 (The administration application server in Sun Java Active Server Pages ...) NOT-FOR-US: Sun Java System Active Server Pages CVE-2008-2405 (Sun Java Active Server Pages (ASP) Server before 4.0.3 allows remote a ...) NOT-FOR-US: Sun Java System Active Server Pages CVE-2008-2404 (Stack-based buffer overflow in the request handling implementation in ...) NOT-FOR-US: Sun Java System Active Server Pages CVE-2008-2403 (Multiple directory traversal vulnerabilities in unspecified ASP applic ...) NOT-FOR-US: Sun Java System Active Server Pages CVE-2008-2402 (The Admin Server in Sun Java Active Server Pages (ASP) Server before 4 ...) NOT-FOR-US: Sun Java System Active Server Pages CVE-2008-2401 (The Admin Server in Sun Java Active Server Pages (ASP) Server before 4 ...) NOT-FOR-US: Sun Java System Active Server Pages CVE-2008-2400 (Unspecified vulnerability in stunnel before 4.23, when running as a se ...) - stunnel4 (Windows specific issue) CVE-2008-2399 (Directory traversal vulnerability in the FireFTP add-on before 0.98.20 ...) NOT-FOR-US: FireFTP CVE-2008-2575 (cbrPager before 0.9.17 allows user-assisted remote attackers to execut ...) - cbrpager 0.9.17-1 (low; bug #482853) [etch] - cbrpager 0.9.14-3+etch1 NOTE: Minor issue fixed in 4.0r4 point release CVE-2008-XXXX [resizing the monitor with xrandr can crash xscreensaver] - xscreensaver 5.05-3 (unimportant; bug #482385) CVE-2008-2516 (pam_sm_authenticate in pam_pgsql.c in libpam-pgsql 0.6.3 does not prop ...) - pam-pgsql 0.6.3-2 (medium; bug #481970) [etch] - pam-pgsql (Vulnerable code not present) NOTE: pam_pgsql is not configured as "sufficient" in Debian default configuration CVE-2008-2424 (Unspecified vulnerability in the 404 error page for the "Standard demo ...) - interchange 5.5.1 (low; bug #482636) CVE-2008-2423 (Unspecified vulnerability in Interchange before 5.6.0 and before 5.5.2 ...) - interchange 5.5.1 (low; bug #482636) CVE-2008-2420 (The OCSP functionality in stunnel before 4.24 does not properly search ...) - stunnel4 3:4.22-1.1 (low; bug #482644) CVE-2008-2398 (Cross-site scripting (XSS) vulnerability in index.php in AppServ Open ...) NOT-FOR-US: AppServ Open Project CVE-2008-2397 (Cross-site scripting (XSS) vulnerability in search-results.dot in dotC ...) NOT-FOR-US: dotCMS CVE-2008-2396 (PHP remote file inclusion vulnerability in index.php in Wajox Software ...) NOT-FOR-US: microSSys CVE-2008-2395 (SQL injection vulnerability in thread.php in AlkalinePHP 0.80.00 beta ...) NOT-FOR-US: AlkalinePHP CVE-2008-2394 (Multiple SQL injection vulnerabilities in TAGWORX.CMS 3.00.02 allow re ...) NOT-FOR-US: TAGWORX.CMS CVE-2008-2393 (SQL injection vulnerability in play.php in EntertainmentScript 1.4.0 a ...) NOT-FOR-US: EntertainmentScript CVE-2008-2392 (Unrestricted file upload vulnerability in WordPress 2.5.1 and earlier ...) - wordpress 2.5.1-4 (low; bug #485807) [etch] - wordpress (Vulnerable code not present) NOTE: Unrestricted file upload vulnerability was introduced in 2.3.0 CVE-2008-2391 (SubSonic allows remote attackers to bypass pagesize limits and cause a ...) NOT-FOR-US: SubSonic CVE-2008-2390 (Hpufunction.dll 4.0.0.1 in HP Software Update exposes the unsafe (1) E ...) NOT-FOR-US: HP Software Update CVE-2008-2389 (opensuse-updater in openSUSE 10.2 allows local users to access arbitra ...) NOT-FOR-US: opensuse-updater CVE-2008-2388 (Multiple off-by-one errors in opensuse-updater in openSUSE 10.2 have u ...) NOT-FOR-US: opensuse-updater CVE-2008-2387 RESERVED CVE-2008-2386 RESERVED CVE-2008-2385 RESERVED CVE-2008-2384 (SQL injection vulnerability in mod_auth_mysql.c in the mod-auth-mysql ...) - mod-auth-mysql 4.3.9-11 (medium) CVE-2008-2383 (CRLF injection vulnerability in xterm allows user-assisted attackers t ...) {DSA-1694-1 DTSA-182-1} - xterm 238-2 (medium; bug #510030) CVE-2008-2382 (The protocol_client_msg function in vnc.c in the VNC server in (1) Qem ...) - qemu 0.9.1-9 [etch] - qemu (Tested by maintainer) - kvm 72+dfsg-4 - xen-unstable (Vulnerable code not present) - xen-3 (Vulnerable code not present) CVE-2008-2381 (SQL injection vulnerability in the create function in common/include/G ...) {DSA-1698-1} - gforge 4.7~rc2-7 CVE-2008-2380 (SQL injection vulnerability in authpgsqllib.c in Courier-Authlib befor ...) {DSA-1688-1 DTSA-180-1} - courier-authlib 0.61.0-1+lenny1 CVE-2008-2379 (Cross-site scripting (XSS) vulnerability in SquirrelMail before 1.4.17 ...) {DSA-1682-1} - squirrelmail 2:1.4.15-4 CVE-2008-2378 (Untrusted search path vulnerability in hfkernel in hf 0.7.3 and 0.8 al ...) {DSA-1668-1} - hf 0.8-8.1 (medium; bug #504182) CVE-2008-2377 (Use-after-free vulnerability in the _gnutls_handshake_hash_buffers_cle ...) - gnutls26 2.4.1-1 (medium) - gnutls13 (Problem was introduced in 2.3.5) CVE-2008-2376 (Integer overflow in the rb_ary_fill function in array.c in Ruby before ...) {DSA-1618-1 DSA-1612-1} - ruby1.9 1.9.0.2-2 - ruby1.8 1.8.7.22-2 NOTE: http://www.openwall.com/lists/oss-security/2008/07/02/3 CVE-2008-2375 (Memory leak in a certain Red Hat deployment of vsftpd before 2.0.5 on ...) - vsftpd (debian versions all include the fix) CVE-2008-2374 (src/sdp.c in bluez-libs 3.30 in BlueZ, and other bluez-libs before 3.3 ...) - bluez-libs 3.34 (low) [etch] - bluez-libs (Minor issue) - bluez-utils 3.34 (low) [etch] - bluez-utils (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2374 CVE-2008-2373 REJECTED CVE-2008-2372 (The Linux kernel 2.6.24 and 2.6.25 before 2.6.25.9 allows local users ...) - linux-2.6 2.6.26-1 [etch] - linux-2.6 (Introduced between 2.6.23 and 2.6.24) - linux-2.6.24 2.6.24-6~etchnhalf.4 NOTE: IMO this is a lack of optimisation, not a security issue? - jmm NOTE: 89f5b7da2a6bad2e84670422ab8192382a5aeb9f CVE-2008-2371 (Heap-based buffer overflow in pcre_compile.c in the Perl-Compatible Re ...) {DSA-1602-1 DTSA-145-1} - pcre3 7.6-2.1 (medium; bug #488919) CVE-2008-2370 (Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 th ...) - tomcat5.5 5.5.26-4 (bug #494504) CVE-2008-2369 (manzier.pxt in Red Hat Network Satellite Server before 5.1.1 has a har ...) NOT-FOR-US: Red Hat Network Satellite Server CVE-2008-2368 (Red Hat Certificate System 7.2 stores passwords in cleartext in the Us ...) NOT-FOR-US: Red Hat Certificate System CVE-2008-2367 (Red Hat Certificate System 7.2 uses world-readable permissions for pas ...) NOT-FOR-US: Red Hat Certificate System CVE-2008-2366 (Untrusted search path vulnerability in a certain Red Hat build script ...) - openoffice.org (RedHat-specific packaging flaw) CVE-2008-2365 (Race condition in the ptrace and utrace support in the Linux kernel 2. ...) - linux-2.6 2.6.17 NOTE: 5ecfbae093f0c37311e89b29bfc0c9d586eace87 f5b40e363ad6041a96e3da32281d8faa191597b9 NOTE: f358166a9405e4f1d8e50d8f415c26d95505b6de CVE-2008-2364 (The ap_proxy_http_process_response function in mod_proxy_http.c in the ...) - apache2 2.2.9-1 (low) [etch] - apache2 2.2.3-4+etch6 - apache (vulnerable code not present) CVE-2008-2363 (The PartsBatch class in Pan 0.132 and earlier does not properly manage ...) - pan 0.132-3.1 (bug #483562) [etch] - pan (Vulnerable code not added until 0.130) NOTE: see http://svn.gnome.org/viewvc/pan2/trunk/pan/data/parts.cc?view=log&pathrev=286 CVE-2008-2362 (Multiple integer overflows in the Render extension in the X server 1.4 ...) {DSA-1595-1 DTSA-141-1} - xorg-server 2:1.4.1~git20080517-2 CVE-2008-2361 (Integer overflow in the ProcRenderCreateCursor function in the Render ...) {DSA-1595-1 DTSA-141-1} - xorg-server 2:1.4.1~git20080517-2 CVE-2008-2360 (Integer overflow in the AllocateGlyph function in the Render extension ...) {DSA-1595-1 DTSA-141-1} - xorg-server 2:1.4.1~git20080517-2 CVE-2008-2359 (The default configuration of consolehelper in system-config-network be ...) NOT-FOR-US: system-config-network Fedora CVE-2008-2358 (Integer overflow in the dccp_feat_change function in net/dccp/feat.c i ...) {DSA-1592-1} - linux-2.6 2.6.20-1 NOTE: DCCP feature sanitising was introduced in 2.6.20 NOTE: this version casts sizeof to int. This is a module, not a compiled in feature in Debian CVE-2008-2357 (Stack-based buffer overflow in the split_redraw function in split.c in ...) {DSA-1587-1} - mtr 0.73-1 CVE-2008-2356 (SQL injection vulnerability in index.php in Archangel Weblog 0.90.02 a ...) NOT-FOR-US: Archangel Weblog CVE-2008-2355 (Directory traversal vulnerability in index.php in WR-Meeting 1.0, when ...) NOT-FOR-US: WR-Meeting CVE-2008-2354 (Unspecified vulnerability in the data export function in testMaker bef ...) NOT-FOR-US: testMaker CVE-2008-2353 (Directory traversal vulnerability in admin.php in GNU/Gallery 1.1.1.0 ...) NOT-FOR-US: GNU/Gallery CVE-2008-2352 (Directory traversal vulnerability in index.php in Smeego 1.0, when mag ...) NOT-FOR-US: Smeego CVE-2008-2351 (Multiple SQL injection vulnerabilities in index.php in CMS WebManager- ...) NOT-FOR-US: WebManager-Pro CVE-2008-2350 (Directory traversal vulnerability in highlight.php in bcoos 1.0.9 thro ...) NOT-FOR-US: bcoos CVE-2008-2349 (Zomplog 3.8.2 and earlier allows remote attackers to gain administrati ...) NOT-FOR-US: Zomplog CVE-2008-2348 (MeltingIce File System 1.0 allows remote attackers to bypass applicati ...) NOT-FOR-US: MeltingIce File System CVE-2008-2347 (MyPicGallery 1.0 allows remote attackers to bypass application authent ...) NOT-FOR-US: MyPicGallery CVE-2008-2346 (AlkalinePHP 0.77.35 and earlier allows remote attackers to bypass auth ...) NOT-FOR-US: AlkalinePHP CVE-2008-2345 (Unspecified vulnerability in the air_filemanager 0.6.0 and earlier ext ...) NOT-FOR-US: air_filemanager extension for typo3 CVE-2008-2344 (Cross-site scripting (XSS) vulnerability in the air_filemanager 0.6.0 ...) NOT-FOR-US: air_filemanager extension for typo3 CVE-2008-2343 (News Manager 2.0 allows remote attackers to bypass restrictions and ob ...) NOT-FOR-US: News Manager CVE-2008-2342 (Directory traversal vulnerability in attachments.php in News Manager 2 ...) NOT-FOR-US: News Manager CVE-2008-2341 (PHP remote file inclusion vulnerability in ch_readalso.php in News Man ...) NOT-FOR-US: News Manager CVE-2008-2340 (Multiple SQL injection vulnerabilities in News Manager 2.0 allow remot ...) NOT-FOR-US: News Manager CVE-2008-2339 (SQL injection vulnerability in index.php in Turnkey Web Tools SunShop ...) NOT-FOR-US: Turnkey Web Tools SunShop Shopping Cart CVE-2008-2338 (Interspire ActiveKB 1.5 and earlier allows remote attackers to gain pr ...) NOT-FOR-US: Interspire ActiveKB CVE-2008-2337 (Multiple SQL injection vulnerabilities in IMGallery 2.5, when magic_qu ...) NOT-FOR-US: IMGallery CVE-2008-2336 (SQL injection vulnerability in category.php in 68 Classifieds 4.0.1 al ...) NOT-FOR-US: 68 Classifieds CVE-2008-2335 (Cross-site scripting (XSS) vulnerability in search_results.php in Vast ...) NOT-FOR-US: Vastal I-Tech phpVID CVE-2008-2334 (Multiple SQL injection vulnerabilities in W1L3D4 Philboard 0.5 allow r ...) NOT-FOR-US: W1L3D4 Philboard CVE-2008-2333 (Cross-site scripting (XSS) vulnerability in ldap_test.cgi in Barracuda ...) NOT-FOR-US: Barracuda CVE-2008-2332 (ImageIO in Apple Mac OS X 10.4.11 and 10.5 through 10.5.4 allows conte ...) NOT-FOR-US: Apple Mac OS X CVE-2008-2331 (Finder in Apple Mac OS X 10.5 through 10.5.4 does not properly update ...) NOT-FOR-US: Apple Mac OS X CVE-2008-2330 (slapconfig in Directory Services in Apple Mac OS X 10.5 through 10.5.4 ...) NOT-FOR-US: Apple Mac OS X CVE-2008-2329 (Directory Services in Apple Mac OS X 10.5 through 10.5.4, when Active ...) NOT-FOR-US: Apple Mac OS X CVE-2008-2328 RESERVED CVE-2008-2327 (Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat, ...) {DSA-1632-1 DTSA-160-1} - tiff 3.8.2-11 (medium) - tiff3 (fixed prior to initial upload) CVE-2008-2326 (mDNSResponder in the Bonjour Namespace Provider in Apple Bonjour for W ...) NOT-FOR-US: Apple Bonjour for Windows CVE-2008-2325 (QuickLook in Apple Mac OS X 10.4.11 and 10.5.4 allows remote attackers ...) NOT-FOR-US: Apple Mac OS X CVE-2008-2324 (The Repair Permissions tool in Disk Utility in Apple Mac OS X 10.4.11 ...) NOT-FOR-US: Apple Mac OS X CVE-2008-2323 (Unspecified vulnerability in Data Detectors Engine in Apple Mac OS X 1 ...) NOT-FOR-US: Apple Mac OS X CVE-2008-2322 (Integer overflow in CoreGraphics in Apple Mac OS X 10.4.11, 10.5.2, an ...) NOT-FOR-US: Apple Mac OS X CVE-2008-2321 (Unspecified vulnerability in CoreGraphics in Apple Mac OS X 10.4.11 an ...) NOT-FOR-US: Apple Mac OS X CVE-2008-2320 (Stack-based buffer overflow in CarbonCore in Apple Mac OS X 10.4.11 an ...) NOT-FOR-US: Apple Mac OS X NOTE: the original apple advisory (HT3613) is completely different from the current CVE NOTE: description. it claims that this is a webkit issue, which is completely wrong CVE-2008-2319 RESERVED CVE-2008-2318 (The WOHyperlink implementation in WebObjects in Apple Xcode tools befo ...) NOT-FOR-US: Apple Xcode CVE-2008-2317 (WebCore in Apple Safari does not properly perform garbage collection o ...) NOT-FOR-US: Safari CVE-2008-2316 (Integer overflow in _hashopenssl.c in the hashlib module in Python 2.5 ...) {DSA-1977-1 DTSA-157-1} - python2.5 2.5.2-11 (low; bug #493797) - python2.4 (hashlib module introduced in python2.5) CVE-2008-2315 (Multiple integer overflows in Python 2.5.2 and earlier allow context-d ...) {DSA-1667-1 DTSA-157-1} - python2.5 2.5.2-10 [etch] - python2.5 (Minor issue, not the default Python runtime) - python2.4 2.4.5-5 CVE-2008-2314 (Dock in Apple Mac OS X 10.5 before 10.5.4, when Exposé hot corner ...) NOT-FOR-US: Mac OS X CVE-2008-2313 (Apple Mac OS X before 10.5 uses weak permissions for the User Template ...) NOT-FOR-US: Mac OS X CVE-2008-2312 (Network Preferences in Apple Mac OS X 10.4.11 stores PPP passwords in ...) NOT-FOR-US: Apple Mac OS X CVE-2008-2311 (Launch Services in Apple Mac OS X before 10.5, when Open Safe Files is ...) NOT-FOR-US: Mac OS X CVE-2008-2310 (Format string vulnerability in c++filt in Apple Mac OS X 10.5 before 1 ...) - binutils 2.18.1~cvs20080103-1 (low) [etch] - binutils (Minor issue) CVE-2008-2309 (Incomplete blacklist vulnerability in CoreTypes in Apple Mac OS X befo ...) NOT-FOR-US: CoreTypes in Apple Mac OS X CVE-2008-2308 (Unspecified vulnerability in Alias Manager in Apple Mac OS X 10.5.1 an ...) NOT-FOR-US: Alias Manager in Apple Mac OS X CVE-2008-2307 (Unspecified vulnerability in WebKit in Apple Safari before 3.1.2, as d ...) - webkit 1.0.1-1 - qt4-x11 4:4.6.2-4 [lenny] - qt4-x11 (Minor impact, no apps in Lenny which use qtwebkit ) NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against NOTE: http://trac.webkit.org/changeset/34204 CVE-2008-2306 (Apple Safari before 3.1.2 on Windows does not properly interpret the U ...) NOT-FOR-US: Windows issue CVE-2008-2305 (Heap-based buffer overflow in Apple Type Services (ATS) in Apple Mac O ...) NOT-FOR-US: Apple Type Services (ATS) CVE-2008-2304 (Buffer overflow in Apple Core Image Fun House 2.0 and earlier in CoreI ...) NOT-FOR-US: Apple Core Image Fun House CVE-2008-2303 (Integer signedness error in Safari on Apple iPhone before 2.0 and iPod ...) NOT-FOR-US: Safari CVE-2008-2301 (SQL injection vulnerability in Kostenloses Linkmanagementscript allows ...) NOT-FOR-US: Kostenloses Linkmanagementscript CVE-2008-2300 (Unspecified vulnerability in Citrix Presentation Server 4.5 and earlie ...) NOT-FOR-US: Citrix Software CVE-2008-2299 (Unspecified vulnerability in SecureICA and ICA Basic encryption of Cit ...) NOT-FOR-US: Citrix Software CVE-2008-2298 (Admin.php in Web Slider 0.6 allows remote attackers to bypass authenti ...) NOT-FOR-US: Web Slider CVE-2008-2297 (The admin.php file in Rantx allows remote attackers to bypass authenti ...) NOT-FOR-US: Rantx CVE-2008-2296 (PHP remote file inclusion vulnerability in include/bbs.lib.inc.php in ...) NOT-FOR-US: Rgboard CVE-2008-2295 (Cross-site scripting (XSS) vulnerability in rg_search.php in Rgboard 3 ...) NOT-FOR-US: Rgboard CVE-2008-2294 (Pet Grooming Management System 2.0 allows remote attackers to gain pri ...) NOT-FOR-US: Pet Grooming Management System CVE-2008-2293 (admin.php in Multi-Page Comment System (MPCS) 1.0 and 1.1 allows remot ...) NOT-FOR-US: Multi-Page Comment System CVE-2008-2292 (Buffer overflow in the __snprint_value function in snmp_get in Net-SNM ...) {DSA-1663-1 DTSA-134-1} - net-snmp 5.4.1~dfsg-8 (medium; bug #482333) CVE-2008-2291 (axengine.exe in Symantec Altiris Deployment Solution 6.8.x and 6.9.x b ...) NOT-FOR-US: Symantec Altiris Deployment Solution CVE-2008-2290 (Unspecified vulnerability in the Agent user interface in Symantec Alti ...) NOT-FOR-US: Symantec Altiris Deployment Solution CVE-2008-2289 (Unspecified vulnerability in a tooltip element in Symantec Altiris Dep ...) NOT-FOR-US: Symantec Altiris Deployment Solution CVE-2008-2288 (Symantec Altiris Deployment Solution 6.8.x and 6.9.x before 6.9.176 ha ...) NOT-FOR-US: Symantec Altiris Deployment Solution CVE-2008-2287 (Symantec Altiris Deployment Solution 6.8.x and 6.9.x before 6.9.176 do ...) NOT-FOR-US: Symantec Altiris Deployment Solution CVE-2008-2286 (SQL injection vulnerability in axengine.exe in Symantec Altiris Deploy ...) NOT-FOR-US: Symantec Altiris Deployment Solution CVE-2008-2285 (The ssh-vulnkey tool on Ubuntu Linux 7.04, 7.10, and 8.04 LTS does not ...) {DSA-1576-1} - openssh 1:4.7p1-10 CVE-2008-2284 (PHP remote file inclusion vulnerability in fusebox5.php in Fusebox 5.5 ...) NOT-FOR-US: Fusebox CVE-2008-2283 (IDAutomation allows remote attackers to overwrite arbitrary files via ...) NOT-FOR-US: IDAutomation CVE-2008-2282 (admin.php in Internet Photoshow and Internet Photoshow Special Edition ...) NOT-FOR-US: Internet Photoshow CVE-2008-2281 (Cross-zone scripting vulnerability in the Print Table of Links feature ...) NOT-FOR-US: Internet Explorer CVE-2005-4875 (TYPO3 3.8.0 and earlier allows remote attackers to obtain sensitive in ...) - typo3-src 4.0.2-1 CVE-2008-2280 (Cross-site scripting (XSS) vulnerability in admin/index.php in Script ...) NOT-FOR-US: PHP PicEngine CVE-2008-2279 (Freelance Auction Script 1.0 stores user passwords in plaintext in the ...) NOT-FOR-US: Freelance Auction Script CVE-2008-2278 (SQL injection vulnerability in browseproject.php in Freelance Auction ...) NOT-FOR-US: Freelance Auction Script CVE-2008-2277 (SQL injection vulnerability in detail.php in Feedback and Rating Scrip ...) NOT-FOR-US: Feedback and Rating Script CVE-2008-2275 (Unspecified vulnerability in sr_feuser_register 1.4.0, 1.6.0, 2.2.1 to ...) NOT-FOR-US: sr_feuser_register extension for TYPO3 CVE-2008-2274 (Cross-site scripting (XSS) vulnerability in the sr_feuser_register 1.4 ...) NOT-FOR-US: sr_feuser_register extension for TYPO3 CVE-2008-2273 (Unspecified vulnerability in the TACACS authentication component in Ar ...) NOT-FOR-US: TACACS authentication component in Aruba Mobility Controller CVE-2008-2272 (Multiple cross-site scripting (XSS) vulnerabilities in the web interfa ...) NOT-FOR-US: Aruba Mobility Controller CVE-2008-2271 (The Site Documentation Drupal module 5.x before 5.x-1.8 and 6.x before ...) NOT-FOR-US: Site Documentation Drupal module CVE-2008-2270 (Multiple PHP remote file inclusion vulnerabilities in PHPWAY Kostenlos ...) NOT-FOR-US: PHPWAY Linkmanagementscript CVE-2008-2269 (AustinSmoke GasTracker (AS-GasTracker) 1.0.0 allows remote attackers t ...) NOT-FOR-US: GasTracker CVE-2008-2268 (Open redirect vulnerability in interface/redirect.htm.php in Mjguest 6 ...) NOT-FOR-US: Mjguest CVE-2008-2267 (Incomplete blacklist vulnerability in javaUpload.php in Postlet in the ...) NOT-FOR-US: Postlet CVE-2008-2265 (SQL injection vulnerability in news.php in EMO Realty Manager allows r ...) NOT-FOR-US: EMO Realty Manager CVE-2008-2264 (Cross-site scripting (XSS) vulnerability in index.php in CyrixMED 1.4 ...) NOT-FOR-US: CyrixMED CVE-2008-2263 (SQL injection vulnerability in linking.page.php in Automated Link Exch ...) NOT-FOR-US: Automated Link Exchange Portal CVE-2008-2262 REJECTED CVE-2008-2261 REJECTED CVE-2008-2260 REJECTED CVE-2008-2259 (Microsoft Internet Explorer 6 and 7 does not perform proper "argument ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-2258 (Microsoft Internet Explorer 5.01, 6, and 7 accesses uninitialized memo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-2257 (Microsoft Internet Explorer 5.01, 6, and 7 accesses uninitialized memo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-2256 (Microsoft Internet Explorer 5.01, 6, and 7 does not properly handle ob ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-2255 (Microsoft Internet Explorer 5.01, 6, and 7 accesses uninitialized memo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-2254 (Microsoft Internet Explorer 6 and 7 accesses uninitialized memory, whi ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-2253 (Unspecified vulnerability in Microsoft Windows Media Player 11 allows ...) NOT-FOR-US: Microsoft Windows Media Player CVE-2008-2252 (The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 ...) NOT-FOR-US: Microsoft CVE-2008-2251 (Double free vulnerability in the kernel in Microsoft Windows 2000 SP4, ...) NOT-FOR-US: Microsoft CVE-2008-2250 (The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 ...) NOT-FOR-US: Microsoft CVE-2008-2249 (Integer overflow in GDI in Microsoft Windows 2000 SP4, XP SP2 and SP3, ...) NOT-FOR-US: Microsoft Windows CVE-2008-2248 (Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) f ...) NOT-FOR-US: Exchange Server CVE-2008-2247 (Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) f ...) NOT-FOR-US: Exchange Server CVE-2008-2246 (Microsoft Windows Vista through SP1 and Server 2008 do not properly im ...) NOT-FOR-US: Microsoft Windows Vista CVE-2008-2245 (Heap-based buffer overflow in the InternalOpenColorProfile function in ...) NOT-FOR-US: Microsoft Windows Image Color Management System (MSCMS) CVE-2008-2244 (Microsoft Office Word 2002 SP3 allows remote attackers to execute arbi ...) NOT-FOR-US: Microsoft Office Word CVE-2008-2243 REJECTED CVE-2008-2242 (Multiple buffer overflows in xdr functions in the server in CA BrightS ...) NOT-FOR-US: CA BrightStor ARCServe Backup CVE-2008-2241 (Directory traversal vulnerability in caloggerd in CA BrightStor ARCSer ...) NOT-FOR-US: CA BrightStor ARCServe Backup CVE-2008-2240 (Stack-based buffer overflow in the Web Server service in IBM Lotus Dom ...) NOT-FOR-US: IBM Lotus Domino CVE-2008-2239 RESERVED CVE-2008-2238 (Multiple integer overflows in OpenOffice.org (OOo) 2.x before 2.4.2 al ...) {DSA-1661-1} - openoffice.org 1:2.4.1-12 CVE-2008-2237 (Heap-based buffer overflow in OpenOffice.org (OOo) 2.x before 2.4.2 al ...) {DSA-1661-1} - openoffice.org 1:2.4.1-12 CVE-2008-2236 (Cross-site scripting (XSS) vulnerability in blosxom.cgi in Blosxom bef ...) - blosxom 2.1.2-1 (low; bug #500873) [etch] - blosxom 2.0-14+etch1 (low; bug #500873) CVE-2008-2235 (OpenSC before 0.11.5 uses weak permissions (ADMIN file control informa ...) {DSA-1627-2} - opensc 0.11.4-4 NOTE: https://web.archive.org/web/20081222095654/http://www.opensc-project.org/security.html CVE-2008-2234 (Multiple buffer overflows in Openwsman 1.2.0 and 2.0.0 allow remote at ...) - openwsman (bug #754501) CVE-2008-2233 (The client in Openwsman 1.2.0 and 2.0.0, in unknown configurations, al ...) - openwsman (bug #754501) CVE-2008-2232 (The expand_template function in afuse.c in afuse 0.2 allows local user ...) {DSA-1611-1 DTSA-149-1} - afuse 0.2-3 (bug #490921; medium) CVE-2008-2231 (SQL injection vulnerability in Slashdot Like Automated Storytelling Ho ...) {DSA-1633-1} - slash (medium; bug #484499) NOTE: See CVE-2008-2553 NOTE: maintainer wants to remove package from unstable and move to experimental CVE-2008-2230 (Untrusted search path vulnerability in (1) reportbug 3.8 and 3.31, and ...) - reportbug 3.41 (low; bug #484311) - reportbug-ng 0.2008.03.28 (low; bug #484474) [etch] - reportbug (Unlikely attack scenario) CVE-2008-2229 RESERVED CVE-2008-2228 (PHP remote file inclusion vulnerability in portfolio/commentaires/dern ...) NOT-FOR-US: Cyberfolio CVE-2008-2227 (Multiple directory traversal vulnerabilities in PHP-Fusion Forum Rank ...) NOT-FOR-US: PHP-Fusion CVE-2008-2226 (Unspecified vulnerability in the export feature in OpenKM before 2.0 a ...) NOT-FOR-US: OpenKM CVE-2008-2225 (SQL injection vulnerability in index.php in gameCMS Lite 1.0 allows re ...) NOT-FOR-US: gameCMS CVE-2008-2224 (Multiple PHP remote file inclusion vulnerabilities in SazCart 1.5.1, w ...) NOT-FOR-US: SazCart CVE-2008-2223 (SQL injection vulnerability in group_posts.php in vShare YouTube Clone ...) NOT-FOR-US: vShare YouTube Clone CVE-2008-2222 (SQL injection vulnerability in login.php in EQdkp 1.3.2f allows remote ...) NOT-FOR-US: EQdkp CVE-2008-2221 (Unspecified vulnerability in the Java plugin in IBM WebSphere Applicat ...) NOT-FOR-US: IBM WebSphere CVE-2008-2220 (Multiple PHP remote file inclusion vulnerabilities in Interact Learnin ...) NOT-FOR-US: Interact Learning Community Environment CVE-2008-2219 (Cross-site scripting (XSS) vulnerability in install.php in C-News.fr C ...) NOT-FOR-US: C-News.fr CVE-2008-2218 (Buffer overflow in the Multimedia PC Client in Nortel Multimedia Commu ...) NOT-FOR-US: Nortel Multimedia CVE-2008-2217 (Directory traversal vulnerability in cm/graphie.php in Content Managem ...) NOT-FOR-US: CMS Phprojekt CVE-2008-2216 (Unrestricted file upload vulnerability in src/yopy_upload.php in Proje ...) NOT-FOR-US: PBCS CVE-2008-2215 (Multiple directory traversal vulnerabilities in Project-Based Calendar ...) NOT-FOR-US: PBCS CVE-2008-2214 (Stack-based buffer overflow in the Network Manager in Castle Rock Comp ...) NOT-FOR-US: Castle Rock Computing SNMPc CVE-2008-2213 (Multiple cross-site scripting (XSS) vulnerabilities in admin/inc/foote ...) NOT-FOR-US: Maian Links CVE-2008-2212 (Multiple cross-site scripting (XSS) vulnerabilities in Maian Cart 1.1 ...) NOT-FOR-US: Maian Cart CVE-2008-2211 (Multiple cross-site scripting (XSS) vulnerabilities in admin/inc/foote ...) NOT-FOR-US: Maian Guestbook CVE-2008-2210 (Multiple cross-site scripting (XSS) vulnerabilities in Maian Support 1 ...) NOT-FOR-US: Maian Support CVE-2008-2209 (Multiple cross-site scripting (XSS) vulnerabilities in admin/inc/heade ...) NOT-FOR-US: Maian Greeting CVE-2008-2208 (SQL injection vulnerability in index.php in Maian Greeting 2.1 allows ...) NOT-FOR-US: Maian Greeting CVE-2008-2207 (Cross-site scripting (XSS) vulnerability in admin/index.php in Maian G ...) NOT-FOR-US: Maian Gallery CVE-2008-2206 (Multiple cross-site scripting (XSS) vulnerabilities in Maian Music 1.1 ...) NOT-FOR-US: Maian Music CVE-2008-2205 (SQL injection vulnerability in index.php in Maian Music 1.1 allows rem ...) NOT-FOR-US: Maian Music CVE-2008-2204 (Multiple cross-site scripting (XSS) vulnerabilities in admin/inc/heade ...) NOT-FOR-US: Maian Search CVE-2008-2203 (SQL injection vulnerability in search.php in Maian Search 1.1 allows r ...) NOT-FOR-US: Maian Search CVE-2008-2202 (Multiple cross-site scripting (XSS) vulnerabilities in Maian Uploader ...) NOT-FOR-US: Maian Uploader CVE-2008-2201 (Multiple cross-site scripting (XSS) vulnerabilities in admin/inc/heade ...) NOT-FOR-US: Maian Recipe CVE-2008-2200 (Multiple cross-site scripting (XSS) vulnerabilities in Maian Weblog 4. ...) NOT-FOR-US: Maian Weblog CVE-2008-2199 (PHP remote file inclusion vulnerability in kmitaadmin/kmitam/htmlcode. ...) NOT-FOR-US: Kmita Mail CVE-2008-2198 (PHP remote file inclusion vulnerability in kmitaadmin/kmitat/htmlcode. ...) NOT-FOR-US: Kmita Tellfriend CVE-2008-2197 (SQL injection vulnerability in the blogwriter module 2.0 for Miniweb a ...) NOT-FOR-US: Miniweb CVE-2008-2196 (Cross-site scripting (XSS) vulnerability in admin.php in LifeType 1.2. ...) NOT-FOR-US: LifeType CVE-2008-2195 (Static code injection vulnerability in admincp.php in DeluxeBB 1.2 and ...) NOT-FOR-US: DeluxeBB CVE-2008-2194 (SQL injection vulnerability in forums.php in DeluxeBB 1.2 and earlier ...) NOT-FOR-US: DeluxeBB CVE-2008-2193 (PHP remote file inclusion vulnerability in example.php in Thomas Gossm ...) NOT-FOR-US: ScorpNews CVE-2008-2192 (Static code injection vulnerability in box/minichat/boxpop.php in IT!C ...) NOT-FOR-US: itcms CVE-2008-2191 (SQL injection vulnerability in the pnEncyclopedia module 0.2.0 and ear ...) NOT-FOR-US: pnEncyclopedia CVE-2008-2190 (SQL injection vulnerability in index.php in Online Rent (aka Online Re ...) NOT-FOR-US: Online Rental Property Script CVE-2008-2189 (SQL injection vulnerability in viewfaqs.php in AnServ Auction XL allow ...) NOT-FOR-US: Online AnServ Auction XL CVE-2008-2188 (Multiple cross-site scripting (XSS) vulnerabilities in EJ3 BlackBook 1 ...) NOT-FOR-US: EJ3 BlackBook CVE-2008-2187 (Cross-site scripting (XSS) vulnerability in mjguest.php in Mjguest 6.7 ...) NOT-FOR-US: Mjguest CVE-2008-2186 (Cross-site scripting (XSS) vulnerability in index.php in Chilek Conten ...) NOT-FOR-US: Chilek CMS CVE-2008-2185 (Directory traversal vulnerability in index.php in SMartBlog (aka SMBlo ...) NOT-FOR-US: SMartBlog (SMBlog) CVE-2008-2184 (Multiple SQL injection vulnerabilities in SMartBlog (aka SMBlog) 1.3 a ...) NOT-FOR-US: SMartBlog (SMBlog) CVE-2008-2183 (SQL injection vulnerability in index.php in SMartBlog (aka SMBlog) 1.3 ...) NOT-FOR-US: SMartBlog (SMBlog) CVE-2008-2182 (Cross-site scripting (XSS) vulnerability in the powermail extension be ...) NOT-FOR-US: powermail extension for TYPO3 CVE-2008-2181 (Multiple cross-site scripting (XSS) vulnerabilities in search.php in c ...) NOT-FOR-US: cpLinks CVE-2008-2180 (Multiple SQL injection vulnerabilities in cpLinks 1.03, when magic_quo ...) NOT-FOR-US: cpLinks CVE-2008-2179 (Cross-site scripting (XSS) vulnerability in SystemList.jsp in SysAid 5 ...) NOT-FOR-US: SysAid CVE-2008-2178 (Cross-site scripting (XSS) vulnerability in admin.php in LifeType 1.2. ...) NOT-FOR-US: LifeType CVE-2008-2177 (Multiple SQL injection vulnerabilities in phpDirectorySource 1.1.06, w ...) NOT-FOR-US: phpDirectorySource CVE-2008-2176 (Cross-site scripting (XSS) vulnerability in admin/category.php in Zomp ...) NOT-FOR-US: Zomplog CVE-2008-2175 (SQL injection vulnerability in comments.php in Gamma Scripts BlogMe PH ...) NOT-FOR-US: Gamma Scripts BlogMe PHP CVE-2008-2174 (Multiple unspecified vulnerabilities in Robin Rawson-Tetley Animal She ...) NOT-FOR-US: Animal Shelter Manager CVE-2008-2173 (Unspecified vulnerability in Yamaha routers allows remote attackers to ...) NOT-FOR-US: Yamaha routers CVE-2008-2172 (Unspecified vulnerability in Hitachi GR routers allows remote attacker ...) NOT-FOR-US: Hitachi GR routers CVE-2008-2171 (Unspecified vulnerability in AlaxalA AX routers allows remote attacker ...) NOT-FOR-US: AlaxalA AX routers CVE-2008-2170 (Unspecified vulnerability in Century routers allows remote attackers t ...) NOT-FOR-US: Century routers CVE-2008-2169 (Unspecified vulnerability in Avici routers allows remote attackers to ...) NOT-FOR-US: Avici routers CVE-2008-2168 (Cross-site scripting (XSS) vulnerability in Apache 2.2.6 and earlier a ...) - apache2 2.2.8-1 (low) [etch] - apache2 2.2.3-4+etch4 (low) NOTE: This is really a browser issue. Recent apache versions add a workaround. CVE-2008-2167 (Cross-site scripting (XSS) vulnerability in ZyXEL ZyWALL 100 allows re ...) NOT-FOR-US: ZyXEL ZyWALL CVE-2008-2166 (Cross-site scripting (XSS) vulnerability in the search module in Sun J ...) NOT-FOR-US: Sun Java System CVE-2008-2165 (Cross-site scripting (XSS) vulnerability in AccessCodeStart.asp in Cis ...) NOT-FOR-US: Cisco Building Broadband Service Manager (BBSM) Captive Portal CVE-2008-2164 RESERVED CVE-2008-2163 (Cross-site scripting (XSS) vulnerability in IBM Lotus Quickr 8.1 befor ...) NOT-FOR-US: IBM Lotus Quickr CVE-2008-2276 (Cross-site request forgery (CSRF) vulnerability in manage_user_create. ...) - mantis 1.0.8-4.1 (bug #481504) CVE-2008-2266 (uulib/uunconc.c in UUDeview 0.5.20, as used in nzbget before 0.3.0 and ...) - uudeview 0.5.20-3.1 (low; bug #480972) [etch] - uudeview (Minor issue) - libconvert-uulib-perl (Code patched by libconver-uulib upstream to use mkstemp) - pan (Code patched to use g_mkstemp) NOTE: See CVE-2004-2265, where the problem occured as well CVE-2008-2302 (Cross-site scripting (XSS) vulnerability in the login form in the admi ...) - python-django 0.96.2-1 (bug #481164; low) [etch] - python-django 0.95.1-1etch1 NOTE: Minor issue fixed in 4.0r4 point release CVE-2008-2162 (Cross-site scripting (XSS) vulnerability in SonicWall Email Security 6 ...) NOT-FOR-US: SonicWall Email Security CVE-2008-2161 (Buffer overflow in TFTP Server SP 1.4 and 1.5 on Windows, and possibly ...) NOT-FOR-US: TFTP Server SP 1.4 and 1.5 on Windows CVE-2008-2160 (Multiple unspecified vulnerabilities in the JPEG (GDI+) and GIF image ...) NOT-FOR-US: Microsoft Windows CE 5.0 CVE-2008-2159 (Microsoft Internet Explorer 7 can save encrypted pages in the cache ev ...) NOT-FOR-US: Microsoft Internet Explorer 7 CVE-2008-2158 (Multiple stack-based buffer overflows in the Command Line Interface pr ...) NOT-FOR-US: AlphaStor CVE-2008-2157 (robotd in the Library Manager in EMC AlphaStor 3.1 SP1 for Windows all ...) NOT-FOR-US: AlphaStor CVE-2008-2156 RESERVED CVE-2008-2155 RESERVED CVE-2008-2154 (IBM DB2 8 before FP17, 9.1 before FP5, and 9.5 before FP2 provides an ...) NOT-FOR-US: IBM DB2 CVE-2008-2153 RESERVED CVE-2008-2152 (Integer overflow in the rtl_allocateMemory function in sal/rtl/source/ ...) - openoffice.org (openoffice in Debian does not use the custom allocations but g/malloc) NOTE: see ooo-build/distro-configs/CommonLinux.conf.in, openoffice builds on Debian using NOTE: --with-alloc=system which causes the build scripts to use the system allocators instead of the NOTE: custom ones CVE-2008-2151 RESERVED CVE-2008-2150 RESERVED CVE-2008-2149 (Stack-based buffer overflow in the searchwn function in Wordnet 2.0, 2 ...) {DSA-1634-1} - wordnet 1:3.0-10 (bug #481186) NOTE: wordnet can be used as a backend to web applications CVE-2008-2148 (The utimensat system call (sys_utimensat) in Linux kernel 2.6.22 and o ...) - linux-2.6 2.6.25-3 (bug #481195) [etch] - linux-2.6 (vulnerable code not present) - linux-2.6.24 2.6.24-6~etchnhalf.3 NOTE: utimensat() was introduced in 2.6.22 and sched_slice() in 2.6.24 CVE-2008-2145 (Stack-based buffer overflow in Novell Client 4.91 SP4 and earlier allo ...) NOT-FOR-US: Novell Client 4.91 SP4 CVE-2008-2144 (Multiple unspecified vulnerabilities in Solaris print service for Sun ...) NOT-FOR-US: Solaris print service CVE-2008-2143 (Unspecified versions of Microsoft Outlook Web Access (OWA) use the Cac ...) NOT-FOR-US: Microsoft Outlook Web Access (OWA) CVE-2008-2141 RESERVED CVE-2008-2140 (Cross-site request forgery (CSRF) vulnerability in the rootpw plugin i ...) NOT-FOR-US: rpath Appliance Platform Agent CVE-2008-2139 (The rootpw plugin in rPath Appliance Platform Agent 2 and 3 does not r ...) NOT-FOR-US: rpath Appliance Platform Agent CVE-2008-2138 (Oracle Application Server (OracleAS) Portal 10g allows remote attacker ...) NOT-FOR-US: Oracle Application Server (OracleAS) Portal 10g CVE-2008-2137 (The (1) sparc_mmap_check function in arch/sparc/kernel/sys_sparc.c and ...) {DSA-1588-1} - linux-2.6 2.6.25-3 - linux-2.6.24 2.6.24-6~etchnhalf.3 NOTE: Upstream commit: 5816339310b2d9623cf413d33e538b45e815da5d, part of 2.6.25.3 CVE-2008-2136 (Memory leak in the ipip6_rcv function in net/ipv6/sit.c in the Linux k ...) {DSA-1588-1} - linux-2.6 2.6.25-3 - linux-2.6.24 2.6.24-6~etchnhalf.3 NOTE: Upstream commit: 36ca34cc3b8335eb1fe8bd9a1d0a2592980c3f02, part of 2.6.25.3 CVE-2008-2135 (Multiple SQL injection vulnerabilities in VisualShapers ezContents 2.0 ...) NOT-FOR-US: VisualShapers ezContents CVE-2008-2134 (The Journal module in Tru-Zone Nuke ET 3.x allows remote attackers to ...) NOT-FOR-US: Tru-Zone Nuke ET CVE-2008-2133 (Cross-site scripting (XSS) vulnerability in the Journal module in Tru- ...) NOT-FOR-US: Tru-Zone Nuke ET CVE-2008-2132 (SQL injection vulnerability in step1.asp in Systementor PostcardMentor ...) NOT-FOR-US: Systementor PostcardMentor CVE-2008-2131 (Cross-site scripting (XSS) vulnerability in mvnForum 1.1 GA allows rem ...) NOT-FOR-US: mvnForum CVE-2008-2130 (SQL injection vulnerability in poll_vote.php in iGaming CMS 1.5 allows ...) NOT-FOR-US: iGaming CVE-2008-2129 (SQL injection vulnerability in index.php in Galleristic 1.0, when magi ...) NOT-FOR-US: Galleristic CVE-2008-2128 (PHP remote file inclusion vulnerability in templates/header.php in CMS ...) NOT-FOR-US: Faethon CVE-2008-2127 (Cross-site scripting (XSS) vulnerability in search.php in CMS Faethon ...) NOT-FOR-US: Faethon CVE-2008-2126 (Multiple cross-site scripting (XSS) vulnerabilities in Tux CMS 0.1 all ...) NOT-FOR-US: Tux CMS CVE-2008-2125 (SQL injection vulnerability in viewalbums.php in Musicbox 2.3.6 and 2. ...) NOT-FOR-US: Musicbox CVE-2008-2124 (SQL injection vulnerability in modules/print.asp in fipsASP fipsCMS al ...) NOT-FOR-US: fipsASP CVE-2008-2123 (Cross-site scripting (XSS) vulnerability in WGate in SAP Internet Tran ...) NOT-FOR-US: WGate CVE-2008-2122 (IBM Rational Build Forge 7.0.2 allows remote attackers to cause a deni ...) NOT-FOR-US: IBM Rational Build Forge CVE-2008-2121 (The TCP implementation in Sun Solaris 8, 9, and 10 allows remote attac ...) NOT-FOR-US: Sun Solaris CVE-2008-2120 (Unspecified vulnerability in Sun Java System Application Server 7 2004 ...) NOT-FOR-US: Sun Java System Application Server CVE-2008-2119 (Asterisk Open Source 1.0.x and 1.2.x before 1.2.29 and Business Editio ...) - asterisk 1.4 NOTE: http://downloads.digium.com/pub/security/AST-2008-008.html CVE-2008-2118 (SQL injection vulnerability in info.php in Project Alumni 1.0.9 allows ...) NOT-FOR-US: Project Alumni CVE-2008-2117 (Cross-site scripting (XSS) vulnerability in pages/news.page.inc in Pro ...) NOT-FOR-US: Project Alumni CVE-2008-2116 (Multiple directory traversal vulnerabilities in editor.php in ScriptsE ...) NOT-FOR-US: ScriptsEZ.net Power Editor CVE-2008-2115 (Multiple cross-site scripting (XSS) vulnerabilities in editor.php in S ...) NOT-FOR-US: ScriptsEZ.net Power Editor CVE-2008-2114 (SQL injection vulnerability in emall/search.php in Pre Shopping Mall 1 ...) NOT-FOR-US: Pre Shopping Mall CVE-2008-2113 (SQL injection vulnerability in annuaire.php in PHPEasyData 1.5.4 allow ...) NOT-FOR-US: PHPEasyData CVE-2003-1558 (Buffer overflow in httpd.c of fnord 1.6 allows remote attackers to cre ...) - fnord 1.7-1 (low) CVE-2008-2142 (Emacs 21 and XEmacs automatically load and execute .flc (fast lock) fi ...) - emacs22 22.2+2-3 (low; bug #480885) - xemacs21-packages 2009.02.17-1 (low; bug #480886) [etch] - xemacs21-packages (Minor issue) [lenny] - xemacs21-packages (Minor issue) [etch] - xemacs21 (Minor issue) [lenny] - xemacs21 (Minor issue) - emacs21 21.4a+1-5.5 (low; bug #480877) [etch] - emacs21 (Minor issue) CVE-2008-2147 (Untrusted search path vulnerability in VideoLAN VLC before 0.9.0 allow ...) {DSA-1819-1 DTSA-132-1} - vlc 0.8.6.e-2.2 (low; bug #480724) NOTE: https://trac.videolan.org/vlc/ticket/1578 NOTE: http://git.videolan.org/?p=vlc.git;a=commit;h=c7cef4fdd8dd72ce0a45be3cda8ba98df5e83181 CVE-2008-6339 REJECTED CVE-2008-2112 (Unspecified vulnerability in Sun Ray Kiosk Mode 4.0 allows local and r ...) NOT-FOR-US: Sun Ray Kiosk Mode CVE-2008-2111 (The ActiveX Control (yNotifier.dll) in Yahoo! Assistant 3.6 and earlie ...) NOT-FOR-US: Yahoo Assistant CVE-2008-2110 (Unrestricted file upload vulnerability in qtofm.php in QTOFileManager ...) NOT-FOR-US: QTOFileManager CVE-2008-2109 (field.c in the libid3tag 0.15.0b library allows context-dependent atta ...) - libid3tag 0.15.1b-8 (low; bug #480187) [etch] - libid3tag (Minor issue) NOTE: totally different approach to fix the bug, see Kurts comments in the bug report CVE-2008-2108 (The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, ...) {DSA-1789-1} - php5 5.2.2-1 (low) NOTE: http://web.archive.org/web/20120118120046/http://www.sektioneins.de/advisories/SE-2008-02.txt CVE-2008-2107 (The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, ...) {DSA-1789-1} - php5 5.2.2-1 (low) NOTE: closely related to CVE-2008-2108 CVE-2008-2106 (Call of Duty 4 (CoD4) 1.5 and earlier allows remote authenticated user ...) NOT-FOR-US: Call of Duty CVE-2008-2105 (email_in.pl in Bugzilla 2.23.4, 3.0.x before 3.0.4, and 3.1.x before 3 ...) - bugzilla 3.0.4-1 (low) [etch] - bugzilla (vulnerable code introduced in 2.23.4) CVE-2008-2104 (The WebService in Bugzilla 3.1.3 allows remote authenticated users wit ...) - bugzilla (regression introduced in 3.1.3 referring to upstream) CVE-2008-2103 (Cross-site scripting (XSS) vulnerability in Bugzilla 2.17.2 and later ...) - bugzilla 3.0.4-1 (low; bug #480190) [etch] - bugzilla (Minor issue) CVE-2008-2102 RESERVED CVE-2008-2101 (The VMware Consolidated Backup (VCB) command-line utilities in VMware ...) NOT-FOR-US: VMware ESX CVE-2008-2100 (Multiple buffer overflows in VIX API 1.1.x before 1.1.4 build 93057 on ...) - vmware-package (low; bug #485919) [etch] - vmware-package (Contrib not supported) NOTE: vmware-package just builds vmware from downloaded tarballs, the package itself NOTE: does not download them, however it needs to update its hashes for upstream tarballs CVE-2008-2099 (Unspecified vulnerability in VMCI in VMware Workstation 6 before 6.0.4 ...) - vmware-package (Windows issue according to CVE) [etch] - vmware-package (Contrib not supported) CVE-2008-2098 (Heap-based buffer overflow in the VMware Host Guest File System (HGFS) ...) - vmware-package (low; bug #484491) [etch] - vmware-package (Contrib not supported) NOTE: vmware-package just builds vmware from downloaded tarballs, the package itself NOTE: does not download them, however it needs to update its hashes for upstream tarballs CVE-2008-2097 (Buffer overflow in the openwsman management service in VMware ESXi 3.5 ...) NOT-FOR-US: Vmware ESX/i CVE-2008-2096 (SQL injection vulnerability in BackLinkSpider allows remote attackers ...) NOT-FOR-US: BackLinkSpider CVE-2008-2095 (SQL injection vulnerability in index.php in the FlippingBook (com_flip ...) NOT-FOR-US: FlippingBook CVE-2008-2094 (SQL injection vulnerability in article.php in the Article module for X ...) NOT-FOR-US: XOOPS CVE-2008-2093 (SQL injection vulnerability in the Profiler (com_comprofiler) componen ...) NOT-FOR-US: JOOMLA extra component CVE-2008-2092 (Linksys SPA-2102 Phone Adapter 3.3.6 allows remote attackers to cause ...) NOT-FOR-US: Linksys SPA-2102 Phone Adapter CVE-2008-2091 (Directory traversal vulnerability in ipn.php in KubeLabs Kubelance 1.6 ...) NOT-FOR-US: Kubelance CVE-2008-2090 (Unspecified vulnerability in the SCTP protocol implementation in Sun S ...) NOT-FOR-US: Sun Solaris CVE-2008-2089 (Unspecified vulnerability in the SCTP protocol implementation in Sun S ...) NOT-FOR-US: Sun Solaris CVE-2008-2088 (SQL injection vulnerability in admin/news.php in PHP Forge 3.0 beta 2 ...) NOT-FOR-US: PHP Forge CVE-2008-2087 (SQL injection vulnerability in search_result.php in Softbiz Web Host D ...) NOT-FOR-US: Softbiz Web Host Directory Script CVE-2008-2086 (Sun Java Web Start and Java Plug-in for JDK and JRE 6 Update 10 and ea ...) - openjdk-6 (browser plugin is different code base) - sun-java5 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 (Non-free not supported) - sun-java6 6-10-1 [lenny] - sun-java6 (Non-free not supported) CVE-2008-2084 (SQL injection vulnerability in topics.php in the MyArticles 0.6 beta-1 ...) NOT-FOR-US: MyArticles CVE-2008-2083 (SQL injection vulnerability in directory.php in Prozilla Hosting Index ...) NOT-FOR-US: Prozilla Hosting CVE-2008-2082 (Cross-site scripting (XSS) vulnerability in index.php in Siteman 2.0.x ...) NOT-FOR-US: Siteman CVE-2008-2081 (Directory traversal vulnerability in index.php in Siteman 2.0.x2 allow ...) NOT-FOR-US: Siteman CVE-2008-2080 (Stack-based buffer overflow in the Read32s_64 function in src/lib/cdfr ...) NOT-FOR-US: NASA Goddard Space Flight Center Common Data Format (CDF) library CVE-2008-2079 (MySQL 4.1.x before 4.1.24, 5.0.x before 5.0.60, 5.1.x before 5.1.24, a ...) {DSA-1608-1 DTSA-150-1} - mysql-dfsg-5.0 5.0.51a-10 (low; bug #480292) CVE-2008-2078 (Robocode before 1.6.0 allows user-assisted remote attackers to "access ...) - robocode 1.6.0~beta2-1 (low) CVE-2008-2077 (Unspecified vulnerability in Plain Black WebGUI 7.4.34 has unknown imp ...) NOT-FOR-US: Plain Black WebGUI CVE-2008-2076 (Directory traversal vulnerability in admin.php in ActualScripts Actual ...) NOT-FOR-US: ActualScripts CVE-2008-2075 (Cross-site scripting (XSS) vulnerability in pic.php in AstroCam 2.5.0 ...) NOT-FOR-US: AstroCam CVE-2008-2074 (Multiple PHP remote file inclusion vulnerabilities Harris Yusuf Arifin ...) NOT-FOR-US: Harris Yusuf Arifin Harris Wap Chat 1.0 CVE-2008-2073 (Directory traversal vulnerability in include/global.inc.php in Virtual ...) NOT-FOR-US: vlbook CVE-2008-2072 (Cross-site scripting (XSS) vulnerability in index.php in Virtual Desig ...) NOT-FOR-US: vlbook CVE-2008-2071 (Multiple cross-site request forgery (CSRF) vulnerabilities in the WHM ...) NOT-FOR-US: cPanel CVE-2008-2070 (The WHM interface 11.15.0 for cPanel 11.18 before 11.18.4 and 11.22 be ...) NOT-FOR-US: cPanel CVE-2008-2069 (Buffer overflow in Novell GroupWise 7 allows remote attackers to cause ...) NOT-FOR-US: Novell GroupWise CVE-2008-2068 (Cross-site scripting (XSS) vulnerability in WordPress 2.5 allows remot ...) - wordpress 2.5.1-1 [etch] - wordpress (Vulnerable code not present) CVE-2008-2067 (SQL injection vulnerability in bb_admin.php in miniBB 2.2a allows remo ...) NOT-FOR-US: miniBB CVE-2008-2066 (Cross-site scripting (XSS) vulnerability in bb_admin.php in miniBB 2.2 ...) NOT-FOR-US: miniBB CVE-2008-2065 (SQL injection vulnerability in jokes.php in YourFreeWorld Jokes Site S ...) NOT-FOR-US: YourFreeWorld CVE-2008-2064 (Multiple unspecified vulnerabilities in PhpGedView before 4.1.5 have u ...) {DSA-1580-1} - phpgedview 4.1.e+4.1.5-1 CVE-2008-2063 (SQL injection vulnerability in browse.videos.php in Joovili 3.1 allows ...) NOT-FOR-US: Joovili CVE-2008-2062 (The Real-Time Information Server (RIS) Data Collector service in Cisco ...) NOT-FOR-US: Cisco Real-Time Information Server (RIS) Data Collector service CVE-2008-2061 (The Computer Telephony Integration (CTI) Manager service in Cisco Unif ...) NOT-FOR-US: Cisco Computer Telephony Integration (CTI) Manager service CVE-2008-2060 (Unspecified vulnerability in Cisco Intrusion Prevention System (IPS) 5 ...) NOT-FOR-US: Cisco CVE-2008-2059 (Cisco Adaptive Security Appliance (ASA) and Cisco PIX security applian ...) NOT-FOR-US: Cisco CVE-2008-2058 (Cisco Adaptive Security Appliance (ASA) and Cisco PIX security applian ...) NOT-FOR-US: Cisco CVE-2008-2057 (The Instant Messenger (IM) inspection engine in Cisco Adaptive Securit ...) NOT-FOR-US: Cisco CVE-2008-2056 (Cisco Adaptive Security Appliance (ASA) and Cisco PIX security applian ...) NOT-FOR-US: Cisco CVE-2008-2055 (Cisco Adaptive Security Appliance (ASA) and Cisco PIX security applian ...) NOT-FOR-US: Cisco CVE-2008-2054 (Unspecified vulnerability in Cisco CiscoWorks Common Services 3.0.3 th ...) NOT-FOR-US: Cisco CiscoWorks Common Services CVE-2008-2053 (Unspecified vulnerability in Cisco Unified Customer Voice Portal (CVP) ...) NOT-FOR-US: Cisco Unified Customer Voice Portal CVE-2008-2052 (Open redirect vulnerability in redirect.php in Bitrix Site Manager 6.5 ...) NOT-FOR-US: Bitrix Site Manager CVE-2008-2049 (The POP3 server (EPSTPOP3S.EXE) 4.22 in E-Post Mail Server 4.10 allows ...) NOT-FOR-US: E-Post Mail Server CVE-2008-2048 (Cross-site scripting (XSS) vulnerability in hpz/admin/Default.asp in A ...) NOT-FOR-US: Angelo-Emlak CVE-2008-2047 (Multiple SQL injection vulnerabilities in Angelo-Emlak 1.0 allow remot ...) NOT-FOR-US: Angelo-Emlak CVE-2008-2046 (Cross-site scripting (XSS) vulnerability in index.php in Softpedia Sit ...) NOT-FOR-US: Softpedia CVE-2008-2045 (Absolute path traversal vulnerability in SugarCRM Sugar Community Edit ...) - sugarcrm-ce-5.0 (bug #457876) CVE-2008-2044 (includes/library.php in netOffice Dwins 1.3 p2 compares the demoSessio ...) NOT-FOR-US: netOffice Dwins CVE-2008-2043 (Multiple cross-site request forgery (CSRF) vulnerabilities in cPanel, ...) NOT-FOR-US: cPanel CVE-2008-2085 (Multiple stack-based buffer overflows in the (1) get_remote_ip_media a ...) - sip-tester 2.0.1-1.2 (low; bug #479039) [etch] - sip-tester (Minor issue) CVE-2008-2051 (The escapeshellcmd API function in PHP before 5.2.6 has unknown impact ...) {DSA-1578-1 DSA-1572-1 DTSA-135-1} - php5 5.2.6-1 NOTE: http://www.php.net/ChangeLog-5.php NOTE: http://web.archive.org/web/20120524033327/http://www.sektioneins.de/advisories/SE-2008-03.txt CVE-2008-2050 (Stack-based buffer overflow in the FastCGI SAPI (fastcgi.c) in PHP bef ...) {DSA-1572-1 DTSA-135-1} - php5 5.2.6-1 NOTE: php4 not affected, the vulnerable code isn't present NOTE: http://www.php.net/ChangeLog-5.php CVE-2008-2042 (The Javascript API in Adobe Acrobat Professional 7.0.9 and possibly 8. ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2008-2039 REJECTED CVE-2008-2038 (Multiple SQL injection vulnerabilities in admin/adminindex.php in Turn ...) NOT-FOR-US: Tunkey WebTools CVE-2008-2037 (Multiple cross-site scripting (XSS) vulnerabilities in EditeurScripts ...) NOT-FOR-US: EidteurScripts CVE-2008-2036 (SQL injection vulnerability in index.php in dream4 Koobi Pro 6.25 allo ...) NOT-FOR-US: Koobi Pro CVE-2008-2035 (Cross-site scripting (XSS) vulnerability in the Bluemoon, Inc. (1) Bac ...) NOT-FOR-US: Bluemoon CVE-2008-2034 (SQL injection vulnerability in wp-download_monitor/download.php in the ...) NOT-FOR-US: wordpress Download Monitor 2.0.6 plugin CVE-2008-2033 REJECTED CVE-2008-2032 (The FTP service in Acritum Femitter Server 1.03 allows remote attacker ...) NOT-FOR-US: Acritum Femitter Server CVE-2008-2031 (VicFTPS 5.0 allows remote attackers to cause a denial of service (cras ...) NOT-FOR-US: VicFTPS CVE-2008-2030 (Cross-site scripting (XSS) vulnerability in installControl.php3 in F5 ...) NOT-FOR-US: FirePass CVE-2008-2029 (Multiple SQL injection vulnerabilities in (1) setup_mysql.php and (2) ...) NOT-FOR-US: miniBB CVE-2008-2028 (miniBB 2.2, and possibly earlier, when register_globals is enabled, al ...) NOT-FOR-US: miniBB CVE-2008-2027 (Open redirect vulnerability in WebID/IISWebAgentIF.dll in RSA Authenti ...) NOT-FOR-US: RSA Authentication Agent CVE-2008-2026 (Cross-site scripting (XSS) vulnerability in WebID/IISWebAgentIF.dll in ...) NOT-FOR-US: RSA Authentication Agent CVE-2008-2025 (Cross-site scripting (XSS) vulnerability in Apache Struts before 1.2.9 ...) - libstruts1.2-java 1.2.9-3.1 (low; bug #528352) [lenny] - libstruts1.2-java (Minor issue) CVE-2008-2024 (Cross-site scripting (XSS) vulnerability in index.php in miniBB 2.2, a ...) NOT-FOR-US: miniBB CVE-2008-2023 (Multiple SQL injection vulnerabilities in PD9 Software MegaBBS 2.2 all ...) NOT-FOR-US: MegaBBS CVE-2008-2022 (Mulatiple cross-site scripting (XSS) vulnerabilities in PD9 Software M ...) NOT-FOR-US: MegaBBS CVE-2008-2021 (Heap-based buffer overflow in Lhaplus before 1.57 allows remote attack ...) NOT-FOR-US: Lhaplus CVE-2008-2020 (The CAPTCHA implementation as used in (1) Francisco Burzi PHP-Nuke 7.0 ...) NOT-FOR-US: PHP-Nuke CVE-2008-2019 (Simple Machines Forum (SMF), probably 1.1.4, relies on "randomly gener ...) NOT-FOR-US: Simple Machines Forum CVE-2008-2018 (The AssignUser function in template.class.php in PHPizabi 0.848b C1 HF ...) NOT-FOR-US: PHPizabi CVE-2008-2017 (Directory traversal vulnerability in Chilek Content Management System ...) NOT-FOR-US: Chilek Content Management System CVE-2008-2016 (PHP remote file inclusion vulnerability in Chilek Content Management S ...) NOT-FOR-US: Chilek Content Management System CVE-2008-2015 (Multiple absolute path traversal vulnerabilities in certain ActiveX co ...) NOT-FOR-US: WatchFire CVE-2008-2014 (Mozilla Firefox 3.0 beta 5 allows remote attackers to cause a denial o ...) - iceweasel (unimportant) NOTE: Browser crashes / hangs not treated as security issues CVE-2008-2013 (SQL injection vulnerability in index.php in the pnFlashGames 1.5 throu ...) NOT-FOR-US: pnFlashGames CVE-2008-2012 (SQL injection vulnerability in index.php in the PostSchedule 1.0 modul ...) NOT-FOR-US: PostSchedule CVE-2008-2011 (Cross-site scripting (XSS) vulnerability in the National Rail Enquirie ...) NOT-FOR-US: National Rail Enquiries Live Departure Boards gadget CVE-2008-2010 (Unspecified vulnerability in Apple QuickTime Player on Windows XP SP2 ...) NOT-FOR-US: Windows CVE-2008-2009 (Xiph.org libvorbis before 1.0 does not properly check for underpopulat ...) - libvorbisidec 1.0.2+svn18153-0.1 (bug #669196) [squeeze] - libvorbisidec (Minor issue, no dev-deps) - libvorbis 1.2.0.dfsg-4 (bug #482039) [etch] - libvorbis (actual vulnerability fixed pre-1.0) [lenny] - libvorbis (actual vulnerability fixed pre-1.0) NOTE: additional hardening features have already been added to the unstable NOTE: packages that would be useful to have in stable, so proposing as spu/ospu CVE-2008-2008 (Buffer overflow in the Display Names message feature in Cerulean Studi ...) NOT-FOR-US: Cerulean Studios Trillian Basic CVE-2008-2007 REJECTED CVE-2008-2006 (Apple iCal 3.0.1 on Mac OS X allows remote CalDAV servers, and user-as ...) NOT-FOR-US: Apple iCal CVE-2008-2005 (The SuiteLink Service (aka slssvc.exe) in WonderWare SuiteLink before ...) NOT-FOR-US: SuiteLink CVE-2008-2004 (The drive_init function in QEMU 0.9.1 determines the format of a raw d ...) {DTSA-133-1} - qemu 0.9.1-5 - kvm 66+dfsg-1.1 (bug #481204) - xen-3 3.4.0-1 (bug #490409) - xen-unstable (bug #490411) - xen-3.0 CVE-2008-2003 (BadBlue 2.72 Personal Edition stores multiple programs in the web docu ...) NOT-FOR-US: BadBlue CVE-2008-2002 (Multiple cross-site request forgery (CSRF) vulnerabilities on Motorola ...) NOT-FOR-US: Motorola software CVE-2008-2001 (Apple Safari 3.1.1 allows remote attackers to cause a denial of servic ...) NOT-FOR-US: Apple Safari CVE-2008-2000 (Unspecified vulnerability in Apple Safari 3.1.1 allows remote attacker ...) NOT-FOR-US: Apple Safari CVE-2008-1999 (Apple Safari 3.1.1 allows remote attackers to spoof the address bar by ...) NOT-FOR-US: Apple Safari CVE-2008-1998 (The NNSTAT (aka SYSPROC.NNSTAT) procedure in IBM DB2 8 before FP16, 9. ...) NOT-FOR-US: Windows specific CVE-2008-1997 (Unspecified vulnerability in the ADMIN_SP_C2 procedure in IBM DB2 8 be ...) NOT-FOR-US: IBM DB2 CVE-2008-1996 (licq before 1.3.6 allows remote attackers to cause a denial of service ...) - licq 1.3.5-6 (low; bug #479036) [etch] - licq (Minor issue) CVE-2008-1995 (Sun Java System Directory Proxy Server 6.0, 6.1, and 6.2 classifies a ...) NOT-FOR-US: Sun Java System Directory Proxy Server CVE-2008-1994 (Multiple stack-based buffer overflows in (a) acon.c, (b) menu.c, and ( ...) - acon 1.0.5-6.1 (low; bug #475733) CVE-2008-1993 (Acidcat CMS 3.4.1 does not restrict access to the FCKEditor component, ...) NOT-FOR-US: Acidcat CVE-2008-1992 (Acidcat CMS 3.4.1 does not properly restrict access to (1) default_mai ...) NOT-FOR-US: Acidcat CVE-2008-1991 (Cross-site scripting (XSS) vulnerability in admin_colors_swatch.asp in ...) NOT-FOR-US: Acidcat CVE-2008-1990 (Multiple SQL injection vulnerabilities in Acidcat CMS 3.4.1 allow remo ...) NOT-FOR-US: Acidcat CVE-2008-1989 (PHP remote file inclusion vulnerability in 123flashchat.php in the 123 ...) NOT-FOR-US: Flash Chat CVE-2008-1988 (Unrestricted file upload vulnerability in the file_upload function in ...) NOT-FOR-US: EncapsGallery CVE-2008-1987 (Cross-site scripting (XSS) vulnerability in search.php in EncapsGaller ...) NOT-FOR-US: EncapsGallery CVE-2008-1986 (Cross-site scripting (XSS) vulnerability in liste_article.php in Blog ...) NOT-FOR-US: PixelMotion CVE-2008-1985 (Cross-site scripting (XSS) vulnerability in base.php in DigitalHive 2. ...) NOT-FOR-US: DigitalHive CVE-2008-1984 (The eTrust Common Services (Transport) Daemon (eCSqdmn) in CA Secure C ...) NOT-FOR-US: eTrust CVE-2008-1983 (Cross-site scripting (XSS) vulnerability in Advanced Electron Forum (A ...) NOT-FOR-US: Advanced Electron Forum (AEF) CVE-2008-1982 (SQL injection vulnerability in ss_load.php in the Spreadsheet (wpSS) 0 ...) NOT-FOR-US: Wordpress Spreadsheet plugin CVE-2008-1981 (Cross-site request forgery (CSRF) vulnerability in E-Publish 5.x befor ...) NOT-FOR-US: e-publish CVE-2008-1980 (Cross-site scripting (XSS) vulnerability in E-Publish 5.x before 5.x-1 ...) NOT-FOR-US: e-publish CVE-2008-1979 (The Discovery Service (casdscvc) in CA ARCserve Backup 12.0.5454.0 and ...) NOT-FOR-US: CA ARCserve Backup CVE-2008-1978 (Cross-site scripting (XSS) vulnerability in the Ubercart 5.x before 5. ...) NOT-FOR-US: Ubercart CVE-2008-1977 (Cross-site request forgery (CSRF) vulnerability in the Internationaliz ...) NOT-FOR-US: Drupal internationalization and localizer module CVE-2008-1976 (Multiple cross-site scripting (XSS) vulnerabilities in the Drupal modu ...) NOT-FOR-US: Drupal internationalization and localizer module CVE-2008-1975 (SQL injection vulnerability in index.php in E-RESERV 2.1 allows remote ...) NOT-FOR-US: E-RESERV CVE-2008-1973 (Heap-based buffer overflow in SubEdit Player build 4056 and 4066 allow ...) NOT-FOR-US: SubEdit Player CVE-2008-1972 (Multiple cross-site scripting (XSS) vulnerabilities in the user accoun ...) NOT-FOR-US: Exponent CMS CVE-2008-1971 (phShoutBox Final 1.5 and earlier only checks passwords when specified ...) NOT-FOR-US: phShoutBox CVE-2008-1970 (muCommander before 0.8.2 stores credentials.xml with insecure permissi ...) NOT-FOR-US: muCommander CVE-2008-1969 (Multiple cross-site scripting (XSS) vulnerabilities in Cezanne 6.5.1 a ...) NOT-FOR-US: Cezanne CVE-2008-1968 (Multiple SQL injection vulnerabilities in Cezanne 7 allow remote authe ...) NOT-FOR-US: Cezanne CVE-2008-1967 (Cross-site scripting (XSS) vulnerability in CFLogon/CFLogon.asp in Cez ...) NOT-FOR-US: Cezanne CVE-2008-1966 (Multiple buffer overflows in the JAR file administration routines in t ...) NOT-FOR-US: Windows specific CVE-2008-1965 (Argument injection vulnerability in the cai: URI handler in rcplaunche ...) NOT-FOR-US: Lotus Expeditor CVE-2008-1964 - xine-lib (nsf support disabled by maintainer) NOTE: xine-lib (1.1.12) uses strndup to allocate the needed memory and limits it to 32 bytes NOTE: while copyright is 100 bytes long (+ padding for chunks) CVE-2008-1963 (PHP remote file inclusion vulnerability in includes/functions.php in Q ...) NOT-FOR-US: Quate Grape Web Statistics CVE-2008-1962 (Multiple directory traversal vulnerabilities in Aterr 0.9.1 allow remo ...) NOT-FOR-US: Aterr CVE-2008-1961 (SQL injection vulnerability in index.php in Voice Of Web AllMyGuests 0 ...) NOT-FOR-US: Voice Of Web AllMyGuests CVE-2008-1960 (Cross-site scripting (XSS) vulnerability in cgi-bin/contray/search.cgi ...) NOT-FOR-US: ContRay CVE-2008-1959 (Stack-based buffer overflow in the get_remote_video_port_media functio ...) - sip-tester 2.0.1-1.2 (low; bug #479039) [etch] - sip-tester (Minor issue) CVE-2008-1958 (Unrestricted file upload vulnerability in the ajout_cat mode in admin/ ...) NOT-FOR-US: Tr Script News CVE-2008-1957 (SQL injection vulnerability in news.php in Tr Script News 2.1 allows r ...) NOT-FOR-US: Tr Script News CVE-2008-2146 (wp-includes/vars.php in Wordpress before 2.2.3 does not properly extra ...) {DSA-1564-1} - wordpress 2.2.3-1 NOTE: http://trac.wordpress.org/ticket/4748 NOTE: fixed in DSA-1564-1 CVE-2008-2040 (Stack-based buffer overflow in the HTTP::getAuthUserPass function (cor ...) {DSA-1583-1 DSA-1582-1} - peercast 0.1218+svn20080104-1.1 (medium; bug #478573) - gnome-peercast NOTE: etch version tested with PoC, affected CVE-2008-1974 (Cross-site scripting (XSS) vulnerability in addevent.php in Horde Kron ...) {DSA-1560-1} - kronolith2 2.1.8-1 CVE-2008-1956 (Cross-site scripting (XSS) vulnerability in index.php in Wikepage Opus ...) NOT-FOR-US: Wikepage Opus CVE-2008-1955 (Cross-site scripting (XSS) vulnerability in rep.php in Martin BOUCHER ...) NOT-FOR-US: Martin BOUCHER MyBoard CVE-2008-1954 (SQL injection vulnerability in one_day.php in Web Calendar Pro 4.1 and ...) NOT-FOR-US: Web Calendar Pro CVE-2008-1953 (Cross-site scripting (XSS) vulnerability in the Sitedesigner before 1. ...) NOT-FOR-US: Sitedesigner CVE-2008-1952 (The backend for XenSource Xen Para Virtualized Frame Buffer (PVFB) in ...) - xen-3 3.2.1-2 (medium; bug #487095) - xen-unstable (Vulnerable code not present, introduced in changeset 17630) NOTE: vulnerable code no longer present as of xen 3.4 (xenfb.c has been removed) CVE-2008-1951 (Untrusted search path vulnerability in a certain Red Hat build script ...) NOT-FOR-US: Red Hat issue CVE-2008-1950 (Integer signedness error in the _gnutls_ciphertext2compressed function ...) {DSA-1581-1} - gnutls13 2.0.4-4 (low) - gnutls26 2.2.5-1 (low) CVE-2008-1949 (The _gnutls_recv_client_kx_message function in lib/gnutls_kx.c in libg ...) {DSA-1581-1} - gnutls13 2.0.4-4 (low) - gnutls26 2.2.5-1 (low) CVE-2008-1948 (The _gnutls_server_name_recv_params function in lib/ext_server_name.c ...) {DSA-1581-1} - gnutls13 2.0.4-4 (medium) - gnutls26 2.2.5-1 (medium) CVE-2008-1947 (Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 throug ...) {DSA-1593-1} - tomcat5.5 5.5.26-3 (low; bug #484643) - tomcat5 CVE-2008-1946 (The default configuration of su in /etc/pam.d/su in GNU coreutils 5.2. ...) - coreutils 5.93-1 CVE-2008-1945 (QEMU 0.9.0 does not properly handle changes to removable media, which ...) {DSA-1799-1} - qemu 0.9.1-5 (low; bug #526013) CVE-2008-1944 (Buffer overflow in the backend framebuffer of XenSource Xen Para-Virtu ...) - xen-3 3.2.1-2 (medium; bug #487095) - xen-unstable 3.3-unstable+hg17602-1 (medium; bug #487097) CVE-2008-1943 (Buffer overflow in the backend of XenSource Xen Para Virtualized Frame ...) - xen-3 3.2.1-2 (medium; bug #487095) - xen-unstable 3.3-unstable+hg17602-1 (medium; bug #487097) CVE-2008-1942 (Foxit Reader 2.2 allows remote attackers to cause a denial of service ...) NOT-FOR-US: Foxit Reader CVE-2008-1941 (Cross-site scripting (XSS) vulnerability in the profile update feature ...) NOT-FOR-US: Akiva WebBoard CVE-2008-1940 (The RBAC functionality in grsecurity before 2.1.11-2.6.24.5 and 2.1.11 ...) - linux-patch-grsecurity2 2.1.11+2.6.24.5+200804211829-1 (bug #478133) CVE-2008-1939 (Multiple SQL injection vulnerabilities in W1L3D4 Philboard 1.0 allow r ...) NOT-FOR-US: W1L3D4 Philboard CVE-2008-1938 (Sony Mylo COM-2 Japanese model firmware before 1.002 does not properly ...) NOT-FOR-US: Sony firmware CVE-2008-1937 (The user form processing (userform.py) in MoinMoin before 1.6.3, when ...) - moin 1.6.3-1 [etch] - moin (1.5.x is not affected) NOTE: acl_hierarchic was introduced in 1.6.0 NOTE: userform processing issue was introduced in 1.6.1 CVE-2008-1936 (SQL injection vulnerability in index.php in Classifieds Caffe allows r ...) NOT-FOR-US: Classifieds Caffe CVE-2008-1935 (SQL injection vulnerability in the Filiale 1.0.4 component for Joomla! ...) NOT-FOR-US: Filiale CVE-2008-1934 (SQL injection vulnerability in commentaires.php in Crazy Goomba 1.2.1 ...) NOT-FOR-US: Crazy Goomba CVE-2008-1933 (Absolute path traversal vulnerability in a certain ActiveX control in ...) NOT-FOR-US: Zune CVE-2008-1932 (Integer overflow in Realtek HD Audio Codec Drivers RTKVHDA.sys and RTK ...) NOT-FOR-US: Realtek HD Audio Codec CVE-2008-1931 (Realtek HD Audio Codec Drivers RTKVHDA.sys and RTKVHDA64.sys before 6. ...) NOT-FOR-US: Realtek HD Audio Codec CVE-2008-1929 RESERVED CVE-2008-1928 (Buffer overflow in Imager 0.42 through 0.63 allows attackers to cause ...) - libimager-perl 0.64-1 CVE-2008-1926 (Argument injection vulnerability in login (login-utils/login.c) in uti ...) {DTSA-126-1} - util-linux 2.13.1.1-1 (low; bug #478135) [etch] - util-linux (Audit support not available in Etch's version) CVE-2008-1923 (The IAX2 channel driver (chan_iax2) in Asterisk 1.2 before revision 72 ...) - asterisk 1:1.4.19.1~dfsg-1 (medium) [etch] - asterisk (Etch Packages no longer covered by security support) CVE-2008-1922 (Multiple stack-based buffer overflows in Sarg might allow attackers to ...) - sarg 2.2.4-1 CVE-2008-1921 (SQL injection vulnerability in store_pages/category_list.php in 5th Av ...) NOT-FOR-US: 5th Avenue Shopping Cart CVE-2008-1920 (Heap-based buffer overflow in the boxelyRenderer module in the Persona ...) NOT-FOR-US: ICQ CVE-2008-1919 (SQL injection vulnerability in listtest.php in YourFreeWorld Apartment ...) NOT-FOR-US: YourFreeWorld Apartment Search Script CVE-2008-1918 (SQL injection vulnerability in submit.php in PHP-Fusion 6.01.14 and 6. ...) NOT-FOR-US: PHP-Fusion CVE-2008-1917 (Multiple cross-site scripting (XSS) vulnerabilities in AMFPHP 1.2 allo ...) NOT-FOR-US: AMFPHP CVE-2008-1916 (Multiple cross-site scripting (XSS) vulnerabilities in the Ubercart 5. ...) NOT-FOR-US: Ubercart (drupal module) CVE-2008-1915 (SQL injection vulnerability in view.asp in DevWorx BlogWorx 1.0 allows ...) NOT-FOR-US: BlogWorx CVE-2008-1930 (The cookie authentication method in WordPress 2.5 relies on a hash of ...) - wordpress 2.5.1-1 (medium; bug #477910) NOTE: only exploitable in blogs that allow user registering [etch] - wordpress (Vulnerable code was introduced in 2.5) CVE-2008-1927 (Double free vulnerability in Perl 5.8.8 allows context-dependent attac ...) {DSA-1556-2} - perl 5.10.0-1 (bug #454792) CVE-2008-1925 (Buffer overflow in InspIRCd before 1.1.18, when using the namesx and u ...) - inspircd 1.1.18+dfsg-1 (low) CVE-2008-1924 (Unspecified vulnerability in phpMyAdmin before 2.11.5.2, when running ...) {DSA-1557-1} - phpmyadmin 4:2.11.5.2-1 NOTE: https://www.phpmyadmin.net/security/PMASA-2008-3/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/79fe2890d28076d9406f7032198109ecd22866a6 CVE-2008-1914 (Stack-based buffer overflow in the AntServer module (AntServer.exe) in ...) NOT-FOR-US: BigAnt Messenger CVE-2008-1913 (SQL injection vulnerability in index.php in Lasernet CMS 1.5 and 1.11, ...) NOT-FOR-US: Lasernet CMS CVE-2008-1912 (Stack-based buffer overflow in DivX Player 6.7 build 6.7.0.22 and earl ...) NOT-FOR-US: DivX Player CVE-2008-1911 (SQL injection vulnerability in includes/system.php in 1024 CMS 1.4.2 b ...) NOT-FOR-US: 1024 CMS CVE-2008-1910 (Stack-based buffer overflow in the database service (ibserver.exe) in ...) NOT-FOR-US: Borland InterBase CVE-2008-1909 (SQL injection vulnerability in comment.php in PHP Knowledge Base (PHPK ...) NOT-FOR-US: PHPKB CVE-2008-1908 (Multiple directory traversal vulnerabilities in cpCommerce 1.1.0 allow ...) NOT-FOR-US: cpCommerce CVE-2008-1907 (Multiple SQL injection vulnerabilities in functions/display_page.func. ...) NOT-FOR-US: cpCommerce CVE-2008-1906 (Cross-site scripting (XSS) vulnerability in calendar.php in cpCommerce ...) NOT-FOR-US: cpCommerce CVE-2008-1905 (NMMediaServer.exe in Nero MediaHome 3.3.3.0 and earlier, as used in Ne ...) NOT-FOR-US: Nero MediaHome CVE-2008-1904 (Cicoandcico CcMail 1.0.1 and earlier does not verify that the this_coo ...) NOT-FOR-US: CcMail CVE-2008-1903 (PHP remote file inclusion vulnerability in news_show.php in Newanz New ...) NOT-FOR-US: Newanz NewsOffice CVE-2008-1902 (The GUI for aptlinex before 0.91 does not sufficiently warn the user o ...) - aptlinex 0.91-1 (low; bug #476572) NOTE: the user gets a confirmation dialog CVE-2008-1901 (aptlinex before 0.91 allows local users to overwrite arbitrary files v ...) - aptlinex 0.91-1 (medium; bug #476588) NOTE: code execution via /tmp/gambas-apt-exec is also possible, maintainer confirmed this CVE-2008-1900 (option_Update.asp in Carbon Communities 2.4 and earlier allows remote ...) NOT-FOR-US: Carbon Communities CVE-2008-1899 RESERVED CVE-2008-1898 (A certain ActiveX control in WkImgSrv.dll 7.03.0616.0, as distributed ...) NOT-FOR-US: Microsoft Works CVE-2008-1897 (The IAX2 channel driver (chan_iax2) in Asterisk Open Source 1.0.x, 1.2 ...) {DSA-1563-1} - asterisk 1:1.4.19.1~dfsg-1 (medium) CVE-2008-1896 (Multiple cross-site scripting (XSS) vulnerabilities in Carbon Communit ...) NOT-FOR-US: Carbon Communities CVE-2008-1895 (Multiple SQL injection vulnerabilities in Carbon Communities 2.4 and e ...) NOT-FOR-US: Carbon Communities CVE-2008-1894 (Cross-site scripting (XSS) vulnerability in desktoplaunch/InfoView/log ...) NOT-FOR-US: BusinessObjects InfoView CVE-2008-1893 (PHP remote file inclusion vulnerability in index.php in W2B Online Ban ...) NOT-FOR-US: W2B Online Banking CVE-2008-1892 (Cross-site scripting (XSS) vulnerability in bs_auth.php in Blogator-sc ...) NOT-FOR-US: Blogator-script CVE-2008-1891 (Directory traversal vulnerability in WEBrick in Ruby 1.8.4 and earlier ...) - ruby1.8 1.8.7.22-1 (unimportant) - ruby1.9 1.9.0.2-1 (unimportant) NOTE: corner-case only exploitable if web application is run on windows fs CVE-2008-1890 (SQL injection vulnerability in the Jom Comment 2.0 build 345 component ...) NOT-FOR-US: Jom Comment for Joomla! CVE-2008-1889 (SQL injection vulnerability in viewcat.php in XplodPHP AutoTutorials 2 ...) NOT-FOR-US: XplodPHP AutoTutorials CVE-2008-1888 (Cross-site scripting (XSS) vulnerability in Microsoft Windows SharePoi ...) NOT-FOR-US: Windows CVE-2008-1886 (The NeffyLauncher 1.0.5 ActiveX control (NeffyLauncher.dll) in CDNetwo ...) NOT-FOR-US: CDNetworks Nefficient Download CVE-2008-1885 (Directory traversal vulnerability in the NeffyLauncher 1.0.5 ActiveX c ...) NOT-FOR-US: NeffyLauncher CVE-2008-1884 (Directory traversal vulnerability in index.php in Wikepage Opus 13 200 ...) NOT-FOR-US: Wikepage CVE-2008-1883 (The server in Blackboard Academic Suite 7.x stores MD5 password hashes ...) NOT-FOR-US: Blackboard Academic Suite CVE-2008-1882 RESERVED CVE-2008-1881 (Stack-based buffer overflow in the ParseSSA function (modules/demux/su ...) {DSA-1819-1 DTSA-125-1} - vlc 0.8.6.e-2.1 (medium; bug #477805) CVE-2008-1880 (The default configuration of Firebird before 2.0.3.12981.0-r6 on Gento ...) - firebird2 [etch] - firebird2 (Firebird 1.5 no longer supported, see last DSA) - firebird2.0 2.0.3.12981.ds1-14 (bug #481389) NOTE: on debian after the installation firebird2.0-super is disabled, to enable it NOTE: you need to call dpkg-reconfigure CVE-2008-1879 RESERVED CVE-2007-6715 (Mozilla Firefox allows remote attackers to cause a denial of service ( ...) - iceweasel (unimportant) NOTE: browser dos not treated as security issues NOTE: cant reproduce on 2.0.0.12-1 and 2.0.0.14-2, already fixed? CVE-2008-2041 (Multiple unspecified vulnerabilities in eGroupWare before 1.4.004 have ...) - egroupware 1.4.004-2.dfsg-1 (bug #476977) CVE-2008-1876 (PHP remote file inclusion vulnerability in index.php in VisualPic 0.3. ...) NOT-FOR-US: VisualPic CVE-2008-1875 (SQL injection vulnerability in index.php in Terong PHP Photo Gallery ( ...) NOT-FOR-US: Terong PHP Photo Gallery CVE-2008-1874 (SQL injection vulnerability in account/user/mail.html in Xpoze Pro 3.0 ...) NOT-FOR-US: Xpoze Pro CVE-2008-1873 (Cross-site scripting (XSS) vulnerability in the private message featur ...) NOT-FOR-US: Nuke ET CVE-2008-1872 (SQL injection vulnerability in home.news.php in Comdev News Publisher ...) NOT-FOR-US: Comdev News Publisher CVE-2008-1871 (SQL injection vulnerability in links.php in Scriptsagent.com Links Dir ...) NOT-FOR-US: Scriptsagent.com CVE-2008-1870 (SQL injection vulnerability in getdata.php in PIGMy-SQL 1.4.1 and earl ...) NOT-FOR-US: PIGMy-SQL CVE-2008-1869 (SQL injection vulnerability in Site Sift Listings allows remote attack ...) NOT-FOR-US: Site Sift Listings CVE-2008-1868 (admin/sauvBase.php in Blog Pixel Motion (aka Blog PixelMotion) does no ...) NOT-FOR-US: Blog Pixel Motion CVE-2008-1867 (SQL injection vulnerability in Blog Pixel Motion (aka Blog PixelMotion ...) NOT-FOR-US: Blog Pixel Motion CVE-2008-1866 (admin/modif_config.php in Blog Pixel Motion (aka PixelMotion) does not ...) NOT-FOR-US: Blog Pixel Motion CVE-2008-1865 (Stack-based buffer overflow in the msx_readnode function in libmosix.c ...) NOT-FOR-US: openmosix-tools CVE-2008-1864 (SQL injection vulnerability in project.php in Prozilla Freelancers all ...) NOT-FOR-US: Prozilla Freelancers CVE-2008-1863 (SQL injection vulnerability in view_reviews.php in Prozilla Cheat Scri ...) NOT-FOR-US: Prozilla Cheat Script CVE-2008-1862 (ExBB Italia 0.22 and earlier only checks GET requests that use the QUE ...) NOT-FOR-US: ExBB Italia CVE-2008-1861 (Directory traversal vulnerability in modules/threadstop/threadstop.php ...) NOT-FOR-US: ExBB Italia CVE-2008-1860 (Static code injection vulnerability in admin.php in LokiCMS 0.3.3 and ...) NOT-FOR-US: LokiCMS CVE-2008-1859 (SQL injection vulnerability in events.php in iScripts SocialWare allow ...) NOT-FOR-US: iScripts SocialWare CVE-2008-1858 (SQL injection vulnerability in index.php in 724Networks 724CMS 4.01 an ...) NOT-FOR-US: 724Networks 724CMS CVE-2008-1857 (Multiple directory traversal vulnerabilities in viewsource.php in Make ...) NOT-FOR-US: Mole CVE-2008-1856 (plugins/maps/db_handler.php in LinPHA 1.3.3 and earlier does not requi ...) NOT-FOR-US: LinPHA CVE-2008-1855 (FrameworkService.exe in McAfee Common Management Agent (CMA) 3.6.0.574 ...) NOT-FOR-US: McAfee CVE-2008-1854 (Unspecified vulnerability in SmarterMail Web Server (SMWebSvr.exe) in ...) NOT-FOR-US: SmarterMail Web Server CVE-2008-1853 (The ovtopmd service in HP OpenView Network Node Manager (OV NNM) 7.51, ...) NOT-FOR-US: HP OpenView CVE-2008-1852 (ovalarmsrv in HP OpenView Network Node Manager (OV NNM) 7.51, 7.53, an ...) NOT-FOR-US: HP OpenView CVE-2008-1851 (ovalarmsrv in HP OpenView Network Node Manager (OV NNM) 7.51, 7.53, an ...) NOT-FOR-US: HP OpenView CVE-2008-1850 (Multiple cross-site scripting (XSS) vulnerabilities in login.php in Om ...) NOT-FOR-US: Omnistar Interactive OSI Affiliate CVE-2008-1849 (Directory traversal vulnerability in index.php in the joomlaXplorer (c ...) NOT-FOR-US: com_joomlaxplorer Mambo/Joomla! component CVE-2008-1848 (Cross-site scripting (XSS) vulnerability in the joomlaXplorer (com_joo ...) NOT-FOR-US: com_joomlaxplorer Mambo/Joomla! CVE-2008-1847 (SQL injection vulnerability in view.php in CoronaMatrix phpAddressBook ...) NOT-FOR-US: phpAddressBook CVE-2008-1846 (The default configuration of SAP NetWeaver before 7.0 SP15 does not en ...) NOT-FOR-US: SAP CVE-2008-1845 (The Korn shell (aka mksh) before R33d on MirOS (aka MirBSD) does not f ...) - mksh 33.4-1 (low) [etch] - mksh 28.0-3 CVE-2008-1844 (SQL injection vulnerability in cat.php in W2B phpHotResources allows r ...) NOT-FOR-US: W2B phpHotResources CVE-2008-1843 (SQL injection vulnerability in browse.php in W2B DatingClub (aka Datin ...) NOT-FOR-US: W2B DatingClub CVE-2008-1842 (Integer signedness error in ovspmd.exe in HP OpenView Network Node Man ...) NOT-FOR-US: HP OpenView CVE-2008-1841 (SQL injection vulnerability in the session handling functionality in b ...) NOT-FOR-US: Coppermine CVE-2008-1840 (SQL injection vulnerability in upload.php in Coppermine Photo Gallery ...) NOT-FOR-US: Coppermine CVE-2008-1839 (Multgiple cross-site scripting (XSS) vulnerabilities in module/main.ph ...) NOT-FOR-US: WORK system e-commerce CVE-2008-1838 (SQL injection vulnerability in BosClassifieds Classified Ads System 3. ...) NOT-FOR-US: BosClassifieds Classified Ads System CVE-2008-1836 (The rfc2231 function in message.c in libclamav in ClamAV before 0.93 a ...) - clamav (Vulnerable code introduced later, checked back with upstream) CVE-2008-1834 (swfdec_load_object.c in Swfdec before 0.6.4 does not properly restrict ...) - swfdec0.6 0.6.4-1 (low) - swfdec0.5 (low; bug #477037) CVE-2008-1833 (Heap-based buffer overflow in pe.c in libclamav in ClamAV 0.92.1 allow ...) {DSA-1549-1} - clamav 0.92.1~dfsg2-1.1 (medium; bug #476694) CVE-2007-6713 (Unspecified vulnerability in Flip4Mac WMV before 2.2.0.49 has unknown ...) NOT-FOR-US: Flip4Mac CVE-2007-6714 (DBMail before 2.2.9, when using authldap with an LDAP server that supp ...) - dbmail 2.2.9 CVE-2008-1878 (Stack-based buffer overflow in the demux_nsf_send_chunk function in sr ...) {DSA-1586-1 DTSA-128-1} - xine-lib 1.1.12-2 (medium; bug #476990) NOTE: not patched but disabled in testing/unstable CVE-2008-1831 (Multiple unspecified vulnerabilities in the Siebel SimBuilder componen ...) NOT-FOR-US: Oracle Siebel Enterprise CVE-2008-1830 (Unspecified vulnerability in the PeopleSoft HCM ePerformance component ...) NOT-FOR-US: Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne CVE-2008-1829 (Unspecified vulnerability in the PeopleSoft HCM Recruiting component i ...) NOT-FOR-US: Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne CVE-2008-1828 (Unspecified vulnerability in the PeopleSoft PeopleTools component in O ...) NOT-FOR-US: Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne CVE-2008-1827 (Multiple unspecified vulnerabilities in Oracle E-Business Suite 11.5.1 ...) NOT-FOR-US: Oracle E-Business Suite CVE-2008-1826 (Multiple unspecified vulnerabilities in Oracle E-Business Suite 11.5.1 ...) NOT-FOR-US: Oracle E-Business Suite CVE-2008-1825 (Unspecified vulnerability in the Oracle Portal component in Oracle App ...) NOT-FOR-US: Oracle CVE-2008-1824 (Unspecified vulnerability in the Oracle Dynamic Monitoring Service com ...) NOT-FOR-US: Oracle CVE-2008-1823 (Unspecified vulnerability in the Oracle Jinitiator component in Oracle ...) NOT-FOR-US: Oracle CVE-2008-1822 (Unspecified vulnerability in the Oracle Application Express component ...) NOT-FOR-US: Oracle CVE-2008-1821 (Unspecified vulnerability in the Advanced Queuing component in Oracle ...) NOT-FOR-US: Oracle CVE-2008-1820 (Unspecified vulnerability in the Data Pump component in Oracle Databas ...) NOT-FOR-US: Oracle CVE-2008-1819 (Unspecified vulnerability in the Oracle Net Services component in Orac ...) NOT-FOR-US: Oracle CVE-2008-1818 (Unspecified vulnerability in the Authentication component in Oracle Da ...) NOT-FOR-US: Oracle CVE-2008-1817 (Multiple unspecified vulnerabilities in Oracle Database 9.0.1.5 FIPS+, ...) NOT-FOR-US: Oracle CVE-2008-1816 (Multiple unspecified vulnerabilities in Oracle Database 10.1.0.5 and 1 ...) NOT-FOR-US: Oracle CVE-2008-1815 (Unspecified vulnerability in the Change Data Capture component in Orac ...) NOT-FOR-US: Oracle CVE-2008-1814 (Unspecified vulnerability in the Oracle Secure Enterprise Search or Ul ...) NOT-FOR-US: Oracle CVE-2008-1813 (Multiple unspecified vulnerabilities in Oracle Database 9.0.1.5 FIPS+, ...) NOT-FOR-US: Oracle CVE-2008-1812 (Unspecified vulnerability in the Oracle Enterprise Manager component i ...) NOT-FOR-US: Oracle CVE-2008-1811 (Unspecified vulnerability in Oracle Application Express 3.0.1 has unsp ...) NOT-FOR-US: Oracle CVE-2008-1810 (Untrusted search path vulnerability in dbmsrv in SAP MaxDB 7.6.03.15 o ...) NOT-FOR-US: SAP MaxDB CVE-2008-1809 (Heap-based buffer overflow in Novell eDirectory 8.7.3 before 8.7.3.10b ...) NOT-FOR-US: Novell eDirectory CVE-2008-1808 (Multiple off-by-one errors in FreeType2 before 2.3.6 allow context-dep ...) {DSA-1635-1 DTSA-139-1} - freetype 2.3.6-1 (low; bug #485841) CVE-2008-1807 (FreeType2 before 2.3.6 allow context-dependent attackers to execute ar ...) {DSA-1635-1 DTSA-139-1} - freetype 2.3.6-1 (medium; bug #485841) CVE-2008-1806 (Integer overflow in FreeType2 before 2.3.6 allows context-dependent at ...) {DSA-1635-1 DTSA-139-1} - freetype 2.3.6-1 (medium; bug #485841) CVE-2008-1805 (Incomplete blacklist vulnerability in Skype 3.6.0.248, and other versi ...) NOT-FOR-US: Skype CVE-2008-1804 (preprocessors/spp_frag3.c in Sourcefire Snort before 2.8.1 does not pr ...) {DTSA-173-1} - snort 2.7.0-20 (low; bug #483160) [lenny] - snort 2.7.0-20.2 (low; bug #483160) [etch] - snort (Only 2.6 and 2.8 are affected) CVE-2008-1803 (Integer signedness error in the xrealloc function (rdesktop.c) in RDes ...) {DSA-1573-1} - rdesktop 1.5.0-4+cvs20071006 (bug #480135) CVE-2008-1802 (Buffer overflow in the process_redirect_pdu (rdp.c) function in rdeskt ...) {DSA-1573-1} - rdesktop 1.5.0-4+cvs20071006 (bug #480134) CVE-2008-1801 (Integer underflow in the iso_recv_msg function (iso.c) in rdesktop 1.5 ...) {DSA-1573-1} - rdesktop 1.5.0-4+cvs20071006 (bug #480133) CVE-2008-1800 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Di ...) NOT-FOR-US: DivXDB CVE-2008-1799 (Directory traversal vulnerability in thumbnails.php in sabros.us 1.75 ...) NOT-FOR-US: sabros.us CVE-2008-1798 (Directory traversal vulnerability in forum/kietu/libs/calendrier.php i ...) NOT-FOR-US: Dragoon CVE-2008-1797 (Unspecified vulnerability in Secure Computing Webwasher 5.30 before bu ...) NOT-FOR-US: Secure Computing Webwasher CVE-2008-1796 (Comix 3.6.4 creates temporary directories with predictable names, whic ...) - comix 3.6.4-1.1 (unimportant) NOTE: only exploitable with insecure umask settings CVE-2008-1795 (Multiple cross-site scripting (XSS) vulnerabilities in Blackboard Acad ...) NOT-FOR-US: Blackboard Academic Suite CVE-2008-1794 (Multiple cross-site scripting (XSS) vulnerabilities in the Webform Dru ...) NOT-FOR-US: Webform Drupal module CVE-2008-1793 (Multiple cross-site scripting (XSS) vulnerabilities in view.cgi in Sma ...) NOT-FOR-US: Smart CVE-2008-1792 (Cross-site scripting (XSS) vulnerability in the insertion filter in th ...) NOT-FOR-US: Flickr Drupal module CVE-2008-1791 (SQL injection vulnerability in ladder.php in My Gaming Ladder 7.5 and ...) NOT-FOR-US: My Gaming Ladder CVE-2008-1790 (Unrestricted file upload vulnerability in iScripts SocialWare allows r ...) NOT-FOR-US: iScripts CVE-2008-1789 (SQL injection vulnerability in forum.php in Prozilla Forum allows remo ...) NOT-FOR-US: Prozilla Forum CVE-2008-1788 (SQL injection vulnerability in directory.php in Prozilla Entertainers ...) NOT-FOR-US: Prozilla Entertainers CVE-2008-1787 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Po ...) NOT-FOR-US: Poplar Gedcom Viewer CVE-2008-1786 (The DSM gui_cm_ctrls ActiveX control (gui_cm_ctrls.ocx), as used in mu ...) NOT-FOR-US: CA products CVE-2008-1785 (delete.php in Prozilla Top 100 1.2 allows remote authenticated users t ...) NOT-FOR-US: Prozilla Top 100 CVE-2008-1784 (Prozilla Topsites 1.0 allows remote attackers to perform administrativ ...) NOT-FOR-US: Prozilla Topsites CVE-2008-1783 (Prozilla Reviews 1.0 allows remote attackers to delete arbitrary users ...) NOT-FOR-US: Prozilla Reviews CVE-2008-1782 (phpdemo/viewsource.php in Advanced Software Engineering ChartDirector ...) NOT-FOR-US: Advanced Software Engineering ChartDirector CVE-2008-1837 (libclamunrar in ClamAV before 0.93 allows remote attackers to cause a ...) - clamav (Debian doesn't include libunrar since it's non-free) CVE-2008-1835 (ClamAV before 0.93 allows remote attackers to bypass the scanning engi ...) - clamav (Debian doesn't include libunrar since it's non-free) CVE-2008-1832 (lib/prefs.tcl in Cecilia 2.0.5 allows local users to overwrite arbitra ...) - cecilia 2.0.5-2.1 (low; bug #476321) [etch] - cecilia (Minor issue) CVE-2008-1781 REJECTED CVE-2008-1780 (Unspecified vulnerability in the labeled networking functionality in S ...) NOT-FOR-US: Solaris CVE-2008-1779 (Sun Solaris 8, 9, and 10 allows "remote privileged" users to cause a d ...) NOT-FOR-US: Solaris CVE-2008-1778 (Unspecified vulnerability in the floating point context switch impleme ...) NOT-FOR-US: Solaris CVE-2008-1777 (The eDirectory Host Environment service (dhost.exe) in Novell eDirecto ...) NOT-FOR-US: Novell eDirectory CVE-2008-1776 (PHP remote file inclusion vulnerability in modules/basicfog/basicfogfa ...) NOT-FOR-US: PhpBlock CVE-2008-1775 (Cross-site scripting (XSS) vulnerability in mindex.do in ManageEngine ...) NOT-FOR-US: ManageEngine Firewall Analyzer CVE-2008-1774 (SQL injection vulnerability in editlink.php in Pligg 9.9.0 allows remo ...) NOT-FOR-US: Pligg CVE-2008-1773 (PHP remote file inclusion vulnerability in includes/header.inc.php in ...) NOT-FOR-US: Dragoon CVE-2008-1772 (iScripts SocialWare stores passwords in cleartext in a database, which ...) NOT-FOR-US: iScripts SocialWare CVE-2008-1771 (Integer overflow in the ws_getpostvars function in Firefly Media Serve ...) {DSA-1597-1} - mt-daapd 0.9~r1696-1.3 (medium; bug #476241) CVE-2008-1770 (CRLF injection vulnerability in Akamai Download Manager ActiveX contro ...) NOT-FOR-US: Akamai Download Manager CVE-2008-1769 (VLC before 0.8.6f allow remote attackers to cause a denial of service ...) {DSA-1819-1 DTSA-125-1} - vlc 0.8.6.e-2.1 (low; bug #478140) CVE-2008-1768 (Multiple integer overflows in VLC before 0.8.6f allow remote attackers ...) {DSA-1819-1 DTSA-125-1} - vlc 0.8.6.e-2.1 (medium; bug #478140) CVE-2008-1767 (Buffer overflow in pattern.c in libxslt before 1.1.24 allows context-d ...) {DSA-1589-1} - libxslt 1.1.24-1 (bug #482664) CVE-2008-1766 (Multiple unspecified vulnerabilities in phpBB before 3.0.1 have unknow ...) - phpbb3 3.0.1-1 (low) - phpbb2 (Vulnerable code not present) CVE-2008-1765 (Buffer overflow in Adobe Photoshop Album Starter Edition 3.2, and poss ...) NOT-FOR-US: Adobe CVE-2008-1764 (Unspecified vulnerability in Opera before 9.27 has unknown impact and ...) NOT-FOR-US: Opera CVE-2008-1763 (SQL injection vulnerability in _blogadata/include/sond_result.php in B ...) NOT-FOR-US: Blogator-script CVE-2008-1762 (Opera before 9.27 allows remote attackers to cause a denial of service ...) NOT-FOR-US: Opera CVE-2008-1761 (Opera before 9.27 allows remote attackers to cause a denial of service ...) NOT-FOR-US: Opera CVE-2008-1760 (Multiple PHP remote file inclusion vulnerabilities in Blogator-script ...) NOT-FOR-US: Blogator-script CVE-2008-1759 (SQL injection vulnerability in the jeuxflash module for KwsPHP allows ...) NOT-FOR-US: KwsPHP CVE-2008-1758 (SQL injection vulnerability in the ConcoursPhoto module for KwsPHP all ...) NOT-FOR-US: KwsPHP CVE-2008-1757 (Cross-site scripting (XSS) vulnerability in index.php in the ConcoursP ...) NOT-FOR-US: KwsPHP CVE-2008-1756 (Unspecified vulnerability in the Qmaster daemon in Sun N1 Grid Engine ...) NOT-FOR-US: Sun CVE-2008-1755 (Directory traversal vulnerability in the showSource function in showSo ...) NOT-FOR-US: World of Phaos CVE-2008-1754 (Symantec Altiris Deployment Solution before 6.9.164 stores the Deploym ...) NOT-FOR-US: Symantec CVE-2008-1753 (Cross-site scripting (XSS) vulnerability in system/workplace/admin/wor ...) NOT-FOR-US: Alkacon OpenCMS CVE-2008-1752 (ezRADIUS 0.1 stores sensitive information under the web root with insu ...) NOT-FOR-US: ezRADIUS CVE-2008-1751 (Multiple directory traversal vulnerabilities in index.php in Ksemail a ...) NOT-FOR-US: Ksemail CVE-2008-1750 (SQL injection vulnerability in Integry Systems LiveCart 1.1.1 and earl ...) NOT-FOR-US: LiveCart CVE-2008-1749 (Memory leak in Cisco Content Switching Module (CSM) 4.2(3) up to 4.2(8 ...) NOT-FOR-US: Cisco firmware CVE-2008-1748 (Cisco Unified Communications Manager 4.1 before 4.1(3)SR7, 4.2 before ...) NOT-FOR-US: Cisco firmware CVE-2008-1747 (Unspecified vulnerability in Cisco Unified Communications Manager 4.1 ...) NOT-FOR-US: Cisco firmware CVE-2008-1746 (The SNMP Trap Agent service in Cisco Unified Communications Manager (C ...) NOT-FOR-US: Cisco firmware CVE-2008-1745 (Cisco Unified Communications Manager (CUCM) 5.x before 5.1(2) and 6.x ...) NOT-FOR-US: Cisco firmware CVE-2008-1744 (The Certificate Authority Proxy Function (CAPF) service in Cisco Unifi ...) NOT-FOR-US: Cisco firmware CVE-2008-1743 (Memory leak in the Certificate Trust List (CTL) Provider service in Ci ...) NOT-FOR-US: Cisco firmware CVE-2008-1742 (Memory leak in the Certificate Trust List (CTL) Provider service in Ci ...) NOT-FOR-US: Cisco firmware CVE-2008-1741 (The SIP Proxy (SIPD) service in Cisco Unified Presence before 6.0(3) a ...) NOT-FOR-US: Cisco firmware CVE-2008-1740 (The Presence Engine (PE) service in Cisco Unified Presence before 6.0( ...) NOT-FOR-US: Cisco firmware CVE-2008-1739 (Apple QuickTime before 7.4.5 allows remote attackers to cause a denial ...) NOT-FOR-US: Apple QuickTime CVE-2008-1738 (Rising Antivirus 2008 before 20.38.20 allows local users to cause a de ...) NOT-FOR-US: Rising Antivirus CVE-2008-1737 (Sophos Anti-Virus 7.0.5, and other 7.x versions, when Runtime Behaviou ...) NOT-FOR-US: Sophos Anti-Virus CVE-2008-1736 (Comodo Firewall Pro before 3.0 does not properly validate certain para ...) NOT-FOR-US: Comodo Firewall CVE-2008-1735 (BitDefender Antivirus 2008 20080118 and earlier allows local users to ...) NOT-FOR-US: BitDefender Antivirus CVE-2008-1734 (Interpretation conflict in PHP Toolkit before 1.0.1 on Gentoo Linux mi ...) NOT-FOR-US: PHP Toolkit (Gentoo specific) CVE-2008-1733 (SQL injection vulnerability in puarcade.class.php 2.2 and earlier in t ...) NOT-FOR-US: Joomla component Pragmatic Utopia PU Arcade CVE-2008-1732 (SQL injection vulnerability in showpredictionsformatch.php in Predicti ...) NOT-FOR-US: Prediction Football CVE-2008-1731 (The Simple Access module for Drupal 5.x through 5.x-1.2-2 does not pro ...) NOT-FOR-US: Drupal module Simple Access CVE-2008-1730 (Directory traversal vulnerability in download.html in ARWScripts Galle ...) NOT-FOR-US: ARWScripts Gallery Script Lite CVE-2008-1729 (The menu system in Drupal 6 before 6.2 has incorrect menu settings, wh ...) NOT-FOR-US: Drupal 6 (not packaged yet) CVE-2008-1728 (ConnectionManagerImpl.java in Ignite Realtime Openfire 3.4.5 allows re ...) NOT-FOR-US: Ignite Realtime Openfire CVE-2008-1727 (KnowledgeQuest 2.5 and 2.6 does not require authentication for access ...) NOT-FOR-US: KnowledgeQuest CVE-2008-1726 (Multiple SQL injection vulnerabilities in KnowledgeQuest 2.6, when mag ...) NOT-FOR-US: KnowledgeQuest CVE-2008-1725 (The IBizEBank.FIProfile.1 ActiveX control in fiprofile20.ocx in IBiz E ...) NOT-FOR-US: ActiveX CVE-2008-1724 (Stack-based buffer overflow in the IActiveXTransfer.FileTransfer metho ...) NOT-FOR-US: ActiveX CVE-2008-1723 RESERVED CVE-2008-1722 (Multiple integer overflows in (1) filter/image-png.c and (2) filter/im ...) {DSA-1625-1} - cups 1.3.7-2 (medium; bug #476305) - cupsys 1.3.7-2 (medium; bug #476305) CVE-2008-1721 (Integer signedness error in the zlib extension module in Python 2.5.2 ...) {DSA-1620-1 DSA-1551-1} - python2.4 2.4.5-2 - python2.5 2.5.2-3 CVE-2008-1719 (Multiple cross-site request forgery (CSRF) vulnerabilities in Nuke ET ...) NOT-FOR-US: Nuke ET CVE-2008-1718 (Buffer overflow in mimesr.dll in Autonomy (formerly Verity) KeyView, a ...) NOT-FOR-US: IBM Lotus Notes CVE-2008-1717 (WoltLab Community Framework (WCF) 1.0.6 in WoltLab Burning Board 3.0.5 ...) NOT-FOR-US: WoltLab Community Framework CVE-2008-1716 (Cross-site scripting (XSS) vulnerability in WoltLab Community Framewor ...) NOT-FOR-US: WoltLab Community Framework CVE-2008-1715 (SQL injection vulnerability in content/user.php in AuraCMS 2.2.1 and e ...) NOT-FOR-US: AuraCMS CVE-2008-1714 (SQL injection vulnerability in show.php in FaScript FaPhoto 1.0, when ...) NOT-FOR-US: FaScript FaPhoto CVE-2008-1713 (MailServer.exe in NoticeWare Email Server 4.6.1.0 allows remote attack ...) NOT-FOR-US: NoticeWare Email Server CVE-2008-1712 (PHP remote file inclusion vulnerability in includes/functions_weblog.p ...) NOT-FOR-US: mx_blogs CVE-2008-1711 (Terong PHP Photo Gallery (aka Advanced Web Photo Gallery) 1.0 stores p ...) NOT-FOR-US: Terong PHP Photo Gallery CVE-2008-1710 (Untrusted search path vulnerability in chnfsmnt in IBM AIX 6.1 allows ...) NOT-FOR-US: IBM AIX CVE-2008-1709 (Buffer overflow in Microsoft Visual InterDev 6.0 (SP6) allows user-ass ...) NOT-FOR-US: Microsoft Visual InterDev CVE-2008-1708 (IBM solidDB 06.00.1018 and earlier does not validate a certain field t ...) NOT-FOR-US: IBM solidDB CVE-2008-1707 (IBM solidDB 06.00.1018 and earlier allows remote attackers to cause a ...) NOT-FOR-US: IBM solidDB CVE-2008-1706 (Uncontrolled array index in IBM solidDB 06.00.1018 and earlier allows ...) NOT-FOR-US: IBM solidDB CVE-2008-1705 (Format string vulnerability in the logging function in IBM solidDB 06. ...) NOT-FOR-US: IBM solidDB CVE-2007-6712 (Integer overflow in the hrtimer_forward function (hrtimer.c) in Linux ...) {DSA-1588-1} - linux-2.6 2.6.26-1 - linux-2.6.24 NOTE: upstream commit 13788ccc41ceea5893f9c747c59bc0b28f2416c2, not present in 2.6.25.x, NOTE: but fixed in git, so marking as fixed in 2.6.26-1 CVE-2008-1887 (Python 2.5.2 and earlier allows context-dependent attackers to execute ...) {DSA-1620-1 DSA-1551-1} - python2.4 2.4.5-2 - python2.5 2.5.2-3 CVE-2008-1877 (tss 0.8.1 allows local users to read arbitrary files via the -a parame ...) - tss (medium; bug #475747; bug #475736) CVE-2008-1720 (Buffer overflow in rsync 2.6.9 to 3.0.1, with extended attribute (xatt ...) {DSA-1545-1} - rsync 3.0.2-1 NOTE: Etch is affected (it enables the acl upstream patch) NOTE: http://samba.anu.edu.au/rsync/security.html#s3_0_2 CVE-2008-1704 (Multiple buffer overflows in TIBCO Software Enterprise Message Service ...) NOT-FOR-US: TIBCO CVE-2008-1703 (Multiple buffer overflows in TIBCO Software Rendezvous before 8.1.0, a ...) NOT-FOR-US: TIBCO CVE-2008-1702 (Absolute path traversal vulnerability in dload.php in the my_gallery 2 ...) NOT-FOR-US: my_gallery plugin for e107 CVE-2008-1701 (Novell NetWare 6.5 allows attackers to cause a denial of service (ABEN ...) NOT-FOR-US: Novell NetWare CVE-2008-1700 (The Web TransferCtrl Class 8,2,1,4 (iManFile.cab), as used in WorkSite ...) NOT-FOR-US: WorkSite Web CVE-2008-1699 (SQL injection vulnerability in permalink.php in Desi Quintans Writer's ...) NOT-FOR-US: Desi Quintans Writer's Block CMS CVE-2008-1698 (Cross-site scripting (XSS) vulnerability in gallery.php in Simple Gall ...) NOT-FOR-US: Simple Gallery CVE-2008-1697 (Stack-based buffer overflow in ovwparser.dll in HP OpenView Network No ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2008-1696 (Directory traversal vulnerability in makepost.php in DaZPHPNews 0.1-1, ...) NOT-FOR-US: DaZPHPNews CVE-2008-1695 RESERVED CVE-2008-1694 (vcdiff in Emacs 20.7 to 22.1.50, when used with SCCS, allows local use ...) - emacs21 21.4a+1-5.6 (low; bug #476612) [etch] - emacs21 (Minor issue) - emacs22 22.2+2-2 (low; bug #476611) - xemacs21 21.4.21-4 (low; bug #476613) [etch] - xemacs21 (Minor issue) CVE-2008-1693 (The CairoFont::create function in CairoFontEngine.cc in Poppler, possi ...) {DSA-1606-1 DSA-1548-1} - xpdf 3.02 - poppler 0.6.4-1 (bug #476842) - kdegraphics (Vulnerable code not present) - texlive-bin (code already has the needed fix) NOTE: see GfxFont.cc GfxFont::readEmbFontFile, line 362 checks if the font file is NOTE: a stream or not. Anyone knows a fixed version? - texlive-base (Vulnerable code not present) - swftools (Vulnerable file/code not present) CVE-2008-1692 (Eterm 0.9.4 opens a terminal window on :0 if -display is not specified ...) - eterm 0.9.4.0debian1-2.1 (unimportant; bug #473127) CVE-2008-1691 (Unspecified vulnerability in SLMail.exe in SLMail Pro 6.3.1.0 and earl ...) NOT-FOR-US: SLMail Pro CVE-2008-1690 (WebContainer.exe 1.0.0.336 and earlier in SLMail Pro 6.3.1.0 and earli ...) NOT-FOR-US: SLMail Pro CVE-2008-1689 (Stack consumption vulnerability in WebContainer.exe 1.0.0.336 and earl ...) NOT-FOR-US: SLMail Pro CVE-2008-1688 (Unspecified vulnerability in GNU m4 before 1.4.11 might allow context- ...) - m4 (unimportant) NOTE: The file name is passed through a cmdline argument and m4 doesn't run with NOTE: elevated privileges. CVE-2008-1687 (The (1) maketemp and (2) mkstemp builtin functions in GNU m4 before 1. ...) - m4 (unimportant) NOTE: This is more a generic bug and not a security issue: the random output would NOTE: need to match the name of an existing macro CVE-2008-1686 (Array index vulnerability in Speex 1.1.12 and earlier, as used in libf ...) {DSA-1586-1 DSA-1585-1 DSA-1584-1 DTSA-127-1 DTSA-128-1 DTSA-129-1} - speex 1.2~beta2-1 (medium) - libfishsound 0.7.0-2.2 (medium; bug #475152) - xine-lib 1.1.12-1 (medium) CVE-2008-1685 - gcc-4.3 4.3.1-1 (bug #482698; unimportant) NOTE: dup of CVE-2006-1902 which is fixed in Debian? CVE-2008-1684 (inetd on Sun Solaris 10, when debug logging is enabled, allows local u ...) NOT-FOR-US: Sun Solaris CVE-2008-1683 REJECTED CVE-2008-1682 (PHP remote file inclusion vulnerability in quiz/common/db_config.inc.p ...) NOT-FOR-US: com_onlineflashquiz component for Joomla! CVE-2008-1681 (Unspecified vulnerability in IBM DB2 Content Manager before 8.3 FP8 ha ...) NOT-FOR-US: IBM DB2IBM DB2 CVE-2008-1680 (PHP-Nuke Platinum 7.6.b.5 allows remote attackers to obtain configurat ...) NOT-FOR-US: PHP-Nuke Platinum CVE-2008-1679 (Multiple integer overflows in imageop.c in Python before 2.5.3 allow c ...) {DSA-1620-1 DSA-1551-1} - python2.4 2.4.5-2 - python2.5 2.5.2-3 CVE-2008-1678 (Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c ...) {DTSA-131-1} - apache2 2.2.8-4 [etch] - apache2 (only a problem with openssl 0.9.8f or later) NOTE: https://issues.apache.org/bugzilla/show_bug.cgi?id=44975 CVE-2008-1677 (Buffer overflow in the regular expression handler in Red Hat Directory ...) NOT-FOR-US: Red Hat Directory Server CVE-2008-1676 (Red Hat PKI Common Framework (rhpki-common) in Red Hat Certificate Sys ...) NOT-FOR-US: Red Hat Issue CVE-2008-1675 (The bdx_ioctl_priv function in the tehuti driver (tehuti.c) in Linux k ...) - linux-2.6 2.6.25-2 (low) [etch] - linux-2.6 (Tehuti driver not in 2.6.18) - linux-2.6.24 2.6.24-6~etchnhalf.2 NOTE: Fixed in 2.6.24.6 and 2.6.25.1 CVE-2008-1674 REJECTED CVE-2008-1673 (The asn1 implementation in (a) the Linux kernel 2.4 before 2.4.36.6 an ...) {DSA-1592-1} - linux-2.6 2.6.25-5 (bug #485944) - linux-2.6.24 2.6.24-6~etchnhalf.3 CVE-2008-1672 (OpenSSL 0.9.8f and 0.9.8g allows remote attackers to cause a denial of ...) {DTSA-136-1} - openssl 0.9.8g-10.1 (bug #483379) [etch] - openssl (Vulnerable code (TLS extensions) not present) CVE-2008-1671 (start_kdeinit in KDE 3.5.5 through 3.5.9, when installed setuid root, ...) {DSA-1867-1} - kdelibs 4:3.5.9.dfsg.1-4 (low; bug #478024) [etch] - kdelibs (Minor issue) CVE-2008-1670 (Heap-based buffer overflow in the progressive PNG Image loader (decode ...) - kdelibs (Vulnerable code introduce in kde 4.0) - kde4libs 4:4.0.72-1 (bug #478283) CVE-2008-1669 (Linux kernel before 2.6.25.2 does not apply a certain protection mecha ...) {DSA-1575-1} - linux-2.6 2.6.25-2 (low) - linux-2.6.24 2.6.24-6~etchnhalf.2 NOTE: 0b2bac2f1ea0d33a3621b27ca68b9ae760fca2e9, fixed in 2.6.24.7 and 2.6.25.2 CVE-2008-1668 (ftpd.c in (1) wu-ftpd 2.4.2 and (2) ftpd in HP HP-UX B.11.11 assigns u ...) NOT-FOR-US: wu-ftpd in HP-UX CVE-2008-1667 (The Probe Builder Service (aka PBOVISServer.exe) in European Performan ...) NOT-FOR-US: Probe Builder 2.2 CVE-2008-1666 (Unspecified vulnerability in HP Oracle for OpenView (OfO) 8.1.7, 9.1.0 ...) NOT-FOR-US: HP Oracle for OpenView CVE-2008-1665 (Multiple unspecified vulnerabilities in HP Select Identity (HPSI) Acti ...) NOT-FOR-US: HP Select Identity CVE-2008-1664 (Unspecified vulnerability in libc on HP HP-UX B.11.23 and B.11.31 allo ...) NOT-FOR-US: HP HP-UX CVE-2008-1663 (Cross-site scripting (XSS) vulnerability in HP System Management Homep ...) NOT-FOR-US: HP System Management Homepage CVE-2008-1662 (Unspecified vulnerability in the HP System Administration Manager (SAM ...) NOT-FOR-US: HP System Administration Manager CVE-2008-1661 (Stack-based buffer overflow in DoubleTake.exe in HP StorageWorks Stora ...) NOT-FOR-US: HP StorageWorks CVE-2008-1660 (Unspecified vulnerability in useradd on HP-UX B.11.11, B.11.23, and B. ...) NOT-FOR-US: HP-UX CVE-2008-1659 (Unspecified vulnerability in HP LDAP-UX vB.04.10 through vB.04.15 allo ...) NOT-FOR-US: HP LDAP-UX CVE-2008-1658 (Format string vulnerability in the grant helper (polkit-grant-helper.c ...) - policykit-1 0.8-1 (medium; bug #476615; bug #476616) CVE-2008-1657 (OpenSSH 4.4 up to versions before 4.9 allows remote authenticated user ...) - openssh 1:4.7p1-8 (low; bug #475156) [etch] - openssh (Vulnerable functionality was introduced in 4.4) CVE-2008-1656 (Adobe ColdFusion 8 and 8.0.1 does not properly implement the public ac ...) NOT-FOR-US: Adobe ColdFusion CVE-2008-1655 (Unspecified vulnerability in Adobe Flash Player 9.0.115.0 and earlier, ...) - flashplugin-nonfree 1:1.4 [etch] - flashplugin-nonfree (Contrib not supported) NOTE: Fix came from Adobe via new Adobe Flash Player, debian package didn't change CVE-2008-1654 (Interaction error between Adobe Flash and multiple Universal Plug and ...) - flashplugin-nonfree 1:1.4 [etch] - flashplugin-nonfree (Contrib not supported) CVE-2008-1653 (Directory traversal vulnerability in index.php in Sava's Link Manager ...) NOT-FOR-US: Sava's Link Manager CVE-2008-1652 (Directory traversal vulnerability in the _serve_request_multiple funct ...) - perlbal (Fixed before initial upload to archive) CVE-2008-1651 (Directory traversal vulnerability in admin/login.php in EasyNews 4.0 a ...) NOT-FOR-US: EasyNews CVE-2008-1650 (SQL injection vulnerability in dynamicpages/index.php in EasyNews 4.0 ...) NOT-FOR-US: EasyNews CVE-2008-1649 (Cross-site scripting (XSS) vulnerability in staticpages/easypublish/in ...) NOT-FOR-US: EasyNews CVE-2008-1648 (Sympa before 5.4 allows remote attackers to cause a denial of service ...) {DSA-1600-1} - sympa 5.3.4-4 (medium; bug #475163) CVE-2008-1647 (The ChilkatHttp.ChilkatHttp.1 and ChilkatHttp.ChilkatHttpRequest.1 Act ...) NOT-FOR-US: ChilkatHttp CVE-2008-1646 (SQL injection vulnerability in wp-download.php in the WP-Download 1.2 ...) NOT-FOR-US: WP-Download plugin for WordPress CVE-2008-1645 (Directory traversal vulnerability in body.php in phpSpamManager (phpSM ...) NOT-FOR-US: phpSpamManager CVE-2008-1644 (SQL injection vulnerability in viewlinks.php in Sava's Link Manager 2. ...) NOT-FOR-US: Sava's Link Manager CVE-2008-1643 (Directory traversal vulnerability in the PXE TFTP Service (PXEMTFTP.ex ...) NOT-FOR-US: LANDesk Management Suite CVE-2008-1642 (Directory traversal vulnerability in index.php in Sava's GuestBook 2.0 ...) NOT-FOR-US: Sava's GuestBook CVE-2008-1641 (SQL injection vulnerability in default.asp in EfesTECH Video 5.0 allow ...) NOT-FOR-US: EfesTECH Video CVE-2008-1640 (SQL injection vulnerability in jgs_treffen.php in the JGS-XA JGS-Treff ...) NOT-FOR-US: JGS-Treffen CVE-2008-1639 (SQL injection vulnerability in index.php in Neat weblog 0.2 allows rem ...) NOT-FOR-US: Neat weblog CVE-2008-1638 (Nik Sharpener Pro, possibly 2.0, uses world-writable permissions for p ...) NOT-FOR-US: Nik Sharpener Pro CVE-2008-1637 (PowerDNS Recursor before 3.1.5 uses insufficient randomness to calcula ...) {DSA-1544-2 DSA-1544-1} - pdns-recursor 3.1.7-1 NOTE: Fix in 3.1.5 was incomplete, see CVE-2008-3217 CVE-2008-1636 (Cross-site scripting (XSS) vulnerability in index.php in JV2 Quick Gal ...) NOT-FOR-US: JV2 Quick Gallery CVE-2008-1635 (Directory traversal vulnerability in view_private.php in Keep It Simpl ...) NOT-FOR-US: Keep It Simple Guest Book CVE-2008-1634 (Cross-site scripting (XSS) vulnerability in index.php in JV2 Folder Ga ...) NOT-FOR-US: JV2 Folder Gallery CVE-2008-1633 (Unspecified vulnerability in Mondo Rescue before 2.2.5 has unknown imp ...) - mondo 1:2.2.7-1 (bug #475221) CVE-2008-1632 (Multiple SQL injection vulnerabilities in CuteFlow 2.10.0 allow remote ...) - cuteflow (bug #465372) CVE-2008-1631 (SQL injection vulnerability in login.php in CuteFlow 1.5.0 and 2.10.0 ...) - cuteflow (bug #465372) CVE-2008-1630 (Multiple cross-site scripting (XSS) vulnerabilities in CuteFlow 1.5.0 ...) - cuteflow (bug #465372) CVE-2008-1629 (Cross-site scripting (XSS) vulnerability in PHPkrm before 1.5.0 allows ...) NOT-FOR-US: PHPkrm CVE-2008-1628 (Stack-based buffer overflow in the audit_log_user_command function in ...) {DTSA-123-1} - audit 1.5.3-2.1 (medium; bug #475227) NOTE: auditd runs as root CVE-2008-1627 (CDS Invenio 0.92.1 and earlier allows remote authenticated users to de ...) NOT-FOR-US: CDS Invenio CVE-2008-1626 (SQL injection vulnerability in eggBlog before 4.0.1 allows remote atta ...) NOT-FOR-US: eggBlog CVE-2008-1625 (aavmker4.sys in avast! Home and Professional 4.7 for Windows does not ...) NOT-FOR-US: avast! Home and Professional CVE-2008-1624 (Directory traversal vulnerability in v2demo/page.php in Jshop Server 1 ...) NOT-FOR-US: Jshop Server CVE-2008-1623 (SQL injection vulnerability in admin_view_image.php in Smoothflash all ...) NOT-FOR-US: Smoothflash CVE-2008-1622 (Multiple PHP remote file inclusion vulnerabilities in GeeCarts allow r ...) NOT-FOR-US: GeeCarts CVE-2008-1621 (Multiple cross-site scripting (XSS) vulnerabilities in GeeCarts allow ...) NOT-FOR-US: GeeCarts CVE-2008-1620 (Directory traversal vulnerability in 2X TFTP service (TFTPd.exe) 3.2.0 ...) NOT-FOR-US: ThinClientServer CVE-2008-1619 (The ssm_i emulation in Xen 5.1 on IA64 architectures allows attackers ...) - xen-3 (Debian Xen does not support ia64) - xen-unstable (Debian Xen does not support ia64) - xen-3.0 (Debian Xen does not support ia64) CVE-2008-1618 (The PPTP VPN service in Watchguard Firebox before 10, when performing ...) NOT-FOR-US: Watchguard Firebox CVE-2008-1617 (Double free vulnerability in Web TransferCtrl Class 8,2,1,4 (iManFile. ...) NOT-FOR-US: WorkSite Web CVE-2008-1616 RESERVED CVE-2008-1615 (Linux kernel 2.6.18, and possibly other versions, when running on AMD6 ...) {DSA-1588-1} - linux-2.6 2.6.25-1 (medium; bug #480390) - linux-2.6.24 2.6.24-6~etchnhalf.3 CVE-2008-1614 (suPHP before 0.6.3 allows local users to gain privileges via (1) a rac ...) {DSA-1550-1 DTSA-124-1} - suphp 0.6.2-2.1 (low; bug #475431) CVE-2008-1613 (SQL injection vulnerability in ioRD.asp in RedDot CMS 7.5 Build 7.5.0. ...) NOT-FOR-US: RedDot CMS CVE-2008-1612 (The arrayShrink function (lib/Array.c) in Squid 2.6.STABLE17 allows at ...) {DSA-1646-2} - squid 2.6.18-1 (medium) CVE-2008-1611 (Stack-based buffer overflow in TFTP Server SP 1.4 for Windows allows r ...) NOT-FOR-US: TFTP Server for Windows CVE-2008-1610 (Stack-based buffer overflow in TallSoft Quick TFTP Server Pro 2.1 allo ...) NOT-FOR-US: TFTP Server Pro CVE-2008-1609 (Multiple PHP remote file inclusion vulnerabilities in just another fla ...) NOT-FOR-US: JAF CMS CVE-2008-1608 (SQL injection vulnerability in postview.php in Clever Copy 3.0 allows ...) NOT-FOR-US: Clever Copy CVE-2008-1607 (SQL injection vulnerability in haberoku.php in Serbay Arslanhan Bomba ...) NOT-FOR-US: Serbay Arslanhan Bomba Haber CVE-2008-1606 (Multiple directory traversal vulnerabilities in Elastic Path (EP) 4.1 ...) NOT-FOR-US: Elastic Path CVE-2008-1605 (The (1) ltmmCaptureCtrl Class, (2) ltmmConvertCtrl Class, and (3) ltmm ...) NOT-FOR-US: LEADTOOLS CVE-2008-1604 (Cross-site scripting (XSS) vulnerability in PerlMailer before 3.02 all ...) NOT-FOR-US: PerlMailer CVE-2008-1603 (Cross-site scripting (XSS) vulnerability in GNB DesignForm before 3.9 ...) NOT-FOR-US: GNB DesignForm CVE-2008-1602 (Stack-based buffer overflow in Orbit downloader 2.6.3 and 2.6.4 allows ...) NOT-FOR-US: Orbit downloader CVE-2003-1557 (Off-by-one buffer overflow in spamc of SpamAssassin 2.40 through 2.43, ...) - spamassassin 3.1.7-2 CVE-2003-1556 (Cross-site scripting (XSS) vulnerability in cc_guestbook.pl in CGI Cit ...) NOT-FOR-US: CGI City CC Guestbook CVE-2008-1601 (Stack-based buffer overflow in the reboot program on IBM AIX 5.2 and 5 ...) NOT-FOR-US: IBM AIX CVE-2008-1600 (The lsmcode program on IBM AIX 5.2, 5.3, and 6.1 does not properly han ...) NOT-FOR-US: IBM AIX CVE-2008-1599 (The nddstat programs on IBM AIX 5.2, 5.3, and 6.1 do not properly hand ...) NOT-FOR-US: IBM AIX CVE-2008-1598 (The kernel in IBM AIX 6.1 allows local users with ProbeVue privileges ...) NOT-FOR-US: IBM AIX CVE-2008-1597 (The WPAR system call implementation in the kernel in IBM AIX 6.1 allow ...) NOT-FOR-US: IBM AIX CVE-2008-1596 (Trusted Execution in IBM AIX 6.1 uses an incorrect pathname argument i ...) NOT-FOR-US: IBM AIX CVE-2008-1595 (The proc filesystem in the kernel in IBM AIX 5.2 and 5.3 does not prop ...) NOT-FOR-US: IBM AIX CVE-2008-1594 (The kernel in IBM AIX 5.2 and 5.3 does not properly handle resizing JF ...) NOT-FOR-US: IBM AIX CVE-2008-1593 (The checkpoint and restart feature in the kernel in IBM AIX 5.2, 5.3, ...) NOT-FOR-US: IBM AIX CVE-2008-1592 (MQSeries 5.1 in IBM WebSphere MQ 5.1 through 5.3.1 on the HP NonStop a ...) NOT-FOR-US: IBM WebSphere CVE-2008-1591 (The pnVarPrepForStore function in PostNuke 0.764 and earlier skips inp ...) NOT-FOR-US: PostNuke CVE-2008-1590 (JavaScriptCore in WebKit on Apple iPhone before 2.0 and iPod touch bef ...) NOT-FOR-US: iPhone CVE-2008-1589 (Safari on Apple iPhone before 2.0 and iPod touch before 2.0 misinterpr ...) NOT-FOR-US: iPhone CVE-2008-1588 (Safari on Apple iPhone before 2.0 and iPod touch before 2.0 allows rem ...) - webkit (mac-specific issue) NOTE: http://trac.webkit.org/changeset/23963 NOTE: as of 1.1.21, all mac-specific code is no longer even present CVE-2008-1587 RESERVED CVE-2008-1586 (ImageIO in Apple iPhone OS 1.0 through 2.1 and iPhone OS for iPod touc ...) NOT-FOR-US: Apple ImageIO CVE-2008-1585 (Apple QuickTime before 7.5 uses the url.dll!FileProtocolHandler handle ...) NOT-FOR-US: Apple QuickTime CVE-2008-1584 (Stack-based buffer overflow in Indeo.qtx in Apple QuickTime before 7.5 ...) NOT-FOR-US: Apple QuickTime CVE-2008-1583 (Heap-based buffer overflow in Apple QuickTime before 7.5 allows remote ...) NOT-FOR-US: Apple QuickTime CVE-2008-1582 (Unspecified vulnerability in Apple QuickTime before 7.5 allows remote ...) NOT-FOR-US: Apple QuickTime CVE-2008-1581 (Heap-based buffer overflow in Apple QuickTime before 7.5 on Windows al ...) NOT-FOR-US: Apple QuickTime CVE-2008-1580 (CFNetwork in Safari in Apple Mac OS X before 10.5.3 automatically send ...) NOT-FOR-US: CFNetwork Safari Apple Mac OS CVE-2008-1579 (Wiki Server in Apple Mac OS X 10.5 before 10.5.3 allows remote attacke ...) NOT-FOR-US: Wiki Server Apple Mac OS CVE-2008-1578 (The sso_util program in Single Sign-On in Apple Mac OS X before 10.5.3 ...) NOT-FOR-US: Apple Mac OS X CVE-2008-1577 (Unspecified vulnerability in the Pixlet codec in Apple Pixlet Video in ...) NOT-FOR-US: Apple Mac OS X CVE-2008-1576 (Mail in Apple Mac OS X before 10.5, when an IPv6 SMTP server is used, ...) NOT-FOR-US: Apple Mac OS X CVE-2008-1575 (Unspecified vulnerability in the Apple Type Services (ATS) server in A ...) NOT-FOR-US: Apple Mac OS X CVE-2008-1574 (Integer overflow in ImageIO in Apple Mac OS X before 10.5.3 allows rem ...) NOT-FOR-US: Apple Mac OS X CVE-2008-1573 (The BMP and GIF image decoding engine in ImageIO in Apple Mac OS X bef ...) NOT-FOR-US: Apple Mac OS X CVE-2008-1572 (Image Capture in Apple Mac OS X before 10.5 does not properly use temp ...) NOT-FOR-US: Apple Mac OS X CVE-2008-1571 (Directory traversal vulnerability in the embedded web server in Image ...) NOT-FOR-US: Apple Mac OS X CVE-2008-1566 (Cross-site scripting (XSS) vulnerability in Search.do in ManageEngine ...) NOT-FOR-US: ManageEngine Applications Manager CVE-2008-1565 (Directory traversal vulnerability in forum/irc/irc.php in the PJIRC 0. ...) NOT-FOR-US: PJIRC module for phpBB CVE-2008-1564 (Directory traversal vulnerability in Dan Costin File Transfer before 1 ...) NOT-FOR-US: Dan Costin File Transfer CVE-2008-1563 (The "decode as" feature in packet-bssap.c in the SCCP dissector in Wir ...) - wireshark 1.0.0-1 (low) [etch] - wireshark (Only 0.99.6 to 0.99.8 are affected) CVE-2008-1562 (The LDAP dissector in Wireshark (formerly Ethereal) 0.99.2 through 0.9 ...) - wireshark (Only Windows builds are affected according to #1613) CVE-2008-1561 (Multiple unspecified vulnerabilities in Wireshark (formerly Ethereal) ...) - wireshark 1.0.0-1 (low) [etch] - wireshark (Only 0.99.5 to 0.99.8 are affected) CVE-2008-1560 (Multiple cross-site scripting (XSS) vulnerabilities in Digiappz DigiDo ...) NOT-FOR-US: Digiappz DigiDomain CVE-2008-1559 (SQL injection vulnerability in the Bernard Gilly AlphaContent (com_alp ...) NOT-FOR-US: com_alphacontent component for Joomla! CVE-2008-1558 (Uncontrolled array index in the sdpplin_parse function in stream/realr ...) {DSA-1552-1 DTSA-121-1} - mplayer 1.0~rc2-10 (medium; bug #473056) CVE-2008-1557 (BolinOS 4.6.1 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: BolinOS CVE-2008-1556 (Multiple cross-site scripting (XSS) vulnerabilities in BolinOS 4.6.1 a ...) NOT-FOR-US: BolinOS CVE-2008-1555 (Directory traversal vulnerability in system/_b/contentFiles/gbincluder ...) NOT-FOR-US: BolinOS CVE-2008-1554 (SQL injection vulnerability in account/index.php in TopperMod 2.0, whe ...) NOT-FOR-US: TopperMod CVE-2008-1553 (Directory traversal vulnerability in mod.php in TopperMod 1.0 allows r ...) NOT-FOR-US: TopperMod CVE-2008-1552 (The silc_pkcs1_decode function in the silccrypt library (silcpkcs1.c) ...) - silc-toolkit 1.1.7-1 (low) - silc-client (links against libsilc) NOTE: this can't result code execution but only in a crash as data_len - i always results NOTE: in -1 and malloc will never succeed and thus not reaching any free CVE-2008-1551 (SQL injection vulnerability in viewcat.php in the Photo 3.02 module fo ...) NOT-FOR-US: RunCMS CVE-2008-1550 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Cu ...) NOT-FOR-US: CubeCart CVE-2008-1549 (Multiple SQL injection vulnerabilities in Aeries Browser Interface (AB ...) NOT-FOR-US: Eagle Software Aries Student Information System CVE-2008-1548 (Multiple cross-site scripting (XSS) vulnerabilities in Aeries Browser ...) NOT-FOR-US: Eagle Software Aries Student Information System CVE-2008-1547 (Open redirect vulnerability in exchweb/bin/redir.asp in Microsoft Outl ...) NOT-FOR-US: Outlook CVE-2008-1546 (servlet/MIMEReceiveServlet in the web controller for Mitsubishi Electr ...) NOT-FOR-US: Mitsubishi Electric GB-50 and GB-50A air-conditioning control systems CVE-2008-1545 (The setRequestHeader method of the XMLHttpRequest object in Microsoft ...) NOT-FOR-US: Microsoft IE7 CVE-2008-1544 (The setRequestHeader method of the XMLHttpRequest object in Microsoft ...) NOT-FOR-US: Microsoft IE7 CVE-2008-1543 (The Advanced User Interface Pages in the ProST Web Management componen ...) NOT-FOR-US: Airspan WiMAX ProST CVE-2008-1542 (Airspan Base Station Distribution Unit (BSDU) has "topsecret" as its p ...) NOT-FOR-US: BSDU CVE-2008-1541 (Directory traversal vulnerability in cgi-bin/his-webshop.pl in HIS Web ...) NOT-FOR-US: HIS Webshop CVE-2008-1540 (SQL injection vulnerability in the Datsogallery (com_datsogallery) 1.3 ...) NOT-FOR-US: com_datsogallery module for Joomla! CVE-2008-1539 (SQL injection vulnerability in includes/dynamic_titles.php in PHP-Nuke ...) NOT-FOR-US: PHP-Nuke Platinum CVE-2008-1538 (Cross-site scripting (XSS) vulnerability in searchAction.do in ManageE ...) NOT-FOR-US: ManageEngine EventLog Analyzer CVE-2008-1537 (Directory traversal vulnerability in pb_inc/admincenter/index.php in P ...) NOT-FOR-US: PowerScripts PowerBook CVE-2008-1536 (Cross-site scripting (XSS) vulnerability in index.php in Pictures Pro ...) NOT-FOR-US: Photo Cart CVE-2008-1535 (SQL injection vulnerability in the Matti Kiviharju rekry (aka com_rekr ...) NOT-FOR-US: com_rekry component for Joomla! CVE-2008-1534 (Multiple directory traversal vulnerabilities in PowerPHPBoard 1.00b al ...) NOT-FOR-US: PowerPHPBoard CVE-2008-1533 (Unspecified vulnerability in the XML-RPC Blogger API plugin in Joomla! ...) NOT-FOR-US: Joomla! CVE-2008-1532 (Perlbal before 1.70, when buffered upload is enabled, allows remote at ...) - perlbal (Fixed before initial upload to archive) CVE-2008-1531 (The connection_state_machine function (connections.c) in lighttpd 1.4. ...) {DSA-1540-1} - lighttpd 1.4.19-2 (low; bug #475438) CVE-2005-4874 (The XMLHttpRequest object in Mozilla 1.7.8 supports the HTTP TRACE met ...) - iceweasel (old version and CVE) CVE-2003-1555 (ScozNet ScozBook 1.1 BETA allows remote attackers to obtain sensitive ...) NOT-FOR-US: ScozNet ScozBook CVE-2003-1554 (Cross-site scripting (XSS) vulnerability in scozbook/add.php in ScozNe ...) NOT-FOR-US: ScozNet ScozBook CVE-2003-1553 (Haakon Nilsen Simple Internet Publishing System (SIPS) 0.2.2 stores se ...) NOT-FOR-US: Haakon Nilsen Simple Internet Publishing System CVE-2008-1570 (Race condition in the create_lockpath function in policyd-weight 0.1.1 ...) {DSA-1531-2} - policyd-weight 0.1.14.17-1 (low) NOTE: http://www.mail-archive.com/policyd-weight-list%40ek-muc.de/msg00798.html CVE-2008-1569 (policyd-weight 0.1.14 beta-16 and earlier allows local users to modify ...) {DSA-1531-2} - policyd-weight 0.1.14.17-1 (low) CVE-2008-1568 (comix 3.6.4 allows attackers to execute arbitrary commands via a filen ...) - comix 3.6.4-1.1 (low; bug #462840) [etch] - comix (Minor issue) NOTE: comix can't be used in a non-interactive setup thus the impact level CVE-2008-1567 (phpMyAdmin before 2.11.5.1 stores the MySQL (1) username and (2) passw ...) {DSA-1557-1} - phpmyadmin 2.11.5.1 NOTE: https://www.phpmyadmin.net/security/PMASA-2008-2/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/533bb88e32aafc17e754e5ea5e26e9b02b306993 NOTE: It is a workaround for the limited security that PHP has for NOTE: session files on a shared host. This limitation is documented with NOTE: PHP, warned against and not a specific vulnerability in phpMyAdmin. NOTE: I hence consider it a security enhancement/feature, not a vulnerability. CVE-2008-1530 (GnuPG (gpg) 1.4.8 and 2.0.8 allows remote attackers to cause a denial ...) - gnupg (Only 1.4.8 is affected) NOTE: The next upload was 1.4.9-1, so no vulnerable version was ever in the NOTE: archive [etch] - gnupg (Only 1.4.8 is affected) [sarge] - gnupg (Only 1.4.8 is affected) - gnupg2 2.0.9-1 (bug #472928) [etch] - gnupg2 (Only 2.0.8 is affected) [sarge] - gnupg2 (Only 2.0.8 is affected) CVE-2008-1529 (ZyXEL Prestige routers have a minimum password length for the admin ac ...) NOT-FOR-US: ZyXEL Prestige router firmware CVE-2008-1528 (ZyXEL Prestige routers, including P-660, P-661, and P-662 models with ...) NOT-FOR-US: ZyXEL Prestige router firmware CVE-2008-1527 (ZyXEL Prestige routers, including P-660, P-661, and P-662 models with ...) NOT-FOR-US: ZyXEL Prestige router firmware CVE-2008-1526 (ZyXEL Prestige routers, including P-660, P-661, and P-662 models with ...) NOT-FOR-US: ZyXEL Prestige router firmware CVE-2008-1525 (The default SNMP configuration on ZyXEL Prestige routers, including P- ...) NOT-FOR-US: ZyXEL Prestige router firmware CVE-2008-1524 (The SNMP service on ZyXEL Prestige routers, including P-660 and P-661 ...) NOT-FOR-US: ZyXEL Prestige router firmware CVE-2008-1523 (ZyXEL Prestige routers, including P-660, P-661, and P-662 models with ...) NOT-FOR-US: ZyXEL Prestige router firmware CVE-2008-1522 (ZyXEL Prestige routers, including P-660 and P-661 models with firmware ...) NOT-FOR-US: ZyXEL Prestige router firmware CVE-2008-1521 (ZyXEL Prestige routers, including P-660 and P-661 models with firmware ...) NOT-FOR-US: ZyXEL Prestige router firmware CVE-2008-1520 RESERVED CVE-2008-1519 RESERVED CVE-2008-1518 (Stack-based buffer overflow in kl1.sys in Kaspersky Anti-Virus 6.0 and ...) NOT-FOR-US: Kaspersky Anti-Virus CVE-2008-1517 (Array index error in the xnu (Mach) kernel in Apple Mac OS X 10.5 befo ...) NOT-FOR-US: Apple Mac OS X xnu Kernel CVE-2008-1516 RESERVED CVE-2008-1515 (The SOAP interface in OTRS 2.1.x before 2.1.8 and 2.2.x before 2.2.6 a ...) - otrs2 2.2.5-2 [etch] - otrs2 (Vulnerable code not present) [etch] - otrs (Vulnerable code not present) [sarge] - otrs (Vulnerable code not present) NOTE: http://packages.qa.debian.org/o/otrs2/news/20080320T211729Z.html CVE-2008-1514 (arch/s390/kernel/ptrace.c in Linux kernel 2.6.9, and other versions be ...) {DSA-1655-1 DSA-1653-1} - linux-2.6 2.6.26-8 NOTE: s390 specific issue, counterpart for x86 not reproducible with 2.6.24 here CVE-2008-1513 (SQL injection vulnerability in index.php in Danneo CMS 0.5.1 and earli ...) NOT-FOR-US: Danneo CMS CVE-2008-1512 (Directory traversal vulnerability in admin/admin_xs.php in eXtreme Sty ...) NOT-FOR-US: XS module for phpBB CVE-2008-1511 (Multiple PHP remote file inclusion vulnerabilities in ooComments 1.0 a ...) NOT-FOR-US: ooComments CVE-2008-1510 (Cross-site scripting (XSS) vulnerability in system/workplace/admin/acc ...) NOT-FOR-US: Alkacon OpenCMS CVE-2008-1509 (SQL injection vulnerability in index.php in XLPortal 2.2.4 and earlier ...) NOT-FOR-US: XLPortal CVE-2008-1508 (SQL injection vulnerability in EfesTech E-Kontör and earlier allo ...) NOT-FOR-US: EfesTech E-Kontoer CVE-2008-1507 (PEEL, possibly 3.x and earlier, has (1) a default info@peel.fr account ...) NOT-FOR-US: Peel CVE-2008-1506 (PEEL, possibly 3.x and earlier, allows remote attackers to obtain conf ...) NOT-FOR-US: Peel CVE-2008-1505 (PHP remote file inclusion vulnerability in the SSTREAMTV custompages ( ...) NOT-FOR-US: com_custompages component for Joomla! CVE-2008-1504 (Cross-site scripting (XSS) vulnerability in setup.php3 in phpHeaven ph ...) NOT-FOR-US: phpMyChat CVE-2008-1503 (Cross-site scripting (XSS) vulnerability in the web management interfa ...) NOT-FOR-US: F5 BIG-IP CVE-2008-1501 (The send_user_mode function in s_user.c in (1) Undernet ircu 2.10.12.1 ...) - ircd-ircu (Vulnerable code not present) NOTE: vulnerable code introduced later than 2.0.12.10, see: http://hg.quakenet.org/snircd/rev/1ee48bee2f20 NOTE: no other possible NULL ptr dereferences of p found and PoC not reproducible CVE-2008-1500 (Cross-site scripting (XSS) vulnerability in index.php in TinyPortal 0. ...) NOT-FOR-US: TinyPortal CVE-2008-1499 (Cross-site scripting (XSS) vulnerability in frontend/x/manpage.html in ...) NOT-FOR-US: cPanel CVE-2008-1498 (Stack-based buffer overflow in the IMAP service in NetWin Surgemail 3. ...) NOT-FOR-US: Surgemail CVE-2008-1497 (Stack-based buffer overflow in the IMAP service in NetWin SurgeMail 38 ...) NOT-FOR-US: Surgemail CVE-2008-1496 (Multiple SQL injection vulnerabilities in PEEL, possibly 3.x and earli ...) NOT-FOR-US: PEEL CVE-2008-1495 (Unrestricted file upload vulnerability in administrer/produits.php in ...) NOT-FOR-US: PEEL CVE-2008-1494 (SQL injection vulnerability in inc/module/online.php in Easy-Clanpage ...) NOT-FOR-US: Easy-Clanpage CVE-2008-1493 (Directory traversal vulnerability in login.php in Cuteflow Bin 1.5.0 a ...) - cuteflow (bug #465372) CVE-2008-1492 (Multiple directory traversal vulnerabilities in CoronaMatrix phpAddres ...) NOT-FOR-US: CoronaMatrix CVE-2008-1491 (Stack-based buffer overflow in the DPC Proxy server (DpcProxy.exe) in ...) NOT-FOR-US: ASUS Remote Console CVE-2008-1490 (Buffer overflow in a certain Aurigma ActiveX control in ImageUploader4 ...) NOT-FOR-US: ImageUploader4 CVE-2008-1489 (Integer overflow in the MP4_ReadBox_rdrf function in libmp4.c for VLC ...) {DSA-1543-1 DTSA-119-1} - vlc 0.8.6.e-1.1 (medium; bug #472635) CVE-2008-1488 (Stack-based buffer overflow in apc.c in Alternative PHP Cache (APC) 3. ...) - php-apc (Fixed before initial upload) CVE-2008-1487 (Multiple cross-site scripting (XSS) vulnerabilities in LinPHA before 1 ...) NOT-FOR-US: LinPHA CVE-2008-1486 (SQL injection vulnerability in Phorum before 5.2.6, when mysql_use_ft ...) NOT-FOR-US: Phorum CVE-2008-1485 (Cross-site scripting (XSS) vulnerability in PunBB 1.2.16 and earlier a ...) NOT-FOR-US: PunBB CVE-2008-1484 (The password reset feature in PunBB 1.2.16 and earlier uses predictabl ...) NOT-FOR-US: PunBB CVE-2008-1483 (OpenSSH 4.3p2, and probably other versions, allows local users to hija ...) {DSA-1576-1} - openssh 1:4.7p1-5 (bug #463011) CVE-2008-1482 (Multiple integer overflows in xine-lib 1.1.11 and earlier allow remote ...) {DSA-1586-1 DTSA-120-1} - xine-lib 1.1.11.1-1 (medium; bug #472639) CVE-2008-1481 (Cross-site scripting (XSS) vulnerability in index.php in webSPELL 4.1. ...) NOT-FOR-US: webSPELL CVE-2008-1480 (rpc.metad in Sun Solaris 10 allows remote attackers to cause a denial ...) NOT-FOR-US: Sun Solaris CVE-2008-1479 (Cross-site scripting (XSS) vulnerability in index.php in cyberfrogs.ne ...) NOT-FOR-US: cfnetgs CVE-2008-1478 (Home FTP Server 1.4.5.89 allows remote attackers to cause a denial of ...) NOT-FOR-US: Home FTP Server CVE-2008-1477 (Multiple cross-site scripting (XSS) vulnerabilities in busca.php in eF ...) NOT-FOR-US: eForum CVE-2008-1475 (The xml-rpc server in Roundup 1.4.4 does not check property permission ...) - roundup 1.4.4-1.1 (medium; bug #484728) [etch] - roundup (xml-rpc code introduced in 1.4.0) CVE-2008-1474 (Multiple unspecified vulnerabilities in Roundup before 1.4.4 have unkn ...) {DSA-1554-1} - roundup 1.3.3-3.1 (low; bug #472643) CVE-2008-1473 (The Altiris Client Service (AClient.exe) in Symantec Altiris Deploymen ...) NOT-FOR-US: Symantec Altiris CVE-2008-1472 (Stack-based buffer overflow in the ListCtrl ActiveX Control (ListCtrl. ...) NOT-FOR-US: ARCserve Backup CVE-2008-1471 (The cpoint.sys driver in Panda Internet Security 2008 and Antivirus+ F ...) NOT-FOR-US: Panda Internet Security/Antivirus+ Firewall CVE-2008-1470 (Incomplete blacklist vulnerability in IISWebAgentIF.dll in the WebID R ...) NOT-FOR-US: WebID RSA Authentication Agent CVE-2008-1469 (Gallarific Free Edition 1.1 does not require authentication for (1) ph ...) NOT-FOR-US: Gallarific CVE-2008-1468 (Cross-site scripting (XSS) vulnerability in namazu.cgi in Namazu befor ...) - namazu2 2.0.18-0.1 (low; bug #472644) CVE-2008-1467 - centerim 4.22.3-1 (unimportant; bug #472649) NOTE: the victim needs to list the URLs in the message with F2 and press enter on it NOTE: the victim can see the complete URL including the commands however so the impact is really low CVE-2008-1466 (Multiple PHP remote file inclusion vulnerabilities in W-Agora 4.0 allo ...) NOT-FOR-US: W-Agora CVE-2008-1465 (SQL injection vulnerability in the Detodas Restaurante (com_restaurant ...) NOT-FOR-US: com_restaurante component for Mambo and Joomla! CVE-2008-1464 (Multiple SQL injection vulnerabilities in Gallarific Free Edition 1.1 ...) NOT-FOR-US: Gallarific CVE-2008-1463 (Cross-site scripting (XSS) vulnerability in the management GUI in Impe ...) NOT-FOR-US: Imperva SecureSphere MX Management Server CVE-2008-1462 (SQL injection vulnerability in the sections (Section) module in RunCMS ...) NOT-FOR-US: RunCMS CVE-2008-1461 (Buffer overflow in XnView 1.92.1 allows user-assisted remote attackers ...) NOT-FOR-US: XnView CVE-2008-1460 (SQL injection vulnerability in the Joovideo (com_joovideo) 1.0 and 1.2 ...) NOT-FOR-US: com_joovideo component for Mambo and Joomla! CVE-2008-1459 (SQL injection vulnerability in the Alberghi (com_alberghi) 2.1.3 and e ...) NOT-FOR-US: com_alberghi component for Mambo and Joomla! CVE-2008-1458 (Cross-site scripting (XSS) vulnerability in index.php in CS-Cart 1.3.2 ...) NOT-FOR-US: CS-Cart CVE-2008-1457 (The Event System in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server ...) NOT-FOR-US: Microsoft Windows 2000 CVE-2008-1456 (Array index vulnerability in the Event System in Microsoft Windows 200 ...) NOT-FOR-US: Microsoft Windows 2000 CVE-2008-1455 (A "memory calculation error" in Microsoft Office PowerPoint 2000 SP3, ...) NOT-FOR-US: Microsoft Office PowerPoint CVE-2008-1454 (Unspecified vulnerability in Microsoft DNS in Windows 2000 SP4, Server ...) NOT-FOR-US: Windows issue CVE-2008-1453 (The Bluetooth stack in Microsoft Windows XP SP2 and SP3, and Vista Gol ...) NOT-FOR-US: Windows Xp CVE-2008-1452 REJECTED CVE-2008-1451 (The WINS service on Microsoft Windows 2000 SP4, and Server 2003 SP1 an ...) NOT-FOR-US: Microsoft Windows CVE-2008-1450 REJECTED CVE-2008-1449 REJECTED CVE-2008-1448 (The MHTML protocol handler in a component of Microsoft Outlook Express ...) NOT-FOR-US: Microsoft Outlook Express CVE-2008-1447 (The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, ...) {DSA-1605-1 DSA-1604-1 DSA-1623-1 DSA-1619-1 DSA-1617-1 DSA-1603-1 DTSA-147-1} - bind9 1:9.5.0.dfsg-5 (high) NOTE: glibc stub resolver relies on source port randomisation in kernel - dnsmasq 2.43-1 (medium; bug #490123) - refpolicy 2:0.0.20080702-1 - pdnsd 1.2.6-par-11 (bug #502275) - python-dns 2.3.1-5 (low; bug #490217) - dnspython (unimportant; bug #492465) NOTE: Just a stub resolver Linux kernel provides source port randomisation - adns 1.4-2 (unimportant; bug #492698) NOTE: adns is not suitable to use with untrusted responses, documented in README.Debian - udns 0.2-1 (bug #493599) - libnet-dns-perl 0.63-2 (low; bug #492700) NOTE: Source port randomization from Lenny kernel should provide sufficient protection NOTE: since this is just a Perl nodule for DNS queries and not a high-profile server app like NOTE: Bind, it's unlikely that a home-grown fix will provide an implementation of higher NOTE: cryptographical quality. Marking the version from Lenny as fixed, since Lenny includes NOTE: a kernel which provides source port randomization - ruby1.9 1.9.0.2-6 (low) NOTE: Unbound, djbdns, pdnsd and PowerDNS are affected by the underlying protocol issue, but NOTE: already use source port randomization. NOTE: Marking non-caching stub resolvers as low since these really should be fixed, NOTE: but are much less vulnerable than a caching server. CVE-2008-1446 (Integer overflow in the Internet Printing Protocol (IPP) ISAPI extensi ...) NOT-FOR-US: Microsoft CVE-2008-1445 (Active Directory on Microsoft Windows 2000 Server SP4, XP Professional ...) NOT-FOR-US: Microsoft Windows CVE-2008-1444 (Stack-based buffer overflow in Microsoft DirectX 7.0 and 8.1 on Window ...) NOT-FOR-US: Microsoft Windows CVE-2008-1443 REJECTED CVE-2008-1442 (Heap-based buffer overflow in the substringData method in Microsoft In ...) NOT-FOR-US: Microsoft Windows CVE-2008-1441 (Microsoft Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold ...) NOT-FOR-US: Microsoft Windows CVE-2008-1440 (Microsoft Windows XP SP2 and SP3, and Server 2003 SP1 and SP2, does no ...) NOT-FOR-US: Microsoft Windows CVE-2008-1439 REJECTED CVE-2008-1438 (Unspecified vulnerability in Microsoft Malware Protection Engine (mpen ...) NOT-FOR-US: Microsoft Malware Protection Engine CVE-2008-1437 (Unspecified vulnerability in Microsoft Malware Protection Engine (mpen ...) NOT-FOR-US: Microsoft Malware Protection Engine CVE-2008-1436 (Microsoft Windows XP Professional SP2, Vista, and Server 2003 and 2008 ...) NOT-FOR-US: Windows CVE-2008-1435 (Windows Explorer in Microsoft Windows Vista up to SP1, and Server 2008 ...) NOT-FOR-US: Windows issue CVE-2008-1434 (Use-after-free vulnerability in Microsoft Word in Office 2000 and XP S ...) NOT-FOR-US: Microsoft Word CVE-2008-1433 REJECTED CVE-2008-1432 (Cross-site scripting (XSS) vulnerability in SolutionSearch.do in Manag ...) NOT-FOR-US: ManageEngine SupportCenter Plus CVE-2008-1431 (RaidSonic NAS-4220-B with 2.6.0-n(2007-10-11) firmware stores a partit ...) NOT-FOR-US: RaidSonic NAS-4220-B firmware CVE-2008-1430 (SQL injection vulnerability in links.asp in ASPapp allows remote attac ...) NOT-FOR-US: ASPapp CVE-2008-1429 (Secure Internet Live Conferencing (SILC) Server before 1.1.1 allows re ...) - silc-server 1.1.1-1 (medium) CVE-2008-1428 (Multiple cross-site scripting (XSS) vulnerabilities in the Ubercart 5. ...) NOT-FOR-US: Ubercart CVE-2008-1427 (SQL injection vulnerability in the Joobi Acajoom (com_acajoom) 1.1.5 a ...) NOT-FOR-US: com_acajoom component for Joomla! CVE-2008-1426 (SQL injection vulnerability in album.asp in KAPhotoservice allows remo ...) NOT-FOR-US: KAPhotoservice CVE-2008-1425 (SQL injection vulnerability in index.php in the gallery module in Easy ...) NOT-FOR-US: Easy-Clanpage CVE-2008-1424 RESERVED CVE-2008-1423 (Integer overflow in a certain quantvals and quantlist calculation in X ...) {DSA-1591-1} - libvorbisidec 1.0.2+svn18153-0.1 (bug #669196) [squeeze] - libvorbisidec (Minor issue, no dev-deps) - libvorbis 1.2.0.dfsg-3.1 (bug #482518) CVE-2008-1422 REJECTED CVE-2008-1421 REJECTED CVE-2008-1420 (Integer overflow in residue partition value (aka partvals) evaluation ...) {DSA-1591-1} - libvorbisidec (Vulnerable code not present) - libvorbis 1.2.0.dfsg-3.1 (bug #482518) CVE-2008-1419 (Xiph.org libvorbis 1.2.0 and earlier does not properly handle a zero v ...) {DSA-1591-1} - libvorbisidec 1.0.2+svn18153-0.1 (bug #669196) [squeeze] - libvorbisidec (Minor issue, no dev-deps) - libvorbis 1.2.0.dfsg-3.1 (bug #482518) CVE-2008-1418 RESERVED CVE-2008-1416 (Multiple PHP remote file inclusion vulnerabilities in PHPauction GPL 2 ...) NOT-FOR-US: PHPauction GPL CVE-2008-1415 (Directory traversal vulnerability in index.php in Multiple Time Sheets ...) NOT-FOR-US: Multiple Time Sheets CVE-2008-1414 (Cross-site scripting (XSS) vulnerability in Multiple Time Sheets (MTS) ...) NOT-FOR-US: Multiple Time Sheets CVE-2008-1413 (Cross-site scripting (XSS) vulnerability in search.php in SNewsCMS Rus ...) NOT-FOR-US: SNewsCMS Rus CVE-2008-1412 (Unspecified vulnerability in multiple F-Secure anti-virus products, in ...) NOT-FOR-US: F-Secure anti-virus CVE-2008-1411 (The PXE Server (pxesrv.exe) in Acronis Snap Deploy 2.0.0.1076 and earl ...) NOT-FOR-US: Acronis Snap Deploy CVE-2008-1410 (Directory traversal vulnerability in the PXE Server (pxesrv.exe) in Ac ...) NOT-FOR-US: Acronis Snap Deploy CVE-2008-1409 (Multiple directory traversal vulnerabilities in the Default theme in E ...) NOT-FOR-US: Exero CMS CVE-2008-1408 (SQL injection vulnerability in includes/functions/banners-external.php ...) NOT-FOR-US: phpBP CVE-2008-1407 (SQL injection vulnerability in index.php in the WebChat 1.60 module fo ...) NOT-FOR-US: WebChat module for eXV2 CVE-2008-1406 (SQL injection vulnerability in annonces-p-f.php in the MyAnnonces 1.8 ...) NOT-FOR-US: MyAnnonces CVE-2008-1405 (PHP remote file inclusion vulnerability in code/display.php in fuzzyli ...) NOT-FOR-US: fuzzylime CVE-2008-1404 (SQL injection vulnerability in index.php in the Viso (Industry Book) 2 ...) NOT-FOR-US: Viso module for eXV2 CVE-2008-1403 (Stack-based buffer overflow in the TFTP server in BootManage TFTPD 1.9 ...) NOT-FOR-US: BootManage TFTPD CVE-2008-1402 (MG-SOFT Net Inspector 6.5.0.828 and earlier for Windows allows remote ...) NOT-FOR-US: MG-SOFT Net Inspector CVE-2008-1401 (Format string vulnerability in the Net Inspector HTTP server (mghttpd) ...) NOT-FOR-US: MG-SOFT Net Inspector CVE-2008-1400 (Directory traversal vulnerability in the Net Inspector HTTP Server (mg ...) NOT-FOR-US: MG-SOFT Net Inspector CVE-2008-1399 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Cl ...) NOT-FOR-US: Clansphere CVE-2008-1398 (SQL injection vulnerability in online.php in AuraCMS 2.0 through 2.2.1 ...) NOT-FOR-US: AuraCMS CVE-2008-1397 (Check Point VPN-1 Power/UTM, with NGX R60 through R65 and NG AI R55 so ...) NOT-FOR-US: Check Point VPN CVE-2008-1396 (Plone CMS 3.x uses invariant data (a client username and a server secr ...) - plone3 (low; bug #473571) [lenny] - plone3 (Only an issue if not following best practices, see bug #473571) CVE-2008-1395 (Plone CMS does not record users' authentication states, and implements ...) - plone3 (low; bug #473571) [lenny] - plone3 (Only an issue if not following best practices, see bug #473571) CVE-2008-1394 (Plone CMS before 3 places a base64 encoded form of the username and pa ...) - zope-cmfplone [etch] - zope-cmfplone (low) NOTE: doesn't apply to v3 NOTE: more a security enhancement CVE-2008-1393 (Plone CMS 3.0.5, and probably other 3.x versions, places a base64 enco ...) - plone3 (low; bug #473571; bug #486333) [lenny] - plone3 (Only an issue if not following best practices, see bug #473571) CVE-2008-1392 (The default configuration of VMware Workstation 6.0.2, VMware Player 2 ...) - vmware-package (low; bug #486177) [etch] - vmware-package (Contrib not supported) NOTE: vmware-package just builds vmware from downloaded tarballs, the package itself NOTE: does not download them, however it needs to update its hashes for upstream tarballs CVE-2007-6711 (Unspecified vulnerability in customer.php in FreeWebshop.org 2.2.5, 2. ...) NOT-FOR-US: FreeWebShop.org CVE-2005-4873 (Multiple stack-based buffer overflows in the phpcups PHP module for CU ...) - cups 1.1.23-10sarge1 - cupsys 1.1.23-10sarge1 CVE-2008-1476 (Cross-site scripting (XSS) vulnerability in Serendipity (S9Y) before 1 ...) {DSA-1528-1} - serendipity 1.3-1 NOTE: http://blog.s9y.org/archives/192-Serendipity-1.3-released-addresses-security.html CVE-2008-1502 (The _bad_protocol_once function in phpgwapi/inc/class.kses.inc.php in ...) {DSA-1871-2 DSA-1871-1 DSA-1691-1} - egroupware 1.4.002.dfsg-2.1 (bug #471839) - wordpress 2.5.0-1 (bug #504243) - moodle 1.8.2-1.3 (bug #489533) CVE-2008-1391 (Multiple integer overflows in libc in NetBSD 4.x, FreeBSD 6.x and 7.x, ...) {DSA-2058-1} - kfreebsd-6 (see bug #483152) - kfreebsd-7 (see bug #483152) - glibc 2.11-1 (low) - eglibc 2.11-1 (low) [lenny] - glibc (minor issue) NOTE: not sure if it is a security bug, an attacker should not be able to change the format string NOTE: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=199eb0de8d NOTE: http://sourceware.org/bugzilla/show_bug.cgi?id=10600 NOTE: PoC php -r 'money_format("%.1073741821i",1);' I can reproduce on 32bit, not 64bit CVE-2008-1390 (The AsteriskGUI HTTP server in Asterisk Open Source 1.4.x before 1.4.1 ...) - asterisk 1:1.4.19.1~dfsg-1 (low) [etch] - asterisk (Only 1.4.x affected) [sarge] - asterisk (Only 1.4.x affected) CVE-2008-1389 (libclamav/chmunpack.c in the chm-parser in ClamAV before 0.94 allows r ...) - clamav 0.94.dfsg-1 [etch] - clamav (parsing does not continue on error) NOTE: see <20081203184852.GB30968@l03.local> CVE-2008-1388 RESERVED CVE-2008-1387 (ClamAV before 0.93 allows remote attackers to cause a denial of servic ...) - clamav 0.92.1~dfsg2-1 [etch] - clamav (Vulnerable code not present) CVE-2008-1386 (Multiple cross-site scripting (XSS) vulnerabilities in the installer i ...) - serendipity (Vulnerable code not present) NOTE: we do not ship the serendipity installer CVE-2008-1385 (Cross-site scripting (XSS) vulnerability in the Top Referrers (aka ref ...) - serendipity 1.3.1-1 (low) NOTE: etch affected, but only in specific plugin. CVE-2008-1384 (Integer overflow in PHP 5.2.5 and earlier allows context-dependent att ...) {DSA-1572-1 DTSA-135-1} - php5 5.2.6-1 NOTE: http://securityreason.com/achievement_securityalert/52 NOTE: Only exploitable through malicious script NOTE: http://cvs.php.net/viewvc.cgi/php-src/ext/standard/formatted_print.c?r1=1.104&r2=1.105&diff_format=u CVE-2008-1383 (The docert function in ssl-cert.eclass, when used by src_compile or sr ...) NOT-FOR-US: Gentoo Linux Ebuilds CVE-2008-1382 (libpng 1.0.6 through 1.0.32, 1.2.0 through 1.2.26, and 1.4.0beta01 thr ...) - libpng 1.2.26-1 (low; bug #476669) NOTE: 1.2.26-1 contains a patch to fix that [etch] - libpng 1.2.15~beta5-1+etch2 CVE-2008-1381 (ZoneMinder before 1.23.3 allows remote authenticated users, and possib ...) {DTSA-130-1} - zoneminder 1.23.3-1 (medium; bug #479034) NOTE: http://www.awe.com/mark/blog/200804272230.html CVE-2008-1380 (The JavaScript engine in Mozilla Firefox before 2.0.0.14, Thunderbird ...) {DSA-1696-1 DSA-1562-1 DSA-1558-1 DSA-1555-1} - iceweasel 2.0.0.14-1 - icedove 2.0.0.14-1 - iceape 1.1.9-2 - xulrunner 1.8.1.14-1 CVE-2008-1379 (Integer overflow in the fbShmPutImage function in the MIT-SHM extensio ...) {DSA-1595-1 DTSA-141-1} - xorg-server 2:1.4.1~git20080517-2 CVE-2008-1378 REJECTED CVE-2008-1377 (The (1) SProcRecordCreateContext and (2) SProcRecordRegisterClients fu ...) {DSA-1595-1 DTSA-141-1} - xorg-server 2:1.4.1~git20080517-2 CVE-2008-1376 (A certain Red Hat build script for nfs-utils before 1.0.9-35z.el5_2 on ...) NOT-FOR-US: Red Hat build script CVE-2008-1375 (Race condition in the directory notification subsystem (dnotify) in Li ...) {DSA-1565-1} - linux-2.6 2.6.25-2 (low) - linux-2.6.24 2.6.24-6~etchnhalf.2 CVE-2008-1374 (Integer overflow in pdftops filter in CUPS in Red Hat Enterprise Linux ...) - cupsys (Redhat-specific incomplete patch, upstream patch is complete) - cups (Redhat-specific incomplete patch, upstream patch is complete) CVE-2008-1373 (Buffer overflow in the gif_read_lzw function in CUPS 1.3.6 allows remo ...) {DSA-1625-1 DTSA-122-1} - cupsys 1.3.7-1 (medium) - cups 1.3.7-1 (medium) CVE-2008-1372 (bzlib.c in bzip2 before 1.0.5 allows user-assisted remote attackers to ...) - bzip2 1.0.5-0.1 (low; bug #471670) [etch] - bzip2 (Pure crasher, no code injection, mostly a regular bug) CVE-2008-1371 (Absolute path traversal vulnerability in install/index.php in Drake CM ...) NOT-FOR-US: Drake CMS CVE-2008-1370 (PHP remote file inclusion vulnerability in index.php in wildmary Yap B ...) NOT-FOR-US: wildmary Yap Blog CVE-2008-1369 (A certain incorrect Sun Solaris 10 image on SPARC Enterprise T5120 and ...) NOT-FOR-US: Sun Solaris CVE-2008-1368 (CRLF injection vulnerability in Microsoft Internet Explorer 5 and 6 al ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-1367 (gcc 4.3.x does not generate a cld instruction while compiling function ...) - linux-2.6 2.6.24-5 (bug #469058) [etch] - linux-2.6 (Only exposed with GCC 4.3) - kfreebsd-6 6.3-4 (bug #469564) - kfreebsd-7 7.0-2 (bug #469565) - gcc-4.3 4.3.0-2 (bug #469567) - glibc 2.7-8 (bug #465583) [etch] - glibc (Problem only exposed with GCC 4.3) CVE-2008-1366 (Trend Micro OfficeScan Corporate Edition 8.0 Patch 2 build 1189 and ea ...) NOT-FOR-US: Trend Micro OfficeScan Corporate Edition CVE-2008-1365 (Stack-based buffer overflow in Trend Micro OfficeScan Corporate Editio ...) NOT-FOR-US: Trend Micro OfficeScan Corporate Edition CVE-2008-1364 (Unspecified vulnerability in the DHCP service in VMware Workstation 5. ...) - vmware-package (low; bug #486177) [etch] - vmware-package (Contrib not supported) NOTE: vmware-package just builds vmware from downloaded tarballs, the package itself NOTE: does not download them, however it needs to update its hashes for upstream tarballs CVE-2008-1363 (VMware Workstation 6.0.x before 6.0.3 and 5.5.x before 5.5.6, VMware P ...) - vmware-package (Only vulnerable on windows hosted systems) CVE-2008-1362 (VMware Workstation 6.0.x before 6.0.3 and 5.5.x before 5.5.6, VMware P ...) - vmware-package (Only vulnerable on windows hosted systems) CVE-2008-1361 (VMware Workstation 6.0.x before 6.0.3 and 5.5.x before 5.5.6, VMware P ...) - vmware-package (Only vulnerable on windows hosted systems) CVE-2008-1359 (Cross-site scripting (XSS) vulnerability in Invision Power Board (IPB ...) NOT-FOR-US: Invision Power Board CVE-2008-1358 (Stack-based buffer overflow in the IMAP server in Alt-N Technologies M ...) NOT-FOR-US: MDaemon CVE-2008-1357 (Format string vulnerability in the logDetail function of applib.dll in ...) NOT-FOR-US: McAfee Common Management Agent CVE-2008-1356 (Unspecified vulnerability in xscreensaver in Sun Solaris 10 Java Deskt ...) NOT-FOR-US: Sun Solaris CVE-2008-1355 (Cross-site scripting (XSS) vulnerability in index.php in Jeebles Techn ...) NOT-FOR-US: Jeebles Directory CVE-2008-1354 (SQL injection vulnerability in MyIssuesView.asp in Advanced Data Solut ...) NOT-FOR-US: VSO-XP CVE-2008-1353 (zabbix_agentd in ZABBIX 1.4.4 allows remote attackers to cause a denia ...) - zabbix 1:1.4.5-1 (low; bug #471678) [etch] - zabbix (Minor issue) CVE-2008-1352 (Directory traversal vulnerability in search.php in EdiorCMS (ecms) 3.0 ...) NOT-FOR-US: EdiorCMS CVE-2008-1351 (SQL injection vulnerability in the Tutorials 2.1b module for XOOPS all ...) NOT-FOR-US: Tutorials module for XOOPS CVE-2008-1350 (SQL injection vulnerability in kb.php in Fully Modded phpBB (phpbbfm) ...) NOT-FOR-US: Fully Modded phpBB CVE-2008-1349 (SQL injection vulnerability in viewcat.php in the bamaGalerie (Bama Ga ...) NOT-FOR-US: bamaGalerie CVE-2008-1348 (Cross-site scripting (XSS) vulnerability in index.php in the eWebsite ...) NOT-FOR-US: eWeather module for PHP-Nuke CVE-2008-1347 (Multiple cross-site scripting (XSS) vulnerabilities in staticpages/eas ...) NOT-FOR-US: MyioSoft EasyGallery CVE-2008-1346 (SQL injection vulnerability in staticpages/easygallery/index.php in My ...) NOT-FOR-US: MyioSoft EasyGallery CVE-2008-1345 (Cross-site scripting (XSS) vulnerability in plugins/calendar/calendar_ ...) NOT-FOR-US: MyioSoft EasyCalendar CVE-2008-1344 (Multiple SQL injection vulnerabilities in MyioSoft EasyCalendar 4.0tr ...) NOT-FOR-US: MyioSoft EasyCalendar CVE-2008-1343 (Directory traversal vulnerability in (1) pkgadd and (2) pkgrm in SCO U ...) NOT-FOR-US: SCO Unixware CVE-2008-1342 (Multiple cross-site scripting (XSS) vulnerabilities in the search feat ...) NOT-FOR-US: Polymita BPM-Suite and CollagePortal CVE-2008-1341 (SQL injection vulnerability in SearchResults.aspx in LaGarde StoreFron ...) NOT-FOR-US: LaGarde StoreFront CVE-2008-1340 (Virtual Machine Communication Interface (VMCI) in VMware Workstation 6 ...) - vmware-package (low; bug #486177) [etch] - vmware-package (Contrib not supported) NOTE: vmware-package just builds vmware from downloaded tarballs, the package itself NOTE: does not download them, however it needs to update its hashes for upstream tarballs CVE-2008-1339 RESERVED CVE-2008-1338 (The Perforce service (p4s.exe) in Perforce Server 2007.3/143793 and ea ...) NOT-FOR-US: Perforce Server CVE-2008-1337 (The instant message service in Timbuktu Pro 8.6.5 RC 229 and earlier f ...) NOT-FOR-US: Timbuktu Pro for Windows CVE-2008-1336 (SQL injection vulnerability in Koobi CMS 4.2.3 through 4.3.0 allows re ...) NOT-FOR-US: Koobi CMS CVE-2008-1335 (The ipsec4_get_ulp function in the kernel in NetBSD 2.0 through 3.1 an ...) NOT-FOR-US: NetBSD CVE-2008-1334 (cgi/b on the BT Home Hub router allows remote attackers to bypass auth ...) NOT-FOR-US: BT Home Hub router CVE-2008-1333 (Format string vulnerability in Asterisk Open Source 1.6.x before 1.6.0 ...) {DSA-1525-1} - asterisk 1:1.4.18.1~dfsg-1 (medium) NOTE: Etch's release is unimportant, since not exploitable, but was fixed anyway [sarge] - asterisk (Only 1.6.x affected) CVE-2008-1332 (Unspecified vulnerability in Asterisk Open Source 1.2.x before 1.2.27, ...) {DSA-1525-1} - asterisk 1:1.4.18.1~dfsg-1 (medium) CVE-2008-1331 (cgi-data/FastJSData.cgi in OmniPCX Office with Internet Access service ...) NOT-FOR-US: OmniPCX Office CVE-2008-1330 (Unspecified vulnerability in the Windows client API in Novell GroupWis ...) NOT-FOR-US: Novell Groupwise CVE-2008-1329 (Unspecified vulnerability in the NetBackup service in CA ARCserve Back ...) NOT-FOR-US: CA ARCserve CVE-2008-1328 (Buffer overflow in the LGServer service in CA ARCserve Backup for Lapt ...) NOT-FOR-US: CA ARCserve CVE-2008-1327 (Gallarific does not require authentication for (1) users.php and (2) i ...) NOT-FOR-US: Gallarific CVE-2008-1326 (Cross-site scripting (XSS) vulnerability in search.php in Gallarific a ...) NOT-FOR-US: Gallarific CVE-2008-1325 (Multiple directory traversal vulnerabilities in index.php in Uberghey ...) NOT-FOR-US: Uberghey CMS CVE-2008-1324 (Multiple directory traversal vulnerabilities in index.php in Travelsiz ...) NOT-FOR-US: Travelsized CMS CVE-2008-1323 (Cross-site request forgery (CSRF) vulnerability in index.php in WoltLa ...) NOT-FOR-US: WoltLab Burning Board CVE-2008-1322 (The File Check Utility (fcheck.exe) in ASG-Sentry Network Manager 7.0. ...) NOT-FOR-US: ASG-Sentry Network Manager CVE-2008-1321 (The FxIAList service in ASG-Sentry Network Manager 7.0.0 and earlier d ...) NOT-FOR-US: ASG-Sentry Network Manager CVE-2008-1320 (Multiple buffer overflows in ASG-Sentry Network Manager 7.0.0 and earl ...) NOT-FOR-US: ASG-Sentry Network Manager CVE-2008-1319 (Untrusted search path and argument injection vulnerability in the Vers ...) NOT-FOR-US: Versant Object Database CVE-2008-1317 (Unspecified vulnerability in the Inter-Process Communication (IPC) mes ...) NOT-FOR-US: Sun Solaris CVE-2008-1316 (SQL injection vulnerability in qtf_ind_search_ov.php in QT-cute QuickT ...) NOT-FOR-US: QuickTalk Forum CVE-2008-1315 (SQL injection vulnerability in the ZClassifieds module for PHP-Nuke al ...) NOT-FOR-US: ZClassifieds module for PHP-Nuke CVE-2008-1314 (SQL injection vulnerability in the Johannes Hass gaestebuch 2.2 module ...) NOT-FOR-US: Johannes Hass gaestebuch CVE-2008-1313 (Multiple SQL injection vulnerabilities in index.php in Bloo 1.00 and e ...) NOT-FOR-US: Bloo CVE-2008-1312 (Unspecified vulnerability in the TFTP server in PacketTrap Networks pt ...) NOT-FOR-US: PacketTrap Networks Tool Suite CVE-2008-1311 (The TFTP server in PacketTrap pt360 Tool Suite PRO 2.0.3901.0 and earl ...) NOT-FOR-US: PacketTrap Networks Tool Suite CVE-2008-1310 (Directory traversal vulnerability in the TFTP server in PacketTrap Net ...) NOT-FOR-US: PacketTrap Networks Tool Suite CVE-2008-1309 (The RealAudioObjects.RealAudio ActiveX control in rmoc3260.dll in Real ...) NOT-FOR-US: RealPlayer CVE-2008-1308 (SQL injection vulnerability in the Sudirman Angriawan NukeC30 3.0 modu ...) NOT-FOR-US: NukeC30 module for PHP-Nuke CVE-2008-1307 (Heap-based buffer overflow in the KUpdateObj2 Class ActiveX control in ...) NOT-FOR-US: KingSoft Antivirus CVE-2008-1306 (Multiple cross-site scripting (XSS) vulnerabilities in Savvy Content M ...) NOT-FOR-US: Savvy Content Manager CVE-2008-1305 (SQL injection vulnerability in filebase.php in the Filebase mod for ph ...) NOT-FOR-US: Filebase mod for phpBb CVE-2008-1304 (Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.3.2 ...) - wordpress (Vulnerable code not present) NOTE: referring to upstream this only affected wordpress.com and not the regular wordpress code CVE-2008-1303 (The Perforce service (p4s.exe) in Perforce Server 2007.3/143793 and ea ...) NOT-FOR-US: Perforce Server CVE-2008-1302 (The Perforce service (p4s.exe) in Perforce Server 2007.3/143793 and ea ...) NOT-FOR-US: Perforce Server CVE-2008-1301 (Absolute path traversal vulnerability in system/workplace/admin/workpl ...) NOT-FOR-US: Alkacon OpenCms CVE-2008-1300 (Cross-site scripting (XSS) vulnerability in the Logfile Viewer Setting ...) NOT-FOR-US: Alkacon OpenCms CVE-2008-1299 (Cross-site scripting (XSS) vulnerability in SolutionSearch.do in Manag ...) NOT-FOR-US: ManageEngine ServiceDesk Plus CVE-2008-1298 (SQL injection vulnerability in Hadith module for PHP-Nuke allows remot ...) NOT-FOR-US: Hadith module for PHP-Nuke CVE-2008-1297 (SQL injection vulnerability in index.php in the eWriting (com_ewriting ...) NOT-FOR-US: com_ewriting module for Mambo and Joomla! CVE-2008-1296 (Multiple cross-site scripting (XSS) vulnerabilities in EncapsGallery 1 ...) NOT-FOR-US: EncapsGallery CVE-2008-1295 (SQL injection vulnerability in archives.php in Gregory Kokanosky (aka ...) NOT-FOR-US: phpMyNewsletter CVE-2008-1292 (ViewVC before 1.0.5 provides revision metadata without properly checki ...) - viewvc 1.0.5-0.1 (bug #471380) CVE-2008-1291 (ViewVC before 1.0.5 stores sensitive information under the web root wi ...) - viewvc 1.0.5-0.1 (bug #471380) CVE-2008-1290 (ViewVC before 1.0.5 includes "all-forbidden" files within search resul ...) - viewvc 1.0.5-0.1 (bug #471380) CVE-2008-1289 (Multiple buffer overflows in Asterisk Open Source 1.4.x before 1.4.18. ...) - asterisk 1:1.4.18.1~dfsg-1 (medium) [etch] - asterisk (Only 1.4.x and above affected) [sarge] - asterisk (Only 1.4.x and above affected) CVE-2007-6710 RESERVED CVE-2007-6709 (The Cisco Linksys WAG54GS Wireless-G ADSL Gateway with 1.01.03 and ear ...) NOT-FOR-US: Cisco Linksys CVE-2007-6708 (Multiple cross-site request forgery (CSRF) vulnerabilities on the Cisc ...) NOT-FOR-US: Cisco Linksys CVE-2007-6707 (Multiple cross-site scripting (XSS) vulnerabilities on the Cisco Links ...) NOT-FOR-US: Cisco Linksys CVE-2008-1360 (Cross-site scripting (XSS) vulnerability in Nagios before 2.11 allows ...) {DSA-1883-2 DSA-1883-1} - nagios2 2.11-1 (low) CVE-2008-1417 (The prerm script in axyl 2.1.7 allows local users to overwrite arbitra ...) - axyl 2.2.0 (low; bug #471227) [sarge] - axyl (Vulnerable code not present) [etch] - axyl (Vulnerable code not present) CVE-2008-1294 (Linux kernel 2.6.17, and other versions before 2.6.22, does not check ...) {DSA-1565-1} - linux-2.6 2.6.22-1 (low) CVE-2008-1318 (Unspecified vulnerability in MediaWiki 1.11 before 1.11.2 allows remot ...) - mediawiki 1:1.11.2-1 [etch] - mediawiki (Versions prior to 1.11 do not include callback feature) NOTE: http://lists.wikimedia.org/pipermail/mediawiki-announce/2008-March/000070.html CVE-2008-1288 (IBM Rational ClearQuest 7.0.1.1 and 7.0.0.2 might allow local or remot ...) NOT-FOR-US: IBM Rational ClearQuest CVE-2008-1287 (IBM Rational ClearQuest 7.0.1.1 and 7.0.0.2 generates different error ...) NOT-FOR-US: IBM Rational ClearQuest CVE-2008-1286 (Unspecified vulnerability in Sun Java Web Console 3.0.2, 3.0.3, and 3. ...) NOT-FOR-US: Sun Javav Web Console CVE-2008-1285 (Cross-site scripting (XSS) vulnerability in Sun Java Server Faces (JSF ...) NOT-FOR-US: Sun Java Server Faces CVE-2008-1284 (Directory traversal vulnerability in Horde 3.1.6, Groupware before 1.0 ...) {DSA-1519-1} - horde3 3.1.7-1 (medium; bug #470640) CVE-2008-1283 (Cross-site scripting (XSS) vulnerability in Neptune Web Server 3.0 all ...) NOT-FOR-US: Neptune Web Server CVE-2008-1282 (Buffer overflow in the BFup ActiveX control (BFup.dll) in B21Soft BFup ...) NOT-FOR-US: B21Soft BFup CVE-2008-1281 (Directory traversal vulnerability in TFTPsrvs.exe 2.5.3.1 and earlier, ...) NOT-FOR-US: Argon Technology Client Management Services CVE-2008-1280 (Acronis True Image Windows Agent 1.0.0.54 and earlier, included in Acr ...) NOT-FOR-US: Acronis True Image CVE-2008-1279 (Acronis True Image Group Server 1.5.19.191 and earlier, included in Ac ...) NOT-FOR-US: Acronis True Image CVE-2008-1278 (The RemotelyAnywhere.exe service in the Remotely Anywhere Server and W ...) NOT-FOR-US: Remotely Anywhere CVE-2008-1277 (The IMAP service (MEIMAPS.exe) in MailEnable Professional Edition and ...) NOT-FOR-US: MailEnable CVE-2008-1276 (Multiple buffer overflows in the IMAP service (MEIMAPS.EXE) in MailEna ...) NOT-FOR-US: MailEnable CVE-2008-1275 (Multiple unspecified vulnerabilities in the SMTP service in MailEnable ...) NOT-FOR-US: MailEnable CVE-2008-1274 (Untrusted search path vulnerability in man in IBM AIX 6.1.0 allows loc ...) NOT-FOR-US: IBM AIX CVE-2008-1273 (Multiple cross-site scripting (XSS) vulnerabilities in imageVue 1.7 al ...) NOT-FOR-US: imageVue CVE-2008-1272 (Multiple SQL injection vulnerabilities in BM Classifieds 20080309 and ...) NOT-FOR-US: BM Classifieds CVE-2008-1271 REJECTED CVE-2004-2759 (Shared Sun StorEdge QFS and SAM-QFS file systems, as used in Utilizati ...) NOT-FOR-US: Shared Sun StorEdge QFS and SAM-QFS CVE-2008-1270 (mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not s ...) {DSA-1521-1} - lighttpd 1.4.19-1 NOTE: user configuration error, default documented in moduserdir documentation CVE-2008-1269 (cp06_wifi_m_nocifr.cgi in the admin panel on the Alice Gate 2 Plus Wi- ...) NOT-FOR-US: Alice Gate 2 Plus router firmware CVE-2008-1268 (The FTP server on the Linksys WRT54G 7 router with 7.00.1 firmware doe ...) NOT-FOR-US: Linksys WRT54G CVE-2008-1267 (The Siemens SpeedStream 6520 router allows remote attackers to cause a ...) NOT-FOR-US: Siemens SpeedStream CVE-2008-1266 (Multiple buffer overflows in the web interface on the D-Link DI-524 ro ...) NOT-FOR-US: D-Link router CVE-2008-1265 (The Linksys WRT54G router allows remote attackers to cause a denial of ...) NOT-FOR-US: Linksys WRT54G CVE-2008-1264 (The Linksys WRT54G router has "admin" as its default FTP password, whi ...) NOT-FOR-US: Linksys WRT54G CVE-2008-1263 (The Linksys WRT54G router stores passwords and keys in cleartext in th ...) NOT-FOR-US: Linksys WRT54G CVE-2008-1262 (The administration panel on the Airspan WiMax ProST 4.1 antenna with 6 ...) NOT-FOR-US: Airspan WiMax ProST antenna CVE-2008-1261 (The Zyxel P-2602HW-D1A router with 3.40(AJZ.1) firmware provides diffe ...) NOT-FOR-US: Zyxel router CVE-2008-1260 (Multiple cross-site request forgery (CSRF) vulnerabilities on the Zyxe ...) NOT-FOR-US: Zyxel router CVE-2008-1259 (The Zyxel P-2602HW-D1A router with 3.40(AJZ.1) firmware maintains auth ...) NOT-FOR-US: Zyxel router CVE-2008-1258 (Cross-site scripting (XSS) vulnerability in prim.htm on the D-Link DI- ...) NOT-FOR-US: D-Link router CVE-2008-1257 (Cross-site scripting (XSS) vulnerability in Forms/DiagGeneral_2 on the ...) NOT-FOR-US: Zyxel router CVE-2008-1256 (The ZyXEL P-660HW series router has "admin" as its default password, w ...) NOT-FOR-US: Zyxel router CVE-2008-1255 (The ZyXEL P-660HW series router maintains authentication state by IP a ...) NOT-FOR-US: Zyxel router CVE-2008-1254 (Multiple cross-site request forgery (CSRF) vulnerabilities on the ZyXE ...) NOT-FOR-US: Zyxel router CVE-2008-1253 (Cross-site scripting (XSS) vulnerability in cgi-bin/webcm on the D-Lin ...) NOT-FOR-US: D-Link router CVE-2008-1252 (b_banner.stm (aka the login page) on the Deutsche Telekom Speedport W5 ...) NOT-FOR-US: Telekom Speedport W500 DSL router CVE-2008-1251 (Cross-site scripting (XSS) vulnerability in the web interface on the c ...) NOT-FOR-US: Snom 320 SIP Phone CVE-2008-1250 (Multiple cross-site request forgery (CSRF) vulnerabilities in the web ...) NOT-FOR-US: Snom 320 SIP Phone CVE-2008-1249 (snomControl.swf in the central phone server for the Snom 320 SIP Phone ...) NOT-FOR-US: Snom 320 SIP Phone CVE-2008-1248 (The web interface on the central phone server for the Snom 320 SIP Pho ...) NOT-FOR-US: Snom 320 SIP Phone CVE-2008-1247 (The web interface on the Linksys WRT54g router with firmware 1.00.9 do ...) NOT-FOR-US: Linksys WRT54g router CVE-2008-1246 NOT-FOR-US: Cisco PIX/ASA Finesse Operation System CVE-2008-1245 (cgi-bin/setup_virtualserver.exe on the Belkin F5D7230-4 router with fi ...) NOT-FOR-US: Belkin router CVE-2008-1244 (cgi-bin/setup_dns.exe on the Belkin F5D7230-4 router with firmware 9.0 ...) NOT-FOR-US: Belkin router CVE-2008-1243 (Cross-site scripting (XSS) vulnerability on the Linksys WRT300N router ...) NOT-FOR-US: Linksys WRT300N router CVE-2008-1242 (The control panel on the Belkin F5D7230-4 router with firmware 9.01.10 ...) NOT-FOR-US: Belkin router CVE-2008-1241 (GUI overlay vulnerability in Mozilla Firefox before 2.0.0.13 and SeaMo ...) {DSA-1534-2 DSA-1535-1 DSA-1534-1 DSA-1532-1} - iceweasel 2.0.0.13-1 - xulrunner 1.8.1.13-1 - iceape 1.1.9-1 CVE-2008-1240 (LiveConnect in Mozilla Firefox before 2.0.0.13 and SeaMonkey before 1. ...) {DSA-1534-2 DSA-1535-1 DSA-1534-1 DSA-1532-1} - iceweasel 2.0.0.13-1 - xulrunner 1.8.1.13-1 - iceape 1.1.9-1 CVE-2008-1239 RESERVED CVE-2008-1238 (Mozilla Firefox before 2.0.0.13 and SeaMonkey before 1.1.9, when gener ...) {DSA-1534-2 DSA-1535-1 DSA-1534-1 DSA-1532-1} - iceweasel 2.0.0.13-1 - xulrunner 1.8.1.13-1 - iceape 1.1.9-1 CVE-2008-1237 (Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.1 ...) {DSA-1574-1 DSA-1534-2 DSA-1535-1 DSA-1534-1 DSA-1532-1} - iceweasel 2.0.0.13-1 - xulrunner 1.8.1.13-1 - iceape 1.1.9-1 - icedove 2.0.0.14-1 CVE-2008-1236 (Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.1 ...) {DSA-1574-1 DSA-1534-2 DSA-1535-1 DSA-1534-1 DSA-1532-1} - iceweasel 2.0.0.13-1 - xulrunner 1.8.1.13-1 - iceape 1.1.9-1 - icedove 2.0.0.14-1 CVE-2008-1235 (Unspecified vulnerability in Mozilla Firefox before 2.0.0.13, Thunderb ...) {DSA-1574-1 DSA-1534-2 DSA-1535-1 DSA-1534-1 DSA-1532-1} - iceweasel 2.0.0.13-1 - xulrunner 1.8.1.13-1 - iceape 1.1.9-1 - icedove 2.0.0.14-1 CVE-2008-1234 (Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 2.0 ...) {DSA-1574-1 DSA-1534-2 DSA-1535-1 DSA-1534-1 DSA-1532-1} - iceweasel 2.0.0.13-1 - xulrunner 1.8.1.13-1 - iceape 1.1.9-1 - icedove 2.0.0.14-1 CVE-2008-1233 (Unspecified vulnerability in Mozilla Firefox before 2.0.0.13, Thunderb ...) {DSA-1574-1 DSA-1534-2 DSA-1535-1 DSA-1534-1 DSA-1532-1} - iceweasel 2.0.0.13-1 - xulrunner 1.8.1.13-1 - iceape 1.1.9-1 - icedove 2.0.0.14-1 CVE-2008-1232 (Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1.0 throug ...) - tomcat5.5 5.5.26-4 (low; bug #494504) CVE-2008-1231 (Directory traversal vulnerability in Edit.jsp in JSPWiki 2.4.104 and 2 ...) - jspwiki 2.8.0-1 (bug #470477) CVE-2008-1230 (Unrestricted file upload vulnerability in JSPWiki 2.4.104 and 2.5.139 ...) - jspwiki 2.8.0-1 (bug #470477) CVE-2008-1229 (Cross-site scripting (XSS) vulnerability in Edit.jsp in JSPWiki 2.4.10 ...) - jspwiki 2.8.0-1 (bug #470477) CVE-2008-1228 (Cross-site scripting (XSS) vulnerability in admin.php in MG2 (formerly ...) NOT-FOR-US: MG2 CVE-2008-1227 (Stack-based buffer overflow in the silc_fingerprint function in lib/si ...) - silc-toolkit 1.1.6-1 CVE-2008-1226 (Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collabor ...) NOT-FOR-US: Zimbra Collaboration Suite CVE-2008-1225 (Multiple cross-site scripting (XSS) vulnerabilities in WebCT Campus Ed ...) NOT-FOR-US: WebCT Campus Edition CVE-2008-1224 (Cross-site scripting (XSS) vulnerability in account.php in BosClassifi ...) NOT-FOR-US: BosClassifieds Classified Ads System CVE-2008-1223 (Unspecified vulnerability in Dokeos 1.8.4 before SP3 allows attackers ...) NOT-FOR-US: Dokeos CVE-2008-1222 (Cross-site scripting (XSS) vulnerability in Dokeos 1.8.4 before SP3 al ...) NOT-FOR-US: Dokeos CVE-2008-1221 (Absolute path traversal vulnerability in the FTP server in MicroWorld ...) NOT-FOR-US: MicroWorld eScan CVE-2008-1220 (SQL injection vulnerability in the 4nChat 0.91 module for PHP-Nuke all ...) NOT-FOR-US: 4nChat for PHP-Nuke CVE-2008-1219 (SQL injection vulnerability in the Kutub-i Sitte (KutubiSitte) 1.1 mod ...) NOT-FOR-US: Kutub-i Sitte for PHP-Nuke CVE-2008-1217 (Unspecified vulnerability in nlnotes.dll in the client in IBM Lotus No ...) NOT-FOR-US: IBM Lotus Notes CVE-2008-1216 (IBM Lotus Quickr 8.0 server, and possibly QuickPlace 7.x, does not pro ...) NOT-FOR-US: IBM Lotus Notes CVE-2008-1215 (Stack-based buffer overflow in the command_Expand_Interpret function i ...) NOT-FOR-US: BSD net/userppp CVE-2008-1214 (MRcgi/MRProcessIncomingForms.pl in Numara FootPrints 8.1 on Linux allo ...) NOT-FOR-US: Numara FootPrints CVE-2008-1213 (Cross-site scripting (XSS) vulnerability in Numara FootPrints for Linu ...) NOT-FOR-US: Numara FootPrints CVE-2008-1212 (Cross-site scripting (XSS) vulnerability in set_permissions.php in Pod ...) NOT-FOR-US: Podcast Generator CVE-2008-1211 (Cross-site scripting (XSS) vulnerability in BosDates 3.x and 4.x allow ...) NOT-FOR-US: BosDates CVE-2008-1210 (Stack-based buffer overflow in the ctags parsing code in Programmer's ...) NOT-FOR-US: Programmer's Notepad CVE-2008-1209 (Cross-site scripting (XSS) vulnerability in redirect.do in Xitex WebCo ...) NOT-FOR-US: Xitex WebContent M1 CVE-2008-1208 (Cross-site scripting (XSS) vulnerability in the login page in Check Po ...) NOT-FOR-US: CheckPoint VPN-1 CVE-2008-1207 (Multiple unspecified vulnerabilities in Fujitsu Interstage Smart Repos ...) NOT-FOR-US: Fujitsu Interstage CVE-2008-1206 (Format string vulnerability in the log_message function in lks.c in Li ...) NOT-FOR-US: Linux Kiss Server CVE-2008-1205 (Unspecified vulnerability in the ipsecah kernel module in Sun Solaris ...) NOT-FOR-US: Sun Solaris CVE-2008-1204 (Multiple cross-site scripting (XSS) vulnerabilities in the Administrat ...) NOT-FOR-US: Sun Java System CVE-2008-1203 (The administrator interface for Adobe ColdFusion 8 and ColdFusion MX7 ...) NOT-FOR-US: Adobe ColdFusion CVE-2008-1202 (Cross-site scripting (XSS) vulnerability in the web management interfa ...) NOT-FOR-US: Adobe LiveCycle Workflow CVE-2008-1201 (Multiple unspecified vulnerabilities in FLA file parsing in Adobe Flas ...) NOT-FOR-US: Adobe Flash CS3 Professional CVE-2008-1200 (Unspecified vulnerability in Microsoft Access allows remote user-assis ...) NOT-FOR-US: Microsoft Access CVE-2008-1198 (The default IPSec ifup script in Red Hat Enterprise Linux 3 through 5 ...) NOT-FOR-US: Red Hat specific CVE-2008-1197 (The Marvell driver for the Netgear WN802T Wi-Fi access point with firm ...) NOT-FOR-US: Marvell driver for the Netgear WN802T Wi-Fi access point CVE-2008-1196 (Stack-based buffer overflow in Java Web Start (javaws.exe) in Sun JDK ...) - sun-java6 6-05-1 (medium) - sun-java5 1.5.0-15-1 (medium) [etch] - sun-java5 (Non-free not supported) CVE-2008-1195 (Unspecified vulnerability in Sun JDK and Java Runtime Environment (JRE ...) - sun-java6 6-05-1 (low) - sun-java5 1.5.0-15-1 (low) [etch] - sun-java5 (Non-free not supported) CVE-2008-1194 (Multiple unspecified vulnerabilities in the color management library i ...) - sun-java6 6-05-1 (unimportant) - sun-java5 1.5.0-15-1 (unimportant) [etch] - sun-java5 (Non-free not supported) CVE-2008-1193 (Unspecified vulnerability in Java Runtime Environment Image Parsing Li ...) - sun-java6 6-05-1 (low) - sun-java5 1.5.0-15-1 (low) [etch] - sun-java5 (Non-free not supported) CVE-2008-1192 (Unspecified vulnerability in the Java Plug-in for Sun JDK and JRE 6 Up ...) - sun-java6 6-05-1 (medium) - sun-java5 1.5.0-15-1 (medium) [etch] - sun-java5 (Non-free not supported) CVE-2008-1191 (Unspecified vulnerability in Java Web Start in Sun JDK and JRE 6 Updat ...) - sun-java6 6-05-1 (medium) - sun-java5 1.5.0-15-1 (medium) [etch] - sun-java5 (Non-free not supported) CVE-2008-1190 (Unspecified vulnerability in Java Web Start in Sun JDK and JRE 6 Updat ...) - sun-java6 6-05-1 (medium) - sun-java5 (No more information by sun) CVE-2008-1189 (Buffer overflow in Java Web Start in Sun JDK and JRE 6 Update 4 and ea ...) - sun-java6 6-05-1 (medium) - sun-java5 1.5.0-15-1 (medium) [etch] - sun-java5 (Non-free not supported) CVE-2008-1188 (Multiple buffer overflows in the useEncodingDecl function in Java Web ...) - sun-java6 6-05-1 (medium) - sun-java5 1.5.0-15-1 (medium) [etch] - sun-java5 (Non-free not supported) CVE-2008-1187 (Unspecified vulnerability in Sun Java Runtime Environment (JRE) and JD ...) - sun-java6 6-05-1 (low) - sun-java5 1.5.0-15-1 (low) [etch] - sun-java5 (Non-free not supported) CVE-2008-1186 (Unspecified vulnerability in the Virtual Machine for Sun Java Runtime ...) - sun-java6 6-05-1 - sun-java5 1.5.0-15-1 [etch] - sun-java5 (Non-free not supported) CVE-2008-1185 (Unspecified vulnerability in the Virtual Machine for Sun Java Runtime ...) - sun-java6 6-05-1 - sun-java5 1.5.0-15-1 [etch] - sun-java5 (Non-free not supported) CVE-2008-1184 (The DNSSEC validation library (libval) library in dnssec-tools before ...) - dnssec-tools (first version in Debian was 1.4.1) CVE-2008-1183 (Multiple cross-site scripting (XSS) vulnerabilities in Crafty Syntax L ...) NOT-FOR-US: Crafty Syntax Live Help CVE-2008-1182 (Cross-site scripting (XSS) vulnerability in BSD Perimeter pfSense befo ...) NOT-FOR-US: BSD Perimeter pfSense CVE-2008-1181 (Juniper Networks Secure Access 2000 5.5 R1 (build 11711) allows remote ...) NOT-FOR-US: Juniper CVE-2008-1180 (Cross-site scripting (XSS) vulnerability in dana-na/auth/rdremediate.c ...) NOT-FOR-US: Juniper CVE-2008-1179 (Multiple cross-site scripting (XSS) vulnerabilities in include/common/ ...) - centreon-web (bug #913903) CVE-2008-1178 (Directory traversal vulnerability in include/doc/index.php in Centreon ...) - centreon-web (bug #913903) CVE-2008-1177 (SQL injection vulnerability in shop/detail.php in Affiliate Market (af ...) NOT-FOR-US: Affiliate Market CVE-2008-1176 (Cross-site scripting (XSS) vulnerability in function/sideblock.php in ...) NOT-FOR-US: Affiliate Market CVE-2008-1175 (Cross-site scripting (XSS) vulnerability in AuthentiX 6.3b1 Trial allo ...) NOT-FOR-US: AuthentiX CVE-2008-1174 (Cross-site scripting (XSS) vulnerability in editUser.asp in AuthentiX ...) NOT-FOR-US: AuthentiX CVE-2008-1173 (Cross-site scripting (XSS) vulnerability in account-inbox.php in Torre ...) NOT-FOR-US: TorrentTrader CVE-2008-1172 (Cross-site request forgery (CSRF) vulnerabilities in account-inbox.php ...) NOT-FOR-US: TorrentTrader CVE-2008-1171 NOT-FOR-US: 123 Flash Chat Module for phpBB CVE-2008-1170 (Multiple PHP remote file inclusion vulnerabilities in KCWiki 1.0 allow ...) NOT-FOR-US: KCWiki CVE-2008-1169 (Directory traversal vulnerability in the embedded HTTP server in SCI P ...) NOT-FOR-US: SCI Photo Chat Server CVE-2008-1168 (Cross-site scripting (XSS) vulnerability in Squid Analysis Report Gene ...) - sarg 2.2.5-1 CVE-2008-1167 (Stack-based buffer overflow in the useragent function in useragent.c i ...) - sarg 2.2.4-1 CVE-2008-1166 (Flyspray 0.9.9.4 generates different error messages depending on wheth ...) - flyspray CVE-2008-1165 (Multiple cross-site scripting (XSS) vulnerabilities in Flyspray 0.9.9 ...) - flyspray CVE-2008-1164 (SQL injection vulnerability in index.php in phpComasy 0.8 allows remot ...) NOT-FOR-US: phpComasy CMS CVE-2008-1163 (SQL injection vulnerability in index.php in phpArcadeScript 1.0 throug ...) NOT-FOR-US: phpArcadeScript CVE-2008-1162 (SQL injection vulnerability in album.php in PHP WEB SCRIPT Dynamic Pho ...) NOT-FOR-US: phpwebscript CVE-2008-1161 (Buffer overflow in the Matroska demuxer (demuxers/demux_matroska.c) in ...) {DSA-1536-1} - xine-lib 1.1.10.1-1 (medium) CVE-2008-1160 (ZyXEL ZyWALL 1050 has a hard-coded password for the Quagga and Zebra p ...) NOT-FOR-US: ZyXEL ZyWALL 1050 CVE-2008-1159 (Multiple unspecified vulnerabilities in the SSH server in Cisco IOS 12 ...) NOT-FOR-US: Cisco ssh server CVE-2008-1158 (The Presence Engine (PE) service in Cisco Unified Presence before 6.0( ...) NOT-FOR-US: Presence Engine (PE) Cisco Unified Presence CVE-2008-1157 (Cisco CiscoWorks Internetwork Performance Monitor (IPM) 2.6 creates a ...) NOT-FOR-US: Cisco IPM CVE-2008-1156 (Unspecified vulnerability in the Multicast Virtual Private Network (MV ...) NOT-FOR-US: Cisco IOS CVE-2008-1155 (Cisco Network Admission Control (NAC) Appliance 3.5.x, 3.6.x before 3. ...) NOT-FOR-US: Cisco CVE-2008-1154 (The Disaster Recovery Framework (DRF) master server in Cisco Unified C ...) NOT-FOR-US: Cisco IOS CVE-2008-1153 (Cisco IOS 12.1, 12.2, 12.3, and 12.4, with IPv4 UDP services and the I ...) NOT-FOR-US: Cisco IOS CVE-2008-1152 (The data-link switching (DLSw) component in Cisco IOS 12.0 through 12. ...) NOT-FOR-US: Cisco IOS CVE-2008-1151 (Memory leak in the virtual private dial-up network (VPDN) component in ...) NOT-FOR-US: Cisco IOS CVE-2008-1150 (The virtual private dial-up network (VPDN) component in Cisco IOS befo ...) NOT-FOR-US: Cisco IOS CVE-2008-1149 (phpMyAdmin before 2.11.5 accesses $_REQUEST to obtain some parameters ...) {DSA-1557-1} - phpmyadmin 4:2.11.5-1 (low) [etch] - phpmyadmin (Minor issue) [sarge] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2008-1/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/c57b39bed91f06d574a95d8a5a091e5e59492d69 NOTE: SQL injection if you can set local cookies, which means NOTE: you must be able to create pages in the same cookie domain, which seems NOTE: rare and unwise. low priority. CVE-2008-1148 (A certain pseudo-random number generator (PRNG) algorithm that uses AD ...) NOT-FOR-US: OpenBSD / NetBSD CVE-2008-1147 (A certain pseudo-random number generator (PRNG) algorithm that uses XO ...) - kfreebsd-5 [etch] - kfreebsd-5 (KFreebsd not supported) - kfreebsd-6 [lenny] - kfreebsd-6 (KFreebsd not supported) - kfreebsd-7 (bug #559107) [lenny] - kfreebsd-7 (KFreebsd not supported) CVE-2008-1146 (A certain pseudo-random number generator (PRNG) algorithm that uses XO ...) NOT-FOR-US: OpenBSD CVE-2008-1144 (The Marvell driver for the Netgear WN802T Wi-Fi access point with firm ...) NOT-FOR-US: Marvell driver for the Netgear WN802T Wi-Fi access point CVE-2008-1143 RESERVED CVE-2008-1141 (Memory leak in DLMFENC.sys 1.0.0.26 in DESlock+ 3.2.6 and earlier allo ...) NOT-FOR-US: DESlock+ CVE-2008-1140 (DLMFDISK.sys 1.2.0.27 in DESlock+ 3.2.6 and earlier allows local users ...) NOT-FOR-US: DESlock+ CVE-2008-1139 (DESlock+ 3.2.6 and earlier, when DLMFENC.sys 1.0.0.26 and DLMFDISK.sys ...) NOT-FOR-US: DESlock+ CVE-2008-1138 (DLMFENC.sys 1.0.0.26 in DESlock+ 3.2.6 and earlier allows local users ...) NOT-FOR-US: DESlock+ CVE-2008-1137 (SQL injection vulnerability in the Garys Cookbook (com_garyscookbook) ...) NOT-FOR-US: com_garyscookbook component for Mambo and Joomla! CVE-2008-1136 (The Utils::runScripts function in src/utils.cpp in vdccm 0.92 through ...) - vdccm CVE-2008-1135 (OMEGA (aka Omegasoft) INterneSErvicesLosungen (INSEL) 7 generates diff ...) NOT-FOR-US: OMEGA CVE-2008-1134 (OMEGA (aka Omegasoft) INterneSErvicesLosungen (INSEL) 7 supports authe ...) NOT-FOR-US: OMEGA CVE-2008-1133 (The Drupal.checkPlain function in Drupal 6.0 only escapes the first in ...) - drupal5 (Vulnerable code introduced in 6.x) CVE-2007-6706 (Unspecified vulnerability in nlnotes.dll in the client in IBM Lotus No ...) NOT-FOR-US: IBM Lotus Notes CVE-2007-6705 (The WebSphere MQ XA 5.3 before FP13 and 6.0.x before 6.0.2.1 client fo ...) NOT-FOR-US: WebSphere CVE-2007-6704 (Multiple cross-site scripting (XSS) vulnerabilities in F5 FirePass 410 ...) NOT-FOR-US: F5 FirePass CVE-2007-6703 (Unspecified vulnerability in vdccm before 0.10.1 in SynCE (SynCE-dccm) ...) - vdccm CVE-2007-6702 (goform/QuickStart_c0 on the GoAhead Web Server on the FS4104-AW (aka r ...) NOT-FOR-US: FS4104-AW firmware CVE-2003-1552 (Unrestricted file upload vulnerability in uploader.php in Uploader 1.1 ...) NOT-FOR-US: Uploader CVE-2003-1551 (Unspecified vulnerability in Novell GroupWise 6 SP3 WebAccess before R ...) NOT-FOR-US: Novell GroupWise CVE-2003-1550 (XOOPS 2.0, and possibly earlier versions, allows remote attackers to o ...) NOT-FOR-US: XOOPS CVE-2003-1549 (Cross-site scripting (XSS) vulnerability in header.php in MyABraCaDaWe ...) NOT-FOR-US: MyABraCaDaWeb CVE-2003-1548 (MyABraCaDaWeb 1.0.2 and earlier allows remote attackers to obtain sens ...) NOT-FOR-US: MyABraCaDaWeb CVE-2003-1547 (Cross-site scripting (XSS) vulnerability in block-Forums.php in the Sp ...) NOT-FOR-US: Splatt Forum module for PHP-Nuke CVE-2003-1546 (Cross-site scripting (XSS) vulnerability in gbook.php in Filebased gue ...) NOT-FOR-US: Filebased guestbook CVE-2008-1218 (Argument injection vulnerability in Dovecot 1.0.x before 1.0.13, and 1 ...) {DSA-1516-1} - dovecot 1:1.0.13-1 [etch] - dovecot (Vulnerable code not present) [sarge] - dovecot (Vulnerable code not present) NOTE: exploitable through code introduced in 1.0.11 NOTE: http://www.dovecot.org/list/dovecot-news/2008-March/000064.html CVE-2008-1293 (ldm in Linux Terminal Server Project (LTSP) 0.99 and 2 passes the -ac ...) {DSA-1561-1 DTSA-118-1} - ldm 2:0.1~bzr20080308-1 (bug #469462) - ltsp 5.0.40~bzr20071229-1 NOTE: In revision 5.0.40~bzr20071229-1 ldm has been split into a separate source package CVE-2008-1145 (Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5- ...) - ruby1.8 1.8.6.114-1 (unimportant; bug #469475) - ruby1.9 1.9.0.1-1 (unimportant; bug #469482) [sarge] - ruby1.8 (case insensitive FS, corner case) [etch] - ruby1.8 (case insensitive FS, corner case) [etch] - ruby1.9 (case insensitive FS, corner case) NOTE: http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/ CVE-2008-1199 (Dovecot before 1.0.11, when configured to use mail_extra_groups to all ...) {DSA-1516-1} - dovecot 1:1.0.12-1 (medium; bug #469457) CVE-2008-1132 (Untrusted search path vulnerability in src/mainwindow.c in Net Activit ...) NOT-FOR-US: Net Activity Viewer CVE-2008-1131 (Cross-site scripting (XSS) vulnerability in Drupal 6.0 allows remote a ...) - drupal (Vulnerable code not present, affects only 6.x branch) - drupal5 (Vulnerable code not present, affects only 6.x branch) CVE-2008-1130 (Unspecified vulnerability in IBM WebSphere MQ 6.0.x before 6.0.2.2 and ...) NOT-FOR-US: WebSphere CVE-2008-1129 (Cross-site scripting (XSS) vulnerability in admin/users/self.php in XR ...) NOT-FOR-US: XRMS CVE-2008-1128 (PHP remote file inclusion vulnerability in tourney/index.php in phpMyT ...) NOT-FOR-US: phpMyTourney CVE-2008-1127 (Format string vulnerability in the cryactio function in Crysis 1.1.1.5 ...) NOT-FOR-US: Crysis CVE-2008-1126 (PHP remote file inclusion vulnerability in main.php in Barryvan Compo ...) NOT-FOR-US: Barryvan Compo Manager CVE-2008-1125 (Multiple directory traversal vulnerabilities in Podcast Generator 1.0 ...) NOT-FOR-US: Podcast Generator CVE-2008-1124 (Multiple PHP remote file inclusion vulnerabilities in Podcast Generato ...) NOT-FOR-US: Podcast Generator CVE-2008-1123 (Multiple PHP remote file inclusion vulnerabilities in SiteBuilder Elit ...) NOT-FOR-US: SiteBuilder CVE-2008-1122 (SQL injection vulnerability in the downloads module in Koobi Pro 5.7 a ...) NOT-FOR-US: Koobi CVE-2008-1121 (SQL injection vulnerability in index.php in eazyPortal 1.0 and earlier ...) NOT-FOR-US: eazyPortal CVE-2008-1120 (Format string vulnerability in the embedded Internet Explorer componen ...) NOT-FOR-US: ICQ CVE-2008-1119 (Directory traversal vulnerability in include/doc/get_image.php in Cent ...) - centreon-web (bug #913903) CVE-2008-1118 (Timbuktu Pro 8.6.5 for Windows, and possibly 8.7 for Mac OS X, does no ...) NOT-FOR-US: Timbuktu Pro CVE-2008-1117 (Directory traversal vulnerability in the Notes (aka Flash Notes or ins ...) NOT-FOR-US: Timbuktu Pro CVE-2008-1116 (Insecure method vulnerability in the Web Scan Object ActiveX control ( ...) NOT-FOR-US: Rising Antivirus CVE-2008-1115 (Unspecified vulnerability in Sun Solaris 8 directory functions allows ...) NOT-FOR-US: Sun Solaris CVE-2008-1114 (Vocera Communications wireless handsets, when using Protected Extensib ...) NOT-FOR-US: Vocera CVE-2008-1113 (Cisco Unified Wireless IP Phone 7921, when using Protected Extensible ...) NOT-FOR-US: Cisco CVE-2008-1112 REJECTED CVE-2008-1110 (Buffer overflow in demuxers/demux_asf.c (aka the ASF demuxer) in the x ...) - xine-lib 1.1.10-1 [etch] - xine-lib (Not affected per assessment of maintainer) [sarge] - xine-lib (Not affected per assessment of maintainer) CVE-2008-1109 (Heap-based buffer overflow in Evolution 2.22.1 allows user-assisted re ...) - evolution 2.22.2-1.1 (low; bug #484639) [etch] - evolution (Minor issue) NOTE: Requires that the user accepts the iCalendar request and replies NOTE: to it from the "Calendars" window. CVE-2008-1108 (Buffer overflow in Evolution 2.22.1, when the ITip Formatter plugin is ...) - evolution 2.22.2-1.1 (low; bug #484639) [etch] - evolution (Minor issue) NOTE: Requires that the ITip Formatter plugin is disabled, which is enabled by default. CVE-2008-1107 (Multiple stack-based buffer overflows in the Danske Bank e-Sec Control ...) NOT-FOR-US: Danske Bank e-Sec Control Module CVE-2008-1106 (The management interface in Akamai Client (formerly Red Swoosh) 3322 a ...) NOT-FOR-US: Akamai Client CVE-2008-1105 (Heap-based buffer overflow in the receive_smb_raw function in util/soc ...) {DSA-1590-1} - samba 1:3.0.30-1 (medium; bug #483410) CVE-2008-1104 (Stack-based buffer overflow in Foxit Reader before 2.3 build 2912 allo ...) NOT-FOR-US: Foxit Reader CVE-2008-1103 (Multiple unspecified vulnerabilities in Blender have unknown impact an ...) - blender 2.40-1 (low) CVE-2008-1102 (Stack-based buffer overflow in the imb_loadhdr function in Blender 2.4 ...) {DSA-1567-1} - blender 2.45-5 (medium; bug #477808) CVE-2008-1101 (Buffer overflow in kvdocve.dll in the KeyView document viewing engine ...) NOT-FOR-US: KeyView CVE-2008-1100 (Buffer overflow in the cli_scanpe function in libclamav (libclamav/pe. ...) {DSA-1549-1} - clamav 0.92.1~dfsg2-1 CVE-2008-1099 (_macro_Getval in wikimacro.py in MoinMoin 1.5.8 and earlier does not p ...) {DSA-1514-1} - moin 1.5.8-5.1 CVE-2008-1098 (Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.5.8 ...) {DSA-1514-1} - moin 1.5.8-5.1 CVE-2008-1097 (Heap-based buffer overflow in the ReadPCXImage function in the PCX cod ...) {DSA-1858-1} - graphicsmagick 1.1.7-13 - imagemagick 7:6.2.4.5.dfsg1-1 CVE-2008-1096 (The load_tile function in the XCF coder in coders/xcf.c in (1) ImageMa ...) {DSA-1903-1 DSA-1858-1} - imagemagick 7:6.3.7.9.dfsg1-2.1 (medium; bug #414370) [lenny] - imagemagick 7:6.3.7.9.dfsg1-2.1+lenny1 - graphicsmagick 1.1.11-3.2 (medium; bug #414370) CVE-2008-1095 (Unspecified vulnerability in the Internet Protocol (IP) implementation ...) NOT-FOR-US: Sun Solaris CVE-2008-1094 (SQL injection vulnerability in index.cgi in the Account View page in B ...) NOT-FOR-US: Barracuda Spam Firewall CVE-2008-1093 (Acresso InstallShield Update Agent does not properly verify the authen ...) NOT-FOR-US: FLEXnet Connect CVE-2008-1092 (Buffer overflow in msjet40.dll before 4.0.9505.0 in Microsoft Jet Data ...) NOT-FOR-US: Microsoft Jet Database Engine CVE-2008-1091 (Unspecified vulnerability in Microsoft Word in Office 2000 and XP SP3, ...) NOT-FOR-US: Microsoft Word CVE-2008-1090 (Unspecified vulnerability in Microsoft Visio 2002 SP2, 2003 SP2 and SP ...) NOT-FOR-US: Microsoft CVE-2008-1089 (Unspecified vulnerability in Microsoft Visio 2002 SP2, 2003 SP2 and SP ...) NOT-FOR-US: Microsoft CVE-2008-1088 (Microsoft Project 2000 Service Release 1, 2002 SP1, and 2003 SP2 allow ...) NOT-FOR-US: Microsoft CVE-2008-1087 (Stack-based buffer overflow in GDI in Microsoft Windows 2000 SP4, XP S ...) NOT-FOR-US: Microsoft CVE-2008-1086 (The HxTocCtrl ActiveX control (hxvz.dll), as used in Microsoft Interne ...) NOT-FOR-US: Microsoft CVE-2008-1085 (Use-after-free vulnerability in Microsoft Internet Explorer 5.01 SP4, ...) NOT-FOR-US: Microsoft CVE-2008-1084 (Unspecified vulnerability in the kernel in Microsoft Windows 2000 SP4, ...) NOT-FOR-US: Microsoft CVE-2008-1083 (Heap-based buffer overflow in the CreateDIBPatternBrushPt function in ...) NOT-FOR-US: Microsoft CVE-2008-1082 (Opera before 9.26 allows remote attackers to "bypass sanitization filt ...) NOT-FOR-US: Opera CVE-2008-1081 (Opera before 9.26 allows user-assisted remote attackers to execute arb ...) NOT-FOR-US: Opera CVE-2008-1080 (Opera before 9.26 allows user-assisted remote attackers to read arbitr ...) NOT-FOR-US: Opera CVE-2008-1079 (The outboxWriteUnsent function in FTPThread.class in SendFile.jar for ...) NOT-FOR-US: Beehive Software SendFile.NET CVE-2008-1078 (expn in the am-utils and net-fs packages for Gentoo, rPath Linux, and ...) - am-utils (Affected code not present in the binary package) NOTE: sendmail includes a copy of the script, which has been fixed since NOTE: several years CVE-2008-1077 (SQL injection vulnerability in index.php in the Simpleboard (com_simpl ...) NOT-FOR-US: com_simpleboard component for Mambo and Joomla! CVE-2008-1076 (Cross-site scripting (XSS) vulnerability in search.php in Interspire S ...) NOT-FOR-US: Interspire Shopping Cart CVE-2008-1075 (Cross-site scripting (XSS) vulnerability in index.php in Maian Cart 1. ...) NOT-FOR-US: Maian Cart CVE-2008-1074 (PHP remote file inclusion vulnerability in lib/head_auth.php in GROUP- ...) NOT-FOR-US: GROUP-E CVE-2008-1073 (Cross-site scripting (XSS) vulnerability in the report interface in In ...) NOT-FOR-US: Internet Security Systems CVE-2008-1072 (The TFTP dissector in Wireshark (formerly Ethereal) 0.6.0 through 0.99 ...) - wireshark 0.99.8-1 (low; bug #469488) [etch] - wireshark (Only affected in conjunction with later libcairo) [sarge] - ethereal (Only affected in conjunction with later libcairo) CVE-2008-1071 (The SNMP dissector in Wireshark (formerly Ethereal) 0.99.6 through 0.9 ...) - wireshark 0.99.8-1 (low; bug #469488) [etch] - wireshark (Only affects 0.99.6 onwards) [sarge] - ethereal (Only affects 0.99.6 onwards) CVE-2008-1070 (The SCTP dissector in Wireshark (formerly Ethereal) 0.99.5 through 0.9 ...) - wireshark 0.99.8-1 (low; bug #469488) [etch] - wireshark (Only affects 0.99.5 onwards) [sarge] - ethereal (Only affects 0.99.5 onwards) CVE-2008-1069 (Multiple PHP remote file inclusion vulnerabilities in Quantum Game Lib ...) NOT-FOR-US: Quantum Game Library CVE-2008-1068 (Multiple PHP remote file inclusion vulnerabilities in Portail Web Php ...) NOT-FOR-US: Portail Web Php CVE-2008-1067 (Multiple PHP remote file inclusion vulnerabilities in phpQLAdmin 2.2.7 ...) - phpqladmin CVE-2008-1066 (The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used ...) {DSA-1520-1} - smarty 2.6.18-1.1 (low; bug #469492) - moodle (low; bug #471158) - gallery2 2.2.5-2 (low; bug #471160) - mahara 0.9.2-2 (low; bug #471201) NOTE: Moodle ships Smarty but uses it in only one file, which doesn't use regex_replace CVE-2008-1065 (Multiple SQL injection vulnerabilities in index.php in the XM-Memberst ...) NOT-FOR-US: xmmemberstats module for XOOPS CVE-2008-1064 (Cross-site scripting (XSS) vulnerability in images.php in the Red Mexi ...) NOT-FOR-US: rmgs module for XOOPs CVE-2008-1063 (Cross-site scripting (XSS) vulnerability index.php in the XM-Membersta ...) NOT-FOR-US: xmmemberstats module for XOOPS CVE-2008-1062 (InterVideo IMC Server (aka IMCSvr.exe) and InterVideo Home Theater (ak ...) NOT-FOR-US: InterVideo IMC Server/InterVideo Home Theater CVE-2008-1061 (Multiple cross-site scripting (XSS) vulnerabilities in the Sniplets 1. ...) NOT-FOR-US: Sniplets plugin for WordPress CVE-2008-1060 (Eval injection vulnerability in modules/execute.php in the Sniplets 1. ...) NOT-FOR-US: Sniplets plugin for WordPress CVE-2008-1059 (PHP remote file inclusion vulnerability in modules/syntax_highlight.ph ...) NOT-FOR-US: Sniplets plugin for WordPress CVE-2008-1058 (The tcp_respond function in netinet/tcp_subr.c in OpenBSD 4.1 and 4.2 ...) NOT-FOR-US: OpenBSD CVE-2008-1057 (The ip6_check_rh0hdr function in netinet6/ip6_input.c in OpenBSD 4.2 a ...) NOT-FOR-US: OpenBSD CVE-2008-1056 (Multiple stack-based buffer overflows in Symark PowerBroker 2.8 throug ...) NOT-FOR-US: Symark PowerBroker CVE-2003-1545 (Absolute path traversal vulnerability in nukestyles.com viewpage.php a ...) NOT-FOR-US: nukestyles.com addon for PHP-Nuke CVE-2008-1111 (mod_cgi in lighttpd 1.4.18 sends the source code of CGI scripts instea ...) {DSA-1513-1} - lighttpd 1.4.18-4 (low; bug #469307) CVE-2008-1142 (rxvt 2.6.4 opens a terminal window on :0 if the DISPLAY environment va ...) - rxvt 1:2.6.4-13 (unimportant; bug #469296) CVE-2008-1055 (Format string vulnerability in webmail.exe in NetWin SurgeMail 38k4 an ...) NOT-FOR-US: SurgeMail CVE-2008-1054 (Stack-based buffer overflow in the _lib_spawn_user_getpid function in ...) NOT-FOR-US: SurgeMail CVE-2008-1053 (Multiple SQL injection vulnerabilities in the Kose_Yazilari module for ...) NOT-FOR-US: Kose_Yazilari module for PHP-Nuke CVE-2008-1052 (The administration web interface in NetWin SurgeFTP 2.3a2 and earlier ...) NOT-FOR-US: SurgeFTP CVE-2008-1051 (PHP remote file inclusion vulnerability in include/body_comm.inc.php i ...) NOT-FOR-US: phpProfiles CVE-2008-1050 (SQL injection vulnerability in index.php in Softbiz Jokes & Funny ...) NOT-FOR-US: Softbiz Jokes & Funny Pics Script CVE-2008-1049 (Unspecified vulnerability in Parallels SiteStudio before 1.7.2, and 1. ...) NOT-FOR-US: Parallels SiteStudio CVE-2008-1048 (Cross-site scripting (XSS) vulnerability in manager/xmedia.php in Plum ...) NOT-FOR-US: Plume CMS CVE-2008-1047 (Cross-site scripting (XSS) vulnerability in tiki-edit_article.php in T ...) - tikiwiki CVE-2008-1046 (PHP remote file inclusion vulnerability in footer.php in Quinsonnas Ma ...) NOT-FOR-US: Quinsonnas Mail Checker CVE-2008-1045 (Cross-site scripting (XSS) vulnerability in the file tree navigation f ...) NOT-FOR-US: OpenCMS CVE-2008-1044 (Stack-based buffer overflow in the Quantum Streaming Player (Quantum S ...) NOT-FOR-US: Quantum Streaming Player CVE-2008-1043 (PHP remote file inclusion vulnerability in templates/default/header.in ...) NOT-FOR-US: Linux Web Shop CVE-2008-1042 (Directory traversal vulnerability in include/body.inc.php in Linux Web ...) NOT-FOR-US: Linux Web Shop CVE-2008-1041 (Cross-site scripting (XSS) vulnerability in mwhois.php in Matt Wilson ...) NOT-FOR-US: MWhois CVE-2008-1040 (Buffer overflow in the Single Sign-On function in Fujitsu Interstage A ...) NOT-FOR-US: Fujitsu Interstage Application Server CVE-2008-1039 (SQL injection vulnerability in question.asp in PORAR WEBBOARD allows r ...) NOT-FOR-US: PORAR WEBBOARD CVE-2008-1038 (PHP remote file inclusion vulnerability in mod/mod.extmanager.php in D ...) NOT-FOR-US: DBHcms CVE-2008-1037 (Cross-site scripting (XSS) vulnerability in the file listing function ...) NOT-FOR-US: Packeteer PacketShaper CVE-2008-1036 (The International Components for Unicode (ICU) library in Apple Mac OS ...) {DSA-1762-1} - icu 4.0.1-1 CVE-2008-1035 (Use-after-free vulnerability in Apple iCal 3.0.1 on Mac OS X allows re ...) NOT-FOR-US: Apple iCal CVE-2008-1034 (Integer underflow in Help Viewer in Apple Mac OS X before 10.5 allows ...) NOT-FOR-US: Apple Mac OS CVE-2008-1033 (The scheduler in CUPS in Apple Mac OS X 10.5 before 10.5.3, when debug ...) - cups 1.3.7-1 CVE-2008-1032 (Incomplete blacklist vulnerability in CoreTypes in Apple Mac OS X befo ...) NOT-FOR-US: Apple Mac OS CVE-2008-1031 (CoreGraphics in Apple Mac OS X before 10.5.3 allows remote attackers t ...) NOT-FOR-US: Apple Mac OS CVE-2008-1030 (Integer overflow in the CFDataReplaceBytes function in the CFData API ...) NOT-FOR-US: Apple Mac OS CVE-2008-1029 RESERVED CVE-2008-1028 (Unspecified vulnerability in AppKit in Apple Mac OS X before 10.5 allo ...) NOT-FOR-US: Apple Mac OS CVE-2008-1027 (Apple Filing Protocol (AFP) Server in Apple Mac OS X before 10.5.3 doe ...) NOT-FOR-US: Apple Mac OS CVE-2008-1026 (Integer overflow in the PCRE regular expression compiler (JavaScriptCo ...) - webkit 0~svn31841-1 - qt4-x11 (vulnerable code not present referring to upstream) NOTE: for qt, referring to upstream this only applies to optimized code in safari 3.1 NOTE: branch and qt 4.4 is based on safari 3.0 CVE-2008-1025 (Cross-site scripting (XSS) vulnerability in Apple WebKit, as used in S ...) - qt4-x11 (QUrl handles URLs and is not vulnerable to this CVE, see bug #479644) - webkit 0~svn31841-1 (medium) CVE-2008-1024 (Apple Safari before 3.1.1, when running on Windows XP or Vista, allows ...) NOT-FOR-US: Apple Safari CVE-2008-1023 (Heap-based buffer overflow in Clip opcode parsing in Apple QuickTime b ...) NOT-FOR-US: Apple QuickTime CVE-2008-1022 (Stack-based buffer overflow in Apple QuickTime before 7.4.5 allows rem ...) NOT-FOR-US: Apple QuickTime CVE-2008-1021 (Heap-based buffer overflow in Animation codec content handling in Appl ...) NOT-FOR-US: Apple QuickTime CVE-2008-1020 (Heap-based buffer overflow in quickTime.qts in Apple QuickTime before ...) NOT-FOR-US: Apple QuickTime CVE-2008-1019 (Heap-based buffer overflow in quickTime.qts in Apple QuickTime before ...) NOT-FOR-US: Apple QuickTime CVE-2008-1018 (Heap-based buffer overflow in Apple QuickTime before 7.4.5 allows remo ...) NOT-FOR-US: Apple QuickTime CVE-2008-1017 (Heap-based buffer overflow in clipping region (aka crgn) atom handling ...) NOT-FOR-US: Apple QuickTime CVE-2008-1016 (Apple QuickTime before 7.4.5 does not properly handle movie media trac ...) NOT-FOR-US: Apple QuickTime CVE-2008-1015 (Buffer overflow in the data reference atom handling in Apple QuickTime ...) NOT-FOR-US: Apple QuickTime CVE-2008-1014 (Apple QuickTime before 7.4.5 does not properly handle external URLs in ...) NOT-FOR-US: Apple QuickTime CVE-2008-1013 (Apple QuickTime before 7.4.5 enables deserialization of QTJava objects ...) NOT-FOR-US: Apple QuickTime CVE-2008-1012 (Unspecified vulnerability in Apple AirPort Extreme Base Station Firmwa ...) NOT-FOR-US: Apple AirPort CVE-2008-1011 (Cross-site scripting (XSS) vulnerability in WebKit, as used in Apple S ...) NOTE: As far as I can see this has been addressed in revision 30871. NOTE: Please doublecheck. CVE-2008-1010 (Buffer overflow in WebKit, as used in Apple Safari before 3.1, allows ...) NOTE: As far as I can see this has been addressed in revision 31388. NOTE: Please doublecheck. CVE-2008-1009 (Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple ...) NOT-FOR-US: WebCore (Apple Safari) CVE-2008-1008 (Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple ...) NOT-FOR-US: WebCore (Apple Safari) CVE-2008-1007 (WebCore, as used in Apple Safari before 3.1, does not enforce the fram ...) NOT-FOR-US: WebCore (Apple Safari) CVE-2008-1006 (Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple ...) NOT-FOR-US: WebCore (Apple Safari) CVE-2008-1005 (WebCore, as used in Apple Safari before 3.1, does not properly mask th ...) NOT-FOR-US: WebCore (Apple Safari) CVE-2008-1004 (Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple ...) NOT-FOR-US: WebCore (Apple Safari) CVE-2008-1003 (Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple ...) NOT-FOR-US: WebCore (Apple Safari) CVE-2008-1002 (Cross-site scripting (XSS) vulnerability in Apple Safari before 3.1 al ...) NOT-FOR-US: Apple Safari CVE-2008-1001 (Cross-site scripting (XSS) vulnerability in Apple Safari before 3.1, w ...) NOT-FOR-US: Apple Safari CVE-2008-1000 (Directory traversal vulnerability in ContentServer.py in the Wiki Serv ...) NOT-FOR-US: Apple Mac OS X CVE-2008-0999 (Apple Mac OS X 10.5.2 allows user-assisted attackers to cause a denial ...) NOT-FOR-US: Apple Mac OS X CVE-2008-0998 (Unspecified vulnerability in NetCfgTool in the System Configuration co ...) NOT-FOR-US: Apple Mac OS X CVE-2008-0997 (Stack-based buffer overflow in AppKit in Apple Mac OS X 10.4.11 allows ...) NOT-FOR-US: Apple Mac OS X CVE-2008-0996 (The Printing component in Apple Mac OS X 10.5.2 might save authenticat ...) NOT-FOR-US: Apple Mac OS X CVE-2008-0995 (The Printing component in Apple Mac OS X 10.5.2 uses 40-bit RC4 when p ...) NOT-FOR-US: Apple Mac OS X CVE-2008-0994 (Preview in Apple Mac OS X 10.5.2 uses 40-bit RC4 when saving a PDF fil ...) NOT-FOR-US: Apple Mac OS X CVE-2008-0993 (Podcast Capture in Podcast Producer for Apple Mac OS X 10.5.2 invokes ...) NOT-FOR-US: Apple Mac OS X CVE-2008-0992 (Array index error in pax in Apple Mac OS X 10.5.2 allows context-depen ...) - pax (issue specific to Apple's version of pax) CVE-2008-0991 RESERVED CVE-2008-0990 (notifyd in Apple Mac OS X 10.4.11 does not verify that Mach port death ...) NOT-FOR-US: Apple Mac OS X CVE-2008-0989 (Format string vulnerability in mDNSResponderHelper in Apple Mac OS X 1 ...) NOT-FOR-US: Apple Mac OS X CVE-2008-0988 (Off-by-one error in the Libsystem strnstr API in libc on Apple Mac OS ...) NOT-FOR-US: Apple Mac OS X CVE-2008-0987 (Stack-based buffer overflow in Image Raw in Apple Mac OS X 10.5.2, and ...) NOT-FOR-US: Apple Mac OS X CVE-2008-0986 (Integer overflow in the BMP::readFromStream method in the libsgl.so li ...) NOT-FOR-US: Google Android CVE-2008-0985 (Heap-based buffer overflow in the GIF library in the WebKit framework ...) NOT-FOR-US: Google Android CVE-2006-7232 (sql_select.cc in MySQL 5.0.x before 5.0.32 and 5.1.x before 5.1.14 all ...) - mysql-dfsg-4.1 - mysql-dfsg-5.0 5.0.32-1 CVE-2008-0984 (The MP4 demuxer (mp4.c) for VLC media player 0.8.6d and earlier, as us ...) {DSA-1543-1 DTSA-116-1} - vlc 0.8.6.e-1 (medium; bug #467652) CVE-2008-6426 REJECTED CVE-2008-0982 (Spyce - Python Server Pages (PSP) 2.1.3 allows remote attackers to obt ...) NOT-FOR-US: Spyce CVE-2008-0981 (Open redirect vulnerability in spyce/examples/redirect.spy in Spyce - ...) NOT-FOR-US: Spyce CVE-2008-0980 (Multiple cross-site scripting (XSS) vulnerabilities in Spyce - Python ...) NOT-FOR-US: Spyce CVE-2008-0979 (Stack consumption vulnerability in Double-Take 5.0.0.2865 and earlier, ...) NOT-FOR-US: Double-Take CVE-2008-0978 (Double-Take 5.0.0.2865 and earlier, distributed under the HP StorageWo ...) NOT-FOR-US: Double-Take CVE-2008-0977 (Double-Take 5.0.0.2865 and earlier, distributed under the HP StorageWo ...) NOT-FOR-US: Double-Take CVE-2008-0976 (Double-Take 5.0.0.2865 and earlier, distributed under the HP StorageWo ...) NOT-FOR-US: Double-Take CVE-2008-0975 (Double-Take 5.0.0.2865 and earlier, distributed under the HP StorageWo ...) NOT-FOR-US: Double-Take CVE-2008-0974 (Double-Take 5.0.0.2865 and earlier, distributed under the HP StorageWo ...) NOT-FOR-US: Double-Take CVE-2008-0973 (Buffer overflow in Double-Take (aka HP StorageWorks Storage Mirroring) ...) NOT-FOR-US: Double-Take CVE-2008-0972 RESERVED CVE-2008-0971 (Multiple cross-site scripting (XSS) vulnerabilities in index.cgi in Ba ...) NOT-FOR-US: Barracuda Networks products CVE-2008-0970 RESERVED CVE-2008-0969 RESERVED CVE-2008-0968 RESERVED CVE-2008-0967 (Untrusted search path vulnerability in vmware-authd in VMware Workstat ...) - vmware-package (low; bug #486110) [etch] - vmware-package (Contrib not supported) NOTE: vmware-package just builds vmware from downloaded tarballs, the package itself NOTE: does not download them, however it needs to update its hashes for upstream tarballs CVE-2008-0966 RESERVED CVE-2008-0965 (Multiple format string vulnerabilities in snoop on Sun Solaris 8 throu ...) NOT-FOR-US: Sun Solaris and OpenSolaris CVE-2008-0964 (Multiple stack-based buffer overflows in snoop on Sun Solaris 8 throug ...) NOT-FOR-US: Sun Solaris and OpenSolaris CVE-2008-0963 (Format string vulnerability in EMC DiskXtender MediaStor 6.20.060 allo ...) NOT-FOR-US: EMC DiskXtender CVE-2008-0962 (Stack-based buffer overflow in the File System Manager for EMC DiskXte ...) NOT-FOR-US: EMC DiskXtender CVE-2008-0961 (EMV DiskXtender 6.20.060 has a hard-coded login and password, which al ...) NOT-FOR-US: EMC DiskXtender CVE-2008-0960 (SNMPv3 HMAC verification in (1) Net-SNMP 5.2.x before 5.2.4.1, 5.3.x b ...) {DSA-1663-1 DTSA-137-1} - net-snmp 5.4.1~dfsg-8.1 (medium; bug #485945) CVE-2008-0959 (Multiple stack-based buffer overflows in the Online Media Technologies ...) NOT-FOR-US: Online Media Technologies NCTSoft NCTAudioInformation2 CVE-2008-0958 (Multiple stack-based buffer overflows in the Online Media Technologies ...) NOT-FOR-US: Online Media Technologies NCTSoft NCTAudioInformation2 CVE-2008-0957 (Multiple stack-based buffer overflows in the PhotoStockPlus Uploader T ...) NOT-FOR-US: PhotoStockPlus Uploader Tool ActiveX control CVE-2008-0956 (Multiple stack-based buffer overflows in the BackWeb Lite Install Runn ...) NOT-FOR-US: BackWeb Lite Install CVE-2008-0955 (Stack-based buffer overflow in the Creative Software AutoUpdate Engine ...) NOT-FOR-US: CTSUEng.ocx CVE-2008-0954 RESERVED CVE-2008-0953 (The StartApp function in the HPISDataManagerLib.Datamgr ActiveX contro ...) NOT-FOR-US: ActiveX control CVE-2008-0952 (The AppendStringToFile function in the HPISDataManagerLib.Datamgr Acti ...) NOT-FOR-US: ActiveX control CVE-2008-0951 (Microsoft Windows Vista does not properly enforce the NoDriveTypeAutoR ...) NOT-FOR-US: Windows Vista CVE-2008-0950 RESERVED CVE-2008-0949 (Unspecified vulnerability in IBM Informix Dynamic Server (IDS) 7.x thr ...) NOT-FOR-US: IBM Informix Dynamic Server CVE-2008-0948 (Buffer overflow in the RPC library (lib/rpc/rpc_dtablesize.c) used by ...) - krb5 1.3-1 (unimportant) NOTE: glibc properly defines FD_SETSIZE CVE-2008-0947 (Buffer overflow in the RPC library used by libgssrpc and kadmind in MI ...) {DSA-1524-1} - krb5 1.6.dfsg.3~beta1-4 (medium) CVE-2008-0946 (Directory traversal vulnerability in the IM Server (aka IMserve or IMs ...) NOT-FOR-US: Ipswitch Instant Messaging CVE-2008-0945 (Format string vulnerability in the logging function in the IM Server ( ...) NOT-FOR-US: Ipswitch Instant Messaging CVE-2008-0944 (Ipswitch Instant Messaging (IM) 2.0.8.1 and earlier allows remote atta ...) NOT-FOR-US: Ipswitch Instant Messaging CVE-2008-0943 (Multiple SQL injection vulnerabilities in Eagle Software Aeries Browse ...) NOT-FOR-US: Eagle Software Aeries CVE-2008-0942 (SQL injection vulnerability in GradebookStuScores.asp in Eagle Softwar ...) NOT-FOR-US: Eagle Software Aeries Browser Interface CVE-2008-0941 (Cross-site scripting (XSS) vulnerability in Eagle Software Aeries Brow ...) NOT-FOR-US: Eagle Software Aeries Browser Interface CVE-2008-0940 (Cross-site scripting (XSS) vulnerability in Plain Black WebGUI before ...) NOT-FOR-US: Plain Black WebGUI CVE-2008-0939 (Multiple SQL injection vulnerabilities in wppa.php in the WP Photo Alb ...) NOT-FOR-US: WP Photo Album plugin for WordPress CVE-2008-0938 (Unspecified vulnerability in the dynamic tracing framework (DTrace) in ...) NOT-FOR-US: Sun Solaris CVE-2008-0937 (SQL injection vulnerability in index.php in the Tiny Event (tinyevent) ...) NOT-FOR-US: XOOPS module CVE-2008-0936 (SQL injection vulnerability in index.php in the Prayer List (prayerlis ...) NOT-FOR-US: XOOPS module CVE-2008-0935 (Stack-based buffer overflow in the Novell iPrint Control ActiveX contr ...) NOT-FOR-US: Novell iPrint Client CVE-2008-0934 (SQL injection vulnerability in modules.php in the NukeC 2.1 module for ...) NOT-FOR-US: NukeC phpnuke module CVE-2008-0933 (Multiple race conditions in the CPU Performance Counters (cpc) subsyst ...) NOT-FOR-US: Sun Solaris CVE-2008-0931 (w_export.c in XWine 1.0.1 on Debian GNU/Linux sets insecure permission ...) {DSA-1526-1} - xwine (low; bug #468050) CVE-2008-0930 (w_editeur.c in XWine 1.0.1 for Debian GNU/Linux allows local users to ...) {DSA-1526-1} - xwine (low; bug #468050) CVE-2008-0929 REJECTED CVE-2008-0928 (Qemu 0.9.1 and earlier does not perform range checks for block device ...) {DSA-1799-1 DTSA-133-1} - qemu 0.9.1+svn20081207-1 (low; bug #469649) - xen-unstable 3.2.0-4 (bug #469654) - xen-3 3.2.0-4 (bug #469662) - xen-3.0 - kvm 63+dfsg-1 (bug #469666) CVE-2008-0927 (dhost.exe in Novell eDirectory 8.7.3 before sp10 and 8.8.2 allows remo ...) NOT-FOR-US: Novell eDirectory CVE-2008-0926 (The SOAP interface to the eMBox module in Novell eDirectory 8.7.3.9 an ...) NOT-FOR-US: Novell eDirectory CVE-2008-0925 (Cross-site scripting (XSS) vulnerability in the iMonitor interface in ...) NOT-FOR-US: Novell eDirectory CVE-2008-0924 (Stack-based buffer overflow in the DoLBURPRequest function in libnldap ...) NOT-FOR-US: Novell eDirectory CVE-2008-0923 (Directory traversal vulnerability in the Shared Folders feature for VM ...) - vmware-package (Only vulnerable on windows hosted systems) CVE-2008-0922 (SQL injection vulnerability in the Manuales 0.1 module for PHP-Nuke al ...) NOT-FOR-US: Manuales module for PHP-Nuke CVE-2008-0921 (SQL injection vulnerability in news.php in beContent 0.3.1 allows remo ...) NOT-FOR-US: beContent CVE-2008-0920 (SQL injection vulnerability in port/modifyportform.php in Open Source ...) NOT-FOR-US: OSSIM CVE-2008-0919 (Cross-site scripting (XSS) vulnerability in session/login.php in Open ...) NOT-FOR-US: OSSIM CVE-2008-0918 (SQL injection vulnerability in includes/count_dl_or_link.inc.php in th ...) NOT-FOR-US: astatsPRO component for Joomla! CVE-2008-0917 (Cross-site scripting (XSS) vulnerability in Tor World Tor Search 1.1 a ...) NOT-FOR-US: TorWorld software CVE-2008-0916 (SQL injection vulnerability in the Highwood Design hwdVideoShare (com_ ...) NOT-FOR-US: com_hwdvideoshare component for Joomla! CVE-2008-0915 (The Mediation server in IPdiva SSL VPN Server 2.2 before 2.2.8.84 and ...) NOT-FOR-US: IPdiva SSL VPN Server CVE-2008-0914 (Multiple cross-site scripting (XSS) vulnerabilities in the Mediation s ...) NOT-FOR-US: IPdiva SSL VPN Server CVE-2008-0913 (Cross-site scripting (XSS) vulnerability in Invision Power Board (IPB ...) NOT-FOR-US: Invision Power Board CVE-2008-0912 (Multiple heap-based buffer overflows in mlsrv10.exe in Sybase MobiLink ...) NOT-FOR-US: Sybase MobiLink CVE-2008-0911 (SQL injection vulnerability in productdetails.php in iScripts MultiCar ...) NOT-FOR-US: iScripts MultiCart CVE-2008-0910 (Multiple F-Secure anti-virus products, including Internet Security 200 ...) NOT-FOR-US: Internet Security, Anti-Virus, F-Secure Protection Service CVE-2008-0909 (Cross-site scripting (XSS) vulnerability in browse.asp in Schoolwires ...) NOT-FOR-US: Schoolwires Academic Portal CVE-2008-0908 (SQL injection vulnerability in browse.asp in Schoolwires Academic Port ...) NOT-FOR-US: Schoolwires Academic Portal CVE-2008-0907 (SQL injection vulnerability in the Inhalt module for PHP-Nuke allows r ...) NOT-FOR-US: Inhalt module for PHP-Nuke CVE-2008-0906 (SQL injection vulnerability in the Docum module in PHP-Nuke allows rem ...) NOT-FOR-US: Docum module for PHP-Nuke CVE-2008-0905 (Directory traversal vulnerability in globsy_edit.php in Globsy 1.0 all ...) NOT-FOR-US: Globsy CVE-2008-0904 (Unspecified vulnerability in the download servlet in BEA Plumtree Coll ...) NOT-FOR-US: BEA Plumtree Collaboration and AquaLogic Interaction CVE-2008-0903 (Unspecified vulnerability in the BEA WebLogic Server and Express proxy ...) NOT-FOR-US: BEA WebLogic Server and Express proxy plugin CVE-2008-0902 (Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic Se ...) NOT-FOR-US: BEA WebLogic Server and Express CVE-2008-0901 (BEA WebLogic Server and Express 7.0 through 10.0 allows remote attacke ...) NOT-FOR-US: BEA WebLogic Server and Express CVE-2008-0900 (Session fixation vulnerability in BEA WebLogic Server and Express 8.1 ...) NOT-FOR-US: BEA WebLogic Server and Express CVE-2008-0899 (Cross-site scripting (XSS) vulnerability in the Administration Console ...) NOT-FOR-US: BEA WebLogic Server and Express CVE-2008-0898 (The distributed queue feature in JMS in BEA WebLogic Server 9.0 throug ...) NOT-FOR-US: BEA WebLogic Server CVE-2008-0897 (Unspecified vulnerability in BEA WebLogic Server 9.0 through 10.0 allo ...) NOT-FOR-US: BEA WebLogic Server CVE-2008-0896 (BEA WebLogic Portal 10.0 and 9.2 through MP1, when an administrator de ...) NOT-FOR-US: BEA WebLogic Portal CVE-2008-0895 (BEA WebLogic Server and WebLogic Express 6.1 through 10.0 allows remot ...) NOT-FOR-US: BEA WebLogic Server and Express CVE-2008-0894 (Apple Safari might allow remote attackers to obtain potentially sensit ...) NOT-FOR-US: Apple Safari CVE-2008-0893 (Red Hat Administration Server, as used by Red Hat Directory Server 8.0 ...) NOT-FOR-US: Red Hat Administration Server CVE-2008-0892 (The replication monitor CGI script (repl-monitor-cgi.pl) in Red Hat Ad ...) NOT-FOR-US: Red Hat Administration Server CVE-2008-0891 (Double free vulnerability in OpenSSL 0.9.8f and 0.9.8g, when the TLS s ...) {DTSA-136-1} - openssl 0.9.8g-10.1 (bug #483379) [etch] - openssl (Vulnerable code (TLS extensions) not present) CVE-2008-0890 (Red Hat Directory Server 7.1 before SP4 uses insecure permissions for ...) NOT-FOR-US: Red Hat Directory Server CVE-2008-0889 (Red Hat Directory Server 8.0, when running on Red Hat Enterprise Linux ...) NOT-FOR-US: Red Hat Directory Server CVE-2008-0888 (The NEEDBITS macro in the inflate_dynamic function in inflate.c for un ...) {DSA-1522-1} - unzip 5.52-11 CVE-2008-0887 (gnome-screensaver before 2.22.1, when a remote authentication server i ...) - gnome-screensaver 2.22.2-1 (low; bug #475154) [etch] - gnome-screensaver (Minor issue, requires attacker with high level of control, see #433964) CVE-2008-0886 REJECTED CVE-2008-0885 RESERVED CVE-2008-0884 (The Replace function in the capp-lspp-config script in the (1) lspp-ea ...) NOT-FOR-US: Red Hat Enterprise Linux NOTE: Seems Redhat specific CVE-2008-0882 (Double free vulnerability in the process_browse_data function in CUPS ...) {DSA-1530-1 DTSA-117-1} - cupsys 1.3.6-1 (medium; bug #467653) - cups 1.3.6-1 (medium; bug #467653) [sarge] - cupsys (Remote DoS is minor issue) CVE-2008-0881 (SQL injection vulnerability in modules.php in the Okul 1.0 module for ...) NOT-FOR-US: Okul module for PHP-Nuke CVE-2008-0880 (SQL injection vulnerability in modules.php in the EasyContent module f ...) NOT-FOR-US: EasyContent module for PHP-Nuke CVE-2008-0879 (SQL injection vulnerability in modules.php in the Web_Links module for ...) NOT-FOR-US: Web_Links module for PHP-Nuke CVE-2008-0878 (SQL injection vulnerability in index.php in the MyAnnonces 1.7 and ear ...) NOT-FOR-US: MyAnnonces module for RunCMS CVE-2008-0877 (Multiple cross-site scripting (XSS) vulnerabilities in Jinzora Media J ...) NOT-FOR-US: Jinzora Media Jukebox CVE-2008-0876 (Unspecified vulnerability in the SEWB3 messaging service in Hitachi SE ...) NOT-FOR-US: Hitachi SEWB3 CVE-2008-0875 (Unspecified vulnerability in Hitachi EUR Print Manager, and related Cl ...) NOT-FOR-US: Hitachi EUR Print Manager CVE-2008-0874 (SQL injection vulnerability in index.php in the eEmpregos module for X ...) NOT-FOR-US: eEmpregos module for XOOPS CVE-2008-0873 (SQL injection vulnerability in index.php in the jlmZone Classifieds mo ...) NOT-FOR-US: jlmZone Classifieds module for XOOPS CVE-2008-0872 (Cross-site scripting (XSS) vulnerability in SmarterTools SmarterMail E ...) NOT-FOR-US: SmarterTools SmarterMail Enterprise CVE-2008-0871 (Multiple stack-based buffer overflows in Now SMS/MMS Gateway 2007.06.2 ...) NOT-FOR-US: Now SMS/MMS Gateway CVE-2008-0870 (BEA WebLogic Portal 10.0 and 9.2 through Maintenance Pack 2, under cer ...) NOT-FOR-US: BEA WebLogic CVE-2008-0869 (Cross-site scripting (XSS) vulnerability in BEA WebLogic Workshop 8.1 ...) NOT-FOR-US: BEA WebLogic CVE-2008-0868 (Cross-site scripting (XSS) vulnerability in Groupspace in BEA WebLogic ...) NOT-FOR-US: BEA WebLogic CVE-2008-0867 (Cross-site scripting (XSS) vulnerability in portal/server.pt in BEA Aq ...) NOT-FOR-US: BEA WebLogic CVE-2008-0866 (Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic Wo ...) NOT-FOR-US: BEA WebLogic CVE-2008-0865 (Unspecified vulnerability in BEA WebLogic Portal 8.1 through SP6 allow ...) NOT-FOR-US: BEA WebLogic CVE-2008-0864 (Admin Tools in BEA WebLogic Portal 8.1 SP3 through SP6 can inadvertent ...) NOT-FOR-US: BEA WebLogic CVE-2008-0863 (BEA WebLogic Server and WebLogic Express 9.0 and 9.1 exposes the web s ...) NOT-FOR-US: BEA WebLogic CVE-2008-0862 (IBM Lotus Notes 6.0, 6.5, 7.0, and 8.0 signs an unsigned applet when a ...) NOT-FOR-US: IBM Lotus Notes CVE-2008-0861 (Cross-site scripting (XSS) vulnerability in leg/Main.nsf in IBM Lotus ...) NOT-FOR-US: IBM Lotus Quickplace CVE-2008-0860 (Unspecified vulnerability in the AVG plugin in Kerio MailServer before ...) NOT-FOR-US: Kerio MailServer CVE-2008-0859 (Unspecified vulnerability in Kerio MailServer before 6.5.0 allows remo ...) NOT-FOR-US: Kerio MailServer CVE-2008-0858 (Buffer overflow in the Visnetic anti-virus plugin in Kerio MailServer ...) NOT-FOR-US: Kerio MailServer CVE-2008-0857 (SQL injection vulnerability in index.php in WoltLab Burning Board 3.0. ...) NOT-FOR-US: WoltLab Burning Board CVE-2008-0856 (Multiple SQL injection vulnerabilities in e-Vision CMS 2.02 allow remo ...) NOT-FOR-US: e-Vision CMS CVE-2008-0855 (SQL injection vulnerability in the Facile Forms (com_facileforms) comp ...) NOT-FOR-US: com_facileforms component for Joomla! and Mambo CVE-2008-0854 (SQL injection vulnerability in the com_salesrep component for Joomla! ...) NOT-FOR-US: com_salesrep component for Joomla! and Mambo CVE-2008-0853 (SQL injection vulnerability in the com_detail component for Joomla! an ...) NOT-FOR-US: com_detail component for Joomla! and Mambo CVE-2008-0852 (freeSSHd 1.2 and earlier allows remote attackers to cause a denial of ...) NOT-FOR-US: freeSSHd CVE-2008-0851 (Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.4 al ...) - dokeos (bug #433352) CVE-2008-0850 (Multiple SQL injection vulnerabilities in Dokeos 1.8.4 allow remote at ...) - dokeos (bug #433352) CVE-2008-0849 (SQL injection vulnerability in index.php in the Downloads (com_downloa ...) NOT-FOR-US: com_downloads component for Mambo and Joomla! CVE-2008-0848 (Cross-site scripting (XSS) vulnerability in lostsheep.php in Crafty Sy ...) NOT-FOR-US: Crafty Syntax Live Help CVE-2008-0847 (SQL injection vulnerability in print.php in the myTopics module for XO ...) NOT-FOR-US: myTopics module for XOOPS CVE-2008-0846 (SQL injection vulnerability in index.php in the com_profile component ...) NOT-FOR-US: com_profile component for Mambo and Joomla! CVE-2008-0845 (SQL injection vulnerability in wp-people-popup.php in Dean Logan WP-Pe ...) NOT-FOR-US: WP-People plugin for WordPress CVE-2008-0844 (SQL injection vulnerability in index.php in the PccookBook (com_pccook ...) NOT-FOR-US: com_pccookbook component for Joomla! CVE-2008-0843 (StatCounteX 3.0 and 3.1 allows remote attackers to obtain sensitive in ...) NOT-FOR-US: StatCounteX CVE-2008-0842 (SQL injection vulnerability in index.php in the Classifier (com_clasif ...) NOT-FOR-US: com_clasifier component for Joomla! CVE-2008-0841 (SQL injection vulnerability in index.php in the Giorgio Nordo Ricette ...) NOT-FOR-US: com_ricette component for Joomla! CVE-2008-0840 (Directory traversal vulnerability in view_member.php in Public Warehou ...) NOT-FOR-US: LightBlog CVE-2008-0839 (SQL injection vulnerability in refer.php in the astatsPRO (com_astatsp ...) NOT-FOR-US: com_astatspro component for Joomla! CVE-2008-0838 (Multiple cross-site scripting (XSS) vulnerabilities in the web adminis ...) NOT-FOR-US: Sophos, Email Security Appliance CVE-2008-0837 (Cross-site scripting (XSS) vulnerability in the log feature in the Joh ...) NOT-FOR-US: John Godley Search Unleashed plugin for WordPress CVE-2008-0836 (Unspecified vulnerability in the vuidmice STREAMS modules in Sun Solar ...) NOT-FOR-US: Sun Solaris CVE-2008-0835 (SQL injection vulnerability in indexen.php in Simple CMS 1.0.3 and ear ...) NOT-FOR-US: Simple CMS CVE-2008-0834 (Cross-site scripting (XSS) vulnerability in Lotus Quickr for i5/OS bef ...) NOT-FOR-US: Lotus Quickr CVE-2008-0833 (SQL injection vulnerability in index.php in the com_galeria component ...) NOT-FOR-US: com_galeria component for Joomla! CVE-2008-0832 (SQL injection vulnerability in index.php in the Kemas Antonius com_qur ...) NOT-FOR-US: com_quran component for Mambo and Joomla! CVE-2008-0831 (Multiple SQL injection vulnerabilities in the Rapid Recipe (com_rapidr ...) NOT-FOR-US: com_rapidrecipe component for Joomla! CVE-2008-0830 (The Digital Photo Access Protocol (DPAP) server for iPhoto 4.0.3 allow ...) NOT-FOR-US: DPAP server for iPhoto CVE-2008-0829 (SQL injection vulnerability in jooget.php in the Joomlapixel Jooget! ( ...) NOT-FOR-US: com_jooget component for Joomla! and Mambo CVE-2008-0828 (Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.5.5 an ...) NOT-FOR-US: ATutor CVE-2008-0827 (SQL injection vulnerability in the Books module of PHP-Nuke allows rem ...) NOT-FOR-US: Books module of PHP-Nuke CVE-2008-0826 (Cross-site scripting (XSS) vulnerability in Claroline before 1.8.9 all ...) NOT-FOR-US: Claroline CVE-2008-0825 (SQL injection vulnerability in Claroline before 1.8.9 allows remote at ...) NOT-FOR-US: Claroline CVE-2008-0824 (Unspecified vulnerability in the php2phps function in Claroline before ...) NOT-FOR-US: Claroline CVE-2008-0823 (Unspecified vulnerability in the Header Image Module before 5.x-1.1 fo ...) NOT-FOR-US: Header Image Module for Drupal CVE-2008-0822 (Directory traversal vulnerability in index.php in Scribe 0.2 allows re ...) NOT-FOR-US: Scribe CVE-2008-0821 (SQL injection vulnerability in admin/traffic/knowledge_searchm.php in ...) NOT-FOR-US: PHP Live! CVE-2008-0820 NOT-FOR-US: Etomite CMS CVE-2008-0819 (Directory traversal vulnerability in index.php in PlutoStatus Locator ...) NOT-FOR-US: PlutoStatus Locator CVE-2008-0818 (Multiple directory traversal vulnerabilities in freePHPgallery 0.6 all ...) NOT-FOR-US: freePHPgallery CVE-2008-0817 (SQL injection vulnerability in the com_filebase component for Joomla! ...) NOT-FOR-US: com_filebase component for Joomla! and Mambo CVE-2008-0816 (SQL injection vulnerability in the com_sg component for Joomla! and Ma ...) NOT-FOR-US: com_sg component for Joomla! and Mambo CVE-2008-0815 (SQL injection vulnerability in the com_mezun component for Joomla! all ...) NOT-FOR-US: com_mezun component for Joomla! CVE-2008-0814 (Directory traversal vulnerability in download.php in Tracking Requirem ...) NOT-FOR-US: TRUC CVE-2008-0813 (Directory traversal vulnerability in Download.php in XPWeb 3.0.1, 3.3. ...) NOT-FOR-US: XPWeb CVE-2008-0812 (Directory traversal vulnerability in DMS/index.php in BanPro DMS 1.0 a ...) NOT-FOR-US: BanPro DMS CVE-2008-0811 (Multiple SQL injection vulnerabilities in AuraCMS 1.62 allow remote at ...) NOT-FOR-US: AuraCMS CVE-2008-0810 (SQL injection vulnerability in the com_scheduling module for Joomla! a ...) NOT-FOR-US: com_scheduling module for Joomla! and Mambo CVE-2008-0805 (Unrestricted file upload vulnerability in image.php in PHPizabi 0.848b ...) NOT-FOR-US: PHPizabi CVE-2008-0804 (PHP remote file inclusion vulnerability in usrgetform.html in Thecus N ...) NOT-FOR-US: Thecus N5200Pro NAS Server CVE-2008-0983 (lighttpd 1.4.18, and possibly other versions before 1.5.0, does not pr ...) {DSA-1609-1} - lighttpd 1.4.18-2 (medium; bug #466663) CVE-2008-0883 (acroread in Adobe Acrobat Reader 8.1.2 allows local users to overwrite ...) NOT-FOR-US: Adobe Acrobat Reader NOTE: http://www.openwall.com/lists/oss-security/2008/02/21/5 CVE-2008-0803 (Multiple PHP remote file inclusion vulnerabilities in LookStrike Lan M ...) NOT-FOR-US: LookStrike Lan Manager CVE-2008-0802 (SQL injection vulnerability in index.php in the MediaSlide (com_medias ...) NOT-FOR-US: Joomla component CVE-2008-0801 (SQL injection vulnerability in index.php in the PAXXGallery (com_paxxg ...) NOT-FOR-US: Joomla component CVE-2008-0800 (SQL injection vulnerability in index.php in the McQuiz (com_mcquiz) 0. ...) NOT-FOR-US: Joomla component CVE-2008-0799 (SQL injection vulnerability in index.php in the Quiz (com_quiz) 0.81 a ...) NOT-FOR-US: Joomla component CVE-2008-0798 (Multiple directory traversal vulnerabilities in artmedic webdesign web ...) NOT-FOR-US: artmedic webdesign CVE-2008-0797 (Directory traversal vulnerability in lib/download.php in iTheora 1.0 r ...) NOT-FOR-US: iTheora CVE-2008-0796 (SQL injection vulnerability in threads.php in Nuboard 0.5 allows remot ...) NOT-FOR-US: Nuboard CVE-2008-0795 (SQL injection vulnerability in index.php in the MGFi XfaQ (com_xfaq) 1 ...) NOT-FOR-US: Joomla component CVE-2008-0794 (Directory traversal vulnerability in user/header.php in Affiliate Mark ...) NOT-FOR-US: Affiliate Market CVE-2008-0793 (Multiple cross-site scripting (XSS) vulnerabilities in search.asp in T ...) NOT-FOR-US: Tendenci CMS CVE-2008-0792 (Multiple F-Secure anti-virus products, including Internet Security 200 ...) NOT-FOR-US: F-Secure CVE-2008-0791 (ipdsserver.exe in Intermate WinIPDS 3.3 G52-33-021 allows remote attac ...) NOT-FOR-US: Intermate WinIPDS CVE-2008-0790 (Directory traversal vulnerability in ipdsserver.exe in Intermate WinIP ...) NOT-FOR-US: Intermate WinIPDS CVE-2008-0789 (SQL injection vulnerability in countdown.php in LI-Scripts LI-Countdow ...) NOT-FOR-US: LI Countdown CVE-2008-0788 (Multiple cross-site request forgery (CSRF) vulnerabilities in MyBB 1.2 ...) NOT-FOR-US: MyBB CVE-2008-0787 (SQL injection vulnerability in inc/datahandlers/pm.php in MyBB before ...) NOT-FOR-US: MyBB CVE-2008-0786 (CRLF injection vulnerability in Cacti 0.8.7 before 0.8.7b and 0.8.6 be ...) - cacti 0.8.7b-1 [etch] - cacti (Not exploitable with Etch PHP version) NOTE: this is prevented by PHP since 4.4.2/5.1.2. CVE-2008-0785 (Multiple SQL injection vulnerabilities in Cacti 0.8.7 before 0.8.7b an ...) {DSA-1569-1} - cacti 0.8.7b-1 (low; bug #530919) CVE-2008-0784 (graph.php in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allows ...) - cacti 0.8.7b-1 (unimportant) NOTE: paths on Debian already known CVE-2008-0783 (Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7 bef ...) {DSA-1569-1} - cacti 0.8.7b-1 (low; bug #530919) [etch] - cacti 0.8.6i-3.3 CVE-2008-0782 (Directory traversal vulnerability in MoinMoin 1.5.8 and earlier allows ...) {DSA-1514-1} - moin 1.5.8-5.1 CVE-2008-0781 (Multiple cross-site scripting (XSS) vulnerabilities in action/AttachFi ...) {DSA-1514-1} - moin 1.5.8-5.1 CVE-2008-0780 (Cross-site scripting (XSS) vulnerability in MoinMoin 1.5.x through 1.5 ...) {DSA-1514-1} - moin 1.5.8-5.1 CVE-2008-0932 (diatheke.pl in The SWORD Project Diatheke 1.5.9 and earlier allows rem ...) {DSA-1508-1} - sword 1.5.9-8 (high; bug #466449) NOTE: source package named sword, binary package named diatheke CVE-2008-0806 (wyrd 1.4.3b allows local users to overwrite arbitrary files via a syml ...) - wyrd 1.4.3b-4 (low; bug #466382) [etch] - wyrd (Minor issue) CVE-2008-0807 (lib/Driver/sql.php in Turba 2 (turba2) Contact Manager H3 2.1.x before ...) {DSA-1507-1} - turba2 2.1.7-1 (bug #464058) CVE-2008-0779 (The fortimon.sys device driver in Fortinet FortiClient Host Security 3 ...) NOT-FOR-US: Fortinet FortiClient 3.0 CVE-2008-0778 (Multiple stack-based buffer overflows in an ActiveX control in QTPlugi ...) NOT-FOR-US: QuickTime CVE-2008-0777 (The sendfile system call in FreeBSD 5.5 through 7.0 does not check the ...) - kfreebsd-5 [etch] - kfreebsd-5 (FreeBSD not supported) - kfreebsd-6 6.3-3 (bug #483152) - kfreebsd-7 7.0-1 (bug #483152) CVE-2008-0776 (SQL injection vulnerability in detail.php in iTechBids Gold 6.0 allows ...) NOT-FOR-US: iTechBids CVE-2008-0775 (Cross-site scripting (XSS) vulnerability in sboxDB.php in Simple Machi ...) NOT-FOR-US: Simple Machines Forum CVE-2008-0774 (Cross-site scripting (XSS) vulnerability in search.cgi in Loris Hotel ...) NOT-FOR-US: Loris Hotel Reservations CVE-2008-0773 (SQL injection vulnerability in Phil Taylor Comments (com_comments, aka ...) NOT-FOR-US: Mambo plugin CVE-2008-0772 (SQL injection vulnerability in index.php in the com_doc component for ...) NOT-FOR-US: Mambo plugin CVE-2008-0771 (Multiple SQL injection vulnerabilities in default.asp in Site2Nite all ...) NOT-FOR-US: Site2Nite CVE-2008-0770 (SQL injection vulnerability in arcade.php in ibProArcade 3.3.0 and ear ...) NOT-FOR-US: ibProArcade CVE-2008-0769 (Cross-site scripting (XSS) vulnerability in Livelink ECM 9.0.0 through ...) NOT-FOR-US: Livelink CVE-2008-0768 (Multiple stack-based and heap-based buffer overflows in the Windows RP ...) NOT-FOR-US: IBM Informix CVE-2008-0767 (ExtremeZ-IP.exe in ExtremeZ-IP File and Print Server 5.1.2x15 and earl ...) NOT-FOR-US: ExtremeZ-IP CVE-2008-0766 (Stack-based buffer overflow in RpmSrvc.exe in Brooks Remote Print Mana ...) NOT-FOR-US: Brooks Remote Print Manager CVE-2008-0765 (Multiple cross-site scripting (XSS) vulnerabilities in artmedic webdes ...) NOT-FOR-US: artmedic CVE-2008-0764 (Format string vulnerability in the logging function in Larson Network ...) NOT-FOR-US: Larson Network Print Server CVE-2008-0763 (Stack-based buffer overflow in NPSpcSVR.exe in Larson Network Print Se ...) NOT-FOR-US: Larson Network Print Server CVE-2008-0762 (SQL injection vulnerability in index.php in the com_iomezun component ...) NOT-FOR-US: com_iomezun component for Joomla! CVE-2008-0761 (SQL injection vulnerability in index.php in the Prince Clan Chess Club ...) NOT-FOR-US: Prince Clan Chess Club component for Joomla! CVE-2008-0760 (Directory traversal vulnerability in SafeNet Sentinel Protection Serve ...) NOT-FOR-US: SafeNet Sentinel Protection Server CVE-2008-0759 (ExtremeZ-IP.exe in ExtremeZ-IP File and Print Server 5.1.2x15 and earl ...) NOT-FOR-US: ExtremeZ-IP CVE-2008-0758 (Multiple directory traversal vulnerabilities in the Zidget/HTTP embedd ...) NOT-FOR-US: ExtremeZ-IP CVE-2008-0757 (Cross-site scripting (XSS) vulnerability in index.php in MercuryBoard ...) NOT-FOR-US: MercuryBoard CVE-2008-0756 (The LPD server in cyan soft Opium OPI Server 4.10.1028 and earlier; cy ...) NOT-FOR-US: cyan soft Opium OPI software CVE-2008-0755 (Format string vulnerability in the ReportSysLogEvent function in the L ...) NOT-FOR-US: cyan soft Opium OPI software CVE-2008-0754 (Multiple SQL injection vulnerabilities in index.php in the Rapid Recip ...) NOT-FOR-US: Rapid Recipe component for Joomla! CVE-2008-0753 (SQL injection vulnerability in calendar.php in Virtual War (VWar) 1.5 ...) NOT-FOR-US: Virtual War CVE-2008-0752 (SQL injection vulnerability in index.php in the Neogallery (com_neogal ...) NOT-FOR-US: Neogallery component for Joomla! CVE-2008-0751 (Cross-site scripting (XSS) vulnerability in the Freetag before 2.96 pl ...) NOT-FOR-US: Spartacus plugin (freetag) for serendipity CVE-2008-0750 (SQL injection vulnerability in philboard_forum.asp in Husrev BlackBoar ...) NOT-FOR-US: Husrev BlackBoard CVE-2008-0749 (Cross-site scripting (XSS) vulnerability in index.php in Calimero.CMS ...) NOT-FOR-US: Calimero.CMS CVE-2008-0748 (Buffer overflow in the Sony AxRUploadServer.AxRUploadControl.1 ActiveX ...) NOT-FOR-US: Sony ImageStation CVE-2008-0747 (Stack-based buffer overflow in COWON America jetAudio 7.0.5 and earlie ...) NOT-FOR-US: COWON America jetAudio CVE-2008-0746 (SQL injection vulnerability in index.php in the Gallery (com_gallery) ...) NOT-FOR-US: Gallery component for Mambo and Joomla! CVE-2008-0745 (Directory traversal vulnerability in aides/index.php in DomPHP 0.82 al ...) NOT-FOR-US: DomPHP CVE-2008-0744 (SQL injection vulnerability in user_login.asp in PreProjects.com Pre H ...) NOT-FOR-US: Pre Hotels & Resorts Management System CVE-2008-0743 (PHP remote file inclusion vulnerability in members_help.php in Joovili ...) NOT-FOR-US: Joovili CVE-2008-0742 (Multiple directory traversal vulnerabilities in PowerScripts PowerNews ...) NOT-FOR-US: PowerNews CVE-2008-0741 (Unspecified vulnerability in the PropFilePasswordEncoder utility in IB ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2008-0740 (IBM WebSphere Application Server (WAS) before 6.0.2 Fix Pack 25 (6.0.2 ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2008-0739 (SQL injection vulnerability in admin/SA_shipFedExMeter.asp in CandyPre ...) NOT-FOR-US: CandyPress CVE-2008-0738 (Multiple SQL injection vulnerabilities in CandyPress (CP) 4.1.1.26, an ...) NOT-FOR-US: CandyPress CVE-2008-0737 (SQL injection vulnerability in admin/utilities_ConfigHelp.asp in Candy ...) NOT-FOR-US: CandyPress CVE-2008-0736 (admin/SA_shipFedExMeter.asp in CandyPress (CP) 4.1.1.26, and possibly ...) NOT-FOR-US: CandyPress CVE-2008-0735 (SQL injection vulnerability in mod/gallery/ajax/gallery_data.php in Au ...) NOT-FOR-US: AuraCMS CVE-2008-0734 (SQL injection vulnerability in class_auth.php in Limbo CMS 1.0.4.2, an ...) NOT-FOR-US: Limbo CMS CVE-2008-0733 (SQL injection vulnerability in index.php in CS Team Counter Strike Por ...) NOT-FOR-US: CS Team Counter Strike Portals CVE-2007-6701 (Multiple stack-based buffer overflows in the Spooler service (nwspool. ...) NOT-FOR-US: Novell Client CVE-2006-7231 (SQL injection vulnerability in display.asp in Civica Software Civica a ...) NOT-FOR-US: Civica Software Civica CVE-2003-1544 (Unrestricted critical resource lock in Terminal Services for Windows 2 ...) NOT-FOR-US: Windows CVE-2003-1543 (Cross-site scripting (XSS) vulnerability in Bajie Http Web Server 0.95 ...) NOT-FOR-US: Bajie Http Web Server CVE-2003-1542 (Directory traversal vulnerability in plugins/file.php in phpWebFileMan ...) NOT-FOR-US: phpWebFileManager CVE-2003-1541 (PlanetMoon Guestbook tr3.a stores sensitive information under the web ...) NOT-FOR-US: PlanetMoon Guestbook CVE-2003-1540 (WF-Chat 1.0 Beta stores sensitive information under the web root with ...) NOT-FOR-US: WF-Chat CVE-2008-0732 (The init script for Apache Geronimo on SUSE Linux follows symlinks whe ...) NOT-FOR-US: Apache Geronimo CVE-2008-0731 (The Linux kernel before 2.6.18.8-0.8 in SUSE openSUSE 10.2 does not pr ...) NOT-FOR-US: SuSE kernel/apparmor CVE-2008-0730 (The (1) Simplified Chinese, (2) Traditional Chinese, (3) Korean, and ( ...) NOT-FOR-US: Sun Solaris CVE-2008-0729 (Mobile Safari on Apple iPhone 1.1.2 and 1.1.3 allows remote attackers ...) NOT-FOR-US: Apple iPhone CVE-2008-0728 (The unmew11 function in libclamav/mew.c in libclamav in ClamAV before ...) - clamav 0.92.1~dfsg-1 [etch] - clamav (Vulnerable code not present) CVE-2008-0727 (Multiple buffer overflows in oninit.exe in IBM Informix Dynamic Server ...) NOT-FOR-US: IBM Informix Dynamic Server CVE-2008-0726 (Integer overflow in Adobe Reader and Acrobat 8.1.1 and earlier allows ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2008-0725 (Multiple heap-based buffer overflows in the (1) FTP service and (2) ad ...) NOT-FOR-US: Titan FTP Server CVE-2008-0724 (The Everything Development Engine in The Everything Development System ...) NOT-FOR-US: The Everything Development System CVE-2008-0723 (Cross-site scripting (XSS) vulnerability in mynews.inc.php in MyNews 1 ...) NOT-FOR-US: MyNews CVE-2008-0722 (Cross-site scripting (XSS) vulnerability in index.php in Pagetool 1.0. ...) NOT-FOR-US: Pagetool CVE-2008-0721 (SQL injection vulnerability in index.php in the Sermon (com_sermon) 0. ...) NOT-FOR-US: Sermon component for Mambo CVE-2008-0720 (Cross-site scripting (XSS) vulnerability in Webmin 1.370 and 1.390 and ...) - webmin CVE-2008-0719 (SQL injection vulnerability in customer_testimonials.php in the Custom ...) NOT-FOR-US: osCommerce Online Merchant CVE-2008-0718 (Unspecified vulnerability in the USB Mouse STREAMS module (usbms) in S ...) NOT-FOR-US: Sun Solaris CVE-2008-0717 (Cross-site scripting (XSS) vulnerability in Caching Proxy (CP) 5.1 thr ...) NOT-FOR-US: IBM WebSphere Edge Server CVE-2008-0716 (The agent in Symantec Altiris Notification Server before 6.0 SP3 R7 al ...) NOT-FOR-US: Symantec Altiris Notification Server CVE-2008-0715 (Buffer overflow in ACDSee Photo Manager 8.1, 9.0, and 10.0 allows user ...) NOT-FOR-US: ACDSee CVE-2008-0714 (SQL injection vulnerability in users.php in Mihalism Multi Host allows ...) NOT-FOR-US: Mihalism Multi Host CVE-2008-0713 (Unspecified vulnerability in the FTP server for HP-UX B.11.11, B.11.23 ...) NOT-FOR-US: HP-UX B CVE-2008-0712 (Unspecified vulnerability in the HP HPeDiag (aka eSupportDiagnostics) ...) NOT-FOR-US: HP HPeDiag CVE-2008-0711 (Unspecified vulnerability in the embedded management console in HP iLO ...) NOT-FOR-US: HP iLO-2 management processors CVE-2008-0710 REJECTED CVE-2008-0709 (Multiple unspecified vulnerabilities in HP Select Identity 4.00, 4.01, ...) NOT-FOR-US: HP Select Identity CVE-2008-0708 (HP USB 2.0 Floppy Drive Key product options (1) 442084-B21 and (2) 442 ...) NOT-FOR-US: HP USB 2.0 Floppy Drive Key CVE-2008-0707 (HP StorageWorks Library and Tape Tools (LTT) before 4.5 SR1 on HP-UX B ...) NOT-FOR-US: HP-UX CVE-2008-0706 (Unspecified vulnerability in the BIOS F.26 and earlier for the HP Comp ...) NOT-FOR-US: BIOS F.26 CVE-2008-0705 REJECTED CVE-2008-0704 (Unspecified vulnerability in the SSH server in HP OpenVMS TCP/IP Servi ...) NOT-FOR-US: HP OpenVMS CVE-2008-0703 (Multiple directory traversal vulnerabilities in sflog! 0.96 allow remo ...) NOT-FOR-US: sflog! CVE-2008-0702 (Multiple heap-based buffer overflows in Titan FTP Server 6.03 and 6.0. ...) NOT-FOR-US: Titan FTP Server CVE-2008-0701 (ActivationHandler in Magnolia CE 3.5.x before 3.5.4 does not check per ...) NOT-FOR-US: Magnolia CE CVE-2008-0700 (Cross-site scripting (XSS) vulnerability in search.php in Crux Softwar ...) NOT-FOR-US: CruxCMS CVE-2008-0699 (Unspecified vulnerability in the ADMIN_SP_C procedure (SYSPROC.ADMIN_S ...) NOT-FOR-US: IBM DB2 CVE-2008-0698 (Buffer overflow in the DAS server in IBM DB2 UDB before 8.2 Fixpak 16 ...) NOT-FOR-US: IBM DB2 CVE-2008-0697 (Unspecified vulnerability in DB2PD in IBM DB2 UDB before 8.2 Fixpak 16 ...) NOT-FOR-US: IBM DB2 CVE-2008-0696 (IBM DB2 UDB before 8.2 Fixpak 16 does not properly check authorization ...) NOT-FOR-US: IBM DB2 CVE-2008-0695 (SQL injection vulnerability in index.php in BookmarkX script 2007 allo ...) NOT-FOR-US: BookmarkX CVE-2008-0694 (Cross-site scripting (XSS) vulnerability in the HTTP Server in IBM OS/ ...) NOT-FOR-US: IBM OS/400 V5R3M0 and V5R4M0 CVE-2008-0693 (Stack-based buffer overflow in PQCore.exe in Print Manager Plus 2008 C ...) NOT-FOR-US: Print Manager Plus CVE-2008-0692 (SQL injection vulnerability in bidhistory.php in iTechBids 3 Gold and ...) NOT-FOR-US: iTechBids CVE-2008-0691 (Multiple cross-site scripting (XSS) vulnerabilities in admin_panel.php ...) NOT-FOR-US: WP-Footnotes plugin for WordPress CVE-2008-0690 (SQL injection vulnerability in index.php in the mosDirectory (com_dire ...) NOT-FOR-US: mosDirectory component for Joomla! CVE-2008-0689 (SQL injection vulnerability in index.php in the Marketplace (com_marke ...) NOT-FOR-US: Marketplace component for Joomla! CVE-2008-0688 (Cross-site scripting (XSS) vulnerability in catalog.php in Smartscript ...) NOT-FOR-US: Smartscript Domain Trader CVE-2008-0687 (Cross-site scripting (XSS) vulnerability in siteadmin/editor_files/inc ...) NOT-FOR-US: Youtube Clone Script CVE-2008-0686 (SQL injection vulnerability in index.php in the NeoReferences (com_neo ...) NOT-FOR-US: NeoReferences component for Joomla! CVE-2008-0685 (SQL injection vulnerability in ViewCat.php in iTechClassifieds 3.0 all ...) NOT-FOR-US: iTechClassifieds CVE-2008-0684 (Cross-site scripting (XSS) vulnerability in ViewCat.php in iTechClassi ...) NOT-FOR-US: iTechClassifieds CVE-2008-0683 (SQL injection vulnerability in shiftthis-preview.php in the ShiftThis ...) NOT-FOR-US: st_newsletter plugin for WordPress CVE-2008-0682 (SQL injection vulnerability in wordspew-rss.php in the Wordspew plugin ...) NOT-FOR-US: Wordspew plugin for Wordpress CVE-2008-0681 (SQL injection vulnerability in index.php in PHPShop 0.8.1 allows remot ...) NOT-FOR-US: PHPShop CVE-2008-0680 (SNMPd in MikroTik RouterOS 3.2 and earlier allows remote attackers to ...) NOT-FOR-US: MicroTik RouterOS CVE-2008-0679 (Cross-site scripting (XSS) vulnerability in index.php in BlogPHP 2.0 a ...) NOT-FOR-US: BlogPHP CVE-2008-0678 (SQL injection vulnerability in index.php in BlogPHP 2.0 allows remote ...) NOT-FOR-US: BlogPHP CVE-2008-0677 (SQL injection vulnerability in blog.php in A-Blog 2 allows remote atta ...) NOT-FOR-US: A-Blog CVE-2008-0676 (Cross-site scripting (XSS) vulnerability in search.php in A-Blog 2 all ...) NOT-FOR-US: A-Blog CVE-2008-0675 (SQL injection vulnerability in cms/index.pl in The Everything Developm ...) NOT-FOR-US: Everything Development System CVE-2008-0674 (Buffer overflow in PCRE before 7.6 allows remote attackers to execute ...) {DSA-1499-1 DTSA-115-1} - pcre3 7.6-1 (medium) - php5 (Uses sytem copy) CVE-2008-0673 (TinTin++ 1.97.9 and WinTin++ 1.97.9 open files on the basis of an inbo ...) - tintin++ 1.97.9-2 (low; bug #465643) [etch] - tintin++ (Minor issue) CVE-2008-0672 (The process_chat_input function in TinTin++ 1.97.9 and WinTin++ 1.97.9 ...) - tintin++ 1.97.9-2 (low; bug #465643) [etch] - tintin++ (Minor issue) CVE-2008-0671 (Stack-based buffer overflow in the add_line_buffer function in TinTin+ ...) - tintin++ 1.97.9-2 (medium; bug #465643) [etch] - tintin++ (Minor issue) CVE-2008-0670 (SQL injection vulnerability in index.php in the Noticias (com_noticias ...) NOT-FOR-US: Noticias component for Joomla! CVE-2008-0669 (Cross-site scripting (XSS) vulnerability in search.cgi in Sift Unity a ...) NOT-FOR-US: Sift Unity CVE-2008-0668 (The excel_read_HLINK function in plugins/excel/ms-excel-read.c in Gnom ...) {DSA-1546-1} - gnumeric 1.8.1-1 (medium) CVE-2008-0667 (The DOC.print function in the Adobe JavaScript API, as used by Adobe A ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2008-0663 (Novell Challenge Response Client (LCM) 2.7.5 and earlier, as used with ...) NOT-FOR-US: Novell Challenge Response Client CVE-2008-0662 (The Auto Local Logon feature in Check Point VPN-1 SecuRemote/SecureCli ...) NOT-FOR-US: SecuRemote/SecureClient NGX R60 and R56 CVE-2008-0661 (Buffer overflow in dBpowerAMP Audio Player Release 2 allows remote att ...) NOT-FOR-US: dBpowerAMP Audio Player CVE-2008-0660 (Multiple stack-based buffer overflows in Aurigma Image Uploader Active ...) NOT-FOR-US: Aurigma Image Uploader CVE-2008-0659 (Stack-based buffer overflow in Aurigma Image Uploader ActiveX control ...) NOT-FOR-US: Aurigma Image Uploader CVE-2008-0658 (slapd/back-bdb/modrdn.c in the BDB backend for slapd in OpenLDAP 2.3.3 ...) {DSA-1541-1} - openldap2.3 2.4.7-6.1 (low; bug #465875) - openldap2.2 - openldap2 (slapd not built from this version) NOTE: only authenticated users can exploit this CVE-2008-0657 (Multiple unspecified vulnerabilities in the Java Runtime Environment i ...) - sun-java6 6-02-1 - sun-java5 1.5.0-14-1 [etch] - sun-java5 1.5.0-14-1etch1 CVE-2008-0656 (Unrestricted file upload vulnerability in dmclTrace.jsp in EMC Documen ...) NOT-FOR-US: Documentum Administrator and Webtop CVE-2008-0655 (Multiple unspecified vulnerabilities in Adobe Reader and Acrobat befor ...) NOT-FOR-US: Adobe Reader CVE-2008-0654 (Multiple directory traversal vulnerabilities in Azucar CMS 1.3 allow r ...) NOT-FOR-US: Azucar CMS CVE-2008-0653 (SQL injection vulnerability in index.php in the Ynews (com_ynews) 1.0. ...) NOT-FOR-US: Ynews component for Joomla! CVE-2008-0652 (SQL injection vulnerability in index.php in the Downloads (com_downloa ...) NOT-FOR-US: Downloads for Mambo and Joomla! CVE-2008-0651 (SQL injection vulnerability in login.php in Pedro Santana Codice CMS a ...) NOT-FOR-US: Pedro Santana Codice CMS CVE-2008-0650 (SQL injection vulnerability in login.php in Simple OS CMS 0.1c beta al ...) NOT-FOR-US: Simple OS CMS CVE-2008-0649 (SQL injection vulnerability in detail.php in Astanda Directory Project ...) NOT-FOR-US: Astanda Directory Project CVE-2008-0648 (Multiple PHP remote file inclusion vulnerabilities in OpenSiteAdmin 0. ...) NOT-FOR-US: OpenSiteAdmin CVE-2008-0647 (Multiple stack-based buffer overflows in the HanGamePluginCn18.HanGame ...) NOT-FOR-US: Ourgame GLWorld CVE-2008-0646 (The bdecode_recursive function in include/libtorrent/bencode.hpp in Ra ...) - deluge-torrent 0.5.8.3-1 (bug #463357) CVE-2008-0645 (Multiple PHP remote file inclusion vulnerabilities in Portail Web Php ...) NOT-FOR-US: Portail Web Php CVE-2008-0644 (Adobe ColdFusion MX 7 and ColdFusion 8 allows remote attackers to bypa ...) NOT-FOR-US: Adobe ColdFusion CVE-2008-0643 (Cross-site scripting (XSS) vulnerability in Adobe ColdFusion MX 7 and ...) NOT-FOR-US: Adobe ColdFusion CVE-2008-0642 (Cross-site scripting (XSS) vulnerability in files created by Adobe Rob ...) NOT-FOR-US: Adobe CVE-2008-0808 (Cross-site scripting (XSS) vulnerability in the meta plugin in Ikiwiki ...) {DSA-1523-1} - ikiwiki 2.31.1 (low; bug #465110) CVE-2008-0809 (Cross-site scripting (XSS) vulnerability in the htmlscrubber in Ikiwik ...) {DSA-1523-1} - ikiwiki 2.31.1 (low; bug #465110) CVE-2008-0641 RESERVED CVE-2008-0640 (Symantec Ghost Solution Suite 1.1 before 1.1 patch 2, 2.0.0, and 2.0.1 ...) NOT-FOR-US: Symantec Ghost Solution Suite CVE-2008-0639 (Stack-based buffer overflow in the EnumPrinters function in the Spoole ...) NOT-FOR-US: Novell Client CVE-2008-0638 (Heap-based buffer overflow in the Veritas Enterprise Administrator (VE ...) NOT-FOR-US: Veritas Enterprise Administrator service CVE-2008-0637 RESERVED CVE-2008-0636 (Level Platforms, Inc. (LPI) Managed Workplace Service Center 4.x, 5.x ...) NOT-FOR-US: Managed Workplace Service Center CVE-2008-0635 (Unspecified vulnerability in the delivery engine in Openads 2.4.0 thro ...) NOT-FOR-US: Openads CVE-2008-0634 (Buffer overflow in the NamoInstaller.NamoInstall.1 ActiveX control in ...) NOT-FOR-US: NamoInstaller CVE-2008-0633 (Buffer overflow in Anon Proxy Server 0.102 and earlier, when user auth ...) NOT-FOR-US: Anon Proxy Server NOTE: this is not anon-proxy CVE-2008-0632 (Unrestricted file upload vulnerability in cp_upload_image.php in Light ...) NOT-FOR-US: LightBlog CVE-2008-0631 (Multiple ActiveX controls in MailBee.dll in MailBee Objects 5.5 allow ...) NOT-FOR-US: MailBee Objects CVE-2008-0630 (Buffer overflow in url.c in MPlayer 1.0rc2 and SVN before r25823 allow ...) {DSA-1496-1 DTSA-114-1} - mplayer 1.0~rc2-8 (medium; bug #464532) CVE-2008-0629 (Buffer overflow in stream_cddb.c in MPlayer 1.0rc2 and SVN before r258 ...) {DSA-1496-1 DTSA-114-1} - mplayer 1.0~rc2-8 (medium; bug #464533) CVE-2008-0628 (The XML parsing code in Sun Java Runtime Environment JDK and JRE 6 Upd ...) - sun-java6 6-04-1 - sun-java5 (referring to sun this vulnerability is not present in java5) CVE-2008-0627 REJECTED CVE-2008-0626 REJECTED CVE-2008-0625 (Buffer overflow in the MediaGrid ActiveX control (mediagrid.dll) in Ya ...) NOT-FOR-US: Yahoo! Music Jukebox CVE-2008-0624 (Buffer overflow in the YMP Datagrid ActiveX control (datagrid.dll) in ...) NOT-FOR-US: Yahoo! JukeBox CVE-2008-0623 (Stack-based buffer overflow in the YMP Datagrid ActiveX control (datag ...) NOT-FOR-US: Yahoo! JukeBox CVE-2008-0622 (Cross-site scripting (XSS) vulnerability in RaidenHTTPD 2.0.19 and ear ...) NOT-FOR-US: RaidenHTTPD CVE-2008-0621 (Buffer overflow in SAPLPD 6.28 and earlier included in SAP GUI 7.10 an ...) NOT-FOR-US: SAP GUI CVE-2008-0620 (SAPLPD 6.28 and earlier included in SAP GUI 7.10 and SAPSprint before ...) NOT-FOR-US: SAPSprint CVE-2008-0619 (Buffer overflow in NeroMediaPlayer.exe in Nero Media Player 1.4.0.35 a ...) NOT-FOR-US: Nero Media Player CVE-2008-0618 (Multiple cross-site scripting (XSS) vulnerabilities in the DMSGuestboo ...) NOT-FOR-US: DMSGuestbook for wordpress CVE-2008-0617 (Multiple cross-site scripting (XSS) vulnerabilities in the DMSGuestboo ...) NOT-FOR-US: DMSGuestbook for wordpress CVE-2008-0616 (SQL injection vulnerability in the administration panel in the DMSGues ...) NOT-FOR-US: DMSGuestbook for wordpress CVE-2008-0615 (Directory traversal vulnerability in wp-admin/admin.php in the DMSGues ...) NOT-FOR-US: DMSGuestbook for wordpress CVE-2008-0614 (SQL injection vulnerability in index.php in Photokorn Gallery 1.543 al ...) NOT-FOR-US: Photokorn Gallery CVE-2008-0613 (Open redirect vulnerability in htdocs/user.php in XOOPS 2.0.18 allows ...) NOT-FOR-US: XOOPS CVE-2008-0612 (Directory traversal vulnerability in htdocs/install/index.php in XOOPS ...) NOT-FOR-US: XOOPS CVE-2008-0611 (SQL injection vulnerability in rmgs/images.php in the RMSOFT Gallery S ...) NOT-FOR-US: RMSOFT Gallery module for XOOPS CVE-2008-0610 (Stack-based buffer overflow in the ClientConnection::NegotiateProtocol ...) NOT-FOR-US: UltraVNC CVE-2008-0609 (Directory traversal vulnerability in index.php in DivideConcept VHD We ...) NOT-FOR-US: Web Pack 2.0 CVE-2008-0608 (The Logging Server (ftplogsrv.exe) 7.9.14.0 and earlier in IPSwitch WS ...) NOT-FOR-US: IPSwitch WS_FTP CVE-2008-0607 (SQL injection vulnerability in index.php in the Sigsiu Online Business ...) NOT-FOR-US: Sigsiu Online Business Index 2 component for Joomla! and Mambo CVE-2008-0606 (SQL injection vulnerability in index.php in the Shambo2 (com_shambo2) ...) NOT-FOR-US: Shambo2 component for Mambo and Joomla! CVE-2008-0605 (Multiple cross-site scripting (XSS) vulnerabilities in AstroSoft HelpD ...) NOT-FOR-US: AstroSoft HelpDesk CVE-2008-0604 (The LDAP authentication feature in XLight FTP Server before 2.83, when ...) NOT-FOR-US: XLight FTP Server CVE-2008-0603 (SQL injection vulnerability in index.php in the amazOOP Awesom! (com_a ...) NOT-FOR-US: amazOOP Awesom! component for Mambo and Joomla! CVE-2008-0602 (Directory traversal vulnerability in index.php in All Club CMS (ACCMS) ...) NOT-FOR-US: All Club CMS (ACCMS) CVE-2008-0601 (SQL injection vulnerability in index.php in All Club CMS (ACCMS) 0.0.1 ...) NOT-FOR-US: All Club CMS (ACCMS) CVE-2008-0600 (The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1 ...) {DSA-1494-1 DTSA-113-1} - linux-2.6 2.6.24-4 (high) - linux-2.6.24 (Fixed before initial upload, in 2.6.24-4 of linux-2.6) CVE-2008-0599 (The init_request_info function in sapi/cgi/cgi_main.c in PHP before 5. ...) {DTSA-135-1} - php5 5.2.6-1 [etch] - php5 (Vulnerable code not yet present, introduced in 5.2.3) [etch] - php4 (Vulnerable code not yet present, introduced in 5.2.3) CVE-2008-0598 (Unspecified vulnerability in the 32-bit and 64-bit emulation in the Li ...) {DSA-1630-1} - linux-2.6 2.6.26-4 (bug #490910) - linux-2.6.24 2.6.24-6~etchnhalf.4 CVE-2008-0597 (Use-after-free vulnerability in CUPS before 1.1.22, and possibly other ...) - cupsys 1.2.1-1 - cups (Vulnerable code not present) NOTE: (mimeDeleteType included since 1.2.x NOTE: according to maintainer, applies to 1.1.x series only. exact fixed NOTE: version in 1.1 unknown but irrelevant. cups package never had 1.1 NOTE: versions in Debian. CVE-2008-0596 (Memory leak in CUPS before 1.1.22, and possibly other versions, allows ...) - cupsys 1.2.1-1 - cups (Vulnerable code not present) NOTE: see CVE-2008-0597 CVE-2008-0595 (dbus-daemon in D-Bus before 1.0.3, and 1.1.x before 1.1.20, recognizes ...) {DSA-1599-1} - dbus 1.1.20-1 CVE-2008-0594 (Mozilla Firefox before 2.0.0.12 does not always display a web forgery ...) {DSA-1506-1 DSA-1489-1 DSA-1485-2 DSA-1484-1} - iceweasel 2.0.0.12-1 - xulrunner 1.8.1.12-1 - iceape 1.1.9-1 - icedove 2.0.0.12-1 CVE-2008-0593 (Gecko-based browsers, including Mozilla Firefox before 2.0.0.12 and Se ...) {DSA-1506-1 DSA-1489-1 DSA-1485-2 DSA-1484-1} - iceweasel 2.0.0.12-1 - xulrunner 1.8.1.12-1 - iceape 1.1.8-1 - icedove 2.0.0.12-1 CVE-2008-0592 (Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows user ...) {DSA-1506-1 DSA-1489-1 DSA-1485-2 DSA-1484-1} - iceweasel 2.0.0.12-1 - xulrunner 1.8.1.12-1 - iceape 1.1.8-1 - icedove 2.0.0.12-1 CVE-2008-0591 (Mozilla Firefox before 2.0.0.12 and Thunderbird before 2.0.0.12 does n ...) {DSA-1506-1 DSA-1489-1 DSA-1485-2 DSA-1484-1} - iceweasel 2.0.0.12-1 - xulrunner 1.8.1.12-1 - iceape 1.1.9-1 - icedove 2.0.0.12-1 CVE-2008-0590 (Buffer overflow in Ipswitch WS_FTP Server with SSH 6.1.0.0 allows remo ...) NOT-FOR-US: WS_FTP Server with SSH CVE-2008-0589 (The ps program in bos.rte.control in IBM AIX 5.2, 5.3, and 6.1 allows ...) NOT-FOR-US: IBM AIX CVE-2008-0588 (Buffer overflow in the utape program in devices.scsi.tape.diag in IBM ...) NOT-FOR-US: IBM AIX CVE-2008-0587 (Buffer overflow in the uspchrp program in devices.chrp.base.diag in IB ...) NOT-FOR-US: IBM AIX CVE-2008-0586 (Multiple buffer overflows in IBM AIX 5.2 and 5.3 allow local users to ...) NOT-FOR-US: IBM AIX CVE-2008-0585 (sysmgt.websm.webaccess in IBM AIX 5.2 and 5.3 has world writable permi ...) NOT-FOR-US: IBM AIX CVE-2008-0584 (Multiple buffer overflows in bos.rte.control in IBM AIX 5.2 and 5.3 al ...) NOT-FOR-US: IBM AIX CVE-2008-0583 (Cross-zone scripting vulnerability in the Internet Explorer web contro ...) NOT-FOR-US: Skype CVE-2008-0582 (Cross-zone scripting vulnerability in the Internet Explorer web contro ...) NOT-FOR-US: Skype CVE-2008-0581 (Geert Moernaut LSrunasE allows local users to gain privileges by obtai ...) NOT-FOR-US: LSrunasE CVE-2008-0580 (Geert Moernaut LSrunasE and Supercrypt use an encryption key composed ...) NOT-FOR-US: LSrunasE and Supercrypt CVE-2008-0579 (SQL injection vulnerability in index.php in the buslicense (com_buslic ...) NOT-FOR-US: buslicense component for Joomla! CVE-2008-0578 (Cross-site scripting (XSS) vulnerability in the web management login p ...) NOT-FOR-US: Tripwire Enterprise/Server Management Web Interface CVE-2008-0577 (The Project Issue Tracking module 5.x-2.x-dev before 20080130 in the 5 ...) NOT-FOR-US: Project Issue Tracking module for Drupal CVE-2008-0576 (Cross-site scripting (XSS) vulnerability in the Project Issue Tracking ...) NOT-FOR-US: Project Issue Tracking module for Drupal CVE-2008-0575 (Cross-site request forgery (CSRF) vulnerability in admin/admincenter.p ...) NOT-FOR-US: webSPELL CVE-2008-0574 (Cross-site scripting (XSS) vulnerability in index.php in webSPELL 4.01 ...) NOT-FOR-US: webSPELL CVE-2008-0573 (IPSecDrv.sys 10.4.0.12 in SafeNET HighAssurance Remote and SoftRemote ...) NOT-FOR-US: SafeNET HighAssurance Remote and SoftRemote CVE-2008-0572 (Multiple PHP remote file inclusion vulnerabilities in Mindmeld 1.2.0.1 ...) NOT-FOR-US: Mindmeld CVE-2008-0571 (The point moderation form in the Userpoints 4.7.x before 4.7.x-2.3, 5. ...) NOT-FOR-US: Userpoints module for Drupal CVE-2008-0570 (The OpenID 5.x-1.0 and earlier module for Drupal does not properly ver ...) NOT-FOR-US: OpenID module for Drupal CVE-2008-0569 (The Comment Upload 4.7.x before 4.7.x-0.1 and 5.x before 5.x-0.1 modul ...) NOT-FOR-US: Comment upload module for Drupal CVE-2008-0568 (Unspecified vulnerability in the IP-authentication feature in the Secu ...) NOT-FOR-US: Secure Site module for Drupal CVE-2008-0567 (Multiple PHP remote file inclusion vulnerabilities in ChronoEngine Chr ...) NOT-FOR-US: ChronoEngine ChronoForms component for Joomla! CVE-2008-0566 (PHP remote file inclusion vulnerability in includes/smarty.php in Delt ...) NOT-FOR-US: DeltaScripts PHP Links CVE-2008-0565 (SQL injection vulnerability in vote.php in DeltaScripts PHP Links 1.3 ...) NOT-FOR-US: DeltaScripts PHP Links CVE-2008-0563 (Cross-site request forgery (CSRF) vulnerability in service/impl/UserLo ...) - liferay-portal (bug #569819) CVE-2008-0562 (SQL injection vulnerability in index.php in the Restaurant (com_restau ...) NOT-FOR-US: Restaurant component for Mambo and Joomla! CVE-2008-0561 (SQL injection vulnerability in index.php in the Arthur Konze AkoGaller ...) NOT-FOR-US: AkoGallery component for Mambo and Joomla! CVE-2008-0560 NOT-FOR-US: cforms wordpress plugin CVE-2008-0559 (Multiple directory traversal vulnerabilities in Nilson's Blogger 0.11 ...) NOT-FOR-US: cforms wordpress plugin CVE-2008-0558 (Cross-site scripting (XSS) vulnerability in Uniwin eCart Professional ...) NOT-FOR-US: Uniwin eCart Professiona CVE-2008-0557 (SQL injection vulnerability in index.php in the CatalogShop (com_catal ...) NOT-FOR-US: CatalogShop componenent for Mambo and Joomla! CVE-2008-0556 (Cross-site request forgery (CSRF) vulnerability in OpenCA PKI 0.9.2.5, ...) NOT-FOR-US: OpenCA PKI Project CVE-2008-0555 (The ExpandCert function in Apache-SSL before apache_1.3.41+ssl_1.59 do ...) - apache [etch] - apache (only exploitable in very specific setups) NOTE: Only affects the apache-ssl package, not apache or apache-perl. NOTE: Only relevant if the attacker can get a CA that is trusted by the server NOTE: to sign client certs with arbitrary CN, but cannot influence the contents NOTE: of the other DN fields. NOTE: OTOH, the configuration used in Debian's apache-ssl 1.55 (per-dir NOTE: ssl-renegotiation switched off), has obviously not been tested by upstream NOTE: with 1.59 (it doesn't even compile). NOTE: Also, upstream's fix breaks API/ABI compatibility in some corner cases. NOTE: While these cases are not really supported by Debian, all in all the low NOTE: severity of the issue is not in proportion to the risk of breaking something NOTE: with the fix. CVE-2008-0552 (Cross-site scripting (XSS) vulnerability in index.php in eTicket 1.5.6 ...) NOT-FOR-US: eTicket CVE-2008-0551 (The NamoInstaller.NamoInstall.1 ActiveX control in NamoInstaller.dll 3 ...) NOT-FOR-US: Namo Web Editor CVE-2008-0550 (Off-by-one error in Steamcast 0.9.75 and earlier allows remote attacke ...) NOT-FOR-US: Steamcast CVE-2008-0549 (Integer overflow in the OggHeaderParse function in Steamcast 0.9.75 an ...) NOT-FOR-US: Steamcast CVE-2008-0548 (Steamcast 0.9.75 and earlier allows remote attackers to cause a denial ...) NOT-FOR-US: Steamcast CVE-2008-0547 (Cross-site scripting (XSS) vulnerability in admin/utilities_ConfigHelp ...) NOT-FOR-US: CandyPress CVE-2008-0546 (Multiple SQL injection vulnerabilities in CandyPress (CP) 4.1.1.26, an ...) NOT-FOR-US: CandyPress CVE-2008-0545 (Multiple directory traversal vulnerabilities in Bubbling Library 1.32 ...) NOT-FOR-US: Bubbling Library CVE-2008-0543 (Multiple SQL injection vulnerabilities in Pre Dynamic Institution allo ...) NOT-FOR-US: Pre Dynamic Institution CVE-2008-0542 (Directory traversal vulnerability in thumbnail.php in Gerd Tentler Sim ...) NOT-FOR-US: Simple Forum CVE-2008-0541 (Multiple cross-site scripting (XSS) vulnerabilities in forum.php in Ge ...) NOT-FOR-US: Simple Forum CVE-2008-0540 (Multiple cross-site scripting (XSS) vulnerabilities in trixbox 2.4.2.0 ...) NOT-FOR-US: trixbox CVE-2008-0539 (Cross-site scripting (XSS) vulnerability in dms/policy/rep_request.php ...) NOT-FOR-US: F5 BIG-IP Application Security Manager CVE-2008-0538 (Multiple SQL injection vulnerabilities in phpIP Management 4.3.2 allow ...) NOT-FOR-US: phpIP Management CVE-2008-0537 (Unspecified vulnerability in the Supervisor Engine 32 (Sup32), Supervi ...) NOT-FOR-US: Cisco CVE-2008-0536 (Unspecified vulnerability in the SSH server in (1) Cisco Service Contr ...) NOT-FOR-US: Cisco CVE-2008-0535 (Unspecified vulnerability in the SSH server in (1) Cisco Service Contr ...) NOT-FOR-US: Cisco CVE-2008-0534 (The SSH server in (1) Cisco Service Control Engine (SCE) before 3.1.6, ...) NOT-FOR-US: Cisco CVE-2008-0533 (Multiple cross-site scripting (XSS) vulnerabilities in securecgi-bin/C ...) NOT-FOR-US: Cisco ACS CVE-2008-0532 (Multiple buffer overflows in securecgi-bin/CSuserCGI.exe in User-Chang ...) NOT-FOR-US: Cisco ACS CVE-2008-0531 (Heap-based buffer overflow in Cisco Unified IP Phone 7940, 7940G, 7960 ...) NOT-FOR-US: Cisco CVE-2008-0530 (Buffer overflow in Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G ...) NOT-FOR-US: Cisco CVE-2008-0529 (Buffer overflow in the telnet server in Cisco Unified IP Phone 7906G, ...) NOT-FOR-US: Cisco CVE-2008-0528 (Buffer overflow in Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G ...) NOT-FOR-US: Cisco CVE-2008-0527 (The HTTP server in Cisco Unified IP Phone 7935 and 7936 running SCCP f ...) NOT-FOR-US: Cisco CVE-2008-0526 (Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G running SCCP firmw ...) NOT-FOR-US: Cisco CVE-2008-0525 (PatchLink Update client for Unix, as used by Novell ZENworks Patch Man ...) NOT-FOR-US: PatchLink Update client for Unix CVE-2008-0524 (Cross-site request forgery (CSRF) vulnerability in the management inte ...) NOT-FOR-US: Yamaha router firmware CVE-2008-0523 (Multiple cross-site scripting (XSS) vulnerabilities in SoftCart.exe in ...) NOT-FOR-US: SoftCart CVE-2008-0522 (Cross-site scripting (XSS) vulnerability in multiple Hal Networks shop ...) NOT-FOR-US: Hal Networks shopping-cart products CVE-2008-0521 (Multiple directory traversal vulnerabilities in Bubbling Library 1.32 ...) NOT-FOR-US: Bubbling Library CVE-2008-0520 (Multiple SQL injection vulnerabilities in main.php in the WassUp plugi ...) NOT-FOR-US: WassUp plugin for WordPress CVE-2008-0519 (SQL injection vulnerability in index.php in the Atapin Jokes (com_joke ...) NOT-FOR-US: Atapin Jokes component for Mambo and Joomla! CVE-2008-0518 (SQL injection vulnerability in index.php in the Recipes (com_recipes) ...) NOT-FOR-US: Recipes component for Mambo and Joomla! CVE-2008-0517 (SQL injection vulnerability in index.php in the Darko Selesi EstateAge ...) NOT-FOR-US: EstateAgent component for Mambo and Joomla! CVE-2008-0516 (PHP remote file inclusion vulnerability in spaw/dialogs/confirm.php in ...) NOT-FOR-US: SQLiteManager CVE-2008-0515 (SQL injection vulnerability in index.php in the musepoes (com_musepoes ...) NOT-FOR-US: musepoes component for Mambo and Joomla! CVE-2008-0514 (SQL injection vulnerability in index.php in the Glossary (com_glossary ...) NOT-FOR-US: Glossary component for Mambo and Joomla! CVE-2008-0513 (Directory traversal vulnerability in parser/include/class.cache_phpcms ...) NOT-FOR-US: phpCMS CVE-2008-0512 (SQL injection vulnerability in index.php in the fq (com_fq) component ...) NOT-FOR-US: fq component for Mambo and Joomla! CVE-2008-0511 (SQL injection vulnerability in index.php in the MaMML (com_mamml) comp ...) NOT-FOR-US: MaMML component for Mambo and Joomla! CVE-2008-0510 (SQL injection vulnerability in index.php in the Newsletter (com_newsle ...) NOT-FOR-US: Newsletter component for Mambo and Joomla! CVE-2008-0509 (Multiple buffer overflows in IBM AIX 4.3 allow remote attackers to cau ...) NOT-FOR-US: IBM AIX CVE-2008-0508 (Cross-site request forgery (CSRF) vulnerability in deans_permalinks_mi ...) NOT-FOR-US: Dean's Permalinks Migration plugin for WordPress CVE-2008-0507 (SQL injection vulnerability in adclick.php in the AdServe 0.2 plugin f ...) NOT-FOR-US: AdServe plugin for WordPress CVE-2008-0506 (include/imageObjectIM.class.php in Coppermine Photo Gallery (CPG) befo ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2008-0505 (Multiple cross-site scripting (XSS) vulnerabilities in docs/showdoc.ph ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2008-0504 (Multiple SQL injection vulnerabilities in Coppermine Photo Gallery (CP ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2008-0503 (Eval injection vulnerability in admin/op/disp.php in Netwerk Smart Pub ...) NOT-FOR-US: Netwerk Smart Publisher CVE-2008-0502 (PHP remote file inclusion vulnerability in templates/Official/part_use ...) NOT-FOR-US: Connectix Boards CVE-2007-6700 (Cross-site scripting (XSS) vulnerability in cgi-bin/bgplg in the web i ...) NOT-FOR-US: openbsd CVE-2007-6699 (Multiple buffer overflows in the AIM PicEditor 9.5.1.8 ActiveX control ...) NOT-FOR-US: AIM PicEditor CVE-2007-6698 (The BDB backend for slapd in OpenLDAP before 2.3.36 allows remote auth ...) {DSA-1541-1} - openldap2.3 2.3.38-1 - openldap2.2 - openldap2 (slapd not built) CVE-2007-6696 (Multiple cross-site scripting (XSS) vulnerabilities in WebCalendar 1.1 ...) - webcalendar 1.1.6-7 (bug #466935) [lenny] - webcalendar (See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=466935#37) CVE-2007-6695 (Cross-site scripting (XSS) vulnerability in index.php in Drake CMS 0.4 ...) NOT-FOR-US: Drake CMS CVE-2008-0664 (The XML-RPC implementation (xmlrpc.php) in WordPress before 2.3.3, whe ...) {DSA-1601-1} - wordpress 2.3.3-1 (medium; bug #464170) [etch] - wordpress (vulnerable code not present) NOTE: The blog has to provide user accounts NOTE: A crafted XML-RPC request referring to a valid user can exploit this NOTE: This is specific to wordpress' implementation of xmlrpc.php, which is NOTE: not included in any other packages. - libwordpress-xmlrpc-perl CVE-2008-0553 (Stack-based buffer overflow in the ReadImage function in tkImgGIF.c in ...) {DSA-1598-1 DSA-1491-1 DSA-1490-1 DTSA-140-1} - tk8.5 8.5.0-3 - tk8.4 8.4.17-2 - tk8.3 8.3.5-12 - libtk-img 1:1.3-release-7 (bug #485785) CVE-2008-0554 (Buffer overflow in the readImageData function in giftopnm.c in netpbm ...) {DSA-1579-1} - netpbm-free 10.0-11.1 (medium; bug #464056) CVE-2008-0564 (Multiple cross-site scripting (XSS) vulnerabilities in Mailman before ...) - mailman 1:2.1.10~b3-1 (low) [etch] - mailman (Minor issue) [sarge] - mailman (Minor issue) NOTE: Someone authenticated as list admin can insert malicious script NOTE: into list templates. This already consists of a high degree of NOTE: control over the mailinglist, so not a very important issue. NOTE: This enhances the fix for CVE-2006-3636. NOTE: http://mail.python.org/pipermail/mailman-announce/2008-February/000095.html CVE-2008-0665 (wml_backend/p1_ipp/ipp.src in Website META Language (WML) 2.0.11 allow ...) {DSA-1492-1} - wml 2.0.11-3.1 (low; bug #463907) [sarge] - wml (Vulnerable code is patched to use mkdtemp) CVE-2008-0666 (Website META Language (WML) 2.0.11 allows local users to overwrite arb ...) {DSA-1492-1} - wml 2.0.11-3.1 (low; bug #463907) [sarge] - wml (Vulnerable code is patched to use mkdtemp) CVE-2008-0501 (Directory traversal vulnerability in phpMyClub 0.0.1 allows remote att ...) NOT-FOR-US: phpMyClub CVE-2008-0500 (Multiple unspecified vulnerabilities in Mambo LaiThai 4.5.5 have unkno ...) NOT-FOR-US: MamboXChange LaiThai CVE-2008-0499 (SQL injection vulnerability in Mambo LaiThai 4.5.5 allows remote attac ...) NOT-FOR-US: MamboXChange LaiThai CVE-2008-0498 (SQL injection vulnerability in main_bigware_53.tpl.php in Bigware Shop ...) NOT-FOR-US: Bigware Shop CVE-2008-0497 (Cross-site scripting (XSS) vulnerability in action.php in Nucleus CMS ...) NOT-FOR-US: Nucleus CMS CVE-2008-0496 (Cross-site scripting (XSS) vulnerability in index.php in AmpJuke 0.7.0 ...) NOT-FOR-US: AmpJuke CVE-2008-0495 (Unspecified vulnerability in the Pegasus CIM Server in IBM Hardware Ma ...) NOT-FOR-US: Pegasus CIM Server CVE-2008-0494 (Cross-site scripting (XSS) vulnerability in vpnum/userslist.php in End ...) NOT-FOR-US: Endian Firewall CVE-2008-0493 (fpx.dll 3.9.8.0 in the FlashPix plugin for IrfanView 4.10 allows remot ...) NOT-FOR-US: FlashPix plugin for IrfanView CVE-2008-0492 (Stack-based buffer overflow in the Persits.XUpload.2 ActiveX control i ...) NOT-FOR-US: Persits XUpload CVE-2008-0491 (SQL injection vulnerability in fim_rss.php in the fGallery 2.4.1 plugi ...) NOT-FOR-US: fGallery for WordPress CVE-2008-0490 (SQL injection vulnerability in functions/editevent.php in the WP-Cal 0 ...) NOT-FOR-US: WP-Cal plugin for WordPress CVE-2008-0489 (Directory traversal vulnerability in install.php in Clansphere 2007.4. ...) NOT-FOR-US: Clansphere CVE-2008-0488 (Directory traversal vulnerability in tseekdir.cgi in VB Marketing allo ...) NOT-FOR-US: VB Marketing CVE-2008-0487 (Multiple SQL injection vulnerabilities in login.asp in ASPired2Protect ...) NOT-FOR-US: ASPired2Protect CVE-2008-0486 (Array index vulnerability in libmpdemux/demux_audio.c in MPlayer 1.0rc ...) {DSA-1536-1 DSA-1496-1 DTSA-114-1} - mplayer 1.0~rc2-8 (bug #464060) - xine-lib 1.1.10.1-1 (bug #464696) [sarge] - xine-lib (Vulnerable code not present) CVE-2008-0485 (Array index error in libmpdemux/demux_mov.c in MPlayer 1.0 rc2 and ear ...) {DSA-1496-1 DTSA-114-1} - mplayer 1.0~rc2-8 (bug #464060) CVE-2008-0484 RESERVED CVE-2008-0483 RESERVED CVE-2008-0482 RESERVED CVE-2008-0481 (Directory traversal vulnerability in RTE_file_browser.asp in Web Wiz R ...) NOT-FOR-US: Web Wiz Rich Text Editor CVE-2008-0480 (Multiple directory traversal vulnerabilities in Web Wiz Forums 9.07 an ...) NOT-FOR-US: Web Wiz Forums CVE-2008-0479 (Directory traversal vulnerability in RTE_file_browser.asp in Web Wiz N ...) NOT-FOR-US: Web Wiz NewsPad CVE-2008-0478 (Directory traversal vulnerability in index.php in SetCMS 3.6.5 allows ...) NOT-FOR-US: SetCMS CVE-2008-0477 (Stack-based buffer overflow in the QMPUpgrade.Upgrade.1 ActiveX contro ...) NOT-FOR-US: Move Networks Upgrade Manager CVE-2008-0476 (ManageEngine Applications Manager 8.1 build 8100 does not check authen ...) NOT-FOR-US: ManageEngine Applications Manager CVE-2008-0475 (ManageEngine Applications Manager 8.1 build 8100 allows remote attacke ...) NOT-FOR-US: ManageEngine Applications Manager CVE-2008-0474 (Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine Ap ...) NOT-FOR-US: ManageEngine Applications Manager CVE-2008-0473 (RTE_popup_save_file.asp in Web Wiz Rich Text Editor 4.0 allows remote ...) NOT-FOR-US: Web Wiz Rich Text Editor CVE-2008-0472 (Cross-site request forgery (CSRF) vulnerability in modcp.php in Woltla ...) NOT-FOR-US: Woltlab Burning Board CVE-2008-0471 (Cross-site request forgery (CSRF) vulnerability in privmsg.php in phpB ...) {DSA-1488-1} - phpbb2 2.0.22-3 (low; bug #463589) CVE-2008-0470 (A certain ActiveX control in Comodo AntiVirus 2.0 allows remote attack ...) NOT-FOR-US: Comodo AntiVirus CVE-2008-0469 (SQL injection vulnerability in index.php in Tiger Php News System (TPN ...) NOT-FOR-US: Tiger Php News System CVE-2008-0468 (SQL injection vulnerability in category.php in Flinx 1.3 and earlier a ...) NOT-FOR-US: Flinx CVE-2008-0467 (Stack-based buffer overflow in Firebird before 2.0.4, and 2.1.x before ...) {DSA-1529-1} - firebird2 [etch] - firebird2 (Fixed packages have been released through backports.org, see #1529) - firebird2.0 2.0.3.12981.ds1-5 (medium; bug #463596) CVE-2008-0466 (Web Wiz RTE_file_browser.asp in, as used in Web Wiz Rich Text Editor 4 ...) NOT-FOR-US: Web Wiz Rich Text Editor CVE-2008-0465 (Directory traversal vulnerability in optimizer.php in Seagull 0.6.3 al ...) NOT-FOR-US: Seagull CVE-2008-0464 (Directory traversal vulnerability in archiv.cgi in absofort aconon Mai ...) NOT-FOR-US: aconon Mail Enterprise SQL CVE-2008-0463 (Cross-site scripting (XSS) vulnerability in the Workflow 4.7.x before ...) NOT-FOR-US: Workflow module for Drupal CVE-2008-0462 (Cross-site scripting (XSS) vulnerability in the Archive 5.x before 5.x ...) NOT-FOR-US: Archive module for Drupal CVE-2008-0461 (SQL injection vulnerability in index.php in the Search module in PHP-N ...) NOT-FOR-US: PHP-Nuke CVE-2008-0460 (Cross-site scripting (XSS) vulnerability in api.php in (1) MediaWiki 1 ...) - mediawiki 1:1.11.1-1 (low) [etch] - mediawiki (Doesn't include API functionality) CVE-2008-0459 (Directory traversal vulnerability in update/index.php in Liquid-Silver ...) NOT-FOR-US: Liquit-Silver CMS CVE-2008-0458 (Directory traversal vulnerability in function/sources.php in SLAED CMS ...) NOT-FOR-US: SLAED CMS CVE-2008-0457 (Unrestricted file upload vulnerability in the FileUpload class running ...) NOT-FOR-US: Symantec LiveState Apache Tomcat server CVE-2008-0456 (CRLF injection vulnerability in the mod_negotiation module in the Apac ...) - apache (unimportant) - apache2 (unimportant) NOTE: This is only relevant if an attacker can upload files with arbitrary names NOTE: but not with arbitrary contents. CVE-2008-0455 (Cross-site scripting (XSS) vulnerability in the mod_negotiation module ...) - apache (unimportant) - apache2 (unimportant) NOTE: This is only relevant if an attacker can upload files with arbitrary names NOTE: but not with arbitrary contents. CVE-2008-0454 (Cross-zone scripting vulnerability in the Internet Explorer web contro ...) NOT-FOR-US: Skype CVE-2008-0453 (SQL injection vulnerability in list.php in Easysitenetwork Recipe allo ...) NOT-FOR-US: Easysitenetwork Recipe CVE-2008-0452 (Directory traversal vulnerability in articles.php in Siteman 1.1.9 all ...) NOT-FOR-US: Siteman CVE-2008-0451 (Multiple SQL injection vulnerabilities in PacerCMS 0.6 allow remote au ...) NOT-FOR-US: PacerCMS CVE-2008-0450 (Multiple PHP remote file inclusion vulnerabilities in BLOG:CMS 4.2.1.c ...) NOT-FOR-US: BLOG:CMS CVE-2008-0449 (SQL injection vulnerability in paypalresult.asp in VP-ASP Shopping Car ...) NOT-FOR-US: VP-ASP Shopping Cart CVE-2008-0448 (PHP remote file inclusion vulnerability in utils/class_HTTPRetriever.p ...) NOT-FOR-US: phpSearch CVE-2008-0447 (SQL injection vulnerability in index.php in Foojan WMS PHP Weblog 1.0 ...) NOT-FOR-US: Foojan WMS PHP Weblog CVE-2008-0446 (SQL injection vulnerability in voircom.php in LulieBlog 1.02 allows re ...) NOT-FOR-US: Foojan WMS PHP Weblog CVE-2008-0445 (The replace_inline_img function in elogd in Electronic Logbook (ELOG) ...) - elog 2.9.2+2014.05.11git44800a7-1 (low; bug #463600) CVE-2008-0444 (Cross-site scripting (XSS) vulnerability in Electronic Logbook (ELOG) ...) - elog 2.9.2+2014.05.11git44800a7-1 (low; bug #463600) CVE-2008-0443 (Heap-based buffer overflow in the FileUploader.FUploadCtl.1 ActiveX co ...) NOT-FOR-US: Lycos FileUploader Module CVE-2008-0442 (PHP remote file inclusion vulnerability in inc/linkbar.php in Small Ax ...) NOT-FOR-US: Small Axe Weblog CVE-2008-0441 (IBM Tivoli Business Service Manager (TBSM) 4.1.1 stores passwords in c ...) NOT-FOR-US: IBM Tivoli Business Service Manager CVE-2008-0440 (AlstraSoft Forum Pay Per Post Exchange 2.0 stores passwords in clearte ...) NOT-FOR-US: AlstraSoft Forum Pay Per Post Exchange CVE-2008-0439 (Cross-site scripting (XSS) vulnerability in templates/default/admincp/ ...) NOT-FOR-US: DeluxeBB CVE-2008-0438 (Cross-site scripting (XSS) vulnerability in the font rendering functio ...) NOT-FOR-US: Novemberborn sIFR CVE-2008-0437 (Multiple buffer overflows in the WebHPVCInstall.HPVirtualRooms14 Activ ...) NOT-FOR-US: HP Virtual Rooms CVE-2008-0436 (Cross-site scripting (XSS) vulnerability in profile-upload/upload.asp ...) NOT-FOR-US: PD9 Software MegaBBS CVE-2008-0435 (Directory traversal vulnerability in index.php in OZJournals 2.1.1 all ...) NOT-FOR-US: OZJournals CVE-2008-0434 (Format string vulnerability in the AXIMilter module in AXIGEN Mail Ser ...) NOT-FOR-US: AXIGEN Mail Server CVE-2008-0433 (PHP remote file inclusion vulnerability in theme/phpAutoVideo/LightTwo ...) NOT-FOR-US: Agares Media phpAutoVideo CVE-2008-0432 (Cross-site scripting (XSS) vulnerability in index.php in phpAutoVideo ...) NOT-FOR-US: Agares Media phpAutoVideo CVE-2008-0431 (Directory traversal vulnerability in administrator/download.php in IDM ...) NOT-FOR-US: IDMOS CVE-2008-0430 (SQL injection vulnerability in form.php in 360 Web Manager 3.0 allows ...) NOT-FOR-US: 360 Web Manager CVE-2008-0429 (SQL injection vulnerability in index.php in AlstraSoft Forum Pay Per P ...) NOT-FOR-US: AlstraSoft Forum Pay Per Post Exchange CVE-2008-0428 (Multiple SQL injection vulnerabilities in the login function in system ...) NOT-FOR-US: bloofoxCMS CVE-2008-0427 (Directory traversal vulnerability in file.php in bloofoxCMS 0.3 allows ...) NOT-FOR-US: bloofoxCMS CVE-2008-0426 (Multiple cross-site scripting (XSS) vulnerabilities in submit.php in P ...) NOT-FOR-US: PacerCMS CVE-2008-0425 (Absolute path traversal vulnerability in explorerdir.php in Frimousse ...) NOT-FOR-US: Frimousse CVE-2008-0424 (SQL injection vulnerability in blog.php in Mooseguy Blog System (MGBS) ...) NOT-FOR-US: Mooseguy Blog System CVE-2008-0423 (Multiple PHP remote file inclusion vulnerabilities in Lama Software al ...) NOT-FOR-US: Lama Software CVE-2008-0422 (SQL injection vulnerability in mail.php in boastMachine (aka bMachine) ...) NOT-FOR-US: bMachine CVE-2008-0421 (SQL injection vulnerability in Invision Gallery 2.0.7 and earlier allo ...) NOT-FOR-US: Invision Gallery CVE-2008-0420 (modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp in Mozilla Firefox befor ...) {DSA-1534-1 DSA-1484-1} - iceape 1.1.8-1 - iceweasel 2.0.0.12-1 - xulrunner 1.8.1.12-1 NOTE: The initial advisory claimed Thunderbird/Icedove were vulnerable, but clarified NOTE: later, see http://www.mozilla.org/security/announce/2008/mfsa2008-07.html CVE-2008-0419 (Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows remo ...) {DSA-1506-1 DSA-1489-1 DSA-1485-2 DSA-1484-1} - iceweasel 2.0.0.12-1 - xulrunner 1.8.1.12-1 - iceape 1.1.8-1 - icedove 2.0.0.12-1 CVE-2008-0418 (Directory traversal vulnerability in Mozilla Firefox before 2.0.0.12, ...) {DSA-1506-1 DSA-1489-1 DSA-1485-2 DSA-1484-1} - iceweasel 2.0.0.12-1 - xulrunner 1.8.1.12-1 - iceape 1.1.8-1 - icedove 2.0.0.12-1 CVE-2008-0417 (CRLF injection vulnerability in Mozilla Firefox before 2.0.0.12 allows ...) {DSA-1506-1 DSA-1489-1 DSA-1485-2 DSA-1484-1} - iceweasel 2.0.0.12-1 - xulrunner 1.8.1.12-1 - iceape 1.1.8-1 - icedove 2.0.0.12-1 CVE-2008-0416 (Multiple cross-site scripting (XSS) vulnerabilities in Mozilla Firefox ...) {DSA-1506-1 DSA-1489-1 DSA-1485-2 DSA-1484-1} - iceweasel 2.0.0.12-1 - icedove 2.0.0.12-1 - xulrunner 1.8.1.13-1 - iceape 1.1.9-1 CVE-2008-0415 (Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaM ...) {DSA-1506-1 DSA-1489-1 DSA-1485-2 DSA-1484-1} - iceweasel 2.0.0.12-1 - iceape 1.1.8-1 - icedove 2.0.0.12-1 - xulrunner 1.8.1.12-1 CVE-2008-0414 (Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows user ...) {DSA-1506-1 DSA-1489-1 DSA-1485-2 DSA-1484-1} - iceweasel 2.0.0.12-1 - xulrunner 1.8.1.12-1 - iceape 1.1.8-1 - icedove 2.0.0.12-1 CVE-2008-0413 (The JavaScript engine in Mozilla Firefox before 2.0.0.12, Thunderbird ...) {DSA-1506-1 DSA-1489-1 DSA-1485-2 DSA-1484-1} - iceweasel 2.0.0.12-1 - xulrunner 1.8.1.12-1 - iceape 1.1.8-1 - icedove 2.0.0.12-1 CVE-2008-0412 (The browser engine in Mozilla Firefox before 2.0.0.12, Thunderbird bef ...) {DSA-1506-1 DSA-1489-1 DSA-1485-2 DSA-1484-1} - iceweasel 2.0.0.12-1 - xulrunner 1.8.1.12-1 - iceape 1.1.8-1 - icedove 2.0.0.12-1 CVE-2008-0411 (Stack-based buffer overflow in the zseticcspace function in zicc.c in ...) {DSA-1510-1} - ghostscript 8.61.dfsg.1-1.1 (medium; bug #468190) - gs-gpl (medium) CVE-2007-6694 (The chrp_show_cpuinfo function (chrp/setup.c) in Linux kernel 2.4.21 t ...) {DSA-1565-1 DSA-1503-2 DSA-1504-1 DSA-1503-1} - linux-2.6 2.6.24-1 - linux-2.6.24 (Fixed before initial upload, upstream in 2.6.24) NOTE: Upstream commit 9ac71d00398674aaec664f30559f0a21d963862f, part of 2.6.24 CVE-2008-XXXX [exempi buffer overflow in GIF ReadHeader() function] - exempi 1.99.7-1 (bug #454297) CVE-2008-0544 (Heap-based buffer overflow in the IMG_LoadLBM_RW function in IMG_lbm.c ...) {DSA-1493-2 DSA-1493-1} - sdl-image1.2 1.2.6-3 (medium) CVE-2007-6697 (Buffer overflow in the LWZReadByte function in IMG_gif.c in SDL_image ...) {DSA-1493-2 DSA-1493-1} - sdl-image1.2 1.2.6-2 (medium) CVE-2008-0410 (HTTP File Server (HFS) before 2.2c allows remote attackers to obtain c ...) NOT-FOR-US: HTTP File Server CVE-2008-0409 (Cross-site scripting (XSS) vulnerability in HTTP File Server (HFS) bef ...) NOT-FOR-US: HTTP File Server CVE-2008-0408 (HTTP File Server (HFS) before 2.2c allows remote attackers to append a ...) NOT-FOR-US: HTTP File Server CVE-2008-0407 (HTTP File Server (HFS) before 2.2c tags HTTP request log entries with ...) NOT-FOR-US: HTTP File Server CVE-2008-0406 (HTTP File Server (HFS) before 2.2c, when account names are used as log ...) NOT-FOR-US: HTTP File Server CVE-2008-0405 (Multiple directory traversal vulnerabilities in HTTP File Server (HFS) ...) NOT-FOR-US: HTTP File Server CVE-2008-0404 (Cross-site scripting (XSS) vulnerability in Mantis before 1.1.1 allows ...) - mantis (Vulnerable code not present) NOTE: code was introduced in the 1.1.x series, which are not shipped by us yet CVE-2008-0403 (The web server in Belkin Wireless G Plus MIMO Router F5D9230-4 does no ...) NOT-FOR-US: Belkin Wireless firmware CVE-2008-0402 (Unspecified vulnerability in IBM WebSphere Business Modeler Basic and ...) NOT-FOR-US: IBM WebSphere Business Modeler CVE-2008-0401 (Buffer overflow in the logging functionality of the HTTP server in IBM ...) NOT-FOR-US: IBM Tivoli Provisioning Manager for OS Deployment before CVE-2008-0400 (Cross-site scripting (XSS) vulnerability in header.tpl.php in the mode ...) NOT-FOR-US: Singapore CVE-2008-0399 (Multiple buffer overflows in Toshiba Surveillance (Surveillix) RecordS ...) NOT-FOR-US: Toshiba Surveillance CVE-2008-0398 (Cross-site scripting (XSS) vulnerability in aflog 1.01, and possibly e ...) NOT-FOR-US: aflog CVE-2008-0397 (Multiple SQL injection vulnerabilities in aflog 1.01, and possibly ear ...) NOT-FOR-US: aflog CVE-2008-0396 (Directory traversal vulnerability in BitDefender Update Server (http.e ...) NOT-FOR-US: BitDefender Update Server CVE-2008-0395 (Kayako SupportSuite 3.11.01 allows remote attackers to obtain server c ...) NOT-FOR-US: Kayako SupportSuite CVE-2008-0394 (Buffer overflow in Citadel SMTP server 7.10 and earlier allows remote ...) NOT-FOR-US: Citadel SMTP server CVE-2008-0393 (Directory traversal vulnerability in info.php in GradMan 0.1.3 and ear ...) NOT-FOR-US: GradMan CVE-2008-0392 (Multiple buffer overflows in Microsoft Visual Basic Enterprise Edition ...) NOT-FOR-US: Microsoft Visual Basic CVE-2008-0391 (inc/elementz.php in aliTalk 1.9.1.1 does not properly verify authentic ...) NOT-FOR-US: aliTalk CVE-2008-0390 (stat.php in AuraCMS 1.62, and Mod Block Statistik for AuraCMS, allows ...) NOT-FOR-US: AuraCMS CVE-2008-0389 (Unspecified vulnerability in the serveServletsByClassnameEnabled featu ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2008-0388 (SQL injection vulnerability in the WP-Forum 1.7.4 plugin for WordPress ...) NOT-FOR-US: WP-Forum plugin for WordPress CVE-2008-0387 (Integer overflow in Firebird SQL 1.0.3 and earlier, 1.5.x before 1.5.6 ...) {DSA-1529-1} - firebird2.0 2.0.3.12981.ds1-4 (bug #460048) [lenny] - firebird2.0 2.0.3.12981.ds1-1+lenny1 - firebird2 [etch] - firebird2 (Fixed packages have been released through backports.org, see #1529) CVE-2008-0386 (Xdg-utils 1.0.2 and earlier allows user-assisted remote attackers to e ...) - xdg-utils (Ships a patch that modifies the vulnerable code and uses sed secure) NOTE: xdg-open-generic replaces the vulnerable code and runs view-mailcap or sensible-browser CVE-2008-0385 (SQL injection vulnerability in server/widgetallocator.php in Urulu 2.1 ...) NOT-FOR-US: Urulu CVE-2008-0384 (OpenBSD 4.2 allows local users to cause a denial of service (kernel pa ...) NOT-FOR-US: OpenBSD CVE-2008-0383 (Multiple SQL injection vulnerabilities in MyBB 1.2.10 and earlier allo ...) NOT-FOR-US: MyBB CVE-2008-0382 (Multiple eval injection vulnerabilities in MyBB 1.2.10 and earlier all ...) NOT-FOR-US: MyBB CVE-2008-0381 (Unspecified vulnerability in Mahara before 0.9.1 has unknown impact an ...) - mahara 0.9.1-1 (low) CVE-2008-0380 (Buffer overflow in the Digital Data Communications RtspVaPgCtrl Active ...) NOT-FOR-US: Digital Data Communications CVE-2008-0379 (Race condition in the Enterprise Tree ActiveX control (EnterpriseContr ...) NOT-FOR-US: Crystal Reports CVE-2008-0378 (Stack-based buffer overflow in SocksCap 2.40-051231 and earlier, when ...) NOT-FOR-US: SocksCap CVE-2008-0377 (MicroNews allows remote attackers to bypass authentication and gain ad ...) NOT-FOR-US: MicroNews CVE-2008-0376 (PHP remote file inclusion vulnerability in inc/linkbar.php in Small Ax ...) NOT-FOR-US: Small Axe Weblog CVE-2008-0375 (Unspecified vulnerability in OKI C5510MFP Printer CU H2.15, PU 01.03.0 ...) NOT-FOR-US: OKI C5510MFP Printer firmware CVE-2008-0374 (OKI C5510MFP Printer CU H2.15, PU 01.03.01, System F/W 1.01, and Web P ...) NOT-FOR-US: OKI C5510MFP Printer firmware CVE-2008-0373 (Unrestricted file upload vulnerability in PHP F1 Max's File Uploader a ...) NOT-FOR-US: PHP F1 Max's File Uploader CVE-2008-0372 (8e6 R3000 Internet Filter 2.0.05.33, and other versions before 2.0.11, ...) NOT-FOR-US: 8e6 R3000 Internet Filter CVE-2008-0371 (Multiple SQL injection vulnerabilities in aliTalk 1.9.1.1, when magic_ ...) NOT-FOR-US: aliTalk CVE-2008-0370 (Cross-site scripting (XSS) vulnerability in dohtaccess.html in cPanel ...) NOT-FOR-US: cPanel CVE-2008-0369 (Multiple unspecified programs in IBM Informix Dynamic Server (IDS) 10. ...) NOT-FOR-US: IBM Informix Dynamic Server CVE-2008-0368 (onedcu in IBM Informix Dynamic Server (IDS) 10.x before 10.00.xC8 allo ...) NOT-FOR-US: IBM Informix Dynamic Server CVE-2008-0367 (Mozilla Firefox 2.0.0.11, 3.0b2, and possibly earlier versions, when p ...) - iceweasel 3.0 (low) [etch] - iceweasel (Etch Packages no longer covered by security support) NOTE: Mozilla #244273 CVE-2008-0366 (CORE FORCE before 0.95.172 does not properly validate arguments to SSD ...) NOT-FOR-US: CORE FORCE CVE-2008-0365 (Multiple buffer overflows in CORE FORCE before 0.95.172 allow local us ...) NOT-FOR-US: CORE FORCE CVE-2008-0364 (Buffer overflow in (1) BitTorrent 6.0 and earlier; and (2) uTorrent 1. ...) NOT-FOR-US: BitTorrent/uTorrent CVE-2008-0363 (Multiple SQL injection vulnerabilities in Clever Copy 3.0 and earlier ...) NOT-FOR-US: Clever Copy CVE-2008-0362 (Cross-site scripting (XSS) vulnerability in gallery.php in Clever Copy ...) NOT-FOR-US: Clever Copy CVE-2008-0361 (Directory traversal vulnerability in agregar_info.php in GradMan 0.1.3 ...) NOT-FOR-US: GradMan CVE-2008-0360 (Multiple SQL injection vulnerabilities in BLOG:CMS 4.2.1b allow remote ...) NOT-FOR-US: BLOG:CMS CVE-2008-0359 (Multiple cross-site scripting (XSS) vulnerabilities in BLOG:CMS 4.2.1b ...) NOT-FOR-US: BLOG:CMS CVE-2008-0358 (SQL injection vulnerability in index.php in Pixelpost 1.7 allows remot ...) NOT-FOR-US: Pixelpost CVE-2008-0357 (Directory traversal vulnerability in pages/upload.php in Galaxyscripts ...) NOT-FOR-US: Galaxyscripts CVE-2008-0356 (Buffer overflow in the Independent Management Architecture (IMA) servi ...) NOT-FOR-US: Citrix Presentation Server CVE-2008-0355 (SQL injection vulnerability in index.php in the forum module in PHPEch ...) NOT-FOR-US: PHPEcho CMS CVE-2008-0354 (Cross-site scripting (XSS) vulnerability in the chat client in IBM Lot ...) NOT-FOR-US: IBM Lotus Sametime CVE-2008-0353 (SQL injection vulnerability in visualizza_tabelle.php in php-residence ...) NOT-FOR-US: php-residence CVE-2008-XXXX [apt-cacher arbitrary command execution] - apt-cacher 1.6.1 [etch] - apt-cacher (vulnerable code introduced in 1.6.0) [sarge] - apt-cacher (vulnerable code introduced in 1.6.0) CVE-2008-0352 (The Linux kernel 2.6.20 through 2.6.21.1 allows remote attackers to ca ...) - linux-2.6 2.6.22-1 [etch] - linux-2.6 (Vulnerable code was introduced after 2.6.19 release) CVE-2008-0351 (admin/config.php in Evilsentinel 1.0.9 and earlier allows remote attac ...) NOT-FOR-US: EvilSentinel CVE-2008-0350 (admin/index.php in Evilsentinel 1.0.9 and earlier sends a redirect to ...) NOT-FOR-US: EvilSentinel CVE-2008-0349 (Unspecified vulnerability in the PeopleTools component in Oracle Peopl ...) NOT-FOR-US: Oracle CVE-2008-0348 (Multiple unspecified vulnerabilities in the PeopleTools component in O ...) NOT-FOR-US: Oracle CVE-2008-0347 (Unspecified vulnerability in the Oracle Ultra Search component in Orac ...) NOT-FOR-US: Oracle CVE-2008-0346 (Unspecified vulnerability in the Oracle Jinitiator component in Oracle ...) NOT-FOR-US: Oracle CVE-2008-0345 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle CVE-2008-0344 (Unspecified vulnerability in the Oracle Spatial component in Oracle Da ...) NOT-FOR-US: Oracle CVE-2008-0343 (Unspecified vulnerability in the Oracle Spatial component in Oracle Da ...) NOT-FOR-US: Oracle CVE-2008-0342 (Unspecified vulnerability in the Upgrade/Downgrade component in Oracle ...) NOT-FOR-US: Oracle CVE-2008-0341 (Unspecified vulnerability in the Advanced Queuing component in Oracle ...) NOT-FOR-US: Oracle CVE-2008-0340 (Multiple unspecified vulnerabilities in Oracle Database 9.0.1.5 FIPS+, ...) NOT-FOR-US: Oracle CVE-2008-0339 (Unspecified vulnerability in the XML DB component in Oracle Database 9 ...) NOT-FOR-US: Oracle CVE-2008-0338 (Directory traversal vulnerability in the mwGetLocalFileName function i ...) NOT-FOR-US: miniweb CVE-2008-0337 (Heap-based buffer overflow in the _mwProcessReadSocket function in htt ...) NOT-FOR-US: miniweb CVE-2008-0336 (Multiple cross-site request forgery (CSRF) vulnerabilities in BugTrack ...) NOT-FOR-US: BugTracker.NET CVE-2008-0335 (Cross-site scripting (XSS) vulnerability in BugTracker.NET before 2.7. ...) NOT-FOR-US: BugTracker.NET CVE-2008-0334 (Cross-site scripting (XSS) vulnerability in pm/language/spanish/prefer ...) NOT-FOR-US: pMachine CVE-2008-0333 (Directory traversal vulnerability in download_view_attachment.aspx in ...) NOT-FOR-US: AfterLogic MailBee WebMail Pro 4.1 for ASP.NET CVE-2008-0332 (Directory traversal vulnerability in arias/help/effect.php in aria 0.9 ...) NOT-FOR-US: Aria ERP (not the aria we ship) CVE-2008-0331 (Unspecified vulnerability in Funkwerk System Software before 7.4.1 PAT ...) NOT-FOR-US: Funkwerk CVE-2008-0330 (Open System Consultants (OSC) Radiator before 4.0 allows remote attack ...) NOT-FOR-US: Radiator CVE-2008-0329 (LulieBlog 1.0.1 and 1.0.2 does not restrict access to (1) article_supp ...) NOT-FOR-US: LulieBlog CVE-2008-0328 (SQL injection vulnerability in page.php in FaScript FaName 1.0 allows ...) NOT-FOR-US: FaScript CVE-2008-0327 (SQL injection vulnerability in show.php in FaScript FaMp3 1.0 allows r ...) NOT-FOR-US: FaScript CVE-2008-0326 (SQL injection vulnerability in class/show.php in FaScript FaPersianHac ...) NOT-FOR-US: FaScript CVE-2008-0325 (SQL injection vulnerability in show.php in FaScript FaPersian Petition ...) NOT-FOR-US: FaScript CVE-2008-0324 (Cisco Systems VPN Client IPSec Driver (CVPNDRVA.sys) 5.0.02.0090 allow ...) NOT-FOR-US: Cisco CVE-2008-0323 RESERVED CVE-2008-0322 (The I2O Utility Filter driver (i2omgmt.sys) 5.1.2600.2180 for Microsof ...) NOT-FOR-US: Microsoft Windows XP driver CVE-2008-0321 RESERVED CVE-2008-0320 (Heap-based buffer overflow in the OLE importer in OpenOffice.org befor ...) {DSA-1547-1} - openoffice.org 2.4.0~ooh680m5-1 CVE-2008-0319 RESERVED CVE-2008-0318 (Integer overflow in the cli_scanpe function in libclamav in ClamAV bef ...) {DSA-1497-1} - clamav 0.92.1~dfsg-1 (medium) CVE-2008-0317 RESERVED CVE-2008-0316 RESERVED CVE-2008-0315 RESERVED CVE-2008-0314 (Heap-based buffer overflow in spin.c in libclamav in ClamAV 0.92.1 all ...) {DSA-1549-1} - clamav 0.92.1~dfsg2-1 (medium) CVE-2008-0313 (The ActiveDataInfo.LaunchProcess method in the SymAData.ActiveDataInfo ...) NOT-FOR-US: Symantec Norton products CVE-2008-0312 (Stack-based buffer overflow in the AutoFix Support Tool ActiveX contro ...) NOT-FOR-US: Symantec Norton products CVE-2008-0311 (Stack-based buffer overflow in the PGMWebHandler::parse_request functi ...) NOT-FOR-US: Borland CaliberRM CVE-2008-0310 (Directory traversal vulnerability in pkgadd in SCO UnixWare 7.1.4 befo ...) NOT-FOR-US: SCO UnixWare CVE-2008-0309 (Stack-based buffer overflow in Symantec Decomposer, as used in certain ...) NOT-FOR-US: Symantec Decomposer CVE-2008-0308 (Symantec Decomposer, as used in certain Symantec antivirus products in ...) NOT-FOR-US: Symantec Decomposer CVE-2008-0307 (Integer signedness error in vserver in SAP MaxDB 7.6.0.37, and possibl ...) - maxdb-7.5.00 CVE-2008-0306 (sdbstarter in SAP MaxDB 7.6.0.37, and possibly other versions, allows ...) - maxdb-7.5.00 CVE-2008-0305 RESERVED CVE-2008-0304 (Heap-based buffer overflow in Mozilla Thunderbird before 2.0.0.12 and ...) {DSA-1697-1 DSA-1621-1} - icedove 2.0.0.12-1 (medium) - iceape 1.1.8-1 (medium) CVE-2008-0303 (The FTP print feature in multiple Canon printers, including imageRUNNE ...) NOT-FOR-US: Canon printer firmware CVE-2008-0301 (Multiple SQL injection vulnerabilities in Mapbender 2.4.4 allow remote ...) NOT-FOR-US: Mapbender CVE-2008-0300 (mapFiler.php in Mapbender 2.4 to 2.4.4 allows remote attackers to exec ...) NOT-FOR-US: Mapbender CVE-2008-0298 (KHTML WebKit as used in Apple Safari 2.x allows remote attackers to ca ...) - webkit (Not reproducible, browser crashes not treated as security issues) - qt4-x11 (Not reproducible, browser crashes not treated as security issues) - kdelibs (Not reproducible, browser crashes not treated as security issues) - kde4libs (Not reproducible, browser crashes not treated as security issues) NOTE: Not reproducible, might be fixed before all the forks went off CVE-2008-0297 (PhotoKorn allows remote attackers to obtain database credentials via a ...) NOT-FOR-US: PhotoKorn CVE-2008-0296 (Heap-based buffer overflow in the libaccess_realrtsp plugin in VideoLA ...) {DSA-1543-1 DTSA-111-1} - vlc 0.8.6.c-6 (bug #461544; medium) CVE-2008-0295 (Heap-based buffer overflow in modules/access/rtsp/real_sdpplin.c in th ...) {DSA-1543-1 DTSA-111-1} - vlc 0.8.6.c-6 (bug #461544; medium) NOTE: this does not affect xine-lib itself, its just vlc that ships a really old version of it CVE-2008-0294 (Unspecified vulnerability in the seat-locking implementation in FreeSe ...) NOT-FOR-US: FreeSeat CVE-2008-0293 (Unspecified vulnerability in cron.php in FreeSeat before 1.1.5d, when ...) NOT-FOR-US: FreeSeat CVE-2008-0292 (Cross-site scripting (XSS) vulnerability in photo_album.pl in Dansie P ...) NOT-FOR-US: Dansie Photo Album CVE-2008-0291 (SQL injection vulnerability in showproduct.asp in RichStrong CMS allow ...) NOT-FOR-US: RichStrong CMS CVE-2007-6693 (Unspecified vulnerability in the WebCam module in Menalto Gallery befo ...) - gallery2 2.2.4-1 (bug #457644) - gallery (Vulnerable code not present) CVE-2007-6692 (Open redirect vulnerability in Menalto Gallery before 2.2.4 allows rem ...) - gallery2 2.2.4-1 (bug #457644) - gallery (Vulnerable code not present) CVE-2007-6691 (Multiple unspecified vulnerabilities in Menalto Gallery before 2.2.4 h ...) - gallery2 2.2.4-1 (bug #457644) - gallery (Vulnerable code not present) CVE-2007-6690 (The Gallery Remote module in Menalto Gallery before 2.2.4 does not che ...) - gallery2 2.2.4-1 (bug #457644) - gallery (Vulnerable code not present) CVE-2007-6689 (Menalto Gallery before 2.2.4 does not properly check for malicious fil ...) - gallery2 2.2.4-1 (bug #457644) - gallery (Vulnerable code not present) CVE-2007-6688 (Unspecified vulnerability in the Installation application in Menalto G ...) - gallery (Vulnerable code not present) - gallery2 2.2.4-1 (bug #457644) CVE-2007-6687 (Multiple cross-site scripting (XSS) vulnerabilities in Menalto Gallery ...) - gallery2 2.2.4-1 (bug #457644) - gallery (Vulnerable code not present) CVE-2007-6686 (The URL rewrite module in Menalto Gallery before 2.2.4 allows attacker ...) - gallery2 2.2.4-1 (bug #457644) - gallery (Vulnerable code not present) CVE-2007-6685 (Unspecified vulnerability in the Publish XP module Menalto Gallery bef ...) - gallery (Vulnerable code not present) - gallery2 2.2.4-1 (bug #457644) CVE-2008-0161 RESERVED CVE-2008-0290 (Multiple SQL injection vulnerabilities in Digital Hive 2.0 RC2 and ear ...) NOT-FOR-US: Digital Hive CVE-2008-0289 (PHP remote file inclusion vulnerability in view_func.php in Member Are ...) NOT-FOR-US: Member Area System CVE-2008-0288 (Multiple SQL injection vulnerabilities in ImageAlbum 2.0.0b2 allow rem ...) NOT-FOR-US: ImageAlbum CVE-2008-0287 (PHP remote file inclusion vulnerability in VisionBurst vcart 3.3.2 all ...) NOT-FOR-US: VisionBurst vcart CVE-2008-0286 (SQL injection vulnerability in admin/login.php in Article Dashboard al ...) NOT-FOR-US: Article Dashboard CVE-2008-0285 (ngIRCd 0.10.x before 0.10.4 and 0.11.0 before 0.11.0-pre2 allows remot ...) - ngircd 0.10.3-2 (bug #461067; low) [etch] - ngircd (Minor issue) CVE-2008-0284 (Cross-site scripting (XSS) vulnerability in Simple Machines Forum (SMF ...) NOT-FOR-US: Simple Machines Forum CVE-2008-0283 (PHP remote file inclusion vulnerability in /aides/index.php in DomPHP ...) NOT-FOR-US: DomPHP CVE-2008-0282 (SQL injection vulnerability in welcome/inscription.php in DomPHP 0.81 ...) NOT-FOR-US: DomPHP CVE-2008-0281 (SQL injection vulnerability in liste.php in ID-Commerce 2.0 and earlie ...) NOT-FOR-US: ID-Commerce CVE-2008-0280 (SQL injection vulnerability in index.php in MTCMS 2.0 and possibly ear ...) NOT-FOR-US: MTCMS CVE-2008-0279 (SQL injection vulnerability in liretopic.php in Xforum 1.4 and possibl ...) NOT-FOR-US: Xforum CVE-2008-0278 (SQL injection vulnerability in index.php in X7 Chat 2.0.5 and possibly ...) NOT-FOR-US: X7 Chat CVE-2008-0277 (Unspecified vulnerability in the Fileshare module for Drupal allows re ...) NOT-FOR-US: Fileshare module for Drupal CVE-2008-0276 (Cross-site scripting (XSS) vulnerability in the Devel module before 5. ...) NOT-FOR-US: Devel module for Drupal CVE-2008-0275 (The Atom 4.7 before 4.7.x-1.0 and 5.x before 5.x-1.0 module for Drupal ...) NOT-FOR-US: Atom module for Drupal CVE-2008-0274 (Cross-site scripting (XSS) vulnerability in Drupal 4.7.x and 5.x, when ...) - drupal5 5.6-1 (unimportant) NOTE: needs register_globals on CVE-2008-0273 (Interpretation conflict in Drupal 4.7.x before 4.7.11 and 5.x before 5 ...) - drupal5 5.6-1 (low) CVE-2008-0272 (Cross-site request forgery (CSRF) vulnerability in the aggregator modu ...) - drupal5 5.6-1 (low) CVE-2008-0271 (The editor deletion form in BUEditor 4.7.x before 4.7.x-1.0 and 5.x be ...) NOT-FOR-US: BUEditor CVE-2008-0270 (SQL injection vulnerability in index.php in TaskFreak! 0.6.1 and earli ...) NOT-FOR-US: TaskFreak! CVE-2008-0269 (Unspecified vulnerability in the dotoprocs function in Sun Solaris 10 ...) NOT-FOR-US: Sun Solaris CVE-2008-0268 (Cross-site scripting (XSS) vulnerability in view.php in eTicket 1.5.5. ...) NOT-FOR-US: eTicket CVE-2008-0267 (Multiple SQL injection vulnerabilities in eTicket 1.5.5.2 allow remote ...) NOT-FOR-US: eTicket CVE-2008-0266 (Cross-site request forgery (CSRF) vulnerability in admin.php in eTicke ...) NOT-FOR-US: eTicket CVE-2008-0265 (Multiple cross-site scripting (XSS) vulnerabilities in the Search func ...) NOT-FOR-US: F5 BIG-IP CVE-2008-0264 (Unspecified vulnerability in the Meta Tags (aka Nodewords) 5.x-1.6 mod ...) NOT-FOR-US: Meta Tags module for Drupal CVE-2008-0263 (The SIP module in Ingate Firewall before 4.6.1 and SIParator before 4. ...) NOT-FOR-US: Ingate Firewall CVE-2008-0262 (SQL injection vulnerability in includes/articleblock.php in Agares Php ...) NOT-FOR-US: Agares PhpAutoVideo CVE-2008-0261 (Unspecified vulnerability in the search component and module in Mambo ...) NOT-FOR-US: Mambo NOTE: Mambo is in experimental CVE-2008-0260 (minimal Gallery 0.8 allows remote attackers to obtain configuration in ...) NOT-FOR-US: minimal Gallery CVE-2008-0259 (Multiple directory traversal vulnerabilities in _mg/php/mg_thumbs.php ...) NOT-FOR-US: minimal Gallery CVE-2008-0258 (Cross-site scripting (XSS) vulnerability in index.php in PHP Running M ...) NOT-FOR-US: PHP Running Management CVE-2008-0257 (Cross-site scripting (XSS) vulnerability in search.pl in Dansie Search ...) NOT-FOR-US: Dansie Search CVE-2008-0256 (Multiple SQL injection vulnerabilities in Matteo Binda ASP Photo Galle ...) NOT-FOR-US: Matteo Binda ASP Photo Gallery CVE-2008-0255 (SQL injection vulnerability in archive.php in iGaming 1.5, and 1.3.1 a ...) NOT-FOR-US: iGaming CVE-2008-0254 (SQL injection vulnerability in activate.php in TutorialCMS (aka Photos ...) NOT-FOR-US: TutorialCMS CVE-2008-0253 (SQL injection vulnerability in full_text.php in Binn SBuilder allows r ...) NOT-FOR-US: Binn SBuilder CVE-2008-0252 (Directory traversal vulnerability in the _get_file_path function in (1 ...) {DSA-1481-1} - python-cherrypy 2.2.1-3.1 (low; bug #461069) - cherrypy3 3.0.2-2 CVE-2008-0251 (Unrestricted file upload vulnerability in PhotoPost vBGallery before 2 ...) NOT-FOR-US: PhotoPost vBGallery CVE-2008-0250 (Buffer overflow in Microsoft Visual InterDev 6.0 (SP6) allows user-ass ...) NOT-FOR-US: Microsoft Visual InterDev CVE-2008-0249 (PHP Webquest 2.6 allows remote attackers to retrieve database credenti ...) NOT-FOR-US: PHP Webquest CVE-2008-0248 (Buffer overflow in an ActiveX control in ccpm_0237.dll for StreamAudio ...) NOT-FOR-US: StreamAudio ChainCast ProxyManager CVE-2008-0247 (Heap-based buffer overflow in the Express Backup Server service (dsmsv ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2008-0246 (admin.php in UploadScript 1.0 does not check for the original password ...) NOT-FOR-US: UploadScript CVE-2008-0245 (admin.php in UploadImage 1.0 does not check for the original password ...) NOT-FOR-US: UploadImage CVE-2008-0244 (SAP MaxDB 7.6.03 build 007 and earlier allows remote attackers to exec ...) - maxdb-7.5.00 (medium; bug #461444) NOTE: see #461456 for removal explanation CVE-2008-0243 (Unspecified vulnerability in Lotus Domino 7.0.2 before Fix Pack 3 allo ...) NOT-FOR-US: Lotus Domino CVE-2008-0242 (Unspecified vulnerability in libdevinfo in Sun Solaris 10 allows local ...) NOT-FOR-US: Sun Solari CVE-2008-0241 (Open redirect vulnerability in /idm/user/login.jsp in Sun Java System ...) NOT-FOR-US: Sun Java System Identity Manager CVE-2008-0240 (/idm/help/index.jsp in Sun Java System Identity Manager 6.0 SP1 throug ...) NOT-FOR-US: Sun Java System Identity Manager CVE-2008-0239 (Multiple cross-site scripting (XSS) vulnerabilities in Sun Java System ...) NOT-FOR-US: Sun Java System Identity Manager CVE-2008-0238 (Multiple heap-based buffer overflows in the rmff_dump_cont function in ...) NOTE: Dupe of CVE-2008-0225 CVE-2008-0299 (common.py in Paramiko 1.7.1 and earlier, when using threads or forked ...) - paramiko 1.6.4-1.1 (low; bug #460706) [etch] - paramiko (Minor issue) NOTE: http://web.archive.org/web/20100715101310/http://www.lag.net/pipermail/paramiko/2008-January/000599.html CVE-2008-0237 (The Microsoft Rich Textbox ActiveX Control (RICHTX32.OCX) 6.1.97.82 al ...) NOT-FOR-US: Microsoft Rich Textbox ActiveX Control CVE-2008-0236 (An ActiveX control for Microsoft Visual FoxPro (vfp6r.dll 6.0.8862.0) ...) NOT-FOR-US: Microsoft Visual FoxPro CVE-2008-0235 (The Microsoft VFP_OLE_Server ActiveX control allows remote attackers t ...) NOT-FOR-US: Microsoft VFP_OLE_Server ActiveX control CVE-2008-0234 (Buffer overflow in Apple Quicktime Player 7.3.1.70 and other versions ...) NOT-FOR-US: Apple Quicktime Player CVE-2008-0233 (Unrestricted file upload vulnerability in Zero CMS 1.0 Alpha and earli ...) NOT-FOR-US: Zero CMS CVE-2008-0232 (Multiple SQL injection vulnerabilities in Zero CMS 1.0 Alpha allow rem ...) NOT-FOR-US: Zero CMS CVE-2008-0231 (Multiple directory traversal vulnerabilities in index.php in Tuned Stu ...) NOT-FOR-US: Tune Studio CVE-2008-0230 (PHP remote file inclusion vulnerability in php121db.php in osDate 2.0. ...) NOT-FOR-US: osDate CVE-2008-0229 (The telnet service in LevelOne WBR-3460 4-Port ADSL 2/2+ Wireless Mode ...) NOT-FOR-US: LevelOne router firmware CVE-2008-0228 (Cross-site request forgery (CSRF) vulnerability in apply.cgi in the Li ...) NOT-FOR-US: Linksys WRT54GL firmware CVE-2008-0227 (yaSSL 1.7.5 and earlier, as used in MySQL and possibly other products, ...) {DSA-1478-1} - mysql-dfsg-4.1 - mysql-dfsg-5.0 5.0.51-3 (low; bug #460873) - cyassl (Fixed before initial upload to archive) CVE-2008-0226 (Multiple buffer overflows in yaSSL 1.7.5 and earlier, as used in MySQL ...) {DSA-1478-1} - mysql-dfsg-4.1 - mysql-dfsg-5.0 5.0.51-3 (medium; bug #460873) - cyassl (Fixed before initial upload to archive) CVE-2008-0225 (Heap-based buffer overflow in the rmff_dump_cont function in input/lib ...) {DSA-1472-1 DTSA-109-1} - xine-lib 1.1.10-1 (medium; bug #460551) CVE-2008-0224 (SQL injection vulnerability in index.php in the Newbb_plus 0.92 and ea ...) NOT-FOR-US: RunCMS CVE-2008-0223 (Buffer overflow in JustSystems JSFC.DLL, as used in multiple JustSyste ...) NOT-FOR-US: JustSystem CVE-2008-0222 (Unrestricted file upload vulnerability in ajaxfilemanager.php in the W ...) NOT-FOR-US: Wp-FileManager plugin for WordPress CVE-2008-0221 (Directory traversal vulnerability in the WebLaunch.WeblaunchCtl.1 (aka ...) NOT-FOR-US: Gateway Weblaunch CVE-2008-0220 (Multiple stack-based buffer overflows in the WebLaunch.WeblaunchCtl.1 ...) NOT-FOR-US: Gateway Weblaunch CVE-2008-0219 (SQL injection vulnerability in soporte_horizontal_w.php in PHP Webques ...) NOT-FOR-US: Webquest CVE-2008-0218 (Cross-site scripting (XSS) vulnerability in admin/index.html in Merak ...) NOT-FOR-US: Merak IceWarp Mail Server CVE-2008-0217 (The script program in FreeBSD 5.0 through 7.0-PRERELEASE invokes openp ...) - kfreebsd-5 [etch] - kfreebsd-5 (FreeBSD not supported) - kfreebsd-6 (see bug #483152) - kfreebsd-7 (see bug #483152) CVE-2008-0216 (The ptsname function in FreeBSD 6.0 through 7.0-PRERELEASE does not pr ...) - kfreebsd-5 (see bug #483152) - kfreebsd-6 (see bug #483152) - kfreebsd-7 (see bug #483152) CVE-2008-0215 (Multiple unspecified vulnerabilities in HP Storage Essentials Storage ...) NOT-FOR-US: HP SRM CVE-2008-0214 (Multiple unspecified vulnerabilities in HP Select Identity 4.00, 4.01, ...) NOT-FOR-US: HP Select Identity CVE-2008-0213 (Unspecified vulnerability in a certain ActiveX control for HP Virtual ...) NOT-FOR-US: HP Virtual Rooms CVE-2008-0212 (ovtopmd in HP OpenView Network Node Manager (OV NNM) 6.41, 7.01, and 7 ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2008-0211 (Unspecified vulnerability in the BIOS F.04 through F.11 for the HP Com ...) NOT-FOR-US: BIOS F.04 CVE-2008-0210 (Uebimiau Webmail 2.7.10 and 2.7.2 does not protect authentication stat ...) NOT-FOR-US: Uebimiau Webmail CVE-2008-0209 (Open redirect vulnerability in Forums/login.asp in Snitz Forums 2000 3 ...) NOT-FOR-US: Snitz Forums 2000 CVE-2008-0208 (Cross-site scripting (XSS) vulnerability in login.asp in Snitz Forums ...) NOT-FOR-US: Snitz Forums 2000 CVE-2008-0207 (Multiple cross-site scripting (XSS) vulnerabilities in PRO-Search 0.17 ...) NOT-FOR-US: PRO-Search CVE-2008-0206 (Multiple cross-site scripting (XSS) vulnerabilities in captcha\captcha ...) NOT-FOR-US: Captcha! CVE-2008-0205 (Multiple cross-site request forgery (CSRF) vulnerabilities in math-com ...) NOT-FOR-US: Math Comment Spam Protection plugin for WordPress CVE-2008-0204 (Multiple cross-site scripting (XSS) vulnerabilities in math-comment-sp ...) NOT-FOR-US: Math Comment Spam Protection plugin for WordPress CVE-2008-0203 (Multiple cross-site scripting (XSS) vulnerabilities in cryptographp/ad ...) NOT-FOR-US: Cryptographp plugin for WordPress CVE-2008-0202 (CRLF injection vulnerability in index.php in ExpressionEngine 1.2.1 an ...) NOT-FOR-US: ExpressionEngine CVE-2008-0201 (Cross-site scripting (XSS) vulnerability in index.php in ExpressionEng ...) NOT-FOR-US: ExpressionEngine CVE-2008-0200 (Multiple cross-site scripting (XSS) vulnerabilities in account/index.h ...) NOT-FOR-US: RotaBanner CVE-2008-0199 (PRO-Search 0.17 and earlier allows remote attackers to cause a denial ...) NOT-FOR-US: PRO-Search CVE-2008-0198 (Multiple cross-site request forgery (CSRF) vulnerabilities in wp-conta ...) NOT-FOR-US: WP-ContactForm plugin for WordPress CVE-2008-0197 (Multiple cross-site scripting (XSS) vulnerabilities in wp-contact-form ...) NOT-FOR-US: WP-ContactForm plugin for WordPress CVE-2008-0196 (Multiple directory traversal vulnerabilities in WordPress 2.0.11 and e ...) - wordpress 2.3.3-1 [etch] - wordpress (Auth is needed and attacker should have permissions to edit files) CVE-2008-0195 (WordPress 2.0.11 and earlier allows remote attackers to obtain sensiti ...) - wordpress 2.1.0-1 (unimportant) NOTE: full path and DB structure already known on Debian NOTE: poked hendry CVE-2008-0194 (Directory traversal vulnerability in wp-db-backup.php in WordPress 2.0 ...) {DSA-1502-1} - wordpress 2.1.0-1 NOTE: Vulnerable code removed since 2.1 release CVE-2008-0193 (Cross-site scripting (XSS) vulnerability in wp-db-backup.php in WordPr ...) {DSA-1502-1} - wordpress 2.1.0-1 NOTE: Vulnerable code removed since 2.1 release CVE-2008-0192 (Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.0.9 ...) - wordpress 2.0.10-1 NOTE: poked hendry CVE-2008-0191 (WordPress 2.2.x and 2.3.x allows remote attackers to obtain sensitive ...) - wordpress (unimportant) NOTE: full path and DB structure already known on Debian NOTE: poked hendry CVE-2008-0190 (Multiple cross-site scripting (XSS) vulnerabilities in templates/examp ...) NOT-FOR-US: AwesomeTemplateEngine CVE-2008-0189 REJECTED CVE-2008-0188 REJECTED CVE-2008-0187 (SQL injection vulnerability in songinfo.php in SAM Broadcaster samPHPw ...) NOT-FOR-US: SAM Broadcaster samPHPweb CVE-2008-0186 (Cross-site scripting (XSS) vulnerability in index.php in NetRisk 1.9.7 ...) NOT-FOR-US: NetRisk CVE-2008-0185 (SQL injection vulnerability in index.php in NetRisk 1.9.7 and possibly ...) NOT-FOR-US: NetRisk CVE-2008-0184 (Absolute path traversal vulnerability in index.php in Sys-Hotel on Lin ...) NOT-FOR-US: Sys-Hotel CVE-2008-0183 RESERVED CVE-2008-0182 (Cross-site request forgery (CSRF) vulnerability in the Admin portlet i ...) - liferay-portal (bug #569819) CVE-2008-0181 (Cross-site scripting (XSS) vulnerability in the Admin portlet in Lifer ...) - liferay-portal (bug #569819) CVE-2008-0180 (Cross-site scripting (XSS) vulnerability in themes/_unstyled/templates ...) - liferay-portal (bug #569819) CVE-2008-0179 (Cross-site scripting (XSS) vulnerability in service/impl/UserLocalServ ...) - liferay-portal (bug #569819) CVE-2008-0178 (Cross-site scripting (XSS) vulnerability in the Enterprise Admin Sessi ...) - liferay-portal (bug #569819) CVE-2008-0177 (The ipcomp6_input function in sys/netinet6/ipcomp_input.c in the KAME ...) - kfreebsd-7 (see bug #483152) - kfreebsd-6 (see bug #483152) - kfreebsd-5 [etch] - kfreebsd-5 (FreeBSD not supported) NOTE: Linux kernel code is not affected, the proper check is there NOTE: (somewhat difficult to spot, it happens in the caller). CVE-2008-0176 (Heap-based buffer overflow in w32rtr.exe in GE Fanuc CIMPLICITY HMI SC ...) NOT-FOR-US: GE Fanuc CIMPLICITY CVE-2008-0175 (Unrestricted file upload vulnerability in GE Fanuc Proficy Real-Time I ...) NOT-FOR-US: GE Fanuc Proficy Real-Time Information Portal CVE-2008-0174 (GE Fanuc Proficy Real-Time Information Portal 2.6 and earlier uses HTT ...) NOT-FOR-US: GE Fanuc Proficy Real-Time Information Portal CVE-2008-0172 (The get_repeat_type function in basic_regex_creator.hpp in the Boost r ...) - boost 1.34.1-5 (low; bug #461236) [etch] - boost (Minor issue) CVE-2008-0171 (regex/v4/perl_matcher_non_recursive.hpp in the Boost regex library (ak ...) - boost 1.34.1-5 (low; bug #461236) [etch] - boost (Minor issue) CVE-2008-0170 RESERVED CVE-2008-0169 (Plugin/passwordauth.pm (aka the passwordauth plugin) in ikiwiki 1.34 t ...) - ikiwiki 2.48 (medium; bug #483770) [etch] - ikiwiki (Vulnerable code introduced in 1.34) CVE-2008-0168 RESERVED CVE-2008-0167 (The write_array_file function in utils/include.pl in GForge 4.5.14 upd ...) {DSA-1577-1} - gforge 4.6.99+svn6496-1 (low) NOTE: https://rt.debian.org/Ticket/Display.html?id=672 CVE-2008-0166 (OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operat ...) {DSA-1576-1 DSA-1571-1} - openssl 0.9.8g-9 (high) [sarge] - openssl (Vulnerable code not present) - openssh 4.7p1-9 (high) NOTE: http://www.debian.org/security/key-rollover/ CVE-2008-0165 (Cross-site request forgery (CSRF) vulnerability in Ikiwiki before 2.42 ...) {DSA-1553-1} - ikiwiki 2.42 CVE-2008-0164 (Multiple cross-site request forgery (CSRF) vulnerabilities in Plone CM ...) - plone3 3.1.1-1 (bug #473571) CVE-2008-0163 (Linux kernel 2.6, when using vservers, allows local users to access re ...) {DSA-1494-1} - linux-2.6 2.6.25-1 (high) CVE-2008-0162 (misc.c in splitvt 1.6.6 and earlier does not drop group privileges bef ...) {DSA-1500-1} - splitvt 1.6.6-4 CVE-2008-0302 (Untrusted search path vulnerability in apt-listchanges.py in apt-listc ...) {DSA-1465-2} - apt-listchanges 2.82 (medium) [sarge] - apt-listchanges (Vulnerable code not present) NOTE: see http://web.archive.org/web/20080206193307/http://git.madism.org:80/?p=apt-listchanges.git;a=commitdiff;h=1bcfbf3dc55413bb83a1782dc9a54515a963fb32 CVE-2008-0160 RESERVED CVE-2007-6680 (Trusted Execution in IBM AIX 6.1 uses an incorrect pathname argument i ...) NOT-FOR-US: IBM AIX CVE-2007-6679 (Unspecified vulnerability in the Administrative Console in IBM WebSphe ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2007-6678 REJECTED CVE-2007-6677 (Cross-site scripting (XSS) vulnerability in Peter's Random Anti-Spam I ...) NOT-FOR-US: Peter's Random Anti-Spam Image CVE-2003-1539 (Cross-site scripting (XSS) vulnerability in ONEdotOH Simple File Manag ...) NOT-FOR-US: ONEdotOH Simple File CVE-2008-0173 (SQL injection vulnerability in Gforge 4.6.99 and earlier allows remote ...) {DSA-1459-1} - gforge 4.6.99+svn6330-1 (medium) NOTE: this is exploitable by unauthenticated users NOTE: Requires register_globals to be On, unsupported in lenny+sid. NOTE: In lenny+sid these scripts just don't work, so no security issue. NOTE: In etch+sarge we support gforge with rg On, unfortunately. CVE-2008-0159 (SQL injection vulnerability in index.php in eggBlog 3.1.0 and earlier ...) NOT-FOR-US: eggBlog CVE-2008-0158 (Directory traversal vulnerability in index.php in Shop-Script 2.0 and ...) NOT-FOR-US: Shop-Script CVE-2008-0157 (SQL injection vulnerability in FlexBB 0.6.3 and earlier allows remote ...) NOT-FOR-US: FlexBB CVE-2008-0156 (Absolute path traversal vulnerability in index.php in Million Dollar S ...) NOT-FOR-US: Million Dollar Script CVE-2008-0155 (Cross-site scripting (XSS) vulnerability in index.php in EvilBoard 0.1 ...) NOT-FOR-US: EvilBoard CVE-2008-0154 (SQL injection vulnerability in index.php in EvilBoard 0.1a (Alpha) all ...) NOT-FOR-US: EvilBoard CVE-2008-0153 (telnetd.exe in Pragma TelnetServer 7.0.4.589 allows remote attackers t ...) NOT-FOR-US: Pragma TelnetServer CVE-2008-0152 (SLnet.exe in SeattleLab SLNet RF Telnet Server 4.1.1.3758 and earlier ...) NOT-FOR-US: SeattleLab SLNet RF Telnet Server CVE-2008-0151 (Heap-based buffer overflow in Foxit WAC Server 2.1.0.910, 2.0 Build 35 ...) NOT-FOR-US: Foxit WAC Server CVE-2008-0150 (Unspecified vulnerability in the LDAP authentication feature in Aruba ...) NOT-FOR-US: Aruba Mobility Controller CVE-2008-0149 (TUTOS 1.3 allows remote attackers to read system information via a dir ...) - tutos - tutos2 (vulnerable code not present) CVE-2008-0148 (TUTOS 1.3 does not restrict access to php/admin/cmd.php, which allows ...) - tutos - tutos2 (vulnerable code not present) CVE-2008-0147 (SQL injection vulnerability in index.php in SmallNuke 2.0.4 and earlie ...) NOT-FOR-US: SmallNuke CVE-2008-0146 (Cross-site scripting (XSS) vulnerability in the error page in W3-mSQL ...) NOT-FOR-US: W3-mSQL CVE-2008-0145 (Unspecified vulnerability in glob in PHP before 4.4.8, when open_based ...) - php4 (unimportant) NOTE: open_basedir bypasses not supported CVE-2008-0144 (PHP remote file inclusion vulnerability in index.php in NetRisk 1.9.7 ...) NOT-FOR-US: NetRisk CVE-2008-0143 (PHP remote file inclusion vulnerability in common/db.php in samPHPweb, ...) NOT-FOR-US: samPHPweb CVE-2008-0142 (Multiple SQL injection vulnerabilities in WebPortal CMS 0.6-beta allow ...) NOT-FOR-US: WebPortal CMS CVE-2008-0141 (actions.php in WebPortal CMS 0.6-beta generates predictable passwords ...) NOT-FOR-US: WebPortal CMS CVE-2008-0140 (Directory traversal vulnerability in error.php in Uebimiau Webmail 2.7 ...) NOT-FOR-US: Uebimiau Webmail CVE-2008-0139 (Eval injection vulnerability in loudblog/inc/parse_old.php in Loudblog ...) NOT-FOR-US: Loudblog CVE-2008-0138 (PHP remote file inclusion vulnerability in xoopsgallery/init_basic.php ...) NOT-FOR-US: XOOPS CVE-2008-0137 (PHP remote file inclusion vulnerability in config.inc.php in SNETWORKS ...) NOT-FOR-US: SNETWORKS CVE-2008-0136 (Snitz Forums 2000 3.4.05 allows remote attackers to obtain sensitive i ...) NOT-FOR-US: Snitz Forums 2000 CVE-2008-0135 (Snitz Forums 2000 3.4.06 and earlier stores sensitive information unde ...) NOT-FOR-US: Snitz Forums 2000 CVE-2008-0134 (Cross-site scripting (XSS) vulnerability in Forums/setup.asp in Snitz ...) NOT-FOR-US: Snitz Forums 2000 CVE-2008-0133 (Multiple SQL injection vulnerabilities in Tribisur 2.1 and earlier all ...) NOT-FOR-US: Tribisur CVE-2008-0132 (Pragma FortressSSH 5.0 Build 4 Revision 293 and earlier handles long i ...) NOT-FOR-US: Pragma FortressSSH CVE-2008-0131 (Cross-site scripting (XSS) vulnerability in login_form.asp in Instant ...) NOT-FOR-US: Instant Softwares Dating Site CVE-2008-0130 (SQL injection vulnerability in login_form.asp in Instant Softwares Dat ...) NOT-FOR-US: Instant Softwares Dating Site CVE-2008-0129 (SQL injection vulnerability in starnet/addons/slideshow_full.php in Si ...) NOT-FOR-US: Site@School CVE-2008-0128 (The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn ...) {DSA-1468-1} - tomcat5 (unimportant) NOTE: SSO cookies not working in 5.0, have only been fixed in 5.5.13, see #34724 - tomcat5.5 5.5.23-1 (low) NOTE: SSO cookies sent over secure connections do not require NOTE: secure connections, possibly defeating HTTPS encryption. NOTE: See: http://issues.apache.org/bugzilla/show_bug.cgi?id=41217 CVE-2008-0127 (The administration interface in McAfee E-Business Server 8.5.2 and ear ...) NOT-FOR-US: McAfee E-Business Server CVE-2008-0126 RESERVED CVE-2008-0125 (Cross-site scripting (XSS) vulnerability in phpstats.php in Michael Wa ...) NOT-FOR-US: Michael Wagner phpstats CVE-2008-0124 (Cross-site scripting (XSS) vulnerability in Serendipity (S9Y) before 1 ...) {DSA-1528-1} - serendipity 1.3~b1-1 (low; bug #469667) CVE-2008-0123 (Cross-site scripting (XSS) vulnerability in install.php for Moodle 1.8 ...) - moodle 1.9.8-1 (unimportant) NOTE: the issue itself has a quite small attack vector NOTE: and considering that the apache configuration that comes NOTE: with moodle limits connections to localhost this is no issue CVE-2008-0122 (Off-by-one error in the inet_network function in libbind in ISC BIND 9 ...) - bind [sarge] - bind (applications will use inet_network in libc) [etch] - bind (applications will use inet_network in libc) - bind9 (does not build libbind) - glibc 2.2-1 NOTE: The fix for the BIND-based resolver in GNU libc was made in 2000. NOTE: libbind9 is distinct code, not related to the old libbind. CVE-2008-0121 (A "memory calculation error" in Microsoft PowerPoint Viewer 2003 allow ...) NOT-FOR-US: Microsoft PowerPoint Viewer CVE-2008-0120 (Integer overflow in Microsoft PowerPoint Viewer 2003 allows remote att ...) NOT-FOR-US: Microsoft PowerPoint Viewer CVE-2008-0119 (Unspecified vulnerability in Microsoft Publisher in Office 2000 and XP ...) NOT-FOR-US: Microsoft Publisher CVE-2008-0118 (Unspecified vulnerability in Microsoft Office 2000 SP3, XP SP3, 2003 S ...) NOT-FOR-US: Microsoft Office CVE-2008-0117 (Unspecified vulnerability in Microsoft Excel 2000 SP3 and 2002 SP2, an ...) NOT-FOR-US: Microsoft Excel CVE-2008-0116 (Microsoft Excel 2000 SP3 through 2003 SP2, Viewer 2003, Compatibility ...) NOT-FOR-US: Microsoft Excel CVE-2008-0115 (Unspecified vulnerability in Microsoft Excel 2000 SP3 through 2007, Vi ...) NOT-FOR-US: Microsoft Excel CVE-2008-0114 (Unspecified vulnerability in Microsoft Excel 2000 SP3 through 2003 SP2 ...) NOT-FOR-US: Microsoft Excel CVE-2008-0113 (Unspecified vulnerability in Microsoft Office Excel Viewer 2003 up to ...) NOT-FOR-US: Microsoft Excel CVE-2008-0112 (Unspecified vulnerability in Microsoft Excel 2000 SP3, and Office for ...) NOT-FOR-US: Microsoft Excel CVE-2008-0111 (Unspecified vulnerability in Microsoft Excel 2000 SP3 through 2007, Vi ...) NOT-FOR-US: Microsoft Excel CVE-2008-0110 (Unspecified vulnerability in Microsoft Outlook in Office 2000 SP3, XP ...) NOT-FOR-US: Microsoft Outlook CVE-2008-0109 (Word in Microsoft Office 2000 SP3, XP SP3, Office 2003 SP2, and Office ...) NOT-FOR-US: Microsoft Office CVE-2008-0108 (Stack-based buffer overflow in wkcvqd01.dll in Microsoft Works 6 File ...) NOT-FOR-US: Microsoft Office CVE-2008-0107 (Integer underflow in SQL Server 7.0 SP4, 2000 SP4, 2005 SP1 and SP2, 2 ...) NOT-FOR-US: Microsoft SQL Server CVE-2008-0106 (Buffer overflow in Microsoft SQL Server 2005 SP1 and SP2, and 2005 Exp ...) NOT-FOR-US: Microsoft SQL Server CVE-2008-0105 (Microsoft Works 6 File Converter, as used in Office 2003 SP2 and SP3, ...) NOT-FOR-US: Microsoft Office CVE-2008-0104 (Unspecified vulnerability in Microsoft Office Publisher 2000, 2002, an ...) NOT-FOR-US: Microsoft Office CVE-2008-0103 (Unspecified vulnerability in Microsoft Office 2000 SP3, Office XP SP3, ...) NOT-FOR-US: Microsoft Office CVE-2008-0102 (Unspecified vulnerability in Microsoft Office Publisher 2000, 2002, an ...) NOT-FOR-US: Microsoft Office CVE-2008-0101 (Format string vulnerability in the swDebugf function in DuneApp.cpp in ...) - whitedune 0.28.13-1 (medium) CVE-2008-0100 (Stack-based buffer overflow in the Scene::errorf function in Scene.cpp ...) - whitedune 0.28.13-1 (medium) CVE-2008-0099 (Multiple SQL injection vulnerabilities in MyPHP Forum 3.0 and earlier ...) NOT-FOR-US: MyPHP Forum CVE-2008-0098 (Buffer overflow in RealPlayer 11 build 6.0.14.748 allows remote attack ...) NOT-FOR-US: RealPlayer CVE-2008-0097 (Format string vulnerability in the log function in Georgia SoftWorks S ...) NOT-FOR-US: Georgia SoftWorks SSH2 Server CVE-2008-0096 (Multiple buffer overflows in Georgia SoftWorks SSH2 Server (GSW_SSHD) ...) NOT-FOR-US: Georgia SoftWorks SSH2 Server CVE-2008-0095 (The SIP channel driver in Asterisk Open Source 1.4.x before 1.4.17, Bu ...) - asterisk 1:1.4.17~dfsg-1 (medium; bug #458952) [etch] - asterisk (Only Asterisk 1.4.x affected) [sarge] - asterisk (Only Asterisk 1.4.x affected) CVE-2008-0094 (Multiple directory traversal vulnerabilities in MODx Content Managemen ...) NOT-FOR-US: MODx Content Management System CVE-2008-0093 (Multiple cross-site scripting (XSS) vulnerabilities in newticket.php i ...) NOT-FOR-US: eTicket CVE-2007-6676 (The default configuration of Uber Uploader (UU) 5.3.6 and earlier does ...) NOT-FOR-US: Uber Uploader CVE-2007-6675 (The b_system_comments_show function in htdocs/modules/system/blocks/sy ...) NOT-FOR-US: XOOPS CVE-2007-6674 (Cross-site scripting (XSS) vulnerability in Default.asp in RapidShare ...) NOT-FOR-US: RapidShare Database CVE-2007-6673 (Cross-site scripting (XSS) vulnerability in Makale Scripti allows remo ...) NOT-FOR-US: Makale Scripti CVE-2007-6672 (Mortbay Jetty 6.1.5 and 6.1.6 allows remote attackers to bypass protec ...) - jetty 6.1.18-1 (medium; bug #462793; bug #559765) CVE-2007-6671 (SQL injection vulnerability in login_form.asp in Instant Softwares Dat ...) NOT-FOR-US: Instant Softwares Dating Site CVE-2007-6670 (SQL injection vulnerability in search.php in PHCDownload 1.1.0 allows ...) NOT-FOR-US: PHCDownload CVE-2007-6669 (Cross-site scripting (XSS) vulnerability in search.php in PHCDownload ...) NOT-FOR-US: PHCDownload CVE-2007-6668 (admin/uploadgames.php in MySpace Content Zone (MCZ) 3.x does not requi ...) NOT-FOR-US: MySpace Content Zone CVE-2008-0092 (Cross-site scripting (XSS) vulnerability in index.php in the search mo ...) NOT-FOR-US: Appalachian State University phpWebSite CVE-2008-0091 (Directory traversal vulnerability in download2.php in AGENCY4NET WEBFT ...) NOT-FOR-US: AGENCY4NET WEBFTP CVE-2008-0090 (A certain ActiveX control in npUpload.dll in DivX Player 6.6.0 allows ...) NOT-FOR-US: DivX Player CVE-2008-0089 (SQL injection vulnerability in uprofile.php in ClipShare allows remote ...) NOT-FOR-US: ClipShare CVE-2008-0088 (Unspecified vulnerability in Active Directory on Microsoft Windows 200 ...) NOT-FOR-US: Windows CVE-2008-0087 (The DNS client in Microsoft Windows 2000 SP4, XP SP2, Server 2003 SP1 ...) NOT-FOR-US: Microsoft Windows CVE-2008-0086 (Buffer overflow in the convert function in Microsoft SQL Server 2000 S ...) NOT-FOR-US: Microsoft SQL Server CVE-2008-0085 (SQL Server 7.0 SP4, 2000 SP4, 2005 SP1 and SP2, 2000 Desktop Engine (M ...) NOT-FOR-US: Microsoft SQL Server CVE-2008-0084 (Unspecified vulnerability in the TCP/IP support in Microsoft Windows V ...) NOT-FOR-US: Windows CVE-2008-0083 (The (1) VBScript (VBScript.dll) and (2) JScript (JScript.dll) scriptin ...) NOT-FOR-US: Microsoft Windows CVE-2008-0082 (An ActiveX control (Messenger.UIAutomation.1) in Windows Messenger 4.7 ...) NOT-FOR-US: Windows Messenger CVE-2008-0081 (Unspecified vulnerability in Microsoft Excel 2000 SP3 through 2003 SP2 ...) NOT-FOR-US: Microsoft CVE-2008-0080 (Heap-based buffer overflow in the WebDAV Mini-Redirector in Microsoft ...) NOT-FOR-US: Windows CVE-2008-0079 REJECTED CVE-2008-0078 (Unspecified vulnerability in an ActiveX control (dxtmsft.dll) in Micro ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-0077 (Use-after-free vulnerability in Microsoft Internet Explorer 6 SP1, 6 S ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-0076 (Unspecified vulnerability in Microsoft Internet Explorer 5.01, 6 SP1 a ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-0075 (Unspecified vulnerability in Microsoft Internet Information Services ( ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-0074 (Unspecified vulnerability in Microsoft Internet Information Services ( ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2008-0073 (Array index error in the sdpplin_parse function in input/libreal/sdppl ...) {DSA-1543-1 DSA-1536-1 DTSA-119-1 DTSA-128-1} - xine-lib 1.1.11-1 (medium) - vlc 0.8.6.e-2 (medium; bug #473057) NOTE: http://bugs.xine-project.org/show_bug.cgi?id=58 CVE-2008-0072 (Format string vulnerability in the emf_multipart_encrypted function in ...) {DSA-1512-1} - evolution 2.12.3-1.1 NOTE: SA29057 CVE-2008-0071 (The Web UI interface in (1) BitTorrent before 6.0.3 build 8642 and (2) ...) NOT-FOR-US: uTorrent 1.7.7 (build 8179) / BitTorrent 6.0.1 (build 7859) CVE-2008-0070 (Integer overflow in Orb Networks Orb 2.00.1014 and Winamp Remote BETA ...) NOT-FOR-US: Orb Networks Orb and Winamp Remote BETA CVE-2008-0069 (Stack-based buffer overflow in XnView 1.92 and 1.92.1 allows user-assi ...) NOT-FOR-US: XnView CVE-2008-0068 (Directory traversal vulnerability in OpenView5.exe in HP OpenView Netw ...) NOT-FOR-US: HP OpenView CVE-2008-0067 (Multiple stack-based buffer overflows in HP OpenView Network Node Mana ...) NOT-FOR-US: HP OpenView Network Node Manager (OV NNM) CVE-2008-0066 (Multiple buffer overflows in htmsr.dll in the HTML speed reader in Aut ...) NOT-FOR-US: KeyView CVE-2008-0065 (Multiple stack-based buffer overflows in in_mp3.dll in Winamp 5.21, 5. ...) NOT-FOR-US: Winamp CVE-2008-0064 (Stack-based buffer overflow in Pierre-emmanuel Gougelet (1) XnView 1.9 ...) NOT-FOR-US: XnView, nconvert GFL SDK for Windows CVE-2008-0063 (The Kerberos 4 support in KDC in MIT Kerberos 5 (krb5kdc) does not pro ...) {DSA-1524-1} - krb5 1.6.dfsg.3~beta1-4 (medium) CVE-2008-0062 (KDC in MIT Kerberos 5 (krb5kdc) does not set a global variable for som ...) {DSA-1524-1} - krb5 1.6.dfsg.3~beta1-4 (high) CVE-2008-0060 (Help Viewer in Apple Mac OS X 10.4.11 and 10.5.2 allows remote attacke ...) NOT-FOR-US: Apple Mac OS X CVE-2008-0059 (Race condition in NSXML in Foundation for Apple Mac OS X 10.4.11 allow ...) NOT-FOR-US: Apple Mac OS X CVE-2008-0058 (Race condition in the NSURLConnection cache management functionality i ...) NOT-FOR-US: Apple Mac OS X CVE-2008-0057 (Multiple integer overflows in a "legacy serialization format" parser i ...) NOT-FOR-US: Apple Mac OS X CVE-2008-0056 (Stack-based buffer overflow in Foundation in Apple Mac OS X 10.4.11 al ...) NOT-FOR-US: Apple Mac OS X CVE-2008-0055 (Foundation in Apple Mac OS X 10.4.11 creates world-writable directorie ...) NOT-FOR-US: Apple Mac OS X CVE-2008-0054 (Foundation in Apple Mac OS X 10.4.11 might allow context-dependent att ...) NOT-FOR-US: Apple Mac OS X CVE-2008-0053 (Multiple buffer overflows in the HP-GL/2-to-PostScript filter in CUPS ...) {DSA-1625-1} - cupsys 1.3.6-1 - cups 1.3.6-1 NOTE: https://bugzilla.redhat.com/attachment.cgi?id=298651 CVE-2008-0052 (CoreServices in Apple Mac OS X 10.4.11 treats .ief as a safe file type ...) NOT-FOR-US: Apple Mac OS X CVE-2008-0051 (Integer overflow in CoreFoundation in Apple Mac OS X 10.4.11 might all ...) NOT-FOR-US: Apple Mac OS X CVE-2008-0050 (CFNetwork in Apple Mac OS X 10.4.11 allows remote HTTPS proxy servers ...) NOT-FOR-US: Apple Mac OS X CVE-2008-0049 (AppKit in Apple Mac OS X 10.4.11 inadvertently makes an NSApplication ...) NOT-FOR-US: Apple Mac OS X CVE-2008-0048 (Stack-based buffer overflow in AppKit in Apple Mac OS X 10.4.11 allows ...) NOT-FOR-US: Apple Mac OS X CVE-2008-0047 (Heap-based buffer overflow in the cgiCompileSearch function in CUPS 1. ...) {DSA-1530-1} - cupsys 1.3.6-3 (medium; bug #472105) - cups 1.3.6-3 (medium; bug #472105) [sarge] - cupsys (Vulnerable code not present) CVE-2008-0046 (The Application Firewall in Apple Mac OS X 10.5.2 has an incorrect Ger ...) NOT-FOR-US: Apple Mac OS X CVE-2008-0045 (Unspecified vulnerability in AFP Server in Apple Mac OS X 10.4.11 allo ...) NOT-FOR-US: Apple Mac OS X CVE-2008-0044 (Multiple buffer overflows in AFP Client in Apple Mac OS X 10.4.11 and ...) NOT-FOR-US: Apple Mac OS X CVE-2008-0043 (Format string vulnerability in Apple iPhoto before 7.1.2 allows remote ...) NOT-FOR-US: Apple iPhoto CVE-2008-0042 (Argument injection vulnerability in Terminal.app in Terminal in Apple ...) NOT-FOR-US: Apple Mac OSX CVE-2008-0041 (Parental Controls in Apple Mac OS X 10.5 through 10.5.1 contacts www.a ...) NOT-FOR-US: Apple Mac OSX CVE-2008-0040 (Unspecified vulnerability in NFS in Apple Mac OS X 10.5 through 10.5.1 ...) NOT-FOR-US: Apple Mac OSX CVE-2008-0039 (Unspecified vulnerability in Mail in Apple Mac OS X 10.4.11 allows rem ...) NOT-FOR-US: Apple Mac OSX CVE-2008-0038 (Launch Services in Apple Mac OS X 10.5 through 10.5.1 allows an uninst ...) NOT-FOR-US: Apple Mac OSX CVE-2008-0037 (X11 in Apple Mac OS X 10.5 through 10.5.1 does not properly handle whe ...) NOT-FOR-US: Apple Mac OSX CVE-2008-0036 (Buffer overflow in Apple QuickTime before 7.4 allows remote attackers ...) NOT-FOR-US: Apple QuickTime CVE-2008-0035 (Unspecified vulnerability in Foundation, as used in Apple iPhone 1.0 t ...) NOT-FOR-US: Apple cocoa Foundation NOTE: AFAICS this is not the same as libfoundation in Debian CVE-2008-0034 (Unspecified vulnerability in Passcode Lock in Apple iPhone 1.0 through ...) NOT-FOR-US: Apple iPhone CVE-2008-0033 (Unspecified vulnerability in Apple QuickTime before 7.4 allows remote ...) NOT-FOR-US: Apple QuickTime CVE-2008-0032 (Apple QuickTime before 7.4 allows remote attackers to execute arbitrar ...) NOT-FOR-US: Apple QuickTime CVE-2008-0031 (Unspecified vulnerability in Apple QuickTime before 7.4 allows remote ...) NOT-FOR-US: Apple QuickTime CVE-2007-6667 (SQL injection vulnerability in faq.php in MyPHP Forum 3.0 and earlier ...) NOT-FOR-US: MyPHP Forum CVE-2007-6666 (SQL injection vulnerability in rss.php in Zenphoto 1.1 through 1.1.3 a ...) NOT-FOR-US: Zenphoto CVE-2007-6665 (SQL injection vulnerability in admin/login.asp in Netchemia oneSCHOOL ...) NOT-FOR-US: Netchemia CVE-2007-6664 (SQL injection vulnerability in index.php in WebPortal CMS 0.6.0 and ea ...) NOT-FOR-US: WebPortal CVE-2007-6663 (SQL injection vulnerability in (1) Puarcade.php and (2) PUarcade.html. ...) NOT-FOR-US: Pragmatic Utopia PU Arcade CVE-2007-6662 (Directory traversal vulnerability in file.php in CuteNews 2.6 allows r ...) NOT-FOR-US: CuteNews CVE-2007-6661 (2z project 0.9.6.1 allows attackers to change the password without sup ...) NOT-FOR-US: 2z project CVE-2007-6660 (2z project 0.9.6.1 allows remote attackers to obtain sensitive informa ...) NOT-FOR-US: 2z project CVE-2007-6659 (Multiple cross-site scripting (XSS) vulnerabilities in 2z project 0.9. ...) NOT-FOR-US: 2z project CVE-2007-6658 (SQL injection vulnerability in admin.php/vars.php in CustomCMS (CCMS) ...) NOT-FOR-US: CCMS CVE-2007-6657 (PHP remote file inclusion vulnerability in source/includes/load_forum. ...) NOT-FOR-US: Mihalism CVE-2007-6656 (SQL injection vulnerability in content_css.php in the TinyMCE module f ...) NOT-FOR-US: CMS Made Simple CVE-2007-6655 (PHP remote file inclusion vulnerability in includes/function.php in Ko ...) NOT-FOR-US: Kontakt Formular CVE-2007-6654 (Buffer overflow in a certain ActiveX control in Macrovision InstallShi ...) NOT-FOR-US: Macrovision InstallShield Update Service Web Agent CVE-2007-6653 (Directory traversal vulnerability in download.php in Mihalism Multi Ho ...) NOT-FOR-US: Mihalism CVE-2007-6652 (cpie.php in XCMS 1.83 and earlier sends a redirect to the web browser ...) NOT-FOR-US: XCMS CVE-2007-6651 (Directory traversal vulnerability in wiki/edit.php in Bitweaver R2 CMS ...) NOT-FOR-US: Bitweaver CVE-2007-6650 (Unrestricted file upload vulnerability in fisheye/upload.php in Bitwea ...) NOT-FOR-US: Bitweaver CVE-2007-6649 (PHP remote file inclusion vulnerability in includes/tumbnail.php in Ma ...) NOT-FOR-US: MatPo Bilder Gallery CVE-2007-6648 (Directory traversal vulnerability in index.php in SanyBee Gallery 0.1. ...) NOT-FOR-US: SanyBee Gallery CVE-2007-6647 (SQL injection vulnerability in index.php in w-Agora 4.2.1 and earlier ...) NOT-FOR-US: w-Agora CVE-2007-6646 (Multiple cross-site scripting (XSS) vulnerabilities in LiveCart 1.0.1, ...) NOT-FOR-US: LiveCart CVE-2007-6645 (Unspecified vulnerability in Joomla! before 1.5 RC4 allows remote auth ...) NOT-FOR-US: Joomla! CVE-2007-6644 (Joomla! before 1.5 RC4 allows remote authenticated administrators to p ...) NOT-FOR-US: Joomla! CVE-2007-6643 (Cross-site scripting (XSS) vulnerability in the com_poll component in ...) NOT-FOR-US: Joomla! CVE-2007-6642 (Multiple cross-site request forgery (CSRF) vulnerabilities in Joomla! ...) NOT-FOR-US: Joomla! CVE-2007-6641 (Cross-site scripting (XSS) vulnerability in dir.php in milliscripts Re ...) NOT-FOR-US: milliscripts CVE-2007-6640 (Creammonkey 0.9 through 1.1 and GreaseKit 1.2 through 1.3 does not pro ...) NOT-FOR-US: Creammonkey and GreaseKit CVE-2007-6639 (SQL injection vulnerability in index.php in IPTBB 0.5.4 and earlier al ...) NOT-FOR-US: IPTBB CVE-2007-6638 (March Networks DVR 3204 stores sensitive information under the web roo ...) NOT-FOR-US: March Networks CVE-2007-6637 (Multiple cross-site scripting (XSS) vulnerabilities in Adobe Flash Pla ...) - flashplugin-nonfree 1:1.4 (bug #459071) [sarge] - flashplugin-nonfree (Contrib not supported) [etch] - flashplugin-nonfree (Contrib not supported) NOTE: http://www.adobe.com/support/security/advisories/apsa07-06.html CVE-2007-6636 (Unspecified vulnerability in the StorageFarabDb module in Bitflu befor ...) NOT-FOR-US: Bitflu CVE-2007-6635 (FAQMasterFlexPlus, possibly 1.5 or 1.52, stores the admin password in ...) NOT-FOR-US: FAQMasterFlexPlus CVE-2007-6634 (Multiple SQL injection vulnerabilities in FAQMasterFlexPlus, possibly ...) NOT-FOR-US: FAQMasterFlexPlus CVE-2007-6633 (Multiple cross-site scripting (XSS) vulnerabilities in FAQMasterFlexPl ...) NOT-FOR-US: FAQMasterFlexPlus CVE-2007-6632 (showCode.php in xml2owl 0.1.1 allows remote attackers to execute arbit ...) NOT-FOR-US: xml2owl CVE-2007-6631 (Multiple buffer overflows in LScube libnemesi 0.6.4-rc1 and earlier al ...) NOT-FOR-US: LScube libnemesi CVE-2007-6630 (The Url_init function in utils/url.c in Netembryo 0.0.4, when used by ...) NOT-FOR-US: Netembryo CVE-2007-6629 (Interpretation conflict in LScube Feng 0.1.15 and earlier allows remot ...) NOT-FOR-US: LScube Feng CVE-2007-6628 (LScube Feng 0.1.15 and earlier allows remote attackers to cause a deni ...) NOT-FOR-US: LScube Feng CVE-2007-6627 (Integer overflow in the RTSP_remove_msg function in RTSP_lowlevel.c in ...) NOT-FOR-US: LScube Feng CVE-2007-6626 (Multiple buffer overflows in the RTSP_valid_response_msg function in R ...) NOT-FOR-US: LScube Feng CVE-2007-6625 (The Platform Service Process (asampsp) in Fan-Out Driver Platform Serv ...) NOT-FOR-US: Platform Service Process (asampsp) CVE-2007-6624 (Directory traversal vulnerability in printview.php in PNphpBB2 1.2i an ...) NOT-FOR-US: PNphpBB2 CVE-2007-6623 (Absolute path traversal vulnerability in ZeusCMS 0.3 and earlier might ...) NOT-FOR-US: ZeusCMS CVE-2007-6622 (SQL injection vulnerability in security.php in ZeusCMS 0.3 and earlier ...) NOT-FOR-US: ZeusCMS CVE-2007-6621 (Directory traversal vulnerability in joovili.images.php in Joovili 3.0 ...) NOT-FOR-US: Joovili CVE-2007-6620 (Directory traversal vulnerability in include/images.inc.php in Joovili ...) NOT-FOR-US: Joovili CVE-2007-6619 (The Setup Wizard in Atlassian JIRA Enterprise Edition before 3.12.1 do ...) NOT-FOR-US: Setup Wizard in Atlassian JIRA Enterprise Edition CVE-2007-6618 (JIRA Enterprise Edition before 3.12.1 allows remote attackers to delet ...) NOT-FOR-US: JIRA Enterprise Edition CVE-2007-6617 (Cross-site scripting (XSS) vulnerability in 500page.jsp in JIRA Enterp ...) NOT-FOR-US: JIRA Enterprise Edition CVE-2007-6616 (Cross-site scripting (XSS) vulnerability in simpleforum.cgi in SimpleF ...) NOT-FOR-US: SimpleForum CVE-2007-6615 (Directory traversal vulnerability in includes/block.php in Agares Medi ...) NOT-FOR-US: Agares Media phpAutoVideo CVE-2007-6614 (PHP remote file inclusion vulnerability in admin/frontpage_right.php i ...) NOT-FOR-US: Agares Media phpAutoVideo CVE-2007-6613 (Stack-based buffer overflow in the print_iso9660_recurse function in i ...) - libcdio 0.78.2+dfsg1-2 (low; bug #459129) [sarge] - libcdio (Packages prior to 0.78.2 didn't build the tools into binary package) [etch] - libcdio (Packages prior to 0.78.2 didn't build the tools into binary package) NOTE: applications that use libcdio are not vulnerable, problem only lies in the info tool CVE-2007-6610 (unp 1.0.12, and other versions before 1.0.14, does not properly escape ...) - unp 1.0.13 (bug #448437; low) [etch] - unp (Only used as archiver in third-party software) CVE-2007-6609 (Multiple stack-based buffer overflows in the CPLI_ReadTag_OGG function ...) NOT-FOR-US: CoolPlayer CVE-2007-6608 (Multiple cross-site scripting (XSS) vulnerabilities in OpenBiblio 0.5. ...) NOT-FOR-US: OpenBiblio CVE-2007-6607 (OpenBiblio 0.5.2-pre4 and earlier allows remote attackers to obtain se ...) NOT-FOR-US: OpenBiblio CVE-2007-6606 (OpenBiblio 0.5.2-pre4 and earlier allows remote attackers to obtain co ...) NOT-FOR-US: OpenBiblio CVE-2007-6605 (Buffer overflow in a certain ActiveX control in SkyFexClient.ocx 1.0.2 ...) NOT-FOR-US: SkyFex Client CVE-2007-6604 (Multiple directory traversal vulnerabilities in index.php in XCMS 1.82 ...) NOT-FOR-US: XCMS CVE-2007-6603 (Hot or Not Clone has insufficient access control for producing and rea ...) NOT-FOR-US: Hot or Not Clone CVE-2007-6602 (SQL injection vulnerability in app/models/identity.php in NoseRub 0.5. ...) NOT-FOR-US: NoseRub CVE-2007-6601 (The DBLink module in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8 ...) {DSA-1463-1 DSA-1460-1} - postgresql-8.2 8.2.6-1 - postgresql-8.1 8.1.11-1 CVE-2007-6600 (PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, 7.4 ...) {DSA-1463-1 DSA-1460-1} - postgresql-8.2 8.2.6-1 - postgresql-8.1 8.1.11-1 [sarge] - postgresql CVE-2007-6597 (Multiple cross-site scripting (XSS) vulnerabilities in IPortalX before ...) NOT-FOR-US: IPortalX CVE-2007-6599 (Race condition in fileserver in OpenAFS 1.3.50 through 1.4.5 and 1.5.0 ...) {DSA-1458-1} - openafs 1.4.6.dfsg1-1 (medium) NOTE: http://www.openafs.org/security/OPENAFS-SA-2007-003.txt CVE-2007-6595 (ClamAV 0.92 allows local users to overwrite arbitrary files via a syml ...) {DSA-1497-1} - clamav 0.92.1~dfsg-1 (low; bug #458532) [etch] - clamav (Minor issue, first issue doesn't apply) [sarge] - clamav (Security Support has stopped) CVE-2007-6596 (ClamAV 0.92 does not recognize Base64 UUEncoded archives, which allows ...) - clamav 0.92.1~dfsg-1 (unimportant; bug #458532) [etch] - clamav (Minor issue) [sarge] - clamav (Security Support has stopped) NOTE: this is more a feature request than a bug CVE-2007-6594 (IBM Lotus Notes 8 for Linux before 8.0.1 uses (1) unspecified weak per ...) NOT-FOR-US: Lotus Notes CVE-2007-6593 (Multiple stack-based buffer overflows in l123sr.dll in Autonomy (forme ...) NOT-FOR-US: IBM Lotus Notes CVE-2007-6592 (Apple Safari 2, when a user accepts an SSL server certificate on the b ...) NOT-FOR-US: Safari CVE-2007-6591 (KDE Konqueror 3.5.5 and 3.95.00, when a user accepts an SSL server cer ...) - kdebase 4:4.0.3-1 (low; bug #458968) [etch] - kdebase (Minor issue) [lenny] - kdebase (Minor issue) NOTE: filed http://bugs.kde.org/show_bug.cgi?id=154921 NOTE: No longer occurs in KDE 4.0.3 according to upstream bug CVE-2007-6590 REJECTED CVE-2007-6589 (The jar protocol handler in Mozilla Firefox before 2.0.0.10 and SeaMon ...) {DSA-1534-1} - iceape 1.1.7-1 (medium) - iceweasel 2.0.0.10-1 (medium) CVE-2007-6588 (Cross-site scripting (XSS) vulnerability in PHCDownload 1.10 allows re ...) NOT-FOR-US: PHCDownload CVE-2007-6587 (SQL injection vulnerability in plog-rss.php in Plogger 1.0 Beta 3.0 al ...) NOT-FOR-US: Plogger CVE-2007-6586 (SQL injection vulnerability in sezione_news.php in nicLOR-CMS allows r ...) NOT-FOR-US: nicLOR-CMS CVE-2007-6585 (PHP remote file inclusion vulnerability in confirmUnsubscription.php i ...) NOT-FOR-US: NmnNewsletter CVE-2007-6584 (Multiple directory traversal vulnerabilities in 1024 CMS 1.3.1 allow r ...) NOT-FOR-US: 1024 CMS CVE-2007-6583 (SQL injection vulnerability in admin/ops/findip/ajax/search.php in 102 ...) NOT-FOR-US: 1024 CMS CVE-2007-6582 (Directory traversal vulnerability in index.php in mBlog 1.2 allows rem ...) NOT-FOR-US: mBlog CVE-2007-6581 (Multiple directory traversal vulnerabilities in Social Engine 2.0 allo ...) NOT-FOR-US: Social Engine CVE-2007-6580 (Multiple SQL injection vulnerabilities in Wallpaper Site 1.0.09 allow ...) NOT-FOR-US: Wallpaper Site CVE-2007-6579 (Multiple SQL injection vulnerabilities in Ip Reg 0.3 allow remote atta ...) NOT-FOR-US: Ip Reg CVE-2007-6578 (SQL injection vulnerability in go.php in PHP ZLink 0.3 allows remote a ...) NOT-FOR-US: PHP ZLink CVE-2007-6577 (Multiple SQL injection vulnerabilities in index.php in zBlog 1.2 allow ...) NOT-FOR-US: zBlog CVE-2007-6576 (Multiple SQL injection vulnerabilities in Adult Script 1.6.5 and earli ...) NOT-FOR-US: Adult Script CVE-2007-6575 (SQL injection vulnerability in default.php in MMSLamp allows remote at ...) NOT-FOR-US: MMSLamp CVE-2007-6574 (Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.4 an ...) NOT-FOR-US: Dokeos CVE-2007-6573 (QK SMTP Server 3 allows remote attackers to cause a denial of service ...) NOT-FOR-US: QK SMTP CVE-2007-6572 (Cross-site scripting (XSS) vulnerability in Sun Java System Web Server ...) NOT-FOR-US: Sun Java System Web Server CVE-2007-6571 (Cross-site scripting (XSS) vulnerability in Sun Java System Web Proxy ...) NOT-FOR-US: Sun Java System Web Proxy CVE-2007-6570 (Cross-site scripting (XSS) vulnerability in the View URL Database func ...) NOT-FOR-US: Sun Java System Web Proxy Server CVE-2007-6569 (Cross-site scripting (XSS) vulnerability in the View Error Log functio ...) NOT-FOR-US: Sun Java System Web Proxy Server CVE-2007-6568 (PHP remote file inclusion vulnerability in config.inc.php in XZero Com ...) NOT-FOR-US: XZero Community Classifieds CVE-2007-6567 (Directory traversal vulnerability in index.php in XZero Community Clas ...) NOT-FOR-US: XZero Community Classifieds CVE-2007-6566 (SQL injection vulnerability in post.php in XZero Community Classifieds ...) NOT-FOR-US: XZero Community Classifieds CVE-2007-6565 (Multiple SQL injection vulnerabilities in Blakord Portal 1.3.A Beta an ...) NOT-FOR-US: Blakord Portal CVE-2007-6611 (Cross-site scripting (XSS) vulnerability in view.php in Mantis before ...) {DSA-1467-1} - mantis 1.0.8-4 (low; bug #458377) CVE-2007-6683 (The browser plugin in VideoLAN VLC 0.8.6d allows remote attackers to o ...) {DSA-1543-1 DTSA-132-1} - vlc 0.8.6.c-4.1 (medium; bug #458318) - mozilla-browser-plugin 0.8.6.e-2.2 (bug #480370) NOTE: the plugin is in the same srcpkg but has its own implementation for VLCOPT [lenny] - vlc 0.8.6.c-4.1~lenny1 NOTE: see https://trac.videolan.org/vlc/ticket/1371 CVE-2007-6682 (Format string vulnerability in the httpd_FileCallBack function (networ ...) {DSA-1543-1} - vlc 0.8.6.c-4.1 (medium; bug #458318) [lenny] - vlc 0.8.6.c-4.1~lenny1 NOTE: see http://www.securityfocus.com/archive/1/485488/30/0/threaded CVE-2007-6681 (Stack-based buffer overflow in modules/demux/subtitle.c in VideoLAN VL ...) {DSA-1543-1} - vlc 0.8.6.c-4.1 (low; bug #458318) [lenny] - vlc 0.8.6.c-4.1~lenny1 NOTE: see http://www.securityfocus.com/archive/1/485488/30/0/threaded CVE-2007-6684 (The RTSP module in VideoLAN VLC 0.8.6d allows remote attackers to caus ...) - vlc 0.8.6.c-4.1 (bug #458318) [lenny] - vlc 0.8.6.c-4.1~lenny1 NOTE: That's hardly a security problem, just a bug CVE-2007-6598 (Dovecot before 1.0.10, with certain configuration options including us ...) {DSA-1457-1} - dovecot 1:1.0.10-1 (low; bug #458315) [sarge] - dovecot (Vulnerable code not present) [etch] - dovecot (very minor issue) NOTE: http://dovecot.org/list/dovecot-news/2007-December/000057.html NOTE: low, because issue is only with quite rare configurations CVE-2007-6612 (Directory traversal vulnerability in DirHandler (lib/mongrel/handlers. ...) - mongrel 1.1.3-1 (medium) CVE-2007-6564 (Cross-site scripting (XSS) vulnerability in admin.php in Limbo CMS 1.0 ...) NOT-FOR-US: Limbo CMS CVE-2007-6563 (Heap-based buffer overflow in WinAce 2.65 and earlier, and possibly ot ...) NOT-FOR-US: WinAce CVE-2007-6562 (Multiple stack-based buffer overflows in the use of FD_SET in TCPreen ...) {DSA-1443-1} - tcpreen 1.4.3-0.3 (medium; bug #457781) CVE-2007-6561 (Multiple stack-based buffer overflows in PDFLib allow user-assisted re ...) NOT-FOR-US: PDFLib CVE-2007-6560 (Multiple cross-site scripting (XSS) vulnerabilities in Logaholic befor ...) NOT-FOR-US: Logaholic CVE-2007-6559 (Multiple SQL injection vulnerabilities in Logaholic before 2.0 RC8 all ...) NOT-FOR-US: Logaholic CVE-2007-6558 (TotalPlayer 3.0 allows user-assisted remote attackers to cause a denia ...) NOT-FOR-US: TotalPlayer CVE-2007-6557 (Multiple SQL injection vulnerabilities in MeGaCheatZ 1.1 allow remote ...) NOT-FOR-US: MeGaCheatZ CVE-2007-6556 (Multiple SQL injection vulnerabilities in websihirbazi 5.1.1 allow rem ...) NOT-FOR-US: websihirbazi CVE-2007-6555 (PHP remote file inclusion vulnerability in modules/mod_pxt_latest.php ...) NOT-FOR-US: Joomla! extension CVE-2007-6554 (Multiple directory traversal vulnerabilities in TeamCal Pro 3.1.000 an ...) NOT-FOR-US: TeamCal CVE-2007-6553 (Multiple PHP remote file inclusion vulnerabilities in TeamCal Pro 3.1. ...) NOT-FOR-US: TeamCal CVE-2007-6552 (Directory traversal vulnerability in index.php in AuraCMS 2.2 allows r ...) NOT-FOR-US: AuraCMS CVE-2007-6551 (SQL injection vulnerability in showMsg.php in MailMachine Pro 2.2.4, a ...) NOT-FOR-US: MailMachine CVE-2007-6550 (form.php in PMOS Help Desk 2.4 and earlier sends a redirect to the web ...) NOT-FOR-US: PMOS Help Desk CVE-2007-6549 (Unspecified vulnerability in RunCMS before 1.6.1 has unknown impact an ...) NOT-FOR-US: RunCMS CVE-2007-6548 (Multiple direct static code injection vulnerabilities in RunCMS before ...) NOT-FOR-US: RunCMS CVE-2007-6547 (RunCMS before 1.6.1 does not require entry of the old password during ...) NOT-FOR-US: RunCMS CVE-2007-6546 (RunCMS before 1.6.1 uses a predictable session id, which makes it easi ...) NOT-FOR-US: RunCMS CVE-2007-6545 (Multiple cross-site scripting (XSS) vulnerabilities in RunCMS before 1 ...) NOT-FOR-US: RunCMS CVE-2007-6544 (Multiple SQL injection vulnerabilities in RunCMS before 1.6.1 allow re ...) NOT-FOR-US: RunCMS CVE-2007-6543 (SQL injection vulnerability in suggest-link.php in eSyndiCat Link Exch ...) NOT-FOR-US: eSyndiCat Link Exchange Script CVE-2007-6542 (PHP remote file inclusion vulnerability in admin/frontpage_right.php i ...) NOT-FOR-US: Arcadem LEArcadem LE CVE-2007-6541 (Multiple cross-site scripting (XSS) vulnerabilities in neuron news 1.0 ...) NOT-FOR-US: neuron news CVE-2007-6540 (SQL injection vulnerability in neuron news 1.0 allows remote attackers ...) NOT-FOR-US: neuron news CVE-2007-6539 (PHP local file inclusion vulnerability in index.php in IDevspot iSuppo ...) NOT-FOR-US: IDevspot iSupport CVE-2007-6538 (SQL injection vulnerability in ing/blocks/mrbs/code/web/view_entry.php ...) - moodle (Vulnerable code not present, third party module) CVE-2007-6537 (Stack-based buffer overflow in the zfile_gunzip function in zfile.c in ...) NOT-FOR-US: WinUAE CVE-2007-6536 (The Custom Button Installer dialog in Google Toolbar 4 and 5 beta pres ...) NOT-FOR-US: Google Toolbar CVE-2007-6535 (Buffer overflow in the YShortcut ActiveX control in YShortcut.dll 2006 ...) NOT-FOR-US: YShortcut ActiveX control CVE-2007-6534 (Multiple unspecified vulnerabilities in Microsoft Office Publisher all ...) NOT-FOR-US: Microsoft Office Publisher CVE-2007-6533 (Buffer overflow in Zoom Player 6.00 beta 2 and earlier allows user-ass ...) NOT-FOR-US: Zoom Player CVE-2007-6532 (Double free vulnerability in the Widget Library (libxfcegui4) in Xfce ...) - libxfcegui4 4.4.2 (low) [sarge] - libxfcegui4 (Minor issue) [etch] - libxfcegui4 (Minor issue) CVE-2007-6531 (Stack-based buffer overflow in the Panel (xfce4-panel) component in Xf ...) - xfce4-panel 4.4.2 (low) [sarge] - xfce4-panel (Minor issue) [etch] - xfce4-panel (Minor issue) CVE-2007-6530 (Buffer overflow in the XUpload.ocx ActiveX control in Persits Software ...) NOT-FOR-US: XUpload CVE-2007-6529 (Multiple unspecified vulnerabilities in TikiWiki before 1.9.9 have unk ...) - tikiwiki CVE-2007-6528 (Directory traversal vulnerability in tiki-listmovies.php in TikiWiki b ...) - tikiwiki CVE-2007-6527 (uploadimg.php in the Automatic Image Upload with Thumbnails (imgUpload ...) NOT-FOR-US: PunBB CVE-2007-6526 (Cross-site scripting (XSS) vulnerability in tiki-special_chars.php in ...) - tikiwiki CVE-2007-6525 (Unspecified vulnerability in eClient in IBM DB2 Content Manager (CM) T ...) NOT-FOR-US: IBM DB2 Content Manager CVE-2007-6524 (Opera before 9.25 allows remote attackers to obtain potentially sensit ...) NOT-FOR-US: Opera CVE-2007-6523 (Algorithmic complexity vulnerability in Opera 9.50 beta and 9.x before ...) NOT-FOR-US: Opera CVE-2007-6522 (The rich text editing functionality in Opera before 9.25 allows remote ...) NOT-FOR-US: Opera CVE-2007-6521 (Unspecified vulnerability in Opera before 9.25 allows remote attackers ...) NOT-FOR-US: Opera CVE-2007-6520 (Opera before 9.25 allows remote attackers to conduct cross-domain scri ...) NOT-FOR-US: Opera CVE-2007-6519 (Unspecified vulnerability in the File-on-File Mounting File System (FF ...) NOT-FOR-US: HP Tru64 UNIX CVE-2007-6518 (Multiple SQL injection vulnerabilities in search.php in WoltLab Burnin ...) NOT-FOR-US: WoltLab Burning Board CVE-2007-6517 (SQL injection vulnerability in the forget password section (LostPwd.as ...) NOT-FOR-US: Eagle Software Aeries Browser Interface CVE-2007-6516 (Buffer overflow in RavWare Software MAS Flic ActiveX Control (masflc.o ...) NOT-FOR-US: RavWare Software MAS Flic ActiveX Control CVE-2007-6515 (support/dispatch.cgi in SiteScape Forum allows remote attackers to exe ...) NOT-FOR-US: SiteScape CVE-2007-6513 (HP eSupportDiagnostics ActiveX control (hpediag.dll) 1.0.11.0 exports ...) NOT-FOR-US: HP eSupportDiagnostics ActiveX control CVE-2007-6512 (PHP MySQL Banner Exchange 2.2.1 stores sensitive information under the ...) NOT-FOR-US: PHP MySQL Banner Exchange CVE-2007-6511 (Websense Enterprise 6.3.1 allows remote attackers to bypass content fi ...) NOT-FOR-US: Websense Enterprise CVE-2007-6510 (Multiple stack-based buffer overflows in ProWizard 4 PC (prowiz) 1.62 ...) NOT-FOR-US: ProWizard CVE-2007-6509 (Unspecified vulnerability in Appian Enterprise Business Process Manage ...) NOT-FOR-US: Appian Enterprise Business Process Management Suite CVE-2007-6508 (Directory traversal vulnerability in view.php in xeCMS 1.0 allows remo ...) NOT-FOR-US: xeCMS CVE-2007-6514 (Apache HTTP Server, when running on Linux with a document root on a Wi ...) - linux-2.6 2.6.17-1 (low; bug #529318) - linux-2.6.24 (Fixed before initial upload, 2.6.17) NOTE: While labeled as an Apache flaw, fix required in smbfs CVE-2007-XXXX [venkman preinst symlink dos] - venkman 0.9.87.2-1 (bug #456520) [lenny] - venkman (Vulnerable code not present) [sarge] - venkman (Vulnerable code not present) [etch] - venkman (Vulnerable code not present) CVE-2007-XXXX [unace unspecified security issue related to uninitialized variable] - unace-nonfree 2.5-3 [etch] - unace-nonfree 2.5-1etch1 CVE-2007-6507 (SpntSvc.exe daemon in Trend Micro ServerProtect 5.58 for Windows, befo ...) NOT-FOR-US: Trend Micro ServerProtect CVE-2007-6506 (The HPRulesEngine.ContentCollection.1 ActiveX Control in RulesEngine.d ...) NOT-FOR-US: HP Software Update CVE-2007-6505 (Solaris 9, with Solaris Auditing enabled and certain patches for sshd ...) NOT-FOR-US: Solaris CVE-2007-6504 (Unspecified vulnerability in IIS/iibind.asp in Hosting Controller 6.1 ...) NOT-FOR-US: Hosting Controller CVE-2007-6503 (Multiple unspecified vulnerabilities in Hosting Controller 6.1 Hot fix ...) NOT-FOR-US: Hosting Controller CVE-2007-6502 (Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote authentic ...) NOT-FOR-US: Hosting Controller CVE-2007-6501 (Unspecified vulnerability in Hosting Controller 6.1 Hot fix 3.3 and ea ...) NOT-FOR-US: Hosting Controller CVE-2007-6500 (Unspecified vulnerability in Hosting Controller 6.1 Hot fix 3.3 and ea ...) NOT-FOR-US: Hosting Controller CVE-2007-6499 (Unspecified vulnerability in Hosting Controller 6.1 Hot fix 3.3 and ea ...) NOT-FOR-US: Hosting Controller CVE-2007-6498 (Multiple SQL injection vulnerabilities in Hosting Controller 6.1 Hot f ...) NOT-FOR-US: Hosting Controller CVE-2007-6497 (Hosting Controller 6.1 Hot fix 3.3 and earlier (1) allows remote attac ...) NOT-FOR-US: Hosting Controller CVE-2007-6496 (Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote attackers ...) NOT-FOR-US: Hosting Controller CVE-2007-6495 (inc_newuser.asp in Hosting Controller 6.1 Hot fix 3.3 and earlier allo ...) NOT-FOR-US: Hosting Controller CVE-2007-6494 (Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote attackers ...) NOT-FOR-US: Hosting Controller CVE-2007-6493 (The IMWeb.IMWebControl.1 ActiveX control in IMWeb.dll 7.0.0.x, and pos ...) NOT-FOR-US: iMesh CVE-2007-6492 (The IMWeb.IMWebControl.1 ActiveX control in IMWeb.dll 7.0.0.x, and pos ...) NOT-FOR-US: iMesh CVE-2007-6491 (Multiple SQL injection vulnerabilities in Kvaliitti WebDoc 3.0 CMS all ...) NOT-FOR-US: Kvaliitti WebDoc CMS CVE-2007-6490 (Cross-site request forgery (CSRF) vulnerability in Falcon Series One C ...) NOT-FOR-US: Falcon Series One CMS CVE-2007-6489 (Multiple cross-site scripting (XSS) vulnerabilities in Falcon Series O ...) NOT-FOR-US: Falcon Series One CMS CVE-2007-6488 (Multiple PHP remote file inclusion vulnerabilities in Falcon Series On ...) NOT-FOR-US: Falcon Series One CMS CVE-2007-6487 (Unspecified vulnerability in Plain Black WebGUI 7.4.0 through 7.4.17 a ...) NOT-FOR-US: Plain Black WebGUI CVE-2007-6486 (Multiple cross-site scripting (XSS) vulnerabilities in shout.php (aka ...) NOT-FOR-US: LineShout CVE-2007-6485 (Multiple PHP remote file inclusion vulnerabilities in Centreon 1.4.1 ( ...) - centreon-web (bug #913903) CVE-2007-6484 (SQL injection vulnerability in index.php in phpRPG 0.8 allows remote a ...) NOT-FOR-US: phpRPG CVE-2007-6483 (Directory traversal vulnerability in SafeNet Sentinel Protection Serve ...) NOT-FOR-US: SafeNet Sentinel Protection and Keys Server CVE-2007-6482 (Unspecified vulnerability in the Device Manager daemon (utdevmgrd) in ...) NOT-FOR-US: utdevmgrd in Sun Ray Server Software CVE-2007-6481 (Unspecified vulnerability in the Device Manager daemon (utdevmgrd) in ...) NOT-FOR-US: utdevmgrd in Sun Ray Server Software CVE-2007-6480 (The Oracle database component in Sun Management Center (Sun MC) 3.6.1, ...) NOT-FOR-US: Oracle database component in Sun Management Center CVE-2007-6479 (Unrestricted file upload vulnerability in the "My productions" compone ...) NOT-FOR-US: Dokeos CVE-2007-6478 (Stack-based buffer overflow in Rosoft Media Player 4.1.7, 4.1.8, and p ...) NOT-FOR-US: Rosoft Media Player CVE-2007-6477 (Cross-site scripting (XSS) vulnerability in the on-line help feature i ...) NOT-FOR-US: Citrix Web Interface and NFuse CVE-2007-6476 (GF-3XPLORER 2.4 allows remote attackers to obtain configuration inform ...) NOT-FOR-US: GF-3XPLORER CVE-2007-6475 (Multiple directory traversal vulnerabilities in GF-3XPLORER 2.4 allow ...) NOT-FOR-US: GF-3XPLORER CVE-2007-6474 (Multiple cross-site scripting (XSS) vulnerabilities in GF-3XPLORER 2.4 ...) NOT-FOR-US: GF-3XPLORER CVE-2007-6473 (Heap-based buffer overflow in Texas Imperial Software WFTPD Pro Explor ...) NOT-FOR-US: WFTPD Explorer Pro CVE-2007-6472 (Multiple SQL injection vulnerabilities in phpMyRealty (PMR) 1.0.9 allo ...) NOT-FOR-US: phpMyRealty CVE-2007-6471 (Incomplete blacklist vulnerability in main.php in phPay 2.02.01 on Win ...) NOT-FOR-US: phPay CVE-2007-6470 (phpRPG 0.8 stores sensitive information under the web root with insuff ...) NOT-FOR-US: phpRPG CVE-2007-6469 (SQL injection vulnerability in index.php in phpRPG 0.8, when magic_qut ...) NOT-FOR-US: phpRPG CVE-2007-6468 (Buffer overflow in the HuffDecode function in hw_utils/hwrcon/huffman. ...) NOT-FOR-US: Hammer of Thyrion CVE-2007-6467 (SQL injection vulnerability in index.php in MKPortal 1.1 RC1 allows re ...) NOT-FOR-US: MKPortal CVE-2007-6466 (Multiple SQL injection vulnerabilities in index.php in FreeWebshop 2.2 ...) NOT-FOR-US: FreeWebshop CVE-2007-6465 (Multiple cross-site scripting (XSS) vulnerabilities in ganglia-web in ...) - ganglia-monitor-core (ganglia web-frontend not included) CVE-2007-6464 (Multiple PHP remote file inclusion vulnerabilities in Form tools 1.5.0 ...) NOT-FOR-US: Form tools CVE-2007-6463 (Multiple cross-site scripting (XSS) vulnerabilities in the admin panel ...) NOT-FOR-US: PHP Real Estate Classifieds CVE-2007-6462 (SQL injection vulnerability in fullnews.php in PHP Real Estate Classif ...) NOT-FOR-US: PHP Real Estate Classifieds CVE-2007-6461 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Fl ...) - flyspray CVE-2007-6460 (Multiple cross-site scripting (XSS) vulnerabilities in Anon Proxy Serv ...) NOT-FOR-US: Anon Proxy Server CVE-2007-6459 (Anon Proxy Server 0.100, and probably 0.101, allows remote attackers t ...) NOT-FOR-US: Anon Proxy Server CVE-2007-6458 (SQL injection vulnerability in shop/mainfile.php in 123tkShop 0.9.1 al ...) NOT-FOR-US: 123tkShop CVE-2007-6457 (Stack-based buffer overflow in the webmail feature in SurgeMail 38k4 a ...) NOT-FOR-US: NetWin SurgeMail 38k4 CVE-2007-6456 (Unspecified vulnerability in OpenOffice.org code in Planamesa NeoOffic ...) NOT-FOR-US: Planamesa NeoOffice NOTE: referring to OpenOffice security team this is what is described in CVE-2007-4575 for OO CVE-2007-6455 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Ma ...) NOT-FOR-US: Mambo NOTE: Mambo is in experimental CVE-2007-6454 (Heap-based buffer overflow in the handshakeHTTP function in servhs.cpp ...) {DSA-1583-1 DSA-1441-1} - peercast 0.1218+svn20071220+2 (medium; bug #457300) - gnome-peercast 0.5.4-1.2 (medium; bug #466539) CVE-2007-6453 (Directory traversal vulnerability in raidenhttpd-admin/workspace.php i ...) NOT-FOR-US: RaidenHTTPD CVE-2007-6452 (Unspecified vulnerability in the benchmark reporting system in Google ...) - gwt 1.6.4-1 (low; bug #563542) CVE-2007-6451 (Unspecified vulnerability in the CIP dissector in Wireshark (formerly ...) {DSA-1446-1 DTSA-104-1} - wireshark 0.99.7-1 - ethereal CVE-2007-6450 (The RPL dissector in Wireshark (formerly Ethereal) 0.9.8 to 0.99.6 all ...) {DSA-1446-1 DTSA-104-1} - wireshark 0.99.7-1 - ethereal CVE-2007-6449 REJECTED CVE-2007-6448 REJECTED CVE-2007-6447 REJECTED CVE-2007-6446 REJECTED CVE-2007-6445 REJECTED CVE-2007-6444 REJECTED CVE-2007-6443 REJECTED CVE-2007-6442 REJECTED CVE-2007-6441 (The WiMAX dissector in Wireshark (formerly Ethereal) 0.99.6 allows rem ...) {DTSA-104-1} - wireshark 0.99.7-1 [sarge] - ethereal (vulnerable code introduced in 0.99.6) [etch] - wireshark (vulnerable code introduced in 0.99.6) CVE-2007-6440 REJECTED CVE-2007-6439 (Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause ...) {DTSA-104-1} - wireshark 0.99.7-1 [sarge] - ethereal (vulnerable code introduced in 0.99.6) [etch] - wireshark (vulnerable code introduced in 0.99.6) CVE-2007-6438 (Unspecified vulnerability in the SMB dissector in Wireshark (formerly ...) {DTSA-104-1} - wireshark 0.99.7-1 [sarge] - ethereal (vulnerable code introduced in 0.99.6) [etch] - wireshark (vulnerable code introduced in 0.99.6) CVE-2007-6437 (Balabit syslog-ng 2.0.x before 2.0.6 and 2.1.x before 2.1.8 allows rem ...) {DSA-1464-1 DTSA-105-1} - syslog-ng 2.0.6-1 (low; bug #457334) [sarge] - syslog-ng (Vulnerable code not present) CVE-2003-1538 (susehelp in SuSE Linux 8.1, Enterprise Server 8, Office Server, and Op ...) NOT-FOR-US: predating security tracker CVE-2008-0030 REJECTED CVE-2008-0029 (Cisco Application Velocity System (AVS) before 5.1.0 is installed with ...) NOT-FOR-US: Cisco CVE-2008-0028 (Unspecified vulnerability in Cisco PIX 500 Series Security Appliance a ...) NOT-FOR-US: Cisco CVE-2008-0027 (Heap-based buffer overflow in the Certificate Trust List (CTL) Provide ...) NOT-FOR-US: Cisco CVE-2008-0026 (SQL injection vulnerability in Cisco Unified CallManager/Communication ...) NOT-FOR-US: Cisco CVE-2007-6436 (Stack-based buffer overflow in JSGCI.DLL in JustSystems Ichitaro 2005, ...) NOT-FOR-US: JustSystems CVE-2007-6435 (Stack-based buffer overflow in Novell GroupWise before 6.5.7, when HTM ...) NOT-FOR-US: Novell GroupWise CVE-2007-6434 (Linux kernel 2.6.23 allows local users to create low pages in virtual ...) - linux-2.6 2.6.23-2 [etch] - linux-2.6 (Only Linux 2.6.23 and above affected) CVE-2007-6433 (The getRenderedEjbql method in the org.jboss.seam.framework.Query clas ...) - jbosseam (bug #451956) CVE-2007-6432 (Stack-based buffer overflow in AldFs32.dll in Adobe PageMaker 7.0.1 an ...) NOT-FOR-US: Adobe PageMaker CVE-2007-6431 (Unspecified vulnerability in Adobe Flash Media Server 2 before 2.0.5, ...) NOT-FOR-US: Adobe Flash Media Server CVE-2007-6430 (Asterisk Open Source 1.2.x before 1.2.26 and 1.4.x before 1.4.16, and ...) {DSA-1525-1} - asterisk 1:1.4.16.2~dfsg-1 (low; bug #457063) [etch] - asterisk (Minor issue, eventually fix in a later DSA) [sarge] - asterisk (Vulnerable code not present) CVE-2007-6429 (Multiple integer overflows in X.Org Xserver before 1.4.1 allow context ...) {DSA-1466-2 DTSA-110-1} - xorg-server 2:1.4.1~git20080105-2 CVE-2007-6428 (The ProcGetReservedColormapEntries function in the TOG-CUP extension i ...) {DSA-1466-2 DTSA-110-1} - xorg-server 2:1.4.1~git20080105-2 CVE-2007-6427 (The XInput extension in X.Org Xserver before 1.4.1 allows context-depe ...) {DSA-1466-2 DTSA-110-1} - xorg-server 2:1.4.1~git20080105-2 CVE-2007-6426 (Multiple heap-based buffer overflows in EMC RepliStor 6.2 SP2, and pos ...) NOT-FOR-US: EMC RepliStor CVE-2007-6425 (Unspecified vulnerability in HP-UX B.11.31, when running ARPA Transpor ...) NOT-FOR-US: HP-UX CVE-2007-6424 (registry.pl in Fonality Trixbox 2.0 PBX products, when running in cert ...) NOT-FOR-US: Fonality Trixbox CVE-2007-6423 - apache2 (disputed / only for Windows) CVE-2007-6422 (The balancer_handler function in mod_proxy_balancer in the Apache HTTP ...) - apache2 2.2.8-1 (low) [sarge] - apache2 (vulnerable code introduced in 2.2) [etch] - apache2 2.2.3-4+etch4 (low) CVE-2007-6421 (Cross-site scripting (XSS) vulnerability in balancer-manager in mod_pr ...) - apache2 2.2.8-1 (low) [sarge] - apache2 (vulnerable code introduced in 2.2) [etch] - apache2 2.2.3-4+etch4 (low) CVE-2007-6420 (Cross-site request forgery (CSRF) vulnerability in the balancer-manage ...) - apache2 2.2.9-1 (low) [etch] - apache2 (minor issue) [sarge] - apache2 (vulnerable code introduced in 2.2) NOTE: Won't be fixed in etch. CVE-2007-6419 (Unspecified vulnerability in rpc.yppasswdd in HP HP-UX B.11.11, B.11.2 ...) NOT-FOR-US: HP-UX CVE-2007-6417 (The shmem_getpage function (mm/shmem.c) in Linux kernel 2.6.11 through ...) {DSA-1436-1} - linux-2.6 2.6.23-2 CVE-2007-6416 (The copy_to_user function in the PAL emulation functionality for Xen 3 ...) - xen-unstable (We only have xen for i386 and amd64) - xen-3 (We only have xen for i386 and amd64) - xen-3.0 (We only have xen for i386 and amd64) CVE-2007-6415 (scponly 4.6 and earlier allows remote authenticated users to bypass in ...) {DSA-1473-1} - scponly 4.6-1.2 (high) CVE-2007-6414 (admin/administrator.php in Adult Script 1.6 and earlier sends a redire ...) NOT-FOR-US: Adult ScriptAdult Script CVE-2007-6413 (Sun Solaris 10 with the 120011-04 and 120012-04 patches, and later 120 ...) NOT-FOR-US: Sun Solaris CVE-2007-6412 (Direct static code injection vulnerability in wiki/index.php in Bitwea ...) NOT-FOR-US: Bitweaver CVE-2007-6411 (Multiple buffer overflows in the HandleEmotsConfig function in the GG ...) NOT-FOR-US: Gadu-Gadu client CVE-2007-6410 (Gadu-Gadu does not properly perform protocol handling, which allows re ...) NOT-FOR-US: Gadu-Gadu client CVE-2007-6409 (The gg protocol handler in Gadu-Gadu, when this product is installed b ...) NOT-FOR-US: Gadu-Gadu client CVE-2007-6408 (IBM Tivoli Provisioning Manager Express provides unspecified informati ...) NOT-FOR-US: IBM Tivoli Provisioning Manager Express CVE-2007-6407 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Tivoli Prov ...) NOT-FOR-US: IBM Tivoli Provisioning Manager Express CVE-2007-6406 (Multiple cross-site scripting (XSS) vulnerabilities in CA (formerly Co ...) NOT-FOR-US: CA eTrust Threat Management Console CVE-2007-6405 (Sergey Lyubka Simple HTTPD (shttpd) 1.38 and earlier on Windows allows ...) NOT-FOR-US: Simple HTTPD CVE-2007-6404 (Directory traversal vulnerability in Sergey Lyubka Simple HTTPD (shttp ...) NOT-FOR-US: Simple HTTPD CVE-2007-6403 (Stack-based buffer overflow in Nullsoft Winamp 5.32 allows user-assist ...) NOT-FOR-US: Winamp CVE-2007-6402 (Stack-based buffer overflow in mplayerc.exe in Media Player Classic (M ...) NOT-FOR-US: Media Player Classic CVE-2007-6401 (Stack-based buffer overflow in mplayer2.exe in Microsoft Windows Media ...) NOT-FOR-US: Microsoft Windows Media Player CVE-2007-6400 (Directory traversal vulnerability in download_file.php in PolDoc CMS ( ...) NOT-FOR-US: PolDoc CMS CVE-2007-6399 (index.php in Flat PHP Board 1.2 and earlier allows remote authenticate ...) NOT-FOR-US: Flat PHP Board CVE-2007-6398 (Flat PHP Board 1.2 and earlier allows remote attackers to bypass authe ...) NOT-FOR-US: Flat PHP Board CVE-2007-6397 (Multiple directory traversal vulnerabilities in index.php in Flat PHP ...) NOT-FOR-US: Flat PHP Board CVE-2007-6396 (Direct static code injection vulnerability in index.php in Flat PHP Bo ...) NOT-FOR-US: Flat PHP Board CVE-2007-6395 (Flat PHP Board 1.2 and earlier stores sensitive information under the ...) NOT-FOR-US: Flat PHP Board CVE-2007-6394 (SQL injection vulnerability in index.php in Content Injector 1.53 allo ...) NOT-FOR-US: Content Injector CVE-2007-6393 (SQL injection vulnerability in albums.php in Ace Image Hosting Script ...) NOT-FOR-US: Ace Image Hosting Script CVE-2007-6392 (SQL injection vulnerability in DWdirectory 2.1 and earlier allows remo ...) NOT-FOR-US: DWdirectory CVE-2007-6391 (SQL injection vulnerability in patch/comments.php in SH-News 3.0 allow ...) NOT-FOR-US: SH-News CVE-2007-6390 (Cross-site request forgery (CSRF) vulnerability in the mycalendar plug ...) - serendipity (This is an external plugin not included in our packages) CVE-2007-6389 (The notify feature in GNOME screensaver (gnome-screensaver) 2.20.0 mig ...) - gnome-screensaver 2.22.0-1 (low; bug #455484) [etch] - gnome-screensaver (Minor issue) CVE-2007-6388 (Cross-site scripting (XSS) vulnerability in mod_status in the Apache H ...) - apache (low) - apache2 2.2.8-1 (low) [etch] - apache2 2.2.3-4+etch6 [etch] - apache 1.3.34-4.1+etch1 CVE-2007-6358 (pdftops.pl before 1.20 in alternate pdftops filter allows local users ...) {DSA-1437-1} - cups 1.3.5-1 (low; bug #456960) - cupsys 1.3.5-1 (low; bug #456960) [sarge] - cupsys (Minor issue) NOTE: the debian package is a bit confusing here as it also ships a pdftops NOTE: wrapper script as an example but the original script is installed NOTE: under /usr/lib/cups/filters CVE-2007-6356 (exiftags before 1.01 allows attackers to cause a denial of service (in ...) {DSA-1533-2 DSA-1533-1} - exiftags 1.01-0.1 (low; bug #457062) CVE-2007-6355 (Integer overflow in exiftags before 1.01 has unknown impact and attack ...) {DSA-1533-2 DSA-1533-1} - exiftags 1.01-0.1 (bug #457062) CVE-2007-6354 (Unspecified vulnerability in exiftags before 1.01 has unknown impact a ...) {DSA-1533-2 DSA-1533-1} - exiftags 1.01-0.1 (bug #457062) CVE-2007-6352 (Integer overflow in libexif 0.6.16 and earlier allows context-dependen ...) {DSA-1487-1} - libexif 0.6.16-2.1 (medium; bug #457330) CVE-2007-6351 (libexif 0.6.16 and earlier allows context-dependent attackers to cause ...) {DSA-1487-1} - libexif 0.6.16-2.1 (low; bug #457330) CVE-2007-6349 (P4Webs.exe in Perforce P4Web 2006.2 and earlier, when running on Windo ...) NOT-FOR-US: P4Web CVE-2007-6418 (The libdspam7-drv-mysql cron job in Debian GNU/Linux includes the MySQ ...) {DSA-1501-1} - dspam 3.6.8-5.1 (low; bug #448519) CVE-2008-0025 RESERVED CVE-2008-0024 RESERVED CVE-2008-0023 RESERVED CVE-2008-0022 RESERVED CVE-2008-0021 RESERVED CVE-2008-0020 (Unspecified vulnerability in the Load method in the IPersistStreamInit ...) NOT-FOR-US: Microsoft CVE-2008-0019 RESERVED CVE-2008-0018 RESERVED CVE-2008-0017 (The http-index-format MIME type parser (nsDirIndexParser) in Firefox 3 ...) {DSA-1697-1 DSA-1671-1 DSA-1669-1} - iceweasel 3.0.4-1 - xulrunner 1.9.0.4-1 - iceape 1.1.13-1 CVE-2008-0016 (Stack-based buffer overflow in the URL parsing implementation in Mozil ...) {DSA-1697-1 DSA-1696-1 DSA-1669-1 DSA-1649-1} - xulrunner 1.9.0.1-1 - iceweasel 3.0.1-1 - iceape 1.1.12-1 - icedove 2.0.0.17-1 CVE-2008-0015 (Stack-based buffer overflow in the CComVariant::ReadFromStream functio ...) NOT-FOR-US: Microsoft CVE-2008-0014 (Heap-based buffer overflow in an unspecified procedure in Trend Micro ...) NOT-FOR-US: Trend Micro CVE-2008-0013 (Heap-based buffer overflow in an unspecified procedure in Trend Micro ...) NOT-FOR-US: Trend Micro CVE-2008-0012 (Heap-based buffer overflow in an unspecified procedure in Trend Micro ...) NOT-FOR-US: Trend Micro CVE-2008-0011 (Microsoft DirectX 8.1 through 9.0c, and DirectX on Microsoft XP SP2 an ...) NOT-FOR-US: Microsoft DirectX CVE-2007-6387 (Multiple stack-based buffer overflows in the awApi4.AnswerWorks.1 Acti ...) NOT-FOR-US: Vantage Linguistics AnswerWorks ActiveX CVE-2007-6386 (Stack-based buffer overflow in PccScan.dll before build 1451 in Trend ...) NOT-FOR-US: Trend Micro AntiVirus CVE-2007-6385 (The proxy server in Kerio WinRoute Firewall before 6.4.1 does not prop ...) NOT-FOR-US: Kerio WinRoute Firewall CVE-2007-6384 (Unspecified vulnerability in the Image Converter functionality in BEA ...) NOT-FOR-US: BEA WebLogic Mobility Server CVE-2007-6383 (The DAV component in Chandler Server (Cosmo) before 0.10.1 does not ch ...) NOT-FOR-US: Chandler CVE-2007-6382 (The Event Dispatch Thread in Robocode before 1.5.1 allows remote attac ...) NOT-FOR-US: Robocode CVE-2007-6381 (SQL injection vulnerability in the indexed_search system extension in ...) {DSA-1439-1} - typo3-src 4.1.5-1 (low; bug #457446) NOTE: you need to be a logged in backend user to exploit this CVE-2007-6380 (Multiple SQL injection vulnerabilities in e-Xoops (exoops) 1.08, and 1 ...) NOT-FOR-US: e-Xoops CVE-2007-6379 (BadBlue 2.72b and earlier allows remote attackers to obtain sensitive ...) NOT-FOR-US: BadBlue CVE-2007-6378 (Directory traversal vulnerability in upload.dll in BadBlue 2.72b and e ...) NOT-FOR-US: BadBlue CVE-2007-6377 (Stack-based buffer overflow in the PassThru functionality in ext.dll i ...) NOT-FOR-US: BadBlue CVE-2007-6376 (Directory traversal vulnerability in autohtml.php in Francisco Burzi P ...) NOT-FOR-US: PHP-Nuke CVE-2007-6375 (Multiple SQL injection vulnerabilities in Bitweaver 2.0.0 and earlier ...) NOT-FOR-US: Bitweaver CVE-2007-6374 (Multiple cross-site scripting (XSS) vulnerabilities in Bitweaver 2.0.0 ...) NOT-FOR-US: Bitweaver CVE-2007-6373 (Multiple SQL injection vulnerabilities in GestDown 1.00 Beta allow rem ...) NOT-FOR-US: GestDown CVE-2007-6372 (Unspecified vulnerability in Juniper JUNOS 7.3 through 8.4 allows remo ...) NOT-FOR-US: JUNOS CVE-2007-6371 (Nokia N95 cell phone with RM-159 12.0.013 firmware allows remote attac ...) NOT-FOR-US: Nokia N95 CVE-2007-6370 REJECTED CVE-2007-6369 (Multiple directory traversal vulnerabilities in resize.php in the Pict ...) NOT-FOR-US: PictPress CVE-2007-6368 (Directory traversal vulnerability in index.php in ezContents 1.4.5 all ...) NOT-FOR-US: ezContents CVE-2007-6367 (Multiple cross-site scripting (XSS) vulnerabilities in the guestbook i ...) NOT-FOR-US: SineCMS CVE-2007-6366 (Multiple SQL injection vulnerabilities in SineCMS 2.3.4 and earlier al ...) NOT-FOR-US: SineCMS CVE-2007-6365 (Cross-site scripting (XSS) vulnerability in modules/ecal/display.php i ...) NOT-FOR-US: bcoos CVE-2007-6364 (Cross-site scripting (XSS) vulnerability in modificarPerfil.php in JLM ...) NOT-FOR-US: JLMForo System CVE-2007-6363 (IBM Tivoli Netcool Security Manager 1.3.0 before Interim Fix 1, when u ...) NOT-FOR-US: IBM Tivoli Netcool Security Manager CVE-2007-6362 (SQL injection vulnerability in index.php in the RSGallery (com_rsgalle ...) NOT-FOR-US: RSGallery CVE-2007-6361 (Gekko 0.8.2 and earlier stores sensitive information under the web roo ...) NOT-FOR-US: Gekko CVE-2007-6360 (Unspecified vulnerability in the Sun eXtended System Control Facility ...) NOT-FOR-US: Sun eXtended System Control Facility CVE-2007-6359 (The cs_validate_page function in bsd/kern/ubc_subr.c in the xnu kernel ...) NOT-FOR-US: Apple Mac OS X CVE-2007-6357 (Stack-based buffer overflow in Microsoft Office Access allows remote, ...) NOT-FOR-US: Microsoft Office Access CVE-2007-6353 (Integer overflow in exif.cpp in exiv2 library allows context-dependent ...) {DSA-1474-1} - exiv2 0.15-2 (medium; bug #456760) CVE-2007-6350 (scponly 4.6 and earlier allows remote authenticated users to bypass in ...) {DSA-1473-1} - scponly 4.6-1.1 (high; bug #437148) CVE-2007-6348 (SquirrelMail 1.4.11 and 1.4.12, as distributed on sourceforge.net befo ...) - squirrelmail (Compromised packages were never in Debian) CVE-2007-6347 (PHP remote file inclusion vulnerability in blocks/block_site_map.php i ...) NOT-FOR-US: ViArt, CMS, HelpDesk, Shop Evaluation, Shop Free CVE-2007-6346 (Cross-site scripting (XSS) vulnerability in Rainboard before 2.10 allo ...) NOT-FOR-US: Rainboard CVE-2007-6345 (SQL injection vulnerability in aurora framework before 20071208 allows ...) NOT-FOR-US: aurora CVE-2007-6344 (Directory traversal vulnerability in modules/cms/index.php in Mcms Eas ...) NOT-FOR-US: Mcms Easy Web Make CVE-2007-6343 (Cross-site scripting (XSS) vulnerability in HP OpenView Network Node M ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2007-6342 (SQL injection vulnerability in the David Castro AuthCAS module (AuthCA ...) NOT-FOR-US: Apache AuthCAS module CVE-2007-6341 (Net/DNS/RR/A.pm in Net::DNS 0.60 build 654, as used in packages such a ...) {DSA-1515-1} - libnet-dns-perl 0.63-1 (low; bug #457445) NOTE: maybe this should be unimportant as applications using net-dns should handle this croak CVE-2007-6340 (Geert Moernaut LSrunasE 1.0 and Supercrypt 1.0 use the RC4 stream ciph ...) NOT-FOR-US: Geert Moernaut LSrunasE and Supercrypt CVE-2007-6339 (The Akamai Download Manager (aka DLM or dlmanager) ActiveX control (Do ...) NOT-FOR-US: Akamai Download Manager CVE-2007-6338 (SQL injection vulnerability in userlogin.jsp in Trivantis CourseMill E ...) NOT-FOR-US: Trivantis CourseMill Enterprise Learning Management System CVE-2007-6337 (Unspecified vulnerability in the bzip2 decompression algorithm in nsis ...) {DTSA-101-1} - clamav 0.92~dfsg-1~volatile2 [sarge] - clamav (Vulnerable code not present) [etch] - clamav (Vulnerable code not present) CVE-2007-6336 (Off-by-one error in ClamAV before 0.92 allows remote attackers to exec ...) {DSA-1435-1 DTSA-101-1} - clamav 0.92~dfsg-1~volatile2 [sarge] - clamav (Vulnerable code not present) CVE-2007-6335 (Integer overflow in libclamav in ClamAV before 0.92 allows remote atta ...) {DSA-1435-1 DTSA-101-1} - clamav 0.92~dfsg-1~volatile2 [sarge] - clamav (Vulnerable code not present) CVE-2007-6334 (Ingres 2.5 and 2.6 on Windows, as used in multiple CA products and pos ...) NOT-FOR-US: Ingres on Windows CVE-2007-6333 (The HPInfoDLL.HPInfo.1 ActiveX control in HPInfoDLL.dll 1.0, as shippe ...) NOT-FOR-US: HP Info Center / HP Quick Launch Buttons CVE-2007-6332 (The HPInfoDLL.HPInfo.1 ActiveX control in HPInfoDLL.dll 1.0, as shippe ...) NOT-FOR-US: HP Info Center HP Quick Launch Buttons CVE-2007-6331 (Absolute path traversal vulnerability in the HPInfoDLL.HPInfo.1 Active ...) NOT-FOR-US: HP Info Center / HP Quick Launch Buttons CVE-2007-6330 (Meridian Prolog Manager 2007, and 7.5 and earlier, sends all usernames ...) NOT-FOR-US: Meridian Prolog Manager CVE-2007-6329 (Microsoft Office 2007 12.0.6015.5000 and MSO 12.0.6017.5000 do not sig ...) NOT-FOR-US: Microsoft Office CVE-2007-6328 - dosbox 0.72-1 (unimportant; bug #458950) NOTE: this is not a security issue, its a feature of dosbox and the first NOTE: thing documented in the manpage CVE-2007-6327 (Buffer overflow in a certain ActiveX control in Online Media Technolog ...) NOT-FOR-US: Online Media Technologies CVE-2007-6326 (Sergey Lyubka Simple HTTPD (shttpd) 1.3 on Windows allows remote attac ...) NOT-FOR-US: Simple HTTPD CVE-2007-6325 (PHP remote file inclusion vulnerability in adminbereich/designconfig.p ...) NOT-FOR-US: Fastpublish CVE-2007-6324 (PHP remote file inclusion vulnerability in head.php in CityWriter 0.9. ...) NOT-FOR-US: CityWriter CVE-2007-6323 (Multiple directory traversal vulnerabilities in MMS Gallery PHP 1.0 al ...) NOT-FOR-US: MMS Gallery PHP CVE-2007-6322 (Directory traversal vulnerability in filedownload.php in xml2owl 0.1.1 ...) NOT-FOR-US: xml2owl CVE-2007-6320 (Feature 4.7.x-dev and 5.x-dev before 20071206, a Drupal module, does n ...) NOT-FOR-US: Feature (third party drupal module) CVE-2007-6319 (Multiple unspecified vulnerabilities in Lyris ListManager 8.x before 8 ...) NOT-FOR-US: Lyris ListManager CVE-2007-6318 (SQL injection vulnerability in wp-includes/query.php in WordPress 2.3. ...) - wordpress 2.3.2-1 (low; bug #459305) [etch] - wordpress (Vulnerable code not present) NOTE: Patch: https://bugs.edge.launchpad.net/ubuntu/+source/wordpress/+bug/181416 CVE-2007-6317 (Multiple directory traversal vulnerabilities in BarracudaDrive Web Ser ...) NOT-FOR-US: BarracudaDrive CVE-2007-6316 (Cross-site scripting (XSS) vulnerability in BarracudaDrive Web Server ...) NOT-FOR-US: BarracudaDrive CVE-2007-6315 (Group Chat in BarracudaDrive Web Server before 3.8 allows remote authe ...) NOT-FOR-US: BarracudaDrive CVE-2007-6314 (BarracudaDrive Web Server before 3.8 allows remote attackers to read t ...) NOT-FOR-US: BarracudaDrive CVE-2007-6313 (MySQL Server 5.1.x before 5.1.23 and 6.0.x before 6.0.4 does not check ...) - mysql-dfsg-5.0 (this only affects >= 5.1.x, update for experimental is on its way) - mysql-dfsg-4.1 CVE-2007-6312 (Cross-site scripting (XSS) vulnerability in the logon page in Web Repo ...) NOT-FOR-US: Web Security Suite CVE-2007-6311 (SQL injection vulnerability in (1) index.php, and possibly (2) admin/i ...) NOT-FOR-US: Falt4Extreme CVE-2007-6310 (Multiple cross-site scripting (XSS) vulnerabilities in Falt4Extreme RC ...) NOT-FOR-US: Falt4Extreme CVE-2007-6309 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in we ...) NOT-FOR-US: webSPELL CVE-2007-6308 (Cross-site scripting (XSS) vulnerability in HttpLogger 0.8.1 allows re ...) NOT-FOR-US: HttpLogger CVE-2007-6307 (Multiple cross-site scripting (XSS) vulnerabilities in clickstats.php ...) NOT-FOR-US: wwwstats CVE-2007-6306 (Multiple cross-site scripting (XSS) vulnerabilities in the image map f ...) - libjfreechart-java 1.0.9-1 (low; bug #456148) [sarge] - libjfreechart-java (Contrib not supported) CVE-2007-6305 (Multiple unspecified vulnerabilities in IBM Hardware Management Consol ...) NOT-FOR-US: IBM Hardware Management Console CVE-2007-6302 (Multiple heap-based buffer overflows in avirus.exe in Novell NetMail 3 ...) NOT-FOR-US: Novell NetMail CVE-2007-6301 (Cross-site scripting (XSS) vulnerability in compose.php in OpenNewslet ...) NOT-FOR-US: OpenNewsletter CVE-2007-6300 (Cross-site request forgery (CSRF) vulnerability in Fusion News 3.9.0 a ...) NOT-FOR-US: Fusion News CVE-2007-6298 (Cross-site scripting (XSS) vulnerability in the Shoutbox module for Dr ...) NOT-FOR-US: shoutbox (third party module for Drupal) CVE-2007-6297 (Multiple cross-site scripting (XSS) vulnerabilities in PHPMyChat 0.14. ...) NOT-FOR-US: PHPMyChat CVE-2007-6296 (PHP remote file inclusion vulnerability in users_popupL.php3 in phpMyC ...) NOT-FOR-US: PHPMyChat CVE-2007-6295 (Cross-site scripting (XSS) vulnerability in the WebRunMenuFrame page i ...) NOT-FOR-US: IBM Lotus Sametime CVE-2007-6294 (Multiple unspecified vulnerabilities in IBM Hardware Management Consol ...) NOT-FOR-US: IBM Hardware Management Console CVE-2007-6293 (Multiple unspecified vulnerabilities in IBM Hardware Management Consol ...) NOT-FOR-US: IBM Hardware Management Console CVE-2007-6292 (SQL injection vulnerability in leggi_commenti.asp in MWOpen 1.4 and ea ...) NOT-FOR-US: MWOpen CVE-2007-6291 (SQL injection vulnerability in abm.aspx in Xigla Absolute Banner Manag ...) NOT-FOR-US: Xigla Absolute Banner Manager .NET CVE-2007-6290 (Multiple directory traversal vulnerabilities in js/get_js.php in SERWe ...) NOT-FOR-US: SERWeb CVE-2007-6289 (Multiple PHP remote file inclusion vulnerabilities in SerWeb 2.0.0 dev ...) NOT-FOR-US: SERWeb CVE-2007-6288 (Multiple SQL injection vulnerabilities in TCExam before 5.1.000 allow ...) NOT-FOR-US: TCExam CVE-2007-6287 (Cross-site scripting (XSS) vulnerability in the login page in Lxlabs H ...) NOT-FOR-US: HyperVM CVE-2007-6286 (Apache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when the ...) - tomcat5.5 (Does not use apr connector) - tomcat5 CVE-2007-6285 (The default configuration for autofs 5 (autofs5) in some Linux distrib ...) - autofs (-hosts feature not present, auto.net has nosuid,nodev) - autofs5 5.0.3-1 NOTE: for autofs5 see 12disable_default_auto_master.dpatch CVE-2007-6284 (The xmlCurrentChar function in libxml2 before 2.6.31 allows context-de ...) {DSA-1461-1} - libxml2 2.6.30.dfsg-3.1 (medium; bug #460292) - libxml 1.8.17-14.1 (medium) CVE-2007-6283 (Red Hat Enterprise Linux 5 and Fedora install the Bind /etc/rndc.key f ...) - bind9 (On Debian this file is rw for user bind and just readable for group bind) CVE-2007-6282 (The IPsec implementation in Linux kernel before 2.6.25 allows remote r ...) {DSA-1630-1} - linux-2.6 2.6.25-1 - linux-2.6.24 2.6.24-6~etchnhalf.4 NOTE: Upstream commit 920fc941a9617f95ccb283037fe6f8a38d95bb69 CVE-2007-6281 (Heap-based buffer overflow in Open File Manager service (ofmnt.exe) in ...) NOT-FOR-US: St. Bernard Open File Manager CVE-2007-6304 (The federated engine in MySQL 5.0.x before 5.0.51a, 5.1.x before 5.1.2 ...) {DSA-1451-1} - mysql-dfsg-5.0 5.0.45-5 (low; bug #455737) - mysql-dfsg-4.1 CVE-2007-6303 (MySQL 5.0.x before 5.0.51a, 5.1.x before 5.1.23, and 6.0.x before 6.0. ...) - mysql-dfsg-5.0 5.0.45-5 (low; bug #455737) - mysql-dfsg-4.1 [etch] - mysql-dfsg-5.0 (Vulnerable code introduced after 5.0.32) CVE-2007-6299 (Multiple SQL injection vulnerabilities in Drupal and vbDrupal 4.7.x be ...) - drupal5 5.5-1 - drupal 4.7.10-1 CVE-2007-6321 (Cross-site scripting (XSS) vulnerability in RoundCube webmail 0.1rc2, ...) - roundcube 0.1~rc2-6 (low; bug #455840) NOTE: http://seclists.org/bugtraq/2007/Dec/0107.html CVE-2007-6280 RESERVED CVE-2007-6279 (Multiple double free vulnerabilities in Free Lossless Audio Codec (FLA ...) - flac 1.2.1-1 (unimportant) NOTE: According to upstream this issue is not exploitable for code injection NOTE: due to the layout of the seektable memory CVE-2007-6278 (Free Lossless Audio Codec (FLAC) libFLAC before 1.2.1 allows user-assi ...) - flac 1.2.1-1 (unimportant) NOTE: Such validations are within the responsibility of the respective applications CVE-2007-6277 (Multiple buffer overflows in Free Lossless Audio Codec (FLAC) libFLAC ...) {DSA-1469-1} - flac 1.2.1-1 CVE-2007-6276 (The accept_connections function in the virtual private network daemon ...) NOT-FOR-US: Apple Mac OS X CVE-2007-6275 (SQL injection vulnerability in modules/adresses/ratefile.php in bcoos ...) NOT-FOR-US: bcoos CVE-2007-6274 (Multiple cross-site scripting (XSS) vulnerabilities in modules/ecal/di ...) NOT-FOR-US: bcoos CVE-2007-6273 (Multiple format string vulnerabilities in the configuration file in So ...) NOT-FOR-US: SonicWALL GLobal VPN Client CVE-2007-6272 (Multiple SQL injection vulnerabilities in index.php in Joomla! 1.5 RC3 ...) NOT-FOR-US: Joomla! CVE-2007-6271 (Absolute News Manager.NET 5.1 allows remote attackers to obtain sensit ...) NOT-FOR-US: Absolute News Manager.NET CVE-2007-6270 (Multiple cross-site scripting (XSS) vulnerabilities in Absolute News M ...) NOT-FOR-US: Absolute News Manager.NET CVE-2007-6269 (Multiple SQL injection vulnerabilities in xlaabsolutenm.aspx in Absolu ...) NOT-FOR-US: Absolute News Manager.NET CVE-2007-6268 (Directory traversal vulnerability in pages/default.aspx in Absolute Ne ...) NOT-FOR-US: Absolute News Manager.NET CVE-2007-6267 (Citrix EdgeSight 4.2 and 4.5 for Presentation Server, EdgeSight 4.2 an ...) NOT-FOR-US: Citrix EdgeSight CVE-2007-6266 (Multiple SQL injection vulnerabilities in bcoos 1.0.10 and earlier all ...) NOT-FOR-US: bcoos CVE-2007-6265 (Unspecified vulnerability in avast! 4 Home and Professional Editions b ...) NOT-FOR-US: avast! CVE-2007-6264 RESERVED CVE-2007-6263 (The dataconn function in ftpd.c in netkit ftpd (netkit-ftpd) 0.17, whe ...) - linux-ftpd-ssl 0.17.18+0.3-9.1 (low; bug #454733) [sarge] - linux-ftpd-ssl (Minor issue) [etch] - linux-ftpd-ssl (Minor issue) CVE-2007-6262 (A certain ActiveX control in axvlc.dll in VideoLAN VLC 0.8.6 before 0. ...) - vlc (Windows only issue) CVE-2007-6261 (Integer overflow in the load_threadstack function in the Mach-O loader ...) NOT-FOR-US: Apple Mac OS X CVE-2007-6260 (The installation process for Oracle 10g and llg uses accounts with def ...) NOT-FOR-US: Oracle CVE-2004-2758 (Multiple unspecified vulnerabilities in the H.323 protocol implementat ...) NOT-FOR-US: Sun SunForum CVE-2007-6259 RESERVED CVE-2007-6258 (Multiple stack-based buffer overflows in the legacy mod_jk2 2.0.3-DEV ...) - libapache2-mod-jk2 2.0.4-1 CVE-2007-6257 RESERVED CVE-2007-6256 REJECTED CVE-2007-6255 (Buffer overflow in the Microsoft HeartbeatCtl ActiveX control in HRTBE ...) NOT-FOR-US: Microsoft HRTBEAT.OCX CVE-2007-6254 (Stack-based buffer overflow in the SAP Business Objects BusinessObject ...) NOT-FOR-US: SAP CVE-2007-6253 (Multiple buffer overflows in Adobe Form Designer 5.0 and Form Client 5 ...) NOT-FOR-US: Adobe Form Designer CVE-2007-6252 (Multiple stack-based buffer overflows in the Learn2 Corporation STRunn ...) NOT-FOR-US: Street Technologies CVE-2007-6251 RESERVED CVE-2007-6250 (Stack-based buffer overflow in AOL AOLMediaPlaybackControl (AOLMediaPl ...) NOT-FOR-US: AmpX ActiveX control CVE-2007-6249 (etc-update in Portage before 2.1.3.11 on Gentoo Linux relies on the um ...) NOT-FOR-US: Gentoo portage CVE-2007-6248 RESERVED CVE-2007-6247 REJECTED CVE-2007-6246 (Adobe Flash Player 9.x up to 9.0.48.0, 8.x up to 8.0.35.0, and 7.x up ...) - flashplugin-nonfree 9.0.115.0.1 [sarge] - flashplugin-nonfree (Contrib not supported) [etch] - flashplugin-nonfree (Contrib not supported) CVE-2007-6245 (Adobe Flash Player 9.x up to 9.0.48.0, 8.x up to 8.0.35.0, and 7.x up ...) - flashplugin-nonfree 9.0.115.0.1 [sarge] - flashplugin-nonfree (Contrib not supported) [etch] - flashplugin-nonfree (Contrib not supported) CVE-2007-6244 (Multiple cross-site scripting (XSS) vulnerabilities in Adobe Flash Pla ...) - flashplugin-nonfree 9.0.115.0.1 [sarge] - flashplugin-nonfree (Contrib not supported) [etch] - flashplugin-nonfree (Contrib not supported) CVE-2007-6243 (Adobe Flash Player 9.x up to 9.0.48.0, 8.x up to 8.0.35.0, and 7.x up ...) - flashplugin-nonfree 9.0.115.0.1 [sarge] - flashplugin-nonfree (Contrib not supported) [etch] - flashplugin-nonfree (Contrib not supported) CVE-2007-6242 (Unspecified vulnerability in Adobe Flash Player 9.0.48.0 and earlier m ...) - flashplugin-nonfree 9.0.115.0.1 [sarge] - flashplugin-nonfree (Contrib not supported) [etch] - flashplugin-nonfree (Contrib not supported) CVE-2007-6241 (Multiple unspecified vulnerabilities in Beehive Forum 0.7.1 have unkno ...) NOT-FOR-US: Beehive Forum CVE-2007-6240 (SQL injection vulnerability in active.asp in Snitz Forums 2000 3.4.06 ...) NOT-FOR-US: Snitz Forums CVE-2007-6239 (The "cache update reply processing" functionality in Squid 2.x before ...) {DSA-1646-2 DSA-1482-1} - squid 2.6.17-1 (medium; bug #455910) CVE-2007-6238 (Unspecified vulnerability in Apple QuickTime 7.2 on Windows XP allows ...) NOT-FOR-US: Apple QuickTime CVE-2007-6237 (cp.php in DeluxeBB 1.09 does not verify that the membercookie paramete ...) NOT-FOR-US: DeluxeBB CVE-2007-6236 (Microsoft Windows Media Player (WMP) allows remote attackers to cause ...) NOT-FOR-US: Microsoft Windows Media Player CVE-2007-6235 (A certain ActiveX control in RealNetworks RealPlayer 11 allows remote ...) NOT-FOR-US: RealNetworks RealPlayer 11 CVE-2007-6234 (index.php in FTP Admin 0.1.0 allows remote attackers to bypass authent ...) NOT-FOR-US: FTP Admin 0.1.0 CVE-2007-6233 (Directory traversal vulnerability in index.php in FTP Admin 0.1.0 allo ...) NOT-FOR-US: FTP Admin 0.1.0 CVE-2007-6232 (Cross-site scripting (XSS) vulnerability in index.php in FTP Admin 0.1 ...) NOT-FOR-US: FTP Admin 0.1.0 CVE-2007-6231 (Multiple PHP remote file inclusion vulnerabilities in tellmatic 1.0.7 ...) NOT-FOR-US: tellmatic CVE-2007-6230 (Directory traversal vulnerability in common/classes/class_HeaderHandle ...) NOT-FOR-US: Rayzz CVE-2007-6229 (PHP remote file inclusion vulnerability in common/classes/class_Header ...) NOT-FOR-US: Rayzz CVE-2007-6228 (Stack-based buffer overflow in the Helper class in the yt.ythelper.2 A ...) NOT-FOR-US: Yahoo! Toolbar CVE-2007-6227 (QEMU 0.9.0 allows local users of a Windows XP SP2 guest operating syst ...) - qemu (Windows issue) CVE-2007-6226 (The American Power Conversion (APC) AP7932 0u 30amp Switched Rack Powe ...) NOT-FOR-US: American Power Conversion (APC) CVE-2007-6225 (Unspecified vulnerability in Sun Solaris 10, when 64bit mode is used o ...) NOT-FOR-US: Sun Solaris 10 CVE-2007-6224 (The RealNetworks RealAudioObjects.RealAudio ActiveX control in rmoc326 ...) NOT-FOR-US: RealAudioObjects.RealAudio ActiveX CVE-2007-6223 (SQL injection vulnerability in garage.php in phpBB Garage 1.2.0 Beta3 ...) NOT-FOR-US: phpBB Garage CVE-2007-6222 (The CheckCustomerAccess function in functions.php in CRM-CTT Interleav ...) NOT-FOR-US: Interleave CVE-2007-6221 (TuMusika Evolution 1.7R5 allows remote attackers to obtain configurati ...) NOT-FOR-US: TuMusika CVE-2007-6220 (typespeed before 0.6.4 allows remote attackers to cause a denial of se ...) - typespeed 0.6.4-1 (unimportant; bug #454527) CVE-2007-6219 (Cross-site scripting (XSS) vulnerability in IBM Tivoli Netcool Securit ...) NOT-FOR-US: IBM Tivoli Netcool Security Manager CVE-2007-6218 (Multiple PHP remote file inclusion vulnerabilities in Ossigeno CMS 2.2 ...) NOT-FOR-US: Ossigeno CMS CVE-2007-6217 (Multiple SQL injection vulnerabilities in login.asp in Irola My-Time ( ...) NOT-FOR-US: Irola My-Time CVE-2007-6216 (Race condition in the Fibre Channel protocol (fcp) driver and Devices ...) NOT-FOR-US: Sun Solaris CVE-2007-6215 (Multiple directory traversal vulnerabilities in play.php in Web-MeetMe ...) NOT-FOR-US: Web-MeetMe CVE-2007-6214 (Directory traversal vulnerability in include/file_download.php in Lear ...) NOT-FOR-US: LearnLoop CVE-2007-6213 (Multiple directory traversal vulnerabilities in mod/chat/index.php in ...) NOT-FOR-US: WebED CVE-2007-6212 (Directory traversal vulnerability in region.php in KML share 1.1 allow ...) NOT-FOR-US: KML share CVE-2008-0010 (The copy_from_user_mmap_sem function in fs/splice.c in the Linux kerne ...) - linux-2.6 2.6.24-4 - linux-2.6.24 (Fixed before initial upload, in 2.6.24-4 of linux-2.6) [etch] - linux-2.6 (vulnerable code not present) CVE-2008-0009 (The vmsplice_to_user function in fs/splice.c in the Linux kernel 2.6.2 ...) - linux-2.6 2.6.24-4 - linux-2.6.24 (Fixed before initial upload, in 2.6.24-4 of linux-2.6) [etch] - linux-2.6 (vulnerable code not present) CVE-2008-0008 (The pa_drop_root function in PulseAudio 0.9.8, and a certain 0.9.9 bui ...) {DSA-1476-1} - pulseaudio 0.9.9-1 CVE-2008-0007 (Linux kernel before 2.6.22.17, when using certain drivers that registe ...) {DSA-1565-1 DSA-1503-2 DSA-1504-1 DSA-1503-1} - linux-2.6.24 (Fixed before initial upload, in 2.6.24-4 of linux-2.6) - linux-2.6 2.6.24-4 CVE-2008-0006 (Buffer overflow in (1) X.Org Xserver before 1.4.1, and (2) the libfont ...) {DSA-1466-2 DTSA-110-1} - xorg-server 2:1.4.1~git20080105-2 - libxfont 1:1.3.1-2 [etch] - libxfont 1:1.2.2-2.etch1 CVE-2008-0005 (mod_proxy_ftp in Apache 2.2.x before 2.2.7-dev, 2.0.x before 2.0.62-de ...) - apache2 2.2.8-1 (low) - apache (low) [etch] - apache (browser issue; low impact) [sarge] - apache (browser issue; low impact) [sarge] - apache2 (browser issue; low impact) [etch] - apache2 2.2.3-4+etch4 (low) CVE-2008-0004 REJECTED CVE-2008-0003 (Stack-based buffer overflow in the PAMBasicAuthenticator::PAMCallback ...) NOT-FOR-US: OpenPegasus CIM management server CVE-2008-0002 (Apache Tomcat 6.0.0 through 6.0.15 processes parameters in the context ...) - tomcat5.5 (Only Tomcat 6 is affected, according to upstream) CVE-2008-0001 (VFS in the Linux kernel before 2.6.22.16, and 2.6.23.x before 2.6.23.1 ...) {DSA-1479-1} - linux-2.6 2.6.24-1 - linux-2.6.24 (Fixed before initial upload, upstream in 2.6.24) CVE-2007-6207 (Xen 3.x, possibly before 3.1.2, when running on IA64 systems, does not ...) - xen-3 3.1.2-1 CVE-2007-6206 (The do_coredump function in fs/exec.c in Linux kernel 2.4.x and 2.6.x ...) {DSA-1503-2 DSA-1504-1 DSA-1503-1 DSA-1436-1} - linux-2.6 2.6.24-1 - linux-2.6.24 (Fixed before initial upload, upstream in 2.6.24) CVE-2007-6205 (Cross-site scripting (XSS) vulnerability in the remote RSS sidebar plu ...) {DSA-1528-1} - serendipity 1.2.1-1 (low) CVE-2007-6204 (Multiple stack-based buffer overflows in HP OpenView Network Node Mana ...) NOT-FOR-US: HP OpenView CVE-2007-6203 (Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method s ...) - apache2 2.2.6-3 (low) [sarge] - apache2 (minor issue) - apache (vulnerable code not present) NOTE: Might be exploitable with older flash plugins via HTTP Request Splitting [etch] - apache2 2.2.3-4+etch4 CVE-2007-6208 (sylprint.pl in claws mail tools (claws-mail-tools) allows local users ...) - claws-mail 3.1.0-2 (low; bug #454089) CVE-2007-6210 (zabbix_agentd 1.1.4 in ZABBIX before 1.4.3 runs "UserParameter" script ...) {DSA-1420-1 DTSA-93-1} - zabbix 1:1.4.2-4 (bug #452682) CVE-2007-6202 (SQL injection vulnerability in plugins/search/search.php in Neocrome S ...) NOT-FOR-US: Neocrome Seditio CMS CVE-2007-6211 (Send ICMP Nasty Garbage (sing) on Debian GNU/Linux allows local users ...) - sing 1.1-16 (low; bug #454167) [etch] - sing 1.1-13etch1 [sarge] - sing 1.1-9sarge1 CVE-2007-6209 (Util/difflog.pl in zsh 4.3.4 allows local users to overwrite arbitrary ...) - zsh 4.3.4-dev-3-2 (low; bug #454073) [etch] - zsh (Minor issue) [sarge] - zsh (Minor issue) CVE-2007-6201 (Unspecified vulnerability in Wesnoth 1.2.x before 1.2.8, and 1.3.x bef ...) - wesnoth 1:1.2.8-1 (low) [etch] - wesnoth 1.2-4 [sarge] - wesnoth 0.9.0-8 CVE-2007-6200 (Unspecified vulnerability in rsync before 3.0.0pre6, when running a wr ...) - rsync 2.6.9-6 (low; bug #453652) [etch] - rsync (Minor issue) CVE-2007-6199 (rsync before 3.0.0pre6, when running a writable rsync daemon that is n ...) - rsync 2.6.9-6 (unimportant; bug #453652) NOTE: Security feature enhancement, not really a security problem CVE-2007-6198 (portal/server.pt in the Plumtree portal in BEA AquaLogic Interaction 5 ...) NOT-FOR-US: Plumtree CVE-2007-6197 (The Plumtree portal in BEA AquaLogic Interaction 5.0.2 through 5.0.4 a ...) NOT-FOR-US: Plumtree CVE-2007-6196 (Cross-site scripting (XSS) vulnerability in util.php in Calacode @Mail ...) NOT-FOR-US: Calacode CVE-2007-6195 (Buffer overflow in the sw_rpc_agent_init function in swagentd in Softw ...) NOT-FOR-US: HP-UX CVE-2007-6194 (Unspecified vulnerability in HP Select Identity 4.01 before 4.01.012 a ...) NOT-FOR-US: HP Select Identity CVE-2007-6193 (The web management interface in Citrix NetScaler 8.0 build 47.8 stores ...) NOT-FOR-US: Citrix CVE-2007-6192 (The web management interface in Citrix NetScaler 8.0 build 47.8 uses w ...) NOT-FOR-US: Citrix CVE-2007-6191 (Multiple PHP remote file inclusion vulnerabilities in Armin Burger p.m ...) NOT-FOR-US: Armin Burger p.mapper CVE-2007-6190 (The HTTP daemon in the Cisco Unified IP Phone, when the Extension Mobi ...) NOT-FOR-US: Cisco Unified IP Phone CVE-2007-6189 (A certain ActiveX control in (1) OScan8.ocx and (2) Oscan81.ocx in Bit ...) NOT-FOR-US: BitDefender Online Anti-Virus Scanner CVE-2007-6188 (Multiple directory traversal vulnerabilities in TuMusika Evolution 1.7 ...) NOT-FOR-US: TuMusika Evolution CVE-2007-6187 (Multiple directory traversal vulnerabilities in PHP Content Architect ...) NOT-FOR-US: PHP Content Architect CVE-2007-6186 (Unspecified vulnerability in PHPDevShell before 0.7.0 has unknown impa ...) NOT-FOR-US: PHPDevShell CVE-2007-6185 (Directory traversal vulnerability in users/files.php in Eurologon CMS ...) NOT-FOR-US: Eurologon CMS CVE-2007-6184 (Directory traversal vulnerability in index.php in Project Alumni 1.0.9 ...) NOT-FOR-US: Project Alumni CVE-2007-6182 (The responder program in ISPsystem ISPmanager (aka ISPmgr) 4.2.15.1 al ...) NOT-FOR-US: ISPmanager CVE-2007-6181 (Heap-based buffer overflow in cygwin1.dll in Cygwin 1.5.7 and earlier ...) NOT-FOR-US: Cygwin CVE-2007-6180 (Race condition in the Remote Procedure Call kernel module (rpcmod) in ...) NOT-FOR-US: Solaris CVE-2007-6179 (Multiple PHP remote file inclusion vulnerabilities in Charray's CMS 0. ...) NOT-FOR-US: Charray's CMS CVE-2007-6178 (Multiple PHP remote file inclusion vulnerabilities in Easy Hosting Con ...) NOT-FOR-US: Easy Hosting Control Panel for Ubuntu CVE-2007-6177 (PHP remote file inclusion vulnerability in Exchange/include.php in PHP ...) NOT-FOR-US: PHP-CON CVE-2007-6176 (kb_whois.cgi in K+B-Bestellsystem (aka KB-Bestellsystem) allows remote ...) NOT-FOR-US: KB-Bestellsystem CVE-2007-6175 (Buffer overflow in Lhaplus 1.55 and earlier allows remote attackers to ...) NOT-FOR-US: Lhaplus CVE-2007-6174 (PHPDevShell before 0.7.0 allows remote authenticated users to gain pri ...) NOT-FOR-US: PHPDevShell CVE-2007-6173 (Cross-site scripting (XSS) vulnerability in c/portal/login in Liferay ...) - liferay-portal (bug #569819) CVE-2007-6172 (Multiple SQL injection vulnerabilities in wpQuiz 2.7 allow remote atta ...) NOT-FOR-US: wpQuiz CVE-2007-6169 (SQL injection vulnerability in admin/index2.asp in GOUAE DWD Realty al ...) NOT-FOR-US: GOUAE DWD Realty CVE-2007-6168 (SQL injection vulnerability in default.asp in VU Case Manager allows r ...) NOT-FOR-US: VU Case Manager CVE-2007-6167 (Untrusted search path vulnerability in yast2-core in SUSE Linux might ...) NOT-FOR-US: Yast2 CVE-2007-6166 (Stack-based buffer overflow in Apple QuickTime before 7.3.1, as used i ...) NOT-FOR-US: Apple QuickTime CVE-2007-6165 (Mail in Apple Mac OS X Leopard (10.5.1) allows user-assisted remote at ...) NOT-FOR-US: Apple Mac OS X CVE-2007-6164 (Multiple SQL injection vulnerabilities in Eurologon CMS allow remote a ...) NOT-FOR-US: Eurologon CMS CVE-2007-6163 (SQL injection vulnerability in admin/index2.asp in GOUAE DWD Realty al ...) NOT-FOR-US: GOUAE DWD Realty CVE-2007-6162 (Cross-site scripting (XSS) vulnerability in index.php in FMDeluxe 2.1. ...) NOT-FOR-US: FMDeluxe CVE-2007-6161 (index.php in Tilde CMS 4.x and earlier allows remote attackers to obta ...) NOT-FOR-US: Tilde CMS CVE-2007-6160 (Cross-site scripting (XSS) vulnerability in index.php in Tilde CMS 4.x ...) NOT-FOR-US: Tilde CMS CVE-2007-6159 (SQL injection vulnerability in index.php in Tilde CMS 4.x and earlier ...) NOT-FOR-US: Tilde CMS CVE-2007-6158 (Multiple SQL injection vulnerabilities in caladmin.inc.php in Proverbs ...) NOT-FOR-US: Proverbs Web Calendar CVE-2007-6157 (Cross-site scripting (XSS) vulnerability in index.php in SimpleGallery ...) NOT-FOR-US: SimpleGallery CVE-2007-6156 (Multiple cross-site scripting (XSS) vulnerabilities in base_qry_main.p ...) - acidbase 1.3.9-1 (low; bug #453838) [etch] - acidbase (vulnerable code not present, in etch acidbase exits in this case) CVE-2007-6155 RESERVED CVE-2007-6154 RESERVED CVE-2007-6153 RESERVED CVE-2007-6152 RESERVED CVE-2007-6151 (The isdn_ioctl function in isdn_common.c in Linux kernel 2.6.23 allows ...) {DSA-1503-2 DSA-1504-1 DSA-1503-1 DSA-1479-1} - linux-2.6 2.6.23-2 CVE-2007-6149 (Multiple integer overflows in the Edge server in Adobe Flash Media Ser ...) NOT-FOR-US: Adobe Flash Media Server CVE-2007-6148 (Use-after-free vulnerability in the Edge server in Adobe Flash Media S ...) NOT-FOR-US: Adobe Flash Media Server CVE-2007-6147 (Multiple PHP remote file inclusion vulnerabilities in IAPR COMMENCE 1. ...) NOT-FOR-US: IAPR COMMENCE CVE-2007-6146 (Hitachi JP1/File Transmission Server/FTP 01-00 through 08-10-02 on Win ...) NOT-FOR-US: JP1/File Transmission Server/FTP on windows CVE-2007-6145 (Unspecified vulnerability in Hitachi JP1/File Transmission Server/FTP ...) NOT-FOR-US: Hitachi JP1/File Transmission Server/FTP CVE-2007-6144 (Heap-based buffer overflow in the PPlayer.XPPlayer.1 ActiveX control i ...) NOT-FOR-US: Xunlei Thunder CVE-2007-6143 (SQL injection vulnerability in default.asp (aka the Login Page) in VU ...) NOT-FOR-US: VU Case Manager CVE-2007-6142 (Multiple cross-site scripting (XSS) vulnerabilities in ph03y3nk just a ...) NOT-FOR-US: JAF CMS CVE-2007-6141 (Cross-site scripting (XSS) vulnerability in vBTube.php in vBTube 1.1 B ...) NOT-FOR-US: vBTube CVE-2007-6140 (Multiple SQL injection vulnerabilities in Dora Emlak 2.0 allow remote ...) NOT-FOR-US: Dora Emlak CVE-2007-6139 (PHP remote file inclusion vulnerability in index.php in Mp3 ToolBox 1. ...) NOT-FOR-US: Mp3 ToolBox CVE-2007-6138 (SQL injection vulnerability in redir.asp in VU Mass Mailer allows remo ...) NOT-FOR-US: VU Mass Mailer CVE-2007-6137 (SQL injection vulnerability in news.php in Content Injector 1.52 allow ...) NOT-FOR-US: Content Injector CVE-2007-6136 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in M2 ...) NOT-FOR-US: M2Scripts MySpace Scripts CVE-2007-6135 (Cross-site scripting (XSS) vulnerability in phpslideshow.php in PHPSli ...) NOT-FOR-US: PHPSlideShow CVE-2007-6134 (SQL injection vulnerability in pkinc/public/article.php in PHPKIT 1.6. ...) NOT-FOR-US: PHPKIT CVE-2007-6133 (PHP remote file inclusion vulnerability in admin/kfm/initialise.php in ...) NOT-FOR-US: DevMass Shopping Cart CVE-2007-6183 (Format string vulnerability in the mdiag_initialize function in gtk/sr ...) {DSA-1431-1 DTSA-102-1} - ruby-gnome2 0.16.0-10 (medium; bug #453689) CVE-2007-6171 (SQL injection vulnerability in the Postgres Realtime Engine (res_confi ...) - asterisk 1:1.4.15~dfsg-1 (medium) [sarge] - asterisk (Vulnerable code not present) [etch] - asterisk (Vulnerable code not present) CVE-2007-6170 (SQL injection vulnerability in the Call Detail Record Postgres logging ...) {DSA-1417-1} - asterisk 1:1.4.15~dfsg-1 (medium) CVE-2007-6150 (The "internal state tracking" code for the random and urandom devices ...) - kfreebsd-7 7.0~cvs20080107-1 - kfreebsd-6 6.3~cvs20080107-1 - kfreebsd-5 (medium; bug #453944) [etch] - kfreebsd-5 (kfreebsd not supported) CVE-2007-6132 REJECTED CVE-2007-6131 (buttonpressed.sh in scanbuttond 0.2.3 allows local users to overwrite ...) - scanbuttond 0.2.3-6 (unimportant; bug #453239) NOTE: this is just an example script, maintainer adds a note about it NOTE: 0.2.3-6 adds a security note about this script CVE-2007-6130 (gnump3d 2.9final does not apply password protection to its plugins, wh ...) - gnump3d 3.0-1 (medium) [sarge] - gnump3d (Vulnerable code not present) [etch] - gnump3d (Vulnerable code not present) CVE-2007-6129 (Directory traversal vulnerability in scripts/include/show_content.php ...) NOT-FOR-US: Amber script CVE-2007-6128 (SQL injection vulnerability in events.php in WorkingOnWeb 2.0.1400 all ...) NOT-FOR-US: WorkingOnWeb CVE-2007-6127 (Multiple SQL injection vulnerabilities in project alumni 1.0.9 and ear ...) NOT-FOR-US: Alumni CVE-2007-6126 (Multiple cross-site scripting (XSS) vulnerabilities in project alumni ...) NOT-FOR-US: Alumni CVE-2007-6125 (SQL injection vulnerability in search_form.php in Softbiz Freelancers ...) NOT-FOR-US: Softbiz Freelancers Script CVE-2007-6124 (Cross-site scripting (XSS) vulnerability in signin.php in Softbiz Free ...) NOT-FOR-US: Softbiz Freelancers Script CVE-2007-6123 (Unspecified vulnerability in IRC Services 5.1.8 has unknown impact and ...) NOT-FOR-US: IRC Services CVE-2007-6122 (The default_encrypt function in encrypt.c in IRC Services before 5.0.6 ...) NOT-FOR-US: IRC Services CVE-2007-6110 (Cross-site scripting (XSS) vulnerability in htsearch in htdig 3.2.0b6 ...) {DSA-1429-1} - htdig 1:3.2.0b6-4 (low; bug #453278) [sarge] - htdig (Vulnerable code not present) CVE-2007-6109 (Stack-based buffer overflow in emacs allows user-assisted attackers to ...) {DTSA-98-1 DTSA-99-1} - emacs22 22.1+1-2.2 (bug #455432) - emacs21 21.4a+1-5.2 (bug #455433) [etch] - emacs21 (Minor issue, .el scripts opened need to be trusted) - xemacs21 21.4.21-4 (bug #457764) [etch] - xemacs21 (Minor issue, .el scripts opened need to be trusted) CVE-2007-6108 RESERVED CVE-2007-6107 RESERVED CVE-2007-6106 (SQL injection vulnerability in index.php in AlstraSoft E-Friends 4.98 ...) NOT-FOR-US: AlstraSoft E-Friends CVE-2007-6105 (Multiple PHP remote file inclusion vulnerabilities in TalkBack 2.2.7 a ...) NOT-FOR-US: TalkBack CVE-2007-6104 (Cross-site scripting (XSS) vulnerability in the Instant Web Publishing ...) NOT-FOR-US: FileMaker Pro CVE-2007-6103 (I Hear U (IHU) 0.5.6 and earlier allows remote attackers to cause (1) ...) - ihu 0.5.6-3.1 (unimportant; bug #453280) NOTE: Would only terminate normal phone call by hanging up, not a real security bug CVE-2007-6102 (Cross-site scripting (XSS) vulnerability in Feed to JavaScript (Feed2J ...) NOT-FOR-US: feed2js CVE-2007-6101 (Ability Mail Server before 2.61 allows remote authenticated users to c ...) NOT-FOR-US: Ability Mail Server CVE-2007-6100 (Cross-site scripting (XSS) vulnerability in libraries/auth/cookie.auth ...) - phpmyadmin 4:2.11.2.2-1 [sarge] - phpmyadmin (Vulnerable code not present) [etch] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2007-8/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/960064b55f68cd74969e8f0eee56da045f6ea57a CVE-2007-6099 (Unspecified vulnerability in Ingate Firewall before 4.6.0 and SIParato ...) NOT-FOR-US: Ingate Firewall Siparator CVE-2007-6098 (Ingate Firewall before 4.6.0 and SIParator before 4.6.0 do not log tru ...) NOT-FOR-US: Ingate Firewall Siparator CVE-2007-6097 (Unspecified vulnerability in the ICMP implementation in Ingate Firewal ...) NOT-FOR-US: Ingate Firewall Siparator CVE-2007-6096 (Ingate Firewall before 4.6.0 and SIParator before 4.6.0 use cleartext ...) NOT-FOR-US: Ingate Firewall Siparator CVE-2007-6095 (The SIP component in Ingate Firewall before 4.6.0 and SIParator before ...) NOT-FOR-US: Ingate Firewall Siparator CVE-2007-6094 (The IPsec module in the VPN component in Ingate Firewall before 4.6.0 ...) NOT-FOR-US: Ingate Firewall Siparator CVE-2007-6093 (The SRTP implementation in Ingate Firewall before 4.6.0 and SIParator ...) NOT-FOR-US: Ingate Firewall Siparator CVE-2007-6092 (Buffer overflow in libsrtp in Ingate Firewall before 4.6.0 and SIParat ...) NOT-FOR-US: Ingate Firewall Siparator CVE-2007-6091 (Multiple SQL injection vulnerabilities in files/login.asp in JiRo's Ba ...) NOT-FOR-US: JiRo's Banner System (JBS) CVE-2007-6090 (Cross-site scripting (XSS) vulnerability in index.php in Nuked-Klan 1. ...) NOT-FOR-US: Nuked-Klan CVE-2007-6089 (PHP remote file inclusion vulnerability in index.php in meBiblio 0.4.5 ...) NOT-FOR-US: meBiblio CVE-2007-6088 (PHP remote file inclusion vulnerability in includes/functions_mod_user ...) NOT-FOR-US: phpBBViet CVE-2007-6087 (Cross-site request forgery (CSRF) vulnerability in index.php in Vigile ...) NOT-FOR-US: VigileCMS CVE-2007-6086 (Directory traversal vulnerability in index.php in VigileCMS 1.4 allows ...) NOT-FOR-US: VigileCMS CVE-2007-6085 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Vi ...) NOT-FOR-US: VigileCMS CVE-2007-6084 (SQL injection vulnerability in software-description.php in HotScripts ...) NOT-FOR-US: HotScripts Clone script CVE-2007-6083 (SQL injection vulnerability in admin/index.php in IceBB 1.0-rc6 allows ...) NOT-FOR-US: IceBB CVE-2007-6082 (Direct static code injection vulnerability in acp/savenews.php in Sciu ...) NOT-FOR-US: Sciurus Hosting Panel CVE-2007-6081 (AdventNet EventLog Analyzer build 4030 for Windows, and possibly other ...) NOT-FOR-US: Windows CVE-2007-6080 (SQL injection vulnerability in modules/banners/click.php in the banner ...) NOT-FOR-US: bcoos CVE-2007-6079 (Directory traversal vulnerability in include/common.php in bcoos 1.0.1 ...) NOT-FOR-US: bcoos CVE-2007-6078 (Multiple SQL injection vulnerabilities in SkyPortal RC6 allow remote a ...) NOT-FOR-US: SkyPortal CVE-2007-6076 RESERVED CVE-2007-6075 RESERVED CVE-2007-6074 RESERVED CVE-2007-6073 RESERVED CVE-2007-6072 RESERVED CVE-2007-6071 RESERVED CVE-2007-6070 REJECTED CVE-2007-6069 RESERVED CVE-2007-6068 RESERVED CVE-2007-6067 (Algorithmic complexity vulnerability in the regular expression parser ...) {DSA-1463-1 DSA-1460-1} - postgresql-8.2 8.2.6-1 - postgresql-8.1 8.1.11-1 - tcl8.3 8.3.5-13 [etch] - tcl8.3 (Minor issue) - tcl8.4 8.4.17-1 [etch] - tcl8.4 (Minor issue) [sarge] - postgresql CVE-2007-6066 RESERVED CVE-2007-6065 RESERVED CVE-2007-6064 RESERVED CVE-2007-6063 (Buffer overflow in the isdn_net_setcfg function in isdn_net.c in Linux ...) {DSA-1503-2 DSA-1504-1 DSA-1503-1 DSA-1436-1} - linux-2.6 2.6.23-2 CVE-2007-6062 (irc-channel.c in ngIRCd before 0.10.3 allows remote attackers to cause ...) - ngircd 0.10.3-1 (bug #451875) [etch] - ngircd 0.10.0-2etch1 CVE-2007-6061 (Audacity 1.3.2 creates a temporary directory with a predictable name w ...) - audacity 1.3.4-1.1 (bug #453283; low) [etch] - audacity (Minor issue) CVE-2007-6060 (AhnLab Antivirus 3 Internet Security 2008 Platinum appends data to a f ...) NOT-FOR-US: AhnLab Antivirus 3 Internet Security 2008 Platinum CVE-2007-6059 NOT-FOR-US: Javamail CVE-2007-6058 (Multiple SQL injection vulnerabilities in index.php in ProfileCMS 1.0 ...) NOT-FOR-US: ProfileCMS CVE-2007-6057 (PHP remote file inclusion vulnerability in index.php in datecomm Socia ...) NOT-FOR-US: datecomm Social Networking Script CVE-2007-6056 (frame.html in Aida-Web (Aida Web) allows remote attackers to bypass a ...) NOT-FOR-US: Aida-Web CVE-2007-6055 (Cross-site scripting (XSS) vulnerability in c/portal/login in Liferay ...) - liferay-portal (bug #569819) CVE-2007-6054 (Cross-site scripting (XSS) vulnerability in the login page in the mana ...) NOT-FOR-US: Aruba 800 Mobility Controller CVE-2007-6053 (IBM DB2 UDB 9.1 before Fixpak 4 does not properly handle use of large ...) NOT-FOR-US: IBM DB2 CVE-2007-6052 (IBM DB2 UDB 9.1 before Fixpak 4 does not properly perform vector aggre ...) NOT-FOR-US: IBM DB2 CVE-2007-6051 (IBM DB2 UDB 9.1 before Fixpak 4 assigns incorrect privileges to the (1 ...) NOT-FOR-US: IBM DB2 CVE-2007-6050 (Unspecified vulnerability in DB2LICD in IBM DB2 UDB 9.1 before Fixpak ...) NOT-FOR-US: IBM DB2 CVE-2007-6049 (Unspecified vulnerability in the SSL LOAD GSKIT action in IBM DB2 UDB ...) NOT-FOR-US: IBM DB2 CVE-2007-6048 (IBM DB2 UDB 9.1 before Fixpak 4 uses incorrect permissions on ACLs for ...) NOT-FOR-US: IBM DB2 CVE-2007-6047 (Unspecified vulnerability in the DB2DART tool in IBM DB2 UDB 9.1 befor ...) NOT-FOR-US: IBM DB2 CVE-2007-6046 (Unspecified vulnerability in unspecified setuid programs in IBM DB2 UD ...) NOT-FOR-US: IBM DB2 CVE-2007-6045 (Unspecified vulnerability in (1) DB2WATCH and (2) DB2FREEZE in IBM DB2 ...) NOT-FOR-US: IBM DB2 CVE-2007-6044 (Multiple unspecified vulnerabilities in IBM WebSphere MQ 6.0 have unkn ...) NOT-FOR-US: IBM WebSphere CVE-2007-6043 (The CryptGenRandom function in Microsoft Windows 2000 generates predic ...) NOT-FOR-US: Windows CVE-2007-6042 (PHP remote file inclusion vulnerability in fehler.inc.php in SWSoft Co ...) NOT-FOR-US: SWSoft Confixx Professional CVE-2007-6041 (Buffer overflow in the Sequencer::queueMessage function in sequencer.c ...) NOT-FOR-US: Rigs of Rods (RoR) CVE-2007-6040 (The Belkin F5D7230-4 Wireless G Router allows remote attackers to caus ...) NOT-FOR-US: Belkin F5D7230-4 Wireless G Router CVE-2007-6039 (PHP 5.2.5 and earlier allows context-dependent attackers to cause a de ...) - php5 5.2.5-1 (unimportant; bug #453295) NOTE: Not a vulnerability per Debian PHP security policy, requires malicious NOTE: script to trigger this issue CVE-2007-6077 (The session fixation protection mechanism in cgi_process.rb in Rails 1 ...) - rails 1.2.6-1 (low; bug #452748) CVE-2007-6111 (Multiple unspecified vulnerabilities in Wireshark (formerly Ethereal) ...) {DTSA-92-1} - wireshark 0.99.7~pre1-1 (low; bug #452381) [etch] - wireshark (Vulnerable code not present) [sarge] - ethereal (Vulnerable code not present) CVE-2007-6112 (Buffer overflow in the PPP dissector Wireshark (formerly Ethereal) 0.9 ...) {DTSA-92-1} - wireshark 0.99.7~pre1-1 (medium; bug #452381) [etch] - wireshark (Vulnerable code not present) [sarge] - ethereal (Vulnerable code not present) CVE-2007-6113 (Integer signedness error in the DNP3 dissector in Wireshark (formerly ...) {DTSA-92-1} - wireshark 0.99.6pre1-1 (low) [etch] - wireshark (Minor issue, exotic dissector, very intrusive backport) CVE-2007-6114 (Multiple buffer overflows in Wireshark (formerly Ethereal) 0.99.0 thro ...) {DSA-1414-1 DTSA-92-1} - wireshark 0.99.7~pre1-1 (medium; bug #452381) [sarge] - ethereal (Vulnerable code not present) CVE-2007-6115 (Buffer overflow in the ANSI MAP dissector for Wireshark (formerly Ethe ...) {DTSA-92-1} - wireshark 0.99.7~pre1-1 (medium; bug #452381) [etch] - wireshark (Vulnerable code not present) [sarge] - ethereal (Vulnerable code not present) CVE-2007-6116 (The Firebird/Interbase dissector in Wireshark (formerly Ethereal) 0.99 ...) {DTSA-92-1} - wireshark 0.99.7~pre1-1 (low; bug #452381) [etch] - wireshark (Vulnerable code not present) [sarge] - ethereal (Vulnerable code not present) CVE-2007-6117 (Unspecified vulnerability in the HTTP dissector for Wireshark (formerl ...) {DSA-1414-1 DTSA-92-1} - wireshark 0.99.7~pre1-1 (bug #452381) [sarge] - ethereal (Vulnerable code not present) CVE-2007-6118 (The MEGACO dissector in Wireshark (formerly Ethereal) 0.9.14 to 0.99.6 ...) {DSA-1414-1 DTSA-92-1} - wireshark 0.99.7~pre1-1 (low; bug #452381) CVE-2007-6119 (The DCP ETSI dissector in Wireshark (formerly Ethereal) 0.99.6 allows ...) {DTSA-92-1} - wireshark 0.99.7~pre1-1 (low; bug #452381) [etch] - wireshark (Vulnerable code not present) [sarge] - ethereal (Vulnerable code not present) CVE-2007-6120 (The Bluetooth SDP dissector Wireshark (formerly Ethereal) 0.99.2 to 0. ...) {DSA-1414-1 DTSA-92-1} - wireshark 0.99.7~pre1-1 (low; bug #452381) [sarge] - ethereal (Vulnerable code not present) CVE-2007-6121 (Wireshark (formerly Ethereal) 0.8.16 to 0.99.6 allows remote attackers ...) {DSA-1414-1 DTSA-92-1} - wireshark 0.99.7~pre1-1 (low; bug #452381) CVE-2007-6038 (PHP remote file inclusion vulnerability in xajax_functions.php in the ...) NOT-FOR-US: Joomla! extension CVE-2007-6037 (Cross-site scripting (XSS) vulnerability in ws/generic_api_call.pl in ...) NOT-FOR-US: Citrix NetScaler CVE-2007-6036 (The parseRTSPRequestString function in LIVE555 Media Server 2007.11.01 ...) NOT-FOR-US: LIVE555 Media Server CVE-2007-6034 REJECTED CVE-2007-6033 (Invensys Wonderware InTouch 8.0 creates a NetDDE share with insecure p ...) NOT-FOR-US: Invensys Wonderware InTouch CVE-2007-6032 (SQL injection vulnerability in calendar/page.asp in Aleris Web Publish ...) NOT-FOR-US: Aleris Web Publishing Server CVE-2007-6031 (Unspecified vulnerability in VanDyke VShell 3.0.1 allows remote attack ...) NOT-FOR-US: VanDyke VShell CVE-2007-6030 (Unspecified vulnerability in Weird Solutions BOOTPTurbo 1.2 has unknow ...) NOT-FOR-US: Weird Solutions BOOTPTurbo CVE-2007-6029 (Unspecified vulnerability in ClamAV 0.91.1 and 0.91.2 allows remote at ...) NOTE: this information is based upon a vague advisory by a vulnerability NOTE: information sales organization that does not coordinate with vendors or NOTE: release actionable advisories. So maybe it is not fixed _but_ since it is NOTE: not disclosed it would be hard to fix and track it. CVE-2007-6028 (Multiple stack-based buffer overflows in the VSFlexGrid.VSFlexGridL Ac ...) NOT-FOR-US: ComponentOne FlexGrid CVE-2007-6027 (PHP remote file inclusion vulnerability in admin.jjgallery.php in the ...) NOT-FOR-US: Joomla! extension CVE-2007-6026 (Stack-based buffer overflow in Microsoft msjet40.dll 4.0.8618.0 (aka M ...) NOT-FOR-US: Microsoft Jet Engine CVE-2007-6025 (Stack-based buffer overflow in driver_wext.c in wpa_supplicant 0.6.0 a ...) - wpasupplicant 0.6.0-4 [etch] - wpasupplicant (Vulnerable code not present) [sarge] - wpasupplicant (Vulnerable code not present) CVE-2007-6024 RESERVED CVE-2007-6023 RESERVED CVE-2007-6022 RESERVED CVE-2007-6021 (Heap-based buffer overflow in Adobe PageMaker 7.0.1 and 7.0.2 allows u ...) NOT-FOR-US: Adobe PageMaker CVE-2007-6020 (Multiple stack-based buffer overflows in foliosr.dll in the Folio Flat ...) NOT-FOR-US: KeyView CVE-2007-6019 (Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier, al ...) - flashplugin-nonfree 1:1.4 CVE-2007-6018 (IMP Webmail Client 4.1.5, Horde Application Framework 3.1.5, and Horde ...) {DSA-1470-1} - horde3 3.1.6-1 (bug #461131; low) - imp4 (xss.php is only present in horde3 package) CVE-2007-6017 (The PVATLCalendar.PVCalendar.1 ActiveX control in pvcalendar.ocx in th ...) NOT-FOR-US: Symantec Backup Exec CVE-2007-6016 (Multiple stack-based buffer overflows in the PVATLCalendar.PVCalendar. ...) NOT-FOR-US: Symantec Backup Exec CVE-2007-6015 (Stack-based buffer overflow in the send_mailslot function in nmbd in S ...) {DSA-1427-1 DTSA-100-1} - samba 3.0.28-1 (high) CVE-2007-6014 (SQL injection vulnerability in post.php in Beehive Forum 0.7.1 and ear ...) NOT-FOR-US: Beehive Forum CVE-2007-6013 (Wordpress 1.5 through 2.3.1 uses cookie values based on the MD5 hash o ...) - wordpress 2.5.0-1 (low; bug #452251) [etch] - wordpress (Minor issue) NOTE: if untrusted people are allowed to read the database they could still NOTE: crack the hash with more work, so maybe this is unimportant? CVE-2007-6012 (SQL injection vulnerability in SearchR.asp in DocuSafe 4.1.0 and 4.1.2 ...) NOT-FOR-US: DocuSafe CVE-2004-2757 (Cross-site scripting (XSS) vulnerability in the failed login page in N ...) NOT-FOR-US: Novell iChain CVE-2004-2756 (Cross-site scripting (XSS) vulnerability in viewtopic.php in Xoops 2.x ...) NOT-FOR-US: Xoops CVE-2002-2426 (Cross-site request forgery (CSRF) vulnerability in Citrix Presentation ...) NOT-FOR-US: predating security tracker CVE-2007-6035 (SQL injection vulnerability in graph.php in Cacti before 0.8.7a allows ...) {DSA-1418-1} - cacti 0.8.7a-1 (medium; bug #452085) CVE-2007-6011 (Unspecified vulnerability in main.php of BugHotel Reservation System b ...) NOT-FOR-US: BugHotel CVE-2007-6010 (Unspecified vulnerability in pioneers (formerly gnocatan) 0.11.3 allow ...) {DTSA-89-1} - pioneers 0.11.3-2 (low; bug #449541) [etch] - pioneers (Minor issue) CVE-2007-6009 (Multiple buffer overflows in ACD products allow user-assisted remote a ...) NOT-FOR-US: ACD products CVE-2007-6008 (Heap-based buffer overflow in emlsr.dll before 2.0.0.4 in Autonomy (fo ...) NOT-FOR-US: Autonomy CVE-2007-6007 (Integer overflow in the ID_PSP.apl plug-in for ACD ACDSee Photo Manage ...) NOT-FOR-US: Pro Photo Manager CVE-2007-6006 (TestLink before 1.7.1 does not enforce an unspecified authorization me ...) NOT-FOR-US: TestLink CVE-2007-6005 (Unspecified vulnerability in the GpcContainer.GpcContainer.1 ActiveX c ...) NOT-FOR-US: WebEx CVE-2007-6004 (Multiple SQL injection vulnerabilities in index.php in Toko Instan 7.6 ...) NOT-FOR-US: Toko Instan CVE-2007-6003 (Cross-site scripting (XSS) vulnerability in cgi/b/ic/connect in the Th ...) NOT-FOR-US: SpeedTouch CVE-2007-6002 (Cross-site scripting (XSS) vulnerability in Fenriru (1) Sleipnir 2.5.1 ...) NOT-FOR-US: Fenriru CVE-2007-6001 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Ba ...) - bandersnatch (low; bug #435709) CVE-2007-6000 (KDE Konqueror 3.5.6 and earlier allows remote attackers to cause a den ...) - kdebase (unimportant; bug #451794) NOTE: not reproducible with 4:3.5.8.dfsg.1-1, poked maintainer NOTE: it seems konqueror only treats the cookie value until some special length NOTE: as cookie, after this length it will open the rest as site content. This eats alot NOTE: ram and cpu but depending on how much ram the system has, konqueror will die after NOTE: no memory is left, not treated as security problem. CVE-2007-5999 (SQL injection vulnerability in product_desc.php in Softbiz Auctions Sc ...) NOT-FOR-US: Softbiz CVE-2007-5998 (SQL injection vulnerability in ads.php in Softbiz Ad Management plus S ...) NOT-FOR-US: Softbiz CVE-2007-5997 (SQL injection vulnerability in campaign_stats.php in Softbiz Banner Ex ...) NOT-FOR-US: Softbiz Banner Exchange Network Script CVE-2007-5996 (SQL injection vulnerability in searchresult.php in Softbiz Link Direct ...) NOT-FOR-US: Softbiz Link Directory Script CVE-2007-5995 (PHP remote file inclusion vulnerability in examples/patExampleGen/bbco ...) NOT-FOR-US: patBBcode CVE-2007-5994 (PHP remote file inclusion vulnerability in check_noimage.php in Fritz ...) NOT-FOR-US: php photo album CVE-2007-5993 (Cross-site scripting (XSS) vulnerability in Visionary Technology in Li ...) NOT-FOR-US: vtls CVE-2007-5992 (SQL injection vulnerability in index.php in datecomm Social Networking ...) NOT-FOR-US: Social Networking Script CVE-2007-5991 (SQL injection vulnerability in index.php in ExoPHPdesk allows remote a ...) NOT-FOR-US: ExoPHPdesk CVE-2007-5990 (Cross-site scripting (XSS) vulnerability in ExoPHPdesk allows remote a ...) NOT-FOR-US: ExoPHPdesk CVE-2006-7230 (Perl-Compatible Regular Expression (PCRE) library before 7.0 does not ...) {DSA-1570-1} - pcre3 7.0-1 - kazehakase 0.5.2-1 [sarge] - pcre3 4.5+7.4-1 [etch] - pcre3 6.7+7.4-2 CVE-2004-2755 (Cross-site scripting (XSS) vulnerability in Symantec Web Security 2.5, ...) NOT-FOR-US: Symantec Web Security CVE-2004-2754 (SQL injection vulnerability in SSI.php in YaBB SE 1.5.4, 1.5.3, and po ...) NOT-FOR-US: YaBB CVE-2007-5989 (Unspecified vulnerability in the skype4com URI handler in Skype before ...) NOT-FOR-US: Skype CVE-2007-5988 (blocks/shoutbox_block.php in BtiTracker 1.4.4 does not verify user acc ...) NOT-FOR-US: BtiTracker CVE-2007-5987 (details.php in BtiTracker before 1.4.5, when torrent viewing is disabl ...) NOT-FOR-US: BtiTracker CVE-2007-5986 (SQL injection vulnerability in include/functions.php in BtiTracker bef ...) NOT-FOR-US: BtiTracker CVE-2007-5985 (Multiple cross-site scripting (XSS) vulnerabilities in BtiTracker befo ...) NOT-FOR-US: BtiTracker CVE-2007-5984 (classes/Url.php in Justin Hagstrom AutoIndex PHP Script before 2.2.4 a ...) NOT-FOR-US: AutoIndex CVE-2007-5983 (Cross-site scripting (XSS) vulnerability in index.php in Justin Hagstr ...) NOT-FOR-US: AutoIndex CVE-2007-5982 (Multiple cross-site scripting (XSS) vulnerabilities in X7 Chat 2.0.4, ...) NOT-FOR-US: X7 Chat CVE-2007-5981 (Lantronix SCS3200 does not properly handle public-key requests, which ...) NOT-FOR-US: Lantronix CVE-2007-5980 (Cross-site scripting (XSS) vulnerability in home/rss.php in eggblog be ...) NOT-FOR-US: eggblog CVE-2007-5979 (Cross-site scripting (XSS) vulnerability in download_plugin.php3 in F5 ...) NOT-FOR-US: F5 Firepass CVE-2007-5978 (SQL injection vulnerability in brokenlink.php in the mylinks module fo ...) NOT-FOR-US: XOOPS CVE-2007-5977 (Cross-site scripting (XSS) vulnerability in db_create.php in phpMyAdmi ...) - phpmyadmin 4:2.11.2.1-1 (unimportant; bug #451465) [etch] - phpmyadmin (Vulnerable code not present) [sarge] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2007-7/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/83adea5d6f79640648d3d5384c910820f1d085c3 NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/6225d4533abb0ffee0c985354326295a746cc79e CVE-2007-5976 (SQL injection vulnerability in db_create.php in phpMyAdmin before 2.11 ...) - phpmyadmin 4:2.11.2.1-1 (unimportant; bug #451465) CVE-2007-5975 (SQL injection vulnerability in index.php in TBSource, as used in (1) T ...) NOT-FOR-US: TBSource CVE-2007-5974 (SQL injection vulnerability in mailer.php in JPortal 2 allows remote a ...) NOT-FOR-US: JPortal CVE-2007-5973 (SQL injection vulnerability in articles.php in JPortal 2.3.1 and earli ...) NOT-FOR-US: JPortal CVE-2007-5972 (Double free vulnerability in the krb5_def_store_mkey function in lib/k ...) - krb5 1.6.dfsg.4~beta1-1 (unimportant; bug #454974) NOTE: potential attackers must have privileges to store the krb5kdc master key NOTE: http://mailman.mit.edu/pipermail/kerberos/2007-December/012717.html CVE-2007-5971 (Double free vulnerability in the gss_krb5int_make_seal_token_v3 functi ...) - krb5 1.6.dfsg.4~beta1-1 (unimportant; bug #454974) NOTE: Not exploitable in real-world circumstances: NOTE: http://mailman.mit.edu/pipermail/kerberos/2007-December/012717.html CVE-2007-5970 (MySQL 5.1.x before 5.1.23 and 6.0.x before 6.0.4 allows remote authent ...) - mysql-dfsg-5.0 (Vulnerable code not present referring to maintainer) - mysql-dfsg-4.1 - mysql-dfsg NOTE: version in experimental is affected by this NOTE: the debian maintainers do not yet have access to this issue: http://lists.mysql.com/packagers/377 CVE-2007-5969 (MySQL Community Server 5.0.x before 5.0.51, Enterprise Server 5.0.x be ...) {DSA-1451-1} - mysql-dfsg-5.0 5.0.45-4 (low; bug #455010) - mysql-dfsg-4.1 CVE-2007-5968 REJECTED CVE-2007-5967 RESERVED CVE-2007-5966 (Integer overflow in the hrtimer_start function in kernel/hrtimer.c in ...) {DSA-1436-1} - linux-2.6 2.6.23-2 CVE-2007-5965 (QSslSocket in Trolltech Qt 4.3.0 through 4.3.2 does not properly verif ...) - qt4-x11 4.3.3-1 [etch] - qt4-x11 (Vulnerable code was introduced in 4.3) - qt-x11-free (Vulnerable code was introduced in 4.3) CVE-2007-5964 (The default configuration of autofs 5 in some Linux distributions, suc ...) - autofs 3.1.4-8 (medium) - autofs5 5.0.3-1 CVE-2007-5963 (Unspecified vulnerability in kdebase allows local users to cause a den ...) - kdebase (unimportant) NOTE: This has only theoretical security impact CVE-2007-5962 (Memory leak in a certain Red Hat patch, applied to vsftpd 2.0.5 on Red ...) - vsftpd (Vulnerability in Red Hat-specific patch) CVE-2007-5961 (Cross-site scripting (XSS) vulnerability in the Red Hat Network channe ...) NOT-FOR-US: Red Hat Network channel search feature CVE-2007-5960 (Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 sets the Re ...) {DSA-1506-1 DSA-1425-1 DSA-1424-1} - iceweasel 2.0.0.10-1 - iceape 1.1.7-1 - xulrunner 1.8.1.11-1 NOTE: MFSA2007-39 CVE-2007-5959 (Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.1 ...) {DSA-1506-1 DSA-1425-1 DSA-1424-1} - iceweasel 2.0.0.10-1 - iceape 1.1.7-1 - xulrunner 1.8.1.11-1 NOTE: MFSA2007-38 CVE-2007-5958 (X.Org Xserver before 1.4.1 allows local users to determine the existen ...) {DSA-1466-2 DTSA-110-1} - xorg-server 2:1.4.1~git20080105-2 CVE-2006-7229 (The skge driver 1.5 in Linux kernel 2.6.15 on Ubuntu does not properly ...) - linux-2.6 2.6.20-1 [etch] - linux-2.6 (Ubuntu-specific regression) CVE-2006-7228 (Integer overflow in Perl-Compatible Regular Expression (PCRE) library ...) {DSA-1570-1} - pcre3 6.2-1 - kazehakase 0.5.2-1 [sarge] - pcre3 4.5+7.4-1 NOTE: http://www.pcre.org/changelog.txt states fixed in 6.2 CVE-2006-7227 (Integer overflow in Perl-Compatible Regular Expression (PCRE) library ...) {DSA-1570-1} - pcre3 6.2-1 - kazehakase 0.5.2-1 [sarge] - pcre3 4.5+7.4-1 NOTE: http://www.pcre.org/changelog.txt states fixed in 6.2 CVE-2005-4872 (Perl-Compatible Regular Expression (PCRE) library before 6.2 does not ...) - pcre3 6.2-1 [sarge] - pcre3 4.5+7.4-1 NOTE: http://www.pcre.org/changelog.txt states fixed in 6.2 CVE-2007-5957 (Unspecified vulnerability in IBM Informix Dynamic Server (IDS) 10.00.T ...) NOT-FOR-US: IBM Informix Dynamic Server CVE-2007-5956 (Directory traversal vulnerability in IBM Informix Dynamic Server (IDS) ...) NOT-FOR-US: IBM Informix Dynamic Server CVE-2007-5955 (Cross-site scripting (XSS) vulnerability in updir.php in UPDIR.NET bef ...) NOT-FOR-US: UPDIR.NET CVE-2007-5954 (Cross-site scripting (XSS) vulnerability in buscador.php in JLMForo Sy ...) NOT-FOR-US: JLMForo System CVE-2007-5953 (Unspecified vulnerability in Really Simple CalDAV Store (RSCDS) before ...) NOT-FOR-US: Really Simple CalDAV Store CVE-2007-5952 (Cross-site scripting (XSS) vulnerability in admin/index.php in Helios ...) NOT-FOR-US: Helios Calendar CVE-2007-5951 (SQL injection vulnerability in articles.php in E-Vendejo 0.2 allows re ...) NOT-FOR-US: E-Vendejo CVE-2007-5950 (Cross-site scripting (XSS) vulnerability in NetCommons before 1.0.11, ...) NOT-FOR-US: NetCommons CVE-2007-5949 (Cross-site scripting (XSS) vulnerability in IBM Tivoli Service Desk 6. ...) NOT-FOR-US: IBM Tivoli Service Desk CVE-2007-5948 (Multiple cross-site scripting (XSS) vulnerabilities in main.php in SF- ...) NOT-FOR-US: SF-Shoutbox CVE-2007-5947 (The jar protocol handler in Mozilla Firefox before 2.0.0.10 and SeaMon ...) {DSA-1506-1 DSA-1425-1 DSA-1424-1} - iceweasel 2.0.0.10-1 (low; bug #451624) - iceape 1.1.7-1 - xulrunner 1.8.1.11-1 NOTE: MFSA2007-37 CVE-2007-5946 (Unspecified vulnerability in the Aries PA-RISC emulator on HP-UX B.11. ...) NOT-FOR-US: HP-UX CVE-2007-5945 (USVN before 0.6.5 allows remote attackers to obtain a list of reposito ...) NOT-FOR-US: usvn CVE-2007-5944 (Cross-site scripting (XSS) vulnerability in Servlet Engine / Web Conta ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2007-5943 (Simple Machines Forum (SMF) 1.1.4 allows remote attackers to read a me ...) NOT-FOR-US: Simple Machines Forum CVE-2007-5942 (Bandersnatch 0.4 allows remote attackers to obtain sensitive informati ...) - bandersnatch (unimportant; bug #451365) NOTE: Installation path disclosure not treated as a security issue CVE-2007-5941 (Stack-based buffer overflow in the SWCtl.SWCtl ActiveX control in Adob ...) NOT-FOR-US: Adobe Shockwave CVE-2007-5940 (feynmf.pl in feynmf 1.08, as used in TeXLive 2007, allows local users ...) - texlive-bin 2005.dfsg.2-1 - feynmf 1.08-1 CVE-2007-5939 (The gss_userok function in appl/ftp/ftpd/gss_userok.c in Heimdal 0.7.2 ...) - heimdal (vulnerable code not present, ticketfile is just unlinked which is ok) CVE-2007-5938 (The iwl_set_rate function in compatible/iwl3945-base.c in iwlwifi 1.1. ...) - linux-2.6 2.6.23-2 [etch] - linux-2.6 (Vulnerable code not present) NOTE: we ship the iwl code in /debian/patches/features/all/v7-iwlwifi-add-iwlwifi-wireless-drivers.patch CVE-2007-5937 (Multiple buffer overflows in dvi2xx.c in dviljk in teTeX and TeXlive 2 ...) - texlive-bin 2007-13 [etch] - texlive-bin (Minor issue) CVE-2007-5936 (dvips in teTeX and TeXlive 2007 and earlier allows local users to obta ...) - texlive-bin 2007-13 [etch] - texlive-bin (Minor issue) CVE-2007-5935 (Stack-based buffer overflow in hpc.c in dvips in teTeX and TeXlive 200 ...) {DTSA-97-1} - texlive-bin 2007.dfsg.1-1 [etch] - texlive-bin (Minor issue) CVE-2007-5934 (The LOB functionality in PEAR MDB2 before 2.5.0a1 interprets a request ...) - php-mdb2 2.5.0b2-1 CVE-2007-5933 (Pioneers (formerly gnocatan) before 0.11.3 allows remote attackers to ...) {DTSA-89-1} - pioneers 0.11.3-2 (low; bug #449541) [etch] - pioneers (Minor issue) CVE-2006-7226 (Perl-Compatible Regular Expression (PCRE) library before 6.7 does not ...) - pcre3 6.7-1 - glib2.0 2.14.3-1 (unimportant) NOTE: glib only embeds pcre in the udeb, no attack vector [sarge] - pcre3 4.5+7.4-1 [etch] - pcre3 6.7+7.4-2 CVE-2006-7225 (Perl-Compatible Regular Expression (PCRE) library before 6.7 allows co ...) - pcre3 6.7-1 - glib2.0 2.14.3-1 (unimportant) NOTE: glib only embeds pcre in the udeb, no attack vector [sarge] - pcre3 4.5+7.4-1 [etch] - pcre3 6.7+7.4-2 CVE-2004-2753 (Unspecified vulnerability in SharedX in HP-UX B.11.00, B.11.11, and B. ...) NOT-FOR-US: HP-UX CVE-2004-2752 (Cross-site scripting (XSS) vulnerability in the Downloads module in Po ...) NOT-FOR-US: PostNuke CVE-2004-2751 (SQL injection vulnerability in the members_list module in PostNuke 0.7 ...) NOT-FOR-US: PostNuke CVE-2004-2750 (Directory traversal vulnerability in browser.php in JBrowser 1.0 throu ...) NOT-FOR-US: JBrowser CVE-2004-2749 (Directory traversal vulnerability in wra/public/wralogin in 2Wire Gate ...) NOT-FOR-US: 2Wire Gateway CVE-2003-1537 (Directory traversal vulnerability in PostNuke 0.723 and earlier allows ...) NOT-FOR-US: PostNuke CVE-2007-5932 (Multiple cross-site scripting (XSS) vulnerabilities in Fatwire Content ...) NOT-FOR-US: Fatwire Content Server CVE-2007-5931 (The reDirect function in lib/controllers/RepViewController.php in Oran ...) NOT-FOR-US: OrangeHRM CVE-2007-5930 (Cross-site scripting (XSS) vulnerability in the web interface in Cerbe ...) NOT-FOR-US: Cerberus Ftp Server CVE-2007-5929 (Buffer overflow in OpenBase 10.0.5 and earlier might allow remote auth ...) NOT-FOR-US: OpenBase CVE-2007-5928 (OpenBase 10.0.5 and earlier allows remote authenticated users to trigg ...) NOT-FOR-US: OpenBase CVE-2007-5927 (Directory traversal vulnerability in OpenBase 10.0.5 and earlier allow ...) NOT-FOR-US: OpenBase CVE-2007-5926 (OpenBase 10.0.5 and earlier allows remote authenticated users to execu ...) NOT-FOR-US: OpenBase CVE-2007-5925 (The convert_search_mode_to_innobase function in ha_innodb.cc in the In ...) {DSA-1413-1 DTSA-91-1} - mysql-dfsg-5.0 5.0.45-3 (medium; bug #451235) - mysql-dfsg-4.1 - mysql-dfsg CVE-2007-5924 (Cross-site scripting (XSS) vulnerability in the Web Server (HTTP) task ...) NOT-FOR-US: IBM Lotus Domino CVE-2007-5923 (Cross-site scripting (XSS) vulnerability in forms/smpwservices.fcc in ...) NOT-FOR-US: eTrust SiteMinder Agent CVE-2007-5922 (The modules/mdop.m in the Cypress 1.0k script for BitchX, as downloade ...) - ircii-pana (Does not ship this script) CVE-2007-5921 (Unspecified vulnerability in the ioctl interface in the Solaris Volume ...) NOT-FOR-US: Solaris CVE-2007-5920 (index.php in Domenico Mancini PicoFlat CMS before 0.4.18 allows remote ...) NOT-FOR-US: Domenico Mancini PicoFlat CMS CVE-2007-5919 (MyWebFTP, possibly 5.3.2, stores sensitive information under the web r ...) NOT-FOR-US: MyWebFTP CVE-2007-5918 (Cross-site request forgery (CSRF) vulnerability in edit.php in the MS ...) NOT-FOR-US: MS TopSites CVE-2007-5917 (Cross-site request forgery (CSRF) vulnerability in admin/admin_account ...) NOT-FOR-US: Skalinks CVE-2007-5916 (SQL injection vulnerability in the login page in phphelpdesk 0.6.16 al ...) NOT-FOR-US: phphelpdesk CVE-2007-5915 (Directory traversal vulnerability in index.php in phphelpdesk 0.6.16 a ...) NOT-FOR-US: phphelpdesk CVE-2007-5914 (Direct static code injection vulnerability in dirsys/modules/config/po ...) NOT-FOR-US: JBC Explorer CVE-2007-5913 (dirsys/modules/auth.php in JBC Explorer 7.20 RC1 and earlier does not ...) NOT-FOR-US: JBC Explorer CVE-2007-5912 (SQL injection vulnerability in mailer.php in jPORTAL 2 allows remote a ...) NOT-FOR-US: jPORTAL CVE-2007-5911 (Multiple stack-based buffer overflows in the AxMetaStream ActiveX cont ...) NOT-FOR-US: Viewpoint Media Player CVE-2007-5910 (Stack-based buffer overflow in Autonomy (formerly Verity) KeyView View ...) NOT-FOR-US: IBM Lotus Notes, Symantec Mail Security, and others CVE-2007-5909 (Multiple stack-based buffer overflows in Autonomy (formerly Verity) Ke ...) NOT-FOR-US: IBM Lotus Notes, Symantec Mail Security, and others CVE-2007-5908 REJECTED CVE-2007-5907 (Xen 3.1.1 does not prevent modification of the CR4 TSC from applicatio ...) - xen-3 3.1.2-1 (unimportant; bug #451626) - xen-3.0 (unimportant) NOTE: CONFIG_SECCOMP isn't activated in Debian kernels CVE-2007-5906 (Xen 3.1.1 allows virtual guest system users to cause a denial of servi ...) - xen-3 3.1.2-1 (medium; bug #451626) - xen-3.0 CVE-2007-5905 (Adobe ColdFusion 8 and MX 7 allows remote attackers to hijack sessions ...) NOT-FOR-US: Adobe ColdFusion CVE-2007-5904 (Multiple buffer overflows in CIFS VFS in Linux kernel 2.6.23 and earli ...) {DSA-1428-1} - linux-2.6 2.6.24-1 - linux-2.6.24 (Fixed before initial upload, upstream in 2.6.24) NOTE: Upstream commit 133672efbc1085f9af990bdc145e1822ea93bcf3 CVE-2007-5903 RESERVED CVE-2007-5902 (Integer overflow in the svcauth_gss_get_principal function in lib/rpc/ ...) - krb5 1.6.dfsg.4~beta1-1 (unimportant; bug #454974) NOTE: Not exploitable in real-world circumstances: NOTE: http://mailman.mit.edu/pipermail/kerberos/2007-December/012717.html CVE-2007-5901 (Use-after-free vulnerability in the gss_indicate_mechs function in lib ...) - krb5 1.6.dfsg.4~beta1-1 (unimportant; bug #454974) NOTE: Not exploitable in real-world circumstances: NOTE: http://mailman.mit.edu/pipermail/kerberos/2007-December/012717.html CVE-2007-5900 (PHP before 5.2.5 allows local users to bypass protection mechanisms co ...) NOTE: Apparently a dupe of CVE-2007-4659 due to temporary revoke of the patch NOTE: from CVS and later re-introduction NOTE: http://bugs.php.net/bug.php?id=41561 CVE-2007-5899 (The output_add_rewrite_var function in PHP before 5.2.5 rewrites local ...) {DSA-1444-1} - php5 5.2.5-1 (bug #453295) NOTE: http://cvs.php.net/viewvc.cgi/php-src/ext/standard/url_scanner_ex.re?r1=1.76.2.2.2.1&r2=1.76.2.2.2.2&view=patch NOTE: fixed in php5/etch svn CVE-2007-5898 (The (1) htmlentities and (2) htmlspecialchars functions in PHP before ...) {DSA-1444-1} - php5 5.2.5-1 (bug #453295) NOTE: http://cvs.php.net/viewvc.cgi/php-src/ext/standard/html.c?r1=1.111.2.2.2.14&r2=1.111.2.2.2.15&view=patch NOTE: fixed in php5/etch svn CVE-2007-5897 (Buffer overflow in MDSYS.SDO_CS in Oracle Database Server 8iR3, 9iR1, ...) NOT-FOR-US: Oracle CVE-2007-5896 (Mozilla Firefox 2.0.0.9 allows remote attackers to cause a denial of s ...) - iceweasel (unimportant) NOTE: Browser crashes not treated as security problems CVE-2007-5895 RESERVED CVE-2007-5894 - krb5 1.6.dfsg.4~beta1-1 (unimportant; bug #454974) NOTE: Not exploitable in real-world circumstances: NOTE: http://mailman.mit.edu/pipermail/kerberos/2007-December/012717.html CVE-2006-7224 REJECTED CVE-2004-2748 (viewreport.pl in NetIQ WebTrends Reporting Center Enterprise Edition 6 ...) NOT-FOR-US: WebTrends Reporting Center CVE-2004-2747 (Directory traversal vulnerability in Pablo Software Solutions Quick 'n ...) NOT-FOR-US: Quick 'n Easy FTP Server (Windows only) CVE-2004-2746 (SQL injection vulnerability in adminlogin.asp in XTREME ASP Photo Gall ...) NOT-FOR-US: XTREME ASP Photo Gallery CVE-2003-1536 (Multiple cross-site scripting (XSS) vulnerabilities in Codeworx Techno ...) NOT-FOR-US: Codeworx Technologies DCP-Portal CVE-2003-1535 (Justice Guestbook 1.3 allows remote attackers to obtain the full insta ...) NOT-FOR-US: Justice Guestbook CVE-2003-1534 (Cross-site scripting (XSS) vulnerability in jgb.php3 in Justice Guestb ...) NOT-FOR-US: Justice Guestbook CVE-2003-1533 (SQL injection vulnerability in accesscontrol.php in PhpPass 2 allows r ...) NOT-FOR-US: PhpPass CVE-2003-1532 (SQL injection vulnerability in compte.php in PhpMyShop 1.00 allows rem ...) NOT-FOR-US: PhpMyShop CVE-2003-1531 (Cross-site scripting (XSS) vulnerability in testcgi.exe in Lilikoi Sof ...) NOT-FOR-US: Lilikoi Software Ceilidh CVE-2003-1530 (SQL injection vulnerability in privmsg.php in phpBB 2.0.3 and earlier ...) - phpbb2 (Vulnerable versions too old to have been in Debian) CVE-2003-1529 (Directory traversal vulnerability in Seagull Software Systems J Walk a ...) NOT-FOR-US: Seagull Software Systems J Walk CVE-2003-1528 (nsr_shutdown in Fujitsu Siemens NetWorker 6.0 allows local users to ov ...) NOT-FOR-US: Fujitsu Siemens NetWorker CVE-2007-5893 (HTTPSocket.cpp in the C++ Sockets Library before 2.2.5 allows remote a ...) NOT-FOR-US: Sockets Library CVE-2007-5892 (Stack-based buffer overflow in the pdg2.dll ActiveX control in SSReade ...) NOT-FOR-US: SSReader CVE-2007-5891 (Multiple cross-site scripting (XSS) vulnerabilities in jsp/Login.do in ...) NOT-FOR-US: ManageEngine OpManager and OpManager CVE-2007-5890 (Directory traversal vulnerability in index.php in easyGB 2.1.1 allows ...) NOT-FOR-US: easyGB CVE-2007-5889 (Multiple PHP remote file inclusion vulnerabilities in IDMOS 1.0 Alpha ...) NOT-FOR-US: IDMOS CVE-2007-5888 (Cross-site scripting (XSS) vulnerability in displayecard.php in Copper ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2007-5887 (SQL injection vulnerability in boards/printer.asp in ASP Message Board ...) NOT-FOR-US: ASP Message Board CVE-2007-5886 RESERVED CVE-2007-5885 RESERVED CVE-2007-5884 RESERVED CVE-2007-5883 RESERVED CVE-2007-5882 RESERVED CVE-2007-5881 RESERVED CVE-2007-5880 RESERVED CVE-2007-5879 RESERVED CVE-2007-5878 RESERVED CVE-2007-5877 RESERVED CVE-2007-5876 RESERVED CVE-2007-5875 RESERVED CVE-2007-5874 RESERVED CVE-2007-5873 RESERVED CVE-2007-5872 RESERVED CVE-2007-5871 RESERVED CVE-2007-5870 RESERVED CVE-2007-5869 RESERVED CVE-2007-5868 RESERVED CVE-2007-5867 RESERVED CVE-2007-5866 RESERVED CVE-2007-5865 RESERVED CVE-2007-5864 RESERVED CVE-2007-5863 (Software Update in Apple Mac OS X 10.5.1 allows remote attackers to ex ...) NOT-FOR-US: Apple Mac OS X CVE-2007-5862 (Java in Mac OS X 10.4 through 10.4.11 allows remote attackers to bypas ...) NOT-FOR-US: Cisco IP Phone 7940 CVE-2007-5861 (Unspecified vulnerability in Spotlight in Apple Mac OS X 10.4.11 allow ...) NOT-FOR-US: Apple Mac OS X CVE-2007-5860 (Unspecified vulnerability in Spin Tracer in Apple Mac OS X 10.5.1 allo ...) NOT-FOR-US: Spin Tracer (Apple Mac OS X) CVE-2007-5859 (Unspecified vulnerability in Safari RSS in Apple Mac OS X 10.4.11 allo ...) NOT-FOR-US: Safari RSS (Apple Mac OS X) CVE-2007-5858 (WebKit in Safari in Apple Mac OS X 10.4.11 and 10.5.1, iPhone 1.0 thro ...) NOT-FOR-US: Safari (Apple Mac OS X) CVE-2007-5857 (Quick Look in Apple Mac OS X 10.5.1 does not prevent a movie from acce ...) NOT-FOR-US: Quick Look (Apple Mac OS X) CVE-2007-5856 (Quick Look Apple Mac OS X 10.5.1, when previewing an HTML file, does n ...) NOT-FOR-US: Quick Look (Apple Mac OS X) CVE-2007-5855 (Mail in Apple Mac OS X 10.4.11 and 10.5.1, when an SMTP account has be ...) NOT-FOR-US: Mail (Apple Mac OS X) CVE-2007-5854 (Launch Services in Apple Mac OS X 10.4.11 and 10.5.1 does not treat HT ...) NOT-FOR-US: Launch Services (Apple Mac OS X) CVE-2007-5853 (Unspecified vulnerability in IO Storage Family in Apple Mac OS X 10.4. ...) NOT-FOR-US: IO Storage Family (Apple Mac OS X) CVE-2007-5852 RESERVED CVE-2007-5851 (iChat in Apple Mac OS X 10.4.11 allows network-adjacent remote attacke ...) NOT-FOR-US: iChat (Apple Mac OS X) CVE-2007-5850 (Heap-based buffer overflow in Desktop Services in Apple Mac OS X 10.4. ...) NOT-FOR-US: Desktop Services (Apple Mac OS X) CVE-2007-5849 (Integer underflow in the asn1_get_string function in the SNMP back end ...) {DSA-1437-1} - cupsys 1.3.5-1 (medium; bug #457453) - cups 1.3.5-1 (medium; bug #457453) [sarge] - cupsys (Vulnerable code not present) CVE-2007-5848 (Buffer overflow in CUPS in Apple Mac OS X 10.4.11 allows local admin u ...) - cupsys 1.2.0 - cups 1.2.0 NOTE: This only affects the Cups 1.1 series [sarge] - cupsys (Minor issue, may only lead to an infinite loop) CVE-2007-5847 (Race condition in the CFURLWriteDataAndPropertiesToResource API in Cor ...) NOT-FOR-US: Core Foundation (Apple Mac OS X) CVE-2007-5846 (The SNMP agent (snmp_agent.c) in net-snmp before 5.4.1 allows remote a ...) {DSA-1483-1 DTSA-88-1} - net-snmp 5.4.1~dfsg-1 NOTE: 5.4.1 already includes a fix by the upstream author CVE-2007-5845 (Directory traversal vulnerability in error.php in GuppY 4.6.3, 4.5.16, ...) NOT-FOR-US: GuppY CVE-2007-5844 (Directory traversal vulnerability in inc/includes.inc in GuppY 4.6.3 a ...) NOT-FOR-US: GuppY CVE-2007-5843 (PHP remote file inclusion vulnerability in includes/common.php in scWi ...) NOT-FOR-US: scWiki CVE-2007-5842 (Multiple PHP remote file inclusion vulnerabilities in Vortex Portal 1. ...) NOT-FOR-US: Vortex Portal CVE-2007-5841 (PHP remote file inclusion vulnerability in admin/index.php in nuBoard ...) NOT-FOR-US: nuBoard CVE-2007-5840 (PHP remote file inclusion vulnerability in starnet/themes/c-sky/main.i ...) NOT-FOR-US: SyndeoCMS CVE-2007-5838 (Aclient in Symantec Altiris Deployment Solution 6.x before 6.8.380.0 a ...) NOT-FOR-US: Symantec CVE-2007-5837 (GUI.pm in yarssr 0.2.2, when Gnome default URL handling is disabled, a ...) {DSA-1477-1} - yarssr 0.2.2-3 (bug #448721) CVE-2007-5836 (SQL injection vulnerability in Amazing Flash AFCommerce allows remote ...) NOT-FOR-US: Amazing Flash AFCommerce CVE-2007-5835 (Install.php in BosDev BosNews 4 and 5 does not require authentication ...) NOT-FOR-US: BosDev BosNews CVE-2007-5834 (Cross-site scripting (XSS) vulnerability in BosDev BosNews 4 allows re ...) NOT-FOR-US: BosDev BosNews CVE-2007-5833 (Multiple cross-site scripting (XSS) vulnerabilities in BosDev BosMarke ...) NOT-FOR-US: BosDev BosMarket Business Directory System CVE-2007-5832 (Unspecified vulnerability in selectLanguage.do in SSL-Explorer before ...) NOT-FOR-US: SSL-Explorer CVE-2007-5831 (Directory traversal vulnerability in fileSystem.do in SSL-Explorer bef ...) NOT-FOR-US: SSL-Explorer CVE-2007-5830 (Unspecified vulnerability in the administrative interface in Avaya Mes ...) NOT-FOR-US: Avaya Messaging Storage Server CVE-2007-5829 (The Disk Mount scanner in Symantec AntiVirus for Macintosh 9.x and 10. ...) NOT-FOR-US: Symantec AntiVirus CVE-2007-5828 - python-django 1.2.1 (unimportant) NOTE: this is documented in docs/csrf.txt included in the python-django package and NOTE: there is a plugin enabling this feature. This is intended behaviour pre-1.2. NOTE: https://docs.djangoproject.com/en/1.10/ref/csrf/#using-csrf CVE-2007-5827 (iSCSI Enterprise Target (iscsitarget) 0.4.15 uses weak permissions for ...) {DTSA-106-1} - iscsitarget 0.4.15-5 (bug #448873) NOTE: init script has "dump" function, which marks conffile correctly CVE-2007-5826 (Absolute path traversal vulnerability in the EDraw Flowchart ActiveX c ...) NOT-FOR-US: EDraw Flowchart CVE-2007-5825 (Format string vulnerability in the ws_addarg function in webserver.c i ...) {DSA-1597-1} - mt-daapd 0.9~r1696-1 (bug #459961) CVE-2007-5824 (webserver.c in mt-dappd in Firefly Media Server 0.2.4 and earlier allo ...) {DSA-1597-1} - mt-daapd 0.9~r1696-1.1 (bug #459961) CVE-2007-5823 (Directory traversal vulnerability in forum.php in Ben Ng Scribe 0.2 an ...) NOT-FOR-US: Ben Ng Scribe CVE-2007-5822 (Direct static code injection vulnerability in forum.php in Ben Ng Scri ...) NOT-FOR-US: Ben Ng Scribe CVE-2007-5821 (Multiple directory traversal vulnerabilities in DM Guestbook 0.4.1 and ...) NOT-FOR-US: DM Guestbook CVE-2007-5820 (Directory traversal vulnerability in index.php in Ax Developer CMS (Ax ...) NOT-FOR-US: Ax Developer CMS CVE-2007-5819 (IBM Tivoli Continuous Data Protection for Files (CDP) 3.1.0 uses weak ...) NOT-FOR-US: IBM Tivoli CVE-2007-5818 (Cross-site request forgery (CSRF) vulnerability in blocks_edit_do.php ...) NOT-FOR-US: sBlog CVE-2007-5817 (dialog.php in CONTENTCustomizer 3.1mp and earlier allows remote attack ...) NOT-FOR-US: CONTENTCustomizer CVE-2007-5816 (dialog.php in CONTENTCustomizer 3.1mp and earlier allows remote attack ...) NOT-FOR-US: CONTENTCustomizer CVE-2007-5815 (Absolute path traversal vulnerability in the WebCacheCleaner ActiveX c ...) NOT-FOR-US: WebCacheCleaner CVE-2007-5814 (Multiple buffer overflows in the SonicWall SSL-VPN NetExtender NELaunc ...) NOT-FOR-US: SonicWall SSL-VPN NetExtender CVE-2007-5813 (Multiple directory traversal vulnerabilities in download.php in ISPwor ...) NOT-FOR-US: ISPworker CVE-2007-5812 (Directory traversal vulnerability in modules/Builder/DownloadModule.ph ...) NOT-FOR-US: ModuleBuilder CVE-2007-5811 NOT-FOR-US: phpMyConferences CVE-2007-5810 (Hitachi Web Server 01-00 through 03-00-01, as used by certain Cosminex ...) NOT-FOR-US: Hitachi Web Server CVE-2007-5809 (Cross-site scripting (XSS) vulnerability in Hitachi Web Server 01-00 t ...) NOT-FOR-US: Hitachi Web Server CVE-2007-5808 (Unspecified vulnerability in the Groupmax Collaboration - Schedule com ...) NOT-FOR-US: Hitachi Groupmax Collaboration Portal CVE-2007-5807 (Buffer overflow in the register function in Ultra Star Reader ActiveX ...) NOT-FOR-US: SSReader CVE-2007-5806 (Cross-site scripting (XSS) vulnerability in Services/Utilities/classes ...) NOT-FOR-US: ILIAS CVE-2007-5805 (cfgcon in IBM AIX 5.2 and 5.3 does not properly validate the argument ...) NOT-FOR-US: IBM AIX CVE-2007-5804 (cfgcon in IBM AIX 5.2 and 5.3 does not properly validate the argument ...) NOT-FOR-US: IBM AIX CVE-2007-5803 (Multiple cross-site scripting (XSS) vulnerabilities in CGI programs in ...) {DSA-1883-2 DSA-1883-1} - nagios2 (low; bug #482445) - nagios3 3.0.2-1 (low; bug #485439) CVE-2007-5802 (Directory traversal vulnerability in index.php in Firewolf Technologie ...) NOT-FOR-US: Firewolf Technologies Synergiser CVE-2007-5801 (Unspecified vulnerability in WORK system e-commerce before 4.0.2 has u ...) NOT-FOR-US: WORK system e-commerce CVE-2007-5800 (Multiple PHP remote file inclusion vulnerabilities in the BackUpWordPr ...) NOT-FOR-US: BackUpWordPress CVE-2007-5799 (Multiple cross-site request forgery (CSRF) vulnerabilities in uddigui/ ...) NOT-FOR-US: IBM WebSphere CVE-2007-5798 (Multiple cross-site scripting (XSS) vulnerabilities in uddigui/navigat ...) NOT-FOR-US: IBM WebSphere CVE-2007-5797 (SQLLoginModule in Apache Geronimo 2.0 through 2.1 does not throw an ex ...) - geronimo (bug #481869) CVE-2007-5796 (Cross-site scripting (XSS) vulnerability in the management console in ...) NOT-FOR-US: Blue Coat ProxySG CVE-2007-5794 (Race condition in nss_ldap, when used in applications that are linked ...) {DSA-1430-1} - libnss-ldap 256-1 (bug #453868) CVE-2007-5839 (The e_hostname function in commands.c in BitchX 1.1a allows local user ...) - ircii-pana (low; bug #449149) [etch] - ircii-pana (Minor issue) [sarge] - ircii-pana (Minor issue) CVE-2007-5795 (The hack-local-variables function in Emacs before 22.2, when enable-lo ...) {DTSA-79-1} - emacs22 22.1+1-2.1 (medium; bug #449008) NOTE: Emacs 21 is not affected CVE-2007-5793 (Stonesoft StoneGate IPS before 4.0 does not properly decode Fullwidth/ ...) NOT-FOR-US: Stonesoft StoneGate IPS CVE-2007-5792 (The Vonage Motorola Phone Adapter VT 2142-VD does not encrypt RTP pack ...) NOT-FOR-US: Vonage Motorola Phone Adapter CVE-2007-5791 (The Vonage Motorola Phone Adapter VT 2142-VD does not properly verify ...) NOT-FOR-US: Vonage Motorola Phone Adapter CVE-2007-5790 (The Globe7 soft phone client 7.3 uses weak cryptography (reversed sequ ...) NOT-FOR-US: Globe7 soft phone client CVE-2007-5789 (The Grandstream HT-488 0.1 allows remote attackers to cause a denial o ...) NOT-FOR-US: Grandstream HT-488 CVE-2007-5788 (Buffer overflow in the SIP parser on the Grandstream HT-488 0.1 allows ...) NOT-FOR-US: Grandstream HT-488 CVE-2007-5787 (Micro Login System 1.0 stores sensitive information under the web root ...) NOT-FOR-US: Micro Login System CVE-2007-5786 (Multiple PHP remote file inclusion vulnerabilities in GoSamba 1.0.1 al ...) NOT-FOR-US: GoSamba CVE-2007-5785 (SQL injection vulnerability in file.php in JobSite Professional 2.0 al ...) NOT-FOR-US: JobSite CVE-2007-5784 (PHP remote file inclusion vulnerability in index.php in CaupoShop Pro ...) NOT-FOR-US: CaupoShop Pro CVE-2007-5783 (SQL injection vulnerability in emc.asp in emagiC CMS.Net 4.0 allows re ...) NOT-FOR-US: emagiC cms CVE-2007-5782 (Directory traversal vulnerability in dl.php in FireConfig 0.5 allows r ...) NOT-FOR-US: FireConfig CVE-2007-5781 (PHP remote file inclusion vulnerability in inc/sige_init.php in Sige 0 ...) NOT-FOR-US: Sige CVE-2007-5780 (PHP remote file inclusion vulnerability in pub/pub08_comments.php in t ...) NOT-FOR-US: teatro CVE-2007-5779 (Buffer overflow in the GomManager (GomWeb Control) ActiveX control in ...) NOT-FOR-US: Gretech Online Movie Player CVE-2007-5778 (Mobile Spy (1) stores login credentials in cleartext under the Retinax ...) NOT-FOR-US: Mobile Spy CVE-2007-5777 (Blue-Collar Productions i-Gallery 3.4 stores sensitive information und ...) NOT-FOR-US: Blue-Collar Productions i-Gallery CVE-2007-5776 (Directory traversal vulnerability in igallery.asp in Blue-Collar Produ ...) NOT-FOR-US: Blue-Collar Productions i-Gallery CVE-2007-5775 (Unspecified vulnerability in BitDefender allows attackers to execute a ...) NOT-FOR-US: BitDefender CVE-2007-5774 (index.php in the File Manager module in Flatnuke 3 allows remote attac ...) NOT-FOR-US: Flatnuke CVE-2007-5773 (Cross-site request forgery (CSRF) vulnerability in index.php in the Fi ...) NOT-FOR-US: Flatnuke CVE-2007-5772 (Direct static code injection vulnerability in the download module in F ...) NOT-FOR-US: Flatnuke CVE-2007-5771 (Flatnuke 3 (aka FlatnuX) allows remote attackers to obtain administrat ...) NOT-FOR-US: Flatnuke CVE-2007-5770 (The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, an ...) {DSA-1412-1 DSA-1411-1 DSA-1410-1} - ruby1.9 1.9.0+20071016-1 - ruby1.8 1.8.6.111-1 (low; bug #451374) CVE-2007-5769 (Double free vulnerability in the getreply function in ftp.c in netkit ...) - netkit-ftp (Vulnerable code not present) CVE-2007-5768 (The Globe7 soft phone client 7.3 sends username and password informati ...) NOT-FOR-US: Globe7 soft phone client CVE-2007-5767 (Heap-based buffer overflow in the Client Trust application (clntrust.e ...) NOT-FOR-US: Geronimo Apache CVE-2007-5766 (SQL injection vulnerability in okxLOV.jsp in Oracle E-Business Suite 1 ...) NOT-FOR-US: Oracle CVE-2007-5765 RESERVED CVE-2007-5764 (Buffer overflow in the pioout program in printers.rte in IBM AIX 5.2, ...) NOT-FOR-US: IBM AIX CVE-2007-5763 REJECTED CVE-2007-5762 (NICM.SYS driver 3.0.0.4, as used in Novell NetWare Client 4.91 SP4, al ...) NOT-FOR-US: Novell NetWare Client CVE-2007-5761 (The NantSys device 5.0.0.115 in Motorola netOctopus 5.1.2 build 1011 h ...) NOT-FOR-US: Motorola netOctopus CVE-2007-5760 (Array index error in the XFree86-Misc extension in X.Org Xserver befor ...) {DSA-1466-2 DTSA-110-1} - xorg-server 2:1.4.1~git20080105-2 CVE-2007-5759 REJECTED CVE-2007-5758 (Stack-based buffer overflow in db2dasrrm in the DB2 Administration Ser ...) NOT-FOR-US: IBM DB2 CVE-2007-5757 (Untrusted search path vulnerability in db2pd in IBM DB2 Universal Data ...) NOT-FOR-US: IBM DB2 CVE-2007-5756 (Multiple array index errors in the bpf_filter_init function in NPF.SYS ...) NOT-FOR-US: WinPcap CVE-2007-5755 (Multiple stack-based buffer overflows in the AOL AmpX ActiveX control ...) NOT-FOR-US: AOL Radio CVE-2007-5754 (PHP remote file inclusion vulnerability in urlinn_includes/config.php ...) NOT-FOR-US: phpFaber CVE-2007-5753 (Unspecified vulnerability in Light FMan PHP (lfman or lightfman) befor ...) NOT-FOR-US: Light FMan PHP CVE-2007-5752 (adduser.php in PHP-AGTC Membership (AGTC-Membership) System 1.1a does ...) NOT-FOR-US: PHP-AGTC Membership CVE-2007-5750 RESERVED CVE-2007-5749 RESERVED CVE-2007-5748 RESERVED CVE-2007-5747 (Integer underflow in OpenOffice.org before 2.4 allows remote attackers ...) {DSA-1547-1} - openoffice.org 2.4.0~ooh680m5-1 CVE-2007-5746 (Integer overflow in OpenOffice.org before 2.4 allows remote attackers ...) {DSA-1547-1} - openoffice.org 2.4.0~ooh680m5-1 CVE-2007-5745 (Multiple heap-based buffer overflows in OpenOffice.org before 2.4 allo ...) {DSA-1547-1} - openoffice.org 2.4.0~ooh680m5-1 CVE-2007-5744 RESERVED CVE-2007-5743 (viewvc 1.0.3 allows improper access control to files in a repository w ...) - viewvc 1.0.3-2.1 (bug #416696) CVE-2007-5742 (Directory traversal vulnerability in the WML engine preprocessor for W ...) {DSA-1421-1 DTSA-90-1} - wesnoth 1:1.2.8-1 (medium; bug #453500) CVE-2007-5741 (Plone 2.5 through 2.5.4 and 3.0 through 3.0.2 allows remote attackers ...) {DSA-1405-2 DSA-1405-1} - zope-cmfplone 2.5.2-2 (bug #449523) [sarge] - zope-cmfplone (Upstream confirms that 2.0 branch is not vulnerable) NOTE: Fix available: NOTE: http://plone.org/about/security/advisories/cve-2007-5741 CVE-2004-2745 (Directory traversal vulnerability in Anteco Visual Technologies OwnSer ...) NOT-FOR-US: Anteco Visual Technologies OwnServer CVE-2002-2425 (Sun AnswerBook2 1.2 through 1.4.2 allows remote attackers to execute a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2424 (Cross-site scripting (XSS) vulnerability in PHP(Reactor) 1.2.7 pl1 all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2423 (Sendmail 8.12.0 through 8.12.6 truncates log messages longer than 100 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2422 (Cross-site scripting (XSS) vulnerability in Compaq Insight Management ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2421 (acWEB 1.14 allows remote attackers to cause a denial of service (crash ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2420 (site_searcher.cgi in Super Site Searcher allows remote attackers to ex ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2419 (Direct connect text client (DCTC) client 0.83.3 allows remote attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2418 (Cross-site scripting (XSS) vulnerability in acFreeProxy (aka acFP) 1.3 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2417 (acFTP 1.4 does not properly handle when an invalid password is provide ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2416 (Directory traversal vulnerability in Zeroo web server 1.5 allows remot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2415 (Allied Telesyn AT-8024 1.3.1 and Rapier 24 switches allow remote authe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2414 (Opera 6.0.3, when using Squid 2.4 for HTTPS proxying, does not properl ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2413 (WebSite Pro 3.1.11.0 on Windows allows remote attackers to read script ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2412 (Winamp 2.80 stores authentication credentials in plaintext in the (1) ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2411 (Buffer overflow in badmin.c in BannerWheel 1.0 allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2410 (openwebmail.pl in Open WebMail 1.7 and 1.71 reveals sensitive informat ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2409 (Photon microGUI in QNX Neutrino realtime operating system (RTOS) 6.1.0 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2408 (Gordano Messaging Server (GMS) Mail 8 (a.k.a. NTMail) only filters ema ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2407 (Certain patches for QNX Neutrino realtime operating system (RTOS) 6.2. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2406 (Buffer overflow in HTTP server in LiteServe 2.0, 2.0.1 and 2.0.2 allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2405 (Check Point FireWall-1 4.1 and Next Generation (NG), with UserAuth con ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2404 (Buffer overflow in IISPop email server 1.161 and 1.181 allows remote a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2403 (Directory traversal vulnerability in KeyFocus web server 1.0.8 allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2402 (SURECOM broadband router EP-4501 uses a default SNMP read community st ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2401 (NT Virtual DOS Machine (NTVDM.EXE) in Windows 2000, NT and XP does not ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2400 (Buffer overflow in the httpdProcessRequest function in LibHTTPD 1.2 al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2399 (Directory traversal vulnerability in viewAttachment.cgi in W3Mail 1.0. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2398 (The new thread posting page in APBoard 2.02 and 2.03 allows remote att ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2397 (Sygate personal firewall 5.0 could allow remote attackers to bypass fi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2396 (Buffer overflow in Advanced TFTP (atftp) 0.5 and 0.6, if installed set ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2395 (InterScan VirusWall 3.52 for Windows allows remote attackers to bypass ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2394 (InterScan VirusWall 3.6 for Linux and 3.52 for Windows allows remote a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2393 (Serv-U FTP server 3.0, 3.1 and 4.0.0.4 does not accept new connections ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2392 (Winamp 2.65 through 3.0 stores skin files in a predictable file locati ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2391 (SQL injection vulnerability in index.php of WebChat 1.5 included in XO ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2390 (Buffer overflow in the IDENT daemon (identd) in Trillian 0.6351, 0.725 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2389 (TheServer 1.74 web server stores server.ini under the web document roo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2388 (Buffer overflow in INweb POP3 mail server 2.01 allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2387 (Directory traversal vulnerability in Hyperion FTP server 2.8.1 allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2386 (Cross-site scripting (XSS) vulnerability in the Quizz module for XOOPS ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2385 (Buffer overflow in hotfoon4.exe in Hotfoon 4.0 allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2384 (hotfoon4.exe in Hotfoon 4.00 stores user names and passwords in cleart ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2383 (SQL injection vulnerability in f2html.pl 0.1 through 0.4 allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2382 (cvsupd.sh in CVSup 1.2 allows local users to overwrite arbitrary files ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2381 (Multiple buffer overflows in (1) tetrinet_inmessage, (2) speclist_add ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2380 (NetDSL ADSL Modem 800 with Microsoft Network firmware 5.5.11 allows re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2379 NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2378 (Cross-site scripting (XSS) vulnerability in AN HTTP 1.41d allows remot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2377 (Cross-site scripting (XSS) vulnerability in addentry.cgi in ZAP 1.0.3 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2376 (Cross-site scripting (XSS) vulnerability in E-Guest_sign.pl in E-Guest ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2375 (Directory traversal vulnerability in CommuniGate Pro 4.0b4 and possibl ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2374 (Unspecified vulnerability in pprosetup in Sun PatchPro 2.0 has unknown ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2373 (The default configuration of the TCP/IP printer configuration utility ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2372 (The telnet server in Infoprint 21 running controller software before 1 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2371 (Linksys WET11 firmware 1.31 and 1.32 allows remote attackers to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2370 (SWS web server 0.0.4, 0.0.3 and 0.1.0 allows remote attackers to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2369 (Perception LiteServe 2.0 allows remote attackers to read password prot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2368 (Multiple buffer overflows in NEC SOCKS5 1.0 r11 and earlier allow remo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2367 (Off-by-one buffer overflow in NEC SOCKS5 1.0 r11 and earlier allows re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2366 (Buffer overflow in the XML parser of Trillian 0.6351, 0.725 and 0.73 a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2365 (Simple WAIS (SWAIS) 1.11 allows remote attackers to execute arbitrary ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2007-5740 (The format string protection mechanism in IMAPD for Perdition Mail Ret ...) {DSA-1398-1 DTSA-84-1} - perdition 1.17.1-1 (medium; bug #448853) CVE-2007-5751 (Liferea before 1.4.6 uses weak permissions (0644) for the feedlist.opm ...) {DTSA-107-1} - liferea 1.4.6-1 (low; bug #448850) [etch] - liferea (backup feedlist introduced in 1.2.7) [sarge] - liferea (backup feedlist introduced in 1.2.7) NOTE: this file can contain credentials for rss feeds CVE-2007-5739 (Directory traversal vulnerability in component/flashupload/download.js ...) NOT-FOR-US: Korean GHBoard CVE-2007-5738 (The FlashUpload component in Korean GHBoard uses a client-side protect ...) NOT-FOR-US: Korean GHBoard CVE-2007-5737 (Unrestricted file upload vulnerability in component/upload.jsp in Kore ...) NOT-FOR-US: Korean GHBoard CVE-2007-5736 (Unrestricted file upload vulnerability in upload.php in SeeBlick 1.0 B ...) NOT-FOR-US: SeeBlick CVE-2007-5735 (eFileMan 7.1.0.87-88 stores sensitive information under the web root w ...) NOT-FOR-US: eFileMan CVE-2007-5734 (Unrestricted file upload vulnerability in eFileMan 7.1.0.87-88 allows ...) NOT-FOR-US: eFileMan CVE-2007-5733 (Unrestricted file upload vulnerability in upload/upload.php in Japanes ...) NOT-FOR-US: Japanese PHP Gallery Hosting CVE-2007-5732 (Directory traversal vulnerability in downloadfile.php in eLouai's Forc ...) NOT-FOR-US: eLouai's Force Download CVE-2007-5731 (Absolute path traversal vulnerability in Apache Jakarta Slide 2.1 and ...) - slide-webdavclient (Vulnerable code is only in the server part, but debian only has the client part) CVE-2007-5730 (Heap-based buffer overflow in QEMU 0.8.2, as used in Xen and possibly ...) {DSA-1284-1} - qemu 0.9.0-2 (bug #424070) - kvm 72+dfsg-1 - linux-2.6 (vulnerability does not affected kernel module) - linux-2.6.24 (vulnerability does not affected kernel module) CVE-2007-5729 (The NE2000 emulator in QEMU 0.8.2 allows local users to execute arbitr ...) {DSA-1284-1} - qemu 0.9.0-2 (bug #424070) - kvm 72+dfsg-1 - linux-2.6 (vulnerability does not affected kernel module) - linux-2.6.24 (vulnerability does not affected kernel module) CVE-2007-5728 (Cross-site scripting (XSS) vulnerability in phpPgAdmin 3.5 to 4.1.1, a ...) {DSA-1693-1} - phppgadmin 4.1.3-0.1 (bug #449103; low) CVE-2007-5727 (Incomplete blacklist vulnerability in the stripScripts function in com ...) NOT-FOR-US: OneOrZero Helpdesk CVE-2007-5726 (Unspecified vulnerability in the Stream Control Transmission Protocol ...) NOT-FOR-US: Sun Solaris CVE-2007-5725 (Multiple cross-site scripting (XSS) vulnerabilities in Smart-Shop allo ...) NOT-FOR-US: Smart-Shop CVE-2007-5724 (Multiple cross-site scripting (XSS) vulnerabilities in Omnistar Live a ...) NOT-FOR-US: Omnistar Live CVE-2007-5723 (Heap-based buffer overflow in the samp_send function in nuauth/sasl.c ...) {DTSA-82-1} - nufw 2.2.7-1 (low) [etch] - nufw (Vulnerable code not present) CVE-2007-5722 (Stack-based buffer overflow in a certain ActiveX control in GLChat.ocx ...) NOT-FOR-US: GlobalLink CVE-2007-5721 (PHP remote file inclusion vulnerability in _theme/breadcrumb.php in My ...) NOT-FOR-US: MySpacePros MySpace Resource Script CVE-2007-5720 (Unrestricted file upload vulnerability in the profiles script in Profi ...) NOT-FOR-US: ProfileCMS CVE-2007-5719 (SQL injection vulnerability in bb_func_search.php in miniBB 2.1 allows ...) NOT-FOR-US: miniBB CVE-2007-5717 (Unspecified vulnerability in Sun Fire X2100 M2 and X2200 M2 Embedded L ...) NOT-FOR-US: Sun Fire CVE-2007-5716 (Unspecified vulnerability in the Internet Protocol (IP) functionality ...) NOT-FOR-US: Sun Solaris 10 CVE-2007-5715 (DenyHosts 2.6 processes OpenSSH sshd "not listed in AllowUsers" log me ...) - denyhosts 2.6-2 (low) [etch] - denyhosts (Minor issue) NOTE: bug was fixed with 06_permit_rootlogin_no.dpatch CVE-2007-5714 (The Gentoo ebuild of MLDonkey before 2.9.0-r3 has a p2p user account w ...) - mldonkey (Gentoo-specific packaging flaw) CVE-2007-5713 (Off-by-one error in the GeoIP module in the AMX Mod X 1.76d plugin for ...) NOT-FOR-US: Half-Life Server CVE-2007-5712 (The internationalization (i18n) framework in Django 0.91, 0.95, 0.95.1 ...) {DSA-1640-1} - python-django 0.96-1.1 (low; bug #448838) CVE-2007-5711 (Massive Entertainment World in Conflict 1.001 and earlier allows remot ...) NOT-FOR-US: Conflict CVE-2007-5710 (Cross-site scripting (XSS) vulnerability in wp-admin/edit-post-rows.ph ...) - wordpress 2.3.1-1 (unimportant) NOTE: requires register_globals On, which we don't support CVE-2007-5709 (Stack-based buffer overflow in Sony SonicStage CONNECT Player (CP) 4.3 ...) NOT-FOR-US: Sony SonicStage CONNECT Player CVE-2007-5718 (vobcopy 0.5.14 allows local users to append data to an arbitrary file, ...) - vobcopy 1.0.2-1 (low; bug #448319) [etch] - vobcopy (Minor issue) [sarge] - vobcopy (Minor issue) CVE-2007-5706 (Absolute path traversal vulnerability in download.php in Jeebles Direc ...) NOT-FOR-US: Jeebles CVE-2007-5705 (Unspecified vulnerability in the Settings component in the administrat ...) NOT-FOR-US: Jeebles CVE-2007-5704 (Multiple SQL injection vulnerabilities in CodeWidgets.com Online Event ...) NOT-FOR-US: CodeWidgets CVE-2007-5703 (Multiple cross-site scripting (XSS) vulnerabilities in (1) Request-spk ...) NOT-FOR-US: RSA KEON CVE-2007-5702 (Cross-site scripting (XSS) vulnerability in swamp/action/LoginActions ...) NOT-FOR-US: SWAMP OpenSUSE CVE-2007-5701 (Incomplete blacklist vulnerability in the Certificate Authority (CA) i ...) NOT-FOR-US: IBM Lotus Domino CVE-2007-5700 (The Evaluate LotusScript method in IBM Lotus Domino before 7.0.3 uses ...) NOT-FOR-US: IBM Lotus Domino CVE-2007-5699 (Stack-based buffer overflow in eIQNetworks Enterprise Security Analyze ...) NOT-FOR-US: eIQNetworks CVE-2007-5698 (Cross-site scripting (XSS) vulnerability in default.asp in CREApark GO ...) NOT-FOR-US: CREApark GOLD KOY PORTALI CVE-2007-5697 (Multiple PHP remote file inclusion vulnerabilities in PHP Image 1.2 al ...) NOT-FOR-US: phpImage CVE-2007-5696 (PHP remote file inclusion vulnerability in includes.php in phpBasic al ...) NOT-FOR-US: phpBasic CVE-2007-5695 (Open redirect vulnerability in command.php in SiteBar 3.3.8 allows rem ...) {DSA-1423-1} - sitebar 3.3.8-12.1 (low; bug #448690) NOTE: there is no real exploit scenario CVE-2007-5694 (Absolute path traversal vulnerability in the translation module (trans ...) {DSA-1423-1} - sitebar 3.3.8-12.1 (low; bug #447135) CVE-2007-5693 (Eval injection vulnerability in the translation module (translator.php ...) {DSA-1423-1} - sitebar 3.3.8-12.1 (low; bug #447135) CVE-2007-5692 (Multiple cross-site scripting (XSS) vulnerabilities in SiteBar 3.3.8 a ...) {DSA-1423-1} - sitebar 3.3.8-12.1 (low; bug #448689) CVE-2007-5691 (ParseFTPList.cpp in Mozilla Firefox 2.0.0.7 allows remote FTP servers ...) - iceweasel 2.0.0.8-1 (unimportant) NOTE: Browser crashes not treated as security problems CVE-2007-5690 - zaptel 1:1.4.8~dfsg-1 (unimportant; bug #448763) NOTE: zaptel does copy argv[1] into ifr_name but zaptel is not suid root or something NOTE: similar so this is no security issue in Debian even if sethdl-new will segfault CVE-2007-5689 (The Java Virtual Machine (JVM) in Sun Java Runtime Environment (JRE) i ...) - sun-java6 6-03-1 (medium) - sun-java5 1.5.0-13-1 (medium) [etch] - sun-java5 1.5.0-14-1etch1 - openjdk-6 6b08-1 (bug #566766) CVE-2007-5688 (Multiple SQL injection vulnerabilities in directory.php in the Multi-F ...) NOT-FOR-US: Multi Host Forum Pro CVE-2007-5687 (Multiple buffer overflows in the rich text processing functionality in ...) NOT-FOR-US: JustSystems Ichitaro CVE-2007-5686 (initscripts in rPath Linux 1 sets insecure permissions for the /var/lo ...) - shadow (unimportant) NOTE: See #290803, on Debian LOG_UNKFAIL_ENAB in login.defs is set to no so NOTE: unknown usernames are not recorded on login failures CVE-2007-5685 (The safe_path function in shttp before 0.0.5 allows remote attackers t ...) NOT-FOR-US: shttp CVE-2007-5684 (Multiple directory traversal vulnerabilities in TikiWiki 1.9.8.1 and e ...) - tikiwiki CVE-2007-5683 (Multiple cross-site scripting (XSS) vulnerabilities in TikiWiki 1.9.8. ...) - tikiwiki CVE-2007-5682 (Incomplete blacklist vulnerability in tiki-graph_formula.php in TikiWi ...) - tikiwiki CVE-2007-5681 RESERVED CVE-2007-5680 RESERVED CVE-2003-1527 (BlackICE Defender 2.9.cap and Server Protection 3.5.cdf, when configur ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2364 (Cross-site scripting (XSS) vulnerability in PHP Ticket 0.5 and earlier ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2363 (VJE.VJE-RUN in HP-UX 11.00 adds bin to /etc/PATH, which could allow lo ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2362 (Cross-site scripting (XSS) vulnerability in form_header.php in MyMarke ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2361 (The installer in Yahoo! Messenger 4.0, 5.0 and 5.5 does not verify pac ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2360 (The RPC module in Webmin 0.21 through 0.99, when installed without roo ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2359 (Cross-site scripting (XSS) vulnerability in the FTP view feature in Mo ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2358 (Cross-site scripting (XSS) vulnerability in the FTP view feature in Op ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2357 (MailEnable 1.5 015 through 1.5 018 allows remote attackers to cause a ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2356 (HAMweather 2.x allows remote attackers to modify administrative settin ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2355 (Netgear FM114P firmware 1.3 wireless firewall, when configured to back ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2354 (Netgear FM114P firmware 1.3 wireless firewall allows remote attackers ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2353 (tftpd32 2.50 and 2.50.2 allows remote attackers to read or write arbit ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2352 (The NBActiveX.ocx ActiveX control in NeoBook 4 allows remote attackers ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2351 (Eudora 5.1 allows remote attackers to bypass security warnings and pos ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2350 (Cross-site scripting (XSS) vulnerability in z_user_show.php in dbtreel ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2349 (phpinfo.php in phpBBmod 1.3.3 executes the phpinfo function, which all ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2348 (Cross-site scripting (XSS) vulnerability in athcgi.exe in Authoria HR ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2347 (Cross-site scripting (XSS) vulnerability in Oracle Java Server Page (O ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2346 (phpBB 2.0 through 2.0.3 generates names for uploaded avatar files with ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2345 (Oracle 9i Application Server 9.0.2 stores the web cache administrator ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2344 (Ensim WEBppliance 3.0 and 3.1 allows remote attackers to read mail int ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2343 (Cross-site scripting (XSS) vulnerability in NOCC 0.9 through 0.9.5 all ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2342 (Bannermatic 1, 2, and 3 stores the (1) ban.log, (2) ban.bak, (3) ban.d ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2341 (Cross-site scripting (XSS) vulnerability in content blocking in SonicW ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2340 (Cross-site scripting (XSS) vulnerability in read.php in Phorum 3.3.2a ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2339 (Cross-site scripting (XSS) vulnerability in configure.asp in Script-Sh ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2338 (The POP3 mail client in Mozilla 1.0 and earlier, and Netscape Communic ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2337 (Kaspersky Anti-Hacker 1.0, when configured to automatically block atta ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2336 (Norton Personal Firewall 2002 4.0, when configured to automatically bl ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2335 (Killer Protection 1.0 stores the vars.inc include file under the web r ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2334 (Joe text editor 2.8 through 2.9.7 does not remove the group and user s ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2333 (Buffer overflow in konqueror in KDE 2.1 through 3.0 and 3.0.2 allows r ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2332 (Buffer overflow in Opera 6.01 allows remote attackers to cause a denia ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2331 (W3Mail 1.0.2 through 1.0.5 with server side scripting (SSI) enabled in ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2330 (Cross-site scripting (XSS) vulnerability in stat.pl in StatsPlus 1.25 ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2329 (ICQ client 2001b, 2002a and 2002b allows remote attackers to cause a d ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2328 (Active Directory in Windows 2000, when supporting Kerberos V authentic ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2327 (Unspecified vulnerability in the environmental monitoring subsystem in ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2326 (The default configuration of Mail.app in Mac OS X 10.0 through 10.0.4 ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2325 (The c-client library in Internet Message Access Protocol (IMAP) dated ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2324 (The "System Restore" directory and subdirectories, and possibly other ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2323 (Sun PC NetLink 1.0 through 1.2 does not properly set the access contro ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2322 (Ultimate PHP Board (UPB) 1.0b stores the users.dat data file under the ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2321 (Cross-site scripting (XSS) vulnerability in (1) showcat.php and (2) ad ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2320 (MySimpleNews 1.0 allows remote attackers to delete arbitrary email mes ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2319 (Static code injection vulnerability in users.php in MySimpleNews allow ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2318 (Cross-site scripting (XSS) vulnerability in Falcon web server 2.0.0.10 ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2317 (Memory leak in the (1) httpd, (2) nntpd, and (3) vpn driver in VelociR ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2316 (Cisco Catalyst 4000 series switches running CatOS 5.5.5, 6.3.5, and 7. ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2315 (Cisco IOS 11.2.x and 12.0.x does not limit the size of its redirect ta ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2314 (Mozilla 1.0 allows remote attackers to steal cookies from other domain ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2313 (Eudora email client 5.1.1, with "use Microsoft viewer" enabled, allows ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2312 (Opera 6.0.1 allows remote attackers to upload arbitrary file contents ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2311 (Microsoft Internet Explorer 6.0 and possibly others allows remote atta ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2310 (ClickCartPro 4.0 stores the admin_user.db data file under the web docu ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2309 (php.exe in PHP 3.0 through 4.2.2, when running on Apache, does not ter ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2308 (Netscape Communicator 6.2.1 allows remote attackers to cause a denial ...) NOT-FOR-US: not processed, predates tracker CVE-2002-2307 (The default configuration of BenHur Firewall release 3 update 066 fix ...) NOT-FOR-US: not processed, predates tracker CVE-2007-5707 (OpenLDAP before 2.3.39 allows remote attackers to cause a denial of se ...) {DSA-1541-1} - openldap2.3 2.3.38-1 (medium; bug #440632) - openldap2.2 - openldap2 (slapd not built) CVE-2007-5708 (slapo-pcache (overlays/pcache.c) in slapd in OpenLDAP before 2.3.39, w ...) {DSA-1541-1 DTSA-87-1} - openldap2.3 2.3.39-1 (medium; bug #448644) CVE-2007-2983 (Multiple buffer overflows in the British Telecommunications Consumer w ...) NOT-FOR-US: British Telecommunications Consumer webhelper CVE-2003-1526 (PHP-Nuke 7.0 allows remote attackers to obtain the installation path v ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1525 (Unspecified vulnerability in My Photo Gallery 3.5, and possibly earlie ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1524 (PGPi PGPDisk 6.0.2i does not unmount a PGP partition when the switch u ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1523 (SQL injection vulnerability in the IMAP daemon in dbmail 1.1 allows re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1522 (Cross-site scripting (XSS) vulnerability in PSCS VPOP3 Web Mail server ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1521 (Sun Java Plug-In 1.4 through 1.4.2_02 allows remote attackers to repea ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1520 (SQL injection vulnerability in FuzzyMonkey My Classifieds 2.11 allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1519 (Cross-site scripting (XSS) vulnerability in Vivisimo clustering engine ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1518 (Adiscon WinSyslog 4.21 SP1 allows remote attackers to cause a denial o ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1517 (cart.pl in Dansie shopping cart allows remote attackers to obtain the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1516 (The org.apache.xalan.processor.XSLProcessorVersion class in Java Plug- ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1515 (Origo ASR-8100 ADSL Router 3.21 has an administration service running ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1514 (eMule 0.29c allows remote attackers to cause a denial of service (cras ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1513 (Multiple cross-site scripting (XSS) vulnerabilities in example scripts ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1512 (Buffer overflow in mIRC 6.1 and 6.11 allows remote attackers to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1511 (Cross-site scripting (XSS) vulnerability in Bajie Java HTTP Server 0.9 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1510 (TinyWeb 1.9 allows remote attackers to cause a denial of service (CPU ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1509 (Real Networks RealOne Enterprise Desktop 6.0.11.774, RealOne Player 2. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1508 (Buffer overflow in mIRC 6.12, when the DCC get dialog window has been ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1507 (Planet Technology WGSD-1020 and WSW-2401 Ethernet switches use a defau ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1506 (Cross-site scripting (XSS) vulnerability in dansguardian.pl in Adelix ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1505 (Microsoft Internet Explorer 6.0 allows remote attackers to cause a den ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1504 (SQL injection vulnerability in variables.php in Goldlink 3.0 allows re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1503 (Buffer overflow in AOL Instant Messenger (AIM) 5.2.3292 allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1502 (mod_throttle 3.0 allows local users with Apache privileges to access s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1501 (Directory traversal vulnerability in the file upload CGI of Gast Arbei ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1500 (PHP remote file inclusion vulnerability in _functions.php in cpCommerc ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1499 (Directory traversal vulnerability in index.php in Bytehoard 0.7 allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1498 (Cross-site scripting (XSS) vulnerability in search.php for WRENSOFT Zo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1497 (Buffer overflow in the system log viewer of Linksys BEFSX41 1.44.3 all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1496 (Unspecified vulnerability in CDE dtmailpr of HP Tru64 4.0F through 5.1 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1495 (Unspecified vulnerability in the non-SSL web agent in various HP Manag ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2007-5679 (SQL injection vulnerability in index.php in DeeEmm.com DM CMS 0.7.0.Be ...) NOT-FOR-US: DM CMS CVE-2007-5678 (SQL injection vulnerability in the Music module in phpBasic allows rem ...) NOT-FOR-US: phpBasic CVE-2007-5677 (Cross-site scripting (XSS) vulnerability in shoutbox/blocco.php in Hac ...) NOT-FOR-US: Hackish CVE-2007-5676 (PHP remote file inclusion vulnerability in modules/Forums/favorites.ph ...) NOT-FOR-US: PHP-Nuke CVE-2007-5675 (Stack-based buffer overflow in the DebugPrint function in MultiXTpm Ap ...) NOT-FOR-US: MultiXTpm Application Server CVE-2007-5674 (Directory traversal vulnerability in index.php in InstaGuide Weather ( ...) NOT-FOR-US: InstaGuide Weather CVE-2007-5673 (Cross-site scripting (XSS) vulnerability in cgi-bin/webif.exe in ifnet ...) NOT-FOR-US: ifnet WebIf CVE-2007-5672 RESERVED CVE-2007-5671 (HGFS.sys in the VMware Tools package in VMware Workstation 5.x before ...) - vmware-package (Only vulnerable on windows hosted systems) CVE-2007-5670 REJECTED CVE-2007-5669 RESERVED CVE-2007-5668 RESERVED CVE-2007-5667 (NWFILTER.SYS in Novell Client 4.91 SP 1 through SP 4 for Windows 2000, ...) NOT-FOR-US: Novell Client CVE-2007-5666 (Untrusted search path vulnerability in Adobe Reader and Acrobat 8.1.1 ...) NOT-FOR-US: Adobe Reader CVE-2007-5665 (STEngine.exe 3.5.0.20 in Novell ZENworks Endpoint Security Management ...) NOT-FOR-US: Novell ZENworks Endpoint Security Management CVE-2007-5664 (db2dasrrm in the DB2 Administration Server (DAS) in IBM DB2 Universal ...) NOT-FOR-US: IBM DB2 CVE-2007-5663 (Adobe Reader and Acrobat 8.1.1 and earlier allows remote attackers to ...) NOT-FOR-US: Adobe Reader CVE-2007-5662 RESERVED CVE-2007-5661 (The Macrovision InstallShield InstallScript One-Click Install (OCI) Ac ...) NOT-FOR-US: Macrovision InstallShield CVE-2007-5660 (Unspecified vulnerability in the Update Service ActiveX control in isu ...) NOT-FOR-US: MacroVision FLEXnet Connect and InstallShield 2008 CVE-2007-5659 (Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlie ...) NOT-FOR-US: Adobe Reader CVE-2007-5658 (Heap-based buffer overflow in TIBCO SmartSockets RTserver 6.8.0 and ea ...) NOT-FOR-US: TIBCO SmartSockets RTserver CVE-2007-5657 (TIBCO SmartSockets RTserver 6.8.0 and earlier, RTworks before 4.0.4, a ...) NOT-FOR-US: TIBCO SmartSockets RTserver CVE-2007-5656 (TIBCO SmartSockets RTserver 6.8.0 and earlier, RTworks before 4.0.4, a ...) NOT-FOR-US: TIBCO SmartSockets RTserver CVE-2007-5655 (TIBCO SmartSockets RTserver 6.8.0 and earlier, RTworks before 4.0.4, a ...) NOT-FOR-US: TIBCO SmartSockets RTserver CVE-2007-5654 (LiteSpeed Web Server before 3.2.4 allows remote attackers to trigger u ...) NOT-FOR-US: LiteSpeed CVE-2007-5653 (The Component Object Model (COM) functions in PHP 5.x on Windows do no ...) - php5 (windows only) CVE-2007-5652 (IBM DB2 UDB 9.1 before Fixpak 4 does not properly manage storage of a ...) NOT-FOR-US: IBM DB2 CVE-2007-5651 (Unspecified vulnerability in the Extensible Authentication Protocol (E ...) NOT-FOR-US: Cisco IOS CVE-2007-5650 (Directory traversal vulnerability in system.php in ReloadCMS 1.2.7 all ...) NOT-FOR-US: ReloadCMS CVE-2007-5649 (Cross-site scripting (XSS) vulnerability in lostpwd.php in Creative Di ...) NOT-FOR-US: Creative Digital Resources SocketMail CVE-2007-5648 (Multiple cross-site scripting (XSS) vulnerabilities in rnote.php in rN ...) NOT-FOR-US: rnote CVE-2007-5647 (Multiple cross-site scripting (XSS) vulnerabilities in SocketKB 1.1.5 ...) NOT-FOR-US: SocketKB CVE-2007-5646 (SQL injection vulnerability in Sources/Search.php in Simple Machines F ...) NOT-FOR-US: Simple Machines Forum CVE-2007-5644 (Lussumo Vanilla 1.1.3 and earlier does not require admin privileges fo ...) NOT-FOR-US: Lussumo Vanilla CVE-2007-5643 (Multiple SQL injection vulnerabilities in Lussumo Vanilla 1.1.3 and ea ...) NOT-FOR-US: Lussumo Vanilla CVE-2007-5642 (Multiple directory traversal vulnerabilities in PHP Project Management ...) NOT-FOR-US: PHP Project Management CVE-2007-5641 (Multiple PHP remote file inclusion vulnerabilities in PHP Project Mana ...) NOT-FOR-US: PHP Project Management CVE-2007-5640 (The Nortel UNIStim IP Softphone 2050, IP Phone 1140E, and additional N ...) NOT-FOR-US: Nortel VOIP products CVE-2007-5639 (The Nortel UNIStim IP Softphone 2050, IP Phone 1140E, and other Nortel ...) NOT-FOR-US: Nortel VOIP products CVE-2007-5638 (The Nortel UNIStim IP Softphone 2050, IP Phone 1140E, and additional N ...) NOT-FOR-US: Nortel VOIP products CVE-2007-5637 (The Nortel UNIStim IP Softphone 2050, IP Phone 1140E, and additional N ...) NOT-FOR-US: Nortel VOIP products CVE-2007-5636 (Buffer overflow in the Nortel UNIStim IP Softphone 2050 allows remote ...) NOT-FOR-US: Nortel VOIP products CVE-2007-5635 (Multiple unspecified vulnerabilities in Salford Software Support Incid ...) NOT-FOR-US: Salford Software Support Incident Tracke CVE-2007-5634 (Speedfan.sys in Alfredo Milani Comparetti SpeedFan 4.33, when used on ...) NOT-FOR-US: SpeedFan CVE-2007-5633 (Speedfan.sys in Alfredo Milani Comparetti SpeedFan 4.33, when used on ...) NOT-FOR-US: SpeedFan CVE-2007-5632 (Multiple unspecified vulnerabilities in the kernel in Sun Solaris 8 th ...) NOT-FOR-US: Solaris CVE-2007-5631 (Multiple PHP remote file inclusion vulnerabilities in PeopleAggregator ...) NOT-FOR-US: PeopleAggregator CVE-2007-5630 (SQL injection vulnerability in tnews.php in BBsProcesS BBPortalS 1.5.1 ...) NOT-FOR-US: BBsProcesS BBPortalS CVE-2007-5629 (Cross-site scripting (XSS) vulnerability in admin/logon.asp in Shoppin ...) NOT-FOR-US: ShoppingTree CandyPress Store # CVE-2007-5628 (PHP remote file inclusion vulnerability in src/scripture.php in The On ...) NOT-FOR-US: TOWeLS CVE-2007-5627 (PHP remote file inclusion vulnerability in content/fnc-readmail3.php i ...) NOT-FOR-US: Socketmail CVE-2007-5626 (make_catalog_backup in Bacula 2.2.5, and probably earlier, sends a MyS ...) - bacula 5.0.0-1 (unimportant; bug #446809) NOTE: this script needs the default database password and name needs to be set which NOTE: would be a bigger problem in a non-trusted environment. Apart from NOTE: this is documented in the bacula documentation NOTE: Since bacula 5.0.0 "make_catalog_backup.pl" is used by default, which is not affected CVE-2007-5625 (Cross-site scripting (XSS) vulnerability in filename.asp in ASP Site S ...) NOT-FOR-US: Site Search SearchSimon Lite CVE-2007-5624 (Cross-site scripting (XSS) vulnerability in Nagios 2.x before 2.10 all ...) {DSA-1883-2 DSA-1883-1} - nagios2 2.9-1.1 (low; bug #448371) CVE-2007-5623 (Buffer overflow in the check_snmp function in Nagios Plugins (nagios-p ...) {DSA-1495-1} - nagios-plugins 1.4.8-2.2 (medium; bug #448372) [sarge] - nagios-plugins (Vulnerable code not present) CVE-2003-1494 (Unspecified vulnerability in HP OpenView Network Node Manager (NNM) 6. ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2003-1493 (Memory leak in HP OpenView Network Node Manager (NNM) 6.2 and 6.4 allo ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2003-1492 (Netscape Navigator 7.0.2 and Mozilla allows remote attackers to access ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1491 (Kerio Personal Firewall (KPF) 2.1.4 has a default rule to accept incom ...) NOT-FOR-US: Kerio Personal Firewall CVE-2003-1490 (SonicWall Pro running firmware 6.4.0.1 allows remote attackers to caus ...) NOT-FOR-US: SonicWall Pro CVE-2003-1489 (upload.php in Truegalerie 1.0 allows remote attackers to read arbitrar ...) NOT-FOR-US: Truegalerie CVE-2003-1488 (The (1) verif_admin.php and (2) check_admin.php scripts in Truegalerie ...) NOT-FOR-US: Truegalerie CVE-2003-1487 (Multiple "command injection" vulnerabilities in Phorum 3.4 through 3.4 ...) NOT-FOR-US: Phorum CVE-2003-1486 (Phorum 3.4 through 3.4.2 allows remote attackers to obtain the full pa ...) NOT-FOR-US: Phorum CVE-2003-1485 (Clearswift MAILsweeper 4.0 through 4.3.7 allows remote attackers to by ...) NOT-FOR-US: Clearswift MAILsweeper CVE-2003-1484 (Microsoft Internet Explorer 6.0 SP1 allows remote attackers to cause a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1483 (FlashFXP 1.4 uses a weak encryption algorithm for user passwords, whic ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1482 (The backup configuration file for Microsoft MN-500 wireless base stati ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1481 (CommuniGate Pro 3.1 through 4.0.6 sends the session ID in the referer ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1480 (MySQL 3.20 through 4.1.0 uses a weak algorithm for hashed passwords, w ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1479 (Cross-site scripting (XSS) vulnerability in webcamXP 1.02.432 and 1.02 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1478 (Konqueror in KDE 3.0.3 allows remote attackers to cause a denial of se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1477 (MAILsweeper for SMTP 4.3.6 and 4.3.7 allows remote attackers to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1476 (Cerberus FTP Server 2.1 stores usernames and passwords in plaintext, w ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1475 (Netbus 1.5 through 1.7 allows more than one client to be connected at ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1474 (slashem-tty in the FreeBSD Ports Collection is installed with write pe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1473 (Buffer overflow in LTris 1.0.1 of FreeBSD Ports Collection 2003-02-25 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1472 (Buffer overflow in 3D-FTP client 4.0 allows remote FTP servers to caus ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1471 (MDaemon POP server 6.0.7 and earlier allows remote authenticated users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1470 (Buffer overflow in IMAP service in MDaemon 6.7.5 and earlier allows re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1469 (The default configuration of ColdFusion MX has the "Enable Robust Exce ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1468 (The Web_Links module in PHP-Nuke 6.0 through 6.5 final allows remote a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1467 (Multiple cross-site scripting (XSS) vulnerabilities in (1) login.php, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1466 (Unspecified vulnerability in Phorum 3.4 through 3.4.2 allows remote at ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1465 (Directory traversal vulnerability in download.php in Phorum 3.4 throug ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1464 (Buffer overflow in Siemens 45 series mobile phones allows remote attac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1463 (Absolute path traversal vulnerability in Alt-N Technologies WebAdmin 2 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1462 (mod_survey 3.0.0 through 3.0.15-pre6 does not check whether a survey e ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1461 (Buffer overflow in rwrite for HP-UX 11.0 could allow local users to ex ...) NOT-FOR-US: HP-UX CVE-2003-1460 (Worker Filemanager 1.0 through 2.7 sets the permissions on the destina ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1459 (Multiple PHP remote file inclusion vulnerabilities in ttCMS 2.2 and tt ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1458 (SQL injection vulnerability in Profile.php in ttCMS 2.2 and ttForum al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1457 (Auerswald COMsuite CTI ControlCenter 3.1 creates a default "runasositr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1456 (Album.pl 6.1 allows remote attackers to execute arbitrary commands, wh ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1455 (Multiple buffer overflows in the launch_bcrelay function in pptpctrl.c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1454 (Invision Power Services Invision Board 1.0 through 1.1.1, when a forum ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1453 (Cross-site scripting (XSS) vulnerability in the MytextSanitizer functi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1452 (Untrusted search path vulnerability in Qualcomm qpopper 4.0 through 4. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1451 (Buffer overflow in Symantec Norton AntiVirus 2002 allows remote attack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1450 (BitchX 75p3 and 1.0c16 through 1.0c20cvs allows remote attackers to ca ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1449 (Aladdin Knowlege Systems eSafe Gateway 3.5.126.0 does not check the en ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1448 (Memory leak in the Windows 2000 kernel allows remote attackers to caus ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1447 (IBM WebSphere Advanced Server Edition 4.0.4 uses a weak encryption alg ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1446 (Buffer overflow in the save_into_file function in save.c for Rogue 5.2 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1445 (Stack-based buffer overflow in Far Manager 1.70beta1 and earlier allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1444 (Kaspersky Antivirus (KAV) 4.0.9.0 allows local users to cause a denial ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1443 (Kaspersky Antivirus (KAV) 4.0.9.0 does not detect viruses in files wit ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1442 (The web administration page for the Ericsson HM220dp ADSL modem does n ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1441 (Posadis 0.50.4 through 0.50.8 allows remote attackers to cause a denia ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1440 (SpamProbe 0.8a allows remote attackers to cause a denial of service (c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1439 (Secure Internet Live Conferencing (SILC) 0.9.11 and 0.9.12 stores pass ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1438 (Race condition in BEA WebLogic Server and Express 5.1 through 7.0.0.1, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1437 (BEA WebLogic Express and WebLogic Server 7.0 and 7.0.0.1, stores passw ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1436 (PHP remote file inclusion vulnerability in nukebrowser.php in Nukebrow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1435 (SQL injection vulnerability in PHP-Nuke 5.6 and 6.0 allows remote atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1434 (login_ldap 3.1 and 3.2 allows remote attackers to initiate unauthentic ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1433 (Epic Games Unreal Engine 226f through 436 does not validate the challe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1432 (Epic Games Unreal Engine 226f through 436 allows remote attackers to c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1431 (Buffer overflow in Epic Games Unreal Engine 226f through 436 allows re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1430 (Directory traversal vulnerability in Unreal Tournament Server 436 and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1429 (Buffer overflow in Proxomitron Naoko 4.4 allows remote attackers to ex ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2007-5622 (Double free vulnerability in the ftpprchild function in ftppr in 3prox ...) - 3proxy (bug #718219) CVE-2007-5621 (Multiple cross-site scripting (XSS) vulnerabilities in the Token modul ...) NOT-FOR-US: Token Drupal NOTE: Token is not included in the drupal packages CVE-2007-5620 (Directory traversal vulnerability in admin/inc/help.php in ZZ:FlashCha ...) NOT-FOR-US: ZZ:FlashChat CVE-2007-5619 (Unspecified vulnerability in VMware Server before 1.0.4 causes user pa ...) - vmware-package (low; bug #486177) [etch] - vmware-package (Contrib not supported) NOTE: vmware-package just builds vmware from downloaded tarballs, the package itself NOTE: does not download them, however it needs to update its hashes for upstream tarballs CVE-2007-5618 (Unquoted Windows search path vulnerability in the Authorization and ot ...) - vmware-package (Only vulnerable on windows hosted systems) [etch] - vmware-package (Contrib not supported) CVE-2007-5617 (Unspecified vulnerability in VMware Player 1.0.x before 1.0.5 and 2.0 ...) - vmware-package (low; bug #486177) [etch] - vmware-package (Contrib not supported) NOTE: vmware-package just builds vmware from downloaded tarballs, the package itself NOTE: does not download them, however it needs to update its hashes for upstream tarballs CVE-2007-5616 (ssh-signer in SSH Tectia Client and Server 5.x before 5.2.4, and 5.3.x ...) NOT-FOR-US: SSH Tectia Client and Server CVE-2007-5615 (CRLF injection vulnerability in Mortbay Jetty before 6.1.6rc0 allows r ...) - jetty 6.1.19-1 (low; bug #454529) CVE-2007-5614 (Mortbay Jetty before 6.1.6rc1 does not properly handle "certain quote ...) - jetty 6.1.19-1 (low; bug #454529) CVE-2007-5613 (Cross-site scripting (XSS) vulnerability in Dump Servlet in Mortbay Je ...) - jetty 6.1.19-1 (low; bug #454529) CVE-2007-5612 (CIM Server in IBM Director 5.20.1 and earlier allows remote attackers ...) NOT-FOR-US: IBM Director CVE-2007-5611 RESERVED CVE-2007-5610 (The DeleteSingleFile function in the HPISDataManagerLib.Datamgr Active ...) NOT-FOR-US: ActiveX control CVE-2007-5609 RESERVED CVE-2007-5608 (The DownloadFile function in the HPISDataManagerLib.Datamgr ActiveX co ...) NOT-FOR-US: ActiveX control CVE-2007-5607 (Buffer overflow in the RegistryString function in the HPISDataManagerL ...) NOT-FOR-US: ActiveX control CVE-2007-5606 (Buffer overflow in the MoveFile function in the HPISDataManagerLib.Dat ...) NOT-FOR-US: ActiveX control CVE-2007-5605 (Buffer overflow in the GetFileTime function in the HPISDataManagerLib. ...) NOT-FOR-US: ActiveX control CVE-2007-5604 (Buffer overflow in the ExtractCab function in the HPISDataManagerLib.D ...) NOT-FOR-US: ActiveX control CVE-2007-5603 (Stack-based buffer overflow in the SonicWall SSL-VPN NetExtender NELau ...) NOT-FOR-US: SonicWall SSL-VPN NetExtender CVE-2007-5602 (Multiple stack-based buffer overflows in SwiftView Viewer before 8.3.5 ...) NOT-FOR-US: SwiftView Viewer CVE-2007-5601 (Stack-based buffer overflow in the Database Component in MPAMedia.dll ...) NOT-FOR-US: RealPlayer (windows only issue) CVE-2007-5600 (Incomplete blacklist vulnerability in index.php in Artmedic CMS 3.4 an ...) NOT-FOR-US: Artmedic CMS CVE-2007-5599 (Multiple PHP remote file inclusion vulnerabilities in awrate 1.0 allow ...) NOT-FOR-US: awrate CVE-2007-5598 (Cross-site scripting (XSS) vulnerability in Weblinks for Drupal 4.7.x ...) - drupal5 (bug #447748) - drupal (bug #447746) NOTE: drupal weblinks is not included in the drupal package in debian CVE-2007-5597 (The hook_comments API in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 ...) - drupal5 5.3-1 - drupal 4.7.8-1 CVE-2007-5596 (The core Upload module in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 ...) - drupal5 5.3-1 - drupal 4.7.8-1 CVE-2007-5595 (CRLF injection vulnerability in the drupal_goto function in includes/c ...) - drupal5 5.3-1 - drupal 4.7.8-1 CVE-2007-5594 (Drupal 5.x before 5.3 does not apply its Drupal Forms API protection a ...) - drupal5 5.3-1 - drupal 4.7.8-1 CVE-2007-5593 (install.php in Drupal 5.x before 5.3, when the configured database ser ...) - drupal5 5.3-1 - drupal 4.7.8-1 CVE-2007-5592 (Multiple PHP remote file inclusion vulnerabilities in awzMB 4.2 beta 1 ...) NOT-FOR-US: awzMB CVE-2007-5591 (The CS1000 signaling server in Nortel Enterprise VoIP-Core-CS 1000M Ch ...) NOT-FOR-US: Nortel Enterprise VoIP-Core-CS CVE-2007-5590 (Multiple buffer overflows in Miranda before 0.7.1 allow remote attacke ...) NOT-FOR-US: Miranda CVE-2007-5588 (Cross-site scripting (XSS) vulnerability in mnoGoSearch before 3.2.43 ...) {DTSA-103-1} - mnogosearch 3.3.4-4.1 (low; bug #447753) [sarge] - mnogosearch (Minor issue) [etch] - mnogosearch (Minor issue) CVE-2007-5587 (Buffer overflow in Macrovision SafeDisc secdrv.sys before 4.3.86.0, as ...) NOT-FOR-US: Microsoft Windows CVE-2007-5586 REJECTED CVE-2007-5585 (xscreensaver 5.03 and earlier, when running without xscreensaver-gl-ex ...) {DTSA-83-1} - xscreensaver 5.03-3.1 (medium; bug #448157) [etch] - xscreensaver (Vulnerable code not present) [sarge] - xscreensaver (Vulnerable code not present) CVE-2007-5584 (Unspecified vulnerability in Cisco Firewall Services Module (FWSM) 3.2 ...) NOT-FOR-US: Cisco CVE-2007-5583 (Cisco IP Phone 7940 with firmware P0S3-08-7-00 allows remote attackers ...) NOT-FOR-US: Cisco IP Phone CVE-2007-5582 (Cross-site scripting (XSS) vulnerability in the login page in Cisco Ci ...) NOT-FOR-US: Cisco CVE-2007-5581 (Multiple cross-site scripting (XSS) vulnerabilities in mpweb/scripts/m ...) NOT-FOR-US: Cisco Unified MeetingPlace CVE-2007-5580 (Buffer overflow in a certain driver in Cisco Security Agent 4.5.1 befo ...) NOT-FOR-US: Cisco CVE-2003-1428 (Gallery 1.3.3 creates directories with insecure permissions, which all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1427 (Directory traversal vulnerability in the web configuration interface i ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1426 (Openwebmail in cPanel 5.0, when run using suid Perl, adds the director ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1425 (guestbook.cgi in cPanel 5.0 allows remote attackers to execute arbitra ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1424 (message.php in Petitforum does not properly authenticate users, which ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1423 (Petitforum stores the liste.txt data file under the web document root ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1422 (Multiple unspecified vulnerabilities in the installer for SYSLINUX 2.0 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1421 (Unspecified vulnerability in mod_mysql_logger shared object in SuckBot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1420 (Cross-site scripting (XSS) vulnerability in Opera 6.0 through 7.0 with ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1419 (Netscape 7.0 allows remote attackers to cause a denial of service (cra ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1418 (Apache HTTP Server 1.3.22 through 1.3.27 on OpenBSD allows remote atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1417 (nCipher Support Software 6.00, when using generatekey KeySafe to impor ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1416 (BisonFTP Server 4 release 2 allows remote attackers to cause a denial ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1415 (NetCharts XBRL Server 4.0.0 allows remote attackers to obtain sensitiv ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1414 (Directory traversal vulnerability in parse_xml.cg Apple Darwin Streami ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1413 (parse_xml.cgi in Apple Darwin Streaming Server 4.1.1 allows remote att ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1412 (PHP remote file inclusion vulnerability in index.php for GONiCUS Syste ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1411 (PHP remote file inclusion vulnerability in emailreader_execute_on_each ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1410 (PHP remote file inclusion vulnerability in email.php (aka email.php3) ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1409 (TOPo 1.43 allows remote attackers to obtain sensitive information by s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1408 (Lotus Domino Server 5.0 and 6.0 allows remote attackers to read the so ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1407 (Buffer overflow in cmd.exe in Windows NT 4.0 may allow local users to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1406 (PHP remote file inclusion vulnerability in D-Forum 1.00 through 1.11 a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1405 (DotBr 0.1 allows remote attackers to execute arbitrary shell commands ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1404 (DotBr 0.1 stores config.inc with insufficient access control under the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1403 (foo.php3 in DotBr 0.1 allows remote attackers to obtain sensitive info ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1402 (PHP remote file inclusion vulnerability in hit.php for Kietu 2.0 and 2 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2003-1401 (login.php in php-Board 1.0 stores plaintext passwords in $username.txt ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2007-5589 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin befo ...) {DSA-1403-1} - phpmyadmin 4:2.11.1.2-1 NOTE: https://www.phpmyadmin.net/security/PMASA-2007-6/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/c32d999eb16a9e2748a834e3ad722cc4d33f7dd5 CVE-2007-5579 (login.php in Pligg CMS 9.5 uses a guessable confirmation code when res ...) NOT-FOR-US: Pligg CMS CVE-2007-5578 (Basic Analysis and Security Engine (BASE) before 1.3.8 sends a redirec ...) - acidbase 1.3.8 (low) [etch] - acidbase (Minor issue) CVE-2007-5577 (Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before ...) NOT-FOR-US: Joomla! CVE-2007-5576 (BEA Tuxedo 8.0 before RP392 and 8.1 before RP293, and WebLogic Enterpr ...) NOT-FOR-US: BEA Tuxedo CVE-2007-5575 (Cross-site request forgery (CSRF) vulnerability in 1024 CMS 1.2.5 allo ...) NOT-FOR-US: 1024 CMS CVE-2007-5574 (PHP remote file inclusion vulnerability in djpage.php in PHPDJ 0.5 all ...) NOT-FOR-US: PHPDJPHPDJ CVE-2007-5573 (PHP remote file inclusion vulnerability in classes/core/language.php i ...) - limesurvey (bug #472802) CVE-2007-5572 (Multiple cross-site request forgery (CSRF) vulnerabilities in Simple P ...) NOT-FOR-US: SPHPBlog CVE-2007-5571 (Cisco Firewall Services Module (FWSM) 3.1(6), and 3.2(2) and earlier, ...) NOT-FOR-US: Cisco Firewall Services Module CVE-2007-5570 (Cisco Firewall Services Module (FWSM) 3.2(1), and 3.1(5) and earlier, ...) NOT-FOR-US: Cisco Firewall Services Module CVE-2007-5569 (Cisco PIX and ASA appliances with 7.1 and 7.2 software, when configure ...) NOT-FOR-US: Cisco CVE-2007-5568 (Cisco PIX and ASA appliances with 7.0 through 8.0 software, and Cisco ...) NOT-FOR-US: Cisco CVE-2007-5567 (PHP remote file inclusion vulnerability in _lib/fckeditor/upload_confi ...) - moin (Does not contain the vulnerable code) - karrigell (Does not contain the vulnerable code) - knowledgeroot (Does not contain the vulnerable code) CVE-2007-5566 NOT-FOR-US: PHPBlog CVE-2007-5565 NOT-FOR-US: phpSCMS CVE-2007-5564 (Multiple cross-site scripting (XSS) vulnerabilities in NSSboard (forme ...) NOT-FOR-US: NSSboard CVE-2007-5563 (Unspecified vulnerability in VirtueMart before 1.0.13 allows remote at ...) NOT-FOR-US: VirtueMart CVE-2007-5562 (Cross-site scripting (XSS) vulnerability in cgi-bin/welcome (aka the l ...) NOT-FOR-US: Netgear firmware CVE-2007-5561 (Format string vulnerability in the logging function in the Oracle OPMN ...) NOT-FOR-US: Oracle CVE-2007-5560 (Heap-based buffer overflow in the Juniper HTTP Service allows remote a ...) NOT-FOR-US: Juniper HTTP Service CVE-2007-5559 (Heap-based buffer overflow in the IBM ThinkVantage TPM Service allows ...) NOT-FOR-US: IBM ThinkVantage TPM Service CVE-2007-5558 (Integer overflow in the LG Mobile handset allows remote attackers to c ...) NOT-FOR-US: LG Mobile handset CVE-2007-5557 (Unspecified vulnerability in the NEC mobile handset allows remote atta ...) NOT-FOR-US: NEC mobile handset CVE-2007-5556 (Unspecified vulnerability in the Avaya VoIP Handset allows remote atta ...) NOT-FOR-US: Avaya VoIP Handset CVE-2007-5555 (Unspecified vulnerability in Symantec Altiris Deployment Solution allo ...) NOT-FOR-US: Symantec Altiris Deployment Solution CVE-2007-5554 (Oracle allows remote attackers to obtain server memory contents via cr ...) NOT-FOR-US: Oracle CVE-2007-5553 REJECTED CVE-2007-5552 (Integer overflow in Cisco IOS allows remote attackers to execute arbit ...) NOT-FOR-US: Cisco CVE-2007-5551 (Off-by-one error in Cisco IOS allows remote attackers to execute arbit ...) NOT-FOR-US: Cisco CVE-2007-5550 (Unspecified vulnerability in Cisco IOS allows remote attackers to obta ...) NOT-FOR-US: Cisco CVE-2007-5549 (Unspecified vulnerability in Command EXEC in Cisco IOS allows local us ...) NOT-FOR-US: Cisco CVE-2007-5548 (Multiple stack-based buffer overflows in Command EXEC in Cisco IOS all ...) NOT-FOR-US: Cisco CVE-2007-5547 (Cross-site scripting (XSS) vulnerability in Cisco IOS allows remote at ...) NOT-FOR-US: Cisco CVE-2007-5546 (Multiple stack-based buffer overflows in TIBCO SmartPGM FX allow remot ...) NOT-FOR-US: TIBCO SmartPGM FX CVE-2007-5545 (Format string vulnerability in TIBCO SmartPGM FX allows remote attacke ...) NOT-FOR-US: TIBCO SmartPGM FX CVE-2007-5544 (IBM Lotus Notes before 6.5.6, and 7.x before 7.0.3; and Domino before ...) NOT-FOR-US: IBM Lotus Notes CVE-2007-5543 (Stack-based buffer overflow in Miranda IM 0.6.8 and 0.7.0 allows remot ...) NOT-FOR-US: Miranda CVE-2007-5542 (Stack-based buffer overflow in Miranda IM 0.6.8 allows remote attacker ...) NOT-FOR-US: Miranda CVE-2003-1400 (Cross-site scripting (XSS) vulnerability in the Your_Account module fo ...) NOT-FOR-US: PhpNuke CVE-2003-1399 (eject 2.0.10, when installed setuid on systems such as SuSE Linux 7.3, ...) - eject 2.0.13-1 CVE-2003-1398 (Cisco IOS 12.0 through 12.2, when IP routing is disabled, accepts fals ...) NOT-FOR-US: Cisco CVE-2003-1397 (The PluginContext object of Opera 6.05 and 7.0 allows remote attackers ...) NOT-FOR-US: Opera CVE-2003-1396 (Heap-based buffer overflow in Opera 6.05 through 7.10 allows remote at ...) NOT-FOR-US: Opera CVE-2003-1395 (Buffer overflow in KaZaA Media Desktop 2.0 allows remote attackers to ...) NOT-FOR-US: KaZaA Media Desktop CVE-2003-1394 (CoffeeCup Software Password Wizard 4.0 stores sensitive information su ...) NOT-FOR-US: CoffeeCup Software Password Wizard CVE-2003-1393 (Buffer overflow in Gupta SQLBase 8.1.0 allows remote attackers to caus ...) NOT-FOR-US: Gupta SQLBase CVE-2003-1392 (CryptoBuddy 1.0 and 1.2 does not use the user-supplied passphrase to e ...) NOT-FOR-US: CryptoBuddy CVE-2003-1391 (RTS CryptoBuddy 1.0 and 1.2 uses a weak encryption algorithm for the p ...) NOT-FOR-US: CryptoBuddy CVE-2003-1390 (RTS CryptoBuddy 1.2 and earlier stores bytes 53 through 55 of a 55-byt ...) NOT-FOR-US: CryptoBuddy CVE-2003-1389 (RTS CryptoBuddy 1.2 and earlier truncates long passphrases without war ...) NOT-FOR-US: CryptoBuddy CVE-2003-1388 (Buffer overflow in Opera 7.02 Build 2668 allows remote attackers to cr ...) NOT-FOR-US: Opera CVE-2003-1387 (Buffer overflow in Opera 6.05 and 6.06, and possibly other versions, a ...) NOT-FOR-US: Opera CVE-2003-1386 (AXIS 2400 Video Server 2.00 through 2.33 allows remote attackers to ob ...) NOT-FOR-US: AXIS 2400 Video Server CVE-2003-1385 (ipchat.php in Invision Power Board 1.1.1 allows remote attackers to ex ...) NOT-FOR-US: Invision Power Board CVE-2003-1384 (Cross-site scripting (XSS) vulnerability in index.php in PY-Livredor 1 ...) NOT-FOR-US: PY-Livredor CVE-2003-1383 (WEB-ERP 0.1.4 and earlier allows remote attackers to obtain sensitive ...) NOT-FOR-US: WEB-ERP CVE-2003-1382 (Buffer overflow in ISMail 1.4.3 and earlier allow remote attackers to ...) NOT-FOR-US: ISMail CVE-2003-1381 (Format string vulnerability in AMX 0.9.2 and earlier, a plugin for Val ...) NOT-FOR-US: AMX Half-Life Server CVE-2003-1380 (Directory traversal vulnerability in BisonFTP Server 4 release 2 allow ...) NOT-FOR-US: BisonFTP Server CVE-2003-1379 (clarkconnectd in ClarkConnect Linux 1.2 allows remote attackers to obt ...) NOT-FOR-US: clarkconnectd CVE-2003-1378 (Microsoft Outlook Express 6.0 and Outlook 2000, with the security zone ...) NOT-FOR-US: Microsoft Outlook CVE-2003-1377 (Buffer overflow in the reverse DNS lookup of Smart IRC Daemon (SIRCD) ...) NOT-FOR-US: Smart IRC Daemon CVE-2003-1376 (WinZip 8.0 uses weak random number generation for password protected Z ...) NOT-FOR-US: WinZip 8.0 CVE-2003-1375 (Buffer overflow in wall for HP-UX 10.20 through 11.11 may allow local ...) NOT-FOR-US: HP-UX 10.20 CVE-2003-1374 (Buffer overflow in disable of HP-UX 11.0 may allow local users to exec ...) NOT-FOR-US: HP-UX 11.0 CVE-2002-2306 (Sharman Networks KaZaA Media Desktop 1.7.1 allows remote attackers to ...) NOT-FOR-US: KaZaA Media Desktop CVE-2002-2305 (SQL injection vulnerability in agentadmin.php in Immobilier allows rem ...) NOT-FOR-US: Immobilier CVE-2002-2304 (SQL injection vulnerability in admin/auth/checksession.php in MyPHPLin ...) NOT-FOR-US: MyPHPLinks CVE-2002-2303 (3D3.Com ShopFactory 5.8 uses client-side encryption and decryption for ...) NOT-FOR-US: ShopFactory CVE-2002-2302 (3D3.Com ShopFactory 5.5 through 5.8 allows remote attackers to modify ...) NOT-FOR-US: ShopFactory CVE-2002-2301 (Lawson Financials 8.0, when configured to use a third party relational ...) NOT-FOR-US: Lawson Financials CVE-2002-2300 (Buffer overflow in ftpd 5.4 in 3Com NBX 4.0.17 or ftpd 5.4.2 in 3Com N ...) NOT-FOR-US: 3Com NBX ftpd CVE-2002-2299 (PHP remote file inclusion vulnerability in thatfile.php in Thatware 0. ...) NOT-FOR-US: Thatware CVE-2002-2298 (PHP remote file inclusion vulnerability in config.php in Thatware 0.3 ...) NOT-FOR-US: Thatware CVE-2002-2297 (PHP remote file inclusion vulnerability in artlist.php in Thatware 0.5 ...) NOT-FOR-US: Thatware CVE-2002-2296 (Cross-site scripting (XSS) vulnerability in YaBB.pl in Yet Another Bul ...) NOT-FOR-US: YABB CVE-2002-2295 (Buffer overflow in Pico Server (pServ) 2.0 beta 1 through beta 5 allow ...) NOT-FOR-US: Pico Server CVE-2002-2294 (Multiple buffer overflows in Symantec Raptor Firewall 6.5 and 6.5.3, E ...) NOT-FOR-US: Symantec Raptor CVE-2002-2293 (Webshots Desktop screensaver allows local users to bypass the password ...) NOT-FOR-US: Webshots Desktop screensaver CVE-2002-2292 (Directory traversal vulnerability in Remote Console Applet in Halycon ...) NOT-FOR-US: Remote Console Applet in Halycon CVE-2002-2291 (Calisto Internet Talker 0.04 and earlier allows remote attackers to ca ...) NOT-FOR-US: Calisto Internet Talker CVE-2002-2290 (Mambo Site Server 4.0.11 installs with a default username and password ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2289 (soinfo.php in BadBlue 1.7.1 calls the phpinfo function, which allows r ...) NOT-FOR-US: BadBlue CVE-2002-2288 (Mambo Site Server 4.0.11 allows remote attackers to obtain the physica ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2287 (PHP remote file inclusion vulnerability in quick_reply.php for phpBB A ...) NOT-FOR-US: phpBB Advanced Quick Reply Hack CVE-2002-2286 (The parse-get function in utils.c for apt-www-proxy 0.1 allows remote ...) NOT-FOR-US: apt-www-proxy CVE-2002-2285 (eTrust InoculateIT 6.0 with the "Incremental Scan" option enabled may ...) NOT-FOR-US: eTrust CVE-2002-2284 (Netscape Communicator 4.0 through 4.79 allows remote attackers to bypa ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2283 (Microsoft Windows XP with Fast User Switching (FUS) enabled does not r ...) NOT-FOR-US: Microsoft Windows XP CVE-2002-2282 (McAfee VirusScan 4.5.1, when the WebScanX.exe module is enabled, searc ...) NOT-FOR-US: McAfee VirusScan CVE-2002-2281 (Symantec Java! JIT (Just-In-Time) Compiler for Netscape Communicator 4 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2280 (syslogd on OpenBSD 2.9 through 3.2 does not change the source IP addre ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2279 (Unspecified vulnerability in the bind function in config.inc of aldap ...) NOT-FOR-US: aldap CVE-2002-2278 (Cross-site scripting (XSS) vulnerability in mod_search/index.php in Po ...) NOT-FOR-US: PortailPHP CVE-2002-2277 (SQL injection vulnerability in mod_search/index.php in PortailPHP 0.99 ...) NOT-FOR-US: PortailPHP CVE-2002-2276 (Ultimate PHP Board (UPB) 1.0 allows remote attackers to view the physi ...) NOT-FOR-US: PHP Board CVE-2002-2275 (Fortres 101 4.1 allows local users to bypass Fortres by pressing the W ...) NOT-FOR-US: Fortres CVE-2002-2274 (akfingerd 0.5 allows local users to read arbitrary files as the akfing ...) NOT-FOR-US: akfingerd CVE-2002-2273 (Cross-site scripting (XSS) vulnerability in Webster HTTP Server allows ...) NOT-FOR-US: Webster HTTP Server CVE-2002-2272 (Tomcat 4.0 through 4.1.12, using mod_jk 1.2.1 module on Apache 1.3 thr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2271 (Buffer overflow in BigFun 1.51b IRC client, when the Direct Client Con ...) NOT-FOR-US: BigFun CVE-2002-2270 (Unspecified vulnerability in the ied command in HP-UX 10.10, 10.20, an ...) NOT-FOR-US: HP-UX CVE-2002-2269 (Directory traversal vulnerability in Webster HTTP Server allows remote ...) NOT-FOR-US: Webster HTTP Server CVE-2002-2268 (Buffer overflow in Webster HTTP Server allows remote attackers to exec ...) NOT-FOR-US: Webster HTTP Server CVE-2002-2267 (bogopass in bogofilter 0.9.0.4 allows local users to overwrite arbitra ...) - bogofilter 0.9.0.5 CVE-2002-2266 (NetScreen ScreenOS 2.8 through 4.0, when forwarding H.323 or Netmeetin ...) NOT-FOR-US: NetScreen CVE-2002-2265 (Unspecified vulnerability in LDAP Module in System Authentication of O ...) NOT-FOR-US: Open Source Internet Solutions CVE-2002-2264 (Unspecified vulnerability in Internet Group Management Protocol (IGMP) ...) NOT-FOR-US: Internet Group Management Protocol CVE-2002-2263 (The installation program for HP-UX Visualize Conference B.11.00.11 run ...) NOT-FOR-US: HP-UX Visualize Conference CVE-2002-2262 (Unspecified vulnerability in xntpd of HP-UX 10.20 through 11.11 allows ...) NOT-FOR-US: HP-UX xntpd CVE-2002-2261 (Sendmail 8.9.0 through 8.12.6 allows remote attackers to bypass relayi ...) - sendmail 8.12.7 CVE-2002-2260 (Cross-site scripting (XSS) vulnerability in the quips feature in Mozil ...) {DSA-218} - bugzilla 2.14.2-1 CVE-2002-2259 (Buffer overflow in the French documentation patch for Gnuplot 3.7 in S ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1244 (Computer Associates InoculateIT Agent for Exchange Server does not rec ...) NOT-FOR-US: Exchange Server CVE-2007-5541 (Unspecified vulnerability in Opera before 9.24, when using an "externa ...) NOT-FOR-US: Opera CVE-2007-5540 (Unspecified vulnerability in Opera before 9.24 allows remote attackers ...) NOT-FOR-US: Opera CVE-2007-5539 (Unspecified vulnerability in Cisco Unified Intelligent Contact Managem ...) NOT-FOR-US: Cisco CVE-2007-5538 (Buffer overflow in the Centralized TFTP File Locator Service in Cisco ...) NOT-FOR-US: Cisco CVE-2007-5537 (Cisco Unified Communications Manager (CUCM, formerly CallManager) 5.1 ...) NOT-FOR-US: Cisco CVE-2007-5536 (Unspecified vulnerability in OpenSSL before A.00.09.07l on HP-UX B.11. ...) NOT-FOR-US: HP-UX CVE-2007-5535 (Unspecified vulnerability in newbb_plus in RunCms 1.5.2 has unknown im ...) NOT-FOR-US: RunCms CVE-2007-5534 (Unspecified vulnerability in the HCM component in Oracle PeopleSoft En ...) NOT-FOR-US: Oracle CVE-2007-5533 (Unspecified vulnerability in the People Tools component in Oracle Peop ...) NOT-FOR-US: Oracle CVE-2007-5532 (Unspecified vulnerability in the People Tools component in Oracle Peop ...) NOT-FOR-US: Oracle CVE-2007-5531 (Unspecified vulnerability in Oracle Help for Web, as used in Oracle Ap ...) NOT-FOR-US: Oracle CVE-2007-5530 (Unspecified vulnerability in the Database Control component in Oracle ...) NOT-FOR-US: Oracle CVE-2007-5529 (Unspecified vulnerability in the Oracle Self-Service Web Applications ...) NOT-FOR-US: Oracle CVE-2007-5528 (Multiple unspecified vulnerabilities in Oracle E-Business Suite 12.0.2 ...) NOT-FOR-US: Oracle CVE-2007-5527 (Multiple unspecified vulnerabilities in Oracle E-Business Suite 11.5.1 ...) NOT-FOR-US: Oracle CVE-2007-5526 (Unspecified vulnerability in the Oracle Portal component in Oracle App ...) NOT-FOR-US: Oracle CVE-2007-5525 (Unspecified vulnerability in the Oracle Single Sign-On component in Or ...) NOT-FOR-US: Oracle CVE-2007-5524 (Unspecified vulnerability in the Oracle Single Sign-On component in Or ...) NOT-FOR-US: Oracle CVE-2007-5523 (Unspecified vulnerability in the Oracle Internet Directory component i ...) NOT-FOR-US: Oracle CVE-2007-5522 (Unspecified vulnerability in the Oracle Portal component in Oracle App ...) NOT-FOR-US: Oracle CVE-2007-5521 (Unspecified vulnerability in the Oracle Containers for J2EE component ...) NOT-FOR-US: Oracle CVE-2007-5520 (Unspecified vulnerability in the Oracle Internet Directory component i ...) NOT-FOR-US: Oracle CVE-2007-5519 (Unspecified vulnerability in the Oracle Portal component in Oracle App ...) NOT-FOR-US: Oracle CVE-2007-5518 (Unspecified vulnerability in the Oracle HTTP Server component in Oracl ...) NOT-FOR-US: Oracle CVE-2007-5517 (Unspecified vulnerability in the Oracle Portal component in Oracle App ...) NOT-FOR-US: Oracle CVE-2007-5516 (Unspecified vulnerability in the Oracle Process Mgmt & Notificatio ...) NOT-FOR-US: Oracle CVE-2007-5515 (Unspecified vulnerability in the Spatial component in Oracle Database ...) NOT-FOR-US: Oracle CVE-2007-5514 (Multiple unspecified vulnerabilities in Oracle Database 10.2.0.3 have ...) NOT-FOR-US: Oracle CVE-2007-5513 (The XML DB (XMLDB) component in Oracle Database 9.2.0.8, 9.2.0.8DV, an ...) NOT-FOR-US: Oracle CVE-2007-5512 (Unspecified vulnerability in the Oracle Database Vault component in Or ...) NOT-FOR-US: Oracle CVE-2007-5511 (SQL injection vulnerability in Workspace Manager for Oracle Database b ...) NOT-FOR-US: Oracle CVE-2007-5510 (Multiple unspecified vulnerabilities in the Workspace Manager componen ...) NOT-FOR-US: Oracle CVE-2007-5509 (Unspecified vulnerability in the Spatial component in Oracle Database ...) NOT-FOR-US: Oracle CVE-2007-5508 (Multiple SQL injection vulnerabilities in the CTXSYS Intermedia applic ...) NOT-FOR-US: Oracle CVE-2007-5507 (The GIOP service in TNS Listener in the Oracle Net Services component ...) NOT-FOR-US: Oracle CVE-2007-5506 (The Core RDBMS component in Oracle Database 9.0.1.5+, 9.2.0.8, 9.2.0.8 ...) NOT-FOR-US: Oracle CVE-2007-5505 (Multiple unspecified vulnerabilities in Oracle Database 9.0.1.5+, 9.2. ...) NOT-FOR-US: Oracle CVE-2007-5504 (Multiple unspecified vulnerabilities in Oracle Database 9.0.1.5+ and 1 ...) NOT-FOR-US: Oracle CVE-2007-5503 (Multiple integer overflows in Cairo before 1.4.12 might allow remote a ...) {DSA-1542-1 DTSA-96-1} - libcairo 1.4.10-1.1 (medium; bug #453686) CVE-2007-5502 (The PRNG implementation for the OpenSSL FIPS Object Module 1.1.1 does ...) NOT-FOR-US: OpenSSL Fips object module CVE-2007-5501 (The tcp_sacktag_write_queue function in net/ipv4/tcp_input.c in Linux ...) - linux-2.6 2.6.23-1 (high) [etch] - linux-2.6 (Vulnerable code was introduced in 2.6.21) NOTE: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=96a2d41a3e495734b63bff4e5dd0112741b93b38 CVE-2007-5500 (The wait_task_stopped function in the Linux kernel before 2.6.23.8 che ...) {DSA-1428-1} - linux-2.6 2.6.23-2 CVE-2007-5499 REJECTED CVE-2007-5498 (The Xen hypervisor block backend driver for Linux kernel 2.6.18, when ...) - xen-unstable (Vulnerable code not present) - xen-3 (Vulnerable code not present) CVE-2007-5497 (Multiple integer overflows in libext2fs in e2fsprogs before 1.40.3 all ...) {DSA-1422-1 DTSA-95-1} - e2fsprogs 1.40.3-1 (bug #454760) CVE-2007-5496 (Cross-site scripting (XSS) vulnerability in setroubleshoot 2.0.5 allow ...) NOT-FOR-US: setroubleshoot CVE-2007-5495 (sealert in setroubleshoot 2.0.5 allows local users to overwrite arbitr ...) NOT-FOR-US: setroubleshoot CVE-2007-5494 (Memory leak in the Red Hat Content Accelerator kernel patch in Red Hat ...) - linux-2.6 (RedHat specific patch) CVE-2007-5493 (The SMS handler for Windows Mobile 2005 Pocket PC Phone edition allows ...) NOT-FOR-US: Windows Mobile CVE-2007-5492 (Static code injection vulnerability in the translation module (transla ...) {DSA-1423-1} - sitebar 3.3.8-12.1 (bug #447135) CVE-2007-5491 (Directory traversal vulnerability in the translation module (translato ...) {DSA-1423-1} - sitebar 3.3.8-12.1 (bug #447135) CVE-2007-5490 (SQL injection vulnerability in default.asp in Okul Otomasyon Portal 2. ...) NOT-FOR-US: Okul Otomasyon Portal CVE-2007-5489 (Directory traversal vulnerability in index.php in Artmedic CMS 3.4 and ...) NOT-FOR-US: Artmedic CMS CVE-2007-5487 (Stack-based buffer overflow in COWON America jetAudio Basic 7.0.3 allo ...) NOT-FOR-US: COWON America jetAudioc CVE-2007-5486 (dotProject before 2.1 does not properly check privileges when invoking ...) NOT-FOR-US: dotProject CVE-2007-5485 (SQL injection vulnerability in index.php in the mg2 1.0 module for Kws ...) NOT-FOR-US: KwsPHP CVE-2007-5484 (Directory traversal vulnerability in wxis.exe in WWWISIS 7.1 allows lo ...) NOT-FOR-US: WWWISIS CVE-2007-5483 (Unspecified vulnerability in the Administrative Scripting Tools (such ...) NOT-FOR-US: IBM WebSphere CVE-2007-5482 (Unspecified vulnerability in the FTP service in Sun StorEdge/StorageTe ...) NOT-FOR-US: Sun firmware CVE-2007-5481 (Distributed Checksum Clearinghouse (DCC) 1.3.65 allows remote attacker ...) - dcc (vulnerable code introduced in 1.3.65) CVE-2007-5480 (Multiple cross-site scripting (XSS) vulnerabilities in InnovaAge Innov ...) NOT-FOR-US: ZInnovaAge InnovaShop CVE-2007-5479 (Cross-site scripting (XSS) vulnerability in Search.asp in Xcomputer al ...) NOT-FOR-US: Xcomputer CVE-2007-5478 (Cross-site scripting (XSS) vulnerability in projects in Nabh Stringbea ...) NOT-FOR-US: Sbportal CVE-2007-5477 (Cross-site scripting (XSS) vulnerability in auth.w in djeyl.net WebMod ...) NOT-FOR-US: djeyl.net WebMod CVE-2007-5476 (Unspecified vulnerability in Adobe Flash Player 9.0.47.0 and earlier, ...) NOT-FOR-US: Opera specific flash vulnerability CVE-2007-5475 (Multiple buffer overflows in the Marvell wireless driver, as used in L ...) NOT-FOR-US: Linksys WAP4400N Wi-Fi access point CVE-2007-5474 (The driver for the Linksys WRT350N Wi-Fi access point with firmware 2. ...) NOT-FOR-US: Linksys WRT350N Wi-Fi access point CVE-2007-5473 (StaticFileHandler.cs in System.Web in Mono before 1.2.5.2, when runnin ...) - mono (Windows-specific vulnerability) CVE-2007-5472 (Cross-site scripting (XSS) vulnerability in the Server component in CA ...) NOT-FOR-US: HIPS CVE-2003-1373 (Directory traversal vulnerability in auth.php for PhpBB 1.4.0 through ...) - phpbb2 (phpbb was the vulnerable one) CVE-2003-1372 (Cross-site scripting (XSS) vulnerability in links.php script in myPHPN ...) NOT-FOR-US: myPHPNuke CVE-2003-1371 (Nuked-Klan 1.3b, and possibly earlier versions, allows remote attacker ...) NOT-FOR-US: Nuked-Klan CVE-2003-1370 (Multiple cross-site scripting (XSS) vulnerabilities in Nuked-Klan 1.2b ...) NOT-FOR-US: Nuked-Klan CVE-2003-1369 (Buffer overflow in ByteCatcher FTP client 1.04b allows remote attacker ...) NOT-FOR-US: ByteCatcher FTP client CVE-2003-1368 (Buffer overflow in the 32bit FTP client 9.49.1 allows remote attackers ...) NOT-FOR-US: 32bit FTP client CVE-2003-1367 (The which_access variable for Majordomo 2.0 through 1.94.4, and possib ...) NOT-FOR-US: Majordomo CVE-2003-1366 (chpass in OpenBSD 2.0 through 3.2 allows local users to read portions ...) NOT-FOR-US: OpenBSD 2.0 CVE-2003-1365 (The escape_dangerous_chars function in CGI::Lite 2.0 and earlier does ...) NOT-FOR-US: CGI::Lite 2.0 CVE-2003-1364 (Aprelium Technologies Abyss Web Server 1.1.2, and possibly other versi ...) NOT-FOR-US: Abyss Web Server CVE-2003-1363 (The remote web management interface of Aprelium Technologies Abyss Web ...) NOT-FOR-US: Abyss Web Server CVE-2003-1362 (Bastille B.02.00.00 of HP-UX 11.00 and 11.11 does not properly configu ...) NOT-FOR-US: HP-UX CVE-2003-1361 (Unknown vulnerability in VERITAS Bare Metal Restore (BMR) of Tivoli St ...) NOT-FOR-US: HP-UX CVE-2003-1360 (Buffer overflow in the setupterm function of (1) lanadmin and (2) land ...) NOT-FOR-US: HP-UX CVE-2003-1359 (Buffer overflow in stmkfont utility of HP-UX 10.0 through 11.22 allows ...) NOT-FOR-US: HP-UX CVE-2003-1358 (rs.F300 for HP-UX 10.0 through 11.22 uses the PATH environment variabl ...) NOT-FOR-US: HP-UX CVE-2007-5488 (Multiple SQL injection vulnerabilities in cdr_addon_mysql in Asterisk- ...) - asterisk-addons 1.4.4-1 CVE-2007-5471 (libgssapi before 0.6-13.7, as used by the ISC BIND named daemon in SUS ...) - libgssapi 0.8-1 CVE-2007-5470 (Microsoft Expression Media stores the catalog password in cleartext in ...) NOT-FOR-US: Microsoft Expression Media CVE-2007-5469 - openser 1.3.0-1 (unimportant; bug #446956) NOTE: should be only "exploitable" in local network with untrusted users CVE-2007-5468 (Cisco CallManager 5.1.1.3000-5 does not verify the Digest authenticati ...) NOT-FOR-US: Cisco CVE-2007-5467 (Integer overflow in eXtremail 2.1.1 and earlier allows remote attacker ...) NOT-FOR-US: eXtremail CVE-2007-5466 (Multiple buffer overflows in eXtremail 2.1.1 and earlier allow remote ...) NOT-FOR-US: eXtremail CVE-2007-5465 (Directory traversal vulnerability in doop CMS 1.3.7 and earlier allows ...) NOT-FOR-US: doop CMS CVE-2007-5464 (Stack-based buffer overflow in Live for Speed 0.5X10 and earlier allow ...) NOT-FOR-US: Live for Speed CVE-2007-5463 (ideal_process.php in the iDEAL payment module in ViArt Shop 3.3 beta a ...) NOT-FOR-US: ViArt Shop CVE-2007-5462 (Unspecified vulnerability in the Sun Solaris RPC services library (lib ...) NOT-FOR-US: Solaris CVE-2007-5460 (Microsoft ActiveSync 4.1, as used in Windows Mobile 5.0, uses weak enc ...) NOT-FOR-US: Microsoft ActiveSync CVE-2007-5459 (Cross-site scripting (XSS) vulnerability in the sidebar HTML page in t ...) NOT-FOR-US: MouseoverDictionary CVE-2007-5458 (SQL injection vulnerability in index.php in the newsletter module 1.0 ...) NOT-FOR-US: KwsPHP CVE-2007-5457 (Multiple PHP remote file inclusion vulnerabilities in Michael Dempfle ...) NOT-FOR-US: Joomla! extension CVE-2007-5456 (Microsoft Internet Explorer 7 and earlier allows remote attackers to b ...) NOT-FOR-US: Internet Explorer CVE-2007-5455 (Cross-site scripting (XSS) vulnerability in wxis.exe in WWWISIS 7.1 an ...) NOT-FOR-US: WWWISIS CVE-2007-5454 (Directory traversal vulnerability in index.php in PHP File Sharing Sys ...) NOT-FOR-US: PHP File Sharing CVE-2007-5453 (Multiple eval injection vulnerabilities in Php-Stats 0.1.9.2 allow rem ...) NOT-FOR-US: Php-Stats CVE-2007-5452 (Multiple SQL injection vulnerabilities in php-stats.recjs.php in Php-S ...) NOT-FOR-US: Php-Stats CVE-2007-5451 (PHP remote file inclusion vulnerability in admin.color.php in the com_ ...) NOT-FOR-US: Joomla! extension CVE-2007-5450 (Unspecified vulnerability in Safari on the Apple iPod touch (aka iTouc ...) NOT-FOR-US: Apple firmware CVE-2007-5449 (SQL injection vulnerability in searchresult.php in Softbiz Recipes Por ...) NOT-FOR-US: Softbiz Recipes Portal Script CVE-2007-5448 (Madwifi 0.9.3.2 and earlier allows remote attackers to cause a denial ...) - madwifi 1:0.9.3.2-2 (medium; bug #446824) [etch] - madwifi 1:0.9.2+r1842.20061207-2etch2 CVE-2007-5447 (ioncube_loader_win_5.2.dll in the ionCube Loader 6.5 extension for PHP ...) NOT-FOR-US: ionCube CVE-2007-5446 (Absolute path traversal vulnerability in a certain ActiveX control in ...) NOT-FOR-US: PBEmail CVE-2007-5445 (Buffer overflow in the DB Software Laboratory VImpX (VImpAX1) ActiveX ...) NOT-FOR-US: VImpX CVE-2007-5444 (CMS Made Simple 1.1.3.1 allows remote attackers to obtain the full pat ...) NOT-FOR-US: CMS Made Simpe CVE-2007-5443 (Multiple cross-site scripting (XSS) vulnerabilities in CMS Made Simple ...) NOT-FOR-US: CMS Made Simpe CVE-2007-5442 (CMS Made Simple 1.1.3.1 does not check the permissions assigned to use ...) NOT-FOR-US: CMS Made Simpe CVE-2007-5441 (CMS Made Simple 1.1.3.1 does not check the permissions assigned to use ...) NOT-FOR-US: CMS Made Simpe CVE-2007-5440 NOT-FOR-US: Crs Manager CVE-2007-5439 (CA (formerly Computer Associates) eTrust ITM (Threat Manager) 8.1 stor ...) NOT-FOR-US: eTrust ITM CVE-2007-5438 (Unspecified vulnerability in a certain ActiveX control in Reconfig.DLL ...) - vmware-package (Windows only) CVE-2007-5437 (The web console in CA (formerly Computer Associates) eTrust ITM (Threa ...) NOT-FOR-US: eTrust ITM CVE-2007-5436 (Buffer overflow in a certain ActiveX control in ScanObjectBrowser.DLL ...) NOT-FOR-US: G DATA Antivirus CVE-2007-5435 (Unspecified vulnerability in CA ERwin Process Modeler (formerly AllFus ...) NOT-FOR-US: CA ERwin Process Modeler CVE-2007-5434 (Cross-site scripting (XSS) vulnerability in PRO-search 0.17.1 and earl ...) NOT-FOR-US: PRO-search CVE-2007-5433 (Multiple cross-site scripting (XSS) vulnerabilities in index.cgi in Si ...) NOT-FOR-US: Site-Up CVE-2007-5432 (Stride 1.0 has a default administrator username of "scott" with the pa ...) NOT-FOR-US: Stride CVE-2007-5431 (include/imageupload.js in the MyFTPUploader module in Stride 1.0 conta ...) NOT-FOR-US: Stride module CVE-2007-5430 (Multiple SQL injection vulnerabilities in Stride 1.0 allow remote atta ...) NOT-FOR-US: Stride CVE-2007-5429 (Cross-site scripting (XSS) vulnerability in index.php in Nucleus 3.01 ...) NOT-FOR-US: Nucleus CVE-2007-5428 (Cross-site scripting (XSS) vulnerability in UMI CMS allows remote atta ...) NOT-FOR-US: UMI CMS CVE-2007-5427 (Cross-site scripting (XSS) vulnerability in the com_search component i ...) NOT-FOR-US: Joomla! CVE-2007-5426 (Multiple cross-site scripting (XSS) vulnerabilities in ActiveKB NX 2.5 ...) NOT-FOR-US: ActiveKB NX CVE-2007-5425 (SQL injection vulnerability in admin/index.php in Interspire ActiveKB ...) NOT-FOR-US: ActiveKB NX CVE-2007-5424 (The disable_functions feature in PHP 4 and 5 allows attackers to bypas ...) - php4 (unimportant) - php5 (unimportant) NOTE: if the function is blacklisted but not its alias it is a configuration NOTE: issue of the site not a vulnerability in php CVE-2007-5423 (tiki-graph_formula.php in TikiWiki 1.9.8 allows remote attackers to ex ...) - tikiwiki CVE-2007-5422 (Unspecified vulnerability in "Solaris Auditing" in the Basic Security ...) NOT-FOR-US: Solaris Auditing CVE-2007-5421 REJECTED CVE-2007-5420 (The 3Com 3CRWER100-75 router with 1.2.10ww software, when remote manag ...) NOT-FOR-US: 3Com 3CRWER100-75 CVE-2007-5419 (The 3Com 3CRWER100-75 router with 1.2.10ww software, when enabling an ...) NOT-FOR-US: 3Com 3CRWER100-75 CVE-2007-5418 (Multiple PHP remote file inclusion vulnerabilities in CARE2X 2G 2.2 al ...) NOT-FOR-US: CARE2X CVE-2007-5417 (Directory traversal vulnerability in index.php in boastMachine (aka bM ...) NOT-FOR-US: boastMachine CVE-2007-5416 (Drupal 5.2 and earlier does not properly unset variables when the inpu ...) - drupal5 (unimportant; bug #446887) - drupal (unimportant) NOTE: The underlying PHP issue has been fixed in DSA 1206. NOTE: Plus, register_globals is not supported in Debian CVE-2007-5415 (Cross-site scripting (XSS) vulnerability in Mozilla Firefox 2.0, when ...) - iceweasel (unimportant) NOTE: if you are on a site which allows UTF-7 sure you need to sanitize the NOTE: equivalent strings in UTF-7 NOTE: referring to the mozilla security team this is a non-issue and a duplicate of NOTE: CVE-2007-5414, mailed mitre CVE-2007-5414 (Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 2.0 ...) - iceweasel 2.0+dfsg-1 CVE-2007-5413 (httpd.tkd in Radia Integration Server in Hewlett-Packard (HP) OpenView ...) NOT-FOR-US: HP OpenView CVE-2007-5412 (Multiple PHP remote file inclusion vulnerabilities in the Quoc-Huy MP3 ...) NOT-FOR-US: Joomla! extension CVE-2007-5411 (Cross-site scripting (XSS) vulnerability in the Linksys SPA941 VoIP Ph ...) NOT-FOR-US: Linksys CVE-2007-5410 (PHP remote file inclusion vulnerability in admin.wmtrssreader.php in t ...) NOT-FOR-US: Joomla! extension CVE-2007-5409 (PHP remote file inclusion vulnerability in admin/nuseo_admin_d.php in ...) NOT-FOR-US: NuSEO CVE-2007-5408 (SQL injection vulnerability in category.php in cpDynaLinks 1.02 allows ...) NOT-FOR-US: cpDynaLinks CVE-2007-5407 (Multiple PHP remote file inclusion vulnerabilities in the JContentSubs ...) NOT-FOR-US: Joomla! extension CVE-2007-5406 (kpagrdr.dll 2.0.0.2 and 10.3.0.0 in the Applix Presents reader in Auto ...) NOT-FOR-US: KeyView CVE-2007-5405 (Multiple buffer overflows in kpagrdr.dll 2.0.0.2 and 10.3.0.0 in the A ...) NOT-FOR-US: KeyView CVE-2007-5404 (Layton HelpBox 3.7.1 generates different responses depending on whethe ...) NOT-FOR-US: Layton HelpBox CVE-2007-5403 (Multiple cross-site scripting (XSS) vulnerabilities in Layton HelpBox ...) NOT-FOR-US: Layton HelpBox CVE-2007-5402 (Multiple SQL injection vulnerabilities in Layton HelpBox 3.7.1 allow ( ...) NOT-FOR-US: Layton HelpBox CVE-2007-5401 (Unrestricted file upload vulnerability in uploadrequest.asp in Layton ...) NOT-FOR-US: Layton HelpBox CVE-2007-5400 (Heap-based buffer overflow in the Shockwave Flash (SWF) frame handling ...) NOT-FOR-US: RealPlayer CVE-2007-5399 (Multiple heap-based buffer overflows in emlsr.dll in the EML reader in ...) NOT-FOR-US: KeyView CVE-2007-5398 (Stack-based buffer overflow in the reply_netbios_packet function in nm ...) {DSA-1409-3 DSA-1409-2 DSA-1409-1} - samba 3.0.27-1 (high) CVE-2007-5397 (Heap-based buffer overflow in the activePDF Server service (aka APServ ...) NOT-FOR-US: activePDF Server CVE-2007-5396 (Format string vulnerability in the ext_yahoo_contact_added function in ...) NOT-FOR-US: Miranda CVE-2007-5395 (Stack-based buffer overflow in the separate_word function in tokenize. ...) {DSA-1432-1} - link-grammar 4.2.5-1 (medium; bug #450695) CVE-2007-5394 (Stack-based buffer overflow in AldFs32.dll in Adobe PageMaker 7.0.1 an ...) NOT-FOR-US: Adobe PageMaker CVE-2007-5393 (Heap-based buffer overflow in the CCITTFaxStream::lookChar method in x ...) {DSA-1537-1 DSA-1509-1 DSA-1480-1 DSA-1408-1 DTSA-85-1 DTSA-86-1} - poppler 0.6.2-1 (medium; bug #450628) - kdegraphics 4:3.5.8-2 (medium; bug #450630) - xpdf 3.02-1.3 (medium; bug #450629) - koffice 1:1.6.3-4 (medium; bug #450631) - cups 1.1.22-7 - gpdf - pdftohtml [etch] - pdftohtml 0.36-13etch1 - tetex-bin 3.0-12 NOTE: pdftex links to poppler since 3.0-12, thus marking as fixed - cupsys (we use xpdf-utils in sarge and poppler-utils since etch to not embedd this code) NOTE: cups uses xpdf-utils and poppler-utils - libextractor 0.5.12-1 NOTE: libextractor uses internal pdf decoder since 0.5.12-1, thus marking as fixed - swftools 0.9.2+ds1-2 CVE-2007-5392 (Integer overflow in the DCTStream::reset method in xpdf/Stream.cc in X ...) {DSA-1537-1 DSA-1509-1 DSA-1480-1 DTSA-85-1 DTSA-86-1} - poppler 0.6.2-1 (medium; bug #450628) - kdegraphics 4:3.5.8-2 (medium; bug #450630) [etch] - kdegraphics (Vulnerable code not used) - xpdf 3.02-1.3 (medium; bug #450629) - koffice 1:1.6.3-4 (medium; bug #450631) - cups 1.1.22-7 - gpdf - pdftohtml [etch] - pdftohtml 0.36-13etch1 - tetex-bin 3.0-12 NOTE: pdftex links to poppler since 3.0-12, thus marking as fixed - cupsys (we use xpdf-utils in sarge and poppler-utils since etch to not embedd this code) NOTE: cups uses xpdf-utils and poppler-utils - libextractor 0.5.12-1 NOTE: libextractor uses internal pdf decoder since 0.5.12-1, thus marking as fixed - swftools 0.9.2+ds1-2 CVE-2003-1357 (ProxyView has a default administrator password of Administrator for Em ...) NOT-FOR-US: ProxyView CVE-2003-1356 (The "file handling" in sort in HP-UX 10.01 through 10.20, and 11.00 th ...) NOT-FOR-US: HP-UX CVE-2003-1355 (Buffer overflow in the remote console (rcon) in Battlefield 1942 1.2 a ...) NOT-FOR-US: Battlefield CVE-2003-1354 (Multiple GameSpy 3D 2.62 compatible gaming servers generate very large ...) NOT-FOR-US: Battlefield CVE-2003-1353 (Multiple cross-site scripting (XSS) vulnerabilities in Outreach Projec ...) NOT-FOR-US: Outreach CVE-2003-1352 (Gabber 0.8.7 sends an email to a specific address during user login an ...) - gabber 0.8.8-1 - gabber2 (No code to send data to update@jabber.org) CVE-2003-1351 (Directory traversal vulnerability in edittag.cgi in EditTag 1.1 allows ...) NOT-FOR-US: EditTag CVE-2003-1350 (List Site Pro 2.0 allows remote attackers to hijack user accounts by i ...) NOT-FOR-US: List Site Pro 2.0 CVE-2003-1349 (Directory traversal vulnerability in NITE ftp-server (NiteServer) 1.83 ...) NOT-FOR-US: NITE ftp-server CVE-2003-1348 (Cross-site scripting (XSS) vulnerability in guestbook.cgi in ftls.org ...) NOT-FOR-US: Guestbook CVE-2003-1347 (Multiple cross-site scripting (XSS) vulnerabilities in Geeklog 1.3.7 a ...) NOT-FOR-US: Geeklog CVE-2003-1346 (D-Link wireless access point DWL-900AP+ 2.2, 2.3 and possibly 2.5 allo ...) NOT-FOR-US: DWL-900AP CVE-2003-1345 (Directory traversal vulnerability in s.dll in WebCollection Plus 5.00 ...) NOT-FOR-US: WebCollection CVE-2003-1344 (Trend Micro Virus Control System (TVCS) Log Collector allows remote at ...) NOT-FOR-US: Trend Micro Virus Control System CVE-2003-1343 (Trend Micro ScanMail for Exchange (SMEX) before 3.81 and before 6.1 mi ...) NOT-FOR-US: Trend Micro ScanMail for Exchange CVE-2003-1342 (Trend Micro Virus Control System (TVCS) 1.8 running with IIS allows re ...) NOT-FOR-US: Trend Micro Virus Control System CVE-2003-1341 (The default installation of Trend Micro OfficeScan 3.0 through 3.54 an ...) NOT-FOR-US: Trend Micro OfficeScan CVE-2002-2258 (Moby NetSuite allows remote attackers to cause a denial of service (cr ...) NOT-FOR-US: Moby NetSuite CVE-2002-2257 (Stack-based buffer overflow in the parse_field function in cgi_lib.c f ...) NOT-FOR-US: libcgi NOTE: this is another libcgi than the one we ship CVE-2002-2256 (Directory traversal vulnerability in pWins Webserver 0.2.5 and earlier ...) NOT-FOR-US: pWins CVE-2002-2255 (Cross-site scripting (XSS) vulnerability in search.php in phpBB 2.0.3 ...) - phpbb2 2.0.13-6sarge3 NOTE: might be fixed in prior versions CVE-2002-2254 (The experimental IP packet queuing feature in Netfilter / IPTables in ...) - linux-2.6 (Fixed before initial upload into the archive, during 2.4) CVE-2002-2253 (Multiple buffer overflows in Cyrus Sieve / libSieve 2.1.2 and earlier ...) - libsieve (was fixed in 2.1.3 before debian version was uploaded) CVE-2002-2252 (SQL injection vulnerability in auth.inc.php in Thatware 0.5.0 and earl ...) NOT-FOR-US: Thatware CVE-2002-2251 (Buffer overflow in the changevalue function in libcgi.h for Marcos Lui ...) NOT-FOR-US: Marcos Luiz Onisto CVE-2002-2250 (Multiple buffer overflows in Sybase Adaptive Server 12.0 and 12.5 allo ...) NOT-FOR-US: Sybase CVE-2002-2249 (PHP remote file inclusion vulnerability in News Evolution 2.0 allows r ...) NOT-FOR-US: News Evolution CVE-2002-2248 (Buffer overflow in the sun.awt.windows.WDefaultFontCharset Java class ...) NOT-FOR-US: Netscape CVE-2002-2247 (The administrator/phpinfo.php script in Mambo Site Server 4.0.11 allow ...) NOT-FOR-US: Mambo NOTE: mambo is in experimental CVE-2002-2246 (Cross-site scripting (XSS) vulnerability in VisNetic Website before 3. ...) NOT-FOR-US: VisNetic Website CVE-2002-2245 (ftpd in NetBSD 1.5 through 1.5.3 and 1.6 does not properly quote a dig ...) NOT-FOR-US: NetBSD ftpd CVE-2002-2244 (Akfingerd 0.5 and earlier versions allow local users to cause a denial ...) NOT-FOR-US: Akfingerd CVE-2002-2243 (Akfingerd 0.5 and possibly earlier versions only allows one connection ...) NOT-FOR-US: Akfingerd CVE-2002-2242 (The Apple Package Manager in KisMAC 0.02a and earlier modifies file pe ...) NOT-FOR-US: Apple Package Manager of KisMAC CVE-2002-2241 (Buffer overflow in httpd32.exe in Deerfield VisNetic WebSite before 3. ...) NOT-FOR-US: Deerfield VisNetic WebSite CVE-2002-2240 (Directory traversal vulnerability in MyServer 0.11 and 0.2 allows remo ...) NOT-FOR-US: MyServer CVE-2002-2239 (The Cisco Optical Service Module (OSM) for the Catalyst 6500 and 7600 ...) NOT-FOR-US: Cisco CVE-2002-2238 (Directory traversal vulnerability in the Kunani ODBC FTP Server 1.0.10 ...) NOT-FOR-US: Kunani ODBC FTP Server CVE-2002-2237 (tftp32 TFTP server 2.21 and earlier allows remote attackers to cause a ...) NOT-FOR-US: tftp32 TFTP CVE-2002-2236 (Format string vulnerability in the awp_log function in apt-www-proxy 0 ...) NOT-FOR-US: apt-www-proxy CVE-2002-2235 (member2.php in vBulletin 2.2.9 and earlier does not properly restrict ...) NOT-FOR-US: vBulletin CVE-2002-2234 (NetScreen ScreenOS before 4.0.1 allows remote attackers to bypass the ...) NOT-FOR-US: NetScreen ScreenOS CVE-2002-2233 (Directory traversal vulnerability in Enceladus Server Suite 3.9 allows ...) NOT-FOR-US: Enceladus Server Suite CVE-2002-2232 (Buffer overflow in Enceladus Server Suite 3.9 allows remote attackers ...) NOT-FOR-US: Enceladus Server Suite CVE-2002-2231 (Cross-site scripting (XSS) vulnerability in Ikonboard 3.1.1 allows rem ...) NOT-FOR-US: Ikonboard CVE-2002-2230 (Cross-site scripting (XSS) vulnerability in Ikonboard 3.1.1 allows rem ...) NOT-FOR-US: Ikonboard CVE-2002-2229 (Directory traversal vulnerability in Sapio Design Ltd. WebReflex 1.53 ...) NOT-FOR-US: WebReflex CVE-2002-2228 (MailScanner before 4.0 5-1 and before 3.2 6-1 allows remote attackers ...) - mailscanner 4.22.5-1 CVE-2007-5461 (Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4 ...) {DSA-1453-1 DSA-1447-1} - tomcat5.5 5.5.25-2 (low; bug #448664) - tomcat5 NOTE: patch: http://mail-archives.apache.org/mod_mbox/tomcat-users/200710.mbox/%3C47135C2D.1000705@apache.org%3E CVE-2007-5391 (Unspecified vulnerability in HP Select Identity 4.01 through 4.01.010 ...) NOT-FOR-US: HP Select Identity CVE-2007-5390 (PHP remote file inclusion vulnerability in index.php in PicoFlat CMS 0 ...) NOT-FOR-US: PicoFlat CVE-2007-5389 NOT-FOR-US: Joomla! extension CVE-2007-5388 (Multiple PHP remote file inclusion vulnerabilities in WebDesktop 0.1 a ...) NOT-FOR-US: WebDesktop CVE-2007-5387 (PHP remote file inclusion vulnerability in active/components/xmlrpc/cl ...) NOT-FOR-US: Pindorama CVE-2007-5386 (Cross-site scripting (XSS) vulnerability in scripts/setup.php in phpMy ...) {DSA-1403-1} - phpmyadmin 4:2.11.1.2-1 (bug #446451) [sarge] - phpmyadmin (vulnerable script not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2007-5/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/27d5467dc3ba6e594d5e5cd291a908b48464e289 CVE-2007-5385 (Multiple cross-site scripting (XSS) vulnerabilities in the Thomson/Alc ...) NOT-FOR-US: Thomson/Alcatel SpeedTouch 7G router CVE-2007-5384 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Thom ...) NOT-FOR-US: Thomson/Alcatel SpeedTouch 7G router CVE-2007-5383 (The Thomson/Alcatel SpeedTouch 7G router, as used for the BT Home Hub ...) NOT-FOR-US: Thomson/Alcatel SpeedTouch 7G router CVE-2007-5382 (The conversion utility for converting CiscoWorks Wireless LAN Solution ...) NOT-FOR-US: CiscoWorks CVE-2007-5381 (Stack-based buffer overflow in the Line Printer Daemon (LPD) in Cisco ...) NOT-FOR-US: Line Printer Daemon (LPD) Cisco CVE-2007-5380 (Session fixation vulnerability in Rails before 1.2.4, as used for Ruby ...) - rails 1.2.5-1 CVE-2007-5379 (Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers ...) - rails 1.2.5-1 [etch] - rails (Vulnerable code not present) CVE-2007-5378 (Buffer overflow in the FileReadGIF function in tkImgGIF.c for Tk Toolk ...) {DSA-1743-1 DSA-1416-1 DSA-1415-1} - tk8.3 8.3.5-10 (medium; bug #446465) - tk8.4 8.4.16-1 (medium) - libtk-img 1.3-release-8 (medium) CVE-2007-5377 (The (1) tramp-make-temp-file and (2) tramp-make-tramp-temp-file functi ...) - tramp (the version we ship still uses make-temp-file) - emacs22 (the version we ship still uses make-temp-file) CVE-2007-5376 RESERVED CVE-2007-5375 (Interpretation conflict in the Sun Java Virtual Machine (JVM) allows u ...) - sun-java6 6-03-1 (low) - sun-java5 1.5.0-13-1 (low) [etch] - sun-java5 1.5.0-14-1etch1 - openjdk-6 6b08-1 (bug #566766) CVE-2007-5374 (cp_memberedit.php in LightBlog 8.4.1.1 does not check for administrati ...) NOT-FOR-US: LightBlog CVE-2007-5373 (ldapscripts 1.4 and 1.7 sends a password as a command line argument wh ...) {DSA-1517-1 DTSA-68-1} - ldapscripts 1.7.1-2 (bug #445582; medium) CVE-2007-5372 (Multiple SQL injection vulnerabilities in (a) LedgerSMB 1.0.0 through ...) - sql-ledger (unimportant; bug #446366) NOTE: It's documented behaviour that SQL-Ledger should only be run in an NOTE: authenticated HTTP zone and without untrusted users CVE-2007-5371 (Multiple SQL injection vulnerabilities in mutate_content.dynamic.php i ...) NOT-FOR-US: MODx CVE-2007-5370 (Multiple cross-site scripting (XSS) vulnerabilities in cgi-bin/dnewswe ...) NOT-FOR-US: NetWin CVE-2007-5369 (The GetMagicNumberString function in Massive Entertainment World in Co ...) NOT-FOR-US: conflict CVE-2007-5368 (Multiple unspecified vulnerabilities in labeld in Trusted Extensions i ...) NOT-FOR-US: Sun Solaris CVE-2007-5367 (Unspecified vulnerability in the Virtual File System (VFS) in Sun Sola ...) NOT-FOR-US: Sun Solaris CVE-2007-5366 (The Tomcat 4.1-based Servlet Service in Fujitsu Interstage Application ...) NOT-FOR-US: Fujitsu Interstage Application Server CVE-2007-5365 (Stack-based buffer overflow in the cons_options function in options.c ...) {DSA-1388-3 DSA-1388-1} - dhcp 2.0pl5dfsg1-20.2 (medium; bug #446354) - dhcp3 (dhcp3 does enforce a fixed minimum paket size if it is lower, see line 513 in options.c) NOTE: dhcp has a request for removal #446386 CVE-2007-5364 NOT-FOR-US: ViArt Shopping Cart CVE-2007-5363 (PHP remote file inclusion vulnerability in admin.panoramic.php in the ...) NOT-FOR-US: Joomla! extension CVE-2007-5362 (Multiple PHP remote file inclusion vulnerabilities in the Avant-Garde ...) NOT-FOR-US: Joomla! and mambo extension CVE-2007-5361 (The Communication Server in Alcatel-Lucent OmniPCX Enterprise 7.1 and ...) NOT-FOR-US: Alcatel-Lucent OmniPCX Enterprise CVE-2007-5360 (Buffer overflow in OpenPegasus Management server, when compiled to use ...) NOT-FOR-US: OpenPegasus Management server CVE-2007-5359 RESERVED CVE-2007-5358 (Multiple buffer overflows in the voicemail functionality in Asterisk 1 ...) - asterisk 1:1.4.13~dfsg-1 (medium) [sarge] - asterisk (Only Asterisk 1.4.x is affected) [etch] - asterisk (Only Asterisk 1.4.x is affected) CVE-2007-5357 REJECTED CVE-2007-5356 REJECTED CVE-2007-5355 (The Web Proxy Auto-Discovery (WPAD) feature in Microsoft Internet Expl ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2007-5354 REJECTED CVE-2007-5353 REJECTED CVE-2007-5352 (Unspecified vulnerability in Local Security Authority Subsystem Servic ...) NOT-FOR-US: Microsoft Windows CVE-2007-5351 (Unspecified vulnerability in Server Message Block Version 2 (SMBv2) si ...) NOT-FOR-US: Microsoft Vista CVE-2007-5350 (Unspecified vulnerability in the Windows Advanced Local Procedure Call ...) NOT-FOR-US: Microsoft Vista CVE-2007-5349 REJECTED CVE-2007-5348 (Integer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2007-5347 (Microsoft Internet Explorer 5.01 through 7 allows remote attackers to ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2007-5346 REJECTED CVE-2007-5345 REJECTED CVE-2007-5344 (Microsoft Internet Explorer 5.01 through 7 allows remote attackers to ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2007-5343 REJECTED CVE-2007-5342 (The default catalina.policy in the JULI logging component in Apache To ...) {DSA-1447-1} - tomcat5.5 5.5.25-4 (low; bug #458237) - tomcat5 (Vulnerable code not present) CVE-2007-5341 (Remote code execution in the Venkman script debugger in Mozilla Firefo ...) - iceweasel 2.0.0.8-1 CVE-2007-5340 (Multiple vulnerabilities in the Javascript engine in Mozilla Firefox b ...) {DSA-1401-1 DSA-1396-1 DSA-1392-1 DSA-1391-1 DTSA-69-1 DTSA-71-1 DTSA-80-1} - iceweasel 2.0.0.8-1 (high) - xulrunner 1.8.1.9-1 (high) - icedove 2.0.0.9-1 (low) - iceape 1.1.5 (high) NOTE: MFSA2007-29 CVE-2007-5339 (Multiple vulnerabilities in Mozilla Firefox before 2.0.0.8, Thunderbir ...) {DSA-1401-1 DSA-1396-1 DSA-1392-1 DSA-1391-1 DTSA-69-1 DTSA-71-1 DTSA-80-1} - iceweasel 2.0.0.8-1 (high) - xulrunner 1.8.1.9-1 (bug #447734; high) - icedove 2.0.0.9-1 (low) - iceape 1.1.5 NOTE: MFSA2007-29 CVE-2007-5338 (Mozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5 allow remote ...) {DSA-1534-2 DSA-1401-1 DSA-1396-1 DSA-1392-1 DTSA-69-1 DTSA-80-1} - iceweasel 2.0.0.8-1 - xulrunner 1.8.1.9-1 - iceape 1.1.5 NOTE: MFSA2007-35 CVE-2007-5337 (Mozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5, when runnin ...) {DSA-1401-1 DSA-1396-1 DSA-1392-1 DTSA-69-1 DTSA-80-1} - iceweasel 2.0.0.8-1 - xulrunner 1.8.1.9-1 - iceape 1.1.5 NOTE: MFSA2007-34 CVE-2007-5336 REJECTED CVE-2007-5335 (Mozilla Firefox 2.0 before 2.0.0.8 allows remote attackers to obtain s ...) {DSA-1396-1} - iceweasel 2.0.0.8-1 (low) NOTE: Firefox 2.0-specific issue, doesn't affect xulrunner, iceape or icedove NOTE: not mentioned in debian changelog, but mozilla #390983 confirms it went into 2.0.0.8 CVE-2007-5334 (Mozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5 can hide the ...) {DSA-1401-1 DSA-1396-1 DSA-1392-1 DTSA-69-1 DTSA-80-1} - iceweasel 2.0.0.8-1 - xulrunner 1.8.1.9-1 - iceape 1.1.5 NOTE: MFSA2007-33 CVE-2007-5333 (Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 th ...) - tomcat5.5 5.5.26-1 (low; bug #465645) - tomcat5 CVE-2007-5332 (Multiple unspecified vulnerabilities in (1) mediasvr and (2) caloggerd ...) NOT-FOR-US: ARCServe BackUp CVE-2007-5331 (Queue.dll for the message queuing service (LQserver.exe) in CA BrightS ...) NOT-FOR-US: ARCServe BackUp CVE-2007-5330 (The cadbd RPC service in CA BrightStor ARCServe BackUp v9.01 through R ...) NOT-FOR-US: ARCServe BackUp CVE-2007-5329 (Unspecified vulnerability in dbasvr in CA BrightStor ARCServe BackUp v ...) NOT-FOR-US: ARCServe BackUp CVE-2007-5328 (The Message Engine RPC service in CA BrightStor ARCServe BackUp v9.01 ...) NOT-FOR-US: ARCServe BackUp CVE-2007-5327 (Stack-based buffer overflow in the RPC interface for the Message Engin ...) NOT-FOR-US: ARCServe BackUp CVE-2007-5326 (Multiple buffer overflows in (1) RPC and (2) rpcx.dll in CA BrightStor ...) NOT-FOR-US: ARCServe BackUp CVE-2007-5325 (Multiple buffer overflows in (1) the Message Engine and (2) AScore.dll ...) NOT-FOR-US: ARCServe BackUp CVE-2007-5324 REJECTED CVE-2007-5323 (The RepliStor Server Service in EMC Replistor 6.1.3 allows remote atta ...) NOT-FOR-US: RepliStor Server Service CVE-2007-5322 (Insecure method vulnerability in the FPOLE.OCX 6.0.8450.0 ActiveX cont ...) NOT-FOR-US: Microsoft Visual FoxPro CVE-2007-5321 (Directory traversal vulnerability in index.php in Verlihub Control Pan ...) NOT-FOR-US: Verlihub Control Panel CVE-2007-5320 (Multiple absolute path traversal vulnerabilities in Pegasus Imaging Im ...) NOT-FOR-US: Imaging ImagXpress CVE-2007-5319 (Unspecified vulnerability in the vuidmice STREAMS modules in Sun Solar ...) NOT-FOR-US: Solaris CVE-2007-5318 (Unspecified vulnerability in preview.php in TYPOlight webCMS 2.4.6 all ...) NOT-FOR-US: Typolight webCMS CVE-2007-5317 REJECTED CVE-2007-5316 (SQL injection vulnerability in browsecats.php in Softbiz Jobs and Recr ...) NOT-FOR-US: Softbiz Jobs CVE-2007-5315 (PHP remote file inclusion vulnerability in common.php in LiveAlbum 0.9 ...) NOT-FOR-US: LiveAlbum CVE-2007-5314 (PHP remote file inclusion vulnerability in system/funcs/xkurl.php in x ...) NOT-FOR-US: xKiosk WEB CVE-2007-5313 (PHP remote file inclusion vulnerability in install/config.php in Pictu ...) NOT-FOR-US: Picturesolution CVE-2007-5312 (Cross-site scripting (XSS) vulnerability in TorrentTrader Classic 1.07 ...) NOT-FOR-US: TorrentTrader Classic CVE-2007-5311 (Directory traversal vulnerability in backend/admin-functions.php in To ...) NOT-FOR-US: TorrentTrader Classic CVE-2007-5310 (PHP remote file inclusion vulnerability in admin.wmtportfolio.php in t ...) NOT-FOR-US: TorrentTrader Classic CVE-2007-5309 (PHP remote file inclusion vulnerability in admin.wmtgallery.php in the ...) NOT-FOR-US: Joomla! extension CVE-2007-5308 (SQL injection vulnerability in galerie.php in PHP Homepage M (phpHPm) ...) NOT-FOR-US: phpHPm) CVE-2007-5307 (ELSEIF CMS Beta 0.6 does not properly unset variables when the input d ...) NOT-FOR-US: ELSEIF CMS CVE-2007-5306 (ELSEIF CMS Beta 0.6 allows remote attackers to obtain sensitive inform ...) NOT-FOR-US: ELSEIF CMS CVE-2007-5305 (Multiple PHP remote file inclusion vulnerabilities in ELSEIF CMS Beta ...) NOT-FOR-US: ELSEIF CMS CVE-2007-5304 (Multiple cross-site scripting (XSS) vulnerabilities in ELSEIF CMS Beta ...) NOT-FOR-US: ELSEIF CMS CVE-2007-5303 (Cross-site scripting (XSS) vulnerability in news_page.php in SnewsCMS ...) NOT-FOR-US: SnewsCMS CVE-2007-5302 (Multiple cross-site scripting (XSS) vulnerabilities in HP System Manag ...) NOT-FOR-US: HP System Management Homepage CVE-2007-5300 (Off-by-one error in the do_login_loop function in libwzd-core/wzd_logi ...) {DSA-1452-1} - wzdftpd 0.8.2-2.1 (medium; bug #446192) CVE-2007-5299 (Multiple directory traversal vulnerabilities in SkaDate 5.0 and 6.0, a ...) NOT-FOR-US: SkaDate CVE-2007-5298 (Multiple PHP remote file inclusion vulnerabilities in CMS Creamotion a ...) NOT-FOR-US: CMS Creamotion CVE-2007-5297 (Cross-site scripting (XSS) vulnerability in index.php in Minki 1.30 al ...) NOT-FOR-US: Minki CVE-2007-5296 (Multiple cross-site scripting (XSS) vulnerabilities in dblisttest.asp ...) NOT-FOR-US: dbList CVE-2007-5295 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in (a ...) NOT-FOR-US: Wikepage Opus CVE-2007-5294 (PHP remote file inclusion vulnerability in core/aural.php in IDMOS 1.0 ...) NOT-FOR-US: IDMOS CVE-2007-5293 (Multiple cross-site scripting (XSS) vulnerabilities in IDMOS 1.0-beta ...) NOT-FOR-US: IDMOS CVE-2007-5292 (Cross-site scripting (XSS) vulnerability in photos.cfm in Directory Im ...) NOT-FOR-US: Directory Image Gallery CVE-2007-5291 (Cross-site scripting (XSS) vulnerability in Edit.asp in DB Manager 2.0 ...) NOT-FOR-US: DB Manager CVE-2007-5290 (Multiple cross-site scripting (XSS) vulnerabilities in MailBee WebMail ...) NOT-FOR-US: MailBee WebMail Pro CVE-2007-5289 (HP Mercury Quality Center (QC) 9.2 and earlier, and possibly TestDirec ...) NOT-FOR-US: HP Mercury Quality Center CVE-2007-5301 (Buffer overflow in the vorbis_stream_info function in input/vorbis/vor ...) {DSA-1538-1 DTSA-66-1} - alsaplayer 0.99.80~rc4-1 (low; bug #446034) CVE-2007-5288 REJECTED CVE-2007-5287 REJECTED CVE-2007-5286 REJECTED CVE-2007-5285 REJECTED CVE-2007-5284 REJECTED CVE-2007-5283 (The TSC Domain Manager in Hitachi TPBroker Object Transaction Monitor ...) NOT-FOR-US: Hitachi TPBroker CVE-2007-5282 (Hitachi Cosminexus Agent 03-00 through 03-05, and Cosminexus Library S ...) NOT-FOR-US: Hitachi Cosminexus CVE-2007-5281 (The Java Secure Socket Extension (JSSE) in the Hitachi Cosminexus Deve ...) NOT-FOR-US: Hitachi Cosminexus CVE-2007-5280 (Multiple cross-site scripting (XSS) vulnerabilities in messages.jsp in ...) NOT-FOR-US: Appfuse CVE-2007-5279 (Heap-based buffer overflow in ConeXware PowerArchiver before 10.20.21 ...) NOT-FOR-US: PowerArchiver CVE-2007-5278 (Zomplog 3.8.1 and earlier stores potentially sensitive information und ...) NOT-FOR-US: Zomplog CVE-2007-5277 (Microsoft Internet Explorer 6 drops DNS pins based on failed connectio ...) NOT-FOR-US: Internet Explorer CVE-2007-5276 (Opera 9 drops DNS pins based on failed connections to irrelevant TCP p ...) NOT-FOR-US: Opera CVE-2007-5275 (The Adobe Macromedia Flash 9 plug-in allows remote attackers to cause ...) - flashplugin-nonfree 9.0.115.0.1 (bug #449110) [sarge] - flashplugin-nonfree (Contrib not supported) [etch] - flashplugin-nonfree (Contrib not supported) CVE-2007-5274 (Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earli ...) - sun-java6 6-03-1 (low) - sun-java5 1.5.0-13-1 (low) [etch] - sun-java5 1.5.0-14-1etch1 - openjdk-6 6b08-1 (bug #566766) CVE-2007-5273 (Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earli ...) - sun-java6 6-03-1 (low) - sun-java5 1.5.0-13-1 (low) [etch] - sun-java5 1.5.0-14-1etch1 - openjdk-6 6b08-1 (bug #566766) CVE-2007-5272 (SQL injection vulnerability in kategori.asp in Furkan Tastan Blog allo ...) NOT-FOR-US: Furkan Tastan Blog CVE-2007-5271 (Multiple PHP remote file inclusion vulnerabilities in Trionic Cite CMS ...) NOT-FOR-US: Trionic Cite CMS CVE-2007-5270 (Unspecified vulnerability in the Boost module before 4.7.x-1.0, and 5. ...) - drupal (does not ship this module) CVE-2007-5269 (Certain chunk handlers in libpng before 1.0.29 and 1.2.x before 1.2.21 ...) - libpng 1.2.15~beta5-3 (low; bug #446308) [sarge] - libpng (Minor issue) [etch] - libpng 1.2.15~beta5-1+etch2 CVE-2007-5268 (pngrtran.c in libpng before 1.0.29 and 1.2.x before 1.2.21 use (1) log ...) - libpng (Vulnerable code not present in Debian version, introduced in 1.2.19) CVE-2007-5267 (Off-by-one error in ICC profile chunk handling in the png_set_iCCP fun ...) - libpng (vulnerable code not present) NOTE: the version in Debian does not use strncpy to copy the buffer so this off-by-one NOTE: is not present in this old version. Instead it allocates space for strlen(name)+1 NOTE: and uses strcpy(new_iccp_name, name) which is not nice but safe CVE-2007-5266 (Off-by-one error in ICC profile chunk handling in the png_set_iCCP fun ...) - libpng (vulnerable code not present) NOTE: the version in Debian does not use strncpy to copy the buffer so this off-by-one NOTE: is not present in this old version. Instead it allocates space for strlen(name)+1 NOTE: and uses strcpy(new_iccp_name, name) which is not nice but safe CVE-2007-5265 (Multiple format string vulnerabilities in websrv.cpp in Dawn of Time 1 ...) NOT-FOR-US: Dawn of Time CVE-2007-5264 (Battlefront Dropteam 1.3.3 and earlier sends the client's online accou ...) NOT-FOR-US: Battlefront CVE-2007-5263 (Multiple buffer overflows in Battlefront Dropteam 1.3.3 and earlier al ...) NOT-FOR-US: Battlefront CVE-2007-5262 (Multiple format string vulnerabilities in Battlefront Dropteam 1.3.3 a ...) NOT-FOR-US: Battlefront CVE-2004-2744 (Unspecified vulnerability in Tincan Limited PHPlist before 2.8.12 has ...) NOT-FOR-US: Tincan Limited PHPlist CVE-2004-2743 (upload.cgi in Mega Upload Progress Bar before 1.45 allows remote attac ...) NOT-FOR-US: Mega Upload Progress Bar CVE-2004-2742 (Cross-site scripting (XSS) vulnerability in the report viewer in Cryst ...) NOT-FOR-US: Crystal Enterprise CVE-2004-2741 (Cross-site scripting (XSS) vulnerability in the "help window" (help.ph ...) - horde2 CVE-2004-2740 (PHP remote file inclusion vulnerability in authform.inc.php in PHProje ...) NOT-FOR-US: PHProjekt CVE-2004-2739 (The setup routine (setup.php) in PHProjekt 4.2.1 and earlier allows re ...) NOT-FOR-US: PHProjekt CVE-2004-2738 (Cross-site scripting (XSS) vulnerability in check_user_id.php in ZeroB ...) NOT-FOR-US: Zero board CVE-2004-2737 (SQL injection vulnerability in problist.asp in NetSupport DNA HelpDesk ...) NOT-FOR-US: NetSupport DNA HelpDesk CVE-2004-2736 (Polar HelpDesk 3.0 allows remote attackers to bypass authentication by ...) NOT-FOR-US: Polar HelpDesk CVE-2004-2735 (Cross-site scripting (XSS) vulnerability in P4DB 2.01 and earlier allo ...) NOT-FOR-US: P4DB CVE-2004-2734 (webadmin-apache.conf in Novell Web Manager of Novell NetWare 6.5 uses ...) NOT-FOR-US: Novell NetWare CVE-2004-2733 (Web Wiz Forums 7.7a uses invalid logic to determine user privileges, w ...) NOT-FOR-US: Web Wiz Forums CVE-2004-2732 (nbmember.cgi in Netbilling 2.0 allows remote attackers to obtain sensi ...) NOT-FOR-US: Netbilling CVE-2004-2731 (Multiple integer overflows in Sbus PROM driver (drivers/sbus/char/open ...) {DSA-1503-2 DSA-1503-1} - linux-2.6 2.6.18-1 NOTE: bufsize is unsigned since (at least) 2.6.18, might be fixed in prior versions CVE-2004-2730 (Sysinternals PsTools before 2.05, including (1) PsExec before 1.54, (2 ...) NOT-FOR-US: PsTools CVE-2004-2729 (Inetd32 Administration Tool of Hummingbird Connectivity 7.1 and 9.0 al ...) NOT-FOR-US: Hummingbird Connectivity CVE-2004-2728 (Buffer overflow in the FTP server of Hummingbird Connectivity 7.1 and ...) NOT-FOR-US: Hummingbird Connectivity CVE-2004-2727 (Buffer overflow in MEHTTPS (HTTPMail) of MailEnable Professional 1.5 t ...) NOT-FOR-US: MailEnable CVE-2004-2726 (HTTPMail service in MailEnable Professional 1.18 does not properly han ...) NOT-FOR-US: MailEnable CVE-2007-5261 (Multiple SQL injection vulnerabilities in MultiCart 1.0 allow remote a ...) NOT-FOR-US: MultiCart CVE-2007-5260 (ASP-CMS 1.0 stores sensitive information under the web root with insuf ...) NOT-FOR-US: ASP-CMS CVE-2007-5259 (Cross-site request forgery (CSRF) vulnerability in Ilient SysAid 4.5.0 ...) NOT-FOR-US: SysAid CVE-2007-5258 (PHP remote file inclusion vulnerability in log.php in phpFreeLog alpha ...) NOT-FOR-US: FreeLog CVE-2007-5257 (Stack-based buffer overflow in the EDraw.OfficeViewer ActiveX control ...) NOT-FOR-US: EDraw Office Viewer CVE-2007-5256 (Multiple stack-based buffer overflows in FSD 2.052 d9 and earlier, and ...) NOT-FOR-US: FSD CVE-2007-5255 (Cross-site scripting (XSS) vulnerability in Google Mini Search Applian ...) NOT-FOR-US: Google Mini Search Appliance CVE-2007-5254 (VirusBlokAda Vba32 AntiVirus 3.12.2 uses weak permissions (Everyone:Wr ...) NOT-FOR-US: VirusBlokAda Vba32 AntiVirus CVE-2007-5253 (c32web.exe in McMurtrey/Whitaker Cart32 before 6.4 allows remote attac ...) NOT-FOR-US: Cart32 CVE-2007-5252 (Buffer overflow in NetSupport Manager (NSM) Client 10.00 and 10.20, an ...) NOT-FOR-US: NetSupport Manager/School Student CVE-2007-5251 (Multiple cross-site scripting (XSS) vulnerabilities in Helm 3.2.16 all ...) NOT-FOR-US: Helm CVE-2007-5250 (The Windows dedicated server for the Unreal engine, as used by America ...) NOT-FOR-US: Americas Army CVE-2007-5249 (Multiple buffer overflows in the logging function in the Unreal engine ...) NOT-FOR-US: Americas Army CVE-2007-5248 (Multiple format string vulnerabilities in the ID Software Doom 3 engin ...) NOT-FOR-US: Doom 3 engine CVE-2007-5247 (Multiple format string vulnerabilities in the Monolith Lithtech engine ...) NOT-FOR-US: Monolith engine CVE-2007-5246 (Multiple stack-based buffer overflows in Firebird LI 2.0.0.12748 and 2 ...) - firebird2.0 2.0.3.12981.ds1-1 - firebird1.5 (medium; bug #446472) CVE-2007-5245 (Multiple stack-based buffer overflows in Firebird LI 1.5.3.4870 and 1. ...) - firebird2.0 2.0.3.12981.ds1-1 - firebird1.5 (medium; bug #446475) CVE-2007-5244 (Stack-based buffer overflow in Borland InterBase LI 8.0.0.53 through 8 ...) NOT-FOR-US: Borland InterBase CVE-2007-5243 (Multiple stack-based buffer overflows in Borland InterBase LI 8.0.0.53 ...) NOT-FOR-US: Borland InterBase CVE-2007-5242 (Unspecified vulnerability in (1) SYS$EI1000.EXE and (2) SYS$EI1000_MON ...) NOT-FOR-US: HP OpenVMS CVE-2007-5241 (Buffer overflow in NET$CSMACD.EXE in HP OpenVMS 8.3 and earlier allows ...) NOT-FOR-US: HP OpenVMS CVE-2007-5240 (Visual truncation vulnerability in the Java Runtime Environment in Sun ...) - sun-java6 6-03-1 (low) - sun-java5 1.5.0-13-1 (low) [etch] - sun-java5 1.5.0-14-1etch1 - openjdk-6 6b08-1 (bug #566766) CVE-2007-5239 (Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE ...) - sun-java6 6-03-1 (low) - sun-java5 1.5.0-13-1 (low) [etch] - sun-java5 1.5.0-14-1etch1 - openjdk-6 6b08-1 (bug #566766) CVE-2007-5238 (Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE ...) - sun-java6 6-03-1 (unimportant) - sun-java5 1.5.0-13-1 (unimportant) [etch] - sun-java5 1.5.0-14-1etch1 - openjdk-6 6b08-1 (bug #566766) NOTE: Leaked information hardly sensitive CVE-2007-5237 (Java Web Start in Sun JDK and JRE 6 Update 2 and earlier does not prop ...) - sun-java6 6-03-1 (medium) - sun-java5 1.5.0-13-1 (medium) [etch] - sun-java5 1.5.0-14-1etch1 - openjdk-6 6b08-1 (bug #566766) CVE-2007-5236 (Java Web Start in Sun JDK and JRE 5.0 Update 12 and earlier, and SDK a ...) - sun-java6 (Windows only) - sun-java5 (Windows only) - openjdk-6 (Windows only) CVE-2007-5235 (Cross-site scripting (XSS) vulnerability in index.php in Uebimiau 2.7. ...) NOT-FOR-US: Uebimiau CVE-2007-5234 (PHP remote file inclusion vulnerability in upload/common/footer.php in ...) NOT-FOR-US: Ossigeno CMS CVE-2007-5233 (SQL injection vulnerability in index.php in Web Template Management Sy ...) NOT-FOR-US: Web Template Management System CVE-2007-5232 (Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earli ...) - sun-java6 6-03-1 (low) - sun-java5 1.5.0-13-1 (low) [etch] - sun-java5 1.5.0-14-1etch1 - openjdk-6 6b08-1 (bug #566766) CVE-2007-5231 (Unrestricted file upload vulnerability in admin/upload_files.php in Zo ...) NOT-FOR-US: Zomplog CVE-2007-5230 (admin/upload_files.php in Zomplog 3.8.1 and earlier does not check for ...) NOT-FOR-US: Zomplog CVE-2007-5229 (Cross-site request forgery (CSRF) vulnerability in the FeedBurner Feed ...) NOT-FOR-US: FeedBurner FeedSmith wordpress plugin CVE-2007-5228 (Cross-site scripting (XSS) vulnerability in the subscription functiona ...) - drupal (does not shipt this module) CVE-2007-5227 (Multiple cross-site scripting (XSS) vulnerabilities in messaging/cours ...) NOT-FOR-US: BlackBoard Learning System CVE-2007-5226 (irc_server.c in dircproxy 1.2.0 and earlier allows remote attackers to ...) - dircproxy 1.0.5-5.1 (low; bug #445883) [sarge] - dircproxy (Minor issue) [etch] - dircproxy 1.0.5-5etch1 CVE-2005-4871 (Certain XML functions in IBM DB2 8.1 run with the privileges of DB2 in ...) NOT-FOR-US: IBM DB2 CVE-2005-4870 (Stack-based buffer overflows in the (1) xmlvarcharfromfile, (2) xmlclo ...) NOT-FOR-US: IBM DB2 CVE-2005-4869 (The (1) to_char and (2) to_date function in IBM DB2 8.1 allows local u ...) NOT-FOR-US: IBM DB2 CVE-2005-4868 (Shared memory sections and events in IBM DB2 8.1 have default permissi ...) NOT-FOR-US: IBM DB2 CVE-2005-4867 (Stack-based buffer overflow in the SATENCRYPT function in IBM DB2 8.1, ...) NOT-FOR-US: IBM DB2 CVE-2005-4866 (Stack-based buffer overflow in JDBC Applet Server in IBM DB2 8.1 allow ...) NOT-FOR-US: IBM DB2 CVE-2005-4865 (Stack-based buffer overflow in call in IBM DB2 7.x and 8.1 allows remo ...) NOT-FOR-US: IBM DB2 CVE-2005-4864 (Stack-based buffer overflow in libdb2.so in IBM DB2 7.x and 8.1 allows ...) NOT-FOR-US: IBM DB2 CVE-2005-4863 (Stack-based buffer overflow in db2fmp in IBM DB2 7.x and 8.1 allows lo ...) NOT-FOR-US: IBM DB2 CVE-2004-2725 (Multiple cross-site scripting (XSS) vulnerabilities in Aztek Forum 4.0 ...) NOT-FOR-US: Aztek Forum CVE-2004-2724 (LionMax Software Chat Anywhere 2.72a allows remote attackers to cause ...) NOT-FOR-US: Chat Anywhere CVE-2004-2723 (NessusWX 1.4.4 stores account passwords in plaintext in .session files ...) NOT-FOR-US: NessusWXdd CVE-2004-2722 - nessus-core (unimportant) NOTE: this is no security issue assuming correct permissions CVE-2004-2721 (The CheckGroup function in openSkat VTMF before 2.1 generates public k ...) NOT-FOR-US: openSkat CVE-2004-2720 (Cross-site scripting (XSS) vulnerability in register.asp in Snitz Foru ...) NOT-FOR-US: Snitz Forums CVE-2004-2719 (Buffer overflow in the UrlToLocal function in PunyLib.dll of Foxmail 5 ...) NOT-FOR-US: Foxmail CVE-2004-2718 (PHPMyChat 0.14.5 does not remove or protect setup.php3 after installat ...) NOT-FOR-US: PHPMyChat CVE-2004-2717 (Multiple directory traversal vulnerabilities in admin.php3 in PHPMyCha ...) NOT-FOR-US: PHPMyChat CVE-2004-2716 (Multiple SQL injection vulnerabilities in usersL.php3 in PHPMyChat 0.1 ...) NOT-FOR-US: PHPMyChat CVE-2004-2715 (edituser.php3 in PHPMyChat 0.14.5 allow remote attackers to bypass aut ...) NOT-FOR-US: PHPMyChat CVE-2004-2714 (Unspecified vulnerability in Window Maker 0.80.2 and earlier allows at ...) - wmaker 0.90-1 CVE-2004-2713 NOT-FOR-US: ZoneAlarm CVE-2004-2712 (Buffer overflow in Gyach Enhanced (Gyach-E) before 1.0.0-SneakPeek-3 a ...) NOT-FOR-US: Gyach-E CVE-2004-2711 (Multiple buffer overflows in Gyach Enhanced (Gyach-E) before 1.0.2 all ...) NOT-FOR-US: Gyach-E CVE-2004-2710 (Multiple buffer overflows in Gyach Enhanced (Gyach-E) before 1.0.3 all ...) NOT-FOR-US: Gyach-E CVE-2004-2709 (Buffer overflow in the strip_html_tags method for Gyach Enhanced (Gyac ...) NOT-FOR-US: Gyach-E CVE-2004-2708 (Gyach Enhanced (Gyach-E) before 1.0.0 stores passwords in plaintext, w ...) NOT-FOR-US: Gyach-E CVE-2004-2707 (Multiple unspecified vulnerabilities in Gyach Enhanced (Gyach-E) befor ...) NOT-FOR-US: Gyach-E CVE-2004-2706 (Unspecified vulnerability in Gyach Enhanced (Gyach-E) before 1.0.4 all ...) NOT-FOR-US: Gyach-E CVE-2004-2705 (Unspecified vulnerability in Player vs. Player Gaming Network (PvPGN) ...) - pvpgn 1.6.4+20040826-1 CVE-2004-2704 (Hastymail 1.0.1 and earlier (stable) and 1.1 and earlier (development) ...) - hastymail CVE-2004-2703 (Clearswift MIMEsweeper 5.0.5, when it has been upgraded from MAILsweep ...) NOT-FOR-US: MIMEsweeper CVE-2004-2702 (Cross-site scripting (XSS) vulnerability in login_up.php3 in Plesk 7.0 ...) NOT-FOR-US: Plesk CVE-2004-2701 (Cross-site scripting (XSS) vulnerability in signin.aspx for AspDotNetS ...) NOT-FOR-US: AspDotNetStorefront CVE-2004-2700 (Unrestricted file upload vulnerability in AspDotNetStorefront 3.3 allo ...) NOT-FOR-US: AspDotNetStorefront CVE-2004-2699 (deleteicon.aspx in AspDotNetStorefront 3.3 allows remote attackers to ...) NOT-FOR-US: AspDotNetStorefront CVE-2004-2698 (Race condition in IMWheel 1.0.0pre11 and earlier, when running with th ...) - imwheel 1.0.0pre12-1 CVE-2004-2697 (The Inventory Scout daemon (invscoutd) 1.3.0.0 and 2.0.2 for AIX 4.3.3 ...) NOT-FOR-US: InvScoutd CVE-2004-2696 (BEA WebLogic Server and WebLogic Express 6.1, 7.0, and 8.1, when using ...) NOT-FOR-US: BEA WebLogic CVE-2004-2695 (SQL injection vulnerability in the Authorize.net callback code (subscr ...) NOT-FOR-US: vBulletin CVE-2004-2694 (Microsoft Outlook Express 6.0 allows remote attackers to bypass intend ...) NOT-FOR-US: Outlook CVE-2004-2693 (HP-UX B.11.00 and B.11.11 with B6848AB GTK+ Support Libraries installe ...) NOT-FOR-US: HP-UX CVE-2004-2692 (The exec_dir PHP patch (php-exec-dir) 4.3.2 through 4.3.7 with safe mo ...) NOT-FOR-US: php-exec-dir patch CVE-2004-2691 (Unspecified vulnerability in 3Com SuperStack 3 4400 switches with firm ...) NOT-FOR-US: 3Com firmware CVE-2004-2690 (Unrestricted file upload vulnerability in the Administration Panel for ...) NOT-FOR-US: NewsPHP CVE-2004-2689 (NewsPHP allows remote attackers to gain unauthorized administrative ac ...) NOT-FOR-US: NewsPHP CVE-2004-2688 (Cross-site scripting (XSS) vulnerability in index.php in NewsPHP allow ...) NOT-FOR-US: NewsPHP CVE-2001-1585 (SSH protocol 2 (aka SSH-2) public key authentication in the developmen ...) - openssh (fixed in 2001) CVE-2001-1584 (CardBoard 2.4 greeting card CGI by Michael Barretto allows remote atta ...) NOT-FOR-US: CardBoard CVE-2007-5225 (Integer signedness error in FIFO filesystems (named pipes) on Sun Sola ...) NOT-FOR-US: Sun Solaris CVE-2007-5224 (inc/exif.inc.php in Original Photo Gallery 0.11.2 and earlier allows r ...) NOT-FOR-US: Original Photo Gallery CVE-2007-5223 (Multiple unspecified vulnerabilities in AlstraSoft Affiliate Network P ...) NOT-FOR-US: AlstraSoft CVE-2007-5222 (SQL injection vulnerability in index.php in MAXdev MDPro (MD-Pro) 1.0. ...) NOT-FOR-US: MAXdev CVE-2007-5221 (PHP remote file inclusion vulnerability in mail/childwindow.inc.php in ...) NOT-FOR-US: Poppawid CVE-2007-5220 (SQL injection vulnerability in catalog.asp in ASP Product Catalog allo ...) NOT-FOR-US: ASP Product Catalog CVE-2007-5219 (Directory traversal vulnerability in the CLAVSetting.CLSetting.1 Activ ...) NOT-FOR-US: CyberLink Power DVD CVE-2007-5218 (Cross-site scripting (XSS) vulnerability in index.php in Don Barnes DR ...) NOT-FOR-US: Don Barnes DRBGuestbook CVE-2007-5217 (Stack-based buffer overflow in the ADM4 ActiveX control in adm4.dll in ...) NOT-FOR-US: Altnet Download Manager CVE-2007-5216 (Multiple PHP remote file inclusion vulnerabilities in eArk (e-Ark) 1.0 ...) NOT-FOR-US: eArk CVE-2007-5215 (Multiple PHP remote file inclusion vulnerabilities in Jacob Hinkle God ...) NOT-FOR-US: GodSend CVE-2007-5214 (Multiple cross-site scripting (XSS) vulnerabilities in the AXIS 2100 N ...) NOT-FOR-US: Axis Network Camera CVE-2007-5213 (Multiple cross-site request forgery (CSRF) vulnerabilities in the AXIS ...) NOT-FOR-US: Axis Network Camera CVE-2007-5212 (Multiple cross-site scripting (XSS) vulnerabilities in the AXIS 2100 N ...) NOT-FOR-US: Axis Network Camera CVE-2007-5211 (Multiple cross-site scripting (XSS) vulnerabilities in Arbor Networks ...) NOT-FOR-US: Peakflow CVE-2007-5210 (Arbor Networks Peakflow SP before 3.5.1 patch 14, and 3.6.x before 3.6 ...) NOT-FOR-US: Peakflow CVE-2007-5209 (Stack-based buffer overflow in DriveLock.exe in CenterTools DriveLock ...) NOT-FOR-US: CenterTools CVE-2007-5208 (hpssd in Hewlett-Packard Linux Imaging and Printing Project (hplip) 1. ...) {DSA-1462-1 DTSA-72-1} - hplip 1.6.10-4.3 (medium; bug #447341) [sarge] - hplip (This code was using smtp directly) CVE-2007-5206 RESERVED CVE-2007-5205 RESERVED CVE-2007-5204 RESERVED CVE-2007-5203 RESERVED CVE-2007-5202 RESERVED CVE-2007-5201 (The FTP backend for Duplicity before 0.4.9 sends the password as a com ...) - duplicity 0.4.3-2 (low; bug #442840) [etch] - duplicity (Vulnerable code introduced in 0.4.3) [sarge] - duplicity (Vulnerable code introduced in 0.4.3) NOTE: ftp is an inherently insecure protocol, any security-sensitive data would NOTE: be transferred through the scp, sftp or rsync backends. NOTE: http://lists.debian.org/debian-release/2008/01/msg00190.html CVE-2007-5200 (hugin, as used on various operating systems including SUSE openSUSE 10 ...) {DTSA-74-1} - hugin 0.6.1-1.1 (low; bug #447344) [etch] - hugin (Minor issue) CVE-2007-5199 (A single byte overflow in catalogue.c in X.Org libXfont 1.3.1 allows r ...) - libxfont 1:1.3.2-1 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=327854 NOTE: https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=5bf703700ee4a5d6eae20da07cb7a29369667aef CVE-2007-5198 (Buffer overflow in the redir function in check_http.c in Nagios Plugin ...) {DSA-1495-1 DTSA-67-1} - nagios-plugins 1.4.8-2.2 (low; bug #445475) NOTE: Requires the webserver, which has to be checked, to be compromised CVE-2007-5197 (Buffer overflow in the Mono.Math.BigInteger class in Mono 1.2.5.1 and ...) {DSA-1397-1 DTSA-76-1} - mono 1.2.5.1-2 CVE-2007-5196 (Unspecified vulnerability in the SSL implementation in Groupwise clien ...) NOT-FOR-US: novell-groupwise-client CVE-2007-5195 (Unspecified vulnerability in the SSL implementation in Groupwise clien ...) NOT-FOR-US: novell-groupwise-client CVE-2007-5194 (The Chroot server in rMake 1.0.11 creates a /dev/zero device file with ...) NOT-FOR-US: rMake CVE-2007-5192 RESERVED CVE-2007-5191 (mount and umount in util-linux and loop-aes-utils call the setuid and ...) {DSA-1450-1 DSA-1449-1 DTSA-64-1 DTSA-70-1} - util-linux 2.13-8 (low) - loop-aes-utils 2.13-2 (low) CVE-2007-5190 (Multiple cross-site scripting (XSS) vulnerabilities in Alcatel OmniVis ...) NOT-FOR-US: Alcatel OmniVista CVE-2007-5189 (Multiple SQL injection vulnerabilities in mes_add.php in x-script Gues ...) NOT-FOR-US: X-Script CVE-2007-5188 (Unspecified vulnerability in the XOOPS uploader class in Xoops 2.0.17. ...) NOT-FOR-US: Xoops CVE-2007-5187 (SQL injection vulnerability in infusions/calendar_events_panel/show_si ...) NOT-FOR-US: Php-Fusion CVE-2007-5186 (PHP remote file inclusion vulnerability in index.php in Segue CMS 1.8. ...) NOT-FOR-US: Segue CMS CVE-2007-5185 (Multiple PHP remote file inclusion vulnerabilities in phpWCMS XT 0.0.7 ...) NOT-FOR-US: phpWCMS XT CVE-2007-5184 (Format string vulnerability in the SMBDirList function in dirlist.c in ...) NOT-FOR-US: smbFtpd CVE-2007-5183 (Cross-site scripting (XSS) vulnerability in Mailbox.mws in OdysseySuit ...) NOT-FOR-US: OdysseySuite CVE-2007-5182 (Cross-site scripting (XSS) vulnerability in mail.asp in Netkamp Emlak ...) NOT-FOR-US: Netkamp Emlak Scripti CVE-2007-5181 (SQL injection vulnerability in detay.asp in Netkamp Emlak Scripti allo ...) NOT-FOR-US: Netkamp Emlak Scripti CVE-2007-5180 (Multiple SQL injection vulnerabilities in Ohesa Emlak Portali allow re ...) NOT-FOR-US: Ohesa Emlak Portali CVE-2007-5179 (Multiple cross-site scripting (XSS) vulnerabilities in iletisim.asp in ...) NOT-FOR-US: Iletisim Formu CVE-2007-5178 (contrib/mx_glance_sdesc.php in the mx_glance 2.3.3 module for mxBB pla ...) NOT-FOR-US: mxBB CVE-2007-5177 (SQL injection vulnerability in index.php in the MambAds (com_mambads) ...) NOT-FOR-US: Mambo extension CVE-2007-5176 (Multiple cross-site scripting (XSS) vulnerabilities in GroupLink eHelp ...) NOT-FOR-US: eHelpDesk CVE-2007-5175 (PHP remote file inclusion vulnerability lib/base.php in actSite 1.991 ...) NOT-FOR-US: actSite CVE-2007-5174 (Directory traversal vulnerability in phpinc/news.php in actSite 1.56 a ...) NOT-FOR-US: actSite CVE-2007-5173 (PHP remote file inclusion vulnerability in includes/openid/Auth/OpenID ...) NOT-FOR-US: phpBB Openid CVE-2007-5207 (guilt 0.27 allows local users to overwrite arbitrary files via a symli ...) - guilt 0.27-1.2 (medium; bug #445308) CVE-2007-5193 (The default configuration for twiki 4.1.2 on Debian GNU/Linux, and pos ...) - twiki 1:4.1.2-3 (bug #444982; low) [etch] - twiki (Minor packaging flaw, doesn't warrant an update) CVE-2007-5172 (Quicksilver Forums before 1.4.1 allows remote attackers to obtain sens ...) NOT-FOR-US: Quicksilver Forums CVE-2007-5171 (Unspecified vulnerability in Quicksilver Forums before 1.4.1 allows re ...) NOT-FOR-US: Quicksilver Forums CVE-2007-5170 (Unspecified vulnerability in the embedded service processor (SP) befor ...) NOT-FOR-US: Sun Fire CVE-2007-5169 (Stack-based buffer overflow in MAIPM6.dll in Adobe PageMaker 7.0.1 and ...) NOT-FOR-US: Adobe PageMaker CVE-2007-5168 (Multiple PHP remote file inclusion vulnerabilities in ClanLite 1.23.01 ...) NOT-FOR-US: Clan lite CVE-2007-5167 (PHP remote file inclusion vulnerability in .systeme/fonctions.php in p ...) NOT-FOR-US: phpLister CVE-2007-5166 (Multiple PHP remote file inclusion vulnerabilities in SiteSys 1.0a all ...) NOT-FOR-US: SiteSys CVE-2007-5165 NOT-FOR-US: myIpacNG-stats CVE-2007-5164 NOT-FOR-US: UniversiBO CVE-2007-5163 NOT-FOR-US: nexty CVE-2007-5162 (The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net ...) {DSA-1412-1 DSA-1411-1 DSA-1410-1} - ruby1.9 1.9.0+20071016-1 (low) - ruby1.8 1.8.6.111-1 (low; bug #444929) NOTE: fix for 1.8 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13504 CVE-2007-5161 (Cross-zone scripting vulnerability in the internal browser in i-System ...) NOT-FOR-US: Feedreader 3 NOTE: editor not included in native wordpress CVE-2007-5160 (Multiple PHP remote file inclusion vulnerabilities in Thierry Leriche ...) NOT-FOR-US: Thierry Leriche Restaurant Management System CVE-2007-5159 (The ntfs-3g package before 1.913-2.fc7 in Fedora 7, and an ntfs-3g pac ...) - ntfs-3g 1:1.913-2 (medium; bug #445315) CVE-2007-5158 (The focus handling for the onkeydown event in Microsoft Internet Explo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2007-5157 (PHP remote file inclusion vulnerability in phfito-post.php in Alex Koc ...) NOT-FOR-US: PHP Fidonet Tosser CVE-2007-5156 (Incomplete blacklist vulnerability in editor/filemanager/upload/php/up ...) - knowledgeroot 0.9.8.4-1.1 (unimportant; bug #444928) - moin 1.5.8-4.1 (unimportant) NOTE: This problem should rather be addressed by proper httpd config NOTE: The change only adds a workaround for insecure configs - karrigell (Does not include vulnerable php code) - gforge 4.6.99+svn6169-1 (low; bug #447590) [etch] - gforge (fckeditor is not shipped in these versions) [sarge] - gforge (fckeditor is not shipped in these versions) CVE-2007-5155 (IceGUI.DLL in ICEOWS 4.20b invokes a function with incorrect arguments ...) NOT-FOR-US: ICEOWS CVE-2007-5154 (Session fixation vulnerability in Aipo and Aipo ASP 3.0.1.0 and earlie ...) NOT-FOR-US: Aipo CVE-2007-5153 (Unspecified vulnerability in Sun Java System Access Manager 7.1, when ...) NOT-FOR-US: Sun Java System Access Manager CVE-2007-5152 (Sun Java System Access Manager 7.1, when installed in a Sun Java Syste ...) NOT-FOR-US: Sun Java System Access Manager CVE-2007-5151 (SQL injection vulnerability in the abget_admin function in includes/nu ...) NOT-FOR-US: NukeSentinel CVE-2007-5150 (SQL injection vulnerability in the is_god function in includes/nukesen ...) NOT-FOR-US: NukeSentinel CVE-2007-5149 (PHP remote file inclusion vulnerability in NewsCMS/news/newstopic_inc. ...) NOT-FOR-US: North Country Public Radio Public Media Manager CVE-2007-5148 NOT-FOR-US: FrontAccounting CVE-2007-5147 (Multiple PHP remote file inclusion vulnerabilities in Puzzle Apps CMS ...) NOT-FOR-US: Puzzle Apps CMS CVE-2007-5146 (Multiple PHP remote file inclusion vulnerabilities in dedi-group Der D ...) NOT-FOR-US: Der Dirigent CVE-2007-5145 (Multiple buffer overflows in system DLL files in Microsoft Windows XP, ...) NOT-FOR-US: Windows XP CVE-2007-5144 (Buffer overflow in the GDI engine in Windows Live Messenger, as used f ...) NOT-FOR-US: Windows Live Messenger CVE-2007-5143 (F-Secure Anti-Virus for Windows Servers 7.0 64-bit edition allows loca ...) NOT-FOR-US: Anti-Virus for Windows Servers CVE-2007-5142 (Cross-site scripting (XSS) vulnerability in buscar.asp in Solidweb Nov ...) NOT-FOR-US: Solidweb Novus CVE-2007-5141 (SQL injection vulnerability in search.php in SiteX CMS 0.7.3 Beta allo ...) NOT-FOR-US: SiteX CVE-2007-5140 (PHP remote file inclusion vulnerability in includes/archive/archive_to ...) NOT-FOR-US: IntegraMOD Nederland CVE-2007-5139 (PHP remote file inclusion vulnerability in admin/include/header.php in ...) NOT-FOR-US: Chupix CVE-2007-5138 (PHP remote file inclusion vulnerability in forum/forum.php in lustig.c ...) NOT-FOR-US: lustig.cms CVE-2007-5137 (Buffer overflow in the ReadImage function in generic/tkImgGIF.c in Tcl ...) {DSA-1743-1} - tk8.4 8.4.16-1 [etch] - tk8.4 (Vulnerability was introduced in 8.4.13) [sarge] - tk8.4 (Vulnerability was introduced in 8.4.13) - tk8.3 (Vulnerability was introduced in 8.4.13) - libtk-img 1.3-release-8 CVE-2007-5136 (Cross-site scripting (XSS) vulnerability in DFD Cart 1.1.4 and earlier ...) NOT-FOR-US: DFD Cart CVE-2007-5134 (Cisco Catalyst 6500 and Cisco 7600 series devices use 127/8 IP address ...) NOT-FOR-US: Cisco firmware CVE-2007-5133 (Microsoft Windows Explorer (explorer.exe) allows user-assisted remote ...) NOT-FOR-US: Microsoft Windows Explorer CVE-2007-5132 (Race condition in the kernel in Sun Solaris 8 through 10 allows local ...) NOT-FOR-US: Solaris CVE-2007-5131 (SQL injection vulnerability in index.php in Interspire ActiveKB NX 2.x ...) NOT-FOR-US: ActiveKB CVE-2007-5130 (SimpGB 1.46.02 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: SimpGB CVE-2007-5129 (SimpGB 1.46.02 stores sensitive information under the web root with in ...) NOT-FOR-US: SimpGB CVE-2007-5128 (SimpNews 2.41.03 on Windows, when PHP before 5.0.0 is used, allows rem ...) NOT-FOR-US: SimpNews CVE-2007-5127 (Multiple cross-site scripting (XSS) vulnerabilities in SimpGB 1.46.02 ...) NOT-FOR-US: SimpGB CVE-2007-5126 (Unspecified vulnerability in the client in Symantec Veritas Backup Exe ...) NOT-FOR-US: Symantec Veritas Backup Exec CVE-2007-5125 REJECTED CVE-2007-5124 (The embedded Internet Explorer server control in AOL Instant Messenger ...) NOT-FOR-US: AOL Messenger CVE-2007-5123 (SQL injection vulnerability in notas.asp in Novus 1.0 allows remote at ...) NOT-FOR-US: Solidweb Novus CVE-2007-5122 (SQL injection vulnerability in store_info.php in SoftBiz Classifieds P ...) NOT-FOR-US: SoftBiz Classifieds PLUS CVE-2007-5121 (Cross-site scripting (XSS) vulnerability in JSPWiki 2.5.139-beta allow ...) - jspwiki (The version we ship does not process a redirect parameter in Login.jsp and other source files) [sarge] - jspwiki (Contrib not supported) CVE-2007-5120 (Multiple cross-site scripting (XSS) vulnerabilities in JSPWiki 2.4.103 ...) - jspwiki 2.5.139-1 (medium; bug #445477) [sarge] - jspwiki (Contrib not supported) CVE-2007-5119 (JSPWiki 2.4.103 and 2.5.139-beta allows remote attackers to obtain sen ...) - jspwiki 2.5.139-1 (unimportant; bug #445477) [sarge] - jspwiki (Contrib not supported) CVE-2007-5118 (Unspecified vulnerability in the HID (Human Interface Device) class dr ...) NOT-FOR-US: Solaris CVE-2007-5117 (Multiple PHP remote file inclusion vulnerabilities in FrontAccounting ...) NOT-FOR-US: FrontAccounting CVE-2007-5116 (Buffer overflow in the polymorphic opcode support in the Regular Expre ...) {DSA-1400-1 DTSA-78-1} - perl 5.8.8-12 (medium; bug #450794) NOTE: http://public.activestate.com/cgi-bin/perlbrowse/30647 CVE-2003-1340 (Multiple SQL injection vulnerabilities in Francisco Burzi PHP-Nuke 5.6 ...) NOT-FOR-US: Php-Nuke CVE-2007-5135 (Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9 ...) {DSA-1379-1} - openssl 0.9.8e-9 (low; bug #444435) [sarge] - openssl 0.9.7e-3sarge5 CVE-2007-5115 (Multiple PHP remote file inclusion vulnerabilities in Ekke Doerre Cont ...) NOT-FOR-US: Ekke Doerre Contenido CVE-2007-5114 NOT-FOR-US: phpmyProfiler CVE-2007-5113 (report.cgi in Google Urchin allows remote attackers to bypass authenti ...) NOT-FOR-US: Google Urchin CVE-2007-5112 (Cross-site scripting (XSS) vulnerability in session.cgi (aka the login ...) NOT-FOR-US: Google Urchin CVE-2007-5111 (A certain ActiveX control in EBCRYPT.DLL 2.0 in EB Design ebCrypt allo ...) NOT-FOR-US: ebCrypt CVE-2007-5110 (Absolute path traversal vulnerability in the EbCrypt.eb_c_PRNGenerator ...) NOT-FOR-US: ebCrypt CVE-2007-5109 (Cross-site request forgery (CSRF) vulnerability in index.php in FlatNu ...) NOT-FOR-US: flatnuke CVE-2007-5108 (Unspecified vulnerability in IAC Search & Media ask.com toolbar ha ...) NOT-FOR-US: IAC Search & Media ask.com toolbar CVE-2007-5107 (Stack-based buffer overflow in the AskJeevesToolBar.SettingsPlugin.1 A ...) NOT-FOR-US: AskJeevesToolBar CVE-2007-5106 (Cross-site scripting (XSS) vulnerability in wp-register.php in WordPre ...) - wordpress 2.0.2-1 (low) CVE-2007-5105 (Cross-site scripting (XSS) vulnerability in wp-register.php in WordPre ...) - wordpress 2.0.4-1 (low) CVE-2007-5104 (SQL injection vulnerability in index.php in the Arcade module in bcoos ...) NOT-FOR-US: bcoos CVE-2007-5103 (Directory traversal vulnerability in config.inc.php in Wordsmith 1.0 R ...) NOT-FOR-US: Wordsmith CVE-2007-5102 (PHP remote file inclusion vulnerability in config.inc.php in Wordsmith ...) NOT-FOR-US: Wordsmith CVE-2007-5101 (ChironFS before 1.0 RC7 sets user/group ownership to the mounter accou ...) NOT-FOR-US: ChironFS CVE-2007-5100 (Multiple PHP remote file inclusion vulnerabilities in phpBB Plus 1.53, ...) NOT-FOR-US: phpBB plus (phpbb2 does not include this module) CVE-2007-5099 (PHP remote file inclusion vulnerability in show.php in David Watters H ...) NOT-FOR-US: helplink CVE-2007-5098 (Multiple PHP remote file inclusion vulnerabilities in DFD Cart 1.1.4 a ...) NOT-FOR-US: DFD Cart CVE-2007-5097 NOT-FOR-US: Online Fantasy Football League CVE-2007-5096 (PHP remote file inclusion vulnerability in modules/webmail2/inc/rfc822 ...) NOT-FOR-US: guanxiCRM Business Solution CVE-2007-5095 (Microsoft Windows Media Player (WMP) 9 on Windows XP SP2 invokes Inter ...) NOT-FOR-US: Windows Media Player CVE-2007-5094 (Heap-based buffer overflow in iaspam.dll in the SMTP Server in Ipswitc ...) NOT-FOR-US: Ipswitch IMail Server CVE-2007-5093 (The disconnect method in the Philips USB Webcam (pwc) driver in Linux ...) {DSA-1503-2 DSA-1504-1 DSA-1503-1 DSA-1381-2} - linux-2.6 2.6.23-1 CVE-2007-5092 (Directory traversal vulnerability in index.php in the Dance Music modu ...) NOT-FOR-US: phpNuke module CVE-2007-5091 (Multiple cross-site scripting (XSS) vulnerabilities in eGroupWare 1.4. ...) - egroupware 1.2.107-2.dfsg-2 (low; bug #444351) CVE-2007-5090 (Unspecified vulnerability in IBM Rational ClearQuest (CQ), when a Micr ...) NOT-FOR-US: IBM Rational ClearQuest CVE-2007-5089 (PHP remote file inclusion vulnerability in php-inc/log.inc.php in sk.l ...) NOT-FOR-US: Sklog CVE-2007-5088 (Cross-site scripting (XSS) vulnerability in search/cust_bill_event.cgi ...) NOT-FOR-US: freeside CVE-2007-5087 (The ATM module in the Linux kernel before 2.4.35.3, when CLIP support ...) - linux-2.6 (2.6 code base handles ARP entries differently) CVE-2007-5086 (Kaspersky Anti-Virus (KAV) and Internet Security 7.0 build 125 do not ...) NOT-FOR-US: Kaspersky Anti-Virus and Internet Security 7.0 CVE-2007-5085 (Unspecified vulnerability in the management EJB (MEJB) in Apache Geron ...) NOT-FOR-US: Geronimo Apache CVE-2007-5084 (Multiple SQL injection vulnerabilities in Computer Associates (CA) Bri ...) NOT-FOR-US: CA BrightStor Hierarchical Storage Manager CVE-2007-5083 (Multiple integer overflows in Computer Associates (CA) BrightStor Hier ...) NOT-FOR-US: CA BrightStor Hierarchical Storage Manager CVE-2007-5082 (Multiple stack-based buffer overflows in Computer Associates (CA) Brig ...) NOT-FOR-US: CA BrightStor Hierarchical Storage Manager CVE-2002-2227 (Buffer underflow in ssldump 0.9b2 and earlier allows remote attackers ...) - ssldump 0.9b3-1 (low) CVE-2007-5081 (Heap-based buffer overflow in RealNetworks RealPlayer 8, 10, 10.1, and ...) NOT-FOR-US: RealPlayer CVE-2007-5080 (Integer overflow in RealNetworks RealPlayer 10 and 10.5, RealOne Playe ...) NOT-FOR-US: RealPlayer CVE-2007-5079 (Red Hat Enterprise Linux 4 does not properly compile and link gdm with ...) - gdm (Red Hat-specific packaging flaw) CVE-2007-5078 (Multiple cross-site scripting (XSS) vulnerabilities in eGov Manager al ...) NOT-FOR-US: eGov Manager CVE-2007-5077 RESERVED CVE-2007-5076 RESERVED CVE-2007-5075 RESERVED CVE-2007-5074 RESERVED CVE-2007-5073 RESERVED CVE-2007-5072 (Multiple cross-site scripting (XSS) vulnerabilities in Simple PHP Blog ...) NOT-FOR-US: Simple PHP Blog CVE-2007-5071 (Incomplete blacklist vulnerability in upload_img_cgi.php in Simple PHP ...) NOT-FOR-US: Simple PHP Blog CVE-2007-5070 (Heap-based buffer overflow in the EasyMailMessagePrinter ActiveX contr ...) NOT-FOR-US: Easy Mail Message Printer CVE-2007-5069 (Directory traversal vulnerability in data/compatible.php in the Nuke M ...) NOT-FOR-US: PHP-Nuke CVE-2007-5068 (SQL injection vulnerability in index.php in phpFullAnnu (PFA) 6.0 allo ...) NOT-FOR-US: phpFullAnnu CVE-2007-5067 (Multiple buffer overflows in iMatix Xitami Web Server 2.5c2 allow remo ...) NOT-FOR-US: iMatix Xitami Web Server CVE-2007-5066 (Unspecified vulnerability in Webmin before 1.370 on Windows allows rem ...) - webmin CVE-2007-5065 (PHP remote file inclusion vulnerability in admin.slideshow1.php in the ...) NOT-FOR-US: Joomla! extension CVE-2007-5064 (Buffer overflow in a certain ActiveX control in Xunlei Web Thunder 5.6 ...) NOT-FOR-US: Xunlei Web Thunder CVE-2007-5063 (Adam Scheinberg Flip 3.0 and earlier stores sensitive information unde ...) NOT-FOR-US: Adam Scheinberg Flip CVE-2007-5062 (account.php in Adam Scheinberg Flip 3.0 and earlier allows remote atta ...) NOT-FOR-US: Adam Scheinberg Flip CVE-2007-5061 (SQL injection vulnerability in mods/banners/navlist.php in Clansphere ...) NOT-FOR-US: Clansphere CVE-2007-5060 (Cross-site request forgery (CSRF) vulnerability in the cpass functiona ...) NOT-FOR-US: XCMS CVE-2007-5059 (Multiple cross-site scripting (XSS) vulnerabilities in GreenSQL allow ...) NOT-FOR-US: GreenSQL CVE-2007-5058 (Cross-site scripting (XSS) vulnerability in the Web administration int ...) NOT-FOR-US: Barracuda CVE-2007-5057 (NetSupport Manager Client before 10.20.0004 allows remote attackers to ...) NOT-FOR-US: NetSupport Manager Client CVE-2007-5056 (Eval injection vulnerability in adodb-perf-module.inc.php in ADOdb Lit ...) NOT-FOR-US: ADOdb Lite CVE-2007-5055 (Multiple directory traversal vulnerabilities in iziContents 1 RC6 and ...) NOT-FOR-US: iziContents CVE-2007-5054 (Multiple PHP remote file inclusion vulnerabilities in iziContents 1 RC ...) NOT-FOR-US: iziContents CVE-2007-5053 (Multiple incomplete blacklist vulnerabilities in iziContents 1 RC6 and ...) NOT-FOR-US: iziContents CVE-2007-5052 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Vi ...) NOT-FOR-US: Vigile CMS CVE-2007-5051 (Multiple cross-site scripting (XSS) vulnerabilities in PhpGedView 4.1. ...) {DSA-1559-1} - phpgedview 4.1.e+4.1.1-2 (low; bug #443901) CVE-2007-5050 (Directory traversal vulnerability in index.php in Neuron News 1.0 allo ...) NOT-FOR-US: Neuron News CVE-2007-5049 REJECTED CVE-2007-5048 (Heap-based buffer overflow in Lhaplus before 1.55 allows remote attack ...) NOT-FOR-US: lhaplus CVE-2007-5047 (Norton Internet Security 2008 15.0.0.60 does not properly validate cer ...) NOT-FOR-US: Norton Internet Security CVE-2007-5046 (Cross-site scripting (XSS) vulnerability in the Webmail interface for ...) NOT-FOR-US: IceWarp Merak Mail Server CVE-2007-5045 (Argument injection vulnerability in Apple QuickTime 7.1.5 and earlier, ...) - iceweasel (Only affects Firefox/Thunderbird on Windows) - icedove (Only affects Firefox/Thunderbird on Windows) CVE-2007-5044 (ZoneAlarm Pro 7.0.362.000 does not properly validate certain parameter ...) NOT-FOR-US: ZoneAlam Pro CVE-2007-5043 (Kaspersky Internet Security 7.0.0.125 does not properly validate certa ...) NOT-FOR-US: Kaspersky Internet Security CVE-2007-5042 (Outpost Firewall Pro 4.0.1025.7828 does not properly validate certain ...) NOT-FOR-US: Outpost Firewall PRO CVE-2007-5041 (G DATA InternetSecurity 2007 does not properly validate certain parame ...) NOT-FOR-US: G DATA InternetSecurity CVE-2007-5040 (Ghost Security Suite alpha 1.200 does not properly validate certain pa ...) NOT-FOR-US: Ghost Security Suite CVE-2007-5039 (Ghost Security Suite beta 1.110 does not properly validate certain par ...) NOT-FOR-US: Ghost Security Suite CVE-2007-5038 (The offer_account_by_email function in User.pm in the WebService for B ...) - bugzilla (Affected versions were never present in the archive) CVE-2007-5037 (Buffer overflow in the inotifytools_snprintf function in src/inotifyto ...) {DSA-1440-1} - inotify-tools 3.11-1 (medium; bug #443913) CVE-2007-5036 (Multiple buffer overflows in the AirDefense Airsensor M520 with firmwa ...) NOT-FOR-US: AirDefense firmware CVE-2007-5035 NOT-FOR-US: openEngine CVE-2007-5034 (ELinks before 0.11.3, when sending a POST request for an https URL, ap ...) {DSA-1380-1} - elinks 0.11.1-1.5 (low; bug #443914) CVE-2007-5033 (Cross-site scripting (XSS) vulnerability in profile.php in phpBB XS 2 ...) NOT-FOR-US: phpBB XS CVE-2007-5032 (Cross-site request forgery (CSRF) vulnerability in admin.php in Franci ...) NOT-FOR-US: Php-Nuke CVE-2007-5031 (The TSrvOptIA_NA::rebind method in SrvOptions/SrvOptIA_NA.cpp in Dibbl ...) - dibbler 0.6.1-1 (low; bug #444002) CVE-2007-5030 (Multiple integer overflows in Dibbler 0.6.0 allow remote attackers to ...) - dibbler 0.6.1-1 (low; bug #444002) CVE-2007-5029 (Dibbler 0.6.0 does not verify that certain length parameters are appro ...) - dibbler 0.6.1-1 (low; bug #444002) CVE-2007-5028 (Dibbler 0.6.0 on Linux uses weak world-writable permissions for unspec ...) - dibbler 0.6.1-1 (medium; bug #444002) CVE-2007-5027 (Multiple cross-site scripting (XSS) vulnerabilities in cgi-bin/ddns in ...) NOT-FOR-US: WBR3404TX firmware CVE-2007-5026 (dBlog CMS, probably 2.0, stores sensitive information under the web ro ...) NOT-FOR-US: dBlog CMS CVE-2007-5025 (Unspecified vulnerability in EMC VMware ACE before 1.0.3 Build 54075 a ...) NOT-FOR-US: VMware CVE-2007-5024 (EMC VMware Server before 1.0.4 Build 56528 writes passwords in clearte ...) NOT-FOR-US: VMware CVE-2007-5023 (Unquoted Windows search path vulnerability in EMC VMware Workstation b ...) NOT-FOR-US: VMware CVE-2007-5022 (Unspecified vulnerability in certain IBM Tivoli Storage Manager (TSM) ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2007-5021 REJECTED CVE-2007-5020 (Unspecified vulnerability in Adobe Acrobat and Reader 8.1 on Windows a ...) NOT-FOR-US: Acrobat Reader CVE-2004-2687 (distcc 2.x, as used in XCode 1.5 and others, when not configured to re ...) - distcc 2.18.1-1 (low) NOTE: since 2.18.1-1 there is the --allow switch to control network access NOTE: https://github.com/distcc/distcc/issues/155 NOTE: Fix in depth is only in later version 3.3, cf. NOTE: https://bugs.debian.org/892973 CVE-2004-2686 (Directory traversal vulnerability in the vfs_getvfssw function in Sola ...) NOT-FOR-US: Solaris CVE-2003-1339 (Stack-based buffer overflow in eZnet.exe, as used in eZ (a) eZphotosha ...) NOT-FOR-US: eZnet CVE-2003-1338 (CRLF injection vulnerability in Aprelium Abyss Web Server 1.1.2 and ea ...) NOT-FOR-US: Abyss Web Server CVE-2003-1337 (Heap-based buffer overflow in Aprelium Abyss Web Server 1.1.2 and earl ...) NOT-FOR-US: Abyss Web Server CVE-2003-1336 (Buffer overflow in mIRC before 6.11 allows remote attackers to execute ...) NOT-FOR-US: mIRC CVE-2002-2226 (Buffer overflow in tftpd of TFTP32 2.21 and earlier allows remote atta ...) NOT-FOR-US: Tftpd32 CVE-2001-1583 (lpd daemon (in.lpd) in Solaris 8 and earlier allows remote attackers t ...) NOT-FOR-US: Solaris CVE-2001-1582 (Buffer overflow in the LDAP naming services library (libsldap) in Sun ...) NOT-FOR-US: Solaris CVE-2007-XXXX [mimep insecure tempfile usage and insecure calls to LaTeX and dvips] - mp 3.7.1-8 (low) [sarge] - mp (Minor issue) [etch] - mp (Minor issue) NOTE: Can be fixed in a point update CVE-2007-5019 (Buffer overflow in the Sun Java Web Start ActiveX control in Java Runt ...) - sun-java6 (unimportant) - sun-java5 (unimportant) - openjdk-6 (unimportant) NOTE: exploiting this would not work under Linux CVE-2007-5018 (Stack-based buffer overflow in IMAPD in Mercury/32 4.52 allows remote ...) NOT-FOR-US: Pegasus Mail Mercury CVE-2007-5017 (Absolute path traversal vulnerability in a certain ActiveX control in ...) NOT-FOR-US: Yahoo! Messenger CVE-2007-5016 (SQL injection vulnerability in userreviews.php in OneCMS 2.4 allows re ...) NOT-FOR-US: OneCMS CVE-2007-5015 (Multiple PHP remote file inclusion vulnerabilities in Streamline PHP M ...) NOT-FOR-US: Streamline CVE-2007-5014 (Multiple PHP remote file inclusion vulnerabilities in pSlash 0.70 allo ...) NOT-FOR-US: pSlash CVE-2007-5013 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Ph ...) NOT-FOR-US: Phormer CVE-2007-5012 (Cross-site scripting (XSS) vulnerability in picture.php in PhpWebGalle ...) NOT-FOR-US: PhpWebGallery CVE-2007-5011 (webbatch.exe in WebBatch allows remote attackers to obtain sensitive i ...) NOT-FOR-US: WebBatch CVE-2007-5010 (Cross-site scripting (XSS) vulnerability in WebBatch allows remote att ...) NOT-FOR-US: WebBatch CVE-2007-5009 (PHP remote file inclusion vulnerability in language/lang_german/lang_m ...) NOT-FOR-US: Phpbb Plus NOTE: vulnerable code not included in phpbb2 CVE-2007-5008 (The logins command in HP-UX B.11.31, B.11.23, and B.11.11 does not cor ...) NOT-FOR-US: HP-UX CVE-2007-5007 (Stack-based buffer overflow in the ir_fetch_seq function in balsa befo ...) - balsa 2.3.20-1 (low) [etch] - balsa 2.3.13-3 NOTE: Minor issue fixed in 4.0r4 point release [sarge] - balsa (Minor issue) NOTE: attacker needs to get the victim a prepared server to use CVE-2007-5006 (Multiple command handlers in CA (Computer Associates) BrightStor ARCse ...) NOT-FOR-US: CA ARCserve Backup CVE-2007-5005 (Directory traversal vulnerability in rxRPC.dll in CA (Computer Associa ...) NOT-FOR-US: CA ARCserve Backup CVE-2007-5004 (Integer overflow in CA (Computer Associates) BrightStor ARCserve Backu ...) NOT-FOR-US: CA ARCserve Backup CVE-2007-5003 (Multiple stack-based buffer overflows in CA (Computer Associates) Brig ...) NOT-FOR-US: CA ARCserve Backup CVE-2007-5002 RESERVED CVE-2007-5001 (Linux kernel before 2.4.21 allows local users to cause a denial of ser ...) - linux-2.6 (RedHat/RHEL3 specific patch only) CVE-2007-5000 (Cross-site scripting (XSS) vulnerability in the (1) mod_imap module in ...) [sarge] - apache2 (minor issue) [sarge] - apache (minor issue) - apache2 2.2.8-1 (low) - apache (low) [etch] - apache2 2.2.3-4+etch4 [etch] - apache 1.3.34-4.1+etch1 CVE-2007-4999 (libpurple in Pidgin 2.1.0 through 2.2.1, when using HTML logging, allo ...) - pidgin 2.2.2-1 (medium) CVE-2007-4998 (cp, when running with an option to preserve symlinks on multiple OSes, ...) - coreutils 4.1.2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=356471 CVE-2007-4997 (Integer underflow in the ieee80211_rx function in net/ieee80211/ieee80 ...) {DSA-1428-1} - linux-2.6 2.6.23-1 CVE-2007-4996 (libpurple in Pidgin before 2.2.1 does not properly handle MSN nudge me ...) - pidgin 2.2.1-1 (medium) NOTE: Gaim not affected, vulnerable code was introduced in 2.2.0 CVE-2007-4995 (Off-by-one error in the DTLS implementation in OpenSSL 0.9.8 before 0. ...) {DSA-1571-1} - openssl 0.9.8f-1 (low) - openssl097 (DTLS support was introduced in 0.9.8) - openssl096 (DTLS support was introduced in 0.9.8) [sarge] - openssl (DTLS support was introduced in 0.9.8) CVE-2007-4994 (Certificate Server 7.2 in Red Hat Certificate System (RHCS) does not p ...) NOT-FOR-US: Redhat Certificate Server CVE-2007-4993 (pygrub (tools/pygrub/src/GrubConf.py) in Xen 3.0.3, when booting a gue ...) {DSA-1384-1} - xen-3 3.1.1-1 (medium; bug #444430) - xen-3.0 CVE-2007-4992 (Stack-based buffer overflow in the process_packet function in fbserver ...) - firebird1.5 (medium; bug #446373) - firebird2.0 2.0.3.12981.ds1-1 (medium) CVE-2007-4991 (The SOCKS4 Proxy in Microsoft Internet Security and Acceleration (ISA) ...) NOT-FOR-US: Microsoft Internet Security and Acceleration CVE-2007-4990 (The swap_char2b function in X.Org X Font Server (xfs) before 1.0.5 all ...) {DSA-1385-1} - xfs 1:1.0.5-1 CVE-2007-4989 REJECTED CVE-2007-4988 (Sign extension error in the ReadDIBImage function in ImageMagick befor ...) {DSA-1903-1 DSA-1858-1 DTSA-63-1} - imagemagick 7:6.2.4.5.dfsg1-2 (medium; bug #444267) - graphicsmagick 1.1.11-1 (medium; bug #444266) CVE-2007-4987 (Off-by-one error in the ReadBlobString function in blob.c in ImageMagi ...) {DSA-1858-1 DTSA-63-1} - imagemagick 7:6.2.4.5.dfsg1-2 (medium; bug #444267) CVE-2007-4986 (Multiple integer overflows in ImageMagick before 6.3.5-9 allow context ...) {DSA-1903-1 DSA-1858-1 DTSA-63-1} - imagemagick 7:6.2.4.5.dfsg1-2 (medium; bug #444267) - graphicsmagick 1.1.11-1 (medium; bug #444266) CVE-2007-4985 (ImageMagick before 6.3.5-9 allows context-dependent attackers to cause ...) {DSA-1903-1 DSA-1858-1 DTSA-63-1} - imagemagick 7:6.2.4.5.dfsg1-2 (medium; bug #444267) - graphicsmagick 1.1.11-1 (medium; bug #444266) CVE-2007-4984 (SQL injection vulnerability in index.php in the Ktauber.com StylesDemo ...) NOT-FOR-US: StylesDemo CVE-2007-4983 (Directory traversal vulnerability in the JetAudio.Interface.1 ActiveX ...) NOT-FOR-US: jetAudio CVE-2007-4982 (Multiple absolute path traversal vulnerabilities in the MW6QRCode.QRCo ...) NOT-FOR-US: QRCode CVE-2007-4981 (Cross-site scripting (XSS) vulnerability in the save function in Obedi ...) NOT-FOR-US: Obedit CVE-2007-4980 (The readRequest method in org/gcaldaemon/core/http/HTTPListener.java i ...) NOT-FOR-US: GCALDaemon CVE-2007-4979 (SQL injection vulnerability in index.php in the sondages module in Kws ...) NOT-FOR-US: KwsPHP CVE-2007-4978 (Multiple PHP remote file inclusion vulnerabilities in phpSyncML 0.1.2 ...) NOT-FOR-US: phpSyncML CVE-2007-4977 (Cross-site scripting (XSS) vulnerability in mode.php in Coppermine Pho ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2007-4976 (Directory traversal vulnerability in viewlog.php in Coppermine Photo G ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2007-4975 (Cross-site scripting (XSS) vulnerability in hilfe.php in b1gMail 6.3.1 ...) NOT-FOR-US: b1gMail CVE-2007-4974 (Heap-based buffer overflow in the flac_buffer_copy function in libsndf ...) {DSA-1442-1} - libsndfile 1.0.17-4 (bug #443386; medium) [sarge] - libsndfile (Vulnerable code not present) - ardour 1:2.1-1.1 (medium; bug #445889) [sarge] - ardour (Vulnerable code not present) [etch] - ardour (Vulnerable code not present) CVE-2007-4973 RESERVED CVE-2007-4972 (RegMon 7.04 does not properly validate certain parameters to System Se ...) NOT-FOR-US: NtRegmon CVE-2007-4971 (ProSecurity 1.40 Beta 2 does not properly validate certain parameters ...) NOT-FOR-US: ProSecurity CVE-2007-4970 (ProcessGuard 3.410 does not properly validate certain parameters to Sy ...) NOT-FOR-US: ProcessGuard CVE-2007-4969 (Process Monitor 1.22 does not properly validate certain parameters to ...) NOT-FOR-US: Process Monitor CVE-2007-4968 (Privatefirewall 5.0.14.2 does not properly validate certain parameters ...) NOT-FOR-US: Privatefirewal CVE-2007-4967 (Online Armor Personal Firewall 2.0.1.215 does not properly validate ce ...) NOT-FOR-US: Online Armor Personal Firewall CVE-2007-4966 (SQL injection vulnerability in www/people/editprofile.php in GForge 4. ...) NOTE: Duplicate of CVE-2007-3913 CVE-2007-4965 (Multiple integer overflows in the imageop module in Python 2.5.1 and e ...) {DSA-1620-1 DSA-1551-1} - python2.5 2.5.1-6 (low; bug #443333) [etch] - python2.5 (Minor issue) [sarge] - python2.5 (Minor issue) - python2.4 2.4.4-7 (low; bug #443335) [etch] - python2.4 (Minor issue) CVE-2007-4964 (WinImage 8.10 and earlier allows remote attackers to cause a denial of ...) NOT-FOR-US: WinImage CVE-2007-4963 (Visual truncation vulnerability in WinImage 8.10 and earlier allows re ...) NOT-FOR-US: WinImage CVE-2007-4962 (Directory traversal vulnerability in WinImage 8.10 and earlier allows ...) NOT-FOR-US: WinImage CVE-2007-4961 (The login_to_simulator method in Linden Lab Second Life, as used by th ...) - secondlife-client (low; bug #406335) CVE-2007-4960 (Argument injection vulnerability in the Linden Lab Second Life secondl ...) - secondlife-client (low; bug #406335) CVE-2007-4959 (Cross-site scripting (XSS) vulnerability in catalog_products_with_imag ...) NOT-FOR-US: osCMax CVE-2007-4958 (Multiple cross-site scripting (XSS) vulnerabilities in TinyWebGallery ...) NOT-FOR-US: TinyWebGallery CVE-2007-4957 (Multiple directory traversal vulnerabilities in download.php in Chupix ...) NOT-FOR-US: ChupixCMS CVE-2007-4956 (Multiple SQL injection vulnerabilities in KwsPHP 1.0 allow remote atta ...) NOT-FOR-US: KwsPhp CVE-2007-4955 (PHP remote file inclusion vulnerability in admin.joomlaflashfun.php in ...) NOT-FOR-US: Joomla! extension CVE-2007-4954 (PHP remote file inclusion vulnerability in admin.joom12pic.php in the ...) NOT-FOR-US: Joomla! extension CVE-2007-4953 (SQL injection vulnerability in index.php in SimpCMS allows remote atta ...) NOT-FOR-US: SimpCMS CVE-2007-4952 (SQL injection vulnerability in article.php in OmniStar Article Manager ...) NOT-FOR-US: OmniStar Article Manager CVE-2007-4951 NOT-FOR-US: YaPiG CVE-2007-4950 NOT-FOR-US: Phportal CVE-2007-4949 NOT-FOR-US: phpreactor CVE-2007-4948 (Multiple PHP remote file inclusion vulnerabilities in Webmedia Explore ...) NOT-FOR-US: Webmedia Explorer CVE-2007-4947 (Multiple PHP remote file inclusion vulnerabilities in myphpPagetool 0. ...) NOT-FOR-US: myphpPagetool CVE-2007-4946 (LetterGrade allows remote attackers to obtain sensitive information (i ...) NOT-FOR-US: LetterGrade CVE-2007-4945 (Multiple cross-site scripting (XSS) vulnerabilities in LetterGrade all ...) NOT-FOR-US: LetterGrade CVE-2007-4944 (The canvas.createPattern function in Opera 9.x before 9.22 for Linux, ...) NOT-FOR-US: Opera CVE-2007-4943 (Multiple buffer overflows in a certain ActiveX control in sparser.dll ...) NOT-FOR-US: Baofeng Storm CVE-2007-4942 (PHP remote file inclusion vulnerability in modules/Discipline/StudentF ...) NOT-FOR-US: Focus/SIS CVE-2007-4941 (KMPlayer 2.9.3.1210 and earlier allows remote attackers to cause a den ...) NOT-FOR-US: KMPlayer for windows NOTE: its not kmplayer we ship its a windows only media player CVE-2007-4940 (Multiple integer overflows in Media Player Classic (MPC) 6.4.9.0 and e ...) NOT-FOR-US: Media Player Classic CVE-2007-4939 (Heap-based buffer overflow in mplayerc.exe in Media Player Classic (MP ...) NOT-FOR-US: Media Player Classic CVE-2007-4938 (Heap-based buffer overflow in libmpdemux/aviheader.c in MPlayer 1.0rc1 ...) {DTSA-65-1} - mplayer 1.0~rc1-16.1 (bug #443478) CVE-2007-4937 (CS Guestbook stores sensitive information under the web root with insu ...) NOT-FOR-US: CS Guestbook CVE-2007-4936 (Unspecified vulnerability in Office Efficiencies SafeSquid 4.1.x has u ...) NOT-FOR-US: SafeSquid CVE-2007-4935 (Multiple PHP remote file inclusion vulnerabilities in phpFFL 1.24 allo ...) NOT-FOR-US: phpFFL CVE-2007-4934 (Multiple PHP remote file inclusion vulnerabilities in phpFFL 1.24 allo ...) NOT-FOR-US: phpFFL CVE-2007-4933 (Direct static code injection vulnerability in includes/admin/sub/conf_ ...) NOT-FOR-US: Shop-Script FREE CVE-2007-4932 (admin.php in Shop-Script FREE 2.0 and earlier sends a redirect to the ...) NOT-FOR-US: Shop-Script FREE CVE-2007-4931 (HP System Management Homepage (SMH) for Windows, when used in conjunct ...) NOT-FOR-US: HP System Management Homepage CVE-2007-4930 (Multiple cross-site request forgery (CSRF) vulnerabilities in the AXIS ...) NOT-FOR-US: Axis firmware CVE-2007-4929 (Multiple cross-site scripting (XSS) vulnerabilities in the AXIS 207W c ...) NOT-FOR-US: Axis firmware CVE-2007-4928 (The AXIS 207W camera stores a WEP or WPA key in cleartext in the confi ...) NOT-FOR-US: Axis firmware CVE-2007-4927 (axis-cgi/buffer/command.cgi on the AXIS 207W camera allows remote auth ...) NOT-FOR-US: Axis firmware CVE-2007-4926 (The AXIS 207W camera uses a base64-encoded cleartext username and pass ...) NOT-FOR-US: Axis firmware CVE-2007-4925 (The ewirePC_Decrypt function in ewirepcfunctions.php in eWire Payment ...) NOT-FOR-US: eWire Payment Client CVE-2007-4924 (The Open Phone Abstraction Library (opal), as used by (1) Ekiga before ...) - opal 2.2.11~dfsg1-1 (low) [etch] - opal 2.2.3.dfsg-3+etch1 (bug #454141) NOTE: will be fixed by regular stable update CVE-2007-4923 (PHP remote file inclusion vulnerability in admin.joomlaradiov5.php in ...) NOT-FOR-US: Joomla extension CVE-2007-4922 (SQL injection vulnerability in play.php in the jeuxflash 1.0 module fo ...) NOT-FOR-US: KwsPhp CVE-2007-4921 (PHP remote file inclusion vulnerability in _includes/settings.inc.php ...) NOT-FOR-US: Ajax File Browser CVE-2007-4920 (SQL injection vulnerability in soporte_derecha_w.php in PHP Webquest 2 ...) NOT-FOR-US: Webquest CVE-2007-4919 (Multiple SQL injection vulnerabilities in JBlog 1.0 allow (1) remote a ...) NOT-FOR-US: Jblog CVE-2007-4918 (SQL injection vulnerability in classes/gelato.class.php in Gelato allo ...) NOT-FOR-US: Gelato CVE-2007-4917 (Cross-site scripting (XSS) vulnerability in tracking.php in PHP-Stats ...) NOT-FOR-US: Php-Stats CVE-2007-4916 (Heap-based buffer overflow in the FileFind::FindFile method in (1) MFC ...) NOT-FOR-US: MFC Library CVE-2007-4915 (The Intersil isl3893 extensions for Boa 0.93.15, as used on the FreeLa ...) - boa (We don't ship this extension) CVE-2007-4914 (Unspecified vulnerability in the subscriptions manager in Invision Pow ...) NOT-FOR-US: Invision Power Board CVE-2007-4913 (ips_kernel/class_upload.php in Invision Power Board (IPB or IP.Board) ...) NOT-FOR-US: Invision Power Board CVE-2007-4912 (Cross-site scripting (XSS) vulnerability in ips_kernel/class_ajax.php ...) NOT-FOR-US: Invision Power Board CVE-2007-4911 (JSMP3OGGWt.dll in JetCast Server 2.0.0.4308 allows remote attackers to ...) NOT-FOR-US: JetCast Server CVE-2007-4910 (Unspecified vulnerability in netInvoicing before 2.7.3 has unknown imp ...) NOT-FOR-US: Netinvoicing CVE-2007-4909 (Interpretation conflict in WinSCP before 4.0.4 allows remote attackers ...) NOT-FOR-US: WinSCP CVE-2007-4908 (Directory traversal vulnerability in index.php in AuraCMS 2.1 and earl ...) NOT-FOR-US: AuraCMS CVE-2007-4907 (Multiple PHP remote file inclusion vulnerabilities in X-Cart allow rem ...) NOT-FOR-US: X-Cart CVE-2007-4906 (PHP remote file inclusion vulnerability in tasks/send_queued_emails.ph ...) NOT-FOR-US: NuclearBB CVE-2007-4905 (Unrestricted file upload vulnerability in mod/contak.php in AuraCMS 2. ...) NOT-FOR-US: AuraCMS CVE-2007-4904 (RealNetworks RealPlayer 10.1.0.3114 and earlier, and Helix Player 1.0. ...) - helix-player (unimportant; bug #443130) NOTE: Just a floating point exception by via a crafted .au file) CVE-2007-4903 (Multiple buffer overflows in a certain ActiveX control in CryptoX.dll ...) NOT-FOR-US: Ultra Crypto Component CVE-2007-4902 (Absolute path traversal vulnerability in a certain ActiveX control in ...) NOT-FOR-US: Ultra Crypto Component CVE-2007-4901 (The embedded Internet Explorer server control in AOL Instant Messenger ...) NOT-FOR-US: AOL Instant Messenger CVE-2007-4900 (Cross-site scripting (XSS) vulnerability in the logon page in RSA EnVi ...) NOT-FOR-US: RSA EnVision CVE-2007-4899 (Multiple cross-site scripting (XSS) vulnerabilities in Boinc Forum 5.1 ...) NOT-FOR-US: Boinc Forum CVE-2007-4898 (Unspecified vulnerability in the Multiwiki plugin in XWiki before 1.1 ...) NOT-FOR-US: Xwiki CVE-2007-4897 (pwlib, as used by Ekiga 2.0.5 and possibly other products, allows remo ...) {DTSA-94-1} - pwlib 1.10.10-1.1 (low; bug #454133) - pwlib-titan 1.11.2-1.1 (low; bug #454139) [etch] - pwlib 1.10.2-2+etch1 [sarge] - pwlib 1.8.4-1+sarge1.1 CVE-2007-4896 (Multiple cross-site scripting (XSS) vulnerabilities in admin/header.ph ...) NOT-FOR-US: Toms Gaestebuch CVE-2007-4895 (Directory traversal vulnerability in dwoprn.php in Sisfo Kampus 2006 ( ...) NOT-FOR-US: Sisfo Kampus CVE-2007-4894 (Multiple SQL injection vulnerabilities in Wordpress before 2.2.3 and W ...) - wordpress 2.2.3-1 (medium) [etch] - wordpress (Vulnerable code not yet introduced) CVE-2007-4893 (wp-admin/admin-functions.php in Wordpress before 2.2.3 and Wordpress m ...) - wordpress 2.2.3-1 (low) [etch] - wordpress (Vulnerable code not yet introduced) CVE-2007-4892 (Multiple SQL injection vulnerabilities in SWSoft Plesk 7.6.1, 8.1.0, 8 ...) NOT-FOR-US: Plesk (Windows) CVE-2007-XXXX [libgd2: gdImageColorTransparent can write outside buffer] - libwmf (unimportant) - racket 5.0.2-1 (unimportant; bug #601525) NOTE: Only present in one of the sample pl-scheme packages (plot) - libgd2 2.0.35.dfsg-3 [etch] - libgd2 2.0.33-5.2etch1 CVE-2007-4891 (A certain ActiveX control in PDWizard.ocx 6.0.0.9782 and earlier in Mi ...) NOT-FOR-US: PDWizard CVE-2007-4890 (Absolute directory traversal vulnerability in a certain ActiveX contro ...) NOT-FOR-US: Microsoft Visual Studio CVE-2007-4889 (The MySQL extension in PHP 5.2.4 and earlier allows remote attackers t ...) - php5 (unimportant) NOTE: basedir and safemode not supported CVE-2007-4888 (The "You are not allowed..." error handler in XWiki 1.0 B1 and 1.0 B2 ...) NOT-FOR-US: Xwiki CVE-2007-4887 (The dl function in PHP 5.2.4 and earlier allows context-dependent atta ...) - php5 5.2.5-1 (unimportant) NOTE: Only triggerable by malicious script CVE-2007-4886 (Incomplete blacklist vulnerability in index.php in AuraCMS 1.x and pro ...) NOT-FOR-US: Aura CMS CVE-2007-4885 (Avnex AV MP3 Player allows user-assisted remote attackers to cause a d ...) NOT-FOR-US: Avnex AV MP3 Player CVE-2007-4884 (Media Player Classic (MPC) allows user-assisted remote attackers to ca ...) NOT-FOR-US: Windows CVE-2007-4883 (Cross-site scripting (XSS) vulnerability in the BotQuery extension in ...) - mediawiki-extensions (We don't ship this extension) CVE-2007-4882 (Multiple cross-site scripting (XSS) vulnerabilities in TechExcel Custo ...) NOT-FOR-US: TechExcel CustomerWise CVE-2007-4881 (SQL injection vulnerability in profile/myprofile.php in psi-labs.com s ...) NOT-FOR-US: Psilabs CVE-2007-4880 (Buffer overflow in the Client Acceptor Daemon (CAD), dsmcad.exe, in ce ...) NOT-FOR-US: IBM Tivoli Storage Manager (TSM) CVE-2007-4879 (Mozilla Firefox before Firefox 2.0.0.13, and SeaMonkey before 1.1.9, c ...) {DSA-1534-2 DSA-1535-1 DSA-1534-1 DSA-1532-1} - iceweasel 2.0.0.13-1 (low; bug #444803) - iceape 1.1.9-1 (low; bug #444805) - xulrunner 1.8.1.13-1 CVE-2007-4878 RESERVED CVE-2007-4877 RESERVED CVE-2007-4876 RESERVED CVE-2007-4875 RESERVED CVE-2007-4874 (Multiple cross-site scripting (XSS) vulnerabilities in SimpNews 2.41.0 ...) NOT-FOR-US: SimpNews CVE-2007-4873 (SimpNews 2.41.03 stores sensitive information under the web root with ...) NOT-FOR-US: SimpNews CVE-2007-4872 (SimpNews 2.41.03 allows remote attackers to obtain sensitive informati ...) NOT-FOR-US: SimpNews CVE-2007-4871 RESERVED CVE-2007-4870 RESERVED CVE-2007-4869 RESERVED CVE-2007-4868 RESERVED CVE-2007-4867 RESERVED CVE-2007-4866 RESERVED CVE-2007-4865 RESERVED CVE-2007-4864 RESERVED CVE-2007-4863 (SQL injection vulnerability in example.php in SAXON 5.4 allows remote ...) NOT-FOR-US: SAXON CVE-2007-4862 (Cross-site scripting (XSS) vulnerability in admin/menu.php in SAXON 5. ...) NOT-FOR-US: SAXON CVE-2007-4861 (SAXON 5.4, with display_errors enabled, allows remote attackers to obt ...) NOT-FOR-US: SAXON CVE-2007-4860 RESERVED CVE-2007-4859 RESERVED CVE-2007-4858 RESERVED CVE-2007-4857 RESERVED CVE-2007-4856 RESERVED CVE-2007-4855 RESERVED CVE-2007-4854 RESERVED CVE-2007-4853 RESERVED CVE-2007-4852 RESERVED CVE-2007-4851 REJECTED CVE-2006-7223 (PreviewAction in XWiki 0.9.543 through 0.9.1252 does not set the Autho ...) NOT-FOR-US: Xwiki CVE-2005-4862 (The search functionality in XWiki 0.9.793 indexes cleartext user passw ...) NOT-FOR-US: Xwiki CVE-2007-4850 (curl/interface.c in the cURL library (aka libcurl) in PHP 5.2.4 and 5. ...) - php4 (unimportant) - php5 5.2.6-1 (unimportant) NOTE: Safe mode bypasses not treated as security problems CVE-2007-4849 (JFFS2, as used on One Laptop Per Child (OLPC) build 542 and possibly o ...) {DSA-1378-2 DSA-1378-1} - linux-2.6 2.6.23-1 (bug #442245; low) CVE-2007-4848 (Microsoft Internet Explorer 4.0 through 7 allows remote attackers to d ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2007-4847 (Google Picasa allows remote attackers to read image files stored by Pi ...) NOT-FOR-US: Google Picasa CVE-2007-4846 (SQL injection vulnerability in start.php in Webace-Linkscript (wls) 1. ...) NOT-FOR-US: Webace-Linkscript CVE-2007-4845 (Multiple SQL injection vulnerabilities in UPLOAD/index.php in RW::Down ...) NOT-FOR-US: RW::Download CVE-2007-4844 (X-Diesel Unreal Commander 0.92 build 565 and 573 does not properly rea ...) NOT-FOR-US: Unreal Commander CVE-2007-4843 (Directory traversal vulnerability in X-Diesel Unreal Commander 0.92 bu ...) NOT-FOR-US: Unreal Commander CVE-2007-4842 (Directory traversal vulnerability in Enriva Development Magellan Explo ...) NOT-FOR-US: Magellan Explorer CVE-2007-4841 (Mozilla Firefox before 2.0.0.8, Thunderbird before 2.0.0.8, and SeaMon ...) - iceweasel (windows only issue) - iceape (windows only issue) - xulrunner (windows only issue) - icedove (windows only issue) NOTE: MFSA2007-36 NOTE: see https://bugzilla.mozilla.org/show_bug.cgi?id=394974 CVE-2007-4840 (PHP 5.2.4 and earlier allows context-dependent attackers to cause a de ...) - glibc 2.7-1 (unimportant) NOTE: Original PHP issue only triggerable by malicious script CVE-2007-4839 (Unspecified vulnerability in the PD tools component in IBM WebSphere A ...) NOT-FOR-US: IBM WebSphere CVE-2007-4838 (Multiple buffer overflows in CellFactor Revolution 1.03 and earlier al ...) NOT-FOR-US: CellFactor Revolution CVE-2007-4837 (SQL injection vulnerability in anket.asp in Proxy Anket 3.0.1 allows r ...) NOT-FOR-US: Proxy Anket CVE-2007-4836 (Cross-site scripting (XSS) vulnerability in index.php in phpMyQuote 0. ...) NOT-FOR-US: phpMyQuote CVE-2007-4835 (SQL injection vulnerability in index.php in phpMyQuote 0.20 allows rem ...) NOT-FOR-US: phpMyQuote CVE-2007-4834 (Multiple PHP remote file inclusion vulnerabilities in phpRealty 0.02 a ...) NOT-FOR-US: phpRealty CVE-2007-4833 (Unspecified vulnerability in the Edge Component in IBM WebSphere Appli ...) NOT-FOR-US: IBM WebSphere CVE-2007-4832 (Format string vulnerability in CellFactor Revolution 1.03 and earlier ...) NOT-FOR-US: CellFactor Revolution CVE-2007-4831 (Multiple cross-site scripting (XSS) vulnerabilities in account_setting ...) NOT-FOR-US: TorrentTrader CVE-2007-4830 (Cross-site scripting (XSS) vulnerability in CMD_BANDWIDTH_BREAKDOWN in ...) NOT-FOR-US: DirectAdmin CVE-2007-4829 (Directory traversal vulnerability in the Archive::Tar Perl module 1.36 ...) - perl 5.10.0-19 [etch] - perl (Was merged into Perl as of 5.10) - libarchive-tar-perl 1.38-1 (low; bug #449544) [sarge] - libarchive-tar-perl (Minor issue) [etch] - libarchive-tar-perl (Minor issue) CVE-2007-4828 (Cross-site scripting (XSS) vulnerability in the API pretty-printing mo ...) - mediawiki 1.10.2-1 (low; bug #442255) [etch] - mediawiki (Does not include the vulnerable code) CVE-2007-4827 (Unspecified vulnerability in the Modbus/TCP Diagnostic function in Min ...) NOT-FOR-US: Modbus Slave ActiveX Control CVE-2007-4826 (bgpd in Quagga before 0.99.9 allows explicitly configured BGP peers to ...) {DSA-1382-1} - quagga 0.99.9-1 (low; bug #442133) NOTE: Upstream says that this can only be exploited by configured peers. CVE-2007-4825 (Directory traversal vulnerability in PHP 5.2.4 and earlier allows atta ...) - php5 5.2.5-1 (unimportant) - php4 (error message "Allowed memory size of 8388608 bytes exhausted...") NOTE: php5 PoC can be reproduced, basedir violations not treated as security problems CVE-2007-4824 (Multiple cross-application scripting (XAS) vulnerabilities in Google P ...) NOT-FOR-US: Google Picasa CVE-2007-4823 (Multiple buffer overflows in Google Picasa have unspecified attack vec ...) NOT-FOR-US: Google Picasa CVE-2007-4822 (Cross-site request forgery (CSRF) vulnerability in the device manageme ...) NOT-FOR-US: Buffalo AirStation firmware CVE-2007-4821 (Buffer overflow in a certain ActiveX control in officeviewer.ocx 5.2.2 ...) NOT-FOR-US: EDraw Office Viewer CVE-2007-4820 (Absolute path traversal vulnerability in blanko.preview.php in Sisfo K ...) NOT-FOR-US: Sisfo Kampus CVE-2007-4819 (Multiple cross-site scripting (XSS) vulnerabilities in Txx CMS 0.2 all ...) NOT-FOR-US: Txx CMS CVE-2007-4818 (Multiple PHP remote file inclusion vulnerabilities in Txx CMS 0.2 allo ...) NOT-FOR-US: Txx CMS CVE-2007-4817 (Unrestricted file upload vulnerability in the Restaurante (com_restaur ...) NOT-FOR-US: Joomla component NOTE: not included in standard joomla installation, joomla has an itp though CVE-2007-4816 (Multiple buffer overflows in the BaoFeng2 storm ActiveX control in Mps ...) NOT-FOR-US: BaoFeng2 CVE-2007-4815 (Multiple PHP remote file inclusion vulnerabilities in WebED in Markus ...) NOT-FOR-US: WebED CVE-2007-4814 (Buffer overflow in the SQLServer ActiveX control in the Distributed Ma ...) NOT-FOR-US: Microsoft SQL Server Enterprise Manager CVE-2007-4813 (Cross-site scripting (XSS) vulnerability in Domino Blogsphere 3.01 Bet ...) NOT-FOR-US: Domino Blogsphere CVE-2007-4812 (Buffer overflow in Apple Safari 3.0.3 522.15.5, and other versions bef ...) NOT-FOR-US: Mac OS CVE-2007-4811 (Multiple cross-site scripting (XSS) vulnerabilities in Netjuke 1.0-rc2 ...) NOT-FOR-US: Netjuke CVE-2007-4810 (Multiple SQL injection vulnerabilities in Netjuke 1.0-rc2 allow remote ...) NOT-FOR-US: Netjuke CVE-2007-4809 (Multiple PHP remote file inclusion vulnerabilities in Online Fantasy F ...) NOT-FOR-US: Online Fantasy Football League CVE-2007-4808 (Multiple SQL injection vulnerabilities in TLM CMS 3.2 allow remote att ...) NOT-FOR-US: TLM CMS CVE-2007-4807 (Multiple PHP remote file inclusion vulnerabilities in Focus/SIS 2.2 al ...) NOT-FOR-US: Focus/SIS CVE-2007-4806 (PHP remote file inclusion vulnerability in modules/Discipline/Category ...) NOT-FOR-US: Focus/SIS CVE-2007-4805 (Directory traversal vulnerability in getgalldata.php in fuzzylime (cms ...) NOT-FOR-US: Fuzzylime CMS CVE-2007-4804 (Multiple SQL injection vulnerabilities in AuraCMS 1.5rc allow remote a ...) NOT-FOR-US: AuraCMS CVE-2007-4803 (Buffer overflow in AtomixMP3 2.3 allows user-assisted remote attackers ...) NOT-FOR-US: AtomixMP3 CVE-2007-4802 (Multiple heap-based buffer overflows in GlobalLink 2.7.0.8 allow remot ...) NOT-FOR-US: GlobalLink CVE-2007-4801 RESERVED CVE-2007-4800 RESERVED CVE-2007-4799 (The perfstat kernel extension in bos.perf.perfstat in AIX 5.3 does not ...) NOT-FOR-US: AIX perfstat kernel extension CVE-2007-4798 (Unspecified vulnerability in invscout in Inventory Scout in invscout.r ...) NOT-FOR-US: invscout CVE-2007-4797 (Multiple buffer overflows in unspecified svprint (System V print) comm ...) NOT-FOR-US: System V print CVE-2007-4796 (Buffer overflow in uucp in bos.net.uucp in IBM AIX 5.2 and 5.3 allows ...) NOT-FOR-US: uucp IBM AIX CVE-2007-4795 (Buffer overflow in mkpath in bos.rte.methods in IBM AIX 5.2 and 5.3 al ...) NOT-FOR-US: mkpath IBM AIX CVE-2007-4794 (Buffer overflow in fcstat in devices.common.IBM.fc.rte in IBM AIX 5.2 ...) NOT-FOR-US: fcstat IBM AIX CVE-2007-4793 (Buffer overflow in xlplm in plm.server.rte in IBM AIX 5.2 and 5.3 allo ...) NOT-FOR-US: xlplm IBM AIX CVE-2007-4792 (Buffer overflow in ibstat in devices.common.IBM.ib.rte in IBM AIX 5.3 ...) NOT-FOR-US: ibstat IBM AIX CVE-2007-4791 (Buffer overflow in the swcons command in bos.rte.console in IBM AIX 5. ...) NOT-FOR-US: swcons IBM AIX CVE-2007-4790 (Stack-based buffer overflow in certain ActiveX controls in (1) FPOLE.O ...) NOT-FOR-US: Microsoft Visual FoxPro CVE-2007-4789 (Cisco Content Switching Modules (CSM) 4.2 before 4.2.7, and Cisco Cont ...) NOT-FOR-US: Cisco CSM CVE-2007-4788 (Cisco Content Switching Modules (CSM) 4.2 before 4.2.3a, and Cisco Con ...) NOT-FOR-US: Cisco CSM CVE-2007-4787 (The virus detection engine in Sophos Anti-Virus before 2.49.0 does not ...) NOT-FOR-US: Sophos Anti-Virus CVE-2007-4786 (Cisco Adaptive Security Appliance (ASA) running PIX 7.0 before 7.0.7.1 ...) NOT-FOR-US: Cisco ASA CVE-2007-4785 (Sony Micro Vault Fingerprint Access Software, as distributed with Sony ...) NOT-FOR-US: Sony Micro Vault CVE-2007-4784 (The setlocale function in PHP before 5.2.4 allows context-dependent at ...) - php5 5.2.5-1 (unimportant; bug #441972) NOTE: Only triggerable by malicious script CVE-2007-4783 (The iconv_substr function in PHP 5.2.4 and earlier allows context-depe ...) - php5 5.2.5-1 (unimportant; bug #441972) NOTE: Only triggerable by malicious script CVE-2007-4782 (PHP before 5.2.3 allows context-dependent attackers to cause a denial ...) - php5 5.2.3-1 (unimportant) NOTE: Only triggerable by malicious script CVE-2007-4781 (administrator/index.php in the installer component (com_installer) in ...) NOT-FOR-US: Joomla! CVE-2007-4780 (Joomla! 1.5 before RC2 (aka Endeleo) allows remote attackers to obtain ...) NOT-FOR-US: Joomla! CVE-2007-4779 (Cross-site scripting (XSS) vulnerability in Joomla! 1.5 before RC2 (ak ...) NOT-FOR-US: Joomla! CVE-2007-4778 (Multiple SQL injection vulnerabilities in the content component (com_c ...) NOT-FOR-US: Joomla! CVE-2007-4777 (SQL injection vulnerability in Joomla! 1.5 before RC2 (aka Endeleo) al ...) NOT-FOR-US: Joomla! CVE-2007-4776 (Buffer overflow in Microsoft Visual Basic 6.0 and Enterprise Edition 6 ...) NOT-FOR-US: Microsoft Visual Basic CVE-2007-4775 RESERVED CVE-2007-4774 (The Linux kernel before 2.4.36-rc1 has a race condition. It was possib ...) - linux (Fixed before src:linux-2.6 -> src:linux rename) NOTE: https://osdn.net/projects/linux-kernel-docs/scm/git/linux-2.4.36/listCommit?skip=60 CVE-2007-4773 (Systrace before 1.6.0 has insufficient escape policy enforcement. ...) - systrace CVE-2007-4772 (The regular expression parser in TCL before 8.4.17, as used in Postgre ...) {DSA-1463-1 DSA-1460-1} - postgresql-8.2 8.2.6-1 - postgresql-8.1 8.1.11-1 - tcl8.3 8.3.5-13 (low) [etch] - tcl8.3 (Minor issue) - tcl8.4 8.4.17-1 (low) [etch] - tcl8.4 (Minor issue) [sarge] - postgresql CVE-2007-4771 (Heap-based buffer overflow in the doInterval function in regexcmp.cpp ...) {DSA-1511-1} - icu 3.8-6 (bug #463688) CVE-2007-4770 (libicu in International Components for Unicode (ICU) 3.8.1 and earlier ...) {DSA-1511-1} - icu 3.8-6 (bug #463688) CVE-2007-4769 (The regular expression parser in TCL before 8.4.17, as used in Postgre ...) {DSA-1463-1 DSA-1460-1} - postgresql-8.2 8.2.6-1 - postgresql-8.1 8.1.11-1 - tcl8.3 (only builds with UCS-4 internal char encoding affected, Debian builds use UCS-2 referring to maintainer) - tcl8.4 (only builds with UCS-4 internal char encoding affected, Debian builds use UCS-2 referring to maintainer) [sarge] - postgresql CVE-2007-4768 (Heap-based buffer overflow in Perl-Compatible Regular Expression (PCRE ...) {DSA-1570-1 DSA-1399-1 DTSA-77-1} - pcre3 7.3-1 - kazehakase 0.5.2-1 - glib2.0 2.14.3-1 (unimportant) NOTE: glib only embeds pcre in the udeb, no attack vector CVE-2007-4767 (Perl-Compatible Regular Expression (PCRE) library before 7.3 does not ...) {DSA-1570-1 DSA-1399-1 DTSA-77-1} - pcre3 7.3-1 - kazehakase 0.5.2-1 - glib2.0 2.14.3-1 (unimportant) NOTE: glib only embeds pcre in the udeb, no attack vector CVE-2007-4766 (Multiple integer overflows in Perl-Compatible Regular Expression (PCRE ...) {DSA-1570-1 DSA-1399-1 DTSA-77-1} - pcre3 7.3-1 - kazehakase 0.5.2-1 - glib2.0 2.14.3-1 (unimportant) NOTE: glib only embeds pcre in the udeb, no attack vector CVE-2007-4765 RESERVED CVE-2007-4764 (Directory traversal vulnerability in pawfaliki.php in Pawfaliki 0.5.1 ...) NOT-FOR-US: Pawfaliki CVE-2007-4763 (PHP remote file inclusion vulnerability in dbmodules/DB_adodb.class.ph ...) NOT-FOR-US: PHPOF CVE-2007-4762 (Multiple SQL injection vulnerabilities in embadmin/login.asp in E-SMAR ...) NOT-FOR-US: E-SMARTCART CVE-2007-4761 (Unrestricted file upload vulnerability in upload.php in Barbo91 1.1 al ...) NOT-FOR-US: Barbo91 CVE-2007-4760 (The javadoc tool in Cosminexus Developer's Kit for Java in Cosminexus ...) NOT-FOR-US: Cosminexus Developer's Kit CVE-2007-4759 (Multiple unspecified vulnerabilities in the image-processing APIs in C ...) NOT-FOR-US: Cosminexus Developer's Kit CVE-2007-4758 (Multiple buffer overflows in the image-processing APIs in Cosminexus D ...) NOT-FOR-US: Cosminexus Developer's Kit CVE-2007-4757 (PHP remote file inclusion vulnerability in menu.php in phpMytourney al ...) NOT-FOR-US: phpMytourney CVE-2007-4756 (Directory traversal vulnerability in the FTP client in Total Commander ...) NOT-FOR-US: Total Commander CVE-2007-4755 (Alien Arena 2007 6.10 and earlier allows remote attackers to cause a d ...) - alien-arena 6.05-4.1 (low; bug #442075) CVE-2007-4754 (Format string vulnerability in the safe_bprintf function in acesrc/ace ...) - alien-arena 6.05-4.1 (medium; bug #442075) CVE-2007-4753 (The Thomson ST 2030 SIP phone with software 1.52.1 allows remote attac ...) NOT-FOR-US: Thomson ST 2030 SIP phone CVE-2007-4751 (RemoteDocs R-Viewer before 1.6.3768 stores encrypted RDZ file data in ...) NOT-FOR-US: RemoteDocs R-Viewer CVE-2007-4750 (Unspecified vulnerability in RemoteDocs R-Viewer before 1.6.3768 allow ...) NOT-FOR-US: RemoteDocs R-Viewer CVE-2007-4749 (The cmdjob utility in Autodesk Backburner 3.0.2 allows remote attacker ...) NOT-FOR-US: Autodesk Backburner CVE-2007-4752 (ssh in OpenSSH before 4.7 does not properly handle when an untrusted c ...) {DSA-1576-1} - openssh 1:4.7p1-1 (low; bug #444738) [etch] - openssh (minor issue in weak security measure) [sarge] - openssh (minor issue in weak security measure) NOTE: An exploit needs limited control over the machine running a NOTE: trusted X client, so this is only a slight privilege NOTE: escalation. The X Security extension is merely an afterthought NOTE: and is unlikely to provide strong security guarantees. CVE-2007-4748 (Buffer overflow in the PowerPlayer.dll ActiveX control in PPStream 2.0 ...) NOT-FOR-US: PowerPlayer CVE-2007-4747 (The telnet service in Cisco Video Surveillance IP Gateway Encoder/Deco ...) NOT-FOR-US: Cisco firmware CVE-2007-4746 (The Cisco Video Surveillance IP Gateway Encoder/Decoder (Standalone an ...) NOT-FOR-US: Cisco firmware CVE-2007-4745 (Multiple cross-site scripting (XSS) vulnerabilities in the AkoBook 3.4 ...) NOT-FOR-US: AkoBook CVE-2007-4744 (PHP remote file inclusion vulnerability in environment.php in AnyInven ...) NOT-FOR-US: AnyInventory CVE-2007-4742 (Claroline before 1.8.6 allows remote authenticated administrators to o ...) NOT-FOR-US: Claroline CVE-2007-4741 (Cross-site scripting (XSS) vulnerability in admin/adminusers.php in Cl ...) NOT-FOR-US: Claroline CVE-2007-4740 (The HPRevolutionRegistryManager ActiveX control in Hp.Revolution.Regis ...) NOT-FOR-US: HPRevolutionRegistryManager CVE-2007-4739 (reprepro 1.3.0 through 2.2.3 does not properly verify signatures when ...) {DSA-1394-1} - reprepro 2.2.4-1 (high; bug #440535) NOTE: patch for etch in the BTS [sarge] - reprepro (Vulnerable code introduced in 1.3.0) CVE-2007-4738 (Multiple PHP remote file inclusion vulnerabilities in SpeedTech PHP Li ...) NOT-FOR-US: SpeedTech PHP Library CVE-2007-4737 (Multiple PHP remote file inclusion vulnerabilities in SpeedTech PHP Li ...) NOT-FOR-US: SpeedTech PHP Library CVE-2007-4736 (SQL injection vulnerability in category.php in CartKeeper CKGold Shopp ...) NOT-FOR-US: CartKeeper CKGold Shopping Cart CVE-2007-4735 (Buffer overflow in Next Generation Software Virtual DJ (VDJ) 5.0 allow ...) NOT-FOR-US: Virtual DJ CVE-2007-4734 (Buffer overflow in Ots Labs OTSTurntables 1.00 allows user-assisted re ...) NOT-FOR-US: OTSTurntables CVE-2007-4733 (The Aztech DSL600EU router, when WAN access to the web interface is di ...) NOT-FOR-US: Aztech firmware CVE-2007-4732 (Unspecified vulnerability in the strfreectty function in the Special F ...) NOT-FOR-US: Special File System CVE-2004-2685 (Buffer overflow in YoungZSoft CCProxy 6.2 and earlier allows remote at ...) NOT-FOR-US: Ccproxy CVE-2007-4743 (The original patch for CVE-2007-3999 in svc_auth_gss.c in the RPCSEC_G ...) {DSA-1387-1 DSA-1367-1} - krb5 1.6.dfsg.1-7 (high; bug #441209) [sarge] - krb5 (Vulnerable code not present) - librpcsecgss 0.14-4 (high; bug #441393) NOTE: http://article.gmane.org/gmane.comp.encryption.kerberos.announce/86 NOTE: 1.6.dfsg.1-7 somehow already includes the updated version CVE-2007-4731 (Stack-based buffer overflow in the TMregChange function in TMReg.dll i ...) NOT-FOR-US: Trend Micro ServerProtect CVE-2007-4730 (Buffer overflow in the compNewPixmap function in compalloc.c in the Co ...) {DSA-1372-1 DTSA-73-1} - xorg-server 2:1.4-1 NOTE: XFree86 is not affected CVE-2007-4729 RESERVED CVE-2007-4728 RESERVED CVE-2007-4727 (Buffer overflow in the fcgi_env_add function in mod_proxy_backend_fast ...) {DSA-1362-1} - lighttpd 1.4.18-1 (medium; bug #441555) NOTE: http://www.lighttpd.net/assets/2007/9/9/lighttpd_sa_2007_12.txt NOTE: http://www.lighttpd.net/download/lighttpd-1.4.x_mod_fastcgi_overrun.patch NOTE: http://www.milw0rm.com/exploits/4391 CVE-2007-4726 (Directory traversal vulnerability in Web Oddity 0.09b allows remote at ...) NOT-FOR-US: Web Oddity CVE-2007-4725 (Stack consumption vulnerability in AkkyWareHOUSE 7-zip32.dll before 4. ...) NOT-FOR-US: AkkyWareHOUSE CVE-2007-4724 (Cross-site request forgery (CSRF) vulnerability in cal2.jsp in the cal ...) - tomcat5.5 (Version already ships fixed files) - tomcat5 (unimportant; bug #441205) - libservlet2.4-java 5.0.30-6 (unimportant) NOTE: DSA should not be required, minor issue, jsp just present as example CVE-2007-4723 (Directory traversal vulnerability in Ragnarok Online Control Panel 4.3 ...) NOT-FOR-US: Ragnarok CVE-2007-4722 (Multiple stack-based buffer overflows in the Quantum Streaming Interne ...) NOT-FOR-US: Quantum Streaming CVE-2007-4721 REJECTED CVE-2007-4720 (Unspecified vulnerability in the Shared Trace Service in Hitachi JP1/C ...) NOT-FOR-US: Hitachi CVE-2007-4719 (SQL injection vulnerability in read.php in 212cafeBoard 6.30 Beta allo ...) NOT-FOR-US: 212cafeBoard CVE-2007-4718 (Directory traversal vulnerability in inc/lib/language.lib.php in Claro ...) NOT-FOR-US: Claroline CVE-2007-4717 (Multiple cross-site scripting (XSS) vulnerabilities in Claroline befor ...) NOT-FOR-US: Claroline CVE-2007-4716 (Multiple SQL injection vulnerabilities in PHD Help Desk before 1.31 al ...) NOT-FOR-US: PHD Help Desk CVE-2007-4715 (Multiple PHP remote file inclusion vulnerabilities in Weblogicnet allo ...) NOT-FOR-US: Weblogicnet CVE-2007-4714 (SQL injection vulnerability in error_view.php in Yvora 1.0 allows remo ...) NOT-FOR-US: Yvora CVE-2007-4713 (Multiple cross-site scripting (XSS) vulnerabilities in urchin.cgi in U ...) NOT-FOR-US: Urchin CVE-2007-4712 (PHP remote file inclusion vulnerability in index.php in eNetman 1 allo ...) NOT-FOR-US: eNetman CVE-2007-4711 (Multiple cross-site scripting (XSS) vulnerabilities in Toms Gaestebuch ...) NOT-FOR-US: Toms Gaestebuch CVE-2007-4710 (Unspecified vulnerability in ColorSync in Apple Mac OS X 10.4.11 allow ...) NOT-FOR-US: Apple Mac OS X CVE-2007-4709 (Directory traversal vulnerability in CFNetwork in Apple Mac OS X 10.5. ...) NOT-FOR-US: CFNetwork (Apple Mac OS X) CVE-2007-4708 (Format string vulnerability in Address Book in Apple Mac OS X 10.4.11 ...) NOT-FOR-US: Address Book (Apple Mac OS X) CVE-2007-4707 (Multiple unspecified vulnerabilities in the Flash media handler in App ...) NOT-FOR-US: Apple QuickTime CVE-2007-4706 (Heap-based buffer overflow in Apple QuickTime before 7.3.1 allows remo ...) NOT-FOR-US: Apple QuickTime CVE-2007-4705 RESERVED CVE-2007-4704 (The Application Firewall in Apple Mac OS X 10.5 does not apply changed ...) NOT-FOR-US: Mac OS X CVE-2007-4703 (The Application Firewall in Apple Mac OS X 10.5 does not prevent a roo ...) NOT-FOR-US: Mac OS X CVE-2007-4702 (The Application Firewall in Apple Mac OS X 10.5, when "Block all incom ...) NOT-FOR-US: Mac OS X CVE-2007-4701 (WebKit on Apple Mac OS X 10.4 through 10.4.10 does not create temporar ...) NOT-FOR-US: Apple Mac OS X CVE-2007-4700 (Unspecified vulnerability in WebKit on Apple Mac OS X 10.4 through 10. ...) NOT-FOR-US: Apple Mac OS X CVE-2007-4699 (The default configuration of Safari in Apple Mac OS X 10.4 through 10. ...) NOT-FOR-US: Apple Mac OS X CVE-2007-4698 (Apple Safari 3 before Beta Update 3.0.4 on Windows, and Mac OS X 10.4 ...) NOT-FOR-US: Apple Mac OS X, Windows CVE-2007-4697 (Unspecified vulnerability in WebCore in Apple Mac OS X 10.4 through 10 ...) NOT-FOR-US: Apple Mac OS X CVE-2007-4696 (Race condition in WebCore in Apple Mac OS X 10.4 through 10.4.10 allow ...) NOT-FOR-US: Apple Mac OS X CVE-2007-4695 (Unspecified "input validation" vulnerability in WebCore in Apple Mac O ...) NOT-FOR-US: Apple Mac OS X CVE-2007-4694 (Safari in Apple Mac OS X 10.4 through 10.4.10 allows remote attackers ...) NOT-FOR-US: Apple Mac OS X CVE-2007-4693 (The SecurityAgent component in Mac OS X 10.4 through 10.4.10 allows at ...) NOT-FOR-US: Apple Mac OS X CVE-2007-4692 (The tabbed browsing feature in Apple Safari 3 before Beta Update 3.0.4 ...) NOT-FOR-US: Apple Mac OS X CVE-2007-4691 (The NSURL component in Apple Mac OS X 10.4 through 10.4.10 performs ca ...) NOT-FOR-US: Apple Mac OS X CVE-2007-4690 (Double free vulnerability in the NFS component in Apple Mac OS X 10.4 ...) NOT-FOR-US: Apple Mac OS X CVE-2007-4689 (Double free vulnerability in the Networking component in Apple Mac OS ...) NOT-FOR-US: Apple Mac OS X CVE-2007-4688 (The Networking component in Apple Mac OS X 10.4 through 10.4.10 allows ...) NOT-FOR-US: Apple Mac OS X CVE-2007-4687 (The remote_cmds component in Apple Mac OS X 10.4 through 10.4.10 conta ...) NOT-FOR-US: Apple Mac OS X CVE-2007-4686 (Integer signedness error in the ttioctl function in bsd/kern/tty.c in ...) NOT-FOR-US: Apple Mac OS X CVE-2007-4685 (The kernel in Apple Mac OS X 10.4 through 10.4.10 allows local users t ...) NOT-FOR-US: Apple Mac OS X CVE-2007-4684 (Integer overflow in the kernel in Apple Mac OS X 10.4 through 10.4.10 ...) NOT-FOR-US: Apple Mac OS X CVE-2007-4683 (Directory traversal vulnerability in the kernel in Apple Mac OS X 10.4 ...) NOT-FOR-US: Apple Mac OS X CVE-2007-4682 (CoreText in Apple Mac OS X 10.4 through 10.4.10 allows attackers to ca ...) NOT-FOR-US: Apple Mac OS X CVE-2007-4681 (Buffer overflow in CoreFoundation in Apple Mac OS X 10.3.9 and 10.4 th ...) NOT-FOR-US: Apple Mac OS X CVE-2007-4680 (CFNetwork in Apple Mac OS X 10.3.9 and 10.4 through 10.4.10 does not p ...) NOT-FOR-US: Apple Mac OS X CVE-2007-4679 (CFFTP in CFNetwork for Apple Mac OS X 10.4 through 10.4.10 allows remo ...) NOT-FOR-US: Apple Mac OS X CVE-2007-4678 (AppleRAID in Apple Mac OS X 10.3.9 and 10.4 through 10.4.10 allows att ...) NOT-FOR-US: Apple Mac OS X CVE-2007-4677 (Heap-based buffer overflow in Apple QuickTime before 7.3 allows remote ...) NOT-FOR-US: Apple QuickTime CVE-2007-4676 (Heap-based buffer overflow in Apple QuickTime before 7.3 allows remote ...) NOT-FOR-US: Apple QuickTime CVE-2007-4675 (Heap-based buffer overflow in the QuickTime VR extension 7.2.0.240 in ...) NOT-FOR-US: Apple QuickTime CVE-2007-4674 (An "integer arithmetic" error in Apple QuickTime 7.2 allows remote att ...) NOT-FOR-US: Apple QuickTime CVE-2007-4673 (Argument injection vulnerability in Apple QuickTime 7.2 for Windows XP ...) NOT-FOR-US: Apple QuickTime CVE-2007-4672 (Stack-based buffer overflow in Apple QuickTime before 7.3 allows remot ...) NOT-FOR-US: Apple QuickTime CVE-2007-4671 (Unspecified vulnerability in Safari in Apple iPhone 1.1.1, and Safari ...) NOT-FOR-US: Safari CVE-2007-4670 (Unspecified vulnerability in PHP before 5.2.4 has unknown impact and a ...) - php5 5.2.4-1 (unimportant) - php4 (unimportant) NOTE: This refers to an improved fix for MOPB 03-2007, which is CVE-2007-1285 and a non-issue CVE-2007-4669 (The Services API in Firebird before 2.0.2 allows remote authenticated ...) {DSA-1529-1} - firebird2.0 2.0.3.12981.ds1-1 (bug #441405) [etch] - firebird2 (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 CVE-2007-4668 (Unspecified vulnerability in the server in Firebird before 2.0.2 allow ...) {DSA-1529-1} - firebird2.0 2.0.3.12981.ds1-1 (bug #441405) [etch] - firebird2 (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 CVE-2007-4667 (Unspecified vulnerability in the Services API in Firebird before 2.0.2 ...) {DSA-1529-1} - firebird2.0 2.0.3.12981.ds1-1 (bug #441405) [etch] - firebird2 (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 CVE-2007-4666 (Unspecified vulnerability in the server in Firebird before 2.0.2, when ...) {DSA-1529-1} - firebird2.0 2.0.3.12981.ds1-1 (bug #441405) [etch] - firebird2 (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 CVE-2007-4665 (Unspecified vulnerability in the server in Firebird before 2.0.2 allow ...) {DSA-1529-1} - firebird2.0 2.0.3.12981.ds1-1 (bug #441405) [etch] - firebird2 (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 CVE-2007-4664 (Unspecified vulnerability in the (1) attach database and (2) create da ...) {DSA-1529-1} - firebird2.0 2.0.3.12981.ds1-1 (bug #441405) [etch] - firebird2 (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 CVE-2007-4663 (Directory traversal vulnerability in PHP before 5.2.4 allows attackers ...) - php5 5.2.4-1 (unimportant) NOTE: open_basedir not supported CVE-2007-4662 (Buffer overflow in the php_openssl_make_REQ function in PHP before 5.2 ...) {DSA-1444-1 DTSA-61-1} - php5 5.2.4-1 NOTE: fixed in php5/etch svn NOTE: fix is at http://cvs.php.net/viewcvs.cgi/php-src/ext/openssl/openssl.c?r1=1.146&r2=1.147 CVE-2007-4661 (The chunk_split function in string.c in PHP 5.2.3 does not properly ca ...) - php5 5.2.4-1 (unimportant) NOTE: This CVE refers to an incomplete fix for CVE-2007-2872, an issue only NOTE: triggerable by malicious script CVE-2007-4660 (Unspecified vulnerability in the chunk_split function in PHP before 5. ...) {DSA-1444-1 DTSA-61-1} - php5 5.2.4-1 NOTE: fixed in php5/etch svn NOTE: http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.445.2.14.2.60&r2=1.445.2.14.2.61&pathrev=PHP_5_2 NOTE: http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.445.2.14.2.61&r2=1.445.2.14.2.62&pathrev=PHP_5_2 CVE-2007-4659 (The zend_alter_ini_entry function in PHP before 5.2.4 does not properl ...) {DTSA-61-1} - php5 5.2.4-1 (low) [etch] - php5 (Backport prone to regressions, causes more problems that it does resolved, minor issue anyway) CVE-2007-4658 (The money_format function in PHP 5 before 5.2.4, and PHP 4 before 4.4. ...) {DSA-1444-1 DTSA-61-1} - php5 5.2.4-1 (low) NOTE: fixed in php5/etch svn NOTE: http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/string.c?r1=1.640&r2=1.641, starting "Line 7667" NOTE: limited format string vulnerability, the will be put into strfmon and the format string chars are limited to i,n and % CVE-2007-4657 (Multiple integer overflows in PHP 4 before 4.4.8, and PHP 5 before 5.2 ...) {DSA-1578-1 DSA-1444-1 DTSA-61-1} - php5 5.2.4-1 - php4 NOTE: http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/string.c?r1=1.640&r2=1.641 NOTE: Only exploitable by malicious script CVE-2007-4656 (backup-manager-upload in Backup Manager before 0.6.3 provides the FTP ...) {DSA-1518-1} - backup-manager 0.7.6-3 (bug #439392) CVE-2007-4655 (Multiple directory traversal vulnerabilities in CGI RESCUE Shopping Ba ...) NOT-FOR-US: CGI RESCUE Shopping Basket CVE-2007-4654 (Unspecified vulnerability in SSHield 1.6.1 with OpenSSH 3.0.2p1 on Cis ...) NOT-FOR-US: SSHield CVE-2007-4653 (SQL injection vulnerability in links.php in the Links MOD 1.2.2 and ea ...) NOT-FOR-US: Cisco Content Services Switch CVE-2007-4652 (The session extension in PHP before 5.2.4 might allow local users to b ...) - php5 5.2.4-1 (unimportant) NOTE: open_basedir() not supported CVE-2007-4651 (Unspecified vulnerability in Adobe Connect Enterprise Server 6 allows ...) NOT-FOR-US: Adobe Connect Enterprise Server CVE-2007-4650 (Multiple unspecified vulnerabilities in Gallery before 2.2.3 allow att ...) {DSA-1404-1} - gallery2 2.2.3-1 NOTE: does not affect gallery 1.x (package 'gallery') CVE-2005-4861 (functions.php in Ragnarok Online Control Panel (ROCP) 4.3.4a allows re ...) NOT-FOR-US: Ragnarok CVE-2007-4649 (MicroWorld eScan Virus Control 9.0.722.1, Anti-Virus 9.0.722.1, and In ...) NOT-FOR-US: MicroWorld eScan Virus Contro CVE-2007-4648 (The nvcoaft51 driver in Norman Virus Control (NVC) 5.82 uses weak perm ...) NOT-FOR-US: Norman Virus Control CVE-2007-4647 (newswire/uploadmedia.cgi in 2coolcode Our Space (Ourspace) 2.0.9 allow ...) NOT-FOR-US: Ourspace CVE-2007-4646 (Buffer overflow in the pop3 service in Hexamail Server 3.0.0.001 Lite ...) NOT-FOR-US: Hexamail CVE-2007-4645 (SQL injection vulnerability in index.php in NMDeluxe 2.0.0 allows remo ...) NOT-FOR-US: NMDeluxe CVE-2007-4644 (Format string vulnerability in the Cl_GetPackets function in cl_main.c ...) NOT-FOR-US: Doomsday/deng CVE-2007-4643 (Integer underflow in Doomsday (aka deng) 1.9.0-beta5.1 and earlier all ...) NOT-FOR-US: Doomsday/deng CVE-2007-4642 (Multiple buffer overflows in Doomsday (aka deng) 1.9.0-beta5.1 and ear ...) NOT-FOR-US: Doomsday/deng CVE-2007-4641 (Directory traversal vulnerability in index.php in Pakupaku CMS 0.4 and ...) NOT-FOR-US: Pakupaku CVE-2007-4640 (Unrestricted file upload vulnerability in index.php in Pakupaku CMS 0. ...) NOT-FOR-US: Pakupaku CVE-2007-4639 (EnterpriseDB Advanced Server 8.2 does not properly handle certain debu ...) NOT-FOR-US: EnterpriseDB CVE-2007-4638 (Blizzard Entertainment StarCraft Brood War 1.15.1 and earlier allows r ...) NOT-FOR-US: StarCraft CVE-2007-4637 (xGB.php in xGB 2.0 does not require authentication for an admin edit a ...) NOT-FOR-US: xGB CVE-2007-4636 (Multiple PHP remote file inclusion vulnerabilities in phpBG 0.9.1 allo ...) NOT-FOR-US: phpBG CVE-2007-4635 (Yahoo! Messenger 8.1.0.209 and 8.1.0.402 allows remote attackers to ca ...) NOT-FOR-US: Yahoo! Messenger CVE-2007-4634 (Multiple SQL injection vulnerabilities in Cisco CallManager and Unifie ...) NOT-FOR-US: Cisco CVE-2007-4633 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco CallManag ...) NOT-FOR-US: Cisco CVE-2007-4632 (Cisco IOS 12.2E, 12.2F, and 12.2S places a "no login" line into the VT ...) NOT-FOR-US: Cisco CVE-2007-4631 (The DataLoader::doStart function in dataloader.cpp in QGit 1.5.6 and o ...) - qgit 1.5.5-1.1 (bug #440950; low) [etch] - qgit (Minor issue) CVE-2008-0061 (MaraDNS 1.0 before 1.0.41, 1.2 before 1.2.12.08, and 1.3 before 1.3.07 ...) {DSA-1445-1} - maradns 1.2.12.08-1 NOTE: http://marc.info/?l=maradns-list&m=118842373527534&w=2 CVE-2007-4630 (Cross-site scripting (XSS) vulnerability in xlaapmview.asp in Absolute ...) NOT-FOR-US: Absolute Poll Manager CVE-2007-4629 (Buffer overflow in the processLine function in maptemplate.c in MapSer ...) {DSA-1539-1} - mapserver 4.10.3-1 CVE-2007-4628 (SQL injection vulnerability in shownews.php in phpns 1.1 allows remote ...) NOT-FOR-US: phpns CVE-2007-4627 (SQL injection vulnerability in index.php in ABC eStore 3.0 allows remo ...) NOT-FOR-US: ABC eStore CVE-2007-4626 (Unspecified vulnerability in Polipo before 1.0.2 allows remote attacke ...) - polipo 1.0.2-1 (low) [sarge] - polipo (Minor issue) [etch] - polipo (Minor issue) CVE-2007-4625 (Polipo before 1.0.2 allows remote HTTP servers to cause a denial of se ...) - polipo 1.0.2-1 (low) [sarge] - polipo (Minor issue) [etch] - polipo (Minor issue) CVE-2007-4624 (Cross-site scripting (XSS) vulnerability in pframe.php in AbleDesign D ...) NOT-FOR-US: AbleDesign Dynamic Picture Frame CVE-2007-4623 (Stack-based buffer overflow in the sendrmt function in bellmail in IBM ...) NOT-FOR-US: IBM AIX CVE-2007-4622 (Integer underflow in the dns_name_fromtext function in (1) libdns_nons ...) NOT-FOR-US: IBM AIX CVE-2007-4621 (Buffer overflow in crontab in IBM AIX 5.2 allows local users to gain p ...) NOT-FOR-US: IBM AIX CVE-2007-4620 (Multiple stack-based buffer overflows in Computer Associates (CA) Aler ...) NOT-FOR-US: CA products CVE-2007-4619 (Multiple integer overflows in Free Lossless Audio Codec (FLAC) libFLAC ...) {DSA-1469-1} - flac 1.2.1-1 (medium) CVE-2007-4618 (Unspecified vulnerability in BEA WebLogic Server 6.1 Gold through SP7 ...) NOT-FOR-US: BEA WebLogic CVE-2007-4617 (Unspecified vulnerability in BEA WebLogic Server 6.1 Gold through SP7, ...) NOT-FOR-US: BEA WebLogic CVE-2007-4616 (The SSL server implementation in BEA WebLogic Server 7.0 Gold through ...) NOT-FOR-US: BEA WebLogic CVE-2007-4615 (The SSL client implementation in BEA WebLogic Server 7.0 SP7, 8.1 SP2 ...) NOT-FOR-US: BEA WebLogic CVE-2007-4614 (BEA WebLogic Server 9.1 does not properly handle propagation of an adm ...) NOT-FOR-US: BEA WebLogic CVE-2007-4613 (SSL libraries in BEA WebLogic Server 6.1 Gold through SP7, 7.0 Gold th ...) NOT-FOR-US: BEA WebLogic CVE-2007-4612 (CRLF injection vulnerability in contact.php in Moonware (aka Dale Moon ...) NOT-FOR-US: Moonware CVE-2007-4611 (SQL injection vulnerability in viewevent.php in Moonware (aka Dale Moo ...) NOT-FOR-US: Moonware CVE-2007-4610 (Unrestricted file upload vulnerability in config/upload.php in Moonwar ...) NOT-FOR-US: Moonware CVE-2007-4609 (eyeOS uses predictable checksum values in the checknum parameter for a ...) NOT-FOR-US: eyeOS CVE-2007-4608 (PHP remote file inclusion vulnerability in protection.php in ePersonne ...) NOT-FOR-US: ePersonnel CVE-2007-4607 (Buffer overflow in the EasyMailSMTPObj ActiveX control in emsmtp.dll 6 ...) NOT-FOR-US: EasyMailSMTPObj ActiveX control CVE-2007-4606 (PHP remote file inclusion vulnerability in convert/mvcw_conver.php in ...) NOT-FOR-US: Php-Nuke CVE-2007-4605 (PHP remote file inclusion vulnerability in convert/mvcw.php in Virtual ...) NOT-FOR-US: Vwar CVE-2007-4604 (SQL injection vulnerability in viewitem.php in DL PayCart 1.01 allows ...) NOT-FOR-US: DL PayCart CVE-2007-4603 (Multiple SQL injection vulnerabilities in index.php in ACG News 1.0 al ...) NOT-FOR-US: ACG news CVE-2007-4602 (SQL injection vulnerability in cms/revert-content.php in Implied by De ...) NOT-FOR-US: Micro-CMS CVE-2007-4600 (The "Protect Worksheet" functionality in Mathsoft Mathcad 12 through 1 ...) NOT-FOR-US: Mathsoft Mathcad CVE-2007-4599 (Stack-based buffer overflow in RealNetworks RealPlayer 10 and possibly ...) NOT-FOR-US: RealPlayer CVE-2007-4598 (IBM SurePOS 500 has (1) a default password of "12345" for the manager ...) NOT-FOR-US: IBM CVE-2007-4597 (SQL injection vulnerability in index.php in TurnkeyWebTools SunShop Sh ...) NOT-FOR-US: SunShop Shopping Cart CVE-2007-4596 (The perl extension in PHP does not follow safe_mode restrictions, whic ...) - php5 (unimportant) NOTE: Safe mode violations not treated as vulnerabilities CVE-2007-4595 (Cross-site scripting (XSS) vulnerability in Mayaa before 1.1.12 allows ...) NOT-FOR-US: Mayaa CVE-2007-4594 (Entrust Entelligence Security Provider (ESP) 8 does not properly valid ...) NOT-FOR-US: Entrust Entelligence Security Provider CVE-2007-4593 (Unspecified vulnerability in vstor2-ws60.sys in VMWare Workstation 6.0 ...) - vmware-package (Only vulnerable on windows hosted systems) CVE-2007-4592 (Multiple cross-site scripting (XSS) vulnerabilities in the web interfa ...) NOT-FOR-US: Rational CVE-2007-4591 (vstor-ws60.sys in VMWare Workstation 6.0 allows local users to cause a ...) - vmware-package (Only vulnerable on windows hosted systems) CVE-2007-4590 (The get_system_info command in Ignite-UX C.7.0 through C.7.3, and DynR ...) NOT-FOR-US: Ignite-UX CVE-2007-4589 (Multiple cross-site scripting (XSS) vulnerabilities in InterWorx Hosti ...) NOT-FOR-US: InterWorx Hosting Control Panel CVE-2007-4588 (Multiple cross-site scripting (XSS) vulnerabilities in InterWorx Hosti ...) NOT-FOR-US: InterWorx Hosting Control Panel CVE-2007-4587 (Cross-site scripting (XSS) vulnerability in Easy Software Cafeteria es ...) NOT-FOR-US: escafeWeb CVE-2007-4586 (Multiple buffer overflows in php_iisfunc.dll in the iisfunc extension ...) NOT-FOR-US: iisfunc (windows only) CVE-2007-4585 (Directory traversal vulnerability in activateuser.php in 2532|Gigs 1.2 ...) NOT-FOR-US: 2532|Gigs CVE-2007-4584 (Stack-based buffer overflow in BitchX 1.1 Final allows remote IRC serv ...) - ircii-pana (medium; bug #443544) CVE-2007-4583 (Multiple absolute path traversal vulnerabilities in the nvUtility.Util ...) NOT-FOR-US: ACTi Network Video Recorder CVE-2007-4582 (Buffer overflow in the nvUnifiedControl.AUnifiedControl.1 ActiveX cont ...) NOT-FOR-US: ACTi Network Video Recorder CVE-2007-4581 (SQL injection vulnerability in acrotxt.php in WBB2-Addon: Acrotxt 1 al ...) NOT-FOR-US: WBB2-Addon: Acrotxt 1 CVE-2007-4601 (A regression error in tcp-wrappers 7.6.dbs-10 and 7.6.dbs-11 might all ...) - tcp-wrappers 7.6.dbs-12 (bug #405342; medium) [etch] - tcp-wrappers (Vulnerability was introduced in -10) [sarge] - tcp-wrappers (Vulnerability was introduced in -10) CVE-2007-4580 (Buffer underflow in redlight.sys in BufferZone 2.1 and 2.5 allows loca ...) NOT-FOR-US: BufferZone (Windows) CVE-2007-4579 REJECTED CVE-2007-4578 (Sophos Anti-Virus for Windows and for Unix/Linux before 2.48.0 allows ...) NOT-FOR-US: Sophos CVE-2007-4577 (Sophos Anti-Virus for Unix/Linux before 2.48.0 allows remote attackers ...) NOT-FOR-US: Sophos CVE-2007-4576 REJECTED CVE-2007-4575 (HSQLDB before 1.8.0.9, as used in OpenOffice.org (OOo) 2 before 2.3.1, ...) {DSA-1419-1} - openoffice.org 2.3.1~rc1-1 (medium; bug #454463) - hsqldb 1.8.0.9-1 CVE-2007-4574 (Unspecified vulnerability in the "stack unwinder fixes" in kernel in R ...) - linux-2.6 (Redhat specific vulnerability) NOTE: I contacted the redhat security team about this, this was caused by an incomplete NOTE: backport for stack unwinder fixes in the linux kernel made by them. NOTE: redhat sent a reproducer to the vendor-sec list CVE-2007-4573 (The IA32 system call emulation functionality in Linux kernel 2.4.x and ...) {DSA-1504-1 DSA-1381-2 DSA-1378-2 DSA-1378-1} - linux-2.6 2.6.22-5 (medium) CVE-2007-4572 (Stack-based buffer overflow in nmbd in Samba 3.0.0 through 3.0.26a, wh ...) {DSA-1409-3 DSA-1409-2 DSA-1409-1} - samba 3.0.27-1 (high; bug #451385) CVE-2007-4571 (The snd_mem_proc_read function in sound/core/memalloc.c in the Advance ...) {DSA-1505-1 DSA-1479-1} - linux-2.6 2.6.22-5 (low; bug #444571) - alsa-driver 1.0.15-1 NOTE: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=600 NOTE: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ccec6e2c4a74adf76ed4e2478091a311b1806212 NOTE: very easy to exploit locally CVE-2007-4570 (Algorithmic complexity vulnerability in the MCS translation daemon in ...) NOT-FOR-US: MCS translation daemon CVE-2007-4569 (backend/session.c in KDM in KDE 3.3.0 through 3.5.7, when autologin is ...) {DSA-1376-1 DTSA-60-1} - kdebase 4:3.5.7-4 [sarge] - kdebase (problem not present in code) NOTE: http://www.kde.org/info/security/advisory-20070919-1.txt CVE-2007-4568 (Integer overflow in the build_range function in X.Org X Font Server (x ...) {DSA-1385-1} - xfs 1:1.0.5-1 CVE-2007-4567 (The ipv6_hop_jumbo function in net/ipv6/exthdrs.c in the Linux kernel ...) - linux-2.6 2.6.22-1 [etch] - linux-2.6 (Introduced in 2.6.20) CVE-2007-4566 (Multiple buffer overflows in the login mechanism in sidvault in Alpha ...) NOT-FOR-US: SIDVault CVE-2007-4565 (sink.c in fetchmail before 6.3.9 allows context-dependent attackers to ...) {DSA-1377-2} - fetchmail 6.3.8-8 (bug #440006; low) [etch] - fetchmail (Hardly a security problem) [sarge] - fetchmail (problem not present in source) CVE-2007-4564 (Cosminexus Manager in Cosminexus Application Server 07-00 and later mi ...) NOT-FOR-US: Hitachi Cosminexus CVE-2007-4563 (Cosminexus Manager in Cosminexus Application Server 06-50 and later mi ...) NOT-FOR-US: Hitachi Cosminexus CVE-2007-4562 (Unspecified vulnerability in Hitachi DABroker before 03-02-/D and Cosm ...) NOT-FOR-US: Hitachi DABroker CVE-2007-4561 (Heap-based buffer overflow in the RTSP service in Helix DNA Server bef ...) NOT-FOR-US: Helix DNA Server CVE-2007-4560 (clamav-milter in ClamAV before 0.91.2, when run in black hole mode, al ...) {DSA-1366-1} - clamav 0.91.2-1~volatile1 (high) CVE-2007-4559 (Directory traversal vulnerability in the (1) extract and (2) extractal ...) - python2.3 (unimportant) - python2.4 (unimportant; bug #440097) - python2.5 (unimportant; bug #440099) NOTE: According to upstream this is the intended behaviour for the module. NOTE: Since this is a library interface to embed Tar functionality into applications NOTE: it is in order to not provide the full security safety belts one might NOTE: expect from an enduser application like tar(1). Plus, addressing this would NOTE: mean to diverge from upstream permanently and could break the behaviour NOTE: of external apps. Anyone who wants to see this "fixed" should rather file NOTE: a PEP on an improved tar interface with additional security guarantees NOTE: provided by design. CVE-2007-4558 REJECTED CVE-2007-4557 (Cross-site scripting (XSS) vulnerability in the webacc servlet in Nove ...) NOT-FOR-US: Novell CVE-2007-4556 (Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0. ...) NOT-FOR-US: OpenSymphony XWork CVE-2007-4555 (Cross-site scripting (XSS) vulnerability in Ipswitch WS_FTP allows rem ...) NOT-FOR-US: Ipswitch WS_FTP CVE-2007-4554 (Cross-site scripting (XSS) vulnerability in tiki-remind_password.php i ...) - tikiwiki CVE-2007-4553 (The Thomson ST 2030 SIP phone with software 1.52.1 allows remote attac ...) NOT-FOR-US: Thomson ST 2030 SIP phone CVE-2007-4552 (SQL injection vulnerability in index.php in Agares Media Arcadem 2.01 ...) NOT-FOR-US: Agares Media Arcadem CVE-2007-4551 (PHP remote file inclusion vulnerability in index.php in Agares Media A ...) NOT-FOR-US: Agares Media Arcadem CVE-2007-4550 (Format string vulnerability in ALPass 2.7 English and 3.02 Korean migh ...) NOT-FOR-US: ALPass CVE-2007-4549 (Multiple buffer overflows in ALPass 2.7 English and 3.02 Korean allow ...) NOT-FOR-US: ALPass CVE-2007-4548 (The login method in LoginModule implementations in Apache Geronimo 2.0 ...) NOT-FOR-US: Apache Geronimo CVE-2007-4547 (Unreal Commander 0.92 build 565 and 573 writes portions of heap memory ...) NOT-FOR-US: Unreal Commander CVE-2007-4546 (Unreal Commander 0.92 build 565 and 573 lists the filenames from the C ...) NOT-FOR-US: Unreal Commander CVE-2007-4545 (Multiple directory traversal vulnerabilities in Unreal Commander 0.92 ...) NOT-FOR-US: Unreal Commander CVE-2007-4544 (Cross-site scripting (XSS) vulnerability in wp-newblog.php in WordPres ...) NOT-FOR-US: WordPress multi-user (MU) CVE-2007-4543 (Cross-site scripting (XSS) vulnerability in enter_bug.cgi in Bugzilla ...) - bugzilla 2.22.1-2.2 (low; bug #440106) [etch] - bugzilla (Affected code only shipped in example, minor issue anyway) [sarge] - bugzilla (Vulnerable code not present) CVE-2007-4542 (Multiple cross-site scripting (XSS) vulnerabilities in MapServer befor ...) {DSA-1539-1} - mapserver 4.10.3-1 (bug #439346) CVE-2007-4541 (Multiple cross-site scripting (XSS) vulnerabilities in Olate Download ...) NOT-FOR-US: Olate Download CVE-2007-4540 (Multiple SQL injection vulnerabilities in download.php in Olate Downlo ...) NOT-FOR-US: Olate Download CVE-2007-4539 (The WebService (XML-RPC) interface in Bugzilla 2.23.3 through 3.0.0 do ...) - bugzilla (Affected versions were never present in the archive) CVE-2007-4538 (email_in.pl in Bugzilla 2.23.4 through 3.0.0 allows remote attackers t ...) - bugzilla (Affected versions were never present in the archive) CVE-2007-4537 (Heap-based buffer overflow in the Huffman decompression algorithm impl ...) NOT-FOR-US: Skulltag CVE-2007-4536 (TorrentTrader 1.07 and earlier sets insecure permissions for files in ...) NOT-FOR-US: TorrentTrader CVE-2007-4535 (The VStr::Resize function in str.cpp in Vavoom 1.24 and earlier allows ...) NOT-FOR-US: Vavoom CVE-2007-4534 (Buffer overflow in the VThinker::BroadcastPrintf function in p_thinker ...) NOT-FOR-US: Vavoom CVE-2007-4533 (Format string vulnerability in the Say command in sv_main.cpp in Vavoo ...) NOT-FOR-US: Vavoom CVE-2007-4532 (Soldat game server 1.4.2 and earlier, and dedicated server 2.6.2 and e ...) NOT-FOR-US: Soldat game server CVE-2007-4531 (Soldat game server 1.4.2 and earlier, and dedicated server 2.6.2 and e ...) NOT-FOR-US: Soldat game server CVE-2007-4530 (Multiple cross-site scripting (XSS) vulnerabilities in TeamSpeak Serve ...) - teamspeak-server 2.0.23.19-1 CVE-2007-4529 (The WebAdmin interface in TeamSpeak Server 2.0.20.1 allows remote auth ...) - teamspeak-server 2.0.23.19-1 CVE-2007-4528 (The Foreign Function Interface (ffi) extension in PHP 5.0.5 does not f ...) NOT-FOR-US: ffi extension for php CVE-2007-4527 (Unrestricted file upload vulnerability in phUploader.php in phphq.Net ...) NOT-FOR-US: phUploader CVE-2007-4526 (The Client Login Extension (CLE) in Novell Identity Manager before 3.5 ...) NOT-FOR-US: Novell Identity Manager CVE-2007-4525 - spip 2.0.6-1 CVE-2007-4524 (PHP remote file inclusion vulnerability in adisplay.php in PhPress 0.2 ...) NOT-FOR-US: PhPress CVE-2007-4523 (Multiple cross-site scripting (XSS) vulnerabilities in Ripe Website Ma ...) NOT-FOR-US: Ripe Website Manager CVE-2007-4522 (Multiple SQL injection vulnerabilities in Ripe Website Manager 0.8.9 a ...) NOT-FOR-US: Ripe Website Manager CVE-2007-4521 (Asterisk Open Source 1.4.5 through 1.4.11, when configured to use an I ...) - asterisk (The voicemail backend is not enabled in Debian) [sarge] - asterisk (Only Asterisk 1.4.x is affected) [etch] - asterisk (Only Asterisk 1.4.x is affected) NOTE: Patch: http://lists.digium.com/pipermail/asterisk-commits/2007-August/015743.html NOTE: the backend will be enabled in future uploads with a fixed package. CVE-2007-4520 RESERVED CVE-2007-4519 RESERVED CVE-2007-4518 RESERVED CVE-2007-4517 (Buffer overflow in the XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA procedur ...) NOT-FOR-US: Oracle CVE-2007-4516 (The Volume Manager Scheduler Service (aka VxSchedService.exe) in Syman ...) NOT-FOR-US: Volume Manager Scheduler Service CVE-2007-4515 (Buffer overflow in a certain ActiveX control in YVerInfo.dll before 20 ...) NOT-FOR-US: Yahoo! Messenger CVE-2007-4514 (Unspecified vulnerability in HP ProCurve Manager and HP ProCurve Manag ...) NOT-FOR-US: HP ProCurve Manager CVE-2007-4513 (Multiple stack-based buffer overflows in IBM AIX 5.2 and 5.3 allow loc ...) NOT-FOR-US: IBM AIX CVE-2007-4512 (Cross-site scripting (XSS) vulnerability in Sophos Anti-Virus for Wind ...) NOT-FOR-US: Sophos Anti-Virus for Windows CVE-2007-4511 (The Sun Admin Console in Sun Application Server 9.0_0.1 does not apply ...) NOT-FOR-US: Sun Application Server CVE-2007-4510 (ClamAV before 0.91.2, as used in Kolab Server 2.0 through 2.2beta1 and ...) {DSA-1366-1} - clamav 0.91.2-1~volatile1 [sarge] - clamav (Vulnerable code not present) NOTE: Only exploitable if CL_EXPERIMENTAL is set CVE-2007-4509 (SQL injection vulnerability in index.php in the EventList component (c ...) NOT-FOR-US: EventList component for Joomla! CVE-2007-4508 (Stack-based buffer overflow in Rebellion Asura engine, as used for the ...) NOT-FOR-US: Rebellion Asura engine CVE-2007-4507 (Multiple buffer overflows in the php_ntuser component for PHP 5.2.3 al ...) NOT-FOR-US: External PHP component only relevant for Windows CVE-2007-4506 (SQL injection vulnerability in index.php in the NeoRecruit component ( ...) NOT-FOR-US: NeoRecruit component for Joomla! CVE-2007-4505 (SQL injection vulnerability in index.php in the RemoSitory component ( ...) NOT-FOR-US: RemoSitory component for Mambo CVE-2007-4504 (Directory traversal vulnerability in index.php in the RSfiles componen ...) NOT-FOR-US: RSfiles component for Joomla! CVE-2007-4503 (SQL injection vulnerability in index.php in the Nice Talk component (c ...) NOT-FOR-US: Nice Talk component for Joomla! CVE-2007-4502 (SQL injection vulnerability in index.php in the BibTeX component (com_ ...) NOT-FOR-US: BibTeX component for Joomla! CVE-2007-4501 (Unspecified vulnerability in PassphraseRequester in SSHKeychain before ...) NOT-FOR-US: SSHKeychain CVE-2007-4500 (Unspecified vulnerability in TunnelRunner in SSHKeychain before 0.8.2 ...) NOT-FOR-US: SSHKeychain CVE-2007-4499 (Unrestricted file upload vulnerability in output.php in American Finan ...) NOT-FOR-US: American Financing eMail Image Upload CVE-2007-4498 (The Grandstream SIP Phone GXV-3000 with firmware 1.0.1.7, Loader 1.0.0 ...) NOT-FOR-US: Grandstream SIP Phone CVE-2007-4497 (Unspecified vulnerability in EMC VMware Workstation before 5.5.5 Build ...) - vmware-package 0.16 CVE-2007-4496 (Unspecified vulnerability in EMC VMware Workstation before 5.5.5 Build ...) - vmware-package 0.16 CVE-2007-4495 (Unspecified vulnerability in the ata disk driver in Sun Solaris 10 on ...) NOT-FOR-US: Solaris CVE-2007-4494 (The tipafriend function in eZ publish before 3.8.9, and 3.9 before 3.9 ...) - ezpublish CVE-2007-4493 (eZ publish before 3.8.9, and 3.9 before 3.9.3, does not properly check ...) - ezpublish CVE-2007-4492 (Multiple unspecified vulnerabilities in the ata disk driver in Sun Sol ...) NOT-FOR-US: Solaris CVE-2007-4491 (SQL injection vulnerability in uyeler2.php in Gurur haber 2.0 allows r ...) NOT-FOR-US: Gurur haber CVE-2007-4490 (Multiple buffer overflows in EarthAgent.exe in Trend Micro ServerProte ...) NOT-FOR-US: Trend Micro CVE-2007-4489 (Buffer overflow in the IUAComFormX ActiveX control in uacomx.ocx 2.0.1 ...) NOT-FOR-US: eCentrex VOIP CVE-2007-4488 (Multiple cross-site scripting (XSS) vulnerabilities in the Siemens Gig ...) NOT-FOR-US: Siemens GigaSet firmware CVE-2007-4487 (Cross-site scripting (XSS) vulnerability in D22-Shoutbox for Invision ...) NOT-FOR-US: Invision Power Board CVE-2007-4486 (Multiple PHP remote file inclusion vulnerabilities in index.php in Lin ...) NOT-FOR-US: Linkliste CVE-2007-4485 (PHP remote file inclusion vulnerability in visitor.php in Butterfly on ...) NOT-FOR-US: Butterfly online visitors counter CVE-2007-4484 (PHP remote file inclusion vulnerability in login.php in My_REFERER 1.0 ...) NOT-FOR-US: My_REFERER CVE-2007-4483 (Cross-site scripting (XSS) vulnerability in index.php in the WordPress ...) {DSA-1285-1} - wordpress 2.1.3-1 (medium) CVE-2007-4482 (Cross-site scripting (XSS) vulnerability in index.php in the Pool 1.0. ...) NOT-FOR-US: Pool 1.0.7 theme for WordPress CVE-2007-4481 (Cross-site scripting (XSS) vulnerability in index.php in the (1) Blix ...) NOT-FOR-US: Rus themes for WordPress CVE-2007-4480 (Cross-site scripting (XSS) vulnerability in index.php in the Sirius 1. ...) NOT-FOR-US: Sirius 1.0 theme for WordPress CVE-2007-4479 (Cross-site scripting (XSS) vulnerability in search.html in Search Engi ...) NOT-FOR-US: Search Engine Builder CVE-2007-4478 (Cross-site scripting (XSS) vulnerability in Microsoft Internet Explore ...) NOT-FOR-US: Internet Explorer CVE-2007-4477 (The administration interface in the Planet VC-200M VDSL2 router allows ...) NOT-FOR-US: Planet VC-200M VDSL2 router CVE-2007-4476 (Buffer overflow in the safer_name_suffix function in GNU tar has unspe ...) {DSA-1566-1 DSA-1438-1} - tar 1.18-1 (low; bug #441444) - cpio 2.9-5 (low; bug #449222) CVE-2007-4475 (Stack-based buffer overflow in EAI WebViewer3D ActiveX control (webvie ...) NOT-FOR-US: EAI WebViewer3D ActiveX control CVE-2007-4474 (Multiple stack-based buffer overflows in the IBM Lotus Domino Web Acce ...) NOT-FOR-US: IBM Lotus Domino Web Access CVE-2007-4473 (Gesytec Easylon OPC Server before 2.3.44 does not properly validate se ...) NOT-FOR-US: Gesytec Easylon OPC Server CVE-2007-4472 (Multiple buffer overflows in the Broderbund Expressit 3DGreetings Play ...) NOT-FOR-US: Broderbund Expressit CVE-2007-4471 (Multiple unspecified vulnerabilities in the Intuit QuickBooks Online E ...) NOT-FOR-US: QuickBooks CVE-2007-4470 (Multiple stack-based buffer overflows in the Earth Resource Mapping NC ...) NOT-FOR-US: Earth Resource Mapping NCSView CVE-2007-4469 RESERVED CVE-2007-4468 RESERVED CVE-2007-4467 (Multiple stack-based buffer overflows in the Oracle JInitiator ActiveX ...) NOT-FOR-US: Oracle CVE-2007-4466 (Multiple stack-based buffer overflows in Electronic Arts (EA) SnoopyCt ...) NOT-FOR-US: Electronic Arts (EA) SnoopyCtrl ActiveX CVE-2006-7222 (Buffer overflow in the CFLICStream::_deltachunk function in FLICSource ...) NOT-FOR-US: Media Player Classic CVE-2003-1335 (Directory traversal vulnerability in Kai Blankenhorn Bitfolge simple a ...) NOT-FOR-US: snif CVE-2003-1334 (Cross-site scripting (XSS) vulnerability in Kai Blankenhorn Bitfolge s ...) NOT-FOR-US: snif CVE-2007-4465 (Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apa ...) - apache (low) - apache2 2.2.6-1 (bug #453783) [sarge] - apache (browser issue, low impact) [sarge] - apache2 (browser issue, low impact) NOTE: This is really a browser bug, see CVE-2006-5152. But still unfixed in MSIE. NOTE: Etch's default configuration not vulnerable due to AddDefaultCharset, NOTE: but many users change this. NOTE: The apache2 fix is actually a workaround. It will not be applied to apache 1.3. CVE-2007-4464 (CRLF injection vulnerability in the Fileinfo 2.0.9 plugin for Total Co ...) NOT-FOR-US: Total Commander CVE-2007-4463 (The Fileinfo 2.0.9 plugin for Total Commander allows user-assisted rem ...) NOT-FOR-US: Total Commander CVE-2007-4462 (lib/Locale/Po4a/Po.pm in po4a before 0.32 allows local users to overwr ...) - po4a 0.31-1 (bug #439226) [etch] - po4a 0.29-1etch1 [sarge] - po4a 0.20-2sarge1 CVE-2007-4461 (NuFW 2.2.3, and certain other versions after 2.0, allows remote attack ...) - nufw 2.2.4-1 (bug #439227) [etch] - nufw CVE-2007-4460 (The RenderV2ToFile function in tag_file.cpp in id3lib (aka libid3) 3.8 ...) {DSA-1365-3 DSA-1365-2 DSA-1365-1} - id3lib3.8.3 3.8.3-7 (low; bug #438540) CVE-2007-4459 (Cisco IP Phone 7940 and 7960 with P0S3-08-6-00 firmware, and other SIP ...) NOT-FOR-US: Cisco IP Phone CVE-2007-4458 (PHP remote file inclusion vulnerability in includes/class/class_tpl.ph ...) NOT-FOR-US: Firesoft CVE-2007-4457 (Directory traversal vulnerability in forumreply.php in Dalai Forum 1.1 ...) NOT-FOR-US: Dalai Forum CVE-2007-4456 (SQL injection vulnerability in index.php in the SimpleFAQ (com_simplef ...) NOT-FOR-US: mambo NOTE: mambo is in experimental though CVE-2007-4455 (The SIP channel driver (chan_sip) in Asterisk Open Source 1.4.x before ...) - asterisk 1:1.4.11~dfsg-1 [sarge] - asterisk (not affected according to advisory) [etch] - asterisk (not affected according to advisory) CVE-2007-4454 (Eval injection vulnerability in environment.php in Olate Download (od) ...) NOT-FOR-US: Olate Download CVE-2007-4453 NOT-FOR-US: vBulletin CVE-2007-4452 (The client in Toribash 2.71 and earlier allows remote attackers to cau ...) NOT-FOR-US: Toribash CVE-2007-4451 (The server in Toribash 2.71 and earlier on Windows allows remote attac ...) NOT-FOR-US: Toribash CVE-2007-4450 (The server in Toribash 2.71 and earlier does not properly handle long ...) NOT-FOR-US: Toribash CVE-2007-4449 (The client in Toribash 2.71 and earlier allows remote attackers to cau ...) NOT-FOR-US: Toribash CVE-2007-4448 (The server in Toribash 2.71 and earlier does not properly handle parti ...) NOT-FOR-US: Toribash CVE-2007-4447 (Multiple buffer overflows in the client in Toribash 2.71 and earlier a ...) NOT-FOR-US: Toribash CVE-2007-4446 (Format string vulnerability in the server in Toribash 2.71 and earlier ...) NOT-FOR-US: Toribash CVE-2007-4445 (Image Space rFactor 1.250 and earlier allows remote attackers to cause ...) NOT-FOR-US: Image space rfactor CVE-2007-4444 (Multiple buffer overflows in Image Space rFactor 1.250 and earlier all ...) NOT-FOR-US: Image space rfactor CVE-2007-4443 (The UCC dedicated server for the Unreal engine, possibly 2003 and 2004 ...) NOT-FOR-US: Unreal on Windows CVE-2007-4442 (Stack-based buffer overflow in the logging function in the Unreal engi ...) NOT-FOR-US: Unreal on Windows CVE-2007-4441 (Buffer overflow in php_win32std.dll in the win32std extension for PHP ...) - php5 (Windows-specific) CVE-2007-4440 (Stack-based buffer overflow in the MercuryS SMTP server in Mercury Mai ...) NOT-FOR-US: Mercury mail system CVE-2007-4439 (PHP remote file inclusion vulnerability in popup_window.php in Squirre ...) NOT-FOR-US: Squirrelcart CVE-2007-4438 (Session fixation vulnerability in Ampache before 3.3.3.5 allows remote ...) - ampache 3.3.3.5-dfsg-1 (bug #407337) CVE-2007-4437 (SQL injection vulnerability in albums.php in Ampache before 3.3.3.5 al ...) - ampache 3.3.3.5-dfsg-1 (bug #407337) CVE-2007-4436 (The Drupal Project module before 5.x-1.0, 4.7.x-2.3, and 4.7.x-1.3 and ...) - drupal (External addon, see bug #439379) CVE-2007-4435 (Multiple SQL injection vulnerabilities in TorrentTrader before 1.07 al ...) NOT-FOR-US: TorrentTrader CVE-2007-4434 (Cross-site scripting (XSS) vulnerability in textfilesearch.asp in the ...) NOT-FOR-US: Text File Search ASP CVE-2007-4433 (Cross-site scripting (XSS) vulnerability in textfilesearch.aspx in the ...) NOT-FOR-US: Text File Search ASP CVE-2007-4432 (Untrusted search path vulnerability in the wrapper scripts for the (1) ...) NOT-FOR-US: SUSE CVE-2007-4431 (Cross-domain vulnerability in Apple Safari for Windows 3.0.3 and earli ...) NOT-FOR-US: Safari/windows CVE-2007-4430 (Unspecified vulnerability in Cisco IOS 12.0 through 12.4 allows contex ...) NOT-FOR-US: Cisco IOS CVE-2007-4429 (Unspecified vulnerability in Skype allows remote attackers to cause a ...) NOT-FOR-US: Skype CVE-2007-4428 (Lhaz 1.33 allows remote attackers to execute arbitrary code via unknow ...) NOT-FOR-US: lhaz CVE-2007-4427 (Unspecified vulnerability in the login page redirection logic in the C ...) NOT-FOR-US: InterSystems Cache CVE-2007-4426 (Live for Speed (LFS) S1 and S2 allows remote attackers to cause a deni ...) NOT-FOR-US: Live for Speed CVE-2007-4425 (Multiple buffer overflows in Live for Speed (LFS) demo, S1, and S2 all ...) NOT-FOR-US: Live for Speed CVE-2007-4424 (Apple Safari for Windows 3.0.3 and earlier does not prompt the user be ...) NOT-FOR-US: Safari CVE-2007-4423 (Stack-based buffer overflow in the AUTH_LIST_GROUPS_FOR_AUTHID functio ...) NOT-FOR-US: IBM DB2 CVE-2007-4422 (The login interface in Symantec Enterprise Firewall 6.x, when a VPN wi ...) NOT-FOR-US: Symantec Enterprise Firewall CVE-2007-4421 (SQL injection vulnerability in Admin.php in Olate Download (od) 3.4.1 ...) NOT-FOR-US: Olate Download CVE-2007-4420 (Absolute path traversal vulnerability in a certain ActiveX control in ...) NOT-FOR-US: EDraw Office Viewer Component CVE-2007-4419 (Admin.php in Olate Download (od) 3.4.1 uses an MD5 hash of the admin u ...) NOT-FOR-US: Olate Download CVE-2007-4418 (IBM DB2 UDB 8 before Fixpak 15 does not properly check authorization, ...) NOT-FOR-US: IBM DB2 CVE-2007-4417 (IBM DB2 UDB 8 before Fixpak 15 and 9.1 before Fixpak 3 does not proper ...) NOT-FOR-US: IBM DB2 CVE-2007-4416 NOT-FOR-US: BellaBook CVE-2007-4415 (Cisco VPN Client on Windows before 5.0.01.0600, and the 5.0.01.0600 In ...) NOT-FOR-US: Cisco VPN client/windows CVE-2007-4414 (Cisco VPN Client on Windows before 4.8.02.0010 allows local users to g ...) NOT-FOR-US: Cisco VPN client/windows CVE-2007-4413 (Direct static code injection vulnerability in admincp/user_help.php in ...) NOT-FOR-US: Headstart Solutions DeskPRO 3.0.2 CVE-2007-4412 (Multiple cross-site scripting (XSS) vulnerabilities in Headstart Solut ...) NOT-FOR-US: Deskpro CVE-2007-4411 (ircu 2.10.12.05 and earlier allows remote attackers to discover the hi ...) - ircd-ircu 2.10.12.10.dfsg1-1 (low; bug #439314) [etch] - ircd-ircu (Minor issue) CVE-2007-4410 (ircu 2.10.12.05 and earlier does not properly synchronize a kick actio ...) - ircd-ircu 2.10.12.10.dfsg1-1 (low; bug #439314) [etch] - ircd-ircu (Minor issue) CVE-2007-4409 (Race condition in ircu 2.10.12.01 through 2.10.12.05 allows remote att ...) - ircd-ircu (Version affected not yet in unstable, maintainer informed) CVE-2007-4408 (ircu 2.10.12.05 and earlier ignores timestamps in bounces, which allow ...) - ircd-ircu 2.10.12.10.dfsg1-1 (low; bug #439314) [etch] - ircd-ircu (Minor issue) CVE-2007-4407 (ircu 2.10.12.03 and 2.10.12.04 does not associate a timestamp with ops ...) - ircd-ircu (Version affected not yet in unstable, maintainer informed) CVE-2007-4406 (ircu 2.10.12.01 through 2.10.12.04 does not remove ops privilege after ...) - ircd-ircu (Version affected not yet in unstable, maintainer informed) CVE-2007-4405 (ircu 2.10.12.02 through 2.10.12.04 allows remote attackers to cause a ...) - ircd-ircu (Version affected not yet in unstable, maintainer informed) CVE-2007-4404 (ircu 2.10.12.01 allows remote attackers to (1) cause a denial of servi ...) - ircd-ircu (Version affected not yet in unstable, maintainer informed) CVE-2007-4403 (The mIRC Control Plug-in for Winamp allows user-assisted remote attack ...) NOT-FOR-US: mirc/winamp CVE-2007-4402 (Multiple unspecified scripts in mIRC allow user-assisted remote attack ...) NOT-FOR-US: mirc CVE-2007-4401 (Multiple CRLF injection vulnerabilities in the Advanced mIRC Integrati ...) NOT-FOR-US: mirc CVE-2007-4400 (CRLF injection vulnerability in the included media script in Konversat ...) - konversation 1.0.1-4 (low; bug #439837) [etch] - konversation (minor issue) [sarge] - konversation (minor issue) CVE-2007-4399 (CRLF injection vulnerability in the xmms.bx 1.0 script for BitchX allo ...) NOT-FOR-US: xmms.bx 1.0 script for BitchX (not included in Debian package) CVE-2007-4398 (Multiple CRLF injection vulnerabilities in the (1) now-playing.rb and ...) - irssi-scripts 20070925 (low; bug #439840) - weechat-scripts 20070425-0.1 (low; bug #439839) [etch] - irssi-scripts (minor issue) [etch] - weechat-scripts (minor issue) [sarge] - irssi-scripts (minor issue) CVE-2007-4397 (Multiple CRLF injection vulnerabilities in (1) xmms-thing 1.0, (2) XMM ...) NOT-FOR-US: various IRC now_playing scripts CVE-2007-4396 (Multiple CRLF injection vulnerabilities in (1) ixmmsa.pl 0.3, (2) l33t ...) - irssi-scripts 20070925 (low; bug #439840) [etch] - irssi-scripts (minor issue) [sarge] - irssi-scripts (minor issue) NOTE: weechat-scripts does not include the mentioned scripts CVE-2007-4395 (Multiple unspecified vulnerabilities in the Role Based Access Control ...) NOT-FOR-US: Sun Solaris 8 CVE-2007-4394 (Unspecified vulnerability in a "core clean" cron job created by the fi ...) NOT-FOR-US: findutils-locate on SUSE Linux CVE-2007-4393 (The installation script for orarun on SUSE Linux before 20070810 place ...) NOT-FOR-US: oracle CVE-2007-4392 (Winamp 5.35 allows remote attackers to cause a denial of service (prog ...) NOT-FOR-US: winamp CVE-2007-4391 (Heap-based buffer overflow in Kakadu kdu_v32m.dll in Yahoo! Messenger ...) NOT-FOR-US: kakadu CVE-2007-4390 (The Command Line Interface (CLI), aka Adonis Administration Console, o ...) NOT-FOR-US: BlueCat CVE-2007-4389 (Cross-site request forgery (CSRF) vulnerability in /xslt in 2wire 1701 ...) NOT-FOR-US: 2wire CVE-2007-4388 (2wire 1701HG and 2071 Gateway routers, with 5.29.51 and possibly 3.17. ...) NOT-FOR-US: 2wire CVE-2007-4387 (Cross-site request forgery (CSRF) vulnerability in /xslt in 2wire 1701 ...) NOT-FOR-US: 2wire CVE-2007-4386 (SQL injection vulnerability in search.php in GetMyOwnArcade allows rem ...) NOT-FOR-US: GetMyOwnArcade CVE-2007-4385 (OWASP Stinger before 2.5 allows remote attackers to bypass input valid ...) NOT-FOR-US: Stinger CVE-2007-4384 (Multiple PHP remote file inclusion vulnerabilities in depouilg.php3 in ...) NOT-FOR-US: Stephane Pineau VOTE CVE-2007-4383 NOT-FOR-US: Trackeur CVE-2007-4382 (CounterPath X-Lite 3.0 34025, and possibly eyeBeam, allows remote atta ...) NOT-FOR-US: CounterPath X-Lite CVE-2007-4381 (Unspecified vulnerability in the font parsing implementation in Sun JD ...) - sun-java5 1.5.0-10-1 CVE-2007-4380 (Aclient in Symantec Altiris Deployment Solution 6 before 6.8 SP2 (6.8. ...) NOT-FOR-US: Altiris Deployment Solution CVE-2007-4379 (Babo Violent 2 2.08.00 and earlier allows remote attackers to cause a ...) NOT-FOR-US: Babo Violent CVE-2007-4378 (Multiple format string vulnerabilities in Babo Violent 2 2.08.00 and e ...) NOT-FOR-US: Babo Violent CVE-2007-4377 (Stack-based buffer overflow in the IMAP service in SurgeMail 38k allow ...) NOT-FOR-US: SurgeMail CVE-2007-4376 (Unrestricted file upload vulnerability in banner-upload.php in Szymon ...) NOT-FOR-US: Szymon Kosok Best Top List CVE-2007-4375 (The administrative interface (aka DkService.exe) in Diskeeper 9 Profes ...) NOT-FOR-US: Diskeeper CVE-2007-4374 (Babo Violent 2 2.08.00 does not validate the sender field of a chat me ...) NOT-FOR-US: Babo Violent CVE-2007-4373 (The server in Babo Violent 2 2.08.00 and earlier does not properly imp ...) NOT-FOR-US: Babo Violent CVE-2007-4372 (Unspecified vulnerability in NetWin SurgeMail 38k on Windows Server 20 ...) NOT-FOR-US: SurgeMail CVE-2004-2684 (Unspecified vulnerability in the %template package in InterSystems Cac ...) NOT-FOR-US: InterSystems Cache CVE-2004-2683 (Unspecified vulnerability in the %XML.Utils.SchemaServer class in Inte ...) NOT-FOR-US: InterSystems Cache CVE-2003-1333 (Unspecified vulnerability in the Cache' Server Page (CSP) implementati ...) NOT-FOR-US: InterSystems Cache CVE-2007-XXXX [pam usb wrongly allows authentication without password in ssh sessions] - libpam-usb 0.4.1-1 (medium) NOTE: see http://sourceforge.net/mailarchive/forum.php?thread_name=7D75703BC8E1C149BF78A1E79AAAB169B8A2E4%40svits28.main.ad.rit.edu&forum_name=pamusb-devel CVE-2007-XXXX [lwat sometimes logs passwords in access.log] - lwat 0.15-2 (low) CVE-2007-4371 (Unrestricted file upload vulnerability in admin/pages/blog-add.php in ...) NOT-FOR-US: Neuron Blog CVE-2007-4370 (Multiple buffer overflows in the (1) client and (2) server in Racer 0. ...) NOT-FOR-US: Racer CVE-2007-4369 (Directory traversal vulnerability in go/_files in SOTEeSKLEP before 4. ...) NOT-FOR-US: SOTEeSKLEP CVE-2007-4368 (SQL injection vulnerability in /main in IBM Rational ClearQuest (CQ) W ...) NOT-FOR-US: IBM Rational ClearQuest (CQ) CVE-2007-4367 (Opera before 9.23 allows remote attackers to execute arbitrary code vi ...) NOT-FOR-US: Opera CVE-2007-4366 (WengoPhone 2.1 allows remote attackers to cause a denial of service (d ...) - wengophone 2.1.1.dfsg0-3 (bug #438419) CVE-2007-4365 (Cross-site scripting (XSS) vulnerability in eXV2 CMS 2.0.5 and earlier ...) NOT-FOR-US: eXV2 CMS CVE-2007-4364 (Fedora Commons before 2.2.1 does not properly handle certain authentic ...) NOT-FOR-US: Fedora Commons CVE-2007-4363 (Multiple cross-site scripting (XSS) vulnerabilities in the nodereferen ...) NOT-FOR-US: Drupal Content Construction Kit (CCK) CVE-2007-4362 (SQL injection vulnerability in category.php in Prozilla Webring allows ...) NOT-FOR-US: Prozilla Webring CVE-2007-4361 (NETGEAR (formerly Infrant) ReadyNAS RAIDiator before 4.00b2-p2-T1 beta ...) NOT-FOR-US: ReadyNAS RAIDiator CVE-2007-4360 (Unspecified vulnerability in Dell Remote Access Card 4 (DRAC4) with fi ...) NOT-FOR-US: Dell CVE-2007-4359 (Multiple SQL injection vulnerabilities in SkilMatch Staffing Systems J ...) NOT-FOR-US: JobLister3 CVE-2007-4358 (Zoidcom 0.6.7 and earlier allows remote attackers to cause a denial of ...) NOT-FOR-US: Zoidcom CVE-2007-4357 (Mozilla Firefox 2.0.0.6 and earlier allows remote attackers to spoof t ...) - mozilla-firefox (unimportant) - mozilla (unimportant) - iceweasel (unimportant) - iceape (unimportant) CVE-2007-4356 (Microsoft Internet Explorer 6 and 7 embeds FTP credentials in HTML fil ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2007-4355 (Buffer overflow in the at program on IBM AIX 5.3 allows local users to ...) NOT-FOR-US: AIX CVE-2007-4354 (Buffer overflow in fileplace in bos.perf.tools in IBM AIX 5.2 and 5.3 ...) NOT-FOR-US: AIX CVE-2007-4353 (Multiple buffer overflows in IBM AIX 5.2 and 5.3 allow local users in ...) NOT-FOR-US: AIX CVE-2007-4352 (Array index error in the DCTStream::readProgressiveDataUnit method in ...) {DSA-1537-1 DSA-1509-1 DSA-1480-1 DTSA-85-1 DTSA-86-1} - poppler 0.6.2-1 (medium; bug #450628) - kdegraphics 4:3.5.8-2 (medium; bug #450630) [etch] - kdegraphics (Vulnerable code not used) - xpdf 3.02-1.3 (medium; bug #450629) - koffice 1:1.6.3-4 (medium; bug #450631) - cupsys 1.1.22-7 - cups 1.1.22-7 - gpdf - pdftohtml [etch] - pdftohtml 0.36-13etch1 - tetex-bin 3.0-12 NOTE: pdftex links to poppler since 3.0-12, thus marking as fixed NOTE: cups uses xpdf-utils and poppler-utils since version 1.1.22-7 - libextractor 0.5.12-1 NOTE: libextractor uses internal pdf decoder since 0.5.12-1, thus marking as fixed - swftools 0.9.2+ds1-2 CVE-2007-4351 (Off-by-one error in the ippReadIO function in cups/ipp.c in CUPS 1.3.3 ...) {DSA-1407-1 DTSA-81-1} - cupsys 1.3.4-1 (medium; bug #448866) - cups 1.3.4-1 (medium; bug #448866) [sarge] - cupsys (Only vulnerable to code injection since 1.2.x, effects are harmless otherwise) CVE-2007-4350 (Cross-site scripting (XSS) vulnerability in the management interface i ...) NOT-FOR-US: HP SiteScope CVE-2007-4349 (The Shared Trace Service (aka OVTrace) in HP Performance Agent C.04.70 ...) NOT-FOR-US: HP OpenView Report CVE-2007-4348 (Cross-site scripting (XSS) vulnerability in the CAD service in IBM Tiv ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2007-4347 (Multiple integer overflows in the Job Engine (bengine.exe) service in ...) NOT-FOR-US: Job Engine CVE-2007-4346 (The Job Engine (bengine.exe) service in Symantec Backup Exec for Windo ...) NOT-FOR-US: Job Engine CVE-2007-4345 (Buffer overflow in IMail Client 9.22, as shipped with IPSwitch IMail S ...) NOT-FOR-US: IMail Client CVE-2007-4344 (Multiple input validation errors in ACD ACDSee Photo Manager 9.0 build ...) NOT-FOR-US: ACDSee CVE-2007-4343 (Stack-based buffer overflow in IrfanView 3.99 and 4.00 allows user-ass ...) NOT-FOR-US: IrfanView CVE-2007-4342 (PHP remote file inclusion vulnerability in include.php in PHPCentral L ...) NOT-FOR-US: PHPCentral CVE-2007-4341 (PHP remote file inclusion vulnerability in adm/my_statistics.php in Om ...) NOT-FOR-US: Omnistar Lib2 PHP CVE-2007-4340 (PHP remote file inclusion vulnerability in index.php in phpDVD 1.0.4 a ...) NOT-FOR-US: phpDVD CVE-2007-4339 (Multiple PHP remote file inclusion vulnerabilities in PHPCentral Poll ...) NOT-FOR-US: PHPCentral Poll Script CVE-2007-4338 (index.php in Ryan Haudenschilt Family Connections (FCMS) before 0.9 al ...) NOT-FOR-US: Family Connections CVE-2007-4337 (Multiple buffer overflows in the httplib_parse_sc_header function in l ...) {DSA-1683-1} - streamripper 1.62.2-1 (low) CVE-2007-4336 (Buffer overflow in the Live Picture Corporation DXSurface.LivePicture. ...) NOT-FOR-US: Microsoft CVE-2007-4335 (Format string vulnerability in the SMTP server component in Qbik WinGa ...) NOT-FOR-US: Qbik WinGate CVE-2007-4334 (Cross-site scripting (XSS) vulnerability in whois.php in Php-stats 0.1 ...) NOT-FOR-US: Php-stats CVE-2007-4333 (Multiple cross-site scripting (XSS) vulnerabilities in signup.php in A ...) NOT-FOR-US: Article Dashboard CVE-2007-4332 (SQL injection vulnerability in article.php in Article Dashboard, when ...) NOT-FOR-US: Article Dashboard CVE-2007-4331 (PHP remote file inclusion vulnerability in index.php in FindNix allows ...) NOT-FOR-US: FindNix CVE-2007-4330 (PHP remote file inclusion vulnerability in shoutbox.php in Shoutbox 1. ...) NOT-FOR-US: Shoutbox CVE-2007-4329 (Multiple PHP remote file inclusion vulnerabilities in Web News 1.1 all ...) NOT-FOR-US: Web News CVE-2007-4328 (Multiple PHP remote file inclusion vulnerabilities in Mapos Bilder Gal ...) NOT-FOR-US: Bilder Galerie CVE-2007-4327 (Multiple PHP remote file inclusion vulnerabilities in File Uploader 1. ...) NOT-FOR-US: File Uploader CVE-2007-4326 (Multiple PHP remote file inclusion vulnerabilities in Bilder Uploader ...) NOT-FOR-US: Bilder Uploader CVE-2007-4325 (PHP remote file inclusion vulnerability in index.php in Gaestebuch 1.5 ...) NOT-FOR-US: Gaestebuch CVE-2007-4324 (ActionScript 3 (AS3) in Adobe Flash Player 9.0.47.0, and other version ...) - flashplugin-nonfree 9.0.115.0.1 [etch] - flashplugin-nonfree 9.0.115.0.1~etch1 [sarge] - flashplugin-nonfree (Non-free not supported) CVE-2007-4323 (DenyHosts 2.6 does not properly parse sshd log files, which allows rem ...) - denyhosts 2.6-2.1 (bug #438162; medium) [etch] - denyhosts 2.6-1etch1 CVE-2007-4322 (BlockHosts before 2.0.4 does not properly parse (1) sshd and (2) vsftp ...) NOT-FOR-US: BlockHosts CVE-2007-4321 (fail2ban 0.8 and earlier does not properly parse sshd log files, which ...) {DSA-1456-1} - fail2ban 0.8.0-4 (bug #438187; medium) CVE-2007-4320 (PHP remote file inclusion vulnerability in admin/addons/archive/archiv ...) NOT-FOR-US: Ncaster CVE-2007-4319 (The management interface in ZyNOS firmware 3.62(WK.6) on the Zyxel Zyw ...) NOT-FOR-US: Zyxel CVE-2007-4318 (Cross-site scripting (XSS) vulnerability in Forms/General_1 in the man ...) NOT-FOR-US: Zyxel CVE-2007-4317 (Multiple cross-site request forgery (CSRF) vulnerabilities in the mana ...) NOT-FOR-US: Zyxel CVE-2007-4316 (The management interface in ZyNOS firmware 3.62(WK.6) on the Zyxel Zyw ...) NOT-FOR-US: Zyxel CVE-2007-4315 (The AMD ATI atidsmxx.sys 3.0.502.0 driver on Windows Vista allows loca ...) NOT-FOR-US: ATI CVE-2007-4314 (pixlie.php in Pixlie 1.7 allows remote attackers to trigger the readin ...) NOT-FOR-US: Pixlie CVE-2007-4313 (PHP remote file inclusion vulnerability in public_includes/pub_blocks/ ...) NOT-FOR-US: Php Blue Dragon CMS CVE-2007-4312 (SQL injection vulnerability in index.php in Php Blue Dragon CMS 3.0.0 ...) NOT-FOR-US: Php Blue Dragon CMS CVE-2007-4311 (The xfer_secondary_pool function in drivers/char/random.c in the Linux ...) {DSA-1503-2 DSA-1503-1} - linux-2.6 (buffer is local to the function that uses sizeof on it) CVE-2007-4310 (The finger daemon (in.fingerd) in Sun Solaris 7 through 9 allows remot ...) NOT-FOR-US: Solaris CVE-2007-4309 (IBM Lotus Notes 5.x through 7.0.2 allows user-assisted remote authenti ...) NOT-FOR-US: IBM Lotus Notes CVE-2007-4308 (The (1) aac_cfg_open and (2) aac_compat_ioctl functions in the SCSI la ...) {DSA-1503-2 DSA-1504-1 DSA-1503-1 DSA-1363-1} - linux-2.6 2.6.22-4 (medium; bug #443694) CVE-2007-4307 (Multiple cross-site scripting (XSS) vulnerabilities in Storesprite 7 a ...) NOT-FOR-US: Storesprite CVE-2007-4306 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 2.10 ...) - phpmyadmin (unimportant) [sarge] - phpmyadmin NOTE: It seems that this requires knowledge of a unguessable session token. NOTE: Confirmed by upstream. Sarge is not affected at all. CVE-2007-4305 (Multiple race conditions in the (1) Sudo monitor mode and (2) Sysjail ...) NOT-FOR-US: NetBSD and OpenBSD CVE-2007-4304 (CerbNG for FreeBSD 4.8 does not properly implement VM protection when ...) NOT-FOR-US: CerbNG for FreeBSD CVE-2007-4303 (Multiple race conditions in (1) certain rules and (2) argument copying ...) NOT-FOR-US: CerbNG for FreeBSD CVE-2007-4302 (Multiple race conditions in certain system call wrappers in Generic So ...) NOT-FOR-US: Generic Software Wrappers Toolkit CVE-2007-4301 (Multiple cross-site scripting (XSS) vulnerabilities in the management ...) NOT-FOR-US: WebCart CVE-2007-4300 RESERVED CVE-2007-4299 RESERVED CVE-2007-4298 RESERVED CVE-2007-4297 (Multiple cross-site scripting (XSS) vulnerabilities in yorumkaydet.asp ...) NOT-FOR-US: Modulu CVE-2007-4296 (Unspecified vulnerability in assp.pl in Anti-Spam SMTP Proxy Server (A ...) NOT-FOR-US: Anti-Spam SMTP Proxy Server CVE-2007-4295 (Unspecified vulnerability in Cisco IOS 12.0 through 12.4 allows remote ...) NOT-FOR-US: Cisco CVE-2007-4294 (Unspecified vulnerability in Cisco Unified Communications Manager (CUC ...) NOT-FOR-US: Cisco CVE-2007-4293 (Cisco IOS 12.0 through 12.4 allows remote attackers to cause a denial ...) NOT-FOR-US: Cisco CVE-2007-4292 (Multiple memory leaks in Cisco IOS 12.0 through 12.4 allow remote atta ...) NOT-FOR-US: Cisco CVE-2007-4291 (Cisco IOS 12.0 through 12.4 allows remote attackers to cause a denial ...) NOT-FOR-US: Cisco CVE-2007-4290 NOT-FOR-US: Guestbook Script CVE-2007-4289 (Sun Java System Portal Server 7.0 does not properly process XSLT style ...) NOT-FOR-US: Sun Java System Portal Server CVE-2007-4288 (Microsoft Windows Media Player 11 (wmplayer.exe) allows user-assisted ...) NOT-FOR-US: Microsoft CVE-2007-4287 (PHP remote file inclusion vulnerability in fc_functions/fc_example.php ...) NOT-FOR-US: FishCart CVE-2007-4286 (Buffer overflow in the Next Hop Resolution Protocol (NHRP) functionali ...) NOT-FOR-US: Cisco CVE-2007-4285 (Unspecified vulnerability in Cisco IOS and Cisco IOS XR 12.x up to 12. ...) NOT-FOR-US: Cisco CVE-2007-4284 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco Unified M ...) NOT-FOR-US: Cisco CVE-2007-4283 (PHP remote file inclusion vulnerability in bridge/yabbse.inc.php in Co ...) NOT-FOR-US: Coppermine Photo Gallery (CPG) CVE-2007-4282 (The "Extended properties for entries" (entryproperties) plugin in sere ...) - serendipity 1.1.4-1 [etch] - serendipity (introduced in 1.1.x) CVE-2007-4281 (Cross-site scripting (XSS) vulnerability in KnowledgeTree Open Source ...) - knowledgetree CVE-2007-4279 (PHP remote file inclusion vulnerability in config.php in FrontAccounti ...) NOT-FOR-US: FrontAccounting CVE-2007-4278 (Stack-based buffer overflow in the giomgr process in ESRI ArcSDE servi ...) NOT-FOR-US: ESRI ArcSDE CVE-2007-4277 (The Trend Micro AntiVirus scan engine before 8.550-1001, as used in Tr ...) NOT-FOR-US: Trend Micro AntiVirus CVE-2007-4276 (Stack-based buffer overflow in IBM DB2 UDB 8 before Fixpak 15 and 9.1 ...) NOT-FOR-US: IBM DB2 CVE-2007-4275 (Multiple untrusted search path vulnerabilities in IBM DB2 UDB 8 before ...) NOT-FOR-US: IBM DB2 CVE-2007-4274 REJECTED CVE-2007-4273 (IBM DB2 UDB 8 before Fixpak 15 and 9.1 before Fixpak 3 allows local us ...) NOT-FOR-US: IBM DB2 CVE-2007-4272 (Multiple vulnerabilities in IBM DB2 UDB 8 before Fixpak 15 and 9.1 bef ...) NOT-FOR-US: IBM DB2 CVE-2007-4271 (Directory traversal vulnerability in IBM DB2 UDB 8 before Fixpak 15 an ...) NOT-FOR-US: IBM DB2 CVE-2007-4270 (Multiple race conditions in IBM DB2 UDB 8 before Fixpak 15 and 9.1 bef ...) NOT-FOR-US: IBM DB2 CVE-2007-4269 (Integer overflow in the Networking component in Apple Mac OS X 10.4 th ...) NOT-FOR-US: Apple Mac OS X CVE-2007-4268 (Integer signedness error in the Networking component in Apple Mac OS X ...) NOT-FOR-US: Apple Mac OS X CVE-2007-4267 (Stack-based buffer overflow in the Networking component in Apple Mac O ...) NOT-FOR-US: Apple Mac OS X CVE-2007-4266 RESERVED CVE-2007-4265 (Multiple cross-site scripting (XSS) vulnerabilities in VisionProject 3 ...) NOT-FOR-US: VisionProject CVE-2007-4264 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Ka ...) NOT-FOR-US: snif CVE-2007-4280 (The Skinny channel driver (chan_skinny) in Asterisk Open Source before ...) - asterisk 1:1.4.10~dfsg-1 NOTE: https://downloads.avaya.com/elmodocs2/security/ASA-2007-019.htm [sarge] - asterisk (not affected according to advisory) [etch] - asterisk (not affected according to advisory) CVE-2007-4263 (Unspecified vulnerability in the server side of the Secure Copy (SCP) ...) NOT-FOR-US: Cisco CVE-2007-4262 (Unrestricted file upload vulnerability in EZPhotoSales 1.9.3 and earli ...) NOT-FOR-US: EZPhotoSales CVE-2007-4261 (EZPhotoSales 1.9.3 and earlier stores sensitive information under the ...) NOT-FOR-US: EZPhotoSales CVE-2007-4260 (EZPhotoSales 1.9.3 and earlier has a default "admin" account for galle ...) NOT-FOR-US: EZPhotoSales CVE-2007-4259 (EZPhotoSales 1.9.3 and earlier allows remote attackers to download arb ...) NOT-FOR-US: EZPhotoSales CVE-2007-4258 (SQL injection vulnerability in directory.php in Prozilla Pub Site Dire ...) NOT-FOR-US: Prozilla CVE-2007-4257 (Multiple buffer overflows in Live for Speed (LFS) S1 and S2 allow user ...) NOT-FOR-US: Live for Speed CVE-2007-4256 (Directory traversal vulnerability in showpage.cgi in YNP Portal System ...) NOT-FOR-US: YNP Portal System CVE-2007-4255 (Buffer overflow in the mSQL extension in PHP 5.2.3 allows context-depe ...) - php5 (unimportant) - php4 (unimportant) NOTE: Only exploitable by malicious script CVE-2007-4254 (Stack-based buffer overflow in a certain ActiveX control in VDT70.DLL ...) NOT-FOR-US: Microsoft CVE-2007-4253 (SQL injection vulnerability in the News module in modules.php in Envol ...) NOT-FOR-US: Envolution CVE-2007-4252 (Absolute path traversal vulnerability in a certain ActiveX control in ...) NOT-FOR-US: CHILKAT ASP String CVE-2007-4251 (OpenOffice.org (OOo) 2.2 does not properly handle files with multiple ...) - openoffice.org (unimportant) NOTE: Only a crasher with malformed documents CVE-2007-4250 (The isChecked function in Toolbar.DLL in Advanced Searchbar before 3.3 ...) NOT-FOR-US: Advanced Searchbar CVE-2007-4249 (The isChecked function in Toolbar.DLL in the ExportNation toolbar for ...) NOT-FOR-US: ExportNation toolbar CVE-2007-4248 (The CallCmd function in toolbar_gaming.dll in the Toolbar Gaming toolb ...) NOT-FOR-US: Toolbar Gaming toolbar CVE-2007-4247 (Windows Calendar on Microsoft Windows Vista allows remote attackers to ...) NOT-FOR-US: Microsoft CVE-2007-4246 (Unspecified vulnerability, possibly a buffer overflow, in Justsystem I ...) NOT-FOR-US: Justsystem Ichitaro CVE-2007-4245 (Cross-site scripting (XSS) vulnerability in Search.php in DiMeMa CONTE ...) NOT-FOR-US: DiMeMa CONTENTdm CVE-2007-4244 (PHP remote file inclusion vulnerability in langset.php in J! Reactions ...) NOT-FOR-US: Joomla! CVE-2007-4243 (Unspecified vulnerability in pfilter-reporter.pl in Astaro Security Ga ...) NOT-FOR-US: Astaro Security Gateway CVE-2007-4242 (The pop3 Proxy in Astaro Security Gateway (ASG) 7 does not perform vir ...) NOT-FOR-US: Astaro Security Gateway CVE-2007-4241 (Buffer overflow in ldcconn in Hewlett-Packard (HP) Controller for Cisc ...) NOT-FOR-US: Hewlett-Packard CVE-2007-4240 (The check_logout function in class/auth.php in Help Center Live (hcl) ...) NOT-FOR-US: Help Center Live CVE-2007-4239 (Cross-site scripting (XSS) vulnerability in user/forgotPassStep2.jsp i ...) NOT-FOR-US: C-SAM oneWallet CVE-2007-4238 (AIX 5.2 and 5.3 install pioinit with user and group ownership of bin, ...) NOT-FOR-US: AIX CVE-2007-4237 (Buffer overflow in the atm subset in arp in devices.common.IBM.atm.rte ...) NOT-FOR-US: AIX CVE-2007-4236 (Buffer overflow in lpd in bos.rte.printers in AIX 5.2 and 5.3 allows l ...) NOT-FOR-US: AIX CVE-2007-4235 (Multiple PHP remote file inclusion vulnerabilities in VietPHP allow re ...) NOT-FOR-US: VietPHP CVE-2007-4234 (Unspecified vulnerability in Camera Life before 2.6 allows remote atta ...) NOT-FOR-US: Camera Life CVE-2007-4233 (Multiple unspecified vulnerabilities in Camera Life before 2.6 allow a ...) NOT-FOR-US: Camera Life CVE-2007-4232 (PHP remote file inclusion vulnerability in admin/inc/change_action.php ...) NOT-FOR-US: PHPNews CVE-2007-4231 (PHP remote file inclusion vulnerability in order/login.php in IDevSpot ...) NOT-FOR-US: PhpHostBot CVE-2007-4230 NOT-FOR-US: BellaBiblio CVE-2007-4229 (Unspecified vulnerability in KDE Konqueror 3.5.7 and earlier allows re ...) - kdebase (unimportant) NOTE: Browser DoS not treated as vulnerabilities CVE-2007-4228 (rmpvc on IBM AIX 4.3 allows local users to cause a denial of service ( ...) NOT-FOR-US: AIX CVE-2007-4227 (Microsoft Windows Explorer (explorer.exe) allows user-assisted remote ...) NOT-FOR-US: Microsoft CVE-2007-4226 (Directory traversal vulnerability in the BlueCat Networks Proteus IPAM ...) NOT-FOR-US: BlueCat Networks Proteus IPAM appliance CVE-2007-4225 (Visual truncation vulnerability in KDE Konqueror 3.5.7 allows remote a ...) - kdebase 4:3.5.7-3 (bug #433072; low) [sarge] - kdebase (Minor issue) [etch] - kdebase (Minor issue) CVE-2007-4224 (KDE Konqueror 3.5.7 allows remote attackers to spoof the URL address b ...) - kdebase 4:3.5.7-3 (bug #433072; low) [sarge] - kdebase (Minor issue) [etch] - kdebase (Minor issue) CVE-2007-4223 (Dbgv.sys in Microsoft Sysinternals DebugView before 4.72 provides an u ...) NOT-FOR-US: Microsoft Sysinternals DebugView CVE-2007-4222 (Buffer overflow in the TagAttributeListCopy function in nnotes.dll in ...) NOT-FOR-US: IBM Lotus Notes CVE-2007-4221 (Multiple buffer overflows in Motorola Timbuktu Pro before 8.6.5 for Wi ...) NOT-FOR-US: Motorola Timbuktu CVE-2007-4220 (Directory traversal vulnerability in Motorola Timbuktu Pro before 8.6. ...) NOT-FOR-US: Motorola Timbuktu CVE-2007-4219 (Integer overflow in the RPCFN_SYNC_TASK function in StRpcSrv.dll, as u ...) NOT-FOR-US: Trend Micro ServerProtect CVE-2007-4218 (Multiple buffer overflows in the ServerProtect service (SpntSvc.exe) i ...) NOT-FOR-US: Trend Micro ServerProtect CVE-2007-4217 (Stack-based buffer overflow in the domacro function in ftp in IBM AIX ...) NOT-FOR-US: IBM AIX CVE-2007-4216 (vsdatant.sys 6.5.737.0 in Check Point Zone Labs ZoneAlarm before 7.0.3 ...) NOT-FOR-US: ZoneAlarm CVE-2007-4215 RESERVED CVE-2007-4214 RESERVED CVE-2007-4213 (Palm OS on Treo 650, 680, 700p, and 755p Smart phones allows remote at ...) NOT-FOR-US: Palm OS CVE-2007-4212 (Multiple cross-site scripting (XSS) vulnerabilities in the Search Modu ...) NOT-FOR-US: PHP-Nuke CVE-2007-4211 (The ACL plugin in Dovecot before 1.0.3 allows remote authenticated use ...) - dovecot 1:1.0.3-2 (low) [etch] - dovecot (minor issue) [sarge] - dovecot (minor issue) CVE-2007-4210 (Multiple SQL injection vulnerabilities in module.php in LANAI (la-nai) ...) NOT-FOR-US: LANAI CMS CVE-2007-4209 (SQL injection vulnerability in Recherche.php in Aceboard forum allows ...) NOT-FOR-US: Aceboard forum CVE-2007-4208 (SQL injection vulnerability in default.asp in Next Gen Portfolio Manag ...) NOT-FOR-US: Next Gen Portfolio Manager CVE-2007-4207 (SQL injection vulnerability in admin_console/index.asp in Gallery In A ...) NOT-FOR-US: Gallery In A Box CVE-2007-4206 (Kaspersky Anti-Spam 3.0 MP1 before Critical Fix 2 (3.0.278.4) sets inc ...) NOT-FOR-US: Kaspersky Anti-Spam CVE-2007-4205 (XHA (Linux-HA) on the BlueCat Networks Adonis DNS/DHCP Appliance 5.0.2 ...) NOT-FOR-US: BlueCat Networks Adonis CVE-2007-4204 (Hitachi Groupmax Collaboration - Schedule, as used in Groupmax Collabo ...) NOT-FOR-US: Hitachi Groupmax Collaboration CVE-2007-4203 (Session fixation vulnerability in Mambo 4.6.2 CMS allows remote attack ...) NOT-FOR-US: Mambo CVE-2007-4202 (Guidance Software EnCase Enterprise Edition (EEE) 6 does not properly ...) NOT-FOR-US: Guidance Software EnCase CVE-2007-4201 (Guidance Software EnCase 6.2 and 6.5 does not properly handle a volume ...) NOT-FOR-US: Guidance Software EnCase CVE-2007-4200 (ntfs.c in fsstat in Brian Carrier The Sleuth Kit (TSK) before 2.09 int ...) - sleuthkit 2.09-1 (unimportant) NOTE: Labelling this as a security problem is a bit far-fetched. CVE-2007-4199 (Brian Carrier The Sleuth Kit (TSK) before 2.09 allows user-assisted re ...) - sleuthkit 2.09-1 (unimportant) NOTE: Labelling this as a security problem is a bit far-fetched. CVE-2007-4198 (The fs_data_put_str function in ntfs.c in fls in Brian Carrier The Sle ...) - sleuthkit 2.09-1 (unimportant) NOTE: Labelling this as a security problem is a bit far-fetched. CVE-2007-4197 (icat in Brian Carrier The Sleuth Kit (TSK) before 2.09 omits NULL poin ...) - sleuthkit 2.09-1 (unimportant) NOTE: Labelling this as a security problem is a bit far-fetched. CVE-2007-4196 (icat in Brian Carrier The Sleuth Kit (TSK) before 2.09 misinterprets a ...) - sleuthkit 2.09-1 (unimportant) NOTE: Labelling this as a security problem is a bit far-fetched. CVE-2007-4195 (Use-after-free vulnerability in ext2fs.c in Brian Carrier The Sleuth K ...) - sleuthkit 2.09-1 (unimportant) NOTE: Labelling this as a security problem is a bit far-fetched. CVE-2007-4194 (Guidance Software EnCase 5.0 allows user-assisted remote attackers to ...) NOT-FOR-US: Guidance Software EnCase CVE-2007-4193 (Multiple cross-site request forgery (CSRF) vulnerabilities in index.ph ...) NOT-FOR-US: DVD Rental System CVE-2007-4192 (Multiple cross-site scripting (XSS) vulnerabilities in IDE Group DVD R ...) NOT-FOR-US: DVD Rental System CVE-2007-4191 (Panda Antivirus 2008 stores service executables under the product's in ...) NOT-FOR-US: Panda Antivirus CVE-2007-4190 (CRLF injection vulnerability in Joomla! before 1.0.13 (aka Sunglow) al ...) NOT-FOR-US: Joomla! CVE-2007-4189 (Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before ...) NOT-FOR-US: Joomla! CVE-2007-4188 (Session fixation vulnerability in Joomla! before 1.0.13 (aka Sunglow) ...) NOT-FOR-US: Joomla! CVE-2007-4187 (Multiple eval injection vulnerabilities in the com_search component in ...) NOT-FOR-US: Joomla! CVE-2007-4186 (PHP remote file inclusion vulnerability in admin.tour_toto.php in the ...) NOT-FOR-US: Joomla! addon CVE-2007-4185 (Joomla! 1.0.12 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Joomla! CVE-2007-4184 (SQL injection vulnerability in administrator/popups/pollwindow.php in ...) NOT-FOR-US: Joomla! CVE-2007-4183 (SQL injection vulnerability in main.php in paBugs 2.0 Beta 3 and earli ...) NOT-FOR-US: paBugs CVE-2007-4182 (Unrestricted file upload vulnerability in index.php in WikiWebWeaver 1 ...) NOT-FOR-US: WikiWebWeaver CVE-2007-4181 NOT-FOR-US: Pluck CVE-2007-4180 NOT-FOR-US: Pluck CVE-2007-4179 (Unspecified vulnerability in the Address and Routing Parameter Area (A ...) NOT-FOR-US: HPUX CVE-2007-4178 (Cross-site scripting (XSS) vulnerability in index.php in WebDirector 2 ...) NOT-FOR-US: Webdirector CVE-2007-4177 (Multiple cross-site scripting (XSS) vulnerabilities in Interact before ...) NOT-FOR-US: Interact CVE-2007-4176 (Multiple unspecified vulnerabilities in EQDKP Plus before 0.4.4.5 have ...) NOT-FOR-US: EQDKP Plus CVE-2007-4175 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Op ...) NOT-FOR-US: Openrat CMS CVE-2007-4174 (Tor before 0.1.2.16, when ControlPort is enabled, does not properly re ...) - tor 0.1.2.16-1 (medium) CVE-2007-4173 (SQL injection vulnerability in duyuruoku.asp in Hunkaray Okul Portali ...) NOT-FOR-US: Hunkaray Okul Portali CVE-2007-4172 (Multiple cross-site scripting (XSS) vulnerabilities in Open Webmail (O ...) NOT-FOR-US: Openwebmail CVE-2007-4171 (SQL injection vulnerability in komentar.php in the Forum Module for au ...) NOT-FOR-US: Aura CMS CVE-2007-4170 (Multiple PHP remote file inclusion vulnerabilities in AL-Athkar 2.0 al ...) NOT-FOR-US: AL-Athkar CVE-2007-4169 NOT-FOR-US: vgallite CVE-2007-4167 (PHP remote file inclusion vulnerability in cat_viewed.php in AL-Carica ...) NOT-FOR-US: AL-Caricatier CVE-2007-4166 (Cross-site scripting (XSS) vulnerability in index.php in the Unnamed t ...) NOT-FOR-US: Xu Yiyang CVE-2007-4165 (Cross-site scripting (XSS) vulnerability in index.php in the Blue Memo ...) - wordpress (Wordpress doesn't ship this theme) CVE-2007-4164 (CRLF injection vulnerability in the redirect feature in Sun Java Syste ...) NOT-FOR-US: IndexScript CVE-2007-4163 (Multiple SQL injection vulnerabilities in IndexScript 2.7 and 2.8 befo ...) NOT-FOR-US: IndexScript CVE-2007-4162 (TIBCO Rendezvous (RV) 7.5.2 does not protect confidentiality or integr ...) NOT-FOR-US: TIBCO Rendezvous (RV) CVE-2007-4161 (rvd in TIBCO Rendezvous (RV) 7.5.2, when -no-lead-wc is omitted, might ...) NOT-FOR-US: TIBCO Rendezvous (RV) CVE-2007-4160 (The default configuration of TIBCO Rendezvous (RV) 7.5.2 clients, when ...) NOT-FOR-US: TIBCO Rendezvous (RV) CVE-2007-4159 (index.html in the HTTP administration interface in certain daemons in ...) NOT-FOR-US: TIBCO Rendezvous (RV) CVE-2007-4158 (Memory leak in TIBCO Rendezvous (RV) daemon (rvd) 7.5.2, 7.5.3 and 7.5 ...) NOT-FOR-US: TIBCO Rendezvous (RV) CVE-2007-4157 (PHPBlogger stores sensitive information under the web root with insuff ...) NOT-FOR-US: PHPBlogger CVE-2007-4156 (Multiple SQL injection vulnerabilities in wolioCMS allow remote attack ...) NOT-FOR-US: wolioCMS CVE-2007-4155 (Absolute path traversal vulnerability in a certain ActiveX control in ...) - vmware-package 0.16 CVE-2007-4154 (SQL injection vulnerability in options.php in WordPress 2.2.1 allows r ...) {DSA-1564-1} - wordpress 2.2.2-1 CVE-2007-4153 (Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.2.1 ...) {DSA-1564-1} - wordpress 2.2.2-1 (low) NOTE: see issue 4690 and 4691 in wordpress trac CVE-2007-4152 (The Visionsoft Audit on Demand Service (VSAOD) in Visionsoft Audit 12. ...) NOT-FOR-US: Visionsoft Audit on Demand Service CVE-2007-4151 (The Visionsoft Audit on Demand Service (VSAOD) in Visionsoft Audit 12. ...) NOT-FOR-US: Visionsoft Audit on Demand Service CVE-2007-4150 (The Visionsoft Audit on Demand Service (VSAOD) in Visionsoft Audit 12. ...) NOT-FOR-US: Visionsoft Audit on Demand Service CVE-2007-4149 (The Visionsoft Audit on Demand Service (VSAOD) in Visionsoft Audit 12. ...) NOT-FOR-US: Visionsoft Audit on Demand Service CVE-2007-4148 (Heap-based buffer overflow in the Visionsoft Audit on Demand Service ( ...) NOT-FOR-US: Visionsoft Audit on Demand Service CVE-2007-4147 (Multiple unspecified vulnerabilities in Interspire ArticleLive NX befo ...) NOT-FOR-US: Interspire ArticleLive NX CVE-2007-4146 (Cross-site scripting (XSS) vulnerability in webevent.cgi in WebEvent 2 ...) NOT-FOR-US: WebEvent CVE-2007-4145 (Heap-based buffer overflow in the BlueSkychat (BlueSkyCat) ActiveX con ...) NOT-FOR-US: BlueSkychat CVE-2007-4144 (Cross-site scripting (XSS) vulnerability in sample-forms/simple-contac ...) NOT-FOR-US: MitriDAT eMail Form Processor Pro CVE-2007-4143 (user.php in the Billing Control Panel in phpCoupon allows remote authe ...) NOT-FOR-US: Billing Control Panel in phpCoupon CVE-2007-4142 (Cross-site scripting (XSS) vulnerability in IBM Lotus Sametime Server ...) NOT-FOR-US: IBM Lotus Sametime Server CVE-2007-4141 (OpenRat CMS 0.8-beta1 and earlier allows remote attackers to obtain se ...) NOT-FOR-US: OpenRat CMS CVE-2007-4140 (Buffer overflow in Live for Speed (LFS) S2 ALPHA PATCH 0.5x allows use ...) NOT-FOR-US: Live for Speed CVE-2007-4139 (Cross-site scripting (XSS) vulnerability in the Temporary Uploads edit ...) NOT-FOR-US: Temporary Uploads CVE-2007-4138 (The Winbind nss_info extension (nsswitch/idmap_ad.c) in idmap_ad.so in ...) - samba 3.0.26-1 [etch] - samba (Vulnerable code was introduced in 3.0.25) [sarge] - samba (Vulnerable code was introduced in 3.0.25) CVE-2007-4137 (Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech ...) {DSA-1426-1} - qt-x11-free 3:3.3.7-8 (medium; bug #442780) - qt4-x11 (Not exploitable according to upstream) CVE-2007-4136 (The ricci daemon in Red Hat Conga 0.10.0 allows remote attackers to ca ...) NOT-FOR-US: Conga CVE-2007-4135 (The NFSv4 ID mapper (nfsidmap) before 0.17 does not properly handle re ...) - libnfsidmap 0.18-0 (low; bug #442935) NOTE: https://issues.rpath.com/browse/RPL-1731 CVE-2007-4134 (Directory traversal vulnerability in extract.c in star before 1.5a84 a ...) - star 1.5a67-1.1 (bug #440100; low) [etch] - star (Minor issue) CVE-2007-4133 (The (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions i ...) {DSA-1504-1 DSA-1381-2} - linux-2.6 2.6.20-1 CVE-2007-4132 (Unspecified vulnerability in Red Hat Network Satellite Server 5.0.0 al ...) NOT-FOR-US: Red Hat Satellite Server CVE-2007-4131 (Directory traversal vulnerability in the contains_dot_dot function in ...) {DSA-1438-1} - tar 1.18-2 (medium; bug #439335) CVE-2007-4130 (The Linux kernel 2.6.9 before 2.6.9-67 in Red Hat Enterprise Linux (RH ...) - linux-2.6 2.6.12-1 (low) NOTE: a fix is included in 2.6, see line 854 mempolicy.c NOTE: it was maybe fixed earlier, 2.6.12 is the first version in git NOTE: which I can see and ships the fix CVE-2007-4129 (CoolKey 1.1.0 allows local users to overwrite arbitrary files via a sy ...) - coolkey 1.1.0-3 CVE-2007-4128 (SQL injection vulnerability in index.php in the Firestorm Technologies ...) NOT-FOR-US: com_gmaps for Joomla! CVE-2007-4127 NOT-FOR-US: Ralf Image Gallery CVE-2007-4126 (Unspecified vulnerability in the dynamic tracing framework (DTrace) on ...) NOT-FOR-US: Sun Solaris CVE-2007-4125 (Unspecified vulnerability in the Address and Routing Parameter Area (A ...) NOT-FOR-US: HP-UX CVE-2007-4124 (The session failover function in Cosminexus Component Container in Cos ...) NOT-FOR-US: Cosminexus CVE-2007-4123 (The Groupmax Scheduler_Facilities management tool in Hitachi Groupmax ...) NOT-FOR-US: Hitachi Groupmax CVE-2007-4122 (Unspecified vulnerability in Hitachi JP1/Cm2/Hierarchical Viewer (HV) ...) NOT-FOR-US: Hitachi Hierarchical Viewer CVE-2007-4121 (Multiple SQL injection vulnerabilities in admin.aspx in E-Commerce Scr ...) NOT-FOR-US: E-Commerce Scripts Shopping Cart Script CVE-2007-4120 NOT-FOR-US: vBulletin CVE-2007-4119 (Multiple SQL injection vulnerabilities in yonetici.asp in Berthanas Zi ...) NOT-FOR-US: Defteri CVE-2007-4118 (PHP remote file inclusion vulnerability in includes/functions.inc.php ...) NOT-FOR-US: phpVoter CVE-2007-4117 NOT-FOR-US: phpVoter CVE-2005-4860 (Spectrum Cash Receipting System before 6.504 uses weak cryptography (s ...) NOT-FOR-US: Spectrum Cash Receipting System CVE-2007-XXXX [teamspeak-server arbitrary file disclosure] - teamspeak-server 2.0.23.19-1 (bug #435707; medium) CVE-2007-XXXX [tor insufficient authentication on control port] - tor 0.1.2.16-1 CVE-2007-4116 (SQL injection vulnerability in philboard_forum.asp in Metyus Forum Por ...) NOT-FOR-US: Metyus Forum Portal CVE-2007-4115 (Multiple cross-site scripting (XSS) vulnerabilities in IT!CMS (itcms) ...) NOT-FOR-US: IT!CMS (itcms) CVE-2007-4114 (Multiple SQL injection vulnerabilities in unuttum.asp in SuskunDuygula ...) NOT-FOR-US: SuskunDuygular Uyelik Sistemi CVE-2007-4113 (Unspecified vulnerability in Advanced Webhost Billing System (AWBS) be ...) NOT-FOR-US: Advanced Webhost Billing System (AWBS) CVE-2007-4112 (Multiple SQL injection vulnerabilities in Advanced Webhost Billing Sys ...) NOT-FOR-US: Advanced Webhost Billing System (AWBS) CVE-2007-4111 (SQL injection vulnerability in the login script in Real Estate listing ...) NOT-FOR-US: Real Estate listing website CVE-2007-4110 (SQL injection vulnerability in sign_in.aspx in Message Board / Threade ...) NOT-FOR-US: Message Board / Threaded Discussion Forum Application Template CVE-2007-4109 (SQL injection vulnerability in sign_in.aspx in WebStore (Online Store ...) NOT-FOR-US: WebStore (Online StoreWebStore (Online Store Application Template) CVE-2007-4108 (SQL injection vulnerability in sign_in.aspx in WebEvents (Online Event ...) NOT-FOR-US: WebEvents (Online Event Registration Template) CVE-2007-4107 (SQL injection vulnerability in editpost.php in phpMyForum before 4.1.4 ...) NOT-FOR-US: phpMyForum CVE-2007-4106 (SQL injection vulnerability in login.asp in CodeWidgets Pay Roll - Tim ...) NOT-FOR-US: CodeWidgets Pay Roll - Time Sheet and Punch Card Application With Web Interface CVE-2007-4105 (A certain ActiveX control in BaiduBar.dll in Baidu Soba Search Bar 5.4 ...) NOT-FOR-US: Baidu Soba Search Bar CVE-2007-4104 (Multiple cross-site scripting (XSS) vulnerabilities in the WP-FeedStat ...) NOT-FOR-US: WP-FeedStats plugin for WordPress CVE-2007-4103 (The IAX2 channel driver (chan_iax2) in Asterisk Open 1.2.x before 1.2. ...) - asterisk 1:1.4.9~dfsg-1 [etch] - asterisk (Only 1.2.20, 1.2.21, 1.2.21.1 and 1.2.22 affected) [sarge] - asterisk (1.0 not affected) CVE-2007-4102 (Cross-site scripting (XSS) vulnerability in search.php for sBlog 0.7.3 ...) NOT-FOR-US: sBlog CVE-2007-4101 (Multiple PHP remote file inclusion vulnerabilities in Madoa Poll 1.1 a ...) NOT-FOR-US: Madoa Poll CVE-2007-4100 (MLDonkey before 2.9.0 does not load certain code from $MLDONKEY/web_in ...) - mldonkey 2.9.0-1 (bug #435439) [etch] - mldonkey (Minor issue) CVE-2007-4099 (Tor before 0.1.2.15 can select a guard node beyond the first listed ne ...) - tor 0.1.2.15-1 CVE-2007-4098 (Tor before 0.1.2.15 does not properly distinguish "streamids from diff ...) - tor 0.1.2.15-1 CVE-2007-4097 (Tor before 0.1.2.15 sends "destroy cells" containing the reason for te ...) - tor 0.1.2.15-1 CVE-2007-4096 (Buffer overflow in Tor before 0.1.2.15, when using BSD natd support, a ...) - tor 0.1.2.15-1 CVE-2007-4095 (SQL injection vulnerability in BSM Store Dependent Forums 1.02 allows ...) NOT-FOR-US: BSM Store Dependent Forums CVE-2007-4094 (PHP remote file inclusion vulnerability in library/authorize.php in ID ...) NOT-FOR-US: IDevSpot PhpHostBot CVE-2007-4093 (Minb Is Not a Blog (minb) stores sensitive information under the web r ...) NOT-FOR-US: Minb Is Not a Blog (minb) CVE-2007-4092 (Directory traversal vulnerability in index.php in iFoto 1.0.1 and earl ...) NOT-FOR-US: iFoto CVE-2007-4091 (Multiple off-by-one errors in the sender.c in rsync 2.6.9 might allow ...) {DSA-1360-1} - rsync 2.6.9-5 (bug #438125; medium) CVE-2007-4090 (Multiple cross-site scripting (XSS) vulnerabilities in Vikingboard 0.1 ...) NOT-FOR-US: Vikingboard CVE-2007-4089 (Vikingboard 0.1.2 allows remote attackers to obtain sensitive informat ...) NOT-FOR-US: Vikingboard CVE-2007-4088 (Multiple cross-site scripting (XSS) vulnerabilities in Vikingboard 0.1 ...) NOT-FOR-US: Vikingboard CVE-2007-4087 (AlstraSoft Video Share Enterprise allows remote attackers to obtain se ...) NOT-FOR-US: AlstraSoft Video Share Enterprise CVE-2007-4086 (Multiple SQL injection vulnerabilities in AlstraSoft Video Share Enter ...) NOT-FOR-US: AlstraSoft Video Share Enterprise CVE-2007-4085 (Multiple SQL injection vulnerabilities in AlstraSoft AskMe Pro allow r ...) NOT-FOR-US: AlstraSoft AskMe Pro CVE-2007-4084 (Multiple SQL injection vulnerabilities in AlstraSoft Affiliate Network ...) NOT-FOR-US: AlstraSoft Affiliate Network CVE-2007-4083 (Multiple cross-site scripting (XSS) vulnerabilities in AlstraSoft AskM ...) NOT-FOR-US: AlstraSoft AskMe Pro CVE-2007-4082 (Cross-site scripting (XSS) vulnerability in contact_author.php AlstraS ...) NOT-FOR-US: AlstraSoft Article Manager Pro CVE-2007-4081 (Multiple cross-site scripting (XSS) vulnerabilities in AlstraSoft Affi ...) NOT-FOR-US: AlstraSoft Affiliate Network Pro CVE-2007-4080 (Cross-site scripting (XSS) vulnerability in index.php AlstraSoft E-Fri ...) NOT-FOR-US: AlstraSoft CVE-2007-4079 (Multiple cross-site scripting (XSS) vulnerabilities in AlstraSoft SMS ...) NOT-FOR-US: AlstraSoft CVE-2007-4078 (Multiple cross-site scripting (XSS) vulnerabilities in AlstraSoft Text ...) NOT-FOR-US: AlstraSoft CVE-2007-4077 (Multiple cross-site scripting (XSS) vulnerabilities in AlstraSoft Vide ...) NOT-FOR-US: AlstraSoft CVE-2007-4076 (Multiple SQL injection vulnerabilities in index.asp in Alisveris Sites ...) NOT-FOR-US: Alisveris Sitesi Scripti CVE-2007-4075 (Cross-site scripting (XSS) vulnerability in index.asp in Alisveris Sit ...) NOT-FOR-US: Alisveris Sitesi Scripti CVE-2007-4074 (The default configuration of Centre for Speech Technology Research (CS ...) - festival 1.96~beta-6 (bug #435445; low) [etch] - festival (Minor issue) CVE-2007-4073 (Webbler CMS before 3.1.6 does not properly restrict use of "mail a fri ...) NOT-FOR-US: Webbler CMS CVE-2007-4072 (Webbler CMS before 3.1.6 provides the full installation path within HT ...) NOT-FOR-US: Webbler CMS CVE-2007-4071 (Multiple cross-site scripting (XSS) vulnerabilities in uploader/index. ...) NOT-FOR-US: Webbler CMS CVE-2007-4070 (Unspecified vulnerability in Low Bandwidth X proxy (lbxproxy) on Sun S ...) - lbxproxy CVE-2007-4069 (SQL injection vulnerability in show_cat.php in IndexScript 2.8 and ear ...) NOT-FOR-US: IndexScript CVE-2007-4068 (Multiple SQL injection vulnerabilities in Webyapar 2.0 allow remote at ...) NOT-FOR-US: Webyapar CVE-2007-4067 (Absolute path traversal vulnerability in the clInetSuiteX6.clWebDav Ac ...) NOT-FOR-US: Clever Internet ActiveX Suite CVE-2007-4066 (Multiple buffer overflows in Xiph.Org libvorbis before 1.2.0 allow con ...) {DSA-1471-1} - libvorbisidec 1.0.2+svn16259-2 (bug #669196) - libvorbis 1.2.0.dfsg-1 NOTE: svn revisionsions fixing this: https://bugzilla.redhat.com/show_bug.cgi?id=249780 CVE-2007-4065 (lib/vorbisfile.c in libvorbisfile in Xiph.Org libvorbis before 1.2.0 a ...) {DSA-1471-1} - libvorbisidec 1.0.2+svn16259-2 (bug #669196) - libvorbis 1.2.0.dfsg-1 NOTE: Just an infinite loop in an enduser multimedia libarary, not treated as a vulnerability NOTE: svn revisionions fixing this: https://bugzilla.redhat.com/show_bug.cgi?id=249780 CVE-2007-4064 (Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x befo ...) - drupal 4.7.7-1 (low) - drupal5 5.2-1 (low) [sarge] - drupal (Only Drupal 5.x is affected) CVE-2007-4063 (Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5 ...) - drupal5 5.2-1 (low) NOTE: DRUPAL-SA-2007-017 CVE-2007-4062 (The SCANCTRL.ScanCtrlCtrl.1 ActiveX control in scan.dll in Nessus Vuln ...) - nessus-core (Windows only) CVE-2007-4061 (Directory traversal vulnerability in a certain ActiveX control in Ness ...) - nessus-core (Windows only) CVE-2007-4060 (Multiple buffer overflows in the HttpSprockMake function in http.c in ...) NOT-FOR-US: corehttp CVE-2007-4059 (Absolute path traversal vulnerability in a certain ActiveX control in ...) - vmware-package 0.16 CVE-2007-4058 (Absolute path traversal vulnerability in a certain ActiveX control in ...) - vmware-package 0.16 CVE-2007-4057 (Unrestricted file upload vulnerability in pfs.php in Neocrome Seditio ...) NOT-FOR-US: Neocrome Seditio CVE-2007-4056 (SQL injection vulnerability in directory.php in Prozilla Adult Directo ...) NOT-FOR-US: Adult Directory CVE-2007-4055 (SQL injection vulnerability in comments_get.asp in SimpleBlog 3.0 allo ...) NOT-FOR-US: SimpleBlog CVE-2007-4054 (SQL injection vulnerability in category.php in PHP123 Top Sites allows ...) NOT-FOR-US: PHP123 Top Sites CVE-2007-4053 (SQL injection vulnerability in include/img_view.class.php in LinPHA 1. ...) NOT-FOR-US: LinPHA CVE-2007-4052 (Cross-site scripting (XSS) vulnerability in utilities/login.asp in nuk ...) NOT-FOR-US: nukedit CVE-2007-4051 (Heap-based buffer overflow in the FindFiles function in UltraDefrag 1. ...) NOT-FOR-US: UltraDefrag CVE-2007-4050 (Unspecified vulnerability in WebUI in ADempiere Bazaar before 3.3 beta ...) NOT-FOR-US: ADempiere Bazaar CVE-2007-4049 REJECTED CVE-2007-4048 (Cross-site scripting (XSS) vulnerability in index.php in phpSysInfo 2. ...) {DTSA-58-1} - phpsysinfo 2.5.1-6.1 (unimportant; bug #435935) - phpgroupware 0.9.16.012-1 (low; bug #435936; bug #472685) [etch] - phpgroupware (Affected code is not used in phpgroupware) - egroupware 1.2.107-2.dfsg-1.1 (low; bug #435937) NOTE: phpsysinfo alone doesn't maintain any data, which makes this an issue CVE-2007-4047 (geoBlog (aka BitDamaged) 1 does not require authentication for (1) del ...) NOT-FOR-US: geoBlog CVE-2007-4046 (SQL injection vulnerability in index.php in the Pony Gallery (com_pony ...) NOT-FOR-US: Pony Gallery CVE-2007-4045 (The CUPS service, as used in SUSE Linux before 20070720 and other Linu ...) - cupsys 1.2 - cups 1.2 NOTE: Since 1.2 allocation has changed and this issue is no longer exploitable CVE-2007-4044 REJECTED CVE-2007-4043 (file.cgi in Secure Computing SecurityReporter (aka Network Security An ...) NOT-FOR-US: Secure Computing SecurityReporter CVE-2007-4042 (Multiple argument injection vulnerabilities in Netscape Navigator 9 al ...) NOT-FOR-US: Netscape Navigator CVE-2007-4041 (Multiple argument injection vulnerabilities in Mozilla Firefox 2.0.0.5 ...) {DSA-1346-1 DSA-1345-1 DSA-1344-1 DTSA-51-1 DTSA-52-1 DTSA-53-1} - iceweasel 2.0.0.6-1 - xulrunner 1.8.1.9-1 - iceape 1.1.5-1 CVE-2007-4040 (Argument injection vulnerability involving Microsoft Outlook and Outlo ...) NOT-FOR-US: Micrsoft Outlook CVE-2007-4039 (Argument injection vulnerability involving Mozilla, when certain URIs ...) - icedove (Windows-specific) CVE-2007-4038 (Argument injection vulnerability in Mozilla Firefox before 2.0.0.5, wh ...) {DSA-1338-1} - iceweasel 2.0.0.5-1 CVE-2007-4037 NOT-FOR-US: Guidance Software CVE-2007-4036 NOT-FOR-US: Guidance Software CVE-2007-4035 NOT-FOR-US: Guidance Software CVE-2007-4034 (Stack-based buffer overflow in the YDPCTL.YDPControl.1 (aka Yahoo! Ins ...) NOT-FOR-US: Yahoo! Widgets CVE-2007-4033 (Buffer overflow in the intT1_EnvGetCompletePath function in lib/t1lib/ ...) {DSA-1390-1} - t1lib 5.1.0-3 (bug #439927) NOTE: originally posted as a php vuln, actually in libt1 NOTE: http://www.securityfocus.com/bid/25079 (particularly the discussions) CVE-2007-4032 (Buffer overflow in CrystalPlayer Pro 1.98 allows user-assisted remote ...) NOT-FOR-US: CrystalPlayer CVE-2007-4031 (Directory traversal vulnerability in a certain ActiveX control in Ness ...) NOT-FOR-US: Nessus ActiveX control CVE-2007-4030 RESERVED CVE-2007-4029 (libvorbis 1.1.2, and possibly other versions before 1.2.0, allows cont ...) {DSA-1471-1} - libvorbisidec 1.0.2+svn16259-2 (bug #669196) - libvorbis 1.2.0.dfsg-1 (medium; bug #437916) NOTE: svn revisions fixing this https://bugzilla.redhat.com/show_bug.cgi?id=249780 CVE-2007-4028 (Absolute path traversal vulnerability in index.php in Webspell 4.01.02 ...) NOT-FOR-US: WebSPELL CVE-2007-4027 (Buffer overflow in cli32 in Areca CLI 1.72.250 and earlier might allow ...) NOT-FOR-US: Areca CVE-2007-4026 (epesi framework before 0.8.6 does not properly verify file extensions, ...) NOT-FOR-US: epesi CVE-2007-4025 (Unspecified vulnerability in Sun Java System (SJS) Application Server ...) NOT-FOR-US: Sun Java System Application Server CVE-2007-4024 (Cross-site scripting (XSS) vulnerability in W1L3D4_aramasonuc.asp in W ...) NOT-FOR-US: W1L3D4 CVE-2007-4023 (Cross-site scripting (XSS) vulnerability in the login CGI program in A ...) NOT-FOR-US: Aruba Mobility Controller CVE-2007-4022 (Cross-site scripting (XSS) vulnerability in frontend/x/htaccess/change ...) NOT-FOR-US: cPanel CVE-2007-4021 (Multiple cross-site scripting (XSS) vulnerabilities in login.php in Br ...) NOT-FOR-US: Brain Book Software Secure CVE-2007-4020 (Multiple cross-site scripting (XSS) vulnerabilities in login.php in Ad ...) NOT-FOR-US: AdMan CVE-2007-4019 REJECTED CVE-2007-5645 REJECTED CVE-2007-4018 (Citrix Access Gateway Advanced Edition before firmware 4.5.5 allows at ...) NOT-FOR-US: Citrix CVE-2007-4017 (Cross-site request forgery (CSRF) vulnerability in the web-based admin ...) NOT-FOR-US: Citrix CVE-2007-4016 (Unspecified vulnerability in the client components in Citrix Access Ga ...) NOT-FOR-US: Citrix CVE-2007-4015 REJECTED CVE-2007-4014 (Cross-site scripting (XSS) vulnerability in a certain index.php instal ...) NOT-FOR-US: Blix themes for WordPress CVE-2007-4013 (Multiple unspecified vulnerabilities in (1) Net6Helper.DLL (aka Net6La ...) NOT-FOR-US: Citrix CVE-2007-4012 (Cisco 4100 and 4400, Airespace 4000, and Catalyst 6500 and 3750 Wirele ...) NOT-FOR-US: Cisco CVE-2007-4011 (Cisco 4100 and 4400, Airespace 4000, and Catalyst 6500 and 3750 Wirele ...) NOT-FOR-US: Cisco CVE-2007-4010 (The win32std extension in PHP 5.2.3 does not follow safe_mode and disa ...) - php5 (Windows-specific issue) CVE-2007-4009 (PHP remote file inclusion vulnerability in admin/business_inc/saveserv ...) NOT-FOR-US: SWSoft Confixx CVE-2007-4008 (Directory traversal vulnerability in custom.php in Entertainment Media ...) NOT-FOR-US: Entertainment CMS CVE-2007-4007 (PHP remote file inclusion vulnerability in index.php in Article Direct ...) NOT-FOR-US: Article Directory CVE-2007-4006 (Buffer overflow in Mike Dubman Windows RSH daemon (rshd) 1.7 has unkno ...) NOT-FOR-US: Mike Dubman Windows RSH daemon CVE-2007-4005 (Stack-based buffer overflow in Mike Dubman Windows RSH daemon (rshd) 1 ...) NOT-FOR-US: Mike Dubman Windows RSH daemon CVE-2007-4004 (Buffer overflow in the ftp client in IBM AIX 5.3 SP6 and 5.2.0 allows ...) NOT-FOR-US: IBM AIX CVE-2007-4003 (pioout in IBM AIX 5.3 SP6 allows local users to execute arbitrary code ...) NOT-FOR-US: IBM AIX CVE-2007-4002 RESERVED CVE-2007-4001 RESERVED CVE-2007-4000 (The kadm5_modify_policy_internal function in lib/kadm5/srv/svr_policy. ...) - krb5 1.6.dfsg.1-7 (high) [etch] - krb5 (Vulnerable code not present) [sarge] - krb5 (Vulnerable code not present) CVE-2007-3999 (Stack-based buffer overflow in the svcauth_gss_validate function in li ...) {DSA-1368-1 DSA-1367-1} - librpcsecgss 0.14-3 - krb5 1.6.dfsg.1-7 (high) [sarge] - krb5 (Vulnerable code not present) CVE-2007-3998 (The wordwrap function in PHP 4 before 4.4.8, and PHP 5 before 5.2.4, d ...) {DSA-1578-1 DSA-1444-1 DTSA-61-1} - php5 5.2.4-1 (low) - php4 (low) NOTE: this applies to php4 as well NOTE: i think it is medium since it can be easily used to DoS on shared hosting systems NOTE: a diff between 5.2.3 (debian) and 5.2.4 (upstream) of ext/standard/string.c NOTE: so maybe this is already fixed in 5.2.3, not sure NOTE: fixed in php5/etch svn NOTE: http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/string.c?r1=1.445.2.14.2.63&r2=1.445.2.14.2.64 CVE-2007-3997 (The (1) MySQL and (2) MySQLi extensions in PHP 4 before 4.4.8, and PHP ...) - php5 5.2.4-1 (unimportant) - php4 (unimportant) NOTE: only exploitable by malicious script CVE-2007-3996 (Multiple integer overflows in libgd in PHP before 5.2.4 allow remote a ...) {DSA-1613-1} - libgd2 2.0.35.dfsg-1 (bug #443456; medium) - libwmf (unimportant) - racket 5.0.2-1 (unimportant; bug #601525) NOTE: Only present in one of the sample pl-scheme packages (plot) NOTE: Debian's PHP packages are linked dynamically against libgd NOTE: see http://www.php.net/releases/5_2_4.php CVE-2007-3995 RESERVED CVE-2007-3994 RESERVED CVE-2007-3993 (Unspecified vulnerability in the attachment filter in Kerio MailServer ...) NOT-FOR-US: Kerio MailServer CVE-2007-3992 (SQL injection vulnerability in vir_login.asp in iExpress Property Pro ...) NOT-FOR-US: iExpress Property Pro CVE-2007-3991 (Multiple cross-site scripting (XSS) vulnerabilities in cv.asp in Asp c ...) NOT-FOR-US: Asp cvmatik CVE-2007-3990 (SQL injection vulnerability in default.asp in Dora Emlak 1.0, when the ...) NOT-FOR-US: Dora Emlak CVE-2007-3989 (Multiple cross-site scripting (XSS) vulnerabilities in default.asp in ...) NOT-FOR-US: Dora Emlak CVE-2007-3988 (Session fixation vulnerability in Virtual Hosting Control System (VHCS ...) NOT-FOR-US: Virtual Hosting Control System CVE-2007-3987 (SQL injection vulnerability in SearchResults.asp in ImageRacer 1.0, wh ...) NOT-FOR-US: ImageRacer CVE-2007-3986 (file.cgi in Secure Computing SecurityReporter (aka Network Security An ...) NOT-FOR-US: Secure Computing SecurityReporter CVE-2007-3985 (Directory traversal vulnerability in file.cgi in Secure Computing Secu ...) NOT-FOR-US: Secure Computing SecurityReporter CVE-2007-3984 (Buffer overflow in a certain ActiveX control in the NixonMyPrograms cl ...) NOT-FOR-US: Zenturi ProgramChecker CVE-2007-3983 (Absolute path traversal vulnerability in the Data Dynamics DDActiveRep ...) NOT-FOR-US: ActiveReports CVE-2007-3982 (Absolute path traversal vulnerability in the Data Dynamics ActiveRepor ...) NOT-FOR-US: ActiveReports CVE-2007-3981 (SQL injection vulnerability in index.php in WSN Links Basic Edition al ...) NOT-FOR-US: WSN Links CVE-2007-3980 (PHP remote file inclusion vulnerability in page.php in RCMS Pro RGameS ...) NOT-FOR-US: RCMS Pro RGameScript Pro CVE-2007-3979 (SQL injection vulnerability in index.php in BlogSite Professional (aka ...) NOT-FOR-US: BlogSite Professional CVE-2007-3978 (Session fixation vulnerability in bwired allows remote attackers to hi ...) NOT-FOR-US: bwired CVE-2007-3977 (Cross-site scripting (XSS) vulnerability in bwired allows remote attac ...) NOT-FOR-US: bwired CVE-2007-3976 (SQL injection vulnerability in index.php in bwired allows remote attac ...) NOT-FOR-US: bwired CVE-2007-3975 (Cross-site scripting (XSS) vulnerability in index.php in Elite Forum 1 ...) NOT-FOR-US: Elite Forum CVE-2007-3974 (admin/ajoutaut.php in JBlog 1.0 does not require authentication, which ...) NOT-FOR-US: JBlog CVE-2007-3973 (Multiple cross-site scripting (XSS) vulnerabilities in JBlog 1.0 allow ...) NOT-FOR-US: JBlog CVE-2007-3972 (ESET NOD32 Antivirus before 2.2289 allows remote attackers to cause a ...) NOT-FOR-US: ESET NOD32 Antivirus CVE-2007-3971 (Integer overflow in ESET NOD32 Antivirus before 2.2289 allows remote a ...) NOT-FOR-US: ESET NOD32 Antivirus CVE-2007-3970 (Race condition in ESET NOD32 Antivirus before 2.2289 allows remote att ...) NOT-FOR-US: ESET NOD32 Antivirus CVE-2007-3969 (Buffer overflow in Panda Antivirus before 20070720 allows remote attac ...) NOT-FOR-US: Panda Antivirus CVE-2007-3968 (index.php in dirLIST before 0.1.1 allows remote attackers to list the ...) NOT-FOR-US: dirLIST CVE-2007-3967 (Directory traversal vulnerability in index.php in PHP Directory Lister ...) NOT-FOR-US: dirLIST CVE-2007-3966 (SQL injection vulnerability in Munch Pro allows remote attackers to ex ...) NOT-FOR-US: Munch Pro CVE-2007-3965 (Unspecified vulnerability in uFMOD before 1.2.5 has unknown impact and ...) NOT-FOR-US: uFMOD CVE-2007-3964 (Itaka before 0.2.1, when using Authentication mode, allows remote atta ...) NOT-FOR-US: Itaka CVE-2007-3963 (Multiple cross-site scripting (XSS) vulnerabilities in UseBB 1.0.7, an ...) NOT-FOR-US: UseBB CVE-2007-3962 (Multiple stack-based buffer overflows in fsplib.c in fsplib before 0.9 ...) NOT-FOR-US: fsplib, vulnerable code not present in lib.c from fsp source package CVE-2007-3961 (Off-by-one error in the fsp_readdir_r function in fsplib.c in fsplib b ...) NOT-FOR-US: fsplib, vulnerable code not present in lib.c from fsp source package CVE-2007-3960 (Multiple unspecified vulnerabilities in IBM WebSphere Application Serv ...) NOT-FOR-US: IBM WebSphere CVE-2007-3959 (The IM Server (aka IMserve or IMserver) 2.0.5.30 and probably earlier ...) NOT-FOR-US: Ipswitch Collaboration Suite (ICS) CVE-2007-3958 (Microsoft Windows Explorer (explorer.exe) allows user-assisted remote ...) NOT-FOR-US: Microsoft CVE-2007-3957 (Buffer overflow in Nipun Jain xserver 0.1 alpha allows remote attacker ...) NOT-FOR-US: Nipun Jain xserver CVE-2007-3956 (TeamSpeak WebServer 2.0 for Windows does not validate parameter value ...) - teamspeak-server 2.0.23.19-1 (bug #435707) CVE-2007-3955 (Buffer overflow in the IEToolbar.IEContextMenu.1 ActiveX control in Li ...) NOT-FOR-US: LinkedIn Toolbar CVE-2007-3954 (Argument injection vulnerability in Microsoft Internet Explorer, when ...) NOT-FOR-US: Microsoft CVE-2007-3953 (The OLE2 parsing in Norman Antivirus before 5.91.02 allows remote atta ...) NOT-FOR-US: Norman Antivirus CVE-2007-3952 (The OLE2 parsing in Norman Antivirus before 5.91.02 allows remote atta ...) NOT-FOR-US: Norman Antivirus CVE-2007-3951 (Multiple buffer overflows in Norman Antivirus 5.90 allow remote attack ...) NOT-FOR-US: Norman Antivirus CVE-2007-3950 (lighttpd 1.4.15, when run on 32 bit platforms, allows remote attackers ...) {DSA-1362-1} - lighttpd 1.4.16-1 (bug #434888) CVE-2007-3949 (mod_access.c in lighttpd 1.4.15 ignores trailing / (slash) characters ...) {DSA-1362-1} - lighttpd 1.4.16-1 (bug #434888) CVE-2007-3948 (connections.c in lighttpd before 1.4.16 might accept more connections ...) - lighttpd 1.4.16-1 (low; bug #434888) CVE-2007-3947 (request.c in lighttpd 1.4.15 allows remote attackers to cause a denial ...) {DSA-1362-1} - lighttpd 1.4.16-1 (bug #428368) [etch] - libghttpd (Accidentally omitted in DSA, but doesn't warrant another update itself) CVE-2007-3946 (mod_auth (http_auth.c) in lighttpd before 1.4.16 allows remote attacke ...) {DSA-1362-1} - lighttpd 1.4.16-1 (bug #434888) CVE-2007-3945 (Rule Set Based Access Control (RSBAC) before 1.3.5 does not properly u ...) NOT-FOR-US: Rule Set Based Access Control (RSBAC) CVE-2007-3944 (Multiple heap-based buffer overflows in the Perl Compatible Regular Ex ...) NOT-FOR-US: MobileSafari CVE-2007-3943 (SQL injection vulnerability in Infinite Responder before 1.48 allows r ...) NOT-FOR-US: Infinite Responder CVE-2007-3942 NOT-FOR-US: Simple Machines Forum CVE-2007-3941 (Cross-site scripting (XSS) vulnerability in profile.php in Jasmine CMS ...) NOT-FOR-US: Jasmine CMS CVE-2007-3940 (Cross-site scripting (XSS) vulnerability in default.asp in QuickerSite ...) NOT-FOR-US: QuickerSite CVE-2007-3939 (SQL injection vulnerability in index.php in SpoonLabs Vivvo Article Ma ...) NOT-FOR-US: Vivvo Article Management CMS CVE-2007-3938 (SQL injection vulnerability in index.php in MAXdev MDPro (MD-Pro) 1.0. ...) NOT-FOR-US: MAXdev MDPro (MD-Pro) CVE-2007-3937 (Multiple SQL injection vulnerabilities in A-shop 0.70 and earlier allo ...) NOT-FOR-US: A-shop CVE-2007-3936 (Directory traversal vulnerability in admin/filebrowser.asp in A-shop 0 ...) NOT-FOR-US: A-shopA-shop CVE-2007-3935 (PHP remote file inclusion vulnerability in link_main.php in the SupaNa ...) NOT-FOR-US: SupaNav CVE-2007-3934 (PHP remote file inclusion vulnerability in postscript/postscript.php i ...) NOT-FOR-US: BBS E-Market CVE-2007-3933 (SQL injection vulnerability in insertorder.cfm in QuickEStore 8.2 and ...) NOT-FOR-US: QuickEStore CVE-2007-3932 (uploadimg.php in the Expose RC35 and earlier (com_expose) component fo ...) NOT-FOR-US: Expose RC35 for Joomla CVE-2007-3931 (The wrap_setuid_third_party_application function in the installation s ...) NOT-FOR-US: Samsung SCX-4200 Driver installation script CVE-2007-3930 (Interpretation conflict between Microsoft Internet Explorer and DocuWi ...) NOT-FOR-US: Microsoft CVE-2007-3929 (Use-after-free vulnerability in the BitTorrent support in Opera before ...) NOT-FOR-US: Opera CVE-2007-3928 (Buffer overflow in Yahoo! Messenger 8.1 allows user-assisted remote au ...) NOT-FOR-US: Yahoo! Messenger CVE-2007-3927 (Multiple buffer overflows in Ipswitch IMail Server 2006 before 2006.21 ...) NOT-FOR-US: Ipswitch IMail Server CVE-2007-3926 (Ipswitch IMail Server 2006 before 2006.21 allows remote attackers to c ...) NOT-FOR-US: Ipswitch IMail Server CVE-2007-3925 (Multiple buffer overflows in the IMAP service (imapd32.exe) in Ipswitc ...) NOT-FOR-US: Ipswitch IMail Server CVE-2007-3924 (Argument injection vulnerability in Microsoft Internet Explorer, when ...) NOT-FOR-US: Microsoft CVE-2007-3923 (The Common Internet File System (CIFS) optimization in Cisco Wide Area ...) NOT-FOR-US: Cisco CVE-2007-3922 (Unspecified vulnerability in the Java Runtime Environment (JRE) Applet ...) - sun-java5 1.5.0-12-2 [etch] - sun-java5 1.5.0-14-1etch1 - sun-java6 6-02-1 - openjdk-6 6b08-1 (bug #566766) CVE-2007-3921 (gforge 3.1 and 4.5.14 allows local users to truncate arbitrary files v ...) {DSA-1402-1} - gforge 4.6.99+svn6169-1 CVE-2007-3920 (GNOME screensaver 2.20 in Ubuntu 7.10, when used with Compiz, does not ...) {DTSA-75-1} [etch] - gnome-screensaver (Affected Compiz not present in Etch version) [etch] - xorg-server (Affected Compiz not present in Etch version) - gnome-screensaver 2.20.0-1.1 - xorg-server 2:1.4.1~git20080118-1 (bug #449108; medium) CVE-2007-3919 ((1) xenbaked and (2) xenmon.py in Xen 3.1 and earlier allow local user ...) {DSA-1395-1} - xen-unstable 3.0-unstable+hg11561-1 (low; bug #464044) - xen-3 3.1.2-1 (low) CVE-2007-3918 (Cross-site scripting (XSS) vulnerability in account/verify.php in GFor ...) {DSA-1383-1} - gforge 4.6.99+svn6094-1 CVE-2007-3917 (The multiplayer engine in Wesnoth 1.2.x before 1.2.7 and 1.3.x before ...) {DSA-1386-1} - wesnoth 1.2.7-1 CVE-2007-3916 (The main function in skkdic-expr.c in SKK Tools 1.2 allows local users ...) - skktools 1.2+0.20061004-3 (low) [sarge] - skktools (Minor issue) [etch] - skktools (Minor issue) CVE-2007-3915 (Mondo 2.24 has insecure handling of temporary files. ...) - mondo 2.24-2 (low) CVE-2007-3914 RESERVED CVE-2007-3913 (SQL injection vulnerability in Gforge before 3.1 allows remote attacke ...) {DSA-1369-1 DTSA-57-1} - gforge 4.6.99+svn6086-1 CVE-2007-3912 (checkrestart in debian-goodies before 0.34 allows local users to gain ...) {DSA-1527-1} - debian-goodies 0.34 (bug #440411; medium) CVE-2007-3911 (Multiple heap-based buffer overflows in (1) clsscheduler.exe (aka sche ...) NOT-FOR-US: BakBone NetVault Reporter CVE-2007-3910 (Cross-site scripting (XSS) vulnerability in Bandersnatch 0.4 allows re ...) - bandersnatch (low; bug #435709) CVE-2007-3909 (Multiple SQL injection vulnerabilities in Bandersnatch 0.4 allow remot ...) - bandersnatch (low; bug #435709) CVE-2007-3908 (Unspecified vulnerability in HP ServiceGuard for Linux for Red Hat Ent ...) NOT-FOR-US: HP ServiceGuard CVE-2007-3907 (Unspecified vulnerability in login.pl in LedgerSMB 1.2.0 through 1.2.6 ...) NOT-FOR-US: LedgerSMB CVE-2007-3906 (Unspecified vulnerability in Kaspersky Anti-Virus for Check Point Fire ...) NOT-FOR-US: Kaspersky Anti-Virus CVE-2007-3905 (SQL injection vulnerability in Zoph before 0.7.0.1 might allow remote ...) {DSA-1389-2 DSA-1389-1} - zoph 0.7.0.2-1 (bug #435711) CVE-2007-3904 REJECTED CVE-2007-3903 (Microsoft Internet Explorer 6 and 7 allows remote attackers to execute ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2007-3902 (Use-after-free vulnerability in the CRecalcProperty function in mshtml ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2007-3901 (Stack-based buffer overflow in the DirectShow Synchronized Accessible ...) NOT-FOR-US: Microsoft DirectX CVE-2007-3900 REJECTED CVE-2007-3899 (Unspecified vulnerability in Microsoft Word 2000 SP3, Word 2002 SP3, a ...) NOT-FOR-US: Microsoft Word CVE-2007-3898 (The DNS server in Microsoft Windows 2000 Server SP4, and Server 2003 S ...) NOT-FOR-US: Microsoft Windows CVE-2007-3897 (Heap-based buffer overflow in Microsoft Outlook Express 6 and earlier, ...) NOT-FOR-US: Outlook Express CVE-2007-3896 (The URL handling in Shell32.dll in the Windows shell in Microsoft Wind ...) NOT-FOR-US: Windows CVE-2007-3895 (Buffer overflow in Microsoft DirectShow in Microsoft DirectX 7.0 throu ...) NOT-FOR-US: Microsoft DirectX CVE-2007-3894 REJECTED CVE-2007-3893 (Unspecified vulnerability in Microsoft Internet Explorer 5.01 through ...) NOT-FOR-US: Internet Explorer CVE-2007-3892 (Microsoft Internet Explorer 5.01 through 7 allows remote attackers to ...) NOT-FOR-US: Internet Explorer CVE-2007-3891 (Unspecified vulnerability in Windows Vista Weather Gadgets in Windows ...) NOT-FOR-US: Windows Vista CVE-2007-3890 (Microsoft Excel in Office 2000 SP3, Office XP SP3, Office 2003 SP2, an ...) NOT-FOR-US: Microsoft CVE-2007-3889 (Multiple SQL injection vulnerabilities in Insanely Simple Blog 0.5 and ...) NOT-FOR-US: Insanely Simple Blog CVE-2007-3888 (Multiple cross-site scripting (XSS) vulnerabilities in Insanely Simple ...) NOT-FOR-US: Insanely Simple Blog CVE-2007-3887 (Multiple cross-site scripting (XSS) vulnerabilities in mesaj_formu.asp ...) NOT-FOR-US: ASP Ziyaretci Defteri CVE-2007-3886 (Cross-site scripting (XSS) vulnerability in default.asp in Element CMS ...) NOT-FOR-US: Element CMS CVE-2007-3885 (Cross-site scripting (XSS) vulnerability in philboard_search.asp in hu ...) NOT-FOR-US: husrevforum CVE-2007-3884 (SQL injection vulnerability in philboard_forum.asp in husrevforum 1.0. ...) NOT-FOR-US: husrevforum CVE-2007-3883 (The Data Dynamics ActiveBar ActiveX control (actbar3.ocx) 3.2 and earl ...) NOT-FOR-US: Data Dynamics ActiveBar ActiveX control CVE-2007-3882 (SQL injection vulnerability in index.php in Expert Advisor allows remo ...) NOT-FOR-US: Expert Advisor CVE-2007-3881 (SQL injection vulnerability in index.php in Pictures Rating (Picture R ...) NOT-FOR-US: Pictures Rating CVE-2007-3880 (Format string vulnerability in srsexec in Sun Remote Services (SRS) Ne ...) NOT-FOR-US: Net Connect CVE-2007-3879 RESERVED CVE-2007-3878 RESERVED CVE-2007-3877 RESERVED CVE-2007-3876 (Stack-based buffer overflow in SMB in Apple Mac OS X 10.4.11 allows lo ...) NOT-FOR-US: SMB (Apple Mac OS X) CVE-2007-3875 (arclib.dll before 7.3.0.9 in CA Anti-Virus (formerly eTrust Antivirus) ...) NOT-FOR-US: CA Anti-Virus CVE-2007-3874 (Directory traversal vulnerability in the tftp/mftp daemon in the PXE s ...) NOT-FOR-US: Symantec Altiris Deployment Solution CVE-2007-3873 (Stack-based buffer overflow in vstlib32.dll 1.2.0.1012 in the SSAPI En ...) NOT-FOR-US: SSAPI Engine CVE-2007-3872 (Multiple stack-based buffer overflows in the Shared Trace Service (OVT ...) NOT-FOR-US: HP OpenView CVE-2007-3871 (Stampit Web uses guessable id values for online stamp purchases, which ...) NOT-FOR-US: Stampit CVE-2006-7221 (Multiple off-by-one errors in fsplib.c in fsplib before 0.8 allow atta ...) - gftp 2.0.18-17 (unimportant; bug #437710) CVE-2007-XXXX [dokuwiki XSS in spellchecker] - dokuwiki 0.0.20070626b-1 (unimportant; bug #434134) NOTE: IE browser bug are not treated as security issues in packages applications CVE-2007-3870 (Multiple unspecified vulnerabilities in the Human Capital Management c ...) NOT-FOR-US: Oracle CVE-2007-3869 (Multiple unspecified vulnerabilities in the Customer Relationship Mana ...) NOT-FOR-US: Oracle CVE-2007-3868 (Multiple unspecified vulnerabilities in PeopleTools in Oracle PeopleSo ...) NOT-FOR-US: Oracle CVE-2007-3867 (Multiple unspecified vulnerabilities in Oracle E-Business Suite 11.5.1 ...) NOT-FOR-US: Oracle CVE-2007-3866 (Multiple unspecified vulnerabilities in Oracle E-Business Suite 11.5.1 ...) NOT-FOR-US: Oracle CVE-2007-3865 (Unspecified vulnerability in the Oracle Customer Intelligence componen ...) NOT-FOR-US: Oracle CVE-2007-3864 (Multiple unspecified vulnerabilities in Oracle Collaboration Suite 10. ...) NOT-FOR-US: Oracle CVE-2007-3863 (Unspecified vulnerability in Oracle JDeveloper for Application Server ...) NOT-FOR-US: Oracle CVE-2007-3862 (Unspecified vulnerability in Oracle Application Server 9.0.4.3 and 10. ...) NOT-FOR-US: Oracle CVE-2007-3861 (Unspecified vulnerability in Oracle Jdeveloper in Oracle Application S ...) NOT-FOR-US: Oracle CVE-2007-3860 (Unspecified vulnerability in Oracle Application Express (formerly Orac ...) NOT-FOR-US: Oracle CVE-2007-3859 (Unspecified vulnerability in the Oracle Internet Directory component f ...) NOT-FOR-US: Oracle CVE-2007-3858 (Multiple unspecified vulnerabilities in Oracle Database 10.2.0.3 allow ...) NOT-FOR-US: Oracle CVE-2007-3857 (Multiple unspecified vulnerabilities in Oracle Database 10.1.0.5 allow ...) NOT-FOR-US: Oracle CVE-2007-3856 (Unspecified vulnerability in the Oracle Data Mining component for Orac ...) NOT-FOR-US: Oracle CVE-2007-3855 (Multiple unspecified vulnerabilities in Oracle Database 9.0.1.5+, 9.2. ...) NOT-FOR-US: Oracle CVE-2007-3854 (Multiple unspecified vulnerabilities in Oracle Database 9.0.1.5+, 9.2. ...) NOT-FOR-US: Oracle CVE-2007-3853 (Multiple unspecified vulnerabilities in Oracle Database 10.1.0.5 and 1 ...) NOT-FOR-US: Oracle CVE-2007-3852 (The init script (sysstat.in) in sysstat 5.1.2 up to 7.1.6 creates /tmp ...) - sysstat (We have our own init script not prone to this vulnerability) CVE-2007-3851 (The drm/i915 component in the Linux kernel before 2.6.22.2, when used ...) {DSA-1356-1} - linux-2.6 2.6.22-4 CVE-2007-3850 (The eHCA driver in Linux kernel 2.6 before 2.6.22, when running on Pow ...) - linux-2.6 (Debian's kernel doesn't enable CONFIG_PPC_64K_PAGES) CVE-2007-3849 (Red Hat Enterprise Linux (RHEL) 5 ships the rpm for the Advanced Intru ...) NOT-FOR-US: RedHat Advanced Intrusion Detection Environment CVE-2007-3848 (Linux kernel 2.4.35 and other versions allows local users to send arbi ...) {DSA-1503-2 DSA-1504-1 DSA-1503-1 DSA-1356-1} - linux-2.6 2.6.22-4 CVE-2007-3847 (The date handling code in modules/proxy/proxy_util.c (mod_proxy) in Ap ...) - apache2 2.2.6-1 (bug #441845; low) [etch] - apache2 2.2.3-4+etch3 (bug #441845; low) - apache (unimportant) NOTE: Apache 1.3 is non-threaded, therefore unimportant CVE-2007-3846 (Directory traversal vulnerability in Subversion before 1.4.5, as used ...) NOT-FOR-US: TortoiseSVN on Windows CVE-2007-3845 (Mozilla Firefox before 2.0.0.6, Thunderbird before 1.5.0.13 and 2.x be ...) {DSA-1391-1 DSA-1346-1 DSA-1345-1 DSA-1344-1 DTSA-51-1 DTSA-52-1 DTSA-53-1 DTSA-71-1} - iceweasel 2.0.0.6-1 (medium) - xulrunner 1.8.1.6-1 (medium) - iceape 1.1.3-2 (medium) - icedove 2.0.0.6-1 (medium) NOTE: MFSA2007-27 CVE-2007-3844 (Mozilla Firefox 2.0.0.5, Thunderbird 2.0.0.5 and before 1.5.0.13, and ...) {DSA-1391-1 DSA-1346-1 DSA-1345-1 DSA-1344-1 DTSA-51-1 DTSA-52-1 DTSA-53-1 DTSA-71-1} - iceweasel 2.0.0.6-1 (medium) - xulrunner 1.8.1.6-1 (medium) - iceape 1.1.3-2 (medium) - icedove 2.0.0.6-1 (medium) NOTE: MFSA2007-26 CVE-2007-3843 (The Linux kernel before 2.6.23-rc1 checks the wrong global variable fo ...) {DSA-1363-1} - linux-2.6 2.6.23-1 (bug #446073) CVE-2007-3842 (Cross-site scripting (XSS) vulnerability in the 8e6 R3000 Enterprise F ...) NOT-FOR-US: 8e6 R3000 Enterprise Filter CVE-2007-3841 (Unspecified vulnerability in Pidgin (formerly Gaim) 2.0.2 for Linux al ...) NOTE: this information is based upon a vague advisory by a vulnerability NOTE: information sales organization that does not coordinate with vendors or NOTE: release actionable advisories. So maybe it is not fixed _but_ since it is NOTE: not disclosed it would be hard to fix and track it. CVE-2007-3840 (SQL injection vulnerability in referralUrl.php in Traffic Stats allows ...) NOT-FOR-US: Traffic Stats CVE-2007-3839 (Cross-site scripting (XSS) vulnerability in takeprofedit.php in TBDev. ...) NOT-FOR-US: TBDev.NET CVE-2007-3838 (Cross-site scripting (XSS) vulnerability in takeprofedit.php in TBDev. ...) NOT-FOR-US: TBDev.NET CVE-2007-3837 (Heap-based buffer overflow in HydraIRC 0.3.151 allows remote IRC serve ...) NOT-FOR-US: HydraIRC CVE-2007-3836 (Format string vulnerability in HydraIRC 0.3.151 allows remote attacker ...) NOT-FOR-US: HydraIRC CVE-2007-3835 (Cross-site scripting (XSS) vulnerability in Ex Libris MetaLib 3.13 and ...) NOT-FOR-US: Ex Libris MetaLib CVE-2007-3834 (Multiple cross-site scripting (XSS) vulnerabilities in Ex Libris ALEPH ...) NOT-FOR-US: Ex Libris ALEPH CVE-2007-3833 (The AOL Instant Messenger (AIM) protocol handler in Cerulean Studios T ...) NOT-FOR-US: Trillian CVE-2007-3832 (Buffer overflow in the AOL Instant Messenger (AIM) protocol handler in ...) NOT-FOR-US: Trillian CVE-2007-3831 (PHP remote file inclusion in main.php in ISS Proventia Network IPS GX5 ...) NOT-FOR-US: ISS Proventia Network IPS CVE-2007-3830 (Cross-site scripting (XSS) vulnerability in alert.php in ISS Proventia ...) NOT-FOR-US: ISS Proventia Network IPS CVE-2007-3829 (Multiple stack-based buffer overflows in (a) InterActual Player 2.60.1 ...) NOT-FOR-US: InterActual Player CVE-2007-3828 (Unspecified vulnerability in mDNSResponder in Apple Mac OS X allows re ...) NOT-FOR-US: Apple Mac OS X CVE-2007-3827 (Mozilla Firefox allows for cookies to be set with a null domain (aka " ...) NOTE: Unreproducible for upstream NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=388097 CVE-2007-3826 (Microsoft Internet Explorer 7 on Windows XP SP2 allows remote attacker ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2007-3825 (Multiple stack-based buffer overflows in the RPC implementation in ale ...) NOT-FOR-US: CA Alert Notification Server CVE-2007-3824 (SQL injection vulnerability in katgoster.asp in MzK Blog (tr) allows r ...) NOT-FOR-US: MzK Blog CVE-2007-3823 (The Logging Server (Logsrv.exe) in IPSwitch WS_FTP 7.5.29.0 allows rem ...) NOT-FOR-US: IPSwitch WS_FTP CVE-2007-3822 (Multiple cross-site scripting (XSS) vulnerabilities in Webcit before 7 ...) NOT-FOR-US: Webcit CVE-2007-3821 (Cross-site request forgery (CSRF) vulnerability in Webcit before 7.11 ...) NOT-FOR-US: Webcit CVE-2007-3819 (Opera 9.21 allows remote attackers to spoof the data: URI scheme in th ...) NOT-FOR-US: Opera CVE-2007-3818 (Cross-site scripting (XSS) vulnerability in the LoginToboggan module 5 ...) NOT-FOR-US: LoginToboggan CVE-2007-3817 (Cross-site scripting (XSS) vulnerability in the LoginToboggan module 4 ...) NOT-FOR-US: LoginToboggan CVE-2007-3816 NOT-FOR-US: JWIG CVE-2007-3815 (Buffer overflow in pirs32.exe in Poslovni informator Republike Sloveni ...) NOT-FOR-US: Poslovni informator Republike Slovenije CVE-2007-3814 (Multiple SQL injection vulnerabilities in MKPortal 1.1.1 allow remote ...) NOT-FOR-US: MKPortal CVE-2007-3813 (PHP remote file inclusion vulnerability in include/user.php in the NoB ...) NOT-FOR-US: NoBoard BETA module for MKPortal CVE-2007-3812 (SQL injection vulnerability in forums.php in CMScout 1.23 and earlier ...) NOT-FOR-US: CMScout CVE-2007-3811 (Multiple SQL injection vulnerabilities in eSyndiCat allow remote attac ...) NOT-FOR-US: eSyndiCat CVE-2007-3810 (SQL injection vulnerability in index.php in Realtor 747 allows remote ...) NOT-FOR-US: Realtor 747 CVE-2007-3809 (Multiple SQL injection vulnerabilities in Prozilla Directory Script al ...) NOT-FOR-US: Prozilla Directory Script CVE-2007-3808 (SQL injection vulnerability in includes/search.php in paFileDB 3.6 all ...) NOT-FOR-US: paFileDB CVE-2007-3807 (Multiple cross-site scripting (XSS) vulnerabilities in SiteScape Forum ...) NOT-FOR-US: SiteScape Forum CVE-2007-3806 (The glob function in PHP 5.2.3 allows context-dependent attackers to c ...) {DSA-1578-1 DSA-1572-1 DTSA-61-1} - php5 5.2.4-1 (medium; bug #441433) - php4 [etch] - php5 (requires malicious script) [etch] - php4 (requires malicious script) [sarge] - php4 (requires malicious script) CVE-2007-3805 (The IKE implementation in Clavister CorePlus before 8.80.03, and 8.80. ...) NOT-FOR-US: Clavister CorePlus CVE-2007-3804 (The AntiVirus engine in the HTTP-ALG in Clavister CorePlus before 8.81 ...) NOT-FOR-US: Clavister CorePlus CVE-2007-3803 (The SMTP ALG in Clavister CorePlus before 8.80.04, and 8.81.00, does n ...) NOT-FOR-US: Clavister CorePlus CVE-2007-3802 REJECTED CVE-2007-3801 REJECTED CVE-2007-3800 (Unspecified vulnerability in the Real-time scanner (RTVScan) component ...) NOT-FOR-US: Symantec CVE-2007-3799 (The session_start function in ext/session in PHP 4.x up to 4.4.7 and 5 ...) {DSA-1578-1 DSA-1444-1 DTSA-61-1} NOTE: this does not affect default installs, only those who have written NOTE: custom session handlers (which isn't *that* uncommon though), and NOTE: also may not work if other cookie values are set. NOTE: fix sneaked into php 5.2.3 sans-mention: NOTE: http://cvs.php.net/viewvc.cgi/php-src/ext/session/session.c?r1=1.417.2.8.2.36&r2=1.417.2.8.2.37&pathrev=PHP_5_2 NOTE: fixed in php4/etch, php5/etch, php4/sarge svn - php4 (low) - php5 5.2.4-1 (low; bug #441433) CVE-2007-3798 (Integer overflow in print-bgp.c in the BGP dissector in tcpdump 3.9.6 ...) {DSA-1353-1} - tcpdump 3.9.5-3 (bug #434030) CVE-2007-3797 RESERVED CVE-2007-3796 (The password reset feature in the Spam Quarantine HTTP interface for M ...) NOT-FOR-US: Spam Quarantine HTTP interface for MailMarshal SMTP CVE-2007-3795 (Unspecified vulnerability in Hitachi TP1/Server Base before 03-05-/P, ...) NOT-FOR-US: Hitachi CVE-2007-3794 (Buffer overflow in Hitachi Cosminexus V4 through V7, Processing Kit fo ...) NOT-FOR-US: Hitachi CVE-2007-3793 (SQL injection vulnerability in Job Management Partner 1/NETM/DM (JP1/N ...) NOT-FOR-US: Job Management Partner CVE-2007-3792 (Multiple PHP remote file inclusion vulnerabilities in AzDG Dating Gold ...) NOT-FOR-US: AzDG Dating Gold CVE-2007-3791 (Buffer overflow in the w_read function in sockets.c in Cami Sardinha a ...) {DSA-1361-1} - postfix-policyd 1.80-2.2 (bug #435735) CVE-2007-3790 (The com_print_typeinfo function in the bz2 extension in PHP 5.2.3 allo ...) - php5 (com_print_typeinfo is a windows only func) - php4 (com_print_typeinfo is a windows only func) CVE-2007-3789 (SQL injection vulnerability in admin/index.php in Inmostore 4.0 allows ...) NOT-FOR-US: Inmostore CVE-2007-3788 (The eSoft InstaGate EX2 UTM device stores the admin password within th ...) NOT-FOR-US: eSoft InstaGate CVE-2007-3787 (The eSoft InstaGate EX2 UTM device does not require entry of the old p ...) NOT-FOR-US: eSoft InstaGate CVE-2007-3786 NOT-FOR-US: eSoft InstaGate CVE-2007-3785 (Absolute path traversal vulnerability in a certain ActiveX control in ...) NOT-FOR-US: EldoS SecureBlackbox CVE-2007-3784 (Cross-site scripting (XSS) vulnerability in the Belkin G Plus Router F ...) NOT-FOR-US: Belkin CVE-2007-3783 (SQL injection vulnerability in default.asp in enVivo!CMS allows remote ...) NOT-FOR-US: enVivo!CMS CVE-2007-3782 (MySQL Community Server before 5.0.45 allows remote authenticated users ...) {DSA-1413-1} - mysql-dfsg-5.0 5.0.42 [sarge] - mysql-dfsg (Vulnerable functionality was introduced in 5.0) [sarge] - mysql-dfsg-4.1 (Vulnerable functionality was introduced in 5.0) CVE-2007-3781 (MySQL Community Server before 5.0.45 does not require privileges such ...) {DSA-1451-1} - mysql-dfsg-5.0 5.0.45-1 [etch] - mysql-dfsg-5.0 (Minor issue, too intrusive to backport) [sarge] - mysql-dfsg (Minor issue, too intrusive to backport) [sarge] - mysql-dfsg-4.1 (Minor issue, too intrusive to backport) CVE-2007-3780 (MySQL Community Server before 5.0.45 allows remote attackers to cause ...) {DSA-1413-1} - mysql-dfsg-5.0 5.0.44 [sarge] - mysql-dfsg (Introduced with SSL support in 4.1) CVE-2007-3779 (PHP local file inclusion vulnerability in gpg_pop_init.php in the G/PG ...) NOT-FOR-US: G/PGP (GPG) Plugin for Squirrelmail CVE-2007-3778 (The G/PGP (GPG) Plugin 2.0, and 2.1dev before 20060912, for Squirrelma ...) NOT-FOR-US: G/PGP (GPG) Plugin for Squirrelmail CVE-2007-3777 (avg7core.sys 7.5.0.444 in Grisoft AVG Anti-Virus 7.5.448 and Free Edit ...) NOT-FOR-US: Grisoft AVG Anti-Virus CVE-2007-3776 (Cisco Unified Communications Manager (CUCM, formerly CallManager) and ...) NOT-FOR-US: Cisco CVE-2007-3775 (Unspecified vulnerability in Cisco Unified Communications Manager (CUC ...) NOT-FOR-US: Cisco CVE-2007-3774 (Dvbbs 7.1.0 SP1 stores sensitive information under the web root with i ...) NOT-FOR-US: Dvbbs CVE-2007-3773 (Cross-site request forgery (CSRF) vulnerability in the Email-Template ...) NOT-FOR-US: Generic YouTube Clone Script CVE-2007-3772 (Directory traversal vulnerability in news/show.php in PsNews 1.1 allow ...) NOT-FOR-US: PsNews CVE-2007-3771 (Stack-based buffer overflow in the Internet E-mail Auto-Protect featur ...) NOT-FOR-US: Symantec Antivirus CVE-2007-3770 (The terminal_helper_execute function in terminal/terminal.c in Xfce Te ...) {DSA-1393-1} - xfce4-terminal 0.2.6-3 (bug #437454) CVE-2007-3769 (Cross-site scripting (XSS) vulnerability in the mirrored server manage ...) NOT-FOR-US: SurgeFTP CVE-2007-3768 (The mirror mechanism in SurgeFTP 2.3a1 allows user-assisted, remote FT ...) NOT-FOR-US: SurgeFTP CVE-2007-3767 RESERVED CVE-2007-3766 RESERVED CVE-2007-3765 (The STUN implementation in Asterisk 1.4.x before 1.4.8, AsteriskNOW be ...) - asterisk 1:1.4.8~dfsg-1 (bug #433681) [sarge] - asterisk (1.0.x not affected) [etch] - asterisk (1.2.x not affected) NOTE: https://downloads.avaya.com/elmodocs2/security/ASA-2007-017.htm CVE-2007-3764 (The Skinny channel driver (chan_skinny) in Asterisk before 1.2.22 and ...) {DSA-1358-1} - asterisk 1:1.4.8~dfsg-1 NOTE: Etch and Sarge affected NOTE: https://downloads.avaya.com/elmodocs2/security/ASA-2007-016.htm CVE-2007-3763 (The IAX2 channel driver (chan_iax2) in Asterisk before 1.2.22 and 1.4. ...) {DSA-1358-1} - asterisk 1:1.4.8~dfsg-1 NOTE: Etch and Sarge affected NOTE: https://downloads.avaya.com/elmodocs2/security/ASA-2007-015.htm CVE-2007-3762 (Stack-based buffer overflow in the IAX2 channel driver (chan_iax2) in ...) {DSA-1358-1} - asterisk 1:1.4.8~dfsg-1 (high) NOTE: Etch and Sarge affected NOTE: https://downloads.avaya.com/elmodocs2/security/ASA-2007-014.htm CVE-2007-3820 (konqueror/konq_combo.cc in Konqueror 3.5.7 allows remote attackers to ...) - kdebase 4:3.5.7-3 (bug #433072; low) [sarge] - kdebase (Minor issue) [etch] - kdebase (Minor issue) NOTE: http://marc.info/?l=full-disclosure&m=118437069815691&w=2 CVE-2007-3761 (Cross-site scripting (XSS) vulnerability in Safari in Apple iPhone 1.1 ...) NOT-FOR-US: Safari CVE-2007-3760 (Cross-site scripting (XSS) vulnerability in Safari in Apple iPhone 1.1 ...) NOT-FOR-US: Safari CVE-2007-3759 (Safari in Apple iPhone 1.1.1, when requested to disable Javascript, do ...) NOT-FOR-US: Safari CVE-2007-3758 (Safari in Apple iPhone 1.1.1, and Safari 3 before Beta Update 3.0.4 on ...) NOT-FOR-US: Safari CVE-2007-3757 (Safari in Apple iPhone 1.1.1 allows remote user-assisted attackers to ...) NOT-FOR-US: Safari CVE-2007-3756 (Safari in Apple iPhone 1.1.1, and Safari 3 before Beta Update 3.0.4 on ...) NOT-FOR-US: Safari CVE-2007-3755 (Mail in Apple iPhone 1.1.1 allows remote user-assisted attackers to fo ...) NOT-FOR-US: Aplle iPhone CVE-2007-3754 (Mail in Apple iPhone 1.1.1, when using SSL, does not warn the user whe ...) NOT-FOR-US: Aplle iPhone CVE-2007-3753 (Apple iPhone 1.1.1, with Bluetooth enabled, allows physically proximat ...) NOT-FOR-US: Aplle iPhone CVE-2007-3752 (Heap-based buffer overflow in Apple iTunes before 7.4 allows remote at ...) NOT-FOR-US: iTunes CVE-2007-3751 (Unspecified vulnerability in QuickTime for Java in Apple QuickTime bef ...) NOT-FOR-US: Apple QuickTime CVE-2007-3750 (Heap-based buffer overflow in Apple QuickTime before 7.3 allows remote ...) NOT-FOR-US: Apple QuickTime CVE-2007-3749 (The kernel in Apple Mac OS X 10.4 through 10.4.10 does not reset the c ...) NOT-FOR-US: Apple Mac OS X CVE-2007-3748 (Buffer overflow in the UPnP IGD (Internet Gateway Device Standardized ...) NOT-FOR-US: iChat on Apple Mac OS X CVE-2007-3747 (The Java interface to CoreAudio on Apple Mac OS X 10.3.9 and 10.4.10 d ...) NOT-FOR-US: Apple Mac OS X CVE-2007-3746 (The Java interface to CoreAudio on Apple Mac OS X 10.3.9 and 10.4.10 d ...) NOT-FOR-US: Apple Mac OS X CVE-2007-3745 (The Java interface to CoreAudio on Apple Mac OS X 10.3.9 and 10.4.10 c ...) NOT-FOR-US: Apple Mac OS X CVE-2007-3744 (Heap-based buffer overflow in the UPnP IGD (Internet Gateway Device St ...) NOT-FOR-US: Apple Mac OSX CVE-2007-3743 (Stack-based buffer overflow in bookmark handling in Apple Safari 3 Bet ...) NOT-FOR-US: Apple Safari CVE-2007-3742 (WebKit in Apple Safari 3 Beta before Update 3.0.3, and iPhone before 1 ...) NOT-FOR-US: Apple Safari CVE-2007-3741 (The (1) psp (aka .tub), (2) bmp, (3) pcx, and (4) psd plugins in gimp ...) - gimp 2.2.17-1 (unimportant) NOTE: Only DoS by memleaks or double-frees, not treated as security problems CVE-2007-3740 (The CIFS filesystem in the Linux kernel before 2.6.22, when Unix exten ...) {DSA-1504-1 DSA-1378-2 DSA-1378-1} - linux-2.6 2.6.22 CVE-2007-3739 (mm/mmap.c in the hugetlb kernel, when run on PowerPC systems, does not ...) {DSA-1504-1 DSA-1378-2 DSA-1378-1} - linux-2.6 2.6.20-1 CVE-2007-3738 (Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.5 ...) {DSA-1534-2 DSA-1339-1 DSA-1338-1 DSA-1337-1 DTSA-45-1 DTSA-47-1 DTSA-51-1} - iceape 1.1.3-1 (medium) - xulrunner 1.8.1.5-1 (medium) - iceweasel 2.0.0.5-1 (medium) NOTE: MFSA2007-25 CVE-2007-3737 (Mozilla Firefox before 2.0.0.5 allows remote attackers to execute arbi ...) {DSA-1339-1 DSA-1338-1 DSA-1337-1 DTSA-45-1 DTSA-47-1 DTSA-51-1} - iceape 1.1.3-1 (high) - xulrunner 1.8.1.5-1 (high) - iceweasel 2.0.0.5-1 (high) NOTE: MFSA2007-21 CVE-2007-3736 (Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 2.0 ...) {DSA-1339-1 DSA-1338-1 DSA-1337-1 DTSA-45-1 DTSA-47-1 DTSA-51-1} - iceweasel 2.0.0.5-1 (high) - iceape 1.1.3-1 (high) - xulrunner 1.8.1.5-1 (high) NOTE: MFSA2007-19 CVE-2007-3735 (Multiple unspecified vulnerabilities in the JavaScript engine in Mozil ...) {DSA-1391-1 DSA-1339-1 DSA-1338-1 DSA-1337-1 DTSA-45-1 DTSA-47-1 DTSA-51-1 DTSA-71-1} - iceweasel 2.0.0.5-1 (high) - icedove 2.0.0.6-1 (low) NOTE: Affects only broken setups, enabling js in Icedove is strongly not recommended - iceape 1.1.3-1 (high) - xulrunner 1.8.1.5-1 (high) NOTE: MFSA2007-18 CVE-2007-3734 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-1391-1 DSA-1339-1 DSA-1338-1 DSA-1337-1 DTSA-45-1 DTSA-47-1 DTSA-51-1 DTSA-71-1} - iceweasel 2.0.0.5-1 (high) - icedove 2.0.0.6-1 (high; bug #444010) - iceape 1.1.3-1 (high) - xulrunner 1.8.1.5-1 (high) NOTE: MFSA2007-18 CVE-2007-3733 RESERVED CVE-2007-3732 (In Linux 2.6 before 2.6.23, the TRACE_IRQS_ON function in iret_exc cal ...) - linux-2.6 2.6.23-1 NOTE: Upstream fix: https://git.kernel.org/linus/a10d9a71bafd3a283da240d2868e71346d2aef6f (v2.6.23-rc1) CVE-2007-3731 (The Linux kernel 2.6.20 and 2.6.21 does not properly handle an invalid ...) {DSA-1378-2 DSA-1378-1} - linux-2.6 2.6.23-1 CVE-2007-3730 (The default configuration of the POP server in TCP/IP Services 5.6 for ...) NOT-FOR-US: HP OpenVMS CVE-2007-3729 (The default configuration of the POP server in TCP/IP Services 5.6 for ...) NOT-FOR-US: HP OpenVMS CVE-2007-3728 (Buffer overflow in lib/silcclient/client_notify.c of SILC Client and S ...) - silc-toolkit 1.1.2-1 [etch] - silc-toolkit (Only the 1.1.x branch is affected) NOTE: http://silcnet.org/docs/changelog/SILC Toolkit 1.1.2 CVE-2007-3727 (Multiple unspecified vulnerabilities in Webmatic before 2.7 have unkno ...) NOT-FOR-US: WebMatic CVE-2007-3726 (Integer signedness error in the SET_VALUE function in rarvm.cpp in unr ...) - unrar-nonfree 3.7.3-1.1 (low; bug #437703) [etch] - unrar-nonfree (Non-free not supported) [sarge] - unrar-nonfree (Non-free not supported) - rar 1:3.7b1-1 (low; bug #437704) [etch] - rar (Vulnerable code was fixed already) [sarge] - rar (Non-free not supported) CVE-2007-3725 (The RAR VM (unrarvm.c) in Clam Antivirus (ClamAV) before 0.91 allows u ...) {DSA-1340-1 DTSA-43-1} - clamav 0.91-1 [sarge] - clamav (Vulnerable code was introduced in 0.9x) CVE-2007-3724 (The process scheduler in the Microsoft Windows XP kernel does not make ...) NOT-FOR-US: Microsoft Windows XP CVE-2007-3723 (The process scheduler in the Sun Solaris kernel does not make use of t ...) NOT-FOR-US: Solaris CVE-2007-3722 (The 4BSD process scheduler in the FreeBSD kernel performs scheduling b ...) - kfreebsd-5 (low) [etch] - kfreebsd-5 (kfreebsd not supported) CVE-2007-3721 (The ULE process scheduler in the FreeBSD kernel gives preference to "i ...) - kfreebsd-5 (low) [etch] - kfreebsd-5 (kfreebsd not supported) CVE-2007-3720 (The process scheduler in the Linux kernel 2.4 performs scheduling base ...) - linux-2.6 (There's a separate ID for 2.6, see CVE-2007-3719) CVE-2007-3719 (The process scheduler in the Linux kernel 2.6.16 gives preference to " ...) - linux (unimportant) - linux-2.6 (unimportant) NOTE: This is the existing default behaviour of the scheduler, can be tuned NOTE: to suit individual needs CVE-2007-3718 (Multiple unspecified vulnerabilities in the SVG parsing engine in Appl ...) NOT-FOR-US: Apple Safari CVE-2007-3717 (rcp on Sun Solaris 8, 9, and 10 before 20070710 does not properly call ...) NOT-FOR-US: Sun Solaris CVE-2007-3716 (The Java XML Digital Signature implementation in Sun JDK and JRE 6 bef ...) - sun-java6 6-02-1 (medium) - openjdk-6 6b08-1 (bug #566766) CVE-2007-3715 (Sun Java System Application Server and Web Server 7.0 through 9.0 befo ...) NOT-FOR-US: Sun Java System Application Server and Web Server CVE-2007-3714 (Directory traversal vulnerability in Ada Image Server (ImgSvr) 0.6.5 a ...) NOT-FOR-US: Ada Image Server CVE-2007-3713 (Multiple buffer overflows in Konst CenterICQ 4.9.11 through 4.21 allow ...) {DSA-1433-1 DTSA-55-1} - centericq 4.22.1-2.1 (bug #438511; medium) - centerim 4.22.1-2.1 (medium) CVE-2007-3712 (Multiple cross-site scripting (XSS) vulnerabilities in HiddenChest "is ...) NOT-FOR-US: HiddenChest CVE-2007-3711 (Unspecified vulnerability in TOS 2.1.x, 2.2.x before 2.2.5, and 2.5.x ...) NOT-FOR-US: TippingPoint IPS CVE-2007-3710 (PHP remote file inclusion vulnerability in example/gamedemo/inc.functi ...) NOT-FOR-US: PHP Comet-Server CVE-2007-3709 (CRLF injection vulnerability in the redirect function in url_helper.ph ...) - codeigniter (bug #471583) CVE-2007-3708 (Cross-site scripting (XSS) vulnerability in CodeIgniter 1.5.3 before 2 ...) - codeigniter (bug #471583) CVE-2007-3707 (Directory traversal vulnerability in index.php in CodeIgniter 1.5.3 be ...) - codeigniter (bug #471583) CVE-2007-3706 (The _sanitize_globals function in CodeIgniter 1.5.3 before 20070628 al ...) - codeigniter (bug #471583) CVE-2007-3705 (SQL injection vulnerability in FuseTalk 2.0 allows remote attackers to ...) NOT-FOR-US: FuseTalk CVE-2007-3704 (Entertainment CMS allows remote attackers to bypass authentication and ...) NOT-FOR-US: Entertainment CMS CVE-2007-3703 (Stack-based buffer overflow in a certain ActiveX control in sasatl.dll ...) NOT-FOR-US: Zenturi ProgramChecker CVE-2007-3702 (Directory traversal vulnerability in the load function in cgi-bin/mail ...) NOT-FOR-US: Mail Machine CVE-2007-3701 (TippingPoint IPS before 20070710 does not properly handle a hex-encode ...) NOT-FOR-US: TippingPoint IPS CVE-2007-3700 (Sun Java System Access Manager (formerly Java System Identity Server) ...) NOT-FOR-US: Sun Java System Access Manager CVE-2007-3699 (The Decomposer component in multiple Symantec products allows remote a ...) NOT-FOR-US: Symantec CVE-2007-3698 (The Java Secure Socket Extension (JSSE) in Sun JDK and JRE 6 Update 1 ...) - sun-java5 1.5.0-12-1 - sun-java6 6-02-1 [etch] - sun-java5 1.5.0-14-1etch1 - openjdk-6 6b08-1 (bug #566766) CVE-2007-3697 (PHP remote file inclusion vulnerability in phpbb/sendmsg.php in FlashB ...) NOT-FOR-US: FlashBB CVE-2007-3696 (CA ERwin Data Model Validator (formerly AllFusion Data Model Validator ...) NOT-FOR-US: CA ERwin Data Model Validator CVE-2007-3695 (Buffer overflow in LICRCMD.EXE in CA ERwin Process Modeler (formerly A ...) NOT-FOR-US: CA ERwin CVE-2007-3694 (Cross-site scripting (XSS) vulnerability in login.php in Miro Project ...) NOT-FOR-US: Broadcast Machine CVE-2007-3693 (Cross-site scripting (XSS) vulnerability in Gobi as of 20070711, built ...) NOT-FOR-US: gobi CVE-2007-3692 (Directory traversal vulnerability in download.cgi in EZFactory KDDI Do ...) NOT-FOR-US: EZFactory KDDI Download CGI CVE-2007-3691 (Multiple SQL injection vulnerabilities in changePW.php in AV Tutorial ...) NOT-FOR-US: AV Tutorial CVE-2007-3690 (The Forward module before 4.7-1.1 and 5.x before 5.x-1.0 for Drupal al ...) NOT-FOR-US: Forward module for Drupal CVE-2007-3689 (The Print module before 4.7-1.0 and 5.x before 5.x-1.2 for Drupal allo ...) NOT-FOR-US: Print module for Drupal CVE-2007-3688 (Multiple cross-site request forgery (CSRF) vulnerabilities in DotClear ...) NOT-FOR-US: DotClear CVE-2007-3687 (SQL injection vulnerability in inferno.php in the Inferno Technologies ...) NOT-FOR-US: Inferno Technologies CVE-2007-3686 (CRLF injection vulnerability in db.php in Unobtrusive Ajax Star Rating ...) NOT-FOR-US: Unobtrusive Ajax Star Rating Bar CVE-2007-3685 (Cross-site scripting (XSS) vulnerability in rpc.php in Unobtrusive Aja ...) NOT-FOR-US: Unobtrusive Ajax Star Rating Bar CVE-2007-3684 (Multiple SQL injection vulnerabilities in Unobtrusive Ajax Star Rating ...) NOT-FOR-US: Unobtrusive Ajax Star Rating Bar CVE-2007-3683 (SQL injection vulnerability in pagetopic.php in Aigaion 1.3.3 and earl ...) NOT-FOR-US: Aigaion CVE-2007-3682 (SQL injection vulnerability in index.php in OpenLD 1.2.2 and earlier a ...) NOT-FOR-US: OpenLD CVE-2007-3681 (The IOCTL 9031 (BIOCGSTATS) handler in the NPF.SYS device driver in Wi ...) NOT-FOR-US: WinPcap CVE-2007-3680 (Stack-based buffer overflow in the odm_searchpath function in libodm i ...) NOT-FOR-US: IBM AIX CVE-2007-3679 (The Citrix EPA ActiveX control (aka the "endpoint checking control" or ...) NOT-FOR-US: Citrix CVE-2007-3678 (Stack-based buffer overflow in the MSWord text-import extension (Word ...) NOT-FOR-US: QuarkXPress CVE-2007-3677 (Multiple SQL injection vulnerabilities in Maxsi eVisit Analyst allow r ...) NOT-FOR-US: Maxsi eVisit Analyst CVE-1999-1592 (Multiple unspecified vulnerabilities in sendmail 5, as installed on Su ...) - sendmail (Concerns only ancient sendmail V5) CVE-2007-3676 (IBM DB2 Universal Database (UDB) Administration Server (DAS) 8 before ...) NOT-FOR-US: IBM DB2 CVE-2007-3675 (Multiple format string vulnerabilities in the kavwebscan.CKAVWebScan A ...) NOT-FOR-US: Kaspersky Online Scanner CVE-2007-3674 RESERVED CVE-2007-3673 (Symantec symtdi.sys before 7.0.0, as distributed in Symantec AntiVirus ...) NOT-FOR-US: Symantec AntiVirus CVE-2007-3672 (Cross-site scripting (XSS) vulnerability in ecrire/tools.php in DotCle ...) NOT-FOR-US: DotClear CVE-2007-3671 (Unspecified vulnerability in the kernel in Microsoft Windows Vista has ...) NOT-FOR-US: Microsoft Windows CVE-2007-3670 (Argument injection vulnerability in Microsoft Internet Explorer, when ...) - iceweasel (Only affects Firefox/Thunderbird on Windows) - icedove (Only affects Firefox/Thunderbird on Windows) NOTE: MFSA2007-23 CVE-2007-3669 (Multiple unspecified vulnerabilities in the Innovasys DockStudioXP Inn ...) NOT-FOR-US: InnovaDSXP2.OCX ActiveX Control CVE-2007-3668 (Multiple unspecified vulnerabilities in NMSDVDXU.DLL in NuMedia NMSDVD ...) NOT-FOR-US: NMSDVDXLib CVE-2007-3667 (Unspecified vulnerability in EXCLEXPT.DLL in ActiveReportsExcelReport ...) NOT-FOR-US: ActiveReportsExcelReport CVE-2007-3666 (Buffer overflow in RemoteCommand.DLL in Symantec Norton Ghost 12.0 all ...) NOT-FOR-US: Symantec Ghost CVE-2007-3665 (Multiple unspecified vulnerabilities in FileBackup.DLL in Symantec Nor ...) NOT-FOR-US: Symantec Ghost CVE-2007-3664 (Multiple unspecified vulnerabilities in Eltima Software RunService Act ...) NOT-FOR-US: Eltima Software CVE-2007-3663 (Divide-by-zero error in Media Player Classic (MPC) 6.4.9.0 allows user ...) NOT-FOR-US: guliverkli Media Player Classic CVE-2007-3662 (Media Player Classic (MPC) 6.4.9.0 allows user-assisted remote attacke ...) NOT-FOR-US: guliverkli Media Player Classic CVE-2007-3661 (Eltima Software Virtual Serial Port (VSPAX) ActiveX control (VSPort.DL ...) NOT-FOR-US: Eltima Software CVE-2007-3660 (The Nonnoi ASP/Barcode ActiveX control (nonnoi_ASPBarcode.dll) allows ...) NOT-FOR-US: Nonnoi CVE-2007-3659 (Buffer overflow in the doBrowserAction function in FreeWRL 1.19.3 allo ...) NOT-FOR-US: FreeWRL CVE-2007-3658 (Unspecified vulnerability in Microsoft Register Server (REGSVR) allows ...) NOT-FOR-US: Microsoft CVE-2007-3657 NOTE: Disputed Firefox issue, browser crashes not treated as security problems anyway CVE-2007-3656 (Mozilla Firefox before 1.8.0.13 and 1.8.1.x before 1.8.1.5 does not pe ...) {DSA-1339-1 DSA-1338-1 DSA-1337-1 DTSA-45-1 DTSA-47-1 DTSA-51-1} - iceweasel 2.0.0.5-1 (high) - iceape 1.1.3-1 (high) - xulrunner 1.8.1.5-1 (high) NOTE: MFSA2007-24 CVE-2007-3655 (Stack-based buffer overflow in javaws.exe in Sun Java Web Start in JRE ...) - sun-java5 1.5.0-12-1 [etch] - sun-java5 1.5.0-14-1etch1 - sun-java6 6-02-1 CVE-2007-3654 (The display driver allocattr functions in NetBSD 3.0 through 4.0_BETA2 ...) NOT-FOR-US: NetBSD CVE-2007-3653 (Multiple cross-site scripting (XSS) vulnerabilities in Farsi Script (a ...) NOT-FOR-US: Farsi Script CVE-2007-3652 (SQL injection vulnerability in class/page.php in Farsi Script (aka FaS ...) NOT-FOR-US: Farsi Script CVE-2007-3651 (class/page.php in Farsi Script (aka FaScript) FaName 1.0 allows remote ...) NOT-FOR-US: Farsi Script CVE-2007-3650 (myWebland myBloggie 2.1.6 allow remote attackers to obtain sensitive i ...) NOT-FOR-US: myWebland myBloggie CVE-2007-3649 (Absolute path traversal vulnerability in a certain ActiveX control in ...) NOT-FOR-US: Hewlett-Packard (HP) Photo Digital Imaging ActiveX control CVE-2007-3648 (SQL injection vulnerability in Webmatic before 2.6.2, and possibly oth ...) NOT-FOR-US: WebMatic CVE-2007-3647 (The isloggedin function in Php/login.inc.php in phpTrafficA 1.4.3 and ...) NOT-FOR-US: phpTrafficA CVE-2007-3646 (SQL injection vulnerability in index.php in FlashGameScript 1.7 and ea ...) NOT-FOR-US: FlashGameScript CVE-2007-3645 (archive_read_support_format_tar.c in libarchive before 2.2.4 allows us ...) {DSA-1455-1} - libarchive 2.2.4-1 (bug #432924; low) CVE-2007-3644 (archive_read_support_format_tar.c in libarchive before 2.2.4 allows us ...) {DSA-1455-1} - libarchive 2.2.4-1 (bug #432924; low) CVE-2007-3643 (admin/index.php in AV Arcade 2.1b grants administrative privileges whe ...) NOT-FOR-US: AV Arcade CVE-2007-3642 (The decode_choice function in net/netfilter/nf_conntrack_h323_asn1.c i ...) {DSA-1356-1} - linux-2.6 2.6.22-2 CVE-2007-3641 (archive_read_support_format_tar.c in libarchive before 2.2.4 does not ...) {DSA-1455-1} - libarchive 2.2.4-1 (bug #432924; low) CVE-2007-3640 (Adobe Integrated Runtime (AIR, aka Apollo) allows context-dependent at ...) NOT-FOR-US: Adobe Apollo CVE-2007-3639 (WordPress before 2.2.2 allows remote attackers to redirect visitors to ...) {DSA-1564-1} - wordpress 2.2.2-1 CVE-2007-3638 (Buffer overflow in Yahoo! Messenger 8.1 allows user-assisted remote au ...) NOT-FOR-US: Yahoo! Messenger CVE-2007-3637 (SQL injection vulnerability in MKPortal 1.1.1 allows remote attackers ...) NOT-FOR-US: MKPortal CVE-2007-3636 (Multiple unspecified vulnerabilities in the G/PGP (GPG) Plugin 2.1 for ...) NOT-FOR-US: G/PGP (GPG) Plugin for Squirrelmail CVE-2007-3635 (Multiple unspecified vulnerabilities in the G/PGP (GPG) Plugin before ...) NOT-FOR-US: G/PGP (GPG) Plugin for Squirrelmail CVE-2007-3634 (Unspecified vulnerability in the G/PGP (GPG) Plugin 2.0 for Squirrelma ...) NOT-FOR-US: G/PGP (GPG) Plugin for Squirrelmail CVE-2007-3633 (Absolute path traversal vulnerability in the Chilkat Software Chilkat ...) NOT-FOR-US: Chilkat Software CVE-2007-3632 (Multiple PHP remote file inclusion vulnerabilities in LimeSurvey (aka ...) NOTE: Moodle contains a copy of the files, but not the string NOTE: "homedir", so it is not affected. CVE-2007-3631 (SQL injection vulnerability in index.php in GameSiteScript (gss) 3.1 a ...) NOT-FOR-US: GameSiteScript CVE-2007-3630 (changePW.php in AV Tutorial Script (avtutorial) 1.0 does not require a ...) NOT-FOR-US: AV Tutorial CVE-2007-3629 (SQL injection vulnerability in oku.asp in Levent Veysi Portal 1.0 allo ...) NOT-FOR-US: Levent Veysi Portal CVE-2007-3628 (Unspecified vulnerability in the fetch function in MDB2.php in PEAR St ...) NOT-FOR-US: Structures-DataGrid-DataSource-MDB2 CVE-2007-3627 (Multiple SQL injection vulnerabilities in PHP Lite Calendar Express 2. ...) NOT-FOR-US: PHP Lite Calender Express CVE-2007-3626 (Unspecified vulnerability in the ADM daemon in Hitachi TPBroker before ...) NOT-FOR-US: Hitachi CVE-2007-3625 (The Program Neighborhood Agent in Citrix Presentation Server Clients f ...) NOT-FOR-US: Citrix CVE-2007-3624 (Heap-based buffer overflow in the Message HTTP Server in SAP Message S ...) NOT-FOR-US: SAP CVE-2007-3623 (Cross-site scripting (XSS) vulnerability in the Hitachi JP1/HiCommand ...) NOT-FOR-US: Hitachi CVE-2007-3622 (Unspecified vulnerability in DomainPOP in Alt-N Technologies MDaemon b ...) NOT-FOR-US: MDaemon CVE-2007-3621 (Multiple CRLF injection vulnerabilities in callboth.php in AsteriDex 3 ...) NOT-FOR-US: AsteriDex CVE-2007-3620 (Multiple directory traversal vulnerabilities in Maia Mailguard 1.0.2 a ...) NOT-FOR-US: Maia Mailguard CVE-2007-3619 (Directory traversal vulnerability in login.php in Maia Mailguard 1.0.2 ...) NOT-FOR-US: Maia Mailguard CVE-2007-3618 (Stack-based buffer overflow in the NetWorker Remote Exec Service (nsre ...) NOT-FOR-US: EMC Software NetWorker CVE-2007-3617 (The report module in vtiger CRM before 5.0.3 does not properly apply s ...) NOT-FOR-US: vtiger CRM CVE-2007-3616 (index.php in vtiger CRM before 5.0.3 allows remote authenticated users ...) NOT-FOR-US: vtiger CRM CVE-2007-3615 (Internet Communication Manager (aka ICMAN.exe or ICM) in SAP NetWeaver ...) NOT-FOR-US: SAP CVE-2007-3614 (Multiple stack-based buffer overflows in waHTTP.exe (aka the SAP DB We ...) NOT-FOR-US: SAP DB Web Server CVE-2007-3613 (Cross-site scripting (XSS) vulnerability in ADM:GETLOGFILE in SAP Inte ...) NOT-FOR-US: SAP CVE-2007-3612 (Stack-based buffer overflow in Visual IRC (ViRC) 2.0 allows remote IRC ...) NOT-FOR-US: Visual IRC CVE-2007-3611 (admin.php in VRNews 1.1.1, and possibly other 1.x versions, does not r ...) NOT-FOR-US: VRNews CVE-2007-3610 (SQL injection vulnerability in categories_type.php in phpVID 0.9.9 all ...) NOT-FOR-US: phpVID CVE-2007-3609 (Multiple SQL injection vulnerabilities in eMeeting Online Dating Softw ...) NOT-FOR-US: eMeeting CVE-2007-3608 (Multiple unspecified vulnerabilities in ActiveX controls in the EnjoyS ...) NOT-FOR-US: SAP CVE-2007-3607 (Multiple unspecified vulnerabilities in ActiveX controls in the EnjoyS ...) NOT-FOR-US: SAP CVE-2007-3606 (Heap-based buffer overflow in the rfcguisink.rfcguisink.1 ActiveX cont ...) NOT-FOR-US: SAP CVE-2007-3605 (Stack-based buffer overflow in the kweditcontrol.kwedit.1 ActiveX cont ...) NOT-FOR-US: SAP CVE-2007-3604 (vtiger CRM before 5.0.3 allows remote authenticated users with access ...) NOT-FOR-US: vtiger CRM CVE-2007-3603 (SQL injection vulnerability in the dashboard (include/utils/SearchUtil ...) NOT-FOR-US: vtiger CRM CVE-2007-3602 (The SOAP webservice in vtiger CRM before 5.0.3 does not ensure that au ...) NOT-FOR-US: vtiger CRM CVE-2007-3601 (vtiger CRM before 5.0.3, when a migrated build is used, allows remote ...) NOT-FOR-US: vtiger CRM CVE-2007-3600 (WordPlugin in the wordintegration component in vtiger CRM before 5.0.3 ...) NOT-FOR-US: vtiger CRM CVE-2007-3599 (vtiger CRM before 5.0.3 allows remote authenticated users to import an ...) NOT-FOR-US: vtiger CRM CVE-2007-3598 (index.php in vtiger CRM before 5.0.3 allows remote authenticated users ...) NOT-FOR-US: vtiger CRM CVE-2007-3597 (Session fixation vulnerability in Zen Cart 1.3.7 and earlier allows re ...) NOT-FOR-US: Zen Cart CVE-2007-3596 (inc/vul_check.inc in phpVideoPro before 0.8.8 permits non-alphanumeric ...) NOT-FOR-US: phpVideoPro CVE-2007-3595 REJECTED CVE-2007-3594 (Multiple cross-site scripting (XSS) vulnerabilities in AdventNet Manag ...) NOT-FOR-US: ManageEngine OpManager CVE-2007-3593 (Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine Ne ...) NOT-FOR-US: ManageEngine NetflowAnalyzer CVE-2007-3592 (PM.php in Elite Bulletin Board before 1.0.10 allows remote authenticat ...) NOT-FOR-US: Elite Bulletin Board CVE-2007-3591 (Unspecified vulnerability in Profile.php in Elite Bulletin Board befor ...) NOT-FOR-US: Elite Bulletin Board CVE-2007-3590 (Cross-site scripting (XSS) vulnerability in visitenkarte.php in b1gBB ...) NOT-FOR-US: b1gBB CVE-2007-3589 (Multiple SQL injection vulnerabilities in b1gbb 2.24.0 allow remote at ...) NOT-FOR-US: b1gbb CVE-2007-3588 (SQL injection vulnerability in reply.php in VBZooM 1.12 allows remote ...) NOT-FOR-US: VBZooM CVE-2007-3587 (MyCMS 0.9.8 and earlier allows remote attackers to gain privileges via ...) NOT-FOR-US: MyCMS CVE-2007-3586 (Multiple direct static code injection vulnerabilities in MyCMS 0.9.8 a ...) NOT-FOR-US: MyCMS CVE-2007-3585 (PHP remote file inclusion vulnerability in games.php in MyCMS 0.9.8 an ...) NOT-FOR-US: MyCMS CVE-2007-3584 (SQL injection vulnerability in viewforum.php in PNphpBB2 1.2i and earl ...) NOT-FOR-US: PNphpBB2 CVE-2007-3583 (SQL injection vulnerability in details_news.php in Girlserv ads 1.5 an ...) NOT-FOR-US: Girlserv ads CVE-2007-3582 (SQL injection vulnerability in index.php in SuperCali PHP Event Calend ...) NOT-FOR-US: SuperCali PHP Event Calendar CVE-2007-3581 (The Jedox Palo 1.5 client transmits the password in cleartext, which m ...) NOT-FOR-US: Jedox CVE-2007-3580 (PHPIDS does not properly handle certain code containing newlines, as d ...) NOT-FOR-US: PHPIDS CVE-2007-3579 (PHPIDS before 20070703 does not properly handle setting the .text prop ...) NOT-FOR-US: PHPIDS CVE-2007-3578 (PHPIDS before 20070703 does not properly handle (1) arithmetic express ...) NOT-FOR-US: PHPIDS CVE-2007-3577 (PHPIDS before 20070703 does not properly handle use of the substr meth ...) NOT-FOR-US: PHPIDS CVE-2007-3576 NOT-FOR-US: Microsoft CVE-2007-3575 (SQL injection vulnerability in includes/functions in FreeDomain.co.nr ...) NOT-FOR-US: FreeDomain.co.nr Clone CVE-2007-3574 (Multiple cross-site scripting (XSS) vulnerabilities in setup.cgi on th ...) NOT-FOR-US: Linksys CVE-2007-3573 (Multiple SQL injection vulnerabilities in akocomment allow remote atta ...) NOT-FOR-US: AkoComment CVE-2007-3572 (Incomplete blacklist vulnerability in cgi-bin/runDiagnostics.cgi in th ...) NOT-FOR-US: Yoggie CVE-2007-3571 (The Apache Web Server as used in Novell NetWare 6.5 and GroupWise allo ...) NOT-FOR-US: Novell CVE-2007-3570 (The Linux Access Gateway in Novell Access Manager before 3.0 SP1 Relea ...) NOT-FOR-US: Novell CVE-2007-3569 (Multiple cross-site scripting (XSS) vulnerabilities in Oliver Library ...) NOT-FOR-US: Oliver Library Management System CVE-2007-3568 (The _LoadBMP function in imlib 1.9.15 and earlier allows context-depen ...) - imlib 1.9.15-3 (bug #437708; low) [sarge] - imlib (Minor issue, just a crash) [etch] - imlib (Minor issue, just a crash) CVE-2007-3567 (MySQLDumper 1.21b through 1.23 REV227 uses a "Limit GET" statement in ...) NOT-FOR-US: MysqlDumper CVE-2007-3566 (Stack-based buffer overflow in the database service (ibserver.exe) in ...) NOT-FOR-US: Borland InterBase CVE-2007-3565 RESERVED CVE-2007-3564 (libcurl 7.14.0 through 7.16.3, when built with GnuTLS support, does no ...) {DSA-1333-1} - curl 7.16.4-1 (low) CVE-2007-3563 (SQL injection vulnerability in includes/view_page.php in AV Arcade 2.1 ...) NOT-FOR-US: AV Arcade CVE-2007-3562 (SQL injection vulnerability in videos.php in PHP Director 0.21 and ear ...) NOT-FOR-US: PHP Director CVE-2007-3561 (Cross-site scripting (XSS) vulnerability in ara.asp in Efendy Blog 1.0 ...) NOT-FOR-US: Efendy Blog CVE-2007-3560 (Multiple unspecified vulnerabilities in Esqlanelapse before 2.6 have u ...) NOT-FOR-US: Esqlanelapse CVE-2007-3559 (Cross-site scripting (XSS) vulnerability in infusions/shoutbox_panel/s ...) NOT-FOR-US: PHP-Fusion CVE-2007-3558 (SQL injection vulnerability in Coppermine Photo Gallery (CPG) before 1 ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2007-3557 (SQL injection vulnerability in admin/login.php in Wheatblog (wB) 1.1, ...) NOT-FOR-US: Wheatblog CVE-2007-3556 (Liesbeth base CMS stores sensitive information under the web root with ...) NOT-FOR-US: Liesbeth CVE-2007-3555 (Cross-site scripting (XSS) vulnerability in index.php in Moodle 1.7.1 ...) {DSA-1691-1} - moodle 1.8.2-1 (low; bug #432264) CVE-2007-3554 (Stack-based buffer overflow in the HPSDDX Class (SDD) ActiveX control ...) NOT-FOR-US: HP CVE-2007-3553 (Cross-site scripting (XSS) vulnerability in Rapid Install Web Server i ...) NOT-FOR-US: Oracle CVE-2007-3552 (Multiple unspecified vulnerabilities in bbs100 before 3.2 allow remote ...) NOT-FOR-US: bbs100 CVE-2007-3551 (Buffer overflow in bbs100 before 3.2 allows remote attackers to cause ...) NOT-FOR-US: bbs100 CVE-2007-3550 NOT-FOR-US: Microsoft Internet Explorer CVE-2007-3549 (SQL injection vulnerability in view_sub_cat.php in Buddy Zone 1.5 allo ...) NOT-FOR-US: Buddy Zone CVE-2007-3548 (Stack-based buffer overflow in W3Filer 2.1.3 allows remote FTP servers ...) NOT-FOR-US: W3Filer CVE-2007-3547 (Directory traversal vulnerability in qti_checkname.php in QuickTicket ...) NOT-FOR-US: QuickTicket CVE-2007-3546 (Cross-site scripting (XSS) vulnerability in the Windows GUI in Nessus ...) NOT-FOR-US: Nessus Windows GUI CVE-2007-3545 (Buffer overflow in Warzone 2100 Resurrection before 2.0.7 allows remot ...) NOT-FOR-US: Warzone CVE-2007-3544 (Unrestricted file upload vulnerability in (1) wp-app.php and (2) app.p ...) - wordpress 2.2.2-1 [etch] - wordpress (Vulnerable code not present) CVE-2007-3543 (Unrestricted file upload vulnerability in WordPress before 2.2.1 and W ...) - wordpress 2.2.1-1 [etch] - wordpress (Vulnerable code not present) CVE-2007-3542 (Cross-site scripting (XSS) vulnerability in admin/auth.php in Pluxml 0 ...) NOT-FOR-US: Pluxml CVE-2007-3541 (Cross-site scripting (XSS) vulnerability in Kurinton sHTTPd 20070408 a ...) NOT-FOR-US: Kurinton sHTTPd CVE-2007-3540 (Multiple cross-site scripting (XSS) vulnerabilities in search.asp in r ...) NOT-FOR-US: rwAuction CVE-2007-3539 (Multiple SQL injection vulnerabilities in QuickTicket 1.2 build:200706 ...) NOT-FOR-US: QuickTicket CVE-2007-3538 (SQL injection vulnerability in qtg_msg_view.php in QuickTalk guestbook ...) NOT-FOR-US: QuickTalk CVE-2007-3537 (IBM OS/400 (aka i5/OS) V4R2M0 through V5R3M0 on iSeries machines sends ...) NOT-FOR-US: IBM OS/400 CVE-2007-3536 (Multiple buffer overflows in the AMX NetLinx VNC (AmxVnc) ActiveX cont ...) NOT-FOR-US: AMX NetLinx VNC CVE-2007-3535 (Multiple directory traversal vulnerabilities in GL-SH Deaf Forum 6.4.4 ...) NOT-FOR-US: GL-SH Deaf Forum CVE-2007-3534 (SQL injection vulnerability in login.php in WebChat 0.78 allows remote ...) NOT-FOR-US: WebChat CVE-2007-3533 (The 3Com IntelliJack Switch NJ220 before 2.0.23 allows remote attacker ...) NOT-FOR-US: 3Com CVE-2007-3532 (NVIDIA drivers (nvidia-drivers) before 1.0.7185, 1.0.9639, and 100.14. ...) - nvidia-kernel-common 20051028+1-0.1 (bug #434398; low) [sarge] - nvidia-kernel-common (Contrib and non-free not supported) [etch] - nvidia-kernel-common (Contrib and non-free not supported) CVE-2007-3531 (The set_default_speeds function in backend/backend.c in NVidia NVClock ...) - nvclock 0.8b-1 (low) CVE-2007-3530 (PHPDirector 0.21 and earlier stores the admin account name and passwor ...) NOT-FOR-US: PHPDirector CVE-2007-3529 (videos.php in PHPDirector 0.21 and earlier allows remote attackers to ...) NOT-FOR-US: PHPDirector CVE-2007-3528 (The blowfish mode in DAR before 2.3.4 uses weak Blowfish-CBC cryptogra ...) - dar 2.3.3-1 (low; bug #425335) [etch] - dar (Minor issue) [sarge] - dar (Minor issue) CVE-2007-3527 (Integer overflow in Firebird 2.0.0 allows remote authenticated users t ...) {DSA-1529-1} - firebird2.0 2.0.3.12981.ds1-1 (bug #441405) [etch] - firebird2 (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 CVE-2007-3526 (Multiple SQL injection vulnerabilities in Buddy Zone 1.5 and earlier a ...) NOT-FOR-US: Buddy Zone CVE-2007-3525 (Ripe Website Manager 0.8.9 and earlier allows remote attackers to obta ...) NOT-FOR-US: Ripe Website Manager CVE-2007-3524 (Multiple PHP remote file inclusion vulnerabilities in Ripe Website Man ...) NOT-FOR-US: Ripe Website Manager CVE-2007-3523 (Multiple directory traversal vulnerabilities in Module/Galerie.php in ...) NOT-FOR-US: XCMS CVE-2007-3522 (Multiple PHP remote file inclusion vulnerabilities in sPHPell 1.01 all ...) NOT-FOR-US: sPHPell CVE-2007-3521 (SQL injection vulnerability in ArcadeBuilder Game Portal Manager 1.7 a ...) NOT-FOR-US: ArcadeBuilder Game Portal Manager CVE-2007-3520 (SQL injection vulnerability in process.php in Easybe 1-2-3 Music Store ...) NOT-FOR-US: Easybe CVE-2007-3519 (SQL injection vulnerability in eventdisplay.php in phpEventCalendar 0. ...) NOT-FOR-US: phpEventCalendar CVE-2007-3518 (SQL injection vulnerability in msg.php in HispaH YouTube Clone Script ...) NOT-FOR-US: HispaH YouTube Clone Script CVE-2007-3517 (Multiple cross-site scripting (XSS) vulnerabilities in Claroline 1.8.3 ...) NOT-FOR-US: Claroline CVE-2007-3516 (Multiple cross-site scripting (XSS) vulnerabilities in kayit.asp in Go ...) NOT-FOR-US: Gorki Online Santrac Sitesi CVE-2007-3515 (SQL injection vulnerability in view_event.php in TotalCalendar 2.402 a ...) NOT-FOR-US: TotalCalendar CVE-2006-7220 (Unspecified vulnerability in SAP SAPLPD and SAPSPRINT allows remote at ...) NOT-FOR-US: SAP SAPLPD CVE-2006-7219 (eZ publish before 3.8.5 does not properly enforce permissions for edit ...) - ezpublish (Debian's version is too old) CVE-2006-7218 (eZ publish before 3.8.1 does not properly enforce permissions for "con ...) - ezpublish (Debian's version is too old) CVE-2006-7217 (Apache Derby before 10.2.1.6 does not determine schema privilege requi ...) - derby (Fixed before initial upload to Debian) NOTE: http://issues.apache.org/jira/browse/DERBY-1858 CVE-2006-7216 (Apache Derby before 10.2.1.6 does not determine privilege requirements ...) - derby (Fixed before initial upload to Debian) NOTE: http://issues.apache.org/jira/browse/DERBY-1708 CVE-2006-7215 (The Intel Core 2 Extreme processor X6800 and Core 2 Duo desktop proces ...) NOT-FOR-US: Intel processor CVE-2005-4859 (mimicboard2 (Mimic2) 086 and earlier stores sensitive information unde ...) NOT-FOR-US: mimicboard2 CVE-2005-4858 (Multiple cross-site scripting (XSS) vulnerabilities in mimic2.cgi in m ...) NOT-FOR-US: mimicboard2 CVE-2005-4857 (eZ publish 3.5 before 3.5.7, 3.6 before 3.6.5, 3.7 before 3.7.3, and 3 ...) - ezpublish CVE-2005-4856 (The admin interface in eZ publish 3.5 before 3.5.7, 3.6 before 3.6.5, ...) - ezpublish CVE-2005-4855 (Unrestricted file upload vulnerability in eZ publish 3.5 before 3.5.5, ...) - ezpublish (bug #424790) CVE-2005-4854 (eZ publish 3.5 through 3.7 before 20050830 does not use a folder's rea ...) - ezpublish (bug #424790) CVE-2005-4853 (The default configuration of the forum package in eZ publish 3.5 befor ...) - ezpublish (bug #424790) CVE-2005-4852 (The siteaccess URIMatching implementation in eZ publish 3.5 through 3. ...) - ezpublish (bug #424790) CVE-2005-4851 (eZ publish 3.4.4 through 3.7 before 20050722 applies certain permissio ...) - ezpublish (bug #424790) CVE-2005-4850 (eZ publish 3.5 through 3.7 before 20050608 requires both edit and crea ...) - ezpublish (bug #424790) CVE-2005-4849 (Apache Derby before 10.1.2.1 exposes the (1) user and (2) password att ...) - derby (Fixed before initial upload to Debian) NOTE: http://issues.apache.org/jira/browse/DERBY-530 NOTE: http://issues.apache.org/jira/browse/DERBY-559 CVE-2004-2682 (PeerSec MatrixSSL before 1.1 does not implement RSA blinding, which al ...) - matrixssl 1.1-1 CVE-2004-2681 (PeerSec MatrixSSL before 1.1 caches session keys for an indefinitely l ...) - matrixssl 1.1-1 CVE-1999-1591 (Microsoft Internet Information Services (IIS) server 4.0 SP4, without ...) NOT-FOR-US: Microsoft IIS CVE-2007-3514 (Cross-domain vulnerability in Apple Safari for Windows 3.0.2 allows re ...) NOT-FOR-US: Apple Safari CVE-2007-3513 (The lcd_write function in drivers/usb/misc/usblcd.c in the Linux kerne ...) {DSA-1356-1} - linux-2.6 2.6.22-1 NOTE: Fixed in commit 5afeb104e7901168b21aad0437fb51dc620dfdd3 NOTE: in Linus' tree. CVE-2007-3512 (Stack-based buffer overflow in Lhaca File Archiver before 1.22 allows ...) NOT-FOR-US: Lhaca CVE-2007-3511 (The focus handling for the onkeydown event in Mozilla Firefox 1.5.0.12 ...) {DSA-1401-1 DSA-1396-1 DSA-1392-1 DTSA-69-1 DTSA-80-1} - iceweasel 2.0.0.8-1 (bug #438873; low) - xulrunner 1.8.1.9-1 - iceape 1.1.5 NOTE: MFSA2007-32 CVE-2007-3510 (Buffer overflow in the IMAP service in IBM Lotus Domino before 6.5.6 F ...) NOT-FOR-US: IBM Lotus Domino CVE-2007-3509 (Heap-based buffer overflow in the RPC subsystem in Symantec Backup Exe ...) NOT-FOR-US: Symantec CVE-2007-3508 - glibc 2.6-2 (unimportant; bug #431858) NOTE: Not security-relevant CVE-2007-3507 (Stack-based buffer overflow in the local__vcentry_parse_value function ...) - flac123 0.0.11-1 (low; bug #432008) [etch] - flac123 (Minor issue) CVE-2007-3506 (The ft_bitmap_assure_buffer function in src/base/ftbimap.c in FreeType ...) - freetype 2.3.4 (bug #432013) [sarge] - freetype (Vulnerable code introduced in 2.3.x) [etch] - freetype (Vulnerable code introduced in 2.3.x) [lenny] - freetype (Vulnerable code introduced in 2.3.x) CVE-2007-3505 (Multiple directory traversal vulnerabilities in QuickTalk forum 1.3 al ...) NOT-FOR-US: QuickTalk forum CVE-2007-3504 (Directory traversal vulnerability in the PersistenceService in Sun Jav ...) - sun-java5 NOTE: Sun Alert ID 102957 says issue is Windows only CVE-2007-3503 (The Javadoc tool in Sun JDK 6 and JDK 5.0 Update 11 can generate HTML ...) [etch] - sun-java5 1.5.0-14-1etch1 - sun-java5 1.5.0-12-1 [etch] - sun-java6 (non-free) - sun-java6 6-01-1 (bug #432006) - openjdk-6 6b08-1 (bug #566766) CVE-2007-3502 (Unspecified vulnerability in the web-based product configuration syste ...) NOT-FOR-US: Kaspersky Anti-Spam CVE-2007-3501 (Cross-site scripting (XSS) vulnerability in CMD_USER_STATS in DirectAd ...) NOT-FOR-US: DirectAdmin CVE-2007-3500 (Xeweb XEForum allows remote attackers to gain privileges via a modifie ...) NOT-FOR-US: Xeweb XEForum CVE-2007-3499 (SlackRoll before 8 accepts gpg exit codes other than 0 and 1 as eviden ...) NOT-FOR-US: SlackRoll CVE-2007-3498 (Cross-site scripting (XSS) vulnerability in smoketests/configForm.php ...) NOT-FOR-US: HTML Purifier CVE-2007-3497 (Microsoft Internet Explorer 7 allows remote attackers to determine the ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2007-3496 (Cross-site scripting (XSS) vulnerability in SAP Web Dynpro Java (BC-WD ...) NOT-FOR-US: SAP Web Dynpro Java CVE-2007-3495 (Multiple cross-site scripting (XSS) vulnerabilities in the SAP Interne ...) NOT-FOR-US: SAP Internet Communication Framework CVE-2007-3494 (Papoo CMS 3.6, and possibly earlier, does not verify user privileges w ...) NOT-FOR-US: Papoo CMS CVE-2007-3493 (A certain ActiveX control in NCTWavChunksEditor2.dll 2.6.1.148 in NCTA ...) NOT-FOR-US: NCTAudioStudio CVE-2007-3492 (Conti FtpServer 1.0 allows remote authenticated users to cause a denia ...) NOT-FOR-US: Conti FtpServer CVE-2007-3491 (Buffer overflow in _mprosrv in Progress Software OpenEdge before 9.1E0 ...) NOT-FOR-US: Progress Software OpenEdge CVE-2007-3490 (Unspecified vulnerability in Microsoft Excel 2003 SP2 allows remote at ...) NOT-FOR-US: Microsoft Excel 2003 SP2 CVE-2007-3489 (Cross-site request forgery (CSRF) vulnerability in pop/WizU.html in th ...) NOT-FOR-US: Check Point VPN-1 Edge X CVE-2007-3488 (Heap-based buffer overflow in the viewer ActiveX control in Sony Netwo ...) NOT-FOR-US: Sony Network Camera SNC-P5 1.0 CVE-2007-3487 (Absolute path traversal in a certain ActiveX control in hpqxml.dll 2.0 ...) NOT-FOR-US: Hewlett-Packard (HP) Photo Digital Imaging ActiveX control CVE-2007-3486 (Cross-site scripting (XSS) vulnerability in AltaVista search engine al ...) NOT-FOR-US: AltaVista CVE-2007-3485 (Multiple cross-site scripting (XSS) vulnerabilities in Yandex.Server a ...) NOT-FOR-US: Yandex.Server CVE-2007-3484 NOT-FOR-US: Google Custom Search Engine CVE-2007-3483 (Research in Motion BlackBerry Enterprise Server 4.0 through 4.1 has a ...) NOT-FOR-US: BlackBerry Enterprise Server CVE-2007-3482 (Cross-domain vulnerability in Apple Safari for Windows 3.0.1 allows re ...) NOT-FOR-US: Apple Safari CVE-2007-3481 NOT-FOR-US: Microsoft Internet Explorer CVE-2007-3480 (PCSoft WinDEV 11 (01F110053p) allows user-assisted remote attackers to ...) NOT-FOR-US: PCSoft WinDEV CVE-2007-3479 (Stack-based buffer overflow in PCSoft WinDEV 11 (01F110053p) allows us ...) NOT-FOR-US: PCSoft WinDEV CVE-2007-3478 (Race condition in gdImageStringFTEx (gdft_draw_bitmap) in gdft.c in th ...) - libgd2 2.0.35.dfsg-1 (unimportant) NOTE: this is a crash, and does not seem to be attacker controlled. CVE-2007-3477 (The (a) imagearc and (b) imagefilledarc functions in GD Graphics Libra ...) {DSA-1613-1} - libgd2 2.0.35.dfsg-1 (low) - libwmf (unimportant) - racket 5.0.2-1 (unimportant; bug #601525) NOTE: Only present in one of the sample pl-scheme packages (plot) NOTE: CPU consumption DoS CVE-2007-3476 (Array index error in gd_gif_in.c in the GD Graphics Library (libgd) be ...) {DSA-1613-1} - libgd2 2.0.35.dfsg-1 (low) - libwmf (unimportant) - racket 5.0.2-1 (unimportant; bug #601525) NOTE: Only present in one of the sample pl-scheme packages (plot) NOTE: can write a 0 to a 4k window in heap, very unlikely to be controllable. CVE-2007-3475 (The GD Graphics Library (libgd) before 2.0.35 allows user-assisted rem ...) - libgd2 2.0.35.dfsg-1 (unimportant) NOTE: out-of-band memory read, does not appear attacker controlled. CVE-2007-3474 (Multiple unspecified vulnerabilities in the GIF reader in the GD Graph ...) NOTE: appears to be prophylactic dup of CVE-2007-3476. CVE-2007-3473 (The gdImageCreateXbm function in the GD Graphics Library (libgd) befor ...) - libgd2 2.0.35.dfsg-1 (unimportant) NOTE: this is only a NULL deref crash (same as CVE-2007-3472) CVE-2007-3472 (Integer overflow in gdImageCreateTrueColor function in the GD Graphics ...) - libgd2 2.0.35.dfsg-1 (unimportant) NOTE: this is only a NULL deref crash. CVE-2007-3471 (Buffer overflow in the dtsession Common Desktop Environment (CDE) Sess ...) NOT-FOR-US: Sun Solaris dtsession CVE-2007-3470 (Multiple unspecified vulnerabilities in the KSSL kernel module in Sun ...) NOT-FOR-US: Sun Solaris CVE-2007-3469 (Unspecified vulnerability in the TCP Loopback/Fusion implementation in ...) NOT-FOR-US: Sun Solaris CVE-2007-3468 (input.c in VideoLAN VLC Media Player before 0.8.6c allows remote attac ...) {DSA-1332-1} - vlc 0.8.6.c.debian-1 (bug #429726) CVE-2007-3467 (Integer overflow in the __status_Update function in stats.c VideoLAN V ...) {DSA-1332-1} - vlc 0.8.6.c-1 (bug #429726) CVE-2007-3466 RESERVED CVE-2007-3465 (Check Point SofaWare Safe@Office, with firmware before Embedded NGX 7. ...) NOT-FOR-US: Check Point SofaWare Safe CVE-2007-3464 (Check Point SofaWare Safe@Office, with firmware before Embedded NGX 7. ...) NOT-FOR-US: Check Point SofaWare Safe CVE-2007-3463 NOT-FOR-US: Microsoft Windows XP SP2 CVE-2007-3462 (Cross-site request forgery (CSRF) vulnerability in Check Point SofaWar ...) NOT-FOR-US: Check Point SofaWare Safe CVE-2007-3461 (SQL injection vulnerability in property.php in elkagroup Image Gallery ...) NOT-FOR-US: elkagroup Image Gallery CVE-2007-3460 (Multiple PHP remote file inclusion vulnerabilities in index.php3 in EV ...) NOT-FOR-US: EVA-Web CVE-2007-3459 (A certain ActiveX control in Avaxswf.dll 1.0.0.1 in Civitech Avax Vect ...) NOT-FOR-US: Civitech Avax Vector CVE-2007-3458 (The libsldap library in Sun Solaris 8, 9, and 10 allows local users to ...) NOT-FOR-US: Sun Solaris libsldap CVE-2007-3457 (Adobe Flash Player 8.0.34.0 and earlier insufficiently validates HTTP ...) - flashplugin-nonfree 9.0.48.0.1 [sarge] - flashplugin-nonfree (non-free not supported) [etch] - flashplugin-nonfree (non-free not supported) CVE-2007-3456 (Integer overflow in Adobe Flash Player 9.0.45.0 and earlier might allo ...) - flashplugin-nonfree 9.0.48.0.1 [sarge] - flashplugin-nonfree (non-free not supported) [etch] - flashplugin-nonfree (non-free not supported) CVE-2006-7214 (Multiple unspecified vulnerabilities in Firebird 1.5 allow remote atta ...) {DSA-1529-1} - firebird1.5 (bug #432753) - firebird2 [etch] - firebird2 (Fixed packages have been released through backports.org, see #1529) - firebird2.0 (fixed in 2.0) CVE-2006-7213 (Firebird 1.5 allows remote authenticated users without SYSDBA and owne ...) {DSA-1529-1} - firebird1.5 (bug #432753) - firebird2 [etch] - firebird2 (Fixed packages have been released through backports.org, see #1529) - firebird2.0 (fixed in 2.0) CVE-2006-7212 (Multiple buffer overflows in Firebird 1.5, one of which affects WNET, ...) {DSA-1529-1} - firebird1.5 (bug #432753) - firebird2 [etch] - firebird2 (Fixed packages have been released through backports.org, see #1529) - firebird2.0 (fixed in 2.0) CVE-2006-7211 (fb_lock_mgr in Firebird 1.5 uses weak permissions (0666) for the semap ...) {DSA-1529-1} - firebird1.5 (fixed before rename to firebird1.5) - firebird2 1.5.3.4870-4 (low; bug #362001) [etch] - firebird2 (Fixed packages have been released through backports.org, see #1529) - firebird2.0 (fixed in 2.0) [sarge] - firebird2 (Minor issue) CVE-2006-7210 (Microsoft Windows 2000, XP, and Server 2003 allows remote attackers to ...) NOT-FOR-US: Windows CVE-2005-4848 (Buffer overflow in the decompression algorithm in Research in Motion B ...) NOT-FOR-US: BlackBerry Enterprise Server CVE-2007-3455 (cgiChkMasterPwd.exe before 8.0.0.142 in Trend Micro OfficeScan Corpora ...) NOT-FOR-US: Trend Micro OfficeScan Corporate Edition CVE-2007-3454 (Stack-based buffer overflow in CGIOCommon.dll before 8.0.0.1042 in Tre ...) NOT-FOR-US: Trend Micro OfficeScan Corporate Edition CVE-2007-3453 (SQL injection vulnerability in Papoo 3.6, and possibly earlier, allows ...) NOT-FOR-US: Papoo CVE-2007-3452 (SQL injection vulnerability in essentials/minutes/doc.php in eDocStore ...) NOT-FOR-US: eDocStore CVE-2007-3451 (PHP remote file inclusion vulnerability in admin/index.php in 6ALBlog ...) NOT-FOR-US: 6ALBlog CVE-2007-3450 (SQL injection vulnerability in member.php in 6ALBlog allows remote att ...) NOT-FOR-US: 6ALBlog CVE-2007-3449 (SQL injection vulnerability in member.php in 6ALBlog allows remote att ...) NOT-FOR-US: 6ALBlog CVE-2007-3448 (Cross-site scripting (XSS) vulnerability in index.php in BugMall Shopp ...) NOT-FOR-US: BugMall Shopping Cart CVE-2007-3447 (SQL injection vulnerability in BugMall Shopping Cart 2.5 and earlier a ...) NOT-FOR-US: BugMall Shopping Cart CVE-2007-3446 (BugMall Shopping Cart 2.5 and earlier has a default username "demo" an ...) NOT-FOR-US: BugMall Shopping Cart CVE-2007-3445 (Buffer overflow in SJ Labs SJphone 1.60.303c, running under Windows Mo ...) NOT-FOR-US: SJphone CVE-2007-3444 (The Research in Motion BlackBerry 7270 with 4.0 SP1 Bundle 83 allows r ...) NOT-FOR-US: BlackBerry 7270 CVE-2007-3443 (The Research in Motion BlackBerry 7270 before 4.0 SP1 Bundle 108 does ...) NOT-FOR-US: BlackBerry 7270 CVE-2007-3442 (Format string vulnerability on the Research in Motion BlackBerry 7270 ...) NOT-FOR-US: BlackBerry 7270 CVE-2007-3441 (Format string vulnerability in the Aastra 9112i SIP Phone with firmwar ...) NOT-FOR-US: Aastra 9112i SIP Phone CVE-2007-3440 (The Snom 320 SIP Phone, running snom320 linux 3.25, snom320-SIP 6.2.3, ...) NOT-FOR-US: Snom 320 SIP Phone CVE-2007-3439 (The Snom 320 SIP Phone, running snom320 linux 3.25, snom320-SIP 6.2.3, ...) NOT-FOR-US: Snom 320 SIP Phone CVE-2007-3438 (Buffer overflow in the SIP header parsing module in the Nortel PC Clie ...) NOT-FOR-US: Nortel PC Client SIP Soft Phone CVE-2007-3437 (AOL Instant Messenger (AIM) 6.1.32.1 on Windows XP allows remote attac ...) NOT-FOR-US: AOL Instant Messenger CVE-2007-3436 (Microsoft MSN Messenger 4.7 on Windows XP allows remote attackers to c ...) NOT-FOR-US: Microsoft CVE-2007-3435 (Stack-based buffer overflow in the BeginPrint method in a certain Acti ...) NOT-FOR-US: BarCodeAx.dll CVE-2007-3434 (index.php in Pharmacy System 2 and earlier allows remote attackers to ...) NOT-FOR-US: Pharmacy System CVE-2007-3433 (SQL injection vulnerability in index.php in Pharmacy System 2 and earl ...) NOT-FOR-US: Pharmacy System CVE-2007-3432 (Unrestricted file upload vulnerability in admin/images.php in Pluxml 0 ...) NOT-FOR-US: Pluxml CVE-2007-3431 (PHP remote file inclusion vulnerability in cal.func.php in Valerio Cap ...) NOT-FOR-US: Dagger CVE-2007-3430 (SQL injection vulnerability in index.php in Simple Invoices 2007 05 25 ...) NOT-FOR-US: Simple Invoices CVE-2007-3429 (Unrestricted file upload vulnerability in signup.php in e107 0.7.8 and ...) NOT-FOR-US: e107 CVE-2007-3428 (Multiple unspecified vulnerabilities in phpTrafficA before 1.4.2 allow ...) NOT-FOR-US: phpTrafficA CVE-2007-3427 (SQL injection vulnerability in index.php in phpTrafficA 1.4.2 and earl ...) NOT-FOR-US: phpTrafficA CVE-2007-3426 (Cross-site scripting (XSS) vulnerability in index.php in phpTrafficA 1 ...) NOT-FOR-US: phpTrafficA CVE-2007-3425 (Directory traversal vulnerability in index.php in phpTrafficA 1.4.2 an ...) NOT-FOR-US: phpTrafficA CVE-2007-3424 (The moveim function in cgi-bin/cgi-lib/instantmessage.pl in web-app.or ...) NOT-FOR-US: WebAPP CVE-2007-3423 (cgi-bin/cgi-lib/instantmessage.pl in web-app.org WebAPP before 0.9.9.7 ...) NOT-FOR-US: WebAPP CVE-2007-3422 (The getcgi function in cgi-bin/cgi-lib/subs.pl in web-app.org WebAPP b ...) NOT-FOR-US: WebAPP CVE-2007-3421 (The (1) login, (2) admin profile edit, (3) reminder, (4) edit profile, ...) NOT-FOR-US: WebAPP CVE-2007-3420 (The Random Cookie Password functionality in the loaduser function in c ...) NOT-FOR-US: WebAPP CVE-2007-3419 (The editprofile3 function in cgi-bin/cgi-lib/user.pl in web-app.org We ...) NOT-FOR-US: WebAPP CVE-2007-3418 (The displaypost function in cgi-bin/cgi-lib/forum_display.pl in web-ap ...) NOT-FOR-US: WebAPP CVE-2007-3417 (Multiple cross-site scripting (XSS) vulnerabilities in cgi-bin/cgi-lib ...) NOT-FOR-US: WebAPP CVE-2007-3416 (Multiple cross-site request forgery (CSRF) vulnerabilities in the admi ...) NOT-FOR-US: WebAPP CVE-2007-3415 (Multiple SQL injection vulnerabilities in index.php in phpRaider 1.0.0 ...) NOT-FOR-US: phpRaider CVE-2007-3414 (Multiple cross-site scripting (XSS) vulnerabilities in access2asp 4.5 ...) NOT-FOR-US: access2asp CVE-2007-3413 (Multiple cross-site scripting (XSS) vulnerabilities in bosDataGrid 2.5 ...) NOT-FOR-US: bosDataGrid CVE-2007-3412 (Cross-site scripting (XSS) vulnerability in edit_image.asp in ClickGal ...) NOT-FOR-US: ClickGallery Server CVE-2007-3411 (SQL injection vulnerability in edit_image.asp in ClickGallery Server 5 ...) NOT-FOR-US: ClickGallery Server CVE-2007-3410 (Stack-based buffer overflow in the SmilTimeValue::parseWallClockValue ...) - helix-player (Debian versions of Helix player not affected according to maintainer) CVE-2007-3409 (Net::DNS before 0.60, a Perl module, allows remote attackers to cause ...) {DSA-1515-1} - libnet-dns-perl 0.60-1 (low) CVE-2007-3408 (Multiple unspecified vulnerabilities in Dia before 0.96.1-6 have unspe ...) - dia (Windows packaging with bundled FreeType libs) CVE-2007-3407 (Sergey Lyubka Simple HTTPD (shttpd) 1.38 allows remote attackers to ob ...) NOT-FOR-US: Simple HTTPD CVE-2007-3406 (Multiple absolute path traversal vulnerabilities in Microsoft Internet ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2007-3405 (Multiple cross-site scripting (XSS) vulnerabilities in defter_yaz.asp ...) NOT-FOR-US: Lebisoft zdefter CVE-2007-3404 (Directory traversal vulnerability in ShowImage.php in SiteDepth CMS 3. ...) NOT-FOR-US: SiteDepth CMS CVE-2007-3403 (Unrestricted file upload vulnerability in upload.php in dreamLog (aka ...) NOT-FOR-US: dreamLog CVE-2007-3402 (SQL injection vulnerability in index.php in pagetool 1.07 allows remot ...) NOT-FOR-US: pagetool CVE-2007-3401 (PHP remote file inclusion vulnerability in footer.inc.php in B1G b1gBB ...) NOT-FOR-US: B1GBB CVE-2007-3400 (The NCTAudioEditor2 ActiveX control in NCTWMAFile2.dll 2.6.2.157, as d ...) NOT-FOR-US: NCTAudioEditor2 ActiveX control CVE-2007-3399 (SQL injection vulnerability in include/get_userdata.php in Power Phlog ...) NOT-FOR-US: Power Phlogger CVE-2007-3398 (LiteWEB 2.7 allows remote attackers to cause a denial of service (hang ...) NOT-FOR-US: LiveWEB CVE-2007-3397 (The web container in IBM WebSphere Application Server (WAS) before 6.0 ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2007-3396 (Cross-site scripting (XSS) vulnerability in index.wkf in KeyFocus (KF) ...) NOT-FOR-US: KeyFocus CVE-2007-3395 REJECTED CVE-2007-3394 (Multiple SQL injection vulnerabilities in eNdonesia 8.4 allow remote a ...) NOT-FOR-US: eNdonesia CVE-2007-3388 (Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdata ...) {DSA-1426-1} - qt-x11-free 3:3.3.7-6 - qt4-x11 (This problem is not present in any version of Qt 4) NOTE: http://web.archive.org/web/20080206133848/http://trolltech.com:80/company/newsroom/announcements/press.2007-07-27.7503755960 CVE-2007-3387 (Integer overflow in the StreamPredictor::StreamPredictor function in x ...) {DSA-1357-1 DSA-1355-1 DSA-1354-1 DSA-1352-1 DSA-1350-1 DSA-1349-1 DSA-1348-1 DSA-1347-1 DTSA-49-1 DTSA-50-1 DTSA-54-1 DTSA-62-1} - poppler 0.5.4-6.1 (bug #435460) - gpdf - xpdf 3.02-1.1 (bug #435462) - kdegraphics 4:3.5.7-3 - koffice 1:1.6.3-2 - pdftohtml [etch] - pdftohtml 0.36-13etch1 - tetex-bin 3.0-12 NOTE: pdftex links to poppler since 3.0-12, thus marking as fixed - cupsys (unimportant; bug #436099) - cups (unimportant; bug #436099) NOTE: cups uses xpdf-utils - pdfkit.framework 0.8-4 NOTE: links to poppler since 0.8-4, thus marking as fixed - libextractor 0.5.12-1 NOTE: libextractor uses internal pdf decoder since 0.5.12-1, thus marking as fixed - ipe (Does not include the vulnerable code) - swftools 0.9.2+ds1-2 CVE-2007-3386 (Cross-site scripting (XSS) vulnerability in the Host Manager Servlet f ...) {DSA-1447-1} - tomcat5.5 5.5.25-1 CVE-2007-3385 (Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 ...) {DSA-1453-1 DSA-1447-1} - tomcat5.5 5.5.25-1 - tomcat5 CVE-2007-3384 (Multiple cross-site scripting (XSS) vulnerabilities in examples/servle ...) NOT-FOR-US: tomcat 3.3 CVE-2007-3383 (Cross-site scripting (XSS) vulnerability in SendMailServlet in the exa ...) - tomcat4 (low) [sarge] - tomcat4 (Contrib not supported) NOTE: affects example app in tomcat4-webapps CVE-2007-3382 (Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 ...) {DSA-1453-1 DSA-1447-1} - tomcat5.5 5.5.25-1 - tomcat5 CVE-2007-3381 (The GDM daemon in GNOME Display Manager (GDM) before 2.14.13, 2.16.x b ...) - gdm 2.18.4-1 (low) [sarge] - gdm (Minor issue) [etch] - gdm (Minor issue) CVE-2007-3380 (The Distributed Lock Manager (DLM) in the cluster manager for Linux ke ...) - linux-2.6 2.6.23-1 [etch] - linux-2.6 (Vulnerable code not present) CVE-2007-3379 (Unspecified vulnerability in the kernel in Red Hat Enterprise Linux (R ...) - linux-2.6 (Red Hat-specific vulnerability) CVE-2007-3378 (The (1) session_save_path, (2) ini_set, and (3) error_log functions in ...) - php4 (unimportant) - php5 5.2.4-1 (unimportant) CVE-2007-3377 (Header.pm in Net::DNS before 0.60, a Perl module, (1) generates predic ...) {DSA-1515-1} - libnet-dns-perl 0.60-1 (low) CVE-2007-3376 (Buffer overflow in Apple Safari 3.0.2 on Windows XP SP2 allows user-as ...) NOT-FOR-US: Apple Safari CVE-2007-3375 (Stack-based buffer overflow in Lhaca File Archiver before 1.21 allows ...) NOT-FOR-US: Lhaca CVE-2007-3374 (Buffer overflow in cluster/cman/daemon/daemon.c in cman (redhat-cluste ...) - redhat-cluster (Just relevant in newer versions, we don't ship this file) CVE-2007-3373 (daemon.c in cman (redhat-cluster-suite) before 20070622 does not clear ...) - redhat-cluster (Just relevant in newer versions, we don't ship this file) CVE-2006-7209 (Multiple cross-site scripting (XSS) vulnerabilities in phpTrafficA bef ...) NOT-FOR-US: phpTrafficA CVE-2006-7208 (PHP remote file inclusion vulnerability in download.php in the Adam va ...) NOT-FOR-US: phpBB component com_forum CVE-2003-1332 (Stack-based buffer overflow in the reply_nttrans function in Samba 2.2 ...) - samba (Vulnerable version not in any suite) CVE-2003-1331 (Stack-based buffer overflow in the mysql_real_connect function in the ...) - mysql-dfsg-5.0 (Newer versions in all suites apart oldstable) NOTE: oldstable is affected, everything else uses libmysqlclient15 CVE-2007-3389 (Wireshark before 0.99.6 allows remote attackers to cause a denial of s ...) - wireshark 0.99.6pre1-1 [etch] - wireshark (Only affected 0.99.5) - ethereal (Vulnerable code not present) CVE-2007-3390 (Wireshark 0.99.5 and 0.10.x up to 0.10.14, when running on certain sys ...) {DSA-1322-1} - wireshark 0.99.6pre1-1 - ethereal (Vulnerable code not present) CVE-2007-3391 (Wireshark 0.99.5 allows remote attackers to cause a denial of service ...) - wireshark 0.99.6pre1-1 [etch] - wireshark (Only affected 0.99.5) - ethereal (Vulnerable code not present) CVE-2007-3392 (Wireshark before 0.99.6 allows remote attackers to cause a denial of s ...) {DSA-1322-1} - wireshark 0.99.6pre1-1 - ethereal (Vulnerable code not present) CVE-2007-3393 (Off-by-one error in the DHCP/BOOTP dissector in Wireshark before 0.99. ...) {DSA-1322-1} - wireshark 0.99.6pre1-1 - ethereal (Vulnerable code not present) CVE-2007-3372 (The Avahi daemon in Avahi before 0.6.20 allows attackers to cause a de ...) {DSA-1690-1} - avahi 0.6.20-2 (low) [etch] - avahi (Minor issue, only affects local users) CVE-2007-3371 (PHP remote file inclusion vulnerability in plugins/widgets/htmledit/ht ...) NOT-FOR-US: Powl CVE-2007-3370 (Multiple PHP remote file inclusion vulnerabilities in Sun Board 1.00.0 ...) NOT-FOR-US: Sun Board CVE-2007-3369 (Buffer overflow in the Polycom SoundPoint IP 601 SIP phone with BootRO ...) NOT-FOR-US: Polycom SoundPoint IP 601 SIP phone CVE-2007-3368 (Buffer overflow in the HTTP server on the Polycom SoundPoint IP 601 SI ...) NOT-FOR-US: Polycom SoundPoint IP 601 SIP phone CVE-2007-3367 (Simple CGI Wrapper (scgiwrap) in cPanel before 10.9.1, and 11.x before ...) NOT-FOR-US: cPanel CVE-2007-3366 (Cross-site scripting (XSS) vulnerability in Simple CGI Wrapper (scgiwr ...) NOT-FOR-US: cPanel CVE-2007-3365 (MyServer 0.8.9 and earlier does not properly handle uppercase characte ...) NOT-FOR-US: MyServer CVE-2007-3364 (Cross-site scripting (XSS) vulnerability in the cgi-bin/post.mscgi sam ...) NOT-FOR-US: MyServer CVE-2007-3363 (Multiple unspecified vulnerabilities in ageet AGEphone before 1.6.3 al ...) NOT-FOR-US: AGEphone CVE-2007-3362 (ageet AGEphone before 1.6.2, running on Windows Mobile 5 on the HTC Hy ...) NOT-FOR-US: AGEphone CVE-2007-3361 (The Nortel PC Client SIP Soft Phone 4.1 3.5.208[20051015] allows remot ...) NOT-FOR-US: Nortel PC Client SIP Soft Phone CVE-2007-3360 (hook.c in BitchX 1.1-final allows remote IRC servers to execute arbitr ...) - ircii-pana (medium; bug #432120) NOTE: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=bitchx_CVE-2007-3360.patch;att=1;bug=432120 CVE-2007-3359 (Multiple PHP remote file inclusion vulnerabilities in SerWeb 0.9.6 and ...) NOT-FOR-US: SerWeb CVE-2007-3358 (PHP remote file inclusion vulnerability in html/load_lang.php in SerWe ...) NOT-FOR-US: SerWeb CVE-2007-3357 (NetClassifieds Premium Edition does not use encryption for (1) stored ...) NOT-FOR-US: NetClassifieds Premium Edition CVE-2007-3356 (NetClassifieds Premium Edition allows remote attackers to obtain sensi ...) NOT-FOR-US: NetClassifieds Premium Edition CVE-2007-3355 (Multiple cross-site scripting (XSS) vulnerabilities in NetClassifieds ...) NOT-FOR-US: NetClassifieds Premium Edition CVE-2007-3354 (Multiple SQL injection vulnerabilities in NetClassifieds Premium Editi ...) NOT-FOR-US: NetClassifieds Premium Edition CVE-2007-3353 NOT-FOR-US: MyEvent CVE-2007-3352 (Cross-site scripting (XSS) vulnerability in the preview form in Stephe ...) NOT-FOR-US: Stephen Ostermiller Contact Form CVE-2007-3351 (The SJPhone SIP soft phone 1.60.303c, when installed on the Dell Axim ...) NOT-FOR-US: SJPhone SIP CVE-2007-3350 (AOL Instant Messenger (AIM) 6.1.32.1 on Windows XP allows remote attac ...) NOT-FOR-US: AIM CVE-2007-3349 (The Aastra 9112i SIP Phone with firmware 1.4.0.1048 and boot version 1 ...) NOT-FOR-US: Aastra 9112i SIP Phone CVE-2007-3348 (The D-Link DPH-540/DPH-541 phone allows remote attackers to cause a de ...) NOT-FOR-US: D-Link DPH-540/DPH-541 phone CVE-2007-3347 (The D-Link DPH-540/DPH-541 phone accepts SIP INVITE messages that are ...) NOT-FOR-US: D-Link DPH-540/DPH-541 phone CVE-2007-3346 (Directory traversal vulnerability in index.php in PHPAccounts 0.5 allo ...) NOT-FOR-US: PHPAccounts CVE-2007-3345 (Multiple SQL injection vulnerabilities in index.php in PHPAccounts 0.5 ...) NOT-FOR-US: PHPAccounts CVE-2007-3344 (Multiple cross-site scripting (XSS) vulnerabilities in netjukebox 4.01 ...) NOT-FOR-US: netjukebox CVE-2007-3343 (Cross-site scripting (XSS) vulnerability in RaidenHTTPD before 2.0.14 ...) NOT-FOR-US: RaidenHTTPD CVE-2007-3342 (Multiple cross-site scripting (XSS) vulnerabilities in Movable Type (M ...) NOT-FOR-US: Movable Type CVE-2007-3341 (Unspecified vulnerability in the FTP implementation in Microsoft Inter ...) NOT-FOR-US: Microsoft CVE-2007-3340 (BugHunter HTTP SERVER (httpsv.exe) 1.6.2 allows remote attackers to ca ...) NOT-FOR-US: HTTP Server 1.6.2 CVE-2007-3339 (Multiple cross-site scripting (XSS) vulnerabilities in forum/include/e ...) NOT-FOR-US: ColdFusion CVE-2007-3338 (Multiple stack-based buffer overflows in Ingres database server 2006 9 ...) NOT-FOR-US: Ingres CVE-2007-3337 (wakeup in Ingres database server 2006 9.0.4, r3, 2.6, and 2.5, as used ...) NOT-FOR-US: Ingres CVE-2007-3336 (Multiple "pointer overwrite" vulnerabilities in Ingres database server ...) NOT-FOR-US: Ingres CVE-2007-3335 (Multiple SQL injection vulnerabilities in the admin panel in PHPEcho C ...) NOT-FOR-US: PHPEcho CMS CVE-2007-3334 (Multiple heap-based buffer overflows in the (1) Communications Server ...) NOT-FOR-US: Ingres CVE-2007-3333 (Stack-based buffer overflow in capture in IBM AIX 5.3 SP6 and 5.2.0 al ...) NOT-FOR-US: IBM AIX CVE-2007-3332 (Directory traversal vulnerability in Satellite.php in Satel Lite for P ...) NOT-FOR-US: Satel Lite for PhpNuke CVE-2007-3331 (Cross-site request forgery (CSRF) vulnerability in STphp EasyNews PRO ...) NOT-FOR-US: STphp EasyNews PRO CVE-2007-3330 (Cross-site scripting (XSS) vulnerability in STphp EasyNews PRO 4.0 all ...) NOT-FOR-US: STphp EasyNews PRO CVE-2007-3329 (Multiple array index errors in the (1) get_intra_block, (2) get_inter_ ...) NOT-FOR-US: Xvid CVE-2007-3328 (Multiple cross-site scripting (XSS) vulnerabilities in Interact 2.4 be ...) NOT-FOR-US: Interact CVE-2007-3327 (httpsv.exe in HTTP Server 1.6.2 allows remote attackers to obtain sens ...) NOT-FOR-US: HTTP Server 1.6.2 CVE-2007-3326 (Multiple directory traversal vulnerabilities in vBulletin 3.x.x allow ...) NOT-FOR-US: vBulletin CVE-2007-3325 (PHP remote file inclusion vulnerability in lib/language.php in LAN Man ...) NOT-FOR-US: LAN Management System CVE-2007-3324 (Multiple cross-site scripting (XSS) vulnerabilities in Comersus Cart 7 ...) NOT-FOR-US: Comersus Cart CVE-2007-3323 (SQL injection vulnerability in comersus_optReviewReadExec.asp in Comer ...) NOT-FOR-US: Comersus Shop Cart CVE-2006-7207 (Buffer overflow in ageet AGEphone before 1.4.0 might allow remote atta ...) NOT-FOR-US: AGEphone CVE-2006-7206 (Microsoft Internet Explorer 6 on Windows XP SP2 allows remote attacker ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2007-4168 REJECTED CVE-2007-3322 (The Avaya 4602 SW IP Phone (Model 4602D02A) with 2.2.2 and earlier SIP ...) NOT-FOR-US: Avaya IP Phone CVE-2007-3321 (The Avaya 4602 SW IP Phone (Model 4602D02A) with 2.2.2 and earlier SIP ...) NOT-FOR-US: Avaya IP Phone CVE-2007-3320 (The Avaya 4602SW IP Phone (Model 4602D02A) with 2.2.2 and earlier SIP ...) NOT-FOR-US: Avaya IP Phone CVE-2007-3319 (The Avaya 4602SW IP Phone (Model 4602D02A) with 2.2.2 and earlier SIP ...) NOT-FOR-US: Avaya IP Phone CVE-2007-3318 (Buffer overflow in the Session Initiation Protocol (SIP) User Access C ...) NOT-FOR-US: Avaya one-X Desktop Edition CVE-2007-3317 (The Session Initiation Protocol (SIP) User Access Client (UAC) message ...) NOT-FOR-US: Avaya one-X Desktop Edition CVE-2007-3316 (Multiple format string vulnerabilities in plugins in VideoLAN VLC Medi ...) {DSA-1332-1} - vlc 0.8.6.c-1 (medium; bug #429726) CVE-2007-3315 (Multiple PHP remote file inclusion vulnerabilities in YourFreeScreamer ...) NOT-FOR-US: YourFreeScreamer CVE-2007-3314 (Stack-based buffer overflow in peviewer.spl in Altap Servant Salamande ...) NOT-FOR-US: Altap Servant Salamander CVE-2007-3313 (Multiple SQL injection vulnerabilities in Jasmine CMS 1.0 allow remote ...) NOT-FOR-US: Jasmine CMS CVE-2007-3312 (Directory traversal vulnerability in admin/plugin_manager.php in Jasmi ...) NOT-FOR-US: Jasmine CMS CVE-2007-3311 (SQL injection vulnerability in print.php in the Articles 1.02 and earl ...) NOT-FOR-US: Articles CVE-2007-3310 (Cross-site scripting (XSS) vulnerability in arama.asp in TDizin allows ...) NOT-FOR-US: TDizin CVE-2007-3309 (Unspecified vulnerability in Simple Machines Forum (SMF) 1.1.2 allows ...) NOT-FOR-US: Simple Machines Forum CVE-2007-3308 (Simple Machines Forum (SMF) 1.1.2 uses a concatenation method with ins ...) NOT-FOR-US: Simple Machines Forum CVE-2007-3307 (SQL injection vulnerability in game_listing.php in Solar Empire 2.9.1. ...) NOT-FOR-US: Solar Empire CVE-2007-3306 (PHP remote file inclusion vulnerability in crontab/run_billing.php in ...) NOT-FOR-US: MiniBill CVE-2007-3305 (Heap-based buffer overflow in Cerulean Studios Trillian 3.x before 3.1 ...) NOT-FOR-US: Cerulean Studios Trillian CVE-2007-3304 (Apache httpd 1.3.37, 2.0.59, and 2.2.4 with the Prefork MPM module, al ...) - apache (low) - apache2 2.2.4-2 (low) [etch] - apache2 2.2.3-4+etch2 [sarge] - apache2 2.0.54-5sarge2 (low) [etch] - apache 1.3.34-4.1+etch1 CVE-2007-3303 (Apache httpd 2.0.59 and 2.2.4, with the Prefork MPM module, allows loc ...) - apache2 (unimportant) NOTE: If you can execute arbitrary code, a DoS is not a problem. CVE-2007-3302 (The CallCode ActiveX control in caller.dll 3.0 before 20070713, and 3. ...) NOT-FOR-US: CA CVE-2007-3301 (SQL injection vulnerability in forum/include/error/autherror.cfm in Fu ...) NOT-FOR-US: FuseTalk CVE-2007-3300 (Multiple F-Secure anti-virus products for Microsoft Windows and Linux ...) NOT-FOR-US: F-Secure CVE-2007-3299 (Cross-site scripting (XSS) vulnerability in AWFFull before 3.7.4, when ...) - awffull 3.7.4final-1 (unimportant) NOTE: awffull (a webalizer fork) does not have any cookie based authentication NOTE: or other sensitive data that could be leaked through this CVE-2007-3298 (SQL injection vulnerability in Spey before 0.4.1 allows remote attacke ...) NOT-FOR-US: Spey CVE-2007-3297 (Multiple PHP remote file inclusion vulnerabilities in Musoo 0.21 allow ...) NOT-FOR-US: Musoo CVE-2007-3296 (The ThunderServer.webThunder.1 ActiveX control in xunlei Web Thunderbo ...) NOT-FOR-US: Web Thunderbolt CVE-2007-3295 (Directory traversal vulnerability in Yet another Bulletin Board (YaBB) ...) NOT-FOR-US: YaBB CVE-2007-3294 (Multiple buffer overflows in libtidy, as used in the Tidy extension fo ...) - php5 (unimportant) NOTE: Only exploitable by malicious script CVE-2007-3293 (SQL injection vulnerability in categoria.php in LiveCMS 3.4 and earlie ...) NOT-FOR-US: LiveCMS CVE-2007-3292 (Unrestricted file upload vulnerability in LiveCMS 3.4 and earlier allo ...) NOT-FOR-US: LiveCMS CVE-2007-3291 (Cross-site scripting (XSS) vulnerability in LiveCMS 3.4 and earlier al ...) NOT-FOR-US: LiveCMS CVE-2007-3290 (categoria.php in LiveCMS 3.4 and earlier allows remote attackers to ob ...) NOT-FOR-US: LiveCMS CVE-2007-3289 (PHP remote file inclusion vulnerability in spaw/spaw_control.class.php ...) NOT-FOR-US: WiwiMod for XOOPS CVE-2007-3288 (Cross-site scripting (XSS) vulnerability in the skeltoac stats (Automa ...) NOT-FOR-US: skeltoac stats plugin for WordPress CVE-2007-3287 RESERVED CVE-2007-3286 (Multiple buffer overflows in unspecified ActiveX controls in COM objec ...) NOT-FOR-US: Avaya IP Softphone CVE-2007-3285 (Mozilla Firefox before 2.0.0.5, when run on Windows, allows remote att ...) - iceweasel (Affects only Firefox in Windows) NOTE: MFSA2007-22 CVE-2007-3284 (corefoundation.dll in Apple Safari 3.0.1 (552.12.2) for Windows allows ...) NOT-FOR-US: Apple Safari CVE-2007-3283 (GNOME XScreenSaver in Sun Solaris 8 and 9 before 20070417, when root i ...) - xscreensaver (Not a security issue: works as documented) CVE-2007-3282 (Buffer overflow in the Microsoft Office MSODataSourceControl ActiveX o ...) NOT-FOR-US: Microsoft Office CVE-2007-3281 (Cross-site scripting (XSS) vulnerability in index.php in Php Hosting B ...) NOT-FOR-US: Php Hosting Biller CVE-2007-3280 (The Database Link library (dblink) in PostgreSQL 8.1 implements functi ...) - postgresql-8.1 (Neither PL/pgsql nor dblink are enabled by default) - postgresql-8.2 (Neither PL/pgsql nor dblink are enabled by default) CVE-2007-3279 (PostgreSQL 8.1 and probably later versions, when the PL/pgSQL (plpgsql ...) - postgresql-8.1 (Neither PL/pgsql nor dblink are enabled by default) - postgresql-8.2 (Neither PL/pgsql nor dblink are enabled by default) CVE-2007-3278 (PostgreSQL 8.1 and probably later versions, when local trust authentic ...) {DSA-1463-1 DSA-1460-1} - postgresql-8.1 (local trust authentication is not enabled in Debian) - postgresql-8.2 (local trust authentication is not enabled in Debian) CVE-2007-3277 (Unspecified vulnerability in the localization before 1.2 module for WI ...) NOT-FOR-US: localization module for WIKINDX CVE-2007-3276 (Cross-site scripting (XSS) vulnerability in index.php in Site@School ( ...) NOT-FOR-US: Site CVE-2007-3275 (MailWasher Server before 2.2.1, when used with LDAP or Active Director ...) NOT-FOR-US: MailWasher Server CVE-2007-3274 (Apple Safari 3.0 and 3.0.1 on Windows XP SP2 allows attackers to cause ...) NOT-FOR-US: Apple Safari CVE-2007-3273 (SQL injection vulnerability in index.cfm in FuseTalk 2.0 allows remote ...) NOT-FOR-US: FuseTalk CVE-2007-3272 (Directory traversal vulnerability in index.php in MiniBB 2.0.5 allows ...) NOT-FOR-US: MiniBB CVE-2007-3271 (PHP remote file inclusion vulnerability in templates/2blue/bodyTemplat ...) NOT-FOR-US: YourFreeScreamer CVE-2007-3270 (PHP remote file inclusion vulnerability in Includes/global.inc.php in ...) NOT-FOR-US: phpMyInventory CVE-2007-3269 (Multiple cross-site scripting (XSS) vulnerabilities in Papoo Light 3.6 ...) NOT-FOR-US: Papoo Light CVE-2007-3268 (The TFTP implementation in IBM Tivoli Provisioning Manager for OS Depl ...) NOT-FOR-US: IBM Tivoli Provisioning Manager CVE-2007-3267 (Cross-site scripting (XSS) vulnerability in low.php in Fuzzylime Forum ...) NOT-FOR-US: Fuzzylime Forum CVE-2007-3266 (Directory traversal vulnerability in webif.cgi in ifnet WEBIF allows r ...) NOT-FOR-US: WEBIF CVE-2007-3265 (Cross-site scripting (XSS) vulnerability in the Samples component in I ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2007-3264 (Unspecified vulnerability in the PD tools component in IBM WebSphere A ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2007-3263 (Unspecified vulnerability in the Default Messaging Component in IBM We ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2007-3262 (Unspecified vulnerability in the Default Messaging Component in IBM We ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2007-3261 (Cross-site scripting (XSS) vulnerability in widgets/widget_search.php ...) NOT-FOR-US: dKret CVE-2007-3260 (HP System Management Homepage (SMH) before 2.1.9 for Linux, when used ...) NOT-FOR-US: HP System Management Homepage CVE-2007-3259 (Calendarix 0.7.20070307 allows remote attackers to obtain sensitive in ...) NOT-FOR-US: Calendarix CVE-2007-3258 (calendar.php in Calendarix 0.7.20070307 allows remote attackers to obt ...) NOT-FOR-US: Calendarix CVE-2007-3257 (Camel (camel-imap-folder.c) in the mailer component for Evolution Data ...) {DSA-1325-1 DSA-1321-1} - evolution 2.12.0-1 - evolution-data-server 1.10.2-2 (bug #429876) [sarge] - evolution-data-server (Vulnerable code present in a different source package) CVE-2007-3256 (Xythos Enterprise Document Manager (XEDM), Digital Locker (XDL), and p ...) NOT-FOR-US: Xythos Enterprise Document Manager CVE-2007-3255 (Multiple cross-site request forgery (CSRF) vulnerabilities in Xythos E ...) NOT-FOR-US: Xythos Enterprise Document Manager CVE-2007-3254 (Multiple cross-site scripting (XSS) vulnerabilities in Xythos Enterpri ...) NOT-FOR-US: Xythos Enterprise Document Manager CVE-2007-3253 (Multiple unspecified vulnerabilities in Astaro Security Gateway (ASG) ...) NOT-FOR-US: Astaro Security Gateway CVE-2007-3252 (PortalApp stores sensitive information under the web root with insuffi ...) NOT-FOR-US: PortalApp CVE-2007-3251 (Multiple directory traversal vulnerabilities in e-Vision CMS 2.02 and ...) NOT-FOR-US: e-Vision CMS CVE-2007-3250 (SQL injection vulnerability in mod_banners.php in Elxis CMS before 200 ...) NOT-FOR-US: Elxis CMS CVE-2007-3249 (Cross-site scripting (XSS) vulnerability in mod_lettermansubscribe.php ...) NOT-FOR-US: Letterman Subscriber CVE-2007-3248 (Unspecified vulnerability in Sun Solaris 10 before 20070614, when IPv6 ...) NOT-FOR-US: Sun Solaris CVE-2007-3247 (SQL injection vulnerability in VirtueMart before 1.0.11 allows remote ...) NOT-FOR-US: VirtueMart CVE-2005-4847 (Unspecified vulnerability in Spey 0.3.3 has unknown impact and attack ...) NOT-FOR-US: Spey CVE-2005-4846 (Format string vulnerability in Logger.cc for Spey 0.3.3 allows attacke ...) NOT-FOR-US: Spey CVE-2007-3246 (The do_set_password function in modules/chanserv/set.c in IRC Services ...) NOT-FOR-US: IRC Services CVE-2007-3245 (IRC Services before 5.0.62, and 5.1 before 5.1pre3, allows remote atta ...) NOT-FOR-US: IRC Services CVE-2007-3244 (SQL injection vulnerability in bb-includes/formatting-functions.php in ...) NOT-FOR-US: bbPress CVE-2007-3243 (Cross-site scripting (XSS) vulnerability in bb-login.php in bbPress 0. ...) NOT-FOR-US: bbPress CVE-2007-3242 (The Menu Manager Mod for (1) web-app.net WebAPP (aka WebAPP NE) 0.9.9. ...) NOT-FOR-US: WebAPP CVE-2007-3241 (Cross-site scripting (XSS) vulnerability in blogroll.php in the cordob ...) NOT-FOR-US: cordobo-green-park theme for WordPress CVE-2007-3240 (Cross-site scripting (XSS) vulnerability in 404.php in the Vistered-Li ...) NOT-FOR-US: Vistered-Little theme for WordPress CVE-2007-3239 (Cross-site scripting (XSS) vulnerability in searchform.php in the Andy ...) NOT-FOR-US: AndyBlue theme for WordPress CVE-2007-3238 (Cross-site scripting (XSS) vulnerability in functions.php in the defau ...) {DSA-1502-1} - wordpress 2.2.2-1 (low) CVE-2007-3237 (PHP remote file inclusion vulnerability in admin/spaw/spaw_control.cla ...) NOT-FOR-US: XOOPS CVE-2007-3236 (PHP remote file inclusion vulnerability in footer.php in the Horoscope ...) NOT-FOR-US: XOOPS CVE-2007-3235 (Cross-site scripting (XSS) vulnerability in low.php in Fuzzylime Forum ...) NOT-FOR-US: Fuzzylime Forum CVE-2007-3234 (SQL injection vulnerability in low.php in Fuzzylime Forum 1.0 allows r ...) NOT-FOR-US: Fuzzylime Forum CVE-2007-3233 (The TEC-IT TBarCode OCX ActiveX control (TBarCode7.ocx) 7.0.2.3524 all ...) NOT-FOR-US: TEC-IT CVE-2007-3232 (The IBM TotalStorage DS400 with firmware 4.15 uses a blank password fo ...) NOT-FOR-US: IBM CVE-2007-3231 (Buffer overflow in MeCab before 0.96 has unknown impact and attack vec ...) - mecab 0.95-1.1 (bug #429174; low) [etch] - mecab (Minor issue) [sarge] - mecab (Minor issue) CVE-2007-3230 (PHP remote file inclusion vulnerability in phphtml.php in Idan Sofer P ...) NOT-FOR-US: PHP::HTML CVE-2007-3229 (index.php in Singapore Gallery allows remote attackers to obtain sensi ...) NOT-FOR-US: Singapore Gallery CVE-2007-3228 (PHP remote file inclusion vulnerability in saf/lib/PEAR/PhpDocumentor/ ...) NOT-FOR-US: Sitellite CMS CVE-2007-3227 (Cross-site scripting (XSS) vulnerability in the to_json (ActiveRecord: ...) - rails 1.2.5-1 (bug #429177) CVE-2007-3226 (Cross-site scripting (XSS) vulnerability in dotProject before 2.1 RC2 ...) NOT-FOR-US: dotProject CVE-2007-3225 (Unspecified vulnerability in Sun Java System Directory Server (slapd) ...) NOT-FOR-US: Sun Java System Directory Server CVE-2007-3224 (Unspecified vulnerability in Sun ONE/Java System Directory Server (sla ...) NOT-FOR-US: Sun Java System Directory Server CVE-2007-3223 (Unspecified vulnerability in the NFS server in Sun Solaris 10 before 2 ...) NOT-FOR-US: Sun Solaris CVE-2007-3222 (PHP remote file inclusion vulnerability in modify.php in the XFsection ...) NOT-FOR-US: XOOPS CVE-2007-3221 (PHP remote file inclusion vulnerability in admin/spaw/spaw_control.cla ...) NOT-FOR-US: XOOPS CVE-2007-3220 (PHP remote file inclusion vulnerability in admin/editor2/spaw_control. ...) NOT-FOR-US: XOOPS CVE-2007-3219 (Unspecified vulnerability in sources/action_public/xmlout.php in Invis ...) NOT-FOR-US: Invision Power Board (IPB) CVE-2007-3218 (Cross-site scripting (XSS) vulnerability in request.php in PHP Live! 3 ...) NOT-FOR-US: PHP Live! CVE-2007-3217 (Multiple PHP remote file inclusion vulnerabilities in Prototype of an ...) NOT-FOR-US: Prototype of an PHP application CVE-2007-3216 (Multiple buffer overflows in the LGServer component of CA (Computer As ...) NOT-FOR-US: CA BrightStor products CVE-2007-3215 (PHPMailer 1.7, when configured to use sendmail, allows remote attacker ...) {DSA-1315-1} - libphp-phpmailer 1.73-4 (high; bug #429179) - flyspray 0.9.8-12 (bug #429191; bug #429195) [etch] - flyspray (Vulnerable code not) [sarge] - flyspray (Vulnerable code not included) - moodle 1.8.2-2 (bug #429190) - owl-dms 0.94-2 (bug #429197) - knowledgeroot 0.9.8.2-2 (bug #429196) [etch] - knowledgeroot (Vulnerable code not used) [etch] - owl-dms (Vulnerable code not used) - ipplan 4.85-2 (bug #429193) - glpi 0.68.3.2-1 (bug #429192) [etch] - glpi (Vulnerable code not used) - wordpress 2.2.1-1 (bug #429194) [etch] - wordpress (Vulnerable code not present) - mahara 1.0.5-2 (bug #504253) [lenny] - mahara 1.0.4-3 [etch] - phpgroupware (bug #504255; Vulnerable code not used) - phpgroupware 0.9.16.012+dfsg-9 (medium; bug #504255) - egroupware (bug #504283; Vulnerable code not used) CVE-2007-3214 (SQL injection vulnerability in style.php in e-Vision CMS 2.02 and earl ...) NOT-FOR-US: e-Vision CMS CVE-2007-3213 (Multiple cross-site scripting (XSS) vulnerabilities in comments.cgi in ...) NOT-FOR-US: Sporum Forum CVE-2007-3212 (Multiple cross-site scripting (XSS) vulnerabilities in links.php in Be ...) NOT-FOR-US: Beehive Forum CVE-2007-3211 (Cross-site scripting (XSS) vulnerability in 404.php in Domain Technolo ...) NOT-FOR-US: Domain Technologie Control (DTC) CVE-2007-3210 (Stack-based buffer overflow in nptoken.mox in the Cellosoft Tokens Obj ...) NOT-FOR-US: Cellosoft Tokens Object CVE-2007-3209 (Mail Notification 4.0, when WITH_SSL is set to 0 at compile time, uses ...) - mail-notification 4.0.dfsg.1-2 (low; bug #428157) [sarge] - mail-notification (Only affects 3.x and 4.x) [etch] - mail-notification (Minor issue, needs proper documentation in errata) CVE-2007-3208 (CRLF injection vulnerability in Yet another Bulletin Board (YaBB) 2.1 ...) NOT-FOR-US: YaBB CVE-2007-3207 (Buffer overflow in the NFS mount daemon (XNFS.NLM) in Novell NetWare 6 ...) NOT-FOR-US: Novell NetWare CVE-2007-3206 RESERVED CVE-2007-3205 (The parse_str function in (1) PHP, (2) Hardened-PHP, and (3) Suhosin, ...) - php4 (unimportant) - php5 (unimportant) NOTE: That's by design CVE-2007-3204 (SQL injection vulnerability in auth.php in Just For Fun Network Manage ...) NOTE: This is an jffnms ID, which has been wrongly reported by an external party, NOTE: The data is sufficiently sanitised with the Debian fix for CVE-2007-3192 CVE-2007-3203 (Stack-based buffer overflow in smtpdll.dll in the SMTP service in 602P ...) NOT-FOR-US: 602Pro LAN SUITE CVE-2007-3202 (Cross-site scripting (XSS) vulnerability in the rich text editor in We ...) NOT-FOR-US: Webwiz CVE-2007-3201 (Visual truncation vulnerability in Windows Privacy Tray (WinPT) 1.2.0 ...) NOT-FOR-US: Windows Privacy Tray (WinPT) CVE-2007-3200 (NMASINST in Novell Modular Authentication Service (NMAS) 3.1.2 and ear ...) NOT-FOR-US: Novell CVE-2007-3199 (Unrestricted file upload vulnerability in Link Request Contact Form 3. ...) NOT-FOR-US: Link Request Contact Form CVE-2007-3198 (Cross-site scripting (XSS) vulnerability in comments.php in Maran PHP ...) NOT-FOR-US: Maran PHP Blog CVE-2007-3197 (SQL injection vulnerability in vBSupport.php in vBSupport 1.1 before 1 ...) NOT-FOR-US: vBulletin CVE-2007-3196 (SQL injection vulnerability in vBSupport.php in vSupport Integrated Ti ...) NOT-FOR-US: VBulletin CVE-2007-3195 (Cross-site scripting (XSS) vulnerability in index.php in ERFAN WIKI 1. ...) NOT-FOR-US: ERFAN WIKI CVE-2007-3194 NOT-FOR-US: myBloggie CVE-2007-3193 (lib/WikiUser/LDAP.php in PhpWiki before 1.3.13p1, when the configurati ...) {DSA-1371-1} - phpwiki 1.3.12p3-6.1 (low; bug #429201) CVE-2007-3192 (admin/setup.php in Just For Fun Network Management System (JFFNMS) 0.8 ...) {DSA-1374-1} - jffnms 0.8.3dfsg.1-4 (medium) NOTE: 20_security.dpatch is addressing this bug however the maintainer didn't include NOTE: a note about the CVE id. CVE-2007-3191 (Just For Fun Network Management System (JFFNMS) 0.8.3 allows remote at ...) {DSA-1374-1} - jffnms 0.8.3dfsg.1-4 CVE-2007-3190 (Multiple SQL injection vulnerabilities in auth.php in Just For Fun Net ...) {DSA-1374-1} - jffnms 0.8.3dfsg.1-4 CVE-2007-3189 (Cross-site scripting (XSS) vulnerability in auth.php in Just For Fun N ...) {DSA-1374-1} - jffnms 0.8.3dfsg.1-4 CVE-2007-3188 (SQL injection vulnerability in down_indir.asp in Fullaspsite GeometriX ...) NOT-FOR-US: Fullaspsite GeometriX Download Portal CVE-2007-3187 (Multiple unspecified vulnerabilities in Apple Safari for Windows allow ...) NOT-FOR-US: Apple CVE-2007-3186 (Apple Safari Beta 3.0.1 for Windows allows remote attackers to execute ...) NOT-FOR-US: Apple CVE-2007-3185 (Apple Safari Beta 3.0.1 for Windows public beta allows remote attacker ...) NOT-FOR-US: Apple CVE-2007-3184 (Cisco Trust Agent (CTA) before 2.1.104.0, when running on MacOS X, all ...) NOT-FOR-US: Cisco CVE-2007-3183 (Multiple SQL injection vulnerabilities in Calendarix 0.7.20070307, whe ...) NOT-FOR-US: Calendarix CVE-2007-3182 (Multiple cross-site scripting (XSS) vulnerabilities in Calendarix 0.7. ...) NOT-FOR-US: Calendarix CVE-2007-3181 (Buffer overflow in fbserver.exe in Firebird SQL 2 before 2.0.1 allows ...) {DSA-1529-1} - firebird2.0 2.0.3.12981.ds1-1 (medium) [etch] - firebird2 (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 (medium) NOTE: maybe fixed prior to 2.0.3.12981.ds1-1 (2.0.1) but couldn't find any earlier source code NOTE: in the pool to check and since this version is in testing and unstable... CVE-2007-3180 (Buffer overflow in Help and Support Center before 4.4 C on HP Windows ...) NOT-FOR-US: HP CVE-2007-3179 (Multiple SQL injection vulnerabilities in archives.php in Particle Blo ...) NOT-FOR-US: Particle Blogger CVE-2007-3178 (Multiple SQL injection vulnerabilities in Zindizayn Okul Web Sistemi 1 ...) NOT-FOR-US: Sistemi CVE-2007-3177 (Ingate Firewall and SIParator before 4.5.2 allow remote attackers to b ...) NOT-FOR-US: Ingate Firewall / SIParator CVE-2007-3176 (Unspecified vulnerability in Ingate Firewall and SIParator before 4.5. ...) NOT-FOR-US: Ingate Firewall / SIParator CVE-2007-3175 (Multiple SQL injection vulnerabilities in W2B Online Banking allow rem ...) NOT-FOR-US: W2B Online Banking CVE-2007-3174 (Cross-site scripting (XSS) vulnerability in auth.w2b in W2B Online Ban ...) NOT-FOR-US: W2B Online Banking CVE-2007-3173 (Almnzm allows remote attackers to obtain sensitive information via an ...) NOT-FOR-US: Almnzm CVE-2007-3172 (Directory traversal vulnerability in demo/pop3/error.php in Uebimiau W ...) NOT-FOR-US: UebiMiau CVE-2007-3171 (Uebimiau Webmail allows remote attackers to obtain sensitive informati ...) NOT-FOR-US: UebiMiau CVE-2007-3170 (Multiple cross-site scripting (XSS) vulnerabilities in Uebimiau Webmai ...) NOT-FOR-US: Uebimiau CVE-2007-3169 (Buffer overflow in a certain ActiveX control in the EDraw Office Viewe ...) NOT-FOR-US: EDraw Office Viewer Component CVE-2007-3168 (A certain ActiveX control in the EDraw Office Viewer Component (edrawo ...) NOT-FOR-US: EDraw Office Viewer Component CVE-2007-3167 (Stack-based buffer overflow in the Vivotek Motion Jpeg ActiveX control ...) NOT-FOR-US: Vivotek CVE-2007-3166 (Buffer overflow in Qualcomm Eudora 7.1.0.9 allows user-assisted, remot ...) NOT-FOR-US: Qualcomm Eudora CVE-2007-3165 (Tor before 0.1.2.14 can construct circuits in which an entry guard is ...) - tor 0.1.2.14-1 (medium) CVE-2007-3164 (Microsoft Internet Explorer 7, when prompting for HTTP Basic Authentic ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2007-3163 (Incomplete blacklist vulnerability in the filemanager in Frederico Cal ...) - moin 1.5.8-4.1 (unimportant; bug #429205) - knowledgeroot 0.9.8.2-2 (unimportant; bug #429204) - karrigell (unimportant; bug #429207) NOTE: This is only exploitable on NTFS filesystems NOTE: Given the state of Linux' NTFS support it seems highly unlikely NOTE: and given the state of ext3/XFS highly stupid to run a Debian-based NOTE: web server with NTFS CVE-2007-3162 (Buffer overflow in the NotSafe function in the idaiehlp ActiveX contro ...) NOT-FOR-US: Internet Download Accelerator CVE-2007-3161 (Buffer overflow in Ace-FTP Client 1.24a allows user-assisted, remote F ...) NOT-FOR-US: Ace-FTP Client CVE-2007-3160 (PHP remote file inclusion vulnerability in admin/header.php in PHP Rea ...) NOT-FOR-US: PHP Real Estate Classifieds Premium Plus CVE-2007-3159 (http.c in MiniWeb Http Server 0.8.x allows remote attackers to cause a ...) NOT-FOR-US: MiniWeb CVE-2007-3158 (download_script.asp in ASP Folder Gallery allows remote attackers to r ...) NOT-FOR-US: ASP Folder Gallery CVE-2007-3157 (IPSecDrv.sys 10.4.0.12 in SafeNET High Assurance Remote 1.4.0 Build 12 ...) NOT-FOR-US: SafeNET CVE-2007-3156 (Multiple cross-site scripting (XSS) vulnerabilities in pam_login.cgi i ...) - webmin CVE-2007-3155 (Unspecified vulnerability in eGroupWare before 1.2.107-2 has unknown i ...) - egroupware 1.2.107-2.dfsg-1 (bug #429208) CVE-2007-3154 (Unspecified vulnerability in Walter Zorn wz_tooltip.js (aka wz_tooltip ...) NOTE: Apparently a bogus issue; upstream developer of wz_tooltip.js isn't aware NOTE: of any security problem, see #429215, #429209, #429214, #429213 CVE-2007-3153 (The ares_init:randomize_key function in c-ares, on platforms other tha ...) NOT-FOR-US: c-ares CVE-2007-3152 (c-ares before 1.4.0 uses a predictable seed for the random number gene ...) NOT-FOR-US: c-ares CVE-2007-3151 (rpttop.htm in the web management interface in Packeteer PacketShaper 7 ...) NOT-FOR-US: Packeteer PacketShaper CVE-2007-3150 (Google Desktop allows user-assisted remote attackers to execute arbitr ...) NOT-FOR-US: Google Desktop CVE-2007-3149 (sudo, when linked with MIT Kerberos 5 (krb5), does not properly check ...) - sudo (Not linked with krb5) CVE-2007-3148 (Buffer overflow in the Yahoo! Webcam Viewer ActiveX control in ywcvwr. ...) NOT-FOR-US: Yahoo! Webcam Viewer CVE-2007-3147 (Buffer overflow in the Yahoo! Webcam Upload ActiveX control in ywcupl. ...) NOT-FOR-US: Yahoo! Webcam Upload CVE-2007-3146 (Zen Help Desk 2.1 stores sensitive information under the web root with ...) NOT-FOR-US: Zen Help Desk CVE-2007-3145 (Visual truncation vulnerability in Galeon 2.0.1 allows remote attacker ...) - galeon (unimportant; bug #429216) NOTE: Hardly a problem, Galeon's rotting any way and doesn't offer up-to-date NOTE: phishing protections anyway CVE-2007-3144 (Visual truncation vulnerability in Mozilla 1.7.12 allows remote attack ...) NOTE: Minor issue, exact details unknown to upstream CVE-2007-3143 (Visual truncation vulnerability in Konqueror 3.5.5 allows remote attac ...) - kdebase 4:3.5.7-3 (low) [sarge] - kdebase (Minor issue) [etch] - kdebase (Minor issue) NOTE: referring to maintainer this is definetly fixed in 4:3.5.7-3 CVE-2007-3142 (Visual truncation vulnerability in Opera 9.21 allows remote attackers ...) NOT-FOR-US: Opera CVE-2007-3141 (PHP remote file inclusion vulnerability in core/editor.php in phpWebTh ...) NOT-FOR-US: phpWebThings CVE-2007-3140 (SQL injection vulnerability in xmlrpc.php in WordPress 2.2 allows remo ...) - wordpress 2.2.1-1 (bug #428073) [etch] - wordpress (Doesn't affect 2.0.x branch) CVE-2007-3139 (config/general.php in Quick.Cart 2.2 and earlier uses a default userna ...) NOT-FOR-US: Quick.Cart CVE-2007-3138 (Directory traversal vulnerability in index.php in Open Solution Quick. ...) NOT-FOR-US: Quick.Cart CVE-2007-3137 (Multiple cross-site scripting (XSS) vulnerabilities in 4print.asp in W ...) NOT-FOR-US: WmsCMS CVE-2007-3136 (PHP remote file inclusion vulnerability in inc/nuke_include.php in new ...) NOT-FOR-US: newsSync CVE-2007-3135 (Cross-site scripting (XSS) vulnerability in atomPhotoBlog.php in Atom ...) NOT-FOR-US: Atom Photoblog CVE-2007-3134 (Multiple cross-site scripting (XSS) vulnerabilities in atomPhotoBlog.p ...) NOT-FOR-US: Atom PhotoBlog CVE-2007-3133 (SQL injection vulnerability in urunbak.asp in W1L3D4 WEBmarket 0.1 all ...) NOT-FOR-US: W1L3D4 CVE-2007-3132 (Multiple vulnerabilities in Symantec Ghost Solution Suite 2.0.0 and ea ...) NOT-FOR-US: Symantec Ghost CVE-2007-3131 (Cross-site scripting (XSS) vulnerability in add_comment.php in Light B ...) NOT-FOR-US: Light Blog CVE-2007-3130 (Multiple PHP remote file inclusion vulnerabilities in the OpenWiki (fo ...) NOT-FOR-US: OpenWiki CVE-2005-4845 (The Java Plug-in 1.4.2_03 and 1.4.2_04 controls, and the 1.4.2_03 and ...) NOT-FOR-US: Sun Java on Microsoft Windows CVE-2005-4844 (The CLSID_ApprenticeICW control allows remote attackers to cause a den ...) NOT-FOR-US: Microsoft CVE-2005-4843 (The SmartConnect Class control allows remote attackers to cause a deni ...) NOT-FOR-US: Microsoft CVE-2005-4842 (The System Monitor Source Properties control allows remote attackers t ...) NOT-FOR-US: Microsoft CVE-2005-4841 (The Outlook Progress Ctl control allows remote attackers to cause a de ...) NOT-FOR-US: Microsoft CVE-2007-3129 (Cross-site scripting (XSS) vulnerability in login.php in Utopia News P ...) NOT-FOR-US: Utopia News Pro CVE-2007-3128 (SQL injection vulnerability in content.php in WSPortal 1.0, when magic ...) NOT-FOR-US: WSPortal CVE-2007-3127 (content.php in WSPortal 1.0, when magic_quotes_gpc is disabled, allows ...) NOT-FOR-US: WSPortal CVE-2007-3126 (Gimp before 2.8.22 allows context-dependent attackers to cause a denia ...) - gimp 2.8.22-1 (unimportant; bug #885382) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=773233 NOTE: https://git.gnome.org/browse/gimp/commit/?id=46bcd82800e37b0f5aead76184430ef2fe802748 (master) NOTE: https://git.gnome.org/browse/gimp/commit/?id=323ecb73f7bf36788fb7066eb2d6678830cd5de7 (gimp-2-8) CVE-2007-3125 REJECTED CVE-2007-3124 (Buffer overflow in backup/src/vmsbackup.c (aka the backup utility) in ...) NOT-FOR-US: FreeVMS CVE-2007-3123 (unrar.c in libclamav in ClamAV before 0.90.3 and 0.91 before 0.91rc1 a ...) {DSA-1320-1 DTSA-43-1} - clamav 0.90.3-1 CVE-2007-3122 (The parsing engine in ClamAV before 0.90.3 and 0.91 before 0.91rc1 all ...) {DSA-1320-1 DTSA-43-1} - clamav 0.90.3-1 CVE-2007-3121 (Buffer overflow in the CCdecode function in contrib/ntsc-cc.c in the z ...) - zvbi 0.2.25-1 (bug #429221; unimportant) NOTE: Only exploitable through malformed closed captions NOTE: Malicious TV networks have more subtle methods to control people... CVE-2007-3120 (Cross-site scripting (XSS) vulnerability in public/code/cp_dpage.php i ...) NOT-FOR-US: All In One Control Panel (AIOCP) CVE-2007-3119 (SQL injection vulnerability in news.asp in Kartli Alisveris Sistemi (a ...) NOT-FOR-US: Kartli Alisveris Sistemi CVE-2007-3118 (Multiple PHP remote file inclusion vulnerabilities in Kravchuk letter ...) NOT-FOR-US: Kravchuk letter CVE-2007-3117 (Cross-site scripting (XSS) vulnerability in the SEO module in ADPLAN 3 ...) NOT-FOR-US: ADPLAN CVE-2007-3116 (Memory leak in server/MaraDNS.c in MaraDNS 1.2.12.06 and 1.3.05 allows ...) {DSA-1319-1} - maradns 1.2.12.06-1 [sarge] - maradns (1.0.x branch not affected) CVE-2007-3115 (Multiple memory leaks in server/MaraDNS.c in MaraDNS before 1.2.12.06, ...) {DSA-1319-1} - maradns 1.2.12.06-1 [sarge] - maradns (1.0.x branch not affected) CVE-2007-3114 (Memory leak in server/MaraDNS.c in MaraDNS before 1.2.12.05, and 1.3.x ...) {DSA-1319-1} - maradns 1.2.12.05-1 [sarge] - maradns (1.0.x branch not affected) CVE-2007-3113 (Cacti 0.8.6i, and possibly other versions, allows remote authenticated ...) {DSA-1954-1} - cacti 0.8.6j-1.1 (low; bug #429224) [sarge] - cacti (Minor issue, would only be run within authentication) [etch] - cacti (Minor issue, would only be run within authentication) CVE-2007-3112 (graph_image.php in Cacti 0.8.6i, and possibly other versions, allows r ...) {DSA-1954-1} - cacti 0.8.6j-1.1 (low; bug #429224) [sarge] - cacti (Minor issue, would only be run within authentication) [etch] - cacti (Minor issue, would only be run within authentication) CVE-2007-3111 (Buffer overflow in the Provideo Camimage ActiveX control in ISSCamCont ...) NOT-FOR-US: Provideo Camimage CVE-2007-3110 (Cross-site scripting (XSS) vulnerability in the Andy Frank Beatnik 1.0 ...) NOT-FOR-US: Andy Frank Beatnik CVE-2007-3109 (The CERN Image Map Dispatcher (htimage.exe) in Microsoft FrontPage all ...) NOT-FOR-US: Microsoft FrontPage CVE-2007-3108 (The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9. ...) {DSA-1571-1} - openssl 0.9.8e-6 (bug #438142; low) - openssl097 (bug #438180) [sarge] - openssl (Not exploitable in a real-world scenario) [etch] - openssl097 (Not exploitable in a real-world scenario) CVE-2007-3107 (The signal handling in the Linux kernel before 2.6.22, including 2.6.2 ...) - linux-2.6 2.6.22-1 (unimportant) NOTE: Not reproducibly reliably by an attacker, mostly a bug NOTE: This is fixed by 9a08e732533b940d2d31f4e9999dfee5e1ca3914 NOTE: in Linus' tree. CVE-2007-3106 (lib/info.c in libvorbis 1.1.2, and possibly other versions before 1.2. ...) {DSA-1471-1} - libvorbisidec 1.0.2+svn16259-2 (bug #669196) - libvorbis 1.2.0.dfsg-1 (medium) CVE-2007-3105 (Stack-based buffer overflow in the random number generator (RNG) imple ...) {DSA-1504-1 DSA-1363-1} - linux-2.6 2.6.22-4 CVE-2007-3104 (The sysfs_readdir function in the Linux kernel 2.6, as used in Red Hat ...) {DSA-1428-1} - linux-2.6 2.6.22-4 (low) CVE-2007-3103 (The init.d script for the X.Org X11 xfs font server on various Linux d ...) {DSA-1342-1} - xfs 1:1.0.8-2.1 (low) NOTE: i've checked 1.0.8, and this problem is no longer present CVE-2007-3102 (Unspecified vulnerability in the linux_audit_record_event function in ...) - openssh (This is a redhat/fedora specific issue) NOTE: this issue was introduced by a patch of redhat (openssh-4.3p1-audit.patch) NOTE: The patch fixing this (openssh-4.3p2-cve-2007-3102.patch) can be found on: NOTE: http://mirror.linux.duke.edu/pub/fedora/linux/core/updates/6/SRPMS/openssh-4.3p2-25.fc6.src.rpm CVE-2007-3101 (Multiple cross-site scripting (XSS) vulnerabilities in certain JSF app ...) NOT-FOR-US: Apache MyFaces Tomahawk CVE-2007-3100 (usr/log.c in iscsid in open-iscsi (iscsi-initiator-utils) before 2.0-8 ...) {DSA-1314-1} - open-iscsi 2.0.865-1 (low; bug #429225) CVE-2007-3099 (usr/mgmt_ipc.c in iscsid in open-iscsi (iscsi-initiator-utils) before ...) {DSA-1314-1} - open-iscsi 2.0.865-1 (medium; bug #429225) CVE-2007-3098 (The SNMPc Server (crserv.exe) process in Castle Rock Computing SNMPc b ...) NOT-FOR-US: Castle Rock Computing SNMPc CVE-2007-3097 (my.activation.php3 in F5 FirePass 4100 SSL VPN allows remote attackers ...) NOT-FOR-US: F5 Firepass 4100 SSL VPN CVE-2007-3096 (Directory traversal vulnerability in login.php in PBLang (PBL) 4.67.16 ...) NOT-FOR-US: PBLang (PBL) CVE-2007-3095 (Unspecified vulnerability in Symantec Reporting Server 1.0.197.0, and ...) NOT-FOR-US: Symantec Reporting Server CVE-2007-3094 (Unspecified vulnerability in the authentication mechanism in Solaris M ...) NOT-FOR-US: Solaris Management Console CVE-2007-3093 (Unspecified vulnerability in the logging mechanism in Solaris Manageme ...) NOT-FOR-US: Solaris Management Console CVE-2007-3092 (Microsoft Internet Explorer 6 allows remote attackers to spoof the URL ...) NOT-FOR-US: MSIE6 CVE-2007-3091 (Race condition in Microsoft Internet Explorer 6 SP1; 6 and 7 for Windo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2007-3090 REJECTED CVE-2007-3089 (Mozilla Firefox before 2.0.0.5 does not prevent use of document.write ...) {DSA-1339-1 DSA-1338-1 DSA-1337-1 DTSA-45-1 DTSA-47-1 DTSA-51-1} - iceweasel 2.0.0.5-1 (low; bug #427691) - iceape 1.1.3-1 (low) - xulrunner 1.8.1.5-1 (low) NOTE: MFSA2007-20 CVE-2007-3088 (SQL injection vulnerability in index.php in Comicsense allows remote a ...) NOT-FOR-US: Comicsense CVE-2007-3087 (Peercast places a cleartext password in a query string, which might al ...) NOT-FOR-US: PeerCast CVE-2007-3086 (Unrestricted critical resource lock in Agnitum Outpost Firewall PRO 4. ...) NOT-FOR-US: Outpost Firewall PRO CVE-2007-3085 (Multiple PHP remote file inclusion vulnerabilities in PBSite allow rem ...) NOT-FOR-US: PBSite CVE-2007-3084 (PHP remote file inclusion vulnerability in sampleblogger.php in Comdev ...) NOT-FOR-US: Comdev Web Blogger CVE-2007-3083 (Z-Blog 1.7 stores sensitive information under the web root with insuff ...) NOT-FOR-US: Z-Blog CVE-2007-3082 (Directory traversal vulnerability in sendcard.php in Sendcard 3.4.1 an ...) NOT-FOR-US: Sendcard CVE-2007-3081 (PHP remote file inclusion vulnerability in sampleecommerce.php in Comd ...) NOT-FOR-US: Comdev eCommerce CVE-2007-3080 (SQL injection vulnerability in haberoku.asp in Hunkaray Okul Portaly 1 ...) NOT-FOR-US: Hunkaray Okul Portaly CVE-2007-3079 (listmembers.php in EQdkp 1.3.2c and earlier allows remote attackers to ...) NOT-FOR-US: EQdkp CVE-2007-3078 (Multiple cross-site scripting (XSS) vulnerabilities in Aigaion before ...) NOT-FOR-US: Aigaion CVE-2007-3077 (SQL injection vulnerability in listmembers.php in EQdkp 1.3.2 and earl ...) NOT-FOR-US: EQdkp CVE-2007-3076 (A certain ActiveX control in sasatl.dll in Zenturi ProgramChecker allo ...) NOT-FOR-US: Zenturi ProgramChecker CVE-2007-3075 (Directory traversal vulnerability in Microsoft Internet Explorer allow ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2007-3074 (Mozilla Firefox 2.0.0.4 and earlier allows remote attackers to read fi ...) {DSA-1707-1 DSA-1704-1 DSA-1697-1} - iceweasel 2.0.0.4-1 (low) - iceape 1.0.9-1 (low) - xulrunner 1.8.1.4-1 (low) CVE-2007-3073 (Directory traversal vulnerability in Mozilla Firefox 2.0.0.4 and earli ...) NOTE: Duplicate of CVE-2008-4067 CVE-2007-3072 (Directory traversal vulnerability in Mozilla Firefox before 2.0.0.4 on ...) - iceweasel (Only affects Windows versions of Firefox) CVE-2007-3071 (Buffer overflow in the GetWebStoreURL function in a certain ActiveX co ...) NOT-FOR-US: eSellerate CVE-2007-3070 (Cross-site scripting (XSS) vulnerability in index.php in BDigital Web ...) NOT-FOR-US: BDigital Web Solutions WebStudio CVE-2007-3069 (xscreensaver in Sun Solaris 10 before 20070604, when a GNOME session w ...) NOT-FOR-US: Sun Solaris CVE-2007-3068 (Stack-based buffer overflow in DVD X Player 4.1 Professional allows re ...) NOT-FOR-US: DVD X Player CVE-2007-3067 (Cross-site scripting (XSS) vulnerability in the Attunement and Key Tra ...) NOT-FOR-US: EQdkp CVE-2007-3066 (Multiple PHP remote file inclusion vulnerabilities in php(Reactor) 1.2 ...) NOT-FOR-US: IBM DB2 CVE-2007-3065 (SQL injection vulnerability in viewimage.php in Particle Soft Particle ...) NOT-FOR-US: Particle Gallery CVE-2007-3064 (Cross-site scripting (XSS) vulnerability in diary.php in My Databook a ...) NOT-FOR-US: My Datebook CVE-2007-3063 (SQL injection vulnerability in diary.php in My Databook allows remote ...) NOT-FOR-US: My Datebook CVE-2007-3062 (Cross-site scripting (XSS) vulnerability in HP System Management Homep ...) NOT-FOR-US: HP System Management Homepage CVE-2007-3061 (Cactushop 6 and earlier stores sensitive information under the web roo ...) NOT-FOR-US: Cactushop CVE-2007-3060 (Multiple cross-site scripting (XSS) vulnerabilities in PHP Live! 3.2.2 ...) NOT-FOR-US: PHP Live! CVE-2007-3059 (SendCard 3.3.0 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: SendCard CVE-2007-3058 (Multiple PHP remote file inclusion vulnerabilities in Madirish Webmail ...) NOT-FOR-US: Madirish Webmail CVE-2007-3057 (PHP remote file inclusion vulnerability in include/wysiwyg/spaw_contro ...) NOT-FOR-US: XOOPS CVE-2007-3056 (Cross-site scripting (XSS) vulnerability in filedetails.php in WebSVN ...) - websvn 1.61-22.3 (unimportant; bug #439337) NOTE: Websvn does not have cookie based authentication by itself. NOTE: I therefore don't think this is serious enough for a stable update. CVE-2007-3055 (Cross-site scripting (XSS) vulnerability in index.php in Codelib Linke ...) NOT-FOR-US: Codelib Linker CVE-2007-3054 (Cross-site scripting (XSS) vulnerability in search.php in Codelib Link ...) NOT-FOR-US: Codelib Linker CVE-2007-3053 (Session fixation vulnerability in Calimero.CMS 3.3.1232 and earlier al ...) NOT-FOR-US: Calimero CVE-2007-3052 (SQL injection vulnerability in index.php in the PNphpBB2 1.2i and earl ...) NOT-FOR-US: PostNuke CVE-2007-3051 (SQL injection vulnerability in inc/class_users.php in RevokeSoft Revok ...) NOT-FOR-US: RevokeSoft RevokeBB CVE-2007-3050 (Session fixation vulnerability in chameleon cms 3.0 and earlier allows ...) NOT-FOR-US: chameleon cms CVE-2007-3049 (Cross-site scripting (XSS) vulnerability in index.php in Buttercup web ...) NOT-FOR-US: Buttercup BWFM CVE-2007-3048 - screen (not reproducible) CVE-2007-3047 (The Vonage VoIP Telephone Adapter has a default administrator username ...) NOT-FOR-US: Vonage CVE-2007-3046 (Buffer overflow in Advanced Software Production Line Vortex Library be ...) NOT-FOR-US: Advanced Software Production Line Vortex Library CVE-2007-3045 (Unspecified vulnerability in Hitachi TP1/NET/OSI-TP-Extended on HI-UX/ ...) NOT-FOR-US: Hitachi TP1 CVE-2007-3044 (Unspecified vulnerability in the Map I/O Service (xpwmap) in Hitachi X ...) NOT-FOR-US: Hitachi CVE-2007-3043 (Cross-site scripting (XSS) vulnerability in Collaboration - File Shari ...) NOT-FOR-US: Hitachi Collaboration CVE-2007-3042 (Cross-site scripting (XSS) vulnerability in Meneame before 2 allows re ...) NOT-FOR-US: Meneame CVE-2007-3041 (Unspecified vulnerability in the pdwizard.ocx ActiveX object for Inter ...) NOT-FOR-US: Microsoft CVE-2007-3040 (Stack-based buffer overflow in agentdpv.dll 2.0.0.3425 in Microsoft Ag ...) NOT-FOR-US: Windows CVE-2007-3039 (Stack-based buffer overflow in the Microsoft Message Queuing (MSMQ) se ...) NOT-FOR-US: Windows CVE-2007-3038 (The Teredo interface in Microsoft Windows Vista and Vista x64 Edition ...) NOT-FOR-US: Microsoft CVE-2007-3037 (Microsoft Windows Media Player 7.1, 9, 10, and 11 allows remote attack ...) NOT-FOR-US: Microsoft CVE-2007-3036 (Unspecified vulnerability in the (1) Windows Services for UNIX 3.0 and ...) NOT-FOR-US: Windows Services for UNIX CVE-2007-3035 (Unspecified vulnerability in Microsoft Windows Media Player 7.1, 9, 10 ...) NOT-FOR-US: Microsoft CVE-2007-3034 (Integer overflow in the AttemptWrite function in Graphics Rendering En ...) NOT-FOR-US: Microsoft CVE-2007-3033 (Cross-site scripting (XSS) vulnerability in Windows Vista Feed Headlin ...) NOT-FOR-US: Microsoft CVE-2007-3032 (Unspecified vulnerability in Windows Vista Contacts Gadget in Windows ...) NOT-FOR-US: Microsoft CVE-2007-3031 REJECTED CVE-2007-3030 (Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, and 2003 Viewer allows u ...) NOT-FOR-US: Microsoft Excel CVE-2007-3029 (Unspecified vulnerability in Microsoft Excel 2002 SP3 and 2003 SP2 all ...) NOT-FOR-US: Microsoft Excel CVE-2007-3028 (The LDAP service in Windows Active Directory in Microsoft Windows 2000 ...) NOT-FOR-US: Microsoft CVE-2007-3027 (Race condition in Microsoft Internet Explorer 5.01, 6, and 7 allows re ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2007-3026 (Integer overflow in Panda Software AdminSecure allows remote attackers ...) NOT-FOR-US: Panda CVE-2007-3025 (Unspecified vulnerability in libclamav/phishcheck.c in ClamAV before 0 ...) - clamav (Solaris-specific bug) CVE-2007-3024 (libclamav/others.c in ClamAV before 0.90.3 and 0.91 before 0.91rc1 use ...) {DSA-1320-1 DTSA-43-1} - clamav 0.90.3-1 CVE-2007-3023 (unsp.c in ClamAV before 0.90.3 and 0.91 before 0.91rc1 does not proper ...) {DSA-1320-1 DTSA-43-1} - clamav 0.90.3-1 CVE-2007-3022 (Symantec Reporting Server 1.0.197.0, and other versions before 1.0.224 ...) NOT-FOR-US: Symantec CVE-2007-3021 (Symantec Reporting Server 1.0.197.0, and other versions before 1.0.224 ...) NOT-FOR-US: Symantec CVE-2007-3020 RESERVED CVE-2007-3019 RESERVED CVE-2007-3018 (activeWeb contentserver CMS before 5.6.2964 does not limit the file-cr ...) NOT-FOR-US: activeWeb contentserver CMS CVE-2007-3017 (The WYSIWYG editor applet in activeWeb contentserver CMS before 5.6.29 ...) NOT-FOR-US: activeWeb contentserver CMS CVE-2007-3016 RESERVED CVE-2007-3015 RESERVED CVE-2007-3014 (Multiple cross-site scripting (XSS) vulnerabilities in activeWeb conte ...) NOT-FOR-US: activeWeb contentserver CMS CVE-2007-3013 (SQL injection vulnerability in activeWeb contentserver before 5.6.2964 ...) NOT-FOR-US: activeWeb contentserver CMS CVE-2007-3012 (The web interface in Fujitsu-Siemens Computers PRIMERGY BX300 Switch B ...) NOT-FOR-US: Fujitsu-Siemens CVE-2007-3011 (The DBAsciiAccess CGI Script in the web interface in Fujitsu-Siemens C ...) NOT-FOR-US: Fujitsu-Siemens CVE-2007-3010 (masterCGI in the Unified Maintenance Tool in Alcatel OmniPCX Enterpris ...) NOT-FOR-US: Alcatel OmniPCX Enterprise Communication Server CVE-2007-3009 (Format string vulnerability in the MprLogToFile::logEvent function in ...) NOT-FOR-US: Mbedthis AppWeb CVE-2007-3008 (Mbedthis AppWeb before 2.2.2 enables the HTTP TRACE method, which has ...) NOT-FOR-US: Mbedthis AppWeb CVE-2007-3007 (PHP 5 before 5.2.3 does not enforce the open_basedir or safe_mode rest ...) - php5 5.2.3-1 (unimportant) CVE-2007-3006 (Buffer overflow in Acoustica MP3 CD Burner 4.32 allows user-assisted r ...) NOT-FOR-US: Acoustica MP3 CD Burner CVE-2007-3005 REJECTED CVE-2007-3004 REJECTED CVE-2007-3003 (Multiple SQL injection vulnerabilities in myBloggie 2.1.6 and earlier ...) NOT-FOR-US: myBloggie CVE-2007-3002 (PHP JackKnife (PHPJK) allows remote attackers to obtain sensitive info ...) NOT-FOR-US: PHP JackKnife CVE-2007-3001 (Multiple cross-site scripting (XSS) vulnerabilities in PHP JackKnife ( ...) NOT-FOR-US: PHP JackKnife CVE-2007-3000 (Multiple SQL injection vulnerabilities in PHP JackKnife (PHPJK) allow ...) NOT-FOR-US: PHP JackKnife CVE-2007-2999 (Microsoft Windows Server 2003, when time restrictions are in effect fo ...) NOT-FOR-US: Microsoft CVE-2007-2998 (The Pascal run-time library (PAS$RTL.EXE) before 20070418 on OpenVMS f ...) NOT-FOR-US: OpenVMS CVE-2007-2997 NOT-FOR-US: SalesCart Shopping Cart CVE-2007-2996 (Unspecified vulnerability in perl.rte 5.8.0.10 through 5.8.0.95 on IBM ...) NOT-FOR-US: IBM AIX CVE-2007-2995 (Unspecified vulnerability in sysmgt.websm.rte in IBM AIX 5.2.0 and 5.3 ...) NOT-FOR-US: IBM AIX CVE-2007-2994 (SQL injection vulnerability in news.php in DGNews 2.1 allows remote at ...) NOT-FOR-US: DGNews CVE-2007-2993 (Multiple cross-site scripting (XSS) vulnerabilities in OmegaMw7.asp in ...) NOT-FOR-US: OMEGA INterneSErvicesLosungen (INSEL) CVE-2007-2992 (Multiple SQL injection vulnerabilities in OmegaMw7.asp in OMEGA (aka O ...) NOT-FOR-US: OMEGA INterneSErvicesLosungen (INSEL) CVE-2007-2991 (Cross-site scripting (XSS) vulnerability in includes/send.inc.php in E ...) NOT-FOR-US: Evenzia CMS CVE-2007-2990 (Unspecified vulnerability in inetd in Sun Solaris 10 before 20070529 a ...) NOT-FOR-US: Sun Solaris CVE-2007-2989 (The libike library in Sun Solaris 9 before 20070529 contains a logic e ...) NOT-FOR-US: Sun Solaris CVE-2007-2988 (A certain admin script in Inout Meta Search Engine sends a redirect to ...) NOT-FOR-US: Inout Meta Search Engine CVE-2007-2987 (Multiple buffer overflows in certain ActiveX controls in sasatl.dll in ...) NOT-FOR-US: Zenturi ProgramChecker CVE-2007-2986 (PHP remote file inclusion vulnerability in lib/live_status.lib.php in ...) NOT-FOR-US: AdminBot CVE-2007-2985 (Pheap 2.0 allows remote attackers to bypass authentication by setting ...) NOT-FOR-US: Pheap CVE-2007-2984 (Multiple stack-based buffer overflows in the Media Technology Group CD ...) NOT-FOR-US: Media Technology Group CDPass CVE-2007-2982 (Multiple buffer overflows in the British Telecommunications Business C ...) NOT-FOR-US: British Telecommunications Business Connect CVE-2007-2981 (Buffer overflow in a certain ActiveX control in LEAD Technologies LEAD ...) NOT-FOR-US: LeadTools CVE-2007-2980 (Heap-based buffer overflow in a certain ActiveX control in LEADTOOLS L ...) NOT-FOR-US: LeadTools CVE-2007-2979 (Techno Dreams Web Directory / Search Engine 2.0 stores sensitive infor ...) NOT-FOR-US: Techno Dreams Web Directory / Search Engine CVE-2007-2978 (Session fixation vulnerability in eggblog 3.1.0 and earlier allows rem ...) NOT-FOR-US: eggblog CVE-2007-2977 (Buffer overflow in the receive function in submit/submitcommon.c in th ...) NOT-FOR-US: DOMjudge CVE-2007-2976 (Centrinity FirstClass 8.3 and earlier, and Server and Internet Service ...) NOT-FOR-US: Centrinity CVE-2007-2975 (The admin console in Ignite Realtime Openfire 3.3.0 and earlier (forme ...) NOT-FOR-US: Ignite Realtime CVE-2007-2974 (Buffer overflow in the file parsing engine in Avira Antivir Antivirus ...) NOT-FOR-US: Avira Antivirus CVE-2007-2973 (Avira Antivir Antivirus before 7.03.00.09 allows remote attackers to c ...) NOT-FOR-US: Avira Antivirus CVE-2007-2972 (The file parsing engine in Avira Antivir Antivirus before 7.04.00.24 a ...) NOT-FOR-US: Avira Antivirus CVE-2007-2971 (SQL injection vulnerability in getnewsitem.php in gCards 1.46 and earl ...) NOT-FOR-US: gCards CVE-2007-2970 (Multiple cross-site scripting (XSS) vulnerabilities in cgi/block.cgi i ...) NOT-FOR-US: 8e6 R3000 Internet Filter CVE-2007-2969 (PHP remote file inclusion vulnerability in newsletter.php in WAnewslet ...) NOT-FOR-US: WAnewsletter CVE-2007-2968 (Cross-site scripting (XSS) vulnerability in register.php in cpCommerce ...) NOT-FOR-US: cpCommerce CVE-2005-4840 (The Outlook Express Address Book control, when using Internet Explorer ...) NOT-FOR-US: Microsoft CVE-2000-1243 (Privacy leak in Dansie Shopping Cart 3.04, and probably earlier versio ...) NOT-FOR-US: Dansie Shopping Cart CVE-2007-XXXX [webpy HTTP response splitting vulnerability] - webpy 0.210-1 (bug #427715; unimportant) NOTE: This is not a vulnerability, but an additional precaution function for NOTE: a development framework. If someone wants to have this updated in Etch, this NOTE: needs to go through a point update CVE-2006-XXXX [Owl Intranet Engine multiple cross-site scripting, SQL-injection] - owl-dms 0.94-1 (medium; bug #416296) CVE-2007-2967 (Multiple F-Secure anti-virus products for Microsoft Windows and Linux ...) NOT-FOR-US: F-Secure CVE-2007-2966 (Buffer overflow in the LHA decompression component in F-Secure anti-vi ...) NOT-FOR-US: F-Secure CVE-2007-2965 (Unspecified vulnerability in the Real-time Scanning component in multi ...) NOT-FOR-US: F-Secure CVE-2007-2964 (The fsmsh.dll host module in F-Secure Policy Manager Server 7.00 and e ...) NOT-FOR-US: F-Secure CVE-2007-2963 (Multiple cross-site scripting (XSS) vulnerabilities in Invision Power ...) NOT-FOR-US: Invision Power Board CVE-2007-2962 (Cross-site scripting (XSS) vulnerability in search.php in Particle Gal ...) NOT-FOR-US: Particle Gallery CVE-2007-2961 (Unrestricted file upload vulnerability in FileCloset before 1.1.5 allo ...) NOT-FOR-US: FileCloset CVE-2007-2960 (Multiple directory traversal vulnerabilities in Scallywag 2005-04-25 a ...) NOT-FOR-US: Scallywag CVE-2007-2959 (SQL injection vulnerability in manufacturer.php in cpCommerce before 1 ...) NOT-FOR-US: cpCommerce CVE-2007-2958 (Format string vulnerability in the inc_put_error function in src/inc.c ...) - sylpheed-claws 1.0.5-5.2 (low; bug #441854) [etch] - sylpheed-claws (Minor issue) [sarge] - sylpheed-claws (Minor issue) - sylpheed 2.4.5-1 (low) [etch] - sylpheed (Minor issue) [sarge] - sylpheed (Minor issue) NOTE: the cvs referenced in redhat bugzilla is not available anymore however NOTE: http://www.colino.net/claws-mail/getpatchset.php3?ver=2.10.0cvs153 fixes the bug CVE-2007-2957 (Integer overflow in McAfee E-Business Server before 8.5.3 for Solaris, ...) NOT-FOR-US: McAfee on Solaris CVE-2007-2956 (Stack-based buffer overflow in the readRadianceHeader function in (1) ...) NOT-FOR-US: Qtpfsgui and pfstools CVE-2007-2955 (Multiple unspecified "input validation error" vulnerabilities in multi ...) NOT-FOR-US: Norton Antivirus/Internet Security/System Works CVE-2007-2954 (Multiple stack-based buffer overflows in the Spooler service (nwspool. ...) NOT-FOR-US: Novell Client CVE-2007-2953 (Format string vulnerability in the helptags_one function in src/ex_cmd ...) {DSA-1364-2 DSA-1364-1} - vim 1:7.1-056+1 (low) CVE-2007-2952 (Multiple stack-based buffer overflows in the filter service (aka k9fil ...) NOT-FOR-US: Blue Coat K9 Web Protection CVE-2007-2951 (The parseIrcUrl function in src/kvirc/kernel/kvi_ircurl.cpp in KVIrc 3 ...) - kvirc 2:3.2.4-5 (bug #434419; medium) CVE-2007-2950 (Centennial Discovery 2006 Feature Pack 1, which is used by (1) Numara ...) NOT-FOR-US: Centennial CVE-2007-2949 (Integer overflow in the seek_to_and_unpack_pixeldata function in the p ...) {DSA-1335-1} - gimp 2.2.16-1 (medium) - ingimp 2.2.16.20070710-1 NOTE: http://secunia.com/secunia_research/2007-63/advisory CVE-2007-2948 (Multiple stack-based buffer overflows in stream/stream_cddb.c in MPlay ...) {DSA-1313-1} - mplayer 1.0~rc1-14 CVE-2007-2947 (Multiple PHP remote file inclusion vulnerabilities in OpenBASE Alpha 0 ...) NOT-FOR-US: OpenBASE Alpha CVE-2007-2946 (Buffer overflow in a certain ActiveX control in LeadTools Raster Dialo ...) NOT-FOR-US: LeadTools Raster Dialog File_D Object (LTRDFD14e.DLL) CVE-2007-2945 (RMForum stores sensitive information under the web root with insuffici ...) NOT-FOR-US: RMForum CVE-2007-2944 (WabCMS 1.0 stores sensitive information under the web root with insuff ...) NOT-FOR-US: WabCMS CVE-2007-2943 (PHP remote file inclusion vulnerability in class/class.php in Webavis ...) NOT-FOR-US: Webavis CVE-2007-2942 (SQL injection vulnerability in user.php in My Little Forum 1.7 and ear ...) NOT-FOR-US: My Little Forum CVE-2007-2941 (Multiple PHP remote file inclusion vulnerabilities in the creator in v ...) NOT-FOR-US: vBulletin Google Yahoo Site Map CVE-2007-2940 (Multiple PHP remote file inclusion vulnerabilities in FlaP 1.0b (1.0 B ...) NOT-FOR-US: FlaP CVE-2007-2939 (Multiple PHP remote file inclusion vulnerabilities in Mazen's PHP Chat ...) NOT-FOR-US: Mazen's PHP Chat CVE-2007-2938 (Buffer overflow in the BaseRunner ActiveX control in the Ademco ATNBas ...) NOT-FOR-US: BaseRunner ActiveX control in the Ademco ATNBaseLoader100 Module CVE-2007-2937 (PHP remote file inclusion vulnerability in admin/admin.php in TROforum ...) NOT-FOR-US: TROforum CVE-2007-2936 (Multiple PHP remote file inclusion vulnerabilities in Frequency Clock ...) NOT-FOR-US: Frequency Clock CVE-2007-2935 (core/spellcheck/spellcheck.php in Fundanemt before 2.2.0.1 allows remo ...) NOT-FOR-US: Fundanemt CVE-2007-2934 (Directory traversal vulnerability in skins/common.css.php in Vistered ...) NOT-FOR-US: Vistered Little CVE-2007-2933 (SQL injection vulnerability in index.php in the Phil-a-Form (com_phila ...) NOT-FOR-US: Phil-a-Form CVE-2007-2932 (Cross-site scripting (XSS) vulnerability in index.php in BoastMachine ...) NOT-FOR-US: BoastMachine CVE-2007-2931 (Heap-based buffer overflow in Microsoft MSN Messenger 6.2, 7.0, and 7. ...) NOT-FOR-US: MSN Messenger CVE-2007-2930 (The (1) NSID_SHUFFLE_ONLY and (2) NSID_USE_POOL PRNG algorithms in ISC ...) - bind (bug #442910) [etch] - bind (It's documented in README.Debian that Bind 8 has architectual limitations and should not be used unless you know what you're doing) [sarge] - bind (It's documented in README.Debian that Bind 8 has architectual limitations and should not be used unless you know what you're doing) CVE-2007-2929 (The IBM Lenovo Access Support acpRunner ActiveX control, as distribute ...) NOT-FOR-US: IBM Lenovo Access Support CVE-2007-2928 (Format string vulnerability in the IBM Lenovo Access Support acpRunner ...) NOT-FOR-US: IBM Lenovo Access Support CVE-2007-2927 (Unspecified vulnerability in Atheros 802.11 a/b/g wireless adapter dri ...) NOT-FOR-US: Windows Atheros drivers CVE-2007-2926 (ISC BIND 9 through 9.5.0a5 uses a weak random number generator during ...) {DSA-1341-2} - bind9 1:9.4.1-P1-1 CVE-2007-2925 (The default access control lists (ACL) in ISC BIND 9.4.0, 9.4.1, and 9 ...) - bind9 1:9.4.1-P1-1 (medium) [etch] - bind9 (Only 9.4.x and 9.5.x are affected) [sarge] - bind9 (Only 9.4.x and 9.5.x are affected) CVE-2007-2924 (Multiple buffer overflows in RealNetworks GameHouse dldisplay ActiveX ...) NOT-FOR-US: RealNetworks GameHouse CVE-2007-2923 (The launch method in the LocalExec ActiveX control (LocalExec.ocx) in ...) NOT-FOR-US: LocalExec ActiveX control CVE-2007-2922 RESERVED CVE-2007-2921 (Multiple buffer overflows in acgm.dll in the Corel / Micrografx Active ...) NOT-FOR-US: Corel CVE-2007-2920 (Multiple stack-based buffer overflows in the Zoomify Viewer ActiveX co ...) NOT-FOR-US: Zoomify Viewer CVE-2007-2919 (Multiple stack-based buffer overflows in the FViewerLoading ActiveX co ...) NOT-FOR-US: FViewerLoading CVE-2007-2918 (Multiple stack-based buffer overflows in ActiveX controls (1) VibeC in ...) NOT-FOR-US: Logitech CVE-2007-2917 (Multiple buffer overflows in a certain ActiveX control in odapi.dll in ...) NOT-FOR-US: Authentium CVE-2007-2916 (Cross-site scripting (XSS) vulnerability in showown.php in GMTT Music ...) NOT-FOR-US: GMTT Music Distro CVE-2007-2915 (Cross-site scripting (XSS) vulnerability in RM EasyMail Plus allows re ...) NOT-FOR-US: RM EasyMail Plus CVE-2007-2914 (Multiple cross-site scripting (XSS) vulnerabilities in PsychoStats 3.0 ...) NOT-FOR-US: PsychoStats CVE-2007-2913 (Cross-site scripting (XSS) vulnerability in index.php in ClonusWiki .5 ...) NOT-FOR-US: ClonusWiki CVE-2007-2912 (Unspecified vulnerability in Jelsoft vBulletin before 3.6.6, when unau ...) NOT-FOR-US: Jelsoft vBulletin CVE-2007-2911 (SQL injection vulnerability in admincp/attachment.php in Jelsoft vBull ...) NOT-FOR-US: Jelsoft vBulletin CVE-2007-2910 (Cross-site scripting (XSS) vulnerability in Jelsoft vBulletin before 3 ...) NOT-FOR-US: Jelsoft vBulletin CVE-2007-2909 (Cross-site scripting (XSS) vulnerability in calendar.php in Jelsoft vB ...) NOT-FOR-US: Jelsoft vBulletin CVE-2007-2908 (Cross-site scripting (XSS) vulnerability in calendar.php in Jelsoft vB ...) NOT-FOR-US: vBulletin CVE-2007-2907 (Unspecified vulnerability in SSL-Explorer before 0.2.13 allows remote ...) NOT-FOR-US: SSL-Explorer CVE-2007-2906 (Java Embedding Plugin 0.9.6.1 allows remote attackers to cause a denia ...) NOT-FOR-US: Java Embedding Plugin for Mac OS X CVE-2007-2905 (SQL injection vulnerability in includes/rating.php in 2z Project 0.9.5 ...) NOT-FOR-US: 2z Project CVE-2007-2904 (Cross-site scripting (XSS) vulnerability in Sun Java System Messaging ...) NOT-FOR-US: Sun Java System Messaging Server CVE-2007-2903 (Buffer overflow in the HelpPopup method in the Microsoft Office 2000 C ...) NOT-FOR-US: Microsoft Office ActiveX control CVE-2007-2902 (SQL injection vulnerability in main/auth/my_progress.php in Dokeos 1.8 ...) NOT-FOR-US: Dokeos CVE-2007-2901 (Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.0 an ...) NOT-FOR-US: Dokeos CVE-2007-2900 (Multiple PHP remote file inclusion vulnerabilities in Scallywag 2005-0 ...) NOT-FOR-US: Scallywag CVE-2007-2899 (Direct static code injection vulnerability in admin_config.php in NavB ...) NOT-FOR-US: Navboard CVE-2007-2898 (SQL injection vulnerability in includes/rating.php in 2z Project 0.9.5 ...) NOT-FOR-US: 2z Project CVE-2007-2897 (Microsoft Internet Information Services (IIS) 6.0 allows remote attack ...) NOT-FOR-US: Microsoft IIS CVE-2007-2896 (Race condition in the Symantec Enterprise Security Manager (ESM) 6.5.3 ...) NOT-FOR-US: Symantec CVE-2007-2895 (Buffer overflow in a certain ActiveX control in LTRDF14e.DLL 14.5.0.44 ...) NOT-FOR-US: LeadTools Raster Dialog File_D Object (LTRDFD14e.DLL) CVE-2007-2894 (The emulated floppy disk controller in Bochs 2.3 allows local users of ...) - bochs (unimportant) CVE-2007-2893 (Heap-based buffer overflow in the bx_ne2k_c::rx_frame function in iode ...) {DSA-1351-1} - bochs 2.3+20070705-1 (low; bug #427144) NOTE: kvm/qemu are tracked as CVE-2007-5729 and CVE-2007-5730 CVE-2007-2892 (Cross-site scripting (XSS) vulnerability in news.asp in ASP-Nuke 2.0.7 ...) NOT-FOR-US: ASP-Nuke CVE-2007-2891 (Multiple PHP remote file inclusion vulnerabilities in FirmWorX 0.1.2 a ...) NOT-FOR-US: FirmWorX CVE-2007-2890 (SQL injection vulnerability in category.php in cpCommerce 1.1.0 and ea ...) NOT-FOR-US: cpCommerce CVE-2007-2889 (SQL injection vulnerability in tracking/courseLog.php in Dokeos 1.6.5 ...) NOT-FOR-US: Dokeos CVE-2007-2888 (Stack-based buffer overflow in UltraISO 8.6.2.2011 and earlier allows ...) NOT-FOR-US: UltraISO CVE-2007-2887 (Cross-site scripting (XSS) vulnerability in index.php in Web Icerik Yo ...) NOT-FOR-US: WIYS CVE-2007-2886 (Unspecified vulnerability in the Nortel CS 1000 M media card in Enterp ...) NOT-FOR-US: Nortel CVE-2007-2885 (The NotSafe function in the MSVDTDatabaseDesigner7 ActiveX control in ...) NOT-FOR-US: Microsoft Visual Database Tools CVE-2007-2884 (Multiple stack-based buffer overflows in Microsoft Visual Basic 6 allo ...) NOT-FOR-US: Microsoft Visual Basic CVE-2007-2883 (Credant Mobile Guardian Shield for Windows 5.2.1.105 and earlier store ...) NOT-FOR-US: Credant CVE-2007-2882 (Unspecified vulnerability in the NFS client module in Sun Solaris 8 th ...) NOT-FOR-US: Sun Solaris CVE-2007-2881 (Multiple stack-based buffer overflows in the SOCKS proxy support (sock ...) NOT-FOR-US: Sun Java Web Proxy Server CVE-2007-2880 (Multiple cross-site scripting (XSS) vulnerabilities in Digirez 3.4 all ...) NOT-FOR-US: Digirez CVE-2007-2879 (Cross-site scripting (XSS) vulnerability in mods.php in GTP GNUTurk Po ...) NOT-FOR-US: GNUTurk CVE-2007-2878 (The VFAT compat ioctls in the Linux kernel before 2.6.21.2, when run o ...) {DSA-1479-1} - linux-2.6 2.6.21-3 CVE-2007-2877 (Buffer overflow in tcl/win/tclWinReg.c in Tcl (Tcl/Tk) before 8.5a6 al ...) NOTE: Not a security issue; Windows-only anyway. CVE-2007-2876 (The sctp_new function in (1) ip_conntrack_proto_sctp.c and (2) nf_conn ...) {DSA-1356-1} - linux-2.6 2.6.21-5 (medium) CVE-2007-2875 (Integer underflow in the cpuset_tasks_read function in the Linux kerne ...) {DSA-1363-1} - linux-2.6 2.6.21-5 (medium) CVE-2007-2874 (Buffer overflow in the wpa_printf function in the debugging code in wp ...) - wpasupplicant (Fedora-only issue) CVE-2007-2873 (SpamAssassin 3.1.x, 3.2.0, and 3.2.1 before 20070611, when running as ...) - spamassassin 3.2.1-1 (low) [sarge] - spamassassin (Only obscure setups affected, only locally exploitable) [etch] - spamassassin 3.1.7-2etch1 NOTE: Minor issue fixed in etch r6 point update NOTE: Only obscure setups affected, only locally exploitable CVE-2007-2872 (Multiple integer overflows in the chunk_split function in PHP 5 before ...) - php5 5.2.3-1 (unimportant) NOTE: Only triggerable by malicious script NOTE: Fix from 5.2.3 was ineffective CVE-2007-2871 (Mozilla Firefox 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, and SeaM ...) {DSA-1308-1 DSA-1306-1 DSA-1300-1 DTSA-45-1 DTSA-47-1 DTSA-51-1} NOTE: MFSA2007-17 - iceweasel 2.0.0.4-1 (low) - iceape 1.1.2-1 (low) [sarge] - mozilla (Mozilla products from Sarge no longer supported) - xulrunner 1.8.1.4-1 (low) CVE-2007-2870 (Mozilla Firefox 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, and SeaM ...) {DSA-1308-1 DSA-1306-1 DSA-1300-1 DTSA-45-1 DTSA-47-1 DTSA-51-1} NOTE: MFSA2007-16 - iceweasel 2.0.0.4-1 (medium) - iceape 1.1.2-1 (medium) [sarge] - mozilla (Mozilla products from Sarge no longer supported) - xulrunner 1.8.1.4-1 (medium) CVE-2007-2869 (The form autocomplete feature in Mozilla Firefox 1.5.x before 1.5.0.12 ...) {DSA-1308-1 DSA-1306-1 DTSA-45-1 DTSA-51-1} NOTE: MFSA2007-13 - iceweasel 2.0.0.4-1 - iceape 1.1.2-1 - mozilla - xulrunner 1.8.1.4-1 CVE-2007-2868 (Multiple vulnerabilities in the JavaScript engine for Mozilla Firefox ...) {DSA-1308-1 DSA-1306-1 DSA-1305-1 DSA-1300-1 DTSA-45-1 DTSA-46-1 DTSA-47-1 DTSA-51-1} NOTE: MFSA2007-12 - iceweasel 2.0.0.4-1 (high) - iceape 1.1.2-1 (high) [sarge] - mozilla (Mozilla products from Sarge no longer supported) - icedove 2.0.0.4-1 (low) - xulrunner 1.8.1.4-1 (high) [sarge] - mozilla-thunderbird (Mozilla products from Sarge no longer supported) CVE-2007-2867 (Multiple vulnerabilities in the layout engine for Mozilla Firefox 1.5. ...) {DSA-1308-1 DSA-1306-1 DSA-1305-1 DSA-1300-1 DTSA-45-1 DTSA-46-1 DTSA-47-1 DTSA-51-1} NOTE: MFSA2007-12 - iceweasel 2.0.0.4-1 (high) - iceape 1.1.2-1 (high) [sarge] - mozilla (Mozilla products from Sarge no longer supported) - icedove 2.0.0.4-1 (low) - xulrunner 1.8.1.4-1 (high) [sarge] - mozilla-thunderbird (Mozilla products from Sarge no longer supported) CVE-2007-2866 (Multiple SQL injection vulnerabilities in modules/admin/modules/galler ...) NOT-FOR-US: PHPEcho CMS CVE-2007-2865 (Cross-site scripting (XSS) vulnerability in sqledit.php in phpPgAdmin ...) {DSA-1693-1} - phppgadmin 4.1.2-1 (low; bug #427151) [sarge] - phppgadmin (Vulnerable code not present) NOTE: http://phppgadmin.cvs.sourceforge.net/phppgadmin/webdb/classes/Misc.php?r1=1.156&r2=1.157&pathrev=MAIN CVE-2007-2864 (Stack-based buffer overflow in the Anti-Virus engine before content up ...) NOT-FOR-US: CA Anti-Virus CVE-2007-2863 (Stack-based buffer overflow in the Anti-Virus engine before content up ...) NOT-FOR-US: CA Anti-Virus CVE-2007-2862 (Multiple SQL injection vulnerabilities in CubeCart 3.0.16 might allow ...) NOT-FOR-US: CubeCart CVE-2007-2861 (Multiple PHP remote file inclusion vulnerabilities in Simple Accessibl ...) NOT-FOR-US: SAXON CVE-2007-2860 (user.php in BoastMachine 3.0 platinum allows remote authenticated user ...) NOT-FOR-US: BoastMachine CVE-2007-2859 (Multiple PHP remote file inclusion vulnerabilities in SimpGB 1.46.0 al ...) NOT-FOR-US: SimpGB CVE-2007-2858 (SQL injection vulnerability in the IP-Search functionality in the IP-T ...) NOT-FOR-US: IP-Tracking Mod for phpBB CVE-2007-2857 (PHP remote file inclusion vulnerability in sample/xls2mysql in ABC Exc ...) NOT-FOR-US: ABC Excel Parser Pro CVE-2007-2856 (Buffer overflow in the Dart Communications PowerTCP ZIP Compression Ac ...) NOT-FOR-US: Dart Communications PowerTCP CVE-2007-2855 (Buffer overflow in a certain ActiveX control in DartZipLite.dll 1.8.5. ...) NOT-FOR-US: Dart ZipLite CVE-2007-2854 (Multiple SQL injection vulnerabilities in account_change.php in BtiTra ...) NOT-FOR-US: BtiTracker CVE-2007-2853 (The VCDAPILibApi ActiveX control in vc9api.DLL 9.0.0.57 in Virtual CD ...) NOT-FOR-US: Virtual CD CVE-2007-2852 (Multiple stack-based buffer overflows in ESET NOD32 Antivirus before 2 ...) NOT-FOR-US: ESET NOD32 Antivirus CVE-2007-2851 (A certain ActiveX control in LeadTools Raster Variant Object Library ( ...) NOT-FOR-US: LeadTools CVE-2007-2850 (The Session Reliability Service (XTE) in Citrix MetaFrame Presentation ...) NOT-FOR-US: Citrix CVE-2007-2849 (KnowledgeTree Document Management (aka KnowledgeTree Open Source) befo ...) - knowledgetree (bug #432123) CVE-2007-2848 (Stack-based buffer overflow in the SetPath function in the shComboBox ...) NOT-FOR-US: Sky Software CVE-2007-2847 (Multiple cross-site scripting (XSS) vulnerabilities in hlstats.php in ...) NOT-FOR-US: HLstats CVE-2007-2846 (Heap-based buffer overflow in the SIS unpacker in avast! Anti-Virus Ma ...) NOT-FOR-US: Avast CVE-2007-2845 (Heap-based buffer overflow in the CAB unpacker in avast! Anti-Virus Ma ...) NOT-FOR-US: Avast CVE-2007-2844 (PHP 4.x and 5.x before 5.2.1, when running on multi-threaded systems, ...) - php5 (Multi-threaded operation not supported in Debian) - php4 (Multi-threaded operation not supported in Debian) CVE-2007-2843 (Cross-domain vulnerability in Apple Safari 2.0.4 allows remote attacke ...) NOT-FOR-US: Apple Safari NOTE: Does not seem to work with Konqueror. CVE-2007-2842 RESERVED CVE-2007-2841 REJECTED CVE-2007-2840 RESERVED CVE-2007-2839 (gfax 0.4.2 and probably other versions creates temporary files insecur ...) {DSA-1329-1} - gfax 0.6 (bug #431893; low) NOTE: Vulnerable code no longer present since 0.6, so marking this as fixed version CVE-2007-2838 (The populate_conns function in src/populate_conns.c in GSAMBAD 0.1.4 a ...) {DSA-1327-1} - gsambad 0.1.6-2 (bug #431331) CVE-2007-2837 (The (1) getRule and (2) getChains functions in server/rules.cpp in fir ...) {DSA-1326-1} - fireflier 1.1.7 CVE-2007-2836 (Directory traversal vulnerability in session.rb in Hiki 0.8.0 through ...) {DSA-1324-1} - hiki 0.8.7-1 (bug #430691; medium) [sarge] - hiki (Vulnerable code not present) CVE-2007-2835 (Multiple stack-based buffer overflows in (1) CCE_pinyin.c and (2) xl_p ...) {DSA-1328-1} - unicon 3.0.4-12 (bug #431336) CVE-2007-2834 (Integer overflow in the TIFF parser in OpenOffice.org (OOo) before 2.3 ...) {DSA-1375-1} - openoffice.org 2.2.1-9 (medium) [sarge] - openoffice.org 1.1.3-9sarge8 CVE-2007-2833 (Emacs 21 allows user-assisted attackers to cause a denial of service ( ...) {DSA-1316-1} - emacs21 21.4a+1-5.1 (bug #408929; low) - emacs-snapshot NOTE: The bug is not present in emacs22 22.2+1-1. It was probably NOTE: fixed before the first emacs22 upload. CVE-2007-2832 (Cross-site scripting (XSS) vulnerability in the web application firewa ...) NOT-FOR-US: Cisco CVE-2007-2831 (Array index error in the (1) ieee80211_ioctl_getwmmparams and (2) ieee ...) - madwifi 1:0.9.3-2 (high; bug #425738) [etch] - madwifi 1:0.9.2+r1842.20061207-2etch1 CVE-2007-2830 (The ath_beacon_config function in if_ath.c in MadWifi before 0.9.3.1 a ...) - madwifi 1:0.9.3-2 (medium; bug #425738) [etch] - madwifi 1:0.9.2+r1842.20061207-2etch1 CVE-2007-2829 (The 802.11 network stack in net80211/ieee80211_input.c in MadWifi befo ...) - madwifi 1:0.9.3-2 (medium; bug #425738) [etch] - madwifi 1:0.9.2+r1842.20061207-2etch1 CVE-2007-2828 (Cross-site request forgery (CSRF) vulnerability in adsense-deluxe.php ...) NOT-FOR-US: AdSense-Deluxe CVE-2007-2827 (Heap-based buffer overflow in LEAD Technologies LEADTOOLS ISIS ActiveX ...) NOT-FOR-US: LeadTools CVE-2007-2826 (PHP remote file inclusion vulnerability in lib/addressbook.php in Madi ...) NOT-FOR-US: Madirish Webmail CVE-2007-2825 (Multiple cross-site scripting (XSS) vulnerabilities in ReadMsg.php in ...) NOT-FOR-US: @Mail CVE-2007-2824 (SQL injection vulnerability in paypal.php in AlstraSoft E-Friends 4.21 ...) NOT-FOR-US: AlstraSoft E-Friends CVE-2007-2823 (Multiple buffer overflows in HT Editor before 2.0.6 might allow remote ...) NOT-FOR-US: HT Editor CVE-2007-2822 (TutorialCMS 1.01 and earlier, when register_globals is enabled, allows ...) NOT-FOR-US: TutorialCMS CVE-2007-2821 (SQL injection vulnerability in wp-admin/admin-ajax.php in WordPress be ...) {DSA-1502-1} - wordpress 2.2-1 (high) NOTE: seems present in etch even though admin-ajax.php was not shipped yet CVE-2007-2820 (Multiple stack-based buffer overflows in the KSign KSignSWAT ActiveX C ...) NOT-FOR-US: KSign CVE-2007-2819 (Cross-site scripting (XSS) vulnerability in reportItem.do in Track+ 3. ...) NOT-FOR-US: Track+ CVE-2007-2818 (Cross-site scripting (XSS) vulnerability in cand_login.asp in CactuSof ...) NOT-FOR-US: Parodia CVE-2007-2817 (SQL injection vulnerability in read/index.php in ol'bookmarks 0.7.4 al ...) NOT-FOR-US: ol'bookmarks CVE-2007-2816 (Multiple PHP remote file inclusion vulnerabilities in ol'bookmarks 0.7 ...) NOT-FOR-US: ol'bookmarks CVE-2007-2815 (The "hit-highlighting" functionality in webhits.dll in Microsoft Inter ...) NOT-FOR-US: Microsoft IIS CVE-2007-2814 (Multiple stack-based buffer overflows in the Pegasus ImagN' ActiveX co ...) NOT-FOR-US: Pegasus ImagN' CVE-2007-2813 (Cisco IOS 12.4 and earlier, when using the crypto packages and SSL sup ...) NOT-FOR-US: Cisco CVE-2007-2812 (Cross-site scripting (XSS) vulnerability in hlstats.php in HLstats 1.3 ...) NOT-FOR-US: HLstats CVE-2007-2811 (Cross-site scripting (XSS) vulnerability in OSK Advance-Flow 4.41 and ...) NOT-FOR-US: OSK Advance-Flow CVE-2007-2810 (SQL injection vulnerability in down_indir.asp in Gazi Download Portal ...) NOT-FOR-US: Gazi Download Portal CVE-2007-2809 (Buffer overflow in the transfer manager in Opera before 9.21 for Windo ...) NOT-FOR-US: Opera CVE-2007-2808 (Cross-site scripting (XSS) vulnerability in gnatsweb.pl in Gnatsweb 4. ...) {DSA-1486-1} - gnatsweb 4.00-1.1 (low; bug #427156) CVE-2007-2807 (Stack-based buffer overflow in mod/server.mod/servrmsg.c in Eggdrop 1. ...) {DSA-1826-1 DSA-1448-1} - eggdrop 1.6.18-1.1 (medium; bug #427157) CVE-2007-2806 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Ga ...) NOT-FOR-US: GaliX CVE-2007-2805 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Cl ...) NOT-FOR-US: ClientExec CVE-2007-2804 (Multiple cross-site scripting (XSS) vulnerabilities in scripts/prodLis ...) NOT-FOR-US: CandyPress Store CVE-2007-2803 (SQL injection vulnerability in default.asp in Vizayn Urun Tanitim Site ...) NOT-FOR-US: Vizayn Urun Tanitim Sitesi CVE-2007-2802 (Cross-site scripting (XSS) vulnerability in cp/ps/Main/login/Login in ...) NOT-FOR-US: RM EasyMail Plus CVE-2007-2801 (Multiple cross-site scripting (XSS) vulnerabilities in open.php in eTi ...) NOT-FOR-US: eTicket CVE-2007-2800 (index.php in eTicket 1.5.5.1 and earlier allows remote attackers to ob ...) NOT-FOR-US: eTicket CVE-2007-2799 (Integer overflow in the "file" program 4.20, when running on 32-bit sy ...) {DSA-1343-2 DSA-1343-1} - file 4.21-1 (medium; bug #428293) CVE-2007-2798 (Stack-based buffer overflow in the rename_principal_2_svc function in ...) {DSA-1323-1} - krb5 1.6.dfsg.1-5 (high; bug #430785) CVE-2006-7205 (The array_fill function in ext/standard/array.c in PHP 4.4.2 and 5.1.2 ...) - php4 (unimportant) - php5 (unimportant) NOTE: local DoS when Apache memory limit is set high CVE-2006-7204 (The imap_body function in PHP before 4.4.4 does not implement safemode ...) - php4 (unimportant) NOTE: open_basedir bypasses not supported CVE-2003-1330 (Clearswift MAILsweeper for SMTP 4.3.6 SP1 does not execute custom "on ...) NOT-FOR-US: MAILsweeper CVE-2001-1581 (The File Blocker feature in Clearswift MAILsweeper for SMTP 4.2 allows ...) NOT-FOR-US: MAILsweeper CVE-2007-XXXX [mantis multiple issues fixed in 1.0.7] - mantis 1.0.7+dfsg-1 [sarge] - mantis 0.19.2-5sarge5 NOTE: "email notifications bypass security on custom fields" and "XSS vulnerabilities" CVE-2007-XXXX [NTFS driver for FUSE unspecified issue] - ntfs-3g 1:1.516-1 NOTE: local root exploit CVE-2007-2797 (xterm, including 192-7.el4 in Red Hat Enterprise Linux and 208-3.1 in ...) - xterm (Debian uses safe compile-time settings) CVE-2007-2796 (Arris Cadant C3 CMTS allows remote attackers to cause a denial of serv ...) NOT-FOR-US: Arris Cadant CVE-2007-2795 (Multiple buffer overflows in Ipswitch IMail before 2006.21 allow remot ...) NOT-FOR-US: Ipswitch IMail CVE-2007-2794 RESERVED CVE-2007-2793 (PHP remote file inclusion vulnerability in ImageImageMagick.php in Gee ...) NOT-FOR-US: Geeklog CVE-2007-2792 (SQL injection vulnerability in the Yet another Newsletter Component (a ...) NOT-FOR-US: com_yanc for Mambo NOTE: com_yanc component not in Mambo Debian package CVE-2007-2791 (Unspecified vulnerability in the Secure Shell (SSH) in HP Tru64 UNIX 5 ...) NOT-FOR-US: HP Tru64 CVE-2007-2790 (Cross-site scripting (XSS) vulnerability in shopcontent.asp in VP-ASP ...) NOT-FOR-US: VP-ASP Shopping Cart CVE-2007-2789 (The BMP image parser in Sun Java Development Kit (JDK) before 1.5.0_11 ...) - sun-java5 1.5.0-11-1 (medium) [etch] - sun-java5 1.5.0-14-1etch1 - sun-java6 6-01-1 (bug #422403) - openjdk-6 6b08-1 (bug #566766) CVE-2007-2788 (Integer overflow in the embedded ICC profile image parser in Sun Java ...) - sun-java5 1.5.0-11-1 (medium) [etch] - sun-java5 1.5.0-14-1etch1 - sun-java6 6-01-1 (bug #422403) - openjdk-6 6b08-1 (bug #566766) CVE-2007-2787 (Stack-based buffer overflow in the BrowseDir function in the (1) lttmb ...) NOT-FOR-US: LeadTools Raster Thumbnail Object Library CVE-2007-2786 (Ratbox IRC Daemon (aka ircd-ratbox) 2.2.5 and earlier allows remote at ...) NOT-FOR-US: ircd-ratbox CVE-2007-2785 (manage-admins.php in eSyndiCat Pro 1.x allows remote attackers to crea ...) NOT-FOR-US: eSyndiCat Pro CVE-2007-2784 (Unspecified vulnerability in globus-job-manager in Globus Toolkit 4.1. ...) NOT-FOR-US: Globus Toolkit CVE-2007-2783 (Unspecified vulnerability in Rational Soft Hidden Administrator 1.7 an ...) NOT-FOR-US: Rational Soft Hidden Administrator CVE-2007-2782 (Packeteer PacketShaper uses fixed increments in TCP initial sequence n ...) NOT-FOR-US: Packeteer PacketShaper CVE-2007-2781 (Cross-site scripting (XSS) vulnerability in include/sessionRegister.ph ...) NOT-FOR-US: WikyBlog CVE-2007-2780 (PsychoStats 3.0.6b and earlier allows remote attackers to obtain sensi ...) NOT-FOR-US: PsychoStats CVE-2007-2779 (PHP remote file inclusion vulnerability in template_csv.php in Libstat ...) NOT-FOR-US: Libstats CVE-2007-2778 (Multiple directory traversal vulnerabilities in MolyX BOARD 2.5.0 allo ...) NOT-FOR-US: MolyX BOARD CVE-2007-2777 (Unrestricted file upload vulnerability in admin/addsptemplate.php in A ...) NOT-FOR-US: AlstraSoft Template Seller Pro CVE-2007-2776 (AlstraSoft Template Seller Pro 3.25 and earlier sends a redirect to th ...) NOT-FOR-US: AlstraSoft Template Seller Pro CVE-2007-2775 (AlstraSoft Live Support 1.21 sends a redirect to the web browser but d ...) NOT-FOR-US: AlstraSoft Live Support CVE-2007-2774 (Multiple PHP remote file inclusion vulnerabilities in SunLight CMS 5.3 ...) NOT-FOR-US: SunLight CMS CVE-2007-2773 (SQL injection vulnerability in plugins/mp3playlist/mp3playlist.php in ...) NOT-FOR-US: Zomplog CVE-2007-2772 ((1) caloggerd.exe (camt70.dll) and (2) mediasvr.exe (catirpc.dll and r ...) NOT-FOR-US: CA BrightStor Backup CVE-2007-2771 (Stack-based buffer overflow in the LEAD Technologies LeadTools JPEG 20 ...) NOT-FOR-US: LeadTools JPEG 2000 CVE-2007-2770 (Stack-based buffer overflow in Eudora 7.1 allows user-assisted, remote ...) NOT-FOR-US: Eudora CVE-2007-2769 (BES before 3.5.0 in OPeNDAP 4 (Hydrax) before 1.2.1 does not properly ...) NOT-FOR-US: OPeNDAP CVE-2007-2768 (OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, a ...) - openssh (bug #436571; unimportant) [etch] - openssh (Minor issue) [sarge] - openssh (Minor issue) NOTE: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=112279 CVE-2007-2767 (Unspecified vulnerability in BES before 3.5.0 in OPeNDAP 4 (Hydrax) be ...) NOT-FOR-US: OPeNDAP CVE-2007-2766 (lib/backup-methods.sh in Backup Manager before 0.7.6 provides the MySQ ...) - backup-manager 0.7.6-1 (low) [sarge] - backup-manager (Minor issue) [etch] - backup-manager 0.7.5-5 CVE-2007-2765 (blockhosts.py in BlockHosts before 2.0.3 does not properly parse daemo ...) NOT-FOR-US: BlockHosts CVE-2007-2764 (The embedded Linux kernel in certain Sun-Brocade SilkWorm switches bef ...) NOT-FOR-US: Sun-Brocade SilkWorm CVE-2007-2763 (Buffer overflow in the UnlockSupport function in the LockModules subsy ...) NOT-FOR-US: Sienzo Digital Music Mentor ActiveX control CVE-2007-2762 (Multiple PHP remote file inclusion vulnerabilities in Build it Fast (b ...) NOT-FOR-US: Build it Fast CVE-2007-2761 (Stack-based buffer overflow in MagicISO 5.4 build 239 and earlier allo ...) NOT-FOR-US: MagicISO CVE-2007-2760 (The canUpdate function in model/MRole.java in Adempiere before 3.1.6 d ...) NOT-FOR-US: Adempiere CVE-2007-2759 (Multiple SQL injection vulnerabilities in the insert function in the V ...) NOT-FOR-US: Adempiere CVE-2007-2758 (Multiple buffer overflows in WinImage 8.0.8000 allow user-assisted rem ...) NOT-FOR-US: WinImage CVE-2007-2757 (Multiple cross-site scripting (XSS) vulnerabilities in Redoable 1.2 al ...) NOT-FOR-US: Redoable CVE-2007-2756 (The gdPngReadData function in libgd 2.0.34 allows user-assisted attack ...) {DSA-1613-1} - libgd2 2.0.35.dfsg-1 (bug #426100; bug #426099; bug #425584; low) [etch] - libgd (Minor issue) [sarge] - libgd (Minor issue) [etch] - libgd2 (Minor issue) [sarge] - libgd2 (Minor issue) NOTE: https://web.archive.org/web/20090212193455/http://bugs.libgd.org/?do=details&task_id=86 CVE-2007-2755 (The PrecisionID Barcode 1.9 ActiveX control in PrecisionID_Barcode.dll ...) NOT-FOR-US: PrecisionID CVE-2007-2754 (Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and e ...) {DSA-1334-1 DSA-1302-1} - freetype 2.2.1-6 (bug #425625) [sarge] - freetype 2.1.7-8 CVE-2007-2753 (RunawaySoft Haber portal 1.0 stores sensitive information under the we ...) NOT-FOR-US: RunawaySoft CVE-2007-2752 (SQL injection vulnerability in devami.asp in RunawaySoft Haber portal ...) NOT-FOR-US: RunawaySoft CVE-2007-2751 (Multiple PHP remote file inclusion vulnerabilities in PHPGlossar 0.8 a ...) NOT-FOR-US: PHPGlossar CVE-2007-2750 (SQL injection vulnerability in print.php in SimpNews 2.40.01 and earli ...) NOT-FOR-US: SimpNews CVE-2007-2749 (SQL injection vulnerability in question.php in FAQEngine 4.16.03 and e ...) NOT-FOR-US: FAQEngine CVE-2007-2748 (The substr_count function in PHP 5.2.1 and earlier allows context-depe ...) - php4 (Debian shipped the correct fix from the beginning) - php5 (Debian shipped the correct fix from the beginning) CVE-2007-2747 (Directory traversal vulnerability in rdw_helpers.py in rdiffWeb before ...) NOT-FOR-US: rdiffWeb CVE-2007-2746 (The viewList function in lib/WebGUI/Asset/Wobject/DataForm.pm in Plain ...) NOT-FOR-US: Plain Black WebGUI CVE-2007-2745 (Cross-site scripting (XSS) vulnerability in printcal.pl in vDesk Webma ...) NOT-FOR-US: vDesk Webmail CVE-2007-2744 (Stack-based buffer overflow in the PrecisionID Barcode 1.9 ActiveX con ...) NOT-FOR-US: PrecisionID CVE-2007-2743 (PHP remote file inclusion vulnerability in custom_vars.php in GlossWor ...) NOT-FOR-US: GlossWord CVE-2007-2742 (Unrestricted file upload vulnerability in labs.beffa.org w2box 4.0.0 B ...) NOT-FOR-US: w2box CVE-2007-2741 (Stack-based buffer overflow in Little CMS (lcms) before 1.15 allows re ...) - lcms 1.15-1 (medium) CVE-2007-2740 (Unspecified vulnerability in xajax before 0.2.5 has unknown impact and ...) - php-xajax 0.2.5-1 (bug #426103; unimportant) NOTE: This issue was created because of an upstream changelog entry, which however NOTE: was meant for the XSS, which is the general issue. CVE-2007-2739 (Cross-site scripting (XSS) vulnerability in xajax before 0.2.5 allows ...) {DSA-1692-1} - php-xajax 0.2.5-1 (bug #426103; low) CVE-2007-2738 (SQL injection vulnerability in glossaire-p-f.php in the Glossaire 1.7 ...) NOT-FOR-US: Glossaire for Xoops CVE-2007-2737 (SQL injection vulnerability in index.php in the MyConference 1.0 modul ...) NOT-FOR-US: MyConference for Xoops CVE-2007-2736 (PHP remote file inclusion vulnerability in index.php in Achievo 1.1.0 ...) NOT-FOR-US: Achievo CVE-2007-2735 (SQL injection vulnerability in edit_day.php in the ResManager 1.2.1 an ...) NOT-FOR-US: ResManager for Xoops CVE-2007-2734 (The 3Com TippingPoint IPS do not properly handle certain full-width an ...) NOT-FOR-US: 3Com TippingPoint IPS CVE-2007-2733 (Unrestricted file upload vulnerability in Jetbox CMS allows remote aut ...) NOT-FOR-US: Jetbox CMS CVE-2007-2732 (Multiple cross-site scripting (XSS) vulnerabilities in Jetbox CMS allo ...) NOT-FOR-US: Jetbox CMS CVE-2007-2731 (CRLF injection vulnerability in formmail.php in Jetbox CMS 2.1 might a ...) NOT-FOR-US: Jetbox CMS CVE-2007-2730 (Check Point ZoneAlarm Pro before 6.5.737.000 does not properly test fo ...) NOT-FOR-US: Check Point Zone Labs ZoneAlarm Internet Security Suite CVE-2007-2729 (Comodo Firewall Pro 2.4.18.184 and Comodo Personal Firewall 2.3.6.81, ...) NOT-FOR-US: Comodo Personal Firewall CVE-2007-2728 (The soap extension in PHP calls php_rand_r with an uninitialized seed ...) - php5 5.2.3-1 (low) [etch] - php5 (Version from 5.2.0 correctly uses rand()) - php4 (no soap functions in php4) CVE-2007-2727 (The mcrypt_create_iv function in ext/mcrypt/mcrypt.c in PHP before 4.4 ...) [etch] - php5 (Version from 5.2.0 correctly uses rand()) - php5 5.2.2-1 (low) NOTE: Code not present in PHP 4. CVE-2007-2726 (BitsCast 0.13.0 allows remote attackers to cause a denial of service ( ...) NOT-FOR-US: BitsCast CVE-2007-2725 (The DB Software Laboratory DeWizardX (DEWizardAX.ocx) ActiveX control ...) NOT-FOR-US: DeWizardX CVE-2007-2724 (Cross-site scripting (XSS) vulnerability in all_photos.html in fotolog ...) NOT-FOR-US: fotolog CVE-2007-2723 (Media Player Classic 6.4.9.0 allows user-assisted remote attackers to ...) NOT-FOR-US: guliverkli Media Player Classic CVE-2007-2722 (Unspecified vulnerability in NewzCrawler 1.8 allows remote attackers t ...) NOT-FOR-US: NewzCrawler CVE-2007-2721 (The jpc_qcx_getcompparms function in jpc/jpc_cs.c for the JasPer JPEG- ...) {DSA-2036-1} - jasper 1.900.1-6 (medium; bug #413033; bug #528543) NOTE: Jasper was initially fixed in 1.900.1-3, but the fix got dropped later, see #528543 - ghostscript 8.61.dfsg.1~svn8187-1.1 (medium; bug #447188) - gs-gpl (medium; bug #561717) NOTE: see http://ghostscript.com/pipermail/gs-cvs/2007-October/007877.html CVE-2007-2720 (Group-Office before 2.16-13 does not properly validate user IDs, which ...) NOT-FOR-US: Group-Office CVE-2007-2719 (Session fixation vulnerability in HP Systems Insight Manager (SIM) 4.2 ...) NOT-FOR-US: HP Systems Insight Manager CVE-2007-2718 (Cross-site scripting (XSS) vulnerability in the WebMail system in Stal ...) NOT-FOR-US: Stalker CommuniGate Pro CVE-2007-2717 (SQL injection vulnerability in shop/page.php in iGeneric (iG) Shop 1.4 ...) NOT-FOR-US: iGeneric (iG) Shop CVE-2007-2716 (Multiple cross-site scripting (XSS) vulnerabilities in EQdkp 1.3.2c an ...) NOT-FOR-US: EQdkp CVE-2003-1329 (ftpd.c in wu-ftpd 2.6.2, when running on "operating systems that only ...) - wu-ftpd 2.6.2-4 CVE-2007-2715 (Admin/users.php in Snaps! Gallery 1.4.4 allows remote attackers to cha ...) NOT-FOR-US: Snaps! Gallery CVE-2007-2714 (Unspecified vulnerability in akismet.php in Matt Mullenweg Akismet bef ...) - wordpress 2.2-1 NOTE: See http://plugins.trac.wordpress.org/changeset/12812/akismet/trunk/akismet.php CVE-2007-2713 (ifdate 2.x sends a redirect to the web browser but does not exit when ...) NOT-FOR-US: iFdate CVE-2007-2712 (Unspecified vulnerability in MH Software Connect Daily before 3.3.3 ha ...) NOT-FOR-US: MH Software Connect Daily Web Calendar CVE-2007-2711 (Stack-based buffer overflow in TinyIdentD 2.2 and earlier allows remot ...) NOT-FOR-US: TinyIdentD CVE-2007-2710 (PHP remote file inclusion vulnerability in functions/prepend_adm.php i ...) NOT-FOR-US: NagiosQL CVE-2007-2709 (PHP remote file inclusion vulnerability in functions/prepend_adm.php i ...) NOT-FOR-US: NagiosQL CVE-2007-2708 (PHP remote file inclusion vulnerability in newsadmin.php in Feindt Com ...) NOT-FOR-US: News-Script CVE-2007-2707 (PHP remote file inclusion vulnerability in linksnet_linkslog_rss.php i ...) NOT-FOR-US: Linksnet Newsfeed CVE-2007-2706 (PHP remote file inclusion vulnerability in maint/ftpmedia.php in Media ...) NOT-FOR-US: Geeklog CVE-2007-2705 (Directory traversal vulnerability in the Test View Console in BEA WebL ...) NOT-FOR-US: BEA WebLogic Integration CVE-2007-2704 (BEA WebLogic Server 9.0 through 9.2 allows remote attackers to cause a ...) NOT-FOR-US: BEA WebLogic Server CVE-2007-2703 (BEA WebLogic Portal 9.2 GA can corrupt a visitor entitlements role if ...) NOT-FOR-US: BEA WebLogic Portal CVE-2007-2702 (Cross-site scripting (XSS) vulnerability in the GroupSpace application ...) NOT-FOR-US: BEA WebLogic Portal CVE-2007-2701 (The JMS Message Bridge in BEA WebLogic Server 7.0 through SP7 and 8.1 ...) NOT-FOR-US: BEA WebLogic CVE-2007-2700 (The WLST script generated by the configToScript command in BEA WebLogi ...) NOT-FOR-US: BEA WebLogic CVE-2007-2699 (The Administration Console in BEA WebLogic Express and WebLogic Server ...) NOT-FOR-US: BEA WebLogic CVE-2007-2698 (The Administration Console in BEA WebLogic Server 9.0 may show plainte ...) NOT-FOR-US: BEA WebLogic CVE-2007-2697 (The embedded LDAP server in BEA WebLogic Express and WebLogic Server 7 ...) NOT-FOR-US: BEA WebLogic CVE-2007-2696 (The JMS Server in BEA WebLogic Server 6.1 through SP7, 7.0 through SP6 ...) NOT-FOR-US: BEA WebLogic CVE-2007-2695 (The HttpClusterServlet and HttpProxyServlet in BEA WebLogic Express an ...) NOT-FOR-US: BEA WebLogic CVE-2007-2694 (Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic Ex ...) NOT-FOR-US: BEA WebLogic CVE-2007-2693 (MySQL before 5.1.18 allows remote authenticated users without SELECT p ...) - mysql-dfsg-5.0 (Only MySQL 5.1 affected) [sarge] - mysql-dfsg-4.1 (Only MySQL 5.1 affected) [sarge] - mysql-dfsg (Only MySQL 5.1 affected) CVE-2007-2692 (The mysql_change_db function in MySQL 5.0.x before 5.0.40 and 5.1.x be ...) {DSA-1413-1} - mysql-dfsg-5.0 5.0.42 (bug #424778) [sarge] - mysql-dfsg-4.1 (Vulnerable functionality not implemented) [sarge] - mysql-dfsg (Vulnerable functionality not implemented) NOTE: http://bugs.mysql.com/bug.php?id=28499 CVE-2007-2691 (MySQL before 4.1.23, 5.0.x before 5.0.42, and 5.1.x before 5.1.18 does ...) {DSA-1413-1} - mysql-dfsg-5.0 5.0.41a-1 (bug #424778; bug #424830) CVE-2007-2690 (Multiple IBM ISS Proventia Series products, including the A, G, and M ...) NOT-FOR-US: ISS CVE-2007-2689 (Check Point Web Intelligence does not properly handle certain full-wid ...) NOT-FOR-US: Check Point CVE-2007-2688 (The Cisco Intrusion Prevention System (IPS) and IOS with Firewall/IPS ...) NOT-FOR-US: Cisco CVE-2007-2687 (Stack-based buffer overflow in the MicroWorld Agent service (MWAGENT.E ...) NOT-FOR-US: MicroWorld CVE-2007-2686 (Cross-site scripting (XSS) vulnerability in index.php in Jetbox CMS 2. ...) NOT-FOR-US: Jetbox CMS CVE-2007-2685 (Multiple SQL injection vulnerabilities in index.php in Jetbox CMS 2.1 ...) NOT-FOR-US: Jetbox CMS CVE-2007-2684 (Jetbox CMS 2.1 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Jetbox CMS CVE-2007-2683 (Buffer overflow in Mutt 1.4.2 might allow local users to execute arbit ...) - mutt 1.5.15+20070608-1 (low; bug #426116) [etch] - mutt (Minor issue, hardly exploitable) [sarge] - mutt (Minor issue, hardly exploitable) CVE-2007-2682 (The installer for Adobe Version Cue CS3 Server on Apple Mac OS X, as u ...) NOT-FOR-US: Adobe CVE-2007-2681 (Directory traversal vulnerability in blogs/index.php in b2evolution 1. ...) - b2evolution (unimportant) NOTE: This is a register_globals=on issue. NOTE: More than just blogs/index.php is affected (that file isn't NOTE: installed by the Debian package). CVE-2007-2680 (Cross-site scripting (XSS) vulnerability in the management interface i ...) NOT-FOR-US: Canon CVE-2007-2679 (PHP file inclusion vulnerability in index.php in Ivan Peevski gallery ...) NOT-FOR-US: Simple PHP Scripts CVE-2007-2678 (Buffer overflow in the isChecked function in toolbar.dll in Netsprint ...) NOT-FOR-US: Netsprint CVE-2007-2677 (Multiple PHP remote file inclusion vulnerabilities in phpChess Communi ...) NOT-FOR-US: phpChess CVE-2007-2676 (PHP remote file inclusion vulnerability in skins/header.php in Open Tr ...) NOT-FOR-US: Open Translation Engine CVE-2007-2675 (SQL injection vulnerability in search.php in Pre Classifieds Listings ...) NOT-FOR-US: Pre Classifieds Listings CVE-2007-2674 (SQL injection vulnerability in detail.php in Pre Shopping Mall 1.0 all ...) NOT-FOR-US: Pre Shopping Mall CVE-2007-2673 (SQL injection vulnerability in includes/funcs_vendors.php in Censura 1 ...) NOT-FOR-US: Censura CVE-2007-2672 (SQL injection vulnerability in index.php in PHP Coupon Script 3.0 allo ...) NOT-FOR-US: PHP Coupon Script CVE-2007-2671 (Mozilla Firefox 2.0.0.3 allows remote attackers to cause a denial of s ...) - iceweasel (unimportant) NOTE: Browser crashes not treated as security problems CVE-2007-2670 (PHPChain 1.0 and earlier allows remote attackers to obtain the install ...) NOT-FOR-US: PHPChain CVE-2007-2669 (Multiple cross-site scripting (XSS) vulnerabilities in PHPChain 1.0 an ...) NOT-FOR-US: PHPChain CVE-2007-2668 (Buffer overflow in webdesproxy 0.0.1 allows remote attackers to execut ...) NOT-FOR-US: webdesproxy CVE-2007-2667 (Buffer overflow in the DB Software Laboratory VImpX ActiveX control in ...) NOT-FOR-US: VImpX CVE-2007-2666 (Stack-based buffer overflow in LexRuby.cxx (SciLexer.dll) in Scintilla ...) NOT-FOR-US: notepad++ CVE-2007-2665 (PHP remote file inclusion vulnerability in block.php in PhpFirstPost 0 ...) NOT-FOR-US: PhpFirstPost CVE-2007-2664 (PHP remote file inclusion vulnerability in includes/common.php in Yaap ...) NOT-FOR-US: Yaap CVE-2007-2663 (PHP remote file inclusion vulnerability in language/1/splash.lang.php ...) NOT-FOR-US: Beacon CVE-2007-2662 (SQL injection vulnerability in EfesTECH Haber 5.0 allows remote attack ...) NOT-FOR-US: EfesTECH CVE-2007-2661 (SQL injection vulnerability in archshow.asp in BlogMe 3.0 allows remot ...) NOT-FOR-US: BlogMe CVE-2007-2660 NOT-FOR-US: PhpConcept CVE-2007-2659 (Directory traversal vulnerability in index.php in PHP Advanced Transfe ...) NOT-FOR-US: PHP Advanced Transfer Manager (phpATM) CVE-2007-2658 (Unspecified vulnerability in the ID Automation Linear Barcode 1.6.0.5 ...) NOT-FOR-US: ID Automation CVE-2007-2657 (Unspecified vulnerability in the PrecisionID Barcode 1.3 ActiveX contr ...) NOT-FOR-US: PrecisionID CVE-2007-2656 (Stack-based buffer overflow in the Hewlett-Packard (HP) Magview Active ...) NOT-FOR-US: HP CVE-2007-2655 (Unspecified vulnerability in NetWin Webmail 3.1s-1 in SurgeMail before ...) NOT-FOR-US: NetWin CVE-2007-2654 (xfs_fsr in xfsdump creates a .fsr temporary directory with insecure pe ...) - xfsdump 2.2.45-1 (bug #417894; low) [etch] - xfsdump (Minor issue) CVE-2007-2653 REJECTED CVE-2007-2652 (Multiple unspecified vulnerabilities in Free-SA before 1.2.2 allow rem ...) NOT-FOR-US: Free-SA CVE-2007-2651 (Multiple off-by-one errors in VooDoo cIRCle before 1.1.beta27 allow re ...) NOT-FOR-US: VooDoo cIRCle CVE-2007-2650 (The OLE2 parser in Clam AntiVirus (ClamAV) allows remote attackers to ...) {DSA-1320-1 DTSA-43-1} - clamav 0.90.2-1 CVE-2007-2649 (Deutsche Telekom (T-com) Speedport W 700v uses JavaScript delays for i ...) NOT-FOR-US: Speedport W 700v CVE-2007-2648 (Stack-based buffer overflow in the Clever Database Comparer 2.2 Active ...) NOT-FOR-US: Clever Database Comparer CVE-2007-2647 (Static code injection vulnerability in admin/admin_configuration.php i ...) NOT-FOR-US: MonAlbum CVE-2007-2646 (Heap-based buffer overflow in yEnc32 1.0.7.207 allows user-assisted re ...) NOT-FOR-US: yEnc32 CVE-2007-2645 (Integer overflow in the exif_data_load_data_entry function in exif-dat ...) {DSA-1487-1} - libexif 0.6.15-1 (bug #424775) CVE-2007-2644 (A certain ActiveX control in Morovia Barcode ActiveX Professional 3.3. ...) NOT-FOR-US: Morovia CVE-2007-2643 (Directory traversal vulnerability in phpThumb.php in PinkCrow Designs ...) NOT-FOR-US: maGAZIn CVE-2007-2642 (Directory traversal vulnerability in galeria.php in R2K Gallery 1.7 al ...) NOT-FOR-US: R2K Gallery CVE-2007-2641 (SQL injection vulnerability in W1L3D4_bolum.asp in W1L3D4 Philboard 0. ...) NOT-FOR-US: W1L3D4 CVE-2007-2640 (LibTMCG before 1.1.1 does not perform a range check to avoid "trivial ...) NOT-FOR-US: LibTMCG CVE-2007-2639 (Directory traversal vulnerability in TFTPdWin 0.4.2 allows remote atta ...) NOT-FOR-US: TFTPDWIN CVE-2007-2638 (eFileCabinet 3.3 allows remote attackers to bypass authentication and ...) NOT-FOR-US: eFileCabinet CVE-2007-2637 (MoinMoin before 20070507 does not properly enforce ACLs for calendars ...) {DSA-1514-1} - moin 1.5.7-2 (low) CVE-2007-2636 (Unspecified vulnerability in phpTodo before 0.8.1 allows remote attack ...) NOT-FOR-US: phpTodo CVE-2007-2635 (Unspecified vulnerability in Interchange before 5.4.2 allows remote at ...) - interchange 5.4.2-1 (low) CVE-2007-2634 (PHP remote file inclusion vulnerability in common/errormsg.php in aFor ...) NOT-FOR-US: aForum CVE-2007-2633 (Directory traversal vulnerability in H-Sphere SiteStudio 1.6 allows re ...) NOT-FOR-US: H-Sphere CVE-2007-2632 (Multiple cross-site scripting (XSS) vulnerabilities in PHP Multi User ...) NOT-FOR-US: phpMUR CVE-2007-2631 (Cross-site request forgery (CSRF) vulnerability in SquirrelMail 1.4.8- ...) NOTE: Duplicate of CVE-2007-2589 CVE-2007-2630 (Incomplete blacklist vulnerability in filemanager/browser/default/conn ...) - moin 1.5.8-4.1 (unimportant) - karrigell (Vulnerable php code not present) - knowledgeroot 0.9.8.2-2 (unimportant) CVE-2007-2629 (Bradford CampusManager Network Control Application Server 3.1(6) allow ...) NOT-FOR-US: Bradford CVE-2007-2628 (PHP remote file inclusion vulnerability in include/logout.php in Justi ...) NOT-FOR-US: PHPSecurityAdmin CVE-2007-2627 (Cross-site scripting (XSS) vulnerability in sidebar.php in WordPress, ...) - wordpress 2.2.2-1 (low) [etch] - wordpress (Vulnerable code not present) CVE-2007-2626 NOT-FOR-US: SchoolBoard CVE-2007-2625 (Cross-site scripting (XSS) vulnerability in shared/code/cp_authorizati ...) NOT-FOR-US: All In One Control Panel (AIOCP) CVE-2007-2624 (Dynamic variable evaluation vulnerability in shared/config/cp_config.p ...) NOT-FOR-US: All In One Control Panel (AIOCP) CVE-2007-2623 (Multiple buffer overflows in RControl.dll in Remote Display Dev kit 1. ...) NOT-FOR-US: Remote Display Dev kit CVE-2007-2622 (Multiple SQL injection vulnerabilities in TaskDriver 1.2 and earlier a ...) NOT-FOR-US: TaskDriver CVE-2007-2621 (SQL injection vulnerability in event_view.php in Thyme Calendar 1.3 al ...) NOT-FOR-US: Thyme Calendar CVE-2007-2620 (PHP remote file inclusion vulnerability in inc/config.inc.php in Jakub ...) NOT-FOR-US: Jakub Steiner (aka jimmac) original CVE-2007-2619 (Symantec pcAnywhere 11.5.x and 12.0.x retains unencrypted login creden ...) NOT-FOR-US: Symantec pcAnywhere CVE-2007-2618 (CRLF injection vulnerability in index.php in Drake CMS 0.4.0 allows re ...) NOT-FOR-US: Drake CMS CVE-2007-2617 (srsexec in Sun Remote Services (SRS) Net Connect Software Proxy Core p ...) NOT-FOR-US: Sun Solaris CVE-2007-2616 (Stack-based buffer overflow in the SSL version of the NMDMC.EXE servic ...) NOT-FOR-US: Novell NetMail CVE-2007-2615 (Multiple PHP remote file inclusion vulnerabilities in Crie seu PHPLoja ...) NOT-FOR-US: PHPLojaFacil CVE-2007-2614 (PHP remote file inclusion vulnerability in examples/widget8.php in php ...) NOT-FOR-US: phpHtmlLib CVE-2007-2613 (WikkaWiki (Wikka Wiki) before 1.1.6.3 allows attackers in a shared vir ...) NOT-FOR-US: WikkaWiki CVE-2007-2612 (SQL injection vulnerability in libs/Wakka.class.php in WikkaWiki (Wikk ...) NOT-FOR-US: WikkaWiki CVE-2007-2611 (Multiple PHP remote file inclusion vulnerabilities in CGX 20050314 all ...) NOT-FOR-US: CGX CVE-2007-2610 (Cross-site scripting (XSS) vulnerability in OpenLD before 1.1.9, and 1 ...) NOT-FOR-US: OpenLD CVE-2007-2609 (Multiple PHP remote file inclusion vulnerabilities in gnuedu 1.3b2 all ...) NOT-FOR-US: gnuedu CVE-2007-2608 (PHP remote file inclusion vulnerability in lib/smarty/SmartyFU.class.p ...) NOT-FOR-US: Miplex2 CVE-2007-2607 (PHP remote file inclusion vulnerability in views/print/printbar.php in ...) NOT-FOR-US: LaVague CVE-2007-2606 (Multiple buffer overflows in Firebird 2.1 allow attackers to trigger m ...) {DSA-1529-1} - firebird2.0 2.0.3.12981.ds1-1 (low; bug #444976) [etch] - firebird2 (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 (low) NOTE: Minor issue, because conffile is restricted CVE-2007-2605 (Unspecified vulnerability in the GetPropertyById function in ISoftomat ...) NOT-FOR-US: Brujula Toolbar CVE-2007-2604 (Unspecified vulnerability in the FlexLabel ActiveX control allows remo ...) NOT-FOR-US: FlexLabel CVE-2007-2603 (Unspecified vulnerability in the Init function in the Audio CD Ripper ...) NOT-FOR-US: Audio CD Ripper CVE-2007-2602 (Buffer overflow in MIBEXTRA.EXE in Ipswitch WhatsUp Gold 11 allows att ...) NOT-FOR-US: Ipswitch WhatsUp CVE-2007-2601 (Buffer overflow in a certain ActiveX control in the GDivX Zenith Playe ...) NOT-FOR-US: GDivX Zenith Player CVE-2007-2600 (Multiple cross-site scripting (XSS) vulnerabilities in TutorialCMS (ak ...) NOT-FOR-US: TutorialCMS CVE-2007-2599 (Multiple SQL injection vulnerabilities in TutorialCMS (aka Photoshop T ...) NOT-FOR-US: TutorialCMS CVE-2007-2598 (SQL injection vulnerability in print.php in SimpleNews 1.0.0 FINAL all ...) NOT-FOR-US: PHP SimpleNEWS CVE-2007-2597 (Multiple PHP remote file inclusion vulnerabilities in telltarget CMS 1 ...) NOT-FOR-US: telltarget CMS CVE-2007-2596 (PHP remote file inclusion vulnerability in common/func.php in aForum 1 ...) NOT-FOR-US: aForum CVE-2007-2595 (RSAuction 2.73.1.3 allows remote authenticated users to move their own ...) NOT-FOR-US: RSAuction CVE-2007-2594 (PHP remote file inclusion vulnerability in inc/articles.inc.php in php ...) NOT-FOR-US: phpMyPortal CVE-2007-2593 (The Terminal Server in Microsoft Windows 2003 Server, when using TLS, ...) NOT-FOR-US: Microsoft CVE-2007-2592 (Multiple cross-site scripting (XSS) vulnerabilities in Nokia Intellisy ...) NOT-FOR-US: Nokia CVE-2007-2591 (usrmgr/userList.asp in Nokia Intellisync Mobile Suite 6.4.31.2, 6.6.0. ...) NOT-FOR-US: Nokia CVE-2007-2590 (Nokia Intellisync Mobile Suite 6.4.31.2, 6.6.0.107, and 6.6.2.2, possi ...) NOT-FOR-US: Nokia CVE-2007-2589 (Cross-site request forgery (CSRF) vulnerability in compose.php in Squi ...) {DSA-1290-1} - squirrelmail 2:1.4.10a-1 (low) NOTE: CVE id has later been assigned to a part of this issue CVE-2003-1327 (Buffer overflow in the SockPrintf function in wu-ftpd 2.6.2 and earlie ...) - wu-ftpd 2.6.2-26 (unimportant; bug #425162) NOTE: Linux' limit is 4096 chars CVE-2006-7203 (The compat_sys_mount function in fs/compat.c in Linux kernel 2.6.20 an ...) {DSA-1504-1} - linux-2.6 2.6.18.dfsg.1-9 (low) CVE-2007-2588 (Multiple buffer overflows in the Office Viewer OCX ActiveX control (oa ...) NOT-FOR-US: Office Viewer OCX ActiveX CVE-2007-2587 (The IOS FTP Server in Cisco IOS 11.3 through 12.4 allows remote authen ...) NOT-FOR-US: Cisco CVE-2007-2586 (The FTP Server in Cisco IOS 11.3 through 12.4 does not properly check ...) NOT-FOR-US: Cisco CVE-2007-2585 (Stack-based buffer overflow in the Verify function in the BarCodeWiz A ...) NOT-FOR-US: BarCodeWiz ActiveX control CVE-2007-2584 (Buffer overflow in the IsOldAppInstalled function in the McSubMgr.McSu ...) NOT-FOR-US: Subscription Manager ActiveX control CVE-2007-2583 (The in_decimal::set function in item_cmpfunc.cc in MySQL before 5.0.40 ...) {DSA-1413-1} - mysql-dfsg-5.0 5.0.41-1 (low; bug #426353) [sarge] - mysql-dfsg (Vulnerable functionality not implemented) NOTE: [sarge] Not affected, test case doesn't crash the daemon CVE-2007-2582 (Multiple buffer overflows in the DB2 JDBC Applet Server (DB2JDS) servi ...) NOT-FOR-US: IBM DB2 CVE-2007-2581 (Multiple cross-site scripting (XSS) vulnerabilities in Microsoft Windo ...) NOT-FOR-US: Microsoft CVE-2007-2580 (Unspecified vulnerability in Apple Safari allows local users to obtain ...) NOT-FOR-US: Safari CVE-2007-2579 (Multiple cross-site scripting (XSS) vulnerabilities in ACP3 4.0 beta 3 ...) NOT-FOR-US: ACP3 CVE-2007-2578 (Unspecified vulnerability in search/list/action_search/index.php in AC ...) NOT-FOR-US: ACP3 CVE-2007-2577 (Multiple SQL injection vulnerabilities in ACP3 4.0 beta 3 allow remote ...) NOT-FOR-US: ACP3 CVE-2007-2576 (Buffer overflow in the East Wind Software advdaudio.ocx 1.5.1.1 Active ...) NOT-FOR-US: advdaudio.ocx ActiveX control CVE-2007-2575 (PHP remote file inclusion vulnerability in watermark.php in the vm (ak ...) NOT-FOR-US: vm watermark 0.4.1 mod for Gallery CVE-2007-2574 (Directory traversal vulnerability in index.php in Archangel Weblog 0.9 ...) NOT-FOR-US: Archangel Weblog CVE-2007-2573 (PHP remote file inclusion vulnerability in plugin/HP_DEV/cms2.php in P ...) NOT-FOR-US: PHPtree CVE-2007-2572 (PHP remote file inclusion vulnerability in modules/noevents/templates/ ...) NOT-FOR-US: NoAh (aka PHP Content Architect, phparch) CVE-2007-2571 (SQL injection vulnerability in index.php in the wfquotes 1.0 0 module ...) NOT-FOR-US: wfquotes module for XOOPS CVE-2007-2570 (PHP remote file inclusion vulnerability in handlers/page/show.php in W ...) NOT-FOR-US: Wikivi5 CVE-2007-2569 (Multiple PHP remote file inclusion vulnerabilities in Friendly 1.0d1 a ...) NOT-FOR-US: Friendly CVE-2007-2568 (Multiple stack-based buffer overflows in VCDGear 3.55 allow user-assis ...) NOT-FOR-US: VCDGear CVE-2007-2567 (Buffer overflow in the SaveBarCode function in the Taltech Tal Bar Cod ...) NOT-FOR-US: Taltech Tal Bar Code ActiveX control CVE-2007-2566 (The SaveBarCode function in the Taltech Tal Bar Code ActiveX control a ...) NOT-FOR-US: Taltech Tal Bar Code ActiveX control CVE-2007-2565 (Cdelia Software ImageProcessing allows user-assisted remote attackers ...) NOT-FOR-US: Cdelia Software ImageProcessing CVE-2007-2564 (Multiple stack-based buffer overflows in the Sienzo Digital Music Ment ...) NOT-FOR-US: Sienzo Digital Music Mentor ActiveX control CVE-2007-2563 (Buffer overflow in the AddFile function in VersalSoft HTTP File Upload ...) NOT-FOR-US: VersalSoft HTTP File Upload ActiveX control CVE-2007-2562 (Cross-site scripting (XSS) vulnerability in index.php in Kayako eSuppo ...) NOT-FOR-US: Kayako eSupport CVE-2007-2561 (SQL injection vulnerability in index.asp in fipsCMS 2.1 allows remote ...) NOT-FOR-US: fipsCMS CVE-2007-2560 (Directory traversal vulnerability in theme/acgv.php in ACGVannu 1.3 an ...) NOT-FOR-US: ACGVannu CVE-2007-2559 (Multiple PHP remote file inclusion vulnerabilities in american cart 3. ...) NOT-FOR-US: american cart CVE-2007-2558 NOT-FOR-US: pfa CMS CVE-2007-2557 (MOStlyDB Admin in Mambo 4.6.1 does not properly check privileges, whic ...) NOT-FOR-US: Mambo CVE-2007-2556 (SQL injection vulnerability in Nuked-klaN 1.7.6 allows remote attacker ...) NOT-FOR-US: Nuked-klaN CVE-2007-2555 (Unspecified vulnerability in Default.aspx in Podium CMS allows remote ...) NOT-FOR-US: Podium CMS CVE-2007-2554 (Associated Press (AP) Newspower 4.0.1 and earlier uses a default blank ...) NOT-FOR-US: Newspower CVE-2007-2553 (Unspecified vulnerability in dop in HP Tru64 UNIX 5.1B-4, 5.1B-3, and ...) NOT-FOR-US: HP Tru64 UNIX CVE-2007-2552 (The RecentChanges feature in WikkaWiki (Wikka Wiki) before 1.1.6.3 all ...) NOT-FOR-US: WikkaWiki CVE-2007-2551 (Cross-site scripting (XSS) vulnerability in usersettings.php in WikkaW ...) NOT-FOR-US: WikkaWiki CVE-2007-2550 (Multiple CRLF injection vulnerabilities in Devellion CubeCart 3.0.15 a ...) NOT-FOR-US: CubeCart CVE-2007-2549 (SQL injection vulnerability in index.php in TurnkeyWebTools SunShop Sh ...) NOT-FOR-US: TurnkeyWebTools CVE-2007-2548 (Unspecified vulnerability in index.php in TurnkeyWebTools SunShop Shop ...) NOT-FOR-US: TurnkeyWebTools CVE-2007-2547 (Cross-site scripting (XSS) vulnerability in index.php in TurnkeyWebToo ...) NOT-FOR-US: TurnkeyWebTools CVE-2007-2546 (Session fixation vulnerability in Simple Machines Forum (SMF) 1.1.2 an ...) NOT-FOR-US: SMF CVE-2007-2545 (Multiple PHP remote file inclusion vulnerabilities in Persism CMS 0.9. ...) NOT-FOR-US: Persism CVE-2007-2544 (PHP remote file inclusion vulnerability in templates/default/tpl_messa ...) NOT-FOR-US: TopTree BBS CVE-2007-2543 (SQL injection vulnerability in game.php in the Flashgames 1.0.1 module ...) NOT-FOR-US: XOOPS CVE-2007-2542 (PHP remote file inclusion vulnerability in header.php in workbench sur ...) NOT-FOR-US: workbench survival guide CVE-2007-2541 (PHP remote file inclusion vulnerability in includes/ajax_listado.php i ...) NOT-FOR-US: Versado CVE-2007-2540 (Multiple PHP remote file inclusion vulnerabilities in PMECMS 1.0 and e ...) NOT-FOR-US: PMECMS CVE-2007-2539 (The show_files function in RunCms 1.5.2 and earlier allows remote atta ...) NOT-FOR-US: RunCms CVE-2007-2538 (SQL injection vulnerability in class/debug/debug_show.php in RunCms 1. ...) NOT-FOR-US: RunCms CVE-2007-2537 (Multiple SQL injection vulnerabilities in mainfile.php in NPDS 5.10 an ...) NOT-FOR-US: NPDS CVE-2007-2536 (PicoZip allows remote attackers to cause a denial of service (infinite ...) NOT-FOR-US: Picozip CVE-2007-2535 (WinAce allows remote attackers to cause a denial of service (infinite ...) NOT-FOR-US: WinAce CVE-2007-2534 NOT-FOR-US: phpHoo3 CVE-2007-2533 (Multiple buffer overflows in Trend Micro ServerProtect 5.58 before Sec ...) NOT-FOR-US: Trend Micro ServerProtect CVE-2007-2532 (Multiple cross-site scripting (XSS) vulnerabilities in Minh Nguyen Duo ...) NOT-FOR-US: Minh Nguyen Duong Obie Website Mini Web Shop CVE-2007-2531 (PHP remote file inclusion vulnerability in berylium-classes.php in Ber ...) NOT-FOR-US: Berylium2 CVE-2007-2530 (Multiple PHP remote file inclusion vulnerabilities in Tropicalm Crowel ...) NOT-FOR-US: Tropicalm CVE-2007-2529 (Integer signedness error in the acl (facl) system call in Solaris 10 b ...) NOT-FOR-US: Solaris 10 CVE-2007-2528 (Buffer overflow in AgRpcCln.dll for Trend Micro ServerProtect 5.58 for ...) NOT-FOR-US: Trend Micro ServerProtect CVE-2007-2527 (Multiple PHP remote file inclusion vulnerabilities in DynamicPAD befor ...) NOT-FOR-US: DynamicPAD CVE-2007-2526 (Heap-based buffer overflow in the ConnectAsyncEx function in VNC Viewe ...) NOT-FOR-US: VNC Viewer ActiveX control CVE-2007-2525 (Memory leak in the PPP over Ethernet (PPPoE) socket implementation in ...) {DSA-1503-2 DSA-1504-1 DSA-1503-1 DSA-1356-1} - linux-2.6 2.6.22-1 NOTE: Fixed in commit 202a03acf9994076055df40ae093a5c5474ad0bd in NOTE: Linus' tree. CVE-2007-2524 (Cross-site scripting (XSS) vulnerability in index.pl in Open Ticket Re ...) {DSA-1298-1} - otrs2 2.1.1-1 (bug #423524) NOTE: 2.1 and 2.2 are not affected, so recording earliest 2.1 version as fix CVE-2007-2523 (CA Anti-Virus for the Enterprise r8 and Threat Manager r8 before 20070 ...) NOT-FOR-US: CA Anti-Virus CVE-2007-2522 (Stack-based buffer overflow in the inoweb Console Server in CA Anti-Vi ...) NOT-FOR-US: CA Anti-Virus CVE-2007-2521 (PHP remote file inclusion vulnerability in common.php in E-GADS! befor ...) NOT-FOR-US: E-GADS! CVE-2007-2520 (SQL injection vulnerability in admin.php in MyNews 0.10, when magic_qu ...) NOT-FOR-US: MyNews CVE-2007-2519 (Directory traversal vulnerability in the installer in PEAR 1.0 through ...) - php5 5.2.3-1 (unimportant; bug #441433) - php4 (unimportant) NOTE: The installation of the PEAR needs to be trusted anyway, this doesn't NOTE: cross trust boundaries CVE-2007-2518 REJECTED CVE-2007-2517 RESERVED CVE-2007-2516 RESERVED CVE-2007-2515 RESERVED CVE-2007-2514 (Stack-based buffer overflow in XferWan.exe as used in multiple product ...) NOT-FOR-US: Symantec CVE-2007-2513 (Novell GroupWise 7 before SP2 20070524, and GroupWise 6 before 6.5 pos ...) NOT-FOR-US: Novell GroupWise CVE-2007-2512 (Alcatel-Lucent IP-Touch Telephone running OmniPCX Enterprise 7.0 and l ...) NOT-FOR-US: Alcatel-Lucent CVE-2007-2511 (Buffer overflow in the user_filter_factory_create function in PHP befo ...) {DTSA-39-1} - php5 5.2.2-1 NOTE: Only triggerable by malicious script CVE-2007-2510 (Buffer overflow in the make_http_soap_request function in PHP before 5 ...) {DSA-1295-1 DTSA-39-1} - php5 5.2.2-1 (low) CVE-2007-2509 (CRLF injection vulnerability in the ftp_putcmd function in PHP before ...) {DSA-1296-1 DSA-1295-1 DTSA-39-1 DTSA-40-1} - php5 5.2.2-1 (low) - php4 4.4.7-1 (low) CVE-2007-2508 (Multiple stack-based buffer overflows in Trend Micro ServerProtect 5.5 ...) NOT-FOR-US: Trend Micro CVE-2007-2507 (Directory traversal vulnerability in includes/download.php in Treble D ...) NOT-FOR-US: Treble Designs 1024 CMS CVE-2007-2506 (WebSpeed 3.x in OpenEdge 10.x in Progress Software Progress 9.1e, and ...) NOT-FOR-US: OpenEdge WebSpeed CVE-2007-2505 (Stack-based buffer overflow in InterVations MailCOPA 8.01 20070323 all ...) NOT-FOR-US: MailCOPA CVE-2007-2504 NOT-FOR-US: PHP Turbulence CVE-2007-2503 NOT-FOR-US: PHP Turbulence CVE-2007-2502 (Unspecified vulnerability in HP ProCurve 9300m Series switches with so ...) NOT-FOR-US: HP ProCurve 9300m Series switches CVE-2007-2501 (Eval injection vulnerability in codepress.html in CodePress before 0.9 ...) NOT-FOR-US: CodePress CVE-2007-2500 (server/parser/sprite_definition.cpp in GNU Gnash (aka GNU Flash Player ...) {DTSA-48-1} - gnash 0.7.2+cvs20070518.1557-1 (bug #423433) CVE-2007-2499 (Multiple cross-site scripting (XSS) vulnerabilities in DVDdb 0.6 and e ...) NOT-FOR-US: DVDdb CVE-2007-2498 (libmp4v2.dll in Winamp 5.02 through 5.34 allows user-assisted remote a ...) NOT-FOR-US: Winamp CVE-2007-2497 (RealNetworks RealPlayer 10 Gold allows remote attackers to cause a den ...) NOT-FOR-US: RealPlayer NOTE: helix-player not affected CVE-2007-2496 (The WordOCX ActiveX control in WordViewer.ocx 3.2.0.5 allows remote at ...) NOT-FOR-US: WordViewer.ocx CVE-2007-2495 (Multiple stack-based buffer overflows in the ExcelOCX ActiveX control ...) NOT-FOR-US: ExcelViewer .ocx CVE-2007-2494 (Multiple stack-based buffer overflows in the PowerPointOCX ActiveX con ...) NOT-FOR-US: PowerPointViewer .ocx CVE-2007-2493 (PHP remote file inclusion vulnerability in faq.php in the FAQ & RU ...) NOT-FOR-US: FAQ & RULES module for mxBB CVE-2007-2492 (SQL injection vulnerability in index.php in the v4bJournal module for ...) NOT-FOR-US: v4bJournal module for PostNuke CVE-2007-2491 (The PIIX4 power management subsystem in EMC VMware Workstation 5.5.3.3 ...) NOT-FOR-US: EMC VMware CVE-2007-2490 (Unspecified vulnerability in LiveData Server before 5.00.62 allows rem ...) NOT-FOR-US: LiveData Server CVE-2007-2489 (Heap-based buffer overflow in LiveData Protocol Server 5.00.045, and o ...) NOT-FOR-US: LiveData Protocol Server CVE-2007-2487 (Stack-based buffer overflow in AtomixMP3 allows remote attackers to ex ...) NOT-FOR-US: AtomixMP3 CVE-2007-2486 (Directory traversal vulnerability in download.asp in Motobit 1.3 and 1 ...) NOT-FOR-US: Motobit CVE-2007-2485 (PHP remote file inclusion vulnerability in myflash-button.php in the m ...) NOT-FOR-US: myflash plugin for WordPress CVE-2007-2484 (PHP remote file inclusion vulnerability in js/wptable-button.php in th ...) NOT-FOR-US: wp-Table plugin for WordPress CVE-2007-2483 (Directory traversal vulnerability in js/wptable-button.php in the wp-T ...) NOT-FOR-US: wp-Table plugin for WordPress CVE-2007-2482 (Directory traversal vulnerability in wordtube-button.php in the wordTu ...) NOT-FOR-US: wordTube plugin for WordPress CVE-2007-2481 (PHP remote file inclusion vulnerability in wordtube-button.php in the ...) NOT-FOR-US: wordTube plugin for WordPress CVE-2006-7202 (The dofreePDF function in includes/pdf.php in Mambo 4.6.1 does not pro ...) NOT-FOR-US: Mambo CVE-2007-XXXX [schroot may use outdated configuration information] - schroot (Upstream: "This bug was never present in a Debian release.") CVE-2007-2488 (The IAX2 channel driver (chan_iax2) in Asterisk before 20070504 does n ...) {DSA-1358-1} - asterisk 1:1.4.5~dfsg-1 (low) NOTE: no-dsa / unimportant candidate, the opposite side of the telephone line NOTE: could just as well hang-up NOTE: https://downloads.avaya.com/elmodocs2/security/ASA-2007-013.htm CVE-2007-2480 (The _udp_lib_get_port function in net/ipv4/udp.c in Linux kernel 2.6.2 ...) - linux-2.6 2.6.22-1 (medium) CVE-2007-2479 (Cerulean Studios Trillian Pro before 3.1.5.1 allows remote attackers t ...) NOT-FOR-US: Cerulean Trillian CVE-2007-2478 (Multiple heap-based buffer overflows in the IRC component in Cerulean ...) NOT-FOR-US: Cerulean Trillian CVE-2007-2477 NOT-FOR-US: phpMyChat CVE-2007-2476 (Unspecified vulnerability in Novell SecureLogin (NSL) 6 SP1 before 6.0 ...) NOT-FOR-US: Novell CVE-2007-2475 (Unspecified vulnerability in the ADSCHEMA utility in Novell SecureLogi ...) NOT-FOR-US: Novell CVE-2007-2474 (Multiple PHP remote file inclusion vulnerabilities in Turnkey Web Tool ...) NOT-FOR-US: Turnkey Web Tools SunShop Shopping Cart CVE-2007-2473 (SQL injection vulnerability in stylesheet.php in CMS Made Simple 1.0.5 ...) NOT-FOR-US: CMS Made Simple CVE-2007-2472 (Cross-site scripting (XSS) vulnerability in sendcard.php in Sendcard 3 ...) NOT-FOR-US: Sendcard CVE-2007-2471 (Directory traversal vulnerability in sendcard.php in Sendcard 3.4.1 an ...) NOT-FOR-US: Sendcard CVE-2007-2470 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Fi ...) NOT-FOR-US: FileRun CVE-2007-2469 (SQL injection vulnerability in index.php in FileRun 1.0 and earlier al ...) NOT-FOR-US: FileRun CVE-2007-2468 (Unspecified vulnerability in HP OpenVMS for Integrity Servers 8.2-1 an ...) NOT-FOR-US: HP OpenVMS CVE-2007-2467 (ZoneAlarm Pro 6.5.737.000, 6.1.744.001, and possibly earlier versions ...) NOT-FOR-US: Check Point Zone Labs ZoneAlarm Internet Security Suite CVE-2007-2466 (Unspecified vulnerability in the LDAP Software Development Kit (SDK) f ...) NOT-FOR-US: Sun Java System Directory Server CVE-2007-2465 (Unspecified vulnerability in Sun Solaris 9, when Solaris Auditing (BSM ...) NOT-FOR-US: Sun Solaris CVE-2007-2464 (Race condition in Cisco Adaptive Security Appliance (ASA) and PIX 7.1 ...) NOT-FOR-US: Cisco CVE-2007-2463 (Unspecified vulnerability in Cisco Adaptive Security Appliance (ASA) a ...) NOT-FOR-US: Cisco CVE-2007-2462 (Unspecified vulnerability in Cisco Adaptive Security Appliance (ASA) a ...) NOT-FOR-US: Cisco CVE-2007-2461 (The DHCP relay agent in Cisco Adaptive Security Appliance (ASA) and PI ...) NOT-FOR-US: Cisco CVE-2007-2460 (PHP remote file inclusion vulnerability in modules/admin/include/confi ...) NOT-FOR-US: FireFly CVE-2007-2459 (Heap-based buffer overflow in the BMP reader (bmp.c) in Imager perl mo ...) {DSA-1498-1} - libimager-perl 0.58-1 (bug #421582) CVE-2007-2458 (Multiple PHP remote file inclusion vulnerabilities in Pixaria Gallery ...) NOT-FOR-US: Pixaria Gallery CVE-2007-2457 (PHP remote file inclusion vulnerability in resources/includes/class.Sm ...) NOT-FOR-US: Pixaria Gallery CVE-2007-2456 (Multiple PHP remote file inclusion vulnerabilities in FireFly 1.1.01 a ...) NOT-FOR-US: FireFly CVE-2007-2455 (Parallels allows local users to cause a denial of service (virtual mac ...) NOT-FOR-US: Parallels CVE-2007-2454 (Heap-based buffer overflow in the VGA device in Parallels allows local ...) NOT-FOR-US: Parallels CVE-2007-2453 (The random number feature in Linux kernel 2.6 before 2.6.20.13, and 2. ...) {DSA-1356-1} - linux-2.6 2.6.21-5 (low) CVE-2007-2452 (Heap-based buffer overflow in the visit_old_format function in locate/ ...) - findutils 4.2.31-1 (low; bug #426862) [sarge] - findutils (Not vulnerable in default configuration, minor issue) [etch] - findutils 4.2.28-1etch1 (low) CVE-2007-2451 (Unspecified vulnerability in drivers/crypto/geode-aes.c in GEODE-AES i ...) - linux-2.6 2.6.21-3 [etch] - linux-2.6 (Vulnerable code not present, introduced in 2.6.20) CVE-2007-2450 (Multiple cross-site scripting (XSS) vulnerabilities in the (1) Manager ...) {DSA-1468-1} - tomcat4 (low) - tomcat5 (low) - tomcat5.5 5.5.25-1 (low) [sarge] - tomcat4 (Contrib not supported) CVE-2007-2449 (Multiple cross-site scripting (XSS) vulnerabilities in certain JSP fil ...) - tomcat4 (unimportant) - tomcat5 (unimportant) - tomcat5.5 5.5.25-1 (unimportant) NOTE: Only present in the examples, not in production code CVE-2007-2448 (Subversion 1.4.3 and earlier does not properly implement the "partial ...) - subversion 1.4.4dfsg1-1 (bug #428194; low) [etch] - subversion (Minor issue) [sarge] - subversion (Minor issue) CVE-2007-2447 (The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allo ...) {DSA-1291-2 DTSA-41-1} - samba 3.0.25-1 (high) CVE-2007-2446 (Multiple heap-based buffer overflows in the NDR parsing in smbd in Sam ...) {DSA-1291-2 DTSA-41-1} - samba 3.0.25-1 (high) CVE-2007-2445 (The png_handle_tRNS function in pngrutil.c in libpng before 1.0.25 and ...) {DSA-1613-1} - libgd2 2.0.35.dfsg-1 (low) [etch] - libgd2 2.0.33-5.2etch1 (low) - libpng 1.2.15~beta5-2 - libpng3 [etch] - libpng 1.2.15~beta5-1+etch2 NOTE: Only a crash, no code injection. Calling this DoS stretches things rather far CVE-2007-2444 (Logic error in the SID/Name translation functionality in smbd in Samba ...) {DSA-1291-2 DTSA-41-1} - samba 3.0.25-1 CVE-2007-2443 (Integer signedness error in the gssrpc__svcauth_unix function in svc_a ...) {DSA-1323-1} - krb5 1.6.dfsg.1-5 (bug #430787; medium) CVE-2007-2442 (The gssrpc__svcauth_gssapi function in the RPC library in MIT Kerberos ...) {DSA-1323-1} - krb5 1.6.dfsg.1-5 (bug #430787; high) CVE-2007-2441 (Caucho Resin Professional 3.1.0 and Caucho Resin 3.1.0 and earlier for ...) NOT-FOR-US: Caucho Resin Professional CVE-2007-2440 (Directory traversal vulnerability in Caucho Resin Professional 3.1.0 a ...) NOT-FOR-US: Caucho Resin Professional CVE-2007-2439 (Caucho Resin Professional 3.1.0 and Caucho Resin 3.1.0 and earlier for ...) NOT-FOR-US: Caucho Resin Professional CVE-2007-2438 (The sandbox for vim allows dangerous functions such as (1) writefile, ...) {DSA-1364-2 DSA-1364-1} - vim 1:7.1-022+1 (bug #435401; low) [sarge] - vim (Vulnerable code not present) NOTE: Exploitable through modelines, needs to be used with care in any case CVE-2007-2437 (The X render (Xrender) extension in X.org X Window System 7.0, 7.1, an ...) - xorg-server 2:1.3.0.0.dfsg-4 (unimportant; bug #422936) NOTE: etch vulnerable (patch below applies) NOTE: git url to fix the issue NOTE: http://gitweb.freedesktop.org/?p=xorg/xserver.git;a=commitdiff;h=71fc5b3e9309182978ead676965d65ca93a4e3b9 NOTE: Not considered a security problem, only exploitable by authenticated users NOTE: If an attacker convinces such a user to run his exploit code blindly she could NOTE: just as well provide a binary which does more harm CVE-2007-2436 REJECTED CVE-2007-2435 (Sun Java Web Start in JDK and JRE 5.0 Update 10 and earlier, and Java ...) - sun-java5 1.5.0-11-1 (medium; bug #423062) [etch] - sun-java5 1.5.0-14-1etch1 CVE-2007-2434 (Buffer overflow in asnsp.dll in Aventail Connect 4.1.2.13 allows remot ...) NOT-FOR-US: Aventail Connect CVE-2007-2433 (Cross-site scripting (XSS) vulnerability in index.php in Ariadne 2.4.1 ...) NOT-FOR-US: Ariadne CVE-2007-2432 (Cross-site scripting (XSS) vulnerability in utilities/search.asp in nu ...) NOT-FOR-US: Nukedit CVE-2007-2431 (Dynamic variable evaluation vulnerability in shared/config/tce_config. ...) NOT-FOR-US: TCExam CVE-2007-2430 (shared/code/tce_tmx.php in TCExam 4.0.011 and earlier allows remote at ...) NOT-FOR-US: TCExam CVE-2007-2429 (ManageEngine PasswordManager Pro (PMP) allows remote attackers to obta ...) NOT-FOR-US: ManageEngine PasswordManager Pro (PMP) CVE-2007-2428 (Multiple PHP remote file inclusion vulnerabilities in page.php in Ahhp ...) NOT-FOR-US: Ahhp-Portal CVE-2007-2427 (SQL injection vulnerability in index.php in the pnFlashGames 1.5 modul ...) NOT-FOR-US: pnFlashGames CVE-2007-2426 (PHP remote file inclusion vulnerability in myfunctions/mygallerybrowse ...) NOT-FOR-US: myGallery CVE-2007-2425 (Directory traversal vulnerability in fileview.php in Imageview 5.3 all ...) NOT-FOR-US: Imageview CVE-2007-2424 (PHP remote file inclusion vulnerability in help/index.php in The Merch ...) NOT-FOR-US: The Merchant CVE-2007-2423 (Cross-site scripting (XSS) vulnerability in index.php in MoinMoin 1.5. ...) {DSA-1514-1} - moin 1.5.7-3 (medium; bug #422408) CVE-2007-2422 NOT-FOR-US: Comdev One Admin CVE-2007-2421 (Buffer overflow in Hitachi Groupmax Mobile Option for Mobile-Phone 07- ...) NOT-FOR-US: Hitachi Groupmax CVE-2007-2420 (SQL injection vulnerability in bry.asp in Burak Yilmaz Blog 1.0 allows ...) NOT-FOR-US: Burak Yilmaz Blog CVE-2007-2419 (Multiple buffer overflows in an ActiveX control (boisweb.dll) in Macro ...) NOT-FOR-US: Macrovision CVE-2007-2418 (Heap-based buffer overflow in the Rendezvous / Extensible Messaging an ...) NOT-FOR-US: Cerulean Trillian CVE-2007-2417 (Heap-based buffer overflow in _mprosrv.exe in Progress Software Progre ...) NOT-FOR-US: Progress Software Progress and OpenEdge CVE-2007-2416 (SQL injection vulnerability in home.php in E-Annu allows remote attack ...) NOT-FOR-US: E-Annu CVE-2007-2415 (Pi3Web Web Server 2.0.3 PL1 allows remote attackers to cause a denial ...) NOT-FOR-US: Pi3Web Web Server CVE-2007-2414 (MyServer before 0.8.8 allows remote attackers to cause a denial of ser ...) NOT-FOR-US: MyServer CVE-2007-2413 REJECTED CVE-2007-2412 NOT-FOR-US: Seir Anphin CVE-2007-2411 NOT-FOR-US: Sphider CVE-2007-2410 (WebCore on Apple Mac OS X 10.3.9 and 10.4.10 retains properties of cer ...) NOT-FOR-US: Mac OS X CVE-2007-2409 (Cross-domain vulnerability in WebCore on Apple Mac OS X 10.3.9 and 10. ...) NOT-FOR-US: Mac OS X CVE-2007-2408 (WebKit in Apple Safari 3 Beta before Update 3.0.3 does not properly re ...) NOT-FOR-US: Apple Safari CVE-2007-2407 (The Samba server on Apple Mac OS X 10.3.9 and 10.4.10, when Windows fi ...) - samba (MacOS/Apple-specific vulnerability) CVE-2007-2406 (Quartz Composer on Apple Mac OS X 10.4.10 does not initialize a certai ...) NOT-FOR-US: Mac OS X CVE-2007-2405 (Integer underflow in Preview in PDFKit on Apple Mac OS X 10.4.10 allow ...) NOT-FOR-US: Mac OS X CVE-2007-2404 (CRLF injection vulnerability in CFNetwork on Apple Mac OS X 10.3.9 and ...) NOT-FOR-US: Mac OS X CVE-2007-2403 (CFNetwork on Apple Mac OS X 10.3.9 and 10.4.10 does not properly valid ...) NOT-FOR-US: Mac OS X CVE-2007-2402 (QuickTime for Java in Apple Quicktime before 7.2 does not perform suff ...) NOT-FOR-US: Apple Quicktime CVE-2007-2401 (CRLF injection vulnerability in WebCore in Apple Mac OS X 10.3.9, 10.4 ...) NOT-FOR-US: Apple CVE-2007-2400 (Race condition in Apple Safari 3 Beta before 3.0.2 on Mac OS X, Window ...) NOT-FOR-US: Apple CVE-2007-2399 (WebKit in Apple Mac OS X 10.3.9, 10.4.9 and later, and iPhone before 1 ...) NOT-FOR-US: Apple CVE-2007-2398 (Apple Safari 3.0.1 beta (522.12.12) on Windows allows remote attackers ...) NOT-FOR-US: Apple Safari CVE-2007-2397 (QuickTime for Java in Apple Quicktime before 7.2 does not properly che ...) NOT-FOR-US: Apple Quicktime CVE-2007-2396 (The JDirect support in QuickTime for Java in Apple Quicktime before 7. ...) NOT-FOR-US: Apple Quicktime CVE-2007-2395 (Unspecified vulnerability in Apple QuickTime before 7.3 allows remote ...) NOT-FOR-US: Apple QuickTime CVE-2007-2394 (Integer overflow in Apple Quicktime before 7.2 on Mac OS X 10.3.9 and ...) NOT-FOR-US: Apple Quicktime CVE-2007-2393 (The design of QuickTime for Java in Apple Quicktime before 7.2 allows ...) NOT-FOR-US: Apple Quicktime CVE-2007-2392 (Apple Quicktime before 7.2 on Mac OS X 10.3.9 and 10.4.9 allows user-a ...) NOT-FOR-US: Apple Quicktime CVE-2007-2391 (Cross-site scripting (XSS) vulnerability in Apple Safari Beta 3.0.1 fo ...) NOT-FOR-US: Apple CVE-2007-2390 (Buffer overflow in iChat in Apple Mac OS X 10.3.9 and 10.4.9 allows re ...) NOT-FOR-US: Apple CVE-2007-2389 (Apple QuickTime for Java 7.1.6 on Mac OS X and Windows does not clear ...) NOT-FOR-US: Apple CVE-2007-2388 (Apple QuickTime for Java 7.1.6 on Mac OS X and Windows does not proper ...) NOT-FOR-US: Apple CVE-2007-2387 (Apple Xserve Lights-Out Management before Firmware Update 1.0 on Intel ...) NOT-FOR-US: Apple CVE-2007-2386 (Buffer overflow in mDNSResponder in Apple Mac OS X 10.4 up to 10.4.9 a ...) NOT-FOR-US: Apple mDNSResponder CVE-2007-2385 (The Yahoo! UI framework exchanges data using JavaScript Object Notatio ...) - yui (unimportant; bug #557745) - bcfg2 (present in source but not included in any binary files) - serendipity 1.5.3-1 (low; bug #557746) - moodle (uses system libjs-yui) - jifty 0.91117-1 (low; bug #557748) - webgui (uses system libjs-yui) - loggerhead (uses system libjs-yui) NOTE: see https://web.archive.org/web/20071105202514/http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf NOTE: This allows to steal data from affected websites. Therefore web applications should NOTE: only be considered vunerabile if they process confidential data. NOTE: The frameworks should be fixed in any case. CVE-2007-2384 (The Script.aculo.us framework exchanges data using JavaScript Object N ...) NOTE: see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf NOTE: This allows to steal data from affected websites. Therefore web applications should NOTE: only be considered vunerabile if they process confidential data. NOTE: The frameworks should be fixed in any case. CVE-2007-2383 (The Prototype (prototypejs) framework before 1.5.1 RC3 exchanges data ...) {DSA-1952-1} - prototypejs (fixed before initial upload) - auth2db 0.2.5-2+dfsg-1 (low; bug #555217) - asterisk 1:1.6.2.0~rc3-1 (low; bug #555220) [etch] - asterisk (minor issue) [lenny] - asterisk (minor issue) - libaws 2.7-1 (low; bug #555221) [etch] - libaws (minor issue) [lenny] - libaws (minor issue) - libjson-ruby (has prototype.js >= 1.5.1) - lucene2 2.9.1+ds1-2 (low; bug #555225) [etch] - lucene2 (prototype.js not present) [lenny] - lucene2 (minor issue) - glpi 0.72.3-1 (low; bug #555228) [etch] - glpi (minor issue) [lenny] - glpi (minor issue) - knowledgeroot 0.9.9.5-1 (low; bug #555229) [etch] - knowledgeroot (minor issue) [lenny] - knowledgeroot (Uses the prototype.js copy from scriptaculous) - mt-daapd 0.9~r1696.dfsg-6 (low; bug #555231) [etch] - mt-daapd (minor issue) - mediatomb 0.11.0-3 (low; bug #555232) - op-panel 0.30~dfsg-1 (low; bug #555234) - ebug-http 0.31-2.1 (low; bug #555235) [lenny] - ebug-http (Minor issue) - poker-network 1.7.6-1 (low; bug #555237) [etch] - poker-network (minor issue) - webhelpers (fixed since initial inclusion) - qwik (low; bug #555240) [etch] - qwik (minor issue) [lenny] - qwik (minor issue) - wordpress (fixed since initial inclusion) - exaile (fixed since initial inclusion) - hobix 0.5~svn20070319-4 (low; bug #555246) [lenny] - hobix (minor issue) - pixelpost 1.7.1-6 (low; bug #555248) [lenny] - pixelpost (minor issue) - symfony 1.0.21-1.1 (low; bug #555250) [lenny] - symfony (minor issue) - jscropperui 1.2.1-1 (low; bug #555255) [lenny] - jscropperui (minor issue) - rt-extension-emailcompletion (fixed since initial inclusion) - scriptaculous (fixed since initial inclusion) - activeldap (fixed since initial inclusion) - mantis (fixed since initial inclusion) - otrs2 (fixed since initial inclusion) - webcalendar 1.2~b1-2 (low; bug #555268) [lenny] - webcalendar (prototype.js not present) - plone3 (low; bug #555274) - wesnoth (fixed since initial inclusion) - libhtml-prototype-perl 1.48-3 (low; bug #558977) [etch] - libhtml-prototype-perl (minor issue) [lenny] - libhtml-prototype-perl (minor issue) NOTE: see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf NOTE: This allows to steal data from affected websites. Therefore web applications should NOTE: only be considered vunerabile if they process confidential data. NOTE: The frameworks should be fixed in any case. CVE-2007-2382 (The Moo.fx framework exchanges data using JavaScript Object Notation ( ...) NOT-FOR-US: Moo.fx framework NOTE: see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf NOTE: This allows to steal data from affected websites. Therefore web applications should NOTE: only be considered vunerabile if they process confidential data. NOTE: The frameworks should be fixed in any case. CVE-2007-2381 (The MochiKit framework exchanges data using JavaScript Object Notation ...) NOTE: see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf NOTE: This allows to steal data from affected websites. Therefore web applications should NOTE: only be considered vunerabile if they process confidential data. NOTE: The frameworks should be fixed in any case. CVE-2007-2380 (The Microsoft Atlas framework exchanges data using JavaScript Object N ...) NOT-FOR-US: Microsoft Atlas CVE-2007-2379 (The jQuery framework exchanges data using JavaScript Object Notation ( ...) - jquery (unimportant) NOTE: the paper in this reference is a guideline on how to avoid writing unsafe jquery applications. there really isn't anything to fix in the library itself. NOTE: https://www.fortify.com/vulncat/en/vulncat/javascript/javascript_hijacking_ad_hoc_ajax.html CVE-2007-2378 (The Google Web Toolkit (GWT) framework exchanges data using JavaScript ...) - gwt (unimportant; bug #563542) NOTE: javascript security guidelines provided to developers to avoid these issues NOTE: https://developers.google.com/web-toolkit/articles/security_for_gwt_applications CVE-2007-2377 (The Getahead Direct Web Remoting (DWR) framework 1.1.4 exchanges data ...) NOT-FOR-US: Getahead Direct Web Remoting CVE-2007-2376 (The Dojo framework exchanges data using JavaScript Object Notation (JS ...) NOT-FOR-US: Dojo CVE-2007-2375 (The agent remote upgrade interface in Symantec Enterprise Security Man ...) NOT-FOR-US: Symantec CVE-2007-2374 (Unspecified vulnerability in Microsoft Windows 2000, XP, and Server 20 ...) NOT-FOR-US: Microsoft CVE-2007-2373 (SQL injection vulnerability in viewcat.php in the WF-Links (wflinks) 1 ...) NOT-FOR-US: WF-Links (wflinks) module for XOOPS CVE-2007-2372 (admin/send_mod.php in Gregory Kokanosky phpMyNewsletter 0.8 beta5 and ...) NOT-FOR-US: phpMyNewsletter CVE-2007-2371 (admin/index.php in Gregory Kokanosky phpMyNewsletter 0.8 beta5 and ear ...) NOT-FOR-US: phpMyNewsletter CVE-2007-2370 (SQL injection vulnerability in index.php in the John Mordo Jobs 2.4 an ...) NOT-FOR-US: Jobs module for XOOPS CVE-2007-2369 (Directory traversal vulnerability in picture.php in WebSPELL 4.01.02 a ...) NOT-FOR-US: WebSPELL CVE-2007-2368 (picture.php in WebSPELL 4.01.02 and earlier allows remote attackers to ...) NOT-FOR-US: WebSPELL CVE-2007-2367 (Buffer overflow in wserve_console.exe in Wserve HTTP Server (whttp) 4. ...) NOT-FOR-US: Wserve HTTP Server (whttp) CVE-2007-2366 (Buffer overflow in Corel Paint Shop Pro 11.20 allows user-assisted rem ...) NOT-FOR-US: Corel CVE-2007-2365 (Buffer overflow in Adobe Photoshop CS2 and CS3, Photoshop Elements 5.0 ...) NOT-FOR-US: Adobe CVE-2007-2364 (Multiple PHP remote file inclusion vulnerabilities in burnCMS 0.2 and ...) NOT-FOR-US: burnCMS CVE-2007-2363 (Buffer overflow in IrfanView 4.00 and earlier allows user-assisted rem ...) NOT-FOR-US: IrfanView CVE-2007-2362 (Multiple buffer overflows in MyDNS 1.1.0 allow remote attackers to (1) ...) {DSA-1434-1 DTSA-36-1} - mydns 1:1.1.0-8 [sarge] - mydns (Vulnerable code not present) CVE-2007-2361 (Symantec Norton Ghost, Norton Save & Recovery, LiveState Recovery, ...) NOT-FOR-US: Symantec CVE-2007-2360 (Symantec Norton Ghost, Norton Save & Recovery, LiveState Recovery, ...) NOT-FOR-US: Symantec CVE-2007-2359 (Buffer overflow in Ghost Service Manager, as used in Symantec Norton G ...) NOT-FOR-US: Symantec CVE-2007-2358 - b2evolution (Debian's version does not contain the affected variables) CVE-2007-2357 (Cross-site scripting (XSS) vulnerability in mods/Core/result.php in Si ...) NOT-FOR-US: SineCms CVE-2007-2356 (Stack-based buffer overflow in the set_color_table function in sunras. ...) {DSA-1301-1} - gimp 2.2.14-2 CVE-2007-2355 (The get_url function in DODS_Dispatch.pm for the CGI_server in OPeNDAP ...) NOT-FOR-US: OPeNDAP CVE-2007-2354 (Progress Webspeed Messenger allows remote attackers to obtain sensitiv ...) NOT-FOR-US: Progress Webspeed Messenger CVE-2007-2353 (Apache Axis 1.0 allows remote attackers to obtain sensitive informatio ...) - axis (unimportant) NOTE: only path disclosure CVE-2007-2352 (Multiple format string vulnerabilities in AFFLIB 2.2.6 allow remote at ...) NOT-FOR-US: AFFLIB CVE-2007-2351 (Unspecified vulnerability in the HP Power Manager Remote Agent (RA) 4. ...) NOT-FOR-US: HP Power Manager Remote Agent CVE-2007-2350 (admin/config.php in the music-on-hold module in freePBX 2.2.x allows r ...) NOT-FOR-US: freePBX CVE-2007-2349 (Cross-site scripting (XSS) vulnerability in Invision Power Board (IP.B ...) NOT-FOR-US: Invision Power Board CVE-2007-2348 (mirror --script in lftp before 3.5.9 does not properly quote shell met ...) - lftp 3.5.9-1 (unimportant) NOTE: Non-issue, also already documented as potentially risky CVE-2007-2347 (PHP remote file inclusion vulnerability in main/forum/komentar.php in ...) NOT-FOR-US: OneClick CMS CVE-2007-2346 (Multiple PHP remote file inclusion vulnerabilities in PHP-Generics 1.0 ...) NOT-FOR-US: PHP-Generics CVE-2007-2345 (PHP remote file inclusion vulnerability in include/include_stream.inc. ...) NOT-FOR-US: phpBrowse CVE-2007-2344 (The BOOTPD component in Enterasys NetSight Console 2.1 and NetSight In ...) NOT-FOR-US: Enterasys CVE-2007-2343 (Stack-based buffer overflow in the TFTPD component in Enterasys NetSig ...) NOT-FOR-US: Enterasys CVE-2007-2342 (SQL injection vulnerability in error.asp in CreaScripts CreaDirectory ...) NOT-FOR-US: CreaScripts Creadirectory CVE-2007-2341 (PHP remote file inclusion vulnerability in suite/index.php in phpBandM ...) NOT-FOR-US: phpBandManager CVE-2007-2340 (Multiple PHP remote file inclusion vulnerabilities in inc/include_all. ...) NOT-FOR-US: phporacleview CVE-2007-2339 (Multiple SQL injection vulnerabilities in Phorum before 5.1.22 allow r ...) NOT-FOR-US: Phorum CVE-2007-2338 (Cross-site request forgery (CSRF) vulnerability in include/admin/banli ...) NOT-FOR-US: Phorum CVE-2007-2337 (Multiple cross-site scripting (XSS) vulnerabilities in Exponent CMS 0. ...) NOT-FOR-US: Exponent CMS CVE-2007-2336 (Unspecified vulnerability in InterVations NaviCOPA Web Server 2.01 200 ...) NOT-FOR-US: NaviCOPA HTTP Server CVE-2007-2335 (Cross-site scripting (XSS) vulnerability in the RSS feed reader functi ...) NOT-FOR-US: Lunascape CVE-2007-2334 (Nortel VPN Router (aka Contivity) 1000, 2000, 4000, and 5000 before 5_ ...) NOT-FOR-US: Nortel CVE-2007-2333 (Nortel VPN Router (aka Contivity) 1000, 2000, 4000, and 5000 before 5_ ...) NOT-FOR-US: Nortel CVE-2007-2332 (Nortel VPN Router (aka Contivity) 1000, 2000, 4000, and 5000 before 6_ ...) NOT-FOR-US: Nortel CVE-2006-7201 (EMC RSA Security SiteKey does not set the secure qualifier on the Site ...) NOT-FOR-US: EMC RSA Security SiteKey CVE-2006-7200 (EMC RSA Security SiteKey issues challenge-bypass tokens that persist f ...) NOT-FOR-US: EMC RSA Security SiteKey CVE-2006-7199 (EMC RSA Security SiteKey allows remote attackers to display the correc ...) NOT-FOR-US: EMC RSA Security SiteKey CVE-2006-7198 (Unspecified vulnerability in IBM WebSphere Application Server (WAS) be ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2005-4839 (PureTLS before 0.9b5 does not clear optional Extensions and Algorithm. ...) NOT-FOR-US: PureTLS CVE-2007-2331 (PHP remote file inclusion vulnerability in cart.php in Shop-Script 2.0 ...) NOT-FOR-US: Shop-Script CVE-2007-2330 (PHP remote file inclusion vulnerability in includes_handler.php in Dyn ...) NOT-FOR-US: DynaTracker CVE-2007-2329 (PHP remote file inclusion vulnerability in searchbot.php in Searchacti ...) NOT-FOR-US: Searchactivity CVE-2007-2328 (PHP remote file inclusion vulnerability in addvip.php in phpMYTGP 1.4b ...) NOT-FOR-US: phpMYTGP CVE-2007-2327 (PHP remote file inclusion vulnerability in _editor.php in HTMLeditbox ...) NOT-FOR-US: HTMLeditbox CVE-2007-2326 (Multiple PHP remote file inclusion vulnerabilities in HYIP Manager Pro ...) - smarty (unimportant; bug #488523) - moodle 1.8.2-2 (unimportant; bug #488525) - gallery2 2.2.5-2 (unimportant; bug #488527) NOTE: this is a non-issue NOTE: to exploit this, the smarty files need to be installed in a http daemon accessible directory NOTE: (should be the case for embedded copies), however NOTE: additionally this relies on register_globals being switched on. CVE-2007-2325 (PHP remote file inclusion vulnerability in include.php in MyNewsGroups ...) NOT-FOR-US: MyNewsGroups CVE-2007-2324 (Directory traversal vulnerability in file.php in JulmaCMS 1.4 allows r ...) NOT-FOR-US: JulmaCMS CVE-2007-2323 (Multiple buffer overflows in the WinDVDX ActiveX control in InterVideo ...) NOT-FOR-US: InterVideo CVE-2007-2322 (NMMediaServer.exe in Nero MediaHome 2.5.5.0 and CE 1.3.0.4 allows remo ...) NOT-FOR-US: Nero CVE-2007-2321 (Unspecified vulnerability in the search functionality in SilverStripe ...) NOT-FOR-US: SilverStripe CVE-2007-2320 (SQL injection vulnerability in kontakt.php in Papoo 3.02 and earlier a ...) NOT-FOR-US: Papoo CVE-2007-2319 (PHP remote file inclusion vulnerability in the AutoStand 1.1 and earli ...) NOT-FOR-US: AutoStand CVE-2007-2318 (Multiple format string vulnerabilities in FileZilla before 2.2.32 allo ...) - filezilla 3.0.0~beta2-3 (bug #421776) NOTE: http://sourceforge.net/project/shownotes.php?release_id=501534&group_id=21558 CVE-2007-2317 (Multiple PHP remote file inclusion vulnerabilities in MiniBB Forum 1.5 ...) NOT-FOR-US: MiniBB CVE-2007-2316 (Unspecified vulnerability in the admin script in Open Business Managem ...) NOT-FOR-US: Open Business Management CVE-2007-2315 (MiniShare 1.5.4, and possibly earlier, allows remote attackers to caus ...) NOT-FOR-US: MiniShare CVE-2007-2314 (Multiple SQL injection vulnerabilities in Crea-Book 1.0, and possibly ...) NOT-FOR-US: Crea-Book CVE-2007-2313 (PHP remote file inclusion vulnerability in getinfo1.php in the Shotcas ...) NOT-FOR-US: Shotcast module for mxBB CVE-2007-2312 (Multiple SQL injection vulnerabilities in the Virtual War (VWar) 1.5.0 ...) NOT-FOR-US: Virtual War (VWar) CVE-2007-2311 NOT-FOR-US: BlooFoxCMS CVE-2007-2310 (Cross-site scripting (XSS) vulnerability in plugins/spaw/img_popup.php ...) NOT-FOR-US: BloofoxCMS CVE-2007-2309 (Cross-site scripting (XSS) vulnerability in cas.php in FloweRS 2.0 all ...) NOT-FOR-US: FloweRS CVE-2007-2308 (Cross-site scripting (XSS) vulnerability in cas.php in FloweRS 2.0 all ...) NOT-FOR-US: FloweRS CVE-2007-2307 (PHP remote file inclusion vulnerability in engine/engine.inc.php in We ...) NOT-FOR-US: WebKalk2 CVE-2007-2306 (Multiple cross-site scripting (XSS) vulnerabilities in the Virtual War ...) NOT-FOR-US: Virtual War (VWar) CVE-2007-2305 (Multiple SQL injection vulnerabilities in authenticate.php in Quick an ...) NOT-FOR-US: QDBlog CVE-2007-2304 (Multiple directory traversal vulnerabilities in Quick and Dirty Blog ( ...) NOT-FOR-US: QDBlog CVE-2007-2303 (Directory traversal vulnerability in includes/footer.php in News Manag ...) NOT-FOR-US: NMDeluxe CVE-2007-2302 (PHP remote file inclusion vulnerability in autoindex.php in Expow 0.8 ...) NOT-FOR-US: Expow CVE-2007-2301 (Multiple PHP remote file inclusion vulnerabilities in audioCMS arash 0 ...) NOT-FOR-US: audioCMS CVE-2007-2300 (Multiple cross-site scripting (XSS) vulnerabilities in Endy Kristanto ...) NOT-FOR-US: phpwebnews CVE-2007-2299 (Multiple SQL injection vulnerabilities in Frogss CMS 0.7 and earlier a ...) NOT-FOR-US: CMS Frogss CVE-2007-2298 (Multiple PHP remote file inclusion vulnerabilities in Garennes 0.6.1 a ...) NOT-FOR-US: Garennes CVE-2007-2297 (The SIP channel driver (chan_sip) in Asterisk before 1.2.18 and 1.4.x ...) {DSA-1358-1} - asterisk 1:1.4.2~dfsg-1 (medium; bug #419820) [sarge] - asterisk (correctly logs a warning) CVE-2007-2296 (Integer overflow in the FlipFileTypeAtom_BtoN function in Apple Quickt ...) NOT-FOR-US: Apple QuickTime CVE-2007-2295 (Heap-based buffer overflow in the JVTCompEncodeFrame function in Apple ...) NOT-FOR-US: Apple QuickTime CVE-2007-2294 (The Manager Interface in Asterisk before 1.2.18 and 1.4.x before 1.4.3 ...) {DSA-1358-1} - asterisk 1:1.4.3~dfsg-1 (low) NOTE: Etch and Sarge affected NOTE: https://downloads.avaya.com/elmodocs2/security/ASA-2007-012.htm CVE-2007-2293 (Multiple stack-based buffer overflows in the process_sdp function in c ...) - asterisk 1:1.4.3~dfsg-1 (high) [sarge] - asterisk (1.0.x not affected) [etch] - asterisk (1.2.x not affected) [lenny] - asterisk (vulnerable code not present) NOTE: https://downloads.avaya.com/elmodocs2/security/ASA-2007-010.htm CVE-2007-2292 (CRLF injection vulnerability in the Digest Authentication support for ...) {DSA-1401-1 DSA-1396-1 DSA-1392-1 DTSA-69-1 DTSA-80-1} - iceweasel 2.0.0.8-1 (low) - xulrunner 1.8.1.9-1 - iceape 1.1.5 CVE-2007-2291 (CRLF injection vulnerability in the Digest Authentication support for ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2007-2290 (Multiple PHP remote file inclusion vulnerabilities in B2 Weblog and Ne ...) NOT-FOR-US: B2 Weblog NOTE: Debian's b2evolution does not contain the string "b2inc", NOTE: and does not seem to suffer from this vulnerability. CVE-2007-2289 (PHP remote file inclusion vulnerability in admin/includes/spaw/dialogs ...) NOT-FOR-US: Download-Engine CVE-2007-2288 (PHP remote file inclusion vulnerability in info.php in Doruk100.net do ...) NOT-FOR-US: doruk100net CVE-2007-2287 (PHP remote file inclusion vulnerability in accept.php in comus 2.0 Fin ...) NOT-FOR-US: comus CVE-2007-2286 (PHP remote file inclusion vulnerability in config.php in Built2Go PHP ...) NOT-FOR-US: Built2Go CVE-2007-2285 (Directory traversal vulnerability in examples/layout/feed-proxy.php in ...) NOT-FOR-US: Jack Slocum Ext CVE-2007-2284 (Buffer overflow in ABC-View Manager 1.42 allows user-assisted remote a ...) NOT-FOR-US: ABC-View Manager CVE-2007-2283 (Buffer overflow in Fresh View 7.15 allows user-assisted remote attacke ...) NOT-FOR-US: Fresh View CVE-2007-2282 (Cisco Network Services (CNS) NetFlow Collection Engine (NFC) before 6. ...) NOT-FOR-US: Cisco CVE-2007-2281 (Integer overflow in the _ncp32._NtrpTCPReceiveMsg function in rds.exe ...) NOT-FOR-US: HP OpenView Storage Data Protector CVE-2007-2280 (Stack-based buffer overflow in OmniInet.exe (aka the backup client ser ...) NOT-FOR-US: HP OpenView Storage Data Protector CVE-2007-2279 (The Scheduler Service (VxSchedService.exe) in Symantec Storage Foundat ...) NOT-FOR-US: Symantec CVE-2007-2278 (Multiple PHP remote file inclusion vulnerabilities in DCP-Portal 6.1.1 ...) NOT-FOR-US: DCP-Portal CVE-2007-2277 (Session fixation vulnerability in Plogger allows remote attackers to h ...) NOT-FOR-US: Plogger CVE-2007-2276 NOT-FOR-US: TippingPoint IPS CVE-2007-2275 (Unspecified vulnerability in HP StorageWorks Command View Advanced Edi ...) NOT-FOR-US: HP StorageWorks CVE-2007-2274 (The BitTorrent implementation in Opera 9.2 allows remote attackers to ...) NOT-FOR-US: Opera CVE-2007-2273 (PHP remote file inclusion vulnerability in include/loading.php in Ales ...) NOT-FOR-US: wavewoo CVE-2007-2272 (PHP remote file inclusion vulnerability in docs/front-end-demo/cart2.p ...) NOT-FOR-US: Advanced Webhost Billing System CVE-2007-2271 (Directory traversal vulnerability in Rajneel Lal TotaRam USP FOSS Dist ...) NOT-FOR-US: TotaRam CVE-2007-2270 (The Linksys SPA941 VoIP Phone allows remote attackers to cause a denia ...) NOT-FOR-US: Linksys CVE-2007-2269 (Directory traversal vulnerability in top.php3 in SWsoft Plesk for Wind ...) NOT-FOR-US: Plesk CVE-2007-2268 (Multiple directory traversal vulnerabilities in SWsoft Plesk for Windo ...) NOT-FOR-US: Plesk CVE-2007-2267 (Unspecified vulnerability in Sun Cluster 3.1 and Solaris Cluster 3.2 b ...) NOT-FOR-US: Sun Cluster CVE-2007-2266 (Progress Webspeed Messenger allows remote attackers to read, create, m ...) NOT-FOR-US: Progress Webspeed Messenger CVE-2007-2265 (Cross-site scripting (XSS) vulnerability in YA Book 0.98-alpha allows ...) NOT-FOR-US: YA Book CVE-2007-2264 (Heap-based buffer overflow in RealNetworks RealPlayer 8, 10, 10.1, and ...) NOT-FOR-US: RealPlayer CVE-2007-2263 (Heap-based buffer overflow in RealNetworks RealPlayer 10.0, 10.1, and ...) NOT-FOR-US: RealPlayer CVE-2006-7197 (The AJP connector in Apache Tomcat 5.5.15 uses an incorrect length for ...) - tomcat5.5 5.5.17-1 (low) CVE-2005-4838 (Multiple cross-site scripting (XSS) vulnerabilities in the example web ...) - tomcat5.5 5.5.15-1 (low) CVE-2007-2262 (Multiple PHP remote file inclusion vulnerabilities in html/php/detail. ...) NOT-FOR-US: jmuffin CVE-2007-2261 (PHP remote file inclusion vulnerability in espaces/communiques/annotat ...) NOT-FOR-US: C-Arbre CVE-2007-2260 (Multiple PHP remote file inclusion vulnerabilities in bibtex mase beta ...) NOT-FOR-US: bibtex mase CVE-2007-2259 (SQL injection vulnerability in forum.php in EsForum 3.0 allows remote ...) NOT-FOR-US: EsForum CVE-2007-2258 (PHP remote file inclusion vulnerability in includes/init.inc.php in PH ...) NOT-FOR-US: PHPMyBibli CVE-2007-2257 (PHP remote file inclusion vulnerability in subscp.php in Fully Modded ...) NOT-FOR-US: Fully Modded phpBB2 CVE-2007-2256 (Cross-site scripting (XSS) vulnerability in you.php in TJSChat 0.95 al ...) NOT-FOR-US: TJSChat CVE-2007-2255 (Multiple PHP remote file inclusion vulnerabilities in Download-Engine ...) NOT-FOR-US: Download-Engine CVE-2007-2254 (PHP remote file inclusion vulnerability in admin/setup/level2.php in P ...) NOT-FOR-US: PHP Classifieds CVE-2007-2253 (Exponent CMS 0.96.6 Alpha and earlier allows remote attackers to obtai ...) NOT-FOR-US: Exponent CMS CVE-2007-2252 (Directory traversal vulnerability in iconspopup.php in Exponent CMS 0. ...) NOT-FOR-US: Exponent CMS CVE-2007-2251 (Unspecified vulnerability in the Roles module in Xaraya 1.1.2 and earl ...) NOT-FOR-US: Xaraya CVE-2007-2250 (admin.php in Phorum before 5.1.22 allows remote attackers to obtain th ...) NOT-FOR-US: Phorum CVE-2007-2249 (include/controlcenter/users.php in Phorum before 5.1.22 allows remote ...) NOT-FOR-US: Phorum CVE-2007-2248 (Multiple cross-site scripting (XSS) vulnerabilities in admin.php in Ph ...) NOT-FOR-US: Phorum CVE-2007-2247 (SQL injection vulnerability in modules/news/article.php in phpMySpace ...) NOT-FOR-US: phpMySpace CVE-2007-2246 (Unspecified vulnerability in HP-UX B.11.00 and B.11.11, when running s ...) NOT-FOR-US: HP-UX CVE-2007-2245 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin befo ...) {DSA-1370-2 DSA-1370-1} - phpmyadmin 4:2.10.1-1 (low) NOTE: https://www.phpmyadmin.net/security/PMASA-2007-4/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/b4134b65a7e7ed355121b6c2db9ea6c9624509bc CVE-2007-2244 (Multiple buffer overflows in Adobe Photoshop CS2 and CS3, Illustrator ...) NOT-FOR-US: Adobe Photoshop CVE-2007-2243 (OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabl ...) - openssh (bug #436571; unimportant) [etch] - openssh (Minor issue) [sarge] - openssh (Minor issue) CVE-2007-2242 (The IPv6 protocol allows remote attackers to cause a denial of service ...) {DSA-1356-1} - linux-2.6 2.6.21-1 (low; bug #421595) - kfreebsd-5 (low) [etch] - kfreebsd-5 (No security support for KFreeBSD) NOTE: This should be off by default, tweakable by a simple knob. NOTE: (FreeBSD has it turned on for hosts, too.) CVE-2007-2241 (Unspecified vulnerability in query.c in ISC BIND 9.4.0, and 9.5.0a1 th ...) - bind9 1:9.4.1-1 (medium) [etch] - bind9 (Only 9.4/9.5 branches affected) [sarge] - bind9 (Only 9.4/9.5 branches affected) CVE-2007-2240 (The IBM Lenovo Access Support acpRunner ActiveX control, as distribute ...) NOT-FOR-US: IBM Lenovo Access Support acpRunner ActiveX control CVE-2007-2239 (Stack-based buffer overflow in the SaveBMP method in the AXIS Camera C ...) NOT-FOR-US: AXIS Camera Control CVE-2007-2238 (Multiple stack-based buffer overflows in the Whale Client Components A ...) NOT-FOR-US: Whale Client Components ActiveX control CVE-2007-2237 (Microsoft Windows Graphics Device Interface (GDI+, GdiPlus.dll) allows ...) NOT-FOR-US: Microsoft CVE-2007-2236 (footer.php in PunBB 1.2.14 and earlier allows remote attackers to incl ...) NOT-FOR-US: PunBB CVE-2007-2235 (Multiple cross-site scripting (XSS) vulnerabilities in PunBB 1.2.14 an ...) NOT-FOR-US: PunBB CVE-2007-2234 (include/common.php in PunBB 1.2.14 and earlier does not properly handl ...) NOT-FOR-US: PunBB CVE-2007-2233 (cosign-bin/cosign.cgi in Cosign 2.0.2 and earlier allows remote authen ...) NOT-FOR-US: CoSign CVE-2007-2232 (The CHECK command in Cosign 2.0.1 and earlier allows remote attackers ...) NOT-FOR-US: CoSign CVE-2007-2231 (Directory traversal vulnerability in index/mbox/mbox-storage.c in Dove ...) {DSA-1359-1} - dovecot 1.0.rc29-1 [sarge] - dovecot (Vulnerable code not present) CVE-2007-2230 (SQL injection vulnerability in CA Clever Path Portal allows remote aut ...) NOT-FOR-US: CA Clever Path CVE-2007-2229 (Microsoft Windows Vista uses insecure default permissions for unspecif ...) NOT-FOR-US: Microsoft CVE-2007-2228 (rpcrt4.dll (aka the RPC runtime library) in Microsoft Windows XP SP2, ...) NOT-FOR-US: Windows CVE-2007-2227 (The MHTML protocol handler in Microsoft Outlook Express 6 and Windows ...) NOT-FOR-US: Microsoft CVE-2007-2226 REJECTED CVE-2007-2225 (A component in Microsoft Outlook Express 6 and Windows Mail in Windows ...) NOT-FOR-US: Microsoft CVE-2007-2224 (Object linking and embedding (OLE) Automation, as used in Microsoft Wi ...) NOT-FOR-US: Microsoft CVE-2007-2223 (Microsoft XML Core Services (MSXML) 3.0 through 6.0 allows remote atta ...) NOT-FOR-US: Microsoft XML CVE-2007-2222 (Multiple buffer overflows in the (1) ActiveListen (Xlisten.dll) and (2 ...) NOT-FOR-US: Microsoft CVE-2007-2221 (Unspecified vulnerability in the mdsauth.dll COM object in Microsoft W ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2007-2220 REJECTED CVE-2007-2219 (Unspecified vulnerability in the Win32 API on Microsoft Windows 2000, ...) NOT-FOR-US: Microsoft CVE-2007-2218 (Unspecified vulnerability in the Windows Schannel Security Package for ...) NOT-FOR-US: Microsoft CVE-2007-2217 (Kodak Image Viewer in Microsoft Windows 2000 SP4, and in some cases XP ...) NOT-FOR-US: Kodak Image Viewer CVE-2007-2216 (The tblinf32.dll (aka vstlbinf.dll) ActiveX control for Internet Explo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2007-2215 REJECTED CVE-2007-2214 (Unrestricted file upload vulnerability in includes/upload_file.php in ...) NOT-FOR-US: DmCMS CVE-2007-2213 (Unspecified vulnerability in the Initialize function in NetscapeFTPHan ...) NOT-FOR-US: WS_FTP CVE-2007-2212 (Multiple SQL injection vulnerabilities in calendar.php in MyBB (aka My ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2007-2211 (SQL injection vulnerability in calendar.php in MyBB (aka MyBulletinBoa ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2007-2210 (A certain ActiveX control in askPopStp.dll in Netsprint Ask IE Toolbar ...) NOT-FOR-US: Netsprint CVE-2007-2209 (Buffer overflow in igcore15d.dll 15.1.2.0 and 15.2.0.0 for AccuSoft Im ...) NOT-FOR-US: AccuSoft CVE-2007-2208 (Multiple PHP remote file inclusion vulnerabilities in Extreme PHPBB2 3 ...) NOT-FOR-US: Extreme PHPBB2 CVE-2007-2207 (SQL injection vulnerability in contact/index.php in Ripe Website Manag ...) NOT-FOR-US: Ripe Website Manager CVE-2007-2206 (Cross-site scripting (XSS) vulnerability in contact/index.php in Ripe ...) NOT-FOR-US: Ripe Website Manager CVE-2007-2205 (PHP remote file inclusion vulnerability in modules/rtmessageadd.php in ...) NOT-FOR-US: LAN Management System CVE-2007-2204 (Multiple PHP remote file inclusion vulnerabilities in GPL PHP Board (G ...) NOT-FOR-US: GPL PHP Board CVE-2007-2203 (Cross-site scripting (XSS) vulnerability in Big Blue Guestbook allows ...) NOT-FOR-US: Big Blue Guestbook CVE-2007-2202 (PHP remote file inclusion vulnerability in inc_ACVS/SOAP/Transport.php ...) NOT-FOR-US: Accueil et Conseil en Visites et Sejours Web Services CVE-2007-2201 (Multiple PHP remote file inclusion vulnerabilities in Post Revolution ...) NOT-FOR-US: Post Revolution CVE-2007-2200 (Directory traversal vulnerability in navigator/navigator_ok.php in Pag ...) NOT-FOR-US: Pagode CVE-2007-2199 (PHP remote file inclusion vulnerability in lib/pcltar.lib.php (aka pcl ...) NOT-FOR-US: Joomla! CVE-2007-2198 (Cross-site scripting (XSS) vulnerability in LAN Management System (LMS ...) NOT-FOR-US: LAN Management System CVE-2007-2197 (Race condition in the NeatUpload ASP.NET component 1.2.11 through 1.2. ...) NOT-FOR-US: NeatUpload CVE-2007-2196 NOT-FOR-US: Jambook module for Mambo and Joomla CVE-2007-2195 (aMSN (aka Alvaro's Messenger) 0.96 and earlier allows remote attackers ...) - amsn (Appears bogus, no such port is opened; bug #557754) CVE-2007-2194 (Stack-based buffer overflow in XnView 1.90.3 allows user-assisted remo ...) NOT-FOR-US: XnView CVE-2007-2193 (Stack-based buffer overflow in the ID_X.apl plugin in ACDSee 9.0 Build ...) NOT-FOR-US: ACDSee CVE-2007-2192 (Buffer overflow in Photofiltre Studio 8.1.1 allows user-assisted remot ...) NOT-FOR-US: Photofiltre CVE-2007-2191 (Multiple cross-site scripting (XSS) vulnerabilities in freePBX 2.2.x a ...) NOT-FOR-US: freePBX CVE-2007-2190 (PHP remote file inclusion vulnerability in admin/public/webpages.php i ...) NOT-FOR-US: Eba News CVE-2007-2189 (PHP remote file inclusion vulnerability in admin/admin_album_otf.php i ...) NOT-FOR-US: mxBB Smartor Album CVE-2007-2188 (eXtremail 2.1.1 and earlier does not verify the ID field (aka transact ...) NOT-FOR-US: eXtremail CVE-2007-2187 (Stack-based buffer overflow in eXtremail 2.1.1 and earlier allows remo ...) NOT-FOR-US: eXtremail CVE-2007-2186 (Foxit Reader 2.0 allows remote attackers to cause a denial of service ...) NOT-FOR-US: Foxit Reader CVE-2007-2185 (Multiple PHP remote file inclusion vulnerabilities in Supasite 1.23b a ...) NOT-FOR-US: Supasite CVE-2007-2184 (Directory traversal vulnerability in imgsrv.php in jchit counter 1.0.0 ...) NOT-FOR-US: jchit CVE-2007-2183 (SQL injection vulnerability in index.php in PHP-Ring Webring System (a ...) NOT-FOR-US: PHP-Ring Webring System CVE-2007-2182 (Unrestricted file upload vulnerability in forum_write.php in Maran PHP ...) NOT-FOR-US: Maran PHP Forum CVE-2007-2181 (PHP remote file inclusion vulnerability in admin/login.php in Webinsta ...) NOT-FOR-US: WEBInsta CVE-2007-2180 (Buffer overflow in Nullsoft Winamp 5.3 allows user-assisted remote att ...) NOT-FOR-US: Nullsoft Winamp CVE-2007-2179 (Multiple unspecified vulnerabilities in IXceedCompression in XceddZipL ...) NOT-FOR-US: RaidenFTPD CVE-2007-2178 (Multiple unspecified vulnerabilities in Objective Development Sharity ...) NOT-FOR-US: Sharity CVE-2007-2177 (Stack-based buffer overflow in the Microgaming Download Helper ActiveX ...) NOT-FOR-US: Microgaming Download Helper CVE-2007-2176 (Unspecified vulnerability in Mozilla Firefox allows remote attackers t ...) NOT-FOR-US: Related to Apple QuickTime as well, no information about Mozilla being affected is available CVE-2007-2175 (Apple QuickTime Java extensions (QTJava.dll), as used in Safari and ot ...) NOT-FOR-US: Apple QuickTime CVE-2007-2174 (The IOCTL handling in srescan.sys in the ZoneAlarm Spyware Removal Eng ...) NOT-FOR-US: ZoneAlarm CVE-2007-2173 (Eval injection vulnerability in (1) courier-imapd.indirect and (2) cou ...) NOT-FOR-US: Gentoo's packaging of courier CVE-2007-2172 (A typo in Linux kernel 2.6 before 2.6.21-rc6 and 2.4 before 2.4.35 cau ...) {DSA-1503-2 DSA-1504-1 DSA-1503-1 DSA-1363-1 DSA-1356-1} - linux-2.6 2.6.21-1 (medium) CVE-2007-2171 (Stack-based buffer overflow in the base64_decode function in GWINTER.e ...) NOT-FOR-US: Novell GroupWise CVE-2007-2170 (The APPLSYS.FND_DM_NODES package in Oracle E-Business Suite does not c ...) NOT-FOR-US: Oracle E-Business Suite CVE-2007-2169 (Static code injection vulnerability in add.php in Mozzers SubSystem 1. ...) NOT-FOR-US: Mozzers SubSystem CVE-2007-2168 (Static code injection vulnerability in process.php in AimStats 3.2 and ...) NOT-FOR-US: AimStats CVE-2007-2167 (Static code injection vulnerability in process.php in AimStats 3.2 all ...) NOT-FOR-US: AimStats CVE-2007-2166 (PHP remote file inclusion vulnerability in administration/user/lib/gro ...) NOT-FOR-US: OpenSurveyPilot CVE-2007-2165 (The Auth API in ProFTPD before 20070417, when multiple simultaneous au ...) - proftpd 1.3.0-24 (low) [sarge] - proftpd (Minor issue) - proftpd-dfsg 1.3.0-24 (low) [etch] - proftpd-dfsg 1.3.0-19etch1 NOTE: Minor issue Fixed in 4.0r4 point release CVE-2007-2164 (Konqueror 3.5.5 release 45.4 allows remote attackers to cause a denial ...) - kdelibs (unimportant) NOTE: Browser crashes are not treated as security problems CVE-2007-2163 (Apple Safari allows remote attackers to cause a denial of service (bro ...) NOT-FOR-US: Apple Safari CVE-2007-2162 ((1) Mozilla Firefox 2.0.0.3 and (2) GNU IceWeasel 2.0.0.3 allow remote ...) - iceweasel (unimportant) NOTE: Browser crashes are not treated as security problems CVE-2007-2161 (Microsoft Internet Explorer 7 allows remote attackers to cause a denia ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2007-2160 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Data ...) NOT-FOR-US: dba module for Drupal CVE-2007-2159 (Multiple cross-site scripting (XSS) vulnerabilities in the Database Ad ...) NOT-FOR-US: dba module for Drupal CVE-2007-2158 (PHP remote file inclusion vulnerability in index.php in jGallery 1.3 a ...) NOT-FOR-US: jGallery CVE-2007-2157 (Directory traversal vulnerability in upload/force_download.php in Zomp ...) NOT-FOR-US: Zomplog CVE-2007-2156 (Multiple PHP remote file inclusion vulnerabilities in Rezervi Generic ...) NOT-FOR-US: Rezervi Generic CVE-2007-2155 (Directory traversal vulnerability in template.php in in phpFaber TopSi ...) NOT-FOR-US: phpFaber TopSites CVE-2007-2154 (PHP remote file inclusion vulnerability in services/samples/inclusionS ...) NOT-FOR-US: Cabron Connector CVE-2007-2153 (Cross-site scripting (XSS) vulnerability in atmail.php in @Mail 5.0 al ...) NOT-FOR-US: @Mail CVE-2007-2152 (Buffer overflow in the On-Access Scanner in McAfee VirusScan Enterpris ...) NOT-FOR-US: McAfee VirusScan Enterprise CVE-2007-2151 (The administration server in McAfee e-Business Server before 8.1.1 and ...) NOT-FOR-US: McAfee CVE-2007-2150 (BlueArc-FTPD in BlueArc Titan 2x00 devices with firmware 4.2.944b allo ...) NOT-FOR-US: BlueArc CVE-2007-2149 (Stephen Craton (aka WiredPHP) Chatness 2.5.3 and earlier stores userna ...) NOT-FOR-US: Chatness CVE-2007-2148 (Direct static code injection vulnerability in admin/save.php in Stephe ...) NOT-FOR-US: Chatness CVE-2007-2147 (admin/options.php in Stephen Craton (aka WiredPHP) Chatness 2.5.3 and ...) NOT-FOR-US: Chatness CVE-2007-2146 (The imagecomments function in classes.php in MiniGal b13 allow remote ...) NOT-FOR-US: MiniGal CVE-2007-2145 (The imagecomments function in classes.php in MiniGal b13 allows remote ...) NOT-FOR-US: MiniGal CVE-2007-2144 (PHP remote file inclusion vulnerability in includes/CAltInstaller.php ...) NOT-FOR-US: JoomlaPack CVE-2007-2143 (PHP remote file inclusion vulnerability in index.php in the Be2004-2 t ...) NOT-FOR-US: Be2004-2 template for Joomla CVE-2007-2142 (Multiple PHP remote file inclusion vulnerabilities in AjPortal2Php all ...) NOT-FOR-US: AjPortal2Php CVE-2007-2141 (Direct static code injection vulnerability in shoutbox.php in ShoutPro ...) NOT-FOR-US: ShoutPro CVE-2007-2140 (PHP remote file inclusion vulnerability in everything.php in Franklin ...) NOT-FOR-US: Flip-search-add-on CVE-2007-2139 (Multiple stack-based buffer overflows in the SUN RPC service in CA (fo ...) NOT-FOR-US: CA BrightStor CVE-2007-2137 (Heap-based buffer overflow in kde.dll in IBM Tivoli Monitoring Express ...) NOT-FOR-US: Tivoli CVE-2007-2136 (Stack-based buffer overflow in bgs_sdservice.exe in BMC Patrol Perform ...) NOT-FOR-US: BMC Patrol PerformAgent CVE-2007-2135 (The ADI_BINARY component in the Oracle E-Business Suite allows remote ...) NOT-FOR-US: Oracle CVE-2007-2134 (Unspecified vulnerability in the HTML Server in Oracle JD Edwards Ente ...) NOT-FOR-US: Oracle CVE-2007-2133 (Unspecified vulnerability in the PeopleSoft Enterprise Human Capital M ...) NOT-FOR-US: Oracle CVE-2007-2132 (Unspecified vulnerability in the PeopleTools component in Oracle Peopl ...) NOT-FOR-US: Oracle CVE-2007-2131 (Unspecified vulnerability in PeopleTools in Oracle PeopleSoft Enterpri ...) NOT-FOR-US: Oracle CVE-2007-2130 (Unspecified vulnerability in Workflow Cartridge, as used in Oracle Dat ...) NOT-FOR-US: Oracle CVE-2007-2129 (Unspecified vulnerability in the Agent component in Oracle Enterprise ...) NOT-FOR-US: Oracle CVE-2007-2128 (Unspecified vulnerability in the Sales Online component for Oracle E-B ...) NOT-FOR-US: Oracle CVE-2007-2127 (Multiple unspecified vulnerabilities in Oracle E-Business Suite 12.0.0 ...) NOT-FOR-US: Oracle CVE-2007-2126 (Unspecified vulnerability in Oracle E-Business Suite 11.5.10CU2 has un ...) NOT-FOR-US: Oracle CVE-2007-2125 (Unspecified vulnerability in Collaborative Workspace in Oracle Collabo ...) NOT-FOR-US: Oracle CVE-2007-2124 (Unspecified vulnerability in the Portal component in Oracle Applicatio ...) NOT-FOR-US: Oracle CVE-2007-2123 (Unspecified vulnerability in the Portal component in Oracle Applicatio ...) NOT-FOR-US: Oracle CVE-2007-2122 (Unspecified vulnerability in the Wireless component in Oracle Applicat ...) NOT-FOR-US: Oracle CVE-2007-2121 (Unspecified vulnerability in the COREid Access component in Oracle App ...) NOT-FOR-US: Oracle CVE-2007-2120 (The Oracle Discoverer servlet in Oracle Application Server 9.0.4.3, 10 ...) NOT-FOR-US: Oracle CVE-2007-2119 (Cross-site scripting (XSS) vulnerability in boundary_rules.jsp in the ...) NOT-FOR-US: Oracle CVE-2007-2118 (Unspecified vulnerability in the Upgrade/Downgrade component of Oracle ...) NOT-FOR-US: Oracle CVE-2007-2117 (Unspecified vulnerability in the Oracle Text component in Oracle Datab ...) NOT-FOR-US: Oracle CVE-2007-2116 (Unspecified vulnerability in the Advanced Replication component in Ora ...) NOT-FOR-US: Oracle CVE-2007-2115 (Unspecified vulnerability in the Change Data Capture (CDC) component i ...) NOT-FOR-US: Oracle CVE-2007-2114 (Multiple unspecified vulnerabilities in Oracle Database 10.1.0.5 and 1 ...) NOT-FOR-US: Oracle CVE-2007-2113 (SQL injection vulnerability in the Upgrade/Downgrade component (DBMS_U ...) NOT-FOR-US: Oracle CVE-2007-2112 (Unspecified vulnerability in the Authentication component for Oracle D ...) NOT-FOR-US: Oracle CVE-2007-2111 (SQL injection vulnerability in the SYS.DBMS_AQADM_SYS package in Oracl ...) NOT-FOR-US: Oracle CVE-2007-2110 (Unspecified vulnerability in the Core RDBMS component for Oracle Datab ...) NOT-FOR-US: Oracle CVE-2007-2109 (Multiple unspecified vulnerabilities in Oracle Database 10.2.0.3 have ...) NOT-FOR-US: Oracle CVE-2007-2108 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle CVE-2006-7196 (Cross-site scripting (XSS) vulnerability in the calendar application e ...) - tomcat5.5 5.5.16-1 (unimportant) - tomcat5 (unimportant) - tomcat4 (unimportant) NOTE: Only present in an example, not in production code CVE-2006-7195 (Cross-site scripting (XSS) vulnerability in implicit-objects.jsp in Ap ...) - tomcat5.5 5.5.20-1 (unimportant) - tomcat5 (unimportant) - tomcat4 (unimportant) NOTE: Only present in an example, not in production code CVE-2007-XXXX [buffer overflow in mixmaster importing type 2 messages] - mixmaster 3.0b2-5 (low; bug #418662) [etch] - mixmaster 3.0b2-4.etch1 [sarge] - mixmaster (Code generation in Sarge pads over this) CVE-2007-XXXX [heap-based buffer overflow in git-blame with long file names] [etch] - git-core (1.4.4.4 tagged 2007-1-8, bug introduced 2007-1-30) - git-core 1:1.5.1.2-1 (low) NOTE: http://git.kernel.org/?p=git/git.git;a=commit;h=1bb88be99e4fdedcd5cc5292c11b566a00028deb NOTE: http://git.kernel.org/?p=git/git.git;a=commitdiff;h=1cfe77333f274c9ba9879c2eb61057a790eb050f NOTE: http://git.kernel.org/?p=git/git.git;a=tag;h=ae9ced19800491a5d80de5ee36bc07d68868a4dd CVE-2007-2138 (Untrusted search path vulnerability in PostgreSQL before 7.3.19, 7.4.x ...) {DSA-1311-1 DSA-1309-1} - postgresql-8.2 8.2.4-1 - postgresql-8.1 8.1.9-1 - postgresql-7.4 1:7.4.17-1 CVE-2007-2107 (SQL injection vulnerability in visit.php in the Rha7 Downloads (rha7do ...) NOT-FOR-US: Rha7 Downloads CVE-2007-2106 (Directory traversal vulnerability in index.php in Kai Content Manageme ...) NOT-FOR-US: Kai Content Management System CVE-2007-2105 (Directory traversal vulnerability in admin/index.php in Monkey CMS 0.0 ...) NOT-FOR-US: Monkey CMS CVE-2007-2104 (Multiple directory traversal vulnerabilities in iXon CMS 0.30 allow re ...) NOT-FOR-US: iXon CMS CVE-2007-2103 (Multiple PHP remote file inclusion vulnerabilities in my little forum ...) NOT-FOR-US: my little forum CVE-2007-2102 (Cross-site scripting (XSS) vulnerability in weblog.php in my little we ...) NOT-FOR-US: my little weblog CVE-2007-2101 (FAC Guestbook 3.01 stores sensitive information under the web root wit ...) NOT-FOR-US: FAC Guestbook CVE-2007-2100 (FAC Guestbook 2.0 stores sensitive information under the web root with ...) NOT-FOR-US: FAC Guestbook CVE-2007-2099 (Cross-site scripting (XSS) vulnerability in htdocs/php.php in OpenConc ...) NOT-FOR-US: OpenConcept Back-End CMS CVE-2007-2098 (Multiple cross-site scripting (XSS) vulnerabilities in showpic.php in ...) NOT-FOR-US: Wabbit PHP Gallery CVE-2007-2097 NOT-FOR-US: OpenConcept Back-End CMS CVE-2007-2096 (PHP remote file inclusion vulnerability in common.php in Hinton Design ...) NOT-FOR-US: PHPHD Download System CVE-2007-2095 (PHP remote file inclusion vulnerability in chat.php in MySpeach 1.9 al ...) NOT-FOR-US: MySpeach CVE-2007-2094 (PHP remote file inclusion vulnerability in index.php in Anthologia 0.5 ...) NOT-FOR-US: Anthologia CVE-2007-2093 (Direct static code injection vulnerability in index.php in Limesoft Gu ...) NOT-FOR-US: Limesoft Guestbook CVE-2007-2092 (Direct static code injection vulnerability in index.php in Limesoft Gu ...) NOT-FOR-US: Limesoft Guestbook CVE-2007-2091 (PHP remote file inclusion vulnerability in blocks/tsdisplay4xoops_bloc ...) NOT-FOR-US: tsdisplay4xoops CVE-2007-2090 (Cross-site scripting (XSS) vulnerability in index.php in TuMusika Evol ...) NOT-FOR-US: TuMusika Evolution CVE-2007-2089 (Multiple PHP remote file inclusion vulnerabilities in the Jx Developme ...) NOT-FOR-US: Jx Development Article component for Mambo and Joomla CVE-2007-2088 (Multiple PHP remote file inclusion vulnerabilities in Sitebar 3.3.5 an ...) - sitebar 3.3.8-7 (low) NOTE: this was register globals only and is fixed in Debian anyway CVE-2007-2087 (Multiple PHP remote file inclusion vulnerabilities in CNStats 2.12, wh ...) NOT-FOR-US: CNStats CVE-2007-2086 (Multiple PHP remote file inclusion vulnerabilities in CNStats 2.9 allo ...) NOT-FOR-US: CNStats CVE-2007-2085 (Cross-site scripting (XSS) vulnerability in oe2edit.cgi in oe2edit CMS ...) NOT-FOR-US: oe2edit CMS CVE-2007-2084 NOT-FOR-US: MobilePublisherphp CVE-2007-2083 (vsdatant.sys in Check Point Zone Labs ZoneAlarm Pro before 7.0.302.000 ...) NOT-FOR-US: Check Point Zone Labs ZoneAlarm Internet Security Suite CVE-2007-2082 (Direct static code injection vulnerability in admin/settings.php in My ...) NOT-FOR-US: MyBlog CVE-2007-2081 (MyBlog 0.9.8 and earlier allows remote attackers to bypass authenticat ...) NOT-FOR-US: MyBlog CVE-2007-2080 (Multiple SQL injection vulnerabilities in XAMPP 1.6.0a for Windows all ...) NOT-FOR-US: XAMPP CVE-2007-2079 (The ADONewConnection Connect function in adodb.php in XAMPP 1.6.0a and ...) NOT-FOR-US: XAMPP CVE-2007-2078 NOT-FOR-US: Maian Weblog CVE-2007-2077 (PHP remote file inclusion vulnerability in search.php in Maian Search ...) NOT-FOR-US: Maian Search CVE-2007-2076 (PHP remote file inclusion vulnerability in index.php in Maian Gallery ...) NOT-FOR-US: Maian Gallery CVE-2007-2075 (ScramDisk 4 Linux before 1.0-1 does not perform permission checks on m ...) NOT-FOR-US: ScramDisk CVE-2007-2074 (Certain programs in containers in ScramDisk 4 Linux before 1.0-1 execu ...) NOT-FOR-US: ScramDisk CVE-2007-2073 (PHP remote file inclusion vulnerability in index.php in Ivan Gallery S ...) NOT-FOR-US: Ivan Gallery Script CVE-2007-2072 NOT-FOR-US: Ivan Gallery Script CVE-2007-2071 (Multiple cross-site scripting (XSS) vulnerabilities in Open-gorotto 2. ...) NOT-FOR-US: Open-gorotto CVE-2007-2070 (Multiple PHP remote file inclusion vulnerabilities in Turnkey Web Tool ...) NOT-FOR-US: SunShop Shopping Cart CVE-2007-2069 (Directory traversal vulnerability in scr/soustab.php in openMairie 1.1 ...) NOT-FOR-US: openMairie CVE-2007-2068 (Multiple PHP remote file inclusion vulnerabilities in the StoreFront m ...) NOT-FOR-US: StoreFront extension for Gallery CVE-2007-2067 (Multiple PHP remote file inclusion vulnerabilities in Marco Antonio Is ...) NOT-FOR-US: WebSlider CVE-2007-2066 (UseBB before 1.0.6 allows remote attackers to obtain sensitive informa ...) NOT-FOR-US: UseBB CVE-2007-2065 (PHP remote file inclusion vulnerability in db/PollDB.php in Robert Lad ...) NOT-FOR-US: ActionPoll CVE-2007-2064 (Multiple PHP remote file inclusion vulnerabilities in Robert Ladstaett ...) NOT-FOR-US: ActionPoll CVE-2007-2063 (SSH Tectia Server for IBM z/OS before 5.4.0 uses insecure world-writab ...) NOT-FOR-US: IBM zOS CVE-2007-2062 (Stack-based buffer overflow in VCDGear 3.55 and 3.56 BETA allows user- ...) NOT-FOR-US: VCDGear CVE-2007-2061 (Cross-site scripting (XSS) vulnerability in check_login.asp in AfterLo ...) NOT-FOR-US: MailBee WebMail Pro CVE-2007-2060 (Cross-zone scripting vulnerability in the Wizz RSS Reader before 2.1.9 ...) NOT-FOR-US: Wizz RSS Reader CVE-2007-2059 (Multiple buffer overflows in the ESA protocol implementation in eIQnet ...) NOT-FOR-US: eIQnetworks Enterprise Security Analyzer CVE-2007-2058 (Directory traversal vulnerability in Acubix PicoZip 4.02 allows user-a ...) NOT-FOR-US: Acubix PicoZip CVE-2007-2057 (Stack-based buffer overflow in aircrack-ng airodump-ng 0.7 allows remo ...) {DSA-1280-1 DTSA-35-1} - aircrack-ng 1:0.7-3 (medium) NOTE: http://trac.aircrack-ng.org/changeset/288 CVE-2007-2056 REJECTED CVE-2007-2055 (AFFLIB 2.2.8 and earlier allows attackers to execute arbitrary command ...) NOT-FOR-US: AFFLIB CVE-2007-2054 (Multiple format string vulnerabilities in AFFLIB before 2.2.6 allow re ...) NOT-FOR-US: AFFLIB CVE-2007-2053 (Multiple stack-based buffer overflows in AFFLIB before 2.2.6 allow rem ...) NOT-FOR-US: AFFLIB CVE-2007-2052 (Off-by-one error in the PyLocale_strxfrm function in Modules/_localemo ...) {DSA-1620-1 DSA-1551-1} - python2.4 2.4.4-3 (bug #416931; low) - python2.5 2.5.1-1 (bug #416934; low) - python2.3 (low) CVE-2007-2051 (Buffer overflow in the parsecmd function in bftpd before 1.8 has unkno ...) NOT-FOR-US: bftpd CVE-2007-2050 (Multiple directory traversal vulnerabilities in header.php in RicarGBo ...) NOT-FOR-US: RicarGBooK CVE-2007-2049 (Multiple PHP remote file inclusion vulnerabilities in the Calendar Mod ...) NOT-FOR-US: Calendar Module for Mambo CVE-2007-2048 (Directory traversal vulnerability in /console in the Management Consol ...) NOT-FOR-US: webMethods Glue CVE-2007-2047 (CRLF injection vulnerability in www/delivery/ck.php in Openads 2.3 (ak ...) NOT-FOR-US: Openads CVE-2007-2046 (Multiple CRLF injection vulnerabilities in adclick.php in (a) Openads ...) NOT-FOR-US: Openads CVE-2007-2045 (Unspecified vulnerability in the IP implementation in Sun Solaris 8 an ...) NOT-FOR-US: Sun Solaris CVE-2007-2044 (PHP remote file inclusion vulnerability in mod_weather.php in the Anto ...) NOT-FOR-US: Weather module for Mambo and Joomla CVE-2007-2043 (Multiple PHP remote file inclusion vulnerabilities in the Avant-Garde ...) NOT-FOR-US: MOSMedia Lite CVE-2007-2042 (Multiple PHP remote file inclusion vulnerabilities in the Avant-Garde ...) NOT-FOR-US: MOSMedia Lite CVE-2007-2041 (Cisco Wireless LAN Controller (WLC) before 4.0.206.0 saves the WLAN AC ...) NOT-FOR-US: Cisco CVE-2007-2040 (Cisco Aironet 1000 Series and 1500 Series Lightweight Access Points be ...) NOT-FOR-US: Cisco CVE-2007-2039 (The Network Processing Unit (NPU) in the Cisco Wireless LAN Controller ...) NOT-FOR-US: Cisco CVE-2007-2038 (The Network Processing Unit (NPU) in the Cisco Wireless LAN Controller ...) NOT-FOR-US: Cisco CVE-2007-2037 (Cisco Wireless LAN Controller (WLC) before 3.2.116.21, and 4.0.x befor ...) NOT-FOR-US: Cisco CVE-2007-2036 (The SNMP implementation in the Cisco Wireless LAN Controller (WLC) bef ...) NOT-FOR-US: Cisco CVE-2007-2035 (Cisco Wireless Control System (WCS) before 4.0.66.0 stores sensitive i ...) NOT-FOR-US: Cisco CVE-2007-2034 (Unspecified vulnerability in Cisco Wireless Control System (WCS) befor ...) NOT-FOR-US: Cisco CVE-2007-2033 (Unspecified vulnerability in Cisco Wireless Control System (WCS) befor ...) NOT-FOR-US: Cisco CVE-2007-2032 (Cisco Wireless Control System (WCS) before 4.0.96.0 has a hard-coded F ...) NOT-FOR-US: Cisco CVE-2007-2031 (Buffer overflow in the HTTP proxy service for 3proxy 0.5 to 0.5.3g, an ...) - 3proxy (bug #718219) CVE-2007-2030 (lharc.c in lha does not securely create temporary files, which might a ...) - lha 1.14i-10.2 (bug #437621; low) [sarge] - lha (Non-free not supported) [etch] - lha (Non-free not supported) CVE-2007-2029 (File descriptor leak in the PDF handler in Clam AntiVirus (ClamAV) all ...) {DSA-1281-1 DTSA-37-1} - clamav 0.90.2-1 (low; bug #418849) NOTE: closed report: https://bugzilla.clamav.net/show_bug.cgi?id=459 NOTE: Commit r3021 looks as if it's just a null pointer dereference. CVE-2007-2028 (Memory leak in freeRADIUS 1.1.5 and earlier allows remote attackers to ...) - freeradius 1.1.6-1 (low) [sarge] - freeradius (Minor issue) [etch] - freeradius (Minor issue) CVE-2007-2027 (Untrusted search path vulnerability in the add_filename_to_string func ...) - elinks 0.11.1-1.4 (bug #417789; low) [sarge] - elinks (Hardly exploitable) [etch] - elinks (Hardly exploitable) NOTE: Unrealistic attack vector, no evidence code injection is possible CVE-2007-2026 (The gnu regular expression code in file 4.20 allows context-dependent ...) - file 4.20-6 (low) [etch] - file 4.17-5etch3 [sarge] - file (version too old) CVE-2007-2025 (Unrestricted file upload vulnerability in the UpLoad feature (lib/plug ...) {DSA-1371-1} - phpwiki 1.3.12p3-6.1 (bug #441390) CVE-2007-2024 (Unrestricted file upload vulnerability in the UpLoad feature (lib/plug ...) {DSA-1371-1} - phpwiki 1.3.12p3-6.1 (bug #441390) CVE-2007-2023 (USB20.dll in Secustick USB flash drive decouples the authorization and ...) NOT-FOR-US: Secustick USB flash drive CVE-2007-2022 (Adobe Macromedia Flash Player 7 and 9, when used with Opera before 9.2 ...) - flashplugin-nonfree 9.0.48.0.1 [sarge] - flashplugin-nonfree (Non-free not supported) [etch] - flashplugin-nonfree (Non-free not supported) NOTE: Flash Plugin has a vulnerablity, which will only be disclosed in a few months NOTE: Some browser vendors produce updates, which fix this issue on the browser side, NOTE: but that it not of concern for Debian CVE-2007-2021 (Multiple PHP remote file inclusion vulnerabilities in Pineapple Techno ...) NOT-FOR-US: Pineapple Technologies Lore CVE-2007-2020 NOT-FOR-US: xodagallery CVE-2007-2019 (PHP remote file inclusion vulnerability in init.gallery.php in phpGall ...) NOT-FOR-US: phpGalleryScript CVE-2007-2018 (SQL injection vulnerability in msg.php in AlstraSoft Video Share Enter ...) NOT-FOR-US: AlstraSoft Video Share Enterprise CVE-2007-2017 (siteadmin/useredit.php in AlstraSoft Video Share Enterprise does not c ...) NOT-FOR-US: AlstraSoft Video Share Enterprise CVE-2007-2016 (Cross-site scripting (XSS) vulnerability in mysql/phpinfo.php in phpMy ...) - phpmyadmin 4:2.6.2-3 (unimportant) CVE-2007-2015 (PHP remote file inclusion vulnerability in index.php in Request It 1.0 ...) NOT-FOR-US: Request It CVE-2007-2014 (PHP remote file inclusion vulnerability in include/blocks/week_events. ...) NOT-FOR-US: MyNews CVE-2007-2013 (Cross-site scripting (XSS) vulnerability in index.php in JEx-Treme Ein ...) NOT-FOR-US: Passworschutz CVE-2007-2012 (Multiple directory traversal vulnerabilities in MimarSinan CompreXX 4. ...) NOT-FOR-US: CompreXX CVE-2007-2011 (Cross-site scripting (XSS) vulnerability in login.php in DeskPro 2.0.1 ...) NOT-FOR-US: DeskPro CVE-2007-2010 (Double free vulnerability in bftpd before 1.8 allows remote authentica ...) NOT-FOR-US: bftpd CVE-2007-2009 (PHP remote file inclusion vulnerability in index.php in SimpCMS Light ...) NOT-FOR-US: SimpCMS Light CVE-2007-2008 (Directory traversal vulnerability in admin.php in pL-PHP beta 0.9 allo ...) NOT-FOR-US: pL-PHP CVE-2007-2007 (admin.php in pL-PHP beta 0.9 allows remote attackers to bypass authent ...) NOT-FOR-US: pL-PHP CVE-2007-2006 (Multiple SQL injection vulnerabilities in login.php in pL-PHP beta 0.9 ...) NOT-FOR-US: pL-PHP CVE-2007-2005 (Multiple PHP remote file inclusion vulnerabilities in the Taskhopper 1 ...) NOT-FOR-US: Taskhopper component for Mambo and Joomla CVE-2007-2004 (Multiple SQL injection vulnerabilities in InoutMailingListManager 3.1 ...) NOT-FOR-US: InoutMailingListManager CVE-2007-2003 (InoutMailingListManager 3.1 and earlier sends a Location redirect head ...) NOT-FOR-US: InoutMailingListManager CVE-2007-2002 (InoutMailingListManager 3.1 and earlier allows remote attackers to acc ...) NOT-FOR-US: InoutMailingListManager CVE-2007-2001 (Multiple direct static code injection vulnerabilities in admin/configu ...) NOT-FOR-US: Crea-Book CVE-2007-2000 (Multiple SQL injection vulnerabilities in admin/admin.php in Crea-Book ...) NOT-FOR-US: Crea-Book CVE-2007-1999 (PHP remote file inclusion vulnerability in index.php in Weatimages 1.7 ...) NOT-FOR-US: Weatimages CVE-2007-1998 (Direct static code injection vulnerability in HIOX Guest Book (HGB) 4. ...) NOT-FOR-US: HIOX Guest Book CVE-2007-1997 (Integer signedness error in the (1) cab_unstore and (2) cab_extract fu ...) {DSA-1281-1 DTSA-37-1} - clamav 0.90.2-1 (high) CVE-2007-1996 (PHP remote file inclusion vulnerability in codebreak.php in CodeBreak, ...) NOT-FOR-US: CodeBreak CVE-2007-1995 (bgpd/bgp_attr.c in Quagga 0.98.6 and earlier, and 0.99.6 and earlier 0 ...) {DSA-1293-1} - quagga 0.99.6-5 (low; bug #418323) NOTE: The attributes are non-transitive, which means that they NOTE: are not propagated via BGP and therefore must originate NOTE: from a peer (which is explicitly configured). CVE-2007-1994 (Unspecified vulnerability in the Address and Routing Parameter Area (A ...) NOT-FOR-US: HP-UX ARPA transport CVE-2007-1993 (Buffer overflow in the pfs_mountd.rpc RPC daemon in the Portable File ...) NOT-FOR-US: HP-UX Portable File System CVE-2007-1992 (Multiple PHP remote file inclusion vulnerabilities in the com_zoom 2.5 ...) NOT-FOR-US: com_zoom CVE-2007-1991 (Cross-site scripting (XSS) vulnerability in mail/signup.asp in CmailSe ...) NOT-FOR-US: CmailServer WebMail CVE-2007-1990 (PHP remote file inclusion vulnerability in games.php in Sam Crew MyBlo ...) NOT-FOR-US: MyBlog CVE-2007-1989 (Multiple cross-site scripting (XSS) vulnerabilities in DotClear before ...) NOT-FOR-US: DotClear CVE-2007-1988 (Cross-site scripting (XSS) vulnerability in kernel/filters.inc.php in ...) NOT-FOR-US: PHPEcho CMS CVE-2007-1987 NOT-FOR-US: PHPEcho CMS CVE-2007-1986 (Multiple PHP remote file inclusion vulnerabilities in barnraiser AROUN ...) NOT-FOR-US: AROUNDMe CVE-2007-1985 (Multiple PHP remote file inclusion vulnerabilities in phpexplorator.ph ...) NOT-FOR-US: phpexplorator CVE-2007-1984 (PHP remote file inclusion vulnerability in index.php in lite-cms 0.2.1 ...) NOT-FOR-US: lite-cms CVE-2007-1983 (PHP remote file inclusion vulnerability in include/default_header.php ...) NOT-FOR-US: Cyboards PHP Lite CVE-2007-1982 (Multiple PHP remote file inclusion vulnerabilities in Really Simple PH ...) NOT-FOR-US: Really Simple PHP and Ajax CVE-2007-1981 (The safevoid_vsnprintf function in Metamod-P 1.19p29 and earlier on Wi ...) NOT-FOR-US: Metamod-P CVE-2007-1980 (SQL injection vulnerability in index.php in the Topliste 1.0 module fo ...) NOT-FOR-US: Topliste module for PHP-Fusion CVE-2007-1979 (SQL injection vulnerability in index.php in the PopnupBlog 2.52 and ea ...) NOT-FOR-US: PopnupBlog module for Xoops CVE-2007-1978 (SQL injection vulnerability in index.php in the Arcade 1.00 module for ...) NOT-FOR-US: Arcade module for PHP-Fusion CVE-2007-1977 (Cross-site scripting (XSS) vulnerability in index_cms.php in holaCMS 1 ...) NOT-FOR-US: holaCMS CVE-2007-1976 NOT-FOR-US: Virii Info module for Xoops CVE-2007-1975 (Multiple PHP remote file inclusion vulnerabilities in SLAED CMS 2 allo ...) NOT-FOR-US: SLAED CMS CVE-2007-1974 (SQL injection vulnerability in the getArticle function in class/wfsart ...) NOT-FOR-US: Xoops modules CVE-2007-1973 (Race condition in the Virtual DOS Machine (VDM) in the Windows Kernel ...) NOT-FOR-US: Microsoft Windows CVE-2007-1972 NOT-FOR-US: BMC Patrol PerformAgent CVE-2006-7194 (PHP remote file inclusion vulnerability in modules/Mysqlfinder/Mysqlfi ...) NOT-FOR-US: Agora CVE-2006-7193 NOT-FOR-US: disputed (SMARTY_DIR is a constant) CVE-2003-1325 (The SV_CheckForDuplicateNames function in Valve Software Half-Life CST ...) NOT-FOR-US: Half-Life CVE-2007-XXXX [mydms SQL injection] - mydms 1.4.4+1-5 CVE-2007-1971 (SQL injection vulnerability in fotokategori.asp in Gazi Okul Sitesi 20 ...) NOT-FOR-US: fotokategori.asp CVE-2007-1970 (Mozilla Firefox does not warn the user about HTTP elements on an HTTPS ...) - iceweasel (unimportant; bug #556267) [etch] - iceweasel (Etch Packages no longer covered by security support) [lenny] - iceweasel (Minor issue) CVE-2007-1969 (Cross-site scripting (XSS) vulnerability in admin/modify.php in Sam Cr ...) NOT-FOR-US: MyBlog CVE-2007-1968 (PHP remote file inclusion vulnerability in games.php in Sam Crew MyBlo ...) NOT-FOR-US: MyBlog CVE-2007-1967 NOT-FOR-US: stat12 CVE-2007-1966 (Session fixation vulnerability in eXV2 CMS 2.0.4.3 and earlier allows ...) NOT-FOR-US: eXV2 CMS CVE-2007-1965 (Multiple cross-site scripting (XSS) vulnerabilities in eXV2 CMS 2.0.4. ...) NOT-FOR-US: eXV2 CMS CVE-2007-1964 (member.php in MyBB (aka MyBulletinBoard), when debug mode is available ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2007-1963 (SQL injection vulnerability in the create_session function in class_se ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2007-1962 (SQL injection vulnerability in index.php in the WF-Snippets 1.02 and e ...) NOT-FOR-US: WF-Snippets module for Xoops CVE-2007-1961 (PHP remote file inclusion vulnerability in mutant_functions.php in the ...) NOT-FOR-US: Mutant portal for phpBB CVE-2007-1960 (SQL injection vulnerability in visit.php in the Rha7 Downloads (rha7do ...) NOT-FOR-US: Rha7 Downloads CVE-2007-1959 (Unspecified vulnerability in the process_cmdent function in command.cp ...) - tinymux (unimportant) CVE-2007-1958 (Buffer overflow in TinyMUX before 2.4 allows attackers to cause a deni ...) - tinymux 2.4.3.31-1 CVE-2007-1957 (Multiple PHP remote file inclusion vulnerabilities in Guernion Sylvain ...) NOT-FOR-US: Portail Web Php CVE-2007-1956 (SQL injection vulnerability in ubbthreads.php in Groupee UBB.threads 6 ...) NOT-FOR-US: Groupee UBB.threads CVE-2007-1955 (Multiple stack-based buffer overflows in the SignKorea SKCrypAX Active ...) NOT-FOR-US: SKCrypAX ActiveX control CVE-2007-1954 (Multiple directory traversal vulnerabilities in ArchiveXpert 2.02 buil ...) NOT-FOR-US: ArchiveXpert CVE-2007-1953 (Session fixation vulnerability in onelook courts on-line allows remote ...) NOT-FOR-US: onelook courts on-line CVE-2007-1952 (Session fixation vulnerability in onelook onebyone CMS allows remote a ...) NOT-FOR-US: onelook onebyone CMS CVE-2007-1951 (Session fixation vulnerability in onelook obo Shop allows remote attac ...) NOT-FOR-US: onelook obo Shop CVE-2007-1950 (Cross-site scripting (XSS) vulnerability in index_cms.php in WebBlizza ...) NOT-FOR-US: WebBlizzard CMS CVE-2007-1949 (Session fixation vulnerability in WebBlizzard CMS allows remote attack ...) NOT-FOR-US: WebBlizzard CMS CVE-2007-1948 (Buffer overflow in IrfanView 3.99 allows context-dependent attackers t ...) NOT-FOR-US: IrfanView CVE-2007-1947 (Cross-zone scripting vulnerability in the DOM templates (domplates) us ...) NOT-FOR-US: Firebug extension for Firefox CVE-2007-1946 (Integer overflow in Windows Explorer in Microsoft Windows XP SP1 might ...) NOT-FOR-US: WIndows Explorer CVE-2007-1945 (Unspecified vulnerability in the Servlet Engine/Web Container in IBM W ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2007-1944 (The Java Message Service (JMS) in IBM WebSphere Application Server (WA ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2007-1943 (Integer overflow in ACDSee Photo Manager 9.0 allows context-dependent ...) NOT-FOR-US: ACDSee Photo Manager CVE-2007-1942 (Integer overflow in FastStone Image Viewer 2.9 allows context-dependen ...) NOT-FOR-US: FastStone Image Viewer CVE-2007-1941 (Cross-site scripting (XSS) vulnerability in the Active Content Filter ...) NOT-FOR-US: Domino Web Access CVE-2007-1940 (IBM Tivoli Business Service Manager (TBSM) 4.1 before Interim Fix 1 lo ...) NOT-FOR-US: IBM Tivoli Business Service Manager CVE-2007-1939 (Cross-site scripting (XSS) vulnerability in the embedded webserver in ...) NOT-FOR-US: LanguageTool CVE-2007-1938 (Ichitaro 2005 through 2007, and possibly related products, allows remo ...) NOT-FOR-US: Ichitaro CVE-2007-1937 (PHP remote file inclusion vulnerability in smilies.php in Scorp Book 1 ...) NOT-FOR-US: Scorp Book CVE-2007-1936 (PHP remote file inclusion vulnerability in scaradcontrol.php in ScarAd ...) NOT-FOR-US: ScarAdControl CVE-2007-1935 (PHP file inclusion vulnerability in admin/index.php in ScarAdControl ( ...) NOT-FOR-US: ScarAdControl CVE-2007-1934 (Directory traversal vulnerability in member.php in the eBoard 1.0.7 mo ...) NOT-FOR-US: eBoard module for PHP-Nuke CVE-2007-1933 (Multiple directory traversal vulnerabilities in PcP-Guestbook (PcP-Boo ...) NOT-FOR-US: PcP-Guestbook CVE-2007-1932 (Directory traversal vulnerability in scarnews.inc.php in ScarNews 1.2. ...) NOT-FOR-US: ScarNews CVE-2007-1931 (SQL injection vulnerability in index.php in the slownik module in Smod ...) NOT-FOR-US: SmodCMS CVE-2007-1930 (Directory traversal vulnerability in download2.php in cattaDoc 2.21, a ...) NOT-FOR-US: cattaDoc CVE-2007-1929 (Directory traversal vulnerability in downloadpic.php in Beryo 2.0, and ...) NOT-FOR-US: Beryo CVE-2007-1928 (Directory traversal vulnerability in index.php in witshare 0.9 allows ...) NOT-FOR-US: witshare CVE-2007-1927 (Cross-site scripting (XSS) vulnerability in signup.asp in CmailServer ...) NOT-FOR-US: CmailServer WebMail CVE-2007-1926 (Cross-site scripting (XSS) vulnerability in JBMC Software DirectAdmin ...) NOT-FOR-US: JBMC Software DirectAdmin CVE-2007-1925 (The borrado function in modules/Your_Account/index.php in Tru-Zone Nuk ...) NOT-FOR-US: Tru-Zone Nuke ET CVE-2007-1924 NOT-FOR-US: phpContact CVE-2007-1923 ((1) LedgerSMB and (2) DWS Systems SQL-Ledger implement access control ...) - sql-ledger (unimportant; bug #409703) CVE-2007-1922 (The Impulse Tracker (IT) and ScreamTracker 3 (S3M) modules in IN_MOD.D ...) NOT-FOR-US: Winamp CVE-2007-1921 (LIBSNDFILE.DLL, as used by AOL Nullsoft Winamp 5.33 and possibly other ...) NOT-FOR-US: Winamp CVE-2007-1920 (SQL injection vulnerability in index.php in the aktualnosci module in ...) NOT-FOR-US: aktualnosci module in SmodBIP CVE-2007-1919 (Cross-site scripting (XSS) vulnerability in index.php in Arizona Dream ...) NOT-FOR-US: Arizona Dream Livre d'or CVE-2007-1918 (The RFC_SET_REG_SERVER_PROPERTY function in the SAP RFC Library 6.40 a ...) NOT-FOR-US: SAP RFC Library CVE-2007-1917 (Buffer overflow in the SYSTEM_CREATE_INSTANCE function in the SAP RFC ...) NOT-FOR-US: SAP RFC Library CVE-2007-1916 (Buffer overflow in the RFC_START_GUI function in the SAP RFC Library 6 ...) NOT-FOR-US: SAP RFC Library CVE-2007-1915 (Buffer overflow in the RFC_START_PROGRAM function in the SAP RFC Libra ...) NOT-FOR-US: SAP RFC Library CVE-2007-1914 (The RFC_START_PROGRAM function in the SAP RFC Library 6.40 and 7.00 be ...) NOT-FOR-US: SAP RFC Library CVE-2007-1913 (The TRUSTED_SYSTEM_SECURITY function in the SAP RFC Library 6.40 and 7 ...) NOT-FOR-US: SAP RFC Library CVE-2007-1912 (Heap-based buffer overflow in Microsoft Windows allows user-assisted r ...) NOT-FOR-US: Microsoft Windows CVE-2007-1911 (Multiple unspecified vulnerabilities in Microsoft Word 2007 allow remo ...) NOT-FOR-US: Microsoft Word CVE-2007-1910 (Buffer overflow in wwlib.dll in Microsoft Word 2007 allows remote atta ...) NOT-FOR-US: Microsoft Word CVE-2007-1909 (SQL injection vulnerability in login.php in Ryan Haudenschilt Battle.n ...) NOT-FOR-US: Battle.net Clan Script CVE-2007-1908 (PHP file inclusion vulnerability in php121db.php in PHP121 Instant Mes ...) NOT-FOR-US: PHP121 Instant Messenger CVE-2007-1907 (PHP remote file inclusion vulnerability in warn.php in Pathos Content ...) NOT-FOR-US: Pathos CMS CVE-2007-1906 (Directory traversal vulnerability in richedit/keyboard.php in eCardMAX ...) NOT-FOR-US: eCardMAX HotEditor CVE-2007-1905 (Cross-site scripting (XSS) vulnerability in auth.php in Pineapple Tech ...) NOT-FOR-US: QuizShock CVE-2007-1904 (Directory traversal vulnerability in AOL Instant Messenger (AIM) 5.9 a ...) NOT-FOR-US: AOL Instant Messenger CVE-2007-1903 (Cross-site scripting (XSS) vulnerability in search.php in SonicBB 1.0 ...) NOT-FOR-US: SonicBB CVE-2007-1902 (Multiple SQL injection vulnerabilities in SonicBB 1.0 allow remote att ...) NOT-FOR-US: SonicBB CVE-2007-1901 (SonicBB 1.0 allows remote attackers to obtain sensitive information vi ...) NOT-FOR-US: SonicBB CVE-2007-1900 (CRLF injection vulnerability in the FILTER_VALIDATE_EMAIL filter in ex ...) {DSA-1283-1 DTSA-39-1} - php5 5.2.0-11 (low) CVE-2007-1899 (Multiple SQL injection vulnerabilities in myWebland myBloggie 2.1.6 al ...) NOT-FOR-US: myWebland myBloggie CVE-2007-1898 (formmail.php in Jetbox CMS 2.1 allows remote attackers to send arbitra ...) NOT-FOR-US: Jetbox CMS CVE-2007-1897 (SQL injection vulnerability in xmlrpc (xmlrpc.php) in WordPress 2.1.2, ...) {DSA-1285-1} - wordpress 2.1.3-1 (medium) CVE-2007-1896 (Directory traversal vulnerability in chat.php in Sky GUNNING MySpeach ...) NOT-FOR-US: Sky GUNNING MySpeach CVE-2007-1895 (PHP remote file inclusion vulnerability in chat.php in Sky GUNNING MyS ...) NOT-FOR-US: Sky GUNNING MySpeach CVE-2007-1894 (Cross-site scripting (XSS) vulnerability in wp-includes/general-templa ...) {DSA-1285-1} - wordpress 2.1.3-1 (medium) CVE-2007-1893 (xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows r ...) {DSA-1285-1} - wordpress 2.1.3-1 (medium) CVE-2007-1892 (Stack-based buffer overflow in Akamai Technologies Download Manager Ac ...) NOT-FOR-US: Akamai CVE-2007-1891 (Stack-based buffer overflow in the GetPrivateProfileSectionW function ...) NOT-FOR-US: Akamai CVE-2007-1890 (Integer overflow in the msg_receive function in PHP 4 before 4.4.5 and ...) - php4 (unimportant) - php5 (unimportant) NOTE: local code execution only, possibly only on FreeBSD CVE-2007-1889 (Integer signedness error in the _zend_mm_alloc_int function in the Zen ...) {DSA-1283-1 DTSA-39-1} - php5 5.2.0-11 (medium) CVE-2007-1888 (Buffer overflow in the sqlite_decode_binary function in src/encode.c i ...) - sqlite 2.8.17-2.1 (unimportant; bug #441233; bug #526328) NOTE: this is really just an "unsafe" API, not really a security issue against sqlite itself. NOTE: SQLite 3 no longer contains the affected function. CVE-2007-1887 (Buffer overflow in the sqlite_decode_binary function in the bundled sq ...) {DSA-1283-1 DTSA-39-1} - php4 (SQLite not enabled in PHP 4 packages) - php5 5.2.0-11 (medium) - php4-sqlite (medium; bug #420456) NOTE: php5 is vulnerable due to improper use of the system sqlite libs CVE-2007-1886 (Integer overflow in the str_replace function in PHP 4.4.5 and PHP 5.2. ...) NOTE: Duplicate of CVE-2007-1885 CVE-2007-1885 (Integer overflow in the str_replace function in PHP 4 before 4.4.5 and ...) NOTE: Dupe of CVE-2007-0906; Fixed in DSA-1264, php5 5.2.0-9, php4 6:4.4.4-9 CVE-2007-1884 (Multiple integer signedness errors in the printf function family in PH ...) NOTE: Dupe of CVE-2007-0909; Fixed in DSA-1264, php5 5.2.0-9, php4 6:4.4.4-9 CVE-2007-1883 (PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows context-depende ...) - php4 (unimportant) - php5 (unimportant) NOTE: Only triggerable by malicious script CVE-2007-1882 (qcbin/servlet/tdservlet/TDAPI_GeneralWebTreatment in HP Mercury Qualit ...) NOT-FOR-US: HP Mercury Quality Center CVE-2007-1881 (Unspecified vulnerability in KLIF (klif.sys) in Kaspersky Anti-Virus, ...) NOT-FOR-US: Kaspersky Anti-Virus CVE-2007-1880 (Integer overflow in the _NtSetValueKey function in klif.sys in Kaspers ...) NOT-FOR-US: Kaspersky Anti-Virus CVE-2007-1879 (The StartUploading function in KL.SysInfo ActiveX control (AxKLSysInfo ...) NOT-FOR-US: KL.SysInfo ActiveX control CVE-2007-1878 (Cross-zone scripting vulnerability in the DOM templates (domplates) us ...) NOT-FOR-US: Firebug extension for Firefox CVE-2007-1877 (VMware Workstation before 5.5.4 allows attackers to cause a denial of ...) NOT-FOR-US: VMware CVE-2007-1876 (VMware Workstation before 5.5.4, when running a 64-bit Windows guest o ...) NOT-FOR-US: VMware CVE-2007-1875 RESERVED CVE-2007-1874 (Adobe ColdFusion MX 7 for Linux and Solaris uses insecure permissions ...) NOT-FOR-US: Adobe ColdFusion MX CVE-2007-1873 (Cross-site scripting (XSS) vulnerability in Mephisto 0.7.3 allows remo ...) NOT-FOR-US: mephisto CVE-2007-1872 (Cross-site scripting (XSS) vulnerability in toendaCMS 1.5.3 allows rem ...) NOT-FOR-US: toendaCMS CVE-2007-1871 (Cross-site scripting (XSS) vulnerability in chcounter 3.1.3 allows rem ...) NOT-FOR-US: chcounter CVE-2007-1870 (lighttpd before 1.4.14 allows attackers to cause a denial of service ( ...) {DSA-1303-1} - lighttpd 1.4.15-1 (low; bug #422254) CVE-2007-1869 (lighttpd 1.4.12 and 1.4.13 allows remote attackers to cause a denial o ...) {DSA-1303-1} - lighttpd 1.4.15-1 (medium; bug #422254) CVE-2007-1868 (The management service in IBM Tivoli Provisioning Manager for OS Deplo ...) NOT-FOR-US: IBM Tivoli Provisioning Manager CVE-2007-1867 (Buffer overflow in IrfanView 3.99 allows remote attackers to execute a ...) NOT-FOR-US: IrfanView CVE-2007-1866 (Stack-based buffer overflow in the dns_decode_reverse_name function in ...) NOT-FOR-US: dproxy-nexgen CVE-2007-1865 NOT-FOR-US: not a bug CVE-2007-1864 (Buffer overflow in the bundled libxmlrpc library in PHP before 4.4.7, ...) {DSA-1331-1 DSA-1330-1} - php4 - php5 5.2.2-1 CVE-2007-1863 (cache_util.c in the mod_cache module in Apache HTTP Server (httpd), wh ...) - apache2 2.2.4-1 (low) - apache (unimportant) [sarge] - apache2 2.0.54-5sarge2 [etch] - apache2 2.2.3-4+etch2 NOTE: Apache 1.3 is non-threaded, therefore unimportant CVE-2007-1862 (The recall_headers function in mod_mem_cache in Apache 2.2.4 does not ...) - apache2 (Only Apache 2.2.4 was affected, and all versions of 2.2.4 in Debian are fixed) CVE-2007-1861 (The nl_fib_lookup function in net/ipv4/fib_frontend.c in Linux Kernel ...) {DSA-1289-1} - linux-2.6 2.6.21-1 CVE-2007-1860 (mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 de ...) {DSA-1312-1} - libapache-mod-jk 1:1.2.23-1 (bug #425836) CVE-2007-1859 (XScreenSaver 4.10, when using a remote directory service for credentia ...) - xscreensaver 5.03-1 (low; bug #433964) [etch] - xscreensaver (Minor issue, requires attacker with high level of control, see #433964) [sarge] - xscreensaver (Minor issue, requires attacker with high level of control, see #433964) CVE-2007-1858 (The default SSL cipher configuration in Apache Tomcat 4.1.28 through 4 ...) NOTE: insecure ciphers should not be (and usually are not) enabled in browsers [sarge] - tomcat4 (low) [etch] - tomcat5 (low; bug #423435) - tomcat5 (low; bug #423435) - tomcat5.5 5.5.17-1 (low) - tomcat4 (low) CVE-2007-1857 RESERVED CVE-2007-1856 (Vixie Cron before 4.1-r10 on Gentoo Linux is installed with insecure p ...) - cron (Debian uses proper permission scheme) CVE-2007-1855 (Multiple PHP remote file inclusion vulnerabilities in smarty/smarty_cl ...) NOT-FOR-US: Shop-Script CVE-2007-1854 (Unspecified vulnerability in Hitachi Cosminexus Component Container 07 ...) NOT-FOR-US: Hitachi Cosminexus Component Container CVE-2007-1853 (Unspecified vulnerability in Hitachi JP1/HiCommand DeviceManager, Glob ...) NOT-FOR-US: Hitachi DeviceManager CVE-2007-1852 NOT-FOR-US: 2BGal CVE-2007-1851 (Multiple directory traversal vulnerabilities in Really Simple PHP and ...) NOT-FOR-US: Really Simple PHP and Ajax CVE-2007-1850 (Directory traversal vulnerability in classes/captcha/captcha.jpg.php i ...) NOT-FOR-US: Drake CMS CVE-2007-1849 (Directory traversal vulnerability in 404.php in Drake CMS allows remot ...) NOT-FOR-US: Drake CMS CVE-2007-1848 (Cross-site scripting (XSS) vulnerability in admin/classes/ui.dta.php i ...) NOT-FOR-US: Drake CMS CVE-2007-1847 (SQL injection vulnerability in viewcat.php in the Repository module fo ...) NOT-FOR-US: Repository module for Xoops CVE-2007-1846 (SQL injection vulnerability in index.php in the MyAds 2.04jp and earli ...) NOT-FOR-US: MyAds CVE-2007-1845 (SQL injection vulnerability in show_event.php in the Expanded Calendar ...) NOT-FOR-US: Expanded Calendar module for PHP-Fusion CVE-2007-1844 (Multiple PHP remote file inclusion vulnerabilities in Aardvark Topsite ...) NOT-FOR-US: Aardvark Topsites CVE-2007-1843 (PHP remote file inclusion vulnerability in gmapfactory/params.php in M ...) NOT-FOR-US: MapLab CVE-2007-1842 (Directory traversal vulnerability in login.php in JSBoard before 2.0.1 ...) NOT-FOR-US: JSBoard CVE-2007-1841 (The isakmp_info_recv function in src/racoon/isakmp_inf.c in racoon in ...) {DSA-1299-1 DTSA-42-1} - ipsec-tools 1:0.6.6-3.2 (medium; bug #423252) [sarge] - ipsec-tools (the older stream of development used in the sarge package is not vulnerable - a code change that went into that branch coincidentally fixed it and this change was already there in sarge) CVE-2006-7192 (Microsoft ASP .NET Framework 2.0.50727.42 does not properly handle com ...) NOT-FOR-US: Microsoft ASP .NET Framework CVE-2005-4837 (snmp_api.c in snmpd in Net-SNMP 5.2.x before 5.2.2, 5.1.x before 5.1.3 ...) - net-snmp 5.2.2-1 (medium) CVE-2005-4836 (The HTTP/1.1 connector in Apache Tomcat 4.1.15 through 4.1.40 does not ...) [sarge] - tomcat4 (affects deprecated HTTP/1.1 connector only) CVE-2007-XXXX [initramfs-tools creates /dev/root world-readable] - initramfs-tools 0.85g (low; bug #417995) CVE-2007-1840 (lib/modules.inc in LDAP Account Manager (LAM) before 1.3.0 does not es ...) {DSA-1287-1} - ldap-account-manager 1.1.1-2 (medium; bug #415379) CVE-2007-1839 (Multiple PHP remote file inclusion vulnerabilities in CodeBB 1.1b3 and ...) NOT-FOR-US: CodeBB CVE-2007-1838 (SQL injection vulnerability in view.php in the Friendfinder 3.3 and ea ...) NOT-FOR-US: Friendfinder module for Xoops CVE-2007-1837 (Multiple PHP remote file inclusion vulnerabilities in MangoBery CMS 0. ...) NOT-FOR-US: MangoBery CMS CVE-2007-1836 (The command line administration interface in Data Domain OS before 4.0 ...) NOT-FOR-US: Data Domain OS CVE-2007-1835 (PHP 4 before 4.4.5 and PHP 5 before 5.2.1, when using an empty session ...) - php4 (unimportant) - php5 (unimportant) NOTE: open_basedir bypasses not supported CVE-2007-1834 (Cisco Unified CallManager (CUCM) 5.0 before 5.0(4a)SU1 and Cisco Unifi ...) NOT-FOR-US: Cisco CVE-2007-1833 (The Skinny Call Control Protocol (SCCP) implementation in Cisco Unifie ...) NOT-FOR-US: Cisco CVE-2007-1832 (web-app.org WebAPP before 0.9.9.6 allows remote authenticated users to ...) NOT-FOR-US: WebAPP CVE-2007-1831 (web-app.org WebAPP before 0.9.9.6 allows remote authenticated users to ...) NOT-FOR-US: WebAPP CVE-2007-1830 (Unspecified vulnerability in the Username Hijacking Patch 20070312 for ...) NOT-FOR-US: WebAPP CVE-2007-1829 (Multiple unspecified vulnerabilities in web-app.net WebAPP have unknow ...) NOT-FOR-US: WebAPP CVE-2007-1828 (Multiple cross-site scripting (XSS) vulnerabilities in web-app.org Web ...) NOT-FOR-US: WebAPP CVE-2007-1827 (Multiple unspecified vulnerabilities in form input validation in web-a ...) NOT-FOR-US: WebAPP CVE-2007-1826 (Unspecified vulnerability in the IPSec Manager Service for Cisco Unifi ...) NOT-FOR-US: Cisco CVE-2007-1825 (Buffer overflow in the imap_mail_compose function in PHP 5 before 5.2. ...) NOTE: Dupe of CVE-2007-0906; Fixed in DSA-1264, php5 5.2.0-9, php4 6:4.4.4-9 CVE-2007-1824 (Buffer overflow in the php_stream_filter_create function in PHP 5 befo ...) {DSA-1283-1 DTSA-39-1} - php5 5.2.0-11 (medium) CVE-2007-1823 (T-Mobile voice mail systems allow remote attackers to retrieve or remo ...) NOT-FOR-US: T-Mobile CVE-2007-1822 (Alcatel-Lucent Lucent Technologies voice mail systems allow remote att ...) NOT-FOR-US: Alcatel-Lucent CVE-2007-1821 (Sprint Nextel Sprint voice mail systems allow remote attackers to retr ...) NOT-FOR-US: Sprint Nextel CVE-2007-1820 (Nortel Networks CallPilot and Meridian Mail voicemail systems, when a ...) NOT-FOR-US: Nortel Networks CVE-2007-1819 (Stack-based buffer overflow in the SPIDERLib.Loader ActiveX control (S ...) NOT-FOR-US: ActiveX control in TestDirector CVE-2007-1818 (PHP remote file inclusion vulnerability in MOD_forum_fields_parse.php ...) NOT-FOR-US: Forum picture and META tags module for phpBB CVE-2007-1817 (SQL injection vulnerability in index.php in the Lykos Reviews (lykos_r ...) NOT-FOR-US: Lykos Reviews module for Xoops CVE-2007-1816 (SQL injection vulnerability in viewcat.php in the Tutoriais module for ...) NOT-FOR-US: Tutorials module for Xoops CVE-2007-1815 (SQL injection vulnerability in viewcat.php in the Library module for X ...) NOT-FOR-US: Library module for Xoops CVE-2007-1814 (SQL injection vulnerability in viewcat.php in the Core module for Xoop ...) NOT-FOR-US: Core module for Xoops CVE-2007-1813 (SQL injection vulnerability in display.php in the eCal 2.24 and earlie ...) NOT-FOR-US: eCal module for Xoops CVE-2007-1812 (PHP remote file inclusion vulnerability in utilitaires/gestion_sondage ...) NOT-FOR-US: BT-Sondage CVE-2007-1811 (SQL injection vulnerability in index.php in the Tiny Event (tinyevent) ...) NOT-FOR-US: Tiny Event module for Xoops CVE-2007-1810 (SQL injection vulnerability in product_details.php in the Kshop 1.17 a ...) NOT-FOR-US: Kshop module for Xoops CVE-2007-1809 (Multiple PHP remote file inclusion vulnerabilities in GraFX Company We ...) NOT-FOR-US: WebSite Builder CVE-2007-1808 (SQL injection vulnerability in show.php in the Camportail 1.1 and earl ...) NOT-FOR-US: Camportail module for Xoops CVE-2007-1807 (SQL injection vulnerability in modules/myalbum/viewcat.php in the myAl ...) NOT-FOR-US: myAlbum-P module for Xoops CVE-2007-1806 (SQL injection vulnerability in categos.php in the RM+Soft Gallery (rmg ...) NOT-FOR-US: RM+Soft Gallery module for Xoops CVE-2007-1805 (SQL injection vulnerability in genre.php in the debaser 0.92 and earli ...) NOT-FOR-US: debaser module for Xoops CVE-2007-1804 (PulseAudio 0.9.5 allows remote attackers to cause a denial of service ...) {DTSA-44-1} - pulseaudio 0.9.6-1 (low) [etch] - pulseaudio (Minor issue) CVE-2007-1803 (Unspecified vulnerability in MailDwarf 3.01 and earlier allows remote ...) NOT-FOR-US: MailDwarf CVE-2007-1802 (Cross-site scripting (XSS) vulnerability in MailDwarf 3.01 and earlier ...) NOT-FOR-US: MailDwarf CVE-2007-1801 (Directory traversal vulnerability in inc/lang.php in sBLOG 0.7.3 Beta ...) NOT-FOR-US: sBLOG CVE-2007-1800 (Cisco Secure ACS does not require authentication when Cisco Trust Agen ...) NOT-FOR-US: Cisco CVE-2007-1799 (Directory traversal vulnerability in torrent.cpp in KTorrent before 2. ...) {DSA-1373-2 DSA-1373-1} - ktorrent 2.1.4.dfsg.1-1 (medium; bug #432007) CVE-2007-1798 (Buffer overflow in the drmgr command in IBM AIX 5.2 and 5.3 allows loc ...) NOT-FOR-US: IBM AIX CVE-2007-1797 (Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote ...) {DSA-1903-1 DSA-1858-1} - imagemagick 7:6.2.4.5.dfsg1-1 (medium) - graphicsmagick 1.1.7-15 (medium) CVE-2007-1796 (Multiple unspecified vulnerabilities in JCcorp URLshrink before 1.3.2 ...) NOT-FOR-US: URLshrink CVE-2007-1795 (JCcorp URLshrink 1.3.1 allows remote attackers to execute arbitrary PH ...) NOT-FOR-US: URLshrink CVE-2007-1794 (The Javascript engine in Mozilla 1.7 and earlier on Sun Solaris 8, 9, ...) NOTE: Duplicate of CVE-2006-3805 CVE-2007-1793 (SPBBCDrv.sys in Symantec Norton Personal Firewall 2006 9.1.0.33 and 9. ...) NOT-FOR-US: Symantec Norton Personal Firewall CVE-2007-1792 (libdayzero.dll in the Filter Hub Service (filter-hub.exe) in Symantec ...) NOT-FOR-US: Symantec Mail Security CVE-2007-1791 (SQL injection vulnerability in wall.php in Picture-Engine 1.2.0 and ea ...) NOT-FOR-US: Picture-Engine CVE-2007-1790 (Multiple PHP remote file inclusion vulnerabilities in Kaqoo Auction So ...) NOT-FOR-US: Kaqoo Auction Software CVE-2007-1789 (Flyspray 0.9.9 allows remote attackers to obtain sensitive information ...) - flyspray (Code was introduced in 0.9.9, not sensitive anyway) CVE-2007-1788 (Flyspray 0.9.9, when output_buffering is disabled or "set to a low val ...) - flyspray 0.9.8-10 (medium) [sarge] - flyspray (Vulnerable code not present) CVE-2007-1787 (Multiple PHP remote file inclusion vulnerabilities in lib/timesheet.cl ...) NOT-FOR-US: Time-Assistant CVE-2007-1786 (SQL injection vulnerability in Hitachi Collaboration - Online Communit ...) NOT-FOR-US: Hitachi Collaboration CVE-2007-1785 (The RPC service in mediasvr.exe in CA BrightStor ARCserve Backup 11.5 ...) NOT-FOR-US: CA BrightStor ARCserve Backup CVE-2007-1784 (The JNILoader ActiveX control (STJNILoader.ocx) 3.1.0.26 in IBM Lotus ...) NOT-FOR-US: JNILoader ActiveX control CVE-2007-1783 REJECTED CVE-2006-7191 (Untrusted search path vulnerability in lamdaemon.pl in LDAP Account Ma ...) {DSA-1287-1} - ldap-account-manager 1.0.0-1 (medium) CVE-2006-7190 (Cross-site scripting (XSS) vulnerability in cgi-bin/user-lib/topics.pl ...) NOT-FOR-US: WebAPP CVE-2006-7189 (Cross-site scripting (XSS) vulnerability in cgi-bin/admin/logs.cgi in ...) NOT-FOR-US: WebAPP CVE-2006-7188 (The search function in cgi-lib/user-lib/search.pl in web-app.net WebAP ...) NOT-FOR-US: WebAPP CVE-2006-7187 (Cross-site scripting (XSS) vulnerability in the show_recent_searches f ...) NOT-FOR-US: WebAPP CVE-2006-7186 (cgi-lib/subs.pl in web-app.net WebAPP before 0.9.9.3.5 allows attacker ...) NOT-FOR-US: WebAPP CVE-2006-7185 (PHP remote file inclusion vulnerability in includes/user_standard.php ...) NOT-FOR-US: CMSmelborp CVE-2006-7184 (Multiple PHP remote file inclusion vulnerabilities in Exhibit Engine ( ...) NOT-FOR-US: Exhibit Engine CVE-2006-7183 (PHP remote file inclusion vulnerability in styles.php in Exhibit Engin ...) NOT-FOR-US: Exhibit Engine CVE-2007-XXXX [low-entropy default passphrase in Debian's dtc-xen] - dtc-xen 0.2.8-1 (low; bug #414480) CVE-2007-XXXX [file permission race conidition in Debian's dtc-xen] - dtc-xen 0.2.8-1 (low; bug #414482) CVE-2007-XXXX [too lenient UTF-8 decoder in kjs/function.cpp] - kdelibs 4:3.5.5a.dfsg.1-8 CVE-2007-XXXX [double-free vulnerability in the Real Media demuxer] - ffmpeg 0.cvs20060823-8 (low; bug #379922) - xmovie (this is not an issue in the avformat ffmpeg code copy) CVE-2007-XXXX [various crashes and infinite loops in ffmpeg] - ffmpeg 0.cvs20060823-8 (low; bug #407003) - xmovie CVE-2007-1782 (CruiseWorks 1.09e and earlier does not properly restrict user access t ...) NOT-FOR-US: CruiseWorks CVE-2007-1781 (Minna De Office 1.x and 2.x does not properly restrict user access to ...) NOT-FOR-US: Minna De Office CVE-2007-1780 (Cross-site scripting (XSS) vulnerability in the DHT shell (owdhtshell) ...) NOT-FOR-US: Overlay Weaver CVE-2007-1779 (Multiple SQL injection vulnerabilities in the MySQL back-end in Advanc ...) NOT-FOR-US: Advanced Website Creator CVE-2007-1778 (PHP remote file inclusion vulnerability in db/mysql.php in the Eve-Nuk ...) NOT-FOR-US: Eve-Nuke CVE-2007-1777 (Integer overflow in the zip_read_entry function in PHP 4 before 4.4.5 ...) {DSA-1283-1 DSA-1282-1 DTSA-39-1 DTSA-40-1} - php4 6:4.4.6-1 (medium) - php5 5.2.0-11 (medium) CVE-2007-1776 (SQL injection vulnerability in index.php in the DesignForJoomla.com D4 ...) NOT-FOR-US: D4J eZine CVE-2007-1775 (Unrestricted file upload vulnerability in upload.php3 in JBrowser 2.4 ...) NOT-FOR-US: JBrowser CVE-2007-1774 (Multiple cross-site scripting (XSS) vulnerabilities in aBitWhizzy allo ...) NOT-FOR-US: aBitWhizzy CVE-2007-1773 (Multiple directory traversal vulnerabilities in aBitWhizzy allow remot ...) NOT-FOR-US: aBitWhizzy CVE-2007-1772 (The FTP service in HP JetDirect print servers allows remote attackers ...) NOT-FOR-US: HP JetDirect CVE-2007-1771 (PHP remote file inclusion vulnerability in manage/javascript/formjavas ...) NOT-FOR-US: Ay System Solutions Web Content System CVE-2007-1770 (Buffer overflow in the ArcSDE service (giomgr) in Environmental System ...) NOT-FOR-US: ArcSDE CVE-2007-1769 REJECTED CVE-2007-1768 (Cross-site scripting (XSS) vulnerability in app/helpers/application_he ...) NOT-FOR-US: Mephisto CVE-2007-1767 (Unspecified vulnerability in (1) Deskbar.dll and (2) Toolbar.dll in AO ...) NOT-FOR-US: AOL CVE-2007-1766 (PHP remote file inclusion vulnerability in login/engine/db/profiledit. ...) NOT-FOR-US: Advanced Login CVE-2007-1765 (Unspecified vulnerability in Microsoft Windows 2000 SP4 through Vista ...) NOT-FOR-US: Microsoft CVE-2007-1764 (Stack-based buffer overflow in FastStone Image Viewer 2.8 allows user- ...) NOT-FOR-US: FastStone Image Viewer CVE-2007-1763 (The ATI kernel driver (atikmdag.sys) in Microsoft Windows Vista allows ...) NOT-FOR-US: Microsoft CVE-2007-1762 (Mozilla Firefox 2.0.0.1 through 2.0.0.3 does not canonicalize URLs bef ...) - iceweasel 3.0.1-1 (unimportant; bug #445515) NOTE: I don't believe this has relevant security impact, such a black list NOTE: will register URLs found in the wild and the used adresses will be NOTE: volatile anyway CVE-2007-1761 REJECTED CVE-2007-1760 REJECTED CVE-2007-1759 REJECTED CVE-2007-1758 REJECTED CVE-2007-1757 REJECTED CVE-2007-1756 (Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2003 Viewer, and Office ...) NOT-FOR-US: Microsoft Excel CVE-2007-1755 REJECTED CVE-2007-1754 (PUBCONV.DLL in Microsoft Office Publisher 2007 does not properly clear ...) NOT-FOR-US: Microsoft Office CVE-2007-1753 REJECTED CVE-2007-1752 REJECTED CVE-2007-1751 (Microsoft Internet Explorer 5.01, 6, and 7 allows remote attackers to ...) NOT-FOR-US: Microsoft CVE-2007-1750 (Unspecified vulnerability in Microsoft Internet Explorer 6 allows remo ...) NOT-FOR-US: Microsoft CVE-2007-1749 (Integer underflow in the CDownloadSink class code in the Vector Markup ...) NOT-FOR-US: Vector Markup Language CVE-2007-1748 (Stack-based buffer overflow in the RPC interface in the Domain Name Sy ...) NOT-FOR-US: Microsoft Windows CVE-2007-1747 (Unspecified vulnerability in MSO.dll in Microsoft Office 2000 SP3, 200 ...) NOT-FOR-US: Microsoft Office CVE-2007-1746 RESERVED CVE-2007-1745 (The chm_decompress_stream function in libclamav/chmunpack.c in Clam An ...) {DSA-1281-1 DTSA-37-1} - clamav 0.90.2-1 (high) CVE-2007-1744 (Directory traversal vulnerability in the Shared Folders feature for VM ...) NOT-FOR-US: VMware CVE-2007-1743 (suexec in Apache HTTP Server (httpd) 2.2.3 does not verify combination ...) - apache2 (unimportant) CVE-2007-1742 (suexec in Apache HTTP Server (httpd) 2.2.3 uses a partial comparison f ...) - apache2 2.2.8-5 (unimportant) CVE-2007-1741 (Multiple race conditions in suexec in Apache HTTP Server (httpd) 2.2.3 ...) - apache2 2.2.8-5 (unimportant) CVE-2007-1740 REJECTED CVE-2007-1739 (Heap-based buffer overflow in the LDAP server in IBM Lotus Domino befo ...) NOT-FOR-US: IBM Lotus Domino CVE-2007-1738 (TrueCrypt 4.3, when installed setuid root, allows local users to cause ...) NOT-FOR-US: TrueCrypt CVE-2007-1737 (Opera 9.10 does not check URLs embedded in (1) object or (2) iframe HT ...) NOT-FOR-US: Opera CVE-2007-1736 (Mozilla Firefox 2.0.0.3 does not check URLs embedded in (1) object or ...) - iceweasel (unimportant) NOTE: I don't believe this has relevant security impact, such a black list NOTE: will register URLs found in the wild and the used adresses will be NOTE: volatile anyway CVE-2007-1735 (Stack-based buffer overflow in Corel WordPerfect Office X3 (13.0.0.565 ...) NOT-FOR-US: Corel WordPerfect CVE-2007-1734 (The DCCP support in the do_dccp_getsockopt function in net/dccp/proto. ...) - linux-2.6 2.6.20-1 (medium; bug #420875) [etch] - linux-2.6 (Vulnerable code not present) CVE-2007-1733 (Buffer overflow in InterVations NaviCOPA HTTP Server 2.01 allows remot ...) NOT-FOR-US: NaviCOPA HTTP Server CVE-2007-1732 - wordpress 2.1.3-1 (unimportant) NOTE: Administrators can post full HTML, that is a feature. Rightly disputed. CVE-2007-1731 (Multiple stack-based buffer overflows in High Performance Anonymous FT ...) NOT-FOR-US: hpaftpd CVE-2007-1730 (Integer signedness error in the DCCP support in the do_dccp_getsockopt ...) - linux-2.6 2.6.21-1 (medium) [etch] - linux-2.6 (Vulnerable code not present) CVE-2007-1729 (SQL injection vulnerability in includes/start.php in Flexbb 1.0.0 1000 ...) NOT-FOR-US: Flexbb CVE-2007-1728 (The Remote Play feature in Sony Playstation 3 (PS3) 1.60 and Playstati ...) NOT-FOR-US: Sony Playstation 3 CVE-2007-1727 (Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) ...) NOT-FOR-US: HP OpenView CVE-2007-1726 (Unrestricted file upload vulnerability in index.php in IceBB 1.0-rc5 a ...) NOT-FOR-US: IceBB CVE-2007-1725 (SQL injection vulnerability in index.php in IceBB 1.0-rc5 allows remot ...) NOT-FOR-US: IceBB CVE-2007-1724 (Unspecified vulnerability in ReactOS 0.3.1 has unknown impact and atta ...) NOT-FOR-US: ReactOS CVE-2007-1723 (Multiple cross-site scripting (XSS) vulnerabilities in the administrat ...) NOT-FOR-US: IronMail CVE-2007-1722 (Buffer overflow in the DownloadCertificateExt function in SignKorea SK ...) NOT-FOR-US: SKCommAX ActiveX control CVE-2007-1721 (Multiple PHP remote file inclusion vulnerabilities in C-Arbre 0.6PR7 a ...) NOT-FOR-US: C-Arbre CVE-2007-1720 (Directory traversal vulnerability in addressbook.php in the Addressboo ...) NOT-FOR-US: Addressbook 1.2 module for PHP-Nuke CVE-2007-1719 (Buffer overflow in eject.c in Jason W. Bacon mcweject 0.9 on FreeBSD, ...) NOT-FOR-US: mcweject CVE-2007-1718 (CRLF injection vulnerability in the mail function in PHP 4.0.0 through ...) {DSA-1283-1 DSA-1282-1 DTSA-39-1 DTSA-40-1} - php4 (medium) [sarge] - php4 (Vulnerable code not present) - php5 5.2.0-11 (medium) CVE-2007-1717 (The mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 t ...) - php4 6:4.4.6-2 (unimportant) - php5 5.2.2-1 (unimportant) NOTE: This is a regular bug, not a security problem CVE-2007-1716 (pam_console does not properly restore ownership for certain console de ...) NOT-FOR-US: pam_console CVE-2007-1715 (PHP remote file inclusion vulnerability in frontpage.php in Free Image ...) NOT-FOR-US: Free Image Hosting CVE-2007-1714 (Cross-site scripting (XSS) vulnerability in index.php in CcCounter 2.0 ...) NOT-FOR-US: CcCounter CVE-2007-1713 (CRLF injection vulnerability in BSMTP.DLL in B21Soft BASP21 2003.0211, ...) NOT-FOR-US: BASP21 CVE-2007-1712 (SQL injection vulnerability in default.asp in ActiveWebSoftwares Activ ...) NOT-FOR-US: Active Auction Pro CVE-2007-1711 (Double free vulnerability in the unserializer in PHP 4.4.5 and 4.4.6 a ...) {DSA-1283-1 DSA-1282-1} - php4 6:4.4.6-2 - php5 5.2.0-9 NOTE: register_globals not supported CVE-2007-1710 (The readfile function in PHP 4.4.4, 5.1.6, and 5.2.1 allows context-de ...) - php4 (unimportant) - php5 (unimportant) NOTE: Safe mode violations not supported, insufficient measure CVE-2007-1709 (Buffer overflow in the confirm_phpdoc_compiled function in the phpDOC ...) NOT-FOR-US: PECL phpDOC CVE-2007-1708 (PHP remote file inclusion vulnerability in lib/db/ez_sql.php in ttCMS ...) NOT-FOR-US: ttCMS CVE-2007-1707 (PHP remote file inclusion vulnerability in index.php in Net Side Conte ...) NOT-FOR-US: Net-Side.net CMS CVE-2007-1706 (SQL injection vulnerability in eWebQuiz.asp in eWebQuiz 8 allows remot ...) NOT-FOR-US: eWebQuiz CVE-2007-1705 (SQL injection vulnerability in default.asp in Active Trade 2 allows re ...) NOT-FOR-US: Active Trade CVE-2007-1704 (SQL injection vulnerability in index.php in the Car Manager (com_resma ...) NOT-FOR-US: Joomla module Car Manager CVE-2007-1703 (SQL injection vulnerability in index.php in the RWCards (com_rwcards) ...) NOT-FOR-US: Joomla module RWCards CVE-2007-1702 (PHP remote file inclusion vulnerability in mod_flatmenu.php in the Fla ...) NOT-FOR-US: Flatmenu CVE-2007-1701 (PHP 4 before 4.4.5, and PHP 5 before 5.2.1, when register_globals is e ...) - php5 5.2.0-9 (unimportant) - php4 6:4.4.4-9 (unimportant) NOTE: register_globals not supported NOTE: Dupe of CVE-2007-0910 CVE-2007-1700 (The session extension in PHP 4 before 4.4.5, and PHP 5 before 5.2.1, c ...) {DSA-1283-1 DTSA-39-1} - php5 5.2.0-9 - php4 6:4.4.4-9 [etch] - php5 5.2.0-8+etch1 [etch] - php4 6:4.4.4-8+etch1 [sarge] - php4 4:4.3.10-21 NOTE: This was fixed as a side-effect of previous security fixes, noting the NOTE: status as of DSA-1286 as fixed version. likewise the oldstable NOTE: version was fixed. CVE-2007-1699 (Multiple PHP remote file inclusion vulnerabilities in the SWmenu (com_ ...) NOT-FOR-US: Mambo module SWmenu CVE-2007-1698 (download.php in Philex 0.2.3 and earlier allows remote attackers to re ...) NOT-FOR-US: Philex CVE-2007-1697 (PHP remote file inclusion vulnerability in header.inc.php in Philex 0. ...) NOT-FOR-US: Philex CVE-2007-1696 (SQL injection vulnerability in ViewNewspapers.asp in Active Newsletter ...) NOT-FOR-US: Active Newsletter CVE-2007-1695 - phpbb2 (requires register_globals to exploit) NOTE: Vulnerability is disputed, but is a non-issue anyway. CVE-2007-1694 RESERVED CVE-2007-1693 (The SIP channel module in Yet Another Telephony Engine (Yate) before 1 ...) - yate 1.2.0-1.dfsg-1 (low; bug #421994) [etch] - yate (Minor issue, fringe application) CVE-2007-1692 (The default configuration of Microsoft Windows uses the Web Proxy Auto ...) NOT-FOR-US: Microsoft CVE-2007-1691 (Stack-based buffer overflow in Second Sight Software ActiveMod ActiveX ...) NOT-FOR-US: Second Sight Software CVE-2007-1690 (Multiple stack-based buffer overflows in Second Sight Software ActiveG ...) NOT-FOR-US: Second Sight Software CVE-2007-1689 (Buffer overflow in the ISAlertDataCOM ActiveX control in ISLALERT.DLL ...) NOT-FOR-US: Norton CVE-2007-1688 (Buffer overflow in the PhPInfo ActiveX control in PhPCtrl.dll in Calli ...) NOT-FOR-US: PhPInfo ActiveX control CVE-2007-1687 (Multiple buffer overflows in the Internet Pictures Corporation iPIX Im ...) NOT-FOR-US: iPIX Image Well ActiveX control CVE-2007-1686 RESERVED CVE-2007-1685 (Buffer overflow in k9filter.exe in BlueCoat K9 Web Protection 3.2.36, ...) NOT-FOR-US: BlueCoat CVE-2007-1684 (The Run function in SolidWorks sldimdownload ActiveX control in sldimd ...) NOT-FOR-US: sldimdownload ActiveX control CVE-2007-1683 (Stack-based buffer overflow in the DoWebMenuAction function in the Inc ...) NOT-FOR-US: IncrediMail CVE-2007-1682 (Multiple stack-based buffer overflows in the FileManager ActiveX contr ...) NOT-FOR-US: FileManager ActiveX CVE-2007-1681 (Format string vulnerability in libwebconsole_services.so in Sun Java W ...) NOT-FOR-US: Sun Solaris CVE-2007-1680 (Stack-based buffer overflow in the createAndJoinConference function in ...) NOT-FOR-US: AudioConf ActiveX control CVE-2007-1679 NOTE: Allegedly a duplicate of CVE-2006-4255. NOTE: The other issue needs a CSRF attack to exploit. CVE-2007-1678 (Cross-site scripting (XSS) vulnerability in the Fizzle 0.5 extension f ...) NOT-FOR-US: Fizzle 0.5 extension for Firefox CVE-2007-1677 (Multiple buffer overflows in the ISO network protocol support in the N ...) NOT-FOR-US: NetBSD CVE-2007-1676 RESERVED CVE-2007-1675 (Buffer overflow in the CRAM-MD5 authentication mechanism in the IMAP s ...) NOT-FOR-US: IBM Lotus Domino CVE-2007-1674 (Stack-based buffer overflow in the Alert Service (aolnsrvr.exe) in LAN ...) NOT-FOR-US: LANDesk Management Suite CVE-2007-1673 (unzoo.c, as used in multiple products including AMaViS 2.4.1 and earli ...) [sarge] - zoo (Minor issue) [etch] - zoo (Minor issue) - zoo 2.10-19 (bug #424686) - unzoo 4.4-7 (bug #424690) [sarge] - unzoo (Minor issue) [etch] - unzoo (Minor issue) CVE-2007-1672 (avast! antivirus before 4.7.981 allows remote attackers to cause a den ...) NOT-FOR-US: avast CVE-2007-1671 (avpack32.dll before 7.3.0.6 in Avira AntiVir allows remote attackers t ...) NOT-FOR-US: Avira CVE-2007-1670 (Panda Software Antivirus before 20070402 allows remote attackers to ca ...) NOT-FOR-US: Panda CVE-2007-1669 (zoo decoder 2.10 (zoo-2.10), as used in multiple products including (1 ...) NOT-FOR-US: Barracuda CVE-2007-1668 RESERVED CVE-2007-1666 (The processor_request function in the debugger server for DataRescue I ...) NOT-FOR-US: IDA Pro CVE-2007-1665 (Memory leak in the token OCR functionality in ekg before 1:1.7~rc2-1et ...) {DSA-1318-1} - ekg 1:1.7~rc2-2 (low) [sarge] - ekg (Vulnerable code not present) CVE-2007-1664 (ekg before 1:1.7~rc2-1etch1 on Debian GNU/Linux Etch allows remote att ...) {DSA-1318-1} - ekg 1:1.7~rc2-2 (low) [sarge] - ekg (Vulnerable code not present) CVE-2007-1663 (Memory leak in the image message functionality in ekg before 1:1.7~rc2 ...) {DSA-1318-1} - ekg 1:1.7~rc2-2 (low) [sarge] - ekg (Vulnerable code not present) CVE-2007-1662 (Perl-Compatible Regular Expression (PCRE) library before 7.3 reads pas ...) {DSA-1570-1 DSA-1399-1 DTSA-77-1} - pcre3 7.3-1 - kazehakase 0.5.2-1 - glib2.0 2.14.3-1 (unimportant) NOTE: glib only embeds pcre in the udeb, no attack vector CVE-2007-1661 (Perl-Compatible Regular Expression (PCRE) library before 7.3 backtrack ...) {DSA-1570-1 DSA-1399-1 DTSA-77-1} - pcre3 7.3-1 - kazehakase 0.5.2-1 - glib2.0 2.14.3-1 (unimportant) NOTE: glib only embeds pcre in the udeb, no attack vector CVE-2007-1660 (Perl-Compatible Regular Expression (PCRE) library before 7.0 does not ...) {DSA-1570-1 DSA-1399-1 DTSA-77-1} - pcre3 7.3-1 - kazehakase 0.5.2-1 - glib2.0 2.14.3-1 (unimportant) NOTE: glib only embeds pcre in the udeb, no attack vector CVE-2007-1659 (Perl-Compatible Regular Expression (PCRE) library before 7.3 allows co ...) {DSA-1570-1 DSA-1399-1 DTSA-77-1} - kazehakase 0.5.2-1 - pcre3 7.3-1 - glib2.0 2.14.3-1 (unimportant) NOTE: glib only embeds pcre in the udeb, no attack vector CVE-2007-1658 (Windows Mail in Microsoft Windows Vista might allow user-assisted remo ...) NOT-FOR-US: Microsoft CVE-2007-1657 (Stack-based buffer overflow in the file_compress function in minigzip ...) - python2.5 (does not build minigzip.c) CVE-2007-1656 (Multiple SQL injection vulnerabilities in index.php in Katalog Plyt Au ...) NOT-FOR-US: Plyt Audio CVE-2007-1655 (Buffer overflow in the fun_ladd function in funmath.cpp in TinyMUX bef ...) {DSA-1317-1} - tinymux 2.4.3.31-1.1 (bug #417539) CVE-2007-1654 (Buffer overflow in the Ne7sshSftp::addOpenHandle function in ne7ssh_sf ...) NOT-FOR-US: ne7ssh CVE-2007-1653 (GlowWorm FW before 1.5.3b4 allows remote attackers to cause a denial o ...) NOT-FOR-US: GlowWorm FW CVE-2007-1652 (OpenID allows remote attackers to forcibly log a user into an OpenID e ...) NOT-FOR-US: MyOpenID.com CVE-2007-1651 (Cross-site request forgery (CSRF) vulnerability in OpenID allows remot ...) NOT-FOR-US: MyOpenID.com CVE-2007-1650 (pcapsipdump.cpp in pcapsipdump before 0.1.3 allows remote attackers to ...) NOT-FOR-US: pcapsipdump CVE-2007-1649 (PHP 5.2.1 allows context-dependent attackers to read portions of heap ...) - php5 5.2.2-1 [etch] - php5 (Only affects PHP 5.2.1) CVE-2007-1648 (0irc 1345 build 20060823 allows remote attackers to cause a denial of ...) NOT-FOR-US: 0irc CVE-2007-1647 (Moodle 1.5.2 and earlier stores sensitive information under the web ro ...) - moodle 1.5.3-1 (low) CVE-2007-1646 (Multiple cross-site scripting (XSS) vulnerabilities in SubHub 2.3.0 al ...) NOT-FOR-US: SubHub CVE-2007-1645 (Buffer overflow in FutureSoft TFTP Server 2000 on Microsoft Windows 20 ...) NOT-FOR-US: FutureSoft TFTP Server CVE-2007-1644 (The dynamic DNS update mechanism in the DNS Server service on Microsof ...) NOT-FOR-US: Microsoft DNS Server CVE-2007-1643 (Multiple PHP remote file inclusion vulnerabilities in LAN Management S ...) NOT-FOR-US: LAN Management System CVE-2007-1642 (Unspecified vulnerability in ManageEngine Firewall Analyzer allows rem ...) NOT-FOR-US: ManageEngine Firewall Analyzer CVE-2007-1641 (SQL injection vulnerability in index.php in PortailPHP 2.0 allows remo ...) NOT-FOR-US: PortailPHP CVE-2007-1640 (Multiple PHP remote file inclusion vulnerabilities in ClassWeb 2.03 an ...) NOT-FOR-US: ClassWeb CVE-2007-1639 (Unrestricted file upload vulnerability in PHProjekt 5.2.0, when magic_ ...) NOT-FOR-US: PHProjekt CVE-2007-1638 (Multiple cross-site request forgery (CSRF) vulnerabilities in the chec ...) NOT-FOR-US: PHProjekt CVE-2007-1637 (Multiple buffer overflows in the IMAILAPILib ActiveX control (IMailAPI ...) NOT-FOR-US: IMAILAPILib ActiveX control CVE-2007-1636 (Directory traversal vulnerability in index.php in RoseOnlineCMS 3 B1 a ...) NOT-FOR-US: RoseOnlineCMS CVE-2007-1635 (Static code injection vulnerability in admin/settings.php in Net Porta ...) NOT-FOR-US: Net Portal Dynamic System CVE-2007-1634 (Variable extraction vulnerability in grab_globals.php in Net Portal Dy ...) NOT-FOR-US: Net Portal Dynamic System CVE-2007-1633 (Directory traversal vulnerability in bbcode_ref.php in the Giorgio Cir ...) NOT-FOR-US: Splatt Forum CVE-2007-1632 (Unspecified vulnerability in TYPOlight webCMS before 2.2 Build 5 has u ...) NOT-FOR-US: webCMS CVE-2007-1631 NOT-FOR-US: CLBOX CVE-2007-1630 (SQL injection vulnerability in default.asp in ActiveWebSoftwares Activ ...) NOT-FOR-US: Active Link Engine CVE-2007-1629 (SQL injection vulnerability in default.asp in ActiveWebSoftwares Activ ...) NOT-FOR-US: Active Photo Gallery CVE-2007-1628 (Multiple PHP remote file inclusion vulnerabilities in Study planner (S ...) NOT-FOR-US: Study planner CVE-2007-1627 REJECTED CVE-2007-1626 (PHP remote file inclusion vulnerability in iframe.php in the iFrame Mo ...) NOT-FOR-US: iFrame Module for PHP-NUKE CVE-2007-1625 (Cross-site scripting (XSS) vulnerability in save_entry.php in realGues ...) NOT-FOR-US: realGuestbook CVE-2007-1624 (Multiple SQL injection vulnerabilities in realGuestbook 5.01 allow rem ...) NOT-FOR-US: realGuestbook CVE-2007-1623 (Multiple cross-site scripting (XSS) vulnerabilities in realGuestbook 5 ...) NOT-FOR-US: realGuestbook CVE-2007-1622 (Cross-site scripting (XSS) vulnerability in wp-admin/vars.php in WordP ...) {DSA-1285-1} - wordpress 2.1.3-1 (medium) CVE-2007-1621 (PHP remote file inclusion vulnerability in templates/head.php in Activ ...) NOT-FOR-US: Active PHP Bookmark Notes CVE-2007-1620 (Multiple PHP remote file inclusion vulnerabilities in PHP DB Designer ...) NOT-FOR-US: PHP DB Designer CVE-2007-1619 (SQL injection vulnerability in viewcomments.php in ScriptMagix Photo R ...) NOT-FOR-US: ScriptMagix CVE-2007-1618 (SQL injection vulnerability in index.php in ScriptMagix FAQ Builder 2. ...) NOT-FOR-US: ScriptMagix CVE-2007-1617 (SQL injection vulnerability in index.php in ScriptMagix Recipes 2.0 an ...) NOT-FOR-US: ScriptMagix CVE-2007-1616 (SQL injection vulnerability in index.php in ScriptMagix Lyrics 2.0 and ...) NOT-FOR-US: ScriptMagix CVE-2007-1615 (SQL injection vulnerability in index.php in ScriptMagix Jokes 2.0 and ...) NOT-FOR-US: ScriptMagix CVE-2007-1614 (Stack-based buffer overflow in the zzip_open_shared_io function in zzi ...) {DTSA-56-1} - zziplib 0.13.49-0 (bug #436701; low) [etch] - zziplib (Minor issue) NOTE: http://www.securitylab.ru/forum/read.php?FID=21&TID=40858&MID=326187#message326187 NOTE: If an attacker can supply arbitrary file names, we likely suffer from NOTE: an information disclosure issue anyway. CVE-2007-1613 (Directory traversal vulnerability in view.php in MPM Chat 2.5 allows r ...) NOT-FOR-US: MPM Chat CVE-2007-1612 (SQL injection vulnerability in index.php in Katalog Plyt Audio 1.0 and ...) NOT-FOR-US: Plyt Audio CVE-2007-1611 (Cross-site scripting (XSS) vulnerability in the RSS reader in a certai ...) NOT-FOR-US: IKANARI JIJYOU CVE-2007-1610 (Cross-site scripting (XSS) vulnerability in the RSS reader in Glue Sof ...) NOT-FOR-US: NewsGlue CVE-2007-1609 (Cross-site scripting (XSS) vulnerability in servlet/Spy in Dynamic Mon ...) NOT-FOR-US: Oracle Application Server CVE-2007-1608 (CRLF injection vulnerability in IBM WebSphere Application Server (WAS) ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2007-1607 (search.php in w-Agora (Web-Agora) allows remote attackers to obtain po ...) NOT-FOR-US: Web-Agora CVE-2007-1606 (Multiple cross-site scripting (XSS) vulnerabilities in w-Agora (Web-Ag ...) NOT-FOR-US: Web-Agora CVE-2007-1605 (w-Agora (Web-Agora) allows remote attackers to obtain sensitive inform ...) NOT-FOR-US: Web-Agora CVE-2007-1604 (Multiple unrestricted file upload vulnerabilities in w-Agora (Web-Agor ...) NOT-FOR-US: Web-Agora CVE-2007-1603 (admin/contest.php in Weekly Drawing Contest 0.0.1 allows remote attack ...) NOT-FOR-US: Weekly Drawing Contest CVE-2007-1602 (SQL injection vulnerability in check_vote.php in Weekly Drawing Contes ...) NOT-FOR-US: Weekly Drawing Contest CVE-2007-1601 NOT-FOR-US: Weekly Drawing Contest CVE-2007-1600 (PHP remote file inclusion vulnerability in module.php in Digital Eye G ...) NOT-FOR-US: Digital Eye Gallery CVE-2007-1599 (wp-login.php in WordPress allows remote attackers to redirect authenti ...) {DSA-1601-1} - wordpress 2.2.2-1 (bug #437085; low) CVE-2007-1598 (Stack-based buffer overflow in InterVations FileCOPA FTP Server 1.01 a ...) NOT-FOR-US: FileCOPA FTP CVE-2007-1597 (Unclassified NewsBoard 1.6.3 stores sensitive information under the we ...) NOT-FOR-US: Unclassified NewsBoard CVE-2007-1596 (Multiple PHP remote file inclusion vulnerabilities in the NFN Address ...) NOT-FOR-US: NFN Address Book CVE-2007-1595 (The Asterisk Extension Language (AEL) in pbx/pbx_ael.c in Asterisk doe ...) - asterisk 1:1.4.0~dfsg-1 (low) [etch] - asterisk (Only affects 1.4.x) [sarge] - asterisk (Only affects 1.4.x) CVE-2007-1593 (The administrative service in Symantec Veritas Volume Replicator (VVR) ...) NOT-FOR-US: Symantec CVE-2007-1592 (net/ipv6/tcp_ipv6.c in Linux kernel 2.6.x up to 2.6.21-rc3 inadvertent ...) {DSA-1503-2 DSA-1503-1 DSA-1304 DSA-1286-1} - linux-2.6 2.6.20-1 (medium) CVE-2007-1591 (VsapiNT.sys in the Scan Engine 8.0 for Trend Micro AntiVirus 14.10.104 ...) NOT-FOR-US: Trend Micro CVE-2006-7182 (PHP remote file inclusion vulnerability in noticias.php in MNews 2.0 a ...) NOT-FOR-US: MNews CVE-2006-7181 NOT-FOR-US: Morcego CMS CVE-2006-7180 (ieee80211_output.c in MadWifi before 0.9.3 sends unencrypted packets b ...) - madwifi 1:0.9.2+r1842.20061207-2 (low) [etch] - madwifi (Non-free not supported) CVE-2006-7179 (ieee80211_input.c in MadWifi before 0.9.3 does not properly process Ch ...) - madwifi 1:0.9.2+r1842.20061207-2 (low) [etch] - madwifi (Non-free not supported) CVE-2006-7178 (MadWifi before 0.9.3 does not properly handle reception of an AUTH fra ...) - madwifi 1:0.9.2+r1842.20061207-2 (low) [etch] - madwifi (Non-free not supported) CVE-2006-7177 (MadWifi, when Ad-Hoc mode is used, allows remote attackers to cause a ...) - madwifi 1:0.9.2+r1842.20061207-2 (low) [etch] - madwifi (Non-free not supported) CVE-2006-7176 (The version of Sendmail 8.13.1-2 on Red Hat Enterprise Linux 4 Update ...) - sendmail (Not a program flaw, a DNS error) CVE-2006-7175 (The version of Sendmail 8.13.1-2 on Red Hat Enterprise Linux 4 Update ...) - sendmail (Debian compiles with FFR_TLS correctly) CVE-2005-4835 (The ath_rate_sample function in the ath_rate/sample/sample.c sample co ...) - madwifi 1:0.9.2+r1842.20061207-2 (low) [etch] - madwifi (Non-free not supported) CVE-2003-1324 (Race condition in the can_open function in Elm ME+ 2.4, when installed ...) NOT-FOR-US: Elm, removed in 2002 CVE-2003-1323 (Elm ME+ 2.4 before PL109S, when installed setgid mail and the operatin ...) NOT-FOR-US: Elm, removed in 2002 CVE-2007-1590 (The Grandstream BudgeTone 200 IP phone, with program 1.1.1.14 and boot ...) NOT-FOR-US: Grandstream CVE-2007-1589 (TrueCrypt before 4.3, when set-euid mode is used on Linux, allows loca ...) NOT-FOR-US: Truecrypt CVE-2007-1588 (server.cpp in MyServer 0.8.5 calls Process::setuid before calling Proc ...) NOT-FOR-US: MyServer CVE-2007-1587 (templates/config/mail.tpl in Tim Soderstrom StatsDawg 0.92 allows remo ...) NOT-FOR-US: StatsDawg CVE-2007-1586 (ZynOS 3.40 allows remote attackers to cause a denial of service (link ...) NOT-FOR-US: Zyxel CVE-2007-1585 (The Linksys WAG200G with firmware 1.01.01, WRT54GC 2 with firmware 1.0 ...) NOT-FOR-US: Cisco CVE-2007-1584 (Buffer underflow in the header function in PHP 5.2.0 allows context-de ...) NOTE: Dupe of CVE-2007-0907; Fixed in DSA-1264, php5 5.2.0-9, php4 6:4.4.4-9 CVE-2007-1583 (The mb_parse_str function in PHP 4.0.0 through 4.4.6 and 5.0.0 through ...) {DSA-1283-1 DSA-1282-1 DTSA-39-1 DTSA-40-1} - php5 5.2.0-11 (medium) - php4 (medium) CVE-2007-1582 (The resource system in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 ...) - php5 (unimportant) - php4 (unimportant) NOTE: Only triggerable by malicious script CVE-2007-1581 (The resource system in PHP 5.0.0 through 5.2.1 allows context-dependen ...) - php5 (unimportant) NOTE: Only triggerable by malicious script CVE-2007-1580 (FTPDMIN 0.96 allows remote attackers to cause a denial of service (dae ...) NOT-FOR-US: FTPDMIN CVE-2007-1579 (Stack-based buffer overflow in Atrium MERCUR IMAPD allows remote attac ...) NOT-FOR-US: MERCUR IMAPD CVE-2007-1578 (Multiple integer signedness errors in the NTLM implementation in Atriu ...) NOT-FOR-US: MERCUR IMAPD CVE-2007-1577 (Directory traversal vulnerability in index.php in GeBlog 0.1 allows re ...) NOT-FOR-US: GeBlog CVE-2007-1576 (Multiple cross-site scripting (XSS) vulnerabilities in PHProjekt 5.2.0 ...) NOT-FOR-US: PHProjekt CVE-2007-1575 (Multiple SQL injection vulnerabilities in PHProjekt 5.2.0, when magic_ ...) NOT-FOR-US: PHProjekt CVE-2007-1574 (CARE2X 2.2, and possibly earlier, allows remote attackers to obtain co ...) NOT-FOR-US: CARE2X CVE-2007-1573 (SQL injection vulnerability in admincp/attachment.php in Jelsoft vBull ...) NOT-FOR-US: vBulletin CVE-2007-1572 (SQL injection vulnerability in search.asp in JGBBS 3.0 Beta 1 and earl ...) NOT-FOR-US: JGBBS CVE-2007-1571 (PHP remote file inclusion vulnerability in includes/base.php in Radica ...) NOT-FOR-US: Activist Mobilization Platform CVE-2007-1570 REJECTED CVE-2007-1569 (Stack-based buffer overflow in NewsBin Pro 4.32 allows remote attacker ...) NOT-FOR-US: NewsBin Pro CVE-2007-1568 (Stack-based buffer overflow in DaanSystems NewsReactor 20070220.21 all ...) NOT-FOR-US: NewsReactor CVE-2007-1567 (Stack-based buffer overflow in War FTP Daemon 1.65, and possibly earli ...) NOT-FOR-US: WarFTPd CVE-2007-1566 (SQL injection vulnerability in News/page.asp in NetVIOS Portal allows ...) NOT-FOR-US: NetVIOS Portal CVE-2007-1565 (Konqueror 3.5.5 allows remote attackers to cause a denial of service ( ...) - kdelibs (unimportant) CVE-2007-1564 (The FTP protocol implementation in Konqueror 3.5.5 allows remote serve ...) - kdelibs 4:3.5.5a.dfsg.1-7 CVE-2007-1563 (The FTP protocol implementation in Opera 9.10 allows remote attackers ...) NOT-FOR-US: Opera CVE-2007-1562 (The FTP protocol implementation in Mozilla Firefox before 1.5.0.11 and ...) - iceweasel 2.0.0.3-1 (low) CVE-2007-1560 (The clientProcessRequest() function in src/client_side.c in Squid 2.6 ...) - squid 2.6.5-6 (low) [sarge] - squid (Vulnerable code not present) CVE-2007-1559 (Multiple stack-based buffer overflows in SonicDVDDashVRNav.dll in Roxi ...) NOT-FOR-US: Roxio CVE-2007-1558 (The APOP protocol allows remote attackers to guess the first 3 charact ...) {DSA-1305-1 DSA-1300-1 DTSA-46-1 DTSA-47-1} NOTE: Affects various clients, but no practical security implications NOTE: MFSA2007-15 - icedove 2.0.0.4-1 - iceape 1.1.2-1 - fetchmail 6.3.8-1 (unimportant) [etch] - fetchmail 6.3.6-1etch3 - mailfilter 0.8.2-1 (unimportant) - mutt 1.5.18-6 (unimportant) NOTE: i couldn't pinpoint exact mutt fixed version, but lenny's version has the NOTE: patch and etch's version does not (http://dev.mutt.org/trac/ticket/2846) - balsa 2.3.17-1 (unimportant) - claws-mail 2.9.1-1 (unimportant) CVE-2007-1557 (Format string vulnerability in F-Secure Anti-Virus Client Security 6.0 ...) NOT-FOR-US: F-Secure CVE-2007-1556 (SQL injection vulnerability in kommentare.php in Creative Files 1.2 al ...) NOT-FOR-US: Creative Files CVE-2007-1555 (SQL injection vulnerability in forum.php in the Minerva mod 2.0.21 bui ...) NOT-FOR-US: Minerva module of phpBB CVE-2007-1554 (Direct static code injection vulnerability in admin/configuration.php ...) NOT-FOR-US: Guestbara CVE-2007-1553 (admin/configuration.php in Guestbara 1.2 and earlier allows remote att ...) NOT-FOR-US: Guestbara CVE-2007-1552 (Unrestricted file upload vulnerability in usercp.php in MetaForum 0.51 ...) NOT-FOR-US: MetaForum CVE-2007-1551 (Multiple cross-site scripting (XSS) vulnerabilities in phpx 3.5.15 all ...) NOT-FOR-US: phpx CVE-2007-1550 (Multiple SQL injection vulnerabilities in phpx 3.5.15 allow remote att ...) NOT-FOR-US: phpx CVE-2007-1549 (Unrestricted file upload vulnerability in gallery.php in phpx 3.5.15 a ...) NOT-FOR-US: phpx CVE-2007-1548 (SQL injection vulnerability in functions/functions_filters.asp in Web ...) NOT-FOR-US: Web Wiz Forums CVE-2007-1547 (The ReadRequestFromClient function in server/os/io.c in Network Audio ...) {DSA-1273-1} - nas 1.8-4 (low; bug #416038) CVE-2007-1546 (Array index error in Network Audio System (NAS) before 1.8a SVN 237 al ...) {DSA-1273-1} - nas 1.8-4 (low; bug #416038) CVE-2007-1545 (The AddResource function in server/dia/resource.c in Network Audio Sys ...) {DSA-1273-1} - nas 1.8-4 (low; bug #416038) CVE-2007-1544 (Integer overflow in the ProcAuWriteElement function in server/dia/audi ...) {DSA-1273-1} - nas 1.8-4 (low; bug #416038) CVE-2007-1543 (Stack-based buffer overflow in the accept_att_local function in server ...) {DSA-1273-1} - nas 1.8-4 (medium; bug #416038) CVE-2007-1542 (Unspecified vulnerability in the Cisco IP Phone 7940 and 7960 running ...) NOT-FOR-US: Cisco CVE-2007-1541 (Directory traversal vulnerability in am.pl in SQL-Ledger 2.6.27 only c ...) - sql-ledger 2.8.14-1 (unimportant; bug #409703) NOTE: It's documented behaviour that SQL-Ledger should only be run in an NOTE: authenticated HTTP zone and without untrusted users CVE-2007-1540 (Directory traversal vulnerability in am.pl in (1) SQL-Ledger 2.6.27 an ...) - sql-ledger 2.8.14-1 (unimportant; bug #409703) NOTE: It's documented behaviour that SQL-Ledger should only be run in an NOTE: authenticated HTTP zone and without untrusted users CVE-2007-1539 (Directory traversal vulnerability in inc/map.func.php in pragmaMX Land ...) NOT-FOR-US: pragmaMX Landkarten CVE-2007-1538 NOT-FOR-US: McAfee CVE-2007-1537 (\Device\NdisTapi (NDISTAPI.sys) in Microsoft Windows XP SP2 and 2003 S ...) NOT-FOR-US: Microsoft CVE-2007-1536 (Integer underflow in the file_printf function in the "file" program be ...) {DSA-1274-1} - file 4.20-1 (bug #415362; high) NOTE: Has got lots of reverse dependencies. NOTE: Some of them process remotely supplied untrusted input. CVE-2007-1535 (Microsoft Windows Vista establishes a Teredo address without user acti ...) NOT-FOR-US: Microsoft CVE-2007-1534 (DFSR.exe in Windows Meeting Space in Microsoft Windows Vista remains a ...) NOT-FOR-US: Microsoft CVE-2007-1533 (The Teredo implementation in Microsoft Windows Vista uses the same non ...) NOT-FOR-US: Microsoft CVE-2007-1532 (The neighbor discovery implementation in Microsoft Windows Vista allow ...) NOT-FOR-US: Microsoft CVE-2007-1531 (Microsoft Windows XP and Vista overwrites ARP table entries included i ...) NOT-FOR-US: Microsoft CVE-2007-1530 (The LLTD Mapper in Microsoft Windows Vista does not properly gather re ...) NOT-FOR-US: Microsoft CVE-2007-1529 (The LLTD Responder in Microsoft Windows Vista does not send the Mapper ...) NOT-FOR-US: Microsoft CVE-2007-1528 (The LLTD Mapper in Microsoft Windows Vista allows remote attackers to ...) NOT-FOR-US: Microsoft CVE-2007-1527 (The LLTD Mapper in Microsoft Windows Vista does not verify that an IP ...) NOT-FOR-US: Microsoft CVE-2007-1526 (Sun Java System Web Server 6.1 before 20070314 allows remote authentic ...) NOT-FOR-US: Sun Java System Web Server CVE-2007-1525 (Direct static code injection vulnerability in postpost.php in Dayfox B ...) NOT-FOR-US: Dayfox Blog CVE-2007-1524 (Directory traversal vulnerability in themes/default/ in ZomPlog 3.7.6 ...) NOT-FOR-US: ZomPlog CVE-2007-1523 (Heap-based buffer overflow in the kernel in NetBSD 3.0, certain versio ...) NOT-FOR-US: NetBSD CVE-2007-1522 (Double free vulnerability in the session extension in PHP 5.2.0 and 5. ...) {DSA-1283-1} - php5 5.2.2-1 (medium) CVE-2007-1521 (Double free vulnerability in PHP before 4.4.7, and 5.x before 5.2.2, a ...) {DSA-1283-1 DSA-1282-1 DTSA-39-1 DTSA-40-1} - php5 5.2.0-11 (medium) - php4 6:4.4.6-2 (medium) CVE-2007-1520 (The cross-site request forgery (CSRF) protection in PHP-Nuke 8.0 and e ...) NOT-FOR-US: PHP-Nuke CVE-2007-1519 (Cross-site scripting (XSS) vulnerability in modules.php in PHP-Nuke 8. ...) NOT-FOR-US: PHP-Nuke CVE-2007-1518 (SQL injection vulnerability in usergroups.php in Woltlab Burning Board ...) NOT-FOR-US: Woltlab Burning Board CVE-2007-1517 (SQL injection vulnerability in comments.php in WSN Guest 1.02 and 1.21 ...) NOT-FOR-US: WSN Guest CVE-2006-7174 (PHP remote file inclusion vulnerability in includes/functions.php in t ...) NOT-FOR-US: Dimension module of phpBB CVE-2006-7173 (Direct static code injection vulnerability in admin.php in PHP-Stats 0 ...) NOT-FOR-US: PHP-Stats CVE-2006-7172 (Multiple SQL injection vulnerabilities in php-stats.recphp.php in PHP- ...) NOT-FOR-US: PHP-Stats CVE-2003-1322 (Multiple stack-based buffer overflows in Atrium MERCUR IMAPD in MERCUR ...) NOT-FOR-US: MERCUR IMAPD CVE-2007-1561 (The channel driver in Asterisk before 1.2.17 and 1.4.x before 1.4.2 al ...) {DSA-1358-1} - asterisk 1:1.4.2~dfsg-5 (bug #415466; medium) NOTE: http://voipsa.org/pipermail/voipsec_voipsa.org/2007-March/002275.html CVE-2007-1594 (The handle_response function in chan_sip.c in Asterisk before 1.2.17 a ...) NOTE: Duplicate of CVE-2007-2297 CVE-2007-1516 (PHP remote file inclusion vulnerability in functions/update.php in Cic ...) NOT-FOR-US: CcMail CVE-2007-1515 (Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP H3 4. ...) - imp4 4.1.3-4 (medium; bug #415117) CVE-2007-1514 (PHP remote file inclusion vulnerability in index.php in ViperWeb Porta ...) NOT-FOR-US: ViperWeb Portal CVE-2007-1513 (PHP remote file inclusion vulnerability in comanda.php in GraFX Compan ...) NOT-FOR-US: WebSite Builder CVE-2007-1512 (Stack-based buffer overflow in the AfxOleSetEditMenu function in the M ...) NOT-FOR-US: Microsoft Windows CVE-2007-1511 (Buffer overflow in FrontBase Relational Database Server 4.2.7 and earl ...) NOT-FOR-US: FrontBase Relational Database Server CVE-2007-1510 (SQL injection vulnerability in post.php in Particle Blogger 1.0.0 thro ...) NOT-FOR-US: Particle Blogger CVE-2007-1509 (Directory traversal vulnerability in enkrypt.php in Sascha Schroeder k ...) NOT-FOR-US: krypt CVE-2007-1508 (Cross-site scripting (XSS) vulnerability in CMD_USER_STATS in DirectAd ...) NOT-FOR-US: DirectAdmin CVE-2007-1507 (The default configuration in OpenAFS 1.4.x before 1.4.4 and 1.5.x befo ...) {DSA-1271-1} - openafs 1.4.2-6 (medium) CVE-2007-1506 (Cross-site scripting (XSS) vulnerability in PORTAL.wwv_main.render_war ...) NOT-FOR-US: Oracle Portal CVE-2007-1505 (Fujitsu FENCE-Pro before V5L01, and Systemwalker Desktop Encryption V1 ...) NOT-FOR-US: Fujistu FENCE-Pro CVE-2007-1504 (Cross-site scripting (XSS) vulnerability in the Servlet Service in Fuj ...) NOT-FOR-US: Fujitsu Interstage Application Server CVE-2007-1503 (Multiple format string vulnerabilities in comm.c in Rhapsody IRC 0.28b ...) - rhapsody (medium) CVE-2007-1502 (Multiple buffer overflows in Rhapsody IRC 0.28b allow remote attackers ...) - rhapsody (medium) CVE-2007-1501 (Stack-based buffer overflow in Avant Browser 11.0 build 26 allows remo ...) NOT-FOR-US: Avant Browse CVE-2007-1500 (The Linux Security Auditing Tool (LSAT) allows local users to overwrit ...) NOT-FOR-US: Linux Security Auditing Tool CVE-2007-1499 (Microsoft Internet Explorer 7.0 on Windows XP and Vista allows remote ...) NOT-FOR-US: Internet Explorer CVE-2007-1498 (Multiple stack-based buffer overflows in the SiteManager.SiteMgr.1 Act ...) NOT-FOR-US: SiteManager.SiteMgr.1 ActiveX control CVE-2007-1497 (nf_conntrack in netfilter in the Linux kernel before 2.6.20.3 does not ...) {DSA-1289-1} - linux-2.6 2.6.20-1 (medium) CVE-2007-1496 (nfnetlink_log in netfilter in the Linux kernel before 2.6.20.3 allows ...) {DSA-1289-1} - linux-2.6 2.6.21-1 (medium) CVE-2007-1495 (The \Device\SymEvent driver in Symantec Norton Personal Firewall 2006 ...) NOT-FOR-US: Symantec Norton Personal Firewall CVE-2007-1494 (Cross-site scripting (XSS) vulnerability in NukeSentinel before 2.5.06 ...) NOT-FOR-US: NukeSentinel CVE-2007-1493 (nukesentinel.php in NukeSentinel 2.5.06 and earlier uses a permissive ...) NOT-FOR-US: NukeSentinel CVE-2007-1492 (winmm.dll in Microsoft Windows XP allows user-assisted remote attacker ...) NOT-FOR-US: Microsoft Windows XP CVE-2007-1491 (Apache Tomcat in Avaya S87XX, S8500, and S8300 before CM 3.1.3, and Av ...) NOT-FOR-US: Avaya S87XX CVE-2007-1490 (Unspecified maintenance web pages in Avaya S87XX, S8500, and S8300 bef ...) NOT-FOR-US: Avaya S87XX CVE-2007-1489 (Unspecified vulnerability in web-app.org Web Automated Perl Portal (We ...) NOT-FOR-US: WebAPP CVE-2007-1488 (Unspecified vulnerability in Sun Java System Web Server 6.0 and 6.1 be ...) NOT-FOR-US: Sun Java System Web Server CVE-2007-1487 (Directory traversal vulnerability in index.php in Sascha Schroeder (ak ...) NOT-FOR-US: CyberTeddy WebLog CVE-2007-1486 (PHP remote file inclusion vulnerability in template.class.php in Carbo ...) NOT-FOR-US: Carbonize Lazarus Guestbook CVE-2007-1485 NOT-FOR-US: LIBFtp CVE-2007-1484 (The array_user_key_compare function in PHP 4.4.6 and earlier, and 5.x ...) - php4 (unimportant) - php5 5.2.2-1 (unimportant) NOTE: local malicious scripts only CVE-2007-1483 (Multiple PHP remote file inclusion vulnerabilities in WebCalendar 0.9. ...) - webcalendar 1.0.5-1 (high) [sarge] - webcalendar 0.9.45-4sarge7 NOTE: This was fixed in Sarge as a side-effect of an earlier fix, marking current NOTE: Sarge version as fixed version CVE-2007-1482 (Cross-site scripting (XSS) vulnerability in index.php in WBBlog allows ...) NOT-FOR-US: WBBlog CVE-2007-1481 (SQL injection vulnerability in index.php in WBBlog allows remote attac ...) NOT-FOR-US: WBBlog CVE-2007-1480 (Creative Guestbook 1.0 allows remote attackers to add an administrativ ...) NOT-FOR-US: Creative Guestbook CVE-2007-1479 (Cross-site scripting (XSS) vulnerability in Guestbook.php in Creative ...) NOT-FOR-US: Creative Guestbook CVE-2007-1478 (download.php in McGallery 0.5b allows remote attackers to read arbitra ...) NOT-FOR-US: McGallery CVE-2007-1477 NOT-FOR-US: Point Of Sale for osCommerce CVE-2007-1476 (The SymTDI device driver (SYMTDI.SYS) in Symantec Norton Personal Fire ...) NOT-FOR-US: Symantec Norton Personal Firewall CVE-2007-1475 (Multiple buffer overflows in the (1) ibase_connect and (2) ibase_pconn ...) - php4 (unimportant) NOTE: Can only be triggered by malicious script CVE-2007-1474 (Argument injection vulnerability in the cleanup cron script in Horde P ...) {DSA-1406-1} - horde3 3.1.3-4 (medium) CVE-2007-1473 (Cross-site scripting (XSS) vulnerability in framework/NLS/NLS.php in H ...) {DSA-1406-1} - horde3 3.1.4-1 (low; bug #434045) CVE-2007-1472 (Variable overwrite vulnerability in groupit/base/groupit.start.inc in ...) NOT-FOR-US: Groupit CVE-2007-1471 (admin/default.asp in Orion-Blog 2.0 allows remote attackers to bypass ...) NOT-FOR-US: Orion-Blog CVE-2007-1470 (Multiple buffer overflows in LIBFtp 5.0 allow user-assisted remote att ...) NOT-FOR-US: LIBFtp CVE-2007-1469 (SQL injection vulnerability in gallery.asp in Absolute Image Gallery 2 ...) NOT-FOR-US: Absolute Image Gallery CVE-2007-1468 (Cross-site scripting (XSS) vulnerability in IBM Rational ClearQuest (C ...) NOT-FOR-US: IBM Rational ClearQuest CVE-2007-1467 (Multiple cross-site scripting (XSS) vulnerabilities in (1) PreSearch.h ...) NOT-FOR-US: Cisco CVE-2007-1466 (Integer overflow in the WP6GeneralTextPacket::_readContents function i ...) - libwpd 0.8.9-1 (medium) [etch] - libwpd 0.8.7-6 CVE-2007-1465 (Stack-based buffer overflow in dproxy.c for dproxy 0.1 through 0.5 all ...) NOT-FOR-US: dproxy CVE-2007-1464 (Format string vulnerability in the whiteboard Jabber protocol in Inksc ...) - inkscape 0.45.1-1 (medium) [etch] - inkscape (Versions prior to 0.45 used loudmouth, which isn't affected) CVE-2007-1463 (Format string vulnerability in Inkscape before 0.45.1 allows user-assi ...) - inkscape 0.45.1-1 (low) [etch] - inkscape (Minor issue) [sarge] - inkscape (Minor issue) NOTE: shell code would be prominently inside the file names CVE-2007-1462 (The luci server component in conga preserves the password between page ...) NOT-FOR-US: conga CVE-2007-1461 (The compress.bzip2:// URL wrapper provided by the bz2 extension in PHP ...) - php5 5.2.2-1 (unimportant) NOTE: Safemode and open_basedir bypasses not supported CVE-2007-1460 (The zip:// URL wrapper provided by the PECL zip extension in PHP befor ...) - php5 5.2.2-1 (unimportant) NOTE: Safemode and open_basedir bypasses not supported CVE-2007-1459 (Multiple PHP remote file inclusion vulnerabilities in WebCreator 0.2.6 ...) NOT-FOR-US: WebCreator CVE-2007-1458 (Multiple PHP remote file inclusion vulnerabilities in CARE2X 1.1 allow ...) NOT-FOR-US: CARE2X CVE-2007-1457 (Buffer overflow in the urarlib_get function in Christian Scheurer Uniq ...) NOT-FOR-US: UniquE RAR File Library CVE-2007-1456 NOT-FOR-US: PHP Photo Album CVE-2007-1455 (Multiple absolute path traversal vulnerabilities in Fantastico, as use ...) NOT-FOR-US: Fantastico CVE-2007-1454 (ext/filter in PHP 5.2.0, when FILTER_SANITIZE_STRING is used with the ...) {DSA-1283-1 DTSA-39-1} - php5 5.2.0-11 (medium) CVE-2007-1453 (Buffer underflow in the PHP_FILTER_TRIM_DEFAULT macro in the filtering ...) {DSA-1283-1 DTSA-39-1} - php5 5.2.0-11 (medium) CVE-2007-1452 (The FDF support (ext/fdf) in PHP 5.2.0 and earlier does not implement ...) - php5 (cpdf extension not enabled in binary build) CVE-2007-1451 (GuppY 4.0 allows remote attackers to delete arbitrary files via a dire ...) NOT-FOR-US: GuppY CVE-2007-1450 (SQL injection vulnerability in mainfile.php in PHP-Nuke 8.0 and earlie ...) NOT-FOR-US: PHP-Nuke CVE-2007-1449 (Directory traversal vulnerability in mainfile.php in PHP-Nuke 8.0 and ...) NOT-FOR-US: PHP-Nuke CVE-2007-1448 (The Tape Engine in CA (formerly Computer Associates) BrightStor ARCser ...) NOT-FOR-US: BrightStor ARCserve Backup CVE-2007-1447 (The Tape Engine in CA (formerly Computer Associates) BrightStor ARCser ...) NOT-FOR-US: BrightStor ARCserve Backup CVE-2007-1446 (Multiple PHP remote file inclusion vulnerabilities in Open Education S ...) NOT-FOR-US: Open Education System CVE-2007-1445 (SQL injection vulnerability in the heme preview feature for default.as ...) NOT-FOR-US: BP Blog CVE-2007-1444 (netserver in netperf 2.4.3 allows local users to overwrite arbitrary f ...) - netperf 2.4.3-8 (bug #413658; medium) [sarge] - netperf (Non-free not supported) [etch] - netperf (Non-free not supported) CVE-2007-1443 (Multiple cross-site scripting (XSS) vulnerabilities in register.php in ...) NOT-FOR-US: Woltlab Burning Board CVE-2007-1442 (Oracle Database 10g uses a NULL pDacl parameter when calling the SetSe ...) NOT-FOR-US: Oracle Database CVE-2007-1441 (The 4thPass browser (BlackBerry Browser) on the RIM BlackBerry 8100 (P ...) NOT-FOR-US: BlackBerry 8100 CVE-2007-1440 (SQL injection vulnerability in search.asp in JGBBS 3.0 Beta 1 allows r ...) NOT-FOR-US: JGBBS CVE-2007-1439 (PHP remote file inclusion vulnerability in ressourcen/dbopen.php in bi ...) NOT-FOR-US: MySQL Commander CVE-2007-1438 (SQL injection vulnerability in devami.asp in X-Ice News System 1.0 all ...) NOT-FOR-US: X-Ice News System CVE-2006-7171 (product_review.php in Koan Software Mega Mall allows remote attackers ...) NOT-FOR-US: Mega Mall CVE-2006-7170 (Multiple SQL injection vulnerabilities in Koan Software Mega Mall allo ...) NOT-FOR-US: Mega Mall CVE-2006-7169 (PHP remote file inclusion vulnerability in includes/header_simple.php ...) NOT-FOR-US: Ultimate PHP Board CVE-2006-7168 (PHP remote file inclusion vulnerability in includes/not_mem.php in the ...) NOT-FOR-US: phpBB module Add Name CVE-2006-7167 (Unspecified vulnerability in ProRat Server 1.9 Fix2 allows remote atta ...) NOT-FOR-US: ProRat Server CVE-2006-7166 (IBM WebSphere Application Server (WAS) 5.1.1.9 and earlier allows remo ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2006-7165 (IBM WebSphere Application Server (WAS) 5.0 through 5.1.1.0 allows remo ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2006-7164 (SimpleFileServlet in IBM WebSphere Application Server 5.0.1 through 5. ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2005-4834 (IBM WebSphere Application Server (WAS) 5.0.2.5 through 5.1.1.3 allows ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2005-4833 (IBM WebSphere Application Server (WAS) 6.0 before 20050201, when servi ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2003-1321 (Buffer overflow in Avant Browser 8.02 allows remote attackers to cause ...) NOT-FOR-US: Avant Browser CVE-2007-1437 (Unspecified vulnerability in LedgerSMB before 1.1.5 and SQL-Ledger bef ...) - sql-ledger 2.8.14-1 (unimportant; bug #409703) NOTE: It's documented behaviour that SQL-Ledger should only be run in an NOTE: authenticated HTTP zone and without untrusted users CVE-2007-1436 (Unspecified vulnerability in admin.pl in SQL-Ledger before 2.6.26 and ...) - sql-ledger 2.8.14-1 (unimportant; bug #409703) NOTE: It's documented behaviour that SQL-Ledger should only be run in an NOTE: authenticated HTTP zone and without untrusted users CVE-2007-1435 (Buffer overflow in D-Link TFTP Server 1.0 allows remote attackers to c ...) NOT-FOR-US: D-Link TFTP Server CVE-2007-1434 (SQL injection vulnerability in Grayscale Blog 0.8.0, and possibly earl ...) NOT-FOR-US: Grayscale Blog CVE-2007-1433 (Cross-site scripting (XSS) vulnerability in Grayscale Blog 0.8.0, and ...) NOT-FOR-US: Grayscale Blog CVE-2007-1432 (Grayscale Blog 0.8.0, and possibly earlier versions, allows remote att ...) NOT-FOR-US: Grayscale Blog CVE-2007-1431 (Multiple unspecified vulnerabilities in PennMUSH 1.8.3 before 1.8.3p1 ...) - pennmush 1.8.2p7-1 (low; bug #436249) [sarge] - pennmush (Minor issue) [etch] - pennmush (Minor issue) CVE-2007-1430 (PHP remote file inclusion vulnerability in include/adodb-connection.in ...) NOT-FOR-US: ClipShare CVE-2007-1429 (Multiple PHP remote file inclusion vulnerabilities in Moodle 1.7.1 all ...) - moodle NOTE: Security problem with the Windows version NOTE: Debian Maintainer and Upstream state that debian is not affected NOTE: and the problem is not reproducible there CVE-2007-1428 (SQL injection vulnerability in search.php in PHP Labs JobSitePro 1.0 a ...) NOT-FOR-US: JobSitePro CVE-2007-1427 (Directory traversal vulnerability in download_pdf.php in AssetMan 2.4a ...) NOT-FOR-US: AssetMan CVE-2007-1426 (The web interface in AstroCam 2.0.0 through 2.6.5 allows remote attack ...) NOT-FOR-US: AstroCam CVE-2007-1425 (SQL injection vulnerability in index.php in Triexa SonicMailer Pro 3.2 ...) NOT-FOR-US: SonicMailer Pro CVE-2007-1424 (Multiple PHP remote file inclusion vulnerabilities in Softnews Media G ...) NOT-FOR-US: DataLife Engine CVE-2007-1423 (Multiple PHP remote file inclusion vulnerabilities in WORK system e-co ...) NOT-FOR-US: WORK system e-commerce CVE-2007-1422 (SQL injection vulnerability in goster.asp in fystyq Duyuru Scripti all ...) NOT-FOR-US: Duyuru Scripti CVE-2007-1421 (Multiple PHP remote file inclusion vulnerabilities in Premod SubDog 2 ...) NOT-FOR-US: SubDog CVE-2007-1420 (MySQL 5.x before 5.0.36 allows local users to cause a denial of servic ...) - mysql-dfsg-5.0 5.0.32-8 (bug #414790) [etch] - mysql-dfsg-5.0 5.0.32-7etch1 CVE-2007-1419 (The Java Management Extensions Remote API Remote Method Invocation ove ...) NOT-FOR-US: JMX RMI-IIOP CVE-2007-1418 (Cross-site scripting (XSS) vulnerability in skins/ace/popup-notopic.ph ...) NOT-FOR-US: DekiWiki CVE-2007-1417 (SQL injection vulnerability in index.php in HC NEWSSYSTEM 1.0-4 allows ...) NOT-FOR-US: NEWSSYSTEM CVE-2007-1416 (PHP remote file inclusion vulnerability in createurl.php in JCcorp (ak ...) NOT-FOR-US: URLshrink CVE-2007-1415 (Multiple PHP remote file inclusion vulnerabilities in PMB Services 3.0 ...) NOT-FOR-US: PMB Services CVE-2007-1414 (Multiple PHP remote file inclusion vulnerabilities in Coppermine Photo ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2007-1413 (Buffer overflow in the snmpget function in the snmp extension in PHP 5 ...) - php4 (unimportant) - php5 (unimportant) NOTE: Only triggerable by malicious script CVE-2007-1412 (The cpdf_open function in the ClibPDF (cpdf) extension in PHP 4.4.6 al ...) - php4 (cpdf extension not enabled in binary build) - php5 (cpdf extension not enabled in binary build) CVE-2007-1411 (Buffer overflow in PHP 4.4.6 and earlier, and unspecified PHP 5 versio ...) - php4 (no mssql extension in Debian) - php5 (no mssql extension in Debian) CVE-2007-1410 (SQL injection vulnerability in kategori.asp in GaziYapBoz Game Portal ...) NOT-FOR-US: GaziYapBoz Game Portal CVE-2007-1409 (WordPress allows remote attackers to obtain sensitive information via ...) - wordpress (Path disclosure) CVE-2007-1408 (Multiple vulnerabilities in (1) bank.php, (2) landfill.php, (3) outpos ...) NOT-FOR-US: Vallheru CVE-2007-1407 (Unspecified vulnerability in OpenSolution Quick.Cart before 2.1 has un ...) NOT-FOR-US: Quick.Cart CVE-2007-1406 (Trac before 0.10.3.1 does not send a Content-Disposition HTTP header s ...) [etch] - trac 0.10.3-1etch1 - trac 0.10.4-1 (bug #414134; bug #420219) NOTE: Browser bug, only exploitable on IE, still fixed in a point release CVE-2007-1405 (Cross-site scripting (XSS) vulnerability in the "download wiki page as ...) [etch] - trac 0.10.3-1etch1 - trac 0.10.4-1 (bug #414134; bug #420219) NOTE: Browser bug, only exploitable on IE, still fixed in a point release CVE-2007-1404 (tftpd.exe in ProSysInfo TFTP Server TFTPDWIN 0.4.2 allows remote attac ...) NOT-FOR-US: ProSysInfo TFTP Server CVE-2007-1403 (Multiple stack-based buffer overflows in an ActiveX control in SwDir.d ...) NOT-FOR-US: ActiveX control CVE-2007-1402 (The Rediff Toolbar 2.0 ActiveX control in redifftoolbar.dll allows rem ...) NOT-FOR-US: Rediff Toolbar ActiveX control CVE-2007-1401 (Buffer overflow in the crack extension (CrackLib), as bundled with PHP ...) NOT-FOR-US: php doesn't ship with cracklib activated in debian. CVE-2007-1400 (Plash permits sandboxed processes to open /dev/tty, which allows local ...) NOT-FOR-US: Plash CVE-2007-1399 (Stack-based buffer overflow in the zip:// URL wrapper in PECL ZIP 1.8. ...) {DSA-1330-1} - php5 5.2.2-1 (medium) CVE-2007-1398 (The frag3 preprocessor in Snort 2.6.1.1, 2.6.1.2, and 2.7.0 beta, when ...) - snort (Vulnerable code not present) CVE-2007-1397 (Multiple stack-based buffer overflows in the (1) ExtractRnick and (2) ...) NOT-FOR-US: FiSH IRC Encryption CVE-2007-1396 (The import_request_variables function in PHP 4.0.7 through 4.4.6, and ...) - php5 5.2.2-1 (unimportant) NOTE: Non-issue CVE-2007-1395 (Incomplete blacklist vulnerability in index.php in phpMyAdmin 2.8.0 th ...) {DSA-1370-2 DSA-1370-1} - phpmyadmin 4:2.10.0.2-1 (medium) [sarge] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2007-2/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/6215e201eb98226837954059f6c99c9aa1c55a9a CVE-2007-1394 (Direct static code injection vulnerability in startsession.php in Flat ...) NOT-FOR-US: Flat Chat CVE-2007-1393 (PHP remote file inclusion vulnerability in mysave.php in Magic CMS 4.2 ...) NOT-FOR-US: Magic CMS CVE-2007-1392 (Directory traversal vulnerability in down.php in netForo! 0.1g allows ...) NOT-FOR-US: netForo! CVE-2007-1391 (PHP remote file inclusion vulnerability in modules/abook/foldertree.ph ...) NOT-FOR-US: WEBO CVE-2007-1390 (Multiple cross-site scripting (XSS) vulnerabilities in dynaliens 2.0 a ...) NOT-FOR-US: dynalias CVE-2007-1389 (dynaliens 2.0 and 2.1 allows remote attackers to bypass authentication ...) NOT-FOR-US: dynalias CVE-2007-1388 (The do_ipv6_setsockopt function in net/ipv6/ipv6_sockglue.c in Linux k ...) - linux-2.6 2.6.18.dfsg.1-12 CVE-2007-1387 (The DirectShow loader (loader/dshow/DS_VideoDecoder.c) in MPlayer 1.0r ...) {DSA-1536-1} - mplayer 1.0~rc1-13 (bug #414075; low) - xine-lib 1.1.2+dfsg-3 (bug #414072; low) [etch] - mplayer 1.0~rc1-12etch [sarge] - xine-lib (Only affects external, proprietary w32codecs addons) CVE-2007-1386 RESERVED CVE-2007-1385 (chunkcounter.cpp in KTorrent before 2.1.2 allows remote attackers to c ...) - ktorrent 2.0.3+dfsg1-2.1 (bug #414832; medium) CVE-2007-1384 (Directory traversal vulnerability in torrent.cpp in KTorrent before 2. ...) - ktorrent 2.0.3+dfsg1-2.1 (bug #414832; medium) CVE-2007-1383 (Integer overflow in the 16 bit variable reference counter in PHP 4 all ...) - php4 (unimportant) NOTE: Only triggerable by malicious PHP scripts, PHP5 not "affected" CVE-2007-1382 (The PHP COM extensions for PHP on Windows systems allow context-depend ...) NOT-FOR-US: Windows PHP COM extensions CVE-2007-1381 (The wddx_deserialize function in wddx.c 1.119.2.10.2.12 and 1.119.2.10 ...) - php5 (Affected only a php5 CVS version, not a release) CVE-2007-1380 (The php_binary serialization handler in the session extension in PHP b ...) {DSA-1283-1 DSA-1282-1 DTSA-39-1 DTSA-40-1} [etch] - php5 5.2.0-8+etch1 - php4 6:4.4.6-1 (low) - php5 5.2.0-11 (low) CVE-2007-1379 (The ovrimos_close function in the Ovrimos extension for PHP before 4.4 ...) - php4 (Ovrimus support not included in Debian's PHP packages) CVE-2007-1378 (The ovrimos_longreadlen function in the Ovrimos extension for PHP befo ...) - php4 (Ovrimus support not included in Debian's PHP packages) CVE-2007-1377 (AcroPDF.DLL in Adobe Reader 8.0, when accessed from Mozilla Firefox, N ...) NOT-FOR-US: Adobe Reader CVE-2007-1376 (The shmop functions in PHP before 4.4.5, and before 5.2.1 in the 5.x s ...) {DSA-1283-1 DTSA-39-1} - php4 - php5 5.2.0-11 NOTE: Only triggerable by malicious script CVE-2007-1375 (Integer overflow in the substr_compare function in PHP 5.2.1 and earli ...) {DSA-1283-1 DTSA-39-1} - php5 5.2.0-11 (low) NOTE: Should be fixed, could be used as a stepstone for further attacks CVE-2007-1374 (Cross-site scripting (XSS) vulnerability in pop_profile.asp in Snitz F ...) NOT-FOR-US: Snitz Forums CVE-2007-1373 (Stack-based buffer overflow in Mercury/32 (aka Mercury Mail Transport ...) NOT-FOR-US: Mercury Mail Transport System CVE-2007-1372 (PHP remote file inclusion vulnerability in styles/internal/header.php ...) NOT-FOR-US: PostGuestbook CVE-2007-1371 (Multiple buffer overflows in Conquest 8.2a and earlier (1) allow local ...) - conquest 8.2b-1 (low) [sarge] - conquest (Minor issue) [etch] - conquest (Minor issue) CVE-2007-1370 (Zend Platform 2.2.3 and earlier has incorrect ownership for scd.sh and ...) NOT-FOR-US: Zend Platform CVE-2007-1369 (ini_modifier (sgid-zendtech) in Zend Platform 2.2.3 and earlier allows ...) NOT-FOR-US: Zend Platform CVE-2007-1368 (The Project issue tracking module before 4.7.x-1.3, 4.7.x-2.* before 4 ...) NOT-FOR-US: Drupal module Project CVE-2007-1367 (Cross-site scripting (XSS) vulnerability in the login page in Avaya Co ...) NOT-FOR-US: Avaya Communications Manager CVE-2007-1366 (QEMU 0.8.2 allows local users to crash a virtual machine via the divis ...) {DSA-1284-1 DTSA-38-1 DTSA-133-1} - qemu 0.9.0-2 (bug #424070) - kvm 66+dfsg-1.1 CVE-2007-1365 (Buffer overflow in kern/uipc_mbuf2.c in OpenBSD 3.9 and 4.0 allows rem ...) NOT-FOR-US: OpenBSD Kernel CVE-2007-1364 (DropAFew before 0.2.1 does not require authorization for certain privi ...) NOT-FOR-US: DropAFew CVE-2007-1363 (Multiple SQL injection vulnerabilities in DropAFew before 0.2.1 allow ...) NOT-FOR-US: DropAFew CVE-2007-1362 (Mozilla Firefox 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, and SeaM ...) {DSA-1308-1 DSA-1306-1 DSA-1300-1 DTSA-45-1 DTSA-47-1 DTSA-51-1} NOTE: MFSA2007-14 - iceape 1.1.2-1 (low) - iceweasel 2.0.0.4-1 (low) - xulrunner 1.8.1.4-1 (low) CVE-2007-1361 (Cross-site scripting (XSS) vulnerability in virtuemart_parser.php in V ...) NOT-FOR-US: VirtueMart CVE-2007-1360 (Unspecified vulnerability in the Nodefamily module for Drupal 5.x befo ...) NOT-FOR-US: Drupal module Nodefamily CVE-2007-1359 (Interpretation conflict in ModSecurity (mod_security) 2.1.0 and earlie ...) - libapache-mod-security 2.1.2-1 CVE-2007-1358 (Cross-site scripting (XSS) vulnerability in certain applications using ...) - tomcat4 (low) [sarge] - tomcat4 (Contrib not supported) CVE-2007-1357 (The atalk_sum_skb function in AppleTalk for Linux kernel 2.6.x before ...) {DSA-1304 DSA-1286-1} - linux-2.6 2.6.20-1 CVE-2007-1356 REJECTED CVE-2007-1355 (Multiple cross-site scripting (XSS) vulnerabilities in the appdev/samp ...) - tomcat4 (unimportant) - tomcat5 (unimportant) - tomcat5.5 5.5.25-1 (unimportant) NOTE: Just an example application for documentation purposes CVE-2007-1354 (The Access Control functionality (JMXOpsAccessControlFilter) in JMX Co ...) NOT-FOR-US: JBoss Application Server CVE-2007-1353 (The setsockopt function in the L2CAP and HCI Bluetooth support in the ...) {DSA-1503-2 DSA-1504-1 DSA-1503-1 DSA-1356-1} - linux-2.6 2.6.22-1 (low) CVE-2007-1352 (Integer overflow in the FontFileInitTable function in X.Org libXfont b ...) {DSA-1294-1} - libxfont 1:1.2.2-2 (medium) CVE-2007-1351 (Integer overflow in the bdfReadCharacters function in bdfread.c in (1) ...) {DSA-1454-1 DSA-1294-1} - libxfont 1:1.2.2-2 (medium) - freetype 2.3.5-1 (medium; bug #426771) CVE-2007-1350 (Stack-based buffer overflow in webadmin.exe in Novell NetMail 3.5.2 al ...) NOT-FOR-US: Novell NetMail CVE-2007-1349 (PerlRun.pm in Apache mod_perl before 1.30, and RegistryCooker.pm in mo ...) - apache (low) - libapache2-mod-perl2 2.0.2-5 (low; bug #433549) [etch] - libapache2-mod-perl2 (Minor issue) [etch] - apache 1.3.34-4.1+etch1 CVE-2007-1348 REJECTED CVE-2007-1347 (Microsoft Windows Explorer on Windows 2000 SP4 FR and XP SP2 FR, and p ...) NOT-FOR-US: Microsoft Windows Explorer CVE-2007-1346 (Unspecified vulnerability in ipmitool for Sun Fire X2100M2 and X2200M2 ...) NOT-FOR-US: Sun Fire Server CVE-2007-1345 (Unspecified vulnerability in cube.exe in the GINA component for CA (Co ...) NOT-FOR-US: CA eTrust Admin CVE-2007-1344 (Multiple buffer overflows in src/ezstream.c in Ezstream before 0.3.0 a ...) NOT-FOR-US: Ezstream CVE-2007-1343 (includes/functions.php in Craig Knudsen WebCalendar before 1.0.5 does ...) {DSA-1267-1} - webcalendar 1.0.5-1 (high) CVE-2007-1342 (Cross-site scripting (XSS) vulnerability in admincp/index.php in Jelso ...) NOT-FOR-US: vBulletin CVE-2007-1341 (include/auth/auth.php in Simple Invoices before 2007 03 05 does not us ...) NOT-FOR-US: Simple Invoices CVE-2007-1340 (PHP remote file inclusion vulnerability in eintrag.php in Weltennetz N ...) NOT-FOR-US: News-Letterman CVE-2007-1339 (SQL injection vulnerability in index.php in Links Management Applicati ...) NOT-FOR-US: Links Management Application CVE-2007-1338 (The default configuration of the AirPort utility in Apple AirPort Extr ...) NOT-FOR-US: Apple AirPort Extreme CVE-2007-1337 (The virtual machine process (VMX) in VMware Workstation before 5.5.4 d ...) NOT-FOR-US: VMware CVE-2007-1336 RESERVED CVE-2007-1335 RESERVED CVE-2007-1334 RESERVED CVE-2007-1333 RESERVED CVE-2007-1332 (Multiple cross-site request forgery (CSRF) vulnerabilities in TKS Bank ...) NOT-FOR-US: TKS Banking Solutions ePortfolio CVE-2007-1331 (Multiple cross-site scripting (XSS) vulnerabilities in TKS Banking Sol ...) NOT-FOR-US: TKS Banking Solutions ePortfolio CVE-2007-1330 (Comodo Firewall Pro (CFP) (formerly Comodo Personal Firewall) 2.4.18.1 ...) NOT-FOR-US: Comodo Firewall Pro CVE-2007-1329 (Directory traversal vulnerability in SQL-Ledger, and LedgerSMB before ...) - sql-ledger (unimportant; bug #409703) NOTE: It's documented behaviour that SQL-Ledger should only be run in an NOTE: authenticated HTTP zone and without untrusted users CVE-2007-1328 (Cross-site scripting (XSS) vulnerability in formulaire.php in Bernard ...) NOT-FOR-US: JOLY BJ Webring CVE-2007-1327 (The SILC_SERVER_CMD_FUNC function in apps/silcd/command.c in silc-serv ...) NOT-FOR-US: silc daemon CVE-2007-1326 (SQL injection vulnerability in index.php in Serendipity 1.1.1 allows r ...) - serendipity (unimportant) NOTE: http://blog.s9y.org/archives/164-Serendipity-1.1.2-released.html CVE-2007-1325 (The PMA_ArrayWalkRecursive function in libraries/common.lib.php in php ...) {DSA-1370-2 DSA-1370-1} - phpmyadmin 4:2.10.0.2-1 [sarge] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2007-3/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/b81f9a364c2a2204e6acbdff5b71e6cc6daead1e CVE-2007-1324 (SnapGear 560, 585, 580, 640, 710, and 720 appliances before the 3.1.4u ...) NOT-FOR-US: SnapGear CVE-2007-1323 REJECTED CVE-2007-1322 (QEMU 0.8.2 allows local users to halt a virtual machine by executing t ...) {DSA-1284-1 DTSA-38-1 DTSA-133-1} - qemu 0.9.0-2 (bug #424070) - kvm 66+dfsg-1.1 CVE-2007-1321 (Integer signedness error in the NE2000 emulator in QEMU 0.8.2, as used ...) {DSA-1284-1 DTSA-38-1 DTSA-133-1} - qemu 0.9.0-2 (bug #424070) - kvm 66+dfsg-1.1 CVE-2007-1320 (Multiple heap-based buffer overflows in the cirrus_invalidate_region f ...) {DSA-1384-1 DSA-1284-1 DTSA-38-1 DTSA-133-1} - qemu 0.9.0-2 (bug #424070) - kvm 66+dfsg-1.1 - xen-3 3.1.0-2 (bug #444007; medium) - xen-3.0 CVE-2007-1319 (Unspecified vulnerability in the IOPCServer::RemoveGroup function in t ...) NOT-FOR-US: DeviceXPlorer OLE CVE-2007-1318 RESERVED CVE-2007-1317 RESERVED CVE-2007-1316 RESERVED CVE-2007-1315 RESERVED CVE-2007-1314 RESERVED CVE-2007-1313 (NETxAutomation NETxEIB OPC Server before 3.0.1300 does not properly va ...) NOT-FOR-US: NETxAutomation NETxEIB OPC Server CVE-2007-1312 RESERVED CVE-2007-1311 RESERVED CVE-2007-1310 RESERVED CVE-2007-1309 (Novell Access Management 3 SSLVPN Server allows remote authenticated u ...) NOT-FOR-US: Novell Access Management CVE-2007-1308 (ecma/kjs_html.cpp in KDE JavaScript (KJS), as used in Konqueror in KDE ...) - kdelibs (unimportant) NOTE: Browser crashes not treated as security problems CVE-2007-1307 (Unspecified vulnerability in Lenovo Intel PRO/1000 LAN adapter before ...) NOT-FOR-US: Microsoft Windows Driver for Intel PRO/1000 LAN CVE-2007-1306 (Asterisk 1.4 before 1.4.1 and 1.2 before 1.2.16 allows remote attacker ...) {DSA-1358-1} - asterisk 1:1.2.16~dfsg-1 (medium) CVE-2007-1305 (Multiple cross-site scripting (XSS) vulnerabilities in add2.php in Sav ...) NOT-FOR-US: Sava's Guestbook CVE-2007-1304 (Multiple SQL injection vulnerabilities in add2.php in Sava's Guestbook ...) NOT-FOR-US: Sava's Guestbook CVE-2007-1303 (Directory traversal vulnerability in rb.cgi in RRDBrowse 1.6 and earli ...) NOT-FOR-US: RRDBrowse CVE-2007-1302 (SQL injection vulnerability in guestbook.php in LI-Guestbook 1.1, when ...) NOT-FOR-US: LI-Guestbook CVE-2007-1301 (Stack-based buffer overflow in the IMAP service in MailEnable Enterpri ...) NOT-FOR-US: MailEnable Enterprise CVE-2007-1300 (DOURAN Software Technologies ISPUtil 3.32.84.1, and possibly earlier v ...) NOT-FOR-US: ISPUtil CVE-2007-1299 (PHP remote file inclusion vulnerability in index.php in Mani Stats Rea ...) NOT-FOR-US: Mani Stats Reader CVE-2007-1298 (SQL injection vulnerability in subcat.php in AJ Auction 1.0 allows rem ...) NOT-FOR-US: AJ Auction CVE-2007-1297 (SQL injection vulnerability in view_profile.php in AJDating 1.0 allows ...) NOT-FOR-US: AJ Dating CVE-2007-1296 (SQL injection vulnerability in postingdetails.php in AJ Classifieds 1. ...) NOT-FOR-US: AJ Classifieds CVE-2007-1295 (SQL injection vulnerability in topic_title.php in AJ Forum 1.0 allows ...) NOT-FOR-US: AJ Forum CVE-2007-1294 (A certain ActiveX control in the DivXBrowserPlugin (npdivx32.dll) in D ...) NOT-FOR-US: DivXBrowserPlugin ActiveX control CVE-2007-1293 (SQL injection vulnerability in Rigter Portal System (RPS) 6.2, when ma ...) NOT-FOR-US: Rigter Portal System CVE-2007-1292 (SQL injection vulnerability in inlinemod.php in Jelsoft vBulletin befo ...) NOT-FOR-US: vBulletin CVE-2007-1291 (Multiple cross-site scripting (XSS) vulnerabilities in Tyger Bug Track ...) NOT-FOR-US: TygerBT CVE-2007-1290 (SQL injection vulnerability in ViewReport.php in Tyger Bug Tracking Sy ...) NOT-FOR-US: TygerBT CVE-2007-1289 (SQL injection vulnerability in ViewBugs.php in Tyger Bug Tracking Syst ...) NOT-FOR-US: TygerBT CVE-2007-1288 (Multiple PHP remote file inclusion vulnerabilities in Webmobo WB News ...) NOT-FOR-US: WB News CVE-2006-7163 (DreameeSoft Password Master 1.0 stores the database in an unencrypted ...) NOT-FOR-US: DreameeSoft Password Master CVE-2006-7162 (PuTTY 0.59 and earlier uses weak file permissions for (1) ppk files co ...) - putty 0.59-1 (bug #400804; unimportant) NOTE: Unsafe default, but not a vulnerability NOTE: Sensitive operations like key generation should only be done in private home CVE-2006-7161 (SQL injection vulnerability in giris_yap.asp in Hazir Site 2.0 allows ...) NOT-FOR-US: Hazir Site CVE-2006-7160 (The Sandbox.sys driver in Outpost Firewall PRO 4.0, and possibly earli ...) NOT-FOR-US: Outpost Firewall PRO CVE-2006-7159 (Directory traversal vulnerability in include/prune_torrents.php in BTI ...) NOT-FOR-US: BTI-Tracker CVE-2006-7158 (Cross-site scripting (XSS) vulnerability in Oracle Application Express ...) NOT-FOR-US: Oracle Application Express CVE-2006-7157 (Buffer overflow in Google Earth v4.0.2091 (beta) allows remote user-as ...) NOT-FOR-US: Google Earth CVE-2006-7156 (PHP remote file inclusion vulnerability in addon_keywords.php in Keywo ...) NOT-FOR-US: miniBB module Keyword Replacer CVE-2006-7155 (Novell BorderManager 3.8 SP4 generates the same ISAKMP cookies for the ...) NOT-FOR-US: Novell BorderManager CVE-2006-7154 (Iono allows remote attackers to obtain the full server path via certai ...) NOT-FOR-US: Iono CVE-2006-7153 (PHP remote file inclusion vulnerability in index.php in MiniBB Forum 2 ...) NOT-FOR-US: MiniBB Forum CVE-2006-7152 (default.asp in ASP-Nuke Community 1.5 and earlier allows remote attack ...) NOT-FOR-US: ASP-Nuke Community CVE-2006-7151 (Untrusted search path vulnerability in the libtool-ltdl library (liblt ...) - libtool (Specific to Fedora build) CVE-2006-7150 (Multiple SQL injection vulnerabilities in Mambo 4.6.x allow remote att ...) NOT-FOR-US: Mambo CVE-2006-7149 (Multiple cross-site scripting (XSS) vulnerabilities in Mambo 4.6.x all ...) NOT-FOR-US: Mambo CVE-2006-7148 (PHP remote file inclusion vulnerability in includes/bb_usage_stats.php ...) NOT-FOR-US: phpBB module maluinfo CVE-2006-7147 (PHP remote file inclusion vulnerability in includes/functions_mod_user ...) NOT-FOR-US: phpBB module Import Tools CVE-2006-7146 NOT-FOR-US: communityPortals CVE-2006-7145 (edit_user.php in Call Center Software 0.93 and earlier allows remote a ...) NOT-FOR-US: Call Center Software CVE-2006-7144 (SQL injection vulnerability in Call Center Software 0.93 and earlier a ...) NOT-FOR-US: Call Center Software CVE-2006-7143 (Cross-site scripting (XSS) vulnerability in Call Center Software 0.93 ...) NOT-FOR-US: Call Center Software CVE-2006-7142 (The centralized management feature for Utimaco Safeguard stores hard-c ...) NOT-FOR-US: Utimaco Safeguard CVE-2006-7141 NOT-FOR-US: Oracle Database CVE-2006-7140 (The libike library, as used by in.iked, elfsign, and kcfd in Sun Solar ...) NOT-FOR-US: Sun Solaris CVE-2006-7139 (Kmail 1.9.1 on KDE 3.5.2, with "Prefer HTML to Plain Text" enabled, al ...) - kdepim (unimportant) NOTE: Annoying bug, but neglectable "security implications" CVE-2006-7138 (SQL injection vulnerability in wwv_flow_utilities.gen_popup_list in th ...) NOT-FOR-US: Oracle APEX CVE-2006-7137 (Cross-site scripting (XSS) vulnerability in TinyPortal before 0.8.6 al ...) NOT-FOR-US: TinyPortal CVE-2006-7136 (Multiple PHP remote file inclusion vulnerabilities in PHP Poll Creator ...) NOT-FOR-US: PHP Poll Creator CVE-2006-7135 (PHP remote file inclusion vulnerability in lib/functions.inc.php in PH ...) NOT-FOR-US: PHP Poll Creator CVE-2007-XXXX [unsafe temporary file in lintian's objdump-info] - lintian 1.23.28 (low) [sarge] - lintian (Vulnerable code not present) CVE-2007-1287 (A regression error in the phpinfo function in PHP 4.4.3 to 4.4.6, and ...) - php4 (unimportant) [sarge] - php4 (Regression introduced in 4.4.3) NOTE: Non-issue, explicit debug feature CVE-2007-1286 (Integer overflow in PHP 4.4.4 and earlier allows remote context-depend ...) {DSA-1283-1 DSA-1282-1 DTSA-39-1 DTSA-40-1} - php4 6:4.4.6-1 (low) - php5 5.2.0-11 (low) CVE-2007-1285 (The Zend Engine in PHP 4.x before 4.4.7, and 5.x before 5.2.2, allows ...) - php5 5.2.2-1 (unimportant) - php4 (unimportant) NOTE: Needs to be sanisited within apps, only crashes the current instance anyway CVE-2007-1284 RESERVED CVE-2007-1283 RESERVED CVE-2007-1282 (Integer overflow in Mozilla Thunderbird before 1.5.0.10 and SeaMonkey ...) {DSA-1336-1} - icedove 1.5.0.10.dfsg1-1 (medium) CVE-2007-1281 (Kaspersky AntiVirus Engine 6.0.1.411 for Windows and 5.5-10 for Linux ...) NOT-FOR-US: Kaspersky AntiVirus Engine CVE-2007-1280 (Cross-site scripting (XSS) vulnerability in Adobe RoboHelp X5, 6, and ...) NOT-FOR-US: Adobe CVE-2007-1279 (Unspecified vulnerability in the installer for Adobe Bridge 1.0.3 upda ...) NOT-FOR-US: Adobe CVE-2007-1278 (Unspecified vulnerability in the IIS connector in Adobe JRun 4.0 Updat ...) NOT-FOR-US: Adobe JRun and Coldfusion CVE-2007-1277 (WordPress 2.1.1, as downloaded from some official distribution sites d ...) - wordpress (orig.tar.gz not compromised) CVE-2007-1276 (Multiple cross-site scripting (XSS) vulnerabilities in chooser.cgi in ...) - webmin CVE-2007-1275 RESERVED CVE-2007-1274 RESERVED CVE-2006-7134 (Unrestricted file upload vulnerability in main_user.php in Upload Tool ...) NOT-FOR-US: Upload Tool for PHP CVE-2006-7133 (Directory traversal vulnerability in upload/bin/download.php in Upload ...) NOT-FOR-US: Upload Tool for PHP CVE-2006-7132 (Directory traversal vulnerability in pmd-config.php in PHPMyDesk 1.0be ...) NOT-FOR-US: PHPMyDesk CVE-2006-7131 (PHP remote file inclusion vulnerability in extras/mt.php in Jinzora 2. ...) NOT-FOR-US: Jinzora CVE-2006-7130 (PHP remote file inclusion vulnerability in backend/primitives/cache/me ...) NOT-FOR-US: Jinzora CVE-2006-7129 (ISS BlackICE PC Protection 3.6 cpj and cpu, and possibly earlier versi ...) NOT-FOR-US: ISS BlackICE CVE-2006-7128 (PHP remote file inclusion vulnerability in forum/forum.php JAF CMS 4.0 ...) NOT-FOR-US: JAF CMS CVE-2006-7127 (Multiple PHP remote file inclusion vulnerabilities in JAF CMS 4.0 and ...) NOT-FOR-US: JAF CMS CVE-2006-7126 (SQL injection vulnerability in Joomla BSQ Sitestats 1.8.0 and 2.2.1 al ...) NOT-FOR-US: Joomla component BSQ Sitestats CVE-2006-7125 (Cross-site scripting (XSS) vulnerability in Joomla BSQ Sitestats 1.8.0 ...) NOT-FOR-US: Joomla component BSQ Sitestats CVE-2006-7124 (PHP remote file inclusion vulnerability in external/rssfeeds.php in BS ...) NOT-FOR-US: Joomla component BSQ Sitestats CVE-2006-7123 (Multiple SQL injection vulnerabilities in BSQ Sitestats (component for ...) NOT-FOR-US: Joomla component BSQ Sitestats CVE-2006-7122 (Cross-site scripting (XSS) vulnerability in the IP Address Lookup func ...) NOT-FOR-US: Joomla component BSQ Sitestats CVE-2006-7121 (The HTTP server in Linksys SPA-921 VoIP Desktop Phone allows remote at ...) NOT-FOR-US: Linksys SPA-921 CVE-2006-7120 NOT-FOR-US: OSL maintain CVE-2006-7119 (PHP remote file inclusion vulnerability in kernel/system/startup.php i ...) NOT-FOR-US: PHPGiggle CVE-2006-7118 (SQL injection vulnerability in index.asp in DMXReady Site Engine Manag ...) NOT-FOR-US: DMXReady Site Engine Manager CVE-2006-7117 (Multiple directory traversal vulnerabilities in Kubix 0.7 and earlier ...) NOT-FOR-US: Kubix CVE-2006-7116 (SQL injection vulnerability in includes/functions.php in Kubix 0.7 and ...) NOT-FOR-US: Kubix CVE-2006-7115 (SQL injection vulnerability in PHPKit 1.6.1 RC2 allows remote attacker ...) NOT-FOR-US: PHPKit CVE-2006-7114 (P-News 2.0 stores db/user.txt under the web document root with insuffi ...) NOT-FOR-US: P-News CVE-2006-7113 (Unrestricted file upload vulnerability in P-News 2.0 allows remote att ...) NOT-FOR-US: P-News CVE-2006-7112 (Directory traversal vulnerability in error.php in MD-Pro 1.0.76 and ea ...) NOT-FOR-US: MD-Pro CVE-2006-7111 (Unspecified vulnerability in Futomi's CGI Cafe KMail CGI 1.0.3 and ear ...) NOT-FOR-US: KMail CGI CVE-2006-7110 (Directory traversal vulnerability in the delete function in IMCE befor ...) NOT-FOR-US: Drupal module IMCE CVE-2006-7109 (Unrestricted file upload vulnerability in IMCE before 1.6, a Drupal mo ...) NOT-FOR-US: Drupal module IMCE CVE-2007-XXXX [buffer overruns in GIT's http-push.c, fixed in 1.5.0.3] - git-core 1:1.5.0.3-1 (bug #413629; low) [etch] - git-core 1:1.4.4.4-2 (bug #413629; low) CVE-2007-1273 (Integer overflow in the ktruser function in NetBSD-current before 2006 ...) NOT-FOR-US: NetBSD Kernel CVE-2007-1272 RESERVED CVE-2007-1271 (Buffer overflow in VMware ESX Server 3.0.0 and 3.0.1 might allow attac ...) NOT-FOR-US: VMware ESX Server CVE-2007-1270 (Double free vulnerability in VMware ESX Server 3.0.0 and 3.0.1 allows ...) NOT-FOR-US: VMware ESX Server CVE-2007-1269 (GNUMail 1.1.2 and earlier does not properly use the --status-fd argume ...) - gnumail (unimportant) NOTE: this is a "feature request", since gnupg is fixed from CVE-2007-1263 CVE-2007-1268 (Mutt 1.5.13 and earlier does not properly use the --status-fd argument ...) - mutt (unimportant) NOTE: this is a "feature request", since gnupg is fixed from CVE-2007-1263 CVE-2007-1267 (Sylpheed 2.2.7 and earlier does not properly use the --status-fd argum ...) - sylpheed (unimportant) NOTE: this is a "feature request", since gnupg is fixed from CVE-2007-1263 CVE-2007-1266 (Evolution 2.8.1 and earlier does not properly use the --status-fd argu ...) - evolution (unimportant) NOTE: this is a "feature request", since gnupg is fixed from CVE-2007-1263 CVE-2007-1265 (KMail 1.9.5 and earlier does not properly use the --status-fd argument ...) - kdepim (unimportant) NOTE: this is a "feature request", since gnupg is fixed from CVE-2007-1263 CVE-2007-1264 (Enigmail 0.94.2 and earlier does not properly use the --status-fd argu ...) - enigmail 2:0.95.0+1-1 (unimportant; bug #415225) NOTE: this is a "feature request", since gnupg is fixed from CVE-2007-1263 CVE-2007-1263 (GnuPG 1.4.6 and earlier and GPGME before 1.1.4, when run from the comm ...) {DSA-1266-1} - gnupg 1.4.6-2 (bug #413922; low) - gpgme1.0 1.1.2-3 (bug #414170; low) - gnupg2 2.0.3-1 [sarge] - gnupg2 (Minor issue) [etch] - gnupg2 (Minor issue) CVE-2007-1262 (Multiple cross-site scripting (XSS) vulnerabilities in the HTML filter ...) {DSA-1290-1} - squirrelmail 2:1.4.10a-1 CVE-2007-1261 (Unspecified vulnerability in the reports system in OpenBiblio before 0 ...) NOT-FOR-US: OpenBiblio CVE-2007-1260 (Stack-based buffer overflow in the connectHandle function in server.cp ...) NOT-FOR-US: WebMod CVE-2007-1259 (Multiple unspecified vulnerabilities in WebAPP before 0.9.9.6 have unk ...) NOT-FOR-US: WebAPP CVE-2007-1258 (Unspecified vulnerability in Cisco IOS 12.2SXA, SXB, SXD, and SXF; and ...) NOT-FOR-US: Cisco CVE-2007-1257 (The Network Analysis Module (NAM) in Cisco Catalyst Series 6000, 6500, ...) NOT-FOR-US: Cisco CVE-2007-1256 (Mozilla Firefox 2.0.0.2 allows remote attackers to spoof the address b ...) - iceweasel (unimportant) NOTE: Not exploitable CVE-2007-1255 (Unrestricted file upload vulnerability in admin.bbcode.php in Connecti ...) NOT-FOR-US: Connectix Boards CVE-2007-1254 (SQL injection vulnerability in part.userprofile.php in Connectix Board ...) NOT-FOR-US: Connectix Boards CVE-2007-1253 (Eval injection vulnerability in the (a) kmz_ImportWithMesh.py Script f ...) - blender 2.42a-6 (medium) [sarge] - blender (bug was introduced in version 2.42) NOTE: http://lists.alioth.debian.org/pipermail/secure-testing-team/2007-March/001095.html CVE-2007-1252 (Buffer overflow in Symantec Mail Security for SMTP 5.0 before Patch 17 ...) NOT-FOR-US: Symantec Mail Security CVE-2007-1251 (Format string vulnerability in the new_warning function in ntserv/warn ...) NOT-FOR-US: Netrek Vanilla Server CVE-2007-1250 (SQL injection vulnerability in section/default.asp in ANGEL Learning M ...) NOT-FOR-US: Learning Management Suite CVE-2007-1249 (MoveSortedContentAction in C1 Financial Services Contelligent 9.1.4 do ...) NOT-FOR-US: Contelligent CVE-2007-1248 (Multiple cross-site scripting (XSS) vulnerabilities in built2go News M ...) NOT-FOR-US: News Manager Blog CVE-2007-1247 (Multiple PHP remote file inclusion vulnerabilities in aWeb Labs aWebNe ...) NOT-FOR-US: aWebNews CVE-2007-1246 (The DMO_VideoDecoder_Open function in loader/dmo/DMO_VideoDecoder.c in ...) {DSA-1536-1} - mplayer 1.0~rc1-13 (bug #414075; medium) - xine-lib 1.1.2+dfsg-3 (bug #414072; medium) [etch] - mplayer 1.0~rc1-12etch [sarge] - xine-lib (Only affects external, proprietary w32codecs addons) NOTE: vlc checked, and is not affected. CVE-2007-1245 (IrfanView 3.99 allows remote attackers to cause a denial of service (a ...) NOT-FOR-US: IrfanView CVE-2007-1244 (Cross-site request forgery (CSRF) vulnerability in the AdminPanel in W ...) - wordpress 2.1.2-1 (medium) [etch] - wordpress 2.0.10 CVE-2007-1243 (Audins Audiens 3.3 allows remote attackers to bypass authentication an ...) NOT-FOR-US: Audins Audiens CVE-2007-1242 (SQL injection vulnerability in system/index.php in Audins Audiens 3.3 ...) NOT-FOR-US: Audins Audiens CVE-2007-1241 (Cross-site scripting (XSS) vulnerability in setup.php in Audins Audien ...) NOT-FOR-US: Audins Audiens CVE-2007-1240 (Multiple cross-site scripting (XSS) vulnerabilities in Docebo CMS 3.0. ...) NOT-FOR-US: Docebo CMS CVE-2007-1239 (Microsoft Excel 2003 does not properly parse .XLS files, which allows ...) NOT-FOR-US: Microsoft Office CVE-2007-1238 (Microsoft Office 2003 allows user-assisted remote attackers to cause a ...) NOT-FOR-US: Microsoft Office CVE-2007-1237 (sitex allows remote attackers to obtain potentially sensitive informat ...) NOT-FOR-US: sitex CVE-2007-1236 (sitex allows remote attackers to obtain sensitive information via a re ...) NOT-FOR-US: sitex CVE-2007-1235 (Unrestricted file upload vulnerability in sitex allows remote attacker ...) NOT-FOR-US: sitex CVE-2007-1234 (Multiple cross-site scripting (XSS) vulnerabilities in sitex allow rem ...) NOT-FOR-US: sitex CVE-2007-1233 (PHP remote file inclusion vulnerability in downloadcounter.php in STWC ...) NOT-FOR-US: STWC-Counter CVE-2007-1232 (Directory traversal vulnerability in SQLiteManager 1.2.0 allows remote ...) NOT-FOR-US: SQLiteManager CVE-2007-1231 (Multiple cross-site scripting (XSS) vulnerabilities in SQLiteManager 1 ...) NOT-FOR-US: SQLiteManager CVE-2007-1230 (Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/fun ...) - wordpress 2.1.2-1 (medium) [etch] - wordpress 2.0.10 CVE-2007-1229 (Cross-site scripting (XSS) vulnerability in the Nullsoft ShoutcastServ ...) NOT-FOR-US: Nullsoft ShoutcastServer CVE-2007-1228 (IBM DB2 UDB 8.2 before Fixpak 7 (aka fixpack 14), and DB2 9 before Fix ...) NOT-FOR-US: IBM DB2 CVE-2007-1227 (VShieldCheck in McAfee VirusScan for Mac (Virex) before 7.7 patch 1 al ...) NOT-FOR-US: McAfee VirusScan CVE-2007-1226 (McAfee VirusScan for Mac (Virex) before 7.7 patch 1 has weak permissio ...) NOT-FOR-US: McAfee VirusScan CVE-2007-1225 (The connection log file implementation in Grok Developments NetProxy 4 ...) NOT-FOR-US: Grok Developments NetProxy CVE-2007-1224 (Grok Developments NetProxy 4.03 allows remote attackers to bypass URL ...) NOT-FOR-US: Grok Developments NetProxy CVE-2007-1223 (Unspecified vulnerability in Hitachi OSAS/FT/W before 20070223 allows ...) NOT-FOR-US: Hitachi OSAS/FT/W CVE-2007-1222 (Parallels Desktop for Mac before 20070216 implements Drag and Drop by ...) NOT-FOR-US: Parallels Desktop CVE-2007-1221 (The Hypervisor in Microsoft Xbox 360 kernel 4532 and 4548 allows attac ...) NOT-FOR-US: Microsoft Xbox 360 CVE-2007-1220 (The Hypervisor in Microsoft Xbox 360 kernel 4532 and 4548 does not pro ...) NOT-FOR-US: Microsoft Xbox 360 CVE-2007-1219 (PHP remote file inclusion vulnerability in actions/del.php in Admin Ph ...) NOT-FOR-US: Phorum CVE-2007-1217 (Buffer overflow in the bufprint function in capiutil.c in libcapi, as ...) - isdnutils 1:3.9.20060704-3 (bug #408530; low) [sarge] - isdnutils (Not exploitable over ISDN network) - asterisk-chan-capi 0.7.1-1.1 (bug #411293; unimportant) - linux-2.6 2.6.21-1 (bug #411294; unimportant) NOTE: Not exploitable over ISDN network, only theoretically through a dedicated CAPI server CVE-2007-1216 (Double free vulnerability in the GSS-API library (lib/gssapi/krb5/k5un ...) {DSA-1276-1} - krb5 1.4.4-8 (high) CVE-2007-1215 (Buffer overflow in the Graphics Device Interface (GDI) in Microsoft Wi ...) NOT-FOR-US: Microsoft GDI CVE-2007-1214 (Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2003 Viewer, and 2004 fo ...) NOT-FOR-US: Microsoft Excel CVE-2007-1213 (The TrueType Fonts rasterizer in Microsoft Windows 2000 SP4 allows loc ...) NOT-FOR-US: Microsoft Windows CVE-2007-1212 (Buffer overflow in the Graphics Device Interface (GDI) in Microsoft Wi ...) NOT-FOR-US: Microsoft GDI CVE-2007-1211 (Unspecified kernel GDI functions in Microsoft Windows 2000 SP4; XP SP2 ...) NOT-FOR-US: Microsoft Windows CVE-2007-1210 REJECTED CVE-2007-1209 (Use-after-free vulnerability in the Client/Server Run-time Subsystem ( ...) NOT-FOR-US: Windows Vista CVE-2007-1208 REJECTED CVE-2007-1207 REJECTED CVE-2007-1206 (The Virtual DOS Machine (VDM) in the Windows Kernel in Microsoft Windo ...) NOT-FOR-US: Microsoft Windows CVE-2007-1205 (Unspecified vulnerability in Microsoft Agent (msagent\agentsvr.exe) in ...) NOT-FOR-US: Microsoft Windows CVE-2007-1204 (Stack-based buffer overflow in the Universal Plug and Play (UPnP) serv ...) NOT-FOR-US: Microsoft Windows CVE-2007-1203 (Unspecified vulnerability in Microsoft Excel 2000 SP3, 2002 SP3, 2003 ...) NOT-FOR-US: Microsoft Excel CVE-2007-1202 (Word (or Word Viewer) in Microsoft Office 2000 SP3, XP SP3, 2003 SP2, ...) NOT-FOR-US: Microsoft Word CVE-2007-1201 (Unspecified vulnerability in certain COM objects in Microsoft Office W ...) NOT-FOR-US: Microsoft Office CVE-2007-1200 RESERVED CVE-2007-1199 (Adobe Reader and Acrobat Trial allow remote attackers to read arbitrar ...) NOT-FOR-US: Acrobat Reader CVE-2007-1198 (Cross-site scripting (XSS) vulnerability in TaskFreak! before 0.5.7 al ...) NOT-FOR-US: TaskFreak! CVE-2007-1197 (Multiple unspecified vulnerabilities in Epiware before 4.7.5 have unkn ...) NOT-FOR-US: Epiware CVE-2007-1196 (Unspecified vulnerability in Citrix Presentation Server Client for Win ...) NOT-FOR-US: Citrix CVE-2007-1195 (Multiple buffer overflows in XM Easy Personal FTP Server 5.3.0 allow r ...) NOT-FOR-US: XM Easy Personal FTP Server CVE-2007-1194 (Norman SandBox Analyzer does not use the proper range for Interrupt De ...) NOT-FOR-US: SandBox Analyzer CVE-2007-1193 (Multiple unspecified vulnerabilities in the Login page in OrangeHRM be ...) NOT-FOR-US: OrangeHRM CVE-2007-1192 (Thomas R. Pasawicz HyperBook Guestbook 1.30 stores sensitive informati ...) NOT-FOR-US: HyperBook Guestbook CVE-2007-1191 (The Social Bookmarks (del.icio.us) plug-in 8F in Quicksilver writes us ...) NOT-FOR-US: Quicksilver plugin Social Bookmarks CVE-2007-1190 (Unspecified vulnerability in the EmbeddedWB Web Browser ActiveX contro ...) NOT-FOR-US: EmbeddedWB ActiveX control CVE-2007-1189 (Integer overflow in the envwrite function in the Alcatel-Lucent Bell L ...) NOT-FOR-US: Alcatel-Lucent Bell Labs Plan 9 CVE-2007-1188 (WebAPP before 0.9.9.5 allows remote attackers to submit Search form in ...) NOT-FOR-US: WebAPP CVE-2007-1187 (WebAPP before 0.9.9.5 allows remote authenticated users, without admin ...) NOT-FOR-US: WebAPP CVE-2007-1186 (WebAPP before 0.9.9.5 does not "censor" the Latest Member real name, w ...) NOT-FOR-US: WebAPP CVE-2007-1185 (The (1) Search, (2) Edit Profile, (3) Recommend, and (4) User Approval ...) NOT-FOR-US: WebAPP CVE-2007-1184 (The default configuration of WebAPP before 0.9.9.5 has a CAPTCHA setti ...) NOT-FOR-US: WebAPP CVE-2007-1183 (WebAPP before 0.9.9.5 allows remote authenticated users to spoof anoth ...) NOT-FOR-US: WebAPP CVE-2007-1182 (WebAPP before 0.9.9.5 allows remote Guest users to edit a Guest profil ...) NOT-FOR-US: WebAPP CVE-2007-1181 (WebAPP before 0.9.9.5 passes (1) Unused Informations and (2) the usern ...) NOT-FOR-US: WebAPP CVE-2007-1180 (WebAPP before 0.9.9.5 does not check referrers in certain forms, which ...) NOT-FOR-US: WebAPP CVE-2007-1179 (WebAPP before 0.9.9.5 does not properly manage e-mail addresses in cer ...) NOT-FOR-US: WebAPP CVE-2007-1178 (WebAPP before 0.9.9.5 does not check access in certain contexts relate ...) NOT-FOR-US: WebAPP CVE-2007-1177 (WebAPP before 0.9.9.5 does not properly filter certain characters in c ...) NOT-FOR-US: WebAPP CVE-2007-1176 (Multiple cross-site scripting (XSS) vulnerabilities in WebAPP before 0 ...) NOT-FOR-US: WebAPP CVE-2007-1175 (Cross-site scripting (XSS) vulnerability in an admin feature in WebAPP ...) NOT-FOR-US: WebAPP CVE-2007-1174 (Multiple cross-site scripting (XSS) vulnerabilities in WebAPP before 2 ...) NOT-FOR-US: WebAPP CVE-2007-1173 (Multiple buffer overflows in the CentennialIPTransferServer service (X ...) NOT-FOR-US: CentennialIPTransferServer CVE-2007-1172 (SQL injection vulnerability in nukesentinel.php in NukeSentinel 2.5.05 ...) NOT-FOR-US: WebAPP CVE-2007-1171 (SQL injection vulnerability in includes/nsbypass.php in NukeSentinel 2 ...) NOT-FOR-US: NukeSentinel CVE-2007-1170 (SimBin GTR - FIA GT Racing Game 1.5.0.0 and earlier, GT Legends 1.1.0. ...) NOT-FOR-US: SimBin Racing CVE-2007-1169 (The web interface in Trend Micro ServerProtect for Linux (SPLX) 1.25, ...) NOT-FOR-US: Trend Micro ServerProtect CVE-2007-1168 (Trend Micro ServerProtect for Linux (SPLX) 1.25, 1.3, and 2.5 before 2 ...) NOT-FOR-US: Trend Micro ServerProtect CVE-2007-1167 (inc/filebrowser/browser.php in deV!L`z Clanportal (DZCP) 1.4.5 and ear ...) NOT-FOR-US: Clanportal CVE-2007-1166 (SQL injection vulnerability in result.php in Nabopoll 1.2 allows remot ...) NOT-FOR-US: Nabopoll CVE-2007-1165 (Multiple PHP remote file inclusion vulnerabilities in DBGuestbook 1.1 ...) NOT-FOR-US: DBGuestbook CVE-2007-1164 (Multiple PHP remote file inclusion vulnerabilities in DBImageGallery 1 ...) NOT-FOR-US: DBImageGallery CVE-2007-1163 (SQL injection vulnerability in printview.php in webSPELL 4.01.02 and e ...) NOT-FOR-US: webSPELL CVE-2007-1162 (A certain ActiveX control in the Common Controls Replacement Project ( ...) NOT-FOR-US: Common Controls ActiveX control CVE-2007-1161 (Cross-site scripting (XSS) vulnerability in call_entry.php in Call Cen ...) NOT-FOR-US: Call Center Software CVE-2006-7108 (login in util-linux-2.12a skips pam_acct_mgmt and chauth_tok when auth ...) - util-linux 2.17.2-9 (unimportant) NOTE: likely fixed far before this, which is the version in squeeze that was checked CVE-2006-7107 (PHP remote file inclusion vulnerability in upgrade.php in Coalescent S ...) NOT-FOR-US: freePBX CVE-2006-7106 (PHP remote file inclusion vulnerability in config.inc.php3 in Power Ph ...) NOT-FOR-US: Power Phlogger CVE-2006-7105 - smarty (described vulnerability never existed) CVE-2006-7104 (PHP remote file inclusion vulnerability in htmltemplate.php in the Cha ...) NOT-FOR-US: MOStlyContent Editor CVE-2006-7103 (Multiple directory traversal vulnerabilities in EZOnlineGallery 1.3 an ...) NOT-FOR-US: EZOnlineGallery CVE-2006-7102 (Multiple PHP remote file inclusion vulnerabilities in phpBurningPortal ...) NOT-FOR-US: phpBurningPortal quiz-modul CVE-2006-7101 (SQL injection vulnerability in admin.php in PHPWind 5.0.1 and earlier ...) NOT-FOR-US: PHPWind CVE-2006-7100 (PHP remote file inclusion vulnerability in includes/functions_mod_user ...) NOT-FOR-US: phpBB Insert User CVE-2006-7099 (Directory traversal vulnerability in index.php in SolarPay allows remo ...) NOT-FOR-US: SolarPay CVE-2006-7098 (The Debian GNU/Linux 033_-F_NO_SETSID patch for the Apache HTTP Server ...) - apache 1.3.34-4.1 (low; bug #357561) CVE-2006-7097 (Multiple unspecified vulnerabilities in TaskFreak! before 0.1.4 have u ...) NOT-FOR-US: TaskFreak! CVE-2006-7096 (Buffer overflow in the network_host_handle_join function in host.c in ...) NOT-FOR-US: dimension 3 engine CVE-2006-7095 (Integer signedness error in the network_receive_packet function in soc ...) NOT-FOR-US: dimension 3 engine CVE-2006-7094 (ftpd, as used by Gentoo and Debian Linux, sets the gid to the effectiv ...) - linux-ftpd 0.17-23 (bug #384454; low) CVE-2005-4832 (SQL injection vulnerability in the Oracle Database Server 10g allows r ...) NOT-FOR-US: Oracle Database Server CVE-2005-4831 (viewcvs in ViewCVS 0.9.2 allows remote attackers to set the Content-Ty ...) - viewvc 0.9.4+svn20060318-1 (low) CVE-2005-4830 (CRLF injection vulnerability in viewcvs in ViewCVS 0.9.2 allows remote ...) - viewvc 0.9.4+svn20060318-1 (low) NOTE: referring to http://www.securityfocus.com/archive/1/461427/100/0/threaded this NOTE: has been fixed in cvs for 0.9.3 CVE-2004-2680 (mod_python (libapache2-mod-python) 3.1.4 and earlier does not properly ...) - libapache2-mod-python 3.2.8-1 (low) CVE-2007-1218 (Off-by-one buffer overflow in the parse_elements function in the 802.1 ...) {DSA-1272-1} - tcpdump 3.9.5-2 (bug #413430; low) CVE-2007-1160 (webSPELL 4.0, and possibly later versions, allows remote attackers to ...) NOT-FOR-US: webSPELL CVE-2007-1159 (Cross-site scripting (XSS) vulnerability in modules/out.php in Pyropho ...) NOT-FOR-US: Pyrophobia CVE-2007-1158 (Directory traversal vulnerability in index.php in the Pagesetter 6.2.0 ...) NOT-FOR-US: Pagesetter CVE-2007-1157 (Cross-site request forgery (CSRF) vulnerability in jmx-console/HtmlAda ...) NOT-FOR-US: JBoss CVE-2007-1156 (JBrowser allows remote attackers to bypass authentication and access c ...) NOT-FOR-US: JBrowser CVE-2007-1155 (Unrestricted file upload vulnerability in webSPELL allows remote authe ...) NOT-FOR-US: webSPELL CVE-2007-1154 (SQL injection vulnerability in webSPELL allows remote attackers to exe ...) NOT-FOR-US: webSPELL CVE-2007-1153 (Multiple PHP remote file inclusion vulnerabilities in CutePHP CuteNews ...) NOT-FOR-US: CuteNews CVE-2007-1152 (Multiple directory traversal vulnerabilities in Pyrophobia 2.1.3.1 all ...) NOT-FOR-US: Pyrophobia CVE-2007-1151 (Cross-site scripting (XSS) vulnerability in LoveCMS 1.4 allows remote ...) NOT-FOR-US: LoveCMS CVE-2007-1150 (Unrestricted file upload vulnerability in LoveCMS 1.4 allows remote au ...) NOT-FOR-US: LoveCMS CVE-2007-1149 (Multiple directory traversal vulnerabilities in LoveCMS 1.4 allow remo ...) NOT-FOR-US: LoveCMS CVE-2007-1148 (PHP remote file inclusion vulnerability in install/index.php in LoveCM ...) NOT-FOR-US: LoveCMS CVE-2007-1147 (PHP remote file inclusion vulnerability in view.php in hbm allows remo ...) NOT-FOR-US: hbm CVE-2007-1146 (PHP remote file inclusion vulnerability in function.php in arabhost al ...) NOT-FOR-US: arabhost CVE-2007-1145 (Multiple cross-site scripting (XSS) vulnerabilities in Kayako SupportS ...) NOT-FOR-US: Kayako SupportSuite CVE-2007-1144 (Directory traversal vulnerability in jwpn-photos.php in J-Web Pics Nav ...) NOT-FOR-US: J-Web Pics Navigator CVE-2007-1143 (Directory traversal vulnerability in pn-menu.php in J-Web Pics Navigat ...) NOT-FOR-US: J-Web Pics Navigator CVE-2007-1142 (Cross-site scripting (XSS) vulnerability in Magic News Plus 1.0.2 allo ...) NOT-FOR-US: Magic News Plus CVE-2007-1141 (PHP remote file inclusion vulnerability in preview.php in Magic News P ...) NOT-FOR-US: Magic News Plus CVE-2007-1140 (Directory traversal vulnerability in edit.php in pheap allows remote a ...) NOT-FOR-US: pheap CVE-2007-1139 (Unrestricted file upload vulnerability in Cromosoft Simple Plantilla P ...) NOT-FOR-US: Simple Plantilla PHP CVE-2007-1138 (Absolute path traversal vulnerability in list_main_pages.php in Cromos ...) NOT-FOR-US: Simple Plantilla PHP CVE-2007-1137 (putmail.py in Putmail before 1.4 does not detect when a user attempts ...) NOT-FOR-US: Putmail CVE-2007-1136 (index.php in WebMplayer before 0.6.1-Alpha allows remote attackers to ...) NOT-FOR-US: WebMplayer CVE-2007-1135 (Multiple SQL injection vulnerabilities in WebMplayer before 0.6.1-Alph ...) NOT-FOR-US: WebMplayer CVE-2007-1134 (Unspecified vulnerability in Watchtower (WT) before 0.12 has unknown i ...) NOT-FOR-US: Watchtower CVE-2007-1133 (PHP remote file inclusion vulnerability in fcring.php in FCRing 1.3 al ...) NOT-FOR-US: FCRing CVE-2007-1132 (Multiple cross-site scripting (XSS) vulnerabilities in the "Contact Us ...) NOT-FOR-US: MTCMS CVE-2007-1131 (PHP remote file inclusion vulnerability in sinapis.php in Sinapis Foru ...) NOT-FOR-US: Sinapis Forum CVE-2007-1130 (PHP remote file inclusion vulnerability in sinagb.php in Sinapis Gaste ...) NOT-FOR-US: Sinapis Gastebuch CVE-2007-1129 (Multiple unrestricted file upload vulnerabilities in MTCMS 3.2 allow r ...) NOT-FOR-US: MTCMS CVE-2007-1128 (shopkitplus allows remote attackers to obtain sensitive information vi ...) NOT-FOR-US: shopkitplus CVE-2007-1127 (Directory traversal vulnerability in enc/stylecss.php in shopkitplus a ...) NOT-FOR-US: shopkitplus CVE-2007-1126 (Directory traversal vulnerability in index.php in xtcommerce allows re ...) NOT-FOR-US: xtcommerce CVE-2007-1125 (Cross-site scripting (XSS) vulnerability in gallery.php in XeroXer Sim ...) NOT-FOR-US: XeroXer Simple CVE-2007-1124 (Directory traversal vulnerability in gallery.php in XeroXer Simple one ...) NOT-FOR-US: XeroXer Simple CVE-2007-1123 (Multiple PHP remote file inclusion vulnerabilities in ZPanel 2.0 allow ...) NOT-FOR-US: ZPanel CVE-2007-1122 (Multiple SQL injection vulnerabilities in Mathis Dirksen-Thedens Zephy ...) NOT-FOR-US: ZephyrSoft Toolbox Address Book Continued CVE-2007-1121 (Multiple SQL injection vulnerabilities in Mathis Dirksen-Thedens Zephy ...) NOT-FOR-US: ZephyrSoft Toolbox Address Book Continued CVE-2007-1120 (The (1) Import.LoadFromURL and (2) Export.asText.SaveToFile functions ...) NOT-FOR-US: TeeChart Pro ActiveX control CVE-2007-1119 (Unspecified vulnerability in Novell ZENworks 7 Desktop Management Supp ...) NOT-FOR-US: Novell ZENworks CVE-2007-1118 (Multiple PHP remote file inclusion vulnerabilities in eFiction 3.1.1 a ...) NOT-FOR-US: eFiction CVE-2007-1117 (Unspecified vulnerability in Publisher 2007 in Microsoft Office 2007 a ...) NOT-FOR-US: Microsoft Office CVE-2007-1116 (The CheckLoadURI function in Mozilla Firefox 1.8 lists the about: URI ...) {DSA-1308-1 DSA-1306-1 DSA-1300-1 DTSA-45-1 DTSA-47-1 DTSA-51-1} - iceweasel 2.0.0.4-1 (low) - iceape 1.1.2-1 (low) - xulrunner 1.8.1.4-1 (bug #415919; bug #415944; bug #415945; low) NOTE: according to a blog comment at http://www.gnucitizen.org/projects/hscan-redux/, NOTE: older mozillas are not vulnerable CVE-2007-1115 (The child frames in Opera 9 before 9.20 inherit the default charset fr ...) NOT-FOR-US: Opera CVE-2007-1114 (The child frames in Microsoft Internet Explorer 7 inherit the default ...) NOT-FOR-US: Microsoft IE CVE-2007-1113 RESERVED CVE-2007-1112 (Kaspersky Anti-Virus 6.0 and Internet Security 6.0 exposes unsafe meth ...) NOT-FOR-US: Kaspersky Anti-Virus CVE-2007-1111 (Multiple cross-site scripting (XSS) vulnerabilities in ActiveCalendar ...) NOT-FOR-US: ActiveCalendar CVE-2007-1110 (Directory traversal vulnerability in data/showcode.php in ActiveCalend ...) NOT-FOR-US: ActiveCalendar CVE-2007-1109 (Multiple cross-site scripting (XSS) vulnerabilities in Phpwebgallery 1 ...) NOT-FOR-US: Phpwebgallery CVE-2007-1108 (PHP remote file inclusion vulnerability in index.php in Christian Schn ...) NOT-FOR-US: CS-Gallery CVE-2007-1107 (SQL injection vulnerability in thumbnails.php in Coppermine Photo Gall ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2007-1106 (PHP remote file inclusion vulnerability in includes/functions_nomoketo ...) NOT-FOR-US: NoMoKeTos Rules CVE-2007-1105 (PHP remote file inclusion vulnerability in functions.php in Extreme ph ...) NOT-FOR-US: phpBB Extreme CVE-2007-1104 (PHP remote file inclusion vulnerability in top.php in PHP Module Imple ...) NOT-FOR-US: PHP Module Implementation CVE-2007-1103 (Tor does not verify a node's uptime and bandwidth advertisements, whic ...) - tor (unimportant) NOTE: Minor issue, just puts more noise on the node CVE-2007-1102 (Photostand 1.2.0 allows remote attackers to obtain sensitive informati ...) NOT-FOR-US: Photostand CVE-2007-1101 (Multiple cross-site scripting (XSS) vulnerabilities in Photostand 1.2. ...) NOT-FOR-US: Photostand CVE-2007-1100 (Directory traversal vulnerability in download.php in Ahmet Sacan Pickl ...) NOT-FOR-US: Pickle CVE-2007-1099 (dbclient in Dropbear SSH client before 0.49 does not sufficiently warn ...) - dropbear 0.49-1 (unimportant; bug #412899) [etch] - dropbear 0.48.1-2 (unimportant) NOTE: That's a lack of a security feature (strict hostkey checking in openssh NOTE: termininoloy) and an awkward interface, but not a vulnerability per se NOTE: Especially as dropbear is specifically labeled a stripped down SSH implementation CVE-2007-1098 (Multiple unspecified vulnerabilities in ScryMUD before 2.1.11 have unk ...) NOT-FOR-US: ScryMUD CVE-2007-1097 (Unrestricted file upload vulnerability in the onAttachFiles function i ...) NOT-FOR-US: Wiclear CVE-2007-1096 (Cross-site scripting (XSS) vulnerability in ps_cart.php in VirtueMart ...) NOT-FOR-US: VirtueMart CVE-2007-1095 (Mozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5 do not prope ...) {DSA-1401-1 DSA-1396-1 DSA-1392-1 DTSA-69-1 DTSA-80-1} - iceweasel 2.0.0.8-1 (low; bug #445514) - xulrunner 1.8.1.9-1 - iceape 1.1.5 NOTE: MFSA2007-30 CVE-2007-1094 (Microsoft Internet Explorer 7 allows remote attackers to cause a denia ...) NOT-FOR-US: Microsoft IE CVE-2007-1093 (Multiple unspecified vulnerabilities in JP1/Cm2/Network Node Manager ( ...) NOT-FOR-US: Network Node Manager CVE-2007-1092 (Mozilla Firefox 1.5.0.9 and 2.0.0.1, and SeaMonkey before 1.0.8 allow ...) - iceweasel 2.0.0.2+dfsg-1 (low) CVE-2007-1091 (Microsoft Internet Explorer 7 allows remote attackers to prevent users ...) NOT-FOR-US: Microsoft IE CVE-2007-1090 (Microsoft Windows Explorer on Windows XP and 2003 allows remote user-a ...) NOT-FOR-US: Microsoft Windows CVE-2007-1089 (IBM DB2 Universal Database (UDB) 9.1 GA through 9.1 FP1 allows local u ...) NOT-FOR-US: IBM DB2 CVE-2007-1088 (Stack-based buffer overflow in IBM DB2 8.x before 8.1 FixPak 15 and 9. ...) NOT-FOR-US: IBM DB2 CVE-2007-1087 (IBM DB2 8.x before 8.1 FixPak 15 and 9.1 before Fix Pack 2 does not pr ...) NOT-FOR-US: IBM DB2 CVE-2007-1086 (Unspecified binaries in IBM DB2 8.x before 8.1 FixPak 15 and 9.1 befor ...) NOT-FOR-US: IBM DB2 CVE-2007-1085 (Cross-site scripting (XSS) vulnerability in Google Desktop allows remo ...) NOT-FOR-US: Google Desktop CVE-2007-1084 (Mozilla Firefox 2.0.0.1 and earlier does not prompt users before savin ...) - iceweasel (unimportant; bug #556268) - iceape (unimportant) - epiphany-browser (unimportant; bug #556272) NOTE: only epiphany-gecko backend affected - galeon 2.0.7-2 (unimportant; bug #556270) - kazehakase 0.5.8-2 (bug #556271) [lenny] - kazehakase 0.5.4-2lenny1 - conkeror (doesn't support bookmarks) - webkit (doesn't support javascript embedded in bookmarks) CVE-2007-1083 (Buffer overflow in the Configuration Checker (ConfigChk) ActiveX contr ...) NOT-FOR-US: ConfigChk ActiveX control CVE-2007-1082 (FTP Explorer 1.0.1 Build 047, and other versions before 1.0.1.52, allo ...) NOT-FOR-US: FTP Explorer CVE-2007-1081 (The start function in class.t3lib_formmail.php in TYPO3 before 4.0.5, ...) - typo3-src 4.0.5+debian-1 [etch] - typo3-src 4.0.2+debian-3 CVE-2007-1080 (Multiple heap-based buffer overflows in TurboFTP 5.30 Build 572 allow ...) NOT-FOR-US: TurboFTP CVE-2007-1079 (Stack-based buffer overflow in Rhino Software, Inc. FTP Voyager 14.0.0 ...) NOT-FOR-US: FTP Voyager CVE-2007-1078 (PHP remote file inclusion vulnerability in index.php in FlashGameScrip ...) NOT-FOR-US: FlashGameScript CVE-2007-1077 (SQL injection vulnerability in page.asp in Design4Online UserPages2 2. ...) NOT-FOR-US: UserPages2 CVE-2007-1076 (Multiple directory traversal vulnerabilities in phpTrafficA 1.4.1, and ...) NOT-FOR-US: phpTrafficA CVE-2007-1075 (TurboFTP 5.30 Build 572 allows remote servers to cause a denial of ser ...) NOT-FOR-US: TurboFTP CVE-2007-1074 (Multiple buffer overflows in NewsBin Pro 5.33 and NewsBin Pro 4.x allo ...) NOT-FOR-US: NewsBin Pro CVE-2007-1073 (Static code injection vulnerability in install.php in mcRefer allows r ...) NOT-FOR-US: mcRefer CVE-2007-1072 (The command line interface (CLI) in Cisco Unified IP Phone 7906G, 7911 ...) NOT-FOR-US: Cisco CVE-2007-1071 (Integer overflow in the gifGetBandProc function in ImageIO in Apple Ma ...) NOT-FOR-US: Apple ImageIO CVE-2007-1069 (The memory management in VMware Workstation before 5.5.4 allows attack ...) NOT-FOR-US: VMware CVE-2007-1068 (The (1) TTLS CHAP, (2) TTLS MSCHAP, (3) TTLS MSCHAPv2, (4) TTLS PAP, ( ...) NOT-FOR-US: Cisco CVE-2007-1067 (Cisco Secure Services Client (CSSC) 4.x, Trust Agent 1.x and 2.x, Cisc ...) NOT-FOR-US: Cisco CVE-2007-1066 (Cisco Secure Services Client (CSSC) 4.x, Trust Agent 1.x and 2.x, Cisc ...) NOT-FOR-US: Cisco CVE-2007-1065 (Cisco Secure Services Client (CSSC) 4.x, Trust Agent 1.x and 2.x, Cisc ...) NOT-FOR-US: Cisco CVE-2007-1064 (Cisco Secure Services Client (CSSC) 4.x, Trust Agent 1.x and 2.x, Cisc ...) NOT-FOR-US: Cisco CVE-2007-1063 (The SSH server in Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7 ...) NOT-FOR-US: Cisco CVE-2007-1062 (The Cisco Unified IP Conference Station 7935 3.2(15) and earlier, and ...) NOT-FOR-US: Cisco CVE-2007-1061 (SQL injection vulnerability in index.php in Francisco Burzi PHP-Nuke 8 ...) NOT-FOR-US: PHP-Nuke CVE-2007-1060 (Multiple PHP remote file inclusion vulnerabilities in Interspire SendS ...) NOT-FOR-US: SendStudio CVE-2007-1059 (PHP remote file inclusion vulnerability in function.php in Ultimate Fu ...) NOT-FOR-US: Ultimate Fun Book CVE-2007-1058 (SQL injection vulnerability in user_pages/page.asp in Online Web Build ...) NOT-FOR-US: Online Web Building CVE-2007-1057 (The Net Direct client for Linux before 6.0.5 in Nortel Application Swi ...) NOT-FOR-US: Nortel Application Switch CVE-2007-1056 (VMware Workstation 5.5.3 build 34685 does not provide per-user restric ...) NOT-FOR-US: VMware CVE-2007-1055 (Cross-site scripting (XSS) vulnerability in the AJAX features in index ...) - mediawiki 1.7.1-9 (bug #406238; medium) CVE-2007-1054 (Cross-site scripting (XSS) vulnerability in the AJAX features in index ...) - mediawiki 1.7.1-9 (bug #406238; medium) CVE-2007-1053 NOT-FOR-US: phpXmms CVE-2007-1052 NOT-FOR-US: PBLang CVE-2007-1051 (Comodo Firewall Pro (formerly Comodo Personal Firewall) 2.4.17.183 and ...) NOT-FOR-US: Comodo Firewall Pro CVE-2007-1050 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Ab ...) NOT-FOR-US: MyCalendar CVE-2007-1048 (PHP remote file inclusion vulnerability in admin_rebuild_search.php in ...) NOT-FOR-US: phpbb_wordsearch CVE-2007-1047 (Unspecified vulnerability in Distributed Checksum Clearinghouse (DCC) ...) - dcc (medium; bug #439718) CVE-2007-1046 (Dem_trac allows remote attackers to read log file contents via a direc ...) NOT-FOR-US: Dem_trac CVE-2007-1045 (mAlbum 0.3 has default accounts (1) "login"/"pass" for its administrat ...) NOT-FOR-US: mAlbum CVE-2007-1044 (Pearson Education PowerSchool 4.3.6 allows remote attackers to list th ...) NOT-FOR-US: PowerSchool CVE-2007-1043 (Ezboo webstats, possibly 3.0.3, allows remote attackers to bypass auth ...) NOT-FOR-US: Ezboo CVE-2007-1042 (Directory traversal vulnerability in news.php in Xpression News (X-New ...) NOT-FOR-US: Xpression News CVE-2007-1041 (Multiple stack-based buffer overflows in S&H Computer Systems News ...) NOT-FOR-US: News Rover CVE-2007-1040 (Directory traversal vulnerability in archives.php in Xpression News (X ...) NOT-FOR-US: Xpression News CVE-2007-1039 (Unspecified vulnerability in Peanut Knowledge Base (PeanutKB) 0.0.3 an ...) NOT-FOR-US: Peanut Knowledge Base CVE-2007-1038 (Shemes.com Grabit 1.5.3, and possibly earlier, allows remote attackers ...) NOT-FOR-US: Grabit CVE-2007-1037 (Stack-based buffer overflow in News File Grabber 4.1.0.1 and earlier a ...) NOT-FOR-US: News File Grabber CVE-2006-7093 (Cross-site scripting (XSS) vulnerability in Mambo LaiThai 4.5.4 Securi ...) NOT-FOR-US: Mambo LaiThai CVE-2006-7092 (SQL injection vulnerability in includes/mambo.php in Mambo LaiThai 4.5 ...) NOT-FOR-US: Mambo LaiThai CVE-2006-7091 (PHP remote file inclusion vulnerability in config.php in phpht Topsite ...) NOT-FOR-US: Topsites FREE CVE-2006-7090 (PHP remote file inclusion vulnerability in phpbb_security.php in phpBB ...) NOT-FOR-US: phpBB Security CVE-2006-7089 (SQL injection vulnerability in connexion.php in Ban 0.1 allows remote ...) NOT-FOR-US: Ban CVE-2006-7088 (Multiple SQL injection vulnerabilities in Simple PHP Forum before 0.4 ...) NOT-FOR-US: Simple PHP Forum CVE-2006-7087 (CRLF injection vulnerability in the mail function in Dotdeb PHP before ...) NOT-FOR-US: Dotdeb PHP CVE-2006-7086 (The (1) dlback.php and (2) dlback.cgi scripts in Hot Links allow remot ...) NOT-FOR-US: Hot Links CVE-2006-7085 (Rigter Portal System (RPS) 1.0, 2.0, and 3.0 allows remote attackers t ...) NOT-FOR-US: Rigter Portal System CVE-2006-7084 REJECTED CVE-2006-7083 (Directory traversal vulnerability in index.php in Rigter Portal System ...) NOT-FOR-US: Rigter Portal System CVE-2006-7082 (Rigter Portal System (RPS) 1.0, 2.0, and 3.0 allows remote attackers t ...) NOT-FOR-US: Rigter Portal System CVE-2006-7081 (Multiple PHP remote file inclusion vulnerabilities in PhpNews 1.0 allo ...) NOT-FOR-US: PhpNews CVE-2006-7080 (Directory traversal vulnerability in the avatar upload feature in exV2 ...) NOT-FOR-US: exV2 CVE-2006-7079 (Variable extraction vulnerability in include/common.php in exV2 2.0.4. ...) NOT-FOR-US: exV2 CVE-2006-7078 (Multiple cross-site scripting (XSS) vulnerabilities in Professional Ho ...) NOT-FOR-US: Professional Home Page Tools Login Script CVE-2006-7077 (SQL injection vulnerability in guestbook.php in Advanced Guestbook 2.4 ...) NOT-FOR-US: Advanced Guestbook CVE-2006-7076 (Cross-site scripting (XSS) vulnerability in guestbook.php in Advanced ...) NOT-FOR-US: Advanced Guestbook CVE-2006-7075 (Buffer overflow in the meta_read_flac function in meta_decoder.c for A ...) - aqualung 0.9~beta6-1 (medium) CVE-2006-7074 (admin.php in SmartSiteCMS 1.0 allows remote attackers to bypass authen ...) NOT-FOR-US: SmartSiteCMS CVE-2006-7073 (Cross-site scripting (XSS) vulnerability in Opentools Attachment Mod b ...) NOT-FOR-US: Opentools Attachment Mod CVE-2006-7072 (Cross-site scripting (XSS) vulnerability in GeoClassifieds Enterprise ...) NOT-FOR-US: GeoClassifieds Enterprise CVE-2006-7071 (SQL injection vulnerability in classes/class_session.php in Invision P ...) NOT-FOR-US: Invision Power Board CVE-2006-7070 (Unrestricted file upload vulnerability in manager/media/ibrowser/scrip ...) NOT-FOR-US: Etomite CMS CVE-2006-7069 (PHP remote file inclusion vulnerability in smarty_config.php in Socket ...) NOT-FOR-US: Socketwiz Bookmarks CVE-2006-7068 (PHP remote file inclusion vulnerability in CliServ Web Community 0.65 ...) NOT-FOR-US: CliServ Web Community CVE-2006-7067 (Oracle 10g R2 and possibly other versions allows remote attackers to t ...) NOT-FOR-US: Oracle CVE-2006-7066 (Microsoft Internet Explorer 6 on Windows XP SP2 allows remote attacker ...) NOT-FOR-US: Microsoft IE CVE-2006-7065 (Microsoft Internet Explorer allows remote attackers to cause a denial ...) NOT-FOR-US: Microsoft IE CVE-2006-7064 (Cross-site scripting (XSS) vulnerability in forum/admin.php for Invisi ...) NOT-FOR-US: Invision Power Board CVE-2006-7063 (Directory traversal vulnerability in profile.php in TinyPHPforum 3.6 a ...) NOT-FOR-US: TinyPHPforum CVE-2006-7062 (calendar.php in Kamgaing Email System (kmail) 2.3 and earlier allows r ...) NOT-FOR-US: Kamgaing Email System CVE-2006-7061 (Scriptsez.net E-Dating System stores data files with predictable names ...) NOT-FOR-US: E-Dating System CVE-2006-7060 (cindex.php in Scriptsez.net E-Dating System allows remote attackers to ...) NOT-FOR-US: E-Dating System CVE-2006-7059 (Multiple cross-site scripting (XSS) vulnerabilities in Scriptsez.net E ...) NOT-FOR-US: E-Dating System CVE-2006-7058 (Multiple cross-site scripting (XSS) vulnerabilities in Sphider before ...) NOT-FOR-US: Sphider CVE-2006-7057 (SQL injection vulnerability in search.php in Sphider before 1.3.1c all ...) NOT-FOR-US: Sphider CVE-2006-7056 (Multiple PHP remote file inclusion vulnerabilities in DreamCost HostAd ...) NOT-FOR-US: HostAdmin CVE-2006-7055 (PHP remote file inclusion vulnerability in index.php in TotalCalendar ...) NOT-FOR-US: TotalCalendar CVE-2006-7054 (The DNS module in Arkoon FAST360 UTM appliances 3.0 up to 3.0/29, 3.1 ...) NOT-FOR-US: FAST360 UTM CVE-2006-7053 (Unspecified vulnerability in Arkoon FAST360 UTM appliances 3.0 through ...) NOT-FOR-US: FAST360 UTM CVE-2006-7052 (Multiple PHP remote file inclusion vulnerabilities in DotWidget For Ar ...) NOT-FOR-US: DotWidget CVE-2006-7051 (The sys_timer_create function in posix-timers.c for Linux kernel 2.6.x ...) - linux-2.6 2.6.23-1 (low) [etch] - linux-2.6 (Design limitation, use resource limits if it poses a problem) CVE-2006-7050 (Cross-site scripting (XSS) vulnerability in WikkaWiki (Wikka Wiki) bef ...) NOT-FOR-US: WikkaWiki CVE-2006-7049 (The Method method in WikkaWiki (Wikka Wiki) before 1.1.6.2 calls the s ...) NOT-FOR-US: WikkaWiki CVE-2006-7048 (Multiple PHP remote file inclusion vulnerabilities in Claroline 1.7.5 ...) NOT-FOR-US: Claroline CVE-2006-7047 (include.php in Shoutpro 1.0 might allow remote attackers to bypass IP ...) NOT-FOR-US: Shoutpro CVE-2006-7046 (PHP remote file inclusion vulnerability in cmpro.intern/login.inc.php ...) NOT-FOR-US: Clan Manager Pro CVE-2006-7045 (PHP remote file inclusion vulnerability in Clan Manager Pro (CMPRO) 1. ...) NOT-FOR-US: Clan Manager Pro CVE-2006-7044 (PHP remote file inclusion vulnerability in comment.core.inc.php in Cla ...) NOT-FOR-US: Clan Manager Pro CVE-2006-7043 (Multiple cross-site scripting (XSS) vulnerabilities in Chipmunk Blogge ...) NOT-FOR-US: Chipmunk CVE-2006-7042 (Cross-site scripting (XSS) vulnerability in directory/index.php in Chi ...) NOT-FOR-US: Chipmunk CVE-2006-7041 (The SMTP service in MERCUR Messaging 2005 before Service Pack 4 allows ...) NOT-FOR-US: MERCUR Messaging CVE-2006-7040 (Unspecified vulnerability in MERCUR Messaging 2005 before Service Pack ...) NOT-FOR-US: MERCUR Messaging CVE-2006-7039 (The IMAP4 service in MERCUR Messaging 2005 before Service Pack 4 allow ...) NOT-FOR-US: MERCUR Messaging CVE-2006-7038 (Multiple buffer overflows in MERCUR Messaging 2005 before Service Pack ...) NOT-FOR-US: MERCUR Messaging CVE-2006-7037 (Mathcad 12 through 13.1 allows local users to bypass the security feat ...) NOT-FOR-US: MathCAD CVE-2006-7036 (PHP remote file inclusion vulnerability in register.php for Andys Chat ...) NOT-FOR-US: Andy's Chat CVE-2006-7035 (Directory traversal vulnerability in make_thumbnail.php in Super Link ...) NOT-FOR-US: Super Link Exchange Script CVE-2006-7034 (SQL injection vulnerability in directory.php in Super Link Exchange Sc ...) NOT-FOR-US: Super Link Exchange Script CVE-2006-7033 (Cross-site scripting (XSS) vulnerability in Super Link Exchange Script ...) NOT-FOR-US: Super Link Exchange Script CVE-2006-7032 (PHP remote file inclusion vulnerability in phpbb/getmsg.php in FlashBB ...) NOT-FOR-US: FlashBB CVE-2006-7031 (Microsoft Internet Explorer 6.0.2900 SP2 and earlier allows remote att ...) NOT-FOR-US: Microsoft IE CVE-2006-7030 (Microsoft Internet Explorer 6 SP2 and earlier allows remote attackers ...) NOT-FOR-US: Microsoft IE CVE-2006-7029 (Microsoft Internet Explorer 6 SP2 and earlier allows remote attackers ...) NOT-FOR-US: Microsoft IE CVE-2006-7028 (Single CPU Sun systems running Solaris 7, 8, or 9, such as Netra, allo ...) NOT-FOR-US: Sun Solaris CVE-2006-7027 (Microsoft Internet Security and Acceleration (ISA) Server 2004 logs un ...) NOT-FOR-US: Microsoft ISA CVE-2006-7026 (PHP remote file inclusion vulnerability in sources/join.php in Aardvar ...) NOT-FOR-US: Topsites PHP CVE-2006-7025 (SQL injection vulnerability in admin/config.php in Bookmark4U 2.0 and ...) NOT-FOR-US: Bookmark4U CVE-2005-4829 (VirtueMart before 1.0.1 does not properly handle errors when a user is ...) NOT-FOR-US: VirtueMart CVE-2004-2679 (Check Point Firewall-1 4.1 up to NG AI R55 allows remote attackers to ...) NOT-FOR-US: CheckPoint Firewall CVE-2004-2678 (Unspecified vulnerability in HP Tru64 UNIX 5.1B PK2(BL22) and PK3(BL24 ...) NOT-FOR-US: HP Tru64 UNIX CVE-2004-2677 (Format string vulnerability in qwik-smtpd.c in QwikMail SMTP (qwik-smt ...) NOT-FOR-US: QwikMail SMTP CVE-2003-1320 (SonicWALL firmware before 6.4.0.1 allows remote attackers to cause a d ...) NOT-FOR-US: SonicWALL CVE-2002-2225 (SafeNet VPN client allows remote attackers to cause a denial of servic ...) NOT-FOR-US: SafeNet VPN CVE-2002-2224 (Buffer overflow in PGPFreeware 7.03 running on Windows NT 4.0 SP6 allo ...) NOT-FOR-US: PGPFreeware CVE-2002-2223 (Buffer overflow in NetScreen-Remote 8.0 allows remote attackers to cau ...) NOT-FOR-US: NetScreen-Remote CVE-2002-2222 (isakmpd/message.c in isakmpd in FreeBSD before isakmpd-20020403_1, and ...) NOT-FOR-US: FreeBSD CVE-2007-XXXX [vserver patch allows renice of processes in different context] - linux-2.6 2.6.18.dfsg.1-12 (bug #412143) CVE-2007-XXXX [apg generates insecure passwords on 64-bit architectures] - apg 2.2.3.dfsg.1-2 (low; bug #412618) [etch] - apg (Minor issue) [sarge] - apg (Minor issue) CVE-2007-XXXX [mt-daapd remote access & default password] - mt-daapd 0.9~r1586-1 (unimportant; bug #404640) NOTE: User-unfriendly packaging flaw, but not a vulnerability per se CVE-2007-XXXX [amavids-new uses contrib/non-free packers without security support in default config] - amavisd-new 1:2.5.2-1 (unimportant; bug #410588) NOTE: Doesn't affect a standard Debian installation, only users, which install NOTE: proprietary apps, it should be fixed for sanity, but not a direct vulnerability CVE-2006-XXXX [pure-ftpd-mysql: any problems with a home dir will allow rw to the entire filesystem] - pure-ftpd 1.0.21-1 (low) NOTE: oldstable is affected CVE-2007-1049 (Cross-site scripting (XSS) vulnerability in the wp_explain_nonce funct ...) {DTSA-34-1} - wordpress 2.1.1-1 (low) CVE-2007-1070 (Multiple stack-based buffer overflows in Trend Micro ServerProtect for ...) NOT-FOR-US: Trend Micro ServerProtect CVE-2007-1036 (The default configuration of JBoss does not restrict access to the (1) ...) NOT-FOR-US: JBoss CVE-2007-1035 (Unspecified vulnerability in certain demonstration scripts in getID3 1 ...) NOT-FOR-US: Mediafield and Audio modules for Drupal NOTE: this is not a php-getid3 problem, but related to the way these modules embed getid3 CVE-2007-1034 (SQL injection vulnerability in the category file in modules.php in the ...) NOT-FOR-US: Emporium for PHP-Nuke CVE-2007-1033 (Unspecified vulnerability in the Secure site 4.7.x-1.x-dev and 5.x-1.x ...) NOT-FOR-US: Secure site for Drupal CVE-2007-1032 (Unspecified vulnerability in phpMyFAQ 1.6.9 and earlier, when register ...) NOT-FOR-US: phpMyFAQ CVE-2007-1031 (Directory traversal vulnerability in include/db_conn.php in SpoonLabs ...) NOT-FOR-US: Vivvo Article Management CMS CVE-2007-1030 (Niels Provos libevent 1.2 and 1.2a allows remote attackers to cause a ...) - libevent (vulnerable version 1.2 was never uploaded) CVE-2007-1029 (Stack-based buffer overflow in the Connect method in the IMAP4 compone ...) NOT-FOR-US: Quiksoft EasyMail Objects CVE-2007-1028 (Cross-site scripting (XSS) vulnerability in the Barry Jaspan Image Pag ...) NOT-FOR-US: Image Pager CVE-2007-1027 (Certain setuid DB2 binaries in IBM DB2 before 9 Fix Pack 2 for Linux a ...) NOT-FOR-US: IBM DB2 CVE-2007-1026 (SQL injection vulnerability in view.php in XLAtunes 0.1 and earlier al ...) NOT-FOR-US: XLAtunes CVE-2007-1025 (PHP remote file inclusion vulnerability in inc/functions_inc.php in VS ...) NOT-FOR-US: VS-Link-Partner CVE-2007-1024 (PHP remote file inclusion vulnerability in include.php in Meganoide's ...) NOT-FOR-US: Meganoide's news CVE-2007-1023 (SQL injection vulnerability in pop_profile.asp in Snitz Forums 2000 3. ...) NOT-FOR-US: Snitz Forums 2000 CVE-2007-1022 (SQL injection vulnerability in h_goster.asp in Turuncu Portal 1.0 allo ...) NOT-FOR-US: Turuncu Portal CVE-2007-1021 (SQL injection vulnerability in inc_listnews.asp in CodeAvalanche News ...) NOT-FOR-US: CodeAvalanche News CVE-2007-1020 (Cross-site scripting (XSS) vulnerability in index.php in CedStat 1.31 ...) NOT-FOR-US: CedStat CVE-2007-1019 (SQL injection vulnerability in news.php in webSPELL 4.01.02, when regi ...) NOT-FOR-US: webSPELL CVE-2007-1018 (PHP remote file inclusion vulnerability in tpl/header.php in VirtualSy ...) NOT-FOR-US: VS-News-System CVE-2007-1017 (PHP remote file inclusion vulnerability in show_news_inc.php in Virtua ...) NOT-FOR-US: VS-News-System CVE-2007-1016 (SQL injection vulnerability in Aktueldownload Haber script allows remo ...) NOT-FOR-US: Aktueldownload Haber CVE-2007-1015 (SQL injection vulnerability in HaberDetay.asp in Aktueldownload Haber ...) NOT-FOR-US: Aktueldownload Haber CVE-2007-1014 (Stack-based buffer overflow in VicFTPS before 5.0 allows remote attack ...) NOT-FOR-US: VicFTPS CVE-2007-1013 (PHP remote file inclusion vulnerability in generate.php in VirtualSyst ...) NOT-FOR-US: VirtualSystem Htaccess Password Generator CVE-2007-1012 (Cross-site scripting (XSS) vulnerability in faq.php in DeskPRO 1.1.0 a ...) NOT-FOR-US: DeskPRO CVE-2007-1011 (PHP remote file inclusion vulnerability in functions_inc.php in VS-Gas ...) NOT-FOR-US: VS-Gastebuch CVE-2007-1010 (Multiple PHP remote file inclusion vulnerabilities in ZebraFeeds 1.0, ...) NOT-FOR-US: ZebraFeeds CVE-2007-1009 (Macrovision InstallAnywhere Enterprise before 8.0.1 uses the InstallSc ...) NOT-FOR-US: InstallAnywhere CVE-2007-1008 (Apple iTunes 7.0.2 allows user-assisted remote attackers to cause a de ...) NOT-FOR-US: Apple iTunes CVE-2007-1007 (Format string vulnerability in GnomeMeeting 1.0.2 and earlier allows r ...) {DSA-1262-1} - gnomemeeting (high) CVE-2007-1006 (Multiple format string vulnerabilities in the gm_main_window_flash_mes ...) - ekiga 2.0.3-2.1 (bug #411944; high) CVE-2007-1005 (Heap-based buffer overflow in SW3eng.exe in the eID Engine service in ...) NOT-FOR-US: eTrust Intrusion Detection CVE-2007-1004 (Mozilla Firefox might allow remote attackers to conduct spoofing and p ...) - iceweasel 2.0.0.4-1 (low) - iceape 1.0.9-1 (low) - xulrunner 1.8.0.4-1 (low) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=370555 CVE-2007-1003 (Integer overflow in ALLOCATE_LOCAL in the ProcXCMiscGetXIDList functio ...) {DSA-1294-1} - xorg-server 2:1.1.1-21 (medium) CVE-2007-1002 (Format string vulnerability in the write_html function in calendar/gui ...) {DSA-1325-1} - evolution 2.10.2-1 [sarge] - evolution (Vulnerable code not present) CVE-2007-1001 (Multiple integer overflows in the (1) createwbmp and (2) readwbmp func ...) - libgd2 2.0.33-1 (medium) NOTE: This has been fixed in libgd2 for a while, and php is linked against libgd2. CVE-2007-1000 (The ipv6_getsockopt_sticky function in net/ipv6/ipv6_sockglue.c in the ...) - linux-2.6 2.6.18.dfsg.1-12 (medium) CVE-2007-0999 (Format string vulnerability in Ekiga 2.0.3, and probably other version ...) - ekiga 2.0.3-5 (bug #414069; high) CVE-2007-0998 (The VNC server implementation in QEMU, as used by Xen and possibly oth ...) - xen-3.0 (bug #436250; medium) [etch] - xen-3.0 NOTE: Fedora disabled the VNC access to the Qemu monitor NOTE: An adjusted patch has been sent to the debian bugreport CVE-2007-0997 (Race condition in the tee (sys_tee) system call in the Linux kernel 2. ...) - linux-2.6 2.6.18-1 CVE-2007-0996 (The child frames in Mozilla Firefox before 1.5.0.10 and 2.x before 2.0 ...) {DSA-1336-1} NOTE: MFSA-2007-02 - iceweasel 2.0.0.2+dfsg-1 (low) - xulrunner 1.8.0.10-1 (low) CVE-2007-0995 (Mozilla Firefox before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey ...) {DSA-1336-1} NOTE: MFSA-2007-02 - iceweasel 2.0.0.2+dfsg-1 (low) - iceape 1.0.8-1 (low) - xulrunner 1.8.0.10-1 (low) [sarge] - mozilla-thunderbird (Mozilla products from Sarge no longer supported) [sarge] - mozilla-firefox (Mozilla products from Sarge no longer supported) [sarge] - mozilla (Mozilla products from Sarge no longer supported) CVE-2007-0994 (A regression error in Mozilla Firefox 2.x before 2.0.0.2 and 1.x befor ...) {DSA-1336-1} - iceweasel 2.0.0.2+dfsg-2 (medium) CVE-2007-0993 REJECTED CVE-2007-0992 REJECTED CVE-2007-0991 REJECTED CVE-2007-0990 REJECTED CVE-2007-0989 REJECTED CVE-2007-0988 (The zend_hash_init function in PHP 5 before 5.2.1 and PHP 4 before 4.4 ...) {DSA-1264-1} [etch] - php4 6:4.4.4-8+etch1 [etch] - php5 5.2.0-8+etch1 - php4 6:4.4.4-9 - php5 5.2.0-9 CVE-2007-0987 (Directory traversal vulnerability in index.php in Jupiter CMS 1.1.5 al ...) NOT-FOR-US: Jupiter CMS CVE-2007-0986 (PHP remote file inclusion vulnerability in index.php in Jupiter CMS 1. ...) NOT-FOR-US: Jupiter CMS CVE-2007-0985 (SQL injection vulnerability in nickpage.php in phpCC 4.2 beta and earl ...) NOT-FOR-US: phpCC CVE-2007-0984 (SQL injection vulnerability in admin_poll.asp in PollMentor 2.0 allows ...) NOT-FOR-US: PollMentor CVE-2007-0983 (PHP remote file inclusion vulnerability in _admin/nav.php in AT Conten ...) NOT-FOR-US: AT Contenator CVE-2007-0982 (Cross-site scripting (XSS) vulnerability in error.php in TaskFreak! 0. ...) NOT-FOR-US: TaskFreak! CVE-2007-0981 (Mozilla based browsers, including Firefox before 1.5.0.10 and 2.x befo ...) {DSA-1336-1} NOTE: MFSA-2007-07 - iceweasel 2.0.0.1+dfsg-3 (bug #411192; high) - xulrunner 1.8.0.10-1 (high) - iceape 1.0.8-1 (high) [sarge] - mozilla-firefox (Mozilla products from Sarge no longer supported) [sarge] - mozilla (Mozilla products from Sarge no longer supported) CVE-2007-0980 (Unspecified vulnerability in HP Serviceguard for Linux; packaged for S ...) NOT-FOR-US: HP Serviceguard CVE-2007-0979 (Unspecified vulnerability in LifeType before 1.1.6, and 1.2 before 1.2 ...) NOT-FOR-US: LifeType CVE-2007-0978 (Buffer overflow in swcons in IBM AIX 5.3 allows local users to gain pr ...) NOT-FOR-US: IBM AIX CVE-2007-0977 (IBM Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields ...) NOT-FOR-US: IBM Lotus Domino CVE-2007-0976 (Buffer overflow in the ActSoft DVD-Tools ActiveX control (dvdtools.ocx ...) NOT-FOR-US: ActSoft DVD-Tools ActiveX control CVE-2007-0975 (Variable extraction vulnerability in Ian Bezanson Apache Stats before ...) NOT-FOR-US: Apache Stats CVE-2007-0974 (Multiple unspecified vulnerabilities in Ian Bezanson DropBox before 0. ...) NOT-FOR-US: DropBox CVE-2007-0973 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Ju ...) NOT-FOR-US: Jupiter CMS CVE-2007-0972 (Unrestricted file upload vulnerability in modules/emoticons.php in Jup ...) NOT-FOR-US: Jupiter CMS CVE-2007-0971 (Multiple SQL injection vulnerabilities in Jupiter CMS 1.1.5 allow remo ...) NOT-FOR-US: Jupiter CMS CVE-2007-0970 (Multiple SQL injection vulnerabilities in WebTester 5.0.20060927 and e ...) NOT-FOR-US: WebTester CVE-2007-0969 (Multiple cross-site scripting (XSS) vulnerabilities in WebTester 5.0.2 ...) NOT-FOR-US: WebTester CVE-2007-0968 (Unspecified vulnerability in Cisco Firewall Services Module (FWSM) bef ...) NOT-FOR-US: Cisco CVE-2007-0967 (Cisco Firewall Services Module (FWSM) 3.x before 3.1(3.1) allows remot ...) NOT-FOR-US: Cisco CVE-2007-0966 (Cisco Firewall Services Module (FWSM) 3.x before 3.1(3.11), when the H ...) NOT-FOR-US: Cisco CVE-2007-0965 (Cisco FWSM 3.x before 3.1(3.2), when authentication is configured to u ...) NOT-FOR-US: Cisco CVE-2007-0964 (Cisco FWSM 3.x before 3.1(3.18), when authentication is configured to ...) NOT-FOR-US: Cisco CVE-2007-0963 (Unspecified vulnerability in Cisco Firewall Services Module (FWSM) 3.x ...) NOT-FOR-US: Cisco CVE-2007-0962 (Cisco PIX 500 and ASA 5500 Series Security Appliances 7.0 before 7.0(4 ...) NOT-FOR-US: Cisco CVE-2007-0961 (Cisco PIX 500 and ASA 5500 Series Security Appliances 6.x before 6.3(5 ...) NOT-FOR-US: Cisco CVE-2007-0960 (Unspecified vulnerability in Cisco PIX 500 and ASA 5500 Series Securit ...) NOT-FOR-US: Cisco CVE-2007-0959 (Cisco PIX 500 and ASA 5500 Series Security Appliances 7.2.2, when conf ...) NOT-FOR-US: Cisco CVE-2007-0958 (Linux kernel 2.6.x before 2.6.20 allows local users to read unreadable ...) {DSA-1304 DSA-1286-1} - linux-2.6 2.6.20-1 CVE-2007-0957 (Stack-based buffer overflow in the krb5_klog_syslog function in the ka ...) {DSA-1276-1} - krb5 1.4.4-8 (high) CVE-2007-0956 (The telnet daemon (telnetd) in MIT krb5 before 1.6.1 allows remote att ...) {DSA-1276-1} - krb5 1.4.4-8 (high) CVE-2007-0955 (The NTLM_UnPack_Type3 function in MENTLM.dll in MailEnable Professiona ...) NOT-FOR-US: Mail Enable Professional CVE-2007-0954 (MOHA Chat 0.1b7 and earlier does not require authentication for use of ...) NOT-FOR-US: MOHA Chat CVE-2007-0953 (Cross-site scripting (XSS) vulnerability in search.pl in @Mail 4.61 an ...) NOT-FOR-US: @Mail CVE-2007-0952 (Multiple cross-site scripting (XSS) vulnerabilities in Scriptsez.net V ...) NOT-FOR-US: Virtual Calendar CVE-2007-0951 (SQL injection vulnerability in listmain.asp in Fullaspsite ASP Hosting ...) NOT-FOR-US: Fullaspsite ASP Hosting Site CVE-2007-0950 (Cross-site scripting (XSS) vulnerability in listmain.asp in Fullaspsit ...) NOT-FOR-US: Fullaspsite ASP Hosting Site CVE-2007-0949 (Stack-based buffer overflow in iTinySoft Studio Total Video Player 1.0 ...) NOT-FOR-US: iTinySoft CVE-2007-0948 (Heap-based buffer overflow in Microsoft Virtual PC 2004 and PC for Mac ...) NOT-FOR-US: Microsoft Virtual PC CVE-2007-0947 (Use-after-free vulnerability in Microsoft Internet Explorer 7 on Windo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2007-0946 (Unspecified vulnerability in Microsoft Internet Explorer 7 on Windows ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2007-0945 (Microsoft Internet Explorer 6 SP1 on Windows 2000 SP4; 6 and 7 on Wind ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2007-0944 (Unspecified vulnerability in the CTableCol::OnPropertyChange method in ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2007-0943 (Unspecified vulnerability in Internet Explorer 5.01 and 6 SP1 allows r ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2007-0942 (Microsoft Internet Explorer 5.01 SP4 on Windows 2000 SP4; 6 SP1 on Win ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2007-0941 REJECTED CVE-2007-0940 (Unspecified vulnerability in the Cryptographic API Component Object Mo ...) NOT-FOR-US: Microsoft CAPICOM CVE-2007-0939 (Cross-site scripting (XSS) vulnerability in Microsoft Content Manageme ...) NOT-FOR-US: Microsoft Content Management Server CVE-2007-0938 (Microsoft Content Management Server (MCMS) 2001 SP1 and 2002 SP2 does ...) NOT-FOR-US: Microsoft Content Management Server CVE-2007-0937 REJECTED CVE-2007-0936 (Multiple unspecified vulnerabilities in Microsoft Visio 2002 allow rem ...) NOT-FOR-US: Microsoft CVE-2007-0935 REJECTED CVE-2007-0934 (Unspecified vulnerability in Microsoft Visio 2002 allows remote user-a ...) NOT-FOR-US: Microsoft CVE-2007-0933 (Buffer overflow in the wireless driver 6.0.0.18 for D-Link DWL-G650+ ( ...) NOT-FOR-US: D-Link CVE-2007-0932 (The (1) Aruba Mobility Controllers 200, 600, 2400, and 6000 and (2) Al ...) NOT-FOR-US: Aruba Mobility Controller CVE-2007-0931 (Heap-based buffer overflow in the management interfaces in (1) Aruba M ...) NOT-FOR-US: Aruba Mobility Controller CVE-2007-0930 (Variable extract vulnerability in Apache Stats before 0.0.3beta allows ...) NOT-FOR-US: Apache Stats CVE-2007-0929 (Directory traversal vulnerability in php rrd browser before 0.2.1 allo ...) NOT-FOR-US: prb (php rrd browser) CVE-2007-0928 (Virtual Calendar stores sensitive information under the web root with ...) NOT-FOR-US: Virtual Calendar CVE-2007-0927 (Heap-based buffer overflow in uTorrent 1.6 allows remote attackers to ...) NOT-FOR-US: uTorrent CVE-2007-0926 (The dologin function in guestbook.php in KvGuestbook 1.0 Beta allows r ...) NOT-FOR-US: KvGuestbook CVE-2007-0925 (Cross-site scripting (XSS) vulnerability in search/SearchResults.aspx ...) NOT-FOR-US: Community Server CVE-2007-0924 (Till Gerken phpPolls 1.0.3 allows remote attackers to bypass authentic ...) NOT-FOR-US: phpPolls CVE-2007-0923 (buscador/buscador.htm in Portal Search allows remote attackers to obta ...) NOT-FOR-US: Portal Search CVE-2007-0922 (Cross-site scripting (XSS) vulnerability in buscador/buscador.htm in P ...) NOT-FOR-US: Portal Search CVE-2007-0921 (Portal Search allows remote attackers to redirect a URL to an arbitrar ...) NOT-FOR-US: Portal Search CVE-2007-0920 (SQL injection vulnerability in philboard_forum.asp in Philboard 1.14 a ...) NOT-FOR-US: Philboard CVE-2007-0919 (Directory traversal vulnerability in Nickolas Grigoriadis Mini Web ser ...) NOT-FOR-US: MiniWebsvr CVE-2007-0918 (The ATOMIC.TCP signature engine in the Intrusion Prevention System (IP ...) NOT-FOR-US: Cisco CVE-2007-0917 (The Intrusion Prevention System (IPS) feature for Cisco IOS 12.4XE to ...) NOT-FOR-US: Cisco CVE-2007-0916 (Unspecified vulnerability in the Address and Routing Parameter Area (A ...) NOT-FOR-US: HP-UX CVE-2007-0915 (Distributed SLS daemon (SLSd) on HP-UX B.11.11 allows remote attackers ...) NOT-FOR-US: HP-UX CVE-2007-0914 (Race condition in the TCP subsystem for Solaris 10 allows remote attac ...) NOT-FOR-US: Sun Solaris CVE-2007-0913 (Unspecified vulnerability in Microsoft Powerpoint allows remote user-a ...) NOT-FOR-US: Microsoft CVE-2006-7024 (Multiple PHP remote file inclusion vulnerabilities in Harpia CMS 1.0.5 ...) NOT-FOR-US: Harpia CMS CVE-2006-7023 (Multiple cross-site scripting (XSS) vulnerabilities in fx-APP 0.0.8.1 ...) NOT-FOR-US: fx-APP CVE-2006-7022 (The Tools module in fx-APP 0.0.8.1 allows remote attackers to misrepre ...) NOT-FOR-US: fx-APP CVE-2006-7021 (PHP remote file inclusion vulnerability in manager/tools/link/dbinstal ...) NOT-FOR-US: Plume CMS CVE-2006-7020 (CRLF injection vulnerability in (1) include/inc_act/act_formmailer.php ...) NOT-FOR-US: phpwcms CVE-2006-7019 (phpwcms 1.2.5-DEV and earlier, and 1.1 before RC4, allows remote attac ...) NOT-FOR-US: phpwcms CVE-2006-7018 (phpwcms 1.2.5-DEV and earlier, and 1.1 before RC4, allows remote attac ...) NOT-FOR-US: phpwcms CVE-2006-7017 (Multiple PHP remote file inclusion vulnerabilities in Indexu 5.0.1 all ...) NOT-FOR-US: Indexu CVE-2006-7016 (phpjobboard allows remote attackers to bypass authentication and gain ...) NOT-FOR-US: Jobline CVE-2006-7015 NOT-FOR-US: Jobline CVE-2006-7014 (admin.php in BloggIT 1.01 and earlier does not properly establish a us ...) NOT-FOR-US: BloggIT CVE-2006-7013 NOT-FOR-US: Simple Machine Forum CVE-2006-7012 (scart.cgi in SCart 2.0 allows remote attackers to execute arbitrary co ...) NOT-FOR-US: SCart CVE-2006-7011 NOT-FOR-US: FlashChat CVE-2007-0912 (Cross-Site Request Forgery (CSRF) vulnerability in admin/admin.adm.php ...) NOT-FOR-US: JPortal CVE-2007-0911 (Off-by-one error in the str_ireplace function in PHP 5.2.1 might allow ...) - php5 5.2.2-1 (bug #410561; bug #410995; medium) [etch] - php5 (A regression only affecting 5.2.1) CVE-2007-0910 (Unspecified vulnerability in PHP before 5.2.1 allows attackers to "clo ...) {DSA-1264-1} - php5 5.2.0-9 (bug #410561; bug #410995; medium) [etch] - php5 5.2.0-8+etch1 - php4 6:4.4.4-9 [etch] - php4 6:4.4.4-8+etch1 CVE-2007-0909 (Multiple format string vulnerabilities in PHP before 5.2.1 might allow ...) {DSA-1264-1} - php5 5.2.0-9 (bug #410561; bug #410995; medium) [etch] - php5 5.2.0-8+etch1 - php4 6:4.4.4-9 [etch] - php4 6:4.4.4-8+etch1 CVE-2007-0908 (The WDDX deserializer in the wddx extension in PHP 5 before 5.2.1 and ...) {DSA-1264-1} - php5 5.2.0-9 [etch] - php5 5.2.0-8+etch1 - php4 6:4.4.4-9 NOTE: this extension is not enabled by default in the php packages CVE-2007-0907 (Buffer underflow in PHP before 5.2.1 allows attackers to cause a denia ...) {DSA-1264-1} - php5 5.2.0-9 (bug #410561; bug #410995; medium) [etch] - php5 5.2.0-8+etch1 CVE-2007-0906 (Multiple buffer overflows in PHP before 5.2.1 allow attackers to cause ...) {DSA-1264-1} NOTE: (4) is a non-issue, as we don't use the bundled sqlite - php5 5.2.0-9 (bug #410561; bug #410995; medium) - php4 6:4.4.4-9 [etch] - php4 6:4.4.4-8+etch1 [etch] - php5 5.2.0-8+etch1 CVE-2007-0905 (PHP before 5.2.1 allows attackers to bypass safe_mode and open_basedir ...) - php5 5.2.0-9 (bug #410561; bug #410995; unimportant) NOTE: we normally don't spend much time on safe_mode and open_basedir NOTE: issues, but the because the attack vectors are "unspecified", it NOTE: might be harder for us to try and sort out the fixes for this NOTE: from the session fixes in CVE-2007-0906 (see there for more info) CVE-2007-0904 (SQL injection vulnerability in projects.php in LightRO CMS 1.0 allows ...) NOT-FOR-US: LightRO CMS CVE-2007-0903 (Unspecified vulnerability in the mod_roster_odbc module in ejabberd be ...) - ejabberd 1.1.2-5 CVE-2007-0902 (Unspecified vulnerability in the "Show debugging information" feature ...) - moin (unimportant) NOTE: this is a version information disclosure. CVE-2007-0901 (Multiple cross-site scripting (XSS) vulnerabilities in Info pages in M ...) - moin 1.5 (bug #411084; medium) NOTE: Despite what the CVE says, this is not a problem in the 1.5.x code CVE-2007-0900 (Multiple PHP remote file inclusion vulnerabilities in TagIt! Tagboard ...) NOT-FOR-US: TagIt! Tagboard CVE-2007-0899 (There is a possible heap overflow in libclamav/fsg.c before 0.100.0. ...) {DSA-1263-1} - clamav 0.90-1 [etch] - clamav 0.88.7-2 CVE-2007-0898 (Directory traversal vulnerability in clamd in Clam AntiVirus ClamAV be ...) {DSA-1263-1} - clamav 0.90-1 (bug #411117) [etch] - clamav 0.88.7-2 CVE-2007-0897 (Clam AntiVirus ClamAV before 0.90 does not close open file descriptors ...) {DSA-1263-1} - clamav 0.90-1 (bug #411118) [etch] - clamav 0.88.7-2 CVE-2007-0896 (Cross-site scripting (XSS) vulnerability in the (1) Sage before 1.3.10 ...) - firefox-sage 1.3.10-1 [etch] - firefox-sage (HTML mode not enabled in Etch) NOTE: http://secunia.com/advisories/24086/ NOTE: might not affect Debian version because HTML mode is disabled. sf: pinged maintainer CVE-2007-0451 (Apache SpamAssassin before 3.1.8 allows remote attackers to cause a de ...) - spamassassin 3.1.7-2 (bug #410843) NOTE: http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5318 CVE-2007-0895 (Race condition in recursive directory deletion with the (1) -r or (2) ...) NOT-FOR-US: Sun Solaris CVE-2007-0894 (MediaWiki before 1.9.2 allows remote attackers to obtain sensitive inf ...) - mediawiki (unimportant) NOTE: Only path disclosure CVE-2007-0893 (Directory traversal vulnerability in phpMyVisites before 2.2 allows re ...) NOT-FOR-US: phpMyVisites CVE-2007-0892 (CRLF injection vulnerability in phpMyVisites before 2.2 allows remote ...) NOT-FOR-US: phpMyVisites CVE-2007-0891 (Cross-site scripting (XSS) vulnerability in the GetCurrentCompletePath ...) NOT-FOR-US: phpMyVisites CVE-2007-0890 (Cross-site scripting (XSS) vulnerability in scripts/passwdmysql in cPa ...) NOT-FOR-US: cPanel CVE-2007-0889 (Kiwi CatTools before 3.2.0 beta uses weak encryption ("reversible enco ...) NOT-FOR-US: Kiwi CatTools CVE-2007-0888 (Directory traversal vulnerability in the TFTP server in Kiwi CatTools ...) NOT-FOR-US: Kiwi CatTools CVE-2007-0887 (axigen 1.2.6 through 2.0.0b1 does not properly parse login credentials ...) NOT-FOR-US: Axigen CVE-2007-0886 (Heap-based buffer underflow in axigen 1.2.6 through 2.0.0b1 allows rem ...) NOT-FOR-US: Axigen CVE-2007-0885 (Cross-site scripting (XSS) vulnerability in jira/secure/BrowseProject. ...) NOT-FOR-US: Rainbow.Zen CVE-2007-0884 (Buffer overflow in Roaring Penguin MIMEDefang 2.59 and 2.60 allows rem ...) - mimedefang (Only versions 2.59 and 2.60 vulnerable) CVE-2007-0883 (Directory traversal vulnerability in portalgroups/portalgroups/getfile ...) NOT-FOR-US: IP3 NetAccess CVE-2007-0882 (Argument injection vulnerability in the telnet daemon (in.telnetd) in ...) NOT-FOR-US: Sun Solaris CVE-2007-0881 (PHP remote file inclusion vulnerability in the Seitenschutz plugin for ...) NOT-FOR-US: OPENi-CMS CVE-2007-0880 (Capital Request Forms stores sensitive information under the web root ...) NOT-FOR-US: Capital Request Forms CVE-2007-0879 (Buffer overflow in SmidgeonSoft PEBrowse Professional 8.2.1.0 allows u ...) NOT-FOR-US: PEBrowse CVE-2007-0878 (Unspecified vulnerability in Microsoft Internet Explorer on Windows Mo ...) NOT-FOR-US: Microsoft CVE-2007-0877 (Unspecified vulnerability in March Networks DVR 3000 and 4000 Digital ...) NOT-FOR-US: March Networks DVR CVE-2007-0876 (Cross-site scripting (XSS) vulnerability in Quick Digital Image Galler ...) NOT-FOR-US: Quick Digital Image Gallery CVE-2007-0875 NOT-FOR-US: mcRefer CVE-2007-0874 (Allons_voter 1.0 allows remote attackers to bypass authentication and ...) NOT-FOR-US: Allons_voter CVE-2007-0873 (nabopoll 1.1.2 allows remote attackers to bypass authentication and ac ...) NOT-FOR-US: nabopoll CVE-2007-0872 (Directory traversal vulnerability in the Plain Old Webserver (POW) add ...) NOT-FOR-US: Plain Old Webserver CVE-2007-0871 (Unrestricted file upload vulnerability in eXtremePow eXtreme File Host ...) NOT-FOR-US: eXtreme File Hosting CVE-2006-7010 (The mosgetparam implementation in Joomla! before 1.0.10, does not set ...) NOT-FOR-US: Joomla! CVE-2006-7009 (Joomla! before 1.0.10 allows remote attackers to spoof the frontend su ...) NOT-FOR-US: Joomla! CVE-2006-7008 (Unspecified vulnerability in Joomla! before 1.0.10 has unknown impact ...) NOT-FOR-US: Joomla! CVE-2006-7007 (Buffer overflow in Tiny FTPd 1.4 and earlier allows remote attackers t ...) NOT-FOR-US: Tiny FTPd CVE-2006-7006 NOT-FOR-US: Somery CVE-2006-7005 (SQL injection vulnerability in item.php in PSY Auction allows remote a ...) NOT-FOR-US: PSY Auction CVE-2006-7004 (Cross-site scripting (XSS) vulnerability in email_request.php in PSY A ...) NOT-FOR-US: PSY Auction CVE-2006-7003 (PHP remote file inclusion vulnerability in admin/index.php in Fusion P ...) NOT-FOR-US: Fusion Polls CVE-2006-7002 (Cross-site scripting (XSS) vulnerability in add_comment.php in Wheatbl ...) NOT-FOR-US: Wheatblog CVE-2006-7001 (Directory traversal vulnerability in avatar.php in PhpMyChat Plus 1.9 ...) NOT-FOR-US: PhpMyChat Plus CVE-2006-7000 (Headstart Solutions DeskPRO allows remote attackers to obtain the full ...) NOT-FOR-US: DeskPRO CVE-2006-6999 (attachment.php in Headstart Solutions DeskPRO allows remote attackers ...) NOT-FOR-US: DeskPRO CVE-2006-6998 (install/loader_help.php in Headstart Solutions DeskPRO allows remote a ...) NOT-FOR-US: DeskPRO CVE-2006-6997 (Unspecified vulnerability in a cryptographic feature in MailEnable Sta ...) NOT-FOR-US: MailEnable CVE-2006-6996 (Multiple cross-site scripting (XSS) vulnerabilities in warforge.NEWS 1 ...) NOT-FOR-US: warforge.NEWS CVE-2006-6995 (mycontacts.php in V3 Chat allows remote authenticated users to gain pr ...) NOT-FOR-US: V3 Chat CVE-2006-6994 (Unrestricted file upload vulnerability in add.asp in OzzyWork Gallery, ...) NOT-FOR-US: OzzyWork Gallery CVE-2006-6993 (Multiple SQL injection vulnerabilities in pages/addcomment2.php in Neu ...) NOT-FOR-US: Neuron Blog CVE-2005-4828 (Kolab Server 2.0.0 and 2.0.1 does not properly handle when a large ema ...) - kolabd (Only vulnerable in 2.0-2.1; not packaged Debian) CVE-2007-XXXX [dokuwiki conf directory accessible by web users] - dokuwiki 0.0.20061106-3 (bug #410557) CVE-2007-0870 (Unspecified vulnerability in Microsoft Word 2000 allows remote attacke ...) NOT-FOR-US: Microsoft CVE-2007-0869 (Cross-site scripting (XSS) vulnerability in the Attachment Manager (ad ...) NOT-FOR-US: vBulletin CVE-2007-0868 (Unspecified vulnerability in the Chat Room functionality in Yahoo! Mes ...) NOT-FOR-US: Yahoo! Messenger CVE-2007-0867 (PHP remote file inclusion vulnerability in classes/menu.php in Site-As ...) NOT-FOR-US: Site-Assistant CVE-2007-0866 (Unspecified vulnerability in HP OpenView Storage Data Protector on HP- ...) NOT-FOR-US: HP OpenView CVE-2007-0865 (SQL injection vulnerability in comments.php in LushiNews 1.01 and earl ...) NOT-FOR-US: LushiWarPlaner CVE-2007-0864 (SQL injection vulnerability in register.php in LushiWarPlaner 1.0 allo ...) NOT-FOR-US: LushiWarPlaner CVE-2007-0863 NOT-FOR-US: Trevorchan CVE-2007-0862 NOT-FOR-US: gnopaste CVE-2007-0861 NOT-FOR-US: phpCOIN CVE-2007-0860 NOT-FOR-US: local Calendar System CVE-2007-0859 (The Find feature in Palm OS Treo smart phones operates despite the sys ...) NOT-FOR-US: Palm OS Treo CVE-2006-6992 (Cross-domain vulnerability in GoSuRF Browser 2.62 allows remote attack ...) NOT-FOR-US: GoSuRF Browser CVE-2006-6991 (Cross-domain vulnerability in Fast Browser Pro 8.1 allows remote attac ...) NOT-FOR-US: Fast Browser Pro CVE-2006-6990 (Cross-domain vulnerability in Enigma Browser 3.8.8 allows remote attac ...) NOT-FOR-US: Enigma Browser CVE-2006-6989 (Cross-domain vulnerability in NetCaptor 4.5.7 Personal Edition allows ...) NOT-FOR-US: NetCaptor CVE-2006-6988 (Cross-domain vulnerability in Slim Browser 4.07 build 100 allows remot ...) NOT-FOR-US: Slim Browser CVE-2006-6987 (Cross-domain vulnerability in FineBrowser Freeware 3.2.2 allows remote ...) NOT-FOR-US: FineBrowser Freeware CVE-2006-6986 (Cross-domain vulnerability in PhaseOut 5.4.4 allows remote attackers t ...) NOT-FOR-US: PhaseOut CVE-2006-6985 (Cross-domain vulnerability in Maxthon 1.5.6 build 42 allows remote att ...) NOT-FOR-US: Maxthon CVE-2006-6984 (Cross-domain vulnerability in GreenBrowser 3.4.0622 allows remote atta ...) NOT-FOR-US: GreenBrowser CVE-2006-6983 (Cross-domain vulnerability in MYweb4net Browser 3.8.8.0 allows remote ...) NOT-FOR-US: MYweb4net Browser CVE-2007-XXXX [ikiwiki allows web user to edit images and other non-page format files in the wiki] - ikiwiki 1.42 (low) [etch] - ikiwiki 1.33.1 CVE-2007-0858 RESERVED CVE-2007-0857 (Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin before ...) - moin 1.5.3-1.2 (bug #410338; medium; bug #410552) CVE-2007-0856 (TmComm.sys 1.5.0.1052 in the Trend Micro Anti-Rootkit Common Module (R ...) NOT-FOR-US: Trend Micro Anti-Rootkit Common Module CVE-2007-0855 (Stack-based buffer overflow in RARLabs Unrar, as packaged in WinRAR an ...) - rar 1:3.7b1-1 (high; bug #410582) [sarge] - rar (Non-free) [etch] - rar (Non-free) - unrar-nonfree 1:3.7.3-1 (high; bug #410580) [sarge] - unrar-nonfree 1:3.5.2-0.2 [etch] - unrar-nonfree 1:3.5.4-1.1 NOTE: amavid-new automatically uses "rar -p-" or "unrar -p-", NOTE: which probably turns this into remote code execution NOTE: clamav can also call unrar -p-, but AFAICS not in default configuration NOTE: unrar-free and clamav (which embeds unrar-free code) not affected CVE-2007-0854 (Remote file inclusion vulnerability in scripts2/objcache in cPanel Web ...) NOT-FOR-US: cPanel WebHost Manager CVE-2007-0853 (SQL injection vulnerability in DevTrack 6.0.3 allows remote attackers ...) NOT-FOR-US: DevTrack CVE-2007-0852 (Cross-site scripting (XSS) vulnerability in DevTrack 6.x allows remote ...) NOT-FOR-US: DevTrack CVE-2007-0851 (Buffer overflow in the Trend Micro Scan Engine 8.000 and 8.300 before ...) NOT-FOR-US: Trend Micro Scan Engine CVE-2007-0850 (scripts/cronscript.php in SysCP 1.2.15 and earlier includes and execut ...) NOT-FOR-US: SysCP CVE-2007-0849 (scripts/cronscript.php in SysCP 1.2.15 and earlier does not properly q ...) NOT-FOR-US: SysCP CVE-2007-0848 (PHP remote file inclusion vulnerability in classes/class_mail.inc.php ...) NOT-FOR-US: Maian Recipe CVE-2007-0847 (SQL injection vulnerability in mod/PM/reply.php in Open Tibia Server C ...) NOT-FOR-US: Open Tibia Server CMS CVE-2007-0846 (Cross-site scripting (XSS) vulnerability in forum.php in Open Tibia Se ...) NOT-FOR-US: Open Tibia Server CMS CVE-2007-0845 (admin/index.php in Advanced Poll 2.0.0 through 2.0.5-dev allows remote ...) NOT-FOR-US: Advanced Poll CVE-2007-0843 (The ReadDirectoryChangesW API function on Microsoft Windows 2000, XP, ...) NOT-FOR-US: Microsoft Windows CVE-2007-0842 (The 64-bit versions of Microsoft Visual C++ 8.0 standard library (MSVC ...) NOT-FOR-US: Microsoft CVE-2007-0841 (Multiple unspecified vulnerabilities in vbDrupal before 4.7.6.0 have u ...) NOT-FOR-US: vbDrupal CVE-2007-0840 (Cross-site scripting (XSS) vulnerability in HLstats before 1.35 allows ...) NOT-FOR-US: HLstats CVE-2007-0839 (Multiple PHP remote file inclusion vulnerabilities in index/index_albu ...) NOT-FOR-US: WebMatic CVE-2007-0838 (FreeProxy before 3.92 Build 1626 allows malicious users to cause a den ...) NOT-FOR-US: FreeProxy CVE-2007-0837 (PHP remote file inclusion vulnerability in examples/inc/top.inc.php in ...) NOT-FOR-US: AgerMenu CVE-2007-0836 (admin.php in Coppermine Photo Gallery 1.4.10, and possibly earlier, al ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2007-0835 (admin.php in Coppermine Photo Gallery 1.4.10, and possibly earlier, al ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2007-0834 (Cross-site scripting (XSS) vulnerability in FlashChat 4.7.8 allows rem ...) NOT-FOR-US: FlashChat CVE-2007-0833 (VMware Workstation 5.5.3 34685, when the "Enable copy and paste to and ...) NOT-FOR-US: VMware CVE-2007-0832 (VMware Workstation 5.5.3 34685 does not immediately change the availab ...) NOT-FOR-US: VMware CVE-2007-0831 (** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in A ...) NOT-FOR-US: Atsphp CVE-2007-0830 NOT-FOR-US: vBulletin CVE-2007-0829 (avast! Server Edition before 4.7.726 does not demand a password in a c ...) NOT-FOR-US: avast! CVE-2007-0828 (PHP remote file inclusion vulnerability in affichearticles.php3 in MyS ...) NOT-FOR-US: MySQLNewsEngine CVE-2007-0827 (The Alibaba Alipay PTA Module ActiveX control (PTA.DLL) allows remote ...) NOT-FOR-US: Alibaba Alipay PTA Module ActiveX control CVE-2007-0826 (SQL injection vulnerability in forum.asp in Kisisel Site 2007 allows r ...) NOT-FOR-US: Kisisel Site CVE-2007-0825 (FlashFXP 3.4.0 build 1145 allows remote servers to cause a denial of s ...) NOT-FOR-US: FlashFXP CVE-2007-0824 (PHP remote file inclusion vulnerability in inhalt.php in LightRO CMS 1 ...) NOT-FOR-US: LightRO CMS CVE-2007-0823 (xterm on Slackware Linux 10.2 stores information that had been display ...) - xterm (Not a security problem) CVE-2007-0822 (umount, when running with the Linux 2.6.15 kernel on Slackware Linux 1 ...) - util-linux (Not a security problem) CVE-2007-0821 (Multiple directory traversal vulnerabilities in Cedric CLAIRE PortailP ...) NOT-FOR-US: PortailPhp CVE-2007-0820 (Multiple PHP remote file inclusion vulnerabilities in Cedric CLAIRE Po ...) NOT-FOR-US: PortailPhp CVE-2007-0819 (HP Network Node Manager (NNM) Remote Console 7.50, 7.51, and 7.53 assi ...) NOT-FOR-US: HP Network Node Manager CVE-2007-0818 REJECTED CVE-2007-0817 (Cross-site scripting (XSS) vulnerability in Adobe ColdFusion web serve ...) NOT-FOR-US: Adobe ColdFusion web server CVE-2007-0816 (The RPC Server service (catirpc.exe) in CA (formerly Computer Associat ...) NOT-FOR-US: (CA) BrightStor CVE-2007-0815 (Cross-site scripting (XSS) vulnerability in images_archive.asp in Uapp ...) NOT-FOR-US: Uphotogallery CVE-2007-0814 (Multiple cross-site scripting (XSS) vulnerabilities in Adrenalin's ASP ...) NOT-FOR-US: ASP Chat CVE-2007-0813 (Cross-site scripting (XSS) vulnerability in Home production MySearchEn ...) NOT-FOR-US: MySearchEngine CVE-2007-0812 (SQL injection vulnerability in pms.php in Woltlab Burning Board (wBB) ...) NOT-FOR-US: Woltlab Burning Board CVE-2007-0811 (Microsoft Internet Explorer 6.0 SP1 on Windows 2000, and 6.0 SP2 on Wi ...) NOT-FOR-US: Microsoft CVE-2007-0810 (PHP remote file inclusion vulnerability in MVCnPHP/BaseView.php in Gee ...) NOT-FOR-US: GeekLog CVE-2007-0809 (PHP remote file inclusion vulnerability in includes/class_template.php ...) NOT-FOR-US: Categories Hierarchy CVE-2007-0808 (PHP remote file inclusion vulnerability in Mina Ajans Script allows re ...) NOT-FOR-US: Mina Ajans Script CVE-2007-0807 (Cross-site scripting (XSS) vulnerability in info.php in flashChat 4.7. ...) NOT-FOR-US: flashChat CVE-2007-0806 (Les News 2.2 allows remote attackers to bypass authentication and gain ...) NOT-FOR-US: Les News CVE-2007-0805 (The ps (/usr/ucb/ps) command on HP Tru64 UNIX 5.1 1885 allows local us ...) NOT-FOR-US: HP Tru64 UNIX CVE-2007-0804 (Directory traversal vulnerability in admin/subpages.php in GGCMS 1.1.0 ...) NOT-FOR-US: GGCMS CVE-2007-0803 (Multiple buffer overflows in STLport before 5.0.3 allow remote attacke ...) - stlport5 5.0.3-1 (bug #410864; low) [etch] - stlport5 5.0.2-12 [sarge] - stlport5 (Vulnerable code not compiled in) CVE-2007-0802 (Mozilla Firefox 2.0.0.1 allows remote attackers to bypass the Phishing ...) - iceweasel 2.0.0.16-1 (low) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=367538 CVE-2007-0801 (The nsExternalAppHandler::SetUpTempFile function in Mozilla Firefox 1. ...) - iceweasel 2.0.0.2+dfsg-1 (low) - firefox 45.0-1 (low) - firefox-esr 45.0esr-1 (low) - iceape 1.0.8-1 (low) - xulrunner 1.8.0.10-1 (low) CVE-2007-0800 (Cross-zone vulnerability in Mozilla Firefox 1.5.0.9 considers blocked ...) NOTE: MFSA-2007-05 - iceweasel 2.0.0.2+dfsg-1 (medium) - iceape 1.0.8-1 (medium) - xulrunner 1.8.0.10-1 (medium) [sarge] - mozilla-firefox (Mozilla products from Sarge no longer supported) [sarge] - mozilla (Mozilla products from Sarge no longer supported) CVE-2007-0799 (SQL injection vulnerability in badword.asp in Ublog Reload 1.0.5 allow ...) NOT-FOR-US: Ublog Reload CVE-2007-0798 (Multiple cross-site scripting (XSS) vulnerabilities in Ublog Reload 1. ...) NOT-FOR-US: Ublog Reload CVE-2007-0797 (PHP remote file inclusion vulnerability in theme/settings.php in bluev ...) NOT-FOR-US: SMA-DB CVE-2007-0796 (Blue Coat Systems WinProxy 6.1a and 6.0 r1c, and possibly earlier, all ...) NOT-FOR-US: WinProxy CVE-2007-0795 (Multiple PHP remote file inclusion vulnerabilities in Wap Portal Serve ...) NOT-FOR-US: Wap Portal Server CVE-2007-0794 NOT-FOR-US: GlobalMegaCorp dvddb CVE-2007-0793 (PHP remote file inclusion vulnerability in inc/common.php in GlobalMeg ...) NOT-FOR-US: GlobalMegaCorp dvddb CVE-2007-0792 (The mod_perl initialization script in Bugzilla 2.23.3 does not set the ...) - bugzilla (Only development version 2.23.3 is affected) CVE-2007-0791 (Cross-site scripting (XSS) vulnerability in Atom feeds in Bugzilla 2.2 ...) - bugzilla 2.22.1-2.1 (bug #409824; low) [etch] - bugzilla (Minor issue, far-fetched attack, minor impact) [sarge] - bugzilla (Vulnerable code not present) CVE-2007-0790 (Heap-based buffer overflow in SmartFTP 2.0.1002 allows remote FTP serv ...) NOT-FOR-US: SmartFTP CVE-2007-0789 (SQL injection vulnerability in Mambo before 4.5.5 allows remote attack ...) - mambo 4.6.1-1 (medium) NOTE: only the 4.5.x tree was vulnerable CVE-2007-0788 (Cross-site scripting (XSS) vulnerability in MediaWiki 1.9.x before 1.9 ...) - mediawiki (Only in 1.9 branch, fixed in 1.9.2) CVE-2007-0787 (PHP remote file inclusion vulnerability in controller.php in Simple In ...) NOT-FOR-US: Simple Invoices CVE-2007-0786 (SQL injection vulnerability in view.php in Noname Media Photo Galerie ...) NOT-FOR-US: Noname Media Photo Galerie Standard CVE-2007-0785 (PHP remote file inclusion vulnerability in previewtheme.php in Flipsou ...) NOT-FOR-US: Flipsource Flip CVE-2007-0784 (SQL injection vulnerability in login.asp for tPassword in the Raymond ...) NOT-FOR-US: RBL ASP tPassword CVE-2007-0783 RESERVED CVE-2007-0782 RESERVED CVE-2007-0781 RESERVED CVE-2007-0780 (browser.js in Mozilla Firefox 1.5.x before 1.5.0.10 and 2.x before 2.0 ...) NOTE: MFSA-2007-05 - iceweasel 2.0.0.2+dfsg-1 (medium) - iceape 1.0.8-1 (medium) - xulrunner 1.8.0.10-1 (medium) [sarge] - mozilla-firefox (Vulnerable code not present) [sarge] - mozilla (Vulnerable code not present) CVE-2007-0779 (GUI overlay vulnerability in Mozilla Firefox 1.5.x before 1.5.0.10 and ...) NOTE: MFSA-2007-04 - iceweasel 2.0.0.2+dfsg-1 (low) - iceape 1.0.8-1 (low) - xulrunner 1.8.0.10-1 (low) [sarge] - mozilla-firefox (Mozilla products from Sarge no longer supported) [sarge] - mozilla (introduced in firefox 1.5) CVE-2007-0778 (The page cache feature in Mozilla Firefox before 1.5.0.10 and 2.x befo ...) {DSA-1336-1} NOTE: MFSA-2007-03 - iceweasel 2.0.0.2+dfsg-1 (low) - iceape 1.0.8-1 (low) - xulrunner 1.8.0.10-1 (low) [sarge] - mozilla-firefox (Mozilla products from Sarge no longer supported) [sarge] - mozilla (Mozilla products from Sarge no longer supported) CVE-2007-0777 (The JavaScript engine in Mozilla Firefox before 1.5.0.10 and 2.x befor ...) NOTE: MFSA-2007-01 - iceweasel 2.0.0.2+dfsg-1 (high) - iceape 1.0.8-1 (high) - icedove 1.5.0.10.dfsg1-1 (low) - xulrunner 1.8.0.10-1 (high) [sarge] - mozilla-firefox (Mozilla products from Sarge no longer supported) [sarge] - mozilla-thunderbird (Mozilla products from Sarge no longer supported) [sarge] - mozilla (Mozilla products from Sarge no longer supported) CVE-2007-0776 (Heap-based buffer overflow in the _cairo_pen_init function in Mozilla ...) NOTE: MFSA-2007-01 - iceweasel 2.0.0.2+dfsg-1 (high) - iceape 1.0.8-1 (high) - icedove 1.5.0.10.dfsg1-1 (low) - xulrunner 1.8.0.10-1 (high) [sarge] - mozilla-firefox (Only affected Firefox 2.0 et al) [sarge] - mozilla-thunderbird (Only affected Firefox 2.0 et al) [sarge] - mozilla (Only affected Firefox 2.0 et al) CVE-2007-0775 (Multiple unspecified vulnerabilities in the layout engine in Mozilla F ...) {DSA-1336-1} NOTE: MFSA-2007-01 - iceweasel 2.0.0.2+dfsg-1 (high) - iceape 1.0.8-1 (high) - icedove 1.5.0.10.dfsg1-1 (low) - xulrunner 1.8.0.10-1 (high) [sarge] - mozilla-firefox (Mozilla products from Sarge no longer supported) [sarge] - mozilla-thunderbird (Mozilla products from Sarge no longer supported) [sarge] - mozilla (Mozilla products from Sarge no longer supported) NOTE: Only one of the crashes can be triggered in Sarge, 326864 CVE-2007-0774 (Stack-based buffer overflow in the map_uri_to_worker function (native/ ...) - libapache-mod-jk 1:1.2.21-1 (medium) [sarge] - libapache-mod-jk [etch] - libapache-mod-jk NOTE: affects only 1.2.19 and 1.2.20 CVE-2007-0773 (The Linux kernel before 2.6.9-42.0.8 in Red Hat 4.4 allows local users ...) - linux-2.6 2.6.12-1 CVE-2007-0772 (The Linux kernel 2.6.13 and other versions before 2.6.20.1 allows remo ...) - linux-2.6 2.6.18.dfsg.1-11 CVE-2007-0771 (The utrace support in Linux kernel 2.6.18, and other versions, allows ...) - linux-2.6 (RHEL-specific backport, only present in -mm tree) CVE-2007-0770 (Buffer overflow in GraphicsMagick and ImageMagick allows user-assisted ...) {DSA-1260} - graphicsmagick 1.1.7-12 - imagemagick 7:6.2.4.5.dfsg1-0.14 (bug #410435) CVE-2007-1667 (Multiple integer overflows in (1) the XGetPixel function in ImUtil.c i ...) {DSA-1903-1 DSA-1858-1 DSA-1294-1} - xfree86 (bug #414046; medium) - libx11 2:1.0.3-7 (bug #414045; medium) - graphicsmagick 1.1.7-14 (bug #417862; medium) - imagemagick 7:6.2.4.5.dfsg1-1 (medium) NOTE: Discovered through CVE-2007-0770. NOTE: With certain mail user agents, this issue is likely exploitable NOTE: without much user interaction. CVE-2006-6982 (3proxy 0.5 to 0.5.2 does not offer NTLM authentication before basic au ...) - 3proxy (bug #718219) CVE-2006-6981 (3proxy 0.5 to 0.5.2, when NT-encoded passwords are being used, allows ...) - 3proxy (bug #718219) CVE-2006-6980 (The magnatune.com album browser in Amarok allows attackers to cause a ...) - amarok 1.4.4-4 (bug #410850; unimportant) NOTE: This could only be exploited through the Magnatune shop CVE-2006-6979 (The ruby handlers in the Magnatune component in Amarok do not properly ...) - amarok 1.4.4-1 (bug #410850; low) [sarge] - amarok (Vulnerable code not present) CVE-2006-6978 (Cross-site scripting (XSS) vulnerability in the "Basic Toolbar Selecti ...) NOT-FOR-US: FCKEditor CVE-2006-6977 (Cross-site scripting (XSS) vulnerability in the "Basic Toolbar Selecti ...) NOT-FOR-US: FreeTextBox CVE-2006-6976 (PHP remote file inclusion vulnerability in centipaid_class.php in Cent ...) NOT-FOR-US: CentiPaid CVE-2006-6975 NOT-FOR-US: CentiPaid CVE-2006-6974 (Headstart Solutions DeskPRO stores sensitive information under the web ...) NOT-FOR-US: DeskPRO CVE-2006-6973 (Headstart Solutions DeskPRO does not require authentication for certai ...) NOT-FOR-US: DeskPRO CVE-2006-6972 (SQL injection in torrents.php in BtitTracker 1.3.2 and earlier allows ...) NOT-FOR-US: BtitTracker CVE-2006-6971 (Mozilla Firefox 2.0, possibly only when running on Windows, allows rem ...) - iceweasel (Windows only) CVE-2006-6970 (Opera 9.10 Final allows remote attackers to bypass the Fraud Protectio ...) NOT-FOR-US: Opera CVE-2006-6969 (Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 befo ...) - jetty 5.1.10-4 (medium; bug #445283) NOTE: http://jetty.cvs.sourceforge.net/jetty/Jetty/src/org/mortbay/jetty/servlet/AbstractSessionManager.java?r1=1.52&r2=1.53&view=patch CVE-2005-4827 (Internet Explorer 6.0, and possibly other versions, allows remote atta ...) NOT-FOR-US: Microsoft CVE-2003-1319 (Multiple buffer overflows in SmartFTP 1.0.973, and other versions befo ...) NOT-FOR-US: SmartFTP CVE-2007-0844 (The auth_via_key function in pam_ssh.c in pam_ssh before 1.92, when th ...) - libpam-ssh 1.91.0-9.2 (bug #410236; low) [etch] - libpam-ssh (Minor issue) [sarge] - libpam-ssh (Minor issue) CVE-2007-0769 NOT-FOR-US: Phorum CVE-2007-0768 (Multiple cross-site scripting (XSS) vulnerabilities in the Contact Det ...) NOT-FOR-US: Yahoo! Messenger CVE-2007-0767 (Cross-site scripting (XSS) vulnerability in the core in Phorum before ...) NOT-FOR-US: Phorum CVE-2007-0766 (Stack-based buffer overflow in Remotesoft .NET Explorer 2.0.1 allows u ...) NOT-FOR-US: .NET Explorer CVE-2007-0765 (SQL injection vulnerability in news.php in dB Masters Curium CMS 1.03 ...) NOT-FOR-US: Curium CMS CVE-2007-0764 (Unrestricted file upload vulnerability in F3Site 2.1 and earlier allow ...) NOT-FOR-US: F3Site CVE-2007-0763 (Cross-site scripting (XSS) vulnerability in the news comment functiona ...) NOT-FOR-US: F3Site CVE-2007-0762 (PHP remote file inclusion vulnerability in includes/functions.php in p ...) NOT-FOR-US: phpBB++ CVE-2007-0761 (PHP remote file inclusion vulnerability in config.php in phpBB ezBoard ...) NOT-FOR-US: phpBB ezBoard converter CVE-2007-0760 (EQdkp 1.3.1 and earlier authenticates administrative requests by verif ...) NOT-FOR-US: EQdkp CVE-2007-0759 (Multiple SQL injection vulnerabilities in EasyMoblog 0.5.1 allow remot ...) NOT-FOR-US: EasyMoblog CVE-2007-0758 (PHP remote file inclusion vulnerability in lang.php in PHPProbid 5.24 ...) NOT-FOR-US: PHPProbid CVE-2007-0757 (PHP remote file inclusion vulnerability in index.php in Miguel Nunes C ...) NOT-FOR-US: CoD2 DreamStats CVE-2007-0756 (Chicken of the VNC (cotv) 2.0 allows remote attackers to cause a denia ...) NOT-FOR-US: Chicken of the VNC CVE-2007-0755 RESERVED CVE-2007-0754 (Heap-based buffer overflow in Apple QuickTime before 7.1.3 allows user ...) NOT-FOR-US: Apple QuickTime CVE-2007-0753 (Format string vulnerability in the VPN daemon (vpnd) in Apple Mac OS X ...) NOT-FOR-US: Apple CVE-2007-0752 (The PPP daemon (pppd) in Apple Mac OS X 10.4.8 checks ownership of the ...) NOT-FOR-US: Apple CVE-2007-0751 (A cleanup script in crontabs in Apple Mac OS X 10.3.9 and 10.4.9 might ...) NOT-FOR-US: Apple CVE-2007-0750 (Integer overflow in CoreGraphics in Apple Mac OS X 10.4 up to 10.4.9 a ...) NOT-FOR-US: Apple CVE-2007-0749 (Multiple stack-based buffer overflows in the is_command function in pr ...) NOT-FOR-US: Apple Darwin Streaming Server CVE-2007-0748 (Heap-based buffer overflow in Apple Darwin Streaming Proxy, when using ...) NOT-FOR-US: Apple Darwin Streaming Server CVE-2007-0747 (load_webdav in Apple Mac OS X 10.3.9 through 10.4.9 does not properly ...) NOT-FOR-US: Apple Mac OS X CVE-2007-0746 (Heap-based buffer overflow in the VideoConference framework in Apple M ...) NOT-FOR-US: Apple Mac OS X CVE-2007-0745 (The Apple Security Update 2007-004 uses an incorrect configuration fil ...) NOT-FOR-US: Apple Mac OS X CVE-2007-0744 (SMB in Apple Mac OS X 10.3.9 through 10.4.9 does not properly clean th ...) NOT-FOR-US: Apple Mac OS X CVE-2007-0743 (URLMount in Apple Mac OS X 10.3.9 through 10.4.9 passes the username a ...) NOT-FOR-US: Apple Mac OS X CVE-2007-0742 (The WebFoundation framework in Apple Mac OS X 10.3.9 and earlier allow ...) NOT-FOR-US: Apple Mac OS X CVE-2007-0741 (Buffer overflow in natd in network_cmds in Apple Mac OS X 10.3.9 throu ...) NOT-FOR-US: Apple Mac OS X CVE-2007-0740 (Alias Manager in Apple Mac OS X 10.3.9 and 10.4.9 does not display fil ...) NOT-FOR-US: Apple CVE-2007-0739 (The Login Window in Apple Mac OS X 10.4 through 10.4.9 displays the so ...) NOT-FOR-US: Apple Mac OS X CVE-2007-0738 (The Login Window in Apple Mac OS X 10.4 through 10.4.9 does not displa ...) NOT-FOR-US: Apple Mac OS X CVE-2007-0737 (The Login Window in Apple Mac OS X 10.3.9 through 10.4.9 does not prop ...) NOT-FOR-US: Apple Mac OS X CVE-2007-0736 (Integer overflow in the RPC library in Libinfo in Apple Mac OS X 10.3. ...) NOT-FOR-US: Apple Mac OS X CVE-2007-0735 (Use-after-free vulnerability in Libinfo in Apple Mac OS X 10.3.9 throu ...) NOT-FOR-US: Apple Mac OS X CVE-2007-0734 (fsck, as used by the AirPort Disk feature of the AirPort Extreme Base ...) NOT-FOR-US: AirPort Extreme Base Station CVE-2007-0733 (Unspecified vulnerability in ImageIO in Apple Mac OS X 10.3.9 and 10.4 ...) NOT-FOR-US: Apple Mac ImageIO CVE-2007-0732 (Unspecified vulnerability in the CoreServices daemon in CarbonCore in ...) NOT-FOR-US: Apple Mac OS X CVE-2007-0731 (Stack-based buffer overflow in the Apple-specific Samba module (SMB Fi ...) NOT-FOR-US: Apple Mac CVE-2007-0730 (Server Manager (servermgrd) in Apple Mac OS X 10.3.9 and 10.4 through ...) NOT-FOR-US: Apple Mac Server Manager CVE-2007-0729 (Apple File Protocol (AFP) Client in Apple Mac OS X 10.3.9 through 10.4 ...) NOT-FOR-US: Apple Mac OS X CVE-2007-0728 (Unspecified vulnerability in Apple Mac OS X 10.3.9 and 10.4 through 10 ...) NOT-FOR-US: Apple Mac CVE-2007-0727 REJECTED CVE-2007-0726 (The SSH key generation process in OpenSSH in Apple Mac OS X 10.3.9 and ...) NOT-FOR-US: Apple OpenSSH CVE-2007-0725 (Buffer overflow in the AirPortDriver module for AirPort in Apple Mac O ...) NOT-FOR-US: Apple Mac OS X CVE-2007-0724 (The IOKit HID interface in Apple Mac OS X 10.3.9 and 10.4 through 10.4 ...) NOT-FOR-US: Apple Mac CVE-2007-0723 (Unspecified vulnerability in the authentication feature for DirectoryS ...) NOT-FOR-US: Mac OS X CVE-2007-0722 (Integer overflow in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 allo ...) NOT-FOR-US: Apple Mac CVE-2007-0721 (Unspecified vulnerability in diskimages-helper in Apple Mac OS X 10.3. ...) NOT-FOR-US: Apple Mac CVE-2007-0720 (The CUPS service on multiple platforms allows remote attackers to caus ...) - cups 1.2.7-1 (bug #434734; low) - cupsys 1.2.7-1 (bug #434734; low) [sarge] - cupsys (Minor, conceptual design problem) [etch] - cupsys (Minor, conceptual design problem) CVE-2007-0719 (Stack-based buffer overflow in Apple Mac OS X 10.3.9 and 10.4 through ...) NOT-FOR-US: Apple Mac CVE-2007-0718 (Heap-based buffer overflow in Apple QuickTime before 7.1.5 allows remo ...) NOT-FOR-US: Apple QuickTime CVE-2007-0717 (Integer overflow in Apple QuickTime before 7.1.5 allows remote user-as ...) NOT-FOR-US: Apple QuickTime CVE-2007-0716 (Stack-based buffer overflow in Apple QuickTime before 7.1.5 allows rem ...) NOT-FOR-US: Apple QuickTime CVE-2007-0715 (Heap-based buffer overflow in Apple QuickTime before 7.1.5 allows remo ...) NOT-FOR-US: Apple QuickTime CVE-2007-0714 (Integer overflow in Apple QuickTime before 7.1.5 allows remote user-as ...) NOT-FOR-US: Apple QuickTime CVE-2007-0713 (Heap-based buffer overflow in Apple QuickTime before 7.1.5 allows remo ...) NOT-FOR-US: Apple QuickTime CVE-2007-0712 (Heap-based buffer overflow in Apple QuickTime before 7.1.5 allows remo ...) NOT-FOR-US: Apple QuickTime CVE-2007-0711 (Integer overflow in Apple QuickTime before 7.1.5, when installed on Wi ...) NOT-FOR-US: Apple QuickTime CVE-2007-0710 (The Bonjour functionality in iChat in Apple Mac OS X 10.3.9 allows rem ...) NOT-FOR-US: Apple iChat CVE-2007-0709 (cmdmon.sys in Comodo Firewall Pro (formerly Comodo Personal Firewall) ...) NOT-FOR-US: Comodo Firewall Pro CVE-2007-0708 (cmdmon.sys in Comodo Firewall Pro (formerly Comodo Personal Firewall) ...) NOT-FOR-US: Comodo Firewall Pro CVE-2007-0707 (Stack-based buffer overflow in GOM Player 2.0.12.3375 allows user-assi ...) NOT-FOR-US: GOM Player CVE-2007-0706 (Cross-zone scripting vulnerability in Darksky RSS bar for Internet Exp ...) NOT-FOR-US: Darksky RSS CVE-2007-0705 (Cross-zone scripting vulnerability in Sleipnir 2.49 and earlier, and P ...) NOT-FOR-US: Sleipnir CVE-2007-0704 (PHP remote file inclusion vulnerability in install.php in Somery 0.4.6 ...) NOT-FOR-US: Somery CVE-2007-0703 (PHP remote file inclusion vulnerability in library/StageLoader.php in ...) NOT-FOR-US: WebBuilder CVE-2007-0702 (Multiple PHP remote file inclusion vulnerabilities in phpEventMan 1.0. ...) NOT-FOR-US: phpEventMan CVE-2007-0701 (PHP remote file inclusion vulnerability in inc/common.inc.php in Epist ...) NOT-FOR-US: Epistemon CVE-2007-0700 (Directory traversal vulnerability in index.php in Guernion Sylvain Por ...) NOT-FOR-US: Portail Web CVE-2007-0699 (PHP remote file inclusion vulnerability in includes/includes.php in Gu ...) NOT-FOR-US: Portail Web CVE-2007-0698 (Multiple SQL injection vulnerabilities in ACGVannu 1.3 and earlier all ...) NOT-FOR-US: ACGVannu CVE-2007-0697 (index2.php in ACGVannu 1.3 and earlier allows remote attackers to chan ...) NOT-FOR-US: ACGVannu CVE-2007-0696 (Cross-site scripting (XSS) vulnerability in error messages in Free LAN ...) NOT-FOR-US: Free LAN Intranet Portal CVE-2007-0695 (Multiple SQL injection vulnerabilities in Free LAN In(tra|ter)net Port ...) NOT-FOR-US: Free LAN Intranet Portal CVE-2007-0694 (Cross-site scripting (XSS) vulnerability in footer.php in DGNews 2.1 a ...) NOT-FOR-US: DGNews CVE-2007-0693 (SQL injection vulnerability in news.php in DGNews 2.1 allows remote at ...) NOT-FOR-US: DGNews CVE-2007-0692 (DGNews 2.1 allows remote attackers to obtain sensitive information via ...) NOT-FOR-US: DGNews CVE-2007-0691 REJECTED CVE-2007-0690 (myEvent 1.6 allows remote attackers to obtain sensitive information vi ...) NOT-FOR-US: myEvent CVE-2007-0689 (MyBB 1.2.4 allows remote attackers to obtain sensitive information via ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-6968 (Cross-site scripting (XSS) vulnerability in the group moderation contr ...) NOT-FOR-US: Phorum CVE-2006-6967 REJECTED CVE-2006-6966 (phpGraphy before 0.9.13a does not properly unset variables when the in ...) NOT-FOR-US: phpGraphy CVE-2007-XXXX [remctl ACL bypass vulnerability] - remctl 2.2-2 [sarge] - remctl (Vulnerable code not present) CVE-2007-0688 (SQL injection vulnerability in oku.asp in Hunkaray Duyuru Scripti allo ...) NOT-FOR-US: Hunkaray Duyuru Scripti CVE-2007-0687 (SQL injection vulnerability in i-search.php in Michelle's L2J Dropcalc ...) NOT-FOR-US: L2J Dropcalc CVE-2007-0686 (The Intel 2200BG 802.11 Wireless Mini-PCI driver 9.0.3.9 (w29n51.sys) ...) NOT-FOR-US: Intel 2200BG Cards drive. CVE-2007-0685 (Internet Explorer on Windows Mobile 5.0 and Windows Mobile 2003 and 20 ...) NOT-FOR-US: Internet Explorer CVE-2007-0684 (PHP remote file inclusion vulnerability in portal.php in Cerulean Port ...) NOT-FOR-US: Cerulean Portal System CVE-2007-0683 (PHP remote file inclusion vulnerability in includes/functions.php in O ...) NOT-FOR-US: Omegaboard CVE-2007-0682 (PHP remote file inclusion vulnerability in theme/include_mode/template ...) NOT-FOR-US: JV2 Folder Gallery CVE-2007-0681 (profile.php in ExtCalendar 2 and earlier allows remote attackers to ch ...) NOT-FOR-US: ExtCalendar CVE-2007-0680 (PHP remote file inclusion vulnerability in includes/functions.php in P ...) NOT-FOR-US: Phpbb Tweaked it is a module to phpbb CVE-2007-0679 (PHP remote file inclusion vulnerability in lang/leslangues.php in Nico ...) NOT-FOR-US: PHPMyRing CVE-2007-0678 (SQL injection vulnerability in windows.asp in Fullaspsite Asp Hosting ...) NOT-FOR-US: Fullaspsite Asp Hosting Sites CVE-2007-0677 (PHP remote file inclusion vulnerability in fw/class.Quick_Config_Brows ...) NOT-FOR-US: Cadre PHP Framework CVE-2007-0676 (SQL injection vulnerability in faq.php in ExoPHPDesk 1.2.1 and earlier ...) NOT-FOR-US: ExoPHPDesk CVE-2007-0675 (A certain ActiveX control in sapi.dll (aka the Speech API) in Speech C ...) NOT-FOR-US: Windows Vista CVE-2007-0674 (Pictures and Videos on Windows Mobile 5.0 and Windows Mobile 2003 and ...) NOT-FOR-US: Windows Mobile CVE-2007-0673 (LGSERVER.EXE in BrightStor ARCserve Backup for Laptops & Desktops ...) NOT-FOR-US: (CA) BrightStor CVE-2007-0672 (LGSERVER.EXE in BrightStor Mobile Backup 4.0 allows remote attackers t ...) NOT-FOR-US: (CA) BrightStor CVE-2007-0671 (Unspecified vulnerability in Microsoft Excel 2000, XP, 2003, and 2004 ...) NOT-FOR-US: Microsoft Excel CVE-2007-0670 (Buffer overflow in bos.rte.libc in IBM AIX 5.2 and 5.3 allows local us ...) NOT-FOR-US: IBM AIX CVE-2007-0669 (Unspecified vulnerability in Twiki 4.0.0 through 4.1.0 allows local us ...) - twiki 1:4.0.5-9 (bug #410256) CVE-2007-0668 (The Loopback Filesystem (LOFS) in Sun Solaris 10 allows local users in ...) NOT-FOR-US: Sun Solaris. CVE-2007-0667 (The redirect function in Form.pm for (1) LedgerSMB before 1.1.5 and (2 ...) - sql-ledger (bug #409703; unimportant) NOTE: It's documented behaviour that SQL-Ledger should only be run in an NOTE: authenticated HTTP zone and without untrusted users [etch] - sql-ledger (Should only be used with trusted users) NOTE: sql-ledger 2.6.22-2 adds a note to README.Debian that sql-ledger NOTE: is not secure with untrusted users. CVE-2007-0666 (Ipswitch WS_FTP Server 5.04 allows FTP site administrators to execute ...) NOT-FOR-US: WS_FTP Server CVE-2007-0665 (Format string vulnerability in the SCP module in Ipswitch WS_FTP 2007 ...) NOT-FOR-US: WS_FTP Server CVE-2007-0664 (thttpd before 2.25b-r6 in Gentoo Linux is started from the system root ...) - thttpd (Gentoo-specific packaging flaw) NOTE: In accordance with Debian Policy is not possible start Webserver NOTE: in root directory (/). CVE-2007-0663 (SQL injection vulnerability in index.php in Eclectic Designs Cascadian ...) NOT-FOR-US: Eclectic Designs CascadianFAQ CVE-2007-0662 (PHP remote file inclusion vulnerability in includes/usercp_viewprofile ...) NOT-FOR-US: Hailboards CVE-2007-0661 (Intel Enterprise Southbridge 2 Baseboard Management Controller (BMC), ...) NOT-FOR-US: Intel BMC CVE-2007-0660 (Cross-site scripting (XSS) vulnerability in the IFrame module before 0 ...) NOT-FOR-US: DotNetNuke CVE-2007-0659 (download.php in the MuddyDogPaws FileDownload snippet before 2.5 for M ...) NOT-FOR-US: MODx MuddyDogPaws FileDownload CVE-2007-0658 (The (1) Textimage 4.7.x before 4.7-1.2 and 5.x before 5.x-1.1 module f ...) NOT-FOR-US: Drupal addon module "Textimage" CVE-2007-0657 (Unspecified vulnerability in Nexuiz 2.2.2 allows remote attackers to r ...) - nexuiz 2.2.3-1 (medium) [etch] - nexuiz (Vulnerable code not present, was introduced in 2.2.2) CVE-2007-0656 (PHP remote file inclusion vulnerability in includes/functions.php in p ...) NOT-FOR-US: phpBB2-MODificat it is a module to phpbb2 CVE-2007-0655 (The MicroWorld Agent service (MWAGENT.EXE) in MicroWorld Technologies ...) NOT-FOR-US: MicroWorld CVE-2007-0654 (Integer underflow in X MultiMedia System (xmms) 1.2.10 allows user-ass ...) {DSA-1277-1} - xmms 1:1.2.10+20070301-2 (bug #416423; low) CVE-2007-0653 (Integer overflow in X MultiMedia System (xmms) 1.2.10, and possibly ot ...) {DSA-1277-1} - xmms 1:1.2.10+20070301-2 (bug #416423; low) CVE-2007-0652 (Cross-site request forgery (CSRF) vulnerability in MailEnable Professi ...) NOT-FOR-US: MailEnable Professional CVE-2007-0651 (Multiple cross-site scripting (XSS) vulnerabilities in MailEnable Prof ...) NOT-FOR-US: MailEnable Professional CVE-2007-0650 (Buffer overflow in the open_sty function in mkind.c for makeindex 2.14 ...) - tetex-bin (Only vulnerable if compiled w/o kpathsea support, Debian does) CVE-2007-0649 (Variable overwrite vulnerability in interface/globals.php in OpenEMR 2 ...) NOT-FOR-US: OpenEMR CVE-2007-0648 (Cisco IOS after 12.3(14)T, 12.3(8)YC1, 12.3(8)YG, and 12.4, with voice ...) NOT-FOR-US: Cisco CVE-2007-0647 (Format string vulnerability in Help Viewer 3.0.0 allows remote user-as ...) NOT-FOR-US: AppleKit CVE-2007-0646 (Format string vulnerability in iMovie HD 6.0.3, and Safari in Apple Ma ...) NOT-FOR-US: iMovie CVE-2007-0645 (Format string vulnerability in iPhoto 6.0.5 allows remote user-assiste ...) NOT-FOR-US: iPhoto CVE-2007-0644 (Format string vulnerability in Apple Safari 2.0.4 (419.3) allows remot ...) NOT-FOR-US: Apple Safari CVE-2007-0643 (Stack-based buffer overflow in Bloodshed Dev-C++ 4.9.9.2 allows user-a ...) NOT-FOR-US: Bloodshed Dev-C++ CVE-2007-0642 (SQL injection vulnerability in tForum 2.00 in the Raymond BERTHOU scri ...) NOT-FOR-US: Raymond BERTHOU script collection CVE-2007-0641 (Buffer overflow in the EnumPrintersA function in dapcnfsd.dll 0.6.4.0 ...) NOT-FOR-US: Shaffer Solutions (SSC) CVE-2007-0640 (Buffer overflow in ZABBIX before 1.1.5 has unknown impact and attack v ...) - zabbix 1:1.1.4-8 (bug #409257) CVE-2007-0639 (Multiple static code injection vulnerabilities in error.php in GuppY 4 ...) NOT-FOR-US: GuppY CVE-2007-0638 (show.php in Vlad Alexa Mancini PHPFootball 1.6 allows remote attackers ...) NOT-FOR-US: PHPFootball CVE-2007-0637 (Directory traversal vulnerability in zd_numer.php in Galeria Zdjec 3.0 ...) NOT-FOR-US: Galeria Zdjec CVE-2007-0636 (Unspecified vulnerability in inotify before 0.3.5 has unknown impact a ...) NOT-FOR-US: incron CVE-2007-0635 (Multiple PHP remote file inclusion vulnerabilities in EncapsCMS 0.3.6 ...) NOT-FOR-US: EncapsCMS CVE-2007-0634 (Unspecified vulnerability in Sun Solaris 10 before 20070130 allows rem ...) NOT-FOR-US: Sun Solaris CVE-2007-XXXX [kaya buffer overflow, cross-site scripting and data leak] - kaya 0.2.0-6 (bug #409062) CVE-2007-XXXX [file descriptor leak when a Compose file uses the "include" directive] - libx11 2:1.0.3-5 (low) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=9279 CVE-2007-0633 (PHP remote file inclusion vulnerability in include/themes/themefunc.ph ...) NOT-FOR-US: MyNews CVE-2007-0632 (SQL injection vulnerability in artreplydelete.asp in ASP EDGE 1.3a and ...) NOT-FOR-US: ASP EDGE CVE-2007-0631 (SQL injection vulnerability in index.php in Eclectic Designs Cascadian ...) NOT-FOR-US: Eclectic Designs CascadianFAQ CVE-2007-0630 (Multiple SQL injection vulnerabilities in the generate_csv function in ...) NOT-FOR-US: xNews CVE-2007-0629 (The www_purgeList method in Plain Black WebGUI before 7.3.8 does not p ...) NOT-FOR-US: Plain Black WebGUI CVE-2007-0628 (Multiple cross-site scripting (XSS) vulnerabilities in Sun Java System ...) NOT-FOR-US: Sun Java System Access Manager CVE-2007-0627 (Michael Still gtalkbot before 1.2 places username and password argumen ...) NOT-FOR-US: gtalkbot CVE-2007-0626 (The comment_form_add_preview function in comment.module in Drupal befo ...) - drupal 4.7.6-1 CVE-2007-0625 (nxconfigure.sh in NoMachine NX Server before 2.1.0-18 does not validat ...) NOT-FOR-US: NoMachine NX Server CVE-2007-0624 (user.php in MAXdev MDPro 1.0.76 allows remote attackers to obtain the ...) NOT-FOR-US: MAXdev MDPro CVE-2007-0623 (SQL injection vulnerability in index.php in MAXdev MDPro 1.0.76 allows ...) NOT-FOR-US: MAXdev MDPro CVE-2007-0622 (Cross-site request forgery (CSRF) vulnerability in MyBB (aka MyBulleti ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2007-0621 REJECTED CVE-2007-0620 (download.php in FD Script 1.3.2 and earlier allows remote attackers to ...) NOT-FOR-US: FD Script CVE-2007-0619 (chmlib before 0.39 allows user-assisted remote attackers to execute ar ...) - chmlib 2:0.39-1 (bug #408603; medium) CVE-2007-0618 (Unspecified vulnerability in (1) pop3d, (2) pop3ds, (3) imapd, and (4) ...) NOT-FOR-US: IBM AIX CVE-2007-0617 (The SpamBlocker.dll ActiveX control in Earthlink TotalAccess is marked ...) NOT-FOR-US: Earthlink TotalAccess CVE-2007-0616 (Directory traversal vulnerability in zen/template-functions.php in zen ...) NOT-FOR-US: zenphoto CVE-2007-0615 (Unspecified vulnerability in Hitachi JP1/HIBUN Advanced Edition Manage ...) NOT-FOR-US: Hitachi CVE-2007-0614 (The Bonjour functionality in mDNSResponder, iChat 3.1.6, and InstantMe ...) NOT-FOR-US: Apple CVE-2007-0613 (The Bonjour functionality in mDNSResponder, iChat 3.1.6, and InstantMe ...) NOT-FOR-US: Apple CVE-2007-0612 (Multiple ActiveX controls in Microsoft Windows 2000, XP, 2003, and Vis ...) NOT-FOR-US: Microsoft ActiveX CVE-2007-0611 (Multiple cross-site scripting (XSS) vulnerabilities in Free LAN In(tra ...) NOT-FOR-US: Free LAN Intranet Portal CVE-2007-0610 (Cross-site scripting (XSS) vulnerability in the mailform feature in CM ...) NOT-FOR-US: CMSimple CVE-2007-0609 (Directory traversal vulnerability in Advanced Guestbook 2.4.2 allows r ...) NOT-FOR-US: Advanced Guestbook CVE-2007-0608 (Advanced Guestbook 2.4.2 allows remote attackers to obtain sensitive i ...) NOT-FOR-US: Advanced Guestbook CVE-2007-0607 (W-Agora (Web-Agora) 4.2.1, when register_globals is enabled, stores gl ...) NOT-FOR-US: Web-Agora CVE-2007-0606 (w-agora 4.2.1 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Web-Agora CVE-2007-0605 (Cross-site scripting (XSS) vulnerability in picture.php in Advanced Gu ...) NOT-FOR-US: Advanced Guestbook CVE-2007-0604 (Cross-site scripting (XSS) vulnerability in Movable Type (MT) before 3 ...) NOT-FOR-US: Movable Type CVE-2007-0603 (PGP Desktop before 9.5.1 does not validate data objects received over ...) NOT-FOR-US: PGP Desktop CVE-2007-0602 (Buffer overflow in libvsapi.so in the VSAPI library in Trend Micro Vir ...) NOT-FOR-US: Trend Micro AntiVirus CVE-2007-0601 (common/safety.php in Aztek Forum 4.00 allows remote attackers to enter ...) NOT-FOR-US: Aztek Forum CVE-2007-0600 (SQL injection vulnerability in news_page.asp in Martyn Kilbryde Newspo ...) NOT-FOR-US: makit news CVE-2007-0599 (Variable overwrite vulnerability in common/config.php in Aztek Forum 4 ...) NOT-FOR-US: Aztek Forum CVE-2007-0598 (SQL injection vulnerability in forum/load.php in Aztek Forum 4.00 allo ...) NOT-FOR-US: Aztek Forum CVE-2007-0597 (Aztek Forum 4.00 allows remote attackers to obtain sensitive informati ...) NOT-FOR-US: Aztek Forum CVE-2007-0596 (PHP remote file inclusion vulnerability in index/main.php in Aztek For ...) NOT-FOR-US: Aztek Forum CVE-2007-0595 (Cross-site scripting (XSS) vulnerability in search in High 5 Review Si ...) NOT-FOR-US: high5 Review CVE-2007-0594 (Siteman 2.0.x2 stores sensitive information under the web root with in ...) NOT-FOR-US: Siteman CVE-2007-0593 (Siteman 1.1.11 stores sensitive information under the web root with in ...) NOT-FOR-US: Siteman CVE-2007-0592 (Cross-site scripting (XSS) vulnerability in EzDatabase 2.1.3 allows re ...) NOT-FOR-US: EzDatabase CVE-2007-0591 (PHP remote file inclusion vulnerability in configure.php in Vu Le An V ...) NOT-FOR-US: VirtualPath CVE-2007-0590 (Cross-site scripting (XSS) vulnerability in busca2.asp in Forum Livre ...) NOT-FOR-US: Forum Livre CVE-2007-0589 (SQL injection vulnerability in Forum Livre 1.0 allows remote attackers ...) NOT-FOR-US: Forum Livre CVE-2007-0588 (The InternalUnpackBits function in Apple QuickDraw, as used by Quickti ...) NOT-FOR-US: Apple CVE-2007-0587 RESERVED CVE-2007-0586 RESERVED CVE-2007-0585 (include/debug.php in Webfwlog 0.92 and earlier, when register_globals ...) NOT-FOR-US: Webfwlog CVE-2007-0584 (PHP remote file inclusion vulnerability in membres/membreManager.php i ...) NOT-FOR-US: PhP Generic CVE-2007-0583 (Multiple cross-site scripting (XSS) vulnerabilities in HTTP Commander ...) NOT-FOR-US: HTTP Commander CVE-2007-0582 (SQL injection vulnerability in default.asp in ChernobiLe 1.0 allows re ...) NOT-FOR-US: ChernobiLe CVE-2007-0581 (PHP remote file inclusion vulnerability in functions.php in EclipseBB ...) NOT-FOR-US: EclipseBB CVE-2007-0580 (PHP remote file inclusion vulnerability in menu.php in Foro Domus 2.10 ...) NOT-FOR-US: Foro Domus CVE-2007-0579 (Unspecified vulnerability in the calendar component in Horde Groupware ...) NOT-FOR-US: Horde Groupware CVE-2007-0578 (The http_open function in httpget.c in mpg123 before 0.64 allows remot ...) - mpg123 0.61-5 (bug #409296; unimportant) NOTE: Not much of a security problem; user will abort mpg123 and never listen to NOTE: the faulty stream again CVE-2007-0577 (PHP remote file inclusion vulnerability in function.inc.php in ACGVcli ...) NOT-FOR-US: ACGVclick CVE-2007-0576 (PHP remote file inclusion vulnerability in xt_counter.php in Xt-Stats ...) NOT-FOR-US: Xt-Stats CVE-2007-0575 (Multiple SQL injection vulnerabilities in the administrative login pag ...) NOT-FOR-US: ASPCode.net AdMentor CVE-2007-0574 (SQL injection vulnerability in rss/show_webfeed.php in SpoonLabs Vivvo ...) NOT-FOR-US: SpoonLabs Vivvo Article Management CMS CVE-2007-0573 (PHP remote file inclusion vulnerability in includes/config.inc.php in ...) NOT-FOR-US: nsGalPHP CVE-2007-0572 (PHP remote file inclusion vulnerability in include/irc/phpIRC.php in D ...) NOT-FOR-US: Drunken:Golem Gaming Portal CVE-2007-0571 (PHP remote file inclusion vulnerability in include/lib/lib_head.php in ...) NOT-FOR-US: phpMyReports CVE-2007-0570 (PHP remote file inclusion vulnerability in ains_main.php in Johannes G ...) NOT-FOR-US: Ad Fundum Integratable News Script CVE-2007-0569 (SQL injection vulnerability in xNews.php in xNews 1.3 allows remote at ...) NOT-FOR-US: xNews CVE-2007-0568 (PHP remote file inclusion vulnerability in system/lib/package.php in M ...) NOT-FOR-US: MyPHPCommander CVE-2007-0567 (Cross-site scripting (XSS) vulnerability in admin.php in Interactive-S ...) NOT-FOR-US: Interactive-Scripts.Com CVE-2007-0566 (SQL injection vulnerability in news_detail.asp in ASP NEWS 3 and earli ...) NOT-FOR-US: ASP NEWS CVE-2007-0565 (CGI-Rescue Shopping Basket Professional 7.50 and earlier allows remote ...) NOT-FOR-US: CGI RESCUE CVE-2007-0564 (The license registering interface in Symantec Web Security (SWS) befor ...) NOT-FOR-US: Symantec CVE-2007-0563 (Multiple cross-site scripting (XSS) vulnerabilities in Symantec Web Se ...) NOT-FOR-US: Symantec CVE-2007-0562 (Windows Explorer (explorer.exe) 6.0.2900.2180 in Microsoft Windows XP ...) NOT-FOR-US: Windows Explorer CVE-2007-0561 (Multiple PHP remote file inclusion vulnerabilities in Xero Portal 1.2 ...) NOT-FOR-US: Xero Portal CVE-2007-0560 (SQL injection vulnerability in user.asp in ASP EDGE 1.2b and earlier a ...) NOT-FOR-US: ASP EDGE CVE-2007-0559 (PHP remote file inclusion vulnerability in config.php in RPW 1.0.2 all ...) NOT-FOR-US: RPW CVE-2007-0558 (PHP remote file inclusion vulnerability in modules/mail/main.php in In ...) NOT-FOR-US: vHostAdmin CVE-2005-4826 (Unspecified vulnerability in the VLAN Trunking Protocol (VTP) feature ...) NOT-FOR-US: Cisco CVE-2007-0557 (rMake before 1.0.4 drops root privileges in a way that retains the ori ...) NOT-FOR-US: rPath CVE-2007-0556 (The query planner in PostgreSQL before 8.0.11, 8.1 before 8.1.7, and 8 ...) - postgresql-8.2 8.2.2-1 - postgresql-8.1 8.1.7-1 - postgresql-7.4 (only PostgreSQL 8.x) - postgresql (only PostgreSQL 8.x) CVE-2007-0555 (PostgreSQL 7.3 before 7.3.13, 7.4 before 7.4.16, 8.0 before 8.0.11, 8. ...) {DSA-1261-1} - postgresql-8.2 8.2.2-1 - postgresql-8.1 8.1.7-1 - postgresql-7.4 1:7.4.16-1 - postgresql (only transitional package) CVE-2007-0554 (SQL injection vulnerability in print.asp in Guo Xu Guos Posting System ...) NOT-FOR-US: Guos Posting System CVE-2007-0553 (Multiple cross-site scripting (XSS) vulnerabilities in index.inc.php i ...) NOT-FOR-US: PHProxy CVE-2007-0552 (Cross-site scripting (XSS) vulnerability in install/default/error404.h ...) NOT-FOR-US: Onnac CVE-2007-0551 (Multiple PHP remote file inclusion vulnerabilities in cmsimple/cms.php ...) NOT-FOR-US: CMSimple CVE-2007-0550 (Cross-site scripting (XSS) vulnerability in search.php in 212cafeBoard ...) NOT-FOR-US: 212cafe Guestbook CVE-2007-0549 (Cross-site scripting (XSS) vulnerability in list3.php in 212cafeBoard ...) NOT-FOR-US: 212cafe Guestbook CVE-2007-0548 (KarjaSoft Sami HTTP Server 2.0.1 allows remote attackers to cause a de ...) NOT-FOR-US: KarjaSoft CVE-2007-0547 (Cross-site scripting (XSS) vulnerability in CGI-RESCUE WebFORM 4.3 and ...) NOT-FOR-US: CGI RESCUE CVE-2007-0546 (Toxiclab Shoutbox 1 stores sensitive information under the web root wi ...) NOT-FOR-US: Toxiclab Shoutbox CVE-2007-0545 (Maxtricity Tagger 0.1 stores sensitive information under the web root ...) NOT-FOR-US: Maxtricity Tagger CVE-2007-0544 (Cross-site scripting (XSS) vulnerability in private.php in MyBB (aka M ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2007-0543 (ZixForum 1.14 and earlier stores sensitive information under the web r ...) NOT-FOR-US: ZixForum CVE-2007-0542 (Cross-site scripting (XSS) vulnerability in show.php in 212cafe Guestb ...) NOT-FOR-US: 212cafe Guestbook CVE-2007-0541 (WordPress allows remote attackers to determine the existence of arbitr ...) {DTSA-33-1} - wordpress 2.1.0-1 (low) CVE-2007-0540 (WordPress allows remote attackers to cause a denial of service (bandwi ...) {DSA-1564-1} - wordpress 2.1.0-1 (low) CVE-2007-0539 (The wp_remote_fopen function in WordPress before 2.1 allows remote att ...) {DTSA-33-1} - wordpress 2.1.0-1 (low) CVE-2007-0538 (Telligent Community Server 2.1 and earlier allows remote attackers to ...) NOT-FOR-US: Telligent CVE-2007-0537 (The KDE HTML library (kdelibs), as used by Konqueror 3.5.5, does not p ...) - kdelibs 4:3.5.5a.dfsg.1-6 (bug #409868; medium) CVE-2007-0536 (The chroot helper in rMake for rPath Linux 1 does not drop supplementa ...) NOT-FOR-US: rPath CVE-2007-0535 (Multiple eval injection vulnerabilities in Vote! Pro 4.0, and possibly ...) NOT-FOR-US: Vote! Pro CVE-2007-0534 (Multiple cross-site scripting (XSS) vulnerabilities in the (1) Project ...) NOT-FOR-US: Drupal module "Project" CVE-2007-0533 (The AToZed IntraWeb component 8.0 and earlier for Borland Delphi and K ...) NOT-FOR-US: Borland Delphi CVE-2007-0532 (Tuan Do Uploader (aka php-uploader) 6 beta 1 stores sensitive informat ...) NOT-FOR-US: Uploader CVE-2007-0531 (PHP remote file inclusion vulnerability in includes/login.php in FreeW ...) NOT-FOR-US: FreeWebShop CVE-2007-0530 NOT-FOR-US: Advanced Guestbook CVE-2007-0529 (Cross-site scripting (XSS) vulnerability in index.html (aka the admini ...) NOT-FOR-US: PHP Link Directory CVE-2007-0528 (The admin web console implemented by the Centrality Communications (ak ...) NOT-FOR-US: Centrality Communications CVE-2007-0527 (SQL injection vulnerability in the is_remembered function in class.log ...) NOT-FOR-US: Website Baker CVE-2007-0526 (Multiple cross-site scripting (XSS) vulnerabilities in Bitweaver 1.3.1 ...) NOT-FOR-US: Bitweaver CVE-2007-0525 (Multiple buffer overflows in Nickolas Grigoriadis Mini Web server (Min ...) NOT-FOR-US: Mini Web server CVE-2007-0524 (The LG Chocolate KG800 phone allows remote attackers to cause a denial ...) NOT-FOR-US: LG CVE-2007-0523 (The Nokia N70 phone allows remote attackers to cause a denial of servi ...) NOT-FOR-US: Nokia CVE-2007-0522 (The Motorola MOTORAZR V3 phone allows remote attackers to cause a deni ...) NOT-FOR-US: Motorola CVE-2007-0521 (The Sony Ericsson K700i and W810i phones allow remote attackers to cau ...) NOT-FOR-US: Sony Ericsson CVE-2007-0520 (SQL injection vulnerability in banner.php in Unique Ads (UDS) 1.x allo ...) NOT-FOR-US: Unique Ads CVE-2007-0519 (Cross-site scripting (XSS) vulnerability in memcp.php in XMB U2U Insta ...) NOT-FOR-US: XMB Host CVE-2007-0518 (Scriptsez Smart PHP Subscriber (aka subscribe) stores sensitive inform ...) NOT-FOR-US: Scriptsez CVE-2007-0517 (Scriptsez Random PHP Quote 1.0 stores sensitive information under the ...) NOT-FOR-US: Scriptsez CVE-2007-0516 (Yana Framework before 2.8.5a allows remote authenticated users with pe ...) NOT-FOR-US: Yana CVE-2007-0515 (Unspecified vulnerability in Microsoft Word allows user-assisted remot ...) NOT-FOR-US: Microsoft CVE-2007-0514 (Multiple cross-site scripting (XSS) vulnerabilities in multiple Hitach ...) NOT-FOR-US: Hitachi CVE-2007-0513 (Hitachi HiRDB Datareplicator 7HiRDB, 7(64), 6, 6(64), 5.0, and 5.0(64) ...) NOT-FOR-US: Hitachi CVE-2007-0512 (Hitachi TP1/LiNK 05-00 through 05-03-/F, 03-04 through 03-06-/K, and 0 ...) NOT-FOR-US: Hitachi CVE-2007-0511 (Multiple PHP remote file inclusion vulnerabilities in phpXMLDOM (phpXD ...) NOT-FOR-US: phpXD CVE-2007-0510 (Multiple buffer overflows in (1) graphs.c, (2) output.c, and (3) prese ...) - awffull (unimportant) NOTE: This appears to be a bug without a vulnerability vector. CVE-2007-0509 (Multiple unspecified vulnerabilities in MaklerPlus before 1.2 have unk ...) NOT-FOR-US: MaklerPlus CVE-2007-0507 (SQL injection vulnerability in the Acidfree module for Drupal before 4 ...) NOT-FOR-US: Drupal module "Acidfree" CVE-2007-0506 (The project_issue_access function in the Project issue tracking 4.7.0 ...) NOT-FOR-US: Drupal module "Project" CVE-2007-0505 (Unrestricted file upload vulnerability in the Project issue tracking 4 ...) NOT-FOR-US: Drupal module "Project" CVE-2007-0504 (Eval injection vulnerability in poll_frame.php in Vote! Pro 4.0, and p ...) NOT-FOR-US: Vote! Pro CVE-2007-0503 (Unspecified vulnerability in kcms_calibrate in Sun Solaris 8 and 9 bef ...) NOT-FOR-US: Sun CVE-2007-0502 (SQL injection vulnerability in gallery.php in webSPELL 4.01.02 allows ...) NOT-FOR-US: webSPELL CVE-2007-0501 (PHP remote file inclusion vulnerability in index.php in Mafia Scum Too ...) NOT-FOR-US: Advanced Random Generators CVE-2007-0500 (PHP remote file inclusion vulnerability in include/includes.php in Bra ...) NOT-FOR-US: Bradabra CVE-2007-0499 (PHP remote file inclusion vulnerability in config.php in Sangwan Kim p ...) NOT-FOR-US: phpIndexPage CVE-2007-0498 (PHP remote file inclusion vulnerability in up.php in MySpeach 2.1 beta ...) NOT-FOR-US: MySpeach CVE-2007-0497 (PHP remote file inclusion vulnerability in upload/top.php in Upload-Se ...) NOT-FOR-US: Upload-Service CVE-2007-0496 (PHP remote file inclusion vulnerability in lib/nl/nl.php in Neon Labs ...) NOT-FOR-US: Neon Lab CVE-2007-0495 (PHP remote file inclusion vulnerability in include/config.inc.php in P ...) NOT-FOR-US: PhpSherpa CVE-2007-0492 (Multiple SQL injection vulnerabilities in gallery.php in webSPELL 4.01 ...) NOT-FOR-US: webSPELL CVE-2007-0491 (PHP remote file inclusion vulnerability in up.php in Sky GUNNING MySpe ...) NOT-FOR-US: MySpeach CVE-2007-0490 (index.php in Open-Realty 2.3.4 allows remote attackers to obtain sensi ...) NOT-FOR-US: Open-Realty CVE-2007-0489 (PHP remote file inclusion vulnerability in includes/functions.visohotl ...) NOT-FOR-US: VisoHotlink CVE-2007-0488 (The Huawei Versatile Routing Platform 1.43 2500E-003 firmware on the Q ...) NOT-FOR-US: Huawei CVE-2007-0487 NOT-FOR-US: FreeForum CVE-2007-0486 NOT-FOR-US: Openads CVE-2007-0485 (PHP remote file inclusion vulnerability in defines.php in WebChat 0.77 ...) NOT-FOR-US: Webdev CVE-2007-0484 (Multiple SQL injection vulnerabilities in Enthusiast 3.1 allow remote ...) NOT-FOR-US: ReviewPost CVE-2007-0483 (Multiple cross-site scripting (XSS) vulnerabilities in Enthusiast 3.1 ...) NOT-FOR-US: ReviewPost CVE-2007-0482 (cgi-bin/main in Sun Ray Server Software 2.0 and 3.0 before 20070123 al ...) NOT-FOR-US: Sun CVE-2007-0481 (Cisco IOS allows remote attackers to cause a denial of service (crash) ...) NOT-FOR-US: Cisco CVE-2007-0480 (Cisco IOS 9.x, 10.x, 11.x, and 12.x and IOS XR 2.0.x, 3.0.x, and 3.2.x ...) NOT-FOR-US: Cisco CVE-2007-0479 (Memory leak in the TCP listener in Cisco IOS 9.x, 10.x, 11.x, and 12.x ...) NOT-FOR-US: Cisco CVE-2007-0478 (WebCore on Apple Mac OS X 10.3.9 and 10.4.10, as used in Safari, does ...) NOT-FOR-US: Apple Safari CVE-2007-0477 (Cross-site scripting (XSS) vulnerability in Openads 2.0.x before 2.0.1 ...) NOT-FOR-US: Openads CVE-2007-0476 (The gencert.sh script, when installing OpenLDAP before 2.1.30-r10, 2.2 ...) - openldap2 (Gentoo packaging bug) CVE-2007-0475 (Multiple stack-based buffer overflows in utilities/smb4k_*.cpp in Smb4 ...) - smb4k 0.8.1-1 (low) [etch] - smb4k (Minor issue) NOTE: not all problems fixed in 0.8.0 CVE-2007-0474 (Smb4K before 0.8.0 allow local users, when present on the Smb4K sudoer ...) - smb4k 0.8.1-1 (low) [etch] - smb4k (Minor issue) NOTE: not fixed in 0.8.0, see NOTE: https://web.archive.org/web/20070712072042/http://developer.berlios.de/bugs/?func=detailbug&bug_id=9631&group_id=769 CVE-2007-0473 (The writeFile function in core/smb4kfileio.cpp in Smb4K before 0.8.0 d ...) - smb4k 0.8.0-1 (low) [etch] - smb4k (Minor issue) CVE-2007-0472 (Multiple race conditions in Smb4K before 0.8.0 allow local users to (1 ...) - smb4k 0.8.0-1 (low) [etch] - smb4k (Minor issue) CVE-2006-6965 (CRLF injection vulnerability in lib/exe/fetch.php in DokuWiki 2006-03- ...) - dokuwiki 0.0.20061106-1 (low) CVE-2006-6964 (MailEnable Professional before 1.78 provides a cleartext user password ...) NOT-FOR-US: MailEnable CVE-2006-6963 (Multiple PHP remote file inclusion vulnerabilities in Docebo LMS 3.0.3 ...) NOT-FOR-US: Docebo CVE-2006-6962 (PHP remote file inclusion vulnerability in rsgallery2.html.php in the ...) NOT-FOR-US: RS Gallery2 CVE-2006-6961 (WebRoot Spy Sweeper 4.5.9 and earlier does not detect malware based on ...) NOT-FOR-US: WebRoot Spy Sweeper CVE-2006-6960 (The Compression Sweep feature in WebRoot Spy Sweeper 4.5.9 and earlier ...) NOT-FOR-US: WebRoot Spy Sweeper CVE-2006-6959 (WebRoot Spy Sweeper 4.5.9 and earlier allows local users to bypass the ...) NOT-FOR-US: WebRoot Spy Sweeper CVE-2006-6958 (Multiple PHP remote file inclusion vulnerabilities in phpBlueDragon 2. ...) NOT-FOR-US: phpBlueDragon CMS CVE-2006-6957 (PHP remote file inclusion vulnerability in addons/mod_media/body.php i ...) NOT-FOR-US: Docebo CVE-2006-6956 (Microsoft Internet Explorer allows remote attackers to cause a denial ...) NOT-FOR-US: Microsoft CVE-2006-6955 (Opera allows remote attackers to cause a denial of service (applicatio ...) NOT-FOR-US: Opera CVE-2006-6954 (Flock beta 1 0.7 allows remote attackers to cause a denial of service ...) - iceweasel (unimportant) NOTE: Browser crashes not treated as security problems NOTE: Tested the proof of concept in iceweasel 2.0.0.1 and it crash. NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=239840 CVE-2006-6953 (The virtual keyboard implementation in GlobeTrotter Mobility Manager c ...) NOT-FOR-US: GlobeTrotter Mobility Manager CVE-2006-6952 (Computer Associates Host Intrusion Prevention System (HIPS) drivers (1 ...) NOT-FOR-US: Computer Associates (CA) CVE-2005-4825 (Cisco Clean Access 3.5.5 and earlier on the Secure Smart Manager allow ...) NOT-FOR-US: Cisco CVE-2004-2676 (The Spy Sweeper Enterprise Client (SpySweeperTray.exe) in WebRoot Spy ...) NOT-FOR-US: WebRoot Spy Sweeper CVE-2007-0508 (PHP remote file inclusion vulnerability in lib/selectlang.php in BBClo ...) - bbclone 0.4.6-8 (bug #408839; medium) CVE-2007-XXXX [hinfo code injection] - hinfo 1.02-3.1 (bug #402316; low) [sarge] - hinfo (Package completely broken, hardly usable for an attack) CVE-2007-0494 (ISC BIND 9.0.x, 9.1.x, 9.2.0 up to 9.2.7, 9.3.0 up to 9.3.3, 9.4.0a1 u ...) {DSA-1254-1} - bind9 1:9.3.4-2 (medium; bug #408432) - bind CVE-2007-0493 (Use-after-free vulnerability in ISC BIND 9.3.0 up to 9.3.3, 9.4.0a1 up ...) - bind9 1:9.3.4-2 (medium; bug #408432) [sarge] - bind9 (Vulnerable code not present) - bind CVE-2007-XXXX [gstreamer ffmpeg missing checks of packet sizes, chunk sizes, and fragment positions] - gstreamer0.10-ffmpeg 0.10.1-6 - gst-ffmpeg 0.8.7-10 [etch] - ffmpeg 0.cvs20060823-5 - ffmpeg 0.cvs20060823-6 - xmovie (this is not an issue in the avformat ffmpeg code copy) - mplayer 1.0~rc1-12 CVE-2007-0471 (sre/params.php in the Integrity Clientless Security (ICS) component in ...) NOT-FOR-US: Check Point CVE-2007-0470 (Multiple unspecified vulnerabilities in tip in Sun Solaris 8, 9, and 1 ...) NOT-FOR-US: Sun Solaris CVE-2007-0469 (The extract_files function in installer.rb in RubyGems before 0.9.1 do ...) - libgems-ruby 0.9.3-1 (low; bug #408299) [etch] - libgems-ruby (Minor issue, needs implicit trust on installed data) CVE-2007-0468 (Stack-based buffer overflow in rcdll.dll in msdev.exe in Visual C++ (M ...) NOT-FOR-US: Visual C++ CVE-2007-0467 (crashdump in Apple Mac OS X 10.4.8 allows local users in the admin gro ...) NOT-FOR-US: Apple CVE-2007-0466 (Telestream Flip4Mac Windows Media Components for Quicktime 2.1.0.33 al ...) NOT-FOR-US: Telestream CVE-2007-0465 (Format string vulnerability in Apple Installer 2.1.5 on Mac OS X 10.4. ...) NOT-FOR-US: Apple CVE-2007-0464 (The _CFNetConnectionWillEnqueueRequests function in CFNetwork 129.19 o ...) NOT-FOR-US: CFNetwork on Apple Mac OS CVE-2007-0463 (Format string vulnerability in Apple Software Update 2.0.5 on Mac OS X ...) NOT-FOR-US: Apple CVE-2007-0462 (The _GetSrcBits32ARGB function in Apple QuickDraw, as used by Quicktim ...) NOT-FOR-US: Apple CVE-2007-0461 (Multiple memory leaks in the Dazuko anti-virus helper module before 2. ...) - dazuko-source (bug #408300) [sarge] - dazuko-source (Vulnerable code not present) CVE-2007-0460 (Multiple buffer overflows in ulogd for SUSE Linux 9.3 up to 10.1, and ...) - ulogd 1.23-6 (medium) CVE-2007-0459 (packet-tcp.c in the TCP dissector in Wireshark (formerly Ethereal) 0.9 ...) - wireshark 0.99.4-5 (low) [sarge] - ethereal (Vulnerable code not present) CVE-2007-0458 (Unspecified vulnerability in the HTTP dissector in Wireshark (formerly ...) - wireshark 0.99.4-5 (low) [sarge] - ethereal (Vulnerable code not present) CVE-2007-0457 (Unspecified vulnerability in the IEEE 802.11 dissector in Wireshark (f ...) - wireshark 0.99.4-5 (low) [sarge] - ethereal (Vulnerable code not present) CVE-2007-0456 (Unspecified vulnerability in the LLT dissector in Wireshark (formerly ...) - wireshark 0.99.4-5 (low) [sarge] - ethereal (Vulnerable code not present) CVE-2007-0455 (Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Grap ...) {DSA-1936-1} - libgd2 2.0.35.dfsg-1 (bug #408982; low) [sarge] - libgd2 (Minor issue, hardly exploitable) [etch] - libgd2 (Minor issue, hardly exploitable) CVE-2007-0454 (Format string vulnerability in the afsacl.so VFS module in Samba 3.0.6 ...) {DSA-1257} - samba 3.0.23d-5 (medium) CVE-2007-0453 (Buffer overflow in the nss_winbind.so.1 library in Samba 3.0.21 throug ...) - samba (Solaris-specific vulnerability) CVE-2007-0452 (smbd in Samba 3.0.6 through 3.0.23d allows remote authenticated users ...) {DSA-1257} - samba 3.0.23d-5 (low) CVE-2007-0450 (Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x ...) - tomcat5 (unimportant) - tomcat5.5 5.5.23-1 (unimportant) NOTE: This only adds an additional control settings for path delimiters, the NOTE: necessary proxies still need to be secured or fixed individually (e.g. NOTE: as done for mod_jk in a DSA CVE-2007-0449 (Multiple buffer overflows in LGSERVER.EXE in CA BrightStor ARCserve Ba ...) NOT-FOR-US: CA BrightStor CVE-2007-0448 (The fopen function in PHP 5.2.0 does not properly handle invalid URI h ...) - php5 (unimportant) NOTE: open_basedir bypasses not supported CVE-2007-0447 (Heap-based buffer overflow in the Decomposer component in multiple Sym ...) NOT-FOR-US: Symantec CVE-2007-0446 (Stack-based buffer overflow in magentproc.exe for Hewlett-Packard Merc ...) NOT-FOR-US: HP Mercury CVE-2007-0445 (Heap-based buffer overflow in the arj.ppl module in the OnDemand Scann ...) NOT-FOR-US: Kaspersky Anti-Virus CVE-2007-0444 (Stack-based buffer overflow in the print provider library (cpprov.dll) ...) NOT-FOR-US: Citrix CVE-2007-0443 (Multiple buffer overflows in the CDDBControl ActiveX control in Gracen ...) NOT-FOR-US: GraceNote ActiveX Control CVE-2007-0442 (Unspecified vulnerability in IBM OS/400 R530 and R535 has unknown impa ...) NOT-FOR-US: IBM OS/400 CVE-2007-0441 (Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) ...) NOT-FOR-US: OpenView Network Node Manager CVE-2007-0440 RESERVED CVE-2007-0439 RESERVED CVE-2007-0438 RESERVED CVE-2007-0437 (Multiple cross-site scripting (XSS) vulnerabilities in the sample Cach ...) NOT-FOR-US: InterSystems Cache CVE-2007-0436 (Barron McCann X-Kryptor Driver BMS1446HRR (Xgntr BMS1351 Install BMS14 ...) NOT-FOR-US: X-Kryptor CVE-2005-4824 (PHP remote file inclusion vulnerability in web/classes.php in Sitefram ...) NOT-FOR-US: siteframe CVE-2007-0435 (T-Com Speedport 500V routers with firmware 1.31 allow remote attackers ...) NOT-FOR-US: T-Com Speedport CVE-2007-0434 (BEA AquaLogic Enterprise Security 2.0 through 2.0 SP2, 2.1 through 2.1 ...) NOT-FOR-US: BEA CVE-2007-0433 (Unspecified vulnerability in BEA AquaLogic Enterprise Security 2.0 thr ...) NOT-FOR-US: BEA CVE-2007-0432 (BEA AquaLogic Service Bus 2.0, 2.1, and 2.5 does not properly reject m ...) NOT-FOR-US: BEA CVE-2007-0431 (AVM Fritz!Box 7050, and possibly other product models, allows remote a ...) NOT-FOR-US: AVM CVE-2007-0430 (The shared_region_map_file_np function in Apple Mac OS X 10.4.8 and ea ...) NOT-FOR-US: Apple Mac OS CVE-2007-0429 (DivXBrowserPlugin (aka DivX Web Player) npdivx32.dll, as distributed w ...) NOT-FOR-US: DivX Web Player CVE-2007-0428 (Unspecified vulnerability in the chtbl_lookup function in hash.c for W ...) - wzdftpd 0.8.1-1 (medium) CVE-2007-0427 (Stack-based buffer overflow in Microsoft Help Workshop 4.03.0002 allow ...) NOT-FOR-US: Microsoft CVE-2007-0426 (BEA WebLogic Portal 9.2, when running in a WebLogic Server clustered e ...) NOT-FOR-US: BEA CVE-2007-0425 (Unspecified vulnerability in BEA WebLogic Platform and Server 8.1 thro ...) NOT-FOR-US: BEA CVE-2007-0424 (Unspecified vulnerability in the BEA WebLogic Server proxy plug-in for ...) NOT-FOR-US: BEA CVE-2007-0423 (BEA WebLogic Portal 9.2 does not properly handle when an administrator ...) NOT-FOR-US: BEA CVE-2007-0422 (BEA WebLogic Server 9.0, 9.1, and 9.2 Gold, when running on Solaris 9, ...) NOT-FOR-US: BEA CVE-2007-0421 (BEA WebLogic Server 6.1 through 6.1 SP7, and 7.0 through 7.0 SP7 allow ...) NOT-FOR-US: BEA CVE-2007-0420 (BEA WebLogic Server 9.0, 9.1, and 9.2 Gold allows remote attackers to ...) NOT-FOR-US: BEA CVE-2007-0419 (The BEA WebLogic Server proxy plug-in before June 2006 for the Apache ...) NOT-FOR-US: BEA CVE-2007-0418 (BEA WebLogic Server 7.0 through 7.0 SP6, 8.1 through 8.1 SP5, 9.0, and ...) NOT-FOR-US: BEA CVE-2007-0417 (BEA WebLogic Server 7.0 through 7.0 SP7, 8.1 through 8.1 SP5, 9.0, and ...) NOT-FOR-US: BEA CVE-2007-0416 (The WSEE runtime (WS-Security runtime) in BEA WebLogic Server 9.0 and ...) NOT-FOR-US: BEA CVE-2007-0415 (BEA WebLogic Server 8.1 through 8.1 SP5 does not properly enforce acce ...) NOT-FOR-US: BEA CVE-2007-0414 (BEA WebLogic Server 6.1 through 6.1 SP7, 7.0 through 7.0 SP6, 8.1 thro ...) NOT-FOR-US: BEA CVE-2007-0413 (BEA WebLogic Server 8.1 through 8.1 SP5 stores cleartext data in a bac ...) NOT-FOR-US: BEA CVE-2007-0412 (BEA WebLogic Server 6.1 through 6.1 SP7, 7.0 through 7.0 SP7, and 8.1 ...) NOT-FOR-US: BEA CVE-2007-0411 (BEA WebLogic Server 8.1 through 8.1 SP5, 9.0, 9.1, and 9.2 Gold, when ...) NOT-FOR-US: BEA CVE-2007-0410 (Unspecified vulnerability in the thread management in BEA WebLogic 7.0 ...) NOT-FOR-US: BEA CVE-2007-0409 (BEA WebLogic 7.0 through 7.0 SP6, 8.1 through 8.1 SP4, and 9.0 initial ...) NOT-FOR-US: BEA CVE-2007-0408 (BEA Weblogic Server 8.1 through 8.1 SP4 does not properly validate cli ...) NOT-FOR-US: BEA CVE-2007-0407 (Cross-site scripting (XSS) vulnerability in Operation/User.pm in Plain ...) NOT-FOR-US: Poplar Gedcom Viewer CVE-2007-0406 (Multiple buffer overflows in the (1) main function in (a) client.c, an ...) - gxine 0.5.8-2 (medium; bug #405876) CVE-2007-0405 (The LazyUser class in the AuthenticationMiddleware for Django 0.95 doe ...) - python-django 0.95.1-1 (bug #407786) CVE-2007-0404 (bin/compile-messages.py in Django 0.95 does not quote argument strings ...) - python-django 0.95.1-1 (bug #407786) CVE-2007-0403 (SQL injection vulnerability in admin/memberlist.php in Easebay Resourc ...) NOT-FOR-US: Easebay Resources CVE-2007-0402 (Cross-site scripting (XSS) vulnerability in admin/edit_member.php in E ...) NOT-FOR-US: Easebay Resources CVE-2007-0401 (SQL injection vulnerability in admin/memberlist.php in Easebay Resourc ...) NOT-FOR-US: Easebay Resources CVE-2007-0400 (Cross-site scripting (XSS) vulnerability in admin/memberlist.php in Ea ...) NOT-FOR-US: Easebay Resources CVE-2007-0399 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Si ...) NOT-FOR-US: Simple Machines Forum CVE-2007-0398 (Multiple cross-site scripting (XSS) vulnerabilities in forum.php3 in A ...) NOT-FOR-US: MisterSPa-forum CVE-2006-6951 (Cross-site scripting (XSS) vulnerability in blog.php in OdysseusBlog a ...) NOT-FOR-US: Odysseus Blog CVE-2006-6950 (Directory traversal vulnerability in Conti FTPServer 1.0 Build 2.8 all ...) NOT-FOR-US: Conti FtpServer CVE-2006-6949 (Conti FTPServer 1.0 Build 2.8 stores user passwords in cleartext in My ...) NOT-FOR-US: Conti FtpServer CVE-2006-6948 (MyODBC Japanese conversion edition 3.51.06, 2.50.29, and 2.50.25 allow ...) NOT-FOR-US: JVN CVE-2006-6947 (The FTP server in the NEC MultiWriter 1700C allows remote attackers to ...) NOT-FOR-US: NEC CVE-2006-6946 (The web server in the NEC MultiWriter 1700C allows remote attackers to ...) NOT-FOR-US: NEC CVE-2007-XXXX [wordpress unregister_globals workaround from 2.0.7] - wordpress 2.0.7 (bug #407116; unimportant) NOTE: Non-issue, hash issue fixed since months in Sarge and Etch, NOTE: register_globals unsupported anyway CVE-2007-0397 (The Cisco Security Monitoring, Analysis and Response System (CS-MARS) ...) NOT-FOR-US: Cisco CVE-2007-0396 (Unspecified vulnerability in HP-UX B.11.23, when running IPFilter in c ...) NOT-FOR-US: HP-UX CVE-2007-0395 (PHP remote file inclusion vulnerability in libraries/grab_globals.lib. ...) NOT-FOR-US: ComVironment CVE-2007-0394 (HP HP-UX B11.11 does not properly verify the status of file descriptor ...) NOT-FOR-US: HP-UX CVE-2007-0393 (Sun Solaris 9 does not properly verify the status of file descriptors ...) NOT-FOR-US: Sun Solaris CVE-2007-0392 (IBM AIX 5.3 does not properly verify the status of file descriptors be ...) NOT-FOR-US: IBM AIX CVE-2007-0391 (Format string vulnerability in the log creation functionality of BitDe ...) NOT-FOR-US: BitDefender CVE-2007-0390 (Cross-site scripting (XSS) vulnerability in index.php in sabros.us 1.7 ...) NOT-FOR-US: sabros.us CVE-2007-0389 (Directory traversal vulnerability in ArsDigita Community System (ACS) ...) NOT-FOR-US: ArsDigita Community System CVE-2007-0388 (SQL injection vulnerability in search.php in Woltlab Burning Board (wB ...) NOT-FOR-US: Woltlab Burning Board CVE-2007-0387 (SQL injection vulnerability in models/category.php in the Weblinks com ...) NOT-FOR-US: Joomla! CVE-2007-0386 (Unspecified vulnerability in the rating section in PostNuke 0.764 has ...) NOT-FOR-US: PostNuke CVE-2007-0385 (The faq section in PostNuke 0.764 allows remote attackers to obtain se ...) NOT-FOR-US: PostNuke CVE-2007-0384 (Cross-site scripting (XSS) vulnerability in preview in the reviews sec ...) NOT-FOR-US: PostNuke CVE-2007-0383 NOT-FOR-US: WDaemon CVE-2007-0382 (Multiple SQL injection vulnerabilities in letterman.class.php in the L ...) NOT-FOR-US: Letterman 1.2.3 (com_letterman) component for Joomla! CVE-2007-0381 (Multiple SQL injection vulnerabilities in ATutor 1.5.3.2 allow remote ...) NOT-FOR-US: ATutor CVE-2007-0380 (DocMan 1.3 RC2 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: DocMan CVE-2007-0379 (Cross-site scripting (XSS) vulnerability in DocMan 1.3 RC2 allows remo ...) NOT-FOR-US: DocMan CVE-2007-0378 (Multiple SQL injection vulnerabilities in DocMan 1.3 RC2 allow attacke ...) NOT-FOR-US: DocMan CVE-2007-0377 (Multiple SQL injection vulnerabilities in Xoops 2.0.16 allow remote at ...) NOT-FOR-US: Xoops CVE-2007-0376 (Cross-site scripting (XSS) vulnerability in Virtuemart 1.0.7 allows re ...) NOT-FOR-US: Virtuemart CVE-2007-0375 (Joomla! 1.5.0 Beta allows remote attackers to obtain sensitive informa ...) NOT-FOR-US: Joomla! CVE-2007-0374 (SQL injection vulnerability in (1) Joomla! 1.0.11 and 1.5 Beta, and (2 ...) - mambo 4.6.1-5 (bug #407995; low) CVE-2007-0373 (Multiple SQL injection vulnerabilities in Joomla! 1.5.0 Beta allow rem ...) NOT-FOR-US: Joomla! CVE-2007-0372 (Multiple SQL injection vulnerabilities in Francisco Burzi PHP-Nuke 7.9 ...) NOT-FOR-US: PHP-Nuke CVE-2007-0371 (A certain ActiveX control in the Common Controls Replacement Project ( ...) NOT-FOR-US: Common Controls Replacement Project (CCRP) CVE-2007-0370 (Unrestricted file upload vulnerability in index.php in phpBP RC3 (2.20 ...) NOT-FOR-US: phpBP CVE-2007-0369 (SQL injection vulnerability in phpBP RC3 (2.204) and earlier allows re ...) NOT-FOR-US: phpBP CVE-2007-0368 (Stack-based buffer overflow in mbse-bbs 0.70 and earlier allows local ...) NOT-FOR-US: mbse CVE-2007-0367 (Rumpus 5.1 and earlier has weak permissions for certain files and dire ...) NOT-FOR-US: Maxum Rumpus CVE-2007-0366 (Untrusted search path vulnerability in Rumpus 5.1 and earlier allows l ...) NOT-FOR-US: Maxum Rumpus CVE-2007-0365 (Multiple cross-site scripting (XSS) vulnerabilities in All In One Cont ...) NOT-FOR-US: All In One Control Panel CVE-2007-0364 (Multiple cross-site scripting (XSS) vulnerabilities in nicecoder.com I ...) NOT-FOR-US: nicecoder.com INDEXU CVE-2006-6945 (SQL injection vulnerability in Virtuemart 1.0.7 allows remote attacker ...) NOT-FOR-US: VirtueMart CVE-2007-XXXX [libjabber DoS] - centericq 4.21.0-18 (unimportant; bug #406982) NOTE: Affected function isn't used in the source CVE-2007-XXXX [python-django flup/FastCGI/debugging issue] - python-django 0.95.1-1 (bug #407607) CVE-2007-XXXX [gstreamer-ffmpeg unspecified issue related to sps and pps ids] - gstreamer0.10-ffmpeg 0.10.1-5 - gst-ffmpeg 0.8.7-9 - mplayer 1.0~rc1-12 [etch] - ffmpeg 0.cvs20060823-5 - ffmpeg 0.cvs20060823-6 - xmovie (this is not an issue in the avformat ffmpeg code copy) CVE-2007-XXXX [netpbm heap corruption] - netpbm-free 2:10.0-11 (bug #407605) CVE-2007-0363 (Cross-site scripting (XSS) vulnerability in admin-search.php in (1) Op ...) NOT-FOR-US: Openads CVE-2007-0362 (Cross-site scripting (XSS) vulnerability in the RSS feed component in ...) NOT-FOR-US: FreshReader CVE-2007-0361 (PHP remote file inclusion vulnerability in mep/frame.php in PHPMyphoru ...) NOT-FOR-US: PHPMyphorum CVE-2007-0360 (PHP remote file inclusion vulnerability in lang/index.php in Oreon 1.2 ...) NOT-FOR-US: Oreon CVE-2007-0359 (PHP remote file inclusion vulnerability in frontpage.php in Uberghey C ...) NOT-FOR-US: Travelsized CMS CVE-2007-0358 (Unspecified vulnerability in the FTP server implementation in HP Jetdi ...) NOT-FOR-US: HP Jetdirect CVE-2007-0357 (Directory traversal vulnerability in the AVM IGD CTRL Service in Fritz ...) NOT-FOR-US: AVM CVE-2007-0356 (The Common Controls Replacement Project (CCRP) FolderTreeview (FTV) Ac ...) NOT-FOR-US: Common Controls Replacement Project (CCRP) CVE-2007-0355 (Buffer overflow in the Apple Minimal SLP v2 Service Agent (slpd) in Ma ...) NOT-FOR-US: Apple CVE-2007-0354 (SQL injection vulnerability in email.php in MGB OpenSource Guestbook 0 ...) NOT-FOR-US: MGB OpenSource Guestbook CVE-2007-0353 (Cross-site scripting (XSS) vulnerability in (1) index.php and (2) logi ...) NOT-FOR-US: myBloggie CVE-2007-0352 (Stack-based buffer overflow in Microsoft Help Workshop 4.03.0002 allow ...) NOT-FOR-US: Microsoft CVE-2007-0351 (Microsoft Windows XP and Windows Server 2003 do not properly handle us ...) NOT-FOR-US: Microsoft CVE-2007-0350 (Multiple SQL injection vulnerabilities in (a) index.php and (b) dl.php ...) NOT-FOR-US: FileMailer CVE-2007-0349 (Directory traversal vulnerability in upgrade.php in nicecoder.com INDE ...) NOT-FOR-US: INDEXU CVE-2007-0348 (Stack-based buffer overflow in the IASystemInfo.dll ActiveX control in ...) NOT-FOR-US: ActiveX control in InterActual Player CVE-2007-0347 (The is_eow function in format.c in CVSTrac before 2.0.1 does not prope ...) - cvstrac 2.0.1-1 [etch] - cvstrac (Vulnerable code not present) [sarge] - cvstrac (Vulnerable code not present) NOTE: the vulnerable code can't be found on other places in 1.1.5 and also similar things NOTE: are done like using %q instead of %s for user supplied data CVE-2007-0346 (SQL injection vulnerability in index.php in SmE FileMailer 1.21 allows ...) NOT-FOR-US: FileMailer CVE-2007-0345 (The (1) Activity Monitor.app/Contents/Resources/pmTool, (2) Keychain A ...) NOT-FOR-US: Apple CVE-2007-0344 (Multiple format string vulnerabilities in (1) _invitedToRoom: and (2) ...) - colloquy CVE-2007-0343 (OpenBSD before 20070116 allows remote attackers to cause a denial of s ...) NOT-FOR-US: OpenBSD CVE-2007-0342 (WebCore in Apple WebKit build 18794 allows remote attackers to cause a ...) NOT-FOR-US: Apple WebKit CVE-2007-0341 (Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.1 and earli ...) - phpmyadmin 4:2.9.1.1-2 (medium) [sarge] - phpmyadmin (Vulnerable code not present) CVE-2007-0340 (SQL injection vulnerability in inc/header.inc.php in ThWboard 3.0b2.84 ...) NOT-FOR-US: ThWboard CVE-2007-0339 (SQL injection vulnerability in index.php (aka the login form) in Scrip ...) NOT-FOR-US: FileMailer CVE-2007-0338 (Heap-based buffer overflow in Dream FTP Server allows remote attackers ...) NOT-FOR-US: BolinTech Dream FTP Server CVE-2007-0337 (Directory traversal vulnerability in sesskglogadmin.php in KGB 1.9 and ...) NOT-FOR-US: KGB CVE-2007-0336 (Undercover.app/Contents/Resources/uc in Rixstep Undercover allows loca ...) NOT-FOR-US: Rixstep CVE-2007-0335 (Multiple directory traversal vulnerabilities in Jax Petition Book 1.0. ...) NOT-FOR-US: Jax Petition Book CVE-2007-0334 (Unspecified vulnerability in the SIP module in InGate Firewall and SIP ...) NOT-FOR-US: Outpost Firewall Pro CVE-2007-0333 (Agnitum Outpost Firewall PRO 4.0 allows local users to bypass access r ...) NOT-FOR-US: Outpost Firewall Pro CVE-2007-0332 ((1) admin/adminlien.php3 and (2) admin/modif.php3 in liens_dynamiques ...) NOT-FOR-US: liens_dynamiques CVE-2007-0331 (Cross-site scripting (XSS) vulnerability in liens.php3 in liens_dynami ...) NOT-FOR-US: liens_dynamiques CVE-2007-0330 (Buffer overflow in wsbho2k0.dll, as used by wsftpurl.exe, in Ipswitch ...) NOT-FOR-US: Ipswitch WS_FTP CVE-2007-0329 (download.php in Joonas Viljanen JV2 Folder Gallery allows remote attac ...) NOT-FOR-US: Joonas Viljanen JV2 Folder Gallery CVE-2007-0328 (The DWUpdateService ActiveX control in the agent (agent.exe) in Macrov ...) NOT-FOR-US: Macrovision CVE-2007-0327 RESERVED CVE-2007-0326 (Multiple stack-based buffer overflows in the PhotoChannel Networks PNI ...) NOT-FOR-US: PNI Digital Media Photo Upload CVE-2007-0325 (Multiple buffer overflows in the Trend Micro OfficeScan Web-Deployment ...) NOT-FOR-US: Trend Micro OfficeScan CVE-2007-0324 (Multiple buffer overflows in the LizardTech DjVu Browser Plug-in befor ...) NOT-FOR-US: LizardTech DjVu Browser Plug-in CVE-2007-0323 (Buffer overflow in the SetLanguage function in Research In Motion (RIM ...) NOT-FOR-US: Research In Motion (RIM) TeamOn Import Object ActiveX control CVE-2007-0322 (Multiple stack-based buffer overflows in the Intuit QuickBooks Online ...) NOT-FOR-US: Intuit QuickBooks CVE-2007-0321 (Buffer overflow in the Update Service Agent ActiveX Control in isusweb ...) NOT-FOR-US: FLEXnet Connect CVE-2007-0320 (Multiple buffer overflows in (a) an ActiveX control (iftw.dll) and (b) ...) NOT-FOR-US: InstallFromTheWeb CVE-2007-0319 (Multiple stack-based buffer overflows in the Motive ActiveEmailTest.Em ...) NOT-FOR-US: Motive ActiveEmailTest CVE-2007-0318 (The do_hfs_truncate function in Mac OS X 10.4.8 allows context-depende ...) NOT-FOR-US: Apple Mac OS CVE-2007-0317 (Format string vulnerability in the LogMessage function in FileZilla be ...) - filezilla 3.0.0~beta2-3 (medium; bug #407683) CVE-2007-0316 (Multiple SQL injection vulnerabilities in All In One Control Panel (AI ...) NOT-FOR-US: All In One Control Panel (AIOCP) CVE-2007-0315 (Multiple buffer overflows in FileZilla before 2.2.30a allow remote att ...) - filezilla (fixed before the first Debian upload) CVE-2007-0314 (Multiple PHP remote file inclusion vulnerabilities in Article System 1 ...) NOT-FOR-US: Article System CVE-2007-0313 (Unspecified vulnerability in GONICUS System Administration (GOsa) befo ...) - gosa 2.5.8-1 (medium) [etch] - gosa 2.5.6-2.1 CVE-2007-0312 (wcSimple Poll stores sensitive information under the web root with ins ...) NOT-FOR-US: wcSimple CVE-2007-0311 (Texas Imperial Software WFTPD and WFTPD Pro Server 3.25 and earlier al ...) NOT-FOR-US: Texas Imperial Software WFTPD Pro Server CVE-2007-0310 (BMC Remedy Action Request System 5.01.02 Patch 1267 generates differen ...) NOT-FOR-US: BMC Software CVE-2007-0309 (SQL injection vulnerability in blocks/block-Old_Articles.php in Franci ...) NOT-FOR-US: PHP-Nuke CVE-2007-0308 (Cross-site scripting (XSS) vulnerability in Plain Black WebGUI before ...) NOT-FOR-US: Poplar Gedcom Viewer CVE-2007-0307 (PHP remote file inclusion vulnerability in include/common.php in Popla ...) NOT-FOR-US: Poplar Gedcom Viewer CVE-2007-0306 (SQL injection vulnerability in visu_user.asp in Digiappz DigiAffiliate ...) NOT-FOR-US: Digiappz CVE-2007-0305 (SQL injection vulnerability in etkinlikbak.asp in Okul Web Otomasyon S ...) NOT-FOR-US: Okul Merkezi Portal CVE-2007-0304 (SQL injection vulnerability in duyuru.asp in MiNT Haber Sistemi 2.7 al ...) NOT-FOR-US: MiNT Haber Sistemi CVE-2007-0303 (Multiple unspecified vulnerabilities in Zina 1.0rc1 and earlier have u ...) NOT-FOR-US: Zina CVE-2007-0302 (Multiple cross-site scripting (XSS) vulnerabilities in InstantASP 4.1. ...) NOT-FOR-US: InstantASP CVE-2007-0301 (PHP remote file inclusion vulnerability in _admin/admin_menu.php in Fd ...) NOT-FOR-US: FdWeB CVE-2007-0300 (PHP remote file inclusion vulnerability in i-accueil.php in TLM CMS 1. ...) NOT-FOR-US: TLM CMS CVE-2007-0299 (Integer overflow in the byte_swap_sbin function in bsd/ufs/ufs/ufs_byt ...) NOT-FOR-US: Apple Mac OS CVE-2007-0298 (PHP remote file inclusion vulnerability in show.php in LunarPoll, when ...) NOT-FOR-US: LunarPoll CVE-2006-6944 (phpMyAdmin before 2.9.1.1 allows remote attackers to bypass Allow/Deny ...) {DSA-1370-2 DSA-1370-1} - phpmyadmin 4:2.9.1.1-2 (medium) NOTE: https://www.phpmyadmin.net/security/PMASA-2006-9/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/663eb2b85ed30c1226c5d617bb06c5afe1d3caf5 CVE-2006-6943 (PhpMyAdmin before 2.9.1.1 allows remote attackers to obtain the full s ...) - phpmyadmin 4:2.9.1.1-2 (unimportant) NOTE: Only path disclosure CVE-2006-6942 (Multiple cross-site scripting (XSS) vulnerabilities in PhpMyAdmin befo ...) {DSA-1370-2 DSA-1370-1} - phpmyadmin 4:2.9.1.1-2 (medium) NOTE: All versions 2.9.1 is vulnerable, solution is 2.9.1.1 or newer. NOTE: https://www.phpmyadmin.net/security/PMASA-2006-7/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/59d245f36ab4e0b8a49c44b1f9045fc9aef939b2 CVE-2006-6941 (index.php in FreeWebshop 2.2.2 and earlier allows remote attackers to ...) NOT-FOR-US: FreeWebshop CVE-2006-6940 (Buffer overflow in the ParseHeader function in clsOWA.cls in POP3/SMTP ...) NOT-FOR-US: OWA CVE-2003-1318 (Twilight Webserver 1.3.3.0 allows remote attackers to cause a denial o ...) NOT-FOR-US: Twilight Webserver CVE-2007-0297 (Unspecified vulnerability in Oracle PeopleSoft Enterprise and JD Edwar ...) NOT-FOR-US: Oracle CVE-2007-0296 (Unspecified vulnerability in Oracle PeopleSoft Enterprise and JD Edwar ...) NOT-FOR-US: Oracle CVE-2007-0295 (Unspecified vulnerability in Oracle PeopleSoft Enterprise and JD Edwar ...) NOT-FOR-US: Oracle CVE-2007-0294 (Unspecified vulnerability in Oracle Enterprise Manager 10.2.0.1 has un ...) NOT-FOR-US: Oracle CVE-2007-0293 (Multiple unspecified vulnerabilities in Oracle Enterprise Manager 10.1 ...) NOT-FOR-US: Oracle CVE-2007-0292 (Multiple unspecified vulnerabilities in Oracle Enterprise Manager 10.1 ...) NOT-FOR-US: Oracle CVE-2007-0291 (Unspecified vulnerability in Oracle E-Business Suite and Applications ...) NOT-FOR-US: Oracle CVE-2007-0290 (Multiple unspecified vulnerabilities in Oracle E-Business Suite and Ap ...) NOT-FOR-US: Oracle CVE-2007-0289 (Multiple unspecified vulnerabilities in Oracle Collaboration Suite 9.0 ...) NOT-FOR-US: Oracle CVE-2007-0288 (Unspecified vulnerability in Oracle Application Server 10.1.4.0 has un ...) NOT-FOR-US: Oracle CVE-2007-0287 (Unspecified vulnerability in Oracle Application Server 9.0.4.3, 10.1.2 ...) NOT-FOR-US: Oracle CVE-2007-0286 (Unspecified vulnerability in Oracle Application Server 10.1.2.0.2 and ...) NOT-FOR-US: Oracle CVE-2007-0285 (Unspecified vulnerability in Oracle Application Server 9.0.4.3, 10.1.2 ...) NOT-FOR-US: Oracle CVE-2007-0284 (Multiple unspecified vulnerabilities in Oracle Application Server 9.0. ...) NOT-FOR-US: Oracle CVE-2007-0283 (Unspecified vulnerability in Oracle Application Server 9.0.4.3 and Col ...) NOT-FOR-US: Oracle CVE-2007-0282 (Unspecified vulnerability in Oracle HTTP Server 9.0.1.5, Application S ...) NOT-FOR-US: Oracle CVE-2007-0281 (Multiple unspecified vulnerabilities in Oracle HTTP Server 9.0.1.5, 9. ...) NOT-FOR-US: Oracle CVE-2007-0280 (Unspecified vulnerability in Oracle HTTP Server 9.0.1.5, Application S ...) NOT-FOR-US: Oracle CVE-2007-0279 (Multiple unspecified vulnerabilities in Oracle HTTP Server 9.2.0.8 and ...) NOT-FOR-US: Oracle CVE-2007-0278 (Multiple unspecified vulnerabilities in Oracle Database 8.1.7.4, 9.0.1 ...) NOT-FOR-US: Oracle CVE-2007-0277 (Unspecified vulnerability in Oracle Database client-only 10.1.0.4 has ...) NOT-FOR-US: Oracle CVE-2007-0276 (Multiple unspecified vulnerabilities in Oracle Database 8.1.7.4 and 9. ...) NOT-FOR-US: Oracle CVE-2007-0275 (Cross-site scripting (XSS) vulnerability in Oracle Reports Web Cartrid ...) NOT-FOR-US: Oracle CVE-2007-0274 (Multiple unspecified vulnerabilities in Oracle Database 9.2.0.7 and 10 ...) NOT-FOR-US: Oracle CVE-2007-0273 (Unspecified vulnerability in Oracle Database 9.0.1.5, 9.2.0.8, 10.1.0. ...) NOT-FOR-US: Oracle CVE-2007-0272 (Multiple buffer overflows in MDSYS.MD in Oracle Database 8.1.7.4, 9.0. ...) NOT-FOR-US: Oracle CVE-2007-0271 (Unspecified vulnerability in Oracle Database 9.0.1.5 and 9.2.0.7 has u ...) NOT-FOR-US: Oracle CVE-2007-0270 (Buffer overflow in SYS.DBMS_DRS in Oracle Database 9.2.0.7 and 10.1.0. ...) NOT-FOR-US: Oracle CVE-2007-0269 (Unspecified vulnerability in Oracle Database 9.2.0.8, 10.1.0.5, and 10 ...) NOT-FOR-US: Oracle CVE-2007-0268 (Multiple unspecified vulnerabilities in Oracle Database 9.0.1.5, 9.2.0 ...) NOT-FOR-US: Oracle CVE-2007-0267 (The ufs_lookup function in the Mac OS X 10.4.8 and FreeBSD 6.1 kernels ...) NOT-FOR-US: UFS filesystem on MacOS/FreeBSD CVE-2007-0266 (SQL injection vulnerability in boxx/ShowAppendix.asp in Ezboxx Portal ...) NOT-FOR-US: Ezboxx Portal CVE-2007-0265 (Multiple cross-site scripting (XSS) vulnerabilities in Ezboxx Portal S ...) NOT-FOR-US: Ezboxx Portal CVE-2007-0264 (Buffer overflow in Winzip32.exe in WinZip 9.0 allows local users to ca ...) NOT-FOR-US: Winzip CVE-2007-0263 (Unspecified vulnerability in Total Commander before 6.5.6 allows user- ...) NOT-FOR-US: Total Commander CVE-2007-0262 (WordPress 2.0.6, and 2.1Alpha 3 (SVN:4662), does not properly verify t ...) {DTSA-33-1} - wordpress 2.0.8-1 (bug #407289) CVE-2007-0261 (snews.php in sNews 1.5.30 and earlier does not properly exit when auth ...) NOT-FOR-US: sNews CVE-2007-0260 NOT-FOR-US: Naig CVE-2007-0259 (Ezboxx Portal System Beta 0.7.6 and earlier allows remote attackers to ...) NOT-FOR-US: Ezboxx Portal CVE-2007-0258 (Cross-site scripting (XSS) vulnerability in index.php in (1) Fastilo 2 ...) NOT-FOR-US: Fastilo CVE-2007-0257 - kernel-patch-grsecurity2 2.1.10-1 (bug #407350) NOTE: exploitable as per http://grsecurity.net/pipermail/grsecurity/2007-January/000830.html CVE-2007-0256 (VideoLAN VLC 0.8.6a allows remote attackers to cause a denial of servi ...) - vlc 0.8.6.c-1 (unimportant; bug #407290) CVE-2007-0255 (XINE 0.99.4 allows user-assisted remote attackers to cause a denial of ...) NOTE: I've been looking into this, but I can't find a copy of the VLC code anywhere NOTE: This appears to be a generic crash CVE-2007-0254 (Format string vulnerability in the errors_create_window function in er ...) - xine-ui 0.99.4+dfsg+cvs20061111-1 (low; bug #407369) NOTE: If've verified the Etch version to contain the necessary format strings CVE-2007-0253 - kernel-patch-grsecurity2 2.1.10-1 (unimportant; bug #407350) NOTE: See CVE-2007-0257 CVE-2007-0252 (Unspecified vulnerability in easy-content filemanager allows remote at ...) NOT-FOR-US: easy-content CVE-2007-0251 (Integer underflow in the DecodeGRE function in src/decode.c in Snort 2 ...) - snort (DecodeGRE function not in unstable version) NOTE: unstable contains version 2.3.3-11, and the last upstream is 2.6.1.2 NOTE: This is fixed in upstream CVS so it's very likely to never affect Debian. CVE-2007-0250 (index.php in Nwom topsites 3.0 allows remote attackers to obtain poten ...) NOT-FOR-US: NWOM Topsites 3.0 CVE-2007-0249 (Cross-site scripting (XSS) vulnerability in index.php in Nwom topsites ...) NOT-FOR-US: NWOM Topsites 3.0 CVE-2007-0247 (squid/src/ftp.c in Squid before 2.6.STABLE7 allows remote FTP servers ...) - squid 2.6.5-4 (low) [sarge] - squid (Vulnerable code not present) CVE-2007-0246 (plugins/scmcvs/www/cvsweb.php in the CVSWeb CGI in GForge 4.5.16 befor ...) {DSA-1297-1} - gforge-plugin-scmcvs 4.5.14-6 CVE-2007-0245 (Heap-based buffer overflow in OpenOffice.org (OOo) 2.2.1 and earlier a ...) {DSA-1307-1} - openoffice.org 2.2.1~rc1-1 [lenny] - openoffice.org 2.0.4.dfsg.2-7etch1 CVE-2007-0244 (pptpgre.c in PoPToP Point to Point Tunneling Server (pptpd) before 1.3 ...) {DSA-1288-2 DSA-1288-1} - pptpd 1.3.4-1 CVE-2007-0243 (Buffer overflow in Sun JDK and Java Runtime Environment (JRE) 5.0 Upda ...) - sun-java5 1.5.0-10-1 CVE-2007-0242 (The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does n ...) {DSA-1292-1} - qt4-x11 4.2.2-2 - qt-x11-free 3:3.3.7-4 CVE-2007-0241 RESERVED - linux-2.6 2.6.18.dfsg.1-12 CVE-2007-0240 (Cross-site scripting (XSS) vulnerability in Zope 2.10.2 and earlier al ...) {DSA-1275-1} - zope2.9 2.9.7-1 [etch] - zope2.9 2.9.6-4etch1 CVE-2007-0239 (OpenOffice.org (OOo) Office Suite allows user-assisted remote attacker ...) {DSA-1270-1} - openoffice.org 2.0.4.dfsg.2-6 [etch] - openoffice.org 2.0.4.dfsg.2-5etch1 CVE-2007-0238 (Stack-based buffer overflow in filter\starcalc\scflt.cxx in the StarCa ...) {DSA-1270-1} - openoffice.org 2.0.4.dfsg.2-6 [etch] - openoffice.org 2.0.4.dfsg.2-5etch1 CVE-2007-0237 (The ndeb-binary feature in Lookup (lookup-el) allows local users to ov ...) {DSA-1269-1} - lookup-el 1.4-5 (low) CVE-2007-0236 (Double free vulnerability in the _ATPsndrsp function in Apple Mac OS X ...) NOT-FOR-US: Mac OS X CVE-2007-0235 (Stack-based buffer overflow in the glibtop_get_proc_map_s function in ...) {DSA-1255-1} - libgtop2 2.14.4-3 (medium; bug #407020) NOTE: libgtop does not contain the affected code. CVE-2007-0234 REJECTED CVE-2007-0233 (wp-trackback.php in WordPress 2.0.6 and earlier does not properly unse ...) - wordpress 2.1.0-1 (unimportant) NOTE: This is argubly a php bug, CVE-2006-3017 CVE-2007-0232 (PHP remote file inclusion vulnerability in routines/fieldValidation.ph ...) NOT-FOR-US: Jshop Server CVE-2007-0231 (Cross-site scripting (XSS) vulnerability in Movable Type (MT) 3.33, wh ...) NOT-FOR-US: Movable Type CVE-2007-0230 (** DISPUTED ** PHP remote file inclusion vulnerability in install.php ...) NOT-FOR-US: CS-Cart CVE-2007-0229 (Integer overflow in the ffs_mountfs function in Mac OS X 10.4.8 and Fr ...) NOT-FOR-US: MacOS X CVE-2007-0228 (The DataCollector service in EIQ Networks Network Security Analyzer al ...) NOT-FOR-US: EIQ Networks Network Security Analyzer CVE-2007-0227 (slocate 3.1 does not properly manage database entries that specify nam ...) - slocate 3.1-1.1 (bug #411937; low) [sarge] - slocate (Performs correct access checks) [etch] - slocate (Minor issue) NOTE: slocate will allow users to find files in directories with the NOTE: executable bit set but without the readable bit set. This is NOTE: an information leak. CVE-2007-0226 (SQL injection vulnerability in wbsearch.aspx in uniForum 4 and earlier ...) NOT-FOR-US: uniForum CVE-2007-0225 (Cross-site scripting (XSS) vulnerability in shopcustadmin.asp in VP-AS ...) NOT-FOR-US: Shopping Cart CVE-2007-0224 (SQL injection vulnerability in shopgiftregsearch.asp in VP-ASP Shoppin ...) NOT-FOR-US: Shopping Cart CVE-2007-0223 (SQL injection vulnerability in shared/code/cp_functions_downloads.php ...) NOT-FOR-US: All In One Control Panel (AIOCP) CVE-2007-0222 (Directory traversal vulnerability in the EmChartBean server side compo ...) NOT-FOR-US: Oracle Application Server CVE-2007-0221 (Integer overflow in the IMAP (IMAP4) support in Microsoft Exchange Ser ...) NOT-FOR-US: Microsoft CVE-2007-0220 (Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) i ...) NOT-FOR-US: Microsoft CVE-2007-0219 (Microsoft Internet Explorer 5.01, 6, and 7 uses certain COM objects fr ...) NOT-FOR-US: Microsoft CVE-2007-0218 (Microsoft Internet Explorer 5.01 and 6 allows remote attackers to exec ...) NOT-FOR-US: Microsoft CVE-2007-0217 (The wininet.dll FTP client code in Microsoft Internet Explorer 5.01 an ...) NOT-FOR-US: Microsoft CVE-2007-0216 (wkcvqd01.dll in Microsoft Works 6 File Converter, as used in Office 20 ...) NOT-FOR-US: Microsoft Office CVE-2007-0215 (Stack-based buffer overflow in Microsoft Excel 2000 SP3, 2002 SP3, 200 ...) NOT-FOR-US: Microsoft Excel CVE-2007-0214 (The HTML Help ActiveX control (Hhctrl.ocx) in Microsoft Windows 2000 S ...) NOT-FOR-US: Microsoft CVE-2007-0213 (Microsoft Exchange Server 2000 SP3, 2003 SP1 and SP2, and 2007 does no ...) NOT-FOR-US: Microsoft CVE-2007-0212 REJECTED CVE-2007-0211 (The hardware detection functionality in the Windows Shell in Microsoft ...) NOT-FOR-US: Microsoft CVE-2007-0210 (The Window Image Acquisition (WIA) Service in Microsoft Windows XP SP2 ...) NOT-FOR-US: Microsoft CVE-2007-0209 (Microsoft Word in Office 2000 SP3, XP SP3, Office 2003 SP2, Works Suit ...) NOT-FOR-US: Microsoft CVE-2007-0208 (Microsoft Word in Office 2000 SP3, XP SP3, Office 2003 SP2, Works Suit ...) NOT-FOR-US: Microsoft CVE-2007-0207 REJECTED CVE-2007-0206 (Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) ...) NOT-FOR-US: OpenView Network Node Manager CVE-2006-6939 (GNU ed before 0.3 allows local users to overwrite arbitrary files via ...) - ed 0.2-19 CVE-2006-6938 (Directory traversal vulnerability in includes/common.php in NitroTech ...) NOT-FOR-US: NitroTech CMS CVE-2006-6937 (SQL injection vulnerability in displaypic.asp in Xtreme ASP Photo Gall ...) NOT-FOR-US: ASP Photo Gallery CVE-2006-6936 (Cross-site scripting (XSS) vulnerability in Xtreme ASP Photo Gallery a ...) NOT-FOR-US: ASP Photo Gallery CVE-2006-6935 (SQL injection vulnerability in the login component in Portix-PHP 0.4.2 ...) NOT-FOR-US: Portix CVE-2006-6934 (Multiple cross-site scripting (XSS) vulnerabilities in Portix-PHP 0.4. ...) NOT-FOR-US: Portix CVE-2006-6933 (Easy Chat Server 2.1 stores sensitive information under the web root w ...) NOT-FOR-US: Easy Chat Server CVE-2006-6932 (Multiple SQL injection vulnerabilities in Image Gallery with Access Da ...) NOT-FOR-US: Image Gallery CVE-2006-6931 (Algorithmic complexity vulnerability in Snort before 2.6.1, during pre ...) - snort 2.7.0-1 (low; bug #407421) [sarge] - snort (Minor issue) [etch] - snort (Minor issue) CVE-2006-6930 (SQL injection vulnerability in viewad.asp in Rapid Classified 3.1 allo ...) NOT-FOR-US: Rapid Classified CVE-2006-6929 (Multiple cross-site scripting (XSS) vulnerabilities in Rapid Classifie ...) NOT-FOR-US: Rapid Classified CVE-2006-6928 (Multiple cross-site scripting (XSS) vulnerabilities in Rialto 1.6 allo ...) NOT-FOR-US: Rialto CVE-2006-6927 (Multiple SQL injection vulnerabilities in Rialto 1.6 allow remote atta ...) NOT-FOR-US: Rialto CVE-2006-6926 (Buffer overflow in eXtremail 2.1 has unknown impact and attack vectors ...) NOT-FOR-US: eXtremail CVE-2006-6925 (Multiple cross-site scripting (XSS) vulnerabilities in bitweaver 1.3.1 ...) NOT-FOR-US: bitweaver CVE-2006-6924 (bitweaver 1.3.1 and earlier allows remote attackers to obtain sensitiv ...) NOT-FOR-US: bitweaver CVE-2006-6923 (SQL injection vulnerability in newsletters/edition.php in bitweaver 1. ...) NOT-FOR-US: bitweaver CVE-2006-6922 (SQL injection vulnerability in Deadlock User Management System (phpdea ...) NOT-FOR-US: Deadlock CVE-2006-6921 (Unspecified versions of the Linux kernel allow local users to cause a ...) - linux-2.6 2.6.18-1 (low) CVE-2005-4823 (Buffer overflow in the HP HTTP Server 5.0 through 5.95 of the HP Web-e ...) NOT-FOR-US: HP CVE-2007-XXXX [udev wrong permissions on raid devices] - udev 0.105-2 (bug #404927) [sarge] - udev (Doesn't affect Sarge) CVE-2007-XXXX [yacas insecure rpath] - yacas 1.0.57-3 (bug #399226; bug #399227; low) CVE-2007-0248 (The aclMatchExternal function in Squid before 2.6.STABLE7 allows remot ...) - squid 2.6.5-4 (low; bug #407202) [sarge] - squid (Vulnerable code not present) NOTE: reference - http://secunia.com/advisories/23767/ CVE-2007-XXXX [bcfg2 password disclosure] - bcfg2 0.8.7.3-1 (low; bug #406285) [etch] - bcfg2 0.8.6.1-1.1etch1 CVE-2007-XXXX [mysql 5.0 several DoS vulns] - mysql-dfsg-5.0 5.0.32-1 CVE-2007-0205 (Directory traversal vulnerability in admin/skins.php for @lex Guestboo ...) NOT-FOR-US: @alex CVE-2006-6920 (Cross-site scripting (XSS) vulnerability in Nucleus before 3.24 allows ...) NOT-FOR-US: Nucleus CVE-2006-6919 (Firefox Sage extension 1.3.8 and earlier allows remote attackers to ex ...) - firefox-sage 1.3.6-3 NOTE: 1.3.6-3 disabled HTML mode entirely CVE-2006-6918 (Unspecified vulnerability in the Admin login for Georgian discussion b ...) NOT-FOR-US: GeoBB CVE-2006-6917 (Multiple buffer overflows in Computer Associates (CA) BrightStor ARCse ...) NOT-FOR-US: Computer Associates (CA) CVE-2006-6916 (Getahead Direct Web Remoting (DWR) before 1.1.3 allows attackers to ca ...) NOT-FOR-US: Getahead CVE-2007-0204 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin befo ...) - phpmyadmin 4:2.9.1.1-2 (bug #406486; low) [sarge] - phpmyadmin (vulnerable code not present) CVE-2007-0203 (Multiple unspecified vulnerabilities in phpMyAdmin before 2.9.2-rc1 ha ...) - phpmyadmin 4:2.9.1.1-2 (bug #406486; low) [sarge] - phpmyadmin (vulnerable code not present) NOTE: duplicate of CVE-2006-6374? CVE-2007-0202 (SQL injection vulnerability in index.php in @lex Guestbook 4.0.2 and e ...) NOT-FOR-US: @lex CVE-2007-0201 (Buffer overflow in the cmd_usr function in ftp-gw in TIS Internet Fire ...) NOT-FOR-US: TIS CVE-2007-0200 (PHP remote file inclusion vulnerability in template.php in Geoffrey Go ...) NOT-FOR-US: Geoffrey Golliher Axiom Photo/News Gallery CVE-2007-0199 (The Data-link Switching (DLSw) feature in Cisco IOS 11.0 through 12.4 ...) NOT-FOR-US: Cisco CVE-2007-0198 (The JTapi Gateway process in Cisco Unified Contact Center Enterprise, ...) NOT-FOR-US: Cisco CVE-2007-0197 (Finder 10.4.6 on Apple Mac OS X 10.4.8 allows user-assisted remote att ...) NOT-FOR-US: Apple Mac OS CVE-2007-0196 (SQL injection vulnerability in admin_check_user.asp in Motionborg Web ...) NOT-FOR-US: Motionborg Web Real Estate CVE-2007-0195 (my.activation.php3 in F5 FirePass 5.4 through 5.5.1 and 6.0 displays d ...) NOT-FOR-US: F5 CVE-2007-0194 (admin.php in MKPortal M1.1 RC1 allows remote attackers to obtain sensi ...) NOT-FOR-US: MKPortal CVE-2007-0193 (FON La Fonera routers do not properly limit DNS service access by unau ...) NOT-FOR-US: FON La Fonera CVE-2007-0192 (Cross-site request forgery (CSRF) vulnerability in the save_main opera ...) NOT-FOR-US: MKPortal CVE-2007-0191 (Cross-site scripting (XSS) vulnerability in admin.php in MKPortal allo ...) NOT-FOR-US: MKPortal CVE-2007-0190 (PHP remote file inclusion vulnerability in edit_address.php in edit-x ...) NOT-FOR-US: edit-x ecommerce CVE-2007-0189 NOT-FOR-US: GeoBB CVE-2007-0188 (F5 FirePass 5.4 through 5.5.1 does not properly enforce host access re ...) NOT-FOR-US: F5 CVE-2007-0187 (F5 FirePass 5.4 through 5.5.2 and 6.0 allows remote attackers to acces ...) NOT-FOR-US: F5 CVE-2007-0186 (Multiple cross-site scripting (XSS) vulnerabilities in F5 FirePass SSL ...) NOT-FOR-US: F5 CVE-2007-0185 (Getahead Direct Web Remoting (DWR) before 1.1.4 allows attackers to ca ...) NOT-FOR-US: Getahead CVE-2007-0184 (Getahead Direct Web Remoting (DWR) before 1.1.4 allows attackers to ob ...) NOT-FOR-US: Getahead CVE-2007-0183 (Cross-site scripting (XSS) vulnerability in /search in iPlanet Web Ser ...) NOT-FOR-US: iPlanet Web CVE-2007-0182 (Multiple PHP remote file inclusion vulnerabilities in magic photo stor ...) NOT-FOR-US: Magic photo storage website CVE-2007-0181 (PHP remote file inclusion vulnerability in include/common_function.php ...) NOT-FOR-US: Magic Photo Storage website CVE-2007-0180 (Stack-based buffer overflow in EF Commander 5.75 allows user-assisted ...) NOT-FOR-US: EF Commander CVE-2007-0179 (SQL injection vulnerability in comment.php in PHPKIT 1.6.1 R2 allows r ...) NOT-FOR-US: PHPKIT CVE-2007-0178 (PHP remote file inclusion vulnerability in info.php in Easy Banner Pro ...) NOT-FOR-US: Easy Banner Pro CVE-2007-0177 (Cross-site scripting (XSS) vulnerability in the AJAX module in MediaWi ...) - mediawiki 1.7.1-6 (bug #406238; medium) NOTE: vendor advisory: http://sourceforge.net/forum/forum.php?forum_id=652721 CVE-2007-0176 (Cross-site scripting (XSS) vulnerability in search/advanced_search.php ...) {DSA-1475-1} - gforge 4.6.99+svn6347-1 (low; bug #406244) [sarge] - gforge (Vulnerable code not present) CVE-2007-0175 (Cross-site scripting (XSS) vulnerability in htsrv/login.php in b2evolu ...) {DSA-1568-1} - b2evolution 0.9.2-4 (bug #410568; low) CVE-2007-0174 (Multiple stack-based multiple buffer overflows in the BRWOSSRE2UC.dll ...) NOT-FOR-US: Sina UC2006 CVE-2007-0173 (Directory traversal vulnerability in index.php in L2J Statistik Script ...) NOT-FOR-US: L2J Statistik Script CVE-2007-0172 (Multiple PHP remote file inclusion vulnerabilities in AllMyGuests 0.3. ...) NOT-FOR-US: AllMyGuest CVE-2007-0171 (PHP remote file inclusion vulnerability in index.php in AllMyLinks 0.5 ...) NOT-FOR-US: AllMyLinks CVE-2007-0170 (PHP remote file inclusion vulnerability in index.php in AllMyVisitors ...) NOT-FOR-US: AllmyVisitors CVE-2007-0169 (Multiple buffer overflows in Computer Associates (CA) BrightStor ARCse ...) NOT-FOR-US: Computer Associates (CA) CVE-2007-0168 (The Tape Engine service in Computer Associates (CA) BrightStor ARCserv ...) NOT-FOR-US: Computer Associates (CA) CVE-2007-0167 (Multiple PHP file inclusion vulnerabilities in WGS-PPC (aka PPC Search ...) NOT-FOR-US: PPC Search CVE-2007-0166 (The jail rc.d script in FreeBSD 5.3 up to 6.2 does not verify pathname ...) - kfreebsd-5 CVE-2007-0165 (Unspecified vulnerability in libnsl in Sun Solaris 8 and 9 allows remo ...) NOT-FOR-US: Solaris CVE-2007-0164 (Camouflage 1.2.1 embeds password information in the carrier file, whic ...) NOT-FOR-US: Camouflage CVE-2007-0163 (SecureKit Steganography 1.7.1 and 1.8 embeds password information in t ...) NOT-FOR-US: Steganography CVE-2007-0162 (Unsanity Application Enhancer (APE) 2.0.2 installs with insecure permi ...) NOT-FOR-US: Mac OS X CVE-2007-0161 (The PML Driver HPZ12 (HPZipm12.exe) in the HP all-in-one drivers, as u ...) NOT-FOR-US: HP all-in-one drivers CVE-2007-0160 (Stack-based buffer overflow in the LiveJournal support (hooks/ljhook.c ...) - centericq 4.21.0-17 (low) [sarge] - centericq (Not exploitable with official LiveJournal server) NOTE: The bug really exist but, is not exploitable because the LiveJournal server NOTE: has a length restriction on both the username (15 characters) and the real name NOTE: (50 characters). In my opnion is only exploitable if the user try connect in NOTE: fake LiveJournal server. All version of Debian centericq packages have a NOTE: compromised code. CVE-2007-0159 (Directory traversal vulnerability in the GeoIP_update_database_general ...) - geoip 1.3.17-1.1 (bug #406628; low) [sarge] - geoip (Minor issue) CVE-2007-0158 (thttpd 2007 has buffer underflow. ...) - thttpd CVE-2007-0157 (Array index error in the uri_lookup function in the URI parser for neo ...) - neon26 0.26.2-3.1 (medium; bug #404723) NOTE: neon25 doesn't have the uri_lookup macro CVE-2007-0156 (M-Core stores the database under the web document root, which allows r ...) NOT-FOR-US: M-Core CVE-2007-0155 (HarikaOnline 2.0 stores sensitive information under the web root with ...) NOT-FOR-US: HarikaOnline CVE-2007-0154 (Webulas stores sensitive information under the web root with insuffici ...) NOT-FOR-US: Webulas CVE-2007-0153 (AJLogin 3.5 stores sensitive information under the web root with insuf ...) NOT-FOR-US: AJLogin CVE-2007-0152 (OhhASP stores sensitive information under the web root with insufficie ...) NOT-FOR-US: OhhASP CVE-2007-0151 (MitiSoft stores sensitive information under the web root with insuffic ...) NOT-FOR-US: MitiSoft CVE-2007-0150 (Multiple PHP remote file inclusion vulnerabilities in index.php in Day ...) NOT-FOR-US: Dayfox CVE-2007-0149 (EMembersPro 1.0 stores sensitive information under the web root with i ...) NOT-FOR-US: EMembersPro CVE-2007-0148 (Format string vulnerability in OmniGroup OmniWeb 5.5.1 allows remote a ...) NOT-FOR-US: OminiGroup CVE-2007-0147 (Cuyahoga before 1.0.1 installs the FCKEditor component with an incorre ...) NOT-FOR-US: Cuyahoga CVE-2007-0146 (Multiple cross-site scripting (XSS) vulnerabilities in Fix and Chips C ...) NOT-FOR-US: Fix and Chips CVE-2007-0145 (PHP remote file inclusion vulnerability in bn_smrep1.php in BinGoPHP N ...) NOT-FOR-US: BinGoPHP CVE-2007-0144 (Cross-site scripting (XSS) vulnerability in search.asp in Digitizing Q ...) NOT-FOR-US: DIGITIZING QUOTE AND ORDERING SYSTEM CVE-2007-0143 (Multiple PHP remote file inclusion vulnerabilities in NUNE News Script ...) NOT-FOR-US: NUNE News CVE-2007-0142 (SQL injection vulnerability in orange.asp in ShopStoreNow E-commerce S ...) NOT-FOR-US: ShopStoreNow CVE-2007-0141 (Cross-site scripting (XSS) vulnerability in yald.php in Yet Another Li ...) NOT-FOR-US: YALD CVE-2007-0140 (SQL injection vulnerability in down.asp in Kolayindir Download (Yenion ...) NOT-FOR-US: Kolayindir CVE-2006-6915 (ftpd in IBM AIX 5.2.0 and 5.3.0 allows remote authenticated users to c ...) NOT-FOR-US: IBM CVE-2006-6914 (Unspecified vulnerability in ftpd in IBM AIX 5.2.0 and 5.3.0 allows re ...) NOT-FOR-US: IBM CVE-2006-6913 (Unspecified vulnerability in phpMyFAQ 1.6.7 and earlier allows remote ...) NOT-FOR-US: phpMyFAQ CVE-2006-6912 (SQL injection vulnerability in phpMyFAQ 1.6.7 and earlier allows remot ...) NOT-FOR-US: phpMyFAQ CVE-2006-6911 (SQL injection vulnerability in search.asp in Digitizing Quote And Orde ...) NOT-FOR-US: DIGITIZING QUOTE AND ORDERING SYSTEM CVE-2004-2675 (ArGoSoft FTP Server before 1.4.1.6 allows remote authenticated users t ...) NOT-FOR-US: ArgoSoft FTP Server CVE-2004-2674 (Directory traversal vulnerability in ArGoSoft FTP Server before 1.4.1. ...) NOT-FOR-US: ArgoSoft FTP Server CVE-2004-2673 (Multiple buffer overflows in ArGoSoft FTP Server before 1.4.1.6 allow ...) NOT-FOR-US: ArgoSoft FTP Server CVE-2004-2672 (Unspecified vulnerability in ArGoSoft FTP server before 1.4.2.2 allows ...) NOT-FOR-US: ArgoSoft FTP Server CVE-2007-0139 (Unspecified vulnerability in the DECnet-Plus 7.3-2 feature in DECnet/O ...) NOT-FOR-US: DECnet-Plus CVE-2007-0138 (formbankcgi.exe in Fersch Formbankserver 1.9, when the PATH_INFO begin ...) NOT-FOR-US: Formbankserver CVE-2007-0137 (Cross-site scripting (XSS) vulnerability in SimpleBoxes/SerendipityNZ ...) NOT-FOR-US: Serene Bach CVE-2007-0136 (Multiple cross-site scripting (XSS) vulnerabilities in Drupal before 4 ...) - drupal 4.7.5-1 NOTE: vendor advisory: http://drupal.org/node/104233 - DRUPAL-SA-2007-001 CVE-2007-0135 (PHP remote file inclusion vulnerability in inc/init.inc.php in Aratix ...) NOT-FOR-US: Aratix CVE-2007-0134 (Multiple eval injection vulnerabilities in iGeneric iG Shop 1.0 allow ...) NOT-FOR-US: IG Shop CVE-2007-0133 (Multiple SQL injection vulnerabilities in display_review.php in iGener ...) NOT-FOR-US: IG Shop CVE-2007-0132 (SQL injection vulnerability in compare_product.php in iGeneric iG Shop ...) NOT-FOR-US: IG Shop CVE-2007-0131 (JAMWiki before 0.5.0 does not properly check permissions during moves ...) NOT-FOR-US: JAMWiki CVE-2007-0130 (SQL injection vulnerability in user.php in iGeneric iG Calendar 1.0 al ...) NOT-FOR-US: iG Calendar CVE-2007-0129 (SQL injection vulnerability in main.asp in LocazoList 2.01a beta5 and ...) NOT-FOR-US: LocazoList CVE-2007-0128 (SQL injection vulnerability in info_book.asp in Digirez 3.4 and earlie ...) NOT-FOR-US: Digirez CVE-2007-0127 (The Javascript SVG support in Opera before 9.10 does not properly vali ...) NOT-FOR-US: Opera CVE-2007-0126 (Heap-based buffer overflow in Opera 9.02 allows remote attackers to ex ...) NOT-FOR-US: Opera CVE-2007-0125 (Kaspersky Labs Antivirus Engine 6.0 for Windows and 5.5-10 for Linux b ...) NOT-FOR-US: Kaspersky Labs CVE-2007-0124 (Unspecified vulnerability in Drupal before 4.6.11, and 4.7 before 4.7. ...) - drupal 4.7.5-1 (low) CVE-2007-0123 (Unrestricted file upload vulnerability in Uber Uploader 4.2 allows rem ...) NOT-FOR-US: Uber Uploader CVE-2007-0122 (Multiple SQL injection vulnerabilities in Coppermine Photo Gallery 1.4 ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2007-0121 (Cross-site scripting (XSS) vulnerability in search.asp in RI Blog 1.3 ...) NOT-FOR-US: RI Blog CVE-2007-0120 (Acunetix Web Vulnerability Scanner (WVS) 4.0 Build 20060717 and earlie ...) NOT-FOR-US: Acunetix Web Vulnerability Scanner CVE-2007-0119 (Multiple cross-site scripting (XSS) vulnerabilities in EditTag 1.2 all ...) NOT-FOR-US: EditTag CVE-2007-0118 (Multiple absolute path traversal vulnerabilities in EditTag 1.2 allow ...) NOT-FOR-US: EditTag CVE-2007-0117 (DiskManagementTool in the DiskManagement.framework 92.29 on Mac OS X 1 ...) NOT-FOR-US: Mac OS CVE-2007-0116 (Digger Solutions Intranet Open Source (IOS) stores sensitive informati ...) NOT-FOR-US: Digger Solutions Intranet Open Source (IOS) CVE-2007-0115 (Static code injection vulnerability in Coppermine Photo Gallery 1.4.10 ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2007-0114 (Sun Java System Content Delivery Server 5.0 and 5.0 PU1 allows remote ...) NOT-FOR-US: Sun Java System Content Delivery Server CVE-2007-0113 (Buffer overflow in Packeteer PacketShaper PacketWise 8.x allows remote ...) NOT-FOR-US: PacketWise CVE-2007-0112 (SQL injection vulnerability in cats.asp in createauction allows remote ...) NOT-FOR-US: createauction CVE-2007-0111 (Buffer overflow in Resco Photo Viewer for PocketPC 4.11 and 6.01, as u ...) NOT-FOR-US: PocketPC CVE-2007-0110 (Cross-site scripting (XSS) vulnerability in nidp/idff/sso in Novell Ac ...) NOT-FOR-US: Novell Access Manager CVE-2007-0109 (wp-login.php in WordPress 2.0.5 and earlier displays different error m ...) - wordpress 2.0.6-1 (low) NOTE: http://trac.wordpress.org/changeset/4665 CVE-2007-0108 (nwgina.dll in Novell Client 4.91 SP3 for Windows 2000/XP/2003 does not ...) NOT-FOR-US: Novell Client CVE-2007-0105 (Stack-based buffer overflow in the CSAdmin service in Cisco Secure Acc ...) NOT-FOR-US: Cisco CVE-2007-0104 (The Adobe PDF specification 1.3, as implemented by (a) xpdf 3.0.1 patc ...) - kdegraphics 4:3.5.5-3 (unimportant) - koffice (unimportant) - poppler 0.4.5-5.1 (unimportant) - xpdf 3.02 (bug #406852; unimportant) - swftools (first version that entered the archive is based on xpdf 3.02) NOTE: hardly a security issue; if someone sends someone a crafted PDF file triggering NOTE: such an endless loop the user will simply abort kpdf and never look at NOTE: that file again, this is only denial of service by a _very_ far stretch NOTE: of imagination. I suppose KDE Security only issued an update for it NOTE: because the shared underlying code was part of the Month of Apple Bugs NOTE: and they wanted to debunk claims of code injection. CVE-2007-0103 (The Adobe PDF specification 1.3, as implemented by Adobe Acrobat befor ...) NOT-FOR-US: Acrobat Reader CVE-2007-0102 (The Adobe PDF specification 1.3, as implemented by Apple Mac OS X Prev ...) NOT-FOR-US: Apple Mac OS X CVE-2007-0101 (Cross-site request forgery (CSRF) vulnerability in SPINE allows remote ...) NOT-FOR-US: SPINE CVE-2007-0100 (The Perforce client does not restrict the set of files that it overwri ...) NOT-FOR-US: Perforce CVE-2007-0099 (Race condition in the msxml3 module in Microsoft XML Core Services 3.0 ...) NOT-FOR-US: Microsoft CVE-2007-0098 (Directory traversal vulnerability in language.php in VerliAdmin 0.3 an ...) NOT-FOR-US: VerliAdmin CVE-2007-0097 (Multiple stack-based buffer overflows in the (1) LoadTree and (2) Read ...) NOT-FOR-US: ConeXware PowerArchive CVE-2007-0096 (CarbonCommunities stores sensitive information under the web root with ...) NOT-FOR-US: Carbon Communities CVE-2007-0095 (phpMyAdmin 2.9.1.1 allows remote attackers to obtain sensitive informa ...) - phpmyadmin 4:2.9.1.1-1 (bug #399329; unimportant) NOTE: Only path disclosure CVE-2007-0094 (Sven Moderow GuestBook 0.3a stores sensitive information under the web ...) NOT-FOR-US: Sven Moderow GuestBook CVE-2007-0093 (SQL injection vulnerability in page.php in Simple Web Content Manageme ...) NOT-FOR-US: Simple Web Content Management System CVE-2007-0092 (SQL injection vulnerability in productdetail.asp in E-SMARTCART 1.0 al ...) NOT-FOR-US: E-SMARTCART CVE-2007-0091 (newsCMSlite stores sensitive information under the web root with insuf ...) NOT-FOR-US: newsCMSlite CVE-2007-0090 (WineGlass stores sensitive information under the web root with insuffi ...) NOT-FOR-US: WineGlass CVE-2007-0089 (jgbbs stores sensitive information under the web root with insufficien ...) NOT-FOR-US: jgbbs CVE-2007-0088 (Multiple directory traversal vulnerabilities in openmedia allow remote ...) NOT-FOR-US: openmedia CVE-2007-0087 NOT-FOR-US: Microsoft IIS CVE-2007-0086 - apache (unimportant) - apache2 (unimportant) CVE-2007-0085 (Unspecified vulnerability in sys/dev/pci/vga_pci.c in the VGA graphics ...) NOT-FOR-US: OpenBSD VGA wscons driver CVE-2007-0084 NOT-FOR-US: Windows NT CVE-2007-0083 (Cross-site scripting (XSS) vulnerability in Nuked Klan 1.7 and earlier ...) NOT-FOR-US: Nuked Klan CVE-2007-0082 (users_adm/start1.php in IMGallery 2.5 and earlier does not properly ha ...) NOT-FOR-US: IMGallery CVE-2007-0081 (Sunbelt Kerio Personal Firewall (SKPF) 4.3.268 and 4.3.246, and possib ...) NOT-FOR-US: Sunbelt Kerio Personal Firewall CVE-2007-0080 - freeradius (unimportant) NOTE: Data triggering the buffer overflow can only be controlled by root CVE-2007-0079 (rblog stores sensitive information under the web root with insufficien ...) NOT-FOR-US: rblog CVE-2007-0078 (BattleBlog stores sensitive information under the web root with insuff ...) NOT-FOR-US: BattleBlog CVE-2007-0077 (lblog stores sensitive information under the web root with insufficien ...) NOT-FOR-US: lblog CVE-2007-0076 (Openforum stores sensitive information under the web root with insuffi ...) NOT-FOR-US: Openforum CVE-2007-0075 (AspBB stores sensitive information under the web root with insufficien ...) NOT-FOR-US: AspBB CVE-2007-0074 (Heap-based buffer overflow in an unspecified procedure in Trend Micro ...) NOT-FOR-US: Trend Micro CVE-2007-0073 (Heap-based buffer overflow in an unspecified procedure in Trend Micro ...) NOT-FOR-US: Trend Micro CVE-2007-0072 (Heap-based buffer overflow in an unspecified procedure in Trend Micro ...) NOT-FOR-US: Trend Micro CVE-2007-0071 (Integer overflow in Adobe Flash Player 9.0.115.0 and earlier, and 8.0. ...) - flashplugin-nonfree 1:1.4 NOTE: Fix came from Adobe via new Adobe Flash Player, debian package didn't change CVE-2007-0070 RESERVED CVE-2007-0069 (Unspecified vulnerability in the kernel in Microsoft Windows XP SP2, S ...) NOT-FOR-US: Microsoft Windows CVE-2007-0068 (IBM Lotus Domino 7.0.x before 7.0.3 does not revalidate the signature ...) NOT-FOR-US: IBM Lotus Domino CVE-2007-0067 (Unspecified vulnerability in the Lotus Domino Web Server 6.0, 6.5.x be ...) NOT-FOR-US: Lotus Domino Server CVE-2007-0066 (The kernel in Microsoft Windows 2000 SP4, XP SP2, and Server 2003, whe ...) NOT-FOR-US: Microsoft Windows CVE-2007-0065 (Heap-based buffer overflow in Object Linking and Embedding (OLE) Autom ...) NOT-FOR-US: Microsoft Windows CVE-2007-0064 (Heap-based buffer overflow in Windows Media Format Runtime 7.1, 9, 9.5 ...) NOT-FOR-US: Windows CVE-2007-0063 (Integer underflow in the DHCP server in EMC VMware Workstation before ...) - vmware-package 0.16 CVE-2007-0062 (Integer overflow in the ISC dhcpd 3.0.x before 3.0.7 and 3.1.x before ...) - vmware-package 0.16 CVE-2007-0061 (The DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and ...) - vmware-package 0.16 CVE-2007-0060 (Stack-based buffer overflow in the Message Queuing Server (Cam.exe) in ...) NOT-FOR-US: CA CVE-2007-0059 (Cross-zone scripting vulnerability in Apple Quicktime 3 to 7.1.3 allow ...) NOT-FOR-US: Apple Quicktime CVE-2007-0058 (Cisco Clean Access (CCA) 3.5.x through 3.5.9 and 3.6.x through 3.6.1.1 ...) NOT-FOR-US: Cisco CVE-2007-0057 (Cisco Clean Access (CCA) 3.6.x through 3.6.4.2 and 4.0.x through 4.0.3 ...) NOT-FOR-US: Cisco CVE-2007-0056 (Multiple cross-site scripting (XSS) vulnerabilities in AShop Deluxe 4. ...) NOT-FOR-US: AShop Deluxe CVE-2007-0055 (Directory traversal vulnerability in formbankcgi.exe/AbfrageForm in Fo ...) NOT-FOR-US: Formbankserver CVE-2007-0054 (Cross-site scripting (XSS) vulnerability in gbrowse.php in Belchior Fo ...) NOT-FOR-US: Belchior Foundry vCard PRO CVE-2007-0053 (SQL injection vulnerability in detail.asp in ASP SiteWare autoDealer 2 ...) NOT-FOR-US: ASP SiteWare autoDealer CVE-2007-0052 (SQL injection vulnerability in haberdetay.asp in Vizayn Haber allows r ...) NOT-FOR-US: Vizayn Haber CVE-2007-0051 (Format string vulnerability in Apple iPhoto 6.0.5 (316), and other ver ...) NOT-FOR-US: Apple iPhoto CVE-2006-6910 (formbankcgi.exe in Fersch Formbankserver 1.9, when the PATH_INFO begin ...) NOT-FOR-US: Fersch Formbankserver CVE-2006-6909 (Stack-based buffer overflow in http.c in Karl Dahlke Edbrowse (aka Com ...) NOT-FOR-US: Karl Dahlke Edbrowse CVE-2006-6908 (Buffer overflow in the Bluetooth Stack COM Server in the Widcomm Bluet ...) NOT-FOR-US: Bluetooth Stack COM Server (Windows) CVE-2006-6907 (Unspecified vulnerability in the Bluesoil Bluetooth stack has unknown ...) NOT-FOR-US: Bluesoil Bluetooth CVE-2006-6906 (Unspecified vulnerability in the Bluetooth stack on Mac OS 10.4.7 and ...) NOT-FOR-US: Bluetooth stack on Mac OS CVE-2006-6905 (Unspecified vulnerability in the Widcomm Bluetooth stack allows remote ...) NOT-FOR-US: Widcomm Bluetooth CVE-2006-6904 (Unspecified vulnerability in the Broadcom Bluetooth stack allows remot ...) NOT-FOR-US: Broadcom CVE-2006-6903 (Unspecified vulnerability in the Toshiba Bluetooth stack allows remote ...) NOT-FOR-US: Toshiba Bluetooth stack CVE-2006-6902 (Unspecified vulnerability in the Bluetooth stack in Microsoft Windows ...) NOT-FOR-US: Windows Mobile CVE-2006-6901 (Unspecified vulnerability in the Bluetooth stack in Microsoft Windows ...) NOT-FOR-US: Microsoft Windows CVE-2006-6900 (Unspecified vulnerability in the Bluetooth stack in Apple Mac OS 10.4 ...) NOT-FOR-US: Mac OS CVE-2006-6899 (hidd in BlueZ (bluez-utils) before 2.25 allows remote attackers to obt ...) - bluez-utils 3.7-1 (bug #408889; medium) CVE-2006-6898 (Widcomm Bluetooth for Windows (BTW) before 4.0.1.1500 allows remote at ...) NOT-FOR-US: Widcomm Bluetooth CVE-2006-6897 (Directory traversal vulnerability in Widcomm Bluetooth for Windows (BT ...) NOT-FOR-US: Widcomm Bluetooth CVE-2006-6896 (The Bluetooth stack in the Plantronic Headset does not properly implem ...) NOT-FOR-US: Plantronic Headset CVE-2006-6895 (The Bluetooth stack in the Sony Ericsson T60 does not properly impleme ...) NOT-FOR-US: Sony Ericsson T60 CVE-2006-6894 (Multiple unspecified vulnerabilities in SPINE before 1.2 have unknown ...) NOT-FOR-US: SPINE CVE-2006-6893 (Tor allows remote attackers to discover the IP address of a hidden ser ...) - tor (unimportant) NOTE: It could be argued that this is a laws-of-physics vulnerability NOTE: that is a fundamental design limitation of certain hardware NOTE: implementations. CVE-2006-6892 (Cross-site scripting (XSS) vulnerability in the GetLocation function i ...) NOT-FOR-US: Jonathon J. Freeman OvBB CVE-2006-6891 (Vz (Adp) Forum 2.0.3 stores sensitive information under the web root w ...) NOT-FOR-US: Vz Scripts ADP Forum CVE-2006-6890 (Voodoo chat 1.0RC1b stores sensitive information under the web root wi ...) NOT-FOR-US: Voodoo chat CVE-2006-6889 (FreeStyle Wiki (fswiki) 3.6.2 and earlier stores sensitive information ...) NOT-FOR-US: FreeStyle Wiki CVE-2006-6888 (P-News 1.16 and 1.17 store sensitive information under the web root wi ...) NOT-FOR-US: P-News CVE-2006-6887 (Unrestricted file upload vulnerability in logahead UNU 1.0 allows remo ...) NOT-FOR-US: logahead UNU CVE-2006-6886 (phpwcms 1.2.5-DEV allows remote attackers to obtain sensitive informat ...) NOT-FOR-US: phpwcms CVE-2006-6885 (An ActiveX control in SwDir.dll in Macromedia Shockwave 10 allows remo ...) - flashplugin-nonfree (Windows-specific) CVE-2006-6884 (Buffer overflow in the WZFILEVIEW.FileViewCtrl.61 ActiveX control (aka ...) NOT-FOR-US: Sky Software CVE-2006-6883 NOT-FOR-US: PHPIrc_bot CVE-2006-6882 (Cross-site scripting (XSS) vulnerability in golden book allows remote ...) NOT-FOR-US: Golden Book CVE-2006-6881 (Buffer overflow in the Get_Wep function in cofvnet.c for ATMEL Linux P ...) NOT-FOR-US: ATMEL WLAN drivers CVE-2006-6880 (Multiple SQL injection vulnerabilities in code/guestadd.php in PHP-Upd ...) NOT-FOR-US: PHP-Update CVE-2006-6879 (Unrestricted file upload vulnerability in admin/uploads.php in PHP-Upd ...) NOT-FOR-US: PHP-Update CVE-2006-6878 (admin/uploads.php in PHP-Update 2.7 and earlier allows remote attacker ...) NOT-FOR-US: PHP-Update CVE-2006-6877 (Directory traversal vulnerability in index.php in Matteo Lucarelli 3ed ...) NOT-FOR-US: Matteo Lucarelli 3editor CVE-2006-6876 (Buffer overflow in the fetchsms function in the SMS handling module (l ...) - openser 1.1.1-1 (medium) [etch] - openser 1.1.0-9etch1 NOTE: http://web.archive.org/web/20151126200215/http://www.openser.org/pub/openser/1.1.1/ChangeLog CVE-2006-6875 (Buffer overflow in the validateospheader function in the Open Settleme ...) - openser 1.1.1-1 (medium) [etch] - openser 1.1.0-9etch1 NOTE: http://web.archive.org/web/20151126200215/http://www.openser.org/pub/openser/1.1.1/ChangeLog CVE-2006-6874 (Multiple cross-site scripting (XSS) vulnerabilities in friend.php in e ...) NOT-FOR-US: eNdonesia CMS CVE-2006-6873 (Multiple SQL injection vulnerabilities in mod.php in eNdonesia 8.4 all ...) NOT-FOR-US: eNdonesia CMS CVE-2006-6872 (Directory traversal vulnerability in mod.php in eNdonesia 8.4 allows r ...) NOT-FOR-US: eNdonesia CMS CVE-2006-6871 (Multiple cross-site scripting (XSS) vulnerabilities in eNdonesia 8.4 a ...) NOT-FOR-US: eNdonesia CMS CVE-2006-6869 (Directory traversal vulnerability in includes/search/search_mdforum.ph ...) NOT-FOR-US: MAXdev CVE-2006-6868 (Multiple cross-site scripting (XSS) vulnerabilities in Zen Cart Web Sh ...) NOT-FOR-US: Zen Cart CVE-2006-6867 (Multiple PHP remote file inclusion vulnerabilities in Vladimir Menshak ...) NOT-FOR-US: buratinable templator (aka bubla) CVE-2006-6866 (STphp EasyNews PRO 4.0 stores sensitive information under the web root ...) NOT-FOR-US: Ahead4 CVE-2006-6865 (Directory traversal vulnerability in SAFileUpSamples/util/viewsrc.asp ...) NOT-FOR-US: Softartisans CVE-2006-6864 (PHP remote file inclusion vulnerability in E2_header.inc.php in Enigma ...) NOT-FOR-US: Enigma2 CVE-2006-6863 NOT-FOR-US: Enigma2 CVE-2006-6862 (Multiple cross-site scripting (XSS) vulnerabilities in Outfront Spooky ...) NOT-FOR-US: Outfront Spooky Login CVE-2006-6861 (Multiple SQL injection vulnerabilities in Outfront Spooky Login 2.7 al ...) NOT-FOR-US: Outfront Spooky Login CVE-2006-6860 (Buffer overflow in the sendToMythTV function in MythControlServer.c in ...) NOT-FOR-US: MythControl CVE-2006-6859 (SQL injection vulnerability in coupon_detail.asp in Website Designs Fo ...) NOT-FOR-US: Website Designs for Less CVE-2004-2671 (mod.php in eNdonesia 8.3 allows remote attackers to obtain sensitive i ...) NOT-FOR-US: eNdonesia CMS CVE-2004-2670 (Multiple cross-site scripting (XSS) vulnerabilities in mod.php in eNdo ...) NOT-FOR-US: eNdonesia CVE-2003-1317 (Cross-site scripting (XSS) vulnerability in mod.php in eNdonesia 8.2 a ...) NOT-FOR-US: eNdonesia CMS CVE-2003-1316 (mod.php in eNdonesia 8.2 allows remote attackers to obtain sensitive i ...) NOT-FOR-US: eNdonesia CMS CVE-2006-XXXX [ssmtp password leak] - ssmtp 2.61-10.1 (bug #369542; low) CVE-2006-6870 (The consume_labels function in avahi-core/dns.c in Avahi before 0.6.16 ...) - avahi 0.6.16-1 (low) CVE-2007-0106 (Cross-site scripting (XSS) vulnerability in the CSRF protection scheme ...) - wordpress 2.0.6-1 (bug #405691; medium) NOTE: http://www.hardened-php.net/advisory_022007.141.html CVE-2007-0107 (WordPress before 2.0.6, when mbstring is enabled for PHP, decodes alte ...) - wordpress 2.0.6-1 (bug #405691; medium) NOTE: http://www.hardened-php.net/advisory_012007.140.html CVE-2007-0050 NOT-FOR-US: OpenPinboard CVE-2007-0049 (Geckovich TaskTracker Pro 1.5 and earlier allows remote attackers to a ...) NOT-FOR-US: TaskTracker CVE-2007-0048 (Adobe Acrobat Reader Plugin before 8.0.0, and possibly the plugin dist ...) NOT-FOR-US: Adobe Acrobat Reader with Internet Explorer CVE-2007-0047 (CRLF injection vulnerability in Adobe Acrobat Reader Plugin before 8.0 ...) NOT-FOR-US: Adobe Acrobat Reader with Internet Explorer CVE-2007-0046 (Double free vulnerability in the Adobe Acrobat Reader Plugin before 8. ...) NOT-FOR-US: Adobe Acrobat Reader Plugin CVE-2007-0045 (Multiple cross-site scripting (XSS) vulnerabilities in Adobe Acrobat R ...) {DSA-1336-1} NOT-FOR-US: Adobe Acrobat Reader Plugin NOTE: a fix for this is also in iceweasle 2.0.0.2+dfsg-1 (MFSA-2007-02) NOTE: and icape 1.0.8-1 CVE-2007-0044 (Adobe Acrobat Reader Plugin before 8.0.0 for the Firefox, Internet Exp ...) NOT-FOR-US: Adobe Acrobat Reader Plugin CVE-2007-0043 (The Just In Time (JIT) Compiler service in Microsoft .NET Framework 1. ...) NOT-FOR-US: Microsoft .NET CVE-2007-0042 (Interpretation conflict in ASP.NET in Microsoft .NET Framework 1.0, 1. ...) NOT-FOR-US: Microsoft .NET CVE-2007-0041 (The PE Loader service in Microsoft .NET Framework 1.0, 1.1, and 2.0 fo ...) NOT-FOR-US: Microsoft .NET CVE-2007-0040 (The LDAP service in Windows Active Directory in Microsoft Windows 2000 ...) NOT-FOR-US: Microsoft Windows CVE-2007-0039 (The Exchange Collaboration Data Objects (EXCDO) functionality in Micro ...) NOT-FOR-US: Microsoft CVE-2007-0038 (Stack-based buffer overflow in the animated cursor code in Microsoft W ...) NOT-FOR-US: Microsoft CVE-2007-0037 REJECTED CVE-2007-0036 REJECTED CVE-2007-0035 (Word (or Word Viewer) in Microsoft Office 2000 SP3, XP SP3, 2003 SP2, ...) NOT-FOR-US: Microsoft Word CVE-2007-0034 (Buffer overflow in the Advanced Search (Finder.exe) feature of Microso ...) NOT-FOR-US: Microsoft Outlook CVE-2007-0033 (Microsoft Outlook 2002 and 2003 allows user-assisted remote attackers ...) NOT-FOR-US: Microsoft Outlook CVE-2007-0032 REJECTED CVE-2007-0031 (Heap-based buffer overflow in Microsoft Excel 2000 SP3, 2002 SP3, 2003 ...) NOT-FOR-US: Microsoft Excel CVE-2007-0030 (Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X fo ...) NOT-FOR-US: Microsoft Excel CVE-2007-0029 (Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X fo ...) NOT-FOR-US: Microsoft Excel CVE-2007-0028 (Microsoft Excel 2000, 2002, 2003, Viewer 2003, Office 2004 for Mac, an ...) NOT-FOR-US: Microsoft Excel CVE-2007-0027 (Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X fo ...) NOT-FOR-US: Microsoft Excel CVE-2007-0026 (The OLE Dialog component in Microsoft Windows 2000 SP4, XP SP2, and 20 ...) NOT-FOR-US: Microsoft CVE-2007-0025 (The MFC component in Microsoft Windows 2000 SP4, XP SP2, and 2003 SP1 ...) NOT-FOR-US: Microsoft CVE-2007-0024 (Integer overflow in the Vector Markup Language (VML) implementation (v ...) NOT-FOR-US: Microsoft IE CVE-2007-0023 (The CFUserNotificationSendRequest function in UserNotificationCenter.a ...) NOT-FOR-US: Apple Mac OS X CVE-2007-0022 (Untrusted search path vulnerability in writeconfig in Apple Mac OS X 1 ...) NOT-FOR-US: Apple Mac OS X CVE-2007-0021 (Format string vulnerability in Apple iChat 3.1.6 allows remote attacke ...) NOT-FOR-US: Apple iChat CVE-2007-0020 (Heap-based buffer overflow in the SFTP protocol handler for Panic Tran ...) NOT-FOR-US: Panic Transmit CVE-2007-0019 (Multiple heap-based buffer overflows in rumpusd in Rumpus 5.1 and earl ...) NOT-FOR-US: Maxum Rumpus CVE-2007-0018 (Stack-based buffer overflow in the NCTAudioFile2.AudioFile ActiveX con ...) NOT-FOR-US: NCTAudioFile2 ActiveX control CVE-2007-0017 (Multiple format string vulnerabilities in (1) the cdio_log_handler fun ...) {DSA-1252-1} - vlc 0.8.6-svn20061012.debian-1.2 (bug #405425; medium) CVE-2007-0016 (Stack-based buffer overflow in MoviePlay 4.76 allows remote attackers ...) NOT-FOR-US: MoviePlay CVE-2006-6858 (Miredo 0.9.8 through 1.0.5 does not properly authenticate a Teredo bub ...) - miredo 1.0.4-2 (bug #405412; bug #405111; medium) CVE-2006-6857 (Cross-site scripting (XSS) vulnerability in modules/credits/credits.ph ...) NOT-FOR-US: Docebo LMS CVE-2006-6856 (Direct static code injection vulnerability in WebText CMS 0.4.5.2 and ...) NOT-FOR-US: WebText CMS CVE-2006-6855 (AIDeX Mini-WebServer 1.1 early release 3 allows remote attackers to ca ...) NOT-FOR-US: AIDeX Mini-WebServer CVE-2006-6854 (The qcamvc_video_init function in qcamvc.c in De Marchi Daniele QuickC ...) NOT-FOR-US: QuickCam VC (linux-uvc and qc-usb in Debian are not related) CVE-2006-6853 (Buffer overflow in Durian Web Application Server 3.02 freeware on Wind ...) NOT-FOR-US: Durian Web Application Server CVE-2006-6852 (Eval injection vulnerability in tDiary 2.0.3 and 2.1.4.200 61127 allow ...) - tdiary 2.0.2+20060303-5 (bug #403345; bug #404940; medium) CVE-2006-6851 (Multiple cross-site scripting (XSS) vulnerabilities in contact_us.php ...) NOT-FOR-US: ac4p Mobilelib gold CVE-2006-6850 (PHP remote file inclusion vulnerability in include.php in the Roster M ...) NOT-FOR-US: Shadowed Portal / Roster Module CVE-2006-6849 (administration/index.php in Cahier de texte (CDT) 2.2 does not properl ...) NOT-FOR-US: Cahier de texte (CDT) CVE-2006-6848 (SQL injection vulnerability in admin.asp in ASPTicker 1.0 allows remot ...) NOT-FOR-US: ASPTicker CVE-2006-6847 (An ActiveX control in ierpplug.dll for RealNetworks RealPlayer 10.5 al ...) NOT-FOR-US: RealPlayer for Windows CVE-2006-6846 (Multiple SQL injection vulnerabilities in While You Were Out (WYWO) In ...) NOT-FOR-US: WYWO - InOut Board CVE-2006-6845 (Cross-site scripting (XSS) vulnerability in index.php in CMS Made Simp ...) NOT-FOR-US: CMS Made Simple CVE-2006-6844 (Cross-site scripting (XSS) vulnerability in the optional user comment ...) NOT-FOR-US: CMS Made Simple CVE-2006-6843 (PHP remote file inclusion vulnerability in the BE IT EasyPartner 0.0.9 ...) NOT-FOR-US: EasyPartner component for Joomla! CVE-2006-6842 (SQL injection vulnerability in admin/admin_acronyms.php in the Acronym ...) NOT-FOR-US: Acronym Mod for phpBB2 CVE-2006-6841 (Certain forms in phpBB before 2.0.22 lack session checks, which has un ...) {DSA-1488-1} - phpbb2 2.0.21-6 (bug #405980) CVE-2006-6840 (Unspecified vulnerability in phpBB before 2.0.22 has unknown impact an ...) {DSA-1488-1} - phpbb2 2.0.21-6 (bug #405980) CVE-2006-6839 (Unspecified vulnerability in phpBB before 2.0.22 has unknown impact an ...) {DSA-1488-1} - phpbb2 2.0.21-6 (bug #405980) CVE-2006-6838 (Rediff Bol Downloader ActiveX (OCX) control allows remote attackers to ...) NOT-FOR-US: Rediff Bol Downloader ActiveX (OCX) control CVE-2006-6837 (Multiple stack-based buffer overflows in the (1) LoadTree, (2) ReadHea ...) NOT-FOR-US: Total Commander CVE-2007-XXXX [webcam-server unspecified vulnerability] - webcam-server 0.50-2 CVE-2007-0015 (Buffer overflow in Apple QuickTime 7.1.3 allows remote attackers to ex ...) NOT-FOR-US: Apple Quicktime CVE-2007-0014 (ChainKey Java Code Protection allows attackers to decompile Java class ...) NOT-FOR-US: ChainKey Java Code Protection CVE-2007-0013 RESERVED CVE-2007-0012 (Sun JRE 5.0 before update 14 allows remote attackers to cause a denial ...) - sun-java5 (unimportant) - sun-java6 (unimportant) - openjdk-6 (unimportant) NOTE: not a security issue, browser dos treated as regular bugs, also likely Windows-specific CVE-2007-0011 (The web portal interface in Citrix Access Gateway (aka Citrix Advanced ...) NOT-FOR-US: Citrix Access Gateway CVE-2006-6836 (Multiple unspecified vulnerabilities in osp-cert in IBM OS/400 V5R3M0 ...) NOT-FOR-US: IBM CVE-2006-6835 (SQL injection vulnerability in Journal.inc.php in Neocrome Land Down U ...) NOT-FOR-US: Land Down Under CVE-2006-6834 (Multiple unspecified vulnerabilities in Joomla! before 1.0.12 have unk ...) NOT-FOR-US: Joomla! CVE-2006-6833 (com_categories in Joomla! before 1.0.12 does not validate input, which ...) NOT-FOR-US: Joomla! CVE-2006-6832 (Cross-site scripting (XSS) vulnerability in Joomla! before 1.0.12 allo ...) NOT-FOR-US: Joomla! CVE-2006-6831 (SQL injection vulnerability in faqDsp.asp in aFAQ 1.0 allows remote at ...) NOT-FOR-US: aFAQ CVE-2006-6830 (PHP remote file inclusion vulnerability in b2verifauth.php in b2 Blog ...) NOT-FOR-US: b2 Blog CVE-2006-6829 (Efkan Forum 1.0 and earlier store sensitive information under the web ...) NOT-FOR-US: Efkan Forum CVE-2006-6828 (Multiple SQL injection vulnerabilities in Efkan Forum 1.0 and earlier ...) NOT-FOR-US: Efkan Forum CVE-2006-6827 (Flash8b.ocx in Macromedia Flash 8 allows remote attackers to cause a d ...) - flashplugin-nonfree (Windows-specific) CVE-2006-6826 (Unspecified vulnerability in the tab editor for Personal .NET Portal b ...) NOT-FOR-US: Personal .NET Portal CVE-2006-6825 (Calendar MX BASIC 1.0.2 and earlier store sensitive information under ...) NOT-FOR-US: Calendar MX CVE-2006-6824 (Multiple cross-site scripting (XSS) vulnerabilities in Jim Hu and Chad ...) NOT-FOR-US: iCalendar CVE-2006-6823 (PHP remote file inclusion vulnerability in plugins/metasearch/plug.inc ...) NOT-FOR-US: Yrch! CVE-2006-6822 (myprofile.asp in Enthrallweb eClassifieds does not properly validate t ...) NOT-FOR-US: Enthrallweb eClassifieds CVE-2006-6821 (myprofile.asp in Enthrallweb eNews does not properly validate the MM_r ...) NOT-FOR-US: Enthrallweb eNews CVE-2006-6820 (myprofile.asp in Enthrallweb eCoupons does not properly validate the M ...) NOT-FOR-US: Enthrallweb eCoupons CVE-2006-6819 (AlstraSoft Web Host Directory stores sensitive information under the w ...) NOT-FOR-US: AlstraSoft Web Host Directory CVE-2006-6818 (AlstraSoft Web Host Directory allows remote attackers to bypass authen ...) NOT-FOR-US: AlstraSoft Web Host Directory CVE-2006-6817 (AlstraSoft Web Host Directory allows remote attackers to obtain sensit ...) NOT-FOR-US: AlstraSoft Web Host Directory CVE-2006-6816 (Multiple SQL injection vulnerabilities in DMXReady Secure Login Manage ...) NOT-FOR-US: DMXReady Secure Login Manager CVE-2006-6815 (Multiple cross-site scripting (XSS) vulnerabilities in DMXReady Secure ...) NOT-FOR-US: DMXReady Secure Login Manager CVE-2006-6814 (Directory traversal vulnerability in FolderManager/FolderManager.aspx ...) NOT-FOR-US: Hosting Controller CVE-2006-6813 (SQL injection vulnerability in detail.asp in Mxmania File Upload Manag ...) NOT-FOR-US: Mxmania File Upload Manager CVE-2006-6812 (Multiple PHP remote file inclusion vulnerabilities in myPHPCalendar 10 ...) NOT-FOR-US: myPHPCalendar CVE-2006-6811 (KsIRC 1.3.12 allows remote attackers to cause a denial of service (cra ...) - kdenetwork 4:3.5.5-4 (low; bug #405828) [sarge] - kdenetwork (Minor issue) CVE-2006-6810 (Unspecified vulnerability in the clear_user_list function in src/main. ...) NOT-FOR-US: DB Hub CVE-2006-6809 (Multiple PHP remote file inclusion vulnerabilities in process.php in V ...) NOT-FOR-US: buratinable templator (aka bubla) CVE-2006-6808 (Cross-site scripting (XSS) vulnerability in wp-admin/templates.php in ...) - wordpress 2.0.6-1 (bug #405299) CVE-2006-6807 (SQL injection vulnerability in list.asp in Softwebs Nepal (aka Ananda ...) NOT-FOR-US: Ananda Real Estate CVE-2006-6806 (SQL injection vulnerability in newsdetail.asp in Enthrallweb eMates 1. ...) NOT-FOR-US: Enthrallweb eMates CVE-2006-6805 (SQL injection vulnerability in newsdetail.asp in Enthrallweb eJobs all ...) NOT-FOR-US: Enthrallweb eJobs CVE-2006-6804 (SQL injection vulnerability in bus_details.asp in Dragon Business Dire ...) NOT-FOR-US: Dragon Business Directory - Pro CVE-2006-6803 (SQL injection vulnerability in Types.asp in Enthrallweb eCars 1.0 allo ...) NOT-FOR-US: Enthrallweb eCars CVE-2006-6802 (SQL injection vulnerability in actualpic.asp in Enthrallweb ePages all ...) NOT-FOR-US: Enthrallweb ePages CVE-2006-6801 (PHP remote file inclusion vulnerability in misc.php in SH-News 0.93, w ...) NOT-FOR-US: SH-News CVE-2006-6800 (PHP remote file inclusion in eventcal/mod_eventcal.php in the event mo ...) NOT-FOR-US: Limbo CMS CVE-2006-6799 (SQL injection vulnerability in Cacti 0.8.6i and earlier, when register ...) {DSA-1250-1} - cacti 0.8.6i-3 (bug #404818; high) CVE-2006-6798 RESERVED CVE-2006-6797 (The Client Server Run-Time Subsystem (CSRSS) in Microsoft Windows allo ...) NOT-FOR-US: Microsoft CVE-2006-6796 (PHP remote file inclusion vulnerability in admin/admin_settings.php in ...) NOT-FOR-US: MTCMS CVE-2006-6795 (PHP remote file inclusion vulnerability in gallery/displayCategory.php ...) NOT-FOR-US: myPHPNuke CVE-2006-6794 (SQL injection vulnerability in default.asp in Efkan Forum 1.0 allows r ...) NOT-FOR-US: Efkan Forum CVE-2006-6793 (PHP remote file inclusion vulnerability in ataturk.php in Okul Merkezi ...) NOT-FOR-US: Okul Merkezi Portal CVE-2006-6792 (SQL injection vulnerability in calendar_detail.asp in Calendar MX BASI ...) NOT-FOR-US: Calendar MX CVE-2006-6791 (SQL injection vulnerability in SelGruFra.asp in chatwm 1.0 allows remo ...) NOT-FOR-US: chatwm CVE-2006-6790 (Direct static code injection vulnerability in chat/login.php in Ultima ...) NOT-FOR-US: Ultimate PHP Board CVE-2006-6789 (PHP remote file inclusion vulnerability in includes/archive/archive_to ...) NOT-FOR-US: Phpbbxtra CVE-2006-6788 (Multiple PHP remote file inclusion vulnerabilities in LuckyBot 3 allow ...) NOT-FOR-US: LuckyBot CVE-2006-6787 (SQL injection vulnerability in admin/admin_mail_adressee.asp in Newsle ...) NOT-FOR-US: Newsletter MX CVE-2006-6786 (Open Newsletter 2.5 and earlier allows remote authenticated administra ...) NOT-FOR-US: Open Newsletter CVE-2006-6785 (The (1) settings.php and (2) subscribers.php scripts in Open Newslette ...) NOT-FOR-US: Open Newsletter CVE-2006-6784 (SQL injection vulnerability in Netbula Anyboard allows remote attacker ...) NOT-FOR-US: Netbula Anyboard CVE-2006-6783 (logahead UNU 1.0 before 20061226 allows remote attackers to upload arb ...) NOT-FOR-US: logahead UNU CVE-2006-6782 (Cross-site scripting (XSS) vulnerability in pnamazu 2006.02.28 and ear ...) NOT-FOR-US: pnamazu CVE-2006-6781 (HLstats 1.20 through 1.34 allows remote attackers to obtain sensitive ...) NOT-FOR-US: HLstats CVE-2006-6780 (SQL injection vulnerability in the login form in HLstats 1.20 through ...) NOT-FOR-US: HLstats CVE-2006-6779 (Cross-site scripting (XSS) vulnerability in Jelsoft vBulletin allows r ...) NOT-FOR-US: vBulletin CVE-2006-6778 (Cross-site scripting (XSS) vulnerability in shownews.php in TimberWolf ...) NOT-FOR-US: TimberWolf CVE-2006-6777 (Cross-site scripting (XSS) vulnerability in index.cfm in Future Intern ...) NOT-FOR-US: Future Internet CVE-2006-6776 (Multiple SQL injection vulnerabilities in Future Internet allow remote ...) NOT-FOR-US: Future Internet CVE-2006-6775 (acFTP 1.5 allows remote authenticated users to cause a denial of servi ...) NOT-FOR-US: acFTP CVE-2006-6774 (PHP remote file inclusion vulnerability in socios/maquetacion_socio.ph ...) NOT-FOR-US: Content Federator CVE-2006-6773 (pages/register/register.php in Fishyshoop 0.930 beta allows remote att ...) NOT-FOR-US: Fishyshoop CVE-2006-6772 (Format string vulnerability in the inputAnswer function in file.c in w ...) - w3m 0.5.1-5.1 (bug #404564; low) - w3mmee (Does not include this format string vuln in the code) [sarge] - w3m (Minor issue, only exploitable in dump mode) CVE-2006-6771 (Multiple PHP remote file inclusion vulnerabilities in Irokez CMS 0.7.1 ...) NOT-FOR-US: Irokez CMS CVE-2006-6770 (Multiple PHP remote file inclusion vulnerabilities in Jinzora Media Ju ...) NOT-FOR-US: Jinzora Media Jukebox CVE-2006-6769 (Multiple cross-site scripting (XSS) vulnerabilities in PHP Live! 3.2.2 ...) NOT-FOR-US: PHP Live! CVE-2005-4822 (SQL injection vulnerability in projects/project-edit.asp in Digger Sol ...) NOT-FOR-US: Digger Solutions Intranet Open Source (IOS) CVE-2005-4821 (Multiple SQL injection vulnerabilities in Land Down Under (LDU) v801 a ...) NOT-FOR-US: Land Down Under CVE-2005-4820 (SMC Wireless Router model SMC7904WBRA allows remote attackers to cause ...) NOT-FOR-US: SMC CVE-2005-4819 (Cross-site scripting (XSS) vulnerability in Lotus Domino versions befo ...) NOT-FOR-US: Lotus Domino CVE-2005-4818 (Multiple SQL injection vulnerabilities in Copernicus Europa allow remo ...) NOT-FOR-US: Copernicus Europa CVE-2005-4817 (Format string vulnerability in ui.c in Textbased MSN Client (TMSNC) be ...) - tmsnc 0.2.5-1 CVE-2004-2669 (Multiple SQL injection vulnerabilities in Land Down Under (LDU) v701 a ...) NOT-FOR-US: Land Down Under CVE-2004-2668 (SQL injection vulnerability in Interchange before 4.8.9 allows remote ...) - interchange 4.9.8-1 CVE-2004-2667 (Cross-site scripting (XSS) vulnerability in Lotus Domino 6.0.x before ...) NOT-FOR-US: Lotus Domino CVE-2003-1315 (SQL injection vulnerability in auth.php in Land Down Under (LDU) v601 ...) NOT-FOR-US: Land Down Under (LDU) CVE-2006-6768 (Multiple cross-site scripting (XSS) vulnerabilities in default.asp in ...) NOT-FOR-US: PWP Technologies The Classified Ad System CVE-2006-6767 (oftpd before 0.3.7 allows remote attackers to cause a denial of servic ...) - oftpd CVE-2006-6766 (Multiple SQL injection vulnerabilities in cwmExplorer 1.1.0 and earlie ...) NOT-FOR-US: cwmExplorer CVE-2006-6765 (Multiple PHP file inclusion vulnerabilities in src/admin/pt_upload.php ...) NOT-FOR-US: Pagetool CVE-2006-6764 (PHP remote file inclusion vulnerability in authenticate.php in Keep It ...) NOT-FOR-US: Keep It Simple Guest Book (KISGB) CVE-2006-6763 (Multiple PHP remote file inclusion vulnerabilities in the Keep It Simp ...) NOT-FOR-US: Keep It Simple Guest Book (KISGB) CVE-2006-6762 (The IMAP daemon (IMAPD) in Novell NetMail before 3.52e FTF2 allows rem ...) NOT-FOR-US: Novell NetMail CVE-2006-6761 (Stack-based buffer overflow in the IMAP daemon (IMAPD) in Novell NetMa ...) NOT-FOR-US: Novell NetMail CVE-2006-6760 (Multiple PHP remote file inclusion vulnerabilities in template.php in ...) NOT-FOR-US: phpMyAnime (aka phpmymanga) CVE-2006-6759 (A certain ActiveX control in rpau3260.dll in RealNetworks RealPlayer 1 ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2006-6758 (Directory traversal vulnerability in Http explorer 1.02 allows remote ...) NOT-FOR-US: Http explorer CVE-2006-6757 (Directory traversal vulnerability in index.php in cwmExplorer 1.0 allo ...) NOT-FOR-US: cwmExplorer CVE-2006-6756 (The code function in install.fct.php in Ixprim 1.2 produces a guessabl ...) NOT-FOR-US: Ixprim CVE-2006-6755 (Ixprim 1.2 allows remote attackers to obtain sensitive information via ...) NOT-FOR-US: Ixprim CVE-2006-6754 (Multiple SQL injection vulnerabilities in Ixprim 1.2 allow remote atta ...) NOT-FOR-US: Ixprim CVE-2006-6753 (Event Viewer (eventvwr.exe) in Microsoft Windows does not properly dis ...) NOT-FOR-US: Microsoft CVE-2006-6752 (Buffer overflow in FTPRush 1.0.0.610 might allow attackers to gain pri ...) NOT-FOR-US: FTPRush CVE-2006-6751 (Format string vulnerability in XM Easy Personal FTP Server 5.2.1 allow ...) NOT-FOR-US: XM Easy Personal FTP Server CVE-2006-6750 (Format string vulnerability in XM Easy Personal FTP Server 5.0.1 allow ...) NOT-FOR-US: XM Easy Personal FTP Server CVE-2006-6748 (PHP remote file inclusion vulnerability in i-accueil.php in Newxooper ...) NOT-FOR-US: Newxooper CVE-2006-6747 (SQL injection vulnerability in show_news.php in Xt-News 0.1 allows rem ...) NOT-FOR-US: Xt-News CVE-2006-6746 (Multiple cross-site scripting (XSS) vulnerabilities in Xt-News 0.1 all ...) NOT-FOR-US: Xt-News CVE-2006-6745 (Multiple unspecified vulnerabilities in Sun Java Development Kit (JDK) ...) - sun-java5 1.5.0-08-1 CVE-2006-6744 (phpProfiles before 2.1.1 does not have an index.php or other index fil ...) NOT-FOR-US: phpProfiles CVE-2006-6743 (phpProfiles before 2.1.1 uses world writable permissions for certain p ...) NOT-FOR-US: phpProfiles CVE-2006-6742 (Multiple buffer overflows in FTP Print Server 2.4 and 2.4.5 in HP Lase ...) NOT-FOR-US: HP CVE-2006-6741 (Cross-site request forgery (CSRF) vulnerability in urlobox in MKPortal ...) NOT-FOR-US: MKPortal CVE-2006-6740 (Multiple PHP remote file inclusion vulnerabilities in phpProfiles 3.1. ...) NOT-FOR-US: phpProfiles CVE-2006-6739 (PHP remote file inclusion vulnerability in buycd.php in Paristemi 0.8. ...) NOT-FOR-US: Paristemi CVE-2006-6738 (PHP remote file inclusion vulnerability in statistic.php in cwmCounter ...) NOT-FOR-US: cwmCounter CVE-2006-6737 (Unspecified vulnerability in Sun Java Development Kit (JDK) and Java R ...) - sun-java5 1.5.0-07-1 CVE-2006-6736 (Unspecified vulnerability in Sun Java Development Kit (JDK) and Java R ...) - sun-java5 1.5.0-07-1 CVE-2006-6735 (modules/viewcategory.php in Minh Nguyen Duong Obie Website Mini Web Sh ...) NOT-FOR-US: Website Mini Web Shop CVE-2006-6734 (Cross-site scripting (XSS) vulnerability in modules/viewcategory.php i ...) NOT-FOR-US: Website Mini Web Shop CVE-2006-6733 (Cross-site scripting (XSS) vulnerability in support/view.php in Suppor ...) NOT-FOR-US: Support Cards 1 (osTicket) CVE-2006-6732 (PHP remote file inclusion vulnerability in archive.php in cwmVote 1.0 ...) NOT-FOR-US: cwmVote CVE-2006-6731 (Multiple buffer overflows in Sun Java Development Kit (JDK) and Java R ...) - sun-java5 1.5.0-08-1 CVE-2006-6730 (OpenBSD and NetBSD permit usermode code to kill the display server and ...) NOTE: Access to DMA-capable hardware such as graphics cards can, NOTE: by design, bypass security restrictions. Not a real issue. CVE-2006-6729 (Cross-site scripting (XSS) vulnerability in a-blog 1.51 and earlier al ...) NOT-FOR-US: a-blog CVE-2006-6728 (Unspecified vulnerability in the info request mechanism in LAN Messeng ...) NOT-FOR-US: LAN Messenger CVE-2006-6727 (PHP remote file inclusion vulnerability in inertianews_class.php in in ...) NOT-FOR-US: inertianews CVE-2006-6726 (PHP remote file inclusion vulnerability in inertianews_main.php in ine ...) NOT-FOR-US: inertianews CVE-2006-6725 (Multiple directory traversal vulnerabilities in PHPBuilder 0.0.2 and e ...) NOT-FOR-US: PHPBuilder CVE-2006-6724 (BolinTech Dream FTP Server 1.02 allows remote authenticated users, inc ...) NOT-FOR-US: BolinTech Dream FTP Server CVE-2006-6723 (The Workstation service in Microsoft Windows 2000 SP4 and XP SP2 allow ...) NOT-FOR-US: Microsoft CVE-2006-6722 (Bandwebsite (aka Bandsite portal system) 1.5 allows remote attackers t ...) NOT-FOR-US: Bandwebsite (aka Bandsite portal system) CVE-2006-6721 (Multiple cross-site scripting (XSS) vulnerabilities in shout.php in Kn ...) NOT-FOR-US: Knusperleicht ShoutBox CVE-2006-6720 (PHP remote file inclusion vulnerability in admin/index_sitios.php in A ...) NOT-FOR-US: Azucar CMS CVE-2006-6719 (The ftp_syst function in ftp-basic.c in Free Software Foundation (FSF) ...) - wget 1.13-1 (unimportant) NOTE: An FTP server crashing a download utility is a bug, but not a DoS security issue NOTE: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=bd7f4ef701ce5db64659db496d3f47aeedfadac2 (v1.13) CVE-2006-6718 (The Allied Telesis AT-9000/24 Ethernet switch has a default password f ...) NOT-FOR-US: Allied Telesis CVE-2006-6717 (The Allied Telesis AT-9000/24 Ethernet switch accepts management packe ...) NOT-FOR-US: Allied Telesis CVE-2006-6716 (SQL injection vulnerability in administration/administre2.php in Eric ...) NOT-FOR-US: uploader&downloader CVE-2006-6715 (PHP remote file inclusion vulnerability in footer.inc.php in PowerClan ...) NOT-FOR-US: PowerClan CVE-2006-6714 (Multiple memory leaks in Hitachi Directory Server 2 P-2444-A124 before ...) NOT-FOR-US: Hitachi Directory Server CVE-2006-6713 (Buffer overflow in Hitachi Directory Server 2 P-2444-A124 before 02-11 ...) NOT-FOR-US: Hitachi Directory Server CVE-2006-6712 (Cross-site scripting (XSS) vulnerability in SugarCRM Open Source 4.5.0 ...) - sugarcrm-ce-5.0 (bug #457876) CVE-2006-6711 (PHP remote file inclusion vulnerability in compteur/mapage.php in Newx ...) NOT-FOR-US: Newxooper CVE-2006-6710 (Multiple PHP remote file inclusion vulnerabilities in PgmReloaded 0.8. ...) NOT-FOR-US: PgmReloaded CVE-2006-6709 (Multiple SQL injection vulnerabilities in MGinternet Property Site Man ...) NOT-FOR-US: MGinternet Property Site Manager CVE-2006-6708 (Cross-site scripting (XSS) vulnerability in listings.asp in MGinternet ...) NOT-FOR-US: MGinternet Property Site Manager CVE-2006-6707 (Stack-based buffer overflow in the NeoTraceExplorer.NeoTraceLoader Act ...) NOT-FOR-US: NeoTraceExplorer.NeoTraceLoader ActiveX control CVE-2006-6706 (SQL injection vulnerability in Soumu Workflow for Groupmax 01-00 throu ...) NOT-FOR-US: Soumu Workflow CVE-2006-6705 (Multiple unspecified vulnerabilities in the template files in Soumu Wo ...) NOT-FOR-US: Soumu Workflow CVE-2006-6704 (Cross-site scripting (XSS) vulnerability in the Webadmin in @Mail befo ...) NOT-FOR-US: @Mail CVE-2006-6703 (Multiple cross-site scripting (XSS) vulnerabilities in Oracle Portal 9 ...) NOT-FOR-US: Oracle Portal CVE-2006-6702 (Cross-site scripting (XSS) vulnerability in Global.pm in @Mail before ...) NOT-FOR-US: @Mail CVE-2006-6701 (Cross-site request forgery (CSRF) vulnerability in util.pl in @Mail We ...) NOT-FOR-US: @Mail CVE-2006-6700 (Cross-site scripting (XSS) vulnerability in @Mail WebMail allows remot ...) NOT-FOR-US: @Mail CVE-2006-6699 (Multiple CRLF injection vulnerabilities in Oracle Portal 9.0.2 and pos ...) NOT-FOR-US: Oracle Portal CVE-2006-6698 (The GConf daemon (gconfd) in GConf 2.14.0 creates temporary files unde ...) - gconf2 2.24.0-1 (unimportant; bug #404743) NOTE: Minor nuisance, not much of a security problem CVE-2005-4816 (Buffer overflow in mod_radius in ProFTPD before 1.3.0rc2 allows remote ...) {DSA-1245-1} - proftpd-dfsg 1.2.10+1.3.0rc5-1 (bug #404751; medium) CVE-2003-1314 (PHP remote file inclusion vulnerability in admin/auth.php in EternalMa ...) NOT-FOR-US: EternalMart Guestbook (EMGB) CVE-2003-1313 (Multiple PHP remote file inclusion vulnerabilities in EternalMart Mail ...) NOT-FOR-US: EternalMart Mailing List Manager (EMLM) CVE-2006-6749 (Buffer overflow in the parse_expression function in parse_config in Op ...) - openser 1.1.0-8 (medium; bug #404591) CVE-2006-XXXX [insecure rpath in libflash-mozplugin] - libflash 0.4.13-9 (low; bug #399508) [etch] - libflash (Not exploitable through directory writable by an unprivileged user) CVE-2006-6697 (CRLF injection vulnerability in webapp/jsp/calendar.jsp in Oracle Port ...) NOT-FOR-US: Oracle CVE-2006-6696 (Double free vulnerability in Microsoft Windows 2000, XP, 2003, and Vis ...) NOT-FOR-US: Microsoft CVE-2006-6695 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Ca ...) NOT-FOR-US: Carsen Klock TextSend CVE-2006-6694 (Directory traversal vulnerability in include/config.php in E-Uploader ...) NOT-FOR-US: E-Uploader CVE-2006-6693 (Multiple buffer overflows in zabbix before 20061006 allow attackers to ...) - zabbix 1:1.1.2-4 (medium; bug #391388) CVE-2006-6692 (Multiple format string vulnerabilities in zabbix before 20061006 allow ...) - zabbix 1:1.1.2-4 (medium; bug #391388) CVE-2006-6691 (Multiple PHP remote file inclusion vulnerabilities in Valdersoft Shopp ...) NOT-FOR-US: Valdersoft Shopping Cart CVE-2006-6690 (rtehtmlarea/pi1/class.tx_rtehtmlarea_pi1.php in Typo3 4.0.0 through 4. ...) - typo3-src 4.0.2+debian-2 (high; bug #403906) NOTE: http://typo3.org/news-single-view/?tx_newsimporter_pi1%5BshowItem%5D=0&cHash=e4a40a11a9 CVE-2006-6689 (Multiple PHP remote file inclusion vulnerabilities in Paristemi 0.8.3 ...) NOT-FOR-US: Paristemi CVE-2006-6688 (Web Automated Perl Portal (WebAPP) 0.9.9.4, and 0.9.9.3.4 Network Edit ...) NOT-FOR-US: Web Automated Perl Portal (WebAPP) CVE-2006-6687 (Cross-site scripting (XSS) vulnerability in Web Automated Perl Portal ...) NOT-FOR-US: Web Automated Perl Portal (WebAPP) CVE-2006-6686 (PHP remote file inclusion vulnerability in sender.php in Carsen Klock ...) NOT-FOR-US: Carsen Klock TextSend CVE-2006-6685 (Heap-based buffer overflow in Pedro Lineu Orso chetcpasswd 2.3.3 allow ...) - chetcpasswd (medium) CVE-2006-6684 (Heap-based buffer overflow in Pedro Lineu Orso chetcpasswd before 2.4 ...) - chetcpasswd (medium) CVE-2006-6683 (Pedro Lineu Orso chetcpasswd 2.4.1 and earlier verifies and updates us ...) - chetcpasswd (medium) CVE-2006-6682 (Pedro Lineu Orso chetcpasswd 2.3.3 provides a different error message ...) - chetcpasswd (medium) CVE-2006-6681 (Pedro Lineu Orso chetcpasswd 2.3.3 does not have a rate limit for clie ...) - chetcpasswd (medium) CVE-2006-6680 (Pedro Lineu Orso chetcpasswd before 2.3.1 does not document the need f ...) - chetcpasswd (low) CVE-2006-6679 (Pedro Lineu Orso chetcpasswd before 2.4 relies on the X-Forwarded-For ...) - chetcpasswd (medium) CVE-2006-6678 (The edit_textarea function in form-file.c in Netrik 1.15.4 and earlier ...) {DSA-1251-1} - netrik 1.15.3-1.1 (medium; bug #404233) CVE-2006-6677 (ESET NOD32 Antivirus before 1.1743 allows remote attackers to cause a ...) NOT-FOR-US: ESET NOD32 Antivirus CVE-2006-6676 (Integer overflow in the (a) OLE2 and (b) CHM parsers for ESET NOD32 An ...) NOT-FOR-US: ESET NOD32 Antivirus CVE-2006-6675 (Cross-site scripting (XSS) vulnerability in Novell NetWare 6.5 Support ...) NOT-FOR-US: Novell CVE-2006-6674 (Ozeki HTTP-SMS Gateway 1.0, and possibly earlier, stores usernames and ...) NOT-FOR-US: Ozeki HTTP-SMS Gateway CVE-2006-6673 (WinFtp Server 2.0.2 allows remote attackers to cause a denial of servi ...) NOT-FOR-US: WinFtp Server CVE-2006-6672 (Multiple SQL injection vulnerabilities in Burak Yylmaz Download Portal ...) NOT-FOR-US: Download Portal CVE-2006-6671 (SQL injection vulnerability in down.asp in Burak Yylmaz Download Porta ...) NOT-FOR-US: Download Portal CVE-2006-6670 (Unspecified vulnerability in Nortel CallPilot 4.x Server has unknown i ...) NOT-FOR-US: Nortel CallPilot CVE-2006-6669 (Cross-site scripting (XSS) vulnerability in export_handler.php in WebC ...) {DSA-1279-1} - webcalendar 1.0.5-2 (low; bug #404234) CVE-2006-6668 (Cross-site scripting (XSS) vulnerability in VerliAdmin 0.3 and earlier ...) NOT-FOR-US: VerliAdmin CVE-2006-6667 (Multiple SQL injection vulnerabilities in VerliAdmin 0.3 and earlier a ...) NOT-FOR-US: VerliAdmin CVE-2006-6666 (PHP remote file inclusion vulnerability in index.php in VerliAdmin 0.3 ...) NOT-FOR-US: VerliAdmin CVE-2006-6665 (Buffer overflow in Astonsoft DeepBurner Pro and Free 1.8.0 and earlier ...) NOT-FOR-US: DeepBurner CVE-2006-6664 (Format string vulnerability in Marathon Aleph One before 0.17.1 and 20 ...) NOT-FOR-US: Aleph One CVE-2006-6663 (The server component in Marathon Aleph One before 0.17.1 and 2006-12-1 ...) NOT-FOR-US: Aleph One CVE-2006-6662 (Unspecified vulnerability in Linux User Management (novell-lum) on SUS ...) NOT-FOR-US: Linux User Management (novell-lum) CVE-2006-6661 (Variable overwrite vulnerability in blog.php in PHP-Update 2.7 and ear ...) NOT-FOR-US: PHP-Update CVE-2006-6660 (The nodeType function in KDE libkhtml 4.2.0 and earlier, as used by Ko ...) - kdelibs (at least it is fixed in 4:3.5.5a.dfsg.1-5) NOTE: is DoS only, anyway CVE-2002-2221 (Untrusted search path vulnerability in Pedro Lineu Orso chetcpasswd 2. ...) - chetcpasswd (medium) CVE-2002-2220 (Buffer overflow in Pedro Lineu Orso chetcpasswd before 1.12, when conf ...) - chetcpasswd (medium) CVE-2002-2219 (chetcpasswd.cgi in Pedro Lineu Orso chetcpasswd before 2.1 allows remo ...) - chetcpasswd (low) CVE-2007-0010 (The GdkPixbufLoader function in GIMP ToolKit (GTK+) in GTK 2 (gtk2) be ...) {DSA-1256-1} - gtk+2.0 2.8.20-5 CVE-2007-0009 (Stack-based buffer overflow in the SSLv2 support in Mozilla Network Se ...) {DSA-1336-1} NOTE: MFSA-2007-06 - iceweasel 2.0.0.2+dfsg-1 (low) - iceape 1.0.8-1 (low) - xulrunner 1.8.0.10-1 (low) - icedove 1.5.0.10.dfsg1-1 [sarge] - mozilla-firefox (Mozilla products from Sarge no longer supported) [sarge] - mozilla (Mozilla products from Sarge no longer supported) CVE-2007-0008 (Integer underflow in the SSLv2 support in Mozilla Network Security Ser ...) {DSA-1336-1} NOTE: MFSA-2007-06 - iceweasel 2.0.0.2+dfsg-1 (low) - iceape 1.0.8-1 (low) - xulrunner 1.8.0.10-1 (low) - icedove 1.5.0.10.dfsg1-1 [sarge] - mozilla-firefox (Mozilla products from Sarge no longer supported) [sarge] - mozilla (Mozilla products from Sarge no longer supported) CVE-2007-0007 (gnucash 2.0.4 and earlier allows local users to overwrite arbitrary fi ...) - gnucash 2.0.5-1 (bug #411942; medium) CVE-2007-0006 (The key serial number collision avoidance code in the key_alloc_serial ...) - linux-2.6 2.6.18.dfsg.1-12 CVE-2007-0005 (Multiple buffer overflows in the (1) read and (2) write handlers in th ...) {DSA-1286-1} - linux-2.6 2.6.20-1 CVE-2007-0004 (The NFS client implementation in the kernel in Red Hat Enterprise Linu ...) NOTE: if security relevant at all, it's 2.4.* only - linux-2.6 (2.4 only) CVE-2007-0003 (pam_unix.so in Linux-PAM 0.99.7.0 allows context-dependent attackers t ...) - pam (Only pam 0.99.7 affected) CVE-2007-0002 (Multiple heap-based buffer overflows in WordPerfect Document importer/ ...) {DSA-1270-1 DSA-1268-1} - libwpd 0.8.9-1 NOTE: openoffice.org changelog indicates libwpd is included but not used - openoffice.org 2.0.4.dfsg.2-6 [etch] - openoffice.org 2.0.4.dfsg.2-5etch1 [etch] - libwpd 0.8.7-6 CVE-2007-0001 (The file watch implementation in the audit subsystem (auditctl -w) in ...) - linux-2.6 (Red Hat specific vulnerability) CVE-2006-6659 (The Microsoft Office Outlook Recipient ActiveX control (ole32.dll) in ...) NOT-FOR-US: Microsoft CVE-2006-6658 (Inktomi Search 4.1.4 allows remote attackers to obtain sensitive infor ...) NOT-FOR-US: Inktomi CVE-2006-6657 (The if_clone_list function in NetBSD-current before 20061027, NetBSD 3 ...) NOT-FOR-US: NetBSD CVE-2006-6656 (Unspecified vulnerability in ptrace in NetBSD-current before 20061027, ...) NOT-FOR-US: NetBSD CVE-2006-6655 (The procfs implementation in NetBSD-current before 20061023, NetBSD 3. ...) NOT-FOR-US: NetBSD CVE-2006-6654 (The sendmsg function in NetBSD-current before 20061023, NetBSD 3.0 and ...) NOT-FOR-US: NetBSD CVE-2006-6653 (The accept function in NetBSD-current before 20061023, NetBSD 3.0 and ...) NOT-FOR-US: NetBSD CVE-2006-6652 (Buffer overflow in the glob implementation (glob.c) in libc in NetBSD- ...) NOT-FOR-US: NetBSD CVE-2006-6651 (Race condition in W29N51.SYS in the Intel 2200BG wireless driver 9.0.3 ...) NOT-FOR-US: Intel CVE-2006-6650 (PHP remote file inclusion vulnerability in charts_constants.php in the ...) NOT-FOR-US: mxBB CVE-2006-6649 (Cross-site scripting (XSS) vulnerability in display.php in HyperVM 1.2 ...) NOT-FOR-US: HyperVM CVE-2006-6648 (PHP remote file inclusion vulnerability in main.inc.php in planetluc.c ...) NOT-FOR-US: RateMe CVE-2006-6647 (Cross-site scripting (XSS) vulnerability in the MySite 4.7.x before 4. ...) NOT-FOR-US: MySite for Drupal CVE-2006-6646 (Multiple cross-site scripting (XSS) vulnerabilities in Drupal (1) Proj ...) NOT-FOR-US: Drupal Project Issue Tracking CVE-2006-6645 (PHP remote file inclusion vulnerability in language/lang_english/lang_ ...) NOT-FOR-US: Web Links module for mxBB CVE-2006-6644 (PHP remote file inclusion vulnerability in pages/meeting_constants.php ...) NOT-FOR-US: Meeting module for mxBB CVE-2006-6643 (Fightersoft Multimedia Star FTP server 1.10 allows remote attackers to ...) NOT-FOR-US: Fightersoft Multimedia Star FTP server CVE-2006-6642 (SQL injection vulnerability in haber.asp in Contra Haber Sistemi 1.0 a ...) NOT-FOR-US: Sistemi CVE-2006-6641 (Unspecified vulnerability in CA CleverPath Portal before maintenance v ...) NOT-FOR-US: CA CleverPath Portal CVE-2006-6640 (Multiple cross-site scripting (XSS) vulnerabilities in Omniture SiteCa ...) NOT-FOR-US: SiteCatalyst CVE-2006-6639 (Multiple unspecified vulnerabilities in chetcpasswd 2.4.1 allow local ...) - chetcpasswd (medium) CVE-2006-6638 (IBM DB2 8.1 before FixPak 14 allows remote attackers to cause a denial ...) NOT-FOR-US: IBM CVE-2006-6637 (The Servlet Engine and Web Container in IBM WebSphere Application Serv ...) NOT-FOR-US: IBM CVE-2006-6636 (Unspecified vulnerability in the Utility Classes for IBM WebSphere App ...) NOT-FOR-US: IBM CVE-2006-6635 (PHP remote file inclusion vulnerability in includes/functions.php in J ...) NOT-FOR-US: JumbaCMS CVE-2006-6634 (Multiple PHP remote file inclusion vulnerabilities in the ExtCalThai ( ...) NOT-FOR-US: ExtCalThai for Mambo CVE-2006-6633 (PHP remote file inclusion vulnerability in include/yapbb_session.php i ...) NOT-FOR-US: YapBB CVE-2006-6632 (PHP remote file inclusion vulnerability in genepi.php in Genepi 1.6 an ...) NOT-FOR-US: Genepi CVE-2006-6631 (PHP remote file inclusion vulnerability in lib/xml/oai/GetRecord.php i ...) NOT-FOR-US: osprey CVE-2006-6630 (PHP remote file inclusion vulnerability in ListRecords.php in osprey 1 ...) NOT-FOR-US: osprey CVE-2006-6629 (lib/WeBWorK/PG/Translator.pm in WeBWorK Program Generation (PG) Langua ...) NOT-FOR-US: WeBWorK CVE-2006-6628 (Integer overflow in OpenOffice.org (OOo) 2.1 allows user-assisted remo ...) - openoffice.org 2.0.4.dfsg.2-3 (unimportant; bug #404105) NOTE: No code injection possible, just a crash CVE-2006-6627 (Integer overflow in the packed PE file parsing implementation in BitDe ...) NOT-FOR-US: BitDefender CVE-2006-6626 (Cross-site scripting (XSS) vulnerability in an unspecified component o ...) - moodle 1.6-1 NOTE: Does not affect moodle 1.6 according to SecurityFocus. CVE-2006-6625 (Cross-site scripting (XSS) vulnerability in mod/forum/discuss.php in M ...) - moodle 1.6.3-2 (low) NOTE: "SC#341 fixed initilaization of navtail variable" NOTE: http://moodle.cvs.sourceforge.net/moodle/moodle/mod/forum/discuss.php?view=log CVE-2006-6624 (The FTP Server in Sambar Server 6.4 allows remote authenticated users ...) NOT-FOR-US: Sambar CVE-2006-6623 (Sygate Personal Firewall 5.6.2808 relies on the Process Environment Bl ...) NOT-FOR-US: Sygate CVE-2006-6622 (Soft4Ever Look 'n' Stop (LnS) 2.05p2 before 20061215 relies on the Pro ...) NOT-FOR-US: Soft4Ever Look 'n' Stop CVE-2006-6621 (Filseclab Personal Firewall 3.0.0.8686 relies on the Process Environme ...) NOT-FOR-US: Filseclab Personal Firewall CVE-2006-6620 (Comodo Personal Firewall 2.3.6.81 relies on the Process Environment Bl ...) NOT-FOR-US: Comodo Personal Firewall CVE-2006-6619 (AVG Anti-Virus plus Firewall 7.5.431 relies on the Process Environment ...) NOT-FOR-US: AVG Anti-Virus plus Firewall CVE-2006-6618 (AntiHook 3.0.0.23 - Desktop relies on the Process Environment Block (P ...) NOT-FOR-US: AntiHook 3.0.0.23 - Desktop CVE-2006-6617 (projectserver/logon/pdsrequest.asp in Microsoft Project Server 2003 al ...) NOT-FOR-US: Microsoft CVE-2006-6616 (index.php in w00t Gallery 1.4.0 allows remote authenticated users with ...) NOT-FOR-US: w00t Gallery CVE-2006-6615 (PHP remote file inclusion vulnerability in includes/act_constants.php ...) NOT-FOR-US: Activity Games module for mxBB CVE-2006-6614 (The save_log_local function in Fully Automatic Installation (FAI) 2.10 ...) - fai 3.1.3 (low; bug #402644) [sarge] - fai (Minor issue, only in rare configs and use cases) CVE-2006-6613 (Directory traversal vulnerability in language.php in phpAlbum 0.4.1 Be ...) NOT-FOR-US: phpAlbum CVE-2006-6612 (PHP remote file inclusion vulnerability in basic.inc.php in PhpMyCms 0 ...) NOT-FOR-US: PhpMyCms CVE-2006-6611 (PHP remote file inclusion vulnerability in interface.php in Barman 0.0 ...) NOT-FOR-US: Barman CVE-2006-6610 (clientcommands in Nexuiz before 2.2.1 has unknown impact and remote at ...) - nexuiz 2.2.1-1 (low) NOTE: Only game console command execution possible, not shell commands CVE-2006-6609 (Nexuiz before 2.2.1 allows remote attackers to cause a denial of servi ...) - nexuiz 2.2.1-1 CVE-2006-6608 (Unspecified vulnerability in SSH key based authentication in HP Integr ...) NOT-FOR-US: HP CVE-2006-6607 (The Java Key Store (JKS) for WebSphere Application Server (WAS) for IB ...) NOT-FOR-US: IBM CVE-2006-6606 (Multiple SQL injection vulnerabilities in Clarens jclarens before 0.6. ...) NOT-FOR-US: jclarens CVE-2006-6605 (Stack-based buffer overflow in the POP service in MailEnable Standard ...) NOT-FOR-US: MailEnable CVE-2006-6604 (Directory traversal vulnerability in downloaddetails.php in TorrentFlu ...) - torrentflux 2.1-7 (medium; bug #400582) CVE-2006-6603 (Buffer overflow in the YMMAPI.YMailAttach ActiveX control (ymmapi.dll) ...) NOT-FOR-US: YMMAPI.YMailAttach CVE-2006-6602 (explorer.exe in Windows Explorer 6.00.2900.2180 in Microsoft Windows X ...) NOT-FOR-US: Windows CVE-2006-6601 (Windows Media Player 10.00.00.4036 in Microsoft Windows XP SP2 allows ...) NOT-FOR-US: Microsoft CVE-2006-6600 (Cross-site scripting (XSS) vulnerability in dir.php in TorrentFlux 2.2 ...) - torrentflux 2.1-7 (medium; bug #400582) CVE-2006-6599 (maketorrent.php in TorrentFlux 2.2 allows remote authenticated users t ...) - torrentflux 2.1-7 (medium; bug #400582) CVE-2006-6598 (Directory traversal vulnerability in viewnfo.php in (1) TorrentFlux be ...) - torrentflux 2.1-6 CVE-2006-6597 (Argument injection vulnerability in HyperAccess 8.4 allows user-assist ...) NOT-FOR-US: HyperAccess CVE-2006-6596 (HyperAccess 8.4 allows user-assisted remote attackers to execute arbit ...) NOT-FOR-US: HyperAccess CVE-2006-6595 (Multiple SQL injection vulnerabilities in ScriptMate User Manager 2.1 ...) NOT-FOR-US: ScriptMate User Manager CVE-2006-6594 (SQL injection vulnerability in utilities/usermessages.asp in ScriptMat ...) NOT-FOR-US: ScriptMate User Manager CVE-2006-6593 (PHP remote file inclusion vulnerability in zufallscodepart.php in AMAZ ...) NOT-FOR-US: AMAZONIA MOD for phpBB CVE-2006-6592 (Multiple PHP remote file inclusion vulnerabilities in Bloq 0.5.4 allow ...) NOT-FOR-US: Bloq CVE-2006-6591 (PHP remote file inclusion vulnerability in fonctions/template.php in E ...) NOT-FOR-US: EXlor CVE-2006-6590 (PHP remote file inclusion vulnerability in usercp_menu.php in AR Membe ...) NOT-FOR-US: AR Memberscript CVE-2006-6589 (Cross-site scripting (XSS) vulnerability in ecommerce/control/keywords ...) NOT-FOR-US: Apache Open For BusinessProject (OFBiz) CVE-2006-6588 (The forum implementation in the ecommerce component in the Apache Open ...) NOT-FOR-US: Apache Open For BusinessProject (OFBiz) CVE-2006-6587 (Cross-site scripting (XSS) vulnerability in the forum implementation i ...) NOT-FOR-US: Apache Open For BusinessProject (OFBiz) CVE-2006-6586 (Multiple PHP remote file inclusion vulnerabilities in Vortex Blog (vBl ...) NOT-FOR-US: Vortex Blog CVE-2006-6585 (The Extensions manager in Mozilla Firefox 2.0 does not properly popula ...) - iceweasel 2.0.0.1+dfsg-1 - firefox 45.0-1 - firefox-esr 45.0esr-1 CVE-2006-6584 (Multiple buffer overflows in italkplus (Italk+) before 0.92.1 allow re ...) NOT-FOR-US: italkplus (Italk+) CVE-2006-6583 (ScriptMate User Manager 2.1 and earlier allow remote attackers to obta ...) NOT-FOR-US: ScriptMate User Manager CVE-2006-6582 (Multiple cross-site scripting (XSS) vulnerabilities in ScriptMate User ...) NOT-FOR-US: ScriptMate User Manager CVE-2006-6581 (PHP remote file inclusion vulnerability in tests/debug_test.php in Ver ...) NOT-FOR-US: PHP_Debug CVE-2006-6580 (admin/change.php in ProNews 1.5 does not check whether a user is permi ...) NOT-FOR-US: ProNews CVE-2006-6579 (Microsoft Windows XP has weak permissions (FILE_WRITE_DATA and FILE_RE ...) NOT-FOR-US: Microsoft CVE-2006-6578 (Microsoft Internet Information Services (IIS) 5.1 permits the IUSR_Mac ...) NOT-FOR-US: Microsoft CVE-2006-6577 (SQL injection vulnerability in polls.php in Neocrome Land Down Under ( ...) NOT-FOR-US: Neocrome Land Down Under CVE-2006-6576 (Heap-based buffer overflow in Golden FTP Server (goldenftpd) 1.92 allo ...) NOT-FOR-US: Golden FTP Server CVE-2006-6575 (PHP remote file inclusion vulnerability in ldap.php in Brian Drawert Y ...) NOT-FOR-US: Yet Another PHP LDAP Admin Project (yaplap) CVE-2006-6574 (Mantis before 1.1.0a2 does not implement per-item access control for I ...) {DSA-1467-1} - mantis 1.0.6+dfsg-3 (bug #402802) [sarge] - mantis 0.19.2-5sarge5 CVE-2004-2666 (Mantis before 20041016 provides a complete Issue History (Bug History) ...) - mantis 0.19.2-1 CVE-2003-1312 (siteminderagent/SmMakeCookie.ccc in Netegrity SiteMinder places a sess ...) NOT-FOR-US: Netegrity SiteMinder CVE-2003-1311 (siteminderagent/SmMakeCookie.ccc in Netegrity SiteMinder does not ensu ...) NOT-FOR-US: Netegrity SiteMinder CVE-2006-XXXX [gaim crash when receiving an invalid UPnP response] - gaim 1:2.0.0+beta5-9 (low) [sarge] - gaim (minor issue) CVE-2006-XXXX [dsniff urlsnarf missing output sanitization] - dsniff 2.4b1+debian-16 (unimportant; bug #400624) NOTE: While older terminals were vulnerable to some attacks involving terminal NOTE: sequences, the lack of shell escaping is not a vulnerability in dsniff CVE-2006-XXXX [archivemail insecure temporary file issues] - archivemail 0.6.2-2 [sarge] - archivemail (minor issue) CVE-2006-XXXX [pythonpaste web root esacpe] - paste 1.0.1-1 NOTE: http://pythonpaste.org/archives/message/20061218.050654.e8997561.en.html CVE-2006-XXXX [moodle unspecified security bug in the forum module (discuss.php)] - moodle 1.6.3-2 CVE-2006-XXXX [znc file access security hole] - znc 0.045-3 (bug #403141; medium) CVE-2006-6573 (Unspecified vulnerability in Citrix Access Gateway 4.5 Advanced Editio ...) NOT-FOR-US: Citrix CVE-2006-6572 (Unspecified vulnerability in Citrix Advanced Access Control (AAC) Opti ...) NOT-FOR-US: Citrix CVE-2006-6571 (Multiple cross-site scripting (XSS) vulnerabilities in form.php in Gen ...) NOT-FOR-US: GenesisTrader CVE-2006-6570 (Unrestricted file upload vulnerability in upload.php in GenesisTrader ...) NOT-FOR-US: GenesisTrader CVE-2006-6569 (form.php in GenesisTrader 1.0 allows remote attackers to read source c ...) NOT-FOR-US: GenesisTrader CVE-2006-6568 (Directory traversal vulnerability in includes/kb_constants.php in the ...) NOT-FOR-US: Knowledge Base (mx_kb) 2.0.2 module for mxBB CVE-2006-6567 (PHP remote file inclusion vulnerability in includes/kb_constants.php i ...) NOT-FOR-US: Knowledge Base (mx_kb) 2.0.2 module for mxBB CVE-2006-6566 (PHP remote file inclusion vulnerability in includes/profilcp_constants ...) NOT-FOR-US: Profile Control Panel (CPanel) module for mxBB CVE-2006-6565 (FileZilla Server before 0.9.22 allows remote attackers to cause a deni ...) NOT-FOR-US: FileZilla Server CVE-2006-6564 (FileZilla Server before 0.9.22 allows remote attackers to cause a deni ...) NOT-FOR-US: FileZilla Server CVE-2006-6563 (Stack-based buffer overflow in the pr_ctrls_recv_request function in c ...) - proftpd-dfsg 1.3.0-17 (medium) [sarge] - proftpd (Vulnerable code not activated in binary build) CVE-2006-6562 RESERVED CVE-2006-6561 (Unspecified vulnerability in Microsoft Word 2000, 2002, and Word Viewe ...) NOT-FOR-US: Microsoft CVE-2006-6560 (PHP remote file inclusion vulnerability in includes/common.php in the ...) NOT-FOR-US: mx_modsdb 1.0.0 module for MxBBmx_modsdb 1.0.0 module for MxBB CVE-2006-6559 (SQL injection vulnerability in ProductDetails.asp in Lotfian Request F ...) NOT-FOR-US: Lotfian Request For Travel CVE-2006-6558 (Crob FTP Server 3.6.1 b.263 allows remote attackers to cause a denial ...) NOT-FOR-US: Crob FTP Server CVE-2006-6557 (Multiple unspecified vulnerabilities in Skulls! before 0.2.6 have unkn ...) NOT-FOR-US: Skulls! CVE-2006-6556 (The eyeHome function in apps/eyeHome.eyeapp/aplic.php in EyeOS before ...) NOT-FOR-US: EyeOS CVE-2006-6555 (Multiple SQL injection vulnerabilities in EasyFill before 0.5.1 allow ...) NOT-FOR-US: EasyFill CVE-2006-6554 (Unspecified vulnerability in Kerio MailServer before 6.3.1 allows remo ...) NOT-FOR-US: Kerio MailServer CVE-2006-6553 (PHP remote file inclusion vulnerability in includes/newssuite_constant ...) NOT-FOR-US: NewsSuite 1.03 module for mxBB CVE-2006-6552 (PHP remote file inclusion vulnerability in admin/plugins/NP_UserSharin ...) NOT-FOR-US: BLOG:CMS CVE-2006-6551 (PHP remote file inclusion vulnerability in libs/tucows/api/cartridges/ ...) NOT-FOR-US: Tucows Client Code Suite (CCS) CVE-2006-6550 NOT-FOR-US: Phorum CVE-2006-6549 NOT-FOR-US: Rad Upload CVE-2006-6548 (Multiple cross-site scripting (XSS) vulnerabilities in cPanel WebHost ...) NOT-FOR-US: cPanel WebHost Manager CVE-2006-6547 (Buffer overflow in the readAA function in read_aa.cpp in Winamp iPod P ...) NOT-FOR-US: Winamp CVE-2006-6546 (PHP remote file inclusion vulnerability in inc/shows.inc.php in cutene ...) NOT-FOR-US: cutenews CVE-2006-6545 (PHP remote file inclusion vulnerability in includes/common.php in the ...) NOT-FOR-US: ErrorDocs 1.0.0 and earlier module for mxBB CVE-2006-6544 (Cross-site scripting (XSS) vulnerability in CM68 News allows remote at ...) NOT-FOR-US: CM68 News CVE-2006-6543 (Multiple SQL injection vulnerabilities in login.asp in AppIntellect Sp ...) NOT-FOR-US: AppIntellect SpotLight CRM CVE-2006-6542 (SQL injection vulnerability in news.php in Fantastic News 2.1.4 and ea ...) NOT-FOR-US: Fantastic News CVE-2006-6541 NOT-FOR-US: Animated Smiley Generator CVE-2006-6540 (SQL injection vulnerability in bt-trackback.php in Bluetrait before 1. ...) NOT-FOR-US: Bluetrait CVE-2006-6539 (Multiple buffer overflows in Winamp Web Interface (Wawi) 7.5.13 and ea ...) NOT-FOR-US: Winamp Web Interface CVE-2006-6538 (D-LINK DWL-2000AP+ firmware 2.11 allows remote attackers to cause (1) ...) NOT-FOR-US: D-LINK CVE-2006-6537 (IBM WebSphere Host On-Demand 6.0, 7.0, 8.0, 9.0, and possibly 10, allo ...) NOT-FOR-US: IBM CVE-2006-6536 (Cross-site scripting (XSS) vulnerability in hata.asp in Cilem Haber Fr ...) NOT-FOR-US: Cilem Haber Free Edition CVE-2006-6535 (The dev_queue_xmit function in Linux kernel 2.6 can fail before callin ...) {DSA-1304} - linux-2.6 (Fixed before upload into the archive; 2.6.10) CVE-2006-6534 (Multiple cross-site scripting (XSS) vulnerabilities in osCommerce 3.0a ...) NOT-FOR-US: osCommerce CVE-2006-6533 (Directory traversal vulnerability in admin/templates_boxes_layout.php ...) NOT-FOR-US: osCommerce CVE-2006-6532 (Multiple cross-site scripting (XSS) vulnerabilities in Vt-Forum Lite 1 ...) NOT-FOR-US: Vt-Forum Lite CVE-2006-6531 (Cross-site scripting (XSS) vulnerability in the Help Tip module before ...) NOT-FOR-US: Help Tip module for Drupal CVE-2006-6530 (SQL injection vulnerability in the Help Tip module before 4.7.x-1.0 fo ...) NOT-FOR-US: Help Tip module for Drupal CVE-2006-6529 (The Chatroom Module before 4.7.x.-1.0 for Drupal displays private mess ...) NOT-FOR-US: Chatroom Module for Drupal CVE-2006-6528 (The Chatroom Module before 4.7.x.-1.0 for Drupal broadcasts Chatroom v ...) NOT-FOR-US: Chatroom Module for Drupal CVE-2006-6527 (PHP remote file inclusion vulnerability in guest.php in Gizzar 0316200 ...) NOT-FOR-US: Gizzar CVE-2006-6526 (PHP remote file inclusion vulnerability in index.php in Gizzar 0316200 ...) NOT-FOR-US: Gizzar CVE-2006-6525 (SQL injection vulnerability in vdateUsr.asp in EzHRS HR Assist 1.05 an ...) NOT-FOR-US: EzHRS HR Assist CVE-2006-6524 (SQL injection vulnerability in vdateUsr.asp in EzHRS HR Assist 1.05 an ...) NOT-FOR-US: EzHRS HR Assist CVE-2006-6523 (Cross-site scripting (XSS) vulnerability in mail/manage.html in BoxTra ...) NOT-FOR-US: BoxTrapper in cPanel CVE-2006-6522 (Multiple cross-site scripting (XSS) vulnerabilities in WikiTimeScale T ...) NOT-FOR-US: WikiTimeScale TwoZero CVE-2006-6521 (SQL injection vulnerability in lire-avis.php in Messageriescripthp 2.0 ...) NOT-FOR-US: Messageriescripthp CVE-2006-6520 (Multiple cross-site scripting (XSS) vulnerabilities in Messageriescrip ...) NOT-FOR-US: Messageriescripthp CVE-2006-6519 (SQL injection vulnerability in lire-avis.php in ProNews 1.5 allows rem ...) NOT-FOR-US: ProNews CVE-2006-6518 (Multiple cross-site scripting (XSS) vulnerabilities in ProNews 1.5 all ...) NOT-FOR-US: ProNews CVE-2006-6517 (Multiple cross-site scripting (XSS) vulnerabilities in KDPics 1.16 and ...) NOT-FOR-US: KDPics CVE-2006-6516 (Multiple PHP remote file inclusion vulnerabilities in KDPics 1.16 and ...) NOT-FOR-US: KDPics CVE-2006-6515 (Mantis before 1.1.0a2 sets the default value of $g_bug_reminder_thresh ...) - mantis 1.0.6+dfsg-1 (unimportant) NOTE: http://www.mantisbt.org/bugs/print_bug_page.php?bug_id=5163 NOTE: Not a security bug, only a very annoying feature. CVE-2006-6514 (Winamp Web Interface (Wawi) 7.5.13 and earlier uses an insufficient co ...) NOT-FOR-US: Winamp Web Interface (Wawi) CVE-2006-6513 (The CControl::Download function (/dl URI) in Winamp Web Interface (Waw ...) NOT-FOR-US: Winamp Web Interface (Wawi) CVE-2006-6512 (Directory traversal vulnerability in the Browse function (/browse URI) ...) NOT-FOR-US: Winamp Web Interface (Wawi) CVE-2006-6511 (dadaIMC .99.3 uses an insufficiently restrictive FilesMatch directive ...) NOT-FOR-US: dadaIMC CVE-2006-6510 (An unspecified ActiveX control in SiteKiosk before 6.5.150 is installe ...) NOT-FOR-US: SiteKiosk CVE-2006-6509 (Cross-site scripting (XSS) vulnerability in the skinning feature in Si ...) NOT-FOR-US: SiteKiosk CVE-2006-6508 (Cross-site request forgery (CSRF) vulnerability in phpBB 2.0.21 allows ...) {DSA-1488-1} NOTE: This is covered/duped by CVE-2006-6841 - phpbb2 2.0.21-6 CVE-2006-6507 (Mozilla Firefox 2.0 before 2.0.0.1 allows remote attackers to bypass C ...) NOTE: MFSA-2006-76 - iceweasel 2.0.0.1+dfsg-1 (high) - xulrunner (maintainer reported) - iceape (maintainer reported) CVE-2006-6506 (The "Feed Preview" feature in Mozilla Firefox 2.0 before 2.0.0.1 sends ...) NOTE: MFSA-2006-75 - iceweasel 2.0.0.1+dfsg-1 (low) - iceape (maintainer reported) CVE-2006-6505 (Multiple heap-based buffer overflows in Mozilla Thunderbird before 1.5 ...) {DSA-1265-1} NOTE: MFSA-2006-74 [sarge] - mozilla-thunderbird (Mozilla products from Sarge no longer supported) - icedove 1.5.0.9.dfsg1-1 (high) - iceape 1.0.7-1 (high) - mozilla CVE-2006-6504 (Mozilla Firefox 2.x before 2.0.0.1, 1.5.x before 1.5.0.9, and SeaMonke ...) NOTE: MFSA-2006-73 - iceweasel 2.0.0.1+dfsg-1 (high) - xulrunner 1.8.0.9-1 (high) - iceape 1.0.7-1 (high) - firefox 45.0-1 (high) - firefox-esr 45.0esr-1 (high) NOTE: Flaw was introduced in Firefox 1.5.0.4 - icedove 1.5.0.9.dfsg1-1 (high) CVE-2006-6503 (Mozilla Firefox 2.x before 2.0.0.1, 1.5.x before 1.5.0.9, Thunderbird ...) {DSA-1265-1 DSA-1258-1 DSA-1253-1} NOTE: MFSA-2006-72 - iceweasel 2.0.0.1+dfsg-1 (high) - xulrunner 1.8.0.9-1 (high) - iceape 1.0.7-1 (high) - firefox 45.0-1 (high) - firefox-esr 45.0esr-1 (high) - mozilla (high) - mozilla-firefox (high) - mozilla-thunderbird (high) - icedove 1.5.0.9.dfsg1-1 (high) CVE-2006-6502 (Use-after-free vulnerability in the LiveConnect bridge code for Mozill ...) {DSA-1265-1 DSA-1258-1 DSA-1253-1} NOTE: MFSA-2006-71 - iceweasel 2.0.0.1+dfsg-1 (high) - xulrunner 1.8.0.9-1 (high) - iceape 1.0.7-1 (high) - firefox 45.0-1 (high) - firefox-esr 45.0esr-1 (high) - mozilla (high) - mozilla-firefox (high) - mozilla-thunderbird (unimportant) - icedove 1.5.0.9.dfsg1-1 (unimportant) NOTE: Not exploitable in standard Icedove configuration CVE-2006-6501 (Unspecified vulnerability in Mozilla Firefox 2.x before 2.0.0.1, 1.5.x ...) {DSA-1265-1 DSA-1258-1 DSA-1253-1} NOTE: MFSA-2006-70 - iceweasel 2.0.0.1+dfsg-1 (high) - xulrunner 1.8.0.9-1 (high) - iceape 1.0.7-1 (high) - firefox 45.0-1 (high) - firefox-esr 45.0esr-1 (high) - mozilla (high) - mozilla-firefox (high) - mozilla-thunderbird (low) - icedove 1.5.0.9.dfsg1-1 (low) CVE-2006-6500 (Heap-based buffer overflow in Mozilla Firefox 2.x before 2.0.0.1, 1.5. ...) NOTE: MFSA-2006-69 - iceweasel (windows only) - xulrunner (Windows only) - iceape (windows only) - firefox (windows only) - mozilla (windows only) - mozilla-firefox (windows only) - mozilla-thunderbird (windows only) - icedove (windows only) CVE-2006-6499 (The js_dtoa function in Mozilla Firefox 2.x before 2.0.0.1, 1.5.x befo ...) {DSA-1265-1 DSA-1258-1 DSA-1253-1} NOTE: MFSA-2006-68 - iceweasel 2.0.0.1+dfsg-1 (high) - xulrunner 1.8.0.9-1 (high) - iceape 1.0.7-1 (high) - firefox 45.0-1 (high) - firefox-esr 45.0esr-1 (high) - mozilla (high) - mozilla-firefox (high) - mozilla-thunderbird (low) - icedove 1.5.0.9.dfsg1-1 (low) NOTE: Is it possible to reduce the floating point precision in Linux as a non-priv NOTE: user? I don't think so CVE-2006-6498 (Multiple unspecified vulnerabilities in the JavaScript engine for Mozi ...) {DSA-1265-1 DSA-1258-1 DSA-1253-1} NOTE: MFSA-2006-68 - iceweasel 2.0.0.1+dfsg-1 (high) - xulrunner 1.8.0.9-1 (high) - iceape 1.0.7-1 (high) - firefox 45.0-1 (high) - firefox-esr 45.0esr-1 (high) - mozilla (high) - mozilla-firefox (high) - mozilla-thunderbird (low) - icedove 1.5.0.9.dfsg1-1 (low) CVE-2006-6497 (Multiple unspecified vulnerabilities in the layout engine for Mozilla ...) {DSA-1265-1 DSA-1258-1 DSA-1253-1} NOTE: MFSA-2006-68 - iceweasel 2.0.0.1+dfsg-1 (medium) - xulrunner 1.8.0.9-1 (medium) - iceape 1.0.7-1 (medium) - firefox 45.0-1 (medium) - firefox-esr 45.0esr-1 (medium) - mozilla (medium) - mozilla-firefox (medium) - mozilla-thunderbird (low) - icedove 1.5.0.9.dfsg1-1 (low) CVE-2006-6496 (The (1) VetMONNT.sys and (2) VetFDDNT.sys drivers in CA Anti-Virus 200 ...) NOT-FOR-US: CA Anti-Virus CVE-2006-6495 (Stack-based buffer overflow in ld.so.1 in Sun Solaris 8, 9, and 10 all ...) NOT-FOR-US: Solaris CVE-2006-6494 (Directory traversal vulnerability in ld.so.1 in Sun Solaris 8, 9, and ...) NOT-FOR-US: Solaris CVE-2006-6493 (Buffer overflow in the krbv4_ldap_auth function in servers/slapd/kerbe ...) - openldap2.3 (kerberos support not enabled) - openldap2 (kerberos support not enabled) CVE-2006-6492 REJECTED CVE-2006-6491 REJECTED CVE-2006-6490 (Multiple buffer overflows in the SupportSoft (1) SmartIssue (tgctlsi.d ...) NOT-FOR-US: SupportSoft ActiveX CVE-2006-6489 (The SISCO OSI stack, as used in SISCO MMS-EASE, ICCP Toolkit for MMS-E ...) NOT-FOR-US: SISCO OSI stack CVE-2006-6488 (Stack-based buffer overflow in the DoModal function in the Dialog Wrap ...) NOT-FOR-US: ICONICS CVE-2006-6487 (Cross-site scripting (XSS) vulnerability in index.php in DT Guestbook ...) NOT-FOR-US: DT Guestbook CVE-2006-6486 (SQL injection vulnerability in EasyPage allows remote attackers to exe ...) NOT-FOR-US: EasyPage CVE-2006-6485 (Multiple cross-site scripting (XSS) vulnerabilities in ShopSite 8.1 an ...) NOT-FOR-US: ShopSite CVE-2006-6484 (The IMAP service for MailEnable Professional and Enterprise Edition 2. ...) NOT-FOR-US: MailEnable CVE-2006-6483 (Adobe ColdFusion MX 7.x before 7.0.2 does not properly filter HTML tag ...) NOT-FOR-US: ColdFusion CVE-2006-6482 (Adobe ColdFusion MX7 allows remote attackers to obtain sensitive infor ...) NOT-FOR-US: ColdFusion CVE-2006-6481 (Clam AntiVirus (ClamAV) 0.88.6 allows remote attackers to cause a deni ...) {DSA-1238-1} - clamav 0.88.7-1 (low; bug #401874) CVE-2006-6480 (admin/admin_membre/fiche_membre.php in AnnonceScriptHP 2.0 allows remo ...) NOT-FOR-US: AnnonceScriptHP CVE-2006-6479 (Multiple cross-site scripting (XSS) vulnerabilities in AnnonceScriptHP ...) NOT-FOR-US: AnnonceScriptHP CVE-2006-6478 (Multiple SQL injection vulnerabilities in AnnonceScriptHP 2.0 allow re ...) NOT-FOR-US: AnnonceScriptHP CVE-2006-6477 (FRAgent.exe in Mandiant First Response (MFR) before 1.1.1, when run in ...) NOT-FOR-US: Mandiant First Response (MFR) CVE-2006-6476 (FRAgent.exe in Mandiant First Response (MFR) before 1.1.1, when run in ...) NOT-FOR-US: Mandiant First Response (MFR) CVE-2006-6475 (FRAgent.exe in Mandiant First Response (MFR) before 1.1.1, when run in ...) NOT-FOR-US: Mandiant First Response (MFR) CVE-2006-6474 (Untrusted search path vulnerability in McAfee VirusScan for Linux 4510 ...) NOT-FOR-US: McAfee CVE-2006-6473 (Multiple unspecified vulnerabilities in Xerox WorkCentre and WorkCentr ...) NOT-FOR-US: Xerox WorkCentre CVE-2006-6472 (The httpd.conf file in Xerox WorkCentre and WorkCentre Pro before 12.0 ...) NOT-FOR-US: Xerox WorkCentre CVE-2006-6471 (Xerox WorkCentre and WorkCentre Pro before 12.050.03.000, 13.x before ...) NOT-FOR-US: Xerox WorkCentre CVE-2006-6470 (The SNMP Agent in Xerox WorkCentre and WorkCentre Pro before 12.050.03 ...) NOT-FOR-US: Xerox WorkCentre CVE-2006-6469 (Xerox WorkCentre and WorkCentre Pro before 12.050.03.000, 13.x before ...) NOT-FOR-US: Xerox WorkCentre CVE-2006-6468 (Xerox WorkCentre and WorkCentre Pro before 12.050.03.000, 13.x before ...) NOT-FOR-US: Xerox WorkCentre CVE-2006-6467 (Xerox WorkCentre and WorkCentre Pro before 12.050.03.000, 13.x before ...) NOT-FOR-US: Xerox WorkCentre CVE-2006-6466 (Multiple cross-site scripting (XSS) vulnerabilities in WBmap.php in Wi ...) NOT-FOR-US: WikyBlog CVE-2006-6465 NOT-FOR-US: WikyBlog CVE-2006-6464 (viewcart in Midicart accepts negative numbers in the Qty (quantity) fi ...) NOT-FOR-US: Midicart CVE-2006-6463 (Unrestricted file upload vulnerability in admin/add.php in Midicart al ...) NOT-FOR-US: Midicart CVE-2006-6462 (PHP remote file inclusion vulnerability in engine/oldnews.inc.php in C ...) NOT-FOR-US: CM68 News CVE-2006-6461 (tr1.php in Yourfreeworld Stylish Text Ads Script allows remote attacke ...) NOT-FOR-US: Yourfreeworld Stylish Text Ads Script CVE-2006-6460 (Yourfreeworld.com Short Url & Url Tracker Script allows remote att ...) NOT-FOR-US: Yourfreeworld.com Short Url Script CVE-2006-6459 (Cross-site scripting (XSS) vulnerability in toplist.php in PhpBB Topli ...) NOT-FOR-US: Toplist for phpBB CVE-2006-6458 (The Trend Micro scan engine before 8.320 for Windows and before 8.150 ...) NOT-FOR-US: Trend Micro (Windows) CVE-2006-6457 (tiki-wiki_rss.php in Tikiwiki 1.9.5, 1.9.2, and possibly other version ...) - tikiwiki (bug #404472) NOTE: Might be a mis-report, check with upstream CVE-2006-6456 (Unspecified vulnerability in Microsoft Word 2000, 2002, and 2003 and W ...) NOT-FOR-US: Microsoft Word CVE-2006-6455 (Multiple SQL injection vulnerabilities in admin/default.asp in DUware ...) NOT-FOR-US: DUware CVE-2006-6454 (execInBackground.php in J-OWAMP Web Interface 2.1b and earlier allows ...) NOT-FOR-US: J-OWAMP Web Interface CVE-2006-6453 (PHP remote file inclusion vulnerability in JOWAMP_ShowPage.php in J-OW ...) NOT-FOR-US: J-OWAMP Web Interface CVE-2006-6452 (Multiple cross-site scripting (XSS) vulnerabilities in the MyArticles ...) NOT-FOR-US: RunCMS CVE-2006-6451 (Multiple cross-site scripting (XSS) vulnerabilities in SWsoft Plesk 8. ...) NOT-FOR-US: Plesk CVE-2006-6450 (Multiple SQL injection vulnerabilities in dagent/downloadreport.asp in ...) NOT-FOR-US: Novell ZENworks Patch Management CVE-2006-6449 (Vt-Forum Lite 1.3 and earlier store sensitive information under the we ...) NOT-FOR-US: Vt-Forum Lite CVE-2006-6448 (Multiple SQL injection vulnerabilities in Vt-Forum Lite 1.3 and earlie ...) NOT-FOR-US: Vt-Forum CVE-2006-6447 (Multiple cross-site scripting (XSS) vulnerabilities in Vt-Forum Lite 1 ...) NOT-FOR-US: Vt-Forum Lite CVE-2006-6446 (SQL injection vulnerability in index.php in iWare Professional 5.0.4, ...) NOT-FOR-US: iWare Professional CVE-2006-6445 (Directory traversal vulnerability in error.php in Envolution 1.1.0 and ...) NOT-FOR-US: Envolution CVE-2006-6444 (Stack-based buffer overflow in Nostra DivX Player 2.1, 2.2.00.0, and p ...) NOT-FOR-US: Nostra DivX Player CVE-2006-6443 (Buffer overflow in the Novell Distributed Print Services (NDPS) Print ...) NOT-FOR-US: Novell Distributed Print Services CVE-2006-6442 (Stack-based buffer overflow in the SetClientInfo function in the CDDBC ...) NOT-FOR-US: America Online CVE-2006-6441 (Xerox WorkCentre and WorkCentre Pro before 12.050.03.000, 13.x before ...) NOT-FOR-US: Xerox WorkCentre and WorkCentre Pro CVE-2006-6440 (Multiple unspecified vulnerabilities in Xerox WorkCentre and WorkCentr ...) NOT-FOR-US: Xerox WorkCentre and WorkCentre Pro CVE-2006-6439 (Xerox WorkCentre and WorkCentre Pro before 12.050.03.000, 13.x before ...) NOT-FOR-US: Xerox WorkCentre and WorkCentre Pro CVE-2006-6438 (Xerox WorkCentre and WorkCentre Pro before 12.050.03.000, 13.x before ...) NOT-FOR-US: Xerox WorkCentre and WorkCentre Pro CVE-2006-6437 (ops3-dmn in Xerox WorkCentre and WorkCentre Pro before 12.050.03.000, ...) NOT-FOR-US: Xerox WorkCentre and WorkCentre Pro CVE-2006-6436 (Cross-site scripting (XSS) vulnerability in the Network controller in ...) NOT-FOR-US: Xerox WorkCentre and WorkCentre Pro CVE-2006-6435 (The SNMP implementation in Xerox WorkCentre and WorkCentre Pro before ...) NOT-FOR-US: Xerox WorkCentre and WorkCentre Pro CVE-2006-6434 (Unspecified vulnerability in the Web User Interface in Xerox WorkCentr ...) NOT-FOR-US: Xerox WorkCentre and WorkCentre Pro CVE-2006-6433 (Xerox WorkCentre and WorkCentre Pro before 12.060.17.000, 13.x before ...) NOT-FOR-US: Xerox WorkCentre and WorkCentre Pro CVE-2006-6432 (Unspecified vulnerability in the Scan-to-mailbox feature in Xerox Work ...) NOT-FOR-US: Xerox WorkCentre and WorkCentre Pro CVE-2006-6431 (Unspecified vulnerability in Xerox WorkCentre and WorkCentre Pro befor ...) NOT-FOR-US: Xerox WorkCentre and WorkCentre Pro CVE-2006-6430 (Web services in Xerox WorkCentre and WorkCentre Pro before 12.060.17.0 ...) NOT-FOR-US: Xerox WorkCentre and WorkCentre Pro CVE-2006-6429 (Xerox WorkCentre and WorkCentre Pro before 12.060.17.000, 13.x before ...) NOT-FOR-US: Xerox WorkCentre and WorkCentre Pro CVE-2006-6428 (Xerox WorkCentre and WorkCentre Pro before 12.060.17.000, 13.x before ...) NOT-FOR-US: Xerox WorkCentre and WorkCentre Pro CVE-2006-6427 (The Web User Interface in Xerox WorkCentre and WorkCentre Pro before 1 ...) NOT-FOR-US: Xerox WorkCentre and WorkCentre Pro CVE-2006-6426 (PHP remote file inclusion vulnerability in design/thinkedit/render.php ...) NOT-FOR-US: ThinkEdit CVE-2006-6425 (Stack-based buffer overflow in the IMAP daemon (IMAPD) in Novell NetMa ...) NOT-FOR-US: Novell NetMail CVE-2006-6424 (Multiple buffer overflows in Novell NetMail before 3.52e FTF2 allow re ...) NOT-FOR-US: Novell NetMail CVE-2006-6423 (Stack-based buffer overflow in the IMAP service for MailEnable Profess ...) NOT-FOR-US: MailEnable CVE-2006-6422 (Agileco AgileBill 1.4.x and AgileVoice 1.4.x do not properly handle ce ...) NOT-FOR-US: AgileBill AgileVoice CVE-2006-6421 (Cross-site scripting (XSS) vulnerability in the private message box im ...) - phpbb2 2.0.21-6 (medium) [sarge] - phpbb2 CVE-2006-6420 (Multiple cross-site scripting (XSS) vulnerabilities in jce.php in the ...) NOT-FOR-US: Joomla Content Editor (JCE) CVE-2006-6419 (jce.php in the JCE Admin Component in Ryan Demmer Joomla Content Edito ...) NOT-FOR-US: Joomla Content Editor (JCE) CVE-2006-6418 (Buffer overflow in the POSIX Threads library (libpthread) on HP Tru64 ...) NOT-FOR-US: HP Tru64 UNIX CVE-2006-6417 (PHP remote file inclusion vulnerability in inc/CONTROL/import/import-m ...) - b2evolution (vulnerable code added later) CVE-2006-6416 (Multiple PHP remote file inclusion vulnerabilities in PhpLeague - Univ ...) NOT-FOR-US: PhpLeague CVE-2006-6415 NOT-FOR-US: phpAdsNew CVE-2006-6414 (Multiple SQL injection vulnerabilities in dettaglio.asp in dol storye ...) NOT-FOR-US: dol storye CVE-2006-6413 (Cross-site scripting (XSS) vulnerability in Amateras sns 3.11 and earl ...) NOT-FOR-US: Amateras sns CVE-2006-6412 RESERVED CVE-2006-6411 (PhoneCtrl.exe in Linksys WIP 330 Wireless-G IP Phone 1.00.06A allows r ...) NOT-FOR-US: Linksys CVE-2006-6410 (Buffer overflow in an ActiveX control in VMWare 5.5.1 allows local use ...) NOT-FOR-US: VMWare CVE-2006-6409 (F-Secure Anti-Virus for Linux Gateways 4.65 allows remote attackers to ...) NOT-FOR-US: F-Secure CVE-2006-6408 (Kaspersky Anti-Virus for Linux Mail Servers 5.5.10 allows remote attac ...) NOT-FOR-US: Kaspersky CVE-2006-6407 (F-Prot Antivirus for Linux x86 Mail Servers 4.6.6 allows remote attack ...) NOT-FOR-US: F-Prot CVE-2006-6406 (Clam AntiVirus (ClamAV) 0.88.6 allows remote attackers to bypass virus ...) {DSA-1238-1} - clamav 0.88.7-1 (medium; bug #401873) CVE-2006-6405 (BitDefender Mail Protection for SMB 2.0 allows remote attackers to byp ...) NOT-FOR-US: BitDefender CVE-2006-6404 (INNOVATION Data Processing FDR/UPSTREAM 3.3.0 (GA Oct 2003) allows rem ...) NOT-FOR-US: Innovation Data Processing's FDR Backup CVE-2006-6403 (mystats.php in MyStats 1.0.8 and earlier allows remote attackers to ob ...) NOT-FOR-US: MyStats CVE-2006-6402 (SQL injection vulnerability in mystats.php in MyStats 1.0.8 and earlie ...) NOT-FOR-US: MyStats CVE-2006-6401 (Multiple cross-site scripting (XSS) vulnerabilities in mystats.php in ...) NOT-FOR-US: MyStats CVE-2006-6400 (Buffer overflow in JustSystems Hanako 2004 through 2006, Hanako viewer ...) NOT-FOR-US: JustSystems CVE-2006-6399 (SQL injection vulnerability in Superfreaker Studios UPublisher 1.0 all ...) NOT-FOR-US: Superfreaker Studios UPublisher CVE-2006-6398 (Multiple SQL injection vulnerabilities in Superfreaker Studios UPublis ...) NOT-FOR-US: Superfreaker Studios UPublisher CVE-2006-6397 NOTE: not a vuln CVE-2006-6396 (Stack-based buffer overflow in BlazeVideo HDTV Player 2.1, and possibl ...) NOT-FOR-US: BlazeVideo HDTV Player CVE-2006-6395 (Multiple memory leaks in Ulrik Petersen Emdros Database Engine before ...) NOT-FOR-US: Ulrik Petersen Emdros Database Engine CVE-2006-6394 (SQL injection vulnerability in certain database classes in Jonas Gauff ...) NOT-FOR-US: Jonas Gauffin Publicera CVE-2006-6393 (Cross-site scripting (XSS) vulnerability in Jonas Gauffin Publicera 1. ...) NOT-FOR-US: Jonas Gauffin Publicera CVE-2006-6392 (Directory traversal vulnerability in index.php in plx Web Studio (aka ...) NOT-FOR-US: plxWebDev CVE-2006-6391 (Multiple directory traversal vulnerabilities in Open Solution Quick.Ca ...) NOT-FOR-US: Open Solution Quick.Cart CVE-2006-6390 (Multiple directory traversal vulnerabilities in Open Solution Quick.Ca ...) NOT-FOR-US: Open Solution Quick.Cart CVE-2006-6389 (Multiple cross-site scripting (XSS) vulnerabilities in ac4p Mobile all ...) NOT-FOR-US: ac4p Mobile CVE-2006-6388 (Cross-site scripting (XSS) vulnerability in naprednaPretraga.php in LI ...) NOT-FOR-US: LINK Content Management Server CVE-2006-6387 (Multiple SQL injection vulnerabilities in LINK Content Management Serv ...) NOT-FOR-US: LINK Content Management Server CVE-2006-6386 (Cross-site scripting (XSS) vulnerability in the CVS management/tracker ...) NOT-FOR-US: CVS management/tracker (drupal plugin) CVE-2006-6384 (Absolute path traversal vulnerability in abitwhizzy.php before 2006120 ...) NOT-FOR-US: abitwhizzy.php CVE-2006-6383 (PHP 5.2.0 and 4.4 allows local users to bypass safe_mode and open_base ...) - php5 (unimportant) - php4 (unimportant) NOTE: safe-mode and basedir violations not treated as security issues CVE-2006-6382 (The control panel for Positive Software H-Sphere before 2.5.0 RC3 crea ...) NOT-FOR-US: Positive Software H-Sphere CVE-2006-6381 (Directory traversal vulnerability in getfile.asp in Ultimate HelpDesk ...) NOT-FOR-US: Ultimate HelpDesk CVE-2006-6380 (Cross-site scripting (XSS) vulnerability in index.asp in Ultimate Help ...) NOT-FOR-US: Ultimate HelpDesk CVE-2006-6379 (Buffer overflow in the BrightStor Backup Discovery Service in multiple ...) NOT-FOR-US: BrightStor Backup Discovery Service CVE-2006-6378 (BTSaveMySql 1.2 stores sensitive data under the web root with insuffic ...) NOT-FOR-US: BTSaveMySql CVE-2006-6377 (Uploadscript 1.2 and earlier stores sensitive data under the web root ...) NOT-FOR-US: Uploadscript CVE-2006-6376 (Multiple directory traversal vulnerabilities in fm.php in Simple File ...) NOT-FOR-US: Simple File Manager CVE-2006-6375 (Cross-site scripting (XSS) vulnerability in display.php in Simple Mach ...) NOT-FOR-US: Simple machines Forum CVE-2006-6374 (Multiple CRLF injection vulnerabilities in PhpMyAdmin 2.7.0-pl2 allow ...) - phpmyadmin (low; bug #404744) [sarge] - phpmyadmin (doesn't use sessions at all) [etch] - phpmyadmin (not exploitable with Etch's php versions) NOTE: not exploitable with PHP 5.1.2+ and 4.4.2+ NOTE: https://www.phpmyadmin.net/security/PMASA-2007-1/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/c9d93f63940fe960d3b6341d8bfb7b707c87e744 CVE-2006-6373 (PhpMyAdmin 2.7.0-pl2 allows remote attackers to obtain sensitive infor ...) - phpmyadmin 4:2.9.1.1-1 (unimportant) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/98575f4e563c9323df597e2a9783e637b00b87e9 NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/416285c4930ed24504edf58774384db4ffec1f86 NOTE: The commits are both the same but they seem to be cherry-picks one of the other at some point NOTE: https://www.phpmyadmin.net/security/PMASA-2006-8/ NOTE: path is known in Debian anyway CVE-2006-6372 (Multiple cross-site scripting (XSS) vulnerabilities in pbguestbook.php ...) NOT-FOR-US: JAB Guest Book CVE-2006-6371 (Cross-site scripting (XSS) vulnerability in pbguestbook.php in JAB Gue ...) NOT-FOR-US: JAB Guest Book CVE-2006-6370 (SQL injection vulnerability in forum/modules/gallery/post.php in Invis ...) NOT-FOR-US: Invision Gallery CVE-2006-6369 (SQL injection vulnerability in lib/entry_reply_entry.php in Invision C ...) NOT-FOR-US: Invision Community Blog Mod CVE-2000-1242 (The HTTP service in American Power Conversion (APC) PowerChute uses a ...) NOT-FOR-US: APC PowerChute CVE-2006-6385 (Stack-based buffer overflow in Intel PRO 10/100, PRO/1000, and PRO/10G ...) NOT-FOR-US: Affects only Windows despite other claims CVE-2006-6368 (PHP remote file inclusion vulnerability in login.php.inc in awrate 1.0 ...) NOT-FOR-US: awrate CVE-2006-6367 (Multiple SQL injection vulnerabilities in detail.asp in DUware DUdownl ...) NOT-FOR-US: Duware CVE-2006-6366 (Cross-site scripting (XSS) vulnerability in includes/elements/spellche ...) NOT-FOR-US: Cerberus Helpdesk CVE-2006-6365 (SQL injection vulnerability in detail.asp in DUware DUpaypal 3.1, and ...) NOT-FOR-US: Duware CVE-2006-6364 (Cross-site scripting (XSS) vulnerability in error.php in Inside System ...) NOT-FOR-US: Inside Systems Mail (ISMail) CVE-2006-6363 (Cross-site scripting (XSS) vulnerability in admin.pl in BlueSocket Sec ...) NOT-FOR-US: BlueSocket Secure Controller CVE-2006-6362 REJECTED CVE-2006-6361 (Heap-based buffer overflow in the uploadprogress_php_rfc1867_file func ...) NOT-FOR-US: Bitflux Upload Progress Mete CVE-2006-6360 (PHP remote file inclusion vulnerability in activate.php in PHP Upload ...) NOT-FOR-US: PHP Upload Center CVE-2006-6359 (Cross-site scripting (XSS) vulnerability in Stefan Frech online-bookma ...) NOT-FOR-US: Stefan Frech online-bookmarks CVE-2006-6358 (SQL injection vulnerability in the login function in auth.inc in Stefa ...) NOT-FOR-US: Stefan Frech online-bookmarks CVE-2006-6357 (Cross-site scripting (XSS) vulnerability in templates/cat_temp.php in ...) NOT-FOR-US: PHPNews CVE-2006-6356 (Multiple cross-site scripting (XSS) vulnerabilities in templates/link_ ...) NOT-FOR-US: PHPNews CVE-2006-6355 (SQL injection vulnerability in default.asp in DuWare DuClassmate allow ...) NOT-FOR-US: DuWare CVE-2006-6354 (Multiple SQL injection vulnerabilities in detail.asp in DuWare DuNews ...) NOT-FOR-US: DuWare CVE-2006-6353 (Multiple unspecified vulnerabilities in BOMArchiveHelper in Mac OS X a ...) NOT-FOR-US: Mac OS X CVE-2006-6352 (FRISK Software F-Prot Antivirus before 4.6.7 allows user-assisted remo ...) NOT-FOR-US: F-Prot Antivirus CVE-2006-6351 (KhaledMuratList stores sensitive data under the web root with insuffic ...) NOT-FOR-US: KhaledMuratList CVE-2006-6350 (listpics 5 stores sensitive data under the web root with insufficient ...) NOT-FOR-US: listpics 5 CVE-2006-6349 (Multiple SQL injection vulnerabilities in PWP Technologies The Classif ...) NOT-FOR-US: PWP Technologies The Classified Ad System CVE-2006-6348 (Cross-site scripting (XSS) vulnerability in board.php in mowdBB RC-6 a ...) NOT-FOR-US: mowdBB CVE-2006-6347 (Unrestricted file upload vulnerability in TFT-Gallery allows remote au ...) NOT-FOR-US: TFT-Gallery CVE-2006-6346 (Unspecified vulnerability in SAP Internet Graphics Service (IGS) 6.40 ...) NOT-FOR-US: SAP CVE-2006-6345 (Directory traversal vulnerability in SAP Internet Graphics Service (IG ...) NOT-FOR-US: SAP CVE-2006-6344 (Multiple unspecified vulnerabilities in Neocrome Seditio 1.10 and earl ...) NOT-FOR-US: Neocrome Seditio CVE-2006-6343 (SQL injection vulnerability in polls.php in Neocrome Seditio 1.10 and ...) NOT-FOR-US: Neocrome Seditio CVE-2006-6342 (Multiple SQL injection vulnerabilities in KLF-DESIGN (aka Kim L. Frase ...) NOT-FOR-US: KLF-DESIGN CVE-2006-6341 (Multiple PHP remote file inclusion vulnerabilities in mg.applanix 1.3. ...) NOT-FOR-US: mg.applanix CVE-2006-6340 (keystone.exe in nVIDIA nView allows attackers to cause a denial of ser ...) NOT-FOR-US: nVIDIA nView CVE-2006-6339 (SQL injection vulnerability in sites/index.php in deV!L`z Clanportal ( ...) NOT-FOR-US: deV!L`z Clanportal CVE-2006-6338 (Unrestricted file upload vulnerability in upload/index.php in deV!L`z ...) NOT-FOR-US: deV!L`z Clanportal CVE-2006-6337 (Multiple SQL injection vulnerabilities in giris.asp in Aspee and Dogan ...) NOT-FOR-US: Aspee Ziyaretci Defteri CVE-2006-6336 (Heap-based buffer overflow in the Mail Management Server (MAILMA.exe) ...) NOT-FOR-US: Eudora WorldMail CVE-2006-6335 (Multiple buffer overflows in Sophos Anti-Virus scanning engine before ...) NOT-FOR-US: Sophos Anti-Virus CVE-2006-6334 (Heap-based buffer overflow in the SendChannelData function in wfica.oc ...) NOT-FOR-US: Citrix Presentation Server Client CVE-2006-6333 (The tr_rx function in ibmtr.c for Linux kernel 2.6.19 assigns the wron ...) - linux-2.6 2.6.20-1 [etch] - linux-2.6 (Only affects 2.6.19, introduced after 2.6.18) CVE-2006-6332 (Stack-based buffer overflow in net80211/ieee80211_wireless.c in MadWif ...) - madwifi 1:0.9.2+r1842.20061207-2 (high; bug #402836; bug #402111) [etch] - madwifi (Non-free not supported) CVE-2006-6331 (metaInfo.php in TorrentFlux 2.2, when $cfg["enable_file_priority"] is ...) - torrentflux 2.1-7 (bug #400582; medium) CVE-2006-6330 (index.php for TorrentFlux 2.2 allows remote registered users to execut ...) - torrentflux 2.1-6 (bug #399169; medium) CVE-2006-6329 (index.php for TorrentFlux 2.2 allows remote attackers to delete files ...) - torrentflux 2.1-6 (bug #399169) CVE-2006-6328 (Directory traversal vulnerability in index.php for TorrentFlux 2.2 all ...) - torrentflux 2.1-5 (bug #395930; medium) NOTE: duplicate of CVE-2006-5609 CVE-2006-6327 RESERVED CVE-2006-6326 RESERVED CVE-2006-6325 RESERVED CVE-2006-6324 RESERVED CVE-2006-6323 RESERVED CVE-2006-6322 RESERVED CVE-2006-6321 RESERVED CVE-2006-6320 RESERVED CVE-2006-6319 RESERVED CVE-2006-6318 (The show_elog_list function in elogd.c in elog 2.6.2 and earlier allow ...) {DSA-1242-1} - elog 2.6.2+r1754-1 CVE-2006-6317 RESERVED CVE-2006-6316 RESERVED CVE-2006-6315 RESERVED CVE-2006-6314 RESERVED CVE-2006-6313 RESERVED CVE-2006-6312 RESERVED CVE-2006-6311 (Microsoft Internet Explorer 6.0.2900.2180 allows remote attackers to c ...) NOT-FOR-US: Microsoft CVE-2006-6310 (Microsoft Internet Explorer 6.0 SP1 and earlier allows remote attacker ...) NOT-FOR-US: Microsoft CVE-2006-6309 (Multiple array index errors in IBM Tivoli Storage Manager (TSM) before ...) NOT-FOR-US: Tivoli CVE-2006-6308 NOT-FOR-US: Symantec LiveState CVE-2006-6307 (srvloc.sys in Novell Client for Windows before 4.91 SP3 allows remote ...) NOT-FOR-US: Novell Netware CVE-2006-6306 (Format string vulnerability in Novell Modular Authentication Services ...) NOT-FOR-US: Novell Netware CVE-2006-6305 (Unspecified vulnerability in Net-SNMP 5.3 before 5.3.0.1, when configu ...) - net-snmp (Only affects version 5.3.0) CVE-2006-6304 (The do_coredump function in fs/exec.c in the Linux kernel 2.6.19 sets ...) - linux-2.6 (Only affects plain 2.6.19) CVE-2006-6303 (The read_multipart function in cgi.rb in Ruby before 1.8.5-p2 does not ...) NOTE: http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/ - ruby1.8 1.8.5-4 (low) CVE-2006-6300 (Cross-site scripting (XSS) vulnerability in CuteNews 1.3.6 allows remo ...) NOT-FOR-US: CuteNews CVE-2006-6299 (Integer overflow in Msg.dll in Novell ZENworks 7 Asset Management (ZAM ...) NOT-FOR-US: Novell ZENworks CVE-2006-6298 (SQL injection vulnerability in uye_giris_islem.asp in Metyus Okul Yone ...) NOT-FOR-US: Metyus Okul Yonetim Sistemi CVE-2006-6297 (Stack consumption vulnerability in the KFILE JPEG (kfile_jpeg) plugin ...) - kdegraphics (unimportant) NOTE: Generic bug, treating it as a security problem is quite a stretch CVE-2006-6296 (The RpcGetPrinterData function in the Print Spooler (spoolsv.exe) serv ...) NOT-FOR-US: Microsoft CVE-2006-6295 (PHP remote file inclusion vulnerability in includes/mx_common.php in t ...) NOT-FOR-US: MxBB Portal CVE-2006-6294 (Multiple unspecified vulnerabilities in FRISK Software F-Prot Antiviru ...) NOT-FOR-US: F-Prot Antivirus CVE-2006-6293 (Heap-based buffer overflow in FRISK Software F-Prot Antivirus before 4 ...) NOT-FOR-US: F-Prot Antivirus CVE-2006-6292 (Apple Airport Extreme firmware 0.1.27 in Mac OS X 10.4.8 on Mac mini, ...) NOT-FOR-US: Apple Airport CVE-2006-6291 (Stack overflow in the IMAP module (MEIMAPS.EXE) in MailEnable Professi ...) NOT-FOR-US: MailEnable Professional CVE-2006-6290 (Multiple stack-based buffer overflows in the IMAP module (MEIMAPS.EXE) ...) NOT-FOR-US: MailEnable CVE-2006-6289 (Woltlab Burning Board (wBB) Lite 1.0.2 does not properly unset variabl ...) NOT-FOR-US: Woltlab Burning Board CVE-2006-6288 (Multiple buffer overflows in Niek Albers CoolPlayer 216 and earlier al ...) NOT-FOR-US: Niek Albers CoolPlayer CVE-2006-6287 (Stack-based buffer overflow in AtomixMP3 2.3 and earlier allows remote ...) NOT-FOR-US: AtomixMP3 CVE-2006-6286 (Palm Desktop 4.1.4 and earlier stores user data with weak permissions ...) NOT-FOR-US: Palm Desktop CVE-2006-6285 NOT-FOR-US: Kai Blankenhorn Bitfolge CVE-2006-6284 (Directory traversal vulnerability in admin.php in Vikingboard 0.1.2 al ...) NOT-FOR-US: Vikingboard CVE-2006-6283 (Multiple cross-site scripting (XSS) vulnerabilities in Vikingboard 0.1 ...) NOT-FOR-US: Vikingboard CVE-2006-6282 (members.php in Vikingboard 0.1.2 allows remote attackers to trigger a ...) NOT-FOR-US: Vikingboard CVE-2006-6281 (PHP remote file inclusion vulnerability in check_status.php in dicshun ...) NOT-FOR-US: dicshunary CVE-2006-6280 (SQL injection vulnerability in viewthread.php in Oxygen (O2PHP Bulleti ...) NOT-FOR-US: Oxygen (O2PHP Bulletin Board) CVE-2006-6279 (index.php in @lex Guestbook 4.0.1 allows remote attackers to obtain se ...) NOT-FOR-US: @lex Guestbook CVE-2006-6278 (Cross-site scripting (XSS) vulnerability in index.php in @lex Guestboo ...) NOT-FOR-US: @lex Guestbook CVE-2006-6277 (Directory traversal vulnerability in admin/FileServer.php in ContentSe ...) NOT-FOR-US: ContentServ CVE-2006-6276 (HTTP request smuggling vulnerability in Sun Java System Proxy Server b ...) NOT-FOR-US: Sun Java System Proxy Server CVE-2006-6275 (Race condition in the kernel in Sun Solaris 8 through 10 allows local ...) NOT-FOR-US: Solaris CVE-2006-6274 (SQL injection vulnerability in articles.asp in Expinion.net iNews (1) ...) NOT-FOR-US: Expinion.net iNews CVE-2006-6302 (fail2ban 0.7.4 and earlier does not properly parse sshd log files, whi ...) - fail2ban (looks fixed in 0.6, see #401793) CVE-2006-6301 (DenyHosts 2.5 does not properly parse sshd log files, which allows rem ...) - denyhosts 2.6-1 (medium; bug #401795) CVE-2006-6273 (sp_index.php in Simple PHP Gallery 1.1 allows remote attackers to obta ...) NOT-FOR-US: Simple PHP Gallery CVE-2006-6272 (Cross-site scripting (XSS) vulnerability in sp_index.php in Simple PHP ...) NOT-FOR-US: Simple PHP Gallery CVE-2006-6271 (Multiple cross-site scripting (XSS) vulnerabilities in PHPOLL 0.96 all ...) NOT-FOR-US: PHPOLL CVE-2006-6270 (Multiple SQL injection vulnerabilities in ASPMForum allow remote attac ...) NOT-FOR-US: ASPMForum CVE-2006-6269 (Multiple SQL injection vulnerabilities in Infinitytechs Restaurants CM ...) NOT-FOR-US: Infinitytechs Restaurants CM CVE-2006-6268 (SQL injection vulnerability in system/core/profile/profile.inc.php in ...) NOT-FOR-US: Neocrome Land Down Under CVE-2006-6267 (PostNuke 0.7.5.0, and certain minor versions, allows remote attackers ...) NOT-FOR-US: PostNuke CVE-2006-6266 (Teredo clients, when following item 6 of RFC4380 section 5.2.3, start ...) NOTE: It seems that no significant packet amplification takes place. NOTE: Probably harmless. CVE-2006-6265 (Teredo clients, when located behind a restricted NAT, allow remote att ...) NOTE: Potential firewall bypass is inherent to tunneling software. NOTE: Not a bug. CVE-2006-6264 (Teredo creates trusted peer entries for arbitrary incoming source Tere ...) NOTE: Potential firewall bypass is inherent to tunneling software. NOTE: Not a bug. CVE-2006-6263 (Teredo clients, when source routing is enabled, recognize a Routing he ...) NOTE: Potential firewall bypass is inherent to tunneling software. NOTE: Not a bug. CVE-2006-6262 (Directory traversal vulnerability in mboard.php in PHPJunkYard (aka Kl ...) NOT-FOR-US: PHPJunkYard MBoard CVE-2006-6261 (Buffer overflow in Quintessential Player 4.50.1.82 and earlier allows ...) NOT-FOR-US: Quintessential Player CVE-2006-6260 (SQL injection vulnerability in login.asp in Redbinaria Sistema Integra ...) NOT-FOR-US: Redbinaria Sistema Integrado de Administracion de Portales (SIAP) CVE-2006-6259 (Multiple directory traversal vulnerabilities in (a) class/functions.ph ...) NOT-FOR-US: AlternC CVE-2006-6258 (The phpmyadmin subsystem in AlternC 0.9.5 and earlier transmits the SQ ...) NOT-FOR-US: AlternC CVE-2006-6257 (The file manager in AlternC 0.9.5 and earlier, when warnings are enabl ...) NOT-FOR-US: AlternC CVE-2006-6256 (Cross-site scripting (XSS) vulnerability in the file manager in admin/ ...) NOT-FOR-US: AlternC CVE-2006-6255 (Direct static code injection vulnerability in util.php in the NukeAI 0 ...) NOT-FOR-US: NukeAI CVE-2006-6254 (administration/telecharger.php in Cahier de texte 2.0 allows remote at ...) NOT-FOR-US: Cahier de texte CVE-2006-6253 (Cahier de texte 2.0 stores sensitive information under the web root, p ...) NOT-FOR-US: Cahier de texte CVE-2006-6252 (Microsoft Windows Live Messenger 8.0 and earlier, when gestual emotico ...) NOT-FOR-US: Microsoft Windows Live Messenger CVE-2006-6251 (Stack-based buffer overflow in VUPlayer 2.44 and earlier allows remote ...) NOT-FOR-US: VUPlayer CVE-2006-6250 (Format string vulnerability in Songbird Media Player 0.2 and earlier a ...) NOT-FOR-US: Songbird Media Player CVE-2006-6249 (Cross-site scripting (XSS) vulnerability in Chama Cargo 4.36 and earli ...) NOT-FOR-US: Chama Cargo CVE-2006-6248 (index.php in GPhotos 1.5 allows remote attackers to obtain sensitive i ...) NOT-FOR-US: GPhotos CVE-2006-6247 (Multiple SQL injection vulnerabilities in Uapplication UPhotoGallery 1 ...) NOT-FOR-US: UPhotoGallery CVE-2006-6246 (Photo Organizer 2.32b and earlier does not properly check the ownershi ...) NOT-FOR-US: Photo Organizer CVE-2006-6245 (Multiple SQL injection vulnerabilities in Photo Organizer (PO) 2.32b a ...) NOT-FOR-US: Photo Organizer CVE-2006-6244 (Coalescent Systems freePBX (formerly Asterisk Management Portal) befor ...) NOT-FOR-US: Coalescent Systems freePBX CVE-2006-6243 (Multiple SQL injection vulnerabilities in index.asp in FipsSHOP allow ...) NOT-FOR-US: FipsSHOP CVE-2006-6242 (Multiple directory traversal vulnerabilities in Serendipity 1.0.3 and ...) - serendipity 1.0.4-1 (unimportant; bug #401614) NOTE: Only exploitable with register_globals CVE-2006-6241 (Sorin Chitu Telnet-FTP Server 1.0 allows remote authenticated users to ...) NOT-FOR-US: Sorin Chitu Telnet-FTP Server CVE-2006-6240 (Directory traversal vulnerability in Sorin Chitu Telnet-FTP Server 1.0 ...) NOT-FOR-US: Sorin Chitu Telnet-FTP Server CVE-2006-6239 (webadmin in MailEnable NetWebAdmin Professional 2.32 and Enterprise 2. ...) NOT-FOR-US: MailEnable NetWebAdmin CVE-2006-6238 (The AutoFill feature in Apple Safari 2.0.4 does not properly verify th ...) NOT-FOR-US: Apple Safari CVE-2006-6237 (SQL injection vulnerability in the decode_cookie function in thread.ph ...) NOT-FOR-US: Woltlab Burning Board Lite CVE-2006-6236 (Adobe Reader (Adobe Acrobat Reader) 7.0 through 7.0.8 allows remote at ...) NOT-FOR-US: Acrobat Reader CVE-2006-6235 (A "stack overwrite" vulnerability in GnuPG (gpg) 1.x before 1.4.6, 2.x ...) {DSA-1231-1} - gnupg 1.4.6-1 (high; bug #401894; bug #401898; bug #401914) - gnupg2 2.0.0-5.2 (high; bug #401895; bug #401913) CVE-2006-6234 (Multiple SQL injection vulnerabilities in the Content module in PHP-Nu ...) NOT-FOR-US: PHP-Nuke CVE-2006-6233 (SQL injection vulnerability in the Downloads module for unknown versio ...) NOT-FOR-US: PostNuke CVE-2006-6232 (PHP remote file inclusion vulnerability in admin/index.php in DreamAcc ...) NOT-FOR-US: DreamAccount CVE-2006-6231 (vuBB 0.2.1 and earlier allows remote attackers to obtain sensitive inf ...) NOT-FOR-US: VuBB CVE-2006-6230 (SQL injection vulnerability in vuBB 0.2.1 and earlier allows remote at ...) NOT-FOR-US: VuBB CVE-2006-6229 (Codewalkers ltwCalendar (aka PHP Event Calendar) before 4.2.1 logs fai ...) NOT-FOR-US: Codewalkers ltwCalendar CVE-2006-6228 (Cross-site scripting (XSS) vulnerability in Codewalkers ltwCalendar (a ...) NOT-FOR-US: Codewalkers ltwCalendar CVE-2006-6227 (The Core::Receive function in neonet/core.cpp for NeoEngine 0.8.2 and ...) NOT-FOR-US: NeoEngine CVE-2006-6226 (Multiple format string vulnerabilities in NeoEngine 0.8.2 and earlier, ...) NOT-FOR-US: NeoEngine CVE-2006-6225 (Multiple PHP remote file inclusion vulnerabilities in GeekLog 1.4 allo ...) NOT-FOR-US: GeekLog CVE-2006-6224 (PHP remote file inclusion vulnerability in the installation scripts in ...) NOT-FOR-US: Puntal CVE-2006-6223 (Cross-site scripting (XSS) vulnerability in Google Search Appliance an ...) NOT-FOR-US: Google Search Appliance CVE-2006-6222 (Stack-based buffer overflow in the NetBackup bpcd daemon (bpcd.exe) in ...) NOT-FOR-US: Symantec Veritas NetBackup CVE-2006-6221 (2X ThinClientServer Enterprise Edition before 4.0.2248 allows remote a ...) NOT-FOR-US: 2X ThinClientServer Enterprise Edition CVE-2006-6220 (Multiple SQL injection vulnerabilities in Recipes Website (Recipes Com ...) NOT-FOR-US: Recipes Complete Website CVE-2006-6219 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in de ...) NOT-FOR-US: dev4u CMS CVE-2006-6218 (Multiple SQL injection vulnerabilities in index.php in dev4u CMS allow ...) NOT-FOR-US: dev4u CMS CVE-2006-6217 (PHP remote file inclusion vulnerability in formdisp.php in the Mermaid ...) NOT-FOR-US: Mermaid module for PHP-NUKE CVE-2006-6216 (SQL injection vulnerability in admin_hacks_list.php in the Nivisec Hac ...) NOT-FOR-US: Nivisec Hacks List CVE-2006-6215 (Multiple SQL injection vulnerabilities in Wallpaper Website (Wallpaper ...) NOT-FOR-US: Wallpaper Complete Website CVE-2006-6214 (SQL injection vulnerability in wallpaper.php in Wallpaper Website (Wal ...) NOT-FOR-US: Wallpaper Complete Website CVE-2006-6213 (index.php in PEGames uses the extract function to overwrite critical v ...) NOT-FOR-US: PEGames CVE-2006-6212 (PHP remote file inclusion vulnerability in centre.php in Site News (si ...) NOT-FOR-US: Site News CVE-2006-6211 (Multiple cross-site scripting (XSS) vulnerabilities in BirdBlog 1.4.0 ...) NOT-FOR-US: BirdBlog CVE-2006-6210 (SQL injection vulnerability in listpics.asp in ASP ListPics 5.0 allows ...) NOT-FOR-US: ASP ListPics CVE-2006-6209 (Multiple SQL injection vulnerabilities in MidiCart ASP Shopping Cart a ...) NOT-FOR-US: MidiCart ASP Shopping Cart CVE-2006-6208 (Multiple SQL injection vulnerabilities in Enthrallweb eClassifieds all ...) NOT-FOR-US: Enthreallweb eClassifieds CVE-2006-6207 NOT-FOR-US: Evolve Merchant CVE-2006-6206 (SQL injection vulnerability in item.asp in WarHound General Shopping C ...) NOT-FOR-US: WarHound General Shopping Cart CVE-2006-6205 (Multiple cross-site scripting (XSS) vulnerabilities in result.asp in E ...) NOT-FOR-US: Enthrallweb eHomes CVE-2006-6204 (Multiple SQL injection vulnerabilities in Enthrallweb eHomes allow rem ...) NOT-FOR-US: Enthrallweb eHomes CVE-2006-6203 (Directory traversal vulnerability in startdown.php in the Flyspray ME ...) NOT-FOR-US: Flyspray componenten for Mamba, this appears to be different from the Flyspray bug tracker CVE-2006-6202 (PHP remote file inclusion vulnerability in modules/NukeAI/util.php in ...) NOT-FOR-US: PHP-Nuke CVE-2006-6201 (Heap-based buffer overflow in Borland idsql32.dll 5.1.0.4, as used by ...) NOT-FOR-US: Borland idsql32.dll CVE-2006-6200 (Multiple SQL injection vulnerabilities in the (1) rate_article and (2) ...) NOT-FOR-US: PHP-Nuke CVE-2006-6199 (Stack-based buffer overflow in BlazeVideo BlazeDVD Standard and Profes ...) NOT-FOR-US: BlazeVideo BlazeDVD CVE-2006-6198 (Multiple cross-site scripting (XSS) vulnerabilities in cPanel WebHost ...) NOT-FOR-US: cPanel CVE-2006-6197 (Multiple cross-site scripting (XSS) vulnerabilities in b2evolution 1.8 ...) - b2evolution (0.9 releases not vulnerable) CVE-2006-6196 (Cross-site scripting (XSS) vulnerability in the search functionality i ...) NOT-FOR-US: Fixit iDMS Pro Image Gallery CVE-2006-6195 (Multiple SQL injection vulnerabilities in Fixit iDMS Pro Image Gallery ...) NOT-FOR-US: Fixit iDMS Pro Image Gallery CVE-2006-6194 (Multiple SQL injection vulnerabilities in index.asp in Ultimate Survey ...) NOT-FOR-US: Ultimate Survey Pro CVE-2006-6193 (SQL injection vulnerability in edit.asp in BasicForum 1.1 and earlier ...) NOT-FOR-US: BasicForum CVE-2006-6192 (Unspecified scripts in the admin directory in 8pixel.net SimpleBlog 3. ...) NOT-FOR-US: 8pixel.net SimpleBlog CVE-2006-6191 (SQL injection vulnerability in admin/edit.asp in 8pixel.net simpleblog ...) NOT-FOR-US: 8pixel.net SimpleBlog CVE-2006-6190 (SQL injection vulnerability in anna.pl in Anna^ IRC Bot before 0.30 (a ...) NOT-FOR-US: Anna^ IRC Bot CVE-2006-6189 (SQL injection vulnerability in displayCalendar.asp in ClickTech Click ...) NOT-FOR-US: ClickTech Click Blog CVE-2006-6188 (Cross-site scripting (XSS) vulnerability in view_search.asp in ClickTe ...) NOT-FOR-US: ClickTech Click Gallery CVE-2006-6187 (Multiple SQL injection vulnerabilities in ClickTech Click Gallery allo ...) NOT-FOR-US: ClickTech Click Gallery CVE-2006-6186 (Multiple directory traversal vulnerabilities in enomphp 4.0 allow remo ...) NOT-FOR-US: enomphp CVE-2006-6185 (Directory traversal vulnerability in script.php in Wabbit PHP Gallery ...) NOT-FOR-US: Wabbit PHP Gallery CVE-2006-6184 (Multiple stack-based buffer overflows in Allied Telesyn TFTP Server (A ...) NOT-FOR-US: Allied Telesyn TFTP Server CVE-2006-6183 (Multiple stack-based buffer overflows in 3Com 3CTftpSvc 2.0.1, and pos ...) NOT-FOR-US: 3Com 3CTftpSvc CVE-2006-6182 (The Gabriele Teotino GNotebook 0.7.0.1 gadget for Google Desktop store ...) NOT-FOR-US: Gabriele Teotino GNotebook CVE-2006-6181 (Multiple SQL injection vulnerabilities in default.asp in ClickTech Cli ...) NOT-FOR-US: ClickTech ClickContact CVE-2006-6180 (Cross-site scripting (XSS) vulnerability in articles.asp in Expinion.n ...) NOT-FOR-US: iNews Publisher CVE-2006-6179 (Buffer overflow in PCCSRV\Web_console\RemoteInstallCGI\CgiRemoteInstal ...) NOT-FOR-US: Trend Micro OfficeScan CVE-2006-6178 (Buffer overflow in PCCSRV\Web_console\RemoteInstallCGI\Wizard.exe for ...) NOT-FOR-US: Trend Micro OfficeScan CVE-1999-1590 (Directory traversal vulnerability in Muhammad A. Muquit wwwcount (Coun ...) NOT-FOR-US: Muhammad A. Muquit wwwcoun CVE-2006-XXXX [libxslt segfault / DoS] - libxslt 1.1.19-1 (low) [sarge] - libxslt (vulnerability added later) CVE-2006-6177 (SQL injection vulnerability in system/core/users/users.profile.inc.php ...) NOT-FOR-US: Neocrome Seditio CVE-2006-6176 (Cross-site scripting (XSS) vulnerability in admin.php in Blogn before ...) NOT-FOR-US: Blogn CVE-2006-6175 (Directory traversal vulnerability in lib/FBView.php in Horde Kronolith ...) - kronolith2 2.1.4-1 (bug #400899; bug #401061) - kronolith (Vulnerable code not present) CVE-2006-6174 (Cross-site scripting (XSS) vulnerability in tDiary before 2.0.3 and 2. ...) - tdiary 2.0.2+20060303-4.1 (bug #400447; bug #400650) CVE-2006-6173 (Buffer overflow in the shared_region_make_private_np function in vm/vm ...) NOT-FOR-US: Mac OS X CVE-2006-6172 (Buffer overflow in the asmrp_eval function in the RealMedia RTSP strea ...) {DSA-1244-1} - xine-lib 1.1.2+dfsg-2 (medium; bug #401740) - mplayer 1.0~rc1-11 (medium) CVE-2006-6171 {DSA-1218} - proftpd-dfsg 1.3.0-13 (low; bug #399070) CVE-2006-6170 (Buffer overflow in the tls_x509_name_oneline function in the mod_tls m ...) {DSA-1222-1} - proftpd-dfsg 1.3.0-16 (medium; bug #400793) CVE-2003-1310 (The DeviceIoControl function in the Norton Device Driver (NAVAP.sys) i ...) NOT-FOR-US: Norton CVE-2003-1309 (The DeviceIoControl function in the TrueVector Device Driver (VSDATANT ...) NOT-FOR-US: ZoneAlarm CVE-2006-6168 (tiki-register.php in TikiWiki before 1.9.7 allows remote attackers to ...) - tikiwiki 1.9.7+dfsg-1 (low) CVE-2006-6167 NOT-FOR-US: Active PHP Bookmarks CVE-2006-6166 (Cross-site scripting (XSS) vulnerability in jce.php in the JCE Admin C ...) NOT-FOR-US: Joomla Content Editor (JCE) for Joomla! CVE-2006-6165 NOTE: non-issue CVE-2006-6164 (The _dl_unsetenv function in loader.c in the ELF ld.so in OpenBSD 3.9 ...) NOT-FOR-US: OpenBSD CVE-2006-6163 (Cross-site scripting (XSS) vulnerability in tiki-setup_base.php in Tik ...) - tikiwiki 1.9.7+dfsg-1 (low) CVE-2006-6162 (Cross-site scripting (XSS) vulnerability in tiki-edit_structures.php i ...) - tikiwiki 1.9.7+dfsg-1 (low) CVE-2006-6161 (Multiple SQL injection vulnerabilities in Doug Luxem Liberum Help Desk ...) NOT-FOR-US: Doug Luxem Liberum Help Desk CVE-2006-6160 (SQL injection vulnerability in details.asp in Doug Luxem Liberum Help ...) NOT-FOR-US: Doug Luxem Liberum Help Desk CVE-2006-6159 (Multiple cross-site scripting (XSS) vulnerabilities in newticket.php i ...) NOT-FOR-US: DeskPRO CVE-2006-6158 (Multiple cross-site scripting (XSS) vulnerabilities in (a) PMOS Help D ...) NOT-FOR-US: PMOS Help Desk CVE-2006-6157 (SQL injection vulnerability in index.php in ContentNow 1.39 and earlie ...) NOT-FOR-US: ContentNow CVE-2006-6156 (Cross-site scripting (XSS) vulnerability in auth/message.php in HIOX S ...) NOT-FOR-US: HIOX Star Rating System Script (HSRS) CVE-2006-6155 (Multiple SQL injection vulnerabilities in addrating.php in HIOX Star R ...) NOT-FOR-US: HIOX Star Rating System Script (HSRS) CVE-2006-6154 (PHP remote file inclusion vulnerability in addcode.php in HIOX Star Ra ...) NOT-FOR-US: HIOX Star Rating System Script (HSRS) CVE-2006-6153 (Multiple cross-site scripting (XSS) vulnerabilities in vSpin.net Class ...) NOT-FOR-US: vSpin.net CVE-2006-6152 (Multiple SQL injection vulnerabilities in vSpin.net Classified System ...) NOT-FOR-US: vSpin.net CVE-2006-6151 (PHP remote file inclusion vulnerability in centre.php in Messagerie Lo ...) NOT-FOR-US: Messagerie Locale CVE-2006-6150 (PHP remote file inclusion vulnerability in memory/OWLMemoryProperty.ph ...) NOT-FOR-US: OWLLib CVE-2006-6149 (SQL injection vulnerability in index.asp in JiRos FAQ Manager 1.0 allo ...) NOT-FOR-US: JiRos FAQ Manager CVE-2006-6148 (Multiple cross-site scripting (XSS) vulnerabilities in submitlink.asp ...) NOT-FOR-US: JiRos FAQ Manager CVE-2006-6147 (Multiple SQL injection vulnerabilities in JiRos Links Manager allow re ...) NOT-FOR-US: JiRos Links Manager CVE-2006-6146 (Buffer overflow in the HPDF_Page_Circle function in hpdf_page_operator ...) NOT-FOR-US: libharu CVE-2006-6145 (CRYPTOCard CRYPTO-Server before 6.4.56 stores LDAP credentials in plai ...) NOT-FOR-US: CRYPTOCard CVE-2006-6144 (The "mechglue" abstraction interface of the GSS-API library for Kerber ...) - krb5 (Only 1.5 onwards are vulnerable) CVE-2006-6143 (The RPC library in Kerberos 5 1.4 through 1.4.4, and 1.5 through 1.5.1 ...) - krb5 1.4.4-6 (high) [sarge] - krb5 CVE-2006-6142 (Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1. ...) {DSA-1241-1} - squirrelmail 2:1.4.9a-1 CVE-2006-6141 (Buffer overflow in Tftpd32 3.01 allows remote attackers to cause a den ...) NOT-FOR-US: Tftpd32 CVE-2006-6140 (PHP remote file inclusion vulnerability in Sisfo Kampus 2006 (Semarang ...) NOT-FOR-US: Sisfo Kampus CVE-2006-6139 (Directory traversal vulnerability in downloadexcel.php in Sisfo Kampus ...) NOT-FOR-US: Sisfo Kampus CVE-2006-6138 (Directory traversal vulnerability in download.php in Sisfo Kampus 0.8 ...) NOT-FOR-US: Sisfo Kampus CVE-2006-6137 (Multiple PHP remote file inclusion vulnerabilities in Sisfo Kampus 0.8 ...) NOT-FOR-US: Sisfo Kampus CVE-2006-6136 (IBM WebSphere Application Server 6.1.0 before Fix Pack 3 (6.1.0.3) doe ...) NOT-FOR-US: IBM WebSphere CVE-2006-6135 (Multiple unspecified vulnerabilities in IBM WebSphere Application Serv ...) NOT-FOR-US: IBM WebSphere CVE-2006-6134 (Heap-based buffer overflow in the WMCheckURLScheme function in WMVCORE ...) NOT-FOR-US: Windows Media CVE-2006-6133 (Stack-based buffer overflow in Visual Studio Crystal Reports for Micro ...) NOT-FOR-US: Business Objects Crystal Reports CVE-2006-6132 (Multiple SQL injection vulnerabilities in Link Exchange Lite allow rem ...) NOT-FOR-US: Link Exchange Lite CVE-2006-6131 (Untrusted search path vulnerability in (1) WSAdminServer and (2) WSWeb ...) NOT-FOR-US: Kerio WebSTAR CVE-2006-6130 (Apple Mac OS X AppleTalk allows local users to cause a denial of servi ...) NOT-FOR-US: Apple Mac OS X CVE-2006-6169 (Heap-based buffer overflow in the ask_outfile_name function in openfil ...) {DSA-1231-1} - gnupg 1.4.5-3 (medium; bug #401765) - gnupg2 2.0.0-5.1 (medium; bug #400777) CVE-2006-XXXX [smb4k security issue] - smb4k 0.7.5-1 [sarge] - smb4k (Vulnerable code not present) CVE-2006-6129 (Integer overflow in the fatfile_getarch2 in Apple Mac OS X allows loca ...) NOT-FOR-US: Apple Mac OS X CVE-2006-6128 (The ReiserFS functionality in Linux kernel 2.6.18, and possibly other ...) - linux (Kernel rejects the malformed filesystem) - linux-2.6 [squeeze] - linux-2.6 (Kernel rejects the malformed filesystem) NOTE: It's not obvious when or how this was fixed CVE-2006-6127 (Apple Mac OS X kernel allows local users to cause a denial of service ...) NOT-FOR-US: Apple Mac OS X CVE-2006-6126 (Apple Mac OS X allows local users to cause a denial of service (memory ...) NOT-FOR-US: Apple Mac OS X CVE-2006-6125 (Heap-based buffer overflow in the wireless driver (WG311ND5.SYS) 2.3.1 ...) NOT-FOR-US: NetGear CVE-2006-6124 (Cross-site scripting (XSS) vulnerability in SeleniumServer Web Server ...) NOT-FOR-US: SeleniumServer Web Server CVE-2006-6123 (Coppermine Photo Gallery (CPG) 1.4.8 stable, with register_globals ena ...) NOT-FOR-US: Coppermine Photo Gallery (CPG) CVE-2006-6122 (Multiple buffer overflows in TIN before 1.8.2 have unspecified impact ...) - tin 1:1.8.2-1 CVE-2006-6121 (Acer Notebook LunchApp.APlunch ActiveX control allows remote attackers ...) NOT-FOR-US: Acer CVE-2006-6120 (Integer overflow in the KPresenter import filter for Microsoft PowerPo ...) - koffice 1:1.6.1-1 (bug #401230; medium) CVE-2006-6119 (mmgallery 1.55 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: mmgallery CVE-2006-6118 (Cross-site scripting (XSS) vulnerability in thumbs.php in mmgallery 1. ...) NOT-FOR-US: mmgallery CVE-2006-6117 (SQL injection vulnerability in index1.asp in fipsGallery 1.5 and earli ...) NOT-FOR-US: fipsGallery CVE-2006-6116 (SQL injection vulnerability in default2.asp in fipsForum 2.6 and earli ...) NOT-FOR-US: fipsForum CVE-2006-6115 (SQL injection vulnerability in index.asp in fipsCMS 4.5 and earlier al ...) NOT-FOR-US: fipsCMS CVE-2006-6114 REJECTED CVE-2006-6113 (Monkey Boards 0.3.5 allows remote attackers to obtain sensitive inform ...) NOT-FOR-US: Monkey Boards CVE-2006-6112 (LifeType 1.0.x and 1.1.x have insufficient access control for all of t ...) NOT-FOR-US: LifeType CVE-2006-6111 (Multiple SQL injection vulnerabilities in Alan Ward A-Cart Pro 2.0 all ...) NOT-FOR-US: Alan Ward A-Cart Pro CVE-2006-6110 (Multiple SQL injection vulnerabilities in an unspecified BPG-InfoTech ...) NOT-FOR-US: BPG-InfoTech Content Management System CVE-2006-6109 (Multiple SQL injection vulnerabilities in CandyPress Store 3.5.2.14 al ...) NOT-FOR-US: CandyPress Store CVE-2006-6108 (Cross-site scripting (XSS) vulnerability in EC-CUBE before 1.0.1a-beta ...) NOT-FOR-US: EC-CUBE CVE-2006-6107 (Unspecified vulnerability in the match_rule_equal function in bus/sign ...) - dbus 1.0.2-1 (low) [sarge] - dbus (Minor issue) CVE-2006-6106 (Multiple buffer overflows in the cmtp_recv_interopmsg function in the ...) {DSA-1503-2 DSA-1503-1 DSA-1304} - linux-2.6 2.6.18.dfsg.1-9 CVE-2006-6105 (Format string vulnerability in the host chooser window (gdmchooser) in ...) - gdm 2.16.4-1 (medium; bug #403219) [sarge] - gdm (Vulnerable code not present) CVE-2006-6104 (The System.Web class in the XSP for ASP.NET server 1.1 through 2.0 in ...) - mono 1.2.2.1-1 (low) CVE-2006-6103 (Integer overflow in the ProcDbeSwapBuffers function in the DBE extensi ...) {DSA-1249-1} - xorg-server 2:1.1.1-15 CVE-2006-6102 (Integer overflow in the ProcDbeGetVisualInfo function in the DBE exten ...) {DSA-1249-1} - xorg-server 2:1.1.1-15 CVE-2006-6101 (Integer overflow in the ProcRenderAddGlyphs function in the Render ext ...) {DSA-1249-1} - xorg-server 2:1.1.1-15 CVE-2006-6100 REJECTED CVE-2006-6099 REJECTED CVE-2006-6098 REJECTED CVE-2006-6097 (GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assi ...) {DSA-1223-1} - tar 1.16-2 (high; bug #399845) CVE-2006-6096 (Cross-site scripting (XSS) vulnerability in activenews_search.asp in A ...) NOT-FOR-US: ActiveNews Manage CVE-2006-6095 (Multiple SQL injection vulnerabilities in ActiveNews Manager allow rem ...) NOT-FOR-US: ActiveNews Manage CVE-2006-6094 (Multiple SQL injection vulnerabilities in ActiveNews Manager allow rem ...) NOT-FOR-US: ActiveNews Manage CVE-2006-6093 (Multiple PHP remote file inclusion vulnerabilities in adminprint.php i ...) NOT-FOR-US: PicturesPro Photo Cart CVE-2006-6092 (Multiple SQL injection vulnerabilities in vehiclelistings.asp in 20/20 ...) NOT-FOR-US: Auto Gallery CVE-2006-6091 (Cross-site scripting (XSS) vulnerability in Grim Pirate GrimBB before ...) NOT-FOR-US: GrimBB CVE-2006-6090 (Multiple SQL injection vulnerabilities in BaalAsp forum allow remote a ...) NOT-FOR-US: BaalAsp CVE-2006-6089 (Multiple cross-site scripting (XSS) vulnerabilities in addpost1.asp in ...) NOT-FOR-US: BaalAsp forum CVE-2006-6088 (Multiple cross-site scripting (XSS) vulnerabilities in BlueCollar i-Ga ...) NOT-FOR-US: i-Gallery CVE-2006-6087 (Cross-site scripting (XSS) vulnerability in weblog.php in my little we ...) NOT-FOR-US: my little weblog CVE-2006-6086 (PHP remote file inclusion vulnerability in src/ark_inc.php in e-Ark 1. ...) NOT-FOR-US: e-Ark CVE-2006-6085 (Kile before 1.9.3 does not assign a backup file the same permissions a ...) - kile 1:1.9.3-1 (low) [sarge] - kile (Minor issue) CVE-2006-6084 (Directory traversal vulnerability in abitwhizzy.php in aBitWhizzy allo ...) NOT-FOR-US: aBitWhizzy CVE-2006-6083 (SQL injection vulnerability in search.asp in CreaScripts Creadirectory ...) NOT-FOR-US: CreaScripts Creadirectory CVE-2006-6082 (Multiple cross-site scripting (XSS) vulnerabilities in CreaScripts Cre ...) NOT-FOR-US: CreaScripts Creadirectory CVE-2006-6081 (PHP remote file inclusion vulnerability in Smarty_Compiler.class.php i ...) NOT-FOR-US: Telaen CVE-2006-6080 (Multiple SQL injection vulnerabilities in categories.asp in gNews Publ ...) NOT-FOR-US: gNews CVE-2006-6079 (Multiple PHP remote file inclusion vulnerabilities in LoudMouth 2.4 al ...) NOT-FOR-US: LoudMouth (PHP thingy, not libloudmouth) CVE-2006-6078 (PHP remote file inclusion vulnerability in common.inc.php in a-ConMan ...) NOT-FOR-US: a-ConMan CVE-2006-6077 (The (1) Password Manager in Mozilla Firefox 2.0, and 1.5.0.8 and earli ...) {DSA-1336-1} NOTE: MFSA-2007-02 - iceweasel 2.0.0.2+dfsg-1 (high; bug #409220) - iceape 1.0.8-1 (high) [sarge] - mozilla-firefox (Mozilla products from Sarge no longer supported) [sarge] - mozilla (Mozilla products from Sarge no longer supported) - xulrunner 1.8.0.10-1 (medium) NOTE: Epiphany affected by xulrunner CVE-2006-6076 (Buffer overflow in the Tape Engine (tapeeng.exe) in CA (formerly Compu ...) NOT-FOR-US: BrightStor CVE-2006-6075 (Cross-site scripting (XSS) vulnerability in addpost1.asp in BaalAsp fo ...) NOT-FOR-US: BaalAsp forum CVE-2006-6074 (Multiple SQL injection vulnerabilities in Enthrallweb eShopping Cart a ...) NOT-FOR-US: Enthrallweb eShopping Cart CVE-2006-6073 (Multiple SQL injection vulnerabilities in Enthrallweb eShopping Cart a ...) NOT-FOR-US: Enthrallweb eShopping Cart CVE-2006-6072 (SQL injection vulnerability in bpg/publications_list.asp in BPG-InfoTe ...) NOT-FOR-US: BPG-InfoTech Easy Publisher CVE-2006-6071 (TWiki 4.0.5 and earlier, when running under Apache 1.3 using ApacheLog ...) - twiki 1:4.0.5-2 (bug #401303; low) CVE-2006-6070 (SQL injection vulnerability in module/account/register/register.asp in ...) NOT-FOR-US: ASP Nuke CVE-2006-6069 (index.php in mAlbum 0.3 and earlier allows remote attackers to obtain ...) NOT-FOR-US: mAlbum CVE-2006-6068 (Directory traversal vulnerability in the cached_album function in func ...) NOT-FOR-US: mAlbum CVE-2006-6067 (Multiple SQL injection vulnerabilities in 20/20 DataShed (aka Real Est ...) NOT-FOR-US: DataShed CVE-2006-6066 (Multiple SQL injection vulnerabilities in Dragon Calendar / Events Lis ...) NOT-FOR-US: Dragon Calendar CVE-2006-6065 (PHP remote file inclusion vulnerability in includes/mx_common.php in t ...) NOT-FOR-US: CalSnails Module for MxBB Portal CVE-2006-6064 (Multiple buffer overflows in the Message Parsing Interpreter (MPI) in ...) NOT-FOR-US: Fuzzball MUCK CVE-2006-6063 (Stack-based buffer overflow in Un4seen XMPlay 3.3.0.5 and earlier allo ...) NOT-FOR-US: XMPlay CVE-2006-6062 (Unspecified vulnerability in Apple Mac OS X 10.4.8, and possibly other ...) NOT-FOR-US: Apple Mac OS X CVE-2006-6061 (com.apple.AppleDiskImageController in Apple Mac OS X 10.4.8, and possi ...) NOT-FOR-US: Apple Mac OS X CVE-2006-6060 (The NTFS filesystem code in Linux kernel 2.6.x up to 2.6.18, and possi ...) {DSA-1304} - linux-2.6 2.6.18.dfsg.1-10 (unimportant) NOTE: Mounting filesystem partitions should be limited to root CVE-2006-6059 (Buffer overflow in MA521nd5.SYS driver 5.148.724.2003 for NetGear MA52 ...) NOT-FOR-US: NetGear CVE-2006-6058 (The minix filesystem code in Linux kernel 2.6.x before 2.6.24, includi ...) {DSA-1504-1 DSA-1436-1} - linux-2.6 2.6.22-6 NOTE: Mounting filesystem partitions should be limited to root CVE-2006-6057 (The Linux kernel 2.6.x up to 2.6.18, and possibly other versions, on F ...) - linux-2.6 (Debian kernels up to 2.6.18 didn't include GFS) CVE-2006-6056 (Linux kernel 2.6.x up to 2.6.18 and possibly other versions, when SELi ...) {DSA-1304} - linux-2.6 2.6.18.dfsg.1-10 (unimportant) NOTE: Mounting filesystem partitions should be limited to root CVE-2006-6055 (Stack-based buffer overflow in A5AGU.SYS 1.0.1.41 for the D-Link DWL-G ...) NOT-FOR-US: D-Link CVE-2006-6054 (The ext2 file system code in Linux kernel 2.6.x allows local users to ...) {DSA-1503-2 DSA-1504-1 DSA-1503-1} - linux-2.6 2.6.18.dfsg.1-10 (unimportant) NOTE: Mounting filesystem partitions should be limited to root CVE-2006-6053 (The ext3fs_dirhash function in Linux kernel 2.6.x allows local users t ...) {DSA-1503-2 DSA-1503-1 DSA-1304} - linux-2.6 2.6.18.dfsg.1-10 (unimportant) NOTE: Mounting filesystem partitions should be limited to root CVE-2006-6052 (NetEpi Case Manager before 0.98 generates different error messages dep ...) NOT-FOR-US: NetEpi Case Manager CVE-2006-6051 (PHP remote file inclusion vulnerability in reporter.logic.php in the M ...) NOT-FOR-US: MosReporter (com_reporter) component for Joomla! CVE-2006-6050 (Multiple SQL injection vulnerabilities in ClickTech Texas Rank'em allo ...) NOT-FOR-US: Rank'em CVE-2006-6049 (PHP remote file inclusion vulnerability in shambo2.php in the Shambo2 ...) NOT-FOR-US: Shambo2 (com_shambo2) component for Mambo CVE-2006-6048 (SQL injection vulnerability in index.php in Etomite CMS 0.6.1.2, when ...) NOT-FOR-US: Etomite CMS CVE-2006-6047 (Directory traversal vulnerability in manager/index.php in Etomite 0.6. ...) NOT-FOR-US: Etomite CMSEtomite CMS CVE-2006-6046 (Multiple cross-site scripting (XSS) vulnerabilities in eggblog 3.1.0 a ...) NOT-FOR-US: eggblog CVE-2006-6045 (Multiple PHP remote file inclusion vulnerabilities in Comdev One Admin ...) NOT-FOR-US: omdev One Admin CVE-2006-6044 (PHP remote file inclusion vulnerability in gallery_top.inc.php in PHPQ ...) NOT-FOR-US: PHPQuickGallery CVE-2006-6043 (PHP file inclusion vulnerability in loginform-inc.php in Oliver (forme ...) NOT-FOR-US: Oliver (formerly Webshare) CVE-2006-6042 (PHP remote file inclusion vulnerability in core/editor.php in phpWebTh ...) NOT-FOR-US: phpWebThings CVE-2006-6041 (Multiple PHP remote file inclusion vulnerabilities in Laurent Van den ...) NOT-FOR-US: WORK system e-commerce CVE-2006-6040 (Multiple cross-site scripting (XSS) vulnerabilities in admincp/index.p ...) NOT-FOR-US: vBulletin CVE-2006-6039 (SQL injection vulnerability in matchdetail.php in Powie's PHP MatchMak ...) NOT-FOR-US: MatchMaker CVE-2006-6038 (SQL injection vulnerability in editpoll.php in Powie's PHP Forum (pFor ...) NOT-FOR-US: Powie's PHP Forum CVE-2006-6037 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Da ...) NOT-FOR-US: Travelsized CMS CVE-2006-6036 (SQL injection vulnerability in OpenHuman before 1.0 allows remote atta ...) NOT-FOR-US: OpenHuman CVE-2006-6035 (Cross-site scripting (XSS) vulnerability in list.php in BLOG:CMS 4.1.3 ...) NOT-FOR-US: BLOG:CMS CVE-2006-6034 (Multiple SQL injection vulnerabilities in SitesOutlet E-commerce Kit-1 ...) NOT-FOR-US: SitesOutlet E-commerce Kit-1 CVE-2006-6033 (Multiple directory traversal vulnerabilities in Simple PHP Blog (SPHPB ...) NOT-FOR-US: Simple PHP Blog CVE-2006-6032 (Multiple cross-site scripting (XSS) vulnerabilities in Simple PHP Blog ...) NOT-FOR-US: Simple PHP Blog CVE-2006-6031 (Multiple SQL injection vulnerabilities in Greater Cincinnati Internet ...) NOT-FOR-US: ASPCart CVE-2006-6030 (Multiple SQL injection vulnerabilities in E-Calendar Pro 3.0 allow rem ...) NOT-FOR-US: E-Calendar ProE-Calendar Pro CVE-2006-6029 (SQL injection vulnerability in vir_Login.asp in Property Pro 1.0 allow ...) NOT-FOR-US: Property Pro CVE-2006-6028 (Directory traversal vulnerability in textview.php in Anton Vlasov DoSe ...) NOT-FOR-US: DoSePa CVE-2006-6027 (Adobe Reader (Adobe Acrobat Reader) 7.0 through 7.0.8 allows remote at ...) NOT-FOR-US: Adobe Reader CVE-2006-6026 (Heap-based buffer overflow in Real Networks Helix Server and Helix Mob ...) NOT-FOR-US: Helix DNA Server CVE-2006-6025 (QUALCOMM Eudora WorldMail 4.0 allows remote attackers to cause a denia ...) NOT-FOR-US: QUALCOMM Eudora WorldMail CVE-2006-6024 (Multiple buffer overflows in Eudora Worldmail, possibly Worldmail 3 ve ...) NOT-FOR-US: Eudora Worldmail CVE-2006-6023 NOT-FOR-US: Bloo CVE-2006-6022 (Cross-site scripting (XSS) vulnerability in login_form.asp in BestWebA ...) NOT-FOR-US: BestWebApp Dating Site CVE-2006-6021 (SQL injection vulnerability in the login component in BestWebApp Datin ...) NOT-FOR-US: BestWebApp Dating Site CVE-2006-6020 (Cross-site scripting (XSS) vulnerability in announce.php in Blog Torre ...) NOT-FOR-US: Blog Torrent Preview CVE-2006-6019 (Cross-site scripting (XSS) vulnerability in extensions/googiespell/goo ...) NOT-FOR-US: Bloo CVE-2006-6018 NOT-FOR-US: My-BIC CVE-2006-6017 (WordPress before 2.0.5 does not properly store a profile containing a ...) - wordpress 2.0.5-0.1 CVE-2006-6016 (wp-admin/user-edit.php in WordPress before 2.0.5 allows remote authent ...) - wordpress 2.0.5-0.1 CVE-2006-6015 (Buffer overflow in the JavaScript implementation in Safari on Apple Ma ...) - kdebase (unimportant; bug #400121) NOTE: Browser crashes are not treated as security problems CVE-2006-6014 (The NetBSD-current kernel before 20061028 does not properly perform bo ...) NOT-FOR-US: NetBSD CVE-2006-6013 (Integer signedness error in the fw_ioctl (FW_IOCTL) function in the Fi ...) - kfreebsd-5 5.4-21 [etch] - kfreebsd-5 (no security support) CVE-2006-6012 (Cross-site scripting (XSS) vulnerability in csm/asp/listings.asp in MG ...) NOT-FOR-US: Car Site Manager CVE-2006-6011 (Unspecified vulnerability in SAP Web Application Server before 6.40 pa ...) NOT-FOR-US: SAP CVE-2006-6010 (SAP allows remote attackers to obtain potentially sensitive informatio ...) NOT-FOR-US: SAP CVE-2006-6009 (Unspecified vulnerability in the Java Runtime Environment (JRE) Swing ...) - sun-java5 1.5.0-08-1 CVE-2006-6008 (ftpd in Linux Netkit (linux-ftpd) 0.17, and possibly other versions, d ...) {DSA-1217} - linux-ftpd 0.17-23 CVE-2006-6007 (save_profile.asp in WebEvents (Online Event Registration Template) 2.0 ...) NOT-FOR-US: WebEvents (Online Event Registration Template) CVE-2006-6006 REJECTED CVE-2006-6005 REJECTED CVE-2006-6004 REJECTED CVE-2006-6003 REJECTED CVE-2006-6002 REJECTED CVE-2006-6001 REJECTED CVE-2006-6000 REJECTED CVE-2006-5999 REJECTED CVE-2006-5998 REJECTED CVE-2006-5997 REJECTED CVE-2006-5996 REJECTED CVE-2006-5995 REJECTED CVE-2006-5994 (Unspecified vulnerability in Microsoft Word 2000 and 2002, Office Word ...) NOT-FOR-US: Microsoft Word CVE-2006-5993 REJECTED CVE-2006-5992 REJECTED CVE-2006-5991 (Multiple SQL injection vulnerabilities in wwweb concepts CactuShop all ...) NOT-FOR-US: CactuShop CVE-2006-5990 (VMWare VirtualCenter client 2.x before 2.0.1 Patch 1 (Build 33643) and ...) NOT-FOR-US: VMWare CVE-2006-5989 (Off-by-one error in the der_get_oid function in mod_auth_kerb 5.0 allo ...) {DSA-1247-1} - libapache-mod-auth-kerb 5.3-1 (low; bug #400589) CVE-2006-5988 (Unspecified vulnerability in Windows 2000 Advanced Server SP4 running ...) NOT-FOR-US: Windows CVE-2006-5987 (SQL injection vulnerability in default.asp in ASPintranet, possibly 1. ...) NOT-FOR-US: ASPintranet CVE-2006-5986 (admin/options.php in Extreme CMS 0.9, and possibly earlier, does not r ...) NOT-FOR-US: Extreme CMS CVE-2006-5985 (Multiple cross-site scripting (XSS) vulnerabilities in admin/options.p ...) NOT-FOR-US: Extreme CMS CVE-2006-5984 (Multiple cross-site scripting (XSS) vulnerabilities in Helm Web Hostin ...) NOT-FOR-US: Helm Hosting Control Panel CVE-2006-5983 (Multiple cross-site scripting (XSS) vulnerabilities in JBMC Software D ...) NOT-FOR-US: DirectAdmin CVE-2006-5982 (SeleniumServer FTP Server 1.0, and possibly earlier, stores user passw ...) NOT-FOR-US: Selenium Server CVE-2006-5981 (Multiple directory traversal vulnerabilities in SeleniumServer FTP Ser ...) NOT-FOR-US: Selenium Server CVE-2006-5980 (adm_lgn_admin.asp in Renasoft NetJetServer 2.5.3.939, and possibly ear ...) NOT-FOR-US: NetJetServer CVE-2006-5979 (Renasoft NetJetServer 2.5.3.939, and possibly earlier, uses insecure p ...) NOT-FOR-US: NetJetServer CVE-2006-5978 (Unspecified vulnerability in E-Xoopport before 2.2.0 has unknown impac ...) NOT-FOR-US: E-Xoopport CVE-2006-5977 (Multiple SQL injection vulnerabilities in MultiCalendars allow remote ...) NOT-FOR-US: MultiCalendars CVE-2006-5976 (Multiple SQL injection vulnerabilities in admin_login.asp in BlogMe 3. ...) NOT-FOR-US: BlogMe CVE-2006-5975 (Multiple cross-site scripting (XSS) vulnerabilities in comments.asp in ...) NOT-FOR-US: BlogMe CVE-2006-5974 (fetchmail 6.3.5 and 6.3.6 before 6.3.6-rc4, when refusing a message de ...) - fetchmail 6.3.6-1 (low) [sarge] - fetchmail (Vulnerable code not present) CVE-2006-5973 (Off-by-one buffer overflow in Dovecot 1.0test53 through 1.0.rc14, and ...) - dovecot 1.0.rc15-1 [sarge] - dovecot (Vulnerable code not present) CVE-2005-4815 (SAP 6.4 before 6.40 patch 4, 6.2 before 6.20 patch 1364, 4.6 before 4. ...) NOT-FOR-US: SAP CVE-2006-XXXX [Firefox Sage Extension Feed Script Insertion Vulnerability] - firefox-sage (medium; bug #399170) NOTE: Debian's version has HTML disabled CVE-2006-5972 (Stack-based buffer overflow in WG111v2.SYS in NetGear WG111v2 wireless ...) NOT-FOR-US: NetGear CVE-2006-5971 (Absolute path traversal vulnerability in admin/logfile.txt in Verity U ...) NOT-FOR-US: Verity Ultraseek CVE-2006-5970 (Verity Ultraseek before 5.7 allows remote attackers to obtain sensitiv ...) NOT-FOR-US: Verity Ultraseek CVE-2006-5969 (CRLF injection vulnerability in the evalFolderLine function in fvwm 2. ...) - fvwm 1:2.5.18-2 (low; bug #400303) [sarge] - fvwm (Minor issue) CVE-2006-5968 (MDaemon 9.0.5, 9.0.6, 9.51, and 9.53, and possibly other versions, ins ...) NOT-FOR-US: MDaemon CVE-2006-5967 (Race condition in Panda ActiveScan 5.53.00, and other versions before ...) NOT-FOR-US: Panda ActiveScan CVE-2006-5966 (Panda ActiveScan 5.53.00, and other versions before 5.54.01, allows re ...) NOT-FOR-US: Panda ActiveScan CVE-2006-5965 (PassGo SSO Plus 2.1.0.32, and probably earlier versions, uses insecure ...) NOT-FOR-US: PassGo SSO Plus CVE-2006-5964 (choShilA.bpl in PentaZip 8.5.1.190 and PentaSuite-PRO 8.5.1.221 allows ...) NOT-FOR-US: PentaZip CVE-2006-5963 (Directory traversal vulnerability in PentaZip 8.5.1.190 and PentaSuite ...) NOT-FOR-US: PentaZip CVE-2006-5962 (Multiple SQL injection vulnerabilities in Hpecs Shopping Cart allow re ...) NOT-FOR-US: Hpecs Shopping Cart CVE-2006-5961 (Buffer overflow in Mercury Mail Transport System 4.01b for Windows has ...) NOT-FOR-US: Mercury Mail Transport CVE-2006-5960 (Multiple cross-site scripting (XSS) vulnerabilities in account_login.a ...) NOT-FOR-US: A+ Store E-Commerce CVE-2006-5959 (SQL injection vulnerability in browse.asp in A+ Store E-Commerce allow ...) NOT-FOR-US: A+ Store E-Commerce CVE-2006-5958 (Multiple cross-site scripting (XSS) vulnerabilities in INFINICART allo ...) NOT-FOR-US: INFINICART CVE-2006-5957 NOT-FOR-US: INFINICART CVE-2006-5956 (XLineSoft PHPRunner 3.1 stores the (1) database server name, (2) datab ...) NOT-FOR-US: PHPRunner CVE-2006-5955 (SQL injection vulnerability in listings.asp in 20/20 DataShed (aka Rea ...) NOT-FOR-US: DataShed CVE-2006-5954 (SQL injection vulnerability in page.asp in NetVIOS 2.0 and earlier all ...) NOT-FOR-US: NetVIOS CVE-2006-5953 (SQL injection vulnerability in viewcart.asp in Evolve shopping cart (a ...) NOT-FOR-US: Evolve shopping cart CVE-2006-5952 (SQL injection vulnerability in admin/default.asp in ASP Smiley 1.0 all ...) NOT-FOR-US: ASP Smiley CVE-2006-5951 (PHP remote file inclusion vulnerability in pipe.php in Exophpdesk 1.2 ...) NOT-FOR-US: Exophpdesk CVE-2006-5950 (Unspecified vulnerability in ALTools ALFTP FTP Server 4.1 beta 1, and ...) NOT-FOR-US: ALTools ALFTP FTP Server CVE-2006-5949 (Directory traversal vulnerability in ALTools ALFTP FTP Server 4.1 beta ...) NOT-FOR-US: ALTools ALFTP FTP Server CVE-2006-5948 (PHP remote file inclusion vulnerability in pntUnit/Inspect.php in phpP ...) NOT-FOR-US: phpPeanuts CVE-2006-5947 (Multiple directory traversal vulnerabilities in Conxint FTP Server 2.2 ...) NOT-FOR-US: Conxint FTP Server CVE-2006-5946 (SQL injection vulnerability in demo/glossary/glossary.asp in FunkyASP ...) NOT-FOR-US: FunkyASP Glossary CVE-2006-5945 (Multiple SQL injection vulnerabilities in MGinternet Car Site Manager ...) NOT-FOR-US: MGinternet Car Site Manager CVE-2006-5944 (Cross-site scripting (XSS) vulnerability in csm/asp/listings.asp in MG ...) NOT-FOR-US: MGinternet Car Site Manager CVE-2006-5943 (Multiple SQL injection vulnerabilities in inventory/display/imager.asp ...) NOT-FOR-US: Less Inventory Manager CVE-2006-5942 (Cross-site scripting (XSS) vulnerability in inventory/display/display_ ...) NOT-FOR-US: Less Inventory Manager CVE-2006-5941 REJECTED CVE-2006-5940 (Unspecified vulnerability in Grisoft AVG Anti-Virus before 7.1.407 has ...) NOT-FOR-US: Grisoft AVG Anti-Virus CVE-2006-5939 (Grisoft AVG Anti-Virus before 7.1.407 allows remote attackers to cause ...) NOT-FOR-US: Grisoft AVG Anti-Virus CVE-2006-5938 (Grisoft AVG Anti-Virus before 7.1.407 has unknown impact and remote at ...) NOT-FOR-US: Grisoft AVG Anti-Virus CVE-2006-5937 (Multiple integer overflows in Grisoft AVG Anti-Virus before 7.1.407 al ...) NOT-FOR-US: Grisoft AVG Anti-Virus CVE-2006-5936 (SQL injection vulnerability in dept.asp in SiteXpress E-Commerce Syste ...) NOT-FOR-US: SiteXpress E-Commerce CVE-2006-5935 (SQL injection vulnerability in index.php in ShopSystems 4.0 and earlie ...) NOT-FOR-US: ShopSystems CVE-2006-5934 (SQL injection vulnerability in admin/default.asp in Estate Agent Manag ...) NOT-FOR-US: Estate Agent Manager CVE-2006-5933 (SQL injection vulnerability in update.asp in UltraSite 1.0 allows remo ...) NOT-FOR-US: UltraSite CVE-2006-5932 (Kahua before 0.7, when running multiple applications under a single su ...) NOT-FOR-US: Kahua CVE-2006-5931 (Multiple PHP remote file inclusion vulnerabilities in Aigaion Web base ...) NOT-FOR-US: Aigaion CVE-2006-5930 (Multiple PHP remote file inclusion vulnerabilities in Aigaion Web base ...) NOT-FOR-US: Aigaion CVE-2006-5929 (PHP remote file inclusion vulnerability in firepjs.php in Phpjobschedu ...) NOT-FOR-US: Phpjobscheduler CVE-2006-5928 (Multiple PHP remote file inclusion vulnerabilities in Phpjobscheduler ...) NOT-FOR-US: Phpjobscheduler CVE-2006-5927 (SQL injection vulnerability in cpLogin.asp in ASP Scripter Easy Portal ...) NOT-FOR-US: ASP Scripter Easy Portal CVE-2006-5926 (Multiple SQL injection vulnerabilities in mail.php in Vallheru before ...) NOT-FOR-US: Vallheru CVE-2006-5925 (Links web browser 1.00pre12 and Elinks 0.9.2 with smbclient installed ...) {DSA-1240-1 DSA-1228-1 DSA-1226-1} - links 0.99+1.00pre12-1.1 (medium; bug #399188) - elinks 0.11.1-1.2 (medium; bug #399187) - links2 2.1pre25-2 (medium; bug #400718) CVE-2006-5924 (Cross-site scripting (XSS) vulnerability in index.php in Efficient IP ...) NOT-FOR-US: Efficient IP iPmanager (IPm) CVE-2006-5923 (PHP remote file inclusion vulnerability in index.php in Chris Mac gtca ...) NOT-FOR-US: gtcatalog CVE-2006-5922 (index.php in Wheatblog (wB) allows remote attackers to obtain sensitiv ...) NOT-FOR-US: Wheatblog CVE-2006-5921 (Multiple cross-site scripting (XSS) vulnerabilities in add_comment.php ...) NOT-FOR-US: Wheatblog CVE-2006-5920 NOT-FOR-US: Exporia CVE-2006-5919 (PHP remote file inclusion vulnerability in admin/e_data/visEdit_contro ...) NOT-FOR-US: KnowledgeBuilder CVE-2006-5918 (Unrestricted file upload vulnerability in RapidKill (aka PHP Rapid Kil ...) NOT-FOR-US: RapidKill CVE-2006-5917 (Multiple SQL injection vulnerabilities in OmniStar Article Manager all ...) NOT-FOR-US: OmniStar Article Manager CVE-2006-5916 (Intego VirusBarrier X4 allows context-dependent attackers to bypass vi ...) NOT-FOR-US: Intego VirusBarrier CVE-2006-5915 (Multiple cross-site scripting (XSS) vulnerabilities in ls.php in SAMED ...) NOT-FOR-US: LandShop CVE-2006-5914 (SQL injection vulnerability in ls.php in SAMEDIA LandShop allows remot ...) NOT-FOR-US: LandShop CVE-2006-5913 (Microsoft Internet Explorer 7 allows remote attackers to (1) cause a s ...) NOT-FOR-US: Microsoft CVE-2006-5912 (Unspecified vulnerability in Campware Campsite before 2.6.2 has unknow ...) NOT-FOR-US: Campware Campsite CVE-2006-5911 (Multiple PHP remote file inclusion vulnerabilities in Campware Campsit ...) NOT-FOR-US: Campware Campsite CVE-2006-5910 (Multiple PHP remote file inclusion vulnerabilities in Campware Campsit ...) NOT-FOR-US: Campware Campsite CVE-2006-5909 (generaloptions.php in Paul Tarjan Stanford Conference And Research For ...) NOT-FOR-US: Stanford Conference And Research Forum (SCARF) CVE-2006-5908 (Multiple SQL injection vulnerabilities in the login_user function in y ...) NOT-FOR-US: Yet Another News System CVE-2006-5907 (SQL injection vulnerability in modules/bannieres/bannieres.php in Jean ...) NOT-FOR-US: SCRIPT BANNIERES CVE-2006-5906 NOT-FOR-US: SCRIPT BANNIERES CVE-2006-5905 (Web Directory Pro allows remote attackers to (1) backup the database a ...) NOT-FOR-US: Web Directory Pro CVE-2006-5904 (Multiple PHP remote file inclusion vulnerabilities in MWChat Pro 7.0 a ...) NOT-FOR-US: MWChat Pro CVE-2006-5903 (Rahul Jonna Gmail File Space (GSpace) allows remote attackers to perfo ...) NOT-FOR-US: GSpace CVE-2006-5902 (viksoe GMail Drive shell extension allows remote attackers to perform ...) NOT-FOR-US: viksoe GMail Drive CVE-2006-5901 (Hawking Technology wireless router WR254-CA uses a hardcoded IP addres ...) NOT-FOR-US: Hawking Technology wireless router WR254-CA CVE-2006-5900 (Cross-site scripting (XSS) vulnerability in the incubator/tests/Zend/H ...) NOT-FOR-US: Zend Framework Preview CVE-2006-5899 NOT-FOR-US: @cid stat CVE-2006-5898 (Directory traversal vulnerability in localization/languages.lib.php3 i ...) NOT-FOR-US: PhpMyChat CVE-2006-5897 (Multiple directory traversal vulnerabilities in PhpMyChat Plus 1.9 and ...) NOT-FOR-US: PhpMyChat Plus CVE-2006-5896 (REMLAB Web Mech Designer 2.0.5 allows remote attackers to obtain the f ...) NOT-FOR-US: Web Mech Designer CVE-2006-5895 (PHP remote file inclusion vulnerability in core/core.php in EncapsCMS ...) NOT-FOR-US: EncapsCMS CVE-2006-5894 (Directory traversal vulnerability in lang.php in Rama CMS 0.68 and ear ...) NOT-FOR-US: Rama CMS CVE-2006-5893 (Multiple PHP remote file inclusion vulnerabilities in iWonder Designs ...) NOT-FOR-US: iWonder Designs Storystream CVE-2006-5892 (SQL injection vulnerability in MoreInfo.asp in The Net Guys ASPired2Po ...) NOT-FOR-US: The Net Guys ASPired2Poll CVE-2006-5891 (SQL injection vulnerability in detail.asp in Superfreaker Studios USto ...) NOT-FOR-US: Superfreaker Studios UStore CVE-2006-5890 (SQL injection vulnerability in detail.asp in Superfreaker Studios USup ...) NOT-FOR-US: Superfreaker Studios UStore CVE-2006-5889 (SQL injection vulnerability in printLog.php in BrewBlogger (BB) 1.3.1 ...) NOT-FOR-US: BrewBlogger CVE-2006-5888 (SQL injection vulnerability in viewarticle.asp in Superfreaker Studios ...) NOT-FOR-US: Superfreaker Studios UPublisher CVE-2006-5887 (SQL injection vulnerability in CampusNewsDetails.asp in Dynamic Datawo ...) NOT-FOR-US: Dynamic Dataworx NuSchool CVE-2006-5886 (SQL injection vulnerability in propertysdetails.asp in Dynamic Datawor ...) NOT-FOR-US: Dynamic Dataworx NuRealestate (NuRems) CVE-2006-5885 (SQL injection vulnerability in Products.asp in NuStore 1.0 allows remo ...) NOT-FOR-US: NuStore CVE-2003-1308 (CRLF injection vulnerability in fvwm-menu-directory for fvwm 2.5.x bef ...) - fvwm 2.5.10-1 CVE-2006-5884 (Multiple unspecified vulnerabilities in DirectAnimation ActiveX contro ...) NOT-FOR-US: DirectAnimation ActiveX controls for Microsoft Internet Explorer CVE-2006-5883 (Multiple cross-site scripting (XSS) vulnerabilities in cPanel 10 allow ...) NOT-FOR-US: cPanel 10 CVE-2006-5882 (Stack-based buffer overflow in the Broadcom BCMWL5.SYS wireless device ...) NOT-FOR-US: Broadcom BCMWL5.SYS CVE-2006-5881 (SQL injection vulnerability in cl_CatListing.asp in Dynamic Dataworx N ...) NOT-FOR-US: Dynamic Dataworx NuCommunity CVE-2006-5880 (SQL injection vulnerability on the subMenu page in switch.asp in Munch ...) NOT-FOR-US: Munch Pro CVE-2006-5879 (SQL injection vulnerability in default1.asp in ASPPortal 4.0.0 beta an ...) NOT-FOR-US: ASPPortal CVE-2006-5878 (Cross-site request forgery (CSRF) vulnerability in Edgewall Trac 0.10 ...) {DSA-1209} - trac 0.10.1-1 (bug #397683) CVE-2006-5877 (The enigmail extension before 0.94.2 does not properly handle large, e ...) - enigmail 2:0.94.2-1 (bug #406604) CVE-2006-5876 (The soup_headers_parse function in soup-headers.c for libsoup HTTP lib ...) {DSA-1248-1} - libsoup 2.2.98-2 (bug #405197; medium) CVE-2006-5875 (eoc.py in Enemies of Carlotta (EoC) before 1.2.4 allows remote attacke ...) {DSA-1236-1} - enemies-of-carlotta 1.2.4-1 (medium) CVE-2006-5874 (Clam AntiVirus (ClamAV) 0.88 and earlier allows remote attackers to ca ...) {DSA-1232-1} - clamav 0.86-1 CVE-2006-5873 (Buffer overflow in the cluster_process_heartbeat function in cluster.c ...) {DSA-1230-1} - l2tpns 2.1.21-1 (medium; bug #401742) NOTE: http://secunia.com/advisories/23230/ CVE-2006-5872 (login.pl in SQL-Ledger before 2.6.21 and LedgerSMB before 1.1.5 allows ...) {DSA-1239-1} - sql-ledger 2.6.21-1 CVE-2006-5871 (smbfs in Linux kernel 2.6.8 and other versions, and 2.4.x before 2.4.3 ...) {DSA-1237 DSA-1233} - linux-2.6 (Current Linux versions already implement intended behaviour) CVE-2006-5870 (Multiple integer overflows in OpenOffice.org (OOo) 2.0.4 and earlier, ...) {DSA-1246-1} - openoffice.org 2.0.4-1 (medium; bug #405986; bug #405679) CVE-2006-5869 (pstotext before 1.9 allows user-assisted attackers to execute arbitrar ...) {DSA-1220} - pstotext 1.9-4 (bug #356988; medium) CVE-2006-5868 (Multiple buffer overflows in Imagemagick 6.0 before 6.0.6.2, and 6.2 b ...) {DSA-1213} - imagemagick 7:6.2.4.5.dfsg1-0.11 CVE-2006-5867 (fetchmail before 6.3.6-rc4 does not properly enforce TLS and may trans ...) {DSA-1259-1} - fetchmail 6.3.6-1 (low) CVE-2006-5866 (Directory traversal vulnerability in Mdoc/view-sourcecode.php for phpM ...) NOT-FOR-US: phpManta CVE-2006-5865 (PHP remote file inclusion vulnerability in language.inc.php in MyAlbum ...) NOT-FOR-US: Script Dowload CVE-2006-5863 (PHP remote file inclusion vulnerability in inc/session.php for LetterI ...) NOT-FOR-US: LetterIt CVE-2006-5862 (Directory traversal vulnerability in the session mechanism of the web ...) NOT-FOR-US: Network Administration Visualized CVE-2006-5861 (The Independent Management Architecture (IMA) service (ImaSrv.exe) in ...) NOT-FOR-US: Citrix CVE-2006-5860 (Cross-site scripting (XSS) vulnerability in the administrator console ...) NOT-FOR-US: Adobe JRun CVE-2006-5859 (Cross-site scripting (XSS) vulnerability in Adobe ColdFusion MX 7 7.0 ...) NOT-FOR-US: Adobe ColdFusion CVE-2006-5858 (Adobe ColdFusion MX 7 through 7.0.2, and JRun 4, when run on Microsoft ...) NOT-FOR-US: Adobe CVE-2006-5857 (Adobe Reader and Acrobat 7.0.8 and earlier allows user-assisted remote ...) NOT-FOR-US: Adobe CVE-2006-5856 (Stack-based buffer overflow in the Adobe Download Manager before 2.2 a ...) NOT-FOR-US: Adobe Download Manager CVE-2006-5855 (Multiple buffer overflows in IBM Tivoli Storage Manager (TSM) before 5 ...) NOT-FOR-US: Tivoli CVE-2006-5854 (Multiple buffer overflows in the Spooler service (nwspool.dll) in Nove ...) NOT-FOR-US: Novell Netware CVE-2006-5853 (Cross-site scripting (XSS) vulnerability in logon.aspx in Immediacy CM ...) NOT-FOR-US: Immediacy CMS CVE-2006-5852 (Untrusted search path vulnerability in openexec in OpenBase SQL before ...) NOT-FOR-US: OpenBase SQL CVE-2006-5851 (openexec in OpenBase SQL before 10.0.1 allows local users to create ar ...) NOT-FOR-US: OpenBase SQL CVE-2006-5850 (Stack-based buffer overflow in Essentia Web Server 2.15 for Windows al ...) NOT-FOR-US: Essentia Web Server CVE-2006-5849 (PHP remote file inclusion vulnerability in inc/irayofuncs.php in Irayo ...) NOT-FOR-US: IrayoBlog CVE-2006-5848 REJECTED CVE-2006-5847 (Cross-site scripting (XSS) vulnerability in index.php in FreeWebshop 2 ...) NOT-FOR-US: FreeWebshop CVE-2006-5846 (Directory traversal vulnerability in index.php in FreeWebshop 2.2.2 an ...) NOT-FOR-US: FreeWebshop CVE-2006-5845 (Unrestricted file upload vulnerability in index.php in Speedywiki 2.0 ...) NOT-FOR-US: Speedywiki CVE-2006-5844 (Speedywiki 2.0 allows remote attackers to obtain the full path of the ...) NOT-FOR-US: Speedywiki CVE-2006-5843 (Cross-site scripting (XSS) vulnerability in index.php in Speedywiki 2. ...) NOT-FOR-US: Speedywiki CVE-2006-5842 (The keystore file in Unicore Client before 5.6 build 5, when running o ...) NOT-FOR-US: Unicore CVE-2006-5841 (Multiple PHP remote file inclusion vulnerabilities in dodosmail.php in ...) NOT-FOR-US: DodosMail CVE-2006-5840 NOT-FOR-US: Abarcar Realty Portal CVE-2006-5839 (PHP remote file inclusion vulnerability in ad_main.php in PHPAdventure ...) NOT-FOR-US: PHPAdventure CVE-2006-5838 (PHP remote file inclusion vulnerability in lib/class.Database.php in N ...) NOT-FOR-US: NewP News Publication System CVE-2006-5837 (Static code injection vulnerability in chat_panel.php in the SimpleCha ...) NOT-FOR-US: SimpleChat 1.0.0 module for iWare Professional CMS CVE-2006-5836 (The fpathconf syscall function in bsd/kern/kern_descrip.c in the Darwi ...) NOT-FOR-US: Darwin kernel (XNU) 8.8.1 in Apple Mac OS X CVE-2006-5835 (The Notes Remote Procedure Call (NRPC) protocol in IBM Lotus Notes Dom ...) NOT-FOR-US: IBM Lotus Notes Domino CVE-2006-5834 (Directory traversal vulnerability in general.php in OpenSolution Quick ...) NOT-FOR-US: OpenSolution Quick.Cms.Lite CVE-2006-5833 (gbcms_php_files/up_loader.php GreenBeast CMS 1.3 does not require auth ...) NOT-FOR-US: GreenBeast CMS CVE-2006-5832 (All In One Control Panel (AIOCP) 1.3.007 and earlier allows remote att ...) NOT-FOR-US: All In One Control Panel (AIOCP) CVE-2006-5831 (PHP remote file inclusion vulnerability in admin/code/index.php in All ...) NOT-FOR-US: All In One Control Panel (AIOCP) CVE-2006-5830 (Multiple cross-site scripting (XSS) vulnerabilities in All In One Cont ...) NOT-FOR-US: All In One Control Panel (AIOCP) CVE-2006-5829 (Multiple SQL injection vulnerabilities in All In One Control Panel (AI ...) NOT-FOR-US: All In One Control Panel (AIOCP) CVE-2006-5828 (SQL injection vulnerability in detail.php in DeltaScripts PHP Classifi ...) NOT-FOR-US: PHP Classifieds CVE-2006-5827 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in ph ...) NOT-FOR-US: phpComasy CMS CVE-2006-5826 (Buffer overflow in Texas Imperial Software WFTPD Pro Server 3.23.1.1 a ...) NOT-FOR-US: Texas Imperial Software WFTPD Pro Server CVE-2006-5825 (Cross-site scripting (XSS) vulnerability in index.php in Kayako Suppor ...) NOT-FOR-US: Kayako SupportSuite CVE-2006-5824 (Integer overflow in the ffs_rdextattr function in FreeBSD 6.1 allows l ...) - kfreebsd-5 [etch] - kfreebsd-5 (no security support for freebsd) CVE-2006-5823 (The zlib_inflate function in Linux kernel 2.6.x allows local users to ...) {DSA-1503-2 DSA-1504-1 DSA-1503-1} - linux-2.6 2.6.18.dfsg.1-10 (low) CVE-2006-5822 (Stack-based buffer overflow in the NetBackup bpcd daemon (bpcd.exe) in ...) NOT-FOR-US: Symantec Veritas NetBackup CVE-2006-5821 (Heap-based buffer overflow in the IMA_SECURE_DecryptData1 function in ...) NOT-FOR-US: Citrix CVE-2006-5820 (The LinkSBIcons method in the SuperBuddy ActiveX control (Sb.SuperBudd ...) NOT-FOR-US: SuperBuddy ActiveX control CVE-2006-5819 (Verity Ultraseek before 5.7 allows remote attackers to use the server ...) NOT-FOR-US: Verity Ultraseek CVE-2006-5864 (Stack-based buffer overflow in the ps_gettext function in ps.c for GNU ...) {DSA-1243-1 DSA-1214} - gv 1:3.6.2-3 (medium; bug #398292) - evince 0.4.0-3 (medium; bug #400904; bug #400906; bug #402063) CVE-2006-5818 (Multiple buffer overflows in tunekrnl in IBM Lotus Domino 6.x before 6 ...) NOT-FOR-US: Lotus Domino CVE-2006-5817 (prl_dhcpd in Parallels Desktop for Mac Build 1940 uses insecure permis ...) NOT-FOR-US: Parallels CVE-2006-5816 (Multiple PHP remote file inclusion vulnerabilities in Dmitry Sheiko Bu ...) NOT-FOR-US: Business Card Web Builder CVE-2006-5815 (Stack-based buffer overflow in the sreplace function in ProFTPD 1.3.0 ...) {DSA-1222-1} - proftpd-dfsg 1.3.0-15 (bug #399070; high) CVE-2006-5814 (Unspecified vulnerability in Novell eDirectory allows remote attackers ...) NOT-FOR-US: Novell eDirectory CVE-2006-5813 (Unspecified vulnerability in Novell eDirectory 8.8 allows attackers to ...) NOT-FOR-US: Novell eDirectory CVE-2006-5812 (Unspecified vulnerability in Kerio MailServer allows attackers to caus ...) NOT-FOR-US: Kerio CVE-2006-5811 (PHP remote file inclusion vulnerability in library/translation.inc.php ...) NOT-FOR-US: OpenEMR CVE-2006-5810 (Cross-site scripting (XSS) vulnerability in modules/wfdownloads/newlis ...) NOT-FOR-US: XOOPS CVE-2006-5809 (Multiple unspecified vulnerabilities in Jonathon J. Freeman OvBB befor ...) NOT-FOR-US: OvBB CVE-2006-5808 (The installation of Cisco Secure Desktop (CSD) before 3.1.1.45 uses in ...) NOT-FOR-US: Cisco CVE-2006-5807 (Cisco Secure Desktop (CSD) before 3.1.1.45 allows local users to escap ...) NOT-FOR-US: Cisco CVE-2006-5806 (SSL VPN Client in Cisco Secure Desktop before 3.1.1.45, when configure ...) NOT-FOR-US: Cisco CVE-2006-5805 (Microsoft Internet Explorer 7 allows remote attackers to cause a secur ...) NOT-FOR-US: Microsoft CVE-2006-5804 (PHP remote file inclusion vulnerability in admin.php in Advanced Guest ...) NOT-FOR-US: Advanced Guestbook CVE-2006-5803 (PHP remote file inclusion vulnerability in modules/mx_smartor/album.ph ...) NOT-FOR-US: mxBB Smartor Album CVE-2006-5802 (SQL injection vulnerability in message_details.php in The Web Drivers ...) NOT-FOR-US: The Web Drivers Simple Forum CVE-2006-5801 (The owserver module in owfs and owhttpd 2.5p5 and earlier does not pro ...) NOT-FOR-US: owfs CVE-2006-5800 (Cross-site scripting (XSS) vulnerability in default.asp in xenis.creat ...) NOT-FOR-US: Xenis.creator CVE-2006-5799 (Multiple cross-site scripting (XSS) vulnerabilities in default.asp in ...) NOT-FOR-US: Xenis.creator CVE-2006-5798 (SQL injection vulnerability in default.asp in Xenis.creator CMS allows ...) NOT-FOR-US: Xenis.creator CVE-2006-5797 (Multiple SQL injection vulnerabilities in default.asp in Xenis.creator ...) NOT-FOR-US: Xenis.creator CVE-2006-5796 (Multiple PHP remote file inclusion vulnerabilities in Soholaunch Pro E ...) NOT-FOR-US: Soholaunch Pro CVE-2006-5795 (Multiple PHP remote file inclusion vulnerabilities in OpenEMR 2.8.1 an ...) NOT-FOR-US: OpenEMR CVE-2006-5794 (Unspecified vulnerability in the sshd Privilege Separation Monitor in ...) - openssh 1:4.3p2-6 (unimportant) NOTE: Not a direct vulnerability CVE-2006-5793 (The sPLT chunk handling code (png_set_sPLT function in pngset.c) in li ...) - libpng 1.2.13-0 (low; bug #398706) [sarge] - libpng (Minor issue) CVE-2006-XXXX [obexpushd arbitrary command execution] - obexpushd 0.4+svn10-1 (bug #397297; medium) CVE-2006-XXXX [motion insecure tempfile creation] - motion 3.2.3-2 (bug #393846; low) [sarge] - motion (Minor issue) CVE-2006-5792 (Unspecified vulnerability in XLink Omni-NFS Enterprise allows remote a ...) NOT-FOR-US: XLink Omni-NFS Enterprise CVE-2006-5791 (Multiple cross-site scripting (XSS) vulnerabilities in elogd.c in ELOG ...) {DSA-1242-1} - elog 2.6.2+r1754-1 (medium; bug #392016) CVE-2006-5790 (Multiple format string vulnerabilities in elogd.c in ELOG 2.6.2 and ea ...) {DSA-1242-1} - elog 2.6.2+r1754-1 (medium; bug #392016) CVE-2006-5789 (War FTP Daemon (WarFTPd) 1.82.00-RC11 allows remote authenticated user ...) NOT-FOR-US: WarFTPd CVE-2006-5788 (PHP remote file inclusion vulnerability in (1) index.php and (2) admin ...) NOT-FOR-US: IPrimal Forums CVE-2006-5787 (admin/index.php in IPrimal Forums as of 20061105 allows remote attacke ...) NOT-FOR-US: IPrimal Forums CVE-2006-5786 (Directory traversal vulnerability in class2.php in e107 0.7.5 and earl ...) NOT-FOR-US: e107 CVE-2006-5785 (Unspecified vulnerability in SAP Web Application Server 6.40 before pa ...) NOT-FOR-US: SAP Web Application Server CVE-2006-5784 (Unspecified vulnerability in enserver.exe in SAP Web Application Serve ...) NOT-FOR-US: SAP Web Application Server CVE-2006-5783 NOTE: irreproducible firefox issue CVE-2006-5782 (radexecd.exe in HP OpenView Client Configuraton Manager (CCM) does not ...) NOT-FOR-US: HP OpenView CVE-2006-5781 (Stack-based buffer overflow in the handshake function in iodine 0.3.2 ...) NOT-FOR-US: iodine CVE-2006-5780 (Stack-based buffer overflow in nfsd.exe in XLink Omni-NFS Server 5.2 a ...) NOT-FOR-US: XLink Omni-NFS CVE-2006-5779 (OpenLDAP before 2.3.29 allows remote attackers to cause a denial of se ...) - openldap2.2 (bug #397673) - openldap2.3 2.3.29-1 CVE-2006-5777 (Creasito E-Commerce Content Manager 1.3.08 allows remote attackers to ...) NOT-FOR-US: Creasito E-Commerce Content Manager CVE-2006-5776 NOT-FOR-US: Ariadne CVE-2006-5775 (Cross-site scripting (XSS) vulnerability in profile.php in FunkBoard 0 ...) NOT-FOR-US: FunkBoard CVE-2006-5774 (Cross-site scripting (XSS) vulnerability in Hyper NIKKI System before ...) NOT-FOR-US: Hyper NIKKI System CVE-2006-5773 (Directory traversal vulnerability in index.php in FreeWebshop 2.2.1 an ...) NOT-FOR-US: FreeWebshop CVE-2006-5772 (Multiple SQL injection vulnerabilities in index.php in FreeWebshop 2.2 ...) NOT-FOR-US: FreeWebshop CVE-2006-5771 (Cross-site scripting (XSS) vulnerability in Arkoon SSL360 1.0 and 2.0 ...) NOT-FOR-US: Arkoon SSL360 CVE-2006-5770 (Multiple cross-site scripting (XSS) vulnerabilities in ac4p Mobile all ...) NOT-FOR-US: Mobile CVE-2006-5769 (Multiple cross-site scripting (XSS) vulnerabilities in admin.tool CMS ...) NOT-FOR-US: admin.tool CMS CVE-2006-5768 (Multiple PHP remote file inclusion vulnerabilities in Cyberfolio 2.0 R ...) NOT-FOR-US: Cyberfolio CVE-2006-5767 (PHP remote file inclusion vulnerability in includes/xhtml.php in Drake ...) NOT-FOR-US: Drake CMS CVE-2006-5766 (PHP remote file inclusion vulnerability in volume.php in Article Syste ...) NOT-FOR-US: Article System CVE-2006-5765 (SQL injection vulnerability in rss.php in Article Script 1.6.3 and ear ...) NOT-FOR-US: Article Script CVE-2006-5764 (PHP remote file inclusion vulnerability in contact.php in Free File Ho ...) NOT-FOR-US: Free File Hosting CVE-2006-5763 (Multiple PHP remote file inclusion vulnerabilities in Free File Hostin ...) NOT-FOR-US: Free File Hosting CVE-2006-5762 (PHP remote file inclusion vulnerability in forgot_pass.php in Free Fil ...) NOT-FOR-US: Free File Hosting CVE-2006-5761 (Cross-site scripting (XSS) vulnerability in index.php in Rhadrix If-CM ...) NOT-FOR-US: Rhadrix If-CMS CVE-2006-5760 (Multiple PHP remote file inclusion vulnerabilities in phpDynaSite 3.2. ...) NOT-FOR-US: phpDynaSite CVE-2006-5759 (index.php in Rhadrix If-CMS, possibly 1.01 and 2.07, allows remote att ...) NOT-FOR-US: Rhadrix If-CMS CVE-2006-5758 (The Graphics Rendering Engine in Microsoft Windows 2000 through 2000 S ...) NOT-FOR-US: Microsoft CVE-2006-5757 (Race condition in the __find_get_block_slow function in the ISO9660 fi ...) {DSA-1304} - linux-2.6 2.6.18.dfsg.1-10 (low) CVE-2006-5756 REJECTED CVE-2006-5755 (Linux kernel before 2.6.18, when running on x86_64 systems, does not p ...) {DSA-1381-2} - linux-2.6 2.6.18.dfsg.1-10 CVE-2006-5754 (The aio_setup_ring function in Linux kernel does not properly initiali ...) {DSA-1304} - linux-2.6 (Fixed before initial upload; 2.6.10) CVE-2006-5753 (Unspecified vulnerability in the listxattr system call in Linux kernel ...) {DSA-1503-2 DSA-1503-1 DSA-1356-1 DSA-1304} - linux-2.6 2.6.20-1 CVE-2006-5752 (Cross-site scripting (XSS) vulnerability in mod_status.c in the mod_st ...) - apache2 2.2.4-2 (low) [sarge] - apache2 2.0.54-5sarge2 [etch] - apache2 2.2.3-4+etch2 - apache (low) [etch] - apache 1.3.34-4.1+etch1 CVE-2006-5751 (Integer overflow in the get_fdb_entries function in net/bridge/br_ioct ...) {DSA-1233} - linux-2.6 2.6.18-8 (medium) CVE-2006-5750 (Directory traversal vulnerability in the DeploymentFileRepository clas ...) NOT-FOR-US: JBoss CVE-2006-5749 (The isdn_ppp_ccp_reset_alloc_state function in drivers/isdn/isdn_ppp.c ...) - linux-2.6 2.6.18.dfsg.1-10 CVE-2006-5748 (Multiple unspecified vulnerabilities in the JavaScript engine in Mozil ...) {DSA-1227-1 DSA-1225-1 DSA-1224-1} NOTE: MFSA-2006-65 - firefox 45.0-1 (high) - firefox-esr 45.0esr-1 (high) - iceweasel 2.0+dfsg-1 (high) - icedove 1.5.0.8-1 (medium) - mozilla (high) - xulrunner 1.8.0.8-1 (high) CVE-2006-5747 (Unspecified vulnerability in Mozilla Firefox before 1.5.0.8, Thunderbi ...) NOTE: MFSA-2006-65 - firefox 45.0-1 (high) - firefox-esr 45.0esr-1 (high) - iceweasel 2.0+dfsg-1 (high) - icedove 1.5.0.8-1 (medium) - mozilla (medium) - xulrunner 1.5.0.8-1 (high) - mozilla-firefox - mozilla-thunderbird [sarge] - mozilla (Vulnerable code not present) [sarge] - mozilla-firefox (Vulnerable code not present) [sarge] - mozilla-thunderbird (Vulnerable code not present) CVE-2006-5746 (The console in AirMagnet Enterprise before 7.5 build 6307 does not pro ...) NOT-FOR-US: AirMagnet CVE-2006-5745 (Unspecified vulnerability in the setRequestHeader method in the XMLHTT ...) NOT-FOR-US: Microsoft CVE-2006-5744 (Multiple SQL injection vulnerabilities in Highwall Enterprise and High ...) NOT-FOR-US: Highwall Enterprise CVE-2006-5743 (Multiple cross-site scripting (XSS) vulnerabilities in Highwall Enterp ...) NOT-FOR-US: Highwall Enterprise CVE-2006-5742 (The AirMagnet Enterprise console and Remote Sensor console (Laptop) in ...) NOT-FOR-US: AirMagnet Enterprise CVE-2006-5741 (Multiple cross-site scripting (XSS) vulnerabilities in AirMagnet Enter ...) NOT-FOR-US: AirMagnet Enterprise CVE-2006-5739 (PHP remote file inclusion vulnerability in cpadmin/cpa_index.php in Le ...) NOT-FOR-US: communityPortals CVE-2006-5738 (Multiple SQL injection vulnerabilities in PunBB before 1.2.14 allow re ...) NOT-FOR-US: PunBB CVE-2006-5737 (PunBB uses a predictable cookie_seed value that can be derived from th ...) NOT-FOR-US: PunBB CVE-2006-5736 (SQL injection vulnerability in search.php in PunBB before 1.2.14, when ...) NOT-FOR-US: PunBB CVE-2006-5735 (Directory traversal vulnerability in include/common.php in PunBB befor ...) NOT-FOR-US: PunBB CVE-2006-5734 (Multiple PHP remote file inclusion vulnerabilities in ATutor 1.5.3.2 a ...) NOT-FOR-US: ATutor CVE-2006-5733 (Directory traversal vulnerability in error.php in PostNuke 0.763 and e ...) NOT-FOR-US: PostNuke CVE-2006-5732 (SQL injection vulnerability in logout.php in T.G.S. CMS 0.1.7 and earl ...) NOT-FOR-US: T.G.S. CMS CVE-2006-5731 (Directory traversal vulnerability in classes/index.php in Lithium CMS ...) NOT-FOR-US: Lithium CMS CVE-2006-5730 (PHP remote file inclusion vulnerability in manager/media/browser/mcpuk ...) NOT-FOR-US: Modx CMS CVE-2006-5729 (Yazd Discussion Forum before 3.0 beta does not properly manage forum p ...) NOT-FOR-US: Yazd Discussion Forum CVE-2006-5728 (XM Easy Personal FTP Server 5.2.1 and earlier allows remote authentica ...) NOT-FOR-US: XM Easy Personal FTP Server CVE-2006-5727 (PHP remote file inclusion vulnerability in admin/controls/cart.php in ...) NOT-FOR-US: sazcart CVE-2006-5726 (alloccgblk in the UFS filesystem in Solaris 10 allows local users to c ...) NOT-FOR-US: Solaris CVE-2006-5725 (The SSL server in AEP Smartgate 4.3b allows remote attackers to determ ...) NOT-FOR-US: AEP Smartgate CVE-2006-5724 (Heap-based buffer overflow the "Answering Service" function in ICQ 200 ...) NOT-FOR-US: ICQ CVE-2006-5723 (SQL injection vulnerability in DataparkSearch Engine 4.42 and earlier ...) NOT-FOR-US: DataparkSearch Engine CVE-2006-5722 (Multiple PHP remote file inclusion vulnerabilities in Segue CMS 1.5.9 ...) NOT-FOR-US: Segue CMS CVE-2006-5721 (The \Device\SandBox driver in Outpost Firewall PRO 4.0 (964.582.059) a ...) NOT-FOR-US: Outpost Firewall PRO CVE-2006-5720 (SQL injection vulnerability in modules/journal/search.php in the Journ ...) NOT-FOR-US: PHP-Nuke CVE-2006-5719 (SQL injection vulnerability in libs/sessions.lib.php in BytesFall Expl ...) NOT-FOR-US: BytesFall Explorer (bfExplorer) CVE-2006-5718 (Cross-site scripting (XSS) vulnerability in error.php in phpMyAdmin 2. ...) - phpmyadmin 4:2.9.0.3-1 (low; bug #396638) [sarge] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2006-6/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/39893dd0c956de6505d5a4d4590ad3e1f64bdffa CVE-2006-5717 (Multiple cross-site scripting (XSS) vulnerabilities in Zend Google Dat ...) NOT-FOR-US: Zend Google Data Client Library (ZendGData) CVE-2006-5716 (Directory traversal vulnerability in aff_news.php in FreeNews 2.1 allo ...) NOT-FOR-US: FreeNews CVE-2006-5715 (Easy File Sharing (EFS) Easy Address Book 1.2, when run on an NTFS fil ...) NOT-FOR-US: Easy File Sharing (EFS) Easy Address Book CVE-2006-5714 (Easy File Sharing (EFS) Web Server 4.0, when running on an NTFS file s ...) NOT-FOR-US: Easy File Sharing (EFS) Web Server CVE-2006-5713 (Cross-site scripting (XSS) vulnerability in Easy File Sharing (EFS) We ...) NOT-FOR-US: Easy File Sharing (EFS) Web Server CVE-2006-5712 (Cross-site scripting (XSS) vulnerability in Mirapoint WebMail allows r ...) NOT-FOR-US: Mirapoint WebMail CVE-2006-5711 (ECI Telecom B-FOCuS Wireless 802.11b/g ADSL2+ Router allows remote att ...) NOT-FOR-US: ECI Telecom CVE-2006-5710 (The Airport driver for certain Orinoco based Airport cards in Darwin k ...) NOT-FOR-US: Apple Mac OS X CVE-2006-5709 (Unspecified vulnerability in WorldClient in Alt-N Technologies MDaemon ...) NOT-FOR-US: Alt-N Technologies MDaemon CVE-2006-5708 (Multiple unspecified vulnerabilities in MDaemon and WorldClient in Alt ...) NOT-FOR-US: Alt-N Technologies MDaemon CVE-2006-5707 (SQL injection vulnerability in index.php in PHPEasyData Pro 1.4.1 and ...) NOT-FOR-US: PHPEasyData CVE-2006-5706 (Unspecified vulnerabilities in PHP, probably before 5.2.0, allow local ...) - php5 5.2.0-1 (unimportant) - php4 (unimportant) NOTE: lack of basedir restrictions are not security-relevant by Debian PHP security policy CVE-2006-5705 (Multiple directory traversal vulnerabilities in plugins/wp-db-backup.p ...) - wordpress 2.0.5-0.1 CVE-2006-5704 (HP NonStop Server G06.29, when running Standard Security T6533G06 befo ...) NOT-FOR-US: HP CVE-2006-5703 (Cross-site scripting (XSS) vulnerability in tiki-featured_link.php in ...) - tikiwiki 1.9.6+dfsg-1 (low) CVE-2006-5702 (Tikiwiki 1.9.5 allows remote attackers to obtain sensitive information ...) - tikiwiki 1.9.6+dfsg-1 (medium) CVE-2006-5701 (Double free vulnerability in squashfs module in the Linux kernel 2.6.x ...) - linux-2.6 (Vulnerable code not present) - squashfs 1:3.1r2-6.1 NOTE: Mounting filesystem partitions should be limited to root CVE-2006-5700 REJECTED CVE-2006-5699 REJECTED CVE-2006-5698 REJECTED CVE-2006-5697 REJECTED CVE-2006-5696 REJECTED CVE-2006-5695 REJECTED CVE-2006-5694 REJECTED CVE-2006-5693 REJECTED CVE-2006-5692 REJECTED CVE-2006-5691 REJECTED CVE-2006-5690 REJECTED CVE-2006-5689 REJECTED CVE-2006-5688 REJECTED CVE-2006-5687 REJECTED CVE-2006-5686 REJECTED CVE-2006-5685 REJECTED CVE-2006-5684 REJECTED CVE-2006-5683 REJECTED CVE-2006-5682 REJECTED CVE-2006-5681 (QuickTime for Java on Mac OS X 10.4 through 10.4.8, when used with Qua ...) NOT-FOR-US: QuickTime on Mac OS X CVE-2006-5680 (The libarchive library in FreeBSD 6-STABLE after 2006-09-05 and before ...) - libarchive 1.3.1-1 (unimportant) CVE-2006-5679 (Integer overflow in the ffs_mountfs function in FreeBSD 6.1 allows loc ...) - kfreebsd-5 (medium) [etch] - kfreebsd-5 (no security support for freebsd) CVE-2006-5678 NOT-FOR-US: Les Visiteurs CVE-2006-5677 (resmom/start_exec.c in pbs_mom in TORQUE Resource Manager 2.0.0p8 and ...) - torque 2.1.6-1 CVE-2006-5676 (SQL injection vulnerability in consult/classement.php in Uni-Vert PhpL ...) NOT-FOR-US: PhpLeague CVE-2006-5675 (Multiple unspecified vulnerabilities in Pentaho Business Intelligence ...) NOT-FOR-US: Pentaho Business Intelligence (BI) Suite CVE-2006-5674 (Multiple PHP remote file inclusion vulnerabilities in miniBB 2.0.2 and ...) NOT-FOR-US: miniBB CVE-2006-5673 (PHP remote file inclusion vulnerability in bb_func_txt.php in miniBB 2 ...) NOT-FOR-US: miniBB CVE-2006-5672 (PHP remote file inclusion vulnerability in web/init_mysource.php in My ...) NOT-FOR-US: MySource CMS CVE-2006-5671 (PHP remote file inclusion vulnerability in contact.php in Free Image H ...) NOT-FOR-US: Free Image Hosting CVE-2006-5670 (PHP remote file inclusion vulnerability in forgot_pass.php in Free Ima ...) NOT-FOR-US: Free Image Hosting CVE-2006-5669 (PHP remote file inclusion vulnerability in gestion/savebackup.php in G ...) NOT-FOR-US: Gepi CVE-2006-5668 (Unspecified vulnerability in Ampache 3.3.2 and earlier, when register_ ...) NOT-FOR-US: Ampache CVE-2006-5667 (Multiple PHP remote file inclusion vulnerabilities in P-Book 1.17 and ...) NOT-FOR-US: P-Book CVE-2006-5666 (SQL injection vulnerability in includes/menu.inc.php in E-Annu 1.0 all ...) NOT-FOR-US: E-Annu CVE-2006-5665 (PHP remote file inclusion vulnerability in admin/modules_data.php in t ...) NOT-FOR-US: phpBB module Spider Friendly CVE-2006-5664 (The installation script in IBM Informix Dynamic Server 10.00, Informix ...) NOT-FOR-US: IBM Informix CVE-2006-5663 (IBM Informix Dynamic Server 10.00, Informix Client Software Developmen ...) NOT-FOR-US: IBM Informix CVE-2006-5662 (SQL injection vulnerability in easy notesManager (eNM) 0.0.1 allows re ...) NOT-FOR-US: easy notesManager (eNM) CVE-2006-5661 (Cross-site scripting (XSS) vulnerability in nquser.php in VIRtech Netq ...) NOT-FOR-US: Netquery CVE-2006-5660 (Cisco Security Agent Management Center (CSAMC) 5.1 before 5.1.0.79 doe ...) NOT-FOR-US: Cisco CVE-2006-5659 (PAM_extern before 0.2 sends a password as a command line argument, whi ...) NOT-FOR-US: PAM_extern CVE-2006-5658 (BlooMooWeb ActiveX control (AidemATL.dll) allows remote attackers to ( ...) NOT-FOR-US: BlooMooWeb ActiveX control CVE-2006-5657 (Multiple off-by-one errors in src/text.c in Vilistextum before 2.6.9 h ...) NOT-FOR-US: Vilistextum CVE-2006-5656 (Memory leak in the push_align function in src/util.c in Vilistextum be ...) NOT-FOR-US: Vilistextum CVE-2006-5655 (SQL injection vulnerability in index.php in OpenDocMan 1.2p3 allows re ...) NOT-FOR-US: OpenDocMan CVE-2006-5654 (Unspecified vulnerability in the Network Security Services (NSS) in Su ...) NOT-FOR-US: Sun Java System Web Server CVE-2006-5653 (Cross-site scripting (XSS) vulnerability in the errorHTML function in ...) NOT-FOR-US: Sun Java System Messenger Express CVE-2006-5652 (Cross-site scripting (XSS) vulnerability in Sun iPlanet Messaging Serv ...) NOT-FOR-US: Sun CVE-2006-5651 (list.php in DigiOz Guestbook before 1.7.1 allows remote attackers to o ...) NOT-FOR-US: DigiOz Guestbook CVE-2006-5650 (The ICQPhone.SipxPhoneManager ActiveX control in America Online ICQ 5. ...) NOT-FOR-US: ICQPhone.SipxPhoneManager CVE-2006-5649 (Unspecified vulnerability in the "alignment check exception handling" ...) {DSA-1237 DSA-1233} - linux-2.6 2.6.18-4 CVE-2006-5648 (Ubuntu Linux 6.10 for the PowerPC (PPC) allows local users to cause a ...) - linux-2.6 2.6.18-1 (low) CVE-2006-5647 (Sophos Anti-Virus and Endpoint Security before 6.0.5, Anti-Virus for L ...) NOT-FOR-US: Sophos CVE-2006-5646 (Heap-based buffer overflow in Sophos Anti-Virus and Endpoint Security ...) NOT-FOR-US: Sophos CVE-2006-5645 (Sophos Anti-Virus and Endpoint Security before 6.0.5, Anti-Virus for L ...) NOT-FOR-US: Sophos CVE-2006-5644 RESERVED CVE-2006-5643 (Cross-site scripting (XSS) vulnerability in search_de.html in foresite ...) NOT-FOR-US: foresite CMS CVE-2006-5642 (Unspecified vulnerability in NmnLogger 1.0.0 and earlier has unknown i ...) NOT-FOR-US: NmnLogger CVE-2006-5641 (SQL injection vulnerability in MainAnnounce2.asp in Techno Dreams Anno ...) NOT-FOR-US: Techno Dreams CVE-2006-5640 (SQL injection vulnerability in guestbookview.asp in Techno Dreams Gues ...) NOT-FOR-US: Techno Dreams CVE-2006-5639 (Unspecified vulnerability in the random number generator in OpenWBEM ( ...) NOT-FOR-US: OpenWBEM CVE-2006-5638 (Multiple SQL injection vulnerabilities in cherche.php in PHPMyRing 4.2 ...) NOT-FOR-US: PHPMyRing CVE-2006-5637 (PHP remote file inclusion vulnerability in faq_reply.php in Faq Admini ...) NOT-FOR-US: Faq Administrator CVE-2006-5636 (PHP remote file inclusion vulnerability in common.php in Simple Websit ...) NOT-FOR-US: Simple Website Software CVE-2006-5635 (SQL injection vulnerability in forum/search.asp in Web Wiz Forums allo ...) NOT-FOR-US: Web Wiz Forums CVE-2006-5634 (Multiple PHP remote file inclusion vulnerabilities in phpProfiles 2.1 ...) NOT-FOR-US: phpProfiles CVE-2006-5633 (Firefox 1.5.0.7 and 2.0, and Seamonkey 1.1b, allows remote attackers t ...) - firefox 45.0-1 (unimportant) - firefox-esr 45.0esr-1 (unimportant) - iceweasel (unimportant) - icedove (unimportant) - mozilla (unimportant) - xulrunner (unimportant) - mozilla-firefox (unimportant) - mozilla-thunderbird (unimportant) CVE-2006-5632 (Cross-site scripting (XSS) vulnerability in change_pass.php in iG Shop ...) NOT-FOR-US: iG Shop CVE-2006-5631 (Cross-site scripting (XSS) vulnerability in change_pass.php in iG Shop ...) NOT-FOR-US: iG Shop CVE-2006-5630 (Hosting Controller 6.1 before Hotfix 3.3 allows remote attackers to (1 ...) NOT-FOR-US: Hosting Controller CVE-2006-5629 (Multiple SQL injection vulnerabilities in Hosting Controller 6.1 befor ...) NOT-FOR-US: Hosting Controller CVE-2006-5628 (SQL injection vulnerability in login.asp in UNISOR Content Management ...) NOT-FOR-US: UNISOR Content Management System (CMS) CVE-2006-5627 (Multiple PHP remote file inclusion vulnerabilities in QnECMS 2.5.6 and ...) NOT-FOR-US: QnECMS CVE-2006-5626 (Cross-site scripting (XSS) vulnerability in cms_images/js/htmlarea/htm ...) NOT-FOR-US: phpFaber CVE-2006-5625 (PHP remote file inclusion vulnerability in wwwdev/nxheader.inc.php in ...) NOT-FOR-US: N/X 2002 Professional Edition Web Content Management System (WCMS) CVE-2006-5624 (Multiple PHP remote file inclusion vulnerabilities in Multi-Page Comme ...) NOT-FOR-US: Multi-Page Comment System (MPCS) CVE-2006-5623 (PHP remote file inclusion vulnerability in ip.inc.php in Electronic En ...) NOT-FOR-US: Electronic Engineering Tool (EE Tool) CVE-2006-5622 (SQL injection vulnerability in picmgr.php in Coppermine Photo Gallery ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2006-5621 (PHP remote file inclusion vulnerability in end.php in ask_rave 0.9 PR, ...) NOT-FOR-US: ask_rave CVE-2006-5620 (PHP remote file inclusion vulnerability in include/menu_builder.php in ...) NOT-FOR-US: MiniBILL CVE-2006-5619 (The seqfile handling (ip6fl_get_n function in ip6_flowlabel.c) in Linu ...) {DSA-1233} - linux-2.6 2.6.18-4 (low) CVE-2006-5618 (Directory traversal vulnerability in script/cat_for_aff.php in Netref ...) NOT-FOR-US: Netref CVE-2006-5617 (Directory traversal vulnerability in index.php in Thepeak File Upload ...) NOT-FOR-US: Thepeak File Upload Manager CVE-2006-5616 (Multiple unspecified vulnerabilities in OpenPBS, as used in SUSE Linux ...) NOT-FOR-US: OpenPBS CVE-2006-5615 (PHP remote file inclusion vulnerability in publish.php in Textpattern ...) NOT-FOR-US: Textpattern CVE-2006-5614 (Microsoft Windows NAT Helper Components (ipnathlp.dll) on Windows XP S ...) NOT-FOR-US: Microsoft CVE-2006-5613 (PHP remote file inclusion in Core/core.inc.php in MP3 Streaming DownSa ...) NOT-FOR-US: MP3 Streaming DownSampler (mp3SDS) CVE-2006-5612 (PHP remote file inclusion vulnerability in aide.php3 (aka aide.php) in ...) NOT-FOR-US: GestArt CVE-2006-5611 (Unspecified vulnerability in Toshiba Bluetooth Stack before 4.20.01 ha ...) NOT-FOR-US: Toshiba CVE-2006-5610 (PHP remote file inclusion vulnerability in player/includes/common.php ...) NOT-FOR-US: Teake Nutma Foing CVE-2006-5609 (Directory traversal vulnerability in dir.php in TorrentFlux 2.1 allows ...) - torrentflux 2.1-5 (bug #395930; medium) CVE-2006-5608 (SQL injection vulnerability in Extended Tracker (xtracker) 4.7 before ...) NOT-FOR-US: Extended Tracker (xtracker) for Drupal CVE-2006-5607 (Directory traversal vulnerability in /cgi-bin/webcm in INCA IM-204 all ...) NOT-FOR-US: INCA IM-204 CVE-2006-5606 (Multiple SQL injection vulnerabilities in BytesFall Explorer (bfExplor ...) NOT-FOR-US: BytesFall Explorer (bfExplorer) CVE-2006-5605 (Multiple cross-site scripting (XSS) vulnerabilities in phpcards.footer ...) NOT-FOR-US: phpCards CVE-2006-5604 (Directory traversal vulnerability in phpcards.header.php in phpCards 1 ...) NOT-FOR-US: phpCards CVE-2006-5603 (SQL injection vulnerability in pop_mail.asp in Snitz Forums 2000 3.4.0 ...) NOT-FOR-US: Snitz Forums CVE-2006-5600 (Axalto Protiva 1.1, possibly only non-commercial versions, stores pass ...) NOT-FOR-US: Axalto Protiva CVE-2006-5599 (Cross-site scripting (XSS) vulnerability in Oracle Application Express ...) NOT-FOR-US: Oracle CVE-2006-5598 (Cross-site scripting (XSS) vulnerability in index.php for GOOP Gallery ...) NOT-FOR-US: GOOP Gallery CVE-2006-5597 (join.asp in MiniHTTP Web Forum & File Server PowerPack 4.0 allows ...) NOT-FOR-US: MiniHTTP Web Forum CVE-2006-5596 (Directory traversal vulnerability in the SSL server in AEP Smartgate 4 ...) NOT-FOR-US: AEP Smartgate CVE-2006-5595 (Unspecified vulnerability in the AirPcap support in Wireshark (formerl ...) - wireshark 0.99.4-1 (bug #396258) CVE-2006-5594 (PHP remote file inclusion vulnerability in University of British Colum ...) NOT-FOR-US: iPeer CVE-2006-5593 (Buffer overflow in Desknet's (niokeru) before 5.0J R1.0 might allow re ...) NOT-FOR-US: Desknet's (niokeru) CVE-2006-5592 (Admin/adpoll.asp in PacPoll 4.0 and earlier allows remote attackers to ...) NOT-FOR-US: PacPoll CVE-2006-5591 (Multiple SQL injection vulnerabilities in Admin/check.asp in PacPoll 4 ...) NOT-FOR-US: PacPoll CVE-2006-5590 (PHP remote file inclusion vulnerability in index.php in ArticleBeach S ...) NOT-FOR-US: ArticleBeach Script CVE-2006-5589 (Multiple SQL injection vulnerabilities in LedgerSMB (LSMB) 1.1.0 and e ...) NOT-FOR-US: LedgerSMB (LSMB) CVE-2006-5588 (Multiple PHP remote file inclusion vulnerabilities in CMS Faethon 2.0 ...) NOT-FOR-US: CMS Faethon CVE-2006-5587 (Multiple PHP remote file inclusion vulnerabilities in MDweb 1.3 and ea ...) NOT-FOR-US: MDweb CVE-2006-5586 (The Graphics Rendering Engine in Microsoft Windows 2000 SP4 and XP SP2 ...) NOT-FOR-US: Microsoft GDI CVE-2006-5585 (The Client-Server Run-time Subsystem in Microsoft Windows XP SP2 and S ...) NOT-FOR-US: Microsoft CVE-2006-5584 (The Remote Installation Service (RIS) in Microsoft Windows 2000 SP4 us ...) NOT-FOR-US: Microsoft CVE-2006-5583 (Buffer overflow in the SNMP Service in Microsoft Windows 2000 SP4, XP ...) NOT-FOR-US: Microsoft CVE-2006-5582 REJECTED CVE-2006-5581 (Unspecified vulnerability in Microsoft Internet Explorer 6 allows remo ...) NOT-FOR-US: Microsoft CVE-2006-5580 RESERVED CVE-2006-5579 (Microsoft Internet Explorer 6 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft CVE-2006-5578 (Microsoft Internet Explorer 6 and earlier allows remote attackers to r ...) NOT-FOR-US: Microsoft CVE-2006-5577 (Microsoft Internet Explorer 6 and earlier allows remote attackers to o ...) NOT-FOR-US: Microsoft CVE-2006-5576 REJECTED CVE-2006-5575 REJECTED CVE-2006-5574 (Unspecified vulnerability in the Brazilian Portuguese Grammar Checker ...) NOT-FOR-US: Microsoft CVE-2006-5573 REJECTED CVE-2006-5572 REJECTED CVE-2006-5571 (Stack-based buffer overflow in /scripts/cruise/cws.exe in CruiseWorks ...) NOT-FOR-US: CruiseWorks CVE-2006-5570 (Directory traversal vulnerability in /scripts/cruise/cws.exe in Cruise ...) NOT-FOR-US: CruiseWorks CVE-2006-5569 (FtpXQ Server 3.0.1 installs with two default testing accounts, which a ...) NOT-FOR-US: FtpXQ CVE-2006-5568 (FtpXQ Server 3.0.1 allows remote attackers to cause a denial of servic ...) NOT-FOR-US: FtpXQ CVE-2006-5567 (Multiple heap-based buffer overflows in AOL Nullsoft WinAmp before 5.3 ...) NOT-FOR-US: WinAmp CVE-2006-5566 (CRLF injection vulnerability in premium/index.php in Shop-Script allow ...) NOT-FOR-US: Shop-Script CVE-2006-5565 (CRLF injection vulnerability in MAXdev MD-Pro 1.0.76 allows remote att ...) NOT-FOR-US: MAXdev MD-Pro CVE-2006-5564 (Cross-site scripting (XSS) vulnerability in user.php in MAXdev MD-Pro ...) NOT-FOR-US: MAXdev MD-Pro CVE-2006-5563 (Unspecified vulnerability in Yahoo! Messenger (Service 18) before 8.1. ...) NOT-FOR-US: Yahoo! Messenger CVE-2006-5562 (PHP remote file inclusion vulnerability in include/database.php in Sou ...) NOT-FOR-US: SourceForge (gforge is not affected) CVE-2006-5561 (SQL injection vulnerability in admincp.php in Discuz! GBK 5.0.0 allows ...) NOT-FOR-US: Discuz! GBK CVE-2006-5560 (Cross-site scripting (XSS) vulnerability in heading.php in Boesch Prog ...) NOT-FOR-US: ProgSys CVE-2006-5559 (The Execute method in the ADODB.Connection 2.7 and 2.8 ActiveX control ...) NOT-FOR-US: ADODB.Connection 2.7 ActiveX control CVE-2006-5558 (Format string vulnerability in the swask command in HP-UX B.11.11 and ...) NOT-FOR-US: HP-UX CVE-2006-5557 (Stack-based buffer overflow in the (1) swpackage and (2) swmodify comm ...) NOT-FOR-US: HP-UX CVE-2006-5556 (Buffer overflow in the localtime_r function, and certain other functio ...) NOT-FOR-US: swask CVE-2006-5555 (PHP remote file inclusion vulnerability in constantes.inc.php in EPNad ...) NOT-FOR-US: EPNadmin CVE-2006-5554 (Directory traversal vulnerability in index.php in Imageview 5 allows r ...) NOT-FOR-US: Imageview CVE-2006-5553 (Cisco Security Agent (CSA) for Linux 4.5 before 4.5.1.657 and 5.0 befo ...) NOT-FOR-US: Cisco CVE-2006-5552 (Multiple heap-based buffer overflows in RevilloC MailServer 1.21 and e ...) NOT-FOR-US: RevilloC MailServer CVE-2006-5551 (Stack-based buffer overflow in QK SMTP 3.01 and earlier might allow re ...) NOT-FOR-US: QK SMTP CVE-2006-5550 (The kernel in FreeBSD 6.1 and OpenBSD 4.0 allows local users to cause ...) - kfreebsd-5 (low) [etch] - kfreebsd-5 (no security support for freebsd) CVE-2006-5549 NOT-FOR-US: Adobe PHP SDK CVE-2006-5548 (PHP remote file inclusion vulnerability in OTSCMS/OTSCMS.php in Open T ...) NOT-FOR-US: Open Tibia Server Content Management System CVE-2006-5547 (PHP remote file inclusion vulnerability in OTSCMS/OTSCMS.php in Open T ...) NOT-FOR-US: Open Tibia Server Content Management System CVE-2006-5546 (PHP remote file inclusion vulnerability in OTSCMS/OTSCMS.php in Open T ...) NOT-FOR-US: Open Tibia Server Content Management System CVE-2006-5545 (Premium Antispam in Symantec Mail Security for Domino Server 5.1.x bef ...) NOT-FOR-US: Symantec CVE-2006-5544 (Visual truncation vulnerability in Microsoft Internet Explorer 7 allow ...) NOT-FOR-US: Microsoft CVE-2006-5543 (PHP remote file inclusion vulnerability in misc/function.php3 in PHP G ...) NOT-FOR-US: PHP Generator of Object SQL Database CVE-2006-5542 (backend/tcop/postgres.c in PostgreSQL 8.1.x before 8.1.5 allows remote ...) - postgresql-8.1 8.1.5-1 (unimportant) NOTE: All crashes can only be triggered by authenticated users, these are not NOTE: treated as vulnerabilities. CVE-2006-5541 (backend/parser/parse_coerce.c in PostgreSQL 7.4.1 through 7.4.14, 8.0. ...) - postgresql-7.4 1:7.4.14-1 (unimportant) - postgresql-8.1 8.1.5-1 (unimportant) [sarge] - postgresql (unimportant) NOTE: All crashes can only be triggered by authenticated users, these are not NOTE: treated as vulnerabilities. CVE-2006-5540 (backend/parser/analyze.c in PostgreSQL 8.1.x before 8.1.5 allows remot ...) - postgresql-8.1 8.1.5-1 (unimportant) NOTE: All crashes can only be triggered by authenticated users, these are not NOTE: treated as vulnerabilities. CVE-2006-5539 (PHP remote file inclusion vulnerability in login/secure.php in UeberPr ...) NOT-FOR-US: UeberProject Management System CVE-2006-5538 (D-Link DSL-G624T firmware 3.00B01T01.YA-C.20060616 allows remote attac ...) NOT-FOR-US: D-Link CVE-2006-5537 (Multiple cross-site scripting (XSS) vulnerabilities in cgi-bin/webcm i ...) NOT-FOR-US: D-Link CVE-2006-5536 (Directory traversal vulnerability in cgi-bin/webcm in D-Link DSL-G624T ...) NOT-FOR-US: D-Link CVE-2006-5535 (Multiple cross-site scripting (XSS) vulnerabilities in WebHostManager ...) NOT-FOR-US: WebHostManager cPanel CVE-2006-5534 (Multiple cross-site scripting (XSS) vulnerabilities in index.htm in Zw ...) NOT-FOR-US: Zwahlen Online Shop Freeware CVE-2006-5533 (Multiple PHP remote file inclusion vulnerabilities in AROUNDMe 0.6.9, ...) NOT-FOR-US: AROUNDMe CVE-2006-5532 (Cross-site scripting (XSS) vulnerability in rmgs/images.php in RMSOFT ...) NOT-FOR-US: RMSOFT Gallery System CVE-2006-5531 (PHP remote file inclusion vulnerability in embedded.php in Ascended Gu ...) NOT-FOR-US: Ascended Guestbook CVE-2006-5530 (Multiple cross-site scripting (XSS) vulnerabilities in Boesch SimpNews ...) NOT-FOR-US: SimpNews CVE-2006-5529 (Cross-site scripting (XSS) vulnerability in smumdadotcom_ascyb_alumni/ ...) NOT-FOR-US: SchoolAlumni Portal CVE-2006-5528 (Directory traversal vulnerability in mod.php in SchoolAlumni Portal 2. ...) NOT-FOR-US: SchoolAlumni Portal CVE-2006-5527 (PHP remote file inclusion vulnerability in lib.editor.inc.php in Intel ...) NOT-FOR-US: InteliEditor CVE-2006-5526 (Multiple PHP remote file inclusion vulnerabilities in Teake Nutma Foin ...) NOT-FOR-US: Fully Modded phpBB (phpbbfm) / Teake Nutma Foing CVE-2006-5525 (Incomplete blacklist vulnerability in mainfile.php in PHP-Nuke 7.9 and ...) NOT-FOR-US: PHP-Nuke CVE-2006-5524 (Cross-site scripting (XSS) vulnerability in index.php in phplist 2.10. ...) - phplist (bug #612288) CVE-2006-5523 (PHP remote file inclusion vulnerability in common.php in EZ-Ticket 0.0 ...) NOT-FOR-US: EZ-Ticket CVE-2006-5522 (Multiple PHP remote file inclusion vulnerabilities in Johannes Erdfelt ...) NOT-FOR-US: Kawf CVE-2006-5521 (PHP remote file inclusion vulnerability in DNS/RR.php in Net_DNS 0.03 ...) NOT-FOR-US: Net_DNS CVE-2006-5520 (PHP remote file inclusion vulnerability in functions.php in DeltaScrip ...) NOT-FOR-US: PHP Classifieds CVE-2006-5519 (PHP remote file inclusion vulnerability in Savant2/Savant2_Plugin_opti ...) - egroupware (there is no path variable used to include plugin.php) CVE-2006-5518 (Multiple PHP remote file inclusion vulnerabilities in Christopher Fowl ...) NOT-FOR-US: RSSonate CVE-2006-5517 (Multiple PHP remote file inclusion vulnerabilities in Rhode Island Ope ...) NOT-FOR-US: Open Meetings Filing Application CVE-2006-5516 (Multiple cross-site scripting (XSS) vulnerabilities in actions/userset ...) NOT-FOR-US: WikiNi CVE-2006-5515 (Cross-site scripting (XSS) vulnerability in lib-history.inc.php in php ...) NOT-FOR-US: phpPgAds / phpAdsNew CVE-2006-5514 (SQL injection vulnerability in quiz.php in Web Group Communication Cen ...) NOT-FOR-US: Web Group Communication CVE-2006-5513 (SQL injection vulnerability in GeoNetwork opensource before 2.0.3 allo ...) NOT-FOR-US: GeoNetwork opensource CVE-2005-4814 (Unrestricted file upload vulnerability in Segue CMS before 1.3.6, when ...) NOT-FOR-US: Segue CMS CVE-2006-5740 (Unspecified vulnerability in the LDAP dissector in Wireshark (formerly ...) - wireshark 0.99.4-1 (bug #396258; medium) CVE-2006-5602 (Multiple memory leaks in xsupplicant before 1.2.6, and possibly other ...) - xsupplicant 1.2.4.dfsg.1-3 (bug #396204; medium) CVE-2006-5601 (Stack-based buffer overflow in the eap_do_notify function in eap.c in ...) - xsupplicant 1.2.4.dfsg.1-3 (bug #396204; medium) CVE-2006-XXXX [several possible mysql 5.0 local DoS vulnerabilities] - mysql-dfsg-5.0 5.0.26-1 (low) CVE-2006-5512 (Cross-site scripting (XSS) vulnerability in article.htm in Zwahlen Onl ...) NOT-FOR-US: Zwahlen Online Shop CVE-2006-5511 (Direct static code injection vulnerability in delete.php in JaxUltraBB ...) NOT-FOR-US: JaxUltraBB CVE-2006-5510 (Directory traversal vulnerability in explorer_load_lang.php in PH Pexp ...) NOT-FOR-US: Pexplorer CVE-2006-5509 (Eval injection vulnerability in addentry.php in WoltLab Burning Book 1 ...) NOT-FOR-US: Burning Book CVE-2006-5508 (Multiple SQL injection vulnerabilities in addentry.php in WoltLab Burn ...) NOT-FOR-US: Burning Book CVE-2006-5507 (Multiple PHP remote file inclusion vulnerabilities in Der Dirigent (De ...) NOT-FOR-US: Der Dirigent CVE-2006-5506 (Multiple PHP remote file inclusion vulnerabilities in WiClear 0.10 all ...) NOT-FOR-US: WiClear CVE-2006-5505 (Multiple PHP file inclusion vulnerabilities in 2BGal 3.0 allow remote ...) NOT-FOR-US: 2BGal CVE-2006-5504 (Cross-site scripting (XSS) vulnerability in index.php in Simple Machin ...) NOT-FOR-US: Simple Machines Forum CVE-2006-5503 (Cross-site scripting (XSS) vulnerability in index.php in Simple Machin ...) NOT-FOR-US: Simple Machines Forum CVE-2006-5502 (Heap-based buffer overflow in the AOL.PicDownloadCtrl.1 ActiveX contro ...) NOT-FOR-US: AOL Security Edition CVE-2006-5501 (Buffer overflow in the AOL.PicDownloadCtrl.1 ActiveX control (YGPPicDo ...) NOT-FOR-US: AOL Security Edition CVE-2006-5500 (Multiple SQL injection vulnerabilities in the checkUser function in in ...) NOT-FOR-US: XchangeBoard CVE-2006-5499 (Multiple cross-site scripting (XSS) vulnerabilities in Serendipity (s9 ...) - serendipity 1.0.2-1 CVE-2006-5498 (Directory traversal vulnerability in themes/program/themesettings.inc. ...) NOT-FOR-US: Segue CMS CVE-2006-5497 (PHP remote file inclusion vulnerability in themes/program/themesetting ...) NOT-FOR-US: Segue CMS CVE-2006-5496 (Multiple cross-site scripting (XSS) vulnerabilities in Timothy Claason ...) NOT-FOR-US: Timothy Claason KnowledgeBank CVE-2006-5495 (Multiple PHP remote file inclusion vulnerabilities in Trawler Web CMS ...) NOT-FOR-US: Trawler Web CMS CVE-2006-5494 (Multiple PHP remote file inclusion vulnerabilities in modules/My_eGall ...) NOT-FOR-US: pandaBB for PHP-Nuke CVE-2006-5493 (PHP remote file inclusion vulnerability in template/purpletech/base_in ...) NOT-FOR-US: DigitalHive CVE-2006-5492 (Unspecified vulnerability in Maerys Archive (Maarch) before 2.0.1 allo ...) NOT-FOR-US: Maarch CVE-2006-5491 (Multiple SQL injection vulnerabilities in include/index.php in UltraCM ...) NOT-FOR-US: UltraCMS CVE-2006-5490 (Multiple SQL injection vulnerabilities in Segue Content Management Sys ...) NOT-FOR-US: Segue CMS CVE-2006-5489 (Research in Motion (RIM) BlackBerry Enterprise Server 4.1 SP2 before H ...) NOT-FOR-US: RIM BlackBerry Enterprise Server CVE-2006-5488 (SQL injection vulnerability in XchangeBoard 1.70, and possibly earlier ...) NOT-FOR-US: XchangeBoard CVE-2006-5487 (Directory traversal vulnerability in Marshal MailMarshal SMTP 5.x, 6.x ...) NOT-FOR-US: Marshal MailMarshal SMTP CVE-2006-5486 (Cross-site scripting (XSS) vulnerability in Webmail in Sun Java System ...) NOT-FOR-US: Sun Java System Messaging Server CVE-2006-5485 (Multiple PHP remote file inclusion vulnerabilities in SpeedBerg 1.2bet ...) NOT-FOR-US: SpeedBerg CVE-2006-5484 (SSH Tectia Client/Server/Connector 5.1.0 and earlier, Manager 2.2.0 an ...) NOT-FOR-US: SSH Tectia CVE-2006-5483 (p1003_1b.c in FreeBSD 6.1 allows local users to cause an unspecified d ...) - kfreebsd-5 (low) [etch] - kfreebsd-5 (no security support for freebsd) CVE-2006-5482 (ufs_vnops.c in FreeBSD 6.1 allows local users to cause an unspecified ...) - kfreebsd-5 (low) [etch] - kfreebsd-5 (no security support for freebsd) CVE-2006-5481 (Multiple PHP remote file inclusion vulnerabilities in 2le.net Castor P ...) NOT-FOR-US: Castor CVE-2006-5480 (PHP remote file inclusion vulnerability in lib/rs.php in 2le.net Casto ...) NOT-FOR-US: Castor CVE-2006-5479 (The NCP Engine in Novell eDirectory before 8.7.3.8 FTF1 allows remote ...) NOT-FOR-US: Novell eDirectory CVE-2006-5478 (Multiple stack-based buffer overflows in Novell eDirectory 8.8.x befor ...) NOT-FOR-US: Novell eDirectory CVE-2006-5477 (Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allows form submissi ...) - drupal (Our version of drupal is too old) CVE-2006-5476 (Cross-site request forgery (CSRF) vulnerability in Drupal 4.6.x before ...) - drupal (Our version of drupal is too old) CVE-2006-5475 (Multiple cross-site scripting (XSS) vulnerabilities in the XML parser ...) - drupal (Our version of drupal is too old) CVE-2006-5474 (The "forgot password" function in OneOrZero Helpdesk before 1.6.5.4 ge ...) NOT-FOR-US: OneOrZero Helpdesk CVE-2006-5473 NOT-FOR-US: Softerra PHP Developer Library CVE-2006-5472 (PHP remote file inclusion vulnerability in Softerra PHP Developer Libr ...) NOT-FOR-US: Softerra PHP Developer Library CVE-2006-5471 (PHP remote file inclusion vulnerability in example/lib/grid3.lib.php i ...) NOT-FOR-US: Softerra PHP Developer Library CVE-2006-5470 REJECTED CVE-2006-5469 (Unspecified vulnerability in the WBXML dissector in Wireshark (formerl ...) - wireshark 0.99.4-1 (bug #396258; medium) CVE-2006-5468 (Unspecified vulnerability in the HTTP dissector in Wireshark (formerly ...) - wireshark 0.99.4-1 (bug #396258; medium) CVE-2006-5467 (The cgi.rb CGI library for Ruby 1.8 allows remote attackers to cause a ...) {DSA-1235-1 DSA-1234-1} - ruby1.8 1.8.5-3 (low; bug #398457) - ruby1.9 1.9.0+20070606-1 (low) [etch] - ruby1.9 (Minor issue) CVE-2006-5466 (Heap-based buffer overflow in the showQueryPackage function in librpm ...) - rpm 4.4.1-11 (low; bug #397076) [sarge] - rpm (You need to trust the RPMs you're installing) NOTE: Only hypothetical, far-fetched attacks feasible CVE-2006-5465 (Buffer overflow in PHP before 5.2.0 allows remote attackers to execute ...) {DSA-1206-1} - php4 4:4.4.4-4 (high; bug #396764) - php5 5.1.6-6 (high; bug #396766) CVE-2006-5464 (Multiple unspecified vulnerabilities in the layout engine in Mozilla F ...) {DSA-1227-1 DSA-1225-1 DSA-1224-1} NOTE: MFSA-2006-65 - firefox 45.0-1 (low) - firefox-esr 45.0esr-1 (low) - iceweasel 2.0+dfsg-1 (low) - icedove 1.5.0.8-1 (low) - mozilla (low) - xulrunner 1.8.0.8-1 (low) CVE-2006-5463 (Unspecified vulnerability in Mozilla Firefox before 1.5.0.8, Thunderbi ...) {DSA-1227-1 DSA-1225-1 DSA-1224-1} NOTE: MFSA-2006-67 - firefox 45.0-1 (high) - firefox-esr 45.0esr-1 (high) - iceweasel 2.0+dfsg-1 (high) - icedove 1.5.0.8-1 (medium) - mozilla (high) - xulrunner 1.8.0.8-1 (high) CVE-2006-5462 (Mozilla Network Security Service (NSS) library before 3.11.3, as used ...) {DSA-1227-1 DSA-1225-1 DSA-1224-1} NOTE: MFSA-2006-66 NOTE: this is the similar to CVE-2006-4339, see also CVE-2006-4340 NOTE: the fixes for CVE-2006-4340 were incomplete - firefox 45.0-1 (high) - firefox-esr 45.0esr-1 (high) - iceweasel 2.0+dfsg-1 (high) - icedove 1.5.0.8-1 (medium) - mozilla (high) - xulrunner 1.8.0.8-1 (high) CVE-2006-5461 (Avahi before 0.6.15 does not verify the sender identity of netlink mes ...) - avahi 0.6.15-1 (low) CVE-2006-XXXX [diffmon information leakage] - diffmon 20020222-2.2 (bug #382132) CVE-2006-5460 NOT-FOR-US: phpht Topsites CVE-2006-5459 (Multiple PHP remote file inclusion vulnerabilities in Download-Engine ...) NOT-FOR-US: Download-Engine CVE-2006-5458 (PHP remote file inclusion vulnerability in common.php in Hinton Design ...) NOT-FOR-US: phpht Topsites CVE-2006-5457 (Multiple cross-site scripting (XSS) vulnerabilities in the registratio ...) NOT-FOR-US: Casino Script (Masvet) CVE-2006-5456 (Multiple buffer overflows in GraphicsMagick before 1.1.7 and ImageMagi ...) {DSA-1213} - graphicsmagick 1.1.7-9 (medium) - imagemagick 7:6.2.4.5.dfsg1-0.11 (bug #393025) CVE-2006-5455 (Cross-site request forgery (CSRF) vulnerability in editversions.cgi in ...) - bugzilla 2.22.1-1 (bug #395094; low) [sarge] - bugzilla (CSRF infrastructure not present, too intrusive to backport) CVE-2006-5454 (Bugzilla 2.18.x before 2.18.6, 2.20.x before 2.20.3, 2.22.x before 2.2 ...) - bugzilla 2.22.1-1 (bug #395094; low) [sarge] - bugzilla (Vulnerable code not present) CVE-2006-5453 (Multiple cross-site scripting (XSS) vulnerabilities in Bugzilla 2.18.x ...) {DSA-1208-1} - bugzilla 2.22.1-1 (bug #395094; low) CVE-2006-5452 (Buffer overflow in dtmail on HP Tru64 UNIX 4.0F through 5.1B and HP-UX ...) NOT-FOR-US: HP Tru64 CVE-2006-5451 (Multiple cross-site scripting (XSS) vulnerabilities in TorrentFlux 2.1 ...) - torrentflux 2.1-5 (bug #395099; low) CVE-2006-5450 (SQL injection vulnerability in index.asp in Kinesis Interactive Cinema ...) NOT-FOR-US: Kinesis Interactive Cinema System (KICS) CMS CVE-2006-5449 (procmail in Ingo H3 before 1.1.2 Horde module allows remote authentica ...) {DSA-1204-1} - ingo1 1.1.2-1 (bug #396099) CVE-2006-5448 (The drmstor.dll ActiveX object in Microsoft Windows Digital Rights Man ...) NOT-FOR-US: Microsoft CVE-2006-5447 (Cross-site scripting (XSS) vulnerability in index.php in DEV Web Manag ...) NOT-FOR-US: DEV Web Management System (WMS) CVE-2006-5446 (SQL injection vulnerability in lobby/config.php in Casinosoft Casino S ...) NOT-FOR-US: Casinosoft Casino Script (aka Masvet) CVE-2006-5445 (Unspecified vulnerability in the SIP channel driver (channels/chan_sip ...) - asterisk 1:1.2.13~dfsg-1 (medium; bug #395080) CVE-2006-5444 (Integer overflow in the get_input function in the Skinny channel drive ...) {DSA-1229-1} - asterisk 1:1.2.13~dfsg-1 (medium; bug #395080; bug #394025) CVE-2006-5443 (Unspecified vulnerability in XIAO Gang WWW Interactive Mathematics Ser ...) - wims 3.60-1 (bug #395102) CVE-2006-5442 (ViewVC 1.0.2 and earlier does not specify a charset in its HTTP header ...) - viewvc 1.0.3-1 (medium; bug #397669) CVE-2006-5441 (PHP remote file inclusion vulnerability in adminfoot.php in Comdev Web ...) NOT-FOR-US: Comdev Web Blogger CVE-2006-5440 (PHP remote file inclusion vulnerability in adminfoot.php in Comdev For ...) NOT-FOR-US: Comdev Web Blogger CVE-2006-5439 (PHP remote file inclusion vulnerability in adminfoot.php in Comdev Mis ...) NOT-FOR-US: Comdev Web Blogger CVE-2006-5438 (PHP remote file inclusion vulnerability in adminfoot.php in Comdev For ...) NOT-FOR-US: Comdev Web Blogger CVE-2006-5437 NOT-FOR-US: phpAdsNew CVE-2006-5436 (PHP remote file inclusion vulnerability in index.php in FreeFAQ 1.0.e ...) NOT-FOR-US: FreeFAQ CVE-2006-5435 - phpbb2 (not vulnerable) CVE-2006-5434 (PHP remote file inclusion vulnerability in p-news.php in P-News 1.16 a ...) NOT-FOR-US: P-News CVE-2006-5433 (PHP remote file inclusion vulnerability in modules/guestbook/index.php ...) NOT-FOR-US: ALiCE-CMS CVE-2006-5432 (Multiple direct static code injection vulnerabilities in db/txt.inc.ph ...) NOT-FOR-US: phpPowerCards CVE-2006-5431 (PHP remote file inclusion vulnerability in gorum/dbproperty.php in PHP ...) NOT-FOR-US: PHPOutsourcing Zorum CVE-2006-5430 (Cross-site scripting (XSS) vulnerability in the search functionality i ...) NOT-FOR-US: db-central (dbc) Enterprise CMS CVE-2006-5429 (Multiple PHP remote file inclusion vulnerabilities in Barry Nauta BRIM ...) NOT-FOR-US: BRIM CVE-2006-5428 (rpc.php in Cerberus Helpdesk 3.2.1 does not verify a client's privileg ...) NOT-FOR-US: Cerberus Helpdesk CVE-2006-5427 (PHP remote file inclusion vulnerability in plugins/main.php in Php AMX ...) NOT-FOR-US: Php AMX CVE-2006-5426 (PHP remote file inclusion vulnerability in lib/lcUser.php in LoCal Cal ...) NOT-FOR-US: LoCal Calendar System CVE-2006-5425 (XORP (eXtensible Open Router Platform) 1.2 and 1.3 allows remote attac ...) NOT-FOR-US: XORP (eXtensible Open Router Platform) CVE-2006-5424 (Unspecified vulnerability in Justsystem Ichitaro 2006, 2006 trial vers ...) NOT-FOR-US: Justsystem Ichitaro CVE-2006-5423 (PHP remote file inclusion vulnerability in admin/admin_module.php in L ...) NOT-FOR-US: Lou Portail CVE-2006-5422 (PHP remote file inclusion vulnerability in calcul-page.php in Lodel (p ...) NOT-FOR-US: Lodel CVE-2006-5421 (WSN Forum 1.3.4 and earlier allows remote attackers to execute arbitra ...) NOT-FOR-US: WSN Forum CVE-2006-5420 (Kerio WinRoute Firewall 6.2.2 and earlier allows remote attackers to c ...) NOT-FOR-US: Kerio WinRoute Firewall CVE-2006-5419 (PHP remote file inclusion vulnerability in client.php in University of ...) NOT-FOR-US: Specimen Image Database (SID) CVE-2006-5418 (PHP remote file inclusion vulnerability in archive/archive_topic.php i ...) NOT-FOR-US: pbpbb archive for search engines (SearchIndexer) (aka phpBBSEI) for phpBB CVE-2006-5417 (McAfee Network Agent (mcnasvc.exe) 1.0.178.0, as used by multiple McAf ...) NOT-FOR-US: McAfee CVE-2006-5416 (Cross-site scripting (XSS) vulnerability in my.acctab.php3 in F5 Netwo ...) NOT-FOR-US: F5 CVE-2006-5415 (PHP remote file inclusion vulnerability in includes/functions_newshr.p ...) NOT-FOR-US: News Defilante Horizontale CVE-2006-5414 (Barry Nauta BRIM before 1.2.1 allows remote authenticated users to rea ...) NOT-FOR-US: Barry Nauta BRIM CVE-2006-5413 (Multiple PHP remote file inclusion vulnerabilities in SuperMod 3.0.0 f ...) NOT-FOR-US: SuperMod for YABB (YaBBSM) CVE-2006-5412 (admin.php in PHP Outburst Easynews 4.4.1 and earlier, when register_gl ...) NOT-FOR-US: PHP Outburst Easynews CVE-2006-5411 (Unrestricted file upload vulnerability in upload.php for Free Web Publ ...) NOT-FOR-US: Free Web Publishing System (FreeWPS) CVE-2006-5410 (PHP remote file inclusion vulnerability in templates/tmpl_dfl/scripts/ ...) NOT-FOR-US: BoonEx Dolphin CVE-2006-5409 (Multiple SQL injection vulnerabilities in the wireless IDS management ...) NOT-FOR-US: Highwall Enterprise and Highwall Endpoint CVE-2006-5408 (Multiple cross-site scripting (XSS) vulnerabilities in the wireless ID ...) NOT-FOR-US: Highwall Enterprise and Highwall Endpoint CVE-2006-5407 (PHP remote file inclusion vulnerability in open_form.php in osTicket a ...) NOT-FOR-US: osTicket CVE-2006-5406 (Passgo Defender 5.2 creates the application directory with insecure pe ...) NOT-FOR-US: Passgo Defender CVE-2006-5405 (Unspecified vulnerability in Toshiba Bluetooth wireless device driver ...) NOT-FOR-US: Toshiba Bluetooth wireless device driver CVE-2006-5404 (Unspecified vulnerability in an ActiveX control used in Symantec Autom ...) NOT-FOR-US: Symantec CVE-2006-5403 (Stack-based buffer overflow in an ActiveX control used in Symantec Aut ...) NOT-FOR-US: Symantec CVE-2006-5402 (Multiple PHP remote file inclusion vulnerabilities in PHPmybibli 3.0.1 ...) NOT-FOR-US: PHPMyBibli CVE-2006-5401 (PHP remote file inclusion vulnerability in template/barnraiser_01/p_ne ...) NOT-FOR-US: AROUNDMe CVE-2006-5400 (PHP remote file inclusion vulnerability in forum/track.php in CyberBra ...) NOT-FOR-US: CyberBrau CVE-2006-5399 (PHP remote file inclusion vulnerability in classes/Import_MM.class.php ...) NOT-FOR-US: PHPRecipeBook CVE-2006-5398 (SQL injection vulnerability in comments.php in Simplog 0.9.3.1 allows ...) NOT-FOR-US: Simplog CVE-2006-5397 (The Xinput module (modules/im/ximcp/imLcIm.c) in X.Org libX11 1.0.2 an ...) - libx11 2:1.0.3-3 (low; bug #398460) CVE-2006-5396 (The tcp_fuse_rcv_drain function in the Sun Solaris 10 kernel before 20 ...) NOT-FOR-US: Sun Solaris CVE-2006-5395 (Buffer overflow in Microsoft Class Package Export Tool (aka clspack.ex ...) NOT-FOR-US: Microsoft CVE-2006-5394 (The default configuration of Cisco Secure Desktop (CSD) has an uncheck ...) NOT-FOR-US: Cisco CVE-2006-5393 (Cisco Secure Desktop (CSD) does not require that the ClearPageFileAtSh ...) NOT-FOR-US: Cisco CVE-2006-5392 (Multiple PHP remote file inclusion vulnerabilities in OpenDock FullCor ...) NOT-FOR-US: OpenDock FullCore CVE-2006-5391 (Xfire 1.64 and earlier allows remote attackers to cause a denial of se ...) NOT-FOR-US: Xfire CVE-2006-5390 (PHP remote file inclusion vulnerability in includes/functions_mod_user ...) NOT-FOR-US: ACP User Registration (MMW) module for phpBB CVE-2006-5389 (tools/tellhim.php in PHP-Wyana allows remote attackers to obtain sensi ...) NOT-FOR-US: PHP-Wyana CVE-2006-5388 (SQL injection vulnerability in index.php in WebSPELL 4.01.01 and earli ...) NOT-FOR-US: WebSPELL CVE-2006-5387 (PHP remote file inclusion vulnerability in mods/iai/includes/constants ...) NOT-FOR-US: PlusXL phpBB module CVE-2006-5386 (PHP remote file inclusion vulnerability in process.php in NuralStorm W ...) NOT-FOR-US: NuralStorm Webmail CVE-2006-5385 (PHP remote file inclusion vulnerability in admin/admin_spam.php in the ...) NOT-FOR-US: SpamOborona phpBB module CVE-2006-5384 (PHP remote file inclusion vulnerability in modification/SendAlertEmail ...) NOT-FOR-US: CDS Agenda CVE-2006-5383 (SQL injection vulnerability in comadd.php in Def-Blog 1.0.1 and earlie ...) NOT-FOR-US: Def-Blog CVE-2006-5382 (3Com Switch SS3 4400 switches, firmware 5.11, 6.00 and 6.10 and earlie ...) NOT-FOR-US: 3Com CVE-2003-1307 NOTE: More of an apache flaw than a php flaw. And just one more reason NOTE: why you have lost as soon as an attacker can execute arbitrary NOTE: php scripts. NOTE: http://www.securityfocus.com/bid/9302 NOTE: Probably an unfixable design flaw. But if you can execute a malicious NOTE: program, you can do $BADSTUFF anyway. - apache (unimportant) - apache2 (unimportant) CVE-2006-XXXX [unspecified steam cache vulnerability] - steam (affects the old steam environment for corporate knowledge management package shipped in lenny and before, not the new Valve steam package) CVE-2006-5381 (Contenido CMS stores sensitive data under the web root with insufficie ...) NOT-FOR-US: Contenido CMS CVE-2006-5380 NOT-FOR-US: Contenido CMS CVE-2006-5379 (The accelerated rendering functionality of NVIDIA Binary Graphics Driv ...) - nvidia-graphics-drivers 1.0.8776-1 (bug #393573) [sarge] - nvidia-graphics-drivers (1.0.7174 not affected) NOTE: see http://nvidia.custhelp.com/cgi-bin/nvidia.cfg/php/enduser/std_adp.php?p_faqid=1971 CVE-2006-5378 (Unspecified vulnerability in JD Edwards HTML Server in JD Edwards Ente ...) NOT-FOR-US: EnterpriseOne CVE-2006-5377 (Unspecified vulnerability in PeopleSoft component in Oracle PeopleSoft ...) NOT-FOR-US: PeopleSoft CVE-2006-5376 (Multiple unspecified vulnerabilities in PeopleTools component in Oracl ...) NOT-FOR-US: PeopleSoft CVE-2006-5375 (Multiple unspecified vulnerabilities in PeopleTools component in Oracl ...) NOT-FOR-US: PeopleSoft CVE-2006-5374 (Unspecified vulnerability in Oracle Pharmaceutical Applications 4.5.1 ...) NOT-FOR-US: Oracle CVE-2006-5373 (Unspecified vulnerability in Oracle Install Base component in Oracle E ...) NOT-FOR-US: Oracle CVE-2006-5372 (Multiple unspecified vulnerabilities in Oracle E-Business Suite 11.5.1 ...) NOT-FOR-US: Oracle CVE-2006-5371 (Unspecified vulnerability in Oracle Email Center component in Oracle E ...) NOT-FOR-US: Oracle CVE-2006-5370 (Multiple unspecified vulnerabilities in Oracle E-Business Suite 11.5.1 ...) NOT-FOR-US: Oracle CVE-2006-5369 (Unspecified vulnerability in Oracle Application Object Library in Orac ...) NOT-FOR-US: Oracle CVE-2006-5368 (Unspecified vulnerability in Oracle Exchange component in Oracle E-Bus ...) NOT-FOR-US: Oracle CVE-2006-5367 (Multiple unspecified vulnerabilities in Oracle E-Business Suite 11.5.7 ...) NOT-FOR-US: Oracle CVE-2006-5366 (Multiple unspecified vulnerabilities in Oracle Collaboration Suite 9.0 ...) NOT-FOR-US: Oracle CVE-2006-5365 (Unspecified vulnerability in Oracle Forms in Oracle Application Server ...) NOT-FOR-US: Oracle CVE-2006-5364 (Unspecified vulnerability in Oracle Containers for J2EE component in O ...) NOT-FOR-US: Oracle CVE-2006-5363 (Unspecified vulnerability in Oracle Single Sign-On component in Oracle ...) NOT-FOR-US: Oracle CVE-2006-5362 (Unspecified vulnerability in Oracle Containers for J2EE component in O ...) NOT-FOR-US: Oracle CVE-2006-5361 (Unspecified vulnerability in Oracle Containers for J2EE in Oracle Appl ...) NOT-FOR-US: Oracle CVE-2006-5360 (Unspecified vulnerability in Oracle Forms component in Oracle Applicat ...) NOT-FOR-US: Oracle CVE-2006-5359 (Multiple unspecified vulnerabilities in Oracle Reports Developer compo ...) NOT-FOR-US: Oracle CVE-2006-5358 (Unspecified vulnerability in Oracle Forms component in Oracle Applicat ...) NOT-FOR-US: Oracle CVE-2006-5357 (Unspecified vulnerability in Oracle HTTP Server component in Oracle Ap ...) NOT-FOR-US: Oracle CVE-2006-5356 (Unspecified vulnerability in Oracle Containers for J2EE component in O ...) NOT-FOR-US: Oracle CVE-2006-5355 (Unspecified vulnerability in Oracle Single Sign-On component in Oracle ...) NOT-FOR-US: Oracle CVE-2006-5354 (Unspecified vulnerability in Oracle HTTP Server 9.2.0.7 and 10.1.0.5, ...) NOT-FOR-US: Oracle CVE-2006-5353 (Unspecified vulnerability in Oracle HTTP Server component in Oracle Ap ...) NOT-FOR-US: Oracle CVE-2006-5352 (Multiple unspecified vulnerabilities in Oracle Application Express 1.5 ...) NOT-FOR-US: Oracle CVE-2006-5351 (Multiple unspecified vulnerabilities in Oracle Application Express (fo ...) NOT-FOR-US: Oracle CVE-2006-5350 (Unspecified vulnerability in Oracle HTTP Server 9.2.0.7 and Oracle E-B ...) NOT-FOR-US: Oracle CVE-2006-5349 (Unspecified vulnerability in Oracle HTTP Server 9.2.0.7, when running ...) NOT-FOR-US: Oracle CVE-2006-5348 (Unspecified vulnerability in Oracle HTTP Server 9.2.0.7, Oracle Collab ...) NOT-FOR-US: Oracle CVE-2006-5347 (Unspecified vulnerability in Oracle HTTP Server 9.2.0.7 and Oracle Col ...) NOT-FOR-US: Oracle CVE-2006-5346 (Unspecified vulnerability in Oracle HTTP Server 9.2.0.7, as used in Or ...) NOT-FOR-US: Oracle CVE-2006-5345 (Unspecified vulnerability in Oracle Spatial component in Oracle Databa ...) NOT-FOR-US: Oracle CVE-2006-5344 (Multiple unspecified vulnerabilities in Oracle Spatial component in Or ...) NOT-FOR-US: Oracle CVE-2006-5343 (Unspecified vulnerability in Database Scheduler component in Oracle Da ...) NOT-FOR-US: Oracle CVE-2006-5342 (Unspecified vulnerability in Oracle Spatial component in Oracle Databa ...) NOT-FOR-US: Oracle CVE-2006-5341 (Multiple unspecified vulnerabilities in XMLDB component in Oracle Data ...) NOT-FOR-US: Oracle CVE-2006-5340 (Multiple unspecified vulnerabilities in Oracle Spatial component in Or ...) NOT-FOR-US: Oracle CVE-2006-5339 (Unspecified vulnerability in Oracle Spatial component in Oracle Databa ...) NOT-FOR-US: Oracle CVE-2006-5338 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle CVE-2006-5337 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle CVE-2006-5336 (Multiple unspecified vulnerabilities in the Change Data Capture (CDC) ...) NOT-FOR-US: Oracle CVE-2006-5335 (Multiple unspecified vulnerabilities in Oracle Database 10.1.0.5 and 1 ...) NOT-FOR-US: Oracle CVE-2006-5334 (Unspecified vulnerability in Oracle Spatial component in Oracle Databa ...) NOT-FOR-US: Oracle CVE-2006-5333 (Unspecified vulnerability in Oracle Spatial component in Oracle Databa ...) NOT-FOR-US: Oracle CVE-2006-5332 (Unspecified vulnerability in xdb.dbms_xdbz in the XMLDB component for ...) NOT-FOR-US: Oracle CVE-2006-5331 (The altivec_unavailable_exception function in arch/powerpc/kernel/trap ...) - linux (Fixed before src:linux-2.6 -> src:linux rename) NOTE: Fixed by: https://git.kernel.org/linus/6c4841c2b6c32a134f9f36e5e08857138cc12b10 (2.6.19-rc3) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=213229 CVE-2006-5330 (CRLF injection vulnerability in Adobe Flash Player plugin 9.0.16 and e ...) - flashplugin-nonfree 9.0.31.0.1 (bug #402822; medium) NOTE: It is not clear if this is already fix in 9.0.21.78.X (previous version) NOTE: or not but it's fix in 9.0.31.0.1 for sure. [sarge] - flashplugin-nonfree (Contrib not supported, only installer package) [etch] - flashplugin-nonfree (Contrib not supported, only installer package) CVE-2006-5329 REJECTED CVE-2006-5328 (OpenBase SQL 10.0 and earlier, as used in Apple Xcode 2.2 2.2 and earl ...) NOT-FOR-US: OpenBase SQL CVE-2006-5327 (Untrusted search path vulnerability in OpenBase SQL 10.0 and earlier, ...) NOT-FOR-US: OpenBase SQL CVE-2006-5326 (PHP remote file inclusion vulnerability in language/lang/lang_contact_ ...) NOT-FOR-US: Prillian French module for phpBB CVE-2006-5325 (Multiple PHP remote file inclusion vulnerabilities in Dimitri Seitz Se ...) NOT-FOR-US: dwingmods for phpBB CVE-2006-5324 (The Web Services Notification (WSN) security component of IBM WebSpher ...) NOT-FOR-US: IBM WebSphere CVE-2006-5323 (Unspecified vulnerability in IBM WebSphere Application Server before 6 ...) NOT-FOR-US: IBM WebSphere CVE-2006-5322 (Multiple SQL injection vulnerabilities in phplist before 2.10.3 allow ...) - phplist (bug #612288) CVE-2006-5321 (Multiple cross-site scripting (XSS) vulnerabilities in phplist before ...) - phplist (bug #612288) CVE-2006-5320 (Directory traversal vulnerability in getimg.php in Album Photo Sans No ...) NOT-FOR-US: Album Photo Sans Nom CVE-2006-5319 (Directory traversal vulnerability in redir.php in Foafgen 0.3 allows r ...) NOT-FOR-US: Foafgen CVE-2006-5318 (PHP remote file inclusion vulnerability in index.php in Nayco JASmine ...) NOT-FOR-US: Nayco JASmine CVE-2006-5317 (PHP remote file inclusion vulnerability in index.php in eboli allows r ...) NOT-FOR-US: eboli CVE-2006-5316 (registroTL stores sensitive information under the web root with insuff ...) NOT-FOR-US: registroTL CVE-2006-5315 (PHP remote file inclusion vulnerability in main.php in registroTL allo ...) NOT-FOR-US: registroTL CVE-2006-5314 (PHP remote file inclusion vulnerability in ftag.php in TribunaLibre 3. ...) NOT-FOR-US: TribunaLibre CVE-2006-5313 (Hastymail 1.5 and earlier before 20061008 allows remote authenticated ...) - hastymail CVE-2006-5312 (PHP remote file inclusion vulnerability in shoutbox.php in the Ajax Sh ...) NOT-FOR-US: Ajax Shoutbox CVE-2006-5311 (PHP remote file inclusion vulnerability in includes/archive/archive_to ...) NOT-FOR-US: Buzlas CVE-2006-5310 (PHP remote file inclusion vulnerability in common/visiteurs/include/me ...) NOT-FOR-US: phpMyConferences CVE-2006-5309 (PHP remote file inclusion vulnerability in language/lang_french/lang_p ...) NOT-FOR-US: Prillian French module for phpBB CVE-2006-5308 (Multiple PHP remote file inclusion vulnerabilities in Open Conference ...) NOT-FOR-US: Open Conference Systems CVE-2006-5307 (Multiple PHP remote file inclusion vulnerabilities in AFGB GUESTBOOK 2 ...) NOT-FOR-US: AFGB GUESTBOOK CVE-2006-5306 (Multiple PHP remote file inclusion vulnerabilities in the Journals Sys ...) NOT-FOR-US: Journals System module for phpBB CVE-2006-5305 (PHP remote file inclusion vulnerability in lat2cyr.php in the lat2cyr ...) NOT-FOR-US: lat2cyr CVE-2006-5304 (PHP remote file inclusion vulnerability in inc/settings.php in IncCMS ...) NOT-FOR-US: IncCMS Core CVE-2006-5303 (Secure Computing SafeWord RemoteAccess 2.1 allows local users to obtai ...) NOT-FOR-US: Secure Computing SafeWord RemoteAccess CVE-2006-5302 (Multiple PHP remote file inclusion vulnerabilities in Redaction System ...) NOT-FOR-US: Redaction System CVE-2006-5301 (PHP remote file inclusion vulnerability in includes/antispam.php in th ...) NOT-FOR-US: SpamBlockerMODv module for phpBB CVE-2006-5300 (Unspecified vulnerability in HP Version Control Agent before 2.1.5 all ...) NOT-FOR-US: HP CVE-2006-5299 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Gc ...) NOT-FOR-US: Gcontact CVE-2006-5298 (The mutt_adv_mktemp function in the Mutt mail client 1.5.12 and earlie ...) - mutt 1.5.13-1.1 (bug #396104; low) [sarge] - mutt (Minor issue, tmp dirs on NFS cause problems in many scenarios) CVE-2006-5297 (Race condition in the safe_open function in the Mutt mail client 1.5.1 ...) - mutt 1.5.13-1.1 (bug #396104; low) [sarge] - mutt (Minor issue, tmp dirs on NFS cause problems in many scenarios) CVE-2006-5296 (PowerPoint in Microsoft Office 2003 does not properly handle a contain ...) NOT-FOR-US: Microsoft CVE-2006-5294 (Cross-site scripting (XSS) vulnerability in index.php in phplist befor ...) - phplist (bug #612288) CVE-2006-5293 (Cross-site scripting (XSS) vulnerability in index.php in PhpOutsourcin ...) NOT-FOR-US: PhpOutsourcing Noah's Classifieds CVE-2006-5292 (PHP remote file inclusion vulnerability in photo_comment.php in Exhibi ...) NOT-FOR-US: Exhibit Engine CVE-2006-5291 (PHP remote file inclusion vulnerability in admin/includes/spaw/spaw_co ...) NOT-FOR-US: Download-Engine CVE-2006-5290 (The ESS/ Network Controller and MicroServer Web Server components of X ...) NOT-FOR-US: Xerox WorkCentre CVE-2006-5289 (Multiple PHP remote file inclusion vulnerabilities in Vtiger CRM 4.2 a ...) NOT-FOR-US: Vtiger CRM CVE-2006-5288 (Cisco 2700 Series Wireless Location Appliances before 2.1.34.0 have a ...) NOT-FOR-US: Cisco CVE-2006-5287 (Multiple SQL injection vulnerabilities in sign.php in Xeobook 0.93 all ...) NOT-FOR-US: Xeobook CVE-2006-5286 (Unspecified vulnerability in IKE.NLM in Novell BorderManager 3.8 allow ...) NOT-FOR-US: Novell BorderManager CVE-2006-5285 (SQL injection vulnerability in index.php in XeoPort 0.81, and possibly ...) NOT-FOR-US: XeoPort CVE-2006-5284 (PHP remote file inclusion vulnerability in auth/phpbb.inc.php in Shen ...) NOT-FOR-US: PHP News Reader (aka pnews) CVE-2006-5283 (PHP remote file inclusion vulnerability in ftag.php in Minichat 6.0 al ...) NOT-FOR-US: Minichat CVE-2006-5282 (Multiple PHP remote file inclusion vulnerabilities in SH-News 3.1 and ...) NOT-FOR-US: SH-News CVE-2006-5281 (PHP remote file inclusion vulnerability in naboard_pnr.php in n@board ...) NOT-FOR-US: n@board CVE-2006-5280 (PHP remote file inclusion vulnerability in includes/import-archive.php ...) NOT-FOR-US: communityPortals CVE-2006-5279 RESERVED CVE-2006-5278 (Integer overflow in the Real-Time Information Server (RIS) Data Collec ...) NOT-FOR-US: Cisco CVE-2006-5277 (Off-by-one error in the Certificate Trust List (CTL) Provider service ...) NOT-FOR-US: Cisco CVE-2006-5276 (Stack-based buffer overflow in the DCE/RPC preprocessor in Snort befor ...) - snort (snort versions 2.3.x do not contain the DCE RPC preprocessor) CVE-2006-5275 RESERVED CVE-2006-5274 (Integer overflow in McAfee ePolicy Orchestrator 3.5 through 3.6.1, Pro ...) NOT-FOR-US: McAfee CVE-2006-5273 (Heap-based buffer overflow in McAfee ePolicy Orchestrator 3.5 through ...) NOT-FOR-US: McAfee CVE-2006-5272 (Stack-based buffer overflow in McAfee ePolicy Orchestrator 3.5 through ...) NOT-FOR-US: McAfee CVE-2006-5271 (Integer underflow in McAfee ePolicy Orchestrator 3.5 through 3.6.1, Pr ...) NOT-FOR-US: McAfee CVE-2006-5270 (Integer overflow in the Microsoft Malware Protection Engine (mpengine. ...) NOT-FOR-US: Microsoft CVE-2006-5269 (Heap-based buffer overflow in an unspecified procedure in Trend Micro ...) NOT-FOR-US: Trend Micro CVE-2006-5268 (Unspecified vulnerability in Trend Micro ServerProtect 5.7 and 5.58 al ...) NOT-FOR-US: Trend Micro CVE-2006-5267 RESERVED CVE-2006-5266 (Multiple buffer overflows in Microsoft Dynamics GP (formerly Great Pla ...) NOT-FOR-US: Microsoft issue CVE-2006-5265 (Unspecified vulnerability in Microsoft Dynamics GP (formerly Great Pla ...) NOT-FOR-US: Microsoft issue CVE-2006-5264 (Cross-site scripting (XSS) vulnerability in sql.php in MysqlDumper 1.2 ...) NOT-FOR-US: MysqlDumper CVE-2006-5263 (Directory traversal vulnerability in templates/header.php3 in phpMyAge ...) NOT-FOR-US: phpMyAgenda CVE-2006-5262 (CRLF injection vulnerability in lib/session.php in Hastymail 1.5 and e ...) - hastymail CVE-2006-5261 (Multiple PHP remote file inclusion vulnerabilities in PHPMyNews 1.4 an ...) NOT-FOR-US: PHPMyNews CVE-2006-5260 (PHP remote file inclusion vulnerability in compteur.php in Compteur 2 ...) NOT-FOR-US: Compteur 2 CVE-2006-5259 (PHP remote file inclusion vulnerability in param_editor.php in Compteu ...) NOT-FOR-US: Compteur 2 CVE-2006-5258 (The spell checking component of (1) Asbru Web Content Management befor ...) NOT-FOR-US: Asbru Web Content Management CVE-2006-5257 (PHP remote file inclusion vulnerability in modules/forum/include/confi ...) NOT-FOR-US: Ciamos Content Management System CVE-2006-5256 (PHP remote file inclusion vulnerability in claroline/inc/lib/import.li ...) NOT-FOR-US: Claroline CVE-2006-5255 NOT-FOR-US: gCards CVE-2006-5254 (PHP remote file inclusion vulnerability in registration_detailed.inc.p ...) NOT-FOR-US: Detailed User Registration (com_registration_detailed), aka regdetailed CVE-2006-5253 (PHP remote file inclusion vulnerability in strload.php in Dayana Netwo ...) NOT-FOR-US: phpOnline (aka PHP-Online) CVE-2006-5252 (PHP remote file inclusion vulnerability in includes/core.lib.php in We ...) NOT-FOR-US: Webmedia Explorer CVE-2006-5251 (PHP remote file inclusion vulnerability in index.php in Deep CMS 2.0a ...) NOT-FOR-US: Deep CMS CVE-2006-5250 (PHP remote file inclusion vulnerability in lib/googlesearch/GoogleSear ...) NOT-FOR-US: BlueShoes CVE-2006-5249 (PHP remote file inclusion vulnerability in tagmin/delTagUser.php in Ta ...) NOT-FOR-US: TagIt! Tagboard CVE-2006-5248 (Eazy Cart stores sensitive information under the web root with insuffi ...) NOT-FOR-US: Eazy Cart CVE-2006-5247 (Multiple cross-site scripting (XSS) vulnerabilities in Eazy Cart allow ...) NOT-FOR-US: Eazy Cart CVE-2006-5246 (Eazy Cart allows remote attackers to change prices and other critical ...) NOT-FOR-US: Eazy Cart CVE-2006-5245 (Eazy Cart allows remote attackers to bypass authentication and gain ad ...) NOT-FOR-US: Eazy Cart CVE-2006-5244 (Multiple PHP remote file inclusion vulnerabilities in OpenDock Easy Bl ...) NOT-FOR-US: Easy Blog CVE-2006-5243 (Multiple PHP remote file inclusion vulnerabilities in OpenDock Easy Do ...) NOT-FOR-US: Easy Blog CVE-2006-5242 (SQL injection vulnerability in Etomite Content Management System (CMS) ...) NOT-FOR-US: Etomite Content Management System CVE-2006-5241 (Multiple PHP remote file inclusion vulnerabilities in OpenDock Easy Ga ...) NOT-FOR-US: Easy Gallery CVE-2006-5240 (PHP remote file inclusion vulnerability in engine/require.php in Docmi ...) NOT-FOR-US: Docmint CVE-2006-5239 (Multiple cross-site scripting (XSS) vulnerabilities in eXpBlog 0.3.5 a ...) NOT-FOR-US: eXpBlog CVE-2006-5238 (Unspecified vulnerability in the file upload module in Blue Smiley Org ...) NOT-FOR-US: Blue Smiley Organizer CVE-2006-5237 (SQL injection vulnerability in Blue Smiley Organizer before 4.46 allow ...) NOT-FOR-US: Blue Smiley Organizer CVE-2006-5236 (SQL injection vulnerability in search.php in 4images 1.7.x allows remo ...) NOT-FOR-US: 4images CVE-2006-5235 (PHP remote file inclusion vulnerability in includes/functions_kb.php i ...) NOT-FOR-US: Dimension of phpBB CVE-2006-5234 NOT-FOR-US: phpWebSite CVE-2006-5233 (Polycom SoundPoint IP 301 VoIP Desktop Phone, firmware version 1.4.1.0 ...) NOT-FOR-US: Polycom SoundPoint IP 301 VoIP Desktop Phone CVE-2006-5232 NOT-FOR-US: iSearch CVE-2006-5231 (Grandstream GXP-2000 VoIP Desktop Phone, firmware version 1.1.0.5, all ...) NOT-FOR-US: Grandstream GXP-2000 VoIP Desktop Phone CVE-2006-5230 (PHP remote file inclusion vulnerability in forum.php in FreeForum 0.9. ...) NOT-FOR-US: FreeForum CVE-2006-5295 (Unspecified vulnerability in ClamAV before 0.88.5 allows remote attack ...) {DSA-1196-1} - clamav 0.88.5-1 (high; bug #393445) CVE-2006-5229 (OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and v ...) NOTE: This issues depends on the stack of selected authentication modules, while NOTE: some are resilient against such timing attacks, some aren't NOTE: This is inside responsibility of an admin CVE-2006-5228 (Multiple SQL injection vulnerabilities in the Google Gadget login.php ...) NOT-FOR-US: ackerTodo CVE-2006-5227 (Cross-site scripting (XSS) vulnerability in admin.php in TorrentFlux 2 ...) - torrentflux 2.1-4 (bug #392501; low) CVE-2006-5226 (PHP remote file inclusion vulnerability in moteur/moteur.php in Prolog ...) NOT-FOR-US: Freenews CVE-2006-5225 (Multiple SQL injection vulnerabilities in AAIportal before 1.4.0 allow ...) NOT-FOR-US: AAIportal CVE-2006-5224 (PHP remote file inclusion vulnerability in includes/logger_engine.php ...) NOT-FOR-US: Security Suite IP Logger in dwingmods for phpBB CVE-2006-5223 (PHP remote file inclusion vulnerability in includes/functions_user_vie ...) NOT-FOR-US: User Viewed Posts Tracker module for phpBB CVE-2006-5222 (Multiple PHP remote file inclusion vulnerabilities in Dimension of php ...) NOT-FOR-US: Dimension of phpBB CVE-2006-5221 (Multiple SQL injection vulnerabilities in Cahier de texte 2.0 allow re ...) NOT-FOR-US: Cahier de textes CVE-2006-5220 (Multiple PHP remote file inclusion vulnerabilities in WebYep 1.1.9, wh ...) NOT-FOR-US: WebYep CVE-2006-5219 (SQL injection vulnerability in blog/index.php in the blog module in Mo ...) - moodle 1.6.2+20060930-1 (medium; bug #390294) [sarge] - moodle (Vulnerable code not present) CVE-2006-5218 (Integer overflow in the systrace_preprepl function (STRIOCREPLACE) in ...) NOT-FOR-US: systrace in OpenBSD and NetBSD CVE-2006-5217 (SQL injection vulnerability in giris_yap.asp in Emek Portal 2.1 allows ...) NOT-FOR-US: Emek Portal CVE-2006-5216 (Stack-based buffer overflow in Sergey Lyubka Simple HTTPD (shttpd) 1.3 ...) NOT-FOR-US: Simple HTTPD CVE-2006-5215 (The Xsession script, as used by X Display Manager (xdm) in NetBSD befo ...) - xdm 1:1.0.5-1 (low) [sarge] - xfree86 (Minor issue) NOTE: probably fixed earlier than 1:1.0.5 CVE-2006-5214 (Race condition in the Xsession script, as used by X Display Manager (x ...) - xdm 1:1.0.5-1 (low) - xorg 1:7.1.0-13 (low) [sarge] - xfree86 (Minor issue) NOTE: probably fixed earlier than 1:1.0.5 CVE-2006-5213 (Sun Solaris 10 before 20061006 uses "incorrect and insufficient permis ...) NOT-FOR-US: Solaris CVE-2006-5212 (Trend Micro OfficeScan 6.0 in Client/Server/Messaging (CSM) Suite for ...) NOT-FOR-US: Trend Micro OfficeScan CVE-2006-5211 (Trend Micro OfficeScan 6.0 in Client/Server/Messaging (CSM) Suite for ...) NOT-FOR-US: Trend Micro OfficeScan CVE-2006-5210 (Directory traversal vulnerability in IronWebMail before 6.1.1 HotFix-1 ...) NOT-FOR-US: IronWebMail CVE-2006-5209 (PHP remote file inclusion vulnerability in admin/admin_topic_action_lo ...) NOT-FOR-US: Admin Topic Action Logging Mod for phpBB CVE-2006-5208 (Multiple SQL injection vulnerabilities in PHP Classifieds 7.1 allow re ...) NOT-FOR-US: PHP Classifieds CVE-2006-5207 (PHP remote file inclusion vulnerability in images/smileys/smileys_pack ...) NOT-FOR-US: phpMyTeam CVE-2006-5206 (SQL injection vulnerability in Invision Gallery 2.0.7 allows remote at ...) NOT-FOR-US: Invision Gallery CVE-2006-5205 (Directory traversal vulnerability in Invision Gallery 2.0.7 allows rem ...) NOT-FOR-US: Invision Gallery CVE-2006-5204 (Cross-site scripting (XSS) vulnerability in action_admin/member.php in ...) NOT-FOR-US: Invision Power Board (IPB) CVE-2006-5203 (Invision Power Board (IPB) 2.1.7 and earlier allows remote restricted ...) NOT-FOR-US: Invision Power Board (IPB) CVE-2006-5202 (Linksys WRT54g firmware 1.00.9 does not require credentials when makin ...) NOT-FOR-US: Linksys CVE-2006-5201 (Multiple packages on Sun Solaris, including (1) NSS; (2) Java JDK and ...) - sun-java5 1.5.0-10-1 (bug #393042) NOTE: this is similar to CVE-2006-4339 CVE-2006-5200 (Unspecified vulnerability in Adobe Breeze 5 Licensed Server and Breeze ...) NOT-FOR-US: Adobe CVE-2006-5199 (Adobe Contribute Publishing Server leaks the administrator password in ...) NOT-FOR-US: Adobe CVE-2006-5198 (The WZFILEVIEW.FileViewCtrl.61 ActiveX control (aka Sky Software "File ...) NOT-FOR-US: WinZip CVE-2006-5197 (PDshopPro stores sensitive information under the web root with insuffi ...) NOT-FOR-US: PDshopPro CVE-2006-5196 (The HTTP interface in the Motorola SURFboard SB4200 Cable Modem allows ...) NOT-FOR-US: Motorola SURFboard CVE-2006-5195 (Multiple cross-site scripting (XSS) vulnerabilities in Wheatblog 1.0 a ...) NOT-FOR-US: Wheatblog CVE-2006-5194 (Cross-site scripting (XSS) vulnerability in index.php in net2ftp 0.93 ...) NOT-FOR-US: net2ftp CVE-2006-5193 (PHP remote file inclusion vulnerability in index.php in Josh Schmidt W ...) NOT-FOR-US: WikyBlog CVE-2006-5192 (PHP remote file inclusion vulnerability in includes/footer.php in phpG ...) NOT-FOR-US: phpGreetz CVE-2006-5191 (PHP remote file inclusion vulnerability in includes/functions_static_t ...) NOT-FOR-US: Nivisec Static Topics module for phpBB CVE-2006-5190 (Multiple cross-site scripting (XSS) vulnerabilities in osCommerce 2.2 ...) NOT-FOR-US: osCommerce CVE-2006-5189 (PHP remote file inclusion vulnerability in funzioni/lib/show_hlp.php i ...) NOT-FOR-US: klinza professional cms CVE-2006-5188 (Directory traversal vulnerability in download.php in webGENEius GOOP G ...) NOT-FOR-US: webGENEius GOOP Gallery CVE-2006-5187 (PHP remote file inclusion vulnerability in includes/functions.php in B ...) NOT-FOR-US: Bulletin Board Ace (BBaCE) CVE-2006-5186 (PHP remote file inclusion vulnerability in functions.php in phpMyProfi ...) NOT-FOR-US: phpMyProfiler CVE-2006-5185 (Eval injection vulnerability in Template.php in HAMweather 3.9.8.4 and ...) NOT-FOR-US: HAMweather CVE-2006-5184 (SQL injection vulnerability in PKR Internet Taskjitsu before 2.0.6 all ...) NOT-FOR-US: PKR Internet Taskjitsu CVE-2006-5183 (Multiple PHP remote file inclusion vulnerabilities in Dayfox Designs D ...) NOT-FOR-US: Dayfox Blog CVE-2006-5182 (PHP remote file inclusion vulnerability in frontpage.php in Dan Jensen ...) NOT-FOR-US: Travelsized CMS CVE-2006-5181 (Multiple PHP remote file inclusion vulnerabilities in Joshua Muheim ph ...) NOT-FOR-US: phpMyWebmin CVE-2006-5180 (PHP remote file inclusion vulnerability in include/main.inc.php in Seb ...) NOT-FOR-US: Newswriter SW CVE-2006-5179 (Intoto iGateway VPN and iGateway SSL-VPN allow context-dependent attac ...) NOT-FOR-US: Intoto iGateway CVE-2006-5178 (Race condition in the symlink function in PHP 5.1.6 and earlier allows ...) - php5 5.2.0-1 (bug #391281; unimportant) - php4 4:4.4.4-1 (bug #391282; unimportant) NOTE: open_basedir is not supported CVE-2006-5177 (The NTLM authentication in MailEnable Professional 2.0 and Enterprise ...) NOT-FOR-US: MailEnable Professional CVE-2006-5176 (Buffer overflow in NTLM authentication in MailEnable Professional 2.0 ...) NOT-FOR-US: MailEnable Professional CVE-2006-5175 (Cross-site request forgery (CSRF) vulnerability in the administrative ...) NOT-FOR-US: TeraStation HD-HTGL CVE-2006-5174 (The copy_from_user function in the uaccess code in Linux kernel 2.6 be ...) {DSA-1237 DSA-1233} - linux-2.6 2.6.18-5 NOTE: s390 only, fix in 2.6.18-3 was reverted in 2.6.18-4 CVE-2006-5173 (Linux kernel does not properly save or restore EFLAGS during a context ...) - linux-2.6 2.6.18-1 CVE-2006-5172 (Stack-based buffer overflow in the RPC interface in Mediasvr.exe in Co ...) NOT-FOR-US: Computer Associates (CA) Brightstor CVE-2006-5171 (Stack-based buffer overflow in the RPC interface in Mediasvr.exe in Co ...) NOT-FOR-US: Computer Associates (CA) Brightstor CVE-2006-5170 (pam_ldap in nss_ldap on Red Hat Enterprise Linux 4, Fedora Core 3 and ...) {DSA-1203-1} - libpam-ldap 180-1.2 (bug #392984; medium) CVE-2006-5169 (Cross-site scripting (XSS) vulnerability in John Himmelman (aka DaRk2k ...) NOT-FOR-US: PowerPortal CVE-2006-5168 (Cross-site scripting (XSS) vulnerability in the search functionality i ...) NOT-FOR-US: Pebble CVE-2005-4813 (Unspecified vulnerability in Report Application Server (Crystalras.exe ...) NOT-FOR-US: Business Objects Crystal Reports CVE-2003-1306 (Microsoft URLScan 2.5, with the RemoveServerHeader option enabled, all ...) NOT-FOR-US: Microsoft CVE-2006-XXXX [zabbix format string vulnerabilities] - zabbix 1:1.1.2-4 (bug #391388) CVE-2006-XXXX [zabbix buffer overflows] - zabbix 1:1.1.2-4 (bug #391388) CVE-2006-5167 (Multiple PHP remote file inclusion vulnerabilities in BasiliX 1.1.1 an ...) NOT-FOR-US: BasiliX CVE-2006-5166 (PHP remote file inclusion vulnerability in functions.php in PHP Web Sc ...) NOT-FOR-US: PHP Web Scripts Easy Banner Free CVE-2006-5165 (PHP remote file inclusion vulnerability in inc/functions.inc.php in Sk ...) NOT-FOR-US: Skrypty PPA Gallery CVE-2006-5164 (Multiple cross-site scripting (XSS) vulnerabilities in cart.php in Sum ...) NOT-FOR-US: digiSHOP CVE-2006-5163 (IBM Informix Dynamic Server 10.UC3RC1 Trial for Linux and possibly oth ...) NOT-FOR-US: IBM CVE-2006-5162 (wininet.dll in Microsoft Internet Explorer 6.0 SP2 and earlier allows ...) NOT-FOR-US: Microsoft CVE-2006-5161 (IBM Client Security Password Manager stores and distributes saved pass ...) NOT-FOR-US: IBM CVE-2006-5160 - firefox (no real issues) CVE-2006-5159 NOT-FOR-US: Bogus Firefox issue CVE-2006-5158 (The nlmclnt_mark_reclaim in clntlock.c in NFS lockd in Linux kernel be ...) - linux-2.6 2.6.15 CVE-2006-5157 (Format string vulnerability in the ActiveX control (ATXCONSOLE.OCX) in ...) NOT-FOR-US: TrendMicro OfficeScan CVE-2006-5156 (Buffer overflow in McAfee ePolicy Orchestrator before 3.5.0.720 and Pr ...) NOT-FOR-US: McAfee CVE-2006-5155 (PHP remote file inclusion vulnerability in core/pdf.php in VideoDB 2.2 ...) NOT-FOR-US: VideoDB CVE-2006-5154 (PHP remote file inclusion vulnerability in cp/sig.php in DeluxeBB 1.09 ...) NOT-FOR-US: DeluxeBB CVE-2006-5153 (The (1) fwdrv.sys and (2) khips.sys drivers in Sunbelt Kerio Personal ...) NOT-FOR-US: Kerio Personal Firewall CVE-2006-5152 (Cross-site scripting (XSS) vulnerability in Microsoft Internet Explore ...) NOT-FOR-US: Microsoft CVE-2006-5151 (Unspecified vulnerability in HP Ignite-UX server before C.6.9.150 for ...) NOT-FOR-US: HP CVE-2006-5150 (SQL injection vulnerability in the reports system in OpenBiblio before ...) NOT-FOR-US: OpenBiblio CVE-2006-5149 (Multiple directory traversal vulnerabilities in OpenBiblio before 0.5. ...) NOT-FOR-US: OpenBiblio CVE-2006-5148 (Multiple PHP remote file inclusion vulnerabilities in Forum82 2.5.2b a ...) NOT-FOR-US: Forum82 CVE-2006-5147 (PHP remote file inclusion vulnerability in wamp_dir/setup/yesno.phtml ...) NOT-FOR-US: VAMP Webmail CVE-2006-5146 (Multiple cross-site scripting (XSS) vulnerabilities in Yblog allow rem ...) NOT-FOR-US: Yblog CVE-2006-5145 (Multiple SQL injection vulnerabilities in OlateDownload 3.4.0 allow re ...) NOT-FOR-US: OlateDownload CVE-2006-5144 (Cross-site scripting (XSS) vulnerability in userupload.php in OlateDow ...) NOT-FOR-US: OlateDownload CVE-2006-5143 (Multiple buffer overflows in CA BrightStor ARCserve Backup r11.5 SP1 a ...) NOT-FOR-US: Backup Agent RPC Server CVE-2006-5142 (Stack-based buffer overflow in CA BrightStor ARCserve Backup R11.5 cli ...) NOT-FOR-US: CA BrightStor ARCserver Backup CVE-2006-5141 (PHP remote file inclusion vulnerability in script.php in Kevin A. Gord ...) NOT-FOR-US: Open Geo Targeting (aka geotarget) CVE-2006-5140 (SQL injection vulnerability in display.php in Lappy512 PHP Krazy Image ...) NOT-FOR-US: Image Host Script (phpkimagehost) CVE-2006-5139 (Unspecified vulnerability in MkPortal allows remote attackers to corru ...) NOT-FOR-US: MkPortal CVE-2006-5138 (Groupee UBB.threads 6.5.1.1 allows remote attackers to obtain sensitiv ...) NOT-FOR-US: Groupee UBB.threads CVE-2006-5137 (Multiple direct static code injection vulnerabilities in Groupee UBB.t ...) NOT-FOR-US: Groupee UBB.threads CVE-2006-5136 (Multiple PHP remote file inclusion vulnerabilities in ubbt.inc.php in ...) NOT-FOR-US: Groupee UBB.threads CVE-2006-5135 (Multiple PHP remote file inclusion vulnerabilities in A-Blog 2 allow r ...) NOT-FOR-US: A-Blog CVE-2006-5134 (Mercury SiteScope 8.2 (8.1.2.0) allows remote authenticated users to c ...) NOT-FOR-US: Mercury SiteScope CVE-2006-5133 (Buffer overflow in GuildFTPd 0.999.13 allows remote attackers to have ...) NOT-FOR-US: GuildFTPd CVE-2006-5132 (Multiple PHP remote file inclusion vulnerabilities in phpMyAgenda 3.0 ...) NOT-FOR-US: phpMyAgenda CVE-2006-5131 (module/shout/jafshout.php (aka the shoutbox) in ph03y3nk just another ...) NOT-FOR-US: just another flat file (JAF) CMS CVE-2006-5130 (Multiple cross-site scripting (XSS) vulnerabilities in ph03y3nk just a ...) NOT-FOR-US: ust another flat file (JAF) CMS CVE-2006-5129 (Multiple cross-site scripting (XSS) vulnerabilities in ph03y3nk just a ...) NOT-FOR-US: ust another flat file (JAF) CMS CVE-2006-5128 (SQL injection vulnerability in index.php in Bartels Schoene ConPresso ...) NOT-FOR-US: ConPresso CVE-2006-5127 (Multiple cross-site scripting (XSS) vulnerabilities in Bartels Schoene ...) NOT-FOR-US: ConPresso CVE-2006-5126 (PHP remote file inclusion vulnerability in index.php in John Himmelman ...) NOT-FOR-US: PowerPortal CVE-2006-5125 (Directory traversal vulnerability in window.php, possibly used by home ...) NOT-FOR-US: phpMyWebmin CVE-2006-5124 (Multiple PHP remote file inclusion vulnerabilities in Joshua Muheim ph ...) NOT-FOR-US: phpMyWebmin CVE-2006-5123 (Multiple PHP remote file inclusion vulnerabilities in Albrecht Guenthe ...) NOT-FOR-US: PHProjekt CVE-2006-5122 (Multiple cross-site scripting (XSS) vulnerabilities in Mercury SiteSco ...) NOT-FOR-US: SiteScope CVE-2006-5121 (SQL injection vulnerability in modules/Downloads/admin.php in the Admi ...) NOT-FOR-US: PostNuke CVE-2006-5120 (Multiple cross-site scripting (XSS) vulnerabilities in Scott Metoyer R ...) NOT-FOR-US: Red Mombin CVE-2006-5119 (Multiple cross-site scripting (XSS) vulnerabilities in Zen Cart 1.3.5 ...) NOT-FOR-US: Zen Cart CVE-2006-5118 (PHP remote file inclusion vulnerability in index.php3 in the PDD packa ...) NOT-FOR-US: PHPSelect Web Development Division CVE-2006-5117 (phpMyAdmin before 2.9.1-rc1 has a libraries directory under the web do ...) - phpmyadmin 4:2.9.0.2-0.1 (bug #391090; unimportant) NOTE: Only path disclosure CVE-2006-5116 (Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyAdm ...) {DSA-1207-1} - phpmyadmin 4:2.9.0.2-0.1 (bug #391090; bug #400553; low) [sarge] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2006-5/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/b3906852bbcb5c4e116cc20e214b7f6793ca97aa NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/ac2f606a21d474596a4b2cada961385439cbc8f0 NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/50319d634c620044a0542495939cd68530f00259 CVE-2006-5115 (Directory traversal vulnerability in kgcall.php in KGB 1.87 allows rem ...) NOT-FOR-US: KGB CVE-2006-5114 (Multiple cross-site scripting (XSS) vulnerabilities in wgate in SAP In ...) NOT-FOR-US: SAP CVE-2006-5113 (Directory traversal vulnerability in common.php in Yuuki Yoshizawa Exp ...) NOT-FOR-US: Exporia CVE-2006-5112 (Buffer overflow in InterVations NaviCOPA Web Server 2.01 allows remote ...) NOT-FOR-US: NaviCOPA Web Server CVE-2006-5111 (The libksba library 0.9.12 and possibly other versions, as used by gpg ...) - libksba 0.9.14-1 (low; bug #391278) [sarge] - libksba (Minor issue) CVE-2006-5110 (Cross-site scripting (XSS) vulnerability in home.php in PHP Invoice 2. ...) NOT-FOR-US: PHP Invoice CVE-2006-5109 (Devellion CubeCart 2.0.x allows remote attackers to obtain sensitive i ...) NOT-FOR-US: CubeCart CVE-2006-5108 (Multiple cross-site scripting (XSS) vulnerabilities in Devellion CubeC ...) NOT-FOR-US: CubeCart CVE-2006-5107 (Multiple SQL injection vulnerabilities in Devellion CubeCart 2.0.x all ...) NOT-FOR-US: CubeCart CVE-2006-5106 (Cross-site scripting (XSS) vulnerability in FacileForms before 1.4.7 f ...) NOT-FOR-US: FacileForms for Mambo and Joomla! CVE-2006-5105 (Multiple PHP remote file inclusion vulnerabilities in SyntaxCMS 1.1.1 ...) NOT-FOR-US: SyntaxCMS CVE-2006-5104 (SQL injection vulnerability in global.php in Jelsoft vBulletin 2.x all ...) NOT-FOR-US: vBulletin CVE-2006-5103 (PHP remote file inclusion vulnerability in admin/index2.php in bbsNew ...) NOT-FOR-US: bbsNew CVE-2006-5102 (PHP remote file inclusion vulnerability in include/editfunc.inc.php in ...) NOT-FOR-US: Newswriter SW CVE-2006-5101 (PHP remote file inclusion vulnerability in include.php in Comdev CSV I ...) NOT-FOR-US: Comdev CSV Importer CVE-2006-5100 (PHP remote file inclusion vulnerability in parse/parser.php in WEB//NE ...) NOT-FOR-US: WEB//NEWS (aka webnews) CVE-2006-5099 (lib/exec/fetch.php in DokuWiki before 2006-03-09e, when conf[imconvert ...) - dokuwiki 0.0.20060309-5.2 (bug #391291; medium) CVE-2006-5098 (lib/exec/fetch.php in DokuWiki before 2006-03-09e allows remote attack ...) - dokuwiki 0.0.20060309-5.2 (bug #391291; medium) CVE-2006-5097 NOT-FOR-US: net2ftp CVE-2006-5096 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Vi ...) NOT-FOR-US: VirtueMart CVE-2006-5095 NOT-FOR-US: MyPhotos CVE-2006-5094 (PHP remote file inclusion vulnerability in includes/functions_kb.php i ...) NOT-FOR-US: phpBB XS CVE-2006-5093 (PHP remote file inclusion vulnerability in index.php in Tagmin Control ...) NOT-FOR-US: TagIt! Tagboard CVE-2006-5092 (PHP remote file inclusion vulnerability in navigation/menu.php in A-Bl ...) NOT-FOR-US: A-Blog CVE-2006-5091 (Unspecified vulnerability in HP-UX B.11.11 and B.11.23 CIFS Server (Sa ...) NOT-FOR-US: HP-UX Samba CVE-2006-5090 (Multiple cross-site scripting (XSS) vulnerabilities in Phoenix Evoluti ...) NOT-FOR-US: Phoenix Evolution CMS (PECMS) CVE-2006-5089 NOT-FOR-US: My-BIC CVE-2006-5088 (PHP remote file inclusion vulnerability in connected_users.lib.php3 in ...) NOT-FOR-US: phpMyChat CVE-2006-5087 (Multiple PHP remote file inclusion vulnerabilities in evoBB 0.3 and ea ...) NOT-FOR-US: evoBB CVE-2006-5086 (Blog Pixel Motion 2.1.1 allows remote attackers to change the username ...) NOT-FOR-US: Blog Pixel Motion CVE-2006-5085 (Static code injection vulnerability in config.php in Blog Pixel Motion ...) NOT-FOR-US: Blog Pixel Motion CVE-2006-5084 (Format string vulnerability in the NSRunAlertPanel function in eBay Sk ...) NOT-FOR-US: Skype CVE-2006-5083 (PHP remote file inclusion vulnerability in includes/functions_portal.p ...) NOT-FOR-US: Integrated MODs (IM) Portal CVE-2006-5082 (Unspecified vulnerability in Sugar Suite Open Source (SugarCRM) before ...) - sugarcrm-ce-5.0 (bug #457876) CVE-2006-5081 (PHP remote file inclusion vulnerability in acc.php in QuickBlogger (QB ...) NOT-FOR-US: QuickBlogger CVE-2006-5080 (Cross-site scripting (XSS) vulnerability in the search function in Six ...) NOT-FOR-US: Movable Type CVE-2006-5079 (PHP remote file inclusion vulnerability in class.mysql.php in Matt Hum ...) NOT-FOR-US: paBugs CVE-2006-5078 (PHP remote file inclusion vulnerability in view/general.php in Kristia ...) NOT-FOR-US: Polaring CVE-2006-5077 (PHP remote file inclusion vulnerability in admin/admin_topic_action_lo ...) NOT-FOR-US: Minerva CVE-2006-5076 (Multiple PHP remote file inclusion vulnerabilities in OpenConcept Back ...) NOT-FOR-US: OpenConcept Back-End CVE-2006-5075 (The Kernel SSL Proxy service (svc:/network/ssl/proxy) in Sun Solaris 1 ...) NOT-FOR-US: Solaris CVE-2006-5074 (Cross-site scripting (XSS) vulnerability in home.php in PHP Invoice 2. ...) NOT-FOR-US: PHP Invoice CVE-2006-5073 (Unspecified vulnerability in Sun Solaris 8, 9 and 10 allows remote att ...) NOT-FOR-US: Solaris CVE-2006-5072 (The System.CodeDom.Compiler classes in Novell Mono create temporary fi ...) - mono 1.1.17.1-5 CVE-2006-5071 (Multiple cross-site scripting (XSS) vulnerabilities in eyeOS before 0. ...) NOT-FOR-US: eyeOS CVE-2006-5070 (PHP remote file inclusion vulnerability in fsl2/objects/fs_form_links. ...) NOT-FOR-US: faceStones Personal CVE-2006-5069 (Cross-site scripting (XSS) vulnerability in class.tx_indexedsearch.php ...) - typo3-src (only versions 4.0.0+4.0.1 affected) CVE-2006-5068 (PHP remote file inclusion vulnerability in admin/index.php in Brudaswe ...) NOT-FOR-US: BrudaNews CVE-2006-5067 NOT-FOR-US: PHP System Administration Toolkit (PHPSaTK) CVE-2006-5066 (Multiple cross-site scripting (XSS) vulnerabilities in DanPHPSupport 0 ...) NOT-FOR-US: DanPHPSupport CVE-2006-5065 (PHP remote file inclusion vulnerability in libs/dbmax/mysql.php in Zoo ...) NOT-FOR-US: ZoomStats CVE-2006-5064 (Multiple cross-site scripting (XSS) vulnerabilities in BirdBlog 1.4 an ...) NOT-FOR-US: BirdBlog CVE-2006-5063 (Cross-site scripting (XSS) vulnerability in Elog 2.6.1 allows remote a ...) {DSA-1242-1} - elog 2.6.2+r1719-1 (bug #389361) CVE-2006-5062 (PHP remote file inclusion vulnerability in templates/pb/language/lang_ ...) NOT-FOR-US: PBLang (PBL) CVE-2006-5061 (PHP remote file inclusion vulnerability in mcf.php in Advanced-Clan-Sc ...) NOT-FOR-US: Advanced-Clan-Script (AVCX) CVE-2006-5060 (Cross-site scripting (XSS) vulnerability in login.php in Jamroom 3.0.1 ...) NOT-FOR-US: Jamroom CVE-2006-5059 (Multiple cross-site scripting (XSS) vulnerabilities in WWWthreads 5.4. ...) NOT-FOR-US: WWWthreads CVE-2006-5058 (Buffer overflow in (1) Call of Duty 1.5b and earlier, (2) Call of Duty ...) NOT-FOR-US: Call of Duty CVE-2006-5057 (Multiple cross-site scripting (XSS) vulnerabilities in Ktools.net Phot ...) NOT-FOR-US: PhotoStore CVE-2006-5056 (Cross-site scripting (XSS) vulnerability in index.php in Opial Audio/V ...) NOT-FOR-US: Opial Audio/Video Download Management CVE-2006-5055 (PHP remote file inclusion vulnerability in admin/testing/tests/0004_in ...) NOT-FOR-US: syntaxCMS CVE-2006-5054 (SQL injection vulnerability in uye/uye_ayrinti.asp in iyzi Forum 1 Bet ...) NOT-FOR-US: iyzi Forum CVE-2006-5053 (PHP remote file inclusion vulnerability in webnews/template.php in Web ...) NOT-FOR-US: Web-News CVE-2006-5052 (Unspecified vulnerability in portable OpenSSH before 4.4, when running ...) [etch] - openssh (Minor issue) - openssh 1:4.6p1-1 (low) CVE-2006-5051 (Signal handler race condition in OpenSSH before 4.4 allows remote atta ...) {DSA-1638-1 DSA-1212 DSA-1189-1} - openssh 1:4.6p1-1 (low) - openssh-krb5 (high) NOTE: From my analysis only openssh with Kerberos support should be vulnerable NOTE: However, we'll fix openssh as well just to make sure CVE-2006-5050 (Directory traversal vulnerability in httpd in Rob Landley BusyBox allo ...) - busybox (bug #390555; irreproducible) [sarge] - busybox (Vulnerable code not present) CVE-2006-5049 (Unspecified vulnerability in Classifieds (com_classifieds) component 1 ...) NOT-FOR-US: Classifieds (com_classifieds) component for Joomla! CVE-2006-5048 (Multiple PHP remote file inclusion vulnerabilities in Security Images ...) NOT-FOR-US: Security Images (com_securityimages) component for Joomla! CVE-2006-5047 (Unspecified vulnerability in rsgallery2.html.php in RS Gallery2 compon ...) NOT-FOR-US: RS Gallery2 component for Joomla! (com_rsgallery2) CVE-2006-5046 (Unspecified vulnerability in RS Gallery2 (com_rsgallery2) 1.11.3 and e ...) NOT-FOR-US: RS Gallery2 component for Joomla! (com_rsgallery2) CVE-2006-5045 (Unspecified vulnerability in PollXT component (com_pollxt) 1.22.07 and ...) NOT-FOR-US: PollXT component (com_pollxt) for Joomla! CVE-2006-5044 (Unspecified vulnerability in Prince Clan (Princeclan) Chess component ...) NOT-FOR-US: Prince Clan (Princeclan) Chess componen (com_pcchess) for Mambo and Joomla! CVE-2006-5043 (Multiple PHP remote file inclusion vulnerabilities in the Joomlaboard ...) NOT-FOR-US: JoomlaBoard (com_joomlaboard) for Joomla! CVE-2006-5042 (Unspecified vulnerability in mosMedia (com_mosmedia) 1.0.8 and earlier ...) NOT-FOR-US: mosMedia (com_mosmedia) for Joomla! CVE-2006-5041 (Unspecified vulnerability in Hot Properties (possibly com_hotpropertie ...) NOT-FOR-US: Hot Properties (possibly com_hotproperties) for Joomla! CVE-2006-5040 (Unspecified vulnerability in SEF404x (com_sef) for Joomla! has unspeci ...) NOT-FOR-US: SEF404x (com_sef) for Joomla! CVE-2006-5039 (Unspecified vulnerability in Events 1.3 beta module (com_events) for J ...) NOT-FOR-US: Events 1.3 beta module (com_events) for Joomla! CVE-2006-5038 (The FiWin SS28S WiFi VoIP SIP/Skype Phone, firmware version 01_02_07, ...) NOT-FOR-US: FiWin CVE-2006-5037 NOT-FOR-US: MySource Matrix CVE-2006-5036 NOT-FOR-US: MySource Matrix CVE-2006-5035 (Multiple cross-site scripting (XSS) vulnerabilities in Paul Smith Comp ...) NOT-FOR-US: vCAP CVE-2006-5034 (Directory traversal vulnerability in Paul Smith Computer Services vCAP ...) NOT-FOR-US: vCAP CVE-2006-5033 (Unspecified vulnerability in StoresAndCalendarsList.cgi in Paul Smith ...) NOT-FOR-US: vCAP CVE-2006-5032 (PHP remote file inclusion vulnerability in dix.php3 in PHPartenaire 1. ...) NOT-FOR-US: PHPartenaire CVE-2006-5031 (Directory traversal vulnerability in app/webroot/js/vendors.php in Cak ...) - cakephp 1.1.13.4450-1 CVE-2006-5030 (SQL injection vulnerability in modules/messages/index.php in exV2 2.0. ...) NOT-FOR-US: exV2 CVE-2006-5029 (SQL injection vulnerability in thread.php in WoltLab Burning Board (wB ...) NOT-FOR-US: WoltLab Burning Board (wBB) CVE-2006-5028 (Directory traversal vulnerability in filemanager/filemanager.php in SW ...) NOT-FOR-US: Plesk CVE-2006-5027 (Jeroen Vennegoor JevonCMS, possibly pre alpha, allows remote attackers ...) NOT-FOR-US: JevonCMS CVE-2006-5026 (Multiple unspecified vulnerabilities in Paisterist Simple HTTP Scanner ...) NOT-FOR-US: Paisterist Simple HTTP Scanner (sHTTPScanner) CVE-2006-5025 (Multiple unspecified vulnerabilities in Paisterist Simple HTTP Scanner ...) NOT-FOR-US: Paisterist Simple HTTP Scanner (sHTTPScanner) CVE-2006-5024 (Multiple unspecified vulnerabilities in Paisterist Simple HTTP Scanner ...) NOT-FOR-US: Paisterist Simple HTTP Scanner (sHTTPScanner) CVE-2006-5023 (SQL injection vulnerability in kategori.asp in xweblog 2.1 and earlier ...) NOT-FOR-US: xweblog CVE-2006-5022 (PHP remote file inclusion vulnerability in includes/global.php in Josh ...) NOT-FOR-US: pNews System 1.1.0 (aka PowerNews) CVE-2006-5021 (Multiple PHP remote file inclusion vulnerabilities in redgun RedBLoG 0 ...) NOT-FOR-US: RedBLoG CVE-2006-5020 (Multiple PHP remote file inclusion vulnerabilities in SolidState 0.4 a ...) NOT-FOR-US: SolidState CVE-2006-5019 (Google Mini 4.4.102.M.36 and earlier allows remote attackers to obtain ...) NOT-FOR-US: Google Mini CVE-2006-5018 (ContentKeeper 123.25 and earlier places passwords in cleartext in an I ...) NOT-FOR-US: ContentKeeper CVE-2006-5017 (SQL injection vulnerability in admin/all_users.php in Szava Gyula and ...) NOT-FOR-US: e-Vision CMS CVE-2006-5016 (Unrestricted file upload vulnerability in admin/x_image.php in Szava G ...) NOT-FOR-US: e-Vision CMS CVE-2006-5015 (PHP remote file inclusion vulnerability in hit.php in Kietu 3.2 allows ...) NOT-FOR-US: Kietu CVE-2006-5014 (Unspecified vulnerability in cPanel before 10.9.0 12 Tree allows remot ...) NOT-FOR-US: cPanel CVE-2006-5013 (Sun Solaris 10 before patch 118855-16 (20060925), when run on x64 syst ...) NOT-FOR-US: Solaris CVE-2006-5012 (Unspecified vulnerability in Sun Solaris 8, 9, and 10 before 20060925 ...) NOT-FOR-US: Solaris CVE-2006-5011 (Untrusted search path vulnerability in snappd in IBM AIX 5.2.0 and 5.3 ...) NOT-FOR-US: AIX CVE-2006-5010 (Untrusted search path vulnerability in acctctl in IBM AIX 5.3.0 allows ...) NOT-FOR-US: AIX CVE-2006-5009 (Unspecified vulnerability in xlock in IBM AIX 5.2.0 and 5.3.0 allows l ...) NOT-FOR-US: AIX CVE-2006-5008 (Unspecified vulnerability in utape in IBM AIX 5.2.0 and 5.3.0 allows a ...) NOT-FOR-US: AIX CVE-2006-5007 (Untrusted search path vulnerability in uucp in IBM AIX 5.2.0 and 5.3.0 ...) NOT-FOR-US: AIX CVE-2006-5006 (Buffer overflow in cfgmgr in IBM AIX 5.2.0 and 5.3.0 allows local user ...) NOT-FOR-US: AIX CVE-2006-5005 (Unspecified vulnerability in bos.net.tcp.client in IBM AIX 5.2.0 and 5 ...) NOT-FOR-US: AIX CVE-2006-5004 (Unspecified vulnerability in the rdist command in IBM AIX 5.2.0 and 5. ...) NOT-FOR-US: AIX CVE-2006-5003 (Unspecified vulnerability in the named8 command in IBM AIX 5.2.0 and 5 ...) NOT-FOR-US: AIX CVE-2006-5002 (Unspecified vulnerability in IBM Inventory Scout for AIX 2.2.0.0 throu ...) NOT-FOR-US: AIX CVE-2006-5001 (Unspecified vulnerability in the log analyzer in WS_FTP Server 5.05 be ...) NOT-FOR-US: WS_FTP CVE-2006-5000 (Multiple buffer overflows in WS_FTP Server 5.05 before Hotfix 1, and p ...) NOT-FOR-US: WS_FTP CVE-2006-4999 RESERVED CVE-2006-4998 RESERVED CVE-2006-4997 (The clip_mkip function in net/atm/clip.c of the ATM subsystem in Linux ...) {DSA-1237 DSA-1233} - linux-2.6 2.6.18-1 CVE-2006-4996 (Unspecified vulnerability in JoomlaLib (com_joomlalib) before 1.2.2 fo ...) NOT-FOR-US: JoomlaLib (com_joomlalib) for Joomla! CVE-2006-4995 (PHP remote file inclusion vulnerability in BSQ Sitestats (bsq_sitestat ...) NOT-FOR-US: BSQ Sitestats for Joomla! CVE-2006-4994 (Multiple unquoted Windows search path vulnerabilities in Apache Friend ...) NOT-FOR-US: XAMPP CVE-2006-4993 (Multiple PHP remote file inclusion vulnerabilities in AllMyGuests 0.4. ...) NOT-FOR-US: AllMyGuests CVE-2006-4992 (Multiple PHP remote file inclusion vulnerabilities in JD-WordPress for ...) NOT-FOR-US: JD-WordPress for Joomla! CVE-2006-4991 (RSA Keon Certificate Authority (KeonCA) Manager 6.5.1 and 6.6 allows p ...) NOT-FOR-US: RSA Keon Certificate Authority (KeonCA) Manager CVE-2006-4990 (Multiple PHP remote file inclusion vulnerabilities in PhotoPost allow ...) NOT-FOR-US: PhotoPost CVE-2006-4989 (Patrick Michaelis Wili-CMS allows remote attackers to obtain sensitive ...) NOT-FOR-US: Wili-CMS CVE-2006-4988 (Multiple cross-site scripting (XSS) vulnerabilities in Patrick Michael ...) NOT-FOR-US: Wili-CMS CVE-2006-4987 (Multiple PHP remote file inclusion vulnerabilities in Patrick Michaeli ...) NOT-FOR-US: Wili-CMS CVE-2006-4986 (Grayscale BandSite CMS allows remote attackers to obtain sensitive inf ...) NOT-FOR-US: BandSite CMS CVE-2006-4985 (Multiple cross-site scripting (XSS) vulnerabilities in Grayscale BandS ...) NOT-FOR-US: BandSite CMS CVE-2006-4984 (Multiple PHP remote file inclusion vulnerabilities in Grayscale BandSi ...) NOT-FOR-US: BandSite CMS CVE-2006-4983 (Cisco NAC allows quarantined devices to communicate over the network w ...) NOT-FOR-US: Cisco CVE-2006-4982 (Cisco NAC maintains an exception list that does not record device prop ...) NOT-FOR-US: Cisco CVE-2006-4981 (Symantec Sygate NAC allows physically proximate attackers to bypass co ...) NOT-FOR-US: Symantec CVE-2006-4980 (Buffer overflow in the repr function in Python 2.3 through 2.6 before ...) {DSA-1198-1 DSA-1197-1} - python2.5 2.5-1 (bug #391589) - python2.4 2.4.3-9 (bug #391589) - python2.3 2.3.5-16 (bug #393053) - python2.2 (Compiled without UCS-4 support) CVE-2006-4979 (Direct static code injection vulnerability in cfgphpquiz/install.php i ...) NOT-FOR-US: PhpQuiz CVE-2006-4978 (Multiple SQL injection vulnerabilities in Walter Beschmout PhpQuiz 1.2 ...) NOT-FOR-US: PhpQuiz CVE-2006-4977 (Multiple unrestricted file upload vulnerabilities in (1) back/upload_i ...) NOT-FOR-US: PhpQuiz CVE-2006-4976 (The Date Library in John Lim ADOdb Library for PHP allows remote attac ...) - libphp-adodb (unimportant) - gallery2 (unimportant) - phppgadmin 5.1+ds-1 (unimportant) - egroupware (unimportant) - phpwiki (unimportant) - moodle (unimportant) NOTE: full path is known in Debian anyway CVE-2006-4975 (Yahoo! Messenger for WAP permits saving messages that contain JavaScri ...) NOT-FOR-US: Yahoo! Messenger CVE-2006-4974 (Buffer overflow in Ipswitch WS_FTP Limited Edition (LE) 5.08 allows re ...) NOT-FOR-US: WS_FTP CVE-2006-4973 (Cross-site scripting (XSS) vulnerability in Default.aspx in Perpetual ...) NOT-FOR-US: DotNetNuke CVE-2006-4972 (Cross-site scripting (XSS) vulnerability in archive/index.php/forum-4. ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-4971 (MyBB (aka MyBulletinBoard) allows remote attackers to obtain sensitive ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-4970 (PHP remote file inclusion vulnerability in enc/content.php in WAHM E-C ...) NOT-FOR-US: Pie Cart Pro CVE-2006-4969 (Multiple PHP remote file inclusion vulnerabilities in WAHM E-Commerce ...) NOT-FOR-US: Pie Cart Pro CVE-2006-4968 (PHP remote file inclusion vulnerability in includes/functions_admin.ph ...) NOT-FOR-US: PNphpBB NOTE: code in phpBB is different and not affected CVE-2006-4967 (Multiple cross-site scripting (XSS) vulnerabilities in NextAge Cart al ...) NOT-FOR-US: NextAge Cart CVE-2006-4966 (PHP remote file inclusion vulnerability in inc/ifunctions.php in chump ...) NOT-FOR-US: phpQuestionnaire CVE-2006-4965 (Apple QuickTime 7.1.3 Player and Plug-In allows remote attackers to ex ...) NOT-FOR-US: Apple NOTE: also used for related MFSA-2007-28, but still a QuickTime/Windows only issue CVE-2006-4964 (Cross-site scripting (XSS) vulnerability in MAXdev MDPro 1.0.76 before ...) NOT-FOR-US: MAXdev MDPro CVE-2006-4963 (Directory traversal vulnerability in index.php in Exponent CMS 0.96.3 ...) NOT-FOR-US: Exponent CMS CVE-2006-4962 (Directory traversal vulnerability in pbd_engine.php in Php Blue Dragon ...) NOT-FOR-US: Php Blue Dragon CVE-2006-4961 (SQL injection vulnerability in the GetModuleConfig function in public_ ...) NOT-FOR-US: Php Blue Dragon CVE-2006-4960 (Cross-site scripting (XSS) vulnerability in index.php Php Blue Dragon ...) NOT-FOR-US: Php Blue Dragon CVE-2006-4959 (Sun Secure Global Desktop (SSGD, aka Tarantella) before 4.3 allows rem ...) NOT-FOR-US: Sun Secure Global Desktop CVE-2006-4958 (Multiple cross-site scripting (XSS) vulnerabilities in Sun Secure Glob ...) NOT-FOR-US: Sun Secure Global Desktop CVE-2006-4957 (SQL injection vulnerability in the GetMember function in functions.php ...) NOT-FOR-US: MyReview CVE-2006-4956 (Cross-site scripting (XSS) vulnerability in the updateuser servlet in ...) NOT-FOR-US: Neon WebMail for Java CVE-2006-4955 (Directory traversal vulnerability in the downloadfile servlet in Neon ...) NOT-FOR-US: Neon WebMail for Java CVE-2006-4954 (The updateuser servlet in Neon WebMail for Java before 5.08 does not v ...) NOT-FOR-US: Neon WebMail for Java CVE-2006-4953 (Multiple SQL injection vulnerabilities in Neon WebMail for Java before ...) NOT-FOR-US: Neon WebMail for Java CVE-2006-4952 (The updatemail servlet in Neon WebMail for Java before 5.08 allows rem ...) NOT-FOR-US: Neon WebMail for Java CVE-2006-4951 (Neon WebMail for Java before 5.08 allows remote attackers to execute a ...) NOT-FOR-US: Neon WebMail for Java CVE-2006-4950 (Cisco IOS 12.2 through 12.4 before 20060920, as used by Cisco IAD2430, ...) NOT-FOR-US: Cisco CVE-2006-4949 (Cross-site scripting (XSS) vulnerability in the Drupal 4.6 Site Profil ...) NOT-FOR-US: Profile Directory (profile_pages.module) for Drupal CVE-2006-4948 (Stack-based buffer overflow in tftpd.exe in ProSysInfo TFTP Server TFT ...) NOT-FOR-US: TFTPDWIN CVE-2006-4947 (Cross-site scripting (XSS) vulnerability in the Drupal 4.7 Search Keyw ...) NOT-FOR-US: Search Keywords module for Drupal CVE-2006-4946 (PHP remote file inclusion vulnerability in include/startup.inc.php in ...) NOT-FOR-US: CMSDevelopment Business Card Web Builder (BCWB) CVE-2006-4945 (Multiple PHP remote file inclusion vulnerabilities in Cardway (aka Fre ...) NOT-FOR-US: DigitalWebShop CVE-2006-4944 (PHP remote file inclusion vulnerability in includes/pear/Net/DNS/RR.ph ...) NOT-FOR-US: ProgSys CVE-2006-4943 (course/jumpto.php in Moodle before 1.6.2 does not validate the session ...) - moodle 1.6.2-1 [sarge] - moodle (File not present) CVE-2006-4942 (Moodle before 1.6.2, when the configuration lacks (1) algebra or (2) t ...) - moodle 1.6.2-1 CVE-2006-4941 (Multiple cross-site scripting (XSS) vulnerabilities in Moodle before 1 ...) - moodle 1.6.2-1 CVE-2006-4940 (login/forgot_password.php in Moodle before 1.6.2 allows remote attacke ...) - moodle 1.6.2-1 [sarge] - moodle (Function not present) CVE-2006-4939 (backup/backup_scheduled.php in Moodle before 1.6.2 generates trace dat ...) - moodle 1.6.2-1 (unimportant) NOTE: Path disclosure CVE-2006-4938 (help.php in Moodle before 1.6.2 does not check the existence of certai ...) - moodle 1.6.2-1 (unimportant) NOTE: Path disclosure CVE-2006-4937 (lib/setup.php in Moodle before 1.6.2 sets the error reporting level to ...) - moodle 1.6.2-1 CVE-2006-4936 (Moodle before 1.6.2 does not properly validate the module instance id ...) - moodle 1.6.2-1 CVE-2006-4935 (The Database module in Moodle before 1.6.2 does not properly handle up ...) - moodle 1.6.2-1 CVE-2006-4934 RESERVED CVE-2006-4933 RESERVED CVE-2006-4932 RESERVED CVE-2006-4931 RESERVED CVE-2006-4930 RESERVED CVE-2006-4929 RESERVED CVE-2006-4928 RESERVED CVE-2006-4927 (The (a) NAVENG (NAVENG.SYS) and (b) NAVEX15 (NAVEX15.SYS) device drive ...) NOT-FOR-US: Symantec AntiVirus CVE-2006-4926 (The NDIS-TDI Hooking Engine, as used in the (1) KLICK (KLICK.SYS) and ...) NOT-FOR-US: Kaspersky Labs CVE-2005-4812 (The SISCO OSI stack for Windows, as used by MMS-EASE 7.10 and earlier, ...) NOT-FOR-US: SISCO OSI stack for Windows CVE-2005-4811 (The hugepage code (hugetlb.c) in Linux kernel 2.6, possibly 2.6.12 and ...) {DSA-1304} - linux-2.6 2.6.14 CVE-2006-4925 (packet.c in ssh in OpenSSH allows remote attackers to cause a denial o ...) - openssh 1:5.1p1-5 (unimportant) NOTE: That's a non-issue CVE-2006-4924 (sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, all ...) {DSA-1212 DSA-1189-1} - openssh 1:4.3p2-4 (low; bug #389995) - openssh-krb5 (low) CVE-2006-4923 (Cross-site scripting (XSS) vulnerability in search.php in eSyndiCat Po ...) NOT-FOR-US: eSyndiCat Portal System CVE-2006-4922 (Unrestricted file upload vulnerability in starnet/editors/htmlarea/pop ...) NOT-FOR-US: Site@School CVE-2006-4921 (PHP remote file inclusion vulnerability in Site@School (S@S) 2.4.03 an ...) NOT-FOR-US: Site@School CVE-2006-4920 (Multiple PHP remote file inclusion vulnerabilities in Site@School (S@S ...) NOT-FOR-US: Site@School CVE-2006-4919 (Directory traversal vulnerability in starnet/editors/htmlarea/popups/i ...) NOT-FOR-US: Site@School CVE-2006-4918 (Multiple PHP remote file inclusion vulnerabilities in Simple Discussio ...) NOT-FOR-US: Simple Discussion Board CVE-2006-4917 (Cross-site scripting (XSS) vulnerability in search.php in PT News 1.7. ...) NOT-FOR-US: PT News CVE-2006-4916 (SQL injection vulnerability in uye_profil.asp in Tekman Portal (TR) 1. ...) NOT-FOR-US: Tekman Portal CVE-2006-4915 (Cross-site scripting (XSS) vulnerability in index.php in Innovate Port ...) NOT-FOR-US: Innovate Portal CVE-2006-4914 (Directory traversal vulnerability in A.l-Pifou 1.8p2 allows remote att ...) NOT-FOR-US: A.l-Pifou CVE-2006-4913 (Directory traversal vulnerability in chat/getStartOptions.php in Alstr ...) NOT-FOR-US: AlstraSoft E-friends CVE-2006-4912 (PHP remote file inclusion vulnerability in PHP DocWriter 0.3 and earli ...) NOT-FOR-US: PHP DocWriter CVE-2006-4911 (Unspecified vulnerability in Cisco IPS 5.0 before 5.0(6p2) and 5.1 bef ...) NOT-FOR-US: Cisco CVE-2006-4910 (The web administration interface (mainApp) to Cisco IDS before 4.1(5c) ...) NOT-FOR-US: Cisco CVE-2006-4909 (Cross-site scripting (XSS) vulnerability in Cisco Guard DDoS Mitigatio ...) NOT-FOR-US: Cisco CVE-2006-4908 (OSU 3.11alpha and 3.10a allows remote attackers to obtain sensitive in ...) NOT-FOR-US: OSU CVE-2006-4907 (OSU 3.11alpha and 3.10a allows remote attackers to obtain sensitive in ...) NOT-FOR-US: OSU CVE-2006-4906 (SQL injection vulnerability in modules/calendar/week.php in More.group ...) NOT-FOR-US: More.groupware CVE-2006-4905 (PHP remote file inclusion vulnerability in index.php in Artmedic Links ...) NOT-FOR-US: Artmedic Links CVE-2006-4904 (Dynamic variable evaluation vulnerability in cmpi.php in Qualiteam X-C ...) NOT-FOR-US: X-Cart CVE-2006-4903 RESERVED CVE-2006-4902 (The NetBackup bpcd daemon (bpcd.exe) in Symantec Veritas NetBackup 5.0 ...) NOT-FOR-US: Symantec Veritas NetBackup CVE-2006-4901 (Computer Associates (CA) eTrust Security Command Center 1.0 and r8 up ...) NOT-FOR-US: CA eTrust CVE-2006-4900 (Directory traversal vulnerability in Computer Associates (CA) eTrust S ...) NOT-FOR-US: CA eTrust CVE-2006-4899 (The ePPIServlet script in Computer Associates (CA) eTrust Security Com ...) NOT-FOR-US: CA eTrust CVE-2006-4898 (PHP remote file inclusion vulnerability in include/phpxd/phpXD.php in ...) NOT-FOR-US: guanxiCRM CVE-2006-4897 (CMtextS 1.0 and earlier stores users_logins/admin.txt under the web do ...) NOT-FOR-US: CMtextS CVE-2006-4896 REJECTED CVE-2006-4895 (IDevSpot NexieAffiliate 1.9 and earlier allows remote attackers to del ...) NOT-FOR-US: IDevSpot NexieAffiliate CVE-2006-4894 (Cross-site scripting (XSS) vulnerability in forms/lostpassword.php in ...) NOT-FOR-US: IDevSpot NexieAffiliate CVE-2006-4893 (PHP remote file inclusion vulnerability in bb_usage_stats/includes/bb_ ...) NOT-FOR-US: phpBB XS CVE-2006-4892 (SQL injection vulnerability in faqview.asp in Techno Dreams FAQ Manage ...) NOT-FOR-US: Techno Dreams FAQ CVE-2006-4891 (SQL injection vulnerability in ArticlesTableview.asp in Techno Dreams ...) NOT-FOR-US: Techno Dreams CVE-2006-4890 (Multiple PHP remote file inclusion vulnerabilities in UNAK-CMS 1.5 and ...) NOT-FOR-US: UNAK-CMS CVE-2006-4889 (Multiple PHP remote file inclusion vulnerabilities in Telekorn SignKor ...) NOT-FOR-US: Telekorn SignKorn Guestbook CVE-2006-4888 (Microsoft Internet Explorer 6 and earlier allows remote attackers to c ...) NOT-FOR-US: Microsoft CVE-2006-4887 (Apple Remote Desktop (ARD) for Mac OS X 10.2.8 and later does not drop ...) NOT-FOR-US: Apple CVE-2006-4886 (The VirusScan On-Access Scan component in McAfee VirusScan Enterprise ...) NOT-FOR-US: McAfee CVE-2006-4885 (PHP remote file inclusion vulnerability in Shadowed Portal 5.599 and e ...) NOT-FOR-US: Shadowed Portal CVE-2006-4884 (Multiple cross-site scripting (XSS) vulnerabilities in IDevSpot iSuppo ...) NOT-FOR-US: IDevSpot iSupport CVE-2006-4883 (Multiple cross-site scripting (XSS) vulnerabilities in IDevSpot BizDir ...) NOT-FOR-US: IDevSpot BizDirectory CVE-2006-4882 (SQL injection vulnerability in Review.asp in Julian Roberts Charon Car ...) NOT-FOR-US: Cart 3 CVE-2006-4881 (Multiple cross-site scripting (XSS) vulnerabilities in David Bennett P ...) NOT-FOR-US: PHP-Post (PHPp) CVE-2006-4880 (David Bennett PHP-Post (PHPp) 1.0 and earlier allows remote attackers ...) NOT-FOR-US: PHP-Post (PHPp) CVE-2006-4879 (SQL injection vulnerability in profile.php in David Bennett PHP-Post ( ...) NOT-FOR-US: PHP-Post (PHPp) CVE-2006-4878 (Directory traversal vulnerability in footer.php in David Bennett PHP-P ...) NOT-FOR-US: PHP-Post (PHPp) CVE-2006-4877 (Variable overwrite vulnerability in David Bennett PHP-Post (PHPp) 1.0 ...) NOT-FOR-US: PHP-Post (PHPp) CVE-2006-4876 (Multiple SQL injection vulnerabilities in Jupiter CMS allow remote att ...) NOT-FOR-US: Jupiter CMS CVE-2006-4875 (Unrestricted file upload vulnerability in modules/galleryuploadfunctio ...) NOT-FOR-US: Jupiter CMS CVE-2006-4874 (Multiple cross-site scripting (XSS) vulnerabilities in Jupiter CMS all ...) NOT-FOR-US: Jupiter CMS CVE-2006-4873 (Jupiter CMS allows remote attackers to obtain sensitive information vi ...) NOT-FOR-US: Jupiter CMS CVE-2006-4872 (SQL injection vulnerability in search.asp in Keyvan1 (aka Keyvan Jangh ...) NOT-FOR-US: ECardPro CVE-2006-4871 (SQL injection vulnerability in search_run.asp in Keyvan1 (aka Keyvan J ...) NOT-FOR-US: EShoppingPro CVE-2006-4870 (Multiple PHP remote file inclusion vulnerabilities in AEDating 4.1, an ...) NOT-FOR-US: AEDating CVE-2006-4869 (PHP remote file inclusion vulnerability in phpunity-postcard.php in ph ...) NOT-FOR-US: phpunity.postcard CVE-2006-4868 (Stack-based buffer overflow in the Vector Graphics Rendering engine (v ...) NOT-FOR-US: Microsoft CVE-2006-4867 (SQL injection vulnerability in mods.php in GNUTurk 2G and earlier allo ...) NOT-FOR-US: GNUTurk CVE-2006-4866 (Buffer overflow in kextload in Apple OS X, as used by TDIXSupport in R ...) NOT-FOR-US: Apple CVE-2006-4865 (Walter Beschmout PhpQuiz allows remote attackers to obtain sensitive i ...) NOT-FOR-US: PhpQuiz CVE-2006-4864 (PHP remote file inclusion vulnerability in index.php in All Enthusiast ...) NOT-FOR-US: ReviewPost CVE-2006-4863 NOT-FOR-US: mcLinksCounter CVE-2006-4862 (SQL injection vulnerability in default.aspx in easypage allows remote ...) NOT-FOR-US: easypage CVE-2006-4861 (SQL injection vulnerability in loginprocess.asp in Mohammed Mehdi Panj ...) NOT-FOR-US: Complain Center CVE-2006-4860 (Multiple unspecified vulnerabilities in (1) index.php, (2) minixml.inc ...) NOT-FOR-US: Limbo CVE-2006-4859 (Unrestricted file upload vulnerability in contact.html.php in the Cont ...) NOT-FOR-US: Limbo CVE-2006-4858 (PHP remote file inclusion vulnerability in install.serverstat.php in t ...) NOT-FOR-US: Serverstat (com_serverstat) component for Mambo CVE-2006-4857 (SQL injection vulnerability in default.asp (aka the login page) in Cli ...) NOT-FOR-US: ClickBlog CVE-2006-4856 (Multiple cross-site scripting (XSS) vulnerabilities in Roller WebLogge ...) NOT-FOR-US: WebLogger CVE-2006-4855 (The \Device\SymEvent driver in Symantec Norton Personal Firewall 2006 ...) NOT-FOR-US: Symantec CVE-2006-4854 REJECTED CVE-2006-4853 (SQL injection vulnerability in kategorix.asp in Haberx 1.02 through 1. ...) NOT-FOR-US: Haberx CVE-2006-4852 (SQL injection vulnerability in browse.asp in QuadComm Q-Shop 3.5 allow ...) NOT-FOR-US: QuadComm Q-Shop CVE-2006-4851 (PHP remote file inclusion vulnerability in system/_b/contentFiles/gBHT ...) NOT-FOR-US: BolinOS CVE-2006-4850 (PHP remote file inclusion vulnerability in system/_b/contentFiles/gBIn ...) NOT-FOR-US: BolinOS CVE-2006-4849 (PHP remote file inclusion vulnerability in header.php in MobilePublish ...) NOT-FOR-US: MobilePublisherPHP CVE-2006-4848 NOT-FOR-US: Hitweb CVE-2006-4847 (Multiple buffer overflows in Ipswitch WS_FTP Server 5.05 before Hotfix ...) NOT-FOR-US: WS_FTP CVE-2006-4846 (Unspecified vulnerability in Citrix Access Gateway with Advanced Acces ...) NOT-FOR-US: Citrix CVE-2006-4845 (PHP remote file inclusion vulnerability in includes/footer.html.inc.ph ...) NOT-FOR-US: TeamCal CVE-2006-4844 (PHP remote file inclusion vulnerability in inc/claro_init_local.inc.ph ...) NOT-FOR-US: Claroline CVE-2006-4843 (Cross-site scripting (XSS) vulnerability in the Active Content Filter ...) NOT-FOR-US: IBM Lotus Domino CVE-2006-4842 (The Netscape Portable Runtime (NSPR) API 4.6.1 and 4.6.2, as used in S ...) - xulrunner 1.8.0.9-1 (low; bug #405062) [sarge] - mozilla (Minor issue) NOTE: could not find setuid binary in sid, but evolution-data-server has a setgid mail binary NOTE: see https://bugzilla.mozilla.org/show_bug.cgi?id=351470 CVE-2006-4841 RESERVED CVE-2006-4840 REJECTED CVE-2006-4839 (Sophos Anti-Virus 5.1 allows remote attackers to cause a denial of ser ...) NOT-FOR-US: Sophos CVE-2006-4838 (Multiple cross-site scripting (XSS) vulnerabilities in DCP-Portal SE 6 ...) NOT-FOR-US: DCP-Portal CVE-2006-4837 (Multiple PHP remote file inclusion vulnerabilities in DCP-Portal SE 6. ...) NOT-FOR-US: DCP-Portal CVE-2006-4836 (SQL injection vulnerability in login.php in DCP-Portal SE 6.0 allows r ...) NOT-FOR-US: DCP-Portal CVE-2006-4835 (Bluview Blue Magic Board (BMB) (aka BMForum) 5.5 allows remote attacke ...) NOT-FOR-US: Blue Magic Board (BMB) (aka BMForum) CVE-2006-4834 (PHP remote file inclusion vulnerability in index.php in Jule Slootbeek ...) NOT-FOR-US: phpQuiz CVE-2006-4833 (Verso NetPerformer FRAD ACT SDM-95xx 7.xx (R1) and earlier, SDM-93xx 1 ...) NOT-FOR-US: NetPerformer CVE-2006-4832 (Buffer overflow in the telnet service in Verso NetPerformer FRAD ACT S ...) NOT-FOR-US: NetPerformer CVE-2006-4831 (Unspecified vulnerability in IP over DNS is now easy (iodine) before 0 ...) NOT-FOR-US: IP over DNS is now easy (iodine) CVE-2006-4830 (Directory traversal vulnerability in EditBlogTemplatesPlugin.java in D ...) NOT-FOR-US: Blojsom CVE-2006-4829 (Multiple cross-site scripting (XSS) vulnerabilities in David Czarnecki ...) NOT-FOR-US: Blojsom CVE-2006-4828 (PHP remote file inclusion vulnerability in zipndownload.php in PhotoPo ...) NOT-FOR-US: PhotoPost CVE-2006-4827 (Multiple PHP remote file inclusion vulnerabilities in Vmist Downstat 1 ...) NOT-FOR-US: Vmist Downstat CVE-2006-4826 (PHP remote file inclusion vulnerability in bottom.php in Shadowed Port ...) NOT-FOR-US: Shadowed Portal CVE-2006-4825 (Multiple cross-site scripting (XSS) vulnerabilities in cl_files/index. ...) NOT-FOR-US: PHP Event Calendar CVE-2006-4824 (PHP remote file inclusion vulnerability in lib/activeutil.php in Quick ...) NOT-FOR-US: Quicksilver Forums (QSF) CVE-2006-4823 (PHP remote file inclusion vulnerability in scripts/news_page.php in Re ...) NOT-FOR-US: Magic News CVE-2006-4822 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in eM ...) NOT-FOR-US: emuCMS CVE-2006-4821 (Cross-site scripting (XSS) vulnerability in the Drupal 4.7 Userreview ...) NOT-FOR-US: Drupal Userreview module CVE-2006-4820 (Unspecified vulnerability in X.25 on HP-UX B.11.00, B.11.11, and B.11. ...) NOT-FOR-US: HP-UX CVE-2006-4819 (Heap-based buffer overflow in Opera 9.0 and 9.01 allows remote attacke ...) NOT-FOR-US: Opera CVE-2006-4818 RESERVED CVE-2006-4817 RESERVED CVE-2006-4816 RESERVED CVE-2006-4815 RESERVED CVE-2006-4814 (The mincore function in the Linux kernel before 2.4.33.6 does not prop ...) {DSA-1503-2 DSA-1503-1 DSA-1304} - linux-2.6 2.6.18.dfsg.1-9 (low) - kernel-patch-openvz 028.18.1 CVE-2006-4813 (The __block_prepare_write function in fs/buffer.c for Linux kernel 2.6 ...) {DSA-1233} - linux-2.6 2.6.13-1 CVE-2006-4812 (Integer overflow in PHP 5 up to 5.1.6 and 4 before 4.3.0 allows remote ...) - php4 - php5 5.1.6-5 (bug #391586) CVE-2006-4811 (Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 bef ...) {DSA-1200-1} - qt-x11-free 3:3.3.7-1 (bug #394192; bug #394313) - qt4-x11 4.2.1-1 (bug #394192) CVE-2006-4810 (Buffer overflow in the readline function in util/texindex.c, as used b ...) {DSA-1219} - texinfo 4.8.dfsg.1-4 CVE-2006-4809 (Stack-based buffer overflow in loader_pnm.c in imlib2 before 1.2.1, an ...) - imlib2 1.3.0.0debian1-3 (medium; bug #397371) CVE-2006-4808 (Heap-based buffer overflow in loader_tga.c in imlib2 before 1.2.1, and ...) - imlib2 1.3.0.0debian1-3 (medium; bug #397371) CVE-2006-4807 (loader_tga.c in imlib2 before 1.2.1, and possibly other versions, allo ...) - imlib2 1.3.0.0debian1-3 (medium; bug #397371) CVE-2006-4806 (Multiple integer overflows in imlib2 allow user-assisted remote attack ...) - imlib2 1.3.0.0debian1-3 (medium; bug #397371) CVE-2006-4805 (epan/dissectors/packet-xot.c in the XOT dissector (dissect_xot_pdu) in ...) {DSA-1201-1} - wireshark 0.99.4-1 (bug #396258; medium) CVE-2006-4804 RESERVED CVE-2006-4803 (The Fan-Out Linux and UNIX receiver scripts in Novell Identity Manager ...) NOT-FOR-US: Novell Identity Manager CVE-2006-4802 (Format string vulnerability in the Real Time Virus Scan service in Sym ...) NOT-FOR-US: Symantec CVE-2006-4801 (Race condition in Deja Vu, as used in Roxio Toast Titanium 7 and possi ...) NOT-FOR-US: Roxio Toast CVE-2006-4800 (Multiple buffer overflows in libavcodec in ffmpeg before 0.4.9_p200605 ...) {DSA-1215} - ffmpeg 0.cvs20060329-1 - xmovie - xine-lib 1.1.2-1 - gst-ffmpeg 0.8.7-7 (medium; bug #401304) - gstreamer0.10-ffmpeg 0.10.1-3 (medium; bug #401311) - mplayer 1.0~rc1-1 NOTE: according to the changelog, libxine (starting from 1.1.2-4) links dynamically against ffmpeg CVE-2006-4799 (Buffer overflow in ffmpeg for xine-lib before 1.1.2 might allow contex ...) {DSA-1215} - xine-lib 1.1.2-1 (bug #369876; medium) NOTE: according to the changelog, libxine (starting from 1.1.2-4) links dynamically against ffmpeg CVE-2006-4798 (SQL-Ledger before 2.4.4 stores a password in a query string, which mig ...) - sql-ledger 2.4.5-1 CVE-2006-4797 (Cross-site scripting (XSS) vulnerability in tag.php in CloudNine Inter ...) NOT-FOR-US: CJ Tag Board CVE-2006-4796 (Cross-site scripting (XSS) vulnerability in forum.asp in Snitz Forums ...) NOT-FOR-US: Snitz Forums CVE-2006-4795 (Unspecified vulnerability in the Address and Routing Parameter Area (A ...) NOT-FOR-US: HP-UX CVE-2006-4794 (Multiple cross-site scripting (XSS) vulnerabilities in e107 0.7.5 allo ...) NOT-FOR-US: e107 CVE-2006-4793 (Multiple SQL injection vulnerabilities in icerik.asp in TualBLOG 1.0 a ...) NOT-FOR-US: TualBLOG CVE-2004-2665 (Unspecified vulnerability in the Address and Routing Parameter Area (A ...) NOT-FOR-US: HP-UX CVE-2006-5778 (ftpd in linux-ftpd 0.17, and possibly other versions, performs a chdir ...) {DSA-1217} - linux-ftpd 0.17-23 (low; bug #384454) CVE-2006-XXXX [ejabberd HTML code injection] - ejabberd 1.1.1-8 CVE-2006-4792 RESERVED CVE-2006-4791 RESERVED CVE-2006-4789 (Buffer overflow in Open Movie Editor 0.0.20060901 allows local users t ...) NOT-FOR-US: Open Movie Editor CVE-2006-4788 (PHP remote file inclusion vulnerability in includes/log.inc.php in Tel ...) NOT-FOR-US: SignKorn Guestbook CVE-2006-4787 (AlphaMail before 1.0.16 allows local users to obtain sensitive informa ...) NOT-FOR-US: AlphaMail CVE-2006-4786 (Moodle 1.6.1 and earlier allows remote attackers to obtain sensitive i ...) - moodle 1.6.2-1 (low) CVE-2006-4785 (SQL injection vulnerability in blog/edit.php in Moodle 1.6.1 and earli ...) - moodle 1.6.2-1 (medium; bug #387177) CVE-2006-4784 (Multiple cross-site scripting (XSS) vulnerabilities in Moodle 1.6.1 an ...) - moodle 1.6.2-1 (low) CVE-2006-4783 (SQL injection vulnerability in squads.php in WebSPELL 4.01.01 and earl ...) NOT-FOR-US: WebSPELL CVE-2006-4782 (src/index.php in WebSPELL 4.01.01 and earlier, when register_globals i ...) NOT-FOR-US: WebSPELL CVE-2006-4781 (Heap-based buffer overflow in FutureSoft TFTP Server Multithreaded (MT ...) NOT-FOR-US: FutureSoft TFTP Server CVE-2006-4780 (PHP remote file inclusion vulnerability in includes/functions.php in p ...) NOT-FOR-US: phpBB XS CVE-2006-4779 (PHP remote file inclusion vulnerability in includes/functions_portal.p ...) NOT-FOR-US: Vitrax Premodded phpBB CVE-2006-4778 (SQL injection vulnerability in Creative Commons Tools ccHost before 3. ...) NOT-FOR-US: Creative Commons Tools ccHost CVE-2006-4777 (Heap-based buffer overflow in the DirectAnimation Path Control (Direct ...) NOT-FOR-US: DirectAnimation.PathControl CVE-2006-4776 (Heap-based buffer overflow in the VLAN Trunking Protocol (VTP) feature ...) NOT-FOR-US: Cisco CVE-2006-4775 (The VLAN Trunking Protocol (VTP) feature in Cisco IOS 12.1(19) and Cat ...) NOT-FOR-US: Cisco CVE-2006-4774 (The VLAN Trunking Protocol (VTP) feature in Cisco IOS 12.1(19) allows ...) NOT-FOR-US: Cisco CVE-2006-4773 (Sun StorEdge 6130 Array Controllers with firmware 06.12.10.11 and earl ...) NOT-FOR-US: Sun StorEdge CVE-2006-4772 (HotPlug CMS stores sensitive information under the web root with insuf ...) NOT-FOR-US: HotPlug CMS CVE-2006-4771 (Cross-site scripting (XSS) vulnerability in haut.php in ForumJBC 4 all ...) NOT-FOR-US: ForumJBC CVE-2006-4770 (PHP remote file inclusion vulnerability in menu.php in MiniPort@l 2.0 ...) NOT-FOR-US: MiniPort@l CVE-2006-4769 (PHP remote file inclusion vulnerability in abf_js.php in p4CMS 1.05 al ...) NOT-FOR-US: p4CMS CVE-2006-4768 (Multiple direct static code injection vulnerabilities in add_go.php in ...) NOT-FOR-US: Stefan Ernst Newsscript (aka WM-News) CVE-2006-4767 (Multiple directory traversal vulnerabilities in Stefan Ernst Newsscrip ...) NOT-FOR-US: Stefan Ernst Newsscript (aka WM-News) CVE-2006-4766 (Directory traversal vulnerability in print.php in Stefan Ernst Newsscr ...) NOT-FOR-US: Stefan Ernst Newsscript (aka WM-News) CVE-2006-4765 (NETGEAR DG834GT Wireless ADSL router running firmware 1.01.28 allows a ...) NOT-FOR-US: NETGEAR CVE-2006-4764 (PHP remote file inclusion vulnerability in common.php in Thomas LETE W ...) NOT-FOR-US: WTools CVE-2006-4763 (IBM Lotus Domino Web Access (DWA) 7.0.1 does not expire a client's Lig ...) NOT-FOR-US: IBM Lotus Domino Web Access CVE-2006-4762 (Multiple cross-site scripting (XSS) vulnerabilities in Ykoon RssReader ...) NOT-FOR-US: Ykoon RssReader CVE-2006-4761 (Multiple cross-site scripting (XSS) vulnerabilities in Luke Hutteman S ...) NOT-FOR-US: SharpReader CVE-2006-4760 (Multiple cross-site scripting (XSS) vulnerabilities in Benjamin Pasero ...) NOT-FOR-US: RSSOwl CVE-2006-4759 (PunBB 1.2.12 does not properly handle an avatar directory pathname end ...) NOT-FOR-US: PunBB CVE-2006-4758 (phpBB 2.0.21 does not properly handle pathnames ending in %00, which a ...) {DSA-1488-1} - phpbb2 2.0.21-4 (bug #388120; unimportant) NOTE: Only exploitable by admins, which you'd need to trust CVE-2006-4757 (Multiple SQL injection vulnerabilities in the admin section in e107 0. ...) NOT-FOR-US: e107 CVE-2006-4756 (SQL injection vulnerability in alpha.php in phpMyDirectory 10.4.6 and ...) NOT-FOR-US: phpMyDirectory CVE-2006-4755 (Cross-site scripting (XSS) vulnerability in alpha.php in phpMyDirector ...) NOT-FOR-US: phpMyDirectory CVE-2006-4754 (Cross-site scripting (XSS) vulnerability in index.php in PHProg before ...) NOT-FOR-US: PHProg CVE-2006-4753 (Directory traversal vulnerability in index.php in PHProg before 1.1 al ...) NOT-FOR-US: PHProg CVE-2006-4752 (Laurentiu Matei eXpandable Home Page (XHP) CMS 0.5.1 allows remote att ...) NOT-FOR-US: Laurentiu Matei eXpandable Home Page (XHP) CMS CVE-2006-4751 (Cross-site scripting (XSS) vulnerability in index.php in Laurentiu Mat ...) NOT-FOR-US: Laurentiu Matei eXpandable Home Page (XHP) CMS CVE-2006-4750 (PHP remote file inclusion vulnerability in openi-admin/base/fileloader ...) NOT-FOR-US: OPENi-CMS CVE-2006-4749 (Multiple PHP remote file inclusion vulnerabilities in PHP Advanced Tra ...) NOT-FOR-US: PHP Advanced Transfer Manager (phpATM) CVE-2006-4748 (Multiple SQL injection vulnerabilities in F-ART BLOG:CMS 4.1 allow rem ...) NOT-FOR-US: F-ART BLOG:CMS CVE-2006-4747 (Multiple cross-site scripting (XSS) vulnerabilities in IdevSpot TextAd ...) NOT-FOR-US: IdevSpot TextAds CVE-2006-4746 (PHP remote file inclusion vulnerability in news/include/customize.php ...) NOT-FOR-US: Web Server Creator CVE-2006-4745 (ScaryBear PocketExpense Pro 3.9.1 uses an internally recorded key to p ...) NOT-FOR-US: ScaryBear PocketExpense Pro CVE-2006-4744 (Abidia (1) O-Anywhere and (2) Abidia Wireless transmit authentication ...) NOT-FOR-US: Abidia (1) O-Anywhere and (2) Abidia Wireless CVE-2006-4743 (WordPress 2.0.2 through 2.0.5 allows remote attackers to obtain sensit ...) - wordpress 2.0.5-0.1 (unimportant) NOTE: path disclosure only CVE-2006-4742 (Cross-site scripting (XSS) vulnerability in user_add.php in IDevSpot P ...) NOT-FOR-US: PhpLinkExchange CVE-2006-4741 (PHP remote file inclusion vulnerability in bits_listings.php in IDevSp ...) NOT-FOR-US: PhpLinkExchange CVE-2006-4740 (Jetbox CMS allows remote attackers to obtain sensitive information via ...) NOT-FOR-US: Jetbox CMS CVE-2006-4739 (Multiple cross-site scripting (XSS) vulnerabilities in Jetbox CMS allo ...) NOT-FOR-US: Jetbox CMS CVE-2006-4738 (PHP remote file inclusion vulnerability in phpthumb.php in Jetbox CMS ...) NOT-FOR-US: Jetbox CMS CVE-2006-4737 (SQL injection vulnerability in index.php in Jetbox CMS allows remote a ...) NOT-FOR-US: Jetbox CMS CVE-2006-4736 (Multiple SQL injection vulnerabilities in index.php in CMS.R. 5.5 allo ...) NOT-FOR-US: CMS.R CVE-2006-4735 (Kellan Elliott-McCrea MagpieRSS allows remote attackers to obtain sens ...) - magpierss (unimportant) NOTE: path disclosure only CVE-2006-4734 (Multiple SQL injection vulnerabilities in tiki-g-admin_processes.php i ...) - tikiwiki 1.9.5+dfsg1-2 (medium; bug #388122) CVE-2006-4733 (PHP remote file inclusion vulnerability in sipssys/code/box.inc.php in ...) NOT-FOR-US: simple, integrated publishing system (SIPS) CVE-2006-4732 (Unspecified vulnerability in Microsoft Visual Basic (VB) 6 has an unkn ...) NOT-FOR-US: Microsoft CVE-2002-2218 (CRLF injection vulnerability in the setUserValue function in sipssys/c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1241 (Unspecified vulnerability in Haakon Nilsen simple, integrated publishi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2006-4731 (Multiple directory traversal vulnerabilities in (1) login.pl and (2) a ...) {DSA-1239-1} - sql-ledger 2.6.19-1 CVE-2006-4730 RESERVED CVE-2006-4729 RESERVED CVE-2006-4728 RESERVED CVE-2006-4727 (Cross-site scripting (XSS) vulnerability in emfadmin/statusView.do in ...) NOT-FOR-US: Tumbleweed EMF Administration Module CVE-2006-4726 (Cross-site scripting (XSS) vulnerability in Adobe ColdFusion MX 6.1 th ...) NOT-FOR-US: Adobe CVE-2006-4725 (Adobe ColdFusion MX 7 and 7.01 allows local users to bypass security r ...) NOT-FOR-US: Adobe CVE-2006-4724 (Unspecified vulnerability in the ColdFusion Flash Remoting Gateway in ...) NOT-FOR-US: Adobe CVE-2006-4723 (PHP remote file inclusion vulnerability in raidenhttpd-admin/slice/che ...) NOT-FOR-US: RaidenHTTPD CVE-2006-4722 (PHP remote file inclusion vulnerability in Open Bulletin Board (OpenBB ...) NOT-FOR-US: Open Bulletin Board (OpenBB) CVE-2006-4721 (Directory traversal vulnerability in admin.php in CCleague Pro Sports ...) NOT-FOR-US: CCleague Pro Sports CMS CVE-2006-4720 (PHP remote file inclusion vulnerability in random2.php in mcGalleryPRO ...) NOT-FOR-US: mcGalleryPRO CVE-2006-4719 (Multiple PHP remote file inclusion vulnerabilities in MyABraCaDaWeb 1. ...) NOT-FOR-US: MyABraCaDaWeb CVE-2006-4718 (Multiple cross-site scripting (XSS) vulnerabilities in livre_or.php in ...) NOT-FOR-US: KorviBlog CVE-2006-4717 (The login redirection mechanism in the Drupal 4.7 Pubcookie module bef ...) NOT-FOR-US: Pubcookie module for Drupal CVE-2006-4716 (PHP remote file inclusion vulnerability in demarrage.php in Fire Soft ...) NOT-FOR-US: Fire Soft Board (FSB) CVE-2006-4715 (SQL injection vulnerability in pdf_version.php in SpoonLabs Vivvo Arti ...) NOT-FOR-US: SpoonLabs Vivvo Article Management CMS CVE-2006-4714 (PHP remote file inclusion vulnerability in index.php in SpoonLabs Vivv ...) NOT-FOR-US: SpoonLabs Vivvo Article Management CMS CVE-2006-4713 (PHP remote file inclusion vulnerability in config.php in PSYWERKS PUMA ...) NOT-FOR-US: PSYWERKS PUMA CVE-2006-4712 (Multiple cross-site scripting (XSS) vulnerabilities in Sage 1.3.6 allo ...) - firefox-sage 1.3.6-3 (bug #388149; medium) CVE-2006-4711 (Multiple cross-site scripting (XSS) vulnerabilities in Sage allow remo ...) - firefox-sage 1.3.6-3 (bug #388149; medium) CVE-2006-4710 (Multiple cross-site scripting (XSS) vulnerabilities in NewsGator FeedD ...) NOT-FOR-US: NewsGator FeedDemon CVE-2006-4709 (SQL injection vulnerability in topic.php in Vikingboard 0.1b allows re ...) NOT-FOR-US: Vikingboard CVE-2006-4708 (Multiple cross-site scripting (XSS) vulnerabilities in Vikingboard 0.1 ...) NOT-FOR-US: Vikingboard CVE-2006-4707 (Cross-site scripting (XSS) vulnerability in admin/global.php (aka the ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-4706 (Cross-site scripting (XSS) vulnerability in inc/functions_post.php in ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-4705 (SQL injection vulnerability in login.php in dwayner79 and Dominic Gamb ...) NOT-FOR-US: Timesheet (aka Timesheet.php) CVE-2006-4704 (Cross-zone scripting vulnerability in the WMI Object Broker (WMIScript ...) NOT-FOR-US: Microsoft CVE-2006-4703 REJECTED CVE-2006-4702 (Buffer overflow in the Windows Media Format Runtime in Microsoft Windo ...) NOT-FOR-US: Microsoft CVE-2006-4701 REJECTED CVE-2006-4700 REJECTED CVE-2006-4699 REJECTED CVE-2006-4698 REJECTED CVE-2006-4697 (Microsoft Internet Explorer 5.01, 6, and 7 uses certain COM objects fr ...) NOT-FOR-US: Microsoft CVE-2006-4696 (Unspecified vulnerability in the Server service in Microsoft Windows 2 ...) NOT-FOR-US: Microsoft CVE-2006-4695 (Unspecified vulnerability in certain COM objects in Microsoft Office W ...) NOT-FOR-US: Microsoft Office CVE-2006-4694 (Unspecified vulnerability in PowerPoint in Microsoft Office 2000, Offi ...) NOT-FOR-US: Microsoft CVE-2006-4693 (Unspecified vulnerability in Microsoft Word 2004 for Mac and v.X for M ...) NOT-FOR-US: Microsoft Word CVE-2006-4692 (Argument injection vulnerability in the Windows Object Packager (packa ...) NOT-FOR-US: Microsoft Word CVE-2006-4691 (Stack-based buffer overflow in the NetpManageIPCConnect function in th ...) NOT-FOR-US: Microsoft CVE-2006-4690 REJECTED CVE-2006-4689 (Unspecified vulnerability in the driver for the Client Service for Net ...) NOT-FOR-US: Microsoft CVE-2006-4688 (Buffer overflow in Client Service for NetWare (CSNW) in Microsoft Wind ...) NOT-FOR-US: Microsoft CVE-2006-4687 (Microsoft Internet Explorer 5.01 through 6 allows remote attackers to ...) NOT-FOR-US: Microsoft CVE-2006-4686 (Buffer overflow in the Extensible Stylesheet Language Transformations ...) NOT-FOR-US: Microsoft CVE-2006-4685 (The XMLHTTP ActiveX control in Microsoft XML Parser 2.6 and XML Core S ...) NOT-FOR-US: Microsoft CVE-2006-4684 (The docutils module in Zope (Zope2) 2.7.0 through 2.7.9 and 2.8.0 thro ...) {DSA-1176-1} - zope2.7 - zope2.8 2.8.8-2 CVE-2006-4683 (IBM Director before 5.10 allows remote attackers to obtain sensitive i ...) NOT-FOR-US: IBM Director CVE-2006-4682 (Multiple unspecified vulnerabilities in IBM Director before 5.10 allow ...) NOT-FOR-US: IBM Director CVE-2006-4681 (Directory traversal vulnerability in Redirect.bat in IBM Director befo ...) NOT-FOR-US: IBM Director CVE-2006-4680 (The Remote UI in Canon imageRUNNER includes usernames and passwords wh ...) NOT-FOR-US: Canon imageRUNNER CVE-2006-4679 (DokuWiki before 2006-03-09c enables the debug feature by default, whic ...) - dokuwiki 0.0.20060309-5.1 (low; bug #388082) CVE-2006-4678 (PHP remote file inclusion vulnerability in News Evolution 3.0.3 allows ...) NOT-FOR-US: News Evolution CVE-2006-4677 NOT-FOR-US: phpopenchat CVE-2006-4676 (TIBCO RendezVous 7.4.11 and earlier logs base64-encoded usernames and ...) NOT-FOR-US: TIBCO RendezVous CVE-2006-4675 (Unrestricted file upload vulnerability in lib/exe/media.php in DokuWik ...) - dokuwiki 0.0.20060309-5.1 (medium; bug #388082) CVE-2006-4674 (Direct static code injection vulnerability in doku.php in DokuWiki bef ...) - dokuwiki 0.0.20060309-5.1 (medium; bug #388082) CVE-2006-4673 (Global variable overwrite vulnerability in maincore.php in PHP-Fusion ...) NOT-FOR-US: PHP-Fusion CVE-2006-4672 (PHP remote file inclusion vulnerability in profitCode ppalCart 2.5 EE, ...) NOT-FOR-US: ppalCart CVE-2006-4671 (PHP remote file inclusion vulnerability in headlines.php in Fantastic ...) NOT-FOR-US: Fantastic News CVE-2006-4670 (Multiple PHP remote file inclusion vulnerabilities in PhotoKorn Galler ...) NOT-FOR-US: PhotoKorn Gallery CVE-2006-4669 (PHP remote file inclusion vulnerability in admin/system/include.php in ...) NOT-FOR-US: Somery CVE-2006-4668 (Cross-site scripting (XSS) vulnerability in index.php in Rob Hensley A ...) NOT-FOR-US: AckerTodo CVE-2006-4667 (Multiple SQL injection vulnerabilities in RunCMS 1.4.1 allow remote at ...) NOT-FOR-US: RunCMS CVE-2006-4666 (Multiple PHP remote file inclusion vulnerabilities in Stefan Ernst New ...) NOT-FOR-US: Newsscript (aka WM-News) CVE-2006-4665 (Cross-site scripting (XSS) vulnerability in index.php in MKPortal M1.1 ...) NOT-FOR-US: MKPortal CVE-2006-4664 (PHP remote file inclusion vulnerability in includes/functions_portal.p ...) NOT-FOR-US: Premod Shadow CVE-2006-4663 NOT-FOR-US: User problem CVE-2006-4662 (Heap-based buffer overflow in the MCRegEx__Search function in AOL ICQ ...) NOT-FOR-US: AOL ICQ CVE-2006-4661 (AOL ICQ Toolbar 1.3 for Internet Explorer (toolbaru.dll) does not prop ...) NOT-FOR-US: AOL ICQ Toolbar CVE-2006-4660 (Multiple cross-site scripting (XSS) vulnerabilities in the RSS Feed mo ...) NOT-FOR-US: AOL ICQ Toolbar CVE-2006-4659 (The Panda Platinum Internet Security 2006 10.02.01 and 2007 11.00.00 u ...) NOT-FOR-US: Panda Platinum Internet Security CVE-2006-4658 (Panda Platinum Internet Security 2006 10.02.01 and 2007 11.00.00 uses ...) NOT-FOR-US: Panda Platinum Internet Security CVE-2006-4657 (Panda Platinum Internet Security 2006 10.02.01 and 2007 11.00.00 store ...) NOT-FOR-US: Panda Platinum Internet Security CVE-2006-4656 (PHP remote file inclusion vulnerability in admin/editeur/spaw_control. ...) NOT-FOR-US: Web Provence SL_Site CVE-2006-4655 (Buffer overflow in the Strcmp function in the XKEYBOARD extension in X ...) NOT-FOR-US: X11R6.4 CVE-2006-4654 (Format string vulnerability in Easy Address Book Web Server 1.2 allows ...) NOT-FOR-US: Address Book Web Server CVE-2006-4653 ((1) Amazing Little Poll and (2) Amazing Little Picture Poll store sens ...) NOT-FOR-US: Amazing Little Poll CVE-2006-4652 ((1) Amazing Little Poll and (2) Amazing Little Picture Poll have a def ...) NOT-FOR-US: Amazing Little Poll CVE-2006-4651 (Directory traversal vulnerability in download/index.php, and possibly ...) NOT-FOR-US: Php download CVE-2006-4650 (Cisco IOS 12.0, 12.1, and 12.2, when GRE IP tunneling is used and the ...) NOT-FOR-US: Cisco CVE-2006-4649 (PHP remote file inclusion vulnerability in bp_news.php in BinGo News ( ...) NOT-FOR-US: BinGo News CVE-2006-4648 (PHP remote file inclusion vulnerability in bp_ncom.php in BinGo News ( ...) NOT-FOR-US: BinGo News CVE-2006-4647 (PHP remote file inclusion vulnerability in news.php in Sponge News 2.2 ...) NOT-FOR-US: Sponge News CVE-2006-4646 (Cross-site scripting (XSS) vulnerability in the Drupal 4.7 Pathauto mo ...) NOT-FOR-US: Drupal Pathauto module CVE-2006-4645 (PHP remote file inclusion vulnerability in akarru.gui/main_content.php ...) NOT-FOR-US: Social BookMarking Engine CVE-2006-4644 (PHP remote file inclusion vulnerability in modules/home.module.php in ...) NOT-FOR-US: phpFullAnnu CVE-2006-4643 (SQL injection vulnerability in consult/joueurs.php in Uni-Vert PhpLeag ...) NOT-FOR-US: PhpLeague CVE-2006-4642 (AuditWizard 6.3.2, when using "Remote Audit," logs the administrator p ...) NOT-FOR-US: AuditWizard CVE-2006-4641 (SQL injection vulnerability in kategori.asp in Muratsoft Haber Portal ...) NOT-FOR-US: Muratsoft Haber Portal CVE-2006-4640 (Unspecified vulnerability in Adobe Flash Player before 9.0.16.0 allows ...) - flashplugin-nonfree 7.0.68.0.1 [sarge] - flashplugin-nonfree (Contrib not supported) CVE-2006-4639 (Multiple PHP remote file inclusion vulnerabilities in C-News.fr C-News ...) NOT-FOR-US: C-News.fr C-News CVE-2006-4638 (PHP remote file inclusion vulnerability in article.php in ACGV News 0. ...) NOT-FOR-US: ACGV News CVE-2006-4637 (Multiple PHP remote file inclusion vulnerabilities in ACGV News 0.9.1 ...) NOT-FOR-US: ACGV News CVE-2006-4636 (Directory traversal vulnerability in SZEWO PhpCommander 3.0 and earlie ...) NOT-FOR-US: PhpCommander CVE-2006-4635 (Unspecified vulnerability in MySource Classic 2.14.6, and possibly ear ...) NOT-FOR-US: MySource Classic CVE-2006-4634 (Cross-site scripting (XSS) vulnerability in index.php in VBZooM allows ...) NOT-FOR-US: VBZooM CVE-2006-4633 (index.php in SoftBB 0.1, and possibly earlier, allows remote attackers ...) NOT-FOR-US: SoftBB CVE-2006-4632 (Multiple SQL injection vulnerabilities in SoftBB 0.1, and possibly ear ...) NOT-FOR-US: SoftBB CVE-2006-4631 (Direct static code injection vulnerability in admin/save_opt.php in So ...) NOT-FOR-US: SoftBB CVE-2006-4630 (PHP remote file inclusion vulnerability in jscript.php in Sky GUNNING ...) NOT-FOR-US: MySpeach CVE-2006-4629 (PHP remote file inclusion vulnerability in affichage/commentaires.php ...) NOT-FOR-US: C-News.fr C-News CVE-2006-4628 (Cross-site scripting (XSS) vulnerability in VCD-db before 0.983 allows ...) NOT-FOR-US: VCD-db CVE-2006-4627 (System Information ActiveX control (msinfo.dll), when accessed via Mic ...) NOT-FOR-US: System Information ActiveX control CVE-2006-4626 (Heap-based buffer overflow in alwil avast! Anti-virus Engine before 4. ...) NOT-FOR-US: avast! Anti-virus Engine CVE-2006-4625 (PHP 4.x up to 4.4.4 and PHP 5 up to 5.1.6 allows local users to bypass ...) - php4 4:4.4.4-1 (bug #391282; unimportant) - php5 5.2.0-1 (bug #391281; unimportant) NOTE: open_basedir violations not supported in Debian's PHP CVE-2006-4624 (CRLF injection vulnerability in Utils.py in Mailman before 2.1.9rc1 al ...) {DSA-1188-1} - mailman 1:2.1.8-3 CVE-2006-4623 (The Unidirectional Lightweight Encapsulation (ULE) decapsulation compo ...) {DSA-1304} - linux-2.6 2.6.18-1 CVE-2002-2217 (Multiple PHP remote file inclusion vulnerabilities in Web Server Creat ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2006-4790 (verify.c in GnuTLS before 1.4.4, when using an RSA key with exponent 3 ...) {DSA-1182-1} NOTE: GNUTLS-SA-2006-4 - gnutls13 1.4.4-1 (high) - gnutls12 (high) - gnutls11 (high) CVE-2006-XXXX [gnutls Adaptive Chosen Ciphertext Attack] NOTE: GNUTLS-SA-2006-3 (withdrawn) - gnutls13 1.4.3-1 (unimportant) - gnutls12 (unimportant) - gnutls11 (unimportant) CVE-2006-4622 (PHP remote file inclusion vulnerability in annonce.php in AnnonceV (ak ...) NOT-FOR-US: AnnonceV CVE-2006-4621 (PHP remote file inclusion vulnerability in settings.php in Pheap 1.2, ...) NOT-FOR-US: Pheap CVE-2006-4620 (The useredit_account.wdm module in Alt-N WebAdmin 3.2.5 running with M ...) NOT-FOR-US: Alt-N WebAdmin CVE-2006-4619 (The start update window in update.exe in Avira AntiVir PersonalEdition ...) NOT-FOR-US: Avira CVE-2006-4618 (PHP remote file inclusion vulnerability in adodb-postgres7.inc.php in ...) - libphp-adodb (vulnerable code seems to be In-link specific) - egroupware (vulnerable code seems to be In-link specific) - moodle (vulnerable code seems to be In-link specific) - phppgadmin (vulnerable code seems to be In-link specific) - gallery2 (vulnerable code seems to be In-link specific) - phpwiki (vulnerable code seems to be In-link specific) CVE-2006-4617 (Unrestricted file upload vulnerability in fileupload.html in vtiger CR ...) NOT-FOR-US: vtiger CRM CVE-2006-4616 (SMTP service in MailEnable Standard, Professional, and Enterprise befo ...) NOT-FOR-US: MailEnable CVE-2006-4615 (Shape Services IM+ Mobile Instant Messenger for Pocket PC 3.10 stores ...) NOT-FOR-US: Shape Services CVE-2006-4614 (PDAapps Verichat for Pocket PC 1.30bh stores usernames and passwords i ...) NOT-FOR-US: PDAapps Verichat CVE-2006-4613 (Multiple unspecified vulnerabilities in SnapGear before 3.1.4u1 allow ...) NOT-FOR-US: SnapGear CVE-2006-4612 (SQL injection vulnerability in ReplyNew.asp in ZIXForum 1.12 allows re ...) NOT-FOR-US: ZIXForum CVE-2006-4611 (Buffer overflow in the _tor_resolve function in dsocks.c in dsocks bef ...) NOT-FOR-US: dsocks CVE-2006-4610 (PHP remote file inclusion vulnerability in index.php in GrapAgenda 0.1 ...) NOT-FOR-US: GrapAgenda CVE-2006-4609 NOT-FOR-US: PHProjekt CVE-2006-4608 (Multiple cross-site scripting (XSS) vulnerabilities in Longino Jacome ...) NOT-FOR-US: php-Revista CVE-2006-4607 (admin/index.php in Longino Jacome php-Revista 1.1.2 allows remote atta ...) NOT-FOR-US: php-Revista CVE-2006-4606 (Multiple SQL injection vulnerabilities in Longino Jacome php-Revista 1 ...) NOT-FOR-US: php-Revista CVE-2006-4605 (PHP remote file inclusion vulnerability in index.php in Longino Jacome ...) NOT-FOR-US: php-Revista CVE-2006-4604 (PHP remote file inclusion vulnerability in LFXlib/access_manager.php i ...) NOT-FOR-US: Lanifex Database of Managed Objects (DMO) CVE-2006-4603 (NCH Swift Sound Web Dictate 1.02 allows remote attackers to bypass aut ...) NOT-FOR-US: Swift Sound Web Dictate CVE-2006-4601 (SQL injection vulnerability in index.php in Annuaire 1Two 2.2 allows r ...) NOT-FOR-US: 1Two CVE-2006-4600 (slapd in OpenLDAP before 2.3.25 allows remote authenticated users with ...) - openldap2.3 2.3.25-1 - openldap2.2 (low) - openldap2 (low) (slapd not built from this version) CVE-2006-4599 (SQL injection vulnerability in aut_verifica.inc.php in Autentificator ...) NOT-FOR-US: Autentificator CVE-2006-4598 (Multiple SQL injection vulnerabilities in links.php in ssLinks 1.22 al ...) NOT-FOR-US: ssLinks CVE-2006-4597 (SQL injection vulnerability in devam.asp in ICBlogger 2.0 and earlier ...) NOT-FOR-US: ICBlogger CVE-2006-4596 (PHP remote file inclusion in MyBace Light Skrip, when register_globals ...) NOT-FOR-US: MyBace Light Skrip CVE-2006-4595 (muforum (µforum) 0.4c stores membres/members.dat under the web do ...) NOT-FOR-US: muforum CVE-2006-4594 (Multiple PHP remote file inclusion vulnerabilities in PHP Advanced Tra ...) NOT-FOR-US: phpAtm CVE-2006-4593 (Cross-site scripting (XSS) vulnerability in index.php in SoftBB 0.1 an ...) NOT-FOR-US: SoftBB CVE-2006-4592 (Incomplete blacklist vulnerability in default.asp in 8pixel.net Simple ...) NOT-FOR-US: Simple Blog CVE-2006-4591 (Multiple PHP remote file inclusion vulnerabilities in AlstraSoft Templ ...) NOT-FOR-US: AltraSoft Template Seller CVE-2006-4590 (SQL injection vulnerability in admin/default.asp in Jetstat.com JS ASP ...) NOT-FOR-US: Jetstat.com JS ASP Faq Manager CVE-2006-4589 (PHP remote file inclusion vulnerability in 0_admin/modules/Wochenkarte ...) NOT-FOR-US: DynCMS CVE-2006-4588 (vtiger CRM 4.2.4, and possibly earlier, allows remote attackers to byp ...) NOT-FOR-US: vtiger CRM CVE-2006-4587 (Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 4.2. ...) NOT-FOR-US: vtiger CRM CVE-2006-4586 (The admin panel in Tr Forum 2.0 accepts a username and password hash f ...) NOT-FOR-US: Tr Forum CVE-2006-4585 (SQL injection vulnerability in admin/editer.php in Tr Forum 2.0 allows ...) NOT-FOR-US: Tr Forum CVE-2006-4584 (Tr Forum 2.0 allows remote attackers to bypass authentication and add ...) NOT-FOR-US: Tr Forum CVE-2006-4583 (Multiple PHP remote file inclusion vulnerabilities in FlashChat before ...) NOT-FOR-US: FlashChat CVE-2006-4582 (Cross-site request forgery (CSRF) vulnerability in The Address Book 1. ...) NOT-FOR-US: The Address Book CVE-2006-4581 (Unrestricted file upload vulnerability in The Address Book 1.04e valid ...) NOT-FOR-US: The Address Book CVE-2006-4580 (register.php in The Address Book 1.04e allows remote attackers to bypa ...) NOT-FOR-US: The Address Book CVE-2006-4579 (Directory traversal vulnerability in users.php in The Address Book 1.0 ...) NOT-FOR-US: The Address Book CVE-2006-4578 (export.php in The Address Book 1.04e writes username and password hash ...) NOT-FOR-US: The Address Book CVE-2006-4577 (Multiple cross-site scripting (XSS) vulnerabilities in The Address Boo ...) NOT-FOR-US: The Address Book CVE-2006-4576 (Cross-site scripting (XSS) vulnerability in The Address Book 1.04e all ...) NOT-FOR-US: The Address Book CVE-2006-4575 (Multiple SQL injection vulnerabilities in The Address Book 1.04e allow ...) NOT-FOR-US: The Address Book CVE-2006-4574 (Off-by-one error in the MIME Multipart dissector in Wireshark (formerl ...) - wireshark 0.99.4-1 (bug #396258; medium) CVE-2006-4573 (Multiple unspecified vulnerabilities in the "utf8 combining characters ...) {DSA-1202-1} - screen 4.0.3-0.1 (bug #395225; bug #395999; medium) CVE-2006-4572 (ip6_tables in netfilter in the Linux kernel before 2.6.16.31 allows re ...) - linux-2.6 2.6.18.dfsg.1-9 (medium) CVE-2006-4571 (Multiple unspecified vulnerabilities in Firefox before 1.5.0.7, Thunde ...) {DSA-1210 DSA-1192-1 DSA-1191-1} NOTE: MFSA-2006-64 - mozilla (high) - firefox 1.5.dfsg+1.5.0.7-1 (high) - thunderbird 1.5.0.7-1 (high) - xulrunner 1.8.0.7-1 (high) CVE-2006-4570 (Mozilla Thunderbird before 1.5.0.7 and SeaMonkey before 1.0.5, with "L ...) {DSA-1192-1 DSA-1191-1} NOTE: MFSA-2006-63 - thunderbird 1.5.0.7-1 - mozilla CVE-2006-4569 (The popup blocker in Mozilla Firefox before 1.5.0.7 opens the "blocked ...) NOTE: MFSA-2006-62 - firefox 1.5.dfsg+1.5.0.7-1 (low) - xulrunner 1.8.0.7-1 (low) - thunderbird 1.5.0.7-1 [sarge] - mozilla-firefox (Regression only affecting 1.5) CVE-2006-4568 (Mozilla Firefox before 1.5.0.7 and SeaMonkey before 1.0.5 allows remot ...) {DSA-1210 DSA-1192-1 DSA-1191-1} NOTE: MFSA-2006-61 - mozilla (low) - firefox 1.5.dfsg+1.5.0.7-1 (low) - xulrunner 1.8.0.7-1 (low) - thunderbird 1.5.0.7-1 CVE-2006-4567 (Mozilla Firefox before 1.5.0.7 and Thunderbird before 1.5.0.7 makes it ...) NOTE: MFSA-2006-58 - firefox 1.5.dfsg+1.5.0.7-1 (unimportant) - thunderbird 1.5.0.7-1 (unimportant) [sarge] - mozilla-firefox (unimportant) [sarge] - mozilla-thunderbird (unimportant) NOTE: The internal update mechanism is disabled in Debian CVE-2006-4566 (Mozilla Firefox before 1.5.0.7, Thunderbird before 1.5.0.7, and SeaMon ...) {DSA-1210 DSA-1192-1 DSA-1191-1} NOTE: MFSA-2006-57 - mozilla (high) - firefox 1.5.dfsg+1.5.0.7-1 (high) - thunderbird 1.5.0.7-1 (low) - xulrunner 1.8.0.7-1 (high) CVE-2006-4565 (Heap-based buffer overflow in Mozilla Firefox before 1.5.0.7, Thunderb ...) {DSA-1210 DSA-1192-1 DSA-1191-1} NOTE: MFSA-2006-57 - mozilla (high) - firefox 1.5.dfsg+1.5.0.7-1 (high) - xulrunner 1.8.0.7-1 (high) - thunderbird 1.5.0.7-1 (low) CVE-2006-4564 (SQL injection vulnerability in Sources/ManageBoards.php in Simple Mach ...) NOT-FOR-US: Simple Machines Forum CVE-2006-4563 (Cross-site scripting (XSS) vulnerability in the MyHeadlines before 4.3 ...) NOT-FOR-US: PHP-Nuke CVE-2006-4562 NOT-FOR-US: Symantec CVE-2006-4561 (Mozilla Firefox 1.5.0.6 allows remote attackers to execute arbitrary J ...) - xulrunner 1.8.0.7-1 (low) - firefox 1.5.dfsg+1.5.0.7-1 (low) [sarge] - mozilla (Mozilla products from Sarge no longer supported) [sarge] - mozilla-firefox (Mozilla products from Sarge no longer supported) CVE-2006-4560 (Internet Explorer 6 on Windows XP SP2 allows remote attackers to execu ...) NOT-FOR-US: Internet Explorer CVE-2006-4559 (Multiple PHP remote file inclusion vulnerabilities in Yet Another Comm ...) NOT-FOR-US: Yet Another Community System (YACS) CMS CVE-2006-4558 (DeluxeBB 1.06 and earlier, when run on the Apache HTTP Server with the ...) NOT-FOR-US: DeluxeBB CVE-2006-4557 NOT-FOR-US: Discloser CVE-2006-4556 NOT-FOR-US: JIM component for Mambo and Joomla! CVE-2006-4555 (Buffer overflow in the Retro64 / Miniclip CR64Loader ActiveX control a ...) NOT-FOR-US: Miniclip CR64Loader ActiveX control CVE-2006-4554 (Stack-based buffer overflow in the ReadFile function in the ZOO-proces ...) NOT-FOR-US: BeCubed Compression Plus CVE-2006-4553 (PHP remote file inclusion vulnerability in plugin.class.php in the com ...) NOT-FOR-US: com_comprofiler Components for Mambo and Joomla! CVE-2006-4552 (Cross-site scripting (XSS) vulnerability in CHXO Feedsplitter 2006-01- ...) NOT-FOR-US: CHXO Feedsplitter CVE-2006-4551 (Eval injection vulnerability in CHXO Feedsplitter 2006-01-21 allows re ...) NOT-FOR-US: CHXO Feedsplitter CVE-2006-4550 (Directory traversal vulnerability in CHXO Feedsplitter 2006-01-21 allo ...) NOT-FOR-US: CHXO Feedsplitter CVE-2006-4549 (CHXO Feedsplitter 2006-01-21 allows remote attackers to read the sourc ...) NOT-FOR-US: CHXO Feedsplitter CVE-2006-4548 (e107 0.75 and earlier does not properly unset variables when the input ...) NOTE: this should be fixed in PHP (CVE-2006-3017) CVE-2006-4547 (Lyris ListManager 8.95 allows remote authenticated users to obtain sen ...) NOT-FOR-US: Lyris ListManager CVE-2006-4546 (Lyris ListManager 8.95 allows remote authenticated users, who have adm ...) NOT-FOR-US: Lyris ListManager CVE-2006-4545 NOT-FOR-US: ModuleBased CMS Pre-Alpha CVE-2006-4544 (Multiple PHP remote file inclusion vulnerabilities in ExBB 1.9.1, when ...) NOT-FOR-US: ExBB CVE-2006-4543 (Cross-site scripting (XSS) vulnerability in index.php in HLStats 1.34 ...) NOT-FOR-US: HLStats CVE-2006-4542 (Webmin before 1.296 and Usermin before 1.226 do not properly handle a ...) {DSA-1199-1} - webmin (bug #391284) - usermin CVE-2006-4541 (RapDrv.sys in BlackICE PC Protection 3.6.cpn, cpj, cpiE, and possibly ...) NOT-FOR-US: BlackICE PC Protection CVE-2006-4540 (Cross-site scripting (XSS) vulnerability in learncenter.asp in Learn.c ...) NOT-FOR-US: Learn.com LearnCenter CVE-2006-4539 ((1) includes/widgets/module_company_tickets.php and (2) includes/widge ...) NOT-FOR-US: Cerberus Helpdesk CVE-2006-4538 (Linux kernel 2.6.17 and earlier, when running on IA64 or SPARC platfor ...) {DSA-1237 DSA-1233} - linux-2.6 2.6.17-9 CVE-2006-4537 (NET$SESSION_CONTROL.EXE in DECnet-Plus in OpenVMS ALPHA 7.3-2 and Alph ...) NOT-FOR-US: OpenVMS CVE-2006-4536 (SQL injection vulnerability in module/rejestracja.php in CMS Frogss 0. ...) NOT-FOR-US: CMS Frogss CVE-2006-4535 (The Linux kernel 2.6.17.10 and 2.6.17.11 and 2.6.18-rc5 allows local u ...) {DSA-1184-2 DSA-1183-1} - linux-2.6 2.6.18-1 CVE-2006-4534 (Unspecified vulnerability in Microsoft Word 2000, 2002, and Office 200 ...) NOT-FOR-US: Microsoft CVE-2006-4533 (Multiple PHP remote file inclusion vulnerabilities in Plume CMS 1.0.6 ...) NOT-FOR-US: Plume CMS CVE-2006-4532 (PHP remote file inclusion vulnerability in articles/article.php in Yet ...) NOT-FOR-US: Yet Another Community System (YACS) CMS CVE-2006-4531 (PHP remote file inclusion vulnerability in lib/config.php in Pheap CMS ...) NOT-FOR-US: Pheap CMS CVE-2006-4530 (Direct static code injection vulnerability in include/change.php in me ...) NOT-FOR-US: membrepass CVE-2006-4529 (SQL injection vulnerability in recherchemembre.php in membrepass 1.5. ...) NOT-FOR-US: membrepass CVE-2006-4528 (Multiple cross-site scripting (XSS) vulnerabilities in membrepass 1.5 ...) NOT-FOR-US: membrepass CVE-2006-4527 (includes/content/gateway.inc.php in CubeCart 3.0.12 and earlier, when ...) NOT-FOR-US: CubeCart CVE-2006-4526 (SQL injection vulnerability in includes/content/viewCat.inc.php in Cub ...) NOT-FOR-US: CubeCart CVE-2006-4525 (Cross-site scripting (XSS) vulnerability in CubeCart 3.0.12 and earlie ...) NOT-FOR-US: CubeCart CVE-2006-4524 (Multiple SQL injection vulnerabilities in login_verif.asp in Digiappz ...) NOT-FOR-US: Digiappz Freekot CVE-2006-4523 (The web-based management interface in 2Wire, Inc. HomePortal and Offic ...) NOT-FOR-US: 2Wire CVE-2006-4522 (Unspecified vulnerability in dtterm in IBM AIX 5.2 and 5.3 allows loca ...) NOT-FOR-US: IBM AIX CVE-2004-2664 (John Lim ADOdb Library for PHP before 4.23 allows remote attackers to ...) - libphp-adodb - egroupware - moodle - phppgadmin 4.0.1-2 (unimportant) - gallery2 - phpwiki (unimportant) CVE-2006-XXXX [hostapd dos] - hostapd 1:0.5.4-1 [sarge] - hostapd (Vulnerable code not present) CVE-2006-4521 (The BerDecodeLoginDataRequest function in the libnmasldap.so NMAS modu ...) NOT-FOR-US: Novell eDirectory CVE-2006-4520 (ncp in Novell eDirectory before 8.7.3 SP9, and 8.8.x before 8.8.1 FTF2 ...) NOT-FOR-US: Novell eDirectory CVE-2006-4519 (Multiple integer overflows in the image loader plug-ins in GIMP before ...) {DSA-1335-1} - gimp 2.2.16-1 (medium) NOTE: Security problems were fixed in 2.2.16, but only 2.2.17 fixes a PSD regression CVE-2006-4518 (Qbik WinGate 6.1.4 and earlier allows remote attackers to cause a deni ...) NOT-FOR-US: Qbik WinGate CVE-2006-4517 (Novell iManager 2.5 and 2.0.2 allows remote attackers to cause a denia ...) NOT-FOR-US: Novell iManager CVE-2006-4516 (Integer signedness error in FreeBSD 6.0-RELEASE allows local users to ...) - kfreebsd-5 (low) [etch] - kfreebsd-5 (no security support for freebsd) CVE-2006-4515 RESERVED CVE-2006-4514 (Heap-based buffer overflow in the ole_info_read_metabat function in Gn ...) {DSA-1221-1} - libgsf 1.14.2-1 CVE-2006-4513 (Multiple integer overflows in the WV library in wvWare (formerly mswor ...) - wv 1.2.4-1 (bug #396256; medium) - abiword 2.4.6-1 [sarge] - abiword 2.4.6-1.1 (bug #396360) NOTE: exact abiword fixed version not known, but <= 2.4.6-1 CVE-2006-4512 RESERVED CVE-2006-4511 (Messenger Agents (nmma.exe) in Novell GroupWise 2.0.2 and 1.0.6 allows ...) NOT-FOR-US: Novell GroupWise CVE-2006-4510 (The evtFilteredMonitorEventsRequest function in the LDAP service in No ...) NOT-FOR-US: Novell eDirectory CVE-2006-4509 (Integer overflow in the evtFilteredMonitorEventsRequest function in th ...) NOT-FOR-US: Novell eDirectory CVE-2006-4508 (Unspecified vulnerability in (1) Tor 0.1.0.x before 0.1.0.18 and 0.1.1 ...) - tor 0.1.1.23-1 CVE-2006-4507 (Unspecified vulnerability in the TIFF viewer (possibly libTIFF) in the ...) NOT-FOR-US: Sony NOTE: According to the original advisory, this is just CVE-2006-3459 CVE-2006-4506 (idmlib.sh in nxdrv in Novell Identity Manager (IDM) 3.0.1 allows local ...) NOT-FOR-US: Novell Identity Manager CVE-2006-4505 (CRLF injection vulnerability in links.php in NX5Linx 1.0 allows remote ...) NOT-FOR-US: NX5Linx CVE-2006-4504 (SQL injection vulnerability in NX5Linx 1.0 allows remote attackers to ...) NOT-FOR-US: NX5Linx CVE-2006-4503 (Directory traversal vulnerability in link.php in NX5Linx 1.0 allows re ...) NOT-FOR-US: NX5Linx CVE-2006-4502 (ezPortal/ztml CMS 1.0 allows remote attackers to bypass authentication ...) NOT-FOR-US: ezPortal/ztml CMS CVE-2006-4501 (SQL injection vulnerability in index.php in ezPortal/ztml CMS 1.0 allo ...) NOT-FOR-US: ezPortal/ztml CMS CVE-2006-4500 (Cross-site scripting (XSS) vulnerability in index.php in ezPortal/ztml ...) NOT-FOR-US: ezPortal/ztml CMS CVE-2006-4499 (ModernBill 5.0.4 and earlier uses cURL with insecure settings for CURL ...) NOT-FOR-US: ModernBill CVE-2006-4498 (PHP remote file inclusion vulnerability in sommaire_admin.php in PhpAl ...) NOT-FOR-US: PortailPHP CVE-2006-4497 (SQL injection vulnerability in comments.php in IwebNegar 1.1 allows re ...) NOT-FOR-US: IwebNegar CVE-2006-4496 (Cross-site scripting (XSS) vulnerability in comments.php in IwebNegar ...) NOT-FOR-US: IwebNegar CVE-2006-4495 (Microsoft Internet Explorer allows remote attackers to cause a denial ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2006-4494 (Microsoft Visual Studio 6.0 allows remote attackers to cause a denial ...) NOT-FOR-US: Microsoft CVE-2006-4493 (xbiff2 1.9 creates $HOME/.xbiff2rc in a user's home directory with ins ...) NOT-FOR-US: xbiff2 NOTE: xbase-clients contains xbiff, but it is not affected as it doesn't use a .xbiffrc CVE-2006-4492 (Unspecified vulnerability in Cybozu Office 6.5 Build 1.2 for Windows a ...) NOT-FOR-US: Cybozu Office CVE-2006-4491 (Directory traversal vulnerability in Cybozu Collaborex, AG before 1.2( ...) NOT-FOR-US: Cybozu Collaborex CVE-2006-4490 (Multiple directory traversal vulnerabilities in Cybozu Office before 6 ...) NOT-FOR-US: Cybozu Office CVE-2006-4489 (Multiple PHP remote file inclusion vulnerabilities in MiniBill 2006-07 ...) NOT-FOR-US: MiniBill CVE-2006-4488 (PHP remote file inclusion vulnerability in modules/userstop/userstop.p ...) NOT-FOR-US: ExBB Italia CVE-2006-4487 (DUware DUpoll 3.0 and 3.1 stores _private/Dupoll.mdb under the web doc ...) NOT-FOR-US: DUpoll CVE-2006-4486 (Integer overflow in memory allocation routines in PHP before 5.1.6, wh ...) {DSA-1331-1} - php5 5.1.6-1 - php4 4:4.4.4-1 CVE-2006-4485 (The stripos function in PHP before 5.1.5 has unknown impact and attack ...) - php5 5.1.6-1 - php4 (Vulnerable function doesn't exist) CVE-2006-4484 (Buffer overflow in the LWZReadByte_ function in ext/gd/libgd/gd_gif_in ...) - libgd2 2.0.33-5.1 (medium; bug #384838) - xloadimage (unimportant; bug #384841) NOTE: xloadimage is a crasher only, not a security problem CVE-2006-4483 (The cURL extension files (1) ext/curl/interface.c and (2) ext/curl/str ...) - php5 5.1.6-1 (unimportant) - php4 4:4.4.4-1 (unimportant) NOTE: Safe mode violations not supported, insufficient measure CVE-2006-4482 (Multiple heap-based buffer overflows in the (1) str_repeat and (2) wor ...) {DSA-1206-1} - php5 5.1.6-1 (medium) - php4 4:4.4.4-1 (medium) CVE-2006-4481 (The (1) file_exists and (2) imap_reopen functions in PHP before 5.1.5 ...) - php5 5.1.6-1 (unimportant) - php4 4:4.4.4-1 (unimportant) NOTE: Basedir violations not supported CVE-2006-4480 (Incomplete blacklist vulnerability in the nk_CSS function in nuked.php ...) NOT-FOR-US: Nuked-Klan CVE-2006-4479 (Cross-site scripting (XSS) vulnerability in loginreq2.php in Visual Sh ...) NOT-FOR-US: ezContents CVE-2006-4478 (SQL injection vulnerability in headeruserdata.php in Visual Shapers ez ...) NOT-FOR-US: ezContents CVE-2006-4477 (Multiple PHP remote file inclusion vulnerabilities in Visual Shapers e ...) NOT-FOR-US: ezContents CVE-2006-4476 (Multiple unspecified vulnerabilities in Joomla! before 1.0.11, related ...) NOT-FOR-US: Joomla! CVE-2006-4475 (Joomla! before 1.0.11 does not limit access to the Admin Popups functi ...) NOT-FOR-US: Joomla! CVE-2006-4474 (Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before ...) NOT-FOR-US: Joomla! CVE-2006-4473 (Unspecified vulnerability in com_content in Joomla! before 1.0.11, whe ...) NOT-FOR-US: Joomla! CVE-2006-4472 (Multiple unspecified vulnerabilities in Joomla! before 1.0.11 allow at ...) NOT-FOR-US: Joomla! CVE-2006-4471 (The Admin Upload Image functionality in Joomla! before 1.0.11 allows r ...) NOT-FOR-US: Joomla! CVE-2006-4470 (Joomla! before 1.0.11 omits some checks for whether _VALID_MOS is defi ...) NOT-FOR-US: Joomla! CVE-2006-4469 (Unspecified vulnerability in PEAR.php in Joomla! before 1.0.11 allows ...) NOT-FOR-US: Joomla! CVE-2006-4468 (Multiple unspecified vulnerabilities in Joomla! before 1.0.11, related ...) NOT-FOR-US: Joomla! CVE-2006-4467 (Simple Machines Forum (SMF) 1.1RCx before 1.1RC3, and 1.0.x before 1.0 ...) NOT-FOR-US: Simple Machines Forum CVE-2006-4466 (Joomla! before 1.0.11 does not properly unset variables when the input ...) NOT-FOR-US: Joomla! CVE-2006-4465 NOT-FOR-US: Microsoft CVE-2006-4464 (The Nokia Browser, possibly Nokia Symbian 60 Browser 3rd edition, allo ...) NOT-FOR-US: Nokia CVE-2006-4463 (SQL injection vulnerability in the administrator control panel in Jets ...) NOT-FOR-US: JS ASP Faq Manager CVE-2006-4462 (Gonafish.com LinksCaffe 2.0 and 3.0 do not properly restrict access to ...) NOT-FOR-US: LinksCaffe CVE-2006-4461 (Paessler IPCheck Server Monitor before 5.3.3.639/640 does not properly ...) NOT-FOR-US: Paessler IPCheck Server Monitor (not related to ipcheck in Debian) CVE-2006-4460 (Cross-site scripting (XSS) vulnerability in PHP iAddressBook before 0. ...) NOT-FOR-US: iAddressBook CVE-2006-4459 (Integer overflow in AnywhereUSB/5 1.80.00 allows local users to cause ...) NOT-FOR-US: AnywhereUSB/5 CVE-2006-4458 (Directory traversal vulnerability in calendar/inc/class.holidaycalc.in ...) - phpgroupware 0.9.16.011-1 (bug #386061; medium) CVE-2006-4457 (PHP remote file inclusion vulnerability in index.php in phpECard 2.1.4 ...) NOT-FOR-US: phpECard CVE-2006-4456 (PHP remote file inclusion vulnerability in functions.php in phpECard 2 ...) NOT-FOR-US: phpECard CVE-2006-4455 - xchat (not reproducible) CVE-2006-4454 (Cross-site scripting (XSS) vulnerability in hlstats.php in HLstats 1.3 ...) NOT-FOR-US: HLstats CVE-2006-4453 (Cross-site scripting (XSS) vulnerability in PmWiki before 2.1.18 allow ...) NOT-FOR-US: PmWiki CVE-2006-4452 (PHP remote file inclusion vulnerability in security/include/_class.sec ...) NOT-FOR-US: Web3news CVE-2006-4451 (Direct static code injection vulnerability in CJ Tag Board 3.0 allows ...) NOT-FOR-US: Tag Board CVE-2006-4450 (usercp_avatar.php in PHPBB 2.0.20, when avatar uploading is enabled, a ...) - phpbb2 2.0.21-1 (unimportant) NOTE: That's by design and even disabled by default CVE-2006-4449 (Cross-site scripting (XSS) vulnerability in attachment.php in MyBullet ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-4448 (Multiple PHP remote file inclusion vulnerabilities in interact 2.2, wh ...) NOT-FOR-US: interact CVE-2006-4447 (X.Org and XFree86, including libX11, xdm, xf86dga, xinit, xload, xtran ...) {DSA-1193-1} - xbase-clients 1:7.1.ds-2 (unimportant) - xtrans 1.0.0-6 (unimportant) - xorg-server 1:1.0.2-9 (low) - libx11 2:1.0.0-7 (unimportant) - xdm 1:1.0.5-1 (unimportant) - xterm (unimportant) CVE-2006-4446 (Heap-based buffer overflow in DirectAnimation.PathControl COM object ( ...) NOT-FOR-US: Microsoft CVE-2006-4445 NOT-FOR-US: CuteNews CVE-2006-4444 (Multiple SQL injection vulnerabilities in Cybozu Garoon 2.1.0 for Wind ...) NOT-FOR-US: Cybozu Garoon CVE-2006-4443 (PHP remote file inclusion vulnerability in myajaxphp.php in AlstraSoft ...) NOT-FOR-US: AlstraSoft Video Share Enterprise CVE-2006-4442 (Cross-site scripting (XSS) vulnerability in PHP iAddressBook before 0. ...) NOT-FOR-US: iAddressBook CVE-2006-4441 (Multiple PHP remote file inclusion vulnerabilities in Ay System Soluti ...) NOT-FOR-US: Ay System Solutions CMS CVE-2006-4440 (PHP remote file inclusion vulnerability in main.php in Ay System Solut ...) NOT-FOR-US: Ay System Solutions CMS CVE-2006-4439 (pkgadd in Sun Solaris 10 before 20060825 installs files with insecure ...) NOT-FOR-US: Solaris CVE-2006-4438 (Heap-based buffer overflow in SpIDer for Dr.Web Scanner for Linux 4.33 ...) NOT-FOR-US: SpIDer for Dr.Web Scanner CVE-2006-4437 (Eval injection vulnerability in Tagger LE allows remote attackers to e ...) NOT-FOR-US: Tagger LE CVE-2005-4810 (Microsoft Internet Explorer 7.0 Beta3 and earlier allows remote attack ...) NOT-FOR-US: Microsoft CVE-2005-4809 (Mozilla Firefox 1.0.1 and possibly other versions, including Mozilla a ...) - mozilla (low) - firefox (at least 1.5.0.6 is not vulnerable) - xulrunner [sarge] - mozilla (Conceptual problem, not fixable in a backport) CVE-2003-1305 (Microsoft Internet Explorer allows remote attackers to cause a denial ...) NOT-FOR-US: Microsoft CVE-2006-4602 (Unrestricted file upload vulnerability in jhot.php in TikiWiki 1.9.4 S ...) - tikiwiki 1.9.4+dfsg2-3 CVE-2006-4436 (isakmpd in OpenBSD 3.8, 3.9, and possibly earlier versions, creates Se ...) {DSA-1175-1} - isakmpd 20041012-4 (bug #385894; medium) CVE-2006-4435 (OpenBSD 3.8, 3.9, and possibly earlier versions allows context-depende ...) NOT-FOR-US: OpenBSD CVE-2006-4434 (Use-after-free vulnerability in Sendmail before 8.13.8 allows remote a ...) {DSA-1164} - sendmail 8.13.8-1 (bug #385054; medium) CVE-2006-4433 (PHP before 4.4.3 and 5.x before 5.1.4 does not limit the character set ...) - php4 4:4.4.4-1 (unimportant) - php5 5.1.4-0.1 (unimportant) NOTE: Sanitising this is an application's job CVE-2006-4432 (Directory traversal vulnerability in Zend Platform 2.2.1 and earlier a ...) NOT-FOR-US: Zend Platform CVE-2006-4431 (Multiple buffer overflows in the (a) Session Clustering Daemon and the ...) NOT-FOR-US: Zend Platform CVE-2006-4430 (The Cisco Network Admission Control (NAC) 3.6.4.1 and earlier allows r ...) NOT-FOR-US: Cisco CVE-2006-4429 NOT-FOR-US: PHlyMail Lite CVE-2006-4428 NOT-FOR-US: Jupiter CMS CVE-2006-4427 (index.php in eFiction before 2.0.7 allows remote attackers to bypass a ...) NOT-FOR-US: eFiction CVE-2006-4426 (PHP remote file inclusion vulnerability in AES/modules/auth/phpsecurit ...) NOT-FOR-US: AlberT-EasySite CVE-2006-4425 (Multiple PHP remote file inclusion vulnerabilities in phpCOIN 1.2.3 al ...) NOT-FOR-US: phpCOIN CVE-2006-4424 (PHP remote file inclusion vulnerability in coin_includes/constants.php ...) NOT-FOR-US: phpCOIN CVE-2006-4423 (Multiple PHP remote file inclusion vulnerabilities in Bigace 1.8.2 all ...) NOT-FOR-US: Bigace CVE-2006-4422 NOT-FOR-US: Jetbox CMS CVE-2006-4421 (Cross-site scripting (XSS) vulnerability in template/default/thanks_co ...) NOT-FOR-US: Yet Another PHP Image Gallery CVE-2006-4420 (Directory traversal vulnerability in include_lang.php in Phaos 0.9.2 a ...) NOT-FOR-US: Phaos CVE-2006-4419 (SQL injection vulnerability in note.php in ProManager 0.73 allows remo ...) NOT-FOR-US: ProManager CVE-2006-4418 (Directory traversal vulnerability in index.php for Wikepage 2006.2a Op ...) NOT-FOR-US: Wikepage CVE-2006-4417 (SQL injection vulnerability in edituser.php in Xoops before 2.0.15 all ...) NOT-FOR-US: Xoops CVE-2006-4416 (Untrusted search path vulnerability in the mkvg command in IBM AIX 5.2 ...) NOT-FOR-US: IBM AIX CVE-2006-4415 RESERVED CVE-2006-4414 RESERVED CVE-2006-4413 (Apple Remote Desktop before 3.1 uses insecure permissions for certain ...) NOT-FOR-US: Apple Remote Desktop CVE-2006-4412 (WebKit in Apple Mac OS X 10.3.x through 10.3.9 and 10.4 through 10.4.8 ...) NOT-FOR-US: Apple Mac OS X CVE-2006-4411 (The VPN service in Apple Mac OS X 10.3.x through 10.3.9 and 10.4.x thr ...) NOT-FOR-US: Apple Mac OS X CVE-2006-4410 (The Security Framework in Apple Mac OS X 10.3.9, and 10.4.x before 10. ...) NOT-FOR-US: Apple Mac OS X CVE-2006-4409 (The Online Certificate Status Protocol (OCSP) service in the Security ...) NOT-FOR-US: Apple Mac OS X CVE-2006-4408 (The Security Framework in Apple Mac OS X 10.4 through 10.4.8 allows re ...) NOT-FOR-US: Apple Mac OS X CVE-2006-4407 (The Security Framework in Apple Mac OS X 10.3.x up to 10.3.9 does not ...) NOT-FOR-US: Apple Mac OS X CVE-2006-4406 (Buffer overflow in PPP on Apple Mac OS X 10.4.x up to 10.4.8 and 10.3. ...) NOT-FOR-US: Apple Mac OS X CVE-2006-4405 RESERVED CVE-2006-4404 (The Installer application in Apple Mac OS X 10.4.8 and earlier, when u ...) NOT-FOR-US: Apple Mac OS X CVE-2006-4403 (The FTP server in Apple Mac OS X 10.4.8 and earlier, when FTP Access i ...) NOT-FOR-US: Apple Mac OS X CVE-2006-4402 (Heap-based buffer overflow in the Finder in Apple Mac OS X 10.4.8 and ...) NOT-FOR-US: Apple Mac OS X CVE-2006-4401 (Unspecified vulnerability in CFNetwork in Mac OS 10.4.8 and earlier al ...) NOT-FOR-US: Apple Mac OS X CVE-2006-4400 (Stack-based buffer overflow in the Apple Type Services (ATS) server in ...) NOT-FOR-US: Apple Mac OS X CVE-2006-4399 (User interface inconsistency in Workgroup Manager in Apple Mac OS X 10 ...) NOT-FOR-US: Mac OS CVE-2006-4398 (Multiple buffer overflows in the Apple Type Services (ATS) server in M ...) NOT-FOR-US: Apple Mac OS X CVE-2006-4397 (Unchecked error condition in LoginWindow in Apple Mac OS X 10.4 throug ...) NOT-FOR-US: Mac OS CVE-2006-4396 (The Apple Type Services (ATS) server in Mac OS X 10.4.8 and earlier do ...) NOT-FOR-US: Apple Mac OS X CVE-2006-4395 (Unspecified vulnerability in QuickDraw Manager in Apple Mac OS X 10.3. ...) NOT-FOR-US: Mac OS CVE-2006-4394 (A logic error in LoginWindow in Apple Mac OS X 10.4 through 10.4.7, al ...) NOT-FOR-US: Mac OS CVE-2006-4393 (Unspecified vulnerability in LoginWindow in Apple Mac OS X 10.4 throug ...) NOT-FOR-US: Mac OS CVE-2006-4392 (The Mach kernel, as used in operating systems including (1) Mac OS X 1 ...) NOT-FOR-US: Mac OS CVE-2006-4391 (Buffer overflow in Apple ImageIO on Apple Mac OS X 10.4 through 10.4.7 ...) NOT-FOR-US: Mac OS CVE-2006-4390 (CFNetwork in Apple Mac OS X 10.4 through 10.4.7 and 10.3.9 allows remo ...) NOT-FOR-US: Mac OS CVE-2006-4389 (Apple QuickTime before 7.1.3 allows user-assisted remote attackers to ...) NOT-FOR-US: Apple QuickTime CVE-2006-4388 (Integer overflow in Apple QuickTime before 7.1.3 allows user-assisted ...) NOT-FOR-US: Apple QuickTime CVE-2006-4387 (Apple Mac OS X 10.4 through 10.4.7, when the administrator clears the ...) NOT-FOR-US: Mac OS CVE-2006-4386 (Integer overflow in Apple QuickTime before 7.1.3 allows user-assisted ...) NOT-FOR-US: Apple QuickTime CVE-2006-4385 (Buffer overflow in Apple QuickTime before 7.1.3 allows user-assisted r ...) NOT-FOR-US: Apple QuickTime CVE-2006-4384 (Heap-based buffer overflow in Apple QuickTime before 7.1.3 allows user ...) NOT-FOR-US: Apple QuickTime CVE-2006-4383 RESERVED CVE-2006-4382 (Multiple buffer overflows in Apple QuickTime before 7.1.3 allow user-a ...) NOT-FOR-US: Apple QuickTime CVE-2006-4381 (Integer overflow in Apple QuickTime before 7.1.3 allows user-assisted ...) NOT-FOR-US: Apple QuickTime CVE-2006-4380 (MySQL before 4.1.13 allows local users to cause a denial of service (p ...) {DSA-1169} - mysql-dfsg-5.0 (only 4.1 affected) - mysql-dfsg (only 4.1 affected) - mysql-dfsg-4.1 CVE-2006-4379 (Stack-based buffer overflow in the SMTP Daemon in Ipswitch Collaborati ...) NOT-FOR-US: Ipswitch Collaboration 2006 Suite CVE-2006-4378 NOT-FOR-US: Rssxt component for Joomla! (com_rssxt) CVE-2006-4377 (Multiple SQL injection vulnerabilities in Guder und Koch Netzwerktechn ...) NOT-FOR-US: Eichhorn Portal CVE-2006-4376 (Multiple cross-site scripting (XSS) vulnerabilities in Guder und Koch ...) NOT-FOR-US: Eichhorn Portal CVE-2006-4375 NOT-FOR-US: Contacts XTD (ContXTD) component for Mambo (com_contxtd) CVE-2006-4374 (IrfanView 3.98 (with plugins) allows user-assisted attackers to cause ...) NOT-FOR-US: IrfanView CVE-2006-4373 (PHP remote file inclusion vulnerability in modules/visitors2/include/c ...) NOT-FOR-US: pSlash CVE-2006-4372 (PHP remote file inclusion vulnerability in admin.lurm_constructor.php ...) NOT-FOR-US: Lurm Constructor component (com_lurm_constructor) for Mambo CVE-2006-4371 (Multiple directory traversal vulnerabilities in Alt-N WebAdmin 3.2.3 a ...) NOT-FOR-US: Alt-N WebAdmin CVE-2006-4370 (Alt-N WebAdmin 3.2.3 and 3.2.4 running with MDaemon 9.0.5, and possibl ...) NOT-FOR-US: Alt-N WebAdmin CVE-2006-4369 (Absolute path traversal vulnerability in includes/functions_portal.php ...) NOT-FOR-US: IntegraMOD Portal CVE-2006-4368 (PHP remote file inclusion vulnerability in includes/functions_portal.p ...) NOT-FOR-US: IntegraMOD Portal CVE-2006-4367 (SQL injection vulnerability in alltopics.php in the All Topics Hack 1. ...) NOT-FOR-US: All Topics Hack for phpBB CVE-2006-4366 (PHP remote file inclusion vulnerability in index.php in RedBLoG 0.5 al ...) NOT-FOR-US: RedBLoG CVE-2006-4365 (Multiple PHP remote file inclusion vulnerabilities in VistaBB 2.0.33 a ...) NOT-FOR-US: VistaBB CVE-2006-4364 (Multiple heap-based buffer overflows in the POP3 server in Alt-N Techn ...) NOT-FOR-US: Alt-N Technologies MDaemon CVE-2006-4363 (PHP remote file inclusion vulnerability in admin.cropcanvas.php in the ...) NOT-FOR-US: CropImage component (com_cropimage) for Mambo CVE-2006-4362 (Cross-site scripting (XSS) vulnerability in getad.php in Diesel Paid M ...) NOT-FOR-US: Diesel Paid Mail CVE-2006-4361 (Multiple cross-site scripting (XSS) vulnerabilities in jobseekers/forg ...) NOT-FOR-US: Diesel Job Site CVE-2006-4360 (Cross-site scripting (XSS) vulnerability in E-commerce 4.7 for Drupal ...) NOT-FOR-US: E-commerce for Drupal CVE-2006-4359 (Stack-based buffer overflow in Trident Software PowerZip 7.06 Build 38 ...) NOT-FOR-US: PowerZip CVE-2006-4358 (Cross-site scripting (XSS) vulnerability in index.php in Diesel Pay al ...) NOT-FOR-US: Diesel Pay CVE-2006-4357 (PHP remote file inclusion vulnerability in clients/index.php in Diesel ...) NOT-FOR-US: Diesel Smart Traffic CVE-2006-4356 (SQL injection vulnerability in Drupal Easylinks Module (easylinks.modu ...) NOT-FOR-US: Easylinks Module for Drupal CVE-2006-4355 (Cross-site scripting (XSS) vulnerability in Drupal Easylinks Module (e ...) NOT-FOR-US: Easylinks Module for Drupal CVE-2006-4354 (PHP remote file inclusion vulnerability in e/class/CheckLevel.php in P ...) NOT-FOR-US: Phome Empire CMS CVE-2006-4353 (Unspecified vulnerability in Sun Java System Content Delivery Server 4 ...) NOT-FOR-US: Sun Java System Content Delivery Server CVE-2006-4352 (The ArrowPoint cookie functionality for Cisco 11000 series Content Ser ...) NOT-FOR-US: Cisco CVE-2006-4351 (Cross-site scripting (XSS) vulnerability in index.php in OneOrZero 1.6 ...) NOT-FOR-US: OneOrZero CVE-2006-4350 (SQL injection vulnerability in index.php in OneOrZero 1.6.4.1 allows r ...) NOT-FOR-US: OneOrZero CVE-2006-4349 NOT-FOR-US: ToendaCMS CVE-2006-4348 (PHP remote file inclusion vulnerability in config.kochsuite.php in the ...) NOT-FOR-US: Kochsuite (com_kochsuite) component for Mambo and Joomla! CVE-2006-4347 (SQL injection vulnerability in user logon authentication request handl ...) NOT-FOR-US: Cool Manager CVE-2006-4346 (Asterisk 1.2.10 supports the use of client-controlled variables to det ...) - asterisk 1:1.2.11.dfsg-1 (medium; bug #385060) CVE-2006-4345 (Stack-based buffer overflow in channels/chan_mgcp.c in MGCP in Asteris ...) - asterisk 1:1.2.11.dfsg-1 (medium; bug #385060) CVE-2006-4344 (CRLF injection vulnerability in CGI-Rescue Mail F/W System (formd) bef ...) NOT-FOR-US: CGI-Rescue Mail F/W System CVE-2006-4343 (The get_server_hello function in the SSLv2 client code in OpenSSL 0.9. ...) {DSA-1195-1 DSA-1185-2} - openssl 0.9.8c-2 (bug #389940) - openssl097 0.9.7k-2 - openssl096 CVE-2006-4342 (The kernel in Red Hat Enterprise Linux 3, when running on SMP systems, ...) - linux-2.6 (Flaw specific to Red Hat backport) CVE-2006-4341 REJECTED CVE-2006-4340 (Mozilla Network Security Service (NSS) library before 3.11.3, as used ...) {DSA-1210 DSA-1192-1 DSA-1191-1} NOTE: MFSA-2006-60, this is the similar to CVE-2006-4339 - mozilla (high) - firefox 1.5.dfsg+1.5.0.7-1 (high) - thunderbird 1.5.0.7-1 (high) - xulrunner 1.8.0.7-1 (high) CVE-2006-4339 (OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, wh ...) {DSA-1174-1 DSA-1173-1} - openssl 0.9.8b-3 (medium) - openssl097 0.9.7i-2 (medium) - openssl096 CVE-2006-4338 (unlzh.c in the LHZ component in gzip 1.3.5 allows context-dependent at ...) {DSA-1181-1} - gzip 1.3.5-15 (medium) - lha 1.14i-10.1 (medium; bug #401301) [sarge] - lha (Non-free not supported) [etch] - lha (Non-free not supported) CVE-2006-4337 (Buffer overflow in the make_table function in the LHZ component in gzi ...) {DSA-1181-1} - gzip 1.3.5-15 (high) - lha 1.14i-10.1 (high; bug #401301) [sarge] - lha (Non-free not supported) [etch] - lha (Non-free not supported) CVE-2006-4336 (Buffer underflow in the build_tree function in unpack.c in gzip 1.3.5 ...) {DSA-1181-1} - gzip 1.3.5-15 (high) CVE-2006-4335 (Array index error in the make_table function in unlzh.c in the LZH dec ...) {DSA-1181-1} - gzip 1.3.5-15 (high) - lha 1.14i-10.1 (high; bug #401301) [sarge] - lha (Non-free not supported) [etch] - lha (Non-free not supported) CVE-2006-4334 (Unspecified vulnerability in gzip 1.3.5 allows context-dependent attac ...) {DSA-1974-1 DSA-1181-1} - gzip 1.3.5-15 (high) CVE-2006-4333 (The SSCOP dissector in Wireshark (formerly Ethereal) before 0.99.3 all ...) {DSA-1171} - wireshark 0.99.2-5.1 (low; bug #384529) - ethereal (low; bug #384528) CVE-2006-4332 (Unspecified vulnerability in the DHCP dissector in Wireshark (formerly ...) - wireshark (windows only) - ethereal (windows only) CVE-2006-4331 (Multiple off-by-one errors in the IPSec ESP preference parser in Wires ...) - wireshark 0.99.2-5.1 (medium; bug #384529) - ethereal (only wireshark 0.99.2 affected) CVE-2006-4330 (Unspecified vulnerability in the SCSI dissector in Wireshark (formerly ...) - wireshark 0.99.2-5 (medium; bug #384529) - ethereal (only wireshark 0.99.2 affected) CVE-2006-4329 (Multiple PHP remote file inclusion vulnerabilities in Shadows Rising R ...) NOT-FOR-US: Shadows Rising CVE-2006-4328 (SQL injection vulnerability in admin.php in CloudNine Interactive Link ...) NOT-FOR-US: CloudNine CVE-2006-4327 (Multiple cross-site scripting (XSS) vulnerabilities in add_url.php in ...) NOT-FOR-US: CloudNine CVE-2006-4326 (Stack-based buffer overflow in Justsystem Ichitaro 9.x through 13.x, I ...) NOT-FOR-US: Ichitaro CVE-2006-4325 (Cross-site scripting (XSS) vulnerability in gbook.php in Doika guestbo ...) NOT-FOR-US: Doika CVE-2006-4324 (Cross-site scripting (XSS) vulnerability in add_url2.php in CityForFre ...) NOT-FOR-US: CityForFree CVE-2006-4323 (SQL injection vulnerability in list.php in CityForFree indexcity 1.0, ...) NOT-FOR-US: CityForFree CVE-2006-4322 (PHP remote file inclusion vulnerability in estateagent.php in the Esta ...) NOT-FOR-US: Mambo CVE-2006-4321 (PHP remote file inclusion vulnerability in cpg.php in the Coppermine P ...) NOT-FOR-US: Mambo CVE-2006-4320 (PHP remote file inclusion vulnerability in sef.php in the OpenSEF 2.0. ...) NOT-FOR-US: OpenSEF for Joomla CVE-2006-4319 (Buffer overflow in the format command in Solaris 8, 9, and 10 allows l ...) NOT-FOR-US: Solaris CVE-2006-4318 (Buffer overflow in WFTPD Server 3.23 allows remote attackers to execut ...) NOT-FOR-US: WFTPD CVE-2006-4317 (Cross-site scripting (XSS) vulnerability in attachment.php in WoltLab ...) NOT-FOR-US: WoltLab CVE-2006-4316 (SSH Tectia Management Agent 2.1.2 allows local users to gain root priv ...) NOT-FOR-US: SSH Tectia Management Agent CVE-2006-4315 (Unquoted Windows search path vulnerability in multiple SSH Tectia prod ...) NOT-FOR-US: SSH Tectia Management Agent CVE-2006-4314 (The manager server in Symantec Enterprise Security Manager (ESM) 6 and ...) NOT-FOR-US: Symantec CVE-2006-4313 (Multiple unspecified vulnerabilities in Cisco VPN 3000 series concentr ...) NOT-FOR-US: Cisco CVE-2006-4312 (Cisco PIX 500 Series Security Appliances and ASA 5500 Series Adaptive ...) NOT-FOR-US: Cisco CVE-2006-4311 (PHP remote file inclusion vulnerability in Sonium Enterprise Adressboo ...) NOT-FOR-US: Sonium Enterprise Adressbook CVE-2006-4310 (Mozilla Firefox 1.5.0.6 allows remote attackers to cause a denial of s ...) {DSA-1227-1 DSA-1225-1 DSA-1224-1} - firefox 45.0-1 - firefox-esr 45.0esr-1 - iceweasel 2.0+dfsg-1 - mozilla - mozilla-firefox - xulrunner 1.8.0.8-1 CVE-2006-4309 (VNC server on the AK-Systems Windows Terminal 1.2.5 ExVLP is not passw ...) NOT-FOR-US: AK-Systems Windows Terminal CVE-2006-4308 (Multiple cross-site scripting (XSS) vulnerabilities in Blackboard Lear ...) NOT-FOR-US: Blackboard Learning System CVE-2006-4307 (Unspecified vulnerability in the format command in Sun Solaris 8 and 9 ...) NOT-FOR-US: Solaris CVE-2006-4306 (Unspecified vulnerability in Sun Solaris 8 and 9 before 20060821 allow ...) NOT-FOR-US: Solaris CVE-2006-4305 (Buffer overflow in SAP DB and MaxDB before 7.6.00.30 allows remote att ...) {DSA-1190-1} - maxdb-7.5.00 7.5.00.34-5 (high; bug #386182) CVE-2006-4304 (Buffer overflow in the sppp driver in FreeBSD 4.11 through 6.1, NetBSD ...) - kfreebsd-5 5.4-18 (bug #391289) [etch] - kfreebsd-5 (Etch doesn't have security support for the FreeBSD kernel) CVE-2006-4303 (Race condition in (1) libnsl and (2) TLI/XTI API routines in Sun Solar ...) NOT-FOR-US: Solaris CVE-2006-4302 (The Java Plug-in J2SE 1.3.0_02 through 5.0 Update 5, and Java Web Star ...) - sun-java5 1.5.0-07-1 CVE-2006-4301 (Microsoft Internet Explorer 6.0 SP1 allows remote attackers to cause a ...) NOT-FOR-US: Microsoft CVE-2006-4300 (SQL injection vulnerability in comments.asp in SimpleBlog 2.0 and earl ...) NOT-FOR-US: SimpleBlog CVE-2006-4299 (Cross-site scripting (XSS) vulnerability in tiki-searchindex.php in Ti ...) - tikiwiki 1.9.4+dfsg2-2 (low; bug #384796) CVE-2006-4298 (Multiple directory traversal vulnerabilities in cache.php in osCommerc ...) NOT-FOR-US: osCommerce CVE-2006-4297 (SQL injection vulnerability in shopping_cart.php in osCommerce before ...) NOT-FOR-US: osCommerce CVE-2006-4296 (PHP remote file inclusion vulnerability in classes/Tar.php in bigAPE-B ...) NOT-FOR-US: bigAPE-Backup component (com_babackup) for Mambo CVE-2006-4295 (Cross-site scripting (XSS) vulnerability in ascan_6.asp in Panda Activ ...) NOT-FOR-US: Panda ActiveScan CVE-2006-4294 (Directory traversal vulnerability in viewfile in TWiki 4.0.0 through 4 ...) - twiki 1:4.0.4-3 (bug #389267; low) CVE-2006-4293 (Multiple cross-site scripting (XSS) vulnerabilities in cPanel 10 allow ...) NOT-FOR-US: cPanel CVE-2006-4292 (Unspecified vulnerability in Niels Provos Honeyd before 1.5b allows re ...) - honeyd 1.5b-1 (low; bug #384806) [sarge] - honeyd (Minor issue) CVE-2006-4291 (PHP remote file inclusion vulnerability in handlers/email/mod.listmail ...) NOT-FOR-US: PHlyMail Lite CVE-2006-4290 (Directory traversal vulnerability in Sony VAIO Media Server 2.x, 3.x, ...) NOT-FOR-US: Sony CVE-2006-4289 (Buffer overflow in Sony VAIO Media Server 2.x, 3.x, 4.x, and 5.x befor ...) NOT-FOR-US: Sony CVE-2006-4288 (PHP remote file inclusion vulnerability in admin.a6mambocredits.php in ...) NOT-FOR-US: a6mambocredits component (com_a6mambocredits) for Mambo CVE-2006-4287 (Multiple PHP remote file inclusion vulnerabilities in NES Game and NES ...) NOT-FOR-US: NES Game and NES System CVE-2006-4286 NOT-FOR-US: contentpublisher component (com_contentpublisher) for Mambo CVE-2006-4285 (PHP remote file inclusion vulnerability in news.php in Fantastic News ...) NOT-FOR-US: Fantastic News CVE-2006-4284 (SQL injection vulnerability in comments.asp in LBlog 1.05 and earlier ...) NOT-FOR-US: LBlog CVE-2006-4283 (Multiple PHP remote file inclusion vulnerabilities in SOLMETRA SPAW Ed ...) NOT-FOR-US: SOLMETRA SPAW Editor CVE-2006-4282 (PHP remote file inclusion vulnerability in MamboLogin.php in the Mambo ...) NOT-FOR-US: MamboWiki component (com_mambowiki) for Mambo and Joomla! CVE-2006-4281 (PHP remote file inclusion vulnerability in akocomments.php in AkoComme ...) NOT-FOR-US: AkoComment 1.1 module (com_akocomment) for Mambo CVE-2006-4280 NOT-FOR-US: ANJEL (formerly MaMML) Component (com_anjel) for Mambo CVE-2006-4279 (SQL injection vulnerability in topic_post.php in XennoBB 2.2.1 and ear ...) NOT-FOR-US: XennoBB CVE-2006-4278 (PHP remote file inclusion vulnerability in includes/layout/plain.foote ...) NOT-FOR-US: SportsPHool CVE-2006-4277 (Multiple PHP remote file inclusion vulnerabilities in Tutti Nova 1.6 a ...) NOT-FOR-US: Tutti Nova CVE-2006-4276 (PHP remote file inclusion vulnerability in Tutti Nova 1.6 and earlier ...) NOT-FOR-US: Tutti Nova CVE-2006-4275 (PHP remote file inclusion vulnerability in catalogshop.php in the Cata ...) NOT-FOR-US: CatalogShop component for Mambo (com_catalogshop) CVE-2006-4274 REJECTED CVE-2006-4273 (Cross-site scripting (XSS) vulnerability in Jelsoft vBulletin 3.5.4 an ...) NOT-FOR-US: Jelsoft vBulletin CVE-2006-4272 NOT-FOR-US: Jelsoft vBulletin CVE-2006-4271 NOT-FOR-US: Jelsoft vBulletin CVE-2006-4270 (PHP remote file inclusion vulnerability in mambelfish.class.php in the ...) NOT-FOR-US: mambelfish component (com_mambelfish) for Mambo CVE-2006-4269 NOT-FOR-US: x-shop component (com_x-shop) for Mambo and Joomla! CVE-2006-4268 (Multiple cross-site scripting (XSS) vulnerabilities in CubeCart 3.0.11 ...) NOT-FOR-US: CubeCart CVE-2006-4267 (Multiple SQL injection vulnerabilities in CubeCart 3.0.11 and earlier ...) NOT-FOR-US: CubeCart CVE-2006-4266 (Symantec Norton Personal Firewall 2006 9.1.0.33, and possibly earlier, ...) NOT-FOR-US: Symantec CVE-2006-4265 (Kaspersky Anti-Hacker 1.8.180, when Stealth Mode is enabled, allows re ...) NOT-FOR-US: Kaspersky CVE-2006-4264 NOT-FOR-US: lmtg_myhomepage Component (com_lmtg_myhomepage) for Mambo CVE-2006-4263 (Multiple PHP remote file inclusion vulnerabilities in the Product Scro ...) NOT-FOR-US: mambo-phpshop (com_phpshop) for Mambo and Joomla! CVE-2006-4262 (Multiple buffer overflows in cscope 15.5 and earlier allow user-assist ...) {DSA-1186-1} - cscope 15.5+cvs20060902-1 (low; bug #385893) CVE-2006-4261 REJECTED CVE-2006-4260 (Directory traversal vulnerability in index.php in Fotopholder 1.8 allo ...) NOT-FOR-US: Fotopholder CVE-2006-4259 (Cross-site scripting (XSS) vulnerability in index.php in Fotopholder 1 ...) NOT-FOR-US: Fotopholder CVE-2006-4258 (Absolute path traversal vulnerability in the get functionality in Anti ...) NOT-FOR-US: Anti-Spam SMTP Proxy CVE-2006-4257 (IBM DB2 Universal Database (UDB) before 8.1 FixPak 13 allows remote au ...) NOT-FOR-US: IBM DB2 CVE-2006-4256 (index.php in Horde Application Framework before 3.1.2 allows remote at ...) {DSA-1406-1} - horde3 3.1.3-1 (low; bug #383416) CVE-2006-4255 (Cross-site scripting (XSS) vulnerability in horde/imp/search.php in Ho ...) - imp4 4.1.3-1 (low; bug #383416) CVE-2006-4254 (Unspecified vulnerability in setlocale in IBM AIX 5.1.0 through 5.3.0 ...) NOT-FOR-US: IBM AIX CVE-2006-4253 (Concurrency vulnerability in Mozilla Firefox 1.5.0.6 and earlier allow ...) NOTE: MFSA-2006-59 - xulrunner 1.8.0.7-1 (medium) - firefox 1.5.dfsg+1.5.0.7-1 (medium) - mozilla (medium) - thunderbird 1.5.0.7-1 (low) - mozilla-firefox (unimportant) [sarge] - mozilla (unimportant) [sarge] - mozilla-thunderbird (unimportant) NOTE: On Sarge this is only a crasher, code injection is only possible for Firefox 1.5 et al. CVE-2006-4252 (PowerDNS Recursor 3.1.3 and earlier allows remote attackers to cause a ...) - pdns-recursor 3.1.4-1 (bug #398559) - pdns (Recursor module has been moved to pdns-recursor) CVE-2006-4251 (Buffer overflow in PowerDNS Recursor 3.1.3 and earlier might allow rem ...) {DSA-1211} - pdns-recursor 3.1.4-1 (bug #398557; high) - pdns 2.9.20-4 NOTE: Recursor module has been moved to pdns-recursor CVE-2006-4250 (Buffer overflow in man and mandb (man-db) 2.4.3 and earlier allows loc ...) {DSA-1278-1} - man-db 2.4.3-5 CVE-2006-4249 (Unspecified vulnerability in PlonePAS in Plone 2.5 and 2.5.1, when ano ...) - zope-cmfplone 2.5.1-3 (bug #401796) [sarge] - zope-cmfplone (Vulnerable code not present) CVE-2006-4248 (thttpd on Debian GNU/Linux, and possibly other distributions, allows l ...) {DSA-1205-1} - thttpd 2.23beta1-5 (bug #396277) CVE-2006-4247 (Unspecified vulnerability in the Password Reset Tool before 0.4.1 on P ...) [sarge] - zope-cmfplone (Vulnerable code not present) - zope-cmfplone 2.5.1-1 CVE-2006-4246 (Usermin before 1.220 (20060629) allows remote attackers to read arbitr ...) {DSA-1177-1} - usermin (bug #374609) CVE-2006-4245 (archivemail 0.6.2 uses temporary files insecurely leading to a possibl ...) - archivemail 0.6.2-2 (bug #385253) CVE-2006-4244 (SQL-Ledger 2.4.4 through 2.6.17 authenticates users by verifying that ...) {DSA-1239-1} - sql-ledger 2.6.18-1 (medium; bug #386519) CVE-2006-4243 (linux vserver 2.6 before 2.6.17 suffers from privilege escalation in r ...) - linux-2.6 2.6.17-9 CVE-2006-4242 (PHP remote file inclusion vulnerability in install.jim.php in the JIM ...) NOT-FOR-US: JIM component for Joomla or Mambo CVE-2006-4241 (PHP remote file inclusion vulnerability in processor/reporter.sql.php ...) NOT-FOR-US: Reporter Mambo component (com_reporter) CVE-2006-4240 (PHP remote file inclusion vulnerability in index.php in Fusion News 3. ...) NOT-FOR-US: Fusion News CVE-2006-4239 (PHP remote file inclusion vulnerability in include/urights.php in Outr ...) NOT-FOR-US: Outreach Project Tool CVE-2006-4238 (SQL injection vulnerability in torrents.php in WebTorrent (WTcom) 0.2. ...) NOT-FOR-US: WebTorrent (WTcom) CVE-2006-4237 (PHP remote file inclusion vulnerability in pageheaderdefault.inc.php i ...) NOT-FOR-US: Invisionix Roaming System Remote (IRSR) CVE-2006-4236 (Multiple PHP remote file inclusion vulnerabilities in POWERGAP allow r ...) NOT-FOR-US: POWERGAP CVE-2006-4235 (Buffer overflow in the import project functionality in Sony SonicStage ...) NOT-FOR-US: Sony CVE-2006-4234 (PHP remote file inclusion vulnerability in classes/query.class.php in ...) NOT-FOR-US: dotProject CVE-2006-4233 (Globus Toolkit 3.2.x, 4.0.x, and 4.1.0 before 20060815 allow local use ...) NOT-FOR-US: Globus Toolkit CVE-2006-4232 (Race condition in the grid-proxy-init tool in Globus Toolkit 3.2.x, 4. ...) NOT-FOR-US: Globus Toolkit CVE-2006-4231 (IrfanView 3.98 (with plugins) allows remote attackers to cause a denia ...) NOT-FOR-US: IrfanView CVE-2006-4230 (Multiple PHP remote file inclusion vulnerabilities in index.php in Liz ...) NOT-FOR-US: Lizge Web Portal CVE-2006-4229 (PHP remote file inclusion vulnerability in archive.php in the mosListM ...) NOT-FOR-US: mosListMessenger Component (com_lm) for Mambo and Joomla! CVE-2006-4228 (Symantec Veritas NetBackup PureDisk Remote Office Edition 6.0 before M ...) NOT-FOR-US: Symantec CVE-2006-4227 (MySQL before 5.0.25 and 5.1 before 5.1.12 evaluates arguments of suid ...) - mysql-dfsg-5.0 5.0.24-3 (low; bug #384798) CVE-2006-4226 (MySQL before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when ru ...) {DSA-1169} - mysql-dfsg-5.0 5.0.24-3 (low; bug #384798) [sarge] - mysql-dfsg (Vulnerable code not present) CVE-2006-4225 REJECTED CVE-2006-4224 (Cross-site scripting (XSS) vulnerability in calendar.php in Virtual Wa ...) NOT-FOR-US: Virtual War CVE-2006-4223 (IBM WebSphere Application Server (WAS) before 6.0.2.13 allows context- ...) NOT-FOR-US: IBM WebSphere Application CVE-2006-4222 (Multiple unspecified vulnerabilities in IBM WebSphere Application Serv ...) NOT-FOR-US: IBM WebSphere Application CVE-2006-4221 (Stack-based buffer overflow in the IBM Access Support eGatherer Active ...) NOT-FOR-US: IBM CVE-2006-4220 (Multiple cross-site scripting (XSS) vulnerabilities in webacc in Novel ...) NOT-FOR-US: Novell GroupWise WebAccess CVE-2006-4219 (The Terminal Services COM object (tsuserex.dll) allows remote attacker ...) NOT-FOR-US: Terminal Services COM object CVE-2006-4218 (Directory traversal vulnerability in Zen Cart 1.3.0.2 and earlier allo ...) NOT-FOR-US: Zen Cart CVE-2006-4217 (PHP remote file inclusion vulnerability in modules/usersonline/users.p ...) NOT-FOR-US: WEBInsta CMS CVE-2006-4216 REJECTED CVE-2006-4215 (PHP remote file inclusion vulnerability in index.php in Zen Cart 1.3.0 ...) NOT-FOR-US: Zen Cart CVE-2006-4214 (Multiple SQL injection vulnerabilities in Zen Cart 1.3.0.2 and earlier ...) NOT-FOR-US: Zen Cart CVE-2006-4213 (PHP remote file inclusion vulnerability in config.php in David Kent No ...) NOT-FOR-US: Thatware CVE-2006-4212 (SQL injection vulnerability in b0zz and Chris Vincent Owl Intranet Eng ...) NOT-FOR-US: Owl Intranet Engine CVE-2006-4211 (Cross-site scripting (XSS) vulnerability in b0zz and Chris Vincent Owl ...) NOT-FOR-US: Owl Intranet Engine CVE-2006-4210 (nu_mail.inc.php in Andreas Kansok phPay 2.02 and 2.02.1, when register ...) NOT-FOR-US: phPay CVE-2006-4209 (PHP remote file inclusion vulnerability in install3.php in WEBInsta Ma ...) NOT-FOR-US: WEBInsta Mailing List Manager CVE-2006-4208 (Directory traversal vulnerability in wp-db-backup.php in Skippy WP-DB- ...) - wordpress 2.0.5-0.1 (unimportant; bug #384800) NOTE: Only exploitable by admin users, someone with the privilege to backup NOTE: your data must be trustworthy CVE-2006-4207 (Multiple PHP remote file inclusion vulnerabilities in Bob Jewell Discl ...) NOT-FOR-US: Discloser CVE-2006-4206 (Cross-site scripting (XSS) vulnerability in calendar.asp in ASPPlaygro ...) NOT-FOR-US: ASPPlayground.NET Forum Advanced Edition CVE-2006-4205 (Multiple PHP remote file inclusion vulnerabilities in WebDynamite Proj ...) NOT-FOR-US: WebDynamite ProjectButler CVE-2006-4204 (Multiple PHP remote file inclusion vulnerabilities in PHProjekt 5.1 an ...) NOT-FOR-US: PHProjekt CVE-2006-4203 (PHP remote file inclusion vulnerability in help.mmp.php in the MMP Com ...) NOT-FOR-US: MMP Component (com_mmp) for Mambo CVE-2006-4202 (SQL injection vulnerability in proje_goster.php in Spidey Blog Script ...) NOT-FOR-US: Spidey Blog Script CVE-2006-4201 (Unspecified vulnerability in the backup agent and Cell Manager in HP O ...) NOT-FOR-US: HP OpenView Storage Data Protector CVE-2006-4200 (Unspecified vulnerability in 04WebServer 1.83 and earlier allows remot ...) NOT-FOR-US: 04WebServer CVE-2006-4199 (Cross-site scripting (XSS) vulnerability in Soft3304 04WebServer 1.83 ...) NOT-FOR-US: 04WebServer CVE-2006-4198 (PHP remote file inclusion vulnerability in includes/session.php in Whe ...) NOT-FOR-US: Wheatblog CVE-2006-4197 (Multiple buffer overflows in libmusicbrainz (aka mb_client or MusicBra ...) {DSA-1162} - libmusicbrainz-2.1 2.1.4-1 (medium; bug #383030) - libmusicbrainz-2.0 (medium; bug #383031) CVE-2006-4196 (PHP remote file inclusion vulnerability in index.php in WEBInsta CMS 0 ...) NOT-FOR-US: WEBInsta CMS CVE-2006-4195 (PHP remote file inclusion vulnerability in param.peoplebook.php in the ...) NOT-FOR-US: Peoplebook Component for Mambo (com_peoplebook) CVE-2005-4808 (Buffer overflow in reset_vars in config/tc-crx.c in the GNU as (gas) a ...) - binutils 2.17-1 (low) [sarge] - binutils (Only a security-problems in far-fetched configurations) CVE-2005-4807 (Stack-based buffer overflow in the as_bad function in messages.c in th ...) - binutils 2.17-1 (low) [sarge] - binutils (Only a security-problems in far-fetched configurations) CVE-2004-2663 (The (1) SetDebugging and (2) RunEgatherer methods in IBM Access Suppor ...) NOT-FOR-US: IBM CVE-2004-2662 (Soft3304 04WebServer before 1.41 allows remote attackers to cause a de ...) NOT-FOR-US: 04WebServer CVE-2004-2661 (Soft3304 04WebServer before 1.41 does not properly check file names, w ...) NOT-FOR-US: 04WebServer CVE-2002-2216 (Soft3304 04WebServer before 1.20 does not properly process URL strings ...) NOT-FOR-US: 04WebServer CVE-2006-XXXX [gallery2 session ID disclosure] - gallery2 2.1.2-1 CVE-2006-XXXX [insecure filehandling in mysql_upgrade] - mysql-dfsg-5.0 5.0.24-1 NOTE: mysql_upgrade not in 4.x CVE-2006-4194 NOT-FOR-US: Cisco CVE-2006-4193 (Microsoft Internet Explorer 6.0 SP1 and possibly other versions allows ...) NOT-FOR-US: MS IE CVE-2006-4192 (Multiple buffer overflows in MODPlug Tracker (OpenMPT) 1.17.02.43 and ...) - libmodplug 1:0.7-5.2 (medium; bug #383574) - gst-plugins-bad0.10 0.10.3-3.1 (medium; bug #407956) CVE-2006-4191 (Directory traversal vulnerability in memcp.php in XMB (Extreme Message ...) NOT-FOR-US: XMB CVE-2006-4190 (Directory traversal vulnerability in autohtml.php in the AutoHTML modu ...) NOT-FOR-US: PHP-Nuke module AutoHTML CVE-2006-4189 (Multiple PHP remote file inclusion vulnerabilities in Dolphin 5.1 allo ...) NOT-FOR-US: Dolphin CVE-2006-4188 (Unspecified vulnerability in the LP subsystem in HP-UX B.11.00, B.11.0 ...) NOT-FOR-US: HP-UX CVE-2006-4187 (Unspecified vulnerability in HP-UX B.11.00, B.11.11 and B.11.23, when ...) NOT-FOR-US: HP-UX CVE-2006-4186 (The iManager in eMBoxClient.jar in Novell eDirectory 8.7.3.8 writes pa ...) NOT-FOR-US: Novell eDirectory CVE-2006-4185 (Unspecified vulnerability in the NCPENGINE in Novell eDirectory 8.7.3. ...) NOT-FOR-US: Novell eDirectory CVE-2006-4184 (SmartLine DeviceLock before 5.73 Build 305 does not properly enforce a ...) NOT-FOR-US: SmartLine DeviceLock CVE-2006-4183 (Heap-based buffer overflow in Microsoft DirectX SDK (February 2006) an ...) NOT-FOR-US: Microsoft CVE-2006-4182 (Integer overflow in ClamAV 0.88.1 and 0.88.4, and other versions befor ...) {DSA-1196-1} - clamav 0.88.5-1 (high; bug #393445) CVE-2006-4181 (Format string vulnerability in the sqllog function in the SQL accounti ...) NOT-FOR-US: GNU Radius CVE-2006-4180 REJECTED CVE-2006-4179 RESERVED CVE-2006-4178 (Integer signedness error in the i386_set_ldt call in FreeBSD 5.5, and ...) - kfreebsd-5 (bug #391289; low) [etch] - kfreebsd-5 (Etch doesn't have security support for the FreeBSD kernel) CVE-2006-4177 (Heap-based buffer overflow in the NCP engine in Novell eDirectory befo ...) NOT-FOR-US: Novell eDirectory CVE-2006-4176 RESERVED CVE-2006-4175 (The LDAP server (ns-slapd) in Sun Java System Directory Server 5.2 Pat ...) NOT-FOR-US: Sun Java System Directory Server CVE-2006-4174 RESERVED CVE-2006-4173 RESERVED CVE-2006-4172 (Integer overflow vulnerability in the i386_set_ldt call in FreeBSD 5.5 ...) - kfreebsd-5 (bug #391289; low) [etch] - kfreebsd-5 (Etch doesn't have security support for the FreeBSD kernel) CVE-2006-4171 RESERVED CVE-2006-4170 REJECTED CVE-2006-4169 (Multiple directory traversal vulnerabilities in the G/PGP (GPG) Plugin ...) NOT-FOR-US: G/PGP (GPG) plugin for Squirrelmail CVE-2006-4168 (Integer overflow in the exif_data_load_data_entry function in libexif/ ...) {DSA-1310-1} - libexif 0.6.16-1 (bug #430012) CVE-2006-4167 RESERVED CVE-2006-4166 (PHP remote file inclusion vulnerability in TinyWebGallery 1.5 and earl ...) NOT-FOR-US: TinyWebGallery CVE-2006-4165 (Cross-site scripting (XSS) vulnerability in NetCommons 1.0.8 and earli ...) NOT-FOR-US: NetCommons CVE-2006-4164 (PHP remote file inclusion vulnerability in inc/header.inc.php in phpPr ...) NOT-FOR-US: phpPrintAnalyzer CVE-2006-4163 NOT-FOR-US: miniBloggie CVE-2006-4162 (Cross-site scripting (XSS) vulnerability in Dragonfly CMS 9.0.6.1 and ...) NOT-FOR-US: Dragonfly CMS CVE-2006-4161 (Directory traversal vulnerability in the avatar_gallery action in prof ...) NOT-FOR-US: XennoBB CVE-2006-4160 (Multiple PHP remote file inclusion vulnerabilities in Tony Bibbs and V ...) NOT-FOR-US: MVCnPHP CVE-2006-4159 (Multiple PHP remote file inclusion vulnerabilities in Chaussette 08070 ...) NOT-FOR-US: Chaussette CVE-2006-4158 (PHP remote file inclusion vulnerability in Login.php in Spaminator 1.7 ...) NOT-FOR-US: Spaminator CVE-2006-4157 (Cross-site scripting (XSS) vulnerability in index.php in Yet another B ...) NOT-FOR-US: Yet another Bulletin Board (YaBB) CVE-2006-4156 NOT-FOR-US: pearlabs mafia moblog CVE-2006-4155 (Unspecified vulnerability in func_topic_threaded.php (aka threaded vie ...) NOT-FOR-US: Invision Power Board (IPB) CVE-2006-4154 (Format string vulnerability in the mod_tcl module 1.0 for Apache 2.x a ...) NOT-FOR-US: mod_tcl CVE-2006-4153 RESERVED CVE-2006-4152 RESERVED CVE-2006-4151 RESERVED CVE-2006-4150 RESERVED CVE-2006-4149 RESERVED CVE-2006-4148 RESERVED CVE-2006-4147 RESERVED CVE-2006-4146 (Buffer overflow in the (1) DWARF (dwarfread.c) and (2) DWARF2 (dwarf2r ...) - gdb 7.3-1 (unimportant) NOTE: Every sensible use of gdb involves executing the debugged binary NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=d53d4ac5aaf62c631e8d915e049eaf3f52fe24c8 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=204841 NOTE: https://bugs.launchpad.net/ubuntu/+source/gdb/+bug/62695 CVE-2006-4145 (The Universal Disk Format (UDF) filesystem driver in Linux kernel 2.6. ...) {DSA-1184-2} - linux-2.6 2.6.17-7 CVE-2006-4143 (Netgear FVG318 running firmware 1.0.40 allows remote attackers to caus ...) NOT-FOR-US: Netgear CVE-2006-4142 (SQL injection vulnerability in extra/online.php in Virtual War (VWar) ...) NOT-FOR-US: Virtual War (VWar) CVE-2006-4141 (SQL injection vulnerability in news.php in Virtual War (VWar) 1.5.0 an ...) NOT-FOR-US: Virtual War (VWar) CVE-2006-4140 (Directory traversal vulnerability in IPCheck Server Monitor before 5.3 ...) NOT-FOR-US: IPCheck Server Monitor CVE-2006-4139 (Race condition in Sun Solaris 10 allows attackers to cause a denial of ...) NOT-FOR-US: Solaris CVE-2006-4138 (Multiple unspecified vulnerabilities in Microsoft Windows Help File vi ...) NOT-FOR-US: Microsoft CVE-2006-4137 (IBM WebSphere Application Server before 6.1.0.1 allows attackers to ob ...) NOT-FOR-US: IBM WebSphere CVE-2006-4136 (Multiple unspecified vulnerabilities in IBM WebSphere Application Serv ...) NOT-FOR-US: IBM WebSphere CVE-2006-4135 NOT-FOR-US: Calendarix CVE-2006-4134 (Unspecified vulnerability related to a "design flaw" in SAP Internet G ...) NOT-FOR-US: SAP CVE-2006-4133 (Heap-based buffer overflow in SAP Internet Graphics Service (IGS) 6.40 ...) NOT-FOR-US: SAP CVE-2006-4132 (ArcSoft MMS Composer 1.5.5.6 and possibly earlier, and 2.0.0.13 and po ...) NOT-FOR-US: ArcSoft MMS Composer CVE-2006-4131 (Multiple buffer overflows in ArcSoft MMS Composer 1.5.5.6, and possibl ...) NOT-FOR-US: ArcSoft MMS Composer CVE-2006-4130 (PHP remote file inclusion vulnerability in admin.remository.php in the ...) NOT-FOR-US: Remository Component (com_remository) for Mambo and Joomla! CVE-2006-4129 (PHP remote file inclusion vulnerability in admin.webring.docs.php in t ...) NOT-FOR-US: Webring Component (com_webring) for Joomla! CVE-2006-4128 (Multiple heap-based buffer overflows in Symantec VERITAS Backup Exec f ...) NOT-FOR-US: Symantec VERITAS CVE-2006-4127 (Multiple format string vulnerabilities in DConnect Daemon 0.7.0 and ea ...) NOT-FOR-US: DConnect Daemon (dcd) CVE-2006-4126 (The dc_chat function in cmd.dc.c in DConnect Daemon 0.7.0 and earlier ...) NOT-FOR-US: DConnect Daemon (dcd) CVE-2006-4125 (Stack-based buffer overflow in main.c in DConnect Daemon 0.7.0 and ear ...) NOT-FOR-US: DConnect Daemon (dcd) CVE-2006-4124 (The libXm library in LessTif 0.95.0 and earlier allows local users to ...) - lesstif2 1:0.94.4-1 (bug #382411; medium) CVE-2006-4123 (PHP remote file inclusion vulnerability in boitenews4/index.php in Boi ...) NOT-FOR-US: Boite de News CVE-2006-4122 (Simple one-file guestbook 1.0 and earlier allows remote attackers to b ...) NOT-FOR-US: Simple one-file guestbook CVE-2006-4121 (PHP remote file inclusion vulnerability in owimg.php3 in See-Commerce ...) NOT-FOR-US: See-Commerce CVE-2006-4120 (Cross-site scripting (XSS) vulnerability in the Recipe module (recipe. ...) NOT-FOR-US: Recipe module (recipe.module) for Drupal CVE-2006-4119 (SQL injection vulnerability in gc.php in GeheimChaos 0.5 and earlier a ...) NOT-FOR-US: GeheimChaos CVE-2006-4118 (Multiple SQL injection vulnerabilities in GeheimChaos 0.5 and earlier ...) NOT-FOR-US: GeheimChaos CVE-2006-4117 (The squeue_drain function in Sun Solaris 10, possibly only when run on ...) NOT-FOR-US: Solaris CVE-2006-4116 (Multiple stack-based buffer overflows in Lhaz before 1.32 allow user-a ...) NOT-FOR-US: Lhaz CVE-2006-4115 (PHP remote file inclusion vulnerability in common.inc.php in PgMarket ...) NOT-FOR-US: PgMarket CVE-2006-4114 (SQL injection vulnerability in view_com.php in Nicolas Grandjean PHPMy ...) NOT-FOR-US: PHPMyRing CVE-2006-4113 (PHP remote file inclusion vulnerability in genpage-cgi.php in Brian Fr ...) NOT-FOR-US: hitweb CVE-2006-4112 (Unspecified vulnerability in the "dependency resolution mechanism" in ...) - rails 1.1.6-1 (bug #382255; medium) CVE-2006-4111 (Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby cod ...) - rails 1.1.5-1 (bug #382255; medium) CVE-2006-4110 (Apache 2.2.2, when running on Windows, allows remote attackers to read ...) - apache2 (Affects Apache on Windows only) CVE-2006-4109 (Cross-site scripting (XSS) vulnerability in Bibliography (biblio.modul ...) NOT-FOR-US: Bibliography (biblio.module) for Drupal CVE-2006-4108 (SQL injection vulnerability in Bibliography (biblio.module) 4.6 before ...) NOT-FOR-US: Bibliography (biblio.module) for Drupal CVE-2006-4107 (SQL injection vulnerability in the Job Search module (job.module) 4.6 ...) NOT-FOR-US: Job Search module (job.module) for Drupal CVE-2006-4106 (Cross-site scripting (XSS) vulnerability in blursoft blur6ex 0.3 allow ...) NOT-FOR-US: blur6ex CVE-2006-4105 (Cross-site scripting (XSS) vulnerability in Fill Threads Database (FTD ...) NOT-FOR-US: Fill Threads Database CVE-2006-4104 (Cross-site scripting (XSS) vulnerability in admin.cgi in mojoscripts.c ...) NOT-FOR-US: mojoGallery CVE-2006-4103 (PHP remote file inclusion vulnerability in article-raw.php in Jason Al ...) NOT-FOR-US: phNNTP CVE-2006-4102 (PHP remote file inclusion vulnerability in tpl.inc.php in Falko Timme ...) NOT-FOR-US: SQLiteWebAdmin CVE-2006-4101 RESERVED CVE-2006-4100 RESERVED CVE-2006-4099 (Business Objects Crystal Enterprise 9 and 10 generates predictable ses ...) NOT-FOR-US: Business Objects CVE-2006-4098 (Stack-based buffer overflow in the CSRadius service in Cisco Secure Ac ...) NOT-FOR-US: Cisco CVE-2006-4097 (Multiple unspecified vulnerabilities in the CSRadius service in Cisco ...) NOT-FOR-US: Cisco CVE-2006-4096 (BIND before 9.2.6-P1 and 9.3.x before 9.3.2-P1 allows remote attackers ...) {DSA-1172-1} - bind (Not vulnerable according to CERT advisory) - bind9 1:9.3.2-P1-1 (medium; bug #386245; bug #386237) CVE-2006-4095 (BIND before 9.2.6-P1 and 9.3.x before 9.3.2-P1 allows remote attackers ...) {DSA-1172-1} - bind (Not vulnerable according to CERT advisory) - bind9 1:9.3.2-P1-1 (medium; bug #386245; bug #386237) CVE-2006-4094 RESERVED CVE-2006-4093 (Linux kernel 2.x.6 before 2.6.17.9 and 2.4.x before 2.4.33.1 on PowerP ...) {DSA-1184-2 DSA-1237} - linux-2.6 2.6.17-7 CVE-2006-4092 (Simpliciti Locked Browser does not properly limit a user's actions to ...) NOT-FOR-US: Simpliciti Locked Browser CVE-2006-4091 (Multiple cross-site scripting (XSS) vulnerabilities in Archangel Manag ...) NOT-FOR-US: Archangel Weblog CVE-2006-4090 (Cross-site scripting (XSS) vulnerability in Webligo BlogHoster 2.2 all ...) NOT-FOR-US: Webligo BlogHoster CVE-2006-4089 (Multiple buffer overflows in Andy Lo-A-Foe AlsaPlayer 0.99.76 and earl ...) {DSA-1179-1} - alsaplayer 0.99.76-9 (medium; bug #382842) CVE-2006-4088 (Multiple cross-site scripting (XSS) vulnerabilities in CivicSpace 0.8. ...) NOT-FOR-US: CivicSpace CVE-2006-4087 (Cross-site scripting (XSS) vulnerability in admin.cgi in mojoscripts.c ...) NOT-FOR-US: mojoGallery CVE-2006-4086 (Cross-site scripting (XSS) vulnerability in index.php in Elaine Aquino ...) NOT-FOR-US: Online Zone Journals (OZJournals) CVE-2006-4085 (PHP remote file inclusion vulnerability in Olaf Noehring The Search En ...) NOT-FOR-US: The Search Engine Project (TSEP) CVE-2006-4084 (Unspecified vulnerability in phpAutoMembersArea (phpAMA) before 3.2.4 ...) NOT-FOR-US: phpAutoMembersArea (phpAMA) CVE-2006-4083 (PHP remote file inclusion vulnerability in viewevent.php in myWebland ...) NOT-FOR-US: myEvent CVE-2006-4082 (Barracuda Spam Firewall (BSF), possibly 3.3.03.053, contains a hardcod ...) NOT-FOR-US: Barracuda Spam Firewall CVE-2006-4081 (preview_email.cgi in Barracuda Spam Firewall (BSF) 3.3.01.001 through ...) NOT-FOR-US: Barracuda Spam Firewall CVE-2006-4080 (DeluxeBB 1.08, and possibly earlier, uses cookies that include the MD5 ...) NOT-FOR-US: DeluxeBB CVE-2006-4079 (Cross-site scripting (XSS) vulnerability in newpost.php in DeluxeBB 1. ...) NOT-FOR-US: DeluxeBB CVE-2006-4078 (pm.php (aka the PM system) in DeluxeBB 1.08, and possibly earlier, all ...) NOT-FOR-US: DeluxeBB CVE-2006-4077 (PHP remote file inclusion vulnerability in CheckUpload.php in Vincenzo ...) NOT-FOR-US: Comet WebFileManager CVE-2006-4076 (Multiple PHP remote file inclusion vulnerabilities in Wim Fleischhauer ...) NOT-FOR-US: docpile: wim's edition CVE-2006-4075 (Multiple PHP remote file inclusion vulnerabilities in Wim Fleischhauer ...) NOT-FOR-US: docpile: wim's edition CVE-2006-4074 (PHP remote file inclusion vulnerability in lib/tpl/default/main.php in ...) NOT-FOR-US: JD-Wiki Component (com_jd-wiki) for Joomla! CVE-2006-4073 (Multiple PHP remote file inclusion vulnerabilities in Fabian Hainz php ...) NOT-FOR-US: phpCC CVE-2006-4072 (Multiple SQL injection vulnerabilities in Club-Nuke [XP] 2.0 LCID 2048 ...) NOT-FOR-US: Club-Nuke [XP] CVE-2006-4144 (Integer overflow in the ReadSGIImage function in sgi.c in ImageMagick ...) {DSA-1213} - imagemagick 7:6.2.4.5.dfsg1-0.10 (medium; bug #383314) - graphicsmagick 1.1.7-7 (medium; bug #383333) CVE-2006-XXXX [crash in the certificate verification logic] NOTE: GNUTLS-SA-2006-2 - gnutls11 (unimportant) - gnutls12 1.2.11-3 (unimportant) - gnutls13 1.4.2-1 (unimportant) NOTE: Normal bug, no reliable denial of service potential CVE-2006-4071 (Sign extension vulnerability in the createBrushIndirect function in th ...) NOT-FOR-US: Microsoft CVE-2006-4070 (Format string vulnerability in Imendio Planner 0.13 allows user-assist ...) NOT-FOR-US: Imendio Planner CVE-2006-4069 (Multiple cross-site scripting (XSS) vulnerabilities in Elaine Aquino O ...) NOT-FOR-US: Online Zone Journals (OZJournals) CVE-2006-4068 (The pswd.js script relies on the client to calculate whether a usernam ...) NOT-FOR-US: pswd.js CVE-2006-4067 (Cross-site scripting (XSS) vulnerability in cake/libs/error.php in Cak ...) - cakephp 1.1.13.4450-1 CVE-2006-4066 (The Graphical Device Interface Plus library (gdiplus.dll) in Microsoft ...) NOT-FOR-US: Microsoft CVE-2006-4065 (Multiple PHP remote file inclusion vulnerabilities in Dmitry Sheiko SA ...) NOT-FOR-US: SAPID Gallery CVE-2006-4064 (SQL injection vulnerability in default.asp in YenerTurk Haber Script 1 ...) NOT-FOR-US: YenerTurk Haber Script CVE-2006-4063 (Multiple PHP remote file inclusion vulnerabilities in Csaba Godor SAPI ...) NOT-FOR-US: SAPID Blog CVE-2006-4062 (PHP remote file inclusion vulnerability in usr/extensions/get_tree.inc ...) NOT-FOR-US: SAPID Shop CVE-2006-4061 NOT-FOR-US: phpPrintAnalyzer CVE-2006-4060 (PHP remote file inclusion vulnerability in calendar.php in Visual Even ...) NOT-FOR-US: Visual Events Calendar CVE-2006-4059 (Multiple PHP remote file inclusion vulnerabilities in USOLVED NEWSolve ...) NOT-FOR-US: USOLVED NEWSolved Lite CVE-2006-4058 (Cross-site scripting (XSS) vulnerability in archive.php in Simplog 0.9 ...) NOT-FOR-US: Simplog CVE-2006-4057 (Buffer overflow in the preview_create function in gui.cpp in Mitch Mur ...) NOT-FOR-US: Eremove CVE-2006-4056 (Multiple SQL injection vulnerabilities in the authentication process i ...) NOT-FOR-US: katzlbt The Address Book CVE-2006-4055 (Multiple PHP remote file inclusion vulnerabilities in Olaf Noehring Th ...) NOT-FOR-US: The Search Engine Project (TSEP) CVE-2006-4054 (Multiple PHP remote file inclusion vulnerabilities in ME Download Syst ...) NOT-FOR-US: ME Download System CVE-2006-4053 (PHP remote file inclusion vulnerability in templates/header.php in ME ...) NOT-FOR-US: ME Download System CVE-2006-4052 (Multiple PHP remote file inclusion vulnerabilities in Turnkey Web Tool ...) NOT-FOR-US: Turnkey Web Tools PHP Simple Shop CVE-2006-4051 (PHP remote file inclusion vulnerability in global.php in Turnkey Web T ...) NOT-FOR-US: Turnkey Web Tools PHP Live Helper CVE-2006-4050 (PHP remote file inclusion vulnerability in auto_check_renewals.php in ...) NOT-FOR-US: phpAutoMembersArea (phpAMA) CVE-2006-4049 (Unspecified vulnerability in the utxconfig utility in Sun Ray Server S ...) NOT-FOR-US: Sun CVE-2006-4048 (Netious CMS 0.4 initializes session IDs based on the client IP address ...) NOT-FOR-US: Netious CMS CVE-2006-4047 (SQL injection vulnerability in index.php in Netious CMS 0.4 and earlie ...) NOT-FOR-US: Netious CMS CVE-2006-4045 (PHP remote file inclusion vulnerability in news.php in Torbstoff News ...) NOT-FOR-US: Torbstoff News CVE-2006-4044 (PHP remote file inclusion vulnerability in Beautifier/Core.php in Brad ...) NOT-FOR-US: phpCodeCabinet CVE-2006-4043 (index.php in myWebland myBloggie 2.1.4 and earlier allows remote attac ...) NOT-FOR-US: myWebland myBloggie CVE-2006-4042 (Multiple SQL injection vulnerabilities in trackback.php in myWebland m ...) NOT-FOR-US: myWebland myBloggie CVE-2006-4041 (SQL injection vulnerability in Pike before 7.6.86, when using a Postgr ...) - pike7.6 7.6.86-1 [sarge] - pike7.6 (unimportant; bug #382607; bug #383766) [sarge] - pike7.2 (unimportant; bug #382607; bug #383766) NOTE: No applications using pike+postgres in Sarge, fix provides NOTE: new functions for proper quoting CVE-2006-4040 (PHP remote file inclusion vulnerability in myevent.php in myWebland my ...) NOT-FOR-US: myWebland myEvent CVE-2006-4039 (Multiple SQL injection vulnerabilities in eintragen.php in GaesteChaos ...) NOT-FOR-US: GaesteChaos CVE-2006-4038 (Multiple cross-site scripting (XSS) vulnerabilities in eintragen.php i ...) NOT-FOR-US: GaesteChaos CVE-2006-4037 (Unspecified vulnerability in Fenestrae Faxination Server allows remote ...) NOT-FOR-US: Fenestrae Faxination Server CVE-2006-4036 (PHP remote file inclusion vulnerability in includes/usercp_register.ph ...) NOT-FOR-US: ZoneX Publishers CVE-2006-4035 (SQL injection vulnerability in counterchaos.php in CounterChaos 0.48c ...) NOT-FOR-US: CounterChaos CVE-2006-4034 (PHP remote file inclusion vulnerability in include/html/config.php in ...) NOT-FOR-US: ModernGigabyte ModernBill CVE-2006-4033 (Heap-based buffer overflow in Lhaplus.exe in Lhaplus 1.52, and possibl ...) NOT-FOR-US: Lhaplus CVE-2006-4032 (Unspecified vulnerability in Cisco IOS CallManager Express (CME) allow ...) NOT-FOR-US: Cisco CVE-2006-4031 (MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to a ...) - mysql-dfsg-5.0 5.0.24-1 (bug #382415; low) - mysql-dfsg (bug #380271; low) [sarge] - mysql-dfsg-4.1 (Now documented design error, no real fix feasible) [sarge] - mysql-dfsg (Now documented design error, no real fix feasible) CVE-2006-4030 (Unspecified vulnerability in the stats module in Gallery 1.5.1-RC2 and ...) {DSA-1148-1} - gallery 1.5.3-1 - gallery2 (vulnerable code not present) CVE-2006-4029 (Stack-based buffer overflow in sipd.dll in AGEphone 1.24 and 1.38.1 al ...) NOT-FOR-US: AGEphone CVE-2006-4028 (Multiple unspecified vulnerabilities in WordPress before 2.0.4 have un ...) - wordpress 2.0.4-1 CVE-2006-4027 RESERVED CVE-2006-XXXX [realtime-lsm-source: wrong permissions might lead to local root] - realtime-lsm 0.8.7-2 (bug #382161; low) [sarge] - realtime-lsm NOTE: only to user 1017 or group 1001 and only while root is building the module CVE-2006-4026 (PHP remote file inclusion vulnerability in SAPID CMS 123 rc3 allows re ...) NOT-FOR-US: SAPID CMS CVE-2006-4025 (SQL injection vulnerability in profile.php in XennoBB 2.1.0 and earlie ...) NOT-FOR-US: XennoBB CVE-2006-4024 (The FESTAHES_Load function in pce/hes.c in Festalon 0.5.0 through 0.5. ...) - festalon (vuln. code introduced in 0.5.0) CVE-2006-4023 (The ip2long function in PHP 5.1.4 and earlier may incorrectly validate ...) - php5 (unimportant; bug #382257) - php4 (unimportant; bug #382270) NOTE: Not every lack of protection of programmer's flaws is a vulnerability NOTE: See notes by Sean for details NOTE: > the entry states that this is more likely a bug in any NOTE: > applications not performing further validation/sanitizing, NOTE: > and i tend to agree based on the php.net documentation, which NOTE: > states: "ip2long() should not be used as the sole form of IP NOTE: > validation. Combine it with long2ip()". CVE-2006-4022 (Intel 2100 PRO/Wireless Network Connection driver PROSet before 7.1.4. ...) NOT-FOR-US: Intel Windows driver CVE-2006-4021 (The cryptographic module in ScatterChat 1.0.x allows attackers to iden ...) NOT-FOR-US: ScatterChat CVE-2006-4020 (scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows contex ...) - php5 5.1.6-1 (unimportant; bug #382256; bug #382262) - php4 4:4.4.4-1 (unimportant; bug #382261) NOTE: Only exploitable by malicious, local user CVE-2006-4019 (Dynamic variable evaluation vulnerability in compose.php in SquirrelMa ...) {DSA-1154} - squirrelmail 2:1.4.8-1 (bug #382621) CVE-2006-4018 (Heap-based buffer overflow in the pefromupx function in libclamav/upx. ...) {DSA-1153} - clamav 0.88.4-1 (high; bug #382004; bug #382007) CVE-2006-4017 (Cross-site scripting (XSS) vulnerability in the search module in Inter ...) NOT-FOR-US: Inter Network Marketing (INM) CMS G3 CVE-2006-4016 (Cross-site scripting (XSS) vulnerability in /toendaCMS in toendaCMS st ...) NOT-FOR-US: toendaCMS CVE-2006-4015 (Hewlett-Packard (HP) ProCurve 3500yl, 6200yl, and 5400zl switches with ...) NOT-FOR-US: Hewlett-Packard CVE-2006-4014 (Symantec Brightmail AntiSpam (SBAS) before 6.0.4, when the Control Cen ...) NOT-FOR-US: Symantec CVE-2006-4013 (Multiple directory traversal vulnerabilities in Symantec Brightmail An ...) NOT-FOR-US: Symantec CVE-2006-4012 (Multiple PHP remote file inclusion vulnerabilities in circeOS SaveWeb ...) NOT-FOR-US: circeOS SaveWeb CVE-2006-4011 (PHP remote file inclusion vulnerability in esupport/admin/autoclose.ph ...) NOT-FOR-US: Kayako eSupport CVE-2006-4010 (SQL injection vulnerability in war.php in Virtual War (Vwar) 1.5.0 and ...) NOT-FOR-US: Virtual War CVE-2006-4009 (Cross-site scripting (XSS) vulnerability in war.php in Virtual War (Vw ...) NOT-FOR-US: Virtual War CVE-2006-4008 (PHP remote file inclusion vulnerability in index.php in Knusperleicht ...) NOT-FOR-US: Knusperleicht Guestbook CVE-2006-4007 (PHP remote file inclusion vulnerability in index.php in Knusperleicht ...) NOT-FOR-US: Knusperleicht Faq CVE-2006-4006 (The do_gameinfo function in BomberClone 0.11.6 and earlier, and possib ...) {DSA-1180-1} - bomberclone 0.11.7-1 (bug #382082; medium) CVE-2006-4005 (BomberClone 0.11.6 and earlier allows remote attackers to cause a deni ...) {DSA-1180-1} - bomberclone 0.11.7-1 (bug #382082; medium) CVE-2006-4004 (Directory traversal vulnerability in index.php in vbPortal 3.0.2 throu ...) NOT-FOR-US: vbPortal CVE-2006-4003 (The config method in Henrik Storner Hobbit monitor before 4.1.2p2 perm ...) NOT-FOR-US: Henrik Storner Hobbit monitor CVE-2006-4002 (Cross-site scripting (XSS) vulnerability in user.module in Drupal 4.6 ...) {DSA-1147-1} - drupal 4.5.8-2 (bug #382087; medium) CVE-2006-4001 (Login.pm in Barracuda Spam Firewall (BSF) 3.3.01.001 through 3.3.03.05 ...) NOT-FOR-US: Barracuda Spam Firewall CVE-2006-4000 (Directory traversal vulnerability in cgi-bin/preview_email.cgi in Barr ...) NOT-FOR-US: Barracuda Spam Firewall CVE-2006-3999 (ISS BlackICE PC Protection 3.6.cpj, 3.6.cpiE, and possibly earlier ver ...) NOT-FOR-US: ISS BlackICE CVE-2006-3998 (PHP remote file inclusion vulnerability in conf.php in WoWRoster (aka ...) NOT-FOR-US: WoWRoster CVE-2006-3997 (PHP remote file inclusion vulnerability in hsList.php in WoWRoster (ak ...) NOT-FOR-US: WoWRoster CVE-2006-3996 (SQL injection vulnerability in links/index.php in ATutor 1.5.3.1 and e ...) NOT-FOR-US: ATutor CVE-2006-3995 (Multiple PHP remote file inclusion vulnerabilities in (1) uhp_config.p ...) NOT-FOR-US: UHP (User Home Pages) 0.5 component (aka com_uhp) for Mambo CVE-2006-3994 (SQL injection vulnerability in the u2u_send_recp function in u2u.inc.p ...) NOT-FOR-US: XMB (aka extreme message board) CVE-2006-3993 (PHP remote file inclusion vulnerability in copyright.php in Olaf Noehr ...) NOT-FOR-US: The Search Engine Project CVE-2006-3992 (Unspecified vulnerability in the Centrino (1) w22n50.sys, (2) w22n51.s ...) NOT-FOR-US: Intel CVE-2006-3991 (PHP remote file inclusion vulnerability in index.php in Vlad Vostrykh ...) NOT-FOR-US: Voodoo chat CVE-2006-3990 (Multiple PHP remote file inclusion vulnerabilities in Paul M. Jones Sa ...) - egroupware NOTE: According to upstream egroupware is not affected, see #382207 CVE-2006-3989 (PHP remote file inclusion vulnerability in index.php in Knusperleicht ...) NOT-FOR-US: Knusperleicht CVE-2006-3988 (PHP remote file inclusion vulnerability in index.php in Knusperleicht ...) NOT-FOR-US: Knusperleicht CVE-2006-3987 (Multiple PHP remote file inclusion vulnerabilities in index.php in Knu ...) NOT-FOR-US: Knusperleicht CVE-2006-3986 (PHP remote file inclusion vulnerability in index.php in Knusperleicht ...) NOT-FOR-US: Knusperleicht CVE-2006-3985 (Stack-based buffer overflow in DZIPS32.DLL 6.0.0.4 in ConeXware PowerA ...) NOT-FOR-US: ConeXware CVE-2006-3984 (PHP remote file inclusion vulnerability in phpAdsNew/view.inc.php in A ...) NOT-FOR-US: Phpauction CVE-2006-3983 (PHP remote file inclusion vulnerability in editprofile.php in php(Reac ...) NOT-FOR-US: php(Reactor) CVE-2006-3982 (PHP remote file inclusion vulnerability in quickie.php in Knusperleich ...) NOT-FOR-US: Knusperleicht CVE-2006-3981 (PHP remote file inclusion vulnerability in about.mgm.php in Mambo Gall ...) NOT-FOR-US: Mambo Gallery Manager for Mambo CVE-2006-3980 (PHP remote file inclusion vulnerability in administrator/components/co ...) NOT-FOR-US: Mambo Gallery Manager for Mambo CVE-2006-3979 (The AdminAPI of ColdFusion MX 7 allows attackers to bypass authenticat ...) NOT-FOR-US: ColdFusion MX CVE-2006-3978 (Unspecified vulnerability in a Verity third party library, as used on ...) NOT-FOR-US: Adobe ColdFusion MX CVE-2006-3977 (Unspecified vulnerability in CA eTrust Antivirus WebScan before 1.1.0. ...) NOT-FOR-US: CA eTrust Antivirus WebScan CVE-2006-3976 (Unspecified vulnerability in CA eTrust Antivirus WebScan before 1.1.0. ...) NOT-FOR-US: CA eTrust Antivirus WebScan CVE-2006-3975 (Unspecified vulnerability in CA eTrust Antivirus WebScan allows remote ...) NOT-FOR-US: CA eTrust Antivirus WebScan CVE-2006-3974 (Cross-site scripting (XSS) vulnerability in cgi-bin/admin in 3Com Offi ...) NOT-FOR-US: 3Com CVE-2006-3973 (My Firewall Plus 5.0 Build 1119 does not verify if explorer.exe is run ...) NOT-FOR-US: My Firewall Plus CVE-2006-3972 (Directory traversal vulnerability in includes/operator_chattranscript. ...) NOT-FOR-US: Ajax Chat CVE-2006-3971 (Cross-site scripting (XSS) vulnerability in visitor/livesupport/chat.p ...) NOT-FOR-US: Ajax Chat CVE-2006-XXXX [Buffer overflow in XML::Parser::Expat triggered by utf8] - libxml-parser-perl 2.34-4.2 (bug #378411; medium) CVE-2006-XXXX [Buffer overflow in XML::Parser::Expat triggered by deep nesting] - libxml-parser-perl 2.34-4.1 (bug #378412; medium) CVE-2006-3970 (PHP remote file inclusion vulnerability in lmo.php in the LMO Componen ...) NOT-FOR-US: LMO for joomla CVE-2006-3969 (PHP remote file inclusion vulnerability in administrator/components/co ...) NOT-FOR-US: Colophon for joomla CVE-2006-3968 (The crypto provider in Sun Solaris 10 3/05 HW2 without patch 121236-01 ...) NOT-FOR-US: Solaris CVE-2006-3967 (PHP remote file inclusion vulnerability in component/option,com_moskoo ...) NOT-FOR-US: moskool CVE-2006-3966 (PHP remote file inclusion vulnerability in /lib/tree/layersmenu.inc.ph ...) NOT-FOR-US: MyNewsGroups CVE-2006-3965 (Banex PHP MySQL Banner Exchange 2.21 stores lib.inc under the web docu ...) NOT-FOR-US: Banex PHP MySQL Banner Exchange CVE-2006-3964 (PHP remote file inclusion vulnerability in members.php in Banex PHP My ...) NOT-FOR-US: Banex PHP MySQL Banner Exchange CVE-2006-3963 (Multiple SQL injection vulnerabilities in Banex PHP MySQL Banner Excha ...) NOT-FOR-US: Banex PHP MySQL Banner Exchange CVE-2006-3962 (PHP remote file inclusion vulnerability in administrator/components/co ...) NOT-FOR-US: com_bayesiannaivefilter for mambo CVE-2006-3961 (Buffer overflow in McSubMgr ActiveX control (mcsubmgr.dll) in McAfee S ...) NOT-FOR-US: McAfee CVE-2006-3960 (SQL injection vulnerability in top.php in X-Scripts X-Poll, probably 2 ...) NOT-FOR-US: X-Scripts X-Poll CVE-2006-3959 (SQL injection vulnerability in protect.php in X-Scripts X-Protection 1 ...) NOT-FOR-US: X-Scripts X-Protection CVE-2006-3958 (Multiple unspecified cross-site scripting (XSS) vulnerabilities in Tas ...) NOT-FOR-US: Taskjitsu CVE-2006-3957 (PHP remote file inclusion vulnerability in payment.php in BosDev BosDa ...) NOT-FOR-US: BosDates CVE-2006-3956 (Multiple cross-site scripting (XSS) vulnerabilities in contact.php in ...) NOT-FOR-US: Advanced Webhost Billing System CVE-2006-3955 (Multiple PHP remote file inclusion vulnerabilities in MiniBB Forum 1.5 ...) NOT-FOR-US: MiniBB Forum CVE-2006-3954 (Directory traversal vulnerability in usercp.php in MyBB (aka MyBulleti ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-3953 (Cross-site scripting (XSS) vulnerability in usercp.php in MyBB (aka My ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-3952 (Stack-based buffer overflow in EFS Software Easy File Sharing FTP Serv ...) NOT-FOR-US: EFS Software Easy File Sharing FTP CVE-2006-3951 (PHP remote file inclusion vulnerability in moodle.php in Mam-moodle al ...) NOT-FOR-US: Mam-moodle alpha component (com_moodle) for Mambo CVE-2006-3950 (SQL injection vulnerability in x-statistics.php in X-Scripts X-Statist ...) NOT-FOR-US: X-Statistics CVE-2006-3949 (PHP remote file inclusion vulnerability in artlinks.dispnew.php in the ...) NOT-FOR-US: com_artlinks for Mambo CVE-2006-3948 (Cross-site scripting (XSS) vulnerability in modules.php in PHP-Nuke IN ...) NOT-FOR-US: php-nuke CVE-2006-3947 (PHP remote file inclusion vulnerability in components/com_mambatstaff/ ...) NOT-FOR-US: Mambatstaff CVE-2006-3946 (WebCore in Apple Mac OS X 10.3.9 and 10.4 through 10.4.7 allows remote ...) NOT-FOR-US: Apple Safari 2.0.4 NOTE: konqueror 3.5.x is not affected NOTE: PoC http://web.archive.org/web/20130701013045/http://browserfun.blogspot.com/2006/07/mobb-31-safari-khtmlparserpoponeblock.html CVE-2006-3945 (The CSS functionality in Opera 9 on Windows XP SP2 allows remote attac ...) NOT-FOR-US: Opera CVE-2006-3944 (Microsoft Internet Explorer 6 on Windows XP SP2 allows remote attacker ...) NOT-FOR-US: Microsoft CVE-2006-3943 (Stack-based buffer overflow in NDFXArtEffects in Microsoft Internet Ex ...) NOT-FOR-US: Microsoft CVE-2006-3942 (The server driver (srv.sys) in Microsoft Windows NT 4.0, 2000, XP, and ...) NOT-FOR-US: Microsoft CVE-2006-3941 (Unspecified vulnerability in the daemons for Sun N1 Grid Engine 5.3 an ...) NOT-FOR-US: N1 Grid Engine CVE-2006-3940 (Multiple SQL injection vulnerabilities in phpbb-Auction allow remote a ...) NOT-FOR-US: phpbb-Auction CVE-2006-3939 (ScriptsCenter ezUpload Pro 2.2.0 allows remote attackers to perform ad ...) NOT-FOR-US: ScriptsCenter ezUpload Pro CVE-2006-3938 (DotClear allows remote attackers to obtain sensitive information via a ...) NOT-FOR-US: DotClear CVE-2006-3937 (post.php in x_atrix xGuestBook 1.02 allows remote attackers to obtain ...) NOT-FOR-US: x_atrix xGuestBook CVE-2006-3936 (system/workplace/editors/editor.jsp in Alkacon OpenCms before 6.2.2 al ...) NOT-FOR-US: Alkacon OpenCms CVE-2006-3935 (system/workplace/views/admin/admin-main.jsp in Alkacon OpenCms before ...) NOT-FOR-US: Alkacon OpenCms CVE-2006-3934 (Absolute path traversal vulnerability in downloadTrigger.jsp in Alkaco ...) NOT-FOR-US: Alkacon OpenCms CVE-2006-3933 (Cross-site scripting (XSS) vulnerability in Alkacon OpenCms before 6.2 ...) NOT-FOR-US: OpenCms CVE-2006-3932 (SQL injection vulnerability in links.php in Gonafish LinksCaffe 3.0 al ...) NOT-FOR-US: LinksCaffe CVE-2006-3931 (Buffer overflow in the daemon function in midirecord.cc in Tuomas Aira ...) NOT-FOR-US: Midirecord CVE-2006-3930 (PHP remote file inclusion vulnerability in admin.a6mambohelpdesk.php i ...) NOT-FOR-US: a6mambohelpdesk Mambo Component 18RC1 CVE-2006-3929 (Cross-site scripting (XSS) vulnerability in the Forms/rpSysAdmin scrip ...) NOT-FOR-US: Zyxel CVE-2006-3928 (PHP remote file inclusion vulnerability in index.php in WMNews 0.2a an ...) NOT-FOR-US: WMNews CVE-2006-3927 (Cross-site scripting (XSS) vulnerability in auctionsearch.php in PhpPr ...) NOT-FOR-US: PhpProBid CVE-2006-3926 (Multiple SQL injection vulnerabilities in PhpProBid 5.24 allow remote ...) NOT-FOR-US: PhpProBid CVE-2006-3925 (Stack-based buffer overflow in ITIRecorder.MicRecorder ActiveX control ...) NOT-FOR-US: ITIRecorder.MicRecorder ActiveX control CVE-2006-3924 (Multiple cross-site scripting (XSS) vulnerabilities in Dokeos before 1 ...) NOT-FOR-US: Dokeos CVE-2006-3923 (Cross-site scripting (XSS) vulnerability in add.php in Fire-Mouse Topl ...) NOT-FOR-US: Fire-Mouse Toplist CVE-2006-3922 (PHP remote file inclusion vulnerability in mod_membre/inscription.php ...) NOT-FOR-US: PortailPHP CVE-2006-3921 (Sun Java System Application Server (SJSAS) 7 through 8.1 and Web Serve ...) NOT-FOR-US: Sun Java System Application Server CVE-2006-3920 (The TCP implementation in Sun Solaris 8, 9, and 10 before 20060726 all ...) NOT-FOR-US: Sun Solaris CVE-2006-3919 (SQL injection vulnerability in index.php in SD Studio CMS allows remot ...) NOT-FOR-US: SD Studio CMS CVE-2006-3918 (http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 bef ...) {DSA-1167-1} - apache2 2.0.55-4.1 (bug #381376; low) [sarge] - apache2 2.0.54-5sarge2 - apache 1.3.34-3 (bug #381381; medium) CVE-2006-3917 (PHP remote file inclusion vulnerability in inc/gabarits.php in R. Cors ...) NOT-FOR-US: PHP Forge CVE-2006-3916 (Cross-site scripting (XSS) vulnerability in snews.php in sNews (aka So ...) NOT-FOR-US: Solucija News CVE-2006-3915 (Microsoft Internet Explorer 6 on Windows XP SP2 allows remote attacker ...) NOT-FOR-US: Microsoft CVE-2006-3914 (Cross-site scripting (XSS) vulnerability in Blackboard Academic Suite ...) NOT-FOR-US: Academic Suite CVE-2006-3913 (Buffer overflow in Freeciv 2.1.0-beta1 and earlier, and SVN 15 Jul 200 ...) {DSA-1142-1} - freeciv 2.0.8-3 (bug #381378; medium) CVE-2006-3912 (Stack-based buffer overflow in the SFX module in WinRAR before 3.60 be ...) NOT-FOR-US: WinRAR CVE-2006-3911 (PHP remote file inclusion vulnerability in OSI Codes PHP Live! 3.2.1 a ...) NOT-FOR-US: PHP Live CVE-2006-3910 (Internet Explorer 6 on Windows XP SP2, when Outlook is installed, allo ...) NOT-FOR-US: Microsoft CVE-2006-3909 (Cross-site scripting (XSS) vulnerability in calendar.php in WWWthreads ...) NOT-FOR-US: WWWthreads CVE-2006-3908 (Format string vulnerability in the flush_output function in ConsoleStr ...) - gnelib 0.75+svn20091130-1 NOTE: issue was fixed back in 2006 but there hasn't been any NOTE: release since 0.70 which is affected CVE-2006-3907 (Siemens SpeedStream 2624 allows remote attackers to cause a denial of ...) NOT-FOR-US: Siemens CVE-2006-3906 (Internet Key Exchange (IKE) version 1 protocol, as implemented on Cisc ...) NOT-FOR-US: Cisco CVE-2006-3905 (SQL injection vulnerability in Webland MyBloggie 2.1.3 allows remote a ...) NOT-FOR-US: Webland MyBloggie CVE-2006-3904 (SQL injection vulnerability in manager/index.php in Etomite CMS 0.6.1 ...) NOT-FOR-US: Etomite CMS CVE-2006-3903 (CRLF injection vulnerability in (1) index.php and (2) admin.php in myW ...) NOT-FOR-US: Webland MyBloggie CVE-2006-3902 (Cross-site scripting (XSS) vulnerability in index.php in phpFaber TopS ...) NOT-FOR-US: phpFaber TopSites CVE-2006-3901 (Multiple stack-based buffer overflows in Tumbleweed Email Firewall (EM ...) NOT-FOR-US: Tumbleweed Email Firewall CVE-2006-3900 (Cross-site scripting (XSS) vulnerability in guestbook.php in TP-Book 1 ...) NOT-FOR-US: TP-Book CVE-2006-3899 (Microsoft Internet Explorer 6.0 on Windows XP SP2 allows remote attack ...) NOT-FOR-US: Microsoft CVE-2006-3898 (Microsoft Internet Explorer 6.0 on Windows XP SP2 allows remote attack ...) NOT-FOR-US: Microsoft CVE-2006-3897 (Stack overflow in Microsoft Internet Explorer 6 on Windows 2000 allows ...) NOT-FOR-US: Microsoft CVE-2006-3896 (The NeoScale Systems CryptoStor 700 series appliance before 2.6 relies ...) NOT-FOR-US: NeoScale Systems CryptoStor CVE-2006-3895 RESERVED CVE-2006-3894 (The RSA Crypto-C before 6.3.1 and Cert-C before 2.8 libraries, as used ...) NOT-FOR-US: RSA BSAFE CVE-2006-3893 (Multiple buffer overflows in the ActiveX controls in Newtone ImageKit ...) NOT-FOR-US: Newtone ImageKit CVE-2006-3892 (The Management Console server in EMC NetWorker (formerly Legato NetWor ...) NOT-FOR-US: EMC NetWorker CVE-2006-3891 RESERVED CVE-2006-3890 (Stack-based buffer overflow in the Sky Software FileView ActiveX contr ...) NOT-FOR-US: Sky Software FileView ActiveX CVE-2006-3889 RESERVED CVE-2006-3888 (Buffer overflow in AOL You've Got Pictures (YGP) Pic Downloader YGPPDo ...) NOT-FOR-US: AOL CVE-2006-3887 (Buffer overflow in AOL You've Got Pictures (YGP) Screensaver ActiveX c ...) NOT-FOR-US: AOL CVE-2006-3886 (SQL injection vulnerability in Shalwan MusicBox 2.3.4 and earlier allo ...) NOT-FOR-US: Shalwan MusicBox CVE-2006-3885 (Directory traversal vulnerability in Check Point Firewall-1 R55W befor ...) NOT-FOR-US: Check Point Firewall-1 CVE-2006-3884 (Multiple SQL injection vulnerabilities in links.php in Gonafish LinksC ...) NOT-FOR-US: Gonafish LinksCaffe CVE-2006-3883 (Multiple cross-site scripting (XSS) vulnerabilities in Gonafish LinksC ...) NOT-FOR-US: Gonafish LinksCaffe CVE-2006-3882 (Shalwan MusicBox 2.3.4 and earlier allows remote attackers to obtain c ...) NOT-FOR-US: Shalwan MusicBox CVE-2006-3881 (Cross-site scripting (XSS) vulnerability in Shalwan MusicBox 2.3.4 and ...) NOT-FOR-US: Shalwan MusicBox CVE-2006-3880 NOT-FOR-US: Zen Cart CVE-2006-3879 (Integer overflow in the loadChunk function in loaders/load_gt2.c in li ...) - libmikmod (Debian's 3.1.1 version doesn't have GT2 support) CVE-2006-3878 (Opsware Network Automation System (NAS) 6.0 installs /etc/init.d/mysql ...) NOT-FOR-US: Opsware Network Automation System CVE-2006-3877 (Unspecified vulnerability in PowerPoint in Microsoft Office 2000, Offi ...) NOT-FOR-US: Microsoft CVE-2006-3876 (Unspecified vulnerability in PowerPoint in Microsoft Office 2000, Offi ...) NOT-FOR-US: Microsoft CVE-2006-3875 (Unspecified vulnerability in Microsoft Excel 2000, 2002, 2003, 2004 fo ...) NOT-FOR-US: Microsoft CVE-2006-3874 REJECTED CVE-2006-3873 (Heap-based buffer overflow in URLMON.DLL in Microsoft Internet Explore ...) NOT-FOR-US: Microsoft CVE-2006-3872 REJECTED CVE-2006-3871 REJECTED CVE-2006-3870 REJECTED CVE-2006-3869 (Heap-based buffer overflow in URLMON.DLL in Microsoft Internet Explore ...) NOT-FOR-US: Microsoft CVE-2006-3868 (Unspecified vulnerability in Microsoft Office XP and 2003 allows remot ...) NOT-FOR-US: Microsoft CVE-2006-3867 (Unspecified vulnerability in Microsoft Excel 2000, 2002, 2003, 2004 fo ...) NOT-FOR-US: Microsoft CVE-2006-3866 REJECTED CVE-2006-3865 REJECTED CVE-2006-3864 (Unspecified vulnerability in mso.dll in Microsoft Office 2000, XP, and ...) NOT-FOR-US: Microsoft CVE-2006-3863 REJECTED CVE-2006-3862 (Buffer overflow in IBM Informix Dynamic Server (IDS) 9.40.TC5 through ...) NOT-FOR-US: IBM Informix Dynamic Server CVE-2006-3861 (IBM Informix Dynamic Server (IDS) before 9.40.xC7 and 10.00 before 10. ...) NOT-FOR-US: IBM Informix Dynamic Server CVE-2006-3860 (IBM Informix Dynamic Server (IDS) before 9.40.xC7 and 10.00 before 10. ...) NOT-FOR-US: IBM Informix Dynamic Server CVE-2006-3859 (IBM Informix Dynamic Server (IDS) allows remote authenticated users to ...) NOT-FOR-US: IBM Informix Dynamic Server CVE-2006-3858 (IBM Informix Dynamic Server (IDS) before 9.40.xC8 and 10.00 before 10. ...) NOT-FOR-US: IBM Informix Dynamic Server CVE-2006-3857 (Multiple buffer overflows in IBM Informix Dynamic Server (IDS) before ...) NOT-FOR-US: IBM Informix Dynamic Server CVE-2006-3856 (IBM Informix Dynamic Server (IDS) before 9.40.xC7 and 10.00 before 10. ...) NOT-FOR-US: IBM Informix Dynamic Server CVE-2006-3855 (The ifx_load_internal function in IBM Informix Dynamic Server (IDS) al ...) NOT-FOR-US: IBM Informix Dynamic Server CVE-2006-3854 (Buffer overflow in IBM Informix Dynamic Server (IDS) 9.40.TC7, 9.40.TC ...) NOT-FOR-US: IBM Informix Dynamic Server CVE-2006-3853 (Buffer overflow in IBM Informix Dynamic Server (IDS) before 9.40.TC7 a ...) NOT-FOR-US: IBM Informix Dynamic Server CVE-2006-3852 (Cross-site scripting (XSS) vulnerability in index.php in Micro GuestBo ...) NOT-FOR-US: Micro GuestBook CVE-2006-3851 (SQL injection vulnerability in upgradev1.php in X7 Chat 2.0.4 and earl ...) NOT-FOR-US: X7 Chat CVE-2006-3850 NOT-FOR-US: Vanilla CMS CVE-2006-3849 (Stack-based buffer overflow in Warzone 2100 and Warzone Resurrection 2 ...) NOT-FOR-US: Warzone CVE-2006-3848 (Cross-site scripting (XSS) vulnerability in CGI wrapper for IP Calcula ...) - ipcalc 0.41-1 (bug #381469; low) [sarge] - ipcalc (No exploit potential) CVE-2006-3847 (PHP remote file inclusion vulnerability in (1) admin.php, and possibly ...) NOT-FOR-US: MoSpray CVE-2006-3846 (PHP remote file inclusion vulnerability in extadminmenus.class.php in ...) NOT-FOR-US: MultiBanners CVE-2006-3845 (Stack-based buffer overflow in lzh.fmt in WinRAR 3.00 through 3.60 bet ...) NOT-FOR-US: WinRAR CVE-2006-3844 (Buffer overflow in Quick 'n Easy FTP Server 3.0 allows remote authenti ...) NOT-FOR-US: Quick 'n Easy FTP Server CVE-2006-3843 (PHP remote file inclusion vulnerability in com_calendar.php in Calenda ...) NOT-FOR-US: Calendar Mambo Module CVE-2006-3842 (Cross-site scripting (XSS) vulnerability in Zoho Virtual Office 3.2 Bu ...) NOT-FOR-US: Zoho Virtual Office CVE-2006-3841 (Cross-site scripting (XSS) vulnerability in WebScarab before 20060718- ...) NOT-FOR-US: WebScarab CVE-2006-3840 (The SMB Mailslot parsing functionality in PAM in multiple ISS products ...) NOT-FOR-US: various ISS products CVE-2006-3839 RESERVED CVE-2006-3838 (Multiple stack-based buffer overflows in eIQnetworks Enterprise Securi ...) NOT-FOR-US: eIQnetworks Enterprise CVE-2006-XXXX [syslog-ng dos] - syslog-ng 2.0rc1-2 (low) [sarge] - syslog-ng (Vulnerable code not present) CVE-2006-XXXX [courier-authdaemon: wrong socket permissions may lead to password disclosure] - courier-authlib 0.58-3.1 (bug #378571; medium) [sarge] - courier-authlib (bug #378571; medium) CVE-2006-4046 (Multiple stack-based buffer overflows in Open Cubic Player 2.6.0pre6 a ...) - ocp 0.1.10rc6-1 (medium; bug #381098) CVE-2006-XXXX [uqwk buffer overflow] - uqwk 2.21-13 (bug #376577; low) [sarge] - uqwk (Minor issue) CVE-2006-3837 (delcookie.php in Professional Home Page Tools Guestbook changes the ex ...) NOT-FOR-US: Professional Home Page Tools Guestbook CVE-2006-3836 (Directory traversal vulnerability in index.php in UNIDOmedia Chameleon ...) NOT-FOR-US: UNIDOmedia Chameleon CVE-2006-3835 (Apache Tomcat 5 before 5.5.17 allows remote attackers to list director ...) - tomcat5 (bug #380361; maintainter can't reproduce) - tomcat5.5 (bug #380376; maintainer can't reproduce) CVE-2006-3834 (EJ3 TOPo 2.2.178 includes the password in cleartext in the ID field to ...) NOT-FOR-US: EJ3 TOPo CVE-2006-3833 (index.php in EJ3 TOPo 2.2.178 allows remote attackers to overwrite exi ...) NOT-FOR-US: EJ3 TOPo CVE-2006-3832 (SQL injection vulnerability in index.php in Gerrit van Aaken Loudblog ...) NOT-FOR-US: Gerrit van Aaken Loudblog CVE-2006-3831 (The Backup selection in Kailash Nadh boastMachine (formerly bMachine) ...) NOT-FOR-US: Kailash Nadh boastMachine (formerly bMachine) CVE-2006-3830 (The Languages selection in the admin interface in Kailash Nadh boastMa ...) NOT-FOR-US: Kailash Nadh boastMachine (formerly bMachine) CVE-2006-3829 (Cross-site request forgery (CSRF) vulnerability in bmc/admin.php in Ka ...) NOT-FOR-US: Kailash Nadh boastMachine (formerly bMachine) CVE-2006-3828 (Incomplete blacklist vulnerability in Kailash Nadh boastMachine (forme ...) NOT-FOR-US: Kailash Nadh boastMachine (formerly bMachine) CVE-2006-3827 (SQL injection vulnerability in bmc/Inc/core/admin/search.inc.php in Ka ...) NOT-FOR-US: Kailash Nadh boastMachine (formerly bMachine) CVE-2006-3826 (Multiple cross-site scripting (XSS) vulnerabilities in Kailash Nadh bo ...) NOT-FOR-US: Kailash Nadh boastMachine (formerly bMachine) CVE-2006-3825 (The IPv4 implementation in Sun Solaris 10 before 20060721 allows local ...) NOT-FOR-US: Solaris CVE-2006-3824 (systeminfo.c for Sun Solaris allows local users to read kernel memory ...) NOT-FOR-US: Solaris CVE-2006-3823 (SQL injection vulnerability in index.php in GeodesicSolutions (1) GeoA ...) NOT-FOR-US: GeodesicSolutions GeoAuctions Premier and GeoClassifieds Basic CVE-2006-3822 (SQL injection vulnerability in index.php in GeodesicSolutions GeoAucti ...) NOT-FOR-US: GeodesicSolutions GeoAuctions CVE-2006-3821 (Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.5.3 al ...) NOT-FOR-US: ATutor CVE-2006-3820 (Cross-site scripting (XSS) vulnerability in loudblog/index.php in Loud ...) NOT-FOR-US: Loudblog CVE-2006-3819 (Eval injection vulnerability in the configure script in TWiki 4.0.0 th ...) - twiki (only 4.0.x is affected) CVE-2006-3818 (Cross-site scripting (XSS) vulnerability in the login page in Novell G ...) NOT-FOR-US: Novell GroupWise WebAccess CVE-2006-3817 (Cross-site scripting (XSS) vulnerability in Novell GroupWise WebAccess ...) NOT-FOR-US: Novell GroupWise WebAccess CVE-2006-3816 (Krusader 1.50-beta1 up to 1.70.0 stores passwords for remote connectio ...) - krusader (bug #380063; file in directory with 0700 permissions) CVE-2006-3815 (heartbeat.c in heartbeat before 2.0.6 sets insecure permissions in a s ...) {DSA-1128} - heartbeat 1.2.4-13 (bug #379904; bug #380289) CVE-2006-3814 (Buffer overflow in the Loader_XM::load_instrument_internal function in ...) {DSA-1166} - cheesetracker 0.9.9-6 (bug #380364; low) CVE-2006-3813 (A regression error in the Perl package for Red Hat Enterprise Linux 4 ...) NOT-FOR-US: Perl in Red Hat Enterprise Linux 4 CVE-2006-3812 (Mozilla Firefox before 1.5.0.5, Thunderbird before 1.5.0.5, and SeaMon ...) NOTE: MFSA-2006-56 [sarge] - mozilla - mozilla (medium) - xulrunner 1.8.0.5-1 (medium) [sarge] - mozilla-firefox (Only Firefox 1.5 is affected) - firefox 1.5.dfsg+1.5.0.5-1 (medium) - thunderbird 1.5.0.5-1 (unimportant) [sarge] - mozilla-thunderbird (unimportant) CVE-2006-3811 (Multiple vulnerabilities in Mozilla Firefox before 1.5.0.5, Thunderbir ...) {DSA-1161 DSA-1160 DSA-1159} NOTE: MFSA-2006-55 - mozilla (high) - xulrunner 1.8.0.5-1 (high) - mozilla-firefox (high) - firefox 1.5.dfsg+1.5.0.5-1 (high) - thunderbird 1.5.0.5-1 (medium) - mozilla-thunderbird (medium) CVE-2006-3810 (Cross-site scripting (XSS) vulnerability in Mozilla Firefox 1.5 before ...) {DSA-1159} NOTE: MFSA-2006-54 - mozilla (mozilla 1.7 not affected) - xulrunner 1.8.0.5-1 (high) - mozilla-firefox (only firefox >= 1.5) - firefox 1.5.dfsg+1.5.0.5-1 (high) - thunderbird 1.5.0.5-1 (medium) CVE-2006-3809 (Mozilla Firefox before 1.5.0.5, Thunderbird before 1.5.0.5, and SeaMon ...) {DSA-1161 DSA-1160 DSA-1159} NOTE: MFSA-2006-53 - mozilla (medium) - xulrunner 1.8.0.5-1 (medium) - mozilla-firefox (medium) - firefox 1.5.dfsg+1.5.0.5-1 (medium) - thunderbird 1.5.0.5-1 (medium) - mozilla-thunderbird (medium) CVE-2006-3808 (Mozilla Firefox before 1.5.0.5 and SeaMonkey before 1.0.3 allows remot ...) {DSA-1161 DSA-1160 DSA-1159} NOTE: MFSA-2006-52 - mozilla (medium) - xulrunner 1.8.0.5-1 (medium) - mozilla-firefox (medium) - firefox 1.5.dfsg+1.5.0.5-1 (medium) - thunderbird 1.5.0.5-1 CVE-2006-3807 (Mozilla Firefox before 1.5.0.5, Thunderbird before 1.5.0.5, and SeaMon ...) {DSA-1161 DSA-1160 DSA-1159} NOTE: MFSA-2006-51 - mozilla (high) - xulrunner 1.8.0.5-1 (high) - mozilla-firefox (high) - firefox 1.5.dfsg+1.5.0.5-1 (high) - thunderbird 1.5.0.5-1 (medium) - mozilla-thunderbird (medium) CVE-2006-3806 (Multiple integer overflows in the Javascript engine in Mozilla Firefox ...) {DSA-1161 DSA-1160 DSA-1159} NOTE: MFSA-2006-50 - mozilla (high) - xulrunner 1.8.0.5-1 (high) - mozilla-firefox (high) - firefox 1.5.dfsg+1.5.0.5-1 (high) - thunderbird 1.5.0.5-1 (medium) - mozilla-thunderbird (medium) CVE-2006-3805 (The Javascript engine in Mozilla Firefox before 1.5.0.5, Thunderbird b ...) {DSA-1161 DSA-1160 DSA-1159} NOTE: MFSA-2006-50 - mozilla (high) - xulrunner 1.8.0.5-1 (high) - mozilla-firefox (high) - firefox 1.5.dfsg+1.5.0.5-1 (high) - thunderbird 1.5.0.5-1 (medium) - mozilla-thunderbird (medium) CVE-2006-3804 (Heap-based buffer overflow in Mozilla Thunderbird before 1.5.0.5 and S ...) NOTE: MFSA-2006-49 - mozilla-firefox (only firefox >= 1.5) [sarge] - mozilla (mozilla 1.7 not affected) - mozilla (high) - thunderbird 1.5.0.5-1 (high) - mozilla-thunderbird (high) CVE-2006-3803 (Race condition in the JavaScript garbage collection in Mozilla Firefox ...) NOTE: MFSA-2006-48 - mozilla (mozilla 1.7 not affected) - xulrunner 1.8.0.5-1 (high) - mozilla-firefox (only firefox >= 1.5) - firefox 1.5.dfsg+1.5.0.5-1 (high) - thunderbird 1.5.0.5-1 (medium) - mozilla-thunderbird CVE-2006-3802 (Mozilla Firefox before 1.5.0.5, Thunderbird before 1.5.0.5, and SeaMon ...) NOTE: MFSA-2006-47 - mozilla (mozilla 1.7 not affected) - xulrunner 1.8.0.5-1 (medium) - mozilla-firefox (only firefox >= 1.5) - firefox 1.5.dfsg+1.5.0.5-1 (medium) - thunderbird 1.5.0.5-1 (medium) - mozilla-thunderbird CVE-2006-3801 (Mozilla Firefox 1.5 before 1.5.0.5 and SeaMonkey before 1.0.3 does not ...) NOTE: MFSA-2006-44 - mozilla-firefox (only firefox >= 1.5) - mozilla-thunderbird (only firefox >= 1.5) - mozilla (mozilla 1.7 not affected) - firefox 1.5.dfsg+1.5.0.5-1 (high) - xulrunner 1.8.0.5-1 (high) - thunderbird 1.5.0.5-1 (medium) CVE-2006-3800 (Cross-site scripting (XSS) vulnerability in Amazing Flash AFCommerce S ...) NOT-FOR-US: AFCommerce CVE-2006-3799 (DeluxeBB 1.07 and earlier allows remote attackers to bypass SQL inject ...) NOT-FOR-US: DeluxeBB CVE-2006-3798 (DeluxeBB 1.07 and earlier allows remote attackers to overwrite the (1) ...) NOT-FOR-US: DeluxeBB CVE-2006-3797 (SQL injection vulnerability in DeluxeBB 1.07 and earlier allows remote ...) NOT-FOR-US: DeluxeBB CVE-2006-3796 (DeluxeBB 1.07 and earlier does not properly handle a username composed ...) NOT-FOR-US: DeluxeBB CVE-2006-3795 (Multiple cross-site scripting (XSS) vulnerabilities in DeluxeBB before ...) NOT-FOR-US: DeluxeBB CVE-2006-3794 NOT-FOR-US: AFCommerce CVE-2006-3793 (PHP remote file inclusion vulnerability in constants.php in SiteDepth ...) NOT-FOR-US: SiteDepth CVE-2006-3792 (SQL injection vulnerability in ServerClientUfo::recv_packet in server_ ...) NOT-FOR-US: UFO2000 CVE-2006-3791 (The decode_stringmap function in server_transport.cpp for UFO2000 svn ...) NOT-FOR-US: UFO2000 CVE-2006-3790 (The decode_stringmap function in server_transport.cpp for UFO2000 svn ...) NOT-FOR-US: UFO2000 CVE-2006-3789 (Multiple array index errors in the (1) recv_rules, (2) recv_select_uni ...) NOT-FOR-US: UFO2000 CVE-2006-3788 (Multiple buffer overflows in multiplay.cpp in UFO2000 svn 1057 allow r ...) NOT-FOR-US: UFO2000 CVE-2006-3787 (kpf4ss.exe in Sunbelt Kerio Personal Firewall 4.3.x before 4.3.268 doe ...) NOT-FOR-US: Sunbelt Kerio Personal Firewall CVE-2006-3786 (Symantec pcAnywhere 12.5 uses weak integrity protection for .cif (aka ...) NOT-FOR-US: Symantec pcAnywhere CVE-2006-3785 (Symantec pcAnywhere 12.5 obfuscates the passwords in a GUI textbox wit ...) NOT-FOR-US: Symantec pcAnywhere CVE-2006-3784 (Symantec pcAnywhere 12.5 uses weak default permissions for the "Symant ...) NOT-FOR-US: Symantec pcAnywhere CVE-2006-3783 (Sun Solaris 10 allows local users to cause a denial of service (panic) ...) NOT-FOR-US: Solaris CVE-2006-3782 (Unspecified vulnerability in the kernel debugger (kmdb) in Sun Solaris ...) NOT-FOR-US: Solaris CVE-2006-3781 (Unspecified vulnerability in Sun Solaris 10 allows context-dependent a ...) NOT-FOR-US: Solaris CVE-2006-3780 (Keyifweb Keyif Portal 2.0 stores sensitive information under the web r ...) NOT-FOR-US: Keyifweb Keyif Portal CVE-2006-3779 (Citrix MetaFrame up to XP 1.0 Feature 1, except when running on Window ...) NOT-FOR-US: Citrix CVE-2006-3778 (IBM Lotus Notes 6.0, 6.5, and 7.0 does not properly handle replies to ...) NOT-FOR-US: IBM CVE-2006-3777 (PHP remote file inclusion vulnerability in index.php in IDevSpot PhpLi ...) NOT-FOR-US: IDevSpot PhpLinkExchange CVE-2006-3776 (PHP remote file inclusion vulnerability in order/index.php in IDevSpot ...) NOT-FOR-US: IDevSpot (1) PhpHostBot 1.0 and (2) AutoHost 3.0 CVE-2006-3775 (SQL injection vulnerability in the init function in class_session.php ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-3774 (PHP remote file inclusion vulnerability in performs.php in the perForm ...) NOT-FOR-US: perForms component (com_performs) for Joomla! CVE-2006-3773 (PHP remote file inclusion vulnerability in smf.php in the SMF-Forum 1. ...) NOT-FOR-US: MF-Forum Bridge Component (com_smf) For Joomla! and Mambo CVE-2006-3772 (PHP-Post 0.21 and 1.0, and possibly earlier versions, when auto-login ...) NOT-FOR-US: PHP-Post CVE-2006-3771 (Multiple PHP remote file inclusion vulnerabilities in component.php in ...) NOT-FOR-US: iManage CMS CVE-2006-3770 (Multiple SQL injection vulnerabilities in index.php in phpFaber TopSit ...) NOT-FOR-US: phpFaber TopSites CVE-2006-3769 (Multiple cross-site scripting (XSS) vulnerabilities in Top XL 1.1 and ...) NOT-FOR-US: Top XL CVE-2006-3768 (Integer underflow in filecpnt.exe in FileCOPA FTP Server 1.01 before 2 ...) NOT-FOR-US: FileCOPA FTP Server CVE-2006-3767 (Cross-site scripting (XSS) vulnerability in showprofile.php in Darren' ...) NOT-FOR-US: Darren's $5 Script Archive osDate CVE-2006-3766 (Darren's $5 Script Archive osDate 1.1.7 and earlier allows users to bo ...) NOT-FOR-US: Darren's $5 Script Archive osDate CVE-2006-3765 (Multiple cross-site scripting (XSS) vulnerabilities in Huttenlocher We ...) NOT-FOR-US: uttenlocher Webdesign hwdeGUEST CVE-2006-3764 (Till Gerken phpPolls 1.0.3 allows remote attackers to create a new pol ...) NOT-FOR-US: phpPolls CVE-2006-3763 (SQL injection vulnerability in category.php in Diesel Joke Site allows ...) NOT-FOR-US: Diesel Joke Site CVE-2006-3762 (The Touch Control ActiveX control 2.0.0.55 allows remote attackers to ...) NOT-FOR-US: Touch Control ActiveX control CVE-2006-3761 (Cross-site scripting (XSS) vulnerability in inc/functions_post.php in ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-3760 (Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) 1 ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-3759 (Unspecified vulnerability in MyBB (aka MyBulletinBoard) 1.1.4, related ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-3758 (inc/init.php in Archive Mode (Light) in MyBB (aka MyBulletinBoard) 1.1 ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-3757 (index.php in Zen Cart 1.3.0.2 allows remote attackers to obtain sensit ...) NOT-FOR-US: Zen Cart CVE-2006-3756 (Cross-site scripting (XSS) vulnerability in Geeklog 1.4.0sr4 and earli ...) NOT-FOR-US: Geeklog CVE-2006-3755 (PHP remote file inclusion vulnerability in Include/editor/class.rich.p ...) NOT-FOR-US: FlushCMS CVE-2006-3754 (PHP remote file inclusion vulnerability in Include/editor/rich_files/c ...) NOT-FOR-US: FlushCMS CVE-2006-3753 (setcookie.php for the administration login in Professional Home Page T ...) NOT-FOR-US: Professional Home Page Tools Guestbook CVE-2006-3752 (Multiple SQL injection vulnerabilities in class.php in Professional Ho ...) NOT-FOR-US: Professional Home Page Tools Guestbook CVE-2006-3751 (PHP remote file inclusion vulnerability in popups/ImageManager/config. ...) NOT-FOR-US: HTMLArea3 CVE-2006-3750 (PHP remote file inclusion vulnerability in server.php in the Hashcash ...) NOT-FOR-US: Hashcash Component (com_hashcash) for Joomla CVE-2006-3749 (PHP remote file inclusion vulnerability in sitemap.xml.php in Sitemap ...) NOT-FOR-US: Sitemap component (com_sitemap) for Mambo CVE-2006-3748 (PHP remote file inclusion vulnerability in includes/abbc/abbc.class.ph ...) NOT-FOR-US: LoudMouth Component for Mambo CVE-2006-3747 (Off-by-one error in the ldap scheme handling in the Rewrite module (mo ...) {DSA-1132-1 DSA-1131-1} - apache 1.3.34-3 (medium; bug #380231) - apache2 2.0.55-4.1 (medium; bug #380182) CVE-2006-3746 (Integer overflow in parse_comment in GnuPG (gpg) 1.4.4 allows remote a ...) {DSA-1141-1 DSA-1140-1} - gnupg 1.4.5-1 (medium; bug #381204) - gnupg2 1.9.20-2 (medium) CVE-2006-3745 (Unspecified vulnerability in the sctp_make_abort_user function in the ...) {DSA-1184-2 DSA-1183-1} - linux-2.6 2.6.17-7 CVE-2006-3744 (Multiple integer overflows in ImageMagick before 6.2.9 allows user-ass ...) {DSA-1168-1} - imagemagick 7:6.2.4.5.dfsg1-0.10 (bug #385062) - graphicsmagick 1.1.7-7 CVE-2006-3743 (Multiple buffer overflows in ImageMagick before 6.2.9 allow user-assis ...) {DSA-1168-1} - imagemagick 7:6.2.4.5.dfsg1-0.10 (bug #385062) - graphicsmagick 1.1.7-8 CVE-2006-3742 (The KDE PAM configuration shipped with Fedora Core 5 causes KDM passwo ...) - kdebase NOTE: only in Fedora CVE-2006-3741 (The perfmonctl system call (sys_perfmonctl) in Linux kernel 2.4.x and ...) {DSA-1233} - linux-2.6 2.6.18-1 CVE-2006-3740 (Integer overflow in the scan_cidfont function in X.Org 6.8.2 and XFree ...) {DSA-1193-1} - libxfont 1:1.2.2-1 CVE-2006-3739 (Integer overflow in the CIDAFM function in X.Org 6.8.2 and XFree86 X s ...) {DSA-1193-1} - libxfont 1:1.2.2-1 CVE-2006-3738 (Buffer overflow in the SSL_get_shared_ciphers function in OpenSSL 0.9. ...) {DSA-1195-1 DSA-1185-2} - openssl 0.9.8c-2 (bug #389940) - openssl097 0.9.7k-2 - openssl096 CVE-2006-XXXX [htdig: several unspecified security problems] - htdig 1:3.2.0b6-1 CVE-2006-XXXX [ldap account manager sets trivial password instead of disabling it] - ldap-account-manager 1.0.2-1.1 (bug #368804; medium) [sarge] - ldap-account-manager CVE-2006-XXXX [ldap account manager wrongly unlocks some passwords] - ldap-account-manager 1.0.3-1 (bug #375453; medium) [sarge] - ldap-account-manager CVE-2006-3737 (Cross-site scripting (XSS) vulnerability in filemanager/filemanager.ph ...) NOT-FOR-US: Plesk CVE-2006-3736 (PHP remote file inclusion vulnerability in core/videodb.class.xml.php ...) NOT-FOR-US: VideoDB for Mambo CVE-2006-3735 (Multiple PHP remote file inclusion vulnerabilities in Mail2Forum (modu ...) NOT-FOR-US: Mail2Forum CVE-2006-3734 (Multiple unspecified vulnerabilities in the Command Line Interface (CL ...) NOT-FOR-US: Cisco CVE-2006-3733 (jmx-console/HtmlAdaptor in the jmx-console in the JBoss web applicatio ...) NOT-FOR-US: Cisco CVE-2006-3732 (Cisco Security Monitoring, Analysis and Response System (CS-MARS) befo ...) NOT-FOR-US: Cisco CVE-2006-3731 (Mozilla Firefox 1.5.0.4 and earlier allows remote user-assisted attack ...) - firefox 1.5.dfsg+1.5.0.6-1 (bug #379050; low) [sarge] - mozilla-firefox (Unreproducible on Sarge) CVE-2006-3730 (Integer overflow in Microsoft Internet Explorer 6 on Windows XP SP2 al ...) NOT-FOR-US: MSIE CVE-2006-3729 (DataSourceControl in Internet Explorer 6 on Windows XP SP2 with Office ...) NOT-FOR-US: MSIE CVE-2006-3728 (Unspecified vulnerability in the kernel in Solaris 10 with patch 11882 ...) NOT-FOR-US: Solaris CVE-2006-3727 (Multiple SQL injection vulnerabilities in Eskolar CMS 0.9.0.0 allow re ...) NOT-FOR-US: Eskolar CMS CVE-2006-3726 (Buffer overflow in FileCOPA FTP Server before 1.01 released on 18th Ju ...) NOT-FOR-US: FileCOPA FTP Server CVE-2006-3725 (Norton Personal Firewall 2006 9.1.0.33 allows local users to cause a d ...) NOT-FOR-US: Norton Personal Firewall CVE-2006-3724 (Unspecified vulnerability in JD Edwards HTML Server for Oracle OneWorl ...) NOT-FOR-US: Oracle CVE-2006-3723 (Unspecified vulnerability in PeopleSoft Enterprise Portal for Oracle P ...) NOT-FOR-US: Oracle CVE-2006-3722 (Unspecified vulnerability in PeopleSoft Enterprise Portal for Oracle P ...) NOT-FOR-US: Oracle CVE-2006-3721 (Multiple unspecified vulnerabilities in Oracle Management Service for ...) NOT-FOR-US: Oracle CVE-2006-3720 (Unspecified vulnerability in Enterprise Config Management for Oracle E ...) NOT-FOR-US: Oracle CVE-2006-3719 (Unspecified vulnerability in CORE: Repository for Oracle Enterprise Ma ...) NOT-FOR-US: Oracle CVE-2006-3718 (Multiple unspecified vulnerabilities in Oracle Exchange for Oracle E-B ...) NOT-FOR-US: Oracle CVE-2006-3717 (Multiple unspecified vulnerabilities in Oracle E-Business Suite and Ap ...) NOT-FOR-US: Oracle CVE-2006-3716 (Multiple unspecified vulnerabilities in Oracle E-Business Suite and Ap ...) NOT-FOR-US: Oracle CVE-2006-3715 (Unspecified vulnerability in Calendar for Oracle Collaboration Suite 1 ...) NOT-FOR-US: Oracle CVE-2006-3714 (Unspecified vulnerability in OC4J for Oracle Application Server 10.1.2 ...) NOT-FOR-US: Oracle CVE-2006-3713 (Unspecified vulnerability in OC4J for Oracle Application Server 10.1.3 ...) NOT-FOR-US: Oracle CVE-2006-3712 (Unspecified vulnerability in OC4J for Oracle Application Server 9.0.4. ...) NOT-FOR-US: Oracle CVE-2006-3711 (Unspecified vulnerability in OC4J for Oracle Application Server 9.0.2. ...) NOT-FOR-US: Oracle CVE-2006-3710 (Unspecified vulnerability in OC4J for Oracle Application Server 9.0.2. ...) NOT-FOR-US: Oracle CVE-2006-3709 (Unspecified vulnerability in OC4J for Oracle Application Server 9.0.2. ...) NOT-FOR-US: Oracle CVE-2006-3708 (Unspecified vulnerability in OC4J for Oracle Application Server 9.0.2. ...) NOT-FOR-US: Oracle CVE-2006-3707 (Unspecified vulnerability in OC4J for Oracle Application Server 9.0.2. ...) NOT-FOR-US: Oracle CVE-2006-3706 (Unspecified vulnerability in OC4J for Oracle Application Server 9.0.2. ...) NOT-FOR-US: Oracle CVE-2006-3705 (Multiple unspecified vulnerabilities in Oracle Database 10.1.0.5 have ...) NOT-FOR-US: Oracle CVE-2006-3704 (Unspecified vulnerability in the Oracle ODBC Driver for Oracle Databas ...) NOT-FOR-US: Oracle CVE-2006-3703 (Unspecified vulnerability in InterMedia for Oracle Database 9.0.1.5, 9 ...) NOT-FOR-US: Oracle CVE-2006-3702 (Multiple unspecified vulnerabilities in Oracle Database 8.1.7.4, 9.0.1 ...) NOT-FOR-US: Oracle CVE-2006-3701 (Unspecified vulnerability in the Dictionary component in Oracle Databa ...) NOT-FOR-US: Oracle CVE-2006-3700 (Multiple unspecified vulnerabilities in Oracle Database 9.2.0.6 and 10 ...) NOT-FOR-US: Oracle CVE-2006-3699 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle CVE-2006-3698 (Multiple unspecified vulnerabilities in Oracle Database 10.1.0.5 have ...) NOT-FOR-US: Oracle CVE-2006-3697 (Agnitum Outpost Firewall Pro 3.51.759.6511 (462), as used in (1) Lavas ...) NOT-FOR-US: Outpost Firewall Pro CVE-2006-3696 (filtnt.sys in Outpost Firewall Pro before 3.51.759.6511 (462) allows l ...) NOT-FOR-US: Outpost Firewall Pro CVE-2006-3694 (Multiple unspecified vulnerabilities in Ruby before 1.8.5 allow remote ...) {DSA-1157 DSA-1139-1} - ruby1.8 1.8.4-3 (bug #378029; medium) - ruby1.9 1.9.0+20060609-1 (medium) CVE-2006-3693 (Rocks Clusters 4.1 and earlier allows local users to gain privileges v ...) NOT-FOR-US: Rocks Clusters CVE-2006-3692 NOT-FOR-US: ListMessenger CVE-2006-3691 (Multiple SQL injection vulnerabilities in VBZooM 1.11 and earlier allo ...) NOT-FOR-US: VBZooM CVE-2006-3690 (Multiple PHP remote file inclusion vulnerabilities in MiniBB Forum 1.5 ...) NOT-FOR-US: MiniBB CVE-2006-3689 NOT-FOR-US: Codeworks Gnomedia SubberZ[Lite] CVE-2006-3688 (SQL injection vulnerability in Room.php in Francisco Charrua Photo-Gal ...) NOT-FOR-US: Francisco Charrua Photo-Gallery CVE-2006-3687 (Stack-based buffer overflow in the Universal Plug and Play (UPnP) serv ...) NOT-FOR-US: D-Link CVE-2006-3686 (Unspecified vulnerability in [SYSEXE]SMPUTIL.EXE in HP OpenVMS 7.3-2 a ...) NOT-FOR-US: HP OpenVMS CVE-2006-3685 (PHP remote file inclusion vulnerability in CzarNews 1.12 through 1.14 ...) NOT-FOR-US: CzarNews CVE-2006-3684 (PHP remote file inclusion vulnerability in calendar.php in SoftComplex ...) NOT-FOR-US: SoftComplex PHP Event Calendar CVE-2006-3683 (PHP remote file inclusion vulnerability in poll.php in Flipper Poll 1. ...) NOT-FOR-US: Flipper Poll CVE-2006-3682 (awstats.pl in AWStats 6.5 build 1.857 and earlier allows remote attack ...) - awstats 6.5-2 (bug #378960; low) [sarge] - awstats 6.4-1sarge3 NOTE: A previous DSA introduced a fix that renders this vulnerability in ineffective CVE-2006-3681 (Multiple cross-site scripting (XSS) vulnerabilities in awstats.pl in A ...) - awstats 6.5-2 (bug #378960; unimportant) NOTE: Path disclosure is not an issue for Debian CVE-2006-3680 (Cross-site scripting (XSS) vulnerability in photocycle in Photocycle 1 ...) NOT-FOR-US: Photocycle CVE-2006-3679 (FatWire Content Server 5.5.0 allows remote attackers to bypass access ...) NOT-FOR-US: FatWire Content Server CVE-2006-3678 (TippingPoint IPS running the TippingPoint Operating System (TOS) befor ...) NOT-FOR-US: TippingPoint CVE-2006-3677 (Mozilla Firefox 1.5 before 1.5.0.5 and SeaMonkey before 1.0.3 allows r ...) NOTE: MFSA-2006-45 - mozilla (mozilla 1.7 not affected) - xulrunner 1.8.0.5-1 (high) - mozilla-firefox (only firefox >= 1.5) - firefox 1.5.dfsg+1.5.0.5-1 (high) - thunderbird - mozilla-thunderbird CVE-2006-3676 (admin/gallery_admin.php in planetGallery before 14.07.2006 allows remo ...) NOT-FOR-US: planetGallery CVE-2006-3675 (Password Safe 2.11, 2.16 and 3.0BETA1 does not respect the configurati ...) NOT-FOR-US: Password Safe NOTE: mypasswordsafe and pwsafe might use code from Password Safe, NOTE: but the problematic functionality is not present CVE-2006-3674 (nNetObject.cpp in Armagetron Advanced 2.8.2 and earlier allows remote ...) - armagetron 0.2.8.2.1-1 (bug #379062; low) [sarge] - armagetron (Minor game DoS) [etch] - armagetron (Minor game DoS) CVE-2006-3673 (nNetObject.cpp in Armagetron Advanced 2.8.2 and earlier allows remote ...) - armagetron 0.2.8.2.1-1 (bug #379062; low) [sarge] - armagetron (Minor game DoS) [etch] - armagetron (Minor game DoS) CVE-2006-3672 (KDE Konqueror 3.5.1 and earlier allows remote attackers to cause a den ...) - kdelibs 4:3.5.4-1 (bug #378962; unimportant) CVE-2006-3671 (Cross-site request forgery (CSRF) vulnerability in the communicate fun ...) {DTSA-31-1} - hyperestraier 1.3.3-1 (bug #379060; low) CVE-2006-3670 (Stack-based buffer overflow in Winlpd 1.26 allows remote attackers to ...) NOT-FOR-US: Winlpd CVE-2006-3669 (Mercury Messenger, possibly 1.7.1.1 and other versions, when running o ...) NOT-FOR-US: Mercury Messenger CVE-2006-3668 (Heap-based buffer overflow in the it_read_envelope function in Dynamic ...) {DSA-1123} - libdumb 1:0.9.3-5 (bug #379064; medium) CVE-2006-3667 (Unspecified vulnerability in Sybase/Financial Fusion Consumer Banking ...) NOT-FOR-US: Sybase/Financial Fusion Consumer Banking Suite CVE-2006-3666 (SQL injection vulnerability in AjaxPortal 3.0, with magic_quotes_gpc d ...) NOT-FOR-US: AjaxPortal CVE-2006-3665 (SquirrelMail 1.4.6 and earlier, with register_globals enabled, allows ...) - squirrelmail 2:1.4.7-1 (unimportant) NOTE: Operation with registers_globals not supported CVE-2006-3664 (Unspecified vulnerability in NIS server on Sun Solaris 8, 9, and 10 al ...) NOT-FOR-US: Sun Solaris CVE-2006-3663 (Finjan Vital Security Appliance 5100/8100 NG 8.3.5 stores passwords in ...) NOT-FOR-US: Finjan Appliance CVE-2006-3662 NOT-FOR-US: ATutor CVE-2006-3661 (Cross-site scripting (XSS) vulnerability in Index.PHP in CuteNews 1.4. ...) NOT-FOR-US: CuteNews CVE-2006-3660 (Unspecified vulnerability in Microsoft PowerPoint 2003 has unknown imp ...) NOT-FOR-US: Microsoft PowerPoint CVE-2006-3659 (Microsoft Internet Explorer 6 allows remote attackers to cause a denia ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2006-3658 (Microsoft Internet Explorer 6 allows remote attackers to cause a denia ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2006-3657 (Microsoft Internet Explorer 6 allows remote attackers to cause a denia ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2006-3656 (Unspecified vulnerability in Microsoft PowerPoint 2003 allows user-ass ...) NOT-FOR-US: Microsoft PowerPoint CVE-2006-3655 (Unspecified vulnerability in mso.dll in Microsoft PowerPoint 2003 allo ...) NOT-FOR-US: Microsoft PowerPoint CVE-2006-3654 (Buffer overflow in wksss.exe 8.4.702.0 in Microsoft Works Spreadsheet ...) NOT-FOR-US: Microsoft Works Spreadsheet CVE-2006-3653 (wksss.exe 8.4.702.0 in Microsoft Works Spreadsheet 8.0 allows remote a ...) NOT-FOR-US: Microsoft Works Spreadsheet CVE-2006-3652 (Microsoft Internet Security and Acceleration (ISA) Server 2004 allows ...) NOT-FOR-US: Microsoft Internet Security and Acceleration Server CVE-2006-3651 (Unspecified vulnerability in Microsoft Word 2000, 2002, and Office 200 ...) NOT-FOR-US: Microsoft CVE-2006-3650 (Microsoft Office 2000, XP, 2003, 2004 for Mac, and v.X for Mac do not ...) NOT-FOR-US: Microsoft CVE-2006-3649 (Buffer overflow in Microsoft Visual Basic for Applications (VBA) SDK 6 ...) NOT-FOR-US: Microsoft CVE-2006-3648 (Unspecified vulnerability in Microsoft Windows 2000 SP4, XP SP1 and SP ...) NOT-FOR-US: Microsoft CVE-2006-3647 (Integer overflow in Microsoft Word 2000, 2002, 2003, 2004 for Mac, and ...) NOT-FOR-US: Microsoft CVE-2006-3646 REJECTED CVE-2006-3645 REJECTED CVE-2006-3644 REJECTED CVE-2006-3643 (Cross-site scripting (XSS) vulnerability in Internet Explorer 5.01 and ...) NOT-FOR-US: Microsoft CVE-2006-3642 REJECTED CVE-2006-3641 REJECTED CVE-2006-3640 (Microsoft Internet Explorer 5.01 and 6 allows certain script to persis ...) NOT-FOR-US: Microsoft CVE-2006-3639 (Microsoft Internet Explorer 5.01 and 6 does not properly identify the ...) NOT-FOR-US: Microsoft CVE-2006-3638 (Microsoft Internet Explorer 5.01 and 6 does not properly handle uninit ...) NOT-FOR-US: Microsoft CVE-2006-3637 (Microsoft Internet Explorer 5.01 SP4 and 6 does not properly handle va ...) NOT-FOR-US: Microsoft CVE-2006-3636 (Multiple cross-site scripting (XSS) vulnerabilities in Mailman before ...) {DSA-1188-1} - mailman 1:2.1.8-3 CVE-2006-3635 (The ia64 subsystem in the Linux kernel before 2.6.26 allows local user ...) - linux (Fixed before initial rename to src:linux) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=199440 NOTE: Fixed by: https://git.kernel.org/linus/4dcc29e1574d88f4465ba865ed82800032f76418 (2.6.26-rc5) CVE-2006-3634 (The (1) __futex_atomic_op and (2) futex_atomic_cmpxchg_inatomic functi ...) - linux-2.6 2.6.17-1 (medium) CVE-2006-3633 (OSSP shiela 1.1.5 and earlier allows remote authenticated users to exe ...) NOT-FOR-US: shiela CVE-2006-3632 (Buffer overflow in Wireshark (aka Ethereal) 0.8.16 to 0.99.0 allows re ...) {DSA-1127} - ethereal (bug #378745; high) - wireshark 0.99.2-1 (high) CVE-2006-3631 (Unspecified vulnerability in the SSH dissector in Wireshark (aka Ether ...) {DSA-1127} - ethereal (bug #378745; high) - wireshark 0.99.2-1 (high) CVE-2006-3630 (Multiple off-by-one errors in Wireshark (aka Ethereal) 0.9.7 to 0.99.0 ...) {DSA-1127} - ethereal (bug #378745; high) - wireshark 0.99.2-1 (high) CVE-2006-3629 (Unspecified vulnerability in the MOUNT dissector in Wireshark (aka Eth ...) {DSA-1127} - ethereal (bug #378745; high) - wireshark 0.99.2-1 (high) CVE-2006-3628 (Multiple format string vulnerabilities in Wireshark (aka Ethereal) 0.1 ...) {DSA-1127} - ethereal (bug #378745; high) - wireshark 0.99.2-1 (high) CVE-2006-3627 (Unspecified vulnerability in the GSM BSSMAP dissector in Wireshark (ak ...) - ethereal (bug #378745; high) - wireshark 0.99.2-1 (high) [sarge] - ethereal (Vulnerable code not present) CVE-2006-3625 (FLV Players 8 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: FLV Players CVE-2006-3624 (Multiple cross-site scripting (XSS) vulnerabilities in FLV Players 8 a ...) NOT-FOR-US: FLV Players CVE-2006-3623 (Directory traversal vulnerability in Framework Service component in Mc ...) NOT-FOR-US: McAfee ePolicy Orchestrator CVE-2006-3622 (The showtopic module in Koobi Pro CMS 5.6 allows remote attackers to o ...) NOT-FOR-US: Koobi Pro CMS CVE-2006-3621 (SQL injection vulnerability in the showtopic module in Koobi Pro CMS 5 ...) NOT-FOR-US: Koobi Pro CMS CVE-2006-3620 (Cross-site scripting (XSS) vulnerability in the showtopic module in Ko ...) NOT-FOR-US: Koobi Pro CMS CVE-2006-3619 (Directory traversal vulnerability in FastJar 0.93, as used in Gnu GCC ...) {DSA-1170} - gcc-4.1 4.1.1-11 (bug #368397; low) - gcc-3.4 3.4.4-0 NOTE: gcc-3.4 no longer builds the fastjar package CVE-2006-3618 (SQL injection vulnerability in pblguestbook.php in Pixelated By Lev (P ...) NOT-FOR-US: Pixelated By Lev (PBL) Guestbook CVE-2006-3617 (Cross-site scripting (XSS) vulnerability in pblguestbook.php in Pixela ...) NOT-FOR-US: Pixelated By Lev (PBL) Guestbook CVE-2006-3616 (Multiple cross-site scripting (XSS) vulnerabilities in Carbonize Lazar ...) NOT-FOR-US: Carbonize Lazarus Guestbook CVE-2006-3615 (Multiple PHP remote file inclusion vulnerabilities in Phorum 5.1.14, w ...) NOT-FOR-US: Phorum CVE-2006-3614 (index.php in Orbitcoders OrbitMATRIX 1.0 allows remote attackers to tr ...) NOT-FOR-US: Orbitcoders OrbitMATRIX CVE-2006-3613 (Multiple cross-site scripting (XSS) vulnerabilities in Chamberland Tec ...) NOT-FOR-US: Chamberland Technology ezWaiter CVE-2006-3612 (Cross-site scripting (XSS) vulnerability in Phorum 5.1.14 allows remot ...) NOT-FOR-US: Phorum CVE-2006-3611 (Directory traversal vulnerability in pm.php in Phorum 5 allows remote ...) NOT-FOR-US: Phorum CVE-2006-3610 (index.php in Orbitcoders OrbitMATRIX 1.0 allows remote attackers to ob ...) NOT-FOR-US: Orbitcoders OrbitMATRIX CVE-2006-3609 (Cross-site scripting (XSS) vulnerability in index.php in Orbitcoders O ...) NOT-FOR-US: Orbitcoders OrbitMATRIX CVE-2006-3608 (The Gallery module in Simone Vellei Flatnuke 2.5.7 and earlier, when G ...) NOT-FOR-US: Simone Vellei Flatnuke CVE-2006-3607 (Multiple cross-site scripting (XSS) vulnerabilities in Softbiz Banner ...) NOT-FOR-US: Softbiz Banner Exchange Script (aka Banner Exchange Network Script) CVE-2006-3606 (Unspecified vulnerability in Sun Solaris X Inter Client Exchange libra ...) NOTE: Sun Solaris CVE-2006-3605 (Microsoft Internet Explorer 6 allows remote attackers to cause a denia ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2006-3604 (Directory traversal vulnerability in FlexWATCH Network Camera 3.0 and ...) NOT-FOR-US: FlexWATCH Network Camera CVE-2006-3603 (Cross-site scripting (XSS) vulnerability in index.php in FlexWATCH Net ...) NOT-FOR-US: FlexWATCH Network Camera CVE-2006-3602 (Directory traversal vulnerability in jscripts/tiny_mce/tiny_mce_gzip.p ...) NOTE: this is CVE-2005-4600 NOT-FOR-US: Farsinews CVE-2006-3601 NOT-FOR-US: DotNetNuke CVE-2006-3600 (Multiple stack-based buffer overflows in the LookupTRM::lookup functio ...) {DSA-1135-1} - libtunepimp 0.4.2-4 (bug #378091; medium) CVE-2006-3599 (SQL injection vulnerability in the Nuke Advanced Classifieds module fo ...) NOT-FOR-US: Nuke Advanced Classifieds module for PHP-Nuke CVE-2006-3598 (SQL injection vulnerability in the Sections module for PHP-Nuke allows ...) NOT-FOR-US: Sections module for PHP-Nuke CVE-2006-3597 (passwd before 1:4.0.13 on Ubuntu 6.06 LTS leaves the root password bla ...) - shadow (fix for a mistake in the Ubuntu installer) CVE-2006-3596 (The device driver for Intel-based gigabit network adapters in Cisco In ...) NOT-FOR-US: Cisco CVE-2006-3595 (The default configuration of IOS HTTP server in Cisco Router Web Setup ...) NOT-FOR-US: Cisco CVE-2006-3594 (Buffer overflow in Cisco Unified CallManager (CUCM) 5.0(1) through 5.0 ...) NOT-FOR-US: Cisco CVE-2006-3593 (The command line interface (CLI) in Cisco Unified CallManager (CUCM) 5 ...) NOT-FOR-US: Cisco CVE-2006-3592 (Unspecified vulnerability in the command line interface (CLI) in Cisco ...) NOT-FOR-US: Cisco CVE-2006-3591 (Microsoft Internet Explorer 6 allows remote attackers to cause a denia ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2006-3626 (Race condition in Linux kernel 2.6.17.4 and earlier allows local users ...) {DSA-1111} - linux-2.6 2.6.17-4 (bug #378324; high) CVE-2006-XXXX [insufficient form variable escaping] - webauth 3.5.2-1 CVE-2006-3590 (mso.dll, as used by Microsoft PowerPoint 2000 through 2003, allows use ...) NOT-FOR-US: Microsoft PowerPoint CVE-2006-3589 (vmware-config.pl in VMware for Linux, ESX Server 2.x, and Infrastructu ...) NOT-FOR-US: VMware CVE-2006-3588 (Unspecified vulnerability in Adobe (Macromedia) Flash Player 8.0.24.0 ...) - flashplugin-nonfree 7.0.68.0.1 [sarge] - flashplugin-nonfree (Contrib not supported) CVE-2006-3587 (Unspecified vulnerability in Adobe (Macromedia) Flash Player 8.0.24.0 ...) - flashplugin-nonfree 7.0.68.0.1 [sarge] - flashplugin-nonfree (Contrib not supported) CVE-2006-3586 (SQL injection vulnerability in Jetbox CMS 2.1 SR1 allows remote attack ...) NOT-FOR-US: Jetbox CMS CVE-2006-3585 (Multiple cross-site scripting (XSS) vulnerabilities in Jetbox CMS 2.1 ...) NOT-FOR-US: Jetbox CMS CVE-2006-3584 (Dynamic variable evaluation vulnerability in index.php in Jetbox CMS 2 ...) NOT-FOR-US: Jetbox CMS CVE-2006-3583 (Session fixation vulnerability in Jetbox CMS 2.1 SR1 allows remote att ...) NOT-FOR-US: Jetbox CMS CVE-2006-3582 (Multiple heap-based buffer overflows in Audacious AdPlug 2.0 and earli ...) - adplug 2.0.1-1 (bug #378279; medium) CVE-2006-3581 (Multiple stack-based buffer overflows in Audacious AdPlug 2.0 and earl ...) - adplug 2.0.1-1 (bug #378279; medium) CVE-2006-3580 (SQL injection vulnerability in pages.asp in ASP Stats Generator before ...) NOT-FOR-US: ASP Stats Generator CVE-2006-3579 (Cross-site scripting (XSS) vulnerability in Fujitsu ServerView 2.50 up ...) NOT-FOR-US: Fujitsu ServerView CVE-2006-3578 (Directory traversal vulnerability in Fujitsu ServerView 2.50 up to 3.6 ...) NOT-FOR-US: Fujitsu ServerView CVE-2006-3577 (SQL injection vulnerability in index.php in LifeType 1.0.5 allows remo ...) NOT-FOR-US: LifeType CVE-2006-3576 (SQL injection vulnerability in search.php in SenseSites CommonSense CM ...) NOT-FOR-US: SenseSites CommonSense CVE-2006-3575 (Unknown vulnerability in the Buffer Overflow Protection in McAfee Viru ...) NOT-FOR-US: McAfee VirusScan Enterprise CVE-2006-3574 (Multiple cross-site scripting (XSS) vulnerabilities in Hitachi Groupma ...) NOT-FOR-US: Hitachi Groupmax Collaboration Portal and Web Client and uCosminexus Collaboration Portal and Forum/File Sharing CVE-2006-3573 (Format string vulnerability in the WriteText function in agl_text.cpp ...) NOT-FOR-US: Milan Mimica Sparklet CVE-2006-3572 (SQL injection vulnerability in forumthread.php in Papoo 3 RC3 and earl ...) NOT-FOR-US: Papoo CVE-2006-3571 (Multiple cross-site scripting (XSS) vulnerabilities in interna/hilfe.p ...) NOT-FOR-US: Papoo CVE-2006-3570 (Cross-site scripting (XSS) vulnerability in the webform module in Drup ...) - drupal (webform module is not in Debian Drupal 4.5 package) CVE-2006-3569 (Unspecified vulnerability in NetApp Data ONTAP 7.0x through 7.0.4P8D9, ...) NOT-FOR-US: IBM Data ONTAP CVE-2006-3568 (Multiple cross-site scripting (XSS) vulnerabilities in guestbook.php i ...) NOT-FOR-US: Fantastic Guestbook CVE-2006-3567 (Cross-site scripting (XSS) vulnerability in the web administration int ...) NOT-FOR-US: Juniper CVE-2006-3566 (search.results.php in HiveMail 3.1 and earlier allows remote attackers ...) NOT-FOR-US: HiveMail CVE-2006-3565 (SQL injection vulnerability in search.results.php in HiveMail 1.3 and ...) NOT-FOR-US: HiveMail CVE-2006-3564 (Multiple cross-site scripting (XSS) vulnerabilities in HiveMail 1.3 an ...) NOT-FOR-US: HiveMail CVE-2006-3563 (Cross-site scripting (XSS) vulnerability in gallery/thumb.php in Winge ...) NOT-FOR-US: Winged Gallery CVE-2006-3562 (PHP remote file inclusion vulnerabilities in plume cms 1.0.4 allow rem ...) NOT-FOR-US: Plume CMS CVE-2006-3561 (BT Voyager 2091 Wireless firmware 2.21.05.08m_A2pB018c1.d16d and earli ...) NOT-FOR-US: BT Voyager CVE-2006-3560 (SQL injection vulnerability in topics.php in Blue Dojo Graffiti Forums ...) NOT-FOR-US: Blue Dojo Graffiti Forums CVE-2006-3559 (Multiple SQL injection vulnerabilities in Arif Supriyanto auraCMS 1.62 ...) NOT-FOR-US: auraCMS CVE-2006-3558 (Multiple cross-site scripting (XSS) vulnerabilities in Arif Supriyanto ...) NOT-FOR-US: auraCMS CVE-2006-3557 (MT Orumcek Toplist 2.2 stores DB/orumcektoplist.mdb under the web root ...) NOT-FOR-US: MT Orumcek Toplist CVE-2006-3556 (PHP remote file inclusion vulnerability in extcalendar.php in Mohamed ...) NOT-FOR-US: Mohamed Moujami ExtCalendar CVE-2006-3555 (Multiple cross-site scripting (XSS) vulnerabilities in submit.php in P ...) NOT-FOR-US: PHP-Fusion CVE-2006-3554 (Directory traversal vulnerability in index.php in MKPortal 1.0.1 Final ...) NOT-FOR-US: MKPortal CVE-2006-3553 (PlaNet Concept planetNews allows remote attackers to bypass authentica ...) NOT-FOR-US: planetNews CVE-2006-3552 (Premium Anti-Spam in Ipswitch IMail Secure Server 2006 and Collaborati ...) NOT-FOR-US: Ipswitch IMail Secure Server 2006 and Collaboration Suite 2006 Premium CVE-2006-3551 (NCP Secure Enterprise Client (aka VPN/PKI client) 8.30 Build 59, and p ...) NOT-FOR-US: NCP VPN/PKI Client (apparently nothing to do with Novell) CVE-2006-3550 (Multiple cross-site scripting (XSS) vulnerabilities in F5 Networks Fir ...) NOT-FOR-US: F5 Netowrks FirePass CVE-2006-3549 (services/go.php in Horde Application Framework 3.0.0 through 3.0.10 an ...) {DSA-1406-1} - horde3 3.1.2-1 (bug #378281; low) CVE-2006-3548 (Multiple cross-site scripting (XSS) vulnerabilities in Horde Applicati ...) {DSA-1406-1} - horde3 3.1.2-1 (bug #378281; low) CVE-2006-3547 NOT-FOR-US: EMC VMware Player CVE-2006-3546 (Patrice Freydiere ImgSvr (aka ADA Image Server) allows remote attacker ...) NOT-FOR-US: Patrice Freydiere ImgSvr CVE-2006-3545 (** DISPUTED ** Microsoft Internet Explorer 7.0 Beta allows remote atta ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2006-3544 NOT-FOR-US: Invision Power Board CVE-2006-3543 NOT-FOR-US: Invision Power Board CVE-2006-3542 (Multiple cross-site scripting (XSS) vulnerabilities in Garry Glendown ...) NOT-FOR-US: Garry Glendown Shopping Cart CVE-2006-3541 (SQL injection vulnerability in Meine Links (aka My Links) in Kyberna k ...) NOT-FOR-US: Meine Links (aka My Links) in Kyberna ky2help CVE-2006-3540 (Check Point Zone Labs ZoneAlarm Internet Security Suite 6.5.722.000, 6 ...) NOT-FOR-US: Check Point Zone Labs ZoneAlarm Internet Security Suite CVE-2006-3539 (Multiple cross-site scripting (XSS) vulnerabilities in DKScript.com Dr ...) NOT-FOR-US: DKScript.com Dragon's Kingdom Script CVE-2006-3538 (Multiple cross-site scripting (XSS) vulnerabilities in demo.php in Bea ...) NOT-FOR-US: BeatificFaith Eprayer CVE-2006-3537 (PHP remote file inclusion vulnerability in index.php in Randshop befor ...) NOT-FOR-US: Randshop CVE-2006-3536 (Direct static code injection vulnerability in code/class_db_text.php i ...) NOT-FOR-US: EJ3 TOPo CVE-2006-3535 (Directory traversal vulnerability in Nullsoft SHOUTcast DSP before 1.9 ...) NOT-FOR-US: Nullsoft SHOUTcast DSP CVE-2006-3534 (Directory traversal vulnerability in Nullsoft SHOUTcast DSP before 1.9 ...) NOT-FOR-US: Nullsoft SHOUTcast DSP CVE-2006-3533 (Multiple cross-site scripting (XSS) vulnerabilities in Pivot 1.30 RC2 ...) - pivot (bug #305786) CVE-2006-3532 (PHP file inclusion vulnerability in includes/edit_new.php in Pivot 1.3 ...) - pivot (bug #305786) CVE-2006-3531 (includes/editor/insert_image.php in Pivot 1.30 RC2 and earlier creates ...) - pivot (bug #305786) CVE-2006-3530 (PHP remote file inclusion vulnerability in com_pccookbook/pccookbook.p ...) NOT-FOR-US: PccookBook Component for Mambo and Joomla CVE-2003-1304 (EarlyImpact ProductCart 1.0 through 2.0 stores database/EIPC.mdb under ...) NOT-FOR-US: EarlyImpact ProductCart CVE-2006-3529 (Memory leak in Juniper JUNOS 6.4 through 8.0, built before May 10, 200 ...) NOT-FOR-US: Juniper JUNOS CVE-2006-3528 (Multiple PHP remote file inclusion vulnerabilities in Simpleboard Mamb ...) NOT-FOR-US: Simpleboard Mambo module CVE-2006-3527 (Multiple PHP remote file inclusion vulnerabilities in BosClassifieds C ...) NOT-FOR-US: BosClassifieds Classified Ads CVE-2006-3526 (Multiple cross-site scripting (XSS) vulnerabilities in guestbook.php i ...) NOT-FOR-US: Sport-slo Advanced Guestbook CVE-2006-3525 (SQL injection vulnerability in category.php in PHCDownload 1.0.0 Final ...) NOT-FOR-US: PHCDownload CVE-2006-3524 (Buffer overflow in SIPfoundry sipXtapi released before 20060324 allows ...) NOT-FOR-US: SIPfoundry sipXtapi CVE-2006-3523 (Clearswift MIMEsweeper for Web before 5.1.15 Hotfix allows remote atta ...) NOT-FOR-US: Clearswift MIMEsweeper CVE-2006-3522 (Cross-site scripting (XSS) vulnerability in Clearswift MIMEsweeper for ...) NOT-FOR-US: Clearswift MIMEsweeper CVE-2006-3521 (Multiple cross-site scripting (XSS) vulnerabilities in index/siteforge ...) NOT-FOR-US: SiteForge Collaborative Development Platform CVE-2006-3520 (PHP remote file inclusion vulnerability in skins/advanced/advanced1.ph ...) NOT-FOR-US: Sabdrimer Pro CVE-2006-3519 (Multiple cross-site scripting (XSS) vulnerabilities in The Banner Engi ...) NOT-FOR-US: The Banner Engine CVE-2006-3518 (SQL injection vulnerability in SayfalaAltList.asp in Webvizyon Portal ...) NOT-FOR-US: Webvizyon Portal CVE-2006-3517 (PHP remote file inclusion vulnerability in stats.php in RW::Download, ...) NOT-FOR-US: RW::Download CVE-2006-3516 (Multiple SQL injection vulnerabilities in FreeHost allow remote attack ...) NOT-FOR-US: FreeHost CVE-2006-3515 (SQL injection vulnerability in the loginADP function in ajaxp.php in A ...) NOT-FOR-US: AjaxPortal CVE-2006-3514 (Multiple cross-site scripting (XSS) vulnerabilities in admin/actions.p ...) NOT-FOR-US: PHP-Blogger CVE-2006-3513 (danim.dll in Microsoft Internet Explorer 6 allows remote attackers to ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2006-3512 (Internet Explorer 6 on Windows XP allows remote attackers to cause a d ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2006-3511 (Internet Explorer 6 on Windows XP SP2 allows remote attackers to cause ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2006-3510 (The Remote Data Service Object (RDS.DataControl) in Microsoft Internet ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2006-3509 (Integer overflow in the API for the AirPort wireless driver on Apple M ...) NOT-FOR-US: Apple CVE-2006-3508 (Heap-based buffer overflow in the AirPort wireless driver on Apple Mac ...) NOT-FOR-US: Apple CVE-2006-3507 (Multiple stack-based buffer overflows in the AirPort wireless driver o ...) NOT-FOR-US: Apple CVE-2006-3506 (Buffer overflow in the Xsan Filesystem driver on Mac OS X 10.4.7 and O ...) NOT-FOR-US: Mac OS X CVE-2006-3505 (WebKit in Apple Mac OS X 10.3.9 and 10.4.7 allows remote attackers to ...) NOT-FOR-US: Apple Mac OS CVE-2006-3504 (The Download Validation in LaunchServices for Apple Mac OS X 10.4.7 ca ...) NOT-FOR-US: Apple Mac OS CVE-2006-3503 (Integer overflow in ImageIO in Apple Mac OS X 10.4.7 allows user-assis ...) NOT-FOR-US: Apple Mac OS CVE-2006-3502 (Unspecified vulnerability in ImageIO in Apple Mac OS X 10.4.7 allows u ...) NOT-FOR-US: Apple Mac OS CVE-2006-3501 (Integer overflow in ImageIO for Apple Mac OS X 10.4.7 allows user-assi ...) NOT-FOR-US: Apple Mac OS CVE-2006-3500 (The dynamic linker (dyld) in Apple Mac OS X 10.4.7 allows local users ...) NOT-FOR-US: Apple Mac OS CVE-2006-3499 (The dynamic linker (dyld) in Apple Mac OS X 10.3.9 allows local users ...) NOT-FOR-US: Apple Mac OS CVE-2006-3498 (Stack-based buffer overflow in bootpd in the DHCP component for Apple ...) NOT-FOR-US: Apple Mac OS CVE-2006-3497 (Unspecified vulnerability in the "compression state handling" in Bom f ...) NOT-FOR-US: Apple Mac OS CVE-2006-3496 (AFP Server in Apple Mac OS X 10.3.9 and 10.4.7 allows remote attackers ...) NOT-FOR-US: Apple Mac OS CVE-2006-3495 (AFP Server in Apple Mac OS X 10.3.9 and 10.4.7 stores reconnect keys i ...) NOT-FOR-US: Apple Mac OS CVE-2006-3494 (Multiple cross-site scripting (XSS) vulnerabilities in Buddy Zone 1.0. ...) NOT-FOR-US: Buddy Zone CVE-2006-3493 (Buffer overflow in LsCreateLine function (mso_203) in mso.dll and mso9 ...) NOT-FOR-US: Microsoft Office CVE-2006-3492 (The CORBA::ORBInvokeRec::set_answer_invoke function in orb.cc in MICO ...) NOT-FOR-US: MICO CVE-2006-3491 (Stack-based buffer overflow in Kaillera Server 0.86 and earlier allows ...) NOT-FOR-US: Kaillera Server CVE-2006-3490 (F-Secure Anti-Virus 2003 through 2006 and other versions, Internet Sec ...) NOT-FOR-US: F-Secure Anti-Virus CVE-2006-3489 (F-Secure Anti-Virus 2003 through 2006 and other versions, Internet Sec ...) NOT-FOR-US: F-Secure Anti-Virus CVE-2006-3488 (Absolute path traversal vulnerability in administrador.asp in VirtuaSt ...) NOT-FOR-US: VirtuaStore CVE-2006-3487 (VirtuaStore 2.0 stores sensitive files under the web root with insuffi ...) NOT-FOR-US: VirtuaStore CVE-2006-3485 (Multiple SQL injection vulnerabilities in AstroDog Press Some Chess 1. ...) NOT-FOR-US: AstroDog Press Some Chess CVE-2006-3484 (Multiple cross-site scripting (XSS) vulnerabilities in ATutor before 1 ...) NOT-FOR-US: ATutor CVE-2006-3483 (PHPMailList 1.8.0 stores sensitive information under the web document ...) NOT-FOR-US: PHPMailList CVE-2006-3482 (Cross-site scripting (XSS) vulnerability in maillist.php in PHPMailLis ...) NOT-FOR-US: PHPMailList CVE-2006-3481 (Multiple SQL injection vulnerabilities in Joomla! before 1.0.10 allow ...) NOT-FOR-US: Joomla! CVE-2006-3480 (Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before ...) NOT-FOR-US: Joomla! CVE-2006-3479 (Cross-site request forgery (CSRF) vulnerability in the del_block funct ...) NOT-FOR-US: Nuked-Klan CVE-2006-3478 (PHP remote file inclusion vulnerability in styles/default/global_heade ...) NOT-FOR-US: MyPHP CMS CVE-2006-3477 (Unspecified vulnerability in the POP service in Stalker CommuniGate Pr ...) NOT-FOR-US: Stalker CommuniGate Pro CVE-2006-3476 (Cross-site scripting (XSS) vulnerability in comments.php in PhpWebGall ...) NOT-FOR-US: PhpWebGallery CVE-2006-3475 (Multiple PHP remote file inclusion vulnerabilities in free QBoard 1.1 ...) NOT-FOR-US: QBoard CVE-2006-3474 (Multiple SQL injection vulnerabilities in Belchior Foundry vCard PRO a ...) NOT-FOR-US: Belchior Foundry vCard PRO CVE-2006-3473 (CRLF injection vulnerability in form_mail Drupal Module before 1.8.2.2 ...) - drupal (form_mail Module not in debian) CVE-2006-3472 (Microsoft Internet Explorer 6.0 and 6.0 SP1 allows remote attackers to ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2006-3471 (Microsoft Internet Explorer 6 on Windows XP allows remote attackers to ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2006-3470 (The Dell Openmanage CD launches X11 and SSH daemons that do not requir ...) NOT-FOR-US: Dell Openmanage CD CVE-2006-3469 (Format string vulnerability in time.cc in MySQL Server 4.1 before 4.1. ...) {DSA-1112} - mysql-dfsg-5.0 5.0.22-1 (bug #375694) CVE-2006-3468 (Linux kernel 2.6.x, when using both NFS and EXT3, allows remote attack ...) {DSA-1184-2} - linux-2.6 2.6.17-6 CVE-2006-3467 (Integer overflow in FreeType before 2.2 allows remote attackers to cau ...) {DSA-1193-1 DSA-1178-1} - freetype 2.2.1-5 (bug #379920; medium) - libxfont 1:1.2.0-2 (medium; bug #383353) CVE-2006-3466 REJECTED CVE-2006-3465 (Unspecified vulnerability in the custom tag support for the TIFF libra ...) {DSA-1137-1} - tiff 3.8.2-6 - tiff3 (fixed prior to initial upload) CVE-2006-3464 (TIFF library (libtiff) before 3.8.2 allows context-dependent attackers ...) {DSA-1137-1} - tiff 3.8.2-6 - tiff3 (fixed prior to initial upload) CVE-2006-3463 (The EstimateStripByteCounts function in TIFF library (libtiff) before ...) {DSA-1137-1} - tiff 3.8.2-6 - tiff3 (fixed prior to initial upload) CVE-2006-3462 (Heap-based buffer overflow in the NeXT RLE decoder in the TIFF library ...) {DSA-1137-1} - tiff 3.8.2-6 - tiff3 (fixed prior to initial upload) CVE-2006-3461 (Heap-based buffer overflow in the PixarLog decoder in the TIFF library ...) {DSA-1137-1} - tiff 3.8.2-6 - tiff3 (fixed prior to initial upload) CVE-2006-3460 (Heap-based buffer overflow in the JPEG decoder in the TIFF library (li ...) {DSA-1137-1} - tiff 3.8.2-6 - tiff3 (fixed prior to initial upload) CVE-2006-3459 (Multiple stack-based buffer overflows in the TIFF library (libtiff) be ...) {DSA-1137-1} - tiff 3.8.2-6 - tiff3 (fixed prior to initial upload) CVE-2006-3486 - mysql-dfsg-5.0 5.0.22-4 (unimportant; bug #378102) [sarge] - mysql-dfsg-4.1 (Vulnerable code not present) [sarge] - mysql-dfsg (Vulnerable code not present) NOTE: Only DoS possible, only root can trigger this -> non-issue CVE-2006-3457 (Symantec On-Demand Agent (SODA) before 2.5 MR2 Build 2157, and the Vir ...) NOT-FOR-US: Symantec CVE-2006-3456 (The Symantec NAVOPTS.DLL ActiveX control (aka Symantec.Norton.AntiViru ...) NOT-FOR-US: Symantec CVE-2006-3455 (The SAVRT.SYS device driver, as used in Symantec AntiVirus Corporate E ...) NOT-FOR-US: Symantec CVE-2006-3454 (Multiple format string vulnerabilities in Symantec AntiVirus Corporate ...) NOT-FOR-US: Symantec CVE-2006-3453 (Buffer overflow in Adobe Acrobat 6.0 to 6.0.4 allows remote attackers ...) NOT-FOR-US: Adobe acrobat CVE-2006-3452 (Adobe Reader and Acrobat 6.0.4 and earlier, on Mac OSX, has insecure f ...) NOT-FOR-US: Adobe acrobat CVE-2006-3451 (Microsoft Internet Explorer 5 SP4 and 6 do not properly garbage collec ...) NOT-FOR-US: Microsoft CVE-2006-3450 (Microsoft Internet Explorer 6 allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft CVE-2006-3449 (Unspecified vulnerability in Microsoft PowerPoint 2000 through 2003, p ...) NOT-FOR-US: Microsoft CVE-2006-3448 (Buffer overflow in the Step-by-Step Interactive Training in Microsoft ...) NOT-FOR-US: Microsoft CVE-2006-3447 REJECTED CVE-2006-3446 REJECTED CVE-2006-3445 (Integer overflow in the ReadWideString function in agentdpv.dll in Mic ...) NOT-FOR-US: Microsoft CVE-2006-3444 (Unspecified vulnerability in the kernel in Microsoft Windows 2000 SP4, ...) NOT-FOR-US: Microsoft CVE-2006-3443 (Untrusted search path vulnerability in Winlogon in Microsoft Windows 2 ...) NOT-FOR-US: Microsoft CVE-2006-3442 (Unspecified vulnerability in Pragmatic General Multicast (PGM) in Micr ...) NOT-FOR-US: Microsoft CVE-2006-3441 (Buffer overflow in the DNS Client service in Microsoft Windows 2000 SP ...) NOT-FOR-US: Microsoft CVE-2006-3440 (Buffer overflow in the Winsock API in Microsoft Windows 2000 SP4, XP S ...) NOT-FOR-US: Microsoft CVE-2006-3439 (Buffer overflow in the Server Service in Microsoft Windows 2000 SP4, X ...) NOT-FOR-US: Microsoft CVE-2006-3438 (Unspecified vulnerability in Microsoft Hyperlink Object Library (hlink ...) NOT-FOR-US: Microsoft CVE-2006-3437 REJECTED CVE-2006-3436 (Cross-site scripting (XSS) vulnerability in Microsoft .NET Framework 2 ...) NOT-FOR-US: Microsoft CVE-2006-3435 (PowerPoint in Microsoft Office 2000, XP, 2003, 2004 for Mac, and v.X f ...) NOT-FOR-US: Microsoft CVE-2006-3434 (Unspecified vulnerability in Microsoft Office 2000, XP, 2003, 2004 for ...) NOT-FOR-US: Microsoft CVE-2006-3433 REJECTED CVE-2006-3432 REJECTED CVE-2006-3431 (Buffer overflow in certain Asian language versions of Microsoft Excel ...) NOT-FOR-US: Microsoft Excel CVE-2006-3430 (SQL injection vulnerability in checkprofile.asp in (1) PatchLink Updat ...) NOT-FOR-US: Novell PatchLink Update Server CVE-2006-3429 (Cross-site scripting (XSS) vulnerability in TigerTom TTCalc 1.0 allows ...) NOT-FOR-US: TTCalc CVE-2006-3428 (Cross-site scripting (XSS) vulnerability in TigerTom TTCalc 1.0 allows ...) NOT-FOR-US: TTCalc CVE-2006-3427 (Microsoft Internet Explorer 6 allows remote attackers to cause a denia ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2006-3426 (Directory traversal vulnerability in (a) PatchLink Update Server (PLUS ...) NOT-FOR-US: Novell PatchLink Update Server CVE-2006-3425 (FastPatch for (a) PatchLink Update Server (PLUS) before 6.1 P1 and 6.2 ...) NOT-FOR-US: Novell PatchLink Update Server CVE-2006-3424 (Multiple buffer overflows in WebEx Downloader ActiveX Control, possibl ...) NOT-FOR-US: WebEx Downloader ActiveX Control CVE-2006-3423 (WebEx Downloader ActiveX Control and WebEx Downloader Java before 2.1. ...) NOT-FOR-US: WebEx Downloader ActiveX Control CVE-2006-3422 (PHP remote file inclusion vulnerability in WonderEdit Pro CMS allows r ...) NOT-FOR-US: WonderEdit Pro CMS CVE-2006-3421 (PHP remote file inclusion vulnerability in SmartSiteCMS 1.0 and earlie ...) NOT-FOR-US: SmartSiteCMS CVE-2006-3420 (Cross-site request forgery (CSRF) vulnerability in editpost.php in MyB ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-3419 (Tor before 0.1.1.20 uses OpenSSL pseudo-random bytes (RAND_pseudo_byte ...) - tor 0.1.1.20-1 CVE-2006-3418 (Tor before 0.1.1.20 does not validate that a server descriptor's finge ...) - tor 0.1.1.20-1 CVE-2006-3417 (Tor client before 0.1.1.20 prefers entry points based on is_fast or is ...) - tor 0.1.1.20-1 CVE-2006-3416 - tor 0.1.1.20-1 CVE-2006-3415 (Tor before 0.1.1.20 uses improper logic to validate the "OR" destinati ...) - tor 0.1.1.20-1 CVE-2006-3414 (Tor before 0.1.1.20 supports server descriptors that contain hostnames ...) - tor 0.1.1.20-1 CVE-2006-3413 (The privoxy configuration file in Tor before 0.1.1.20, when run on App ...) - tor 0.1.1.20-1 CVE-2006-3412 (Tor before 0.1.1.20 does not sufficiently obey certain firewall option ...) - tor 0.1.1.20-1 CVE-2006-3411 (TLS handshakes in Tor before 0.1.1.20 generate public-private keys bas ...) - tor 0.1.1.20-1 CVE-2006-3410 (Tor before 0.1.1.20 creates "internal circuits" primarily consisting o ...) - tor 0.1.1.20-1 CVE-2006-3409 (Integer overflow in Tor before 0.1.1.20 allows remote attackers to exe ...) - tor 0.1.1.20-1 CVE-2006-3408 (Unspecified vulnerability in the directory server (dirserver) in Tor b ...) - tor 0.1.1.20-1 CVE-2006-3407 (Tor before 0.1.1.20 allows remote attackers to spoof log entries or po ...) - tor 0.1.1.20-1 CVE-2006-3406 (Directory traversal vulnerability in qtofm.php in QTOFileManager 1.0 a ...) NOT-FOR-US: QTOFileManager CVE-2006-3405 (Cross-site scripting (XSS) vulnerability in qtofm.php in QTOFileManage ...) NOT-FOR-US: QTOFileManager CVE-2006-3403 (The smdb daemon (smbd/service.c) in Samba 3.0.1 through 3.0.22 allows ...) {DSA-1110} - samba 3.0.23a-1 (bug #378070) CVE-2006-3402 (SQL injection vulnerability in VirtuaStore 2.0 allows remote attackers ...) NOT-FOR-US: VirtuaStore CVE-2006-3401 (Stack-based buffer overflow in Quake 3 Engine as used by Quake 3: Aren ...) NOT-FOR-US: Quake 3 CVE-2006-3400 (Stack-based buffer overflow in the CG_ServerCommand function in Quake ...) NOT-FOR-US: Soldier of Fortune 2 CVE-2006-3399 (Cross-site scripting (XSS) vulnerability in wiki.php in MoniWiki befor ...) NOT-FOR-US: MoniWiki CVE-2006-3398 (The "change password forms" in Taskjitsu before 2.0.1 includes passwor ...) NOT-FOR-US: Taskjitsu CVE-2006-3397 (Multiple cross-site scripting (XSS) vulnerabilities in Taskjitsu befor ...) NOT-FOR-US: Taskjitsu CVE-2006-3396 (PHP remote file inclusion vulnerability in galleria.html.php in Galler ...) NOT-FOR-US: Galleria Mambo Module CVE-2006-3395 (PHP remote file inclusion vulnerability in top.php in SiteBuilder-FX 3 ...) NOT-FOR-US: SiteBuilder-FX CVE-2006-3394 (SQL injection vulnerability in the files mod in index.php in BXCP 0.3. ...) NOT-FOR-US: BXCP CVE-2006-3393 (Papyrus NASCAR Racing 4 4.1.3.1.6 and earlier, 2002 Season 1.1.0.2 and ...) NOT-FOR-US: Papyrus NASCAR Racing CVE-2006-3392 (Webmin before 1.290 and Usermin before 1.220 calls the simplify_path f ...) {DSA-1199-1} - webmin (medium; bug #381537) CVE-2006-3391 (The Execute function in iMBCContents ActiveX Control before 2.0.0.59 a ...) NOT-FOR-US: iMBCContents CVE-2006-3390 (WordPress 2.0.3 allows remote attackers to obtain the installation pat ...) - wordpress 2.0.4-1 (unimportant) NOTE: http://wordpress.org/news/2006/07/wordpress-204/ CVE-2006-3389 (index.php in WordPress 2.0.3 allows remote attackers to obtain sensiti ...) - wordpress 2.0.4-1 (unimportant) NOTE: http://wordpress.org/news/2006/07/wordpress-204/ CVE-2006-3388 (Cross-site scripting (XSS) vulnerability in phpMyAdmin before 2.8.2 al ...) - phpmyadmin 4:2.8.2-0.1 (bug #377748; low) [sarge] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2006-4/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/6d6f47bdb2c7f5519dcc6497a6ebf9ebc305e6de CVE-2006-3387 (Directory traversal vulnerability in sources/post.php in Fusion News 1 ...) NOT-FOR-US: Fusion News CVE-2006-3386 (index.php in Vincent Leclercq News 5.2 allows remote attackers to obta ...) NOT-FOR-US: Vincent Leclercq News CVE-2006-3385 (Cross-site scripting (XSS) vulnerability in divers.php in Vincent Lecl ...) NOT-FOR-US: Vincent Leclercq News CVE-2006-3384 (SQL injection vulnerability in divers.php in Vincent Leclercq News 5.2 ...) NOT-FOR-US: Vincent Leclercq News CVE-2006-3383 (Cross-site scripting (XSS) vulnerability in index.php in mAds 1.0 allo ...) NOT-FOR-US: mAds CVE-2006-3382 (Cross-site scripting (XSS) vulnerability in search.php in mAds 1.0 all ...) NOT-FOR-US: mAds CVE-2006-3381 (SturGeoN Upload allows remote attackers to execute arbitrary PHP code ...) NOT-FOR-US: SturGeoN CVE-2006-3380 (Algorithmic complexity vulnerability in FreeStyle Wiki before 3.6.2 al ...) NOT-FOR-US: FreeStyle Wiki CVE-2006-3379 (Algorithmic complexity vulnerability in Hiki Wiki 0.6.0 through 0.6.5 ...) {DSA-1119} - hiki 0.8.6-1 (bug #378059; low) CVE-2006-3378 (passwd command in shadow in Ubuntu 5.04 through 6.06 LTS, when called ...) {DSA-1150-1} - shadow 1:4.0.14-1 (bug #379174) CVE-2006-3377 (Cross-site scripting (XSS) vulnerability in JMB Software AutoRank PHP ...) NOT-FOR-US: JMB Software AutoRank PHP CVE-2006-3376 (Integer overflow in player.c in libwmf 0.2.8.4, as used in multiple pr ...) {DSA-1194-1} - libwmf 0.2.8.4-2 (bug #381538; medium) CVE-2006-3375 (PHP remote file inclusion vulnerability in includes/header.inc.php in ...) NOT-FOR-US: Randshop CVE-2006-3374 (PHP remote file inclusion vulnerability in index.php in Randshop 1.2 a ...) NOT-FOR-US: Randshop CVE-2006-3373 (Unspecified vulnerability in the client/bin/logfetch script in Hobbit ...) NOT-FOR-US: Hobbit CVE-2006-3372 (Apple Safari 2.0.4/419.3 allows remote attackers to cause a denial of ...) NOT-FOR-US: Apple Safari CVE-2006-3371 (Eupla Foros 1.0 stores the inc/config.inc file under the web document ...) NOT-FOR-US: Eupla Foros CVE-2006-3370 (Blueboy 1.0.3 stores bb_news_config.inc under the web document root wi ...) NOT-FOR-US: Blueboy CVE-2006-3369 (Kamikaze-QSCM 0.1 stores config.inc under the web document root with i ...) NOT-FOR-US: Kamikaze-QSCM CVE-2006-3368 (Efone 20000723 stores config.inc under the web document root with insu ...) NOT-FOR-US: Efone CVE-2006-3367 (Mp3 JudeBox Server (Mp3NetBox) Beta 1 stores config.inc under the web ...) NOT-FOR-US: Mp3NetBox CVE-2006-3366 (Multiple cross-site scripting (XSS) vulnerabilities in V3 Chat allow r ...) NOT-FOR-US: V3 Chat CVE-2006-3365 (V3 Chat allows remote attackers to obtain the installation path via (1 ...) NOT-FOR-US: V3 Chat CVE-2006-3364 (SQL injection vulnerability in index.php in the NP_SEO plugin in BLOG: ...) NOT-FOR-US: BLOG:CMS CVE-2006-3363 (PHP remote file inclusion vulnerability in index.php in the Glossaire ...) NOT-FOR-US: Glossaire for Xoops CVE-2006-3362 (Unrestricted file upload vulnerability in connectors/php/connector.php ...) - knowledgeroot (fixed before first upload; see bug #381912) CVE-2006-3361 (PHP remote file inclusion vulnerability in Stud.IP 1.3.0-2 and earlier ...) NOT-FOR-US: Stud.IP CVE-2006-3360 (Directory traversal vulnerability in index.php in phpSysInfo 2.5.1 all ...) - phpsysinfo (unimportant) - egroupware (unimportant) - phpgroupware (unimportant) NOTE: Only the existence of files inside the WWW root is leaked. If this is NOTE: a threat to your setup you most probably shouldn't install a script which NOTE: exposes all your system data, either. CVE-2006-3359 (Multiple SQL injection vulnerabilities in index.php in NewsPHP 2006 PR ...) NOT-FOR-US: NewsPHP CVE-2006-3358 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Ne ...) NOT-FOR-US: NewsPHP CVE-2006-3357 (Heap-based buffer overflow in HTML Help ActiveX control (hhctrl.ocx) i ...) NOT-FOR-US: HTML Help ActiveX control CVE-2006-3356 (The TIFFFetchAnyArray function in ImageIO in Apple OS X 10.4.7 and ear ...) NOT-FOR-US: Apple CVE-2006-3355 (Heap-based buffer overflow in httpdget.c in mpg123 before 0.59s-rll al ...) - mpg123 0.60-1 (bug #377264; medium) [sarge] - mpg123 (Non-free not supported) CVE-2006-3354 (Microsoft Internet Explorer 6 allows remote attackers to cause a denia ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2006-3353 (Opera 9 allows remote attackers to cause a denial of service (crash) v ...) NOT-FOR-US: Opera CVE-2006-3352 NOTE: firefox, but invalid CVE-2006-3351 (Buffer overflow in Windows Explorer (explorer.exe) on Windows XP and 2 ...) NOT-FOR-US: Windows Explorer CVE-2006-3695 (Trac before 0.9.6 does not disable the "raw" or "include" commands whe ...) {DSA-1152} - trac 0.9.6-1 (medium) [sarge] - trac 0.8.1-3sarge5 CVE-2006-3458 (Zope 2.7.0 to 2.7.8, 2.8.0 to 2.8.7, and 2.9.0 to 2.9.3 (Zope2) does n ...) {DSA-1113} - zope2.7 (bug #377285; medium) - zope2.8 2.8.7-2 (bug #377277; medium) - zope2.9 2.9.3-3 (bug #377286; medium) CVE-2006-3404 (Buffer overflow in the xcf_load_vector function in app/xcf/xcf-load.c ...) {DSA-1116} - gimp 2.2.11-3.1 (bug #377049; medium) CVE-2006-3350 (Stack-based buffer overflow in AutoVue SolidModel Professional Desktop ...) NOT-FOR-US: AutoVue SolidModel Professional Desktop CVE-2006-3349 (Multiple SQL injection vulnerabilities in SmS Script allow remote atta ...) NOT-FOR-US: SmS Script CVE-2006-3348 (Multiple SQL injection vulnerabilities in HSPcomplete 3.2.2 and 3.3 Be ...) NOT-FOR-US: HSPcomplete CVE-2006-3347 (SQL injection vulnerability in index.php in deV!Lz Clanportal DZCP 1.3 ...) NOT-FOR-US: deV!Lz Clanportal DZCP CVE-2006-3346 (SQL injection vulnerability in tree.php in MyNewsGroups 0.6 allows rem ...) NOT-FOR-US: MyNewsGroups CVE-2006-3345 (Cross-site scripting (XSS) vulnerability in AliPAGER, possibly 1.5 and ...) NOT-FOR-US: AliPAGER CVE-2006-3344 (Siemens Speedstream Wireless Router 2624 allows local users to bypass ...) NOT-FOR-US: Siemens Speedstream Wireless Router CVE-2006-3343 (PHP remote file inclusion vulnerability in recipe/cookbook.php in Cris ...) NOT-FOR-US: CrisoftRicette CVE-2006-3342 (Cross-site scripting (XSS) vulnerability in index.php in Arctic 1.0.2 ...) NOT-FOR-US: Arctic CVE-2006-3341 (SQL injection vulnerability in annonces-p-f.php in MyAds module 2.04jp ...) NOT-FOR-US: MyAds module for Xoops CVE-2006-3340 (Multiple PHP remote file inclusion vulnerabilities in Pearl For Mambo ...) NOT-FOR-US: Pearl For Mambo CVE-2006-3339 (secure/ConfigureReleaseNote.jspa in Atlassian JIRA 3.6.2-#156 allows r ...) NOT-FOR-US: Atlassian CVE-2006-3338 (Cross-site scripting (XSS) vulnerability in Atlassian JIRA 3.6.2-#156 ...) NOT-FOR-US: Atlassian CVE-2006-3337 (Cross-site scripting (XSS) vulnerability in frontend/x/files/select.ht ...) NOT-FOR-US: cPanel (not the Chinese language tool in Debian) CVE-2006-3336 (TWiki 01-Dec-2000 up to 4.0.3 allows remote attackers to bypass the up ...) - twiki 1:4.0.4-3 (low; bug #381907) NOTE: only in some server configurations CVE-2006-3335 (Unspecified vulnerability in mkdir in HP-UX B.11.00, B.11.04, B.11.11, ...) NOT-FOR-US: HP-UX CVE-2006-3334 (Buffer overflow in the png_decompress_chunk function in pngrutil.c in ...) - libpng 1.2.8rel-5.2 (bug #377298; bug #397892; unimportant) NOTE: A static 50 char array consumes 13 machine words on 32bit archs, so the overflow NOTE: cannot overwrite other memory sections CVE-2006-3333 (Cross-site scripting (XSS) vulnerability in index.php in Zorum Forum 3 ...) NOT-FOR-US: Zorum Forum CVE-2006-3332 (SQL injection vulnerability in index.php in Zorum Forum 3.5 allows rem ...) NOT-FOR-US: Zorum Forum CVE-2006-3331 (Opera before 9.0 does not reset the SSL security bar after displaying ...) NOT-FOR-US: Opera CVE-2006-3330 (Cross-site scripting (XSS) vulnerability in AddAsset1.php in PHP/MySQL ...) NOT-FOR-US: PHP/MySQL Classifieds CVE-2006-3329 (SQL injection vulnerability in search.php in PHP/MySQL Classifieds (PH ...) NOT-FOR-US: PHP/MySQL Classifieds CVE-2006-3328 (new_ticket.cgi in Hostflow 2.2.1-15 allows remote attackers to steal a ...) NOT-FOR-US: Hostflow CVE-2006-3327 (Cross-site scripting (XSS) vulnerability in Custom dating biz dating s ...) NOT-FOR-US: Custom dating biz dating script CVE-2006-3326 (Directory traversal vulnerability in QuickZip 3.06.3 allows remote use ...) NOT-FOR-US: QuickZip CVE-2006-3325 (client/cl_parse.c in the id3 Quake 3 Engine 1.32c and the Icculus Quak ...) - ioquake3 1.36+svn1788j-1 - tremulous 1.1.0-6 (bug #660834) [squeeze] - tremulous 1.1.0-7~squeeze1 CVE-2006-3324 (The Automatic Downloading option in the id3 Quake 3 Engine and the Icc ...) - ioquake3 1.36+svn1788j-1 - tremulous 1.1.0-6 (bug #660832) [squeeze] - tremulous 1.1.0-7~squeeze1 CVE-2006-3323 (PHP remote file inclusion vulnerability in admin/admin.php in MF Piada ...) NOT-FOR-US: MF Piadas CVE-2006-3322 (SQL injection vulnerability in includes/functions_logging.php in phpRa ...) NOT-FOR-US: phpRaid CVE-2006-3321 (Multiple cross-site scripting (XSS) vulnerabilities in openforum.asp i ...) NOT-FOR-US: OpenForum CVE-2006-3320 (Cross-site scripting (XSS) vulnerability in command.php in SiteBar 3.3 ...) {DSA-1130-1} - sitebar 3.3.8-1.1 (bug #377299; low) CVE-2006-3319 (Cross-site scripting (XSS) vulnerability in rss/index.php in PHP iCale ...) NOT-FOR-US: PHP iCalendar CVE-2006-3318 (SQL injection vulnerability in register.php for phpRaid 3.0.6 and poss ...) NOT-FOR-US: phpRaid CVE-2006-3317 (PHP remote file inclusion vulnerability in phpRaid 3.0.6 allows remote ...) NOT-FOR-US: phpRaid CVE-2006-3316 (Multiple PHP remote file inclusion vulnerabilities in phpRaid 3.0.5 al ...) NOT-FOR-US: phpRaid CVE-2006-3315 (PHP remote file inclusion vulnerability in page.php in an unspecified ...) NOT-FOR-US: "unspecified RahnemaCo.com product, possibly eShop" CVE-2006-3314 (PHP remote file inclusion vulnerability in page.php in an unspecified ...) NOT-FOR-US: "unspecified RahnemaCo.com product, possibly eShop" CVE-2006-3313 (Cross-site scripting (XSS) vulnerability in search.jsp in Netsoft smar ...) NOT-FOR-US: Netsoft smartNet CVE-2006-3312 (Multiple cross-site scripting (XSS) vulnerabilities in ashmans and Bil ...) NOT-FOR-US: QaTraq CVE-2006-3311 (Buffer overflow in Adobe Flash Player 8.0.24.0 and earlier, Flash Prof ...) - flashplugin-nonfree 7.0.68.0.1 [sarge] - flashplugin-nonfree (Contrib not supported) CVE-2006-3310 RESERVED CVE-2006-3309 (SQL injection vulnerability in SPT--ForumTopics.php in Scout Portal To ...) NOT-FOR-US: Scout Portal CVE-2006-3308 (Unspecified vulnerability in the wpprop code for Project EROS bbsengin ...) NOT-FOR-US: bbsengine CVE-2006-3307 (Multiple SQL injection vulnerabilities in Project EROS bbsengine befor ...) NOT-FOR-US: bbsengine CVE-2006-3306 (Cross-site scripting (XSS) vulnerability in the preparestring function ...) NOT-FOR-US: bbsengine CVE-2006-3305 (Multiple cross-site scripting (XSS) vulnerabilities in UebiMiau Webmai ...) NOT-FOR-US: UebiMiau CVE-2006-3304 (SQL injection vulnerability in cp.php in DeluxeBB 1.07 and earlier all ...) NOT-FOR-US: DeluxeBB CVE-2006-3303 (Multiple cross-site scripting (XSS) vulnerabilities in pm.php in Delux ...) NOT-FOR-US: DeluxeBB CVE-2006-3302 (PHP remote file inclusion vulnerability in mod_cbsms.php in CBSMS Mamb ...) NOT-FOR-US: CBSMS Mambo module CVE-2006-3301 (Multiple cross-site scripting (XSS) vulnerabilities in phpQLAdmin 2.2. ...) - phpqladmin (bug #376442; low) CVE-2006-3300 (PHP remote file inclusion vulnerability in sms_config/gateway.php in P ...) NOT-FOR-US: phpmysms CVE-2006-3299 (Cross-site scripting (XSS) vulnerability in index.php in Usenet Script ...) NOT-FOR-US: Usenet Script CVE-2006-3298 (Yahoo! Messenger 7.5.0.814 and 7.0.438 allows remote attackers to caus ...) NOT-FOR-US: Offical Yahoo! Messenger client CVE-2006-3297 (Cross-site scripting (XSS) vulnerability in error.php in UebiMiau Webm ...) NOT-FOR-US: UebiMiau CVE-2006-3296 (SQL injection vulnerability in view.php in Open Guestbook 0.5 allows r ...) NOT-FOR-US: Open Guestbook CVE-2006-3295 (Cross-site scripting (XSS) vulnerability in header.php in Open Guestbo ...) NOT-FOR-US: Open Guestbook CVE-2006-3294 (PHP remote file inclusion vulnerability in mod_cbsms_messages.php in C ...) NOT-FOR-US: CBSMS Mambo module CVE-2006-3293 (parse_notice (TiCPU) in EnergyMech (emech) before 3.0.2 allows remote ...) NOT-FOR-US: EnergyMech CVE-2006-3292 (SQL injection vulnerability in the Search gadget in Jaws 0.6.2 allows ...) NOT-FOR-US: Jaws CVE-2006-3291 (The web interface on Cisco IOS 12.3(8)JA and 12.3(8)JA1, as used on th ...) NOT-FOR-US: Cisco CVE-2006-3290 (HTTP server in Cisco Wireless Control System (WCS) for Linux and Windo ...) NOT-FOR-US: Cisco CVE-2006-3289 (Cross-site scripting (XSS) vulnerability in the login page of the HTTP ...) NOT-FOR-US: Cisco CVE-2006-3288 (Unspecified vulnerability in the TFTP server in Cisco Wireless Control ...) NOT-FOR-US: Cisco CVE-2006-3287 (Cisco Wireless Control System (WCS) for Linux and Windows 4.0(1) and e ...) NOT-FOR-US: Cisco CVE-2006-3286 (The internal database in Cisco Wireless Control System (WCS) for Linux ...) NOT-FOR-US: Cisco CVE-2006-3285 (The internal database in Cisco Wireless Control System (WCS) for Linux ...) NOT-FOR-US: Cisco CVE-2006-3284 (Cross-site scripting (XSS) vulnerability in Dating Agent PRO 4.7.1 all ...) NOT-FOR-US: Dating Agent PRO CVE-2006-3283 (SQL injection vulnerability in Dating Agent PRO 4.7.1 allows remote at ...) NOT-FOR-US: Dating Agent PRO CVE-2006-3282 (requirements.php in Dating Agent PRO 4.7.1 allows remote attackers to ...) NOT-FOR-US: Dating Agent PRO CVE-2006-3281 (Microsoft Internet Explorer 6.0 does not properly handle Drag and Drop ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2006-3280 (Cross-domain vulnerability in Microsoft Internet Explorer 6.0 allows r ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2006-3279 (Cross-site scripting (XSS) vulnerability in aeDating 4.1 allows remote ...) NOT-FOR-US: aeDating CVE-2006-3278 (Cross-site scripting (XSS) vulnerability in H-Sphere 2.5.1 Beta 1 and ...) NOT-FOR-US: H-Sphere CVE-2006-3277 (The SMTP service of MailEnable Standard 1.92 and earlier, Professional ...) NOT-FOR-US: MailEnable CVE-2006-3276 (Heap-based buffer overflow in RealNetworks Helix DNA Server 10.0 and 1 ...) NOT-FOR-US: Helix DNA Server CVE-2006-3275 (SQL injection vulnerability in profile.php in YaBB SE 1.5.5 and earlie ...) NOT-FOR-US: YaBB CVE-2006-3274 (Directory traversal vulnerability in Webmin before 1.280, when run on ...) - webmin (only windows) CVE-2006-3273 (Cross-site scripting (XSS) vulnerability in menu.php in Some Chess 1.5 ...) NOT-FOR-US: Some Chess CVE-2006-3272 (Cross-site request forgery (CSRF) vulnerability in menu.php in Some Ch ...) NOT-FOR-US: Some Chess CVE-2006-3271 (Multiple SQL injection vulnerabilities in Softbiz Dating 1.0 allow rem ...) NOT-FOR-US: Softbiz Dating CVE-2006-3270 (SQL injection vulnerability in cms_admin.php in THoRCMS 1.3.1 allows r ...) NOT-FOR-US: THoRCMS CVE-2006-3269 (PHP remote file inclusion vulnerability in includes/functions_cms.php ...) NOT-FOR-US: THoRCMS CVE-2006-3268 (Unspecified vulnerability in the Windows Client API in Novell GroupWis ...) NOT-FOR-US: Novell GroupWise CVE-2006-3267 (SQL injection vulnerability in index.php in Infinite Core Technologies ...) NOT-FOR-US: Infinite Core Technologies CVE-2006-3266 (Multiple PHP remote file inclusion vulnerabilities in Bee-hive Lite 1. ...) NOT-FOR-US: Bee-hive CVE-2006-3265 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Qd ...) NOT-FOR-US: Qdig CVE-2006-3264 (Cross-site scripting (XSS) vulnerability in mclient.cgi in Namo DeepSe ...) NOT-FOR-US: Namo DeepSearch CVE-2006-3263 (SQL injection vulnerability in the Weblinks module (weblinks.php) in M ...) - mambo 4.5.3h-2 (medium) CVE-2006-3262 (SQL injection vulnerability in the Weblinks module (weblinks.php) in M ...) - mambo 4.5.3h-2 (medium) CVE-2006-3261 (Cross-site scripting (XSS) vulnerability in Trend Micro Control Manage ...) NOT-FOR-US: Trend Micro Control Manager CVE-2006-3260 (Cross-site scripting (XSS) vulnerability in index.php in vlbook 1.02 a ...) NOT-FOR-US: vlbook CVE-2006-3259 (Multiple cross-site scripting (XSS) vulnerabilities in e107 0.7.5 allo ...) NOT-FOR-US: e107 CVE-2006-3258 (Multiple cross-site scripting (XSS) vulnerabilities in index.html in B ...) NOT-FOR-US: BNBT TrinEdit and EasyTracker CVE-2006-3257 (Multiple cross-site scripting (XSS) vulnerabilities in Claroline 1.7.7 ...) NOT-FOR-US: Claroline CVE-2006-3256 (SQL injection vulnerability in report.php in Woltlab Burning Board (WB ...) NOT-FOR-US: Woltlab Burning Board CVE-2006-3255 (SQL injection vulnerability in showmods.php in Woltlab Burning Board ( ...) NOT-FOR-US: Woltlab Burning Board CVE-2006-3254 (SQL injection vulnerability in newthread.php in Woltlab Burning Board ...) NOT-FOR-US: Woltlab Burning Board CVE-2006-3253 NOT-FOR-US: vBulletin CVE-2006-3252 (Buffer overflow in the Online Registration Facility for Algorithmic Re ...) NOT-FOR-US: Algorithmic Research PrivateWire VPN CVE-2006-3251 (Heap-based buffer overflow in the array_push function in hashcash.c fo ...) {DSA-1114} - hashcash 1.21 (bug #376444) CVE-2006-3250 (Heap-based buffer overflow in Windows Live Messenger 8.0 allows user-a ...) NOT-FOR-US: Windows Live Messenger CVE-2006-3249 NOT-FOR-US: Phorum CVE-2006-3248 REJECTED CVE-2006-3247 (Multiple cross-site scripting (XSS) vulnerabilities in show.php in GL- ...) NOT-FOR-US: GL-SH Deaf Forum CVE-2006-3246 (Cross-site scripting (XSS) vulnerability in show.php in GL-SH Deaf For ...) NOT-FOR-US: GL-SH Deaf Forum CVE-2006-3245 (Multiple cross-site scripting (XSS) vulnerabilities in activatemember ...) NOT-FOR-US: mvnForum CVE-2006-3244 (Multiple SQL injection vulnerabilities in Anthill 0.2.6 and earlier al ...) NOT-FOR-US: Anthill CVE-2006-3243 (SQL injection vulnerability in usercp.php in MyBB (MyBulletinBoard) 1. ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-3242 (Stack-based buffer overflow in the browse_get_namespace function in im ...) {DSA-1108} - mutt 1.5.11+cvs20060403-2 (low; bug #375828) CVE-2006-3241 (Cross-site scripting (XSS) vulnerability in messages.php in XennoBB 1. ...) NOT-FOR-US: XennoBB CVE-2006-3240 (Cross-site scripting (XSS) vulnerability in classes/ui.class.php in do ...) NOT-FOR-US: dotProject CVE-2006-3239 (SQL injection vulnerability in message.php in VBZooM 1.11 and earlier ...) NOT-FOR-US: VBZooM CVE-2006-3238 (Multiple SQL injection vulnerabilities in VBZooM 1.00 and earlier allo ...) NOT-FOR-US: VBZooM CVE-2006-3237 (Cross-site scripting (XSS) vulnerability in index.php in Enterprise Gr ...) NOT-FOR-US: Enterprise Groupware System CVE-2006-3236 (Multiple SQL injection vulnerabilities in thinkWMS 1.0 and earlier all ...) NOT-FOR-US: thinkWMS CVE-2006-3235 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Fi ...) NOT-FOR-US: FineShop CVE-2006-3234 (Multiple SQL injection vulnerabilities in index.php in FineShop 3.0 an ...) NOT-FOR-US: FineShop CVE-2006-3233 (Cross-site scripting (XSS) vulnerability in openwebmail-read.pl in Ope ...) NOT-FOR-US: OpenWebMail CVE-2006-3232 (Unspecified vulnerability in IBM WebSphere Application Server before 6 ...) NOT-FOR-US: IBM WebSphere CVE-2006-3231 (Unspecified vulnerability in IBM WebSphere Application Server (WAS) be ...) NOT-FOR-US: IBM WebSphere CVE-2006-3230 (Cross-site scripting (XSS) vulnerability in index.tmpl in Azureus Trac ...) NOT-FOR-US: Azureus plugin that isn't distributed by default CVE-2006-3229 (Cross-site scripting (XSS) vulnerability in Open WebMail (OWM) 2.52, a ...) NOT-FOR-US: OpenWebMail CVE-2006-3228 (Buffer overflow in in_midi.dll for WinAmp 2.90 up to 5.23, including 5 ...) NOT-FOR-US: WinAmp CVE-2006-3227 (Interpretation conflict between Internet Explorer and other web browse ...) NOT-FOR-US: Internet Explorer CVE-2006-3226 (Cisco Secure Access Control Server (ACS) 4.x for Windows uses the clie ...) NOT-FOR-US: Cisco CVE-2006-3225 (Cross-site scripting (XSS) vulnerability in Sun ONE Application Server ...) NOT-FOR-US: Sun ONE Application Server CVE-2006-3224 (Apple Safari 2.0.3 (417.9.3) on Mac OS X 10.4.6 allows remote attacker ...) NOT-FOR-US: Apple Safari CVE-2006-3223 (Format string vulnerability in CA Integrated Threat Management (ITM), ...) NOT-FOR-US: CA Integrated Threat Management (ITM), eTrust Antivirus (eAV), and eTrust PestPatrol (ePP) CVE-2006-3222 (The FTP proxy module in Fortinet FortiOS (FortiGate) before 2.80 MR12 ...) NOT-FOR-US: Fortinet FortiOS CVE-2006-3221 (SQL injection vulnerability in index.php in DataLife Engine 4.1 and ea ...) NOT-FOR-US: DataLife CVE-2006-3220 (SQL injection vulnerability in studienplatztausch.php in Woltlab Burni ...) NOT-FOR-US: Woltlab Burning Board CVE-2006-3219 (SQL injection vulnerability in thread.php in Woltlab Burning Board (WB ...) NOT-FOR-US: Woltlab Burning Board CVE-2006-3218 (SQL injection vulnerability in profile.php in Woltlab Burning Board (W ...) NOT-FOR-US: Woltlab Burning Board CVE-2006-3217 (JaguarEditControl (JEdit) ActiveX Control 1.1.0.20 and earlier allows ...) NOT-FOR-US: JaguarEditControl CVE-2006-3216 (Clearswift MAILsweeper for SMTP before 4.3.20 and MAILsweeper for Exch ...) NOT-FOR-US: MAILsweeper CVE-2006-3215 (Clearswift MAILsweeper for SMTP before 4.3.20 and MAILsweeper for Exch ...) NOT-FOR-US: MAILsweeper CVE-2006-3214 (Unspecified vulnerability in Hitachi Groupmax Address Server 7 and ear ...) NOT-FOR-US: Hitachi Groupmax CVE-2006-3213 (SQL injection vulnerability in WeBBoA Hosting 1.1 allows remote attack ...) NOT-FOR-US: WeBBoA Hosting CVE-2006-3212 (Cross-site scripting (XSS) vulnerability in sign.php in cjGuestbook 1. ...) NOT-FOR-US: cjGuestbook CVE-2006-3211 (Cross-site scripting (XSS) vulnerability in sign.php in cjGuestbook 1. ...) NOT-FOR-US: cjGuestbook CVE-2006-3210 (Ralf Image Gallery (RIG) 0.7.4 and other versions before 1.0, when reg ...) NOT-FOR-US: Ralf Image Gallery CVE-2006-3209 (** DISPUTED ** The Task scheduler (at.exe) on Microsoft Windows XP spa ...) NOT-FOR-US: Microsoft Windows CVE-2006-3208 (Direct static code injection vulnerability in Ultimate PHP Board (UPB) ...) NOT-FOR-US: Ultimate PHP Board CVE-2006-3207 (Directory traversal vulnerability in newpost.php in Ultimate PHP Board ...) NOT-FOR-US: Ultimate PHP Board CVE-2006-3206 (register.php in Ultimate PHP Board (UPB) 1.9.6 and earlier allows remo ...) NOT-FOR-US: Ultimate PHP Board CVE-2006-3205 (Ultimate PHP Board (UPB) 1.9.6 and earlier allows remote attackers to ...) NOT-FOR-US: Ultimate PHP Board CVE-2006-3204 (Ultimate PHP Board (UPB) 1.9.6 and earlier uses a cryptographically we ...) NOT-FOR-US: Ultimate PHP Board CVE-2006-3203 (The installation of Ultimate PHP Board (UPB) 1.9.6 and earlier include ...) NOT-FOR-US: Ultimate PHP Board CVE-2006-3202 (The ip6_savecontrol function in NetBSD 2.0 through 3.0, under certain ...) NOT-FOR-US: NetBSD's KAME stack CVE-2006-3201 (Unspecified vulnerability in the kernel in HP-UX B.11.00, B.11.11, and ...) NOT-FOR-US: HP-UX CVE-2006-3200 (Unspecified versions of Internet Explorer allow remote attackers to ca ...) NOT-FOR-US: Internet Explorer CVE-2006-3199 (Opera 9 allows remote attackers to cause a denial of service (crash) v ...) NOT-FOR-US: Opera CVE-2006-3198 (Integer overflow in Opera 8.54 and earlier allows remote attackers to ...) NOT-FOR-US: Opera CVE-2006-3197 (Cross-site scripting (XSS) vulnerability in Invision Power Board (IPB) ...) NOT-FOR-US: Invision Power Board CVE-2006-3196 (index.php in singapore 0.10.0 and earlier allows remote attackers to o ...) NOT-FOR-US: singapore CVE-2006-3195 (Cross-site scripting (XSS) vulnerability in index.php in singapore 0.1 ...) NOT-FOR-US: singapore CVE-2006-3194 (Directory traversal vulnerability in index.php in singapore 0.10.0 and ...) NOT-FOR-US: singapore CVE-2006-3193 (Multiple PHP remote file inclusion vulnerabilities in Grayscale BandSi ...) NOT-FOR-US: BandSite CVE-2006-3192 (PHP remote file inclusion vulnerability in Ad Manager Pro 2.6 allows r ...) NOT-FOR-US: Ad Manager CVE-2006-3191 (Cross-site scripting (XSS) vulnerability in comment.php in MPCS 0.2 al ...) NOT-FOR-US: MPCS CVE-2006-3190 (SQL injection vulnerability in administration/includes/login/auth.php ...) NOT-FOR-US: HotPlug CMS CVE-2006-3189 (Cross-site scripting (XSS) vulnerability in administration/tblcontent/ ...) NOT-FOR-US: HotPlug CMS CVE-2006-3188 (Multiple SQL injection vulnerabilities in Sharky e-shop 3.05 and earli ...) NOT-FOR-US: Sharky e-shop CVE-2006-3187 (Multiple cross-site scripting (XSS) vulnerabilities in Sharky e-shop 3 ...) NOT-FOR-US: Sharky e-shop CVE-2006-3186 (Multiple cross-site scripting (XSS) vulnerabilities in CMS Faethon 1.3 ...) NOT-FOR-US: CMS Faethon CVE-2006-3185 (PHP remote file inclusion vulnerability in data/header.php in CMS Faet ...) NOT-FOR-US: CMS Faethon CVE-2006-3184 (Direct static code injection vulnerability in ASP Stats Generator befo ...) NOT-FOR-US: ASP Stats Generator CVE-2006-3183 (Cross-site scripting (XSS) vulnerability in index.php in MobeScripts M ...) NOT-FOR-US: Mobile Space Community CVE-2006-3182 (Directory traversal vulnerability in index.php in MobeScripts Mobile S ...) NOT-FOR-US: Mobile Space Community CVE-2006-3181 (SQL injection vulnerability in index.php in MobeScripts Mobile Space C ...) NOT-FOR-US: Mobile Space Community CVE-2006-3180 (Cross-site scripting (XSS) vulnerability in ftp_index.php in Confixx P ...) NOT-FOR-US: Confixx Pro CVE-2006-3179 (Cross-site scripting (XSS) vulnerability in tools_ftp_pwaendern.php in ...) NOT-FOR-US: Confixx Pro CVE-2006-3178 (Directory traversal vulnerability in extract_chmLib example program in ...) {DSA-1144-1} - chmlib 0.38-1 (bug #374085; low) CVE-2006-3177 (PHP remote file inclusion vulnerability in Admin/rtf_parser.php in The ...) NOT-FOR-US: The Bible Portal Project CVE-2006-3176 (SQL injection vulnerability in xarancms_haupt.php in xarancms 2.0 allo ...) NOT-FOR-US: xarancms CVE-2006-3175 (Multiple PHP remote file inclusion vulnerabilities in mcGuestbook 1.3 ...) NOT-FOR-US: mcGuestbook CVE-2006-3174 (Cross-site scripting (XSS) vulnerability in search.php in SquirrelMail ...) - squirrelmail 2:1.4.7-1 (bug #375782; unimportant) NOTE: Operation with registers_globals not supported CVE-2006-3173 (Multiple PHP remote file inclusion vulnerabilities in Content*Builder ...) NOT-FOR-US: Content*Builder CVE-2006-3172 (Multiple PHP remote file inclusion vulnerabilities in Content*Builder ...) NOT-FOR-US: Content*Builder CVE-2006-3171 (CRLF injection vulnerability in CS-Forum before 0.82 allows remote att ...) NOT-FOR-US: CS-Forum CVE-2006-3170 (CS-Forum before 0.82 allows remote attackers to obtain sensitive infor ...) NOT-FOR-US: CS-Forum CVE-2006-3169 (Multiple cross-site scripting (XSS) vulnerabilities in CS-Forum 0.81 a ...) NOT-FOR-US: CS-Forum CVE-2006-3168 (SQL injection vulnerability in CS-Forum before 0.82 allows remote atta ...) NOT-FOR-US: CS-Forum CVE-2006-3167 (Free Realty before 2.9 allows remote attackers to obtain the full path ...) NOT-FOR-US: Free Realty CVE-2006-3166 (Cross-site scripting (XSS) vulnerability in propview.php in Free Realt ...) NOT-FOR-US: Free Realty CVE-2006-3165 (SQL injection vulnerability in propview.php in Free Realty 2.9-0.7 and ...) NOT-FOR-US: Free Realty CVE-2006-3164 (SQL injection vulnerability in category.php in TPL Design tplShop 2.0 ...) NOT-FOR-US: tplShop CVE-2006-3163 (Multiple SQL injection vulnerabilities in galeria.php in IMGallery 2.4 ...) NOT-FOR-US: IMGallery CVE-2006-3162 (PHP remote file inclusion vulnerability in include/inc_foot.php in Sma ...) NOT-FOR-US: SmartSiteCMS CVE-2006-3161 (SQL injection vulnerability in misc.php in SaphpLesson 1.1 and earlier ...) NOT-FOR-US: SaphpLesson CVE-2006-3160 (Cross-site scripting (XSS) vulnerability in fm.php in ONEdotOH Simple ...) NOT-FOR-US: Simple File Manager CVE-2006-3159 (pipe_master in Sun ONE/iPlanet Messaging Server 5.2 HotFix 1.16 (built ...) NOT-FOR-US: Sun ONE/iPlanet Messaging Server CVE-2006-3158 (index.php in Eduha Meeting does not properly restrict file extensions ...) NOT-FOR-US: Eduha Meeting CVE-2006-3157 (Cross-site scripting (XSS) vulnerability in index.php in Thinkfactory ...) NOT-FOR-US: UltimateGoogle CVE-2006-3156 (Cross-site scripting (XSS) vulnerability in index.cgi in Ultimate eSho ...) NOT-FOR-US: Ultimate eShop CVE-2006-3155 (Multiple cross-site scripting (XSS) vulnerabilities in Ultimate Auctio ...) NOT-FOR-US: Ultimate Auction CVE-2006-3154 (SQL injection vulnerability in index.pl in Ultimate Estate 1.0 and ear ...) NOT-FOR-US: Ultimate Estate CVE-2006-3153 (Cross-site scripting (XSS) vulnerability in index.pl in Ultimate Estat ...) NOT-FOR-US: Ultimate Estate CVE-2006-3152 (Multiple SQL injection vulnerabilities in phpTRADER 4.9 SP5 and earlie ...) NOT-FOR-US: phpTRADER CVE-2006-3151 (Cross-site scripting (XSS) vulnerability in index.php in AssoCIateD (a ...) NOT-FOR-US: AssoCIateD CVE-2006-3150 (SQL injection vulnerability in index.php in CavoxCms 1.0.16 and earlie ...) NOT-FOR-US: CavoxCms CVE-2006-3149 (Cross-site scripting (XSS) vulnerability in topic.php in phpMyForum 4. ...) NOT-FOR-US: phpMyForum CVE-2006-3148 (SQL injection vulnerability, possibly in search.inc.php, in Open-Realt ...) NOT-FOR-US: Open-Realty CVE-2006-3147 (Unspecified vulnerability in Hosting Controller before 6.1 (aka Hotfix ...) NOT-FOR-US: Hosting Controller CVE-2006-3146 (The TOSRFBD.SYS driver for Toshiba Bluetooth Stack 4.00.29 and earlier ...) NOT-FOR-US: Toshiba drivers for Windows CVE-2006-3145 (Buffer overflow in pamtofits of NetPBM 10.30 through 10.33 allows remo ...) - netpbm-free (Debian's version is too old; affects 10.30 to 10.33 only) CVE-2006-3144 (PHP remote file inclusion vulnerability in micro_cms_files/microcms-in ...) NOT-FOR-US: IBD Micro CMS CVE-2006-3143 (Cross-site scripting (XSS) vulnerability in icue_login.asp in Maximus ...) NOT-FOR-US: Maximus SchoolMAX CVE-2006-3142 (SQL injection vulnerability in forum.php in VBZooM 1.11 allows remote ...) NOT-FOR-US: VBZooM CVE-2006-3141 (Cross-site scripting (XSS) vulnerability in details.cfm in Tradingeye ...) NOT-FOR-US: Tradingeye Shop CVE-2006-3140 (SQL injection vulnerability in index.php in openCI 1.0 BETA 0.20.1 and ...) NOT-FOR-US: openCI CVE-2006-3139 (Multiple SQL injection vulnerabilities in war.php in Virtual War (VWar ...) NOT-FOR-US: Virtual War CVE-2006-3138 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyDirectory ...) NOT-FOR-US: phpMyDirectory CVE-2006-3137 (Cross-site scripting (XSS) vulnerability in productDetail.asp in Edge ...) NOT-FOR-US: Edge eCommerce Shop CVE-2006-3136 NOT-FOR-US: Nucleus CVE-2006-3135 (Multiple SQL injection vulnerabilities in CMS Mundo 1.0 build 008, and ...) NOT-FOR-US: CMS Mundo CVE-2006-3134 (Buffer overflow in GraceNote CDDBControl ActiveX Control, as used by m ...) NOT-FOR-US: GraceNote ActiveX Control CVE-2006-3133 RESERVED CVE-2006-3132 (Cross-site scripting (XSS) vulnerability in qtofm.php4 in QTOFileManag ...) NOT-FOR-US: QTOFileManager CVE-2006-3131 (Multiple cross-site scripting (XSS) vulnerabilities in Clubpage allow ...) NOT-FOR-US: Clubpage CVE-2006-3130 (SQL injection vulnerability in index.php in Clubpage allows remote att ...) NOT-FOR-US: Clubpage CVE-2006-3129 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in NC ...) NOT-FOR-US: LinkList CVE-2006-3128 (choose_file.php in easy-CMS 0.1.2, when mod_mime is installed, does no ...) NOT-FOR-US: easy-CMS CVE-2006-3127 (Memory leak in Network Security Services (NSS) 3.11, as used in Sun Ja ...) - mozilla (SunSolve claims it is only in 3.11; latest released is 3.10) CVE-2006-3126 (c2faxrecv in capi4hylafax 01.02.03 allows remote attackers to execute ...) {DSA-1165} - capi4hylafax 1:01.03.00.99.svn.300-3 CVE-2006-3125 (Array index error in tetrinet.c in gtetrinet 0.7.8 and earlier allows ...) {DSA-1163} - gtetrinet 0.7.10-1 CVE-2006-3124 (Buffer overflow in the HTTP header parsing in Streamripper before 1.61 ...) {DSA-1158} - streamripper 1.61.25-2 CVE-2006-3123 (Multiple integer overflows in the (1) dodecrypt and (2) doencrypt func ...) {DSA-1138-1} - cfs 1.4.1-17 CVE-2006-3122 (The supersede_lease function in memory.c in ISC DHCP (dhcpd) server 2. ...) {DSA-1143-1} - dhcp 2.0pl5-19.5 (bug #380273) CVE-2006-3121 (The peel_netstring function in cl_netstring.c in the heartbeat subsyst ...) {DSA-1151-1} - heartbeat-2 2.0.6-2 - heartbeat 1.2.4-14 CVE-2006-3120 (Format string vulnerability in Brian Wotring Osiris before 4.2.1 allow ...) {DSA-1129} - osiris 4.2.0-2 (medium) CVE-2006-3119 (The fbgs framebuffer Postscript/PDF viewer in fbi before 2.01 has a ty ...) {DSA-1124} - fbi 2.05-1 CVE-2006-3118 (spread uses a temporary file with a static filename based on the port ...) - spread 3.17.3-4 (bug #375617; low) [sarge] - spread (Minimal security implications) CVE-2006-3117 (Heap-based buffer overflow in OpenOffice.org (aka StarOffice) 1.1.x up ...) {DSA-1104} - openoffice.org 2.0.3-1 CVE-2006-3116 (Multiple PHP remote file inclusion vulnerabilities in phpRaid 3.0.4 an ...) NOT-FOR-US: phpRaid CVE-2006-3115 (SQL injection vulnerability in view.php in phpRaid 3.0.4, and possibly ...) NOT-FOR-US: phpRaid CVE-2006-3114 (PC Tools AntiVirus 2.1.0.51 uses insecure default permissions on the " ...) NOT-FOR-US: PC Tools AntiVirus CVE-2006-3113 (Mozilla Firefox 1.5 before 1.5.0.5, Thunderbird before 1.5.0.5, and Se ...) NOTE: MFSA-2006-46 - mozilla (mozilla 1.7 not affected) - xulrunner 1.8.0.5-1 (high) - mozilla-firefox (only firefox >= 1.5) - firefox 1.5.dfsg+1.5.0.5-1 (high) - thunderbird 1.5.0.5-1 (medium) - mozilla-thunderbird CVE-2006-3112 (Chipmailer 1.09 allows remote attackers to obtain sensitive informatio ...) NOT-FOR-US: Chipmailer CVE-2006-3111 (Multiple SQL injection vulnerabilities in main.php in Chipmailer 1.09 ...) NOT-FOR-US: Chipmailer CVE-2006-3110 (Cross-site scripting (XSS) vulnerability in main.php in Chipmailer 1.0 ...) NOT-FOR-US: Chipmailer CVE-2006-3109 (Cross-site scripting (XSS) vulnerability in Cisco CallManager 3.3 befo ...) NOT-FOR-US: Cisco CVE-2006-3108 (Cross-site scripting (XSS) vulnerability in EmailArchitect Email Serve ...) NOT-FOR-US: EmailArchitect CVE-2006-3107 (Multiple PHP remote file inclusion vulnerabilities in Docebo 3.0.3 and ...) NOT-FOR-US: Docebo CVE-2006-3106 (Cross-site scripting (XSS) vulnerability in index.php in phpMyDesktop| ...) NOT-FOR-US: phpMyDesktop CVE-2006-3105 (CRLF injection vulnerability in Bitweaver 1.3 allows remote attackers ...) NOT-FOR-US: Bitweaver CVE-2006-3104 (users/index.php in Bitweaver 1.3 allows remote attackers to obtain sen ...) NOT-FOR-US: Bitweaver CVE-2006-3103 (Cross-site scripting (XSS) vulnerability in Bitweaver 1.3 allows remot ...) NOT-FOR-US: Bitweaver CVE-2006-3102 (Race condition in articles/BitArticle.php in Bitweaver 1.3, when run o ...) NOT-FOR-US: Bitweaver CVE-2006-3101 (Cross-site scripting (XSS) vulnerability in LogonProxy.cgi in Cisco Se ...) NOT-FOR-US: Cisco CVE-2006-3099 RESERVED CVE-2006-3098 RESERVED CVE-2006-3097 (Unspecified vulnerability in Support Tools Manager (xstm, cstm, and st ...) NOT-FOR-US: HP-UX Support Tools Manager CVE-2006-3096 (Multiple SQL injection vulnerabilities in iPostMX 2005 2.0 and earlier ...) NOT-FOR-US: iPostMX CVE-2006-3095 (Multiple cross-site scripting (XSS) vulnerabilities in iPostMX 2005 2. ...) NOT-FOR-US: iPostMX CVE-2006-3094 (Multiple SQL injection vulnerabilities in Calendarix Basic 0.7.2006040 ...) NOT-FOR-US: Calendarix Basic CVE-2006-3093 (Multiple unspecified vulnerabilities in Adobe Acrobat Reader (acroread ...) NOT-FOR-US: Adobe Reader CVE-2006-3092 (PhpMyFactures 1.2 and earlier allows remote attackers to bypass authen ...) NOT-FOR-US: PhpMyFactures CVE-2006-3091 (PhpMyFactures 1.0, and possibly 1.2 and earlier, allows remote attacke ...) NOT-FOR-US: PhpMyFactures CVE-2006-3090 (Multiple SQL injection vulnerabilities in PhpMyFactures 1.0, and possi ...) NOT-FOR-US: PhpMyFactures CVE-2006-3089 (Multiple cross-site scripting (XSS) vulnerabilities in PhpMyFactures 1 ...) NOT-FOR-US: PhpMyFactures CVE-2006-3088 (Cross-site scripting (XSS) vulnerability in index.php in Car Classifie ...) NOT-FOR-US: Car Classifieds CVE-2006-3087 (Multiple cross-site scripting (XSS) vulnerabilities in EZGallery 1.5 a ...) NOT-FOR-US: EZGallery CVE-2006-3086 (Stack-based buffer overflow in the HrShellOpenWithMonikerDisplayName f ...) NOT-FOR-US: Microsoft CVE-2006-3084 (The (1) ftpd and (2) ksu programs in (a) MIT Kerberos 5 (krb5) up to 1 ...) {DSA-1146-1} - krb5 1.4.3-9 (medium) CVE-2006-3083 (The (1) krshd and (2) v4rcp applications in (a) MIT Kerberos 5 (krb5) ...) {DSA-1146-1} - krb5 1.4.3-9 (medium) CVE-2006-3082 (parse-packet.c in GnuPG (gpg) 1.4.3 and 1.9.20, and earlier versions, ...) {DSA-1115 DSA-1107} - gnupg 1.4.3-2 (bug #375052; bug #375473; low) - gnupg2 1.9.20-1.1 (bug #375053; low) CVE-2006-3081 (mysqld in MySQL 4.1.x before 4.1.18, 5.0.x before 5.0.19, and 5.1.x be ...) {DSA-1112} - mysql-dfsg-5.0 5.0.19-1 (bug #373913; high) CVE-2006-3100 (termpkg 3.3 suffers from buffer overflow. ...) - termpkg 3.3-7 (bug #358028; medium) CVE-2006-3085 (xt_sctp in netfilter for Linux kernel before 2.6.17.1 allows attackers ...) - linux-2.6 2.6.16-15 CVE-2006-XXXX [webalizer-stonesteps XSS] - webalizer-stonesteps 2.4.1.2-1 CVE-2006-3080 (Cross-site scripting (XSS) vulnerability in viewposts.cfm in aXentForu ...) NOT-FOR-US: aXentForum CVE-2006-3079 (Cross-site scripting (XSS) vulnerability in index.cfm in SSPwiz Plus 1 ...) NOT-FOR-US: SSPwiz Plus CVE-2006-3078 (Multiple SQL injection vulnerabilities in APBoard 2.2-r3 and earlier a ...) NOT-FOR-US: APBoard CVE-2006-3077 (Cross-site scripting (XSS) vulnerability in guestbook.cfm in aXentGues ...) NOT-FOR-US: aXentGuestbook CVE-2006-3076 (PHP remote file inclusion vulnerability in software_upload/public_incl ...) NOT-FOR-US: PhpBlueDragon CVE-2006-3075 (Multiple PHP remote file inclusion vulnerabilities in PictureDis Profe ...) NOT-FOR-US: PictureDis Professional CVE-2006-3074 (klif.sys in Kaspersky Internet Security 6.0 and 7.0, Kaspersky Anti-Vi ...) NOT-FOR-US: Several Kaspersky products CVE-2006-3073 (Multiple cross-site scripting (XSS) vulnerabilities in the WebVPN feat ...) NOT-FOR-US: Cisco CVE-2006-3072 (M4 Macro Library in Symantec Security Information Manager before 4.0.2 ...) NOT-FOR-US: Symantec Security Information Manager CVE-2006-3071 (Cross-site scripting (XSS) vulnerability in index.php in MP3 Search/Ar ...) NOT-FOR-US: MP3 Search/Archive CVE-2006-3070 (write_ok.php in Zeroboard 4.1 pl8, when installed on Apache with mod_m ...) NOT-FOR-US: Zeroboard CVE-2006-3069 NOT-FOR-US: DoubleSpeak CVE-2006-3068 (IBM DB2 Universal Database (UDB) before 8.2 FixPak 12 allows remote at ...) NOT-FOR-US: IBM DB2 CVE-2006-3067 (Multiple unspecified vulnerabilities in IBM DB2 Universal Database (UD ...) NOT-FOR-US: IBM DB2 CVE-2006-3066 (Buffer overflow in the TCP/IP listener in IBM DB2 Universal Database ( ...) NOT-FOR-US: IBM DB2 CVE-2006-3065 (SQL injection vulnerability in engine/shards/blog.php in blur6ex 0.3.4 ...) NOT-FOR-US: blur6ex CVE-2006-3064 (SQL injection vulnerability in the add_hit function in include/functio ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2006-3063 (Multiple cross-site scripting (XSS) vulnerabilities in myPHP Guestbook ...) NOT-FOR-US: myPHP Guestbook CVE-2006-3062 (Cross-site scripting (XSS) vulnerability in index.php in myPHP Guestbo ...) NOT-FOR-US: myPHP Guestbook CVE-2006-3061 (Multiple cross-site scripting (XSS) vulnerabilities in 5 Star Review a ...) NOT-FOR-US: 5 Star Review CVE-2006-3060 (Cross-site scripting (XSS) vulnerability in P.A.I.D 2.2 allows remote ...) NOT-FOR-US: P.A.I.D CVE-2006-3059 (Unspecified vulnerability in Microsoft Excel 2000 through 2004 allows ...) NOT-FOR-US: Microsoft Excel CVE-2006-3058 RESERVED CVE-2006-3057 (Unspecified vulnerability in NetworkManager daemon for DHCP (dhcdbd) a ...) - dhcdbd 1.14-1 CVE-2006-3056 (SQL injection vulnerability in language.php in VBZooM 1.01 allows remo ...) NOT-FOR-US: VBZooM CVE-2006-3055 (Multiple SQL injection vulnerabilities in VBZooM 1.02 allow remote att ...) NOT-FOR-US: VBZooM CVE-2006-3054 (Multiple SQL injection vulnerabilities in VBZooM 1.11 allow remote att ...) NOT-FOR-US: VBZooM CVE-2006-3053 NOT-FOR-US: PHORUM CVE-2006-3052 (Cross-site scripting (XSS) vulnerability in Event Registration allows ...) NOT-FOR-US: Event Registration CVE-2006-3051 (Cross-site scripting (XSS) vulnerability in list.php in SixCMS 6.0, an ...) NOT-FOR-US: SixCMS CVE-2006-3050 (Directory traversal vulnerability in detail.php in SixCMS 6.0, and oth ...) NOT-FOR-US: SixCMS CVE-2006-3049 (Multiple cross-site scripting (XSS) vulnerabilities in booking3.php in ...) NOT-FOR-US: Mole Group Ticket Booking Script CVE-2006-3048 (SQL injection vulnerability in TikiWiki 1.9.3.2 and possibly earlier v ...) - tikiwiki 1.9.4-1 (medium) CVE-2006-3047 (Cross-site scripting (XSS) vulnerability in TikiWiki 1.9.3.2 and possi ...) - tikiwiki 1.9.4-1 (medium) CVE-2006-3046 (Unspecified vulnerability in the admin login feature in Subtext 1.5, i ...) NOT-FOR-US: Subtext CVE-2006-3045 (PHP remote file inclusion vulnerability in manage_songs.php in Foing 0 ...) NOT-FOR-US: Foing CVE-2006-3044 (Cross-site scripting (XSS) vulnerability in LogiSphere 1.6.0 allows re ...) NOT-FOR-US: LogiSphere CVE-2006-3043 (Cross-site scripting (XSS) vulnerability in search.cfm in CreaFrameXe ...) NOT-FOR-US: CFXe-CMS CVE-2006-3042 NOT-FOR-US: ISPConfig CVE-2006-3041 NOT-FOR-US: Codewalkers Ltwcalendar CVE-2006-3040 NOT-FOR-US: Amr Talkbox CVE-2006-3039 (Cross-site scripting (XSS) vulnerability in index.php in Cescripts Rea ...) NOT-FOR-US: Cescripts Realty Home Rent CVE-2006-3038 (Cross-site scripting (XSS) vulnerability in index.php in Cescripts Rea ...) NOT-FOR-US: Cescripts Realty Home Rent CVE-2006-3037 (Multiple cross-site scripting (XSS) vulnerabilities in publish.php in ...) NOT-FOR-US: ST AdManager Lite CVE-2006-3036 (Multiple cross-site scripting (XSS) vulnerabilities in 35mmslidegaller ...) NOT-FOR-US: 35mmslidegallery CVE-2006-3035 (Multiple cross-site scripting (XSS) vulnerabilities in addwords.php in ...) NOT-FOR-US: MyScrapbook CVE-2006-3034 (MyScrapbook 3.1 allows remote attackers to obtain sensitive informatio ...) NOT-FOR-US: MyScrapbook CVE-2006-3033 (Cross-site scripting (XSS) vulnerability in MyScrapbook 3.1 allows rem ...) NOT-FOR-US: MyScrapbook CVE-2006-3032 (Multiple cross-site scripting (XSS) vulnerabilities in Xtreme ASP Phot ...) NOT-FOR-US: Xtreme ASP Photo Gallery CVE-2006-3031 (Multiple cross-site scripting (XSS) vulnerabilities in index.asp in fi ...) NOT-FOR-US: fipsCMS CVE-2006-3030 (Multiple cross-site scripting (XSS) vulnerabilities in DwZone Shopping ...) NOT-FOR-US: DwZone Shopping Cart CVE-2006-3029 (Cross-site scripting (XSS) vulnerability in default.asp in ClickTech C ...) NOT-FOR-US: ClickTech Clickcart CVE-2006-3028 (PHP remote file inclusion vulnerability in stat_modules/users_age/modu ...) NOT-FOR-US: Minerva CVE-2006-3027 (Multiple SQL injection vulnerabilities in Enthrallwebe ePhotos 2.2 and ...) NOT-FOR-US: Enthrallwebe ePhotos CVE-2006-3026 (Multiple cross-site scripting (XSS) vulnerabilities in ClickGallery 5. ...) NOT-FOR-US: ClickGallery CVE-2006-3025 (Cross-site scripting (XSS) vulnerability in Cal.PHP3 in Chris Lea Luci ...) NOT-FOR-US: Chris Lea Lucid Calendar CVE-2006-3024 (Multiple cross-site scripting (XSS) vulnerabilities in EvGenius Counte ...) NOT-FOR-US: EvGenius Counter CVE-2006-3023 (Multiple cross-site scripting (XSS) vulnerabilities in thumbnails.asp ...) NOT-FOR-US: Uapplication Uphotogallery CVE-2006-3022 (Cross-site scripting (XSS) vulnerability in zoom.php in fipsGallery 1. ...) NOT-FOR-US: fipsGallery CVE-2006-3021 (Multiple cross-site scripting (XSS) vulnerabilities in BlueCollar i-Ga ...) NOT-FOR-US: BlueCollar i-Gallery CVE-2006-3020 (Multiple cross-site scripting (XSS) vulnerabilities in FullPhoto.asp i ...) NOT-FOR-US: WS-Album CVE-2006-3019 (Multiple PHP remote file inclusion vulnerabilities in phpCMS 1.2.1pl2 ...) NOT-FOR-US: phpCMS CVE-2006-3018 (Unspecified vulnerability in the session extension functionality in PH ...) - php5 5.1.4-0.1 (unimportant) - php4 (unimportant) NOTE: Sanitising is the application's responsibilitys CVE-2006-3017 (zend_hash_del_key_or_index in zend_hash.c in PHP before 4.4.3 and 5.x ...) {DSA-1206-1} - php5 5.1.4-0.1 (medium) - php4 4:4.4.4-1 (medium; bug #381998) CVE-2006-3016 (Unspecified vulnerability in session.c in PHP before 5.1.3 has unknown ...) - php5 5.1.4-0.1 (unimportant) - php4 4:4.4.4-1 (unimportant; bug #382259) NOTE: Sanitising is the application's responsibilitys CVE-2006-3015 (Argument injection vulnerability in WinSCP 3.8.1 build 328 allows remo ...) NOT-FOR-US: WinSCP CVE-2006-3014 (Microsoft Excel allows user-assisted attackers to execute arbitrary ja ...) NOT-FOR-US: Microsoft Excel / Flashplayer for Windows CVE-2006-3013 (Interpretation conflict in resetpw.php in phpBannerExchange before 2.0 ...) NOT-FOR-US: phpBannerExchange CVE-2006-3012 (SQL injection vulnerability in phpBannerExchange before 2.0 Update 6 a ...) NOT-FOR-US: phpBannerExchange CVE-2006-3011 (The error_log function in basic_functions.c in PHP before 4.4.4 and 5. ...) - php4 4:4.4.4-1 (unimportant) - php5 5.1.6-1 (unimportant) NOTE: Safe mode violations are not supported CVE-2003-1303 (Buffer overflow in the imap_fetch_overview function in the IMAP functi ...) NOT-FOR-US: Microsoft Internet Explore CVE-2003-1302 (The IMAP functionality in PHP before 4.3.1 allows remote attackers to ...) - php4 4:4.3.2+rc3-1 CVE-2002-2215 (The imap_header function in the IMAP functionality for PHP before 4.3. ...) - php4 4:4.3.2+rc3-1 CVE-2002-2214 (The php_if_imap_mime_header_decode function in the IMAP functionality ...) - php4 4:4.3.2+rc3-1 CVE-1999-1589 (Unspecified vulnerability in crontab in IBM AIX 3.2 allows local users ...) NOT-FOR-US: IBM AIX CVE-2006-3010 (Multiple SQL injection vulnerabilities in Open Business Management (OB ...) NOT-FOR-US: Open Business Management CVE-2006-3009 (Multiple cross-site scripting (XSS) vulnerabilities in Open Business M ...) NOT-FOR-US: Open Business Management CVE-2006-3008 REJECTED CVE-2006-3007 (Multiple cross-site scripting (XSS) vulnerabilities in SHOUTcast 1.9.5 ...) NOT-FOR-US: SHOUTcast CVE-2006-3006 (Cross-site scripting (XSS) vulnerability in iFoto 0.20, and possibly o ...) NOT-FOR-US: iFoto CVE-2006-3005 (The JPEG library in media-libs/jpeg before 6b-r7 on Gentoo Linux is bu ...) - libjpeg6b (--maxmem is set during configure) - libjpeg-mmx (bug #373672; low) [sarge] - libjpeg-mmx (If this poses a threat, the admin can apply resource limits) CVE-2006-3004 (Multiple cross-site scripting (XSS) vulnerabilities in Ez Ringtone Man ...) NOT-FOR-US: Ez Ringtone CVE-2006-3003 (details.php in Easy Ad-Manager allows remote attackers to obtain the f ...) NOT-FOR-US: Easy Ad-Manager CVE-2006-3002 (Cross-site scripting (XSS) vulnerability in details.php in Easy Ad-Man ...) NOT-FOR-US: OkScripts product CVE-2006-3001 (Cross-site scripting (XSS) vulnerability in search.php in OkScripts Ok ...) NOT-FOR-US: OkScripts product CVE-2006-3000 (Cross-site scripting (XSS) vulnerability in search.php in OkScripts Ok ...) NOT-FOR-US: OkScripts product CVE-2006-2999 (Cross-site scripting (XSS) vulnerability in search.php in OkScripts Qu ...) NOT-FOR-US: OkScripts product CVE-2006-2998 (PHP remote file inclusion vulnerability in board/post.php in free QBoa ...) NOT-FOR-US: QBoard CVE-2006-2997 (Cross-site scripting (XSS) vulnerability in ZMS 2.9 and earlier, when ...) - zope-zms (bug #373667; unimportant) [sarge] - zope-zms (Only exploitable with register_globals) NOTE: register_globals is an unsupported mode of operation in Debian CVE-2006-2996 (PHP remote file inclusion vulnerability in inc/design.inc.php in LoveC ...) NOT-FOR-US: aePartner CVE-2006-2995 (Multiple PHP remote file inclusion vulnerabilities in WebprojectDB 0.1 ...) NOT-FOR-US: WebprojectDB CVE-2006-2994 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in ph ...) NOT-FOR-US: phazizGuestbook CVE-2006-2993 (Multiple SQL injection vulnerabilities in My Photo Scrapbook 1.0 and e ...) NOT-FOR-US: My Photo Scrapbook CVE-2006-2992 (Cross-site scripting (XSS) vulnerability in display.asp in My Photo Sc ...) NOT-FOR-US: My Photo Scrapbook CVE-2006-2991 (Multiple cross-site scripting (XSS) vulnerabilities in Ringlink 3.2 al ...) NOT-FOR-US: Ringlink CVE-2006-2990 (Cross-site scripting (XSS) vulnerability in default.asp in VanillaSoft ...) NOT-FOR-US: VanillaSoft CVE-2006-2989 (Cross-site scripting (XSS) vulnerability in listpics.asp in ASP ListPi ...) NOT-FOR-US: ASP ListPics CVE-2006-2988 (Cross-site scripting (XSS) vulnerability in dictionary.php in Chemical ...) NOT-FOR-US: Chemical Dictionary CVE-2006-2987 (Multiple SQL injection vulnerabilities in Dominios Europa PICRATE (aka ...) NOT-FOR-US: PICRATE CVE-2006-2986 (Multiple cross-site scripting (XSS) vulnerabilities in Baby Katie Medi ...) NOT-FOR-US: vSCAL and vsREAL CVE-2006-2985 (SQL injection vulnerability in index.php in IntegraMOD 1.4.0 and earli ...) NOT-FOR-US: IntegraMOD CVE-2006-2984 (Cross-site scripting (XSS) vulnerability in index.php in IntegraMOD 1. ...) NOT-FOR-US: IntegraMOD CVE-2006-2983 (PHP remote file inclusion vulnerability in Enterprise Timesheet and Pa ...) NOT-FOR-US: Enterprise Timesheet and Payroll Systems (EPS) CVE-2006-2982 (Multiple PHP remote file inclusion vulnerabilities in Enterprise Times ...) NOT-FOR-US: Enterprise Timesheet and Payroll Systems (EPS) CVE-2006-2981 (SQL injection vulnerability in vs_search.php in Arantius Vice Stats be ...) NOT-FOR-US: Arantius Vice Stats CVE-2006-2980 (SQL injection vulnerability in block_forum_topic_new.php in ViArt Shop ...) NOT-FOR-US: ViArt CVE-2006-2979 (Multiple cross-site scripting (XSS) vulnerabilities in ViArt Shop Free ...) NOT-FOR-US: ViArt CVE-2006-2978 (Mafia Moblog 0.6M1 and earlier allows remote attackers to obtain the i ...) NOT-FOR-US: Moblog CVE-2006-2977 (SQL injection vulnerability in big.php in Mafia Moblog 0.6M1 and earli ...) NOT-FOR-US: Moblog CVE-2006-2976 (Unspecified vulnerability in usermgr.php in Coppermine Photo Gallery b ...) NOT-FOR-US: Coppermine CVE-2006-2975 (Multiple cross-site scripting (XSS) vulnerabilities in pblguestbook.ph ...) NOT-FOR-US: PBL Guestbook CVE-2006-2974 (Multiple cross-site scripting (XSS) vulnerabilities in EmailArchitect ...) NOT-FOR-US: EmailArchitect CVE-2006-2973 (Multiple SQL injection vulnerabilities in month.php in PHP Lite Calend ...) NOT-FOR-US: PHP Lite Calendar CVE-2006-2972 (SQL injection vulnerability in vs_resource.php in Arantius Vice Stats ...) NOT-FOR-US: Arantius Vice Stats CVE-2006-2971 (Integer overflow in the recv_packet function in 0verkill 0.16 allows r ...) - overkill 0.16-9 (bug #373687; low) [sarge] - overkill (Only DoS against an obscure game, no code injection possible) CVE-2006-2970 (videoPage.php in L0j1k tinyMuw 0.1.0 allows remote attackers to obtain ...) NOT-FOR-US: tinyMuw CVE-2006-2969 (Cross-site scripting (XSS) vulnerability in L0j1k tinyMuw 0.1.0 allow ...) NOT-FOR-US: tinyMuw CVE-2006-2968 (Cross-site scripting (XSS) vulnerability in search.php in PHP Labware ...) NOT-FOR-US: LabWiki CVE-2006-2967 (Syworks SafeNET allows local users to bypass restrictions on network r ...) NOT-FOR-US: SafeNET CVE-2006-2966 (Cross-site scripting (XSS) vulnerability in Particle Soft Particle Wik ...) NOT-FOR-US: Particle Wiki CVE-2006-2965 (Multiple cross-site scripting (XSS) vulnerabilities in Particle Soft P ...) NOT-FOR-US: Particle Whois CVE-2006-2964 (Multiple PHP remote file inclusion vulnerabilities in Xtreme Scripts D ...) NOT-FOR-US: Xtreme Downloads CVE-2006-2963 (Cross-site scripting (XSS) vulnerability in Suchergebnisse.asp in Caba ...) NOT-FOR-US: Cabacos Web CMS CVE-2006-2962 (PHP remote file inclusion vulnerability in sql_fcnsOLD.php in Emergeni ...) NOT-FOR-US: Empris CVE-2006-2961 (Stack-based buffer overflow in CesarFTP 0.99g and earlier allows remot ...) NOT-FOR-US: CesarFTP CVE-2006-2960 (PHP remote file inclusion vulnerability in includes/joomla.php in Joom ...) NOT-FOR-US: Joomla! CVE-2006-2959 (SQL injection vulnerability in inc_header.asp in Snitz Forum 3.4.05 an ...) NOT-FOR-US: Snitz Forum CVE-2006-2958 (Directory traversal vulnerability in FilZip 3.05 allows remote attacke ...) NOT-FOR-US: FilZip CVE-2006-2957 (Cross-site scripting (XSS) vulnerability in i.List 1.5 beta and earlie ...) NOT-FOR-US: i.List CVE-2006-2956 (Multiple cross-site scripting (XSS) vulnerabilities in i.List 1.5 beta ...) NOT-FOR-US: i.List CVE-2006-2955 (Multiple cross-site scripting (XSS) vulnerabilities in KAPhotoservice ...) NOT-FOR-US: KAPhotoservice CVE-2006-2954 (SQL injection vulnerability in files.asp in OfficeFlow 2.6 and earlier ...) NOT-FOR-US: OfficeFlow CVE-2006-2953 (Cross-site scripting (XSS) vulnerability in default.asp in OfficeFlow ...) NOT-FOR-US: OfficeFlow CVE-2006-2952 (Directory traversal vulnerability in Net Portal Dynamic System (NPDS) ...) NOT-FOR-US: NPDS CVE-2006-2951 (Multiple cross-site scripting (XSS) vulnerabilities in Net Portal Dyna ...) NOT-FOR-US: NPDS CVE-2006-2950 (Net Portal Dynamic System (NPDS) 5.10 and earlier allows remote attack ...) NOT-FOR-US: NPDS CVE-2006-2949 (Cross-site scripting (XSS) vulnerability in private.php in MyBB 1.1.2 ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-2948 (A-CART 2.0 stores the acart2_0.mdb file under the web document root wi ...) NOT-FOR-US: A-CART CVE-2006-2947 (Dmx Forum 2.1a allows remote attackers to obtain username and password ...) NOT-FOR-US: Dmx Forum CVE-2006-2946 (Dmx Forum 2.1a stores _includes/bd.inc under the web root with insuffi ...) NOT-FOR-US: Dmx Forum CVE-2006-2945 (Unspecified vulnerability in the user profile change functionality in ...) - dokuwiki 0.0.20060309-4 (bug #373689; low) CVE-2006-2944 (Unspecified vulnerability in CGI-RESCUE FORM2MAIL 1.21 and earlier all ...) NOT-FOR-US: FORM2MAIL CVE-2006-2943 (Unspecified vulnerability in CGI-RESCUE WebFORM 4.1 and earlier allows ...) NOT-FOR-US: WebFORM CVE-2006-2942 (TWiki 4.0.0, 4.0.1, and 4.0.2 allows remote attackers to gain Twiki ad ...) - twiki (Debian's version is old and does not include affected file) CVE-2006-2941 (Mailman before 2.1.9rc1 allows remote attackers to cause a denial of s ...) - mailman (Mailman uses the system version of the affected Python lib) CVE-2006-2940 (OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions ...) {DSA-1195-1 DSA-1185-2} - openssl 0.9.8c-2 (bug #389940) - openssl097 0.9.7k-2 - openssl096 CVE-2006-2939 REJECTED CVE-2006-2938 REJECTED CVE-2006-2937 (OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d allows remote atta ...) {DSA-1185-2} - openssl 0.9.8c-2 (bug #389940) - openssl097 0.9.7k-2 - openssl096 CVE-2006-2936 (The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up t ...) {DSA-1184-2} - linux-2.6 2.6.17-5 (low) CVE-2006-2935 (The dvd_read_bca function in the DVD handling code in drivers/cdrom/cd ...) {DSA-1184-2 DSA-1183-1} - linux-2.6 2.6.17-5 (low) CVE-2006-2934 (SCTP conntrack (ip_conntrack_proto_sctp.c) in netfilter for Linux kern ...) - linux-2.6 2.6.17-3 CVE-2006-2933 (kdesktop_lock in kdebase before 3.1.3-5.11 for KDE in Red Hat Enterpri ...) [sarge] - kdebase (Only KDE < 3.2 vulnerable) - kdebase 3.5.2-1 (medium) NOTE: exact fixed version not known, however bug only affects < 3.2 CVE-2006-2932 (A regression error in the restore_all code path of the 4/4GB split sup ...) - linux-2.6 (vulnerable code not present) CVE-2006-2931 (CMS Mundo before 1.0 build 008 does not properly verify uploaded image ...) NOT-FOR-US: CMS Mundo CVE-2006-2930 (Unspecified vulnerability in Sun Grid Engine 5.3 and Sun N1 Grid Engin ...) NOT-FOR-US: Sun CVE-2006-2929 (PHP remote file inclusion vulnerability in contrib/forms/evaluation/C_ ...) NOT-FOR-US: OpenEMR CVE-2006-2928 (Multiple PHP remote file inclusion vulnerabilities in CMS-Bandits 2.5 ...) NOT-FOR-US: CMS-Bandits CVE-2006-2927 (Multiple cross-site scripting (XSS) vulnerabilities in post.asp in Cod ...) NOT-FOR-US: CAForum CVE-2006-2926 (Stack-based buffer overflow in the WWW Proxy Server of Qbik WinGate 6. ...) NOT-FOR-US: Qbik CVE-2006-2925 (Cross-site scripting (XSS) vulnerability in the web interface in Ingat ...) NOT-FOR-US: Ingate CVE-2006-2924 (Ingate Firewall in the SIP module before 4.4.1 and SIParator before 4. ...) NOT-FOR-US: Ingate CVE-2006-2923 (The iax_net_read function in the iaxclient open source library, as use ...) - iaxclient 0.0+svn20060520-2 CVE-2006-2922 (Multiple PHP remote file inclusion vulnerabilities in MiraksGalerie 2. ...) NOT-FOR-US: MiraksGalerie CVE-2006-2921 (PHP remote file inclusion vulnerability in cmpro_header.inc.php in Cla ...) NOT-FOR-US: CMPro CVE-2006-2920 (Sylpheed-Claws before 2.2.2 and Sylpheed before 2.2.6 allow remote att ...) - sylpheed 2.2.6-1 (low) [sarge] - sylpheed (Minor evasion of phishing protection feature) - sylpheed-gtk1 1.0.6-3 (bug #373187; low) - sylpheed-claws 1.0.5-3 (bug #372891; low) [sarge] - sylpheed-claws (Minor evasion of phishing protection feature) - sylpheed-claws-gtk2 2.3.0-1 (bug #372889; low) CVE-2006-2919 (Unspecified vulnerability in Microsoft NetMeeting 3.01 allows remote a ...) NOT-FOR-US: Microsoft CVE-2006-2918 (The Lanap BotDetect APS.NET CAPTCHA component before 1.5.4.0 stores th ...) NOT-FOR-US: Lanap BotDetect APS.NET CAPTCHA component CVE-2006-2917 (Directory traversal vulnerability in the IMAP server in WinGate 6.1.2. ...) NOT-FOR-US: WinGate CVE-2006-2916 (artswrapper in aRts, when running setuid root on Linux 2.6.0 or later ...) - arts 1.5.3-2 (bug #374003; low) [sarge] - arts (Not setuid root in Debian) NOTE: artswrapper is not suid root by default, but README.Debian describes it CVE-2006-2915 (Multiple SQL injection vulnerabilities in DeluxeBB 1.06 allow remote a ...) NOT-FOR-US: DeluxeBB CVE-2006-2914 (PHP remote file inclusion vulnerability in DeluxeBB 1.06 allows remote ...) NOT-FOR-US: DeluxeBB CVE-2006-2913 (Cross-site scripting (XSS) vulnerability in SelectaPix 1.31 allows rem ...) NOT-FOR-US: SelectaPix CVE-2006-2912 (Multiple SQL injection vulnerabilities in SelectaPix 1.31 allow remote ...) NOT-FOR-US: SelectaPix CVE-2006-2911 (SQL injection vulnerability in controlpanel/index.php in CMS Mundo bef ...) NOT-FOR-US: CMS Mundo CVE-2006-2910 (Buffer overflow in jetAudio 6.2.6.8330 (Basic), and possibly other ver ...) NOT-FOR-US: jetAudio CVE-2006-2909 (Stack-based buffer overflow in the info tip shell extension (zipinfo.d ...) NOT-FOR-US: PicoZip CVE-2006-2908 (The domecode function in inc/functions_post.php in MyBulletinBoard (My ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-2907 RESERVED CVE-2006-2906 (The LZW decoding in the gdImageCreateFromGifPtr function in the Thomas ...) {DSA-1117} - libgd2 2.0.33-5 (bug #372912; low) - tetex-bin (Links dynamically, see #382506) CVE-2006-2905 (Partial Links 1.2.2 allows remote attackers to obtain sensitive inform ...) NOT-FOR-US: Partial Links CVE-2006-2904 (SQL injection vulnerability in index.php in Partial Links 1.2.2 allows ...) NOT-FOR-US: Partial Links CVE-2006-2903 (Cross-site scripting (XSS) vulnerability in admin.php in Particle Link ...) NOT-FOR-US: Partial Links CVE-2006-2902 (Directory traversal vulnerability in Particle Links 1.2.2 might allow ...) NOT-FOR-US: Partial Links CVE-2006-2901 (The web server for D-Link Wireless Access-Point (DWL-2100ap) firmware ...) NOT-FOR-US: D-Link CVE-2006-2900 (Internet Explorer 6 allows user-assisted remote attackers to read arbi ...) NOT-FOR-US: Microsoft CVE-2006-2899 (Unspecified vulnerability in ESTsoft InternetDISK versions before 2006 ...) NOT-FOR-US: ESTsoft InternetDISK CVE-2006-2898 (The IAX2 channel driver (chan_iax2) for Asterisk 1.2.x before 1.2.9 an ...) {DSA-1126} - asterisk 1:1.2.10.dfsg-2 (bug #380054) - iax 0.2.2-5 [sarge] - iax (Vulnerable code not present) - iaxmodem 0.1.8.dfsg-2 CVE-2006-2897 (Cross-site scripting (XSS) vulnerability in FunkBoard 0.71 allows remo ...) NOT-FOR-US: Funkboard CVE-2006-2896 (profile.php in FunkBoard CF0.71 allows remote attackers to change arbi ...) NOT-FOR-US: Funkboard CVE-2006-2895 (Cross-site scripting (XSS) vulnerability in MediaWiki 1.6.0 up to vers ...) - mediawiki (Affects only 1.6.0-1.6.6) CVE-2006-2894 (Mozilla Firefox 1.5.0.4, 2.0.x before 2.0.0.8, Mozilla Suite 1.7.13, M ...) {DSA-1401-1 DSA-1392-1 DTSA-69-1 DTSA-80-1} - iceweasel 2.0.0.8 - xulrunner 1.8.1.9-1 - iceape 1.1.5 CVE-2006-2893 (index.php in GANTTy 1.0.3 allows remote attackers to obtain the full p ...) NOT-FOR-US: GANTTy CVE-2006-2892 (Cross-site scripting (XSS) vulnerability in index.php in GANTTy 1.0.3 ...) NOT-FOR-US: GANTTy CVE-2006-2891 (Cross-site scripting (XSS) vulnerability in admin/index.php for Pixelp ...) NOT-FOR-US: Pixelpost CVE-2006-2890 (Pixelpost 1-5rc1-2 and earlier, when register_globals is enabled, allo ...) NOT-FOR-US: Pixelpost CVE-2006-2889 (Multiple SQL injection vulnerabilities in index.php in Pixelpost 1-5rc ...) NOT-FOR-US: Pixelpost CVE-2006-2888 (PHP remote file inclusion vulnerability in _wk/wk_lang.php in Wikiwig ...) NOT-FOR-US: Wikiwig CVE-2006-2887 (Multiple SQL injection vulnerabilities in myNewsletter 1.1.2 and earli ...) NOT-FOR-US: myNewsletter CVE-2006-2886 (view.php in KnowledgeTree Open Source 3.0.3 and earlier allows remote ...) - knowledgetree (bug #373137; low) CVE-2006-2885 (Multiple cross-site scripting (XSS) vulnerabilities in KnowledgeTree O ...) - knowledgetree (bug #373137; low) CVE-2006-2884 (SQL injection vulnerability in index.php in Kmita FAQ 1.0 allows remot ...) NOT-FOR-US: Kmita CVE-2006-2883 (Cross-site scripting (XSS) vulnerability in search.php in Kmita FAQ 1. ...) NOT-FOR-US: Kmita CVE-2006-2882 (Multiple cross-site scripting (XSS) vulnerabilities submit.asp in ASPS ...) NOT-FOR-US: ASPScriptz CVE-2006-2881 (Multiple PHP remote file inclusion vulnerabilities in DreamAccount 3.1 ...) NOT-FOR-US: DreamAccount CVE-2006-2880 (Cross-site scripting (XSS) vulnerability in the Contributed Packages f ...) NOT-FOR-US: pyblosxom package doesn't ship plugins CVE-2006-2879 (SQL injection vulnerability in newscomments.php in Alex News-Engine 1. ...) NOT-FOR-US: Alex News-Engine CVE-2006-2878 (The spellchecker (spellcheck.php) in DokuWiki 2006/06/04 and earlier a ...) - dokuwiki 0.0.20060309-4 (bug #370369; bug #370785; high) CVE-2006-2877 (PHP remote file inclusion vulnerability in Bookmark4U 2.0.0 and earlie ...) NOT-FOR-US: Bookmark4U CVE-2006-2876 (Cross-site scripting (XSS) vulnerability in cat.php in PHP Pro Publish ...) NOT-FOR-US: PHP Pro Publish CVE-2006-2875 (Stack-based buffer overflow in the CL_ParseDownload function of Quake ...) - tremulous 1.1.0-6 (bug #660827) [squeeze] - tremulous 1.1.0-7~squeeze1 - ioquake3 1.36+svn1788j-1 CVE-2006-2874 (Unspecified vulnerability in OSADS Alliance Database before 1.4 has un ...) NOT-FOR-US: OSADS CVE-2006-2873 (Cross-site scripting (XSS) vulnerability in hava.asp in Enigma Haber 4 ...) NOT-FOR-US: Enigma Haber CVE-2006-2872 (PHP remote file inclusion vulnerability in config.php in Rumble 1.02 a ...) NOT-FOR-US: Rumble CVE-2006-2871 NOT-FOR-US: CyBoards CVE-2006-2870 (Cross-site scripting (XSS) vulnerability in forum_search.asp in Intell ...) NOT-FOR-US: Intelligent Solutions Inc. CVE-2006-2869 (Unspecified vulnerability in the CHM unpacker in avast! before 4.7.844 ...) NOT-FOR-US: Avast CVE-2006-2868 (Multiple PHP remote file inclusion vulnerabilities in Claroline 1.7.6 ...) NOT-FOR-US: Claroline CVE-2006-2867 (SQL injection vulnerability in editpost.php in CoolForum 0.8.3 beta an ...) NOT-FOR-US: CoolForum CVE-2006-2866 (PHP remote file inclusion vulnerability in layout/prepend.php in DotCl ...) NOT-FOR-US: DotClear CVE-2006-2865 NOTE: phpbb2, but invalid CVE-2006-2864 (Multiple PHP remote file inclusion vulnerabilities in BlueShoes Framew ...) NOT-FOR-US: BlueShoes CVE-2006-2863 (PHP remote file inclusion vulnerability in class.cs_phpmailer.php in C ...) NOT-FOR-US: CS-Cart CVE-2006-2862 (SQL injection vulnerability in viewimage.php in Particle Gallery 1.0.0 ...) NOT-FOR-US: Particle Gallery CVE-2006-2861 (SQL injection vulnerability in index.php in Particle Wiki 1.0.2 and ea ...) NOT-FOR-US: Particle Wiki CVE-2006-2860 (PHP remote file inclusion vulnerability in Webspotblogging 3.0.1 allow ...) NOT-FOR-US: Webspotblogging CVE-2006-2859 NOT-FOR-US: MyBloggie CVE-2006-2858 (SQL injection vulnerability in viewmsg.asp in LocazoList Classifieds 1 ...) NOT-FOR-US: LocazoList CVE-2006-2857 (SQL injection vulnerability in index.php in LifeType 1.0.4 allows remo ...) NOT-FOR-US: LifeType CVE-2006-2856 (ActiveState ActivePerl 5.8.8.817 for Windows configures the site/lib d ...) NOT-FOR-US: ActiveState CVE-2006-2855 (SQL injection vulnerability in index.php in xueBook 1.0 allows remote ...) NOT-FOR-US: xueBook CVE-2006-2854 (SQL injection vulnerability in index.php in iBWd Guestbook 1.0 allows ...) NOT-FOR-US: iBWd CVE-2006-2853 (SQL injection vulnerability in content.php in abarcar Realty Portal 5. ...) NOT-FOR-US: abarcar CVE-2006-2852 (PHP remote file inclusion vulnerability in dotWidget CMS 1.0.6 and ear ...) NOT-FOR-US: dotWidget CVE-2006-2851 (Cross-site scripting (XSS) vulnerability in index.php in dotProject 2. ...) NOT-FOR-US: dotProject CVE-2006-2850 (Cross-site scripting (XSS) vulnerability in recentchanges.php in PHP L ...) NOT-FOR-US: LabWiki CVE-2006-2849 (PHP remote file inclusion vulnerability in includes/webdav/server.php ...) NOT-FOR-US: Bytehoard CVE-2006-2848 (links.asp in aspWebLinks 2.0 allows remote attackers to change the adm ...) NOT-FOR-US: aspWebLinks CVE-2006-2847 (SQL injection vulnerability in links.asp in aspWebLinks 2.0 allows rem ...) NOT-FOR-US: aspWebLinks CVE-2006-2846 (Cross-site scripting (XSS) vulnerability in Print.PHP in VisionGate Po ...) NOT-FOR-US: VisionGate CVE-2006-2845 (PHP remote file inclusion vulnerability in Redaxo 3.0 up to 3.2 allows ...) NOT-FOR-US: Redaxo CVE-2006-2844 (Multiple PHP remote file inclusion vulnerabilities in Redaxo 3.0 allow ...) NOT-FOR-US: Redaxo CVE-2006-2843 (PHP remote file inclusion vulnerability in Redaxo 2.7.4 allows remote ...) NOT-FOR-US: Redaxo CVE-2006-2841 (Multiple PHP remote file inclusion vulnerabilities in AssoCIateD (aka ...) NOT-FOR-US: AssoCIateD CVE-2006-2840 (Cross-site scripting (XSS) vulnerability in (1) uploads.php and (2) "u ...) NOT-FOR-US: PmWiki CVE-2006-2839 (Directory traversal vulnerability in PG Problem Editor module (PGProbl ...) NOT-FOR-US: WeBWorK CVE-2006-2838 (Buffer overflow in the web console in F-Secure Anti-Virus for Microsof ...) NOT-FOR-US: F-Secure CVE-2006-2837 (Cross-site scripting (XSS) vulnerability in Techno Dreams Guest Book a ...) NOT-FOR-US: Techno Dreams CVE-2006-2836 (SQL injection vulnerability in comment.php in Pineapple Technologies L ...) NOT-FOR-US: Pineapple Technologies Lore CVE-2006-2835 (SQL injection vulnerability in saphplesson 2.0 allows remote attackers ...) NOT-FOR-US: saphplesson CVE-2006-2834 (PHP remote file inclusion vulnerability in includes/common.php in gnop ...) NOT-FOR-US: gnopaste CVE-2006-2833 (Cross-site scripting (XSS) vulnerability in the taxonomy module in Dru ...) {DSA-1125} - drupal 4.5.8-1.1 (medium) CVE-2006-2832 (Cross-site scripting (XSS) vulnerability in the upload module (upload. ...) {DSA-1125} - drupal 4.5.8-1.1 (medium) CVE-2006-2831 (Drupal 4.6.x before 4.6.8 and 4.7.x before 4.7.2, when running under c ...) {DSA-1125} NOTE: Although not in the changelog, sesse@ (responsible for 4.5.8-1.1) NOTE: says he pulled in the entire patch for DRUPAL-SA-2006-007, which NOTE: fixes CVE-2006-2831. - drupal 4.5.8-1.1 (medium) CVE-2006-2830 (Buffer overflow in TIBCO Rendezvous before 7.5.1, TIBCO Runtime Agent ...) NOT-FOR-US: TIBCO CVE-2006-2829 (Buffer overflow in Hawk Monitoring Agent (HMA) for TIBCO Hawk before 4 ...) NOT-FOR-US: TIBCO CVE-2006-2828 (Global variable overwrite vulnerability in PHP-Nuke allows remote atta ...) NOT-FOR-US: PHP-Nuke CVE-2006-2827 NOT-FOR-US: X-Cart CVE-2006-2826 (SQL injection vulnerability in sessions.inc in PHP Base Library (PHPLi ...) NOT-FOR-US: PHPLIB CVE-2006-2825 (cPanel does not automatically synchronize the PHP open_basedir configu ...) NOT-FOR-US: cPanel the vhost manager, not cpanel the Chinese desktop configuration tool CVE-2006-2824 (Logicalware MailManager before 2.0.10 does not remove 0xc8 0x27 (0xc8 ...) NOT-FOR-US: Logicalware CVE-2006-2823 (Katrien De Graeve a.shopKart 2.0 (aka ashopKart20) stores sensitive in ...) NOT-FOR-US: ashopKart CVE-2006-2822 (SQL injection vulnerability in admin/default.asp in Dusan Drobac CodeA ...) NOT-FOR-US: cforum CVE-2006-2821 (Multiple cross-site scripting (XSS) vulnerabilities in DeltaScripts Pr ...) NOT-FOR-US: DeltaScripts CVE-2006-2820 (Cross-site scripting (XSS) vulnerability in HotWebScripts.com Weblog O ...) NOT-FOR-US: HotWebScripts CVE-2006-2819 (PHP remote file inclusion vulnerability in Wiki.php in Barnraiser Iglo ...) NOT-FOR-US: Barnraiser Igloo CVE-2006-2818 (PHP remote file inclusion vulnerability in common-menu.php in Cameron ...) NOT-FOR-US: Cameron McKay Informium CVE-2006-2817 (SQL injection vulnerability in bolum.php in tekno.Portal allows remote ...) NOT-FOR-US: tekno.Portal CVE-2006-2816 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in co ...) NOT-FOR-US: CoolPHP CVE-2006-2815 (Multiple cross-site scripting (XSS) vulnerabilities in Two Shoes M-Fac ...) NOT-FOR-US: SimpleBoard CVE-2006-2814 (Multiple buffer overflows in the (1) vGetPost and (2) main functions i ...) NOT-FOR-US: iShopCart CVE-2006-2813 (Directory traversal vulnerability in easy-scart.cgi in iShopCart allow ...) NOT-FOR-US: iShopCart CVE-2006-2812 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Do ...) NOT-FOR-US: PICRATE CVE-2006-2811 (Multiple PHP remote file inclusion vulnerabilities in Cantico Ovidenti ...) NOT-FOR-US: Ovidentia CVE-2006-2810 (Multiple cross-site scripting (XSS) vulnerabilities in Belchior Foundr ...) NOT-FOR-US: Belchior vCard CVE-2006-2809 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in ar ...) NOT-FOR-US: ar-blog CVE-2006-2808 (Cross-site scripting (XSS) vulnerability in Lycos Tripod htmlGEAR gues ...) NOT-FOR-US: Lycos CVE-2006-2807 (ASPwebSoft Speedy Asp Discussion Forum allows remote attackers to chan ...) NOT-FOR-US: ASPwebSoft CVE-2006-2806 (The SMTP server in Apache Java Mail Enterprise Server (aka Apache Jame ...) NOT-FOR-US: Apache James CVE-2005-2468 (Multiple SQL injection vulnerabilities in MySQL Eventum 1.5.5 and earl ...) NOT-FOR-US: MySQL Eventum CVE-2005-2467 (Multiple cross-site scripting (XSS) vulnerabilities in MySQL Eventum 1 ...) NOT-FOR-US: MySQL Eventum CVE-2005-2466 (Multiple SQL injection vulnerabilities in the auth_user function in ad ...) NOT-FOR-US: OpenBook CVE-2005-2465 (Cross-site scripting (XSS) vulnerability in pm.php in PCXP/TOPPE CMS a ...) NOT-FOR-US: PC-EXPERIENCE/TOPPE CMS CVE-2005-2464 (login.php in PCXP/TOPPE CMS allows remote attackers to bypass authenti ...) NOT-FOR-US: PC-EXPERIENCE/TOPPE CMS CVE-2005-2463 (Kayako liveResponse 2.x allows remote attackers to obtain sensitive in ...) NOT-FOR-US: Kayako liveResponse CVE-2005-2462 (Kayako liveResponse 2.x, when logging in a user, records the password ...) NOT-FOR-US: Kayako liveResponse CVE-2005-2461 (Multiple SQL injection vulnerabilities in the calendar feature in Kaya ...) NOT-FOR-US: Kayako liveResponse CVE-2005-2460 (Multiple cross-site scripting (XSS) vulnerabilities in Kayako liveResp ...) NOT-FOR-US: Kayako liveResponse CVE-2006-2842 - squirrelmail 2:1.4.7-1 (unimportant; bug #373731) NOTE: Only exploitable with register_globals enabled CVE-2006-XXXX [webalizer: symlink vulnerability] - webalizer 2.01.10-29 (low; bug #359745) [sarge] - webalizer (Minor issue) NOTE: Only exploitable in far-fetched scenarios, running it as root is insecure anyway CVE-2006-2805 (SQL injection vulnerability in VBulletin 3.0.10 allows remote attacker ...) NOT-FOR-US: vBulletin CVE-2006-2804 (Cross-site scripting (XSS) vulnerability in index.cfm in Goss Intellig ...) NOT-FOR-US: Goss iCM CVE-2006-2803 (Multiple cross-site scripting (XSS) vulnerabilities in PHP ManualMaker ...) NOT-FOR-US: PHP ManualMaker CVE-2006-2802 (Buffer overflow in the HTTP Plugin (xineplug_inp_http.so) for xine-lib ...) {DSA-1105} - xine-lib 1.1.1-2 (bug #369876; medium) CVE-2006-2801 (Multiple SQL injection vulnerabilities in Unak CMS 1.5 RC2 and earlier ...) NOT-FOR-US: Unak CMS CVE-2006-2800 (Multiple cross-site scripting (XSS) vulnerabilities in Unak CMS 1.5 RC ...) NOT-FOR-US: Unak CMS CVE-2006-2799 (Cross-site scripting (XSS) vulnerability in content_footer.php in toen ...) NOT-FOR-US: toendaCMS CVE-2006-2798 (Multiple cross-site scripting (XSS) vulnerabilities in phpCommunityCal ...) NOT-FOR-US: phpCommunityCalendar CVE-2006-2797 (Multiple SQL injection vulnerabilities in phpCommunityCalendar 4.0.3 a ...) NOT-FOR-US: phpCommunityCalendar CVE-2006-2796 (Cross-site scripting (XSS) vulnerability in gallery.php in Captivate 1 ...) NOT-FOR-US: Captivate gallery.php CVE-2006-2795 (Multiple cross-site scripting (XSS) vulnerabilities in XiTi Tracking S ...) NOT-FOR-US: XiTi Tracking Script CVE-2006-2794 (Hesabim.asp in ASPSitem 2.0 and earlier allows remote attackers to rea ...) NOT-FOR-US: ASPSitem CVE-2006-2793 (SQL injection vulnerability in Anket.asp in ASPSitem 2.0 and earlier a ...) NOT-FOR-US: ASPSitem CVE-2006-2792 (SQL injection vulnerability in misc.php in Woltlab Burning Board (WBB) ...) NOT-FOR-US: wbboard CVE-2006-2791 (Directory traversal vulnerability in index.php in iBoutique.MALL and p ...) NOT-FOR-US: iBoutique.MALL CVE-2006-2790 (A package component in Sun Storage Automated Diagnostic Environment (S ...) NOT-FOR-US: Sun StorADE CVE-2006-2789 (Evolution 2.2.x and 2.3.x in GNOME 2.7 and 2.8, when "load images if s ...) - evolution 2.4.0-1 (low) [sarge] - evolution (Not reproducible on Sarge's evolution) NOTE: Verified that the patch has been applied in 2.4.0-1, NOTE: may have been fixed earlier. CVE-2006-2788 (Double free vulnerability in the getRawDER function for nsIX509Cert in ...) {DSA-1210 DSA-1192-1 DSA-1191-1} - mozilla (high) - firefox 1.5.dfsg+1.5.0.4 (high) - xulrunner 1.8.0.4-1 (high) CVE-2006-2787 (EvalInSandbox in Mozilla Firefox and Thunderbird before 1.5.0.4 allows ...) {DSA-1134-1 DSA-1120 DSA-1118} NOTE: MFSA-2006-31 - firefox 1.5.dfsg+1.5.0.4-1 (medium) - thunderbird 1.5.0.4-1 (medium) - mozilla 2:1.7.13-0.3 (medium) - xulrunner 1.8.0.4-1 (medium) CVE-2006-2786 (HTTP response smuggling vulnerability in Mozilla Firefox and Thunderbi ...) {DSA-1134-1 DSA-1120 DSA-1118} NOTE: MFSA-2006-33 - firefox 1.5.dfsg+1.5.0.4-1 (medium) - thunderbird 1.5.0.4-1 (medium) - mozilla 2:1.7.13-0.3 (medium) - xulrunner 1.8.0.4-1 (medium) CVE-2006-2785 (Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 1.5 ...) {DSA-1134-1 DSA-1120 DSA-1118} NOTE: MFSA-2006-34 - firefox 1.5.dfsg+1.5.0.4-1 (medium) - mozilla 2:1.7.13-0.3 (medium) - xulrunner 1.8.0.4-1 (medium) CVE-2006-2784 (The PLUGINSPAGE functionality in Mozilla Firefox before 1.5.0.4 allows ...) {DSA-1134-1 DSA-1120 DSA-1118} NOTE: MFSA-2006-36 - firefox 1.5.dfsg+1.5.0.4-1 (medium) - mozilla (medium) - xulrunner 1.8.0.4-1 (medium) CVE-2006-2783 (Mozilla Firefox and Thunderbird before 1.5.0.4 strip the Unicode Byte- ...) {DSA-1134-1 DSA-1120 DSA-1118} NOTE: MFSA-2006-42 - firefox 1.5.dfsg+1.5.0.4-1 (medium) - thunderbird 1.5.0.4-1 (medium) - mozilla 2:1.7.13-0.3 (medium) - xulrunner 1.8.0.4-1 (medium) - webkit 1.0.1-1 (bug #535793) NOTE: http://trac.webkit.org/changeset/33380 - qt4-x11 4:4.6.2-4 (low; bug #561760) [lenny] - qt4-x11 (Minor impact, no apps in Lenny which use qtwebkit ) NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against, Lenny is affected - kdelibs (bug #561765) CVE-2006-2782 (Firefox 1.5.0.2 does not fix all test cases associated with CVE-2006-1 ...) {DSA-1134-1 DSA-1120 DSA-1118} NOTE: MFSA-2006-41 - firefox 1.5.dfsg+1.5.0.4-1 (medium) - mozilla 2:1.7.13-0.3 (medium) - xulrunner 1.8.0.4-1 (medium) CVE-2006-2781 (Double free vulnerability in nsVCard.cpp in Mozilla Thunderbird before ...) {DSA-1134-1 DSA-1118} NOTE: MFSA-2006-40 - thunderbird 1.5.0.4-1 (high) - mozilla 2:1.7.13-0.3 (high) CVE-2006-2780 (Integer overflow in Mozilla Firefox and Thunderbird before 1.5.0.4 all ...) {DSA-1134-1 DSA-1120 DSA-1118} NOTE: MFSA-2006-32 - firefox 1.5.dfsg+1.5.0.4-1 (high) - thunderbird 1.5.0.4-1 (high) - mozilla 2:1.7.13-0.3 (high) - xulrunner 1.8.0.4-1 (high) CVE-2006-2779 (Mozilla Firefox and Thunderbird before 1.5.0.4 allow remote attackers ...) {DSA-1160 DSA-1159 DSA-1134-1 DSA-1120 DSA-1118} NOTE: MFSA-2006-32 - firefox 1.5.dfsg+1.5.0.4-1 (high) - thunderbird 1.5.0.4-1 (high) - mozilla 2:1.7.13-0.3 (high) - xulrunner 1.8.0.4-1 (high) CVE-2006-2778 (The crypto.signText function in Mozilla Firefox and Thunderbird before ...) {DSA-1134-1 DSA-1120 DSA-1118} NOTE: MFSA-2006-38 - firefox 1.5.dfsg+1.5.0.4-1 (high) - thunderbird 1.5.0.4-1 (high) - mozilla 2:1.7.13-0.3 (high) - xulrunner 1.8.0.4-1 (high) CVE-2006-2777 (Unspecified vulnerability in Mozilla Firefox before 1.5.0.4 and SeaMon ...) {DSA-1134-1 DSA-1120 DSA-1118} NOTE: MFSA-2006-43 - firefox 1.5.dfsg+1.5.0.4-1 (high) - mozilla 2:1.7.13-0.3 (high) - xulrunner 1.8.0.4-1 (high) CVE-2006-2776 (Certain privileged UI code in Mozilla Firefox and Thunderbird before 1 ...) {DSA-1134-1 DSA-1120 DSA-1118} NOTE: MFSA-2006-37 - firefox 1.5.dfsg+1.5.0.4-1 (high) - thunderbird 1.5.0.4-1 (high) - mozilla 2:1.7.13-0.3 (high) - xulrunner 1.8.0.4-1 (high) CVE-2006-2775 (Mozilla Firefox and Thunderbird before 1.5.0.4 associates XUL attribut ...) {DSA-1134-1 DSA-1120 DSA-1118} NOTE: MFSA-2006-35 - firefox 1.5.dfsg+1.5.0.4-1 (high) - thunderbird 1.5.0.4-1 (high) - mozilla 2:1.7.13-0.3 (high) - xulrunner 1.8.0.4-1 (high) CVE-2006-2774 (Cross-site scripting (XSS) vulnerability in search.php in QontentOne C ...) NOT-FOR-US: QontentOne CVE-2006-2773 (admin/redigera/redigera2.asp in Hogstorps hogstorp Guestbook 2.0 does ...) NOT-FOR-US: Hogstorps CVE-2006-2772 (Cross-site scripting (XSS) vulnerability in add.asp in Hogstorps hogst ...) NOT-FOR-US: Hogstorps CVE-2006-2771 (admin/radera/tabort.asp in Hogstorps hogstorp guestbook 2.0 does not v ...) NOT-FOR-US: Hogstorps CVE-2006-2770 (Directory traversal vulnerability in randompic.php in pppBLOG 0.3.8 an ...) NOT-FOR-US: pppBLOG CVE-2006-2769 (The HTTP Inspect preprocessor (http_inspect) in Snort 2.4.0 through 2. ...) - snort 2.3.3-8 (low; bug #381726) [sarge] - snort (Minor impact) CVE-2006-2768 (PHP remote file inclusion vulnerability in METAjour 2.1, when register ...) NOT-FOR-US: METAjour CVE-2006-2767 (PHP remote file inclusion vulnerability in Ottoman 1.1.2, when registe ...) NOT-FOR-US: Ottoman CVE-2006-2766 (Buffer overflow in INETCOMM.DLL, as used in Microsoft Internet Explore ...) NOT-FOR-US: Microsoft CVE-2006-2765 (Cross-site scripting (XSS) vulnerability in news_information.php in In ...) NOT-FOR-US: Interlink CVE-2006-2764 (Cross-site scripting (XSS) vulnerability in GuestbookXL 1.3 allows rem ...) NOT-FOR-US: GuestbookXL CVE-2006-2763 (SQL injection vulnerability in Pre News Manager 1.0 allows remote atta ...) NOT-FOR-US: Pre News Manager CVE-2006-2762 (PHP remote file inclusion vulnerability in includes/config.php in WebC ...) {DSA-1096-1} - webcalendar 1.0.4-1 (medium) CVE-2006-2761 (SQL injection vulnerability in Hitachi HITSENSER3 HITSENSER3/PRP, HITS ...) NOT-FOR-US: Hitachi CVE-2006-2760 (SQL injection vulnerability in modules.php in 4nNukeWare 4nForum 0.91 ...) NOT-FOR-US: 4nForum CVE-2006-2759 (jetty 6.0.x (jetty6) beta16 allows remote attackers to read arbitrary ...) - jetty (vulnerable code not in Debian version) CVE-2006-2758 (Directory traversal vulnerability in jetty 6.0.x (jetty6) beta16 allow ...) - jetty (vulnerable code not in Debian version) CVE-2006-2757 (Cross-site scripting (XSS) vulnerability in Chipmunk guestbook allows ...) NOT-FOR-US: Chipmunk guestbook CVE-2006-2756 (Eitsop My Web Server 1.0 allows remote attackers to cause a denial of ...) NOT-FOR-US: Eitsop CVE-2006-2755 (Cross-site scripting (XSS) vulnerability in index.php in UBBThreads 5. ...) NOT-FOR-US: UBBThreads CVE-2006-2754 (Stack-based buffer overflow in st.c in slurpd for OpenLDAP before 2.3. ...) - openldap2.3 2.3.24-1 (bug #375494; bug #377047; unimportant) NOTE: File is only written and read by slurpd, only editable by root CVE-2006-2752 (The RedCarpet /etc/ximian/rcd.conf configuration file in Novell Linux ...) NOT-FOR-US: RedCarpet CVE-2006-2751 (Cross-site scripting (XSS) vulnerability in Open Searchable Image Cata ...) NOT-FOR-US: OSIC CVE-2006-2750 (Cross-site scripting (XSS) vulnerability in the do_mysql_query functio ...) NOT-FOR-US: OSIC CVE-2006-2749 (SQL injection vulnerability in search.php in Open Searchable Image Cat ...) NOT-FOR-US: OSIC CVE-2006-2748 (SQL injection vulnerability in the do_mysql_query function in core.php ...) NOT-FOR-US: OSIC CVE-2006-2747 (Directory traversal vulnerability in index.php in PhpMyDesktop|arcade ...) NOT-FOR-US: PhpMyDesktop CVE-2006-2746 (Multiple cross-site scripting (XSS) vulnerabilities in F@cile Interact ...) NOT-FOR-US: F@cile CVE-2006-2745 (Multiple PHP remote file inclusion vulnerabilities in F@cile Interacti ...) NOT-FOR-US: F@cile CVE-2006-2744 (PHP remote file inclusion vulnerability in p-popupgallery.php in F@cil ...) NOT-FOR-US: F@cile CVE-2006-2743 (Drupal 4.6.x before 4.6.7 and 4.7.0, when running on Apache with mod_m ...) {DSA-1125} - drupal 4.5.8-1.1 (bug #368835; medium) CVE-2006-2742 (SQL injection vulnerability in Drupal 4.6.x before 4.6.7 and 4.7.0 all ...) {DSA-1125} - drupal 4.5.8-1.1 (medium) CVE-2006-2741 (Cross-site scripting (XSS) vulnerability in Epicdesigns tinyBB 0.3 all ...) NOT-FOR-US: tinyBB CVE-2006-2740 (Multiple SQL injection vulnerabilities in Epicdesigns tinyBB 0.3 allow ...) NOT-FOR-US: tinyBB CVE-2006-2739 (PHP remote file inclusion vulnerability in footers.php in Epicdesigns ...) NOT-FOR-US: tinyBB CVE-2006-2738 (The open source version of Open-Xchange 0.8.2 and earlier uses a stati ...) NOT-FOR-US: Open-Xchange CVE-2006-2737 (utilities/register.asp in Nukedit 4.9.6 and earlier allows remote atta ...) NOT-FOR-US: Nukedit CVE-2006-2736 (PHP remote file inclusion vulnerability in blend_data/blend_common.php ...) NOT-FOR-US: Blend Portal CVE-2006-2735 (PHP remote file inclusion vulnerability in language/lang_english/lang_ ...) NOT-FOR-US: Amod CVE-2006-2734 (enter.asp in Mini-Nuke 2.3 and earlier makes it easier for remote atta ...) NOT-FOR-US: Mini-Nuke CVE-2006-2733 (membership.asp in Mini-Nuke 2.3 and earlier uses plaintext security co ...) NOT-FOR-US: Mini-Nuke CVE-2006-2732 (SQL injection vulnerability in Your_Account.asp in Mini-Nuke 2.3 and e ...) NOT-FOR-US: Mini-Nuke CVE-2006-2731 (Multiple SQL injection vulnerabilities in Enigma Haber 4.3 and earlier ...) NOT-FOR-US: Enigma Haber CVE-2006-2730 (PHP remote file inclusion vulnerability in admin/lib_action_step.php i ...) NOT-FOR-US: Hot Open Tickets CVE-2006-2729 (Cross-site scripting (XSS) vulnerability in superalbum/index.php in Ph ...) NOT-FOR-US: Photoalbum CVE-2006-2728 (Cross-site scripting (XSS) vulnerability in superalbum/index.php in Ph ...) NOT-FOR-US: Photoalbum CVE-2006-2727 (home/register.php in Eggblog before 3.0 allows remote attackers to cha ...) NOT-FOR-US: Eggblog CVE-2006-2726 (PHP remote file inclusion vulnerability in Fastpublish CMS 1.6.9.d all ...) NOT-FOR-US: Fastpublish CVE-2006-2725 (SQL injection vulnerability in rss/posts.php in Eggblog before 3.07 al ...) NOT-FOR-US: Eggblog CVE-2006-2724 (Cross-site scripting (XSS) vulnerability in PunBB 1.2.11 allows remote ...) NOT-FOR-US: PunBB CVE-2006-2723 (Unspecified versions of Mozilla Firefox allow remote attackers to caus ...) - firefox 45.0-1 (unimportant) - firefox-esr 45.0esr-1 (unimportant) - iceweasel (unimportant) - mozilla (unimportant) - mozilla-firefox (unimportant) - xulrunner (unimportant) NOTE: Non-issue CVE-2006-2722 (SQL injection vulnerability in view_album.php in SelectaPix 1.4 allows ...) NOT-FOR-US: SelectaPix CVE-2006-2721 (Cross-site scripting (XSS) vulnerability in news.php in VARIOMAT allow ...) NOT-FOR-US: VARIOMAT CVE-2006-2720 (SQL injection vulnerability in news.php in VARIOMAT allows remote atta ...) NOT-FOR-US: VARIOMAT CVE-2006-2719 (JIWA Financials 6.4.14 stores usernames and passwords for all accounts ...) NOT-FOR-US: JIWA CVE-2006-2718 (JIWA Financials 6.4.14 passes a Microsoft SQL Server account's usernam ...) NOT-FOR-US: JIWA CVE-2006-2717 (Unspecified vulnerability in Secure Elements Class 5 AVR client and se ...) NOT-FOR-US: C5 EVM CVE-2006-2716 (Secure Elements Class 5 AVR server (aka C5 EVM) before 2.8.1 uses a ha ...) NOT-FOR-US: C5 EVM CVE-2006-2715 (The Administration Console in Secure Elements Class 5 AVR (aka C5 EVM) ...) NOT-FOR-US: C5 EVM CVE-2006-2714 (Secure Elements Class 5 AVR client (aka C5 EVM) before 2.8.1 does not ...) NOT-FOR-US: C5 EVM CVE-2006-2713 (Secure Elements Class 5 AVR client (aka C5 EVM) before 2.8.1 generates ...) NOT-FOR-US: C5 EVM CVE-2006-2712 (Secure Elements Class 5 AVR (aka C5 EVM) client and server before 2.8. ...) NOT-FOR-US: C5 EVM CVE-2006-2711 (Secure Elements Class 5 AVR (aka C5 EVM) 2.8.1 and earlier, and possib ...) NOT-FOR-US: C5 EVM CVE-2006-2710 (Secure Elements Class 5 AVR (aka C5 EVM) before 2.8.1 uses the same in ...) NOT-FOR-US: C5 EVM CVE-2006-2709 (Secure Elements Class 5 AVR (aka C5 EVM) before 2.8.1 do not validate ...) NOT-FOR-US: C5 EVM CVE-2006-2708 (Secure Elements Class 5 AVR client (aka C5 EVM) before 2.8.1 allows re ...) NOT-FOR-US: C5 EVM CVE-2006-2707 (Secure Elements Class 5 AVR server (aka C5 EVM) before 2.8.1 does not ...) NOT-FOR-US: C5 EVM CVE-2006-2706 (Secure Elements Class 5 AVR server (aka C5 EVM) before 2.8.1 allows re ...) NOT-FOR-US: C5 EVM CVE-2006-2705 (Secure Elements Class 5 AVR server (aka C5 EVM) before 2.8.1 allows re ...) NOT-FOR-US: C5 EVM CVE-2006-2704 (Secure Elements Class 5 AVR server and client (aka C5 EVM) before 2.8. ...) NOT-FOR-US: C5 EVM CVE-2006-2703 (The RedCarpet command-line client (rug) does not verify SSL certificat ...) NOT-FOR-US: RedCarpet CVE-2006-2702 (vars.php in WordPress 2.0.2, possibly when running on Mac OS X, allows ...) - wordpress 2.0.3-1 (bug #369014; medium) CVE-2006-2701 (SQL injection vulnerability in Geeklog 1.4.0sr2 and earlier allows rem ...) NOT-FOR-US: Geeklog CVE-2006-2700 (SQL injection vulnerability in admin/auth.inc.php in Geeklog 1.4.0sr2 ...) NOT-FOR-US: Geeklog CVE-2006-2699 (Cross-site scripting (XSS) vulnerability in getimage.php in Geeklog 1. ...) NOT-FOR-US: Geeklog CVE-2006-2698 (Geeklog 1.4.0sr2 and earlier allows remote attackers to obtain the ful ...) NOT-FOR-US: Geeklog CVE-2006-2697 (Multiple SQL injection vulnerabilities in Easy-Content Forums 1.0 allo ...) NOT-FOR-US: Easy-Content CVE-2006-2696 (Cross-site scripting (XSS) vulnerabilities in Easy-Content Forums 1.0 ...) NOT-FOR-US: Easy-Content CVE-2006-2695 (admin/upprocess.php in DGNews 1.5 and earlier allows remote attackers ...) NOT-FOR-US: DGNews CVE-2006-2694 (Multiple PHP remote file inclusion vulnerabilities in EzUpload Pro 2.1 ...) NOT-FOR-US: EzUpload CVE-2006-2693 (Directory traversal vulnerability in admin/admin_hacks_list.php in Niv ...) NOT-FOR-US: Nivisec CVE-2006-2692 (Multiple unspecified vulnerabilities in aMuleWeb for AMule before 2.1. ...) - amule 2.1.2-1 (medium) CVE-2006-2691 (Unspecified "information leakage" vulnerabilities in aMuleWeb for AMul ...) - amule 2.1.2-1 (medium) CVE-2006-2690 (An unspecified script in EVA-Web 2.1.2 and earlier, probably index.php ...) NOT-FOR-US: EVA-Web CVE-2006-2689 (Multiple cross-site scripting (XSS) vulnerabilities in EVA-Web 2.1.2 a ...) NOT-FOR-US: EVA-Web CVE-2006-2688 (SQL injection vulnerability in the employees node (class.employee.inc) ...) NOT-FOR-US: Achievo CVE-2006-2687 (Cross-site scripting (XSS) vulnerability in adduser.php in PHP-AGTC Me ...) NOT-FOR-US: AGTC CVE-2006-2686 (PHP remote file inclusion vulnerabilities in ActionApps 2.8.1 allow re ...) NOT-FOR-US: ActionApps CVE-2006-2685 (PHP remote file inclusion vulnerability in Basic Analysis and Security ...) - acidbase 1.2.5-1 (bug #370576; low) CVE-2006-2684 (Cross-site scripting (XSS) vulnerability in the search module in CMS M ...) NOT-FOR-US: Mundo CVE-2006-2683 (PHP remote file inclusion vulnerability in 404.php in open-medium.CMS ...) NOT-FOR-US: open-medium CVE-2006-2682 (PHP remote file inclusion vulnerability in BE_config.php in Back-End C ...) NOT-FOR-US: Back-End CVE-2006-2681 (PHP remote file inclusion vulnerability in SocketMail Lite and Pro 2.2 ...) NOT-FOR-US: SocketMail CVE-2006-2680 (Cross-site scripting (XSS) vulnerability in index.php in AZ Photo Albu ...) NOT-FOR-US: AZ Photo Album CVE-2006-2679 (Unspecified vulnerability in the VPN Client for Windows Graphical User ...) NOT-FOR-US: Cisco CVE-2006-2678 (Multiple cross-site scripting (XSS) vulnerabilities in Pre News Manage ...) NOT-FOR-US: Pre News Manager CVE-2006-2677 (SiteScape Forum 7.2 and possibly earlier stores the avf.rc configurait ...) NOT-FOR-US: SiteScape Forum CVE-2006-2676 (Dispatch.cgi/_user/uservCard/ in SiteScape Forum 7.2 and possibly earl ...) NOT-FOR-US: SiteScape Forum CVE-2006-2675 (PHP remote file inclusion vulnerability in ubbt.inc.php in UBBThreads ...) NOT-FOR-US: UBBThreads CVE-2006-2674 (Multiple SQL injection vulnerabilities in Tamber Forum 1.9.13 and earl ...) NOT-FOR-US: Tamber Forum CVE-2006-2673 (Cross-site scripting (XSS) vulnerability in search.html in Bulletin Bo ...) NOT-FOR-US: Elite-Board CVE-2006-2672 (Multiple cross-site scripting (XSS) vulnerabilities in Realty Pro One ...) NOT-FOR-US: Realty Pro One CVE-2006-2671 (SQL injection vulnerability in ChatPat 1.0 allows remote attackers to ...) NOT-FOR-US: ChatPat CVE-2006-2670 (Multiple cross-site scripting (XSS) vulnerabilities in ChatPat 1.0 all ...) NOT-FOR-US: ChatPat CVE-2006-2669 (Multiple cross-site scripting (XSS) vulnerabilities in Pre Shopping Ma ...) NOT-FOR-US: Pre Shopping Mall CVE-2006-2668 (Multiple PHP remote file inclusion vulnerabilities in Docebo LMS 2.05 ...) NOT-FOR-US: Docebo LMS CVE-2006-2667 (Direct static code injection vulnerability in WordPress 2.0.2 and earl ...) - wordpress 2.0.3-1 (bug #369014; medium) CVE-2006-2666 (PHP remote file inclusion vulnerability in includes/mailaccess/pop3.ph ...) NOT-FOR-US: V-Webmail CVE-2006-2665 (PHP remote file inclusion vulnerability in includes/mailaccess/pop3/co ...) NOT-FOR-US: V-Webmail CVE-2006-2664 (Cross-site scripting (XSS) vulnerability in iFdate 1.2 allows remote a ...) NOT-FOR-US: iFdate CVE-2006-2663 (Multiple cross-site scripting (XSS) vulnerabilities in iFlance 1.1 all ...) NOT-FOR-US: iFlance CVE-2006-2662 (VMware Server before RC1 does not clear user credentials from memory a ...) NOT-FOR-US: VMware Server CVE-2006-2661 (ftutil.c in Freetype before 2.2 allows remote attackers to cause a den ...) {DSA-1095-1} - freetype 2.2.1-1 (medium) CVE-2006-2660 (Buffer consumption vulnerability in the tempnam function in PHP 5.1.4 ...) - php4 4:4.4.4-1 (unimportant) - php5 5.1.6-1 (unimportant) NOTE: using a long enough path (>MAXPATHLEN) allows you to have NOTE: tempnam create a file without the temp extension. sounds like NOTE: another shoot yourself in the foot issue, since the local user NOTE: could just as easily create the file manually, and if the NOTE: tempnam function is taking unsanitized input, it's an NOTE: application error CVE-2006-2658 (Directory traversal vulnerability in the xsp component in mod_mono in ...) - xsp 1.1.15-1 CVE-2006-2657 REJECTED CVE-2006-2655 (The build process for ypserv in FreeBSD 5.3 up to 6.1 accidentally dis ...) NOT-FOR-US: build process for ypserv in FreeBSD CVE-2006-2654 (Directory traversal vulnerability in smbfs smbfs on FreeBSD 4.10 up to ...) NOT-FOR-US: FreeBSD-specific (see CVE-2006-1864 for Linux-specific CVE) CVE-2006-2653 (Cross-site scripting (XSS) vulnerability in login_error.shtml for D-Li ...) NOT-FOR-US: D-Link CVE-2006-2652 (Cross-site scripting (XSS) vulnerability in WikiNi 0.4.2 and earlier a ...) NOT-FOR-US: WikiNi CVE-2006-2651 (Cross-site scripting (XSS) vulnerability in index.php in Vacation Rent ...) NOT-FOR-US: Vacation Rental Script CVE-2006-2650 (SQL injection vulnerability in cosmicshop/search.php in CosmicShopping ...) NOT-FOR-US: CosmicShoppingCart CVE-2006-2649 (Multiple cross-site scripting (XSS) vulnerabilities in (a) search.php, ...) NOT-FOR-US: CosmicShoppingCart CVE-2006-2648 (Cross-site scripting (XSS) vulnerability in perform_search.asp for ASP ...) NOT-FOR-US: ASPBB CVE-2006-2647 (Untrusted search path vulnerability in update_flash for IBM AIX 5.1, 5 ...) NOT-FOR-US: IBM AIX CVE-2006-2646 (Buffer overflow in Alt-N MDaemon, possibly 9.0.1 and earlier, allows r ...) NOT-FOR-US: Alt-N MDaemon CVE-2006-2645 (PHP remote file inclusion vulnerability in manager/frontinc/prepend.ph ...) NOT-FOR-US: Plume CVE-2006-2644 (AWStats 6.5, and possibly other versions, allows remote authenticated ...) {DSA-1075-1} - awstats 6.5-2 (bug #365910) CVE-2006-XXXX [specialy crafted WAV turns mkvmerge into a malloc bomb] - mkvtoolnix 1.7.0-2 (bug #370144; low) CVE-2006-XXXX ['Cache' shell injection vulnerability] - wordpress 2.0.3-1 (high; bug #369014) CVE-2006-2753 (SQL injection vulnerability in MySQL 4.1.x before 4.1.20 and 5.0.x bef ...) {DSA-1092-1} - mysql-dfsg (Vulnerable code was introduced in 4.1, see #369741) - mysql (Vulnerable code was introduced in 4.1, see #369754) - mysql-dfsg-5.0 5.0.22-1 (bug #369735; medium) - mysql-dfsg-4.1 (bug #369754; medium) CVE-2006-2659 (libs/comverp.c in Courier MTA before 0.53.2 allows attackers to cause ...) {DSA-1101} - courier 0.53.2-1 (bug #368834) CVE-2006-2656 (Stack-based buffer overflow in the tiffsplit command in libtiff 3.8.2 ...) {DSA-1091-1} - tiff 3.8.2-3 (bug #369819; low) - tiff3 (fixed prior to initial upload) CVE-2006-2643 (Cross-site scripting (XSS) vulnerability in index.php in Monster Top L ...) NOT-FOR-US: Monster Top List CVE-2006-2642 NOT-FOR-US: Php-residence CVE-2006-2641 NOT-FOR-US: John Frank Asset Manager CVE-2006-2640 (Cross-site scripting (XSS) vulnerability in OmegaMw7a.ASP in OMEGA (ak ...) NOT-FOR-US: OMEGA INterneSErvicesLosungen (INSEL) CVE-2006-2639 (Cross-site scripting (XSS) vulnerability in the input forms in prattmi ...) NOT-FOR-US: PHPSimpleChoose CVE-2006-2638 (SQL injection vulnerability in member.asp in qjForum allows remote att ...) NOT-FOR-US: qjForum CVE-2006-2637 (Cross-site scripting (XSS) vulnerability in view.php in TuttoPhp (1) M ...) NOT-FOR-US: TuttoPhp CVE-2006-2636 (newsadmin.asp in Katy Whitton NewsCMSLite allows remote attackers to b ...) NOT-FOR-US: Katy Whitton NewsCMSLite CVE-2006-2635 (Multiple cross-site scripting (XSS) vulnerabilities in Tikiwiki (aka T ...) - tikiwiki 1.9.4-1 (medium) CVE-2006-2634 (Cross-site scripting (XSS) vulnerability in Neocrome Land Down Under ( ...) NOT-FOR-US: Neocrome Seditio CVE-2006-2633 (Absolute path traversal vulnerability in the copy action in index.php ...) NOT-FOR-US: Andrew Godwin ByteHoard CVE-2006-2632 (Cross-site scripting (XSS) vulnerability in Andrew Godwin ByteHoard 2. ...) NOT-FOR-US: Andrew Godwin ByteHoard CVE-2006-2631 (phpFoX allows remote authenticated users to modify arbitrary accounts ...) NOT-FOR-US: phpFoX CVE-2006-2630 (Stack-based buffer overflow in Symantec Antivirus 10.1 and Client Secu ...) NOT-FOR-US: Symantec CVE-2006-2629 (Race condition in Linux kernel 2.6.15 to 2.6.17, when running on SMP p ...) - linux-2.6 2.6.18-1 (low) CVE-2006-2628 RESERVED CVE-2006-2627 RESERVED CVE-2006-2626 RESERVED CVE-2006-2625 RESERVED CVE-2006-2624 RESERVED CVE-2006-2623 RESERVED CVE-2006-2622 RESERVED CVE-2006-2621 RESERVED CVE-2006-2620 RESERVED CVE-2006-2619 RESERVED CVE-2006-2618 (Cross-site scripting (XSS) vulnerability in (1) AlstraSoft Web Host Di ...) NOT-FOR-US: AlstraSoft Web Host Directory CVE-2006-2617 ((1) AlstraSoft Web Host Directory 1.2, aka (2) HyperStop WebHost Direc ...) NOT-FOR-US: AlstraSoft Web Host Directory CVE-2006-2616 (SQL injection vulnerability in the search script in (1) AlstraSoft Web ...) NOT-FOR-US: AlstraSoft Web Host Directory CVE-2006-2615 (ping.php in Russcom.Ping allows remote attackers to execute arbitrary ...) NOT-FOR-US: Russcom.Ping CVE-2006-2614 (Sun N1 System Manager 1.1 for Solaris 10 before patch 121161-01 record ...) NOT-FOR-US: Sun Solaris CVE-2006-2613 (Mozilla Suite 1.7.13, Mozilla Firefox 1.5.0.3 and possibly other versi ...) NOTE: Installation path disclosure is uninteresting on Debian systems. NOTE: The profile path might be more sensitive, but exploit that NOTE: requires another, real security bug. CVE-2006-2612 (Novell Client for Windows 4.8 and 4.9 does not restrict access to the ...) NOT-FOR-US: Novell Client for Windows NOTE: The Windows clipboard is a public resource anyway. CVE-2006-2611 (Cross-site scripting (XSS) vulnerability in includes/Sanitizer.php in ...) - mediawiki1.7 (Fixed in 1.7 prior to release) - mediawiki1.5 CVE-2006-2610 (Cross-site scripting (XSS) vulnerability in view.php in phpRaid 2.9.5 ...) NOT-FOR-US: phpRaid CVE-2006-2609 (artmedic newsletter 4.1.2 and possibly other versions, when register_g ...) NOT-FOR-US: artmedic newsletter CVE-2006-2608 (artmedic newsletter 4.1 and possibly other versions, when register_glo ...) NOT-FOR-US: artmedic newsletter CVE-2004-2660 (Memory leak in direct-io.c in Linux kernel 2.6.x before 2.6.10 allows ...) {DSA-1184-2} - linux-2.6 (fixed before the first upload) CVE-2003-1301 (Sun Java Runtime Environment (JRE) 1.x before 1.4.2_11 and 1.5.x befor ...) - sun-java5 1.5.0-06-1 (low; bug #384734) CVE-2006-XXXX [mono xsp file disclosure] - xsp 1.1.15-1 (medium) CVE-2006-2607 (do_command.c in Vixie cron (vixie-cron) 4.1 does not check the return ...) - cron 3.0pl1-64 (bug #85609; bug #86775; medium) CVE-2006-2606 (Cross-site scripting (XSS) vulnerability in Chatty, possibly 1.0.2 and ...) NOT-FOR-US: Chatty CVE-2006-2605 (Cross-site scripting (XSS) vulnerability in DSChat 1.0 and earlier all ...) NOT-FOR-US: DSChat CVE-2006-2604 REJECTED CVE-2006-2603 REJECTED CVE-2006-2602 REJECTED CVE-2006-2601 REJECTED CVE-2006-2600 REJECTED CVE-2006-2599 REJECTED CVE-2006-2598 REJECTED CVE-2006-2597 REJECTED CVE-2006-2596 REJECTED CVE-2006-2595 REJECTED CVE-2006-2594 REJECTED CVE-2006-2593 REJECTED CVE-2006-2592 (Unspecified vulnerability in DSChat 1.0 allows remote attackers to exe ...) NOT-FOR-US: DSChat CVE-2006-2591 (Unspecified vulnerability in e107 before 0.7.5 has unknown impact and ...) NOT-FOR-US: e107 CVE-2006-2590 (SQL injection vulnerability in e107 before 0.7.5 allows remote attacke ...) NOT-FOR-US: e107 CVE-2006-2589 (SQL injection vulnerability in rss.php in MyBB (aka MyBulletinBoard) 1 ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-2588 (Russcom PHPImages allows remote attackers to upload files of arbitrary ...) NOT-FOR-US: Russcom PHPImages CVE-2006-2587 (Buffer overflow in the WebTool HTTP server component in (1) PunkBuster ...) NOT-FOR-US: WebTool HTTP server CVE-2006-2586 (Cross-site scripting (XSS) vulnerability in IpLogger 1.7 and earlier a ...) NOT-FOR-US: IpLogger CVE-2006-2585 (SQL injection vulnerability in Destiney Links Script 2.1.2 allows remo ...) NOT-FOR-US: Destiney Links Script CVE-2006-2584 (Multiple cross-site scripting (XSS) vulnerabilities in post.php in Sky ...) NOT-FOR-US: SkyeBox CVE-2006-2583 (PHP remote file inclusion vulnerability in nucleus/libs/PLUGINADMIN.ph ...) NOT-FOR-US: Nucleus CVE-2006-2582 (The editing form in RWiki 2.1.0pre1 through 2.1.0 allows remote attack ...) NOT-FOR-US: RWiki CVE-2006-2581 (Cross-site scripting (XSS) vulnerability in Wiki content in RWiki 2.1. ...) NOT-FOR-US: RWiki CVE-2005-4806 (Multiple unspecified vulnerabilities in Sun Java System Web Proxy Serv ...) NOT-FOR-US: Sun Java System Web Proxy Server CVE-2005-4805 (Unspecified vulnerability in Sun Java System Application Server 7 Stan ...) NOT-FOR-US: Sun Java System Application Server CVE-2005-4804 (Unspecified vulnerability in Sun Java System Application Server Platfo ...) NOT-FOR-US: Sun Java System Application Server CVE-2006-2580 (Multiple unspecified vulnerabilities in HP OpenView Network Node Manag ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2006-2579 (Unspecified vulnerability in HP OpenView Storage Data Protector 5.1 an ...) NOT-FOR-US: HP OpenView Storage Data Protector CVE-2006-2578 (admin/cron.php in eSyndicat Directory 1.2, when register_globals is en ...) NOT-FOR-US: eSyndicat Directory CVE-2006-2577 (Multiple PHP remote file inclusion vulnerabilities in Docebo 3.0.3 and ...) NOT-FOR-US: Docebo CVE-2006-2576 (Multiple PHP remote file inclusion vulnerabilities in Docebo 3.0.3 and ...) NOT-FOR-US: Docebo CVE-2006-2575 (The setFrame function in Lib/2D/Surface.hpp for NetPanzer 0.8 and earl ...) - netpanzer 0.8+svn20060319-2 (bug #370146; low) [sarge] - netpanzer (Minor DoS against a game) CVE-2006-2574 (Multiple unspecified vulnerabilities in Software Distributor in HP-UX ...) NOT-FOR-US: Software Distributor in HP-UX CVE-2006-2573 (SQL injection vulnerability in index.php in DGBook 1.0, with magic_quo ...) NOT-FOR-US: DGBook CVE-2006-2572 (Cross-site scripting (XSS) vulnerability in index.php in DGBook 1.0 al ...) NOT-FOR-US: DGBook CVE-2006-2571 (Cross-site scripting (XSS) vulnerability in search.html in Alkacon Ope ...) NOT-FOR-US: Alkacon OpenCms CVE-2006-2570 (PHP remote file inclusion vulnerability in CaLogic Calendars 1.2.2 all ...) NOT-FOR-US: CaLogic Calendars CVE-2006-2569 (SQL injection vulnerability in links.php in 4R Linklist 1.0 RC2 and ea ...) NOT-FOR-US: Linklist CVE-2006-2568 (PHP remote file inclusion vulnerability in addpost_newpoll.php in UBB. ...) NOT-FOR-US: UBB.threads CVE-2006-2567 (Cross-site scripting (XSS) vulnerability in submit_article.php in Alst ...) NOT-FOR-US: Alstrasoft Article Manager Pro CVE-2006-2566 (Alstrasoft Article Manager Pro 1.6 allows remote attackers to obtain s ...) NOT-FOR-US: Alstrasoft Article Manager Pro CVE-2006-2565 (SQL injection vulnerability in Alstrasoft Article Manager Pro 1.6 allo ...) NOT-FOR-US: Alstrasoft Article Manager Pro CVE-2006-2564 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Al ...) NOT-FOR-US: Alstrasoft Article Manager Pro CVE-2006-2563 (The cURL library (libcurl) in PHP 4.4.2 and 5.1.4 allows attackers to ...) - php4 4:4.4.4-1 (bug #370166; unimportant) - php5 5.1.6-1 (bug #370165; unimportant) NOTE: Safe mode violations are not supported CVE-2006-2562 (ZyXEL P-335WT router allows remote attackers to bypass access restrict ...) NOT-FOR-US: ZyXEL P-335WT router CVE-2006-2561 (Edimax BR-6104K router allows remote attackers to bypass access restri ...) NOT-FOR-US: Edimax BR-6104K router CVE-2006-2560 (Sitecom WL-153 router firmware before 1.38 allows remote attackers to ...) NOT-FOR-US: Sitecom WL-153 router CVE-2006-2559 (Linksys WRT54G Wireless-G Broadband Router allows remote attackers to ...) NOT-FOR-US: Linksys WRT54G router CVE-2006-2558 (Cross-site scripting (XSS) vulnerability in IpLogger 1.7 and earlier a ...) NOT-FOR-US: IpLogger CVE-2006-2557 (PHP remote file inclusion vulnerability in extras/poll/poll.php in Flo ...) NOT-FOR-US: Newsportal CVE-2006-2556 (Cross-site scripting (XSS) vulnerability in Florian Amrhein NewsPortal ...) - newsportal (bug #149069) NOTE: RFP #149069 closed after no activity since too long time CVE-2006-2555 (The parse_command function in Genecys 0.2 and earlier allows remote at ...) NOT-FOR-US: Genecys CVE-2006-2554 (Buffer overflow in the tell_player_surr_changes function in Genecys 0. ...) NOT-FOR-US: Genecys CVE-2006-2553 (Cross-site scripting (XSS) vulnerability in Jemscripts DownloadControl ...) NOT-FOR-US: DownloadControl CVE-2006-2552 (Jemscripts DownloadControl 1.0 allows remote attackers to obtain sensi ...) NOT-FOR-US: DownloadControl CVE-2006-2551 (Unspecified vulnerability in the kernel in HP-UX B.11.00 allows local ...) NOT-FOR-US: HP-UX CVE-2002-2213 (The DNS resolver in unspecified versions of Infoblox DNS One, when res ...) NOT-FOR-US: Infoblox DNS One CVE-2002-2212 (The DNS resolver in unspecified versions of Fujitsu UXP/V, when resolv ...) NOT-FOR-US: Fujitsu UXP/V CVE-2002-2211 (BIND 4 and BIND 8, when resolving recursive DNS queries for arbitrary ...) - bind (unimportant) - bind9 (does not send parallel queries) NOTE: Disabling recursion does not close all attack vectors. NOTE: Browser reflection attacks will still work. NOTE: Bind 8 design limitations that are only addressed in bind 9 are not NOTE: treated a security issues, DNS admins need to be aware what they are using CVE-2006-2550 (perlpodder before 0.5 allows remote attackers to execute arbitrary cod ...) NOT-FOR-US: perlpodder CVE-2006-2549 (Stack-based buffer overflow in PDF Form Filling and Flattening Tool be ...) NOT-FOR-US: PDF Form Filling and Flattening Tool CVE-2006-2548 (Prodder before 0.5, and perlpodder before 0.5, allows remote attackers ...) NOT-FOR-US: prodder/perlpodder CVE-2006-2547 (Unspecified vulnerability in the sapdba command in SAP with Informix b ...) NOT-FOR-US: Sap CVE-2006-2546 (A recommended admin password reset mechanism for BEA WebLogic Server 8 ...) NOT-FOR-US: BEA CVE-2006-2545 (Multiple cross-site scripting (XSS) vulnerabilities in Xtreme Topsites ...) NOT-FOR-US: Xtreme Topsites CVE-2006-2544 (Multiple SQL injection vulnerabilities in Xtreme Topsites 1.1, with ma ...) NOT-FOR-US: Xtreme Topsites CVE-2006-2543 (Xtreme Topsites 1.1 allows remote attackers to trigger MySQL errors an ...) NOT-FOR-US: Xtreme Topsites CVE-2006-2542 (xmcdconfig in xmcd for Debian GNU/Linux 2.6-17.1 creates /var/lib/cddb ...) {DSA-1086-1} - xmcd 2.6-17.2 (bug #366816; medium) CVE-2006-2541 (SQL injection vulnerability in settings.asp in Zixforum 1.12 allows re ...) NOT-FOR-US: Zixforum CVE-2006-2540 (Privacy leak in install.php for Diesel PHP Job Site sends sensitive in ...) NOT-FOR-US: Diesel CVE-2006-2539 (Sybase EAServer 5.0 for HP-UX Itanium, 5.2 for IBM AIX, HP-UX PA-RISC, ...) NOT-FOR-US: Sybase CVE-2006-2538 (IE Tab 1.0.9 plugin for Mozilla Firefox 1.5.0.3 allows remote user-ass ...) NOT-FOR-US: Windows-only Firefox plugin CVE-2006-2537 (Multiple format string vulnerabilities in (a) OpenBOR 2.0046 and earli ...) NOT-FOR-US: *BOR CVE-2006-2536 (Cross-site scripting (XSS) vulnerability in Destiney Links Script 2.1. ...) NOT-FOR-US: Destiney CVE-2006-2535 (index.php in Destiney Links Script 2.1.2 allows remote attackers to ob ...) NOT-FOR-US: Destiney CVE-2006-2534 (Destiney Links Script 2.1.2 does not protect library and other support ...) NOT-FOR-US: Destiney CVE-2006-2533 (Cross-site scripting (XSS) vulnerability in (1) addWeblog.php and (2) ...) NOT-FOR-US: Destiney CVE-2006-2532 (stats.php in Destiney Rated Images Script 0.5.0 allows remote attacker ...) NOT-FOR-US: Destiney CVE-2006-2531 (Ipswitch WhatsUp Professional 2006 only verifies the user's identity v ...) NOT-FOR-US: Ipswitch CVE-2006-2530 (avatar_upload.asp in Avatar MOD 1.3 for Snitz Forums 3.4, and possibly ...) NOT-FOR-US: Snitz mod CVE-2006-2529 (editor/filemanager/upload/php/upload.php in FCKeditor before 2.3 Beta, ...) - knowledgeroot (fixed before first upload; see bug #381912) CVE-2006-2528 (PHP remote file inclusion vulnerability in classified_right.php in php ...) NOT-FOR-US: phpBazar CVE-2006-2527 (Admin/admin.php in phpBazar 2.1.0 and earlier allows remote attackers ...) NOT-FOR-US: phpBazar CVE-2006-2526 (PHP remote file inclusion vulnerability in index.php in PHP Easy Galer ...) NOT-FOR-US: PHP Easy Galerie CVE-2006-2525 (SQL injection vulnerability in UseBB 1.0 RC1 and earlier allows remote ...) NOT-FOR-US: UseBB CVE-2006-2524 (Cross-site scripting (XSS) vulnerability in UseBB 1.0 RC1 and earlier ...) NOT-FOR-US: UseBB CVE-2006-2523 (PHP remote file inclusion vulnerability in config.php in phpListPro 2. ...) NOT-FOR-US: phpListPro CVE-2006-2522 (Dayfox Blog 2.0 and earlier stores user credentials in edit/slog_users ...) NOT-FOR-US: Dayfox CVE-2006-2521 (PHP remote file inclusion vulnerability in cron.php in phpMyDirectory ...) NOT-FOR-US: phpMyDirectory CVE-2006-2520 (Directory traversal vulnerability in BitZipper 4.1.2 SR-1 and earlier ...) NOT-FOR-US: BitZipper CVE-2006-2519 (Directory traversal vulnerability in include/inc_ext/spaw/spaw_control ...) NOT-FOR-US: phpwcms CVE-2006-2518 (Cross-site scripting (XSS) vulnerability in phpwcms 1.2.5-DEV allows r ...) NOT-FOR-US: phpwcms CVE-2006-2517 (SQL injection vulnerability in MyWeb Portal Office, Standard Edition, ...) NOT-FOR-US: MyWeb CVE-2006-2516 (mainfile.php in XOOPS 2.0.13.2 and earlier, when register_globals is e ...) NOT-FOR-US: XOOPS CVE-2006-2515 (Cross-site scripting (XSS) vulnerability in index.php in Hiox Guestboo ...) NOT-FOR-US: Hiox CVE-2006-2514 (Coppermine galleries before 1.4.6, when running on Apache with mod_mim ...) NOT-FOR-US: Coppermine CVE-2006-2513 (Unspecified vulnerability in the installation process in Sun Java Syst ...) NOT-FOR-US: Sun CVE-2006-2512 (SQL injection vulnerability in Hitachi EUR Professional Edition, EUR V ...) NOT-FOR-US: Hitachi CVE-2006-2511 (The ActiveX version of FrontRange iHEAT allows remote authenticated us ...) NOT-FOR-US: FrontRange CVE-2006-2510 (Cross-site scripting (XSS) vulnerability in the URL submission form in ...) NOT-FOR-US: YourFreeWorld.com CVE-2006-2509 (SQL injection vulnerability in login.php in YourFreeWorld.com Short Ur ...) NOT-FOR-US: YourFreeWorld.com CVE-2006-2508 (SQL injection vulnerability in tr1.php in YourFreeWorld.com Stylish Te ...) NOT-FOR-US: YourFreeWorld.com CVE-2006-2507 (Multiple PHP remote file inclusion vulnerabilities in Teake Nutma Foin ...) NOT-FOR-US: phpbb2 mod CVE-2006-2506 (Multiple cross-site scripting (XSS) vulnerabilities in search.php in S ...) NOT-FOR-US: Sphider CVE-2006-2505 (Oracle Database Server 10g Release 2 allows local users to execute arb ...) NOT-FOR-US: Oracle CVE-2006-2504 (Multiple SQL injection vulnerabilities in mono AZBOARD 1.0 and earlier ...) NOT-FOR-US: AZBOARD CVE-2006-2503 (SQL injection vulnerability in misc.php in DeluxeBB 1.06 allows remote ...) NOT-FOR-US: DeluxeBB CVE-2006-2502 (Stack-based buffer overflow in pop3d in Cyrus IMAPD (cyrus-imapd) 2.3. ...) - cyrus-imapd-2.2 (Vulnerable code not present) CVE-2006-2501 (Cross-site scripting (XSS) vulnerability in Sun ONE Web Server 6.0 SP9 ...) NOT-FOR-US: Sun CVE-2006-2500 (Cross-site scripting (XSS) vulnerability in add_news.asp in CodeAvalan ...) NOT-FOR-US: CodeAvalanche News CVE-2006-2499 (SQL injection vulnerability in default.asp in CodeAvalanche News (CANe ...) NOT-FOR-US: CodeAvalanche News CVE-2006-2498 (Invision Power Board (IPB) before 2.1.6 allows remote attackers to exe ...) NOT-FOR-US: Invision CVE-2006-2497 (Multiple cross-site scripting (XSS) vulnerabilities in AspBB 0.5.2 all ...) NOT-FOR-US: AspBB CVE-2006-2496 (Buffer overflow in iMonitor 2.4 in Novell eDirectory 8.8 allows remote ...) NOT-FOR-US: Novell CVE-2006-2495 (Cross-site request forgery (CSRF) vulnerability in the Entry Manager i ...) - serendipity 1.0-1 CVE-2006-2494 (Stack-based buffer overflow in IntelliTamper 2.07 allows remote attack ...) NOT-FOR-US: IntelliTampe CVE-2006-2493 REJECTED CVE-2005-1755 (PHP remote file inclusion vulnerability in poll_vote.php in PHP Poll C ...) NOT-FOR-US: PHP Poll Creator CVE-2005-1754 NOT-FOR-US: JavaMail API NOTE: vulnerable file not in Debian CVE-2005-1753 NOT-FOR-US: JavaMail API NOTE: vulnerable file not in Debian CVE-2005-1752 (viewFile.php in the scm component of Gforge before 4.0 allows remote a ...) - gforge 3.1-30 NOTE: viewFile.php disabled in 3.1-30 CVE-2006-2492 (Buffer overflow in Microsoft Word in Office 2000 SP3, Office XP SP3, O ...) NOT-FOR-US: Microsoft CVE-2006-2491 (Cross-site scripting (XSS) vulnerability in (1) index.php and (2) bmc/ ...) NOT-FOR-US: BoastMachine CVE-2006-2490 (Multiple cross-site scripting (XSS) vulnerabilities in Mobotix IP Netw ...) NOT-FOR-US: Mobotix CVE-2006-2489 (Integer overflow in CGI scripts in Nagios 1.x before 1.4.1 and 2.x bef ...) {DSA-1072-1} - nagios 2:1.4-1 (bug #366682; bug #366803; bug #368193; high) - nagios2 2.3-1 (bug #366683; bug #368199; high) CVE-2006-2488 (Multiple cross-site scripting (XSS) vulnerabilities in Spymac WebOS (W ...) NOT-FOR-US: Spymac CVE-2006-2487 (Multiple PHP remote file inclusion vulnerabilities in ScozNews 1.2.1 a ...) NOT-FOR-US: ScozNews CVE-2006-2486 (SQL injection vulnerability in find.php in YapBB 1.2 Beta2 and earlier ...) NOT-FOR-US: YapBB CVE-2006-2485 (PHP remote file inclusion vulnerability in includes/class_template.php ...) NOT-FOR-US: Quezza CVE-2006-2484 (Cross-site scripting (XSS) vulnerability in index.html in IceWarp WebM ...) NOT-FOR-US: IceWarp CVE-2006-2483 (PHP remote file inclusion vulnerability in cart_content.php in Squirre ...) NOT-FOR-US: Squirrelcart CVE-2006-2482 (Heap-based buffer overflow in the TZipTV component in (1) ZipTV for De ...) NOT-FOR-US: ZipTV CVE-2006-2481 (VMware ESX Server 2.0.x before 2.0.2 and 2.x before 2.5.2 patch 4 stor ...) NOT-FOR-US: VMware ESX CVE-2006-2480 (Format string vulnerability in Dia 0.94 allows user-assisted attackers ...) - dia 0.95.0-4 (bug #368202; low) [sarge] - dia (Hardly exploitable, would require obviously malformed file names) CVE-2006-2479 (The Update functionality in Bitrix Site Manager 4.1.x does not verify ...) NOT-FOR-US: Bitrix CVE-2006-2478 (Bitrix Site Manager 4.1.x allows remote attackers to redirect users to ...) NOT-FOR-US: Bitrix CVE-2006-2477 (Cross-site scripting (XSS) vulnerability in the administrative interfa ...) NOT-FOR-US: Bitrix CVE-2006-2476 (Bitrix Site Manager 4.1.x stores updater.log under the web document ro ...) NOT-FOR-US: Bitrix CVE-2006-2475 (Directory traversal vulnerability in (1) edit_mailtexte.cgi and (2) be ...) NOT-FOR-US: Cosmoshop CVE-2006-2474 (SQL injection vulnerability in lshop.cgi in Cosmoshop 8.11.106 and ear ...) NOT-FOR-US: Cosmoshop CVE-2006-2473 NOT-FOR-US: OpenWiki CVE-2006-2472 (Unspecified vulnerability in BEA WebLogic Server 9.1 and 9.0, 8.1 thro ...) NOT-FOR-US: BEA CVE-2006-2471 (Multiple vulnerabilities in BEA WebLogic Server 8.1 through SP4, 7.0 t ...) NOT-FOR-US: BEA CVE-2006-2470 (Unspecified vulnerability in the WebLogic Server Administration Consol ...) NOT-FOR-US: BEA CVE-2006-2469 (The HTTP handlers in BEA WebLogic Server 9.0, 8.1 up to SP5, 7.0 up to ...) NOT-FOR-US: BEA CVE-2006-2468 (The WebLogic Server Administration Console in BEA WebLogic Server 8.1 ...) NOT-FOR-US: BEA CVE-2006-2467 (BEA WebLogic Server 8.1 up to SP4, 7.0 up to SP6, and 6.1 up to SP7 di ...) NOT-FOR-US: BEA CVE-2006-2466 (BEA WebLogic Server 8.1 up to SP4 and 7.0 up to SP6 allows remote atta ...) NOT-FOR-US: BEA CVE-2006-2465 (Buffer overflow in MP3Info 0.8.4 allows attackers to execute arbitrary ...) - mp3info 0.8.4-9.1 (bug #368207; low) [sarge] - mp3info (Hardly exploitable) CVE-2006-2464 (stopWebLogic.sh in BEA WebLogic Server 8.1 before Service Pack 4 and 7 ...) NOT-FOR-US: BEA CVE-2006-2463 (view_album.php in SelectaPix 1.31 and earlier allows remote attackers ...) NOT-FOR-US: SelectaPix CVE-2006-2462 (BEA WebLogic Server 8.1 before Service Pack 4 and 7.0 before Service P ...) NOT-FOR-US: BEA CVE-2006-2461 (BEA WebLogic Server before 8.1 Service Pack 4 does not properly set th ...) NOT-FOR-US: BEA CVE-2006-2460 (Sugar Suite Open Source (SugarCRM) 4.2 and earlier, when register_glob ...) - sugarcrm-ce-5.0 (bug #457876) CVE-2006-2459 (SQL injection vulnerability in messages.php in PHP-Fusion 6.00.307 and ...) NOT-FOR-US: PHP-Fusion CVE-2006-2458 (Multiple heap-based buffer overflows in Libextractor 0.5.13 and earlie ...) {DSA-1081-1} - libextractor 0.5.14-1 CVE-2006-2457 RESERVED CVE-2006-2456 RESERVED CVE-2006-2455 RESERVED CVE-2006-2454 RESERVED CVE-2006-2453 (Multiple unspecified format string vulnerabilities in Dia have unspeci ...) - dia 0.95.0-4 (bug #368202; medium) [sarge] - dia (Hardly exploitable, would require obviously malformed file names) CVE-2006-2452 (GNOME GDM 2.8, 2.12, 2.14, and 2.15, when the "face browser" feature i ...) - gdm 2.16.1-1 (bug #375281; medium) [sarge] - gdm (Vulnerable code has only been introduced with 2.8) CVE-2006-2451 (The suid_dumpable support in Linux kernel 2.6.13 up to versions before ...) - linux-2.6 2.6.17-3 (high) CVE-2006-2450 (auth.c in LibVNCServer 0.7.1 allows remote attackers to bypass authent ...) - libvncserver 0.8.2-1 (high; bug #376824) CVE-2006-2449 (KDE Display Manager (KDM) in KDE 3.2.0 up to 3.5.3 allows local users ...) {DSA-1156} - kdebase 4:3.5.2-2 (bug #374002; medium) CVE-2006-2448 (Linux kernel before 2.6.16.21 and 2.6.17, when running on PowerPC, doe ...) - linux-2.6 2.6.16-15 CVE-2006-2447 (SpamAssassin before 3.1.3, when running with vpopmail and the paranoid ...) {DSA-1090-1} - spamassassin 3.1.3-1 (medium) CVE-2006-2446 (Race condition between the kfree_skb and __skb_unlink functions in the ...) {DSA-1184-2 DSA-1183-1} - linux-2.6 2.6.16-1 NOTE: I'm not sure at which point this was merged, but I checked 2.6.16 and the NOTE: patch is included there CVE-2006-2445 (Race condition in run_posix_cpu_timers in Linux kernel before 2.6.16.2 ...) - linux-2.6 2.6.16-15 CVE-2006-2444 (The snmp_trap_decode function in the SNMP NAT helper for Linux kernel ...) {DSA-1184-2 DSA-1183-1} - linux-2.6 2.6.16-15 CVE-2006-2442 (kphone 4.2 creates .qt/kphonerc with world-readable permissions, which ...) {DSA-1062-1} - kphone 1:4.2-3 (bug #337830; medium) CVE-2006-2439 (Stack-based buffer overflow in ZipCentral 4.01 allows remote user-assi ...) NOT-FOR-US: ZipCentral CVE-2006-2438 (Directory traversal vulnerability in the viewfile servlet in the docum ...) NOT-FOR-US: Caucho CVE-2006-2437 (The viewfile servlet in the documentation package (resin-doc) for Cauc ...) NOT-FOR-US: Caucho CVE-2006-2436 (WebSphere Application Server 5.0.2 (or any earlier cumulative fix) sto ...) NOT-FOR-US: IBM CVE-2006-2435 (Unspecified vulnerability in IBM WebSphere Application Server 5.0.2 an ...) NOT-FOR-US: IBM CVE-2006-2434 (Unspecified vulnerability in WebSphere 5.1.1 (or any earlier cumulativ ...) NOT-FOR-US: IBM CVE-2006-2433 (Unspecified vulnerability in IBM WebSphere Application Server 6.0.2, 6 ...) NOT-FOR-US: IBM CVE-2006-2432 (IBM WebSphere Application Server 5.0.2 (or any earlier cumulative fix) ...) NOT-FOR-US: IBM CVE-2006-2431 (Cross-site scripting (XSS) vulnerability in the 500 Internal Server Er ...) NOT-FOR-US: IBM CVE-2006-2430 (IBM WebSphere Application Server 5.0.2 and earlier, 5.1.1 and earlier, ...) NOT-FOR-US: IBM CVE-2006-2429 (Unspecified vulnerability in IBM WebSphere Application Server 6.0.2, 6 ...) NOT-FOR-US: IBM CVE-2006-2428 (add.asp in DUware DUbanner 3.1 allows remote attackers to execute arbi ...) NOT-FOR-US: Duware CVE-2006-2427 (freshclam in (1) Clam Antivirus (ClamAV) 0.88 and (2) ClamXav 1.0.3h a ...) - clamav (clamav-freshclam doesn't ship freshclam setuid or setgid) CVE-2006-2426 (Sun Java Runtime Environment (JRE) 1.5.0_6 and earlier, JDK 1.5.0_6 an ...) {DSA-1769-1} - sun-java5 1.5.0-10-1 (bug #384734) - sun-java6 6-13-1 (bug #521414) [lenny] - sun-java6 (Non-free not supported) - openjdk-6 6b14-1.5~pre1-3 (bug #566766) CVE-2006-2425 (Multiple cross-site scripting (XSS) vulnerabilities in PRV.php in PhpR ...) NOT-FOR-US: phpRemoteView CVE-2006-2424 (PHP remote file inclusion vulnerability in ezUserManager 1.6 and earli ...) NOT-FOR-US: ezUserManager CVE-2006-2423 (Cross-site scripting (XSS) vulnerability in ftplogin/index.php in Conf ...) NOT-FOR-US: Confixx CVE-2006-2422 (phpCOIN 1.2.3 and earlier stores messages based upon e-mail addresses, ...) NOT-FOR-US: phpCOIN CVE-2006-2421 (Stack-based buffer overflow in Pragma FortressSSH 4.0.7.20 allows remo ...) NOT-FOR-US: Pragma CVE-2006-2420 (Bugzilla 2.20rc1 through 2.20 and 2.21.1, when using RSS 1.0, allows r ...) NOTE: "this issue normally would not be included in CVE, it is being identified since the Bugzilla developers have addressed it." - bugzilla (unimportant) CVE-2006-2419 (Cross-site scripting (XSS) vulnerability in index.php in Directory Lis ...) NOT-FOR-US: Directory Listing Script CVE-2006-2418 (Cross-site scripting (XSS) vulnerabilities in certain versions of phpM ...) {DSA-1207-1} - phpmyadmin 4:2.8.1-1 (bug #368082; medium) CVE-2006-2417 (Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.0.x before ...) - phpmyadmin 4:2.8.1-1 (bug #368082; medium) [sarge] - phpmyadmin (Vulnerable code not present) CVE-2006-2416 (SQL injection vulnerability in class2.php in e107 0.7.2 and earlier al ...) NOT-FOR-US: e107 CVE-2006-2415 (Multiple cross-site scripting (XSS) vulnerabilities in FlexChat 2.0 an ...) NOT-FOR-US: FlexChat CVE-2006-2414 (Directory traversal vulnerability in Dovecot 1.0 beta and 1.0 allows r ...) {DSA-1080-1} - dovecot 1.0.beta8-1 (low) [sarge] - dovecot (vulnerability introduced in 1.0) CVE-2006-2413 (GNUnet before SVN revision 2781 allows remote attackers to cause a den ...) - gnunet 0.7.0e-1 (bug #368159; medium) [sarge] - gnunet (according to maintainer) CVE-2006-2412 (The raydium_network_read function in network.c in Raydium SVN revision ...) NOT-FOR-US: Raydium CVE-2006-2411 (Buffer overflow in raydium_network_read function in network.c in Raydi ...) NOT-FOR-US: Raydium CVE-2006-2410 (raydium_network_netcall_exec function in network.c in Raydium SVN revi ...) NOT-FOR-US: Raydium CVE-2006-2409 (Format string vulnerability in the raydium_log function in console.c i ...) NOT-FOR-US: Raydium CVE-2006-2408 (Multiple buffer overflows in Raydium before SVN revision 310 allow rem ...) NOT-FOR-US: Raydium CVE-2006-2407 (Stack-based buffer overflow in (1) WeOnlyDo wodSSHServer ActiveX Compo ...) NOT-FOR-US: ActiveX component CVE-2006-2406 (Directory traversal vulnerability in bb_lib/abbc.css.php in Unclassifi ...) NOT-FOR-US: Unclassified NewsBoard CVE-2006-2405 (Directory traversal vulnerability in unb_lib/abbc.conf.php in Unclassi ...) NOT-FOR-US: Unclassified NewsBoard CVE-2006-2404 (Directory traversal vulnerability in popup.php in RadScripts RadLance ...) NOT-FOR-US: RadScripts CVE-2006-2403 (Buffer overflow in FileZilla before 2.2.23 allows remote attackers to ...) - filezilla (fixed before the first Debian upload) CVE-2006-2402 (Buffer overflow in the changeRegistration function in servernet.cpp fo ...) NOT-FOR-US: Outgun CVE-2006-2401 (The leetnet functions (leetnet/rudp.cpp) in Outgun 1.0.3 bot 2 and ear ...) NOT-FOR-US: Outgun CVE-2006-2400 (The leetnet functions (leetnet/rudp.cpp) in Outgun 1.0.3 bot 2 and ear ...) NOT-FOR-US: Outgun CVE-2006-2399 (Stack-based buffer overflow in the ServerNetworking::incoming_client_d ...) NOT-FOR-US: Outgun CVE-2006-2398 (Directory traversal vulnerability in index.php in GPhotos 1.5 and earl ...) NOT-FOR-US: GPhotos web gallery CVE-2006-2397 (Multiple cross-site scripting (XSS) vulnerabilities in GPhotos 1.5 and ...) NOT-FOR-US: GPhotos web gallery CVE-2006-2396 (Cross-site scripting (XSS) vulnerability in phpODP 1.5h allows remote ...) NOT-FOR-US: phpODP CVE-2006-2395 (PHP remote file inclusion vulnerability in resources/includes/popp.con ...) NOT-FOR-US: PopPhoto CVE-2006-2394 (Cross-site scripting (XSS) vulnerability in chat.php in PHP Live Helpe ...) NOT-FOR-US: PHP Live Support CVE-2006-2393 (The client_cmd function in Empire 4.3.2 and earlier allows remote atta ...) NOT-FOR-US: Debian's 'empire' is a different game CVE-2006-2392 (PHP remote file inclusion vulnerability in public_includes/pub_popup/p ...) NOT-FOR-US: PHP Blue Dragon Platinum CVE-2006-2391 (Buffer overflow in EMC Retrospect Client 5.1 through 7.5 allows remote ...) NOT-FOR-US: EMC Retrospect CVE-2006-2390 (Cross-site scripting (XSS) vulnerability in OZJournals 1.2 allows remo ...) NOT-FOR-US: OZJournals CVE-2006-2389 (Unspecified vulnerability in Microsoft Office 2003 SP1 and SP2, Office ...) NOT-FOR-US: Microsoft CVE-2006-2388 (Microsoft Office Excel 2000 through 2004 allows user-assisted attacker ...) NOT-FOR-US: Microsoft CVE-2006-2387 (Unspecified vulnerability in Microsoft Excel 2000, 2002, 2003, 2004 fo ...) NOT-FOR-US: Microsoft CVE-2006-2386 (Unspecified vulnerability in Microsoft Outlook Express 6 and earlier a ...) NOT-FOR-US: Microsoft CVE-2006-2385 (Unspecified vulnerability in Microsoft Internet Explorer 5.01 SP4 and ...) NOT-FOR-US: Microsoft CVE-2006-2384 (Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows remo ...) NOT-FOR-US: Microsoft CVE-2006-2383 (Unspecified vulnerability in Microsoft Internet Explorer 5.01 SP4 and ...) NOT-FOR-US: Microsoft CVE-2006-2382 (Heap-based buffer overflow in Microsoft Internet Explorer 5.01 SP4 and ...) NOT-FOR-US: Microsoft CVE-2006-2381 REJECTED CVE-2006-2380 (Microsoft Windows 2000 SP4 does not properly validate an RPC server du ...) NOT-FOR-US: Microsoft CVE-2006-2379 (Buffer overflow in the TCP/IP Protocol driver in Microsoft Windows 200 ...) NOT-FOR-US: Microsoft CVE-2006-2378 (Buffer overflow in the ART Image Rendering component (jgdw400.dll) in ...) NOT-FOR-US: Microsoft CVE-2006-2377 REJECTED CVE-2006-2376 (Integer overflow in the PolyPolygon function in Graphics Rendering Eng ...) NOT-FOR-US: Microsoft CVE-2006-2375 REJECTED CVE-2006-2374 (The Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Window ...) NOT-FOR-US: Microsoft CVE-2006-2373 (The Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft Window ...) NOT-FOR-US: Microsoft CVE-2006-2372 (Buffer overflow in the DHCP Client service for Microsoft Windows 2000 ...) NOT-FOR-US: Microsoft CVE-2006-2371 (Buffer overflow in the Remote Access Connection Manager service (RASMA ...) NOT-FOR-US: Microsoft CVE-2006-2370 (Buffer overflow in the Routing and Remote Access service (RRAS) in Mic ...) NOT-FOR-US: Microsoft CVE-2006-2369 (RealVNC 4.1.1, and other products that use RealVNC such as AdderLink I ...) - vnc4 4.1.1+X4.3.0-10 (high) [sarge] - vnc4 (vuln not in 4.0) CVE-2006-2368 (Cross-site scripting (XSS) vulnerability in index.php in Clansys (aka ...) NOT-FOR-US: Clansys CVE-2006-2367 (Cross-site scripting (XSS) vulnerability in index.php in Clansys (aka ...) NOT-FOR-US: Clansys CVE-2006-2366 (ircp_io.c in libopenobex for ircp 1.2, when ircp is run with the -r op ...) - libopenobex 1.2-3 (bug #366484) CVE-2006-2365 (Cross-site scripting (XSS) vulnerability in a_login.php in Vizra allow ...) NOT-FOR-US: Vizra CVE-2006-2364 (Cross-site scripting (XSS) vulnerability in the validation feature in ...) NOT-FOR-US: Macromedia CVE-2006-2363 (SQL injection vulnerability in the weblinks option (weblinks.html.php) ...) NOT-FOR-US: Limbo CVE-2006-2362 (Buffer overflow in getsym in tekhex.c in libbfd in Free Software Found ...) - binutils 2.17-1 (low; bug #368237) [sarge] - binutils (Very minor issue) CVE-2006-2361 (PHP remote file inclusion vulnerability in pafiledb_constants.php in D ...) NOT-FOR-US: phpbb mod CVE-2006-2360 (SQL injection vulnerability in charts.php in the Chart mod for phpBB a ...) NOT-FOR-US: phpbb mod CVE-2006-2359 (Cross-site scripting (XSS) vulnerability in charts.php in the Chart mo ...) NOT-FOR-US: phpbb mod CVE-2006-2192 RESERVED CVE-2005-4803 (graphviz before 2.2.1 allows local users to overwrite arbitrary files ...) {DSA-857-1} - graphviz 2.2.1-1sarge1 (bug #336985; low) CVE-2005-4802 (Flexbackup 1.2.1 and earlier allows local users to overwrite files and ...) {DSA-1216} - flexbackup 1.2.1-3 (bug #334350; low) CVE-2005-4801 (Multiple cross-site request forgery (CSRF) vulnerabilities in Yet Anot ...) NOT-FOR-US: YaPIG CVE-2005-4800 (Direct static code injection vulnerability in Yet Another PHP Image Ga ...) NOT-FOR-US: YaPIG CVE-2005-4799 (Multiple cross-site scripting (XSS) vulnerabilities in Yet Another PHP ...) NOT-FOR-US: YaPIG CVE-2006-2358 (Multiple cross-site scripting (XSS) vulnerabilities in various scripts ...) NOT-FOR-US: Web Labs CMS CVE-2006-2357 (Ipswitch WhatsUp Professional 2006 and WhatsUp Professional 2006 Premi ...) NOT-FOR-US: Ipswitch WhatsUp CVE-2006-2356 (NmConsole/utility/RenderMap.asp in Ipswitch WhatsUp Professional 2006 ...) NOT-FOR-US: Ipswitch WhatsUp CVE-2006-2355 (Ipswitch WhatsUp Professional 2006 and Ipswitch WhatsUp Professional 2 ...) NOT-FOR-US: Ipswitch WhatsUp CVE-2006-2354 (NmConsole/Login.asp in Ipswitch WhatsUp Professional 2006 and Ipswitch ...) NOT-FOR-US: Ipswitch WhatsUp CVE-2006-2353 (NmConsole/DeviceSelection.asp in Ipswitch WhatsUp Professional 2006 an ...) NOT-FOR-US: Ipswitch WhatsUp CVE-2006-2352 (Multiple cross-site scripting (XSS) vulnerabilities in IPswitch WhatsU ...) NOT-FOR-US: Ipswitch WhatsUp CVE-2006-2351 (Multiple cross-site scripting (XSS) vulnerabilities in IPswitch WhatsU ...) NOT-FOR-US: Ipswitch WhatsUp CVE-2006-2350 REJECTED CVE-2006-2349 (E-Business Designer (eBD) 3.1.4 and earlier allows remote attackers to ...) NOT-FOR-US: E-Business Designer CVE-2006-2348 (Cross-site scripting (XSS) vulnerability in form_grupo.html in E-Busin ...) NOT-FOR-US: E-Business Designer CVE-2006-2347 (E-Business Designer (eBD) 3.1.4 and earlier allows remote attackers to ...) NOT-FOR-US: E-Business Designer CVE-2006-2346 (vpopmail 5.4.14 and 5.4.15, with cleartext passwords enabled, allows r ...) - vpopmail (vulnerability introduced in 5.4.14) NOTE: Unable to reach CVS to determine if prior versions are affected NOTE: Micah will return to this one CVE-2006-2345 (Cross-site scripting (XSS) vulnerability in inc/elementz.php in AliPAG ...) NOT-FOR-US: AliPAGER CVE-2006-2344 (SQL injection vulnerability in inc/elementz.php in AliPAGER 1.5, with ...) NOT-FOR-US: AliPAGER CVE-2006-2343 (Cross-site scripting (XSS) vulnerability in Search.do in ManageEngine ...) NOT-FOR-US: ManageEngine OpManager CVE-2006-2342 (IBM WebSphere Application Server 6.0.2 before FixPack 3 allows remote ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2006-2341 (The HTTP proxy in Symantec Gateway Security 5000 Series 2.0.1 and 3.0, ...) NOT-FOR-US: Symantec Gateway Security CVE-2006-2340 (Cross-site scripting (XSS) vulnerability in PassMasterFlex and PassMas ...) NOT-FOR-US: PassMasterFlex CVE-2006-2339 (SQL injection vulnerability in index.php in evoTopsites 2.x and evoTop ...) NOT-FOR-US: evoTopsites CVE-2006-2338 (PlaNet Concept plaNetStat 20050127 allows remote attackers to gain adm ...) NOT-FOR-US: PlaNet CVE-2006-2337 (Directory traversal vulnerability in webcm in the D-Link DSL-G604T Wir ...) NOT-FOR-US: D-Link CVE-2006-2336 (SQL injection vulnerability in showthread.php in MyBB (aka MyBulletinB ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-2335 (Jelsoft vBulletin accepts uploads of Cascading Style Sheets (CSS) and ...) NOT-FOR-US: vBulletin CVE-2006-2334 (The RtlDosPathNameToNtPathName_U API function in NTDLL.DLL in Microsof ...) NOT-FOR-US: Windows CVE-2006-2333 (Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) 1 ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-2332 (Mozilla Firefox 1.5.0.3 allows remote attackers to cause a denial of s ...) NOTE: 1.5.dfsg+1.5.0.3-2 didn't crash or do anything but stutter on the sample pages, marking it fixed in there - firefox 1.5.dfsg+1.5.0.3-2 CVE-2006-2331 (Multiple directory traversal vulnerabilities in PHP-Fusion 6.00.306 al ...) NOT-FOR-US: PHP-Fusion CVE-2006-2330 (PHP-Fusion 6.00.306 and earlier, running under Apache HTTP Server 1.3. ...) NOT-FOR-US: PHP-Fusion CVE-2006-2329 (AngelineCMS 0.6.5 and earlier allow remote attackers to obtain sensiti ...) NOT-FOR-US: AngelineCMS CVE-2006-2328 (SQL injection vulnerability in lib/adodb/server.php in AngelineCMS 0.6 ...) NOT-FOR-US: AngelineCMS CVE-2006-2327 (Multiple integer overflows in the DPRPC library (DPRPCNLM.NLM) NDPS/iP ...) NOT-FOR-US: Novell CVE-2006-2326 (Directory traversal vulnerability in index.php in OnlyScript.info Onli ...) NOT-FOR-US: OnlyScript.info CVE-2006-2325 (Cross-site scripting (XSS) vulnerability in index.php in OnlyScript.in ...) NOT-FOR-US: OnlyScript.info CVE-2006-2324 (180solutions Zango downloads "required Adware components" without chec ...) NOT-FOR-US: 180solutions CVE-2006-2323 (Multiple PHP remote file inclusion vulnerabilities in SmartISoft phpLi ...) NOT-FOR-US: SmartISoft CVE-2006-2322 (The transparent proxy feature of the Cisco Application Velocity System ...) NOT-FOR-US: Cisco CVE-2006-2321 (Multiple cross-site scripting (XSS) vulnerabilities in Ideal Science I ...) NOT-FOR-US: Ideal Science CVE-2006-2320 (Multiple SQL injection vulnerabilities in Ideal Science Ideal BB 1.5.4 ...) NOT-FOR-US: Ideal Science CVE-2006-2319 (Ideal Science Ideal BB 1.5.4a and earlier does not properly check file ...) NOT-FOR-US: Ideal Science CVE-2006-2318 (Incomplete blacklist vulnerability in Ideal Science Ideal BB 1.5.4a an ...) NOT-FOR-US: Ideal Science CVE-2006-2317 (Unspecified vulnerability in Ideal Science Ideal BB 1.5.4a and earlier ...) NOT-FOR-US: Ideal Science CVE-2006-2316 (S24EvMon.exe in the Intel PROset/Wireless software, possibly 10.1.0.33 ...) NOT-FOR-US: Intel Windows software CVE-2006-2315 NOT-FOR-US: ISPConfig CVE-2006-2314 (PostgreSQL 8.1.x before 8.1.4, 8.0.x before 8.0.8, 7.4.x before 7.4.13 ...) {DSA-1087-1} - postgresql 7.5.4 (medium; bug #368645) - postgresql-7.4 1:7.4.13-1 (medium) - postgresql-8.1 8.1.4-1 (medium) - pygresql 3.8-1.1 (medium) [sarge] - pygresql (Already includes proper quoting) NOTE: Beginning with version 7.5.4, postgresql is a transition NOTE: package which does not contain actual code. That's why NOTE: it's marked as fixed here. (Previous versions are vulnerable.) NOTE: The following packages needed to adapted to cope with the new system: NOTE: psycopg 1.1.21-5 (bug #369230) NOTE: python-pgsql 2.4.0-8 (bug #369250) NOTE: pygresql 1:3.8-1.1 (bug #369239) NOTE: dovecot 1.0.beta8-3 (bug #369359) NOTE: postfix 2.2.10-2 (bug #369349) CVE-2006-2313 (PostgreSQL 8.1.x before 8.1.4, 8.0.x before 8.0.8, 7.4.x before 7.4.13 ...) {DSA-1087-1} - postgresql 7.5.4 (high; bug #368645) - postgresql-7.4 1:7.4.13-1 (high) - postgresql-8.1 8.1.4-1 (high) NOTE: Beginning with version 7.5.4, postgresql is a transition NOTE: package which does not contain actual code. That's why NOTE: it's marked as fixed here. (Previous versions are vulnerable.) CVE-2006-2312 (Argument injection vulnerability in the URI handler in Skype 2.0.*.104 ...) NOT-FOR-US: Skype CVE-2006-2311 (Cross-site scripting (XSS) vulnerability in BlueDragon Server and Serv ...) NOT-FOR-US: BlueDragon Server and Server JX CVE-2006-2310 (BlueDragon Server and Server JX 6.2.1.286 for Windows allows remote at ...) NOT-FOR-US: BlueDragon Server and Server JX CVE-2006-2309 (The HTTP service in EServ/3 3.25 allows remote attackers to obtain sen ...) NOT-FOR-US: EServ CVE-2006-2308 (Directory traversal vulnerability in the IMAP service in EServ/3 3.25 ...) NOT-FOR-US: EServ CVE-2006-2307 (Cross-site scripting (XSS) vulnerability in Website Baker CMS before 2 ...) NOT-FOR-US: Website Baker CVE-2006-2306 (Cross-site scripting (XSS) vulnerability in moreinfo.asp in EPublisher ...) NOT-FOR-US: EPublisherPro CVE-2006-2305 (Multiple cross-site scripting (XSS) vulnerabilities in Jadu CMS allow ...) NOT-FOR-US: Jadu CVE-2006-2304 (Multiple integer overflows in the DPRPC library (DPRPCW32.DLL) in Nove ...) NOT-FOR-US: Novell software for Windows CVE-2006-2303 (Cross-Application Scripting (XAS) vulnerability in ICQ Client 5.04 bui ...) NOT-FOR-US: Windows ICQ client CVE-2006-2302 (SQL injection vulnerability in admin_default.asp in DUGallery 2.x allo ...) NOT-FOR-US: DUGallery CVE-2006-2301 (SQL injection vulnerability in admin_default.asp in OzzyWork Galeri al ...) NOT-FOR-US: OzzyWork CVE-2006-2300 (Multiple SQL injection vulnerabilities in EImagePro allow remote attac ...) NOT-FOR-US: EImagePro CVE-2006-2299 RESERVED CVE-2006-2298 (The Internet Key Exchange version 1 (IKEv1) implementation in the libi ...) NOT-FOR-US: Solaris CVE-2006-2297 (Heap-based buffer overflow in Microsoft Infotech Storage System Librar ...) NOT-FOR-US: Microsoft Infotech Storage System CVE-2006-2296 (SQL injection vulnerability in search_result.asp in EDirectoryPro 2.0 ...) NOT-FOR-US: EDirectoryPro CVE-2006-2295 (Directory traversal vulnerability in Dynamic Galerie 1.0 allows remote ...) NOT-FOR-US: Dynamic Galerie CVE-2006-2294 (Cross-site scripting (XSS) vulnerability in Dynamic Galerie 1.0 allows ...) NOT-FOR-US: Dynamic Galerie CVE-2006-2293 (SQL injection vulnerability in all_calendars.asp in MultiCalendars 3.0 ...) NOT-FOR-US: MultiCalendars CVE-2006-2292 (Multiple SQL injection vulnerabilities in IA-Calendar allow remote att ...) NOT-FOR-US: IA-Calendar CVE-2006-2291 (Cross-site scripting (XSS) vulnerability in calendar_new.asp in IA-Cal ...) NOT-FOR-US: IA-Calendar CVE-2006-2290 (Multiple cross-site scripting (XSS) vulnerabilities in kommentar.php i ...) NOT-FOR-US: 2005-Comments-Script CVE-2006-2289 (Buffer overflow in avahi-core in Avahi before 0.6.10 allows local user ...) - avahi 0.6.10-1 (medium) CVE-2006-2288 (Avahi before 0.6.10 allows local users to cause a denial of service (m ...) - avahi 0.6.10-1 (low) CVE-2006-2287 (Multiple cross-site scripting (XSS) vulnerabilities in Vision Source 0 ...) NOT-FOR-US: Vision Source CVE-2006-2286 (Multiple PHP remote file inclusion vulnerabilities in claro_init_globa ...) NOT-FOR-US: Dokeos CVE-2006-2285 (PHP remote file inclusion vulnerability in authldap.php in Dokeos 1.6. ...) NOT-FOR-US: Dokeos CVE-2006-2284 (Multiple PHP remote file inclusion vulnerabilities in Claroline 1.7.5 ...) NOT-FOR-US: Claroline CVE-2006-2283 (Multiple PHP remote file inclusion vulnerabilities in SpiffyJr phpRaid ...) NOT-FOR-US: phpRaid CVE-2006-2282 (Cross-site scripting (XSS) vulnerability in X7 Chat 2.0.2 and earlier ...) NOT-FOR-US: X7 Chat CVE-2006-2281 (X-Scripts X-Poll (xpoll) 2.30 allows remote attackers to execute arbit ...) NOT-FOR-US: X-Scripts X-Poll CVE-2006-2280 (Directory traversal vulnerability in website.php in openEngine 1.8 Bet ...) NOT-FOR-US: openEngine CVE-2006-2279 (Multiple SQL injection vulnerabilities in SaphpLesson 3.0 allow remote ...) NOT-FOR-US: SaphpLesson CVE-2006-2278 (SaphpLesson 3.0 does not initialize array variables, which allows remo ...) NOT-FOR-US: SaphpLesson CVE-2006-2277 (Multiple Apple Mac OS X 10.4 applications might allow context-dependen ...) NOT-FOR-US: Apple Mac OS X CVE-2006-2276 (bgpd in Quagga 0.98 and 0.99 before 20060504 allows local users to cau ...) {DSA-1059-1} - quagga 0.99.4-1 (bug #366980; low) CVE-2006-2275 (Linux SCTP (lksctp) before 2.6.17 allows remote attackers to cause a d ...) - linux-2.6 2.6.16-13 CVE-2006-2274 (Linux SCTP (lksctp) before 2.6.17 allows remote attackers to cause a d ...) {DSA-1103 DSA-1097-1} - linux-2.6 2.6.16-13 CVE-2006-2273 (The InstallProduct routine in the Verisign VUpdater.Install (aka i-Nav ...) NOT-FOR-US: Verisign CVE-2006-2272 (Linux SCTP (lksctp) before 2.6.17 allows remote attackers to cause a d ...) {DSA-1103 DSA-1097-1} - linux-2.6 2.6.16-13 CVE-2006-2271 (The ECNE chunk handling in Linux SCTP (lksctp) before 2.6.17 allows re ...) {DSA-1103 DSA-1097-1} - linux-2.6 2.6.16-13 CVE-2005-4798 (Buffer overflow in NFS readlink handling in the Linux Kernel 2.4 up to ...) {DSA-1184-2 DSA-1183-1} - linux-2.6 CVE-2006-2270 (PHP remote file inclusion vulnerability in includes/config.php in Jetb ...) NOT-FOR-US: Jetbox CMS CVE-2006-2269 (Cross-site scripting (XSS) vulnerability in myWebland MyBloggie 2.1.3 ...) NOT-FOR-US: myWebland MyBloggie CVE-2006-2268 (SQL injection vulnerability in FlexCustomer 0.0.4 and earlier allows r ...) NOT-FOR-US: FlexCustomer CVE-2006-2267 (Kerio WinRoute Firewall before 6.2.1 allows remote attackers to cause ...) NOT-FOR-US: Kerio WinRoute Firewall CVE-2006-2266 (SQL injection vulnerability in Chirpy! 0.1 allows remote attackers to ...) NOT-FOR-US: Chirpy! CVE-2006-2265 (Cross-site scripting vulnerability in admin/main.asp in Ocean12 Calend ...) NOT-FOR-US: Ocean12 Calendar Manager Pro CVE-2006-2264 (Multiple SQL injection vulnerabilities in Ocean12 Calendar Manager Pro ...) NOT-FOR-US: Ocean12 Calendar Manager Pro CVE-2006-2263 (SQL injection vulnerability in shopcurrency.asp in VP-ASP 6.00 allows ...) NOT-FOR-US: VP-ASP CVE-2006-2262 (Cross-site scripting (XSS) vulnerability in index.php in singapore 0.9 ...) NOT-FOR-US: singapore CVE-2006-2261 (PHP remote file inclusion vulnerability in day.php in ACal 2.2.6 allow ...) NOT-FOR-US: ACal CVE-2006-2260 (Cross-site scripting (XSS) vulnerability in the project module (projec ...) - drupal (bug #366947) CVE-2006-2259 (SQL injection vulnerability in Logon.asp in MaxxSchedule 1.0 allows re ...) NOT-FOR-US: MaxxSchedule CVE-2006-2258 (Cross-site scripting (XSS) vulnerability in Logon.asp in MaxxSchedule ...) NOT-FOR-US: MaxxSchedule CVE-2006-2257 (Cross-site scripting (XSS) vulnerability in index.php in easyEvent 1.2 ...) NOT-FOR-US: easyEvent CVE-2006-2256 (PHP remote file inclusion vulnerability in includes/dbal.php in EQdkp ...) NOT-FOR-US: EQdkp CVE-2006-2255 (Multiple SQL injection vulnerabilities in Creative Community Portal 1. ...) NOT-FOR-US: Creative Community Portal CVE-2006-2254 (Buffer overflow in filecpnt.exe in FileCOPA 1.01 allows remote attacke ...) NOT-FOR-US: FileCOPA CVE-2006-2253 (PHP remote file inclusion vulnerability in visible_count_inc.php in St ...) NOT-FOR-US: Statit CVE-2006-2252 (Cross-site scripting vulnerability in submit.php in OpenFAQ 0.4.0 allo ...) NOT-FOR-US: OpenFAQ CVE-2006-2251 (SQL injection vulnerability in the do_mmod function in mod.php in Invi ...) NOT-FOR-US: Invision Community Blog CVE-2006-2250 (CuteNews 1.4.1 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: CuteNews CVE-2006-2249 (Multiple cross-site scripting (XSS) vulnerabilities in search.php in C ...) NOT-FOR-US: CuteNews CVE-2006-2248 (Xeneo Web Server 2.2.22.0 allows remote attackers to obtain the source ...) NOT-FOR-US: Xeneo Web Server CVE-2006-2247 (WebCalendar 1.0.1 to 1.0.3 generates different error messages dependin ...) {DSA-1056-1} - webcalendar 1.0.2-2.2 (medium; bug #366927) CVE-2006-2246 (Cross-site scripting (XSS) vulnerability in UBlog 1.6 Access Edition a ...) NOT-FOR-US: UBlog CVE-2006-2245 (PHP remote file inclusion vulnerability in auction\auction_common.php ...) NOT-FOR-US: Auction mod 1.3m for phpBB CVE-2006-2244 (Multiple SQL injection vulnerabilities in Web4Future News Portal allow ...) NOT-FOR-US: Web4Future News Portal CVE-2006-2243 (Multiple cross-site scripting (XSS) vulnerabilities in Web4Future News ...) NOT-FOR-US: Web4Future News Portal CVE-2006-2242 (acFTP 1.4 allows remote attackers to cause a denial of service (applic ...) NOT-FOR-US: acFTP CVE-2006-2241 (PHP remote file inclusion vulnerability in show.php in Fast Click SQL ...) NOT-FOR-US: Fast Click SQL Lite CVE-2006-2240 (Unspecified vulnerability in the (1) web cache or (2) web proxy in Fuj ...) NOT-FOR-US: Fujitsu NetShelter/FW CVE-2006-2239 (SQL injection vulnerability in readarticle.php in Newsadmin 1.1 allows ...) NOT-FOR-US: Newsadmin CVE-2006-2238 (Heap-based buffer overflow in Apple QuickTime before 7.1 allows remote ...) NOT-FOR-US: Apple CVE-2006-2237 (The web interface for AWStats 6.4 and 6.5, when statistics updates are ...) {DSA-1058-1} - awstats 6.5-2 (bug #365909; bug #365910; medium) CVE-2006-2236 (Buffer overflow in the Quake 3 Engine, as used by (1) ET 2.60, (2) Ret ...) - tremulous 1.1.0-6 (bug #660827) [squeeze] - tremulous 1.1.0-7~squeeze1 - ioquake3 1.36+svn1788j-1 CVE-2006-2235 (CodeMunkyX (aka free-php.net) Simple Poll 1.0, when authentication is ...) NOT-FOR-US: Simple Poll CVE-2006-2234 (Multiple cross-site scripting (XSS) vulnerabilities in TyroCMS beta 1. ...) NOT-FOR-US: TyroCMS CVE-2006-2233 (Buffer overflow in BankTown Client Control (aka BtCxCtl20Com) 1.4.2.51 ...) NOT-FOR-US: BankTown Client Control CVE-2006-2232 (Cross-site scripting (XSS) vulnerability in Scriptsez Cute Guestbook 2 ...) NOT-FOR-US: Scriptsez Cute Guestbook CVE-2006-2231 (Multiple cross-site scripting (XSS) vulnerabilities in addguest.cgi in ...) NOT-FOR-US: Big Webmaster Guestbook Script CVE-2006-2230 (Multiple format string vulnerabilities in xiTK (xitk/main.c) in xine 0 ...) {DSA-1093-1} - xine-ui 0.99.4-2 (medium; bug #363370; bug #372172) CVE-2006-2229 (OpenVPN 2.0.7 and earlier, when configured to use the --management opt ...) - openvpn (unimportant) NOTE: One needs to explicitly set the IP to something else than 127.0.0.1 NOTE: in order to be vulnerable. The man page recommends not to do it. CVE-2006-2228 (Cross-site scripting (XSS) vulnerability in w-Agora (aka Web-Agora) 4. ...) NOT-FOR-US: Web-Agora CVE-2006-2227 (Cross-site scripting (XSS) vulnerability in misc.php in PunBB 1.2.11 a ...) NOT-FOR-US: PunBB CVE-2006-2226 (Buffer overflow in XM Easy Personal FTP Server 4.2 and 5.0.1 allows re ...) NOT-FOR-US: Easy Personal FTP Server CVE-2006-2225 (Buffer overflow in XM Easy Personal FTP Server 4.3 and earlier allows ...) NOT-FOR-US: Easy Personal FTP Server CVE-2006-2224 (RIPd in Quagga 0.98 and 0.99 before 20060503 does not properly enforce ...) {DSA-1059-1} - quagga 0.99.3-2 (bug #365940; medium) CVE-2006-2223 (RIPd in Quagga 0.98 and 0.99 before 20060503 does not properly impleme ...) {DSA-1059-1} - quagga 0.99.3-2 (bug #365940; medium) CVE-2006-2222 (Buffer overflow in zawhttpd 0.8.23, and possibly previous versions, al ...) NOT-FOR-US: zawhttpd CVE-2006-2221 (A third-party installer generation tool, possibly BitRock InstallBuild ...) - ejabberd (only binary distribution is affected) CVE-2006-2220 (phpBB 2.0.20 does not properly verify user-specified input variables u ...) - phpbb2 (unimportant) NOTE: SQL query disclosure CVE-2006-2219 (phpBB 2.0.20 does not verify user-specified input variable types befor ...) - phpbb2 (unimportant) NOTE: path disclosure CVE-2006-2218 (Unspecified vulnerability in Internet Explorer 6.0 on Microsoft Window ...) NOT-FOR-US: MS IE CVE-2006-2217 (SQL injection vulnerability in index.php in Invision Power Board allow ...) NOT-FOR-US: Invision Power Board CVE-2006-2216 (Open Bulletin Board (OpenBB) 1.0.8 allows remote attackers to obtain t ...) NOT-FOR-US: OpenBB CVE-2006-2215 REJECTED CVE-2005-4797 (Directory traversal vulnerability in printd line printer daemon (lpd) ...) NOT-FOR-US: Solaris CVE-2005-4796 (Unspecified vulnerability in the XView library (libxview.so) in Solari ...) - xview (xview on Solaris) NOTE: Is only relevant for suid binaries, but xview is not really suitable for NOTE: those anyway. Exact information is not available, but a similar problem NOTE: is already fixed in the Debian package. CVE-2005-4795 (Unspecified vulnerability in the multi-language environment library (l ...) NOT-FOR-US: Solaris CVE-2006-XXXX [cyrus-imapd allows user probes] - cyrus-imapd-2.2 2.2.13-3 - kolab-cyrus-imapd 2.2.13-1 CVE-2006-2214 (Multiple SQL injection vulnerabilities in 4images 1.7.1 and earlier al ...) NOT-FOR-US: 4images CVE-2006-2213 (Hostapd 0.3.7-2 allows remote attackers to cause a denial of service ( ...) {DSA-1065-1} - hostapd 1:0.5.0-1 (bug #365897; high) CVE-2006-2212 (Buffer overflow in KarjaSoft Sami FTP Server 2.0.2 and earlier allows ...) NOT-FOR-US: KarjaSoft Sami FTP Server CVE-2006-2211 (Absolute path traversal vulnerability in index.php in 321soft PhP-Gall ...) NOT-FOR-US: 321soft PhP-Gallery CVE-2006-2210 (Cross-site scripting (XSS) vulnerability in index.php in 321soft PhP-G ...) NOT-FOR-US: 321soft PhP-Gallery CVE-2006-2209 (Multiple SQL injection vulnerabilities in index.php in PHP Arena paChe ...) NOT-FOR-US: paCheckBook CVE-2006-2208 (Multiple cross-site scripting (XSS) vulnerabilities in mynews.inc.php ...) NOT-FOR-US: paCheckBook CVE-2006-2207 RESERVED CVE-2006-2206 (The MS-Logon authentication scheme in UltraVNC (aka Ultr@VNC) 1.0.1 us ...) NOT-FOR-US: UltraVNC CVE-2006-2205 (The audio_write function in NetBSD 3.0 allows local users to cause a d ...) NOT-FOR-US: NetBSD kernel CVE-2006-2204 (SQL injection vulnerability in the topic deletion functionality (post_ ...) NOT-FOR-US: Invision Power Board CVE-2006-2203 (Unspecified vulnerability in Kerio MailServer before 6.1.4 has unknown ...) NOT-FOR-US: Kerio MailServer CVE-2006-2202 (SQL injection vulnerability in post.php in Invision Gallery 2.0.6 allo ...) NOT-FOR-US: Invision Gallery CVE-2006-2201 (Unspecified vulnerability in CA Resource Initialization Manager (CAIRI ...) NOT-FOR-US: CA Resource Initialization Manager CVE-2006-2200 (Stack-based buffer overflow in libmms, as used by (a) MiMMS 0.0.9 and ...) - libmms 0.2-7 (bug #374577; medium) - mimms 2.0.0-1 (bug #374577; medium) - xine-lib 1.1.2-2 (bug #374577; unimportant) NOTE: Not exploitable within xine, as alloced buffer are large enough CVE-2006-2199 (Unspecified vulnerability in Java Applets in OpenOffice.org 1.1.x (aka ...) {DSA-1104} - openoffice.org 2.0.3-1 CVE-2006-2198 (OpenOffice.org (aka StarOffice) 1.1.x up to 1.1.5 and 2.0.x before 2.0 ...) {DSA-1104} - openoffice.org 2.0.3-1 CVE-2006-2197 (Integer overflow in wv2 before 0.2.3 might allow context-dependent att ...) {DSA-1100} - wv2 0.2.2-6 (medium) CVE-2006-2196 (Unspecified vulnerability in pinball 0.3.1 allows local users to gain ...) {DSA-1102} - pinball 0.3.1-6 CVE-2006-2195 (Cross-site scripting (XSS) vulnerability in horde 3 (horde3) before 3. ...) {DSA-1099-1 DSA-1098-1} - horde3 3.1.1-3 CVE-2006-2194 (The winbind plugin in pppd for ppp 2.4.4 and earlier does not check th ...) {DSA-1106} - ppp 2.4.4rel-1 (medium) CVE-2006-2193 (Buffer overflow in the t2p_write_pdf_string function in tiff2pdf in li ...) {DSA-1091-1} - tiff 3.8.2-4 (bug #371064; bug #370355; medium) - tiff3 (fixed prior to initial upload) CVE-2006-2191 - mailman 1:2.1.9-1 (unimportant) NOTE: https://mail.python.org/pipermail/mailman-announce/2006-September/000087.html NOTE: not exploitable CVE-2006-2190 (Cross-site scripting (XSS) vulnerability in ow-shared.pl in OpenWebMai ...) NOT-FOR-US: OpenWebMail CVE-2006-2189 (SQL injection vulnerability in search.php in Servous sBLOG 0.7.2 allow ...) NOT-FOR-US: Servous sBLOG CVE-2006-2188 (Multiple cross-site scripting (XSS) vulnerabilities in CMScout 1.10 an ...) NOT-FOR-US: CMScout CVE-2006-2187 (Multiple cross-site scripting (XSS) vulnerabilities in zenphoto 1.0.1 ...) NOT-FOR-US: zenphoto CVE-2006-2186 (zenphoto 1.0.1 beta and earlier allow remote attackers to obtain sensi ...) NOT-FOR-US: zenphoto CVE-2006-2185 (PORTAL.NLM in Novell Netware 6.5 SP5 writes the username and password ...) NOT-FOR-US: Novell CVE-2006-2184 (Cross-site scripting (XSS) vulnerability in search.php in PHPKB Knowle ...) NOT-FOR-US: PHPKB Knowledge Base CVE-2006-2183 (Untrusted search path vulnerability in Truecrypt 4.1, when running sui ...) NOT-FOR-US: Truecrypt CVE-2006-2182 (Multiple PHP remote file inclusion vulnerabilities in (1) eday.php, (2 ...) NOT-FOR-US: albinator CVE-2006-2181 (Multiple cross-site scripting (XSS) vulnerabilities in Albinator 2.0.8 ...) NOT-FOR-US: albinator CVE-2006-2180 (Buffer overflow in Golden FTP Server Pro 2.70 allows remote attackers ...) NOT-FOR-US: Golden FTP Server Pro CVE-2006-2179 (Multiple SQL injection vulnerabilities in CyberBuild allow remote atta ...) NOT-FOR-US: CyberBuild CVE-2006-2178 (Multiple cross-site scripting (XSS) vulnerabilities in CyberBuild allo ...) NOT-FOR-US: CyberBuild CVE-2006-2177 (Cross-site scripting (XSS) vulnerability in viewcat.php in geoBlog 1.0 ...) NOT-FOR-US: geoBlog CVE-2006-2176 (Multiple cross-site scripting (XSS) vulnerabilities in links.php in PH ...) NOT-FOR-US: PHP Linkliste CVE-2006-2175 (PHP remote file inclusion vulnerability in FtrainSoft Fast Click 2.3.8 ...) NOT-FOR-US: Fast Click CVE-2006-2174 (Multiple cross-site scripting (XSS) vulnerabilities in admin/server_da ...) NOT-FOR-US: Virtual Hosting Control System (VHCS) CVE-2006-2173 (Buffer overflow in FileZilla FTP Server 2.2.22 allows remote authentic ...) NOT-FOR-US: FileZilla FTP Server CVE-2006-2172 (Buffer overflow in Gene6 FTP Server 3.1.0 allows remote authenticated ...) NOT-FOR-US: Gene6 FTP Server CVE-2006-2171 (Buffer overflow in WDM.exe in WarFTPD allows remote attackers to execu ...) NOT-FOR-US: WarFTPD CVE-2006-2170 (Buffer overflow in ArgoSoft FTP Server 1.4.3.6 allows remote attackers ...) NOT-FOR-US: ArgoSoft FTP Server CVE-2006-2169 (RT: Request Tracker 3.5.HEAD allows remote attackers to obtain sensiti ...) - request-tracker3.4 (file not included in 3.4) CVE-2006-2168 (FileProtection Express 1.0.1 and earlier allows remote attackers to by ...) NOT-FOR-US: FileProtection Express CVE-2006-2167 (Cross-site scripting (XSS) vulnerability in SloughFlash SF-Users 1.0, ...) NOT-FOR-US: SloughFlash CVE-2006-2166 (Unspecified vulnerability in the HTTP management interface in Cisco Un ...) NOT-FOR-US: Cisco CVE-2006-2165 (Multiple cross-site scripting (XSS) vulnerabilities in Avactis Shoppin ...) NOT-FOR-US: Avactis CVE-2006-2164 (Multiple SQL injection vulnerabilities in Avactis Shopping Cart 0.1.2 ...) NOT-FOR-US: Avactis CVE-2006-2163 (Cross-site scripting (XSS) vulnerability in index.php in Pinnacle Cart ...) NOT-FOR-US: Pinnacle CVE-2006-2162 (Buffer overflow in CGI scripts in Nagios 1.x before 1.4 and 2.x before ...) {DSA-1072-1} - nagios 2:1.4-1 (bug #366682; bug #366803; medium) - nagios2 2.3-1 (bug #366683; medium) CVE-2006-2161 (Buffer overflow in (1) TZipBuilder 1.79.03.01, (2) Abakt 0.9.2 and 0.9 ...) NOT-FOR-US: TZipBuilder/Abakt CVE-2006-2160 (Cross-site scripting (XSS) vulnerability in Russcom Network Loginphp ( ...) NOT-FOR-US: Russcom CVE-2006-2159 (CRLF injection vulnerability in help.php in Russcom Network Loginphp a ...) NOT-FOR-US: Russcom CVE-2006-2158 (Dynamic variable evaluation vulnerability in index.php in Stadtaus Gue ...) NOT-FOR-US: Stadtaus CVE-2006-2157 (SQL injection vulnerability in gallery.php in Plogger Beta 2.1 and ear ...) NOT-FOR-US: Plogger CVE-2006-2156 (Directory traversal vulnerability in help/index.php in X7 Chat 2.0 and ...) NOT-FOR-US: X7 Chat CVE-2006-2155 (EMC Retrospect for Windows 6.5 before 6.5.382, 7.0 before 7.0.344, and ...) NOT-FOR-US: EMC Retrospect CVE-2006-2154 (EMC Retrospect for Windows 6.5 before 6.5.382, 7.0 before 7.0.344, and ...) NOT-FOR-US: EMC Retrospect CVE-2006-2153 (Cross-site scripting (XSS) vulnerability in HTM_PASSWD in DirectAdmin ...) NOT-FOR-US: DirectAdmin CVE-2006-2152 (PHP remote file inclusion vulnerability in admin/addentry.php in phpBB ...) NOT-FOR-US: phpBB Advanced Guestbook CVE-2006-2151 (PHP remote file inclusion vulnerability in toplist.php in phpBB TopLis ...) NOT-FOR-US: phpBB TopList CVE-2006-2150 (PHP remote file inclusion vulnerability in top/list.php in phpBB TopLi ...) NOT-FOR-US: phpBB TopList CVE-2006-2149 (PHP remote file inclusion vulnerability in sources/lostpw.php in Aardv ...) NOT-FOR-US: Aardvark Topsites CVE-2006-2147 (resmgrd in resmgr for SUSE Linux and other distributions does not prop ...) {DSA-1047-1} - resmgr 1.0-4 (low) CVE-2006-2146 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in HB ...) NOT-FOR-US: HB-NS CVE-2006-2145 (Multiple SQL injection vulnerabilities in index.php in HB-NS 1.1.6 all ...) NOT-FOR-US: HB-NS CVE-2006-2144 (PHP remote file inclusion vulnerability in kopf.php in DMCounter 0.9.2 ...) NOT-FOR-US: DMCounter CVE-2006-2143 (Multiple cross-site scripting (XSS) vulnerabilities in TextFileBB 1.0. ...) NOT-FOR-US: TextFileBB CVE-2006-2142 (PHP remote file inclusion vulnerability in classes/adodbt/sql.php in L ...) NOT-FOR-US: Limbo CVE-2006-2141 (Cross-site scripting (XSS) vulnerability in popup_image in Collaborati ...) NOT-FOR-US: Collaborative Portal Server CVE-2006-2140 (Multiple cross-site scripting (XSS) vulnerabilities in OrbitHYIP 2.0 a ...) NOT-FOR-US: OrbitHYIP CVE-2006-2139 (Multiple SQL injection vulnerabilities in PHP Newsfeed 20040723 allow ...) NOT-FOR-US: PHP Newsfeed CVE-2006-2138 (Cross-site scripting (XSS) vulnerability in neomail.pl in NeoMail 1.29 ...) NOT-FOR-US: NeoMail CVE-2006-2137 (PHP remote file inclusion vulnerability in master.php in OpenPHPNuke a ...) NOT-FOR-US: OpenPHPNuke CVE-2006-2136 (SQL injection vulnerability in news.php in AZNEWS allows remote attack ...) NOT-FOR-US: AZNEWS CVE-2006-2135 (SQL injection vulnerability in login.php in Ruperts News allows remote ...) NOT-FOR-US: Ruperts News CVE-2006-2134 (PHP remote file inclusion vulnerability in /includes/kb_constants.php ...) NOT-FOR-US: phpbb2 mod CVE-2005-4794 (Cisco IP Phones 7902/7905/7912, ATA 186/188, Unity Express, ACNS, and ...) NOT-FOR-US: Cisco CVE-2006-2148 (Multiple buffer overflows in client.c in CGI:IRC (CGIIRC) before 0.5.8 ...) {DSA-1052-1} - cgiirc 0.5.9-1 (bug #365680; medium) [sarge] - cgiirc 0.5.4-6sarge1 (bug #365680; medium) CVE-2006-2133 (SQL injection vulnerability in index.php in BoonEx Barracuda 1.1 and e ...) NOT-FOR-US: BoonEx Barracuda CVE-2006-2132 (SQL injection vulnerability in detail.asp in DUclassified allows remot ...) NOT-FOR-US: DUclassified CVE-2006-2131 (include/class_poll.php in Advanced Poll 2.0.4 uses the HTTP_X_FORWARDE ...) NOT-FOR-US: Advanced Poll CVE-2006-2130 (SQL injection vulnerability in include/class_poll.php in Advanced Poll ...) NOT-FOR-US: Advanced Poll CVE-2006-2129 (Direct static code injection vulnerability in Pro Publish 2.0 allows r ...) NOT-FOR-US: Pro Publish CVE-2006-2128 (Multiple SQL injection vulnerabilities in Pro Publish 2.0 allow remote ...) NOT-FOR-US: Pro Publish CVE-2006-2127 (SQL injection vulnerability in weblog_posting.php in Blog Mod 0.2.x al ...) NOT-FOR-US: Blog Mod CVE-2006-2126 (SQL injection vulnerability in pocategories.php in MaxTrade 1.0.1 and ...) NOT-FOR-US: MaxTrade CVE-2006-2125 REJECTED CVE-2006-2124 (Multiple cross-site scripting (XSS) vulnerabilities in SunShop 3.5 and ...) NOT-FOR-US: SunShop CVE-2006-2123 (Multiple SQL injection vulnerabilities in the report interface in Netw ...) NOT-FOR-US: Network Administration Visualiazed CVE-2006-2122 (PHP remote file inclusion vulnerability in index.php in CoolMenus allo ...) NOT-FOR-US: CoolMenus CVE-2006-2121 (PHP remote file include vulnerability in admin/config_settings.tpl.php ...) NOT-FOR-US: I-RATER Platinum CVE-2006-2120 (The TIFFToRGB function in libtiff before 3.8.1 allows remote attackers ...) {DSA-1078-1} - tiff 3.8.1 (bug #366588; medium) - tiff3 (fixed prior to initial upload) CVE-2006-2119 (PHP remote file inclusion vulnerability in event/index.php in Artmedic ...) NOT-FOR-US: Artmedic CVE-2006-2118 (JMK's Picture Gallery allows remote attackers to bypass authentication ...) NOT-FOR-US: JMK CVE-2006-2117 (Cross-site scripting (XSS) vulnerability in Thyme 1.3 allows remote at ...) NOT-FOR-US: Thyme CVE-2006-2116 (planetGallery allows remote attackers to gain administrator privileges ...) NOT-FOR-US: planetGallery CVE-2006-2115 (Format string vulnerability in SWS web Server 0.1.7 allows remote atta ...) NOT-FOR-US: SWS CVE-2006-2114 (Buffer overflow in SWS web Server 0.1.7 allows remote attackers to exe ...) NOT-FOR-US: SWS CVE-2006-2113 (The embedded HTTP server in Fuji Xerox Printing Systems (FXPS) print e ...) NOT-FOR-US: Fuji Xerox Printing Systems CVE-2006-2112 (Fuji Xerox Printing Systems (FXPS) print engine, as used in products i ...) NOT-FOR-US: Fuji Xerox Printing Systems CVE-2006-2111 (A component in Microsoft Outlook Express 6 allows remote attackers to ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2006-2110 (Virtual Private Server (Vserver) 2.0.x before 2.0.2-rc18 and 2.1.x bef ...) {DSA-1060-1} - kernel-patch-vserver 2:2.0.1-4 (low) - linux-2.6 2.6.16-11 (low) CVE-2006-2109 (Cross-site scripting (XSS) vulnerability in the parse_query_str functi ...) NOTE: #357204: request for removal - jsboard 2.0.10-2 (bug #368305; low) CVE-2006-2108 (parser.exe in Océ (OCE) 3121/3122 Printer allows remote attackers ...) NOT-FOR-US: OCE CVE-2006-2107 (Buffer overflow in BL4 SMTP Server 0.1.4 and earlier allows remote att ...) NOT-FOR-US: BL4 CVE-2006-2106 (Cross-site scripting (XSS) vulnerability in Edgewall Software Trac 0.9 ...) - trac 0.9.5-1 (medium) [sarge] - trac (medium) NOTE: http://trac.edgewall.org/changeset/3201 NOTE: http://trac.edgewall.org/changeset/3287 NOTE: the second reference fixes a regression in the first. i *believe* NOTE: that these correctly solve the problem, though we really ought NOTE: to run this by upstream or the reporter. CVE-2006-2105 (Directory traversal vulnerability in index.php in Jupiter CMS 1.1.4 an ...) NOT-FOR-US: Jupiter CVE-2006-2104 (Multiple cross-site scripting (XSS) vulnerabilities in Kamgaing Email ...) NOT-FOR-US: Kamgaing CVE-2006-2103 (SQL injection vulnerability in MyBB (MyBulletinBoard) 1.1.1 allows rem ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-2102 (Directory traversal vulnerability in PowerISO 2.9 allows remote attack ...) NOT-FOR-US: PowerISO CVE-2006-2101 (Directory traversal vulnerability in WinISO 5.3 allows remote attacker ...) NOT-FOR-US: WinISO CVE-2006-2100 (Directory traversal vulnerability in Magic ISO 5.0 Build 0166 allows r ...) NOT-FOR-US: Magic ISO CVE-2006-2099 (Directory traversal vulnerability in UltraISO 8.0.0.1392 allows remote ...) NOT-FOR-US: UltraISO CVE-2006-2098 (PHP remote file inclusion vulnerability in Thumbnail AutoIndex before ...) NOT-FOR-US: Thumbnail AutoIndex CVE-2006-2097 (SQL injection vulnerability in func_msg.php in Invision Power Board (I ...) NOT-FOR-US: Invision CVE-2006-2096 (plug.php in Land Down Under (LDU) 802 and earlier allows remote attack ...) NOT-FOR-US: LDU CVE-2006-2095 (Phex before 2.8.6 allows remote attackers to cause a denial of service ...) NOT-FOR-US: Phex CVE-2006-2094 (Microsoft Internet Explorer before Windows XP Service Pack 2 and Windo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2006-2093 (Nessus before 2.2.8, and 3.x before 3.0.3, allows user-assisted attack ...) - libnasl 2.2.8-1 (bug #365898; low) [sarge] - libnasl (Hardly exploitable, see #365898) CVE-2006-2092 (Unspecified vulnerability in HP StorageWorks Secure Path for Windows 4 ...) NOT-FOR-US: HP CVE-2006-2091 (admin.php in Virtual War (VWar) 1.5 and versions before 1.2 allows rem ...) NOT-FOR-US: Virtual War CVE-2006-2090 (Multiple SQL injection vulnerabilities in misc.php in MySmartBB 1.1.x ...) NOT-FOR-US: MySmartBB CVE-2006-2089 (Multiple cross-site scripting (XSS) vulnerabilities in misc.php in MyS ...) NOT-FOR-US: OpenBB CVE-2006-2088 (Multiple cross-site scripting (XSS) vulnerabilities in Devsyn Open Bul ...) NOT-FOR-US: OpenBB CVE-2006-2087 (The Gmax Mail client in Hitachi Groupmax before 20060426 allows remote ...) NOT-FOR-US: Hitachi Groupmax CVE-2006-2086 (Buffer overflow in JuniperSetupDLL.dll, loaded from JuniperSetup.ocx b ...) NOT-FOR-US: juniper SSL-VPN CVE-2006-2085 (Multiple buffer overflows in (1) CxAce60.dll and (2) CxAce60u.dll in S ...) NOT-FOR-US: SpeedProject Squeez CVE-2006-2084 (Multiple cross-site scripting (XSS) vulnerabilities in FarsiNews 2.5.3 ...) NOT-FOR-US: FarsiNews CVE-2006-2083 (Integer overflow in the receive_xattr function in the extended attribu ...) - rsync 2.6.8-1 (bug #365614; high) [sarge] - rsync (xattr patch appeared in 2.6.7) [woody] - rsync (xattr patch appeared in 2.6.7) CVE-2006-2082 (Directory traversal vulnerability in Quake 3 engine, as used in produc ...) - ioquake3 1.36+svn1788j-1 - tremulous 1.1.0-6 (bug #660831) [squeeze] - tremulous 1.1.0-7~squeeze1 CVE-2006-2081 (Oracle Database Server 10g Release 2 allows local users to execute arb ...) NOT-FOR-US: Oracle CVE-2006-2080 (SQL injection vulnerability in portfolio_photo_popup.php in Verosky Me ...) NOT-FOR-US: Verosky CVE-2006-2079 (Cross-site scripting (XSS) vulnerability in portfolio.php in Verosky M ...) NOT-FOR-US: Verosky CVE-2006-2078 (Multiple unspecified vulnerabilities in multiple FITELnet products, in ...) NOT-FOR-US: FITELnet CVE-2006-2077 (Buffer overflow in Paul Rombouts pdnsd before 1.2.4 has unknown impact ...) - pdnsd 1.2.4par-0.1 (bug #368268; medium) CVE-2006-2076 (Memory leak in Paul Rombouts pdnsd before 1.2.4 allows remote attacker ...) - pdnsd 1.2.4par-0.1 (bug #368268; medium) CVE-2006-2075 (Unspecified vulnerability in MyDNS 1.1.0 allows remote attackers to ca ...) [sarge] - mydns 1.0.0-4sarge1 - mydns 1.1.0+pre-3 (medium; bug #348826) CVE-2006-2074 (Unspecified vulnerability in Juniper Networks JUNOSe E-series routers ...) NOT-FOR-US: Juniper Networks JUNOSe CVE-2006-2073 (Unspecified vulnerability in ISC BIND allows remote attackers to cause ...) - bind9 1:9.3.3-1 (low) NOTE: Only exploitable by trusted users after TSIG transaction NOTE: https://lists.isc.org/pipermail/bind-users/2011-October/085298.html CVE-2006-2072 (Multiple unspecified vulnerabilities in DeleGate 9.x before 9.0.6 and ...) NOT-FOR-US: DeleGate CVE-2005-4793 (Multiple unspecified vulnerabilities in the web utility function in Hi ...) NOT-FOR-US: Hitachi CVE-2005-4792 (SQL injection vulnerability in index.php in Appalachian State Universi ...) NOT-FOR-US: phpWebSite CVE-2004-2659 (Opera offers an Open button to verify that a user wishes to execute a ...) NOT-FOR-US: Opera CVE-2006-2071 (Linux kernel 2.4.x and 2.6.x up to 2.6.16 allows local users to bypass ...) - linux-2.6 2.6.16-8 CVE-2006-2070 (Cross-site scripting (XSS) vulnerability in member.php in DevBB 1.0.0 ...) NOT-FOR-US: DevBB CVE-2006-2069 (The recursor in PowerDNS before 3.0.1 allows remote attackers to cause ...) - pdns-recursor 3.0.1-1 (medium) CVE-2006-2068 (Unspecified vulnerability in Hitachi JP1 products allow remote attacke ...) NOT-FOR-US: Hitachi JP1 CVE-2006-2067 (SQL injection vulnerability in vb_board_functions.php in MKPortal 1.1, ...) NOT-FOR-US: MKPortal CVE-2006-2066 (Multiple cross-site scripting (XSS) vulnerabilities pm_popup.php in MK ...) NOT-FOR-US: MKPortal CVE-2006-2065 (SQL injection vulnerability in save.php in PHPSurveyor 0.995 and earli ...) NOT-FOR-US: PHPSurveyor CVE-2006-2064 (Unspecified vulnerability in the libpkcs11 library in Sun Solaris 10 m ...) NOT-FOR-US: Sun CVE-2006-2063 (Multiple cross-site scripting (XSS) vulnerabilities in Leadhound Full ...) NOT-FOR-US: Leadhound CVE-2006-2062 (Multiple SQL injection vulnerabilities in Leadhound Full and LITE 2.1, ...) NOT-FOR-US: Leadhound CVE-2006-2061 (SQL injection vulnerability in lib/func_taskmanager.php in Invision Po ...) NOT-FOR-US: Invision CVE-2006-2060 (Directory traversal vulnerability in action_admin/paysubscriptions.php ...) NOT-FOR-US: Invision CVE-2006-2059 (action_public/search.php in Invision Power Board (IPB) 2.1.x and 2.0.x ...) NOT-FOR-US: Invision CVE-2006-2058 (Argument injection vulnerability in Avant Browser 10.1 Build 17 allows ...) NOT-FOR-US: Avant CVE-2006-2057 (Argument injection vulnerability in Mozilla Firefox 1.0.6 allows user- ...) NOT-FOR-US: Only on Windows CVE-2006-2056 (Argument injection vulnerability in Internet Explorer 6 for Windows XP ...) NOT-FOR-US: Microsoft CVE-2006-2055 (Argument injection vulnerability in Microsoft Outlook 2003 SP1 allows ...) NOT-FOR-US: Micrsoft Outlook CVE-2006-2054 (3Com Baseline Switch 2848-SFP Plus Model #3C16486 with firmware before ...) NOT-FOR-US: 3Com CVE-2006-2053 (Multiple SQL injection vulnerabilities in QuickEStore 7.9 and earlier ...) NOT-FOR-US: QuickEStore CVE-2006-2052 (Cross-site scripting (XSS) vulnerability in Verosky Media Instant Phot ...) NOT-FOR-US: Verosky CVE-2006-2051 (Multiple cross-site scripting (XSS) vulnerabilities in myadmin/index.p ...) NOT-FOR-US: NextAge CVE-2006-2050 (SQL injection vulnerability in dcboard.cgi in DCScripts DCForumLite 3. ...) NOT-FOR-US: DCScripts CVE-2006-2049 (Cross-site scripting (XSS) vulnerability in dcboard.cgi in DCScripts D ...) NOT-FOR-US: DCScripts CVE-2006-2048 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Ed ...) NOT-FOR-US: phpWebFTP CVE-2006-2047 (Application Dynamics Cartweaver ColdFusion 2.16.11 and earlier allows ...) NOT-FOR-US: ColdFusion CVE-2006-2046 (Multiple SQL injection vulnerabilities in Application Dynamics Cartwea ...) NOT-FOR-US: ColdFusion CVE-2006-2045 (The (1) shadow password file in na-img-4.0.34.bin for the IP3 Networks ...) NOT-FOR-US: IP3 CVE-2006-2044 (na-img-4.0.34.bin for the IP3 Networks NetAccess NA75 has a default us ...) NOT-FOR-US: IP3 CVE-2006-2043 (na-img-4.0.34.bin for the IP3 Networks NetAccess NA75 allows local use ...) NOT-FOR-US: IP3 CVE-2006-2042 (Adobe Dreamweaver 8 before 8.0.2 and MX 2004 can generate code that al ...) NOT-FOR-US: Adobe CVE-2006-2041 (PhpWebGallery before 1.6.0RC1 allows remote attackers to obtain arbitr ...) NOT-FOR-US: PhpWebGallery CVE-2006-2040 (Multiple SQL injection vulnerabilities in photokorn 1.53 and 1.542 all ...) NOT-FOR-US: photokorn CVE-2006-2039 (Multiple SQL injection vulnerabilities in the osTicket module in Help ...) NOT-FOR-US: Help Center Live CVE-2006-2038 (Multiple SQL injection vulnerabilities in ampleShop 2.1 and earlier al ...) NOT-FOR-US: ampleShop CVE-2006-2037 (Cross-site scripting (XSS) vulnerability in index.php in Thwboard 3.0 ...) NOT-FOR-US: Thwboard CVE-2006-2036 (iOpus Secure Email Attachments (SEA), probably 1.0, does not properly ...) NOT-FOR-US: iOpus CVE-2006-2035 (Websense, when configured to permit access to the dynamic content cate ...) NOT-FOR-US: Websense CVE-2006-2034 (SQL injection vulnerability in function/showprofile.php in FlexBB 0.5. ...) NOT-FOR-US: FlexBB CVE-2006-2033 (PHP remote file inclusion vulnerability in Core CoreNews 2.0.1 and ear ...) NOT-FOR-US: Core CVE-2006-2032 (Multiple SQL injection vulnerabilities in Core CoreNews 2.0.1 and earl ...) NOT-FOR-US: Core CVE-2006-2031 (Cross-site scripting (XSS) vulnerability in index.php in phpMyAdmin 2. ...) - phpmyadmin 4:2.8.1-1 (bug #363519; low) [sarge] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2006-2/ NOTE: The first linked commit is the official one for linked in PMASA NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/79f778db99ac05e2028166d5a61ed25591e348c3 NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/fad722d2f488375f9cc94c0c75326e661c280ecc CVE-2006-2030 (The Allied Telesyn AT-9724TS switch allows remote attackers to cause a ...) NOT-FOR-US: Allied Telesyn CVE-2006-2029 (Multiple SQL injection vulnerabilities in Jeremy Ashcraft Simplog 0.9. ...) NOT-FOR-US: Simplog CVE-2006-2028 (Cross-site scripting (XSS) vulnerability in imagelist.php in Jeremy As ...) NOT-FOR-US: Simplog CVE-2006-2027 (Buffer overflow in Unicode processing in the logging functionality in ...) NOT-FOR-US: Pablo Software CVE-2006-2026 (Double free vulnerability in tif_jpeg.c in libtiff before 3.8.1 allows ...) {DSA-1054-1} [sarge] - tiff 3.7.2-3sarge1 [woody] - tiff 3.5.5-7woody1 - tiff 3.8.1 - tiff3 (fixed prior to initial upload) CVE-2006-2025 (Integer overflow in the TIFFFetchData function in tif_dirread.c for li ...) {DSA-1054-1} [sarge] - tiff 3.7.2-3sarge1 [woody] - tiff 3.5.5-7woody1 - tiff 3.8.1 - tiff3 (fixed prior to initial upload) CVE-2006-2024 (Multiple vulnerabilities in libtiff before 3.8.1 allow context-depende ...) {DSA-1054-1} [sarge] - tiff 3.7.2-3sarge1 [woody] - tiff 3.5.5-7woody1 - tiff 3.8.1 - tiff3 (fixed prior to initial upload) CVE-2006-2023 (Integer overflow in the RTSP_msg_len function in rtsp/RTSP_msg_len.c i ...) NOT-FOR-US: Fenice CVE-2006-2022 (Buffer overflow in the parse_url function in the RTSP module (rtsp/par ...) NOT-FOR-US: Fenice CVE-2006-2021 (Absolute path traversal vulnerability in recordings/misc/audio.php in ...) NOT-FOR-US: Asterisk@Home CVE-2006-2020 (Asterisk Recording Interface (ARI) in Asterisk@Home before 2.8 stores ...) NOT-FOR-US: Asterisk@Home CVE-2006-2019 (Apple Mac OS X Safari 2.0.3, 1.3.1, and possibly other versions allows ...) NOT-FOR-US: Apple CVE-2005-4791 (Multiple untrusted search path vulnerabilities in SUSE Linux 10.0 caus ...) {DTSA-107-1} - beagle 0.2.13-1 (low) [etch] - beagle (Minor issue) - banshee 0.11.2+dfsg-1 (low) - liferea 1.4.9-1 (low; bug #451548) [etch] - liferea (Minor issue) - blam 1.8.4-1 (low) [etch] - blam (Minor issue) NOTE: lintian bug filed: #451559 CVE-2005-4790 (Multiple untrusted search path vulnerabilities in SUSE Linux 9.3 and 1 ...) - tomboy 0.8.1-2 (low) [etch] - tomboy (Minor issue) CVE-2005-4789 (resmgr in SUSE Linux 9.2 and 9.3, and possibly other distributions, do ...) - resmgr CVE-2005-4788 (resmgr in SUSE Linux 9.2 and 9.3, and possibly other distributions, al ...) - resmgr CVE-2004-2658 (resmgr in SUSE CORE 9 does not properly identify terminal names, which ...) - resmgr CVE-2006-XXXX [librsvg2 crash on certain svg files] - librsvg 2.14.3-2 (bug #361653; bug #361540; medium) CVE-2006-2018 (SQL injection vulnerability in calendar.php in vBulletin 3.0.x allows ...) NOT-FOR-US: vBulletin CVE-2006-2017 (Dnsmasq 2.29 allows remote attackers to cause a denial of service (app ...) - dnsmasq 2.30-1 (medium) [sarge] - dnsmasq (Vulnerability was introduced in 2.28) CVE-2006-2016 (Multiple cross-site scripting (XSS) vulnerabilities in phpLDAPadmin 0. ...) {DSA-1057-1} - phpldapadmin 0.9.8.3-1 (bug #365313; low) - egroupware 1.2-104.dfsg-1 (bug #365314; low) NOTE: egroupware 1.2-1.dfsg-1 dropped phpldapadmin CVE-2006-2015 (Cross-site scripting (XSS) vulnerability in SL_site 1.0 allows remote ...) NOT-FOR-US: SL_site CVE-2006-2014 (Directory traversal vulnerability in gallerie.php in SL_site 1.0 allow ...) NOT-FOR-US: SL_site CVE-2006-2013 (SQL injection vulnerability in page.php in SL_site 1.0 allows remote a ...) NOT-FOR-US: SL_site CVE-2006-2012 (Format string vulnerability in Skulltag 0.96f and earlier allows remot ...) NOT-FOR-US: Skulltag CVE-2006-2011 (Cross-site scripting (XSS) vulnerability in member.php in 4images 1.7 ...) NOT-FOR-US: 4images CVE-2006-2010 (Multiple SQL injection vulnerabilities in check_login.asp in Bloggage ...) NOT-FOR-US: Bloggage CVE-2006-2009 (PHP remote file inclusion vulnerability in agenda.php3 in phpMyAgenda ...) NOT-FOR-US: phpMyAgenda CVE-2006-2008 (PHP remote file inclusion vulnerability in movie_cls.php in Built2Go P ...) NOT-FOR-US: Built2Go CVE-2006-2007 (Heap-based buffer overflow in Winny 2.0 b7.1 and earlier allows remote ...) NOT-FOR-US: Winny CVE-2006-2006 (Multiple directory traversal vulnerabilities in IZArc Archiver 3.5 bet ...) NOT-FOR-US: IZArc Archiver CVE-2006-2005 (Eval injection vulnerability in index.php in ClanSys 1.1 allows remote ...) NOT-FOR-US: ClanSys CVE-2006-2004 (Multiple SQL injection vulnerabilities in RI Blog 1.1 allow remote att ...) NOT-FOR-US: RI Blog CVE-2006-2003 (Cross-site scripting (XSS) vulnerability in cgi-bin/guest in Community ...) NOT-FOR-US: Community Architect Guestbook CVE-2006-2002 (PHP remote file inclusion vulnerability in stats.php in MyGamingLadder ...) NOT-FOR-US: MyGamingLadder CVE-2006-2001 (Cross-site scripting (XSS) vulnerability in index.php in Scry Gallery ...) NOT-FOR-US: Scry Gallery CVE-2006-2000 (Cross-site scripting (XSS) vulnerability in /lms/a2z.jsp in logMethods ...) NOT-FOR-US: logMethods CVE-2006-1999 (The multiplayer menu in OpenTTD 0.4.7 allows remote attackers to cause ...) NOT-FOR-US: OpenTTD CVE-2006-1998 (OpenTTD 0.4.7 and earlier allows local users to cause a denial of serv ...) NOT-FOR-US: OpenTTD CVE-2006-1997 (Unspecified vulnerability in Sybase Pylon Anywhere groupware synchroni ...) NOT-FOR-US: Sybase Pylon Anywhere CVE-2006-1996 (Scry Gallery 1.1 allows remote attackers to obtain sensitive informati ...) NOT-FOR-US: Scry Gallery CVE-2006-1995 (Directory traversal vulnerability in index.php in Scry Gallery 1.1 all ...) NOT-FOR-US: Scry Gallery CVE-2006-1994 (PHP remote file inclusion vulnerability in dForum 1.5 and earlier allo ...) NOT-FOR-US: dForum CVE-2006-1992 (mshtml.dll 6.00.2900.2873, as used in Microsoft Internet Explorer, all ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2006-1991 (The substr_compare function in string.c in PHP 5.1.2 allows context-de ...) - php4 (substr_compare does not exist in PHP 4.4.2) - php5 5.1.4-0.1 (bug #365312; medium) CVE-2006-1990 (Integer overflow in the wordwrap function in string.c in PHP 4.4.2 and ...) - php4 4:4.4.2-1.1 (bug #365311; unimportant) - php5 5.1.4-0.1 (bug #365312; unimportant) NOTE: This could only be exploited by a malicious, local user, which is an NOTE: unsupported use case CVE-2006-1989 (Buffer overflow in the get_database function in the HTTP client in Fre ...) {DSA-1050-1} - clamav 0.88.2 [sarge] - clamav 0.84-2.sarge.9 CVE-2006-1988 (The WebTextRenderer(WebInternal) _CG_drawRun:style:geometry: function ...) NOT-FOR-US: Apple Safari NOTE: PoC exploit does not work with konqueror 4:3.5.2-2 CVE-2006-1987 (Apple Safari 2.0.3 allows remote attackers to cause a denial of servic ...) NOT-FOR-US: Apple Safari NOTE: PoC exploit does not work with konqueror 4:3.5.2-2 CVE-2006-1986 (Apple Safari 2.0.3 allows remote attackers to cause a denial of servic ...) NOT-FOR-US: Apple Safari NOTE: PoC exploit does not work with konqueror 4:3.5.2-2 CVE-2006-1985 (Heap-based buffer overflow in BOM BOMArchiveHelper 10.4 (6.3) Build 31 ...) NOT-FOR-US: BOMArchiveHelper CVE-2006-1984 (Unspecified vulnerability in the _cg_TIFFSetField function in Mac OS X ...) NOT-FOR-US: Mac OS X CVE-2006-1983 (Multiple heap-based buffer overflows in Mac OS X 10.4.6 and earlier al ...) NOT-FOR-US: Mac OS X CVE-2006-1982 (Heap-based buffer overflow in the LZWDecodeVector function in Mac OS X ...) NOT-FOR-US: Mac OS X CVE-2006-1981 (Unspecified vulnerability in Java InputMethods on Mac OS X 10.4.5 may ...) NOT-FOR-US: Mac OS X CVE-2006-1980 (Cross-site scripting (XSS) vulnerability in W2B Online Banking allows ...) NOT-FOR-US: W2B Online Banking CVE-2006-1979 (Cross-site scripting (XSS) vulnerability in mwguest.php in Manic Web M ...) NOT-FOR-US: Manic Web MWGuest CVE-2006-1978 (SQL injection vulnerability in inc/start.php in FlexBB 0.5.5 and earli ...) NOT-FOR-US: FlexBB CVE-2006-1977 (Cross-site scripting (XSS) vulnerability in FlexBB 0.5.7 BETA and earl ...) NOT-FOR-US: FlexBB CVE-2006-1993 (Mozilla Firefox 1.5.0.2, when designMode is enabled, allows remote att ...) {DSA-1055-1 DSA-1053-1} - firefox 1.5.dfsg+1.5.0.3-1 (bug #364810; high) - mozilla (high) [sarge] - mozilla-thunderbird (Not directly exploitable in Thunderbird) CVE-2006-XXXX [typo3 mailforms can be abused to send spam] - typo3-src 4.0.2-1 (bug #364350) CVE-2006-XXXX [moinmoin XSS] - moin 1.5.3-1 CVE-2006-1976 (Cross-site scripting (XSS) vulnerability in addRequest.php in Prayer R ...) NOT-FOR-US: Prayer Request Board CVE-2006-1975 (Cross-site scripting (XSS) vulnerability in guestbook_newentry.php in ...) NOT-FOR-US: PHP-Gastebuch CVE-2006-1974 (SQL injection vulnerability in index.php in MyBB (MyBulletinBoard) bef ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-1973 (Multiple unspecified vulnerabilities in Linksys RT31P2 VoIP router all ...) NOT-FOR-US: Linksys router CVE-2006-1972 (Cross-site scripting (XSS) vulnerability in EasyGallery.php in Wingnut ...) NOT-FOR-US: EasyGallery CVE-2006-1971 (Cross-site scripting (XSS) vulnerability in login.php in KRANKIKOM Con ...) NOT-FOR-US: KRANKIKOM ContentBoxX CVE-2006-1970 (Cross-site scripting (XSS) vulnerability in classifieds/viewcat.cgi in ...) NOT-FOR-US: KCScripts Classifieds CVE-2006-1969 (Cross-site scripting (XSS) vulnerability in search/search.cgi in an un ...) NOT-FOR-US: KCScripts CVE-2006-1968 (Cross-site scripting (XSS) vulnerability in news/NsVisitor.cgi in KCSc ...) NOT-FOR-US: KCScripts CVE-2006-1967 (Cross-site scripting (XSS) vulnerability in calendar/Visitor.cgi in KC ...) NOT-FOR-US: KCScripts CVE-2006-1966 (An unspecified Fortinet product, possibly Fortinet28, allows remote at ...) NOT-FOR-US: Fortinet CVE-2006-1965 (Multiple cross-site scripting (XSS) vulnerabilities in aasi media Net ...) NOT-FOR-US: Net Clubs Pro CVE-2006-1964 (SQL injection vulnerability in Haberler.asp in ASPSitem 1.83 and earli ...) NOT-FOR-US: ASPSitem CVE-2006-1963 (Directory traversal vulnerability in main.php in PCPIN Chat 5.0.4 and ...) NOT-FOR-US: PCPIN Chat CVE-2006-1962 (SQL injection vulnerability in PCPIN Chat 5.0.4 and earlier allows rem ...) NOT-FOR-US: PCPIN Chat CVE-2006-1961 (Cisco CiscoWorks Wireless LAN Solution Engine (WLSE) and WLSE Express ...) NOT-FOR-US: Cisco CVE-2006-1960 (Cross-site scripting (XSS) vulnerability in the appliance web user int ...) NOT-FOR-US: Cisco CVE-2006-1959 (PHP remote file inclusion vulnerability in direct.php in ActualScripts ...) NOT-FOR-US: ActualScripts ActualAnalyzer Lite CVE-2006-1958 (Multiple SQL injection vulnerabilities in WWWThreads RC 3 allow remote ...) NOT-FOR-US: WWWThreads CVE-2006-1957 (The com_rss option (rss.php) in (1) Mambo and (2) Joomla! allows remot ...) - mambo 4.6.1-4 (bug #364769; medium) CVE-2006-1956 (The com_rss option (rss.php) in (1) Mambo and (2) Joomla! allows remot ...) - mambo 4.6.1-4 (bug #364769; medium) CVE-2006-1955 (PHP remote file inclusion vulnerability in authent.php4 in Nicolas Fis ...) NOT-FOR-US: RechnungsZentrale CVE-2006-1954 (SQL injection vulnerability in authent.php4 in Nicolas Fischer (aka NF ...) NOT-FOR-US: RechnungsZentrale CVE-2006-1953 (Directory traversal vulnerability in Caucho Resin 3.0.17 and 3.0.18 fo ...) NOT-FOR-US: Caucho CVE-2006-1952 (Directory traversal vulnerability in WinAgents TFTP Server for Windows ...) NOT-FOR-US: WinAgents TFTP Server for Windows CVE-2006-1951 (Directory traversal vulnerability in SolarWinds TFTP Server 8.1 and ea ...) NOT-FOR-US: SolarWinds TFTP Server CVE-2006-1950 (Multiple cross-site scripting (XSS) vulnerabilities in banners.cgi in ...) NOT-FOR-US: PerlCoders BannerFarm CVE-2006-1949 (SQL injection vulnerability in plexcart.pl in NicPlex PlexCart X3 and ...) NOT-FOR-US: NicPlex PlexCart CVE-2006-1948 (The "Add Sender to Address Book" operation (AddSenderToAddressBook.lss ...) NOT-FOR-US: Lotus Notes CVE-2006-1947 (Multiple SQL injection vulnerabilities in plexum.php in NicPlex Plexum ...) NOT-FOR-US: NicPlex PlexCart CVE-2006-1946 (Multiple cross-site scripting (XSS) vulnerabilities in Visale 1.0 and ...) NOT-FOR-US: Visale CVE-2006-1945 (Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.5 ...) {DSA-1075-1} - awstats 6.5-2 (bug #364443; medium) NOTE: this might be the same core issue as CVE-2005-2732 CVE-2006-1944 (Multiple cross-site scripting (XSS) vulnerabilities in SibSoft Communi ...) NOT-FOR-US: SibSoft CommuniMail CVE-2006-1943 (Multiple cross-site scripting (XSS) vulnerabilities in Smarter Scripts ...) NOT-FOR-US: Smarter Scripts IntelliLink Pro CVE-2006-1942 (Mozilla Firefox 1.5.0.2 and possibly other versions before 1.5.0.4, Ne ...) {DSA-1134-1 DSA-1120 DSA-1118} NOTE: MFSA-2006-39 - firefox 1.5.dfsg+1.5.0.4-1 (low) - thunderbird (Windows-specific) - mozilla 2:1.7.13-0.3 (low) - xulrunner (Windows-specific) CVE-2006-1941 (Neon Responder 5.4 for LANsurveyor allows remote attackers to cause a ...) NOT-FOR-US: Neon Responder CVE-2006-1940 (Unspecified vulnerability in Ethereal 0.10.4 up to 0.10.14 allows remo ...) {DSA-1049-1} - ethereal 0.99.0-1 (bug #364758; medium) [sarge] - ethereal 0.10.10-2sarge5 (bug #364758; medium) [woody] - ethereal 0.9.4-1woody15 (bug #364758; medium) CVE-2006-1939 (Multiple unspecified vulnerabilities in Ethereal 0.9.x up to 0.10.14 a ...) {DSA-1049-1} - ethereal 0.99.0-1 (bug #364758; medium) [sarge] - ethereal 0.10.10-2sarge5 (bug #364758; medium) [woody] - ethereal 0.9.4-1woody15 (bug #364758; medium) CVE-2006-1938 (Multiple unspecified vulnerabilities in Ethereal 0.8.x up to 0.10.14 a ...) {DSA-1049-1} - ethereal 0.99.0-1 (bug #364758; medium) [sarge] - ethereal 0.10.10-2sarge5 (bug #364758; medium) [woody] - ethereal 0.9.4-1woody15 (bug #364758; medium) CVE-2006-1937 (Multiple unspecified vulnerabilities in Ethereal 0.10.x up to 0.10.14 ...) {DSA-1049-1} - ethereal 0.99.0-1 (bug #364758; medium) [sarge] - ethereal 0.10.10-2sarge5 (bug #364758; medium) [woody] - ethereal 0.9.4-1woody15 (bug #364758; medium) CVE-2006-1936 (Buffer overflow in Ethereal 0.8.5 up to 0.10.14 allows remote attacker ...) {DSA-1049-1} - ethereal 0.99.0-1 (bug #364758; medium) [sarge] - ethereal 0.10.10-2sarge5 (bug #364758; medium) [woody] - ethereal 0.9.4-1woody15 (bug #364758; medium) CVE-2006-1935 (Buffer overflow in Ethereal 0.9.15 up to 0.10.14 allows remote attacke ...) {DSA-1049-1} - ethereal 0.99.0-1 (bug #364758; medium) [sarge] - ethereal 0.10.10-2sarge5 (bug #364758; medium) [woody] - ethereal 0.9.4-1woody15 (bug #364758; medium) CVE-2006-1934 (Multiple buffer overflows in Ethereal 0.10.x up to 0.10.14 allow remot ...) {DSA-1049-1} - ethereal 0.99.0-1 (bug #364758; medium) [sarge] - ethereal 0.10.10-2sarge5 (bug #364758; medium) [woody] - ethereal 0.9.4-1woody15 (bug #364758; medium) CVE-2006-1933 (Multiple unspecified vulnerabilities in Ethereal 0.10.x up to 0.10.14 ...) {DSA-1049-1} - ethereal 0.99.0-1 (bug #364758; medium) [sarge] - ethereal 0.10.10-2sarge5 (bug #364758; medium) [woody] - ethereal 0.9.4-1woody15 (bug #364758; medium) CVE-2006-1932 (Off-by-one error in the OID printing routine in Ethereal 0.10.x up to ...) {DSA-1049-1} - ethereal 0.99.0-1 (bug #364758; medium) [sarge] - ethereal 0.10.10-2sarge5 (bug #364758; medium) [woody] - ethereal 0.9.4-1woody15 (bug #364758; medium) CVE-2006-1931 (The HTTP/XMLRPC server in Ruby before 1.8.2 uses blocking sockets, whi ...) {DSA-1157} NOTE: the redhat bugzilla entry says this is fixed in 1.8.3 - ruby1.8 1.8.3 (bug #365520) CVE-2006-1930 NOT-FOR-US: Green Minute CVE-2006-1929 (PHP remote file inclusion vulnerability in include/common.php in I-Rat ...) NOT-FOR-US: I-Rater Platinum CVE-2006-1928 (Cisco IOS XR, when configured for Multi Protocol Label Switching (MPLS ...) NOT-FOR-US: Cisco CVE-2006-1927 (Cisco IOS XR, when configured for Multi Protocol Label Switching (MPLS ...) NOT-FOR-US: Cisco CVE-2006-1926 (SQL injection vulnerability in showtopic.php in ThWboard 2.84 beta 3 a ...) NOT-FOR-US: ThWboard CVE-2006-1925 (Directory traversal vulnerability in the editnews module (inc/editnews ...) NOT-FOR-US: CuteNews CVE-2006-1924 (SQL injection vulnerability in functions/db_api.php in LinPHA 1.1.1 al ...) NOT-FOR-US: LinPHA CVE-2006-1923 (Multiple cross-site scripting (XSS) vulnerabilities in LinPHA before 1 ...) NOT-FOR-US: LinPHA CVE-2006-1922 (PHP remote file inclusion vulnerability in (1) about.php or (2) auth.p ...) NOT-FOR-US: TotalCalendar CVE-2006-1921 (nettools.php in PHP Net Tools 2.7.1 allows remote attackers to execute ...) NOT-FOR-US: PHP Net Tools CVE-2006-1920 (SQL injection vulnerability in index.php in PMTool 1.2.2 allows remote ...) NOT-FOR-US: PMTool CVE-2006-1919 (PHP remote file inclusion vulnerability in index.php in Internet Photo ...) NOT-FOR-US: Internet Photoshow CVE-2006-1918 (Multiple cross-site scripting (XSS) vulnerabilities in Papoo 2.1.5 all ...) NOT-FOR-US: Papoo CVE-2006-1917 (SQL injection vulnerability in member.php in Blackorpheus ClanMemberSk ...) NOT-FOR-US: Blackorpheus ClanMemberSkript CVE-2006-1916 (Multiple cross-site scripting (XSS) vulnerabilities in profile.php in ...) NOT-FOR-US: DbbS CVE-2006-1915 (SQL injection vulnerability in topics.php in DbbS 2.0-alpha and earlie ...) NOT-FOR-US: DbbS CVE-2006-1914 (DbbS 2.0-alpha and earlier allows remote attackers to obtain sensitive ...) NOT-FOR-US: DbbS CVE-2006-1913 (Cross-site scripting (XSS) vulnerability in jax_guestbook.php in Jax G ...) NOT-FOR-US: Jax Guestbook CVE-2006-1912 (MyBB (MyBulletinBoard) 1.1.0 does not set the constant KILL_GLOBAL var ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-1911 (Cross-site scripting (XSS) vulnerability in MyBB (MyBulletinBoard) 1.1 ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-1910 (config.php in S9Y Serendipity 1.0 beta 2 allows remote attackers to in ...) - serendipity 1.0-1 CVE-2006-1909 (Directory traversal vulnerability in index.php in Coppermine 1.4.4 all ...) NOT-FOR-US: Coppermine CVE-2006-1908 (Cross-site scripting vulnerability in addevent.php in myEvent 1.x allo ...) NOT-FOR-US: myEvent CVE-2006-1907 (Multiple SQL injection vulnerabilities in myEvent 1.x allow remote att ...) NOT-FOR-US: myEvent CVE-2005-4787 NOT-FOR-US: Turnkey Web Tools SunShop Shopping Cart CVE-2004-2657 - mozilla-firefox - firefox CVE-1999-1588 (Buffer overflow in nlps_server in Sun Solaris x86 2.4, 2.5, and 2.5.1 ...) NOT-FOR-US: Sun Solaris CVE-2006-1906 (Cross-site scripting (XSS) vulnerability in index.php in jjgan852 phpL ...) NOT-FOR-US: phpLister CVE-2006-1905 (Multiple format string vulnerabilities in xiTK (xitk/main.c) in xine 0 ...) - xine-ui 0.99.4-1 (bug #363370; unimportant) NOTE: This is a non-issue: An attacker would need to trick the user into opening NOTE: an MP3 file with a very obviously manipulated filename containing the shellcode CVE-2006-1904 (Cross-site scripting (XSS) vulnerability in index.php in AnimeGenesis ...) NOT-FOR-US: AnimeGenesis Gallery CVE-2006-1903 (Multiple cross-site scripting (XSS) vulnerabilities in UserLand Manila ...) NOT-FOR-US: UserLand Manila CVE-2006-1902 (fold_binary in fold-const.c in GNU Compiler Collection (gcc) 4.1 impro ...) - gcc-4.1 4.1.0-2 (bug #356896; unimportant) NOTE: Turned out to be a non-issue CVE-2006-1901 (Mozilla Camino 1.0 and earlier allow remote attackers to cause a denia ...) NOT-FOR-US: Mozilla Camino CVE-2006-1900 (Multiple buffer overflows in World Wide Web Consortium (W3C) Amaya 9.4 ...) - amaya 9.51-1 (bug #362575; medium) CVE-2006-1899 (Multiple cross-site scripting (XSS) vulnerabilities in dev Neuron Blog ...) NOT-FOR-US: Neuron Blog CVE-2006-1898 (Multiple cross-site scripting (XSS) vulnerabilities in Ralph Capper Ti ...) NOT-FOR-US: Tiny PHP Forum CVE-2006-1897 (Webplus (aka talentsoft) Web+Shop 5.3.6, when Redirect URL for "Script ...) NOT-FOR-US: Webplus (aka talentsoft) Web+Shop CVE-2006-1896 (Unspecified vulnerability in phpBB allows remote authenticated users w ...) {DSA-1066-1} - phpbb2 2.0.18-3 (bug #365533; medium) CVE-2006-1895 (Direct static code injection vulnerability in includes/template.php in ...) - phpbb2 (bug #365535) CVE-2006-1894 (Cross-site scripting (XSS) vulnerability in RevoBoard 1.8, as derived ...) NOT-FOR-US: RevoBoard / PunBB CVE-2006-1893 (Cross-site scripting (XSS) vulnerability in print.php in ar-blog 5.2 a ...) NOT-FOR-US: ar-blog CVE-2006-1892 (avast! 4 Linux Home Edition 1.0.5 allows local users to modify permiss ...) NOT-FOR-US: avast! 4 Linux Home Edition CVE-2006-1891 (Cross-site scripting (XSS) vulnerability in Martin Scheffler betaboard ...) NOT-FOR-US: betaboard CVE-2006-1890 (Multiple PHP remote file inclusion vulnerabilities in myWebland myEven ...) NOT-FOR-US: myWebland CVE-2006-1889 (Cross-site scripting (XSS) vulnerability in the search action handler ...) NOT-FOR-US: Boardsolution CVE-2006-1888 (phpGraphy 0.9.11 and earlier allows remote attackers to bypass authent ...) NOT-FOR-US: phpGraphy CVE-2006-1887 (Unspecified vulnerability in Oracle JD Edwards EnterpriseOne Security ...) NOT-FOR-US: Oracle JD Edwards EnterpriseOne CVE-2006-1886 (Unspecified vulnerability in the PeopleTools component in Oracle Peopl ...) NOT-FOR-US: Oracle CVE-2006-1885 (Multiple unspecified vulnerabilities in the Reporting Framework compon ...) NOT-FOR-US: Oracle CVE-2006-1884 (Unspecified vulnerability in the Oracle Thesaurus Management System co ...) NOT-FOR-US: Oracle CVE-2006-1883 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle CVE-2006-1882 (Multiple unspecified vulnerabilities in Oracle E-Business Suite and Ap ...) NOT-FOR-US: Oracle CVE-2006-1881 (Unspecified vulnerability in the Financials for Asia/Pacific component ...) NOT-FOR-US: Oracle CVE-2006-1880 (Multiple unspecified vulnerabilities in Oracle E-Business Suite and Ap ...) NOT-FOR-US: Oracle CVE-2006-1879 (Multiple unspecified vulnerabilities in the Email Server component in ...) NOT-FOR-US: Oracle CVE-2006-1878 (Cross-site scripting (XSS) vulnerability in index.php in phpFaber TopS ...) NOT-FOR-US: phpFaber TopSites CVE-2006-1877 (Unspecified vulnerability in Oracle Database Server 8.1.7.4, 9.0.1.5, ...) NOT-FOR-US: Oracle CVE-2006-1876 (Unspecified vulnerability in Oracle Database Server 9.2.0.7 and 10.1.0 ...) NOT-FOR-US: Oracle CVE-2006-1875 (Unspecified vulnerability in Oracle Database Server 9.0.1.5, 9.2.0.7, ...) NOT-FOR-US: Oracle CVE-2006-1874 (Unspecified vulnerability in Oracle Database Server 8.1.7.4, 9.0.1.5, ...) NOT-FOR-US: Oracle CVE-2006-1873 (Unspecified vulnerability in Oracle Database Server 9.2.0.7, 10.1.0.4, ...) NOT-FOR-US: Oracle CVE-2006-1872 (Unspecified vulnerability in Oracle Database Server 9.0.1.5 and 9.2.0. ...) NOT-FOR-US: Oracle CVE-2006-1871 (SQL injection vulnerability in Oracle Database Server 9.2.0.7 and 10.1 ...) NOT-FOR-US: Oracle CVE-2006-1870 (Unspecified vulnerability in Oracle Database Server 8.1.7.4, 9.0.1.5, ...) NOT-FOR-US: Oracle CVE-2006-1869 (Unspecified vulnerability in Oracle Database Server 8.1.7.4 and 9.0.1. ...) NOT-FOR-US: Oracle CVE-2006-1868 (Buffer overflow in the Advanced Replication component in Oracle Databa ...) NOT-FOR-US: Oracle CVE-2006-1867 (Unspecified vulnerability in Oracle Database Server 9.2.0.6 has unknow ...) NOT-FOR-US: Oracle CVE-2006-1866 (Multiple unspecified vulnerabilities in Oracle Database Server 8.1.7.4 ...) NOT-FOR-US: Oracle CVE-2006-1865 (Argument injection vulnerability in Beagle before 0.2.5 allows attacke ...) - beagle 0.2.6-2 (bug #365371; medium) CVE-2006-1864 (Directory traversal vulnerability in smbfs in Linux 2.6.16 and earlier ...) {DSA-1103 DSA-1097-1} - linux-2.6 2.6.16-13 CVE-2006-1863 (Directory traversal vulnerability in CIFS in Linux 2.6.16 and earlier ...) {DSA-1103} - linux-2.6 2.6.16-10 CVE-2006-1862 (The virtual memory implementation in Linux kernel 2.6.x allows local u ...) - linux-2.6 (seems to be RedHat-specific) CVE-2006-1861 (Multiple integer overflows in FreeType before 2.2 allow remote attacke ...) {DSA-1095-1} - freetype 2.2.1-1 CVE-2006-1860 (lease_init in fs/locks.c in Linux kernel before 2.6.16.16 allows attac ...) - linux-2.6 2.6.16-14 CVE-2006-1859 (Memory leak in __setlease in fs/locks.c in Linux kernel before 2.6.16. ...) - linux-2.6 2.6.16-14 CVE-2006-1858 (SCTP in Linux kernel before 2.6.16.17 allows remote attackers to cause ...) {DSA-1103 DSA-1097-1} - linux-2.6 2.6.16-14 CVE-2006-1857 (Buffer overflow in SCTP in Linux kernel before 2.6.16.17 allows remote ...) {DSA-1103 DSA-1097-1} - linux-2.6 2.6.16-14 CVE-2006-1856 (Certain modifications to the Linux kernel 2.6.16 and earlier do not ad ...) {DSA-1184-2} - linux-2.6 2.6.16-12 CVE-2006-1855 (choose_new_parent in Linux kernel before 2.6.11.12 includes certain de ...) {DSA-1184-2} NOTE: probably fixed before, but this is the oldest linux-2.6 in the changelog - linux-2.6 2.6.12-1 CVE-2006-1854 NOT-FOR-US: BluePay Manager CVE-2006-1853 (Multiple SQL injection vulnerabilities in ModernBill 4.3.2 and earlier ...) NOT-FOR-US: ModernBill CVE-2006-1852 (SQL injection vulnerability in category.php in Article Publisher Pro 1 ...) NOT-FOR-US: Article Publisher Pro CVE-2006-1851 (xFlow 5.46.11 and earlier allows remote attackers to determine the ins ...) NOT-FOR-US: xFlow CVE-2006-1850 (Multiple cross-site scripting (XSS) vulnerabilities in xFlow 5.46.11 a ...) NOT-FOR-US: xFlow CVE-2006-1849 (Multiple SQL injection vulnerabilities in members_only/index.cgi in xF ...) NOT-FOR-US: xFlow CVE-2006-1848 (Multiple cross-site scripting (XSS) vulnerabilities in stats_view.php ...) NOT-FOR-US: LinPHA CVE-2006-1847 (SQL injection vulnerability in the Your_Account module in PHP-Nuke 7.8 ...) NOT-FOR-US: PHP-Nuke CVE-2006-1846 (Cross-site scripting (XSS) vulnerability in the Your_Account module in ...) NOT-FOR-US: PHP-Nuke CVE-2006-1845 REJECTED CVE-2006-1844 (The Debian installer for the (1) shadow 4.0.14 and (2) base-config 2.5 ...) [sarge] - shadow 1:4.0.3-31sarge8 [sarge] - base-config NOTE: The installer is fixed separately, but the postinst of the shadow update NOTE: corrects permissions of a faulty install NOTE: seems to be a duplicate of CVE-2006-1376 - shadow 1:4.0.14-9 (bug #358210; bug #356939) - base-config 2.68 (bug #254068; low) CVE-2006-1843 (Cross-site scripting (XSS) vulnerability in global.php in ShoutBOOK 1. ...) NOT-FOR-US: ShoutBOOK CVE-2006-1842 (Cross-site scripting (XSS) vulnerability in global.php in ShoutBOOK 1. ...) NOT-FOR-US: ShoutBOOK CVE-2006-1841 (Cross-site scripting (XSS) vulnerability in search.php in boastMachine ...) NOT-FOR-US: boastMachine CVE-2006-1840 (Multiple format string vulnerabilities in Empire Server before 4.3.1 a ...) NOT-FOR-US: Wolfpack Empire Server (vms-empire in Debian is a different game) CVE-2006-1839 (PHP remote file inclusion vulnerability in language.php in PHP Album 0 ...) NOT-FOR-US: PHP Album CVE-2006-1838 (edit_kategorie.php in Fuju News 1.0 allows remote attackers to bypass ...) NOT-FOR-US: Fuju News CVE-2006-1837 (SQL injection vulnerability in archiv2.php in Fuju News 1.0 allows rem ...) NOT-FOR-US: Fuju News CVE-2006-1836 (Untrusted search path vulnerability in unspecified components in Syman ...) NOT-FOR-US: Symantec LiveUpdate CVE-2006-1835 (Cross-site scripting (XSS) vulnerability in yearcal.php in Calendarix ...) NOT-FOR-US: Calendarix CVE-2006-1834 (Integer signedness error in Opera before 8.54 allows remote attackers ...) NOT-FOR-US: Opera CVE-2006-1833 (Intel RNG Driver in NetBSD 1.6 through 3.0 may incorrectly detect the ...) NOT-FOR-US: NetBSD CVE-2006-1832 (sysinfo.cgi in sysinfo 1.21 allows remote attackers to obtain the inst ...) NOT-FOR-US: sysinfo CVE-2006-1831 (Direct static code injection vulnerability in sysinfo.cgi in sysinfo 1 ...) NOT-FOR-US: sysinfo CVE-2006-1830 (Sun Java Studio Enterprise 8, when installed as root, creates certain ...) NOT-FOR-US: Sun Java Studio Enterprise CVE-2006-1829 (EAServer Manager in Sybase EAServer 5.2 and 5.3 allows remote authenti ...) NOT-FOR-US: EAServer Manager in Sybase EAServer CVE-2006-1828 (SQL injection vulnerability in php121language.php in PHP121 1.4 allows ...) NOT-FOR-US: PHP121 CVE-2006-1827 (Integer signedness error in format_jpeg.c in Asterisk 1.2.6 and earlie ...) {DSA-1048-1} - asterisk 1:1.2.7.1.dfsg-1 (bug #364195; medium) [sarge] - asterisk 1:1.0.7.dfsg.1-2sarge2 (bug #364195; medium) [woody] - asterisk 0.1.11-3woody1 (bug #364195; medium) CVE-2005-4786 (Buffer overflow in the archive decompression library (vrAZMain.dll 5.8 ...) NOT-FOR-US: HAURI anti-virus CVE-2006-1826 (Multiple cross-site scripting (XSS) vulnerabilities in Snipe Gallery 3 ...) NOT-FOR-US: Snipe Gallery CVE-2006-1825 (Cross-site scripting (XSS) vulnerability in index.php in phpLinks 2.1. ...) NOT-FOR-US: phpLinks CVE-2006-1824 (Multiple cross-site scripting (XSS) vulnerabilities in PhpGuestbook.ph ...) NOT-FOR-US: PhpGuestbook CVE-2006-1823 (Directory traversal vulnerability in FarsiNews 2.5.3 Pro and earlier a ...) NOT-FOR-US: FarsiNews CVE-2006-1822 (Cross-site scripting (XSS) vulnerability in search.php in FarsiNews 2. ...) NOT-FOR-US: FarsiNews CVE-2006-1821 (Directory traversal vulnerability in index.php in ModX 0.9.1 allows re ...) NOT-FOR-US: ModX CMS CVE-2006-1820 (Cross-site scripting (XSS) vulnerability in index.php in ModX 0.9.1 al ...) NOT-FOR-US: ModX CMS CVE-2006-1819 (Directory traversal vulnerability in the loadConfig function in index. ...) NOT-FOR-US: phpWebSite CVE-2006-1818 (Multiple cross-site scripting (XSS) vulnerabilities in warforge.NEWS 1 ...) NOT-FOR-US: warforge.NEWS CVE-2006-1817 (SQL injection vulnerability in authcheck.php in warforge.NEWS 1.0, wit ...) NOT-FOR-US: warforge.NEWS CVE-2006-1816 (PHP remote file inclusion vulnerability in VBulletin 3.5.1, 3.5.2, and ...) NOT-FOR-US: VBulletin CVE-2006-1815 (Multiple cross-site scripting (XSS) vulnerabilities in register.php in ...) NOT-FOR-US: Tritanium Bulletin Board CVE-2006-1814 (NetBSD 1.6, 2.0, 2.1 and 3.0 allows local users to cause a denial of s ...) NOT-FOR-US: NetBSD kernel CVE-2006-1813 (Directory traversal vulnerability in index.php in phpWebFTP 3.2 and ea ...) NOT-FOR-US: phpWebFTP CVE-2006-1812 (phpWebFTP 3.2 and earlier stores script.js under the web document root ...) NOT-FOR-US: phpWebFTP CVE-2006-1811 (Multiple SQL injection vulnerabilities in FlexBB 0.5.5 BETA allow remo ...) NOT-FOR-US: FlexBB CVE-2006-1810 (Multiple cross-site scripting (XSS) vulnerabilities in FlexBB 0.5.5 BE ...) NOT-FOR-US: FlexBB CVE-2006-1809 (index.php in Lifetype 1.0.3 allows remote attackers to obtain sensitiv ...) NOT-FOR-US: Lifetype CVE-2006-1808 (Cross-site scripting (XSS) vulnerability in index.php in Lifetype 1.0. ...) NOT-FOR-US: Lifetype CVE-2006-1807 (Multiple SQL injection vulnerabilities in index.php in Musicbox 2.3.3 ...) NOT-FOR-US: Musicbox CVE-2006-1806 (Cross-site scripting (XSS) vulnerability in index.php in Musicbox 2.3. ...) NOT-FOR-US: Musicbox CVE-2006-1805 (SQL injection vulnerability in member.php in PowerClan 1.14 allows rem ...) NOT-FOR-US: PowerClan CVE-2006-1804 (SQL injection vulnerability in sql.php in phpMyAdmin 2.7.0-pl1 allows ...) - phpmyadmin 4:2.8.1-1 (bug #363519; low) [sarge] - phpmyadmin NOTE: https://www.phpmyadmin.net/security/PMASA-2006-3/ NOTE: The first linked commit is the official commit from PMASA NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/fde2f613ad402e442a3b54d628ad85444faaeabe NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/0bf717892f9207c6161dc7800eb63e940478ec47 CVE-2006-1803 (Cross-site scripting (XSS) vulnerability in sql.php in phpMyAdmin 2.7. ...) - phpmyadmin 4:2.8.1-1 (bug #363519; low) [sarge] - phpmyadmin (CSRF code not present in Sarge, too intrusive to backport) NOTE: maintainer considers this not-affected. CVE-2006-1802 (Cross-site scripting (XSS) vulnerability in index.php in TinyWebGaller ...) NOT-FOR-US: TinyWebGallery CVE-2006-1801 (Cross-site scripting (XSS) vulnerability in planetsearchplus.php in pl ...) NOT-FOR-US: planetSearch+ CVE-2006-1800 (Directory traversal vulnerability in posts.php in SimpleBBS 1.0.6 thro ...) NOT-FOR-US: SimpleBBS CVE-2006-1799 (censtore.cgi in Censtore 7.3.002 and earlier allows remote attackers t ...) NOT-FOR-US: Censtore CVE-2006-1798 (SQL injection vulnerability in rateit.php in RateIt 2.2 allows remote ...) NOT-FOR-US: RateIt CVE-2006-1797 (The kernel in NetBSD-current before September 28, 2005 allows local us ...) NOT-FOR-US: NetBSD kernel CVE-2006-1796 (Cross-site scripting (XSS) vulnerability in the paging links functiona ...) - wordpress 2.0.1 (bug #328909) CVE-2006-1795 (Cross-site scripting (XSS) vulnerability in tablepublisher.cgi in UPDI ...) NOT-FOR-US: UPDI Network Enterprise CVE-2006-1794 (SQL injection vulnerability in Mambo 4.5.3, 4.5.3h, and possibly earli ...) NOTE: only in experimental - mambo 4.5.3h-1 (bug #354468) CVE-2006-1793 (Directory traversal vulnerability in runCMS 1.2 and earlier allows rem ...) NOT-FOR-US: runCMS CVE-2006-1792 (Unspecified vulnerability in the POP service in MailEnable Standard Ed ...) NOT-FOR-US: MailEnable CVE-2006-1791 (Directory traversal vulnerability in acc.php in QuickBlogger 1.4 allow ...) NOT-FOR-US: QuickBlogger CVE-2006-1790 (A regression fix in Mozilla Firefox 1.0.7 allows remote attackers to c ...) {DSA-1051-1 DSA-1046-1} - firefox 1.5 - mozilla-firefox (problematic fix not backported into 1.0.4-2sarge5) [sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.8 - thunderbird 1.5.0.2-1 - mozilla 2:1.7.13-0.1 CVE-2005-4785 (Cross-site scripting (XSS) vulnerability in QuickBlogger 1.4 and earli ...) NOT-FOR-US: QuickBlogger CVE-2006-1789 (Directory traversal vulnerability in pajax_call_dispatcher.php in PAJA ...) NOT-FOR-US: pajax CVE-2006-1788 (Adobe Document Server for Reader Extensions 6.0, during log on, provid ...) NOT-FOR-US: Adobe CVE-2006-1787 (Adobe Document Server for Reader Extensions 6.0 includes a user's sess ...) NOT-FOR-US: Adobe CVE-2006-1786 (Cross-site scripting (XSS) vulnerability in Adobe Document Server for ...) NOT-FOR-US: Adobe CVE-2006-1785 (Adobe Document Server for Reader Extensions 6.0 allows remote authenti ...) NOT-FOR-US: Adobe CVE-2006-1784 (PHP remote file inclusion vulnerability in admin/configset.php in Sphi ...) NOT-FOR-US: Sphider CVE-2006-1783 (Cross-site scripting (XSS) vulnerability in PatroNet CMS allows remote ...) NOT-FOR-US: PatroNet CMS CVE-2006-1782 (Unspecified vulnerability in Solaris 8 and 9 allows local users to obt ...) NOT-FOR-US: Sun Solaris CVE-2006-1781 (PHP remote file inclusion vulnerability in functions.php in Circle R M ...) NOT-FOR-US: Circle R Monster Top List CVE-2006-1780 (The Bourne shell (sh) in Solaris 8, 9, and 10 allows local users to ca ...) NOT-FOR-US: Sun Solaris CVE-2006-1779 (Cross-site scripting (XSS) vulnerability in login.php in Jeremy Ashcra ...) NOT-FOR-US: Simplog CVE-2006-1778 (Multiple SQL injection vulnerabilities in Jeremy Ashcraft Simplog 0.9. ...) NOT-FOR-US: Simplog CVE-2006-1777 (Directory traversal vulnerability in doc/index.php in Jeremy Ashcraft ...) NOT-FOR-US: Simplog CVE-2006-1776 (PHP remote file inclusion vulnerability in doc/index.php in Jeremy Ash ...) NOT-FOR-US: Simplog CVE-2006-1775 (Multiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.19 al ...) - phpbb2 (unimportant) NOTE: Only exploitable by authenticated admin users CVE-2006-1774 (HP System Management Homepage (SMH) 2.1.3.132, when running on CompaqH ...) NOT-FOR-US: HP System Management Homepage CVE-2006-1773 (SQL injection vulnerability in include.php in PHPKIT 1.6.1 Release 2 a ...) NOT-FOR-US: PHPKIT CVE-2006-1772 (debconf in Debian GNU/Linux, when configuring mnogosearch in the mnogo ...) - mnogosearch 3.2.37-3.1 (bug #361775) [sarge] - mnogosearch (Minor issue) CVE-2006-1771 (Directory traversal vulnerability in misc in pbcs.dll in SAXoTECH SAXo ...) NOT-FOR-US: SAXoPRESS CVE-2006-1770 (Multiple PHP remote file inclusion vulnerabilities in Azerbaijan Desig ...) NOT-FOR-US: AzDGVote CVE-2006-1769 (Multiple cross-site scripting (XSS) vulnerabilities in UserLand Manila ...) NOT-FOR-US: UserLand Manila CVE-2006-1768 (Multiple cross-site scripting (XSS) vulnerabilities in register.php in ...) NOT-FOR-US: Tritanium Bulletin Board CVE-2006-1767 (Multiple PHP remote file inclusion vulnerabilities in nicecoder.com IN ...) NOT-FOR-US: INDEXU CVE-2006-1766 (Multiple SQL injection vulnerabilities in Papoo 2.1.5, and 3 beta1 and ...) NOT-FOR-US: Papoo CVE-2006-1765 (Cross-site scripting (XSS) vulnerability in index.php in JBook 1.3 all ...) NOT-FOR-US: JBook CVE-2006-1764 (Hosting Controller 6.1 stores forum/db/forum.mdb under the web documen ...) NOT-FOR-US: Hosting Controller CVE-2006-1763 (Multiple SQL injection vulnerabilities in index.php in blur6ex 0.3.452 ...) NOT-FOR-US: blur6ex CVE-2006-1762 (Directory traversal vulnerability in index.php in blur6ex 0.3.452 allo ...) NOT-FOR-US: blur6ex CVE-2006-1761 (Cross-site scripting vulnerability in index.php in blur6ex 0.3.452 all ...) NOT-FOR-US: blur6ex CVE-2006-1760 (Multiple cross-site scripting (XSS) vulnerabilities in JetPhoto allow ...) NOT-FOR-US: JetPhoto CVE-2006-1759 (Cross-site scripting (XSS) vulnerability in allgemein_transfer.php in ...) NOT-FOR-US: SWSoft Confixx CVE-2006-1758 (SQL injection vulnerability in index.php in Vegadns 0.99 allows remote ...) NOT-FOR-US: Vegadns CVE-2006-1757 (Cross-site scripting (XSS) vulnerability in index.php in Vegadns 0.99 ...) NOT-FOR-US: Vegadns CVE-2006-1756 (MD News 1 allows remote attackers to bypass authentication via a direc ...) NOT-FOR-US: MD News 1 CVE-2006-1755 (SQL injection vulnerability in admin.php in MD News 1 allows remote at ...) NOT-FOR-US: MD News 1 CVE-2006-1754 (SQL injection vulnerability in index.php in SWSoft Confixx 3.0.6, 3.0. ...) NOT-FOR-US: SWSoft Confixx CVE-2006-1753 (A cron job in fcheck before 2.7.59 allows local users to overwrite arb ...) {DSA-1035-1} - fcheck 2.7.59-8 CVE-2006-1752 (Multiple cross-site scripting (XSS) vulnerabilities in the backend in ...) NOT-FOR-US: MvBlog CVE-2006-1751 (Multiple SQL injection vulnerabilities in MvBlog before 1.6 allow remo ...) NOT-FOR-US: MvBlog CVE-2006-1750 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Au ...) NOT-FOR-US: Autogallery CVE-2006-1749 (PHP remote file inclusion vulnerability in config.php in phpListPro 2. ...) NOT-FOR-US: phpListPro CVE-2006-1748 (Cross-site scripting (XSS) vulnerability in XMB Forum 1.9.5 allows rem ...) NOT-FOR-US: XMB Forum CVE-2006-1747 (PHP remote file inclusion vulnerability in Virtual War (VWar) 1.5.0 al ...) NOT-FOR-US: Virtual War CVE-2006-1746 (Directory traversal vulnerability in PHPList 2.10.2 and earlier allows ...) - phplist (bug #612288) CVE-2006-1745 (Cross-site scripting (XSS) vulnerability in login.php in Bitweaver 1.3 ...) NOT-FOR-US: Bitweaver CVE-2006-1743 (Multiple SQL injection vulnerabilities in form.php in JBook 1.4 allow ...) NOT-FOR-US: JBook CVE-2006-1742 (The JavaScript engine in Mozilla Firefox and Thunderbird 1.x before 1. ...) {DSA-1051-1 DSA-1046-1 DSA-1044-1} - firefox 1.5.dfsg+1.5.0.2-2 (medium) - mozilla-firefox 1.5.dfsg+1.5.0.2-2 (medium) - mozilla 2:1.7.13-0.1 (medium) - thunderbird 1.5.0.2-1 (low) [sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.8 (low) - xulrunner 1.8.0.1-9 NOTE: The Mozilla Foundation labels this as "critical", but it's not NOTE: clear if this bug is exploitable. CVE-2006-1741 (Mozilla Firefox 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite b ...) {DSA-1051-1 DSA-1046-1 DSA-1044-1} - firefox 1.5.dfsg+1.5.0.2-2 (medium) - mozilla-firefox 1.5.dfsg+1.5.0.2-2 (medium) - mozilla 2:1.7.13-0.1 (medium) - thunderbird 1.5.0.2-1 (low) [sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.8 (low) CVE-2006-1740 (Mozilla Firefox 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite b ...) {DSA-1051-1 DSA-1046-1 DSA-1044-1} - firefox 1.5.dfsg+1.5.0.2-2 (low) - mozilla-firefox 1.5.dfsg+1.5.0.2-2 (low) - mozilla 2:1.7.13-0.1 (low) - thunderbird 1.5.0.2-1 (low) [sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.8 (low) CVE-2006-1739 (The CSS border-rendering code in Mozilla Firefox and Thunderbird 1.x b ...) {DSA-1051-1 DSA-1046-1 DSA-1044-1} - firefox 1.5.dfsg+1.5.0.2-2 (medium) - mozilla-firefox 1.5.dfsg+1.5.0.2-2 (medium) - mozilla 2:1.7.13-0.1 (medium) - thunderbird 1.5.0.2-1 (low) [sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.8 (low) CVE-2006-1738 (Unspecified vulnerability in Mozilla Firefox and Thunderbird 1.x befor ...) {DSA-1051-1 DSA-1046-1 DSA-1044-1} - firefox 1.5.dfsg+1.5.0.2-2 (medium) - mozilla-firefox 1.5.dfsg+1.5.0.2-2 (medium) - mozilla 2:1.7.13-0.1 (medium) - thunderbird 1.5.0.2-1 (low) [sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.8 (low) CVE-2006-1737 (Integer overflow in Mozilla Firefox and Thunderbird 1.x before 1.5 and ...) {DSA-1051-1 DSA-1046-1 DSA-1044-1} - firefox 1.5.dfsg+1.5.0.2-2 (medium) - mozilla-firefox 1.5.dfsg+1.5.0.2-2 (medium) - mozilla 2:1.7.13-0.1 (medium) - thunderbird 1.5.0.2-1 (low) [sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.8 (low) CVE-2006-1736 (Mozilla Firefox 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite b ...) {DSA-1051-1 DSA-1046-1 DSA-1044-1} - firefox 1.5.dfsg+1.5.0.2-2 (low) - mozilla-firefox 1.5.dfsg+1.5.0.2-2 (low) - mozilla 2:1.7.13-0.1 (low) [sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.8 CVE-2006-1735 (Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, ...) {DSA-1051-1 DSA-1046-1 DSA-1044-1} - firefox 1.5.dfsg+1.5.0.2-2 (high) - mozilla-firefox 1.5.dfsg+1.5.0.2-2 (high) - mozilla 2:1.7.13-0.1 (high) - thunderbird 1.5.0.2-1 (medium) [sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.8 (medium) CVE-2006-1734 (Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, ...) {DSA-1051-1 DSA-1046-1 DSA-1044-1} - firefox 1.5.dfsg+1.5.0.2-2 (high) - mozilla-firefox 1.5.dfsg+1.5.0.2-2 (high) - mozilla 2:1.7.13-0.1 (high) - thunderbird 1.5.0.2-1 (medium) [sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.8 (medium) CVE-2006-1733 (Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, ...) {DSA-1051-1 DSA-1046-1 DSA-1044-1} - firefox 1.5.dfsg+1.5.0.2-2 (high) - mozilla-firefox 1.5.dfsg+1.5.0.2-2 (high) - mozilla 2:1.7.13-0.1 (high) - thunderbird 1.5.0.2-1 (medium) [sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.8 (medium) CVE-2006-1732 (Unspecified vulnerability in Mozilla Firefox and Thunderbird 1.x befor ...) {DSA-1051-1 DSA-1046-1 DSA-1044-1} - firefox 1.5.dfsg+1.5.0.2-2 (medium) - mozilla-firefox 1.5.dfsg+1.5.0.2-2 (medium) - mozilla 2:1.7.13-0.1 (medium) - thunderbird 1.5.0.2-1 (low) [sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.8 (low) - xulrunner 1.8.0.1-9 CVE-2006-1731 (Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, ...) {DSA-1051-1 DSA-1046-1 DSA-1044-1} - firefox 1.5.dfsg+1.5.0.2-2 (medium) - mozilla-firefox 1.5.dfsg+1.5.0.2-2 (medium) - mozilla 2:1.7.13-0.1 (medium) - thunderbird 1.5.0.2-1 (low) [sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.8 (low) CVE-2006-1730 (Integer overflow in Mozilla Firefox and Thunderbird 1.x before 1.5.0.2 ...) {DSA-1051-1 DSA-1046-1 DSA-1044-1} - firefox 1.5.dfsg+1.5.0.2-1 (high) - mozilla-firefox 1.5.dfsg+1.5.0.2-1 (high) - mozilla 2:1.7.13-0.1 (high) - thunderbird 1.5.0.2-1 (medium) [sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.8 (medium) NOTE: MFSA2006-22 says that it is not clear whether Thunderbird is NOTE: exploitable in the default configuration. - xulrunner 1.8.0.1-9 CVE-2006-1729 (Mozilla Firefox 1.x before 1.5.0.2 and 1.0.x before 1.0.8, Mozilla Sui ...) {DSA-1134-1 DSA-1051-1 DSA-1046-1 DSA-1044-1} - firefox 1.5.dfsg+1.5.0.2-1 (medium) - mozilla-firefox 1.5.dfsg+1.5.0.2-1 (medium) - mozilla 2:1.7.13-0.1 (medium) [sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.8 (medium) - xulrunner 1.8.0.1-9 NOTE: Can likely be used to steal OpenSSH keys and the like. CVE-2006-1728 (Unspecified vulnerability in Mozilla Firefox and Thunderbird 1.x befor ...) {DSA-1051-1 DSA-1046-1 DSA-1044-1} - firefox 1.5.dfsg+1.5.0.2-1 (high) - mozilla-firefox 1.5.dfsg+1.5.0.2-1 (high) - mozilla (high) - thunderbird 1.5.0.2-1 (medium) [sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.8 (medium) - xulrunner 1.8.0.1-9 CVE-2006-1727 (Unspecified vulnerability in Mozilla Firefox and Thunderbird 1.x befor ...) {DSA-1051-1 DSA-1046-1 DSA-1044-1} - firefox 1.5.dfsg+1.5.0.2-1 (medium) - mozilla-firefox 1.5.dfsg+1.5.0.2-1 (medium) - mozilla 2:1.7.13-0.1 (medium) - thunderbird 1.5.0.2-1 (medium) [sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.8 (medium) - xulrunner 1.8.0.1-9 NOTE: If print preview (and this bug) can be triggered from JavaScript, NOTE: the urgency should probably be raised. CVE-2006-1726 (Unspecified vulnerability in Firefox and Thunderbird 1.5 before 1.5.0. ...) - firefox 1.5.dfsg+1.5.0.2-1 (high) - thunderbird 1.5.0.2-1 (medium) - xulrunner 1.8.0.1-9 NOTE: New bug in Firefox 1.5. CVE-2006-1725 (Mozilla Firefox 1.5 before 1.5.0.2 and SeaMonkey before 1.0.1 causes c ...) - firefox 1.5.dfsg+1.5.0.2-1 (low) - xulrunner 1.8.0.1-9 NOTE: New bug in Firefox 1.5. CVE-2006-1724 (Unspecified vulnerability in Firefox and Thunderbird before 1.5.0.2, 1 ...) {DSA-1051-1 DSA-1046-1 DSA-1044-1} - firefox 1.5.dfsg+1.5.0.2-1 (medium) - mozilla (medium) - thunderbird 1.5.0.2-1 (low) [sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.8 (low) - xulrunner 1.8.0.1-9 NOTE: MFSA2006-20 says exploitability has not been confirmed. NOTE: Thunderbird is potentially affected as well, but not in the NOTE: default configuration. CVE-2006-1723 (Unspecified vulnerability in Firefox and Thunderbird before 1.5.0.2, a ...) {DSA-1051-1 DSA-1046-1} - firefox 1.5.dfsg+1.5.0.2 (medium) [sarge] - mozilla-firefox (Mozilla products from Sarge no longer supported) - mozilla (medium) - thunderbird 1.5.0.2-1 (low) - xulrunner 1.8.0.1-9 NOTE: This is probably: https://bugzilla.mozilla.org/show_bug.cgi?id=320459 CVE-2006-1722 (Cross-site scripting (XSS) vulnerability in suche.htm in ShopXS 4.0 al ...) NOT-FOR-US: ShopXS CVE-2006-1721 (digestmd5.c in the CMU Cyrus Simple Authentication and Security Layer ...) {DSA-1042-1} - cyrus-sasl2 2.1.19.dfsg1-0.2 (bug #361937; low) - cyrus-sasl2-mit (does not install digest-md5) CVE-2006-1720 (Cross-site scripting (XSS) vulnerability in search.php in SaphpLesson ...) NOT-FOR-US: SaphpLesson CVE-2006-1719 (Internet Explorer 6 allows remote attackers to cause a denial of servi ...) NOT-FOR-US: Internet Explorer CVE-2006-1718 (Magus Perde Clever Copy 3.0 and earlier stores sensitive information u ...) NOT-FOR-US: Clever Copy CVE-2006-1717 (Cross-site scripting (XSS) vulnerability in newthread.php in MyBB (aka ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-1716 (Cross-site scripting (XSS) vulnerability in inc/functions_post.php in ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-1715 (Multiple directory traversal vulnerabilities in Christian Kindahl TUGZ ...) NOT-FOR-US: TUGZip CVE-2006-1714 (CRLF injection vulnerability in index.php in Christoph Roeder phpMyFor ...) NOT-FOR-US: phpMyForum CVE-2006-1713 (Cross-site scripting (XSS) vulnerability in index.php in Christoph Roe ...) NOT-FOR-US: phpMyForum CVE-2006-1710 (SQL injection vulnerability in admin.php in Design Nation DNGuestbook ...) NOT-FOR-US: DNGuestbook CVE-2005-4784 (Multiple buffer overflows in the POSIX readdir_r function, as used in ...) NOTE: this does not affect linux CVE-2005-4783 (kernfs_xread in kernfs_vnops.c in NetBSD before 20050831 does not chec ...) NOT-FOR-US: NetBSD CVE-2005-4782 (NetBSD 2.0 before 2.0.4, 2.1 before 2.1.1, and 3, when the kernel is c ...) NOT-FOR-US: NetBSD CVE-2005-4781 (Multiple SQL injection vulnerabilities in SergiDs Top Music module 3.0 ...) NOT-FOR-US: SergiD Top Music module CVE-2005-4780 NOT-FOR-US: LightHouse CMS CVE-2005-4779 (verifiedexecioctl in verified_exec.c in NetBSD 2.0.2 calls NDINIT with ...) NOT-FOR-US: NetBSD CVE-2005-4778 (The powersave daemon in SUSE Linux 10.0 before 20051007 has an unspeci ...) - powersave 0.12.7-1 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=119628&x=18&y=11&=Find CVE-2005-4777 (Tashcom ASPEdit 2.9 stores the administration password (aka the FTP pa ...) NOT-FOR-US: Tashcom ASPEdit CVE-2005-4776 (Integer overflow in the FreeBSD compatibility code (freebsd_misc.c) in ...) NOT-FOR-US: NetBSD CVE-2005-4775 (Michael Scholz and Sebastian Stein Contineo 2.0, when the admin accoun ...) NOT-FOR-US: Contineo CVE-2005-4774 (Cross-site scripting (XSS) vulnerability in Xerver 4.17 allows remote ...) NOT-FOR-US: Xerver CVE-2005-4773 (The configuration of VMware ESX Server 2.x, 2.0.x, 2.1.x, and 2.5.x al ...) NOT-FOR-US: VMware CVE-2004-2656 (Multiple cross-site scripting (XSS) vulnerabilities in Slashdot Like A ...) - slash (Vulnerable code introduced in 2002, while Debian's is older!, see #390469) CVE-2006-1744 (Buffer overflow in pl_main.c in sail in BSDgames before 2.17-7 allows ...) {DSA-1036-1} - bsdgames 2.17-7 (bug #360989) CVE-2006-1712 (Cross-site scripting (XSS) vulnerability in the private archive script ...) - mailman 0:2.1.7-2.1.8rc1-1 [sarge] - mailman (Only affects Mailman 2.1.7) CVE-2006-1711 (Plone 2.0.5, 2.1.2, and 2.5-beta1 does not restrict access to the (1) ...) {DSA-1032-1} - zope-cmfplone 2.1.2-2 CVE-2006-1709 (Cross-site scripting (XSS) vulnerability in shop_main.cgi in interakti ...) NOT-FOR-US: interaktiv.shop CVE-2006-1708 (SQL injection vulnerability in member.php in Clansys 1.1 allows remote ...) NOT-FOR-US: Clansys CVE-2006-1707 (index.php in Shopweezle 2.0 allows remote attackers to include arbitra ...) NOT-FOR-US: Shopweezle CVE-2006-1706 (Multiple SQL injection vulnerabilities in Shopweezle 2.0 allow remote ...) NOT-FOR-US: Shopweezle CVE-2006-1705 (Oracle Database 9.2.0.0 to 10.2.0.3 allows local users with "SELECT" p ...) NOT-FOR-US: Oracle CVE-2006-1704 (Sire 2.0 nws allows remote attackers to upload arbitrary image files w ...) NOT-FOR-US: Sire 2.0 nws CVE-2006-1703 (PHP remote file inclusion vulnerability in lire.php in Sire 2.0 nws al ...) NOT-FOR-US: Sire 2.0 nws CVE-2006-1702 (PHP remote file inclusion vulnerability in spip_login.php3 in SPIP 1.8 ...) - spip 2.0.6-1 CVE-2006-1701 (Cross-site scripting (XSS) vulnerability in the Pages module in Shadow ...) NOT-FOR-US: Shadowed Portal CVE-2006-1700 (Buy.php in Aweb Scripts Seller uses predictable cookies for authentica ...) NOT-FOR-US: Aweb Scripts Seller CVE-2006-1699 (Cross-site scripting (XSS) vulnerability in index.php in Aweb Banner G ...) NOT-FOR-US: Aweb Banner CVE-2006-1698 (Cross-site scripting (XSS) vulnerability in Matt Wright Guestbook 2.3. ...) NOT-FOR-US: Matt Wright Guestbook CVE-2006-1697 (Cross-site scripting (XSS) vulnerability in Matt Wright Guestbook 2.3. ...) NOT-FOR-US: Matt Wright Guestbook CVE-2006-1696 (Cross-site scripting (XSS) vulnerability in Gallery before 1.5.3 allow ...) - gallery 1.5.3-1 (bug #361758) CVE-2006-1695 (The fbgs script in the fbi package 2.01-1.4, when the TMPDIR environme ...) {DSA-1068-1} - fbi 2.05-1 (bug #361370) CVE-2006-1694 (SQL injection vulnerability in members.php in XBrite Members 1.1 and e ...) NOT-FOR-US: XBrite Members CVE-2006-1693 (Unspecified vulnerability in GlobalSCAPE Secure FTP Server before 3.1. ...) NOT-FOR-US: GlobalSCAPE Secure FTP Server CVE-2006-1692 (Multiple SQL injection vulnerabilities in MWNewsletter 1.0.0b allow re ...) NOT-FOR-US: MWNewsletter CVE-2006-1691 (SQL injection vulnerability in MWNewsletter 1.0.0b allows remote attac ...) NOT-FOR-US: MWNewsletter CVE-2006-1690 (Cross-site scripting (XSS) vulnerability in subscribe.php in MWNewslet ...) NOT-FOR-US: MWNewsletter CVE-2006-1689 (Unspecified vulnerability in su in HP HP-UX B.11.11, when using the LD ...) NOT-FOR-US: HP-UX CVE-2006-1688 (Multiple PHP remote file inclusion vulnerabilities in SQuery 4.5 and e ...) NOT-FOR-US: SQuery / Autonomous LAN party CVE-2006-1687 (Cross-site scripting (XSS) vulnerability in APT-webshop-system 4.0 PRO ...) NOT-FOR-US: APT-webshop-system CVE-2006-1686 (Unspecified vulnerability in modules.php in APT-webshop-system 4.0 PRO ...) NOT-FOR-US: APT-webshop-system CVE-2006-1685 (Multiple SQL injection vulnerabilities in modules.php in APT-webshop-s ...) NOT-FOR-US: APT-webshop-system CVE-2006-1684 (Unspecified vulnerability in ecotwo Shopsystem 1.0-192 and earlier all ...) NOT-FOR-US: ecotwo Shopsystem CVE-2006-1683 (SQL injection vulnerability in admin/login.php in Chipmunk Guestbook a ...) NOT-FOR-US: Chipmunk Guestbook CVE-2006-1682 (Cross-site scripting (XSS) vulnerability in webplus.exe in TalentSoft ...) NOT-FOR-US: TalentSoft Web+Shop CVE-2006-1681 (Cross-site scripting (XSS) vulnerability in Cherokee HTTPD 0.5 and ear ...) - cherokee 0.5.1-1 CVE-2006-1680 (Jupiter CMS 1.1.5, when display_errors is enabled, allows remote attac ...) NOT-FOR-US: Jupiter CMS CVE-2006-1679 (Cross-site scripting (XSS) vulnerability in modules/online.php in Jupi ...) NOT-FOR-US: Jupiter CMS CVE-2006-1678 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin befo ...) {DSA-1207-1} - phpmyadmin 4:2.8.0.3-1 (bug #362567) NOTE: https://www.phpmyadmin.net/security/PMASA-2006-1/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/0933619b6b2534b221817ea3f631cb984c258d6b CVE-2006-1677 (MAXdev MDPro 1.0.73 and 1.0.72, and possibly other versions before 1.0 ...) NOT-FOR-US: MAXdev MD-Pro CVE-2006-1676 (SQL injection vulnerability in the display function in the Topics modu ...) NOT-FOR-US: MAXdev MD-Pro CVE-2006-1675 (Multiple cross-site scripting (XSS) vulnerabilities in PHPWebGallery 1 ...) NOT-FOR-US: PHPWebGallery CVE-2006-1674 (Cross-site scripting (XSS) vulnerability in search.php in PHPWebGaller ...) NOT-FOR-US: PHPWebGallery CVE-2006-1673 (Cross-site scripting (XSS) vulnerability in vbugs.php in Dark_Wizard v ...) NOT-FOR-US: Dark_Wizard vBug Tracker CVE-2006-1672 (The installation of Cisco Transport Controller (CTC) for Cisco Optical ...) NOT-FOR-US: Cisco CVE-2006-1671 (Control cards for Cisco Optical Networking System (ONS) 15000 series n ...) NOT-FOR-US: Cisco CVE-2006-1670 (Control cards for Cisco Optical Networking System (ONS) 15000 series n ...) NOT-FOR-US: Cisco CVE-2006-1669 (SQL injection vulnerability in chat/messagesL.php3 in phpHeaven Team P ...) NOT-FOR-US: PHPMyChat CVE-2006-1668 (newimage.php in Eric Gerdes Crafty Syntax Image Gallery (CSIG) (aka PH ...) NOT-FOR-US: Crafty Syntax Image Gallery CVE-2006-1667 (SQL injection vulnerability in slides.php in Eric Gerdes Crafty Syntax ...) NOT-FOR-US: Crafty Syntax Image Gallery CVE-2006-1666 (SQL injection vulnerability in forum.php in Arab Portal 2.0.1 stable a ...) NOT-FOR-US: Arab Portal CVE-2006-1665 (Multiple cross-site scripting (XSS) vulnerabilities in Arab Portal 2.0 ...) NOT-FOR-US: Arab Portal CVE-2006-1664 (Buffer overflow in xine_list_delete_current in libxine 1.14 and earlie ...) - xine-lib (Not reproducible with Debian version, see bug #363127) - vlc (affected part of xine-lib code copy not present) CVE-2006-1663 REJECTED CVE-2006-1662 (The frontpage option in Limbo CMS 1.0.4.2 and 1.0.4.1 allows remote at ...) NOT-FOR-US: Limbo CMS CVE-2006-1661 (Multiple cross-site scripting (XSS) vulnerabilities in SKForum 1.5 and ...) NOT-FOR-US: SKForum CVE-2006-1660 (Cross-site scripting (XSS) vulnerability in image_desc.php in Softbiz ...) NOT-FOR-US: Softbiz Image Gallery CVE-2006-1659 (Multiple SQL injection vulnerabilities in Softbiz Image Gallery allow ...) NOT-FOR-US: Softbiz Image Gallery CVE-2006-1658 (Direct static code injection vulnerability in ticker.db.php in Chucky ...) NOT-FOR-US: Chucky A. Ivey N.T. CVE-2006-1657 (Cross-site scripting (XSS) vulnerability in index.php in Chucky A. Ive ...) NOT-FOR-US: Chucky A. Ivey N.T. CVE-2005-4772 (liby2util in Yet another Setup Tool (YaST) in SUSE Linux before 200510 ...) NOT-FOR-US: YaST CVE-2005-4771 (Trusted Mobility Agent PC Policy in Trust Digital Trusted Mobility Sui ...) NOT-FOR-US: Trusted Mobility Agent CVE-2005-4770 (SQL injection vulnerability in an unspecified Accelerated Enterprise S ...) NOT-FOR-US: Accelerated E Solutions CVE-2005-4769 (SQL injection vulnerability in addrbook.php in Belchior Foundry vCard ...) NOT-FOR-US: Belchior Foundry vCard CVE-2005-4768 (SQL injection vulnerability in manage_account.php in Tux Racer TuxBank ...) NOT-FOR-US: Tux Racer TuxBank CVE-2004-2655 (rdesktop 1.3.1 with xscreensaver 4.14, and possibly other versions, wh ...) - xscreensaver 4.18-1 (low) CVE-2006-XXXX [linphone insecure password leakage] - linphone 1.3.5-1 (bug #361913) CVE-2006-1656 (vserver in util-vserver 0.30.209 executes a command as root when the s ...) - util-vserver 0.30.210-1 (bug #360438; unimportant) CVE-2006-1655 (Multiple buffer overflows in mpg123 0.59r allow user-assisted attacker ...) {DSA-1074-1} - mpg123 0.59r-22 (bug #361863) - mp3gain 1.5.2-r2-6 (low) [wheezy] - mp3gain 1.5.2-r2-2+deb7u1 [squeeze] - mp3gain (Minor issue) CVE-2006-1654 (Directory traversal vulnerability in the HP Color LaserJet 2500 Toolbo ...) NOT-FOR-US: HP Colour LaserJet 2500 and 4600 Toolbox CVE-2006-1653 (PHP remote file inclusion vulnerability in loadkernel.php in AngelineC ...) NOT-FOR-US: AngelineCMS CVE-2006-1652 (Multiple buffer overflows in (a) UltraVNC (aka Ultr@VNC) 1.0.1 and ear ...) NOT-FOR-US: UltraVNC CVE-2006-1651 NOT-FOR-US: MS ISA CVE-2006-1650 (Firefox 1.5.0.1 allows remote attackers to spoof the address bar and p ...) NOTE: other reports indicate that Firefox is not vulnerable CVE-2006-1649 (The "restore to" selection in the "quarantine a file" capability of ES ...) NOT-FOR-US: Eset Software NOD32 Antivirus 2.5 CVE-2006-1648 (SMART SynchronEyes Student and Teacher 6.0, and possibly earlier versi ...) NOT-FOR-US: SMART SynchronEyes CVE-2006-1647 (An unspecified "logical programming mistake" in SMART SynchronEyes Stu ...) NOT-FOR-US: SMART SynchronEyes CVE-2006-1646 (The Internet Key Exchange version 1 (IKEv1) implementation (isakmp_agg ...) NOT-FOR-US: This is a slightly different racoon version, the Linux fork in Debian was already addressed in CVE-2005-3732 CVE-2006-1645 (Cross-site scripting (XSS) vulnerability in Anton Vlasov and Rostislav ...) NOT-FOR-US: ReloadCMS CVE-2006-1644 (login.php in Interact 2.1.1 generates different responses depending on ...) NOT-FOR-US: Interact CVE-2006-1643 (SQL injection vulnerability in login.php in Interact 2.1.1 allows remo ...) NOT-FOR-US: Interact CVE-2006-1642 (Cross-site scripting (XSS) vulnerability in Interact 2.1.1 allows remo ...) NOT-FOR-US: Interact CVE-2006-1641 (Multiple SQL injection vulnerabilities in CzarNews 1.14 allow remote a ...) NOT-FOR-US: CzarNews CVE-2006-1640 (Cross-site scripting (XSS) vulnerability in news.php in CzarNews 1.14 ...) NOT-FOR-US: CzarNews CVE-2006-1639 (SQL injection vulnerability in index.php in wpBlog 0.4 allows remote a ...) NOT-FOR-US: wpBlog CVE-2006-1638 (Multiple SQL injection vulnerabilities in aWebBB 1.2 allow remote atta ...) NOT-FOR-US: aWebBB CVE-2006-1637 (Multiple cross-site scripting (XSS) vulnerabilities in aWebBB 1.2 allo ...) NOT-FOR-US: aWebBB CVE-2006-1636 (PHP remote file inclusion vulnerability in get_header.php in VWar 1.5. ...) NOT-FOR-US: VWar CVE-2006-1635 (LucidCMS 2.0.0 RC4 allows remote attackers to obtain sensitive informa ...) NOT-FOR-US: LucidCMS CVE-2006-1634 (Cross-site scripting (XSS) vulnerability in index.php in LucidCMS 2.0. ...) NOT-FOR-US: LucidCMS CVE-2006-1633 RESERVED CVE-2006-1632 RESERVED CVE-2006-1631 (Unspecified vulnerability in the HTTP compression functionality in Cis ...) NOT-FOR-US: Cisco CVE-2006-1629 (OpenVPN 2.0 through 2.0.5 allows remote malicious servers to execute a ...) {DSA-1045-1} - openvpn 2.0.6-1 (bug #360559; medium) CVE-2006-1628 (Adobe LiveCycle Workflow 7.01 and LiveCycle Forum Manager 7.01 allows ...) NOT-FOR-US: Adobe LiveCycle CVE-2006-1627 (Adobe Document Server for Reader Extensions 6.0 does not provide prope ...) NOT-FOR-US: Adobe Document Server CVE-2006-1626 (Internet Explorer 6 for Windows XP SP2 and earlier allows remote attac ...) NOT-FOR-US: Internet Explorer CVE-2006-1625 (Cross-site scripting (XSS) vulnerability in inc/functions_post.php in ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-1624 (The default configuration of syslogd in the Linux sysklogd package doe ...) - sysklogd (unimportant) NOTE: No sane person will open a network socket for syslog without apropriate NOTE: firewall rules. The default is not to listen to the network. CVE-2006-1623 (Unspecified vulnerability in main.php in an unspecified "file created ...) NOT-FOR-US: FleXiBle Development CVE-2006-1622 (Cross-site scripting (XSS) vulnerability in PHPSelect linksubmit allow ...) NOT-FOR-US: PHPSelect CVE-2006-1621 (Directory traversal vulnerability in admin/folders/saveuploadfiles.asp ...) NOT-FOR-US: Hosting Controller CVE-2006-1620 (admin/accounts/AccountActions.asp in Hosting Controller 2002 RC 1 allo ...) NOT-FOR-US: Hosting Controller CVE-2006-1619 (IBM WebSphere Application Server 4.0.1 through 4.0.3 allows remote att ...) NOT-FOR-US: WebSphere CVE-2006-1618 (Format string vulnerability in the (1) Con_message and (2) conPrintf f ...) NOT-FOR-US: Doomsday/deng CVE-2006-1617 (Multiple cross-site scripting (XSS) vulnerabilities in Advanced Poll 2 ...) NOT-FOR-US: Advanced Poll CVE-2006-1616 (Multiple SQL injection vulnerabilities in Advanced Poll 2.02 allow rem ...) NOT-FOR-US: Advanced Poll CVE-2006-1613 (Multiple SQL injection vulnerabilities in aWebNews 1.0 allow remote at ...) NOT-FOR-US: aWebNews CVE-2006-1612 (Multiple cross-site scripting (XSS) vulnerabilities in visview.php in ...) NOT-FOR-US: aWebNews CVE-2006-1611 (Directory traversal vulnerability in KGB Archiver before 1.1.5.22 allo ...) NOT-FOR-US: KGB Archiver CVE-2006-1610 (PHP remote file inclusion vulnerability in lib/armygame.php in SQuery ...) NOT-FOR-US: SQuery / Autonomous LAN party CVE-2006-1609 (Unspecified vulnerability in Hitachi XFIT/S, XFIT/S/JCA, XFIT/S/ZGN, a ...) NOT-FOR-US: Hitachi XFIT CVE-2006-1608 (The copy function in file.c in PHP 4.4.2 and 5.1.2 allows local users ...) - php4 4:4.4.4-1 (bug #361856; unimportant) - php5 5.1.4-0.1 (bug #361915; unimportant) NOTE: Safe mode violations not supported CVE-2006-1607 (Unspecified vulnerability in the banner module in Exponent CMS before ...) NOT-FOR-US: Exponent CMS CVE-2006-1606 (Unspecified vulnerability in the image module in Exponent CMS before 0 ...) NOT-FOR-US: Exponent CMS CVE-2006-1605 (Unspecified vulnerability in the image module in Exponent CMS before 0 ...) NOT-FOR-US: Exponent CMS CVE-2006-1604 (Unspecified vulnerability in Exponent CMS before 0.96.5 RC 1 has unkno ...) NOT-FOR-US: Exponent CMS CVE-2006-1603 (Cross-site scripting (XSS) vulnerability in profile.php in phpBB 2.0.1 ...) - phpbb2 (According to Jeroen a non-issue, see notes) NOTE: jmm: unable to everify, the variable in question is only printed NOTE: at one single page, and there it doesn't get taken from GET nor POST in my tests NOTE: and, shock, the password isn't saved unhashed in the DB, so having NOTE: javascript in your password can't be exposed otherwise NOTE: I'd forget about it unless someone comes with a proof of concept CVE-2006-1602 (PHP remote file inclusion vulnerability in includes/functions_common.p ...) NOT-FOR-US: PHPNuke Clan CVE-2006-1601 (Unspecified vulnerability in SunPlex Manager in Sun Cluster 3.1 4/04 a ...) NOT-FOR-US: Sun Cluster CVE-2006-1600 (SQL injection vulnerability in category.php in PhpWebGallery 1.4.1 all ...) NOT-FOR-US: PhpWebGallery CVE-2006-1599 (Unspecified vulnerability in VCEngine.php in v-creator before 1.3-pre3 ...) NOT-FOR-US: v-creator CVE-2006-1598 (AN HTTPD 1.42n, and possibly other versions before 1.42p, allows remot ...) NOT-FOR-US: AN HTTPD CVE-2006-1597 RESERVED CVE-2006-1596 (PHP remote file inclusion vulnerability in learnPath/include/scormExpo ...) NOT-FOR-US: Claroline CVE-2006-1595 (Cross-site scripting (XSS) vulnerability in document/rqmkhtml.php in C ...) NOT-FOR-US: Claroline CVE-2006-1594 (Multiple directory traversal vulnerabilities in document/rqmkhtml.php ...) NOT-FOR-US: Claroline CVE-2006-1593 (The (1) ZD_MissingPlayer, (2) ZD_UseItem, and (3) ZD_LoadNewClientLeve ...) NOT-FOR-US: X-Doom, ZDaemon NOTE: vulnerable functions don't exist in lxdoom, prboom CVE-2006-1592 (Buffer overflow in the is_client_wad_ok function in w_wad.cpp for (1) ...) NOT-FOR-US: X-Doom, ZDaemon NOTE: vulnerable functions don't exist in lxdoom, prboom CVE-2006-1591 (Heap-based buffer overflow in Microsoft Windows Help winhlp32.exe allo ...) NOT-FOR-US: Microsoft Windows Help CVE-2006-1590 (Cross-site scripting (XSS) vulnerability in the PrintFreshPage functio ...) - acidbase 1.2.5-1 (bug #363548; unimportant) [sarge] - acidbase (Hardly exploitable) - acidlab (bug #363549; unimportant) [sarge] - acidlab (Hardly exploitable) NOTE: Not exploitable with the default configuration anyway. CVE-2006-1589 (The elf_load_file function in NetBSD 2.0 through 3.0 allows local user ...) NOT-FOR-US: NetBSD kernel CVE-2006-1588 (The bridge ioctl (if_bridge code) in NetBSD 1.6 through 3.0 does not c ...) NOT-FOR-US: NetBSD kernel CVE-2006-1587 (NetBSD 1.6 up to 3.0, when a user has "set record" in .mailrc with the ...) NOT-FOR-US: NetBSD CVE-2002-2210 (The installation of OpenOffice 1.0.1 allows local users to overwrite f ...) - openoffice.org 1.0.2 CVE-2006-1614 (Integer overflow in the cli_scanpe function in the PE header parser (l ...) {DSA-1024-1} - clamav 0.88.1-1 CVE-2006-1630 (The cli_bitset_set function in libclamav/others.c in Clam AntiVirus (C ...) {DSA-1024-1} - clamav 0.88.1-1 CVE-2006-1615 (Multiple format string vulnerabilities in the logging code in Clam Ant ...) {DSA-1024-1} - clamav 0.88.1-1 CVE-2006-1586 (SQL injection vulnerability in admin_login.asp in ISP of Egypt SiteMan ...) NOT-FOR-US: Egypt SiteMan CVE-2006-1585 (Multiple SQL injection vulnerabilities in MonAlbum 0.8.7 allow remote ...) NOT-FOR-US: MonAlbum CVE-2006-1584 (Unspecified vulnerability in index.php in Warcraft III Replay Parser f ...) NOT-FOR-US: Warcraft III Replay CVE-2006-1583 (Cross-site scripting (XSS) vulnerability in index.php in Warcraft III ...) NOT-FOR-US: Warcraft III Replay CVE-2006-1582 (Cross-site scripting (XSS) vulnerability in index.php in Blank'N'Berg ...) NOT-FOR-US: Blank'N'Berg CVE-2006-1581 (Directory traversal vulnerability in index.php in Blank'N'Berg 0.2 all ...) NOT-FOR-US: Blank'N'Berg CVE-2006-1580 (Multiple cross-site scripting (XSS) vulnerabilities in Bugzero 4.3.1 a ...) NOT-FOR-US: Bugzero CVE-2006-1579 (SQL injection vulnerability in topics.php in Dynamic Bulletin Board Sy ...) NOT-FOR-US: Dynamic Bulletin Board System CVE-2006-1578 (Multiple SQL injection vulnerabilities in Keystone Digital Library Sui ...) NOT-FOR-US: Keystone Digital Library Suite CVE-2006-1577 (Multiple cross-site scripting (XSS) vulnerabilities in view_all_set.ph ...) {DSA-1133-1} [woody] - mantis (Vulnerable code not present) - mantis 0.19.4-3.1 (bug #361138) CVE-2006-1576 (Direct static code injection vulnerability in QLnews 1.2 allows remote ...) NOT-FOR-US: QLnews CVE-2006-1575 (Multiple cross-site scripting (XSS) vulnerabilities in news.php in QLn ...) NOT-FOR-US: QLnews CVE-2006-1574 (Cross-site scripting (XSS) vulnerability in Groupmax World Wide Web, W ...) NOT-FOR-US: Groupmax World Wide Web et. al. CVE-2006-1573 (PHP remote file inclusion vulnerability in index.php in MediaSlash Gal ...) NOT-FOR-US: MediaSlash Gallery CVE-2006-1572 (SQL injection vulnerability in post.php in Oxygen 1.1.3 allows remote ...) NOT-FOR-US: Oxygen CVE-2006-1571 (Multiple SQL injection vulnerabilities in loginprocess.php in qliteNew ...) NOT-FOR-US: qliteNews CVE-2006-1570 (Cross-site scripting (XSS) vulnerability in Esqlanelapse 2.0 and 2.2 a ...) NOT-FOR-US: Esqlanelapse CVE-2006-1569 (Multiple SQL injection vulnerabilities in RedCMS 0.1 allow remote atta ...) NOT-FOR-US: RedCMS CVE-2006-1568 (Multiple cross-site scripting (XSS) vulnerabilities in register.php in ...) NOT-FOR-US: RedCMS CVE-2006-1567 (Cross-site scripting (XSS) vulnerability in searchresults.asp in SiteS ...) NOT-FOR-US: SiteSearch Indexer CVE-2006-1566 (Untrusted search path vulnerability in libtunepimp-perl 0.4.2-1 in Deb ...) - libtunepimp 0.4.2-3 (bug #359241; low) [sarge] - libtunepimp (rpath not set to /tmp in Sarge) CVE-2006-1565 (Untrusted search path vulnerability in libgpib-perl 3.2.06-2 in Debian ...) - gpib 3.2.06-3 (bug #359239; low) [sarge] - gpib (rpath not set to /tmp in Sarge) CVE-2006-1564 (Untrusted search path vulnerability in libapache2-svn 1.3.0-4 for Subv ...) - subversion 1.3.0-5 (bug #359234; low) [sarge] - subversion (No rpaths set in Sarge) CVE-2006-1563 (Direct static code injection vulnerability in config.php in vscripts ( ...) NOT-FOR-US: VBook CVE-2006-1562 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in vs ...) NOT-FOR-US: VBook CVE-2006-1561 (SQL injection vulnerability in index.php in vscripts (aka Kuba Kunkiew ...) NOT-FOR-US: VBook CVE-2006-1560 (Multiple SQL injection vulnerabilities in SkinTech phpNewsManager 1.48 ...) NOT-FOR-US: SkinTech phpNewsManager CVE-2006-1559 (SQL injection vulnerability in PHP Script Index allows remote attacker ...) NOT-FOR-US: PHP Script Index CVE-2006-1558 (Cross-site scripting (XSS) vulnerability in search.php in PHP Script I ...) NOT-FOR-US: PHP Script Index CVE-2006-1557 (Multiple SQL injection vulnerabilities in X-Changer 0.2 allow remote a ...) NOT-FOR-US: X-Changer CVE-2006-1556 (Multiple cross-site scripting (XSS) vulnerabilities in view_caricatier ...) NOT-FOR-US: AL-Caricatier CVE-2006-1555 (VSNS Lemon 3.2.0 allows remote attackers to bypass authentication and ...) NOT-FOR-US: VSNS Lemon CVE-2006-1554 (Cross-site scripting (XSS) vulnerability in VSNS Lemon 3.2.0 allows re ...) NOT-FOR-US: VSNS Lemon CVE-2006-1553 (SQL injection vulnerability in functions/final_functions.php in VSNS L ...) NOT-FOR-US: VSNS Lemon CVE-2006-1552 (Integer overflow in ImageIO in Apple Mac OS X 10.4 up to 10.4.5 allows ...) NOT-FOR-US: Apple CVE-2006-1551 (Eval injection vulnerability in pajax_call_dispatcher.php in PAJAX 0.5 ...) NOT-FOR-US: PAJAX CVE-2006-1549 (PHP 4.4.2 and 5.1.2 allows local users to cause a crash (segmentation ...) - php4 (bug #361854; unimportant) - php5 5.1.4-0.1 (bug #361917; unimportant) [sarge] - php4 (there are easier ways to segfault your own program) CVE-2005-4767 (BEA WebLogic Server and WebLogic Express 8.1 SP5 and earlier, and 7.0 ...) NOT-FOR-US: BEA WebLogic CVE-2005-4766 (BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, and 7.0 ...) NOT-FOR-US: BEA WebLogic CVE-2005-4765 (BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier and 7.0 S ...) NOT-FOR-US: BEA WebLogic CVE-2005-4764 (BEA WebLogic Server and WebLogic Express 9.0, 8.1, and 7.0 lock out th ...) NOT-FOR-US: BEA WebLogic CVE-2005-4763 (BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, 7.0 SP6 ...) NOT-FOR-US: BEA WebLogic CVE-2005-4762 (BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, 7.0 SP6 ...) NOT-FOR-US: BEA WebLogic CVE-2005-4761 (BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, 7.0 SP5 ...) NOT-FOR-US: BEA WebLogic CVE-2005-4760 (BEA WebLogic Server and WebLogic Express 8.1 SP3 and earlier, and 7.0 ...) NOT-FOR-US: BEA WebLogic CVE-2005-4759 (BEA WebLogic Server and WebLogic Express 8.1 and 7.0, during a migrati ...) NOT-FOR-US: BEA WebLogic CVE-2005-4758 (Unspecified vulnerability in the Administration server in BEA WebLogic ...) NOT-FOR-US: BEA WebLogic CVE-2005-4757 (BEA WebLogic Server and WebLogic Express 8.1 SP3 and earlier, and 7.0 ...) NOT-FOR-US: BEA WebLogic CVE-2005-4756 (BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, and 7.0 ...) NOT-FOR-US: BEA WebLogic CVE-2005-4755 (BEA WebLogic Server and WebLogic Express 8.1 SP3 and earlier (1) store ...) NOT-FOR-US: BEA WebLogic CVE-2005-4754 (BEA WebLogic Server and WebLogic Express 8.1 SP3 and earlier allow rem ...) NOT-FOR-US: BEA WebLogic CVE-2005-4753 (BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, and 7.0 ...) NOT-FOR-US: BEA WebLogic CVE-2005-4752 (BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, and 7.0 ...) NOT-FOR-US: BEA WebLogic CVE-2005-4751 (Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic Se ...) NOT-FOR-US: BEA WebLogic CVE-2005-4750 (BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, 7.0 SP5 ...) NOT-FOR-US: BEA WebLogic CVE-2005-4749 (HTTP request smuggling vulnerability in BEA WebLogic Server and WebLog ...) NOT-FOR-US: BEA WebLogic CVE-2006-1548 (Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction a ...) - libstruts1.2-java 1.2.9-1 (bug #360551) [sarge] - libstruts1.2-java (Only in contrib, relies on proprietary Java) CVE-2006-1547 (ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 wit ...) - libstruts1.2-java 1.2.9-1 (bug #360551) [sarge] - libstruts1.2-java (Only in contrib, relies on proprietary Java) CVE-2006-1546 (Apache Software Foundation (ASF) Struts before 1.2.9 allows remote att ...) - libstruts1.2-java 1.2.9-1 (bug #360551) [sarge] - libstruts1.2-java (Only in contrib, relies on proprietary Java) CVE-2006-1545 (Direct static code injection vulnerability in admin/config.php in vscr ...) NOT-FOR-US: VNews CVE-2006-1544 (Multiple cross-site scripting (XSS) vulnerabilities in news.php in vsc ...) NOT-FOR-US: VNews CVE-2006-1543 (Multiple SQL injection vulnerabilities in vscripts (aka Kuba Kunkiewic ...) NOT-FOR-US: VNews CVE-2006-1542 (Stack-based buffer overflow in Python 2.4.2 and earlier, running on Li ...) NOT-FOR-US: Bogus issue, this doesn't trigger any local overflow NOTE: Should be rejected CVE-2006-1541 (SQL injection vulnerability in Default.asp in EzASPSite 2.0 RC3 and ea ...) NOT-FOR-US: EzASPSite CVE-2006-1540 (MSO.DLL in Microsoft Office 2000, Office XP (2002), and Office 2003 al ...) NOT-FOR-US: Microsoft CVE-2006-1539 (Multiple buffer overflows in the checkscores function in scores.c in t ...) - bsdgames 2.17-6 (bug #361160) [sarge] - bsdgames (Minor impact) CVE-2006-1538 (The Enova X-Wall ASIC encrypts with a key obtained via Microwire from ...) NOT-FOR-US: Enova X-Wall ASIC CVE-2006-1537 (Craig Knudsen WebCalendar 1.1.0-CVS allows remote attackers to obtain ...) - webcalendar (unimportant) CVE-2006-1536 (Multiple SQL injection vulnerabilities in Phoetux.net PhxContacts 0.93 ...) NOT-FOR-US: Phoetux.net PhxContacts CVE-2006-1535 (Cross-site scripting (XSS) vulnerability in login.php in Phoetux.net P ...) NOT-FOR-US: Phoetux.net PhxContacts CVE-2006-1534 (Multiple SQL injection vulnerabilities in Null news allow remote attac ...) NOT-FOR-US: Null news CVE-2006-1533 (SQL injection vulnerability in newsletter.php in Sourceworkshop newsle ...) NOT-FOR-US: Sourceworkshop newsletter CVE-2006-1532 (Cross-site scripting (XSS) vulnerability in search.php in PHP Classifi ...) NOT-FOR-US: PHP Classifieds CVE-2006-1531 (Unspecified vulnerability in Firefox and Thunderbird before 1.5.0.2, a ...) {DSA-1046-1} - firefox 1.5.0.2 (medium) - mozilla-firefox (pre-1.5 version not vulnerable) - thunderbird 1.5.0.2-1 (low) - mozilla-thunderbird (pre-1.5 version not vulnerable) - xulrunner 1.8.0.1-9 NOTE: MFSA2006-20 says exploitability has not been confirmed. NOTE: Thunderbird is potentially affected as well, but not in the NOTE: default configuration. CVE-2006-1530 (Unspecified vulnerability in Firefox and Thunderbird before 1.5.0.2, a ...) {DSA-1046-1} - firefox 1.5.0.2 (medium) - mozilla-firefox (pre-1.5 version not vulnerable) - thunderbird 1.5.0.2-1 (low) - mozilla-thunderbird (pre-1.5 version not vulnerable) - xulrunner 1.8.0.1-9 NOTE: MFSA2006-20 says exploitability has not been confirmed. NOTE: Thunderbird is potentially affected as well, but not in the NOTE: default configuration. CVE-2006-1529 (Unspecified vulnerability in Firefox and Thunderbird before 1.5.0.2, a ...) {DSA-1046-1} - firefox 1.5.0.2-1 (medium) - mozilla-firefox (pre-1.5 version not vulnerable) - thunderbird 1.5.0.2-1 (low) - mozilla-thunderbird (pre-1.5 version not vulnerable) - xulrunner 1.8.0.1-9 NOTE: MFSA2006-20 says exploitability has not been confirmed. NOTE: Thunderbird is potentially affected as well, but not in the NOTE: default configuration. CVE-2006-1528 (Linux kernel before 2.6.13 allows local users to cause a denial of ser ...) {DSA-1184-2 DSA-1183-1} - linux-2.6 2.6.13-1 CVE-2006-1527 (The SCTP-netfilter code in Linux kernel before 2.6.16.13 allows remote ...) - linux-2.6 2.6.16-12 (low) CVE-2006-1526 (Buffer overflow in the X render (Xrender) extension in X.org X server ...) - xorg-server 1:1.0.2-8 (bug #378464) [sarge] - xfree86 (Vulnerable code not present) CVE-2006-1525 (ip_route_input in Linux kernel 2.6 before 2.6.16.8 allows local users ...) {DSA-1103 DSA-1097-1} - linux-2.6 2.6.16-9 CVE-2006-1524 (madvise_remove in Linux kernel 2.6.16 up to 2.6.16.6 does not follow f ...) {DSA-1103 DSA-1097-1} - linux-2.6 2.6.16-8 CVE-2006-1523 (The __group_complete_signal function in the RCU signal handling (signa ...) {DSA-1103} - linux-2.6 2.6.16-7 CVE-2006-1522 (The sys_add_key function in the keyring code in Linux kernel 2.6.16.1 ...) - linux-2.6 2.6.16-7 CVE-2006-1521 REJECTED CVE-2006-1520 (Format string vulnerability in ANSI C Sender Policy Framework library ...) NOTE: Debian ships debugging disabled (this isn't a problem with a debugging command-line flag) - libspf (bug #368780; low) CVE-2006-1519 REJECTED CVE-2006-1518 (Buffer overflow in the open_table function in sql_base.cc in MySQL 5.0 ...) {DSA-1079-1 DSA-1073-1 DSA-1071-1} - mysql-dfsg-5.0 5.0.21-1 (bug #365939; medium) - mysql-dfsg-4.1 (bug #365939; medium) - mysql-dfsg (bug #365939; bug #356751; medium) - mysql (bug #365939; medium) CVE-2006-1517 (sql_parse.cc in MySQL 4.0.x up to 4.0.26, 4.1.x up to 4.1.18, and 5.0. ...) {DSA-1079-1 DSA-1073-1 DSA-1071-1} - mysql-dfsg-5.0 5.0.21-1 (bug #365939; low) - mysql-dfsg-4.1 (bug #365939; low) - mysql-dfsg (bug #365939; bug #356751; low) - mysql (bug #365939; low) CVE-2006-1516 (The check_connection function in sql_parse.cc in MySQL 4.0.x up to 4.0 ...) {DSA-1079-1 DSA-1073-1 DSA-1071-1} - mysql-dfsg-5.0 5.0.21-1 (bug #365939; bug #365938; bug #366044; low) - mysql-dfsg-4.1 (bug #365939; bug #366043; low) - mysql-dfsg (bug #365939; bug #356751; low) - mysql (bug #365939; low) CVE-2006-1515 (Buffer overflow in the addnewword function in typespeed 0.4.4 and earl ...) {DSA-1084-1} - typespeed 0.4.4-10 CVE-2006-1514 (Multiple buffer overflows in the abcmidi-yaps translator in abcmidi 20 ...) {DSA-1043-1} - abcmidi 20060422-1 CVE-2006-1513 (Multiple buffer overflows in abc2ps before 1.3.3 allow user-assisted a ...) {DSA-1041-1} - abc2ps (bug #373685; low) CVE-2006-1512 REJECTED CVE-2006-1511 (Buffer overflow in the ILASM assembler in the Microsoft .NET 1.0 and 1 ...) NOT-FOR-US: Microsoft CVE-2006-1510 (Buffer overflow in calloc.c in the Microsoft Windows XP SP2 ntdll.dll ...) NOT-FOR-US: Microsoft CVE-2006-1509 (/sbin/passwd in HP-UX B.11.00, B.11.11, and B.11.23 before 20060326 "d ...) NOT-FOR-US: HP-UX CVE-2006-1508 (Multiple cross-site scripting (XSS) vulnerabilities in MH Software Con ...) NOT-FOR-US: MH Software Connect Daily Web Calendar CVE-2006-1507 (Cross-site scripting (XSS) vulnerability in PHPKIT 1.6.03 allows remot ...) NOT-FOR-US: PHPKIT CVE-2006-1506 (Unspecified vulnerability in rsh in Sun Microsystems Sun Grid Engine 5 ...) NOT-FOR-US: Sun Microsystems Sun Grid Engine 5.3 CVE-2006-1505 (base_maintenance.php in Basic Analysis and Security Engine (BASE) befo ...) - acidbase 1.2.4-1 (bug #361139) CVE-2006-1504 (Multiple cross-site scripting (XSS) vulnerabilities in Arab Portal 2.0 ...) NOT-FOR-US: Arab Portal CVE-2006-1503 (PHP remote file inclusion vulnerability in includes/functions_install. ...) NOT-FOR-US: Virtual Wa CVE-2006-1502 (Multiple integer overflows in MPlayer 1.0pre7try2 allow remote attacke ...) NOT-FOR-US: MPlayer NOTE: I can't find the vulnerable code in xine-lib CVE-2006-1501 (SQL injection vulnerability in index.php in OneOrZero 1.6.3.0 allows r ...) NOT-FOR-US: OneOrZero CVE-2006-1500 (SQL injection vulnerability in index.php in Tilde CMS 3.0 allows remot ...) NOT-FOR-US: Tilde CMS 3.0 CVE-2006-1499 (SQL injection vulnerability in vCounter.php in vCounter 1.0 allows rem ...) NOT-FOR-US: vCounter CVE-2006-1497 (Directory traversal vulnerability in index.php in ViHor Design allows ...) NOT-FOR-US: ViHor Design CVE-2006-1496 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Vi ...) NOT-FOR-US: ViHor Design CVE-2006-1495 (SQL injection vulnerability in general/sendpassword.php in (1) PHPColl ...) NOT-FOR-US: PHPCollab / NetOffice CVE-2006-1494 (Directory traversal vulnerability in file.c in PHP 4.4.2 and 5.1.2 all ...) - php4 4:4.4.4-1 (bug #361855; unimportant) - php5 5.1.4-0.1 (bug #361916; unimportant) NOTE: open_basedir violations are not supported CVE-2006-1493 (Cross-site scripting (XSS) vulnerability in dir.php in Explorer XP all ...) NOT-FOR-US: Explorer XP CVE-2006-1492 (Directory traversal vulnerability in dir.php in Explorer XP allows rem ...) NOT-FOR-US: Explorer XP CVE-2006-1489 (Multiple SQL injection vulnerabilities in FusionZONE CouponZONE local. ...) NOT-FOR-US: FusionZONE CouponZONE CVE-2005-4748 (PHP remote file include vulnerability in functions_admin.php in Virtua ...) NOT-FOR-US: Virtual War CVE-2006-XXXX [unixodbc rpath set to /home] - unixodbc 2.2.11-11 (bug #358142; low) [sarge] - unixodbc (rpath not set to /home in Sarge) CVE-2006-XXXX [fftw rpath set to user home] - fftw 2.1.3-17 (bug #358157; low) [sarge] - fftw (No rpath set in Sarge) CVE-2006-XXXX [gauche-config rpath set to user home] - gauche 0.8.7-1 (bug #358139; low) [sarge] - gauche (gauche-config is a shell script in Sarge) CVE-2006-XXXX [tcpquota rpath set to user home] - tcpquota 1.6.15-11 (bug #358369; low) [sarge] - tcpquota (Only exploitable with strange AFS cell name) CVE-2006-XXXX [hamlib3-perl rpath set to user home] - hamlib 1.2.5-3 (bug #358166; low) [sarge] - hamlib (Only exploitable with strange user name) CVE-2006-1550 (Multiple buffer overflows in the xfig import code (xfig-import.c) in D ...) {DSA-1025-1} - dia 0.94.0-18 (bug #360566) CVE-2006-1498 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.5.8 and ...) - mediawiki 1.4.15-1 - mediawiki1.5 1.5.8-1 CVE-2006-1491 (Eval injection vulnerability in Horde Application Framework versions 3 ...) {DSA-1034-1 DSA-1033-1} - horde3 3.1.1-1 (bug #361967) CVE-2006-1490 (PHP before 5.1.3-RC1 might allow remote attackers to obtain portions o ...) - php5 5.1.4-0.1 (bug #359907; low) - php4 4:4.4.2-1.1 (bug #359904; low) [sarge] - php4 (Application's responsibility to sanitize input) CVE-2006-1488 (ActiveCampaign SupportTrio 2.5 allows remote attackers to obtain the f ...) NOT-FOR-US: ActiveCampaign SupportTrio CVE-2006-1487 (Cross-site scripting (XSS) vulnerability in ActiveCampaign SupportTrio ...) NOT-FOR-US: ActiveCampaign SupportTrio CVE-2006-1486 (Multiple cross-site scripting (XSS) vulnerabilities in index.cfm in re ...) NOT-FOR-US: realestateZONE CVE-2006-1485 (gm-upload.cgi in Greymatter 1.3.1 allows remote authenticated users wi ...) NOT-FOR-US: Greymatter CVE-2006-1484 (Genius VideoCAM NB Driver does not drop privileges when saving files, ...) NOT-FOR-US: Genius VideoCAM NB Driver CVE-2006-1483 (Blazix Web Server before 1.2.6, when running on Windows, allows remote ...) NOT-FOR-US: Blazix Web Server CVE-2006-1482 (Cross-site scripting (XSS) vulnerability in index.php in ConfTool 1.1 ...) NOT-FOR-US: ConfTool CVE-2006-1481 (SQL injection vulnerability in search.php in PHP Ticket 0.71 allows re ...) NOT-FOR-US: PHP Ticket CVE-2006-1480 (Directory traversal vulnerability in start.php in WebAlbum 2.02 allows ...) NOT-FOR-US: WebAlbum CVE-2006-1479 (Multiple cross-site scripting (XSS) vulnerabilities in Serge Rey gtd-p ...) NOT-FOR-US: Serge Rey gtd-php CVE-2006-1478 (Directory traversal vulnerability in (1) initiate.php and (2) possibly ...) NOT-FOR-US: Turnkey Web Tools PHP Live Helper CVE-2006-1477 (Multiple PHP remote file inclusion vulnerabilities in Turnkey Web Tool ...) NOT-FOR-US: Turnkey Web Tools PHP Live Helper CVE-2006-1476 (Windows Firewall in Microsoft Windows XP SP2 produces incorrect applic ...) NOT-FOR-US: Windows Firewall CVE-2006-1475 (Windows Firewall in Microsoft Windows XP SP2 does not produce applicat ...) NOT-FOR-US: Windows Firewall CVE-2006-1474 (Cross-site scripting (XSS) vulnerability in the "failed" functionality ...) NOT-FOR-US: Raindance Web Conferencing Pro CVE-2006-1473 (Integer overflow in AFP Server for Apple Mac OS X 10.3.9 and 10.4.7 al ...) NOT-FOR-US: Apple CVE-2006-1472 (Unspecified vulnerability in AFP Server in Apple Mac OS X 10.3.9 allow ...) NOT-FOR-US: Apple CVE-2006-1471 (Format string vulnerability in the CF_syslog function launchd in Apple ...) NOT-FOR-US: Apple CVE-2006-1470 (OpenLDAP in Apple Mac OS X 10.4 up to 10.4.6 allows remote attackers t ...) - openldap2 (Vulnerable code not present) - openldap2.2 (medium) CVE-2006-1469 (Stack-based buffer overflow in ImageIO in Apple Mac OS X 10.4 up to 10 ...) NOT-FOR-US: Apple CVE-2006-1468 (Unspecified vulnerability in Apple File Protocol (AFP) server in Apple ...) NOT-FOR-US: Apple CVE-2006-1467 (Integer overflow in the AAC file parsing code in Apple iTunes before 6 ...) NOT-FOR-US: Apple iTunes CVE-2006-1466 (Xcode Tools before 2.3 for Mac OS X 10.4, when running the WebObjects ...) NOT-FOR-US: Apple CVE-2006-1465 (Buffer overflow in Apple QuickTime before 7.1 allows remote attackers ...) NOT-FOR-US: Apple CVE-2006-1464 (Buffer overflow in Apple QuickTime before 7.1 allows remote attackers ...) NOT-FOR-US: Apple CVE-2006-1463 (Heap-based buffer overflow in Apple QuickTime before 7.1 allows remote ...) NOT-FOR-US: Apple CVE-2006-1462 (Multiple integer overflows in Apple QuickTime before 7.1 allow remote ...) NOT-FOR-US: Apple CVE-2006-1461 (Multiple buffer overflows in Apple QuickTime before 7.1 allow remote a ...) NOT-FOR-US: Apple CVE-2006-1460 (Multiple buffer overflows in Apple QuickTime before 7.1 allow remote a ...) NOT-FOR-US: Apple CVE-2006-1459 (Multiple integer overflows in Apple QuickTime before 7.1 allow remote ...) NOT-FOR-US: Apple CVE-2006-1458 (Integer overflow in Apple QuickTime Player before 7.1 allows remote at ...) NOT-FOR-US: Apple CVE-2006-1457 (Safari on Apple Mac OS X 10.4.6, when "Open `safe' files after downloa ...) NOT-FOR-US: Apple CVE-2006-1456 (Buffer overflow in QuickTime Streaming Server in Apple Mac OS X 10.3.9 ...) NOT-FOR-US: Apple CVE-2006-1455 (QuickTime Streaming Server in Apple Mac OS X 10.3.9 and 10.4.6 allows ...) NOT-FOR-US: Apple CVE-2006-1454 (Heap-based buffer overflow in Apple QuickTime before 7.1 allows remote ...) NOT-FOR-US: Apple CVE-2006-1453 (Stack-based buffer overflow in Apple QuickTime before 7.1 allows remot ...) NOT-FOR-US: Apple CVE-2006-1452 (Stack-based buffer overflow in Preview in Apple Mac OS 10.4 up to 10.4 ...) NOT-FOR-US: Apple CVE-2006-1451 (MySQL Manager in Apple Mac OS X 10.3.9 and 10.4.6, when setting up a n ...) NOT-FOR-US: MySQL Manager CVE-2006-1450 (Mail in Apple Mac OS X 10.3.9 and 10.4.6 allows remote attackers to ex ...) NOT-FOR-US: Apple CVE-2006-1449 (Integer overflow in Mail in Apple Mac OS X 10.3.9 and 10.4.6 allows re ...) NOT-FOR-US: Apple CVE-2006-1448 (Finder in Apple Mac OS X 10.3.9 and 10.4.6 allows user-assisted attack ...) NOT-FOR-US: Apple CVE-2006-1447 (LaunchServices in Apple Mac OS X 10.4.6 allows remote attackers to cau ...) NOT-FOR-US: Apple CVE-2006-1446 (Keychain in Apple Mac OS X 10.3.9 and 10.4.6 might allow an applicatio ...) NOT-FOR-US: Apple CVE-2006-1445 (Buffer overflow in the FTP server (FTPServer) in Apple Mac OS X 10.3.9 ...) NOT-FOR-US: Apple CVE-2006-1444 (CoreGraphics in Apple Mac OS X 10.4.6, when "Enable access for assisti ...) NOT-FOR-US: Apple CVE-2006-1443 (Integer underflow in CoreFoundation in Apple Mac OS X 10.3.9 and 10.4. ...) NOT-FOR-US: Apple CVE-2006-1442 (The bundle API in CoreFoundation in Apple Mac OS X 10.3.9 and 10.4.6 l ...) NOT-FOR-US: Apple CVE-2006-1441 (Integer overflow in CFNetwork in Apple Mac OS X 10.4.6 allows remote a ...) NOT-FOR-US: Apple CVE-2006-1440 (BOM in Apple Mac OS X 10.3.9 and 10.4.6 allows attackers to overwrite ...) NOT-FOR-US: Apple CVE-2006-1439 (NSSecureTextField in AppKit in Apple Mac OS X 10.4.6 does not re-enabl ...) NOT-FOR-US: Apple CVE-2006-1438 (Multiple cross-site scripting (XSS) vulnerabilities in Andy's PHP Know ...) NOT-FOR-US: aphpkb CVE-2006-1437 (UPOINT @1 Event Publisher stores sensitive information under the web d ...) NOT-FOR-US: UPOINT CVE-2006-1436 (Multiple cross-site scripting (XSS) vulnerabilities in UPOINT @1 Event ...) NOT-FOR-US: UPOINT CVE-2006-1435 (Cross-site scripting (XSS) vulnerability in genmessage.php in Accounti ...) NOT-FOR-US: Accounting Receiving and Inventory Administration (ARIA), different from debian aria CVE-2006-1434 (Cross-site scripting (XSS) vulnerability in inscription.php in Annuair ...) NOT-FOR-US: Annuaire (Directory) CVE-2006-1433 (Annuaire (Directory) 1.0 allows remote attackers to obtain sensitive i ...) NOT-FOR-US: Annuaire (Directory) CVE-2006-1432 (fusionZONE couponZONE 4.2 allows remote attackers to obtain the full p ...) NOT-FOR-US: fusionZONE couponZONE CVE-2006-1431 (Cross-site scripting (XSS) vulnerability in local.cfm in fusionZONE co ...) NOT-FOR-US: fusionZONE couponZONE CVE-2006-1430 (Multiple cross-site scripting (XSS) vulnerabilities in CONTROLzx HMS ( ...) NOT-FOR-US: CONTROLzx HMS CVE-2006-1429 (Cross-site scripting (XSS) vulnerability in accountlogon.cfm in classi ...) NOT-FOR-US: classifiedZONE CVE-2006-1428 (Multiple cross-site scripting (XSS) vulnerabilities in phpCOIN 1.2.2 a ...) NOT-FOR-US: phpCOIN CVE-2006-1427 (Multiple cross-site scripting (XSS) vulnerabilities in WebAPP 0.9.9.3. ...) NOT-FOR-US: WebAPP CVE-2006-1426 (Multiple SQL injection vulnerabilities in Pixel Motion Blog allow remo ...) NOT-FOR-US: Blog Pixel Motion CVE-2006-1425 (Cross-site scripting (XSS) vulnerability in track.php in phpmyfamily 1 ...) NOT-FOR-US: phpmyfamily CVE-2006-1424 REJECTED CVE-2006-1423 (SQL injection vulnerability in showflat.php in UBB.threads 5.5.1, 6.0 ...) NOT-FOR-US: UBB.threads CVE-2006-1422 (SQL injection vulnerability in details_view.php in PHP Booking Calenda ...) NOT-FOR-US: PHP Booking Calendar CVE-2006-1421 (Multiple SQL injection vulnerabilities in akocomment.php in AkoComment ...) NOT-FOR-US: AkoComment CVE-2006-1420 (SQL injection vulnerability in print.php in SaphpLesson 2.0 allows rem ...) NOT-FOR-US: SaphpLesson CVE-2006-1419 (SQL injection vulnerability in the Calendar module in nuked-klan 1.7.5 ...) NOT-FOR-US: nuked-klan CVE-2006-1418 (Cross-site scripting (XSS) vulnerability in default.asp in Caloris Pla ...) NOT-FOR-US: Caloris Planitia E-School Management CVE-2006-1417 (Multiple cross-site scripting (XSS) vulnerabilities in Caloris Planiti ...) NOT-FOR-US: Caloris Planitia Online Quiz System CVE-2006-1416 (Cross-site scripting (XSS) vulnerability in afmsearch.aspx in Absolute ...) NOT-FOR-US: Absolute FAQ Manager .NET CVE-2006-1415 (Cross-site scripting (XSS) vulnerability in iforget.aspx in dotNetBB 2 ...) NOT-FOR-US: dotNetBB CVE-2006-1414 (Multiple cross-site scripting (XSS) vulnerabilities in toast.asp in To ...) NOT-FOR-US: Toast Forums CVE-2006-1413 (Multiple cross-site scripting (XSS) vulnerabilities in EZHomepagePro 1 ...) NOT-FOR-US: EZHomepagePro CVE-2006-1412 (TFT Gallery 0.10 stores sensitive information under the web root with ...) NOT-FOR-US: TFT Gallery CVE-2006-1411 (Cross-site scripting (XSS) vulnerability in Absolute Image Gallery XE ...) NOT-FOR-US: Absolute Image Gallery CVE-2006-1410 (Multiple cross-site scripting (XSS) vulnerabilities in XIGLA Absolute ...) NOT-FOR-US: XIGLA Absolute Live Support CVE-2006-1409 (Buffer overflow in Vavoom 1.19.1 and earlier allows remote attackers t ...) NOT-FOR-US: Vavoom NOTE: code in prboom and lxdoom looks completely different CVE-2006-1408 (Vavoom 1.19.1 and earlier allows remote attackers to cause a denial of ...) NOT-FOR-US: Vavoom NOTE: code in prboom and lxdoom looks completely different CVE-2006-1407 (Multiple cross-site scripting (XSS) vulnerabilities in Helm Web Hostin ...) NOT-FOR-US: Helm Web Hosting Control Panel CVE-2006-1406 (Multiple cross-site scripting (XSS) vulnerabilities in wbadmlog.aspx i ...) NOT-FOR-US: uniForum CVE-2006-1405 (Cross-site scripting (XSS) vulnerability in search.aspx in SweetSuite. ...) NOT-FOR-US: SweetSuite.NET Content Management System CVE-2006-1404 (Multiple cross-site scripting (XSS) vulnerabilities in bol.cgi in Blan ...) NOT-FOR-US: BlankOL CVE-2006-1403 (Format string vulnerability in the PrintString function in c_console.c ...) NOT-FOR-US: csDoom NOTE: prboom, lxdoom not affected CVE-2006-1402 (Buffer overflow in client/server Doom (csDoom) 0.7 and earlier allows ...) NOT-FOR-US: csDoom NOTE: prboom, lxdoom not affected CVE-2006-1401 (Multiple cross-site scripting (XSS) vulnerabilities in search.php in C ...) NOT-FOR-US: Calendar Express CVE-2006-1400 (Cross-site scripting (XSS) vulnerability in MyTasks/PersonalTaskEdit.a ...) NOT-FOR-US: Metisware Instructor CVE-2006-1399 (Cross-site scripting (XSS) vulnerability in searchresult.php in Meetin ...) NOT-FOR-US: Meeting Reserve CVE-2006-1398 (Cross-site scripting (XSS) vulnerability in guestbook.php in G-Book 1. ...) NOT-FOR-US: G-Book CVE-2006-1397 (Multiple cross-site scripting (XSS) vulnerabilities in (a) phpAdsNew a ...) NOT-FOR-US: phpAdsNew CVE-2005-4747 (Cross-site scripting (XSS) vulnerability in WebHost Automation Ltd Hel ...) NOT-FOR-US: WebHost Automation Ltd Helm CVE-2005-4746 (Multiple buffer overflows in FreeRADIUS 1.0.3 and 1.0.4 allow remote a ...) {DSA-1145-1} - freeradius 1.0.5-1 CVE-2005-4745 (SQL injection vulnerability in the rlm_sqlcounter module in FreeRADIUS ...) {DSA-1145-1} - freeradius 1.0.5-1 CVE-2005-4744 (Off-by-one error in the sql_error function in sql_unixodbc.c in FreeRA ...) {DSA-1089-1} - freeradius 1.0.5-1 CVE-1999-1587 (/usr/ucb/ps in Sun Microsystems Solaris 8 and 9, and certain earlier r ...) NOT-FOR-US: Solaris CVE-2006-1396 (Multiple cross-site scripting (XSS) vulnerabilities in Cholod MySQL Ba ...) NOT-FOR-US: Cholod CVE-2006-1395 (SQL injection vulnerability in mb.cgi in Cholod MySQL Based Message Bo ...) NOT-FOR-US: Cholod CVE-2006-1394 (Multiple cross-site scripting (XSS) vulnerabilities in the Microsoft I ...) NOT-FOR-US: Pubcookie CVE-2006-1393 (Multiple cross-site scripting (XSS) vulnerabilities in the mod_pubcook ...) NOT-FOR-US: Pubcookie CVE-2006-1392 (Multiple cross-site scripting (XSS) vulnerabilities in index.cgi in th ...) NOT-FOR-US: Pubcookie CVE-2006-1391 (The (a) Quick 'n Easy Web Server before 3.1.1 and (b) Baby ASP Web Ser ...) NOT-FOR-US: Quick 'n Easy/Baby Web Server CVE-2006-1390 (The configuration of NetHack 3.4.3-r1 and earlier, Falcon's Eye 1.9.4a ...) NOT-FOR-US: Shortcoming of Gentoo-specific games packaging CVE-2006-1389 (Unspecified vulnerability in swagentd in HP-UX B.11.00, B.11.04, and B ...) NOT-FOR-US: HP-UX CVE-2006-1388 (Unspecified vulnerability in Microsoft Internet Explorer 6.0 allows re ...) NOT-FOR-US: Internet Explorer CVE-2006-1387 (TWiki 4.0, 4.0.1, and 20010901 through 20040904 allows remote authenti ...) - twiki 1:4.0.4-3 (bug #367973) CVE-2006-1386 (The (1) rdiff and (2) preview scripts in TWiki 4.0 and 4.0.1 ignore ac ...) - twiki (only affects 4.0.0 - 4.1.0, version in Debian too young) CVE-2006-1385 (Stack-based buffer overflow in the parseTaggedData function in WavePac ...) NOT-FOR-US: Cisco CVE-2006-1384 (Cross-site scripting (XSS) vulnerability in apwc_win_main.jsp in the w ...) NOT-FOR-US: IBM Tivoli Business Systems Manager CVE-2006-1383 (Directory traversal vulnerability in Baby FTP Server (BabyFTP) 1.24 al ...) NOT-FOR-US: Baby FTP Server CVE-2006-1382 (PHP remote file inclusion vulnerability in impex/ImpExData.php in vBul ...) NOT-FOR-US: vBulletin CVE-2006-1381 (Trend Micro OfficeScan 5.5, and probably other versions before 6.5, us ...) NOT-FOR-US: Trend Micro CVE-2006-1380 (ISNTSmtp directory in Trend Micro InterScan Messaging Security Suite ( ...) NOT-FOR-US: Trend Micro CVE-2006-1379 (Trend Micro PC-cillin Internet Security 2006 14.00.1485 and 14.10.0.10 ...) NOT-FOR-US: Trend Micro CVE-2003-1300 (Baby FTP Server (BabyFTP) 1.2, and possibly other versions before May ...) NOT-FOR-US: Baby FTP Server CVE-2003-1299 (Directory traversal vulnerability in Baby FTP Server 1.2, and possibly ...) NOT-FOR-US: Baby FTP Server CVE-2002-2209 (Unspecified "security vulnerability" in Baby FTP Server versions befor ...) NOT-FOR-US: Baby FTP Server CVE-2006-1378 (PasswordSafe 3.0 beta, when running on Windows before XP, uses a weak ...) NOT-FOR-US: PasswordSafe CVE-2006-1377 (Cross-site scripting (XSS) vulnerability in img.php in (1) EasyMoblog ...) NOT-FOR-US: EasyMoblog CVE-2006-1376 (The installation of Debian GNU/Linux 3.1r1 from the network install CD ...) [sarge] - shadow 1:4.0.3-31sarge8 [sarge] - base-config NOTE: The installer is fixed separately, but the postinst of the shadow update NOTE: corrects permissions of a faulty install - shadow 1:4.0.14-9 (bug #358210; bug #356939) - base-config 2.68 (bug #254068; low) CVE-2006-1375 (AdMan 1.0.20051221 and earlier allows remote attackers to obtain the f ...) NOT-FOR-US: AdMan CVE-2006-1374 (SQL injection vulnerability in viewStatement.php in AdMan 1.0.20051221 ...) NOT-FOR-US: AdMan CVE-2006-1373 (Cross-site scripting (XSS) vulnerability in status_image.php in PHP Li ...) NOT-FOR-US: PHP Live! CVE-2006-1372 (Multiple SQL injection vulnerabilities in 1WebCalendar 4.0 and earlier ...) NOT-FOR-US: 1WebCalendar CVE-2006-1371 (Laurentiu Matei eXpandable Home Page (XHP) CMS 0.5 and earlier allows ...) NOT-FOR-US: Laurentiu Matei eXpandable Home Page CVE-2006-1370 (Buffer overflow in RealNetworks RealPlayer 10.5 6.0.12.1040 through 6. ...) NOT-FOR-US: Real Player, according to Real Helix not affected CVE-2006-1369 (Cross-site scripting (XSS) vulnerability in Invision Power Board (IPB) ...) NOT-FOR-US: Invision Power Board CVE-2006-1368 (Buffer overflow in the USB Gadget RNDIS implementation in the Linux ke ...) {DSA-1103 DSA-1097-1} - linux-2.6 2.6.16-1 CVE-2006-1367 (The Motorola PEBL U6 08.83.76R, the Motorola V600, and possibly the Mo ...) NOT-FOR-US: Motorola hardware CVE-2006-1366 (Buffer overflow in the Motorola PEBL U6 08.83.76R, and possibly other ...) NOT-FOR-US: Motorola hardware CVE-2006-1365 (The Motorola PEBL U6, the Motorola V600, and possibly the Motorola E39 ...) NOT-FOR-US: Motorola hardware CVE-2006-1364 (Microsoft w3wp (aka w3wp.exe) does not properly handle when the AspCom ...) NOT-FOR-US: Microsoft CVE-2006-1363 (images.php in Justin White (aka YTZ) Free Web Publishing System (FreeW ...) NOT-FOR-US: Justin White (aka YTZ) Free Web Publishing System CVE-2006-1362 (Multiple SQL injection vulnerabilities in Mini-Nuke CMS System 1.8.2 a ...) NOT-FOR-US: Mini-Nuke CVE-2006-1361 (Cross-site scripting (XSS) vulnerability in OSWiki before 0.3.1 allows ...) NOT-FOR-US: OSWiki CVE-2006-1360 (Multiple SQL injection vulnerabilities in MusicBox 2.3 Beta 2 allow re ...) NOT-FOR-US: MusicBox CVE-2006-1359 (Microsoft Internet Explorer 6 and 7 Beta 2 allows remote attackers to ...) NOT-FOR-US: Microsoft CVE-2006-1358 (Unspecified vulnerability in BEA WebLogic Portal 8.1 up to SP5 causes ...) NOT-FOR-US: BEA WebLogic CVE-2006-1357 (Cross-site scripting (XSS) vulnerability in my.support.php3 in F5 Fire ...) NOT-FOR-US: F5 Firepass 4100 SSL VPN CVE-2006-1356 (Stack-based buffer overflow in the count_vcards function in LibVC 3, a ...) - libvc 003-4 CVE-2006-1355 (avast! Antivirus 4.6.763 and earlier sets "BUILTIN\Everyone" permissio ...) NOT-FOR-US: avast AV CVE-2006-1354 (Unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows remot ...) {DSA-1089-1} - freeradius 1.1.0-1.2 (bug #359042; high) CVE-2006-1353 (Multiple SQL injection vulnerabilities in ASPPortal 3.1.1 and earlier ...) NOT-FOR-US: ASPPortal CVE-2006-1352 (BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, 7.0 SP6 ...) NOT-FOR-US: BEA WebLogic CVE-2006-1351 (BEA WebLogic Server 6.1 SP7 and earlier allows remote attackers to rea ...) NOT-FOR-US: BEA WebLogic CVE-2006-1350 (PHP remote file include vulnerability in index.php in 99Articles.com ( ...) NOT-FOR-US: 99Articles.com CVE-2006-1349 (Multiple cross-site scripting (XSS) vulnerabilities in Musicbox 2.3 Be ...) NOT-FOR-US: MusicBox CVE-2006-1348 (Cross-site scripting (XSS) vulnerability in index.php in Greg Neustaet ...) NOT-FOR-US: Greg Neustaetter gCards CVE-2006-1347 (SQL injection vulnerability in loginfunction.php in Greg Neustaetter g ...) NOT-FOR-US: Greg Neustaetter gCards CVE-2006-1346 (Directory traversal vulnerability in inc/setLang.php in Greg Neustaett ...) NOT-FOR-US: Greg Neustaetter gCards CVE-2006-1345 (polls.php in MyBB (aka MyBulletinBoard) 1.10 allows remote attackers t ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-1344 (Cross-site scripting (XSS) vulnerability in VeriSign haydn.exe, as use ...) NOT-FOR-US: VeriSign haydn.exe CVE-2006-1343 (net/ipv4/netfilter/ip_conntrack_core.c in Linux kernel 2.4 and 2.6, an ...) {DSA-1184-2 DSA-1097-1} - linux-2.6 2.6.16-15 CVE-2006-1342 (net/ipv4/af_inet.c in Linux kernel 2.4 does not clear sockaddr_in.sin_ ...) - linux-2.6 (Only affects 2.4 kernels) CVE-2003-1298 (Multiple directory traversal vulnerabilities in siteman.php3 in AnyPor ...) NOT-FOR-US: Veritas Backup CVE-2000-1240 (Unspecified vulnerability in siteman.php3 in AnyPortal(php) before 22 ...) NOT-FOR-US: AnyPortal CVE-2006-1341 (SQL injection vulnerability in events.php in Maian Events 1.0 allows r ...) NOT-FOR-US: Maian Events CVE-2006-1340 (CuteNews 1.4.1 and possibly other versions allows remote attackers to ...) NOT-FOR-US: CuteNews CVE-2006-1339 (Directory traversal vulnerability in inc/functions.inc.php in CuteNews ...) NOT-FOR-US: CuteNews CVE-2006-1338 (Webmail in MailEnable Professional Edition before 1.73 and Enterprise ...) NOT-FOR-US: MailEnable CVE-2006-1337 (Buffer overflow in the POP 3 (POP3) service in MailEnable Standard Edi ...) NOT-FOR-US: MailEnable CVE-2006-1336 (Cross-site scripting vulnerability in calendar.php in ExtCalendar 1.0 ...) NOT-FOR-US: ExtCalendar CVE-2006-1335 (gnome screensaver before 2.14, when running on an X server with AllowD ...) - gnome-screensaver 2.14.1-1 (bug #357885) CVE-2006-1334 (Multiple SQL injection vulnerabilities in Maian Weblog 2.0 allow remot ...) NOT-FOR-US: Maian Weblog CVE-2006-1333 (Multiple SQL injection vulnerabilities in BetaParticle Blog 6.0 and ea ...) NOT-FOR-US: BetaParticle Blog CVE-2006-1332 (Noah's Classifieds 1.3 and earlier allows remote attackers to obtain s ...) NOT-FOR-US: Noah's Classifieds CVE-2006-1331 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in No ...) NOT-FOR-US: Noah's Classifieds CVE-2006-1330 (Multiple SQL injection vulnerabilities in phpWebsite 0.83 and earlier ...) NOT-FOR-US: phpWebsite CVE-2006-1329 (The SASL negotiation in Jabber Studio jabberd before 2.0s11 allows rem ...) - jabberd2 2.0s11-1 (bug #357874) CVE-2006-1328 (SQL injection vulnerability in count.php in Skull-Splitter PHP Downloa ...) NOT-FOR-US: Skull-Splitter PHP CVE-2006-1327 (SQL injection vulnerability in reg.php in SoftBB 0.1 allows remote att ...) NOT-FOR-US: SoftBB CVE-2006-1326 (Multiple cross-site scripting (XSS) vulnerabilities in Invision Power ...) NOT-FOR-US: Invision Power Board CVE-2006-1325 (Cross-site scripting (XSS) vulnerability in Streber 0.055 allows remot ...) NOT-FOR-US: Streber CVE-2006-1324 (Cross-site scripting (XSS) vulnerability in acp/lib/class_db_mysql.php ...) NOT-FOR-US: Woltlab Burning Board CVE-2006-1323 (Directory traversal vulnerability in WinHKI 1.6 and earlier allows use ...) NOT-FOR-US: WinHKI CVE-2006-1322 (Novell Netware NWFTPD 5.06.05 allows remote attackers to cause a denia ...) NOT-FOR-US: Netware CVE-2006-1318 (Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, Off ...) NOT-FOR-US: Microsoft Office CVE-2006-1317 REJECTED CVE-2006-1316 (Unspecified vulnerability in Microsoft Office 2003 SP1 and SP2, Office ...) NOT-FOR-US: Microsoft CVE-2006-1315 (The Server Service (SRV.SYS driver) in Microsoft Windows 2000 SP4, XP ...) NOT-FOR-US: Microsoft CVE-2006-1314 (Heap-based buffer overflow in the Server Service (SRV.SYS driver) in M ...) NOT-FOR-US: Microsoft CVE-2006-1313 (Microsoft JScript 5.1, 5.5, and 5.6 on Windows 2000 SP4, and 5.6 on Wi ...) NOT-FOR-US: Microsoft JScript CVE-2006-1312 REJECTED CVE-2006-1311 (The RichEdit component in Microsoft Windows 2000 SP4, XP SP2, and 2003 ...) NOT-FOR-US: Microsoft CVE-2006-1310 REJECTED CVE-2006-1309 (Microsoft Excel 2000 through 2004 allows user-assisted attackers to ex ...) NOT-FOR-US: Microsoft CVE-2006-1308 (Unspecified vulnerability in Microsoft Excel 2000 through 2004 allows ...) NOT-FOR-US: Microsoft CVE-2006-1307 REJECTED CVE-2006-1306 (Microsoft Excel 2000 through 2004 allows user-assisted attackers to ex ...) NOT-FOR-US: Microsoft CVE-2006-1305 (Microsoft Outlook 2000, 2002, and 2003 allows user-assisted remote att ...) NOT-FOR-US: Microsoft CVE-2006-1304 (Buffer overflow in Microsoft Excel 2000 through 2003 allows user-assis ...) NOT-FOR-US: Microsoft CVE-2006-1303 (Multiple unspecified vulnerabilities in Microsoft Internet Explorer 5. ...) NOT-FOR-US: Microsoft CVE-2006-1302 (Buffer overflow in Microsoft Excel 2000 through 2003 allows user-assis ...) NOT-FOR-US: Microsoft CVE-2006-1301 (Microsoft Excel 2000 through 2004 allows user-assisted attackers to ex ...) NOT-FOR-US: Microsoft CVE-2006-1300 (Microsoft .NET framework 2.0 (ASP.NET) in Microsoft Windows 2000 SP4, ...) NOT-FOR-US: Microsoft CVE-2006-1299 REJECTED CVE-2006-1298 (Format string vulnerability in the Job Engine service (bengine.exe) in ...) NOT-FOR-US: Veritas Backup CVE-2006-1297 (Unspecified vulnerability in Veritas Backup Exec for Windows Server Re ...) NOT-FOR-US: Veritas Backup CVE-2006-1296 (Untrusted search path vulnerability in Beagle 0.2.2.1 might allow loca ...) - beagle 0.2.3-1 (bug #357392; low) CVE-2006-1295 (Cross-site scripting (XSS) vulnerability in recherche.php3 in SPIP 1.8 ...) - spip 2.0.6-1 CVE-2006-1294 (PHP remote file include vulnerability in PageController.php in Knowled ...) NOT-FOR-US: KnowledgebasePublisher CVE-2006-1293 (Cross-site scripting (XSS) vulnerability in index.php in Contrexx CMS ...) NOT-FOR-US: Contrexx CVE-2006-1292 (Directory traversal vulnerability in Jim Hu and Chad Little PHP iCalen ...) NOT-FOR-US: Jim Hu and Chad Little PHP iCalendar CVE-2006-1291 (publish.ical.php in Jim Hu and Chad Little PHP iCalendar 2.21 and earl ...) NOT-FOR-US: Jim Hu and Chad Little PHP iCalendar CVE-2006-1290 (Multiple cross-site scripting (XSS) vulnerabilities in Milkeyway Capti ...) NOT-FOR-US: Milkeyway Captive Portal CVE-2006-1289 (Multiple SQL injection vulnerabilities in Milkeyway Captive Portal 0.1 ...) NOT-FOR-US: Milkeyway Captive Portal CVE-2006-1288 (Multiple SQL injection vulnerabilities in Invision Power Board (IPB) 2 ...) NOT-FOR-US: Invision Power Board CVE-2006-1287 (Cross-site scripting (XSS) vulnerability in Invision Power Board (IPB) ...) NOT-FOR-US: Invision Power Board CVE-2006-1286 (Buffer overflow in the login dialog in dbisqlc.exe in SQLAnywhere for ...) NOT-FOR-US: Symantec Ghost CVE-2006-1285 (SQLAnywhere in Symantec Ghost 8.0 and 8.2, as used in Symantec Ghost S ...) NOT-FOR-US: Symantec Ghost CVE-2006-1284 (The installation of SQLAnywhere in Symantec Ghost 8.0 and 8.2, as used ...) NOT-FOR-US: Symantec Ghost CVE-2006-1283 (opiepasswd in One-Time Passwords in Everything (OPIE) in FreeBSD 4.10- ...) - libpam-opie (FreeBSD specific vulnerability) CVE-2006-1282 (CRLF injection vulnerability in inc/function.php in MyBulletinBoard (M ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-1281 (Cross-site scripting (XSS) vulnerability in member.php in MyBulletinBo ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-1280 (CGI::Session 4.03-1 does not set proper permissions on temporary files ...) - libcgi-session-perl 4.07-1 (low; bug #356555) [sarge] - libcgi-session-perl (Minor issues) CVE-2006-1279 (CGI::Session 4.03-1 allows local users to overwrite arbitrary files vi ...) - libcgi-session-perl 4.11-1 (low; bug #356555) [sarge] - libcgi-session-perl (Minor issues) CVE-2006-1278 (SQL injection vulnerability in @1 File Store 2006.03.07 allows remote ...) NOT-FOR-US: @1 File Store CVE-2006-1277 (Cross-site scripting (XSS) vulnerability in signup.php in @1 File Stor ...) NOT-FOR-US: @1 File Store CVE-2006-1276 (admin.php in Himpfen Consulting Company PHP SimpleNEWS 1.0.0 allows re ...) NOT-FOR-US: PHP SimpleNEWS CVE-2006-1275 (GGZ Gaming Zone 0.0.12 allows remote attackers to cause a denial of se ...) NOT-FOR-US: GGZ Gaming Zone CVE-2006-1274 (Classic Planer in AntiVir PersonalEdition Classic 7 does not drop priv ...) NOT-FOR-US: Antivir CVE-2006-1273 NOT-FOR-US: Reportedly problem with a firefox addon CVE-2006-1272 (Multiple cross-site scripting (XSS) vulnerabilities in member.php in M ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-1271 (SQL injection vulnerability in index.php in OxyNews allows remote atta ...) NOT-FOR-US: OxyNews CVE-2006-1270 (Multiple cross-site scripting (XSS) vulnerabilities in zones.php in In ...) NOT-FOR-US: Inprotect CVE-2006-1269 (Buffer overflow in the parse function in parse.c in zoo 2.10 might all ...) - zoo 2.10-18 (bug #367858; low) [sarge] - zoo (Attack vector very far-fetched, hardly exploitable) CVE-2006-1268 (The Internet Key Exchange implementation in Funkwerk X2300 7.2.1 allow ...) NOT-FOR-US: Funkwerk X2300 CVE-2006-1267 (Invision Power Board 2.1.4 allows remote attackers to hijack sessions ...) NOT-FOR-US: Invision Power Board CVE-2006-1266 (Cross-site scripting (XSS) vulnerability in Service_Requests.asp in VP ...) NOT-FOR-US: VPMi Enterprise CVE-2006-1265 (SQL injection vulnerability in discussion.class.php in xhawk.net discu ...) NOT-FOR-US: xhawk.net discussion CVE-2006-1264 (Cross-site scripting (XSS) vulnerability in xhawk.net discussion 2.0 b ...) NOT-FOR-US: xhawk.net discussion CVE-2006-1263 (Multiple "unannounced" cross-site scripting (XSS) vulnerabilities in W ...) - wordpress 2.0.2-1 CVE-2006-1262 (Multiple SQL injection vulnerabilities in ASPPortal 3.00 have unknown ...) NOT-FOR-US: ASPPortal CVE-2006-1261 (Multiple cross-site scripting (XSS) vulnerabilities in ASPPortal 3.00 ...) NOT-FOR-US: ASPPortal CVE-2006-1260 (Horde Application Framework 3.0.9 allows remote attackers to read arbi ...) {DSA-1034-1 DSA-1033-1} - horde3 3.1-1 (bug #358812) CVE-2006-1259 (Multiple SQL injection vulnerabilities in Maian Support 1.0 allow remo ...) NOT-FOR-US: Maian Support CVE-2006-1258 (Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.0.1 allows ...) - phpmyadmin 4:2.8.0.2-2 (bug #382228) [sarge] - phpmyadmin (Vulnerable code not present) CVE-2006-1257 (The sample files in the authfiles directory in Microsoft Commerce Serv ...) NOT-FOR-US: Microsoft CVE-2006-1256 (Cross-site scripting (XSS) vulnerability in guestbook.php in Soren Boy ...) NOT-FOR-US: Soren Boysen (SkullSplitter) PHP Guestbook CVE-2006-1255 (Stack-based buffer overflow in the IMAP service in Mercur Messaging 5. ...) NOT-FOR-US: Mercur Messaging CVE-2006-1254 (Unspecified vulnerability in BorderWare MXtreme 5.0 and 6.0 allows rem ...) NOT-FOR-US: BorderWare MXtreme CVE-2006-1253 (Unspecified vulnerability in glFTPd before 2.01 RC5 allows remote atta ...) NOT-FOR-US: glFTPd CVE-2006-1252 (Eval injection vulnerability in cal.php in Light Weight Calendar (LWC) ...) NOT-FOR-US: Light Weight Calendar CVE-2006-1251 (Argument injection vulnerability in greylistclean.cron in sa-exim 4.2 ...) - sa-exim 4.2.1-1 (bug #345071; bug #356301) CVE-2006-1250 (Unspecified vulnerability in the Webmail module in Winmail before 4.3 ...) NOT-FOR-US: Winmail CVE-2006-1249 (Integer overflow in Apple QuickTime Player 7.0.3 and 7.0.4 and iTunes ...) NOT-FOR-US: Apple Quicktime CVE-2006-1248 (Unspecified vulnerability in usermod in HP-UX B.11.00, B.11.11, and B. ...) NOT-FOR-US: HP-UX CVE-2006-1247 (rm_mlcache_file in bos.rte.install in AIX 5.1.0 through 5.3.0 allows l ...) NOT-FOR-US: AIX CVE-2006-1246 (Unspecified vulnerability in mklvcopy in BOS.RTE.LVM in IBM AIX 5.3 al ...) NOT-FOR-US: AIX CVE-2006-1245 (Buffer overflow in mshtml.dll in Microsoft Internet Explorer 6.0.2900. ...) NOT-FOR-US: Microsoft CVE-2005-4743 (Multiple SQL injection vulnerabilities in index.php in NeLogic Nephp P ...) NOT-FOR-US: NeLogic Nephp Publisher CVE-2005-4742 (Unspecified vulnerability in Echelog 0.6.2 allows attackers to "exploi ...) NOT-FOR-US: Echelog CVE-2005-4741 (NetBSD 1.6, NetBSD 2.0 through 2.1, and NetBSD-current before 20051031 ...) NOT-FOR-US: NetBSD CVE-2005-4740 (IBM DB2 Universal Database (UDB) 810 before version 8 FixPak 10 allows ...) NOT-FOR-US: IBM DB2 CVE-2005-4739 (IBM DB2 Universal Database (UDB) 820 before version 8 FixPak 10 (s0508 ...) NOT-FOR-US: IBM DB2 CVE-2005-4738 (IBM DB2 Universal Database (UDB) 810 before ESE AIX 5765F4100 does not ...) NOT-FOR-US: IBM DB2 CVE-2005-4737 (IBM DB2 Universal Database (UDB) 820 before ESE AIX 5765F4100 allows r ...) NOT-FOR-US: IBM DB2 CVE-2005-4736 (IBM DB2 Universal Database (UDB) 820 before 8.2 FP10 allows remote aut ...) NOT-FOR-US: IBM DB2 CVE-2005-4735 (IBM DB2 Universal Database (UDB) 810 before 8.1 FP10 allows remote aut ...) NOT-FOR-US: IBM DB2 CVE-2005-4734 (Stack-based buffer overflow in IISWebAgentIF.dll in RSA Authentication ...) NOT-FOR-US: RSA Authentication Agent for Web CVE-2005-4733 (NetBSD 2.0 before 20050316 and NetBSD-current before 20050112 allow lo ...) NOT-FOR-US: NetBSD CVE-2005-4732 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Tu ...) NOT-FOR-US: TuxBank CVE-2003-1297 (Easy File Sharing (EFS) Web Server 1.2 stores the (1) option.ini (aka ...) NOT-FOR-US: Easy File Sharing (EFS) Web Server CVE-2003-1296 (Easy File Sharing (EFS) Web Server 1.2 allows remote authenticated use ...) NOT-FOR-US: Easy File Sharing (EFS) Web Server CVE-2005-XXXX [xsupplicant information leak] - xsupplicant 1.0.1-5 (bug #317703; low) CVE-2006-1244 (Unspecified vulnerability in certain versions of xpdf after 3.00, as u ...) {DSA-1019-1 DSA-982-1} - xpdf (All issues previously fixed) NOTE: Discussion has shown that the revamp patch doesn't fix new vulnerabilities - gpdf 2.10.0-3 - koffice 2.3.3-1 NOTE: xpdf (and therewith the questionable code) is not part of koffice for some time now CVE-2006-1243 (Directory traversal vulnerability in install05.php in Simple PHP Blog ...) NOT-FOR-US: Simple PHP Blog CVE-2006-1242 (The ip_push_pending_frames function in Linux 2.4.x and 2.6.x before 2. ...) {DSA-1103 DSA-1097-1} - linux-2.6 2.6.16-4 CVE-2006-1241 (Firebird 1.5.2.4731 installs (1) fb_lock_mgr, (2) gds_drop, and (3) fb ...) - firebird2 (Not setuid in Debian) CVE-2006-1240 (Buffer overflow in inet_server.cpp in (1) fb_inet_server and (2) fbser ...) - firebird2 (Not setuid in Debian) CVE-2006-1239 (Cross-site scripting (XSS) vulnerability in issue/createissue.aspx in ...) NOT-FOR-US: Gemini CVE-2006-1238 (SQL injection vulnerability in DSLogin 1.0, with magic_quotes_gpc disa ...) NOT-FOR-US: DSLogin CVE-2006-1237 (Multiple SQL injection vulnerabilities in DSNewsletter 1.0, with magic ...) NOT-FOR-US: DSNewsletter CVE-2005-4731 (The Next action in PEAR HTML_QuickForm_Controller 1.0.4 includes the S ...) NOT-FOR-US: PEAR HTML_QuickForm_Controller CVE-2000-1239 (The HTTP interface of Tivoli Lightweight Client Framework (LCF) in IBM ...) NOT-FOR-US: Tivoli CVE-2006-1236 (Buffer overflow in the SetUp function in socket/request.c in CrossFire ...) {DSA-1009-1} - crossfire 1.9.0-2 (medium) CVE-2006-1235 (Directory traversal vulnerability in admin/deleteuser.php in HitHost 1 ...) NOT-FOR-US: HitHost CVE-2006-1234 (SQL injection vulnerability in index.php in DSCounter 1.2, with magic_ ...) NOT-FOR-US: DSCounter CVE-2006-1233 (Multiple cross-site scripting (XSS) vulnerabilities in WMNews allow re ...) NOT-FOR-US: WMNews CVE-2006-1232 (Multiple SQL injection vulnerabilities in DSDownload 1.0, with magic_q ...) NOT-FOR-US: DSDownload CVE-2006-1231 (CAPI4HylaFAX 1.3, when compiled with GENERATE_DEBUGSFFDATAFILE set, al ...) - capi4hylafax (Affected DEFINE not defined) CVE-2006-1230 (Multiple cross-site scripting (XSS) vulnerabilities in create.php in v ...) NOT-FOR-US: vCard CVE-2006-1229 (SQL injection vulnerability in search.asp in Hosting Controller 6.1 (H ...) NOT-FOR-US: Hosting Controller CVE-2006-1228 (Session fixation vulnerability in Drupal 4.5.x before 4.5.8 and 4.6.x ...) {DSA-1007-1} - drupal 4.5.8-1 CVE-2006-1227 (Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8, when menu.module is ...) {DSA-1007-1} - drupal 4.5.8-1 CVE-2006-1226 (Cross-site scripting (XSS) vulnerability in Drupal 4.5.x before 4.5.8 ...) {DSA-1007-1} - drupal 4.5.8-1 CVE-2006-1225 (CRLF injection vulnerability in Drupal 4.5.x before 4.5.8 and 4.6.x be ...) {DSA-1007-1} - drupal 4.5.8-1 CVE-2006-1224 (Directory traversal vulnerability in dwnld.php in GuppY 4.5.11 allows ...) NOT-FOR-US: GuppY CVE-2006-1223 (Cross-site scripting (XSS) vulnerability in Jupiter Content Manager 1. ...) NOT-FOR-US: Jupiter Content Manager CVE-2006-1222 (Multiple cross-site scripting (XSS) vulnerabilities in zeroboard 4.1 p ...) NOT-FOR-US: zeroboard CVE-2006-1221 (Untrusted search path vulnerability in the TrueVector service (VSMON.e ...) NOT-FOR-US: TrueVector CVE-2005-4730 (Unspecified vulnerability in PEAR Text_Password 1.0 has unknown impact ...) NOT-FOR-US: PEAR Text_Password CVE-2006-XXXX [Insufficient filename sanitising in darcsweb] - darcsweb 0.15-1 CVE-2006-1220 (Integer overflow in the mach_msg_send function in the kernel for Mac O ...) NOT-FOR-US: MacOS X CVE-2006-1219 (Directory traversal vulnerability in Gallery 2.0.3 and earlier, and 2. ...) - gallery2 2.0.4-1 CVE-2006-1218 (Unspecified vulnerability in the HTTP proxy in Novell BorderManager 3. ...) NOT-FOR-US: Novell BorderManager CVE-2006-1217 (SQL injection vulnerability in DSPoll 1.1 allows remote attackers to e ...) NOT-FOR-US: DSPoll CVE-2006-1216 (Cross-site scripting (XSS) vulnerability in bigshow.php in Runcms 1.x ...) NOT-FOR-US: Runcms CVE-2006-1215 (Cross-site scripting (XSS) vulnerability in misc.php in Woltlab Burnin ...) NOT-FOR-US: Woltlab BB CVE-2006-1214 (UnrealIRCd 3.2.3 allows remote attackers to cause an unspecified denia ...) NOT-FOR-US: UnrealIRCd CVE-2006-1213 (JiRo's Banner System Experience and Professional 1.0 and earlier allow ...) NOT-FOR-US: JiRo's Banner System Experience and Professional CVE-2006-1212 (Unspecified vulnerability in index.php in Core CoreNews 2.0.1 allows r ...) NOT-FOR-US: CoreNews CVE-2006-1211 (IBM Tivoli Micromuse Netcool/NeuSecure 3.0.236 configures a MySQL data ...) NOT-FOR-US: Tivoli CVE-2006-1210 (The web interface for IBM Tivoli Micromuse Netcool/NeuSecure 3.0.236 i ...) NOT-FOR-US: Tivoli CVE-2006-1209 (PHP Advanced Transfer Manager 1.00 through 1.30 stores sensitive infor ...) NOT-FOR-US: PHP Advanced Transfer Manager CVE-2006-1208 (Sergey Korostel PHP Upload Center allows remote attackers to execute a ...) NOT-FOR-US: Sergey Korostel PHP Upload Center CVE-2006-1207 (PHP Upload Center stores password hashes under the web root with insuf ...) NOT-FOR-US: PHP Upload Center CVE-2006-1206 (Matt Johnston Dropbear SSH server 0.47 and earlier, as used in embedde ...) - dropbear 0.48-1 CVE-2006-1205 (Multiple cross-site scripting (XSS) vulnerabilities in myWebland myBlo ...) NOT-FOR-US: myBloggie CVE-2006-1204 (Multiple cross-site scripting (XSS) vulnerabilities in txtForum 1.0.4- ...) NOT-FOR-US: txtForum CVE-2006-1203 (PHP remote file include vulnerability in common.php in txtForum 1.0.4- ...) NOT-FOR-US: txtForum CVE-2006-1202 (Multiple cross-site scripting (XSS) vulnerabilities in textfileBB 1.0 ...) NOT-FOR-US: textfileBB CVE-2006-1201 (Directory traversal vulnerability in resetpw.php in eschew.net phpBann ...) NOT-FOR-US: phpBannerExchange CVE-2006-1200 (Direct static code injection vulnerability in add_link.txt in daverave ...) NOT-FOR-US: daverave Link Bank CVE-2006-1199 (Cross-site scripting (XSS) vulnerability in iframe.php in daverave Lin ...) NOT-FOR-US: daverave Link Bank CVE-2006-1198 (Comvigo IM Lock 2006 uses a simple substitution cipher to encrypt a pa ...) NOT-FOR-US: Comvigo IM Lock CVE-2006-1197 (SafeDisc installs the driver service for the secdrv.sys driver with in ...) NOT-FOR-US: SafeDisc CVE-2006-1196 (Multiple cross-site scripting (XSS) vulnerabilities in QwikiWiki 1.5 a ...) NOT-FOR-US: QwikiWiki CVE-2006-1195 (The enet_protocol_handle_send_fragment function in protocol.c for ENet ...) NOT-FOR-US: Enet lib (Cube, Sauerbraten) CVE-2006-1194 (Integer signedness error in the enet_protocol_handle_incoming_commands ...) NOT-FOR-US: Enet lib (Cube, Sauerbraten) CVE-2006-1193 (Cross-site scripting (XSS) vulnerability in Microsoft Exchange Server ...) NOT-FOR-US: Microsoft Exchange Server CVE-2006-1192 (Microsoft Internet Explorer 5.01 through 6 allows remote attackers to ...) NOT-FOR-US: Microsoft CVE-2006-1191 (Microsoft Internet Explorer 5.01 through 6 does not always correctly i ...) NOT-FOR-US: Microsoft CVE-2006-1190 (Microsoft Internet Explorer 5.01 through 6 does not always return the ...) NOT-FOR-US: Microsoft CVE-2006-1189 (Buffer overflow in URLMON.DLL in Microsoft Internet Explorer 5.01 thro ...) NOT-FOR-US: Microsoft CVE-2006-1188 (Microsoft Internet Explorer 5.01 through 6 allows remote attackers to ...) NOT-FOR-US: Microsoft CVE-2006-1187 REJECTED CVE-2006-1186 (Microsoft Internet Explorer 5.01 through 6 allows remote attackers to ...) NOT-FOR-US: Microsoft CVE-2006-1185 (Unspecified vulnerability in Microsoft Internet Explorer 5.01 through ...) NOT-FOR-US: Microsoft CVE-2006-1184 (Microsoft Distributed Transaction Coordinator (MSDTC) for Windows NT 4 ...) NOT-FOR-US: Microsoft CVE-2006-1183 (The Ubuntu 5.10 installer does not properly clear passwords from the i ...) - base-config (UBuntu specific) - shadow (UBuntu specific) CVE-2006-1182 (Adobe Graphics Server 2.0 and 2.1 (formerly AlterCast) and Adobe Docum ...) NOT-FOR-US: Adobe Graphics Server CVE-2006-1181 RESERVED CVE-2006-1180 RESERVED CVE-2006-1179 RESERVED CVE-2006-1178 (Tamarack MMSd before 7.992 allows remote attackers to cause a denial o ...) NOT-FOR-US: Tamarack MMSd CVE-2006-1177 RESERVED CVE-2006-1176 (Buffer overflow in eBay Enhanced Picture Services (aka EPUImageControl ...) NOT-FOR-US: eBay Enhanced Picture Services CVE-2006-1175 (The WeOnlyDo! SFTP (wodSFTP) ActiveX control is marked as safe for scr ...) NOT-FOR-US: WeOnlyDo! SFTP CVE-2006-1174 (useradd in shadow-utils before 4.0.3, and possibly other versions befo ...) - shadow 1:4.0.15-10 (low) [sarge] - shadow (Vulnerable code was introduced later) CVE-2006-1173 (Sendmail before 8.13.7 allows remote attackers to cause a denial of se ...) {DSA-1155} - sendmail 8.13.7-1 (low; bug #373801) CVE-2006-1172 (Stack-based buffer overflow in the createPKCS10 function in Cryptomath ...) NOT-FOR-US: ActiveX control CVE-2006-1171 REJECTED CVE-2006-1170 REJECTED CVE-2006-1169 REJECTED CVE-2006-1168 (The decompress function in compress42.c in (1) ncompress 4.2.4 and (2) ...) {DSA-1149-1} - ncompress 4.2.4-16 CVE-2006-1167 (SGI ProPack 3 SP6 kernel displays the frame buffer contents of the las ...) NOT-FOR-US: SGI CVE-2006-1165 (Cross-site scripting (XSS) vulnerability in the mediamanager module in ...) - dokuwiki 0.0.20060309-3 (bug #357436) CVE-2006-1164 (Nodez 4.6.1.1 and earlier stores sensitive data in the list.gtdat file ...) NOT-FOR-US: Nodez CVE-2006-1163 (Cross-site scripting (XSS) vulnerability in Nodez 4.6.1.1 allows remot ...) NOT-FOR-US: Nodez CVE-2006-1162 (Directory traversal vulnerability in Nodez 4.6.1.1 and earlier allows ...) NOT-FOR-US: Nodez CVE-2006-1161 (Absolute path traversal vulnerability in Easy File Sharing (EFS) Web S ...) NOT-FOR-US: Easy File Sharing (EFS) Web Server CVE-2006-1160 (Cross-site scripting (XSS) vulnerability in Easy File Sharing (EFS) We ...) NOT-FOR-US: Easy File Sharing (EFS) Web Server CVE-2006-1159 (Format string vulnerability in Easy File Sharing (EFS) Web Server 3.2 ...) NOT-FOR-US: Easy File Sharing (EFS) Web Server CVE-2006-1158 (Kerio MailServer before 6.1.3 Patch 1 allows remote attackers to cause ...) NOT-FOR-US: Kerio MailServer CVE-2006-1157 (Cross-site scripting (XSS) vulnerability in Vz Scripts ADP Forum 2.0.3 ...) NOT-FOR-US: Vz Scripts ADP Forum CVE-2006-1156 (SQL injection vulnerability in manas tungare Site Membership Script be ...) NOT-FOR-US: manas tungare Site Membership Script CVE-2006-1155 (Cross-site scripting (XSS) vulnerability in manas tungare Site Members ...) NOT-FOR-US: manas tungare Site Membership Script CVE-2006-1154 (PHP remote file inclusion vulnerability in archive.php in Fantastic Ne ...) NOT-FOR-US: Fantastic News CVE-2006-1153 (SQL injection vulnerability in D2-Shoutbox 4.2 allows remote attackers ...) NOT-FOR-US: D2-Shoutbox CVE-2006-1152 (PHP remote file inclusion vulnerability in index.php in M-Phorum 0.2 a ...) NOT-FOR-US: M-Phorum CVE-2006-1151 (Cross-site scripting vulnerability in index.php in M-Phorum 0.2 allows ...) NOT-FOR-US: M-Phorum CVE-2006-1150 (Buffer overflow in Tenes Empanadas Graciela (TEG) 0.11.1, automaticall ...) - teg 0.11.1-3 (bug #357645; low) [sarge] - teg (Only DoS against exotic, mostly single player game) CVE-2006-1149 (PHP remote file inclusion vulnerability in lib/OWL_API.php in OWL Intr ...) NOT-FOR-US: OWL Intranet Engine CVE-2006-1148 (Multiple stack-based buffer overflows in the procConnectArgs function ...) - peercast 0.1217.toots.20060314-1 CVE-2006-1147 (The Com_sprintf function in q_shared.c in Alien Arena 2006 Gold Editio ...) NOT-FOR-US: Alien Arena Gold CVE-2006-1146 (Stack-based buffer overflow in the Cmd_Say_f function in g_cmds.c in A ...) NOT-FOR-US: Alien Arena Gold CVE-2006-1145 (Format string vulnerability in the safe_cprintf function in acebot_cmd ...) NOT-FOR-US: Alien Arena Gold CVE-2006-1144 (Cross-site scripting (XSS) vulnerability in HitHost 1.0.0 allows remot ...) NOT-FOR-US: Hit Host CVE-2006-1143 (Cross-site scripting (XSS) vulnerability in FTPoed Blog Engine 1.1 all ...) NOT-FOR-US: FTPoed Blog Engine CVE-2006-1142 (Unspecified vulnerability in Ravenous Web Server before 0.7.1 allows r ...) NOT-FOR-US: Ravenous Web Server CVE-2006-1141 (Buffer overflow in qmailadmin.c in QmailAdmin before 1.2.10 allows rem ...) - qmailadmin (bug #357896; medium) CVE-2006-1140 (SQL injection vulnerability in rss.php in RedBLoG 0.5 allows remote at ...) NOT-FOR-US: RedBLoG CVE-2006-1139 (Unspecified vulnerability in the ESS/ Network Controller in Xerox Copy ...) NOT-FOR-US: Xerox CopyCentre CVE-2006-1138 (Unspecified vulnerability in the web server code in Xerox CopyCentre a ...) NOT-FOR-US: Xerox CopyCentre CVE-2006-1137 (Multiple unspecified vulnerabilities in Xerox CopyCentre and Xerox Wor ...) NOT-FOR-US: Xerox CopyCentre CVE-2006-1136 (Buffer overflow in the PostScript file interpreter code for Xerox Copy ...) NOT-FOR-US: Xerox CopyCentre CVE-2006-1135 (Multiple cross-site scripting (XSS) vulnerabilities in sBlog 0.7.2 all ...) NOT-FOR-US: sBlog CVE-2006-1134 (SQL injection vulnerability in CyBoards PHP Lite 1.25, when magic_quot ...) NOT-FOR-US: CyBoards CVE-2006-1133 (Multiple cross-site scripting (XSS) vulnerabilities in vbzoom 1.11 all ...) NOT-FOR-US: vbzoom CVE-2006-1132 (SQL injection vulnerability in show.php in vbzoom 1.11 allow remote at ...) NOT-FOR-US: vbzoom CVE-2006-1131 (Cross-site scripting (XSS) vulnerability in read.php in bitweaver CMS ...) NOT-FOR-US: bitweaver CVE-2006-1130 (Cross-site scripting (XSS) vulnerability in EKINboard 1.0.3 allows rem ...) NOT-FOR-US: EKINboard CVE-2006-1129 (SQL injection vulnerability in config.php in EKINboard 1.0.3 allows re ...) NOT-FOR-US: EKINboard CVE-2005-4729 (SQL injection vulnerability in show.php in VBZooM Forum allows remote ...) NOT-FOR-US: VBZooM CVE-2006-1166 (Monotone 0.25 and earlier, when a user creates a file in a directory c ...) - monotone 0.26pre1-0.1 (low) [sarge] - monotone (Only exploitable in very far-fetched situation) NOTE: Needs a case-insensitive file system (e.g. VFAT or Samba) on the client NOTE: and massive social engineering CVE-2006-1128 (Directory traversal vulnerability in the session handling class (Galle ...) - gallery2 2.0.3 CVE-2006-1127 (Cross-site scripting (XSS) vulnerability in Gallery 2 up to 2.0.2 allo ...) - gallery2 2.0.3 CVE-2006-1126 (Gallery 2 up to 2.0.2 allows remote attackers to spoof their IP addres ...) - gallery2 2.0.3 CVE-2006-1125 (Grisoft AVG Free 7.1, and other versions including 7.0.308, sets Every ...) NOT-FOR-US: Grisoft AVG CVE-2006-1124 (Buffer overflow in RevilloC MailServer and Proxy 1.21 allows remote at ...) NOT-FOR-US: RevilloC MailServer and Proxy CVE-2006-1123 (SQL injection vulnerability in D2KBlog 1.0.3 and earlier allows remote ...) NOT-FOR-US: D2KBlog CVE-2006-1122 (Cross-site scripting (XSS) vulnerability in Default.asp in D2KBlog 1.0 ...) NOT-FOR-US: D2KBlog CVE-2006-1121 (Cross-site scripting (XSS) vulnerability in CuteNews 1.4.1 allows remo ...) NOT-FOR-US: CuteNews CVE-2006-1120 (Multiple cross-site scripting (XSS) vulnerabilities in DCP-Portal 6.1. ...) NOT-FOR-US: DCP-Portal CVE-2006-1119 (fantastico in Cpanel does not properly handle when it has insufficient ...) NOT-FOR-US: Cpanel (PHP) CVE-2006-1118 (SQL injection vulnerability in bmail before Aardvark PR9.1 allows remo ...) NOT-FOR-US: Aardvark CVE-2006-1117 (nCipher firmware before V10, as used by (1) nShield, (2) nForce, (3) n ...) NOT-FOR-US: nCipher CVE-2006-1116 (The CBC-MAC integrity functions in the nCipher nCore API before 2.18 t ...) NOT-FOR-US: nCipher CVE-2006-1115 (nCipher HSM before 2.22.6, when generating a Diffie-Hellman public/pri ...) NOT-FOR-US: nCipher CVE-2006-1114 (Multiple directory traversal vulnerabilities in Loudblog before 0.42 a ...) NOT-FOR-US: Loudblog CVE-2006-1113 (SQL injection vulnerability in podcast.php in Loudblog before 0.42 all ...) NOT-FOR-US: Loudblog CVE-2006-1112 (Aztek Forum 4.0 allows remote attackers to obtain sensitive informatio ...) NOT-FOR-US: Aztek Forum CVE-2006-1111 (Aztek Forum 4.0 allows remote attackers to obtain sensitive informatio ...) NOT-FOR-US: Aztek Forum CVE-2006-1110 (Cross-site scripting (XSS) vulnerability in Aztek Forum 4.0 allows rem ...) NOT-FOR-US: Aztek Forum CVE-2006-1109 (SQL injection vulnerability in index.asp in Total Ecommerce 1.0 allows ...) NOT-FOR-US: Total Ecommerce CVE-2006-1108 (SQL injection vulnerability in news.php in NMDeluxe before 1.0.1 allow ...) NOT-FOR-US: NMDeluxe CVE-2006-1107 (Cross-site scripting (XSS) vulnerability in news.php in NMDeluxe befor ...) NOT-FOR-US: NMDeluxe CVE-2006-1106 (Cross-site scripting (XSS) vulnerability in Pixelpost 1.5 beta 1 and e ...) NOT-FOR-US: Pixelpost CVE-2006-1105 (Pixelpost 1.5 beta 1 and earlier allows remote attackers to obtain con ...) NOT-FOR-US: Pixelpost CVE-2006-1104 (Multiple SQL injection vulnerabilities in Pixelpost 1.5 beta 1 and ear ...) NOT-FOR-US: Pixelpost CVE-2006-1103 (engine/server.cpp in Sauerbraten 2006_02_28, as derived from the Cube ...) NOT-FOR-US: Sauerbraten / cube engine CVE-2006-1102 (Sauerbraten 2006_02_28, as derived from the Cube engine, allows remote ...) NOT-FOR-US: Sauerbraten / cube engine CVE-2006-1101 (The (1) sgetstr and (2) getint functions in Sauerbraten 2006_02_28, as ...) NOT-FOR-US: Sauerbraten / cube engine CVE-2006-1100 (Buffer overflow in the sgetstr function in shared/cube.h in Sauerbrate ...) NOT-FOR-US: Sauerbraten / cube engine CVE-2006-1099 (PHP remote file include vulnerability in logIT 1.3 and 1.4 allows remo ...) NOT-FOR-US: logIT CVE-2006-1098 (** DISPUTED ** Multiple SQL injection vulnerabilities in NZ Ecommerce ...) NOT-FOR-US: NZ Ecommerce CVE-2006-1097 (Multiple cross-site scripting (XSS) vulnerabilities in Datenbank MOD 2 ...) NOT-FOR-US: Woltlab Burning Board CVE-2006-1096 NOT-FOR-US: NZ Ecommerce CVE-2006-1095 (Directory traversal vulnerability in the FileSession object in Mod_pyt ...) NOTE: only version 3.2.7 is vulnerable, 3.2.8 is out NOTE: currently 3.1.3 is in Debian; very unlikely that 3.2.7 will be packaged CVE-2006-1094 (SQL injection vulnerability in Datenbank MOD 2.7 and earlier for Woltl ...) NOT-FOR-US: Woltlab Burning Board CVE-2006-1093 (Unspecified vulnerability in IBM WebSphere 5.0.2.10 through 5.0.2.15 a ...) NOT-FOR-US: IBM WebSphere CVE-2006-1092 (Unspecified vulnerability in the pagedata subsystem of the process fil ...) NOT-FOR-US: Solaris CVE-2006-1091 (Kaspersky Antivirus 5.0.5 and 5.5.3 allows remote attackers to cause a ...) NOT-FOR-US: Kaspersky Antivirus CVE-2006-1090 (register.php in PunBB 1.2.10 allows remote attackers to cause an unspe ...) NOT-FOR-US: PunBB CVE-2006-1089 (Cross-site scripting (XSS) vulnerability in header.php in PunBB 1.2.10 ...) NOT-FOR-US: PunBB CVE-2006-1088 (PHP-Stats 0.1.9.1 and earlier allows remote attackers to obtain potent ...) NOT-FOR-US: PHP-Stats CVE-2006-1087 (Direct static code injection vulnerability in the modify_config action ...) NOT-FOR-US: PHP-Stats CVE-2006-1086 REJECTED CVE-2006-1085 (admin.php in PHP-Stats 0.1.9.1 and earlier allows remote attackers to ...) NOT-FOR-US: PHP-Stats CVE-2006-1084 (Multiple SQL injection vulnerabilities in PHP-Stats 0.1.9.1 and earlie ...) NOT-FOR-US: PHP-Stats CVE-2006-1083 (Multiple directory traversal vulnerabilities in PHP-Stats 0.1.9.1 and ...) NOT-FOR-US: PHP-Stats CVE-2006-1082 (Multiple cross-site scripting (XSS) vulnerabilities in phpArcadeScript ...) NOT-FOR-US: phpArcadeScript CVE-2006-1081 (SQL injection vulnerability in forgotten_password.php in Jonathan Beck ...) NOT-FOR-US: PluggedOut Nexus CVE-2006-1080 (Cross-site scripting (XSS) vulnerability in login.php in Game-Panel 2. ...) NOT-FOR-US: Game-Panel CVE-2006-1079 (htpasswd, as used in Acme thttpd 2.25b and possibly other products suc ...) - thttpd 2.23beta1-2.4 (bug #253816; low) NOTE: apache's htpasswd not vulnerable, but source contains note about NOTE: not being safe for sudo NOTE: filed whishlist bug to add this to manpage CVE-2006-1078 (Multiple buffer overflows in htpasswd, as used in Acme thttpd 2.25b, a ...) - thttpd 2.23beta1-2.4 (bug #253816; low) NOTE: apache's htpasswd not vulnerable CVE-2006-1077 (Multiple cross-site scripting (XSS) vulnerabilities in the commentary ...) NOT-FOR-US: Evo-Dev evoBlog CVE-2006-1076 (SQL injection vulnerability in index.php, possibly during a showtopic ...) NOT-FOR-US: checkInvision Power Board CVE-2006-1075 (Format string vulnerability in the visualization function in Jason Boe ...) NOT-FOR-US: Liero Xtreme CVE-2006-1074 (Jason Boettcher Liero Xtreme 0.62b and earlier allow remote attackers ...) NOT-FOR-US: Liero Xtreme CVE-2006-1073 (Directory traversal vulnerability in index.php in Daverave Simplog 1.0 ...) NOT-FOR-US: Daverave Simplog CVE-2006-1072 (Cross-site scripting (XSS) vulnerability in Daverave Simplog 1.0.2 and ...) NOT-FOR-US: Daverave Simplog CVE-2006-1071 (Cross-site scripting (XSS) vulnerability in index.php in DVguestbook 1 ...) NOT-FOR-US: DVguestbook CVE-2006-1070 (Cross-site scripting (XSS) vulnerability in dv_gbook.php in DVguestboo ...) NOT-FOR-US: DVguestbook CVE-2006-1069 (Unspecified vulnerability in the session handling for Geeklog 1.4.x be ...) NOT-FOR-US: Geeklog CVE-2006-1068 (Netgear 614 and 624 routers, possibly running VXWorks, allow remote at ...) NOT-FOR-US: VXWorks CVE-2006-1067 (Linksys WRT54G routers version 5 (running VXWorks) allow remote attack ...) NOT-FOR-US: VXWorks CVE-2006-1066 (Linux kernel 2.6.16-rc2 and earlier, when running on x86_64 systems wi ...) {DSA-1017-1} - linux-2.6 2.6.16-1 CVE-2006-1065 (SQL injection vulnerability in search.php in MyBulletinBoard (MyBB) 1. ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-1064 (Multiple cross-site scripting (XSS) vulnerabilities in Lurker 2.0 and ...) {DSA-999-1} - lurker 2.1-1 CVE-2006-1063 (Unspecified vulnerability in Lurker 2.0 and earlier allows remote atta ...) {DSA-999-1} - lurker 2.1-1 CVE-2006-1062 (Unspecified vulnerability in lurker.cgi for Lurker 2.0 and earlier all ...) {DSA-999-1} - lurker 2.1-1 CVE-2006-1061 (Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 a ...) - curl 7.15.3-1 [woody] - curl (Vulnerable code not present) [sarge] - curl (Vulnerable code not present) CVE-2006-1060 (Heap-based buffer overflow in zgv before 5.8 and xzgv before 0.8 might ...) {DSA-1038-1 DSA-1037-1} - xzgv 0.8-5.1 (bug #362288; medium) - zgv 5.9-2 CVE-2006-1059 (The winbindd daemon in Samba 3.0.21 to 3.0.21c writes the machine trus ...) - samba 3.0.22-1 [woody] - samba [sarge] - samba CVE-2006-1058 (BusyBox 1.1.1 does not use a salt when generating passwords, which mak ...) - busybox 1:1.1.3-1 (low; bug #360578) [woody] - busybox [sarge] - busybox CVE-2006-1057 (Race condition in daemon/slave.c in gdm before 2.14.1 allows local use ...) {DSA-1040-1} - gdm 2.14.4-1 CVE-2006-1056 (The Linux kernel before 2.6.16.9 and the FreeBSD kernel, when running ...) {DSA-1103 DSA-1097-1} - linux-2.6 2.6.16-9 - kfreebsd-5 5.4-17 - xen-3.0 3.0.2+hg9656-1 CVE-2006-1055 (The fill_write_buffer function in sysfs/file.c in Linux kernel 2.6.12 ...) - linux-2.6 2.6.16-6 CVE-2006-1054 REJECTED CVE-2006-1053 RESERVED CVE-2006-1052 (The selinux_ptrace logic in hooks.c in SELinux for Linux 2.6.6 allows ...) {DSA-1184-2} - linux-2.6 2.6.15+2.6.16-rc5-0experimental.1 (low) CVE-2006-1051 (SQL injection vulnerability in Akarru Social BookMarking Engine before ...) NOT-FOR-US: Akurru Social BookMarking Engine CVE-2006-1050 NOT-FOR-US: Kwik-Pay Payroll CVE-2005-4728 (Untrusted search path vulnerability (RPATH) in amaya 9.2.1 on Debian G ...) - amaya 9.4-1 (bug #341424) [sarge] - amaya (The Sarge version doesn't have an rpath set) CVE-2006-1319 (chpst in runit 1.3.3-1 for Debian GNU/Linux, when compiled on little e ...) - runit 1.4.1-1 (bug #356016; medium) [sarge] - runit CVE-2006-1049 (Multiple SQL injection vulnerabilities in the Admin functionality in J ...) NOT-FOR-US: Joomla! CVE-2006-1048 (Joomla! 1.0.7 and earlier allows attackers to bypass intended access r ...) NOT-FOR-US: Joomla! CVE-2006-1047 (Unspecified vulnerability in the "Remember Me login functionality" in ...) NOT-FOR-US: Joomla! CVE-2006-1046 (server.cpp in Monopd 0.9.3 allows remote attackers to cause a denial o ...) - monopd 0.9.3-2 (bug #355797; low) [sarge] - monopd (Very minor security ramifications) CVE-2006-1045 (The HTML rendering engine in Mozilla Thunderbird 1.5, when "Block load ...) {DSA-1051-1 DSA-1046-1} - thunderbird 1.5.0.2-1 [sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.8 - firefox 1.5.dfsg+1.5.0.2-1 - xulrunner 1.8.0.1-9 CVE-2006-1044 (Multiple buffer overflows in LISTSERV 14.3 and 14.4, including LISTSER ...) NOT-FOR-US: LISTSERV CVE-2006-1043 (Stack-based buffer overflow in Microsoft Visual Studio 6.0 and Microso ...) NOT-FOR-US: Microsoft CVE-2006-1042 (Multiple SQL injection vulnerabilities in Gregarius 0.5.2 allow remote ...) NOT-FOR-US: Gregarius CVE-2006-1041 (Multiple cross-site scripting (XSS) vulnerabilities in Gregarius 0.5.2 ...) NOT-FOR-US: Gregarius CVE-2006-1040 (Cross-site scripting (XSS) vulnerability in vBulletin 3.0.12 and 3.5.3 ...) NOT-FOR-US: vBulletin CVE-2006-1039 (SAP Web Application Server (WebAS) Kernel before 7.0 allows remote att ...) NOT-FOR-US: SAP CVE-2006-1038 (Buffer overflow in SecureCRT 5.0.4 and earlier and SecureFX 3.0.4 and ...) NOT-FOR-US: SecureCRT CVE-2006-1037 (SQL injection vulnerability in the Oracle Diagnostics module 2.2 and e ...) NOT-FOR-US: Oracle CVE-2006-1036 (Multiple unspecified vulnerabilities in the Oracle Diagnostics module ...) NOT-FOR-US: Oracle CVE-2006-1035 (Unspecified vulnerability in the Oracle Diagnostics module 2.2 and ear ...) NOT-FOR-US: Oracle CVE-2006-1034 (Multiple cross-site scripting (XSS) vulnerabilities in Woltlab Burning ...) NOT-FOR-US: Woltlab Burning Board CVE-2006-1033 (Multiple cross-site scripting (XSS) vulnerabilities in Dragonfly CMS b ...) NOT-FOR-US: Dragonfly CMS CVE-2006-1032 (Eval injection vulnerability in the decode function in rpc_decoder.php ...) NOT-FOR-US: phpRPC CVE-2006-1031 (config/config_inc.php in iGENUS Webmail 2.02 and earlier allows remote ...) NOT-FOR-US: iGENUS Webmail CVE-2006-1030 (Unspecified vulnerability in mod_templatechooser in Joomla! 1.0.7 allo ...) NOT-FOR-US: Joomla! CVE-2006-1029 (The cross-site scripting (XSS) countermeasures in class.inputfilter.ph ...) NOT-FOR-US: Joomla! CVE-2006-1028 (feedcreator.class.php (aka the syndication component) in Joomla! 1.0.7 ...) NOT-FOR-US: Joomla! CVE-2006-1027 (feedcreator.class.php (aka the syndication component) in Joomla! 1.0.7 ...) NOT-FOR-US: Joomla! CVE-2006-1026 (JFacets before 0.2 allows remote attackers to gain privileges as any a ...) NOT-FOR-US: JFacets CVE-2006-1025 (Cross-site scripting (XSS) vulnerability in manage.asp in Addsoft Stor ...) NOT-FOR-US: Addsoft StoreBot CVE-2006-1024 (SQL injection vulnerability in MgrLogin.asp in Addsoft StoreBot 2005 P ...) NOT-FOR-US: Addsoft StoreBot CVE-2006-1023 (Directory traversal vulnerability in HP System Management Homepage (SM ...) NOT-FOR-US: HP System Management CVE-2006-1022 (PHP remote file include vulnerability in sol_menu.php in PeHePe Uyelik ...) NOT-FOR-US: PeHePe Uyelik Sistemi CVE-2006-1021 (Cross-site scripting (XSS) vulnerability in sol_menu.php in PeHePe Uye ...) NOT-FOR-US: PeHePe Uyelik Sistemi CVE-2006-1020 (SQL injection vulnerability in forumlib.php in Johnny_Vegas Vegas Foru ...) NOT-FOR-US: Johnny_Vegas Vegas Forum CVE-2006-1019 (Cross-site scripting (XSS) vulnerability in fce.php in UKiBoard 3.0.1 ...) NOT-FOR-US: UkiBoard CVE-2006-1018 (SQL injection vulnerability in poems.php in DCI-Designs Dawaween 1.03 ...) NOT-FOR-US: DCI-Design Dawaween CVE-2006-1017 (The c-client library 2000, 2001, or 2004 for PHP before 4.4.4 and 5.x ...) NOT-FOR-US: c-client CVE-2006-1016 (Buffer overflow in the IsComponentInstalled method in Internet Explore ...) NOT-FOR-US: Windows CVE-2006-1015 (Argument injection vulnerability in certain PHP 3.x, 4.x, and 5.x appl ...) - php5 5.1.4-0.1 (bug #368595; unimportant) - php4 (bug #368592; unimportant) NOTE: It's the application's job to sanitize input passed to a function CVE-2006-1014 (Argument injection vulnerability in certain PHP 4.x and 5.x applicatio ...) - php5 5.1.4-0.1 (bug #368595; unimportant) - php4 (bug #368592; unimportant) NOTE: It's the application's job to sanitize input passed to a function CVE-2006-1013 (PHP remote file include vulnerability in index.php in SMartBlog (aka S ...) NOT-FOR-US: SMartBlog CVE-2006-1012 (SQL injection vulnerability in WordPress 1.5.2, and possibly other ver ...) - wordpress 2.0.1-1 CVE-2006-1011 (LetterMerger 1.2 stores user information in Access database files with ...) NOT-FOR-US: LetterMerger CVE-2006-1010 (Buffer overflow in socket/request.c in CrossFire before 1.9.0, when ol ...) {DSA-1001-1} - crossfire 1.9.0-1 CVE-2006-1009 (M4 Project enigma-suite before 0.73.3 (Windows) has a default password ...) NOT-FOR-US: M4 Project enigma-suite CVE-2006-1008 (Multiple cross-site scripting (XSS) vulnerabilities in N8cms 1.1 and 1 ...) NOT-FOR-US: N8cms CVE-2006-1007 (Multiple SQL injection vulnerabilities in N8cms 1.1 and 1.2 allow remo ...) NOT-FOR-US: N8cms CVE-2006-1006 (Multiple SQL injection vulnerabilities in sendcard.php in sendcard bef ...) NOT-FOR-US: sendcard CVE-2006-1005 (agencyprofile.asp in Parodia 6.2 and earlier might allow remote attack ...) NOT-FOR-US: Parodia CVE-2006-1004 (Cross-site scripting (XSS) vulnerability in agencyprofile.asp in Parod ...) NOT-FOR-US: Parodia CVE-2006-1003 (The backup configuration option in NETGEAR WGT624 Wireless Firewall Ro ...) NOT-FOR-US: NETGEAR hardware issue CVE-2006-1002 (NETGEAR WGT624 Wireless DSL router has a default account of super_user ...) NOT-FOR-US: NETGEAR hardware issue CVE-2006-1001 (SQL injection vulnerability in the board module in LanSuite LanParty I ...) NOT-FOR-US: LanSuite LanParty Intranet System CVE-2006-1000 (Multiple SQL injection vulnerabilities in Pentacle In-Out Board 3.0 an ...) NOT-FOR-US: Pentacle In-Out Board CVE-2006-0999 (The SSL server implementation in NILE.NLM in Novell NetWare 6.5 and No ...) NOT-FOR-US: Novell CVE-2006-0998 (The SSL server implementation in NILE.NLM in Novell NetWare 6.5 and No ...) NOT-FOR-US: Novell CVE-2006-0997 (The SSL server implementation in NILE.NLM in Novell NetWare 6.5 and No ...) NOT-FOR-US: Novell CVE-2006-0996 (Cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP 5. ...) - php4 4:4.4.4-1 (bug #361853; unimportant) - php5 5.1.4-0.1 (bug #361914; unimportant) NOTE: Non-issue, explicit debug feature CVE-2006-0995 (EMC Dantz Retrospect 7 backup client 7.0.107, and other versions befor ...) NOT-FOR-US: EMC Dantz Retrospect CVE-2006-0994 (Multiple Sophos Anti-Virus products, including Anti-Virus for Windows ...) NOT-FOR-US: Sophos CVE-2006-0993 (The web management interface in 3Com TippingPoint SMS Server before 2. ...) NOT-FOR-US: 3Com CVE-2006-0992 (Stack-based buffer overflow in Novell GroupWise Messenger before 2.0 P ...) NOT-FOR-US: Novell GroupWise CVE-2006-0991 (Buffer overflow in the NetBackup Sharepoint Services server daemon (bp ...) NOT-FOR-US: Veritas NetBackup CVE-2006-0990 (Stack-based buffer overflow in the NetBackup Catalog daemon (bpdbm) in ...) NOT-FOR-US: Veritas NetBackup CVE-2006-0989 (Stack-based buffer overflow in the volume manager daemon (vmd) in Veri ...) NOT-FOR-US: Veritas NetBackup CVE-2006-0988 (The default configuration of the DNS Server service on Windows Server ...) NOT-FOR-US: MS Windows issue CVE-2006-0987 (The default configuration of ISC BIND before 9.4.1-P1, when configured ...) - bind (bug #355787; unimportant) - bind9 1:9.4.0-1 (bug #356266; unimportant) NOTE: This is within the responsibilities of a local admin, especially when NOTE: operating a DNS server, affected sites can configure AllowRecursion CVE-2006-0986 (WordPress 2.0.1 and earlier allows remote attackers to obtain sensitiv ...) - wordpress 2.0.2-1 (bug #355055; unimportant) CVE-2006-0985 (Multiple cross-site scripting (XSS) vulnerabilities in the "post comme ...) - wordpress 2.0.2-1 (bug #355055; medium) CVE-2006-0984 (Cross-site scripting (XSS) vulnerability in inc_header.php in EJ3 TOPo ...) NOT-FOR-US: EJ3 TOPo not in debian CVE-2006-0983 (Cross-site scripting (XSS) vulnerability in index.php in QwikiWiki 1.4 ...) NOT-FOR-US: QWikiWiki not in debian CVE-2006-0982 (The on-access scanner for McAfee Virex 7.7 for Macintosh, in some circ ...) NOT-FOR-US: McAfee Virex 7.7 for Macintosh CVE-2006-0981 (Directory traversal vulnerability in e-merge WinAce 2.6 and earlier al ...) NOT-FOR-US: WinAce CVE-2006-0980 (Multiple cross-site scripting (XSS) vulnerabilities in Jay Eckles CGI ...) NOT-FOR-US: Jay Eckles CGI Calendar CVE-2006-0979 (Unspecified vulnerability in the local weblog publisher in Nidelven IT ...) NOT-FOR-US: Nidelven IT Issue Dealer CVE-2006-0978 (Multiple cross-site scripting (XSS) vulnerabilities in the View Header ...) NOT-FOR-US: ArGoSoft Mail Server CVE-2006-0977 (Craig Morrison Mail Transport System Professional (aka MTS Pro) acts a ...) NOT-FOR-US: MTS Pro CVE-2006-0976 (Directory traversal vulnerability in scan_lang_insert.php in Boris Her ...) NOT-FOR-US: SPiD CVE-2006-0975 REJECTED CVE-2006-0974 (Cross-site scripting (XSS) vulnerability in failure.asp in Battleaxe b ...) NOT-FOR-US: bttlxeForum 2.0 CVE-2006-0973 (SQL injection vulnerability in topics.php in Appalachian State Univers ...) NOT-FOR-US: phpWebSite CVE-2006-0972 (SQL injection vulnerability in news.php in Tony Baird Fantastic News 2 ...) NOT-FOR-US: Tony Baird Fantastic News CVE-2006-0971 (Directory traversal vulnerability in Lionel Reyero DirectContact 0.3b ...) NOT-FOR-US: DirectContact CVE-2006-0970 (PHP remote file inclusion vulnerability in index.php in one or more Ac ...) NOT-FOR-US: ActiveCampaign products CVE-2006-0969 (PHP remote file inclusion vulnerability in index.php in Top sites de P ...) NOT-FOR-US: PixelArtKingdom TopSites CVE-2006-0968 (The ncprwsnt service in NCP Network Communication Secure Client 8.11 B ...) NOT-FOR-US: NCP Network Communication Secure Client CVE-2006-0967 (NCP Network Communication Secure Client 8.11 Build 146, and possibly o ...) NOT-FOR-US: NCP Network Communication Secure Client CVE-2006-0966 (NCP Network Communication Secure Client 8.11 Build 146, and possibly o ...) NOT-FOR-US: NCP Network Communication Secure Client CVE-2006-0965 (NCP Network Communication Secure Client 8.11 Build 146, and possibly o ...) NOT-FOR-US: NCP Network Communication Secure Client CVE-2006-0964 (Client Firewall in NCP Network Communication Secure Client 8.11 Build ...) NOT-FOR-US: NCP Network Communication Secure Client CVE-2006-0963 (Multiple buffer overflows in STLport 5.0.2 might allow local users to ...) - stlport5 5.0.2-1 (bug #358471; medium) CVE-2006-0962 (SQL injection vulnerability in vuBB 0.2 allows remote attackers to exe ...) NOT-FOR-US: VuBB CVE-2006-0961 (SQL injection vulnerability in yazdir.asp in Cilem Hiber 1.1 allows re ...) NOT-FOR-US: Cilem Hiber CVE-2006-0960 (uConfig agent in Compex NetPassage WPE54G router allows remote attacke ...) NOT-FOR-US: Compex NetPassage WPE54G router CVE-2006-0959 (SQL injection vulnerability in misc.php in MyBulletinBoard (MyBB) 1.03 ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-0958 (Cross-site scripting (XSS) vulnerability in func.inc.php in ZoneO-Soft ...) NOT-FOR-US: ZoneO-Soft freeForum CVE-2006-0957 (Direct static code injection vulnerability in func.inc.php in ZoneO-So ...) NOT-FOR-US: ZoneO-Soft freeForum CVE-2006-0956 (nuauth in NuFW before 1.0.21 does not properly handle blocking TLS soc ...) - nufw 1.0.23-1 (bug #358475; low) CVE-2006-0955 RESERVED CVE-2006-0954 RESERVED CVE-2006-0953 RESERVED CVE-2006-0952 RESERVED CVE-2006-0951 (The GUI (nod32.exe) in NOD32 2.5 runs with SYSTEM privileges when the ...) NOT-FOR-US: NOD32 CVE-2006-0950 (unalz 0.53 allows user-assisted attackers to overwrite arbitrary files ...) - unalz 0.55-1 (bug #356832; low) [sarge] - unalz (Minor issue) CVE-2006-0949 (RaidenHTTPD 1.1.47 allows remote attackers to obtain source code of sc ...) NOT-FOR-US: RaidenHTTPD CVE-2006-0948 (AOL 9.0 Security Edition revision 4184.2340, and probably other versio ...) NOT-FOR-US: AOL CVE-2006-0947 (Thomson SpeedTouch modem running firmware 5.3.2.6.0 allows remote atta ...) NOT-FOR-US: Thomson modem firmware CVE-2006-0946 (Cross-site scripting (XSS) vulnerability in Thomson SpeedTouch modems ...) NOT-FOR-US: Thomson modem firmware CVE-2006-0945 (PHP remote file include vulnerability in admin/index.php in Archangel ...) NOT-FOR-US: Archangel Weblog CVE-2006-0944 (Archangel Weblog 0.90.02 allows remote attackers to bypass authenticat ...) NOT-FOR-US: Archangel Weblog CVE-2006-0943 (SQL injection vulnerability in the sondages module in index.php in Pws ...) NOT-FOR-US: PwsPHP CVE-2006-0942 (SQL injection vulnerability in profil.php in PwsPHP 1.2.3, and possibl ...) NOT-FOR-US: PwsPHP CVE-2006-0941 (Multiple cross-site scripting (XSS) vulnerabilities in post.php in Sho ...) NOT-FOR-US: ShoutLIVE CVE-2006-0940 (Multiple direct static code injection vulnerabilities in savesettings. ...) NOT-FOR-US: ShoutLIVE CVE-2006-0939 (SQL injection vulnerability in DCI-Taskeen 1.03 allows remote attacker ...) NOT-FOR-US: DCI-Taskeen CVE-2006-0938 (Cross-site scripting (XSS) vulnerability in eZ publish 3.7.3 and earli ...) - ezpublish CVE-2006-1320 (util.c in rssh 2.3.0 in Debian GNU/Linux does not use braces to make a ...) {DSA-1109} - rssh 2.3.0-1.1 (bug #346322; bug #363978; low) CVE-2006-1321 (Cross-site scripting (XSS) vulnerability in webcheck before 1.9.6 allo ...) - webcheck 1.9.6 CVE-2006-0937 (U.N.U. Mailgust 1.9 allows remote attackers to obtain sensitive inform ...) NOT-FOR-US: U.N.U. Mailgust CVE-2006-0936 (Free Host Shop Website Generator 3.3 allows remote authenticated users ...) NOT-FOR-US: Free Host Shop Website Generator CVE-2006-0935 (Microsoft Word 2003 allows remote attackers to cause a denial of servi ...) NOT-FOR-US: Microsoft CVE-2006-0934 (Cross-site scripting (XSS) vulnerability in webinsta Limbo 1.0.4.2 all ...) NOT-FOR-US: webinsta Limbo CVE-2006-0933 (Cross-site scripting (XSS) vulnerability in PHPX 3.5.9 allows remote a ...) NOT-FOR-US: PHPX CVE-2006-0932 (Directory traversal vulnerability in zip.lib.php 0.1.1 in PEAR::Archiv ...) NOT-FOR-US: zip.lib.php CVE-2006-0931 (Directory traversal vulnerability in PEAR::Archive_Tar 1.2, and other ...) - php5 (bug #368545; unimportant) - php4 (bug #368545; unimportant) NOTE: is this really a vulnerability in pear? it seems it should be a bug NOTE: in any application not checking for such archives. NOTE: Lack of a security feature is not a vulnerability CVE-2006-0930 (Directory traversal vulnerability in Webmail in ArGoSoft Mail Server P ...) NOT-FOR-US: ArgoSoft Mail Server CVE-2006-0929 (Directory traversal vulnerability in the IMAP server in ArGoSoft Mail ...) NOT-FOR-US: ArgoSoft Mail Server CVE-2006-0928 (The POP3 Server in ArGoSoft Mail Server Pro 1.8 allows remote attacker ...) NOT-FOR-US: ArgoSoft Mail Server CVE-2006-0927 (Multiple cross-site scripting (XSS) vulnerabilities in the JGS-XA JGS- ...) NOT-FOR-US: Woltlab Burning Board CVE-2006-0926 (Multiple directory traversal vulnerabilities in Allume StuffIt Standar ...) NOT-FOR-US: StuffIt CVE-2006-0925 (Format string vulnerability in the IMAP4rev1 server in Alt-N MDaemon 8 ...) NOT-FOR-US: Alt-N MDaemon CVE-2006-0924 (Cross-site scripting (XSS) vulnerability in Brown Bear iCal 3.10 allow ...) NOT-FOR-US: iCal CVE-2006-0923 (Multiple cross-site scripting (XSS) vulnerabilities in MyPHPNuke (MPN) ...) NOT-FOR-US: MyPHPNuke CVE-2006-0922 (CubeCart 3.0 through 3.6 does not properly check authorization for an ...) NOT-FOR-US: CubeCart CVE-2006-0921 (Multiple directory traversal vulnerabilities in connector.php in FCKed ...) - knowledgeroot (fixed before first upload; see bug #381912) CVE-2006-0920 (Oi! Email Marketing System 3.0 (aka Oi! 3) stores the server's FTP pas ...) NOT-FOR-US: Oi! Email Marketing System CVE-2006-0919 (SQL injection vulnerability in index.php (aka the login page) in Oi! E ...) NOT-FOR-US: Oi! Email Marketing System CVE-2006-0918 (Buffer overflow in RITLabs The Bat! 3.60.07 allows remote attackers to ...) NOT-FOR-US: The Bat! CVE-2006-0917 (Melange Chat Server (aka M-Chat), when accessed via a web browser, aut ...) NOT-FOR-US: Melange Chat Server CVE-2006-0916 (Bugzilla 2.19.3 through 2.20 does not properly handle "//" sequences i ...) - bugzilla 2.20.1-1 (bug #354457; high) [woody] - bugzilla (Only 2.17 and above are affected) [sarge] - bugzilla (Only 2.17 and above are affected) CVE-2006-0915 (Bugzilla 2.16.10 does not properly handle certain characters in the (1 ...) - bugzilla 2.20.1-1 (bug #354457; high) [woody] - bugzilla (Only 2.17 and above are affected) [sarge] - bugzilla (Only 2.17 and above are affected) CVE-2006-0914 (Bugzilla 2.16.10, 2.17 through 2.18.4, and 2.20 does not properly hand ...) - bugzilla 2.20.1-1 (bug #354457; high) [woody] - bugzilla (Only 2.17 and above are affected) [sarge] - bugzilla (Only 2.17 and above are affected) CVE-2006-0913 (SQL injection vulnerability in whineatnews.pl in Bugzilla 2.17 through ...) - bugzilla 2.20.1-1 (bug #354457; high) [woody] - bugzilla (Only 2.17 and above are affected) [sarge] - bugzilla (Only 2.17 and above are affected) CVE-2006-0912 (Oreka before 0.5 allows remote attackers to cause a denial of service ...) NOT-FOR-US: Oreka CVE-2006-0911 (NmService.exe in Ipswitch WhatsUp Professional 2006 allows remote atta ...) NOT-FOR-US: WhatsUp Professional CVE-2006-0910 (Invision Power Board (IPB) 2.1.4 and earlier allows remote attackers t ...) NOT-FOR-US: Invision Power Board CVE-2006-0909 (Invision Power Board (IPB) 2.1.4 and earlier allows remote attackers t ...) NOT-FOR-US: Invision Power Board CVE-2006-0908 (PHP-Nuke 7.8 Patched 3.2 allows remote attackers to bypass SQL injecti ...) NOT-FOR-US: PHP-Nuke CVE-2006-0907 (SQL injection vulnerability in PHP-Nuke before 7.8 Patched 3.2 allows ...) NOT-FOR-US: PHP-Nuke CVE-2006-0906 (SQL injection vulnerability in D3Jeeb Pro 3 allows remote attackers to ...) NOT-FOR-US: D3Jeeb Pro CVE-2006-0905 (A "programming error" in fast_ipsec in FreeBSD 4.8-RELEASE through 6.1 ...) - kfreebsd-5 5.4-16 CVE-2006-0904 REJECTED CVE-2006-0903 (MySQL 5.0.18 and earlier allows local users to bypass logging mechanis ...) {DSA-1079-1 DSA-1073-1 DSA-1071-1} - mysql-dfsg-5.0 5.0.19-3 (bug #359701; bug #366162; bug #366163) CVE-2006-0902 RESERVED CVE-2006-0901 (Unspecified vulnerability in the hsfs filesystem in Solaris 8, 9, and ...) NOT-FOR-US: Solaris CVE-2006-0900 (nfsd in FreeBSD 6.0 kernel allows remote attackers to cause a denial o ...) - kfreebsd-5 5.4-15 CVE-2006-0899 (Directory traversal vulnerability in index.php in 4Images 1.7.1 and ea ...) NOT-FOR-US: 4Images CVE-2006-0898 (Crypt::CBC Perl module 2.16 and earlier, when running in RandomIV mode ...) {DSA-996-1} - libcrypt-cbc-perl 2.17-1 CVE-2006-0897 NOT-FOR-US: VCS Virtual Program Management Intranet CVE-2006-0896 (Cross-site scripting (XSS) vulnerability in Sources/Register.php in Si ...) NOT-FOR-US: Simple Machine Forum CVE-2006-0895 (NOCC Webmail 1.0 allows remote attackers to obtain the installation pa ...) NOT-FOR-US: NOCC Webmail CVE-2006-0894 (Multiple cross-site scripting (XSS) vulnerabilities in NOCC Webmail 1. ...) NOT-FOR-US: NOCC Webmail CVE-2006-0893 (NOCC Webmail 1.0 allows remote attackers to obtain sensitive informati ...) NOT-FOR-US: NOCC Webmail CVE-2006-0892 (NOCC Webmail 1.0 stores e-mail attachments in temporary files with pre ...) NOT-FOR-US: NOCC Webmail CVE-2006-0891 (Multiple directory traversal vulnerabilities in NOCC Webmail 1.0 allow ...) NOT-FOR-US: NOCC Webmail CVE-2006-0890 (Directory traversal vulnerability in SpeedProject Squeez 5.1, as used ...) NOT-FOR-US: SpeedProject Squeez CVE-2006-0889 (Cross-site scripting (XSS) vulnerability in Calcium 3.10.1 allows remo ...) NOT-FOR-US: Calcium CVE-2006-0888 (index.php in Invision Power Board (IPB) 2.0.1, with Code Confirmation ...) NOT-FOR-US: Invision Power Board CVE-2006-0887 (Eval injection vulnerability in sessions.inc in PHP Base Library (PHPL ...) NOT-FOR-US: PHPLIB CVE-2006-0886 (Cross-site scripting (XSS) vulnerability in register.php in DEV web ma ...) NOT-FOR-US: DEV web management system CVE-2006-0885 (Cross-site scripting (XSS) vulnerability in show_news.php in CuteNews ...) NOT-FOR-US: CuteNews CVE-2006-0884 (The WYSIWYG rendering engine ("rich mail" editor) in Mozilla Thunderbi ...) {DSA-1051-1 DSA-1046-1} [sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.8 - thunderbird 1.5.0.2-1 - firefox 1.5.dfsg+1.5.0.2-1 - xulrunner 1.8.0.1-9 - mozilla 2:1.7.13-0.1 CVE-2003-1295 (Unspecified vulnerability in xscreensaver 4.12, and possibly other ver ...) - xscreensaver 4.21-1 NOTE: Might be fixed earlier, but I've verified that the SuSE patch is included NOTE: in the Sarge version --jmm CVE-2003-1294 (Xscreensaver before 4.15 creates temporary files insecurely in (1) dri ...) - xscreensaver 4.15-1 CVE-2006-0883 (OpenSSH on FreeBSD 5.3 and 5.4, when used with OpenPAM, does not prope ...) - openssh 1:3.8.1p1-4 [woody] - openssh CVE-2006-0882 (Directory traversal vulnerability in include.php in Noah's Classifieds ...) NOT-FOR-US: Noah's Classifieds CVE-2006-0881 (Multiple PHP remote file include vulnerabilities in gorum/gorumlib.php ...) NOT-FOR-US: Noah's Classifieds CVE-2006-0880 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in No ...) NOT-FOR-US: Noah's Classifieds CVE-2006-0879 (SQL injection vulnerability in the search tool in Noah's Classifieds 1 ...) NOT-FOR-US: Noah's Classifieds CVE-2006-0878 (Noah's Classifieds 1.3 allows remote attackers to obtain the installat ...) NOT-FOR-US: Noah's Classifieds CVE-2006-0877 (Cross-site scripting vulnerability in Easy Forum 2.5 allows remote att ...) NOT-FOR-US: Easy Forum CVE-2006-0876 (POPFile before 0.22.4 allows remote attackers to cause a denial of ser ...) {DSA-1061-1} - popfile 0.22.4-1 (bug #354464; medium) CVE-2006-0875 (Cross-site scripting vulnerability in ratefile.php in RunCMS 1.3a5 all ...) NOT-FOR-US: runCMS CVE-2006-0874 (Multiple unspecified vulnerabilities in Intensive Point iUser Ecommerc ...) NOT-FOR-US: Intensive Point iUser Ecommerce CVE-2006-0873 (Absolute path traversal vulnerability in docs/showdocs.php in Coppermi ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2006-0872 (Directory traversal vulnerability in init.inc.php in Coppermine Photo ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2006-0871 (Directory traversal vulnerability in the _setTemplate function in Mamb ...) - mambo 4.5.3h-1 (bug #354468) NOTE: only in experimental CVE-2006-0870 (SQL injection vulnerability in pages.asp in Mini-Nuke CMS System 1.8.2 ...) NOT-FOR-US: Mini-Nuke CMS CVE-2006-0869 (Directory traversal vulnerability in the "remember me" feature in live ...) NOT-FOR-US: PHP PEAR LiveUser CVE-2006-0868 (Multiple unspecified injection vulnerabilities in unspecified Auth Con ...) - php-auth 1.2.4-0.1 (bug #354474) CVE-2006-0867 (Buffer overflow in certain versions of South River (aka SRT) WebDrive, ...) NOT-FOR-US: WebDrive CVE-2006-0866 (PunBB 1.2.10 and earlier allows remote attackers to conduct brute forc ...) NOT-FOR-US: PunBB CVE-2006-0865 (PunBB 1.2.10 and earlier allows remote attackers to cause a denial of ...) NOT-FOR-US: PunBB CVE-2006-0864 (filescan in Global Hauri ViRobot 2.0 20050817 does not verify the Cook ...) NOT-FOR-US: Global Hauri ViRobot CVE-2006-0863 (InfoVista PortalSE 2.0 Build 20087 on Solaris 8 allows remote attacker ...) NOT-FOR-US: InfoVista PortalSE CVE-2006-0862 (Unspecified vulnerability in InfoVista PortalSE 2.0 Build 20087 on Sol ...) NOT-FOR-US: InfoVista PortalSE CVE-2006-0861 (Michael Salzer Guestbox 0.6, and other versions before 0.8, allows rem ...) NOT-FOR-US: Michael Salzer Guestbox CVE-2006-0860 (Multiple cross-site scripting (XSS) vulnerabilities in Michael Salzer ...) NOT-FOR-US: Michael Salzer Guestbox CVE-2006-0859 (Michael Salzer Guestbox 0.6, and other versions before 0.8, allows rem ...) NOT-FOR-US: Michael Salzer Guestbox CVE-2006-0858 (Unquoted Windows search path vulnerability in (1) snsmcon.exe, (2) the ...) NOT-FOR-US: StarForce Safe'n'Sec Personal CVE-2006-0857 (Cross-site scripting (XSS) vulnerability in Chatbox Plugin 1.0 in e107 ...) NOT-FOR-US: e107 CMS Chatbox plugin CVE-2006-0856 (SQL injection vulnerability in login.php in Scriptme SmE GB Host 1.21 ...) NOT-FOR-US: SmE GB Host CVE-2006-0855 (Stack-based buffer overflow in the fullpath function in misc.c for zoo ...) {DSA-991-1} - zoo 2.10-17 (bug #354461) CVE-2006-0854 (PHP remote file inclusion vulnerability in common.php in Intensive Poi ...) NOT-FOR-US: Intensive Point iUser Ecommerce CVE-2006-0853 (Buffer overflow in the IMAP service of TrueNorth Internet Anywhere (IA ...) NOT-FOR-US: TrueNorth Internet Anywhere CVE-2006-0852 (Direct static code injection vulnerability in write.php in Admbook 1.2 ...) NOT-FOR-US: Admbook CVE-2006-0851 (SQL injection vulnerability in the forum module of ilchClan 1.05g and ...) NOT-FOR-US: ilchClan CVE-2006-0850 (SQL injection vulnerability in include/includes/user/login.php in ilch ...) NOT-FOR-US: ilchClan CVE-2006-0849 RESERVED CVE-2006-0848 (The "Open 'safe' files after downloading" option in Safari on Apple Ma ...) NOT-FOR-US: Apple Safari CVE-2006-0847 (Directory traversal vulnerability in the staticfilter component in Che ...) - cherrypy2.1 2.1.1-1 (bug #353542) - python-cherrypy 2.1.1-1 (bug #354479) CVE-2006-0846 (Multiple cross-site scripting (XSS) vulnerabilities in Leif M. Wright' ...) NOT-FOR-US: Leif M. Wright's Blog CVE-2006-0845 (Leif M. Wright's Blog 3.5 allows remote authenticated users with admin ...) NOT-FOR-US: Leif M. Wright's Blog CVE-2006-0844 (Leif M. Wright's Blog 3.5 does not make a password comparison when aut ...) NOT-FOR-US: Leif M. Wright's Blog CVE-2006-0843 (Leif M. Wright's Blog 3.5 stores the config file and other txt files u ...) NOT-FOR-US: Leif M. Wright's Blog CVE-2006-0842 (Cross-site scripting (XSS) vulnerability in Calacode @Mail 4.3 allows ...) NOT-FOR-US: Calacode @Mail CVE-2006-0841 (Multiple cross-site scripting (XSS) vulnerabilities in Mantis 1.00rc4 ...) {DSA-1133-1} - mantis 0.19.4-3.1 (bug #378353) CVE-2006-0840 (manage_user_page.php in Mantis 1.00rc4 and earlier does not properly h ...) {DSA-944-1} - mantis 1.0 NOTE: This was actually fixed upstream in Mantis 1.0.0rc5, NOTE: which was never uploaded. CVE-2006-0839 (The frag3 preprocessor in Sourcefire Snort 2.4.3 does not properly rea ...) - snort (frag3 is only in 2.4, currently there is 2.3.3 in sid) CVE-2006-0838 (IBM Tivoli Micromuse Netcool/NeuSecure 3.0.236 stores cleartext passwo ...) NOT-FOR-US: Tivoli CVE-2006-0837 (IBM Tivoli Micromuse Netcool/NeuSecure 3.0.236 has world-readable perm ...) NOT-FOR-US: Tivoli CVE-2006-0836 (Mozilla Thunderbird 1.5 allows user-assisted attackers to cause an uns ...) NOTE: Denial of service by tricking someone into importing a manipulated LDIF file NOTE: That's a bug, but calling it a security problem is very far-fetched CVE-2006-0835 (SQL injection vulnerability in dropbase.php in MitriDAT Web Calendar P ...) NOT-FOR-US: MitriDAT Web Calendar CVE-2006-0834 (Uniden UIP1868P VoIP Telephone and Router has a default password of ad ...) NOT-FOR-US: Uniden UIP1868P VoIP Telephone CVE-2006-0833 (Multiple cross-site scripting (XSS) vulnerabilities in Barracuda Direc ...) NOT-FOR-US: Barracuda Directory CVE-2006-0832 (Multiple SQL injection vulnerabilities in admin.asp in WPC.easy allow ...) NOT-FOR-US: WPC.easy CVE-2006-0831 (PHP remote file include vulnerability in index.php in Tasarim Rehberi ...) NOT-FOR-US: Tasarim Rehberi CVE-2006-0830 (The scripting engine in Internet Explorer allows remote attackers to c ...) NOT-FOR-US: Microsoft CVE-2006-0829 (Cross-site scripting vulnerability in E-Blah Platinum 9.7 allows remot ...) NOT-FOR-US: E-Blah Platinum CVE-2006-0828 (Unspecified vulnerability in ESS/ Network Controller and MicroServer W ...) NOT-FOR-US: Xerox WorkCentre / ESS/ Network Controller CVE-2006-0827 (Cross-site scripting vulnerability in ESS/ Network Controller and Micr ...) NOT-FOR-US: Xerox WorkCentre / ESS/ Network Controller CVE-2006-0826 (Unspecified vulnerability in ESS/ Network Controller and MicroServer W ...) NOT-FOR-US: Xerox WorkCentre / ESS/ Network Controller CVE-2006-0825 (Multiple unspecified vulnerabilities in ESS/ Network Controller and Mi ...) NOT-FOR-US: Xerox WorkCentre / ESS/ Network Controller CVE-2006-0824 (Multiple unspecified vulnerabilities in lib-common.php in Geeklog 1.4. ...) NOT-FOR-US: Geeklog CVE-2006-0823 (Multiple SQL injection vulnerabilities in Geeklog 1.4.0 before 1.4.0sr ...) NOT-FOR-US: Geeklog CVE-2006-0822 (Unspecified vulnerability in EmuLinker Kaillera Server before 0.99.17 ...) NOT-FOR-US: EmuLinker Kaillera Server CVE-2006-0821 (SQL injection vulnerability in index.php in BXCP 0.299 allows remote a ...) NOT-FOR-US: BXCP CVE-2006-0820 (Cross-site scripting (XSS) vulnerability in Dwarf HTTP Server 1.3.2 al ...) NOT-FOR-US: Dwarf HTTP Server CVE-2006-0819 (Dwarf HTTP Server 1.3.2 allows remote attackers to obtain the source c ...) NOT-FOR-US: Dwarf HTTP Server CVE-2006-0818 (Absolute path directory traversal vulnerability in (1) MERAK Mail Serv ...) NOT-FOR-US: MERAK Mail Server and VisNetic MailServer CVE-2006-0817 (Absolute path directory traversal vulnerability in (a) MERAK Mail Serv ...) NOT-FOR-US: MERAK Mail Server and VisNetic MailServer CVE-2006-0816 (Orion Application Server before 2.0.7, when running on Windows, allows ...) NOT-FOR-US: Orion Application Server CVE-2006-0815 (NetworkActiv Web Server 3.5.15 allows remote attackers to read script ...) NOT-FOR-US: NetworkActiv Web Server CVE-2006-0814 (response.c in Lighttpd 1.4.10 and possibly previous versions, when run ...) NOT-FOR-US: Lighttpd under windows CVE-2006-0813 (Heap-based buffer overflow in WinACE 2.60 allows user-assisted attacke ...) NOT-FOR-US: WinACE CVE-2006-0812 (The VisNetic AntiVirus Plug-in (DKAVUpSch.exe) for Mail Server 4.6.0.4 ...) NOT-FOR-US: WinACE VisNetic AntiVirus CVE-2005-4727 (Cross-site scripting (XSS) vulnerability in gbook.cgi in gBook before ...) NOT-FOR-US: gBook CVE-2004-2654 (The clientAbortBody function in client_side.c in Squid Web Proxy Cache ...) - squid 2.5.6 CVE-2006-0811 (Cross-site scripting (XSS) vulnerability in reguser.php in Skate Board ...) NOT-FOR-US: Skate Board CVE-2006-0810 (Unspecified vulnerability in config.php in Skate Board 0.9 allows remo ...) NOT-FOR-US: Skate Board CVE-2006-0809 (Multiple SQL injection vulnerabilities in Skate Board 0.9 allow remote ...) NOT-FOR-US: Skate Board CVE-2006-0808 (MUTE 0.4 allows remote attackers to cause a denial of service (message ...) NOT-FOR-US: MUTE CVE-2006-0807 (Stack-based buffer overflow in NJStar Chinese and Japanese Word Proces ...) NOT-FOR-US: NJStar CVE-2006-0806 (Multiple cross-site scripting (XSS) vulnerabilities in ADOdb 4.71, as ...) {DSA-1031-1 DSA-1030-1 DSA-1029-1} - libphp-adodb 4.72-0.1 (bug #358872; medium) - moodle 1.6.1+20060825-1 (bug #360396; medium) - cacti 0.8.6d-1 (medium) NOTE: according to maintainer, "Moodle neither uses nor plans to use NOTE: ADODB_Pager, so it's not affected by #360396, but include patch for NOTE: it anyway, just in case somebody decides to use it out of the blue CVE-2006-0805 (The CAPTCHA functionality in php-Nuke 6.0 through 7.9 uses fixed chall ...) NOT-FOR-US: php-Nuke CVE-2006-0804 (Off-by-one error in TIN 1.8.0 and earlier might allow attackers to exe ...) - tin 1:1.8.2-1 [sarge] - tin (Vulnerable code not present) CVE-2006-0803 (The signature verification functionality in the YaST Online Update (YO ...) NOT-FOR-US: YaSt Online Update CVE-2006-0802 (Cross-site scripting (XSS) vulnerability in the NS-Languages module fo ...) NOT-FOR-US: PostNuke CVE-2006-0801 (SQL injection vulnerability in the NS-Languages module for PostNuke 0. ...) NOT-FOR-US: PostNuke CVE-2006-0800 (Interpretation conflict in PostNuke 0.761 and earlier allows remote at ...) NOT-FOR-US: PostNuke CVE-2006-0799 (Microsoft Internet Explorer allows remote attackers to spoof a legitim ...) NOT-FOR-US: Microsoft CVE-2006-0798 (Multiple directory traversal vulnerabilities in the IMAP service in Ma ...) NOT-FOR-US: Macallan Mail Solution CVE-2006-0797 (Nokia N70 cell phone allows remote attackers to cause a denial of serv ...) NOT-FOR-US: Nokia cell phone CVE-2006-0796 (Cross-site scripting (XSS) vulnerability in default.php in Clever Copy ...) NOT-FOR-US: Clever Copy CVE-2006-0795 (Absolute path traversal vulnerability in convert.cgi in Quirex 2.0.2 a ...) NOT-FOR-US: Quirex CVE-2006-0794 (help.php in V-webmail 1.6.2 allows remote attackers to obtain the inst ...) NOT-FOR-US: V-webmail CVE-2006-0793 (frameset.php in V-webmail 1.6.2 allows remote attackers to conduct phi ...) NOT-FOR-US: V-webmail CVE-2006-0792 (Cross-site scripting (XSS) vulnerability in preferences.personal.php i ...) NOT-FOR-US: V-webmail CVE-2006-0791 (PHP remote file inclusion vulnerability in index.php in DreamCost Host ...) NOT-FOR-US: DreamCost HostAdmin CVE-2006-0790 (Rockliffe MailSite 7.0 and earlier allows remote attackers to cause a ...) NOT-FOR-US: Rockliffe MailSite CVE-2006-0789 (Certain unspecified Kyocera printers have a default "admin" account wi ...) NOT-FOR-US: Kyocera printers CVE-2006-0788 (Kyocera 3830 (aka FS-3830N) printers have a back door that allows remo ...) NOT-FOR-US: Kyocera printers CVE-2006-0787 (wimpy_trackplays.php in Plaino Wimpy MP3 Player, possibly 5.2 and earl ...) NOT-FOR-US: Plaino Wimpy CVE-2006-0786 (Incomplete blacklist vulnerability in include.php in PHPKIT 1.6.1 Rele ...) NOT-FOR-US: PHPKIT CVE-2006-0785 (Absolute path traversal vulnerability in include.php in PHPKIT 1.6.1 R ...) NOT-FOR-US: PHPKIT CVE-2006-0784 (D-Link DWL-G700AP with firmware 2.00 and 2.01 allows remote attackers ...) NOT-FOR-US: D-Link hardware CVE-2006-0783 (Cross-site scripting (XSS) vulnerability in page.php in in Siteframe B ...) NOT-FOR-US: Siteframe Beaumont CVE-2006-0782 (Unspecified vulnerability in weblog.pl in PerlBlog 1.09b and earlier a ...) NOT-FOR-US: PerlBlog CVE-2006-0781 (Directory traversal vulnerability in weblog.pl in PerlBlog 1.09b and e ...) NOT-FOR-US: PerlBlog CVE-2006-0780 (Multiple cross-site scripting (XSS) vulnerabilities in weblog.pl in Pe ...) NOT-FOR-US: PerlBlog CVE-2006-0779 (Cross-site scripting (XSS) vulnerability in u2u.php in XMB Forums 1.9. ...) NOT-FOR-US: XMB Forums CVE-2006-0778 (Multiple SQL injection vulnerabilities in XMB Forums 1.9.3 and earlier ...) NOT-FOR-US: XMB Forums CVE-2006-0777 (Unspecified vulnerability in guestex.pl in Teca Scripts Guestex 1.0 al ...) NOT-FOR-US: Teca Scripts Guestex CVE-2006-0776 (Cross-site scripting (XSS) vulnerability in guestex.pl in Teca Scripts ...) NOT-FOR-US: Teca Scripts Guestex CVE-2006-0775 (Multiple SQL injection vulnerabilities in show.php in BirthSys 3.1 all ...) NOT-FOR-US: BirthSys CVE-2006-0774 (SQL injection vulnerability in deleteSession() in DB_eSession library ...) NOT-FOR-US: DB_eSession CVE-2006-0773 (Cross-site scripting (XSS) vulnerability in Hitachi Business Logic - C ...) NOT-FOR-US: Hitachi Business Logic CVE-2006-0772 (SQL injection vulnerability in Hitachi Business Logic - Container 02-0 ...) NOT-FOR-US: Hitachi Business Logic CVE-2006-0771 (Format string vulnerability in PunkBuster 1.180 and earlier, as used b ...) NOT-FOR-US: PunkBuster CVE-2006-0770 (Cross-site scripting (XSS) vulnerability in calendar.php in MyBulletin ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-0769 (Unspecified vulnerability in in.rexecd in Solaris 10 allows local user ...) NOT-FOR-US: Solaris CVE-2006-0768 (Kadu 0.4.3 allows remote attackers to cause a denial of service (appli ...) NOT-FOR-US: Kadu CVE-2006-0767 (CGIWrap before 3.10 allows remote attackers to obtain sensitive inform ...) - cgiwrap 3.9-3.1 [sarge] - cgiwrap (Only leaks information about the existance of users on a system) CVE-2006-0766 (ICQ Inc. (formerly Mirabilis) ICQ 2003a, 2003b, Lite 4.0, Lite 4.1, an ...) NOT-FOR-US: ICQ CVE-2006-0765 (GUI display truncation vulnerability in ICQ Inc. (formerly Mirabilis) ...) NOT-FOR-US: ICQ CVE-2006-0764 (The Authentication, Authorization, and Accounting (AAA) capability in ...) NOT-FOR-US: Cisco CVE-2006-0763 (Cross-site scripting (XSS) vulnerability in dowebmailforward.cgi in cP ...) NOT-FOR-US: cPanel (not the same as in the cpanel package) CVE-2006-0762 (WinAbility Folder Guard 4.11 allows local users to gain unauthorized a ...) NOT-FOR-US: WinAbility Folder Guard CVE-2006-0761 (Buffer overflow in BlackBerry Attachment Service in Research in Motion ...) NOT-FOR-US: BlackBerry CVE-2006-0760 (LightTPD 1.4.8 and earlier, when the web root is on a case-insensitive ...) NOT-FOR-US: LightTPD on windows CVE-2006-0759 (Multiple SQL injection vulnerabilities in HiveMail 1.3 and earlier all ...) NOT-FOR-US: HiveMail CVE-2006-0758 (Multiple cross-site scripting (XSS) vulnerabilities in HiveMail 1.3 an ...) NOT-FOR-US: HiveMail CVE-2006-0757 (Multiple eval injection vulnerabilities in HiveMail 1.3 and earlier al ...) NOT-FOR-US: HiveMail CVE-2006-0756 (** DISPUTED ** dotProject 2.0.1 and earlier leaves (1) phpinfo.php and ...) NOT-FOR-US: dotProject CVE-2006-0755 (** DISPUTED ** Multiple PHP remote file include vulnerabilities in dot ...) NOT-FOR-US: dotProject CVE-2006-0754 (** DISPUTED ** dotProject 2.0.1 and earlier allows remote attackers to ...) NOT-FOR-US: dotProject CVE-2006-0753 (Memory leak in Microsoft Internet Explorer 6 for Windows XP Service Pa ...) NOT-FOR-US: Microsoft CVE-2006-0752 (Niels Provos Honeyd before 1.5 replies to certain illegal IP packet fr ...) - honeyd 1.5a-1 (bug #353064; low) [sarge] - honeyd (Too insignificant) CVE-2006-0751 (Multiple unspecified vulnerabilities in the (1) Filesystem in USErspac ...) NOT-FOR-US: Network Object Oriented File System (NOOFS) CVE-2006-0750 (SQL injection vulnerability in army.php in supersmashbrothers (SSB) Ar ...) NOT-FOR-US: supersmashbrothers CVE-2006-0749 (nsHTMLContentSink.cpp in Mozilla Firefox and Thunderbird 1.x before 1. ...) {DSA-1051-1 DSA-1046-1 DSA-1044-1} - firefox 1.5.dfsg+1.5.0.2 (low) - mozilla-firefox 1.5.dfsg+1.5.0.2 (low) - mozilla 2:1.7.13-0.1 (low) - thunderbird 1.5.0.2-1 (low) [sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.8 (low) CVE-2006-0748 (Mozilla Firefox and Thunderbird 1.x before 1.5.0.2 and 1.0.x before 1. ...) {DSA-1051-1 DSA-1046-1 DSA-1044-1} - firefox 1.5.dfsg+1.5.0.2-1 (high) - mozilla-firefox 1.5.dfsg+1.5.0.2-1 (high) - mozilla 2:1.7.13-0.1 (high) - thunderbird 1.5.0.2-1 (high) [sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.8 (high) - xulrunner 1.8.0.1-9 CVE-2006-0747 (Integer underflow in Freetype before 2.2 allows remote attackers to ca ...) {DSA-1095-1} - freetype 2.2.1-1 (medium) CVE-2006-0746 (Certain patches for kpdf do not include all relevant patches from xpdf ...) {DSA-1008-1} - kdegraphics 4:3.5.0-3 NOTE: Only affected the 3.3.2 KDE backport CVE-2006-0745 (X.Org server (xorg-server) 1.0.0 and later, X11R6.9.0, and X11R7.0 ina ...) - xorg-x11 6.9.0.dfsg.1-5 (bug #360388; medium) - xorg-server 1:1.0.2-1 (bug #378465; medium) - xfree86 CVE-2006-0744 (Linux kernel before 2.6.16.5 does not properly handle uncanonical retu ...) {DSA-1103} - linux-2.6 2.6.16-7 CVE-2006-0743 (Format string vulnerability in LocalSyslogAppender in Apache log4net 1 ...) NOT-FOR-US: Log4Net CVE-2006-0742 (The die_if_kernel function in arch/ia64/kernel/unaligned.c in Linux ke ...) {DSA-1103 DSA-1097-1} - linux-2.6 2.6.15-8 CVE-2006-0741 (Linux kernel before 2.6.15.5, when running on Intel processors, allows ...) {DSA-1103 DSA-1097-1} - linux-2.6 2.6.15-8 CVE-2006-0740 RESERVED CVE-2006-0739 (eStara SIP softphone allows remote attackers to cause a denial of serv ...) NOT-FOR-US: eStara SIP softphone CVE-2006-0738 (Multiple format string vulnerabilities in eStara SIP softphone allow r ...) NOT-FOR-US: eStara SIP softphone CVE-2006-0737 (eStara SIP softphone allows remote attackers to cause a denial of serv ...) NOT-FOR-US: eStara SIP softphone CVE-2006-0736 (Stack-based buffer overflow in the pam_micasa PAM authentication modul ...) NOT-FOR-US: pam_micasa / Novell CVE-2005-4726 (MUTE 0.4 uses improper flood protection algorithms, which allows remot ...) NOT-FOR-US: MUTE CVE-2005-4725 (Geeklog before 1.3.11sr3 allows remote attackers to bypass intended ac ...) NOT-FOR-US: Geeklog CVE-2005-4724 (SQL injection vulnerability in post.php in PhpTagCool 1.0.3 allows rem ...) NOT-FOR-US: PhpTagCool CVE-2006-2440 (Heap-based buffer overflow in the libMagick component of ImageMagick 6 ...) {DSA-1168-1} - imagemagick 6:6.2.4.5-0.6 (bug #345595) CVE-2006-0735 (Cross-site scripting (XSS) vulnerability in BBcode.pm in M. Blom HTML: ...) NOT-FOR-US: My Blog CVE-2006-0734 (The SV_CheckForDuplicateNames function in Valve Software Half-Life CST ...) NOT-FOR-US: Half-Life CVE-2006-0733 (** DISPUTED ** Cross-site scripting (XSS) vulnerability in WordPress 2 ...) - wordpress (unimportant) CVE-2006-0732 (Directory traversal vulnerability in SAP Business Connector (BC) 4.6 a ...) NOT-FOR-US: SAP Business Connector CVE-2006-0731 (WmRoot/adapter-index.dsp in SAP Business Connector Core Fix 7 and earl ...) NOT-FOR-US: SAP Business Connector CVE-2006-0730 (Multiple unspecified vulnerabilities in Dovecot before 1.0beta3 allow ...) - dovecot 1.0.beta3-1 (bug #353341; medium) [sarge] - dovecot (Vulnerable code was introduced in 1.0beta1) CVE-2006-0729 (SQL injection vulnerability in functions.php in Teca Diary PE 1.0 allo ...) NOT-FOR-US: Teca Diary CVE-2006-0728 (SQL injection vulnerability in search.php in webSPELL 4.01.00 and earl ...) NOT-FOR-US: webSPELL CVE-2006-0727 (SQL injection vulnerability in mstrack.php in MusOX DF MSAnalysis (DFM ...) NOT-FOR-US: MusOX DF CVE-2006-0726 (Cross-site scripting (XSS) vulnerability in linking.php in CPG-Nuke Dr ...) NOT-FOR-US: CPG-Nuke CVE-2006-0725 (PHP remote file inclusion vulnerability in prepend.php in Plume CMS 1. ...) NOT-FOR-US: Plume CMS CVE-2006-0724 (profile.php in Reamday Enterprises Magic News Lite 1.2.3, when registe ...) NOT-FOR-US: Reamday Enterprises Magic News Lite CVE-2006-0723 (PHP remote file inclusion vulnerability in preview.php in Reamday Ente ...) NOT-FOR-US: Reamday Enterprises Magic News Lite CVE-2006-0722 (settings.php in Reamday Enterprises Magic Downloads 1.1.3, when regist ...) NOT-FOR-US: Reamday Enterprises Magic News Lite CVE-2006-0721 (SQL injection vulnerability in pmlite.php in RunCMS 1.2 and 1.3a allow ...) NOT-FOR-US: RunCMS CVE-2006-0720 (Stack-based buffer overflow in Nullsoft Winamp 5.12 and 5.13 allows us ...) NOT-FOR-US: Winamp CVE-2006-0719 (SQL injection vulnerability in member_login.php in PHP Classifieds 6.1 ...) NOT-FOR-US: PHP Classifieds CVE-2006-0718 (The Internet Key Exchange version 1 (IKEv1) implementation in Avaya VS ...) NOT-FOR-US: Avaya VSU CVE-2006-0717 (IBM Tivoli Directory Server 6.0 allows remote attackers to cause a den ...) NOT-FOR-US: Tivoli CVE-2006-0716 (SQL injection vulnerability in index.php in sNews 1.3 allows remote at ...) NOT-FOR-US: sNews CVE-2006-0715 (Cross-site scripting (XSS) vulnerability in sNews 1.3 allows remote at ...) NOT-FOR-US: sNews CVE-2006-0714 (Directory traversal vulnerability in the installation file (sql/instal ...) - flyspray (Vulnerable code not included in Debian) CVE-2006-0713 (Directory traversal vulnerability in LinPHA 1.0 allows remote attacker ...) NOT-FOR-US: LinPHA CVE-2006-0712 (mail_html template in Squishdot 1.5.0 and earlier does not properly va ...) NOT-FOR-US: Squishdot CVE-2006-0711 (The (1) addfolder and (2) deletefolder functions in neomail-prefs.pl i ...) NOT-FOR-US: NeoMail CVE-2006-0710 (Double free vulnerability in isode.eddy in Isode M-Vault Server 11.3 a ...) NOT-FOR-US: Isode M-Vault CVE-2006-0709 (Buffer overflow in Metamail 2.7-50 allows remote attackers to cause a ...) {DSA-995-1} - metamail 2.7-51 (bug #352482; bug #353539) CVE-2006-0708 (Multiple buffer overflows in NullSoft Winamp 5.13 and earlier allow re ...) NOT-FOR-US: Winamp CVE-2006-0707 (PyBlosxom before 1.3.2, when running on certain webservers, allows rem ...) - pyblosxom 1.3.2-1 (high) [sarge] - pyblosxom (Vulnerable path handling code not present) CVE-2006-0706 (Cross-site scripting vulnerability in eintrag.php in Gästebuch (G ...) NOT-FOR-US: Gaestebuch CVE-2006-0705 (Format string vulnerability in a logging function as used by various S ...) NOT-FOR-US: Proprietary SFTP servers CVE-2006-0704 (iE Integrator 4.4.220114, when configured without a "bespoke error pag ...) NOT-FOR-US: iE Integrator CVE-2006-0703 (Unspecified vulnerability in index.php in imageVue 16.1 has unknown im ...) NOT-FOR-US: imageVue CVE-2006-0702 (admin/upload.php in imageVue 16.1 allows remote attackers to upload ar ...) NOT-FOR-US: imageVue CVE-2006-0701 (readfolder.php in imageVue 16.1 allows remote attackers to list direct ...) NOT-FOR-US: imageVue CVE-2006-0700 (imageVue 16.1 allows remote attackers to obtain folder permission sett ...) NOT-FOR-US: imageVue CVE-2006-0699 (Cross-site scripting (XSS) vulnerability in search.php in QWikiWiki 1. ...) NOT-FOR-US: QWikiWiki CVE-2006-0698 (Unspecified vulnerabilities in Zen Cart before 1.2.7 allow remote atta ...) NOT-FOR-US: Zen Cart CVE-2006-0697 (Zen Cart before 1.2.7 does not protect the admin/includes directory, w ...) NOT-FOR-US: Zen Cart CVE-2006-0696 (SQL injection vulnerability in Zen Cart before 1.2.7 allows remote att ...) NOT-FOR-US: Zen Cart CVE-2006-0695 (Ansilove before 1.03 does not filter uploaded file extensions, which a ...) NOT-FOR-US: Ansilove CVE-2006-0694 (Unspecified vulnerability in the loaders (load_*.php) in Ansilove befo ...) NOT-FOR-US: Ansilove CVE-2006-0693 (Multiple SQL injection vulnerabilities in rb_auth.php in Roberto Butti ...) NOT-FOR-US: Roberto Butti CALimba CVE-2006-0692 (Multiple SQL injection vulnerabilities in Carey Briggs PHP/MYSQL Times ...) NOT-FOR-US: Carey Briggs Timesheet CVE-2006-0691 (edituser.php in TTS Time Tracking Software 3.0 does not verify that th ...) NOT-FOR-US: TTS Time Tracking Software CVE-2006-0690 (Multiple SQL injection vulnerabilities in TTS Time Tracking Software 3 ...) NOT-FOR-US: TTS Time Tracking Software CVE-2006-0689 (Cross-site scripting (XSS) vulnerability in the Registration Form in T ...) NOT-FOR-US: TTS Time Tracking Software CVE-2006-0688 (PHP remote file include vulnerability in application.php in nicecoder. ...) NOT-FOR-US: nicecoder.com indexu CVE-2006-0687 (process.php in DocMGR 0.54.2 does not initialize the $siteModInfo vari ...) NOT-FOR-US: DocMGR CVE-2006-0686 (add_user.php in Virtual Hosting Control System (VHCS) 2.4.7.1 and earl ...) NOT-FOR-US: Virtual Hosting Control System CVE-2006-0685 (The check_login function in login.php in Virtual Hosting Control Syste ...) NOT-FOR-US: Virtual Hosting Control System CVE-2006-0684 (change_password.php in Virtual Hosting Control System (VHCS) 2.4.7.1 a ...) NOT-FOR-US: Virtual Hosting Control System CVE-2006-0683 (Cross-site scripting (XSS) vulnerability in Virtual Hosting Control Sy ...) NOT-FOR-US: Virtual Hosting Control System CVE-2006-0682 (Multiple cross-site scripting (XSS) vulnerabilities in bbcodes system ...) NOT-FOR-US: e107 CVE-2006-0681 (Format string vulnerability in powerd.c in Power Daemon (powerd) 2.0.2 ...) NOT-FOR-US: powerd NOTE: powerd supposedly normally comes with sysvinit, but not in debian CVE-2006-0680 (Unspecified vulnerability in WebGUI before 6.8.6-gamma allows remote a ...) NOT-FOR-US: WebGUI CVE-2006-0679 (SQL injection vulnerability in index.php in the Your_Account module in ...) NOT-FOR-US: PHP-Nuke CVE-2006-0678 (PostgreSQL 7.3.x before 7.3.14, 7.4.x before 7.4.12, 8.0.x before 8.0. ...) NOTE: Only vulnerable when compiled with asserts - postgresql (unimportant) - postgresql-8.0 8.0.7-1 (unimportant) - postgresql-8.1 8.1.3-1 (unimportant) CVE-2005-4723 (D-Link DI-524 Wireless Router, DI-624 Wireless Router, and DI-784 allo ...) NOT-FOR-US: D-Link hardware CVE-2005-4722 (_Request_Message.cfm in tmsPUBLISHER 3.3 allows remote attackers to ob ...) NOT-FOR-US: tmsPUBLISHER CVE-2005-4721 (Cross-site scripting (XSS) vulnerability in search.cfm in tmsPUBLISHER ...) NOT-FOR-US: tmsPUBLISHER CVE-2005-4720 (Mozilla Firefox 1.0.7 and earlier on Linux allows remote attackers to ...) {DSA-1044-1} - mozilla-firefox 1.5.dfsg+1.5.0.2 (low) - firefox 1.5.dfsg-1 CVE-2005-4719 (Multiple SQL injection vulnerabilities in Sysbotz Systems Panel 1.0.6 ...) NOT-FOR-US: Sysbotz Systems Panel CVE-2005-4718 (Opera 8.02 and earlier allows remote attackers to cause a denial of se ...) NOT-FOR-US: Opera CVE-2005-4717 (Microsoft Internet Explorer 6.0 on Windows NT 4.0 SP6a, Windows 2000 S ...) NOT-FOR-US: Microsoft CVE-2005-4716 (Hitachi TP1/Server Base and TP1/NET/Library 2 on IBM AIX allow remote ...) NOT-FOR-US: Hitachi TP1 CVE-2006-0677 (telnetd in Heimdal 0.6.x before 0.6.6 and 0.7.x before 0.7.2 allows re ...) {DSA-977-1} - heimdal 0.7.2-1 CVE-2006-0676 (Cross-site scripting (XSS) vulnerability in header.php in PHP-Nuke 6.0 ...) NOT-FOR-US: PHP-Nuke CVE-2006-0675 (Cross-site scripting (XSS) vulnerability in search.php in Siteframe 5. ...) NOT-FOR-US: SiteFrame CVE-2006-0674 (Buffer overflow in the arp command of IBM AIX 5.3 L, 5.3, 5.2.2, 5.2 L ...) NOT-FOR-US: IBM AIX CVE-2006-0673 (Multiple SQL injection vulnerabilities in cms/index.php in Magic Calen ...) NOT-FOR-US: Magic Calendar Lite CVE-2006-0672 (Unspecified vulnerability in HP PSC 1210 All-in-One Drivers before 1.0 ...) NOT-FOR-US: HP PSC 1210 All-in-One printer CVE-2006-0671 (Buffer overflow in Sony Ericsson K600i, V600i, W800i, and T68i cell ph ...) NOT-FOR-US: Sony Ericsson CVE-2006-0670 (Buffer overflow in l2cap.c in hcidump 1.29 allows remote attackers to ...) {DSA-990-1} - bluez-hcidump 1.30-1 (bug #351881; medium) CVE-2006-0669 NOT-FOR-US: Forum Light CVE-2006-0668 (SQL injection vulnerability in index.php in PwsPHP 1.2.3 allows remote ...) NOT-FOR-US: PwsPHP CVE-2006-0667 (lscfg in IBM AIX 5.2 and 5.3 allows local users to modify arbitrary fi ...) NOT-FOR-US: AIX CVE-2006-0666 (Unspecified vulnerability in the (1) unix_mp and (2) unix_64 kernels i ...) NOT-FOR-US: AIX CVE-2006-0665 (Unspecified vulnerability in (1) query_store.php and (2) manage_proj_c ...) {DSA-1133-1} - mantis 0.19.4-3 [woody] - mantis (Complete rewrite in 0.19) CVE-2006-0664 (Cross-site scripting (XSS) vulnerability in config_defaults_inc.php in ...) {DSA-1133-1} - mantis 0.19.4-3 [woody] - mantis (Complete rewrite in 0.19) CVE-2006-0663 (Multiple cross-site scripting (XSS) vulnerabilities in Lotus Domino iN ...) NOT-FOR-US: Lotus Domino CVE-2006-0662 (Cross-site scripting (XSS) vulnerability in Lotus Domino iNotes Client ...) NOT-FOR-US: Lotus Domino CVE-2006-0661 (Cross-site scripting (XSS) vulnerability in Scriptme SmE GB Host 1.21 ...) NOT-FOR-US: SmE GB Host CVE-2006-0660 (Multiple directory traversal vulnerabilities in FarsiNews 2.5 and earl ...) NOT-FOR-US: FarsiNews CVE-2006-0659 (Multiple PHP remote file include vulnerabilities in RunCMS 1.2 and ear ...) NOT-FOR-US: Runcms CVE-2006-0658 (Incomplete blacklist vulnerability in connector.php in FCKeditor 2.0 a ...) - knowledgeroot (fixed before first upload; see bug #381912) - moin 1.5.8-4.1 [etch] - moin (Vulnerable php code not present) - karrigell (Vulnerable php code not present) CVE-2006-0657 (Cross-site scripting (XSS) vulnerability in Softcomplex PHP Event Cale ...) NOT-FOR-US: Softcomplex CVE-2006-0656 (Directory traversal vulnerability in HP Systems Insight Manager 4.2 th ...) NOT-FOR-US: HP CVE-2006-0655 (Multiple cross-site scripting (XSS) vulnerabilities in (1) link_edited ...) NOT-FOR-US: Hinton Design phpht Topsites CVE-2006-0654 (check.php in Hinton Design phpht Topsites 1.3 does not validate passwo ...) NOT-FOR-US: Hinton Design phpht Topsites CVE-2006-0653 (Multiple SQL injection vulnerabilities in Hinton Design phpht Topsites ...) NOT-FOR-US: Hinton Design phpht Topsites CVE-2006-0652 (WHMCompleteSolution (WHMCS) before 2.3 assigns incorrect permissions t ...) NOT-FOR-US: WHMCompleteSolution CVE-2006-0651 (SQL injection vulnerability in index.php in vwdev allows remote attack ...) NOT-FOR-US: vwdev CVE-2006-0650 (Cross-site scripting (XSS) vulnerability in cpaint2.inc.php in the CPA ...) NOT-FOR-US: CPAINT CVE-2006-0649 (Cross-site scripting (XSS) vulnerability in DataparkSearch before 4.37 ...) NOT-FOR-US: DataparkSearch CVE-2006-0648 (Multiple directory traversal vulnerabilities in PHP iCalendar 2.0.1, 2 ...) NOT-FOR-US: PHP iCalendar CVE-2006-0647 (LDAP service in Sun Java System Directory Server 5.2, running on Linux ...) NOT-FOR-US: Sun Java System Directory Server CVE-2006-0646 (ld in SUSE Linux 9.1 through 10.0, and SLES 9, in certain circumstance ...) - binutils (SuSE specific vulnerability) CVE-2006-0645 (Tiny ASN.1 Library (libtasn1) before 0.2.18, as used by (1) GnuTLS 1.2 ...) {DSA-986-1 DSA-985-1} - libtasn1-2 (bug #352182; bug #365234) NOTE: upload of libtasn1-2 0.3.1-1 was reverted in 1:0.2.17-2 because of soname change - libtasn1-3 0.3.4-1 - gnutls13 1.3.5-1 - gnutls12 1.2.11-1 - gnutls11 CVE-2005-4715 (Multiple SQL injection vulnerabilities in modules.php in PHP-Nuke 7.8, ...) NOT-FOR-US: PHP-Nuke CVE-2005-4714 (Format string vulnerability in the vmps_log function in OpenVMPS (VLAN ...) NOT-FOR-US: OpenVMPS CVE-2005-4713 (Unspecified vulnerability in the SQL logging facility in PAM-MySQL 0.6 ...) - pam-mysql 0.6.2-1 (bug #353589; low) [sarge] - pam-mysql (Vulnerable code not present) CVE-2005-4712 (CRLF injection vulnerability in process_signup.php in PHP Handicapper ...) NOT-FOR-US: Handicapper CVE-2006-XXXX [dpkg-sig: insecure temp file bug] - dpkg-sig 0.13 (bug #352723; low) [sarge] - dpkg-sig (Only affected in debug mode) CVE-2006-2441 (Pioneers meta-server before 0.9.55, when the server-console is not ins ...) - pioneers 0.9.55-1 (bug #351986; medium) [sarge] - gnocatan (Not exploitable in Sarge per maintainer) CVE-2006-0644 (Multiple directory traversal vulnerabilities in install.php in CPG-Nuk ...) NOT-FOR-US: CPG-Nuke Dragonfly CMS CVE-2006-0643 (Cross-site scripting (XSS) vulnerability in WiredRed e/pop Web Confere ...) NOT-FOR-US: WiredRed e/pop Web Conferencing CVE-2006-0642 (Trend Micro ServerProtect 5.58, and possibly InterScan Messaging Secur ...) NOT-FOR-US: Trend Micro CVE-2006-0641 (Orbicule Undercover uses a third-party web server to determine the IP ...) NOT-FOR-US: Orbicule Undercover CVE-2006-0640 (Orbicule Undercover allows attackers with physical or root access to d ...) NOT-FOR-US: Orbicule Undercover CVE-2006-0639 (Cross-site scripting (XSS) vulnerability in search.php in MyBB (aka My ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-0638 (SQL injection vulnerability in moderation.php in MyBB (aka MyBulletinB ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-0637 (Buffer overflow in cram.dll in QUALCOMM Eudora WorldMail 3.0 allows re ...) NOT-FOR-US: QUALCOMM Eudora WorldMail CVE-2006-0636 (desktop.php in eyeOS 0.8.9 and earlier tests for the existence of the ...) NOT-FOR-US: eyeOS CVE-2006-0635 (Tiny C Compiler (TCC) 0.9.23 (aka TinyCC) evaluates the "i>sizeof(i ...) - tcc 0.9.24~cvs20070502-1 (bug #352202; low) [sarge] - tcc (Only incorrect code gen, hardly any production use) [etch] - tcc (Documented as insecure; only incorrect code gen, hardly any production use) CVE-2006-0634 (Borland C++Builder 6 (BCB6) with Update Pack 4 Enterprise edition (ent ...) NOT-FOR-US: Borland C++Builder CVE-2006-0633 (The make_password function in ipsclass.php in Invision Power Board (IP ...) NOT-FOR-US: Invision Power Board CVE-2006-0632 (The gen_rand_string function in phpBB 2.0.19 uses insufficiently rando ...) - phpbb2 2.0.20 (low) [sarge] - phpbb2 (Minor issue) NOTE: According to maintainers phpbb2 doesn't have useful countermeasures against NOTE: brute-force password guessing and as password seeding is based on milliseconds NOTE: NTP-timed attacks may even be in the area of a couple thousands attempts NOTE: instead of a million NOTE: Fixed in 2.0.20 CVE-2006-0631 (CRLF injection vulnerability in mailback.pl in Erik C. Thauvin mailbac ...) NOT-FOR-US: Erik C. Thauvin mailback CVE-2006-0630 (RITLabs The Bat! before 3.0.0.15 displays certain important headers fr ...) NOT-FOR-US: The Bat! CVE-2006-0629 (Unspecified vulnerability in AOL Instant Messenger (AIM) 5.9.3861 allo ...) NOT-FOR-US: AIM CVE-2006-0628 (myquiz.pl in Dale Ray MyQuiz 1.01 allows remote attackers to execute a ...) NOT-FOR-US: Dale Ray MyQuiz CVE-2006-0627 (Cross-site scripting (XSS) vulnerability in Clever Copy 2.0, 2.0a, and ...) NOT-FOR-US: Clever Copy CVE-2006-0624 (SQL injection vulnerability in check.asp in Whomp Real Estate Manager ...) NOT-FOR-US: Whomp Real Estate Manager CVE-2006-0623 (QNX Neutrino RTOS 6.3.0 ships /etc/rc.d/rc.local with world-writable p ...) NOT-FOR-US: QNX CVE-2006-0622 (QNX Neutrino RTOS 6.3.0 allows local users to cause a denial of servic ...) NOT-FOR-US: QNX CVE-2006-0621 (Multiple buffer overflows in QNX Neutrino RTOS 6.2.0 allow local users ...) NOT-FOR-US: QNX CVE-2006-0620 (Race condition in phfont in QNX Neutrino RTOS 6.2.1 allows local users ...) NOT-FOR-US: QNX CVE-2006-0619 (Multiple stack-based buffer overflows in QNX Neutrino RTOS 6.3.0 allow ...) NOT-FOR-US: QNX CVE-2006-0618 (Format string vulnerability in fontsleuth in QNX Neutrino RTOS 6.3.0 a ...) NOT-FOR-US: QNX CVE-2006-0617 (Multiple unspecified vulnerabilities in Sun Java JDK and JRE 5.0 Updat ...) NOT-FOR-US: Sun Java CVE-2006-0616 (Unspecified vulnerability in Sun Java JDK and JRE 5.0 Update 4 and ear ...) NOT-FOR-US: Sun Java CVE-2006-0615 (Multiple unspecified vulnerabilities in Sun Java JDK and JRE 5.0 Updat ...) NOT-FOR-US: Sun Java CVE-2006-0614 (Unspecified vulnerability in Sun Java JDK and JRE 5.0 Update 3 and ear ...) NOT-FOR-US: Sun Java CVE-2006-0613 (Unspecified vulnerability in Java Web Start after 1.0.1_02, as used in ...) NOT-FOR-US: Sun Java CVE-2006-0612 (Powersave daemon before 0.10.15.2 allows local users to gain privilege ...) - powersave 0.11.2-1 CVE-2006-0611 (Directory traversal vulnerability in compose.pl in @Mail 4.3 and earli ...) NOT-FOR-US: @Mail CVE-2006-0610 (Multiple SQL injection vulnerabilities in 2200net Calendar system 1.2, ...) NOT-FOR-US: 2200net Calender system CVE-2006-0609 (Cross-site scripting (XSS) vulnerability in add.php in Hinton Design p ...) NOT-FOR-US: Hinton Design phphd CVE-2006-0608 (Multiple SQL injection vulnerabilities in Hinton Design phphd 1.0 allo ...) NOT-FOR-US: Hinton Design phphd CVE-2006-0607 (check.php in Hinton Design phphd 1.0 does not check passwords when cer ...) NOT-FOR-US: Hinton Design phphd CVE-2006-0606 (SQL injection vulnerability in Unknown Domain Shoutbox 2005.07.21 allo ...) NOT-FOR-US: Unknown Domain Shoutbox CVE-2006-0605 (Multiple cross-site scripting (XSS) vulnerabilities in Unknown Domain ...) NOT-FOR-US: Unknown Domain Shoutbox CVE-2006-0604 (check.php in Hinton Design phphg Guestbook 1.2 does not check the user ...) NOT-FOR-US: Hinton Design phphd CVE-2006-0603 (Multiple cross-site scripting vulnerabilities in signed.php in Hinton ...) NOT-FOR-US: Hinton Design phphd CVE-2006-0602 (Multiple SQL injection vulnerabilities in Hinton Design phphg Guestboo ...) NOT-FOR-US: Hinton Design phphd CVE-2006-0601 RESERVED CVE-2006-0596 RESERVED CVE-2006-0595 RESERVED CVE-2006-0594 RESERVED CVE-2005-4711 (SQL injection vulnerability in Neocrome Land Down Under (LDU) 801 allo ...) NOT-FOR-US: Land Down Under CVE-2005-4710 (Unspecified vulnerability in multiple Autodesk and AutoCAD products an ...) NOT-FOR-US: AutoCAD CVE-2006-0598 (Buffer overflow in elogd.c in elog before 2.5.7 r1558-4 allows attacke ...) {DSA-967-1} - elog 2.6.1+r1642-1 CVE-2006-0597 (Multiple stack-based buffer overflows in elogd.c in elog before 2.5.7 ...) {DSA-967-1} - elog 2.6.1+r1642-1 CVE-2006-0599 (The (1) elog.c and (2) elogd.c components in elog before 2.5.7 r1558-4 ...) {DSA-967-1} - elog 2.6.1+r1642-1 CVE-2006-0600 (elog before 2.5.7 r1558-4 allows remote attackers to cause a denial of ...) {DSA-967-1} - elog 2.6.1+r1642-1 CVE-2006-0593 (Cross-site scripting (XSS) vulnerability in PHP-Fusion before 6.00.304 ...) NOT-FOR-US: PHP-Fusion CVE-2006-0592 (Unspecified vulnerability in the Lexmark Printer Sharing LexBce Server ...) NOT-FOR-US: Lexmark Printer CVE-2006-0591 (The crypt_gensalt functions for BSDI-style extended DES-based and Free ...) NOT-FOR-US: crypt_blowfish implementation from OWL, does not seem to be in Debian CVE-2006-0590 (MyTopix 1.2.3 allows remote attackers to obtain the installation path ...) NOT-FOR-US: MyTopix CVE-2006-0589 (MyTopix 1.2.3 allows remote attackers to obtain the installation path ...) NOT-FOR-US: MyTopix CVE-2006-0588 (SQL injection vulnerability in search.php in MyTopix 1.2.3 allows remo ...) NOT-FOR-US: MyTopix CVE-2006-0587 (Unspecified vulnerability in util.php in Gallery before 1.5.2-pl2 allo ...) - gallery 1.5.2-pl2-1 CVE-2006-0586 (Multiple SQL injection vulnerabilities in Oracle 10g Release 1 before ...) NOT-FOR-US: Oracle CVE-2006-0585 (jscript.dll in Microsoft Internet Explorer 6.0 SP1 and earlier allows ...) NOT-FOR-US: Microsoft CVE-2006-0584 (The PSCipher function in PeopleSoft People Tools 8.4x uses PKCS #5 wit ...) NOT-FOR-US: PeopleSoft People Tools CVE-2006-0583 (SQL injection vulnerability in mailarticle.php in Clever Copy 3.0 and ...) NOT-FOR-US: Clever Copy CVE-2006-0582 (Unspecified vulnerability in rshd in Heimdal 0.6.x before 0.6.6 and 0. ...) {DSA-977-1} - heimdal 0.7.2-1 CVE-2006-0581 (SQL injection vulnerability in Hosting Controller 6.1 Hotfix 2.8 allow ...) NOT-FOR-US: Hosting Controller CVE-2006-0580 (IBM Lotus Domino Server 7.0 allows remote attackers to cause a denial ...) NOT-FOR-US: Lotus Domino CVE-2006-0579 (Multiple integer overflows in (1) the new_demux_packet function in dem ...) - mplayer (fixed before first upload; 1.0pre7try3) NOTE: code not in ffmpeg and xine-lib CVE-2006-0578 (Blue Coat Proxy Security Gateway OS (SGOS) 4.1.2.1 does not enforce CO ...) NOT-FOR-US: Blue Coat Proxy Security Gateway OS CVE-2006-0577 (Lexmark X1185 printer allows local users to gain SYSTEM privileges by ...) NOT-FOR-US: Lexmark printer CVE-2006-0576 (Untrusted search path vulnerability in opcontrol in OProfile 0.9.1 and ...) - oprofile 0.9.1-9 (bug #352910; low) [sarge] - oprofile (requires sudo access to be vulnerable) CVE-2006-0575 (convert-fcrontab in Fcron 2.9.5 and 3.0.0 allows remote attackers to c ...) - fcron (Not included in Debian package) CVE-2006-0574 (Cross-site scripting (XSS) vulnerability in mime/handle.html in cPanel ...) NOT-FOR-US: cPanel CVE-2006-0573 (Multiple cross-site scripting (XSS) vulnerabilies in cPanel 10 and ear ...) NOT-FOR-US: cPanel CVE-2006-0572 (phpstatus 1.0 does not require passwords when using cookies to identif ...) NOT-FOR-US: phpstatus CVE-2006-0571 (Multiple cross-site scripting (XSS) vulnerabilities in phpstatus 1.0 a ...) NOT-FOR-US: phpstatus CVE-2006-0570 (Multiple SQL injection vulnerabilities in phpstatus 1.0, when gpc_magi ...) NOT-FOR-US: phpstatus CVE-2006-0569 (Cross-site scripting (XSS) vulnerability in user_class.php in Papoo 2. ...) NOT-FOR-US: Papoo CVE-2006-0568 (Cross-site scripting (XSS) vulnerability in throw.main in Outblaze all ...) NOT-FOR-US: Outblaze CVE-2006-0567 (Directory traversal vulnerability in Files Xaraya module before 0.5.1, ...) NOT-FOR-US: Xaraya CVE-2006-0566 (The LDAP component in CommuniGate Pro Core Server 5.0.7 allows remote ...) NOT-FOR-US: Communigate Pro CVE-2006-0565 (PHP remote file include vulnerability in inc/backend_settings.php in L ...) NOT-FOR-US: LoudBlog CVE-2006-0564 (Stack-based buffer overflow in Microsoft HTML Help Workshop 4.74.8702. ...) NOT-FOR-US: Microsoft CVE-2006-0563 (SQL injection vulnerability in exec.php in PluggedOut Blog 1.9.9c allo ...) NOT-FOR-US: PluggedOut Blog CVE-2006-0562 (Cross-site scripting (XSS) vulnerability in problem.php in PluggedOut ...) NOT-FOR-US: PluggedOut Blog CVE-2006-0561 (Cisco Secure Access Control Server (ACS) 3.x for Windows stores ACS ad ...) NOT-FOR-US: Cisco CVE-2006-0560 REJECTED CVE-2006-0559 (Format string vulnerability in the SMTP server for McAfee WebShield 4. ...) NOT-FOR-US: McAfee WebShield CVE-2006-0558 (perfmon (perfmon.c) in Linux kernel on IA64 architectures allows local ...) {DSA-1103} - linux-2.6 2.6.16-1 (bug #365375; low) CVE-2006-0557 (sys_mbind in mempolicy.c in Linux kernel 2.6.16 and earlier does not s ...) {DSA-1103} - linux-2.6 2.6.15-8 CVE-2006-0556 REJECTED CVE-2006-0555 (The Linux Kernel before 2.6.15.5 allows local users to cause a denial ...) {DSA-1103} - linux-2.6 2.6.15-8 CVE-2006-0554 (Linux kernel 2.6 before 2.6.15.5 allows local users to obtain sensitiv ...) {DSA-1103} - linux-2.6 2.6.15-8 CVE-2006-0553 (PostgreSQL 8.1.0 through 8.1.2 allows authenticated database users to ...) - postgresql-8.1 8.1.3-1 CVE-2006-0552 (Unspecified vulnerability in the Net Listener component of Oracle Data ...) NOT-FOR-US: Oracle CVE-2006-0551 (SQL injection vulnerability in the Data Pump Metadata API in Oracle Da ...) NOT-FOR-US: Oracle CVE-2006-0550 (Buffer overflow in an unspecified Oracle Client utility might allow re ...) NOT-FOR-US: Oracle CVE-2006-0549 (SQL injection vulnerability in the SYS.DBMS_METADATA_UTIL package in O ...) NOT-FOR-US: Oracle CVE-2006-0548 (SQL injection vulnerability in the Oracle Text component of Oracle Dat ...) NOT-FOR-US: Oracle CVE-2006-0547 (Oracle Database 8i, 9i, and 10g allow remote authenticated users to ex ...) NOT-FOR-US: Oracle CVE-2006-0546 (Unspecified vulnerability in index.php in a certain application availa ...) NOT-FOR-US: Strange app at www.egeinternet.com CVE-2006-0545 (SQL injection vulnerability in showflat.php in Groupee (formerly known ...) NOT-FOR-US: UBB.threads CVE-2006-0544 (urlmon.dll in Microsoft Internet Explorer 7.0 beta 2 (aka 7.0.5296.0) ...) NOT-FOR-US: Microsoft CVE-2006-0543 (Cerulean Trillian 3.1.0.120 allows remote attackers to cause a denial ...) NOT-FOR-US: Cerulean Trillian CVE-2006-0542 (Multiple SQL injection vulnerabilities in config.php in NukedWeb Guest ...) NOT-FOR-US: NukedWeb CVE-2006-0541 (Multiple cross-site scripting (XSS) vulnerabilities in Tachyon Vanilla ...) NOT-FOR-US: Tachyon Vanilla Guestbook CVE-2006-0540 (Multiple SQL injection vulnerabilities in Tachyon Vanilla Guestbook 1. ...) NOT-FOR-US: Tachyon Vanilla Guestbook CVE-2006-0539 (The convert-fcrontab program in fcron 3.0.0 might allow local users to ...) - fcron (Vulnerable app in the Debian package, not setuid anyway) CVE-2006-0538 (CipherTrust IronMail 5.0.1, when "Denial of Service Protection" is ena ...) NOT-FOR-US: IronMail CVE-2006-0537 (Buffer overflow in the POP3 server in Kinesphere Corporation eXchange ...) NOT-FOR-US: eXchange POP3 CVE-2006-0536 (Cross-site scripting (XSS) vulnerability in neomail.pl in NeoMail 1.27 ...) NOT-FOR-US: NeoMail CVE-2006-0535 (Multiple cross-site scripting (XSS) vulnerabilities in Community Serve ...) NOT-FOR-US: Community Server CVE-2006-0534 (Multiple cross-site scripting (XSS) vulnerabilities in default.asp in ...) NOT-FOR-US: CyberShop Ultimate E-commerce CVE-2006-0533 (Cross-site scripting (XSS) vulnerability in webmailaging.cgi in cPanel ...) NOT-FOR-US: cPanel NOTE: Not Debian's cpanel CVE-2006-0532 (Cross-site scripting (XSS) vulnerability in resultat.asp in SoftMaker ...) NOT-FOR-US: SoftMaker Shop CVE-2006-0531 (Unspecified vulnerability in Sun Java System Access Manager 7.0 allows ...) NOT-FOR-US: Sun Java System Access Manager CVE-2003-1293 (Multiple cross-site scripting (XSS) vulnerabilities in NukedWeb GuestB ...) NOT-FOR-US: NukedWeb CVE-2006-0530 (Computer Associates (CA) Message Queuing (CAM / CAFT) before 1.07 Buil ...) NOT-FOR-US: CA Message Queuing NOTE: CA Message Queuing is embeded in a lot of products, but they all seem NOTE: to be commercial products (see list in referenced URL) CVE-2006-0529 (Computer Associates (CA) Message Queuing (CAM / CAFT) before 1.07 Buil ...) NOT-FOR-US: CA Message Queuing NOTE: CA Message Queuing is embeded in a lot of products, but they all seem NOTE: to be commercial products (see list in referenced URL) CVE-2006-0528 (The cairo library (libcairo), as used in GNOME Evolution and possibly ...) - evolution 2.2.3-4 (low) [sarge] - evolution (Vulnerability was apparantly introduced in 2.3.1) [woody] - evolution (Vulnerability was apparantly introduced in 2.3.1) CVE-2006-0527 (BIND 4 (BIND4) and BIND 8 (BIND8), if used as a target forwarder, allo ...) - bind 1:8.4.7-1 (low) [sarge] - bind (Architectual limitatiom, upgrade to BIND 9 as a a fix) NOTE: BIND 8 is unsuitable for forwarder use because of its NOTE: architecture. Upgrade to BIND 9 as a fix. NOTE: This was fixed in sid by documenting it as an unfixable design limitation CVE-2006-0526 (The default configuration of the America Online (AOL) client software ...) NOT-FOR-US: AOL CVE-2006-0525 (Multiple Adobe products, including (1) Photoshop CS2, (2) Illustrator ...) NOT-FOR-US: Windows issue CVE-2006-0524 (Cross-site scripting (XSS) vulnerability in ashnews.php in Derek Ashau ...) NOT-FOR-US: Derek Ashauer ashnews CVE-2006-0523 (SQL injection vulnerability in global.php in MyBB before 1.03 allows r ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-0522 (SQL injection vulnerability in the Authentication Servlet in Symantec ...) NOT-FOR-US: Symantec Sygate Management Server CVE-2006-0521 (Cross-site scripting (XSS) vulnerability in results.php in BrowserCRM ...) NOT-FOR-US: Browser CRM CVE-2006-0520 (SQL injection vulnerability index.php in Dragoran Portal module 1.3 fo ...) NOT-FOR-US: Invision Power Board CVE-2006-0519 (SPIP 1.8.2-e and earlier and 1.9 Alpha 2 (5539) and earlier allows rem ...) - spip 2.0.6-1 (medium; bug #351336) CVE-2006-0518 (Cross-site scripting (XSS) vulnerability in index.php3 in SPIP 1.8.2-e ...) - spip 2.0.6-1 (medium; bug #351335) CVE-2006-0517 (Multiple SQL injection vulnerabilities in formulaires/inc-formulaire_f ...) - spip 2.0.6-1 (medium; bug #351334) CVE-2006-0625 (Directory traversal vulnerability in Spip_RSS.PHP in SPIP 1.8.2g and e ...) - spip 2.0.6-1 (medium; bug #352076) NOTE: http://www.securityfocus.com/bid/16556 CVE-2006-0626 (SQL injection vulnerability in spip_acces_doc.php3 in SPIP 1.8.2g and ...) - spip 2.0.6-1 (medium; bug #352077) NOTE: http://www.securityfocus.com/bid/16551 CVE-2006-0516 (Unspecified vulnerability in the kernel processing in Solaris 10 64 bi ...) NOT-FOR-US: Solaris CVE-2006-0515 (Cisco PIX/ASA 7.1.x before 7.1(2) and 7.0.x before 7.0(5), PIX 6.3.x b ...) NOT-FOR-US: Cisco CVE-2006-0514 RESERVED CVE-2006-0513 (Directory traversal vulnerability in pkmslogout in Tivoli Web Server P ...) NOT-FOR-US: Tivoli CVE-2006-0512 (PADL MigrationTools 46 creates temporary files insecurely, which allow ...) {DSA-1187-1} - migrationtools 46-2.1 (bug #338920; medium) CVE-2006-0511 (** DISPUTED ** Blackboard Academic Suite 6.0 and earlier does not prop ...) NOT-FOR-US: Blackboard Academic Suite CVE-2006-0510 (SQL injection vulnerability in userlogin.jsp in Daffodil CRM 1.5 allow ...) NOT-FOR-US: Daffodil CVE-2006-0509 (Multiple cross-site scripting (XSS) vulnerabilities in clients.php in ...) NOT-FOR-US: Cerberus Helpdesk CVE-2006-0508 (Easy CMS stores the images directory under the web document root with ...) NOT-FOR-US: Easy CMS CVE-2006-0507 (Multiple cross-site scripting (XSS) vulnerabilities in Easy CMS allow ...) NOT-FOR-US: Easy CMS CVE-2006-0506 (Cross-site scripting (XSS) vulnerability in index.php in Nuked-klaN 1. ...) NOT-FOR-US: Nuked-klaN CVE-2006-0505 (zbattle.net Zbattle client 1.09 SR-1 beta allows remote attackers to c ...) NOT-FOR-US: Zbattle CVE-2006-0504 (Unspecified vulnerability in MailEnable Enterprise Edition before 1.2 ...) NOT-FOR-US: MailEnable Enterprise Edition CVE-2006-0503 (IMAP service in MailEnable Professional Edition before 1.72 allows rem ...) NOT-FOR-US: MailEnable Professional Edition CVE-2006-0502 (PHP remote file inclusion vulnerability in loginout.php in FarsiNews 2 ...) NOT-FOR-US: FarsiNews CVE-2006-0501 (Cross-site scripting (XSS) vulnerability in MyCO Guestbook 1.0 allows ...) NOT-FOR-US: MyCo Guestbook CVE-2006-0500 (MyCO Guestbook 1.0 stores the admin directory under the web document r ...) NOT-FOR-US: MyCo Guestbook CVE-2006-0499 (Cross-site scripting (XSS) vulnerability in rlink.php in Rlink 1.0.0 m ...) NOT-FOR-US: Rlink module add-on for phpbb (not included in Debian package) CVE-2005-4709 (The popSubjectContext method in the SecurityAssociation class in JBoss ...) NOT-FOR-US: JBoss Enterprise Java Beans CVE-2005-4708 (Adobe Macromedia MX 2004 products, Captivate, Contribute 2, Contribute ...) NOT-FOR-US: Adobe Macromedia MX products (Captivate, Contribute and eLicensing client) CVE-2003-1292 (PHP remote file include vulnerability in Derek Ashauer ashNews 0.83 al ...) NOT-FOR-US: Derek Ashauer ashNews CVE-2006-0498 (Multiple cross-site scripting (XSS) vulnerabilities in PHP GEN before ...) NOT-FOR-US: PHP GEN CVE-2006-0497 (Multiple SQL injection vulnerabilities in PHP GEN before 1.4 allow rem ...) NOT-FOR-US: PHP GEN CVE-2006-0496 (Cross-site scripting (XSS) vulnerability in Mozilla 1.7.12 and possibl ...) - iceweasel 3.0-1 (unimportant; bug #349339) - mozilla-firefox (unimportant; bug #349339) - iceape (unimportant) - xulrunner (unimportant) NOTE: This is not a direct vulnerability, but rather the lack of protection NOTE: for shooting into own's own foot, so we should treat it as a security NOTE: enhancement bug and not as a vulnerability. CVE-2006-0495 (Cross-site scripting (XSS) vulnerability in the Add Thread to Favorite ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-0494 (Directory traversal vulnerability in MyBB (aka MyBulletinBoard) 1.02 a ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-0493 (Cross-site scripting (XSS) vulnerability in MG2 (formerly known as Min ...) NOT-FOR-US: MG2 CVE-2006-0492 (Multiple SQL injection vulnerabilities in Calendarix allow remote atta ...) NOT-FOR-US: Calendarix CVE-2006-0491 (SQL injection vulnerability in SZUserMgnt.class.php in SZUserMgnt 1.4 ...) NOT-FOR-US: SZUserMgnt CVE-2006-0490 (SQL injection vulnerability in login.asp in ASPThai.Net ASPThai Forums ...) NOT-FOR-US: ASPThai Forums CVE-2006-0489 (** DISPUTED ** Buffer overflow in the font command of mIRC, probably 6 ...) NOT-FOR-US: mIRC CVE-2006-0488 (The VDM (Virtual DOS Machine) emulation environment for MS-DOS applica ...) NOT-FOR-US: Microsoft CVE-2006-0487 (Multiple unspecified vulnerabilities in Tumbleweed MailGate Email Fire ...) NOT-FOR-US: Tumbleweed MailGate Email Firewall CVE-2006-0486 (Certain Cisco IOS releases in 12.2S based trains with maintenance rele ...) NOT-FOR-US: IOS CVE-2006-0485 (The TCL shell in Cisco IOS 12.2(14)S before 12.2(14)S16, 12.2(18)S bef ...) NOT-FOR-US: IOS CVE-2006-0484 (Directory traversal vulnerability in Vis.pl, as part of the FACE CONTR ...) NOT-FOR-US: FACE CONTROL product CVE-2006-0483 (Cisco VPN 3000 series concentrators running software 4.7.0 through 4.7 ...) NOT-FOR-US: Cisco CVE-2006-0482 (Linux kernel 2.6.15.1 and earlier, when running on SPARC architectures ...) {DSA-1017-1} - linux-2.6 2.6.15-4 CVE-2006-0481 (Heap-based buffer overflow in the alpha strip capability in libpng 1.2 ...) - libpng 1.2.8rel-3 (bug #352902; bug #352918) [sarge] - libpng (Only 1.2.7 affected) [woody] - libpng (Only 1.2.7 affected) [sarge] - libpng3 1.2.8rel-1 CVE-2006-0480 (Cross-site scripting (XSS) vulnerability in the Articles module in sPa ...) NOT-FOR-US: sPaiz-Nuke CVE-2006-0479 (pmwiki.php in PmWiki 2.1 beta 20, with register_globals enabled, allow ...) NOT-FOR-US: PmWiki CVE-2006-0478 (CRE Loaded 6.15 allows remote attackers to perform privileged actions, ...) NOT-FOR-US: CRE Loaded CVE-2006-0477 (Buffer overflow in git-checkout-index in GIT before 1.1.5 allows remot ...) - git-core 1.1.5-1 (bug #350274) CVE-2006-0476 (Buffer overflow in Nullsoft Winamp 5.12 allows remote attackers to exe ...) NOT-FOR-US: Winamp CVE-2006-0475 (PHP-Ping 1.3 does not properly validate ping counts, which allows remo ...) NOT-FOR-US: PHP-Ping CVE-2006-0474 (Multiple integer overflows in Shareaza 2.2.1.0 allow remote attackers ...) NOT-FOR-US: Shareaza CVE-2006-0473 (Cross-site scripting (XSS) vulnerability in the bbcode function in web ...) NOT-FOR-US: My little homepage CVE-2006-0472 (Cross-site scripting (XSS) vulnerability in guestbook.php in my little ...) NOT-FOR-US: My little homepage CVE-2006-0471 (Cross-site scripting (XSS) vulnerability in the bbcode function in fun ...) NOT-FOR-US: My little homepage CVE-2006-0470 (Cross-site scripting (XSS) vulnerability in search.php in MyBulletinBo ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-0469 (Cross-site scripting (XSS) vulnerability in UebiMiau 2.7.9, and possib ...) NOT-FOR-US: uebimiau NOTE: this had an ITP back in 2002, but it never was done (bug #164116) CVE-2006-0468 (CommuniGate Pro Core Server before 5.0.7 allows remote attackers to ca ...) NOT-FOR-US: CommuniGate Pro CVE-2005-4707 (Multiple cross-site scripting (XSS) vulnerabilities in PHP GEN before ...) NOT-FOR-US: PHP GEN CVE-2005-4706 (Unspecified vulnerability in the "privilege management" feature of Sun ...) NOT-FOR-US: Solaris 10 CVE-2005-4705 (BEA WebLogic Server and WebLogic Express 8.1 through SP4, 7.0 through ...) NOT-FOR-US: BEA WebLogic CVE-2005-4704 (Unspecified vulnerability in BEA WebLogic Server and WebLogic Express ...) NOT-FOR-US: BEA WebLogic CVE-2005-4703 (Apache Tomcat 4.0.3, when running on Windows, allows remote attackers ...) NOT-FOR-US: Windows Tomcat vulnerability CVE-2005-4702 (SQL injection vulnerability in the favorites module in index.php in IP ...) NOT-FOR-US: IPBProArcade CVE-2005-4701 (Unspecified vulnerability in Process File System (procfs) in Sun Solar ...) NOT-FOR-US: Solaris 10 CVE-2005-4700 (TellMe 1.2 and earlier, when the Server (o_Server) and HEAD (o_Head) o ...) NOT-FOR-US: TellMe CVE-2005-4699 (Argument injection vulnerability in TellMe 1.2 and earlier allows remo ...) NOT-FOR-US: TellMe CVE-2005-4698 (Cross-site scripting (XSS) vulnerability in TellMe 1.2 and earlier all ...) NOT-FOR-US: TellMe CVE-2005-4697 (The Microsoft Wireless Zero Configuration system (WZCS) allows local u ...) NOT-FOR-US: Microsoft CVE-2005-4696 (The Microsoft Wireless Zero Configuration system (WZCS) stores WEP key ...) NOT-FOR-US: Microsoft CVE-2005-4695 (Symantec Brightmail AntiSpam 6.0 build 1 and 2 allows remote attackers ...) NOT-FOR-US: Symantec Brightmail AntiSpam CVE-2005-4694 (Unspecified vulnerability in the www_add method in Asset.pm in Plain B ...) NOT-FOR-US: WebGUI CVE-2005-4693 (Gaim-Encryption 2.38-1 on Debian Linux allows remote attackers to caus ...) - gaim-encryption 3.0~beta5-3 (low; bug #337127) [sarge] - gaim-encryption (Minor issue) CVE-2005-4692 (Unspecified vulnerability in mroovca stats (mroovcastats) before 0.4.5 ...) NOT-FOR-US: mroovca CVE-2005-4691 (imake in NetBSD before 2.0.3, NetBSD-current before 12 September 2005, ...) NOT-FOR-US: NetBSD CVE-2005-4690 (Six Apart Movable Type 3.16 allows local users with blog-creation priv ...) NOT-FOR-US: Six Apart Movable Type CVE-2005-4689 (Six Apart Movable Type 3.16 stores account names and password hashes i ...) NOT-FOR-US: Six Apart Movable Type CVE-2005-4688 (PunBB 1.2.9 does not require password entry when changing the e-mail a ...) NOT-FOR-US: PunBB CVE-2005-4687 (PunBB 1.2.9, used alone or with F-ART BLOG:CMS, may trust a client's I ...) NOT-FOR-US: PunBB CVE-2005-4686 (PunBB 1.2.9, when used alone or with F-ART BLOG:CMS, includes config.p ...) NOT-FOR-US: PunBB CVE-2005-4685 (Firefox and Mozilla can associate a cookie with multiple domains when ...) NOTE: see CVE-2005-4684 - firefox (unimportant) - iceweasel (unimportant) - mozilla (unimportant) [sarge] - mozilla (Hardly exploitable) - xulrunner (unimportant) CVE-2005-4684 (Konqueror can associate a cookie with multiple domains when the DNS re ...) NOTE: http://www.redhat.com/archives/fedora-extras-commits/2006-August/msg01104.html says "ignore (kdebase) not fixed upstream, low, can't fix" - kdebase (unimportant) [sarge] - kdebase (Hardly exploitable) CVE-2005-4683 (PADL MigrationTools 46, when a failure occurs, stores contents of /etc ...) - migrationtools 46-2.1 (bug #338920; unimportant) NOTE: The temp fix makes use of TMPDIR CVE-2005-4682 (Cross-site scripting (XSS) vulnerability in error.asp in AudienceView ...) NOT-FOR-US: AudienceView CVE-2005-4681 (** DISPUTED ** Buffer overflow in mIRC 5.91, 6.03, 6.12, and 6.16 allo ...) NOT-FOR-US: mIRC CVE-2005-4680 (Sophos Anti-Virus before 4.02, 4.5.x before 4.5.9, 4.6.x before 4.6.9, ...) NOT-FOR-US: Sophos Anti-Virus CVE-2005-4679 (Internet Explorer 6 for Windows XP Service Pack 2 allows remote attack ...) NOT-FOR-US: Internet Explorer 6 CVE-2005-4678 (Apple Safari 2.0.2 (aka 416.12) allows remote attackers to spoof the U ...) NOT-FOR-US: Apple CVE-2005-4677 (SQL injection vulnerability in additional_images.php (aka the Addition ...) NOT-FOR-US: osCommerce CVE-2005-4676 (Buffer overflow in Andreas Huggel Exiv2 before 0.9 does not null termi ...) - exiv2 0.9 CVE-2003-1291 (VMware ESX Server 1.5.2 before Patch 4 allows local users to execute a ...) NOT-FOR-US: VMware CVE-2006-0467 (Unspecified vulnerability in Pioneers (formerly gnocatan) before 0.9.4 ...) {DSA-964-1} [woody] - gnocatan 0.6.1-5woody3 [sarge] - gnocatan 0.8.1.59-1sarge1 - pioneers 0.9.49-1 (bug #350237; medium) CVE-2006-0466 (Cross-site scripting (XSS) vulnerability in search.asp in Goldstag Con ...) NOT-FOR-US: Goldstag Content Management System CVE-2006-0465 (Cross-site scripting (XSS) vulnerability in risultati_ricerca.php in a ...) NOT-FOR-US: active121 Site Manager CVE-2006-0464 (Multiple SQL injection vulnerabilities in index.php in IdeoContent Man ...) NOT-FOR-US: IdeoContent Manager CVE-2006-0463 (Cross-site scripting (XSS) vulnerability in IdeoContent Manager allows ...) NOT-FOR-US: IdeoContent Manager CVE-2006-0462 (SQL injection vulnerability in comentarios.php in AndoNET Blog 2004.09 ...) NOT-FOR-US: AndoNET Blog CVE-2006-0461 (Cross-site scripting (XSS) vulnerability in core.input.php in Expressi ...) NOT-FOR-US: ExpressionEngine CVE-2006-0460 (Multiple buffer overflows in BomberClone before 0.11.6.2 allow remote ...) {DSA-997-1} - bomberclone 0.11.6.2-1 CVE-2006-0459 (flex.skl in Will Estes and John Millaway Fast Lexical Analyzer Generat ...) {DSA-1020-1} - flex 2.5.33-1 CVE-2006-0458 (The DCC ACCEPT command handler in irssi before 0.8.9+0.8.10rc5-0ubuntu ...) - irssi-text (Only 0.8.10rc versions are affected) CVE-2006-0457 (Race condition in the (1) add_key, (2) request_key, and (3) keyctl fun ...) - linux-2.6 2.6.15-6 CVE-2006-0456 (The strnlen_user function in Linux kernel before 2.6.16 on IBM S/390 c ...) {DSA-1103} - linux-2.6 2.6.16-1 CVE-2006-0455 (gpgv in GnuPG before 1.4.2.1, when using unattended signature verifica ...) {DSA-978-1} - gnupg 1.4.2.2-1 (bug #353017; bug #353019; bug #354620; medium) - gnupg2 (Vulnerable code not activated) CVE-2006-0454 (Linux kernel before 2.6.15.3 down to 2.6.12, while constructing an ICM ...) - linux-2.6 2.6.15-5 [sarge] - kernel-source-2.6.8 [sarge] - kernel-source-2.4.27 CVE-2006-0453 (The LDAP component in Fedora Directory Server 1.0 allow remote attacke ...) NOT-FOR-US: Fedora Directory Server CVE-2006-0452 (dn2ancestor in the LDAP component in Fedora Directory Server 1.0 allow ...) NOT-FOR-US: Fedora Directory Server CVE-2006-0451 (Multiple memory leaks in the LDAP component in Fedora Directory Server ...) NOT-FOR-US: Fedora Directory Server CVE-2006-0450 (phpBB 2.0.19 and earlier allows remote attackers to cause a denial of ...) - phpbb2 (unimportant) NOTE: As discussed with the phpbb maintainers; this is only a lack of feature NOTE: (phpbb2 doesn't allow a kind of rate control for maximum login/searches for NOTE: a certain time frame), but not a directly fixable security problem CVE-2006-0449 (Early termination vulnerability in the IMAP service in E-Post Mail 4.0 ...) NOT-FOR-US: E-Post Mail / SPA-PRO Mail CVE-2006-0448 (Multiple directory traversal vulnerabilities in (1) EPSTIMAP4S.EXE and ...) NOT-FOR-US: E-Post Mail / SPA-PRO Mail CVE-2006-0447 (Multiple buffer overflows in E-Post Mail Server 4.10 and SPA-PRO Mail ...) NOT-FOR-US: E-Post Mail / SPA-PRO Mail CVE-2006-0446 (Unspecified vulnerability in WeBWorK 2.1.3 and 2.2-pre1 allows remote ...) NOT-FOR-US: WeBWorK CVE-2006-0445 (index.php in Phpclanwebsite 1.23.1 allows remote authenticated users t ...) NOT-FOR-US: Phpclanwebsite CVE-2006-0444 (SQL injection vulnerability in index.php in Phpclanwebsite (aka PCW) 1 ...) NOT-FOR-US: Phpclanwebsite CVE-2006-0443 (Cross-site scripting (XSS) vulnerability in archive.php in CheesyBlog ...) NOT-FOR-US: CheesyBlog CVE-2006-0442 (Multiple cross-site scripting (XSS) vulnerabilities in usercp.php in M ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-0441 (Stack-based buffer overflow in Sami FTP Server 2.0.1 allows remote att ...) NOT-FOR-US: Sami FTP Server CVE-2006-0440 (Text Rider 2.4 allows attackers to bypass authentication and upload fi ...) NOT-FOR-US: Text Rider CVE-2006-0439 (Text Rider 2.4 stores sensitive data in the data directory under the w ...) NOT-FOR-US: Text Rider CVE-2006-0438 (Cross-site request forgery (CSRF) vulnerability in phpBB 2.0.19, when ...) - phpbb2 (unimportant) NOTE: No real world risk according to maintainer CVE-2006-0437 (Cross-site scripting (XSS) vulnerability in admin_smilies.php in phpBB ...) - phpbb2 (unimportant) NOTE: Intended behaviour according to maintainer CVE-2006-0436 (Unspecified vulnerability in HP HP-UX B.11.00, B.11.04, and B.11.11 al ...) NOT-FOR-US: HP-UX CVE-2006-0435 (Unspecified vulnerability in Oracle PL/SQL (PLSQL), as used in Databas ...) NOT-FOR-US: Oracle CVE-2006-0434 (Directory traversal vulnerability in action.php in phpXplorer allows r ...) NOT-FOR-US: phpXplorer CVE-2005-4675 (Cross-site scripting (XSS) vulnerability in list.php in Complete PHP C ...) NOT-FOR-US: Complete PHP Counter CVE-2005-4674 (Multiple SQL injection vulnerabilities in list.php in Complete PHP Cou ...) NOT-FOR-US: Complete PHP Counter CVE-2005-4673 (ioFTPD 0.5.84 u responds with different messages depending on whether ...) NOT-FOR-US: ioFTPD CVE-2005-4672 (Cross-site scripting (XSS) vulnerability in image-editor-52/index.php ...) NOT-FOR-US: CityPost Simple Image-Editor CVE-2005-4671 (Cross-site scripting (XSS) vulnerability in simple-upload-53.php in Ci ...) NOT-FOR-US: CityPost Simple PHP Upload CVE-2005-4670 (Cross-site scripting (XSS) vulnerability in message.php in CityPost Au ...) NOT-FOR-US: CityPost Simple PHP Upload CVE-2005-4669 (SQL injection vulnerability in RT Internet Solutions (RTIS) WebAdmin a ...) NOT-FOR-US: RT Internet Solutions (RTIS) WebAdmin CVE-2005-4668 (The embedded HSQLDB in ParosProxy before 3.2.7, when running with JDK ...) NOT-FOR-US: ParoxProxy CVE-2006-0433 (Selective Acknowledgement (SACK) in FreeBSD 5.3 and 5.4 does not prope ...) - kfreebsd-5 5.4-13 CVE-2006-0432 (Unspecified vulnerability in BEA WebLogic Server and WebLogic Express ...) NOT-FOR-US: BEA WebLogic CVE-2006-0431 (Unspecified vulnerability in BEA WebLogic Server and WebLogic Express ...) NOT-FOR-US: BEA WebLogic CVE-2006-0430 (Certain configurations of BEA WebLogic Server and WebLogic Express 9.0 ...) NOT-FOR-US: BEA WebLogic CVE-2006-0429 (BEA WebLogic Server and WebLogic Express 9.0 causes new security provi ...) NOT-FOR-US: BEA WebLogic CVE-2006-0428 (Unspecified vulnerability in BEA WebLogic Portal 8.1 SP3 through SP5, ...) NOT-FOR-US: BEA WebLogic CVE-2006-0427 (Unspecified vulnerability in BEA WebLogic Server and WebLogic Express ...) NOT-FOR-US: BEA WebLogic CVE-2006-0426 (BEA WebLogic Server and WebLogic Express 8.1 through SP4, when configu ...) NOT-FOR-US: BEA WebLogic CVE-2006-0425 (BEA WebLogic Portal 8.1 through SP4 allows remote attackers to obtain ...) NOT-FOR-US: BEA WebLogic CVE-2006-0424 (BEA WebLogic Server and WebLogic Express 8.1 through SP4, 7.0 through ...) NOT-FOR-US: BEA WebLogic CVE-2006-0423 (BEA WebLogic Portal 8.1 through SP3 stores the password for the RDBMS ...) NOT-FOR-US: BEA WebLogic CVE-2006-0422 (Multiple unspecified vulnerabilities in BEA WebLogic Server and WebLog ...) NOT-FOR-US: BEA WebLogic CVE-2006-0421 (By design, BEA WebLogic Server and WebLogic Express 7.0 and 6.1, when ...) NOT-FOR-US: BEA WebLogic CVE-2006-0420 (BEA WebLogic Server and WebLogic Express 8.1 through SP4 and 7.0 throu ...) NOT-FOR-US: BEA WebLogic CVE-2006-0419 (BEA WebLogic Server and WebLogic Express 9.0, 8.1 through SP5, and 7.0 ...) NOT-FOR-US: BEA WebLogic CVE-2005-4667 (Buffer overflow in UnZip 5.50 and earlier allows user-assisted attacke ...) {DSA-1012-1} - unzip 5.52-7 (low; bug #349794) CVE-2006-0418 (Eval injection vulnerability in 123 Flash Chat Server 5.0 and 5.1 allo ...) NOT-FOR-US: 123 Flash Chat Server CVE-2006-0417 (SQL injection vulnerability in login.php in miniBloggie 1.0 and earlie ...) NOT-FOR-US: miniBloggie CVE-2006-0416 (SleeperChat 0.3f and earlier allows remote attackers to bypass authent ...) NOT-FOR-US: SleeperChat CVE-2006-0415 (Cross-site scripting (XSS) vulnerability in index.php in SleeperChat 0 ...) NOT-FOR-US: SleeperChat CVE-2006-0414 (Tor before 0.1.1.20 allows remote attackers to identify hidden service ...) - tor 0.1.1.11-alpha-1 (bug #349283) CVE-2006-0413 (Multiple SQL injection vulnerabilities in index.php in NewsPHP allow r ...) NOT-FOR-US: NewsPHP CVE-2006-0412 (SQL injection vulnerability in CyberShop allows remote attackers to ex ...) NOT-FOR-US: CyberShop CVE-2006-0411 (claro_init_local.inc.php in Claroline 1.7.2 uses guessable session coo ...) NOT-FOR-US: Claroline CVE-2006-0410 (SQL injection vulnerability in ADOdb before 4.71, when using PostgreSQ ...) {DSA-1031-1 DSA-1030-1 DSA-1029-1} - libphp-adodb 4.72-0.1 (bug #349985; medium) - moodle 1.6-1 (bug #360395; medium) - cacti 0.8.6d-1 (medium) CVE-2006-0409 (Cross-site scripting (XSS) vulnerability in index.php in Pixelpost Pho ...) NOT-FOR-US: Pixelpost Photoblog CVE-2006-0408 (rsh utility in Sun Grid Engine (SGE) before 6.0u7_1 allows local users ...) NOT-FOR-US: Sun Grid Engine CVE-2006-0407 (Cross-site scripting (XSS) vulnerability in post.php in AZ Bulletin Bo ...) NOT-FOR-US: AZ Bulletin Board CVE-2006-0406 (search.php in MyBB 1.0.2 allows remote attackers to obtain sensitive i ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-0405 (The TIFFFetchShortPair function in tif_dirread.c in libtiff 3.8.0 allo ...) - tiff 3.8.0-2 (bug #350715) - tiff3 (fixed prior to initial upload) [sarge] - tiff (Vulnerability was introduced later) [woody] - tiff (Vulnerability was introduced later) CVE-2006-0404 (Note-A-Day Weblog 2.2 stores sensitive data under the web document roo ...) NOT-FOR-US: Note-A-Day Weblog CVE-2006-0403 (Multiple SQL injection vulnerabilities in e-moBLOG 1.3 allow remote at ...) NOT-FOR-US: e-moBLOG CVE-2006-0402 (SQL injection vulnerability in Zoph before 0.5pre1 allows remote attac ...) {DSA-989-1} - zoph 0.5-1 (bug #350717) CVE-2006-0401 (Unspecified vulnerability in Mac OS X before 10.4.6, when running on a ...) NOT-FOR-US: Apple CVE-2006-0400 (CoreTypes in Apple Mac OS X 10.4 up to 10.4.5 allows remote attackers ...) NOT-FOR-US: Apple CVE-2006-0399 (Unspecified vulnerability in Safari, LaunchServices, and/or CoreTypes ...) NOT-FOR-US: Apple CVE-2006-0398 (Unspecified vulnerability in Safari, LaunchServices, and/or CoreTypes ...) NOT-FOR-US: Apple CVE-2006-0397 (Unspecified vulnerability in Safari, LaunchServices, and/or CoreTypes ...) NOT-FOR-US: Apple CVE-2006-0396 (Buffer overflow in Mail in Apple Mac OS X 10.4 up to 10.4.5, when patc ...) NOT-FOR-US: Apple CVE-2006-0395 (The Download Validation in Mail in Mac OS X 10.4 does not properly rec ...) NOT-FOR-US: Apple CVE-2006-0394 REJECTED CVE-2006-0393 (OpenSSH in Apple Mac OS X 10.4.7 allows remote attackers to cause a de ...) NOT-FOR-US: Apple CVE-2006-0392 (Buffer overflow in Apple Mac OS X 10.4.7 allows user-assisted attacker ...) NOT-FOR-US: Apple CVE-2006-0391 (Directory traversal vulnerability in the BOM framework in Mac OS X 10. ...) NOT-FOR-US: Apple CVE-2006-0390 REJECTED CVE-2006-0389 (Cross-site scripting (XSS) vulnerability in Syndication (Safari RSS) i ...) NOT-FOR-US: Apple CVE-2006-0388 (Safari in Mac OS X 10.3 before 10.3.9 and 10.4 before 10.4.5 allows re ...) NOT-FOR-US: Apple CVE-2006-0387 (Stack-based buffer overflow in Safari in Mac OS X 10.4.5 and earlier, ...) NOT-FOR-US: Apple CVE-2006-0386 (FileVault in Mac OS X 10.4.5 and earlier does not properly mount user ...) NOT-FOR-US: Apple CVE-2006-0385 RESERVED CVE-2006-0384 (automount in Mac OS X 10.4.5 and earlier allows remote file servers to ...) NOT-FOR-US: Apple CVE-2006-0383 (IPSec when used with VPN networks in Mac OS X 10.4 through 10.4.5 allo ...) NOT-FOR-US: Apple CVE-2006-0382 (Apple Mac OS X 10.4.5 and allows local users to cause a denial of serv ...) NOT-FOR-US: Apple CVE-2006-0381 (A logic error in the IP fragment cache functionality in pf in FreeBSD ...) - kfreebsd-5 5.4-14 CVE-2006-0380 (A logic error in FreeBSD kernel 5.4-STABLE and 6.0 causes the kernel t ...) NOT-FOR-US: FreeBSD, possibly affects kfreebsd-5 CVE-2006-0379 (FreeBSD kernel 5.4-STABLE and 6.0 does not completely initialize a buf ...) NOT-FOR-US: FreeBSD, possibly affects kfreebsd-5 CVE-2006-0378 (Cross-site scripting (XSS) vulnerability in Netrix X-Site Manager allo ...) NOT-FOR-US: Netrix X-Site Manager CVE-2006-0377 (CRLF injection vulnerability in SquirrelMail 1.4.0 to 1.4.5 allows rem ...) {DSA-988-1} - squirrelmail 2:1.4.6-1 (bug #354063; bug #355424) CVE-2006-0376 (The 802.11 wireless client in certain operating systems including Wind ...) NOT-FOR-US: Windows CVE-2006-0375 (Advantage Century Telecommunication (ACT) P202S IP Phone 1.01.21 runni ...) NOT-FOR-US: Advantage Century Telecommunication (ACT) P202S IP Phone CVE-2006-0374 (Advantage Century Telecommunication (ACT) P202S IP Phone 1.01.21 runni ...) NOT-FOR-US: Advantage Century Telecommunication (ACT) P202S IP Phone CVE-2006-0373 (Cross-site scripting (XSS) vulnerability in register.aspx in Douran Fo ...) NOT-FOR-US: Douran FollowWeb CVE-2006-0372 (Multiple SQL injection vulnerabilities in config.php in Insane Visions ...) NOT-FOR-US: Insane Visions BlogPHP CVE-2006-0371 (Directory traversal vulnerability in index.php in Noah Medling RCBlog ...) NOT-FOR-US: Noah Medling RCBlog CVE-2006-0370 (Noah Medling RCBlog 1.03 stores the data and config directories under ...) NOT-FOR-US: Noah Medling RCBlog CVE-2006-0369 - mysql-dfsg-4.1 (unimportant) NOTE: This isn't a security hole, it's expected behaviour CVE-2006-0368 (Cisco CallManager 3.2 and earlier, 3.3 before 3.3(5)SR1, 4.0 before 4. ...) NOT-FOR-US: Cisco CVE-2006-0367 (Unspecified vulnerability in Cisco CallManager 3.2 and earlier, 3.3 be ...) NOT-FOR-US: Cisco CVE-2006-0366 (Cross-site scripting (XSS) vulnerability in Phpclanwebsite (aka PCW) a ...) NOT-FOR-US: Phpclanwebsite CVE-2006-0365 (Cross-site scripting (XSS) vulnerability in XMB (aka extreme message b ...) NOT-FOR-US: XMB CVE-2006-0364 (Cross-site scripting (XSS) vulnerability in MyBulletinBoard (MyBB) all ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-0363 (The "Remember my Password" feature in MSN Messenger 7.5 stores passwor ...) NOT-FOR-US: MSN Messenger CVE-2006-0362 (TippingPoint Intrusion Prevention System (IPS) TOS before 2.1.4.6324, ...) NOT-FOR-US: TippingPoint IPS CVE-2006-0361 (Cross-site scripting (XSS) vulnerability in addcomment.php in Bit 5 Bl ...) NOT-FOR-US: Bit 5 Blog CVE-2006-0360 (MPM SIP HP-180W Wireless IP Phone WE.00.17 allows remote attackers to ...) NOT-FOR-US: MPM SIP IP Phone CVE-2006-0359 (Buffer overflow in CounterPath eyeBeam SIP Softphone allows remote att ...) NOT-FOR-US: eyeBeam SIP Softphone CVE-2006-0358 (Multiple SQL injection vulnerabilities in PowerPortal, possibly 1.1 be ...) NOT-FOR-US: PowerPortal CVE-2006-0357 (Grant Averett Cerberus FTP Server 2.32, and possibly earlier versions, ...) NOT-FOR-US: Grant Averett Cerberus FTP Server CVE-2006-0356 (Ari Pikivirta Home Ftp Server 1.0.7 allows remote attackers to cause a ...) NOT-FOR-US: Ari Pikivirta Home Ftp Server CVE-2006-0355 (Helmsman Research (aka CoolUtils) HomeFtp 1.1 allows remote attackers ...) NOT-FOR-US: Helmsman Research (aka CoolUtils) HomeFtp CVE-2006-0354 (Cisco IOS before 12.3-7-JA2 on Aironet Wireless Access Points (WAP) al ...) NOT-FOR-US: Cisco CVE-2006-0352 (The default configuration of Fluffington FLog 1.01 installs users.0.da ...) NOT-FOR-US: Fluffington FLog CVE-2006-0351 (Unspecified "critical denial-of-service vulnerability" in MyDNS before ...) {DSA-963-1} [sarge] - mydns 1.0.0-4sarge1 - mydns 1.1.0+pre-3 (medium; bug #348826) CVE-2006-0350 (Cross-site scripting (XSS) vulnerability in eggblog 2.0 allow remote a ...) NOT-FOR-US: eggblog CVE-2006-0349 (SQL injection vulnerability in eggblog 2.0 allows remote attackers to ...) NOT-FOR-US: eggblog CVE-2006-0348 (Format string vulnerability in the write_logfile function in ELOG befo ...) {DSA-967-1} - elog 2.6.1+r1642-1 (bug #349528; medium) CVE-2006-0347 (Directory traversal vulnerability in ELOG before 2.6.1 allows remote a ...) {DSA-967-1} - elog 2.6.1+r1642-1 (bug #349528; medium) CVE-2006-0346 (Cross-site scripting (XSS) vulnerability in SaralBlog 1.0 allows remot ...) NOT-FOR-US: SaralBlog CVE-2006-0345 (Multiple SQL injection vulnerabilities in SaralBlog 1.0 allow remote a ...) NOT-FOR-US: SaralBlog CVE-2006-0344 (Directory traversal vulnerability in Intervations FileCOPA FTP Server ...) NOT-FOR-US: FileCOPA FTP Server CVE-2006-0343 (Unspecified vulnerability in the Port Discovery Standard and Advanced ...) NOT-FOR-US: Hitachi JP1/NetInsight II CVE-2006-0342 (RockLiffe MailSite HTTP Mail management agent (httpma) 7.0.3.1 allows ...) NOT-FOR-US: RockLiffe MailSite CVE-2006-0341 (Cross-site scripting (XSS) vulnerability in WCONSOLE.DLL in Rockliffe ...) NOT-FOR-US: RockLiffe MailSite CVE-2006-0340 (Unspecified vulnerability in Stack Group Bidding Protocol (SGBP) suppo ...) NOT-FOR-US: Cisco CVE-2006-0339 (Buffer overflow in BitComet Client 0.60 allows remote attackers to exe ...) NOT-FOR-US: BitComet CVE-2006-0338 (Multiple F-Secure Anti-Virus products and versions for Windows and Lin ...) NOT-FOR-US: F-Secure CVE-2006-0337 (Buffer overflow in multiple F-Secure Anti-Virus products and versions ...) NOT-FOR-US: F-Secure CVE-2006-0336 (Kerio WinRoute Firewall before 6.1.4 Patch 2 allows attackers to cause ...) NOT-FOR-US: Kerio Firewall CVE-2006-0335 (Multiple unspecified vulnerabilities in Kerio WinRoute Firewall before ...) NOT-FOR-US: Kerio Firewall CVE-2006-0334 (Cross-site scripting (XSS) vulnerability in search.php in My Amazon St ...) NOT-FOR-US: My Amazon Store Manager CVE-2006-0333 (Cross-site scripting (XSS) vulnerability in ar-blog 5.2 allows remote ...) NOT-FOR-US: ar-blog CVE-2006-0332 (Pantomime in Ecartis 1.0.0 snapshot 20050909 stores e-mail attachments ...) - ecartis 1.0.0+cvs.20030911-11 (low; bug #348824) [sarge] - ecartis (No real fix available, only rare setups affected, minor exploit potential) CVE-2006-0331 (Buffer overflow in Change passwd 3.1 (chpasswd) SquirrelMail plugin al ...) NOT-FOR-US: Squirrelmail plugin CVE-2006-0330 (Cross-site scripting (XSS) vulnerability in Gallery before 1.5.2 allow ...) {DSA-1148-1} - gallery 1.5.2-1 CVE-2006-0329 (SQL injection vulnerability in HITSENSER Data Mart Server BS, BS-S, BS ...) NOT-FOR-US: HITSENSER Data Mart Server BS CVE-2006-0328 (Format string vulnerability in Tftpd32 2.81 allows remote attackers to ...) NOT-FOR-US: Tftpd32, different from the tftpd in Debian CVE-2006-0327 (TYPO3 3.7.1 allows remote attackers to obtain sensitive information vi ...) - typo3-src 4.0.2-1 (bug #364351; unimportant) NOTE: Only path disclosure CVE-2006-0326 RESERVED CVE-2006-0325 (Etomite Content Management System 0.6, and possibly earlier versions, ...) NOT-FOR-US: Etomite CMS CVE-2006-0324 (SQL injection vulnerability in WebspotBlogging 3.0 allows remote attac ...) NOT-FOR-US: WebspotBlogging CVE-2006-0323 (Buffer overflow in swfformat.dll in multiple RealNetworks products and ...) NOT-FOR-US: Real Player (initial advisory claimed Helix affected, which is incorrect CVE-2006-0322 (Unspecified vulnerability the edit comment formatting functionality in ...) - mediawiki 1.4.15-1 (low) CVE-2005-4666 (Cross-site scripting (XSS) vulnerability in PHlyMail before 3.3 Beta1 ...) NOT-FOR-US: PHlyMail CVE-2006-0353 (unix_random.c in lshd for lsh 2.0.1 leaks file descriptors related to ...) {DSA-956-1} - lsh-utils 2.0.1cdbs-4 (low; bug #349303) NOTE: woody seems to be vulnerable as well (looking at the source code). CVE-2006-0283 (Unspecified vulnerability in Oracle Database Server 10.1.0.4.2, Applic ...) NOT-FOR-US: Oracle CVE-2006-0321 (fetchmail 6.3.0 and other versions before 6.3.2 allows remote attacker ...) - fetchmail 6.3.2-1 (bug #348747; low) [sarge] - fetchmail (regression in fetchmail 6.3.0 and 6.3.1) [woody] - fetchmail (regression in fetchmail 6.3.0 and 6.3.1) CVE-2006-0320 (SQL injection vulnerability in admin/processlogin.php in Bit 5 Blog 8. ...) NOT-FOR-US: Bit 5 Blog CVE-2006-0319 (Directory traversal vulnerability in the FTP server (port 22003/tcp) i ...) NOT-FOR-US: Farmers WIFE CVE-2006-0318 (SQL injection vulnerability in index.php in BlogPHP 1.0, when magic_qu ...) NOT-FOR-US: BlogPHP CVE-2006-0317 (Cross-site scripting (XSS) vulnerability in rkrt_stats.php in RedKerne ...) NOT-FOR-US: RedKernel Referrer Tracker CVE-2006-0316 (Buffer overflow in YGPPicFinder.DLL in AOL You've Got Pictures (YGP) P ...) NOT-FOR-US: AOL You've Got Pictures (YGP) Picture Finder Tool ActiveX Control CVE-2006-0315 (index.php in EZDatabase before 2.1.2 does not properly cleanse the p p ...) NOT-FOR-US: EZDatabase CVE-2006-0314 (PDFdirectory before 1.0 stores sensitive data in plaintext, which allo ...) NOT-FOR-US: PDFdirectory CVE-2006-0313 (Multiple SQL injection vulnerabilities in PDFdirectory before 1.0 allo ...) NOT-FOR-US: PDFdirectory CVE-2006-0312 (create.php in aoblogger 2.3 allows remote attackers to bypass authenti ...) NOT-FOR-US: aoblogger CVE-2006-0311 (SQL injection vulnerability in login.php in aoblogger 2.3 allows remot ...) NOT-FOR-US: aoblogger CVE-2006-0310 (Cross-site scripting (XSS) vulnerability in aoblogger 2.3 allows remot ...) NOT-FOR-US: aoblogger CVE-2006-0309 (Linksys BEFVP41 VPN Router 2.0 with firmware 1.01.04 allows remote att ...) NOT-FOR-US: Linksys hardware issue CVE-2006-0308 (PHP remote file inclusion vulnerability in htmltonuke.php in the htmlt ...) NOT-FOR-US: HTMLtoNuke CVE-2006-0307 (The DM Primer in the DM Deployment Common Component in Computer Associ ...) NOT-FOR-US: CA BrightStor products CVE-2006-0306 (The DM Primer (dmprimer.exe) in the DM Deployment Common Component in ...) NOT-FOR-US: CA BrightStor products CVE-2006-0305 (Clipcomm CPW-100E VoIP 802.11b Wireless Handset Phone running firmware ...) NOT-FOR-US: Clipcomm hardware CVE-2006-0304 (Buffer overflow in Dual DHCP DNS Server 1.0 allows remote attackers to ...) NOT-FOR-US: dual dns server CVE-2006-0303 (Multiple unspecified vulnerabilities in the (1) publishing component, ...) NOT-FOR-US: Joomla! CVE-2006-0302 (ZyXel P2000W VoIP 802.11b Wireless Phone running firmware WV.00.02 all ...) NOT-FOR-US: ZyXel hardware CVE-2006-0301 (Heap-based buffer overflow in Splash.cc in xpdf, as used in other prod ...) {DSA-1019-1 DSA-998-1 DSA-984-1 DSA-983-1 DSA-982-1 DSA-979-1 DSA-974-1 DSA-972-1 DSA-971-1} - poppler 0.4.5-1 (medium) - tetex-bin 3.0-12 (medium) [sarge] - tetex-bin (tetex2 uses an older version, which is not affected) - kdegraphics 4:3.5.1-2 (medium) - gpdf 2.10.0-3 (medium) - xpdf 3.01-6 (bug #350785; bug #350783; medium) - koffice 1.5.0-1 (medium) - libextractor 0.5.10-1 (medium) - pdfkit.framework 0.8-4 (medium) - swftools (splash/ is not included, therefore no vulnerable code) CVE-2006-0300 (Buffer overflow in tar 1.14 through 1.15.90 allows user-assisted attac ...) {DSA-987-1} - tar 1.15.1-3 (bug #354091; high) - dpkg (has completely different tar implementation) [woody] - tar CVE-2006-0299 (The E4X implementation in Mozilla Firefox before 1.5.0.1, Thunderbird ...) [sarge] - mozilla-firefox (Only Firefox 1.5 is affected) - mozilla (E4X not implemented in Mozilla 1.7) - firefox 1.5.dfsg+1.5.0.1-1 (bug #351442) [sarge] - mozilla-thunderbird (Only 1.5 is affected) - thunderbird 1.5.0.2-1 CVE-2006-0298 (The XML parser in Mozilla Firefox before 1.5.0.1 and SeaMonkey before ...) [sarge] - mozilla-firefox (Only Firefox 1.5 is affected) - mozilla (Mozilla 1.7 is not affected) - firefox 1.5.dfsg+1.5.0.1-1 (bug #351442) [sarge] - mozilla-thunderbird (Only 1.5 is affected) - thunderbird 1.5.0.2-1 CVE-2006-0297 (Multiple integer overflows in Mozilla Firefox 1.5, Thunderbird 1.5 if ...) [sarge] - mozilla-firefox (Only Firefox 1.5 is affected) - mozilla (Mozilla 1.7 is not affected) - firefox 1.5.dfsg+1.5.0.1-1 (bug #351442) [sarge] - mozilla-thunderbird (Only 1.5 is affected) - thunderbird 1.5.0.2-1 - xulrunner 1.8.0.1-9 CVE-2006-0296 (The XULDocument.persist function in Mozilla, Firefox before 1.5.0.1, a ...) {DSA-1051-1 DSA-1046-1 DSA-1044-1} - firefox 1.5.dfsg+1.5.0.1-1 (bug #351442) - mozilla 2:1.7.13-0.1 - thunderbird 1.5.0.2-1 CVE-2006-0295 (Mozilla Firefox 1.5, Thunderbird 1.5 if Javascript is enabled in mail, ...) - firefox 1.5.dfsg+1.5.0.1-1 (bug #351442) [sarge] - mozilla-firefox [sarge] - mozilla-thunderbird (Only 1.5 is affected) - thunderbird 1.5.0.2-1 CVE-2006-0294 (Mozilla Firefox before 1.5.0.1, Thunderbird 1.5 if running Javascript ...) - firefox 1.5.dfsg+1.5.0.1-1 (bug #351442) [sarge] - mozilla-firefox (Only Firefox 1.5 is affected) [sarge] - mozilla-thunderbird (Only 1.5 is affected) - mozilla-thunderbird - thunderbird 1.5.0.2-1 CVE-2006-0293 (The function allocation code (js_NewFunction in jsfun.c) in Firefox 1. ...) {DSA-1051-1 DSA-1046-1} - firefox 1.5.dfsg+1.5.0.1-1 (bug #351442) [sarge] - mozilla-firefox (Only Firefox 1.5 is affected) [sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.8 - mozilla 2:1.7.13-0.1 CVE-2006-0292 (The Javascript interpreter (jsinterp.c) in Mozilla and Firefox before ...) {DSA-1051-1 DSA-1046-1 DSA-1044-1} - firefox 1.5.dfsg+1.5.0.1-1 (bug #351442) [sarge] - mozilla-firefox 1.0.4-2sarge6 [sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.8 - thunderbird 1.5.0.2-1 - mozilla 2:1.7.13-0.1 CVE-2006-0291 (Multiple unspecified vulnerabilities in Oracle Database Server 10.2.0. ...) NOT-FOR-US: Oracle CVE-2006-0290 (Unspecified vulnerability in Oracle Database Server 9.2.0.7, Applicati ...) NOT-FOR-US: Oracle CVE-2006-0289 (Multiple unspecified vulnerabilities in Oracle Application Server 6.0. ...) NOT-FOR-US: Oracle CVE-2006-0288 (Multiple unspecified vulnerabilities in the Oracle Reports Developer c ...) NOT-FOR-US: Oracle CVE-2006-0287 (Unspecified vulnerability in the Oracle HTTP Server component of Oracl ...) NOT-FOR-US: Oracle CVE-2006-0286 (Unspecified vulnerability in the Oracle HTTP Server component of Oracl ...) NOT-FOR-US: Oracle CVE-2006-0285 (Unspecified vulnerability in the Java Net component of Oracle Database ...) NOT-FOR-US: Oracle CVE-2006-0284 (Multiple unspecified vulnerabilities in Oracle Application Server 9.0. ...) NOT-FOR-US: Oracle CVE-2006-0282 (Unspecified vulnerability in Oracle Database Server 8.1.7.4, 9.0.1.5, ...) NOT-FOR-US: Oracle CVE-2006-0281 (Unspecified vulnerability in Oracle JD Edwards HTML Server 8.95.F1 SP2 ...) NOT-FOR-US: Oracle CVE-2006-0280 (Unspecified vulnerability in Oracle PeopleSoft Enterprise Portal 8.4 B ...) NOT-FOR-US: Oracle CVE-2006-0279 (Multiple unspecified vulnerabilities in Oracle E-Business Suite and Ap ...) NOT-FOR-US: Oracle CVE-2006-0278 (Multiple unspecified vulnerabilities in Oracle E-Business Suite and Ap ...) NOT-FOR-US: Oracle CVE-2006-0277 (Multiple unspecified vulnerabilities in Oracle E-Business Suite and Ap ...) NOT-FOR-US: Oracle CVE-2006-0276 (Multiple unspecified vulnerabilities in Oracle Collaboration Suite Rel ...) NOT-FOR-US: Oracle CVE-2006-0275 (Unspecified vulnerability in the Oracle Reports Developer component of ...) NOT-FOR-US: Oracle CVE-2006-0274 (Unspecified vulnerability in the Oracle Reports Developer component of ...) NOT-FOR-US: Oracle CVE-2006-0273 (Unspecified vulnerability in the Portal component of Oracle Applicatio ...) NOT-FOR-US: Oracle CVE-2006-0272 (Unspecified vulnerability in the XML Database component of Oracle Data ...) NOT-FOR-US: Oracle CVE-2006-0271 (Unspecified vulnerability in the Upgrade & Downgrade component of ...) NOT-FOR-US: Oracle CVE-2006-0270 (Unspecified vulnerability in the Transparent Data Encryption (TDE) Wal ...) NOT-FOR-US: Oracle CVE-2006-0269 (Unspecified vulnerability in the Streams Capture component of Oracle D ...) NOT-FOR-US: Oracle CVE-2006-0268 (Unspecified vulnerability in the Security component of Oracle Database ...) NOT-FOR-US: Oracle CVE-2006-0267 (Unspecified vulnerability in the Query Optimizer component of Oracle D ...) NOT-FOR-US: Oracle CVE-2006-0266 (Unspecified vulnerability in the Query Optimizer component of Oracle D ...) NOT-FOR-US: Oracle CVE-2006-0265 (Multiple unspecified vulnerabilities in Oracle Database server 8.1.7.4 ...) NOT-FOR-US: Oracle CVE-2006-0264 REJECTED CVE-2006-0263 (Multiple unspecified vulnerabilities in Oracle Database server 8.1.7.4 ...) NOT-FOR-US: Oracle CVE-2006-0262 (Unspecified vulnerability in the Net Foundation Layer component of Ora ...) NOT-FOR-US: Oracle CVE-2006-0261 (Multiple unspecified vulnerabilities in Oracle Database server 8.1.7.4 ...) NOT-FOR-US: Oracle CVE-2006-0260 (Multiple unspecified vulnerabilities in Oracle Database server 9.2.0.7 ...) NOT-FOR-US: Oracle CVE-2006-0259 (Multiple unspecified vulnerabilities in Oracle Database server 10.1.0. ...) NOT-FOR-US: Oracle CVE-2006-0258 (Unspecified vulnerability in the Connection Manager component of Oracl ...) NOT-FOR-US: Oracle CVE-2006-0257 (Unspecified vulnerability in the Change Data Capture component of Orac ...) NOT-FOR-US: Oracle CVE-2006-0256 (Unspecified vulnerability in the Advanced Queuing component of Oracle ...) NOT-FOR-US: Oracle CVE-2006-0255 (Unquoted Windows search path vulnerability in Check Point VPN-1 Secure ...) NOT-FOR-US: Check Point VPN CVE-2006-0254 (Multiple cross-site scripting (XSS) vulnerabilities in Apache Geronimo ...) - geronimo (bug #481869) CVE-2006-0253 (Buffer overflow in the Bluetooth OBEX Object Push service in "Blue Nei ...) NOT-FOR-US: AmbiCom Blue Neighbors CVE-2006-0252 (SQL injection vulnerability in Benders Calendar 1.0 allows remote atta ...) NOT-FOR-US: Benders Calendar CVE-2006-0251 (Cross-site scripting (XSS) vulnerability in fom.cgi in Faq-O-Matic 2.7 ...) - faqomatic 2.712-3 CVE-2006-0250 (Format string vulnerability in the snmp_input function in snmptrapd in ...) NOT-FOR-US: cmu-snmp-linux fork from CMU SNMP NOTE: This bug is present in a fork, not in the mainline NOTE: CMU-SNMP/UCD-SNMP/NET-SNMP versions. CVE-2006-0249 (SQL injection vulnerability in viewcat.php in BitDamaged geoBlog MOD_1 ...) NOT-FOR-US: geoBlog CVE-2006-0248 (Virata-EmWeb web server 6_1_0, as used in (1) Intracom JetSpeed 500 an ...) NOT-FOR-US: Virata-EmWeb web server CVE-2006-0247 (Cross-site scripting (XSS) vulnerability in anyboard.cgi in Netbula An ...) NOT-FOR-US: Anyboard CVE-2006-0246 (Cross-site scripting (XSS) vulnerability in down.pl in Widexl Download ...) NOT-FOR-US: Widexl Download Tracker CVE-2006-0245 (Multiple cross-site scripting (XSS) vulnerabilities in CubeCart 3.0.7- ...) NOT-FOR-US: CubeCart CVE-2006-0244 (** DISPUTED ** Directory traversal vulnerability in workspaces.php in ...) NOT-FOR-US: phpXplorer CVE-2006-0243 (Cross-site scripting (XSS) vulnerability in SMBCMS 2.1 allows remote a ...) NOT-FOR-US: SMBCMS CVE-2006-0242 (Cross-site scripting vulnerability in index.php in PHP Fusebox 4.0.6 a ...) NOT-FOR-US: PHP Fusebox CVE-2006-0241 (Cross-site scripting vulnerability in WBNews 1.1.0 and earlier allows ...) NOT-FOR-US: WBNews CVE-2006-0240 (Multiple SQL injection vulnerabilities in Simple Blog 2.1 allow remote ...) NOT-FOR-US: Simple Blog CVE-2006-0239 (Multiple cross-site scripting (XSS) vulnerabilities in Simple Blog 2.1 ...) NOT-FOR-US: Simple Blog CVE-2006-0238 (SQL injection vulnerability in wp-stats.php in GaMerZ WP-Stats 2.0 all ...) NOT-FOR-US: GaMerZ WP-Stats CVE-2006-0237 (Cross-site scripting (XSS) vulnerability in index.php in GTP iCommerce ...) NOT-FOR-US: GTP iCommerce CVE-2006-0236 (GUI display truncation vulnerability in Mozilla Thunderbird 1.0.2, 1.0 ...) [sarge] - mozilla-thunderbird (Mozilla products from Sarge no longer supported) CVE-2006-0235 (SQL injection vulnerability in WhiteAlbum 2.5 allows remote attackers ...) NOT-FOR-US: WhiteAlbum CVE-2006-0234 (SQL injection vulnerability in index.php in microBlog 2.0 RC-10 allows ...) NOT-FOR-US: microBlog CVE-2006-0233 (Cross-site scripting (XSS) vulnerability in functions.php in microBlog ...) NOT-FOR-US: microBlog CVE-2006-0232 (Symantec Scan Engine 5.0.0.24, and possibly other versions before 5.1. ...) NOT-FOR-US: Symantec Scan Engine CVE-2006-0231 (Symantec Scan Engine 5.0.0.24, and possibly other versions before 5.1. ...) NOT-FOR-US: Symantec Scan Engine CVE-2006-0230 (Symantec Scan Engine 5.0.0.24, and possibly other versions before 5.1. ...) NOT-FOR-US: Symantec Scan Engine CVE-2006-0229 (Unquoted Windows search path vulnerability in Wehntrust might allow lo ...) NOT-FOR-US: Wehntrust CVE-2006-0228 (The RBAC functionality in grsecurity before 2.1.8 does not properly ha ...) - kernel-patch-grsecurity2 2.1.8-1 (bug #349246; medium) - kernel-patch-2.4-grsecurity (bug #349247; medium) CVE-2006-0227 (Multiple unspecified vulnerabilities in lpsched in Sun Solaris 8, 9, a ...) NOT-FOR-US: lpsched in Sun Solaris CVE-2006-0226 (Integer overflow in IEEE 802.11 network subsystem (ieee80211_ioctl.c) ...) NOT-FOR-US: freebsd kernel CVE-2006-0225 (scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands vi ...) - openssh 1:4.3p2-1 (low; bug #349645; bug #352254) [sarge] - openssh (Protocol flaws inherited from rcp) - dropbear 0.48-1 (unimportant) NOTE: dropbear doesn't include scp in binary package CVE-2006-0224 (Buffer overflow in Library of Assorted Spiffy Things (LibAST) 0.6.1 an ...) {DSA-976-1} - libast 0.7-1 CVE-2005-4665 (Cross-site scripting (XSS) vulnerability in PunBB 1.2.6 and earlier al ...) NOT-FOR-US: PunBB CVE-2006-0223 (Directory traversal vulnerability in Shanghai TopCMM 123 Flash Chat Se ...) NOT-FOR-US: TopCMM CVE-2006-0222 (Cross-site scripting (XSS) vulnerability in fullview.php in AlstraSoft ...) NOT-FOR-US: AlstraSoft Template Seller Pro CVE-2006-0221 (SQL injection vulnerability in index.asp in the Admin Panel in Dragon ...) NOT-FOR-US: Dragon Design Services Network (DDSN) CVE-2006-0220 (Multiple cross-site scripting (XSS) vulnerabilities in DCP-Portal 5.3 ...) NOT-FOR-US: DCP-Portal CVE-2006-0219 (The original distribution of MyBulletinBoard (MyBB) to update from old ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-0218 (Multiple unspecified vulnerabilities in MyBulletinBoard (MyBB) before ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2006-0217 (Multiple cross-site scripting (XSS) vulnerabilities in Ultimate Auctio ...) NOT-FOR-US: Ultimate Auction CVE-2006-0216 (admin.php in QualityEBiz Quality PPC (QPPC) 1.0 build 1644 allows remo ...) NOT-FOR-US: QualityEBiz Quality PPC CVE-2006-0215 (Cross-site scripting (XSS) vulnerability in admin.php in QualityEBiz Q ...) NOT-FOR-US: QualityEBiz Quality PPC CVE-2006-0214 (Eval injection vulnerability in ezDatabase 2.0 and earlier allows remo ...) NOT-FOR-US: ezDatabase CVE-2006-0213 (Kolab Server 2.0.1, 2.0.2 and development versions pre-2.1-20051215 an ...) NOT-FOR-US: Kolab Server NOTE: libkolab-perl are extensions for this server, but server does not seem to be in debian CVE-2006-0212 (Directory traversal vulnerability in OBEX Push services in Toshiba Blu ...) NOT-FOR-US: Toshiba Bluetooth Stack CVE-2006-0211 (Cross-site scripting (XSS) vulnerability in forgotPassword.asp in Helm ...) NOT-FOR-US: Helm Hosting Control Panel CVE-2006-0210 (Cross-site scripting (XSS) vulnerability in index.php in Interspire Tr ...) NOT-FOR-US: Interspire TrackPoint NX CVE-2006-0209 (SQL injection vulnerability in general_functions.php in TankLogger 2.4 ...) NOT-FOR-US: TankLogger CVE-2006-0208 (Multiple cross-site scripting (XSS) vulnerabilities in PHP 4.4.1 and 5 ...) - php5 5.1.2-1 - php4 4:4.4.2-1 (bug #354682; low) [sarge] - php4 (html_errors shouldn't be used) CVE-2006-0207 (Multiple HTTP response splitting vulnerabilities in PHP 5.1.1 allow re ...) {DSA-1331-1} - php5 5.1.2-1 (bug #347894) - php4 4:4.4.2-1 (bug #354683) CVE-2006-0206 (Eval injection vulnerability in Light Weight Calendar (LWC) 1.0 (20040 ...) NOT-FOR-US: Light Weight Calendar CVE-2006-0205 (Multiple SQL injection vulnerabilities in Wordcircle 2.17 allow remote ...) NOT-FOR-US: Wordcircle CVE-2006-0204 (Multiple cross-site scripting (XSS) vulnerabilities in Wordcircle 2.17 ...) NOT-FOR-US: Wordcircle CVE-2006-0203 (membership.asp in Mini-Nuke CMS System 1.8.2 and earlier does not veri ...) NOT-FOR-US: Mini-Nuke CVE-2006-0202 (Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP Tool ...) NOT-FOR-US: PayPal Web Services CVE-2006-0201 (Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP Tool ...) NOT-FOR-US: PayPal Web Services CVE-2006-0200 (Format string vulnerability in the error-reporting feature in the mysq ...) - php5 5.1.2-1 (bug #347894; unimportant) - php4 (vulnerable code was introduced in PHP5) NOTE: Not built into the binary packages CVE-2006-0199 (SQL injection vulnerability in news.asp in Mini-Nuke CMS System 1.8.2 ...) NOT-FOR-US: Mini-Nuke CVE-2006-0198 (Cross-site scripting (XSS) vulnerability in a certain module, possibly ...) NOT-FOR-US: XOOPS CVE-2006-0197 (The XClientMessageEvent struct used in certain components of X.Org 6.8 ...) NOTE: Historic X11 bug #349251 CVE-2006-0196 (Unspecified vulnerability in Serial line sniffer (aka slsnif) 0.4.4 al ...) NOT-FOR-US: slsnif CVE-2006-0195 (Interpretation conflict in the MagicHTML filter in SquirrelMail 1.4.0 ...) {DSA-988-1} - squirrelmail 2:1.4.6-1 (bug #354062) CVE-2006-0194 (Cross-site scripting (XSS) vulnerability in default.asp in FogBugz 4.0 ...) NOT-FOR-US: FogBugz CVE-2006-0193 (Cross-site scripting (XSS) vulnerability in the Hosting Control Panel ...) NOT-FOR-US: Positive Software H-Sphere CVE-2006-0192 (SQL injection vulnerability in Login_Validate.asp in ASPSurvey 1.10 al ...) NOT-FOR-US: ASPSurvey CVE-2006-0191 (Unspecified vulnerability in Sun Solaris 10 allows local users to caus ...) NOT-FOR-US: Sun Solaris CVE-2006-0190 (Unspecified vulnerability in Sun Solaris 9 and 10 for the x86 platform ...) NOT-FOR-US: Sun Solaris CVE-2006-0189 (Buffer overflow in eStara Softphone 3.0.1.14 through 3.0.1.46 allows r ...) NOT-FOR-US: eStara Softphone CVE-2006-0188 (webmail.php in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to ...) {DSA-988-1} - squirrelmail 2:1.4.6-1 (bug #354064) CVE-2005-4664 (SQL injection vulnerability in OcoMon 1.21, and possibly other version ...) NOT-FOR-US: OcoMon CVE-2005-4663 (Cross-site scripting (XSS) vulnerability in OcoMon 1.20, and possibly ...) NOT-FOR-US: OcoMon CVE-2005-4662 (Multiple SQL injection vulnerabilities in OcoMon 1.20, and possibly ea ...) NOT-FOR-US: OcoMon CVE-2005-4661 (The notifyendsubs cron job in Campsite before 2.3.3 sends an e-mail me ...) NOT-FOR-US: Campsite CVE-2005-4660 (Race condition in IPCop (aka IPCop Firewall) before 1.4.10 might allow ...) NOT-FOR-US: IPCop CVE-2005-4659 (IPCop (aka IPCop Firewall) before 1.4.10 has world-readable permission ...) NOT-FOR-US: IPCop CVE-2005-4658 (Multiple cross-site scripting (XSS) vulnerabilities in ASP-Programmers ...) NOT-FOR-US: ASP-Programmers.com ASPKnowledgebase CVE-2005-4657 (Ocean12 Calendar Manager Pro 1.01 allows remote attackers to bypass au ...) NOT-FOR-US: Ocean12 CVE-2005-4656 (SQL injection vulnerability in index.php in TClanPortal 1.1.3 and earl ...) NOT-FOR-US: TClanPortal CVE-2005-4655 (Cross-site scripting (XSS) vulnerability in submit.php in PHP-Fusion 6 ...) NOT-FOR-US: PHP-Fusion CVE-2005-4654 (Multiple unspecified vulnerabilities in Oracle for OpenView (OfO) 8.1. ...) NOT-FOR-US: Oracle CVE-2005-4653 (Unspecified vulnerability in ss.php in AL-Caricatier 2.5 and earlier a ...) NOT-FOR-US: AL-Caricatier CVE-2005-4652 (SQL injection vulnerability in PHlyMail 3.02.01 allows remote attacker ...) NOT-FOR-US: PHlyMail CVE-2005-4651 (SQL injection vulnerability in index.php in AlstraSoft EPay Pro 2.0 al ...) NOT-FOR-US: AlstraSoft EPay Pro CVE-2005-4650 (Joomla! 1.03 does not restrict the number of "Search" Mambots, which a ...) NOT-FOR-US: Joomla! CVE-2005-4649 (Multiple cross-site scripting (XSS) vulnerabilities in Advanced Guestb ...) NOT-FOR-US: Advanced Guestbook CVE-2005-4648 (Buffer overflow in Illustrate dBpowerAMP Music Converter 11.5 and earl ...) NOT-FOR-US: Illustrate dBpowerAMP Music Converter CVE-2003-1290 (BEA WebLogic Server and WebLogic Express 6.1, 7.0, and 8.1, with RMI a ...) NOT-FOR-US: BEA WebLogic Server CVE-2006-2443 (The Debian package of knowledgetree 2.0.7 creates environment.php with ...) - knowledgetree 2.0.7-2 (bug #348306; medium) CVE-2006-0187 (By design, Microsoft Visual Studio 2005 automatically executes code in ...) NOT-FOR-US: Microsoft CVE-2006-0186 REJECTED CVE-2006-0185 (Multiple cross-site scripting vulnerabilities in the (1) Pool or (2) N ...) NOT-FOR-US: PHP-Nuke CVE-2006-0184 (Multiple SQL injection vulnerabilities in AspTopSites allow remote att ...) NOT-FOR-US: AspTopSites CVE-2006-0183 (Direct static code injection vulnerability in edit.php in ACal Calenda ...) NOT-FOR-US: ACal Calendar Project CVE-2006-0182 (login.php in ACal Calendar Project 2.2.5 allows remote attackers to by ...) NOT-FOR-US: ACal Calendar Project CVE-2006-0181 (Cisco Security Monitoring, Analysis and Response System (CS-MARS) befo ...) NOT-FOR-US: Cisco CVE-2006-0180 (Cross-site scripting (XSS) vulnerability in CaLogic Calendars 1.2.2 al ...) NOT-FOR-US: CaLogic Calendars CVE-2006-0179 (The Cisco IP Phone 7940 allows remote attackers to cause a denial of s ...) NOT-FOR-US: Cisco CVE-2006-0178 (Format string vulnerability in /bin/ftp in UNICOS 9.0.2.2 allows local ...) NOT-FOR-US: Cray UNICOS CVE-2006-0177 (Multiple buffer overflows in Cray UNICOS 9.0.2.2 might allow local use ...) NOT-FOR-US: Cray UNICOS CVE-2006-0176 (Buffer overflow in certain functions in src/fileio.c and src/unix/file ...) - xmame 0.104-1 (medium; bug #349653) NOTE: Only xmame-svgalib is vulnerable, the xmame-x package has a debconf NOTE: question, that makes it very clear that setuid root is only for single-user NOTE: systems and xmame-sdl and xmess aren't setuid at all [sarge] - xmame (XMame is non-free software) CVE-2006-0175 (Cross-site scripting (XSS) vulnerability in search_form.asp in Web Wiz ...) NOT-FOR-US: Web Wiz Forums CVE-2006-0174 (Hummingbird Collaboration (aka Hummingbird Enterprise Collaboration) 5 ...) NOT-FOR-US: Hummingbird Collaboration CVE-2006-0173 (Hummingbird Collaboration (aka Hummingbird Enterprise Collaboration) 5 ...) NOT-FOR-US: Hummingbird Collaboration CVE-2006-0172 (Cross-site scripting (XSS) vulnerability in the file manager utility i ...) NOT-FOR-US: Hummingbird Collaboration CVE-2006-0171 (PHP remote file include vulnerability in index.php in OrjinWeb E-comme ...) NOT-FOR-US: OrjinWeb E-commerce CVE-2006-0170 REJECTED CVE-2006-0169 (addresses.php3 in MyPhPim 01.05 does not restrict uploaded files, whic ...) NOT-FOR-US: MyPhPim CVE-2006-0168 (Cross-site scripting (XSS) vulnerability in MyPhPim 01.05 allows remot ...) NOT-FOR-US: MyPhPim CVE-2006-0167 (SQL injection vulnerability in MyPhPim 01.05 allows remote attackers t ...) NOT-FOR-US: MyPhPim CVE-2006-0166 (Symantec Norton SystemWorks and SystemWorks Premier 2005 and 2006 stor ...) NOT-FOR-US: Symantec SystemWorks CVE-2006-0165 (Cross-site scripting (XSS) vulnerability in the DataForm Entries funct ...) NOT-FOR-US: WebGUI CVE-2006-0164 (phgstats.inc.php in phgstats before 0.5.1, if register_globals is enab ...) NOT-FOR-US: phgstats CVE-2006-0163 (SQL injection vulnerability in the search module (modules/Search/index ...) NOT-FOR-US: PHP-Nuke CVE-2006-0161 (Unspecified vulnerability in uucp in Sun Solaris 8 and 9 has unknown i ...) NOT-FOR-US: Solaris CVE-2005-4647 (Multiple SQL injection vulnerabilities in PEARLINGER Pearl Forums 2.4 ...) NOT-FOR-US: PEARLINGER Pearl Forums CVE-2005-4646 (Unspecified vulnerability in index.php in PEARLINGER Pearl Forums 2.4 ...) NOT-FOR-US: PEARLINGER Pearl Forums CVE-2005-4645 (SQL injection vulnerability in index.php in 3CFR allows remote attacke ...) NOT-FOR-US: 3CFR CVE-2005-4644 (Cross-site scripting (XSS) vulnerability in the HTML WikiProcessor in ...) {DSA-951-2} - trac 0.9.3-1 [sarge] - trac 0.8.1-3sarge4 (medium) CVE-2005-4643 (SQL injection vulnerability in index.php in Antharia OnContent // CMS ...) NOT-FOR-US: Antharia OnContent CVE-2005-4642 (Multiple cross-site scripting (XSS) vulnerabilities in HydroBB 1.0.0 B ...) NOT-FOR-US: HydroBB CVE-2006-0160 (SQL injection vulnerability in add_post.php3 in Venom Board 1.22 allow ...) NOT-FOR-US: Venom Board CVE-2006-0159 (SQL injection vulnerability in escribir.php in Foro Domus 2.10 allows ...) NOT-FOR-US: Foro Domus CVE-2006-0158 (SQL injection vulnerability in index.php in CyberDoc SiteSuite CMS all ...) NOT-FOR-US: CyberDoc SiteSuite CMS CVE-2006-0157 (settings.php in Reamday Enterprises Magic News Plus 1.0.3 allows remot ...) NOT-FOR-US: Reamday Enterprises Magic News Plus CVE-2006-0156 (Cross-site scripting (XSS) vulnerability in Foxrum 4.0.4f allows remot ...) NOT-FOR-US: Foxforum CVE-2006-0155 (Cross-site scripting (XSS) vulnerability in posts.php in 427BB 2.2 and ...) NOT-FOR-US: 427BB CVE-2006-0154 (SQL injection vulnerability in showthread.php in 427BB 2.2 and 2.2.1 a ...) NOT-FOR-US: 427BB CVE-2006-0153 (427BB 2.2 and 2.2.1 verifies authentication credentials based on the u ...) NOT-FOR-US: 427BB CVE-2006-0152 (Cross-site scripting (XSS) in search_result.php in phpChamber 1.2 and ...) NOT-FOR-US: phpChamber CVE-2006-0151 (sudo 1.6.8 and other versions does not clear the PYTHONINSPECT environ ...) {DSA-946-2} - sudo 1.6.8p12-1 (medium) NOTE: The whole black list approach is flawed, for the DSA we'll switch to NOTE: a white list approach of known to be safe env vars. CVE-2006-0150 (Multiple format string vulnerabilities in the auth_ldap_log_reason fun ...) {DSA-952-1} - libapache-auth-ldap (bug #347416) CVE-2006-0149 (Cross-site scripting (XSS) vulnerability in SimpBook 1.0, with html_en ...) NOT-FOR-US: SimpBook CVE-2006-0148 (NetSarang Xlpd 2.1 allows remote attackers to cause a denial of servic ...) NOT-FOR-US: NetSarang Xlpd CVE-2006-0147 (Dynamic code evaluation vulnerability in tests/tmssql.php test script ...) {DSA-1031-1 DSA-1030-1 DSA-1029-1} - libphp-adodb 4.72-0.1 (medium; bug #349985) - cacti 0.8.6d-1 (medium) - moodle 1.6.3-2 (medium) NOTE: exact moodle fixed version not known, but at least <= 1.6.3-2 CVE-2006-0146 (The server.php test script in ADOdb for PHP before 4.70, as used in mu ...) {DSA-1031-1 DSA-1030-1 DSA-1029-1} - libphp-adodb 4.72-0.1 (medium; bug #349985) - cacti 0.8.6d-1 (medium) - moodle 1.6.3-2 (medium) NOTE: exact moodle fixed version not known, but at least <= 1.6.3-2 CVE-2006-0145 (The kernfs_xread function in kernfs in NetBSD 1.6 through 2.1, and Ope ...) NOT-FOR-US: NetBSD CVE-2006-0144 (The proxy server feature in go-pear.php in PHP PEAR 0.2.2, as used in ...) NOT-FOR-US: Neither php-pear nor php4-pear ship this file CVE-2006-0143 (Microsoft Windows Graphics Rendering Engine (GRE) allows remote attack ...) NOT-FOR-US: Windows CVE-2006-0142 (Cross-site scripting (XSS) vulnerability in andromeda.php in Andromeda ...) NOT-FOR-US: Andromeda CVE-2006-0141 (Qualcomm Eudora Internet Mail Server (EIMS) before 3.2.8 allows remote ...) NOT-FOR-US: Eudora CVE-2006-0140 (Cross-site scripting (XSS) vulnerability in post.php in NavBoard V16 S ...) NOT-FOR-US: Navboard CVE-2006-0139 (The send-private-message functionality (send-private-message.asp) in P ...) NOT-FOR-US: PD9 Software MegaBBS CVE-2005-4641 (SQL injection vulnerability in home.php in eazyCMS 2.0 allows remote a ...) NOT-FOR-US: eazyCMS CVE-2005-4640 (SQL injection vulnerability in index.php in class-1 Poll Software 0.4 ...) NOT-FOR-US: class-1 Poll CVE-2005-4639 (Buffer overflow in the CA-driver (dst_ca.c) for TwinHan DST Frontend/C ...) - linux-2.6 2.6.15-1 (low) CVE-2005-4638 (index.php in Kayako SupportSuite 3.00.26 and earlier allow remote atta ...) NOT-FOR-US: Kayako SupportSuite CVE-2005-4637 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Ka ...) NOT-FOR-US: Kayako SupportSuite CVE-2005-4636 (OpenOffice.org 2.0 and earlier, when hyperlinks has been disabled, doe ...) - openoffice.org (unimportant) NOTE: This is a non-issue IMO (neilm). OOo just launches a web browser. NOTE: If the admin doesn't web browsing, why is one installed/enabled? CVE-2004-2653 (Unspecified vulnerability in PD9 Software MegaBBS 2.0 and 2.1 allows a ...) NOT-FOR-US: PD9 Software MegaBBS CVE-2006-0162 (Heap-based buffer overflow in libclamav/upx.c in Clam Antivirus (ClamA ...) {DSA-947-1} - clamav 0.88-1 CVE-2006-0138 (aMSN (aka Alvaro's Messenger) allows remote attackers to cause a denia ...) - amsn 0.98.9-1 (low; bug #557754) [squeeze] - amsn (minor issue) [etch] - amsn (minor issue) [lenny] - amsn (minor issue) CVE-2006-0137 (SQL injection vulnerability in linkcategory.php in Phanatic Softwares ...) NOT-FOR-US: Phanatic Softwares Chimera Web Portal System CVE-2006-0136 (Multiple cross-site scripting (XSS) vulnerabilities in the guestbook m ...) NOT-FOR-US: Phanatic Softwares Chimera Web Portal System CVE-2006-0135 (SQL injection vulnerability in login.php in TheWebForum (twf) 1.2.1 al ...) NOT-FOR-US: TheWebForum CVE-2006-0134 (Cross-site scripting (XSS) vulnerability in register.php in TheWebForu ...) NOT-FOR-US: TheWebForum CVE-2006-0133 (Multiple directory traversal vulnerabilities in AIX 5.3 ML03 allow loc ...) NOT-FOR-US: AIX CVE-2006-0132 (Directory traversal vulnerability in webftp.php in SysCP WebFTP 1.2.6 ...) NOT-FOR-US: SysCP WebFTP CVE-2006-0131 (boastMachine 3.1 allows remote attackers to obtain sensitive informati ...) NOT-FOR-US: boastMachine CVE-2006-0130 (Mail Management Agent (MAILMA) (aka Mail Management Server) in Rocklif ...) NOT-FOR-US: Mail Management Agent CVE-2006-0129 (Mail Management Agent (MAILMA) (aka Mail Management Server) in Rocklif ...) NOT-FOR-US: Mail Management Agent CVE-2006-0128 (Buffer overflow in the IMAP service of Rockliffe MailSite before 6.1.2 ...) NOT-FOR-US: Rockliffe MailSite CVE-2006-0127 (Directory traversal vulnerability in the IMAP service of Rockliffe Mai ...) NOT-FOR-US: Rockliffe MailSite CVE-2006-0126 (rxvt-unicode before 6.3, on certain platforms that use openpty and non ...) - rxvt-unicode 6.3-1 [sarge] - rxvt-unicode (rxvt-unicode author disagrees with CVE, GNU/Linux not affected - see 6.3 entry in http://dist.schmorp.de/rxvt-unicode/Changes) [woody] - rxvt-unicode (rxvt-unicode author disagrees with CVE, GNU/Linux not affected - see 6.3 entry in http://dist.schmorp.de/rxvt-unicode/Changes) CVE-2006-0125 (Unspecified vulnerability in appserv/main.php in AppServ 2.4.5 allows ...) NOT-FOR-US: AppServ CVE-2006-0124 (Cross-site scripting (XSS) vulnerability in crear.php in ADN Forum 1.0 ...) NOT-FOR-US: ADN Forum CVE-2006-0123 (Multiple SQL injection vulnerabilities in ADN Forum 1.0b allow remote ...) NOT-FOR-US: ADN Forum CVE-2006-0122 (Cross-site scripting (XSS) vulnerability in Public/Index.asp in Aquife ...) NOT-FOR-US: Aquifer CMS CVE-2006-0121 (Multiple memory leaks in IBM Lotus Notes and Domino Server before 6.5. ...) NOT-FOR-US: Notes/Domino CVE-2006-0120 (Multiple unspecified vulnerabilities in IBM Lotus Notes and Domino Ser ...) NOT-FOR-US: Notes/Domino CVE-2006-0119 (Multiple unspecified vulnerabilities in IBM Lotus Notes and Domino Ser ...) NOT-FOR-US: Notes/Domino CVE-2006-0118 (Unspecified vulnerability in IBM Lotus Notes and Domino Server before ...) NOT-FOR-US: Notes/Domino CVE-2006-0117 (Buffer overflow in IBM Lotus Notes and Domino Server before 6.5.5 allo ...) NOT-FOR-US: Notes/Domino CVE-2006-0116 (Cross-site scripting vulnerability search.inetstore in iNETstore Ebusi ...) NOT-FOR-US: iNETstore Ebusiness Software CVE-2006-0115 (Multiple SQL injection vulnerabilities in OnePlug Solutions OnePlug CM ...) NOT-FOR-US: OnePlug Solutions OnePlug CMS CVE-2006-0114 (The vCard functions in Joomla! 1.0.5 use predictable sequential IDs fo ...) NOT-FOR-US: Joomla! CVE-2006-0113 (Enhanced Simple PHP Gallery 1.7 allows remote attackers to obtain the ...) NOT-FOR-US: Enhanced Simple PHP Gallery CVE-2006-0112 (Cross-site scripting (XSS) vulnerability in index.php in Enhanced Simp ...) NOT-FOR-US: Enhanced Simple PHP Gallery CVE-2006-0111 (Cross-site scripting vulnerability in index.php in Boxcar Media Shoppi ...) NOT-FOR-US: Boxcar Media Shopping Cart CVE-2006-0110 (Cross-site scripting (XSS) vulnerability in escribir.php in Foro Domus ...) NOT-FOR-US: Foro Domus CVE-2006-0109 (Cross-site scripting vulnerability in category.php in Modular Merchant ...) NOT-FOR-US: Modular Merchant Shopping Cart CVE-2006-0108 (SQL injection vulnerability in mcl_login.asp in Timecan CMS allows rem ...) NOT-FOR-US: Timecan CMS CVE-2006-0107 (SQL injection vulnerability in Timecan CMS allows remote attackers to ...) NOT-FOR-US: Timecan CMS CVE-2006-0105 (PostgreSQL 8.0.x before 8.0.6 and 8.1.x before 8.1.2, when running on ...) NOT-FOR-US: PostgreSQL on Windows CVE-2006-0104 (Directory traversal vulnerability in TinyPHPForum 3.6 and earlier allo ...) NOT-FOR-US: TinyPHPForum CVE-2006-0103 (TinyPHPForum 3.6 and earlier stores the (1) users/[USERNAME].hash and ...) NOT-FOR-US: TinyPHPForum CVE-2006-0102 (Cross-site scripting (XSS) vulnerability in TinyPHPForum (TPF) 3.6 and ...) NOT-FOR-US: TinyPHPForum CVE-2006-0101 (Multiple cross-site scripting (XSS) vulnerabilities in sBLOG 0.7.1 Bet ...) NOT-FOR-US: sBLOG CVE-2006-0100 (Buffer overflow in NicoFTP 3.0.1.19 and earlier might allow local user ...) NOT-FOR-US: NicoFTP CVE-2006-0099 (PHP remote file include vulnerability in (1) include/templates/categor ...) NOT-FOR-US: Valdersoft Shopping Cart CVE-2006-0098 (The dupfdopen function in sys/kern/kern_descrip.c in OpenBSD 3.7 and 3 ...) NOT-FOR-US: OpenBSD CVE-2006-0097 (Stack-based buffer overflow in the create_named_pipe function in libmy ...) - php4 (Windows specific) - php5 (Windows specific) CVE-2006-0096 (wan/sdla.c in Linux kernel 2.6.x before 2.6.11 and 2.4.x before 2.4.29 ...) {DSA-1017-1} - linux-2.6 (Fixed before upload into archive; 2.6.11) - kernel-source-2.4.27 2.4.27-8 CVE-2006-0095 (dm-crypt in Linux kernel 2.6.15 and earlier does not clear a structure ...) {DSA-1017-1} - linux-2.6 2.6.16-1 - kernel-source-2.4.27 (2.4 doesn't have dm-crypt) CVE-2006-0094 (PHP remote file include vulnerability in forum.php in oaBoard 1.0 allo ...) NOT-FOR-US: oaBoard CVE-2006-0093 (Cross-site scripting (XSS) vulnerability in index.php in @Card ME PHP ...) NOT-FOR-US: @Card ME PHP CVE-2006-0092 REJECTED CVE-2006-0091 (Cross-site scripting (XSS) vulnerability in webmail in Open-Xchange 0. ...) NOT-FOR-US: Open-Xchange CVE-2006-0090 (Directory traversal vulnerability in index.php in IDV Directory Viewer ...) NOT-FOR-US: IDV Directory Viewer CVE-2006-0089 (Buffer overflow in ESRI ArcPad 7.0.0.156 allows remote attackers to ca ...) NOT-FOR-US: ESRI ArcPad CVE-2006-0088 (SQL injection vulnerability in intouch.lib.php in inTouch 0.5.1 Alpha ...) NOT-FOR-US: inTouch CVE-2006-0087 (SQL injection vulnerability in (1) pages.php and (2) detail.php in Liz ...) NOT-FOR-US: Lizard Cart CVE-2006-0086 (Cross-site scripting vulnerability in index.php in Next Generation Ima ...) NOT-FOR-US: Next Generation Image Gallery CVE-2006-0085 (SQL injection vulnerability in Nkads 1.0 alfa 3 allows remote attacker ...) NOT-FOR-US: Nkads CVE-2006-0084 (Cross-site scripting vulnerability in index.php in raSMP 2.0.0 and ear ...) NOT-FOR-US: raSMP CVE-2005-4635 (The nl_fib_input function in fib_frontend.c in the Linux kernel before ...) NOTE: Unclear, whether this is really exploitable, re-pinged Dann and Horms CVE-2005-4634 (SQL injection vulnerability in index.php in ActiveCampaign SupportTrio ...) NOT-FOR-US: ActiveCampaign SupportTrio CVE-2005-4633 REJECTED CVE-2005-4632 (SQL injection vulnerability in poll_frame.php in Vote! Pro 4.0 and ear ...) NOT-FOR-US: Vote!Pro CVE-2005-4631 (SQL injection vulnerability in index.php in Zina 0.12.07 and earlier a ...) NOT-FOR-US: Zina CVE-2005-4630 (SQL injection vulnerability in index.php in ClientExec 2.3 allows remo ...) NOT-FOR-US: ClientExec CVE-2005-4629 (SQL injection vulnerability in SMBCMS 2.1 allows remote attackers to e ...) NOT-FOR-US: SMBCMS CVE-2005-4628 (SQL injection vulnerability in index.php in HelpDeskPoint 2.38 and ear ...) NOT-FOR-US: HelpDeskPoint CVE-2005-4627 (Cross-site scripting (XSS) vulnerability in index.php in (1) GmailSite ...) NOT-FOR-US: GmailSite CVE-2005-4626 (The default configuration of Recruitment Software installs admin/site. ...) NOT-FOR-US: Recruitment Software CVE-2005-4625 (Drivers for certain display adapters, including (1) an unspecified ATI ...) NOT-FOR-US: Strange Windows drivers CVE-2005-4624 (The m_join function in channel.c for PTnet ircd 1.5 and 1.6 allows rem ...) NOT-FOR-US: PTnet ircd CVE-2005-4623 (upload.exe in eFileGo 3.01 allows remote attackers to cause a denial o ...) NOT-FOR-US: eFileGo CVE-2005-4622 (Directory traversal vulnerability in eFileGo 3.01 allows remote attack ...) NOT-FOR-US: eFileGo CVE-2005-4621 (Cross-site scripting (XSS) vulnerability in the editavatar page in vBu ...) NOT-FOR-US: vBulletin CVE-2005-4620 (Buffer overflow in WinRAR 3.50 and earlier allows local users to execu ...) NOT-FOR-US: WinRAR CVE-2005-4619 (SQL injection vulnerability in index.php in phpoutsourcing Zorum Forum ...) NOT-FOR-US: phpoutsourcing Zorum Forum CVE-2005-4618 (Buffer overflow in sysctl in the Linux Kernel 2.6 before 2.6.15 allows ...) {DSA-1018-1 DSA-1017-1} - linux-2.6 2.6.15-1 CVE-2006-0083 (Format string vulnerability in the logging code of SMS Server Tools (s ...) {DSA-930-2 DSA-930-1} - smstools 1.16-1.1 (bug #347221; medium) CVE-2006-0106 (gdi/driver.c and gdi/printdrv.c in Wine 20050930, and other versions, ...) {DSA-954-1 CVE-2005-4560} - wine 0.9.2-1 (bug #346197; medium) CVE-2006-0082 (Format string vulnerability in the SetImageInfo function in image.c fo ...) {DSA-1213} - imagemagick 6:6.2.4.5-0.6 (bug #345876) CVE-2005-XXXX [World-readable config file with sensitive data in b2evolution] - b2evolution 0.9.1b-4 (bug #344000) CVE-2006-0081 (ialmnt5.sys in the ialmrnt5 display driver in Intel Graphics Accelerat ...) NOT-FOR-US: Intel CVE-2006-0080 (Cross-site scripting (XSS) vulnerability in vBulletin 3.5.2, and possi ...) NOT-FOR-US: vBulletin CVE-2006-0079 (SQL injection vulnerability in auth.php in ScozNet ScozBook BETA 1.1 a ...) NOT-FOR-US: ScozNet CVE-2006-0078 (Multiple cross-site scripting (XSS) vulnerabilities in B-net Software ...) NOT-FOR-US: B-Net Software CVE-2006-0077 (Off-by-one error in the getfattr function in File::ExtAttr before 0.03 ...) NOT-FOR-US: File::ExtAttr CVE-2006-0076 (PHP remote file include vulnerability in forum.php in oaBoard 1.0 allo ...) NOT-FOR-US: oaBoard CVE-2006-0075 (Direct static code injection vulnerability in phpBook 1.3.2 and earlie ...) NOT-FOR-US: phpBook CVE-2006-0074 (SQL injection vulnerability in profile.php in PHPenpals allows remote ...) NOT-FOR-US: PHPenpals CVE-2006-0073 (Cross-site scripting (XSS) vulnerability in DiscusWare Discus Freeware ...) NOT-FOR-US: DiscusWare Discus CVE-2006-0072 (Buffer overflow in termsh on SCO OpenServer 5.0.7 allows remote attack ...) NOT-FOR-US: SCO Openserver CVE-2006-0071 (The ebuild for pinentry before 0.7.2-r2 on Gentoo Linux sets setgid bi ...) - pinentry (Gentoo-specific packaging flaw) CVE-2006-0070 - drupal (According to upstream advisory is junk, behaviour intentional) NOTE: This will probably be REJECTED anyway CVE-2006-0069 (Cross-site scripting (XSS) vulnerability in addentry.php in Chipmunk G ...) NOT-FOR-US: Chipmunk Guestbook CVE-2006-0068 (SQL injection vulnerability in Primo Cart 1.0 and earlier allows remot ...) NOT-FOR-US: Primo Cart CVE-2006-0067 (SQL injection vulnerability in login.php in VEGO Links Builder 2.00 an ...) NOT-FOR-US: VEGO Links Builder CVE-2006-0066 (SQL injection vulnerability in index.php in PHPjournaler 1.0 allows re ...) NOT-FOR-US: PHPjournaler CVE-2006-0065 (SQL injection vulnerability in (1) functions.php, (2) functions_update ...) NOT-FOR-US: VEGO Web Forum CVE-2006-0064 (PHP remote file include vulnerability in includes/orderSuccess.inc.php ...) NOT-FOR-US: CubeCart CVE-2006-0063 (Cross-site scripting (XSS) vulnerability in phpBB 2.0.19, when "Allowe ...) - phpbb2 2.0.21-1 (unimportant) [sarge] - phpbb2 (Affects only an inherently unsafe option only suitable for trusted users) NOTE: According to the maintainer only affects a config option that is strongly NOTE: discouraged due to potential security problems NOTE: (Upstream fix was in 2.0.20.) CVE-2005-4617 (SQL injection vulnerability in tickets.php in cSupport 1.0 and earlier ...) NOT-FOR-US: cSupport CVE-2005-4616 (SQL injection vulnerability in index.php in iSupport 1.06 allows remot ...) NOT-FOR-US: iSupport CVE-2005-4615 (SQL injection vulnerability in news.php in DapperDesk 3.0.1 and earlie ...) NOT-FOR-US: DapperDesk CVE-2005-4614 (Multiple SQL injection vulnerabilities in digiSHOP 3.1.17 and earlier ...) NOT-FOR-US: digiSHOP CVE-2005-4613 (Cross-site scripting (XSS) vulnerability in VUBB alpha rc1 allows remo ...) NOT-FOR-US: VUBB alpha CVE-2005-4612 (Multiple SQL injection vulnerabilities in VUBB alpha rc1 allow remote ...) NOT-FOR-US: VUBB alpha CVE-2005-4611 (SQL injection vulnerability in search.php in Free ClickBank 1.0 and ea ...) NOT-FOR-US: Free ClickBank CVE-2005-4610 (Format string vulnerability in the server for Dopewars before 1.5.12, ...) - dopewars (According to upstream Windows-specific) CVE-2005-4609 (index.php in BugPort 1.147 and earlier allows remote attackers to obta ...) NOT-FOR-US: BugPort CVE-2005-4608 (SQL injection vulnerability in index.php in BugPort 1.147 allows remot ...) NOT-FOR-US: BugPort CVE-2005-4607 (Cross-site scripting (XSS) vulnerability in index.php in BugPort 1.147 ...) NOT-FOR-US: BugPort CVE-2005-4606 (SQL injection vulnerability in check_user.asp in multiple Web Wiz prod ...) NOT-FOR-US: Web Wiz CVE-2005-4605 (The procfs code (proc_misc.c) in Linux 2.6.14.3 and other versions bef ...) {DSA-1017-1} - linux-2.6 2.6.15-1 - kernel-source-2.4.27 (2.4's proc_file_lseek contains a sanity check) CVE-2005-XXXX [xshisen follows symlinks for shared gid games files] - xshisen 1.51-1-2 (bug #291613) CVE-2006-0062 (xlockmore 5.13 allows potential xlock bypass when FVWM switches to the ...) - xlockmore 1:5.13-2.1 (bug #309760) CVE-2006-0061 (xlockmore 5.13 and 5.22 segfaults when using libpam-opensc and returns ...) - xlockmore 1:5.22-1.2 (bug #318123; bug #399003; low) [sarge] - xlockmore (Minor issue) CVE-2006-0060 RESERVED CVE-2006-0059 (Heap-based buffer overflow in the ISO Transport Service over TCP (RFC ...) NOT-FOR-US: LiveData CVE-2006-0058 (Signal handler race condition in Sendmail 8.13.x before 8.13.6 allows ...) {DSA-1015-1} - sendmail 8.13.6-1 (bug #358440; high) CVE-2006-0057 (Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers t ...) NOT-FOR-US: Windows CVE-2006-0056 (Double free vulnerability in the authentication and authentication tok ...) - pam-mysql 0.6.2-1 (bug #353589; medium) [sarge] - pam-mysql (Vulnerable code not present) CVE-2006-0055 (The ispell_op function in ee on FreeBSD 4.10 to 6.0 uses predictable f ...) - ee 1:1.4.2-5 (bug #348322) CVE-2006-0054 (The ipfw firewall in FreeBSD 6.0-RELEASE allows remote attackers to ca ...) NOT-FOR-US: FreeBSD CVE-2005-4604 (Buffer overflow in MTink in the printer-filters-utils package allows l ...) - mtink (mtink not installed SUID root) CVE-2005-4603 (Cross-site scripting (XSS) vulnerability in printthread.php in MyBB 1. ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2005-4602 (SQL injection vulnerability in inc/function_upload.php in MyBB before ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2005-4600 (Directory traversal vulnerability in tiny_mce_gzip.php in TinyMCE Comp ...) - knowledgeroot (fixed before first upload; see bug #381912) - moodle (has newer version) - wordpress 2.5.1-3 [etch] - wordpress (Vulnerable code not present) NOTE: this was possibly fixed before 2.5.1 in wordpress but since 2.5.1-3 wordpress NOTE: uses the system copy of tinymce and the exact fixed version is not NOTE: really determinably anymore CVE-2005-4599 (Cross-site scripting (XSS) vulnerability in tiny_mce_gzip.php in TinyM ...) - knowledgeroot (fixed before first upload; see bug #381912) CVE-2005-4598 (Cross-site scripting (XSS) vulnerability in home.php in OoApp Guestboo ...) NOT-FOR-US: OoApp Guestbook CVE-2005-4597 (Cross-site scripting (XSS) vulnerability in index.php in iPei Guestboo ...) NOT-FOR-US: iPei Guestbook CVE-2005-4596 (Cross-site scripting (XSS) vulnerability in read.php in AdesGuestbook ...) NOT-FOR-US: AdesGuestbook CVE-2005-4595 (Untrusted search path vulnerability (RPATH) in XnView 1.70 and NView 4 ...) NOT-FOR-US: NView and XnView, different from nview from nvi CVE-2005-4594 (Stack-based buffer overflow in TUGZip 3.4.0.0 allows remote attackers ...) NOT-FOR-US: TUGZip CVE-2005-4593 (PHP remote file inclusion vulnerability in phpDocumentor 1.3.0 rc4 and ...) NOT-FOR-US: phpDocumentor CVE-2005-4592 (Heap-based buffer overflow in bogofilter and bogolexer 0.96.2 allows r ...) - bogofilter 0.96.3 [sarge] - bogofilter (Only some 0.96 CVS versions were affected) CVE-2005-4591 (Heap-based buffer overflow in bogofilter 0.96.2, 0.95.2, 0.94.14, 0.94 ...) - bogofilter 0.96.3 [sarge] - bogofilter (Sarge version doesn't include Unicode) CVE-2005-4590 (Spb Kiosk Engine 1.0.0.1 allows local users to bypass restrictions on ...) NOT-FOR-US: Spb Kiosk Engine CVE-2005-4589 (Spb Kiosk Engine 1.0.0.1 stores the administrator's passcode in the re ...) NOT-FOR-US: Spb Kiosk Engine CVE-2005-4588 (Cross-site scripting (XSS) vulnerability in Koobi 5 allows remote atta ...) NOT-FOR-US: Koobi CVE-2005-4587 (Juniper NetScreen-Security Manager (NSM) 2004 FP2 and FP3 allow remote ...) NOT-FOR-US: Juniper CVE-2005-4586 (Multiple SQL injection vulnerabilities in PHPSurveyor before 0.991 all ...) NOT-FOR-US: PHPSurveyor CVE-2005-XXXX [snort: DoS in verbose mode] - snort 2.3.3-2 (bug #328134; low) [woody] - snort (Only exploitable in obscure setups not used in production environments, see #328134) [sarge] - snort (Only exploitable in obscure setups not used in production environments, see #328134) CVE-2005-4601 (The delegate code in ImageMagick 6.2.4.5-0.3 allows remote attackers t ...) {DSA-957-2} - imagemagick 6:6.2.4.5-0.6 (bug #345238; medium) NOTE: Exploitable through Gnus and Thunderbird. - graphicsmagick 1.1.7-1 CVE-2006-0053 (Imager (libimager-perl) before 0.50 allows user-assisted attackers to ...) {DSA-1028-1} - libimager-perl 0.50-1 (bug #359661) CVE-2006-0052 (The attachment scrubber (Scrubber.py) in Mailman 2.1.5 and earlier, wh ...) {DSA-1027-1} - mailman 2.1.6-1 (bug #358892) CVE-2006-0051 (Buffer overflow in playlistimport.cpp in Kaffeine Player 0.4.2 through ...) {DSA-1023-1} - kaffeine 0.8-1 CVE-2006-0050 (snmptrapfmt in Debian 3.0 allows local users to overwrite arbitrary fi ...) {DSA-1013-1} - snmptrapfmt 1.10 CVE-2006-0049 (gpg in GnuPG before 1.4.2.2 does not properly verify non-detached sign ...) {DSA-993-2} - gnupg 1.4.2.2-1 (bug #356125; medium) - gnupg2 (Vulnerable code not activated) CVE-2006-0048 (Francesco Stablum tcpick 0.2.1 allows remote attackers to cause a deni ...) - tcpick 0.2.1-3 (bug #360571; low) [sarge] - tcpick (Minor issue) CVE-2006-0047 (packets.c in Freeciv 2.0 before 2.0.8 allows remote attackers to cause ...) {DSA-994-1} - freeciv 2.0.8-1 (medium; bug #355211) CVE-2006-0046 (squid_redirect script in adzapper before 2006-01-29 allows remote atta ...) {DSA-966-1} - adzapper 20060115-1 CVE-2006-0045 (crawl before 4.0.0 does not securely call programs when saving and loa ...) {DSA-949-1} - crawl 1:4.0.0beta26-7 (medium) CVE-2006-0044 (Unspecified vulnerability in context.py in Albatross web application t ...) {DSA-942-1} - albatross 1.33-1 CVE-2005-4585 (Unspecified vulnerability in the GTP dissector for Ethereal 0.9.1 to 0 ...) - ethereal 0.10.14-1 (bug #345243; low) NOTE: This affects Woody and Sarge CVE-2005-4584 (BZFlag server 2.0.4 and earlier allows remote attackers to cause a den ...) - bzflag 2.0.6.20060412-1 (bug #345245; low) [sarge] - bzflag (Minor DoS against a game) CVE-2005-4583 (Unspecified vulnerability in the Management Interface in VMware ESX Se ...) NOT-FOR-US: VMWare CVE-2005-4582 (Electric Sheep 2.6.3 does not require authentication or integrity chec ...) - electricsheep 2.6.3+cvs20051206-1 (unimportant) NOTE: Even an authenticated server might serve unwanted content, so NOTE: this can't be considered a real vulnerability. CVE-2005-4581 (Buffer overflow in Electric Sheep 2.6.3 client allows local users to e ...) - electricsheep 2.6.3+cvs20051206-1 (unimportant) NOTE: This does not seem to be exploitable. CVE-2005-4580 (Cross-site scripting (XSS) vulnerability in Day Communique 4 allows re ...) NOT-FOR-US: Day Communique CVE-2005-4579 (Multiple HTTP response splitting vulnerabilities in Hitachi Business L ...) NOT-FOR-US: Hitachi Business Logic CVE-2005-4578 (Multiple SQL injection vulnerabilities in Hitachi Business Logic - Con ...) NOT-FOR-US: Hitachi Business Logic CVE-2005-4577 (Multiple cross-site scripting (XSS) vulnerabilities in Hitachi Busines ...) NOT-FOR-US: Hitachi Business Logic CVE-2005-4576 (Multiple cross-site scripting (XSS) vulnerabilities in the UpdateEngin ...) NOT-FOR-US: Fatwire Update Engine CVE-2005-4575 (PaperThin CommonSpot Content Server 4.5 and earlier allow remote attac ...) NOT-FOR-US: CommonSpot Content Server CVE-2005-4574 (Cross-site scripting (XSS) vulnerability in loader.cfm in PaperThin Co ...) {DSA-1201-1} NOT-FOR-US: CommonSpot Content Server CVE-2005-4573 (PHP remote file include vulnerability in plog-admin-functions.php in P ...) NOT-FOR-US: Plogger CVE-2005-4572 (Multiple SQL injection vulnerabilities in myEZshop Shopping Cart allow ...) NOT-FOR-US: myEZshop Shopping Cart CVE-2005-4571 (Cross-site scripting (XSS) vulnerability in myEZshop Shopping Cart all ...) NOT-FOR-US: myEZshop Shopping Cart CVE-2005-4570 (The Internet Key Exchange version 1 (IKEv1) implementations in Fortine ...) NOT-FOR-US: FortiOS CVE-2005-4569 (Stack-based buffer overflow in index.fts in FTGate Technology (formerl ...) NOT-FOR-US: FTGate CVE-2005-4568 (Multiple format string vulnerabilities in FTGate Technology (formerly ...) NOT-FOR-US: FTGate CVE-2005-4567 (Multiple cross-site scripting (XSS) vulnerabilities in FTGate Technolo ...) NOT-FOR-US: FTGate CVE-2005-4566 (Buffer overflow in the Internet Key Exchange version 1 (IKEv1) impleme ...) NOT-FOR-US: NetVanta CVE-2005-4565 (Format string vulnerability in the Internet Key Exchange version 1 (IK ...) NOT-FOR-US: NetVanta CVE-2005-4564 (The Internet Key Exchange version 1 (IKEv1) implementation in ADTRAN N ...) NOT-FOR-US: NetVanta CVE-2005-4563 (SQL injection vulnerability in main.php in Enterprise Heart Enterprise ...) NOT-FOR-US: Enterprise Heart Enterprise Connector CVE-2005-4562 REJECTED CVE-2005-4561 REJECTED CVE-2005-4560 (The Windows Graphical Device Interface library (GDI32.DLL) in Microsof ...) {CVE-2006-0106} NOT-FOR-US: Microsoft CVE-2005-4559 (mail/include.html in IceWarp Web Mail 5.5.1, as used by Merak Mail Ser ...) NOT-FOR-US: IceWarp Web Mail CVE-2005-4558 (IceWarp Web Mail 5.5.1, as used by Merak Mail Server 8.3.0r and VisNet ...) NOT-FOR-US: IceWarp Web Mail CVE-2005-4557 (dir/include.html in IceWarp Web Mail 5.5.1, as used by Merak Mail Serv ...) NOT-FOR-US: IceWarp Web Mail CVE-2005-4556 (PHP remote file include vulnerability in IceWarp Web Mail 5.5.1, as us ...) NOT-FOR-US: IceWarp Web Mail CVE-2005-4555 (Cross-site scripting (XSS) vulnerability in add.php in DEV web managem ...) NOT-FOR-US: DEV web management system CVE-2005-4554 (Multiple SQL injection vulnerabilities in DEV web management system 1. ...) NOT-FOR-US: DEV web management system CVE-2005-4553 (Buffer overflow in Golden FTP Server 1.92 allows remote attackers to e ...) NOT-FOR-US: Golden FTP Server CVE-2005-4552 (The (1) slsmgr and (2) slsadmin programs in Sun Solaris PC NetLink 2.0 ...) NOT-FOR-US: Sun Solaris PC NetLink CVE-2005-4551 (Cross-site scripting (XSS) vulnerability in sign.php in codegrrl SimpB ...) NOT-FOR-US: codegrrl SimpBook CVE-2005-4550 (The PORTAL schema in Oracle Application Server (OracleAS) Discussion F ...) NOT-FOR-US: Oracle CVE-2005-4549 (Cross-site scripting (XSS) vulnerability in Oracle Application Server ...) NOT-FOR-US: Oracle CVE-2005-4548 (SQL injection vulnerability in the "user area" in RWS Statistics Count ...) NOT-FOR-US: RWS Statistics Counter CVE-2005-4547 (Cross-site scripting (XSS) vulnerability in home/search.php in eggblog ...) NOT-FOR-US: eggblog CVE-2005-4546 (search.php in eggblog 2.0 allows remote attackers to obtain the full p ...) NOT-FOR-US: eggblog CVE-2005-4545 (Cross-site scripting (XSS) vulnerability in search.asp in NetDirect Sh ...) NOT-FOR-US: NetDirect ShopEngine CVE-2005-4544 REJECTED CVE-2005-4543 REJECTED CVE-2005-4542 REJECTED CVE-2005-4541 REJECTED CVE-2005-4540 REJECTED CVE-2005-4539 REJECTED CVE-2005-4538 REJECTED CVE-2005-4537 REJECTED CVE-2005-4536 (Mail::Audit module in libmail-audit-perl 2.1-5, when logging is enable ...) {DSA-960-3} - libmail-audit-perl 2.1-5.1 (bug #344029; medium) CVE-2005-4535 REJECTED CVE-2005-4533 (Argument injection vulnerability in scponlyc in scponly 4.1 and earlie ...) {DSA-969-1} - scponly 4.6-1 (bug #344418) CVE-2005-4532 (scponlyc in scponly 4.1 and earlier, when the operating system support ...) {DSA-969-1} - scponly 4.6-1 (bug #344418) CVE-2005-4531 REJECTED CVE-2005-4530 (Multiple cross-site scripting (XSS) vulnerabilities in AlstraSoft EPay ...) NOT-FOR-US: EPay Enterprise CVE-2005-4529 (The Chatspot 2.0.0a7 module for phpBB might allow remote attackers to ...) NOT-FOR-US: phpBB addon CVE-2005-4528 (SQL injection vulnerability in the Chatspot 2.0.0a7 module for phpBB a ...) NOT-FOR-US: phpBB addon CVE-2005-4527 (Multiple SQL injection vulnerabilities in Direct News 4.9 allow remote ...) NOT-FOR-US: Direct News CVE-2005-4526 (Clearswift MIMEsweeper For Web (a.k.a. WEBsweeper) 4.0 through 5.1 all ...) NOT-FOR-US: MIMEsweeper For Web CVE-2005-4525 (SmcGui.exe in Sygate Protection Agent 5.0 build 6144 allows local user ...) NOT-FOR-US: Sygate CVE-2005-4524 (Mantis 1.0.0rc3 does not properly handle "Make note private" when a bu ...) {DSA-944-1} - mantis 0.19.4-1 (bug #345288) CVE-2005-4523 (Mantis 1.0.0rc3 and earlier discloses private bugs via public RSS feed ...) {DSA-944-1} - mantis 0.19.4-1 (bug #345288) CVE-2005-4522 (Multiple cross-site scripting (XSS) vulnerabilities in the view_filter ...) {DSA-944-1} - mantis 0.19.4-1 (bug #345288) CVE-2005-4521 (CRLF injection vulnerability in Mantis 1.0.0rc3 and earlier allows rem ...) {DSA-944-1} - mantis 0.19.4-1 (bug #345288) CVE-2005-4520 (Unspecified "port injection" vulnerabilities in filters in Mantis 1.0. ...) {DSA-944-1} - mantis 0.19.4-1 (bug #345288) CVE-2005-4519 (Multiple SQL injection vulnerabilities in the manage user page (manage ...) {DSA-944-1} - mantis 0.19.4-1 (bug #345288) CVE-2005-4518 (Mantis before 0.19.4 allows remote attackers to bypass the file upload ...) {DSA-944-1} - mantis 0.19.4-1 (bug #345288) CVE-2005-4517 (SQL injection vulnerability in PHP-Fusion 6.00.200 through 6.00.300 al ...) NOT-FOR-US: PHP-Fusion CVE-2005-4516 (Multiple cross-site scripting (XSS) vulnerabilities in PHP-Fusion 6.00 ...) NOT-FOR-US: PHP-Fusion CVE-2005-4515 NOT-FOR-US: WebDB CVE-2005-4514 NOT-FOR-US: Webwasher CVE-2005-4513 (Cross-site scripting (XSS) vulnerability in WANDSOFT e-SEARCH allows r ...) NOT-FOR-US: WANDSOFT e-SEARCH CVE-2005-4512 (Cross-site scripting (XSS) vulnerability in WAXTRAPP 3.0.1 and earlier ...) NOT-FOR-US: WAXTRAPP CVE-2005-4511 (Format string vulnerability in TN3270 Resource Gateway 1.1.0 allows lo ...) NOT-FOR-US: TN3270 Resource Gateway CVE-2005-4510 (Directory traversal vulnerability in server.np in NetPublish Server 7 ...) NOT-FOR-US: Netpublish Server CVE-2005-4509 (SQL injection vulnerability in index.asp in pTools allows remote attac ...) NOT-FOR-US: pTools CVE-2005-4508 (Nexus Concepts Dev Hound 2.24 and earlier allows remote attackers to o ...) NOT-FOR-US: Nexus Concepts Dev Hound CVE-2005-4507 (Multiple cross-site scripting (XSS) vulnerabilities in Nexus Concepts ...) NOT-FOR-US: Nexus Concepts Dev Hound CVE-2005-4506 (Nexus Concepts Dev Hound 2.24 and earlier stores username and password ...) NOT-FOR-US: Nexus Concepts Dev Hound CVE-2005-4505 (Unquoted Windows search path vulnerability in McAfee VirusScan Enterpr ...) NOT-FOR-US: McAfee CVE-2005-4504 (The khtml::RenderTableSection::ensureRows function in KHTMLParser in A ...) - kdelibs NOTE: Konqueror from sid doesn't crash, will test an older version later CVE-2005-4503 (httprint v202, and possibly other versions before v301, allows remote ...) NOT-FOR-US: httprint CVE-2005-4502 (Cross-site scripting (XSS) vulnerability in httprint v202, and possibl ...) NOT-FOR-US: httprint CVE-2005-4501 (MediaWiki before 1.5.4 uses a hard-coded "internal placeholder string" ...) - mediawiki 1.4.13-1 (bug #345280) CVE-2005-4500 (SQL injection vulnerability in MusicBox 2.3 allows remote attackers to ...) NOT-FOR-US: MusicBox CVE-2005-4499 (The Downloadable RADIUS ACLs feature in Cisco PIX and VPN 3000 concent ...) NOT-FOR-US: Cisco CVE-2005-4498 (Cross-site scripting (XSS) vulnerability in Text-e 1.6.4 and earlier a ...) NOT-FOR-US: Text-e CVE-2005-4497 (Cross-site scripting (XSS) vulnerability in Tangora Portal CMS 4.0 and ...) NOT-FOR-US: Tangora Portal CVE-2005-4496 (Cross-site scripting (XSS) vulnerability in search in SyntaxCMS 1.2.1 ...) NOT-FOR-US: Syntax CMS CVE-2005-4495 NOT-FOR-US: SpireMedia CVE-2005-4494 (Cross-site scripting (XSS) vulnerability in SPIP 1.8.2 and earlier all ...) - spip 2.0.6-1 (medium; bug #352078) CVE-2005-4493 (Cross-site scripting (XSS) vulnerability in SpearTek 6.0 and earlier a ...) NOT-FOR-US: SpearTek CVE-2005-4492 (Cross-site scripting (XSS) vulnerability in Starphire SiteSage 5.0.18 ...) NOT-FOR-US: Starphire SiteSage CVE-2005-4491 (Multiple cross-site scripting (XSS) vulnerabilities in Sitekit CMS 6.6 ...) NOT-FOR-US: Sitekit CMS CVE-2005-4490 (Multiple cross-site scripting (XSS) vulnerabilities in SCOOP! 2.3 and ...) NOT-FOR-US: SCOOP! CVE-2005-4489 (Cross-site scripting (XSS) vulnerability in Scoop 1.1 RC1 and earlier ...) NOT-FOR-US: Scoop CVE-2005-4488 (Multiple cross-site scripting (XSS) vulnerabilities in index.tpl in Re ...) NOT-FOR-US: Redakto WCMS CVE-2005-4487 (Cross-site scripting (XSS) vulnerability in RAMSite R|1 CMS 1.0 and ea ...) NOT-FOR-US: RAMSite CVE-2005-4486 NOT-FOR-US: Quantum Art CVE-2005-4485 (Multiple cross-site scripting (XSS) vulnerabilities in ProjectApp 3.3 ...) NOT-FOR-US: ProjectApp CVE-2005-4484 (Multiple cross-site scripting (XSS) vulnerabilities in IntranetApp 3.3 ...) NOT-FOR-US: IntranetApp CVE-2005-4483 (Cross-site scripting (XSS) vulnerability in login.asp in SiteEnable 3. ...) NOT-FOR-US: SiteEnable CVE-2005-4482 (Cross-site scripting (XSS) vulnerability in login.asp in PortalApp 3.3 ...) NOT-FOR-US: PortalApp CVE-2005-4481 NOT-FOR-US: Polypoly CVE-2005-4480 (Cross-site scripting (XSS) vulnerability in Plexcor CMS 4.0 and earlie ...) NOT-FOR-US: Plexcor CMS CVE-2005-4479 (SQL injection vulnerability in article.php in phpSlash 0.8.1 and earli ...) NOT-FOR-US: phpSlash CVE-2005-4478 (Multiple SQL injection vulnerabilities in Papoo 2.1.2 and earlier allo ...) NOT-FOR-US: Papoo CVE-2005-4477 (Cross-site scripting (XSS) vulnerability in papaya CMS 4.0.4 and earli ...) NOT-FOR-US: papaya CMS CVE-2005-4476 (Cross-site scripting (XSS) vulnerability in store/search/results.html ...) NOT-FOR-US: OpenEdit CVE-2005-4475 (Cross-site scripting (XSS) vulnerability in OpenCms 6.0.3 and earlier ...) NOT-FOR-US: OpenCms CVE-2005-4534 (The shadow database feature (syncshadowdb) in Bugzilla 2.9 through 2.1 ...) {DSA-1208-1} - bugzilla 2.18 (bug #329387; low) NOTE: The vulnerable script has been removed in the 2.18 upstream release CVE-2005-XXXX [Insecure tempfile in libjpeg6b's exifautotran] - libjpeg6b 6b-11 (bug #340079; low) [woody] - libjpeg6b (Does not include exifautotran) [sarge] - libjpeg6b (Creates tempfile in cwd, only very far-fetched attack vectors applicable) CVE-2006-0043 (Buffer overflow in the realpath function in nfs-server rpc.mountd, as ...) {DSA-975-1} - nfs-user-server 2.2beta47-22 (high; bug #350020) NOTE: nfs-utils (kernel NFS server) is not affected NOTE: (it uses PATH_MAX for the buffer passed to realpath). CVE-2006-0042 (Unspecified vulnerability in (1) apreq_parse_headers and (2) apreq_par ...) {DSA-1000-2} - libapreq2 2.07-1 CVE-2006-0041 REJECTED CVE-2006-0040 (GNOME Evolution 2.4.2.1 and earlier allows remote attackers to cause a ...) - evolution 2.10.1 (bug #398064; low) [etch] - evolution (Minor issue) [sarge] - evolution (Not reproducable on Sarge) CVE-2006-0039 (Race condition in the do_add_counters function in netfilter for Linux ...) {DSA-1103 DSA-1097-1} - linux-2.6 2.6.16-14 CVE-2006-0038 (Integer overflow in the do_replace function in netfilter for Linux bef ...) {DSA-1103 DSA-1097-1} - linux-2.6 2.6.16-1 CVE-2006-0037 (ip_nat_pptp in the PPTP NAT helper (netfilter/ip_nat_helper_pptp.c) in ...) - linux-2.6 2.6.15-3 [sarge] - kernel-source-2.6.8 (Vulnerable code not present) [sarge] - kernel-source-2.4.27 (Vulnerable code not present) CVE-2006-0036 (ip_nat_pptp in the PPTP NAT helper (netfilter/ip_nat_helper_pptp.c) in ...) - linux-2.6 2.6.15-3 [sarge] - kernel-source-2.6.8 (Vulnerable code not present) [sarge] - kernel-source-2.4.27 (Vulnerable code not present) CVE-2006-0035 (The netlink_rcv_skb function in af_netlink.c in Linux kernel 2.6.14 an ...) - linux-2.6 2.6.15-3 CVE-2006-0019 (Heap-based buffer overflow in the encodeURI and decodeURI functions in ...) {DSA-948-1} - kdelibs 4:3.5.1-1 (medium) CVE-2005-4474 (Buffer overflow in the "Add to archive" command in WinRAR 3.51 allows ...) NOT-FOR-US: WinRAR CVE-2005-4473 (Unspecified vulnerability in Macromedia JRun 4 web server (JWS) allows ...) NOT-FOR-US: Macromedia JRun 4 web server CVE-2005-4472 (Stack-based buffer overflow in the Macromedia JRun 4 web server (JWS) ...) NOT-FOR-US: Macromedia JRun 4 web server CVE-2005-4471 (POP3 service in Avaya Modular Messaging Message Storage Server (MSS) 2 ...) NOT-FOR-US: Avaya Modular Messaging Message Storage Server CVE-2005-4470 (Heap-based buffer overflow in the get_bhead function in readfile.c in ...) {DSA-1039-1 DTSA-29-1} - blender 2.40-1 (bug #344398; medium) [woody] - blender (Woody has it in non-free and it is binary-only) CVE-2005-4469 (Multiple direct static code injection vulnerabilities in PHPGedView 3. ...) NOT-FOR-US: PHPGedView CVE-2005-4468 (PHP remote file include vulnerability in help_text_vars.php in PHPGedV ...) NOT-FOR-US: PHPGedView CVE-2005-4467 (Directory traversal vulnerability in help_text_vars.php in PHPGedView ...) NOT-FOR-US: PHPGedView CVE-2005-4466 (Heap-based buffer overflow in the SIPParser function in i3sipmsg.dll i ...) NOT-FOR-US: SIP Proxy CVE-2005-4465 (The Internet Key Exchange version 1 (IKEv1) implementation in NEC UNIV ...) NOT-FOR-US: NEC UNIVERGE IX1000, IX2000, and IX3000 CVE-2005-4464 (Ingate Firewall before 4.3.4 and SIParator before 4.3.4 allows remote ...) NOT-FOR-US: Ingate Firewall / SIParator CVE-2005-4463 (WordPress before 1.5.2 allows remote attackers to obtain sensitive inf ...) - wordpress 1.5.2-1 (unimportant) NOTE: Only path disclosure CVE-2005-4462 (PHP remote file include vulnerability in usermods.php in Tolva PHP web ...) NOT-FOR-US: Tolva PHP website system CVE-2005-4461 (SQL injection vulnerability in index.php in Beehive Forum 0.6.2 and ea ...) NOT-FOR-US: Beehive Forum CVE-2005-4460 (Cross-site scripting (XSS) vulnerability in Beehive Forum 0.6.2 and ea ...) NOT-FOR-US: Beehive Forum CVE-2005-4459 (Heap-based buffer overflow in the NAT networking components vmnat.exe ...) NOT-FOR-US: VMWare CVE-2005-4458 (Group.pm in Metadot Portal Server 6.4.4 and earlier does not properly ...) NOT-FOR-US: Metadot Portal Server CVE-2005-4457 (MailEnable Enterprise 1.1 before patch ME-10009 allows remote attacker ...) NOT-FOR-US: MailEnable CVE-2005-4456 (Multiple buffer overflows in MailEnable Professional 1.71 and Enterpri ...) NOT-FOR-US: MailEnable CVE-2005-4455 (cleanhtml.pl 1.129 in LiveJournal CVS before Dec 13 2005 allows remote ...) NOT-FOR-US: livejournal NOTE: liblivejournal-perl doesn't seem to embed any of the affected code CVE-2005-4454 (Validate-before-filter vulnerability in cleanhtml.pl 1.129 in LiveJour ...) NOT-FOR-US: livejournal NOTE: liblivejournal-perl doesn't seem to embed any of the affected code CVE-2005-4453 (UserProfile.cs in Ultraapps Issue Manager before 2.1 allows remote aut ...) NOT-FOR-US: Ultraapps Issue Manager CVE-2005-4452 (Information Call Center stores the CallCenterData.mdb database under t ...) NOT-FOR-US: Information Call Center CVE-2005-4451 (Unspecified vulnerability in Software Distributor in HP-UX B.11.11 all ...) NOT-FOR-US: HP-UX CVE-2005-4450 (Cross-site request forgery (CSRF) vulnerability in phpMyAdmin 2.7.0 al ...) NOTE: According to the description possibly a dupe of the non-issue CVE-2005-4349 CVE-2005-4449 (verify.php in FlatNuke 2.5.6 allows remote authenticated administrator ...) NOT-FOR-US: FlatNuke CVE-2005-4448 (FlatNuke 2.5.6 verifies authentication credentials based on an MD5 che ...) NOT-FOR-US: FlatNuke CVE-2005-4447 (SQL injection vulnerability in articles\articles_funcs.php in phpCOIN ...) NOT-FOR-US: phpCOIN CVE-2005-4446 (Cross-site scripting (XSS) vulnerability in index.asp in ASPBite 8.x a ...) NOT-FOR-US: ASPBite CVE-2005-4445 (Off-by-one error in Pegasus Mail 4.21a through 4.21c and 4.30PB1 allow ...) NOT-FOR-US: Pegasus Mail CVE-2005-4444 (Stack-based buffer overflow in the trace message functionality in Pega ...) NOT-FOR-US: Pegasus Mail CVE-2005-4443 (Untrusted search path vulnerability in Gauche before 0.8.6-r1 on Gento ...) - gauche (Gentoo-specific packaging flaw) CVE-2005-4442 (Untrusted search path vulnerability in OpenLDAP before 2.2.28-r3 on Ge ...) - openldap2 (Gentoo-specific packaging flaw) - openldap2.2 (Gentoo-specific packaging flaw) CVE-2005-4441 (The PVLAN protocol allows remote attackers to bypass network segmentat ...) NOT-FOR-US: VLAN protocol flaws, likely fixed in current kernels CVE-2005-4440 (The 802.1q VLAN protocol allows remote attackers to bypass network seg ...) NOT-FOR-US: VLAN protocol flaws, likely fixed in current kernels CVE-2005-4439 (Buffer overflow in ELOG elogd 2.6.0-beta4 allows remote attackers to c ...) {DSA-967-1} - elog 2.6.1+r1642-1 (bug #349528; high) CVE-2005-4438 (Heap-based buffer overflow in Dec2Rar.dll 3.2.14.3, as distributed in ...) NOT-FOR-US: Dec2Rar CVE-2005-4437 (MD5 Neighbor Authentication in Extended Interior Gateway Routing Proto ...) NOT-FOR-US: IOS CVE-2005-4436 (Extended Interior Gateway Routing Protocol (EIGRP) 1.2, as implemented ...) NOT-FOR-US: IOS CVE-2005-4435 (Cross-site scripting (XSS) vulnerability in index.php AbleDesign D-Man ...) NOT-FOR-US: AbleDesign D-Man CVE-2005-4434 (Cross-site scripting (XSS) vulnerability in AbleDesign ReSearch 2.x al ...) NOT-FOR-US: AbleDesign ReSearch CVE-2005-4433 (Cross-site scripting (XSS) vulnerability in search.php in Esselbach St ...) NOT-FOR-US: Esselbach Storyteller CMS CVE-2005-4432 (Cross-site scripting (XSS) vulnerability in index.php in PlaySMS 0.8 a ...) NOT-FOR-US: PlaySMS CVE-2005-4431 (SQL injection vulnerability in WowBB 1.65 allows remote attackers to e ...) NOT-FOR-US: WowBB CVE-2005-4430 (SQL injection vulnerability in LogicBill 1.0 and earlier allows remote ...) NOT-FOR-US: LogicBill CVE-2005-4429 (SQL injection vulnerability in CS-Cart 1.3.0 allows remote attackers t ...) NOT-FOR-US: CS-Cart CVE-2005-4428 (Cross-site scripting (XSS) vulnerability in index.php in Cerberus Help ...) NOT-FOR-US: Cerberus Helpdesk CVE-2005-4427 (Multiple SQL injection vulnerabilities in Cerberus Helpdesk allow remo ...) NOT-FOR-US: Cerberus Helpdesk CVE-2005-4426 (Interpretation conflict in YaBB before 2.1 allows remote authenticated ...) NOT-FOR-US: YaBB CVE-2005-4425 (Unspecified vulnerability in Kerio WinRoute Firewall before 6.1.3 allo ...) NOT-FOR-US: Kerio Firewall CVE-2005-4424 (Directory traversal vulnerability in PHPKIT 1.6.1 R2 and earlier might ...) NOT-FOR-US: PHPKIT CVE-2005-4423 (Unrestricted file upload vulnerability in PHPFM before 0.2.3 allows re ...) NOT-FOR-US: PHPFM CVE-2005-4422 (Unrestricted file upload vulnerability in toendaCMS before 0.6.2 Stabl ...) NOT-FOR-US: toendaCMS CVE-2005-4421 (Dev-Editor 3.0 allows remote attackers to access any directory outside ...) NOT-FOR-US: Dev-Editor CVE-2005-4420 (Cross-site scripting (XSS) vulnerability in Honeycomb Archive Enterpri ...) NOT-FOR-US: Honeycomb Archive Enterprise CVE-2005-4419 (Multiple SQL injection vulnerabilities in CategoryResults.cfm in Honey ...) NOT-FOR-US: Honeycomb Archive Enterprise CVE-2005-4417 (The default configuration of Widcomm Bluetooth for Windows (BTW) 4.0.1 ...) NOT-FOR-US: Widcomm Bluetooth for Windows CVE-2005-4416 (SQL injection vulnerability in index.php in TML CMS 0.5 allows remote ...) NOT-FOR-US: TML CMS CVE-2005-4415 (Cross-site scripting (XSS) vulnerability in index.php in TML CMS 0.5 a ...) NOT-FOR-US: TML CMS CVE-2005-4414 (Unspecified vulnerability in Teamwork 3 before alpha 1.7 has unknown i ...) NOT-FOR-US: Teamwork 3 CVE-2005-4413 (Multiple cross-site scripting (XSS) vulnerabilities in sample scripts ...) NOT-FOR-US: Websphere CVE-2005-4412 (Citrix Program Neighborhood client before 9.150 caches the user passwo ...) NOT-FOR-US: Citrix CVE-2005-4411 (Buffer overflow in Mercury Mail Transport System 4.01b allows remote a ...) NOT-FOR-US: Mercury Mail Transport System CVE-2005-4410 (Cross-site scripting (XSS) vulnerability in NQcontent 3 allows remote ...) NOT-FOR-US: NQcontent CVE-2005-4409 (Cross-site scripting (XSS) vulnerability in MMBase 1.7.4 and earlier a ...) NOT-FOR-US: MMBase CVE-2005-4408 (Multiple SQL injection vulnerabilities in Miraserver 1.0 RC4 and earli ...) NOT-FOR-US: Miraserver CVE-2005-4407 (Cross-site scripting (XSS) vulnerability in index.cfm in Mercury CMS 4 ...) NOT-FOR-US: Mercury CMS CVE-2005-4406 (SQL injection vulnerability in index.cfm in Mercury CMS 4.0 and earlie ...) NOT-FOR-US: Mercury CMS CVE-2005-4405 (redqueen.cgi in Red Queen 1.02 and earlier allows remote attackers to ...) NOT-FOR-US: Red Queen CVE-2005-4404 (SQL injection vulnerability in default.asp in Media2 CMS Shop 18.x all ...) NOT-FOR-US: Media2 CMS CVE-2005-4403 (SQL injection vulnerability in index.php in Marwel 2.7 and earlier all ...) NOT-FOR-US: Marwel CVE-2005-4402 (Buffer overflow in MailEnable Professional 1.71 and earlier, and Enter ...) NOT-FOR-US: MailEnable Professional CVE-2005-4401 (Cross-site scripting (XSS) vulnerability in Lutece 1.2.3 and earlier a ...) NOT-FOR-US: Lutece CVE-2005-4400 (Cross-site scripting (XSS) vulnerability in downloads/portal_ent in Li ...) NOT-FOR-US: Liferay Portal Professional CVE-2005-4399 (Cross-site scripting (XSS) vulnerability in search/index.php in Libert ...) NOT-FOR-US: Libertas Enterprise CMS CVE-2005-4398 NOT-FOR-US: lemoon CVE-2005-4397 (SQL injection vulnerability in RunScript.asp iCMS allows remote attack ...) NOT-FOR-US: iCMS CVE-2005-4396 (Cross-site scripting (XSS) vulnerability in admin/Default.asp in iCMS ...) NOT-FOR-US: iCMS CVE-2005-4395 (Cross-site scripting (XSS) vulnerability in FarCry 3.0 and earlier all ...) NOT-FOR-US: FarCry CVE-2005-4394 (Cross-site scripting (XSS) vulnerability in EPiX 3.1.2 and earlier all ...) NOT-FOR-US: EPiX CVE-2005-4393 (Cross-site scripting (XSS) vulnerability in show.cfm in e-publish CMS ...) NOT-FOR-US: e-publish CMS CVE-2005-4392 (SQL injection vulnerability in printer_friendly.cfm in e-publish CMS 2 ...) NOT-FOR-US: e-publish CMS CVE-2005-4391 (Cross-site scripting (XSS) vulnerability in damoon allows remote attac ...) NOT-FOR-US: damoon CVE-2005-4390 (SQL injection vulnerability in index.php in ContentServ 3.1 and earlie ...) NOT-FOR-US: ContentServ CVE-2005-4389 (search.cfm in CONTENS 3.0 and earlier allows remote attackers to obtai ...) NOT-FOR-US: CONTENS CVE-2005-4388 (Cross-site scripting (XSS) vulnerability in search.cfm in CONTENS 3.0 ...) NOT-FOR-US: CONTENS CVE-2005-4387 (Cross-site scripting (XSS) vulnerability in home.php in contenite 0.11 ...) NOT-FOR-US: contenite CVE-2005-4386 (Cross-site scripting (XSS) vulnerability in Colony CMS 2.75 and earlie ...) NOT-FOR-US: Colony CMS CVE-2005-4385 (Cross-site scripting (XSS) vulnerability in search.htm in Cofax 2.0 RC ...) NOT-FOR-US: Cofax CVE-2005-4384 (CitySoft Community Enterprise 4.x allows remote attackers to obtain th ...) NOT-FOR-US: CitySoft Community Enterprise CVE-2005-4383 (Cross-site scripting (XSS) vulnerability in index.cfm in CitySoft Comm ...) NOT-FOR-US: CitySoft Community Enterprise CVE-2005-4382 (SQL injection vulnerability in CitySoft Community Enterprise 4.x allow ...) NOT-FOR-US: CitySoft Community Enterprise CVE-2005-4381 (Multiple cross-site scripting (XSS) vulnerabilities in Caravel CMS 3.0 ...) NOT-FOR-US: Caravel CMS CVE-2005-4380 (Multiple SQL injection vulnerabilities in Bitweaver 1.1 and 1.1.1 beta ...) NOT-FOR-US: Bitweaver CVE-2005-4379 (Multiple cross-site scripting (XSS) vulnerabilities in Bitweaver 1.1 a ...) NOT-FOR-US: Bitweaver CVE-2005-4378 (SQL injection vulnerability in Page.asp in Baseline CMS 1.95 and earli ...) NOT-FOR-US: Baseline CMS CVE-2005-4377 (Cross-site scripting (XSS) vulnerability in Page.asp in Baseline CMS 1 ...) NOT-FOR-US: Baseline CMS CVE-2005-4376 (Directory traversal vulnerability in Amaxus 3 and earlier allows remot ...) NOT-FOR-US: Amaxus CVE-2005-4375 (Cross-site scripting (XSS) vulnerability in Amaxus 3 and earlier allow ...) NOT-FOR-US: Amaxus CVE-2005-4374 (Multiple cross-site scripting (XSS) vulnerabilities in Allinta 2.3.2 a ...) NOT-FOR-US: Allinta CVE-2005-4373 (Adaptive Website Framework (AWF) 2.10 and earlier allows remote attack ...) NOT-FOR-US: Adaptive Website Framework CVE-2005-4372 (Cross-site scripting (XSS) vulnerability in account.html in Adaptive W ...) NOT-FOR-US: Adaptive Website Framework CVE-2005-4371 (Acidcat 2.1.13 and earlier stores the database under the web root with ...) NOT-FOR-US: Acidcat CVE-2005-4370 (SQL injection vulnerability in main_content.asp in Acidcat 2.1.13 and ...) NOT-FOR-US: Acidcat CVE-2005-4369 (Cross-site scripting (XSS) vulnerability in Acuity CMS 2.6.2 allows re ...) NOT-FOR-US: Acuity CMS CVE-2005-4368 (roundcube webmail Alpha, with a default high verbose level ($rcmail_co ...) - roundcube (Quotes are stripped now and if the task can't be found there is a default of mail) CVE-2005-4367 (Cross-site scripting (XSS) vulnerability in register_domain.php in DRZ ...) NOT-FOR-US: DRZES HMS CVE-2005-4366 (Multiple SQL injection vulnerabilities in DRZES HMS 3.2 allow remote a ...) NOT-FOR-US: DRZES HMS CVE-2005-4365 (Multiple cross-site scripting (XSS) vulnerabilities in FLIP 0.9.0.1029 ...) NOT-FOR-US: FLIP CVE-2005-4364 (Cross-site scripting (XSS) vulnerability in index.cfm in Hot Banana We ...) NOT-FOR-US: Hot Banana Web Content Management Suite CVE-2005-4363 (Cross-site scripting (XSS) vulnerability in the search engine in Komod ...) NOT-FOR-US: Komodo CMS CVE-2005-4362 (SQL injection vulnerability in page.php in Komodo CMS 2.1 allows remot ...) NOT-FOR-US: Komodo CMS CVE-2005-4361 (Cross-site scripting (XSS) vulnerability in search.html in Magnolia Co ...) NOT-FOR-US: Magnolia Content Management Suite CVE-2005-4360 (The URL parser in Microsoft Internet Information Services (IIS) 5.1 on ...) NOT-FOR-US: IIS CVE-2005-4359 (SQL injection vulnerability in includes/core.inc.php in ODFaq 2.1.0 al ...) NOT-FOR-US: ODFaq CVE-2005-4358 (admin/admin_disallow.php in phpBB 2.0.18 allows remote attackers to ob ...) - phpbb2 (unimportant) CVE-2005-4357 (Cross-site scripting (XSS) vulnerability in phpBB 2.0.18, when "Allowe ...) - phpbb2 2.0.21-1 (bug #344674; low) [sarge] - phpbb2 (Affects only an inherently unsafe option only suitable for trusted users) NOTE: According to the maintainer only affects a config option that is strongly NOTE: discouraged due to potential security problems CVE-2005-4356 (SQL injection vulnerability in UStore allows remote attackers to execu ...) NOT-FOR-US: UStore CVE-2005-4355 (Multiple cross-site scripting (XSS) vulnerabilities in UStore allow re ...) NOT-FOR-US: UStore CVE-2005-4354 (Cross-site scripting (XSS) vulnerability in webglimpse.cgi in Webglimp ...) NOT-FOR-US: Webglimpse CVE-2005-4353 (SQL injection vulnerability in index.php in toendaCMS 0.6.2.1, when co ...) NOT-FOR-US: toendaCMS CVE-2005-4352 (The securelevels implementation in NetBSD 2.1 and earlier, and Linux 2 ...) - linux-2.6 2.6.18-3 CVE-2005-4351 (The securelevels implementation in FreeBSD 7.0 and earlier, OpenBSD up ...) - linux-2.6 2.6.18-3 CVE-2005-4350 (Unspecified vulnerability in WBEM Services A.01.x before A.01.05.12 an ...) NOT-FOR-US: WBEM Services CVE-2005-4349 [SQL injection vulnerability in server_privileges.php in phpMyAdmin 2.7....] - phpmyadmin 4:3.2.0-1 (unimportant) NOTE: A big commit that included a lot of fixes/versions NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/644366eaf1bd10dd087bfc8c46ed98a337c04ab4#diff-4cb9ef0ba2c5556cd595ceb5dd85fd33R2070 NOTE: Only for authenticated used, will possibly be rejected CVE-2002-2208 (Extended Interior Gateway Routing Protocol (EIGRP), as implemented in ...) NOT-FOR-US: IOS CVE-2005-4348 (fetchmail before 6.3.1 and before 6.2.5.5, when configured for multidr ...) {DSA-939-1} - fetchmail 6.3.1-1 (bug #343836; bug #345944; low) CVE-2005-4418 (util-vserver before 0.30.208-1 with kernel-patch-vserver before 1.9.5. ...) {DSA-1011-1} - util-vserver 0.30.208-1 CVE-2005-4347 (The Linux 2.4 kernel patch in kernel-patch-vserver before 1.9.5.5 and ...) {DSA-1011-1} - util-vserver 0.30.208-1 (bug #329090; medium) - kernel-patch-vserver 2.3 (bug #329087; medium) NOTE: both util-vserver and the kernel-patch-vserver need to be upgraded to fix this vulnerability CVE-2005-4346 (Invalid SQL syntax error in blog.php in phpBB Blog 2.2.2 and earlier a ...) NOT-FOR-US: phpBB Blog CVE-2005-4345 (Adobe (formerly Macromedia) ColdFusion MX 7.0 exposes the password has ...) NOT-FOR-US: ColdFusion MX CVE-2005-4344 (Adobe (formerly Macromedia) ColdFusion MX 7.0 does not honor when the ...) NOT-FOR-US: ColdFusion MX CVE-2005-4343 (Adobe (formerly Macromedia) ColdFusion MX 6.0, 6.1, 6.1 with JRun, and ...) NOT-FOR-US: ColdFusion MX CVE-2005-4342 (ColdFusion Sandbox on Adobe (formerly Macromedia) ColdFusion MX 6.0, 6 ...) NOT-FOR-US: ColdFusion MX CVE-2005-4341 (Blackboard Learning and Community Portal System in Academic Suite 6.3. ...) NOT-FOR-US: Academic Suite CVE-2005-4340 REJECTED CVE-2005-4339 (Cross-site scripting (XSS) vulnerability in Blackboard Learning and Co ...) NOT-FOR-US: Academic Suite CVE-2005-4338 (announcement.pl in Blackboard Learning and Community Portal System in ...) NOT-FOR-US: Academic Suite CVE-2005-4337 (The login page in Blackboard Learning and Community Portal System in A ...) NOT-FOR-US: Academic Suite CVE-2005-4336 (Cross-site scripting (XSS) vulnerability in ProjectForum 4.7.0 and ear ...) NOT-FOR-US: ProjectForum CVE-2005-4335 (ProjectForum 4.7.0 and earlier allows remote attackers to cause a deni ...) NOT-FOR-US: ProjectForum CVE-2005-4334 (SQL injection vulnerability in ZixForum 1.12 allows remote attackers t ...) NOT-FOR-US: ZixForum CVE-2005-4333 (Multiple cross-site scripting (XSS) vulnerabilities in Binary Board Sy ...) NOT-FOR-US: Binary Board System CVE-2005-4332 (Cisco Clean Access 3.5.5 and earlier on the Secure Smart Manager allow ...) NOT-FOR-US: Secure Smart Manager CVE-2005-4331 (SQL injection vulnerability in merchant.ihtml in iHTML Merchant Versio ...) NOT-FOR-US: iHTML Merchant CVE-2005-4330 (SQL injection vulnerability in browse.ihtml in iHTML Merchant Mall all ...) NOT-FOR-US: iHTML Merchant CVE-2005-4329 (SQL injection vulnerability in pafiledb.php in PHP Arena paFileDB Extr ...) NOT-FOR-US: paFileDB CVE-2005-4328 (Cross-site scripting (XSS) vulnerability in webglimpse.cgi in Webglimp ...) NOT-FOR-US: WebGlimpse CVE-2005-4327 (Multiple cross-site scripting (XSS) vulnerabilities in Michael Arndt W ...) NOT-FOR-US: Michael Arndt WebCal CVE-2005-4326 (The web interface for American Power Conversion (APC) PowerChute Netwo ...) NOT-FOR-US: APC hardware issue CVE-2005-4325 (Multiple unspecified vulnerabilities in Driverse before 0.56b have unk ...) NOT-FOR-US: Driverse CVE-2005-4324 (Hitachi Groupmax Mail SMTP 06-50 through 06-52-/A and 07-00 through 07 ...) NOT-FOR-US: Hitachi Groupmax Mail SMTP CVE-2005-4323 (Unspecified vulnerability in Hitachi Cosminexus Collaboration Portal 0 ...) NOT-FOR-US: Hitachi Cosminexus Collaboration Portal CVE-2005-4322 (Multiple cross-site scripting (XSS) vulnerabilities in Hitachi Cosmine ...) NOT-FOR-US: Hitachi Cosminexus Collaboration Portal CVE-2005-4321 (The Internet Key Exchange version 1 (IKEv1) implementation in Apani Ne ...) NOT-FOR-US: Apani Networks EpiForce CVE-2005-4320 (Limbo CMS 1.0.4.2 and earlier allows remote attackers to obtain the in ...) NOT-FOR-US: Limbo CMS CVE-2005-4319 (Directory traversal vulnerability in index2.php in Limbo CMS 1.0.4.2 a ...) NOT-FOR-US: Limbo CMS CVE-2005-4318 (SQL injection vulnerability in index.php in Limbo CMS 1.0.4.2 and earl ...) NOT-FOR-US: Limbo CMS CVE-2005-4317 (Limbo CMS 1.0.4.2 and earlier, with register_globals off, does not pro ...) NOT-FOR-US: Limbo CMS CVE-2005-4316 (HP-UX B.11.00, B.11.04, B.11.11, and B.11.23 allows remote attackers t ...) NOT-FOR-US: HP-UX CVE-2005-4315 (SQL injection vulnerability in the search function in Plexum PLEXCART ...) NOT-FOR-US: Plexum PLEXCART CVE-2005-4314 (Cross-site scripting (XSS) vulnerability in ppcal.cgi in PPCal Shoppin ...) NOT-FOR-US: PPCal Shopping Cart CVE-2005-4313 (SQL injection vulnerability in index.php in AlmondSoft Almond Personal ...) NOT-FOR-US: AlmondSoft Almond Personals CVE-2005-4312 (SQL injection vulnerability in index.php in AlmondSoft Almond Classifi ...) NOT-FOR-US: AlmondSoft Almond Personals CVE-2005-4311 (Cross-site scripting (XSS) vulnerability in DCForum 6.25 and earlier, ...) NOT-FOR-US: DCForum CVE-2005-4310 (SSH Tectia Server 5.0.0 (A, F, and T), when allowing host-based authen ...) NOT-FOR-US: SSH Tectia Server CVE-2005-4309 (SQL injection vulnerability in ezUpload Pro 2.2 and earlier allows rem ...) NOT-FOR-US: ezUpload Pro CVE-2005-4308 (index.php in ezUpload Pro 2.2 and earlier allows remote attackers to i ...) NOT-FOR-US: ezUpload Pro CVE-2005-4307 (Cross-site scripting (XSS) vulnerability in ScareCrow 2.13 and earlier ...) NOT-FOR-US: ScareCrow CVE-2005-4306 (Multiple cross-site scripting (XSS) vulnerabilities in SiteNet BBS 2.0 ...) NOT-FOR-US: SiteNet BBS CVE-2005-4305 (Cross-site scripting (XSS) vulnerability in Edgewall Trac 0.9, 0.9.1, ...) - trac 0.9.3-1 (bug #344006) [sarge] - trac (medium) NOTE: upstream bts at http://trac.edgewall.org/ticket/2473 claims this is NOTE: fixed in http://trac.edgewall.org/changeset/2724 but it's a fairly NOTE: invasive set of patches to backport. basically most instances NOTE: of input being escape()'d are no longer done so, and instead a NOTE: Markup() function replaces them, and special checks are done NOTE: on rendered HTML output to prevent XSS code from being displayed. CVE-2005-4304 (index.php in ezDatabase 2.1.2 and earlier allows remote attackers to o ...) NOT-FOR-US: ezDatabase CVE-2005-4303 (SQL injection vulnerability in index.php for ezDatabase 2.1.2 and earl ...) NOT-FOR-US: ezDatabase CVE-2005-4302 (Directory traversal vulnerability in index.php in ezDatabase 2.1.2 and ...) NOT-FOR-US: ezDatabase CVE-2005-4301 (Cross-site scripting (XSS) vulnerability in phpXplorer 0.9.12 and earl ...) NOT-FOR-US: pgpXplorer CVE-2005-4300 (Format string vulnerability in the lire_pop function in pop.c in libre ...) NOT-FOR-US: libremail CVE-2005-4299 (Cross-site scripting (XSS) vulnerability in atl.cgi in Atlant Pro 4.02 ...) NOT-FOR-US: Atlant Pro CVE-2005-4298 (Cross-site scripting (XSS) vulnerability in atl.cgi in AtlantForum 4.0 ...) NOT-FOR-US: AtlantForum CVE-2005-4297 (Cross-site scripting (XSS) vulnerability in bbBoard 2.56 and earlier a ...) NOT-FOR-US: bbBoard CVE-2005-4296 (AppServ Open Project 2.5.3 allows remote attackers to cause a denial o ...) NOT-FOR-US: AppServ Open Project CVE-2005-4295 (Cross-site scripting (XSS) vulnerability in Absolute Image Gallery XE ...) NOT-FOR-US: Absolute Image Gallery XE CVE-2005-4294 (Cross-site scripting (XSS) vulnerability in Alkacon OpenCms before 6.0 ...) NOT-FOR-US: Alkacon OpenCms CVE-2005-4293 (Cross-site scripting (XSS) vulnerability in cp-app.cgi in ClickCartPro ...) NOT-FOR-US: ClickCartPro CVE-2005-4292 (Cross-site scripting (XSS) vulnerability in CommerceSQL 1.0 and earlie ...) NOT-FOR-US: CommerceSQL CVE-2005-4291 (Cross-site scripting (XSS) vulnerability in cart.cgi in ECTOOLS Online ...) NOT-FOR-US: ECTOOLS Onlineshop CVE-2005-4290 (Cross-site scripting (XSS) vulnerability in index.cgi in ECW-Cart 2.03 ...) NOT-FOR-US: ECW-Cart CVE-2005-4289 (Cross-site scripting (XSS) vulnerability in EDCstore.pl in eDatCat 0.3 ...) NOT-FOR-US: eDatCat CVE-2005-4288 (Cross-site scripting (XSS) vulnerability in index.php in MarmaraWeb E- ...) NOT-FOR-US: MarmaraWeb E-commerce CVE-2005-4287 (PHP remote file include vulnerability in MarmaraWeb E-commerce allows ...) NOT-FOR-US: MarmaraWeb E-commerce CVE-2005-4286 (Unspecified vulnerability in PhpLogCon before 1.2.2 allows remote atta ...) NOT-FOR-US: PhpLogCon CVE-2005-4285 (Cross-site scripting (XSS) vulnerability in pdestore.cgi in Dick Copit ...) NOT-FOR-US: Dick Copits PDEstore CVE-2005-4284 (Cross-site scripting (XSS) vulnerability in StaticStore Search Engine ...) NOT-FOR-US: StaticStore Search Engine CVE-2005-4283 (Cross-site scripting (XSS) vulnerability in The CITY Shop 1.3 and earl ...) NOT-FOR-US: The CITY Shop CVE-2005-4282 (Cross-site scripting (XSS) vulnerability in Zaygo DomainCart 2.0 and e ...) NOT-FOR-US: Zaygo DomainCart CVE-2005-4281 (Cross-site scripting (XSS) vulnerability in Zaygo HostingCart 2.0 and ...) NOT-FOR-US: Zaygo HostingCart CVE-2005-4280 (Untrusted search path vulnerability in CMake before 2.2.0-r1 on Gentoo ...) - cmake (Gentoo-specific packaging flaw) CVE-2005-4279 (Untrusted search path vulnerability in Qt-UnixODBC before 3.3.4-r1 on ...) - qt-x11-free (Gentoo-specific packaging flaw) CVE-2005-4278 (Untrusted search path vulnerability in Perl before 5.8.7-r1 on Gentoo ...) - perl (Gentoo-specific packaging flaw) CVE-2005-4277 (Cross-site scripting (XSS) vulnerability in index.php in toendaCMS bef ...) NOT-FOR-US: toendaCMS CVE-2005-4276 (Westell Versalink 327W allows remote attackers to cause a denial of se ...) NOT-FOR-US: Westell Versalink CVE-2005-4275 (Scientific Atlanta DPX2100 Cable Modem allows remote attackers to caus ...) NOT-FOR-US: Scientific Atlanta DPX2100 Cable Modem CVE-2005-4274 (Unspecified vulnerability in Business Objects WebIntelligence 6.5x all ...) NOT-FOR-US: Business Objects WebIntelligence CVE-2005-4273 (Multiple unspecified vulnerabilities in (1) getShell and (2) getComman ...) NOT-FOR-US: AIX CVE-2005-4272 (Multiple buffer overflows in IBM AIX 5.1, 5.2, and 5.3 allow remote at ...) NOT-FOR-US: AIX CVE-2005-4271 (Buffer overflow in the malloc debug system in IBM AIX 5.3 allows local ...) NOT-FOR-US: AIX CVE-2005-4270 (Buffer overflow in Watchfire AppScan QA 5.0.609 and 5.0.134 allows rem ...) NOT-FOR-US: Watchfire AppScan CVE-2005-4269 (mshtml.dll in Microsoft Windows XP, Server 2003, and Internet Explorer ...) NOT-FOR-US: Microsoft Windows CVE-2005-4268 (Buffer overflow in cpio 2.6-8.FC4 on 64-bit platforms, when creating a ...) - cpio 2.6-10 (bug #344134; medium) [sarge] - cpio (medium) [woody] - cpio (medium) CVE-2005-4267 (Stack-based buffer overflow in Qualcomm WorldMail 3.0 allows remote at ...) NOT-FOR-US: Qualcomm WorldMail CVE-2004-2652 (The DecodeTCPOptions function in decode.c in Snort before 2.3.0, when ...) - snort 2.3.0-1 CVE-2004-2651 (Multiple cross-site scripting (XSS) vulnerabilities in YaCy before 0.3 ...) NOT-FOR-US: YaCy CVE-2003-1289 (The iBCS2 system call translator for statfs in NetBSD 1.5 through 1.5. ...) NOT-FOR-US: NetBSD CVE-2005-XXXX [rageirc IRC daemon always allows login with empty password] NOTE: not reproducible - rageircd (bug #343543; medium) CVE-2005-4266 (WorldClient.dll in Alt-N MDaemon and WorldClient 8.1.3 trusts a Sessio ...) NOT-FOR-US: Alt-N MDaemon and WorldClient CVE-2005-4265 REJECTED CVE-2005-4264 (Multiple SQL injection vulnerabilities in index.php in PHP Support Tic ...) NOT-FOR-US: PHP Support Tickets CVE-2005-4263 (SQL injection vulnerability in the News module in Envolution allows re ...) NOT-FOR-US: Envolution CVE-2005-4262 (Cross-site scripting (XSS) vulnerability in the News module in Envolut ...) NOT-FOR-US: Envolution CVE-2005-4261 (Unspecified vulnerability in Positive Software Corporation CP+ (cpplus ...) NOT-FOR-US: CP+ CVE-2005-4260 (Interpretation conflict in includes/mainfile.php in PHP-Nuke 7.9 and l ...) NOT-FOR-US: PHP-Nuke CVE-2005-4259 (Multiple SQL injection vulnerabilities in ASPBB 0.4 allow remote attac ...) NOT-FOR-US: ASPBB CVE-2005-4258 (Unspecified Cisco Catalyst Switches allow remote attackers to cause a ...) NOT-FOR-US: Cisco CVE-2005-4257 (Linksys WRT54GS and BEFW11S4 allows remote attackers to cause a denial ...) NOT-FOR-US: Linksys hardware CVE-2005-4256 (Cross-site scripting (XSS) vulnerability in forum.asp in ASP-DEV XM Fo ...) NOT-FOR-US: ASP-DEV XM Forum CVE-2005-4255 (Cross-site scripting (XSS) vulnerability in TextSearch in WikkaWiki 1. ...) NOT-FOR-US: WikkaWiki CVE-2005-4254 (SQL injection vulnerability in view_Results.php in DreamLevels DreamPo ...) NOT-FOR-US: DreamLevels DreamPoll CVE-2005-4253 (Cross-site scripting (XSS) vulnerability in getdox.php in Torrential 1 ...) NOT-FOR-US: Torrential CVE-2005-4252 (Cross-site scripting (XSS) vulnerability in mcGallery PRO 2.2 and earl ...) NOT-FOR-US: mcGallery PRO CVE-2005-4251 (Multiple SQL injection vulnerabilities in mcGallery PRO 2.2 and earlie ...) NOT-FOR-US: mcGallery PRO CVE-2005-4250 (Directory traversal vulnerability in mcGallery PRO 2.2 and earlier all ...) NOT-FOR-US: mcGallery PRO CVE-2005-4249 (ADP Forum 2.0 through 2.0.3 stores sensitive information in plaintext ...) NOT-FOR-US: ADP Forum CVE-2005-4248 (Multiple cross-site scripting (XSS) vulnerabilities in QuickPayPro 3.1 ...) NOT-FOR-US: QuickPayPro CVE-2005-4247 (Cross-site scripting (XSS) vulnerability in index.php in Plogger Beta ...) NOT-FOR-US: Plogger CVE-2005-4246 (SQL injection vulnerability in Plogger Beta 2 and earlier allows remot ...) NOT-FOR-US: Plogger CVE-2005-4245 (Cross-site scripting (XSS) vulnerability in search.php in Snipe Galler ...) NOT-FOR-US: Snipe Gallery CVE-2005-4244 (SQL injection vulnerability in Snipe Gallery 3.1.4 and earlier allows ...) NOT-FOR-US: Snipe Gallery CVE-2005-4243 (Multiple SQL injection vulnerabilities in QuickPayPro 3.1 allow remote ...) NOT-FOR-US: QuickPayPro CVE-2005-4241 (Cross-site scripting (XSS) vulnerability in the category page in VCD-d ...) NOT-FOR-US: VCD-db CVE-2005-4240 (SQL injection vulnerability in search.php in VCD-db 0.98 and earlier a ...) NOT-FOR-US: VCD-db CVE-2005-4239 (Cross-site scripting (XSS) vulnerability in Search/DisplayResults.php ...) NOT-FOR-US: PHP JackKnife CVE-2005-4238 (Cross-site scripting (XSS) vulnerability in view_filters_page.php in M ...) {DSA-944-1} - mantis 0.19.4-1 (bug #345288) CVE-2005-4237 (Cross-site scripting (XSS) vulnerability in MySQL Auction 3.0 and earl ...) NOT-FOR-US: MySQL Auction CVE-2005-4236 (Cross-site scripting (XSS) vulnerability in search.php in CKGOLD allow ...) NOT-FOR-US: CKGOLD CVE-2005-4235 (Cross-site scripting (XSS) vulnerability in knowledgebase.php in WHMCo ...) NOT-FOR-US: WHMCompleteSolution CVE-2005-4234 (SQL injection vulnerability in gallery.php in EncapsGallery 1.0.0 and ...) NOT-FOR-US: EncapsGallery CVE-2005-4233 (SQL injection vulnerability in advertiser_statistic.php in Ad Manager ...) NOT-FOR-US: Ad Manager Pro CVE-2005-4232 NOT-FOR-US: Jamit Job Board CVE-2005-4231 (Cross-site scripting (XSS) vulnerability in Link Up Gold 2.5 and earli ...) NOT-FOR-US: Link Up Gold CVE-2005-4230 (SQL injection vulnerability in poll.php in Link Up Gold 2.5 and earlie ...) NOT-FOR-US: Link Up Gold CVE-2005-4229 (Cross-site scripting (XSS) vulnerability in auction.pl in EveryAuction ...) NOT-FOR-US: EveryAuction CVE-2005-4228 (Multiple SQL injection vulnerabilities in PhpWebGallery 1.5.1 and earl ...) NOT-FOR-US: PhpWebGallery CVE-2005-4227 (Multiple "potential" SQL injection vulnerabilities in DCP-Portal 6.1.1 ...) NOT-FOR-US: DCP-Portal CVE-2005-4226 (Multiple "potential" SQL injection vulnerabilities in phpWebThings 1.4 ...) NOT-FOR-US: pgpWebThings CVE-2005-4225 (Multiple "potential" SQL injection vulnerabilities in myBloggie 2.1.3 ...) NOT-FOR-US: myBloggie CVE-2005-4224 (Multiple "potential" SQL injection vulnerabilities in e107 0.7 might a ...) NOT-FOR-US: e107 CVE-2005-4223 (Multiple "potential" SQL injection vulnerabilities in Utopia News Pro ...) NOT-FOR-US: Utopia News Pro CVE-2005-4222 (Multiple cross-site scripting (XSS) vulnerabilities in guestbook.cgi i ...) NOT-FOR-US: Lars Ellingsen Guestserver CVE-2005-4221 (SQL injection vulnerability in link.php in Arab Portal System 2 Beta 2 ...) NOT-FOR-US: Arab Portal System CVE-2005-4220 (Netgear RP114, and possibly other versions and devices, allows remote ...) NOT-FOR-US: Netgear hardware issue CVE-2005-4219 (setting.php in Innovative CMS (ICMS, formerly Imoel-CMS) contains user ...) NOT-FOR-US: Innovative CMS CVE-2005-4218 (SQL injection vulnerability in forum.php in PHPWebThings 1.4 allows re ...) NOT-FOR-US: PHPWebThings CVE-2005-4217 (Perl in Apple Mac OS X Server 10.3.9 does not properly drop privileges ...) - perl (MacOS specific vulnerability) CVE-2005-4216 (The Administration Service (FMSAdmin.exe) in Macromedia Flash Media Se ...) NOT-FOR-US: Macromedia Flash Media Server CVE-2005-4215 (Motorola SB5100E Cable Modem allows remote attackers to cause a denial ...) NOT-FOR-US: Motorola hardware CVE-2005-4214 (phpCOIN 1.2.2 allows remote attackers to obtain the installation path ...) NOT-FOR-US: phpCOIN CVE-2005-4213 (SQL injection vulnerability in mod.php in phpCOIN 1.2.2 allows remote ...) NOT-FOR-US: phpCOIN CVE-2005-4212 (Directory traversal vulnerability in coin_includes/db.php in phpCOIN 1 ...) NOT-FOR-US: phpCOIN CVE-2005-4211 (PHP remote file inclusion vulnerability in coin_includes/db.php in php ...) NOT-FOR-US: phpCOIN CVE-2005-4210 (Opera before 8.51, when running on Windows with Input Method Editor (I ...) NOT-FOR-US: Opera CVE-2005-4209 (WorldClient webmail in Alt-N MDaemon 8.1.3 allows remote attackers to ...) NOT-FOR-US: Alt-N MDaemon CVE-2005-4208 (Directory traversal vulnerability in Flatnuke 2.5.6 allows remote atta ...) NOT-FOR-US: Flatnuke CVE-2005-4207 (SQL injection vulnerability in BTGrup Admin WebController Script allow ...) NOT-FOR-US: BTGrup Admin WebController Script CVE-2005-4206 (Blackboard Learning and Community Portal System in Academic Suite 6.3. ...) NOT-FOR-US: Blackboard Learning and Community Port Systems CVE-2005-4205 (Cross-site scripting (XSS) vulnerability in searchdb.asp in LocazoList ...) NOT-FOR-US: LocazoList CVE-2005-4204 (Cross-site scripting (XSS) vulnerability in LogiSphere 0.9.9j allows r ...) NOT-FOR-US: LogiSphere CVE-2005-4203 (LogiSphere 0.9.9j does not restrict the number of messages that can be ...) NOT-FOR-US: LogiSphere CVE-2005-4202 (Multiple directory traversal vulnerabilities in LogiSphere 0.9.9j allo ...) NOT-FOR-US: LogiSphere CVE-2005-4201 (Directory traversal vulnerability in My Album Online 1.0 allows remote ...) NOT-FOR-US: My Album Online CVE-2005-4200 (Multiple unspecified vulnerabilities in MyBulletinBoard (MyBB) before ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2005-4199 (Multiple SQL injection vulnerabilities in MyBulletinBoard (MyBB) befor ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2005-4198 (SQL injection vulnerability in index.php in Netref 3.0 allows remote a ...) NOT-FOR-US: Netref CVE-2005-4197 (tunnelform.yaws in Nortel SSL VPN 4.2.1.6 allows remote attackers to e ...) NOT-FOR-US: Nortel SSL VPN CVE-2005-4196 (Multiple cross-site scripting (XSS) vulnerabilities in Scout Portal To ...) NOT-FOR-US: Scout Portal Toolkit CVE-2005-4195 (Multiple SQL injection vulnerabilities in Scout Portal Toolkit (SPT) 1 ...) NOT-FOR-US: Scout Portal Toolkit CVE-2005-4194 (Buffer overflow in MediaServerList.exe in Sights 'n Sounds Streaming M ...) NOT-FOR-US: Sights 'n Sounds Streaming Media Server CVE-2005-4193 (Cross-site scripting (XSS) vulnerability in UseBB before 0.7 allows re ...) NOT-FOR-US: UseBB CVE-2005-4242 (Multiple cross-site scripting (XSS) vulnerabilities in Horde Turba H3 ...) - turba2 2.0.5-1 (bug #342946; medium) CVE-2005-4192 (Multiple cross-site scripting (XSS) vulnerabilities in templates/notep ...) - mnemo2 2.0.3-1 (bug #342944; medium) CVE-2005-4191 (Multiple cross-site scripting (XSS) vulnerabilities in templates/taskl ...) - nag2 2.0.4-1 (bug #342945; medium) CVE-2005-4190 (Multiple cross-site scripting (XSS) vulnerabilities in Horde Applicati ...) {DSA-1033-1} - horde3 3.0.9-1 (bug #342942; bug #354512; medium) CVE-2005-4189 (Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith ...) {DSA-970-1} - kronolith2 2.0.6-1 (bug #342943; medium) - kronolith (bug #349261; medium) CVE-2005-4188 RESERVED CVE-2005-4187 RESERVED CVE-2005-4186 RESERVED CVE-2005-4185 RESERVED CVE-2005-4184 RESERVED CVE-2005-4183 RESERVED CVE-2005-4182 RESERVED CVE-2005-4181 RESERVED CVE-2005-4180 RESERVED CVE-2005-4179 RESERVED CVE-2005-4177 (Cross-site scripting (XSS) vulnerability in book.cfm in Magic Book Per ...) NOT-FOR-US: Magic Book Personal and Professional CVE-2005-4176 (AWARD Bios Modular 4.50pg does not clear the keyboard buffer after rea ...) NOT-FOR-US: AWARD BIOS CVE-2005-4175 (Insyde BIOS V190 does not clear the keyboard buffer after reading the ...) NOT-FOR-US: Insyde BIOS CVE-2005-4174 (eFiction 1.0, 1.1, and 2.0, in unspecified environments, might allow r ...) NOT-FOR-US: eFiction CVE-2005-4173 (eFiction 1.0, 1.1, and 2.0 allows remote attackers to obtain sensitive ...) NOT-FOR-US: eFiction CVE-2005-4172 (eFiction 1.0, 1.1, and 2.0 allows remote attackers to obtain sensitive ...) NOT-FOR-US: eFiction CVE-2005-4171 (The "Upload new image" command in the "Manage Images" eFiction 1.1, wh ...) NOT-FOR-US: eFiction CVE-2005-4170 (SQL injection vulnerability in eFiction 1.1 allows remote attackers to ...) NOT-FOR-US: eFiction CVE-2005-4169 (Multiple SQL injection vulnerabilities in eFiction 1.0 allow remote at ...) NOT-FOR-US: eFiction CVE-2005-4168 (Multiple SQL injection vulnerabilities in eFiction 1.0, 1.1, and 2.0 a ...) NOT-FOR-US: eFiction CVE-2005-4167 (Cross-site scripting (XSS) vulnerability in eFiction 1.0 and 1.1 allow ...) NOT-FOR-US: eFiction CVE-2005-4166 (Cross-site scripting (XSS) vulnerability in password.asp in DUWare DUp ...) NOT-FOR-US: DUportal CVE-2005-4165 (Multiple SQL injection vulnerabilities in ASP-DEV ASP Resources Forum ...) NOT-FOR-US: ASP-DEV ASP Resources Forum CVE-2005-4178 (Buffer overflow in Dropbear server before 0.47 allows authenticated us ...) {DSA-923-1} - dropbear 0.47-1 (high) CVE-2005-4164 (SQL injection vulnerability in view.php in PHP-addressbook 1.2 allows ...) NOT-FOR-US: PHP-addressbook CVE-2005-4163 (Directory traversal vulnerability in captcha.php in Captcha PHP 0.9 al ...) NOT-FOR-US: Captcha CVE-2005-4162 (Cross-site scripting (XSS) vulnerability in cal_make.pl in ACME PerlCa ...) NOT-FOR-US: ACME PerlCal CVE-2005-4161 NOT-FOR-US: MilliScripts CVE-2005-4160 (Directory traversal vulnerability in getdox.php in Torrential 1.2 allo ...) NOT-FOR-US: Torrential CVE-2005-4159 NOT-FOR-US: Simple Machines Forum CVE-2005-4158 (Sudo before 1.6.8 p12, when the Perl taint flag is off, does not clear ...) {DSA-946-2} - sudo 1.6.8p12-1 (bug #342948; medium) CVE-2005-4157 (Unspecified vulnerability in Kerio WinRoute Firewall before 6.1.3 allo ...) NOT-FOR-US: Kerio Firewall CVE-2005-4156 (Unspecified vulnerability in Mambo 4.5 (1.0.0) through 4.5 (1.0.9), wi ...) NOT-FOR-US: Mambo CVE-2005-4155 (registration.PHP in ATutor 1.5.1 pl2 allows remote attackers to execut ...) NOT-FOR-US: ATutor CVE-2005-4154 (Unspecified vulnerability in PEAR installer 1.4.2 and earlier allows u ...) - php5 5.1.1-1 NOTE: PHP 5 in Debian is vulnerable according to the changelog. CVE-2005-4153 (Mailman 2.1.4 through 2.1.6 allows remote attackers to cause a denial ...) {DSA-955-1} - mailman 2.1.5-10 CVE-2005-4152 (Soti Pocket Controller-Professional 5.0 allows remote attackers to tur ...) NOT-FOR-US: Soti Pocket Controller-Professional CVE-2005-4151 (The Wipe Free Space utility in PGP Desktop Home 8.0 and Desktop Profes ...) NOT-FOR-US: PGP Desktop Home CVE-2005-4150 (Cross-site scripting (XSS) vulnerability in the portal login page in C ...) NOT-FOR-US: CA Clever Path CVE-2005-4149 (Lyris ListManager 8.8 through 8.9b allows remote attackers to obtain s ...) NOT-FOR-US: Lyris ListManager CVE-2005-4148 (Lyris ListManager 8.5, and possibly other versions before 8.8, include ...) NOT-FOR-US: Lyris ListManager CVE-2005-4147 (The TCLHTTPd service in Lyris ListManager before 8.9b allows remote at ...) NOT-FOR-US: Lyris ListManager CVE-2005-4146 (Lyris ListManager before 8.9b allows remote attackers to obtain sensit ...) NOT-FOR-US: Lyris ListManager CVE-2005-4145 (The MSDE version of Lyris ListManager 5.0 through 8.9b configures the ...) NOT-FOR-US: Lyris ListManager CVE-2005-4144 (Lyris ListManager 5.0 through 8.9a allows remote attackers to add "ORD ...) NOT-FOR-US: Lyris ListManager CVE-2005-4143 (SQL injection vulnerability in Lyris ListManager 5.0 through 8.9a allo ...) NOT-FOR-US: Lyris ListManager CVE-2005-4142 (The web interface for subscribing new users in Lyris ListManager 5.0 t ...) NOT-FOR-US: Lyris ListManager CVE-2005-4141 (Multiple SQL injection vulnerabilities in ASPMForum allow remote attac ...) NOT-FOR-US: ASPMForum CVE-2005-4140 (SQL injection vulnerability in admin/login/index.php in Website Baker ...) NOT-FOR-US: Website Baker CVE-2005-4139 (Multiple SQL injection vulnerabilities in ThWboard before 3 Beta 2.84 ...) NOT-FOR-US: ThWboard CVE-2005-4138 (Multiple cross-site scripting (XSS) vulnerabilities in ThWboard before ...) NOT-FOR-US: ThWboard CVE-2005-4137 (SQL injection vulnerability in viewinvoice.php in DRZES HMS 3.2 allows ...) NOT-FOR-US: DRZES HMS CVE-2005-4136 (Cross-site scripting (XSS) vulnerability in login.php in DRZES HMS 3.2 ...) NOT-FOR-US: DRZES HMS CVE-2005-4135 (Direct static code injection vulnerability in includes/newtopic.php in ...) NOT-FOR-US: SimpleBBS CVE-2005-4134 (Mozilla Firefox 1.5, Netscape 8.0.4 and 7.2, and K-Meleon before 0.9.1 ...) {DSA-1051-1 DSA-1046-1 DSA-1044-1} - firefox 1.5.dfsg+1.5.0.2-2 (unimportant) - mozilla 2:1.7.13-0.1 (unimportant) [sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.8 (unimportant) NOTE: Not exploitable beyond a sluggish browser startup, see NOTE: http://web.archive.org/web/20141206010602/https://www.mozilla.org/security/history-title.html CVE-2005-4133 (Sun Update Connection in Sun Solaris 10, when configured to use a web ...) NOT-FOR-US: Solaris CVE-2005-4132 (Unspecified "security leak" vulnerability in Contenido before 4.6.4, w ...) NOT-FOR-US: Contenido CVE-2005-4131 (Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in ...) NOT-FOR-US: Excel CVE-2005-4130 NOT-FOR-US: Pre-Notification for RealMedia vulnerability, which never appeared CVE-2005-4129 REJECTED CVE-2005-4128 REJECTED CVE-2005-4127 REJECTED CVE-2005-4126 NOT-FOR-US: Pre-Notification for RealMedia vulnerability, which never appeared CVE-2005-4125 REJECTED CVE-2005-4124 REJECTED CVE-2005-4123 REJECTED CVE-2005-4122 REJECTED CVE-2005-4121 REJECTED CVE-2005-4120 REJECTED CVE-2005-4119 REJECTED CVE-2005-4118 REJECTED CVE-2005-4117 REJECTED CVE-2005-4116 REJECTED CVE-2005-4115 REJECTED CVE-2005-4114 REJECTED CVE-2005-4113 REJECTED CVE-2005-4112 REJECTED CVE-2005-4111 REJECTED CVE-2005-4110 REJECTED CVE-2005-4109 REJECTED CVE-2005-4108 REJECTED CVE-2005-4107 REJECTED CVE-2005-4106 REJECTED CVE-2005-4105 REJECTED CVE-2005-4104 REJECTED CVE-2005-4103 REJECTED CVE-2005-4102 REJECTED CVE-2005-4101 REJECTED CVE-2005-4100 REJECTED CVE-2005-4099 REJECTED CVE-2005-4098 REJECTED CVE-2005-4097 REJECTED CVE-2005-4096 REJECTED CVE-2004-2650 (Spooler in Apache Foundation James 2.2.0 allows local users to cause a ...) NOT-FOR-US: Apache James CVE-2005-4095 (Directory traversal vulnerability in connector.php in the fckeditor2rc ...) NOT-FOR-US: DoceboLMS CVE-2005-4094 (connector.php in the fckeditor2rc2 addon in DoceboLMS 2.0.4 allows rem ...) NOT-FOR-US: DoceboLMS CVE-2005-4093 (Check Point VPN-1 SecureClient NG with Application Intelligence R56, N ...) NOT-FOR-US: Check Point CVE-2005-4092 (Multiple heap-based buffer overflows in QuickTime.qts in Apple QuickTi ...) NOT-FOR-US: Apple QuickTime CVE-2005-4091 (Cross-site scripting (XSS) vulnerability in 1search.cgi in 1-Script 1- ...) NOT-FOR-US: 1-Script 1-Search CVE-2005-4090 (Unspecified vulnerability in HP-UX B.11.00 to B.11.23, when IPSEC is r ...) NOT-FOR-US: HP-UX CVE-2005-4089 (Microsoft Internet Explorer allows remote attackers to bypass cross-do ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2005-4088 (SQL injection vulnerability in index.php in phpForumPro 2.2 allows rem ...) NOT-FOR-US: phpForumPro CVE-2005-4087 (PHP remote file include vulnerability in acceptDecline.php in Sugar Su ...) - sugarcrm-ce-5.0 (bug #457876) CVE-2005-4086 (Directory traversal vulnerability in acceptDecline.php in Sugar Suite ...) - sugarcrm-ce-5.0 (bug #457876) CVE-2005-4085 (Buffer overflow in BlueCoat (a) WinProxy before 6.1a and (b) the web c ...) NOT-FOR-US: BlueCoat WinProxy CVE-2005-4084 (xs_edit.php in the phpBB eXtreme Styles module 2.2.1 and earlier allow ...) NOT-FOR-US: phpBB eXtreme Styles module CVE-2005-4083 (Directory traversal vulnerability in xs_edit.php in the eXtreme Styles ...) NOT-FOR-US: phpBB eXtreme Styles module CVE-2005-4082 (The dhcp.client program for QNX 4.25 vmware is setuid, possibly by def ...) NOT-FOR-US: QNX CVE-2005-4081 (Multiple SQL injection vulnerabilities in Alisveristr E-commerce allow ...) NOT-FOR-US: Alisveristr E-commerce CVE-2005-4080 (Horde IMP 4.0.4 and earlier does not sanitize strings containing UTF16 ...) - imp4 4.0.4-1 (bug #342654; unimportant) NOTE: Internet Explorer bug, most definitely fixed since long, didn't check though CVE-2005-4079 (The register_globals emulation in phpMyAdmin 2.7.0 rc1 allows remote a ...) - phpmyadmin (Affects only 2.7.0) NOTE: https://www.phpmyadmin.net/security/PMASA-2005-9/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/5f3b086ed22b8ca49472d27a014df3908b0388ac CVE-2005-4078 (Multiple cross-site scripting (XSS) vulnerabilities in Ideal BB.NET 1. ...) NOT-FOR-US: Ideal BB.NET CVE-2005-4076 (Buffer overflow in Appfluent Technology Database IDS 2.0 allows local ...) NOT-FOR-US: Appfluent Technology Database IDS 2.0 CVE-2005-4075 (Multiple cross-site scripting (XSS) vulnerabilities in index.cfm in CF ...) NOT-FOR-US: CF_Nuke CVE-2005-4074 (Directory traversal vulnerability in index.cfm in CF_Nuke 4.6 and earl ...) NOT-FOR-US: CF_Nuke CVE-2005-4073 (SQL injection vulnerability in view_archive.cfm in CFMagic Magic List ...) NOT-FOR-US: Magic List Pro CVE-2005-4072 (Cross-site scripting (XSS) vulnerability in CFMagic Magic Forum Person ...) NOT-FOR-US: Magic Personal Forum CVE-2005-4071 (Multiple SQL injection vulnerabilities in CFMagic Magic Forum Personal ...) NOT-FOR-US: Magic Personal Forum CVE-2005-4070 REJECTED CVE-2005-4069 (SunnComm MediaMax DRM 5.0.21.0, as used by Sony BMG, assigns insecure ...) NOT-FOR-US: Sony root kit CVE-2005-4068 (Unspecified "absolute path vulnerability" in umountall in IBM AIX 5.1 ...) NOT-FOR-US: AIX CVE-2005-4067 REJECTED CVE-2005-4066 (Total Commander 6.53 uses weak encryption to store FTP usernames and p ...) NOT-FOR-US: Total Commander CVE-2005-4065 (SQL injection vulnerability in the search module in Edgewall Trac befo ...) {DSA-951-2} - trac 0.9.2-1 (bug #342232; medium) [sarge] - trac 0.8.1-3sarge4 CVE-2005-4064 (Multiple SQL injection vulnerabilities in A-FAQ 1.0 allow remote attac ...) NOT-FOR-US: A-FAQ CVE-2005-4063 (Multiple cross-site scripting (XSS) vulnerabilities in NetAuctionHelp ...) NOT-FOR-US: NetAuctionHelp CVE-2005-4062 (Cross-site scripting (XSS) vulnerability in CPSearch.asp in XcClassifi ...) NOT-FOR-US: XcClassified CVE-2005-4061 (Cross-site scripting (XSS) vulnerability in PASearch.asp in XcPhotoAlb ...) NOT-FOR-US: XcPhotoAlbum CVE-2005-4060 (Cross-site scripting (XSS) vulnerability in search.asp in rwAuction Pr ...) NOT-FOR-US: rwAuction CVE-2005-4059 (SQL injection vulnerability in searchdb.asp in LocazoList 1.03c and ea ...) NOT-FOR-US: LocazoList CVE-2005-4058 (SQL injection vulnerability in saralblog 1 and earlier allows remote a ...) NOT-FOR-US: saralblog CVE-2005-4057 (Cross-site scripting (XSS) vulnerability in search.php in PluggedOut N ...) NOT-FOR-US: PluggedOut Nexus CVE-2005-4056 (SQL injection vulnerability in search.php in PluggedOut Nexus 0.1 allo ...) NOT-FOR-US: PluggedOut Nexus CVE-2005-4055 (SQL injection vulnerability in index.php in Cars Portal 1.1 and earlie ...) NOT-FOR-US: Cars Portal CVE-2005-4054 (SQL injection vulnerability in index.php in PluggedOut Blog 1.9.5 and ...) NOT-FOR-US: PluggedOut Bot CVE-2005-4053 (Cross-site scripting (XSS) vulnerability in coWiki 0.3.4 allows remote ...) NOT-FOR-US: coWiki CVE-2005-4052 (e107 0.6174 allows remote attackers to redirect users to other web sit ...) NOT-FOR-US: e107 CVE-2005-4051 (e107 0.6174 allows remote attackers to vote multiple times for a downl ...) NOT-FOR-US: e107 CVE-2005-4050 (Buffer overflow in multiple Multi-Tech Systems MultiVOIP devices with ...) NOT-FOR-US: MultiVOIP hardware CVE-2005-4049 (Multiple SQL injection vulnerabilities in Blog System 1.2 allow remote ...) NOT-FOR-US: Blog System CVE-2005-4048 (Heap-based buffer overflow in the avcodec_default_get_buffer function ...) {DSA-1005-1 DSA-1004-1 DSA-992-1} - ffmpeg 0.cvs20050918-5.1 (bug #342207; medium) - xmovie - xine-lib 1.0.1-1.5 (bug #342208; medium) - mplayer (Fixed before initial upload) - gst-ffmpeg 0.8.7-5 (bug #343503; medium) - vlc 0.8.4.debian-2 (medium) NOTE: kino, smilutils, motion and vlc link statically against libavcodec, need a recompile once ffmpeg is fixed NOTE: smilutils, motion, kino link statically against libavcodec, but don't use the vulnerable function CVE-2005-4047 (Cross-site scripting (XSS) vulnerability in kb.asp in IISWorks ASPKnow ...) NOT-FOR-US: IISWorks ASPKnowledgeBase CVE-2005-4046 (Unspecified vulnerability in Reverse SSL Proxy Plug-in for Sun Java Sy ...) NOT-FOR-US: Sun Java System Application Server CVE-2005-4045 (Unspecified vulnerability in System Communications Services 6 Delegate ...) NOT-FOR-US: Sun Java System Messaging Server CVE-2005-4044 (Cross-site scripting (XSS) vulnerability in search.cgi in Amazon Searc ...) NOT-FOR-US: Amazon Search Directory CVE-2005-4043 (SQL injection vulnerability in view.php in Hobosworld HobSR 1.0 and ea ...) NOT-FOR-US: Hobosworld HobSR CVE-2005-4042 (Cross-site scripting (XSS) vulnerability in Warm Links 1.0.0 and earli ...) NOT-FOR-US: Warm Links CVE-2005-4041 (Cross-site scripting (XSS) vulnerability in search.cgi in MR CGI Guy H ...) NOT-FOR-US: MR CGI Guy Hot Links SQL CVE-2005-4040 (SQL injection vulnerability in FileLister 0.51 and earlier allows remo ...) NOT-FOR-US: FileLister CVE-2005-4039 (Directory traversal vulnerability in arhiva.php in Web4Future Portal S ...) NOT-FOR-US: Web4Future Portal Solutions News Portal CVE-2005-4038 (SQL injection vulnerability in comentarii.php in Web4Future Portal Sol ...) NOT-FOR-US: Web4Future Portal Solutions News Portal CVE-2005-4037 (SQL injection vulnerability in functions.php in Web4Future Affiliate M ...) NOT-FOR-US: Web4Future Affiliate Manager CVE-2005-4036 (Cross-site scripting (XSS) vulnerability in index.cgi in Web4Future Ke ...) NOT-FOR-US: Web4Future Keyboard Frequency Counter CVE-2005-4035 (Multiple SQL injection vulnerabilities in Web4Future eCommerce Enterpr ...) NOT-FOR-US: Web4Future eCommerce Enterprise Edition CVE-2005-4034 (Multiple SQL injection vulnerabilities in Web4Future eDating Professio ...) NOT-FOR-US: Web4Future eDating Professional CVE-2005-4033 (Nodezilla 0.4.13-corno-fulgure does not properly protect the evl_data ...) NOT-FOR-US: Nodezilla CVE-2005-4032 (Cross-site scripting (XSS) vulnerability in search.cgi in Easy Search ...) NOT-FOR-US: Easy Search System CVE-2005-4031 (Eval injection vulnerability in MediaWiki 1.5.x before 1.5.3 allows re ...) - mediawiki (Only affects the 1.5 branch) CVE-2005-4030 (SQL injection vulnerability in Quicksilver Forums before 1.5.1 allows ...) NOT-FOR-US: Quicksilver Forums CVE-2005-4029 (WebEOC before 6.0.2 allows remote attackers to obtain valid usernames ...) NOT-FOR-US: WebEOC CVE-2005-4028 (Multiple cross-site scripting (XSS) vulnerabilities in aMember allow r ...) NOT-FOR-US: aMember CVE-2005-4027 (SQL injection vulnerability in SimpleBBS 1.1 allows remote attackers t ...) NOT-FOR-US: SimpleBBS CVE-2005-4026 (search.php in Geeklog 1.4.x before 1.4.0rc1, and 1.3.x before 1.3.11sr ...) NOT-FOR-US: Geeklog CVE-2005-4025 (Help Desk Reloaded Free Help Desk does not remove or protect install.p ...) NOT-FOR-US: Help Desk Reloaded Free Help Desk CVE-2005-4024 (Cross-site scripting (XSS) vulnerability in Interspire FastFind 2004 a ...) NOT-FOR-US: Interspire FastFind CVE-2005-4023 (Unspecified vulnerability in the zipcart module in Gallery 2.0 before ...) - gallery2 2.0.2-1 (medium) CVE-2005-4022 (Cross-site scripting (XSS) vulnerability in the "Add Image From Web" f ...) - gallery2 2.0.2-1 (medium) CVE-2005-4021 (The installer for Gallery 2.0 before 2.0.2 stores the install log unde ...) - gallery2 2.0.2-1 (low) CVE-2005-4020 (SQL injection vulnerability in create.php in Widget Imprint 1.0.26 and ...) NOT-FOR-US: Widget Imprint CVE-2005-4019 (SQL injection vulnerability in index.php in Relative Real Estate Syste ...) NOT-FOR-US: Relative Real Estate Systems CVE-2005-4018 (SQL injection vulnerability in ls.php in Landshop Real Estate Commerce ...) NOT-FOR-US: Landshop Real Estate Commerce System CVE-2005-4017 (property.php in Widget Property 1.1.19 allows remote attackers to obta ...) NOT-FOR-US: Widget Property CVE-2005-4016 (SQL injection vulnerability in Widget Property 1.1.19 allows remote at ...) NOT-FOR-US: Widget Property CVE-2005-4015 (PHP Web Statistik 1.4 does not rotate the log database or limit the si ...) NOT-FOR-US: PHP Web Statistik CVE-2005-4014 (stat.php in PHP Web Statistik 1.4 allows remote attackers to cause a d ...) NOT-FOR-US: PHP Web Statistik CVE-2005-4013 (PHP Web Statistik 1.4 stores the stat.cfg file under the web root with ...) NOT-FOR-US: PHP Web Statistik CVE-2005-4012 (Multiple cross-site scripting (XSS) vulnerabilities in PHP Web Statist ...) NOT-FOR-US: PHP Web Statistik CVE-2005-4011 (SQL injection vulnerability in calendar.php in Codewalkers ltwCalendar ...) NOT-FOR-US: Codewalkers ltwCalendar CVE-2005-4010 (SQL injection vulnerability in KBase Express 1.0.0 and earlier allows ...) NOT-FOR-US: Kbase Express CVE-2005-4009 (Multiple SQL injection vulnerabilities in PHP Lite Calendar Express 2. ...) NOT-FOR-US: PHP Lite Calender Express CVE-2005-4008 (SQL injection vulnerability in jax_calendar.php in Jax Calendar 1.34 a ...) NOT-FOR-US: Jax Calendar CVE-2005-4077 (Multiple off-by-one errors in the cURL library (libcurl) 7.11.2 throug ...) {DSA-919-2} - curl 7.15.1-1 (bug #342339; bug #342696; medium) CVE-2005-4007 (Multiple unspecified vulnerabilities in SAPID CMS before 1.2.3.03, rel ...) NOT-FOR-US: SAPID CMS CVE-2005-4006 (SAPID CMS before 1.2.3.03 allows remote attackers to bypass authentica ...) NOT-FOR-US: SAPID CMS CVE-2005-4005 (SQL injection vulnerability in messages.php in PHP-Fusion 6.00.109 all ...) NOT-FOR-US: PHP-Fusion CVE-2005-4004 (Cross-site scripting (XSS) vulnerability in search.asp in MyTemplateSi ...) NOT-FOR-US: MyTemplateSite CVE-2005-4003 (Multiple SQL injection vulnerabilities in Absolute Shopping Package So ...) NOT-FOR-US: Absolute Shopping Package Solutions (ASPS) Shopping Cart CVE-2005-4002 (WebEOC before 6.0.2 uses the same secret key for all installations, wh ...) NOT-FOR-US: WebEOC CVE-2005-4001 (Multiple SQL injection vulnerabilities in phpYellowTM Pro Edition and ...) NOT-FOR-US: phpYellowTM Pro Edition CVE-2005-4000 (Cross-site scripting (XSS) vulnerability in archive.asp in SiteBeater ...) NOT-FOR-US: SiteBeater News System CVE-2005-3999 (Cross-site scripting (XSS) vulnerability in Search.asp in SiteBeater M ...) NOT-FOR-US: SiteBeater MP3 Catalog CVE-2005-3998 (Cross-site scripting (XSS) vulnerability in search.asp in Solupress Ne ...) NOT-FOR-US: Solupress News CVE-2005-3997 (Zen Cart 1.2.6d and earlier, under certain PHP configurations, allows ...) NOT-FOR-US: Zen Cart CVE-2005-3996 (SQL injection vulnerability in admin/password_forgotten.php in Zen Car ...) NOT-FOR-US: Zen Cart CVE-2005-3995 (Format string vulnerability in the dosyslog function in the OBEX serve ...) NOT-FOR-US: Sobexsrv NOTE: Checked obexserver source package, not vulnerable CVE-2005-3994 REJECTED CVE-2005-3993 (Multiple unspecified vulnerabilities in MailEnable Professional 1.6 an ...) NOT-FOR-US: MailEnable CVE-2005-3992 (Multiple buffer overflows in WinEggDropShell remote access trojan (RAT ...) NOT-FOR-US: WinEggDropShell CVE-2005-3991 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyChat 0.14. ...) NOT-FOR-US: phpMyChat CVE-2005-3990 REJECTED CVE-2005-3989 (Memory leak in Avaya TN2602AP IP Media Resource 320 circuit pack befor ...) NOT-FOR-US: Avaya hardware CVE-2005-3988 (SQL injection vulnerability in article.php in Pineapple Technologies L ...) NOT-FOR-US: Pineapple Technologies Lore CVE-2005-3987 (Multiple SQL injection vulnerabilities in Tradesoft CMS allow remote a ...) NOT-FOR-US: Tradesoft CMS CVE-2005-3986 (Multiple SQL injection vulnerabilities in Instant Photo Gallery 1 and ...) NOT-FOR-US: Instant Photo Gallery CVE-2005-3985 (The Internet Key Exchange version 1 (IKEv1) implementation in Astaro S ...) NOT-FOR-US: Astaro Security Linux CVE-2005-3984 (SQL injection vulnerability in WebCalendar 1.0.1 allows remote attacke ...) {DSA-1002-1} - webcalendar 1.0.2-1 (bug #342090) CVE-2005-3983 (Unknown vulnerability in the login page for HP Systems Insight Manager ...) NOT-FOR-US: HP Systems Insight Manager CVE-2005-3982 (CRLF injection vulnerability in layers_toggle.php in WebCalendar 1.0.1 ...) {DSA-1002-1} - webcalendar 1.0.2-1 (bug #342090) CVE-2005-3981 NOT-FOR-US: Windows CVE-2005-3980 (SQL injection vulnerability in the ticket query module in Edgewall Tra ...) - trac 0.9.1-1 (bug #341697; medium) [sarge] - trac CVE-2005-3979 (relocate_server.php in Coppermine Photo Gallery (CPG) 1.4.2 and 1.4 be ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2005-3978 (Multiple SQL injection vulnerabilities in NetClassifieds Premium Editi ...) NOT-FOR-US: NetClassifieds Premium Edition CVE-2005-3977 (Cross-site scripting (XSS) vulnerability in QualityEBiz Quality PPC 15 ...) NOT-FOR-US: QualityEBiz Quality PPC CVE-2005-3976 (SQL injection vulnerability in type.asp, as used in multiple DUware pr ...) NOT-FOR-US: Multipke DuWare products CVE-2005-3975 (Interpretation conflict in file.inc in Drupal 4.5.0 through 4.5.5 and ...) {DSA-958-1} - drupal 4.5.6-1 (bug #348811; medium) CVE-2005-3974 (Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3, when running on PH ...) {DSA-958-1} - drupal 4.5.6-1 (low) CVE-2005-3973 (Multiple cross-site scripting (XSS) vulnerabilities in Drupal 4.5.0 th ...) {DSA-958-1} - drupal 4.5.6-1 (bug #348811; medium) CVE-2005-3972 (Cross-site scripting (XSS) vulnerability in extremesearch.php in Extre ...) NOT-FOR-US: Extreme Search Corporate Edition CVE-2005-3971 (Cross-site scripting (XSS) vulnerability in the login form in Citrix M ...) NOT-FOR-US: Citrix CVE-2005-3970 (Cross-site scripting (XSS) vulnerability in MXChange before 0.2.0-pre1 ...) NOT-FOR-US: MXChange CVE-2005-3969 (SQL injection vulnerability in MXChange before 0.2.0-pre10 PL492 allow ...) NOT-FOR-US: MXChange CVE-2005-3968 (SQL injection vulnerability in auth.inc.php in PHPX 3.5.9 and earlier ...) NOT-FOR-US: PHPX CVE-2005-3967 (Cross-site scripting (XSS) vulnerability in the dosearchsite.action mo ...) NOT-FOR-US: Atlassian Confluence CVE-2005-3966 (Cross-site scripting (XSS) vulnerability in search.jsp in Java Search ...) NOT-FOR-US: Java Search Engine CVE-2005-3965 REJECTED CVE-2005-3964 (Multiple buffer overflows in libUil (libUil.so) in OpenMotif 2.2.3, an ...) - openmotif 2.2.3-1.4 (bug #342092; medium) [sarge] - openmotif (Non-free) CVE-2005-3963 (SQL injection vulnerability in session.php in DotClear before 1.2.3 al ...) NOT-FOR-US: DotClear CVE-2004-2649 (Eudora 6.1.0.6 allows remote attackers to obfuscate URLs displayed in ...) NOT-FOR-US: Eudora CVE-2004-2648 (FreezeX 1.00.100.0666 allows local users with administrator privileges ...) NOT-FOR-US: FreezeX CVE-2004-2647 (Free Web Chat 2.0 allows remote attackers to cause a denial of service ...) NOT-FOR-US: Free Web Chat CVE-2004-2646 (The addUser function in UserManager.java in Free Web Chat 2.0 allows r ...) NOT-FOR-US: Free Web Chat CVE-2004-2645 (Unspecified vulnerability in ASN.1 Compiler (asn1c) before 0.9.7 has u ...) - asn1c (Fixed before upload into archive; 0.9.7) CVE-2004-2644 (Unspecified vulnerability in ASN.1 Compiler (asn1c) before 0.9.7 has u ...) - asn1c (Fixed before upload into archive; 0.9.7) CVE-2004-2643 (Directory traversal vulnerability in Microsoft cabarc allows remote at ...) NOT-FOR-US: Microsoft cabarc CVE-2004-2642 (Yeemp 0.9.9 and earlier does not properly encrypt inbound files, which ...) NOT-FOR-US: Yeemp CVE-2004-2641 (Unspecified vulnerability in Sun Fire 3800/4800/4810/6800, Sun Fire V1 ...) NOT-FOR-US: Sun appliances CVE-2004-2640 (Directory traversal vulnerability in lstat.cgi in LinuxStat before 2.3 ...) NOT-FOR-US: LinuxStat CVE-2004-2639 (Unspecified vulnerability in Journalness 3.0.7 and earlier allows remo ...) NOT-FOR-US: Journalness CVE-2004-2638 (The Admin Access With Levels plugin in osCommerce 1.5.1 allows remote ...) NOT-FOR-US: osCommerce CVE-2004-2637 (The NAT implementation in Zonet ZSR1104WE Wireless Router Runtime Code ...) NOT-FOR-US: Zyxel hardware CVE-2004-2636 (TinyWeb 1.9 allows remote attackers to read source code of scripts via ...) NOT-FOR-US: TinyWeb CVE-2004-2635 (An ActiveX control for McAfee Security Installer Control System 4.0.0. ...) NOT-FOR-US: McAfee CVE-2004-2634 (The (1) bos.rte.serv_aid or (2) bos.rte.console filesets in IBM AIX 5. ...) NOT-FOR-US: AIX CVE-2004-2633 (Unspecified vulnerability in Sesamie 1.0 allows remote anonymous attac ...) NOT-FOR-US: Sesamie CVE-2004-2632 (phpMyAdmin 2.5.1 up to 2.5.7 allows remote attackers to modify configu ...) - phpmyadmin 1:2.5.7-pl1-1 CVE-2004-2631 (Eval injection vulnerability in left.php in phpMyAdmin 2.5.1 up to 2.5 ...) - phpmyadmin 1:2.5.7-pl1-1 NOTE: https://www.phpmyadmin.net/security/PMASA-2004-1/ CVE-2004-2630 (The MIME transformation system (transformations/text_plain__external.i ...) - phpmyadmin 2:2.6.0-pl2-1 NOTE: https://www.phpmyadmin.net/security/PMASA-2004-2/ CVE-2004-2629 (Multiple vulnerabilities in the H.323 protocol implementation for Firs ...) NOT-FOR-US: Click to Meet express CVE-2004-2628 (Multiple directory traversal vulnerabilities in thttpd 2.07 beta 0.4, ...) - thttpd (Windows-specific vulnerabilities) CVE-2004-2627 (Java 2 Micro Edition (J2ME) does not properly validate bytecode, which ...) NOT-FOR-US: J2ME CVE-2004-2626 (GUI overlay vulnerability in the Java API in Siemens S55 cellular phon ...) NOT-FOR-US: Siemens cell phone CVE-2004-2625 (Cross-site scripting (XSS) vulnerability in Outblaze Email allows remo ...) NOT-FOR-US: Outblaze Email CVE-2004-2624 (Cross-site scripting (XSS) vulnerability in "TextSearch" in WackoWiki ...) NOT-FOR-US: WackoWiki CVE-2004-2623 (Unknown vulnerability in Rippy the Aggregator before 0.10, when regist ...) NOT-FOR-US: Rippy the Aggregator CVE-2004-2622 (AClient.exe in Altiris Deployment Solution 6.x and 5.x does not requir ...) NOT-FOR-US: Altiris Deployment Solution CVE-2004-2621 (Nortel Contivity VPN Client 2.1.7, 3.00, 3.01, 4.91, and 5.01, when op ...) NOT-FOR-US: Nortel Contivity VPN client CVE-2004-2620 (The MIMEH_read_headers function in ripMIME 1.3.1.0 does not properly h ...) NOT-FOR-US: ripMIME CVE-2004-2619 (ripMIME 1.3.2.3 and earlier allows remote attackers to bypass e-mail p ...) NOT-FOR-US: ripMIME CVE-2004-2618 (Cross-site scripting (XSS) vulnerability in Pegasi Web Server (PWS) 0. ...) NOT-FOR-US: Pegasi Web Server CVE-2004-2617 (Directory traversal vulnerability in Pegasi Web Server (PWS) 0.2.2 all ...) NOT-FOR-US: Pegasi Web Server CVE-2004-2616 (The file server in ActivePost Standard 3.1 and earlier allows remote a ...) NOT-FOR-US: ActivePost Standard CVE-2004-2615 (The documentation for CuteNews 1.3.6 and possibly other versions speci ...) NOT-FOR-US: Cutenews CVE-2004-2614 (Buffer overflow in MyWeb 3.3 allows remote attackers to cause a denial ...) NOT-FOR-US: MyWeb CVE-2004-2613 (Unspecified vulnerability in procfs in the Linux-VServer stable branch ...) - kernel-patch-ctx 1:1.28-1 (bug #262903; medium) CVE-2004-2612 (BNC 2.9.0 only grants access when an incorrect password is provided, w ...) NOT-FOR-US: BNC CVE-2004-2611 (The Change Permissions function in the Sophster suite before 0.9.6 28 ...) NOT-FOR-US: Sophster suite CVE-2004-2610 (mntd_mount.c in mntd before 0.4.2 might allow local users to gain priv ...) NOT-FOR-US: mntd CVE-2004-2609 (The stuffit.com executable on Symantec PowerQuest DeployCenter 5.5 boo ...) NOT-FOR-US: Symantec PowerQuest DeployCenter CVE-2004-2608 (SmartWebby Smart Guest Book stores SmartGuestBook.mdb (aka the "news d ...) NOT-FOR-US: SmartWebby Smart Guest Book CVE-2003-1288 (Multiple race conditions in Linux-VServer 1.22 with Linux kernel 2.4.2 ...) - kernel-patch-ctx 1:1.29-1 CVE-2004-2607 (A numeric casting discrepancy in sdla_xfer in Linux kernel 2.6.x up to ...) {DSA-1018-1} - linux-2.6 (Fixed before upload into archive; 2.6.6) CVE-2005-3962 (Integer overflow in the format string functionality (Perl_sv_vcatpvfn) ...) {DSA-943-1} - perl 5.8.7-9 (bug #341542; medium) CVE-2006-0034 (Heap-based buffer overflow in the CRpcIoManagerServer::BuildContext fu ...) NOT-FOR-US: Microsoft CVE-2006-0033 (Unspecified vulnerability in Microsoft Office 2003 SP1 and SP2, Office ...) NOT-FOR-US: Microsoft CVE-2006-0032 (Cross-site scripting (XSS) vulnerability in the Indexing Service in Mi ...) NOT-FOR-US: Microsoft CVE-2006-0031 (Stack-based buffer overflow in Microsoft Excel 2000, 2002, and 2003, i ...) NOT-FOR-US: Microsoft CVE-2006-0030 (Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in ...) NOT-FOR-US: Microsoft CVE-2006-0029 (Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in ...) NOT-FOR-US: Microsoft CVE-2006-0028 (Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in ...) NOT-FOR-US: Microsoft CVE-2006-0027 (Unspecified vulnerability in Microsoft Exchange allows remote attacker ...) NOT-FOR-US: Microsoft CVE-2006-0026 (Buffer overflow in Microsoft Internet Information Services (IIS) 5.0, ...) NOT-FOR-US: Microsoft CVE-2006-0025 (Stack-based buffer overflow in Microsoft Windows Media Player 9 and 10 ...) NOT-FOR-US: Microsoft Windows Media Player CVE-2006-0024 (Multiple unspecified vulnerabilities in Adobe Flash Player 8.0.22.0 an ...) - flashplugin-nonfree 7.0.61-4 (bug #357038; bug #357105) [sarge] - flashplugin-nonfree (Only affects proprietary Flash plugin) CVE-2006-0023 (Microsoft Windows XP SP1 and SP2 before August 2004, and possibly othe ...) NOT-FOR-US: Microsoft CVE-2006-0022 (Unspecified vulnerability in Microsoft PowerPoint in Microsoft Office ...) NOT-FOR-US: Microsoft PowerPoint CVE-2006-0021 (Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows re ...) NOT-FOR-US: Microsoft CVE-2006-0020 (An unspecified Microsoft WMF parsing application, as used in Internet ...) NOT-FOR-US: Microsoft CVE-2006-0018 REJECTED CVE-2005-3961 (export_handler.php in WebCalendar 1.0.1 allows remote attackers to ove ...) {DSA-1002-1} - webcalendar 1.0.2-1 (bug #341208; medium) CVE-2005-3960 (Kadu 0.4.2 and 0.5.0pre allows remote attackers to cause a denial of s ...) NOT-FOR-US: Kadu CVE-2005-3959 (Multiple cross-site scripting (XSS) vulnerabilities in FreeWebStat 1.0 ...) NOT-FOR-US: FreeWebStat CVE-2005-3958 (SQL injection vulnerability in index.php in Entergal MX 2.0 allows rem ...) NOT-FOR-US: Entergal MX CVE-2005-3957 (Unspecified vulnerability in the Trackback functionality in DotClear 1 ...) NOT-FOR-US: DotClear CVE-2005-3956 (Multiple SQL injection vulnerabilities in index.php in DMANews 0.904 a ...) NOT-FOR-US: DMANews CVE-2005-3955 (Multiple cross-site scripting (XSS) vulnerabilities in MagpieRSS 7.1, ...) NOT-FOR-US: MagpieRSS CVE-2005-3954 (Cross-site scripting (XSS) vulnerability in blogBuddies 0.3 allows rem ...) NOT-FOR-US: blogBuddies CVE-2005-3953 (SQL injection vulnerability in Bedeng PSP 1.1 allows remote attackers ...) NOT-FOR-US: Bedeng PSP CVE-2005-3952 (SQL injection vulnerability in PHP Labs Top Auction allows remote atta ...) NOT-FOR-US: PHP Labs Top Auction CVE-2005-3951 (SQL injection vulnerability in survey.php in PHP Labs Survey Wizard al ...) NOT-FOR-US: PHP Labs Survey Wizard CVE-2005-3950 (nuauth in NuFW 1.0.x before 1.0.16 and 1.1 allows authenticated users ...) - nufw 1.0.16-1 (bug #341544; medium) CVE-2005-3949 (Multiple SQL injection vulnerabilities in WebCalendar 1.0.1 allow remo ...) {DSA-1002-1} - webcalendar 1.0.2-1 (bug #341208; medium) CVE-2005-3948 (Directory traversal vulnerability in main.php in PHPAlbum 0.2.3 and ea ...) NOT-FOR-US: PHPAlbum CVE-2005-3947 (Directory traversal vulnerability in index.php in PHP Upload Center al ...) NOT-FOR-US: PHP Upload Center CVE-2005-3946 (Opera 8.50 allows remote attackers to cause a denial of service (crash ...) NOT-FOR-US: Opera CVE-2005-3945 (The SynAttackProtect protection in Microsoft Windows 2003 before SP1 a ...) NOT-FOR-US: Microsoft CVE-2005-3944 (SQL injection vulnerability in survey.php in ilyav Survey System 1.1 a ...) NOT-FOR-US: ilyav Survey System CVE-2005-3943 (Multiple SQL injection vulnerabilities in ilyav FAQ System 1.1 and ear ...) NOT-FOR-US: ilyav Survey System CVE-2005-3942 (SQL injection vulnerability in knowledgebase-control.php in Orca Knowl ...) NOT-FOR-US: Orca Knowledgebase CVE-2005-3941 (SQL injection vulnerability in blog.php in Orca Blog 1.3b and earlier ...) NOT-FOR-US: Orca Blog CVE-2005-3940 (SQL injection vulnerability in ringmaker.php in Orca Ringmaker 2.3c an ...) NOT-FOR-US: Orca Ringmaker CVE-2005-3939 (Multiple SQL injection vulnerabilities in WSN Knowledge Base 1.2.0 and ...) NOT-FOR-US: WSN Knowledge Base CVE-2005-3938 (SQL injection vulnerability in Softbiz FAQ Script 1.1 and earler allow ...) NOT-FOR-US: Softbiz FAQ CVE-2005-3937 (SQL injection vulnerability in Softbiz B2B Trading Marketplace Script ...) NOT-FOR-US: Softbiz B2B CVE-2005-3936 (PHP file include vulnerability in SocketKB 1.1.0 and earlier allows re ...) NOT-FOR-US: SocketKB CVE-2005-3935 (SQL injection vulnerability in SocketKB 1.1.0 and earlier allows remot ...) NOT-FOR-US: SocketKB CVE-2005-3934 (Buffer overflow in Symantec pcAnywhere 11.0.1, 11.5.1, and all other 3 ...) NOT-FOR-US: pcAnywhere CVE-2005-3933 (SQL injection vulnerability in index.php in 88Script's Event Calendar ...) NOT-FOR-US: 88Script's Event Calendar CVE-2005-3932 (SQL injection vulnerability in okiraku.php in O-Kiraku Nikki 1.3 and e ...) NOT-FOR-US: O-Kiraku Nikki CVE-2005-3931 (SQL injection vulnerability in default.asp in ASP-Rider 1.6 allows rem ...) NOT-FOR-US: ASP-Rider CVE-2005-3930 (SQL injection vulnerability in index.php in N-13 News 1.2 allows remot ...) NOT-FOR-US: N-13 News CVE-2005-3929 (Directory traversal vulnerability in the create function in xarMLSXML2 ...) NOT-FOR-US: Xaraya NOTE: xarMLSXML2PHPBackend.php, 'nuff said CVE-2005-3928 (Buffer overflow in phgrafx in QNX 6.2.1 and 6.3.0 allows local users t ...) NOT-FOR-US: QNX CVE-2005-3927 (Multiple directory traversal vulnerabilities in GuppY 4.5.9 and earlie ...) NOT-FOR-US: GuppY CVE-2005-3926 (Direct static code injection vulnerability in error.php in GuppY 4.5.9 ...) NOT-FOR-US: GuppY CVE-2005-3925 (Multiple SQL injection vulnerabilities in Central Manchester CLC Helpd ...) NOT-FOR-US: Central Manchester CLC Helpdesk Issue Manager CVE-2005-3924 (SQL injection vulnerability in themes/kategorie/index.php in Randshop ...) NOT-FOR-US: Randshop CVE-2005-3923 (NetObjects Fusion 9 (NOF9) allows remote attackers to obtain sensitive ...) NOT-FOR-US: NetObjects Fusion CVE-2005-3922 (Heap-based buffer overflow in pskcmp.dll in Panda Software Antivirus l ...) NOT-FOR-US: Panda Antivirus CVE-2005-3921 (Cross-site scripting (XSS) vulnerability in Cisco IOS Web Server for I ...) NOT-FOR-US: IOS CVE-2005-3920 (SQL injection vulnerability in Babe Logger 2 allows remote attackers t ...) NOT-FOR-US: Babe Logger CVE-2005-3919 (Cross-site scripting (XSS) vulnerability in PBLang 4.65 allows remote ...) NOT-FOR-US: PBLang CVE-2005-3918 NOT-FOR-US: OvBB CVE-2005-3917 (SQL injection vulnerability in usersession in CommodityRentals 2.0 Onl ...) NOT-FOR-US: CommidityRentals CVE-2005-3916 (SQL injection vulnerability in memberlist.php in WSN Forum 1.21 allows ...) NOT-FOR-US: WSN Forum CVE-2005-3915 (The Internet Key Exchange version 1 (IKEv1) implementation in Claviste ...) NOT-FOR-US: Clavister Web Client CVE-2005-3914 (Multiple SQL injection vulnerabilities in AFFcommerce 1.1.4 allow remo ...) NOT-FOR-US: AFFcommerce CVE-2005-3913 (Unspecified vulnerability in the domain alias management in Virtual Ho ...) NOT-FOR-US: Virtual Hosting Control System CVE-2005-3912 (Format string vulnerability in miniserv.pl Perl web server in Webmin b ...) {DSA-1199-1} - webmin (Fixed through corrected Perl) NOTE: No longer exploitable with Perl 5.8.7-9, thus no dedicated Webmin updated CVE-2005-3911 (Multiple SQL injection vulnerabilities in calendar.php in BosDates 4.0 ...) NOT-FOR-US: BosDates CVE-2005-3910 (merchants/index.php in Post Affiliate Pro 2.0.4 and earlier, with magi ...) NOT-FOR-US: Post Affiliate Pro CVE-2005-3909 (SQL injection vulnerability in merchants/index.php in Post Affiliate P ...) NOT-FOR-US: Post Affiliate Pro CVE-2005-3908 (Cross-site scripting (XSS) vulnerability in search.php in GhostScripte ...) NOT-FOR-US: GhostScripter Amazon Shop CVE-2005-3907 (Unspecified vulnerability in Java Runtime Environment in Java JDK and ...) NOT-FOR-US: Sun Java CVE-2005-3906 (Multiple unspecified vulnerabilities in reflection APIs in Java SDK an ...) NOT-FOR-US: Sun Java CVE-2005-3905 (Unspecified vulnerability in reflection APIs in Java SDK and JRE 1.3.1 ...) NOT-FOR-US: Sun Java CVE-2005-3904 (Unspecified vulnerability in Java Management Extensions (JMX) in Java ...) NOT-FOR-US: Sun Java CVE-2005-3903 (Buffer overflow in uidadmin in SCO Unixware 7.1.3 and 7.1.4 allows loc ...) NOT-FOR-US: SCO Unixware CVE-2005-3902 (Cross-site scripting (XSS) vulnerability in gui/errordocs/index.php in ...) NOT-FOR-US: Virtual Hosting Control System CVE-2005-3901 (Macromedia Flash Communication Server MX 1.0 and 1.5 does not sufficie ...) NOT-FOR-US: Flash MX CVE-2005-3900 (Macromedia Breeze Communication Server and Breeze Live Server does 5.1 ...) NOT-FOR-US: Macromedia Breeze CVE-2005-3899 (The automatic update feature in Google Talk allows remote attackers to ...) NOT-FOR-US: Google Talk CVE-2005-3898 REJECTED CVE-2005-3897 (Apple Safari 2.0.2 allows remote attackers to cause a denial of servic ...) NOT-FOR-US: Safari NOTE: Not reproducible with konqueror 4:3.4.2-4. CVE-2005-3896 (Mozilla allows remote attackers to cause a denial of service (CPU cons ...) NOTE: maintainers don't believe it is a security bug and can't reproduce after 1.5.dfsg-1 - firefox 1.5.dfsg-1 (bug #340283; bug #345469; unimportant) - mozilla-firefox 1.4.99+1.5rc3.dfsg-2 (bug #340283; bug #345469; unimportant) - mozilla (bug #340282; unimportant) CVE-2005-3895 (Open Ticket Request System (OTRS) 1.0.0 through 1.3.2 and 2.0.0 throug ...) {DSA-973-1} - otrs 2.0.4p01-1 (bug #340352; medium) CVE-2005-3894 (Multiple cross-site scripting (XSS) vulnerabilities in index.pl in Ope ...) {DSA-973-1} - otrs 2.0.4p01-1 (bug #340352; medium) CVE-2005-3893 (Multiple SQL injection vulnerabilities in index.pl in Open Ticket Requ ...) {DSA-973-1} - otrs 2.0.4p01-1 (bug #340352; medium) CVE-2005-3892 (Gadu-Gadu 7.20 allows remote attackers to eavesdrop on a user via a we ...) NOT-FOR-US: Gadu-Gadu CVE-2005-3891 (Stack-based buffer overflow in Gadu-Gadu 7.20 allows remote attackers ...) NOT-FOR-US: Gadu-Gadu CVE-2005-3890 (Gadu-Gadu 7.20 allows remote attackers to cause a denial of service (c ...) NOT-FOR-US: Gadu-Gadu CVE-2005-3889 (Gadu-Gadu 7.20 allows remote attackers to cause a denial of service vi ...) NOT-FOR-US: Gadu-Gadu CVE-2005-3888 (Memory leak in Gadu-Gadu 7.20 allows remote attackers to cause a denia ...) NOT-FOR-US: Gadu-Gadu CVE-2005-3887 (Gadu-Gadu 7.20 does not properly handle MS-DOS device names in filenam ...) NOT-FOR-US: Gadu-Gadu CVE-2005-3886 (Unspecified vulnerability in Cisco Security Agent (CSA) 4.5.0 and 4.5. ...) NOT-FOR-US: Cisco CVE-2005-3885 (The ps2epsi extension shell script (ps2epsi.sh) in Inkscape before 0.4 ...) {DSA-916-1} - inkscape 0.42-1 (bug #321501; low) CVE-2005-3884 (Multiple SQL injection vulnerabilities in the search action in Zainu 2 ...) NOT-FOR-US: Zaimu CVE-2005-3883 (CRLF injection vulnerability in the mb_send_mail function in PHP befor ...) - php4 4:4.4.2-1 (bug #341726; medium) - php5 5.1.1-1 (bug #341368; medium) [sarge] - php4 (application's job to sanitize input) CVE-2005-3882 (SQL injection vulnerability in answer.php in FAQSystems FAQRing Knowle ...) NOT-FOR-US: FAQRing Knowledge Base CVE-2005-3881 (SQL injection vulnerability in search.php in AtlantisFAQ Knowledge Bas ...) NOT-FOR-US: AtlantisFAQ Knowledge Base CVE-2005-3880 (Multiple SQL injection vulnerabilities in Omnistar KBase 4.0 and earli ...) NOT-FOR-US: Omnistar KBase CVE-2005-3879 (Multiple SQL injection vulnerabilities in Softbiz Resource Repository ...) NOT-FOR-US: Softbiz Resource Repository Script CVE-2005-3878 (Directory traversal vulnerability in index.php in PHP Doc System 1.5.1 ...) NOT-FOR-US: PHP Doc System CVE-2005-3877 (Multiple SQL injection vulnerabilities in Simple Document Management S ...) NOT-FOR-US: Simple Document Management System CVE-2005-3876 (Multiple SQL injection vulnerabilities in adcbrowres.php in AD Center ...) NOT-FOR-US: AD Center ADC2000 NG Pro CVE-2005-3875 (Multiple SQL injection vulnerabilities in Enterprise Connector 1.0.2 a ...) NOT-FOR-US: Enterprise Connector CVE-2005-3874 (SQL injection vulnerability in netzbr.php in Netzbrett 1.5.1 and earli ...) NOT-FOR-US: Netzbrett CVE-2005-3873 (SQL injection vulnerability in topic.php in ShockBoard 3.0 and 4.0 all ...) NOT-FOR-US: ShockBoard CVE-2005-3872 (Multiple SQL injection vulnerabilities in Ugroup 2.6.2 and earlier all ...) NOT-FOR-US: Ugroup CVE-2005-3871 (Multiple SQL injection vulnerabilities in Joels Bulletin board (JBB) 0 ...) NOT-FOR-US: JBB CVE-2005-3870 (Multiple SQL injection vulnerabilities in edmobbs9r.php in edmoBBS 0.9 ...) NOT-FOR-US: edmoBBS CVE-2005-3869 (Cross-site scripting (XSS) vulnerability in index.php in Google API Se ...) NOT-FOR-US: Google API CVE-2005-3868 (Multiple SQL injection vulnerabilities in K-Search 1.0 and earlier all ...) NOT-FOR-US: K-Search CVE-2005-3867 (Cross-site scripting (XSS) vulnerability in RevenuePilot Search Engine ...) NOT-FOR-US: RevenuePilot Search Engine CVE-2005-3866 (Cross-site scripting (XSS) vulnerability in SearchFeed Search Engine 1 ...) NOT-FOR-US: SearchFeed Search Engine CVE-2005-3865 (SQL injection vulnerability in index.php in AllWeb search 3.0 and earl ...) NOT-FOR-US: AllWeb search CVE-2005-3864 (SQL injection vulnerability in index.php in SourceWell 1.1.2 and earli ...) NOT-FOR-US: SourceWell CVE-2005-3863 (Stack-based buffer overflow in kkstrtext.h in ktools library 0.3 and e ...) {DSA-1088-1 DSA-1083-1 DTSA-23-1} - centericq 4.21.0-6 (bug #340959; medium) - orpheus 1.5-5 (bug #368402; medium) - motor 2:3.4.0-6 (bug #368400; medium) NOTE: DTSA is for centericq only NOTE: This affects Sarge and Woody centericq NOTE: This affects Sarge and Woody motor CVE-2005-3862 (Buffer overflow in unalz before 0.53 allows remote attackers to execut ...) {DSA-959-1} - unalz 0.55-1 (bug #340842; medium) CVE-2005-3861 (PHP remote file inclusion vulnerability in content.php in phpGreetz 0. ...) NOT-FOR-US: phpGreetz CVE-2005-3860 (PHP remote file inclusion vulnerability in athena.php in Oliver May At ...) NOT-FOR-US: Oliver May Athena PHP Website Administration CVE-2005-3859 (PHP remote file inclusion vulnerability in q-news.php in Q-News 2.0 al ...) NOT-FOR-US: Q-News CVE-2005-3858 (Memory leak in the ip6_input_finish function in ip6_input.c in Linux k ...) {DSA-1018-1 DSA-1017-1} - linux-2.6 2.6.12-6 CVE-2005-3856 (The Popular URL capability (popularurls.cpp) in Krusader 1.60.0 and 1. ...) - krusader 1.70.0-1 (bug #336169; low) [sarge] - krusader NOTE: This seems to be a dupe of CVE-2006-3816, pinged MITRE CVE-2005-3855 (SQL injection vulnerability in process.php in 1-2-3 music store allows ...) NOT-FOR-US: 1-2-3 music store CVE-2005-3854 (Cross-site scripting (XSS) vulnerability in index.php in EasyPageCMS a ...) NOT-FOR-US: EasyPageCMS CVE-2005-3853 (SQL injection vulnerability in snews.php in sNews 1.3 and earlier allo ...) NOT-FOR-US: sNews CVE-2005-3852 (SQL injection vulnerability in search.asp in Online Work Order Suite ( ...) NOT-FOR-US: Online Work Order Suite CVE-2005-3851 (Cross-site scripting (XSS) vulnerability in search.asp in Online Atten ...) NOT-FOR-US: Online Attendance System CVE-2005-3850 (Cross-site scripting (XSS) vulnerability in search.asp in Online Knowl ...) NOT-FOR-US: Online Knowledge Base System CVE-2005-3846 (SQL injection vulnerability in news.php in Fantastic News 2.1.1 and ea ...) NOT-FOR-US: Fantastic News CVE-2005-3845 (SQL injection vulnerability in invoices.php in EZ Invoice Inc 2.0 allo ...) NOT-FOR-US: EZ Invoice Inc CVE-2005-3844 (SQL injection vulnerability in phpWordPress PHP News and Article Manag ...) NOT-FOR-US: phpWordpress, this is not the same as Wordpress CVE-2005-3843 (SQL injection vulnerability in faq.php in Nicecoder iDesk 1.0 allows r ...) NOT-FOR-US: Nicecode iDesk CVE-2005-3842 (SQL injection vulnerability in index.php in pdjk-support suite 1.1a an ...) NOT-FOR-US: pdjk-support suite CVE-2005-3841 (Cross-site scripting (XSS) vulnerability in kPlaylist 1.6 (build 400), ...) NOT-FOR-US: kPlaylist CVE-2005-3840 (SQL injection vulnerability in kb.php in Omnistar Live 5.2 and earlier ...) NOT-FOR-US: Omnistar Live CVE-2005-3839 (Cross-site scripting (XSS) vulnerability in SupportPRO Supportdesk all ...) NOT-FOR-US: SupportPRO Supportdesk CVE-2005-3838 (Multiple SQL injection vulnerabilities in search.php in IsolSoft Suppo ...) NOT-FOR-US: IsolSoft Support Center CVE-2005-3837 (Cross-site scripting (XSS) vulnerability in the search module in sCssB ...) NOT-FOR-US: sCssBoard CVE-2005-3836 (SQL injection vulnerability in DeskLance 2.3 and earlier allows remote ...) NOT-FOR-US: DeskLance CVE-2005-3835 (PHP remote file inclusion vulnerability in support/index.php in DeskLa ...) NOT-FOR-US: DeskLance CVE-2005-3834 (Cross-site scripting (XSS) vulnerability in search.php in Tunez 1.21 a ...) NOT-FOR-US: Tunez CVE-2005-3833 (SQL injection vulnerability in songinfo.php in Tunez 1.21 and earlier ...) NOT-FOR-US: Tunez CVE-2005-3832 (Stack-based buffer overflow in (1) CxUux60.dll and (2) CxUux60u.dll, a ...) NOT-FOR-US: SpeedProject products CVE-2005-3831 (Stack-based buffer overflow in (1) CxZIP60.dll and (2) CxZIP60u.dll, a ...) NOT-FOR-US: SpeedProject products CVE-2005-3830 (index.php in ActiveCampaign SupportTrio 1.4 and earlier allows remote ...) NOT-FOR-US: ActiveCampaign SupportTrio CVE-2005-3829 (index.php in ActiveCampaign KnowledgeBuilder 2.4 and earlier allows re ...) NOT-FOR-US: ActiveCampaign SupportTrio CVE-2005-3828 (SQL injection vulnerability in index.php in ActiveCampaign KnowledgeBu ...) NOT-FOR-US: ActiveCampaign SupportTrio CVE-2005-3827 (SQL injection vulnerability in product_cat in AgileBill 1.4.92 and ear ...) NOT-FOR-US: AgileBill CVE-2005-3826 (Multiple SQL injection vulnerabilities in Ezyhelpdesk 1.0 allow remote ...) NOT-FOR-US: Ezyhelpdesk CVE-2005-3825 (SQL injection vulnerability in index.php in Comdev Vote Caster 3.1 and ...) NOT-FOR-US: Comdev Vote Caster CVE-2005-3824 (The uploads module in vTiger CRM 4.2 and earlier allows remote attacke ...) NOT-FOR-US: vTiger CRM CVE-2005-3823 (The Users module in vTiger CRM 4.2 and earlier allows remote attackers ...) NOT-FOR-US: vTiger CRM CVE-2005-3822 (Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier a ...) NOT-FOR-US: vTiger CRM CVE-2005-3821 (Cross-site scripting (XSS) vulnerability in vTiger CRM 4.2 and earlier ...) NOT-FOR-US: vTiger CRM CVE-2005-3820 (Multiple directory traversal vulnerabilities in index.php in vTiger CR ...) NOT-FOR-US: vTiger CRM CVE-2005-3819 (Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier a ...) NOT-FOR-US: vTiger CRM CVE-2005-3818 (Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 4.2 ...) NOT-FOR-US: vTiger CRM CVE-2005-3817 (Multiple SQL injection vulnerabilities in Softbiz Web Host Directory S ...) NOT-FOR-US: Softbiz Web Host Directory CVE-2005-3816 (Multiple SQL injection vulnerabilities in forum.php in freeForum 1.1 a ...) NOT-FOR-US: freeForum CVE-2005-3815 (SQL injection vulnerability in forum.php in Orca Forum 4.3b and earlie ...) NOT-FOR-US: Orca Forum CVE-2005-3814 (Multiple cross-site scripting (XSS) vulnerabilities in SmartPPC Pro al ...) NOT-FOR-US: SmartPPC Pro CVE-2005-3813 (IMAP service (meimaps.exe) of MailEnable Professional 1.7 and Enterpri ...) NOT-FOR-US: MailEnable CVE-2005-3812 (freeFTPd 1.0.10 allows remote authenticated users to cause a denial of ...) NOT-FOR-US: freeFTPd CVE-2005-3811 (Directory traversal vulnerability in admin/main.php in AMAX Magic Winm ...) NOT-FOR-US: AMAX Magic Winmail Server CVE-2005-3806 (The IPv6 flow label handling code (ip6_flowlabel.c) in Linux kernels 2 ...) {DSA-1018-1 DSA-1017-1} - linux-2.6 2.6.14-1 (medium) CVE-2005-3805 (A locking problem in POSIX timer cleanup handling on exit in Linux ker ...) - linux-2.6 2.6.14-1 (medium) CVE-2005-3804 (Cisco IP Phone (VoIP) 7920 1.0(8) listens to UDP port 17185 to support ...) NOT-FOR-US: Cisco CVE-2005-3803 (Cisco IP Phone (VoIP) 7920 1.0(8) contains certain hard-coded ("fixed" ...) NOT-FOR-US: Cisco CVE-2005-3802 (Belkin F5D7232-4 and F5D7230-4 wireless routers with firmware 4.03.03 ...) NOT-FOR-US: Belkin hardware CVE-2005-3801 (CounterPane PasswordSafe 1.x and 2.x allows local users to test possib ...) NOT-FOR-US: PasswordSafe CVE-2005-3800 (Macromedia Contribute Publishing Server (CPS) before 1.11 uses a weak ...) NOT-FOR-US: Macromedia Contribute Publishing Server CVE-2005-3799 (phpBB 2.0.18 allows remote attackers to obtain sensitive information v ...) - phpbb2 (unimportant) NOTE: Not a real security problem, error messages might disclose the installation NOTE: which is known for the Debian package anyway CVE-2005-3798 (SQL injection vulnerability in admin/index.php in AlstraSoft Template ...) NOT-FOR-US: AlstraSoft Template Seller CVE-2005-3797 (PHP remote file inclusion vulnerability in payment_paypal.php in Alstr ...) NOT-FOR-US: AlstraSoft Template Seller CVE-2005-3796 (Direct static code injection vulnerability in admin_options_manage.php ...) NOT-FOR-US: AlstraSoft Affiliate Network CVE-2005-3795 (Multiple cross-site scripting (XSS) vulnerabilities in AlstraSoft Affi ...) NOT-FOR-US: AlstraSoft Affiliate Network CVE-2005-3794 (AlstraSoft Affiliate Network Pro 7.2 allows remote attackers to obtain ...) NOT-FOR-US: AlstraSoft Affiliate Network CVE-2005-3793 (Multiple SQL injection vulnerabilities in AlstraSoft Affiliate Network ...) NOT-FOR-US: AlstraSoft Affiliate Network CVE-2005-3792 (Multiple SQL injection vulnerabilities in the Search module in PHP-Nuk ...) NOT-FOR-US: PHP-Nuke CVE-2005-3791 (HTTP response splitting vulnerability in phpAdsNew and phpPgAds 2.0.6 ...) NOT-FOR-US: phpAdsNew and phpPgAds CVE-2005-3790 (Multiple cross-site scripting (XSS) vulnerabilities in act_newsletter. ...) NOT-FOR-US: phpwcms CVE-2005-3789 (Multiple directory traversal vulnerabilities in phpwcms 1.2.5 allow re ...) NOT-FOR-US: phpwcms CVE-2005-3788 (Race condition in Cisco Adaptive Security Appliance (ASA) 7.0(0), 7.0( ...) NOT-FOR-US: Cisco CVE-2005-3787 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin befo ...) {DSA-880-1} - phpmyadmin 4:2.6.4-pl4-1 (bug #360726) NOTE: https://www.phpmyadmin.net/security/PMASA-2005-7/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/0191fc3c33feb809cf668f018ad53dc35061fe4c NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/2e5c10aa2fc10fb1004aac7db78ebdaac21b9220 NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/053d90b6019959c3a503d6b12b9cd23dc31df2be CVE-2005-3786 (Novell ZENworks for Desktops 4.0.1, ZENworks for Servers 3.0.2, and ZE ...) NOT-FOR-US: Novell ZENworks CVE-2005-3785 (Second-order symlink vulnerability in eix-sync.in in Ebuild IndeX (eix ...) NOT-FOR-US: Ebuild IndeX CVE-2005-3784 (The auto-reap of child processes in Linux kernel 2.6 before 2.6.15 inc ...) {DSA-1017-1} - linux-2.6 2.6.15-1 (medium) - kernel-source-2.4.27 CVE-2005-3783 (The ptrace functionality (ptrace.c) in Linux kernel 2.6 before 2.6.14. ...) {DSA-1018-1 DSA-1017-1} - linux-2.6 2.6.14-3 (medium) CVE-2005-3782 (Mac OS X 10.4.3 up to 10.4.6, when loginwindow uses the "Name and pass ...) NOT-FOR-US: Apple CVE-2004-2606 (The Web interface in Linksys WRT54G 2.02.7 and BEFSR41 version 3, with ...) NOT-FOR-US: Linksys hardware CVE-2004-2605 (aStats 1.6.5 allows local users to overwrite arbitrary files via a sym ...) - astats (bug #287604) CVE-2004-2604 (Cross-site scripting (XSS) vulnerability in index.php in PHProxy allow ...) NOT-FOR-US: PHProxy CVE-2004-2603 (Cross-site scripting (XSS) vulnerability in the Search module in UberT ...) NOT-FOR-US: UberTec Help Center Live CVE-2004-2602 (PHP remote file inclusion vulnerability in UberTec Help Center Live (H ...) NOT-FOR-US: UberTec Help Center Live CVE-2004-2601 (PHP remote file inclusion vulnerability in UberTec Help Center Live (H ...) NOT-FOR-US: UberTec Help Center Live CVE-2004-2600 (The firmware for Intelligent Platform Management Interface (IPMI) 1.5- ...) NOT-FOR-US: Intel hardware CVE-2004-2599 (Multiple buffer overflows in Quake II server before R1Q2, as used in m ...) - quake2 (bug #280573; low) [sarge] - quake2 (Documented to be insecure, contrib) NOTE: There is a big note in the quake2 package stating that it is not secure. NOTE: Otherwise severity would be high. CVE-2004-2598 (Quake II server before R1Q2, as used in multiple products, allows remo ...) - quake2 (bug #280573; low) [sarge] - quake2 (Documented to be insecure, contrib) CVE-2004-2597 (Quake II server before R1Q2, as used in multiple products, allows remo ...) - quake2 (bug #280573; low) [sarge] - quake2 (Documented to be insecure, contrib) CVE-2004-2596 (Quake II server before R1Q2, as used in multiple products, allows remo ...) - quake2 (bug #280573; low) [sarge] - quake2 (Documented to be insecure, contrib) CVE-2004-2595 (Absolute path traversal vulnerability in Quake II server before R1Q2 o ...) - quake2 (bug #280573; low) [sarge] - quake2 (Documented to be insecure, contrib) CVE-2004-2594 (Absolute path traversal vulnerability in Quake II server before R1Q2 o ...) - quake2 (bug #280573; low) [sarge] - quake2 (Documented to be insecure, contrib) CVE-2004-2593 (Buffer overflow in command-packet processing of Quake II server before ...) - quake2 (bug #280573; low) [sarge] - quake2 (Documented to be insecure, contrib) CVE-2004-2592 (Quake II server before R1Q2, as used in multiple products, allows remo ...) - quake2 (bug #280573; low) [sarge] - quake2 (Documented to be insecure, contrib) CVE-2004-2591 (The data-overwrite capability of ButtUglySoftware CleanCache 2.19 does ...) NOT-FOR-US: ButtUglySoftware CleanCache CVE-2004-2590 (Unspecified vulnerability in meindlSOFT Cute PHP Library (aka cphplib) ...) NOT-FOR-US: meindlSOFT Cute PHP Library CVE-2004-2589 (Gaim before 0.82 allows remote servers to cause a denial of service (a ...) - gaim 0.82-1 (medium) CVE-2004-2588 (Intentional information leak in phpinfo.php in XMB (aka extreme messag ...) NOT-FOR-US: XMB CVE-2004-2587 (login.aspx in SmarterTools SmarterMail 1.6.1511 and 1.6.1529 allows re ...) NOT-FOR-US: SmarterTools SmarterMail CVE-2004-2586 (Directory traversal vulnerability in frmGetAttachment.aspx in SmarterT ...) NOT-FOR-US: SmarterTools SmarterMail CVE-2004-2585 (Cross-site scripting (XSS) vulnerability in frmCompose.aspx in Smarter ...) NOT-FOR-US: SmarterTools SmarterMail CVE-2004-2584 (frmAddfolder.aspx in SmarterTools SmarterMail 1.6.1511 and 1.6.1529 al ...) NOT-FOR-US: SmarterTools SmarterMail CVE-2004-2583 (SMTP service in SmarterTools SmarterMail 1.6.1511 and 1.6.1529 allows ...) NOT-FOR-US: SmarterTools SmarterMail CVE-2004-2582 (Novell iChain 2.3 includes the build number in the VIA line of the pro ...) NOT-FOR-US: iChain CVE-2004-2581 (Novell iChain 2.3 allows attackers to cause a denial of service via a ...) NOT-FOR-US: iChain CVE-2004-2580 (Cross-site scripting (XSS) vulnerability in Novell iChain 2.3 allows r ...) NOT-FOR-US: iChain CVE-2004-2579 (ACLCHECK module in Novell iChain 2.3 allows attackers to bypass access ...) NOT-FOR-US: iChain CVE-2004-2578 (phpGroupWare before 0.9.16.002 transmits the (1) header admin and (2) ...) - phpgroupware 0.9.16.002-1 CVE-2004-2577 (The acl_check function in phpGroupWare 0.9.16RC2 always returns True, ...) - phpgroupware 0.9.14-0.RC3.1 CVE-2004-2576 (class.vfs_dav.inc.php in phpGroupWare 0.9.16.000 does not create .htac ...) - phpgroupware 0.9.16.000.1.cvs.20040620-1 CVE-2004-2575 (phpGroupWare 0.9.14.005 and earlier allow remote attackers to obtain s ...) - phpgroupware 0.9.14.007 CVE-2004-2574 (Cross-site scripting (XSS) vulnerability in index.php in phpGroupWare ...) - phpgroupware 0.9.14.007 CVE-2004-2573 (PHP remote file inclusion vulnerability in tables_update.inc.php in ph ...) - phpgroupware 0.9.14.007 CVE-2005-3848 (Memory leak in the icmp_push_reply function in Linux 2.6 before 2.6.12 ...) {DSA-1018-1 DSA-1017-1} - linux-2.6 2.6.13-1 CVE-2005-3847 (The handle_stop_signal function in signal.c in Linux kernel 2.6.11 up ...) {DSA-1017-1} - linux-2.6 2.6.13-1 CVE-2005-3849 (Cross-site scripting (XSS) vulnerability in the Search module in PmWik ...) NOT-FOR-US: PmWiki CVE-2003-XXXX [Insecure tempfile in x-face-el] - x-face-el 1.3.6.23-1 NOTE: DSA-340 CVE-2005-3781 (Unspecified vulnerability in in.named in Solaris 9 allows attackers to ...) NOT-FOR-US: Solaris CVE-2005-3780 (Multiple buffer overflows in IPUpdate 1.1 might allow attackers to exe ...) NOT-FOR-US: IPUpdate CVE-2005-3779 (Unspecified vulnerability in xterm for HP-UX 11.00, 11.11, and 11.23 a ...) NOT-FOR-US: HP-UX CVE-2005-3778 (Unspecified vulnerability in MyBulletinBoard (MyBB) before 1.0 PR2 Rev ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2005-3777 (MyBulletinBoard (MyBB) 1.0 PR2 Rev 686 allows remote attackers to dele ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2005-3776 (Multiple cross-site scripting (XSS) vulnerabilities in MyBulletinBoard ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2005-3775 (PHP remote file inclusion vulnerability in pollvote.php in PollVote al ...) NOT-FOR-US: PollVote CVE-2005-3774 (Cisco PIX 6.3 and 7.0 allows remote attackers to cause a denial of ser ...) NOT-FOR-US: Cisco CVE-2005-3773 (Unspecified vulnerability in Joomla! before 1.0.4 has unknown impact a ...) NOT-FOR-US: Joomla! CVE-2005-3772 (Multiple SQL injection vulnerabilities in Joomla! before 1.0.4 allow r ...) NOT-FOR-US: Joomla! CVE-2005-3771 (Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before ...) NOT-FOR-US: Joomla! CVE-2005-3770 (Multiple cross-site scripting (XSS) vulnerabilities in PHP-Post (PHPp) ...) NOT-FOR-US: PHP-Post CVE-2005-3769 (SQL injection vulnerability in files.php in PHP Download Manager 1.1.3 ...) NOT-FOR-US: PHP Download Manager CVE-2005-3768 (Buffer overflow in the Internet Key Exchange version 1 (IKEv1) impleme ...) NOT-FOR-US: Symantec appliances CVE-2005-3767 (Exponent CMS 0.96.3 and later versions does not properly restrict the ...) NOT-FOR-US: Exponent CMS CVE-2005-3766 (Exponent CMS 0.96.3 and later versions stores sensitive user pages und ...) NOT-FOR-US: Exponent CMS CVE-2005-3765 (Exponent CMS 0.96.3 and later versions performs a chmod on uploaded fi ...) NOT-FOR-US: Exponent CMS CVE-2005-3764 (The image gallery (imagegallery) component in Exponent CMS 0.96.3 and ...) NOT-FOR-US: Exponent CMS CVE-2005-3763 (Exponent CMS 0.96.3 and later versions includes the full installation ...) NOT-FOR-US: Exponent CMS CVE-2005-3762 (SQL injection vulnerability in the navigation module (navigationmodule ...) NOT-FOR-US: Exponent CMS CVE-2005-3761 (Cross-site scripting (XSS) vulnerability in Exponent CMS 0.96.3 and la ...) NOT-FOR-US: Exponent CMS CVE-2005-3760 (Double free vulnerability in the BBOORB module in IBM WebSphere Applic ...) NOT-FOR-US: WebSphere CVE-2005-3758 (Cross-site scripting (XSS) vulnerability in Google Mini Search Applian ...) NOT-FOR-US: Google search appliance CVE-2005-3757 (The Saxon XSLT parser in Google Mini Search Appliance, and possibly Go ...) NOTE: XSLTs can call arbitrary java methods in libsaxon-java. This behaviour NOTE: is well documented and can be switched off. Let's hope that all users NOTE: of saxon are aware of this. A warning has been added to the readme. NOTE: Current rdependencies: - ooo2dbk (uses it's own xslt unless overridden by command line arg) CVE-2005-3756 (Google Mini Search Appliance, and possibly Google Search Appliance, al ...) NOT-FOR-US: Google search appliance CVE-2005-3755 (Directory traversal vulnerability in Google Mini Search Appliance, and ...) NOT-FOR-US: Google search appliance CVE-2005-3754 (Cross-site scripting (XSS) vulnerability in Google Mini Search Applian ...) NOT-FOR-US: Google search appliance CVE-2005-3750 (Opera before 8.51 on Linux and Unix systems allows remote attackers to ...) NOT-FOR-US: Opera CVE-2005-3749 (Unspecified "absolute path vulnerabilities" in the diagela command (di ...) NOT-FOR-US: AIX CVE-2005-3748 (SQL injection vulnerability in the Search module in Tru-Zone Nuke ET 3 ...) NOT-FOR-US: Tru-Zone Nuke ET CVE-2005-3747 (Unspecified vulnerability in Jetty before 5.1.6 allows remote attacker ...) - jetty 5.1.8-1 (bug #340582; medium) CVE-2005-3746 (SQL injection vulnerability in thread.php in APBoard allows remote att ...) NOT-FOR-US: APBoard CVE-2005-3745 (Cross-site scripting (XSS) vulnerability in Apache Struts 1.2.7, and p ...) - libstruts1.2-java 1.2.8-1 (bug #340583; medium) [sarge] - libstruts1.2-java (Only in contrib, relies on proprietary Java) CVE-2005-3744 (SQL injection vulnerability in index.php in phpComasy 0.7.5 and earlie ...) NOT-FOR-US: phpComasy CVE-2005-3743 (SQL injection vulnerability in results.php in SimplePoll allows remote ...) NOT-FOR-US: SimplePoll CVE-2005-3742 (Cross-site scripting (XSS) vulnerability in popup.php in Advanced Poll ...) NOT-FOR-US: Advanced Poll CVE-2005-3741 (Almond Classifieds does not properly verify the password, which allows ...) NOT-FOR-US: Almond Classifieds CVE-2005-3740 (Multiple SQL injection vulnerabilities in PHP-Fusion 6.00.206 and earl ...) NOT-FOR-US: PHP-Fusion CVE-2005-3739 (Unspecified vulnerability in subheader.php in PHP-Fusion 6.00.206 and ...) NOT-FOR-US: PHP-Fusion CVE-2005-3738 (globals.php in Mambo Site Server 4.0.14 and earlier, when register_glo ...) NOT-FOR-US: Mambo CVE-2005-3737 (Buffer overflow in the SVG importer (style.cpp) of inkscape 0.41 throu ...) {DSA-916-1 DTSA-24-1} - inkscape 0.43-1 (bug #330894; medium) CVE-2005-3736 (Multiple cross-site scripting (XSS) vulnerabilities in e-Quick Cart al ...) NOT-FOR-US: e-Quick Cart CVE-2005-3735 (Multiple SQL injection vulnerabilities in e-Quick Cart allow remote at ...) NOT-FOR-US: e-Quick Cart CVE-2005-3734 (Cross-site scripting (XSS) vulnerability in the "add content" page in ...) NOT-FOR-US: phpMyFAQ CVE-2005-3733 (The Internet Key Exchange version 1 (IKEv1) implementation in Juniper ...) NOT-FOR-US: Juniper products using IKE CVE-2005-3732 (The Internet Key Exchange version 1 (IKEv1) implementation (isakmp_agg ...) {DSA-965-1} - ipsec-tools 1:0.6.3-1 (bug #340584; low) CVE-2004-2572 (AMAX Magic Winmail Server 3.6 allows remote attackers to obtain sensit ...) NOT-FOR-US: AMAX Magic Winmail CVE-2004-2571 (Multiple buffer overflows in EnderUNIX isoqlog 2.1.1 allow remote atta ...) - isoqlog 2.2-0.1 CVE-2004-2570 (Opera before 7.54 allows remote attackers to modify properties and met ...) NOT-FOR-US: Opera CVE-2004-2568 (Multiple cross-site scripting (XSS) vulnerabilities in ReciPants 1.1.1 ...) NOT-FOR-US: ReciPants CVE-2004-2567 (Multiple SQL injection vulnerabilities in ReciPants 1.1.1 allow remote ...) NOT-FOR-US: ReciPants CVE-2004-2566 (Multiple cross-site scripting (XSS) vulnerabilities in LiveWorld produ ...) NOT-FOR-US: LiveWorld CVE-2004-2565 (Multiple directory traversal vulnerabilities in Sambar Server 6.1 Beta ...) NOT-FOR-US: Sambar CVE-2004-2564 (Multiple cross-site scripting (XSS) vulnerabilities in Sambar Server 6 ...) NOT-FOR-US: Sambar CVE-2004-2563 (Serena TeamTrack 6.1.1 allows remote attackers to obtain sensitive inf ...) NOT-FOR-US: Serena TeamTrack CVE-2004-2562 (SQL injection vulnerability in jobedit.asp in Leigh Business Enterpris ...) NOT-FOR-US: Leigh Business Enterprises CVE-2004-2561 (Multiple SQL injection vulnerabilities in Internet Software Sciences W ...) NOT-FOR-US: ISS Web+Center CVE-2004-2560 (DokuWiki before 2004-10-19, when used on a web server that permits exe ...) - dokuwiki (Fixed before upload into the archive) CVE-2004-2559 (DokuWiki before 2004-10-19 allows remote attackers to access administr ...) - dokuwiki (Fixed before upload into the archive) CVE-2003-1287 (Sambar Server before 6.0 beta 3 allows attackers with physical access ...) NOT-FOR-US: Sambar CVE-2003-1286 (HTTP Proxy in Sambar Server before 6.0 beta 6, when security.ini lacks ...) NOT-FOR-US: Sambar CVE-2003-1285 (Multiple cross-site scripting (XSS) vulnerabilities in Sambar Server b ...) NOT-FOR-US: Sambar CVE-2003-1284 (Sambar Server before 6.0 beta 6 allows remote attackers to obtain sens ...) NOT-FOR-US: Sambar CVE-2005-3808 (Integer overflow in the invalidate_inode_pages2_range function in mm/t ...) - linux-2.6 2.6.14-4 (medium) [sarge] - kernel-source-2.4.27 (Vulnerable code not present) [sarge] - kernel-source-2.6.8 (Vulnerable code not present) CVE-2005-3809 (The nfattr_to_tcp function in ip_conntrack_proto_tcp.c in ctnetlink in ...) - linux-2.6 2.6.14-4 (medium) [sarge] - kernel-source-2.4.27 (Vulnerable code not present) [sarge] - kernel-source-2.6.8 (Vulnerable code not present) CVE-2005-3810 (ip_conntrack_proto_icmp.c in ctnetlink in Linux kernel 2.6.14 up to 2. ...) - linux-2.6 2.6.14-4 (medium) [sarge] - kernel-source-2.4.27 (Vulnerable code not present) [sarge] - kernel-source-2.6.8 (Vulnerable code not present) CVE-2005-3759 (Multiple cross-site scripting (XSS) vulnerabilities in Horde before 3. ...) {DSA-909-1} - horde3 3.0.7-1 (bug #340323; medium) CVE-2004-2569 (ipmenu 0.0.3 before Debian GNU/Linux ipmenu_0.0.3-5 allows local users ...) {DSA-907-1} - ipmenu 0.0.3-5 CVE-2005-3731 (Unspecified vulnerability in yaSSL before 1.0.6 has unknown impact and ...) - cyassl (Fixed before initial upload to archive) CVE-2005-3730 (Multiple cross-site scripting (XSS) vulnerabilities in HTTPTranslatorS ...) NOT-FOR-US: Revize CMS CVE-2005-3729 (Idetix Software Systems Revize CMS allows remote attackers to obtain s ...) NOT-FOR-US: Revize CMS CVE-2005-3728 (Idetix Software Systems Revize CMS stores conf/revize.xml under the we ...) NOT-FOR-US: Revize CMS CVE-2005-3727 (SQL injection vulnerability in debug/query_results.jsp in Idetix Softw ...) NOT-FOR-US: Revize CMS CVE-2005-3726 (SQL injection vulnerability in Interspire ArticleLive NX 0.3 allows re ...) NOT-FOR-US: ArticleLive NX CVE-2005-3725 (Zyxel P2000W Version 1 VOIP WIFI Phone Wj.00.10 uses hardcoded IP addr ...) NOT-FOR-US: Zyxel WIFI Phone CVE-2005-3724 (Zyxel P2000W Version 1 VOIP WIFI Phone Wj.00.10 allows remote attacker ...) NOT-FOR-US: Zyxel WIFI Phone CVE-2005-3723 (Hitachi IP5000 VOIP WIFI Phone 1.5.6 does not allow the user to disabl ...) NOT-FOR-US: Hitachi WIFI Phone CVE-2005-3722 (The SNMP v1/v2c daemon in Hitachi IP5000 VOIP WIFI Phone 1.5.6 allows ...) NOT-FOR-US: Hitachi WIFI Phone CVE-2005-3721 (The default configuration of the HTTP server in Hitachi IP5000 VOIP WI ...) NOT-FOR-US: Hitachi WIFI Phone CVE-2005-3720 (The default index page in the HTTP server in Hitachi IP5000 VOIP WIFI ...) NOT-FOR-US: Hitachi WIFI Phone CVE-2005-3719 (Hitachi IP5000 VOIP WIFI Phone 1.5.6 has a hard-coded administrator pa ...) NOT-FOR-US: Hitachi WIFI Phone CVE-2005-3718 (UTStarcom F1000 VOIP WIFI Phone s2.0 running VxWorks 5.5.1 with kernel ...) NOT-FOR-US: UTStarcom WIFI Phone CVE-2005-3717 (The telnet daemon in UTStarcom F1000 VOIP WIFI Phone s2.0 running VxWo ...) NOT-FOR-US: UTStarcom WIFI Phone CVE-2005-3716 (The SNMP daemon in UTStarcom F1000 VOIP WIFI Phone s2.0 running VxWork ...) NOT-FOR-US: UTStarcom WIFI Phone CVE-2005-3715 (Senao SI-680H Wireless VoIP Phone Firmware 0.03.0839 leaves the VxWork ...) NOT-FOR-US: Senao Wireless VoIP Phone CVE-2005-3699 (Opera Web Browser 8.50 and 8.0 through 8.0.2 allows remote attackers t ...) NOT-FOR-US: Opera CVE-2005-3698 (PHP Easy Download allows remote attackers to bypass authentication via ...) NOT-FOR-US: PHP Easy Download CVE-2005-3697 (Unspecified vulnerability in the administration interface in Uresk Lin ...) NOT-FOR-US: Uresk Links Lite CVE-2005-3696 (SQL injection vulnerability in Arki-DB 1.0 and 2.0 allows remote attac ...) NOT-FOR-US: Arki-DB CVE-2005-3695 (Cross-site scripting (XSS) vulnerability in admin/config/confMgr.php i ...) NOT-FOR-US: LiteSpeed Webserver CVE-2005-3694 (centericq 4.20.0-r3 with "Enable peer-to-peer communications" set allo ...) {DSA-912-1} - centericq 4.21.0-4 (bug #334089; low) CVE-2005-3693 (The AxWebRemoveCtrl ActiveX control for uninstalling the SunnComm Medi ...) NOT-FOR-US: SunnComm MediaMax DRM CVE-2005-3692 (Cross-site scripting (XSS) vulnerability in AMAX Magic Winmail Server ...) NOT-FOR-US: AMAX Magic Winmail Server CVE-2005-3691 (Directory traversal vulnerability in the IMAP service (meimaps.exe) of ...) NOT-FOR-US: MailEnable Professional CVE-2005-3690 (Stack-based buffer overflow in the IMAP service (meimaps.exe) of MailE ...) NOT-FOR-US: MailEnable Professional CVE-2005-3689 (post.php in XMB 1.9.2 allows remote attackers to obtain the installati ...) NOT-FOR-US: XMB CVE-2005-3688 (Cross-site scripting (XSS) vulnerability in members.php in XMB 1.9.3 a ...) NOT-FOR-US: XMB CVE-2005-3687 (cancel_account.php in WHM AutoPilot 2.5.30 and earlier allows remote a ...) NOT-FOR-US: WHM AutoPilot CVE-2005-3686 (SQL injection vulnerability in search.inc.php in Unclassified NewsBoar ...) NOT-FOR-US: Unclassified Newsboard CVE-2005-3685 (Cross-site scripting (XSS) vulnerability in shopadmin.asp in VP-ASP Sh ...) NOT-FOR-US: VP-ASP Shopping Cart CVE-2005-3684 (Multiple buffer overflows in freeFTPd 1.0.8, without logging enabled, ...) NOT-FOR-US: freeFTPd CVE-2005-3683 (Stack-based buffer overflow in freeFTPd before 1.0.9 with Logging enab ...) NOT-FOR-US: freeFTPd CVE-2005-3682 (Multiple SQL injection vulnerabilities in Wizz Forum 1.20 allow remote ...) NOT-FOR-US: Wizz Forum CVE-2005-3681 (SQL injection vulnerability in viewcat.php in XOOPS WF-Downloads modul ...) NOT-FOR-US: Xoops CVE-2005-3680 (Directory traversal vulnerability in editor_registry.php in XOOPS 2.2. ...) NOT-FOR-US: Xoops CVE-2005-3679 (SQL injection vulnerability in admin/index.php in ActiveCampaign 1-2-A ...) NOT-FOR-US: ActiveCampaign 1-2-All Broadcast Email CVE-2005-3678 (Google Talk before 1.0.0.76, with email notification enabled, allows r ...) NOT-FOR-US: Google Talk CVE-2005-3677 (Buffer overflow in RealNetworks RealPlayer 10 and 10.5 allows remote a ...) - helix-player CVE-2005-3676 (SQL injection vulnerability in download.php in PhpWebThings 1.4.4 allo ...) NOT-FOR-US: PhpWebThings CVE-2005-3675 (The Transmission Control Protocol (TCP) allows remote attackers to cau ...) NOTE: Generic protocol weakness, likely hard to fix at the kernel NOTE: level without performance impact. CVE-2005-3674 (The Internet Key Exchange version 1 (IKEv1) implementation in the libi ...) NOT-FOR-US: libike from Solaris CVE-2005-3673 (The Internet Key Exchange version 1 (IKEv1) implementation in Check Po ...) NOT-FOR-US: Check Point's IKE implementation CVE-2005-3672 (The Internet Key Exchange version 1 (IKEv1) implementation in Stonesof ...) NOT-FOR-US: StoneGate's IKE implementation CVE-2005-3671 (The Internet Key Exchange version 1 (IKEv1) implementation in Openswan ...) - openswan 1:2.4.4-1 (bug #339082; low) [sarge] - openswan (Only exploitable in inherently insecure mode of operation) NOTE: Initial 2.4.3 didn't fix all the issues from the NISCC report CVE-2005-3670 (Multiple unspecified vulnerabilities in the Internet Key Exchange vers ...) NOT-FOR-US: HP-UX's IKE implementation CVE-2005-3669 (Multiple unspecified vulnerabilities in the Internet Key Exchange vers ...) NOT-FOR-US: Cisco CVE-2005-3668 (Multiple buffer overflows in multiple unspecified implementations of I ...) NOT-FOR-US: Just a "meta CVE" for all the IKE issues, will possibly be rejected CVE-2005-3667 (Multiple unspecified vulnerabilities in multiple unspecified implement ...) NOT-FOR-US: Just a "meta CVE" for all the IKE issues, will possibly be rejected CVE-2005-3666 (Multiple unspecified format string vulnerabilities in multiple unspeci ...) NOT-FOR-US: Just a "meta CVE" for all the IKE issues, will possibly be rejected CVE-2005-3665 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin befo ...) {DSA-1207-1} - phpmyadmin 4:2.6.4-pl4-2 (bug #340438; medium) NOTE: https://www.phpmyadmin.net/security/PMASA-2005-8/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/05c719aba3b99820daa3187e055c6ef4540b53cc CVE-2004-2558 (Unspecified vulnerability in IBM Tivoli SecureWay Policy Director 3.8, ...) NOT-FOR-US: Tivoli CVE-2004-2557 (NetGear WG602 (aka WG602v1) Wireless Access Point 1.7.14 has a hardcod ...) NOT-FOR-US: Netgear hardware CVE-2004-2556 (NetGear WG602 (aka WG602v1) Wireless Access Point firmware 1.04.0 and ...) NOT-FOR-US: Netgear hardware CVE-2004-2555 (Riverdeep FoolProof Security 3.9.x on Windows 98 and Windows ME uses w ...) NOT-FOR-US: FoolProof Security CVE-2004-2554 (Novell Client Firewall (NCF) 2.0, as based on the Agnitum Outpost Fire ...) NOT-FOR-US: Novell Client Firewall CVE-2004-2553 (The Ignition Project ignitionServer 0.1.2 through 0.1.2-R2 allows remo ...) NOT-FOR-US: ignitionServer CVE-2004-2552 (Buffer overflow in XBoard 4.2.7 and earlier might allow local users to ...) - xboard 4.2.7-3 (bug #343560; unimportant) CVE-2004-2551 (Multiple SQL injection vulnerabilities in Layton HelpBox 3.0.1 allow r ...) NOT-FOR-US: Layton HelpBox CVE-2004-2550 (Multiple cross-site scripting (XSS) vulnerabilities in unspecified Per ...) NOT-FOR-US: SandSurfer CVE-2004-2549 (Nortel Wireless LAN (WLAN) Access Point (AP) 2220, 2221, and 2225 allo ...) NOT-FOR-US: Nortel hardware CVE-2004-2548 (Multiple cross-site scripting (XSS) vulnerabilities in NetWin (1) Surg ...) NOT-FOR-US: SurgeMail CVE-2004-2547 (NetWin (1) SurgeMail before 2.0c and (2) WebMail allow remote attacker ...) NOT-FOR-US: SurgeMail CVE-2004-2546 (Multiple memory leaks in Samba before 3.0.6 allow attackers to cause a ...) - samba 3.0.6-1 CVE-2004-2545 (Secure Computing Corporation Sidewinder G2 6.1.0.01 allows remote atta ...) NOT-FOR-US: Sidewinder G2 CVE-2004-2544 (Admin Console in Secure Computing Corporation Sidewinder G2 6.1.0.01 e ...) NOT-FOR-US: Sidewinder G2 CVE-2004-2543 (Secure Computing Corporation Sidewinder G2 6.1.0.01 might allow remote ...) NOT-FOR-US: Sidewinder G2 CVE-2004-2542 (Multiple SQL injection vulnerabilities in Dynix (formerly known as epi ...) NOT-FOR-US: Dynix WebPac CVE-2004-2541 (Buffer overflow in Cscope 15.5, and possibly multiple overflows, allow ...) {DSA-1064-1} - cscope 15.5+cvs20050816-1.1 (bug #340177; medium) NOTE: Sarge and Woody are affected CVE-2005-XXXX [unsafe file permissions in vpnc] - vpnc 0.3.3+SVN20051028-3 (bug #340105; unimportant) NOTE: Only an example file CVE-2006-0017 RESERVED CVE-2006-0016 RESERVED CVE-2006-0015 (Cross-site scripting (XSS) vulnerability in _vti_bin/_vti_adm/fpadmdll ...) NOT-FOR-US: Microsoft CVE-2006-0014 (Buffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote a ...) NOT-FOR-US: Microsoft CVE-2006-0013 (Buffer overflow in the Web Client service (WebClnt.dll) for Microsoft ...) NOT-FOR-US: Microsoft CVE-2006-0012 (Unspecified vulnerability in Windows Explorer in Microsoft Windows 200 ...) NOT-FOR-US: Microsoft CVE-2006-0011 REJECTED CVE-2006-0010 (Heap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP ...) NOT-FOR-US: Microsoft CVE-2006-0009 (Buffer overflow in Microsoft Office 2000 SP3, XP SP3, and other versio ...) NOT-FOR-US: Microsoft CVE-2006-0008 (The ShellAbout API call in Korean Input Method Editor (IME) in Korean ...) NOT-FOR-US: Microsoft CVE-2006-0007 (Buffer overflow in GIFIMP32.FLT, as used in Microsoft Office 2003 SP1 ...) NOT-FOR-US: Microsoft CVE-2006-0006 (Heap-based buffer overflow in the bitmap processing routine in Microso ...) NOT-FOR-US: Microsoft CVE-2006-0005 (Buffer overflow in the plug-in for Microsoft Windows Media Player (WMP ...) NOT-FOR-US: Microsoft CVE-2006-0004 (Microsoft PowerPoint 2000 in Office 2000 SP3 has an interaction with I ...) NOT-FOR-US: Microsoft CVE-2006-0003 (Unspecified vulnerability in the RDS.Dataspace ActiveX control, which ...) NOT-FOR-US: RDS.Dataspace CVE-2006-0002 (Unspecified vulnerability in Microsoft Outlook 2000 through 2003, Exch ...) NOT-FOR-US: Microsoft CVE-2006-0001 (Stack-based buffer overflow in Microsoft Publisher 2000 through 2003 a ...) NOT-FOR-US: Microsoft CVE-2005-3714 (The network interface for Apple AirPort Express 6.x before Firmware Up ...) NOT-FOR-US: Apple AirPort CVE-2005-3713 (Heap-based buffer overflow in Apple Quicktime before 7.0.4 allows remo ...) NOT-FOR-US: Apple Quicktime CVE-2005-3712 (Heap-based buffer overflow in rsync in Mac OS X 10.4 through 10.4.5 al ...) NOT-FOR-US: Apple CVE-2005-3711 (Integer overflow in Apple Quicktime before 7.0.4 allows remote attacke ...) NOT-FOR-US: Apple Quicktime CVE-2005-3710 (Integer overflow in Apple Quicktime before 7.0.4 allows remote attacke ...) NOT-FOR-US: Apple Quicktime CVE-2005-3709 (Integer underflow in Apple Quicktime before 7.0.4 allows remote attack ...) NOT-FOR-US: Apple Quicktime CVE-2005-3708 (Integer overflow in Apple Quicktime before 7.0.4 allows remote attacke ...) NOT-FOR-US: Apple Quicktime CVE-2005-3707 (Buffer overflow in Apple Quicktime before 7.0.4 allows remote attacker ...) NOT-FOR-US: Apple Quicktime CVE-2005-3706 (Heap-based buffer overflow in LibSystem in Mac OS X 10.4 through 10.4. ...) NOT-FOR-US: Mac OS X CVE-2005-3705 (Heap-based buffer overflow in WebKit in Mac OS X and OS X Server 10.3. ...) NOT-FOR-US: Mac OS X CVE-2005-3704 (System log server in Mac OS X and OS X Server 10.4 through 10.4.3 allo ...) NOT-FOR-US: Mac OS X CVE-2005-3703 REJECTED CVE-2005-3702 (Safari in Mac OS X and OS X Server 10.3.9 and 10.4.3 allows remote att ...) NOT-FOR-US: Safari CVE-2005-3701 (Unspecified vulnerability in passwordserver in Mac OS X Server 10.3.9 ...) NOT-FOR-US: Mac OS X CVE-2005-3700 (Unknown vulnerability in iodbcadmintool in the ODBC Administrator util ...) NOT-FOR-US: Mac OS X CVE-2005-3664 (Heap-based buffer overflow in Kaspersky Anti-Virus Engine, as used in ...) NOT-FOR-US: Kaspersky AV CVE-2005-3663 (Unquoted Windows search path vulnerability in Kaspersky Anti-Virus 5.0 ...) NOT-FOR-US: Kaspersky AV CVE-2005-3662 (Off-by-one buffer overflow in pnmtopng before 2.39, when using the -al ...) {DSA-904-1} - netpbm-free 2:10.0-10.1 (medium; bug #351639) CVE-2005-3661 (Dell TrueMobile 2300 Wireless Broadband Router running firmware 3.0.0. ...) NOT-FOR-US: Dell hardware issue CVE-2005-3660 (Linux kernel 2.4 and 2.6 allows attackers to cause a denial of service ...) - linux (unimportant) - linux-2.6 (unimportant) NOTE: Design limitation, for rare corner cases, where this poses a problem advanced NOTE: resource management systems can be deployed CVE-2005-3659 (nsrd.exe in EMC Legato NetWorker 7.1.x before 7.1.4 and 7.2.x before 7 ...) NOT-FOR-US: EMC Legato NetWorker CVE-2005-3658 (Multiple heap-based buffer overflows in EMC Legato NetWorker 7.1.x bef ...) NOT-FOR-US: EMC Legato NetWorker CVE-2005-3657 (The ActiveX control in MCINSCTL.DLL for McAfee VirusScan Security Cent ...) NOT-FOR-US: McAfee CVE-2005-3656 (Multiple format string vulnerabilities in logging functions in mod_aut ...) {DSA-935-1} [sarge] - libapache2-mod-auth-pgsql 2.0.2b1-5sarge0 - libapache2-mod-auth-pgsql 2.0.2b1-7 - libapache-mod-auth-pgsql (Does not contain the vulnerable ap_log_rerror() function) CVE-2005-3655 (Heap-based buffer overflow in Novell Open Enterprise Server Remote Man ...) NOT-FOR-US: Novell Open Enterprise Server CVE-2005-3654 (Blue Coat Systems Inc. WinProxy before 6.1a allows remote attackers to ...) NOT-FOR-US: Blue Coat WinProxy CVE-2005-3653 (Heap-based buffer overflow in the iGateway service for various Compute ...) NOT-FOR-US: IGateway CVE-2005-3652 (Heap-based buffer overflow in Citrix Program Neighborhood client 9.0 a ...) NOT-FOR-US: Citrix CVE-2005-3651 (Stack-based buffer overflow in the dissect_ospf_v3_address_prefix func ...) {DSA-920-1} - ethereal 0.10.13-1.1 (bug #342911; medium) CVE-2005-3650 (The CodeSupport.ocx ActiveX control, as used by Sony to uninstall the ...) NOT-FOR-US: Sony Root Kit Uninstaller CVE-2005-3649 (jumpto.php in Moodle 1.5.2 allows remote attackers to redirect users t ...) NOTE: only exploitable in certian configurations (non-default) NOTE: warning added.. - moodle 1.5.3+20060108-1 (bug #338592; low) [sarge] - moodle (Isn't explotable in sarge) CVE-2005-3648 (Multiple SQL injection vulnerabilities in the get_record function in d ...) - moodle 1.5.3+20060108-1 (bug #338592; low) [sarge] - moodle (Only exploitable in strange PHP setups) CVE-2005-3647 (Folder Guard allows local users to bypass protections by running from ...) NOT-FOR-US: Folder Guard CVE-2005-3646 (Multiple SQL injection vulnerabilities in lib-sessions.inc.php in phpA ...) NOT-FOR-US: phpAdsNews CVE-2005-3645 (phpAdsNew and phpPgAds 2.0.6 and possibly earlier versions allows remo ...) NOT-FOR-US: phpAdsNews CVE-2005-3644 (PNP_GetDeviceList (upnp_getdevicelist) in UPnP for Microsoft Windows 2 ...) NOT-FOR-US: Windows CVE-2005-3643 (IBM DB2 Database server running on Windows XP with Simple File Sharing ...) NOT-FOR-US: DB2 CVE-2005-3642 (IBM Informix Dynamic Database server running on Windows XP with Simple ...) NOT-FOR-US: Informix CVE-2005-3641 (Oracle Databases running on Windows XP with Simple File Sharing enable ...) NOT-FOR-US: Oracle CVE-2005-3640 (Multiple buffer overflows in the IMAP Groupware Mail server of Floosie ...) NOT-FOR-US: FTGate CVE-2005-3639 (PHP file inclusion vulnerability in the osTicket module in Help Center ...) NOT-FOR-US: Help Center Live CVE-2005-3638 (Cross-site scripting (XSS) vulnerabilities in Ekinboard 1.0.3 allow re ...) NOT-FOR-US: Ekinboard CVE-2005-3637 REJECTED CVE-2005-3636 (Cross-site scripting (XSS) vulnerability in SAP Web Application Server ...) NOT-FOR-US: SAP Web Application Server CVE-2005-3635 (Multiple cross-site scripting (XSS) vulnerabilities in SAP Web Applica ...) NOT-FOR-US: SAP Web Application Server CVE-2005-3634 (frameset.htm in the BSP runtime in SAP Web Application Server (WAS) 6. ...) NOT-FOR-US: SAP Web Application Server CVE-2005-3633 (HTTP response splitting vulnerability in frameset.htm in SAP Web Appli ...) NOT-FOR-US: SAP Web Application Server CVE-2005-3632 (Multiple buffer overflows in pnmtopng in netpbm 10.0 and earlier allow ...) {DSA-904-1} - netpbm-free 2:10.0-10.1 (medium; bug #351639) CVE-2005-3631 (udev does not properly set permissions on certain files in /dev/input, ...) - udev (Red Hat specific) CVE-2005-3630 (Fedora Directory Server before 10 allows remote attackers to obtain se ...) NOT-FOR-US: Fedora Directory Server CVE-2005-3629 (initscripts in Red Hat Enterprise Linux 4 does not properly handle cer ...) NOTE: current sudo cleans the environment, so we are not affected - sysvconfig (sudo cleans env anyway) CVE-2005-3628 (Buffer overflow in the JBIG2Bitmap::JBIG2Bitmap function in JBIG2Strea ...) {DSA-962-1 DSA-961-1 DSA-950-1 DSA-940-1 DSA-938-1 DSA-937-1 DSA-936-1 DSA-932-1 DSA-931-1 DTSA-28-1} - kdegraphics 4:3.5.0-3 - gpdf 2.10.0-2 (bug #342286) - xpdf 3.01-4 - koffice 1:1.4.2-6 (bug #342294) - libextractor 0.5.9-1 - pdfkit.framework 0.8-4 - pdftohtml 0.36-12 - cupsys 1.1.22-7 - cups 1.1.22-7 NOTE: cupsys switched to an external PDF implementation in 1.1.22-7. - tetex-bin 3.0-12 NOTE: tetex-bin switched to poppler in 3.0-12. CVE-2005-3627 (Stream.cc in Xpdf, as used in products such as gpdf, kpdf, pdftohtml, ...) {DSA-962-1 DSA-961-1 DSA-950-1 DSA-940-1 DSA-938-1 DSA-937-1 DSA-936-1 DSA-932-1 DSA-931-1 DTSA-28-1} - poppler 0.4.4-1 (bug #346076) - kdegraphics 4:3.5.0-3 - gpdf 2.10.0-2 (bug #342286) - xpdf 3.01-4 - koffice 1:1.4.2-6 (bug #342294) - libextractor 0.5.9-1 - pdfkit.framework 0.8-4 - pdftohtml 0.36-12 - cupsys 1.1.22-7 - cups 1.1.22-7 NOTE: cupsys switched to an external PDF implementation in 1.1.22-7. - tetex-bin 3.0-12 NOTE: tetex-bin switched to poppler in 3.0-12. CVE-2005-3626 (Xpdf, as used in products such as gpdf, kpdf, pdftohtml, poppler, teTe ...) {DSA-962-1 DSA-961-1 DSA-950-1 DSA-940-1 DSA-938-1 DSA-937-1 DSA-936-1 DSA-932-1 DSA-931-1 DTSA-28-1} - poppler 0.4.3-2 - kdegraphics 4:3.5.0-3 - xpdf 3.01-4 - gpdf 2.10.0-2 (bug #342286) - koffice 1:1.4.2-6 (bug #342294) - libextractor 0.5.9-1 - pdfkit.framework 0.8-4 - pdftohtml 0.36-12 - cupsys 1.1.22-7 - cups 1.1.22-7 NOTE: cupsys switched to an external PDF implementation in 1.1.22-7. - tetex-bin 3.0-12 NOTE: tetex-bin switched to poppler in 3.0-12. CVE-2005-3625 (Xpdf, as used in products such as gpdf, kpdf, pdftohtml, poppler, teTe ...) {DSA-962-1 DSA-961-1 DSA-950-1 DSA-940-1 DSA-938-1 DSA-937-1 DSA-936-1 DSA-932-1 DSA-931-1 DTSA-28-1} - poppler 0.4.4-1 (bug #346076) - tetex-bin 3.0-12 - kdegraphics 4:3.5.0-3 - xpdf 3.01-4 - gpdf 2.10.0-2 (bug #342286) - koffice 1:1.4.2-6 (bug #342294) - libextractor 0.5.9-1 - pdfkit.framework 0.8-4 - pdftohtml 0.36-12 - cups 1.1.22-7 - cupsys 1.1.22-7 NOTE: cupsys switched to an external PDF implementation in 1.1.22-7. NOTE: tetex-bin switched to poppler in 3.0-12. CVE-2005-3624 (The CCITTFaxStream::CCITTFaxStream function in Stream.cc for xpdf, gpd ...) {DSA-962-1 DSA-961-1 DSA-950-1 DSA-940-1 DSA-938-1 DSA-937-1 DSA-936-1 DSA-932-1 DSA-931-1 DTSA-28-1} - poppler 0.4.4-1 (bug #346076) - tetex-bin 3.0-12 - gpdf 2.10.0-2 (bug #342286) - kdegraphics 4:3.5.0-3 - xpdf 3.01-4 - koffice 1:1.4.2-6 (bug #342294) - libextractor 0.5.9-1 - pdfkit.framework 0.8-4 - pdftohtml 0.36-12 - cups 1.1.22-7 - cupsys 1.1.22-7 NOTE: cupsys switched to an external PDF implementation in 1.1.22-7. NOTE: tetex-bin switched to poppler in 3.0-12. CVE-2005-3623 (nfs2acl.c in the Linux kernel 2.6.14.4 does not check for MAY_SATTR pr ...) [sarge] - kernel-source-2.6.8 (Does not contain NFS ACLs) - linux-2.6 2.6.14-7 CVE-2005-3622 (phpMyAdmin 2.7.0-beta1 and earlier allows remote attackers to obtain t ...) - phpmyadmin (unimportant) CVE-2005-3620 (The management interface for VMware ESX Server 2.0.x before 2.0.2 patc ...) NOT-FOR-US: VMware ESX CVE-2005-3619 (Cross-site scripting (XSS) vulnerability in the management interface f ...) NOT-FOR-US: VMware ESX CVE-2005-3618 (Cross-site request forgery (CSRF) vulnerability in the management inte ...) NOT-FOR-US: VMWare ESX CVE-2005-3617 RESERVED CVE-2005-3616 RESERVED CVE-2005-3615 RESERVED CVE-2005-3614 RESERVED CVE-2005-3613 RESERVED CVE-2005-3612 RESERVED CVE-2005-3611 RESERVED CVE-2005-3610 RESERVED CVE-2005-3609 RESERVED CVE-2005-3608 RESERVED CVE-2005-3607 RESERVED CVE-2005-3606 RESERVED CVE-2005-3605 RESERVED CVE-2005-3604 RESERVED CVE-2005-3603 RESERVED CVE-2005-3602 RESERVED CVE-2005-3601 RESERVED CVE-2005-3600 RESERVED CVE-2005-3599 RESERVED CVE-2005-3598 RESERVED CVE-2005-3597 REJECTED CVE-2005-3596 (SQL injection vulnerability in ASPKnowledgebase allows remote attacker ...) NOT-FOR-US: ASPKnowledgebase CVE-2005-3595 (By default Microsoft Windows XP Home Edition installs with a blank pas ...) NOT-FOR-US: Windows XP CVE-2005-3594 (game_score.php in e107 allows remote attackers to insert high scores v ...) NOT-FOR-US: e107 CVE-2005-3592 (index.php CuteNews 1.4.0 and earlier allows remote attackers to obtain ...) NOT-FOR-US: CuteNews CVE-2005-3591 (Macromedia Flash plugin (1) Flash.ocx 7.0.19.0 (Windows) and earlier a ...) - flashplugin-nonfree 7.0.61-1 (bug #339290; high) [sarge] - flashplugin-nonfree (Only affects proprietary Flash plugin) CVE-2005-3589 (Buffer overflow in FileZilla Server Terminal 0.9.4d may allow remote a ...) NOT-FOR-US: FileZilla Server CVE-2005-3588 (SQL injection vulnerability in admin.php in Advanced Guestbook 2.2 all ...) NOT-FOR-US: Advanced Guestbook CVE-2005-3587 (Improper boundary checks in petite.c in Clam AntiVirus (ClamAV) before ...) {DSA-947-1} - clamav 0.87.1-1 (medium) NOTE: sarge is affected (not in oldstable) CVE-2005-3586 (content.php in Mambo 4.5.2 through 4.5.2.3 allows remote attackers to ...) NOT-FOR-US: Mambo CVE-2005-3585 (SQL injection vulnerability in forum.php in PhpWebThings 1.4.4 allows ...) NOT-FOR-US: PhpWebThings CVE-2005-3584 (Cross-site scripting (XSS) vulnerability in forum.php in PhpWebThings ...) NOT-FOR-US: PhpWebThings CVE-2005-3583 ((1) Java Runtime Environment (JRE) and (2) Software Development Kit (S ...) NOT-FOR-US: Sun Java CVE-2005-3582 (ImageMagick before 6.2.4.2-r1 allows local users in the portage group ...) - imagemagick (Gentoo-specific packaging flaw) CVE-2005-3581 (GDAL before 1.3.0-r1 allows local users in the portage group to increa ...) - gdal (Gentoo-specific packaging flaw) CVE-2005-3580 (QDBM before 1.8.33-r2 allows local users in the portage group to incre ...) - qdbm (Gentoo-specific packaging flaw) CVE-2005-3579 (ts.exe (aka ts.cgi) in Walla TeleSite 3.0 and earlier allows remote at ...) NOT-FOR-US: Walla TeleSite CVE-2005-3578 (SQL injection vulnerability in ts.exe (aka ts.cgi) in Walla TeleSite 3 ...) NOT-FOR-US: Walla TeleSite CVE-2005-3577 (Cross-site scripting vulnerability (XSS) in ts.exe (aka ts.cgi) in Wal ...) NOT-FOR-US: Walla TeleSite CVE-2005-3576 (ts.exe in Walla TeleSite 3.0 and earlier allows remote attackers to ac ...) NOT-FOR-US: Walla TeleSite CVE-2005-3575 (SQL injection vulnerability in show.php in Cyphor 0.19 and earlier all ...) NOT-FOR-US: Cyphor CVE-2005-3574 (PHP file inclusion vulnerability in index.php of iCMS allows remote at ...) NOT-FOR-US: iCMS CVE-2005-3573 (Scrubber.py in Mailman 2.1.5-8 does not properly handle UTF8 character ...) {DSA-955-1} - mailman 2.1.5-10 (bug #327732; bug #339095; medium) CVE-2005-3572 (SQL injection vulnerability in index.php in Peel 2.6 through 2.7 allow ...) NOT-FOR-US: Peel CVE-2005-3571 (PHP file inclusion vulnerability in protection.php in CodeGrrl (a) PHP ...) NOT-FOR-US: protection.php from several crappy web apps not in Debian CVE-2005-3570 (Unspecified cross-site scripting (XSS) vulnerability in Horde before 2 ...) {DSA-914-1} - horde2 2.2.9-1 (bug #338983) CVE-2005-3569 (INSO service in IBM DB2 Content Manager before 8.2 Fix Pack 10 on AIX ...) NOT-FOR-US: DB2 CVE-2005-3568 (db2fmp process in IBM DB2 Content Manager before 8.2 Fix Pack 10 allow ...) NOT-FOR-US: DB2 CVE-2005-3567 (slapd daemon in IBM Tivoli Directory Server (ITDS) 5.2.0 and 6.0.0 bin ...) NOT-FOR-US: Tivoli CVE-2005-3566 (Buffer overflow in various ha commands of VERITAS Cluster Server for U ...) NOT-FOR-US: VERITAS Cluster Server CVE-2005-3565 (Unknown vulnerability in remshd daemon in HP-UX B.11.00, B.11.11, and ...) NOT-FOR-US: HP-UX CVE-2005-3564 (envd daemon in HP-UX B.11.00 through B.11.11 allows local users to obt ...) NOT-FOR-US: HP-UX CVE-2005-3563 REJECTED CVE-2005-3562 REJECTED CVE-2005-3561 REJECTED CVE-2005-3560 (Zone Labs (1) ZoneAlarm Pro 6.0, (2) ZoneAlarm Internet Security Suite ...) NOT-FOR-US: Zone Labs CVE-2005-3559 (Directory traversal vulnerability in vmail.cgi in Asterisk 1.0.9 throu ...) {DSA-1048-1} - asterisk 1:1.2.7.1.dfsg-2 (bug #338116; medium) CVE-2005-3558 (PHP file inclusion vulnerability in index.php in OSTE 1.0 allows remot ...) NOT-FOR-US: OSTE CVE-2005-3557 (Directory traversal vulnerability in admin/defaults.php in PHPlist 2.1 ...) - phplist (bug #612288) CVE-2005-3556 (Multiple cross-site scripting (XSS) vulnerabilities in PHPlist 2.10.1 ...) - phplist (bug #612288) CVE-2005-3555 (Multiple SQL injection vulnerabilities in PHPlist 2.10.1 and earlier a ...) - phplist (bug #612288) CVE-2005-3554 (Multiple eval injection vulnerabilities in the help function in PHPKIT ...) NOT-FOR-US: PHPKIT CVE-2005-3553 (Multiple SQL injection vulnerabilities in include.php in PHPKIT 1.6.1 ...) NOT-FOR-US: PHPKIT CVE-2005-3552 (Multiple cross-site scripting (XSS) vulnerabilities in PHPKIT 1.6.1 R2 ...) NOT-FOR-US: PHPKIT CVE-2005-3551 (toendaCMS before 0.6.2 stores user account and session data in the web ...) NOT-FOR-US: toendaCMS CVE-2005-3550 (Directory traversal vulnerability in admin.php in toendaCMS before 0.6 ...) NOT-FOR-US: toendaCMS CVE-2005-3549 (Direct code injection vulnerability in Task Manager in Invision Power ...) NOT-FOR-US: Invision Power Board CVE-2005-3548 (Directory traversal vulnerability in Task Manager in Invision Power Bo ...) NOT-FOR-US: Invision Power Board CVE-2005-3547 (Cross-site scripting (XSS) vulnerability in Invision Power Board 2.1 a ...) NOT-FOR-US: Invision Power Board CVE-2005-3546 (suid.cgi scripts in F-Secure (1) Internet Gatekeeper for Linux before ...) NOT-FOR-US: F-Secure Internet Gatekeeper and Antivirus Gateway CVE-2005-3545 (SQL injection vulnerability in index.php of the report module in ibPro ...) NOT-FOR-US: ibProArcade CVE-2005-3544 (Cross-site scripting (XSS) vulnerability in u2u.php in XMB 1.9.3 allow ...) NOT-FOR-US: XMB CVE-2005-3543 (SQL injection vulnerability in search.php in Phorum 5.0.0alpha through ...) NOT-FOR-US: Phorum CVE-2005-3542 REJECTED CVE-2005-3541 RESERVED CVE-2005-3540 (Buffer overflow in petris before 1.0.1 allows remote attackers to exec ...) {DSA-929-1} - petris 1.0.1-5 CVE-2005-3539 (Multiple eval injection vulnerabilities in HylaFAX 4.2.3 and earlier a ...) {DSA-933-1} - hylafax 2:4.2.4-2 (bug #347298) NOTE: First patch had regressions CVE-2005-3538 (hfaxd in HylaFAX 4.2.3, when PAM support is disabled, accepts arbitrar ...) - hylafax 2:4.2.4-1 [sarge] - hylafax (Affected only 4.2.3) [woody] - hylafax (Affected only 4.2.3) CVE-2005-3537 (A "missing request validation" error in phpBB 2 before 2.0.18 allows r ...) {DSA-925-1} - phpbb2 2.0.18-1 (bug #336582; medium) CVE-2005-3536 (SQL injection vulnerability in phpBB 2 before 2.0.18 allows remote att ...) {DSA-925-1} - phpbb2 2.0.18-1 (bug #336582; medium) CVE-2005-3535 (Buffer overflow in KETM 0.0.6 allows local users to execute arbitrary ...) {DSA-926-1} - ketm 0.0.6-17sarge1 (low) CVE-2005-3534 (Buffer overflow in the Network Block Device (nbd) server 2.7.5 and ear ...) {DSA-924-1} - nbd 1:2.8.3-1 CVE-2005-3533 (Buffer overflow in OSH before 1.7-15 allows local users to execute arb ...) {DSA-918-1} - osh 1.7-15 CVE-2005-3532 (authpam.c in courier-authdaemon for Courier Mail Server 0.37.3 through ...) {DSA-917-1} - courier 0.47-12 (bug #211920; medium) CVE-2005-3531 (fusermount in FUSE before 2.4.1, if installed setuid root, allows loca ...) {DTSA-27-1} - fuse 2.4.1-0.1 (bug #340398; low) [sarge] - fuse (Minor local DoS) CVE-2005-3530 (Cross-site scripting (XSS) vulnerability in Antville 1.1 allows remote ...) NOT-FOR-US: Antville CVE-2005-3529 (tiki-view_forum_thread.php in TikiWiki 1.9.0 through 1.9.2 allows remo ...) NOT-FOR-US: TikiWiki CVE-2005-3528 (Cross-site scripting (XSS) vulnerability in tiki-view_forum_thread.php ...) NOT-FOR-US: TikiWiki CVE-2005-3527 (Race condition in do_coredump in signal.c in Linux kernel 2.6 allows l ...) - linux-2.6 2.6.14-1 (low) - kernel-source-2.4.27 (Vulnerable code was introduced later) [sarge] - kernel-source-2.6.8 (Vulnerable code was introduced later) NOTE: http://svn.debian.org/wsvn/kernel/patch-tracking/CVE-2005-3527?op=file&rev=0&sc=0 CVE-2005-3526 (Buffer overflow in the IMAP daemon in Ipswitch Collaboration Suite 200 ...) NOT-FOR-US: Ipswitch Collaboration Suite CVE-2005-3525 (Stack-based buffer overflow in an ActiveX control for the installer fo ...) NOT-FOR-US: Adobe CVE-2005-3522 (Cross-site scripting (XSS) vulnerability in index.jsp in ManageEngine ...) NOT-FOR-US: ManageEngine NetflowAnalyzer CVE-2005-3521 (SQL injection vulnerability in resetcore.php in e107 0.617 through 0.6 ...) NOT-FOR-US: e107 CVE-2005-3520 (Multiple cross-site scripting (XSS) vulnerabilities in MySource 2.14.0 ...) NOT-FOR-US: MySource CVE-2005-3519 (Multiple PHP file inclusion vulnerabilities in MySource 2.14.0 allow r ...) NOT-FOR-US: MySource CVE-2005-3518 (SQL injection vulnerability in search.php in PunBB 1.2.7 and 1.2.8 all ...) NOT-FOR-US: PunBB CVE-2005-3517 (Chipmunk Scripts Guestbook allows remote attackers to obtain the insta ...) NOT-FOR-US: Chipmunk Scripts Guestbook CVE-2005-3516 (Cross-site scripting (XSS) vulnerability in recommend.php in Chipmunk ...) NOT-FOR-US: Chipmunk Directory CVE-2005-3515 (Cross-site scripting (XSS) vulnerability in recommend.php in Chipmunk ...) NOT-FOR-US: Chipmunk Topsites CVE-2005-3514 (Multiple cross-site scripting (XSS) vulnerabilities in Chipmunk Forum ...) NOT-FOR-US: Chipmunk Forum CVE-2005-3513 (index.php in VUBB alpha rc1 allows remote attackers to obtain the inst ...) NOT-FOR-US: VUBB CVE-2005-3512 (Cross-site scripting (XSS) vulnerability in index.php in VUBB alpha rc ...) NOT-FOR-US: VUBB CVE-2005-3511 (Multiple cross-site scripting (XSS) vulnerabilities in Spymac Web OS 4 ...) NOT-FOR-US: Spymac Web OS CVE-2005-3510 (Apache Tomcat 5.5.0 to 5.5.11 allows remote attackers to cause a denia ...) - tomcat5 (Debian's 5.0 version is not vulnerable) CVE-2005-3509 (Multiple SQL injection vulnerabilities in JPortal allow remote attacke ...) NOT-FOR-US: JPortal CVE-2005-3508 (SQL injection vulnerability in showGallery.php in Gallery (Galerie) 2. ...) NOT-FOR-US: Tonio gallery (not the one in the gallery debian package) CVE-2005-3507 (Directory traversal vulnerability in CuteNews 1.4.1 allows remote atta ...) NOT-FOR-US: CuteNews CVE-2005-3506 (Cross-site scripting (XSS) vulnerability in proxy.asp in Sambar Server ...) NOT-FOR-US: Sambar CVE-2005-3505 (Cross-site scripting (XSS) vulnerability in the Entropy Chat script in ...) NOT-FOR-US: Entropy Chat Script CVE-2005-3504 (Buffer overflow in swcons in IBM AIX 5.2, when debug malloc is enabled ...) NOT-FOR-US: AIX CVE-2005-3503 (chfn in pwdutils 3.0.4 and earlier on SuSE Linux, and possibly other o ...) NOT-FOR-US: SuSE fork of passwd CVE-2005-3502 (attachment_send.php in Cerberus Helpdesk allows remote attackers to vi ...) NOT-FOR-US: Cerberus Helpdesk CVE-2005-3499 (Frisk F-Prot Antivirus allows remote attackers to bypass protection vi ...) NOT-FOR-US: F-Prot Antivirus CVE-2005-3498 (IBM WebSphere Application Server 5.0.x before 5.02.15, 5.1.x before 5. ...) NOT-FOR-US: WebSphere CVE-2005-3497 NOT-FOR-US: PHP Handicapper CVE-2005-3496 (Cross-site scripting (XSS) vulnerability in PHP Handicapper allows rem ...) NOT-FOR-US: PHP Handicapper CVE-2005-3495 (Ar-blog 5.2 and earlier allows remote attackers to bypass authenticati ...) NOT-FOR-US: Ar-blog CVE-2005-3494 (Cross-site scripting (XSS) vulnerability in Ar-blog 5.2 and earlier al ...) NOT-FOR-US: Ar-blog CVE-2005-3493 (Battle Carry .005 and earlier allows remote attackers to cause a denia ...) NOT-FOR-US: Battle Carry CVE-2005-3492 (FlatFrag 0.3 and earlier allows remote attackers to cause a denial of ...) NOT-FOR-US: FlatFrag CVE-2005-3491 (Multiple buffer overflows in the receiver function in loop.c in FlatFr ...) NOT-FOR-US: FlatFrag CVE-2005-3490 (Directory traversal vulnerability in the web server in Asus Video Secu ...) NOT-FOR-US: Asus Video Security CVE-2005-3489 (Buffer overflow in Asus Video Security 3.5.0.0 and earlier, when using ...) NOT-FOR-US: Asus Video Security CVE-2005-3488 (Scorched 3D 39.1 (bf) and earlier allows remote attackers to cause a d ...) - scorched3d 39.1+cvs20050929-2 (bug #337403; medium) CVE-2005-3487 (Multiple buffer overflows in Scorched 3D 39.1 (bf) and earlier allow r ...) - scorched3d 39.1+cvs20050929-2 (bug #337403; medium) CVE-2005-3486 (Multiple format string vulnerabilities in Scorched 3D 39.1 (bf) and ea ...) - scorched3d 39.1+cvs20050929-2 (bug #337403; medium) CVE-2005-3485 (Buffer overflow in Glider Collect'n kill 1.0.0.0 allows remote attacke ...) NOT-FOR-US: Glider Collect'n kill CVE-2005-3484 (Directory traversal vulnerability in NeroNET 1.2.0.2 and earlier allow ...) NOT-FOR-US: NeroNET CVE-2005-3483 (Buffer overflow in GO-Global for Windows 3.1.0.3270 and earlier allows ...) NOT-FOR-US: GO-Global CVE-2004-2540 (readObject in (1) Java Runtime Environment (JRE) and (2) Software Deve ...) NOT-FOR-US: Proprietary Java CVE-2003-1283 (KaZaA Media Desktop (KMD) 2.0 launches advertisements in the Internet ...) NOT-FOR-US: Kazaa CVE-2003-1282 (IBM Net.Data allows remote attackers to obtain sensitive information s ...) NOT-FOR-US: IBM Net.Data CVE-2003-1281 (cgihtml 1.69 allows local users to overwrite arbitrary files via a sym ...) NOT-FOR-US: cgihtml CVE-2003-1280 (Directory traversal vulnerability in cgihtml 1.69 allows remote attack ...) NOT-FOR-US: cgihtml CVE-2003-1279 (S-PLUS 6.0 allows local users to overwrite arbitrary files and possibl ...) NOT-FOR-US: S-PLUS CVE-2003-1278 (Cross-site scripting vulnerability (XSS) in OpenTopic 2.3.1 allows rem ...) NOT-FOR-US: OpenTopic CVE-2003-1277 (Cross-site scripting (XSS) vulnerabilities in Yet Another Bulletin Boa ...) NOT-FOR-US: YaBB CVE-2003-1276 (Netfone.exe of NetTelephone 3.5.6 uses weak encryption for user PIN's ...) NOT-FOR-US: NetTelephone CVE-2003-1275 (Pocket Internet Explorer (PIE) 3.0 allows remote attackers to cause a ...) NOT-FOR-US: Pocket Internet Explorer CVE-2003-1274 (Winamp 3.0 allows remote attackers to cause a denial of service (crash ...) NOT-FOR-US: Winamp CVE-2003-1273 (Winamp 3.0 allows remote attackers to cause a denial of service (crash ...) NOT-FOR-US: Winamp CVE-2003-1272 (Multiple buffer overflows in Winamp 3.0 allow remote attackers to caus ...) NOT-FOR-US: Winamp CVE-2003-1271 (Cross-site scripting vulnerability (XSS) in AN HTTP 1.41e allows remot ...) NOT-FOR-US: AN HTTP CVE-2003-1270 (AN HTTP 1.41e allows remote attackers to cause a denial of service (bo ...) NOT-FOR-US: AN HTTP CVE-2003-1269 (AN HTTP 1.41e allows remote attackers to obtain the root web server pa ...) NOT-FOR-US: AN HTTP CVE-2003-1268 (Multiple SQL injection vulnerabilities in (1) addcustomer.asp, (2) add ...) NOT-FOR-US: a.shopKart CVE-2003-1267 (GuildFTPd 0.999 allows remote attackers to cause a denial of service ( ...) NOT-FOR-US: GuildFTPd CVE-2003-1266 (The (1) FTP, (2) POP3, (3) SMTP, and (4) NNTP servers in EServer 2.92 ...) NOT-FOR-US: EServer CVE-2003-1265 (Netscape 7.0 and Mozilla 5.0 do not immediately delete messages in the ...) NOT-FOR-US: Ancient Mozilla issue CVE-2003-1264 (TFTP server in Longshine Wireless Access Point (WAP) LCS-883R-AC-B, an ...) NOT-FOR-US: Longshine hardware CVE-2003-1263 (ICAL.EXE in iCal 3.7 allows remote attackers to cause a denial of serv ...) NOT-FOR-US: iCal CVE-2003-1262 (Buffer overflow in the http_fetch function of HTTP Fetcher 1.0.0 and 1 ...) - libhttpfetcher 1.1.0-1 CVE-2003-1261 (Buffer overflow in CuteFTP 5.0 and 5.0.1 allows local users to cause a ...) NOT-FOR-US: CuteFTP CVE-2003-1260 (Buffer overflow in CuteFTP 5.0 allows remote attackers to execute arbi ...) NOT-FOR-US: CuteFTP CVE-2003-1259 (Buffer overflow in CuteFTP 4.2 and 5.0 allows remote attackers to caus ...) NOT-FOR-US: CuteFTP CVE-2003-1258 (activate.php in versatileBulletinBoard (vBB) 0.9.5 and 0.9.6 allows re ...) NOT-FOR-US: versatileBulletinBoard CVE-2003-1257 (find_theni_home.php in E-theni allows remote attackers to obtain sensi ...) NOT-FOR-US: E-theni CVE-2003-1256 (aff_liste_langue.php in E-theni allows remote attackers to execute arb ...) NOT-FOR-US: E-theni CVE-2003-1255 (add_bookmark.php in Active PHP Bookmarks (APB) 1.1.01 allows remote at ...) NOT-FOR-US: Active PHP Bookmarks CVE-2003-1254 (Active PHP Bookmarks (APB) 1.1.01 allows remote attackers to execute a ...) NOT-FOR-US: Active PHP Bookmarks CVE-2003-1253 (PHP remote file inclusion vulnerability in Bookmark4U 1.8.3 allows rem ...) NOT-FOR-US: Bookmark4U CVE-2003-1252 (register.php in S8Forum 3.0 allows remote attackers to execute arbitra ...) NOT-FOR-US: S8Forum CVE-2003-1251 (The (1) menu.inc.php, (2) datasets.php and (3) mass_operations.inc.php ...) NOT-FOR-US: N/X 2000 CVE-2003-1250 (Efficient Networks 5861 DSL router, when running firmware 5.3.80 confi ...) NOT-FOR-US: Efficient Networks hardware issue CVE-2003-1249 (WebIntelligence 2.7.1 uses guessable user session cookies, which allow ...) NOT-FOR-US: WebIntelligence CVE-2003-1248 (H-Sphere WebShell 2.3 allows remote attackers to execute arbitrary com ...) NOT-FOR-US: WebShell CVE-2003-1247 (Multiple buffer overflows in H-Sphere WebShell 2.3 allow remote attack ...) NOT-FOR-US: WebShell CVE-2003-1246 (NtCreateSymbolicLinkObject in ntdll.dll in Integrity Protection Driver ...) NOT-FOR-US: Integrity Protection Driver CVE-2003-1245 (index2.php in Mambo 4.0.12 allows remote attackers to gain administrat ...) NOT-FOR-US: Mambo CVE-2003-1244 (SQL injection vulnerability in page_header.php in phpBB 2.0, 2.0.1 and ...) - phpbb2 (Fixed before upload into archive; 2.0.3) CVE-2003-1243 (Cross-site scripting vulnerability (XSS) in Sage 1.0 b3 allows remote ...) NOT-FOR-US: Sage CVE-2003-1242 (Sage 1.0 b3 allows remote attackers to obtain the root web server path ...) NOT-FOR-US: Sage CVE-2003-1241 (Cross-site scripting vulnerability (XSS) in (1) admin_index.php, (2) a ...) NOT-FOR-US: MyGuestbook CVE-2003-1240 (PHP remote file inclusion vulnerability in CuteNews 0.88 allows remote ...) NOT-FOR-US: CuteNews CVE-2003-1239 (Directory traversal vulnerability in sendphoto.php in WihPhoto 0.86 al ...) NOT-FOR-US: WihPhoto CVE-2003-1238 (Cross-site scripting vulnerability (XSS) in Nuked-Klan 1.3 beta and ea ...) NOT-FOR-US: Nuked-Klan CVE-2003-1237 (Cross-site scripting vulnerability (XSS) in WWWBoard 2.0A2.1 and earli ...) NOT-FOR-US: WWWBoard CVE-2003-1236 (Multiple format string vulnerabilities in the logger function in netzi ...) NOT-FOR-US: Tanne CVE-2003-1235 (BRW WebWeaver 1.03 allows remote attackers to obtain sensitive server ...) NOT-FOR-US: BRW WebWeaver CVE-2003-1234 (Integer overflow in the f_count counter in FreeBSD before 4.2 through ...) NOT-FOR-US: Old FreeBSD bug, should be fixed wrt the KFreeBSD port CVE-2002-2207 (Buffer overflow in ssldump 0.9b2 and earlier, when running in decrypti ...) - ssldump 0.9b3 CVE-2002-2206 (The POP3 proxy service (POPROXY.EXE) in Norton AntiVirus 2001 allows l ...) NOT-FOR-US: Norton AntiVirus CVE-2002-2205 (Buffer overflow in Webresolve 0.1.0 and earlier allows remote attacker ...) NOT-FOR-US: webresolve CVE-2002-2204 (The default --checksig setting in RPM Package Manager 4.0.4 checks tha ...) NOTE: verified with rpm 4.4.1, but this can hardly affect debian at NOTE: all since it requires rpm be configured to trust some key, NOTE: which in debian requires a manual and non-documented NOTE: initialization of the rpm database which is not configured in NOTE: the package CVE-2002-2203 (Unknown vulnerability in the System Serial Console terminal in Solaris ...) NOT-FOR-US: Solaris CVE-2002-2202 (Outlook Express 6.0 does not delete messages from dbx files, even when ...) NOT-FOR-US: Outlook Express CVE-2002-2201 (The Printer Administration module for Webmin 0.990 and earlier allows ...) - webmin 1.000 (high) CVE-2002-2200 (Benjamin Lefevre Dobermann FORUM 0.5 and earlier allows remote attacke ...) NOT-FOR-US: (Benjamin Lefevre Dobermann FORUM) CVE-2002-2199 (The default aide.conf file in Advanced Intrusion Detection Environment ...) NOTE: freebsd misconfiguration CVE-2002-2198 (Buffer overflow in ZMailer before 2.99.51_1 allows remote attackers to ...) - zmailer 2.99.56-1 (high) NOTE: May have been fixed earlier, 2.99.51 was never uploaded to Debian. CVE-2002-2197 (Unknown vulnerability in Sun Solaris 8.0 allows local users to cause a ...) NOT-FOR-US: Solaris CVE-2002-2196 (Samba before 2.2.5 does not properly terminate the enum_csc_policy dat ...) - samba 2.2.5 (high) CVE-2002-2195 (Buffer overflow in the version update check for Winamp 2.80 and earlie ...) NOT-FOR-US: Winamp CVE-2002-2194 REJECTED CVE-2002-2193 (Cross-site scripting (XSS) vulnerability in mojo.cgi for Mojo Mail 2.7 ...) NOT-FOR-US: Mojo Mail CVE-2002-2192 (Cross-site scripting (XSS) vulnerability in Perception LiteServe 2.0.1 ...) NOT-FOR-US: Perception LiteServe CVE-2002-2191 (Lotus Domino 5.0.9a and earlier, even when configured with the 'Domino ...) NOT-FOR-US: (Lotus Domino CVE-2002-2190 (ArtsCore Studios CuteCast Forum 1.2 stores passwords in plaintext unde ...) NOT-FOR-US: ArtsCore Studios CuteCast Forum CVE-2002-2189 (Cross-site scripting (XSS) vulnerability in ActiveXperts Software Acti ...) NOT-FOR-US: ActiveXperts Software ActiveWebserver CVE-2002-2188 (OpenBSD before 3.2 allows local users to cause a denial of service (ke ...) NOT-FOR-US: OpenBSD kernel CVE-2002-2187 (Unknown "file disclosure" vulnerability in Macromedia JRun 3.0, 3.1, a ...) NOT-FOR-US: Macromedia JRun CVE-2002-2186 (Macromedia JRun 3.0, 3.1, and 4.0 allow remote attackers to view the s ...) NOT-FOR-US: Macromedia JRun CVE-2002-2185 (The Internet Group Management Protocol (IGMP) allows local users to ca ...) NOTE: fixed in IRIX.. CVE-2002-2184 (Digi-Net Technologies DigiChat 3.5 allows chat users to obtain the IP ...) NOT-FOR-US: DigiChat CVE-2002-2183 (phpShare.php in phpShare before 0.6 beta 3 allows remote attackers to ...) NOT-FOR-US: phpShare CVE-2002-2182 (Buffer overflow in Seunghyun Seo's MSN666 MSN Sniffer 1.0 and 1.0.1 al ...) NOT-FOR-US: MSN666 CVE-2002-2181 (SonicWall Content Filtering allows local users to access prohibited we ...) NOT-FOR-US: SonicWall CVE-2002-2180 (The setitimer(2) system call in OpenBSD 2.0 through 3.1 does not prope ...) NOT-FOR-US: OpenBSD kernel CVE-2002-2179 (The dynamic initialization feature of the ClearPath MCP environment al ...) NOT-FOR-US: ClearPath MCP CVE-2002-2178 (Cross-site scripting (XSS) vulnerability in article.php module for php ...) NOT-FOR-US: phpWebSite CVE-2002-2177 (BEA WebLogic Server and Express 6.1 through 7.0.0.1 buffers HTTP reque ...) NOT-FOR-US: BEA CVE-2002-2176 (SQL injection vulnerability in Gender MOD 1.1.3 allows remote attacker ...) NOT-FOR-US: Gender MOD CVE-2002-2175 (phpSquidPass before 0.2 uses an incomplete regular expression to find ...) NOT-FOR-US: phpSquidPass CVE-2002-2174 (The Telnet proxy of 602Pro LAN SUITE 2002 does not restrict the number ...) NOT-FOR-US: 602Pro LAN SUITE CVE-2002-2173 (Buffer overflow in the IRC module of Trillian 0.725 and 0.73 allowing ...) NOT-FOR-US: Cerulean Trillian CVE-2002-2172 (Informed (1) Designer and (2) Filler 3.05 does not zero out newly allo ...) NOT-FOR-US: Informed Designer, Informed Filler CVE-2002-2171 (Cross-site scripting (XSS) vulnerability in acWEB 1.8 and 1.14 allows ...) NOT-FOR-US: acWEB CVE-2002-2170 (Working Resources Inc. BadBlue Enterprise Edition 1.7 through 1.74 att ...) NOT-FOR-US: BadBlue Enterprise Edition CVE-2002-2169 (Cross-site scripting vulnerability AOL Instant Messenger (AIM) 4.5 and ...) NOT-FOR-US: AIM CVE-2002-2168 (SQL injection vulnerability in Thorsten Korner 123tkShop before 0.3.1 ...) NOT-FOR-US: 123tkShop CVE-2002-2167 (Directory traversal vulnerability in function_foot_1.inc.php for Thors ...) NOT-FOR-US: 123tkShop CVE-2002-2166 (Cross-site scripting (XSS) vulnerability in FuseTalk 2.0 and 3.0 allow ...) NOT-FOR-US: FuseTalk CVE-2002-2165 (The IMHO Webmail module 0.97.3 and earlier for Roxen leaks the REFERER ...) NOT-FOR-US: IMHO Webmail for Roxen CVE-2002-2164 (Buffer overflow in Microsoft Outlook Express 5.0, 5.5, and 6.0 allows ...) NOT-FOR-US: MSIE CVE-2002-2163 (KvPoll 1.1 allows remote authenticated users to vote more than once by ...) NOT-FOR-US: KvPoll CVE-2002-2162 (Cerulean Studios Trillian 0.73 and earlier use weak encrypttion (XOR) ...) NOT-FOR-US: Cerulean Trillian CVE-2002-2161 (Kerio Personal Firewall (KPF) 2.1.4 and earlier allows remote attacker ...) NOT-FOR-US: Kerio Personal Firewall CVE-2002-2160 REJECTED CVE-2002-2159 (Linksys EtherFast Cable/DSL BEFSR11, BEFSR41 and BEFSRU31 with the fir ...) NOT-FOR-US: Linksys hardware CVE-2002-2158 (zenTrack 2.0.3 and earlier allows remote attackers to obtain the full ...) NOT-FOR-US: zenTrack CVE-2002-2157 REJECTED CVE-2002-2156 (Buffer overflow in Trillian 0.73 allows remote IRC servers to execute ...) NOT-FOR-US: Cerulean Trillian CVE-2002-2155 (Format string vulnerability in the error handling of IRC invite respon ...) NOT-FOR-US: Cerulean Trillian CVE-2002-2154 (Directory traversal vulnerability in Monkey HTTP Daemon 0.1.4 allows r ...) NOT-FOR-US: Monkey HTTP Daemon CVE-2002-2153 (Format string vulnerability in the administrative pages of the PL/SQL ...) NOT-FOR-US: Oracle Application Server CVE-2002-2152 (The Czech edition of Software602's Web Server before 2002.0.02.0916 al ...) NOT-FOR-US: Software602 CVE-2002-2151 REJECTED CVE-2002-2150 (Firewalls from multiple vendors empty state tables more slowly than th ...) NOTE: SYN floods etc generally filed as issues in linux specifically NOTE: if it is affected CVE-2002-2149 (Buffer overflow in Lucent Access Point 300, 600, and 1500 Service Rout ...) NOT-FOR-US: Lucent Access Point CVE-2002-2148 (Lucent Ascend MAX Router 5.0 and earlier, Lucent Ascend Pipeline Route ...) NOT-FOR-US: Lucent MAX Router CVE-2002-2147 REJECTED CVE-2002-2146 (cgitest.exe in Savant Web Server 3.1 and earlier allows remote attacke ...) NOT-FOR-US: Savant Web Server CVE-2002-2145 (Savant Web Server 3.1 and earlier allows remote attackers to bypass au ...) NOT-FOR-US: Savant Web Server CVE-2002-2144 (Directory traversal vulnerability in BearShare 4.0.5 and 4.0.6 allows ...) NOT-FOR-US: BearShare CVE-2002-2143 (The admin.html file in MySimple News 1.0 stores its administrative pas ...) NOT-FOR-US: MySimple News CVE-2002-2142 (An undocumented extension for the Servlet mappings in the Servlet 2.3 ...) NOT-FOR-US: BEA CVE-2002-2141 (BEA WebLogic Server and Express 7.0 and 7.0.0.1, when running Servlets ...) NOT-FOR-US: BEA CVE-2002-2140 (Buffer overflow in Cisco PIX Firewall 5.2.x to 5.2.8, 6.0.x to 6.0.3, ...) NOT-FOR-US: Cisco CVE-2002-2139 (Cisco PIX Firewall 6.0.3 and earlier, and 6.1.x to 6.1.3, do not delet ...) NOT-FOR-US: Cisco CVE-2002-2138 (RFC-NETBIOS in HP Advanced Server/9000 B.04.05 through B.04.09, when r ...) NOT-FOR-US: HP Advanced Server CVE-2002-2137 (GlobalSunTech Wireless Access Points (1) WISECOM GL2422AP-0T, and poss ...) NOT-FOR-US: GlobalSunTech Wireless Access Points CVE-2002-2136 REJECTED CVE-2002-2135 REJECTED CVE-2002-2134 (haut.php in PEEL 1.0b allows remote attackers to execute arbitrary PHP ...) NOT-FOR-US: PEEL CVE-2002-2133 (Telindus 1100 ASDL router running firmware 6.0.x uses weak encryption ...) NOT-FOR-US: Telindus 1100 ASDL router CVE-2002-2132 (Windows File Protection (WFP) in Windows 2000 and XP does not remove o ...) NOT-FOR-US: Windows CVE-2002-2131 (Directory traversal vulnerability in Perl-HTTPd before 1.0.2 allows re ...) NOT-FOR-US: Perl-HTTPd CVE-2002-2130 (publish_xp_docs.php in Gallery 1.3.2 allows remote attackers to execut ...) - gallery 1.3.3 (high) CVE-2002-2129 (Cross-site scripting vulnerability (XSS) in editform.php for w-Agora 4 ...) NOT-FOR-US: w-Agora CVE-2002-2128 (editform.php in w-Agora 4.1.5 allows local users to execute arbitrary ...) NOT-FOR-US: w-Agora CVE-2002-2127 (Integrity Protection Driver (IPD) 1.2 and earlier blocks access to \De ...) NOT-FOR-US: Integrity Protection Driver (IPD) CVE-2002-2126 (restrictEnabled in Integrity Protection Driver (IPD) 1.2 delays driver ...) NOT-FOR-US: Integrity Protection Driver (IPD) CVE-2002-2125 (Internet Explorer 6.0 does not warn users when an expired certificate ...) NOT-FOR-US: MSIE CVE-2000-1238 (BEA Systems WebLogic Express and WebLogic Server 5.1 SP1-SP6 allows re ...) NOT-FOR-US: BEA Weblogic CVE-2005-3621 (CRLF injection vulnerability in phpMyAdmin before 2.6.4-pl4 allows rem ...) {DSA-1207-1} - phpmyadmin 4:2.6.4-pl4-1 (bug #339437; medium) NOTE: https://www.phpmyadmin.net/security/PMASA-2005-6/ CVE-2005-3524 (Buffer overflow in the SSL-ready version of linux-ftpd (linux-ftpd-ssl ...) {DSA-896-1} - linux-ftpd-ssl 0.17.18+0.3-5 (bug #339074; high) CVE-2005-3807 (Memory leak in the VFS file lease handling in locks.c in Linux kernels ...) - linux-2.6 2.6.14-4 CVE-2005-3857 (The time_out_leases function in locks.c for Linux kernel before 2.6.15 ...) {DSA-1018-1 DSA-1017-1} - linux-2.6 2.6.14-4 (low) CVE-2005-XXXX [user logout in drupal has no effect] [sarge] - drupal (bug was introduced after 4.5.3) - drupal 4.5.5-3 (bug #336719; medium) CVE-2005-XXXX [double free() in libungif] - libungif4 4.1.4-1 (bug #338542; medium) CVE-2005-3523 (Format string vulnerability in friendsd2 in GpsDrive allows remote att ...) {DSA-891-1} - gpsdrive 2.09-2sarge1 (bug #337495; medium) CVE-2005-XXXX [Insecure temp files in note] - note 1.3.1-3 (bug #337492; unimportant) NOTE: Second issue not shipped in binary, only example, first issue not sufficiently NOTE: predictable for a real world attack CVE-2005-3500 (The tnef_attachment function in tnef.c for Clam AntiVirus (ClamAV) bef ...) {DSA-887-1 DTSA-21-1} - clamav 0.87.1-1 (medium) CVE-2005-3501 (The cabd_find function in cabd.c of the libmspack library (mspack) for ...) {DSA-887-1 DTSA-21-1} - clamav 0.87.1-1 (medium) CVE-2005-3482 (Cisco 1200, 1131, and 1240 series Access Points, when operating in Lig ...) NOT-FOR-US: Cisco CVE-2005-3481 (Cisco IOS 12.0 to 12.4 might allow remote attackers to execute arbitra ...) NOT-FOR-US: IOS CVE-2005-3480 (login.asp in Ringtail CaseBook 6.1.0 displays different error messages ...) NOT-FOR-US: Ringtail CaseBook CVE-2005-3479 (Cross-site scripting (XSS) vulnerability in login.asp in Ringtail Case ...) NOT-FOR-US: Ringtail CaseBook CVE-2005-3478 (SQL injection vulnerability in index.php in PHPCafe.net Tutorials Mana ...) NOT-FOR-US: PHPCafe Tutorial Manager CVE-2005-3477 (Multiple interpretation error in the image upload handling code in Inv ...) NOT-FOR-US: Invision Gallery CVE-2005-3476 (Unspecified vulnerability in HP OpenVMS Integrity 8.2-1 and 8.2, and O ...) NOT-FOR-US: OpenVMS CVE-2005-3475 (Hasbani Web Server (WindWeb) 2.0 allows remote attackers to cause a de ...) NOT-FOR-US: Hasbani Web Server CVE-2005-3474 (The aries.sys driver in Sony First4Internet XCP DRM software hides any ...) NOT-FOR-US: XCP DRM CVE-2005-3473 (Multiple cross-site scripting (XSS) vulnerabilities in Simple PHP Blog ...) NOT-FOR-US: Simple PHP Blog CVE-2005-3472 (Unspecified vulnerability in Sun Java System Communications Express 20 ...) NOT-FOR-US: Sun Java System Communications Express CVE-2005-3471 (Directory traversal vulnerability in the ruleset view for MailWatch fo ...) NOT-FOR-US: MailWatch for MailScanner CVE-2005-3470 (SQL injection vulnerability in in the authenticate function in MailWat ...) NOT-FOR-US: MailWatch for MailScanner CVE-2005-3469 (SQL injection vulnerability in index.php in News2Net 3.0.0.0 allows re ...) NOT-FOR-US: News2Net CVE-2005-3468 (Directory traversal vulnerability in F-Secure Anti-Virus for Microsoft ...) NOT-FOR-US: F-Secure CVE-2005-3467 (Serv-U FTP Server before 6.1.0.4 allows attackers to cause a denial of ...) NOT-FOR-US: Serv-U FTP Server CVE-2005-3466 (Unspecified vulnerability in Enterprise CRM Sales in Oracle 8.81 up to ...) NOT-FOR-US: Oracle CVE-2005-3465 (Unspecified vulnerability in JDEdwards HTML Server in Oracle Enterpris ...) NOT-FOR-US: Oracle CVE-2005-3464 (Unspecified vulnerability in PeopleTools in Oracle PeopleSoft Enterpri ...) NOT-FOR-US: Oracle CVE-2005-3463 (Unspecified vulnerability in PeopleTools in Oracle PeopleSoft Enterpri ...) NOT-FOR-US: Oracle CVE-2005-3462 (Unspecified vulnerability in PeopleTools in Oracle PeopleSoft Enterpri ...) NOT-FOR-US: Oracle CVE-2005-3461 (Unspecified vulnerability in PeopleTools in Oracle PeopleSoft Enterpri ...) NOT-FOR-US: Oracle CVE-2005-3460 (Unspecified vulnerability in Oracle Agent in Oracle Enterprise Manager ...) NOT-FOR-US: Oracle CVE-2005-3459 (Unspecified vulnerability in Oracle E-Business Suite and Applications ...) NOT-FOR-US: Oracle CVE-2005-3458 (Unspecified vulnerability in Oracle E-Business Suite and Applications ...) NOT-FOR-US: Oracle CVE-2005-3457 (Unspecified vulnerability in Oracle E-Business Suite and Applications ...) NOT-FOR-US: Oracle CVE-2005-3456 (Multiple unspecified vulnerabilities in Oracle E-Business Suite and Ap ...) NOT-FOR-US: Oracle CVE-2005-3455 (Multiple unspecified vulnerabilities in Oracle E-Business Suite and Ap ...) NOT-FOR-US: Oracle CVE-2005-3454 (Multiple unspecified vulnerabilities in Oracle Collaboration Suite 10g ...) NOT-FOR-US: Oracle CVE-2005-3453 (Multiple unspecified vulnerabilities in Web Cache in Oracle Applicatio ...) NOT-FOR-US: Oracle CVE-2005-3452 (Unspecified vulnerability in Web Cache in Oracle Application Server 1. ...) NOT-FOR-US: Oracle CVE-2005-3451 (Unspecified vulnerability in SQL*ReportWriter in Oracle Application Se ...) NOT-FOR-US: Oracle CVE-2005-3450 (Unspecified vulnerability in the HTTP Server in Oracle Application Ser ...) NOT-FOR-US: Oracle CVE-2005-3449 (Multiple unspecified vulnerabilities in Oracle Application Server 9.0 ...) NOT-FOR-US: Oracle CVE-2005-3448 (Unspecified vulnerability in the OC4J Module in Oracle Application Ser ...) NOT-FOR-US: Oracle CVE-2005-3447 (Unspecified vulnerability in Single Sign-On in Oracle Database Server ...) NOT-FOR-US: Oracle CVE-2005-3446 (Unspecified vulnerability in Internet Directory in Oracle Database Ser ...) NOT-FOR-US: Oracle CVE-2005-3445 (Multiple unspecified vulnerabilities in HTTP Server in Oracle Database ...) NOT-FOR-US: Oracle CVE-2005-3444 (Multiple unspecified vulnerabilities in the Programmatic Interface in ...) NOT-FOR-US: Oracle CVE-2005-3443 (Unspecified vulnerability in the Spatial component in Oracle Database ...) NOT-FOR-US: Oracle CVE-2005-3442 (Multiple unspecified vulnerabilities in Oracle Database Server 8i up t ...) NOT-FOR-US: Oracle CVE-2005-3441 (Unspecified vulnerability in Intelligent Agent in Oracle Database Serv ...) NOT-FOR-US: Oracle CVE-2005-3440 (Unspecified vulnerability in Database Scheduler in Oracle Database Ser ...) NOT-FOR-US: Oracle CVE-2005-3439 (Multiple unspecified vulnerabilities in Oracle Database Server 10g up ...) NOT-FOR-US: Oracle CVE-2005-3438 (Multiple unspecified vulnerabilities in Oracle Database Server 9i up t ...) NOT-FOR-US: Oracle CVE-2005-3437 (Unspecified vulnerability in the PL/SQL component in Oracle Database S ...) NOT-FOR-US: Oracle CVE-2005-3436 (Cross-site scripting (XSS) vulnerability in Nuked-Klan 1.7 allows remo ...) NOT-FOR-US: Nuked-Klan CVE-2005-3435 (admin_news.php in Archilles Newsworld up to 1.3.0 allows attackers to ...) NOT-FOR-US: Archilles Newsworld CVE-2005-3434 (Archilles Newsworld before 1.5.0-rc1 stores (1) account.nwd and (2) se ...) NOT-FOR-US: Archilles Newsworld CVE-2005-3433 (Buffer overflow in Mirabilis ICQ 2003a allows user-assisted attackers ...) NOT-FOR-US: Mirabilis ICQ CVE-2005-3432 (MiniGal 2 (MG2) 0.5.1 allows remote attackers to list password protect ...) NOT-FOR-US: MiniGal2 CVE-2005-3431 (Absolute path traversal vulnerability in Rockliffe MailSite Express be ...) NOT-FOR-US: MailSite Express CVE-2005-3430 (Incomplete blacklist vulnerability in Rockliffe MailSite Express befor ...) NOT-FOR-US: MailSite Express CVE-2005-3429 (Rockliffe MailSite Express before 6.1.22, with the option to save logi ...) NOT-FOR-US: MailSite Express CVE-2005-3428 (Cross-site scripting (XSS) vulnerability in Rockliffe MailSite Express ...) NOT-FOR-US: MailSite Express CVE-2005-3427 (The Cisco Management Center (MC) for IPS Sensors (IPS MC) 2.1 can omit ...) NOT-FOR-US: IPS Sensors CVE-2005-3426 (Cisco CSS 11500 Content Services Switch (CSS) with SSL termination ser ...) NOT-FOR-US: Cisco CVE-2005-3425 (Cross-site scripting (XSS) vulnerability in GNUMP3D before 2.9.6 allow ...) {DSA-877-1} - gnump3d 2.9.6-1 CVE-2005-3424 (Cross-site scripting (XSS) vulnerability in GNUMP3D before 2.9.5 allow ...) {DSA-877-1} - gnump3d 2.9.5-1 (low) CVE-2005-3423 (Multiple SQL injection vulnerabilities in Subdreamer 2.2.1 allow remot ...) NOT-FOR-US: Subdreamer CVE-2005-3422 (Cross-site scripting (XSS) vulnerability in error.asp in ASP Fast Foru ...) NOT-FOR-US: ASP Fast Forum CVE-2005-3421 (estcmd in Hyper Estraier 1.0.1 on Windows systems allows remote attack ...) NOT-FOR-US: Hyper Estraier CVE-2005-3420 (usercp_register.php in phpBB 2.0.17 allows remote attackers to modify ...) {DSA-925-1} - phpbb2 2.0.18-1 (bug #336582; bug #336587) NOTE: http://www.hardened-php.net/advisory_172005.75.html NOTE: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=336756 NOTE: Remote code execution may be possible, especially in conjunction NOTE: with PHP bugs. CVE-2005-3419 (SQL injection vulnerability in usercp_register.php in phpBB 2.0.17 all ...) {DSA-925-1} - phpbb2 2.0.18-1 (bug #336582; bug #336587) CVE-2005-3418 (Multiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.17 an ...) {DSA-925-1} - phpbb2 2.0.18-1 (bug #336582; bug #336587) CVE-2005-3417 (phpBB 2.0.17 and earlier, when the register_long_arrays directive is d ...) {DSA-925-1} - phpbb2 2.0.18-1 (bug #336582; bug #336587) CVE-2005-3416 (phpBB 2.0.17 and earlier, when register_globals is enabled and the ses ...) {DSA-925-1} - phpbb2 2.0.18-1 (bug #336582; bug #336587) CVE-2005-3415 (phpBB 2.0.17 and earlier allows remote attackers to bypass protection ...) {DSA-925-1} - phpbb2 2.0.18-1 (bug #336582; bug #336587) CVE-2005-3414 (eyeOS 0.8.4 stores usrinfo.xml under the web document root with insuff ...) NOT-FOR-US: eyeOS CVE-2005-3413 (Cross-site scripting (XSS) vulnerability in desktop.php in eyeOS 0.8.4 ...) NOT-FOR-US: eyeOS CVE-2005-3412 (Cross-site scripting (XSS) vulnerability in Elite Forum 1.0.0.0 allows ...) NOT-FOR-US: Elite Forum CVE-2005-3411 (Cross-site scripting (XSS) vulnerability in post.asp in Snitz Forums 2 ...) NOT-FOR-US: Snitz Forums CVE-2005-3410 RESERVED CVE-2005-3409 (OpenVPN 2.x before 2.0.4, when running in TCP mode, allows remote atta ...) {DSA-885-1} - openvpn 2.0.5-1 (bug #337334; low) CVE-2005-3408 (SQL injection vulnerability in news.php in gCards version 1.43 allows ...) NOT-FOR-US: gCards CVE-2005-3407 (SQL injection vulnerability in phpESP 1.7.5 and earlier allows remote ...) NOT-FOR-US: phpESP CVE-2005-3406 (Cross-site scripting (XSS) vulnerability in phpESP 1.7.5 and earlier a ...) NOT-FOR-US: phpESP CVE-2005-3405 (ATutor 1.4.1 through 1.5.1-pl1 allows remote attackers to execute arbi ...) NOT-FOR-US: ATutor CVE-2005-3404 (Multiple PHP file inclusion vulnerabilities in ATutor 1.4.1 through 1. ...) NOT-FOR-US: ATutor CVE-2005-3403 (Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.4.1 th ...) NOT-FOR-US: ATutor CVE-2005-3402 (The SMTP client in Mozilla Thunderbird 1.0.5 BETA, 1.0.7, and possibly ...) NOTE: That's a non-issue; only a feature request for an improvement in a corner case. NOTE: If someone wants to use security-sensitive communication a TLS-secured server NOTE: should be used. CVE-2005-3401 (Multiple interpretation error in TheHacker 5.8.4.128 allows remote att ...) NOT-FOR-US: TheHacker CVE-2005-3400 (Multiple interpretation error in Fortinet 2.48.0.0 allows remote attac ...) NOT-FOR-US: Fortinet CVE-2005-3399 (Multiple interpretation error in CAT-QuickHeal 8.0 allows remote attac ...) NOT-FOR-US: CAT-QuickHeal CVE-2005-3398 (The default configuration of the web server for the Solaris Management ...) NOT-FOR-US: Solaris Management Console CVE-2005-3397 (Cross-site scripting (XSS) vulnerability in Comersus BackOffice allows ...) NOT-FOR-US: Comersus BackOffice CVE-2005-3396 (Buffer overflow in the chcons (chcon) command in IBM AIX 5.2 and 5.3, ...) NOT-FOR-US: AIX CVE-2005-3395 (SQL injection vulnerability in Invision Gallery 2.0.3 allows remote at ...) NOT-FOR-US: Invision Gallery CVE-2005-3394 (Multiple SQL injection vulnerabilities in forum.php in oaboard forum 1 ...) NOT-FOR-US: oaboard CVE-2005-3393 (Format string vulnerability in the foreign_option function in options. ...) {DSA-885-1} - openvpn 2.0.5-1 (bug #336751; medium) CVE-2005-3392 (Unspecified vulnerability in PHP before 4.4.1, when using the virtual ...) - php4 4:4.4.2-1 (bug #336645; bug #354681; low) [sarge] - php4 (Safe mode violations not supported) - php5 5.1.1-1 (bug #336654; low) NOTE: According to CVE, this is a safe mode violation, NOTE: therefore low impact. (According to SuSE, it's an NOTE: information leak.) CVE-2005-3391 (Multiple vulnerabilities in PHP before 4.4.1 allow remote attackers to ...) - php4 4:4.4.2-1 (bug #336645; bug #354678; low) [sarge] - php4 (Safe mode violations not supported) - php5 5.1.1-1 (bug #336654; low) NOTE: This is a safe mode violation, therefore low impact. CVE-2005-3390 (The RFC1867 file upload feature in PHP 4.x up to 4.4.0 and 5.x up to 5 ...) - php4 4:4.4.2-1 (bug #336645; bug #354680; low) - php5 5.1.1-1 (bug #336654; low) [sarge] - php4 (Operation with register_globals not supported) NOTE: http://www.hardened-php.net/advisory_202005.79.html NOTE: http://www.hardened-php.net/globals-problem CVE-2005-3389 (The parse_str function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, whe ...) - php4 4:4.4.2-1 (bug #336645; bug #354690; low) - php5 5.1.1-1 (bug #336654; low) [sarge] - php4 (application's job to sanitize input) NOTE: http://www.hardened-php.net/advisory_192005.78.html CVE-2005-3388 (Cross-site scripting (XSS) vulnerability in the phpinfo function in PH ...) {CVE-2002-1954} - php4 4:4.4.2-1 (bug #336645; low) - php5 5.1.1-1 (bug #336654; low) [sarge] - php4 (not worth an update) NOTE: http://www.hardened-php.net/advisory_182005.77.html NOTE: fixed in CVS, estimated release of PHP5.1 to fix this issue CVE-2005-3387 (The startup script in packages/RedHat/ntop.init in ntop before 3.2, wh ...) - ntop (Red Hat specific packaging flaw) CVE-2005-3386 (SQL injection vulnerability in Techno Dreams Web Directory script allo ...) NOT-FOR-US: Techno Dreams scripts CVE-2005-3385 (SQL injection vulnerability in Techno Dreams Mailing List script allow ...) NOT-FOR-US: Techno Dreams scripts CVE-2005-3384 (SQL injection vulnerability in Techno Dreams Guest Book script allows ...) NOT-FOR-US: Techno Dreams scripts CVE-2005-3383 (SQL injection vulnerability in Techno Dreams Announcement script allow ...) NOT-FOR-US: Techno Dreams scripts CVE-2005-3382 (Multiple interpretation error in Sophos 3.91 with the 2.28.4 engine al ...) NOT-FOR-US: Sophos CVE-2005-3381 (Multiple interpretation error in Ukrainian National Antivirus (UNA) 1. ...) NOT-FOR-US: Ukranian National Antivirus CVE-2005-3380 (Multiple interpretation error in Panda Titanium 2005 4.02.01 allows re ...) NOT-FOR-US: Panda Titanium CVE-2005-3379 (Multiple interpretation error in Trend Micro (1) PC-Cillin 2005 12.0.1 ...) NOT-FOR-US: Trend Micro CVE-2005-3378 (Multiple interpretation error in Norman 5.81 with the 5.83.02 engine a ...) NOT-FOR-US: Norman CVE-2005-3377 (Multiple interpretation error in (1) McAfee Internet Security Suite 7. ...) NOT-FOR-US: McAfee CVE-2005-3376 (Multiple interpretation error in Kaspersky 5.0.372 allows remote attac ...) NOT-FOR-US: Kaspersky CVE-2005-3375 (Multiple interpretation error in Ikarus demo version allows remote att ...) NOT-FOR-US: Ikarus CVE-2005-3374 (Multiple interpretation error in F-Prot 3.16c allows remote attackers ...) NOT-FOR-US: F-Prot CVE-2005-3373 (Multiple interpretation error in Dr.Web 4.32b allows remote attackers ...) NOT-FOR-US: Dr. Web CVE-2005-3372 (Multiple interpretation error in eTrust CA 7.0.1.4 with the 11.9.1 eng ...) NOT-FOR-US: eTrust CVE-2005-3371 (Multiple interpretation error in AVG 7 7.0.323 allows remote attackers ...) NOT-FOR-US: AVG CVE-2005-3370 (Multiple interpretation error in ArcaVir 2005 package 2005-06-21 allow ...) NOT-FOR-US: ArcaVir CVE-2005-3369 (Multiple SQL injection vulnerabilities in the Info-DB module (info_db. ...) NOT-FOR-US: Woltlab Burning Board CVE-2005-3368 (Cross-site scripting (XSS) vulnerability in the Search_Enhanced module ...) NOT-FOR-US: PHP-Nuke CVE-2005-3367 (Cross-site scripting (XSS) vulnerability in journal.php in SparkleBlog ...) NOT-FOR-US: SparkleBlog CVE-2005-3366 (PHP file inclusion vulnerability in index.php in PHP iCalendar 2.0a2 t ...) NOT-FOR-US: PHP iCalendar CVE-2005-3365 (Multiple SQL injection vulnerabilities in DCP-Portal 6 and earlier all ...) NOT-FOR-US: DCP-Portal CVE-2005-3364 (Multiple SQL injection vulnerabilities in DboardGear allow remote atta ...) NOT-FOR-US: DboardGear CVE-2005-3363 (SQL injection vulnerability in Saphp Lesson, possibly saphp Lesson1.1 ...) NOT-FOR-US: saphp Lesson CVE-2005-3362 REJECTED CVE-2005-3361 (Cross-site scripting (XSS) vulnerability in forum/index.php in FlatNuk ...) NOT-FOR-US: FlatNuke CVE-2005-3360 (The installation of Trend Micro PC-Cillin Internet Security 2005 12.00 ...) NOT-FOR-US: Trend Micro PC-Cillin Internet Security 2005 CVE-2005-3359 (The atm module in Linux kernel 2.6 before 2.6.14 allows local users to ...) {DSA-1103} - linux-2.6 2.6.14 CVE-2005-3358 (Linux kernel before 2.6.15 allows local users to cause a denial of ser ...) {DSA-1017-1} - linux-2.6 (Fixed before upload into archive; 2.6.11) CVE-2005-3357 (mod_ssl in Apache 2.0 up to 2.0.55, when configured with an SSL vhost ...) - apache2 2.0.55-4 (bug #351246; low) [sarge] - apache2 2.0.54-5sarge2 CVE-2005-3356 (The mq_open system call in Linux kernel 2.6.9, in certain situations, ...) {DSA-1017-1} - linux-2.6 2.6.15-4 CVE-2005-3355 (Directory traversal vulnerability in GNU Gnump3d before 2.9.8 has unkn ...) {DSA-901-1} - gnump3d 2.9.8-1 CVE-2005-3354 (Stack-based buffer overflow in the ldif_get_line function in ldif.c of ...) {DSA-908-1 DSA-906-1} - sylpheed 2.0.4-1 (bug #338434; medium) - sylpheed-gtk1 1.0.6-1 (medium) - sylpheed-claws 1.0.5-2 (bug #338436; medium) - sylpheed-claws-gtk2 1.9.100-1 (bug #339529; medium) CVE-2005-3353 (The exif_read_data function in the Exif module in PHP before 4.4.1 all ...) {DSA-1206-1} - php4 4:4.4.2-1 (bug #339577; medium) - php5 5.1.1-1 (bug #336654; medium) CVE-2005-3352 (Cross-site scripting (XSS) vulnerability in the mod_imap module of Apa ...) {DSA-1167-1} - apache 1.3.34-2 (bug #343466; low) - apache2 2.0.55-4 (bug #343467; bug #349793; low) [sarge] - apache2 2.0.54-5sarge2 NOTE: Version(s): prior to 1.3.35-dev, 2.0.56-dev are affected NOTE: Means oldstable and stable are affected CVE-2005-3351 (SpamAssassin 3.0.4 allows attackers to bypass spam detection via an e- ...) - spamassassin 3.1.0a-1 (bug #339526; low) [sarge] - spamassassin (DoS affects only a single message) [woody] - spamassassin (DoS affects only a single message) CVE-2005-3350 (libungif library before 4.1.0 allows attackers to corrupt memory and p ...) {DSA-890-1} - libungif4 4.1.3-4 (bug #337972; high) - giflib 4.1.4-1 (bug #395382) CVE-2005-3349 (GNU Gnump3d before 2.9.8 allows local users to modify or delete arbitr ...) {DSA-901-1} - gnump3d 2.9.8-1 CVE-2005-3348 (HTTP response splitting vulnerability in index.php in phpSysInfo 2.4 a ...) {DSA-899-1 DSA-898-1 DSA-897-1} - phpsysinfo 2.3-7 (bug #339079) - egroupware 1.0.0.009.dfsg-3-3 - phpgroupware 0.9.16.008-2 CVE-2005-3347 (Multiple directory traversal vulnerabilities in index.php in phpSysInf ...) {DSA-899-1 DSA-898-1 DSA-897-1} - phpsysinfo 2.3-7 (bug #339079) - egroupware 1.0.0.009.dfsg-3-3 - phpgroupware 0.9.16.008-2 CVE-2005-3346 (Buffer overflow in the environment variable substitution code in main. ...) {DSA-918-1} - osh 1.7-15 (bug #338312; bug #323424; bug #323482; bug #311369; medium) CVE-2005-3345 (rssh 2.0.0 through 2.2.3 allows local users to bypass access restricti ...) - rssh 2.3.0-1 (bug #344395; bug #344424) [sarge] - rssh 2.2.3-1.sarge.1 NOTE: Update was introduced through s-p-u, not a DSA CVE-2005-3344 (The default installation of Horde 3.0.4 contains an administrative acc ...) {DSA-884-1} - horde3 3.0.5-2 (bug #332290; bug #332289; medium) CVE-2005-3343 (tkdiff before 4.1.1 allows local users to overwrite arbitrary files vi ...) {DSA-927-1} - tkdiff 1:4.0.2-2 (low) CVE-2005-3342 (noweb 2.10c and earlier allows local users to overwrite arbitrary file ...) {DSA-968-1} - noweb 2.10c-3.2 (low) CVE-2005-3340 (The tuxpaint-import.sh script in Tux Paint (tuxpaint) 0.9.14 and earli ...) {DSA-941-1} - tuxpaint 1:0.9.15b-1 (low) CVE-2003-1233 (Pedestal Software Integrity Protection Driver (IPD) 1.3 and earlier al ...) NOT-FOR-US: Integrity Protection Driver CVE-2002-2124 (The recvn and sendn functions in nylon 0.2 do not check when the recv ...) NOT-FOR-US: nylon CVE-2005-XXXX [ntop format string vulnerability] - ntop 3:4.0.3+dfsg1-1 (bug #335996; unimportant) NOTE: Not exploitable CVE-2005-3341 (DHIS tools DNS package (dhis-tools-dns) before 5.0 allows local users ...) {DSA-928-1} - dhis-tools-dns 5.0-5 CVE-2005-3339 (Mantis before 0.19.3 caches the User ID longer than necessary, which h ...) {DSA-905-1} - mantis 0.19.3-0.1 (bug #330682) CVE-2005-3338 (Unspecified vulnerability in Mantis before 0.19.3, when using reminder ...) {DSA-905-1} - mantis 0.19.3-0.1 (bug #330682; low) CVE-2005-3337 (Multiple cross-site scripting (XSS) vulnerabilities in Mantis before 0 ...) NOTE: This is a duplicate of CVE-2005-3091 (first issue) and CVE-2005-2557 (second NOTE: issue). This will be rejected. CVE-2005-3336 (SQL injection vulnerability in Mantis 1.0.0RC2 and 0.19.2 allows remot ...) {DSA-905-1} - mantis 0.19.3-0.1 (high) CVE-2005-3335 (PHP file inclusion vulnerability in bug_sponsorship_list_view_inc.php ...) {DSA-905-1} - mantis 0.19.3-0.1 (bug #335938; medium) CVE-2005-3334 (Cross-site scripting (XSS) vulnerability in index.php in Flyspray 0.9. ...) {DSA-953-1} - flyspray 0.9.8-4 (bug #335997; low) NOTE: Sarge is confirmed vulnerable CVE-2005-3333 (SQL injection vulnerability in eBASEweb 3.0 allows remote attackers to ...) NOT-FOR-US: eBASEweb CVE-2005-3332 (PHP remote file include vulnerability in admin/define.inc.php in Belch ...) NOT-FOR-US: Belchior Foundry vCard CVE-2005-3331 (viewpatch in mgdiff 1.0 allows local users to overwrite arbitrary file ...) - mgdiff 1.0-28 (bug #335188; unimportant) CVE-2005-3330 (The _httpsrequest function in Snoopy 1.2, as used in products such as ...) - wordpress (bug #335817; unimportant) NOTE: Upstream claims the modified Snoopy class is secure CVE-2005-3329 (Cross-site scripting (XSS) vulnerability in RSA Authentication Agent f ...) NOT-FOR-US: RSA Authentication Agent CVE-2005-3328 (PHP remote file inclusion vulnerability in common.php in PunBB 1.1.2 t ...) NOT-FOR-US: PunBB CVE-2005-3327 (Network Appliance Data ONTAP 7.0 and earlier allows iSCSI Initiators t ...) NOT-FOR-US: Data ONTAP CVE-2005-3326 (SQL injection vulnerability in usercp.php in MyBulletinBoard (MyBB) al ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2005-3325 (Multiple SQL injection vulnerabilities in (1) acid_qry_main.php in Ana ...) {DSA-893-1} - acidbase 1.2.1-1 (bug #335998; bug #336788; medium) NOTE: the fix from 1.2-2 did not address the problem fully - acidlab 0.9.6b20-13 CVE-2005-3324 (SQL injection vulnerability in chat.php in MWChat 6.8 allows remote at ...) NOT-FOR-US: MWChat CVE-2005-3323 (docutils in Zope 2.6, 2.7 before 2.7.8, and 2.8 before 2.8.2 allows re ...) {DSA-910-1} - zope2.8 2.8.1-7 (bug #334055; bug #334054; high) - zope2.7 2.7.8-1 (bug #334055; bug #334054; high) CVE-2005-3322 (Unspecified vulnerability in Squid on SUSE Linux 9.0 allows remote att ...) - squid NOTE: see bug #334882 for details CVE-2005-3321 (chkstat in SuSE Linux 9.0 through 10.0 allows local users to modify pe ...) NOT-FOR-US: SuSE-specific tool CVE-2005-3320 (Cross-site scripting (XSS) vulnerability in SiteTurn Domain Manager Pr ...) NOT-FOR-US: SiteTurn Domain Manager CVE-2005-3319 (The apache2handler SAPI (sapi_apache2.c) in the Apache module (mod_php ...) - php4 4:4.4.2-1 (bug #336004; bug #354684; low) - php5 5.1.1-1 (bug #336005; low) [sarge] - php4 NOTE: can't reproduce, error may not be present in 4.3. NOTE: tentatively marking as not-affected in sarge. CVE-2005-3318 (Buffer overflow in the _chm_decompress_block function in CHM lib (chml ...) {DSA-886-1} - chmlib 0.37-1 (bug #335931; medium) CVE-2005-3317 (Multiple stack-based buffer overflows in ZipGenius 5.5.1.468 and 6.0.2 ...) NOT-FOR-US: ZipGenius CVE-2005-3316 (The installation of ON Symantec Discovery 4.5.x and Symantec Discovery ...) NOT-FOR-US: Symantec Discovery CVE-2005-3315 (Multiple SQL injection vulnerabilities in Novell ZENworks Patch Manage ...) NOT-FOR-US: Novell ZENworks CVE-2005-3314 (Stack-based buffer overflow in the IMAP daemon in Novell Netmail 3.5.2 ...) NOT-FOR-US: Novell Netmail CVE-2005-3313 (The IRC protocol dissector in Ethereal 0.10.13 allows remote attackers ...) [woody] - ethereal (Only affects version 0.10.13) [sarge] - ethereal (Only affects version 0.10.13) - ethereal 0.10.14-1 (medium) CVE-2005-3312 (The HTML rendering engine in Microsoft Internet Explorer 6.0 allows re ...) NOT-FOR-US: Microsoft CVE-2005-3311 (BMC Software Control-M 6.1.03 for Solaris, and possibly other platform ...) NOT-FOR-US: BMC Software Control-M CVE-2005-3310 (Interpretation conflict in phpBB 2.0.17, with remote avatars and avata ...) {DSA-925-1} - phpbb2 2.0.18-1 (bug #335662; low) CVE-2005-3309 (Multiple SQL injection vulnerabilities in Zomplog 3.4 allow remote att ...) NOT-FOR-US: Zomplog CVE-2005-3308 (Multiple cross-site scripting (XSS) vulnerabilities in Zomplog 3.4 all ...) NOT-FOR-US: Zomplog CVE-2005-3307 (Directory traversal vulnerability in index.php for FlatNuke 2.5.6 allo ...) NOT-FOR-US: FlatNuke CVE-2005-3306 (Cross-site scripting (XSS) vulnerability in index.php for FlatNuke 2.5 ...) NOT-FOR-US: FlatNuke CVE-2005-3305 (Multiple SQL injection vulnerabilities in Nuked Klan 1.7 allow remote ...) NOT-FOR-US: Nuked Klan CVE-2005-3304 (Multiple SQL injection vulnerabilities in PHP-Nuke 7.8 allow remote at ...) NOT-FOR-US: PHP-Nuke CVE-2005-3303 (The FSG unpacker (fsg.c) in Clam AntiVirus (ClamAV) 0.80 through 0.87 ...) {DSA-887-1 DTSA-21-1} - clamav 0.87.1-1 (high) CVE-2004-2539 (Unknown vulnerability in Network Appliance NetCache 5.2 and Data ONTAP ...) NOT-FOR-US: NetCache CVE-2004-2538 (Direct static code injection vulnerability in the PCG simple applicati ...) NOT-FOR-US: phpCodeGenie CVE-2004-2537 (Unspecified vulnerability in SurgeMail before 2.2c10 has unknown impac ...) NOT-FOR-US: SurgeMail CVE-2004-2536 (The exit_thread function (process.c) in Linux kernel 2.6 through 2.6.5 ...) - linux-2.6 (Fixed before upload into archive; 2.6.6) - kernel-source-2.4.27 [sarge] - kernel-source-2.6.8 (Fixed before upload into archive; 2.6.6) CVE-2004-2535 (The person-to-person secure messaging feature in Sticker before 3.1.0 ...) NOT-FOR-US: Sticker CVE-2004-2534 (Fastream NETFile Server 7.1.2 does not properly handle keep-alive conn ...) NOT-FOR-US: NETFile Server CVE-2004-2533 (Serv-U FTP Server 4.1 (possibly 4.0) allows remote attackers to cause ...) NOT-FOR-US: Serv-U FTP Server CVE-2004-2532 (Serv-U FTP server before 5.1.0.0 has a default account and password fo ...) NOT-FOR-US: Serv-U FTP Server CVE-2004-2531 (X.509 Certificate Signature Verification in Gnu transport layer securi ...) - gnutls11 1.0.16-8 (bug #336006; low) - gnutls12 (fixed before upload) CVE-2004-2530 (Visual truncation vulnerability in Gadu-Gadu allows remote attackers t ...) NOT-FOR-US: Gadu-Gadu CVE-2004-2529 (Gadu-Gadu allows remote attackers to bypass the "image send" option by ...) NOT-FOR-US: Gadu-Gadu CVE-2004-2528 (Cross-site scripting (XSS) vulnerability in sresult.exe in Webcam Watc ...) NOT-FOR-US: Webcam Watchdog CVE-2004-2527 (The local and remote desktop login screens in Microsoft Windows XP bef ...) NOT-FOR-US: Microsoft CVE-2004-2526 (Directory traversal vulnerability in ldacgi.exe in IBM Tivoli Director ...) NOT-FOR-US: Tivoli CVE-2004-2525 (Cross-site scripting (XSS) vulnerability in compat.php in Serendipity ...) - serendipity 1.0-1 CVE-2004-2524 (clogin.php in Benchmark Designs' WHM AutoPilot 2.4.5 and earlier allow ...) NOT-FOR-US: WHM AutoPilot CVE-2004-2523 (Format string vulnerability in the msg command (cat_message function i ...) NOT-FOR-US: OpenFTPD CVE-2004-2522 (Cross-site scripting (XSS) vulnerability in web.tmpl in Gattaca Server ...) NOT-FOR-US: Gattaca CVE-2004-2521 (Mail server in Gattaca Server 2003 1.1.10.0 allows remote attackers to ...) NOT-FOR-US: Gattaca CVE-2004-2520 (POP3 protocol in Gattaca Server 2003 1.1.10.0 allows remote authentica ...) NOT-FOR-US: Gattaca CVE-2004-2519 (Gattaca Server 2003 1.1.10.0 allows remote attackers to cause a denial ...) NOT-FOR-US: Gattaca CVE-2004-2518 (Gattaca Server 2003 1.1.10.0 allows remote attackers to obtain sensiti ...) NOT-FOR-US: Gattaca CVE-2004-2517 (myServer 0.7.1 allows remote attackers to cause a denial of service (c ...) NOT-FOR-US: myServer CVE-2004-2516 (Directory traversal vulnerability in myServer 0.7 allows remote attack ...) NOT-FOR-US: myServer CVE-2004-2515 (Format string vulnerability in VMware Workstation 4.5.2 build-8848, if ...) NOT-FOR-US: VMWare Workstation CVE-2004-2514 (Cross-site scripting (XSS) vulnerability in modules/private_messages/i ...) NOT-FOR-US: PowerPortal CVE-2004-2513 (Buffer overflow in the IMAP service of Mercury (Pegasus) Mail 4.01 all ...) NOT-FOR-US: Mercury Mail CVE-2004-2512 (CRLF injection vulnerability in calendar.php in DCP-Portal 5.3.2 and e ...) NOT-FOR-US: DCP-Portal CVE-2004-2511 (Multiple cross-site scripting (XSS) vulnerabilities in DCP-Portal 5.3. ...) NOT-FOR-US: DCP-Portal CVE-2004-2510 (Cross-site scripting (XSS) vulnerability in showflat.php in Infopop UB ...) NOT-FOR-US: Infopop UBB.Threads CVE-2004-2509 (Cross-site scripting (XSS) vulnerabilities in (1) calendar.php, (2) lo ...) NOT-FOR-US: Infopop UBB.Threads CVE-2004-2508 (Cross-site scripting (XSS) vulnerability in main.cgi in Linksys WVC11B ...) NOT-FOR-US: Linksys hardware CVE-2004-2507 (Absolute path traversal vulnerability in main.cgi in Linksys WVC11B Wi ...) NOT-FOR-US: Linksys hardware CVE-2004-2506 (Unparsed web content delivery vulnerability in WIKINDX before 0.9.9g a ...) NOT-FOR-US: WIKINDX CVE-2004-2505 (Macromedia ColdFusion MX before 6.1 does not restrict the size of erro ...) NOT-FOR-US: ColdFusion CVE-2004-2504 (The GUI in Alt-N Technologies MDaemon 7.2 and earlier, including 6.8, ...) NOT-FOR-US: Alt-N Technologies Mdaemon CVE-2004-2503 (INweb Mail Server 2.40 allows remote attackers to cause a denial of se ...) NOT-FOR-US: Inweb Mail Server CVE-2004-2502 (im-switch before 11.4-46.1 in Fedora Core 2 allows local users to over ...) - im-switch (Debian's version is somehow derived from RH, but not affected) CVE-2004-2501 (Buffer overflow in the IMAP service of MailEnable Professional Edition ...) NOT-FOR-US: MailEnable Professional CVE-2004-2500 (Unknown vulnerability in IlohaMail before 0.8.14-rc1 has unknown impac ...) - ilohamail 0.8.14-0rc1 CVE-2004-2499 (Unspecified vulnerability in Hitachi Web Page Generator and Web Page G ...) NOT-FOR-US: Hitachi Web Page Generator CVE-2004-2498 (Unspecified vulnerability in the error handler in Hitachi Web Page Gen ...) NOT-FOR-US: Hitachi Web Page Generator CVE-2004-2497 (Cross-site scripting (XSS) vulnerability in the error handler in Hitac ...) NOT-FOR-US: Hitachi Web Page Generator CVE-2004-2496 (The HTTP daemon in OpenText FirstClass 7.1 and 8.0 allows remote attac ...) NOT-FOR-US: OpenText FirstClass CVE-2004-2495 (The (1) Webmail, (2) admin, and (3) SMTP services in Ability Mail Serv ...) NOT-FOR-US: Ability Mail Server CVE-2004-2494 (Cross-site scripting (XSS) vulnerability in _error in Ability Mail Ser ...) NOT-FOR-US: Ability Mail Server CVE-2004-2493 (Directory traversal vulnerability in Groupmax World Wide Web (GmaxWWW) ...) NOT-FOR-US: GmaxWWW CVE-2004-2492 (Cross-site scripting (XSS) vulnerability in Groupmax World Wide Web (G ...) NOT-FOR-US: GmaxWWW CVE-2004-2491 (A race condition in Opera web browser 7.53 Build 3850 causes Opera to ...) NOT-FOR-US: Opera CVE-2004-2490 (Buffer overflow in IBM Informix Dynamic Server (IDS) 9.40.xC1 and 9.40 ...) NOT-FOR-US: Informix Dynamic Server CVE-2004-2489 (Format string vulnerability in IBM Informix Dynamic Server (IDS) befor ...) NOT-FOR-US: Informix Dynamic Server CVE-2004-2488 (Directory traversal vulnerability in Nexgen FTP Server before 2.2.3.23 ...) NOT-FOR-US: Nexgen FTP Server CVE-2004-2487 (Directory traversal vulnerability in Nexgen FTP Server before 2.2.3.23 ...) NOT-FOR-US: Nexgen FTP Server CVE-2004-2486 (The DSS verification code in Dropbear SSH Server before 0.43 frees uni ...) - dropbear 0.43-2 CVE-2004-2485 (Unspecified vulnerability in PHP Live! before 2.8.2, due to a "major s ...) NOT-FOR-US: PHP Live! CVE-2004-2484 (Cross-site scripting (XSS) vulnerability in PHP Gift Registry 1.3.5 an ...) NOT-FOR-US: PHP Gift Registry CVE-2005-XXXX [kernel: Signedness problems in net/core/filter] - linux-2.6 2.6.12-2 [sarge] - kernel-source-2.4.27 [sarge] - kernel-source-2.6.8 NOTE: http://kernel.suse.com/cgit/kernel/commit/?h=v2.6.12.5&id=4717ecd49ce5c556d38e8c7b6fdc9fac5d35c00e CVE-2005-XXXX [Insecure temp file usage in thttpd's syslogtocern] - thttpd 2.23beta1-4 (low) [sarge] - thttpd (Minor issue in addon package) CVE-2005-3301 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin befo ...) {DSA-880-1} - phpmyadmin 4:2.6.4-pl3-1 (bug #335513; medium) CVE-2005-3300 (The register_globals emulation layer in grab_globals.php for phpMyAdmi ...) {DSA-880-1} - phpmyadmin 4:2.6.4-pl3-1 (bug #335306; high) CVE-2005-3299 (PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin ...) - phpmyadmin 4:2.6.4-pl2-1 (bug #333433; high) [sarge] - phpmyadmin (Not affected according to maintainer; #333433) NOTE: https://www.phpmyadmin.net/security/PMASA-2005-4/ CVE-2005-3298 (Multiple buffer overflows in OpenWBEM on SuSE Linux 9 allow remote att ...) NOT-FOR-US: OpenWBEM CVE-2005-3297 (Multiple integer overflows in OpenWBEM on SuSE Linux 9 allow remote at ...) NOT-FOR-US: OpenWBEM CVE-2005-3296 (The FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote att ...) NOT-FOR-US: HP-UX CVE-2005-3295 (Unspecified vulnerability in HP-UX B.11.23 on Itanium platforms allows ...) NOT-FOR-US: HP-UX CVE-2005-3294 (Typsoft FTP Server 1.11, with "Sub Directory Include" enabled, allows ...) NOT-FOR-US: Typsoft FTP Server CVE-2005-3293 (Xerver 4.17 allows remote attackers to (1) obtain source code of scrip ...) NOT-FOR-US: Xerver CVE-2005-3292 (Multiple cross-site scripting (XSS) vulnerabilities in Xeobook 0.93 al ...) NOT-FOR-US: Xeobook CVE-2005-3291 (Stani's Python Editor (SPE) 0.7.5 is installed with world-writable per ...) - spe (Gentoo-specific packaging flaw) CVE-2005-3290 (SQL injection vulnerability in Accelerated Mortgage Manager allows rem ...) NOT-FOR-US: Accelerated Mortgage manager CVE-2005-3289 (LSCFG in IBM AIX 5.2 and 5.3 does not create temporary files securely, ...) NOT-FOR-US: AIX CVE-2005-3288 (Mailsite Express allows remote attackers to upload and execute files w ...) NOT-FOR-US: Mailsite Express CVE-2005-3287 (Incomplete blacklist vulnerability in Mailsite Express allows remote a ...) NOT-FOR-US: Mailsite Express CVE-2005-3286 (The FWDRV driver in Kerio Personal Firewall 4.2 and Server Firewall 1. ...) NOT-FOR-US: Kerio Personal Firewall CVE-2005-3285 (Cross-site scripting (XSS) vulnerability in comersus_backoffice_search ...) NOT-FOR-US: Comersus Backoffice Plus CVE-2005-3284 (Multiple buffer overflows in AhnLab V3 AntiVirus V3Pro 2004 before 6.0 ...) NOT-FOR-US: AhnLab CVE-2005-3283 (Cross-site scripting (XSS) vulnerability in TikiWiki before 1.9.1.1 al ...) NOT-FOR-US: TikiWiki CVE-2005-3282 (Splatt Forum 3.0 to 3.2 allows remote attackers to bypass authenticati ...) NOT-FOR-US: Splatt Forum CVE-2005-3281 (Directory traversal vulnerability in NukeFixes 3.1 for PHP-Nuke 7.8 al ...) NOT-FOR-US: PHP-Nuke addon CVE-2005-3280 (Paros 3.2.5 uses a default password for the "sa" account in the underl ...) NOT-FOR-US: Paros CVE-2005-3279 (Stack-based buffer overflow in the vgasco_printf function in Jan Kybic ...) - bmv 1.2-18 (bug #335497; unimportant) NOTE: Vulnerable code not activated in binary package CVE-2005-3278 (Integer overflow in the openpsfile function in gsinterf.c for Jan Kybi ...) {DSA-981-1} - bmv 1.2-18 (bug #335497; medium) NOTE: Sarge and Woody are affected (and the patch applied to fix this in unstable works on both of them, an easy DSA) CVE-2005-3277 (The LPD service in HP-UX 10.20 11.11 (11i) and earlier allows remote a ...) NOT-FOR-US: HP-UX CVE-2005-XXXX [adduser's deluser creates backup files with world readable permissions] - adduser 3.77 (bug #331720; low) [sarge] - adduser (Very minimal security ramifications, admin's reponsibility) CVE-2005-XXXX [Pavuk Digest Authentication Buffer Overflow] - pavuk 0.9.33-1 (bug #264684; high) NOTE: second hole mentioned in bug report CVE-2005-3751 (HTTP request smuggling vulnerability in Pound before 1.9.4 allows remo ...) {DSA-934-1} - pound 1.9.4-1 (low) NOTE: see http://www.apsis.ch/pound/pound_list/archive/2005/2005-10/1129827166000/index_html?fullMode=1#1129827166000 CVE-2005-3276 (The sys_get_thread_area function in process.c in Linux 2.6 before 2.6. ...) {DSA-922-1} - linux-2.6 2.6.12-2 - kernel-source-2.4.27 CVE-2005-3275 (The NAT code (1) ip_nat_proto_tcp.c and (2) ip_nat_proto_udp.c in Linu ...) {DSA-922-1 DSA-921-1} - linux-2.6 2.6.13-1 (low) - kernel-source-2.4.27 2.4.27-11 (low) CVE-2005-3274 (Race condition in ip_vs_conn_flush in Linux 2.6 before 2.6.13 and 2.4 ...) {DSA-922-1} - linux-2.6 2.6.13-1 (low) CVE-2005-3273 (The rose_rt_ioctl function in rose_route.c for Radionet Open Source En ...) {DSA-922-1} - linux-2.6 2.6.12-1 - kernel-source-2.4.27 CVE-2005-3272 (Linux kernel before 2.6.12 allows remote attackers to poison the bridg ...) {DSA-922-1} - linux-2.6 2.6.12-1 - kernel-source-2.4.27 CVE-2005-3271 (Exec in Linux kernel 2.6 does not properly clear posix-timers in multi ...) {DSA-922-1} - linux-2.6 (Fixed before upload into archive; 2.6.9) - kernel-source-2.4.27 CVE-2005-3270 (Untrusted search path vulnerability in DiskMountNotify for Symantec No ...) NOT-FOR-US: Symantec Antivirus CVE-2005-3269 (Stack-based buffer overflow in help.cgi in the HTTP administrative int ...) NOT-FOR-US: Sun Java System Directory Server CVE-2005-3268 (yiff server (yiff-server) 2.14.2 on Debian GNU/Linux runs as root and ...) - yiff 2.14.2-8 (bug #334616; low) [sarge] - yiff (Only a minor privacy leak) CVE-2005-3267 (Integer overflow in Skype client before 1.4.x.84 on Windows, before 1. ...) NOT-FOR-US: Skype CVE-2005-3266 REJECTED CVE-2005-3265 (Buffer overflow in Skype for Windows 1.1.x.0 through 1.4.x.83 allows r ...) NOT-FOR-US: Skype CVE-2005-3264 (Cross-site scripting (XSS) vulnerability in thread.php for Zeroblog 1. ...) NOT-FOR-US: Zeroblog CVE-2005-3263 (Stack-based buffer overflow in UNACEV2.DLL for RARLAB WinRAR 2.90 thro ...) NOT-FOR-US: WinRAR CVE-2005-3262 (Format string vulnerability in RARLAB WinRAR 2.90 through 3.50 allows ...) NOT-FOR-US: WinRAR CVE-2005-3261 (getversions.php in versatileBulletinBoard (vBB) 1.0.0 RC2 lists the ve ...) NOT-FOR-US: versatileBulletinBoard CVE-2005-3260 (Multiple cross-site scripting (XSS) vulnerabilities in versatileBullet ...) NOT-FOR-US: versatileBulletinBoard CVE-2005-3259 (Multiple SQL injection vulnerabilities in versatileBulletinBoard (vBB) ...) NOT-FOR-US: versatileBulletinBoard CVE-2005-3258 (The rfc1738_do_escape function in ftp.c for Squid 2.5 STABLE11 and ear ...) - squid (bug #334882; medium) NOTE: Bug was introduced in a patch to squid-2.5.STABLE10, NOTE: this patch was never applied to the Debian package. CVE-2005-3256 (The key selection dialogue in Enigmail before 0.92.1 can incorrectly s ...) {DSA-889-1} - enigmail 2:0.93-1 (bug #335731; medium) CVE-2005-3253 (Wireless Access Points (AP) for (1) Avaya AP-3 through AP-6 2.5 to 2.5 ...) NOT-FOR-US: Avaya Wireless Access Points CVE-2005-3252 (Stack-based buffer overflow in the Back Orifice (BO) preprocessor for ...) - snort (Vulnerable code was introduced later, see bug #334606) CVE-2005-3251 (Directory traversal vulnerability in the gallery script in Gallery 2.0 ...) - gallery2 2.0.1-1 (medium) CVE-2005-3250 (Unknown vulnerability in Solaris 10 allows local users to cause a deni ...) NOT-FOR-US: Solaris CVE-2005-3249 (Unspecified vulnerability in the WSP dissector in Ethereal 0.10.1 to 0 ...) {DSA-1171} [woody] - ethereal (This only affects Ethereal 0.10.1 to 0.10.12) - ethereal 0.10.13-1 (bug #334880; medium) NOTE: Sarge is vulnerable CVE-2005-3248 (Unspecified vulnerability in the X11 dissector in Ethereal 0.10.12 and ...) {DSA-1171} [woody] - ethereal (This only affects Ethereal 0.10.1 to 0.10.12) - ethereal 0.10.13-1 (bug #334880; medium) NOTE: Sarge is vulnerable CVE-2005-3247 (The SigComp UDVM in Ethereal 0.10.12 allows remote attackers to cause ...) [woody] - ethereal (This only affects Ethereal 0.10.12) [sarge] - ethereal (This only affects Ethereal 0.10.12) - ethereal 0.10.13-1 (bug #334880; medium) CVE-2005-3246 (Ethereal 0.10.12 and earlier allows remote attackers to cause a denial ...) {DSA-1171} [woody] - ethereal (This only affects Ethereal 0.9.14 to 0.10.12) - ethereal 0.10.13-1 (bug #334880; medium) NOTE: Sarge is vulnerable CVE-2005-3245 (Unspecified vulnerability in the ONC RPC dissector in Ethereal 0.10.3 ...) - ethereal 0.10.13-1 (bug #334880; medium) CVE-2005-3244 (The BER dissector in Ethereal 0.10.3 to 0.10.12 allows remote attacker ...) {DSA-1171} [woody] - ethereal (This only affects Ethereal 0.10.3 to 0.10.12) - ethereal 0.10.13-1 (bug #334880; medium) NOTE: Sarge is vulnerable CVE-2005-3243 (Multiple buffer overflows in Ethereal 0.10.12 and earlier might allow ...) {DSA-1171} - ethereal 0.10.13-1 (bug #334880; medium) NOTE: The SLIMP3 issue affects Woody/Sarge, the AgentX issue only Sarge CVE-2005-3242 (Ethereal 0.10.12 and earlier allows remote attackers to cause a denial ...) {DSA-1171} [woody] - ethereal (This only affects Ethereal 0.9.7 to 0.10.12) - ethereal 0.10.13-1 (bug #334880; medium) NOTE: Sarge is vulnerable CVE-2005-3241 (Multiple vulnerabilities in Ethereal 0.10.12 and earlier allow remote ...) {DSA-1171} - ethereal 0.10.13-1 (bug #334880; medium) NOTE: The ISAKMP issue only affects sid, the other three Woody and Sarge CVE-2005-3240 (Race condition in Microsoft Internet Explorer allows user-assisted att ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2005-3238 (Multiple unspecified vulnerabilities in Solaris 10 SCTP Socket Option ...) NOT-FOR-US: Solaris CVE-2005-3257 (The VT implementation (vt_ioctl.c) in Linux kernel 2.6.12, and possibl ...) {DSA-1018-1 DSA-1017-1} - linux-2.6 2.6.14-4 (bug #334113; medium) CVE-2005-3237 (Cross-site scripting (XSS) vulnerability in Cyphor 0.19 allows remote ...) NOT-FOR-US: Cyphor CVE-2005-3236 (Multiple SQL injection vulnerabilities in Cyphor 0.19 allow remote att ...) NOT-FOR-US: Cyphor CVE-2005-3235 (Multiple interpretation error in unspecified versions of Proland Prote ...) NOT-FOR-US: Proland Protector Plus CVE-2005-3234 (Multiple interpretation error in unspecified versions of Grisoft AVG A ...) NOT-FOR-US: Grisoft AVG Antivirus CVE-2005-3233 (Multiple interpretation error in unspecified versions of Trustix Antiv ...) NOT-FOR-US: Trustix Antivirus CVE-2005-3232 (Multiple interpretation error in unspecified versions of TheHacker all ...) NOT-FOR-US: TheHacker CVE-2005-3231 (Multiple interpretation error in unspecified versions of CAT Quick Hea ...) NOT-FOR-US: CAT Quick Heal CVE-2005-3230 (Multiple interpretation error in unspecified versions of Panda Antivir ...) NOT-FOR-US: Panda Antivirus CVE-2005-3229 (Multiple interpretation error in unspecified versions of ClamAV Antivi ...) - clamav (predates any supported Debian release) NOTE: Should rather be fixed in the buggy (fringe, proprietary) RAR unpackers CVE-2005-3228 (Multiple interpretation error in unspecified versions of Ikarus AntiVi ...) NOT-FOR-US: Ikarus Antivirus CVE-2005-3227 (Multiple interpretation error in unspecified versions of UNA Antivirus ...) NOT-FOR-US: UNA Antivirus CVE-2005-3226 (Multiple interpretation error in unspecified versions of ArcaVir Antiv ...) NOT-FOR-US: ArcaVir CVE-2005-3225 (Multiple interpretation error in unspecified versions of (1) eTrust-Ir ...) NOT-FOR-US: eTrust Antivirus CVE-2005-3224 (Multiple interpretation error in unspecified versions of AntiVir Antiv ...) NOT-FOR-US: AntiVir CVE-2005-3223 (Multiple interpretation error in unspecified versions of Rising Antivi ...) NOT-FOR-US: Rising Antivirus CVE-2005-3222 (Multiple interpretation error in unspecified versions of VBA32 Antivir ...) NOT-FOR-US: VBA32 Antivirus CVE-2005-3221 (Multiple interpretation error in unspecified versions of Fortinet Anti ...) NOT-FOR-US: Fortinet Antivirus CVE-2005-3220 (Multiple interpretation error in unspecified versions of Norman Virus ...) NOT-FOR-US: Norman Antivirus CVE-2005-3219 (Multiple interpretation error in unspecified versions of Avira Antivir ...) NOT-FOR-US: Avira Antivirus CVE-2005-3218 (Multiple interpretation error in unspecified versions of Dr.Web Antivi ...) NOT-FOR-US: Dr. Web Antivirus CVE-2005-3217 (Multiple interpretation error in unspecified versions of Symantec Anti ...) NOT-FOR-US: Symantec Antivirus CVE-2005-3216 (Multiple interpretation error in unspecified versions of Sophos Antivi ...) NOT-FOR-US: Sophos Antivirus CVE-2005-3215 (Multiple interpretation error in unspecified versions of McAfee Antivi ...) NOT-FOR-US: McAfee Antivirus CVE-2005-3214 (Multiple interpretation error in unspecified versions of Avast Antivir ...) NOT-FOR-US: Avast Antovirus CVE-2005-3213 (Multiple interpretation error in unspecified versions of F-Prot Antivi ...) NOT-FOR-US: F-Prot Antivirus CVE-2005-3212 (Multiple interpretation error in unspecified versions of NOD32 Antivir ...) NOT-FOR-US: NOD32 Antivirus CVE-2005-3211 (Multiple interpretation error in unspecified versions of BitDefender A ...) NOT-FOR-US: BitDefender Antivirus CVE-2005-3210 (Multiple interpretation error in unspecified versions of Kaspersky Ant ...) NOT-FOR-US: Kaspersky Antivirus CVE-2005-3209 (Aenovo products (1) aeNovo, (2) aeNovoShop, and (3) aeNovoWYSI store p ...) NOT-FOR-US: aeNovo apps CVE-2005-3208 (Multiple SQL injection vulnerabilities in (1) aeNovo, (2) aeNovoShop a ...) NOT-FOR-US: aeNovo apps CVE-2005-3207 (The forms servlet (f90servlet) in Oracle Forms 4.5.10.22 allows remote ...) NOT-FOR-US: Oracle CVE-2005-3206 (iSQL*Plus (isqlplus) for Oracle9i Database Server Release 2 9.0.2.4 al ...) NOT-FOR-US: Oracle CVE-2005-3205 (Cross-site scripting (XSS) vulnerability in iSQL*Plus (iSQLPlus) in Or ...) NOT-FOR-US: Oracle CVE-2005-3204 (Cross-site scripting (XSS) vulnerability in Oracle XML DB 9iR2 allows ...) NOT-FOR-US: Oracle CVE-2005-3203 (The manual installation of Oracle HTML DB (HTMLDB) 1.3 through 1.3.6 s ...) NOT-FOR-US: Oracle CVE-2005-3202 (Multiple cross-site scripting (XSS) vulnerabilities in Oracle HTML DB ...) NOT-FOR-US: Oracle CVE-2005-3201 (SQL injection vulnerability in news.php for Utopia News Pro (UNP) 1.1. ...) NOT-FOR-US: Utopia News Pro CVE-2005-3200 (Multiple cross-site scripting (XSS) vulnerabilities in Utopia News Pro ...) NOT-FOR-US: Utopia News Pro CVE-2005-3199 (Multiple SQL injection vulnerabilities in aradmin.asp for aspReady FAQ ...) NOT-FOR-US: aspReady CVE-2005-3198 (Webroot Desktop Firewall before 1.3.0build52 allows local users to dis ...) NOT-FOR-US: Webroot Desktop Firewall CVE-2005-3197 (Stack-based buffer overflow in PWIWrapper.dll for Webroot Desktop Fire ...) NOT-FOR-US: Webroot Desktop Firewall CVE-2005-3196 (Planet Technology Corp FGSW2402RS switch with firmware 1.2 has a defau ...) NOT-FOR-US: Planet Technology switch CVE-2005-3195 REJECTED CVE-2005-3194 (Multiple buffer overflows in ALZip 6.12 (Korean), 6.1 (International), ...) NOT-FOR-US: ALZip CVE-2005-3193 (Heap-based buffer overflow in the JPXStream::readCodestream function i ...) {DSA-984-1 DSA-982-1 DSA-979-1 DSA-961-1 DSA-950-1 DSA-937-1 DSA-936-1 DSA-932-1 DSA-931-1 DTSA-28-1} - xpdf 3.01-3 (bug #342281; bug #342337; medium) - gpdf 2.10.0-1 (bug #342286; medium) - pdftohtml (Vulnerable xpdf code not contained) - kdegraphics 4:3.4.3-4 (bug #342287; medium) NOTE: Previous kdegraphics fix was incomplete - poppler 0.4.2-1.1 (bug #342288; medium) - tetex-bin 3.0-11 (bug #342292; medium) - koffice (Vulnerable xpdf code not contained) - libextractor 0.5.8-1 (medium) - cupsys 1.1.23-13 (unimportant) - cups 1.1.23-13 (unimportant) - pdfkit.framework 0.8-4 CVE-2005-3192 (Heap-based buffer overflow in the StreamPredictor function in Xpdf 3.0 ...) {DSA-1019-1 DSA-983-1 DSA-962-1 DSA-961-1 DSA-950-1 DSA-940-1 DSA-937-1 DSA-936-1 DSA-932-1 DSA-931-1} - xpdf 3.01-3 (bug #342281; bug #342337; medium) - gpdf 2.10.0-1 (bug #342286; medium) - pdftohtml 0.36-12 (bug #342289; medium) - kdegraphics 4:3.4.3-4 (bug #342287; medium) NOTE: Previous kdegraphics fix was incomplete - poppler 0.4.3-2 (bug #342288; medium) NOTE: Intial poppler patch in 0.4.2-1.1 was incomplete - tetex-bin 3.0-11 (bug #342292; medium) - koffice 1:1.4.2-5 (bug #342294; medium) - libextractor 0.5.8-1 (medium) - cupsys 1.1.23-13 (unimportant) - cups 1.1.23-13 (unimportant) - pdfkit.framework 0.8-4 CVE-2005-3191 (Multiple heap-based buffer overflows in the (1) DCTStream::readProgres ...) {DSA-984-1 DSA-983-1 DSA-982-1 DSA-979-1 DSA-962-1 DSA-961-1 DSA-950-1 DSA-940-1 DSA-938-1 DSA-937-1 DSA-936-1 DSA-932-1 DSA-931-1} - xpdf 3.01-3 (bug #342281; bug #342337; medium) - gpdf 2.10.0-1 (bug #342286; medium) - pdftohtml 0.36-12 (bug #342289; medium) - kdegraphics 4:3.4.3-4 (bug #342287; medium) NOTE: Previous kdegraphics fix was incomplete - pdfkit.framework 0.8-4 - poppler 0.4.2-1.1 (bug #342288; medium) - tetex-bin 3.0-11 (bug #342292; medium) - koffice 1:1.4.2-5 (bug #342294; medium) - libextractor 0.5.8-1 (medium) - cups 1.1.23-13 (unimportant) - cupsys 1.1.23-13 (unimportant) CVE-2005-3190 (Buffer overflow in Computer Associates (CA) iGateway 3.0 and 4.0 befor ...) NOT-FOR-US: iGateway CVE-2005-3189 (Directory traversal vulnerability in Qualcomm WorldMail IMAP Server al ...) NOT-FOR-US: Qualcomm WorldMail IMAP Server CVE-2005-3188 (Buffer overflow in Nullsoft Winamp 5.094 allows remote attackers to ex ...) NOT-FOR-US: Winamp CVE-2005-3187 (The listening daemon in Blue Coat Systems Inc. WinProxy before 6.1a al ...) NOT-FOR-US: WinProxy CVE-2005-3186 (Integer overflow in the GTK+ gdk-pixbuf XPM image rendering library in ...) {DSA-913-1 DSA-911-1} - gtk+2.0 2.6.10-2 (bug #339431; medium) - gdk-pixbuf 0.22.0-11 (bug #339431; bug #339458; medium) CVE-2005-3184 (Buffer overflow vulnerability in the unicode_to_bytes in the Service L ...) [woody] - ethereal (Affects only Ethereal 0.10.10 to 0.10.12) - ethereal 0.10.13-1 (bug #334880; medium) NOTE: Sarge is vulnerable CVE-2005-3183 (The HTBoundary_put_block function in HTBound.c for W3C libwww (w3c-lib ...) - w3c-libwww 5.4.0-11 (bug #334443; low) [sarge] - w3c-libwww (Minor DoS) CVE-2005-3182 (Buffer overflow in the HTTP management interface for GFI MailSecurity ...) NOT-FOR-US: GFI MailSecurity CVE-2005-XXXX [xscreensaver does not maintain screen locks during upgrade] - xscreensaver 4.23-2 (bug #334193; low) [sarge] - xscreensaver (Unproblematic for users running stable) CVE-2005-3185 (Stack-based buffer overflow in the ntlm_output function in http-ntlm.c ...) {DSA-919-2} - wget 1.10.2-1 (medium) [sarge] - wget (Does not contain NTML authentication code) [woody] - wget (Does not contain NTML authentication code) - curl 7.15.0-1 (bug #333734; medium) CVE-2005-3239 (The OLE2 unpacker in clamd in Clam AntiVirus (ClamAV) 0.87-1 allows re ...) {DSA-887-1 DTSA-21-1} - clamav 0.87.1-1 (bug #333566; medium) CVE-2005-3181 (The audit system in Linux kernel 2.6.6, and other versions before 2.6. ...) {DSA-1017-1} - linux-2.6 2.6.13+2.6.14-rc4-0experimental1 (low) - kernel-source-2.4.27 (2.4 kernels don't have CONFIG_AUDITSYSCALL) CVE-2005-XXXX [Missing safemode checks in PHP's _php_image_output functions] - php5 5.0.5-2 (unimportant) - php4 4:4.4.0-3 (unimportant) NOTE: Safe mode violations not supported CVE-2005-3180 (The Orinoco driver (orinoco.c) in Linux kernel 2.6.13 and earlier does ...) {DSA-1017-1} - linux-2.6 2.6.13+2.6.14-rc4-0experimental.1 (medium) CVE-2005-3119 (Memory leak in the request_key_auth_destroy function in request_key_au ...) - linux-2.6 2.6.13-2 (low) - kernel-source-2.4.27 NOTE: 2.6.12 itself not affected, fixed in SVN CVE-2005-3179 (drm.c in Linux kernel 2.6.10 to 2.6.13 creates a debug file in sysfs w ...) - linux-2.6 2.6.13+2.6.14-rc4-0experimental.1 (medium) - kernel-source-2.4.27 CVE-2005-3178 (Buffer overflow in xloadimage 4.1 and earlier, and xli, might allow us ...) {DSA-859-1 DSA-858-1} - xloadimage 4.1-15 (bug #332524; medium) - xli 1.17.0-20 (medium) NOTE: xli couldn't load the provided test images when I checked? CVE-2005-3302 (Eval injection vulnerability in bvh_import.py in Blender 2.36 allows a ...) {DSA-1039-1} - blender 2.37a-1 (bug #330895; medium) [woody] - blender (Woody's blender does not contain the bvh_import.py script) CVE-2005-3177 (CHKDSK in Microsoft Windows 2000 before Update Rollup 1 for SP4, Windo ...) NOT-FOR-US: Microsoft CVE-2005-3176 (Microsoft Windows 2000 before Update Rollup 1 for SP4 does not record ...) NOT-FOR-US: Microsoft CVE-2005-3175 (Microsoft Windows 2000 before Update Rollup 1 for SP4 allows a local a ...) NOT-FOR-US: Microsoft CVE-2005-3174 (Microsoft Windows 2000 before Update Rollup 1 for SP4 allows users to ...) NOT-FOR-US: Microsoft CVE-2005-3173 (Microsoft Windows 2000 before Update Rollup 1 for SP4 does not apply g ...) NOT-FOR-US: Microsoft CVE-2005-3172 (The WideCharToMultiByte function in Microsoft Windows 2000 before Upda ...) NOT-FOR-US: Microsoft CVE-2005-3171 (Microsoft Windows 2000 before Update Rollup 1 for SP4 records Event ID ...) NOT-FOR-US: Microsoft CVE-2005-3170 (The LDAP client on Microsoft Windows 2000 before Update Rollup 1 for S ...) NOT-FOR-US: Microsoft CVE-2005-3169 (Microsoft Windows 2000 before Update Rollup 1 for SP4, when the "audit ...) NOT-FOR-US: Microsoft CVE-2005-3168 (The SECEDIT command on Microsoft Windows 2000 before Update Rollup 1 f ...) NOT-FOR-US: Microsoft CVE-2005-3167 (Incomplete blacklist vulnerability in MediaWiki before 1.4.11 does not ...) - mediawiki 1.4.11-1 (bug #332408; medium) CVE-2005-3166 (Unspecified vulnerability in "edit submission handling" for MediaWiki ...) - mediawiki 1.4.11-1 (bug #332408) CVE-2005-3165 (Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki befor ...) - mediawiki 1.4.9 CVE-2005-3164 (The AJP connector in Apache Tomcat 4.0.1 through 4.0.6 and 4.1.0 throu ...) NOT-FOR-US: Hitachi Cosminexus Application Server CVE-2005-3163 (Unspecified vulnerability in Polipo 0.9.8 and earlier allows attackers ...) - polipo 0.9.9-1 (bug #332411; low) [sarge] - polipo (Minor issue) CVE-2005-3162 REJECTED CVE-2005-3161 (Multiple SQL injection vulnerabilities in PHP-Fusion before 6.00.110 a ...) NOT-FOR-US: PHP-Fusion CVE-2005-3160 (Multiple SQL injection vulnerabilities in photogallery.php in PHP-Fusi ...) NOT-FOR-US: PHP-Fusion CVE-2005-3159 (SQL injection vulnerability in messages.php in PHP-Fusion allows remot ...) NOT-FOR-US: PHP-Fusion CVE-2005-3158 (SQL injection vulnerability in messages.php in PHP-Fusion 6.00.106 and ...) NOT-FOR-US: PHP-Fusion CVE-2005-3157 (SQL injection vulnerability in messages.php in PHP-Fusion 6.00.109 all ...) NOT-FOR-US: PHP-Fusion CVE-2005-3156 (Directory traversal vulnerability in printfaq.php in EasyGuppy (Guppy ...) NOT-FOR-US: EasyGuppy CVE-2005-3155 (Buffer overflow in the W3C logging for MailEnable Enterprise 1.1 and P ...) NOT-FOR-US: MailEnable Enterprise CVE-2005-3154 (Format string vulnerability in the logging functionality in BitDefende ...) NOT-FOR-US: Bitdefender Antivirus CVE-2005-3153 (login.php in myBloggie 2.1.3 beta and earlier allows remote attackers ...) NOT-FOR-US: MyBloggie CVE-2005-3152 (Multiple cross-site scripting (XSS) vulnerabilities in CubeCart 3.0.3 ...) NOT-FOR-US: CubeCart CVE-2005-3151 (Buffer overflow in blenderplay in Blender Player 2.37a allows attacker ...) - blender (bug #332413; unimportant) NOTE: To exploit this an attacker would need to trick a user into opening a file NOTE: with a very suspicious file, no automatic processing of Blender files NOTE: This might even be fixed in 2.42 CVE-2005-3150 (Format string vulnerability in the Log_Flush function in Weex 2.6.1.5, ...) {DSA-855-1} - weex 2.6.1-6sarge1 (bug #332424; medium) CVE-2005-3149 (Uim 0.4.x before 0.4.9.1 and 0.5.0 and earlier does not properly handl ...) {DSA-895-1 DTSA-22-1} - uim 1:0.4.7-2 (bug #331620; medium) CVE-2005-3148 (StoreBackup before 1.19 does not properly set the uid and guid for sym ...) {DSA-1022-1} - storebackup 1.19-1 (bug #332434) CVE-2005-3147 (StoreBackup before 1.19 creates the backup root with world-readable pe ...) {DSA-1022-1} - storebackup 1.19-1 (bug #332434; medium) CVE-2005-3146 (StoreBackup before 1.19 allows local users to perform unauthorized ope ...) {DSA-1022-1} - storebackup 1.19-2 (bug #332434; medium) NOTE: The upstream fix only mitigated the issue, but didn't fix it CVE-2005-3145 (httpAdapter.c in sblim-sfcb before 0.9.2 allows remote attackers to ca ...) NOT-FOR-US: Standard Based Linux Instrumentation CVE-2005-3144 (httpAdapter.c in sblim-sfcb before 0.9.2 allows remote attackers to ca ...) NOT-FOR-US: Standard Based Linux Instrumentation CVE-2005-3143 (Unspecified vulnerability in the Mailbox Server for 4D WebStar before ...) NOT-FOR-US: Mailbox Server for 4D WebStar CVE-2005-3142 (Heap-based buffer overflow in Kaspersky Antivirus (KAV) 5.0 and Kasper ...) NOT-FOR-US: Kaspersky Antivirus CVE-2005-3141 (Cerulean Studios Trillian 3.0 allows remote attackers to cause a denia ...) NOT-FOR-US: Cerulean Trillian CVE-2005-3140 (Procom NetFORCE 800 4.02 M10 Build 20 and possibly other versions send ...) NOT-FOR-US: Procom NetFORCE CVE-2005-3137 (The (1) cfmailfilter and (2) cfcron.in files for cfengine 1.6.5 allow ...) {DSA-836-1 DSA-835-1} - cfengine (bug #332433; low) - cfengine2 2.1.17-1 (bug #332432; low) NOTE: maintainer does not think it's a hole, script is unused/broken CVE-2005-3136 (Directory traversal vulnerability in Virtools Web Player 3.0.0.100 and ...) NOT-FOR-US: Virtools Web Player CVE-2005-3135 (Buffer overflow in Virtools Web Player 3.0.0.100 and earlier allows re ...) NOT-FOR-US: Virtools Web Player CVE-2005-3134 (Citrix Metaframe Presentation Server 3.0 and 4.0 allows remote attacke ...) NOT-FOR-US: Citrix CVE-2005-3133 (Multiple directory traversal vulnerabilities in MERAK Mail Server 8.2. ...) NOT-FOR-US: MERAK Mail Server CVE-2005-3132 (MERAK Mail Server 8.2.4r with Icewarp Web Mail 5.5.1, and possibly ear ...) NOT-FOR-US: MERAK Mail Server CVE-2005-3131 (Multiple cross-site scripting (XSS) vulnerabilities in MERAK Mail Serv ...) NOT-FOR-US: MERAK Mail Server CVE-2005-3130 (SQL injection vulnerability in lucidCMS 1.0.11 allows remote attackers ...) NOT-FOR-US: lucidCMS CVE-2005-3129 (Cross-site request forgery (CSRF) vulnerability in Serendipity 0.8.4 a ...) - serendipity 1.0-1 CVE-2005-3128 (Cross-site scripting (XSS) vulnerability in add.php in Address Add Plu ...) NOT-FOR-US: Address Add Plugin for Squirrelmail CVE-2005-3127 (Cross-site scripting (XSS) vulnerability in index.php in lucidCMS 1.0. ...) NOT-FOR-US: lucidCMS CVE-2005-3126 (The (1) kantiword (kantiword.sh) and (2) gantiword (gantiword.sh) scri ...) {DSA-945-1} - antiword 0.35-2 (low) CVE-2005-3125 REJECTED CVE-2005-3124 (syslogtocern in Acme thttpd before 2.23 allows local users to write ar ...) {DSA-883-1} - thttpd 2.23beta1-4 CVE-2005-3123 (Directory traversal vulnerability in GNUMP3D before 2.9.6 allows remot ...) {DSA-877-1} - gnump3d 2.9.6-1 (medium) CVE-2005-3122 REJECTED CVE-2005-3121 (A rule file in module-assistant before 0.9.10 causes a temporary file ...) {DSA-867-1} - module-assistant 0.9.10 CVE-2005-3120 (Stack-based buffer overflow in the HTrjis function in Lynx 2.8.6 and e ...) {DSA-1085-1 DSA-876-1 DSA-874-1} - lynx 2.8.5-2sarge1 (bug #335033; high) - lynx-cur 2.8.6-16 (bug #334423; high) - lynx-ssl CVE-2005-3118 (Mason before 1.0.0 does not install the init script after the user use ...) {DSA-845-1} - mason 1.0.0-3 CVE-2005-3117 REJECTED CVE-2005-3116 (Stack-based buffer overflow in a shared library as used by the Volume ...) NOT-FOR-US: VERITAS Backup CVE-2005-3115 (mpeg-tools before 1.5b-r2 creates multiple temporary files insecurely, ...) NOT-FOR-US: mpeg-tools CVE-2005-3114 (Buffer overflow in the ActiveX control for NateOn Messenger (NateonDow ...) NOT-FOR-US: NateOn Messenger CVE-2005-3113 (The ActiveX control for NateOn Messenger (NateonDownloadManager.ocx) a ...) NOT-FOR-US: NateOn Messenger CVE-2005-3112 (The "reset password" feature in Macromedia Breeze 5.0 stores passwords ...) NOT-FOR-US: Macromedia Breeze CVE-2005-3110 (Race condition in ebtables netfilter module (ebtables.c) in Linux 2.6, ...) {DSA-922-1} - linux-2.6 (Fixed before upload into archive; 2.6.11.11) - kernel-source-2.4.27 CVE-2005-3109 (The HFS and HFS+ (hfsplus) modules in Linux 2.6 allow attackers to cau ...) {DSA-922-1} - linux-2.6 (Fixed before upload into archive; 2.6.11.12) - kernel-source-2.4.27 CVE-2005-3108 (mm/ioremap.c in Linux 2.6 on 64-bit x86 systems allows local users to ...) {DSA-922-1} - linux-2.6 (Fixed before upload into archive; 2.6.11.12) - kernel-source-2.4.27 CVE-2005-3107 (fs/exec.c in Linux 2.6, when one thread is tracing another thread that ...) {DSA-922-1} - linux-2.6 (Fixed before upload into archive; in 2.6.11) - kernel-source-2.4.27 CVE-2005-3106 (Race condition in Linux 2.6, when threads are sharing memory mapping v ...) {DSA-922-1} - linux-2.6 (Fixed before upload into archive; 2.6.11) CVE-2005-3105 (The mprotect code (mprotect.c) in Linux 2.6 on Itanium IA64 Montecito ...) {DSA-922-1} - kernel-source-2.4.27 (bug #332569; unimportant) NOTE: Montecito CPUs are not available on the market yet - linux-2.6 2.6.12-1 CVE-2005-XXXX [Minor local DoS as libldap] - openldap 2.4.13 (bug #253838; low) - openldap2.3 [lenny] - openldap (Minor issue) [etch] - openldap2.3 (Minor issue) CVE-2005-XXXX [Insecure bounds checking in mpack's content parser] - mpack 1.6-1 (bug #216566) CVE-2005-XXXX [coreutils ignores umask when using -m in mkdir, mkfifo and mknod] - coreutils 5.93-1 (bug #306076; low) [sarge] - coreutils (Minor issue, hardly exploitable) [woody] - coreutils (Minor issue, hardly exploitable) CVE-2005-XXXX [tar's rmt command may have undesired side effects] - tar (bug #290435; unimportant) [sarge] - tar (Hardly exploitable) CVE-2004-XXXX [Unspecified buffer overflow in libmng] - libmng 1.0.8-1 (bug #250106) CVE-2004-XXXX [Multiple buffer overflows in isoqlog] - isoqlog 2.2-0.1 (bug #254101; bug #202634) CVE-2002-XXXX [libnss-ldap: DoS through truncated DNS queries] - libnss-ldap 199-1 (bug #169793) CVE-2005-3752 (Unspecified vulnerability in ldapdiff before 1.1.1 has unknown impact ...) - ldapdiff (The version in Debian doesn't contain the vulnerable code, see #306878) CVE-2004-XXXX [asciijump: /var/games/asciijump world writable] - asciijump 0.0.6-1.2 (bug #269186) CVE-2004-XXXX [Barrendero spool world-readable] - barrendero 1.1-1 (bug #279163) CVE-2005-XXXX [hdup inproperly preserves permissions on directories] - hdup 2.0.14-2 (bug #302790; low) NOTE: Minor issue, workaround and patch documented since version above [sarge] - hdup (Mostly a design limitation, very limited security implications) CVE-2001-XXXX [crypt++ passes passwords through the command line] - crypt++el 2.91-2.1 (bug #105562; low) CVE-2004-XXXX [Two vulnerabilities in sredird] - sredird 2.2.1-1.1 (bug #267098) CVE-2003-XXXX [fuzz: Insecure temp file usage] - fuzz 0.6-7.1 (bug #183047) CVE-2005-XXXX [DoS triggering endless loops in findutils -follow option] - findutils 4.2.22-1 (bug #313081) [woody] - findutils (Only code between 4.2.18 and 4.2.22 affected) [sarge] - findutils (Only code between 4.2.18 and 4.2.22 affected) CVE-2005-3138 (Bugzilla 2.18rc1 through 2.18.3, 2.19 through 2.20rc2, and 2.21 allows ...) [woody] - bugzilla (Only Bugzilla >= 2.18 is affected) [sarge] - bugzilla (Only Bugzilla >= 2.18 is affected) - bugzilla 2.18.4-1 (bug #331206; medium) CVE-2005-3139 (Bugzilla 2.19.1 through 2.20rc2 and 2.21, with user matching turned on ...) [woody] - bugzilla (Only Bugzilla >= 2.19 is affected) [sarge] - bugzilla (Only Bugzilla >= 2.19 is affected) - bugzilla 2.18.4-1 (bug #331206; medium) CVE-2005-2966 (The Python SVG import plugin (diasvg_import.py) for DIA 0.94 and earli ...) {DSA-847-1} - dia 0.94.0-15 (bug #330890; medium) CVE-2005-XXXX [Insecure temp files in linux-wlan-ng] - linux-wlan-ng 0.2.0+0.2.1pre21-1.1 (bug #290047; low) CVE-2002-XXXX [sanitizer bypassal through quoted file names] - sanitizer 1.76-1 (bug #149799; medium) [sarge] - sanitizer (Sarge version already fixed) NOTE: This was fixed earlier in fact, but it's unknown when CVE-2005-XXXX [Heap overflow in libosip URI parsing] - libosip2 2.0.9-1 (bug #308737) CVE-2005-XXXX [rkhunter: Insecure temporary file] - rkhunter 1.2.7-14 (bug #330627; medium) CVE-2005-3104 (mt-comments.cgi in Movable Type before 3.2 allows attackers to redirec ...) NOT-FOR-US: Movable Type CVE-2005-3103 (Cross-site scripting (XSS) vulnerability in Movable Type before 3.2 al ...) NOT-FOR-US: Movable Type CVE-2005-3102 (The administrative interface in Movable Type allows attackers to uploa ...) NOT-FOR-US: Movable Type CVE-2005-3101 (The password reset feature in Movable Type before 3.2 generates differ ...) NOT-FOR-US: Movable Type CVE-2005-3100 (Unspecified "PPTP Remote DoS Vulnerability" in Astaro Security Linux 4 ...) NOT-FOR-US: Astato Security Linux CVE-2005-3099 (Unspecified vulnerability in the (1) Xsun and (2) Xprt commands in Sol ...) NOT-FOR-US: Solaris CVE-2005-3098 (poppassd in Qualcomm qpopper 4.0.8 allows local users to modify arbitr ...) - qpopper (bug #330123; Vulnerable code not shipped in binary) CVE-2005-3097 (Directory traversal vulnerability in Avi Alkalay contribute.cgi (aka c ...) NOT-FOR-US: Avi Alkalay CVE-2005-3096 (Avi Alkalay nslookup.cgi program, dated 16 June 2002, allows remote at ...) NOT-FOR-US: Avi Alkalay CVE-2005-3095 (Avi Alkalay notify program, dated 19 Aug 2001, allows remote attackers ...) NOT-FOR-US: Avi Alkalay CVE-2005-3094 (Avi Alkalay man-cgi script allows remote attackers to execute arbitrar ...) NOT-FOR-US: Avi Alkalay CVE-2005-3093 (Nokia 7610 and 3210 phones allows attackers to cause a denial of servi ...) NOT-FOR-US: Nokia cell phones CVE-2005-3092 (Heap-based buffer overflow in Image-Line Software FL Studio 5.0.1 allo ...) NOT-FOR-US: Image-Line Software FL Studio CVE-2005-3091 (Cross-site scripting (XSS) vulnerability in Mantis before 1.0.0rc1 all ...) {DSA-905-1} - mantis 0.19.3-0.1 (bug #330682; low) CVE-2005-3090 (Cross-site scripting (XSS) vulnerability in bug_actiongroup_page.php i ...) - mantis 0.19.2-4 (bug #330682; medium) CVE-2005-3089 (Firefox 1.0.6 allows attackers to cause a denial of service (crash) vi ...) - mozilla-firefox 1.0.7-1 (unimportant) NOTE: Browser crashes not treated as security problems CVE-2005-3088 (fetchmailconf before 1.49 in fetchmail 6.2.0, 6.2.5 and 6.2.5.2 create ...) {DSA-900-3} - fetchmail 6.2.5.4-1 (bug #336096; low) CVE-2005-3111 (The handler code for backupninja 0.8 and earlier creates temporary fil ...) {DSA-827-1} - backupninja 0.8-2 (medium) CVE-2005-XXXX [microcode.ctl downloads microcode w/o user confirmation] - microcode.ctl 0.20080131-1 (bug #282583; unimportant) NOTE: The validity of the microcode is ensure inside the CPU CVE-2001-XXXX [gnupg: inproper flagging of signatures as being local] - gnupg 1.0.7-1 (bug #107374) CVE-2005-3087 (The SecureW2 3.0 TLS implementation uses weak random number generators ...) NOT-FOR-US: SecureW2 TLS CVE-2005-3086 (Directory traversal vulnerability in admin/about.php in contentServ 3. ...) NOT-FOR-US: contentSrv CVE-2005-3085 (Multiple cross-site scripting (XSS) vulnerabilities in rss.php in Rive ...) NOT-FOR-US: Riverdark Studios RSS Syndicator CVE-2005-3084 (Buffer overflow in the TIFF library in the Photo Viewer for Sony PSP 2 ...) NOT-FOR-US: Sony PSP CVE-2005-3083 (Cross-site scripting (XSS) vulnerability in index.php in CMS Made Simp ...) NOT-FOR-US: CMS Made Simple CVE-2005-3082 (SQL injection vulnerability in admin.php in SEO-Board 1.0.2 allows rem ...) NOT-FOR-US: SEO-Board CVE-2005-3081 (wzdftpd 0.5.4 allows remote authenticated users to execute arbitrary c ...) {DSA-1006-1} - wzdftpd 0.5.5-1 (high) CVE-2005-3080 (contrib/example.php in GeSHi before 1.0.7.3 allows remote attackers to ...) NOT-FOR-US: GeSHi CVE-2005-3079 (PunBB before 1.2.8 allows remote attackers to perform "code inclusion" ...) NOT-FOR-US: PunBB CVE-2005-3078 (Cross-site scripting (XSS) vulnerability in PunBB before 1.2.8 allows ...) NOT-FOR-US: PunBB CVE-2005-3077 (Microsoft Internet Explorer 5.2.3 for Mac OS allows remote attackers t ...) NOT-FOR-US: Microsoft CVE-2005-3076 (Simplog 0.9.1 might allow remote attackers to execute arbitrary SQL co ...) NOT-FOR-US: Simplog CVE-2005-3075 (SQL injection vulnerability in Zengaia before 0.2 allows remote attack ...) NOT-FOR-US: Zengaia CVE-2005-3074 (SQL injection vulnerability in rsyslogd in RSyslog before 1.0.1 and be ...) NOT-FOR-US: RSyslog CVE-2005-3073 (Unspecified vulnerability in Interchange 5.0.1 allows attackers 4.9.3, ...) - interchange 5.2.1-1 (bug #329705) CVE-2005-3072 (SQL injection vulnerability in pages/forum/submit.html in Interchange ...) - interchange 5.2.1-1 (bug #329705; medium) CVE-2005-3071 (Unspecified vulnerability in Unix File System (UFS) on Solaris 8 and 9 ...) NOT-FOR-US: Solaris CVE-2005-3070 (HylaFax 4.2.1 and earlier does not create or verify ownership of the U ...) - hylafax 1:4.2.2+rc1 (bug #329384; unimportant) NOTE: This was judged non-exploitable CVE-2005-3069 (xferfaxstats in HylaFax 4.2.1 and earlier allows local users to overwr ...) {DSA-865-1} - hylafax 1:4.2.2+rc1 (bug #329384; low) CVE-2005-3068 (Unspecified vulnerability in Eric Integrated Development Environment ( ...) {DSA-869-1} - eric 3.7.2-1 (bug #330608; medium) CVE-2005-3067 (Cross-site scripting (XSS) vulnerability in perldiver.cgi in PerlDiver ...) NOT-FOR-US: PerlDiver CVE-2005-3066 (Cross-site scripting (XSS) vulnerability in perldiver.pl in PerlDiver ...) NOT-FOR-US: PerlDiver CVE-2005-3065 (MultiTheftAuto 0.5 patch 1 and earlier allows remote attackers to caus ...) NOT-FOR-US: MultiTheftAuto CVE-2005-3064 (MultiTheftAuto 0.5 patch 1 and earlier does not properly verify client ...) NOT-FOR-US: MultiTheftAuto CVE-2005-3063 (SQL injection vulnerability in MailGust 1.9 allows remote attackers to ...) NOT-FOR-US: MailGust CVE-2005-3062 (PHP remote file inclusion vulnerability in index.php in AlstraSoft E-F ...) NOT-FOR-US: AlstraSoft E-Friends CVE-2005-3061 (Multiple stack-based buffer overflows in PowerArchiver 8.10 through 9. ...) NOT-FOR-US: PowerArchiver CVE-2003-XXXX [Insecure temp files in lilo] - lilo 1:22.4-1 (bug #173238; bug #292073; low) CVE-2005-XXXX [Multiple security issues when using distcc without ssh auth] - distcc 2.18.3-3 (bug #298929; low) [sarge] - distcc (Only affects distcc in a very non-standard way not recommended for unstrusted environments) CVE-2004-XXXX [phpwiki shares a cookie for all wikis on a host] - phpwiki 1.3.12p2-1 (bug #282565; medium) CVE-1999-XXXX [Insecure access control on GNU Mach's IO ports] - gnumach 1:20050801-3 (bug #46709) NOTE: Nearly six years old :-) CVE-2005-3060 (Buffer overflow in getconf in IBM AIX 5.2 to 5.3 allows local users to ...) NOT-FOR-US: AIX CVE-2005-3059 (Multiple unspecified vulnerabilities in Opera 8.50 on Linux and Window ...) NOT-FOR-US: Opera CVE-2005-3058 (Interpretation conflict in Fortinet FortiGate 2.8, running FortiOS 2.8 ...) NOT-FOR-US: FortiGate CVE-2005-3057 (The FTP component in FortiGate 2.8 running FortiOS 2.8MR10 and v3beta, ...) NOT-FOR-US: FortiGate CVE-2005-3056 (TWiki allows arbitrary shell command execution via the Include functio ...) - twiki 20040902-2 (bug #330733; high) CVE-2005-3055 (Linux kernel 2.6.8 to 2.6.14-rc2 allows local users to cause a denial ...) {DSA-1017-1} - linux-2.6 2.6.14-1 (bug #330287; bug #332587; medium) - kernel-source-2.4.27 CVE-2005-3054 (fopen_wrappers.c in PHP 4.4.0, and possibly other versions, does not p ...) - php4 4:4.4.0-3 (bug #353585; bug #354685; medium) - php5 5.0.5-2 (bug #353585; medium) [sarge] - php4 (open_basedir violations not supported) CVE-2005-3053 (The sys_set_mempolicy function in mempolicy.c in Linux kernel 2.6.x al ...) {DSA-1017-1} - linux-2.6 2.6.12-3 (bug #330343; bug #330353; medium) CVE-2005-3052 (SQL injection vulnerability in module/down.inc.php in jportal 2.3.1 al ...) NOT-FOR-US: jportal CVE-2005-3051 (Stack-based buffer overflow in the ARJ plugin (arj.dll) 3.9.2.0 for 7- ...) NOT-FOR-US: 7-Zip CVE-2005-3050 (PhpMyFaq 1.5.1 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: PhpMyFaq CVE-2005-3049 (PhpMyFaq 1.5.1 stores data files under the web document root with insu ...) NOT-FOR-US: PhpMyFaq CVE-2005-3048 (Directory traversal vulnerability in index.php in PhpMyFaq 1.5.1 allow ...) NOT-FOR-US: PhpMyFaq CVE-2005-3047 (Multiple cross-site scripting (XSS) vulnerabilities in PhpMyFaq 1.5.1 ...) NOT-FOR-US: PhpMyFaq CVE-2005-3046 (SQL injection vulnerability in password.php in PhpMyFaq 1.5.1 allows r ...) NOT-FOR-US: PhpMyFaq CVE-2005-3045 (SQL injection vulnerability in search.php in My Little Forum 1.5 and 1 ...) NOT-FOR-US: My Little Forum CVE-2003-1232 (Emacs 21.2.1 does not prompt or warn the user before executing Lisp co ...) - emacs21 21.3-1 (bug #286183; medium) CVE-2005-XXXX [egroupware unsafe use of /tmp for storing a log file] - egroupware 1.0.0.009.dfsg-3-1 (bug #329597; low) [sarge] - egroupware (Minor issue) CVE-2005-XXXX [SQL injection vulnerability in egroupware in account deletion] - egroupware 1.0.0.009.dfsg-3-1 (bug #329597; low) [sarge] - egroupware (Minor issue) CVE-2005-XXXX [Insecure pidfile handling in mailleds] - mailleds 0.93-11.1 (bug #329365; low) [sarge] - mailleds (Hardly exploitable) CVE-2005-XXXX [kdebase uses urandom as an entropy source] - kdebase (bug #325369; unimportant) NOTE: Only affects the unofficial BSD/Hurd ports or 2.2 kernels NOTE: on Linux urandom should provide sufficient entropy CVE-2005-3753 (Linux kernel before after 2.6.12 and before 2.6.13.1 might allow attac ...) - linux-2.6 2.6.12-7 (low) CVE-2005-3043 (SQL injection vulnerability in AddItem.asp in Mall23 eCommerce allows ...) NOT-FOR-US: Mall23 eCommerce CVE-2005-3042 (miniserv.pl in Webmin before 1.230 and Usermin before 1.160, when "ful ...) - webmin 1.230-1 (high; bug #329741) [sarge] - webmin (Vulnerable code not present, see #329741) - usermin 1.160-1 (high; bug #329742) NOTE: SNS Advisory 83, http://marc.info:80/?m=112733083203821 CVE-2005-3041 (Unspecified "drag-and-drop vulnerability" in Opera Web Browser before ...) NOT-FOR-US: Opera CVE-2005-3040 (Directory traversal vulnerability in the web interface (ISALogin.dll) ...) NOT-FOR-US: TAC Vista CVE-2005-3039 (SQL injection vulnerability in infopage.asp in Mall23 eCommerce allows ...) NOT-FOR-US: Mall23 eCommerce CVE-2005-3038 (Unspecified vulnerability in Hosting Controller 6.1 before Hotfix 2.4 ...) NOT-FOR-US: Hosting Controller CVE-2005-3037 (Cross-site scripting (XSS) vulnerability in Handy Address Book Server ...) NOT-FOR-US: Handy Address Book Server CVE-2005-3036 (File Transfer Anywhere 3.01 stores sensitive password information in p ...) NOT-FOR-US: File Transfer Anywhere CVE-2005-3035 (Compuware DriverStudio Remote Control service (DSRsvc.exe) 2.7 and 3.0 ...) NOT-FOR-US: Compuware DriverStudio CVE-2005-3034 (Compuware DriverStudio Remote Control service (DSRsvc.exe) 2.7 and 3.0 ...) NOT-FOR-US: Compuware DriverStudio CVE-2005-3033 (Stack-based buffer overflow in vxWeb 1.1.4 allows remote attackers to ...) NOT-FOR-US: vxWeb - WinCE software CVE-2005-3032 (Buffer overflow in vxTftpSrv 1.7.0 allows remote attackers to cause a ...) NOT-FOR-US: vxTfpSrv - WinCE software CVE-2005-3031 (Buffer overflow in vxFtpSrv 0.9.7 allows remote attackers to execute a ...) NOT-FOR-US: vxTfpSrv - WinCE software CVE-2005-3030 (Directory traversal vulnerability in the archive decompression library ...) NOT-FOR-US: Ahnlab Anti virus CVE-2005-3029 (Stack-based buffer overflow in AhnLab V3Pro 2004 build 6.0.0.383, V3 V ...) NOT-FOR-US: Ahnlab Anti virus CVE-2005-3028 REJECTED CVE-2005-3027 (Sybari Antigen 8.0 SR2 does not properly filter SMTP messages, which a ...) NOT-FOR-US: Sybari Antigen anti spam solution CVE-2005-3026 (Directory traversal vulnerability in index.php in Alstrasoft Epay Pro ...) NOT-FOR-US: Epay Pro CVE-2005-3025 (Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 3.0.7 ...) NOT-FOR-US: vBulletin CVE-2005-3024 (Multiple SQL injection vulnerabilities in vBulletin 3.0.7 and earlier ...) NOT-FOR-US: vBulletin CVE-2005-3023 (Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 3.0.9 ...) NOT-FOR-US: vBulletin CVE-2005-3022 (Multiple SQL injection vulnerabilities in vBulletin 3.0.9 and earlier ...) NOT-FOR-US: vBulletin CVE-2005-3021 (image.php in vBulletin 3.0.9 and earlier allows remote attackers with ...) NOT-FOR-US: vBulletin CVE-2005-3020 (Multiple cross-site scripting (XSS) vulnerabilities in vBulletin befor ...) NOT-FOR-US: vBulletin CVE-2005-3019 (Multiple SQL injection vulnerabilities in vBulletin before 3.0.9 allow ...) NOT-FOR-US: vBulletin CVE-2005-3018 (Apple Safari allows remote attackers to cause a denial of service (app ...) NOT-FOR-US: Safari CVE-2005-3017 (PHP file inclusion vulnerability in index.php in Content2Web 1.0.1 all ...) NOT-FOR-US: Content2Web CVE-2005-3016 (Multiple unspecified vulnerabilities in the WYSIWYG editor in PHP-Nuke ...) NOT-FOR-US: PHP-Nuke CVE-2005-3015 (Cross-site scripting (XSS) vulnerability in IBM Lotus Domino 6.5.2 all ...) NOT-FOR-US: Lotus Domino CVE-2005-3014 (Cross-site scripting (XSS) vulnerability in Ensim webplliance allows r ...) NOT-FOR-US: Ensim webppliance CVE-2005-3013 (Buffer overflow in liby2util in Yet another Setup Tool (YaST) for SuSE ...) NOT-FOR-US: YaST CVE-2005-3012 (The MasterDataCD::createImage function in masterdatacd.cpp for SimpleC ...) NOT-FOR-US: SimpleCDR-X CVE-2005-3011 (The sort_offline function for texindex in texinfo 4.8 and earlier allo ...) {DSA-1219} - texinfo 4.8-1 (bug #328365; low) [sarge] - texinfo (Minor issue, hardly exploitable) CVE-2005-3010 (Direct static code injection vulnerability in the flood protection fea ...) NOT-FOR-US: CuteNews CVE-2005-3009 (Cross-site scripting (XSS) vulnerability in CuteNews allows remote att ...) NOT-FOR-US: CuteNews CVE-2005-3008 (Tofu 0.2 allows remote attackers to execute arbitrary Python code via ...) NOT-FOR-US: Tofu CVE-2005-3007 (Opera before 8.50 allows remote attackers to spoof the content type of ...) NOT-FOR-US: Opera CVE-2005-3006 (The mail client in Opera before 8.50 opens attached files from the use ...) NOT-FOR-US: Opera CVE-2005-3005 (Helpdesk Software Hesk allows remote attackers to bypass authenticatio ...) NOT-FOR-US: Helpdesk Software Hesk CVE-2005-3004 (SQL injection vulnerability in Interakt MX Shop 3.2.0 allows remote at ...) NOT-FOR-US: Interakt MX Shop CVE-2005-3003 (SQL injection vulnerability in index.php in NooTopList 1.0.0 release 1 ...) NOT-FOR-US: NooTopList CVE-2005-3002 (Multi-Computer Control System (MCCS) 1.0 allows remote attackers to ca ...) NOT-FOR-US: Multi-Computer Control System CVE-2005-3001 (Unspecified vulnerability in the "tl" driver in Solaris 10 allows loca ...) NOT-FOR-US: Solaris CVE-2005-3000 (Multiple cross-site scripting (XSS) vulnerabilities in viewers/txt.php ...) NOT-FOR-US: PHP Advanced Transfer Manager CVE-2005-2999 (PHP Advanced Transfer Manager 1.30 allows remote attackers to obtain s ...) NOT-FOR-US: PHP Advanced Transfer Manager CVE-2005-2998 (PHP Advanced Transfer Manager 1.30 has a default password for the admi ...) NOT-FOR-US: PHP Advanced Transfer Manager CVE-2005-2997 (Multiple directory traversal vulnerabilities in PHP Advanced Transfer ...) NOT-FOR-US: PHP Advanced Transfer Manager CVE-2005-2996 (Multiple heap-based and stack-based buffer overflows in certain DCOM s ...) NOT-FOR-US: VERITAS storage solutions CVE-2005-2995 (bacula 1.36.3 and earlier allows local users to modify or read sensiti ...) - bacula 1.38.9-1 (bug #329271; low) NOTE: Sarge affected, didn't exist in Woody CVE-2005-2994 (Unspecified vulnerability in the web client for IBM Rational ClearQues ...) NOT-FOR-US: IBM Rational ClearQuest CVE-2005-2993 (Unspecified vulnerability in the FTP Daemon (ftpd) for HP Tru64 UNIX 4 ...) NOT-FOR-US: HP Tru64 CVE-2005-2991 (ncompress 4.2.4 and earlier allows local users to overwrite arbitrary ...) - ncompress (bug #329052; unimportant) NOTE: see bug close message, Debian's ncompress doesn't expose affected scripts CVE-2005-2992 (arc 5.21j and earlier allows local users to overwrite arbitrary files ...) {DSA-843-1} - arc 5.21m-1 (low) CVE-2005-2990 (AuthInfo.java in LineContol Java Client (jlc) before 0.8.1 stores sens ...) NOT-FOR-US: LineControl Java Client CVE-2005-2989 (Multiple SQL injection vulnerabilities in DeluxeBB 1.0 and 1.0.5 allow ...) NOT-FOR-US: DeluxeBB CVE-2005-2988 (HP LaserJet 2430, and possibly other printers that use Jetdirect contr ...) NOT-FOR-US: HP printers CVE-2005-2987 (SQL injection vulnerability in login.php in Digital Scribe 1.4 allows ...) NOT-FOR-US: Digital Scribe CVE-2005-2986 (The v3flt2k.sys driver in AhnLab V3Pro 2004 Build 6.0.0.383, V3 VirusB ...) NOT-FOR-US: AhnLab antivirus and related products CVE-2005-2985 (SQL injection vulnerability in search_result.php in AEwebworks aeDatin ...) NOT-FOR-US: aeDating script CVE-2005-2984 (Avocent CCM console server running firmware 2.1 CCM4850 allows remote ...) NOT-FOR-US: Avocent hardware issue CVE-2005-2983 (SQL injection vulnerability in Oracle Reports that use Lexical Referen ...) NOT-FOR-US: Oracle CVE-2005-2982 (Cross-site scripting (XSS) vulnerability in CompaqHTTPServer 2.1 allow ...) NOT-FOR-US: CompaqHTTPServer CVE-2005-2981 (Cross-site scripting (XSS) vulnerability in Orion 1.3.8 and 1.4.5 allo ...) NOT-FOR-US: Orion CVE-2005-2980 (Cross-site scripting (XSS) vulnerability in index.php in phpoutsourcin ...) NOT-FOR-US: phpoutsourcing Noah's classifieds CVE-2005-2979 (SQL injection vulnerability in index.php in phpoutsourcing Noah's clas ...) NOT-FOR-US: phpoutsourcing Noah's classifieds CVE-2005-2978 (pnmtopng in netpbm before 10.25, when using the -trans option, uses un ...) {DSA-878-1} - netpbm-free 2:10.0-10 CVE-2005-2977 (The SELinux version of PAM before 0.78 r3 allows local users to perfor ...) - pam 0.99.7.1-2 (bug #336344; low) [etch] - pam 0.79-5 [sarge] - pam (Does not contain SELinux support) [woody] - pam (Does not contain SELinux support) CVE-2005-2976 (Integer overflow in io-xpm.c in gdk-pixbuf 0.22.0 in GTK+ before 2.8.7 ...) {DSA-913-1 DSA-911-1} - gdk-pixbuf 0.22.0-11 (bug #339431; medium) - gtk+2.0 2.6.10-2 CVE-2005-2975 (io-xpm.c in the gdk-pixbuf XPM image rendering library in GTK+ before ...) {DSA-913-1 DSA-911-1} - gdk-pixbuf 0.22.0-11 (bug #339431; low) - gtk+2.0 2.6.10-2 (bug #339431; low) CVE-2005-2974 (libungif library before 4.1.0 allows attackers to cause a denial of se ...) {DSA-890-1} - libungif4 4.1.3-4 (bug #337972; unimportant) - giflib 4.1.4-1 (bug #395382; unimportant) NOTE: Just a bug, hardly security implications CVE-2005-2973 (The udp_v6_get_port function in udp.c in Linux 2.6 before 2.6.14-rc5, ...) {DSA-1018-1 DSA-1017-1} - linux-2.6 2.6.13+2.6.14-rc4-0experimental.1 (low) CVE-2005-2972 (Multiple stack-based buffer overflows in the RTF import feature in Abi ...) {DSA-894-1} - abiword 2.4.1-1 (bug #333740; medium) CVE-2005-2971 (Heap-based buffer overflow in the KWord RTF importer for KOffice 1.2.0 ...) {DSA-872-1} - koffice 1:1.3.5-5 (bug #333497; medium) CVE-2005-2970 (Memory leak in the worker MPM (worker.c) for Apache 2, in certain circ ...) - apache2 2.0.55-1 (bug #340337; low) [sarge] - apache2 2.0.54-5sarge2 NOTE: this occurs in the binary package apache2-mpm-worker CVE-2005-2969 (The SSL/TLS server implementation in OpenSSL 0.9.7 before 0.9.7h and 0 ...) {DSA-888-1 DSA-882-1 DSA-881-1 DSA-875-1} - openssl 0.9.8-3 (bug #333500; low) - openssl097 0.9.7g-5 (bug #333500; low) - openssl094 - openssl095 - openssl096 CVE-2005-2968 (Firefox 1.0.6 and Mozilla 1.7.10 allows attackers to execute arbitrary ...) {DSA-868-1} - mozilla-firefox (Debian ships a non-vulnerable wrapper script) - mozilla (Debian ships a non-vulnerable wrapper script) - mozilla-thunderbird 1.0.6-4 (bug #329667; bug #329664; high) CVE-2005-2967 (Format string vulnerability in input_cdda.c in xine-lib 1-beta through ...) {DSA-863-1} - xine-lib 1.0.1-1.4 (bug #332919; bug #333682; medium) CVE-2005-2965 REJECTED CVE-2005-2964 (Stack-based buffer overflow in AbiWord before 2.2.10 allows attackers ...) {DSA-894-1} - abiword 2.2.10-1 (bug #329839; medium) CVE-2005-2963 (The mod_auth_shadow module 1.0 through 1.5 and 2.0 for Apache with Aut ...) {DSA-844-1} - mod-auth-shadow 1.4-2 (bug #323789; medium) CVE-2005-2962 (The post-installation script for ntlmaps before 0.9.9 sets world-reada ...) {DSA-830-1} - ntlmaps 0.9.9-4 CVE-2005-2961 (Buffer overflow in the get_string_ahref function for ProZilla 1.3.7.4 ...) {DSA-834-1} NOTE: prozilla is not in sarge or etch CVE-2005-2960 (cfengine 1.6.5 and 2.1.16 allows local users to overwrite arbitrary fi ...) {DSA-836-1 DSA-835-1} - cfengine (bug #332433; low) - cfengine2 2.1.17-1 (bug #332432; low) NOTE: maintainer does not think it's a hole, script is unused/broken CVE-2005-2959 (Incomplete blacklist vulnerability in sudo 1.6.8 and earlier allows lo ...) {DSA-870-1} - sudo 1.6.8p9-3 (medium) CVE-2005-2958 (Multiple format string vulnerabilities in the GNOME Data Access librar ...) {DSA-871-1} - libgda2 1.2.2-1 (medium) CVE-2005-2957 (Stack-based buffer overflow in AVIRA Desktop for Windows 1.00.00.68 wi ...) NOT-FOR-US: AVIRA Desktop CVE-2005-2956 (ATutor 1.5.1, and possibly earlier versions, stores temporary chat log ...) NOT-FOR-US: ATutor CVE-2005-2955 (config.inc.php in ATutor 1.5.1, and possibly earlier versions, uses an ...) NOT-FOR-US: ATutor CVE-2005-2954 (SQL injection vulnerability in password_reminder.php in ATutor before ...) NOT-FOR-US: ATutor CVE-2005-2953 (Cross-site scripting (XSS) vulnerability in merchant.mvc in MIVA Merch ...) NOT-FOR-US: MIVA Merchant CVE-2005-2952 (Directory traversal vulnerability in s.pl in Subscribe Me Pro 2.044.09 ...) NOT-FOR-US: Subscribe Me Pro CVE-2005-2951 (Directory traversal vulnerability in security.inc.php in AzDGDatingLit ...) NOT-FOR-US: AzDGDating lite CVE-2005-2950 (Cross-site scripting (XSS) vulnerability in Sawmill 7.0.0 through 7.1. ...) NOT-FOR-US: Sawmill CVE-2005-2949 (pam_per_user before 0.4 does not verify if the user name changes betwe ...) NOT-FOR-US: pam_per_user (not in Debian) CVE-2005-2948 (KillProcess 2.20 and earlier allows local users to bypass kill list re ...) NOT-FOR-US: KillProcess CVE-2005-2947 (Buffer overflow in KillProcess 2.20 and earlier allows user-assisted a ...) NOT-FOR-US: KillProcess CVE-2005-2946 (The default configuration on OpenSSL before 0.9.8 uses MD5 for creatin ...) - openssl 0.9.8-1 (bug #314465; unimportant) NOTE: MD5 is still good enough for most applications, second preimage attacks NOTE: haven't been presented yet CVE-2005-2944 (The perform_file_save function in GNOME Workstation Command Center (gw ...) NOT-FOR-US: GNOME Workstation Command Center CVE-2005-2943 (Stack-based buffer overflow in sendmail in XMail before 1.22 allows re ...) {DSA-902-1} - xmail 1.22-1 (bug #333863; medium) CVE-2005-2942 REJECTED CVE-2005-2941 RESERVED CVE-2005-2940 (Unquoted Windows search path vulnerability in Microsoft Antispyware 1. ...) NOT-FOR-US: Microsoft Antispyware CVE-2005-2939 (Unquoted Windows search path vulnerability in VMWare Workstation 5.0.0 ...) NOT-FOR-US: VMWare CVE-2005-2938 (Unquoted Windows search path vulnerability in iTunesHelper.exe in iTun ...) NOT-FOR-US: iTunes CVE-2005-2937 REJECTED CVE-2005-2936 (Unquoted Windows search path vulnerability in RealNetworks RealPlayer ...) NOT-FOR-US: Real Player CVE-2005-2935 (Unquoted Windows search path vulnerability in Microsoft AntiSpyware mi ...) NOT-FOR-US: Microsoft AntiSpyware CVE-2005-2934 (Unspecified vulnerability in ptrace in SCO UnixWare 7.1.3 and 7.1.4 al ...) NOT-FOR-US: SCO CVE-2005-2933 (Buffer overflow in the mail_valid_net_parse_work function in mail.c fo ...) {DSA-861-1} - uw-imap 7:2002edebian1-12 (medium; bug #332215) - pine 4.64-1 (medium; bug #348407) - alpine (alpine is based on pine 4.64, this bug was in a previous version of pine) [sarge] - pine (pine is non-free; doesn't permit distribution of modified binaries) CVE-2005-2932 (Multiple Check Point Zone Labs ZoneAlarm products before 7.0.362, incl ...) NOT-FOR-US: Check Point Zone Labs ZoneAlarm CVE-2005-2931 (Format string vulnerability in the SMTP service in IMail Server 8.20 i ...) NOT-FOR-US: Ipswitch Collaboration Suite CVE-2005-2929 (Lynx 2.8.5, and other versions before 2.8.6dev.15, allows remote attac ...) - lynx (Debian's default config is not vulnerable) CVE-2005-2928 RESERVED CVE-2005-2927 (Stack-based buffer overflow in ppp in SCO Unixware 7.1.3 and 7.1.4, an ...) NOT-FOR-US: SCO Unixware CVE-2005-2926 (Stack-based buffer overflow in (1) backupsh and (2) authsh in SCO Open ...) NOT-FOR-US: SCO Unixware CVE-2005-2925 (runpriv in SGI IRIX allows local users to bypass intended restrictions ...) NOT-FOR-US: IRIX CVE-2005-2924 RESERVED CVE-2005-2923 (The IMAP server in IMail Server 8.20 in Ipswitch Collaboration Suite ( ...) NOT-FOR-US: Ipswitch Collaboration Suite CVE-2005-2922 (Heap-based buffer overflow in the embedded player in multiple RealNetw ...) - helix-player 1.0.7-1 (bug #358754; medium) CVE-2005-2921 RESERVED CVE-2005-2916 (Linksys WRT54G 3.01.03, 3.03.6, 4.00.7, and possibly other versions be ...) NOT-FOR-US: Linksys routers CVE-2005-2915 (ezconfig.asp in Linksys WRT54G router 3.01.03, 3.03.6, non-default con ...) NOT-FOR-US: Linksys routers CVE-2005-2914 (ezconfig.asp in Linksys WRT54G router 3.01.03, 3.03.6, non-default con ...) NOT-FOR-US: Linksys routers CVE-2005-2913 REJECTED CVE-2005-2912 (Linksys WRT54G router allows remote attackers to cause a denial of ser ...) NOT-FOR-US: Linksys routers CVE-2005-2911 RESERVED CVE-2005-2910 RESERVED CVE-2005-2909 RESERVED CVE-2005-2908 RESERVED CVE-2005-2907 RESERVED CVE-2005-2906 RESERVED CVE-2005-2905 RESERVED CVE-2005-2904 (Zebedee 2.4.1, when "allowed redirection port" is not set, allows remo ...) NOT-FOR-US: Zebedee CVE-2005-2903 (Heap-based buffer overflow in NOD32 2.5 with nod32.002 1.033 build 112 ...) NOT-FOR-US: NOD32 Anti virus CVE-2005-2902 (SQL injection vulnerability in class-1 Forum Software 0.24.4 allows re ...) NOT-FOR-US: class-1 Forum CVE-2005-2901 (Multiple Cross-site scripting (XSS) vulnerabilities in CjWeb2Mail 3.0 ...) NOT-FOR-US: CjWeb2Mail CVE-2005-2900 (Cross-site scripting (XSS) vulnerability in top.php in CjLinkOut 1.0 a ...) NOT-FOR-US: CjLinkOut CVE-2005-2899 (Multiple cross-site scripting (XSS) vulnerabilities in details.php in ...) NOT-FOR-US: CjTagBoard CVE-2005-2898 NOT-FOR-US: Filezilla CVE-2005-2897 (WEB//NEWS 1.4 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: WEB//NEWS CVE-2005-2896 (SQL injection vulnerability in WEB//NEWS 1.4 allows remote attackers t ...) NOT-FOR-US: WEB//NEWS CVE-2005-2895 (setcookie.php in PBLang 4.65, and possibly earlier versions, allows re ...) NOT-FOR-US: PBLang CVE-2005-2894 (Cross-site scripting (XSS) vulnerability in the user registration in P ...) NOT-FOR-US: PBLang CVE-2005-2893 (Direct static code injection vulnerability in setcookie.php in PBLang ...) NOT-FOR-US: PBLang CVE-2005-2892 (Directory traversal vulnerability in setcookie.php in PBLang 4.65, and ...) NOT-FOR-US: PBLang CVE-2005-2891 (WebArchiveX.dll 5.5.0.76 installed before September 6th, 2005 is marke ...) NOT-FOR-US: WebArchiveX CVE-2005-2890 (SecureOL VE2 1.05.1008 does not properly restrict public access to phy ...) NOT-FOR-US: SecureOL CVE-2005-2889 (Check Point NGX R60 does not properly verify packets against the prede ...) NOT-FOR-US: Check Point CVE-2005-2888 (Multiple SQL injection vulnerabilities in MyBulletinBoard (MyBB) Previ ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2005-2887 (MAXdev MD-Pro 1.0.73, and possibly earlier versions, allows remote att ...) NOT-FOR-US: MAXDev MD-Pro CVE-2005-2886 (Multiple cross-site scripting (XSS) vulnerabilities in MAXdev MD-Pro 1 ...) NOT-FOR-US: MAXDev MD-Pro CVE-2005-2885 (The Downloads page in MAXdev MD-Pro 1.0.73, and possibly earlier versi ...) NOT-FOR-US: MAXDev MD-Pro CVE-2005-2884 (Cross-site scripting (XSS) vulnerability in events.php in Land Down Un ...) NOT-FOR-US: Land Down Under CVE-2005-2883 REJECTED CVE-2005-2882 (Multiple cross-site scripting (XSS) vulnerabilities in phpCommunityCal ...) NOT-FOR-US: phpCommunityCalendar CVE-2005-2881 (phpCommunityCalendar 4.0.3 allows remote attackers to bypass authentic ...) NOT-FOR-US: phpCommunityCalendar CVE-2005-2880 (Multiple SQL injection vulnerabilities in phpCommunityCalendar 4.0.3, ...) NOT-FOR-US: phpCommunityCalendar CVE-2005-2879 (Advansysperu Software USB Lock Auto-Protect (AP) 1.5 uses a weak encry ...) NOT-FOR-US: Advansysperu Software USB Lock Auto-Protect CVE-2005-2945 (arc 5.21j and earlier create temporary files with world-readable permi ...) {DSA-843-1} - arc 5.21m-1 (bug #329053; low) CVE-2005-2917 (Squid 2.5.STABLE10 and earlier, while performing NTLM authentication, ...) {DSA-828-1} - squid 2.5.10-7 NOTE: Patch was added to -6, but not listed in dpatch's list of patches CVE-2005-XXXX [user password file created by gajim is world-readable] - gajim 0.8.2-1 (bug #325080; low) CVE-2005-XXXX [mkzopeinstance.py creates world-readable inituser file] - zope2.7 2.7.8-1 (bug #313644; bug #313621; low) [sarge] - zope2.7 (Inside the responsibility of the admin) CVE-2005-XXXX [wine-safe does not prompt the user/is registered in mailcap] - wine 0.0.20050830-1 (bug #327261; bug #327262; low) [sarge] - wine (Minor issue) CVE-2005-2920 (Buffer overflow in libclamav/upx.c in Clam AntiVirus (ClamAV) before 0 ...) {DSA-824-1 DTSA-19-1} - clamav 0.87-1 (bug #328660; bug #329280; medium) CVE-2005-2919 (libclamav/fsg.c in Clam AntiVirus (ClamAV) before 0.87 allows remote a ...) {DSA-824-1 DTSA-19-1} - clamav 0.87-1 (bug #328660; medium) CVE-2005-2918 (The open_cmd_tube function in mount.c for gtkdiskfree 1.9.3 and earlie ...) {DSA-822-1} - gtkdiskfree 1.9.3-4sarge1 (bug #328566; low) CVE-2005-3044 (Multiple vulnerabilities in Linux kernel before 2.6.13.2 allow local u ...) {DSA-1017-1} - linux-2.6 2.6.12-7 (medium) - kernel-source-2.4.27 (code is vulnerable but there is no amd64 for 2.4 in Sarge) CVE-2005-2877 (The history (revision control) function in TWiki 02-Sep-2004 and earli ...) NOTE: proactively fixed by the robustness patch - twiki 20040902-2 CVE-2005-2876 (umount in util-linux 2.8 to 2.12q, 2.13-pre1, and 2.13-pre2, and other ...) {DSA-825-1 DSA-823-1} - util-linux 2.12p-8 (bug #328141; bug #329063; medium) - loop-aes-utils 2.12p-9 (bug #328626; medium) CVE-2005-2875 (Py2Play allows remote attackers to execute arbitrary Python code via p ...) {DSA-856-1} - py2play 0.1.8-1 (bug #326976; medium) CVE-2005-2874 (The is_path_absolute function in scheduler/client.c for the daemon in ...) - cups 1.1.23-1 - cupsys 1.1.23-1 CVE-2005-2871 (Buffer overflow in the International Domain Name (IDN) support in Mozi ...) {DSA-868-1 DSA-866-1 DSA-837-1} - mozilla-firefox 1.0.6-5 (bug #327452; bug #327802; bug #327366; medium) - mozilla 2:1.7.12-1 (bug #327455; medium) - mozilla-thunderbird 1.0.7-1 NOTE: epiphany-browser is apparently fixed fix the mozilla NOTE: upload; see bug #327366 CVE-2005-2930 (Stack-based buffer overflow in the _chm_find_in_PMGL function in chm_l ...) {DSA-886-1} - chmlib 0.36-1 (bug #327431; medium) CVE-2005-2802 REJECTED CVE-2005-2878 (Format string vulnerability in search.c in the imap4d server in GNU Ma ...) {DSA-841-1 DTSA-20-1} - mailutils 1:0.6.90-3 (bug #327424; high) CVE-2005-2870 (Unknown vulnerability in the net-svc script on Solaris 10 allows remot ...) NOT-FOR-US: Solaris CVE-2005-2869 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin befo ...) {DSA-880-1} - phpmyadmin 4:2.6.4-pl1-1 (bug #327345; bug #328501; medium) CVE-2005-2868 (ZipTorrent 1.3.7.3 stores sensitive information in plaintext in the pr ...) NOT-FOR-US: ZipTorrent CVE-2005-2867 (SQL injection vulnerability in BlueWhaleCRM allows remote attackers to ...) NOT-FOR-US: BlueWhaleCRM CVE-2005-2866 (Mercora IMRadio 4.0.0.0 stores usernames and passwords in plaintext in ...) NOT-FOR-US: Mercora IMRadio CVE-2005-2865 (Multiple PHP remote file inclusion vulnerabilities in aMember Pro 2.3. ...) NOT-FOR-US: aMember Pro CVE-2005-2864 (URBAN 1.5.3_1 allows local users to overwrite arbitrary files via a sy ...) NOT-FOR-US: URBAN CVE-2005-2863 (Cross-site scripting (XSS) vulnerability in openwebmail-main.pl in Ope ...) NOT-FOR-US: OpenWebmail CVE-2005-2862 (ADSL Road Runner modem in the Annex A family has a service running on ...) NOT-FOR-US: ADSL hardware CVE-2005-2861 (Cross-site scripting (XSS) vulnerability in N-Stealth Commercial Editi ...) NOT-FOR-US: N-Stealth CVE-2005-2860 (Cross-site scripting (XSS) vulnerability in Nikto 1.35 and earlier all ...) - nikto 1.35-1.1 (bug #327339; medium) CVE-2005-2859 (Savant Web Server stores user credentials in plaintext in the Savant\U ...) NOT-FOR-US: Savant Web Server CVE-2005-2858 (The Fetch.FetchContact.1 ActiveX control (Fetch.dll) for Rediff Bol 7. ...) NOT-FOR-US: Rediff BOL) CVE-2005-2857 (Free SMTP Server 2.2 allows remote attackers to use the server as an o ...) NOT-FOR-US: Free SMTP Server CVE-2005-2856 (Stack-based buffer overflow in the WinACE UNACEV2.DLL third-party comp ...) NOT-FOR-US: ALZip CVE-2005-2855 (Cross-site scripting (XSS) vulnerability in Unclassified NewsBoard 1.5 ...) NOT-FOR-US: Unclassified Newsboard CVE-2005-2854 (CRLF injection vulnerability in thesitewizard.com chfeedback.pl Feedba ...) NOT-FOR-US: thesitewizard.com chfeedback.pl CVE-2005-2853 (Multiple cross-site scripting (XSS) vulnerabilities in GuppY 4.5.3a an ...) NOT-FOR-US: GuppY CVE-2005-2852 (Unknown vulnerability in CIFS.NLM in Novell Netware 6.5 SP2 and SP3, 5 ...) NOT-FOR-US: Novell Netware CVE-2005-2851 (smb4k 0.4 and other versions before 0.6.3 allows local users to read s ...) {DTSA-25-1} - smb4k 0.6.4-1 (bug #337471; medium) NOTE: fix in 0.6.3-1 was incomplete according to maintainer CVE-2005-2850 (SlimFTPd 3.17 allows remote attackers to cause a denial of service (cr ...) NOT-FOR-US: SlimFTPD CVE-2005-2849 (Argument injection vulnerability in Barracuda Spam Firewall running fi ...) NOT-FOR-US: Barracuda antispam solution CVE-2005-2848 (Directory traversal vulnerability in img.pl in Barracuda Spam Firewall ...) NOT-FOR-US: Barracuda antispam solution CVE-2005-2847 (img.pl in Barracuda Spam Firewall running firmware 3.1.16 and 3.1.17 a ...) NOT-FOR-US: Barracuda antispam solution CVE-2005-2846 (PHP remote file inclusion vulnerability in lang.php in CMS Made Simple ...) NOT-FOR-US: CMS Made Simple CVE-2005-2845 (Ariba Spend Management System sends the username and password to the s ...) NOT-FOR-US: Ariba Spend Management System CVE-2005-2844 (Buffer overflow in MMClient.exe in Indiatimes Messenger 6.0 allows rem ...) NOT-FOR-US: Indiatimes Messenger CVE-2005-2843 (Helpdesk software Hesk 0.92 does not properly verify usernames and pas ...) NOT-FOR-US: Hesk CVE-2005-2842 (Buffer overflow in dwrcs.exe in DameWare Mini Remote Control before 4. ...) NOT-FOR-US: DameWare Mini CVE-2005-2841 (Buffer overflow in Firewall Authentication Proxy for FTP and/or Telnet ...) NOT-FOR-US: IOS CVE-2005-2840 (Multiple unknown vulnerabilities in MAXdev MD-Pro 1.0.72 and earlier h ...) NOT-FOR-US: MAXdev CVE-2005-2839 (Multiple cross-site scripting (XSS) vulnerabilities in MAXdev MD-Pro 1 ...) NOT-FOR-US: MAXdev CVE-2005-2838 (SQL injection vulnerability in login.php in myBloggie 2.1.3-beta and e ...) NOT-FOR-US: myBloggie CVE-2005-2837 (Multiple eval injection vulnerabilities in PlainBlack Software WebGUI ...) NOT-FOR-US: WebGUI CVE-2005-2836 (Multiple cross-site scripting (XSS) vulnerabilities in Phorum 5.0.17a ...) NOT-FOR-US: Phorum CVE-2005-2835 RESERVED CVE-2005-2834 RESERVED CVE-2005-2833 RESERVED CVE-2005-2832 RESERVED CVE-2005-2831 (Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers t ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2005-2830 (Microsoft Internet Explorer 5.01, 5.5, and 6, when using an HTTPS prox ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2005-2829 (Multiple design errors in Microsoft Internet Explorer 5.01, 5.5, and 6 ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2005-2828 RESERVED CVE-2005-2827 (The thread termination routine in the kernel for Windows NT 4.0 and 20 ...) NOT-FOR-US: Windows NT CVE-2005-2826 RESERVED CVE-2005-2825 RESERVED CVE-2005-2824 RESERVED CVE-2005-2823 RESERVED CVE-2005-2822 RESERVED CVE-2005-2821 RESERVED CVE-2005-2820 (Cross-site scripting (XSS) vulnerability in SqWebMail 5.0.4 allows rem ...) {DSA-820-1} - courier 0.47-9 (bug #327181; medium) CVE-2005-2819 (DownFile 1.3 allows remote attackers to gain administrator privileges ...) NOT-FOR-US: DownFile CVE-2005-2818 (Cross-site scripting (XSS) vulnerability in DownFile 1.3 allows remote ...) NOT-FOR-US: DownFile CVE-2005-2817 (Simple Machines Forum (SMF) 1-0-5 and earlier supports the use of URLs ...) NOT-FOR-US: Simple Machines Forum CVE-2005-2816 (Cross-site scripting (XSS) vulnerability in Greymatter allows remote a ...) NOT-FOR-US: Greymatter CVE-2005-2815 (print.php in FlatNuke 2.5.6 allows remote attackers to obtain sensitiv ...) NOT-FOR-US: FlatNuke CVE-2005-2814 (Cross-site scripting (XSS) vulnerability in FlatNuke 2.5.6 allows remo ...) NOT-FOR-US: FlatNuke CVE-2005-2813 (Directory traversal vulnerability in FlatNuke 2.5.6 and possibly earli ...) NOT-FOR-US: FlatNuke CVE-2005-2812 (man2web allows remote attackers to execute arbitrary commands via -P a ...) NOT-FOR-US: man2web CVE-2005-2811 (Untrusted search path vulnerability in Net-SNMP 5.2.1.2 and earlier, o ...) - net-snmp (Gentoo Portage specific configuration flaw) CVE-2005-2810 (Multiple stack-based buffer overflows in urban before 1.5.3 allow loca ...) NOT-FOR-US: urban game CVE-2005-2809 (silc daemon (silcd.c) in Secure Internet Live Conferencing (SILC) 1.0 ...) NOT-FOR-US: silc daemon CVE-2005-2808 (frox 0.7.16 and 0.7.17 does not properly parse certain Deny ACLs, whic ...) - frox 0.7.18-1 (medium) CVE-2005-2807 (frox 0.7.18, when running setuid root, does not properly drop privileg ...) - frox (does not run setuid root in the Debian package) CVE-2005-2806 (client.cpp in BNBT EasyTracker 7.7r3.2004.10.27 and earlier allows rem ...) NOT-FOR-US: BNBT EasyTracker CVE-2005-2805 (forum_post.php in e107 0.6 allows remote attackers to post to non-exis ...) NOT-FOR-US: e107 CVE-2005-2804 (Integer overflow in the registry parsing code in GroupWise 6.5.3, and ...) NOT-FOR-US: GroupWise CVE-2005-2803 (Cross-site scripting (XSS) vulnerability in Hiki 0.8.1 to 0.8.2 allows ...) [sarge] - hiki (code not present in sarge) - hiki 0.8.3-1 CVE-2005-2800 (Memory leak in the seq_file implementation in the SCSI procfs interfac ...) {DSA-1017-1} - linux-2.6 2.6.12-6 (low) - kernel-source-2.4.27 (seq_file introduced in 2.6) CVE-2005-2799 (Buffer overflow in apply.cgi in Linksys WRT54G 3.01.03, 3.03.6, and po ...) NOT-FOR-US: Linksys routers CVE-2005-2798 (sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, ...) - openssh 1:4.2p1-1 (bug #326065; unimportant) NOTE: Not enabled in the binary build, see #326065 - openssh-krb5 (bug #327233; medium) [sarge] - openssh-krb5 (Intended bahaviour, see #327233) CVE-2005-2797 (OpenSSH 4.0, and other versions before 4.2, does not properly handle d ...) - openssh 1:4.2p1-1 (bug #326065; unimportant) NOTE: GSSAPI features not activated in binary builds CVE-2005-2796 (The sslConnectTimeout function in ssl.c for Squid 2.5.STABLE10 and ear ...) {DSA-809-1} - squid 2.5.10-5 (medium) CVE-2005-2795 RESERVED CVE-2005-2794 (store.c in Squid 2.5.STABLE10 and earlier allows remote attackers to c ...) {DSA-809-3 DSA-809-1} - squid 2.5.10-5 (medium) CVE-2005-2793 (PHP remote file inclusion vulnerability in welcome.php in phpLDAPadmin ...) [sarge] - phpldapadmin (code not present in sarge) - phpldapadmin 0.9.6c-7 (bug #325785; medium) - egroupware (copy included is older and not vulnerable; bug #339583) CVE-2005-2792 (Directory traversal vulnerability in welcome.php in phpLDAPadmin 0.9.6 ...) [sarge] - phpldapadmin (code not present in sarge) - phpldapadmin 0.9.6c-7 (bug #325785; medium) - egroupware (copy included is older and not vulnerable; bug #339583) CVE-2005-2791 (BFCommand & Control Server Manager BFCC 1.22_A and earlier, and BF ...) NOT-FOR-US: BFCC CVE-2005-2790 (BFCommand & Control Server Manager BFCC 1.22_A and earlier, and BF ...) NOT-FOR-US: BFCC CVE-2005-2789 (BFCommand & Control Server Manager BFCC 1.22_A and earlier, and BF ...) NOT-FOR-US: BFCC CVE-2005-2788 (Multiple SQL injection vulnerabilities in Land Down Under (LDU) 801 an ...) NOT-FOR-US: Land Down Under CVE-2005-2787 (comment_delete_cgi.php in Simple PHP Blog allows remote attackers to d ...) NOT-FOR-US: Simple PHP Blog CVE-2005-2786 (Directory traversal vulnerability in bestmail_edit.cgi in cosmoshop 8. ...) NOT-FOR-US: cosmoshop CVE-2005-2785 (cosmoshop 8.10.78 and earlier stores passwords in plaintext in the dat ...) NOT-FOR-US: cosmoshop CVE-2005-2784 (SQL injection vulnerability in the login function for the administrati ...) NOT-FOR-US: cosmoshop CVE-2005-2783 (Cross-site scripting (XSS) vulnerability in PHP-Fusion 6.00.107 and ea ...) NOT-FOR-US: PHP-Fusion CVE-2005-2782 (PHP remote file inclusion vulnerability in al_initialize.php for AutoL ...) NOT-FOR-US: AutoLinks Pro CVE-2005-2781 (The Avatar upload feature in FUD Forum before 2.7.0 does not properly ...) {DSA-1063-1} - phpgroupware 0.9.16.009-1 (bug #340094; medium) - egroupware 1.0.0.009.dfsg-3-4 (bug #340495; medium) [woody] - phpgroupware (fudforum not included until 0.9.16) NOTE: Sarge affected, woody isn't CVE-2005-2780 (Cross-site scripting (XSS) vulnerability in Land Down Under (LDU) allo ...) NOT-FOR-US: Land Down Under CVE-2005-2779 (The iTAN Online-Banking Security System allows remote attackers to obt ...) NOT-FOR-US: iTAN CVE-2005-2778 (SQL injection vulnerability in member.php in MyBulletinBoard (MyBB) al ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2005-2777 (Looking Glass 20040427 allows remote attackers to execute arbitrary co ...) NOT-FOR-US: Looking Glass CVE-2005-2776 (Multiple cross-site scripting (XSS) vulnerabilities in Looking Glass 2 ...) NOT-FOR-US: Looking Glass CVE-2005-2775 (php_api.php in phpWebNotes 2.0.0 uses the extract function to modify k ...) NOT-FOR-US: Looking Glass CVE-2005-2774 (Format string vulnerability in Lithium II mod 1.24 for Quake 2 allows ...) NOT-FOR-US: Litium Quake mod CVE-2005-2773 (HP OpenView Network Node Manager 6.2 through 7.50 allows remote attack ...) NOT-FOR-US: HP OpenView CVE-2005-2772 (Multiple stack-based buffer overflows in University of Minnesota gophe ...) {DSA-832-1} - gopher 3.0.11 (bug #327722; high) CVE-2005-2771 (WRQ Reflection for Secure IT Windows Server 6.0 (formerly known as F-S ...) NOT-FOR-US: Reflection for Secure IT CVE-2005-2770 (WRQ Reflection for Secure IT Windows Server 6.0 (formerly known as F-S ...) NOT-FOR-US: Reflection for Secure IT CVE-2005-2769 (Cross-site scripting (XSS) vulnerability in SqWebMail 5.0.4 and possib ...) {DSA-820-1} - courier 0.47-9 (bug #327727; medium) CVE-2005-2768 (Heap-based buffer overflow in the Sophos Antivirus Library, as used by ...) NOT-FOR-US: Sophos AntiVirus CVE-2005-2767 (Buffer overflow in LeapFTP allows remote attackers to execute arbitrar ...) NOT-FOR-US: LeapFTP CVE-2005-XXXX [Four potentially DoS exploitable deadlocks and leaks in kernel 2.6] - linux-2.6 2.6.12-6 (low) CVE-2005-2766 (Symantec AntiVirus Corporate Edition 9.0.1.x and 9.0.4.x, and possibly ...) NOT-FOR-US: Symantec AntiVirus CVE-2005-2765 (The user interface in the Windows Firewall does not properly display c ...) NOT-FOR-US: Microsoft Windows CVE-2005-2764 (Multiple buffer overflows in OpenTTD before 0.4.0.1 allow attackers to ...) NOT-FOR-US: OpenTTD CVE-2005-2763 (Multiple format string vulnerabilities in OpenTTD before 0.4.0.1 allow ...) NOT-FOR-US: OpenTTD CVE-2005-2762 (Avaya VPNRemote before 4.2.33 stores credentials in cleartext in proce ...) NOT-FOR-US: VPNRemote CVE-2005-2760 RESERVED CVE-2005-2759 (** SPLIT ** The jlucaller program in LiveUpdate for Symantec Norton An ...) NOT-FOR-US: Symantec Antivirus CVE-2005-2758 (Integer signedness error in the administrative interface for Symantec ...) NOT-FOR-US: Symantec Antivirus CVE-2005-2757 (Heap-based buffer overflow in CoreFoundation in Mac OS X and OS X Serv ...) NOT-FOR-US: Mac OS X CVE-2005-2756 (Apple QuickTime before 7.0.3 allows user-assisted attackers to overwri ...) NOT-FOR-US: Apple QuickTime CVE-2005-2755 (Apple QuickTime Player before 7.0.3 allows user-assisted attackers to ...) NOT-FOR-US: Apple QuickTime CVE-2005-2754 (Integer overflow in Apple QuickTime before 7.0.3 allows user-assisted ...) NOT-FOR-US: Apple QuickTime CVE-2005-2753 (Integer overflow in Apple QuickTime before 7.0.3 allows user-assisted ...) NOT-FOR-US: Apple QuickTime CVE-2005-2752 (An unspecified kernel interface in Mac OS X 10.4.2 and earlier does no ...) NOT-FOR-US: Mac OS X CVE-2005-2751 (memberd in Mac OS X 10.4 up to 10.4.2, in certain situations, does not ...) NOT-FOR-US: Mac OS X CVE-2005-2750 (Software Update in Mac OS X 10.4.2, when the user marks all updates to ...) NOT-FOR-US: Mac OS X CVE-2005-2749 (Unspecified vulnerability in the Finder Get Info window for Mac OS X 1 ...) NOT-FOR-US: Mac OS X CVE-2005-2748 (The malloc function in the libSystem library in Apple Mac OS X 10.3.9 ...) NOT-FOR-US: Mac OS X CVE-2005-2747 (Buffer overflow in ImageIO for Apple Mac OS X 10.4.2, as used by appli ...) NOT-FOR-US: Mac OS X CVE-2005-2746 (Mail.app in Mail for Apple Mac OS X 10.3.9 and 10.4.2 includes message ...) NOT-FOR-US: Mac OS X CVE-2005-2745 (Mail.app in Mail for Apple Mac OS X 10.3.9, when using Kerberos 5 for ...) NOT-FOR-US: Mac OS X CVE-2005-2744 (Buffer overflow in QuickDraw Manager for Apple OS X 10.3.9 and 10.4.2, ...) NOT-FOR-US: Mac OS X CVE-2005-2743 (The Java extensions for QuickTime 6.52 and earlier in Apple Mac OS X 1 ...) NOT-FOR-US: Mac OS X CVE-2005-2742 (SecurityAgent in Apple Mac OS X 10.4.2, under certain circumstances, c ...) NOT-FOR-US: Mac OS X CVE-2005-2741 (Authorization Services in securityd for Apple Mac OS X 10.3.9 allows l ...) NOT-FOR-US: Mac OS X CVE-2005-2740 REJECTED CVE-2005-2739 (Keychain Access in Mac OS X 10.4.2 and earlier keeps a password visibl ...) NOT-FOR-US: Mac OS X CVE-2005-2738 (Java 1.4.2 before 1.4.2 Release 2 on Apple Mac OS X does not prevent m ...) NOT-FOR-US: Java / Apple CVE-2005-2737 (Cross-site scripting (XSS) vulnerability in PhotoPost PHP Pro 5.1 allo ...) NOT-FOR-US: PhotoPost CVE-2005-2736 (Cross-site scripting (XSS) vulnerability in YaPig 0.95 and earlier all ...) NOT-FOR-US: YaPig CVE-2005-2735 (Cross-site scripting (XSS) vulnerability in phpGraphy 0.9.9a and earli ...) NOT-FOR-US: phpGraphy CVE-2005-2734 (Cross-site scripting (XSS) vulnerability in Gallery 1.5.1-RC2 and earl ...) {DSA-1148-1} - gallery 1.5-2 (bug #325285; medium) CVE-2005-2733 (upload_img_cgi.php in Simple PHP Blog (SPHPBlog) does not properly res ...) NOT-FOR-US: Simple PHP Blog CVE-2005-2732 (AWStats 6.4, and possibly earlier versions, allows remote attackers to ...) NOTE: path disclosure, so not very important on debian systems NOTE: unreproducible according to bug #327729 CVE-2005-2731 (Directory traversal vulnerability in Astaro Security Linux 6.0, when u ...) NOT-FOR-US: Astato specific CVE-2005-2730 (The HTTP proxy in Astaro Security Linux 6.0 allows remote attackers to ...) NOT-FOR-US: Astato specific CVE-2005-2729 (The HTTP proxy in Astaro Security Linux 6.0 does not properly filter H ...) NOT-FOR-US: Astato specific CVE-2005-2728 (The byte-range filter in Apache 2.0 before 2.0.54 allows remote attack ...) {DSA-805-1} NOTE: The CVE description is wrong, this has been merged for 2.0.55 - apache2 2.0.54-5 (bug #326435; medium) CVE-2005-2727 (Home Ftp Server 1.0.7 stores sensitive user information and server inf ...) NOT-FOR-US: Home Ftp Server CVE-2005-2726 (Directory traversal vulnerability in Home Ftp Server 1.0.7 allows remo ...) NOT-FOR-US: Home Ftp Server CVE-2005-2725 (The inputtrap utility in QNX RTOS 6.1.0, 6.3, and possibly earlier ver ...) NOT-FOR-US: QNX CVE-2005-2723 (SQL injection vulnerability in auth.php in PaFileDB 3.1, when authmeth ...) NOT-FOR-US: PaFileDB CVE-2005-2722 (Foojan PHP Weblog allows remote attackers to obtain sensitive informat ...) NOT-FOR-US: Foojan PHP Weblog CVE-2005-2721 (Multiple cross-site scripting (XSS) vulnerabilities in (1) index.php o ...) NOT-FOR-US: Foojan PHP Weblog CVE-2005-2720 (Stack-based buffer overflow in the ACE archive decompression library ( ...) NOT-FOR-US: HAURI Antivirus CVE-2005-2719 (Ventrilo 2.1.2 through 2.3.0 allows remote attackers to cause a denial ...) NOT-FOR-US: Ventrilo CVE-2005-2718 (Buffer overflow in ad_pcm.c in MPlayer 1.0pre7 and earlier allows remo ...) NOT-FOR-US: MPlayer CVE-2005-2717 (PHP remote file inclusion vulnerability in WebCalendar before 1.0.1 al ...) {DSA-799-1} - webcalendar 0.9.45-7 (bug #326223; medium) CVE-2005-2715 (Format string vulnerability in the Java user interface service (bpjava ...) NOT-FOR-US: VERITAS NetBackup Data and Business Center CVE-2005-2714 (passwd in Directory Services in Mac OS X 10.3.x before 10.3.9 and 10.4 ...) NOT-FOR-US: Apple CVE-2005-2713 (passwd in Directory Services in Mac OS X 10.3.x before 10.3.9 and 10.4 ...) NOT-FOR-US: Apple CVE-2005-2712 (The LDAP server (nldap.exe) in IBM Lotus Domino before 7.0.1, 6.5.5, a ...) NOT-FOR-US: IBM CVE-2005-2711 (ISS BlackIce 3.6, as used in multiple products including BlackICE PC P ...) NOT-FOR-US: ISS CVE-2005-2710 (Format string vulnerability in Real HelixPlayer and RealPlayer 10 allo ...) {DSA-826-1} NOTE: see http://www.open-security.org/advisories/13 - helix-player 1.0.6-1 (bug #330364; high) CVE-2005-2709 (The sysctl functionality (sysctl.c) in Linux kernel before 2.6.14.1 al ...) {DSA-1018-1 DSA-1017-1} - linux-2.6 2.6.14-3 CVE-2005-2708 (The search_binary_handler function in exec.c in Linux 2.4 kernel on 64 ...) - kernel-source-2.4.27 (amd64/2.4 not supported) CVE-2005-2707 (Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote att ...) {DSA-868-1 DSA-866-1 DSA-838-1} - mozilla-firefox 1.0.7-1 (bug #329778; medium) - mozilla 2:1.7.12-1 (medium) - mozilla-thunderbird 1.0.7-1 CVE-2005-2706 (Firefox before 1.0.7 and Mozilla before Suite 1.7.12 allows remote att ...) {DSA-868-1 DSA-866-1 DSA-838-1} - mozilla-firefox 1.0.7-1 (bug #329778; high) - mozilla 2:1.7.12-1 (high) - mozilla-thunderbird 1.0.7-1 CVE-2005-2705 (Integer overflow in the JavaScript engine in Firefox before 1.0.7 and ...) {DSA-868-1 DSA-866-1 DSA-838-1} - mozilla-firefox 1.0.7-1 (bug #329778; high) - mozilla 2:1.7.12-1 (high) - mozilla-thunderbird 1.0.7-1 CVE-2005-2704 (Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote att ...) {DSA-868-1 DSA-866-1 DSA-838-1} - mozilla-firefox 1.0.7-1 (bug #329778; medium) - mozilla 2:1.7.12-1 (medium) - mozilla-thunderbird 1.0.7-1 CVE-2005-2703 (Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote att ...) {DSA-868-1 DSA-866-1 DSA-838-1} - mozilla-firefox 1.0.7-1 (bug #329778; medium) - mozilla 2:1.7.12-1 (medium) - mozilla-thunderbird 1.0.7-1 CVE-2005-2702 (Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote att ...) {DSA-868-1 DSA-866-1 DSA-838-1} - mozilla-firefox 1.0.7-1 (bug #329778; high) - mozilla 2:1.7.12-1 (high) - mozilla-thunderbird 1.0.7-1 CVE-2005-2701 (Heap-based buffer overflow in Firefox before 1.0.7 and Mozilla Suite b ...) {DSA-868-1 DSA-866-1 DSA-838-1} - mozilla-firefox 1.0.7-1 (bug #329778; medium) - mozilla 2:1.7.12-1 (bug #329778; medium) - mozilla-thunderbird 1.0.7-1 CVE-2005-2700 (ssl_engine_kernel.c in mod_ssl before 2.8.24, when using "SSLVerifyCli ...) {DSA-807-1 DSA-805-1} - libapache-mod-ssl 2.8.24-1 (medium) - apache2 2.0.54-5 (bug #327210; medium) CVE-2005-2699 (Unrestricted file upload vulnerability in admin/admin.php in PHPKit 1. ...) NOT-FOR-US: PHPKit CVE-2005-2698 (Cross-site scripting (XSS) vulnerability in browse.php in Nephp Publis ...) NOT-FOR-US: Nephp Publisher Enterprise CVE-2005-2697 (SQL injection vulnerability in search.php for MyBulletinBoard (MyBB) 1 ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2005-2696 (IBM Lotus Notes does not properly restrict access to password hashes i ...) NOT-FOR-US: Notes CVE-2005-2695 (Unspecified vulnerability in the SSL certificate checking functionalit ...) NOT-FOR-US: Cisco CVE-2005-2694 (Buffer overflow in WinAce 2.6.0.5, and possibly earlier versions, allo ...) NOT-FOR-US: WinAce CVE-1999-1586 (loadmodule in SunOS 4.1.x, as used by xnews, does not properly sanitiz ...) NOT-FOR-US: SunOS CVE-1999-1585 (The (1) rcS and (2) mountall programs in Sun Solaris 2.x, possibly bef ...) NOT-FOR-US: Solaris CVE-1999-1584 (Unknown vulnerability in (1) loadmodule, and (2) modload if modload is ...) NOT-FOR-US: SunOS CVE-2005-2724 (Cross-site scripting (XSS) vulnerability in SqWebMail 5.0.4 allows rem ...) {DSA-793-1} - courier 0.47-8 (medium; bug #325631) CVE-2005-2801 (xattr.c in the ext2 and ext3 file system code for Linux kernel 2.6 doe ...) {DSA-922-1 DSA-921-1} - linux-2.6 (Fixed before upload into archive; 2.6.11) CVE-2005-2873 (The ipt_recent kernel module (ipt_recent.c) in Linux kernel 2.6.12 and ...) [sarge] - kernel-source-2.4.27 (Unfixable design issues) [sarge] - kernel-source-2.6.8 (Unfixable design issues) - kernel-source-2.6.8 (bug #332231; low) - linux-2.6 2.6.18-1 (bug #332381; low) NOTE: Dave Miller didn't like the proposed fix and considers a complete rewrite NOTE: of ipt_recent the best solution, which seems to occur soon CVE-2005-2872 (The ipt_recent kernel module (ipt_recent.c) in Linux kernel before 2.6 ...) {DSA-922-1 DSA-921-1} - kernel-source-2.4.27 2.4.27-11 (bug #322237; medium) - linux-2.6 2.6.12-1 CVE-2005-2761 (Cross-site scripting (XSS) vulnerability in phpGroupWare 0.9.16.000 al ...) {DSA-798-1} - phpgroupware 0.9.16.008-1 CVE-2005-2716 (The event_pin_code_request function in the btsrv daemon (btsrv.c) in N ...) {DSA-796-1} - affix 2.1.2-3 (bug #325444; medium) CVE-2005-XXXX [Insecure tempfile usage in tleds] - tleds 1.05beta10-9 (bug #276789; low) CVE-2005-2693 (cvsbug in CVS 1.12.12 and earlier creates temporary files insecurely, ...) {DSA-806-1 DSA-802-1} NOTE: cvsbug was removed from the cvs binary package in 1:1.11.5-4. NOTE: The copy in the cvs source package was fixed in 1:1.12.9-15. - cvs 1:1.11.5-4 (bug #325106; low) - gcvs 1.0final-8 (bug #324969; low) CVE-2005-2692 (Multiple SQL injection vulnerabilities in RunCMS 1.2 and earlier allow ...) NOT-FOR-US: RunCMS CVE-2005-2691 (includes/common.php in RunCMS 1.2 and earlier calls the extract functi ...) NOT-FOR-US: RunCMS CVE-2005-2690 (SQL injection vulnerability in the Downloads module in PostNuke 0.760- ...) NOT-FOR-US: PostNuke CVE-2005-2689 (Multiple cross-site scripting (XSS) vulnerabilities in PostNuke 0.760- ...) NOT-FOR-US: PostNuke CVE-2005-2688 (Multiple cross-site scripting (XSS) vulnerabilities in SaveWebPortal 3 ...) NOT-FOR-US: SaveWebPortal CVE-2005-2687 (PHP remote file inclusion vulnerability in SaveWebPortal 3.4 allows re ...) NOT-FOR-US: SaveWebPortal CVE-2005-2686 (Directory traversal vulnerability in SaveWebPortal 3.4 allows remote a ...) NOT-FOR-US: SaveWebPortal CVE-2005-2685 (SaveWebPortal 3.4 allows remote attackers to execute arbitrary PHP cod ...) NOT-FOR-US: SaveWebPortal CVE-2005-XXXX [Insecure temp files in firehol] - firehol 1.231-4 (unimportant) NOTE: Only exploitable inside modified binary installation CVE-2005-2684 (nquser.php in Virtual Edge Netquery 3.11 allows remote attackers to ex ...) NOT-FOR-US: Virtual Edge Netquery CVE-2005-2683 (Multiple SQL injection vulnerabilities in PHPKit 1.6.1 allow remote at ...) NOT-FOR-US: PHPKit CVE-2005-2682 (aspell_setup.php in the SpellChecker plugin in DTLink AreaEdit before ...) NOT-FOR-US: DTLink AreaEdit CVE-2005-2681 (Unspecified vulnerability in the command line processing (CLI) logic i ...) NOT-FOR-US: Cisco CVE-2005-2680 (Unspecified vulnerability in BEA WebLogic Portal 8.1 through SP4, when ...) NOT-FOR-US: BEA WebLogic Portal CVE-2005-2679 (Buffer overflow in Sysinternals Process Explorer 9.23, and other versi ...) NOT-FOR-US: Sysinternals Process Explorer CVE-2005-2678 (Microsoft IIS 5.1 and 6 allows remote attackers to spoof the SERVER_NA ...) NOT-FOR-US: MSIE CVE-2005-2677 (ACNews stores the database in a file under the web document root with ...) NOT-FOR-US: ACNews CVE-2005-2676 (Cross-site scripting (XSS) vulnerability in displayimage.php in Copper ...) NOT-FOR-US: Coppermine CVE-2005-2675 (** DISPUTED ** Note: the vendor has disputed this issue. Multiple SQL ...) NOT-FOR-US: Land Down Under CVE-2005-2674 (** DISPUTED ** Note: the vendor has disputed this issue. Multiple cros ...) NOT-FOR-US: Land Down Under CVE-2005-2673 (SQL injection vulnerability in modcp.php in WoltLab Burning Board 2.2. ...) NOT-FOR-US: Burning Board CVE-2005-2671 REJECTED CVE-2005-2670 (Directory traversal vulnerability in HAURI Anti-Virus products includi ...) NOT-FOR-US: HAURI CVE-2005-2669 (Computer Associates (CA) Message Queuing (CAM / CAFT) 1.05, 1.07 befor ...) NOT-FOR-US: Computer Associates CVE-2005-2668 (Multiple buffer overflows in Computer Associates (CA) Message Queuing ...) NOT-FOR-US: Computer Associates CVE-2005-2667 (Unknown vulnerability in Computer Associates (CA) Message Queuing (CAM ...) NOT-FOR-US: Computer Associates CVE-2005-2666 (SSH, as implemented in OpenSSH before 4.0 and possibly other implement ...) - openssh 1:4.0p1-1 (unimportant) NOTE: Lack of a security feature, not a vulnerability CVE-2005-2665 (Stack-based buffer overflow in expires.c in Elm 2.5 PL5 through PL7, a ...) NOT-FOR-US: elm-me+ is no longer in unstable or testing CVE-2005-2664 (Whisper 32 1.16, and possibly earlier versions, stores passwords in pl ...) NOT-FOR-US: Whisper CVE-2005-2663 (masqmail before 0.2.18 allows local users to overwrite arbitrary files ...) {DSA-848-1} - masqmail 0.2.21-1 (low; bug #329307) CVE-2005-2662 (masqmail before 0.2.18 allows remote attackers to execute arbitrary co ...) {DSA-848-1} - masqmail 0.2.21-1 (high; bug #329307) CVE-2005-2661 (Format string vulnerability in the ParseBannerAndCapability function i ...) {DSA-852-1} - up-imapproxy 1.2.4-2 (high) CVE-2005-2660 (apachetop 0.12.5 and earlier, when running in debug mode, allows local ...) {DSA-839-1} - apachetop 0.12.5-3 CVE-2005-2659 (Buffer overflow in the LZX decompression in CHM Lib (chmlib) 0.35, as ...) {DSA-886-1} - chmlib 0.37-2 (medium) CVE-2005-2658 (Buffer overflow in utility.cpp in Turquoise SuperStat (turqstat) 2.2.4 ...) {DSA-812-1} - turqstat 2.2.4-1 (medium) CVE-2005-2657 (Unknown vulnerability in common-lisp-controller 4.18 and earlier allow ...) {DSA-811-2} - common-lisp-controller 4.18 (bug #328633; medium) CVE-2005-2656 (Polygen before 1.0.6 generates precompiled grammar objects with world- ...) {DSA-794-1} NOTE: Fix in -8 had problems - polygen 1.0.6-9 (bug #325468; low) CVE-2005-2655 (lockmail in maildrop before 1.5.3 does not drop privileges before exec ...) {DSA-791-1 DTSA-11-1} - maildrop 2.0.2-7 (bug #325135; medium) CVE-2005-2654 (phpldapadmin before 0.9.6c allows remote attackers to gain anonymous a ...) {DSA-790-1} - phpldapadmin 0.9.6c-5 (bug #322423; medium) - egroupware (copy included is older and not vulnerable; bug #339583) CVE-2005-XXXX [cplay - still unsafe temporary file handling vulnerable to symlink attacks] - cplay 1.49-8 (bug #324913; low) [woody] - cplay (CPLAY_TMP doesn't exist in this version) [sarge] - cplay (Hardly exploitable) CVE-2005-2672 (pwmconfig in LM_sensors before 2.9.1 creates temporary files insecurel ...) {DSA-814-1 DTSA-17-1} - lm-sensors 1:2.9.1-7 (bug #324193; medium) CVE-2005-2653 (Cross-site scripting (XSS) vulnerability in BBCaffe 2.0 allows remote ...) NOT-FOR-US: BBCaffe CVE-2005-2652 (Zorum 3.5 allows remote attackers to obtain the full installation path ...) NOT-FOR-US: Zorum CVE-2005-2651 (gorum/prod.php in Zorum 3.5 allows remote attackers to execute arbitra ...) NOT-FOR-US: Zorum CVE-2005-2650 (Cross-site scripting (XSS) vulnerability in sign.asp in Emefa Guestboo ...) NOT-FOR-US: Emefa Guestbook CVE-2005-2649 (Cross-site scripting (XSS) vulnerability in ATutor 1.5.1 allows remote ...) NOT-FOR-US: ATutor CVE-2005-2648 (Directory traversal vulnerability in index.php in W-Agora 4.2.0 and ea ...) NOT-FOR-US: W-Agora CVE-2005-2647 (Cross-site scripting (XSS) vulnerability in Xerox MicroServer Web Serv ...) NOT-FOR-US: Xerox MicroServer Web Server in Document Centre CVE-2005-2646 (Unknown vulnerability in Xerox MicroServer Web Server in Document Cent ...) NOT-FOR-US: Xerox MicroServer Web Server in Document Centre CVE-2005-2645 (Unknown vulnerability in Xerox MicroServer Web Server in Document Cent ...) NOT-FOR-US: Xerox MicroServer Web Server in Document Centre CVE-2005-2644 (Buffer overflow in JaguarEditControl.dll in Isemarket JaguarControl al ...) NOT-FOR-US: JaguarControl CVE-2005-2643 (Tor 0.1.0.13 and earlier, and experimental versions 0.1.1.4-alpha and ...) - tor 0.1.0.14-1 (bug #323786; medium) CVE-2005-2642 (Buffer overflow in the mutt_decode_xbit function in Handler.c for Mutt ...) - mutt (bug #323956; high) NOTE: Status is not clear; upstream is unresponsive. NOTE: this bug was closed as it was unreproducable in Debian CVE-2005-2641 (Unknown vulnerability in pam_ldap before 180 does not properly handle ...) {DSA-785-1} - libpam-ldap 178-1sarge1 (bug #324899) CVE-2004-2483 (Kerio WinRoute Firewall before 6.0.9 uses information from PTR queries ...) NOT-FOR-US: Kerio WinRoute Firewall CVE-2004-2482 (Microsoft Outlook 2000 and 2003, when configured to use Microsoft Word ...) NOT-FOR-US: Outlook CVE-2004-2481 (MyProxy 6.58 allows remote authenticated users in the Users Tab to con ...) NOT-FOR-US: MyProxy CVE-2004-2480 (Squid Web Proxy Cache 2.3.STABLE5 allows remote attackers to bypass se ...) NOTE: could not reproduce this with squid 2.5, neither could the redhat guys NOTE: see https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166522 - squid 2.5 CVE-2004-2479 (Squid Web Proxy Cache 2.5 might allow remote attackers to obtain sensi ...) - squid 2.5.8 CVE-2004-2478 (Unspecified vulnerability in Jetty HTTP Server, as used in (1) IBM Tra ...) NOTE: "the original vendor report is too vague to know whether this issue is already identified by another CVE name." CVE-2004-2477 (DiamondCS Process Guard Free 2.000 allows local users to disable the p ...) NOT-FOR-US: DiamondCS CVE-2005-2640 (Behavioral discrepancy information leak in Juniper Netscreen VPN runni ...) NOT-FOR-US: Juniper CVE-2005-2639 (Buffer overflow in Chris Moneymaker's World Poker Championship 1.0 all ...) NOT-FOR-US: World Poker Championship CVE-2005-2638 (Multiple cross-site scripting (XSS) vulnerabilities in PHPFreeNews 1.4 ...) NOT-FOR-US: PHPFreeNews CVE-2005-2637 (Multiple SQL injection vulnerabilities in PHPFreeNews 1.40 and earlier ...) NOT-FOR-US: PHPFreeNews CVE-2005-2636 (SQL injection vulnerability in lib-view-direct.inc.php in phpAdsNew an ...) NOT-FOR-US: phpAdsNew CVE-2005-2635 (Multiple directory traversal vulnerabilities in phpAdsNew and phpPgAds ...) NOT-FOR-US: phpAdsNew CVE-2005-2634 (Buffer overflow in the Log-SCR function in the "Log to Screen" feature ...) NOT-FOR-US: WinFTP Server CVE-2005-2633 (Multiple PHP file inclusion vulnerabilities in (1) admin_o.php, (2) bo ...) NOT-FOR-US: PHPTB Topic Board CVE-2005-2632 (SQL injection vulnerability in login_admin_mediabox404.php in mediabox ...) NOT-FOR-US: Mediabox 404 CVE-2005-2631 (Cisco Clean Access (CCA) 3.3.0 to 3.3.9, 3.4.0 to 3.4.5, and 3.5.0 to ...) NOT-FOR-US: Cisco CVE-2005-2630 (Heap-based buffer overflow in DUNZIP32.DLL for RealPlayer 8, 10, and 1 ...) - helix-player (Only Windows version of Real are affected) CVE-2005-2629 (Integer overflow in RealNetworks RealPlayer 8, 10, and 10.5, RealOne P ...) {DSA-915-1} - helix-player 1.0.6-1 (bug #340270; medium) CVE-2005-2628 (Macromedia Flash 6 and 7 (Flash.ocx) allows remote attackers to execut ...) - flashplugin-nonfree 7.0.61-1.1 (bug #339290; high) [sarge] - flashplugin-nonfree (Only affects proprietary Flash plugin) CVE-2005-2627 (Multiple integer underflows in Kismet before 2005-08-R1 allow remote a ...) {DSA-788-1 DTSA-1-1} - kismet 2005.08.R1-1 (bug #323386; high) CVE-2005-2626 (Unspecified vulnerability in Kismet before 2005-08-R1 allows remote at ...) {DSA-788-1 DTSA-1-1} - kismet 2005.08.R1-1 (bug #323386; high) CVE-2004-2476 (Microsoft Internet Explorer 6.0 allows remote attackers to cause a den ...) NOT-FOR-US: MS IE CVE-2004-2475 (Cross-site scripting (XSS) vulnerability in Google Toolbar 2.0.114.1 a ...) NOT-FOR-US: Google Toolbar CVE-2004-2474 (SQL injection vulnerability in PHPNews 1.2.3 allows remote attackers t ...) NOT-FOR-US: PHPNews CVE-2004-2473 (wmFrog weather monitor 0.1.6 and other versions before 0.2.0 allows lo ...) NOT-FOR-US: wmFrog CVE-2004-2472 (Agnitum Outpost Pro Firewall 2.1 allows remote attackers to cause a de ...) NOT-FOR-US: Outpost Pro CVE-2004-2471 (SQL injection vulnerability in the sloth TCL script in QuoteEngine bef ...) NOT-FOR-US: QuoteEngine CVE-2004-2470 (Unspecified vulnerability in MadBMS before 1.1.5 has unknown impact an ...) NOT-FOR-US: MadBMS CVE-2004-2469 (Unspecified vulnerability in Reservation.class.php for phpScheduleIt 1 ...) NOT-FOR-US: phpScheduleIt CVE-2004-2468 (Cross-site scripting (XSS) vulnerability in SillySearch 2.3 and earlie ...) NOT-FOR-US: SillySearch CVE-2004-2467 (chat.ghp in Easy Chat Server 1.2 allows remote attackers to add a larg ...) NOT-FOR-US: Easy Chat Server CVE-2004-2466 (chat.ghp in Easy Chat Server 1.2 allows remote attackers to cause a de ...) NOT-FOR-US: Easy Chat Server CVE-2004-2465 (Cross-site scripting (XSS) vulnerability in chat.ghp in Easy Chat Serv ...) NOT-FOR-US: Easy Chat Server CVE-2004-2464 (Directory traversal vulnerability in ADA Image Server (ImgSvr) 0.4 all ...) NOT-FOR-US: ADA Image Server CVE-2004-2463 (Buffer overflow in ADA Image Server (ImgSvr) 0.4 allows remote attacke ...) NOT-FOR-US: ADA Image Server CVE-2004-2462 (cplay 1.49 on Linux allows local users to overwrite arbitrary files vi ...) - cplay 1.49-3 (medium) CVE-2004-2461 (Buffer overflow in pop3.c in gnubiff before 2.0.0 allows attackers to ...) - gnubiff 2.0.0 (medium) CVE-2004-2460 (Unknown vulnerability in POP3 in gnubiff before 2.0.0 allows remote at ...) - gnubiff 2.0.0 (medium) CVE-2004-2459 (Unknown vulnerability in gnubiff 1.2.0 and earlier allows local users ...) - gnubiff 2.0.0 (medium) CVE-2004-2458 (Open WebMail 2.30 and earlier, when use_syshomedir is disabled or crea ...) NOT-FOR-US: Open WebMail CVE-2004-2457 (Unspecified vulnerability in 3Com OfficeConnect ADSL 11g Router allows ...) NOT-FOR-US: 3Com OfficeConnect ADSL 11g Router CVE-2004-2456 (SQL injection vulnerability in index.php in miniBB 1.7f and earlier al ...) NOT-FOR-US: miniBB CVE-2004-2455 (Sweex Wireless Broadband Router/Accesspoint 802.11g (LC000060) allows ...) NOT-FOR-US: Sweex Wireless Broadband Router/Accesspoint 802.11g CVE-2004-2454 (aMSN 0.90 for Microsoft Windows allows local users to obtain sensitive ...) NOT-FOR-US: aMSN 0.90 for Microsoft Windows CVE-2004-2453 (Unknown vulnerability in Tutti Nova 0.10 through 0.12 (Beta) and 0.9.4 ...) NOT-FOR-US: Tutti Nova CVE-2004-2452 (Unknown vulnerability in Hitachi Cosminexus Portal Framework 01-00, 01 ...) NOT-FOR-US: Hitachi Cosminexus Portal Framework CVE-2004-2451 (Roger Wilco 1.4.1.6 and earlier, or Roger Wilco Base Station 0.30a or ...) NOT-FOR-US: Roger Wilco CVE-2004-2450 (The client and server for Roger Wilco 1.4.1.6 and earlier or Roger Wil ...) NOT-FOR-US: Roger Wilco CVE-2004-2449 (Roger Wilco 1.4.1.6 and earlier or Roger Wilco Base Station 0.30a and ...) NOT-FOR-US: Roger Wilco CVE-2004-2448 (S-Mart Shopping Cart or RediCart 3.9.5b stores smart.cfg under the web ...) NOT-FOR-US: S-Mart Shopping Cart or RediCart CVE-2004-2447 (Cross-site scripting (XSS) vulnerability in 1st Class Mail Server 4.01 ...) NOT-FOR-US: *1st Class Mail Server CVE-2004-2446 (Directory traversal vulnerability in 1st Class Mail Server 4.01 allows ...) NOT-FOR-US: *1st Class Mail Server CVE-2004-2445 (Directory traversal vulnerability in index.php in Jaws 0.3 BETA allows ...) NOT-FOR-US: Jaws CVE-2004-2444 (Cross-site scripting (XSS) vulnerability in index.php in Jaws 0.3 allo ...) NOT-FOR-US: Jaws CVE-2004-2443 (Jaws 0.3 allows remote attackers to bypass authentication and via an H ...) NOT-FOR-US: Jaws CVE-2004-2442 (Multiple interpretation error in various F-Secure Anti-Virus products, ...) NOT-FOR-US: F-Secure Anti-Virus CVE-2004-2441 (Unspecified vulnerability in Kerio MailServer before 6.0.3 has unknown ...) NOT-FOR-US: Kerio CVE-2004-2440 (Unspecified vulnerability in cmdline.c in proxytunnel 1.1.3 and earlie ...) - proxytunnel 1.2.0-1 CVE-2004-2439 (The remote upgrade capability in HP LaserJet 4200 and 4300 printers do ...) NOT-FOR-US: HP printers CVE-2004-2438 (Cross-site scripting (XSS) vulnerability in PHP-Fusion 4.01 allows rem ...) NOT-FOR-US: PHP-Fusion CVE-2004-2437 (SQL injection vulnerability in PHP-Fusion 4.01 allows remote attackers ...) NOT-FOR-US: PHP-Fusion CVE-2004-2436 (Computer Associates Unicenter Common Services 3.0 and earlier stores t ...) NOT-FOR-US: Computer Associates Unicenter Common Services CVE-2004-2435 (Cross-site scripting (XSS) vulnerability in PeopleSoft Human Resources ...) NOT-FOR-US: PeopleSoft Human Resources Management System (HRMS) CVE-2005-2625 (Incomplete blacklist vulnerability in the checkBlacklist function in C ...) NOT-FOR-US: CPAINT ajax toolkit CVE-2005-2624 (Eval injection vulnerability in CPAINT 1.3-SP allows remote attackers ...) NOT-FOR-US: CPAINT ajax toolkit CVE-2005-2623 (ECW-Shop 6.0.2 allows remote attackers to reduce the total cost of the ...) NOT-FOR-US: ECW Shop CVE-2005-2622 (Cross-site scripting (XSS) vulnerability in index.php in ECW-Shop 6.0. ...) NOT-FOR-US: ECW Shop CVE-2005-2621 (index.php in ECW-Shop 6.0.2 allows remote attackers to obtain sensitiv ...) NOT-FOR-US: ECW Shop CVE-2005-2620 (grpWise.exe for Novell GroupWise client 5.5 through 6.5.2 stores the p ...) NOT-FOR-US: Novell GroupWise CVE-2005-2619 (Directory traversal vulnerability in kvarcve.dll in Autonomy (formerly ...) NOT-FOR-US: Autonomy CVE-2005-2618 (Multiple stack-based buffer overflows in Autonomy (formerly Verity) Ke ...) NOT-FOR-US: Autonomy CVE-2004-2434 (Microsoft Internet Explorer 6.0 SP1 allows remote attackers to cause a ...) NOT-FOR-US: MS IE CVE-2004-2433 (Buffer overflow in the IsValidFile function in the ADM ActiveX control ...) NOT-FOR-US: ADM ActiveX control CVE-2004-2432 (WinAgents TFTP Server 3.0 allows remote attackers to cause a denial of ...) NOT-FOR-US: WinAgents TFTP Server CVE-2004-2431 (Unknown vulnerability in The Ignition Project ignitionServer 0.1.2 thr ...) NOT-FOR-US: ignitionServer CVE-2004-2430 (Trend OfficeScan Corporate Edition 5.58 and possibly earler does not d ...) NOT-FOR-US: Trend OfficeScan CVE-2004-2429 (Multiple stack-based and heap-based buffer overflows in EnderUNIX spam ...) NOT-FOR-US: EnderUNIX spamGuard CVE-2004-2428 (Abczone.it WWWguestbook 1.1 stores db/dbase.mdb under the web document ...) NOT-FOR-US: WWWguestbook CVE-2004-2427 (Axis Network Camera 2.40 and earlier, and Video Server 3.12 and earlie ...) NOT-FOR-US: Axis Network Camera CVE-2004-2426 (Directory traversal vulnerability in Axis Network Camera 2.40 and earl ...) NOT-FOR-US: Axis Network Camera CVE-2004-2425 (Axis Network Camera 2.40 and earlier, and Video Server 3.12 and earlie ...) NOT-FOR-US: Axis Network Camera CVE-2004-2424 (BEA WebLogic Server and WebLogic Express 8.1 through 8.1 SP2 allow rem ...) NOT-FOR-US: BEA CVE-2004-2423 (Unknown vulnerability in the Web calendaring component of Ipswitch IMa ...) NOT-FOR-US: Ipswitch IMail Server CVE-2004-2422 (Multiple features in Ipswitch IMail Server before 8.13 allow remote at ...) NOT-FOR-US: Ipswitch IMail Server CVE-2004-2421 (Unknown vulnerability in Hitachi Job Management Partner (JP1) JP1/File ...) NOT-FOR-US: Hitachi Job Management Partner CVE-2004-2420 (Hitachi Job Management Partner (JP1) JP1/File Transmission Server/FTP ...) NOT-FOR-US: Hitachi Job Management Partner CVE-2004-2419 (Keene Digital Media Server 1.0.2 allows local users to obtain username ...) NOT-FOR-US: Keene Digital Media Server CVE-2004-2418 (Buffer overflow in SlimFTPd 3.15 and earlier allows local users to exe ...) NOT-FOR-US: slimftpd not in debian CVE-2004-2417 (Format string vulnerability in smtp.c for smtp.proxy 1.1.3 and earlier ...) NOT-FOR-US: smtp.proxy CVE-2004-2416 (Buffer overflow in the logging component of CCProxy allows remote atta ...) NOT-FOR-US: ccproxy CVE-2004-2415 (Davenport before 0.9.10 allows attackers to cause a denial of service ...) NOT-FOR-US: Davenport CVE-2004-2414 (Novell NetWare 6.5 SP 1.1, when installing or upgrading using the Over ...) NOT-FOR-US: Novell NetWare CVE-2004-2413 (SQL injection vulnerability in VP-ASP Shopping Cart 4.0 through 5.0 al ...) NOT-FOR-US: VP-ASP Shopping Cart CVE-2004-2412 (Multiple SQL injection vulnerabilities in VP-ASP Shopping Cart 4.0 thr ...) NOT-FOR-US: VP-ASP Shopping Cart CVE-2004-2411 (The CleanseMessage function in shop$db.asp for VP-ASP Shopping Cart 4. ...) NOT-FOR-US: VP-ASP Shopping Cart CVE-2004-2410 (Unknown vulnerability in sh_hash_compdata for Samhain 1.8.9 through 2. ...) - samhain 2.0.2 CVE-2004-2409 (Buffer overflow in the sh_hash_compdata function for Samhain 1.8.9 thr ...) - samhain 2.0.2 CVE-2004-2408 (Linux VServer 1.27 and earlier, 1.3.9 and earlier, and 1.9.1 and earli ...) - kernel-patch-vserver 1.9.2 CVE-2004-2407 (Unknown vulnerability in phpGroupWare before 0.9.14.002 has unknown at ...) - phpgroupware 0.9.14.002 CVE-2004-2406 (Unknown "overflow" in the phpgw_config table for phpGroupWare before 0 ...) - phpgroupware 0.9.14.002 CVE-2004-2405 (Buffer overflow in multiple F-Secure Anti-Virus products, including F- ...) NOT-FOR-US: F-Secure Anti-Virus CVE-2004-2404 REJECTED CVE-2004-2403 (Cross-site request forgery (CSRF) vulnerability in YaBB 1 GOLD SP 1.3. ...) NOT-FOR-US: YaBB CVE-2004-2402 (Cross-site scripting (XSS) vulnerability in YaBB.pl in YaBB 1 GOLD SP ...) NOT-FOR-US: YaBB CVE-2004-2401 (Stack-based buffer overflow in Ipswitch IMail Express Web Messaging be ...) NOT-FOR-US: Ipswitch IMail CVE-2004-2400 (WinFTP Server 1.6 stores username and password credentials in plaintex ...) NOT-FOR-US: WinFTP Server CVE-2004-2399 (Secure Computing Corporation Sidewinder G2 6.1.0.01 allows remote atta ...) NOT-FOR-US: Sidewinder CVE-2004-2398 (Netenberg Fantastico De Luxe 2.8 uses database file names that contain ...) NOT-FOR-US: Netenberg Fantastico De Luxe CVE-2004-2397 (The web-based Management Console in Blue Coat Security Gateway OS 3.0 ...) NOT-FOR-US: Blue Coat CVE-2004-2396 (passwd 0.68 does not check the return code for the pam_start function, ...) NOTE: shadow is a different code base, and does not have this problem CVE-2004-2395 (Memory leak in passwd 0.68 allows local users to cause a denial of ser ...) NOTE: shadow is a different code base, and does not have this problem CVE-2004-2394 (Off-by-one error in passwd 0.68 and earlier, when using the --stdin op ...) NOTE: shadow is a different code base, and does not have this problem CVE-2004-2393 (Java Secure Socket Extension (JSSE) 1.0.3 through 1.0.3_2 does not pro ...) NOT-FOR-US: Sun JSSE CVE-2004-2392 (libuser 0.51.7 allows attackers to cause a denial of service (crash or ...) NOT-FOR-US: libuser CVE-2004-2391 (Jabber Gadu-Gadu Transport (a.k.a. jabber-gg-transport) 2.0.x before 2 ...) NOT-FOR-US: jabber-gg-transport CVE-2004-2390 (The roster import functionality in Jabber Gadu-Gadu Transport (a.k.a. ...) NOT-FOR-US: jabber-gg-transport CVE-2004-2389 (Unknown vulnerability in Jabber Gadu-Gadu Transport (a.k.a. jabber-gg- ...) NOT-FOR-US: jabber-gg-transport CVE-2003-1231 (Cross-site scripting (XSS) vulnerability in index.php in ECW-Shop 5.5 ...) NOT-FOR-US: ECW-Shop CVE-2003-1230 (The implementation of SYN cookies (syncookies) in FreeBSD 4.5 through ...) NOT-FOR-US: (FreeBSD) NOTE: old freebsd, before it was introduced in Debian CVE-2003-1229 (X509TrustManager in (1) Java Secure Socket Extension (JSSE) in SDK and ...) NOT-FOR-US: Sun JSSE and JRE CVE-2005-2617 (The syscall32_setup_pages function in syscall32.c for Linux kernel 2.6 ...) {DTSA-16-1} NOTE: http://lists.debian.org/debian-kernel/2005/08/msg00991.html - amd64 specific DOS - linux-2.6 2.6.12-6 CVE-2005-2616 (Multiple PHP file include vulnerabilities in ezUpload 2.2 allow remote ...) NOT-FOR-US: ezUpload CVE-2005-2615 (Unknown vulnerability in session.php in EQdkp before 1.3.0 has unknown ...) NOT-FOR-US: EQdkp CVE-2005-2614 (Discuz! 4.0 rc4 does not properly restrict types of files that are upl ...) NOT-FOR-US: Discuz CVE-2005-2613 (Unknown vulnerability in CPAINT Ajax Toolkit before 1.3-SP allows atta ...) NOT-FOR-US: CPAINT Ajax CVE-2005-2612 (Direct code injection vulnerability in WordPress 1.5.1.3 and earlier a ...) - wordpress 1.5.2-1 (bug #323040; high) CVE-2005-2611 (VERITAS Backup Exec for Windows Servers 8.6 through 10.0, Backup Exec ...) NOT-FOR-US: VERITAS Backup Exec for Windows Servers CVE-2005-2610 (Cross-site scripting (XSS) vulnerability in index.php in VegaDNS 0.8.1 ...) NOT-FOR-US: VegaDNS CVE-2005-2609 (index.php in VegaDNS 0.8.1, 0.9.8, and possibly other versions, allows ...) NOT-FOR-US: VegaDNS CVE-2005-2608 (SafeHTML before 1.3.5 does not properly filter script in UTF-7 and CSS ...) NOT-FOR-US: SafeHTML CVE-2005-2607 (PHP file include vulnerability in download.php in PHPSimplicity Simpli ...) NOT-FOR-US: PHPSimplicity CVE-2005-2606 (Unknown vulnerability in the "frontend authentication" in PHlyMail 3.0 ...) NOT-FOR-US: PHlyMail CVE-2005-2605 (Unknown vulnerability in Lasso Professional Server8.0.4 and 8.0.5 allo ...) NOT-FOR-US: Lasso Professional Server CVE-2005-2604 (index.php for My Image Gallery (Mig ) 1.4.1 allows remote attackers to ...) NOT-FOR-US: My Image Gallery (Mig) CVE-2005-2603 (Cross-site scripting (XSS) vulnerability in index.php for My Image Gal ...) NOT-FOR-US: My Image Gallery (Mig) CVE-2005-2602 (Mozilla Thunderbird 1.0 and Firefox 1.0.6 allows remote attackers to o ...) - mozilla-firefox (According to Bugzilla Windows/Mac only) CVE-2005-2601 (SQL injection vulnerability in MidiCart allows remote attackers to exe ...) NOT-FOR-US: MidiCart CVE-2005-2600 (FUDForum 2.6.15 with "Tree View" enabled, as used in other products su ...) {DSA-899-1 DSA-798-1} - egroupware 1.0.0.009.dfsg-3-2 (bug #323928; medium) - phpgroupware 0.9.16.008-1 (bug #323929; medium) CVE-2005-2599 (Hummingbird FTP for Connectivity 10.0 uses weak encryption (trivial en ...) NOT-FOR-US: Hummingbird FTP for Connectivity CVE-2005-2598 (Multiple directory traversal vulnerabilities in Dokeos 1.6 and earlier ...) NOT-FOR-US: Dokeos CVE-2005-2597 (AOL Client Software 9.0 uses insecure permissions for its installation ...) NOT-FOR-US: AOL Client CVE-2005-2596 (User.php in Gallery, as used in Postnuke, allows users with any Admin ...) {DSA-879-1} - gallery 1.5-2 (medium) CVE-2005-2595 (Cross-site scripting (XSS) vulnerability in Dada Mail before 2.10 Alph ...) NOT-FOR-US: Dada Mail CVE-2005-2594 (Apple Safari 1.3 (132) on Mac OS X 1.3.9 allows remote attackers to ca ...) NOT-FOR-US: Apple Safari CVE-2005-2593 (Parlano MindAlign 5.0 and later versions uses weak encryption, with un ...) NOT-FOR-US: MindAlign CVE-2005-2592 (Unknown vulnerability in Parlano MindAlign 5.0 and later versions allo ...) NOT-FOR-US: MindAlign CVE-2005-2591 (Parlano MindAlign 5.0 and later versions allows remote attackers to li ...) NOT-FOR-US: MindAlign CVE-2005-2590 (Cross-site scripting (XSS) vulnerability in Parlano MindAlign 5.0 and ...) NOT-FOR-US: MindAlign CVE-2005-2589 (Unknown vulnerability in Linksys WRT54GS wireless router with firmware ...) NOT-FOR-US: WRT54GS wireless router CVE-2005-2588 (Multiple cross-site scripting (XSS) vulnerabilities in DVBBS 7.1 SP2 a ...) NOT-FOR-US: DVBBS CVE-2005-2587 (SQL injection vulnerability in emailvalidate.php in PHPTB Topic Boards ...) NOT-FOR-US: PHPTB Topic Boards CVE-2005-2586 (Mentor ADSL-FR4II router running firmware 2.00.0111 stores the web adm ...) NOT-FOR-US: Mentor ADSL-FR4II router CVE-2005-2585 (Mentor ADSL-FR4II router running firmware 2.00.0111 allows remote atta ...) NOT-FOR-US: Mentor ADSL-FR4II router CVE-2005-2584 (The web administration interface in Mentor ADSL-FR4II router running f ...) NOT-FOR-US: Mentor ADSL-FR4II router CVE-2005-2583 (Mentor ADSL-FR4II router running firmware 2.00.0111 has an undocumente ...) NOT-FOR-US: Mentor ADSL-FR4II router CVE-2005-2582 (Kaspersky Anti-Virus for Unix/Linux File Servers 5.0-5 uses world-writ ...) NOT-FOR-US: Kaspersky CVE-2005-2581 (Grandstream BudgeTone 101 and 102 running firmware 1.0.6.7 and possibl ...) NOT-FOR-US: Grandstream BudgeTone CVE-2005-2580 (Multiple SQL injection vulnerabilities in MyBulletinBoard (MyBB) 1.00 ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2005-2579 (Nortel Contivity VPN Client V05_01.030, when configuring a certificate ...) NOT-FOR-US: Contivity CVE-2005-2578 REJECTED CVE-2005-2577 (Wyse Winterm 1125SE running firmware 4.2.09f or 4.4.061f allows remote ...) NOT-FOR-US: Wyse Winterm CVE-2005-2576 (CaLogic 1.22, and possibly earlier versions, allows remote attackers t ...) NOT-FOR-US: CaLogic CVE-2005-2575 (SQL injection vulnerability in u2u.inc.php in XMB Forum 1.9.1 allows r ...) NOT-FOR-US: XMB Forum CVE-2005-2574 (xmb.php in XMB Forum 1.9.1 extracts and defines all provided variables ...) NOT-FOR-US: XMB Forum CVE-2005-2573 (The mysql_create_function function in sql_udf.cc for MySQL 4.0 before ...) - mysql (Windows specific mysql holes) - mysql-dfsg-4.1 (Windows specific mysql holes) - mysql-dfsg-5.0 (Windows specific mysql holes) CVE-2005-2572 (MySQL, when running on Windows, allows remote authenticated users with ...) - mysql (Windows specific mysql holes) - mysql-dfsg-4.1 (Windows specific mysql holes) - mysql-dfsg-5.0 (Windows specific mysql holes) CVE-2005-2571 (FunkBoard 0.66CF, and possibly earlier versions, does not properly res ...) NOT-FOR-US: FunkBoard CVE-2005-2570 (FunkBoard 0.66CF, and possibly earlier versions, allows remote attacke ...) NOT-FOR-US: FunkBoard CVE-2005-2569 (Multiple cross-site scripting (XSS) vulnerabilities in FunkBoard 0.66C ...) NOT-FOR-US: FunkBoard CVE-2005-2568 (Eval injection vulnerability in the template engine for SysCP 1.2.10 a ...) NOT-FOR-US: SysCP CVE-2005-2567 (PHP remote file inclusion vulnerability in SysCP 1.2.10 and earlier al ...) NOT-FOR-US: SysCP CVE-2005-2566 (Multiple SQL injection vulnerabilities in Open Bulletin Board (OpenBB) ...) NOT-FOR-US: OpenBB CVE-2005-2565 (Gravity Board X (GBX) 1.1 allows remote attackers to obtain sensitive ...) NOT-FOR-US: Gravity Board X (GBX) CVE-2005-2564 (Direct static code injection vulnerability in editcss.php in Gravity B ...) NOT-FOR-US: Gravity Board X (GBX) CVE-2005-2563 (Multiple cross-site scripting (XSS) vulnerabilities in Gravity Board X ...) NOT-FOR-US: Gravity Board X (GBX) CVE-2005-2562 (SQL injection vulnerability in Gravity Board X (GBX) 1.1 allows remote ...) NOT-FOR-US: Gravity Board X (GBX) CVE-2005-2561 (Multiple SQL injection vulnerabilities in MYFAQ 1.0 allow remote attac ...) NOT-FOR-US: MYFAQ CVE-2005-2560 (Cross-site scripting (XSS) vulnerability in index.cfm in CFBB 1.1.0 al ...) NOT-FOR-US: CFBB CVE-2005-2559 (doping.php in ePing plugin 1.02 and earlier for e107 portal allows rem ...) NOT-FOR-US: e107 portal CVE-2005-2558 (Stack-based buffer overflow in the init_syms function in MySQL 4.0 bef ...) {DSA-833-2 DSA-831-1 DSA-829-1} - mysql-dfsg-4.1 4.1.13 (medium) - mysql-dfsg-5.0 5.0.7beta-1 (medium) - mysql-dfsg 4.0.24-10sarge1 (bug #322133; medium) CVE-2005-2557 (Cross-site scripting (XSS) vulnerability in view_all_set.php in Mantis ...) {DSA-778-1} - mantis 0.19.2-4 (low) CVE-2005-2556 (core/database_api.php in Mantis 0.19.0a1 through 1.0.0a3, with registe ...) {DSA-778-1} - mantis 0.19.2-4 (medium) CVE-2005-2555 (Linux kernel 2.6.x does not properly restrict socket policy access to ...) {DSA-1018-1 DSA-1017-1 DTSA-16-1} - linux-2.6 2.6.12-6 (medium) CVE-2004-2388 (rexecd for AIX 4.3.3 does not properly use a local copy of the pwd str ...) NOT-FOR-US: rexecd CVE-2004-2387 (Buffer overflow in the HandleCPCCommand function of sercd before 2.3.1 ...) NOT-FOR-US: sercd CVE-2004-2386 (Format string vulnerability in the LogMsg function in sercd before 2.3 ...) NOT-FOR-US: sercd CVE-2004-2385 (EMU Webmail 5.2.7 allows remote attackers to obtain sensitive path inf ...) NOT-FOR-US: EMU Webmail CVE-2004-2384 (NullSoft Winamp 5.02 allows remote attackers to cause a denial of serv ...) NOT-FOR-US: Winamp CVE-2004-2383 (Microsoft Internet Explorer 5.0 through 6.0 allows remote attackers to ...) NOT-FOR-US: Microsoft CVE-2004-2382 (The PerfectNav plugin for Microsoft Internet Explorer allows remote at ...) NOT-FOR-US: Microsoft CVE-2004-2381 (HttpRequest.java in Jetty HTTP Server before 4.2.19 allows remote atta ...) - jetty 4.2.19-1 (medium) CVE-2004-2380 (Directory traversal vulnerability in postfile.exe for Twilight Utiliti ...) NOT-FOR-US: Twilight Utilities Web Server CVE-2004-2379 (Multiple cross-site scripting (XSS) vulnerabilities in @Mail 3.64 for ...) NOT-FOR-US: @Mail CVE-2004-2378 (@Mail 3.64 for Windows allows remote attackers to cause a denial of se ...) NOT-FOR-US: @Mail CVE-2004-2377 (Alcatel OmniSwitch 7000 and 7800 allows remote attackers to cause a de ...) NOT-FOR-US: Alcatel OmniSwitch CVE-2004-2376 (Buffer overflow in postfile.exe for Twilight Utilities Web Server 2.0. ...) NOT-FOR-US: Twilight Utilities Web Server CVE-2004-2375 (Buffer overflow in the POP3 server in 1st Class Mail Server 4.0 allows ...) NOT-FOR-US: 1st Class Mail Server CVE-2004-2374 (BadBlue 2.4 allows remote attackers to obtain the location of the serv ...) NOT-FOR-US: BadBlue CVE-2004-2373 (The Buddy icon file for AOL Instant Messenger (AIM) 4.3 through 5.5 is ...) NOT-FOR-US: AIM CVE-2004-2372 (Buffer overflow in Bochs before 2.1.1, if installed setuid, allows loc ...) - bochs 2.1.1-1 CVE-2004-2371 (Multiple Red Storm web-based games, including Ghost Recon 1.4 and earl ...) NOT-FOR-US: Red Storm Games CVE-2004-2370 (Stack-based buffer overflow in Trillian 0.71 through 0.74f and Trillia ...) NOT-FOR-US: Cerulean Trillian CVE-2004-2369 (Directory traversal vulnerability in webadmin.nsf for Lotus Domino R6 ...) NOT-FOR-US: Lotus Domino CVE-2004-2368 (PHP remote file inclusion vulnerability in header.php in Opt-X 0.7.2 a ...) NOT-FOR-US: Opt-X CVE-2004-2367 (The Control Panel applet in WFTPD and WFTPD Pro 3.21 R1 and R2 allows ...) NOT-FOR-US: WFTPD CVE-2004-2366 (Buffer overflow in GlobalSCAPE Secure FTP Server 2.0 B03.11.2004.2 all ...) NOT-FOR-US: GlobalScape Secure FTP Server CVE-2004-2365 (Memory leak in Microsoft Windows XP and Windows Server 2003 allows loc ...) NOT-FOR-US: Microsoft CVE-2004-2364 (Cross-site request forgery (CSRF) vulnerability in PHPX 3.0 through 3. ...) NOT-FOR-US: PHPX CMS CVE-2004-2363 (Validate-Before-Canonicalize vulnerability in the checkURI function in ...) NOT-FOR-US: PHPX CMS CVE-2004-2362 (PHPX 3.2.6 and earlier allows remote attackers to obtain the physical ...) NOT-FOR-US: PHPX CMS CVE-2004-2361 (Digital Reality game engine, as used in Haegemonia 1.0 through 1.0.7 a ...) NOT-FOR-US: Digital Reality game engine, as used in Haegemonia 1.0 through 1.0.7 and Desert Rats vs. Afrika Korps 1.0 CVE-2004-2360 (Targem Battle Mages 1.0 allows remote attackers to cause a denial of s ...) NOT-FOR-US: Targem Battle Mages CVE-2004-2359 (Dell TrueMobile 1300 WLAN Mini-PCI Card Util TrayApplet 3.10.39.0 does ...) NOT-FOR-US: Dell TrueMobile 1300 WLAN Mini-PCI Card Util TrayApplet CVE-2004-2358 (Cross-site scripting (XSS) vulnerability in admin_words.php for phpBB ...) - phpbb2 2.0.6c (low) CVE-2004-2357 (The embedded MySQL 4.0 server for Proofpoint Protection Server does no ...) NOT-FOR-US: roofpoint Protection Server CVE-2004-2356 (Early termination vulnerability in Fizmez Web Server 1.0 allows remote ...) NOT-FOR-US: Fizmez CVE-2004-2355 (Cross-site scripting (XSS) vulnerability in Crafty Syntax Live Help (C ...) NOT-FOR-US: Crafty Syntax Live Help CVE-2004-2354 (SQL injection vulnerability in 4nGuestbook 0.92 for PHP-Nuke 6.5 throu ...) NOT-FOR-US: 4nGuestbook CVE-2004-2353 (BugPort before 1.099 stores its configuration file (conf/config.conf) ...) NOT-FOR-US: BugPort CVE-2004-2352 (Cross-site scripting (XSS) vulnerability in GBook for PHP-Nuke 1.0 all ...) NOT-FOR-US: GBook CVE-2004-2351 (Cross-site scripting (XSS) vulnerability in GBook for Php-Nuke 1.0 all ...) NOT-FOR-US: GBook CVE-2004-2350 (SQL injection vulnerability in search.php for phpBB 1.0 through 2.0.6 ...) - phpbb2 2.0.8 (low) CVE-2004-2349 (Multiple SQL injection vulnerabilities in Tunez before 1.20-pre2 allow ...) NOT-FOR-US: Tunez CVE-2004-2348 (Sybari AntiGen for Domino 7.0 Build 722 SR2 allows remote attackers to ...) NOT-FOR-US: Sybari AntiGen for Domino CVE-2004-2347 (blog.cgi in Leif M. Wright Web Blog 1.1 and 1.1.5 allows remote attack ...) NOT-FOR-US: Leif M. Wright Web Blog CVE-2004-2346 (Multiple cross-site scripting (XSS) vulnerabilities in Forum Web Serve ...) NOT-FOR-US: Forum Web Server CVE-2004-2345 (Unknown multiple vulnerabilities in Oracle9i Database Server 9.0.1.4, ...) NOT-FOR-US: Oracle CVE-2004-2344 (Unknown vulnerability in the ASN.1/H.323/H.225 stack of VocalTec VGW12 ...) NOT-FOR-US: VocalTec CVE-2004-2343 (** DISPUTED ** Apache HTTP Server 2.0.47 and earlier allows local user ...) NOTE: apache disputes this and I agree -- joeyh CVE-2004-2342 (ChatterBox 2.0 allows remote attackers to cause a denial of service (s ...) NOT-FOR-US: ChatterBox CVE-2004-2341 (PHP file include injection vulnerability in isearch.inc.php for iSearc ...) NOT-FOR-US: iSearch CVE-2004-2340 NOT-FOR-US: PunkBuster Screenshot Database CVE-2004-2339 (** DISPUTED ** Microsoft Windows 2000, XP, and possibly 2003 allows lo ...) NOT-FOR-US: Microsoft CVE-2004-2338 (OpenBSD 3.3 and 3.4 does not properly parse Accept and Deny rules with ...) NOT-FOR-US: OpenBSD CVE-2004-2337 (The /.inlook/.crypt file for inlook 0.7.3 and earlier is installed wit ...) NOT-FOR-US: inlook CVE-2004-2336 (Unknown vulnerability in Novell GroupWise and GroupWise WebAccess 6.0 ...) NOT-FOR-US: Novel Groupwise CVE-2004-2335 (The Macromedia installers and e-licensing client on Mac OS X, as used ...) NOT-FOR-US: Macromedia installers and e-licensing client on Mac OS X CVE-2004-2334 (Multiple cross-site scripting (XSS) vulnerabilities in EMU Webmail 5.2 ...) NOT-FOR-US: EMU Webmail CVE-2004-2333 (Bodington 2.1.0 RC1 and earlier does not secure the file upload area, ...) NOT-FOR-US: Bodington CVE-2004-2332 (Multiple cross-site scripting (XSS) vulnerabilities in CPAN WWW::Form ...) NOT-FOR-US: WWW::Form CVE-2004-2331 (ColdFusion MX 6.1 and 6.1 J2EE allows local users to bypass sandbox se ...) NOT-FOR-US: ColdFusion CVE-2004-2330 (ColdFusion MX 6.1 and 6.1 J2EE allows remote attackers to cause a deni ...) NOT-FOR-US: ColdFusion CVE-2004-2329 (Kerio Personal Firewall (KPF) 2.1.5 allows local users to execute arbi ...) NOT-FOR-US: Kerio Personal Firewal CVE-2004-2328 (Clearswift MAILsweeper for SMTP before 4.3_13 allows remote attackers ...) NOT-FOR-US: Clearswift MAILsweeper CVE-2004-2327 (Vizer Web Server 1.9.1 allows remote attackers to cause a denial of se ...) NOT-FOR-US: Vizer CVE-2004-2326 (SQL injection vulnerability in IP3 Networks NetAccess Appliance before ...) NOT-FOR-US: IP3 Networks NetAccess CVE-2004-2325 (Cross-site scripting (XSS) vulnerability in EditModule.aspx for DotNet ...) NOT-FOR-US: DotNetNuke CVE-2004-2324 (SQL injection vulnerability in DotNetNuke (formerly IBuySpy Workshop) ...) NOT-FOR-US: DotNetNuke CVE-2004-2323 (DotNetNuke (formerly IBuySpy Workshop) 1.0.6 through 1.0.10d allows re ...) NOT-FOR-US: DotNetNuke CVE-2004-2322 (SQL injection vulnerability in the (1) announce and (2) notes modules ...) NOT-FOR-US: phpWebSite CVE-2004-2321 (BEA WebLogic Server and Express 8.1 SP1 and earlier allows local users ...) NOT-FOR-US: BEA WebLogic CVE-2004-2320 (The default configuration of BEA WebLogic Server and Express 8.1 SP2 a ...) NOT-FOR-US: BEA WebLogic CVE-2004-2319 (IBM Informix Dynamic Server (IDS) before 9.40.xC3 allows local users t ...) NOT-FOR-US: IBM Informatik Dynamic Server CVE-2004-2318 (The administrative interface (surgeftpmgr.cgi) for SurgeFTP Server 1.0 ...) NOT-FOR-US: SurgeFTP Server CVE-2004-2317 (Information leak in Mbedthis AppWeb HTTP server 1.0 through 1.1.2 allo ...) NOT-FOR-US: AppWeb HTTP server CVE-2004-2316 (Mbedthis AppWeb HTTP server before 1.0.2 allows remote attackers to ca ...) NOT-FOR-US: AppWeb HTTP server CVE-2004-2315 (Mbedthis AppWeb HTTP server before 1.0.2 allows remote attackers to ca ...) NOT-FOR-US: AppWeb HTTP server CVE-2004-2314 (The Telnet listener for Novell iChain Server before 2.2 Field Patch 3b ...) NOT-FOR-US: Novell iChain Server CVE-2004-2313 (Inter7 SqWebMail 3.4.1 through 3.6.1 generates different error message ...) - courier (unimportant) NOTE: This is a lack of a security feature, but not a direct vulnerability CVE-2004-2312 (Buffer overflow in GNU make for IBM AIX 4.3.3, when installed setgid, ...) NOT-FOR-US: AIX only CVE-2004-2311 (Directory traversal vulnerability in webadmin.nsf in Lotus Domino R6 6 ...) NOT-FOR-US: Lotus Domino CVE-2004-2310 (Cross-site scripting (XSS) vulnerability in webadmin.nsf in Lotus Domi ...) NOT-FOR-US: Lotus Domino CVE-2004-2309 (Directory traversal vulnerability in Crob FTP Server 3.5.1 allows loca ...) NOT-FOR-US: Crob FTP Server CVE-2004-2308 (Cross-site scripting (XSS) vulnerability in cPanel 9.1.0 and possibly ...) NOT-FOR-US: cPanel; see www.cpanel.net; has nothing to do with Debian package cpanel CVE-2004-2307 (Microsoft Internet Explorer 6.0.2600 on Windows XP allows remote attac ...) NOT-FOR-US: MS IE CVE-2004-2306 (Sun Solaris 7 through 9, when Basic Security Module (BSM) is enabled a ...) NOT-FOR-US: Solaris CVE-2004-2305 (Computer Associates eTrust Antivirus EE 6.0 through 7.0 allows remote ...) NOT-FOR-US: Computer Associates CVE-2004-2304 (Integer overflow in Trillian 0.74 and earlier, and Trillian Pro 2.01 a ...) NOT-FOR-US: Cerulean Trillian CVE-2004-2303 (MTools Mformat before 3.9.9, when installed setuid root, creates files ...) - mtools 3.9.9 CVE-2003-1228 (Buffer overflow in the prepare_reply function in request.c for Mathopd ...) - mathopd 1.5b14 CVE-2003-1227 (PHP remote file include vulnerability in index.php for Gallery 1.4 and ...) - gallery 1.4.1 CVE-2003-1226 (BEA WebLogic Server and Express 7.0 and 7.0.0.1 stores certain secrets ...) NOT-FOR-US: BEA CVE-2003-1225 (The default CredentialMapper for BEA WebLogic Server and Express 7.0 a ...) NOT-FOR-US: BEA CVE-2003-1224 (Weblogic.admin for BEA WebLogic Server and Express 7.0 and 7.0.0.1 dis ...) NOT-FOR-US: BEA CVE-2003-1223 (The Node Manager for BEA WebLogic Express and Server 6.1 through 8.1 S ...) NOT-FOR-US: BEA CVE-2003-1222 (BEA Weblogic Express and Server 8.0 through 8.1 SP 1, when using a for ...) NOT-FOR-US: BEA CVE-2003-1221 (BEA WebLogic Express and Server 7.0 through 8.1 SP 1, under certain ci ...) NOT-FOR-US: BEA CVE-2003-1220 (BEA WebLogic Server proxy plugin for BEA Weblogic Express and Server 6 ...) NOT-FOR-US: BEA CVE-2002-2123 (PHP remote file inclusion vulnerability in publish_xp_docs.php for Gal ...) - gallery 1.3.3 CVE-2005-XXXX [DoS against clamav through infinite loop in cli_rmdirs] - clamav 0.86.2-1 (low) [sarge] - clamav 0.84-2.sarge.2 CVE-2005-2554 (The web server for Network Associates ePolicy Orchestrator Agent 3.5.0 ...) NOT-FOR-US: Network Associated ePolicy Orchestrator Agent CVE-2005-2553 (The find_target function in ptrace32.c in the Linux kernel 2.4.x befor ...) {DSA-921-1} - kernel-source-2.4.27 2.4.27-12 (bug #323363; medium) CVE-2005-2552 (Unknown vulnerability in HP ProLiant DL585 servers running Integrated ...) NOT-FOR-US: Integrated Light Out in HP servers CVE-2005-2551 (Buffer overflow in dhost.exe in iMonitor for Novell eDirectory 8.7.3 o ...) NOT-FOR-US: Novell eDirectory CVE-2005-2547 (security.c in hcid for BlueZ 2.16, 2.17, and 2.18 allows remote attack ...) {DSA-782-1 DTSA-9-1} - bluez-utils 2.19-1 (bug #323365; medium) CVE-2005-2546 (Arab Portal 2.0 allows remote attackers to obtain sensitive informatio ...) NOT-FOR-US: Arab Portal CVE-2005-2545 (Multiple cross-site scripting (XSS) vulnerabilities in PHPOpenChat 3.0 ...) NOT-FOR-US: PHPOpenChat CVE-2005-2544 (PHP remote file inclusion vulnerability in config.php in Comdev eComme ...) NOT-FOR-US: Comdev eCommerce CVE-2005-2543 (Directory traversal vulnerability in wce.download.php in Comdev eComme ...) NOT-FOR-US: Comdev eCommerce CVE-2005-2542 (Invision Power Board (IPB) 1.0.3 allows remote attackers to inject arb ...) NOT-FOR-US: Invision Power Board CVE-2005-2541 (Tar 1.15.1 does not properly warn the user when extracting setuid or s ...) NOTE: This is intended behaviour, after all tar is an archiving tool and you NOTE: need to give -p as a command line flag - tar (bug #328228; unimportant) CVE-2005-2540 (CRLF injection vulnerability in FlatNuke 2.5.5 and possibly earlier ve ...) NOT-FOR-US: FlatNuke CVE-2005-2539 (Multiple cross-site scripting (XSS) vulnerabilities in FlatNuke 2.5.5 ...) NOT-FOR-US: FlatNuke CVE-2005-2538 (FlatNuke 2.5.5 and possibly earlier versions allows remote attackers t ...) NOT-FOR-US: FlatNuke CVE-2005-2537 (FlatNuke 2.5.5 and possibly earlier versions allows remote attackers t ...) NOT-FOR-US: FlatNuke CVE-2005-2536 (pstotext before 1.8g does not properly use the "-dSAFER" option when c ...) {DSA-792-1} - pstotext 1.9-2 (bug #319758; medium) CVE-2005-2535 (Buffer overflow in the Discovery Service in BrightStor ARCserve Backup ...) NOT-FOR-US: ARCserve Backup CVE-2005-2534 (Race condition in OpenVPN before 2.0.1, when --duplicate-cn is not ena ...) {DSA-851-1} - openvpn 2.0.2-1 (bug #324167; high) CVE-2005-2533 (OpenVPN before 2.0.1, when running in "dev tap" Ethernet bridging mode ...) {DSA-851-1} - openvpn 2.0.2-1 (bug #324167; high) CVE-2005-2532 (OpenVPN before 2.0.1 does not properly flush the OpenSSL error queue w ...) {DSA-851-1} - openvpn 2.0.2-1 (bug #324167; high) CVE-2005-2531 (OpenVPN before 2.0.1, when running with "verb 0" and without TLS authe ...) {DSA-851-1} - openvpn 2.0.2-1 (bug #324167; high) CVE-2005-2530 (Unspecified vulnerability in Java 1.3.1 before 1.3.1_16 on Apple Mac O ...) NOT-FOR-US: Java / Apple CVE-2005-2529 (Unspecified vulnerability in Java 1.4.2 before 1.4.2 Release 2 on Appl ...) NOT-FOR-US: Java / Apple CVE-2005-2528 REJECTED CVE-2005-2527 (Race condition in Java 1.4.2 before 1.4.2 Release 2 on Apple Mac OS X ...) NOT-FOR-US: Java / Apple CVE-2005-2526 (CUPS in Mac OS X 10.3.9 and 10.4.2 allows remote attackers to cause a ...) NOT-FOR-US: MacOS X CVE-2005-2525 (CUPS in Mac OS X 10.3.9 and 10.4.2 does not properly close file descri ...) NOT-FOR-US: MacOS X CVE-2005-2524 (Safari after 2.0 in Apple Mac OS X 10.3.9 allows remote attackers to b ...) NOT-FOR-US: MacOS X CVE-2005-2523 (Multiple cross-site scripting (XSS) vulnerabilities in Weblog Server i ...) NOT-FOR-US: Weblog Server in Mac OS X CVE-2005-2522 (Safari in WebKit in Mac OS X 10.4 to 10.4.2 directly accesses URLs wit ...) NOT-FOR-US: Mac OS X CVE-2005-2521 (Buffer overflow in traceroute in Mac OS X 10.3.9 allows local users to ...) NOT-FOR-US: Mac OS X CVE-2005-2520 (The password assistant in Mac OS X 10.4 to 10.4.2, when used to create ...) NOT-FOR-US: Mac OS X CVE-2005-2519 (slpd in Directory Services in Mac OS X 10.3.9 creates insecure tempora ...) NOT-FOR-US: Mac OS X CVE-2005-2518 (Buffer overflow in servermgrd in Mac OS X 10.3.9 and 10.4.2 allows rem ...) NOT-FOR-US: Mac OS X CVE-2005-2517 (Safari in Mac OS X 10.3.9 and 10.4.2 submits forms from an XSL formatt ...) NOT-FOR-US: Mac OS X CVE-2005-2516 (Safari in Mac OS X 10.3.9 and 10.4.2, when rendering Rich Text Format ...) NOT-FOR-US: Mac OS X CVE-2005-2515 (Quartz Composer Screen Saver in Mac OS X 10.4.2 allows local users to ...) NOT-FOR-US: Mac OS X CVE-2005-2514 (Buffer overflow in ping in Mac OS X 10.3.9 allows local users to execu ...) NOT-FOR-US: Mac OS X CVE-2005-2513 (Unknown vulnerability in HItoolbox for Mac OS X 10.4.2 allows VoiceOve ...) NOT-FOR-US: Mac OS X CVE-2005-2512 (Mail.app in Mac OS 10.4.2 and earlier, when printing or forwarding an ...) NOT-FOR-US: Mac OS X CVE-2005-2511 (Unknown vulnerability in Mac OS X 10.4.2 and earlier, when using Kerbe ...) NOT-FOR-US: Mac OS X CVE-2005-2510 (The Server Admin tool in servermgr_ipfilter for Mac OS X 10.4 to 10.4. ...) NOT-FOR-US: Mac OS X CVE-2005-2509 (Unknown vulnerability in loginwindow in Mac OS X 10.4.2 and earlier, w ...) NOT-FOR-US: Mac OS X CVE-2005-2508 (dsidentity in Directory Services in Mac OS X 10.4.2 allows local users ...) NOT-FOR-US: Mac OS X CVE-2005-2507 (Buffer overflow in Directory Services in Mac OS X 10.3.9 and 10.4.2 al ...) NOT-FOR-US: Mac OS X CVE-2005-2506 (Algorithmic complexity vulnerability in CoreFoundation in Mac OS X 10. ...) NOT-FOR-US: Mac OS X CVE-2005-2505 (Buffer overflow in CoreFoundation in Mac OS X 10.3.9 allows attackers ...) NOT-FOR-US: Mac OS X CVE-2005-2504 (The System Profiler in Mac OS X 10.4.2 labels a Bluetooth device with ...) NOT-FOR-US: Mac OS X CVE-2005-2503 (AppKit for Mac OS X 10.3.9 and 10.4.2 allows attackers with physical a ...) NOT-FOR-US: Mac OS X CVE-2005-2502 (Buffer overflow in AppKit for Mac OS X 10.3.9 and 10.4.2, as used in a ...) NOT-FOR-US: Mac OS X CVE-2005-2501 (Buffer overflow in AppKit for Mac OS X 10.3.9 and 10.4.2 allows extern ...) NOT-FOR-US: Mac OS X CVE-2005-2500 (Buffer overflow in the xdr_xcode_array2 function in xdr.c in Linux ker ...) - linux-2.6 2.6.12-1 (medium) CVE-2005-2499 (slocate before 2.7 does not properly process very long paths, which al ...) - slocate (Uses secure glibc code, see #324951) CVE-2005-2498 (Eval injection vulnerability in PHPXMLRPC 1.1.1 and earlier (PEAR XML- ...) {DSA-842-1 DSA-840-1 DSA-798-1 DSA-789-1 DTSA-15-1} - drupal 4.5.5-1 (bug #323347; high) - phpgroupware 0.9.16.008-1 (bug #323349; high) - egroupware 1.0.0.009.dfsg-1 (bug #323350; high) - phpwiki (unimportant) NOTE: phpwiki has disabled the XMLRPC in the last upload, it orphaned as well, should be fixed anyway - php4 4:4.3.10-16 (bug #323366; high) - php5 5.0.5-1 (high) CVE-2005-2497 REJECTED CVE-2005-2496 (The xntpd ntp (ntpd) daemon before 4.2.0b, when run with the -u option ...) {DSA-801-1} NOTE: I suspect DSA-801 is fixed by the non-root patches from Ubuntu?? - ntp 1:4.2.0a+stable-2sarge1 (medium) [etch] - ntp 1:4.2.0a+stable-2sarge1 (medium) CVE-2005-2495 (Multiple integer overflows in XFree86 before 4.3.0 allow user-assisted ...) {DSA-816-1} - xorg-x11 6.8.2.dfsg.1-7 (medium) CVE-2005-2494 (kcheckpass in KDE 3.2.0 up to 3.4.2 allows local users to gain root ac ...) {DSA-815-1} - kdebase 4:3.4.2-3 (bug #327039; medium) CVE-2005-2493 RESERVED CVE-2005-2492 (The raw_sendmsg function in the Linux kernel 2.6 before 2.6.13.1 allow ...) - linux-2.6 2.6.12-7 (bug #327416; medium) CVE-2005-2491 (Integer overflow in pcre_compile.c in Perl Compatible Regular Expressi ...) {DSA-821-1 DSA-819-1 DSA-817-1 DSA-800-1 DTSA-10-1} - pcre3 6.3-1 (bug #324531; medium) - gnumeric 1.5.1-1 (bug #326628; bug #326898; unimportant) - goffice 0.1.0-3 (bug #326898; unimportant) - vfu (does not include the vulnerable part of pcre) NOTE: gnumeric/goffice includes one as well; not exploitable as affected code not used - python2.1 2.1.3dfsg-3 (medium) - python2.2 2.2.3dfsg-4 (medium) - python2.3 2.3.5-8 (medium) CVE-2005-2490 (Stack-based buffer overflow in the sendmsg function call in the Linux ...) {DSA-1017-1} - linux-2.6 2.6.12-7 (bug #327416; medium) CVE-2004-2302 (Race condition in the sysfs_read_file and sysfs_write_file functions i ...) {DSA-922-1 DTSA-16-1} - linux-2.6 (Fixed before upload into archive; 2.6.10) - kernel-source-2.4.27 CVE-2005-XXXX [Buffer overflow in Description parsing] - bidwatcher (bug #319489; low) [sarge] - bidwatcher (Totally broken due to Ebay changes, no users, no exploits) CVE-2005-XXXX [Does not do escaping in mysql version - both a worrying flaw and stops adduser working] - dbmail 2.2.1-1 (bug #303991; bug #290833; medium) CVE-2005-XXXX [downloads.ini writable by group users, world-readable] - mldonkey 2.5.28.1-1 (bug #300560; low) CVE-2005-XXXX [Should include "UNRESTRICTED access to your computer" warning somewhere] - classpath 2:0.92-1 (bug #267040; bug #301134; high) [etch] - classpath (Doesn't build the gcjwebplugin binary package) CVE-2005-XXXX [Inconsistent escaping of user supplied data in dbauthpgsql.c] - dbmail 2.2.1-1 (bug #290833; medium) CVE-2005-2548 (vlan_dev.c in the VLAN code for Linux kernel 2.6.8 allows remote attac ...) {DSA-922-1 DTSA-16-1} NOTE: Will appear in next kernel DSA, fixed in 2.6 since 2.6.9-rc2 - kernel-source-2.6.8 2.6.8-16sarge1 (bug #309308; low) NOTE: 2.6.12-1 contained a partially broken fix - linux-2.6 2.6.12-6 (bug #309308; low) CVE-2005-2489 (Web Content Management News System allows remote attackers to create a ...) NOT-FOR-US: Web Content Management News System CVE-2005-2488 (Cross-site scripting (XSS) vulnerability in Web Content Management New ...) NOT-FOR-US: Web Content Management News System CVE-2005-2487 (Unknown vulnerability in Sun McData switches and directors 4300, 4500, ...) NOT-FOR-US: Sun switches CVE-2005-2486 (SQL injection vulnerability in mod_forum/read_message.php in PortailPH ...) NOT-FOR-US: PortailPHP CVE-2005-2485 (Cross-site scripting (XSS) vulnerability in the Helpdesk in Logicampus ...) NOT-FOR-US: Logicampus CVE-2005-2484 (Buffer overflow in the rdb_query function for Denora IRC Stats 1.0 mig ...) NOT-FOR-US: Denora IRC stats CVE-2005-2483 (Eval injection vulnerability in Karrigell before 2.1.8 allows remote a ...) NOT-FOR-US: Karrigell CVE-2005-2482 (The StateToOptions function in msfweb in Metasploit Framework 2.4 and ...) NOT-FOR-US: Metasploit Framework CVE-2005-2481 (ColdFusion Fusebox 4.1.0 allows remote attackers to obtain sensitive i ...) NOT-FOR-US: Fusebox CVE-2005-2480 (Cross-site scripting (XSS) vulnerability in ColdFusion Fusebox 4.1.0 a ...) NOT-FOR-US: Fusebox CVE-2005-2479 (Quick 'n Easy FTP Server 3.0 allows remote attackers to cause a denial ...) NOT-FOR-US: Quick 'n Easy FTP Server CVE-2005-2478 (SQL injection vulnerability in SilverNews 2.0.3 allows remote attacker ...) NOT-FOR-US: Silvernews CVE-2005-2477 (shop_display_products.php in Naxtor Shopping Cart 1.0 allows remote at ...) NOT-FOR-US: Naxtor Shopping Cart CVE-2005-2476 (Cross-site scripting (XSS) vulnerability in lost_passowrd.php in Naxto ...) NOT-FOR-US: Naxtor Shopping Cart CVE-2005-2475 (Race condition in Unzip 5.52 allows local users to modify permissions ...) {DSA-903-1} - unzip 5.52-4 (bug #321927; low) CVE-2005-2474 (ChurchInfo allows remote attackers to execute obtain sensitive informa ...) NOT-FOR-US: ChurchInfo CVE-2005-2473 (Multiple SQL injection vulnerabilities in ChurchInfo allow remote atta ...) NOT-FOR-US: ChurchInfo CVE-2005-2472 (Multiple buffer overflows in BusinessMail 4.60.00 allow remote attacke ...) NOT-FOR-US: BusinessMail CVE-2005-2471 (pstopnm in netpbm does not properly use the "-dSAFER" option when call ...) {DSA-1021-1} - netpbm-free 2:10.0-9 (bug #319757; low) CVE-2005-2470 (Buffer overflow in a "core application plug-in" for Adobe Reader 5.1 t ...) NOT-FOR-US: Adobe CVE-2005-2469 (Stack-based buffer overflow in the NMAP Agent for Novell NetMail 3.52C ...) NOT-FOR-US: Novell NetMail CVE-2005-2459 (The huft_build function in inflate.c in the zlib routines in the Linux ...) {DSA-922-1 DSA-921-1 DTSA-16-1} - linux-2.6 2.6.12-3 (bug #323173) - kernel-source-2.4.27 2.4.27-12 (medium) CVE-2005-2458 (inflate.c in the zlib routines in the Linux kernel before 2.6.12.5 all ...) {DSA-922-1 DSA-921-1 DTSA-16-1} - linux-2.6 2.6.12-3 (bug #323173; medium) - kernel-source-2.4.27 2.4.27-12 (medium) CVE-2004-2301 (Eudora before 6.1.1 allows remote attackers to cause a denial of servi ...) NOT-FOR-US: Eudora CVE-2004-2300 (Buffer overflow in snmpd in ucd-snmp 4.2.6 and earlier, when installed ...) - net-snmp (snmpd is neither setuid nor setgid in Debian) CVE-2004-2299 (Buffer overflow in Omnicron OmniHTTPd 3.0a and earlier allows remote a ...) NOT-FOR-US: Omnicron CVE-2004-2298 (Novell Internet Messaging System (NIMS) 2.6 and 3.0, and NetMail 3.1 a ...) NOT-FOR-US: Novell Internet Messaging System CVE-2002-2122 (Pointsec before 1.2 for PalmOS stores a user's PIN number in memory in ...) NOT-FOR-US: Pointsec CVE-2002-2121 (SurfControl SuperScout Email filter for SMTP 3.5.1 allows remote attac ...) NOT-FOR-US: SurfControl CVE-2002-2120 (Multiple buffer overflows in QNX RTOS 4.25 may allow attackers to exec ...) NOT-FOR-US: QNX CVE-2002-2119 (Novell eDirectory 8.6.2 and 8.7 use case insensitive passwords, which ...) NOT-FOR-US: Novell eDirectory CVE-2002-2118 (Buffer overflow in Blue World Lasso Web Data Engine 3.6.5 allows remot ...) NOT-FOR-US: Blue World Lasso Web Data Engine CVE-2002-2117 (Microsoft Windows XP allows remote attackers to cause a denial of serv ...) NOT-FOR-US: Microsoft CVE-2002-2116 (Netgear RM-356 and RT-338 series SOHO routers allow remote attackers t ...) NOT-FOR-US: Netgear RM-356 and RT-338 series SOHO routers CVE-2002-2115 (Cross-site scripting (XSS) vulnerability in Hyper NIKKI System (HNS) L ...) NOT-FOR-US: Hyper NIKKI System (HNS) Lite CVE-2002-2114 (Artekopia Netjuke before 1.0 b7 allows remote attackers to execute arb ...) - netjuke 1.0b7 CVE-2002-2113 (search.cgi in AGH HTMLsearch 1.0 allows remote attackers to execute ar ...) NOT-FOR-US: HTMLsearch CVE-2002-2112 (RCA Digital Cable Modem DCM225 and DCM225E, and other modems that must ...) NOT-FOR-US: RCA Digital Cable Modem CVE-2002-2111 (Fwmon before 1.0.10 allows remote attackers to cause a denial of servi ...) NOT-FOR-US: Fwmon CVE-2002-2110 (The RCA Digital Cable Modems DCM225 and DCM225E allow remote attackers ...) NOT-FOR-US: RCA Digital Cable Modems DCM225 and DCM225E CVE-2002-2109 (Matt Wright FormMail 1.9 and earlier allows remote attackers to bypass ...) NOTE: debian's nms-formmail is a reimplementation of old formmail CVE-2002-2108 (Unknown vulnerability in the "VAIO Manual" software in certain Sony VA ...) NOT-FOR-US: Sony VAIO CVE-2002-2107 (Cross-site scripting (XSS) vulnerability in the lookup script in Verid ...) NOT-FOR-US: OpenKeyServer CVE-2002-2106 (PHP remote file inclusion vulnerability in WikkiTikkiTavi before 0.21 ...) NOT-FOR-US: WikkiTikkiTavi CVE-2002-2105 (Microsoft Windows XP allows local users to prevent the system from boo ...) NOT-FOR-US: Microsoft CVE-2002-2104 (graph.php in Ganglia PHP RRD Web Client 1.0.2 allows remote attackers ...) NOT-FOR-US: Ganglia PHP RRD Web Client NOTE: not ganglia-monitor CVE-2002-2103 (Apache before 1.3.24, when writing to the log file, records a spoofed ...) - apache 1.3.24 (low) CVE-2002-2102 (InfBlocks.java in JCraft JZlib before 0.0.7 allow remote attackers to ...) - jzlib 0.0.7 (low) CVE-2002-2101 (Microsoft Outlook 2002 allows remote attackers to execute arbitrary Ja ...) NOT-FOR-US: Microsoft CVE-2002-2100 (Microsoft Outlook 2002 allows remote attackers to embed bypass the fil ...) NOT-FOR-US: Microsoft CVE-2002-2099 (Buffer overflow in the GNU DataDisplay Debugger (DDD) 3.3.1 allows loc ...) - ddd (ddd is not setuid/gid so not exploitable) CVE-2002-2098 (Buffer overflow in axspawn.c in Axspawn-pam before 0.2.1a allows remot ...) NOT-FOR-US: Axspawn-pam CVE-2002-2097 (The compression code in MaraDNS before 0.9.01 allows remote attackers ...) - maradns 0.9.01 (low) CVE-2002-2096 (Buffer overflow in Novell Remote Manager module, httpstk.nlm, in NetWa ...) NOT-FOR-US: Netware CVE-2002-2095 (Joe Testa hellbent 01 webserver allows attackers to read files that ar ...) NOT-FOR-US: Joe Testa hellbent 01 webserver CVE-2002-2094 (Joe Testa hellbent 01 allows remote attackers to determine the full pa ...) NOT-FOR-US: Joe Testa hellbent 01 webserver CVE-2002-2093 (The Video Control Panel on SGI O2/IRIX 6.5, when the Default Input is ...) NOT-FOR-US: SGI IRIX CVE-2002-2092 (Race condition in exec in OpenBSD 4.0 and earlier, NetBSD 1.5.2 and ea ...) NOT-FOR-US: OpenBSD/NetBSD/FreeBSD CVE-2002-2091 (Format string vulnerability in Deception Finger Daemon, decfingerd, 0. ...) NOT-FOR-US: decfingerd CVE-2002-2090 (Caucho Technology Resin server 2.1.1 to 2.1.2 allows remote attackers ...) NOT-FOR-US: aucho Technology Resin server CVE-2002-2089 (Buffer overflow in rcp in Solaris 9.0 allows local users to execute ar ...) NOT-FOR-US: Solaris CVE-2002-2088 (The MOSIX Project clump/os 5.4 creates a default VNC account without a ...) NOT-FOR-US: clump/os CVE-2002-2087 (Buffer overflow in Borland InterBase 6.0 allows local users to execute ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1580 (Directory traversal vulnerability in ScriptEase viewcode.jse for Netwa ...) NOT-FOR-US: ScriptEase CVE-2001-1579 (The timed program (in.timed) in UnixWare 7 and OpenUnix 8.0.0 does not ...) NOT-FOR-US: UnixWare/OpenUnix CVE-2001-1578 (Unknown vulnerability in SCO OpenServer 5.0.6 and earlier allows local ...) NOT-FOR-US: SCO CVE-2001-1577 (Unknown vulnerability in CDE in Caldera OpenUnix 7.1.0, 7.1.1, and 8.0 ...) NOT-FOR-US: CDE CVE-2001-1576 (Buffer overflow in cron in Caldera UnixWare 7 allows local users to ex ...) NOTE: insufficient info to check, but not same code base CVE-2001-1575 (Apple Personal Web Sharing (PWS) 1.1, 1.5, and 1.5.5, when Web Sharing ...) NOT-FOR-US: Apple CVE-2001-1574 (Buffer overflow in (1) HttpSaveCVP.dll and (2) HttpSaveCSP.dll in Tren ...) NOT-FOR-US: Trend Micro InterScan VirusWall CVE-2001-1573 (Buffer overflow in smtpscan.dll for Trend Micro InterScan VirusWall 3. ...) NOT-FOR-US: Trend Micro InterScan VirusWall CVE-2005-XXXX [wine: Unsafe use of temporary files in winelauncher] - wine 0.0.20050830-1 (bug #321470; unimportant) NOTE: Not shipped in binary package CVE-2005-XXXX [DoS to users to prevent usage of showpartial through _hard_ links] - metamail 2.7-48 (bug #321473; low) [sarge] - metamail (Hardly exploitable, minor Dos) CVE-2005-XXXX [Insecure usage of temporary files in x11perfcomp and other security issues] - xfree86 (bug #321447; low) [woody] - xfree86 (Hardly exploitable) [sarge] - xfree86 (Hardly exploitable) - x11-apps 7.7~1 (bug #321447; low) [squeeze] - x11-apps (Minor issue) CVE-2005-XXXX [gs-esp: Insecure usage of /tmp in source code] - ghostscript 8.61.dfsg.1~svn8187-1 (bug #291452; unimportant) NOTE: Not included in the binary package CVE-2005-XXXX [Format string bug in sysklogd's syslog_tst sources] NOTE: binary not shipped - sysklogd (bug #281448; unimportant) CVE-2005-XXXX [fftw3-dev: Insecure tempfile usage in fftw-wisdom-to-conf script] - fftw3 3.0.1-12 (low; bug #321566) [sarge] - fftw3 (Minor issue) CVE-2005-XXXX [clamav-getfile: Insecure use of temporary files] - clamav-getfiles 0.5-1 (bug #321446; medium) [sarge] - clamav-getfiles (Sarge version uses mktemp) CVE-2005-3254 (The CGIwrap program before 3.9 on Debian GNU/Linux uses an incorrect m ...) {DTSA-6-1} - cgiwrap 3.9-3.1 (bug #316881; low) [sarge] - cgiwrap (Minor impact) CVE-2005-3255 (The (1) cgiwrap and (2) php-cgiwrap packages before 3.9 in Debian GNU/ ...) {DTSA-6-1} - cgiwrap 3.9-3.1 (bug #316901; low) [sarge] - cgiwrap (Minor information disclosure, only debugging libs) CVE-2004-2162 (Multiple cross-site scripting (XSS) vulnerabilities in TUTOS 1.1 allow ...) {DSA-980-1} - tutos 1.1.20031017-2.1 (bug #318633; medium) CVE-2004-2161 (SQL injection vulnerability in file_overview.php in TUTOS 1.1 allows r ...) {DSA-980-1} - tutos 1.1.20031017-2.1 (bug #318633; medium) CVE-2005-2550 (Format string vulnerability in Evolution 1.4 through 2.3.6.1 allows re ...) {DSA-1016-1 DTSA-13-1} - evolution 2.2.3-3 (high; bug #322535) CVE-2005-2549 (Multiple format string vulnerabilities in Evolution 1.5 through 2.3.6. ...) {DSA-1016-1 DTSA-13-1} - evolution 2.2.3-3 (high; bug #322535) CVE-2005-XXXX [libnet-ssleay-perl: /tmp/entropy insecure] - libnet-ssleay-perl 1.25-1.1 (bug #296112; low) CVE-2005-XXXX [nvi: init.d recover file security bugs] - nvi 1.79-22 (bug #298114; medium) CVE-2005-XXXX [bugzilla: Maintainer's postinst script use temporary files in an unsafe way] [woody] - bugzilla (Vulnerable script is not present) [sarge] - bugzilla (Vulnerable script is not present) - bugzilla 2.18.3-2 (bug #321567; low) CVE-2005-XXXX [Crypto weakness in Tor's handshaking process] - tor 0.1.0.14-1 (medium) CVE-2005-2457 (The driver for compressed ISO file systems (zisofs) in the Linux kerne ...) {DSA-1018-1 DSA-1017-1 DTSA-16-1} - linux-2.6 2.6.12-3 (medium) CVE-2005-2456 (Array index overflow in the xfrm_sk_policy_insert function in xfrm_use ...) {DSA-922-1 DSA-921-1 DTSA-16-1} - linux-2.6 2.6.12-2 (bug #321401; medium) - kernel-source-2.4.27 2.4.27-11 (medium) CVE-2005-2455 (Greasemonkey before 0.3.5 allows remote web servers to (1) read arbitr ...) NOT-FOR-US: Greasemonkey CVE-2005-2454 (IBM Lotus Notes 6.5.4 and 6.5.5, and 7.0.0 and 7.0.1, uses insecure de ...) NOT-FOR-US: IBM Lotus Notes CVE-2005-2453 (Cross-site scripting (XSS) vulnerability in NetworkActiv Web Server 1. ...) NOT-FOR-US: NetworkActiv Web Server CVE-2005-2452 (libtiff up to 3.7.0 allows remote attackers to cause a denial of servi ...) NOTE: CVE description is broken, this only affects 3.6, it's been fixed in 3.7 - tiff 3.7.0-1 - tiff3 (fixed prior to initial upload) CVE-2005-2451 (Cisco IOS 12.0 through 12.4 and IOS XR before 3.2, with IPv6 enabled, ...) NOT-FOR-US: IOS CVE-2005-2450 (Multiple integer overflows in the (1) TNEF, (2) CHM, or (3) FSG file f ...) {DSA-776-1 DTSA-3-1} - clamav 0.86.2-1 (medium) CVE-2005-2449 (Race condition in sandbox before 1.2.11 allows local users to create o ...) NOT-FOR-US: sandbox CVE-2005-2448 (Multiple "endianness errors" in libgadu in ekg before 1.6rc2 allow rem ...) {DSA-1318-1 DSA-813-1 DTSA-2-1 DTSA-4-1} - ekg 1:1.5+20050718+1.6rc3-1 (low) - centericq 4.20.0-9 (bug #323185; medium) CVE-2005-2447 REJECTED CVE-2005-2446 REJECTED CVE-2005-2445 (SQL injection vulnerability in viewPrd.asp in Product Cart 2.6 allows ...) NOT-FOR-US: Product Cart CVE-2005-2444 (Trillian Pro 3.1 build 121, when checking Yahoo e-mail, stores the pas ...) NOT-FOR-US: Cerulean Trillian CVE-2005-2443 (Kshout 2.x and 3.x stores settings.dat under the web document root wit ...) NOT-FOR-US: KShout CVE-2005-2442 (Cross-Application Scripting (XAS) vulnerability in SPI Dynamics WebIns ...) NOT-FOR-US: SPI Dynamics Web Inspect CVE-2005-2441 (Multiple cross-site scripting (XSS) vulnerabilities in VBzoom allow re ...) NOT-FOR-US: VBzoom CVE-2005-2440 (SQL injection vulnerability in login.asp in Thomson Web Skill Vantage ...) NOT-FOR-US: Thomson Web Skill Vantage Manager CVE-2005-2439 (SQL injection vulnerability in UseBB 0.5.1 and earlier, when magic_quo ...) NOT-FOR-US: UseBB CVE-2005-2438 (Cross-site scripting (XSS) vulnerability in UseBB 0.5.1 and earlier al ...) NOT-FOR-US: UseBB CVE-2005-2436 (browse.php in Website Baker Project allows remote attackers to obtain ...) NOT-FOR-US: Website Baker CVE-2005-2435 (Cross-site scripting (XSS) vulnerability in browse.php in Website Bake ...) NOT-FOR-US: Website Baker CVE-2005-2434 (Linksys WRT54G router uses the same private key and certificate for ev ...) NOT-FOR-US: Linksys hardware CVE-2005-2433 (PhpList allows remote attackers to obtain sensitive information via a ...) - phplist (bug #612288) CVE-2005-2432 (SQL injection vulnerability in PhpList allows remote attackers to modi ...) - phplist (bug #612288) CVE-2005-2431 (The (1) lost password and (2) account pending features in GForge 4.5 d ...) - gforge 4.5.14-2 (bug #328224; unimportant) NOTE: Direct flooding is possible as well in most circumstances. NOTE: (Upstream fix was in gforge 4.5.0.1.) CVE-2005-2430 (Multiple cross-site scripting (XSS) vulnerabilities in GForge 4.5 allo ...) {DSA-1094-1} - gforge 4.5.14-9 (bug #328224; medium) CVE-2005-2429 (Firefox, when opening Microsoft Word documents, does not properly set ...) - mozilla-firefox (Only affects Firefox on Windows platforms) CVE-2005-2428 (Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" en ...) NOT-FOR-US: Lotus Domino CVE-2005-2427 (Cross-site scripting (XSS) vulnerability in viewCart.asp in CartWIZ al ...) NOT-FOR-US: CartWIZ CVE-2005-2426 (FTPshell Server 3.38 allows remote authenticated users to cause a deni ...) NOT-FOR-US: FTPshell Server CVE-2005-2425 (Stack-based buffer overflow in Ares FileShare 1.1 allows remote attack ...) NOT-FOR-US: Ares FileShare CVE-2005-2424 (The management interface for Siemens SANTIS 50 running firmware 4.2.8. ...) NOT-FOR-US: Siemens hardware CVE-2005-2423 (Beehive Forum allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Beehive CVE-2005-2422 (Cross-site scripting (XSS) vulnerability in index.php in Beehive Forum ...) NOT-FOR-US: Beehive CVE-2005-2421 (Multiple SQL injection vulnerabilities in index.php and other pages in ...) NOT-FOR-US: Beehive CVE-2005-2420 (flsearch.pl in FtpLocate 2.02 allows remote attackers to execute arbit ...) NOT-FOR-US: FtpLocate CVE-2005-2419 (B-FOCuS Router 312+ allows remote attackers to bypass authentication a ...) NOT-FOR-US: hardware issue CVE-2005-2418 REJECTED CVE-2005-2417 (Contrexx before 1.0.5 allows remote attackers to obtain sensitive info ...) NOT-FOR-US: Contrexx CVE-2005-2416 (Multiple cross-site scripting (XSS) vulnerabilities in Contrexx before ...) NOT-FOR-US: Contrexx CVE-2005-2415 (Multiple SQL injection vulnerabilities in Contrexx before 1.0.5 allow ...) NOT-FOR-US: Contrexx CVE-2005-2414 (Race condition in the xpcom library, as used by web browsers such as F ...) - firefox 1.5.dfsg-1 (unimportant) - mozilla-firefox 1.5.dfsg-1 (bug #327549; unimportant) - mozilla 1.5.dfsg-1 (bug #327550; unimportant) - iceweasel NOTE: The turned out to be non-exploitable CVE-2005-2413 (PHP remote file inclusion vulnerability in apa_phpinclude.inc.php in A ...) NOT-FOR-US: Atomic Photo Album CVE-2005-2412 (PHP remote file inclusion vulnerability in block.php in PHP FirstPost ...) NOT-FOR-US: First Post CVE-2005-2411 (Cross-Site Request Forgery (CSRF) vulnerability in tDiary 2.1.1, and t ...) {DSA-808-1} - tdiary 2.0.2-1 (bug #319315; medium) CVE-2005-2410 (Format string vulnerability in the nm_info_handler function in Network ...) NOT-FOR-US: Network Manager CVE-2005-2409 (Format string vulnerability in util.c in nbsmtp 0.99 and earlier, whil ...) NOT-FOR-US: nbsmtp CVE-2005-2408 REJECTED CVE-2005-2407 (A design error in Opera 8.01 and earlier allows user-assisted attacker ...) NOT-FOR-US: Opera CVE-2005-2406 (Opera 8.01 allows remote attackers to conduct cross-site scripting (XS ...) NOT-FOR-US: Opera CVE-2005-2405 (Opera 8.01, when the "Arial Unicode MS" font (ARIALUNI.TTF) is install ...) NOT-FOR-US: Opera CVE-2004-2297 (The Reviews module in PHP-Nuke 6.0 to 7.3 allows remote attackers to c ...) NOT-FOR-US: PHP-Nuke CVE-2004-2296 (The preview_review function in the Reviews module in PHP-Nuke 6.0 to 7 ...) NOT-FOR-US: PHP-Nuke CVE-2004-2295 (SQL injection vulnerability in the Reviews module in PHP-Nuke 6.0 to 7 ...) NOT-FOR-US: PHP-Nuke CVE-2004-2294 (Canonicalize-before-filter error in the send_review function in the Re ...) NOT-FOR-US: PHP-Nuke CVE-2004-2293 (Multiple cross-site scripting (XSS) vulnerabilities in PHP-Nuke 6.0 to ...) NOT-FOR-US: PHP-Nuke CVE-2004-2292 (Buffer overflow in Alt-N MDaemon 7.0.1 allows remote attackers to caus ...) NOT-FOR-US: Alt-N Technologies Mdaemon CVE-2004-2291 (Microsoft Windows Internet Explorer 5.5 and 6.0 allows remote attacker ...) NOT-FOR-US: Microsoft CVE-2004-2290 (Microsoft Windows XP Explorer allows attackers to execute arbitrary co ...) NOT-FOR-US: Microsoft CVE-2004-2289 (Microsoft Windows XP Explorer allows local users to execute arbitrary ...) NOT-FOR-US: Microsoft CVE-2004-2288 (Cross-site scripting (XSS) vulnerability in index.php in Jelsoft vBull ...) NOT-FOR-US: vBulletin CVE-2004-2287 (Directory traversal vulnerability in explorer.php in DSM Light Web Fil ...) NOT-FOR-US: Light Web File Manager CVE-2004-2286 (Integer overflow in the duplication operator in ActivePerl allows remo ...) NOT-FOR-US: ActivePerl CVE-2004-2285 REJECTED CVE-2003-1219 (Cross-site scripting (XSS) vulnerability in the tep_href_link function ...) NOT-FOR-US: osCommerce CVE-2005-2404 (SQL injection vulnerability in sendcard.php in Sendcard 3.2.3 allows r ...) NOT-FOR-US: Sendcard CVE-2005-2403 (The login protocol in RealChat 3.5.1b does not use authentication, whi ...) NOT-FOR-US: RealChat CVE-2005-2402 (Cross-site scripting (XSS) vulnerability in search.php in PHPSiteSearc ...) NOT-FOR-US: PHPSiteSearch CVE-2005-2401 (PHP-Fusion allows remote attackers to inject arbitrary Cascading Style ...) NOT-FOR-US: PHP-Fusion CVE-2005-2400 (The inc.login.php scripts in PHPFinance 0.3 allows remote attackers to ...) NOT-FOR-US: PHPFinance CVE-2005-2399 (PHP Surveyor 0.98 allows remote attackers to trigger SQL errors via mi ...) NOT-FOR-US: PHP Surveyor CVE-2005-2398 (Multiple SQL injection vulnerabilities in PHP Surveyor 0.98 allows rem ...) NOT-FOR-US: PHP Surveyor CVE-2005-2397 (Cross-site scripting (XSS) vulnerability in guestbook.php in phpBook 1 ...) NOT-FOR-US: phpBook CVE-2005-2396 (Cross-site scripting (XSS) vulnerability in MediaWiki 1.4.6 and earlie ...) - mediawiki 1.4.9 (bug #276057) CVE-2005-2395 (Mozilla Firefox 1.0.4 and 1.0.5 does not choose the challenge with the ...) - firefox (bug #320539; unimportant) - iceweasel (bug #320539; unimportant) - mozilla-firefox 1.4.99+1.5rc3.dfsg-2 (bug #320539; unimportant) - mozilla (bug #320538; unimportant) NOTE: Firefox and Mozilla follow RFC behaviour. This is more a lack of security NOTE: feature (client-side preference for stronger methods) and not a vulnerabilit NOTE: This also seems like a rare setup. CVE-2005-2394 (show_news.php in CuteNews 1.3.6 allows remote attackers to obtain the ...) NOT-FOR-US: CuteNews CVE-2005-2393 (Cross-site scripting (XSS) vulnerability in CuteNews 1.3.6 allows remo ...) NOT-FOR-US: CuteNews CVE-2005-2392 (Cross-site scripting (XSS) vulnerability in index.php for CMSimple 2.4 ...) NOT-FOR-US: CMSimple CVE-2005-2391 (Unknown vulnerability in 3Com OfficeConnect Wireless 11g Access Point ...) NOT-FOR-US: 3Com OfficeConnect Wireless 11g AP CVE-2005-2390 (Multiple format string vulnerabilities in ProFTPD before 1.3.0rc2 allo ...) {DSA-795-2} - proftpd 1.2.10-20 (low) NOTE: ftpshut fixed in -19, SQLShowInfo in -20 CVE-2005-2389 (NDMP server in Veritas NetBackup 5.1 allows attackers to cause a denia ...) NOT-FOR-US: Veritas NetBackup CVE-2005-2388 (Buffer overflow in a certain USB driver, as used on Microsoft Windows, ...) NOT-FOR-US: some windows USB driver CVE-2005-2387 (Multiple stack-based buffer overflows in GoodTech SMTP server 5.16 all ...) NOT-FOR-US: GoodTech SMTP server CVE-2005-2386 (Cross-site scripting (XSS) vulnerability in viewCart.asp in CartWIZ 1. ...) NOT-FOR-US: CartWIZ CVE-2005-2385 (Buffer overflow in a third-party compression library (UNACEV2.DLL), as ...) NOT-FOR-US: UNACEV2.DLL CVE-2005-2384 (Directory traversal vulnerability in a third-party compression library ...) NOT-FOR-US: UNACEV2.DLL CVE-2005-2383 (SQL injection vulnerability in auth.php in PHPNews 1.2.5 allows remote ...) NOT-FOR-US: PHPNews CVE-2005-2382 (Oray PeanutHull 3.0.1.0 and earlier does not properly drop SYSTEM priv ...) NOT-FOR-US: Oray PeanutHull CVE-2005-2381 (PHP Surveyor 0.98 allows remote attackers to obtain sensitive informat ...) NOT-FOR-US: PHP Surveyor CVE-2005-2380 (Multiple cross-site scripting vulnerabilities in PHP Surveyor 0.98 all ...) NOT-FOR-US: PHP Surveyor CVE-2005-2379 (Multiple cross-site scripting (XSS) vulnerabilities in Oracle Reports ...) NOT-FOR-US: Oracle Reports CVE-2005-2378 (Directory traversal vulnerability in Oracle Reports allows remote atta ...) NOT-FOR-US: Oracle Reports CVE-2005-2377 (nss_ldap 181 to versions before 213, as used in Mandrake Corporate Ser ...) - libnss-ldap (Mandrake specfic vulnerability) CVE-2005-2376 (Buffer overflow in Race Driver 1.20 and earlier allows remote attacker ...) NOT-FOR-US: Race Driver CVE-2005-2375 (Format string vulnerability in Race Driver 1.20 and earlier allows rem ...) NOT-FOR-US: Race Driver CVE-2005-2374 (Belkin 54g wireless routers do not properly set an administrative pass ...) NOT-FOR-US: Belkin 54g wireless routers CVE-2005-2373 (Buffer overflow in SlimFTPd 3.15 and 3.16 allows remote authenticated ...) NOT-FOR-US: SlimFTPd CVE-2005-2372 (Oracle Forms 4.5 through 10g starts form executables from arbitrary di ...) NOT-FOR-US: Oracle Forms CVE-2005-2371 (Directory traversal vulnerability in Oracle Reports 6.0, 6i, 9i, and 1 ...) NOT-FOR-US: Oracle Reports CVE-2005-2370 (Multiple "memory alignment errors" in libgadu, as used in ekg before 1 ...) {DSA-1318-1 DSA-813-1 DSA-769-1 DTSA-2-1 DTSA-5-1} - gaim 1:1.4.0-5 (low) - centericq 4.20.0-9 (bug #323185; low) - ekg 1:1.5+20050712+1.6rc2-1 (low) CVE-2005-2369 (Multiple integer signedness errors in libgadu, as used in ekg before 1 ...) {DSA-813-1 DTSA-2-1} - centericq 4.20.0-9 (bug #323185; medium) - gaim 1:1.5.0-1 (bug #350071; medium) [woody] - gaim (affected code libgadu not present in woody) [sarge] - gaim (old version of libgadu in gaim is not affected) - ekg 1:1.5+20050712+1.6rc2-1 (medium) [sarge] - ekg NOTE: The fixes from centericq for integer overflows are all present in ekg from stable CVE-2005-2368 (vim 6.3 before 6.3.082, with modelines enabled, allows external user-a ...) {DTSA-12-1} - vim 1:6.3-085+1 (bug #320017; medium) [sarge] - vim 1:6.3-071+1sarge1 NOTE: For some reason this was fixed through an upload to s-p-u, not stable-security CVE-2005-2367 (Format string vulnerability in the proto_item_set_text function in Eth ...) {DSA-853-1} - ethereal 0.10.12-1 (bug #320183; bug #320192; medium) CVE-2005-2366 (Unknown vulnerability in the BER dissector in Ethereal 0.10.11 allows ...) {DSA-853-1} - ethereal 0.10.12-1 (bug #320183; low) CVE-2005-2365 (Unknown vulnerability in the SMB dissector in Ethereal 0.9.0 through 0 ...) {DSA-853-1} - ethereal 0.10.12-1 (bug #320183; low) CVE-2005-2364 (Unknown vulnerability in the (1) GIOP dissector, (2) WBXML, or (3) CAM ...) {DSA-853-1} - ethereal 0.10.12-1 (bug #320183; low) CVE-2005-2363 (Unknown vulnerability in the (1) SMPP dissector, (2) 802.3 dissector, ...) {DSA-853-1} - ethereal 0.10.12-1 (bug #320183; low) CVE-2005-2362 (Unknown vulnerability several dissectors in Ethereal 0.9.0 through 0.1 ...) - ethereal 0.10.12-1 (bug #320183; low) NOTE: This affects partially Woody and Sarge CVE-2005-2361 (Unknown vulnerability in the (1) AgentX dissector, (2) PER dissector, ...) {DSA-853-1} - ethereal 0.10.12-1 (bug #320183; low) CVE-2005-2360 (Unknown vulnerability in the LDAP dissector in Ethereal 0.8.5 through ...) {DSA-853-1} - ethereal 0.10.12-1 (bug #320183; low) CVE-2005-2359 (The AES-XCBC-MAC algorithm in IPsec in FreeBSD 5.3 and 5.4, when used ...) - kfreebsd-5 5.3-1 (medium) CVE-2005-2358 (EMC Navisphere Manager 6.4.1.0.0 allows remote attackers to list arbit ...) NOT-FOR-US: EMC Navisphere Manager CVE-2005-2357 (Directory traversal vulnerability in EMC Navisphere Manager 6.4.1.0.0 ...) NOT-FOR-US: EMC Navisphere Manager CVE-2005-2355 REJECTED CVE-2005-2347 RESERVED CVE-2005-2346 (Buffer overflow in Novell GroupWise 6.5 Client allows remote attackers ...) NOT-FOR-US: Novell CVE-2005-2345 REJECTED CVE-2005-2344 (The BlackBerry Attachment Service in Research in Motion (RIM) BlackBer ...) NOT-FOR-US: Research in Motion CVE-2005-2343 (Research in Motion (RIM) BlackBerry Handheld web browser for BlackBerr ...) NOT-FOR-US: Research in Motion CVE-2005-2342 (Research in Motion (RIM) BlackBerry Router allows remote attackers to ...) NOT-FOR-US: Research in Motion CVE-2005-2341 (Heap-based buffer overflow in Research in Motion (RIM) BlackBerry Atta ...) NOT-FOR-US: Research in Motion CVE-2005-2340 (Heap-based buffer overflow in Apple Quicktime before 7.0.4 allows remo ...) NOT-FOR-US: Apple Quicktime CVE-2005-2339 (Cross-site scripting (XSS) vulnerability in the Unicode version of mse ...) NOT-FOR-US: unicode msearch CVE-2005-2338 (Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.0.12 JP ...) NOT-FOR-US: Xoops CVE-2005-2337 (Ruby 1.6.x up to 1.6.8, 1.8.x up to 1.8.2, and 1.9.0 development up to ...) {DSA-864-1 DSA-862-1 DSA-860-1} - ruby - ruby1.6 1.6.8-13 (medium) - ruby1.8 1.8.3-1 (bug #332742; medium) - ruby1.9 1.9.0+20050921-1 (medium) CVE-2005-2336 (Cross-site scripting (XSS) vulnerability in Hiki 0.8.0 to 0.8.2 allows ...) [sarge] - hiki (code not present in sarge) - hiki 0.8.2-1 CVE-2005-2334 (Y.SAK allows remote attackers to execute arbitrary commands via shell ...) NOT-FOR-US: Y.SAK CVE-2005-2333 (Cross-site scripting (XSS) vulnerability in smilies_popup.php in SEO-B ...) NOT-FOR-US: smilies_popup.php CVE-2005-2332 (Cross-site scripting (XSS) vulnerability in PHPPageProtect 1.0.0a allo ...) NOT-FOR-US: PHPPageProtect CVE-2005-2331 (PHP remote file inclusion vulnerability in display.php in MooseGallery ...) NOT-FOR-US: MooseGallery CVE-2005-2330 (Directory traversal vulnerability in extras/update.php in osCommerce 2 ...) NOT-FOR-US: osCommerce CVE-2005-2329 (MRV Communications In-Reach LX-8000S, LX-4000S, and LX-1000S 3.5.0, wh ...) NOT-FOR-US: MRV Communications In-Reach LX-8000S, LX-4000S, and LX-1000S CVE-2005-2328 (PHP remote file inclusion vulnerability in im.php in Laffer 0.3.2.6 an ...) NOT-FOR-US: Laffer CVE-2005-2327 (Cross-site scripting (XSS) vulnerability in e107 0.617 and earlier all ...) NOT-FOR-US: e107 CVE-2005-2326 (Cross-site scripting (XSS) vulnerability in Clever Copy 2.0 and 2.0a a ...) NOT-FOR-US: Clever Copy CVE-2005-2325 (Clever Copy 2.0 and 2.0a allows remote attackers to obtain the full pa ...) NOT-FOR-US: Clever Copy CVE-2005-2324 (Cross-site scripting (XSS) vulnerability in Clever Copy 2.0 and 2.0a a ...) NOT-FOR-US: Clever Copy CVE-2005-2323 (Multiple SQL injection vulnerabilities in Class-1 Forum 0.24.4 and 0.2 ...) NOT-FOR-US: Class-1 Forum CVE-2005-2322 (Cross-site scripting (XSS) vulnerability in Class-1 Forum 0.24.4 and 0 ...) NOT-FOR-US: Class-1 Forum CVE-2005-2321 (PHP remote file inclusion vulnerability in CaLogic 1.2.2 allows remote ...) NOT-FOR-US: CaLogic CVE-2005-2319 (PHP remote file include vulnerability in Yawp library 1.0.6 and earlie ...) NOT-FOR-US: Yawp CVE-2005-2318 (Cross-site scripting (XSS) vulnerability in showerr.asp in DVBBS 7.1 S ...) NOT-FOR-US: DVBBS CVE-2005-2317 (Shorewall 2.4.x before 2.4.1, 2.2.x before 2.2.5, and 2.0.x before 2.0 ...) {DSA-849-1} - shorewall 2.4.1-2 (bug #318946; medium) CVE-2005-2316 (Domain Name Relay Daemon (DNRD) before 2.19.1 allows remote attackers ...) NOT-FOR-US: dnrd CVE-2005-2315 (Buffer overflow in Domain Name Relay Daemon (DNRD) before 2.19.1 allow ...) NOT-FOR-US: dnrd CVE-2005-2314 (inc.login.php in PHPsFTPd 0.2 through 0.4 allows remote attackers to o ...) NOT-FOR-US: PHPsFTPd CVE-2005-2313 (Check Point SecuRemote NG with Application Intelligence R54 allows att ...) NOT-FOR-US: Check Point SecuRemote NG with Application Intelligence CVE-2005-2312 (management.php in Realnode Emilda 1.2.2 and earlier allows remote atta ...) NOT-FOR-US: Realnode Emilda CVE-2005-2311 (SMS 1.9.2m and earlier allows local users to overwrite arbitrary files ...) - sms-pl 2.1.0-1 (bug #320540; unimportant) NOTE: vulnerable contrib file only in source package CVE-2005-2310 (Buffer overflow in Winamp 5.03a, 5.09 and 5.091, and other versions be ...) NOT-FOR-US: Winamp CVE-2005-2309 (Opera 8.01 allows remote attackers to cause a denial of service (CPU c ...) NOT-FOR-US: Opera CVE-2005-2308 (The JPEG decoder in Microsoft Internet Explorer allows remote attacker ...) NOT-FOR-US: MSIE CVE-2005-2307 (netman.dll in Microsoft Windows Connections Manager Library allows loc ...) NOT-FOR-US: Microsoft CVE-2005-2306 (Race condition in Macromedia JRun 4.0, ColdFusion MX 6.1 and 7.0, when ...) NOT-FOR-US: Macromedia JRun 4.0, ColdFusion MX 6.1 and 7.0 CVE-2005-2305 (DG Remote Control Server 1.6.2 allows remote attackers to cause a deni ...) NOT-FOR-US: DG Remote Control Server CVE-2005-2304 (Microsoft MSN Messenger 9.0 and Internet Explorer 6.0 allows remote at ...) NOT-FOR-US: Microsoft CVE-2005-2303 REJECTED CVE-2005-2302 (PowerDNS before 2.9.18, when allowing recursion to a restricted range ...) {DSA-771-1} - pdns 2.9.18-1 (medium; bug #318798) CVE-2005-2301 (PowerDNS before 2.9.18, when running with an LDAP backend, does not pr ...) {DSA-771-1} - pdns 2.9.18-1 (medium; bug #318798) CVE-2005-2300 (Skype 1.1.0.20 and earlier allows local users to overwrite arbitrary f ...) NOT-FOR-US: Skype CVE-2005-2299 (Multiple cross-site scripting (XSS) vulnerabilities in Simple Message ...) NOT-FOR-US: Simple Message Board CVE-2005-2298 (BitDefender Engine 1.6.1 and earlier does not properly scan all attach ...) NOT-FOR-US: BitDefender can be used by AMaViS but is not shipped in Debian CVE-2005-2297 (Stack-based buffer overflow in TreeAction.do in Sybase EAServer 4.2.5 ...) NOT-FOR-US: Sybase EAServer CVE-2005-2296 (YabbSE 1.5.5c allows remote attackers to obtain sensitive information ...) NOT-FOR-US: YabbSE CVE-2005-2295 (NetPanzer 0.8 and earlier allows remote attackers to cause a denial of ...) - netpanzer 0.8+svn20060319-1 (bug #318329; low) [sarge] - netpanzer (Minor DoS against a game) CVE-2005-2294 (Oracle Forms 4.5, 6.0, 6i, and 9i on Unix, when a large number of reco ...) NOT-FOR-US: Oracle CVE-2005-2293 (Oracle Formsbuilder 9.0.4 stores database usernames and passwords in a ...) NOT-FOR-US: Oracle CVE-2005-2292 (Oracle JDeveloper 9.0.4, 9.0.5, and 10.1.2 stores cleartext passwords ...) NOT-FOR-US: Oracle CVE-2005-2291 (Oracle JDeveloper 9.0.4, 9.0.5, and 10.1.2 passes the cleartext passwo ...) NOT-FOR-US: Oracle CVE-2005-2290 (wps_shop.cgi in WPS Web Portal System 0.7.0 allows remote attackers to ...) NOT-FOR-US: WPS CVE-2005-2289 (PHPCounter 7.2 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: PHPCounter CVE-2005-2288 (Cross-site scripting (XSS) vulnerability in PHPCounter 7.2 allows remo ...) NOT-FOR-US: PHPCounter CVE-2005-2287 (SoftiaCom wMailServer 1.0 and 2.0 allows remote attackers to cause a d ...) NOT-FOR-US: SoftiaCom wMailServer CVE-2005-2286 (WebEOC before 6.0.2 does not properly check user authorization, which ...) NOT-FOR-US: WebEOC CVE-2005-2285 (WebEOC before 6.0.2 stores sensitive information in locations such as ...) NOT-FOR-US: WebEOC CVE-2005-2284 (Multiple SQL injection vulnerabilities in WebEOC before 6.0.2 allow re ...) NOT-FOR-US: WebEOC CVE-2005-2283 (WebEOC before 6.0.2 does not properly restrict the size of an uploaded ...) NOT-FOR-US: WebEOC CVE-2005-2282 (Multiple cross-site scripting (XSS) vulnerabilities in WebEOC before 6 ...) NOT-FOR-US: WebEOC CVE-2005-2281 (WebEOC before 6.0.2 uses a weak encryption scheme for passwords, which ...) NOT-FOR-US: WebEOC CVE-2005-2280 (Cisco Security Agent (CSA) 4.5 allows remote attackers to cause a deni ...) NOT-FOR-US: Cisco CVE-2005-2279 (Cisco ONS 15216 Optical Add/Drop Multiplexer (OADM) running firmware 2 ...) NOT-FOR-US: Cisco CVE-2005-2278 (Stack-based buffer overflow in the IMAP daemon (imapd) in MailEnable P ...) NOT-FOR-US: MailEnable CVE-2005-2277 (Bluetooth FTP client (BTFTP) in Nokia Affix 2.1.2 and 3.2.0 allows rem ...) {DSA-762-1} - affix 2.1.2-2 (bug #318328; medium) CVE-2005-2276 (Cross-site scripting (XSS) vulnerability in Novell Groupwise WebAccess ...) NOT-FOR-US: Novell Groupwise WebAccess CVE-2004-2284 (The read_list_from_file function in vacation.pl for OpenWebmail before ...) NOT-FOR-US: OpenWebmail CVE-2004-2283 (Unknown vulnerability in DansGuardian before 2.6.1-13 allows remote at ...) - dansguardian 2.6.1-13 (medium) CVE-2004-2282 (DansGuardian before 2.7.7-2 allows remote attackers to bypass URL filt ...) - dansguardian 2.7.7-2 CVE-2004-2281 (Multiple unknown vulnerabilities in IBM Lotus Notes 6.5.x before 6.5.4 ...) NOT-FOR-US: IBM Lotus Notes CVE-2004-2280 (Buffer overflow in IBM Lotus Notes 6.5.x before 6.5.3 and 6.0.x before ...) NOT-FOR-US: IBM Lotus Notes CVE-2004-2279 (Cross-site scripting (XSS) vulnerability in Invision Power Board 1.3 F ...) NOT-FOR-US: Invision Power Board CVE-2004-2278 (Unknown cross-site scripting (XSS) vulnerability in the web GUI in vHo ...) NOT-FOR-US: vHost CVE-2004-2277 (Buffer overflow in aGSM Half-Life client allows remote Half-Life serve ...) NOT-FOR-US: aGSM Half-Life CVE-2004-2276 (F-Secure Anti-Virus 5.41 and 5.42 on Windows, Client Security 5.50 and ...) NOT-FOR-US: F-Secure Anti-Virus CVE-2004-2275 (i-mall.cgi in I-Mall Commerce allows remote attackers to execute arbit ...) NOT-FOR-US: I-Mall Commerce CVE-2004-2274 (Unknown vulnerability in Jigsaw before 2.2.4 has unknown impact and at ...) NOT-FOR-US: w3m Jigsaw CVE-2004-2273 (efFingerD 0.2.12 allows remote attackers to cause a denial of service ...) NOT-FOR-US: efFingerD CVE-2004-2272 (Buffer overflow in the sockFinger_DataArrival function in efFingerD 0. ...) NOT-FOR-US: efFingerD CVE-2004-2271 (Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers ...) NOT-FOR-US: MiniShare CVE-2004-2270 (Unknown vulnerability in IBM Parallel Environment (PE) 3.2 and 4.1 all ...) NOT-FOR-US: IBM Parallel Environment CVE-2004-2269 (Stack-based buffer overflow in pads.c in Passive Asset Detection Syste ...) - pads 1.1.1 (high) CVE-2004-2268 (PimenGest2 before 1.1.1 allows remote attackers to obtain the database ...) NOT-FOR-US: PimenGest2 CVE-2004-2267 (Cross-site scripting (XSS) vulnerability in Ansel 2.1 and earlier allo ...) NOT-FOR-US: Ansel CVE-2004-2266 (SQL injection vulnerability in Ansel 2.1 and earlier allows remote att ...) NOT-FOR-US: Ansel CVE-2004-2265 (UUDeview 0.5.20 and earlier handles temporary files insecurely during ...) - uudeview 0.5.20-2.1 (bug #320541; low) [sarge] - uudeview (Hardly exploitable) NOTE: dnprogs apparetly not vulnerable, unsafe code is not called (#358500) CVE-2004-2264 (** DISPUTED ** Format string bug in the open_altfile function in filen ...) - less (less is not suid, explotability unlikely) CVE-2004-2263 (SQL injection vulnerability in the valid function in fr_left.php in Pl ...) NOT-FOR-US: PlaySMS CVE-2004-2262 (ImageManager in e107 before 0.617 does not properly check the types of ...) NOT-FOR-US: e107 CVE-2004-2261 (Cross-site scripting (XSS) vulnerability in e107 allows remote attacke ...) NOT-FOR-US: e107 CVE-2004-2260 (Opera Browser 7.23, and other versions before 7.50, updates the addres ...) NOT-FOR-US: Opera CVE-2004-2259 (vsftpd before 1.2.2, when under heavy load, allows attackers to cause ...) - vsftpd 2.0.1-1 (low) CVE-2004-2258 (Xconfig in Hummingbird Exceed before 9.0.0.1, when the Screen Definiti ...) NOT-FOR-US: Hummingbird Exceed CVE-2004-2257 (phpMyFAQ 1.4.0 allows remote attackers to access the Image Manager to ...) NOT-FOR-US: phpMyFAQ CVE-2004-2256 (Directory traversal vulnerability in phpMyFAQ 1.4.0 alpha allows remot ...) NOT-FOR-US: phpMyFAQ CVE-2004-2255 (Directory traversal vulnerability in phpMyFAQ 1.3.12 allows remote att ...) NOT-FOR-US: phpMyFAQ CVE-2004-2254 (SurgeLDAP 1.0g (Build 12), and possibly other versions before 1.0h, al ...) NOT-FOR-US: SurgeLDAP CVE-2004-2253 (Directory traversal vulnerability in user.cgi in SurgeLDAP 1.0g and ea ...) NOT-FOR-US: SurgeLDAP CVE-2004-2252 (The firewall in Astaro Security Linux before 4.024 sends responses to ...) NOT-FOR-US: Astaro suite CVE-2004-2251 (The PPTP server in Astaro Security Linux before 4.024 provides informa ...) NOT-FOR-US: Astaro suite CVE-2004-2250 (Unknown vulnerability in the "access code" in RemoteEditor before 0.1. ...) NOT-FOR-US: RemoteEditor CVE-2004-2249 (Unknown vulnerability in the "access code" in SecureEditor before 0.1. ...) NOT-FOR-US: SecureEditor CVE-2004-2248 (Unknown vulnerability in RemoteEditor before 0.1.1 has unknown impact ...) NOT-FOR-US: RemoteEditor CVE-2004-2247 (Unknown vulnerability in the "admin of paypal email addresses" in Audi ...) NOT-FOR-US: AudienceConnect CVE-2004-2246 (Cross-site scripting (XSS) vulnerability in Goollery before 0.04b allo ...) NOT-FOR-US: Goollery CVE-2004-2245 (Cross-site scripting (XSS) vulnerability in Goollery 0.03 allows remot ...) NOT-FOR-US: Goollery CVE-2004-2244 (The XML parser in Oracle 9i Application Server Release 2 9.0.3.0 and 9 ...) NOT-FOR-US: Oracle CVE-2004-2243 (Phorum allows remote attackers to hijack sessions of other users by st ...) NOT-FOR-US: Phorum CVE-2004-2242 (Cross-site scripting (XSS) vulnerability in search.php in Phorum, poss ...) NOT-FOR-US: Phorum CVE-2004-2241 (Cross-site scripting (XSS) vulnerability in Phorum 5.0.11 and earlier ...) NOT-FOR-US: Phorum CVE-2004-2240 (Multiple SQL injection vulnerabilities in Phorum 5.0.11 and earlier al ...) NOT-FOR-US: Phorum CVE-2004-2239 (Buffer overflow in vsybase.c in vpopmail 5.4.2 and earlier might allow ...) - vpopmail (bug #320608; low) CVE-2005-XXXX [SQL injecton vulnerabilities in vpopmail prior to 5.4.6] NOTE: see http://archives.neohapsis.com/archives/bugtraq/2004-08/0286.html NOTE: maintainer says does not apply to debian, see #320608 CVE-2004-2238 (** DISPUTED ** Format string vulnerability in vsybase.c in vpopmail 5. ...) NOTE: format string vuln in vpopmail doesn't seem to be real CVE-2004-2237 (Unknown vulnerability in Moodle before 1.3.4 has unknown impact and at ...) - moodle 1.4-1 CVE-2004-2236 (Unknown vulnerability in Moodle before 1.3.3 has unknown impact and at ...) - moodle 1.3.3-1 CVE-2004-2235 (Unknown vulnerability in Moodle before 1.2 has unknown impact and atta ...) - moodle 1.2.1-1 CVE-2004-2234 (Unknown vulnerability in Moodle before 1.2 allows teachers to log in a ...) - moodle 1.2.1-1 CVE-2004-2233 (Unknown "front page vulnerability with Moodle servers" for Moodle befo ...) - moodle 1.3.2-1 CVE-2004-2232 (SQL injection vulnerability in sql.php in the Glossary module in Moodl ...) - moodle 1.4.2-1 CVE-2004-2231 (Zero G Software InstallAnywhere 5.0.6, 5.0.7, and earlier allows local ...) NOT-FOR-US: InstallAnywhere CVE-2004-2230 (Heap-based buffer overflow in isakmpd on OpenBSD 3.4 through 3.6 allow ...) NOT-FOR-US: OpenBSD CVE-2004-2229 (Multiple unknown vulnerabilities in Oracle 9i Lite Mobile Server 5.0.0 ...) NOT-FOR-US: Oracle CVE-2004-2228 (Mozilla Firefox before 1.0 is installed with world-writable permission ...) - mozilla-firefox (Only affects Firefox on MacOS) CVE-2004-2227 (Mozilla Firefox before 1.0 truncates long filenames in the file downlo ...) - mozilla-firefox 1.0-1 CVE-2004-2226 (Mozilla Mail 1.7.1 and 1.7.3, and Thunderbird before 0.9, when HTML-Ma ...) - mozilla-thunderbird 1.0-3 CVE-2004-2225 (Mozilla Firefox before 0.10.1 allows remote attackers to delete arbitr ...) - mozilla-firefox 0.99+1.0RC1-1 CVE-2004-2224 (Appfoundry Message Foundry 2.75 .0003 allows remote attackers to cause ...) NOT-FOR-US: Message Foundry CVE-2004-2223 (FsPHPGallery before 1.2 allows remote attackers to cause a denial of s ...) NOT-FOR-US: FsPHPGallery CVE-2004-2222 (Directory traversal vulnerability in index.php in FsPHPGallery before ...) NOT-FOR-US: FsPHPGallery CVE-2004-2221 (Buffer overflow in SoftCart.exe in Mercantec SoftCart 4.00b allows rem ...) NOT-FOR-US: SoftCart CVE-2004-2220 (F-Secure Anti-Virus for Microsoft Exchange 6.30 and 6.31 does not prop ...) NOT-FOR-US: F-Secure Anti-Virus CVE-2004-2219 (Microsoft Internet Explorer 6 allows remote attackers to spoof the add ...) NOT-FOR-US: Microsoft CVE-2004-2218 (SQL injection vulnerability in pmwh.php in PHPMyWebHosting 0.3.4 and e ...) NOT-FOR-US: PHPMyWebHosting CVE-2004-2217 (Multiple unknown vulnerabilities in yhttpd in yChat before 0.7 allow r ...) NOT-FOR-US: yChat CVE-2004-2216 (Unknown vulnerability in Sun Java System Web Server 6.0 SP7 and earlie ...) NOT-FOR-US: Sun Java CVE-2004-2215 (RXVT-Unicode 3.4 and 3.5 does not properly close file descriptors, whi ...) - rxvt-unicode 3.8-1 CVE-2004-2214 (Mbedthis AppWeb HTTP server before 1.1.3 allows remote attackers to by ...) NOT-FOR-US: AppWeb HTTP server CVE-2004-2213 (Mbedthis AppWeb HTTP server before 1.1.3 allows remote attackers to ob ...) NOT-FOR-US: AppWeb HTTP server CVE-2005-XXXX [Integer overflow in ffmpeg's MPEG encoding] - ffmpeg 0.cvs20050811-1 (bug #320150; medium) - xmovie CVE-2005-XXXX [xgalaga score file segfault] - xgalaga 2.0.34-31 (bug #319686; low) [sarge] - xgalaga (Minor issue) CVE-2005-XXXX [xemeraldia games file overwrite] - xemeraldia 0.4-1 (bug #319661; low) [sarge] - xemeraldia (Very minor issue) CVE-2005-2335 (Buffer overflow in the POP3 client in Fetchmail before 6.2.5.2 allows ...) {DSA-774-1} NOTE: previous fix in -15 was broken - fetchmail 6.2.5-16 (bug #320357; bug #212762; medium) CVE-2005-2320 (WebCalendar before 1.0.0 does not properly restrict access to assistan ...) {DSA-766-1} - webcalendar 0.9.45-7 (bug #315671; medium) CVE-2005-2437 (Website Baker Project does not properly verify the file extensions of ...) NOT-FOR-US: Website Baker CVE-2005-2275 RESERVED CVE-2005-2274 (Microsoft Internet Explorer 6.0 does not clearly associate a Javascrip ...) NOT-FOR-US: MSIE CVE-2005-2273 (Opera 7.x and 8 before 8.01 does not clearly associate a Javascript di ...) NOT-FOR-US: Opera CVE-2005-2272 (Safari version 2.0 (412) does not clearly associate a Javascript dialo ...) NOT-FOR-US: Sfari CVE-2005-2271 (iCab 2.9.8 does not clearly associate a Javascript dialog box with the ...) NOT-FOR-US: iCab CVE-2005-2270 (Firefox before 1.0.5 and Mozilla before 1.7.9 does not properly clone ...) {DSA-810-1 DSA-779-2 DSA-781-1 DSA-779-1 DTSA-8-2 DTSA-14-1} - mozilla-firefox 1.0.5-1 (high) - mozilla 2:1.7.9-1 (bug #318062; bug #325851; high) - mozilla-thunderbird 1.0.6-1 (high) CVE-2005-2269 (Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 does no ...) {DSA-810-1 DSA-779-2 DSA-781-1 DSA-779-1 DTSA-8-2 DTSA-14-1} - mozilla-firefox 1.0.5-1 (high) - mozilla 2:1.7.9-1 (medium; bug #318062) - mozilla-thunderbird 1.0.6-1 (medium; bug #318728) CVE-2005-2268 (Firefox before 1.0.5 and Mozilla before 1.7.9 does not clearly associa ...) {DSA-810-1 DSA-779-2 DSA-779-1 DTSA-8-2 DTSA-14-1} - mozilla-firefox 1.0.5-1 (medium) - mozilla 2:1.7.9-1 (medium; bug #318062) CVE-2005-2267 (Firefox before 1.0.5 allows remote attackers to steal information and ...) {DSA-779-2 DSA-779-1 DTSA-8-2} - mozilla-firefox 1.0.4-2sarge3 (medium) CVE-2005-2266 (Firefox before 1.0.5 and Mozilla before 1.7.9 allows a child frame to ...) {DSA-810-1 DSA-779-2 DSA-781-1 DSA-779-1 DTSA-8-2 DTSA-14-1} - mozilla-firefox 1.0.5-1 (medium) - mozilla 2:1.7.9-1 (medium; bug #318062) - mozilla-thunderbird 1.0.6-1 (low; bug #318728) CVE-2005-2265 (Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 ...) {DSA-810-1 DSA-779-2 DSA-781-1 DSA-779-1 DTSA-8-2 DTSA-14-1} - mozilla-firefox 1.0.5-1 (high) - mozilla 2:1.7.9-1 (medium; bug #318062) - mozilla-thunderbird 1.0.6-1 (medium; bug #318728) CVE-2005-2264 (Firefox before 1.0.5 allows remote attackers to steal sensitive inform ...) {DSA-779-2 DSA-779-1 DTSA-8-2} - mozilla-firefox 1.0.4-2sarge3 (medium) CVE-2005-2263 (The InstallTrigger.install method in Firefox before 1.0.5 and Mozilla ...) {DSA-810-1 DSA-779-2 DSA-779-1 DTSA-8-2 DTSA-14-1} - mozilla-firefox 1.0.5-1 (medium) - mozilla 2:1.7.9-1 (medium; bug #318062) CVE-2005-2262 (Firefox 1.0.3 and 1.0.4, and Netscape 8.0.2, allows remote attackers t ...) {DSA-779-2 DSA-779-1 DTSA-8-2} - mozilla-firefox 1.0.4-2sarge3 (medium) CVE-2005-2261 (Firefox before 1.0.5, Thunderbird before 1.0.5, Mozilla before 1.7.9, ...) {DSA-810-1 DSA-779-2 DSA-781-1 DSA-779-1 DTSA-8-2 DTSA-14-1} - mozilla-firefox 1.0.5-1 (medium) - mozilla 2:1.7.9-1 (medium; bug #318062) - mozilla-thunderbird 1.0.6-1 (medium; bug #318728) CVE-2005-2260 (The browser user interface in Firefox before 1.0.5, Mozilla before 1.7 ...) {DSA-810-1 DSA-779-2 DSA-779-1 DTSA-8-2 DTSA-14-1} - mozilla-firefox 1.0.5-1 (medium) - mozilla 2:1.7.9-1 (medium; bug #318062) CVE-2002-2086 (Multiple cross-site scripting (XSS) vulnerabilities in magicHTML of Sq ...) NOT-FOR-US: magicHTML CVE-2002-2085 (Directory traversal vulnerability in page.cgi of WWWeBBB Forum 3.82 be ...) NOT-FOR-US: WWWeBBB forum CVE-2002-2084 (Directory traversal vulnerability in index.php of Portix 0.4.02 allows ...) NOT-FOR-US: Portix CVE-2002-2083 (The Novell Netware client running on Windows 95 allows local users to ...) NOT-FOR-US: Novell Netware CVE-2002-2082 (FTGate and FTGate Pro 1.05 lock user mailboxes before authentication s ...) NOT-FOR-US: FTGate CVE-2002-2081 (cphost.dll in Microsoft Site Server 3.0 allows remote attackers to cau ...) NOT-FOR-US: Microsoft CVE-2002-2080 (Floositek FTGate PRO 1.05 allows remote attackers to cause a denial of ...) NOT-FOR-US: FTGate CVE-2002-2079 (mosix-protocol-stack in Multicomputer Operating System for UnIX (MOSIX ...) - kernel-patch-openmosix (bug #319621; low) CVE-2002-2078 (Heap-based buffer overflow in Floositek (1) FTGate Pro 1.05 and (2) FT ...) NOT-FOR-US: FTGate CVE-2002-2077 (The DCOM client in Windows 2000 before SP3 does not properly clear mem ...) NOT-FOR-US: Microsoft CVE-2002-2076 (Directory traversal vulnerability in Lil' HTTP server 2.1 and 2.2 allo ...) NOT-FOR-US: Lil' HTTP server CVE-2002-2075 (ICQ 2001a and 2002b allows remote attackers to cause a denial of servi ...) NOT-FOR-US: ICQ CVE-2002-2074 (SQL injection vulnerability in Mailidx before 20020105 allows remote a ...) NOT-FOR-US: Mailidx CVE-2002-2073 (Cross-site scripting (XSS) vulnerability in the default ASP pages on M ...) NOT-FOR-US: Microsoft CVE-2002-2072 (java.security.AccessController in Sun Java Virtual Machine (JVM) in JR ...) NOT-FOR-US: Sun Java CVE-2002-2071 (Compaq Tru64 4.0 d allows remote attackers to cause a denial of servic ...) NOT-FOR-US: Tru64 CVE-2002-2070 (SecureClean 3 build 2.0 does not clear Windows alternate data streams ...) NOT-FOR-US: SecureClean CVE-2002-2069 (PGP 6.x and 7.x does not clear Windows alternate data streams that are ...) NOT-FOR-US: Proprietary PGP CVE-2002-2068 (Eraser 5.3 does not clear Windows alternate data streams that are atta ...) NOT-FOR-US: Eraser CVE-2002-2067 (East-Tec Eraser 2002 does not clear Windows alternate data streams tha ...) NOT-FOR-US: Eraser CVE-2002-2066 (BestCrypt BCWipe 1.0.7 and 2.0 through 2.35.1 does not clear Windows a ...) NOT-FOR-US: BCWipe CVE-2002-2065 (WebCalendar 0.9.34 and earlier with 'browsing in includes directory' e ...) NOT-FOR-US: WebCalender CVE-2002-2064 (isadmin.php in PhpWebGallery 1.0 allows remote attackers to gain admin ...) NOT-FOR-US: PhpWebGallery CVE-2002-2063 (AtGuard 3.2 allows remote attackers to bypass firwall filters and exec ...) NOT-FOR-US: AtGuard CVE-2002-2062 (Cross-site scripting (XSS) vulnerability in ftp.htt in Internet Explor ...) NOT-FOR-US: Microsoft CVE-2002-2061 (Heap-based buffer overflow in Netscape 6.2.3 and Mozilla 1.0 and earli ...) NOTE: fixed in upstream 1.0.1 NOTE: see http://web.archive.org/web/20090628044831/http://www.mozilla.org/releases/mozilla1.0.1/security-fixes-1.0.1.html - mozilla 2:1.1-1 (low) CVE-2002-2060 (Buffer overflow in Links 2.0 pre4 allows remote attackers to crash cli ...) - links2 (Fixed before upload into archiv; 2.0pre5) CVE-2002-2059 (BIOS D845BG, D845HV, D845PT and D845WN on Intel motherboards does not ...) NOT-FOR-US: Intel motherboards CVE-2002-2058 (TeeKai Tracking Online 1.0 uses weak encryption of web usage statistic ...) NOT-FOR-US: TeeKai CVE-2002-2057 (TeeKai Forum 1.2 uses weak encryption of web usage statistics in data/ ...) NOT-FOR-US: TeeKai CVE-2002-2056 (Cross-site scripting (XSS) vulnerability in TeeKai Forum 1.2 allows re ...) NOT-FOR-US: TeeKai CVE-2002-2055 (Cross-site scripting (XSS) vulnerability in userlog.php in TeeKai Trac ...) NOT-FOR-US: TeeKai CVE-2002-2054 (TeeKai Forum 1.2 allows remote attackers to authenticate as the admini ...) NOT-FOR-US: TeeKai CVE-2002-2053 (The design of the Hot Standby Routing Protocol (HSRP), as implemented ...) NOT-FOR-US: Cisco CVE-2002-2052 (Cisco 2611 router running IOS 12.1(6.5), possibly an interim release, ...) NOT-FOR-US: Cisco CVE-2002-2051 (The processor_web plugin for ModLogAn 0.5.0 through 0.7.11, when used ...) - modlogan 0.7.12-1 (low) CVE-2002-2050 (Directory traversal vulnerability in processor_web plugin for ModLogAn ...) - modlogan 0.7.12-1 (low) CVE-2002-2049 (configure for Dsniff 2.3, fragroute 1.2, and fragrouter 1.6, when down ...) NOTE: one day upstream webserver compromise CVE-2002-2048 (Buffer overflow in PFinger 0.7.8 client allows remote attackers to exe ...) NOT-FOR-US: PFinger CVE-2002-2047 (The file preview functionality in Sketch 0.6.12 and earlier allows rem ...) - sketch 0.6.13-1 (low) CVE-2002-2046 (x_news.php in X-News (x_news) 1.1 and earlier allows remote attackers ...) NOT-FOR-US: X-News CVE-2002-2045 (x_stat_admin.php in x-stat 2.3 and earlier allows remote attackers to ...) NOT-FOR-US: x-stat CVE-2002-2044 (Cross-site scripting (XSS) vulnerability in x_stat_admin.php in x-stat ...) NOT-FOR-US: x-stat CVE-2002-2043 (SQL injection vulnerability in the LDAP and MySQL authentication patch ...) NOTE: old patch CVE-2002-2042 (ptrace in the QNX realtime operating system (RTOS) 4.25 and 6.1.0 allo ...) NOT-FOR-US: QNX CVE-2002-2041 (Multiple buffer overflows in realtime operating system (RTOS) 6.1.0 al ...) NOT-FOR-US: QNX CVE-2002-2040 (The (1) phrafx and (2) phgrafx-startup programs in QNX realtime operat ...) NOT-FOR-US: QNX CVE-2002-2039 (/bin/su in QNX realtime operating system (RTOS) 4.25 and 6.1.0 allows ...) NOT-FOR-US: QNX CVE-2002-2038 (Next Generation POSIX Threading (NGPT) 1.9.0 uses a filesystem-based s ...) NOT-FOR-US: NGPT NOTE: http://lists.debian.org/debian-user/2003/10/msg03627.html NOTE: NPTL does not have this problem. CVE-2002-2037 (The Cisco Media Gateway Controller (MGC) in (1) SC2200 7.4 and earlier ...) NOT-FOR-US: Cisco CVE-2002-2036 (Sun Ray Server Software (SRSS) 1.3, when Non-Smartcard Mobility (NSCM) ...) NOT-FOR-US: Sun CVE-2002-2035 (SQL injection vulnerability in RealityScape MyLogin 2000 1.0.0 and ear ...) NOT-FOR-US: RealityScape CVE-2002-2034 (The Email Sanitizer before 1.133 for Procmail allows remote attackers ...) NOT-FOR-US: Email Sanitizer CVE-2002-2033 (faqmanager.cgi in FAQManager 2.2.5 and earlier allows remote attackers ...) NOT-FOR-US: FAQManager CVE-2002-2032 (sql_layer.php in PHP-Nuke 5.4 and earlier does not restrict access to ...) NOT-FOR-US: PHPNuke CVE-2002-2031 (Internet Explorer 5.0, 5.0.1 and 5.5 with JavaScript execution enabled ...) NOT-FOR-US: Microsoft CVE-2002-2030 (Stack-based buffer overflow in SQLData Enterprise Server 3.0 allows re ...) NOT-FOR-US: Microsoft CVE-2002-2029 (PHP, when installed on Windows with Apache and ScriptAlias for /php/ s ...) NOT-FOR-US: PHP, Mircrosoft CVE-2002-2028 (The screensaver on Windows NT 4.0, 2000, XP, and 2002 does not verify ...) NOT-FOR-US: Microsoft CVE-2002-2027 (Database of Our Owlish Wisdom (DOOW) 0.1 through 0.2.1 does not proper ...) NOT-FOR-US: DOOW CVE-2002-2026 (Buffer overflow in BrowseFTP 1.62 client allows remote FTP servers to ...) NOT-FOR-US: BrowseFTP CVE-2002-2025 (Lotus Domino server 5.0.9a and earlier allows remote attackers to caus ...) NOT-FOR-US: Lotus Domino CVE-2002-2024 (Horde IMP 2.2.7 allows remote attackers to obtain the full web root pa ...) - imp 3:2.2.6-5 (high) CVE-2002-2023 (The get_parameter_from_freqency_source function in beep2 1.0, 1.1 and ...) NOT-FOR-US: We use the OTHER beep program :P CVE-2002-2022 (Format string vulnerability in Kaffe OpenVM 1.0.6 and earlier allows l ...) NOTE: only affects old-stable CVE-2002-2021 (Cross-site scripting (XSS) vulnerability in WoltLab Burning Board (wbb ...) NOT-FOR-US: wbboard CVE-2002-2020 (Netgear RP114 Cable/DSL Web Safe Router Firmware 3.26 uses a default a ...) NOT-FOR-US: Netgear hardware CVE-2002-2019 (PHP remote file inclusion vulnerability in include_once.php in osComme ...) NOT-FOR-US: osCommerce CVE-2002-2018 (sastcpd in SAS/Base 8.0 might allow local users to gain privileges by ...) NOT-FOR-US: SAS/Base CVE-2002-2017 (sastcpd in SAS/Base 8.0 allows local users to execute arbitrary code b ...) NOT-FOR-US: SAS/Base CVE-2002-2016 (User-mode Linux (UML) 2.4.17-8 does not restrict access to kernel addr ...) - user-mode-linux 2.4.17-9 (high) CVE-2002-2015 (PHP file inclusion vulnerability in user.php in PostNuke 0.703 allows ...) NOT-FOR-US: PostNuke CVE-2002-2014 (Lotus Domino 5.0.8 web server returns different error messages when a ...) NOT-FOR-US: Lotus Domino CVE-2002-2013 (Mozilla 0.9.6 and earlier and Netscape 6.2 and earlier allows remote a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2012 (Unknown vulnerability in Apache 1.3.19 running on HP Secure OS for Lin ...) NOT-FOR-US: Apache CVE-2002-2011 (Cross-site scripting (XSS) vulnerability in the fom CGI program (fom.c ...) NOT-FOR-US: faqomatic CVE-2002-2010 (Cross-site scripting (XSS) vulnerability in htsearch.cgi in htdig (ht: ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-2009 (Apache Tomcat 4.0.1 allows remote attackers to obtain the web root pat ...) NOT-FOR-US: Tomcat CVE-2002-2008 (Apache Tomcat 4.0.3 for Windows allows remote attackers to obtain the ...) NOT-FOR-US: Tomcat CVE-2002-2007 (The default installations of Apache Tomcat 3.2.3 and 3.2.4 allows remo ...) NOT-FOR-US: Tomcat CVE-2002-2006 (The default installation of Apache Tomcat 4.0 through 4.1 and 3.0 thro ...) NOT-FOR-US: Tomcat CVE-2002-2005 (Unknown vulnerability in Java web start 1.0.1_01, 1.0.1, 1.0 and 1.0.1 ...) NOT-FOR-US: Sun CVE-2002-2004 (portmapper in Compaq Tru64 4.0G and 5.0A allows remote attackers to ca ...) NOT-FOR-US: Compaq CVE-2002-2003 (ypbind in Compaq Tru64 4.0F, 4.0G, 5.0A, 5.1 and 5.1A allows remote at ...) NOT-FOR-US: Compaq CVE-2002-2002 (Buffer overflow in libc in Compaq Tru64 4.0F, 5.0, 5.1 and 5.1A allows ...) NOT-FOR-US: Compaq CVE-2002-2001 (jmcce 1.3.8 in Mandrake 8.1 creates log files in /tmp with predictable ...) NOT-FOR-US: jmcce CVE-2002-2000 (ACMS 4.3 and 4.4 in OpenVMS Alpha 7.2 and 7.3 does not properly use pr ...) NOT-FOR-US: OpenVMS CVE-2002-1999 (HP Praesidium Webproxy 1.0 running on HP-UX 11.04 VVOS could allow rem ...) NOT-FOR-US: VVOS CVE-2002-1998 (Buffer overflow in rpc.cmsd in SCO UnixWare 7.1.1 and Open UNIX 8.0.0 ...) NOT-FOR-US: UnixWare CVE-2002-1997 (ZoneAlarm Pro 3.0 MailSafe allows remote attackers to bypass filtering ...) NOT-FOR-US: ZoneAlarm CVE-2002-1996 (Cross-site scripting (XSS) vulnerability in PostNuke 0.71 and earlier ...) NOT-FOR-US: Postnuke CVE-2002-1995 (Cross-site scripting (XSS) vulnerability in phptonuke.php for PHP-Nuke ...) NOT-FOR-US: Postnuke CVE-2002-1994 (advserver.exe in Advanced Web Server (AdvServer) Professional 1.030000 ...) NOT-FOR-US: Windows CVE-2002-1993 (webbbs_post.pl in WebBBS 4 and 5.0 allows remote attackers to execute ...) NOT-FOR-US: WebBBS CVE-2002-1992 (Buffer overflow in jrun.dll in ColdFusion MX, when used with IIS 4 or ...) NOT-FOR-US: Windows CVE-2002-1991 (PHP file inclusion vulnerability in osCommerce 2.1 execute arbitrary c ...) NOT-FOR-US: osCommerce CVE-2002-1990 (Resin 2.0.5 through 2.1.2 allows remote attackers to reveal physical p ...) NOT-FOR-US: Resin CVE-2002-1989 (Resin 2.1.1 allows remote attackers to cause a denial of service (thre ...) NOT-FOR-US: Resin CVE-2002-1988 (Resin 2.1.1 allows remote attackers to cause a denial of service (memo ...) NOT-FOR-US: Resin CVE-2002-1987 (Directory traversal vulnerability in view_source.jsp in Resin 2.1.2 al ...) NOT-FOR-US: Resin CVE-2001-1572 (The MAC module in Netfilter in Linux kernel 2.4.1 through 2.4.11, when ...) NOTE: presumably fixed in linux 2.4.12 CVE-2001-1571 (The Remote Desktop client in Windows XP sends the most recent user acc ...) NOT-FOR-US: Microsoft CVE-2001-1570 (Windows XP with fast user switching and account lockout enabled allows ...) NOT-FOR-US: Microsoft CVE-2001-1569 (Openwave WAP gateway does not verify the fully qualified domain name U ...) NOT-FOR-US: Openwave WAP gateway CVE-2001-1568 (CMG WAP gateway does not verify the fully qualified domain name URL wi ...) NOT-FOR-US: CMG WAP gateway CVE-2001-1567 (Lotus Domino server 5.0.9a and earlier allows remote attackers to bypa ...) NOT-FOR-US: Lotus Domino CVE-2001-1566 (Format string vulnerability in libvanessa_logger 0.0.1 in Perdition 0. ...) - vanessa-logger 0.0.2 CVE-2001-1565 (Point to Point Protocol daemon (pppd) in MacOS x 10.0 and 10.1 through ...) NOT-FOR-US: MacOS CVE-2001-1564 (setrlimit in HP-UX 10.01, 10.10, 10.24, 10.20, 11.00, 11.04 and 11.11 ...) NOT-FOR-US: HP-UX CVE-2001-1563 (Unknown vulnerability in Tomcat 3.2.1 running on HP Secure OS for Linu ...) NOT-FOR-US: Tomcat 3.2.1 running on HP Secure OS CVE-2001-1562 (Format string vulnerability in nvi before 1.79 allows local users to g ...) - nvi 1.79-16a.1 NOTE: was DSA 085 CVE-2001-1561 (Buffer overflow in Xvt 2.1 in Debian Linux 2.2 allows local users to e ...) NOTE: DSA 082 - xvt 2.1-13 CVE-2001-1560 (Win32k.sys (aka Graphics Device Interface (GDI)) in Windows 2000 and X ...) NOT-FOR-US: Microsoft CVE-2001-1559 (The uipc system calls (uipc_syscalls.c) in OpenBSD 2.9 and 3.0 provide ...) NOT-FOR-US: OpenBSD CVE-2001-1558 (Unknown vulnerability in IP defragmenter (frag2) in Snort before 1.8.3 ...) - snort 1.8.3 CVE-2001-1557 (Buffer overflow in ftpd in IBM AIX 4.3 and 5.1 allows attackers to gai ...) NOT-FOR-US: AIX CVE-2001-1556 (The log files in Apache web server contain information directly suppli ...) NOTE: documented issue in apache, unlikely to be changed NOTE: see http://httpd.apache.org/docs/logs.html CVE-2001-1555 (pt_chmod in Solaris 8 does not call fdetach to reset terminal privileg ...) NOT-FOR-US: Solaris CVE-2001-1554 (IBM AIX 430 does not properly unlock IPPMTU_LOCK, which allows remote ...) NOT-FOR-US: AIX CVE-2001-1553 (Buffer overflow in setiathome for SETI@home 3.03, if installed setuid, ...) - setiathome (not suid in debian) CVE-2001-1552 (ssdpsrv.exe in Windows ME allows remote attackers to cause a denial of ...) NOT-FOR-US: Microsoft CVE-2001-1551 (Linux kernel 2.2.19 enables CAP_SYS_RESOURCE for setuid processes, whi ...) NOTE: no info in CVE db about fix CVE-2001-1550 (CentraOne 5.2 and Centra ASP with basic authentication enabled creates ...) NOT-FOR-US: Centra CVE-2001-1549 (Tiny Personal Firewall 1.0 and 2.0 allows local users to bypass filter ...) NOT-FOR-US: Tiny Personal Firewall CVE-2001-1548 (ZoneAlarm 2.1 through 2.6 and ZoneAlarm Pro 2.4 and 2.6 allows local u ...) NOT-FOR-US: Tiny Personal Firewall CVE-2001-1547 (Outlook Express 6.0, with "Do not allow attachments to be saved or ope ...) NOT-FOR-US: Outlook CVE-2001-1546 (Pathways Homecare 6.5 uses weak encryption for user names and password ...) NOT-FOR-US: Pathways Homecare CVE-2001-1545 (Macromedia JRun 3.0 and 3.1 appends the jsessionid to URL requests (a. ...) NOT-FOR-US: Macromedia JRun CVE-2001-1544 (Directory traversal vulnerability in Macromedia JRun Web Server (JWS) ...) NOT-FOR-US: Macromedia JRun CVE-2001-1543 (Axis network camera 2120, 2110, 2100, 200+ and 200 contains a default ...) NOT-FOR-US: Axis network camera CVE-2001-1542 (NAI WebShield SMTP 4.5 and possibly 4.5 MR1a does not filter improperl ...) NOT-FOR-US: NAI WebShield SMTP CVE-2001-1541 (Buffer overflow in Unix-to-Unix Copy Protocol (UUCP) in BSDI BSD/OS 3. ...) NOT-FOR-US: BSDI UUCP CVE-2001-1540 (IPRoute 0.973, 0.974 and 1.18 allows remote attackers to cause a denia ...) NOT-FOR-US: IPRoute router software NOTE: This is not for iproute/iproute2. NOTE: From Chris Gragsone's message on BUGTRAQ: NOTE: "IPRoute, by David F. Mischler, is PC-based router software NOTE: "for networks running the Internet Protocol (IP)." CVE-2001-1539 (Stack consumption vulnerability in Internet Explorer The JavaScript se ...) NOT-FOR-US: MSIE CVE-2001-1538 (SpeedXess HA-120 DSL router has a default administrative password of " ...) NOT-FOR-US: SpeedXess HA-120 DSL router CVE-2001-1537 (The default "basic" security setting' in config.php for TWIG webmail 2 ...) NOTE: current twig package seems to have secure cookies enabled NOTE: still uses "basic" security setting. CVE-2001-1536 (Autogalaxy stores usernames and passwords in cleartext in cookies, whi ...) NOT-FOR-US: Autogalaxy CVE-2001-1535 (Slashcode 2.0 creates new accounts with an 8-character random password ...) - slash 2.2.6-8 (bug #328927; low) [sarge] - slash (Lack of a security feature, minor security problem) CVE-2001-1534 (mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's u ...) - apache (bug #328919; unimportant) - apache2 (unimportant) NOTE: Cookies are only used for invading user privacy, NOTE: not for authentication, so apache and apache2 should be fine. CVE-2001-1533 (** DISPUTED * Microsoft Internet Security and Acceleration (ISA) Serve ...) NOT-FOR-US: Microsoft CVE-2001-1532 (WebX stores authentication information in the HTTP_REFERER variable, w ...) NOT-FOR-US: WebX CVE-2001-1531 (Buffer overflow in Claris Emailer 2.0v2 allows remote attackers to cau ...) NOT-FOR-US: Claris Emailer CVE-2001-1530 (run.cgi in Webmin 0.80 and 0.88 creates temporary files with world-wri ...) NOTE: verified current webmin is ok CVE-2001-1529 (Buffer overflow in rpc.yppasswdd (yppasswd server) in AIX allows attac ...) NOT-FOR-US: AIX CVE-2001-1528 (AmTote International homebet program returns different error messages ...) NOT-FOR-US: AmTote International homebet CVE-2001-1527 (easyNews 1.5 and earlier stores administration passwords in cleartext ...) NOT-FOR-US: easynews CVE-2001-1526 (Cross-site scripting (XSS) vulnerability in the comments action in ind ...) NOT-FOR-US: easynews CVE-2001-1525 (Directory traversal vulnerability in the comments action in easyNews 1 ...) NOT-FOR-US: easynews CVE-2001-1524 (Cross-site scripting (XSS) vulnerability in PHP-Nuke 5.3.1 and earlier ...) NOT-FOR-US: PHP-Nuke CVE-2001-1523 (Cross-site scripting (XSS) vulnerability in the DMOZGateway module for ...) NOT-FOR-US: PHP-Nuke CVE-2001-1522 (Cross-site scripting (XSS) vulnerability in im.php in IMessenger for P ...) NOT-FOR-US: PHP-Nuke CVE-2001-1521 (Cross-site scripting (XSS) vulnerability in user.php in PostNuke 0.64 ...) NOT-FOR-US: PHP-Nuke CVE-2001-1520 (Xircom REX 6000 allows local users to obtain the 10 digit PIN by start ...) NOT-FOR-US: Xircom REX CVE-2001-1519 (** DISPUTED ** RunAs (runas.exe) in Windows 2000 allows local users to ...) NOT-FOR-US: RunAs CVE-2001-1518 (RunAs (runas.exe) in Windows 2000 only creates one session instance at ...) NOT-FOR-US: RunAs CVE-2001-1517 (** DISPUTED ** RunAs (runas.exe) in Windows 2000 stores cleartext auth ...) NOT-FOR-US: RunAs CVE-2001-1516 (Cross-site scripting (XSS) vulnerability in phpReview 0.9.0 rc2 and ea ...) NOT-FOR-US: phpReview CVE-2001-1515 (Macintosh clients, when using NT file system volumes on Windows 2000 S ...) NOT-FOR-US: Macintosh clients, when using NT file system volumes on Windows CVE-2001-1514 (ColdFusion 4.5 and 5, when running on Windows with the advanced securi ...) NOT-FOR-US: ColdFusion CVE-2001-1513 (Macromedia JRun 3.0 and 3.1 allows remote attackers to obtain duplicat ...) NOT-FOR-US: JRun CVE-2001-1512 (Unknown vulnerability in Allaire JRun 3.1 allows remote attackers to d ...) NOT-FOR-US: JRun CVE-2001-1511 (JRun 3.0 and 3.1 running on JRun Web Server (JWS) and IIS allows remot ...) NOT-FOR-US: JRun CVE-2001-1510 (Allaire JRun 2.3.3, 3.0 and 3.1 running on IIS 4.0 and 5.0, iPlanet, A ...) NOT-FOR-US: JRun CVE-2001-1509 (geteuid in Itanium Architecture (IA) running on HP-UX 11.20 does not p ...) NOT-FOR-US: HP-UX CVE-2001-1508 (Buffer overflow in lpstat in SCO OpenServer 5.0 through 5.0.6a allows ...) - lprng (Not suid in Debian) - cups (Not suid in Debian) - cupsys (Not suid in Debian) CVE-2001-1507 (OpenSSH before 3.0.1 with Kerberos V enabled does not properly authent ...) - openssh 1:3.0.1 CVE-2000-1237 (The POP3 server in FTGate returns an -ERR code after receiving an inva ...) NOT-FOR-US: FTGate CVE-2000-1236 (SQL injection vulnerability in mod_sql in Oracle Internet Application ...) NOT-FOR-US: Oracle CVE-2000-1235 (The default configurations of (1) the port listener and (2) modplsql i ...) NOT-FOR-US: Oracle CVE-2000-1234 (violation.php3 in Phorum 3.0.7 allows remote attackers to send e-mails ...) NOT-FOR-US: Phorum CVE-2000-1233 (SQL injection vulnerability in read.php3 and other scripts in Phorum 3 ...) NOT-FOR-US: Phorum CVE-2000-1232 (upgrade.php3 in Phorum 3.0.7 could allow remote attackers to modify ce ...) NOT-FOR-US: Phorum CVE-2000-1231 (code.php3 in Phorum 3.0.7 allows remote attackers to read arbitrary fi ...) NOT-FOR-US: Phorum CVE-2000-1230 (Backdoor in auth.php3 in Phorum 3.0.7 allows remote attackers to acces ...) NOT-FOR-US: Phorum CVE-2000-1229 (Directory traversal vulnerability in Phorum 3.0.7 allows remote Phorum ...) NOT-FOR-US: Phorum CVE-2000-1228 (Phorum 3.0.7 allows remote attackers to change the administrator passw ...) NOT-FOR-US: Phorum CVE-2005-2259 (The dispallclosed2 function in dispallclosed.pl for multiple USANet Cr ...) NOT-FOR-US: USANet CVE-2005-2258 (PHP remote file inclusion vulnerability in photolist.inc.php in Squito ...) NOT-FOR-US: Squito Gallery CVE-2005-2257 (The saveProfile function in PhpSlash 0.8.0 allows remote attackers to ...) NOT-FOR-US: PhpSlash CVE-2005-2256 (Encoded directory traversal vulnerability in phpPgAdmin 3.1 to 3.5.3 a ...) {DSA-759-1} - phppgadmin 3.5.4-1 (bug #318284; medium) CVE-2005-2255 (Directory traversal vulnerability in PhpAuction 2.5 allows remote atta ...) NOT-FOR-US: PhpAuction CVE-2005-2254 (Multiple cross-site scripting (XSS) vulnerabilities in PhpAuction 2.5 ...) NOT-FOR-US: PhpAuction CVE-2005-2253 (SQL injection vulnerability in PhpAuction 2.5 allow remote attackers t ...) NOT-FOR-US: PhpAuction CVE-2005-2252 (PhpAuction 2.5 allows remote attackers to bypass authentication and ga ...) NOT-FOR-US: PhpAuction CVE-2005-2251 (PHP remote file inclusion vulnerability in secure.php in PHPSecurePage ...) NOT-FOR-US: PHPSecurePages (phpSP) CVE-2005-2250 (Buffer overflow in Bluetooth FTP client (BTFTP) in Nokia Affix 2.1.2 a ...) {DSA-762-1} - affix 2.1.2-2 (bug #318327; medium) CVE-2005-2249 (Multiple unknown vulnerabilities in Jinzora 2.0.1 have unknown impact ...) NOT-FOR-US: Jinzora CVE-2005-2248 (Directory traversal vulnerability in DownloadProtect before 1.0.3 allo ...) NOT-FOR-US: DownloadProtect CVE-2005-2247 (Multiple unknown vulnerabilities in Moodle before 1.5.1 have unknown i ...) NOTE: no details available - moodle 1.5.1-1 CVE-2005-2246 (Multiple PHP remote file inclusion vulnerabilities in iPhotoAlbum 1.1 ...) NOT-FOR-US: iPhotoAlbum CVE-2005-2245 (Unknown vulnerability in F5 BIG-IP 9.0.2 through 9.1 allows attackers ...) NOT-FOR-US: BIG-IP CVE-2005-2244 (The aupair service (aupair.exe) in Cisco CallManager (CCM) 3.2 and ear ...) NOT-FOR-US: Cisco CVE-2005-2243 (Memory leak in inetinfo.exe in Cisco CallManager (CCM) 3.2 and earlier ...) NOT-FOR-US: Cisco CVE-2005-2242 (Cisco CallManager (CCM) 3.2 and earlier, 3.3 before 3.3(5), 4.0 before ...) NOT-FOR-US: Cisco CVE-2005-2241 (Cisco CallManager (CCM) 3.2 and earlier, 3.3 before 3.3(5), 4.0 before ...) NOT-FOR-US: Cisco CVE-2005-2240 (xpvm.tcl in xpvm 1.2.5 allows local users to overwrite arbitrary files ...) {DSA-1003-1} - xpvm 1.2.5-8 (bug #318285; medium) CVE-2005-2239 (oftpd 0.3.7 allows remote attackers to cause a denial of service via a ...) - oftpd 20040304-1 (bug #318286; medium) NOTE: This was fixed in the patch set maintained by Werner Koch, it's included CVE-2005-2238 (ftpd in IBM AIX 5.1, 5.2 and 5.3 allows remote authenticated users to ...) NOT-FOR-US: AIX CVE-2005-2237 (Format string vulnerability in the swcons command in IBM AIX 5.3, and ...) NOT-FOR-US: AIX CVE-2005-2236 (Format string vulnerability in the paginit command in IBM AIX 5.3, and ...) NOT-FOR-US: AIX CVE-2005-2235 (Buffer overflow in the diagTasksWebSM command in IBM AIX 5.1, 5.2 and ...) NOT-FOR-US: AIX CVE-2005-2234 (Buffer overflow in the getlvname command in IBM AIX 5.1, 5.2 and 5.3, ...) NOT-FOR-US: AIX CVE-2005-2233 (Buffer overflow in multiple "p" commands in IBM AIX 5.1, 5.2 and 5.3 m ...) NOT-FOR-US: AIX CVE-2005-2232 (Buffer overflow in invscout in IBM AIX 5.1.0 through 5.3.0 might allow ...) NOT-FOR-US: AIX CVE-2005-2231 (High Availability Linux Project Heartbeat 1.2.3 allows local users to ...) {DSA-761-2} - heartbeat 1.2.3-12 (bug #318287; medium) CVE-2005-2230 (Electronic Mail Operator (elmo) 1.3.2-r1 and earlier creates the elmos ...) - elmo 1.3.0-1.1 (bug #318291; low) [sarge] - elmo (Minor issue) CVE-2005-2229 (Blog Torrent 0.92 and earlier stores sensitive files under the web doc ...) NOT-FOR-US: Blog Torrent CVE-2005-2228 (Web Wiz Forums 7.9 and 8.0 allows remote attackers to view message tit ...) NOT-FOR-US: Web Wiz Forums CVE-2005-2227 (Softiacom wMailserver 1.0 stores passwords in plaintext in the Darsite ...) NOT-FOR-US: Softiacom wMailserver CVE-2005-2226 (Microsoft Outlook Express 6.0 leaks the default news server account wh ...) NOT-FOR-US: Outlook CVE-2005-2225 (Microsoft MSN Messenger allows remote attackers to cause a denial of s ...) NOT-FOR-US: Microsoft CVE-2005-2224 (aspnet_wp.exe in Microsoft ASP.NET web services allows remote attacker ...) NOT-FOR-US: Microsoft CVE-2005-2223 (Unknown vulnerability in the SMTP service in MailEnable Standard befor ...) NOT-FOR-US: MailEnable CVE-2005-2222 (Unknown vulnerability in the HTTPMail service in MailEnable Profession ...) NOT-FOR-US: MailEnable CVE-2005-2221 NOT-FOR-US: Dragonfly CVE-2005-2220 NOT-FOR-US: Dragonfly CVE-2005-2219 (Hosting Controller 6.1 Hotfix 2.1 allows remote authenticated users to ...) NOT-FOR-US: Hosting Controller CVE-2005-2218 (The device file system (devfs) in FreeBSD 5.x does not properly check ...) - kfreebsd5-source 5.3-17 (medium) CVE-2005-2217 (Dansie Shopping Cart stores the vars.dat file under the web root with ...) NOT-FOR-US: Dansie Shopping Cart CVE-2005-2216 (PHP remote file inclusion vulnerability in gals.php in PhotoGal Photo ...) NOT-FOR-US: PhotoGal CVE-2005-2215 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.4.x bef ...) - mediawiki 1.4.9 CVE-2005-2214 (apt-setup in Debian GNU/Linux installs the apt.conf file with insecure ...) - apt-setup (bug #305142; unimportant) NOTE: That's by design. We want to provide non-root users access to the source code, NOTE: thus it needs to be world-readable. Also, the password can't be too sensitive NOTE: as it'll be sent non-encrypted over the wire. CVE-2005-2213 (Buffer overflow in the mms_interp_header function in mms.c in MMS Ripp ...) NOT-FOR-US: MMS Ripper CVE-2005-2212 (Backup Manager 0.5.8a creates an archive repository with world readabl ...) NOTE: duplicate of CVE-2005-1856 NOTE: Mitre contacted - micah April 20, 2006 NOTE: Mitre re-contacted - micah June 5, 2006 CVE-2005-2211 (Backup Manager 0.5.8a creates temporary files insecurely, which allows ...) NOTE: duplicate of CVE-2005-1855 NOTE: Mitre contacted - micah April 20, 2006 NOTE: Mitre re-contacted - micah June 5, 2006 CVE-2005-2210 (Stack-based buffer overflow in Internet Download Manager 4.05 allows r ...) NOT-FOR-US: Internet Download Manager CVE-2005-2209 (Capturix ScanShare 1.06 build 50 stores sensitive information such as ...) NOT-FOR-US: ScanShare CVE-2005-2208 (PrivaShare 1.1b allows remote attackers to cause a denial of service ( ...) NOT-FOR-US: PrivaShare CVE-2005-2207 (Cross-site scripting (XSS) vulnerability in store/login.asp in CartWIZ ...) NOT-FOR-US: CartWIZ CVE-2005-2206 (Multiple SQL injection vulnerabilities in CartWIZ allow remote attacke ...) NOT-FOR-US: CartWIZ CVE-2005-2205 (The ReadLog function in kaiseki.cgi in pngren allows remote attackers ...) NOT-FOR-US: kaiseki.cgi CVE-2005-2204 (Cross-site scripting (XSS) vulnerability in Computer Associates (CA) e ...) NOT-FOR-US: SiteMinder CVE-2005-2203 (login.php in phpWishlist before 0.1.15 allows remote attackers to bypa ...) NOT-FOR-US: phpWishlist CVE-2005-2202 (Cross-site scripting (XSS) vulnerability in the MicroServer Web Server ...) NOT-FOR-US: Xerox Hardware issue CVE-2005-2201 (Unknown vulnerability in the MicroServer Web Server for Xerox WorkCent ...) NOT-FOR-US: Xerox hardware CVE-2005-2200 (Multiple unknown vulnerabilities in the MicroServer Web Server for Xer ...) NOT-FOR-US: Xerox hardware CVE-2005-2199 (PHP remote file inclusion vulnerability in inc/functions.inc.php in PP ...) NOT-FOR-US: PPA web photo gallery CVE-2005-2198 (PHP remote file inclusion vulnerability in lang.php in SPiD before 1.3 ...) NOT-FOR-US: SPiD CVE-2005-2197 (SQL injection vulnerability in sql.cls.php in Id Board 1.1.3 allows re ...) NOT-FOR-US: Id Board CVE-2005-2196 (The Apple AirPort card uses a default WEP key when not connected to a ...) NOT-FOR-US: Apple Airport CVE-2005-2195 (Apple Darwin Streaming Server 5.5 and earlier allows remote attackers ...) NOT-FOR-US: Apple Darwin Streaming Server CVE-2005-2194 (Unspecified vulnerability in the Apple Mac OS X kernel before 10.4.2 a ...) NOT-FOR-US: Apple CVE-2005-2193 (SQL injection vulnerability in the user profile edit module in profile ...) NOT-FOR-US: PunBB CVE-2005-2192 (SimplePHPBlog 0.4.0 stores password hashes in config/password.txt with ...) NOT-FOR-US: SimplePHPBlog CVE-2005-2191 (Multiple cross-site scripting (XSS) vulnerabilities in Comersus shoppi ...) NOT-FOR-US: Comersus CVE-2005-2190 (Multiple SQL injection vulnerabilities in Comersus shopping cart allow ...) NOT-FOR-US: Comersus CVE-2005-2189 (Lantronix SecureLinx console server running firmware 2.0 and 3.0 store ...) NOT-FOR-US: Lantronix SecureLinx CVE-2005-2188 (McAfee IntruShield Security Management System obtains the user ID from ...) NOT-FOR-US: McAfee IntruShield CVE-2005-2187 (McAfee IntruShield Security Management System allows remote authentica ...) NOT-FOR-US: McAfee IntruShield CVE-2005-2186 (Multiple cross-site scripting (XSS) vulnerabilities in McAfee IntruShi ...) NOT-FOR-US: McAfee IntruShield CVE-2005-2185 (eRoom does not set an expiration for Cookies, which allows remote atta ...) NOT-FOR-US: eRoom CVE-2005-2184 (eRoom 6.x does not properly restrict files that can be attached, which ...) NOT-FOR-US: eRoom CVE-2005-2183 (class.xmail.php in PhpXmail 0.7 through 1.1 does not properly handle l ...) NOT-FOR-US: PhpXmail CVE-2005-2182 (Grandstream BudgeTone (BT) 100 Voice over IP (VoIP) phones do not prop ...) NOT-FOR-US: PhpXmail CVE-2005-2181 (Cisco 7940/7960 Voice over IP (VoIP) phones do not properly check the ...) NOT-FOR-US: SIP phone hardware issue CVE-2005-2180 (gen-index in GNATS 4.0, 4.1.0, and possibly earlier versions, when ins ...) - gnats 4.0 (bug #318481; high) CVE-2005-2179 (PHP remote file inclusion vulnerability in BlogModel.php in Jaws 0.5.2 ...) NOT-FOR-US: Jaws CVE-2005-2178 (probe.cgi allows remote attackers to execute arbitrary commands via sh ...) NOTE: How bizarre, they assign a CVE Id without knowing which product contains NOTE: the affected probe.cgi CVE-2005-2177 (Net-SNMP 5.0.x before 5.0.10.2, 5.2.x before 5.2.1.2, and 5.1.3, when ...) {DSA-873-1} - net-snmp 5.2.1.2-1 (bug #318420; low) - ucd-snmp 4.2.5-5.1 (bug #337394; low) [sarge] - ucd-snmp (Minor issue) CVE-2005-2176 (Novell NetMail automatically processes HTML in an attachment without p ...) NOT-FOR-US: Novell NetMail CVE-2005-2175 (The web interface for Lotus Notes mail automatically processes HTML in ...) NOT-FOR-US: Notes CVE-2005-2174 (Bugzilla 2.17.x, 2.18 before 2.18.2, 2.19.x, and 2.20 before 2.20rc1 i ...) [woody] - bugzilla (Only Bugzilla >= 2.17 is affected) [sarge] - bugzilla (Only Bugzilla >= 2.17 is affected) - bugzilla 2.18.3-1 (low) CVE-2005-2173 (The Flag::validate and Flag::modify functions in Bugzilla 2.17.1 to 2. ...) [woody] - bugzilla (Only Bugzilla >= 2.17 is affected) [sarge] - bugzilla (Only Bugzilla >= 2.17 is affected) - bugzilla 2.18.3-1 (low) CVE-2005-2172 RESERVED CVE-2005-2171 RESERVED CVE-2005-2170 (The LCF component (lcfd) in IBM Tivoli Management Framework Endpoint a ...) NOT-FOR-US: Tivoli CVE-2004-2212 (SQL injection vulnerability in forum.asp in AliveSites Forums 2.0 allo ...) NOT-FOR-US: AliveSites CVE-2004-2211 (Cross-site scripting (XSS) vulnerability in AliveSites Forums 2.0 allo ...) NOT-FOR-US: AliveSites CVE-2004-2210 (Multiple cross-site scripting (XSS) vulnerabilities in Express-Web Con ...) NOT-FOR-US: Express-Web CVE-2004-2209 (SQL injection vulnerability in Ideal Science IdealBB 1.4.9 through 1.5 ...) NOT-FOR-US: IdealBB CVE-2004-2208 (CRLF injection vulnerability in Ideal Science IdealBB 1.4.9 through 1. ...) NOT-FOR-US: IdealBB CVE-2004-2207 (Cross-site scripting (XSS) vulnerability in Ideal Science IdealBB 1.4. ...) NOT-FOR-US: IdealBB CVE-2004-2206 (SQL injection vulnerability in NatterChat 1.12 allows remote attackers ...) NOT-FOR-US: NatterChat CVE-2004-2205 (Unknown vulnerability in Veritas Cluster Server 1.0.1 through 4.0 allo ...) NOT-FOR-US: Veritas CVE-2004-2204 (Macromedia ColdFusion MX 6.0 and 6.1 application server, when running ...) NOT-FOR-US: Cold Fusion CVE-2004-2203 (Ansel 1.2 through 2.0 uses insecure default permissions, which allows ...) NOT-FOR-US: Ansel CVE-2004-2202 (Multiple SQL injection vulnerabilities in DUware DUclassified 4.0 thro ...) NOT-FOR-US: DUclassified CVE-2004-2201 (SQL injection vulnerability in DUware DUforum 3.0 through 3.1 allows r ...) NOT-FOR-US: DUforum CVE-2004-2200 (Cross-site scripting (XSS) vulnerability in DUware DUforum 3.0 through ...) NOT-FOR-US: DUforum CVE-2004-2199 (Cross-site scripting (XSS) vulnerability in DUware DUclassified 4.0 al ...) NOT-FOR-US: DUclassified CVE-2004-2198 (account.asp in DUware DUclassmate 1.0 through 1.1 allows remote attack ...) NOT-FOR-US: DUclassmate CVE-2004-2197 (kdocker.cpp in kdocker 0.1 through 0.8 does not properly check the own ...) NOT-FOR-US: kdocker CVE-2004-2196 (Zanfi CMS lite 1.1 allows remote attackers to obtain the full path of ...) NOT-FOR-US: Zanfi CVE-2004-2195 (PHP remote file inclusion vulnerability in index.php in Zanfi CMS lite ...) NOT-FOR-US: Zanfi CVE-2004-2194 (MailEnable Professional Edition before 1.53 and Enterprise Edition bef ...) NOT-FOR-US: MailEnable CVE-2004-2193 (Cross-site scripting (XSS) vulnerability in trade.php for CJOverkill 4 ...) NOT-FOR-US: CJOverkill CVE-2004-2192 (SQL injection vulnerability in tttadmin/settings.php in Turbo Traffic ...) NOT-FOR-US: Turbo Traffic Trader CVE-2004-2191 (Cross-site scripting (XSS) vulnerability in ttt-webmaster.php in Turbo ...) NOT-FOR-US: Turbo Traffic Trader CVE-2004-2190 (Directory traversal vulnerability in Unzoo 4.4-2 has unknown impact an ...) - unzoo 4.4-3 (bug #306164) CVE-2004-2189 (SQL injection vulnerability in DMXReady Site Chassis Manager allows re ...) NOT-FOR-US: DMXReady CVE-2004-2188 (Cross-site scripting (XSS) vulnerability in DMXReady Site Chassis Mana ...) NOT-FOR-US: DMXReady CVE-2004-2187 (Unknown vulnerability in ImagePage for MediaWiki 1.3.5, related to "fi ...) - mediawiki 1.4.9 (bug #276057) CVE-2004-2186 (SQL injection vulnerability in MediaWiki 1.3.5 allows remote attackers ...) - mediawiki 1.4.9 (bug #276057) CVE-2004-2185 (Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki 1.3.5 ...) - mediawiki 1.4.9 (bug #276057) CVE-2004-2184 (Directory traversal vulnerability in Digicraft Yak! server 2.0 through ...) NOT-FOR-US: Digicraft Yak! CVE-2004-2183 (Unknown vulnerability in WeHelpBUS 0.1 allows remote attackers to exec ...) NOT-FOR-US: WeHelpBUS CVE-2004-2182 (Session fixation vulnerability in Macromedia JRun 4.0 allows remote at ...) NOT-FOR-US: Macromedia JRun CVE-2004-2181 (Multiple SQL injection vulnerabilities in WowBB Forum 1.61 allow remot ...) NOT-FOR-US: WowBB Forum CVE-2004-2180 (Multiple cross-site scripting (XSS) vulnerabilities in WowBB Forum 1.6 ...) NOT-FOR-US: WowBB Forum CVE-2004-2179 (asycpict.dll, as used in Microsoft products such as Front Page 97 and ...) NOT-FOR-US: Microsoft CVE-2004-2178 (SQL injection vulnerability in DevoyBB Web Forum 1.0.0 allows remote a ...) NOT-FOR-US: DevoyBB CVE-2004-2177 (Cross-site scripting (XSS) vulnerability in DevoyBB Web Forum 1.0.0 al ...) NOT-FOR-US: DevoyBB CVE-2004-2176 (The Internet Connection Firewall (ICF) in Microsoft Windows XP SP2 is ...) NOT-FOR-US: Microsoft CVE-2004-2175 (Multiple SQL injection vulnerabilities in ReviewPost PHP Pro allow rem ...) NOT-FOR-US: ReviewPost CVE-2004-2174 (Cross-site scripting (XSS) vulnerability in Custva.asp in EarlyImpact ...) NOT-FOR-US: EarlyImpact CVE-2004-2173 (SQL injection vulnerability in advSearch_h.asp in EarlyImpact ProductC ...) NOT-FOR-US: EarlyImpact CVE-2004-2172 (EarlyImpact ProductCart uses a weak encryption scheme to encrypt passw ...) NOT-FOR-US: EarlyImpact CVE-2004-2171 (Cross-site scripting (XSS) vulnerability in Cherokee before 0.4.8 allo ...) - cherokee 0.4.8 CVE-2004-2170 (Directory traversal vulnerability in sample_showcode.html in Caravan 2 ...) NOT-FOR-US: Caravan CVE-2004-2169 (Application Access Server (A-A-S) 1.0.37 and earlier allows remote aut ...) NOT-FOR-US: Application Access Server (A-A-S) CVE-2004-2168 (BaSoMail 1.24 allows remote attackers to cause a denial of service (CP ...) NOT-FOR-US: BaSoMail CVE-2004-2167 (Multiple buffer overflows in LaTeX2rtf 1.9.15, and possibly other vers ...) - latex2rtf 1.9.16 CVE-2004-2166 (The print-from-email feature in the Canon ImageRUNNER (iR) 5000i and C ...) NOT-FOR-US: Canon ImageRUNNER CVE-2004-2165 (Lords of the Realm III 1.01 and earlier, when in the lobby stage, allo ...) NOT-FOR-US: Lords of the Realm CVE-2004-2164 (shoprestoreorder.asp in VP-ASP 5.0 does not close the database connect ...) NOT-FOR-US: VP-ASP CVE-2004-2163 (login_radius on OpenBSD 3.2, 3.5, and possibly other versions does not ...) NOT-FOR-US: OpenBSD CVE-2004-2160 (Format string vulnerability in xml_elem.c for XMLStarlet Command Line ...) - xmlstarlet 1.0.0-1 CVE-2004-2159 (Multiple buffer overflows in XMLStarlet Command Line XML Toolkit 0.9.3 ...) - xmlstarlet 1.0.0-1 CVE-2004-2158 (SQL injection vulnerability in Serendipity 0.7-beta1 allows remote att ...) - serendipity 1.0-1 CVE-2004-2157 (Cross-site scripting (XSS) vulnerability in Comment.php in Serendipity ...) - serendipity 1.0-1 CVE-2004-2156 (Multiple unknown vulnerabilities in Online Recruitment Agency 1.0 have ...) NOT-FOR-US: Online Recruitment Agency CVE-2004-2155 (Online-bookmarks before 0.4.6 allows remote attackers to bypass its au ...) NOT-FOR-US: Online-bookmarks CVE-2005-2348 REJECTED CVE-2005-2169 (Directory traversal vulnerability in source.php in Quick & Dirty P ...) NOT-FOR-US: PHPSource Printer CVE-2005-2168 (delete.php in Plague News System 0.6 and earlier allows remote unauthe ...) NOT-FOR-US: Plague CVE-2005-2167 (Cross-site scripting (XSS) vulnerability in index.php in Plague News S ...) NOT-FOR-US: Plague CVE-2005-2166 (SQL injection vulnerability in index.php in Plague News System 0.6 and ...) NOT-FOR-US: Plague CVE-2005-2165 (read.cgi in GlobalNoteScript allows remote attackers to execute arbitr ...) NOT-FOR-US: GlobalNoteScript CVE-2005-2164 (SQL injection vulnerability in Covide Groupware-CRM allows remote atta ...) NOT-FOR-US: Covide CVE-2005-2163 (Cross-site scripting (XSS) vulnerability in index.php in AutoIndex PHP ...) NOT-FOR-US: AutoIndex PHP Script CVE-2005-2162 (PHP remote file inclusion vulnerability in form.inc.php3 in MyGuestboo ...) NOT-FOR-US: MyGuestbook CVE-2005-2161 (Cross-site scripting (XSS) vulnerability in phpBB 2.0.16 allows remote ...) {DSA-768-1} - phpbb2 2.0.13+1-6sarge1 (bug #317739; high) CVE-2005-2160 (IMail stores usernames and passwords in cleartext in a cookie, which a ...) NOT-FOR-US: IMail CVE-2005-2159 (mshftp.dll in PlanetDNS PlanetFileServer 2.0.1.3 allows remote attacke ...) NOT-FOR-US: PlanetDNS CVE-2005-2158 (A regression error in the embedded HSQLDB in JBoss jBPM 2.0 allows rem ...) NOT-FOR-US: JBoss CVE-2005-2157 (PHP remote file inclusion vulnerability in survey.inc.php for nabopoll ...) NOT-FOR-US: nabopoll CVE-2005-2156 (SQL injection vulnerability in news.php in PHPNews 1.2.5 allows remote ...) NOT-FOR-US: PHPNews CVE-2005-2155 (PHP remote file inclusion vulnerability in EasyPHPCalendar 6.1.5 and e ...) NOT-FOR-US: EasyPHPCalender CVE-2005-2154 (PHP local file inclusion vulnerability in (1) view.php and (2) open.ph ...) NOT-FOR-US: osTicket CVE-2005-2153 (SQL injection vulnerability in class.ticket.php in osTicket 1.3.1 beta ...) NOT-FOR-US: osTicket CVE-2005-2152 (SQL injection vulnerability in Geeklog before 1.3.11 allows remote att ...) NOT-FOR-US: Geeklog CVE-2005-2151 (spf.c in Courier Mail Server does not properly handle DNS failures whe ...) {DSA-784-1} - courier 0.47-6 (bug #320290; low) CVE-2005-2150 (Windows NT 4.0 and Windows 2000 before URP1 for Windows 2000 SP4 does ...) NOT-FOR-US: Microsoft CVE-2005-2149 (config.php in Cacti 0.8.6e and earlier allows remote attackers to set ...) {DSA-764-1} - cacti 0.8.6f-1 (bug #316590; high) CVE-2005-2148 (Cacti 0.8.6e and earlier does not perform proper input validation to p ...) {DSA-764-1} - cacti 0.8.6f-1 (bug #316590; high) CVE-2005-2147 (Trac before 0.8.4 allows remote attackers to read or upload arbitrary ...) {DSA-739-1} - trac 0.8.4-1 [sarge] - trac 0.8.1-3sarge1 CVE-2005-2146 (SSH Tectia Server 4.3.1 and earlier, and SSH Secure Shell for Windows ...) NOT-FOR-US: SSH Tectia Server CVE-2005-2145 (The kernel driver in Prevx Pro 2005 1.0 does not verify the source of ...) NOT-FOR-US: Prevx Pro CVE-2005-2144 (Prevx Pro 2005 1.0 allows local users to bypass file protection and mo ...) NOT-FOR-US: Prevx Pro CVE-2005-2143 (Microsoft Front Page allows attackers to cause a denial of service (cr ...) NOT-FOR-US: Microsoft CVE-2005-2142 (Directory traversal vulnerability in Golden FTP Server 2.60 allows rem ...) NOT-FOR-US: Golden FTP Server CVE-2005-2141 (TCP Chat 1.0 allows remote attackers to cause a denial of service (cra ...) NOT-FOR-US: TCP Chat CVE-2005-2140 (Directory traversal vulnerability in default.asp for FSboard 2.0 allow ...) NOT-FOR-US: FSboard CVE-2005-2139 (PHP remote file inclusion vulnerability in user_check.php for Pavsta A ...) NOT-FOR-US: Pavsta CVE-2005-2138 (Cross-site scripting (XSS) vulnerability in index.php in Comdev eComme ...) NOT-FOR-US: Comdev eCommerce CVE-2005-2137 (Unknown vulnerability in NateOn Messenger 3.0 allows remote attackers ...) NOT-FOR-US: NateOn Messenger CVE-2005-2136 (Raritan Dominion SX (DSX) Console Servers DSX16, DSX32, DSX4, DSX8, an ...) NOT-FOR-US: Raritan Dominion SX CVE-2005-2135 (SQL injection vulnerability in verify.asp in EtoShop Dynamic Biz Websi ...) NOT-FOR-US: EtoShop CVE-2005-2134 (The (1) clcs and (2) emuxki drivers in NetBSD 1.6 through 2.0.2 allow ...) NOT-FOR-US: NetBSD CVE-2005-2133 REJECTED CVE-2005-2132 (RPC portmapper (rpcbind) in SCO UnixWare 7.1.1 m5, 7.1.3 mp5, and 7.1. ...) NOT-FOR-US: SCO UnixWare CVE-2005-2131 RESERVED CVE-2005-2130 RESERVED CVE-2005-2129 RESERVED CVE-2005-2128 (QUARTZ.DLL in Microsoft Windows Media Player 9 allows remote attackers ...) NOT-FOR-US: Windows CVE-2005-2127 (Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers t ...) NOT-FOR-US: Windows CVE-2005-2126 (The FTP client in Windows XP SP1 and Server 2003, and Internet Explore ...) NOT-FOR-US: Windows CVE-2005-2125 RESERVED CVE-2005-2124 (Unspecified vulnerability in the Graphics Rendering Engine (GDI32.DLL) ...) NOT-FOR-US: Windows CVE-2005-2123 (Multiple integer overflows in the Graphics Rendering Engine (GDI32.DLL ...) NOT-FOR-US: Windows CVE-2005-2122 (Windows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Serv ...) NOT-FOR-US: Windows CVE-2005-2121 RESERVED CVE-2005-2120 (Stack-based buffer overflow in the Plug and Play (PnP) service (UMPNPM ...) NOT-FOR-US: Windows CVE-2005-2119 (The MIDL_user_allocate function in the Microsoft Distributed Transacti ...) NOT-FOR-US: Microsoft CVE-2005-2118 (Windows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Serv ...) NOT-FOR-US: Windows CVE-2005-2117 (Web View in Windows Explorer on Microsoft Windows 2000 SP4, XP SP1 and ...) NOT-FOR-US: Windows CVE-2004-2154 (CUPS before 1.1.21rc1 treats a Location directive in cupsd.conf as cas ...) - cups 1.1.20final+rc1-1 (low) - cupsys 1.1.20final+rc1-1 (low) CVE-2005-2116 REJECTED CVE-2005-2115 (Soldier of Fortune II 1.02x and 1.03 allows remote attackers to cause ...) NOT-FOR-US: Soldier of Fortune CVE-2005-2114 (Mozilla 1.7.8, Firefox 1.0.4, Camino 0.8.4, Netscape 8.0.2, and K-Mele ...) NOTE: cannot reproduce with firefox 1.0.5-1 and Sarge's Mozilla using POC exploits [sarge] - mozilla (Unreproducible) - mozilla 2:1.7.10-1 (bug #318723; medium) CVE-2005-2113 (SQL injection vulnerability in the loginUser function in the XMLRPC se ...) NOT-FOR-US: Xoops CVE-2005-2112 (Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.0.11 an ...) NOT-FOR-US: Xoops CVE-2005-2111 (login.cgi in Community Link Pro Web Editor allows remote attackers to ...) NOT-FOR-US: Community Link Pro Web Editor CVE-2005-2110 (WordPress 1.5.1.2 and earlier allows remote attackers to obtain sensit ...) - wordpress 1.5.1.3-1 (bug #316402) CVE-2005-2109 (wp-login.php in WordPress 1.5.1.2 and earlier allows remote attackers ...) - wordpress 1.5.1.3-1 (bug #316402) CVE-2005-2108 (SQL injection vulnerability in XMLRPC server in WordPress 1.5.1.2 and ...) - wordpress 1.5.1.3-1 (bug #316402) CVE-2005-2107 (Multiple cross-site scripting (XSS) vulnerabilities in post.php in Wor ...) - wordpress 1.5.1.3-1 (bug #316402) CVE-2005-2106 (Unknown vulnerability in Drupal 4.5.0 through 4.5.3, 4.6.0, and 4.6.1 ...) {DSA-745-1} - drupal 4.5.4-1 (bug #316362) CVE-2005-2105 (Cisco IOS 12.2T through 12.4 allows remote attackers to bypass Authent ...) NOT-FOR-US: IOS CVE-2005-2104 (sysreport before 1.3.7 allows local users to obtain sensitive informat ...) NOT-FOR-US: sysreport CVE-2005-2103 (Buffer overflow in the AIM and ICQ module in Gaim before 1.5.0 allows ...) {DTSA-5-1} - gaim 1:1.4.0-5 (high; bug #323706) CVE-2005-2102 (The AIM/ICQ module in Gaim before 1.5.0 allows remote attackers to cau ...) {DTSA-5-1} - gaim 1:1.4.0-5 (medium; bug #323706) CVE-2005-2101 (langen2kvtml in KDE 3.0 to 3.4.2 creates insecure temporary files in / ...) {DSA-818-1} - kdeedu 4:3.4.2-1 (low) CVE-2005-2100 (The rw_vm function in usercopy.c in the 4GB split patch for the Linux ...) - linux-2.6 (Red Hat specific according to Horms) - kernel-source-2.4.27 (Red Hat specific according to Horms) CVE-2005-2099 (The Linux kernel before 2.6.12.5 does not properly destroy a keyring t ...) {DTSA-16-1} NOTE: 2.6.8 and 2.4.27 not affected - linux-2.6 2.6.12-3 (bug #323039; medium) CVE-2005-2098 (The KEYCTL_JOIN_SESSION_KEYRING operation in the Linux kernel before 2 ...) {DTSA-16-1} NOTE: 2.6.8 and 2.4.27 not affected - linux-2.6 2.6.12-3 (bug #323039; medium) CVE-2005-2097 (xpdf and kpdf do not properly validate the "loca" table in PDF files, ...) {DSA-1136-1 DSA-984-1 DSA-982-1 DSA-936-1 DSA-780-1 DTSA-28-1} - kdegraphics 4:3.4.2-1 (bug #322458; low) - xpdf 3.00-15 (bug #322462; low) [woody] - tetex-bin (pdftex doesn't include or use the vulnerable code) - tetex-bin 3.0-12 NOTE: tetex links to poppler since 3.0-12 [sarge] - tetex-bin (tetex2 uses an older version, which is not affected) - gpdf 2.10.0-4 (bug #334454; low) NOTE: Cups switched to xpdf-utils - cupsys 1.1.22-7 (bug #324464) - cups 1.1.22-7 (bug #324464) [woody] - cupsys (Vulnerable code not present) - poppler 0.4.0-1 (low) - libextractor 0.5.8-1 (medium) CVE-2005-2096 (zlib 1.2 and later versions allows remote attackers to cause a denial ...) {DSA-1026-1 DSA-797-2 DSA-797-1 DSA-740-1} NOTE: Several packages ship embedded copies of zlib, there are a lot probably more NOTE: Florian Weimer is doing a comprehensive audit using clamav NOTE: to search for static zlib signatures in binaries in Debian NOTE: Not all of the listed packages have been checked for actual NOTE: exploitability using this hole. NOTE: oldstable (woody) had zlib 1.1, which is not affected [woody] - dpkg (Woody contains zlib 1.1, which is not affected) - dpkg 1.13.11 (bug #317967; unimportant) NOTE: You need to trust debs anyway, when installing them - zsync 0.4.0-2 (bug #317968; medium) [woody] - dump (Woody contains zlib 1.1, which is not affected) [sarge] - dump (Backups do not contain untrusted data) - dump 0.4b40-1 (bug #317966; low) [woody] - aide (Woody contains zlib 1.1, which is not affected) - aide 0.10-6.1.1 (bug #317523; unimportant) NOTE: aide only uses zlib to compress/decompress internal data [woody] - amd64-libs (Woody contains zlib 1.1, which is not affected) - amd64-libs 1.3 (bug #317970; medium) [woody] - ia32-libs (Woody contains zlib 1.1, which is not affected) - ia32-libs 1.6 (bug #317971; medium) - dar (zlib not used on unstrusted input, see #317989) [woody] - bacula (Woody contains zlib 1.1, which is not affected) - bacula 1.36.3-2 (bug #318014; medium) [sarge] - bacula (Backups do not contain untrusted data) [woody] - sash (Woody contains zlib 1.1, which is not affected) - sash 3.7-6 (bug #318246; bug #318069; medium) [woody] - libphysfs (Woody contains zlib 1.1, which is not affected) - libphysfs 1.0.0-5 (bug #318091; unimportant) - oops 1.5.23.cvs-3 (bug #318097; medium) [woody] - rpm (Woody contains zlib 1.1, which is not affected) - rpm 4.0.4-31.1 (bug #318099; unimportant) NOTE: You need to trust rpms anyway, when installing them - rageircd 2.0.0-3sid1 (bug #309196; medium) - systemimager-ssh (bug #318101; unimportant) NOTE: see dannf's first bug comment; systemimager-ssh doesn't use compression [woody] - texmacs (Woody contains zlib 1.1, which is not affected) - texmacs 1:1.0.5-3 (bug #318100; medium) [sarge] - texmacs (Hardly exploitable) - zlib 1:1.2.2-7 (bug #317133; medium) - pvpgn 1.7.8-2 (bug #332236) - mysql-dfsg-4.1 4.1.13-1 (bug #319858; unimportant) - mrtg (Only used for internal compression, current versions link dynamically) - rsync (Uses zlib 1.1, which is not affected) NOTE: rsync upstream updated the internal zlib copy in 2.6.6 without real need, NOTE: as the included version was never affected, despite claiming them so. CVE-2005-2095 (options_identities.php in SquirrelMail 1.4.4 and earlier uses the extr ...) {DSA-756-1} - squirrelmail 2:1.4.4-6sarge1 (bug #317094) CVE-2005-2094 (Sun SunONE web server 6.1 SP1 allows remote attackers to poison the we ...) NOT-FOR-US: Sun CVE-2005-2093 (Oracle 9i Application Server (Oracle9iAS) 9.0.2 allows remote attacker ...) NOT-FOR-US: Oracle CVE-2005-2092 (BEA Systems WebLogic 8.1 SP1 allows remote attackers to poison the web ...) NOT-FOR-US: BEA WebLogic CVE-2005-2091 (IBM WebSphere 5.1 and WebSphere 5.0 allows remote attackers to poison ...) NOT-FOR-US: Websphere CVE-2005-2090 (Jakarta Tomcat 5.0.19 (Coyote/1.1) and Tomcat 4.1.24 (Coyote/1.0) allo ...) - tomcat4 4.1.28-1 NOTE: tomcat5 in experimental has this fix as well CVE-2005-2089 (Microsoft IIS 5.0 and 6.0 allows remote attackers to poison the web ca ...) NOT-FOR-US: Microsoft CVE-2005-2088 (The Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when ac ...) {DSA-805-1 DSA-803-1} - apache 1.3.33-8 (bug #322607; medium) - apache2 2.0.54-5 (bug #316173; medium) CVE-2005-2087 (Internet Explorer 5.01 SP4 up to 6 on various Windows operating system ...) NOT-FOR-US: Microsoft CVE-2005-2086 (PHP remote file inclusion vulnerability in viewtopic.php in phpBB 2.0. ...) - phpbb2 (phpbb versions in Debian not affected) CVE-2005-2085 (Buffer overflow in Inframail Advantage Server Edition 6.0 through 6.7 ...) NOT-FOR-US: Inframail CVE-2005-2084 (Cross-site scripting (XSS) vulnerability in SearchResults.aspx in Comm ...) NOT-FOR-US: Community Forum CVE-2005-2083 (Format string vulnerability in IMAP4 in IA eMailServer Corporate Editi ...) NOT-FOR-US: IA eMailServer CVE-2005-2082 (im_trbbs.cgi in imTRSET 1.02 and earlier allows remote attackers to ex ...) NOT-FOR-US: imTRSET CVE-2005-2081 (Stack-based buffer overflow in the function that parses commands in As ...) - asterisk 1:1.0.9.dfsg-1 (bug #315532; unimportant) NOTE: Can only be exploited by users who already have the privilege to execute arbitrary commands CVE-2005-2080 (Unknown vulnerability in Remote Agent for Windows Servers (RAWS) in VE ...) NOT-FOR-US: Veritas Backup CVE-2005-2079 (Heap-based buffer overflow in the Admin Plus Pack Option for VERITAS B ...) NOT-FOR-US: Veritas Backup CVE-2005-1932 (Lpanel 1.59 and earlier, and other versions before 1.597, allows remot ...) NOT-FOR-US: Lpanel CVE-2005-1931 (GoodTech SMTP Server 5.14 allows remote attackers to cause a denial of ...) NOT-FOR-US: GoodTech SMTP Server CVE-2004-2153 (Multiple unknown vulnerabilities in Real Estate Management Software 1. ...) NOT-FOR-US: Real Estate Management Software CVE-2004-2152 (Cross-site scripting (XSS) vulnerability in 'raw' page output mode for ...) - mediawiki 1.4.9 (bug #276057) CVE-2004-2151 (Chatman 1.1.1 RC1 and earlier allows remote attackers to cause a denia ...) NOT-FOR-US: Chatman CVE-2004-2150 (Nettica Corporation INTELLIPEER Email Server 1.01 displays different e ...) NOT-FOR-US: INTELLIPEER Email Server CVE-2004-2149 (Buffer overflow in the prepared statements API in libmysqlclient for M ...) - mysql-dfsg-4.1 4.1.5-1 CVE-2004-2148 (Unknown local vulnerability in the "change user" feature of Slava Asta ...) - fprobe-ng 1.1-1 - fprobe 1.1-4 NOTE: fprobe was fixed in upstrem release 1.0.6 and since 1.1-4 fprobe-ng package NOTE: replaced fprobe therefore marking as fixed in 1.1-4 CVE-2004-2147 (Unknown versions of Symantec Norton AntiVirus and Microsoft Outlook al ...) NOT-FOR-US: Symantec Antivirus CVE-2004-2146 (CRLF injection vulnerability in PD9 Software MegaBBS 2 and 2.1 allows ...) NOT-FOR-US: MegaBBS CVE-2004-2145 (SQL injection vulnerability in PD9 Software MegaBBS 2 and 2.1 allows r ...) NOT-FOR-US: MegaBBS CVE-2004-2144 (Baal Smart Forms before 3.2 allows remote attackers to bypass authenti ...) NOT-FOR-US: Baal Smart Forms CVE-2004-2143 (SQL injection vulnerability in the ReMOSitory Server add-on module to ...) NOT-FOR-US: Mambo Portal CVE-2004-2142 (Unknown vulnerability in the remote tape support (remote.c) in the RMT ...) - sdd 1.52-1 CVE-2004-2141 REJECTED CVE-2004-2140 (CRLF injection vulnerability in YaBB 1 Gold before 1.3.2 allows remote ...) NOT-FOR-US: YaBB CVE-2004-2139 (Unknown vulnerability in Adminedit.pl YaBB 1 Gold before 1.3.2 allows ...) NOT-FOR-US: YaBB CVE-2004-2138 (Cross-site scripting (XSS) vulnerability in AWSguest.php in AllWebScri ...) NOT-FOR-US: MySQLGuest CVE-2005-2078 (BisonFTP Server V4R1 allows remote authenticated users to cause a deni ...) NOT-FOR-US: BisonFTP Server CVE-2005-2077 (Cross-site scripting (XSS) vulnerability in error.asp for Hosting Cont ...) NOT-FOR-US: Hosting Controller CVE-2005-2076 (HP Version Control Repository Manager (VCRM) before 2.1.1.730 does not ...) NOT-FOR-US: HP Version Control Repository Manager CVE-2005-2075 (PHP-Fusion 5.0 and 6.0 stores the database file with a predictable fil ...) NOT-FOR-US: PHP-Fusion CVE-2005-2074 (Cross-site scripting (XSS) vulnerability in PHP-Fusion 6.0.105 allows ...) NOT-FOR-US: PHP-Fusion CVE-2005-2073 (Unknown vulnerability in IBM DB2 8.1.4 through 8.1.9 and 8.2.0 through ...) NOT-FOR-US: DB2 CVE-2005-2072 (The runtime linker (ld.so) in Solaris 8, 9, and 10 trusts the LD_AUDIT ...) NOT-FOR-US: Solaris CVE-2005-2071 (traceroute in Sun Solaris 10 on x86 systems allows local users to exec ...) NOT-FOR-US: Solaris CVE-2005-2070 (The ClamAV Mail fILTER (clamav-milter) 0.84 through 0.85d, when used i ...) {DSA-737-1 DTSA-3-1} - clamav 0.86.1 (bug #318755; medium) CVE-2005-2069 (pam_ldap and nss_ldap, when used with OpenLDAP and connecting to a sla ...) {DSA-785-1} - openldap2.2 2.2.26-3 (bug #316674; medium) - openldap2 2.1.30-11 (medium) - libpam-ldap 178-1sarge1 (bug #316972; medium) - libnss-ldap 238-1.1 (bug #316973; medium) CVE-2005-2068 (FreeBSD 4.x through 4.11 and 5.x through 5.4 allows remote attackers t ...) - kfreebsd-source CVE-2005-2067 (SQL injection vulnerability in article.asp in unknown versions of aspn ...) NOT-FOR-US: ASP Nuke CVE-2005-2066 (SQL injection vulnerability in comment_post.asp in ASP Nuke 0.80 allow ...) NOT-FOR-US: ASP Nuke CVE-2005-2065 (HTTP response splitting vulnerability in language_select.asp in ASP Nu ...) NOT-FOR-US: ASP Nuke CVE-2005-2064 (Multiple cross-site scripting vulnerabilities in ASP Nuke 0.80 allow r ...) NOT-FOR-US: ASP Nuke CVE-2005-2063 (Multiple cross-site scripting (XSS) vulnerabilities in ActiveBuyAndSel ...) NOT-FOR-US: ActiveBuyAndSell CVE-2005-2062 (Multiple SQL injection vulnerabilities in ActiveBuyAndSell 6.2 allow r ...) NOT-FOR-US: ActiveBuyAndSell CVE-2005-2061 (Infopop UBB.Threads before 6.5.2 Beta allows remote attackers to inclu ...) NOT-FOR-US: Infopop UBB.Threads CVE-2005-2060 (Multiple HTTP Response Splitting vulnerabilities in (1) toggleshow.php ...) NOT-FOR-US: Infopop UBB.Threads CVE-2005-2059 (Multiple cross-site request forgery (CSRF) vulnerabilities in (1) adda ...) NOT-FOR-US: Infopop UBB.Threads CVE-2005-2058 (Multiple SQL injection vulnerabilities in Infopop UBB.Threads before 6 ...) NOT-FOR-US: Infopop UBB.Threads CVE-2005-2057 (Multiple cross-site scripting (XSS) vulnerabilities in Infopop UBB.Thr ...) NOT-FOR-US: Infopop UBB.Threads CVE-2005-2056 (The Quantum archive decompressor in Clam AntiVirus (ClamAV) before 0.8 ...) {DSA-737-1 DTSA-3-1} - clamav 0.86.1-1 (bug #318756; medium) CVE-2005-2055 (RealPlayer 8, 10, 10.5 (6.0.12.1040-1069), and Enterprise and RealOne ...) NOT-FOR-US: Affected only Real Player, not Helix Player NOTE: http://service.real.com/help/faq/security/050623_player/EN/ CVE-2005-2054 (Unknown vulnerability in RealPlayer 10 and 10.5 (6.0.12.1040-1069) and ...) NOT-FOR-US: Real Player NOTE: This didn't affected Helix, although the changelog claimed so, see NOTE: http://service.real.com/help/faq/security/050623_player/EN/ CVE-2002-1986 (Perception LiteServe 2.0 through 2.0.1 allows remote attackers to obta ...) NOT-FOR-US: Perception LiteServe CVE-2002-1985 (iSMTP 5.0.1 allows remote attackers to cause a denial of service via a ...) NOT-FOR-US: iSMTP CVE-2002-1984 (Microsoft Internet Explorer 5.0.1 through 6.0 on Windows 2000 or Windo ...) NOT-FOR-US: Microsoft CVE-2002-1983 (The timer implementation in QNX RTOS 6.1.0 allows local users to cause ...) NOT-FOR-US: QNX CVE-2002-1982 (Directory traversal vulnerability in the list_directory function in Ic ...) NOTE: verified current version is not vulnerable to exploit CVE-2002-1981 (Microsoft SQL Server 2000 through SQL Server 2000 SP2 allows the "publ ...) NOT-FOR-US: Microsoft CVE-2002-1980 (Buffer overflow in Volume Manager daemon (vold) of Sun Solaris 2.5.1 t ...) NOT-FOR-US: Solaris CVE-2002-1979 (WatchGuard SOHO products running firmware 5.1.6 and earlier, and Vclas ...) NOT-FOR-US: Watchguard SOHO CVE-2002-1978 (IPFilter 3.1.1 through 3.4.28 allows remote attackers to bypass firewa ...) NOT-FOR-US: IPFilter CVE-2002-1977 (Network Associates PGP 7.0.4 and 7.1 does not time out according to th ...) NOT-FOR-US: Proprietary PGP CVE-2002-1976 (ifconfig, when used on the Linux kernel 2.2 and later, does not report ...) - net-tools (unimportant) NOTE: This seems to be a misunderstanding of what the PROMISC flag NOTE: is about. ifconfig reports properly when it is set using NOTE: "ifconfig promisc". CVE-2002-1975 (Sharp Zaurus PDA SL-5000D and SL-5500 uses a salt of "A0" to encrypt t ...) NOT-FOR-US: Zaurus hardware CVE-2002-1974 (The FTP service in Zaurus PDAs SL-5000D and SL-5500 does not require a ...) NOT-FOR-US: Zaurus hardware CVE-2002-1973 (Buffer overflow in CHttpServer::OnParseError in the ISAPI extension (I ...) NOT-FOR-US: Microsoft CVE-2002-1972 (Unknown vulnerability in Parallel port powerSwitch (aka pp_powerSwitch ...) NOT-FOR-US: pp_powerSwitch CVE-2002-1971 (The ping utility in networking_utils.php in Sourcecraft Networking_Uti ...) NOT-FOR-US: Sourcecraft Networking Utils CVE-2002-1970 (SnortCenter 0.9.5, when configured to push Snort rules, stores the rul ...) NOT-FOR-US: SnortCenter CVE-2002-1969 (Magic Notebook 1.0b and 1.1b allows remote attackers to cause a denial ...) NOT-FOR-US: Magic Notebook CVE-2002-1968 (Com21 DOXport 1100 series cable modem running firmware 2.1.1.106, and ...) NOT-FOR-US: Com21 hardware CVE-2002-1967 (Buffer overflow in XiRCON 1.0 Beta 4 allows remote attackers to cause ...) NOT-FOR-US: XiRCON CVE-2002-1966 (Directory traversal vulnerability in magiccard.cgi in My Postcards Pla ...) NOT-FOR-US: My Postcards Platinum CVE-2002-1965 (Cross-site scripting (XSS) vulnerability in Errors.gsl in Imatix Xitam ...) NOT-FOR-US: Imatix Xitami CVE-2002-1964 (Unknown vulnerability in WesMo phpEventCalendar 1.1 allows remote atta ...) NOT-FOR-US: phpEventCalender CVE-2002-1963 (Linux kernel 2.4.1 through 2.4.19 sets root's NR_RESERVED_FILES limit ...) NOTE: No kernels in Sarge or sid affected CVE-2002-1962 (Finjan Software SurfinGate 6.0 and 6.0 1 allows remote attackers to by ...) NOT-FOR-US: SurfinGate CVE-2002-1961 (Finjan Software SurfinGate 6.0 and 6.0 1 allows remote attackers to by ...) NOT-FOR-US: SurfinGate CVE-2002-1960 (Cross-site scripting (XSS) vulnerability in Cybozu Share360 1.1 allows ...) NOT-FOR-US: Cybozu Share CVE-2002-1959 (Nagios 1.0b1 through 1.0b3 allows remote attackers to execute arbitrar ...) NOTE: Nagios was packaged for Debian after these vulnerable versions have been released CVE-2002-1958 (Cross-site scripting (XSS) vulnerability in kmMail 1.0, 1.0a, and 1.0b ...) NOT-FOR-US: kmMail CVE-2002-1957 (Buffer overflow in the netlog function in pen.c for Pen 0.9.1 and 0.9. ...) - pen (pen was introduced after this old vulnerability) CVE-2002-1956 (ROX Filer 1.1.9 and 1.2 is installed with world writable permissions, ...) - rox 1.3.0-1 CVE-2002-1955 (Iomega NAS A300U uses cleartext LANMAN authentication when mounting CI ...) NOT-FOR-US: Iomega hardware issue CVE-2002-1954 (Cross-site scripting (XSS) vulnerability in the phpinfo function in PH ...) NOTE: According to http://bugs.php.net/bug.php?id=19881 this only affects a NOTE: php function that displays the PHP logo and version information. In the bug NOTE: log the developers seem unwilling to fix this, as it only affects a debug NOTE: function. NOTE: can not reproduce in any versions of php4 in the archive. - php4 (bug #349260; low) - php5 5.1.1-1 (bug #336654; low) CVE-2002-1953 (Heap-based buffer overflow in the goim handler of AOL Instant Messenge ...) NOT-FOR-US: AIM CVE-2002-1952 (phpRank 1.8 does not properly check the return codes for MySQL operati ...) NOT-FOR-US: phpRank CVE-2002-1951 (Buffer overflow in GoAhead WebServer 2.1 allows remote attackers to ex ...) NOT-FOR-US: GoAhead WebServer CVE-2002-1950 (Cross-site scripting (XSS) vulnerability in phpRank 1.8 allows remote ...) NOT-FOR-US: phpRank CVE-2002-1949 (The Network Attached Storage (NAS) Administration Web Page for Iomega ...) NOT-FOR-US: Iomega NAS CVE-2002-1948 (Multiple buffer overflows in Gringotts 0.5.9 allows local users to exe ...) - gringotts (fixed before Gringotts was in Debian) CVE-2002-1947 (Webmin 0.21 through 1.0 uses the same built-in SSL key for all install ...) - webmin 1.000-2 CVE-2002-1946 (Videsh Sanchar Nigam Limited (VSNL) Integrated Dialer Software 1.2.000 ...) NOT-FOR-US: VNSL CVE-2002-1945 (Buffer overflow in SmartMail Server 1.0 Beta 10 allows remote attacker ...) NOT-FOR-US: SmailMail CVE-2002-1944 (Motorola Surfboard 4200 cable modem allows remote attackers to cause a ...) NOT-FOR-US: Motorola Surfboard CVE-2002-1943 (SafeTP 1.46, when network address translation (NAT) is being used, lea ...) NOT-FOR-US: SafeTP CVE-2002-1942 (Imatix Xitami 2.5 b5 does not properly terminate certain Keep-Alive co ...) NOT-FOR-US: Imatix CVE-2002-1941 (Buffer overflow in RadioBird WebServer 4 Everyone 1.28 allows remote a ...) NOT-FOR-US: RadioBird CVE-2002-1940 (LCC-Win32 3.2 compiler, when running on Windows 95, 98, or ME, writes ...) NOT-FOR-US: LCC-Win32 CVE-2002-1939 (FlashFXP 1.4 prints FTP passwords in plaintext when there are transfer ...) NOT-FOR-US: FlashFXP CVE-2002-1938 (Virgil CGI Scanner 0.9 allows remote attackers to execute arbitrary co ...) NOT-FOR-US: Virgil CGI Scanner CVE-2002-1937 (Symantec Firewall/VPN Appliance 100 through 200R hardcodes the adminis ...) NOT-FOR-US: Symantex Appliance CVE-2002-1936 (UTStarcom BAS 1000 3.1.10 creates several default or back door account ...) NOT-FOR-US: UTStarcom CVE-2002-1935 (Pingtel Xpressa 1.2.5 through 2.0.1 uses predictable (1) Call-ID, (2) ...) NOT-FOR-US: Pingtel Xpressa CVE-2002-1934 (Pingtel xpressa SIP-based voice-over-IP phone 1.2.5 through 2.0.1 leak ...) NOT-FOR-US: Pingtel Xpressa CVE-2002-1933 (The terminal services screensaver for Microsoft Windows 2000 does not ...) NOT-FOR-US: Microsoft CVE-2002-1932 (Microsoft Windows XP and Windows 2000, when configured to send adminis ...) NOT-FOR-US: Microsoft CVE-2002-1931 (Cross-site scripting (XSS) vulnerability in PHP Arena paFileDB 1.1.3 a ...) NOT-FOR-US: PHP Arena CVE-2002-1930 (Buffer overflow in AN HTTPd 1.38 through 1.4.1c allows remote attacker ...) NOT-FOR-US: AN HTTPd CVE-2002-1929 (Cross-site scripting (XSS) vulnerability in pafiledb.php in PHP Arena ...) NOT-FOR-US: PHP Arena CVE-2002-1928 (602Pro LAN SUITE 2002 allows remote attackers to view the directory tr ...) NOT-FOR-US: 602Pro LAN SUITE CVE-2002-1927 (Aquonics File Manager 1.5 allows users with edit privileges to modify ...) NOT-FOR-US: Aquonics File Manager CVE-2002-1926 (Directory traversal vulnerability in source.php in Aquonics File Manag ...) NOT-FOR-US: Aquonics File Manager CVE-2002-1925 (Tiny Personal Firewall 3.0 through 3.0.6 allows remote attackers to ca ...) NOT-FOR-US: Tiny Personal Firewall CVE-2002-1924 (PowerChute plus 5.0.2 creates a "Pwrchute" directory during installati ...) NOT-FOR-US: Powerchute CVE-2002-1923 (The default configuration in MySQL 3.20.32 through 3.23.52, when runni ...) - mysql (Windows specific) CVE-2002-1922 (Cross-site scripting (XSS) vulnerability in global.php in Jelsoft vBul ...) NOT-FOR-US: vBulletin CVE-2002-1921 (The default configuration of MySQL 3.20.32 through 3.23.52, when runni ...) - mysql (Windows specific) CVE-2002-1920 (Buffer overflow in FtpXQ 2.5 allows remote attackers to cause a denial ...) NOT-FOR-US: FtpXQ CVE-2002-1919 (SQL injection vulnerability in shopadmin.asp in VP-ASP 4.0 allows remo ...) NOT-FOR-US: VS-ASP CVE-2002-1918 (Buffer overflow in Microsoft Active Data Objects (ADO) in Microsoft MD ...) NOT-FOR-US: Microsoft ADO CVE-2002-1917 (CRLF injection vulnerability in the "User Profile: Send Email" feature ...) NOT-FOR-US: Geeklog CVE-2002-1916 (Pirch and RusPirch, when auto-log is enabled, allows remote attackers ...) NOT-FOR-US: Pirch CVE-2002-1915 (tip on multiple BSD-based operating systems allows local users to caus ...) NOT-FOR-US: tip CVE-2002-1914 (dump 0.4 b10 through b29 allows local users to cause a denial of servi ...) - dump 0.4b31-1 CVE-2002-1913 (phptonuke.php in myPHPNuke 1.8.8 allows remote attackers to read arbit ...) NOT-FOR-US: myPHPNuke CVE-2002-1912 (SkyStream EMR5000 1.16 through 1.18 does not drop packets or disable t ...) NOT-FOR-US: SkyStream CVE-2002-1911 (ZoneAlarm Pro 3.0 and 3.1, when configured to block all traffic, allow ...) NOT-FOR-US: ZoneAlarm CVE-2002-1910 (Click2Learn Ingenium Learning Management System 5.1 and 6.1 uses weak ...) NOT-FOR-US: Ingenium Learning Management System CVE-2002-1909 (Click2Learn Ingenium Learning Management System 5.1 and 6.1 stores the ...) NOT-FOR-US: Ingenium Learning Management System CVE-2002-1908 (Microsoft IIS 5.0 and 5.1 allows remote attackers to cause a denial of ...) NOT-FOR-US: Microsoft IIS CVE-2002-1907 (TelCondex SimpleWebServer 2.06.20817 allows remote attackers to cause ...) NOT-FOR-US: TelCondex CVE-2002-1906 (The web server for Polycom ViaVideo 2.2 and 3.0 allows remote attacker ...) NOT-FOR-US: ViaVideo CVE-2002-1905 (Buffer overflow in the web server of Polycom ViaVideo 2.2 and 3.0 allo ...) NOT-FOR-US: ViaVideo CVE-2002-1904 (Buffer overflow in the Log function in util.c in GazTek ghttpd 1.4 thr ...) NOT-FOR-US: ghttpd CVE-2002-1903 (Pine 4.2.1 through 4.4.4 puts Unix usernames and/or uid into Sender: a ...) - pine 4.62-1 (low) - alpine (alpine is based on pine 4.64, this bug was in a previous version of pine) NOTE: checked listed version, and it didn't have the problem NOTE: pine is non-free (alpine is free) CVE-2002-1902 (CGIForum 1.0 through 1.05 allows remote attackers to cause a denial of ...) NOT-FOR-US: CGIForum CVE-2002-1901 (Cross-site scripting (XSS) vulnerability in Bodo Bauer BBGallery 1.0 a ...) NOT-FOR-US: BBGallery CVE-2002-1900 (Cross-site scripting (XSS) vulnerability in Pinboard 1.0 allows remote ...) NOT-FOR-US: Pinboard CVE-2002-1899 (Cross-site scripting (XSS) vulnerability in IceWarp Web Mail 3.3.3 and ...) NOT-FOR-US: IceWarp Web Mail CVE-2002-1898 (Terminal 1.3 in Apple Mac OS X 10.2 allows remote attackers to execute ...) NOT-FOR-US: Mac OS X CVE-2002-1897 (MyWebServer LLC MyWebServer 1.0.2 allows remote attackers to cause a d ...) NOT-FOR-US: MyWebserver CVE-2002-1896 (Buffer overflow in Alsaplayer 0.99.71, when installed setuid root, all ...) - alsaplayer 0.99.72-1 CVE-2002-1895 (The servlet engine in Jakarta Apache Tomcat 3.3 and 4.0.4, when using ...) - tomcat4 (Windows-specific Tomcat problems) CVE-2002-1894 (Cross-site scripting (XSS) vulnerability in viewtopic.php in phpBB 2.0 ...) - phpbb2 (Debian package not vulnerable, see #316071, 316295) CVE-2002-1893 (Cross-site scripting (XSS) vulnerability in ArGoSoft Mail Server Pro 1 ...) NOT-FOR-US: ArGoSoft Mail Server CVE-2002-1892 (NETGEAR FVS318 running firmware 1.1 stores the username and password i ...) NOT-FOR-US: Netgear hardware CVE-2002-1891 (Buffer overflow in IRCIT 0.3.1 IRC client allows remote attackers to e ...) NOT-FOR-US: IRCIT CVE-2002-1890 (rhmask 1.0-9 in Red Hat Linux 7.1 allows local users to overwrite arbi ...) NOT-FOR-US: RedHat specific CVE-2002-1889 (Off-by-one buffer overflow in the context_action function in context.c ...) NOT-FOR-US: Logsurfer CVE-2002-1888 (CommonName Toolbar 3.5.2.0 sends unqualified domain name requests to t ...) NOT-FOR-US: CommonName Toolbar CVE-2002-1887 (PHP remote file inclusion vulnerability in customize.php for phpMyNews ...) NOT-FOR-US: phpMyNewsletter CVE-2002-1886 (TightAuction 3.0 stores config.inc under the web document root with in ...) NOT-FOR-US: TightAuction CVE-2002-1885 (PHP remote file inclusion vulnerability in showhits.php3 for PowerPhlo ...) NOT-FOR-US: PPhlogger CVE-2002-1884 (index.php in Py-Membres 3.1 allows remote attackers to log in as an ad ...) NOT-FOR-US: Py-Membres CVE-2002-1883 (Trolltech Qt Assistant 1.0 in Trolltech Qt 3.0.3, when loaded from the ...) - qt-x11-free 2:3.0.4-1 CVE-2002-1882 (Unknown vulnerability in AolSecurityPrivate.class in Oracle E-Business ...) NOT-FOR-US: Oracle CVE-2002-1881 (Macromedia Flash Player 4.0 r12 through 6.0.47.0 allows remote attacke ...) - flashplugin-nonfree 6.0.61.0-1 CVE-2002-1880 (LokwaBB 1.2.2 allows remote attackers to read arbitrary messages by mo ...) NOT-FOR-US: LokwaBB CVE-2002-1879 (SQL injection vulnerability in LokwaBB 1.2.2 allows remote attackers t ...) NOT-FOR-US: LokwaBB CVE-2002-1878 (PHP remote file inclusion vulnerability in w-Agora 4.1.3 allows remote ...) NOT-FOR-US: w-Agora CVE-2002-1877 (NETGEAR FM114P allows remote attackers to bypass access restrictions f ...) NOT-FOR-US: Netgear hardware CVE-2002-1876 (Microsoft Exchange 2000 allows remote authenticated attackers to cause ...) NOT-FOR-US: Microsoft CVE-2002-1875 (Entercept Agent 2.5 agent for Windows, released before May 21, 2002, a ...) NOT-FOR-US: Entercept Agent CVE-2002-1874 (astrocam.cgi in AstroCam 0.9-1-1 through 1.4.0 allows remote attackers ...) NOT-FOR-US: Astrocam CVE-2002-1873 (Microsoft Exchange 2000, when used with Microsoft Remote Procedure Cal ...) NOT-FOR-US: Microsoft CVE-2002-1872 (Microsoft SQL Server 6.0 through 2000, with SQL Authentication enabled ...) NOT-FOR-US: Microsoft CVE-2002-1871 (pkgadd in Sun Solaris 2.5.1 through 8 installs files setuid/setgid roo ...) NOT-FOR-US: Solaris CVE-2002-1870 (Simple Web Server (SWS) 0.0.4 through 0.1.0 does not properly handle w ...) NOT-FOR-US: Simple Web Server CVE-2002-1869 (Heysoft EventSave 5.1 and 5.2 and Heysoft EventSave+ 5.1 and 5.2 does ...) NOT-FOR-US: Heysoft EventSave CVE-2002-1868 (Dispair 0.1 and 0.2 allows remote attackers to execute arbitrary shell ...) NOT-FOR-US: Dispair CVE-2002-1867 (The default configuration of BizDesign ImageFolio 2.23 through 2.26 do ...) NOT-FOR-US: ImageFolio CVE-2002-1866 (Simple Web Server (SWS) 0.0.4 through 0.1.0 does not close file descri ...) NOT-FOR-US: Simple Web Server CVE-2002-1865 (Buffer overflow in the Embedded HTTP server, as used in (1) D-Link DI- ...) NOT-FOR-US: Embedded HTTP server CVE-2002-1864 (Directory traversal vulnerability in Simple Web Server (SWS) 0.0.4 thr ...) NOT-FOR-US: Simple Web Server CVE-2002-1863 (Iomega Network Attached Storage (NAS) A300U, and possibly other models ...) NOT-FOR-US: Iomega NAS CVE-2002-1862 (SmartMail Server 2.0 allows remote attackers to cause a denial of serv ...) NOT-FOR-US: SmartMail Server CVE-2002-1861 (Sybase Enterprise Application Server 4.0, when running on Windows, all ...) NOT-FOR-US: Sybase ASE CVE-2002-1860 (Pramati Server 3.0, when running on Windows, allows remote attackers t ...) NOT-FOR-US: Pramati CVE-2002-1859 (Orion Application Server 1.5.3, when running on Windows, allows remote ...) NOT-FOR-US: Orion CVE-2002-1858 (Oracle Oracle9i Application Server 1.0.2.2 and 9.0.2 through 9.0.2.0.1 ...) NOT-FOR-US: Oracle CVE-2002-1857 (jo! jo Webserver 1.0, when running on Windows, allows remote attackers ...) NOT-FOR-US: jo! jo Webserver CVE-2002-1856 (HP Application Server 8.0, when running on Windows, allows remote atta ...) NOT-FOR-US: HP Application Server CVE-2002-1855 (Macromedia JRun 3.0 through 4.0, when running on Windows, allows remot ...) NOT-FOR-US: Macromedia JRun CVE-2002-1854 (Rlaj whois CGI script (whois.cgi) 1.0 allows remote attackers to execu ...) NOT-FOR-US: rlaj whois.cgi CVE-2002-1853 (Cross-site scripting (XSS) vulnerability in MyNewsGroups 0.4 and 0.4.1 ...) NOT-FOR-US: MyNewsGroups CVE-2002-1852 (Cross-site scripting (XSS) vulnerability in Monkey 0.5.0 allows remote ...) - monkey 0.9.2-1 NOTE: Vulnerable code verified not be present in any Debian version CVE-2002-1851 (Buffer overflow in WS_FTP Pro 7.5 allows remote attackers to execute c ...) NOT-FOR-US: WS_FTP Pro CVE-2002-1850 (mod_cgi in Apache 2.0.39 and 2.0.40 allows local users and possibly re ...) - apache2 2.0.42-1 CVE-2002-1849 (ParaChat Server 4.0 does not log users off if the browser's back butto ...) NOT-FOR-US: ParaChat CVE-2002-1848 (TightVNC before 1.2.4 running on Windows stores unencrypted passwords ...) NOT-FOR-US: TightVNC on Windows only CVE-2002-1847 (Buffer overflow in mplay32.exe of Microsoft Windows Media Player (WMP) ...) NOT-FOR-US: Microsoft Windows Media Player CVE-2002-1846 (Yet Another Bulletin Board (YaBB) 1.40 and 1.41 does not require a use ...) NOT-FOR-US: YaBB CVE-2002-1845 (Cross-site scripting (XSS) vulnerability in index.php in Yet Another B ...) NOT-FOR-US: YaBB CVE-2002-1844 (Microsoft Windows Media Player (WMP) 6.3, when installed on Solaris, i ...) NOT-FOR-US: Microsoft Windows Media Player CVE-2002-1843 (Perlbot 1.9.2 allows remote attackers to execute arbitrary commands vi ...) NOT-FOR-US: Perlbot CVE-2002-1842 (Perlbot 1.0 beta allows remote attackers to execute arbitrary commands ...) NOT-FOR-US: Perlbot CVE-2002-1841 (The document management module in NOLA 1.1.1 and 1.1.2 does not restri ...) NOT-FOR-US: Nogusta NOLA CVE-2002-1840 (irssi IRC client 0.8.4, when downloaded after 14-March-2002, could con ...) NOT-FOR-US: some irssi tarballs contained a backdoor CVE-2002-1839 (Trend Micro InterScan VirusWall for Windows NT 3.52 does not record th ...) NOT-FOR-US: Trend Micro InterScan VirusWall (Windows NT 3.52) CVE-2002-1838 (Charities.cron 1.0.2 through 1.6.0 allows local users to write to arbi ...) NOT-FOR-US: Charities.cron CVE-2002-1837 (The getAlbumToDisplay function in idsShared.pm for Image Display Syste ...) NOT-FOR-US: Image Display System CVE-2002-1836 (The default configuration of Xerox DocuTech 6110 and DocuTech 6115 exp ...) NOT-FOR-US: Xerox Docutech CVE-2002-1835 (The default configuration of Xerox DocuTech 6110 and DocuTech 6115 run ...) NOT-FOR-US: Xerox Docutech CVE-2002-1834 (The default configuration of Xerox DocuTech 6110 and DocuTech 6115 all ...) NOT-FOR-US: Xerox Docutech CVE-2002-1833 (The default configurations for DocuTech 6110 and DocuTech 6115 have a ...) NOT-FOR-US: Xerox Docutech CVE-2002-1832 (Unknown vulnerability in the "ipopts decode" functionality in Firestor ...) NOT-FOR-US: Firestorm IDS CVE-2002-1831 (Microsoft MSN Messenger Service 1.0 through 4.6 allows remote attacker ...) NOT-FOR-US: Microsoft MSN Messenger Service CVE-2002-1830 (Open Bulletin Board (OpenBB) 1.0.0 RC3 allows remote attackers to bypa ...) NOT-FOR-US: Open Bulletin Board CVE-2002-1829 (Cross-site scripting (XSS) vulnerability in codeparse.php in Open Bull ...) NOT-FOR-US: Open Bulletin Board CVE-2002-1828 (Savant Webserver 3.1 allows remote attackers to cause a denial of serv ...) NOT-FOR-US: Savant Webserver CVE-2002-1827 (Sendmail 8.9.0 through 8.12.3 allows local users to cause a denial of ...) - sendmail 8.12-4 CVE-2002-1826 (grsecurity 1.9.4 for Linux kernel 2.4.18 allows local users to bypass ...) - kernel-patch-2.4-grsecurity 1.9.6-1 CVE-2002-1825 (Format string vulnerability in PerlRTE_example1.pl in WASD 7.1, 7.2.0 ...) NOT-FOR-US: WASD CVE-2002-1824 (Microsoft Internet Explorer 6.0, when handling an expired CA-CERT in a ...) NOT-FOR-US: MSIE CVE-2002-1823 (Buffer overflow in the HttpGetRequest function in Zeroo HTTP server 1. ...) NOT-FOR-US: Zeroo CVE-2002-1822 (IBM HTTP Server 1.0 on AS/400 allows remote attackers to obtain the pa ...) NOT-FOR-US: IBM HTTP Server on AS/400 CVE-2002-1821 (Ultimate PHP Board (UPB) 1.0 and 1.0b allows remote authenticated user ...) NOT-FOR-US: Ultimate PHP Board CVE-2002-1820 (register.php in Ultimate PHP Board (UPB) 1.0 and 1.0b uses an administ ...) NOT-FOR-US: Ultimate PHP Board CVE-2002-1819 (Directory traversal vulnerability in TinyHTTPD 0.1 .0 allows remote at ...) NOT-FOR-US: TinyHTTPD CVE-2002-1818 (ezhttpbench.php in eZ httpbench 1.1 allows remote attackers to read ar ...) NOT-FOR-US: httpbench CVE-2002-1817 (Unknown vulnerability in Veritas Cluster Server (VCS) 1.2 for WindowsN ...) NOT-FOR-US: Veritas CVE-2002-1816 (Off-by-one buffer overflow in the sock_gets function in sockhelp.c for ...) NOT-FOR-US: ATPhttpd CVE-2002-1815 (Directory traversal vulnerability in source.php and source.cgi in Aquo ...) NOT-FOR-US: Aquonics CVE-2002-1814 (Buffer overflow in efstools in Bonobo, when installed setuid, allows l ...) - bonobo (efstool not suid on Debian) CVE-2002-1813 (Directory traversal vulnerability in AOL Instant Messenger (AIM) 4.8.2 ...) NOT-FOR-US: AIM CVE-2002-1812 (Buffer overflow in gdam123 0.933 and 0.942 allows local users to execu ...) NOT-FOR-US: gdam123 CVE-2002-1811 (Belkin F5D6130 Wireless Network Access Point running firmware AP14G8 a ...) NOT-FOR-US: Belkin F5D6130 Wireless Network Access Point CVE-2002-1810 (D-Link DWL-900AP+ Access Point 2.1 and 2.2 allows remote attackers to ...) NOT-FOR-US: D-Link DWL-900AP+ Access Point CVE-2002-1809 (The default configuration of the Windows binary release of MySQL 3.23. ...) NOT-FOR-US: MySQL windows binary CVE-2002-1808 (Cross-site scripting (XSS) vulnerability in Meunity Community System 1 ...) NOT-FOR-US: Meunity CVE-2002-1807 (Cross-site scripting (XSS) vulnerability in phpWebSite 0.8.3 allows re ...) NOT-FOR-US: phpWebSite CVE-2002-1806 (Cross-site scripting (XSS) vulnerability in Drupal 4.0.0 allows remote ...) NOT-FOR-US: Drupal CVE-2002-1805 (Cross-site scripting (XSS) vulnerability in DaCode 1.2.0 allows remote ...) - dacode (bug #322605; low) [sarge] - dacode (Minor issue; attacker would need to bypass moderator review/approval) NOTE: Sarge is affected (has same version as testing/unstable) CVE-2002-1804 (Cross-site scripting (XSS) vulnerability in NPDS 4.8 allows remote att ...) NOT-FOR-US: NPDS CVE-2002-1803 (Cross-site scripting (XSS) vulnerability in PHP-Nuke 6.0 allows remote ...) NOT-FOR-US: PHP-Nuke CVE-2002-1802 (Cross-site scripting (XSS) vulnerability in Xoops 1.0 RC3 allows remot ...) NOT-FOR-US: Xoops CVE-2002-1801 (ImageFolio 2.23 through 2.27 allows remote attackers to obtain sensiti ...) NOT-FOR-US: ImageFolio CVE-2002-1800 (phpRank 1.8 stores the administrative password in plaintext on the ser ...) NOT-FOR-US: phpRank CVE-2002-1799 (Cross-site scripting (XSS) vulnerability in phpRank 1.8 allows remote ...) NOT-FOR-US: phpRank CVE-2002-1798 (MidiCart PHP, PHP Plus, and PHP Maxi allows remote attackers to (1) up ...) NOT-FOR-US: MidiCart CVE-2002-1797 (ChaiVM for HP color LaserJet 4500 and 4550 or HP LaserJet 4100 and 815 ...) NOT-FOR-US: ChaiVM CVE-2002-1796 (ChaiVM EZloader for HP color LaserJet 4500 and 4550 and HP LaserJet 41 ...) NOT-FOR-US: ChaiVM CVE-2002-1795 (Cross-site scripting (XSS) vulnerability in connect.asp in Microsoft T ...) NOT-FOR-US: Microsoft CVE-2002-1794 (Unknown vulnerability in pam_authz in the LDAP-UX Integration product ...) NOT-FOR-US: HP ldapux-pamauthz CVE-2002-1793 (HTTP Server mod_ssl module running on HP-UX 11.04 with Virtualvault OS ...) NOT-FOR-US: HP Virtualvault OS CVE-2002-1792 (Buffer overflow in Fake Identd 0.9 through 1.4 allows remote attackers ...) NOT-FOR-US: Fake Identd CVE-2002-1791 (SGI IRIX 6.5 through 6.5.17 creates temporary desktop files with world ...) NOT-FOR-US: SGI IRIX CVE-2002-1790 (The SMTP service in Microsoft Internet Information Services (IIS) 4.0 ...) NOT-FOR-US: microsoft CVE-2002-1789 (Format string vulnerability in newsx NNTP client before 1.4.8 allows l ...) - newsx 1.4pl6.0-2 CVE-2002-1788 (Format string vulnerability in the nn_exitmsg function in nn 6.6.0 thr ...) - nn 6.6.4-1 CVE-2002-1787 (Buffer overflow in uux in eoe.sw.uucp package of SGI IRIX 6.5 through ...) NOT-FOR-US: SGI IRIX CVE-2002-1786 (SGI IRIX 6.5 through 6.5.14 applies a umask of 022 to root core dumps, ...) NOT-FOR-US: SGI IRIX CVE-2002-1785 (Cross-site scripting (XSS) vulnerability in Zeus Administration Server ...) NOT-FOR-US: Zeus Administration Server CVE-2002-1784 (Unknown vulnerability in inetd in HP Tru64 Unix 4.0f through 5.1a allo ...) NOT-FOR-US: HP Tru64 CVE-2002-1783 (CRLF injection vulnerability in PHP 4.2.1 through 4.2.3, when allow_ur ...) - php4 4:4.3.10-15 CVE-2000-1227 (Windows NT 4.0 and Windows 2000 hosts allow remote attackers to cause ...) NOT-FOR-US: microsoft CVE-2005-2053 (Just another flat file (JAF) CMS before 3.0 Final allows remote attack ...) NOT-FOR-US: JAF CMS CVE-2005-2052 (Heap-based buffer overflow in vidplin.dll in RealPlayer 10 and 10.5 (6 ...) NOT-FOR-US: Real Player NOTE: This didn't affected Helix, although the changelog claimed so, see NOTE: http://service.real.com/help/faq/security/050623_player/EN/ CVE-2005-2051 (Buffer overflow in the VERITAS Backup Exec Web Administration Console ...) NOT-FOR-US: BEWAC CVE-2005-2050 (Unknown vulnerability in Tor before 0.1.0.10 allows remote attackers t ...) - tor 0.0.9.10-1 (medium) CVE-2005-2049 (Multiple SQL injection vulnerabilities in DUware DUclassmate 1.2 allow ...) NOT-FOR-US: Duware CVE-2005-2048 (Multiple SQL injection vulnerabilities in DUware DUforum 3.1, and poss ...) NOT-FOR-US: Duware CVE-2005-2047 (Multiple SQL injection vulnerabilities in DUware DUpaypal Pro 3.0 allo ...) NOT-FOR-US: Duware CVE-2005-2046 (Multiple SQL injection vulnerabilities in DUware DUamazon Pro 3.0 and ...) NOT-FOR-US: Duware CVE-2005-2045 (Multiple SQL injection vulnerabilities in DUware DUportal PRO 3.4.3 al ...) NOT-FOR-US: Duware CVE-2005-2044 (Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.4.3 an ...) NOT-FOR-US: ATutor CVE-2005-2043 (Directory traversal vulnerability in XAMPP before 1.4.14 allows remote ...) NOT-FOR-US: XAMPP CVE-2005-2042 (Cross-site scripting (XSS) vulnerability in ajax-spell before 1.8 allo ...) NOT-FOR-US: ajax-spell CVE-2005-2041 (Buffer overflow in addschup in HAURI ViRobot 2.0, and possibly other p ...) NOT-FOR-US: ViRobot CVE-2005-2040 (Multiple buffer overflows in the getterminaltype function in telnetd f ...) {DSA-758-1} - heimdal 0.6.3-11 (bug #315065; bug #315086; high) CVE-2005-2039 (Unknown vulnerability in "various plugins" for NanoBlogger 3.2.1 and e ...) - nanoblogger (3.1 version in Debian was not affected by this vulnerability, see #315492) CVE-2005-2038 (Fortibus CMS 4.0.0 allows remote attackers to modify information of ot ...) NOT-FOR-US: Fortibus CMS CVE-2005-2037 (Multiple SQL injection vulnerabilities in Fortibus CMS 4.0.0 allow rem ...) NOT-FOR-US: Fortibus CMS CVE-2005-2036 (modifyUser.asp in Cool Cafe (Cool Café) Chat 1.2.1 allows remote ...) NOT-FOR-US: Cool Cafe Chat CVE-2005-2035 (SQL injection vulnerability in login.asp for Cool Cafe (Cool Café ...) NOT-FOR-US: Cool Cafe Chat CVE-2005-2034 (Cross-site scripting (XSS) vulnerability in folderview.asp for BlueCol ...) NOT-FOR-US: iGallery CVE-2005-2033 (Directory traversal vulnerability in folderview.asp for Blue-Collar Pr ...) NOT-FOR-US: iGallery CVE-2005-2032 (Unknown vulnerability in lpadmin on Sun Solaris 7, 8, and 9 allows loc ...) NOT-FOR-US: Solaris CVE-2005-2031 (Multiple SQL injection vulnerabilities in socialMPN allow remote attac ...) NOT-FOR-US: socialMPN CVE-2005-2030 (Ultimate PHP Board (UPB) 1.9.6 GOLD uses weak encryption for passwords ...) NOT-FOR-US: Ultimate PHP Board CVE-2005-2029 (amaroK Web Frontend 1.3 stores the globals.inc file under the web root ...) NOT-FOR-US: external script that allow interaction between amarok and a browser CVE-2005-2028 (SQL injection vulnerability in index.php for MercuryBoard 1.1.4 and ea ...) NOT-FOR-US: MercuryBoard CVE-2005-2027 (Enterasys Vertical Horizon VH-2402S before firmware 2.05.05.09 does no ...) NOT-FOR-US: Enterasys hardware issue CVE-2005-2026 (Enterasys Vertical Horizon VH-2402S before firmware 2.05.05.09 has a h ...) NOT-FOR-US: Enterasys hardware issue CVE-2005-2025 (Cisco VPN 3000 Concentrator before 4.1.7.F allows remote attackers to ...) NOT-FOR-US: Cisco CVE-2005-2024 (Vipul Razor Agents (razor-agents) before 2.70 allows remote attackers ...) {DSA-738-1} NOTE: varying and apparently innacurate info about what versions fix it - razor 2.720-1 (low) CVE-2005-2023 (The send_pinentry_environment function in asshelp.c in gpg2 on SUSE Li ...) - gnupg2 1.9.15-1 CVE-2005-2022 (Unknown vulnerability in Webmail in iPlanet Messaging Server 5.2 Patch ...) NOT-FOR-US: iPlanet CVE-2005-2021 (Cross-site scripting (XSS) vulnerability in cPanel 9.1 and earlier all ...) NOT-FOR-US: cPanel CVE-2005-2020 (Directory traversal vulnerability in the web server for 3Com Network S ...) NOT-FOR-US: 3com Network Supervisor CVE-2005-2019 (ipfw in FreeBSD 5.4, when running on Symmetric Multi-Processor (SMP) o ...) NOT-FOR-US: FreeBSD ipfw CVE-2005-2018 RESERVED CVE-2005-2017 (Symantec AntiVirus 9 Corporate Edition allows local users to gain priv ...) NOT-FOR-US: Symantec AntiVirus CVE-2005-2016 RESERVED CVE-2005-2015 RESERVED CVE-2005-2014 (The "upload a language pack" feature in paFAQ 1.0 Beta 4 allows remote ...) NOT-FOR-US: paFAQ CVE-2005-2013 (paFAQ 1.0 Beta 4 allows remote attackers to obtain sensitive informati ...) NOT-FOR-US: paFAQ CVE-2005-2012 (Multiple SQL injection vulnerabilities in login in paFAQ 1.0 Beta 4 al ...) NOT-FOR-US: paFAQ CVE-2005-2011 (Multiple cross-site scripting (XSS) vulnerabilities in paFAQ 1.0 Beta ...) NOT-FOR-US: paFAQ CVE-2005-2010 (Cross-site scripting (XSS) vulnerability in trackback.asp in Ublog Rel ...) NOT-FOR-US: Ublog Reload CVE-2005-2009 (Multiple SQL injection vulnerabilities in Ublog Reload 1.0.5 allow rem ...) NOT-FOR-US: Ublog Reload CVE-2005-2008 (Yaws Webserver 1.55 and earlier allows remote attackers to obtain the ...) - yaws 1.56-1 (low) CVE-2005-2007 (Directory traversal vulnerability in Edgewall Trac 0.8.3 and earlier a ...) - trac 0.8.4-1 (bug #315145) [sarge] - trac 0.8.1-3sarge1 CVE-2005-2006 (JBOSS 3.2.2 through 3.2.7 and 4.0.2 allows remote attackers to obtain ...) NOT-FOR-US: JBOSS CVE-2005-2005 (Ultimate PHP Board (UPB) 1.9.6 GOLD and earlier stores the users.dat f ...) NOT-FOR-US: Ultimate PHP Board CVE-2005-2004 (Multiple cross-site scripting vulnerabilities in Ultimate PHP Board (U ...) NOT-FOR-US: Ultimate PHP Board CVE-2005-2003 (Ultimate PHP Board (UPB) 1.9.6 GOLD allows remote attackers to obtain ...) NOT-FOR-US: Ultimate PHP Board CVE-2005-2002 (SQL injection vulnerability in content.php in Mambo 4.5.2.2 and earlie ...) NOT-FOR-US: Mambo CVE-2005-2001 (Directory traversal vulnerability in pafiledb.php in paFileDB 3.1 and ...) NOT-FOR-US: paFileDB CVE-2005-2000 (Multiple SQL injection vulnerabilities in paFileDB 3.1 and earlier all ...) NOT-FOR-US: paFileDB CVE-2005-1999 (Multiple cross-site scripting (XSS) vulnerabilities in pafiledb.php in ...) NOT-FOR-US: paFileDB CVE-2005-1998 (Directory traversal vulnerability in admin.php in McGallery 1.1 allows ...) NOT-FOR-US: McGallery CVE-2005-1997 (show.php in McGallery 1.1 allows remote attackers to connect to arbitr ...) NOT-FOR-US: McGallery CVE-2005-1996 (PHP remote file inclusion vulnerability in start.php in Bitrix Site Ma ...) NOT-FOR-US: Bitrix Site Manager CVE-2005-1995 (Bitrix Site Manager 4.0.x allows remote attackers to obtain sensitive ...) NOT-FOR-US: Bitrix Site Manager CVE-2005-1994 (Finjan SurfinGate 7.0SP2 and SP3 allows remote attackers to download b ...) NOT-FOR-US: Finjan SurfinGate CVE-2005-1993 (Race condition in sudo 1.3.1 up to 1.6.8p8, when the ALL pseudo-comman ...) {DSA-735-2 DSA-735-1} - sudo 1.6.8p9-1 (bug #315718; bug #315115; medium) CVE-2005-1992 (The XMLRPC server in utils.rb for the ruby library (libruby) 1.8 sets ...) {DSA-748-1} - ruby1.8 1.8.2-8 (bug #315064; medium) - ruby1.9 1.9.0+20050623-1 (bug #315064; medium) CVE-2005-1991 RESERVED CVE-2005-1990 (Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to cause a ...) NOT-FOR-US: MSIE CVE-2005-1989 (Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows re ...) NOT-FOR-US: MSIE CVE-2005-1988 (Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows re ...) NOT-FOR-US: MSIE CVE-2005-1987 (Buffer overflow in Collaboration Data Objects (CDO), as used in Micros ...) NOT-FOR-US: Microsoft CVE-2005-1986 RESERVED CVE-2005-1985 (The Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, X ...) NOT-FOR-US: Microsoft CVE-2005-1984 (Buffer overflow in the Print Spooler service (Spoolsv.exe) for Microso ...) NOT-FOR-US: Spoolsv.exe CVE-2005-1983 (Stack-based buffer overflow in the Plug and Play (PnP) service for Mic ...) NOT-FOR-US: Microsoft CVE-2005-1982 (Unknown vulnerability in the PKINIT Protocol for Microsoft Windows 200 ...) NOT-FOR-US: Microsoft CVE-2005-1981 (Unknown vulnerability in Microsoft Windows 2000 Server and Windows Ser ...) NOT-FOR-US: Microsoft CVE-2005-1980 (Distributed Transaction Controller in Microsoft Windows allows remote ...) NOT-FOR-US: Microsoft CVE-2005-1979 (Distributed Transaction Controller in Microsoft Windows allows remote ...) NOT-FOR-US: Microsoft CVE-2005-1978 (COM+ in Microsoft Windows does not properly "create and use memory str ...) NOT-FOR-US: Microsoft CVE-2005-1977 RESERVED CVE-2005-1976 (Novell NetMail 3.5.2a, 3.5.2b, and 3.5.2c, when running on Linux, sets ...) NOT-FOR-US: Novell NetMail CVE-2002-1782 (The default configuration of University of Washington IMAP daemon (wu- ...) - uw-imap 7:2002ddebian1-2 (bug #315499; unimportant) NOTE: This only applies to very exotic setups. It's also documented in the FAQ NOTE: and if someone has such a setup she will have to recompile the package with NOTE: the security features enabled. CVE-2002-1781 (Multiple buffer overflows in DeleGate 7.7.0 through 7.8.1 allow remote ...) NOT-FOR-US: DeleGate CVE-2002-1780 (BPM Studio Pro 4.2 by ALCATech GmbH includes a webserver that allows a ...) NOT-FOR-US: BPM Studio Pro CVE-2002-1779 (The "block fragmented IP Packets" option in Symantec Norton Personal F ...) NOT-FOR-US: Norton CVE-2002-1778 (Symantec Norton Personal Firewall 2002 allows remote attackers to bypa ...) NOT-FOR-US: Norton CVE-2002-1777 (** DISPUTED ** NOTE: this issue has been disputed by the vendor. Syman ...) NOT-FOR-US: Symantec CVE-2002-1776 (** DISPUTED ** NOTE: this issue has been disputed by the vendor. Syman ...) NOT-FOR-US: Symantec CVE-2002-1775 (** DISPUTED ** NOTE: this issue has been disputed by the vendor. Syman ...) NOT-FOR-US: Symantec CVE-2002-1774 (** DISPUTED ** NOTE: this issue has been disputed by the vendor. Syman ...) NOT-FOR-US: Symantec CVE-2002-1773 (Buffer overflow in ICQ 2.6x for MacOS X 10.0 through 10.1.2 allows rem ...) NOT-FOR-US: ICQ for MacOS X CVE-2002-1772 (Novell Netware 5.0 through 5.1 may allow local users to gain "Domain A ...) NOT-FOR-US: Novell Netware CVE-2002-1771 (Matt Wright FormMail 1.9 and earlier allows remote attackers to send s ...) NOT-FOR-US: FormMail CVE-2002-1770 (Qualcomm Eudora 5.1 allows remote attackers to execute arbitrary code ...) NOT-FOR-US: Eudora CVE-2002-1769 (Microsoft Site Server 3.0 prior to SP4 installs a default user, LDAP_A ...) NOT-FOR-US: Microsoft CVE-2002-1768 (Cisco IOS 11.1 through 12.2, when HSRP support is not enabled, allows ...) NOT-FOR-US: Cisco CVE-2002-1767 (Buffer overflow in tnslsnr of Oracle 8i Database Server 8.1.5 for Linu ...) NOT-FOR-US: Oracle CVE-2002-1766 (Buffer overflow in Composer in Netscape 4.77 allows local users to ove ...) NOT-FOR-US: Netscape NOTE: didn't check mozilla CVE-2002-1765 (Evolution 1.0.3 and 1.0.4 allows remote attackers to cause a denial of ...) - evolution 1.0.5 CVE-2002-1764 (acroread in Adobe Acrobat Reader 4.05 on Linux allows local users to o ...) NOT-FOR-US: acrobat CVE-2002-1763 (The dtscreen Sun Solaris 8 CDE screensaver crashes when the "Shift" an ...) NOT-FOR-US: dtscreen Sun Solaris 8 CDE screensaver CVE-2002-1762 (Microsoft Baseline Security Analyzer (MBSA) 1.0 stores security scans ...) NOT-FOR-US: Microsoft CVE-2002-1761 (Directory traversal vulnerability in PHProjekt 2.0 through 3.1 allows ...) NOT-FOR-US: PHProjekt CVE-2002-1760 (Multiple SQL injection vulnerabilities in PHProjekt 2.0 through 3.1 al ...) NOT-FOR-US: PHProjekt CVE-2002-1759 (The upload function in PHProjekt 2.0 through 3.1 does not properly ver ...) NOT-FOR-US: PHProjekt CVE-2002-1758 (PHProjekt 2.0 through 3.1 allows remote attackers to view or modify da ...) NOT-FOR-US: PHProjekt CVE-2002-1757 (PHProjekt 2.0 through 3.1 relies on the $PHP_SELF variable for authent ...) NOT-FOR-US: PHProjekt CVE-2002-1756 (ACDSee 4.0 allows remote attackers to cause a denial of service (crash ...) NOT-FOR-US: ACDSee CVE-2002-1755 (tinc 1.0pre3 and 1.0pre4 VPN does not authenticate forwarded packets, ...) - tinc 1.0pre5 CVE-2002-1754 (Buffer overflow in Novell NetWare Client 4.80 through 4.83 allows loca ...) NOT-FOR-US: Novell NetWare CVE-2002-1753 (csNewsPro.cgi in CGIScript.net csNews Professional (csNewsPro) allows ...) NOT-FOR-US: csNews CVE-2002-1752 (csChatRBox.cgi in CGIScript.net csChat-R-Box allows remote attackers t ...) NOT-FOR-US: csChat-R-Box CVE-2002-1751 (csLiveSupport.cgi in CGIScript.net csLiveSupport allows remote attacke ...) NOT-FOR-US: csLiveSupport CVE-2002-1750 (csGuestbook.cgi in CGISCRIPT.NET csGuestbook 1.0 allows remote attacke ...) NOT-FOR-US: csGuestbook CVE-2002-1749 (Windows 2000 Terminal Services, when using the disconnect feature of t ...) NOT-FOR-US: Windows 2000 Terminal Services CVE-2002-1748 (Unknown vulnerability in Slash 2.1.x and 2.2 through 2.2.2, as used in ...) - slash 2.2.3 CVE-2002-1747 (Vtun 2.5b1 does not authenticate forwarded packets, which allows remot ...) - vtun 2.5b2 CVE-2002-1746 (Vtun 2.5b1 allows remote attackers to inject data into user sessions b ...) - vtun 2.5b2 CVE-2002-1745 (Off-by-one error in the CodeBrws.asp sample script in Microsoft IIS 5. ...) NOT-FOR-US: Microsoft CVE-2002-1744 (Directory traversal vulnerability in CodeBrws.asp in Microsoft IIS 5.0 ...) NOT-FOR-US: Microsoft CVE-2002-1743 (AOL ICQ 2002a Build 3722 allows remote attackers to cause a denial of ...) NOT-FOR-US: AOL ICQ CVE-2002-1742 (SOAP::Lite 0.50 through 0.52 allows remote attackers to load arbitrary ...) - soap-lite 0.55 CVE-2002-1741 (Directory traversal vulnerability in WorldClient.cgi in WorldClient fo ...) NOT-FOR-US: WorldClient CVE-2002-1740 (Buffer overflow in WorldClient.cgi in WorldClient in Alt-N Technologie ...) NOT-FOR-US: WorldClient CVE-2002-1739 (Alt-N Technologies Mdaemon 5.0 through 5.0.6 uses a weak encryption al ...) NOT-FOR-US: Alt-N Technologies Mdaemon CVE-2002-1738 (Alt-N Technologies MDaemon 5.0.5.0 and earlier creates a default MDaem ...) NOT-FOR-US: Alt-N Technologies Mdaemon CVE-2002-1737 (Astaro Security Linux 2.016 creates world-writable files and directori ...) NOT-FOR-US: Astaro Security Linux CVE-2002-1736 (Unknown vulnerability in CGINews before 1.06 allow remote attackers to ...) NOT-FOR-US: CGINews CVE-2002-1735 (Buffer overflow in dlogin 1.0a could allow local users to gain privile ...) NOT-FOR-US: dlogin CVE-2002-1734 (NewsPro 1.01 allows remote attackers to gain unauthorized administrato ...) NOT-FOR-US: NewsPro CVE-2002-1733 (Cross-site scripting (XSS) vulnerability in the web-based message boar ...) NOT-FOR-US: Prospero MessageBoards CVE-2002-1732 (Multiple cross-site scripting (XSS) vulnerabilities in Actinic Catalog ...) NOT-FOR-US: Actinic Catalog CVE-2002-1731 (The System Request menu in IBM AS/400 allows local users to list valid ...) NOT-FOR-US: IBM AS/400 CVE-2002-1730 (ASPjar Guestbook 1.00 allows remote attackers to delete arbitrary mess ...) NOT-FOR-US: ASPjar Guestbook CVE-2002-1729 (Cross-site scripting vulnerability (XSS) in ASPjar Guestbook 1.00 allo ...) NOT-FOR-US: ASPjar Guestbook CVE-2002-1728 (askSam Web Publisher 1.0 and 4.0 allows remote attackers to determine ...) NOT-FOR-US: askSam Web Publisher CVE-2002-1727 (Cross-site scripting vulnerability (XSS) in (1) as_web.exe and (2) as_ ...) NOT-FOR-US: askSam Web Publisher CVE-2002-1726 (secure_inc.php in PhotoDB 1.4 allows remote attackers to bypass authen ...) NOT-FOR-US: PhotoDB CVE-2002-1725 (phpimageview.php in PHPImageView 1.0 allows remote attackers to obtain ...) NOT-FOR-US: PHPImageView CVE-2002-1724 (Cross-site scripting vulnerability (XSS) in phpimageview.php for PHPIm ...) NOT-FOR-US: PHPImageView CVE-2002-1723 (Powerboards 2.2b allows remote attackers to view the full path to the ...) NOT-FOR-US: Powerboards CVE-2002-1722 (Logitech iTouch keyboards allows attackers with physical access to the ...) NOT-FOR-US: microsoft CVE-2002-1721 (Off-by-one error in alterMIME 0.1.10 and 0.1.11 allows remote attacker ...) - altermime (fixed before the first Debian upload) CVE-2002-1720 (SQL injection vulnerability in Spooky Login 2.0 through 2.5 allows rem ...) NOT-FOR-US: Spooky Login CVE-2002-1719 (Unknown vulnerability in Bavo 0.3 allows remote attackers to modify po ...) NOT-FOR-US: Bavo CVE-2002-1718 (Microsoft Internet Information Server (IIS) 5.1 may allow remote attac ...) NOT-FOR-US: microsoft CVE-2002-1717 (Microsoft Internet Information Server (IIS) 5.1 allows remote attacker ...) NOT-FOR-US: microsoft CVE-2002-1716 (The Host() function in the Microsoft spreadsheet component on Microsof ...) NOT-FOR-US: microsoft CVE-2002-1715 (SSH 1 through 3, and possibly other versions, allows local users to by ...) - openssh ("SecurityFocus staff have been unable to reproduce this vulnerability with OpenSSH version 3.1p1.") CVE-2002-1714 (Microsoft Internet Explorer 5.0 through 6.0 allows remote attackers to ...) NOT-FOR-US: microsoft CVE-2002-1713 (The Standard security setting for Mandrake-Security package (msec) in ...) NOT-FOR-US: msec CVE-2002-1712 (Microsoft Windows 2000 allows remote attackers to cause a denial of se ...) NOT-FOR-US: microsoft CVE-2002-1711 (BasiliX 1.1.0 saves attachments in a world readable /tmp/BasiliX direc ...) NOT-FOR-US: BasiliX CVE-2002-1710 (The attachment capability in Compose Mail in BasiliX Webmail 1.1.0 doe ...) NOT-FOR-US: BasiliX CVE-2002-1709 (SQL injection vulnerability in BasiliX Webmail 1.10 allows remote atta ...) NOT-FOR-US: BasiliX CVE-2002-1708 (Cross-site scripting vulnerability (XSS) in BasiliX Webmail 1.10 allow ...) NOT-FOR-US: BasiliX CVE-2002-1707 (install.php in phpBB 2.0 through 2.0.1, when "allow_url_fopen" and "re ...) - phpbb2 2.0.6c-1 CVE-2002-1706 (Cisco IOS software 11.3 through 12.2 running on Cisco uBR7200 and uBR7 ...) NOT-FOR-US: Cisco CVE-2002-1705 (Microsoft Internet Explorer 5.5 through 6.0 allows remote attackers to ...) NOT-FOR-US: microsoft CVE-2002-1704 (Zeroboard 4.1, when the "allow_url_fopen" and "register_globals" varia ...) NOT-FOR-US: Zeroboard CVE-2002-1703 (Cross-site scripting vulnerability (XSS) in auction.cgi for Mewsoft Ne ...) NOT-FOR-US: NetAuction CVE-2002-1702 (Cross-site scripting vulnerability (XSS) in DeltaScripts PHP Classifie ...) NOT-FOR-US: DeltaScripts PHP Classifieds CVE-2002-1700 (Cross-site scripting vulnerability (XSS) in the missing template handl ...) NOT-FOR-US: ColdFusion CVE-2002-1699 (SQL injection vulnerability in ASP Client Check (ASPCC) 1.3 and 1.5 al ...) NOT-FOR-US: ASP Client Check CVE-2002-1698 (Buffer overflow in Microsoft MSN Messenger Service 1.0 through 4.6 all ...) NOT-FOR-US: Microsoft CVE-2002-1697 (Electronic Code Book (ECB) mode in VTun 2.0 through 2.5 uses a weak en ...) - vtun 2.6-1 CVE-2002-1696 (Microsoft Outlook plug-in PGP version 7.0, 7.0.3, and 7.0.4 silently s ...) NOT-FOR-US: Microsoft Outlook plugin CVE-2002-1695 (Norton Internet Security 2001 opens log files with FILE_SHARE_READ and ...) NOT-FOR-US: Norton CVE-2002-1694 (Microsoft Internet Information Server (IIS) 4.0 opens log files with F ...) NOT-FOR-US: Microsoft CVE-2002-1692 (Buffer overflow in backup utility of Microsoft Windows 95 allows attac ...) NOT-FOR-US: Microsoft CVE-2002-1691 (Alcatel OmniPCX 4400 installs known user accounts and passwords in the ...) NOT-FOR-US: Alcatel hardware issue CVE-2002-1690 (Unknown vulnerability in AIX before 4.0 with unknown attack vectors an ...) NOT-FOR-US: AIX CVE-2002-1689 (Unknown vulnerability in the login program on AIX before 4.0 could all ...) NOT-FOR-US: AIX CVE-2002-1688 (The browser history feature in Microsoft Internet Explorer 5.5 through ...) NOT-FOR-US: Microsoft CVE-2002-1687 (Buffer overflow in the diagnostics library in AIX allows local users t ...) NOT-FOR-US: AIX CVE-2002-1686 (Buffer overflow in lscfg of unknown versions of AIX has unknown impact ...) NOT-FOR-US: AIX CVE-2002-1685 (Cross-site scripting vulnerability (XSS) in BadBlue Enterprise Edition ...) NOT-FOR-US: BadBlue Enterprise Edition CVE-2002-1684 (Directory traversal vulnerability in (1) Deerfield D2Gfx 1.0.2 or (2) ...) NOT-FOR-US: Deerfield D2Gfx CVE-2002-1683 (Cross-site scripting (XSS) vulnerability in BadBlue Personal Edition 1 ...) NOT-FOR-US: BadBlue Personal Edition CVE-2002-1682 (NewsReactor 1.0 uses a weak encryption scheme, which could allow local ...) NOT-FOR-US: NewsReactor CVE-2002-1681 (Cross-site scripting (XSS) vulnerability in Slashcode CVS releases Jun ...) - slash (Only present in intermediate CVS version, not released in Debian) CVE-2002-1680 (Cross-site scripting (XSS) vulnerability in CGI Online Worldweb Shoppi ...) NOT-FOR-US: COWS CVE-2002-1679 (Cross-site scripting (XSS) vulnerability in Jelsoft vBulletin 2.2.0 al ...) NOT-FOR-US: vBulletin CVE-2002-1678 (Cross-site scripting (XSS) vulnerability in memberlist.php in Jelsoft ...) NOT-FOR-US: vBulletin CVE-2002-1677 (14all.cgi 1.1p15 in mrtgconfig allows remote attackers to determine th ...) NOT-FOR-US: mrtgconfig CVE-2002-1676 (BindView NetInventory 1.0, when used with NetRC 1.0, allows local user ...) NOT-FOR-US: BindView NetInventory CVE-2002-1675 (Format string vulnerability in the Cio_PrintF function of cio_main.c i ...) NOT-FOR-US: Unreal IRCd CVE-2002-1674 (procfs on FreeBSD before 4.5 allows local users to cause a denial of s ...) - kfreebsd-source (kfreebsd/Debian uses a much more recent kernel) CVE-2002-1673 (The web interface for Webmin 0.92 does not properly quote or filter sc ...) - webmin 0.93 (medium) CVE-2002-1672 (Webmin 0.92, when installed from an RPM, creates /var/webmin with inse ...) - webmin (packaging flaw of an unknown RPM based distro) NOTE: Permissions of Debian's webmin package look sane and FHS compliant CVE-2002-1671 (Microsoft Internet Explorer 5.0, 5.01, and 5.5 allows remote attackers ...) NOT-FOR-US: Microsoft CVE-2002-1670 (Microsoft Windows XP Professional upgrade edition overwrites previousl ...) NOT-FOR-US: Microsoft CVE-2002-1669 (pkg_add in FreeBSD 4.2 through 4.4 creates a temporary directory with ...) NOT-FOR-US: FreeBSD CVE-2002-1668 (HP-UX 11.11 and earlier allows local users to cause a denial of servic ...) NOT-FOR-US: HP-UX CVE-2002-1667 (The virtual memory management system in FreeBSD 4.5-RELEASE and earlie ...) - kfreebsd-source (kfreebsd/Debian uses a much more recent kernel) CVE-2002-1666 (Unknown vulnerability in Oracle E-Business Suite 11i.1 through 11i.6 a ...) NOT-FOR-US: Oracle CVE-2001-1506 (Unknown vulnerability in the file system protection subsystem in HP Se ...) NOT-FOR-US: HP Secure OS layer CVE-2001-1505 (tinc 1.0pre3 and 1.0pre4 allows remote attackers to inject data into u ...) - tinc 1.0pre5-1 CVE-2001-1504 (Lotus Notes R5 Client 4.6 allows remote attackers to execute arbitrary ...) NOT-FOR-US: Lotus Notes CVE-2001-1503 (The finger daemon (in.fingerd) in Sun Solaris 2.5 through 8 and SunOS ...) NOT-FOR-US: Sun CVE-2001-1502 (webcart.cgi in Mountain Network Systems WebCart 8.4 allows remote atta ...) NOT-FOR-US: WebCart CVE-2001-1501 (The glob functionality in ProFTPD 1.2.1, and possibly other versions a ...) NOTE: Fix went into proftpd CVS on 2002-12-12 - proftpd 1.2.8-1 CVE-2001-1500 (ProFTPD 1.2.2rc2, and possibly other versions, does not properly verif ...) - proftpd 1.2.4-1 CVE-2001-1499 (Check Point VPN-1 4.1SP4 using SecuRemote returns different error mess ...) NOT-FOR-US: Check Point CVE-2001-1498 (Buffer overflow in mod_bf 0.2 allows local users to execute arbitrary ...) NOT-FOR-US: mod_bf CVE-2001-1497 (Microsoft Internet Explorer 4.0 through 6.0 could allow local users to ...) NOT-FOR-US: Microsoft CVE-2001-1496 (Off-by-one buffer overflow in Basic Authentication in Acme Labs thttpd ...) - thttpd 2.21 CVE-2001-1495 (network_query.php in Network Query Tool 1.0 allows remote attackers to ...) NOT-FOR-US: Network Query Tool CVE-2001-1494 (script command in the util-linux package before 2.11n allows local use ...) - util-linux 2.11n-1 CVE-2001-1492 REJECTED CVE-2001-1491 (Opera 5.11 allows remote attackers to cause a denial of service (CPU c ...) NOT-FOR-US: Opera CVE-2001-1490 (Mozilla 0.9.6 allows remote attackers to cause a denial of service (CP ...) NOTE: mozilla is quite easily DOSable with all sorts of large html NOTE: files, probably not worth following up on. CVE-2001-1489 (Microsoft Internet Explorer 6 allows remote attackers to cause a denia ...) NOT-FOR-US: Microsoft CVE-2001-1488 (Open Projects Network Internet Relay Chat (IRC) daemon u2.10.05.18 doe ...) NOT-FOR-US: Open Projects ircd CVE-2001-1487 (popauth utility in Qualcomm Qpopper 4.0 and earlier allows local users ...) - qpopper (Vulnerable code verified not present) CVE-2001-1484 (Alcatel ADSL modems allow remote attackers to access the Trivial File ...) NOT-FOR-US: Alcatel hardware issue CVE-2001-1483 (One-Time Passwords In Everything (a.k.a OPIE) 2.32 and 2.4 allows remo ...) - libpam-opie (bug #112279; unimportant) NOTE: This is documented and not really important. In contrast to passwords NOTE: used by humans [sarge] - libpam-opie (Documented shortcoming, minor impact) CVE-2001-1482 (SQL injection vulnerability in bb_memberlist.php for phpBB 1.4.2 allow ...) NOTE: phpbb was initially uploaded as version 2 or phpbb has been removed now CVE-2001-1481 (Xitami 2.4 through 2.5 b4 stores the Administrator password in plainte ...) NOT-FOR-US: Xitami CVE-2001-1480 (Java Runtime Environment (JRE) and SDK 1.2 through 1.3.0_04 allows unt ...) NOT-FOR-US: Sun Java CVE-2001-1479 (smcboot in Sun SMC (Sun Management Center) 2.0 in Solaris 8 allows loc ...) NOT-FOR-US: Sun CVE-2001-1478 (Buffer overflow in xlock in UnixWare 7.1.0 and 7.1.1 and Open Unix 8.0 ...) NOT-FOR-US: UnixWare CVE-2000-1226 (Snort 1.6, when running in straight ASCII packet logging mode or IDS m ...) - snort 1.6.1-1 CVE-2000-1225 (Xitami 2.5b installs the testcgi.exe program by default in the cgi-bin ...) NOT-FOR-US: Xitami CVE-2005-1975 (Multiple cross-site scripting (XSS) vulnerabilities in Annuaire 1Two 1 ...) NOT-FOR-US: Annuaire CVE-2005-1974 (Unspecified vulnerability in Java 2 Platform, Standard Edition (J2SE) ...) NOT-FOR-US: Sun Java CVE-2005-1973 (Java Web Start in Java 2 Platform Standard Edition (J2SE) 5.0 and 5.0 ...) NOT-FOR-US: Sun Java CVE-2005-1972 (Multiple SQL injection vulnerabilities in InteractivePHP FusionBB .11 ...) NOT-FOR-US: InteractivePHP FusionBB CVE-2005-1971 (Directory traversal vulnerability in InteractivePHP FusionBB .11 Beta ...) NOT-FOR-US: InteractivePHP FusionBB CVE-2005-1970 (Symantec pcAnywhere 10.5x and 11.x before 11.5, with "Launch with Wind ...) NOT-FOR-US: pcAnywhere CVE-2005-1969 (Cross-site scripting (XSS) vulnerability in Pragma Systems Telnetserve ...) NOT-FOR-US: Pragma Telnetserver CVE-2005-1968 (Cross-site scripting (XSS) vulnerability in ProductCart Ecommerce befo ...) NOT-FOR-US: ProductCart Ecommerce CVE-2005-1967 (Multiple SQL injection vulnerabilities in ProductCart Ecommerce before ...) NOT-FOR-US: ProductCart Ecommerce CVE-2005-1966 (The eTrace_validaddr function in eTrace plugin for e107 portal allows ...) NOT-FOR-US: e107 CVE-2005-1965 (PHP remote file inclusion vulnerability in siteframe.php for Broadpool ...) NOT-FOR-US: Broadpool Siteframe CVE-2005-1964 (PHP remote file inclusion vulnerability in utilit.php for Ovidentia Po ...) NOT-FOR-US: Ovidentia Portal CVE-2005-1963 (Cerberus Helpdesk 0.97.3 allows remote attackers to obtain sensitive i ...) NOT-FOR-US: Cerberus Helpdesk CVE-2005-1962 (Cross-site scripting (XSS) vulnerability in Cerberus Helpdesk 0.97.3 a ...) NOT-FOR-US: Cerberus Helpdesk CVE-2005-1961 (Unknown vulnerability in ObjectWeb Consortium C-JDBC before 1.3.1 allo ...) NOT-FOR-US: C-JDBC CVE-2005-1960 (The getemails function in C.J. Steele Tattle allows remote attackers t ...) NOT-FOR-US: C.J. Steele Tattle CVE-2005-1959 (jammail.pl in jamchen JamMail 1.8 allows remote attackers to execute a ...) NOT-FOR-US: JamMail CVE-2005-1958 REJECTED CVE-2005-1957 (mtnpeak.net File Upload Manager does not properly check user authentic ...) NOT-FOR-US: File Upload Manager CVE-2005-1956 (File Upload Manager allows remote attackers to upload arbitrary files ...) NOT-FOR-US: File Upload Manager CVE-2005-1955 (Cross-site scripting (XSS) vulnerability in index.php in singapore 0.9 ...) NOT-FOR-US: singapore CVE-2005-1954 (singapore 0.9.11 allows remote attackers to obtain sensitive informati ...) NOT-FOR-US: singapore CVE-2005-1953 (Heap-based buffer overflow in the CGI extension for Pico Server (pServ ...) NOT-FOR-US: Pico Server CVE-2005-1952 (Directory traversal vulnerability in Pico Server (pServ) 3.3 allows re ...) NOT-FOR-US: Pico Server CVE-2005-1951 (Multiple HTTP Response Splitting vulnerabilities in osCommerce 2.2 Mil ...) NOT-FOR-US: osCommerce CVE-2005-1950 (hints.pl in Webhints 1.03 allows remote attackers to execute arbitrary ...) NOT-FOR-US: Webhints CVE-2005-1949 (The eping_validaddr function in functions.php for the ePing plugin for ...) NOT-FOR-US: e107 CVE-2005-1948 (Multiple SQL injection vulnerabilities in Invision Gallery before 1.3. ...) NOT-FOR-US: Invision Gallery CVE-2005-1947 (Cross-site request forgery (CSRF) vulnerability in Invision Gallery be ...) NOT-FOR-US: Invision Gallery CVE-2005-1946 (Multiple SQL injection vulnerabilities in Invision Blog before 1.1.2 F ...) NOT-FOR-US: Invision Blog CVE-2005-1945 (Cross-site scripting (XSS) vulnerability in the convert_highlite_words ...) NOT-FOR-US: Invision Blog CVE-2005-1944 (xmysqladmin 1.0 and earlier allows local users to delete arbitrary fil ...) NOT-FOR-US: xmysqladmin CVE-2005-1943 (Multiple SQL injection vulnerabilities in Loki download manager 2.0 al ...) NOT-FOR-US: Loki download manager CVE-2005-1942 (Cisco switches that support 802.1x security allow remote attackers to ...) NOT-FOR-US: Cisco CVE-2005-1941 (SilverCity before 0.9.5-r1 installs (1) cgi-styler-form.py, (2) cgi-st ...) NOT-FOR-US: SilverCity CVE-2005-1940 RESERVED CVE-2005-1939 (Directory traversal vulnerability in Ipswitch WhatsUp Small Business 2 ...) NOT-FOR-US: Ipswitch WhatsUp CVE-2005-1938 REJECTED CVE-2005-1937 (A regression error in Firefox 1.0.3 and Mozilla 1.7.7 allows remote at ...) {DSA-810-1 DSA-777-1 DSA-775-1 DTSA-7-1 DTSA-8-2 DTSA-14-1} - mozilla-firefox 1.0.6-1 (medium) - mozilla 2:1.7.10-1 (medium) [woody] - mozilla (regression of a previous security fix) CVE-2004-2137 (Outlook Express 6.0, when sending multipart e-mail messages using the ...) NOT-FOR-US: Microsoft CVE-2005-1936 (Unknown vulnerability in the web server for the ESS/ Network Controlle ...) NOT-FOR-US: Xerox hardware issue CVE-2005-1935 (Heap-based buffer overflow in the BERDecBitString function in Microsof ...) NOT-FOR-US: Microsoft CVE-2005-1933 (Dashboard in Apple Mac OS X Tiger 10.4 allows attackers to execute arb ...) NOT-FOR-US: Apple CVE-2005-1934 (Gaim before 1.3.1 allows remote attackers to cause a denial of service ...) {DSA-734-1} - gaim 1:1.3.1-1 (bug #315356; low) CVE-2005-1930 (Directory traversal vulnerability in the Crystal Report component (rpt ...) NOT-FOR-US: Trend Micro ServerProtect CVE-2005-1929 (Multiple heap-based buffer overflows in (1) isaNVWRequest.dll and (2) ...) NOT-FOR-US: Trend Micro ServerProtect CVE-2005-1928 (Trend Micro ServerProtect EarthAgent for Windows Management Console 5. ...) NOT-FOR-US: Trend Micro ServerProtect CVE-2005-1927 RESERVED CVE-2005-1926 RESERVED CVE-2005-1925 (Multiple directory traversal vulnerabilities in Tikiwiki before 1.9.1 ...) NOT-FOR-US: Tikiwiki CVE-2005-1924 (The G/PGP (GPG) Plugin 2.1 and earlier for Squirrelmail allow remote a ...) NOT-FOR-US: External Squirrelmail plugin not packaged in Debian CVE-2005-1923 (The ENSURE_BITS macro in mszipd.c for Clam AntiVirus (ClamAV) 0.83, an ...) {DSA-737-1 DTSA-3-1} - clamav 0.86.1 (bug #316401; bug #316462; medium) CVE-2005-1922 (The MS-Expand file handling in Clam AntiVirus (ClamAV) before 0.86 all ...) {DSA-737-1 DTSA-3-1} - clamav 0.86.1-1 (low) CVE-2005-1921 (Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XM ...) {DSA-789-1 DSA-746-1 DSA-747-1 DSA-745-1 DTSA-15-1} - serendipity 1.0-1 - drupal 4.5.4-1 (high; bug #316362) - phpgroupware 0.9.16.006-1 (high) - egroupware 1.0.0.007-3.dfsg-1 (bug #317263; high) - phpwiki 1.3.7-4 (bug #316714; high) - php4 4:4.3.10-16 (high; bug #316447) - horde3 (horde3 ships different XMLRPC code) CVE-2005-1920 (The (1) Kate and (2) Kwrite applications in KDE KDE 3.2.x through 3.4. ...) {DSA-804-2} - kdelibs 4:3.4.2-1 (bug #319016; medium) CVE-2005-1919 REJECTED CVE-2005-1918 (The original patch for a GNU tar directory traversal vulnerability (CV ...) - tar 1.14-2.2 NOTE: 1.14-2.2 is ok, maybe Debian was not-affected anyway CVE-2005-1917 (kpopper 1.0 and earlier allows local users to create and overwrite arb ...) NOT-FOR-US: kpopper, there is a kpopper in kerberos4kth-servers, but this is not the same one CVE-2005-1916 (linki.py in ekg 2005-06-05 and earlier allows local users to overwrite ...) {DSA-760-1 DTSA-4-1} - ekg 1:1.5+20050712+1.6rc2-1 (bug #318059; bug #317027; low) CVE-2005-1915 (The log4sh_readProperties function in log4sh 1.2.5 and earlier allows ...) NOT-FOR-US: log4sh CVE-2005-1914 (CenterICQ 4.20.0 and earlier creates temporary files with predictable ...) {DSA-754-1 DTSA-2-1} - centericq 4.20.0-7 (medium) CVE-2005-1913 (The Linux kernel 2.6 before 2.6.12.1 allows local users to cause a den ...) {DTSA-16-1} - linux-2.6 2.6.12-1 (medium) - kernel-source-2.6.11 2.6.11-6 (medium) CVE-2005-1912 REJECTED CVE-2005-1911 (The fetchnews NNTP client in leafnode 1.11.2 and earlier can hang whil ...) - leafnode 1.11.3.rel-1 (bug #338886; low) [sarge] - leafnode 1.11.2.rel-1.0sarge0 CVE-2005-1910 (SQL injection vulnerability in login.asp for WWWeb Concepts Events Sys ...) NOT-FOR-US: WWWeb Concepts Events System CVE-2005-1909 (The web server control panel in 602LAN SUITE 2004 allows remote attack ...) NOT-FOR-US: 602LAN SUITE CVE-2005-1908 (Perception LiteWeb allows remote attackers to bypass access controls f ...) NOT-FOR-US: Perception LiteWeb CVE-2005-1907 (The ISA Firewall service in Microsoft Internet Security and Accelerati ...) NOT-FOR-US: Microsoft CVE-2005-1906 (SQL injection vulnerability in login.asp in livingmailing 1.3 allows r ...) NOT-FOR-US: livingmailing CVE-2005-1905 (The klif.sys driver in Kaspersky Labs Anti-Virus 5.0.227, 5.0.228, and ...) NOT-FOR-US: Kaspersky CVE-2005-1904 (SQL injection vulnerability in login.asp in JiRo's Upload System (JUS) ...) NOT-FOR-US: JiRo's Upload Systems CVE-2005-1903 (Buffer overflow in the IMAP service for SPA-PRO Mail @Solomon 4.00 all ...) NOT-FOR-US: SPA-PRO Mail CVE-2005-1902 (Directory traversal vulnerability in the IMAP service for SPA-PRO Mail ...) NOT-FOR-US: SPA-PRO Mail CVE-2005-1901 (Multiple cross-site scripting (XSS) vulnerabilities in Sawmill before ...) NOT-FOR-US: Sawmill CVE-2005-1900 (Sawmill before 7.1.6 allows remote attackers to bypass authentication ...) NOT-FOR-US: Sawmill CVE-2005-1899 (Rakkarsoft RakNet network library 2.33 and earlier, when released befo ...) NOT-FOR-US: RakNet CVE-2005-1898 (The passthrough functionality in phpThumb.php in phpThumb() before 1.5 ...) NOT-FOR-US: phpThumb CVE-2005-1897 (Unknown vulnerability in FlexCast Audio Video Streaming Server before ...) NOT-FOR-US: FlexCast CVE-2005-1896 (Directory traversal vulnerability in thumb.php in FlatNuke 2.5.3 allow ...) NOT-FOR-US: FlatNuke CVE-2005-1895 (Cross-site scripting (XSS) vulnerability in FlatNuke 2.5.3 allows remo ...) NOT-FOR-US: FlatNuke CVE-2005-1894 (Direct code injection vulnerability in FlatNuke 2.5.3 allows remote at ...) NOT-FOR-US: FlatNuke CVE-2005-1893 (FlatNuke 2.5.3 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: FlatNuke CVE-2005-1892 (FlatNuke 2.5.3 allows remote attackers to cause a denial of service or ...) NOT-FOR-US: FlatNuke CVE-2005-1891 (The GIF parser in ateimg32.dll in AOL Instant Messenger (AIM) 5.9.3797 ...) NOT-FOR-US: AOL Instant Messenger CVE-2005-1890 (Unknown vulnerability in Mortiforo before 0.9.1 allows users to access ...) NOT-FOR-US: Mortiforo CVE-2005-1889 (Unknown vulnerability in Sun ONE Application Server 6.5 SP1 Maintenanc ...) NOT-FOR-US: Sun ONE CVE-2005-1888 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.4.5 all ...) - mediawiki 1.4.9 (bug #276057) CVE-2005-1887 (Unknown vulnerability in the Sun Solaris C library (libc and libprojec ...) NOT-FOR-US: Solaris CVE-2005-1886 (Cross-site scripting (XSS) vulnerability in view.php in YaPiG 0.92b, 0 ...) NOT-FOR-US: YaPiG CVE-2005-1885 (view.php in YaPiG 0.92b, 0.93u and 0.94u allows remote attackers to ob ...) NOT-FOR-US: YaPiG CVE-2005-1884 (Directory traversal vulnerability in the (1) rmdir or (2) mkdir comman ...) NOT-FOR-US: YaPiG CVE-2005-1883 (global.php in YaPiG 0.92b allows remote attackers to include arbitrary ...) NOT-FOR-US: YaPiG CVE-2005-1882 (PHP remote file inclusion vulnerability in last_gallery.php in YaPiG 0 ...) NOT-FOR-US: YaPiG CVE-2005-1881 (upload.php in YaPiG 0.92b, 0.93u and 0.94u does not properly restrict ...) NOT-FOR-US: YaPiG CVE-2005-1880 (everybuddy 0.4.3 and earlier allows local users to overwrite arbitrary ...) NOT-FOR-US: everybuddy CVE-2005-1879 (LutelWall 0.97 and earlier allows local users to overwrite arbitrary f ...) NOT-FOR-US: LutelWall CVE-2005-1878 (GIPTables Firewall 1.1 and earlier allows local users to overwrite arb ...) NOT-FOR-US: GIPTables CVE-2005-1877 (Cross-site scripting (XSS) vulnerability in view_ticket.php in Lpanel ...) NOT-FOR-US: Lpanel CVE-2005-1876 (Direct code injection vulnerability in CuteNews 1.3.6 and earlier allo ...) NOT-FOR-US: CuteNews CVE-2005-1875 (Multiple SQL injection vulnerabilities in list.php in Exhibit Engine ( ...) NOT-FOR-US: Exhibit Engine CVE-2005-1874 (Directory traversal vulnerability in Dzip before 2.9 allows remote att ...) NOT-FOR-US: Dzip CVE-2005-1873 (Multiple buffer overflows in Crob FTP 3.6.1, and possibly earlier vers ...) NOT-FOR-US: Crob CVE-2005-1872 (Buffer overflow in the administrative console in IBM WebSphere Applica ...) NOT-FOR-US: WebSphere CVE-2005-1871 (Unknown vulnerability in the privilege system in Drupal 4.4.0 through ...) - drupal 4.5.3-1 CVE-2005-1870 (PHP remote file inclusion vulnerability in childwindow.inc.php in Popp ...) NOT-FOR-US: Popper CVE-2005-1869 (PHP remote file inclusion vulnerability in start_lobby.php in MWChat 6 ...) NOT-FOR-US: MWChat CVE-2005-1868 (I-Man 0.9, and possibly earlier versions, allows remote attackers to e ...) NOT-FOR-US: I-Man CVE-2005-1867 (Symantec Brightmail AntiSpam before 6.0.2 has a hard-coded database ad ...) NOT-FOR-US: Symantec CVE-2005-1866 (Cross-site scripting (XSS) vulnerability in calendar.php in Calendarix ...) NOT-FOR-US: Calendarix CVE-2005-1865 (Multiple SQL injection vulnerabilities in Calendarix Advanced 1.5 allo ...) NOT-FOR-US: Calendarix CVE-2005-1864 (PHP remote file inclusion vulnerability in cal_admintop.php in Calenda ...) NOT-FOR-US: Calendarix CVE-2003-1218 REJECTED CVE-2003-1217 REJECTED CVE-2005-1863 REJECTED CVE-2005-1862 REJECTED CVE-2005-1861 REJECTED CVE-2005-1860 REJECTED CVE-2005-1859 (Unknown vulnerability in arshell in the Array Service (arrayd) for SGI ...) NOT-FOR-US: arshell CVE-2005-1857 (Format string vulnerability in simpleproxy before 3.4 allows remote ma ...) {DSA-786-1} - simpleproxy 3.2-4 (medium) CVE-2005-1856 (The CD-burning feature in backup-manager 0.5.8 and earlier uses a fixe ...) {DSA-787-1} - backup-manager 0.5.8-2 (bug #315582; low) NOTE: maybe a duplicate of CVE-2005-2212, author contacted CVE-2005-1855 (Backup Manager (backup-manager) before 0.5.8 creates backup files with ...) {DSA-787-1} - backup-manager 0.5.8-2 (medium) NOTE: maybe a duplicate of CVE-2005-2211, author contacted CVE-2005-1854 (Unknown vulnerability in apt-cacher in Debian 3.1, related to "missing ...) {DSA-772-1} - apt-cacher 0.9.10 (high) CVE-2005-1853 (gopher.c in the Gopher client 3.0.5 does not properly create temporary ...) {DSA-770-1} - gopher 3.0.8 (low) CVE-2005-1852 (Multiple integer overflows in libgadu, as used in Kopete in KDE 3.2.3 ...) {DSA-767-1 DTSA-4-1} - kdenetwork 4:3.3.2-5 (bug #319443; unimportant) NOTE: Kopete embeds the vulnerable code, but it's only used as a fallback when NOTE: no shared lib version is found. As the Debian package has a dependency on NOTE: it the maintainer does not intent to fix it, see # 319443 - ekg 1:1.5+20050712+1.6rc3-1 (bug #318970; medium) CVE-2005-1851 (A certain contributed script for ekg Gadu Gadu client 1.5 and earlier ...) {DSA-760-1 DTSA-4-1} - ekg 1:1.5+20050712+1.6rc2-1 (low) CVE-2005-1850 (Certain contributed scripts for ekg Gadu Gadu client 1.5 and earlier c ...) {DSA-760-1 DTSA-4-1} - ekg 1:1.5+20050712+1.6rc2-1 (low) CVE-2005-1849 (inftrees.h in zlib 1.2.2 allows remote attackers to cause a denial of ...) {DSA-1026-1 DSA-797-2 DSA-797-1 DSA-763-1} NOTE: This is only contrib code not built in the binary packages AFAIK - zlib 1:1.2.3-1 (low) - zsync 0.4.1-1 (low) - sash 3.7-5sarge1 (low) NOTE: zsync 0.4.0-2 (mentioned in DSA-797-1) was never uploaded. CVE-2005-1848 (The dhcpcd DHCP client before 1.3.22 allows remote attackers to cause ...) {DSA-750-1} - dhcpcd 1:1.3.22pl4-22 (medium) CVE-2005-1847 (Multiple buffer overflows in YaMT before 0.5_2 allow attackers to exec ...) NOT-FOR-US: YaMT CVE-2005-1846 (Multiple directory traversal vulnerabilities in YaMT before 0.5_2 allo ...) NOT-FOR-US: YaMT CVE-2005-1845 REJECTED CVE-2005-1844 REJECTED CVE-2005-1843 (VCNative for Adobe Version Cue 1.0 and 1.0.1, as used in Creative Suit ...) NOT-FOR-US: Windows CVE-2005-1842 (VCNative for Adobe Version Cue 1.0 and 1.0.1, as used in Creative Suit ...) NOT-FOR-US: Windows CVE-2005-1841 (The control for Adobe Reader 5.0.9 and 5.0.10 on Linux, Solaris, HP-UX ...) NOT-FOR-US: acroread CVE-2005-1858 (FUSE 2.x before 2.3.0 does not properly clear previously used memory f ...) {DSA-744-1} - fuse 2.3.0-1 CVE-2005-2349 (Zoo 2.10 has Directory traversal ...) - zoo 2.10-4 (low; bug #309594) CVE-2005-2350 (Cross-site scripting (XSS) vulnerability in websieve v0.62 allows remo ...) - websieve (bug #311838; low) CVE-2005-1840 (Directory traversal vulnerability in class.layout_phpcms.php in phpCMS ...) NOT-FOR-US: phpCMS CVE-2005-1839 (Multiple SQL injection vulnerabilities in Doug Luxem Liberum Help Desk ...) NOT-FOR-US: Liberum CVE-2005-1838 (Multiple cross-site scripting vulnerabilities in castnewPost.asp in Li ...) NOT-FOR-US: Liberum CVE-2005-1837 (Fortinet firewall running FortiOS 2.x contains a hardcoded username wi ...) NOT-FOR-US: Fortinet firewall CVE-2005-1836 (NEXTWEB (i)Site allows remote attackers to cause a denial of service ( ...) NOT-FOR-US: NEXTWEB CVE-2005-1835 (NEXTWEB (i)Site stores databases under the web document root with insu ...) NOT-FOR-US: NEXTWEB CVE-2005-1834 (SQL injection vulnerability in login.asp in NEXTWEB (i)Site allows rem ...) NOT-FOR-US: NEXTWEB CVE-2005-1833 (Multiple SQL injection vulnerabilities in MyBulletinBoard (MyBB) 1.00 ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2005-1832 (Multiple cross-site scripting (XSS) vulnerabilities in MyBulletinBoard ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2005-1831 - sudo (Unreproducable, seems like a broken PAM setup on the submitter's side) CVE-2005-1830 (The DbgMsg.sys driver in Compuware SoftICE DriverStudio 3.1 and 3.2 al ...) NOT-FOR-US: SoftICE CVE-2005-1829 (Microsoft Internet Explorer 6 SP2 allows remote attackers to cause a d ...) NOT-FOR-US: Microsoft CVE-2005-1828 (D-Link DSL-504T stores usernames and passwords in cleartext in the rou ...) NOT-FOR-US: D-Link hardware issue CVE-2005-1827 (D-Link DSL-504T allows remote attackers to bypass authentication and g ...) NOT-FOR-US: D-Link hardware issue CVE-2005-1826 (Buffer overflow in HP Radia Notify Daemon 3.1.0.0 (formerly by Novadig ...) NOT-FOR-US: HP Radia CVE-2005-1825 (Multiple stack-based buffer overflows in the nvd_exec function in HP R ...) NOT-FOR-US: HP Radia CVE-2005-1824 (The sql_escape_string function in auth/sql.c for the mailutils SQL aut ...) - mailutils 1:0.6.1-2 CVE-2005-1823 (Multiple cross-site scripting (XSS) vulnerabilities in Qualiteam X-Car ...) NOT-FOR-US: Qualiteam X-Cart CVE-2005-1822 (Multiple SQL injection vulnerabilities in Qualiteam X-Cart 4.0.8 allow ...) NOT-FOR-US: Qualiteam X-Cart CVE-2005-1821 (PHP remote file inclusion vulnerability in pdl_header.inc.php in Power ...) NOT-FOR-US: PowerDownload CVE-2005-1820 (zboard.php in Zeroboard version 4.1pl2 to 4.1pl5 allows remote attacke ...) NOT-FOR-US: Zeroboard CVE-2005-1819 (Cross-site scripting (XSS) vulnerability in NikoSoft WebMail before 0. ...) NOT-FOR-US: NikoSoft WebMail CVE-2005-1818 (Multiple SQL injection vulnerabilities in NewLife Blogger before 3.3.1 ...) NOT-FOR-US: NewLife Blogger CVE-2005-1817 (Invision Power Board (IPB) 1.0 through 1.3 allows remote attackers to ...) NOT-FOR-US: Invision Power Board CVE-2005-1816 (Invision Power Board (IPB) 1.0 through 2.0.4 allows non-root admins to ...) NOT-FOR-US: Invision Power Board CVE-2005-1815 (Multiple buffer overflows in Hummingbird Connectivity inetD 10.0.0.1 a ...) NOT-FOR-US: Hummingbird Connectivity CVE-2005-1814 (Stack-based buffer overflow in PicoWebServer 1.0 allows remote attacke ...) NOT-FOR-US: PicoWebServer CVE-2005-1813 (Directory traversal vulnerability in FutureSoft TFTP Server Evaluation ...) NOT-FOR-US: FutureSoft TFTP Server CVE-2005-1812 (Multiple stack-based buffer overflows in FutureSoft TFTP Server Evalua ...) NOT-FOR-US: FutureSoft TFTP Server CVE-2005-1811 (Cross-site scripting (XSS) vulnerability in usercp.php for MyBulletinB ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2005-1810 (SQL injection vulnerability in template-functions-category.php in Word ...) - wordpress 1.5.1.2-1 CVE-2005-1809 (Sony Ericsson P900 Beamer allows remote attackers to cause a denial of ...) NOT-FOR-US: Sony hardware issue CVE-2005-1808 (Firefly Studios Stronghold 2 1.2 and earlier allows remote attackers t ...) NOT-FOR-US: Stronghold game CVE-2005-1807 (The Data function in class.smtp.php in PHPMailer 1.7.2 and earlier all ...) - libphp-phpmailer 1.73 CVE-2005-1806 (Format string vulnerability in PeerCast 0.1211 and earlier allows remo ...) NOT-FOR-US: PeerCast CVE-2005-1805 (SQL injection vulnerability in login.asp in an unknown product by Onli ...) NOT-FOR-US: Online Solutions for Educators CVE-2005-1804 (Multiple SQL injection vulnerabilities in Net Portal Dynamic System (N ...) NOT-FOR-US: Net Portal Dynamic System CVE-2005-1803 (Multiple cross-site scripting (XSS) vulnerabilities in Net Portal Dyna ...) NOT-FOR-US: Net Portal Dynamic System CVE-2005-1802 (Nortel VPN Router (aka Contivity) allows remote attackers to cause a d ...) NOT-FOR-US: Nortel hardware CVE-2005-1801 (The vCard viewer in Nokia 9500 allows attackers to cause a denial of s ...) NOT-FOR-US: Nokia hardware CVE-2005-1800 (Cross-site scripting (XSS) vulnerability in Jaws Glossary gadget 0.4 t ...) NOT-FOR-US: Jaws glossary gadget CVE-2005-1799 (Cross-site scripting (XSS) vulnerability in FreeStyle Wiki 3.5.7 and W ...) NOT-FOR-US: FreeStyle Wiki CVE-2005-1798 (Directory traversal vulnerability in ServersCheck Monitoring Software ...) NOT-FOR-US: ServersCheck CVE-2005-1797 (The design of Advanced Encryption Standard (AES), aka Rijndael, allows ...) NOTE: Cryptographic attack on AES, cannot be fixed CVE-2005-1796 (Format string vulnerability in the curses_msg function in the Ncurses ...) {DSA-749-1} - ettercap 1:0.7.1-1.1 (bug #311615) CVE-2005-1795 (The filecopy function in misc.c in Clam AntiVirus (ClamAV) before 0.85 ...) NOT-FOR-US: ClamAV on Mac OS X CVE-2005-1794 (Microsoft Terminal Server using Remote Desktop Protocol (RDP) 5.2 stor ...) NOT-FOR-US: Microsoft CVE-2005-1793 (User32.DLL in Microsoft Windows 98SE, and possibly other operating sys ...) NOT-FOR-US: Microsoft CVE-2005-1792 (Memory leak in Windows Management Instrumentation (WMI) service allows ...) NOT-FOR-US: Microsoft CVE-2005-1791 (Microsoft Internet Explorer 6 SP2 (6.0.2900.2180) crashes when the use ...) NOT-FOR-US: Microsoft CVE-2005-1790 (Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and ...) {CVE-2005-3896} NOT-FOR-US: Microsoft NOTE: The exploit causes Mozilla to crash, see CVE-2005-3896. CVE-2005-1789 (SQL injection vulnerability in SignIn.asp in India Software Solution s ...) NOT-FOR-US: India Software Solution shopping cart CVE-2005-1788 (SQL injection vulnerability in resellerresources.asp in Hosting Contro ...) NOT-FOR-US: Hosting Controller CVE-2005-1787 (setup.php in phpStat 1.5 allows remote attackers to bypass authenticat ...) NOT-FOR-US: phpStat CVE-2005-1786 (SQL injection vulnerability in admin.asp in FunkyASP AD System 1.1 all ...) NOT-FOR-US: FunkyASP CVE-2005-1785 (SQL injection vulnerability in ad/login.asp in ZonGG 1.2 allows remote ...) NOT-FOR-US: ZonGG CVE-2005-1784 (Hosting Controller 6.1 HotFix 2.0 and earlier allows remote attackers ...) NOT-FOR-US: Hosting Controller CVE-2005-1783 (BookReview beta 1.0 allows remote attackers to obtain the path of the ...) NOT-FOR-US: BookReview CVE-2005-1782 (Multiple cross-site scripting (XSS) vulnerabilities in BookReview beta ...) NOT-FOR-US: BookReview CVE-2005-1781 (Unknown vulnerability in SMTP authentication for MailEnable allows rem ...) NOT-FOR-US: MailEnable CVE-2005-1780 (SQL injection vulnerability in admin/login.asp in Active News Manager ...) NOT-FOR-US: Active News Manager CVE-2005-1779 (SQL injection vulnerability in password.asp in MaxWebPortal 1.35, 1.36 ...) NOT-FOR-US: MaxWebPortal CVE-2005-1778 (Cross-site scripting (XSS) vulnerability in readpmsg.php in PostNuke 0 ...) NOT-FOR-US: PostNuke CVE-2005-1777 (SQL injection vulnerability in readpmsg.php in PostNuke 0.750 allows r ...) NOT-FOR-US: PostNuke CVE-2005-1776 (Buffer overflow in the READ_TCP_STRING function in game_message_functi ...) NOT-FOR-US: C'Nedra CVE-2005-1775 (Terminator 3: War of the Machines 1.16 and earlier allows remote attac ...) NOT-FOR-US: Terminator game CVE-2005-1774 (WEB-DAV Linux File System (davfs2) 0.2.3 does not properly enforce Uni ...) - davfs2 0.2.4-1 (bug #310757; medium) CVE-2005-1773 (Multiple unknown vulnerabilities in L-Soft LISTSERV 14.3, 1.8e, and 1. ...) NOT-FOR-US: Listserv CVE-2005-1772 (Buffer overflow in the client cd-key hash in Terminator 3: War of the ...) NOT-FOR-US: Terminator game CVE-2005-1771 (Unknown vulnerability in HP-UX trusted systems B.11.00 through B.11.23 ...) NOT-FOR-US: HPUX CVE-2005-1770 (Buffer overflow in the Aavmker4 device driver in Avast! Antivirus 4.6 ...) NOT-FOR-US: Avast CVE-2005-1769 (Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1. ...) {DSA-756-1} - squirrelmail 2:1.4.4-6sarge1 (bug #314374; medium) CVE-2005-1768 (Race condition in the ia32 compatibility code for the execve system ca ...) {DSA-921-1} - kernel-source-2.4.27 2.4.27-11 (medium; bug #319629) CVE-2005-1767 (traps.c in the Linux kernel 2.6.x and 2.4.x executes stack segment fau ...) {DSA-922-1 DSA-921-1} - linux-2.6 2.6.12-1 - kernel-source-2.4.27 2.4.27-11 NOTE: amd64 is not supported for 2.4 (the issue is amd64 speficic) CVE-2005-1766 (Heap-based buffer overflow in rtffplin.cpp in RealPlayer 10.5 6.0.12.1 ...) {DSA-826-1} - helix-player 1.0.5-1 (bug #316276; high) NOTE: Helix Player is affected according to: NOTE: CVE-2005-1765 (syscall in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64 platform, ...) {DSA-922-1 DTSA-16-1} - linux-2.6 2.6.12-1 (medium) - kernel-source-2.4.27 CVE-2005-1764 (Linux 2.6.11 on 64-bit x86 (x86_64) platforms does not use a guard pag ...) - linux-2.6 (Fixed before upload into archive; 2.6.11) - kernel-source-2.4.27 CVE-2005-1763 (Buffer overflow in ptrace in the Linux Kernel for 64-bit architectures ...) {DSA-922-1} - linux-2.6 (Fixed before upload into archive; 2.6.12-rc5) CVE-2005-1762 (The ptrace call in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64 p ...) {DSA-922-1 DSA-921-1 DTSA-16-1} - linux-2.6 (Fixed before upload into archive; 2.6.12-rc5) - kernel-source-2.4.27 2.4.27-11 CVE-2005-1761 (Linux kernel 2.6 and 2.4 on the IA64 architecture allows local users t ...) {DSA-1018-1 DSA-922-1 DTSA-16-1} - linux-2.6 2.6.12-1 (medium) CVE-2005-1760 (sysreport 1.3.15 and earlier includes contents of the up2date file in ...) NOT-FOR-US: sysreport CVE-2005-1759 (Race condition in shtool 2.0.1 and earlier allows local users to modif ...) - shtool 2.0.1-2 (low) [sarge] - shtool (Minor issue) - mysql-ocaml 1.0.3-6 (unimportant) - php4 4:4.4.0-1 (unimportant) CVE-2005-1758 (Buffer overflow in the IMAP command continuation function in Novell Ne ...) NOT-FOR-US: Novell CVE-2005-1757 (Buffer overflow in the Modweb agent for Novell NetMail 3.52 before 3.5 ...) NOT-FOR-US: Novell CVE-2005-1756 (Cross-site scripting (XSS) vulnerability in the ModWeb agent for Novel ...) NOT-FOR-US: Novell CVE-2005-1751 (Race condition in shtool 2.0.1 and earlier allows local users to creat ...) {DSA-789-1 DTSA-15-1} - shtool 2.0.1-2 (bug #311206; low) [sarge] - shtool (Minor issue) - mysql-ocaml 1.0.3-6 (bug #314464; unimportant) - php4 4:4.3.10-16 (low) CVE-2004-2136 (dm-crypt on Linux kernel 2.6.x, when used on certain file systems with ...) - linux-2.6 2.6.10-1 (low) - linux-2.6.24 (fixed before initial upload) CVE-2004-2135 (cryptoloop on Linux kernel 2.6.x, when used on certain file systems wi ...) - linux-2.6 2.6.32-2 (unimportant) - linux-2.6.24 (unimportant) NOTE: minor issue; solution (removal of cryptoloop) would be a significant change NOTE: if backported to the stable releases NOTE: mitigation: use dm-crypt or loop-aes for disk encrytion instead of cryptoloop CVE-2004-2134 (Oracle toplink mapping workBench uses a weak encryption algorithm for ...) NOT-FOR-US: Oracle CVE-2004-2133 (Certain third-party packages for CVSup 16.1h, such as SuSE Linux, cont ...) NOT-FOR-US: CVSup third party modules CVE-2004-2132 (Directory traversal vulnerability in PJreview_Neo.cgi in PJ CGI Neo re ...) NOT-FOR-US: PJ CGI Nero CVE-2004-2131 (Stack-based buffer overflow in ontape for IBM Informix Dynamic Server ...) NOT-FOR-US: Informix Dynamic Server CVE-2004-2130 (Multiple cross-site scripting (XSS) vulnerabilities in privmsg.php in ...) - phpbb2 2.0.6d-2 CVE-2004-2129 (SurfNOW 2.2 allows remote attackers to cause a denial of service (cras ...) NOT-FOR-US: SurfNOW CVE-2004-2128 (Cross-site scripting (XSS) vulnerability in BRS WebWeaver 1.07 allows ...) NOT-FOR-US: WebWeaver CVE-2004-2127 (Directory traversal vulnerability in Web Blog 1.1 allows remote attack ...) NOT-FOR-US: Web Blog CVE-2004-2126 (The upgrade for BlackICE PC Protection 3.6 and earlier sets insecure p ...) NOT-FOR-US: BlackICE CVE-2004-2125 (Buffer overflow in blackd.exe for BlackICE PC Protection 3.6 and other ...) NOT-FOR-US: BlackICE CVE-2004-2124 (The register_globals simulation capability in Gallery 1.3.1 through 1. ...) - gallery 1.4.4-pl1-1 CVE-2004-2123 (Multiple cross-site scripting (XSS) vulnerabilities in Nextplace.com E ...) NOT-FOR-US: Nextplace CVE-2004-2122 (Cross-site scripting (XSS) vulnerability in intraforum_db.cgi in Intra ...) NOT-FOR-US: Intra Forum CVE-2004-2121 (Multiple directory traversal vulnerabilities in Borland Web Server (BW ...) NOT-FOR-US: Borland Web Server CVE-2004-2120 (Reptile Web Server allows remote attackers to cause a denial of servic ...) NOT-FOR-US: Reptile Web Server CVE-2004-2119 (Cross-site scripting (XSS) vulnerability in Tiny Server 1.1 allows rem ...) NOT-FOR-US: Tiny Server CVE-2004-2118 (Tiny Server 1.1 allows remote attackers to cause a denial of service ( ...) NOT-FOR-US: Tiny Server CVE-2004-2117 (Tiny Server 1.1 allows remote attackers to cause a denial of service ( ...) NOT-FOR-US: Tiny Server CVE-2004-2116 (Directory traversal vulnerability in Tiny Server 1.1 allows remote att ...) NOT-FOR-US: Tiny Server CVE-2004-2115 (Multiple cross-site scripting (XSS) vulnerabilities in Oracle HTTP Ser ...) NOT-FOR-US: Oracle CVE-2004-2114 (Stack-based and heap-based buffer overflows in ProxyNow! 2.75 and earl ...) NOT-FOR-US: ProxyNow! CVE-2004-2113 (Cross-site scripting (XSS) vulnerability in BremsServer 1.2.4 allows r ...) NOT-FOR-US: BremsServer CVE-2004-2112 (Directory traversal vulnerability in BremsServer 1.2.4 allows remote a ...) NOT-FOR-US: BremsServer CVE-2004-2111 (Stack-based buffer overflow in the site chmod command in Serv-U FTP Se ...) NOT-FOR-US: Serv-U FTP Server CVE-2004-2110 (SQL injection vulnerability in register.php in Phorum before 3.4.6 all ...) NOT-FOR-US: Phorum CVE-2004-2109 (Multiple cross-site scripting (XSS) vulnerabilities in (1) imagezoom.a ...) NOT-FOR-US: Q-Shop CVE-2004-2108 (Multiple SQL injection vulnerabilities in QuadComm Q-Shop allow remote ...) NOT-FOR-US: Q-Shop CVE-2004-2107 (Finjan SurfinGate 6.0 and 7.0, when running in proxy mode, does not au ...) NOT-FOR-US: Finjan SurfinGate CVE-2004-2106 (Novell NetWare Enterprise Web Server 5.1 and 6.0 allows remote attacke ...) NOT-FOR-US: Novell NetWare CVE-2004-2105 (The webacc servlet in Novell NetWare Enterprise Web Server 5.1 and 6.0 ...) NOT-FOR-US: Novell NetWare CVE-2004-2104 (Novell NetWare Enterprise Web Server 5.1 and 6.0 allows remote attacke ...) NOT-FOR-US: Novell NetWare CVE-2004-2103 (Cross-site scripting (XSS) vulnerability in Novell NetWare Enterprise ...) NOT-FOR-US: Novell NetWare CVE-2004-2102 (Cross-site scripting (XSS) vulnerability in FREESCO 2.05, a modified v ...) NOT-FOR-US: Freesco CVE-2004-2101 (The sysinfo script in GeoHttpServer allows remote attackers to cause a ...) NOT-FOR-US: GeoHttpServer CVE-2004-2100 (GeoHttpServer, when configured to authenticate users, allows remote at ...) NOT-FOR-US: GeoHttpServer CVE-2004-2099 (Buffer overflow in Need for Speed Hot Pursuit 2.0 client (NFSHP2), ver ...) NOT-FOR-US: Need for Speed game CVE-2004-2098 (Cross-site scripting (XSS) vulnerability in the banner engine (TBE) 5. ...) NOT-FOR-US: Banner engine CVE-2004-2097 (Multiple scripts on SuSE Linux 9.0 allow local users to overwrite arbi ...) - fvwm (Used mktemp) - xbase-clients (x11perfcomp uses mkdir atomically) - lvm10 (does not contain lvmcreate_initrd) CVE-2004-2096 (Cross-site scripting (XSS) vulnerability in Mephistoles httpd 0.6.0 fi ...) NOT-FOR-US: Mephistoles CVE-2004-2095 (Honeyd before 0.8 replies to TCP packets with the SYN and RST flags se ...) - honeyd 0.8-1 CVE-2004-2094 (Cross-site scripting (XSS) vulnerability in WebcamXP 1.06.945 allows r ...) NOT-FOR-US: WebcamXP CVE-2003-1216 (SQL injection vulnerability in search.php for phpBB 2.0.6 and earlier ...) - phpbb2 2.0.8a-1 CVE-2003-1215 (SQL injection vulnerability in groupcp.php for phpBB 2.0.6 and earlier ...) - phpbb2 2.0.8a-1 CVE-2002-1665 (Buffer overflow in Yahoo! Messenger before February 2002 allows remote ...) NOT-FOR-US: Yahoo Messenger CVE-2002-1664 (Yahoo! Messenger before February 2002 allows remote attackers to add a ...) NOT-FOR-US: Yahoo Messenger CVE-2005-XXXX [Unspecified issue in moodle's admin/delete.php] - moodle 1.4.4.dfsg.1-3 CVE-2005-2351 (Mutt before 1.5.20 patch 7 allows an attacker to cause a denial of ser ...) - mutt 1.5.20-7 (bug #311296; unimportant) [sarge] - mutt (Minor annoyance, not a real DoS) NOTE: An "attacker" could achieve the same by simply filling up /tmp CVE-2005-XXXX [gforge arbitrary code execution through viewFile.php] NOTE: viewFile.php has been removed along with other files in -26, so Debian is NOTE: no longer affected. - gforge 3.1-26 CVE-2005-XXXX [osh buffer overflow] - osh 1.7-13 (bug #311369) CVE-2005-XXXX [xile buffer overrun in terminal code] - zile 2.0.4-2 CVE-2005-1750 (SQL injection vulnerability in login.asp in ezdwc NewsletterEz 3.0 all ...) NOT-FOR-US: ezwdc NewsletterEz CVE-2005-1749 (Buffer overflow in BEA WebLogic Server and WebLogic Express 6.1 Servic ...) NOT-FOR-US: BEA Weblogic CVE-2005-1748 (The embedded LDAP server in BEA WebLogic Server and Express 8.1 throug ...) NOT-FOR-US: BEA Weblogic CVE-2005-1747 (Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic Se ...) NOT-FOR-US: BEA Weblogic CVE-2005-1746 (The cluster cookie parsing code in BEA WebLogic Server 7.0 through Ser ...) NOT-FOR-US: BEA Weblogic CVE-2005-1745 (The UserLogin control in BEA WebLogic Portal 8.1 through Service Pack ...) NOT-FOR-US: BEA Weblogic CVE-2005-1744 (BEA WebLogic Server and WebLogic Express 7.0 through Service Pack 5 do ...) NOT-FOR-US: BEA Weblogic CVE-2005-1743 (BEA WebLogic Server and WebLogic Express 8.1 through Service Pack 3 an ...) NOT-FOR-US: BEA Weblogic CVE-2005-1742 (BEA WebLogic Server and WebLogic Express 8.1 SP2 and SP3 allows users ...) NOT-FOR-US: BEA Weblogic CVE-2005-1741 (Gearbox Software Halo: Combat Evolved 1.6 allows remote attackers to c ...) NOT-FOR-US: Halo CVE-2005-1740 (fixproc in Net-snmp 5.x before 5.2.1-r1 creates temporary files insecu ...) - net-snmp (fixproc not installed in Debian package) CVE-2005-1739 (The XWD Decoder in ImageMagick before 6.2.2.3, and GraphicsMagick befo ...) - imagemagick 6:6.0.6.2-2.4 (bug #310690; bug #310812) CVE-2005-1738 (Format string vulnerability in the logPrintBadfile function in delbadf ...) NOT-FOR-US: Iron Bars Shell CVE-2005-1737 (Multiple unknown vulnerabilities in PROMS 0.11 allow "non-authorized u ...) NOT-FOR-US: PROMS CVE-2005-1736 (PROMS 0.11 does not properly handle "certain combinations of rights," ...) NOT-FOR-US: PROMS CVE-2005-1735 (Multiple cross-site scripting (XSS) vulnerabilities in PROMS before 0. ...) NOT-FOR-US: PROMS CVE-2005-1734 (Multiple SQL injection vulnerabilities in PROMS before 0.11 allow remo ...) NOT-FOR-US: PROMS CVE-2005-1733 (Cookie Cart stores the password file under the web document root with ...) NOT-FOR-US: Cookie Cart CVE-2005-1732 (Cookie Cart allows remote attackers to read the Order Notification lis ...) NOT-FOR-US: Cookie Cart CVE-2005-1731 REJECTED CVE-2005-1730 (Multiple vulnerabilities in the OpenSSL ASN.1 parser, as used in Novel ...) NOT-FOR-US: Novell iManager CVE-2005-1729 (Novell eDirectory 8.7.3 allows remote attackers to cause a denial of s ...) NOT-FOR-US: Novell CVE-2005-1728 (MCX Client for Apple Mac OS X 10.4.x up to 10.4.1 insecurely logs Port ...) NOT-FOR-US: Apple CVE-2005-1727 (Apple Mac OS X 10.4.x up to 10.4.1 sets insecure world- and group-writ ...) NOT-FOR-US: Apple CVE-2005-1726 (The CoreGraphics Window Server in Mac OS X 10.4.1 allows local users w ...) NOT-FOR-US: Apple CVE-2005-1725 (launchd 106 in Apple Mac OS X 10.4.x up to 10.4.1 allows local users t ...) NOT-FOR-US: Apple CVE-2005-1724 (NFS on Apple Mac OS X 10.4.x up to 10.4.1 does not properly obey the - ...) NOT-FOR-US: Apple CVE-2005-1723 (LaunchServices in Apple Mac OS X 10.4.x up to 10.4.1 does not properly ...) NOT-FOR-US: Apple CVE-2005-1722 (Unknown vulnerability in the CoreGraphics Window Server for Mac OS X 1 ...) NOT-FOR-US: Apple CVE-2005-1721 (Buffer overflow in the legacy client support for AFP Server for Mac OS ...) NOT-FOR-US: Apple CVE-2005-1720 (AFP Server for Mac OS X 10.4.1, when using an ACL enabled volume, does ...) NOT-FOR-US: Apple CVE-2005-1719 (Unknown vulnerability in ALWIL avast! antivirus 4 (4.6.6230) and earli ...) NOT-FOR-US: avast! antivirus CVE-2005-1718 (Buffer overflow in LS Games War Times 1.03 and earlier allows remote a ...) NOT-FOR-US: War Times CVE-2005-1717 (ZyXEL Prestige 650R-31 router running ZyNOS FW v3.40(KO.1) allows remo ...) NOT-FOR-US: Zyxel hardware CVE-2005-1716 (TOPo 2.2 (2.2.178) stores data files in the data directory under the w ...) NOT-FOR-US: TOPo CVE-2005-1715 (Cross-site scripting (XSS) vulnerability in index.php for TOPo 2.2 (2. ...) NOT-FOR-US: TOPo CVE-2005-1714 (Cross-site scripting (XSS) vulnerability in NetWin SurgeMail 3.0c2 all ...) NOT-FOR-US: SurgeMail CVE-2005-1713 (Multiple cross-site scripting (XSS) vulnerabilities in Serendipity 0.8 ...) NOT-FOR-US: Serendipity CVE-2005-1712 (Unknown vulnerability in Serendipity 0.8, when used with multiple auth ...) NOT-FOR-US: Serendipity CVE-2005-1711 (Gibraltar Firewall 2.2 and earlier, when using the ClamAV update to 0. ...) NOT-FOR-US: Gibraltar Firewall CVE-2005-1710 (Multiple cross-site scripting (XSS) vulnerabilities in Blue Coat Repor ...) NOT-FOR-US: Blue Coat CVE-2005-1709 (Unknown vulnerability in Blue Coat Reporter before 7.1.2 allows remote ...) NOT-FOR-US: Blue Coat CVE-2005-1708 (templates.admin.users.user_form_processing in Blue Coat Reporter befor ...) NOT-FOR-US: Blue Coat CVE-2005-1707 (The fn_show_postinst function in Gentoo webapp-config before 1.10-r14 ...) NOT-FOR-US: Gentoo CVE-2005-1706 (Unknown vulnerability in MailScanner 4.41.3 and earlier, related to "i ...) - mailscanner 4.42.9 (bug #310774; low) [sarge] - mailscanner (Minor issue) CVE-2005-1705 (gdb before 6.3 searches the current working directory to load the .gdb ...) - gdb 6.3-6 CVE-2005-1704 (Integer overflow in the Binary File Descriptor (BFD) library for gdb b ...) - gdb 6.3-6 CVE-2005-1703 (Warrior Kings: Battles 1.23 and earlier allows remote attackers to cau ...) NOT-FOR-US: Warrior Kings: Battles CVE-2005-1702 (Format string vulnerability in Warrior Kings: Battles 1.23 and earlier ...) NOT-FOR-US: Warrior Kings: Battles CVE-2005-1701 (SQL injection vulnerability in PortailPHP 1.3 allows remote attackers ...) NOT-FOR-US: PortailPHP CVE-2005-1700 (SQL injection vulnerability in pnadmin.php in the Xanthia module in Po ...) NOT-FOR-US: PostNuke CVE-2005-1699 (Directory traversal vulnerability in pnadminapi.php in the Xanthia mod ...) NOT-FOR-US: PostNuke CVE-2005-1698 (PostNuke 0.750 and 0.760RC3 allows remote attackers to obtain sensitiv ...) NOT-FOR-US: PostNuke CVE-2005-1697 (The RSS module in PostNuke 0.750 and 0.760RC2 and RC3 allows remote at ...) NOT-FOR-US: PostNuke CVE-2005-1696 (Multiple cross-site scripting (XSS) vulnerabilities in PostNuke 0.750 ...) NOT-FOR-US: PostNuke CVE-2005-1695 (Multiple cross-site scripting (XSS) vulnerabilities in the RSS module ...) NOT-FOR-US: PostNuke CVE-2005-1694 (Multiple SQL injection vulnerabilities in Xanthia.php in the Xanthia m ...) NOT-FOR-US: PostNuke CVE-2005-1693 (Integer overflow in Computer Associates Vet Antivirus library, as used ...) NOT-FOR-US: CA Antivirus CVE-2005-1692 (Format string vulnerability in gxine 0.4.1 through 0.4.4, and other ve ...) - gxine 0.4.7-0.1 (bug #310712; medium) CVE-2005-1691 (Directory traversal vulnerability in Internet Graphics Server in SAP b ...) NOT-FOR-US: SAP CVE-2005-1690 REJECTED CVE-2005-1689 (Double free vulnerability in the krb5_recvauth function in MIT Kerbero ...) {DSA-757-1} - krb5 1.3.6-4 (medium) CVE-2005-1688 (Wordpress 1.5 and earlier allows remote attackers to obtain sensitive ...) - wordpress 1.5.1-1 CVE-2005-1687 (SQL injection vulnerability in wp-trackback.php in Wordpress 1.5 and e ...) - wordpress 1.5.1-1 CVE-2005-1686 (Format string vulnerability in gedit 2.10.2 may allow attackers to cau ...) {DSA-753-1} NOTE: Only exploitable under rare circumstances - gedit 2.10.3-1 (low) CVE-2005-1685 (episodex guestbook allows remote attackers to bypass authentication an ...) NOT-FOR-US: episodex CVE-2005-1684 (Cross-site scripting (XSS) vulnerability in default.asp for episodex g ...) NOT-FOR-US: episodex CVE-2005-1683 (Buffer overflow in winword.exe 10.2627.6714 and earlier in Microsoft W ...) NOT-FOR-US: Microsoft CVE-2005-1682 NOT-FOR-US: Solstice Internet Mail Server CVE-2005-1681 (PHP remote file inclusion vulnerability in common.php in phpATM 1.21, ...) NOT-FOR-US: phpATM CVE-2005-1680 (D-Link DSL-502T, DSL-504T, DSL-562T, and DSL-G604T, when /cgi-bin/firm ...) NOT-FOR-US: D-Link hardware CVE-2005-1679 (Stack-based buffer overflow in the error directive in picasm 1.12b and ...) - picasm 1.12c-1 CVE-2005-1678 (Groove Virtual Office before 3.1 build 2338, before 3.1a build 2364, a ...) NOT-FOR-US: Groove CVE-2005-1677 (Unknown vulnerability in Groove Virtual Office before 3.1 build 2338, ...) NOT-FOR-US: Groove CVE-2005-1676 (Multiple cross-site scripting (XSS) vulnerabilities in Groove Mobile W ...) NOT-FOR-US: Groove CVE-2005-1675 (Groove Virtual Office before 3.1 build 2338, before 3.1a build 2364, a ...) NOT-FOR-US: Groove CVE-2005-1674 (Cross-Site Request Forgery (CSRF) vulnerability in Help Center Live al ...) NOT-FOR-US: Help Center Live CVE-2005-1673 (Multiple SQL injection vulnerabilities in Help Center Live allow remot ...) NOT-FOR-US: Help Center Live CVE-2005-1672 (Multiple cross-site scripting (XSS) vulnerabilities in Help Center Liv ...) NOT-FOR-US: Help Center Live CVE-2005-1671 (The Logfile feature in Yahoo! Messenger 5.x through 6.0 can be activat ...) NOT-FOR-US: Yahoo Messenger CVE-2005-1670 (Unknown vulnerability in Extreme BlackDiamond 10808 and 8800 switches ...) NOT-FOR-US: Extreme BlackDiamond hardware CVE-2005-1669 (Cross-site scripting (XSS) vulnerability in Opera 8.0 Final Build 1095 ...) NOT-FOR-US: Opera CVE-2005-1668 (YusASP Web Asset Manager 1.0 allows remote attackers to gain privilege ...) NOT-FOR-US: YusASP Web Asset Manager CVE-2005-1667 (DataTrac Activity Console 1.1 allows remote attackers to cause a denia ...) NOT-FOR-US: DataTrac Activity Console CVE-2005-1666 (Multiple buffer overflows in Orenosv HTTP/FTP Server 0.8.1 allow remot ...) NOT-FOR-US: Orenosv CVE-2005-1665 (The __VIEWSTATE functionality in Microsoft ASP.NET 1.x, when not crypt ...) NOT-FOR-US: Microsoft CVE-2005-1664 (The __VIEWSTATE functionality in Microsoft ASP.NET 1.x allows remote a ...) NOT-FOR-US: Microsoft CVE-2005-1663 (Jeuce Personal Web Server 2.13 allows remote attackers to cause a deni ...) NOT-FOR-US: Jeuce Personal Web Server CVE-2005-1662 (Directory traversal vulnerability in Jeuce Personal Web Server 2.13 al ...) NOT-FOR-US: Jeuce Personal Web Server CVE-2005-1661 (Jeuce Personal Webserver 2.13 allows remote attackers to cause a denia ...) NOT-FOR-US: Jeuce Personal Web Server CVE-2005-1660 (HTMLJunction EZGuestbook stores the guestbook.mdb file under the web d ...) NOT-FOR-US: EZGuestbook CVE-2005-1659 (Cross-site scripting (XSS) vulnerability in filemanager.cpp in MyServe ...) NOT-FOR-US: MyServer CVE-2005-1658 (Directory traversal vulnerability in filemanager.cpp in MyServer 0.8 a ...) NOT-FOR-US: MyServer CVE-2005-1657 (Multiple directory traversal vulnerabilities in Mercur Messaging 2005 ...) NOT-FOR-US: Mercur Messaging CVE-2005-1656 (Mercur Messaging 2005 SP2 allows remote attackers to read the source c ...) NOT-FOR-US: Mercur Messaging CVE-2005-1655 (AOL Instant Messenger 5.5.x and earlier allows remote attackers to cau ...) NOT-FOR-US: AOL Instant Messenger CVE-2005-1654 (Hosting Controller 6.1 Hotfix 1.9 and earlier allows remote attackers ...) NOT-FOR-US: Hosting Controller CVE-2004-2093 (Buffer overflow in the open_socket_out function in socket.c for rsync ...) - rsync 2.6.1-1 CVE-2004-2092 (eTrust InoculateIT for Linux 6.0 uses insecure permissions for multipl ...) NOT-FOR-US: InoculateIT CVE-2004-2091 (Microsoft Baseline Security Analyzer (MBSA) 1.2 does not correctly ide ...) NOT-FOR-US: Microsoft CVE-2004-2090 (Microsoft Internet Explorer 5.0.1 through 6.0 allows remote attackers ...) NOT-FOR-US: Microsoft CVE-2004-2089 (Matrix FTP Server allows remote attackers to cause a denial of service ...) NOT-FOR-US: Matrix FTP Server CVE-2004-2088 (Sophos Anti-Virus 3.78 allows remote attackers to bypass virus scannin ...) NOT-FOR-US: Sophos CVE-2004-2087 (Unknown vulnerability in SandSurfer before 1.7.0 allows remote attacke ...) NOT-FOR-US: SandSurfer CVE-2004-2086 (Stack-based buffer overflow in results.stm for Sambar Server before th ...) NOT-FOR-US: Sambar CVE-2004-2085 (Multiple cross-site scripting (XSS) vulnerabilities in Brad Fears phpC ...) NOT-FOR-US: phpcodeCabinet CVE-2004-2084 (Cross-site scripting (XSS) vulnerability in search.php in JShop E-Comm ...) NOT-FOR-US: JShop CVE-2004-2083 (Opera Web Browser 7.0 through 7.23 allows remote attackers to trick us ...) NOT-FOR-US: Opera CVE-2004-2082 (The samiftp.dll library in Sami FTP Server 1.1.3 allows remote authent ...) NOT-FOR-US: Sami FTP Server CVE-2004-2081 (The samiftp.dll library in Sami FTP Server 1.1.3 allows local users to ...) NOT-FOR-US: Sami FTP Server CVE-2004-2080 (Red-M Red-Alert 2.7.5 with software 3.1 build 24 converts multiple spa ...) NOT-FOR-US: Red-Alert CVE-2004-2079 (Red-M Red-Alert 2.7.5 with software 3.1 build 24 binds authentication ...) NOT-FOR-US: Red-Alert CVE-2004-2078 (Red-M Red-Alert 2.7.5 with software 3.1 build 24 allows remote attacke ...) NOT-FOR-US: Red-Alert CVE-2004-2077 (Nadeo Game Engine for Nadeo TrackMania and Nadeo Virtual Skipper 3 all ...) NOT-FOR-US: Nadeo CVE-2004-2076 (Cross-site scripting (XSS) vulnerability in search.php for Jelsoft vBu ...) NOT-FOR-US: Jelsoft Bulletin CVE-2004-2075 (Sophos Anti-Virus 3.78 allows remote attackers to cause a denial of se ...) NOT-FOR-US: Sophos CVE-2004-2074 (Format string vulnerability in Dream FTP 1.02 allows local users to ca ...) NOT-FOR-US: Dream FTP CVE-2004-2073 (Linux-VServer 1.24 allows local users with root privileges on a virtua ...) - kernel-patch-vserver 1.9.4-1 CVE-2004-2072 (Cross-site scripting (XSS) vulnerability in index.php for Mambo Open S ...) NOT-FOR-US: Mambo CVE-2004-2071 (Macallan Mail Solution 2.8.4.6 (Build 260), and possibly earlier versi ...) NOT-FOR-US: Macallan CVE-2003-1214 (Unknown vulnerability in the server login for VisualShapers ezContents ...) NOT-FOR-US: VisualShapers CVE-2003-1213 (The default installation of MaxWebPortal 1.30 stores the portal databa ...) NOT-FOR-US: MaxWebPortal CVE-2003-1212 (MaxWebPortal 1.30 allows remote attackers to perform unauthorized acti ...) NOT-FOR-US: MaxWebPortal CVE-2003-1211 (Cross-site scripting (XSS) vulnerability in search.asp for MaxWebPorta ...) NOT-FOR-US: PHP-Nuke CVE-2003-1210 (Multiple SQL injection vulnerabilities in the Downloads module for PHP ...) NOT-FOR-US: MaxWebPortal CVE-2003-1209 (The Post_Method function in Monkey HTTP Daemon before 0.6.2 allows rem ...) NOT-FOR-US: Monkey CVE-2003-1208 (Multiple buffer overflows in Oracle 9i 9 before 9.2.0.3 allow local us ...) NOT-FOR-US: Oracle CVE-2003-1207 (Crob FTP Server 3.5.1 allows remote authenticated users to cause a den ...) NOT-FOR-US: Crob CVE-2003-1206 (Format string vulnerability in Crob FTP Server 2.60.1 allows remote at ...) NOT-FOR-US: Crob CVE-2003-1205 (Crob FTP Server 2.60.1 allows remote authenticated users to cause a de ...) NOT-FOR-US: Crob CVE-2003-1204 (Multiple cross-site scripting (XSS) vulnerabilities in Mambo Site Serv ...) NOT-FOR-US: Mambo CVE-2003-1203 (Cross-site scripting (XSS) vulnerability in index.php for Mambo Site S ...) NOT-FOR-US: Mambo CVE-2002-1663 (The Post_Method function in method.c for Monkey HTTP Daemon before 0.5 ...) NOT-FOR-US: Monkey CVE-2002-1662 (Multiple cross-site scripting (XSS) vulnerabilities in Mambo Site Serv ...) NOT-FOR-US: Mambo CVE-2000-1224 (Caucho Technology Resin 1.2 and possibly earlier allows remote attacke ...) NOT-FOR-US: Caucho Technology Resin CVE-2005-XXXX [Two DoS condition in ekg] - ekg 1:1.5+20050411-3 CVE-2005-XXXX [lcrash affected by libbfd integer overflows] - lcrash 7.0.0.pre.cvs.20050322-3 CVE-2005-XXXX [Multiple security problems in lbreakout2] - lbreakout2 2.5.2-2 CVE-2005-1653 (Cross-site scripting (XSS) vulnerability in message.htm for Woppoware ...) NOT-FOR-US: Woppoware CVE-2005-1652 (message.htm for Woppoware PostMaster 4.2.2 (build 3.2.5) allows remote ...) NOT-FOR-US: Woppoware CVE-2005-1651 (Directory traversal vulnerability in message.htm for Woppoware PostMas ...) NOT-FOR-US: Woppoware CVE-2005-1650 (The web mail service in Woppoware PostMaster 4.2.2 (build 3.2.5) gener ...) NOT-FOR-US: Woppoware CVE-2005-1649 (The IPv6 support in Windows XP SP2, 2003 Server SP1, and Longhorn, wit ...) NOT-FOR-US: Windows CVE-2005-1648 (Gurgens (GASoft) Ultimate Forum 1.0 stores the db/Genid.dat database f ...) NOT-FOR-US: GASoft CVE-2005-1647 (Gurgens (GASoft) Guest Book 2.1 stores the db/Genid.dat database file ...) NOT-FOR-US: GASoft CVE-2005-1646 (The default installation of Fastream NETFile FTP/Web Server 7.4.6, whi ...) NOT-FOR-US: Fastream NETFile CVE-2005-1645 (Keyvan1 ImageGallery stores the image.mdb database under the web docum ...) NOT-FOR-US: Keyvan1 Gallery CVE-2005-1644 (Cross-site scripting (XSS) vulnerability in guestbook.php for 1Two Liv ...) NOT-FOR-US: Livre d'Or CVE-2005-1643 (The ZCom_BitStream::Deserialize function in Zoidcom 1.0 beta 4 and ear ...) NOT-FOR-US: Zoidcom CVE-2005-1642 (SQL injection vulnerability in the verify_email function in Woltlab Bu ...) NOT-FOR-US: Woltlab Burning Board CVE-2005-1641 (mod_channel in The Ignition Project ignitionServer 0.3.0 to 0.3.6, and ...) NOT-FOR-US: Ignition Project CVE-2005-1640 (mod_channel.bas in The Ignition Project ignitionServer 0.3.0 to 0.3.6, ...) NOT-FOR-US: Ignition Project CVE-2005-1639 (SQL injection vulnerability in Sigmaweb.DLL in Sigma ISP Manager 6.6 a ...) NOT-FOR-US: Sigma CVE-2005-1638 (The _writeAttrs function in SafeHTML before 1.3.2 does not properly ha ...) NOT-FOR-US: SafeHTML CVE-2005-1637 (Multiple SQL injection vulnerabilities in NPDS 4.8 and 5.0 allow remot ...) NOT-FOR-US: NPDS CVE-2005-1636 (mysql_install_db in MySQL 4.1.x before 4.1.12 and 5.x up to 5.0.4 crea ...) {DSA-783-1} - mysql-dfsg 4.0.12-2 (bug #319526; low) - mysql-dfsg-4.1 4.1.12 (medium; bug #319526) - mysql-dfsg-5.0 5.0.11beta-3 (medium) CVE-2005-1635 (JGS-XA JGS-Portal 3.0.2 and earlier allows remote attackers to obtain ...) NOT-FOR-US: JGS-Portal CVE-2005-1634 (Multiple cross-site scripting (XSS) vulnerabilities in JGS-XA JGS-Port ...) NOT-FOR-US: JGS-Portal CVE-2005-1633 (Multiple SQL injection vulnerabilities in JGS-XA JGS-Portal 3.0.2 and ...) NOT-FOR-US: JGS-Portal CVE-2005-1632 (Cheetah 0.9.15 and 0.9.16 searches the /tmp directory for modules befo ...) - cheetah 0.9.16-1 CVE-2005-1631 (booby.php in Booby 1.0.0 and earlier allows remote attackers to view p ...) NOT-FOR-US: Booby CVE-2005-1630 (Unknown vulnerability in Attachment Mod before 2.3.13, related to a "s ...) NOT-FOR-US: phpbb attachment mod CVE-2005-1629 (SQL injection vulnerability in member.php for Photopost PHP Pro allows ...) NOT-FOR-US: Photopost CVE-2005-1628 (apage.cgi in WebAPP 0.9.9.2.1, and possibly earlier versions, allows r ...) NOT-FOR-US: WebAPP CVE-2005-1627 (Unknown vulnerability in Viewglob before 2.0.1, related to "a potentia ...) - viewglob 2.0.1-1 [sarge] - viewglob (1.x version in Sarge is not vulnerable) CVE-2005-1626 (Multiple buffer overflows in handlers.c for Pico Server (pServ) before ...) NOT-FOR-US: Pico Server CVE-2005-1625 (Stack-based buffer overflow in the UnixAppOpenFilePerform function in ...) NOT-FOR-US: Acrobat Reader CVE-2005-1624 RESERVED CVE-2005-1623 RESERVED CVE-2005-1622 (Cross-site scripting (XSS) vulnerability in productsByCategory.asp in ...) NOT-FOR-US: MetaCart CVE-2005-1621 (Directory traversal vulnerability in the pnModFunc function in pnMod.p ...) NOT-FOR-US: Postnuke mod CVE-2005-1620 (Cross-site scripting (XSS) vulnerability in Skull-Splitter Guestbook 1 ...) NOT-FOR-US: Skull-Splitter Guestbook CVE-2005-1619 (Multiple cross-site scripting (XSS) vulnerabilities in (1) start_page. ...) NOT-FOR-US: PHPMyChat CVE-2005-1618 (The YMSGR URL handler in Yahoo! Messenger 5.x through 6.0 allows remot ...) NOT-FOR-US: Yahoo Messenger CVE-2005-1617 (Willings WebCam and WebCam Lite 2.8 and earlier stores the password in ...) NOT-FOR-US: Willings WebCAM CVE-2005-1616 (viewforum.php in Ultimate PHP Board (UPB) 1.8 through 1.9.6 allows rem ...) NOT-FOR-US: Ultimate PHP Board CVE-2005-1615 (viewforum.php in Ultimate PHP Board (UPB) 1.8 through 1.9.6 may allow ...) NOT-FOR-US: Ultimate PHP Board CVE-2005-1614 (Cross-site scripting (XSS) vulnerability in viewforum.php in Ultimate ...) NOT-FOR-US: Ultimate PHP Board CVE-2005-1613 (Cross-site scripting (XSS) vulnerability in member.php in Open Bulleti ...) NOT-FOR-US: OpenBB CVE-2005-1612 (SQL injection vulnerability in read.php in Open Bulletin Board (OpenBB ...) NOT-FOR-US: OpenBB CVE-2005-1611 (Cross-site scripting (XSS) vulnerability in WebX in Web Crossing 5.x a ...) NOT-FOR-US: Web Crossing CVE-2005-1610 (Cross-site scripting (XSS) vulnerability in security.php for Tru-Zone ...) NOT-FOR-US: Tru-Zone NukeET CVE-2005-1609 (Unknown vulnerability in Sun StorEdge 6130 Arrays (SE6130) with serial ...) NOT-FOR-US: Sun StorEdge 6130 Arrays CVE-2005-1608 (Multiple unknown vulnerabilities in the Blocks module in Spidean AutoT ...) NOT-FOR-US: Spidean AutoTheme 1.7 and AT-Lite for PostNuke CVE-2005-1607 (Cross-site scripting (XSS) vulnerability in shop.cgi in Remote Cart al ...) NOT-FOR-US: Remote Cart CVE-2005-1606 (H-Sphere Winbox 2.4.2 and 2.4.3 RC1 stores sensitive information such ...) NOT-FOR-US: H-Sphere Winbox CVE-2005-1605 (Cross-site scripting (XSS) vulnerability in the guestbook for SiteStud ...) NOT-FOR-US: guestbook for SiteStudio CVE-2005-1604 (PHP Advanced Transfer Manager (phpATM) 1.21 allows remote attackers to ...) NOT-FOR-US: phpATM CVE-2005-1603 (NiteEnterprises Remote File Manager 1.0 allows remote attackers to cau ...) NOT-FOR-US: NiteEnterprises Remote File Manager CVE-2005-1602 (SQL injection vulnerability in login.asp for Net56 Browser Based File ...) NOT-FOR-US: Net56 Browser Based File Manager CVE-2005-1601 (MRO Maximo Self Service 4 and 5 stores certain information under the w ...) NOT-FOR-US: MRO Maximo Self Service CVE-2005-1600 (A "mathematical flaw" in the implementation of the El Gamal signature ...) NOT-FOR-US: LibTomCrypt CVE-2005-1599 (Cross-site scripting (XSS) vulnerability in Kryloff Technologies Subje ...) NOT-FOR-US: Kryloff Technologies Subject Search Server CVE-2005-1598 (SQL injection vulnerability in Invision Power Board (IPB) 2.0.3 and ea ...) NOT-FOR-US: Invision Power Board CVE-2005-1597 (Cross-site scripting (XSS) vulnerability in (1) search.php and (2) top ...) NOT-FOR-US: Invision Power Board CVE-2005-1596 (index.php in Fusion SBX 1.2 and earlier does not properly use the extr ...) NOT-FOR-US: Fusion SBX CVE-2005-1595 (CodeThat ShoppingCart 1.3.1 stores config.ini under the web root, whic ...) NOT-FOR-US: CodeThat ShoppingCart CVE-2005-1594 (SQL injection vulnerability in catalog.php for CodeThat ShoppingCart 1 ...) NOT-FOR-US: CodeThat ShoppingCart CVE-2005-1593 (Cross-site scripting (XSS) vulnerability in catalog.php for CodeThat S ...) NOT-FOR-US: CodeThat ShoppingCart CVE-2005-1592 (Multiple "javascript vulerabilities in BB code" in BirdBlog before 1.3 ...) NOT-FOR-US: BirdBlog CVE-2005-1591 (Unknown vulnerability in NIS+ on Solaris 7, 8, and 9 allows remote att ...) NOT-FOR-US: Solaris CVE-2005-1590 (The Altiris Client Service for Windows (ACLIENT.EXE) 6.0.88 allows loc ...) NOT-FOR-US: Altiris Client Service for Windows CVE-2004-2070 (The Altiris Client Service for Windows 5.6 SP1 Hotfix E (5.6.181) allo ...) NOT-FOR-US: Altiris Client Service for Windows CVE-2003-1197 (Cross-site scripting (XSS) vulnerability in index.php for Ledscripts.c ...) NOT-FOR-US: LedForums CVE-2003-1168 (HTTP Commander 4.0 allows remote attackers to obtain sensitive informa ...) NOT-FOR-US: HTTP Commander CVE-2005-XXXX [clamav: DoS through multiple empty Content-Disposition header lines] - clamav 0.85.1-1 (low) [sarge] - clamav 0.84-2.sarge.1 CVE-2005-XXXX [libxpm4: new s_popen() function is insecure garbage] - xfree86 4.3.0.dfsg.1-14 (bug #308783) - xorg-x11 (Xfree-specific, inspected the Subversion tree) CVE-2005-1589 (The pkt_ioctl function in the pktcdvd block device ioctl handler (pktc ...) - linux-2.6 (Fixed before upload into archive; 2.6.12-rc5) [sarge] - kernel-source-2.6.8 CVE-2005-1588 NOT-FOR-US: Quick.cart CVE-2005-1587 (Cross-site scripting (XSS) vulnerability in index.php for Quick.cart 0 ...) NOT-FOR-US: Quick.cart CVE-2005-1586 (Quick.Forum 2.1.6 stores potentially sensitive information such as use ...) NOT-FOR-US: Quick.Forum CVE-2005-1585 (Multiple SQL injection vulnerabilities in Quick.Forum 2.1.6 allow remo ...) NOT-FOR-US: Quick.Forum CVE-2005-1584 (Cross-site scripting (XSS) vulnerability in index.php for Quick.Forum ...) NOT-FOR-US: Quick.Forum CVE-2005-1583 (1Two News 1.0 allows remote attackers to (1) delete images for new sto ...) NOT-FOR-US: 1Two News CVE-2005-1582 (Cross-site scripting (XSS) vulnerability in index.php for 1Two News 1. ...) NOT-FOR-US: 1Two News CVE-2005-1581 (Cross-site scripting (XSS) vulnerability in Bug Report 1.0 allows remo ...) NOT-FOR-US: bug_list.php CVE-2005-1580 (users.ini.php in BoastMachine 3.0 does not properly restrict the types ...) NOT-FOR-US: BoastMachine CVE-2005-1579 (Apple QuickTime Player 7.0 on Mac OS X 10.4 allows remote attackers to ...) NOT-FOR-US: Apple CVE-2005-1578 (EnCase Forensic Edition 4.18a does not support Device Configuration Ov ...) NOT-FOR-US: EnCase CVE-2005-1577 (APG Technology ClassMaster does not properly restrict access to sensit ...) NOT-FOR-US: APG Classmaster CVE-2005-1576 (The file download dialog in Mozilla Firefox 0.10.1 and 1.0 for Windows ...) NOTE: appears windows specific CVE-2005-1575 (The file download dialog in Mozilla Firefox 0.10.1 and 1.0 for Windows ...) NOTE: appears windows specific CVE-2005-1574 (Windows Media Player 9 and 10, in certain cases, allows content protec ...) NOT-FOR-US: Windows CVE-2005-1573 (SQL injection vulnerability in admin_login.asp for ASP Virtual News Ma ...) NOT-FOR-US: ASP Virtual News Manager CVE-2005-1572 (ShowOff! 1.5.4 allows remote attackers to cause a denial of service (s ...) NOT-FOR-US: ShowOff CVE-2005-1571 (Multiple directory traversal vulnerabilities in ShowOff! 1.5.4 allow r ...) NOT-FOR-US: ShowOff CVE-2005-1570 (forum.asp in bttlxeForum 2.0 allows remote attackers to obtain full pa ...) NOTE: for-for-us (bttlxeForum) CVE-2005-1569 (Cross-site scripting (XSS) vulnerability in DirectTopics 2.1 and 2.2 a ...) NOT-FOR-US: DirectTopics CVE-2005-1568 (topic.php in DirectTopics 2.1 and 2.2 allows remote attackers to obtai ...) NOT-FOR-US: DirectTopics CVE-2005-1567 (SQL injection vulnerability in topic.php in DirectTopics 2.1 and 2.2 a ...) NOT-FOR-US: DirectTopics CVE-2005-1566 (Acrowave AAP-3100AR wireless router allows remote attackers to bypass ...) NOT-FOR-US: Acrowave AAP-3100AR wireless router CVE-2005-1565 (Bugzilla 2.17.1 through 2.18, 2.19.1, and 2.19.2, when a user is promp ...) [woody] - bugzilla (Only Bugzilla >= 2.17 is affected) [sarge] - bugzilla (Only Bugzilla >= 2.17 is affected) - bugzilla 2.18-7 (bug #308789; medium) CVE-2005-1564 (post_bug.cgi in Bugzilla 2.10 through 2.18, 2.19.1, and 2.19.2 allows ...) - bugzilla 2.16.7-7sarge1 CVE-2005-1563 (Bugzilla 2.10 through 2.18, 2.19.1, and 2.19.2 displays a different er ...) - bugzilla 2.16.7-7sarge1 CVE-2005-1562 (Multiple SQL injection vulnerabilities in MaxWebPortal 1.3.5 and earli ...) NOT-FOR-US: MaxWebPortal CVE-2005-1561 (Multiple cross-site scripting (XSS) vulnerabilities in post.asp in Max ...) NOT-FOR-US: MaxWebPortal CVE-2005-1560 (The SSH module in Neteyes Nexusway allows remote attackers to execute ...) NOT-FOR-US: Nexusway CVE-2005-1559 (The web module in Neteyes Nexusway allows remote attackers to execute ...) NOT-FOR-US: Nexusway CVE-2005-1558 (The web module in Neteyes Nexusway allows remote attackers to bypass a ...) NOT-FOR-US: Nexusway CVE-2005-1557 (Multiple cross-site scripting (XSS) vulnerabilities in WebApp Guestboo ...) NOT-FOR-US: WebApp Guestbook PRO CVE-2005-1556 (Gamespy cd-key validation system allows remote attackers to cause a de ...) NOT-FOR-US: Gamespy cd-key validation system CVE-2005-1555 (Cross-site scripting (XSS) vulnerability in the JRun Web Server in Col ...) NOT-FOR-US: JRun CVE-2005-1554 (SQL injection vulnerability in view_user.php in WowBB 1.6, 1.61, and 1 ...) NOT-FOR-US: WowBB CVE-2005-1553 (GeoVision Digital Video Surveillance System 6.04, 6.1 and 7.0 uses a w ...) NOT-FOR-US: GeoVision Digital Video Surveillance System CVE-2005-1552 (GeoVision Digital Video Surveillance System 6.04, 6.1 and 7.0, when se ...) NOT-FOR-US: GeoVision Digital Video Surveillance System CVE-2005-1551 (Sophos Anti-Virus 3.93 does not check downloaded files for viruses whe ...) NOT-FOR-US: Sophos Anti-Virus CVE-2005-1550 (easymsgb.pl in Easy Message Board allows remote attackers to execute a ...) NOT-FOR-US: easy message board CVE-2005-1549 (Directory traversal vulnerability in easymsgb.pl in Easy Message Board ...) NOT-FOR-US: easy message board CVE-2005-1548 (SQL injection vulnerability in index.php in Advanced Guestbook 2.3.1 a ...) NOT-FOR-US: Advanced Guestbook CVE-2005-1547 (Heap-based buffer overflow in the demo version of Bakbone Netvault, an ...) NOT-FOR-US: Bakbone Netvault CVE-2005-1546 (Buffer overflow in the PE parser in HT Editor before 0.8.0 allows remo ...) {DSA-743-1} - ht 0.8.0-3 (bug #308587) CVE-2005-1545 (Integer overflow in the ELF parser in HT Editor before 0.8.0 allows re ...) {DSA-743-1} - ht 0.8.0-3 (bug #308587) CVE-2005-1544 (Stack-based buffer overflow in libTIFF before 3.7.2 allows remote atta ...) {DSA-755-1} NOTE: CVE info about vulnerable version number is bogus - tiff 3.7.2-3 (bug #309739) - tiff3 (fixed prior to initial upload) CVE-2005-1543 (Multiple stack-based and heap-based buffer overflows in Remote Managem ...) NOT-FOR-US: Novell Zenworks CVE-2005-1542 RESERVED CVE-2005-1541 RESERVED CVE-2005-1540 RESERVED CVE-2005-1539 RESERVED CVE-2005-1538 RESERVED CVE-2005-1537 RESERVED CVE-2005-1536 RESERVED CVE-2005-1535 RESERVED CVE-2005-1534 RESERVED CVE-2005-1533 RESERVED CVE-2005-1532 (Firefox before 1.0.4 and Mozilla Suite before 1.7.8 do not properly li ...) {DSA-781-1} - mozilla-firefox 1.0.4 - mozilla 2:1.7.8 - mozilla-thunderbird 1.0.6-1 (bug #318728; high) CVE-2005-1531 (Firefox before 1.0.4 and Mozilla Suite before 1.7.8 does not properly ...) - mozilla-firefox 1.0.4 - mozilla 2:1.7.8 CVE-2005-1530 (Sophos Anti-Virus 5.0.1, with "Scan inside archive files" enabled, all ...) NOT-FOR-US: Sophos CVE-2005-1529 RESERVED CVE-2005-1528 (Untrusted search path vulnerability in the crttrap command in QNX Neut ...) NOT-FOR-US: QNX CVE-2005-1527 (Eval injection vulnerability in awstats.pl in AWStats 6.4 and earlier, ...) {DSA-892-1} - awstats 6.4-1.1 (bug #322591; bug #334833; bug #336137; medium) CVE-2005-1526 (PHP remote file inclusion vulnerability in config_settings.php in Cact ...) {DSA-764-1} - cacti 0.8.6e-1 (bug #315703; high) CVE-2005-1525 (SQL injection vulnerability in config_settings.php for Cacti before 0. ...) {DSA-764-1} - cacti 0.8.6e-1 (bug #315703; high) CVE-2005-1524 (PHP file inclusion vulnerability in top_graph_header.php in Cacti 0.8. ...) {DSA-764-1} - cacti 0.8.6e-1 (bug #315703; high) CVE-2005-1523 (Format string vulnerability in imap4d server in GNU Mailutils 0.5 and ...) {DSA-732-1} - mailutils 1:0.6.1-3 CVE-2005-1522 (The imap4d server for GNU Mailutils 0.5 and 0.6, and other versions be ...) {DSA-732-1} - mailutils 1:0.6.1-3 CVE-2005-1521 (Integer overflow in the fetch_io function of the imap4d server in GNU ...) {DSA-732-1} - mailutils 1:0.6.1-3 CVE-2005-1520 (Buffer overflow in the header_get_field_name function in header.c for ...) {DSA-732-1} - mailutils 1:0.6.1-3 CVE-2005-1519 (Squid 2.5 STABLE9 and earlier, when the DNS client port is unfiltered ...) {DSA-751-1} - squid 2.5.9-9 (bug #309504) CVE-2005-1518 (Unknown vulnerability in Solaris 7 through 9, when using Federated Nam ...) NOT-FOR-US: Solaris CVE-2005-1517 (Unknown vulnerability in Cisco Firewall Services Module (FWSM) 2.3.1 a ...) NOT-FOR-US: Cisco CVE-2005-XXXX [Buffer overflow in libotr] - libotr 2.0.2-1 CVE-2005-XXXX [vpnc: config file path security hole] - vpnc 0.3.2+SVN20050326-2 CVE-2005-XXXX [Several buffer overflows in termpkg] - termpkg 3.3-2 CVE-2005-XXXX [Integer overflow in binutils' ELF parsing] NOTE: 2.16.1cvs20050902-1 mentions this in the changelog as well, but it's NOTE: already fixed since 2.15-6 - binutils 2.15-6 CVE-2005-XXXX [kmd affected by binutils's ELF parser vulnerability] - kmd 0.9.19-1.1 CVE-2005-XXXX [unrar: opens /tmp/debug_unrar.txt] NOTE: Source package has been renamed from unrar to unrar-free - unrar-free 1:0.0.1-2 CVE-2005-1512 (The Admin panel in PwsPHP 1.2.2 does not properly verify uploaded pict ...) NOT-FOR-US: PwsPHP CVE-2005-1511 (PwsPHP 1.2.2 allows remote attackers to bypass authentication and post ...) NOT-FOR-US: PwsPHP CVE-2005-1510 (PwsPHP 1.2.2 allows remote attackers to obtain sensitive information v ...) NOT-FOR-US: PwsPHP CVE-2005-1509 (SQL injection vulnerability in profil.php in PwsPHP 1.2.2 allows remot ...) NOT-FOR-US: PwsPHP CVE-2005-1508 (Multiple cross-site scripting (XSS) vulnerabilities in PwsPHP 1.2.2 al ...) NOT-FOR-US: PwsPHP CVE-2005-1507 (Buffer overflow in the Tomcat plugin in 4d WebSTAR 5.33 and 5.4 allows ...) NOT-FOR-US: WebSTAR CVE-2005-1506 (SQL injection vulnerability in out.php in CJ Ultra (CJUltra) Plus 1.0. ...) NOT-FOR-US: CJ Ultra Plus CVE-2005-1505 (The new account wizard in Mail.app 2.0 in Mac OS 10.4, when configurin ...) NOT-FOR-US: MacOS CVE-2005-1504 (GameSpy SDK CD-Key Validation Toolkit, as used by many online games, a ...) NOT-FOR-US: GameSpy SDK CD-Key Validation Toolkit CVE-2005-1503 (Multiple SQL injection vulnerabilities in MidiCart PHP Shopping Cart a ...) NOT-FOR-US: MidiCart CVE-2005-1502 (Cross-site scripting (XSS) vulnerability in MidiCart PHP Shopping Cart ...) NOT-FOR-US: MidiCart CVE-2005-1501 (MidiCart PHP Shopping Cart allows remote attackers to obtain sensitive ...) NOT-FOR-US: MidiCart CVE-2005-1500 (Multiple SQL injection vulnerabilities in myBloggie 2.1.1 allow remote ...) NOT-FOR-US: myBloggie CVE-2005-1499 (delcomment.php in myBloggie 2.1.1 allows remote attackers to delete ar ...) NOT-FOR-US: myBloggie CVE-2005-1498 (Multiple cross-site scripting (XSS) vulnerabilities in myBloggie 2.1.1 ...) NOT-FOR-US: myBloggie CVE-2005-1497 (index.php in myBloggie 2.1.1 allows remote attackers to obtain sensiti ...) NOT-FOR-US: myBloggie CVE-2005-1496 (The DBMS_Scheduler in Oracle 10g allows remote attackers with CREATE J ...) NOT-FOR-US: Oracle CVE-2005-1495 (Oracle Database 9i and 10g disables Fine Grained Audit (FGA) after the ...) NOT-FOR-US: Oracle CVE-2005-1494 (Multiple cross-site scripting (XSS) vulnerabilities in admin.cgi in Me ...) NOT-FOR-US: MegaBook CVE-2005-1493 (Directory traversal vulnerability in SimpleCam 1.2 allows remote attac ...) NOT-FOR-US: SimpleCam CVE-2005-1492 (Cross-site scripting (XSS) vulnerability in user.cgi in Gossamer Threa ...) NOT-FOR-US: Gossamer Threads Links CVE-2005-1491 (Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2 allows remote auth ...) NOT-FOR-US: Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2 CVE-2005-1490 (Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2, when the mailbox. ...) NOT-FOR-US: Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2 CVE-2005-1489 (Unknown vulnerability in Merak Mail Server 8.0.3 with Icewarp Web Mail ...) NOT-FOR-US: Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2 CVE-2005-1488 (Multiple cross-site scripting (XSS) vulnerabilities in Merak Mail Serv ...) NOT-FOR-US: Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2 CVE-2005-1487 NOT-FOR-US: FishCart CVE-2005-1486 (Multiple cross-site scripting vulnerabilities in FishCart 3.1 allow re ...) NOT-FOR-US: FishCart CVE-2005-1485 (Golden FTP Server Pro 2.52 allows remote attackers to obtain sensitive ...) NOT-FOR-US: Golden FTP Server Pro CVE-2005-1484 (Directory traversal vulnerability in Golden FTP server pro 2.52 allows ...) NOT-FOR-US: Golden FTP Server Pro CVE-2005-1483 (Multiple cross-site scripting (XSS) vulnerabilities in ArticleLive 200 ...) NOT-FOR-US: ArticleLive CVE-2005-1482 (ArticleLive 2005 allows remote attackers to gain privileges by modifyi ...) NOT-FOR-US: ArticleLive CVE-2005-1481 (Multiple SQL injection vulnerabilities in Aaron Outpost ASP Inline Cor ...) NOT-FOR-US: ASP Inline Corporate Calendar CVE-2005-1480 (Directory traversal vulnerability in RaidenFTPD before 2.4.2241 allows ...) NOT-FOR-US: RaidenFTPD CVE-2005-1479 (SQL injection vulnerability in jgs_portal.php in JGS-Portal 3.0.1 and ...) NOT-FOR-US: JGS-Portal CVE-2005-1478 (Format string vulnerability in dSMTP (dsmtp.exe) in DMail 3.1a allows ...) NOT-FOR-US: DMail CVE-2005-1516 (DList (dlist.exe) in DMail 3.1a allows remote attackers to bypass auth ...) NOT-FOR-US: DMail CVE-2005-1515 (Integer signedness error in the qmail_put and substdio_put functions i ...) {DSA-4692-1 DLA-2234-1} - qmail 1.03-38 - netqmail 1.06-6.2 NOTE: https://www.openwall.com/lists/oss-security/2020/05/19/8 CVE-2005-1514 (commands.c in qmail, when running on 64 bit platforms with a large amo ...) {DSA-4692-1 DLA-2234-1} - qmail 1.03-38 - netqmail 1.06-6.2 NOTE: https://www.openwall.com/lists/oss-security/2020/05/19/8 CVE-2005-1513 (Integer overflow in the stralloc_readyplus function in qmail, when run ...) {DSA-4692-1 DLA-2234-1} - qmail 1.03-38 - netqmail 1.06-6.2 NOTE: https://www.openwall.com/lists/oss-security/2020/05/19/8 NOTE: https://www.openwall.com/lists/oss-security/2020/06/16/2 CVE-2004-2067 (SQL injection vulnerability in controlpanel.php in Jaws Framework and ...) NOT-FOR-US: JAWS CVE-2004-2066 (SQL injection vulnerability in session.php in LinPHA 0.9.4 allows remo ...) NOT-FOR-US: LinPHA CVE-2004-2065 (DansGuardian 2.8 and earlier allows remote attackers to bypass the ext ...) - dansguardian 2.5.2-0-0.1 CVE-2004-2064 (Cross-site scripting (XSS) vulnerability in lostBook 1.1 and earlier a ...) NOT-FOR-US: lostBook CVE-2004-2063 (Cross-site scripting (XSS) vulnerability in antiboard.php in AntiBoard ...) NOT-FOR-US: AntiBoard CVE-2004-2062 (SQL injection vulnerability in antiboard.php in AntiBoard 0.7.2 and ea ...) NOT-FOR-US: AntiBoard CVE-2004-2061 (RiSearch 1.0.01 and RiSearch Pro 3.2.06 allows remote attackers to use ...) NOT-FOR-US: RiSearch CVE-2004-2060 (ASPRunner 2.4 stores the database under the web root in the db directo ...) NOT-FOR-US: ASPRunner CVE-2004-2059 (Multiple cross-site scripting vulnerabilities in ASPRunner 2.4 allow r ...) NOT-FOR-US: ASPRunner CVE-2004-2058 (ASPRunner 2.4 allows remote attackers to gain sensitive information vi ...) NOT-FOR-US: ASPRunner CVE-2004-2057 (SQL injection vulnerability in ASPRunner 2.4 allows remote attackers t ...) NOT-FOR-US: ASPRunner CVE-2004-2056 (SQL injection vulnerability in action.php in Nucleus CMS 3.01 allows r ...) NOT-FOR-US: ASPRunner CVE-2004-2055 (Cross-site scripting (XSS) vulnerability in search.php for PhpBB 2.0.4 ...) - phpbb2 2.0.10-1 CVE-2004-2054 (CRLF injection vulnerability in PhpBB 2.0.4 and 2.0.9 allows remote at ...) - phpbb2 2.0.10-1 CVE-2004-2053 (PHP remote file inclusion vulnerability in index.php in EasyIns Stadtp ...) NOT-FOR-US: Easyins Stadtportal CVE-2004-2052 (eSeSIX Thintune thin clients running firmware 2.4.38 and earlier accep ...) NOT-FOR-US: eSeSIX Thintune CVE-2004-2051 (The Phoenix browser in eSeSIX Thintune thin clients running firmware 2 ...) NOT-FOR-US: eSeSIX Thintune CVE-2004-2050 (eSeSIX Thintune thin clients running firmware 2.4.38 and earlier allow ...) NOT-FOR-US: eSeSIX Thintune CVE-2004-2049 (eSeSIX Thintune thin clients running firmware 2.4.38 and earlier store ...) NOT-FOR-US: eSeSIX Thintune CVE-2004-2048 (radmin in eSeSIX Thintune thin clients running firmware 2.4.38 and ear ...) NOT-FOR-US: no_package CVE-2004-2047 (Directory traversal vulnerability in EasyWeb FileManager 1.0 RC-1 for ...) NOT-FOR-US: no_package CVE-2004-2046 (Unknown vulnerability in APC PowerChute Business Edition 6.0 through 7 ...) NOT-FOR-US: no_package CVE-2004-2045 (The HTTP administration interface on Conceptronic CADSLR1 ADSL router ...) NOT-FOR-US: no_package CVE-2004-2044 (PHP-Nuke 7.3, and other products that use the PHP-Nuke codebase such a ...) NOT-FOR-US: no_package CVE-2004-2043 (Buffer overflow in ibserver for Firebird Database 1.0 and other versio ...) {DSA-1014-1} - firebird2 1.5.3.4870-3 (bug #357580) CVE-2004-2042 (Multiple SQL injection vulnerabilities in e107 0.615 allow remote atta ...) NOT-FOR-US: no_package CVE-2004-2041 (PHP remote file inclusion vulnerability in secure_img_render.php in e1 ...) NOT-FOR-US: no_package CVE-2004-2040 (Multiple cross-site scripting (XSS) vulnerabilities in e107 0.615 allo ...) NOT-FOR-US: no_package CVE-2004-2039 (e107 0.615 allows remote attackers to obtain sensitive information via ...) NOT-FOR-US: no_package CVE-2004-2038 (Cross-site scripting (XSS) vulnerability in Land Down Under (LDU) befo ...) NOT-FOR-US: no_package CVE-2004-2037 (Buffer overflow in Mollensoft Lightweight FTP Server 3.6 allows remote ...) NOT-FOR-US: no_package CVE-2004-2036 (SQL injection vulnerability in the art_print function in print.inc.php ...) NOT-FOR-US: no_package CVE-2004-2035 (MiniShare 1.3.2 allows remote attackers to cause a denial of service ( ...) NOT-FOR-US: no_package CVE-2004-2034 (Buffer overflow in the (1) WTHoster and (2) WebDriver modules in WildT ...) NOT-FOR-US: no_package CVE-2004-2033 (Orenosv 0.5.9f allows remote attackers to cause a denial of service (c ...) NOT-FOR-US: no_package CVE-2004-2032 (Netgear RP114 allows remote attackers to bypass the keyword based URL ...) NOT-FOR-US: no_package CVE-2004-2031 (Cross-site scripting (XSS) vulnerability in user.php in e107 allows re ...) NOT-FOR-US: no_package CVE-2004-2030 (Multiple cross-site scripting (XSS) vulnerabilities in index.jsp for L ...) NOT-FOR-US: no_package CVE-2004-2029 (The Util_DecodeHTTPAuth function in BNBT BitTorrent Tracker Beta 7.5 R ...) NOT-FOR-US: no_package CVE-2004-2028 (Cross-site scripting (XSS) vulnerability in stats.php in e107 allows r ...) NOT-FOR-US: no_package CVE-2004-2027 (Buffer overflow in Icecast 2.0.0 and earlier allows remote attackers t ...) - icecast2 2.0.1.debian-1 CVE-2004-2026 (Format string vulnerability in the logmsg function in svc.c for Pound ...) - pound 1.7-1 CVE-2004-2025 (SQL injection vulnerability in application_top.php for Zen Cart 1.1.3 ...) NOT-FOR-US: no_package CVE-2004-2024 (The distribution of Zen Cart 1.1.4 before patch 2 includes certain deb ...) NOT-FOR-US: no_package CVE-2004-2023 (SQL injection vulnerability in login.php in Zen Cart 1.1.2d, 1.1.4 bef ...) NOT-FOR-US: no_package CVE-2004-2022 (ActivePerl 5.8.x and others, and Larry Wall's Perl 5.6.1 and others, w ...) NOT-FOR-US: various perls on Windows CVE-2004-2021 (Directory traversal vulnerability in file_manager.php in osCommerce 2. ...) NOT-FOR-US: osCommerce CVE-2004-2020 (Multiple cross-site scripting (XSS) vulnerabilities in Php-Nuke 6.x th ...) NOT-FOR-US: php-nuke CVE-2004-2019 (The WebLinks module in Php-Nuke 6.x through 7.3 allows remote attacker ...) NOT-FOR-US: php-nuke CVE-2004-2018 (PHP remote file inclusion vulnerability in index.php in Php-Nuke 6.x t ...) NOT-FOR-US: php-nuke CVE-2004-2017 (Multiple cross-site scripting (XSS) vulnerabilities in Turbo Traffic T ...) NOT-FOR-US: Turbo Traffic Trader C (TTT-C) CVE-2004-2016 (Stack-based buffer overflow in the HTTP server in NetChat 7.3 and earl ...) NOT-FOR-US: netchat CVE-2004-2015 (Cross-site scripting (XSS) vulnerability in WebCT Campus Edition allow ...) NOT-FOR-US: WebCT CVE-2004-2014 (Wget 1.9 and 1.9.1 allows local users to overwrite arbitrary files via ...) - wget 1.9.1-12 CVE-2004-2013 (Integer overflow in the SCTP_SOCKOPT_DEBUG_NAME SCTP socket option in ...) NOTE: kernel 2.4.23-pre5 to 2.4.25; 2.4.26 and 2.6 are reported ok CVE-2004-2012 (The systrace_exit function in the systrace utility for NetBSD-current ...) NOT-FOR-US: NetBSD CVE-2004-2011 (msxml3.dll in Internet Explorer 6.0.2600.0 allows remote attackers to ...) NOT-FOR-US: MSIE CVE-2004-2010 (PHP remote file inclusion vulnerability in index.php in phpShop 0.7.1 ...) NOT-FOR-US: phpShop CVE-2004-2009 (NukeJokes 1.7 and 2 Beta allows remote attackers to obtain the full pa ...) NOT-FOR-US: NukeJokes CVE-2004-2008 (SQL injection vulnerability in modules.php in NukeJokes 1.7 and 2 Beta ...) NOT-FOR-US: NukeJokes CVE-2004-2007 (Cross-site scripting (XSS) vulnerability in modules.php in NukeJokes 1 ...) NOT-FOR-US: NukeJokes CVE-2004-2006 (Trend Micro OfficeScan 3.0 - 6.0 has default permissions of "Everyone ...) NOT-FOR-US: OfficeScan CVE-2004-2005 (Buffer overflow in Eudora for Windows 5.2.1, 6.0.3, and 6.1 allows rem ...) NOT-FOR-US: Eudora CVE-2004-2004 (The Live CD in SUSE LINUX 9.1 Personal edition is configured without a ...) NOT-FOR-US: SUSE Live CD CVE-2004-2003 (Buffer overflow in the ssl_prcert function in the SSLway filter (sslwa ...) NOT-FOR-US: DeleGate CVE-2004-2002 (Unknown vulnerability in SGI IRIX 6.5 through 6.5.22m allows remote at ...) NOT-FOR-US: IRIX CVE-2004-2001 (ifconfig "-arp" in SGI IRIX 6.5 through 6.5.22m does not properly disa ...) NOT-FOR-US: IRIX CVE-2004-2000 (SQL injection vulnerability in the Downloads module in Php-Nuke 6.x th ...) NOT-FOR-US: Php-Nuke CVE-2004-1999 (Cross-site scripting (XSS) vulnerability in the Downloads module in Ph ...) NOT-FOR-US: Windows CVE-2004-1998 (The Downloads module in Php-Nuke 6.x through 7.2 allows remote attacke ...) NOT-FOR-US: php-nuke CVE-2004-1997 (Kolab stores OpenLDAP passwords in plaintext in the slapd.conf file, w ...) NOT-FOR-US: kolab CVE-2004-1996 (Cross-site scripting (XSS) vulnerability in Simple Machines Forum (SMF ...) NOT-FOR-US: Simple Machines Forum CVE-2004-1995 (Cross-Site Request Forgery (CSRF) vulnerability in FuseTalk 2.0 allows ...) NOT-FOR-US: FuseTalk CVE-2004-1994 (FuseTalk 4.0 allows remote attackers to ban other users via a direct r ...) NOT-FOR-US: FuseTalk CVE-2004-1993 (The patch to the checklogin function in omail.pl for omail webmail 0.9 ...) NOT-FOR-US: omail CVE-2004-1992 (Buffer overflow in Serv-U FTP server before 5.0.0.6 allows remote atta ...) NOT-FOR-US: Serv-U CVE-2004-1991 (Directory traversal vulnerability in Aldo's Web Server (aweb) 1.5 allo ...) NOT-FOR-US: aweb CVE-2004-1990 (Aldo's Web Server (aweb) 1.5 allows remote attackers to gain sensitive ...) NOT-FOR-US: aweb CVE-2004-1989 (PHP remote file inclusion vulnerability in theme.php in Coppermine Pho ...) NOT-FOR-US: Coppermine CVE-2004-1988 (PHP remote file inclusion vulnerability in init.inc.php in Coppermine ...) NOT-FOR-US: Coppermine CVE-2004-1987 (picmgmtbatch.inc.php in Coppermine Photo Gallery 1.2.2b and 1.2.0 RC4 ...) NOT-FOR-US: Coppermine CVE-2004-1986 (Directory traversal vulnerability in modules.php in Coppermine Photo G ...) NOT-FOR-US: Coppermine CVE-2004-1985 (Cross-site scripting (XSS) vulnerability in menu.inc.php in Coppermine ...) NOT-FOR-US: Coppermine CVE-2004-1984 (Coppermine Photo Gallery 1.2.2b and 1.2.0 RC4 allows remote attackers ...) NOT-FOR-US: Coppermine CVE-2004-1983 (The arch_get_unmapped_area function in mmap.c in the PaX patches for L ...) - kernel-patch-adamantix (Only affects PaX for kernel 2.6) CVE-2004-1982 (Post.pl in YaBB 1 Gold SP 1.2 allows remote attackers to modify record ...) NOT-FOR-US: YaBB CVE-2004-1981 (The web interface for Crystal Reports allows remote attackers to cause ...) NOT-FOR-US: Crystal Reports CVE-2004-1980 (Directory traversal vulnerability in glossary.php in PROPS 0.6.1 allow ...) NOT-FOR-US: PROPS CVE-2004-1979 (Cross-site scripting (XSS) vulnerability in do_search.php in PROPS 0.6 ...) NOT-FOR-US: PROPS CVE-2004-1978 (Cross-site scripting (XSS) vulnerability in help.php in Moodle before ...) - moodle 1.3 CVE-2004-1977 (3com NBX IP VOIP NetSet Configuration Manager allows remote attackers ...) NOT-FOR-US: 3com NBX IP VOIP NetSet Configuration Manager CVE-2004-1976 (SMC Barricade broadband router 7008ABR and 7004VBR enable remote admin ...) NOT-FOR-US: SMC Barricade broadband router 7008ABR and 7004VBR CVE-2004-1975 (Cross-site scripting (XSS) vulnerability in the category module in paf ...) NOT-FOR-US: paFileDB CVE-2004-1974 (paFileDB 3.1 allows remote attackers to gain sensitive information via ...) NOT-FOR-US: paFileDB CVE-2004-1973 (DiGi Web Server allows remote attackers to cause a denial of service ( ...) NOT-FOR-US: DiGi Web Server CVE-2004-1972 (SQL injection vulnerability in modules.php in PHP-Nuke Video Gallery M ...) NOT-FOR-US: PHP-Nuke CVE-2004-1971 (modules.php in PHP-Nuke Video Gallery Module 0.1 Beta 5 allows remote ...) NOT-FOR-US: PHP-Nuke CVE-2004-1970 (Samsung SmartEther SS6215S switch, and possibly other Samsung switches ...) NOT-FOR-US: Samsung SmartEther SS6215Sswitch CVE-2004-1969 (The avatar upload capability in Open Bulletin Board (OpenBB) 1.0.6 and ...) NOT-FOR-US: OpenBB CVE-2004-1968 (The readmsg action in myhome.php in Open Bulletin Board (OpenBB) 1.0.6 ...) NOT-FOR-US: OpenBB CVE-2004-1967 (Cross-site request forgery (CSRF) vulnerabilities in (1) cp_forums.php ...) NOT-FOR-US: OpenBB CVE-2004-1966 (Multiple SQL injection vulnerabilities in Open Bulletin Board (OpenBB) ...) NOT-FOR-US: OpenBB CVE-2004-1965 (Multiple cross-site scripting (XSS) vulnerabilities in Open Bulletin B ...) NOT-FOR-US: OpenBB CVE-2004-1964 (Cross-site scripting (XSS) vulnerability in nqt.php in Network Query T ...) NOT-FOR-US: Network Query Tool (NQT) CVE-2004-1963 (nqt.php in Network Query Tool (NQT) 1.6 allows remote attackers to obt ...) NOT-FOR-US: Network Query Tool (NQT) CVE-2004-1962 (SQL injection vulnerability in index.php in Protector System 1.15b1 al ...) NOT-FOR-US: Protector System CVE-2004-1961 (blocker.php in Protector System 1.15b1 allows remote attackers to bypa ...) NOT-FOR-US: Protector System CVE-2004-1960 (Cross-site scripting (XSS) vulnerability in blocker_query.php in Prote ...) NOT-FOR-US: Protector System CVE-2004-1959 (blocker_query.php in Protector System 1.15b1 for PHP-Nuke allows remot ...) NOT-FOR-US: Protector System CVE-2004-1958 (Directory traversal vulnerability in manifest.ini in Unreal engine all ...) NOT-FOR-US: Unreal engine CVE-2004-1957 (Multiple cross-site scripting (XSS) vulnerabilities in PostNuke 0.726 ...) NOT-FOR-US: PostNuke CVE-2004-1956 (PostNuke 0.7.2.6 allows remote attackers to gain information via a dir ...) NOT-FOR-US: PostNuke CVE-2004-1955 (SQL injection vulnerability in modules.php in phProfession 2.5 allows ...) NOT-FOR-US: phProfession CVE-2004-1954 (Cross-site scripting (XSS) vulnerability in modules.php in phProfessio ...) NOT-FOR-US: phProfession CVE-2004-1953 (phProfession 2.5 allows remote attackers to gain sensitive information ...) NOT-FOR-US: phProfession CVE-2004-1952 (SQL injection vulnerability in Advanced Guestbook 2.2 allows remote at ...) NOT-FOR-US: Advanced Guestbook CVE-2004-1951 (xine 1.x alpha, 1.x beta, and 1.0rc through 1.0rc3a, and xine-ui 0.9.2 ...) - xine-ui 0.99.1 CVE-2004-1950 (phpBB 2.0.8a and earlier trusts the IP address that is in the X-Forwar ...) - phpbb2 2.0.9 CVE-2004-1949 (SQL injection vulnerability in PostNuke 7.2.6 and earlier allows remot ...) NOT-FOR-US: PostNuke CVE-2004-1948 (NcFTP client 3.1.6 and 3.1.7, when the username and password are inclu ...) - ncftp 2:3.1.8-1 (low) CVE-2004-1947 (The AVXSCANONLINE.AvxScanOnlineCtrl.1 ActiveX control in BitDefender S ...) NOT-FOR-US: bitdefender CVE-2004-1946 (Format string vulnerability in the PRINT_ERROR function in common.c fo ...) - cherokee 0.4.21b01-1 CVE-2004-1945 (Buffer overflow in Kinesphere eXchange POP3 allows remote attackers to ...) NOT-FOR-US: Kinesphere eXchange POP3 CVE-2004-1944 (Eudora 6.1 and 6.0.3 for Windows allows remote attackers to cause a de ...) NOT-FOR-US: Eudora CVE-2004-1943 (PHP remote file inclusion vulnerability in album_portal.php in phpBB m ...) NOT-FOR-US: phpbb as modified by przemo CVE-2004-1942 (The Solaris 9 patches 113579-02 through 113579-05, and 114342-02 throu ...) NOT-FOR-US: Solaris CVE-2004-1941 (Fastream NETFile FTP/Web Server 6.5.1.980 allows remote attackers to c ...) NOT-FOR-US: Fastream NETFile FTP/Web Server CVE-2004-1940 (sipclient.cpp in KPhone 4.0.1 and earlier allows remote attackers to c ...) - kphone 1:4.0.2 CVE-2004-1939 (Cross-site scripting (XSS) vulnerability in Zaep AntiSpam 2.0 allows r ...) NOT-FOR-US: Zaep CVE-2004-1938 (SQL injection vulnerability in userlogin.php in Phorum 3.4.7 allows re ...) NOT-FOR-US: Phorum CVE-2004-1937 (Multiple directory traversal vulnerabilities in Nuked-KlaN 1.4b and 1. ...) NOT-FOR-US: Nuked-KlaN CVE-2004-1936 (ZoneAlarm Pro 4.5.538.001 and possibly other versions allows remote at ...) NOT-FOR-US: ZoneAlarm CVE-2004-1935 (Cross-site scripting (XSS) vulnerability in SCT Campus Pipeline allows ...) NOT-FOR-US: SCT Campus Pipeline CVE-2004-1934 (PHP remote file inclusion vulnerability in affich.php in Gemitel 3.50 ...) NOT-FOR-US: Gemitel CVE-2004-1933 (Citadel/UX 5.00 through 6.14 installs the database directory and files ...) NOT-FOR-US: Citadel CVE-2004-1932 (SQL injection vulnerability in (1) auth.php and (2) admin.php in PHP-N ...) NOT-FOR-US: PhpNuke CVE-2004-1930 (Cross-site scripting (XSS) vulnerability in the cookiedecode function ...) NOT-FOR-US: PhpNuke CVE-2004-1929 (SQL injection vulnerability in the bblogin function in functions.php i ...) NOT-FOR-US: PhpNuke CVE-2004-1928 (The image upload feature in Tiki CMS/Groupware (TikiWiki) 1.8.1 and ea ...) NOT-FOR-US: tikiwiki CVE-2004-1927 (Directory traversal vulnerability in the map feature (tiki-map.phtml) ...) NOT-FOR-US: tikiwiki CVE-2004-1926 (Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attacker ...) NOT-FOR-US: tikiwiki CVE-2004-1925 (Multiple SQL injection vulnerabilities in Tiki CMS/Groupware (TikiWiki ...) NOT-FOR-US: tikiwiki CVE-2004-1924 (Multiple cross-site scripting (XSS) vulnerabilities in Tiki CMS/Groupw ...) NOT-FOR-US: tikiwiki CVE-2004-1923 (Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attacker ...) NOT-FOR-US: tikiwiki CVE-2004-1922 (Microsoft Internet Explorer 5.5 and 6.0 allocates memory based on the ...) NOT-FOR-US: MSIE CVE-2004-1921 (X-Micro WLAN 11b Broadband Router 1.6.0.1 has a hardcoded "1502" usern ...) NOT-FOR-US: X-Micro WLAN 11b Broadband Router CVE-2004-1920 (X-Micro WLAN 11b Broadband Router 1.2.2, 1.2.2.3, 1.2.2.4, and 1.6.0.0 ...) NOT-FOR-US: X-Micro WLAN 11b Broadband Router CVE-2004-1919 (The hash_strcmp function in hasch.c in Crackalaka 1.0.8 allows remote ...) NOT-FOR-US: Crackalaka CVE-2004-1918 (RSniff 1.0 allows remote attackers to cause a denial of service (conne ...) NOT-FOR-US: rsniff CVE-2004-1917 (Format string vulnerability in test_func_func in LCDProc 0.4.1 and ear ...) - lcdproc 0.4.5 CVE-2004-1916 (Multiple buffer overflows in LCDProc 0.4.1, and possibly other 0.4.x v ...) - lcdproc 0.4.5 CVE-2004-1915 (Buffer overflow in the parse_all_client_messages function in LCDproc 0 ...) - lcdproc 0.4.5 CVE-2004-1914 (SQL injection vulnerability in modules.php in NukeCalendar 1.1.a, as u ...) NOT-FOR-US: phpnuke CVE-2004-1913 (Cross-site scripting (XSS) vulnerability in modules.php in NukeCalenda ...) NOT-FOR-US: phpnuke CVE-2004-1912 (The (1) modules.php, (2) block-Calendar.php, (3) block-Calendar1.php, ...) NOT-FOR-US: phpnuke CVE-2004-1911 (Cross-site scripting (XSS) vulnerability in AzDGDatingLite 2.1.1 allow ...) NOT-FOR-US: AzDGDatingLite CVE-2004-1910 (rufsi.dll in Symantec Virus Detection allows remote attackers to cause ...) NOT-FOR-US: Symantec CVE-2004-1909 (Claim Anti-Virus (ClamAV) 0.68 and earlier allows remote attackers to ...) - clamav 0.68.1 CVE-2004-1908 (McFreeScan.CoMcFreeScan.1 ActiveX object in Mcafee FreeScan allows rem ...) NOT-FOR-US: Mcafee FreeScan CVE-2004-1907 (The Web Filtering functionality in Kerio Personal Firewall (KPF) 4.0.1 ...) NOT-FOR-US: Kerio Personal Firewall CVE-2004-1906 (Mcafee FreeScan allows remote attackers to cause a denial of service a ...) NOT-FOR-US: Mcafee FreeScan CVE-2004-1905 (ascontrol.dll in Panda ActiveScan 5.0 allows remote attackers to cause ...) NOT-FOR-US: Panda ActiveScan CVE-2004-1904 (Buffer overflow in ascontrol.dll in Panda ActiveScan 5.0 allows remote ...) NOT-FOR-US: Panda ActiveScan CVE-2004-1903 (Buffer overflow in blaxxun 3D 7.0 allows remote attackers to execute a ...) NOT-FOR-US: blaxxun CVE-2004-1902 (The Citrix MetaFrame Password Manager 2.0, when a central credential s ...) NOT-FOR-US: Citrix MetaFrame Password Manager CVE-2004-1901 (Portage before 2.0.50-r3 allows local users to overwrite arbitrary fil ...) NOT-FOR-US: gentoo portage CVE-2004-1900 (Format string vulnerability in the logging function in IGI 2 Covert St ...) NOT-FOR-US: IGI 2 Covert Strike server CVE-2004-1899 (The administration interface in Monit 1.4 through 4.2 allows remote at ...) - monit 1:4.2.1 CVE-2004-1898 (Stack-based buffer overflow in the administration interface in Monit 1 ...) - monit 1:4.2.1-1 CVE-2004-1897 (Administration interface in Monit 1.4 through 4.2 allows remote attack ...) - monit 1:4.2.1-1 CVE-2004-1896 (Heap-based buffer overflow in in_mod.dll in Nullsoft Winamp 2.91 throu ...) NOT-FOR-US: no_package CVE-2004-1895 (YaST Online Update (YOU) in SuSE 8.2 and 9.0 allows local users to ove ...) NOT-FOR-US: no_package CVE-2004-1894 (TEXutil in ConTEXt, when executed with the --silent option, allows loc ...) NOT-FOR-US: no_package CVE-2004-1893 (Dreamweaver MX, when "Using Driver On Testing Server" or "Using DSN on ...) NOT-FOR-US: no_package CVE-2004-1892 (Stack-based buffer overflow in DecodeBase16 function, as used in the ( ...) NOT-FOR-US: no_package CVE-2004-1891 (The ftp_syslog function in ftpd in SGI IRIX 6.5.20 "doesn't work with ...) NOT-FOR-US: no_package CVE-2004-1890 (Unknown vulnerability in ftpd in SGI IRIX 6.5.20 through 6.5.23 allows ...) NOT-FOR-US: no_package CVE-2004-1889 (Unknown vulnerability in ftpd in SGI IRIX 6.5.20 through 6.5.23 allows ...) NOT-FOR-US: no_package CVE-2004-1888 (display.cgi in Aborior Encore WebForum allows remote to execute arbitr ...) NOT-FOR-US: no_package CVE-2004-1887 (Ada Image Server (ImgSvr) 0.4 allows remote attackers to view director ...) NOT-FOR-US: no_package CVE-2004-1886 REJECTED CVE-2004-1885 (Ipswitch WS_FTP Server 4.0.2 allows remote authenticated users to exec ...) NOT-FOR-US: no_package CVE-2004-1884 (Ipswitch WS_FTP Server 4.0.2 has a backdoor XXSESS_MGRYY username with ...) NOT-FOR-US: no_package CVE-2004-1883 (Multiple buffer overflows in Ipswitch WS_FTP Server 4.0.2 (1) allow re ...) NOT-FOR-US: no_package CVE-2004-1882 (Cross-site scripting (XSS) vulnerability in popuplargeimage.asp in Cac ...) NOT-FOR-US: no_package CVE-2004-1881 (SQL injection vulnerability in (1) mailorder.asp or (2) payonline.asp ...) NOT-FOR-US: no_package CVE-2004-1880 (Memory leak in the back-bdb backend for OpenLDAP 2.1.12 and earlier al ...) - openldap2 2.1.17-1 CVE-2004-1879 (Cross-site scripting (XSS) vulnerability in PHPKIT 1.6.03 allows allow ...) NOT-FOR-US: no_package CVE-2004-1878 (LINBOX LIN:BOX allows remote attackers to bypass authentication, obtai ...) NOT-FOR-US: no_package CVE-2004-1877 (The p_submit_url value in the sample login form in the Oracle 9i Appli ...) NOT-FOR-US: no_package CVE-2004-1876 (The "%f" feature in the VirusEvent directive in Clam AntiVirus daemon ...) - clamav 0.70-1 CVE-2004-1875 (Multiple cross-site scripting (XSS) vulnerabilities in cPanel 9.1.0-R8 ...) NOT-FOR-US: no_package CVE-2004-1874 (Multiple cross-site scripting (XSS) vulnerabilities in (1) deliver.asp ...) NOT-FOR-US: no_package CVE-2004-1873 (SQL injection vulnerability in category.asp in A-CART Pro and A-CART 2 ...) NOT-FOR-US: no_package CVE-2004-1872 (Cross-site scripting (XSS) vulnerability in WebCT Campus Edition 4.1.1 ...) NOT-FOR-US: no_package CVE-2004-1871 (Multiple cross-site scripting (XSS) vulnerabilities in PhotoPost PHP P ...) NOT-FOR-US: no_package CVE-2004-1870 (Multiple SQL injection vulnerabilities in PhotoPost PHP Pro 4.6.x and ...) NOT-FOR-US: no_package CVE-2004-1869 (Etherlords I 1.07 and earlier and Etherlords II 1.03 and earlier allow ...) NOT-FOR-US: no_package CVE-2004-1868 (Stack-based buffer overflow in WinSig.exe in eSignal 7.5 and 7.6 allow ...) NOT-FOR-US: no_package CVE-2004-1867 (Cross-site scripting (XSS) vulnerability in guest.cgi in Fresh Guest B ...) NOT-FOR-US: no_package CVE-2004-1866 (nstxd in Nstx 1.1 beta3 and earlier allows remote attackers to cause a ...) - nstx 1.1-beta4-1 CVE-2004-1865 (Cross-site scripting (XSS) vulnerability in the administration panel i ...) NOT-FOR-US: no_package CVE-2004-1864 (SQL injection vulnerability in Extreme Messageboard (XMB) 1.9 beta all ...) NOT-FOR-US: no_package CVE-2004-1863 (Multiple cross-site scripting (XSS) vulnerabilities in XMB (aka extrem ...) NOT-FOR-US: no_package CVE-2004-1862 (Multiple cross-site scripting (XSS) vulnerabilities in Extreme Message ...) NOT-FOR-US: no_package CVE-2004-1861 (Invision NetSupport School Pro uses a weak encryption algorithm to enc ...) NOT-FOR-US: no_package CVE-2004-1860 (Buffer overflow in Check Point SmartDashboard in Check Point NG AI R54 ...) NOT-FOR-US: no_package CVE-2004-1859 (Directory traversal vulnerability in Trend Micro Interscan Web Viruswa ...) NOT-FOR-US: no_package CVE-2004-1858 (HP Web Jetadmin 7.5.2546 allows remote attackers to cause a denial of ...) NOT-FOR-US: no_package CVE-2004-1857 (Directory traversal vulnerability in setinfo.hts in HP Web Jetadmin 7. ...) NOT-FOR-US: no_package CVE-2004-1856 (devices_update_printer_fw_upload.hts in HP Web JetAdmin 7.5.2546, when ...) NOT-FOR-US: no_package CVE-2004-1855 (Dark Age of Camelot before 1.68 live patch does not sign the RSA publi ...) NOT-FOR-US: no_package CVE-2004-1854 (Buffer overflow in the logging function in Picophone 1.63 and earlier ...) NOT-FOR-US: no_package CVE-2004-1853 (Buffer overflow in Terminator 3: War of the Machines 1.0 allows remote ...) NOT-FOR-US: no_package CVE-2004-1852 (DameWare Mini Remote Control 3.x before 3.74 and 4.x before 4.2 transm ...) NOT-FOR-US: no_package CVE-2004-1851 (Dameware Mini Remote Control 4.1.0.0 uses insufficiently random data t ...) NOT-FOR-US: no_package CVE-2004-1850 (The Rage 1.01 and earlier allows remote attackers to cause a denial of ...) NOT-FOR-US: no_package CVE-2004-1849 (Multiple cross-site scripting (XSS) vulnerabilities in cPanel 9.1.0 al ...) NOT-FOR-US: no_package CVE-2004-1848 (Ipswitch WS_FTP Server 4.0.2 allows remote attackers to cause a denial ...) NOT-FOR-US: no_package CVE-2004-1847 (News Manager Lite 2.5 allows remote attackers to bypass authentication ...) NOT-FOR-US: no_package CVE-2004-1846 (Multiple SQL injection vulnerabilities in News Manager Lite 2.5 allow ...) NOT-FOR-US: no_package CVE-2004-1845 (Multiple cross-site scripting (XSS) vulnerabilities in News Manager Li ...) NOT-FOR-US: no_package CVE-2004-1844 (Cross-site scripting (XSS) vulnerability in Member Management System 2 ...) NOT-FOR-US: no_package CVE-2004-1843 (SQL injection vulnerability in Member Management System 2.1 allows rem ...) NOT-FOR-US: no_package CVE-2004-1842 (Cross-site request forgery (CSRF) vulnerability in Php-Nuke 6.x throug ...) NOT-FOR-US: no_package CVE-2004-1841 (SQL injection vulnerability in MS Analysis module 2.0 for PHP-Nuke all ...) NOT-FOR-US: no_package CVE-2004-1840 (Multiple cross-site scripting (XSS) vulnerabilities in MS Analysis mod ...) NOT-FOR-US: no_package CVE-2004-1839 (MS Analysis module 2.0 for PHP-Nuke allows remote attackers to obtain ...) NOT-FOR-US: no_package CVE-2004-1838 (Directory traversal vulnerability in xweb 1.0 allows remote attackers ...) NOT-FOR-US: no_package CVE-2004-1837 (Cross-site scripting (XSS) vulnerability in Mod_survey 3.0.x before 3. ...) NOT-FOR-US: no_package CVE-2004-1836 (SQL injection vulnerability in index.php in Invision Power Top Site Li ...) NOT-FOR-US: no_package CVE-2004-1835 (Multiple SQL injection vulnerabilities in index.php in Invision Galler ...) NOT-FOR-US: no_package CVE-2004-1834 (mod_disk_cache in Apache 2.0 through 2.0.49 stores client headers, inc ...) - apache2 2.0.53-1 CVE-2004-1833 (The admin.ib file in Borland Interbase 7.1 for Linux has default world ...) NOT-FOR-US: no_package CVE-2004-1832 (Buffer overflow in the GUI admin service in Mac OS X Server 10.3 allow ...) NOT-FOR-US: no_package CVE-2004-1831 (Buffer overflow in Chrome 1.2.0.0 and earlier allows remote attackers ...) NOT-FOR-US: no_package CVE-2004-1830 (error.php in Error Manager 2.1 for PHP-Nuke 6.0 allows remote attacker ...) NOT-FOR-US: no_package CVE-2004-1829 (Multiple cross-site scripting (XSS) vulnerabilities in error.php in Gi ...) NOT-FOR-US: no_package CVE-2004-1828 (Vcard 2.9 and possibly other versions does not require authorization t ...) NOT-FOR-US: no_package CVE-2004-1827 (Cross-site scripting (XSS) vulnerability in YaBB 1 Gold(SP1.3) and YaB ...) NOT-FOR-US: no_package CVE-2004-1826 (SQL injection vulnerability in index.php in Mambo Open Source 4.5 stab ...) NOT-FOR-US: no_package CVE-2004-1825 (Cross-site scripting (XSS) vulnerability in index.php in Mambo Open So ...) NOT-FOR-US: no_package CVE-2004-1824 (Cross-site scripting (XSS) vulnerability in Jelsoft vBulletin before 3 ...) NOT-FOR-US: no_package CVE-2004-1823 (Multiple cross-site scripting (XSS) vulnerabilities in Jelsoft vBullet ...) NOT-FOR-US: no_package CVE-2004-1822 (Multiple cross-site scripting (XSS) vulnerabilities in Phorum 3.1 thro ...) NOT-FOR-US: no_package CVE-2004-1821 (SQL injection vulnerability in 4nalbum 0.92 for PHP-Nuke 6.5 through 7 ...) NOT-FOR-US: no_package CVE-2004-1820 (PHP remote file inclusion vulnerability in displaycategory.php in 4nal ...) NOT-FOR-US: no_package CVE-2004-1819 (4nalbum 0.92 for PHP-Nuke 6.5 through 7.0 allows remote attackers to o ...) NOT-FOR-US: no_package CVE-2004-1818 (Cross-site scripting (XSS) vulnerability in nmimage.php in 4nalbum 0.9 ...) NOT-FOR-US: no_package CVE-2004-1817 (Cross-site scripting (XSS) vulnerability in modules.php in Php-Nuke 7. ...) NOT-FOR-US: no_package CVE-2004-1816 (Unknown vulnerability in Sun Java System Application Server 7.0 Update ...) NOT-FOR-US: no_package CVE-2004-1815 (Unknown vulnerability in ColdFusion MX 6.0 and 6.1, and JRun 4.0, when ...) NOT-FOR-US: no_package CVE-2004-1814 (Directory traversal vulnerability in VocalTec VGW4/8 Gateway 8.0 allow ...) NOT-FOR-US: no_package CVE-2004-1813 (VocalTec VGW4/8 Gateway 8.0 allows remote attackers to bypass authenti ...) NOT-FOR-US: no_package CVE-2004-1812 (Multiple stack-based buffer overflows in Agent Common Services (1) cam ...) NOT-FOR-US: no_package CVE-2004-1811 (The SSL HTTP Server in HP Web-enabled Management Software 5.0 through ...) NOT-FOR-US: no_package CVE-2004-1810 (The Javascript engine in Opera 7.23 allows remote attackers to cause a ...) NOT-FOR-US: no_package CVE-2004-1809 (Cross-site scripting (XSS) vulnerability in phpBB 2.0.6d and earlier a ...) - phpbb2 2.0.10-1 NOTE: probably fixed in 2.0.6d-3 CVE-2004-1808 (Extcompose in metamail does not verify the output file before writing ...) NOTE: according to Jeroen van Wolffelaar this is not a bug in metamail NOTE: see bug #308875 CVE-2004-1807 (Cross-site scripting (XSS) vulnerability in index.cfm in CFWebstore 5. ...) NOT-FOR-US: no_package CVE-2004-1806 (SQL injection vulnerability in index.cfm in CFWebstore 5.0 allows remo ...) NOT-FOR-US: no_package CVE-2004-1805 (Format string vulnerability in games using the Epic Games Unreal Engin ...) NOT-FOR-US: no_package CVE-2004-1804 (wMCam server 2.1.348 allows remote attackers to cause a denial of serv ...) NOT-FOR-US: no_package CVE-2004-1802 (Chat Anywhere 2.72 and earlier allows remote attackers to hide their I ...) NOT-FOR-US: no_package CVE-2004-1801 (Directory traversal vulnerability in PWebServer 0.3.3 allows remote at ...) NOT-FOR-US: no_package CVE-2004-1800 (Unknown vulnerability in Sysbotz SimpleData 4.0.1 and possibly earlier ...) NOT-FOR-US: no_package CVE-2004-1799 (PF in certain OpenBSD versions, when stateful filtering is enabled, do ...) NOT-FOR-US: no_package CVE-2004-1798 (RealOne player 6.0.11.868 allows remote attackers to execute arbitrary ...) NOT-FOR-US: no_package CVE-2004-1797 (Cross-site scripting (XSS) vulnerability in search.php for FreznoShop ...) NOT-FOR-US: no_package CVE-2004-1796 (PHP remote file inclusion vulnerability in HotNews 0.7.2 and earlier a ...) NOT-FOR-US: no_package CVE-2004-1795 (Info Touch Surfnet kiosk allows local users to access the underlying f ...) NOT-FOR-US: no_package CVE-2004-1794 (Cross-site scripting (XSS) vulnerability in the VCard4J Toolkit allows ...) NOT-FOR-US: no_package CVE-2004-1793 (Stack-based buffer overflow in swnet.dll in YaSoft Switch Off 2.3 and ...) NOT-FOR-US: no_package CVE-2004-1792 (swnet.dll in YaSoft Switch Off 2.3 and earlier allows remote attackers ...) NOT-FOR-US: no_package CVE-2004-1791 (The web management interface in Edimax AR-6004 ADSL Routers uses a def ...) NOT-FOR-US: Edimax Router CVE-2004-1790 (Cross-site scripting (XSS) vulnerability in the web management interfa ...) NOT-FOR-US: Edimax Router CVE-2004-1789 (Cross-site scripting (XSS) vulnerability in the web management interfa ...) NOT-FOR-US: ZyWALL CVE-2004-1788 (ASP-Nuke 1.3 and earlier places user credentials under the web documen ...) NOT-FOR-US: ASP-Nuke CVE-2004-1787 (SQL injection vulnerability in PostCalendar 4.0.0 allows remote attack ...) NOT-FOR-US: PostCalendar CVE-2004-1786 (PortalApp places user credentials under the web root with insufficient ...) NOT-FOR-US: PortalApp CVE-2004-1785 (SQL injection vulnerability in calendar.php for Invision Power Board 1 ...) NOT-FOR-US: Invision Power Board CVE-2004-1784 (Buffer overflow in the web server of Webcam Watchdog 3.63 allows remot ...) NOT-FOR-US: web server of Webcam Watchdog CVE-2004-1783 (Directory traversal vulnerability in Net2Soft Flash FTP Server 1.0 all ...) NOT-FOR-US: Net2Soft Flash FTP Server CVE-2004-1782 (athenareg.php in Athena Web Registration allows remote attackers to ex ...) NOT-FOR-US: Athena Web Registration CVE-2004-1781 (Info Touch Surfnet kiosk allows local users to crash Surfnet and acces ...) NOT-FOR-US: Info Touch Surfnet kiosk CVE-2004-1780 (Info Touch Surfnet kiosk allows local users to deposit extra time into ...) NOT-FOR-US: Info Touch Surfnet kiosk CVE-2004-1779 (Cross-site scripting (XSS) vulnerability in board.php for ThWboard bef ...) NOT-FOR-US: ThWboard CVE-2003-1202 (The checklogin function in omail.pl for omail webmail 0.98.4 and earli ...) NOT-FOR-US: omail webmail CVE-2003-1201 (ldbm_back_exop_passwd in the back-ldbm backend in passwd.c for OpenLDA ...) - openldap2 2.1.17-1 CVE-2003-1200 (Stack-based buffer overflow in FORM2RAW.exe in Alt-N MDaemon 6.5.2 thr ...) NOT-FOR-US: MDaemon CVE-2003-1199 (Cross-site scripting (XSS) vulnerability in MyProxy 20030629 allows re ...) NOT-FOR-US: MyProxy CVE-2003-1198 (connection.c in Cherokee web server before 0.4.6 allows remote attacke ...) - cherokee 0.4.21b01-1 CVE-2003-1196 (SQL injection vulnerability in viewtopic.asp in VieBoard 2.6 allows re ...) NOT-FOR-US: VieBoard CVE-2003-1195 (SQL injection vulnerability in getmember.asp in VieBoard 2.6 Beta 1 al ...) NOT-FOR-US: VieBoard CVE-2003-1194 (Cross-site scripting (XSS) vulnerability in Booby .1 through 0.2.3 all ...) NOT-FOR-US: Booby CVE-2003-1193 (Multiple SQL injection vulnerabilities in the Portal DB (1) List of Va ...) NOT-FOR-US: Portal DB CVE-2003-1192 (Stack-based buffer overflow in IA WebMail Server 3.1.0 allows remote a ...) NOT-FOR-US: IA WebMail Server CVE-2003-1191 (chatbox.php in e107 0.554 and 0.603 allows remote attackers to cause a ...) NOT-FOR-US: e107 CVE-2003-1190 (Cross-site scripting (XSS) vulnerability in PHPRecipeBook 1.24 through ...) NOT-FOR-US: PHPRecipeBook CVE-2003-1189 (Unknown vulnerability in Nokia IPSO 3.7, configured as IP Clusters, al ...) NOT-FOR-US: Nokia IPSO CVE-2003-1188 (Unichat allows remote attackers to cause a denial of service (crash) b ...) NOT-FOR-US: Unichat CVE-2003-1187 (Cross-site scripting (XSS) vulnerability in include.php in PHPKIT 1.6. ...) NOT-FOR-US: PHPKIT CVE-2003-1186 (Buffer overflow in TelCondex SimpleWebServer 2.12.30210 Build3285 allo ...) NOT-FOR-US: TelCondex SimpleWebServer CVE-2003-1185 (Multiple SQL injection vulnerabilities in ThWboard before Beta 2.8.2 a ...) NOT-FOR-US: ThWboard CVE-2003-1184 (Multiple cross-site scripting (XSS) vulnerabilities in ThWboard Beta 2 ...) NOT-FOR-US: ThWboard CVE-2003-1183 (The WebCache component in Oracle Files 9.0.3.1.0, 9.0.3.2.0, and 9.0.3 ...) NOT-FOR-US: Oracle Collaboration Suite CVE-2003-1182 (Cross-site scripting (XSS) vulnerability in MPM Guestbook 1.2 allows r ...) NOT-FOR-US: MPM Guestbook CVE-2003-1181 (Advanced Poll 2.0.2 allows remote attackers to obtain sensitive inform ...) NOT-FOR-US: Advanced Poll CVE-2003-1180 (Directory traversal vulnerability in Advanced Poll 2.0.2 allows remote ...) NOT-FOR-US: Advanced Poll CVE-2003-1179 (Multiple PHP remote file inclusion vulnerabilities in Advanced Poll 2. ...) NOT-FOR-US: Advanced Poll CVE-2003-1178 (Eval injection vulnerability in comments.php in Advanced Poll 2.0.2 al ...) NOT-FOR-US: Advanced Poll CVE-2003-1177 (Buffer overflow in the base64 decoder in MERCUR Mailserver 4.2 before ...) NOT-FOR-US: MERCUR Mailserver CVE-2003-1176 (post_message_form.asp in Web Wiz Forums 6.34 through 7.5, when quote m ...) NOT-FOR-US: Web Wiz Forums CVE-2003-1175 (Cross-site scripting (XSS) vulnerability in index.php in Sympoll 1.5 a ...) NOT-FOR-US: Sympoll CVE-2003-1174 (Buffer overflow in NullSoft Shoutcast Server 1.9.2 allows local users ...) NOT-FOR-US: NullSoft Shoutcast Server CVE-2003-1173 (Centrinity FirstClass 7.1 allows remote attackers to access sensitive ...) NOT-FOR-US: Centrinity FirstClass CVE-2003-1172 (Directory traversal vulnerability in the view-source sample file in Ap ...) NOT-FOR-US: Apache Software Foundation Cocoon CVE-2003-1171 (Heap-based buffer overflow in the sec_filter_out function in mod_secur ...) - libapache-mod-security 1.8.4-1 CVE-2003-1170 (Format string vulnerability in main.cpp in kpopup 0.9.1 and 0.9.5pre2 ...) NOT-FOR-US: kpopup CVE-2003-1169 (DATEV Nutzungskontrolle 2.1 and 2.2 has insecure write permissions for ...) NOT-FOR-US: DATEV Nutzungskontrolle CVE-2003-1167 (misc.cpp in KPopup 0.9.1 trusts the PATH variable when executing killa ...) NOT-FOR-US: kpopup CVE-2003-1166 (Directory traversal vulnerability in (1) Openfile.aspx and (2) Html.as ...) NOT-FOR-US: HTTP Commander CVE-2003-1165 (Buffer overflow in BRS WebWeaver 1.06 and earlier allows remote attack ...) NOT-FOR-US: BRS WebWeaver CVE-2003-1164 (Cross-site scripting (XSS) vulnerability in Mldonkey 2.5-4 allows remo ...) - mldonkey 2.5.11-1 CVE-2003-1163 (hash.c in Ganglia gmond 2.5.3 allows remote attackers to cause a denia ...) NOT-FOR-US: Ganglia gmond CVE-2003-1162 (index.php in Tritanium Bulletin Board 1.2.3 allows remote attackers to ...) NOT-FOR-US: Tritanium Bulletin Board CVE-2003-1161 (exit.c in Linux kernel 2.6-test9-CVS, as stored on kernel.bkbits.net, ...) - linux-2.6 (Never released, only temporary in Bitkeeper) CVE-2003-1160 (FlexWATCH Network video server 132 allows remote attackers to bypass a ...) NOT-FOR-US: FlexWATCH CVE-2003-1159 (Plug and Play Web Server Proxy 1.0002c allows remote attackers to caus ...) NOT-FOR-US: Plug and Play Web Server CVE-2003-1158 (Multiple buffer overflows in the FTP service in Plug and Play Web Serv ...) NOT-FOR-US: Plug and Play Web Server CVE-2003-1157 (Cross-site scripting (XSS) vulnerability in login.asp in Citrix MetaFr ...) NOT-FOR-US: Citrix CVE-2003-1156 (Java Runtime Environment (JRE) and Software Development Kit (SDK) 1.4. ...) NOT-FOR-US: Sun JRE/SDK CVE-2003-1155 (X-CD-Roast 0.98 alpha10 through alpha14 allows local users to overwrit ...) - xcdroast 0.98+0alpha15-1 (bug #310046) CVE-2003-1154 (MAILsweeper for SMTP 4.3 allows remote attackers to bypass virus prote ...) NOT-FOR-US: MAILsweeper CVE-2003-1153 (byteHoard 0.7 and 0.71 allows remote attackers to list arbitrary files ...) NOT-FOR-US: byteHoard CVE-2003-1152 (WebTide 7.04 allows remote attackers to list arbitrary directories via ...) NOT-FOR-US: WebTide CVE-2003-1151 (Cross-site scripting (XSS) vulnerability in Fastream NETFile Server 6. ...) NOT-FOR-US: Fastream CVE-2003-1150 (Buffer overflow in the portmapper service (PMAP.NLM) in Novell NetWare ...) NOT-FOR-US: Novell portmapper CVE-2003-1149 (Cross-site scripting (XSS) vulnerability in Symantec Norton Internet S ...) NOT-FOR-US: Symantec Norton Internet Security CVE-2003-1148 (Multiple PHP remote file inclusion vulnerabilities in J-Pierre DEZELUS ...) NOT-FOR-US: Les Visiteurs CVE-2003-1147 REJECTED CVE-2003-1146 (Cross-site scripting (XSS) vulnerability in John Beatty Easy PHP Photo ...) NOT-FOR-US: Easy PHP Photo Album CVE-2003-1145 (Cross-site scripting (XSS) vulnerability in friendmail.php in OpenAuto ...) NOT-FOR-US: OpenAutoClassifieds CVE-2003-1144 (Buffer overflow in the log viewing interface in Perception LiteServe 1 ...) NOT-FOR-US: Perception LiteServe CVE-2003-1143 (Croteam Serious Sam demo test 2 2.1a, Serious Sam: the First Encounter ...) NOT-FOR-US: Croteam Serious Sam demo CVE-2003-1142 (Help in NIPrint LPD-LPR Print Server 4.10 and earlier executes Windows ...) NOT-FOR-US: NIPrint LPD-LPR CVE-2003-1141 (Buffer overflow in NIPrint 4.10 allows remote attackers to execute arb ...) NOT-FOR-US: NIPrint LPD-LPR CVE-2003-1140 (Buffer overflow in Musicqueue 1.2.0 allows local users to execute arbi ...) NOT-FOR-US: Musicqueue CVE-2003-1139 (Musicqueue 1.2.0 allows local users to overwrite arbitrary files by tr ...) NOT-FOR-US: Musicqueue CVE-2003-1138 (The default configuration of Apache 2.0.40, as shipped with Red Hat Li ...) - apache2 (Red Hat specific default config) CVE-2003-1137 (Charles Steinkuehler sh-httpd 0.3 and 0.4 allows remote attackers to r ...) NOT-FOR-US: sh-httpd CVE-2003-1136 (Cross-site scripting (XSS) vulnerability in Chi Kien Uong Guestbook 1. ...) NOT-FOR-US: Chi Kien Uong Guestbook CVE-2003-1135 (Buffer overflow in Yahoo! Messenger 5.6 allows remote attackers to cau ...) NOT-FOR-US: Yahoo! Messenger CVE-2003-1134 (Sun Java 1.3.1, 1.4.1, and 1.4.2 allows local users to cause a denial ...) NOT-FOR-US: Sun JVM CVE-2003-1133 (Rit Research Labs The Bat! 1.0.11 through 2.0 creates new accounts wit ...) NOT-FOR-US: The Bat! CVE-2002-1660 (calendar.php in vBulletin before 2.2.0 allows remote attackers to exec ...) NOT-FOR-US: vBulletin CVE-2002-1659 (user_profile.asp in PortalApp 2.2 allows local users to gain privilege ...) NOT-FOR-US: PortalApp CVE-2001-1477 (The Domain gateway in BEA Tuxedo 7.1 does not perform authorization ch ...) NOT-FOR-US: BEA Tuxedo CVE-2005-1477 (The install function in Firefox 1.0.3 allows remote web sites on the b ...) - mozilla-firefox 1.0.4-1 CVE-2005-1476 (Firefox 1.0.3 allows remote attackers to execute arbitrary Javascript ...) - mozilla-firefox 1.0.4-1 CVE-2005-1475 (The XMLHttpRequest object in Opera 8.0 Final Build 1095 allows remote ...) NOT-FOR-US: Opera CVE-2005-1474 (Dashboard in Apple Mac OS X 10.4.1 allows remote attackers to install ...) NOT-FOR-US: Apple CVE-2005-1473 (SecurityAgent in Apple Mac OS X 10.4.1 allows attackers with physical ...) NOT-FOR-US: Apple CVE-2005-1472 (Certain system calls in Apple Mac OS X 10.4.1 do not properly enforce ...) NOT-FOR-US: Apple CVE-2005-1471 (Heap-based buffer overflow in RSA SecurID Web Agent 5, 5.2, and 5.3 al ...) NOT-FOR-US: RSA SecurID Web Agent CVE-2005-XXXX [mailutils: sql injection vulnerability in sql authentication module] - mailutils 1:0.6.1-2 CVE-2005-XXXX [maradns: More frequent rekeying to mitigate possible AES attacks] - maradns 1.0.27-1 CVE-2005-2352 (I race condition in Temp files was found in gs-gpl before 8.56 addons ...) - gs-gpl 8.56.dfsg.1-1 (bug #291373; unimportant) CVE-2005-XXXX [Possible SQL injection in freeradius] - freeradius 1.0.2-4 CVE-2005-2353 (run-mozilla.sh in Thunderbird, with debugging enabled, allows local us ...) {DSA-1051-1 DSA-1046-1} - mozilla-thunderbird 1.0.6-1 (bug #306893; low) [sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.8 (low) - firefox 1.5.dfsg+1.5.0.2-1 - thunderbird 1.5.0.2-1 - xulrunner 1.8.0.1-9 CVE-2005-XXXX [Directory traversal in unzoo] - unzoo 4.4-4 CVE-2005-XXXX [Logging bypassing through SIGHUP in syslog-ng] - syslog-ng 1.6.5-2.1 CVE-2005-XXXX [trackballs: Follows symlinks as gid games] - trackballs 1.1.1-1 (bug #302454; medium) [sarge] - trackballs (Hardly exploitable) NOTE: CVE request sent to mitre (who sent this? any response?) NOTE: Trackballs doesn't run as gid games anymore, high-score files are NOTE: stored in user's home directories instead. CVE-2005-1470 (Multiple unknown vulnerabilities in the (1) TZSP, (2) MGCP, (3) ISUP, ...) - ethereal 0.10.10-2sarge2 CVE-2005-1469 (Unknown vulnerability in the GSM dissector in Ethereal before 0.10.11 ...) - ethereal 0.10.10-2sarge2 CVE-2005-1468 (Multiple unknown vulnerabilities in the (1) WSP, (2) Q.931, (3) H.245, ...) - ethereal 0.10.10-2sarge2 CVE-2005-1467 (Unknown vulnerability in the NDPS dissector in Ethereal before 0.10.11 ...) - ethereal 0.10.10-2sarge2 CVE-2005-1466 (Unknown vulnerability in the DICOM dissector in Ethereal before 0.10.1 ...) - ethereal 0.10.10-2sarge2 CVE-2005-1465 (Unknown vulnerability in the NCP dissector in Ethereal before 0.10.11 ...) - ethereal 0.10.10-2sarge2 CVE-2005-1464 (Multiple unknown vulnerabilities in the (1) KINK, (2) L2TP, (3) MGCP, ...) - ethereal 0.10.10-2sarge2 CVE-2005-1463 (Multiple format string vulnerabilities in the (1) DHCP and (2) ANSI A ...) - ethereal 0.10.10-2sarge2 CVE-2005-1462 (Double free vulnerability in the ICEP dissector in Ethereal before 0.1 ...) - ethereal 0.10.10-2sarge2 CVE-2005-1461 (Multiple buffer overflows in the (1) SIP, (2) CMIP, (3) CMP, (4) CMS, ...) - ethereal 0.10.10-2sarge2 CVE-2005-1460 (Multiple unknown dissectors in Ethereal before 0.10.11 allow remote at ...) - ethereal 0.10.10-2sarge2 CVE-2005-1459 (Multiple unknown vulnerabilities in the (1) WSP, (2) BER, (3) SMB, (4) ...) - ethereal 0.10.10-2sarge2 CVE-2005-1458 (Multiple unknown "other problems" in the KINK dissector in Ethereal be ...) - ethereal 0.10.10-2sarge2 CVE-2005-1457 (Multiple unknown vulnerabilities in the (1) AIM, (2) LDAP, (3) FibreCh ...) - ethereal 0.10.10-2sarge2 CVE-2005-1456 (Multiple unknown vulnerabilities in the (1) DHCP and (2) Telnet dissec ...) - ethereal 0.10.10-2sarge2 CVE-2005-1455 (Buffer overflow in the sql_escape_func function in the SQL module for ...) - freeradius 1.0.2-4 CVE-2005-1454 (SQL injection vulnerability in the radius_xlat function in the SQL mod ...) - freeradius 1.0.2-4 CVE-2005-1453 (fetchnews in leafnode 1.9.48 to 1.11.1 allows remote NNTP servers to c ...) - leafnode 1.11.2.rel-1 CVE-2004-2069 (sshd.c in OpenSSH 3.6.1p2 and 3.7.1p2 and possibly other versions, whe ...) - openssh 1:3.8p1 CVE-2004-2068 (fetchnews in leafnode 1.9.47 and earlier allows remote attackers to ca ...) - leafnode (Leafnode2 development branch) CVE-2002-1661 (The leafnode server in leafnode 1.9.20 to 1.9.29 allows remote attacke ...) - leafnode (Leafnode2 development branch) CVE-2005-XXXX [Missing input validation in xtradius] - xtradius 1.2.1-beta2-2 (bug #307796; unimportant) CVE-2005-XXXX [fai tempfile vulnerability] - fai 2.8.2 CVE-2005-2354 (Nvu 0.99+1.0pre uses an old copy of Mozilla XPCOM which can result in ...) NOTE: have not checked to see which security holes are in it exactly - nvu (bug #306822; medium) CVE-2005-2356 RESERVED NOTE: This was assigned to an eskuel non-issue before due to Red Hat typos CVE-2005-XXXX [Buffer overflow in elog's header buffer] - elog 2.5.7+r1558-3 (bug #349528; high) CVE-2005-XXXX [Unspeficied security issue in ipsec-tool's single DES support] - ipsec-tools 1:0.5.2-1 CVE-2005-1452 (Serendipity before 0.8 allows Chief users to "hide plugins installed b ...) - serendipity 1.0-1 CVE-2005-1451 (The media manager in Serendipity before 0.8 allows remote attackers to ...) - serendipity 1.0-1 CVE-2005-1450 (Unknown vulnerability in "the function used to validate path-names for ...) - serendipity 1.0-1 CVE-2005-1449 (Unknown vulnerability in serendipity_config_local.inc.php for Serendip ...) - serendipity 1.0-1 CVE-2005-1448 (Cross-site scripting (XSS) vulnerability in the BBCode plugin for Sere ...) - serendipity 1.0-1 CVE-2005-1447 (PHP remote file inclusion vulnerability in main.php in SitePanel 2.6.1 ...) NOT-FOR-US: SitePanel CVE-2005-1446 (SitePanel 2.6.1 and earlier (SitePanel2) allows remote attackers to up ...) NOT-FOR-US: SitePanel CVE-2005-1445 (Multiple directory traversal vulnerabilities in SitePanel 2.6.1 and ea ...) NOT-FOR-US: SitePanel CVE-2005-1444 (Multiple cross-site scripting (XSS) vulnerabilities in SitePanel 2.6.1 ...) NOT-FOR-US: SitePanel CVE-2005-1443 (Multiple cross-site scripting (XSS) vulnerabilities in index.php for I ...) NOT-FOR-US: Invision Power Board CVE-2005-1442 (Buffer overflow in the Lotus Notes client for Domino 6.5 before 6.5.4 ...) NOT-FOR-US: Lotus Domino CVE-2005-1441 (Format string vulnerability in Lotus Domino 6.0.x before 6.0.5 and 6.5 ...) NOT-FOR-US: Lotus Domino CVE-2005-1440 (Multiple cross-site scripting (XSS) vulnerabilities in ViArt Shop Ente ...) NOT-FOR-US: ViArt Shop CVE-2005-1439 (Directory traversal vulnerability in attachments.php in osTicket allow ...) NOT-FOR-US: osTicket CVE-2005-1438 (PHP remote file inclusion vulnerability in main.php in osTicket allows ...) NOT-FOR-US: osTicket CVE-2005-1437 (Multiple SQL injection vulnerabilities in osTicket allow remote attack ...) NOT-FOR-US: osTicket CVE-2005-1436 (Multiple cross-site scripting (XSS) vulnerabilities in osTicket allow ...) NOT-FOR-US: osTicket CVE-2005-1435 (Open WebMail (OWM) before 2.51 20050430 allows remote authenticated us ...) - openwebmail CVE-2005-1434 (Multiple unknown vulnerabilities in OpenView Network Node Manager (OV ...) NOT-FOR-US: HP OpenView CVE-2005-1433 (Multiple unknown vulnjerabilities HP OpenView Event Correlation Servic ...) NOT-FOR-US: HP OpenView CVE-2005-1432 RESERVED CVE-2005-1431 (The "record packet parsing" in GnuTLS 1.2 before 1.2.3 and 1.0 before ...) - gnutls11 1.0.16-13.1 (bug #309111; bug #307641) CVE-2005-1430 (Mac OS X 10.3.x and earlier uses insecure permissions for a pseudo ter ...) NOT-FOR-US: Mac OS X CVE-2005-1429 (SQL injection vulnerability in login.asp in WWWguestbook 1.1 allows re ...) NOT-FOR-US: WWWguestbook CVE-2005-1428 (edit_image.asp in Uapplication Uphotogallery allows remote attackers t ...) NOT-FOR-US: Uapplication Uphotogallery CVE-2005-1427 (Uapplication Uphotogallery stores the database under the web document ...) NOT-FOR-US: Uapplication Uphotogallery CVE-2005-1426 (Uapplication Ublog Reload stores sensitive information under the web r ...) NOT-FOR-US: Uapplication Ublog CVE-2005-1425 (Uapplication Uguestbook 1.0 stores sensitive information under the web ...) NOT-FOR-US: Uapplication Uguestbook CVE-2005-1424 (StumbleInside GoText 1.01 stores sensitive username, mail address,and ...) NOT-FOR-US: GoText CVE-2005-1423 (Directory traversal vulnerability in the mail program in 602LAN SUITE ...) NOT-FOR-US: 602 LAN SUITE CVE-2005-1422 (Raysoft/Raybase Video Cam Server 1.0.0 beta allows remote attackers to ...) NOT-FOR-US: Raysoft Video Cam Server CVE-2005-1421 (Directory traversal vulnerability in Raysoft/Raybase Video Cam Server ...) NOT-FOR-US: Raysoft Video Cam Server CVE-2005-1420 (Raysoft/Raybase Video Cam Server 1.0.0 beta allows remote attackers to ...) NOT-FOR-US: Raysoft Video Cam Server CVE-2005-1419 (SQL injection vulnerability in the admin login panel for Ocean12 Maili ...) NOT-FOR-US: Ocean12 Mailing list manager CVE-2005-1418 (NetLeaf Limited NotJustBrowsing 1.0.3 stores the View Lock Password in ...) NOT-FOR-US: Netleaf CVE-2005-1417 (Multiple SQL injection vulnerabilities in MaxWebPortal 2.x, 1.35, and ...) NOT-FOR-US: MaxWebPortal CVE-2005-1416 (Directory traversal vulnerability in 04WebServer 1.81 allows remote at ...) NOT-FOR-US: 04WebServer CVE-2005-1415 (Buffer overflow in GlobalSCAPE Secure FTP Server 3.0.2 allows remote a ...) NOT-FOR-US: GlobalSCAPE Secure FTP Server CVE-2005-1414 (ExoticSoft FilePocket 1.2 stores sensitive proxy information, includin ...) NOT-FOR-US: FilePocket CVE-2005-1413 (Multiple SQL injection vulnerabilities in enVivo!CMS allow remote atta ...) NOT-FOR-US: enVivo CVE-2005-1412 (SQL injection vulnerability in verify.asp for Ecomm Professional Guest ...) NOT-FOR-US: ECommPro CVE-2005-1411 (Cybration ICUII 7.0 stores passwords in plaintext in the world-readabl ...) NOT-FOR-US: ICUII CVE-2005-1410 (The tsearch2 module in PostgreSQL 7.4 through 8.0.x declares the (1) d ...) - postgresql 7.4.7-6 CVE-2005-1409 (PostgreSQL 7.3.x through 8.0.x gives public EXECUTE access to certain ...) - postgresql 7.4.7-6 CVE-2005-1408 (Apple Keynote 2.0 and 2.0.1 allows remote attackers to read arbitrary ...) NOT-FOR-US: Apple CVE-2005-1407 (Skype for Windows 1.2.0.0 to 1.2.0.46 allows local users to bypass the ...) NOT-FOR-US: Skype CVE-2005-1406 (The kernel in FreeBSD 4.x to 4.11 and 5.x to 5.4 does not properly cle ...) - kfreebsd5-source 5.3-10 CVE-2005-1405 (HTTP response splitting vulnerability in the @SetHTTPHeader function i ...) NOT-FOR-US: Lotus Domino CVE-2005-1404 (MyPHP Forum 1.0 allows remote attackers to spoof the username by modif ...) NOT-FOR-US: MyPHP Forum CVE-2005-1403 (Multiple cross-site scripting (XSS) vulnerabilities in JustWilliam's A ...) NOT-FOR-US: JW Amazon Web Store CVE-2005-1402 (Integer signedness error in certain older versions of the NeL library, ...) NOT-FOR-US: NeL libarary CVE-2005-1401 (Format string vulnerability in the client for Mtp-Target 1.2.2 and ear ...) NOT-FOR-US: Mtp-Target CVE-2005-1400 (The i386_get_ldt system call in FreeBSD 4.7 to 4.11 and 5.x to 5.4 all ...) - kfreebsd5-source 5.3-10 CVE-2005-1399 (FreeBSD 4.6 to 4.11 and 5.x to 5.4 uses insecure default permissions f ...) - kfreebsd5-source 5.3-10 CVE-2004-1778 (Skype 0.92.0.12 and 1.0.0.1 for Linux, and possibly other versions, cr ...) NOT-FOR-US: Skype CVE-2004-1777 (A "range check error" in Skype for Windows before 0.98.0.28 allows loc ...) NOT-FOR-US: Skype CVE-2005-1398 (phpcart.php in PHPCart 3.2 allows remote attackers to change product p ...) NOT-FOR-US: PHPCart CVE-2005-1397 (SQL injection vulnerability in search.php for PHP-Calendar before 0.10 ...) NOT-FOR-US: PHPCalender CVE-2005-1396 (Race condition in Ce/Ceterm (aka ARPUS/Ce) 2.5.4 and earlier allows lo ...) NOT-FOR-US: ARPUS Ceterm CVE-2005-1395 (Buffer overflow in Ce/Ceterm (aka ARPUS/Ce) 2.5.4 and earlier may allo ...) NOT-FOR-US: ARPUS Ceterm CVE-2005-1394 (Format string vulnerability in ArcGIS for ESRI ArcInfo Workstation 9.0 ...) NOT-FOR-US: ArcGIS CVE-2005-1393 (Multiple buffer overflows in ArcGIS for ESRI ArcInfo Workstation 9.0 a ...) NOT-FOR-US: ArcGIS CVE-2005-1392 (The SQL install script in phpMyAdmin 2.6.2 is created with world-reada ...) - phpmyadmin (Only part of examples that an admin would need to modify anyway) CVE-2005-1391 (Buffer overflow in the add_port function in APSIS Pound 1.8.2 and earl ...) {DSA-934-1} [sarge] - pound 1.8.2-1sarge1 - pound 1.8.2-1.1 (bug #307852; bug #311548; medium) CVE-2005-1390 REJECTED CVE-2005-1389 REJECTED CVE-2005-1388 (Cross-site scripting (XSS) vulnerability in SURVIVOR before 0.9.6 allo ...) NOT-FOR-US: SURVIVOR CVE-2005-1387 (Cocktail 3.5.4 and possibly earlier in Mac OS X passes the administrat ...) NOT-FOR-US: Mac OS X CVE-2005-1386 (PHP-Nuke 7.6 and earlier allows remote attackers to obtain sensitive i ...) NOT-FOR-US: PHP-Nuke CVE-2005-1385 (Safari 1.3 allows remote attackers to cause a denial of service (appli ...) NOT-FOR-US: Safari CVE-2005-1384 (Multiple SQL injection vulnerabilities in phpCoin 1.2.2 allow remote a ...) NOT-FOR-US: phpCoin CVE-2005-1383 (The OHS component 1.0.2 through 10.x, when UseWebcacheIP is disabled, ...) NOT-FOR-US: Oracle CVE-2005-1382 (The webcacheadmin module in Oracle Webcache 9i allows remote attackers ...) NOT-FOR-US: Oracle CVE-2005-1381 (Multiple cross-site scripting (XSS) vulnerabilities in Oracle Webcache ...) NOT-FOR-US: Oracle CVE-2005-1380 (Cross-site scripting (XSS) vulnerability in BEA Admin Console 8.1 allo ...) NOT-FOR-US: BEA Weblogic CVE-2005-1379 (The LAM runtime environment package (lam-runtime-7.0.6-2mdk) on Mandra ...) - lam (Mandrake specific packaging flaw) CVE-2005-1378 (SQL injection vulnerability in posting_notes.php in the notes module f ...) NOT-FOR-US: phpbb mod CVE-2005-1377 (Multiple PHP remote file inclusion vulnerabilities in Claroline 1.5.3 ...) NOT-FOR-US: Claroline CVE-2005-1376 (Multiple directory traversal vulnerabilities in (1) document.php or (2 ...) NOT-FOR-US: Claroline CVE-2005-1375 (Multiple SQL injection vulnerabilities in Claroline 1.5.3 through 1.6 ...) NOT-FOR-US: Claroline CVE-2005-1374 (Multiple cross-site scripting (XSS) vulnerabilities in Claroline 1.5.3 ...) NOT-FOR-US: Claroline CVE-2005-1373 (Multiple SQL injection vulnerabilities in index.php in Dream4 Koobi CM ...) NOT-FOR-US: Koobi CMS CVE-2005-1372 (nvstatsmngr.exe process in BakBone NetVault 7.1 does not properly drop ...) NOT-FOR-US: NetVault CVE-2005-1371 (BPFTPServer service in BulletProof FTP Server 2.4.0.31 does not proper ...) NOT-FOR-US: NetVault CVE-2005-1370 (Unknown vulnerability in Radia Management Agent (RMA) in HP OpenView R ...) NOT-FOR-US: HP OpenView CVE-2005-1369 (The (1) it87 and (2) via686a drivers in I2C for Linux 2.6.x before 2.6 ...) - kernel-source-2.4.27 - kernel-source-2.6.8 2.6.8-16 - linux-2.6 (Fixed before upload into archive; 2.6.11.8) CVE-2005-1368 (The key_user_lookup function in security/keys/key.c in Linux kernel 2. ...) [sarge] - kernel-source-2.6.8 - kernel-source-2.4.27 - linux-2.6 (Fixed before upload into archive; 2.6.11.8) CVE-2005-1367 (Pico Server (pServ) 3.2 and earlier allows local users to read arbitra ...) NOT-FOR-US: pServ CVE-2005-1366 (Pico Server (pServ) 3.2 and earlier allows remote attackers to obtain ...) NOT-FOR-US: pServ CVE-2005-1365 (Pico Server (pServ) 3.2 and earlier allows remote attackers to execute ...) NOT-FOR-US: pServ CVE-2005-XXXX [Insecure mailbox generation in passwd's useradd] - shadow 4.0.8 [sarge] - shadow (was introduced after version 4.0.3) [woody] - shadow (was introduced after version 4.0.3) CVE-2005-1364 (Multiple SQL injection vulnerabilities in MetaBid Auctions allow remot ...) NOT-FOR-US: MetaBid Auctions CVE-2005-1363 (Multiple SQL injection vulnerabilities in MetaCart 2.0 for PayFlow all ...) NOT-FOR-US: MetaCart CVE-2005-1362 (Multiple SQL injection vulnerabilities in MetaCart 2.0 for Paypal allo ...) NOT-FOR-US: MetaCart CVE-2005-1361 (Multiple SQL injection vulnerabilities in MetaCart e-Shop 8.0 allow re ...) NOT-FOR-US: MetaCart CVE-2005-1360 (PHP remote file inclusion vulnerability in error.php in GrayCMS 1.1 al ...) NOT-FOR-US: GrayCMS CVE-2005-1359 (Cross-site scripting (XSS) vulnerability in text.cgi script allows rem ...) NOT-FOR-US: text.cgi CVE-2005-1358 (text.cgi script allows remote attackers to execute arbitrary commands ...) NOT-FOR-US: text.cgi CVE-2005-1357 (text.cgi script allows remote attackers to read arbitrary files via a ...) NOT-FOR-US: text.cgi CVE-2005-1356 (Cross-site scripting (XSS) vulnerability in includer.cgi script in The ...) NOT-FOR-US: includer.cgi CVE-2005-1355 (includer.cgi in The Includer allows remote attackers to read arbitrary ...) NOT-FOR-US: includer.cgi CVE-2005-1354 (The forum.pl script allows remote attackers to execute arbitrary comma ...) NOT-FOR-US: forum.pl CVE-2005-1353 (The forum.pl script allows remote attackers to read arbitrary files vi ...) NOT-FOR-US: forum.pl CVE-2005-1352 (Cross-site scripting (XSS) vulnerability in the ad.cgi script allows r ...) NOT-FOR-US: ad.cgi CVE-2005-1351 (The ad.cgi script allows remote attackers to execute arbitrary command ...) NOT-FOR-US: ad.cgi CVE-2005-1350 (The ad.cgi script allows remote attackers to read arbitrary files via ...) NOT-FOR-US: ad.cgi CVE-2005-1349 (Buffer overflow in Convert-UUlib (Convert::UUlib) before 1.051 allows ...) {DSA-727-1} - libconvert-uulib-perl 1.0.5.1 CVE-2005-1348 (Buffer overflow in HTTPMail in MailEnable Enterprise 1.04 and earlier ...) NOT-FOR-US: MailEnable CVE-2005-1347 NOT-FOR-US: acrobat CVE-2005-1346 (Multiple Symantec AntiVirus products, including Norton AntiVirus 2005 ...) NOT-FOR-US: Symantec CVE-2005-1345 (Squid 2.5.STABLE9 and earlier does not trigger a fatal error when it i ...) {DSA-721-1} - squid 2.5.9-7 CVE-2005-1344 (Buffer overflow in htdigest in Apache 2.0.52 may allow attackers to ex ...) - apache2 2.0.54-3 (bug #322604) CVE-2005-1343 (Stack-based buffer overflow in the VPN daemon (vpnd) for Mac OS X befo ...) NOT-FOR-US: vpnd for Mac OS X CVE-2005-1342 (The x-man-page: URI handler for Apple Terminal 1.4.4 in Mac OS X 10.3. ...) NOT-FOR-US: Apple Terminal CVE-2005-1341 (Apple Terminal 1.4.4 allows attackers to execute arbitrary commands vi ...) NOT-FOR-US: Apple Terminal CVE-2005-1340 (The HTTP proxy service in Server Admin for Mac OS X 10.3.9 does not re ...) NOT-FOR-US: Mac OS X CVE-2005-1339 (lukemftpd in Mac OS X 10.3.9 allows remote authenticated users to esca ...) - lukemftpd (our lukemftpd uses pw->pw_name when checking /etc/ftpchroot) CVE-2005-1338 (Mac OS X 10.3.9, when using an LDAP server that does not use ldap_exte ...) NOT-FOR-US: Mac OS X CVE-2005-1337 (Apple Help Viewer 2.0.7 and 3.0.0 in Mac OS X 10.3.9 allows remote att ...) NOT-FOR-US: Mac OS X CVE-2005-1336 (Buffer overflow in the Foundation framework for Mac OS X 10.3.9 allows ...) NOT-FOR-US: Mac OS X CVE-2005-1335 (Unknown vulnerability in Mac OS X 10.3.9 allows local users to gain pr ...) NOT-FOR-US: Mac OS X CVE-2005-1334 REJECTED CVE-2005-1333 (Directory traversal vulnerability in the Bluetooth file and object exc ...) NOT-FOR-US: Mac OS X CVE-2005-1332 (Bluetooth-enabled systems in Mac OS X 10.3.9 enables the Bluetooth fil ...) NOT-FOR-US: Mac OS X CVE-2005-1331 (The AppleScript Editor in Mac OS X 10.3.9 does not properly display sc ...) NOT-FOR-US: Mac OS X CVE-2005-1330 (AppKit in Mac OS X 10.3.9 allows attackers to cause a denial of servic ...) NOT-FOR-US: Mac OS X CVE-2005-1329 (owOfflineCC.asp in OneWorldStore allows remote attackers to obtain sen ...) NOT-FOR-US: OneWorldStore CVE-2005-1328 (OneWorldStore allows remote attackers to cause a denial of service (ap ...) NOT-FOR-US: OneWorldStore CVE-2005-1327 (Cross-site scripting (XSS) vulnerability in pms.php for Woltlab Burnin ...) NOT-FOR-US: Woltlab Burning Board CVE-2005-1326 (Buffer overflow in VooDoo cIRCle BOTNET before 1.0.33 allows remote au ...) NOT-FOR-US: VooDoo cIRCle BOTNET CVE-2005-1325 (set_lang.php in phpMyVisites 1.3 allows remote attackers to read and i ...) NOT-FOR-US: phpMyVisites CVE-2005-1324 (Multiple cross-site scripting (XSS) vulnerabilities in index.php for p ...) NOT-FOR-US: phpMyVisites CVE-2005-1323 (Buffer overflow in NetFtpd for NetTerm 5.1.1 and earlier allows remote ...) NOT-FOR-US: NetTerm CVE-2005-1322 (Cross-site scripting (XSS) vulnerability in Horde Nag Task List Manage ...) - nag 1.1-3.1 (bug #307173) CVE-2005-1321 (Cross-site scripting (XSS) vulnerability in Horde Vacation module befo ...) - sork-vacation 2.2.2-1 CVE-2005-1320 (Cross-site scripting (XSS) vulnerability in Horde Mnemo Note Manager b ...) - mnemo 1.1-2.1 (bug #307180) - mnemo2 (fixed before 2.1.1) CVE-2005-1319 (Cross-site scripting (XSS) vulnerability in Horde IMP Webmail client b ...) - imp4 - imp3 3.2.8-1 (bug #328218; low) CVE-2005-1318 (Cross-site scripting (XSS) vulnerability in Horde Forwards E-Mail Forw ...) - sork-forwards 2.2.2-1 CVE-2005-1317 (Cross-site scripting (XSS) vulnerability in Horde Chora module before ...) NOT-FOR-US: Hord Chora module CVE-2005-1316 (Cross-site scripting (XSS) vulnerability in Horde Accounts module befo ...) - sork-accounts 2.1.2-1 CVE-2005-1315 (Cross-site scripting (XSS) vulnerability in Horde Turba module before ...) - turba 1.2.5-1 CVE-2005-1314 (Cross-site scripting (XSS) vulnerability in Horde Kronolith module bef ...) - kronolith 1.1.4-1 CVE-2005-1313 (Cross-site scripting (XSS) vulnerability in Horde Passwd module before ...) - sork-passwd 2.2.2-1 CVE-2005-1312 (PHP remote file inclusion vulnerability in Yappa-NG before 2.3.2 allow ...) NOT-FOR-US: Yappa-NG CVE-2005-1311 (Cross-site scripting (XSS) vulnerability in Yappa-NG before 2.3.2 allo ...) NOT-FOR-US: Yappa-NG CVE-2005-1310 (SQL injection vulnerability in bBlog 0.7.4 allows remote attackers to ...) NOT-FOR-US: bBlog CVE-2005-1309 (Cross-site scripting (XSS) vulnerability in bBlog 0.7.4 allows remote ...) NOT-FOR-US: bBlog CVE-2005-1308 (SqWebMail allows remote attackers to inject arbitrary web script or HT ...) - courier (bug #307575; unimportant) CVE-2005-1307 (The (1) stopserver.sh and (2) startserver.sh scripts in Adobe Version ...) NOT-FOR-US: Adobe Version Cue CVE-2005-1306 (The Adobe Reader control in Adobe Reader and Acrobat 7.0 and 7.0.1 all ...) NOT-FOR-US: Adobe Reader 7 CVE-2005-1305 (The hyper.cgi script allows remote attackers to read arbitrary files v ...) NOT-FOR-US: hyper.cgi CVE-2005-1304 (The citat.pl script allows remote attackers to execute arbitrary files ...) NOT-FOR-US: citat.pl CVE-2005-1303 (The citat.pl script allows remote attackers to read arbitrary files vi ...) NOT-FOR-US: citat.pl CVE-2005-1302 (SQL injection vulnerability in Confixx 3.08 and earlier allows remote ...) NOT-FOR-US: Confixx CVE-2005-1301 (nProtect:Netizen 2005.3.17.1 does not properly verify that the update ...) NOT-FOR-US: nProtect:Netizen CVE-2005-1300 (Cross-site scripting (XSS) vulnerability in the inserter.cgi script al ...) NOT-FOR-US: inserter.cgi CVE-2005-1299 (The inserter.cgi script allows remote attackers to execute arbitrary c ...) NOT-FOR-US: inserter.cgi CVE-2005-1298 (The inserter.cgi script allows remote attackers to read arbitrary file ...) NOT-FOR-US: inserter.cgi CVE-2005-1297 (Cross-site scripting (XSS) vulnerability in the include.cgi script all ...) NOT-FOR-US: include.cgi CVE-2005-1296 (include.cgi script allows remote attackers to execute arbitrary comman ...) NOT-FOR-US: include.cgi CVE-2005-1295 (include.cgi script allows remote attackers to read arbitrary files via ...) NOT-FOR-US: include.cgi CVE-2005-1294 (The affix_sock_register in the Affix Bluetooth Protocol Stack for Linu ...) - affix-kernel 2.1.1-1.1 CVE-2005-1293 (Multiple SQL injection vulnerabilities in default.asp in StorePortal 2 ...) NOT-FOR-US: StorePortal CVE-2005-1292 (Multiple cross-site scripting (XSS) vulnerabilities in CartWIZ ASP Car ...) NOT-FOR-US: CartWIZ ASP Cart CVE-2005-1291 (Multiple SQL injection vulnerabilities in CartWIZ ASP Cart allow remot ...) NOT-FOR-US: CartWIZ ASP Cart CVE-2005-1290 (Multiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.14 an ...) - phpbb2 2.0.13-6sarge1 (low) CVE-2005-1289 (index.cgi in E-Cart 2004 1.1 and earlier allows remote attackers to ex ...) NOT-FOR-US: E-Cart CVE-2005-1288 (inc_login_check.asp ACS Blog 0.8 through 1.1.3 allows remote attackers ...) NOT-FOR-US: ACS Blog CVE-2005-1287 (Multiple SQL injection vulnerabilities in BK Forum 4.0 allow remote at ...) NOT-FOR-US: BK Forum CVE-2005-1286 (Unquoted Windows search path vulnerability in BitDefender 8 allows loc ...) NOT-FOR-US: Bitdefender CVE-2005-1285 (Cross-site scripting (XSS) vulnerability in thread.php in WoltLab Burn ...) NOT-FOR-US: Woltlab Burning Board CVE-2005-1284 (The addnew script in Argosoft Mail Server Pro 1.8.7.6 allows remote at ...) NOT-FOR-US: Argosoft Mail Server Pro CVE-2005-1283 (Multiple directory traversal vulnerabilities in Argosoft Mail Server P ...) NOT-FOR-US: Argosoft Mail Server Pro CVE-2005-1282 (Multiple cross-site scripting (XSS) vulnerabilities in Argosoft Mail S ...) NOT-FOR-US: Argosoft Mail Server Pro CVE-2005-1281 (Ethereal 0.10.10 and earlier allows remote attackers to cause a denial ...) - ethereal 0.10.10-2 CVE-2005-1280 (The rsvp_print function in tcpdump 3.9.1 and earlier allows remote att ...) - ethereal 0.10.10-2 - tcpdump 3.8.3-4 CVE-2005-1279 (tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of ...) {DSA-850-1} - tcpdump 3.8.3-4 CVE-2005-1278 (The isis_print function, as called by isoclns_print, in tcpdump 3.9.1 ...) - tcpdump 3.8.3-4 (bug #307920) CVE-2005-1277 REJECTED CVE-2005-1276 RESERVED CVE-2005-1275 (Heap-based buffer overflow in the ReadPNMImage function in pnm.c for I ...) - imagemagick 6:6.0.6.2-2.3 (bug #306424) CVE-2005-1274 (Stack-based buffer overflow in the getIfHeader function in the WebDAV ...) - maxdb-7.5.00 7.5.00.24-3 CVE-2005-1273 RESERVED CVE-2005-1272 (Stack-based buffer overflow in the Backup Agent for Microsoft SQL Serv ...) NOT-FOR-US: Backup Agent for Microsoft SQL CVE-2005-1271 REJECTED CVE-2005-1270 (The (1) check_update.sh and (2) rkhunter script in Rootkit Hunter befo ...) - rkhunter 1.2.7-14 (medium) CVE-2002-1658 (Buffer overflow in htdigest in Apache 1.3.26 and 1.3.27 may allow atta ...) - apache 1.3.31-1 CVE-2005-XXXX [Unspecified buffer overflow in Convert::UUlib perl module] - libconvert-uulib-perl 1.0.5.1-1 CVE-2005-1269 (Gaim before 1.3.1 allows remote attackers to cause a denial of service ...) {DSA-734-1} - gaim 1:1.3.1-1 (bug #315356; low) CVE-2005-1268 (Off-by-one error in the mod_ssl Certificate Revocation List (CRL) veri ...) {DSA-805-1} - apache2 2.0.54-5 (bug #320048; bug #320063; bug #322613; low) - apache (Not affected, see #322613) CVE-2005-1267 (The bgp_update_print function in tcpdump 3.x does not properly handle ...) {DSA-854-1} - tcpdump 3.9.0.cvs.20050614-1 (medium) CVE-2005-1266 (Apache SpamAssassin 3.0.1, 3.0.2, and 3.0.3 allows remote attackers to ...) {DSA-736-2 DSA-736-1} - spamassassin 3.0.4-1 (bug #314447; medium) CVE-2005-1265 (The mmap function in the Linux Kernel 2.6.10 can be used to create mem ...) {DSA-922-1} - linux-2.6 2.6.12-1 CVE-2005-1264 (Raw character devices (raw.c) in the Linux kernel 2.6.x call the wrong ...) - linux-2.6 (Fixed before upload into archive; 2.6.11.10) [sarge] - kernel-source-2.6.8 2.6.8-16 CVE-2005-1263 (The elf_core_dump function in binfmt_elf.c for Linux kernel 2.x.x to 2 ...) - linux-2.6 (Fixed before upload into archive; 2.6.12-rc4) [sarge] - kernel-source-2.6.8 2.6.8-16 [sarge] - kernel-source-2.4.27 2.4.27-10 NOTE: believed not to be exploitable in 2.6 after all, re Greg K-H CVE-2005-1262 (Gaim 1.2.1 and earlier allows remote attackers to cause a denial of se ...) - gaim 1:1.2.1-1.1 CVE-2005-1261 (Stack-based buffer overflow in the URL parsing function in Gaim before ...) - gaim 1:1.2.1-1.1 CVE-2005-1260 (bzip2 allows remote attackers to cause a denial of service (hard drive ...) {DSA-741-1} - bzip2 1.0.2-7 CVE-2005-1259 RESERVED CVE-2005-1258 RESERVED CVE-2005-1257 RESERVED CVE-2005-1256 (Stack-based buffer overflow in the IMAP daemon (IMAPD32.EXE) in IMail ...) NOT-FOR-US: IMail CVE-2005-1255 (Multiple stack-based buffer overflows in the IMAP server in IMail 8.12 ...) NOT-FOR-US: IMail CVE-2005-1254 (Stack-based buffer overflow in the IMAP server for Ipswitch IMail 8.12 ...) NOT-FOR-US: IMail CVE-2005-1253 RESERVED CVE-2005-1252 (Directory traversal vulnerability in the Web Calendaring server in Ips ...) NOT-FOR-US: IMail CVE-2005-1251 RESERVED CVE-2005-1250 (SQL injection vulnerability in the logon screen of the web front end ( ...) NOT-FOR-US: IpSwitch CVE-2005-1249 (The IMAP daemon (IMAPD32.EXE) in Ipswitch Collaboration Suite (ICS) al ...) NOT-FOR-US: IMail CVE-2005-1248 (Buffer overflow in Apple iTunes before 4.8 allows remote attackers to ...) NOT-FOR-US: Apple iTunes CVE-2005-1247 (webadmin.exe in Novell Nsure Audit 1.0.1 allows remote attackers to ca ...) NOT-FOR-US: Novell Nsure Audit CVE-2005-1246 (Format string vulnerability in the snmppd_log function in snmppd_util. ...) NOT-FOR-US: snmppd CVE-2005-XXXX [Multiple security problems in Quake 2] NOTE: this release added lots of warnings about the security problems - quake2 1:0.3-1.1 CVE-2005-1245 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.4.2, wh ...) - mediawiki 1.4.9 (bug #276057) CVE-2005-1244 NOT-FOR-US: AS/400 FTP server addon CVE-2005-1243 (Directory traversal vulnerability in the third party tool from SafeSto ...) NOT-FOR-US: AS/400 FTP server addon CVE-2005-1242 (Directory traversal vulnerability in the third party tool from Bsafe, ...) NOT-FOR-US: AS/400 FTP server addon CVE-2005-1241 (Directory traversal vulnerability in the third party tool from Powerte ...) NOT-FOR-US: AS/400 FTP server addon CVE-2005-1240 (Directory traversal vulnerability in the third party tool from Castleh ...) NOT-FOR-US: AS/400 FTP server addon CVE-2005-1239 (Directory traversal vulnerability in the third party tool from Raz-Lee ...) NOT-FOR-US: AS/400 FTP server addon CVE-2005-1238 (By design, the built-in FTP server for iSeries AS/400 systems does not ...) NOT-FOR-US: AS/400 FTP server CVE-2005-1237 (SQL injection vulnerability in news.php in FlexPHPNews 0.0.3 allows re ...) NOT-FOR-US: FlexPHPNews CVE-2005-1236 (Multiple SQL injection vulnerabilities in DUware DUportal 3.1.2 and 3. ...) NOT-FOR-US: DUPortal CVE-2005-1235 (auction_my_auctions.php in phpbb-Auction 1.2m and earlier allows remot ...) NOT-FOR-US: phpbb-Auction CVE-2005-1234 (Multiple SQL injection vulnerabilities in phpbb-Auction allow remote a ...) NOT-FOR-US: phpbb-Auction CVE-2005-1233 (Cross-site scripting (XSS) vulnerability in index.php in PHP Labs proF ...) NOT-FOR-US: PHP Labs proFile CVE-2005-1232 (Buffer overflow in Sun Java System Web Proxy Server (aka Sun ONE Proxy ...) NOT-FOR-US: Sun ONE Proxy Server CVE-2005-1231 (Cross-site scripting (XSS) vulnerability in the NewTerm function in Gl ...) NOT-FOR-US: JAWS CVE-2005-1230 (Directory traversal vulnerability in Yawcam 0.2.5 allows remote attack ...) NOT-FOR-US: Yawcan CVE-2005-1229 (Directory traversal vulnerability in cpio 2.6 and earlier allows remot ...) {DSA-846-1} - cpio 2.6-6 (bug #306693; medium) CVE-2005-1228 (Directory traversal vulnerability in gunzip -N in gzip 1.2.4 through 1 ...) {DSA-752-1} - gzip 1.3.5-10 CVE-2005-1227 (Cross-site scripting (XSS) vulnerability in PHProjekt 4.2 and earlier ...) NOT-FOR-US: PHPProjekt CVE-2005-1226 (Coppermine Photo Gallery 1.3.2 stores passwords in plaintext, which al ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2005-1225 (SQL injection vulnerability in Coppermine Photo Gallery 1.3.2 allows r ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2005-1224 (Multiple SQL injection vulnerabilities in DUware DUportal Pro 3.4 allo ...) NOT-FOR-US: DUPortal CVE-2005-1223 (Multiple SQL injection vulnerabilities in Ocean12 Calendar manager 1.0 ...) NOT-FOR-US: Ocean12 Calender manager CVE-2005-1222 (cat_for_gen.php in Annuaire Netref 4.2 allows remote attackers to exec ...) NOT-FOR-US: Annuaire Netref CVE-2005-1221 (SQL injection vulnerability in login.asp for Ecommerce-Carts EcommPro ...) NOT-FOR-US: ECommPro CVE-2005-1220 (Shoutbox SCRIPT 3.0.2 and earlier allows remote attackers to obtain se ...) NOT-FOR-US: Shoutbox CVE-2005-1219 (Buffer overflow in the Microsoft Color Management Module for Windows a ...) NOT-FOR-US: Microsoft Color Management Module CVE-2005-1218 (The Microsoft Windows kernel in Microsoft Windows 2000 Server, Windows ...) NOT-FOR-US: Microsoft Color Management Module CVE-2005-1217 RESERVED CVE-2005-1216 (Microsoft ISA Server 2000 allows remote attackers to connect to servic ...) NOT-FOR-US: Microsoft CVE-2005-1215 (Microsoft ISA Server 2000 allows remote attackers to poison the ISA ca ...) NOT-FOR-US: Microsoft CVE-2005-1214 (Microsoft Agent allows remote attackers to spoof trusted Internet cont ...) NOT-FOR-US: Microsoft CVE-2005-1213 (Stack-based buffer overflow in the news reader for Microsoft Outlook E ...) NOT-FOR-US: Microsoft CVE-2005-1212 (Buffer overflow in Microsoft Step-by-Step Interactive Training (orun32 ...) NOT-FOR-US: Microsoft CVE-2005-1211 (Buffer overflow in the PNG image rendering component of Microsoft Inte ...) NOT-FOR-US: Microsoft CVE-2005-1210 RESERVED CVE-2005-1209 RESERVED CVE-2005-1208 (Integer overflow in Microsoft Windows 98, 2000, XP SP2 and earlier, an ...) NOT-FOR-US: Microsoft CVE-2005-1207 (Buffer overflow in the Web Client service in Microsoft Windows XP and ...) NOT-FOR-US: Microsoft CVE-2005-1206 (Buffer overflow in the Server Message Block (SMB) functionality for Mi ...) NOT-FOR-US: Microsoft CVE-2005-1205 (The Telnet client for Microsoft Windows XP, Windows Server 2003, and W ...) NOT-FOR-US: Microsoft CVE-2002-1657 (PostgreSQL uses the username for a salt when generating passwords, whi ...) - postgresql (unimportant) NOTE: This is not a real world problem; it's only applicable in rare circurstances NOTE: like someone analysing stolen user database information and even then the gain NOTE: is slim. In that case SHA256 hashes would be more appropriate anyway. CVE-2005-XXXX [libpam-ssh: Inproper caching of pwd data with potential security implications] - libpam-ssh 1.91.0-9 CVE-2005-1204 (Desktop Rover 3.0, and possibly earlier versions, allows remote attack ...) NOT-FOR-US: Desktop Rover CVE-2005-1203 (Multiple SQL injection vulnerabilities in index.php in eGroupware befo ...) - egroupware 1.0.0.007-2.dfsg-1 CVE-2005-1202 (Multiple cross-site scripting (XSS) vulnerabilities in eGroupware befo ...) - egroupware 1.0.0.007-2.dfsg-1 CVE-2005-1201 (Multiple directory traversal vulnerabilities in AZ Bulletin board (AZb ...) NOT-FOR-US: AZbb CVE-2005-1200 (PHP remote file inclusion vulnerability in main_index.php in AZ Bullet ...) NOT-FOR-US: AZbb CVE-2005-1199 (SQL injection vulnerability in printthread.php in UBB.Threads allows r ...) NOT-FOR-US: UBB.threads CVE-2005-1198 (Directory traversal vulnerability in apexec.pl for Anaconda Foundation ...) NOT-FOR-US: Anaconda Foundation Directory CVE-2005-1197 (SQL injection vulnerability in the SYS.DBMS_CDC_IPUBLISH.CREATE_SCN_CH ...) NOT-FOR-US: Oracle CVE-2005-1196 (SQL injection vulnerability in kb.php in the Knowledge Base module for ...) NOT-FOR-US: PHPBB Knowledgebase Mod CVE-2005-1195 (Multiple heap-based buffer overflows in the code used to handle (1) MM ...) - xine-lib 1.0.1-1 - mplayer (fixed in 1.0-pre7, which was released before etch) CVE-2005-1194 (Stack-based buffer overflow in the ieee_putascii function for nasm 0.9 ...) - nasm 0.98.38-1.2 (bug #309049) CVE-2005-1193 (The bbencode_second_pass and make_clickable functions in bbcode.php fo ...) - phpbb2 2.0.13-6sarge1 (medium) CVE-2005-1192 (Unknown vulnerability in HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and ...) NOT-FOR-US: HP-UX CVE-2004-1776 (Cisco IOS 12.1(3) and 12.1(3)T allows remote attackers to read and mod ...) NOT-FOR-US: Cisco CVE-2004-1775 (Cisco VACM (View-based Access Control MIB) for Catalyst Operating Soft ...) NOT-FOR-US: Cisco CVE-2003-1132 (The DNS server for Cisco Content Service Switch (CSS) 11000 and 11500, ...) NOT-FOR-US: Cisco CVE-2001-1476 (SSH before 2.0, with RC4 encryption and the "disallow NULL passwords" ...) NOT-FOR-US: Commercial SSH CVE-2001-1475 (SSH before 2.0, when using RC4 and password authentication, allows rem ...) NOT-FOR-US: Commercial SSH CVE-2001-1474 (SSH before 2.0 disables host key checking when connecting to the local ...) NOT-FOR-US: Commercial SSH CVE-2001-1473 (The SSH-1 protocol allows remote servers to conduct man-in-the-middle ...) NOTE: SSH1 protocol design flaw issue, proper fix is to use the SSH2 protocol. CVE-2001-1472 (SQL injection vulnerability in prefs.php in phpBB 1.4.0 and 1.4.1 allo ...) - phpbb2 2.0.6c-1 CVE-2001-1471 (prefs.php in phpBB 1.4.0 and earlier allows remote authenticated users ...) - phpbb2 2.0.6c-1 CVE-2001-1470 (The IDEA cipher as implemented by SSH1 does not protect the final bloc ...) NOT-FOR-US: SSH1 protocol design flaw issue, proper fix is to use the SSH2 protocol CVE-2001-1469 (The RC4 stream cipher as used by SSH1 allows remote attackers to modif ...) NOT-FOR-US: SSH1 protocol design flaw issue, proper fix is to use the SSH2 protocol CVE-2001-1468 (PHP remote file inclusion vulnerability in checklogin.php in phpSecure ...) NOT-FOR-US: phpSecurePages CVE-2001-1467 (mkpasswd in expect 5.2.8, as used by Red Hat Linux 6.2 through 7.0, se ...) - expect (in expect 5.42.1, mkpasswd does not seed by pid) NOTE: doesn't seem to seed at all; my tests indicate it generates no dups in NOTE: some 100000 passwords. CVE-2001-1466 (Buffer overflow in VanDyke SecureCRT before 3.4.2, when using the SSH- ...) NOT-FOR-US: VanDyke SecureCRT CVE-2001-1465 (SurfControl SuperScout only filters packets containing both an HTTP GE ...) NOT-FOR-US: SurfControl SuperScout CVE-2001-1464 (Crystal Reports, when displaying data for a password protected databas ...) NOT-FOR-US: Crystal Reports CVE-2001-1463 (The remote administration client for RhinoSoft Serv-U 3.0 sends the us ...) NOT-FOR-US: RhinoSoft Serv-U CVE-2001-1462 (WebID in RSA Security SecurID 5.0 as used by ACE/Agent for Windows, Wi ...) NOT-FOR-US: RSA Security SecurID CVE-2001-1461 (Directory traversal vulnerability in WebID in RSA Security SecurID 5.0 ...) NOT-FOR-US: RSA Security SecurID CVE-2001-1460 (SQL injection vulnerability in article.php in PostNuke 0.62 through 0. ...) NOT-FOR-US: PostNuke CVE-2001-1459 (OpenSSH 2.9 and earlier does not initiate a Pluggable Authentication M ...) - openssh 1:3.0.1p1-1 CVE-2001-1458 (Directory traversal vulnerability in Novell GroupWise 5.5 and 6.0 allo ...) NOT-FOR-US: Novell Groupwise CVE-2001-1457 (Buffer overflow in CrazyWWWBoard 2000p4 and 2000LEp5 allows remote att ...) NOT-FOR-US: CrazyWWWBoard CVE-2001-1456 (Buffer overflow in the (1) smap/smapd and (2) CSMAP daemons for Gauntl ...) NOT-FOR-US: Gauntlet Firewall CVE-2001-1455 (Netegrity SiteMinder 3.6 through 4.5.1 allows remote attackers to bypa ...) NOT-FOR-US: Netegrity SiteMinder CVE-2001-1454 (Buffer overflow in MySQL before 3.23.33 allows remote attackers to exe ...) - mysql-dfsg 3.23.33-1 CVE-2001-1453 (Buffer overflow in libmysqlclient.so in MySQL 3.23.33 and earlier allo ...) - mysql-dfsg 3.23.33-1 CVE-2001-1452 (By default, DNS servers on Windows NT 4.0 and Windows 2000 Server cach ...) NOT-FOR-US: Windows CVE-2001-1451 (Memory leak in the SNMP LAN Manager (LANMAN) MIB extension for Microso ...) NOT-FOR-US: Windows CVE-2001-1450 (Microsoft Internet Explorer 5.0 through 6.0 allows attackers to cause ...) NOT-FOR-US: Windows CVE-2001-1449 (The default installation of Apache before 1.3.19 on Mandrake Linux 7.1 ...) - apache (Mandrake specific packaging flaw) CVE-2001-1448 (Magic eDeveloper Enterprise Edition 8.30-5 and earlier allows local us ...) NOT-FOR-US: Magic eDeveloper CVE-2001-1447 (NetInfo Manager for Mac OS X 10.0 through 10.1 allows local users to g ...) NOT-FOR-US: Windows CVE-2001-1446 (Find-By-Content in Mac OS X 10.0 through 10.0.4 creates world-readable ...) NOT-FOR-US: MacOS X CVE-2001-1445 (Unknown vulnerability in the SMTP server in Lotus Domino 5.0 through 5 ...) NOT-FOR-US: Lotus Domino CVE-2001-1444 (The Kerberos Telnet protocol, as implemented by KTH Kerberos IV and Ke ...) NOT-FOR-US: Generic protocol flaw CVE-2001-1443 (KTH Kerberos IV and Kerberos V (Heimdal) for Telnet clients do not enc ...) NOT-FOR-US: Generic protocol flaw CVE-2001-1442 (Buffer overflow in innfeed for ISC InterNetNews (INN) before 2.3.0 all ...) - inn2 2.3.3+20020922-1 - innfeed 0.10.1.7-7 CVE-2001-1441 (Cross-site scripting (XSS) vulnerability in VisualAge for Java 3.5 Pro ...) NOT-FOR-US: VisualAge for Java CVE-2001-1440 (Unknown vulnerability in login for AIX 5.1L, when using loadable authe ...) NOT-FOR-US: AIX CVE-2001-1439 (Buffer overflow in the text editor functionality in HP-UX 10.01 throug ...) NOT-FOR-US: HP-UX CVE-2001-1438 (Handspring Visor 1.0 and 1.0.1 with the VisorPhone Springboard module ...) NOT-FOR-US: Handspring Visor CVE-2001-1437 (easyScripts easyNews 1.5 allows remote attackers to obtain the full pa ...) NOT-FOR-US: easyScripts easyNews CVE-2001-1436 (Dallas Semiconductor iButton DS1991 returns predictable values when gi ...) NOT-FOR-US: Dallas Semiconductor iButton DS1991 CVE-2001-1435 (inetd in Compaq Tru64 UNIX 5.1 allows attackers to cause a denial of s ...) NOT-FOR-US: Tru64 UNIX CVE-2001-1434 (Cisco IOS 12.0(5)XU through 12.1(2) allows remote attackers to read sy ...) NOT-FOR-US: IOS CVE-2000-1223 (quikstore.cgi in Quikstore Shopping Cart allows remote attackers to ex ...) NOT-FOR-US: Quikstore Shopping Cart CVE-2000-1222 (AIX sysback before 4.2.1.13 uses a relative path to find and execute t ...) NOT-FOR-US: AIX CVE-2000-1221 (The line printer daemon (lpd) in the lpr package in multiple Linux ope ...) - lpr 1:0.48-1 CVE-2000-1220 (The line printer daemon (lpd) in the lpr package in multiple Linux ope ...) - lpr 1:0.48-1 CVE-2000-1219 (The -ftrapv compiler option in gcc and g++ 3.3.3 and earlier does not ...) - gcc-3.3 1:3.3.4-1 CVE-2000-1218 (The default configuration for the domain name resolver for Microsoft W ...) NOT-FOR-US: Windows CVE-2000-1217 (Microsoft Windows 2000 before Service Pack 2 (SP2), when running in a ...) NOT-FOR-US: Windows CVE-2000-1216 (Buffer overflow in portmir for AIX 4.3.0 allows local users to corrupt ...) NOT-FOR-US: AIX CVE-2000-1215 (The default configuration of Lotus Domino server 5.0.8 includes system ...) NOT-FOR-US: Lotus Domino CVE-1999-1583 (Buffer overflow in nslookup for AIX 4.3 allows local users to execute ...) NOT-FOR-US: AIX CVE-1999-1582 (By design, the "established" command on the Cisco PIX firewall allows ...) NOT-FOR-US: Cisco CVE-1999-1581 (Memory leak in Simple Network Management Protocol (SNMP) agent (snmp.e ...) NOT-FOR-US: Windows CVE-1999-1580 (SunOS sendmail 5.59 through 5.65 uses popen to process a forwarding ho ...) - sendmail (Sun-specific) CVE-1999-1579 (The Cenroll ActiveX control (xenroll.dll) for Terminal Server Editions ...) NOT-FOR-US: Windows CVE-1999-1578 (Buffer overflow in Registration Wizard ActiveX control (regwizc.dll, I ...) NOT-FOR-US: Windows CVE-1999-1577 (Buffer overflow in HHOpen ActiveX control (hhopen.ocx) 1.0.0.1 for Int ...) NOT-FOR-US: Windows CVE-1999-1576 (Buffer overflow in Adobe Acrobat ActiveX control (pdf.ocx, PDF.PdfCtrl ...) NOT-FOR-US: Acrobat Reader CVE-1999-1575 (The Kodak/Wang (1) Image Edit (imgedit.ocx), (2) Image Annotation (img ...) NOT-FOR-US: Kodak/Wang tools for IE CVE-1999-1574 (Buffer overflow in the lex routines of nslookup for AIX 4.3 may allow ...) NOT-FOR-US: AIX CVE-1999-1573 (Multiple unknown vulnerabilities in the "r-cmnds" (1) remshd, (2) rexe ...) NOT-FOR-US: HP-UX CVE-2005-1191 (The Web View DLL (webvw.dll), as used in Windows Explorer on Windows 2 ...) NOT-FOR-US: Windows CVE-2005-1190 (WebcamXP PRO v2.16.468 and earlier allows remote attackers to cause a ...) NOT-FOR-US: WebcamXP CVE-2005-1189 (Cross-site scripting (XSS) vulnerability in WebcamXP PRO v2.16.468 and ...) NOT-FOR-US: WebcamXP CVE-2005-1188 (Cross-site scripting (XSS) vulnerability in comersus_searchItem.asp in ...) NOT-FOR-US: ComersusCart CVE-2005-1187 (Heap-based buffer overflow in WinHex 12.05 SR-14, and possibly other v ...) NOT-FOR-US: WinHex CVE-2005-1186 (Musicmatch Jukebox 10.00.2047 and earlier adds the musicmatch.com doma ...) NOT-FOR-US: Musicmatch CVE-2005-1185 (Unquoted Windows search path vulnerability in Musicmatch Jukebox 10.00 ...) NOT-FOR-US: Musicmatch CVE-2005-1184 (The TCP/IP stack in multiple operating systems allows remote attackers ...) NOT-FOR-US: Apparently bogus report. at least on Linux it couldn't be reproduced CVE-2005-1183 (Cross-site scripting (XSS) vulnerability in mvnForum 1.0 RC4 allows re ...) NOT-FOR-US: mvnForum CVE-2005-1182 (Unknown vulnerability in Incoming Remote Command (iSeries Access for W ...) NOT-FOR-US: iSeries OS CVE-2005-1181 NOT-FOR-US: Ariadne CMS CVE-2005-1180 (HTTP Response Splitting vulnerability in the Surveys module in PHP-Nuk ...) NOT-FOR-US: PHP-Nuke CVE-2005-1179 (Unknown vulnerability in Xerox MicroServer Web Server for various Work ...) NOT-FOR-US: Xerox CVE-2005-1178 (SQL injection vulnerability in Oracle Forms 10g allows remote attacker ...) NOT-FOR-US: Oracle CVE-2005-1177 (Unknown vulnerability in (1) Webmin and (2) Usermin before 1.200 cause ...) - webmin NOTE: I haven't found further information on this, but this appears to only NOTE: affect non-Debian setups CVE-2005-1176 (Race condition in JFS2 on AIX 5.2 and 5.3, when deleting a file while ...) NOT-FOR-US: AIX CVE-2005-1175 (Heap-based buffer overflow in the Key Distribution Center (KDC) in MIT ...) {DSA-757-1} - krb5 1.3.6-4 (bug #318437; medium) CVE-2005-1174 (MIT Kerberos 5 (krb5) 1.3 through 1.4.1 Key Distribution Center (KDC) ...) {DSA-757-1} - krb5 1.3.6-4 (bug #318437; medium) CVE-2004-1774 (Buffer overflow in the SDO_CODE_SIZE procedure of the MD2 package (MDS ...) NOT-FOR-US: Oracle CVE-2005-1173 (Buffer overflow in PMSoftware Simple Web Server 1.0 allows remote atta ...) NOT-FOR-US: PMSoftware Simple Web Server CVE-2005-1172 (Cross-site scripting (XSS) vulnerability in init.inc.php in Coppermine ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2005-1171 (Cross-site scripting (XSS) vulnerability in mod.php in the datenbank m ...) NOT-FOR-US: moddb phpbb2 add-on CVE-2005-1170 (SQL injection vulnerability in mod.php in the datenbank module for php ...) NOT-FOR-US: moddb phpbb2 add-on CVE-2005-1169 (Mafia Blog .4 BETA does not properly protect the admin directory, whic ...) NOT-FOR-US: Mafia Blog CVE-2005-1168 (DiagCollectionControl.dll in Musicmatch 10.00.2047 and earlier allows ...) NOT-FOR-US: Musicmatch CVE-2005-1167 (Musicmatch 10.00.2047 and earlier store log files in the Program Files ...) NOT-FOR-US: Musicmatch CVE-2005-1166 (The DNTUS26 process in Dameware NT Utilities and the DWRCS process in ...) NOT-FOR-US: Dameware CVE-2005-1165 (Yager 5.24 and earlier allows remote attackers to cause a denial of se ...) NOT-FOR-US: Yager game CVE-2005-1164 (Yager 5.24 and earlier allows remote attackers to cause a denial of se ...) NOT-FOR-US: Yager game CVE-2005-1163 (Multiple buffer overflows in Yager 5.24 and earlier allow remote attac ...) NOT-FOR-US: Yager game CVE-2005-1162 (Multiple cross-site scripting (XSS) vulnerabilities in OneWorldStore a ...) NOT-FOR-US: OneWorldStore CVE-2005-1161 (Multiple SQL injection vulnerabilities in OneWorldStore allow remote a ...) NOT-FOR-US: OneWorldStore CVE-2005-1160 (The privileged "chrome" UI code in Firefox before 1.0.3 and Mozilla Su ...) {DSA-781-1} - mozilla-firefox 1.0.3-1 - mozilla 2:1.7.7-1 - mozilla-thunderbird 1.0.6-1 (bug #318728; high) CVE-2005-1159 (The native implementations of InstallTrigger and other functions in Fi ...) {DSA-781-1} - mozilla-firefox 1.0.3-1 - mozilla 2:1.7.7-1 - mozilla-thunderbird 1.0.6-1 (bug #318728; medium) CVE-2005-1158 (Multiple "missing security checks" in Firefox before 1.0.3 allow remot ...) - mozilla-firefox 1.0.3-1 CVE-2005-1157 (Firefox before 1.0.3, Mozilla Suite before 1.7.7, and Netscape 7.2 all ...) - mozilla-firefox 1.0.3-1 - mozilla 2:1.7.7-1 CVE-2005-1156 (Firefox before 1.0.3, Mozilla Suite before 1.7.7, and Netscape 7.2 all ...) - mozilla-firefox 1.0.3-1 - mozilla 2:1.7.7-1 CVE-2005-1155 (The favicon functionality in Firefox before 1.0.3 and Mozilla Suite be ...) - mozilla-firefox 1.0.3-1 - mozilla 2:1.7.7-1 CVE-2005-1154 (Firefox before 1.0.3 and Mozilla Suite before 1.7.7 allows remote atta ...) - mozilla-firefox 1.0.3-1 - mozilla 2:1.7.7-1 CVE-2005-1153 (Firefox before 1.0.3 and Mozilla Suite before 1.7.7, when blocking a p ...) - mozilla-firefox 1.0.3-1 - mozilla 2:1.7.7-1 CVE-2005-1152 (popauth.c in qpopper 4.0.5 and earlier does not properly set the umask ...) {DSA-728-1} - qpopper 4.0.5-4sarge1 CVE-2005-1151 (qpopper 4.0.5 and earlier does not properly drop privileges before pro ...) {DSA-728-1} - qpopper 4.0.5-4sarge1 CVE-2005-1150 (Unknown vulnerability in Sun Java System Web Server 6.0 SP7 and earlie ...) NOT-FOR-US: Sun Java CVE-2005-1149 (SQL injection vulnerability in admin/login.asp in aspclick.it ACNews 1 ...) NOT-FOR-US: ACNews CVE-2005-1148 (calendar.pl in CalendarScript 3.21 allows remote attackers to obtain s ...) NOT-FOR-US: CalenderScript CVE-2005-1147 (calendar.pl in CalendarScript 3.20 allows remote attackers to obtain s ...) NOT-FOR-US: CalenderScript CVE-2005-1146 NOT-FOR-US: CalenderScript CVE-2005-1145 NOT-FOR-US: CalenderScript CVE-2005-1144 (popup.php in EasyPHPCalendar before 6.2.8 allows remote attackers to o ...) NOT-FOR-US: EasyPHPCalender CVE-2005-1143 (Cross-site scripting (XSS) vulnerability in index.php in EasyPHPCalend ...) NOT-FOR-US: EasyPHPCalender CVE-2005-1142 (Heap-based buffer overflow in the readpgm function in pnm.c for GOCR 0 ...) - gocr 0.39-5 CVE-2005-1141 (Integer overflow in the readpgm function in pnm.c for GOCR 0.40, when ...) - gocr 0.39-5 CVE-2005-1140 (Cross-site scripting (XSS) vulnerability in myBloggie 2.1.1 allows rem ...) NOT-FOR-US: MyBloggie CVE-2005-1139 (Opera 8 Beta 3, when using first-generation vetted digital certificate ...) NOT-FOR-US: Opera CVE-2005-1138 (Unknown vulnerability in WebMail in Kerio MailServer before 6.0.9 allo ...) NOT-FOR-US: Kerio CVE-2005-1137 (Simple PHP Blog (sphpBlog) 0.4.0 allows remote attackers to obtain sen ...) NOT-FOR-US: sphpBlog CVE-2005-1136 (Simple PHP Blog (sphpBlog) 0.4.0 stores the (1) password.txt and (2) c ...) NOT-FOR-US: sphpBlog CVE-2005-1135 (Cross-site scripting (XSS) vulnerability in search.php for Simple PHP ...) NOT-FOR-US: sphpBlog CVE-2005-1134 (SQL injection vulnerability in exit.php for Serendipity 0.8 and earlie ...) NOT-FOR-US: Serendipity CVE-2005-1133 (The POP3 server in IBM iSeries AS/400 returns different error messages ...) NOT-FOR-US: AS/400 system software CVE-2005-1132 (LG U8120 mobile phone allows remote attackers to cause a denial of ser ...) NOT-FOR-US: LG mobile phone CVE-2005-1131 (Unknown vulnerability in Veritas i3 Focalpoint Server 7.1 and earlier ...) NOT-FOR-US: Veritas Focalpoint Server CVE-2005-1130 (Cross-site scripting (XSS) vulnerability in index.php in Pinnacle Cart ...) NOT-FOR-US: PinnacleCart CVE-2005-1129 (eGroupWare 1.0.6 and earlier, when an e-mail is composed with an attac ...) - egroupware 1.0.0.007-2.dfsg-1 CVE-2005-1128 (Multiple SQL injection vulnerabilities in VHCS 2.4 and earlier allow r ...) NOT-FOR-US: VHCS CVE-2005-1127 (Format string vulnerability in the log function in Net::Server 0.87 an ...) {DSA-1122 DSA-1121} - libnet-server-perl 0.89-1 (bug #378640) NOTE: Net::Server was already fixed in 0.87-1, although the changelog doesn't mention NOTE: the security implication, which was noticed later. I've verified both fixes NOTE: are identical NOTE: but DSA-1122 thinks it was fixed in 0.89-1, so mark that version to make NOTE: scripts happy (at time of writing, 0.90-1 is in testing) - postgrey 1.22-1 CVE-2005-1126 (The SIOCGIFCONF ioctl (ifconf function) in FreeBSD 4.x through 4.11 an ...) NOT-FOR-US: Free BSD CVE-2005-1125 (Race condition in libsafe 2.0.16 and earlier, when running in multi-th ...) - libsafe CVE-2005-1124 (Unknown vulnerability in the libgss Generic Security Services Library ...) NOT-FOR-US: Solaris CVE-2005-1123 (Monkey daemon (monkeyd) before 0.9.1 allows remote attackers to cause ...) NOT-FOR-US: monkeyd CVE-2005-1122 (Format string vulnerability in cgi.c for Monkey daemon (monkeyd) befor ...) NOT-FOR-US: monkeyd CVE-2005-1121 (Format string vulnerability in the my_xlog function in lib.c for Oops! ...) {DSA-726-1} - oops 1.5.23.cvs-2.2 (bug #307360; high) CVE-2005-1120 (Multiple cross-site scripting (XSS) vulnerabilities in IlohaMail 0.8.1 ...) {DSA-1010-1} - ilohamail 0.8.14-0rc3sarge1 (bug #304525; medium) CVE-2005-1119 (Sudo VISudo 1.6.8 and earlier allows local users to corrupt arbitrary ...) - sudo (bug #283161; unimportant) NOTE: That's a policy violation, but not a security problem CVE-2005-1118 (Cross-site scripting (XSS) vulnerability in IISWebAgentIF.dll in the R ...) NOT-FOR-US: RSA authentication agent CVE-2005-1117 (PHP remote file inclusion vulnerability in index.php in All4WWW-Homepa ...) NOT-FOR-US: All4WWW Homepage creator CVE-2005-1116 (Cross-site scripting (XSS) vulnerability in the Calendar module for ph ...) NOT-FOR-US: phpbb2 calendar addon CVE-2005-1115 (Multiple cross-site scripting (XSS) vulnerabilities in Photo Album 2.0 ...) NOT-FOR-US: Photo Album CVE-2005-1114 (Multiple SQL injection vulnerabilities in album_search.php in Photo Al ...) NOT-FOR-US: Photo Album CVE-2005-1113 (Multiple cross-site scripting (XSS) vulnerabilities in PhpBB Plus 1.52 ...) NOT-FOR-US: PhpBB Plus CVE-2005-1112 (IBM WebSphere Application Server 6.0 and earlier, when sharing the doc ...) NOT-FOR-US: IBM Websphere CVE-2005-1111 (Race condition in cpio 2.6 and earlier allows local users to modify pe ...) {DSA-846-1} - cpio 2.6-6 (bug #305372; low) CVE-2005-1110 (Stack-based buffer overflow in the RespondeHTTPPendiente function in t ...) NOT-FOR-US: Sumus web server CVE-2005-1109 (The filtering of URLs in JunkBuster before 2.0.2-r3 allows remote atta ...) {DSA-713-1} - junkbuster (bug #304793) - privoxy CVE-2005-1108 (The ij_untrusted_url function in JunkBuster 2.0.2-r2, with single-thre ...) {DSA-713-1} - junkbuster - privoxy CVE-2005-1107 (McAfee Internet Security Suite 2005 uses insecure default ACLs for ins ...) NOT-FOR-US: McAfee CVE-2005-XXXX [Remote DoS vulnerabilities in postgrey] - postgrey 1.21-1 CVE-2005-1106 (PictureViewer in QuickTime for Windows 6.5.2 allows remote attackers t ...) NOT-FOR-US: Windows CVE-2005-1105 (Directory traversal vulnerability in the MimeBodyPart.getFileName meth ...) - libgnumail-java (bug #304712; unimportant) NOTE: This just provides an Java API function to receive a file name, sanitising NOTE: this file name for further use must be done inside the application calling NOTE: the function CVE-2005-1104 (Multiple cross-site scripting (XSS) vulnerabilities in Centra 7 allow ...) NOT-FOR-US: Centra CVE-2005-1103 (Sygate Security Agent (SSA) in Sygate Secure Enterprise 3.5 through 4. ...) NOT-FOR-US: Sygate Secure Enterprise CVE-2005-1102 (Multiple cross-site scripting (XSS) vulnerabilities in template-functi ...) NOTE: Upstream developers don't consider this an issue, see bug #304468 CVE-2005-1101 (Multiple buffer overflows in Lotus Domino Server 6.0.5 and 6.5.4 allow ...) NOT-FOR-US: Lotus Domino Server CVE-2005-1100 (Format string vulnerability in the ErrorLog function in cnf.c in Greyl ...) - postfix-gld 1.5-1 CVE-2005-1099 (Multiple buffer overflows in the HandleChild function in server.c in G ...) - postfix-gld 1.5-1 CVE-2005-1098 (GetDataBack for NTFS 2.31 stores the username and license key in plain ...) NOT-FOR-US: GetDataBack for NTFS (Windows) CVE-2005-1097 (Rebrand P2P Share Spy 2.2 stores the user password in plaintext in the ...) NOT-FOR-US: Rebrand P2P Share Spy CVE-2005-1096 (SQL injection vulnerability in main.asp for Ocean12 Membership Manager ...) NOT-FOR-US: Ocean12 Membership Manager Pro CVE-2005-1095 (Cross-site scripting (XSS) vulnerability in main.asp for Ocean12 Membe ...) NOT-FOR-US: Ocean12 Membership Manager Pro CVE-2005-1094 (FTP Now 2.6.14 stores usernames and passwords in plaintext in sites.xm ...) NOT-FOR-US: FTP Now CVE-2005-1093 (Buffer overflow in the PopUp Plus 2.0.3.8 plugin for Miranda IM, with ...) NOT-FOR-US: Miranda IM CVE-2005-1092 (Lightspeed DeluxeFTP 6.01 stores usernames and passwords in plaintext ...) NOT-FOR-US: DeluxeFTP CVE-2005-1091 (Maxthon 1.2.0 and 1.2.1 allows remote attackers to bypass the security ...) NOT-FOR-US: Maxthon CVE-2005-1090 (Directory traversal vulnerability in the readFile and writeFile API fo ...) NOT-FOR-US: Maxthon CVE-2005-1089 (Unknown vulnerability in DC++ before 0.674 allows attackers to append ...) NOT-FOR-US: DC++ CVE-2005-1088 (Unknown vulnerability in DameWare NT Utilities 4.8 and earlier, and Mi ...) NOT-FOR-US: DameWare NT Utilities and Mini Remote Control CVE-2005-1087 (CRLF injection vulnerability in the cmdIS.DLL plugin for AN HTTPD Serv ...) NOT-FOR-US: AN HTTPD CVE-2005-1086 (Buffer overflow in the cmdIS.DLL plugin for AN HTTPD Server 1.42n allo ...) NOT-FOR-US: AN HTTPD CVE-2005-1085 (Cross-site scripting (XSS) vulnerability in the control panel in aeDat ...) NOT-FOR-US: aeDating CVE-2005-1084 (SQL injection vulnerability in sdating.php in aeDating 3.2 allows remo ...) NOT-FOR-US: aeDating CVE-2005-1083 (index.php in aeDating 3.2 allows remote attackers to include arbitrary ...) NOT-FOR-US: aeDating CVE-2005-1082 (Multiple SQL injection vulnerabilities in AzDGDatingPlatinum 1.1.0 all ...) NOT-FOR-US: AtDGDatingPlatinum CVE-2005-1081 (Cross-site scripting (XSS) vulnerability in view.php in AzDGDatingPlat ...) NOT-FOR-US: AtDGDatingPlatinum CVE-2005-1080 (Directory traversal vulnerability in the Java Archive Tool (Jar) utili ...) NOT-FOR-US: JAR in J2SE SDK CVE-2005-1079 (SQL injection vulnerability in index.php for zOOm Media Gallery 2.1.2 ...) NOT-FOR-US: zOOm Media Gallery CVE-2005-1078 (XAMPP 1.4.x has multiple default or null passwords, which allows attac ...) NOT-FOR-US: XAMPP Apache distribution specific issue CVE-2005-1077 (Multiple cross-site scripting (XSS) vulnerabilities in XAMPP 1.4.x all ...) NOT-FOR-US: XAMPP Apache distribution specific issue CVE-2005-1076 (Cross-site scripting (XSS) vulnerability in the discussion board funct ...) NOT-FOR-US: WebCT CVE-2005-1075 (Multiple cross-site scripting (XSS) vulnerabilities in RadScripts RadB ...) NOT-FOR-US: RadScripts RadBids Gold CVE-2005-1074 (SQL injection vulnerability in index.php for RadScripts RadBids Gold 2 ...) NOT-FOR-US: RadScripts RadBids Gold CVE-2005-1073 (Directory traversal vulnerability in index.php for RadScripts RadBids ...) NOT-FOR-US: RadScripts RadBids Gold CVE-2005-1072 (Cross-site scripting (XSS) vulnerability in PunBB before 1.2.5 allows ...) NOT-FOR-US: PunBB CVE-2005-1071 (SQL injection vulnerability in banner.inc.php in JPortal Web Portal 2. ...) NOT-FOR-US: JPortal CVE-2005-1070 (SQL injection vulnerability in index.php in Invision Power Board 1.3.1 ...) NOT-FOR-US: Invision Power Board CVE-2005-1069 (Unknown vulnerability in sCssBoard 1.11 and earlier has unknown impact ...) NOT-FOR-US: sCssBoard CVE-2005-1068 (Cross-site scripting (XSS) vulnerability in sCssBoard 1.11 and earlier ...) NOT-FOR-US: sCssBoard CVE-2005-1067 (Vulnerability in Access_user Class before 1.75 allows local users to g ...) NOT-FOR-US: Access_user class CVE-2005-1066 (Race condition in rpdump in Pine 4.62 and earlier allows local users t ...) - pine 4.63-1 (unimportant) - alpine (alpine is based on pine 4.64, this bug was in a previous version of pine) NOTE: Not shipped in the binary package CVE-2005-1065 (tetex in Novell Linux Desktop 9 allows local users to determine the ex ...) - tetex-base (/var/cache/fonts is not writable by normal users in Debian) CVE-2005-1064 (The copy_symlink function in rsnapshot 1.2.0 and 1.1.x before 1.1.7 ch ...) - rsnapshot 1.2.1-1 CVE-2005-1063 (The administration protocol for Kerio WinRoute Firewall 6.x up to 6.0. ...) NOT-FOR-US: Kerio CVE-2005-1062 (The administration protocol for Kerio WinRoute Firewall 6.x up to 6.0. ...) NOT-FOR-US: Kerio CVE-2005-1061 (The secure script in LogWatch before 2.6-2 allows attackers to prevent ...) - logwatch 5.0-1 CVE-2005-1060 (Unknown vulnerability in the TCP/IP functionality (TCPIP.NLM) in Novel ...) NOT-FOR-US: Novell Netware CVE-2005-1059 (Linksys WET11 1.5.4 allows remote attackers to change the password wit ...) NOT-FOR-US: Linksys WET11 CVE-2005-1058 (Cisco IOS 12.2T, 12.3 and 12.3T, when processing an ISAKMP profile tha ...) NOT-FOR-US: Cisco CVE-2005-1057 (Cisco IOS 12.2T, 12.3 and 12.3T, when using Easy VPN Server XAUTH vers ...) NOT-FOR-US: Cisco CVE-2005-1056 (Unknown vulnerability in HP OpenView Network Node Manager (NMM) 6.2 th ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2005-1055 (TowerBlog 0.6 and earlier stores the login data file under the web roo ...) NOT-FOR-US: TowerBlog CVE-2005-1054 (PHP remote file inclusion vulnerability in news.php in ModernBill 4.3. ...) NOT-FOR-US: ModernBill CVE-2005-1053 (Multiple cross-site scripting (XSS) vulnerabilities in orderwiz.php in ...) NOT-FOR-US: ModernBill CVE-2005-1052 (Microsoft Outlook 2003 and Outlook Web Access (OWA) 2003 do not proper ...) NOT-FOR-US: Microsoft CVE-2005-1051 (SQL injection vulnerability in profile.php in PunBB 1.2.4 allows remot ...) NOT-FOR-US: PunBB CVE-2005-1050 (The modload op in the Reviews module for PostNuke 0.760-RC3 allows rem ...) NOT-FOR-US: PostNuke CVE-2005-1049 (Multiple cross-site scripting vulnerabilities in PostNuke 0.760-RC3 al ...) NOT-FOR-US: PostNuke CVE-2005-1048 (SQL injection vulnerability in modules.php in PostNuke 0.760 RC3 allow ...) NOT-FOR-US: PostNuke CVE-2005-1047 (Meilad File upload script (up.php) mod for phpBB 2.0.x does not proper ...) NOT-FOR-US: PunBB CVE-2005-1046 (Buffer overflow in the kimgio library for KDE 3.4.0 allows remote atta ...) {DSA-714-1} - kdelibs 4:3.3.2-6 CVE-2005-1045 (OpenText FirstClass 8.0 client does not properly sanitize strings befo ...) NOT-FOR-US: OpenText CVE-2005-1044 REJECTED CVE-2005-1043 (exif.c in PHP before 4.3.11 allows remote attackers to cause a denial ...) - php4 4:4.3.10-10 (bug #306003) CVE-2005-1042 (Integer overflow in the exif_process_IFD_TAG function in exif.c in PHP ...) - php4 4:4.3.10-10 (bug #306003) CVE-2005-1041 (The fib_seq_start function in fib_hash.c in Linux kernel allows local ...) - linux-2.6 (Fixed before upload into archive; 2.6.11.5) [sarge] - kernel-source-2.6.8 2.6.8-16 - kernel-source-2.4.27 CVE-2005-1040 (Multiple unknown vulnerabilities in netapplet in Novell Linux Desktop ...) - netapplet (Not vulnerable, see bug #310833) CVE-2005-1039 (Race condition in Core Utilities (coreutils) 5.2.1, when (1) mkdir, (2 ...) - coreutils 6.10-1 (bug #304556; unimportant) NOTE: Minor issue, generic UNIX design issue, see discussion in #304556) CVE-2005-1038 (crontab in Vixie cron 4.1, when running with the -e option, allows loc ...) NOTE: long fixed in Debian's cron CVE-2005-1037 (Unknown vulnerability in AIX 5.3.0, when configured as an NIS client, ...) NOT-FOR-US: AIX CVE-2005-1036 (FreeBSD 5.x to 5.4 on AMD64 does not properly initialize the IO permis ...) NOT-FOR-US: FreeBSD CVE-2005-1035 (Multiple buffer overflows in Pavuk before 0.9.32 have unknown attack v ...) - pavuk 0.9.32-1 CVE-2005-1034 (SurgeFTP 2.2m1 allows remote attackers to cause a denial of service (a ...) NOT-FOR-US: SurgeFTP CVE-2005-1033 (CubeCart 2.0.6 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: CubeCart CVE-2005-1032 REJECTED CVE-2005-1031 (RUNCMS 1.1A, and possibly other products based on e-Xoops (exoops), wh ...) NOT-FOR-US: exoops CVE-2005-1030 (Multiple cross-site scripting (XSS) vulnerabilities in Active Auction ...) NOT-FOR-US: Active Auction House CVE-2005-1029 (Multiple SQL injection vulnerabilities in Active Auction House allow r ...) NOT-FOR-US: Active Auction House CVE-2005-1028 (PHP-Nuke 6.x through 7.6 allows remote attackers to obtain sensitive i ...) NOT-FOR-US: PHP-Nuke CVE-2005-1027 (Multiple cross-site scripting (XSS) vulnerabilities in PHP-Nuke 6.x th ...) NOT-FOR-US: PHP-Nuke CVE-2005-1026 (Multiple SQL injection vulnerabilities in SnailSource phpBB 2.0.x mods ...) NOT-FOR-US: SnailSource phpBB mod CVE-2005-1025 (The FTP server in AS/400 4.3, when running in IFS mode, allows remote ...) NOT-FOR-US: IBM CVE-2005-1024 (modules.php in PHP-Nuke 6.x to 7.6 allows remote attackers to obtain s ...) NOT-FOR-US: PHP-Nuke CVE-2005-1023 (Multiple cross-site scripting (XSS) vulnerabilities in PHP-Nuke 6.x to ...) NOT-FOR-US: PHP-Nuke CVE-2005-1022 (ColdFusion 6.1 Updater 1 places Java .class files under the web root i ...) NOT-FOR-US: ColdFusion CVE-2005-1021 (Memory leak in Secure Shell (SSH) in Cisco IOS 12.0 through 12.3, when ...) NOT-FOR-US: IOS CVE-2005-1020 (Secure Shell (SSH) 2 in Cisco IOS 12.0 through 12.3 allows remote atta ...) NOT-FOR-US: IOS CVE-2005-1019 (Buffer overflow in the getConfig function in Aeon 0.2a and earlier all ...) NOT-FOR-US: Aeon CVE-2005-1018 (Buffer overflow in the UniversalAgent for Computer Associates (CA) Bri ...) NOT-FOR-US: CA ArcServe Backup CVE-2005-XXXX [Some security issues in mod_security] NOTE: I don't understand mod_security fully, so I'm not entirely sure which of NOTE: the changelog entries matches the security criteria, but the changelog NOTE: claims so. - libapache-mod-security 1.8.7-1 CVE-2005-XXXX [imms: Arbitrary command execution through inproper filename escaping] NOTE: Already fixed in 2.0.1-3.1, but 2.0.3 claims to have a better fix - imms 2.0.3-1 CVE-2005-XXXX [Variable function calls in Smarty allow bypassing security settings] - smarty 2.6.9-1 CVE-2005-XXXX [Possible problem with insecure usage of sscanf in obexftp client] - obexftp 0.10.7-3 CVE-2005-1017 (SQL injection vulnerability in the Update_Events function in events_fu ...) NOT-FOR-US: MaxWebPortal CVE-2005-1016 (Cross-site scripting (XSS) vulnerability in links_add_form.asp for Max ...) NOT-FOR-US: MaxWebPortal CVE-2005-1015 (Buffer overflow in MailEnable Imapd (MEIMAP.exe) allows remote attacke ...) NOT-FOR-US: MailEnable CVE-2005-1014 (Buffer overflow in the IMAP service for MailEnable Enterprise 1.04 and ...) NOT-FOR-US: MailEnable CVE-2005-1013 (The SMTP service in MailEnable Enterprise 1.04 and earlier and Profess ...) NOT-FOR-US: MailEnable CVE-2005-1012 (Cross-site scripting (XSS) vulnerability in Iatek SiteEnable allows re ...) NOT-FOR-US: SiteEnable CVE-2005-1011 (SQL injection vulnerability in content.asp in SiteEnable allows remote ...) NOT-FOR-US: SiteEnable CVE-2005-1010 (Cross-site scripting (XSS) vulnerability in Comersus Cart 6 allows rem ...) NOT-FOR-US: ComersusCart CVE-2005-1009 (Multiple buffer overflows in BakBone NetVault 6.x and 7.x allow (1) re ...) NOT-FOR-US: NetVault CVE-2005-1008 (Cross-site scripting (XSS) vulnerability in posts.asp for ASP-DEv XM F ...) NOT-FOR-US: XM Forum CVE-2005-1007 (Unknown vulnerability in the LIST functionality in CommuniGate Pro bef ...) NOT-FOR-US: CommuniGate Pro CVE-2005-1006 (Multiple cross-site scripting (XSS) vulnerabilities in SonicWALL SOHO ...) NOT-FOR-US: SonicWALL CVE-2005-1005 (ProfitCode PayProCart 3.0 allows remote attackers to bypass authentica ...) NOT-FOR-US: PayProCart CVE-2005-1004 (Cross-site scripting (XSS) vulnerability in usrdetails.php in ProfitCo ...) NOT-FOR-US: PayProCart CVE-2005-1003 (Directory traversal vulnerability in index.php for ProfitCode PayProCa ...) NOT-FOR-US: PayProCart CVE-2005-1002 (logwebftbs2000.exe in Logics Software File Transfer (LOG-FT) allows re ...) NOT-FOR-US: LOG-FT File Transfer CVE-2005-1001 (PHP-Nuke 7.6 allows remote attackers to obtain sensitive information v ...) NOT-FOR-US: PHP-Nuke CVE-2005-1000 (Multiple cross-site scripting (XSS) vulnerabilities in PHP-Nuke 7.6 al ...) NOT-FOR-US: PHP-Nuke CVE-2005-0999 (SQL injection vulnerability in the Top module for PHP-Nuke 6.x through ...) NOT-FOR-US: PHP-Nuke CVE-2005-0998 (The Web_Links module for PHP-Nuke 7.6 allows remote attackers to obtai ...) NOT-FOR-US: PHP-Nuke CVE-2005-0997 (Multiple SQL injection vulnerabilities in the Web_Links module for PHP ...) NOT-FOR-US: PHP-Nuke CVE-2005-0996 (Multiple SQL injection vulnerabilities in the Downloads module for PHP ...) NOT-FOR-US: PHP-Nuke CVE-2005-0995 (Multiple cross-site scripting (XSS) vulnerabilities in ProductCart 2.7 ...) NOT-FOR-US: ProductCart CVE-2005-0994 (Multiple SQL injection vulnerabilities in ProductCart 2.7 allow remote ...) NOT-FOR-US: ProductCart CVE-2005-0993 (Buffer overflow in nwprint in SCO OpenServer 5.0.7 allows local users ...) NOT-FOR-US: SCO CVE-2005-0992 (Cross-site scripting (XSS) vulnerability in index.php in phpMyAdmin be ...) - phpmyadmin 3:2.6.2-rc1-1 NOTE: https://www.phpmyadmin.net/security/PMASA-2005-3/ CVE-2005-0991 (RC.BOOT in IBM AIX 5.1, 5.2, and 5.3 does not "use a secure location f ...) NOT-FOR-US: AIX CVE-2005-0990 (unshar (unshar.c) in sharutils 4.2.1 allows local users to overwrite a ...) - sharutils 1:4.2.1-13 CVE-2005-0989 (The find_replen function in jsstr.c in the Javascript engine for Mozil ...) {DSA-781-1} - mozilla 2:1.7.7-1 (bug #306001) - mozilla-firefox 1.0.2-3 - mozilla-thunderbird 1.0.6-1 (bug #318728; medium) CVE-2005-0988 (Race condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a ...) {DSA-752-1} - gzip 1.3.5-10 CVE-2005-0987 (Unknown vulnerability in IRC Services NickServ LISTLINKS before 5.0.50 ...) NOT-FOR-US: IRC Services NickServ CVE-2005-0986 (NLSCCSTR.DLL in the web service in IBM Lotus Domino Server 6.5.1, 6.0. ...) NOT-FOR-US: Lotus Domino CVE-2005-0985 (Unspecified vulnerability in the Mac OS X kernel before 10.3.8 allows ...) NOT-FOR-US: Apple CVE-2005-0984 (Buffer overflow in the G_Printf function in Star Wars Jedi Knight: Jed ...) NOT-FOR-US: Star Wars game CVE-2005-0983 (Quake 3 engine, as used in multiple games, allows remote attackers to ...) NOT-FOR-US: Quake 3 based games CVE-2005-0982 (Multiple cross-site scripting (XSS) vulnerabilities in Yet Another For ...) NOT-FOR-US: Yet Another Forum.net CVE-2005-0981 (Multiple cross-site scripting (XSS) vulnerabilities in AlstraSoft EPay ...) NOT-FOR-US: Alstrasoft EPay CVE-2005-0980 (PHP remote file inclusion vulnerability in index.php in AlstraSoft EPa ...) NOT-FOR-US: Alstrasoft EPay CVE-2005-0979 (Multiple buffer overflows in RUMBA 7.3 and earlier allow remote attack ...) NOT-FOR-US: Rumba CVE-2005-0978 (Directory traversal vulnerability in the Object Push service in IVT Bl ...) NOT-FOR-US: IVT BlueSoleil CVE-2005-0977 (The shmem_nopage function in shmem.c for the tmpfs driver in Linux ker ...) [sarge] - kernel-source-2.6.8 2.6.8-16 (bug #303177) - linux-2.6 (Fixed before upload into archive) CVE-2005-0976 (AppleWebKit (WebCore and WebKit), as used in multiple products such as ...) NOT-FOR-US: Apple CVE-2005-0975 (Integer signedness error in the parse_machfile function in the mach-o ...) NOT-FOR-US: Apple CVE-2005-0974 (Unknown vulnerability in the nfs_mount call in Mac OS X 10.3.9 and ear ...) NOT-FOR-US: Apple CVE-2005-0973 (Unknown vulnerability in the setsockopt system call in Mac OS X 10.3.9 ...) NOT-FOR-US: Apple CVE-2005-0972 (Integer overflow in the searchfs system call in Mac OS X 10.3.9 and ea ...) NOT-FOR-US: Apple CVE-2005-0971 (Stack-based buffer overflow in the semop system call in Mac OS X 10.3. ...) NOT-FOR-US: Apple CVE-2005-0970 (Mac OS X 10.3.9 and earlier allows users to install, create, and execu ...) NOT-FOR-US: Apple CVE-2005-0969 (Heap-based buffer overflow in the syscall emulation functionality in M ...) NOT-FOR-US: Apple CVE-2005-0968 (Computer Associates (CA) eTrust Intrusion Detection 3.0 allows remote ...) NOT-FOR-US: CA eTrust IDS CVE-2005-0967 (Gaim 1.2.0 allows remote attackers to cause a denial of service (appli ...) - gaim 1:1.2.1-1 CVE-2005-XXXX [Insecure tempfile handling in openwebmail CGI scripts] - openwebmail CVE-2005-0966 (The IRC protocol plugin in Gaim 1.2.0, and possibly earlier versions, ...) - gaim 1:1.2.1-1 (bug #303581) CVE-2005-0965 (The gaim_markup_strip_html function in Gaim 1.2.0, and possibly earlie ...) - gaim 1:1.2.1-1 (bug #303581) CVE-2005-0964 (Unknown vulnerability in Kerio Personal Firewall 4.1.2 and earlier all ...) NOT-FOR-US: Kerio firewall CVE-2005-0963 (An error in the Toshiba ACPI BIOS 1.6 causes the BIOS to only examine ...) NOT-FOR-US: ACPI BIOS hardware issue CVE-2005-0962 (SQL injection vulnerability in index.php for Lighthouse Squirrelcart a ...) NOT-FOR-US: SquirrelCart CVE-2005-0961 (Cross-site scripting (XSS) vulnerability in Horde 3.0.4 before 3.0.4-R ...) - horde3 3.0.4-1 - horde2 2.2.8-1 CVE-2005-0960 (Multiple vulnerabilities in the SACK functionality in (1) tcp_input.c ...) NOT-FOR-US: OpenBSD CVE-2005-0959 (Buffer overflow in the mt_do_dir function in YepYep mtftpd 0.0.3 may a ...) NOT-FOR-US: YepYep mtftpd CVE-2005-0958 (Format string vulnerability in the log_do function in log.c for YepYep ...) NOT-FOR-US: YepYep mtftpd CVE-2005-0957 (Bay Technical Associates RPC-3 Telnet Host 3.05 allows remote attacker ...) NOT-FOR-US: BayTech RPC CVE-2005-0956 (Multiple SQL injection vulnerabilities in index.php in InterAKT MX Kar ...) NOT-FOR-US: InterAKT MX Kart CVE-2005-0955 (SQL injection vulnerability in InterAKT MX Shop 1.1.1 allows remote at ...) NOT-FOR-US: InterAKT MX Shop CVE-2005-0954 (Windows Explorer and Internet Explorer in Windows 2000 SP1 allows remo ...) NOT-FOR-US: Windows CVE-2005-0953 (Race condition in bzip2 1.0.2 and earlier allows local users to modify ...) {DSA-730-1} - bzip2 1.0.2-6 NOTE: This "vulnerability" is only exploitable under rarest circumstances: A (local) NOTE: attacker would have to exploit the minimal time span between uncompressing NOTE: the file and chmodding it to delete the file and place a hardlink to another NOTE: file of the "attacked" user. Additionally the attacker needs write permissions NOTE: to the directory where the file is being uncompressed, ruling out /~ etc. CVE-2005-0952 (Cross-site scripting vulnerability in pafiledb.php in PaFileDB 3.1 all ...) NOT-FOR-US: PafileDB CVE-2005-0951 REJECTED CVE-2005-0950 (Directory traversal vulnerability in FastStone 4in1 Browser 1.2 allows ...) NOT-FOR-US: FastStone 4in1 Browser CVE-2005-0949 (Multiple cross-site scripting (XSS) vulnerabilities in content.asp in ...) NOT-FOR-US: PortalApp CVE-2005-0948 (SQL injection vulnerability in ad_click.asp for PortalApp allows remot ...) NOT-FOR-US: PortalApp CVE-2005-0947 (Directory traversal vulnerability in auxpage.php in phpCoin 1.2.1b and ...) NOT-FOR-US: phpCoin CVE-2005-0946 (SQL injection vulnerability in phpCoin 1.2.1b and earlier allows remot ...) NOT-FOR-US: phpCoin CVE-2005-0945 (Cross-site scripting (XSS) vulnerability in ACS Blog 1.1.1 allows remo ...) NOT-FOR-US: ACS Blog CVE-2005-0944 (Unknown vulnerability in Microsoft Jet DB engine (msjet40.dll) 4.00.86 ...) NOT-FOR-US: Microsoft CVE-2005-0943 (Cisco VPN 3000 series Concentrator running firmware 4.1.7.A and earlie ...) NOT-FOR-US: Cisco CVE-2005-0942 (The XP Server process (xp_server) in Sybase Adaptive Server Enterprise ...) NOT-FOR-US: Sybase ASE CVE-2005-0941 (The StgCompObjStream::Load function in OpenOffice.org OpenOffice 1.1.4 ...) - openoffice.org 1.1.3-9 CVE-2005-0939 RESERVED CVE-2005-0938 (Ublog Reload 1.0 through 1.0.4 stores ublogreload.mdb under the web ro ...) NOT-FOR-US: UBlog CVE-2005-0937 (Some futex functions in futex.c for Linux kernel 2.6.x perform get_use ...) - kernel-source-2.6.8 2.6.8-16 CVE-2005-XXXX [Several DoS possibilities of clients against the server in Freeciv] - freeciv 2.0.1-1 CVE-2005-XXXX [mailscanner: lock/pid file location symlink attack] - mailscanner 4.40.11-1 CVE-2005-XXXX [KDE Kopete ICQ remote DoS] - kdenetwork 4:3.3.2-2 CVE-2005-0936 (Cross-site scripting vulnerability in products1h.php in ESMI PayPal St ...) NOT-FOR-US: ESMI PayPal Storefront CVE-2005-0935 (Multiple SQL injection vulnerabilities in ESMI PayPal Storefront allow ...) NOT-FOR-US: ESMI PayPal Storefront CVE-2005-0934 (Multiple cross-site scripting (XSS) vulnerabilities in WackoWiki R4 al ...) NOT-FOR-US: WackoWiki CVE-2005-0933 (Directory traversal vulnerability in auxpage.php for phpCOIN 1.2.1b an ...) NOT-FOR-US: phpCOIN CVE-2005-0932 (Multiple SQL injection vulnerabilities in phpCOIN 1.2.1b and earlier a ...) NOT-FOR-US: phpCOIN CVE-2005-0931 (PHP remote file inclusion vulnerability in The Includer 1.0 and 1.1 al ...) NOT-FOR-US: The Includer CVE-2005-0930 (Cross-site scripting (XSS) vulnerability in message.php in Chatness 2. ...) NOT-FOR-US: Chatness CVE-2005-0929 (SQL injection vulnerability in PhotoPost PHP Pro 5.x may allow remote ...) NOT-FOR-US: PhotoPost PHP Pro CVE-2005-0928 (Multiple cross-site scripting (XSS) vulnerabilities in PhotoPost PHP P ...) NOT-FOR-US: PhotoPost PHP Pro CVE-2005-0927 (Unknown vulnerability in subs.pl for WebAPP 0.9.9 through 0.9.9.2 has ...) NOT-FOR-US: WebAPP CVE-2005-0926 (Buffer overflow in Sylpheed before 1.0.4 allows remote attackers to ca ...) - sylpheed 1.0.4-1 - sylpheed-claws 1.0.4-1 CVE-2005-0925 (Cross-site scripting (XSS) vulnerability in login.asp for Ublog Reload ...) NOT-FOR-US: Uapplication Ublog CVE-2005-0924 (Cross-site scripting (XSS) vulnerability in Adventia E-Data 2.0 allows ...) NOT-FOR-US: Adventia E-Data CVE-2005-0923 (The SmartScan feature in the Auto-Protect module for Symantec Norton A ...) NOT-FOR-US: Norton AntiVirus CVE-2005-0922 (Unknown vulnerability in the Auto-Protect module in Symantec Norton An ...) NOT-FOR-US: Norton AntiVirus CVE-2005-0921 (Microsoft Outlook 2002 Connector for IBM Lotus Domino 2.0 allows local ...) NOT-FOR-US: Lotus CVE-2005-0920 (Multiple SQL injection vulnerabilities in Bugtracker.NET 2.0.1 allow r ...) NOT-FOR-US: Bugtracker.NET CVE-2005-0919 (Adventia Chat 3.1 and Server Pro 3.0 allows remote attackers to inject ...) NOT-FOR-US: Adventia E-Data CVE-2005-0918 (The NPSVG3.dll ActiveX control for Adobe SVG Viewer 3.02 and earlier, ...) NOT-FOR-US: Adobe SVG Viewer CVE-2005-0917 (PHP remote file inclusion vulnerability in index_header.php for Encaps ...) NOT-FOR-US: EncapsBB CVE-2005-0916 (AIO in the Linux kernel 2.6.11 on the PPC64 or IA64 architectures with ...) - kernel-source-2.6.8 2.6.8-16 - kernel-source-2.4.27 - linux-2.6 (Fixed before upload into archive) CVE-2005-0915 (Webmasters-Debutants WD Guestbook 2.8 allows remote attackers to bypas ...) NOT-FOR-US: Webmasters-Debutants WD Guestbook CVE-2005-0914 (Multiple cross-site scripting (XSS) vulnerabilities in CPG Dragonfly 9 ...) NOT-FOR-US: CPG Dragonfly CVE-2005-0913 (Unknown vulnerability in the regex_replace modifier (modifier.regex_re ...) - smarty 2.6.8-1 CVE-2005-0912 (Unknown vulnerabilities in deplate before 0.7.2 have unknown impact, p ...) NOT-FOR-US: deplate CVE-2005-0911 (Multiple SQL injection vulnerabilities in exoops may allow remote atta ...) NOT-FOR-US: exoops CVE-2005-0910 (Multiple cross-site scripting (XSS) vulnerabilities in exoops allow re ...) NOT-FOR-US: exoops CVE-2005-0909 (PHP remote file inclusion vulnerability in shoutact.php for TKai's Sho ...) NOT-FOR-US: THai's Shoutbox CVE-2005-0908 (Multiple cross-site scripting (XSS) vulnerabilities in Valdersoft Shop ...) NOT-FOR-US: Valdersoft Shopping Cart CVE-2005-0907 (Multiple SQL injection vulnerabilities in Valdersoft Shopping Cart 3.0 ...) NOT-FOR-US: Valdersoft Shopping Cart CVE-2005-0906 (Buffer overflow in a player logging function in the Tincat network lib ...) NOT-FOR-US: Tincat network library CVE-2005-0905 (Maxthon 1.2.0 allows remote malicious web sites to obtain potentially ...) NOT-FOR-US: Maxthon CVE-2005-0904 (Remote Desktop in Windows XP SP1 does not verify the "Force shutdown f ...) NOT-FOR-US: Microsoft CVE-2005-0903 (Buffer overflow in QuickTime PictureViewer 6.5.1 allows remote attacke ...) NOT-FOR-US: QuickTime PictureViewer CVE-2005-0902 (SQL injection vulnerability in marks.php in NukeBookmarks 0.6 for PHP- ...) NOT-FOR-US: NukeBookmarks for php-nuke CVE-2005-0901 (Multiple cross-site scripting (XSS) vulnerabilities in NukeBookmarks 0 ...) NOT-FOR-US: NukeBookmarks for php-nuke CVE-2005-0900 (marks.php in NukeBookmarks 0.6 for PHP-Nuke allows remote attackers to ...) NOT-FOR-US: NukeBookmarks for php-nuke CVE-2005-0899 (AS/400 running OS400 5.2 installs and enables LDAP by default, which a ...) NOT-FOR-US: AS/400 running OS400 CVE-2005-0898 (Cross-site scripting (XSS) vulnerability in downloadform.php in E-Stor ...) NOT-FOR-US: E-Store Kit-2 PayPal Edition CVE-2005-0897 (PHP remote file inclusion vulnerability in catalog.php in E-Store Kit- ...) NOT-FOR-US: E-Store Kit-2 PayPal Edition CVE-2005-0896 (Multiple cross-site scripting (XSS) vulnerabilities in review.php in p ...) NOT-FOR-US: phpMyDirectory CVE-2005-0895 (Netcomm 1300NB DSL Modem allows remote attackers to cause a denial of ...) NOT-FOR-US: Netcomm 1300NB DSL Modem CVE-2005-0894 (OpenmosixCollector and OpenMosixView in OpenMosixView 1.5 allow local ...) - openmosixview 1.5-7 CVE-2005-0893 (modes.c in smail 3.2.0.120 implements signal handlers with certain uns ...) - smail (bug #335042; unimportant) NOTE: cording to upstream impossible to exploit CVE-2005-0892 (Buffer overflow in smail 3.2.0.120 allows remote attackers or local us ...) {DSA-722-1} - smail 3.2.0.115-7 (bug #301428; high) CVE-2005-0891 (Double free vulnerability in gtk 2 (gtk2) before 2.2.4 allows remote a ...) NOTE: The description is wrong; 2.6 is affected as well - gtk+2.0 2.6.4-1 - gdk-pixbuf 0.22.0-7.1 CVE-2004-1773 (Multiple buffer overflows in sharutils 4.2.1 and earlier may allow att ...) - sharutils 1:4.2.1-12 CVE-2004-1772 (Stack-based buffer overflow in shar in GNU sharutils 4.2.1 allows loca ...) - sharutils 1:4.2.1-11 CVE-2002-1656 (X-News (x_news) 1.1 and earlier allows attackers to authenticate as ot ...) NOT-FOR-US: X-News CVE-2002-1655 (The Web Publishing feature in Netscape Enterprise Server 3.x and iPlan ...) NOT-FOR-US: Netscape Enterprise Server CVE-2002-1654 (iPlanet Web Server Enterprise Edition and Netscape Enterprise Server 4 ...) NOT-FOR-US: iPlanet Web Server Enterprise Edition and Netscape Enterprise Server CVE-2002-1653 (Farm9 Cryptcat, when started in server mode with the -e option, does n ...) - cryptcat 20031202-2 NOTE: don't know when it was fixed, verified above version is ok CVE-2002-1652 (Buffer overflow in cgicso.c for cgiemail 1.6 allows remote attackers t ...) - cgiemail 1.6-14 CVE-2002-1651 (Cross-site scripting (XSS) vulnerability in Verity Search97 allows rem ...) NOT-FOR-US: Verity Search97 CVE-2002-1650 (The spell checker plugin (check_me.mod.php) for SquirrelMail before 1. ...) - squirrelmail 1:1.2.3 CVE-2002-1649 (Cross-site scripting (XSS) vulnerability in read_body.php in SquirrelM ...) - squirrelmail 1:1.2.3 CVE-2002-1648 (Cross-site request forgery (CSRF) vulnerability in compose.php in Squi ...) - squirrelmail 1:1.2.3 CVE-2002-1647 (The quick login feature in Slash Slashcode does not redirect the user ...) - slash 2.2.6-8 (bug #160579; low) [sarge] - slash (Minor security implications) CVE-2002-1646 (SSH Secure Shell for Servers 3.0.0 to 3.1.1 allows remote attackers to ...) NOT-FOR-US: commercial ssh CVE-2002-1645 (Buffer overflow in the URL catcher feature for SSH Secure Shell for Wo ...) NOT-FOR-US: commercial ssh CVE-2002-1644 (SSH Secure Shell for Servers and SSH Secure Shell for Workstations 2.0 ...) NOT-FOR-US: commercial ssh CVE-2002-1643 (Multiple buffer overflows in RealNetworks Helix Universal Server 9.0 ( ...) NOT-FOR-US: RealNetworks Helix Universal Server CVE-2002-1642 (PostgreSQL 7.2.1 and 7.2.2 allows local users to delete transaction lo ...) - postgresql 7.2.3 CVE-2002-1641 (Multiple buffer overflows in Oracle Web Cache for Oracle 9i Applicatio ...) NOT-FOR-US: Oracle CVE-2002-1640 (Multiple cross-site scripting (XSS) vulnerabilities in Oracle Configur ...) NOT-FOR-US: Oracle CVE-2002-1639 (Oracle Configurator before 11.5.7.17.32 and 11.5.6.16.53 allows remote ...) NOT-FOR-US: Oracle CVE-2002-1638 REJECTED CVE-2002-1637 (Multiple components in Oracle 9i Application Server (9iAS) are install ...) NOT-FOR-US: Oracle CVE-2002-1636 (Cross-site scripting (XSS) vulnerability in the htp PL/SQL package for ...) NOT-FOR-US: Oracle CVE-2002-1635 (The Apache configuration file (httpd.conf) in Oracle 9i Application Se ...) NOT-FOR-US: Oracle CVE-2002-1634 (Novell NetWare 5.1 installs sample applications that allow remote atta ...) NOT-FOR-US: NetWare CVE-2002-1633 (Multiple buffer overflows in QNX 4.25 may allow local users to execute ...) NOT-FOR-US: QNX CVE-2002-1632 (Oracle 9i Application Server (9iAS) installs multiple sample pages tha ...) NOT-FOR-US: Oracle CVE-2002-1631 (SQL injection vulnerability in the query.xsql sample page in Oracle 9i ...) NOT-FOR-US: Oracle CVE-2002-1630 (The sendmail.jsp sample page in Oracle 9i Application Server (9iAS) al ...) NOT-FOR-US: Oracle CVE-2002-1629 (Multi-Tech ProxyServer products MTPSR1-100, MTPSR1-120, MTPSR1-202ST, ...) NOT-FOR-US: Multi-Tech ProxyServer CVE-2005-0890 (SQL injection vulnerability in Dream4 Koobi CMS 4.2.3 allows remote at ...) NOT-FOR-US: Dream4 Koobi CMS CVE-2005-0889 (Cross-site scripting (XSS) vulnerability in index.php for Dream4 Koobi ...) NOT-FOR-US: Dream4 Koobi CMS CVE-2005-0888 (Multiple cross-site scripting (XSS) vulnerabilities in functions.inc.p ...) - dcl (Vulnerable code not present, affected dcl "Double Choco Latte") NOTE: Until 2008 src:dcl was for the source for "Double Choco Latte". On NOTE: 2017-08-30 an unrelated source took over the source package name dcl. NOTE: Original issue fixed in dcl/1:0.9.4.4-1 CVE-2005-0887 (Eval injection vulnerability in Double Choco Latte before 0.9.4.3 allo ...) - dcl (Vulnerable code not present, affected dcl "Double Choco Latte") NOTE: Until 2008 src:dcl was for the source for "Double Choco Latte". On NOTE: 2017-08-30 an unrelated source took over the source package name dcl. NOTE: Original issue fixed in dcl/1:0.9.4.4-1 CVE-2005-0886 (Cross-site scripting (XSS) vulnerability in Invision Power Board 2.0.2 ...) NOT-FOR-US: Invision Power Board CVE-2005-0885 (Multiple cross-site scripting (XSS) vulnerabilities in XMB Forum 1.9.1 ...) NOT-FOR-US: XMB Forum CVE-2005-0884 (DigitalHive 2.0 allows remote attackers to re-install the product by d ...) NOT-FOR-US: DigitalHive CVE-2005-0883 (Multiple cross-site scripting (XSS) vulnerabilities in base.php for Di ...) NOT-FOR-US: DigitalHive CVE-2005-0882 (SQL injection vulnerability in admincore.php in BirdBlog before 1.2.0 ...) NOT-FOR-US: BirdBlog CVE-2005-0881 (Cross-site scripting (XSS) vulnerability in articles.newcomment for In ...) NOT-FOR-US: Interspire ArticleLive CVE-2005-0880 (content.php in Vortex Portal allows remote attackers to obtain sensiti ...) NOT-FOR-US: Vortex Portal CVE-2005-0879 (PHP remote file include vulnerability in (1) content.php and (2) index ...) NOT-FOR-US: Vortex Portal CVE-2005-0878 (Cross-site scripting (XSS) vulnerability in MercuryBoard before 1.1.3 ...) NOT-FOR-US: MercuryBoard CVE-2005-0877 (Dnsmasq before 2.21 allows remote attackers to poison the DNS cache vi ...) - dnsmasq 2.21 CVE-2005-0876 (Off-by-one buffer overflow in Dnsmasq before 2.21 may allow attackers ...) - dnsmasq 2.21 CVE-2005-0875 (Multiple buffer overflows in the Yahoo plug-in for Trillian 2.0, 3.0, ...) NOT-FOR-US: Cerulean Trillian CVE-2005-0874 (Multiple buffer overflows in the (1) AIM, (2) MSN, (3) RSS, and other ...) NOT-FOR-US: Cerulean Trillian CVE-2005-0873 (Multiple cross-site scripting (XSS) vulnerabilities in test.jsp in Ora ...) NOT-FOR-US: Oracle CVE-2005-0872 (Cross-site scripting (XSS) vulnerability in calendar_scheduler.php in ...) NOT-FOR-US: Topic Calendar phpbb2 plugin CVE-2005-0871 (calendar_scheduler.php in Topic Calendar 1.0.1 module for phpBB, when ...) NOT-FOR-US: Topic Calendar phpbb2 plugin CVE-2005-0870 (Multiple cross-site scripting (XSS) vulnerabilities in phpSysInfo 2.3, ...) {DSA-899-1 DSA-898-1 DSA-897-1 DSA-724-1} NOTE: Fix in phpsysinfo 2.3-3 was apparently incomplete. - phpsysinfo 2.3-7 - egroupware 1.0.0.009.dfsg-3-3 - phpgroupware 0.9.16.008-2 CVE-2005-0869 (phpSysInfo 2.3 allows remote attackers to obtain sensitive information ...) - phpsysinfo 2.3-3 (bug #301118; unimportant) CVE-2005-0868 (AS/400 Telnet 5250 terminal emulation clients, as implemented by (1) I ...) - tn5250 (cannot find STRPCO or STRPCCMD in tn5250) CVE-2005-0867 (Integer overflow in Linux kernel 2.6 allows local users to overwrite k ...) - kernel-source-2.4.27 (kernel 2.4 doesn't have sysfs) - linux-2.6 (Fixed before upload into archive) [sarge] - kernel-source-2.6.8 (Not vulnerable, see #306137) CVE-2005-0866 (cdrecord before 4:2.0, when DEBUG is enabled, allows local users to ov ...) - cdrtools 4:2.01+01a01-4 (bug #291376; low) [sarge] - cdrtools (Only exploitable in rare debugging mode) [woody] - cdrtools (Only exploitable in rare debugging mode) CVE-2004-1771 (Scalable OGo (SOGo) 1.0 allows remote authenticated users to bypass in ...) NOT-FOR-US: Scalable OGo (SOGo) CVE-2002-1628 (Directory traversal vulnerability in vote.cgi for Mike Spice Mike's Vo ...) NOT-FOR-US: Mike Spice Mike's Vote CGI CVE-2002-1627 (Directory traversal vulnerability in quiz.cgi for Mike Spice Quiz Me! ...) NOT-FOR-US: Mike Spice Quiz CGI CVE-2002-1626 (Directory traversal vulnerability in Mike Spice My Calendar before 1.5 ...) NOT-FOR-US: Mike Spice My Calendar CVE-2002-1625 (Macromedia Flash Player 6 does not terminate connections when the user ...) - flashplugin-nonfree 6.0.61.0-1 CVE-2002-1624 (Buffer overflow in Lotus Domino web server before R5.0.10, when loggin ...) NOT-FOR-US: Lotus Domino CVE-2002-1623 (The design of the Internet Key Exchange (IKE) protocol, when using Agg ...) NOT-FOR-US: General protocol flaw, cannot be fixed CVE-2002-1622 (Buffer overflow in certain RPC routines in IBM AIX 4.3 may allow attac ...) NOT-FOR-US: AIX CVE-2002-1621 (Buffer overflow in the file_comp function in rcp for IBM AIX 4.3.x and ...) NOT-FOR-US: AIX CVE-2002-1620 (Unknown vulnerability in IBM AIX Parallel Systems Support Programs (PS ...) NOT-FOR-US: AIX CVE-2002-1619 (Buffer overflow in the FC client for IBM AIX 4.3.x allows remote attac ...) NOT-FOR-US: AIX CVE-2005-0865 (Samsung ADSL Modem SMDK8947v1.2 uses default passwords for the (1) roo ...) NOT-FOR-US: Samsung ADSL modems CVE-2005-0864 (The Boa web server, as used in Samsung ADSL Modem SMDK8947v1.2 and pos ...) NOT-FOR-US: Samsung ASDL modems, Debian's boa has been fixed years ago CVE-2005-0863 (Cross-site scripting (XSS) vulnerability in PHPOpenChat v3.x allows re ...) NOT-FOR-US: PHPOpenChat CVE-2005-0862 (Multiple PHP remote file inclusion vulnerabilities in PHPOpenChat 3.0. ...) NOT-FOR-US: PHPOpenChat CVE-2005-0861 (Multiple buffer overflows in DeleGate before 8.11.1 may allow attacker ...) NOT-FOR-US: Delegate CVE-2005-0860 (PHP remote file inclusion vulnerability in TRG News Script 3.0 allows ...) NOT-FOR-US: TRG News Script CVE-2005-0859 (PHP remote file inclusion vulnerability in CzarNews 1.13b allows remot ...) NOT-FOR-US: CzarNews CVE-2005-0858 (Multiple SQL injection vulnerabilities in CoolForum 0.8 and earlier al ...) NOT-FOR-US: CoolForum CVE-2005-0857 (Cross-site scripting (XSS) vulnerability in avatar.php for CoolForum 0 ...) NOT-FOR-US: CoolForum CVE-2005-0856 (CoolForum 0.8.1 beta and earlier allows remote attackers to manipulate ...) NOT-FOR-US: CoolForum CVE-2005-0855 (CoolForum 0.8.1 beta and earlier allows remote attackers to obtain sen ...) NOT-FOR-US: CoolForum CVE-2005-0854 (betaparticle blog (bp blog), posisbly before version 4, allows remote ...) NOT-FOR-US: betaparticle blog CVE-2005-0853 (betaparticle blog (bp blog) stores the database under the web root, wh ...) NOT-FOR-US: betaparticle blog CVE-2005-0852 (Microsoft Windows XP SP1 allows local users to cause a denial of servi ...) NOT-FOR-US: Microsoft Windows CVE-2005-0851 (FileZilla FTP server before 0.9.6, when using MODE Z (zlib compression ...) NOT-FOR-US: FileZilla FTP server CVE-2005-0850 (FileZilla FTP server before 0.9.6 allows remote attackers to cause a d ...) NOT-FOR-US: FileZilla FTP server CVE-2005-0849 (Multiple games developed by FUN labs, including 4X4 Off-road Adventure ...) NOT-FOR-US: Multiple commercial games by FUN Labs CVE-2005-0848 (Multiple games developed by FUN labs, including 4X4 Off-road Adventure ...) NOT-FOR-US: Multiple commercial games by FUN Labs CVE-2005-0847 (Code Ocean FTP server 1.0 allows remote attackers to cause a denial of ...) NOT-FOR-US: Code Ocean FTP Server CVE-2002-1618 (JFS (JFS3.1 and OnlineJFS) in HP-UX 10.20, 11.00, and 11.04 does not p ...) NOT-FOR-US: HP-UX CVE-2002-1617 (Multiple buffer overflows in HP Tru64 UNIX 5.x allow local users to ex ...) NOT-FOR-US: HP Tru64 UNIX CVE-2002-1616 (Multiple buffer overflows in HP Tru64 UNIX 5.1a, 5.1, 5.0a, 4.0g, and ...) NOT-FOR-US: HP Tru64 UNIX CVE-2002-1615 (Multiple buffer overflows in HP Tru64 UNIX 5.1a, 5.1, 5.0a, 4.0g, and ...) NOT-FOR-US: HP Tru64 UNIX CVE-2002-1614 (Buffer overflow in HP Tru64 UNIX allows local users to execute arbitra ...) NOT-FOR-US: HP Tru64 UNIX CVE-2002-1613 (Buffer overflow in ps in HP Tru64 UNIX 5.1a, 5.1, 5.0a, 4.0g, and 4.0f ...) NOT-FOR-US: HP Tru64 UNIX CVE-2002-1612 (Buffer overflow in mailcv in HP Tru64 UNIX 5.1a, 5.1, 5.0a, 4.0g, and ...) NOT-FOR-US: HP Tru64 UNIX CVE-2002-1611 (Buffer overflow in quot in HP Tru64 UNIX 5.1a, 5.1, 5.0a, 4.0g, and 4. ...) NOT-FOR-US: HP Tru64 UNIX CVE-2002-1610 (Unknown vulnerability in ping in HP Tru64 UNIX 5.1a, 5.1, 5.0a, 4.0g, ...) NOT-FOR-US: HP Tru64 UNIX CVE-2002-1609 (Buffer overflow in binmail in HP Tru64 UNIX 5.1a, 5.1, 5.0a, 4.0g, and ...) NOT-FOR-US: HP Tru64 UNIX CVE-2002-1608 (Buffer overflow in traceroute in HP Tru64 UNIX 5.1a, 5.1, 5.0a, 4.0g, ...) NOT-FOR-US: HP Tru64 UNIX CVE-2002-1607 (Buffer overflow in ypmatch in HP Tru64 UNIX 5.1a, 5.1, 5.0a, 4.0g, and ...) NOT-FOR-US: HP Tru64 UNIX CVE-2002-1606 (Multiple buffer overflows in HP Tru64 UNIX 5.1a, 5.1, 5.0a, 4.0g, and ...) NOT-FOR-US: HP Tru64 UNIX CVE-2002-1605 (Buffer overflow in HP Tru64 UNIX 5.1a, 5.1, 5.0a, 4.0g, and 4.0f allow ...) NOT-FOR-US: HP Tru64 UNIX CVE-2002-1604 (Multiple buffer overflows in HP Tru64 UNIX allow local and possibly re ...) NOT-FOR-US: HP Tru64 UNIX CVE-2002-1603 (GoAhead Web Server 2.1.7 and earlier allows remote attackers to obtain ...) NOT-FOR-US: GoAhead Web Server CVE-2002-1602 (Buffer overflow in the Braille module for GNU screen 3.9.11, when HAVE ...) - screen (HAVE_BRAILLE not set in binary build) CVE-2005-0846 (Multiple cross-site scripting (XSS) vulnerabilities in the email auto- ...) NOT-FOR-US: SurgeMail CVE-2005-0845 (Directory traversal vulnerability in the Webmail interface in SurgeMai ...) NOT-FOR-US: SurgeMail CVE-2005-0844 (Nortel VPN client 5.01 stores the cleartext password in the memory of ...) NOT-FOR-US: Nortel Contivity CVE-2005-0843 (CRLF injection vulnerability in search.php in Phorum 5.0.14a allows re ...) NOT-FOR-US: Phorum CVE-2005-0842 (Cross-site scripting (XSS) vulnerability in index.php in Kayako eSuppo ...) NOT-FOR-US: Kayako eSupport CVE-2005-0841 (SQL injection vulnerability in (1) people.php, (2) track.php, (3) edit ...) NOT-FOR-US: phpmyfamily CVE-2005-0840 REJECTED CVE-2005-0839 (Linux kernel 2.6 before 2.6.11 does not restrict access to the N_MOUSE ...) - linux-2.6 (Fixed before upload into archive; 2.6.11) [sarge] - kernel-source-2.6.8 2.6.8-16 CVE-2005-0838 (Multiple buffer overflows in the XSL parser for IceCast 2.20 may allow ...) - icecast2 (bug #301368; unimportant) NOTE: According to upstream a non-issue CVE-2005-0837 (IceCast 2.20 allows remote attackers to bypass the XSL parser and obta ...) - icecast2 (bug #301368; unimportant) NOTE: According to upstream a non-issue CVE-2005-0836 (Argument injection vulnerability in Java Web Start for J2SE 1.4.2 up t ...) NOT-FOR-US: Java Web Start for proprietary Sun Java CVE-2005-0835 (The SNMP service in the Belkin 54G (F5D7130) wireless router allows re ...) NOT-FOR-US: Belkin 54G router CVE-2005-0834 (Belkin 54G (F5D7130) wireless router enables SNMP by default in a mann ...) NOT-FOR-US: Belkin 54G router CVE-2005-0833 (Belkin 54G (F5D7130) wireless router allows remote attackers to access ...) NOT-FOR-US: Belkin 54G router CVE-2005-0832 (Cross-site scripting (XSS) vulnerability in PHP-Post before 0.33 allow ...) NOT-FOR-US: PHP-Post CVE-2005-0831 (PHP-Post allows remote attackers to spoof the names of other users by ...) NOT-FOR-US: PHP-Post CVE-2005-0830 (Multiple buffer overflows in Xzabite DYNDNSUpdate 0.6.15 and earlier, ...) NOT-FOR-US: Xzabite DynDNS Updater CVE-2005-0829 (Cross-site scripting (XSS) vulnerability in setuser.php of the Digitan ...) NOT-FOR-US: PHP-Fusion Addon CVE-2005-0828 (highlight.php in (1) RUNCMS 1.1A, (2) CIAMOS 0.9.2 RC1, (3) e-Xoops 1. ...) NOT-FOR-US: e-Xoops based products CVE-2005-0827 (Viewcat.php in (1) RUNCMS 1.1A, (2) Ciamos 0.9.2 RC1, e-Xoops 1.05 Rev ...) NOT-FOR-US: e-Xoops based products CVE-2005-0826 (OllyDbg 1.10 and earlier allows remote attackers to cause a denial of ...) NOT-FOR-US: OllyDbg MS Windows debugger CVE-2005-0825 (Buffer overflow in LTris before 1.0.10 allows local users to execute a ...) - ltris 1.0.6-1.1 (bug #291620) CVE-2005-0824 (The internal_dump function in Mathopd before 1.5p5, and 1.6x before 1. ...) - mathopd 1.5p5-1 CVE-2001-1433 (Cherokee web server before 0.2.7 does not properly drop root privilege ...) NOT-FOR-US: Cherokee CVE-2001-1432 (Directory traversal vulnerability in Cherokee Web Server allows remote ...) NOT-FOR-US: Cherokee CVE-2001-1431 (Nokia Firewall Appliances running IPSO 3.3 and VPN-1/FireWall-1 4.1 Se ...) NOT-FOR-US: Nokia Firewall appliances CVE-2001-1430 (Cayman 3220-H DSL Router 1.0 ship without a password set, which allows ...) NOT-FOR-US: Cayman DSL router CVE-2001-1429 (Buffer overflow in mcedit in Midnight Commander 4.5.1 allows local use ...) NOTE: I could track this down to this posting NOTE: http://web.archive.org/web/20051206035530/http://cert.uni-stuttgart.de:80/archive/vuln-dev/2001/11/msg00104.html NOTE: This looks very obscure an does not contain useful information on how this NOTE: was triggered and even then it's not a problem, as mcedit usage does not NOTE: have a remote impact and is not suid CVE-2001-1428 (The (1) FTP and (2) Telnet services in Beck GmbH IPC@Chip are shipped ...) NOT-FOR-US: IPC@CHIP Embedded web server CVE-2001-1427 (Unknown vulnerability in ColdFusion Server 2.0 through 4.5.1 SP2 allow ...) NOT-FOR-US: ColdFusion CVE-2001-1426 (Alcatel Speed Touch running firmware KHDSAA.108 and KHDSAA.132 through ...) NOT-FOR-US: Alcatel Speed Touch CVE-2001-1425 (The challenge-response authentication of the EXPERT user for Alcatel S ...) NOT-FOR-US: Alcatel Speed Touch CVE-2001-1424 (Alcatel Speed Touch ADSL modem running firmware KHDSAA.108, KHDSAA.132 ...) NOT-FOR-US: Alcatel Speed Touch CVE-2005-XXXX [Various /tmp related security issues in cernlib] - cernlib 2004.11.04-3 CVE-2005-0823 (ThePoolClub (1) iPool and (2) iSnooker 1.6.81 and earlier stores usern ...) NOT-FOR-US: iSnooker CVE-2005-0822 (Citrix Metaframe Password Manager 2.5 and earlier stores a password in ...) NOT-FOR-US: Citrix CVE-2005-0821 (Unknown vulnerability in Citrix MetaFrame Conferencing Manager 3.0 all ...) NOT-FOR-US: Citrix CVE-2005-0820 (Microsoft Office InfoPath 2003 SP1 includes sensitive information in t ...) NOT-FOR-US: MS Office CVE-2005-0819 (The xvesa code in Novell Netware 6.5 SP2 and SP3 allows remote attacke ...) NOT-FOR-US: Novell Netware CVE-2005-0818 (Cross-site scripting (XSS) vulnerability in PunBB 1.2.3 allows remote ...) NOT-FOR-US: Pun BB CVE-2005-0817 (Unknown vulnerability in the DNSd proxy, as used in Symantec Gateway S ...) NOT-FOR-US: Symantec Gateway CVE-2005-0816 (Buffer overflow in newgrp in Solaris 7 through 9 allows local users to ...) NOT-FOR-US: Solaris CVE-2005-0815 (Multiple "range checking flaws" in the ISO9660 filesystem handler in L ...) - kernel-source-2.4.27 2.4.27-10 (bug #300783; medium) - linux-2.6 (Fixed before upload into archive; 2.6.12-rc1) [sarge] - kernel-source-2.6.8 2.6.8-16 CVE-2005-0814 (Unknown vulnerability in lshd in Lysator LSH 1.x and 2.x before 2.0.1 ...) {DSA-717-1} - lsh-utils 2.0.1-1 CVE-2005-0813 (Buffer overflow in Initial Redirect (ir) Squid Proxy Plug-In 0.1 and 0 ...) NOT-FOR-US: ir CVE-2005-0812 (The web interface in NotifyLink 3.0 displays passwords in cleartext on ...) NOT-FOR-US: NotifyLink CVE-2005-0811 (The web interface in NotifyLink 3.0 does not properly restrict access ...) NOT-FOR-US: NotifyLink CVE-2005-0810 (SQL injection vulnerability in NotifyLink before 3.0 allows remote att ...) NOT-FOR-US: NotifyLink CVE-2005-0809 (NotifyLink, when configured for client key retrieval, allows remote at ...) NOT-FOR-US: NotifyLink CVE-2005-0808 (Apache Tomcat before 5.x allows remote attackers to cause a denial of ...) NOT-FOR-US: Does not affect Tomcat 4.x according to http://www.securityfocus.com/bid/12795/info/ CVE-2005-0807 (Multiple buffer overflows in Cain & Abel before 2.67 allow remote ...) NOT-FOR-US: Cain & Abel CVE-2005-0806 (Evolution 2.0.3 allows remote attackers to cause a denial of service ( ...) - evolution 2.0.4-2 CVE-2005-0805 (SQL injection vulnerability in index.php in Subdreamer Light, when mag ...) NOT-FOR-US: Subdreamer CVE-2005-0804 (Format string vulnerability in MailEnable 1.8 allows remote attackers ...) NOT-FOR-US: MailEnable CVE-2005-0803 (The GetEnhMetaFilePaletteEntries API in GDI32.DLL in Windows 2000 allo ...) NOT-FOR-US: Windows CVE-2005-0802 (Cross-site scripting (XSS) vulnerability in search.asp in ACS Blog 0.8 ...) NOT-FOR-US: ACS Blog CVE-2005-0801 (Directory traversal vulnerability in includer.cgi in The Includer allo ...) NOT-FOR-US: The Includer CVE-2005-0800 (PHP remote file inclusion vulnerability in install.php in mcNews 1.3 a ...) NOT-FOR-US: mcNews CVE-2005-0799 (MySQL 4.1.9, and possibly earlier versions, allows remote attackers wi ...) NOT-FOR-US: MySQL on Windows CVE-2005-0798 (Novell iChain Mini FTP Server 2.3, and possibly earlier versions, does ...) NOT-FOR-US: Novell iChain CVE-2005-0797 (Novell iChain Mini FTP Server 2.3 displays different error messages if ...) NOT-FOR-US: Novell iChain CVE-2005-0796 (Directory traversal vulnerability in HolaCMS 1.4.9-1 allows remote att ...) NOT-FOR-US: Hola CMS CVE-2005-0795 (HolaCMS 1.4.9 does not restrict file access to the holaDB/votes direct ...) NOT-FOR-US: Hola CMS CVE-2005-0794 (ZPanel 2.0 and 2.5 beta 10 does not remove or protect installation scr ...) NOT-FOR-US: ZPanel CVE-2005-0793 (PHP remote file inclusion vulnerability in zpanel.php in ZPanel allows ...) NOT-FOR-US: ZPanel CVE-2005-0792 (SQL injection vulnerability in ZPanel 2.0 allows remote attackers to e ...) NOT-FOR-US: ZPanel CVE-2005-0791 (Cross-site scripting (XSS) vulnerability in adframe.php in phpAdsNew 2 ...) NOT-FOR-US: phpAdsNew CVE-2005-0790 (phpAdsNew 2.0.4 allows remote attackers to obtain sensitive informatio ...) NOT-FOR-US: phpAdsNew CVE-2005-0786 (SQL injection vulnerability in gb_new.inc in SimpGB allows remote atta ...) NOT-FOR-US: SimpGB CVE-2005-0785 (Cross-site scripting (XSS) vulnerability in usersrecentposts in YaBB 2 ...) NOT-FOR-US: YaBB CVE-2005-0784 (Multiple cross-site scripting (XSS) vulnerabilities in Phorum before 5 ...) NOT-FOR-US: Phorum CVE-2005-0783 (Cross-site scripting (XSS) vulnerability in Phorum before 5.0.14a allo ...) NOT-FOR-US: Phorum CVE-2005-0782 (Cross-site scripting (XSS) vulnerability in (1) viewall.php and (2) ca ...) NOT-FOR-US: paFileDB CVE-2005-0781 (SQL injection vulnerability in (1) viewall.php and (2) category.php in ...) NOT-FOR-US: paFileDB CVE-2005-0780 (paFileDB 3.1 and earlier allows remote attackers to obtain sensitive i ...) NOT-FOR-US: paFileDB CVE-2005-0779 (PlatinumFTP 1.0.18, and possibly earlier versions, allows remote attac ...) NOT-FOR-US: PlatinumFTP CVE-2005-0778 (PhotoPost PHP 5.0 RC3 does not fully verify that an uploaded file is a ...) NOT-FOR-US: PhotoPost CVE-2005-0777 (Multiple cross-site scripting (XSS) vulnerabilities in PhotoPost PHP 5 ...) NOT-FOR-US: PhotoPost CVE-2005-0776 (adm-photo.php in PhotoPost PHP 5.0 RC3 does not properly verify admini ...) NOT-FOR-US: PhotoPost CVE-2005-0775 (The reportpost action in misc.php for PhotoPost PHP 5.0 RC3 does not l ...) NOT-FOR-US: PhotoPost CVE-2005-0774 (SQL injection vulnerability in member.php and possibly other scripts i ...) NOT-FOR-US: PhotoPost CVE-2005-0773 (Stack-based buffer overflow in VERITAS Backup Exec Remote Agent 9.0 th ...) NOT-FOR-US: VERITAS Backup Exec CVE-2005-0772 (VERITAS Backup Exec 9.0 through 10.0 for Windows Servers, and 9.0.4019 ...) NOT-FOR-US: VERITAS Backup Exec CVE-2005-0771 (VERITAS Backup Exec Server (beserver.exe) 9.0 through 10.0 for Windows ...) NOT-FOR-US: VERITAS Backup Exec CVE-2005-0770 (Format string vulnerability in DataRescue Interactive Disassembler and ...) NOT-FOR-US: IDA Pro CVE-2005-0768 (Buffer overflow in the administration web server for GoodTech Telnet S ...) NOT-FOR-US: GoodTech Telnet Server CVE-2005-0767 (Race condition in the Radeon DRI driver for Linux kernel 2.6.8.1 allow ...) - kernel-source-2.6.8 2.6.8-15 CVE-2005-0766 (Unknown vulnerability in the sFlow dissector in Ethereal 0.9.14 throug ...) - ethereal 0.10.10-1 CVE-2005-0765 (Unknown vulnerability in the JXTA dissector in Ethereal 0.10.9 allows ...) - ethereal 0.10.10-1 CVE-2005-0764 (Buffer overflow in command.C for rxvt-unicode before 5.3 allows remote ...) - rxvt-unicode 5.3-1 CVE-2005-0763 (Buffer overflow in Midnight Commander (mc) 4.5.55 and earlier may allo ...) {DSA-698-1} - mc 1:4.6.0-4.6.1-pre3-1 NOTE: Sarge-specific regression correcting a previous DSA. CVE-2005-0762 (Heap-based buffer overflow in the SGI parser in ImageMagick before 6.0 ...) {DSA-702-1} - imagemagick 5:6.0.0-1 NOTE: Does only affect imagemagick releases prior to 6 CVE-2005-0761 (Unknown vulnerability in ImageMagick before 6.1.8 allows remote attack ...) - imagemagick 5:6.0.2.5 (bug #301110) CVE-2005-0760 (The TIFF decoder in ImageMagick before 6.0 allows remote attackers to ...) {DSA-702-1} - imagemagick 5:6.0.0-1 NOTE: Does only affect imagemagick releases prior to 6 CVE-2005-0759 (ImageMagick before 6.0 allows remote attackers to cause a denial of se ...) {DSA-702-1} - imagemagick 5:6.0.0-1 NOTE: Does only affect imagemagick releases prior to 6 CVE-2005-0758 (zgrep in gzip before 1.3.5 does not properly sanitize arguments, which ...) NOTE: see http://bugs.gentoo.org/show_bug.cgi?id=90626 - gzip 1.3.5-10 (low) - bzip2 1.0.2-8.1 (bug #321286; low) [sarge] - bzip2 (Minor issue) CVE-2005-0757 (The xattr file system code, as backported in Red Hat Enterprise Linux ...) {DSA-922-1 DSA-921-1} - kernel-source-2.4.27 2.4.27-11 (bug #311164) - linux-2.6 (Fixed before upload in archive) CVE-2005-0756 (ptrace in Linux kernel 2.6.8.1 does not properly verify addresses on t ...) {DSA-922-1 DSA-921-1} - kernel-source-2.4.27 2.4.27-11 (medium) - linux-2.6 (Fixed before upload into archive; 2.6.12-rc5) CVE-2005-0755 (Heap-based buffer overflow in RealPlayer 10 and earlier, Helix Player ...) - helix-player 1.0.4-1 CVE-2005-0754 (Kommander in KDE 3.2 through KDE 3.4.0 executes data files without con ...) - kdewebdev 1:3.3.2-6 CVE-2005-0753 (Buffer overflow in CVS before 1.11.20 allows remote attackers to execu ...) {DSA-742-1} - cvs 1:1.12.9-13 CVE-2005-0752 (The Plugin Finder Service (PFS) in Firefox before 1.0.3 allows remote ...) - mozilla-firefox 1.0.3-1 CVE-2005-0751 REJECTED CVE-2005-0750 (The bluez_sock_create function in the Bluetooth stack for Linux kernel ...) - kernel-source-2.4.27 2.4.27-10 [sarge] - kernel-source-2.6.8 2.6.8-16 - linux-2.6 (Fixed before upload into archive; 2.6.11.5) CVE-2005-0749 (The load_elf_library in the Linux kernel before 2.6.11.6 allows local ...) [sarge] - kernel-source-2.6.8 2.6.8-16 - kernel-source-2.4.27 2.4.27-10 - linux-2.6 (Fixed before upload into archive; 2.6.11.6) CVE-2003-1131 (PHP remote file inclusion vulnerability in index.php in KnowledgeBuild ...) NOT-FOR-US: ActiveCampaign KnowledgeBuilder CVE-2002-1601 (The Connectables feature in Adobe PhotoDeluxe 3.1 prepends the Adobe d ...) NOT-FOR-US: Adobe PhotoDeluxe CVE-2001-1423 (Advanced Poll before 1.61, when using a flat file database, allows rem ...) NOT-FOR-US: Advanced Poll CVE-2001-1422 (WinVNC 3.3.3 and earlier generates the same challenge string for multi ...) NOT-FOR-US: WinVNC CVE-2001-1421 (AOL Instant Messenger (AIM) 4.7 and earlier allows remote attackers to ...) NOT-FOR-US: AOL Instant Messenger CVE-2001-1420 (AOL Instant Messenger (AIM) 4.7 allows remote attackers to cause a den ...) NOT-FOR-US: AOL Instant Messenger CVE-2001-1419 (AOL Instant Messenger (AIM) 4.7.2480 and earlier allows remote attacke ...) NOT-FOR-US: AOL Instant Messenger CVE-2001-1418 (AOL Instant Messenger (AIM) 4.7 allows remote attackers to cause a den ...) NOT-FOR-US: AOL Instant Messenger CVE-2001-1417 (AOL Instant Messenger (AIM) 4.7 allows remote attackers to cause a den ...) NOT-FOR-US: AOL Instant Messenger CVE-2001-1416 (Multiple cross-site scripting (XSS) vulnerabilities in the log message ...) NOT-FOR-US: AOL Instant Messenger CVE-2001-1415 (vi.recover in OpenBSD before 3.1 allows local users to remove arbitrar ...) NOT-FOR-US: no_package NOTE: Debian's nvi recover script is very different CVE-2005-XXXX [Connection related DoS possibility in OmniORB 4] - omniorb4 4.0.5-2 CVE-2005-0789 (Directory traversal vulnerability in LimeWire 3.9.6 through 4.6.0 allo ...) NOT-FOR-US: not part of Woody, has been removed from sarge/sid CVE-2005-0788 (LimeWire 4.1.2 through 4.5.6 allows remote attackers to read arbitrary ...) NOT-FOR-US: Limewire has been removed from Sarge and sid, was never part of stable CVE-2005-0787 (Wine 20050211 and earlier creates temp files with world readable permi ...) - wine 0.0.20050310-1.1 CVE-2005-0769 (Multiple buffer overflows in OpenSLP before 1.1.5 allow remote attacke ...) - openslp 1.0.11a-2 CVE-2005-0748 (PHP remote file inclusion vulnerability in initdb.php for WEBInsta Mai ...) NOT-FOR-US: WEBInsta CVE-2005-0747 (ApplyYourself i-Class allows remote attackers to obtain sensitive info ...) NOT-FOR-US: ApplyYourself CVE-2005-0746 (The Mini FTP server in Novell iChain 2.2 and 2.3 SP2 and earlier allow ...) NOT-FOR-US: Novell iChain CVE-2005-0745 (UTStarcom iAN-02EX VoIP Analog Terminal Adaptor (ATA) allows local use ...) NOT-FOR-US: UTStarcom iAN-02EX VoIP Analog Terminal Adaptor CVE-2005-0744 (The web GUI for Novell iChain 2.2 and 2.3 SP2 and SP3 allows attackers ...) NOT-FOR-US: Novell iChain CVE-2005-0743 (The custom avatar uploading feature (uploader.php) for XOOPS 2.0.9.2 a ...) NOT-FOR-US: Xoops CVE-2005-0742 (Cross-site scripting (XSS) vulnerability in Sun Java System Applicatio ...) NOT-FOR-US: Sun Java System Application Server CVE-2005-0741 (Cross-site scripting (XSS) vulnerability in YaBB.pl for YaBB 2.0 RC1 a ...) NOT-FOR-US: YaBB CVE-2005-0740 (The TCP stack (tcp_input.c) in OpenBSD 3.5 and 3.6 allows remote attac ...) NOT-FOR-US: OpenBSD CVE-2005-0739 (The IAPP dissector (packet-iapp.c) for Ethereal 0.9.1 to 0.10.9 does n ...) {DSA-718-1} - ethereal 0.10.10-1 CVE-2005-0738 (Stack consumption vulnerability in Microsoft Exchange Server 2003 SP1 ...) NOT-FOR-US: Microsoft CVE-2005-0737 (Buffer overflow in Yahoo! Messenger allows remote attackers to execute ...) NOT-FOR-US: Yahoo Messenger CVE-2005-0736 (Integer overflow in sys_epoll_wait in eventpoll.c for Linux kernel 2.6 ...) - kernel-source-2.4.27 (There is no epoll in kernel 2.4) - linux-2.6 (Fixed before upload into archive; 2.6.11.1) [sarge] - kernel-source-2.6.8 2.6.8-14 CVE-2005-0735 (newsscript.pl for NewsScript allows remote attackers to gain privilege ...) NOT-FOR-US: newsscript CVE-2005-0734 (PY Software Active Webcam WebServer (webcam.exe) 5.5 allows remote att ...) NOT-FOR-US: PY Software Active Webcam WebServer CVE-2005-0733 (PY Software Active Webcam WebServer (webcam.exe) 5.5 allows remote att ...) NOT-FOR-US: PY Software Active Webcam WebServer CVE-2005-0732 (PY Software Active Webcam WebServer (webcam.exe) 5.5 allows remote att ...) NOT-FOR-US: PY Software Active Webcam WebServer CVE-2005-0731 (PY Software Active Webcam WebServer (webcam.exe) 5.5 allows remote att ...) NOT-FOR-US: PY Software Active Webcam WebServer CVE-2005-0730 (PY Software Active Webcam WebServer (webcam.exe) 5.5 allows remote att ...) NOT-FOR-US: PY Software Active Webcam WebServer CVE-2005-0729 (Format string vulnerability in Xpand Rally 1.1.0.0 and earlier allows ...) NOT-FOR-US: Xpand Rally CVE-2005-0728 REJECTED CVE-2005-0727 REJECTED CVE-2005-0726 (SQL injection vulnerability in editpost.php in UBB.threads 6.0 allows ...) NOT-FOR-US: UBB.threads CVE-2005-0725 (SQL injection vulnerability in the getAllbyArticle function in wfsfile ...) NOT-FOR-US: wfsections CVE-2005-0724 (paFileDB 3.1 and earlier allows remote attackers to obtain sensitive i ...) NOT-FOR-US: paFileDB CVE-2005-0723 (Cross-site scripting (XSS) vulnerability in the jumpmenu function in f ...) NOT-FOR-US: paFileDB CVE-2005-0722 (eXPerience2 allows remote attackers to obtain the full path for the we ...) NOT-FOR-US: eXPerience2 CVE-2005-0721 (PHP remote file inclusion vulnerability in modules.php in eXPerience2 ...) NOT-FOR-US: eXPerience2 CVE-2005-0720 (PHP remote file inclusion vulnerability in admin/header.php in PHP mcN ...) NOT-FOR-US: mcNews CVE-2005-0719 (Unknown vulnerability in the systems message queue in HP Tru64 Unix 4. ...) NOT-FOR-US: Tru64 CVE-2005-0718 (Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denia ...) - squid 2.5.8 (bug #305605) CVE-2005-0717 RESERVED CVE-2005-0716 (Stack-based buffer overflow in the Core Foundation Library in Mac OS X ...) NOT-FOR-US: Mac OS CVE-2005-0715 (AFP Server in Mac OS X before 10.3.8 uses insecure permissions for "Dr ...) NOT-FOR-US: Mac OS CVE-2005-0714 REJECTED CVE-2005-0713 (The Bluetooth Setup Assistant for Mac OS X before 10.3.8 can be launch ...) NOT-FOR-US: Mac OS CVE-2005-0712 (Mac OS X before 10.3.8 users world-writable permissions for certain di ...) NOT-FOR-US: Mac OS CVE-2005-0711 (MySQL 4.0.23 and earlier, and 4.1.x up to 4.1.10, uses predictable fil ...) {DSA-707-1} - mysql-dfsg 4.0.24 - mysql-dfsg-4.1 4.1.10a CVE-2005-0710 (MySQL 4.0.23 and earlier, and 4.1.x up to 4.1.10, allows remote authen ...) {DSA-707-1} - mysql-dfsg 4.0.24 - mysql-dfsg-4.1 4.1.10a CVE-2005-0709 (MySQL 4.0.23 and earlier, and 4.1.x up to 4.1.10, allows remote authen ...) {DSA-707-1} - mysql-dfsg 4.0.24 - mysql-dfsg-4.1 4.1.10a CVE-2005-0708 (The sendfile system call in FreeBSD 4.8 through 4.11 and 5 through 5.4 ...) - kfreebsd-8 (Fixed before initial release; bug #613311) - kfreebsd-7 (Fixed before initial release; bug #613311) CVE-2003-1130 REJECTED CVE-2003-1129 (Buffer overflow in the Yahoo! Audio Conferencing (aka Voice Chat) Acti ...) NOT-FOR-US: Yahoo Audio Conferencing ActiveX control CVE-2003-1128 (XMMS.pm in X2 XMMS Remote, as obtained from the vendor server between ...) NOT-FOR-US: X2 XMMS Remote CVE-2003-1127 (Whale Communications e-Gap 2.5 on Windows 2000 allows remote attackers ...) NOT-FOR-US: e-Gap CVE-2003-1126 (Unknown vulnerability in SunOne/iPlanet Web Server SP3 through SP5 on ...) NOT-FOR-US: SunOne/iPlanet CVE-2003-1125 (Unknown vulnerability in ns-ldapd for Sun ONE Directory Server 4.16, 5 ...) NOT-FOR-US: SunOne CVE-2003-1124 (Unknown vulnerability in Sun Management Center (SunMC) 2.1.1, 3.0, and ...) NOT-FOR-US: Sun Management Center CVE-2003-1123 (Sun Java Runtime Environment (JRE) and SDK 1.4.0_01 and earlier allows ...) NOT-FOR-US: Sun JRE CVE-2003-1122 (ScriptLogic 4.01, and possibly other versions before 4.14, uses insecu ...) NOT-FOR-US: ScriptLogic CVE-2003-1121 (Services in ScriptLogic 4.01, and possibly other versions before 4.14, ...) NOT-FOR-US: ScriptLogic CVE-2003-1120 (Race condition in SSH Tectia Server 4.0.3 and 4.0.4 for Unix, when the ...) NOT-FOR-US: SSH Tectia Server CVE-2003-1119 (SSH Secure Shell before 3.2.9 allows remote attackers to cause a denia ...) - openssh CVE-2003-1118 (Buffer overflow in the SETI@home client 3.03 and other versions allows ...) - setiathome 3.04 CVE-2003-1117 (Buffer overflow in RealSystem Server 6.x, 7.x and 8.x, and RealSystem ...) NOT-FOR-US: RealSystem Server CVE-2003-1116 (The communications protocol for the Report Review Agent (RRA), aka FND ...) NOT-FOR-US: Oracle E-Business Suite CVE-2003-1115 (The Session Initiation Protocol (SIP) implementation in Nortel Network ...) NOT-FOR-US: Nortel Networks Succession Communication Server CVE-2003-1114 (The Session Initiation Protocol (SIP) implementation in Mediatrix Tele ...) NOT-FOR-US: Mediatrix Telecom VoIP Access Devices and Gateways CVE-2003-1113 (The Session Initiation Protocol (SIP) implementation in IPTel SIP Expr ...) NOT-FOR-US: IPTel SIP Express Router CVE-2003-1112 (The Session Initiation Protocol (SIP) implementation in Ingate Firewal ...) NOT-FOR-US: Ingate Firewall and Ingate SIParator CVE-2003-1111 (The Session Initiation Protocol (SIP) implementation in multiple dynam ...) NOT-FOR-US: dynamicsoft CVE-2003-1110 (The Session Initiation Protocol (SIP) implementation in Columbia SIP U ...) NOT-FOR-US: Columbia SIP User Agent CVE-2003-1109 (The Session Initiation Protocol (SIP) implementation in multiple Cisco ...) NOT-FOR-US: Cisco CVE-2003-1108 (The Session Initiation Protocol (SIP) implementation in Alcatel OmniPC ...) NOT-FOR-US: Alcatel CVE-2003-1107 (The DHTML capability in Microsoft Windows Media Player (WMP) 6.4, 7.0, ...) NOT-FOR-US: Microsoft CVE-2003-1106 (The SMTP service in Microsoft Windows 2000 before SP4 allows remote at ...) NOT-FOR-US: Microsoft CVE-2003-1105 (Unknown vulnerability in Internet Explorer 5.01 SP3 through 6.0 SP1 al ...) NOT-FOR-US: MSIE CVE-2003-1104 (Buffer overflow in IBM Tivoli Firewall Toolbox (TFST) 1.2 allows remot ...) NOT-FOR-US: IBM Tivoli Firewall Toolbox CVE-2003-1103 (SQL injection vulnerability in loginact.asp for Hummingbird CyberDOCS ...) NOT-FOR-US: Hummingbird CyberDOCS CVE-2003-1102 (Hummingbird CyberDOCS 3.5, 3.9, and 4.0, when running on IIS, uses ins ...) NOT-FOR-US: Hummingbird CyberDOCS CVE-2003-1101 (Hummingbird CyberDOCS 3.5.1, 3.9, and 4.0 allows remote attackers to o ...) NOT-FOR-US: Hummingbird CyberDOCS CVE-2003-1100 (Multiple cross-site scripting (XSS) vulnerabilities in Hummingbird Cyb ...) NOT-FOR-US: Hummingbird CyberDOCS CVE-2003-1099 (shar on HP-UX B.11.00, B.11.04, and B.11.11 creates temporary files wi ...) NOT-FOR-US: shar on HP-UX CVE-2003-1098 (The Xserver for HP-UX 11.22 was not properly built, which introduced a ...) NOT-FOR-US: HP-UX) CVE-2003-1097 (Buffer overflow in rexec on HP-UX B.10.20, B.11.00, and B.11.04, when ...) NOT-FOR-US: HP-UX) CVE-2002-1600 (Directory traversal vulnerability in Mike Spice's My Classifieds (clas ...) NOT-FOR-US: Mike Spice's My Classifieds CVE-2002-1599 (DansGuardian before 2.4.5-1 allows remote attackers to bypass content ...) - dansguardian 2.4.5-1 CVE-2002-1598 (Buffer overflows in Computer Associates MLink (CA-MLink) 6.5 and earli ...) NOT-FOR-US: Computer Associates MLink CVE-2002-1597 (Cisco SN 5420 Storage Router 1.1(5) and earlier allows remote attacker ...) NOT-FOR-US: Cisco CVE-2002-1596 (Cisco SN 5420 Storage Router 1.1(5) and earlier allows remote attacker ...) NOT-FOR-US: Cisco CVE-2002-1595 (Cisco SN 5420 Storage Router 1.1(5) and earlier allows attackers to re ...) NOT-FOR-US: Cisco CVE-2002-1594 (Buffer overflow in (1) grpck and (2) pwck, if installed setuid on a sy ...) - shadow (Debian's pwck and grpck do not overflow and are not suid) CVE-2002-1593 (mod_dav in Apache before 2.0.42 does not properly handle versioning ho ...) - apache2 2.0.42 CVE-2002-1592 (The ap_log_rerror function in Apache 2.0 through 2.035, when a CGI app ...) - apache2 2.0.36 CVE-2002-1591 (AOL Instant Messenger (AIM) 4.7.2480 adds free.aol.com to the Trusted ...) NOT-FOR-US: AIM in MSIE CVE-2005-0707 (Buffer overflow in the IMAP daemon (IMAP4d32.exe) for Ipswitch Collabo ...) NOT-FOR-US: Ipswitch Collaboration Suite CVE-2005-0706 (Buffer overflow in discdb.c for grip 3.1.2 allows attackers to cause a ...) [sarge] - gnome-vfs2 (does not install the module with the vulnerable code) - grip 3.2.0-4 (low) - libcdaudio 0.99.9-2.1 (bug #304799; low) - gnome-vfs 1.0.5-5.1 (bug #305163; low) - gnome-vfs2 2.10.1-3 CVE-2005-0705 (The GPRS-LLC dissector in Ethereal 0.10.7 through 0.10.9, with the "ig ...) - ethereal 0.10.10-1 CVE-2005-0704 (Buffer overflow in the Etheric dissector in Ethereal 0.10.7 through 0. ...) - ethereal 0.10.10-1 CVE-2004-1770 (The login page for cPanel 9.1.0, and possibly other versions, allows r ...) NOT-FOR-US: not our cpanel CVE-2004-1769 (The "Allow cPanel users to reset their password via email" feature in ...) NOT-FOR-US: not our cpanel CVE-2004-1768 (The character converters in the Spamhunter and Language ID modules for ...) NOT-FOR-US: Symantec Brightmail AntiSpam CVE-2004-1767 (The kernel in Solaris 2.6, 7, 8, and 9 allows local users to gain priv ...) NOT-FOR-US: Solaris CVE-2004-1766 (The default installation of NetScreen-Security Manager before Feature ...) NOT-FOR-US: NetScreen-Security Manager CVE-2004-1765 (Off-by-one buffer overflow in ModSecurity (mod_security) 1.7.4 for Apa ...) - libapache-mod-security (only seems to affect 1.7.4, not the newer branch in Debian) CVE-2004-1764 (Buffer overflow in CDE libDtSvc on HP-UX B.11.00, B.11.04, B.11.11, an ...) NOT-FOR-US: HP-UX CVE-2004-1763 (Buffer overflow in hsrun.exe for HAHTsite Scenario Server 5.1 Patch 06 ...) NOT-FOR-US: hsrun.exe CVE-2004-1762 (Unknown vulnerability in F-Secure Anti-Virus (FSAV) 4.52 for Linux bef ...) NOT-FOR-US: F-Secure Anti-Virus CVE-2004-1761 (Unknown vulnerability in Ethereal 0.8.13 to 0.10.2 allows attackers to ...) - ethereal 0.10.3 CVE-2004-1760 (The default installation of Cisco voice products, when running the IBM ...) NOT-FOR-US: Cisco CVE-2004-1759 (Cisco voice products, when running the IBM Director Agent on IBM serve ...) NOT-FOR-US: Cisco CVE-2004-1758 (BEA WebLogic Server and WebLogic Express version 8.1 up to SP2, 7.0 up ...) NOT-FOR-US: BEA WebLogic Server CVE-2004-1757 (BEA WebLogic Server and Express 8.1, SP1 and earlier, stores the admin ...) NOT-FOR-US: BEA WebLogic Server CVE-2004-1756 (BEA WebLogic Server and WebLogic Express 8.1 SP2 and earlier, and 7.0 ...) NOT-FOR-US: BEA WebLogic Server CVE-2004-1755 (The Web Services fat client for BEA WebLogic Server and Express 7.0 SP ...) NOT-FOR-US: BEA WebLogic Server CVE-2003-1096 (The Cisco LEAP challenge/response authentication mechanism uses passwo ...) NOT-FOR-US: Cisco CVE-2003-1095 (BEA WebLogic Server and Express 7.0 and 7.0.0.1, when using "memory" s ...) NOT-FOR-US: BEA WebLogic Server CVE-2003-1094 (BEA WebLogic Server and Express version 7.0 SP3 may follow certain cod ...) NOT-FOR-US: BEA WebLogic Server CVE-2003-1093 (BEA WebLogic Server 6.1, 7.0 and 7.0.0.1, when routing messages to a J ...) NOT-FOR-US: BEA WebLogic Server CVE-2003-1092 (Unknown vulnerability in the "Automatic File Content Type Recognition ...) - file 3.4.1 CVE-2003-1091 (Integer overflow in MP3Broadcaster for Apple QuickTime/Darwin Streamin ...) NOT-FOR-US: Apple QuickTime/Darwin Streaming Server CVE-2003-1090 (Buffer overflow in AbsoluteTelnet before 2.12 RC10 allows remote attac ...) NOT-FOR-US: AbsoluteTelnet CVE-2005-0703 (Xerox MicroServer Web Server for various WorkCentre products including ...) NOT-FOR-US: Xerox MicroServer Web Server CVE-2005-0702 (SQL injection vulnerability in phpMyFAQ 1.4 and 1.5 allows remote atta ...) NOT-FOR-US: phpMyFAQ CVE-2005-0701 (Directory traversal vulnerability in Oracle Database Server 8i and 9i ...) NOT-FOR-US: Oracle CVE-2005-0700 (The export_index action in myadmin.php for Aztek Forum 4.0 allows remo ...) NOT-FOR-US: Aztek CVE-2005-0699 (Multiple buffer overflows in the dissect_a11_radius function in the CD ...) - ethereal 0.10.9-2 CVE-2005-0698 (PHP remote file inclusion vulnerability in PHPWebLog 0.5.3 and earlier ...) NOT-FOR-US: PHPWebLog CVE-2005-0697 (SQL injection vulnerability in the process_picture function xp_publish ...) NOT-FOR-US: CopperExport CVE-2005-0696 (Buffer overflow in ArGoSoft FTP Server 1.4.2.8 allows remote authentic ...) NOT-FOR-US: ArGoSoft CVE-2005-0695 (The password recovery feature (forgotpassword.asp) in Hosting Controll ...) NOT-FOR-US: Hosting Controller CVE-2005-0694 (Hosting Controller 6.1 Hotfix 1.7 and earlier stores log files under t ...) NOT-FOR-US: Hosting Controller CVE-2005-0693 (Buffer overflow in JoWood Chaser 1.50 and earlier allows remote attack ...) NOT-FOR-US: JoWood Chaser (for Windows) CVE-2005-0692 (Cross-site scripting (XSS) vulnerability in fusion_core.php for PHP-Fu ...) NOT-FOR-US: PHP-Fusion CVE-2005-0691 (PHP remote file inclusion vulnerability in article mode for modules.ph ...) NOT-FOR-US: SocialMPN CVE-2005-0690 (Gene6 FTP Server does not properly restrict access to the control cons ...) NOT-FOR-US: Gene6 FTP Server for Win CVE-2005-0689 (includer.cgi in The Includer allows remote attackers to execute arbitr ...) NOT-FOR-US: The Includer CVE-2005-0688 (Windows Server 2003 and XP SP2, with Windows Firewall turned off, allo ...) NOT-FOR-US: Windows CVE-2005-0687 (Format string vulnerability in Hashcash 1.16 allows remote attackers t ...) - hashcash 1.17-1 CVE-2005-0686 (Integer overflow in mlterm 2.5.0 through 2.9.1, with gdk-pixbuf suppor ...) - mlterm 2.9.2 (bug #298621) CVE-2005-0685 (Multiple access validation errors in OutStart Participate Enterprise ( ...) NOT-FOR-US: OutStart Participate Enterprise CVE-2005-0684 (Multiple buffer overflows in the web tool for MySQL MaxDB before 7.5.0 ...) - maxdb-7.5.00 7.5.00.24-3 CVE-2005-0683 REJECTED CVE-2005-0682 (Cross-site scripting (XSS) vulnerability in common.inc in Drupal befor ...) - drupal 4.5.2 CVE-2005-0681 (Nokia Symbian 60 allows remote attackers to cause a denial of service ...) NOT-FOR-US: Nokia CVE-2005-0680 (PHP remote file inclusion vulnerability in download_center_lite.inc.ph ...) NOT-FOR-US: Download Center Lite CVE-2005-0679 (PHP remote file inclusion vulnerability in tell_a_friend.inc.php for T ...) NOT-FOR-US: Tell A Friend Script CVE-2005-0678 (PHP remote file inclusion vulnerability in formmail.inc.php for Form M ...) NOT-FOR-US: Form Mail Script CVE-2005-0677 (index.php for Zorum 3.5 allows remote attackers to perform certain act ...) NOT-FOR-US: Zorum CVE-2005-0676 (index.php in Zorum 3.5 allows remote attackers to trigger an SQL error ...) NOT-FOR-US: Zorum CVE-2005-0675 (Cross-site scripting (XSS) vulnerability in index.php for Zorum 3.5 al ...) NOT-FOR-US: Zorum CVE-2005-0674 (Cross-site scripting (XSS) vulnerability in the News module for paBox ...) NOT-FOR-US: Pabox for PHPNuke CVE-2005-0673 (Cross-site scripting (XSS) vulnerability in usercp_register.php for ph ...) - phpbb2 2.0.13-2 CVE-2005-0672 (Carsten's 3D Engine (Ca3DE), March 2004 version and earlier, allows re ...) NOT-FOR-US: Ca3DE CVE-2005-0671 (Format string vulnerability in Carsten's 3D Engine (Ca3DE), March 2004 ...) NOT-FOR-US: Ca3DE CVE-2005-0670 (Cross-site scripting (XSS) vulnerability in phpCOIN 1.2.0 through 1.2. ...) NOT-FOR-US: phpCOIN CVE-2005-0669 (Multiple SQL injection vulnerabilities in mod.php for phpCOIN 1.2.0 th ...) NOT-FOR-US: phpCOIN CVE-2005-0668 (Unknown vulnerability in HTTP Anti Virus Proxy (HAVP) before 0.51 prev ...) NOT-FOR-US: HAVP CVE-2005-0667 (Buffer overflow in Sylpheed before 1.0.3 and other versions before 1.9 ...) - sylpheed 1.0.3-1 - sylpheed-claws 1.0.3-1 CVE-2005-0666 (Unknown vulnerability in PaX from the September 2003 release to 2.2 be ...) - kernel-patch-adamantix 1.7 CVE-2005-0665 (Format string vulnerability in xv before 3.10a allows remote attackers ...) NOT-FOR-US: XV CVE-2005-0664 (Buffer overflow in the EXIF library (libexif) 0.6.9 does not properly ...) {DSA-709-1} - libexif 0.6.9-5 CVE-2005-0663 (SQL injection vulnerability in index.php for MercuryBoard 1.1.2 allows ...) NOT-FOR-US: Mercury Board CVE-2005-0662 (Cross-site scripting (XSS) vulnerability in index.php for MercuryBoard ...) NOT-FOR-US: Mercury Board CVE-2005-0661 (SQL injection vulnerability in the getwbbuserdata function in session. ...) NOT-FOR-US: Woltlab Burning Board CVE-2005-0660 (Multiple cross-site scripting (XSS) vulnerabilities in D-Forum 1.11 al ...) NOT-FOR-US: D-Forum CVE-2005-0659 (phpBB 2.0.13 and earlier allows remote attackers to obtain sensitive i ...) - phpbb2 (unimportant) CVE-2005-0658 (SQL injection vulnerability in a third party extension to TYPO3 allows ...) NOT-FOR-US: TYPO3 extension CVE-2005-0657 (Directory traversal vulnerability in Computalynx CProxy 3.3.x and 3.4. ...) NOT-FOR-US: Computalynx CProxy CVE-2005-0656 (Multiple cross-site scripting (XSS) vulnerabilities in auraCMS 1.5 all ...) NOT-FOR-US: auraCMS CVE-2005-0655 (auraCMS 1.5 allows remote attackers to obtain sensitive information vi ...) NOT-FOR-US: auraCMS CVE-2005-0654 (gifload.exe in GIMP 2.0.5, 2.2.3, and possibly 2.2.4 allows remote att ...) NOTE: this is not a security issue according to maintainer CVE-2005-0653 (phpMyAdmin 2.6.1 does not properly grant permissions on tables with an ...) - phpmyadmin 3:2.6.1-pl3-1 CVE-2005-0652 (Unknown vulnerability in HP OpenVMS VAX 7.x and 6.x and OpenVMS Alpha ...) NOT-FOR-US: OpenVMS CVE-2005-0651 (Multiple SQL injection vulnerabilities in ProjectBB 0.4.5.1 allow remo ...) NOT-FOR-US: ProjectBB CVE-2005-0650 (Multiple cross-site scripting (XSS) vulnerabilities in ProjectBB 0.4.5 ...) NOT-FOR-US: ProjectBB CVE-2005-0649 (Pixel-Apes SafeHTML before 1.2.1 allows remote attackers to bypass cro ...) NOT-FOR-US: Pixel-Apes SafeHTML CVE-2005-0648 (Multiple vulnerabilities in Pixel-Apes SafeHTML before 1.3.0 allow rem ...) NOT-FOR-US: Pixel-Apes SafeHTML CVE-2005-0647 (admin_setup.php in paNews 2.0.4b allows remote attackers to inject arb ...) NOT-FOR-US: paNews CVE-2005-0646 (SQL injection vulnerability in auth.php in paNews 2.0.4b allows remote ...) NOT-FOR-US: paNews CVE-2005-0645 (Cross-site scripting (XSS) vulnerability in show.inc.php in cuteNews 1 ...) NOT-FOR-US: CuteNews CVE-2005-0644 (Buffer overflow in McAfee Scan Engine 4320 with DAT version before 443 ...) NOT-FOR-US: McAfee Virus Scanners CVE-2005-0643 (Buffer overflow in McAfee Scan Engine 4320 with DAT version before 435 ...) NOT-FOR-US: McAfee Virus Scanners CVE-2005-0642 (SQL injection vulnerability in the Query Designer for Computer Associa ...) NOT-FOR-US: Computer Associates UAM CVE-2005-0641 (Cross-site scripting (XSS) vulnerability in the Reporter for Computer ...) NOT-FOR-US: Computer Associates UAM CVE-2005-0640 (Computer Associates (CA) Unicenter Asset Management (UAM) 4.0 does not ...) NOT-FOR-US: Computer Associates UAM CVE-2005-0639 (Multiple vulnerabilities in xli before 1.17 may allow remote attackers ...) {DSA-695-1 DSA-694-1} - xloadimage 4.1-14.2 - xli 1.17.0-17 CVE-2005-0638 (xloadimage before 4.1-r2, and xli before 1.17, allows attackers to exe ...) {DSA-695-1 DSA-694-1} - xli 1.17.0-18 - xloadimage 4.1-14.1 (bug #298926) CVE-2005-0637 (The copy functions in locore.s such as copyout in OpenBSD 3.5 and 3.6, ...) NOT-FOR-US: OpenBSD CVE-2005-0636 (Format string vulnerability in Foxmail Server 2.0 allows remote attack ...) NOT-FOR-US: Foxmail CVE-2005-0635 (Buffer overflow in Foxmail Server 2.0 allows remote attackers to execu ...) NOT-FOR-US: Foxmail CVE-2005-0634 (Buffer overflow in Golden FTP Server 1.92 allows remote attackers to e ...) NOT-FOR-US: Golden FTP Server CVE-2005-0633 (Buffer overflow in Trillian 3.0 and Pro 3.0 allows remote attackers to ...) NOT-FOR-US: Cerulean Trillian CVE-2005-0632 (PHP remote file inclusion vulnerability in auth.php in PHPNews 1.2.4 a ...) NOT-FOR-US: PHPNews CVE-2005-0631 (delpm.php in PBLang 4.63 allows remote authenticated users to delete a ...) NOT-FOR-US: PBLang CVE-2005-0630 (sendpm.php in PBLang 4.63 allows remote authenticated users to read ar ...) NOT-FOR-US: PBLang CVE-2005-0629 (Multiple cross-site scripting (XSS) vulnerabilities in profile.php in ...) NOT-FOR-US: 427BB CVE-2005-0628 (Multiple cross-site scripting (XSS) vulnerabilities in Forumwa 1.0 all ...) NOT-FOR-US: Forumwa CVE-2005-0627 (Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be wo ...) - qt-x11-free (RPATH disabled in Debian's build) CVE-2004-1754 (The DNS proxy (DNSd) for multiple Symantec Gateway Security products a ...) NOT-FOR-US: Symantec DNSd CVE-2003-1089 (index.php for Zorum 3.4 allows remote attackers to determine the full ...) NOT-FOR-US: Zorum CVE-2003-1088 (Cross-site scripting (XSS) vulnerability in index.php for Zorum 3.4 an ...) NOT-FOR-US: Zorum CVE-2005-0626 (Race condition in Squid 2.5.STABLE7 to 2.5.STABLE9, when using the Net ...) - squid 2.5.9-2 CVE-2005-0940 REJECTED CVE-2005-0625 (reportbug 3.2 includes settings from .reportbugrc in bug reports, whic ...) - reportbug 3.8 (bug #295407) CVE-2005-0624 (reportbug before 2.62 creates the .reportbugrc configuration file with ...) - reportbug 3.8 (bug #295407) CVE-2005-0623 (Buffer overflow in RaidenHTTPD 1.1.32, and possibly other versions bef ...) NOT-FOR-US: RaidenHTTPD CVE-2005-0622 (RaidenHTTPD 1.1.32, and possibly other versions before 1.1.34, allows ...) NOT-FOR-US: RaidenHTTPD CVE-2005-0621 (Scrapland 1.0 and earlier allows remote attackers to cause a denial of ...) NOT-FOR-US: Scrapland CVE-2005-0620 (Einstein 1.0 stores credit card information in plaintext in the world- ...) NOT-FOR-US: Einstein CVE-2005-0619 (Einstein 1.0.1 stores sensitive information such as usernames and pass ...) NOT-FOR-US: Einstein CVE-2005-0618 (The SMTP binding function in Symantec Firewall/VPN Appliance 200/200R ...) NOT-FOR-US: Symantec Firewall/VPN Appliance 200/200R firmware CVE-2005-0617 (SQL injection vulnerability in dl-search.php in PostNuke 0.750 and 0.7 ...) NOT-FOR-US: PostNuke CVE-2005-0616 (Multiple cross-site scripting (XSS) vulnerabilities in the Download mo ...) NOT-FOR-US: PostNuke CVE-2005-0615 (Multiple SQL injection vulnerabilities in (1) index.php, (2) modules.p ...) NOT-FOR-US: PostNuke CVE-2005-0614 (sessions.php in phpBB 2.0.12 and earlier allows remote attackers to ga ...) - phpbb2 2.0.13-1 CVE-2005-0613 (Unknown vulnerability in FCKeditor 2.0 RC2, when used with PHP-Nuke, a ...) - knowledgeroot (fixed before first upload; see bug #381912) CVE-2005-0612 (Cisco IP/VC Videoconferencing System 3510, 3520, 3525 and 3530 contain ...) NOT-FOR-US: Cisco CVE-2005-0611 (Heap-based buffer overflow in RealNetworks RealPlayer 10.5 (6.0.12.105 ...) NOT-FOR-US: Real CVE-2005-0610 (Multiple symlink vulnerabilities in portupgrade before 20041226_2 in F ...) NOT-FOR-US: FreeBSD portupgrade CVE-2005-0609 REJECTED CVE-2005-0608 (Heap-based buffer overflow in server.cpp for WebMod 0.47 allows remote ...) NOT-FOR-US: Half Life WebMod CVE-2005-0607 (CubeCart 2.0.0 through 2.0.5 allows remote attackers to determine the ...) NOT-FOR-US: CubeCert CVE-2005-0606 (Cross-site scripting (XSS) vulnerability in settings.inc.php for CubeC ...) NOT-FOR-US: CubeCert CVE-2005-0605 (scan.c for LibXPM may allow attackers to execute arbitrary code via a ...) {DSA-723-1} - lesstif2 1:0.93.94-11.1 (bug #298183; bug #299236) NOTE: libxmp4 is the real culprit - xfree86 4.3.0.dfsg.1-13 - xorg-x11 (Fixed before upload into archive) - openmotif 2.2.3-1.1 (bug #308819; medium) [sarge] - openmotif (Non-free) CVE-2005-0604 (lnss.exe in GFI Languard Network Security Scanner 5.0 stores the usern ...) NOT-FOR-US: GFI Languard Network Security Scanner CVE-2005-0603 (viewtopic.php in phpBB 2.0.12 and earlier allows remote attackers to o ...) - phpbb2 2.0.13-1 CVE-2005-0602 (Unzip 5.51 and earlier does not properly warn the user when extracting ...) - unzip 5.52-1 NOTE: um, tar does this too, not really considered a security hole CVE-2005-0601 (Cisco devices running Application and Content Networking System (ACNS) ...) NOT-FOR-US: Cisco CVE-2005-0600 (Cisco devices running Application and Content Networking System (ACNS) ...) NOT-FOR-US: Cisco CVE-2005-0599 (Cisco devices running Application and Content Networking System (ACNS) ...) NOT-FOR-US: Cisco CVE-2005-0598 (The RealServer RealSubscriber on Cisco devices running Application and ...) NOT-FOR-US: Real CVE-2005-0597 (Cisco devices running Application and Content Networking System (ACNS) ...) NOT-FOR-US: Cisco CVE-2005-0596 (PHP 4 (PHP4) allows attackers to cause a denial of service (daemon cra ...) NOTE: Fixed in CVS after 4.3.4 release; see http://bugs.php.net/bug.php?id=27037 - php4 4:4.3.8-1 CVE-2005-0595 (Buffer overflow in ext.dll in BadBlue 2.55 allows remote attackers to ...) NOT-FOR-US: BadBlue CVE-2005-0594 (Buffer overflow in the Netinfo Setup Tool (NeST) allows local users to ...) NOT-FOR-US: Apple CVE-2005-0593 (Firefox before 1.0.1 and Mozilla before 1.7.6 allows remote attackers ...) - mozilla-firefox 1.0.1 - mozilla 2:1.7.6-1 CVE-2005-0592 (Heap-based buffer overflow in the UTF8ToNewUnicode function for Firefo ...) - mozilla-firefox 1.0.1 - mozilla 2:1.7.6-1 - mozilla-thunderbird 1.0.2-1 CVE-2005-0591 (Firefox before 1.0.1 allows remote attackers to spoof the (1) security ...) - mozilla-firefox 1.0.1 CVE-2005-0590 (The installation confirmation dialog in Firefox before 1.0.1, Thunderb ...) - mozilla-firefox 1.0.1 - mozilla-thunderbird 1.0.2-1 CVE-2005-0589 (The Form Fill feature in Firefox before 1.0.1 allows remote attackers ...) - mozilla-firefox 1.0.1 CVE-2005-0588 (Firefox before 1.0.1 and Mozilla before 1.7.6 does not restrict xsl:in ...) - mozilla-firefox 1.0.1 - mozilla 2:1.7.6-1 CVE-2005-0587 (Firefox before 1.0.1 and Mozilla before 1.7.6 allows remote malicious ...) NOTE: windows only CVE-2005-0586 (Firefox before 1.0.1 and Mozilla before 1.7.6 allows remote malicious ...) - mozilla-firefox 1.0.1 - mozilla 2:1.7.6-1 CVE-2005-0585 (Firefox before 1.0.1 and Mozilla before 1.7.6 truncates long sub-domai ...) - mozilla-firefox 1.0.1 - mozilla 2:1.7.6-1 CVE-2005-0584 (Firefox before 1.0.1 and Mozilla before 1.7.6, when displaying the HTT ...) - mozilla-firefox 1.0.1 - mozilla 2:1.7.6-1 CVE-2005-0583 (Directory traversal vulnerability in Computer Associates (CA) License ...) NOT-FOR-US: Computer Associates (CA) License Client CVE-2005-0582 (Buffer overflow in Computer Associates (CA) License Client 0.1.0.15 al ...) NOT-FOR-US: Computer Associates (CA) License Client CVE-2005-0581 (Multiple buffer overflows in Computer Associates (CA) License Client a ...) NOT-FOR-US: Computer Associates (CA) License Client CVE-2005-0580 (cmd5checkpw, when running setuid, does not properly drop privileges be ...) NOT-FOR-US: cmd5checkpw CVE-2005-0579 (nxagent in FreeNX before 0.2.8 does not properly handle when the XAUTH ...) NOT-FOR-US: FreeNX CVE-2005-0578 (Firefox before 1.0.1 and Mozilla Suite before 1.7.6 use a predictable ...) - mozilla-firefox 1.0.1-1 CVE-2005-0577 (Format string vulnerability in DNA MKBold-MKItalic 0.06_1 and earlier ...) NOT-FOR-US: MKBold-MKItalic CVE-2005-0576 (Unknown vulnerability in Standard Type Services Framework (STSF) Font ...) NOT-FOR-US: STSF in Solaris CVE-2005-0575 (Buffer overflow in Stormy Studios Knet 1.04c and earlier allows remote ...) NOT-FOR-US: Stormy Studios Knet CVE-2005-0574 (Directory traversal vulnerability in CIS WebServer 3.5.13 allows remot ...) NOT-FOR-US: CIS Webserver CVE-2005-0573 (Gaim 1.1.3 on Windows systems allows remote attackers to cause a denia ...) NOTE: Historic Gaim on Windows CVE-2005-0572 (index.php in phpWebSite 0.10.0 and earlier allows remote attackers to ...) NOT-FOR-US: phpWebSite CVE-2005-0571 (admin_loader.php in PunBB 1.2.1 allows remote attackers to read arbitr ...) NOT-FOR-US: PunBB CVE-2005-0570 (profile.php in PunBB 1.2.1 allows remote attackers to cause a denial o ...) NOT-FOR-US: PunBB CVE-2005-0569 (Multiple SQL injection vulnerabilities in PunBB 1.2.1 allow remote att ...) NOT-FOR-US: PunBB CVE-2005-0568 (Soldier of Fortune II 1.03 gold allows remote attackers to cause a den ...) NOT-FOR-US: Soldier of Fortune II CVE-2005-0567 (Multiple PHP remote file inclusion vulnerabilities in phpMyAdmin 2.6.1 ...) - phpmyadmin 3:2.6.1-pl2-1 NOTE: https://www.phpmyadmin.net/security/PMASA-2005-1/ CVE-2005-0566 (Buffer overflow in Golden FTP Server Pro (goldenftpd) 2.x allows remot ...) NOT-FOR-US: Golden FTP Server CVE-2005-0565 (The Announce module in phpWebSite 0.10.0 and earlier allows remote att ...) NOT-FOR-US: phpWebSite CVE-2005-0564 (Stack-based buffer overflow in Microsoft Word 2000 and Word 2002, and ...) NOT-FOR-US: Microsoft Word CVE-2005-0563 (Cross-site scripting (XSS) vulnerability in Microsoft Outlook Web Acce ...) NOT-FOR-US: Microsoft CVE-2005-0562 (GIF file validation error in MSN Messenger 6.2 allows remote attackers ...) NOT-FOR-US: MSN Messenger CVE-2005-0561 RESERVED CVE-2005-0560 (Heap-based buffer overflow in the SvrAppendReceivedChunk function in x ...) NOT-FOR-US: Exchange server CVE-2005-0559 RESERVED CVE-2005-0558 (Buffer overflow in Microsoft Word 2000, Word 2002, and Word 2003 allow ...) NOT-FOR-US: Microsoft Word CVE-2005-0557 RESERVED CVE-2005-0556 RESERVED CVE-2005-0555 (Buffer overflow in the Content Advisor in Microsoft Internet Explorer ...) NOT-FOR-US: MSIE CVE-2005-0554 (Buffer overflow in the URL processor of Microsoft Internet Explorer 5. ...) NOT-FOR-US: MSIE CVE-2005-0553 (Race condition in the memory management routines in the DHTML object p ...) NOT-FOR-US: MSIE CVE-2005-0552 RESERVED CVE-2005-0551 (Stack-based buffer overflow in WINSRV.DLL in the Client Server Runtime ...) NOT-FOR-US: Microsoft CVE-2005-0550 (Buffer overflow in Microsoft Windows 2000, Windows XP SP1 and SP2, and ...) NOT-FOR-US: Microsoft CVE-2005-0549 (Cross-site scripting (XSS) vulnerability in Solaris AnswerBook2 Docume ...) NOT-FOR-US: Solaris CVE-2005-0548 (Cross-site scripting (XSS) vulnerability in Solaris AnswerBook2 Docume ...) NOT-FOR-US: Solaris CVE-2004-1753 (The Apple Java plugin, as used in Netscape 7.1 and 7.2, Mozilla 1.7.2, ...) NOT-FOR-US: Apple Java plugin CVE-2004-1752 (Stack-based buffer overflow in Gaucho 1.4 Build 145 allows remote atta ...) NOT-FOR-US: Gaucho CVE-2004-1751 (Ground Control II: Operation Exodus 1.0.0.7 and earlier allows remote ...) NOT-FOR-US: Ground Control II CVE-2004-1750 (RealVNC 4.0 and earlier allows remote attackers to cause a denial of s ...) NOT-FOR-US: RealVNC CVE-2004-1749 (Attack Mitigator IPS 5500 3.11.008, and possibly other versions, when ...) NOT-FOR-US: Attack Mitigator IPS 5500 CVE-2004-1748 (NtRegmon before 6.12 allows local users to cause a denial of service ( ...) NOT-FOR-US: NtRegmon CVE-2004-1747 (Cross-site scripting (XSS) vulnerability in NetworkEverywhere NR041 ru ...) NOT-FOR-US: NetworkEverywhere NR041 CVE-2004-1746 (Cross-site scripting (XSS) vulnerability in index.php in PHP Code Snip ...) NOT-FOR-US: PHP Code Snippet Library CVE-2004-1745 (Buffer overflow in Painkiller 1.3.1 and earlier allows remote attacker ...) NOT-FOR-US: Painkiller CVE-2004-1744 (Easy File Sharing (EFS) Webserver 1.25 allows remote attackers to caus ...) NOT-FOR-US: ESF Webserver CVE-2004-1743 (Easy File Sharing (EFS) Webserver 1.25 allows remote attackers to view ...) NOT-FOR-US: ESF Webserver CVE-2004-1742 (Directory traversal vulnerability in WebAPP 0.9.9 allows remote attack ...) NOT-FOR-US: WebAPP CVE-2004-1741 (Music daemon (musicd) 0.0.3 and earlier allows remote attackers to cau ...) NOT-FOR-US: musicd CVE-2004-1740 (Music daemon (musicd) 0.0.3 and earlier allows remote attackers to rea ...) NOT-FOR-US: musicd CVE-2004-1739 (Bird Chat 1.61 allows remote attackers to cause a denial of service (c ...) NOT-FOR-US: Bird Chat CVE-2004-1738 (Cross-site scripting (XSS) vulnerability in page.php in JShop allows r ...) NOT-FOR-US: JShop CVE-2004-1737 (SQL injection vulnerability in auth_login.php in Cacti 0.8.5a allows r ...) - cacti 0.8.5a-5 CVE-2004-1736 (Cacti 0.8.5a allows remote attackers to gain sensitive information via ...) - cacti 0.8.5a-5 CVE-2004-1735 (Cross-site scripting (XSS) vulnerability in the create list option in ...) - sympa 4.1.5-4 (bug #298105; unimportant) NOTE: A user with the privilege to create new mailing lists needs to be trustworthy CVE-2004-1734 (PHP remote file inclusion vulnerability in Mantis 0.19.0a allows remot ...) - mantis 0.19.2-1 CVE-2004-1733 (Directory traversal vulnerability in MyDMS 1.4.2 and other versions al ...) - mydms 1.4.3-1 CVE-2004-1732 (SQL injection vulnerability in out.ViewFolder.php in MyDMS before 1.4. ...) - mydms 1.4.3-1 CVE-2004-1731 (signup_page.php in Mantis bugtracker allows remote attackers to send e ...) - mantis 0.19.0-1 CVE-2004-1730 (Cross-site scripting (XSS) vulnerability in Mantis bugtracker allows r ...) - mantis 0.19.0-1 CVE-2004-1729 (Cross-site scripting (XSS) vulnerability in Nihuo Web Log Analyzer 1.6 ...) NOT-FOR-US: Nihuo Web Log Analyzer CVE-2004-1728 (Buffer overflow in British National Corpus SARA (sarad) allows remote ...) NOT-FOR-US: sarad CVE-2004-1727 (BadBlue 2.5 allows remote attackers to cause a denial of service (refu ...) NOT-FOR-US: BadBlue CVE-2004-1726 (Multiple integer overflows in (1) xviris.c, (2) xvpcx.c, and (3) xvpm. ...) NOT-FOR-US: XV CVE-2004-1725 (Stack-based buffer overflow in xvbmp.c in XV allows remote attackers t ...) NOT-FOR-US: XV CVE-2004-1724 (The ReadMe First.txt file in PHP-Fusion 4.0 instructs users to set the ...) NOT-FOR-US: PHP-Fusion CVE-2004-1723 (The (1) updateuser.php and (2) forums_prune.php scripts in PHP-Fusion ...) NOT-FOR-US: PHP-Fusion CVE-2004-1722 (SQL injection vulnerability in calendar.html in Merak Mail Server 5.2. ...) NOT-FOR-US: Merak Mail Server CVE-2004-1721 (The (1) function.php or (2) function.view.php scripts in Merak Mail Se ...) NOT-FOR-US: Merak Mail Server CVE-2004-1720 (The (1) address.html and possibly (2) calendar.html pages in Merak Mai ...) NOT-FOR-US: Merak Mail Server CVE-2004-1719 (Multiple cross-site scripting (XSS) vulnerabilities in Merak Webmail S ...) NOT-FOR-US: Merak Webmail Server CVE-2004-1718 (The ZwOpenSection function in Integrity Protection Driver (IPD) 1.4 an ...) NOT-FOR-US: IPD CVE-2004-1717 (Multiple buffer overflows in the psscan function in ps.c for gv (ghost ...) - gv 1:3.6.1-1 CVE-2004-1716 (Cross-site scripting (XSS) vulnerability in PForum before 1.26 allows ...) NOT-FOR-US: PForum CVE-2004-1715 (Directory traversal vulnerability in MIMEsweeper for Web before 5.0.4 ...) NOT-FOR-US: MIMEsweeper CVE-2004-1714 (BlackICE PC Protection and Server Protection installs (1) firewall.ini ...) NOT-FOR-US: BlackICE PC Protection CVE-2004-1713 (Unknown vulnerability in HP Process Resource Manager (PRM) C.02.01[.01 ...) NOT-FOR-US: PRM on HP-UX CVE-2004-1712 (Cross-site scripting (XSS) vulnerability in TypePad allows remote atta ...) NOT-FOR-US: TypePad CVE-2004-1711 (Cross-site scripting (XSS) vulnerability in post.php in Moodle before ...) - moodle 1.4-1 CVE-2004-1710 (page.cgi allows remote attackers to execute arbitrary commands via she ...) NOT-FOR-US: page.cgi CVE-2004-1709 (Datakey Rainbow iKey2032 USB token, when using the CIP client package, ...) NOT-FOR-US: Datakey Rainbow iKey2032 USB token CVE-2004-1708 (Webbsyte Chat 0.9.0 allows remote attackers to cause a denial of servi ...) NOT-FOR-US: Webbsyte CVE-2004-1707 (The (1) dbsnmp and (2) nmo programs in Oracle 8i, Oracle 9i, and Oracl ...) NOT-FOR-US: Oracle CVE-2004-1706 (The U.S. Robotics USR808054 wireless access point allows remote attack ...) NOT-FOR-US: U.S. Robotics wireless access point CVE-2004-1705 (Buffer overflow in Citadel/UX 6.23 and earlier allows remote attackers ...) NOT-FOR-US: Citadel/UX CVE-2004-1704 (WpQuiz 2.60b1 through 2.60b8 allows remote attackers to gain privilege ...) NOT-FOR-US: WpQuiz CVE-2004-1703 (Fusion News 3.6.1 allows remote attackers to add user accounts, if the ...) NOT-FOR-US: Fusion News CVE-2004-0838 (Lexar Safe Guard for JumpDrive Secure 1.0 stores the password insecure ...) NOT-FOR-US: Lexar Safe Guard CVE-2003-1087 (Unknown vulnerability in diagmond and possibly other applications in H ...) NOT-FOR-US: diagmond on HP-UX CVE-2005-0547 (Unknown vulnerability in ftpd on HP-UX B.11.00, B.11.04, B.11.11, B.11 ...) NOT-FOR-US: ftpd on HP-UX CVE-2005-0546 (Multiple buffer overflows in Cyrus IMAPd before 2.2.11 may allow attac ...) - cyrus21-imapd 2.1.18-1 CVE-2005-0545 (Microsoft Windows XP Pro SP2 and Windows 2000 Server SP4 running Activ ...) NOT-FOR-US: MS Office CVE-2005-0544 (phpMyAdmin 2.6.1 allows remote attackers to obtain the full path of th ...) - phpmyadmin 3:2.6.1-pl2-1 NOTE: https://www.phpmyadmin.net/security/PMASA-2005-2/ CVE-2005-0543 (Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.6.1 allows re ...) - phpmyadmin 3:2.6.1-pl2-1 CVE-2005-0542 (saveUser.do in Cyclades AlterPath Manager (APM) Console Server 1.2.1 a ...) NOT-FOR-US: Cyclades AlterPath Manager CVE-2005-0541 (consoleConnect.jsp in Cyclades AlterPath Manager (APM) Console Server ...) NOT-FOR-US: Cyclades AlterPath Manager CVE-2005-0540 (Cyclades AlterPath Manager (APM) Console Server 1.2.1 allows remote at ...) NOT-FOR-US: Cyclades AlterPath Manager CVE-2005-0539 (Unknown vulnerability in IBM Hardware Management Console (HMC) before ...) NOT-FOR-US: IBM CVE-2005-0538 (Directory traversal vulnerability in (1) GinpPictureServlet.java and ( ...) NOT-FOR-US: ginp CVE-2005-0537 (Multiple SQL injection vulnerabilities in page.php for iGeneric (iG) S ...) NOT-FOR-US: iGeneric (iG) Shop CVE-2005-0536 (Directory traversal vulnerability in MediaWiki 1.3.x before 1.3.11 and ...) - mediawiki 1.4.9 (bug #276057) CVE-2005-0535 (Cross-site request forgery (CSRF) vulnerability in MediaWiki 1.3.x bef ...) - mediawiki 1.4.9 (bug #276057) CVE-2005-0534 (Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki 1.3.x ...) - mediawiki 1.4.9 (bug #276057) CVE-2005-0533 (Heap-based buffer overflow in Trend Micro AntiVirus Library VSAPI befo ...) NOT-FOR-US: Trend Micro AntiVirus CVE-2005-0532 (The reiserfs_copy_from_user_to_file_region function in reiserfs/file.c ...) - linux-2.6 (Fixed before upload into archive; 2.6.11-rc4) [sarge] - kernel-source-2.6.8 2.6.8-14 CVE-2005-0531 (The atm_get_addr function in addr.c for Linux kernel 2.6.10 and 2.6.11 ...) - linux-2.6 (Fixed before upload into archive; 2.6.11-rc4) [sarge] - kernel-source-2.6.8 2.6.8-14 - kernel-source-2.4.27 2.4.27-9 CVE-2005-0530 (Signedness error in the copy_from_read_buf function in n_tty.c for Lin ...) - kernel-source-2.6.8 2.6.8-14 NOTE: affects only 2.6 (see #296906) CVE-2005-0529 (Linux kernel 2.6.10 and 2.6.11rc1-bk6 uses different size types for of ...) - linux-2.6 (Fixed before upload into archive) [sarge] - kernel-source-2.6.8 2.6.8-14 CVE-2005-0528 REJECTED CVE-2005-0527 (Firefox 1.0 allows remote attackers to execute arbitrary code via plug ...) - mozilla-firefox 1.0.1 NOTE: didn't other with YA mozilla-browser bug, it has enough for 1.7.6 already.. - mozilla 2:1.7.6 CVE-2005-0526 (Multiple cross-site scripting (XSS) vulnerabilities in PBLang 4.65 all ...) NOT-FOR-US: PBLang CVE-2005-0525 (The php_next_marker function in image.c for PHP 4.2.2, 4.3.9, 4.3.10 a ...) {DSA-729-1 DSA-708-1} - php4 4:4.3.10-10 - php3 3:3.0.18-31 CVE-2005-0524 (The php_handle_iff function in image.c for PHP 4.2.2, 4.3.9, 4.3.10 an ...) - php3 - php4 4:4.3.10-10 CVE-2005-0523 (Format string vulnerability in ProZilla 1.3.7.3 and earlier allows rem ...) {DSA-719-1} - prozilla 1:1.3.7.4-1 CVE-2005-0522 (Chat Anywhere 2.72a stores sensitive information such as passwords in ...) NOT-FOR-US: Chat Anywhere CVE-2005-0521 (SendLink 1.5 stores sensitive information, possibly including password ...) NOT-FOR-US: SendLink CVE-2005-0520 (ArGoSoft FTP Server before 1.4.2.8 allows remote attackers to read arb ...) NOT-FOR-US: ArGoSoft CVE-2005-0519 (ArGoSoft FTP Server before 1.4.2.7 allows remote attackers to read arb ...) NOT-FOR-US: ArGoSoft CVE-2005-0518 (eXeem 0.21 stores sensitive information such as passwords in plaintext ...) NOT-FOR-US: eXeem CVE-2005-0517 (PeerFTP_5 stores sensitive information such as passwords in plaintext ...) NOT-FOR-US: PeerFTP CVE-2005-0516 (The ImageGalleryPlugin (ImageGalleryPlugin.pm) in Twiki allows remote ...) NOT-FOR-US: ImageGalleryPlugin for Twiki CVE-2005-0515 (Smc.exe in My Firewall Plus 5.0 build 1117, and possibly other version ...) NOT-FOR-US: My Firewall Plus CVE-2005-0514 (Cross-site scripting (XSS) vulnerability in Verity Ultraseek before 5. ...) NOT-FOR-US: Verity Ultraseek CVE-2005-0513 (PHP remote file inclusion vulnerability in mail_autocheck.php in the E ...) NOT-FOR-US: pMachine CVE-2005-0512 (PHP remote file inclusion vulnerability in Tar.php in Mambo 4.5.2 allo ...) NOT-FOR-US: Mambo CVE-2005-0511 (misc.php for vBulletin 3.0.6 and earlier, when "Add Template Name in H ...) NOT-FOR-US: vBulletin CVE-2003-1086 (PHP remote file inclusion vulnerability in pm/lib.inc.php in pMachine ...) NOT-FOR-US: pMachine CVE-2005-0510 (The daemon for fallback-reboot before 0.995 allows attackers to cause ...) NOT-FOR-US: fallback-reboot CVE-2005-0509 (Multiple cross-site scripting (XSS) vulnerabilities in the Mono 1.0.5 ...) NOTE: default config of Mono not vulnerable - mono 1.1.6-4 (medium) CVE-2005-0508 (Unknown vulnerability in Squiggle for Batik before 1.5.1 allows attack ...) - batik 1.5.1-1 CVE-2005-0507 (Directory traversal vulnerability in SD Server 4.0.70 and earlier allo ...) NOT-FOR-US: SD Server CVE-2005-0506 (The Avaya IP Office Phone Manager, and other products such as the IP S ...) NOT-FOR-US: Avaya IP Office Phone Manager CVE-2005-0505 (Unknown vulnerability in Information Resource Manager (IRM) before 1.5 ...) - irm 1.5.3.1-1 CVE-2005-0504 (Buffer overflow in the MoxaDriverIoctl function for the moxa serial dr ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - kernel-source-2.6.8 2.6.8-12 - kernel-source-2.6.9 2.6.9-5 - kernel-source-2.6.10 2.6.10-2 - kernel-source-2.4.27 2.4.27-8 CVE-2005-0503 (uim before 0.4.5.1 trusts certain environment variables when libUIM is ...) - uim 1:0.4.6beta2-1 CVE-2005-0502 (Directory traversal vulnerability in Xinkaa 1.0.3 and earlier allows r ...) NOT-FOR-US: Xinkaa CVE-2005-0501 (Buffer overflow in Bontago 1.1 and earlier allows remote attackers to ...) NOT-FOR-US: Bontago CVE-2005-0500 (Internet Explorer 6.0 on Windows XP SP2 allows remote attackers to spo ...) NOT-FOR-US: MSIE6 CVE-2005-0499 (Gigafast router (aka CompUSA router) with the DNS proxy option enabled ...) NOT-FOR-US: Gigafast router CVE-2005-0498 (Gigafast router (aka CompUSA router) allows remote attackers to gain s ...) NOT-FOR-US: Gigafast router CVE-2005-0497 (ADP Elite System Max 9000 allows remote authenticated users to gain pr ...) NOT-FOR-US: ADP Elite System CVE-2005-0496 (Arkeia Network Backup Client 5.x contains hard-coded credentials that ...) NOT-FOR-US: Arkeia Network Backup CVE-2005-0495 (Cross-site scripting (XSS) vulnerability in ZeroBoard allows remote at ...) NOT-FOR-US: ZeroBoard CVE-2005-0494 (The RgSecurity form in the HTTP server for the Thomson TCW690 cable mo ...) NOT-FOR-US: Thomson TCW690 cable modem CVE-2005-0493 (CRLF injection vulnerability in bizmail.cgi in Biz Mail Form before 2. ...) NOT-FOR-US: Biz Mail From CVE-2005-0492 (Adobe Acrobat Reader 6.0.3 and 7.0.0 allows remote attackers to cause ...) NOT-FOR-US: Acrobat Reader CVE-2005-0491 (Stack-based buffer overflow in Knox Arkeia Server Backup 5.3.x allows ...) NOT-FOR-US: Arkeia Server Backup CVE-2005-0490 (Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and ...) - curl 7.13.0-2 CVE-2005-0489 (The /proc handling (proc/base.c) Linux kernel 2.4 before 2.4.17 allows ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - linux-2.6 (Fixed before initial release) CVE-2004-1702 (The AuthenticationDialogue function in cfservd for Cfengine 2.0.0 to 2 ...) - cfengine2 2.1.8-1 CVE-2004-1701 (Heap-based buffer overflow in the AuthenticationDialogue function in c ...) - cfengine2 2.1.8-1 CVE-2004-1700 (Cross-site scripting (XSS) vulnerability in SettingsBase.php in Pinnac ...) NOT-FOR-US: Pinnacle ShowCenter CVE-2004-1699 (SettingsBase.php in Pinnacle ShowCenter 1.51 allows remote attackers t ...) NOT-FOR-US: Pinnacle ShowCenter CVE-2004-1698 (The Base64 function in PopMessenger 1.60 (before 20 Sep 2004) and earl ...) NOT-FOR-US: PopMessenger CVE-2004-1697 (The "Forgot your Password" link in Computer Associates (CA) Unicenter ...) NOT-FOR-US: Computer Associates Unicenter Management Portal CVE-2004-1696 (EmuLive Server4 Commerce Edition Build 7560 allows remote attackers to ...) NOT-FOR-US: EmuLive Server4 CVE-2004-1695 (EmuLive Server4 Commerce Edition Build 7560 allows remote attackers to ...) NOT-FOR-US: EmuLive Server4 CVE-2004-1694 (Symantec ON Command CCM 5.4.x and iCommand 3.0.x has four default user ...) NOT-FOR-US: Symantec CVE-2004-1693 (PHP remote file inclusion vulnerability in Function.php in Mambo 4.5 ( ...) NOT-FOR-US: Mambo CVE-2004-1692 (Cross-site scripting (XSS) vulnerability in index.php in Mambo 4.5 (1. ...) NOT-FOR-US: Mambo CVE-2004-1691 (The Web Server in DNS4Me 3.0.0.4 allows remote attackers to cause a de ...) NOT-FOR-US: DNS4Me CVE-2004-1690 (Cross-site scripting (XSS) vulnerability in the Web Server in DNS4Me 3 ...) NOT-FOR-US: DNS4Me CVE-2004-1689 (sudoedit (aka sudo -e) in sudo 1.6.8 opens a temporary file with root ...) - sudo 1.6.8p3-1 CVE-2004-1688 (Pigeon Server 3.02.0143 and earlier allows remote attackers to cause a ...) NOT-FOR-US: Pigeon Server CVE-2004-1687 (CRLF injection vulnerability in down.asp for Snitz Forums 2000 3.4.04 ...) NOT-FOR-US: Snitz Forums CVE-2004-1686 (Internet Explorer 6.0 in Windows XP SP2 allows remote attackers to byp ...) NOT-FOR-US: MSIE CVE-2004-1685 (SMC routers SMC7004VWBR running firmware 1.00.014 and SMC7008ABR EU ru ...) NOT-FOR-US: SMC router CVE-2004-1684 (Zyxel P681 running ZyNOS Vt020225a contains portions of memory in an A ...) NOT-FOR-US: Zyxel CVE-2004-1683 (A race condition in crrtrap for QNX RTP 6.1 allows local users to gain ...) NOT-FOR-US: crrtrap CVE-2004-1682 (Format string vulnerability in QNX 6.1 FTP client allows remote authen ...) NOT-FOR-US: QNX FTP CVE-2004-1681 (Multiple buffer overflows in (1) phrelay-cfg, (2) phlocale, (3) pkg-in ...) NOT-FOR-US: QNX CVE-2004-1680 (application.cgi in the Pingtel Xpressa handset running firmware 2.1.11 ...) NOT-FOR-US: Pingtel Xpressa CVE-2004-1679 (Directory traversal vulnerability in TwinFTP 1.0.3 R2 allows remote at ...) NOT-FOR-US: TwinFTP CVE-2004-1678 (Directory traversal vulnerability in pdesk.cgi in PerlDesk allows remo ...) NOT-FOR-US: PerlDesk CVE-2004-1677 (pdesk.cgi in PerlDesk allows remote attackers to gain sensitive inform ...) NOT-FOR-US: PerlDesk CVE-2004-1676 (Heap-based buffer overflow in the image sending feature in Gadu-Gadu 6 ...) NOT-FOR-US: Gadu-Gadu CVE-2004-1675 (Serv-U FTP server 4.x and 5.x allows remote attackers to cause a denia ...) NOT-FOR-US: Serv-U FTP CVE-2004-1674 (viewaction.html in Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 ...) NOT-FOR-US: Merak Mail Server CVE-2004-1673 (accountsettings_add.html in Merak Mail Server 7.4.5 with Icewarp Web M ...) NOT-FOR-US: Merak Mail Server CVE-2004-1672 (attachment.html in Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 ...) NOT-FOR-US: Merak Mail Server CVE-2004-1671 (Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other ...) NOT-FOR-US: Merak Mail Server CVE-2004-1670 (Multiple directory traversal vulnerabilities Merak Mail Server 7.4.5 w ...) NOT-FOR-US: Merak Mail Server CVE-2004-1669 (Cross-site scripting (XSS) vulnerability in MERAK Mail Server 7.4.5 wi ...) NOT-FOR-US: Merak Mail Server CVE-2004-1668 (Multiple SQL injection vulnerabilities in index.php in Subjects 2.0 Po ...) NOT-FOR-US: Subjects CVE-2004-1667 (Off-by-one error in Halo Combat Evolved 1.04 and earlier allows remote ...) NOT-FOR-US: Halo Combat Evolved CVE-2004-1666 (Buffer overflow in the MSN module in Trillian 0.74i allows remote MSN ...) NOT-FOR-US: Cerulean Trillian CVE-2004-1665 (Cross-site scripting (XSS) vulnerability in index.php in PsNews 1.1 al ...) NOT-FOR-US: PsNews CVE-2004-1664 (Call of Duty 1.4 and earlier allows remote attackers to cause a denial ...) NOT-FOR-US: Call of Duty CVE-2004-1663 (Engenio/LSI Logic storage controllers, as used in products such as Sto ...) NOT-FOR-US: Engenio/LSI Logic storage controllers CVE-2004-1662 (YaBB SE 1.5.1 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: YaBB CVE-2004-1661 (MailWorks Professional allows remote attackers to bypass authenticatio ...) NOT-FOR-US: MailWorks CVE-2004-1660 (PHP remote file inclusion vulnerability in CuteNews 1.3.6 and earlier ...) NOT-FOR-US: CuteNews CVE-2004-1659 (Cross-site scripting (XSS) vulnerability in index.php in CuteNews 1.3. ...) NOT-FOR-US: CuteNews CVE-2004-1658 (Kerio Personal Firewall 4.0 (KPF4) allows local users with administrat ...) NOT-FOR-US: Kerio Personal Firewall CVE-2004-1657 (Cross-site scripting (XSS) vulnerability in the Activity and Events Vi ...) NOT-FOR-US: DasBlog CVE-2004-1656 (CRLF injection vulnerability in Comersus Shopping Cart 5.0991 allows r ...) NOT-FOR-US: Comersus Shopping Cart CVE-2004-1655 (Cross-site scripting (XSS) vulnerability in phpWebsite 0.9.3-4 and ear ...) NOT-FOR-US: phpWebsite CVE-2004-1654 (SQL injection vulnerability in the calendar module in phpWebsite 0.9.3 ...) NOT-FOR-US: phpWebsite CVE-2004-1653 (The default configuration for OpenSSH enables AllowTcpForwarding, whic ...) - openssh (Documented SSH protocol behaviour, cannot be "fixed") NOTE: See bug #296547 for details CVE-2004-1652 (phpScheduleIt 1.0.0 RC1 does not clear administrative privileges if th ...) NOT-FOR-US: phpScheduleIt CVE-2004-1651 (Multiple cross-site scripting (XSS) vulnerabilities in the registratio ...) NOT-FOR-US: phpScheduleIt CVE-2004-1650 (D-Link DCS-900 Internet Camera listens on UDP port 62976 for an IP add ...) NOT-FOR-US: D-Link DCS-900 CVE-2004-1649 (Buffer overflow in Microsoft Msinfo32.exe might allow local users to e ...) NOT-FOR-US: Msinfo32.exe CVE-2004-1648 (Cross-site scripting (XSS) vulnerability in (1) index.asp, (2) ChangeP ...) NOT-FOR-US: Password Protect CVE-2004-1647 (SQL injection vulnerability in Password Protect allows remote attacker ...) NOT-FOR-US: Password Protect CVE-2004-1646 (Directory traversal vulnerability in Xedus 1.0 allows remote attackers ...) NOT-FOR-US: Xedus CVE-2004-1645 (Cross-site scripting (XSS) vulnerability in Xedus 1.0 allows remote at ...) NOT-FOR-US: Xedus CVE-2004-1644 (Xedus 1.0 allows remote attackers to cause a denial of service (refuse ...) NOT-FOR-US: Xedus CVE-2004-1643 (WS_FTP 5.0.2 allows remote authenticated users to cause a denial of se ...) NOT-FOR-US: WS_FTP CVE-2004-1642 (WFTPD Pro Server 3.21 allows remote authenticated users to cause a den ...) NOT-FOR-US: WS_FTP CVE-2004-1641 (Heap-based buffer overflow in Titan FTP 3.21 and earlier allows remote ...) NOT-FOR-US: Titan CVE-2004-1640 (Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 0.94 and ...) NOT-FOR-US: XOOPS CVE-2003-1085 (The HTTP server in the Thomson TWC305, TWC315, and TCW690 cable modem ...) NOT-FOR-US: Thomson cable modem CVE-2005-0488 (Certain BSD-based Telnet clients, including those used on Solaris and ...) - krb4 (unimportant) [woody] - krb4 (Documented behaviour in MIT Kerberos) [sarge] - krb4 (Documented behaviour in MIT Kerberos) - krb5 1.8.3+dfsg-4 (unimportant) [woody] - krb5 (Documented behaviour in MIT Kerberos) [sarge] - krb5 (Documented behaviour in MIT Kerberos) - netkit-telnet (netkit-telnet is not affected) NOTE: telnet code was removed earlier than 1.8.3, but that's the version that was available to check CVE-2004-1639 (Mozilla Firefox before 0.10, Mozilla 5.0, and Gecko 20040913 allows re ...) NOTE: This is not a real security issue; it just describes the fact that the Gecko NOTE: engine of the Mozillae may be lead into a crash if you feed it with large chunks NOTE: of arbitrary binary data and label it as HTML. As the parsing garbage is displayed NOTE: during transfer any user will cancel the transfer and if you load it from the NOTE: hard disc, well than you have "DoSed" yourself, congratulations. NOTE: It's reproducable with 1.0.2, but I doubt it will ever be "fixed", as HTML parsers NOTE: generally try to make sense of anything even remotely resembling HTML. - firefox (unimportant) - iceweasel (unimportant) - mozilla (unimportant) CVE-2004-1638 (Buffer overflow in MailCarrier 2.51 allows remote attackers to execute ...) NOT-FOR-US: mailcarrier CVE-2004-1637 (The Hawking Technologies HAR11A modem/router allows remote attackers t ...) NOT-FOR-US: Hawking Technologies HAR11A modem/router CVE-2004-1636 (Heap-based buffer overflow in the WvTFTPServer::new_connection functio ...) NOT-FOR-US: WvTftp CVE-2004-1635 (Bugzilla 2.17.1 through 2.18rc2 and 2.19 from cvs, when using the insi ...) NOTE: does not affect older 2.16.7 in sid. CVE-2004-1634 (show_bug.cgi in Bugzilla 2.17.1 through 2.18rc2 and 2.19 from CVS, whe ...) NOTE: does not affect older 2.16.7 in sid. CVE-2004-1633 (process_bug.cgi in Bugzilla 2.9 through 2.18rc2 and 2.19 from CVS does ...) - bugzilla 2.16.7 CVE-2004-1632 (Cross-site scripting (XSS) vulnerability in wiki.php in MoniWiki 1.0.8 ...) - moniwiki 1.0.9 CVE-2004-1631 (Open WorkFlow Engine (OpenWFE) 1.4.x allows remote attackers to conduc ...) NOT-FOR-US: Open WorkFlow Engine CVE-2004-1630 (Cross-site scripting (XSS) vulnerability in the login form in Open Wor ...) NOT-FOR-US: Open WorkFlow Engine CVE-2004-1629 (Multiple SQL injection vulnerabilities in Dwc_articles 1.6 and earlier ...) NOT-FOR-US: Dwc_articles CVE-2004-1628 (Format string vulnerability in log.c in rssh before 2.2.2 allows remot ...) - rssh 2.2.2 CVE-2004-1627 (Buffer overflow in Ability Server 2.25, 2.32, 2.34, and possibly other ...) NOT-FOR-US: ability server CVE-2004-1626 (Buffer overflow in Ability Server 2.34, and possibly other versions, a ...) NOT-FOR-US: ability server CVE-2004-1625 (pGina 1.7.6 and possibly older versions, when the Restart or Shutdown ...) NOT-FOR-US: pGina CVE-2004-1624 (Carbon Copy 6.0.5257 does not drop system privileges when opening exte ...) NOT-FOR-US: Carbon Copy CVE-2004-1623 (The WAV file property handler in Windows XP SP1 allows remote attacker ...) NOT-FOR-US: Microsoft CVE-2004-1622 (SQL injection vulnerability in dosearch.php in UBB.threads 3.4.x allow ...) NOT-FOR-US: UBB.threads CVE-2004-1621 NOT-FOR-US: Lotus Notes CVE-2004-1620 (CRLF injection vulnerability in Serendipity before 0.7rc1 allows remot ...) NOT-FOR-US: Serendipity CVE-2004-1619 (Buffer overflow in Privateer's Bounty: Age of Sail II allows remote at ...) NOT-FOR-US: Privateer's Bounty: Age of Sail II CVE-2004-1618 (Vypress Tonecast 1.3 and earlier allows remote attackers to cause a de ...) NOT-FOR-US: Tonecast CVE-2004-1617 (Lynx, lynx-ssl, and lynx-cur before 2.8.6dev.8 allow remote attackers ...) {DSA-1077-1 DSA-1076-1} - lynx 2.8.5-2sarge1.2 (bug #296340; bug #384725; low) - lynx-cur 2.8.6-6 (low) - lynx-ssl CVE-2004-1616 (Links allows remote attackers to cause a denial of service (memory con ...) - links 0.99+1.00pre12-1 (bug #296341; low) CVE-2004-1615 (Opera allows remote attackers to cause a denial of service (invalid me ...) NOT-FOR-US: Opera CVE-2004-1614 (Mozilla allows remote attackers to cause a denial of service (applicat ...) - mozilla-firefox (assuming this is mozilla_die2.html, does not bother firefox 1.0+dfsg.1-6) NOTE: mozilla-browser 1.7.5-1 also ok CVE-2004-1613 (Mozilla allows remote attackers to cause a denial of service (applicat ...) NOTE: example page did not bother firefox 1.0+dfsg.1-6 NOTE: mozilla-browser 1.7.5-1 also ok CVE-2004-1612 (Directory traversal vulnerability in SalesLogix 6.1 allows remote atta ...) NOT-FOR-US: SalesLogix CVE-2004-1611 (SalesLogix 6.1 does not verify if a user is authenticated before perfo ...) NOT-FOR-US: SalesLogix CVE-2004-1610 (SalesLogix 6.1 uses client-specified pathnames for writing certain fil ...) NOT-FOR-US: SalesLogix CVE-2004-1609 (SalesLogix 6.1 includes usernames, passwords, and other sensitive info ...) NOT-FOR-US: SalesLogix CVE-2004-1608 (SQL injection vulnerability in SalesLogix 6.1 allows remote attackers ...) NOT-FOR-US: SalesLogix CVE-2004-1607 (slxweb.dll in SalesLogix 6.1 allows remote attackers to obtain sensiti ...) NOT-FOR-US: SalesLogix CVE-2004-1606 (slxweb.dll in SalesLogix 6.1 allows remote attackers to cause a denial ...) NOT-FOR-US: SalesLogix CVE-2004-1605 (SalesLogix 6.1 allows remote attackers to bypass authentication by mod ...) NOT-FOR-US: SalesLogix CVE-2004-1604 (cPanel 9.9.1-RELEASE-3 allows remote authenticated users to chmod arbi ...) NOT-FOR-US: not our cpanel CVE-2004-1603 (cPanel 9.4.1-RELEASE-64 follows hard links, which allows local users t ...) NOT-FOR-US: not our cpanel CVE-2004-1602 (ProFTPD 1.2.x, including 1.2.8 and 1.2.10, responds in a different amo ...) - proftpd 1.2.10-4 CVE-2004-1601 (Directory traversal vulnerability in index.php in CoolPHP 1.0-stable a ...) NOT-FOR-US: coolphp CVE-2004-1600 (index.php in CoolPHP 1.0-stable allows remote attackers to gain sensit ...) NOT-FOR-US: CoolPHP CVE-2004-1599 (Cross-site scripting (XSS) vulnerability in index.php in CoolPHP 1.0-s ...) NOT-FOR-US: CoolPHP CVE-2004-1598 (Adobe Acrobat and Acrobat Reader 6.0 allow remote attackers to read ar ...) NOT-FOR-US: Acrobat CVE-2004-1597 (RIM Blackberry 7230 running RIM Blackberry OS 3.7 SP1 allows remote at ...) NOT-FOR-US: RIM Blackberry CVE-2004-1596 (The 3COM Wireless router 3CRADSL72 running Boot Code 1.3d allows remot ...) NOT-FOR-US: 3COM router CVE-2004-1595 (Buffer overflow in ShixxNote 6.net build 117 allows remote attackers t ...) NOT-FOR-US: ShixxNote CVE-2004-1594 (Cross-site scripting (XSS) vulnerability in FuseTalk 4.0 allows remote ...) NOT-FOR-US: FuseTalk CVE-2004-1593 (Cross-site scripting (XSS) vulnerability in render.UserLayoutRootNode. ...) NOT-FOR-US: SCT email client CVE-2004-1592 (PHP remote file inclusion vulnerability in index.php in ocPortal 1.0.3 ...) - ocportal (bug #625865) CVE-2004-1591 (The web interface for Micronet Wireless Broadband Router SP916BM runni ...) NOT-FOR-US: Micronet Wireless Router CVE-2004-1590 (Clientexec allows remote attackers to gain sensitive information via a ...) NOT-FOR-US: clientexec CVE-2004-1589 (Cross-site scripting (XSS) vulnerability in GoSmart Message Board allo ...) NOT-FOR-US: GoSmart CVE-2004-1588 (SQL injection vulnerability in GoSmart Message Board allows remote att ...) NOT-FOR-US: GoSmart CVE-2004-1587 (Buffer overflow in Monolith games including (1) Alien versus Predator ...) NOT-FOR-US: Monolith Games CVE-2004-1586 (Flash Messaging clients can ignore disconnecting commands such as "shu ...) NOT-FOR-US: Flash Messaging CVE-2004-1585 (Flash Messaging 5.2.0g (rev 1.1.2) and earlier allows remote attackers ...) NOT-FOR-US: Flash Messaging CVE-2004-1584 (CRLF injection vulnerability in wp-login.php in WordPress 1.2 allows r ...) - wordpress 1.2.1-1.1 CVE-2004-1583 (Directory traversal vulnerability in the FTP server in TriDComm 1.3 an ...) NOT-FOR-US: FTP server in TriDComm CVE-2004-1582 (PHP remote file inclusion vulnerability in BlackBoard 1.5.1 allows rem ...) NOT-FOR-US: BlackBoard CVE-2004-1581 (BlackBoard 1.5.1 allows remote attackers to gain sensitive information ...) NOT-FOR-US: BlackBoard CVE-2004-1580 (SQL injection vulnerability in index.php in CubeCart 2.0.1 allows remo ...) NOT-FOR-US: CubeCart CVE-2004-1579 (index.php in CubeCart 2.0.1 allows remote attackers to gain sensitive ...) NOT-FOR-US: CubeCart CVE-2004-1578 (Cross-site scripting (XSS) vulnerability in index.php in Invision Powe ...) NOT-FOR-US: Invision Power Board CVE-2004-1577 (index.php in PHP Links allows remote attackers to gain sensitive infor ...) NOT-FOR-US: phplinks CVE-2004-1576 (Format string vulnerability in Judge Dredd: Dredd vs. Death 1.01 and e ...) NOT-FOR-US: Judge Dredd CVE-2004-1575 (The XML parser in Xerces-C++ 2.5.0 allows remote attackers to cause a ...) - xerces25 2.5.0-4 - xerces24 2.4.0-4 - xerces23 (not affected, see bug #296432) - xerces21 (not affected, see bug #296466) CVE-2004-1574 (Buffer overflow in Vypress Messenger 3.5.1 and earlier allows remote a ...) NOT-FOR-US: Vypress CVE-2004-1573 (The documentation for AJ-Fork 167 implies that users should set permis ...) NOT-FOR-US: AJ-Fork CVE-2004-1572 (AJ-Fork 167 does not restrict access to directories such as (1) data, ...) NOT-FOR-US: AJ-Fork CVE-2004-1571 (AJ-Fork 167 allows remote attackers to gain sensitive information via ...) NOT-FOR-US: AJ-Fork CVE-2004-1570 (SQL injection vulnerability in bBlog 0.7.2 and 0.7.3 allows remote att ...) NOT-FOR-US: bBlog CVE-2004-1569 (Buffer overflow in (1) MusicConverter.exe, (2) playlist.exe, and (3) a ...) NOT-FOR-US: dbPowerAmp CVE-2004-1568 (Directory traversal vulnerability in ParaChat Server 5.5 allows remote ...) NOT-FOR-US: Parachat CVE-2004-1567 (profile.php in Silent Storm Portal 2.1 and 2.2 allows remote attackers ...) NOT-FOR-US: Silent Storm Portal CVE-2004-1566 (Cross-site scripting (XSS) vulnerability in index.php in Silent Storm ...) NOT-FOR-US: Silent Storm Portal CVE-2004-1565 (list.php in w-Agora 4.1.6a allows remote attackers to reveal the full ...) NOT-FOR-US: w-Agora CVE-2004-1564 (CRLF injection vulnerability in subscribe_thread.php in w-Agora 4.1.6a ...) NOT-FOR-US: w-Agora CVE-2004-1563 (Multiple cross-site scripting (XSS) vulnerabilities in w-Agora 4.1.6a ...) NOT-FOR-US: w-Agora CVE-2004-1562 (SQL injection vulnerability in redir_url.php in w-Agora 4.1.6a allows ...) NOT-FOR-US: w-Agora CVE-2004-1561 (Buffer overflow in Icecast 2.0.1 and earlier allows remote attackers t ...) - icecast2 2.0.2.debian-1 CVE-2004-1560 (Microsoft SQL Server 7.0 allows remote attackers to cause a denial of ...) NOT-FOR-US: Microsoft SQL Server CVE-2004-1559 (Multiple cross-site scripting (XSS) vulnerabilities in Wordpress 1.2 a ...) - wordpress 1.2.2-1.1 CVE-2004-1558 (Multiple stack-based buffer overflows in YPOPs! (aka YahooPOPS) 0.4 th ...) NOT-FOR-US: YahooPOPS CVE-2004-1557 (MyWebServer 1.0.3 allows remote attackers to bypass authentication, mo ...) NOT-FOR-US: MyWebServer CVE-2004-1556 (MyWebServer 1.0.3 allows remote attackers to cause a denial of service ...) NOT-FOR-US: MyWebServer CVE-2004-1555 (Multiple SQL injection vulnerabilities in BroadBoard Instant ASP Messa ...) NOT-FOR-US: BroadBoard Instant ASP Message Board CVE-2004-1554 (PHP remote file inclusion vulnerability in livre_include.php in @lex G ...) NOT-FOR-US: @lex GuestBook CVE-2004-1553 (SQL injection vulnerability in aspWebAlbum allows remote attackers to ...) NOT-FOR-US: aspWebAlbum CVE-2004-1552 (SQL injection vulnerability in aspWebCalendar allows remote attackers ...) NOT-FOR-US: aspWebCalendar CVE-2004-1551 (Cross-site scripting (XSS) vulnerability in the (1) email or (2) file ...) NOT-FOR-US: PafileDB CVE-2004-1550 (Motorola Wireless Router WR850G running firmware 4.03 allows remote at ...) NOT-FOR-US: Motorola Router CVE-2004-1549 (The conference menu in ActivePost Standard 3.1 sends passwords of pass ...) NOT-FOR-US: ActivePost CVE-2004-1548 (Directory traversal vulnerability in the file server in ActivePost Sta ...) NOT-FOR-US: ActivePost CVE-2004-1547 (The file server in ActivePost Standard 3.1 and earlier allows remote a ...) NOT-FOR-US: ActivePost CVE-2004-1546 (Multiple buffer overflows in MDaemon 6.5.1 allow remote attackers to c ...) NOT-FOR-US: MDaemon CVE-2004-1545 (UploadFile.php in MoniWiki 1.0.9.2 and earlier, when used with Apache ...) - moniwiki 1.0.9-4 CVE-2005-0487 (Cross-site scripting (XSS) vulnerability in index.php for Kayako ESupp ...) NOT-FOR-US: Kyako ESupport CVE-2005-0486 (Tarantella Secure Global Desktop Enterprise Edition 4.00 and 3.42, and ...) NOT-FOR-US: Tarantella Secure Global Desktop CVE-2005-0485 (Cross-site scripting (XSS) vulnerability in comment.php for paNews 2.0 ...) NOT-FOR-US: paNews CVE-2005-0484 (Format string vulnerability in gprostats for GProFTPD before 8.1.9 may ...) NOT-FOR-US: GProFTPD CVE-2005-0483 (Multiple directory traversal vulnerabilities in sitenfo.sh, sitezipchk ...) NOT-FOR-US: Glftpd CVE-2005-0482 (TrackerCam 5.12 and earlier allows remote attackers to cause a denial ...) NOT-FOR-US: TrackerCam CVE-2005-0481 (TrackerCam 5.12 and earlier allows remote attackers to read log files ...) NOT-FOR-US: TrackerCam CVE-2005-0480 (Cross-site scripting (XSS) vulnerability in TrackerCam 5.12 and earlie ...) NOT-FOR-US: TrackerCam CVE-2005-0479 (Directory traversal vulnerability in ComGetLogFile.php3 for TrackerCam ...) NOT-FOR-US: TrackerCam CVE-2005-0478 (Multiple buffer overflows in TrackerCam 5.12 and earlier allow remote ...) NOT-FOR-US: TrackerCam CVE-2005-0477 (Cross-site scripting (XSS) vulnerability in the SML code for Invision ...) NOT-FOR-US: Invision Power Board CVE-2005-0476 (Cross-site scripting (XSS) vulnerability in hpm_guestbook.cgi allows r ...) NOT-FOR-US: hpm_guestbook.cgi CVE-2005-0475 (SQL injection vulnerability in paFAQ Beta4, and possibly other version ...) NOT-FOR-US: paFAQ CVE-2005-0474 (SQL injection vulnerability in the user_valid_crypt function in user.p ...) - webcalendar 0.9.45-3 CVE-2005-0473 (The HTML parsing functions in Gaim before 1.1.3 allow remote attackers ...) - gaim 1:1.1.3-1 CVE-2005-0472 (Gaim before 1.1.3 allows remote attackers to cause a denial of service ...) {DSA-716-1} - gaim 1:1.1.3-1 CVE-2005-0471 (Sun Java JRE 1.1.x through 1.4.x writes temporary files with long file ...) NOT-FOR-US: SUN JRE CVE-2005-0470 (Buffer overflow in wpa_supplicant before 0.2.7 allows remote attackers ...) - wpasupplicant 0.3.8-1 CVE-2005-0469 (Buffer overflow in the slc_add_reply function in various BSD-based Tel ...) {DSA-765-1 DSA-731-1 DSA-703-1 DSA-699-1 DSA-697-1} - krb4 1.2.2-11.2 (bug #306141) - krb5 1.3.6-2 - netkit-telnet-ssl 0.17.24+0.1-7.1 (bug #302036) - netkit-telnet 0.17-28 - heimdal 0.6.3-10 CVE-2005-0468 (Heap-based buffer overflow in the env_opt_add function in telnet.c for ...) {DSA-731-1 DSA-703-1} - krb5 1.3.6-2 - krb4 1.2.2-11.2 (bug #306141) CVE-2005-0467 (Multiple integer overflows in the (1) sftp_pkt_getstring and (2) fxp_r ...) - putty 0.57-1 CVE-2005-0466 RESERVED CVE-2005-0465 (gr_osview in SGI IRIX does not drop privileges before opening files, w ...) NOT-FOR-US: SGI IRIX CVE-2005-0464 (gr_osview in SGI IRIX 6.5.22, and possibly other 6.5 versions, does no ...) NOT-FOR-US: SGI IRIX CVE-2004-1544 (Cross-site scripting (XSS) vulnerability in Search.jsp in JSPWiki 2.1. ...) - jspwiki 2.0.52-8 CVE-2004-1543 (Directory traversal vulnerability in viewimg.php in KorWeblog 1.6.2-cv ...) NOT-FOR-US: KorWeblog CVE-2004-1542 (Buffer overflow in Soldier of Fortune II 1.03 Gold and earlier allows ...) NOT-FOR-US: Soldier of Fortune CVE-2004-1541 (SecureCRT 4.0, 4.1, and possibly other versions, allows remote attacke ...) NOT-FOR-US: SecureCRT CVE-2004-1540 (ZyXEL Prestige 623, 650, and 652 HW Routers, and possibly other versio ...) NOT-FOR-US: ZyXEL Routers CVE-2004-1539 (Halo: Combat Evolved 1.05 and earlier allows remote game servers to ca ...) NOT-FOR-US: Halo: Combat Evolved CVE-2004-1538 (SQL injection vulnerability in include.php in PHPKIT 1.6.03 through 1. ...) NOT-FOR-US: PHPKIT CVE-2004-1537 (Cross-site scripting (XSS) vulnerability in popup.php in PHPKIT 1.6.03 ...) NOT-FOR-US: PHPKIT CVE-2004-1536 (SQL injection vulnerability in index.php in the ibProArcade module for ...) NOT-FOR-US: Invision Power Board CVE-2004-1535 (PHP remote file inclusion vulnerability in admin_cash.php for the Cash ...) NOT-FOR-US: Cash Mod module of phpbb2 CVE-2004-1534 (ZoneAlarm and ZoneAlarm Pro before 5.5.062, with ad-blocking enabled, ...) NOT-FOR-US: ZoneAlarm CVE-2004-1533 (Buffer overflow in pop3svr.exe for DMS POP3 1.5.3.27 and earlier allow ...) NOT-FOR-US: DMS POP3 CVE-2004-1532 (AppServ 2.5.x and earlier installs a default username and password, wh ...) NOT-FOR-US: AppServ CVE-2004-1531 (SQL injection vulnerability in post.php in Invision Power Board (IPB) ...) NOT-FOR-US: Invision Power Board CVE-2004-1530 (SQL injection vulnerability in the Event Calendar module 2.13 for PHP- ...) NOT-FOR-US: PHP-Nuke CVE-2004-1529 (Cross-site scripting (XSS) vulnerability in the Event Calendar module ...) NOT-FOR-US: PHP-Nuke CVE-2004-1528 (The Event Calendar module 2.13 for PHP-Nuke allows remote attackers to ...) NOT-FOR-US: PHP-Nuke CVE-2004-1527 (Microsoft Internet Explorer 6.0 SP1 does not properly handle certain c ...) NOT-FOR-US: MSIE CVE-2004-1526 (Hired Team: Trial 2.0 and earlier and 2.200 does not limit how game pl ...) NOT-FOR-US: Hired Team CVE-2004-1525 (Hired Team: Trial 2.0 and earlier and 2.200 allows remote attackers to ...) NOT-FOR-US: Hired Team CVE-2004-1524 (Hired Team: Trial 2.0 and earlier and 2.200 allows remote attackers to ...) NOT-FOR-US: Hired Team CVE-2004-1523 (Format string vulnerability in the game console in Hired Team: Trial 2 ...) NOT-FOR-US: Hired Team CVE-2004-1522 (Format string vulnerability in Army Men RTS 1.0 allows remote attacker ...) NOT-FOR-US: Army Men RTS CVE-2004-1521 (Eudora 6.2.0.14 does not issue a warning when a user forwards an e-mai ...) NOT-FOR-US: Eudora CVE-2004-1520 (Stack-based buffer overflow in IPSwitch IMail 8.13 allows remote authe ...) NOT-FOR-US: IPSwitch IMail CVE-2004-1519 (SQL injection vulnerability in bug.php in phpBugTracker 0.9.1 allows r ...) NOT-FOR-US: phpBugTracker CVE-2004-1518 (SQL injection vulnerability in follow.php in Phorum 5.0.12 and earlier ...) NOT-FOR-US: Phorum CVE-2004-1517 (Zone Labs IMsecure and IMsecure Pro before 1.5 allow remote attackers ...) NOT-FOR-US: Zone Labs IMsecure CVE-2004-1516 (CRLF injection vulnerability in index.php in phpWebSite 0.9.3-4 allows ...) NOT-FOR-US: phpWebSite CVE-2004-1515 (SQL injection vulnerability in (1) ttlast.php and (2) last10.php in vB ...) NOT-FOR-US: vBulletin CVE-2004-1514 (04WebServer 1.42 allows remote attackers to cause a denial of service ...) NOT-FOR-US: 04Webserver CVE-2004-1513 (04WebServer 1.42 does not adequately filter data that is written to lo ...) NOT-FOR-US: 04Webserver CVE-2004-1512 (Cross-site scripting (XSS) vulnerability in Response_default.html in 0 ...) NOT-FOR-US: 04Webserver CVE-2004-1511 (Hotfoon 4.0 does not notify users before opening links in web browsers ...) NOT-FOR-US: Hotfoon CVE-2004-1510 (WebCalendar allows remote attackers to gain privileges by modifying cr ...) - webcalendar 0.9.45-1 CVE-2004-1509 (validate.php in WebCalendar allows remote attackers to gain sensitive ...) - webcalendar 0.9.45-1 CVE-2004-1508 (init.php in WebCalendar allows remote attackers to execute arbitrary l ...) - webcalendar 0.9.45-1 CVE-2004-1507 (CRLF injection vulnerability in login.php in WebCalendar allows remote ...) - webcalendar 0.9.45-1 CVE-2004-1506 (Multiple cross-site scripting (XSS) vulnerabilities in WebCalendar all ...) - webcalendar 0.9.45-1 CVE-2004-1505 (Directory traversal vulnerability in index.php in Just Another Flat fi ...) NOT-FOR-US: JAF CVE-2004-1504 (The displaycontent function in config.php for Just Another Flat file ( ...) NOT-FOR-US: JAF CVE-2004-1503 (Integer overflow in the InitialDirContext in Java Runtime Environment ...) NOT-FOR-US: Sun JRE CVE-2004-1502 (The Telnet proxy in 602 Lan Suite 2004.0.04.0909 and earlier allows re ...) NOT-FOR-US: 602 Lan Suite CVE-2004-1501 (The webmail service in 602 Lan Suite 2004.0.04.0909 and earlier allows ...) NOT-FOR-US: 602 Lan Suite CVE-2004-1500 (Format string vulnerability in the Lithtech engine, as used in multipl ...) NOT-FOR-US: Lithtech CVE-2004-1499 (Cross-site scripting (XSS) vulnerability in the compose message form i ...) NOT-FOR-US: HELM CVE-2004-1498 (SQL injection vulnerability in the compose message form in HELM 3.1.19 ...) NOT-FOR-US: HELM CVE-2004-1497 (Web Forums Server 1.6 and 2.0 Power Pack stores passwords in plaintext ...) NOT-FOR-US: Web Forums Server CVE-2004-1496 (Directory traversal vulnerability in Web Forums Server 1.6 and 2.0 Pow ...) NOT-FOR-US: Web Forums Server CVE-2004-1495 (The Repair Archive command in WinRAR 3.40 allows remote attackers to c ...) NOT-FOR-US: WinRAR CVE-2004-1494 (Buffer overflow in the Screen Fetch option in XDICT 2002 through 2005 ...) NOT-FOR-US: XDICT CVE-2004-1493 (Master of Orion III 1.2.5 and earlier allows remote attackers to cause ...) NOT-FOR-US: Master of Orion CVE-2004-1492 (Master of Orion III 1.2.5 and earlier allows remote attackers to cause ...) NOT-FOR-US: Master of Orion CVE-2005-0463 (Unknown "major security flaws" in Ulog-php before 1.0, related to inpu ...) NOT-FOR-US: ulog-php CVE-2005-0462 (Cross-site scripting (XSS) vulnerability in MercuryBoard 1.0.x and 1.1 ...) NOT-FOR-US: MercuryBoard CVE-2005-0461 (Unknown vulnerability in NewsBruiser 2.x before 2.6.1 allows remote at ...) NOT-FOR-US: NewsBruiser CVE-2005-0460 (index.php in MercuryBoard 1.0.x and 1.1.x allows remote attackers to o ...) NOT-FOR-US: MercuryBoard CVE-2005-0459 (phpMyAdmin 2.6.2-dev, and possibly earlier versions, allows remote att ...) - phpmyadmin 4:2.6.2 (unimportant) NOTE: From maintainer Piotr Roszatycki : NOTE: I think it is not a problem on Debian as far as everybody knows the full NOTE: path of phpMyAdmin is /usr/share/phpmyadmin. CVE-2005-0458 (Cross-site scripting (XSS) vulnerability in contact_us.php in osCommer ...) - oscommerce (bug #532489) CVE-2005-0457 (Opera 7.54 and earlier on Gentoo Linux uses an insecure path for plugi ...) NOT-FOR-US: Opera CVE-2005-0456 (Opera 7.54 and earlier does not properly validate base64 encoded binar ...) NOT-FOR-US: Opera CVE-2004-1491 (Opera 7.54 and earlier uses kfmclient exec to handle unknown MIME type ...) NOT-FOR-US: Opera CVE-2004-1490 (Opera 7.54 and earlier allows remote attackers to spoof file types in ...) NOT-FOR-US: Opera CVE-2004-1489 (Opera 7.54 and earlier does not properly limit an applet's access to i ...) NOT-FOR-US: Opera CVE-2005-0455 (Stack-based buffer overflow in the CSmil1Parser::testAttributeFailed f ...) NOT-FOR-US: Real CVE-2005-0454 (Multiple SQL injection vulnerabilities in DCP-Portal 6.1.1 and earlier ...) NOT-FOR-US: DCP-Portal CVE-2005-0453 (The buffer_urldecode function in Lighttpd 1.3.7 and earlier does not p ...) NOT-FOR-US: Lighttpd CVE-2005-0452 (Multiple cross-site scripting (XSS) vulnerabilities in Microsoft ASP.N ...) NOT-FOR-US: Microsoft CVE-2005-0451 (Sami HTTP Server 1.0.5 allows remote attackers to cause a denial of se ...) NOT-FOR-US: Sami HTTP Server CVE-2005-0450 (Directory traversal vulnerability in Sami HTTP Server 1.0.5 allows rem ...) NOT-FOR-US: Sami HTTP Server CVE-2005-0449 (The netfilter/iptables module in Linux before 2.6.8.1 allows remote at ...) {DSA-1018-1 DSA-1017-1} - linux-2.6 (Vulnerable code was removed betwen 2.6.11 and 2.6.12) CVE-2005-0448 (Race condition in the rmtree function in File::Path.pm in Perl before ...) {DSA-1678-1 DSA-696-1} - perl 5.8.4-7 CVE-2005-0430 (The Quake 3 engine, as used in multiple game packages, allows remote a ...) NOT-FOR-US: Quake 3 CVE-2005-0447 (Solaris 7, 8, and 9 allows remote attackers to cause a denial of servi ...) NOT-FOR-US: Solaris CVE-2005-0446 (Squid 2.5.STABLE8 and earlier allows remote attackers to cause a denia ...) {DSA-688-1} - squid 2.5.8-3 CVE-2005-0445 (Cross-site scripting (XSS) vulnerability in Open WebMail 2.x allows re ...) - openwebmail CVE-2005-0444 (VMware before 4.5.2.8848-r5 searches for gdk-pixbuf shared libraries u ...) NOT-FOR-US: VMware CVE-2005-0443 (index.php in CubeCart 2.0.4 allows remote attackers to (1) obtain the ...) NOT-FOR-US: CubeCart CVE-2005-0442 (Directory traversal vulnerability in index.php for CubeCart 2.0.4 allo ...) NOT-FOR-US: CubeCart CVE-2005-0441 (Multiple stack-based buffer overflows in Sybase Adaptive Server Enterp ...) NOT-FOR-US: Sybase CVE-2005-0440 (ELOG before 2.5.7 allows remote attackers to bypass authentication and ...) - elog 2.5.7+r1558-1 CVE-2005-0439 (Buffer overflow in the decode_post function in ELOG before 2.5.7 allow ...) - elog 2.5.7+r1558-1 CVE-2005-0438 (awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to obtain se ...) - awstats 6.3-1 CVE-2005-0437 (Directory traversal vulnerability in awstats.pl in AWStats 6.3 and 6.4 ...) - awstats 6.3-1 CVE-2005-0436 (Direct code injection vulnerability in awstats.pl in AWStats 6.3 and 6 ...) - awstats 6.3-1 CVE-2005-0435 (awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to read serv ...) - awstats 6.3-1 CVE-2005-0434 (Multiple cross-site scripting (XSS) vulnerabilities in Php-Nuke 7.5 al ...) NOT-FOR-US: PHP-Nuke CVE-2005-0433 (Php-Nuke 7.5 allows remote attackers to determine the full path of the ...) NOT-FOR-US: PHP-Nuke CVE-2005-0432 (BEA WebLogic Server 7.0 Service Pack 5 and earlier, and 8.1 Service Pa ...) NOT-FOR-US: BEA WebLogic Server CVE-2005-0431 (Barracuda Spam Firewall 3.1.10 and earlier does not restrict the domai ...) NOT-FOR-US: Barracuda Spam Firewall CVE-2005-0429 (Direct code injection vulnerability in forumdisplay.php in vBulletin 3 ...) NOT-FOR-US: vBulletin CVE-2005-0428 (The DNSPacket::expand method in dnspacket.cc in PowerDNS before 2.9.17 ...) - pdns 2.9.16-6 CVE-2005-0427 (The ebuild of Webmin before 1.170-r3 on Gentoo Linux includes the encr ...) - webmin (Gentoo specific) CVE-2005-0426 (Unknown vulnerability in Solaris 8 and 9 allows remote attackers to ca ...) NOT-FOR-US: Solaris CVE-2005-0425 (Unknown vulnerability in IBM Websphere Application Server 5.0, 5.1, an ...) NOT-FOR-US: Websphere CVE-2005-0424 (Unknown vulnerability in the delete.asp program in certain versions of ...) NOT-FOR-US: ASPjar Guestbook CVE-2005-0423 (SQL injection vulnerability in login.asp in ASPjar Guestbook allows re ...) NOT-FOR-US: ASPjar Guestbook CVE-2005-0422 (DelphiTurk CodeBank (aka KodBank) 3.1 and earlier stores usernames and ...) NOT-FOR-US: DelphiTurk CVE-2005-0421 (DelphiTurk FTP 1.0 stores usernames and passwords in the profile.dat f ...) NOT-FOR-US: DelphiTurk CVE-2005-0420 (Microsoft Outlook Web Access (OWA), when used with Exchange, allows re ...) NOT-FOR-US: Microsoft CVE-2005-0419 (Multiple heap-based buffer overflows in 3Com 3CServer allow remote aut ...) NOT-FOR-US: 3com CVE-2005-0418 (Argument injection vulnerability in Java Web Start for J2SE 1.4.2 up t ...) NOT-FOR-US: Sun Java CVE-2005-0417 (Unknown "high risk" vulnerability in DB2 Universal Database 8.1 and ea ...) NOT-FOR-US: IBM DB2 CVE-2005-0416 (The Windows Animated Cursor (ANI) capability in Windows NT, Windows 20 ...) NOT-FOR-US: Windows CVE-2005-0415 (Multiple memory leaks in the MQL parser in Emdros before 1.1.22 allow ...) NOT-FOR-US: Emdros CVE-2005-0414 (SQL injection vulnerability in post.php for MercuryBoard 1.1.1 allows ...) NOT-FOR-US: MercuryBoard CVE-2005-0413 (Multiple SQL injection vulnerabilities in MyPHP Forum 1.0 allow remote ...) NOT-FOR-US: MyPHP Forum CVE-2005-0412 (Cross-site scripting (XSS) vulnerability in Spidean PostWrap allows re ...) NOT-FOR-US: Spidean PostWrap CVE-2005-0411 (Directory traversal vulnerability in index.php for CitrusDB 0.3.6 and ...) NOT-FOR-US: CitrusDB CVE-2005-0410 (SQL injection vulnerability in importcc.php for CitrusDB 0.3.6 and ear ...) NOT-FOR-US: CitrusDB CVE-2005-0409 (CitrusDB 0.3.6 and earlier does not verify authorization for the (1) i ...) NOT-FOR-US: CitrusDB CVE-2005-0408 (CitrusDB 0.3.6 and earlier generates easily predictable MD5 hashes of ...) NOT-FOR-US: CitrusDB CVE-2005-0407 (Cross-site scripting (XSS) vulnerability in Openconf 1.04, and possibl ...) NOT-FOR-US: Openconf CVE-2005-0406 (A design flaw in image processing software that modifies JPEG images m ...) - imagemagick (bug #298051; unimportant) NOTE: The EXIF spec says "if your app can't handle $foo, don't touch $foo" NOTE: 'convert -strip' will remove exif data according to http://web.archive.org/web/20130922031724/http://www.imagemagick.org:80/pipermail/magick-users/2006-May/017538.html CVE-2005-0405 RESERVED CVE-2005-0404 (KMail 1.7.1 in KDE 3.3.2 allows remote attackers to spoof email inform ...) NOTE: see http://bugs.kde.org/show_bug.cgi?id=96020 - kdepim 3.4-1 (bug #305601; low) [sarge] - kdepim (Hardly exploitable) NOTE: According to the KDE bug the URL bar in 3.4 cannot be manipulated. Kmail also NOTE: warns that HTML mails introduce the risk of phishing. This could as well NOTE: be unimportant CVE-2005-0403 (init_dev in tty_io.c in the Red Hat backport of NPTL to Red Hat Enterp ...) - glibc (Specific to the NPTL backport for RHEL 3) CVE-2005-0402 (Firefox before 1.0.2 allows remote attackers to execute arbitrary code ...) - mozilla-firefox 1.0.2-1 CVE-2005-0401 (FireFox 1.0.1 and Mozilla before 1.7.6 do not sufficiently address all ...) - mozilla-firefox 1.0.2-1 - mozilla-thunderbird 1.0.2-1 CVE-2005-0400 (The ext2_make_empty function call in the Linux kernel before 2.6.11.6 ...) - linux-2.6 (Fixed before upload into archive; 2.6.11.6) - kernel-source-2.4.27 2.4.27-10 (bug #303294) CVE-2005-0399 (Heap-based buffer overflow in GIF2.cpp in Firefox before 1.0.2, Mozill ...) - mozilla-firefox 1.0.2-1 - mozilla-thunderbird 1.0.2-1 CVE-2005-0398 (The KAME racoon daemon in ipsec-tools before 0.5 allows remote attacke ...) - ipsec-tools 1:0.5-5 CVE-2005-0397 (Format string vulnerability in the SetImageInfo function in image.c fo ...) {DSA-702-1} - imagemagick 6:6.0.6.2-2.2 (bug #297990) - graphicsmagick 1.1.7-1 CVE-2005-0396 (Desktop Communication Protocol (DCOP) daemon, aka dcopserver, in KDE b ...) NOTE: fix in -4 was broken - kdelibs 4:3.3.2-6 CVE-2005-0395 REJECTED CVE-2005-0394 RESERVED CVE-2005-0393 (The helper scripts for crip 3.5 do not properly use temporary files, w ...) {DSA-733-1} - crip 3.5-1sarge2 (low) CVE-2005-0392 (ppxp does not drop root privileges before opening log files, which all ...) {DSA-725-2 DSA-725-1} - ppxp 0.2001080415-11 CVE-2005-0391 (geneweb 4.10 and earlier does not properly check file permissions and ...) {DSA-712-1} - geneweb 4.10-7 (bug #304405) CVE-2005-0390 (Buffer overflow in the HTTP redirection capability in conn.c for Axel ...) {DSA-706-1} - axel 1.0b-1 CVE-2005-0389 REJECTED CVE-2005-0388 (Unknown vulnerability in the remoteping service in remstats 1.0.13 and ...) {DSA-704-1} - remstats 1.0.13a-5 CVE-2005-0387 (remstats 1.0.13 and earlier, when processing uptime data, allows local ...) {DSA-704-1} - remstats 1.0.13a-5 CVE-2005-0386 (Cross-site scripting (XSS) vulnerability in network.cgi in mailreader ...) {DSA-700-1} - mailreader 2.3.29-11 CVE-2005-0385 (Buffer overflow in luxman before 0.41, if used with certain insecure s ...) {DSA-693-1} - luxman 0.41-20 (bug #299857) CVE-2005-0384 (Unknown vulnerability in the PPP driver for the Linux kernel 2.6.8.1 a ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - linux-2.6 (Fixed before upload into archive) - kernel-source-2.4.27 2.4.27-9 CVE-2004-1488 (wget 1.8.x and 1.9.x does not filter or quote control characters when ...) - wget 1.9.1-11 CVE-2004-1487 (wget 1.8.x and 1.9.x allows a remote malicious web server to overwrite ...) - wget 1.9.1-11 CVE-2005-0383 (Trend Micro Control Manager 3.0 Enterprise Edition allows remote attac ...) NOT-FOR-US: Trend Micro Control Manager CVE-2005-0382 (Breed patch 1 and earlier allows remote attackers to cause a denial of ...) NOT-FOR-US: Breed game CVE-2005-0381 (Cross-site scripting (XSS) vulnerability in f.aspx in forumKIT 1.0 all ...) NOT-FOR-US: forumKIT CVE-2005-0380 (Multiple PHP remote file inclusion vulnerabilities in (1) print_catego ...) NOT-FOR-US: ZeroBoard CVE-2005-0379 (Multiple directory traversal vulnerabilities in ZeroBoard 4.1pl5 and e ...) NOT-FOR-US: ZeroBoard CVE-2005-0378 (Multiple cross-site scripting (XSS) vulnerabilities in Horde 3.0 allow ...) - horde2 - horde3 3.0.1-1 CVE-2005-0377 (SQL injection vulnerability in imageview.php for SGallery 1.01 allows ...) NOT-FOR-US: sgallery CVE-2005-0376 (PHP remote file inclusion vulnerability in SGallery 1.01 allows local ...) NOT-FOR-US: sgallery CVE-2005-0375 (imageview.php in SGallery 1.01 allows remote attackers to obtain sensi ...) NOT-FOR-US: sgallery CVE-2005-0374 (Cross-site scripting (XSS) vulnerability in Bitboard 2.5 and earlier a ...) NOT-FOR-US: bitboard CVE-2005-0373 (Buffer overflow in digestmd5.c CVS release 1.170 (also referred to as ...) NOTE: had to extract gentoo ebuild from rsync.gentoo.org to get details NOTE: see cyrus-sasl-2.1.18-cvs-1.172.patch in there NOTE: cyrus-sasl2 already has patch applied NOTE: oldstable version not affected, thus marking it as done with the oldstable version - cyrus-sasl (cyrus-sasl code seems too old for any of the problems to apply) - cyrus-sasl2 2.1.19.dfsg1-0sarge2 CVE-2005-0372 (Directory traversal vulnerability in gftp before 2.0.18 for GTK+ allow ...) {DSA-686-1} - gftp 2.0.18-1 NOTE: CVE entry claims that 2.0.18 is vulnerable, but this is wrong. CVE-2005-0371 (Armagetron 0.2.6.0 and earlier and Armagetron Advanced 0.2.7.0 and ear ...) - armagetron 0.2.8.2.1-1 (bug #296840; low) [sarge] - armagetron (Remaining vulnerabilities are minor) [etch] - armagetron (Remaining vulnerabilities are minor) CVE-2005-0370 (Armagetron 0.2.6.0 and earlier and Armagetron Advanced 0.2.7.0 and ear ...) - armagetron 0.2.7.0-1 NOTE: Sarge has this version number, but oldstable is affected CVE-2005-0369 (Armagetron 0.2.6.0 and earlier and Armagetron Advanced 0.2.7.0 earlier ...) - armagetron 0.2.7.0-1 NOTE: Sarge has this version number, but olstable is affected CVE-2005-0368 (Multiple SQL injection vulnerabilities in CMScore allow remote attacke ...) NOT-FOR-US: CMScore CVE-2005-0367 (Multiple directory traversal vulnerabilities in ArGoSoft Mail Server 1 ...) NOT-FOR-US: ArGoSoft Mail Server CVE-2005-0366 (The integrity check feature in OpenPGP, when handling a message that w ...) - gnupg 1.4.1-1 CVE-2005-0364 (Unknown vulnerability in BIND 9.2.0 in HP-UX B.11.00, B.11.11, and B.1 ...) - bind9 (Bind on hp-ux) CVE-2005-0361 RESERVED CVE-2005-0360 (The Microsoft Log Sink Class ActiveX control in pkmcore.dll is marked ...) NOT-FOR-US: Microsoft CVE-2005-0359 (The Legato PortMapper in EMC Legato NetWorker, Sun Solstice Backup 6.0 ...) NOT-FOR-US: EMC Legato CVE-2005-0358 (EMC Legato NetWorker, Solstice Backup 6.0 and 6.1, and StorEdge Enterp ...) NOT-FOR-US: EMC Legato CVE-2005-0357 (EMC Legato NetWorker, Sun Solstice Backup 6.0 and 6.1, and StorEdge En ...) NOT-FOR-US: EMC Legato CVE-2005-0356 (Multiple TCP implementations with Protection Against Wrapped Sequence ...) - linux-2.6 (Linux is not vulnerable, see #310804) - kernel-source-2.4.27 (Linux is not vulnerable, see #310804) - kfreebsd5-source 5.3-15 (medium) CVE-2005-0355 RESERVED CVE-2005-0354 RESERVED CVE-2005-0353 (Buffer overflow in the Sentinel LM (Lservnt) service in the Sentinel L ...) NOT-FOR-US: Sentinel License Manager CVE-2005-0352 (Servers Alive 4.1 and 5.0, when running as a service, does not drop SY ...) NOT-FOR-US: Servers Alive CVE-2005-0351 (Buffer overflow in (1) termsh, (2) atcronsh, and (3) auditsh in SCO Op ...) NOT-FOR-US: SCO OpenServer CVE-2005-0350 (Heap-based buffer overflow in multiple F-Secure Anti-Virus and Interne ...) NOT-FOR-US: F-Secure Anti-Virus CVE-2005-0349 (The production release of the UniversalAgent for UNIX in BrightStor AR ...) NOT-FOR-US: BrightStor ARCserve Backup CVE-2004-9999 REJECTED CVE-2004-9998 REJECTED CVE-2004-1486 (Unknown vulnerability in Serviceguard A.11.13 through A.11.16.00 and C ...) NOT-FOR-US: Serviceguard and Cluster Object Manager on HP-UX, HP Linux CVE-2004-1485 (Buffer overflow in the TFTP client in InetUtils 1.4.2 allows remote ma ...) - inetutils (inetutils 2:1.4.2+20040207-4; not vulnerable and its tftpd is not shipped) - atftp (atftp checks h_length) - netkit-tftp (netkit-tftp not vulnerable) - tftp-hpa (bug #295297; not exploitable) NOTE: The address length comes from libc, not the network. CVE-2004-1484 (Format string vulnerability in the _msg function in error.c in socat 1 ...) - socat 1.4.0.3-1 CVE-2004-1483 (Multiple unknown vulnerabilities in the ActiveX and HTML file browsers ...) NOT-FOR-US: Symantec Clientless VPN Gateway 4400 Series CVE-2004-1482 (The sbuf_getmsg function in BNC incorrectly handles backspace characte ...) NOT-FOR-US: BNC irc proxy CVE-2004-1481 (Integer overflow in pnen3260.dll in RealPlayer 8 through 10.5 (6.0.12. ...) NOT-FOR-US: Real CVE-2004-1480 (Unknown vulnerability in the management station in HP StorageWorks Com ...) NOT-FOR-US: HP StorageWorks Command View XP CVE-2004-1479 REJECTED CVE-2004-1478 (JRun 4.0 does not properly generate and handle the JSESSIONID, which a ...) NOT-FOR-US: JRun CVE-2004-1477 (Cross-site scripting (XSS) vulnerability in the Management Console in ...) NOT-FOR-US: JRun CVE-2004-1476 (Stack-based buffer overflow in the VideoCD (VCD) code in xine-lib 1-rc ...) - xine-lib 1-rc6 - vlc (affected part of xine-lib code copy not present) - libcdio 0.69 CVE-2004-1475 (Multiple stack-based buffer overflows in xine-lib 1-rc2 through 1-rc5 ...) - xine-lib 1-rc6 - vlc (affected part of xine-lib code copy not present) CVE-2004-1474 (Symantec Enterprise Firewall/VPN Appliances 100, 200, and 200R running ...) NOT-FOR-US: Symantec Enterprise Firewall/VPN Appliances CVE-2004-1473 (Symantec Enterprise Firewall/VPN Appliances 100, 200, and 200R running ...) NOT-FOR-US: Symantec Enterprise Firewall/VPN Appliances CVE-2004-1472 (Symantec Enterprise Firewall/VPN Appliances 100, 200, and 200R running ...) NOT-FOR-US: Symantec Enterprise Firewall/VPN Appliances CVE-2004-1471 (Format string vulnerability in wrapper.c in CVS 1.12.x through 1.12.8, ...) - cvs 1:1.12.9 CVE-2004-1470 (CRLF injection vulnerability in SnipSnap 0.5.2a, and other versions be ...) NOT-FOR-US: snipsnap CVE-2004-1469 (Format string vulnerability in the log function in SUS 2.0.2, and othe ...) NOT-FOR-US: SUS CVE-2004-1468 (The web mail functionality in Usermin 1.x and Webmin 1.x allows remote ...) - webmin 1.160 - usermin 1.090 CVE-2004-1467 (Multiple cross-site scripting (XSS) vulnerabilities in eGroupWare 1.0. ...) - egroupware 1.0.00.004 CVE-2004-1466 (The set_time_limit function in Gallery before 1.4.4_p2 deletes non-ima ...) - gallery 1.4.4-pl2 CVE-2004-1465 (Multiple buffer overflows in WinZip 9.0 and earlier may allow attacker ...) NOT-FOR-US: WinZip CVE-2004-1464 (Cisco IOS 12.2(15) and earlier allows remote attackers to cause a deni ...) NOT-FOR-US: Cisco CVE-2004-1463 (Unknown vulnerability in the PageEditor in MoinMoin 1.2.2 and earlier, ...) - moin 1.2.3-1 CVE-2004-1462 (Unknown vulnerability in MoinMoin 1.2.2 and earlier allows remote atta ...) - moin 1.2.3-1 CVE-2004-1461 (Cisco Secure Access Control Server (ACS) 3.2(3) and earlier spawns a s ...) NOT-FOR-US: Cisco CVE-2004-1460 (Cisco Secure Access Control Server (ACS) 3.2(3) and earlier, when conf ...) NOT-FOR-US: Cisco CVE-2004-1459 (Cisco Secure Access Control Server (ACS) 3.2, when configured as a Lig ...) NOT-FOR-US: Cisco CVE-2004-1458 (The CSAdmin web administration interface for Cisco Secure Access Contr ...) NOT-FOR-US: Cisco CVE-2004-1457 (The Virtual Private Network (VPN) capability in Novell Bordermanager 3 ...) NOT-FOR-US: Novell CVE-2004-1456 (filediff in CVStrac allows remote attackers to execute arbitrary comma ...) - cvstrac 1.1.4-1 CVE-2004-1455 (Stack-based buffer overflow in Xine-lib-rc5 in xine-lib 1_rc5-r2 and e ...) - xine-lib 1-rc5-1.1 - vlc (vulnerable component of xine-lib code copy not present) CVE-2004-1454 (Cisco IOS 12.0S, 12.2, and 12.3, with Open Shortest Path First (OSPF) ...) NOT-FOR-US: Cisco CVE-2004-1453 (GNU glibc 2.3.4 before 2.3.4.20040619, 2.3.3 before 2.3.3.20040420, an ...) - glibc 2.3.5 (bug #272210; unimportant) NOTE: according to GOTO Masanori this is not a security problem NOTE: Jakub Jelinek confirms http://sources.redhat.com/ml/libc-hacker/2004-08/msg00059.html NOTE: Although not a real issue we should play safe with 2.3.5, where the code NOTE: was reorganized CVE-2004-1452 (Tomcat before 5.0.27-r3 in Gentoo Linux sets the default permissions o ...) NOT-FOR-US: Gentoo specific CVE-2004-1451 (Mozilla before 1.6 does not display the entire URL in the status bar w ...) - mozilla 2:1.6-1 CVE-2004-1450 (Unknown vulnerability in LiveConnect in Mozilla 1.7 beta allows remote ...) - mozilla 2:1.7.1-1 CVE-2004-1449 (Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7 all ...) - mozilla 2:1.7-1 CVE-2004-1448 (Jetbox One 2.0.8 and possibly other versions allow remote attackers wi ...) NOT-FOR-US: Jetbox One CVE-2004-1447 (Jetbox One 2.0.8 and possibly other versions stores passwords in the d ...) NOT-FOR-US: Jetbox One CVE-2004-1446 (Unknown vulnerability in ScreenOS in Juniper Networks NetScreen firewa ...) NOT-FOR-US: ScreenOS CVE-2004-1445 (A race condition in nessus-adduser in Nessus 2.0.11 and possibly earli ...) - nessus-core 2.0.12-1 CVE-2004-1444 (Directory traversal vulnerability in Roundup 0.6.4 and earlier allows ...) - roundup 0.7.3-1 CVE-2004-1443 (Cross-site scripting (XSS) vulnerability in the inline MIME viewer in ...) - imp3 3.2.5-1 CVE-2004-1442 (Cross-site scripting (XSS) vulnerability in db2www CGI interpreter in ...) NOT-FOR-US: db2www CVE-2004-1441 (Cross-site scripting (XSS) vulnerability in icq.cgi in Board Power 2.0 ...) NOT-FOR-US: Board Power CVE-2004-1440 (Multiple heap-based buffer overflows in the modpow function in PuTTY b ...) - putty 0.56-1 CVE-2004-1439 (Buffer overflow in BlackJumboDog 3.x allows remote attackers to execut ...) NOT-FOR-US: BlackJumboDog CVE-2004-1438 (The mod_authz_svn Apache module for Subversion 1.0.4-r1 and earlier al ...) - subversion 1.0.6-1 CVE-2004-1437 (Multiple buffer overflows in the digest authentication functionality i ...) - pavuk 0.9pl28-3.1 CVE-2004-1436 (The Transaction Language 1 (TL1) login interface in Cisco ONS 15327 4. ...) NOT-FOR-US: Cisco CVE-2004-1435 (Multiple versions of Cisco ONS 15327, ONS 15454, and ONS 15454 SDH, in ...) NOT-FOR-US: Cisco CVE-2004-1434 (Multiple versions of Cisco ONS 15327, ONS 15454, and ONS 15454 SDH, in ...) NOT-FOR-US: Cisco CVE-2004-1433 (Multiple versions of Cisco ONS 15327, ONS 15454, and ONS 15454 SDH, in ...) NOT-FOR-US: Cisco CVE-2004-1432 (Multiple versions of Cisco ONS 15327, ONS 15454, and ONS 15454 SDH, in ...) NOT-FOR-US: Cisco CVE-2004-1431 (FormMail.php 5.0, and possibly other versions, allows remote attackers ...) NOT-FOR-US: FormMail.php != nms-formmail CVE-2004-1430 (SQL injection vulnerability in the show_stats module in Arcade.php in ...) NOT-FOR-US: Arcade.php CVE-2004-1429 (ArGoSoft FTP 1.4.2.4 and earlier does not limit the number of times th ...) NOT-FOR-US: ArGoSoft CVE-2004-1428 (ArGoSoft FTP before 1.4.2.1 generates an error message if the user nam ...) NOT-FOR-US: ArGoSoft CVE-2004-1427 (PHP remote file inclusion vulnerability in main.inc in KorWeblog 1.6.2 ...) NOT-FOR-US: KorWeblog CVE-2004-1426 (Directory traversal vulnerability in index.php in KorWeblog 1.6.2-cvs ...) NOT-FOR-US: KorWeblog CVE-2004-1425 (Directory traversal vulnerability in file.php in Moodle 1.4.2 and earl ...) - moodle 1.4.3-1 CVE-2004-1424 (Cross-site scripting (XSS) vulnerability in view.php in Moodle 1.4.2 a ...) - moodle 1.4.3-1 CVE-2004-1423 (Multiple PHP remote file inclusion vulnerabilities in Sean Proctor PHP ...) NOT-FOR-US: PHP-Calendar CVE-2004-1422 (WHM AutoPilot 2.4.6.5 and earlier allows remote attackers to gain sens ...) NOT-FOR-US: WHM AutoPilot CVE-2004-1421 (Multiple PHP remote file inclusion vulnerabilities (1) step_one.php, ( ...) NOT-FOR-US: WHM AutoPilot CVE-2004-1420 (Multiple cross-site scripting (XSS) vulnerabilities in header.php in W ...) NOT-FOR-US: WHM AutoPilot CVE-2004-1419 (PHP remote file inclusion vulnerability in ZeroBoard 4.1pl4 and earlie ...) NOT-FOR-US: ZeroBoard CVE-2004-1418 (Cross-site scripting (XSS) vulnerability in WPKontakt 3.0.1 and earlie ...) NOT-FOR-US: WPKontakt CVE-2004-1417 (Cross-site scripting (XSS) vulnerability in login.php in PsychoStats 2 ...) NOT-FOR-US: PsychoStats CVE-2004-1416 (pnxr3260.dll in the RealOne 2.0 build 6.0.11.868 browser plugin, as us ...) NOT-FOR-US: RealOne IE plugin CVE-2004-1415 (SQL injection vulnerability in (1) disp_album.php and possibly (2) dis ...) NOT-FOR-US: 2Bgal CVE-2004-1414 (Gadu-Gadu 6.1 build 156 allows remote attackers to cause a denial of s ...) NOT-FOR-US: Gadu-Gadu CVE-2004-1413 (Multiple SQL injection vulnerabilities in Kayako eSupport 2.x allow re ...) NOT-FOR-US: Kayako CVE-2004-1412 (Cross-site scripting (XSS) vulnerability in index.php in Kayako eSuppo ...) NOT-FOR-US: Kayako CVE-2004-1411 (Gadu-Gadu build 155 and earlier allows remote attackers to cause a den ...) NOT-FOR-US: Gadu-Gadu CVE-2004-1410 (Cross-site scripting (XSS) vulnerability in Gadu-Gadu build 155 and ea ...) NOT-FOR-US: Gadu-Gadu CVE-2004-1409 (Multiple cross-site scripting vulnerabilities in Image Gallery Web App ...) NOT-FOR-US: Image Gallery Web Application CVE-2004-1408 (The addImage method for admin.class.php in Image Gallery Web Applicati ...) NOT-FOR-US: Image Gallery Web Application CVE-2004-1407 (Multiple directory traversal vulnerabilities in singapore Image Galler ...) NOT-FOR-US: Image Gallery Web Application CVE-2004-1406 (SQL injection vulnerability in ikonboard.cgi in Ikonboard 3.1.0 throug ...) NOT-FOR-US: Ikonboard CVE-2004-1405 (MediaWiki 1.3.8 and earlier, when used with Apache mod_mime, does not ...) - mediawiki 1.4.9 (bug #276057) CVE-2004-1404 (Attachment Mod 2.3.10 module for phpBB, when used with Apache mod_mime ...) NOT-FOR-US: Attachment Mod for phpBB CVE-2004-1403 (PHP remote file inclusion vulnerability in index.php in GNUBoard 3.39 ...) NOT-FOR-US: GNU Board CVE-2004-1402 (SQL injection vulnerability in iWebNegar allows remote attackers to ex ...) NOT-FOR-US: iWebNegar CVE-2004-1401 (SQL injection vulnerability in verify.asp in Asp-rider allows remote a ...) NOT-FOR-US: Asp-rider CVE-2004-1400 (The control panel in ASP Calendar does not require authentication to a ...) NOT-FOR-US: ASP Calendar CVE-2004-1399 (Directory traversal vulnerability in the Attachment module 2.3.10 and ...) NOT-FOR-US: Attachment Mod for phpBB CVE-2004-1398 (Format string vulnerability in prelink.c in kextload in Apple OS X, as ...) NOT-FOR-US: MacOSX CVE-2004-1397 (Cross-site scripting (XSS) vulnerability in UseModWiki 1.0 allows remo ...) - usemod-wiki 1.0-6 CVE-2004-1396 (Winamp 5.07 and possibly other versions, allows remote attackers to ca ...) NOT-FOR-US: Winamp CVE-2004-1395 (The Lithtech engine, as used in (1) Contract Jack 1.1 and earlier, (2) ...) NOT-FOR-US: Lithtech engine CVE-2003-1084 (Monit 1.4 to 4.1 allows remote attackers to cause a denial of service ...) - monit 1:4.2.1-1 CVE-2003-1083 (Stack-based buffer overflow in Monit 1.4 to 4.1 allows remote attacker ...) - monit 1:4.2.1-1 CVE-2005-0365 (The dcopidlng script in KDE 3.2.x and 3.3.x creates temporary files wi ...) - kdelibs 4:3.3.2-2 CVE-2005-0363 (awstats.pl in AWStats 4.0 and 6.2 allows remote attackers to execute a ...) {DSA-682-1} - awstats 6.2-1.2 CVE-2005-0362 (awstats.pl in AWStats 6.2 allows remote attackers to execute arbitrary ...) - awstats 6.2-1.2 NOTE: http://patches.ubuntu.com/patches/awstats.more-CVE-2005-0016.diff NOTE: http://packetstormsecurity.nl/0501-exploits/AWStatsVulnAnalysis.pdf CVE-2005-0284 (SQL injection vulnerability in addentry.php in Woltlab Burning Book 1. ...) NOT-FOR-US: Woltlab Burning Book CVE-2005-0348 (Directory traversal vulnerability in RealArcade 1.2.0.994 allows remot ...) NOT-FOR-US: RealArcade CVE-2005-0347 (Integer overflow in RealArcade 1.2.0.994 and earlier allows remote att ...) NOT-FOR-US: RealArcade CVE-2005-0346 (SafeNet SoftRemote VPN Client stores the VPN password (pre-shared key) ...) NOT-FOR-US: SafeNet CVE-2005-0345 (viewthread.php in php-fusion 4.x does not check the (1) forum_id or (2 ...) NOT-FOR-US: php-fusion CVE-2005-0344 (Directory traversal vulnerability in 602LAN SUITE 2004.0.04.1221 allow ...) NOT-FOR-US: 602LAN SUITE CVE-2005-0343 (SQL injection vulnerability in PerlDesk 1.x allows remote attackers to ...) NOT-FOR-US: PerlDesk CVE-2005-0342 (The Finder in Mac OS X and earlier allows local users to overwrite arb ...) NOT-FOR-US: Apple CVE-2005-0341 (Apple Safari 1.2.4 does not obey the Content-type field in the HTTP he ...) NOT-FOR-US: Apple CVE-2005-0340 (Integer signedness error in Apple File Service (AFP Server) allows rem ...) NOT-FOR-US: Apple CVE-2005-0339 (Buffer overflow in Foxmail 2.0 allows remote attackers to cause a deni ...) NOT-FOR-US: Foxmail CVE-2005-0338 (Buffer overflow in Savant Web Server 3.1 allows remote attackers to ex ...) NOT-FOR-US: Savant Web Server CVE-2005-0337 (Postfix 2.1.3, when /proc/net/if_inet6 is not available and permit_mx_ ...) - postfix 2.1.4-5 CVE-2005-0336 (Cross-site scripting (XSS) vulnerability in EMotion MediaPartner Web S ...) NOT-FOR-US: eMotion MediaPartner CVE-2005-0335 (Directory traversal vulnerability in EMotion MediaPartner Web Server 5 ...) NOT-FOR-US: eMotion MediaPartner CVE-2005-0334 (Linksys PSUS4 running firmware 6032 allows remote attackers to cause a ...) NOT-FOR-US: Linksys CVE-2005-0333 (LANChat Pro Revival 1.666c allows remote attackers to cause a denial o ...) NOT-FOR-US: LanChat CVE-2005-0332 (Directory traversal vulnerability in DeskNow Mail and Collaboration Se ...) NOT-FOR-US: DeskNow Mail server CVE-2005-0331 (Directory traversal vulnerability in WinRAR 3.42 and earlier, when the ...) NOT-FOR-US: Winrar CVE-2005-0330 (Buffer overflow in Painkiller 1.35 and earlier, and possibly other ver ...) NOT-FOR-US: Painkiller CVE-2005-0329 (Directory traversal vulnerability in ZipGenius 5.5 and earlier allows ...) NOT-FOR-US: ZipGenius CVE-2005-0328 (Zyxel P310, P314, P324 and Netgear RT311, RT314 running the latest fir ...) NOT-FOR-US: Netgear CVE-2005-0327 (pafiledb.php in Pafiledb 3.1 may allow remote attackers to execute arb ...) NOT-FOR-US: PafileDB CVE-2005-0326 (pafiledb.php in PaFileDB 3.1 allows remote attackers to gain sensitive ...) NOT-FOR-US: PafileDB CVE-2005-0325 (Xpand Rally 1.0.0.0 allows remote attackers or remote malicious game s ...) NOT-FOR-US: Xpand Rally CVE-2005-0324 (Infinite Mobile Delivery Webmail 2.6 allows remote attackers to gain s ...) NOT-FOR-US: Infinite Mobile Delivery Webmail CVE-2005-0323 (Cross-site scripting (XSS) vulnerability in Infinite Mobile Delivery W ...) NOT-FOR-US: Infinite Mobile Delivery Webmail CVE-2005-0322 (MERAK Mail Server 7.6.0 with Icewarp Web Mail 5.3.0 and Mail Server 7. ...) NOT-FOR-US: Merak Mail server CVE-2005-0321 (MERAK Mail Server 7.6.0 with Icewarp Web Mail 5.3.0 allows remote auth ...) NOT-FOR-US: Merak Mail server CVE-2005-0320 (Multiple cross-site scripting vulnerabilities in MERAK Mail Server 7.6 ...) NOT-FOR-US: Merak Mail server CVE-2005-0319 (Direct remote injection vulnerability in modalfram.wdm in Alt-N WebAdm ...) NOT-FOR-US: Webadmin CVE-2005-0318 (useredit_account.wdm in Alt-N WebAdmin 3.0.4 does not properly validat ...) NOT-FOR-US: Webadmin CVE-2005-0317 (Cross-site scripting (XSS) vulnerability in useredit_account.wdm in Al ...) NOT-FOR-US: Webadmin CVE-2005-0316 (WebWasher Classic 2.2.1 and 3.3, when running in server mode, does not ...) NOT-FOR-US: WebWasher CVE-2005-0315 (The FTP service in Magic Winmail Server 4.0 Build 1112 does not verify ...) NOT-FOR-US: Magic Winmail CVE-2005-0314 (Cross-site scripting (XSS) vulnerability in user.php in Magic Winmail ...) NOT-FOR-US: Magic Winmail CVE-2005-0313 (Multiple directory traversal vulnerabilities in Magic Winmail Server 4 ...) NOT-FOR-US: Magic Winmail CVE-2005-0312 (WarFTPD 1.82 RC9, when running as an NT service, allows remote authent ...) NOT-FOR-US: WarFTPD under NT CVE-2005-0311 (Ingate Firewall 4.1.3 and earlier does not terminate the PPTP session ...) NOT-FOR-US: Ingate CVE-2005-0310 (Exponent 0.95 allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Exponent CVE-2005-0309 (Multiple cross-site scripting (XSS) vulnerabilities in (1) index.php o ...) NOT-FOR-US: Exponent CVE-2005-0308 (Buffer overflow in the wsprintf function in W32Dasm 8.93 and earlier a ...) NOT-FOR-US: W32Dasm CVE-2005-0307 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Me ...) NOT-FOR-US: MercuryBoard CVE-2005-0306 (MercuryBoard 1.1.1 allows remote attackers to gain sensitive informati ...) NOT-FOR-US: MercuryBoard CVE-2005-0305 (CRLF injection vulnerability in users.php in Siteman 1.1.10 and earlie ...) NOT-FOR-US: Siteman CVE-2005-0304 (Directory traversal vulnerability in DivX Player 2.6 and earlier allow ...) NOT-FOR-US: DivX Player CVE-2005-0303 (Multiple cross-site scripting (XSS) vulnerabilities in (1) comersus_su ...) NOT-FOR-US: BackOffice Lite CVE-2005-0302 (SQL injection vulnerability in default.asp in BackOffice Lite 6.0 and ...) NOT-FOR-US: BackOffice Lite CVE-2005-0301 (comersus_backoffice_install10.asp in BackOffice Lite 6.0 and 6.01 allo ...) NOT-FOR-US: BackOffice Lite CVE-2005-0300 (Directory traversal vulnerability in session.php in JSBoard 2.0.9 and ...) - jsboard 2.0.10-1 CVE-2005-0299 (Directory traversal vulnerability in GForge 3.3 and earlier allows rem ...) - gforge 3.1-26 CVE-2005-0298 (The DIRECTORY objects in Oracle 8i through Oracle 10g contain the loca ...) NOT-FOR-US: Oracle CVE-2005-0297 (SQL injection vulnerability in Oracle Database 9i and 10g allows remot ...) NOT-FOR-US: Oracle CVE-2005-0296 NOT-FOR-US: Novell CVE-2005-0295 (npptnt2.sys in nProtect Gameguard provides unrestricted I/O to any pro ...) NOT-FOR-US: nProtect CVE-2005-0294 (minis.php in Minis 0.2.1 allows remote attackers to cause a denial of ...) NOT-FOR-US: Minis CVE-2005-0293 (Directory traversal vulnerability in minis.php in Minis 0.2.1 allows r ...) NOT-FOR-US: Minis CVE-2005-0292 (Multiple SQL injection vulnerabilities in index.php in PHP Gift Regist ...) NOT-FOR-US: phpGiftReg CVE-2005-0291 (Cross-site scripting (XSS) vulnerability in the log viewer in NETGEAR ...) NOT-FOR-US: NetGear CVE-2005-0290 (NETGEAR FVS318 running firmware 2.4, and possibly other versions, allo ...) NOT-FOR-US: NetGear CVE-2005-0289 (Apple AirPort Express prior to 6.1.1 and Extreme prior to 5.5.1, confi ...) NOT-FOR-US: Apple CVE-2005-0288 (The change password functionality in Bottomline Webseries Payment Appl ...) NOT-FOR-US: BottomLine WebSeries CVE-2005-0287 (Bottomline Webseries Payment Application allows remote attackers to re ...) NOT-FOR-US: BottomLine WebSeries CVE-2005-0286 (eMotion MediaPartner Web Server 5.0 and 5.1 allows remote attackers to ...) NOT-FOR-US: eMotion MediaPartner CVE-2005-0285 (Webseries Payment Application does not properly restrict privileged op ...) NOT-FOR-US: BottomLine WebSeries CVE-2005-0283 (Directory traversal vulnerability in index.php in QwikiWiki allows rem ...) NOT-FOR-US: QwikiWiki CVE-2005-0282 (SQL injection vulnerability in member.php in MyBulletinBoard (MyBB) al ...) NOT-FOR-US: MyBB (aka MyBulletinBoard) CVE-2005-0281 (Cross-site scripting (XSS) vulnerability in the web interface in Soldn ...) NOT-FOR-US: Soldner Secret CVE-2005-0280 (Format string vulnerability in Soldner Secret Wars 30830 and earlier a ...) NOT-FOR-US: Soldner Secret CVE-2005-0279 (Soldner Secret Wars 30830 and earlier does not properly handle the "me ...) NOT-FOR-US: Soldner Secret CVE-2005-0278 (The FTP service in 3Com 3CDaemon 2.0 revision 10 allows remote attacke ...) NOT-FOR-US: 3COM 3CDaemon CVE-2005-0277 (Buffer overflow in the FTP service in 3Com 3CDaemon 2.0 revision 10 al ...) NOT-FOR-US: 3COM 3CDaemon CVE-2005-0276 (Multiple format string vulnerabilities in the FTP service in 3Com 3CDa ...) NOT-FOR-US: 3COM 3CDaemon CVE-2005-0275 (TFTP in 3Com 3CDaemon 2.0 revision 10 allows remote attackers to cause ...) NOT-FOR-US: 3COM 3CDaemon CVE-2005-0274 (Multiple cross-site scripting (XSS) vulnerabilities in showgallery.php ...) NOT-FOR-US: PhotoPost CVE-2005-0273 (Multiple SQL injection vulnerabilities in showgallery.php in PhotoPost ...) NOT-FOR-US: PhotoPost CVE-2005-0272 (ReviewPost PHP Pro before 2.84 allows remote attackers to upload and e ...) NOT-FOR-US: ReviewPost CVE-2005-0271 (Multiple SQL injection vulnerabilities in ReviewPost PHP Pro before 2. ...) NOT-FOR-US: ReviewPost CVE-2005-0270 (Multiple cross-site scripting (XSS) vulnerabilities in ReviewPost PHP ...) NOT-FOR-US: ReviewPost CVE-2005-0269 (The file extension check in GNUBoard 3.40 and earlier only verifies ex ...) NOT-FOR-US: GNU Board CVE-2005-0268 (Direct code injection vulnerability in FlatNuke 2.5.1 allows remote at ...) NOT-FOR-US: FlatNuke CVE-2005-0267 (index.php in FlatNuke 2.5.1 allows remote attackers to create an admin ...) NOT-FOR-US: FlatNuke CVE-2005-0266 (Cross-site scripting (XSS) vulnerability in index.php in SugarCRM 1.X ...) - sugarcrm-ce-5.0 (bug #457876) CVE-2005-0265 (Multiple SQL injection vulnerabilities in browse.php in OWL 0.7 and 0. ...) NOT-FOR-US: OWL intranet CVE-2005-0264 (Multiple cross-site scripting (XSS) vulnerabilities in browse.php in O ...) NOT-FOR-US: OWL intranet CVE-2005-0263 (Buffer overflow in netpmon on AIX 5.1, 5.2, and 5.3 allows local users ...) NOT-FOR-US: AIX CVE-2005-0262 (Buffer overflow in ipl_varyon on AIX 5.1, 5.2, and 5.3 allows local us ...) NOT-FOR-US: AIX CVE-2005-0261 (lspath in AIX 5.2, 5.3, and possibly earlier versions, does not drop p ...) NOT-FOR-US: AIX CVE-2005-0260 (Stack-based buffer overflow in the Discovery Service for BrightStor AR ...) NOT-FOR-US: ARCserve Backup CVE-2005-0259 (phpBB 2.0.11, and possibly other versions, with remote avatars and ava ...) - phpbb2 2.0.12-1 CVE-2005-0258 (Directory traversal vulnerability in (1) usercp_register.php and (2) u ...) - phpbb2 2.0.12-1 CVE-2005-0257 RESERVED CVE-2005-0256 (The wu_fnmatch function in wu_fnmatch.c in wu-ftpd 2.6.1 and 2.6.2 all ...) {DSA-705-1} - wu-ftpd 2.6.2-19 CVE-2005-0255 (String handling functions in Mozilla 1.7.3, Firefox 1.0, and Thunderbi ...) - mozilla-firefox 1.0.1 NOTE: didn't other with YA mozilla-browser bug, it has enough for 1.7.6 already.. - mozilla 2:1.7.6 CVE-2005-0254 (BibORB 1.3.2, and possibly earlier versions, does not properly enforce ...) NOT-FOR-US: BibORB CVE-2005-0253 (Directory traversal vulnerability in index.php for BibORB 1.3.2, and p ...) NOT-FOR-US: BibORB CVE-2005-0252 (SQL injection vulnerability in BibORB 1.3.2, and possibly earlier vers ...) NOT-FOR-US: BibORB CVE-2005-0251 (Cross-site scripting (XSS) vulnerability in bibindex.php for BibORB 1. ...) NOT-FOR-US: BibORB CVE-2005-0250 (Format string vulnerability in auditselect on IBM AIX 5.1, 5.2, and 5. ...) NOT-FOR-US: AIX CVE-2005-0249 (Heap-based buffer overflow in the DEC2EXE module for Symantec AntiViru ...) NOT-FOR-US: Symantec AntiVirus Library CVE-2005-0248 (The Solaris Management Console (SMC) GUI for Solaris 8 and 9, when cre ...) NOT-FOR-US: Solaris CVE-2005-0247 (Multiple buffer overflows in gram.y for PostgreSQL 8.0.1 and earlier m ...) {DSA-683-1} - postgresql 7.4.7-2 CVE-2005-0246 (The intagg contrib module for PostgreSQL 8.0.0 and earlier allows atta ...) - postgresql 7.4.7-1 CVE-2005-0245 (Buffer overflow in gram.y for PostgreSQL 8.0.0 and earlier may allow a ...) {DSA-683-1} - postgresql 7.4.7-1 CVE-2005-0244 (PostgreSQL 8.0.0 and earlier allows local users to bypass the EXECUTE ...) - postgresql 7.4.7-1 CVE-2005-0243 (Yahoo! Messenger 6.0.0.1750, and possibly other versions before 6.0.0. ...) NOT-FOR-US: Yahoo! Messenger CVE-2005-0242 (The Audio Setup Wizard (asw.dll) in Yahoo! Messenger 6.0.0.1750, and p ...) NOT-FOR-US: Yahoo! Messenger CVE-2005-0241 (The httpProcessReplyHeader function in http.c for Squid 2.5-STABLE7 an ...) - squid 2.5.7-7 CVE-2004-1394 (The pfexec function for Sun Solaris 8 and 9 does not properly handle w ...) NOT-FOR-US: Solaris CVE-2004-1393 (Unknown vulnerability in the tcsetattr function for Sun Solaris for SP ...) NOT-FOR-US: Solaris CVE-2003-1082 (Buffer overflow in utmp_update for Solaris 2.6 through 9 allows local ...) NOT-FOR-US: Solaris CVE-2003-1081 (Aspppls for Solaris 8 allows local users to overwrite arbitrary files ...) NOT-FOR-US: Solaris CVE-2003-1080 (Unknown vulnerability in mail for Solaris 2.6 through 9 allows local u ...) NOT-FOR-US: Solaris CVE-2003-1079 (Unknown vulnerability in UDP RPC for Solaris 2.5.1 through 9 for SPARC ...) NOT-FOR-US: Solaris CVE-2003-1078 (The FTP client for Solaris 2.6, 7, and 8 with the debug (-d) flag enab ...) NOT-FOR-US: Solaris CVE-2003-1077 (Unknown vulnerability in UFS for Solaris 9 for SPARC, with logging ena ...) NOT-FOR-US: Solaris CVE-2003-1076 (Unknown vulnerability in sendmail for Solaris 7, 8, and 9 allows local ...) NOT-FOR-US: Solaris CVE-2003-1075 (Unknown vulnerability in the FTP server (in.ftpd) for Solaris 2.6 thro ...) NOT-FOR-US: Solaris CVE-2003-1074 (Unknown vulnerability in newtask for Solaris 9 allows local users to g ...) NOT-FOR-US: Solaris CVE-2003-1073 (A race condition in the at command for Solaris 2.6 through 9 allows lo ...) NOT-FOR-US: Solaris CVE-2003-1072 (Memory leak in lofiadm in Solaris 8 allows local users to cause a deni ...) NOT-FOR-US: Solaris CVE-2003-1071 (rpc.walld (wall daemon) for Solaris 2.6 through 9 allows local users t ...) NOT-FOR-US: Solaris CVE-2003-1070 (Unknown vulnerability in rpcbind for Solaris 2.6 through 9 allows remo ...) NOT-FOR-US: Solaris CVE-2003-1069 (The Telnet daemon (in.telnetd) for Solaris 2.6 through 9 allows remote ...) NOT-FOR-US: Solaris CVE-2003-1068 (Buffer overflow in utmp_update for Solaris 2.6 through 9 allows local ...) NOT-FOR-US: Solaris CVE-2003-1067 (Multiple buffer overflows in the (1) dbm_open function, as used in ndb ...) NOT-FOR-US: Solaris CVE-2003-1066 (Buffer overflow in the syslog daemon for Solaris 2.6 through 9 allows ...) NOT-FOR-US: Solaris CVE-2003-1065 (Unknown vulnerability in patches 108993-14 through 108993-19 and 10899 ...) NOT-FOR-US: Solaris CVE-2003-1064 (Solaris 8 with IPv6 enabled allows remote attackers to cause a denial ...) NOT-FOR-US: Solaris CVE-2003-1063 (The patches (1) 105693-13, (2) 108800-02, (3) 105694-13, and (4) 10880 ...) NOT-FOR-US: Solaris CVE-2003-1062 (Unknown vulnerability in the sysinfo system call for Solaris for SPARC ...) NOT-FOR-US: Solaris CVE-2003-1061 (Race condition in Solaris 2.6 through 9 allows local users to cause a ...) NOT-FOR-US: Solaris CVE-2003-1060 (The NFS Server for Solaris 7, 8, and 9 allows remote attackers to caus ...) NOT-FOR-US: Solaris CVE-2003-1059 (Unknown vulnerability in the libraries for the PGX32 frame buffer in S ...) NOT-FOR-US: Solaris CVE-2003-1058 (The Xsun server for Sun Solaris 2.6 through 9, when running in Direct ...) NOT-FOR-US: Solaris CVE-2003-1057 (Unknown vulnerability in CDE Print Viewer (dtprintinfo) for Sun Solari ...) NOT-FOR-US: Solaris CVE-2003-1056 (The ed editor for Sun Solaris 2.6, 7, and 8 allows local users to crea ...) NOT-FOR-US: Solaris CVE-2003-1055 (Buffer overflow in the nss_ldap.so.1 library for Sun Solaris 8 and 9 m ...) NOT-FOR-US: Solaris CVE-2002-1590 (The Web-Based Enterprise Management (WBEM) packages (1) SUNWwbdoc, (2) ...) NOT-FOR-US: Solaris CVE-2002-1589 (Unknown vulnerability in Solaris 8, when the 0x02 bit (aka TEST, KMF_D ...) NOT-FOR-US: Solaris CVE-2002-1588 (Mailtool for OpenWindows 3.6, 3.6.1, and 3.6.2 allows remote attackers ...) NOT-FOR-US: Mailtool for OpenWindows CVE-2002-1587 (The libthread library (libthread.so.1) for Solaris 2.5.1 through 8 all ...) NOT-FOR-US: Solaris CVE-2002-1586 (Solaris 2.5.1 through 9 allows local users to cause a denial of servic ...) NOT-FOR-US: Solaris CVE-2002-1585 (Unknown vulnerability in Solaris 8 for Intel and Solaris 8 and 9 for S ...) NOT-FOR-US: Solaris CVE-2002-1584 (Unknown vulnerability in the AUTH_DES authentication for RPC in Solari ...) NOT-FOR-US: Solaris CVE-2001-1414 (The Basic Security Module (BSM) for Solaris 2.5.1, 2.6, 7, and 8 does ...) NOT-FOR-US: Solaris CVE-2005-0240 (Format string vulnerability in chdev on IBM AIX 5.2 allows local users ...) NOT-FOR-US: AIX CVE-2005-0239 (viewcert.php in the S/MIME plugin 0.4 and 0.5 for Squirrelmail allows ...) NOT-FOR-US: S/MIME plugin CVE-2005-0238 (The International Domain Name (IDN) support in Epiphany allows remote ...) NOTE: upstream bug https://bugzilla.mozilla.org/show_bug.cgi?id=281381 - epiphany-browser 1.4.8-2 CVE-2005-0237 (The International Domain Name (IDN) support in Konqueror 3.2.1 on KDE ...) - kdelibs 4:3.3.2-3 CVE-2005-0236 (The International Domain Name (IDN) support in Omniweb 5 allows remote ...) NOT-FOR-US: Omniweb CVE-2005-0235 (The International Domain Name (IDN) support in Opera 7.54 allows remot ...) NOT-FOR-US: Opera CVE-2005-0234 (The International Domain Name (IDN) support in Safari 1.2.5 allows rem ...) NOT-FOR-US: Safari CVE-2005-0233 (The International Domain Name (IDN) support in Firefox 1.0, Camino .8. ...) NOTE: IDN is now disabled by default in firefox, but there may be a more elegant NOTE: solution in the future - mozilla-firefox 1.0.1-1 - mozilla 2:1.7.6-1 CVE-2005-0232 (Firefox 1.0 allows remote attackers to modify Boolean configuration pa ...) - mozilla-firefox 1.0+dfsg.1-6 CVE-2005-0231 (Firefox 1.0 does not invoke the Javascript Security Manager when a use ...) - mozilla-firefox 1.0+dfsg.1-6 CVE-2005-0230 (Firefox 1.0 does not prevent the user from dragging an executable file ...) NOTE: I don't know if this could work under Linux, anything I drag on the Desktop from firefox is convert to a Link NOTE: "when it has an image/gif content type but has a dangerous extension such as .bat or .exe, allows remote attackers NOTE: to ... execute arbitrary commands via malformed GIF files ... parsed by the Windows batch file parser NOTE: any interpretor would require the file to be +x to execute it and then would spit if handed a GIF NOTE: < vorlon> hacim: it's specific to Windows, home to the dumbest interpreter on the planet. - mozilla-firefox (Affects only Firefox on Windows) CVE-2005-0229 (CitrusDB 0.3.5 and earlier stores the newfile.txt temporary data file ...) NOT-FOR-US: CitrusDB CVE-2005-0228 REJECTED CVE-2005-0227 (PostgreSQL (pgsql) 7.4.x, 7.2.x, and other versions allows local users ...) {DSA-668-1} - postgresql 7.4.7-1 CVE-2005-0226 (Format string vulnerability in the Log_Resolver function in log.c for ...) NOT-FOR-US: ngIRCd CVE-2005-0225 (firehol.sh in FireHOL before 1.224 creates temporary files with predic ...) - firehol 1.214-4 CVE-2005-0224 (Unknown vulnerability in HP-UX B.11.04 running Virtualvault 4.5 throug ...) NOT-FOR-US: HP-UX CVE-2005-0223 (The Software Development Kit (SDK) and Run Time Environment (RTE) 1.4. ...) NOT-FOR-US: Java SDK and RTE for Tru64 UNIX CVE-2005-0222 (main.php in Gallery 2.0 Alpha allows remote attackers to gain sensitiv ...) - gallery 1.4.4-pl5-1 CVE-2005-0221 (Cross-site scripting (XSS) vulnerability in login.php in Gallery 2.0 A ...) - gallery 1.4.4-pl5-1 CVE-2005-0220 (Cross-site scripting vulnerability in login.php in Gallery 1.4.4-pl2 a ...) - gallery 1.4.4-pl5-1 CVE-2005-0219 (Multiple cross-site scripting (XSS) vulnerabilities in Gallery 1.3.4-p ...) - gallery 1.4.4-pl5-1 CVE-2005-0217 (SQL injection vulnerability in index.php in Invision Community Blog al ...) NOT-FOR-US: Invision Community Blog CVE-2005-0216 (Cross-site scripting (XSS) vulnerability in formmail.php in Woltlab Bu ...) NOT-FOR-US: Woltlab Burning Board Lite CVE-2005-0215 (Mozilla 1.6 and possibly other versions allows remote attackers to cau ...) - mozilla (Mozilla 1.6 for Windows) CVE-2005-0214 (Directory traversal vulnerability in Simple PHP Blog (SPHPBlog) 0.3.7c ...) NOT-FOR-US: SPHPBlog CVE-2005-0213 (Directory traversal vulnerability in WinHKI 1.4d allows remote attacke ...) NOT-FOR-US: WinHKI CVE-2005-0212 (The Amp II engine as used by Gore: Ultimate Soldier 1.50 and earlier a ...) NOT-FOR-US: The Amp II engine as used by Gore: Ultimate Soldier CVE-2005-0211 (Buffer overflow in wccp.c in Squid 2.5 before 2.5.STABLE7 allows remot ...) {DSA-667-1} - squid 2.5.7-6 CVE-2005-0210 (Netfilter in the Linux kernel 2.6.8.1 allows local users to cause a de ...) - linux-2.6 (Fixed before upload into archive) [sarge] - kernel-source-2.6.8 2.6.8-15 - kernel-source-2.4.27 2.4.27-9 (bug #300838) CVE-2005-0209 (Netfilter in Linux kernel 2.6.8.1 allows remote attackers to cause a d ...) - linux-2.6 (Fixed before upload into archive) - kernel-source-2.4.27 2.4.27-9 CVE-2005-0208 (The HTML parsing functions in Gaim before 1.1.4 allow remote attackers ...) - gaim 1:1.1.4 CVE-2005-0207 (Unknown vulnerability in Linux kernel 2.4.x, 2.5.x, and 2.6.x allows N ...) - linux-2.6 (Fixed before upload into archive) [sarge] - kernel-source-2.6.8 2.6.8-14 CVE-2005-0206 (The patch for integer overflow vulnerabilities in Xpdf 2.0 and 3.0 (CV ...) - xpdf (Initial Debian fix was already correct) - gpdf (Initial Debian fix was already correct) - kdegraphics (Initial Debian fix was already correct) - tetex-bin (Initial Debian fix was already correct) - pdftohtml (Initial Debian fix was already correct) - cups 1.1.22-7 - cupsys 1.1.22-7 NOTE: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135393 NOTE: cupsys uses an external xpdf now. CVE-2005-0205 (KPPP 2.1.2 in KDE 3.1.5 and earlier, when setuid root without certain ...) {DSA-692-1} - kdenetwork 4:3.1.6 CVE-2005-0204 (Linux kernel before 2.6.9, when running on the AMD64 and Intel EM64T a ...) - linux-2.6 (Fixed before upload into archive) - kernel-source-2.4.27 2.4.27-9 (bug #296700; high) CVE-2005-0203 REJECTED CVE-2005-0202 (Directory traversal vulnerability in the true_path function in private ...) {DSA-674-1} - mailman 2.1.5-6 CVE-2005-0201 (D-BUS (dbus) before 0.22 does not properly restrict access to a socket ...) - dbus 0.22 CVE-2005-0200 (TikiWiki before 1.8.5 does not properly validate files that have been ...) NOT-FOR-US: TikiWiki CVE-2005-0199 (Integer underflow in the Lists_MakeMask() function in lists.c in ngIRC ...) NOT-FOR-US: ngIRCd CVE-2005-0197 (Cisco IOS 12.1T, 12.2, 12.2T, 12.3 and 12.3T, with Multi Protocol Labe ...) NOT-FOR-US: Cisco CVE-2005-0196 (Cisco IOS 12.0 through 12.3YL, with BGP enabled and running the bgp lo ...) NOT-FOR-US: Cisco CVE-2005-0195 (Cisco IOS 12.0S through 12.3YH allows remote attackers to cause a deni ...) NOT-FOR-US: Cisco CVE-2005-0194 (Squid 2.5, when processing the configuration file, parses empty Access ...) {DSA-667-1} - squid 2.5.7-7 CVE-2005-0193 (Buffer overflow in the (1) -v and (2) -a switches in mRouter in iSync ...) NOT-FOR-US: mRouter in iSync in OS X CVE-2005-0192 (Directory traversal vulnerability in the parsing of Skin file names in ...) NOT-FOR-US: RealPlayer CVE-2005-0191 (Off-by-one buffer overflow in the processing of tags in Real Metadata ...) NOT-FOR-US: RealPlayer CVE-2005-0190 (Directory traversal vulnerability in RealPlayer 10.5 (6.0.12.1040) and ...) NOT-FOR-US: RealPlayer CVE-2005-0189 (Stack-based buffer overflow in the HandleAction function in RealPlayer ...) NOT-FOR-US: RealPlayer CVE-2005-0188 (Format string vulnerability in the SetBaseURL function in AtHoc toolba ...) NOT-FOR-US: AtHoc toolbar CVE-2005-0187 (Stack-based buffer overflow in the SetSkin function in AtHoc toolbar a ...) NOT-FOR-US: AtHoc toolbar CVE-2005-0186 (Cisco IOS 12.1YD, 12.2T, 12.3 and 12.3T, when configured for the IOS T ...) NOT-FOR-US: Cisco CVE-2005-0185 (Stack-based buffer overflow in NodeManager Professional 2.00 allows re ...) NOT-FOR-US: NodeManager Professional CVE-2005-0184 (Directory traversal vulnerability in ftpfile in the Vacation plugin 0. ...) NOT-FOR-US: vacation plugin CVE-2005-0183 (ftpfile in the Vacation plugin 0.15 and earlier for Squirrelmail allow ...) NOT-FOR-US: vacation plugin CVE-2005-0182 (The mod_dosevasive module 1.9 and earlier for Apache creates temporary ...) NOT-FOR-US: mod_dosevasive module for apache CVE-2005-0181 RESERVED CVE-2005-0180 (Multiple integer signedness errors in the sg_scsi_ioctl function in sc ...) [sarge] - kernel-source-2.6.8 2.6.8-12 - linux-2.6 (Fixed before upload into archive) - kernel-source-2.4.27 (intlen and outlen are unsigned in 2.4) CVE-2005-0179 (Linux kernel 2.4.x and 2.6.x allows local users to cause a denial of s ...) [sarge] - kernel-source-2.6.8 (Vulnerable code was only introduced in 2.6.9) - linux-2.6 (Fixed before initial release) CVE-2005-0178 (Race condition in the setsid function in Linux before 2.6.8.1 allows l ...) - kernel-source-2.4.27 (v2.4 is safe because back there current->signal was not shared.) - linux-2.6 (Fixed before upload into archive; 2.6.8.1) [sarge] - kernel-source-2.6.8 2.6.8-14 CVE-2005-0177 (nls_ascii.c in Linux before 2.6.8.1 uses an incorrect table size, whic ...) - kernel-source-2.4.27 (According to joshk, doesn't apply to 2.4.27) - linux-2.6 (Fixed before upload into archive; 2.6.8.1) [sarge] - kernel-source-2.6.8 2.6.8-14 CVE-2005-0176 (The shmctl function in Linux 2.6.9 and earlier allows local users to u ...) - linux-2.6 (Fixed before upload into archive) CVE-2004-1392 (PHP 4.0 with cURL functions allows remote attackers to bypass the open ...) - php4 4:4.3.10-3 CVE-2004-1391 (Untrusted execution path vulnerability in the PPPoE daemon (PPPoEd) in ...) NOT-FOR-US: PPPoE daemon (PPPoEd) in QNX RTP CVE-2004-1390 (Multiple buffer overflows in the PPPoE daemon (PPPoEd) in QNX RTP 6.1 ...) NOT-FOR-US: PPPoE daemon (PPPoEd) in QNX RTP CVE-2004-1389 (Unknown vulnerability in the Veritas NetBackup Administrative Assistan ...) NOT-FOR-US: Veritas NetBackup Administrative Assistant CVE-2004-1388 (Format string vulnerability in the gpsd_report function for BerliOS GP ...) - gpsd 2.7-4 CVE-2004-1387 (The check_forensic script in apache-utils package 1.3.31 allows local ...) - apache 1.3.33-3 CVE-2004-1386 (TikiWiki before 1.8.4.1 does not properly verify uploaded images, whic ...) NOT-FOR-US: TikiWiki CVE-2004-1385 (phpGroupWare 0.9.16.003 and earlier allows remote attackers to gain se ...) - phpgroupware 0.9.16.005-1 (unimportant) NOTE: path disclosure only, path is known on Debian anyway CVE-2004-1384 (Multiple cross-site scripting (XSS) vulnerabilities in phpGroupWare 0. ...) - phpgroupware 0.9.16.005-1 CVE-2004-1383 (Multiple SQL injection vulnerabilities in phpGroupWare 0.9.16.003 and ...) - phpgroupware 0.9.16.005-1 CVE-2004-1382 (The glibcbug script in glibc 2.3.4 and earlier allows local users to o ...) - glibc 2.3.2.ds1-19 CVE-2005-0218 (ClamAV 0.80 and earlier allows remote attackers to bypass virus scanni ...) - clamav 0.81 CVE-2005-0198 (A logic error in the CRAM-MD5 code for the University of Washington IM ...) - uw-imap 7:2002edebian1-6 CVE-2005-0175 (Squid 2.5 up to 2.5.STABLE7 allows remote attackers to poison the cach ...) {DSA-667-1} - squid 2.5.7-6 CVE-2005-0174 (Squid 2.5 up to 2.5.STABLE7 allows remote attackers to poison the cach ...) - squid 2.5.7-6 CVE-2005-0173 (squid_ldap_auth in Squid 2.5 and earlier allows remote authenticated u ...) {DSA-667-1} - squid 2.5.7-4 CVE-2005-0172 REJECTED CVE-2005-0171 REJECTED CVE-2005-0170 REJECTED CVE-2005-0169 REJECTED CVE-2005-0168 REJECTED CVE-2005-0167 REJECTED CVE-2005-0166 REJECTED CVE-2005-0165 REJECTED CVE-2005-0164 RESERVED CVE-2005-0163 RESERVED CVE-2005-0162 (Stack-based buffer overflow in the get_internal_addresses function in ...) - openswan 2.3.0-2 - freeswan CVE-2005-0161 (Multiple directory traversal vulnerabilities in unace 1.2b allow attac ...) - unace 1.2b-3 CVE-2005-0160 (Multiple buffer overflows in unace 1.2b allow attackers to execute arb ...) - unace 1.2b-3 CVE-2005-0159 (The tpkg-* scripts in the toolchain-source 3.0.4 package on Debian GNU ...) {DSA-679-1} - toolchain-source 3.4-5 CVE-2005-0158 (Format string vulnerability in bidwatcher before 1.3.17 allows remote ...) {DSA-687-1} - bidwatcher 1.3.17-1 CVE-2005-0157 (The confirm add-on in SmartList 3.15 and earlier allows attackers to s ...) {DSA-720-1} - smartlist 3.15-18 CVE-2005-0156 (Buffer overflow in the PerlIO implementation in Perl 5.8.0, when insta ...) - perl 5.8.4-6 CVE-2005-0155 (The PerlIO implementation in Perl 5.8.0, when installed with setuid su ...) - perl 5.8.4-6 - mooix 1.0rc5.pre4 CVE-2005-0154 RESERVED CVE-2005-0153 RESERVED CVE-2005-0152 (PHP remote file inclusion vulnerability in Squirrelmail 1.2.6 allows r ...) {DSA-662-1} - squirrelmail 1:1.2.7-1 NOTE: This bug exists only in version 1.2.6. CVE-2005-0151 (Unknown vulnerability in the installation of Adobe License Management ...) NOT-FOR-US: Adobe License Management Software CVE-2005-0150 (Firefox before 1.0 allows the user to store a (1) javascript: or (2) d ...) - mozilla-firefox 1.0 CVE-2005-0149 (Thunderbird 0.6 through 0.9 and Mozilla 1.7 through 1.7.3 does not obe ...) - mozilla-thunderbird 0.7 - mozilla 2:1.7.4 CVE-2005-0148 (Thunderbird before 0.9, when running on Windows systems, uses the defa ...) - mozilla-thunderbird (Affects only Thunderbird on Windows) CVE-2005-0147 (Firefox before 1.0 and Mozilla before 1.7.5, when configured to use a ...) - mozilla-firefox 1.0 - mozilla 2:1.7.5 CVE-2005-0146 (Firefox before 1.0 and Mozilla before 1.7.5 allow remote attackers to ...) - mozilla-firefox 1.0 - mozilla 2:1.7.5 CVE-2005-0145 (Firefox before 1.0 does not properly distinguish between user-generate ...) - mozilla-firefox 1.0 CVE-2005-0144 (Firefox before 1.0 and Mozilla before 1.7.5 display the secure site lo ...) - mozilla-firefox 1.0 - mozilla 2:1.7.5 CVE-2005-0143 (Firefox before 1.0 and Mozilla before 1.7.5 display the SSL lock icon ...) - mozilla-firefox 1.0 - mozilla 2:1.7.5 CVE-2005-0142 (Firefox 0.9, Thunderbird 0.6 and other versions before 0.9, and Mozill ...) - mozilla-firefox 1.0 - mozilla-thunderbird 0.7 - mozilla 2:1.7.5 CVE-2005-0141 (Firefox before 1.0 and Mozilla before 1.7.5 allow remote attackers to ...) - mozilla-firefox 1.0 - mozilla 2:1.7.5 CVE-2005-0140 (Buffer overflow in PeID allows attackers to execute arbitrary code via ...) NOT-FOR-US: PeID CVE-2005-0139 (Unknown vulnerability in rpc.mountd in SGI IRIX 6.5.25, 6.5.26, and 6. ...) NOT-FOR-US: Irix CVE-2005-0138 (rpc.mountd in SGI IRIX 6.5.25, 6.5.26, and 6.5.27 does not correctly a ...) NOT-FOR-US: Irix CVE-2005-0137 (Linux kernel 2.6 on Itanium (ia64) architectures allows local users to ...) - linux-2.6 - kernel-source-2.4.27 2.4.27-10 (bug #308584) CVE-2005-0136 (The Linux kernel before 2.6.11 on the Itanium IA64 platform has certai ...) [sarge] - kernel-source-2.6.8 2.6.8-14 - linux-2.6 2.6.11 CVE-2005-0135 (The unw_unwind_to_user function in unwind.c on Itanium (ia64) architec ...) {DSA-1082-1 DSA-1070-1 DSA-1067-1} - linux-2.6 [sarge] - kernel-source-2.6.8 2.6.8-14 CVE-2005-0134 (The X server in SCO UnixWare 7.1.1, 7.1.3, and 7.1.4 does not properly ...) NOT-FOR-US: SCO UnixWare CVE-2004-1381 (Firefox before 1.0 and Mozilla before 1.7.5 allow inactive (background ...) - mozilla-firefox 1.0 - mozilla 2:1.7.5 CVE-2004-1380 (Firefox before 1.0 and Mozilla before 1.7.5 allows inactive (backgroun ...) - mozilla-firefox 1.0 - mozilla 2:1.7.5 CVE-2005-0133 (ClamAV 0.80 and earlier allows remote attackers to cause a denial of s ...) - clamav 0.80-0.81rc1-1 CVE-2005-0132 RESERVED CVE-2005-0131 (The Quick Connection dialog in Konversation 0.15 inadvertently uses th ...) - konversation 0.15-3 CVE-2005-0130 (Certain Perl scripts in Konversation 0.15 allow remote attackers to ex ...) - konversation 0.15-3 CVE-2005-0129 (The Quick Buttons feature in Konversation 0.15 allows remote attackers ...) - konversation 0.15-3 CVE-2005-0128 REJECTED CVE-2005-0127 (Mail in Mac OS X 10.3.7, when generating a Message-ID header, generate ...) NOT-FOR-US: MacOS CVE-2005-0126 (ColorSync on Mac OS X 10.3.7 and 10.3.8 allows attackers to execute ar ...) NOT-FOR-US: MacOS CVE-2005-0125 (The "at" commands on Mac OS X 10.3.7 and earlier do not properly drop ...) NOT-FOR-US: MacOS CVE-2005-0124 (The coda_pioctl function in the coda functionality (pioctl.c) for Linu ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1 DSA-1017-1} - linux-2.6 2.6.12-1 CVE-2005-0123 REJECTED CVE-2005-0122 REJECTED CVE-2005-0121 (Multiple buffer overflows in golddig 2.0 and earlier allow local users ...) NOT-FOR-US: golddig CVE-2005-0120 (helvis 1.8h2_1 and earlier allows local users to delete arbitrary file ...) NOT-FOR-US: helvis CVE-2005-0119 (helvis 1.8h2_1 and earlier allows local users to recover and read the ...) NOT-FOR-US: helvis CVE-2005-0118 (helvis 1.8h2_1 and earlier stores recovery files in world readable dir ...) NOT-FOR-US: helvis CVE-2005-0117 (Buffer overflow in XShisen before 1.36 allows local users to execute a ...) - xshisen 1.51-1-1.1 (bug #289784) CVE-2005-0116 (AWStats 6.1, and other versions before 6.3, allows remote attackers to ...) - awstats 6.2-1.1 CVE-2005-0115 (Stack-based buffer overflow in DataRescue Interactive Disassembler (ID ...) NOT-FOR-US: DataRescue Interactive Disassembler CVE-2005-0114 (vsdatant.sys in Zone Lab ZoneAlarm before 5.5.062.011, ZoneAlarm Wirel ...) NOT-FOR-US: ZoneAlarm CVE-2005-0113 (inpview in SGI IRIX allows local users to execute arbitrary commands v ...) NOT-FOR-US: IRIX CVE-2005-0112 (The web-based administrative interface for 3Com OfficeConnect Wireless ...) NOT-FOR-US: 3Com OfficeConnect Wireless 11g Access Point CVE-2005-0111 (Stack-based buffer overflow in the websql CGI program in MySQL MaxDB 7 ...) - maxdb-7.5.00 7.5.00.18 CVE-2005-0110 (Internet Explorer 6 on Windows XP SP2 allows remote attackers to bypas ...) NOT-FOR-US: MSIE CVE-2005-0109 (Hyper-Threading technology, as used in FreeBSD and other operating sys ...) NOTE: According to Linus Torvalds and others on linux-kernel this is a theoretical NOTE: attack, paranoid people should disable hyper threading - kfreebsd5-source 5.3-11 CVE-2005-0108 (Apache mod_auth_radius 1.5.4 and libpam-radius-auth allow remote malic ...) {DSA-659-1} - libapache-mod-auth-radius 1.5.7-6 - libpam-radius-auth 1.3.16-3 CVE-2005-0107 (bsmtpd 2.3 and earlier does not properly sanitize e-mail addresses, wh ...) {DSA-690-1} - bsmtpd 2.3pl8b-16 CVE-2005-0106 (SSLeay.pm in libnet-ssleay-perl before 1.25 uses the /tmp/entropy file ...) - libnet-ssleay-perl 1.25-1.1 CVE-2005-0105 (Unknown vulnerability in typespeed 0.4.1 and earlier allows local user ...) {DSA-684-1} - typespeed 0.4.4-8 CVE-2005-0104 (Cross-site scripting (XSS) vulnerability in webmail.php in SquirrelMai ...) {DSA-662-1} - squirrelmail 2:1.4.4 CVE-2005-0103 (PHP remote file inclusion vulnerability in webmail.php in SquirrelMail ...) - squirrelmail 2:1.4.4-1 CVE-2005-0102 (Integer overflow in camel-lock-helper in Evolution 2.0.2 and earlier a ...) {DSA-673-1} - evolution 2.0.3-1.2 (bug #295548) CVE-2005-0101 (Buffer overflow in the socket_getline function in Newspost 2.1.1 and e ...) - newspost 2.1.1-2 CVE-2005-0100 (Format string vulnerability in the movemail utility in (1) Emacs 20.x, ...) {DSA-685-1 DSA-671-1 DSA-670-1} - emacs21 21.3+1-9 - xemacs21 21.4.16-2 CVE-2005-0099 (The SDL port of abuse (abuse-SDL) before 2.00 does not properly drop p ...) {DSA-691-1} - abuse CVE-2005-0098 (Multiple buffer overflows in the SDL port of abuse (abuse-SDL) before ...) {DSA-691-1} - abuse CVE-2005-0097 (The NTLM component in Squid 2.5.STABLE7 and earlier allows remote atta ...) - squid 2.5.7-4 CVE-2005-0096 (Memory leak in the NTLM fakeauth_auth helper for Squid 2.5.STABLE7 and ...) - squid 2.5.7-4 CVE-2005-0095 (The WCCP message parsing code in Squid 2.5.STABLE7 and earlier allows ...) {DSA-651-1} - squid 2.5.7-4 CVE-2005-0094 (Buffer overflow in the gopherToHTML function in the Gopher reply parse ...) {DSA-651-1} - squid 2.5.7-4 CVE-2005-0093 REJECTED CVE-2005-0092 (Unknown vulnerability in the Red Hat Enterprise Linux 4 kernel 4GB/4GB ...) - linux-2.6 (Apparently specific to Red hat hugemem kernel) CVE-2005-0091 (Unknown vulnerability in the Red Hat Enterprise Linux 4 kernel 4GB/4GB ...) - linux-2.6 (Apparently specific to Red hat hugemem kernel) CVE-2005-0090 (A regression error in the Red Hat Enterprise Linux 4 kernel 4GB/4GB sp ...) - linux-2.6 (Apparently specific to Red hat hugemem kernel) CVE-2005-0089 (The SimpleXMLRPCServer library module in Python 2.2, 2.3 before 2.3.5, ...) {DSA-666-1} - python2.2 2.2.3-14 - python2.3 2.3.4+2.3.5c1-2 - python2.4 2.4-5 CVE-2005-0088 (The publisher handler for mod_python 2.7.8 and earlier allows remote a ...) {DSA-689-1} - libapache2-mod-python 3.1.3-3 - libapache-mod-python 2:2.7.10-4 CVE-2005-0087 (The alsa-lib package in Red Hat Linux 4 disables stack protection for ...) NOTE: debian does not have stack protection, but it's fixed anyway since 1.0.9 - alsa-lib 1.0.9-1 (unimportant) CVE-2005-0086 (Heap-based buffer overflow in less in Red Hat Enterprise Linux 3 allow ...) - less (Red Hat specific less bug) CVE-2005-0085 (Cross-site scripting (XSS) vulnerability in ht://dig (htdig) before 3. ...) {DSA-680-1} - htdig 1:3.1.6-11 (bug #305996) CVE-2005-0084 (Buffer overflow in the X11 dissector in Ethereal 0.8.10 through 0.10.8 ...) {DSA-653-1} - ethereal 0.10.9-1 CVE-2005-0083 (MySQL MaxDB 7.5.00 for Windows, and possibly earlier versions and othe ...) - maxdb-7.5.00 7.5.00.24-1 CVE-2005-0082 (The sapdbwa_GetUserData function in MySQL MaxDB 7.5.0.0, and other ver ...) - maxdb-7.5.00 7.5.00.21-1 CVE-2005-0081 (MySQL MaxDB 7.5.0.0, and other versions before 7.5.0.21, allows remote ...) - maxdb-7.5.00 7.5.00.21-1 CVE-2004-1379 (Heap-based buffer overflow in the DVD subpicture decoder in xine xine- ...) {DSA-657-1} - xine-lib 1-rc6a-1 CVE-2004-1378 (The expat XML parser code, as used in the open source Jabber (jabberd) ...) - jabber 1.4.3-3 (unimportant) NOTE: We do not ship jadc2s. CVE-2004-1377 (The (1) fixps (aka fixps.in) and (2) psmandup (aka psmandup.in) script ...) - a2ps 1:4.13b-4.3 (bug #286387; bug #286385) CVE-2003-1054 (mod_access_referer 1.0.2 allows remote attackers to cause a denial of ...) NOT-FOR-US: mod_access_referer CVE-2003-1053 (Multiple buffer overflows in XShisen allow attackers to execute arbitr ...) - xshisen 1.51-1-1 (bug #213957) CVE-2005-0080 (The 55_options_traceback.dpatch patch for mailman 2.1.5 in Ubuntu 4.10 ...) - mailman 2.1.5-5 CVE-2005-0079 (Buffer overflow in xtrlock 2.0 allows local users to cause a denial of ...) {DSA-649-1} - xtrlock 2.0-9 CVE-2005-0078 (The KDE screen saver in KDE before 3.0.5 does not properly check the r ...) {DSA-660-1} - kdebase 4:3.0.5 CVE-2005-0077 (The DBI library (libdbi-perl) for Perl allows local users to overwrite ...) {DSA-658-1} - libdbi-perl 1.46-6 CVE-2005-0076 (Multiple buffer overflows in the XView library 3.2 may allow local use ...) {DSA-672-1} - xview 3.2p1.4-19 CVE-2005-0075 (prefs.php in SquirrelMail before 1.4.4, with register_globals enabled, ...) - squirrelmail 2:1.4.4-1 CVE-2005-0074 (Buffer overflow in pcdsvgaview in xpcd 2.08 allows local users to exec ...) {DSA-676-1} - xpcd 2.08-11.1 (bug #294793) CVE-2005-0073 (Buffer overflow in queue.c in a support script for sympa 3.3.3, when r ...) {DSA-677-1} - sympa 4.1.2-2.1 CVE-2005-0072 (zhcon before 0.2 does not drop privileges before reading a user config ...) {DSA-655-1} - zhcon 1:0.2.3-8.1 (bug #292210) CVE-2005-0071 (vdr before 1.2.6 does not securely create files, which allows attacker ...) {DSA-656-1} - vdr 1.2.6-6 CVE-2005-0070 (Synaesthesia 2.1 and earlier, and possibly other versions, when instal ...) {DSA-681-1} - synaesthesia 2.1-3 NOTE: does not apply for sarge, program is not setuid anymore CVE-2005-0069 (The (1) tcltags or (2) vimspell.sh scripts in vim 6.3 allow local user ...) - vim 1:6.3-058+1 CVE-2005-0068 (The original design of ICMP does not require authentication for host-g ...) NOTE: general icmp design error CVE-2005-0067 (The original design of TCP does not require that port numbers be assig ...) NOTE: general tcp design error, no indication it affects linux CVE-2005-0066 (The original design of TCP does not check that the TCP Acknowledgement ...) NOTE: general tcp design error CVE-2005-0065 (The original design of TCP does not check that the TCP sequence number ...) NOTE: general tcp design error CVE-2005-0064 (Buffer overflow in the Decrypt::makeFileKey2 function in Decrypt.cc fo ...) {DSA-648-1 DSA-645-1} - xpdf 3.00-13 - gpdf 2.8.2-1.2 - pdftohtml 0.36-11 - kdegraphics 4:3.3.2-2 - tetex-bin 2.0.2-26 - cupsys 1.1.22-6 (bug #324459) - cups 1.1.22-6 (bug #324459) NOTE: cupsys switched to an xpdf-utils wrapper in version 1.1.22-6. NOTE: In version 1.1.23-13, the dormant code in the source NOTE: package was fixed. CVE-2005-0063 (The document processing application used by the Windows Shell in Micro ...) NOT-FOR-US: Microsoft CVE-2005-0062 RESERVED CVE-2005-0061 (The kernel of Microsoft Windows 2000, Windows XP SP1 and SP2, and Wind ...) NOT-FOR-US: Microsoft CVE-2005-0060 (Buffer overflow in the font processing component of Microsoft Windows ...) NOT-FOR-US: Microsoft CVE-2005-0059 (Buffer overflow in the Message Queuing component of Microsoft Windows ...) NOT-FOR-US: Microsoft CVE-2005-0058 (Buffer overflow in the Telephony Application Programming Interface (TA ...) NOT-FOR-US: TAPI for Windows CVE-2005-0057 (The Hyperlink Object Library for Windows 98, 2000, XP, and Server 2003 ...) NOT-FOR-US: Microsoft CVE-2005-0056 (Internet Explorer 5.01, 5.5, and 6 does not properly validate certain ...) NOT-FOR-US: Microsoft CVE-2005-0055 (Internet Explorer 5.01, 5.5, and 6 does not properly validate buffers ...) NOT-FOR-US: Microsoft CVE-2005-0054 (Internet Explorer 5.01, 5.5, and 6 allows remote attackers to spoof a ...) NOT-FOR-US: Microsoft CVE-2005-0053 (Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute ...) NOT-FOR-US: Microsoft CVE-2005-0052 RESERVED CVE-2005-0051 (The Server service (srvsvc.dll) in Windows XP SP1 and SP2 allows remot ...) NOT-FOR-US: Microsoft CVE-2005-0050 (The License Logging service for Windows NT Server, Windows 2000 Server ...) NOT-FOR-US: Microsoft CVE-2005-0049 (Windows SharePoint Services and SharePoint Team Services for Windows S ...) NOT-FOR-US: Microsoft CVE-2005-0048 (Microsoft Windows XP SP2 and earlier, 2000 SP3 and SP4, Server 2003, a ...) NOT-FOR-US: Microsoft CVE-2005-0047 (Windows 2000, XP, and Server 2003 does not properly "validate the use ...) NOT-FOR-US: Microsoft CVE-2005-0046 RESERVED CVE-2005-0045 (The Server Message Block (SMB) implementation for Windows NT 4.0, 2000 ...) NOT-FOR-US: Microsoft CVE-2005-0044 (The OLE component in Windows 98, 2000, XP, and Server 2003, and Exchan ...) NOT-FOR-US: Microsoft CVE-2005-0043 (Buffer overflow in Apple iTunes 4.7 allows remote attackers to execute ...) NOT-FOR-US: iTunes CVE-2005-0042 RESERVED CVE-2005-0041 RESERVED CVE-2005-0040 (Multiple cross-site scripting (XSS) vulnerabilities in DotNetNuke befo ...) NOT-FOR-US: DotNetNuke CVE-2005-0039 (Certain configurations of IPsec, when using Encapsulating Security Pay ...) NOTE: These are known issues of IPSEC and basically every VPN system using NOTE: encryption without authentication. NOTE: openswan even prevents such configurations CVE-2005-0038 (The DNS implementation of PowerDNS 2.9.16 and earlier allows remote at ...) - pdns 2.9.17-1 CVE-2005-0037 (The DNS implementation of DNRD before 2.10 allows remote attackers to ...) NOT-FOR-US: dnrd CVE-2005-0036 (The DNS implementation in DeleGate 8.10.2 and earlier allows remote at ...) NOT-FOR-US: DeleGate CVE-2005-0035 (The Acrobat web control in Adobe Acrobat and Acrobat Reader 7.0 and ea ...) NOT-FOR-US: Adobe CVE-2005-0034 (An "incorrect assumption" in the authvalidated validator function in B ...) - bind9 1:9.3.1 [woody] - bind9 [sarge] - bind9 NOTE: only affects bind9 9.3.0, sarge and woody have an earlier versions CVE-2005-0033 (Buffer overflow in the code for recursion and glue fetching in BIND 8. ...) - bind 1:8.4.6-1 CVE-2004-1376 (Directory traversal vulnerability in Microsoft Internet Explorer 5.01, ...) NOT-FOR-US: MSIE CVE-2004-1375 (Unknown vulnerability in System Administration Manager (SAM) in HP-UX ...) NOT-FOR-US: HP-UX CVE-2004-1374 (Multiple buffer overflows in NetBSD kernel may allow local users to ex ...) NOT-FOR-US: NetBSD CVE-2004-1373 (Format string vulnerability in SHOUTcast 1.9.4 allows remote attackers ...) NOT-FOR-US: Shoutcast CVE-2004-1372 (Multiple stack-based buffer overflows in IBM DB2 7.x and 8.1 allow loc ...) NOT-FOR-US: IBM DB2 CVE-2004-1371 (Stack-based buffer overflow in Oracle 9i and 10g allows remote attacke ...) NOT-FOR-US: Oracle CVE-2004-1370 (Multiple SQL injection vulnerabilities in PL/SQL procedures that run w ...) NOT-FOR-US: Oracle CVE-2004-1369 (The TNS Listener in Oracle 10g allows remote attackers to cause a deni ...) NOT-FOR-US: Oracle CVE-2004-1368 (ISQL*Plus in Oracle 10g Application Server allows remote attackers to ...) NOT-FOR-US: Oracle CVE-2004-1367 (Oracle 10g Database Server, when installed with a password that contai ...) NOT-FOR-US: Oracle CVE-2004-1366 (Oracle 10g Database Server stores the password for the SYSMAN account ...) NOT-FOR-US: Oracle CVE-2004-1365 (Extproc in Oracle 9i and 10g does not require authentication to load a ...) NOT-FOR-US: Oracle CVE-2004-1364 (Directory traversal vulnerability in extproc in Oracle 9i and 10g allo ...) NOT-FOR-US: Oracle CVE-2004-1363 (Buffer overflow in extproc in Oracle 10g allows remote attackers to ex ...) NOT-FOR-US: Oracle CVE-2004-1362 (The PL/SQL module for the Oracle HTTP Server in Oracle Application Ser ...) NOT-FOR-US: Oracle CVE-2004-1361 (Integer underflow in winhlp32.exe in Windows NT, Windows 2000 through ...) NOT-FOR-US: Windows CVE-2004-1360 (Unknown vulnerability in conv_fix in Sun Solaris 7 through 9, when inv ...) NOT-FOR-US: Solaris CVE-2004-1359 (Multiple buffer overflows in uucp for Sun Solaris 2.6, 7, 8, and 9 all ...) NOT-FOR-US: Solaris CVE-2004-1358 (The patches (1) 114332-08 and (2) 114929-06 for Sun Solaris 9 disable ...) NOT-FOR-US: Solaris CVE-2004-1357 (The Secure Shell (SSH) Daemon (SSHD) in Sun Solaris 9 does not properl ...) NOT-FOR-US: ssh on Solaris CVE-2004-1356 (Unknown vulnerability in the sendfilev function in Sun Solaris 8 and 9 ...) NOT-FOR-US: Solaris CVE-2004-1355 (Unknown vulnerability in the TCP/IP stack for Sun Solaris 8 and 9 allo ...) NOT-FOR-US: Solaris CVE-2004-1354 (The Solaris Management Console (SMC) in Sun Solaris 8 and 9 generates ...) NOT-FOR-US: Solaris CVE-2004-1353 (Unknown vulnerability in LDAP on Sun Solaris 8 and 9, when using Role ...) NOT-FOR-US: Solaris CVE-2004-1352 (Buffer overflow in the ping daemon of Sun Solaris 7 through 9 may allo ...) NOT-FOR-US: Solaris CVE-2004-1351 (Unknown vulnerability in the rwho daemon (in.rwhod) for Solaris 7 thro ...) NOT-FOR-US: Solaris CVE-2004-1350 (Multiple buffer overflows in Sun Java System Web Proxy Server (formerl ...) NOT-FOR-US: Sun Java System Web Proxy Server CVE-2004-1349 (gzip before 1.3 in Solaris 8, when called with the -f or -force flags, ...) - gzip (gzip on Solaris) CVE-2004-1348 (Unknown vulnerability in in.named on Solaris 8 allows remote attackers ...) NOT-FOR-US: Solaris CVE-2004-1347 (X Display Manager (XDM) on Solaris 8 allows remote attackers to cause ...) - xfree86 (xdm on Solaris) - xorg-x11 (xdm on Solaris) CVE-2004-1346 (The Sun Solaris Volume Manager (SVM) on Solaris 9 allows local users t ...) NOT-FOR-US: Solaris CVE-2004-1345 (Unknown vulnerability in Sun StorEdge Enterprise Storage Manager (ESM) ...) NOT-FOR-US: Sun StorEdge Enterprise Storage Manager CVE-2004-1344 REJECTED CVE-2004-1343 (CVS 1.12 and earlier on Debian GNU/Linux does not properly handle when ...) {DSA-715-1} - cvs 1:1.12.9-12 CVE-2004-1342 (CVS 1.12 and earlier on Debian GNU/Linux, when using the repouid patch ...) {DSA-715-1} - cvs 1:1.12.9-12 CVE-2004-1341 (Cross-site scripting (XSS) vulnerability in info2www before 1.2.2.9 al ...) {DSA-711-1} - info2www 1.2.2.9-23 (bug #281655) CVE-2004-1340 (Debian GNU/Linux 3.0 installs the libpam-radius-auth package with the ...) {DSA-659-1} - libpam-radius-auth 1.3.16-1.1 CVE-2005-0032 RESERVED CVE-2005-0031 RESERVED CVE-2005-0030 RESERVED CVE-2005-0029 RESERVED CVE-2005-0028 RESERVED CVE-2005-0027 RESERVED CVE-2005-0026 RESERVED CVE-2005-0025 RESERVED CVE-2005-0024 RESERVED CVE-2005-0023 (gnome-pty-helper in GNOME libzvt2 and libvte4 allows local users to sp ...) - gnome-libs (bug #329156; unimportant) - vte (bug #330907; unimportant) NOTE: Not considered a security problem, see #329156 CVE-2005-0022 (Buffer overflow in the spa_base64_to_bits function in Exim before 4.43 ...) - exim4 4.34-10 CVE-2005-0021 (Multiple buffer overflows in Exim before 4.43 may allow attackers to e ...) {DSA-637-1 DSA-635-1} - exim4 4.34-10 - exim 3.36-13 (bug #290036) - exim-tls CVE-2005-0020 (Buffer overflow in playmidi before 2.4 allows local users to execute a ...) {DSA-641-1} - playmidi 2.4debian-3 CVE-2005-0019 (Unknown vulnerability in hztty 2.0 and earlier allows local users to e ...) {DSA-675-1} - hztty 2.0-6.1 CVE-2005-0018 (The f2 shell script in the f2c package 3.1 allows local users to read ...) {DSA-661-2} - f2c 20020621-3.4 (bug #292792) CVE-2005-0017 (The f2c translator in the f2c package 3.1 allows local users to read a ...) {DSA-661-2} - f2c 20020621-3.4 (bug #292792) CVE-2005-0016 (Buffer overflow in the exported_display function in xatitv in gatos be ...) {DSA-640-1} - gatos 0.0.5-15 CVE-2005-0015 (diatheke.pl in Sword 1.5.7a allows remote attackers to execute arbitra ...) {DSA-650-1} - sword 1.5.7-7 (bug #291433) CVE-2005-0014 (Buffer overflow in ncplogin in ncpfs before 2.2.6 allows remote malici ...) - ncpfs 2.2.6-1 CVE-2005-0013 (nwclient.c in ncpfs before 2.2.6 does not drop root privileges before ...) {DSA-665-1} - ncpfs 2.2.6-1 CVE-2005-0012 (Format string vulnerability in the a_Interface_msg function in Dillo b ...) - dillo 0.8.3-1 CVE-2005-0011 (Multiple vulnerabilities in fliccd, when installed setuid root as part ...) - kdeedu 4:3.3.2-2 CVE-2005-0010 (Unknown vulnerability in the MMSE dissector in Ethereal 0.10.4 through ...) - ethereal 0.10.9-1 CVE-2005-0009 (Unknown vulnerability in the Gnutella dissector in Ethereal 0.10.6 thr ...) - ethereal 0.10.9-1 CVE-2005-0008 (Unknown vulnerability in the DNP dissector in Ethereal 0.10.5 through ...) - ethereal 0.10.9-1 CVE-2005-0007 (Unknown vulnerability in the DLSw dissector in Ethereal 0.10.6 through ...) - ethereal 0.10.9-1 CVE-2005-0006 (The COPS dissector in Ethereal 0.10.6 through 0.10.8 allows remote att ...) - ethereal 0.10.9-1 CVE-2005-0005 (Heap-based buffer overflow in psd.c for ImageMagick 6.1.0, 6.1.7, and ...) {DSA-646-1} - imagemagick 6:6.0.6.2-2.1 (bug #291118; bug #291033) CVE-2005-0004 (The mysqlaccess script in MySQL 4.0.23 and earlier, 4.1.x before 4.1.1 ...) {DSA-647-1} - mysql-dfsg-4.1 4.1.8a-6 - mysql-dfsg 4.0.23-3 CVE-2005-0003 (The 64 bit ELF support in Linux kernel 2.6 before 2.6.10, on 64-bit ar ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - linux-2.6 (Fixed before upload into archive; 2.6.10) - kernel-source-2.4.27 2.4.27-9 [sarge] - kernel-source-2.6.8 2.6.8-9 CVE-2005-0002 (poppassd_pam 1.0 and earlier, when changing a user password, does not ...) NOT-FOR-US: poppassd_pam CVE-2005-0001 (Race condition in the page fault handler (fault.c) for Linux kernel 2. ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} NOTE: i386 and smp specific - linux-2.6 (Fixed before upload into archive) - kernel-source-2.4.27 2.4.27-8 [sarge] - kernel-source-2.6.8 2.6.8-13 CVE-2004-1339 (SQL injection vulnerability in the (1) MDSYS.SDO_GEOM_TRIG_INS1 and (2 ...) NOT-FOR-US: oracle CVE-2004-1338 (The triggers in Oracle 9i and 10g allow local users to gain privileges ...) NOT-FOR-US: oracle CVE-2004-1337 (The POSIX Capability Linux Security Module (LSM) for Linux kernel 2.6 ...) - linux-2.6 (Fixed before upload into archive, 2.6.11) [sarge] - kernel-source-2.6.8 2.6.8-14 CVE-2004-1336 (The xdvizilla script in tetex-bin 2.0.2 creates temporary files with p ...) - tetex-bin 2.0.2-25 CVE-2004-1335 (Memory leak in the ip_options_get function in the Linux kernel before ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - linux-2.6 (Fixed before upload into archive; 2.6.10) [sarge] - kernel-source-2.6.8 2.6.8-11 - kernel-source-2.4.27 2.4.27-9 CVE-2004-1334 (Integer overflow in the ip_options_get function in the Linux kernel be ...) - linux-2.6 (Fixed before upload into archive; 2.6.10) [sarge] - kernel-source-2.6.8 2.6.8-11 - kernel-source-2.4.27 CVE-2004-1333 (Integer overflow in the vc_resize function in the Linux kernel 2.4 and ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - linux-2.6 (Fixed before upload into archive; 2.6.10) [sarge] - kernel-source-2.6.8 2.6.8-11 - kernel-source-2.4.27 2.4.27-9 CVE-2004-1332 (Stack-based buffer overflow in the FTP daemon in HP-UX 11.11i, with th ...) NOT-FOR-US: hpux CVE-2004-1331 (The execCommand method in Microsoft Internet Explorer 6.0 SP2 allows r ...) NOT-FOR-US: microsoft CVE-2004-1330 (Buffer overflow in paginit in AIX 5.1 through 5.3 allows local users t ...) NOT-FOR-US: AIX CVE-2004-1329 (Untrusted execution path vulnerability in the diag commands (1) lsmcod ...) NOT-FOR-US: AIX CVE-2004-1328 (Unknown vulnerability in newgrp in HP-UX B.11.00, B.11.04, and B.11.11 ...) NOT-FOR-US: hpux CVE-2004-1327 (Buffer overflow in Crystal FTP Client 2.8 allows remote malicious serv ...) NOT-FOR-US: Crystal FTP client CVE-2004-1326 (Buffer overflow in dxterm in Ultrix 4.5 allows local users to execute ...) NOT-FOR-US: Ultrix CVE-2004-1325 (The getItemInfoByAtom function in the ActiveX control for Microsoft Wi ...) NOT-FOR-US: Microsoft CVE-2004-1324 (The Microsoft Windows Media Player 9.0 ActiveX control may allow remot ...) NOT-FOR-US: Microsoft CVE-2004-1323 (Multiple syscalls in the compat subsystem for NetBSD before 2.0 allow ...) NOT-FOR-US: Netbsd CVE-2004-1322 (Cisco Unity 2.x, 3.x, and 4.x, when integrated with Microsoft Exchange ...) NOT-FOR-US: Cisco CVE-2004-1321 (The configuration backup in Asante FM2008 running firmware 1.06 stores ...) NOT-FOR-US: Asante FM2008 CVE-2004-1320 (Asante FM2008 running firmware 1.06 is shipped with a default username ...) NOT-FOR-US: Asante FM2008 CVE-2004-1319 (The DHTML Edit Control (dhtmled.ocx) allows remote attackers to inject ...) NOT-FOR-US: MSIE CVE-2004-1318 (Cross-site scripting (XSS) vulnerability in namazu.cgi for Namazu 2.0. ...) {DSA-627-1} - namazu2 2.0.14-1 CVE-2004-1317 (Stack-based buffer overflow in doexec.c in Netcat for Windows 1.1, whe ...) - netcat (only affects netcat in Windows) CVE-2004-1316 (Heap-based buffer overflow in MSG_UnEscapeSearchUrl in nsNNTPProtocol. ...) - mozilla 2:1.7.5-1 (bug #288047) CVE-2004-1315 (viewtopic.php in phpBB 2.x before 2.0.11 improperly URL decodes the hi ...) - phpbb2 2.0.10-3 CVE-2004-1314 (Safari 1.x allows remote attackers to spoof arbitrary web sites by inj ...) NOT-FOR-US: MacOS CVE-2004-1313 (The Smc.exe process in My Firewall Plus 5.0 build 1117, and possibly o ...) NOT-FOR-US: My Firewall Plus CVE-2004-1312 (A bug in the HTML parser in a certain Microsoft HTML library, as used ...) NOT-FOR-US: Microsoft CVE-2004-1311 (Integer overflow in the real_setup_and_get_header function in real.c f ...) - mplayer 1.0~pre6a-1 CVE-2004-1310 (Stack-based buffer overflow in the asf_mmst_streaming.c functionality ...) - mplayer 1.0~pre6a-1 CVE-2004-1309 (Heap-based buffer overflow in the demux_open_bmp function in demux_bmp ...) - mplayer 1.0~pre6a-1 CVE-2004-1308 (Integer overflow in (1) tif_dirread.c and (2) tif_fax3.c for libtiff 3 ...) {DSA-617-1} - tiff 3.6.1-4 - tiff3 (fixed prior to initial upload) CVE-2004-1307 (Integer overflow in the TIFFFetchStripThing function in tif_dirread.c ...) - tiff 3.7.0 (low) - tiff3 (fixed prior to initial upload) CVE-2004-1306 (Heap-based buffer overflow in winhlp32.exe in Windows NT, Windows 2000 ...) NOT-FOR-US: Windows CVE-2004-1305 (The Windows Animated Cursor (ANI) capability in Windows NT, Windows 20 ...) NOT-FOR-US: Microsoft CVE-2004-1304 (Stack-based buffer overflow in the ELF header parsing code in file bef ...) - file 4.12 CVE-2004-1303 (Buffer overflow in the get function in get.c for Yanf 0.4 allows remot ...) NOT-FOR-US: Yanf CVE-2004-1302 (The id3tag_sort function in id3tag.c for YAMT 0.5 allows remote attack ...) NOT-FOR-US: YAMT CVE-2004-1301 (Buffer overflow in the book_format_sql function in format.c for xlread ...) NOT-FOR-US: xlreader CVE-2004-1300 (Buffer overflow in the open_aiff_file function in demux_aiff.c for xin ...) - xine-lib 1-rc8-1 - vlc (vulnerable component of xine-lib code copy not present) CVE-2004-1299 (Buffer overflow in the get_attr function in html.c for vilistextum 2.6 ...) NOT-FOR-US: vilistextum CVE-2004-1298 (Buffer overflow in the parse function in vb2c.c for vb2c 0.02 allows r ...) NOT-FOR-US: vb2c CVE-2004-1297 (Buffer overflow in the process_font_table function in convert.c for un ...) - unrtf 0.19.3-1.1 (bug #287038) CVE-2004-1296 (The (1) eqn2graph and (2) pic2graph scripts in groff 1.18.1 allow loca ...) - groff 1.18.1.1-5 CVE-2004-1295 (The slip_down function in slip.c for the uml_net program in uml-utilit ...) - uml-utilities (uml_net is only executable by users in group uml-net) CVE-2004-1294 (The mget function in cmds.c for tnftp 20030825 allows remote FTP serve ...) - tnftp 20050625-0.1 (bug #285902; medium) CVE-2004-1293 (Buffer overflow in the ReadFontTbl function in reader.c for rtf2latex2 ...) NOT-FOR-US: rtf2latex2e CVE-2004-1292 (Buffer overflow in the parse_emelody function in parse_emelody.c for r ...) NOT-FOR-US: ringtonetools CVE-2004-1291 (Buffer overflow in qwik-smtpd allows remote attackers to use the serve ...) NOT-FOR-US: qwik-smtpd CVE-2004-1290 (Buffer overflow in the process_moves function in pgn2web.c for pgn2web ...) NOT-FOR-US: pgn2web CVE-2004-1289 (Multiple buffer overflows in (1) the getline function in pcalutil.c an ...) {DSA-625-1} - pcal 4.8.0-1 CVE-2004-1288 (Buffer overflow in the parse_html function in o3read.c for o3read 0.0. ...) NOT-FOR-US: o3read CVE-2004-1287 (Buffer overflow in the error function in preproc.c for NASM 0.98.38 1. ...) {DSA-623-1} - nasm 0.98.38-1.1 (bug #285889) CVE-2004-1286 (Buffer overflow in the auto_filter_extern function in auto.c for NapSh ...) NOT-FOR-US: NapShare CVE-2004-1285 (Buffer overflow in the get_header function in asf_mmst_streaming.c for ...) NOT-FOR-US: mplayer CVE-2004-1284 (Buffer overflow in the find_next_file function in playlist.c for mpg12 ...) NOTE: Previous fix 0.59r-18 introduced new integer overflows and caused regressions - mpg123 0.59r-20 (bug #287043) CVE-2004-1283 (Buffer overflow in the Mesh::type method in mesh.c for the mview progr ...) NOT-FOR-US: mview CVE-2004-1282 (Buffer overflow in the strexpand function in string.c for LinPopUp 1.2 ...) {DSA-632-1} - linpopup 1.2.0-7 CVE-2004-1281 (The ftp_retr function in junkie 0.3.1 allows remote malicious FTP serv ...) NOT-FOR-US: junkie CVE-2004-1280 (The gui_popup_view_fly function in gui_tview_popup.c for junkie 0.3.1 ...) NOT-FOR-US: junkie CVE-2004-1279 (Buffer overflow in the get_file_list_stdin function in jpegtoavi 1.5 a ...) NOT-FOR-US: jpegtoavi CVE-2004-1278 (Buffer overflow in the switch_voice function in parse.c for jcabc2ps 2 ...) NOT-FOR-US: jcabc2ps CVE-2004-1277 (The download_selection_recursive() function in ftplist.c for IglooFTP ...) NOT-FOR-US: IglooFTP CVE-2004-1276 (IglooFTP 0.6.1, when recursively uploading a directory, allows local u ...) NOT-FOR-US: IglooFTP CVE-2004-1275 (Buffer overflow in the remove_quote function in convert.c for html2hdm ...) NOT-FOR-US: html2hdml CVE-2004-1274 (The DownloadLoop function in main.c for greed 0.81p allows remote atta ...) NOT-FOR-US: greed NOTE: not the game in debian, the file download tool CVE-2004-1273 (Buffer overflow in the DownloadLoop function in main.c for greed 0.81p ...) NOT-FOR-US: greed NOTE: not the game in debian, the file download tool CVE-2004-1272 (Buffer overflow in the save_embedded_address function in filter.c for ...) - filter 2.4.2-1.1 CVE-2004-1271 (Buffer overflow in the dxfin function in d.c for dxfscope 0.2 allows r ...) NOT-FOR-US: dxfscope CVE-2004-1270 (lppasswd in CUPS 1.1.22, when run in environments that do not ensure t ...) - cups 1.1.22-2 - cupsys 1.1.22-2 CVE-2004-1269 (lppasswd in CUPS 1.1.22 does not remove the passwd.new file if it enco ...) - cups 1.1.22-2 - cupsys 1.1.22-2 CVE-2004-1268 (lppasswd in CUPS 1.1.22 ignores write errors when modifying the CUPS p ...) - cups 1.1.22-2 - cupsys 1.1.22-2 CVE-2004-1267 (Buffer overflow in the ParseCommand function in hpgl-input.c in the hp ...) - cups 1.1.22-2 - cupsys 1.1.22-2 CVE-2004-1266 (Buffer overflow in the get_field_headers function in csv2xml.cpp for c ...) NOT-FOR-US: csv2xml CVE-2004-1265 (Buffer overflow in the readObjectChunk function in 3dsimp.cpp for the ...) NOT-FOR-US: Convex CVE-2004-1264 (Buffer overflow in the simplify_path function in config.c for ChBg 1.5 ...) {DSA-644-1} - chbg 1.5-4 CVE-2004-1263 (changepassword.cgi in ChangePassword 0.8, when installed setuid, allow ...) NOT-FOR-US: ChangePassword CVE-2004-1262 (Buffer overflow in the bsb_open_header function in libbsb for bsb2ppm ...) NOT-FOR-US: bsb2ppm CVE-2004-1261 (Multiple buffer overflows in the preparse function in asp2php 0.76.23 ...) NOT-FOR-US: asp2php CVE-2004-1260 (Multiple buffer overflows in the (1) write_heading function in subs.cp ...) NOT-FOR-US: abctab2ps CVE-2004-1259 (Multiple buffer overflows in the handle_directive function in abcpp.c ...) NOT-FOR-US: abcpp CVE-2004-1258 (Buffer overflow in the put_words function in subs.c for abcm2ps 3.7.20 ...) - abcm2ps 4.8.5-1 CVE-2004-1257 (Buffer overflow in the process_abc function in abc.c for abc2mtex 1.6. ...) NOT-FOR-US: abc2mtex CVE-2004-1256 (Multiple buffer overflows in the (1) event_text and (2) event_specific ...) - abcmidi 20050101-1 CVE-2004-1255 (Buffer overflow in the expandtabs function in 2fax 3.04 allows remote ...) NOT-FOR-US: 2fax CVE-2004-1254 (WinRAR 3.40, and possibly earlier versions, allows remote attackers to ...) NOT-FOR-US: WinRAR CVE-2004-1253 RESERVED CVE-2004-1252 RESERVED CVE-2004-1251 RESERVED CVE-2004-1250 RESERVED CVE-2004-1249 RESERVED CVE-2004-1248 RESERVED CVE-2004-1247 RESERVED CVE-2004-1246 RESERVED CVE-2004-1245 RESERVED CVE-2004-1244 (Windows Media Player 9 allows remote attackers to execute arbitrary co ...) NOT-FOR-US: Microsoft CVE-2004-1243 REJECTED CVE-2004-1242 REJECTED CVE-2004-1241 REJECTED CVE-2004-1240 REJECTED CVE-2004-1239 REJECTED CVE-2004-1238 REJECTED CVE-2004-1237 (Unknown vulnerability in the system call filtering code in the audit s ...) - linux-2.6 (Apparently Red Hat specific) CVE-2004-1236 (Buffer overflow in the LDAP component for Netscape Directory Server (N ...) NOT-FOR-US: Netscape Directory Server on HP-UX CVE-2004-1235 (Race condition in the (1) load_elf_library and (2) binfmt_aout functio ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - linux-2.6 (Fixed before upload into archive) - kernel-source-2.4.27 2.4.27-8 (bug #289202; bug #289708; bug #291053; high) CVE-2004-1234 (load_elf_binary in Linux before 2.4.26 allows local users to cause a d ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - kernel-source-2.4.27 (Fixed before upload into archive; 2.4.26) CVE-2004-1233 (Integer overflow in Gadu-Gadu allows remote attackers to cause a denia ...) NOT-FOR-US: Gadu-Gadu CVE-2004-1232 (Stack-based buffer overflow in the code that sends images in Gadu-Gadu ...) NOT-FOR-US: Gadu-Gadu CVE-2004-1231 (Directory traversal vulnerability in Gadu-Gadu allows remote attackers ...) NOT-FOR-US: Gadu-Gadu CVE-2004-1230 (Gadu-Gadu allows remote attackers to gain sensitive information and re ...) NOT-FOR-US: Gadu-Gadu CVE-2004-1229 (Cross-site scripting vulnerability in the parser for Gadu-Gadu allows ...) NOT-FOR-US: Gadu-Gadu CVE-2004-1228 (The install scripts in SugarCRM Sugar Sales 2.0.1c and earlier are not ...) - sugarcrm-ce-5.0 (bug #457876) CVE-2004-1227 (Directory traversal vulnerability in SugarCRM Sugar Sales 2.0.1c and e ...) - sugarcrm-ce-5.0 (bug #457876) CVE-2004-1226 (SugarCRM Sugar Sales 2.0.1c and earlier allows remote attackers to gai ...) - sugarcrm-ce-5.0 (bug #457876) CVE-2004-1225 (SQL injection vulnerability in SugarCRM Sugar Sales before 2.0.1a allo ...) - sugarcrm-ce-5.0 (bug #457876) CVE-2004-1224 (Off-by-one error in the mtr_curses_keyaction function for mtr 0.55 thr ...) - mtr 0.67-1 CVE-2004-1223 (The Management Agent in F-Secure Policy Manager 5.11.2810 allows remot ...) NOT-FOR-US: F-Secure Policy Manager CVE-2004-1222 (weblibs.pl in WebLibs 1.0 allows remote attackers to execute arbitrary ...) NOT-FOR-US: weblibs.pl CVE-2004-1221 (Directory traversal vulnerability in weblibs.pl in WebLibs 1.0 allows ...) NOT-FOR-US: weblibs.pl CVE-2004-1220 (Battlefield 1942 1.6.19 and earlier, and Battlefield Vietnam 1.2 and e ...) NOT-FOR-US: Battlefield 1942, Battlefield Vietnam CVE-2004-1219 (paFileDB 3.1, when using sessions authentication and while the adminis ...) NOT-FOR-US: paFileDB CVE-2004-1218 (Remote Execute 2.30 allows remote attackers to cause a denial of servi ...) NOT-FOR-US: Remote Execute CVE-2004-1217 (Hosting Controller 6.1 Hotfix 1.4, and possibly other versions, allows ...) NOT-FOR-US: Hosting Controller CVE-2004-1216 (The scripts that handle players in Kreed 1.05 and earlier allow remote ...) NOT-FOR-US: Kreed CVE-2004-1215 (Kreed 1.05 and earlier allows remote attackers to cause a denial of se ...) NOT-FOR-US: Kreed CVE-2004-1214 (Format string vulnerability in Kreed 1.05 and earlier allows remote at ...) NOT-FOR-US: Kreed CVE-2004-1213 (Cross-site scripting (XSS) vulnerability in index.php in Advanced Gues ...) NOT-FOR-US: Advanced Guestbook CVE-2004-1212 (Directory traversal vulnerability in btdownload.php in Blog Torrent pr ...) NOT-FOR-US: Blog Torrent CVE-2004-1211 (Multiple buffer overflows in the IMAP service in Mercury/32 4.01a allo ...) NOT-FOR-US: Mercury Mail CVE-2004-1210 (Cross-site scripting (XSS) vulnerability in proxylog.dat in IPCop 1.4. ...) NOT-FOR-US: IpCop CVE-2004-1209 (Verisign Payflow Link, when running with empty Accepted URL fields, do ...) NOT-FOR-US: Verisign Payflow Link CVE-2004-1208 (Buffer overflow in Orbz 2.10 and earlier allows remote attackers to ca ...) NOT-FOR-US: Orbz CVE-2004-1207 (The Serious engine, as used in (1) Alpha Black Zero Intrepid Protocol ...) NOT-FOR-US: The Serious engine, as used in (1) Alpha Black Zero, (2) Nitro family, and (3) Serious Sam Second Encounter CVE-2004-1206 (Directory traversal vulnerability in codebrowserpntm.php in pnTresMail ...) NOT-FOR-US: pnTresMailer CVE-2004-1205 (codebrowserpntm.php in PnTresMailer 6.03 allows remote attackers to ga ...) NOT-FOR-US: pnTresMailer CVE-2004-1204 (FluxBox 0.9.10 and earlier versions allows local users to cause a deni ...) NOTE: at best a local DOS by the user running fluxbox. NOTE: Where's the security hole? - fluxbox 0.9.11-1 CVE-2004-1203 (parser.php in phpCMS 1.2.1 and earlier, with non-stealth and debug mod ...) NOT-FOR-US: phpCMS CVE-2004-1202 (Cross-site scripting (XSS) vulnerability in parser.php in phpCMS 1.2.1 ...) NOT-FOR-US: phpCMS CVE-2004-1201 (Opera 7.54 allows remote attackers to cause a denial of service (appli ...) NOT-FOR-US: Opera CVE-2004-1200 (Firefox and Mozilla allow remote attackers to cause a denial of servic ...) NOTE: memory leak, doubt it's usefully exploitable NOTE: did not followup CVE-2004-1199 (Safari 1.2.4 on Mac OS X 10.3.6 allows remote attackers to cause a den ...) NOT-FOR-US: Safari CVE-2004-1198 (Microsoft Internet Explorer allows remote attackers to cause a denial ...) NOT-FOR-US: MSIE CVE-2004-1197 (Cross-site scripting (XSS) vulnerability in inshop.pl in Insite inShop ...) NOT-FOR-US: inShop CVE-2004-1196 (Cross-site scripting (XSS) vulnerability in inmail.pl in Insite Inmail ...) NOT-FOR-US: Insite Inmail CVE-2004-1195 (Star Wars Battlefront 1.11 and earlier allows remote attackers to caus ...) NOT-FOR-US: Star Wars Battlefront CVE-2004-1194 (Buffer overflow in Star Wars Battlefront 1.11 and earlier allows remot ...) NOT-FOR-US: Star Wars Battlefront CVE-2004-1193 (Prevx Home 1.0 allows local users with administrator privileges to byp ...) NOT-FOR-US: Prevex Home CVE-2004-1192 (Format string vulnerability in the lprintf function in Citadel/UX 6.27 ...) NOT-FOR-US: Citadel/UX CVE-2004-1191 (Race condition in SuSE Linux 8.1 through 9.2, when run on SMP systems ...) NOTE: turned out that kernel-source-2.6.8 2.6.8-14 was incompletly fixed [sarge] - kernel-source-2.6.8 2.6.8-16 - kernel-source-2.4.27 2.4.27-6 - linux-2.6 (fixed before initial upload) - linux-2.6.24 (fixed before initial upload) CVE-2004-1190 (SUSE Linux before 9.1 and SUSE Linux Enterprise Server before 9 do not ...) NOTE: Response from Suse people reveals that http://linux.bkbits.net:8080/linux-2.6/hist/drivers/block/scsi_ioctl.c NOTE: has a misleading entry titled "Fix exploitable hole" NOTE: http://www.securityfocus.com/advisories/7579 NOTE: http://xforce.iss.net/xforce/xfdb/18370 NOTE: Response from Marcus Meissner saying the patch was integrated in upstream 2.6.8 NOTE: on further clarification he said that further fixes to this patch were made after 2.6.8 so only NOTE: 2.6.10 is actually fixed, but 2.6.8 is not - linux-2.6 (Fixed before upload into archive; 2.6.10) [sarge] - kernel-source-2.6.8 2.6.8-14 CVE-2004-1189 (The add_to_history function in svr_principal.c in libkadm5srv for MIT ...) {DSA-629-1} - krb5 1.3.6-1 CVE-2004-1188 (The pnm_get_chunk function in xine 0.99.2 and earlier, and other packa ...) - xine-lib 1-rc8-1 - mplayer (fixed in 1.0-pre5 which precedes the version included in etch) CVE-2004-1187 (Heap-based buffer overflow in the pnm_get_chunk function for xine 0.99 ...) - xine-lib 1-rc8-1 - mplayer (fixed in 1.0-pre5 which precedes the version included in etch) CVE-2004-1186 (Multiple buffer overflows in enscript 1.6.3 allow remote attackers or ...) {DSA-654-1} - enscript 1.6.4-6 CVE-2004-1185 (Enscript 1.6.3 does not sanitize filenames, which allows remote attack ...) {DSA-654-1} - enscript 1.6.4-6 CVE-2004-1184 (The EPSF pipe support in enscript 1.6.3 allows remote attackers or loc ...) {DSA-654-1} - enscript 1.6.4-6 CVE-2004-1183 (Integer overflow in the tiffdump utility for libtiff 3.7.1 and earlier ...) {DSA-626-1} - tiff 3.6.1-5 - tiff3 (fixed prior to initial upload) CVE-2004-1182 (hfaxd in HylaFAX before 4.2.1, when installed with a "weak" hosts.hfax ...) {DSA-634-1} - hylafax 1:4.2.1-1 CVE-2004-1181 (htmlheadline before 21.8 allows local users to overwrite arbitrary fil ...) {DSA-622-1} - htmlheadline CVE-2004-1180 (Unknown vulnerability in the rwho daemon (rwhod) before 0.17, on littl ...) {DSA-678-1} - netkit-rwho 0.17-8 CVE-2004-1179 (The debstd script in debmake 3.6.x before 3.6.10 and 3.7.x before 3.7. ...) {DSA-615-1} - debmake 3.7.7 CVE-2004-1178 RESERVED CVE-2004-1177 (Cross-site scripting (XSS) vulnerability in the driver script in mailm ...) {DSA-674-1} - mailman 2.1.5-5 CVE-2004-1176 (Buffer underflow in extfs.c in Midnight Commander (mc) 4.5.55 and earl ...) {DSA-639-1} NOTE: unstable not vulnerable according to DSA, DSA was wrong.. - mc 1:4.6.0-4.6.1-pre3-1 CVE-2004-1175 (fish.c in midnight commander allows remote attackers to execute arbitr ...) {DSA-639-1} NOTE: unstable not vulnerable according to DSA, DSA was wrong.. - mc 1:4.6.0-4.6.1-pre3-1 CVE-2004-1174 (direntry.c in Midnight Commander (mc) 4.5.55 and earlier allows attack ...) {DSA-639-1} NOTE: unstable not vulnerable according to DSA, DSA was wrong.. - mc 1:4.6.0-4.6.1-pre3-1 CVE-2004-1173 (Internet Explorer 6 allows remote attackers to bypass the popup blocke ...) NOT-FOR-US: MSIE CVE-2004-1172 (Stack-based buffer overflow in the Agent Browser in Veritas Backup Exe ...) NOT-FOR-US: Veritas Backup Exec CVE-2004-1171 (KDE 3.2.x and 3.3.0 through 3.3.2, when saving credentials that are (1 ...) - kdelibs 4:3.3.1-2 - kdebase 4:3.3.1-3 CVE-2004-1170 (a2ps 4.13 allows remote attackers to execute arbitrary commands via sh ...) {DSA-612-1} - a2ps 1:4.13b-4.2 (bug #283134) CVE-2004-1169 (MaxDB WebTools 7.5.00.18 and earlier allows remote attackers to cause ...) - maxdb-7.5.00 7.5.00.19-1 CVE-2004-1168 (Stack-based buffer overflow in the WebDav handler in MaxDB WebTools 7. ...) - maxdb-7.5.00 7.5.00.19-1 CVE-2004-1167 (mirrorselect before 0.89 creates temporary files in a world-writable l ...) NOT-FOR-US: gentoo mirrorselect CVE-2004-1166 (CRLF injection vulnerability in Microsoft Internet Explorer 6.0.2800.1 ...) NOT-FOR-US: Microsoft CVE-2004-1165 (Konqueror 3.3.1 allows remote attackers to execute arbitrary FTP comma ...) {DSA-631-1} - kdelibs 4:3.3.2-1 CVE-2004-1164 (The lock manager in Cisco CNS Network Registrar 6.0 through 6.1.1.3 al ...) NOT-FOR-US: Cisco CVE-2004-1163 (Cisco CNS Network Registrar Central Configuration Management (CCM) ser ...) NOT-FOR-US: Cisco CVE-2004-1162 (The unison command in scponly before 4.0 does not properly restrict pr ...) - scponly 4.0-1 CVE-2004-1161 (rssh 2.2.2 and earlier does not properly restrict programs that can be ...) - rssh 2.2.3-1 CVE-2004-1160 (Netscape 7.x to 7.2, and possibly other versions, allows remote attack ...) NOT-FOR-US: Netscape CVE-2004-1159 REJECTED CVE-2004-1158 (Konqueror 3.x up to 3.2.2-6, and possibly other versions, allows remot ...) - kdelibs 4:3.3.1-3 - kdebase 4:3.3.1-4 CVE-2004-1157 (Opera 7.x up to 7.54, and possibly other versions, allows remote attac ...) NOT-FOR-US: Opera CVE-2004-1156 (Mozilla before 1.7.6, and Firefox before 1.0.1, allows remote attacker ...) - mozilla 2:1.7.6-1 - mozilla-firefox 1.0.1 CVE-2004-1155 (Internet Explorer 5.01 through 6 allows remote attackers to spoof arbi ...) NOT-FOR-US: Microsoft MSIE CVE-2004-1154 (Integer overflow in the Samba daemon (smbd) in Samba 2.x and 3.0.x thr ...) {DSA-701-1} - samba 3.0.10-1 CVE-2004-1153 (Format string vulnerability in Adobe Acrobat Reader 6.0.0 through 6.0. ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2004-1152 (Buffer overflow in the mailListIsPdf function in Adobe Acrobat Reader ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2004-1151 (Multiple buffer overflows in the (1) sys32_ni_syscall and (2) sys32_vm ...) - linux-2.6 (Fixed before upload into archive; 2.6.10) [sarge] - kernel-source-2.6.8 2.6.8-11 CVE-2004-1150 (Stack-based buffer overflow in the in_cdda.dll plugin for Winamp 5.0 t ...) NOT-FOR-US: Winamp CVE-2004-1149 (Computer Associates eTrust EZ Antivirus 7.0.0 to 7.0.4, including 7.0. ...) NOT-FOR-US: Computer Associates eTrust EZ Antivirus CVE-2004-1148 (phpMyAdmin before 2.6.1, when configured with UploadDir functionality, ...) - phpmyadmin 2:2.6.1-rc1-1 NOTE: https://www.phpmyadmin.net/security/PMASA-2004-4/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/1d170eefbf3b07c6bd968d9905a419aaf3aeedf0 NOTE: A very big commit that might include useless changes NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/f1f39b8ed115c5cfbd18d3dca5fad1707beb00f2 CVE-2004-1147 (phpMyAdmin 2.6.0-pl2, and other versions before 2.6.1, with external t ...) - phpmyadmin 2:2.6.1-rc1-1 NOTE: https://www.phpmyadmin.net/security/PMASA-2004-4/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/1d170eefbf3b07c6bd968d9905a419aaf3aeedf0 NOTE: A very big commit that might include useless changes NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/f1f39b8ed115c5cfbd18d3dca5fad1707beb00f2 CVE-2004-1146 (Multiple cross-site scripting (XSS) vulnerabilities in (1) main.c and ...) - cvstrac 1.1.5 CVE-2004-1145 (Multiple vulnerabilities in Konqueror in KDE 3.3.1 and earlier (1) all ...) - kdelibs 4:3.3.2-1 CVE-2004-1144 (Unknown vulnerability in the 32bit emulation code in Linux 2.4 on AMD6 ...) NOTE: amd64 specific - kernel-source-2.4.27 2.4.27-9 CVE-2004-1143 (The password generation in mailman before 2.1.5 generates only 5 milli ...) - mailman 2.1.5-5 CVE-2004-1142 (Ethereal 0.9.0 through 0.10.7 allows remote attackers to cause a denia ...) {DSA-613-1} - ethereal 0.10.8-1 CVE-2004-1141 (The HTTP dissector in Ethereal 0.10.1 through 0.10.7 allows remote att ...) - ethereal 0.10.8-1 CVE-2004-1140 (Ethereal 0.9.0 through 0.10.7 allows remote attackers to cause a denia ...) - ethereal 0.10.8-1 CVE-2004-1139 (Unknown vulnerability in the DICOM dissector in Ethereal 0.10.4 throug ...) - ethereal 0.10.8-1 CVE-2004-1138 (VIM before 6.3 and gVim before 6.3 allow local users to execute arbitr ...) - vim 1:6.3-046+0sarge1 CVE-2004-1137 (Multiple vulnerabilities in the IGMP functionality for Linux kernel 2. ...) - linux-2.6 (Fixed before upload into the archive) - kernel-source-2.4.27 2.4.27-7 CVE-2004-1136 (Buffer overflow in CuteFTP Professional 6.0, and possibly other versio ...) NOT-FOR-US: CuteFTP CVE-2004-1135 (Multiple buffer overflows in WS_FTP Server 5.03 2004.10.14 allow remot ...) NOT-FOR-US: WS-Ftpd CVE-2004-1134 (Buffer overflow in the Microsoft W3Who ISAPI (w3who.dll) allows remote ...) NOT-FOR-US: Microsoft CVE-2004-1133 (Multiple cross-site scripting (XSS) vulnerabilities in Microsoft W3Who ...) NOT-FOR-US: Microsoft CVE-2004-1132 RESERVED CVE-2004-1131 (Multiple buffer overflows in the enable command for SCO OpenServer 5.0 ...) NOT-FOR-US: SCO CVE-2004-1130 (Cross-site scripting (XSS) vulnerability in admin.asp in CMailServer 5 ...) NOT-FOR-US: CMailServer CVE-2004-1129 (SQL injection vulnerability in (1) fdelmail.asp, (2) addressc.asp, and ...) NOT-FOR-US: CMailServer CVE-2004-1128 (Buffer overflow in CMailCOM.dll in CMailServer 5.2 allows remote attac ...) NOT-FOR-US: CMailServer CVE-2004-1127 (Buffer overflow in Open Dc Hub 0.7.14 allows remote attackers, with ad ...) - opendchub 0.7.14-1.1 (bug #284350; bug #283061) CVE-2004-1126 RESERVED CVE-2004-1125 (Buffer overflow in the Gfx::doImage function in Gfx.cc for xpdf 3.00, ...) {DSA-621-1 DSA-619-1} - xpdf 3.00-11 - cupsys 1.1.22-2 - cups 1.1.22-2 - tetex-bin 2.0.2-25 - gpdf 2.8.2-1 - koffice 1:1.3.5-1 CVE-2004-1124 (Unknown vulnerability in chroot on SCO UnixWare 7.1.1 through 7.1.4 al ...) NOT-FOR-US: UnixWare CVE-2004-1123 (Darwin Streaming Server 5.0.1, and possibly earlier versions, allows r ...) NOT-FOR-US: Darwin Streaming Server CVE-2004-1122 (Safari 1.x to 1.2.4, and possibly other versions, allows inactive wind ...) NOT-FOR-US: Safari CVE-2004-1121 (Apple Safari 1.0 through 1.2.3 allows remote attackers to spoof the UR ...) NOT-FOR-US: Safari CVE-2004-1120 (Multiple buffer overflows in (1) http.c, (2) http-retr.c, (3) main.c a ...) {DSA-663-1} - prozilla 1:1.3.7.3-1 CVE-2004-1119 (Stack-based buffer overflow in IN_CDDA.dll in Winamp 5.05, and possibl ...) NOT-FOR-US: Winamp CVE-2004-1118 (Buffer overflow in the WodFtpDLX.ocx (WeOnlyDo!) ActiveX component bef ...) NOT-FOR-US: WodFtpDLX.ocx ActiveX component CVE-2004-1117 (The init scripts in ChessBrain 20407 and earlier execute user-owned pr ...) NOT-FOR-US: ChessBrain CVE-2004-1116 (The init scripts in Great Internet Mersenne Prime Search (GIMPS) 23.9 ...) NOT-FOR-US: GIMPS CVE-2004-1115 (The init scripts in Search for Extraterrestrial Intelligence (SETI) pr ...) - setiathome (Gentoo-specific vulnerability) CVE-2004-1114 (Buffer overflow in the handling of command line arguments in Skype 1.0 ...) NOT-FOR-US: Skype CVE-2004-1113 (SQL injection vulnerability in SQLgrey Postfix greylisting service bef ...) - sqlgrey 1.2.0 CVE-2004-1112 (The buffer overflow trigger in Cisco Security Agent (CSA) before 4.0.3 ...) NOT-FOR-US: Cisco CVE-2004-1111 (Cisco IOS 2.2(18)EW, 12.2(18)EWA, 12.2(14)SZ, 12.2(18)S, 12.2(18)SE, 1 ...) NOT-FOR-US: Cisco CVE-2004-1110 (The mtink status monitor before 1.0.5 for Epson printers allows local ...) - mtink 1.0.5 NOTE: debian not vulnerable except in edge case CVE-2004-1109 (The FWDRV.SYS driver in Kerio Personal Firewall 4.1.1 and earlier allo ...) NOT-FOR-US: Kerio Personal Firewall CVE-2004-1108 (qpkg in Gentoolkit 0.2.0_pre10 and earlier allows local users to overw ...) NOT-FOR-US: Gentoolkit CVE-2004-1107 (dispatch-conf in Portage 2.0.51-r2 and earlier allows local users to o ...) NOT-FOR-US: Portage CVE-2004-1106 (Cross-site scripting (XSS) vulnerability in Gallery 1.4.4-pl3 and earl ...) {DSA-642-1} - gallery 1.4.4-pl4-1 CVE-2004-1105 (Nortel Networks Contivity VPN Client displays a different error messag ...) NOT-FOR-US: Nortel Networks Contivity VPN Client CVE-2004-1104 (Microsoft Internet Explorer 6.0 SP2 allows remote attackers to spoof a ...) NOT-FOR-US: Microsoft CVE-2004-1103 (MailPost 5.1.1sv, and possibly earlier versions, when debug mode is en ...) NOT-FOR-US: MailPost CVE-2004-1102 (MailPost 5.1.1sv, and possibly earlier versions, displays a different ...) NOT-FOR-US: MailPost CVE-2004-1101 (mailpost.exe in MailPost 5.1.1sv, and possibly earlier versions, allow ...) NOT-FOR-US: MailPost CVE-2004-1100 (Cross-site scripting (XSS) vulnerability in mailpost.exe in MailPost 5 ...) NOT-FOR-US: MailPost CVE-2004-1099 (Cisco Secure Access Control Server for Windows (ACS Windows) and Cisco ...) NOT-FOR-US: Cisco CVE-2004-1098 (MIMEDefang in MIME-tools 5.414 allows remote attackers to bypass virus ...) - mime-tools 5.415-1 CVE-2004-1097 (Format string vulnerability in the cherokee_logger_ncsa_write_string f ...) - cherokee (Fixed before upload into archive) CVE-2004-1096 (Archive::Zip Perl module before 1.14, when used by antivirus programs ...) - libarchive-zip-perl 1.14-1 CVE-2004-1095 (Multiple integer overflows in (1) readbmp.c, (2) readgif.c, (3) readgi ...) {DSA-608-1} - zgv 5.7-1.3 (bug #284124) CVE-2004-1094 (Buffer overflow in InnerMedia DynaZip DUNZIP32.dll file version 5.00.0 ...) NOT-FOR-US: RealPlayer CVE-2004-1093 (Midnight commander (mc) 4.5.55 and earlier allows remote attackers to ...) {DSA-639-1} NOTE: unstable not vulnerable according to DSA, DSA was wrong.. - mc 1:4.6.0-4.6.1-pre3-1 CVE-2004-1092 (Midnight commander (mc) 4.5.55 and earlier allows remote attackers to ...) {DSA-639-1} NOTE: unstable not vulnerable according to DSA, DSA was wrong.. - mc 1:4.6.0-4.6.1-pre3-1 CVE-2004-1091 (Midnight commander (mc) 4.5.55 and earlier allows remote attackers to ...) {DSA-639-1} NOTE: unstable not vulnerable according to DSA, DSA was wrong.. - mc 1:4.6.0-4.6.1-pre3-1 CVE-2004-1090 (Midnight commander (mc) 4.5.55 and earlier allows remote attackers to ...) {DSA-639-1} NOTE: unstable not vulnerable according to DSA, DSA was wrong.. - mc 1:4.6.0-4.6.1-pre3-1 CVE-2004-1089 (Unknown vulnerability in Apple Mac OS X 10.3.6 server, when using Kerb ...) NOT-FOR-US: Apple MacOS CVE-2004-1088 (Postfix server for Apple Mac OS X 10.3.6, when using CRAM-MD5, allows ...) NOT-FOR-US: Apple MacOS CVE-2004-1087 (Terminal for Apple Mac OS X 10.3.6 may indicate that "Secure Keyboard ...) NOT-FOR-US: Apple MacOS CVE-2004-1086 (Buffer overflow in PSNormalizer for Apple Mac OS X 10.3.6 allows remot ...) NOT-FOR-US: Apple MacOS CVE-2004-1085 (Human Interface Toolbox (HIToolBox) for Apple Mac 0S X 10.3.6 allows l ...) NOT-FOR-US: Apple MacOS CVE-2004-1084 (Apache for Apple Mac OS X 10.2.8 and 10.3.6 allows remote attackers to ...) NOT-FOR-US: Apple MacOS CVE-2004-1083 (Apache for Apple Mac OS X 10.2.8 and 10.3.6 restricts access to files ...) NOT-FOR-US: Apple MacOS CVE-2004-1081 (The Application Framework (AppKit) for Apple Mac OS X 10.2.8 and 10.3. ...) NOT-FOR-US: Apple MacOS CVE-2004-1082 (mod_digest_apple for Apache 1.3.31 and 1.3.32 on Mac OS X Server does ...) NOT-FOR-US: Apple MacOS CVE-2004-1080 (The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Window ...) NOT-FOR-US: Microsoft CVE-2004-1079 (Buffer overflow in (1) ncplogin and (2) ncpmap in nwclient.c for ncpfs ...) - ncpfs 2.2.5-2 CVE-2004-1078 (Stack-based buffer overflow in the client for Citrix Program Neighborh ...) NOT-FOR-US: Citrix CVE-2004-1077 (Citrix Program Neighborhood Agent for Win32 8.00.24737 and earlier and ...) NOT-FOR-US: Citrix CVE-2004-1076 (Multiple buffer overflows in the RtConfigLoad function in rt-config.c ...) {DSA-609-1} - atari800 1.3.2-1 CVE-2004-1075 (Cross-site scripting (XSS) vulnerability in standard_error_message.dtm ...) - zope-zwiki 0.37.0-1 CVE-2004-1074 (The binfmt functionality in the Linux kernel, when "memory overcommit" ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - linux-2.6 (Fixed before upload into archive; 2.6.10) [sarge] - kernel-source-2.6.8 2.6.8-11 - kernel-source-2.4.27 2.4.27-7 CVE-2004-1073 (The open_exec function in the execve functionality (exec.c) in Linux k ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - linux-2.6 (Fixed before upload into archive) - kernel-source-2.4.27 2.4.27-6 CVE-2004-1072 (The binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to 2.4.2 ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - linux-2.6 (Fixed before upload into archive) - kernel-source-2.4.27 2.4.27-6 CVE-2004-1071 (The binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to 2.4.2 ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - linux-2.6 (Fixed before upload into archive) - kernel-source-2.4.27 2.4.27-6 CVE-2004-1070 (The load_elf_binary function in the binfmt_elf loader (binfmt_elf.c) i ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - linux-2.6 (Fixed before upload into archive) - kernel-source-2.4.27 2.4.27-6 CVE-2004-1069 (Race condition in SELinux 2.6.x through 2.6.9 allows local users to ca ...) - linux-2.6 (Fixed before upload into archive) - kernel-source-2.4.27 (2.6 only issue) [sarge] - kernel-source-2.6.8 2.6.8-11 CVE-2004-1068 (A "missing serialization" error in the unix_dgram_recvmsg function in ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - linux-2.6 (Fixed before upload into archive; 2.6.9) - kernel-source-2.4.27 2.4.27-7 [sarge] - kernel-source-2.6.8 2.6.8-11 CVE-2004-1067 (Off-by-one error in the mysasl_canon_user function in Cyrus IMAP Serve ...) - cyrus21-imapd (Only affected 2.2 series) CVE-2004-1066 (The cmdline pseudofiles in (1) procfs on FreeBSD 4.8 through 5.3, and ...) NOT-FOR-US: FreeBSD CVE-2004-1065 (Buffer overflow in the exif_read_data function in PHP before 4.3.10 an ...) - php4 4:4.3.10-1 CVE-2004-1064 (The safe mode checks in PHP 4.x to 4.3.9 and PHP 5.x to 5.0.2 truncate ...) - php4 4:4.3.10-1 CVE-2004-1063 (PHP 4.x to 4.3.9, and PHP 5.x to 5.0.2, when running in safe mode on a ...) - php4 4:4.3.10-1 CVE-2004-1062 (Multiple cross-site scripting (XSS) vulnerabilities in ViewCVS 0.9.2 a ...) - viewcvs 0.9.2+cvs.1.0.dev.2004.07.28-1.3 (bug #287771) CVE-2004-1061 (Cross-site scripting (XSS) vulnerability in Bugzilla before 2.18, incl ...) - bugzilla 2.16.7-2 CVE-2004-1060 (Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) d ...) NOTE: Linux kernel verifies TCP sequence numbers on ICMP errors CVE-2004-1059 (Multiple cross-site scripting (XSS) vulnerabilities in mnoGoSearch 3.2 ...) - mnogosearch 3.2.18-2.2 CVE-2004-1058 (Race condition in Linux kernel 2.6 allows local users to read the envi ...) {DSA-1018-1} - linux-2.6 (Fixed before upload into archive; 2.6.10) [sarge] - kernel-source-2.6.8 2.6.8-14 CVE-2004-1057 (Multiple drivers in Linux kernel 2.4.19 and earlier do not properly ma ...) - linux-2.6 (Fixed before upload into archive) - kernel-source-2.4.27 2.4.27-10 CVE-2004-1056 (Direct Rendering Manager (DRM) driver in Linux kernel 2.6 does not pro ...) - linux-2.6 (Fixed before upload into archive) - kernel-source-2.4.27 2.4.27-8 [sarge] - kernel-source-2.6.8 2.6.8-11 CVE-2004-1055 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 2.6. ...) - phpmyadmin 2:2.6.0-pl3-1 NOTE: https://www.phpmyadmin.net/security/PMASA-2004-3/ CVE-2004-1054 (Untrusted execution path vulnerability in invscout in IBM AIX 5.1.0, 5 ...) NOT-FOR-US: AIX CVE-2004-1053 (Integer overflow in fetch on FreeBSD 4.1 through 5.3 allows remote mal ...) NOT-FOR-US: fetch on FreeBSD CVE-2004-1052 (Buffer overflow in the getnickuserhost function in BNC 2.8.9, and poss ...) {DSA-595-1} - bnc CVE-2004-1051 (sudo before 1.6.8p2 allows local users to execute arbitrary commands b ...) {DSA-596-2} - sudo 1.6.8p3-1 CVE-2004-1050 (Heap-based buffer overflow in Internet Explorer 6 allows remote attack ...) NOT-FOR-US: Microsoft CVE-2004-1049 (Integer overflow in the LoadImage API of the USER32 Lib for Microsoft ...) NOT-FOR-US: Microsoft CVE-2004-1048 RESERVED CVE-2004-1047 RESERVED CVE-2004-1046 RESERVED CVE-2004-1045 RESERVED CVE-2004-1044 RESERVED CVE-2004-1043 (Internet Explorer 6.0 on Windows XP SP2 allows remote attackers to exe ...) NOT-FOR-US: MSIE CVE-2004-1042 RESERVED CVE-2004-1041 RESERVED CVE-2004-1040 RESERVED CVE-2004-1039 (The NFS mountd service on SCO UnixWare 7.1.1, 7.1.3, 7.1.4, and 7.0.1, ...) NOT-FOR-US: SCO UnixWare CVE-2004-1038 (A design error in the IEEE1394 specification allows attackers with phy ...) NOT-FOR-US: IEEE1394 specification bug, physical security CVE-2004-1037 (The search function in TWiki 20030201 allows remote attackers to execu ...) - twiki 20030201-6 CVE-2004-1036 (Cross-site scripting (XSS) vulnerability in the decoding of encoded te ...) - squirrelmail 2:1.4.3a-3 CVE-2004-1035 (Multiple integer signedness errors in (1) imapcommon.c, (2) main.c, (3 ...) - up-imapproxy 1.2.2+1.2.3rc2-1 CVE-2004-1034 (Buffer overflow in the http_open function in Kaffeine before 0.5, whos ...) - kaffeine 0.4.3.1-3 - gxine 0.4-rc1 CVE-2004-1033 (Fcron 2.0.1, 2.9.4, and possibly earlier versions leak file descriptor ...) - fcron 2.9.5.1-1 CVE-2004-1032 (fcronsighup in Fcron 2.0.1, 2.9.4, and possibly earlier versions allow ...) - fcron 2.9.5.1-1 CVE-2004-1031 (fcronsighup in Fcron 2.0.1, 2.9.4, and possibly earlier versions allow ...) - fcron 2.9.5.1-1 CVE-2004-1030 (fcronsighup in Fcron 2.0.1, 2.9.4, and possibly earlier versions allow ...) - fcron 2.9.5.1-1 CVE-2004-1029 (The Sun Java Plugin capability in Java 2 Runtime Environment (JRE) 1.4 ...) NOT-FOR-US: Sun JRE CVE-2004-1028 (Untrusted execution path vulnerability in chcod on AIX IBM 5.1.0, 5.2. ...) NOT-FOR-US: AIX CVE-2004-1027 (Directory traversal vulnerability in the -x (extract) command line opt ...) {DSA-652-1} - arj (sarge's unarj is from a different code base, probably not vulnerable) CVE-2004-1026 (Multiple integer overflows in the image handler for imlib 1.9.14 and e ...) {DSA-628-1 DSA-618-1} - imlib 1.9.14-17.1 (bug #284925) - imlib+png2 1.9.14-16.1 - imlib2 1.1.2-2.1 CVE-2004-1025 (Multiple heap-based buffer overflows in imlib 1.9.14 and earlier, whic ...) {DSA-618-1} - imlib 1.9.14-17.1 (bug #284925) - imlib+png2 1.9.14-16.1 CVE-2004-1024 RESERVED CVE-2004-1023 (Kerio Winroute Firewall before 6.0.9, ServerFirewall before 1.0.1, and ...) NOT-FOR-US: Kerio CVE-2004-1022 (Kerio Winroute Firewall before 6.0.7, ServerFirewall before 1.0.1, and ...) NOT-FOR-US: Kerio CVE-2004-1021 (iCal before 1.5.4 on Mac OS X 10.2.3, and other later versions, does n ...) NOT-FOR-US: MacOS CVE-2004-1020 (The addslashes function in PHP 4.3.9 does not properly escape a NULL ( ...) - php4 4:4.3.10-1 CVE-2004-1019 (The deserialization code in PHP before 4.3.10 and PHP 5.x up to 5.0.2 ...) - php4 4:4.3.10-1 CVE-2004-1018 (Multiple integer handling errors in PHP before 4.3.10 allow attackers ...) - php4 4:4.3.10-1 - php3 3:3.0.18-29 CVE-2004-1017 (Multiple "overflows" in the io_edgeport driver for Linux kernel 2.4.x ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1 DSA-1017-1} - linux-2.6 (2.4 specific vulnerability) CVE-2004-1016 (The scm_send function in the scm layer for Linux kernel 2.4.x up to 2. ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - linux-2.6 (Fixed before upload into archive) - kernel-source-2.4.27 2.4.27-7 CVE-2004-1015 (Buffer overflow in proxyd for Cyrus IMAP Server 2.2.9 and earlier, wit ...) - cyrus-imapd (cyrus-imapd not vulnerable) - cyrus21-imapd (cyrus21-imapd not vulnerable) CVE-2004-1014 (statd in nfs-utils 1.257 and earlier does not ignore the SIGPIPE signa ...) {DSA-606-1} - nfs-utils 1:1.0.6-3.1 CVE-2004-1013 (The argument parser of the FETCH command in Cyrus IMAP Server 2.2.x th ...) {DSA-597-1} - cyrus-imapd 1.5.19-20 - cyrus21-imapd 2.1.17-1 CVE-2004-1012 (The argument parser of the PARTIAL command in Cyrus IMAP Server 2.2.6 ...) {DSA-597-1} - cyrus-imapd 1.5.19-20 - cyrus21-imapd 2.1.17-1 CVE-2004-1011 (Stack-based buffer overflow in Cyrus IMAP Server 2.2.4 through 2.2.8, ...) - cyrus-imapd (cyrus-imapd not vulnerable) - cyrus21-imapd (cyrus21-imapd not vulnerable) CVE-2004-1010 (Buffer overflow in Info-Zip 2.3 and possibly earlier versions, when us ...) {DSA-624-1} - zip 2.30-8 CVE-2004-1009 (Midnight commander (mc) 4.5.55 and earlier allows remote attackers to ...) {DSA-639-1} NOTE: unstable not vulnerable according to DSA, DSA was wrong.. - mc 1:4.6.0-4.6.1-pre3-1 CVE-2004-1008 (Integer signedness error in the ssh2_rdpkt function in PuTTY before 0. ...) - putty 0.56-1 CVE-2004-1007 (The quoted-printable decoder in bogofilter 0.17.4 to 0.92.7 allows rem ...) - bogofilter 0.92.8-1 CVE-2004-1006 (Format string vulnerability in the log functions in dhcpd for dhcp 2.x ...) {DSA-584-1} - dhcp 2.0pl5-19.1 CVE-2004-1005 (Multiple buffer overflows in Midnight Commander (mc) 4.5.55 and earlie ...) {DSA-639-1} NOTE: unstable not vulnerable according to DSA, DSA was wrong.. - mc 1:4.6.0-4.6.1-pre3-1 CVE-2004-1004 (Multiple format string vulnerabilities in Midnight Commander (mc) 4.5. ...) {DSA-639-1} NOTE: unstable not vulnerable according to DSA, DSA was wrong.. - mc 1:4.6.0-4.6.1-pre3-1 CVE-2004-1003 (Trend ScanMail allows remote attackers to obtain potentially sensitive ...) NOT-FOR-US: Trend ScanMail CVE-2004-1002 (Integer underflow in pppd in cbcp.c for ppp 2.4.1 allows remote attack ...) - ppp 2.4.2+20040428-3 CVE-2004-1001 (Unknown vulnerability in the passwd_check function in Shadow 4.0.4.1, ...) {DSA-585-1} NOTE: Fixed in shadow 1:4.0.3-30.3 for the first time. NOTE: Apparently, the fix was lost somehow, see #309587. NOTE: It was reapplied to sarge before the release, and to sid in NOTE: version 1:4.0.3-35. - shadow 1:4.0.3-35 [sarge] - shadow 1:4.0.3-31sarge5 (bug #309587) CVE-2004-1000 (lintian 1.23 and earlier removes the working directory even if it was ...) {DSA-630-1} - lintian 1.23.6 (bug #286379; low) CVE-2004-0999 (zgv 5.5.3 allows remote attackers to cause a denial of service (applic ...) {DSA-608-1} - zgv 5.7-1.3 (bug #284124) NOTE: changelog says he only patched 1095, but diff comparison NOTE: shows 0999 was also fixed. CVE-2004-0998 (Format string vulnerability in telnetd-ssl 0.17 and earlier allows rem ...) {DSA-616-1} - netkit-telnet-ssl 0.17.24+0.1-6 CVE-2004-0997 (Unspecified vulnerability in the ptrace MIPS assembly code in Linux ke ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - linux-2.6 (fixed before first upload) CVE-2004-0996 (main.c in cscope 15-4 and 15-5 creates temporary files with predictabl ...) {DSA-610-1} - cscope 15.5-1.1 (bug #282815) NOTE: Patch in debian bts from ubuntu is good. All other patches are crap. CVE-2004-0995 REJECTED CVE-2004-0994 (Multiple integer overflows in xzgv 0.8 and earlier allow remote attack ...) {DSA-614-1} NOTE: only indication that it's this CVE is in the debian package changelog - xzgv 0.8-3 CVE-2004-0993 (Buffer overflow in hpsockd before 0.6 allows remote attackers to cause ...) {DSA-604-1} - hpsockd 0.14 CVE-2004-0992 (Format string vulnerability in the -a option (daemon mode) in Proxytun ...) NOT-FOR-US: Proxytunnel CVE-2004-0991 (Buffer overflow in mpg123 before 0.59s-r9 allows remote attackers to e ...) - mpg123 0.59r-19 - mp3gain 1.5.2-r2-6 (low) [wheezy] - mp3gain 1.5.2-r2-2+deb7u1 [squeeze] - mp3gain (Minor issue) CVE-2004-0990 (Integer overflow in GD Graphics Library libgd 2.0.28 (libgd2), and pos ...) {DSA-602-1 DSA-601-1 DSA-591-1 DSA-589-1} - libgd2 2.0.30-1 - libgd 1.8.4-36.1 CVE-2004-0989 (Multiple buffer overflows in libXML 2.6.12 and 2.6.13 (libxml2), and p ...) {DSA-582-1} - libxml 1:1.8.17-9 - libxml2 2.6.11-5 CVE-2004-0988 (Integer overflow on Apple QuickTime before 6.5.2, when running on Wind ...) NOT-FOR-US: Apple CVE-2004-0987 (Buffer overflow in the process_menu function in yardradius 1.0.20 allo ...) {DSA-598-1} - yardradius 1.0.20-15 CVE-2004-0986 (Iptables before 1.2.11, under certain conditions, does not properly lo ...) {DSA-580-1} - iptables 1.2.11-4 CVE-2004-0985 (Internet Explorer 6.x on Windows XP SP2 allows remote attackers to exe ...) NOT-FOR-US: windows CVE-2004-0984 (Unknown vulnerability in the dotlock implementation in mailutils befor ...) - mailutils 1:0.5-4 CVE-2004-0983 (The CGI module in Ruby 1.6 before 1.6.8, and 1.8 before 1.8.2, allows ...) {DSA-586-1} - ruby1.8 1.8.1+1.8.2pre2-4 - ruby1.6 1.6.8-12 - ruby CVE-2004-0982 (Buffer overflow in the getauthfromURL function in httpget.c in mpg123 ...) {DSA-578-1} - mpg123 0.59r-18 NOTE: Original fix in -17 was incomplete CVE-2004-0981 (Buffer overflow in the EXIF parsing routine in ImageMagick before 6.1. ...) {DSA-593-1} - imagemagick 6:6.0.6.2-1.5 (bug #278401) - graphicsmagick 1.1.7-1 CVE-2004-0980 (Format string vulnerability in ez-ipupdate.c for ez-ipupdate 3.0.10 th ...) {DSA-592-1} - ez-ipupdate 3.0.11b8-8 CVE-2004-0979 (Internet Explorer on Windows XP does not properly modify the "Drag and ...) NOT-FOR-US: windows CVE-2004-0978 (Heap-based buffer overflow in the Hrtbeat.ocx (Heartbeat) ActiveX cont ...) NOT-FOR-US: windows CVE-2004-0977 (The make_oidjoins_check script in PostgreSQL 7.4.5 and earlier allows ...) {DSA-577-1} - postgresql 7.4.6-1 CVE-2004-0976 (Multiple scripts in the perl package in Trustix Secure Linux 1.5 throu ...) {DSA-620-1} - perl 5.8.4-4 CVE-2004-0975 (The der_chop script in the openssl package in Trustix Secure Linux 1.5 ...) {DSA-603-1} - openssl 0.9.7e-3 NOTE: -1 claimed to include it, but it was missing CVE-2004-0974 (The netatalk package in Trustix Secure Linux 1.5 through 2.1, and poss ...) - netatalk 1.6.4a-1 (low) CVE-2004-0973 REJECTED CVE-2004-0972 (The lvmcreate_initrd script in the lvm package in Trustix Secure Linux ...) {DSA-583-1} - lvm10 1:1.0.8-8 CVE-2004-0971 (The krb5-send-pr script in the kerberos5 (krb5) package in Trustix Sec ...) NOTE: Not shipped in the krb5 binary package - krb5 (bug #278271; unimportant) - arla 0.36.2-11 CVE-2004-0970 (The (1) gzexe, (2) zdiff, and (3) znew scripts in the gzip package, as ...) {DSA-588-1} - gzip 1.3.5-8 (bug #259043; bug #257314; medium) CVE-2004-0969 (The groffer script in the Groff package 1.18 and later versions, as us ...) - groff 1.18.1.1-2 CVE-2004-0968 (The catchsegv script in glibc 2.3.2 and earlier allows local users to ...) {DSA-636-1} - glibc 2.3.2.ds1-19 CVE-2004-0967 (The (1) pj-gs.sh, (2) ps2epsi, (3) pv.sh, and (4) sysvlp.sh scripts in ...) - gs-common 0.3.6-0.1 - gs-gpl 8.56.dfsg.1-1 (bug #291373; unimportant) NOTE: ps2epsi hole present in gs-gpl, but not shipped in binary CVE-2004-0966 (The (1) autopoint and (2) gettextize scripts in the GNU gettext packag ...) - gettext 0.14.1-6 CVE-2004-0965 (stmkfont in HP-UX B.11.00 through B.11.23 relies on the user-specified ...) NOT-FOR-US: HP-UX CVE-2004-0964 (Buffer overflow in Zinf 2.2.1 on Windows, and other older versions for ...) {DSA-587-1} - zinf (According to DSA-587 not affected, as module was rewritten) - freeamp CVE-2004-0963 (Buffer overflow in Microsoft Word 2002 (10.6612.6714) SP3, and possibl ...) NOT-FOR-US: windows CVE-2004-0962 (Apple Remote Desktop Client 1.2.4 executes a GUI application as root w ...) NOT-FOR-US: Apple Remote Desktop Client CVE-2004-0961 (Memory leak in FreeRADIUS before 1.0.1 allows remote attackers to caus ...) - freeradius 1.0.1 CVE-2004-0960 (FreeRADIUS before 1.0.1 allows remote attackers to cause a denial of s ...) - freeradius 1.0.1 CVE-2004-0959 (rfc1867.c in PHP before 5.0.2 allows local users to upload files to ar ...) - php4 4:4.3.9 CVE-2004-0958 (php_variables.c in PHP before 5.0.2 allows remote attackers to read se ...) - php4 4:4.3.9 CVE-2004-0957 (Unknown vulnerability in MySQL 3.23.58 and earlier, when a local user ...) {DSA-707-1} - mysql-dfsg-4.1 4.1.10a-6 - mysql-dfsg 4.0.24-5 CVE-2004-0956 (MySQL before 4.0.20 allows remote attackers to cause a denial of servi ...) - mysql-dfsg (Not vulnerable, http://web.archive.org/web/20070529152436/http://www.debian.org/security/nonvulns-sarge) CVE-2004-0955 REJECTED CVE-2004-0954 REJECTED CVE-2004-0953 (Buffer overflow in the C2S module in the open source Jabber 2.x server ...) - jabber (Jabber version 2 is vulnerable, we have an older version that seems not) CVE-2004-0952 (HP-UX B.11.00 through B.11.23, when running Ignite-UX and using the ad ...) NOT-FOR-US: HP-UX CVE-2004-0951 (The make_recovery command for the TFTP server in HP Ignite-UX before C ...) NOT-FOR-US: HP-UX CVE-2004-0950 (NetOp Host before 7.65 build 2004278 allows remote attackers to obtain ...) NOT-FOR-US: NetOp Host CVE-2004-0949 (The smb_recv_trans2 function call in the samba filesystem (smbfs) in L ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - linux-2.6 (Fixed before upload into archive; 2.6.9) CVE-2004-0948 REJECTED CVE-2004-0947 (Buffer overflow in unarj before 2.63a-r2 allows remote attackers to ex ...) {DSA-652-1} NOTE: see http://lwn.net/Alerts/110733/ - arj (sarge's unarj is from a different code base, probably not vulnerable) CVE-2004-0946 (rquotad in nfs-utils (rquota_server.c) before 1.0.6-r6 on 64-bit archi ...) - nfs-utils (does not apply per maintainer) CVE-2004-0945 (The web management interface for Mitel 3300 Integrated Communications ...) NOT-FOR-US: Mitel 3300 Integrated Communications Platform CVE-2004-0944 (The web management interface for Mitel 3300 Integrated Communications ...) NOT-FOR-US: Mitel 3300 Integrated Communications Platform CVE-2004-0943 REJECTED CVE-2004-0942 (Apache webserver 2.0.52 and earlier allows remote attackers to cause a ...) - apache2 2.0.52-2 CVE-2004-0941 (Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 an ...) {DSA-602-1 DSA-601-1} - libgd2 2.0.33-1.1 - libgd 1.8.4-36.1 CVE-2004-0940 (Buffer overflow in the get_tag function in mod_include for Apache 1.3. ...) {DSA-594-1} - apache 1.3.33-2 CVE-2004-0939 (changepassword.cgi in Neoteris Instant Virtual Extranet (IVE) 3.x and ...) NOT-FOR-US: Neoteris Instant Virtual Extranet CVE-2004-0938 (FreeRADIUS before 1.0.1 allows remote attackers to cause a denial of s ...) - freeradius 1.0.1 CVE-2004-0937 (Sophos Anti-Virus before 3.87.0, and Sophos Anti-Virus for Windows 95, ...) NOT-FOR-US: Sophos Anti-Virus CVE-2004-0936 (RAV antivirus allows remote attackers to bypass antivirus protection v ...) NOT-FOR-US: RAV antivirus CVE-2004-0935 (Eset Anti-Virus before 1.020 (16th September 2004) allows remote attac ...) NOT-FOR-US: Eset anti-virus CVE-2004-0934 (Kaspersky 3.x to 4.x allows remote attackers to bypass antivirus prote ...) NOT-FOR-US: Kaspersky antivirus CVE-2004-0933 (Computer Associates (CA) InoculateIT 6.0, eTrust Antivirus r6.0 throug ...) NOT-FOR-US: Computer Associates (CA) InoculateIT 6.0, eTrust Antivirus CVE-2004-0932 (McAfee Anti-Virus Engine DATS drivers before 4398 released on Oct 13th ...) NOT-FOR-US: McAfee Anti-Virus Engine DATS drivers CVE-2004-0931 (MySQL MaxDB before 7.5.00.18 allows remote attackers to cause a denial ...) - maxdb-7.5.00 7.5.00.18 CVE-2004-0930 (The ms_fnmatch function in Samba 3.0.4 and 3.0.7 and possibly other ve ...) - samba 3.0.8-1 CVE-2004-0929 (Heap-based buffer overflow in the OJPEGVSetField function in tif_ojpeg ...) - tiff3g CVE-2004-0928 (The Microsoft IIS Connector in JRun 4.0 and Macromedia ColdFusion MX 6 ...) NOT-FOR-US: Macromedia CVE-2004-0927 (ServerAdmin in Mac OS X 10.2.8 through 10.3.5 uses the same example se ...) NOT-FOR-US: MacOS CVE-2004-0926 (Heap-based buffer overflow in Apple QuickTime on Mac OS 10.2.8 through ...) NOT-FOR-US: MacOS CVE-2004-0925 (Postfix on Mac OS X 10.3.x through 10.3.5, with SMTPD AUTH enabled, do ...) NOT-FOR-US: MacOS CVE-2004-0924 (NetInfo Manager on Mac OS X 10.3.x through 10.3.5, after an initial ro ...) NOT-FOR-US: MacOS CVE-2004-0923 (CUPS 1.1.20 and earlier records authentication information for a devic ...) {DSA-566-1} - cupsys 1.1.20final+rc1-9 - cups 1.1.20final+rc1-9 CVE-2004-0922 (AFP Server on Mac OS X 10.3.x to 10.3.5, under certain conditions, doe ...) NOT-FOR-US: MacOS CVE-2004-0921 (AFP Server on Mac OS X 10.3.x to 10.3.5, when a guest has mounted an A ...) NOT-FOR-US: MacOS CVE-2004-0920 (Symantec Norton AntiVirus 2004, and earlier versions, allows a virus o ...) NOT-FOR-US: norton CVE-2004-0919 (The syscons CONS_SCRSHOT ioctl in FreeBSD 5.x allows local users to re ...) NOT-FOR-US: FreeBSD CVE-2004-0918 (The asn_parse_header function (asn1.c) in the SNMP module for Squid We ...) {DSA-576-1} - squid 2.5.7 CVE-2004-0917 (The default installation of Vignette Application Portal installs the d ...) NOT-FOR-US: Vignette Application Portal CVE-2004-0916 (Directory traversal vulnerability in cabextract before 1.1 allows remo ...) {DSA-574-1} - cabextract 1.1-1 CVE-2004-0915 (Multiple unknown vulnerabilities in viewcvs before 0.9.2, when exporti ...) {DSA-605-1} - viewcvs 0.9.2+cvs.1.0.dev.2004.07.28-1.2 (bug #284237) CVE-2004-0914 (Multiple vulnerabilities in libXpm for 6.8.1 and earlier, as used in X ...) {DSA-607-1} NOTE: Previous -9 fix had some issues of its own - xfree86 4.3.0.dfsg.1-14 (bug #309143) NOTE: lesstif1 and 2 have to be fixed separately - lesstif1-1 1:0.93.94-11.3 (bug #294099) NOTE: but lesstif2 did get fixed for this hole.. - lesstif2 1:0.93.94-11.2 - openmotif 2.2.3-1.1 (bug #309819; medium) [sarge] - openmotif (Non-free) CVE-2004-0913 (Unknown vulnerability in ecartis 0.x before 0.129a+1.0.0-snap20020514- ...) {DSA-572-1} - ecartis 1.0.0+cvs.20030911-8 CVE-2004-0912 RESERVED CVE-2004-0911 (telnetd for netkit 0.17 and earlier, and possibly other versions, on D ...) {DSA-569-1 DSA-556-1} - netkit-telnet-ssl 0.17.24+0.1-4 - netkit-telnet 0.17-26 CVE-2004-0910 REJECTED CVE-2004-0909 (Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and ...) - mozilla-firefox 0.10.1+1.0PR - mozilla 2:1.7.3 - mozilla-thunderbird 0.8 CVE-2004-0908 (Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and ...) - mozilla-firefox 0.10.1+1.0PR - mozilla 2:1.7.3 - mozilla-thunderbird 0.8 CVE-2004-0907 (The Linux install .tar.gz archives for Mozilla Firefox before the Prev ...) - mozilla-firefox (non-Debian packaging issue) CVE-2004-0906 (The XPInstall installer in Mozilla Firefox before the Preview Release, ...) - mozilla-firefox 0.10.1+1.0PR - mozilla 2:1.7.3 - mozilla-thunderbird 0.8 CVE-2004-0905 (Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and ...) - mozilla-firefox 0.10.1+1.0PR - mozilla 2:1.7.3 - mozilla-thunderbird 0.8 CVE-2004-0904 (Integer overflow in the bitmap (BMP) decoder for Mozilla Firefox befor ...) - mozilla-firefox 0.10.1+1.0PR - mozilla 2:1.7.3 - mozilla-thunderbird 0.8 CVE-2004-0903 (Stack-based buffer overflow in the writeGroup function in nsVCardObj.c ...) - mozilla-firefox 0.10.1+1.0PR - mozilla 2:1.7.3 - mozilla-thunderbird 0.8 CVE-2004-0902 (Multiple heap-based buffer overflows in Mozilla Firefox before the Pre ...) - mozilla-firefox 0.10.1+1.0PR - mozilla 2:1.7.3 - mozilla-thunderbird 0.8 CVE-2004-0901 (Microsoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in Wo ...) NOT-FOR-US: Microsoft CVE-2004-0900 (The DHCP Server service for Microsoft Windows NT 4.0 Server and Termin ...) NOT-FOR-US: Microsoft CVE-2004-0899 (The DHCP Server service for Microsoft Windows NT 4.0 Server and Termin ...) NOT-FOR-US: Microsoft CVE-2004-0898 RESERVED CVE-2004-0897 (The Indexing Service for Microsoft Windows XP and Server 2003 does not ...) NOT-FOR-US: Windows CVE-2004-0896 RESERVED CVE-2004-0895 RESERVED CVE-2004-0894 (LSASS (Local Security Authority Subsystem Service) of Windows 2000 Ser ...) NOT-FOR-US: Microsoft CVE-2004-0893 (The Local Procedure Call (LPC) interface of the Windows Kernel for Win ...) NOT-FOR-US: Microsoft CVE-2004-0892 (Microsoft Proxy Server 2.0 and Microsoft ISA Server 2000 (which is inc ...) NOT-FOR-US: Microsoft CVE-2004-0891 (Buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 all ...) - gaim 1:1.0.2 CVE-2004-0890 REJECTED CVE-2004-0889 (Multiple integer overflows in xpdf 3.0, and other packages that use xp ...) - xpdf 3.00-10 (medium) CVE-2004-0888 (Multiple integer overflows in xpdf 2.0 and 3.0, and other packages tha ...) {DSA-599-1 DSA-581-1 DSA-573-1} - koffice 1:1.3.4-1 - tetex-bin 2.0.2-23 - xpdf 3.00-9 - gpdf 2.8.0-1 - kdegraphics 4:3.3.1-1 (bug #280373) - cupsys 1.1.22-6 (bug #324460) - cups 1.1.22-6 (bug #324460) NOTE: cupsys switched to an xpdf-utils wrapper in version 1.1.22-6. NOTE: In version 1.1.20final+rc1-10, the dormant code in the source NOTE: package was fixed. CVE-2004-0887 (SUSE Linux Enterprise Server 9 on the S/390 platform does not properly ...) {DSA-1018-1} - linux-2.6 (Fixed before upload into archive) - kernel-source-2.6.8 2.6.8-10 CVE-2004-0886 (Multiple integer overflows in libtiff 3.6.1 and earlier allow remote a ...) {DSA-567-1} - kdegraphics 3.3.2-1 - tiff 3.6.1-2 - tiff3 (fixed prior to initial upload) CVE-2004-0885 (The mod_ssl module in Apache 2.0.35 through 2.0.52, when using the "SS ...) - apache2 2.0.52-2 - libapache-mod-ssl 2.8.20-1 CVE-2004-0884 (The (1) libsasl and (2) libsasl2 libraries in Cyrus-SASL 2.1.18 and ea ...) {DSA-568-1 DSA-563-3} - cyrus-sasl - cyrus-sasl2 2.1.19-1.3 (bug #275431; bug #276865; bug #275432; bug #275553) CVE-2004-0883 (Multiple vulnerabilities in the samba filesystem (smbfs) in Linux kern ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - linux-2.6 (Fixed before upload into archive, 2.6.10) - kernel-source-2.4.27 2.4.27-6 [sarge] - kernel-source-2.6.8 2.6.8-13 CVE-2004-0882 (Buffer overflow in the QFILEPATHINFO request handler in Samba 3.0.x th ...) NOTE: details http://security.e-matters.de/advisories/132004.html - samba 3.0.7 CVE-2004-0881 (getmail 4.x before 4.2.0, and other versions before 3.2.5, when run as ...) {DSA-553-1} - getmail 3.2.5-1 CVE-2004-0880 (getmail 4.x before 4.2.0, when run as root, allows local users to over ...) {DSA-553-1} - getmail 3.2.5-1 CVE-2004-0879 RESERVED CVE-2004-0878 RESERVED CVE-2004-0877 RESERVED CVE-2004-0876 RESERVED CVE-2004-0875 (Multiple cross-site scripting (XSS) vulnerabilities in Phpgroupware (a ...) - phpgroupware 0.9.16.002 CVE-2004-0874 REJECTED CVE-2004-0873 (Apple iChat AV 2.1, AV 2.0, and 1.0.1 allows remote attackers to execu ...) NOT-FOR-US: apple CVE-2004-0872 (Opera does not prevent cookies that are sent over an insecure channel ...) NOT-FOR-US: Opera CVE-2004-0871 (Mozilla does not prevent cookies that are sent over an insecure channe ...) NOTE: upstream knows about the problem, no fix expected NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=252342 NOTE: http://www.securitytracker.com/alerts/2004/Sep/1011331.html NOTE: fix doesn't look likely any time soon CVE-2004-0870 (KDE Konqueror does not prevent cookies that are sent over an insecure ...) NOTE: upstream knows about the problem, no fix expected NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=252342 NOTE: http://www.securitytracker.com/alerts/2004/Sep/1011331.html NOTE: fix doesn't look likely any time soon CVE-2004-0869 (Internet Explorer does not prevent cookies that are sent over an insec ...) NOT-FOR-US: MSIE CVE-2004-0868 REJECTED CVE-2004-0867 (Mozilla Firefox 0.9.2 allows web sites to set cookies for country-spec ...) - mozilla-firefox 0.9.3 CVE-2004-0866 (Internet Explorer 6.0 allows web sites to set cookies for country-spec ...) NOT-FOR-US: MSIE CVE-2004-0865 RESERVED CVE-2004-0864 RESERVED CVE-2004-0863 RESERVED CVE-2004-0862 RESERVED CVE-2004-0861 REJECTED CVE-2004-0860 REJECTED CVE-2004-0859 REJECTED CVE-2004-0858 REJECTED CVE-2004-0857 REJECTED CVE-2004-0856 REJECTED CVE-2004-0855 REJECTED CVE-2004-0854 REJECTED CVE-2004-0853 REJECTED CVE-2004-0852 (Buffer overflow in htget 0.93 allows remote attackers to execute arbit ...) {DSA-611-1} - htget CVE-2004-0851 (The (1) write_list and (2) dump_curr_list functions in Net-Acct before ...) {DSA-559-1} - net-acct 0.71-7 CVE-2004-0850 (Star before 1.5_alpha46 does not drop the effective user ID (euid) bef ...) - star 1.5a46 CVE-2004-0849 (Integer overflow in the asn_decode_string() function defined in asn1.c ...) NOT-FOR-US: GNU Radius CVE-2004-0848 (Buffer overflow in Microsoft Office XP allows remote attackers to exec ...) NOT-FOR-US: microsoft CVE-2004-0847 (The Microsoft .NET forms authentication capability for ASP.NET allows ...) NOT-FOR-US: microsoft CVE-2004-0846 (Unknown vulnerability in Microsoft Excel 2000, 2002, 2001 for Mac, and ...) NOT-FOR-US: microsoft CVE-2004-0845 (Internet Explorer 5.01, 5.5, and 6 does not properly cache SSL content ...) NOT-FOR-US: microsoft CVE-2004-0844 (Internet Explorer 6 on Double Byte Character Set (DBCS) systems allows ...) NOT-FOR-US: microsoft CVE-2004-0843 (Internet Explorer 5.5 and 6 does not properly handle plug-in navigatio ...) NOT-FOR-US: microsoft CVE-2004-0842 (Internet Explorer 6.0 SP1 and earlier, and possibly other versions, al ...) NOT-FOR-US: microsoft CVE-2004-0841 (Internet Explorer 6.x allows remote attackers to install arbitrary pro ...) NOT-FOR-US: microsoft CVE-2004-0840 (The SMTP (Simple Mail Transfer Protocol) component of Microsoft Window ...) NOT-FOR-US: microsoft CVE-2004-0839 (Internet Explorer in Windows XP SP2, and other versions including 5.01 ...) NOT-FOR-US: microsoft CVE-2004-0837 (MySQL 4.x before 4.0.21, and 3.x before 3.23.49, allows attackers to c ...) {DSA-562-2} - mysql CVE-2004-0836 (Buffer overflow in the mysql_real_connect function in MySQL 4.x before ...) {DSA-562-2} - mysql CVE-2004-0835 (MySQL 3.x before 3.23.59, 4.x before 4.0.19, 4.1.x before 4.1.2, and 5 ...) {DSA-562-2} - mysql CVE-2004-0834 (Format string vulnerability in Speedtouch USB driver before 1.3.1 allo ...) - speedtouch 1.3.1 CVE-2004-0833 (Sendmail before 8.12.3 on Debian GNU/Linux, when using sasl and sasl-b ...) {DSA-554-1} - sendmail 8.13.1-13 CVE-2004-0832 (The (1) ntlm_fetch_string and (2) ntlm_get_string functions in Squid 2 ...) - squid 2.5.6-8 CVE-2004-0831 (McAfee VirusScan 4.5.1 does not drop SYSTEM privileges before allowing ...) NOT-FOR-US: McAfee CVE-2004-0830 (The Content Scanner Server in F-Secure Anti-Virus for Microsoft Exchan ...) NOT-FOR-US: Microsoft CVE-2004-0829 (smbd in Samba before 2.2.11 allows remote attackers to cause a denial ...) - samba 2.2.11 CVE-2004-0828 (The ctstrtcasd program in RSCT 2.3.0.0 and earlier on IBM AIX 5.2 and ...) NOTE: not-fos-us (AIX) CVE-2004-0827 (Multiple buffer overflows in the ImageMagick graphics library 5.x befo ...) {DSA-547-1} - imagemagick 5:6.0.7.1-1 CVE-2004-0826 (Heap-based buffer overflow in Netscape Network Security Services (NSS) ...) NOT-FOR-US: netscape NSS CVE-2004-0825 (QuickTime Streaming Server in Mac OS X Server 10.2.8, 10.3.4, and 10.3 ...) NOT-FOR-US: Apple CVE-2004-0824 (PPPDialer for Mac OS X 10.2.8 through 10.3.5 allows local users to ove ...) NOT-FOR-US: Apple CVE-2004-0823 (OpenLDAP 1.0 through 2.1.19, as used in Apple Mac OS 10.3.4 and 10.3.5 ...) NOT-FOR-US: Apple CVE-2004-0822 (Buffer overflow in The Core Foundation framework (CoreFoundation.frame ...) NOT-FOR-US: Apple CVE-2004-0821 (The CFPlugIn in Core Foundation framework in Mac OS X allows user supp ...) NOT-FOR-US: Apple CVE-2004-0820 (Winamp before 5.0.4 allows remote attackers to execute arbitrary scrip ...) NOT-FOR-US: winamp CVE-2004-0819 (The bridge functionality in OpenBSD 3.4 and 3.5, when running a gatewa ...) NOT-FOR-US: openbsd CVE-2004-0818 REJECTED CVE-2004-0817 (Multiple heap-based buffer overflows in the imlib BMP image handler al ...) {DSA-548-2} - imlib+png2 1.9.14-16.2 - imlib 1.9.14-17 (bug #285025) CVE-2004-0816 (Integer underflow in the firewall logging rules for iptables in Linux ...) - linux-2.6 (Fixed before upload into archive; 2.6.8) - kernel-source-2.4.27 (2.6 specific issue) CVE-2004-0815 (The unix_clean_name function in Samba 2.2.x through 2.2.11, and 3.0.x ...) {DSA-600-1} - samba 3.0.6-1 (bug #274342) CVE-2004-0814 (Multiple race conditions in the terminal layer in Linux 2.4.x, and 2.6 ...) - linux-2.6 (Fixed before upload into archive; 2.6.9) [sarge] - kernel-source-2.6.8 2.6.8-8 - kernel-source-2.4.27 2.4.27-7 CVE-2004-0813 (Unknown vulnerability in the SG_IO functionality in ide-cd allows loca ...) - linux-2.6 (Fixed before upload into archive, 2.6.10) - kernel-source-2.4.27 (Only an issue with botched permissions) CVE-2004-0812 (Unknown vulnerability in the Linux kernel before 2.4.23, on the AMD AM ...) - linux-2.6 (Fixed before upload into archive, 2.6.0-test10) - kernel-source-2.4.27 (2.4 not support for amd64) CVE-2004-0811 (Unknown vulnerability in Apache 2.0.51 prevents "the merging of the Sa ...) - apache2 2.0.52 CVE-2004-0810 (Buffer overflow in Netopia Timbuktu 7.0.3 allows remote attackers to c ...) NOT-FOR-US: Netopia Timbuktu CVE-2004-0809 (The mod_dav module in Apache 2.0.50 and earlier allows remote attacker ...) {DSA-558-1} - apache2 2.0.51-1 - libapache-mod-dav 1.0.3-10 CVE-2004-0808 (The process_logon_packet function in the nmbd server for Samba 3.0.6 a ...) - samba 3.0.7 CVE-2004-0807 (Samba 3.0.6 and earlier allows remote attackers to cause a denial of s ...) - samba 3.0.7 CVE-2004-0806 (cdrecord in the cdrtools package before 2.01, when installed setuid ro ...) - cdrtools 4:2.0+a34-2 CVE-2004-0805 (Buffer overflow in layer2.c in mpg123 0.59r and possibly mpg123 0.59s ...) {DSA-564-1} - mpg123 0.59r-16 - mp3gain 1.5.2-r2-6 (low) [wheezy] - mp3gain 1.5.2-r2-2+deb7u1 [squeeze] - mp3gain (Minor issue) CVE-2004-0804 (Vulnerability in tif_dirread.c for libtiff allows remote attackers to ...) {DSA-567-1} - kdegraphics 3.3.2-1 - tiff 3.6.1-2 - tiff3 (fixed prior to initial upload) CVE-2004-0803 (Multiple vulnerabilities in the RLE (run length encoding) decoders for ...) {DSA-567-1} - kdegraphics 3.3.2-1 - tiff 3.6.1-2 - tiff3 (fixed prior to initial upload) CVE-2004-0802 (Buffer overflow in the BMP loader in imlib2 before 1.1.2 allows remote ...) {DSA-552-1} - imlib2 1.1.0-12.4 CVE-2004-0801 (Unknown vulnerability in foomatic-rip in Foomatic before 3.0.2 allows ...) - foomatic-filters 3.0.2 CVE-2004-0800 (Format string vulnerability in CDE Mailer (dtmail) on Solaris 8 and 9 ...) NOT-FOR-US: Solaris CVE-2004-0799 (The HTTP daemon in Ipswitch WhatsUp Gold 8.03 and 8.03 Hotfix 1 allows ...) NOT-FOR-US: Ipswitch WhatsUp Gold CVE-2004-0798 (Buffer overflow in the _maincfgret.cgi script for Ipswitch WhatsUp Gol ...) NOT-FOR-US: Ipswitch WhatsUp Gold CVE-2004-0797 (The error handling in the (1) inflate and (2) inflateBack functions in ...) - zlib 1:1.2.1.1-6 [woody] - zlib (zlib 1.1 is not affected) CVE-2004-0796 (SpamAssassin 2.5x, and 2.6x before 2.64, allows remote attackers to ca ...) - spamassassin 2.64 CVE-2004-0795 (DB2 8.1 remote command server (DB2RCMD.EXE) executes the db2rcmdc.exe ...) NOT-FOR-US: IBM DB2 DB2RCMD.EXE CVE-2004-0794 (Multiple signal handler race conditions in lukemftpd (aka tnftpd befor ...) {DSA-551-1} - lukemftpd 1.1-2.2 (bug #266370) CVE-2004-0793 (The calendar program in bsdmainutils 6.0 through 6.0.14 does not drop ...) - bsdmainutils 6.0.15 CVE-2004-0792 (Directory traversal vulnerability in the sanitize_path function in uti ...) {DSA-538} - rsync 2.6.2-3 CVE-2004-0791 (Multiple TCP/IP and ICMP implementations allow remote attackers to cau ...) - kernel-source-2.4.27 (Kernel verifies the TCP sequence nr. on errors, will never abort) - linux-2.6 (Kernel verifies the TCP sequence nr. on errors, will never abort) CVE-2004-0790 (Multiple TCP/IP and ICMP implementations allow remote attackers to cau ...) - kernel-source-2.6.8 2.6.8-16 (bug #305664) - kernel-source-2.4.27 2.4.27-10 (bug #305664) CVE-2004-0789 (Multiple implementations of the DNS protocol, including (1) Poslib 1.0 ...) NOT-FOR-US: DNS impleementations not in Debian CVE-2004-0788 (Integer overflow in the ICO image decoder for (1) gdk-pixbuf before 0. ...) {DSA-549-1 DSA-546-1} - gtk+2.0 2.4.9-2 - gdk-pixbuf 0.22.0-7 CVE-2004-0787 (Cross-site scripting (XSS) vulnerability in the web frontend in OpenCA ...) NOT-FOR-US: OpenCA CVE-2004-0786 (The IPv6 URI parsing routines in the apr-util library for Apache 2.0.5 ...) - apache (not vulnerable according to http://web.archive.org/web/20070529152436/http://www.debian.org/security/nonvulns-sarge) - apache2 2.0.51 CVE-2004-0785 (Multiple buffer overflows in Gaim before 0.82 allow remote attackers t ...) - gaim 1:0.82 CVE-2004-0784 (The smiley theme functionality in Gaim before 0.82 allows remote attac ...) - gaim 1:0.82 CVE-2004-0783 (Stack-based buffer overflow in xpm_extract_color (io-xpm.c) in the XPM ...) {DSA-549-1} - gtk+2.0 2.4.9-2 CVE-2004-0782 (Integer overflow in pixbuf_create_from_xpm (io-xpm.c) in the XPM image ...) {DSA-549-1 DSA-546-1} - gtk+2.0 2.4.9-2 - gdk-pixbuf 0.22.0-7 CVE-2004-0781 (Cross-site scripting (XSS) vulnerability in list.cgi in the Icecast in ...) {DSA-541} - icecast-server 1:1.3.12-8 CVE-2004-0780 (Buffer overflow in uustat in Sun Solaris 8 and 9 allows local users to ...) NOT-FOR-US: Solaris CVE-2004-0779 (The (1) Mozilla 1.6, (2) Firebird 0.7 and (3) Firefox 0.8 web browsers ...) - mozilla 2:1.7 - mozilla-firefox 0.9 CVE-2004-0778 (CVS 1.11.x before 1.11.17, and 1.12.x before 1.12.9, allows remote att ...) - cvs 1:1.12.9 CVE-2004-0777 (Format string vulnerability in the auth_debug function in Courier-IMAP ...) - courier 0.45.6-1 (medium; bug #266723) NOTE: 0.45.6-1 is the first upload after the debug stuff rewrite NOTE: mentioned in the bug report. CVE-2004-0776 RESERVED CVE-2004-0775 (Buffer overflow in WIDCOMM Bluetooth Connectivity Software, as used in ...) NOT-FOR-US: Windows CVE-2004-0774 (RealNetworks Helix Universal Server 9.0.2 for Linux and 9.0.3 for Wind ...) NOT-FOR-US: Real Helix server CVE-2004-0773 RESERVED CVE-2004-0772 (Double free vulnerabilities in error handling code in krb524d for MIT ...) {DSA-543-1} - krb5 1.3.4-3 CVE-2004-0771 (Buffer overflow in the extract_one function from lhext.c in LHA may al ...) - lha 1.14i-9 (bug #279870) CVE-2004-0770 (romload.c in DGen Emulator 1.23 and earlier allows local users to over ...) - dgen 1.23-6 CVE-2004-0769 (Buffer overflow in LHA allows remote attackers to execute arbitrary co ...) - lha 1.14i-9 (bug #279870) CVE-2004-0768 (libpng 1.2.5 and earlier does not properly calculate certain buffer of ...) {DSA-536} - libpng 1.0.15-6 - libpng3 1.2.5.0-7 CVE-2004-0767 (NGSEC StackDefender 1.10 allows attackers to cause a denial of service ...) NOT-FOR-US: NGSEC StackDefender CVE-2004-0766 (NGSEC StackDefender 2.0 allows attackers to cause a denial of service ...) NOT-FOR-US: NGSEC StackDefender CVE-2004-0765 (The cert_TestHostName function in Mozilla before 1.7, Firefox before 0 ...) - mozilla 2:1.7 - mozilla-firefox 0.9 CVE-2004-0764 (Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, al ...) - mozilla 2:1.7 - mozilla-firefox 0.9 CVE-2004-0763 (Mozilla Firefox 0.9.1 and 0.9.2 allows remote web sites to spoof certi ...) - mozilla-firefox 0.9.3 CVE-2004-0762 (Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, al ...) - mozilla 2:1.7 - mozilla-firefox 0.9 CVE-2004-0761 (Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, al ...) - mozilla 2:1.7 - mozilla-firefox 0.9 CVE-2004-0760 (Mozilla allows remote attackers to cause Mozilla to open a URI as a di ...) - mozilla 2:1.7.2 - mozilla-firefox 0.9.3 CVE-2004-0759 (Mozilla before 1.7 allows remote web servers to read arbitrary files v ...) - mozilla 2:1.7 CVE-2004-0758 (Mozilla 1.5 through 1.7 allows a CA certificate to be imported even wh ...) - mozilla 2:1.7.2 - mozilla-firefox 0.9.3 CVE-2004-0757 (Heap-based buffer overflow in the SendUidl in the POP3 capability for ...) - mozilla 2:1.7 - mozilla-firefox 0.9 CVE-2004-0756 REJECTED CVE-2004-0755 (The FileStore capability in CGI::Session for Ruby before 1.8.1, and po ...) {DSA-537} - ruby1.8 1.8.1+1.8.2pre1-4 - ruby CVE-2004-0754 (Integer overflow in Gaim before 0.82 allows remote attackers to cause ...) - gaim 1:0.82.1-1 CVE-2004-0753 (The BMP image processor for (1) gdk-pixbuf before 0.22 and (2) gtk2 be ...) {DSA-546-1} - gdk-pixbuf 0.22.0-7 CVE-2004-0752 (OpenOffice (OOo) 1.1.2 creates predictable directory names with insecu ...) - openoffice.org 1.1.2-4 CVE-2004-0751 (The char_buffer_read function in the mod_ssl module for Apache 2.x, wh ...) - apache2 2.0.50-11 CVE-2004-0750 (Unknown vulnerability in redhat-config-nfs before 1.0.13, when shares ...) NOT-FOR-US: Red Hat specific CVE-2004-0749 (The mod_authz_svn module in Subversion 1.0.7 and earlier does not prop ...) - subversion 1.0.9-2 CVE-2004-0748 (mod_ssl in Apache 2.0.50 and earlier allows remote attackers to cause ...) - apache2 2.0.51 CVE-2004-0747 (Buffer overflow in Apache 2.0.50 and earlier allows local users to gai ...) [sarge] - apache2 - apache2 2.0.51 CVE-2004-0746 (Konqueror in KDE 3.2.3 and earlier allows web sites to set cookies for ...) [sarge] - kdelibs 4:3.2.3-3.sarge.1 - kdelibs 4:3.3 CVE-2004-0745 (LHA 1.14 and earlier allows attackers to execute arbitrary commands vi ...) - lha 1.14i-10 (bug #279870) CVE-2004-0744 (The TCP/IP Networking component in Mac OS X before 10.3.5 allows remot ...) NOT-FOR-US: MacOS CVE-2004-0743 (Safari in Mac OS X before 10.3.5, after sending form data using the PO ...) NOT-FOR-US: MacOS CVE-2004-0742 (Sun Java System Portal Server 6.2 (formerly Sun ONE) allows remote aut ...) NOT-FOR-US: Sun Java System Portal Server CVE-2004-0741 (LionMax Software WWW File Share Pro 2.60 allows remote attackers to ca ...) NOT-FOR-US: LionMax Software WWW File Share Pro CVE-2004-0740 (The HTTP server in Lexmark T522 and possibly other models allows remot ...) NOT-FOR-US: Lexmark CVE-2004-0739 (Buffer overflow in Whisper FTP Surfer 1.0.7 allows remote FTP servers ...) NOT-FOR-US: Whisper FTP Surfer CVE-2004-0738 (Multiple SQL injection vulnerabilities in the Search module in Php-Nuk ...) NOT-FOR-US: phpnuke CVE-2004-0737 (Multiple cross-site scripting vulnerabilities in index.php in the Sear ...) NOT-FOR-US: phpnuke CVE-2004-0736 (The search module in Php-Nuke allows remote attackers to gain sensitiv ...) NOT-FOR-US: phpnuke CVE-2004-0735 (Buffer overflow in Medal of Honor (1) Allied Assault 1.11v9 and earlie ...) NOT-FOR-US: various windows games CVE-2004-0734 (Web_Store.cgi allows remote attackers to execute arbitrary commands vi ...) NOT-FOR-US: Web_Store.cgi CVE-2004-0733 (Format string vulnerability in OllyDbg 1.10 allows remote attackers to ...) NOT-FOR-US: OllyDbg CVE-2004-0732 (SQL injection vulnerability in index.php in the Search module for Php- ...) NOT-FOR-US: phpnuke CVE-2004-0731 (Cross-site scripting (XSS) vulnerability in index.php in the Search mo ...) NOT-FOR-US: phpnuke CVE-2004-0730 (Multiple cross-site scripting (XSS) vulnerabilities in PhpBB 2.0.8 all ...) - phpbb2 2.0.10 CVE-2004-0729 (PhpBB 2.0.8 allows remote attackers to gain sensitive information via ...) - phpbb2 2.0.10 CVE-2004-0728 (The Remote Control Client service in Microsoft's Systems Management Se ...) NOT-FOR-US: Microsoft CVE-2004-0727 (Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, ...) NOT-FOR-US: Microsoft CVE-2004-0726 (The Windows Media Player control in Microsoft Windows 2000 allows remo ...) NOT-FOR-US: Microsoft CVE-2004-0725 (Cross-site scripting (XSS) vulnerability in help.php in Moodle 1.3.2 a ...) - moodle 1.4 CVE-2004-0724 (The Half-Life engine before July 7 2004 allows remote attackers to cau ...) NOT-FOR-US: Half Life CVE-2004-0723 (Microsoft Java virtual machine (VM) 5.0.0.3810 allows remote attackers ...) NOT-FOR-US: Microsoft CVE-2004-0722 (Integer overflow in the SOAPParameter object constructor in (1) Netsca ...) - mozilla 2:1.6 CVE-2004-0721 (Konqueror 3.1.3, 3.2.2, and possibly other versions does not properly ...) [sarge] - kdebase 4:3.2.3-1.sarge.1 [sarge] - kdelibs 4:3.2.3-3.sarge.1 - kdelibs 4:3.3.0-1 - kdebase 4:3.3.0-1 CVE-2004-0720 (Safari 1.2.2 does not properly prevent a frame in one domain from inje ...) NOT-FOR-US: Safari CVE-2004-0719 (Internet Explorer for Mac 5.2.3, Internet Explorer 6 on Windows XP, an ...) NOT-FOR-US: Microsoft CVE-2004-0718 (The (1) Mozilla 1.6, (2) Firebird 0.7, (3) Firefox 0.8, and (4) Netsca ...) {DSA-810-1 DSA-777-1 DSA-775-1 DTSA-7-1 DTSA-8-2 DTSA-14-1} NOTE: This has been fixed in mozilla-firefox 0.8 and mozilla 1.6, but recent NOTE: upstream versions became vulnerable again, see NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=296850 NOTE: and were fixed again, it got CVE-2005-1937 for the reversion - mozilla 2:1.7.10-1 (medium) - mozilla-firefox 1.0.6-1 (medium) CVE-2004-0717 (Opera 7.51 for Windows and 7.50 for Linux does not properly prevent a ...) NOT-FOR-US: opera 7.50 CVE-2004-0716 (Buffer overflow in the DCE daemon (DCED) for the DCE endpoint mapper ( ...) NOT-FOR-US: HP-UX CVE-2004-0715 (The WebLogic Authentication provider for BEA WebLogic Server and WebLo ...) NOT-FOR-US: BEA WebLogic Server and WebLogic Express CVE-2004-0714 (Cisco Internetwork Operating System (IOS) 12.0S through 12.3T attempts ...) NOT-FOR-US: Cisco CVE-2004-0713 (The remove method in a stateful Enterprise JavaBean (EJB) in BEA WebLo ...) NOT-FOR-US: BEA WebLogic Server and WebLogic Express CVE-2004-0712 (The configuration tools (1) config.sh in Unix or (2) config.cmd in Win ...) NOT-FOR-US: BEA WebLogic Server CVE-2004-0711 (The URL pattern matching feature in BEA WebLogic Server 6.x matches il ...) NOT-FOR-US: BEA WebLogic Server CVE-2004-0710 (IP Security VPN Services Module (VPNSM) in Cisco Catalyst 6500 Series ...) NOT-FOR-US: Cisco CVE-2004-0709 (HP OpenView Select Access 5.0 through 6.0 does not correctly decode UT ...) NOT-FOR-US: HP OpenView Select Access CVE-2004-0708 (MoinMoin 1.2.1 and earlier allows remote attackers to gain privileges ...) - moin 1.2.2 CVE-2004-0707 (SQL injection vulnerability in editusers.cgi in Bugzilla 2.16.x before ...) - bugzilla 2.16.7-0.1 CVE-2004-0706 (Bugzilla 2.17.5 through 2.17.7 embeds the password in an image URL, wh ...) [woody] - bugzilla (Only 2.17.* versions are vulnerable) [sarge] - bugzilla (Only 2.17.* versions are vulnerable) - bugzilla 2.18-1 CVE-2004-0705 (Multiple cross-site scripting (XSS) vulnerabilities in (1) editcompone ...) - bugzilla 2.16.7-0.1 CVE-2004-0704 (Unknown vulnerability in (1) duplicates.cgi and (2) buglist.cgi in Bug ...) - bugzilla 2.16.7-0.1 CVE-2004-0703 (Unknown vulnerability in the administrative controls in Bugzilla 2.17. ...) [woody] - bugzilla (Only 2.17.* versions are vulnerable) [sarge] - bugzilla (Only 2.17.* versions are vulnerable) - bugzilla 2.18-1 CVE-2004-0702 (DBI in Bugzilla 2.17.1 through 2.17.7 displays the database password i ...) [woody] - bugzilla (Only 2.17.* versions are vulnerable) [sarge] - bugzilla (Only 2.17.* versions are vulnerable) - bugzilla 2.18-1 CVE-2004-0701 (Sun Ray Server Software (SRSS) 1.3 and 2.0 for Solaris 2.6, 7 and 8 do ...) NOT-FOR-US: Solaris CVE-2004-0700 (Format string vulnerability in the mod_proxy hook functions function i ...) {DSA-532} - libapache-mod-ssl 2.8.19-1 CVE-2004-0699 (Heap-based buffer overflow in ASN.1 decoding library in Check Point VP ...) NOT-FOR-US: Check Point VPN CVE-2004-0698 (4D WebSTAR 5.3.2 and earlier allows local users to read and modify arb ...) NOT-FOR-US: WebSTAR CVE-2004-0697 (Unknown vulnerability in 4D WebSTAR 5.3.2 and earlier allows remote at ...) NOT-FOR-US: WebSTAR CVE-2004-0696 (The ShellExample.cgi script in 4D WebSTAR 5.3.2 and earlier allows rem ...) NOT-FOR-US: WebSTAR CVE-2004-0695 (Stack-based buffer overflow in the FTP service for 4D WebSTAR 5.3.2 an ...) NOT-FOR-US: WebSTAR CVE-2004-0694 (Buffer overflow in LHA 1.14 and earlier allows remote attackers to cau ...) - lha 1.14i-10 (bug #279870) CVE-2004-0693 (The GIF parser in the QT library (qt3) before 3.3.3 allows remote atta ...) {DSA-542-1} - qt-x11-free 3:3.3.3-4 - qt-copy CVE-2004-0692 (The XPM parser in the QT library (qt3) before 3.3.3 allows remote atta ...) {DSA-542-1} - qt-x11-free 3:3.3.3-4 - qt-copy CVE-2004-0691 (Heap-based buffer overflow in the BMP image format parser for the QT l ...) {DSA-542-1} - qt-x11-free 3:3.3.3-4 - qt-copy CVE-2004-0690 (The DCOPServer in KDE 3.2.3 and earlier allows local users to gain una ...) [sarge] - kdelibs 4:3.2.3-3.sarge.1 - kdelibs 4:3.3.0-1 CVE-2004-0689 (KDE before 3.3.0 does not properly handle when certain symbolic links ...) {DSA-539} - kdelibs 4:3.3.0-1 CVE-2004-0688 (Multiple integer overflows in (1) the xpmParseColors function in parse ...) {DSA-561-1 DSA-560-1} NOTE: Matej Vela has checked that these are backported to lesstif1 as well - lesstif1-1 1:0.93.94-10 - openmotif 2.2.3-1.1 (bug #308819; low) [sarge] - openmotif (Non-free) - xfree86 4.3.0.dfsg.1-8 - xorg-x11 (Fixed before introduction into archive) CVE-2004-0687 (Multiple stack-based buffer overflows in (1) xpmParseColors in parse.c ...) {DSA-561-1 DSA-560-1} NOTE: Matej Vela has checked that these are backported to lesstif1 as well - lesstif1-1 1:0.93.94-10 - openmotif 2.2.3-1.1 (bug #308819; low) [sarge] - openmotif (Non-free) - xfree86 4.3.0.dfsg.1-8 - xorg-x11 (Fixed before introduction into archive) CVE-2004-0686 (Buffer overflow in Samba 2.2.x to 2.2.9, and 3.0.0 to 3.0.4, when the ...) - samba 3.0.5 (bug #260839; bug #260838) CVE-2004-0685 (Certain USB drivers in the Linux 2.4 kernel use the copy_to_user funct ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - kernel-source-2.4.27 2.4.27-1 CVE-2004-0684 (WebSphere Edge Component Caching Proxy in WebSphere Edge Server 5.02, ...) NOT-FOR-US: WebSphere Edge Server CVE-2004-0683 (Symantec Norton AntiVirus 2002 and 2003 allows remote attackers to cau ...) NOT-FOR-US: Norton CVE-2004-0682 (comersus_gatewayPayPal.asp in Comersus Cart 5.09, and possibly other v ...) NOT-FOR-US: Comersus Cart CVE-2004-0681 (Multiple cross-site scripting (XSS) vulnerabilities in (1) comersus_cu ...) NOT-FOR-US: Comersus Cart CVE-2004-0680 (Zoom X3 ADSL modem has a terminal running on port 254 that can be acce ...) NOT-FOR-US: Zoom DSL modem CVE-2004-0679 (The IP cloaking feature (cloak.c) in UnrealIRCd 3.2, and possibly othe ...) NOT-FOR-US: UnrealIRCd CVE-2004-0678 (Cross-site scripting (XSS) in one2planet.infolet.InfoServlet in 12Plan ...) NOT-FOR-US: 12Planet Chat Server CVE-2004-0677 (Fastream NETFile FTP Server 6.7.2.1085 and earlier allows remote attac ...) NOT-FOR-US: Fastream NETFile FTP Server CVE-2004-0676 (Directory traversal vulnerability in Fastream NETFile FTP/Web Server 6 ...) NOT-FOR-US: Fastream NETFile FTP Server CVE-2004-0675 (Cross-site scripting (XSS) vulnerability in (1) cart32.exe or (2) c32w ...) NOT-FOR-US: c32web.exe CVE-2004-0674 (Enterasys XSR-1800 series Security Routers, when running firmware 7.0. ...) NOT-FOR-US: Enterasys XSR-1800 series Security Routers CVE-2004-0673 (Cross-site scripting (XSS) vulnerability in SCI Photo Chat Server 3.4. ...) NOT-FOR-US: SCI Photo Chat Server CVE-2004-0672 (Multiple cross-site scripting (XSS) vulnerabilities in the primary and ...) NOT-FOR-US: Netegrity IdentityMinder Web Edition CVE-2004-0671 (Brightmail Spamfilter 6.0 and earlier beta releases allows remote atta ...) NOT-FOR-US: Brightmail Spamfilter CVE-2004-0670 (Prestige 650HW-31 running Rompager 4.7 software allows remote attacker ...) NOT-FOR-US: Rompager CVE-2004-0669 (Lotus Domino 6.5.0 and 6.5.1, with IMAP enabled, allows remote authent ...) NOT-FOR-US: Lotus CVE-2004-0668 (Web Access in Lotus Domino 6.5.1 allows remote attackers to cause a de ...) NOT-FOR-US: Lotus CVE-2004-0667 (Rule Set Based Access Control (RSBAC) 1.2.2 through 1.2.3 allows acces ...) NOTE: kernel-patch-adamantix contain the RSBAC patch v1.2.2 and is vulnerable. - kernel-patch-adamantix 1.6 CVE-2004-0666 (Off-by-one error in the POP3_readmsg function in popclient 3.0b6 allow ...) NOT-FOR-US: popclient CVE-2004-0665 (csFAQ.cgi in csFAQ allows remote attackers to gain sensitive informati ...) NOT-FOR-US: csFAQ CVE-2004-0664 (Directory traversal vulnerability in modules.php in PowerPortal 1.x al ...) NOT-FOR-US: PowerPortal CVE-2004-0663 (Cross-site scripting (XSS) vulnerability in modules.php in PowerPortal ...) NOT-FOR-US: PowerPortal CVE-2004-0662 (PowerPortal 1.x allows remote attackers to gain sensitive information ...) NOT-FOR-US: PowerPortal CVE-2004-0661 (Integer signedness error in D-Link AirPlus DI-614+ running firmware 2. ...) NOT-FOR-US: D-Link AirPlus DI-614+ CVE-2004-0660 (Cross-site scripting (XSS) vulnerability in (1) show_archives.php, (2) ...) NOT-FOR-US: CuteNews CVE-2004-0659 (Buffer overflow in TranslateFilename for common.c in MPlayer 1.0pre4 a ...) - mplayer (fixed before upload in archive; 1.0pre5) CVE-2004-0658 (Integer overflow in the hpsb_alloc_packet function (incorrectly report ...) - linux-2.6 (Invalid, according to Ben Collins) - kernel-source-2.4.27 (Invalid, according to Ben Collins) CVE-2004-0657 (Integer overflow in the NTP daemon (NTPd) before 4.0 causes the NTP se ...) - ntp 4.0 CVE-2004-0656 (The accept_client function in PureFTPd 1.0.18 and earlier allows remot ...) - pure-ftpd 1.0.19-1 CVE-2004-0655 (eupdatedb in esearch 0.6.1 and earlier allows local users to create ar ...) NOT-FOR-US: Gentoo specific CVE-2004-0654 (Unknown vulnerability in the Basic Security Module (BSM), when configu ...) NOT-FOR-US: Solaris CVE-2004-0653 (Solaris 9, when configured as a Kerberos client with patch 112908-12 o ...) NOT-FOR-US: Solaris CVE-2004-0652 (BEA WebLogic Server and WebLogic Express 7.0 through 7.0 Service Pack ...) NOT-FOR-US: BEA WebLogic Server and WebLogic Express CVE-2004-0651 (Unknown vulnerability in Sun Java Runtime Environment (JRE) 1.4.2 thro ...) NOT-FOR-US: Sun JRE CVE-2004-0650 (UploadServlet in Cisco Collaboration Server (CCS) running ServletExec ...) NOT-FOR-US: Cisco CVE-2004-0649 (Buffer overflow in write_packet in control.c for l2tpd may allow remot ...) {DSA-530} - l2tpd 0.70-pre20031121-2 CVE-2004-0648 (Mozilla (Suite) before 1.7.1, Firefox before 0.9.2, and Thunderbird be ...) - mozilla 2:1.7.1 - mozilla-firefox 0.9.2 - mozilla-thunderbird 0.7.2 CVE-2004-0647 (shorewall 1.4.10c and earlier, and 2.0.x before 2.0.3a, allows local u ...) - shorewall 2.0.3a CVE-2004-0646 (Buffer overflow in the WriteToLog function for JRun 3.0 through 4.0 we ...) NOT-FOR-US: JRun CVE-2004-0645 (Buffer overflow in the wvHandleDateTimePicture function in wv library ...) {DSA-579-1 DSA-550-1} - abiword 2.0.8 - wv 1.0.2-0.1 (bug #264972) NOTE: fixed version of abiword based on http://xforce.iss.net/xforce/xfdb/16660 CVE-2004-0644 (The asn1buf_skiptail function in the ASN.1 decoder library for MIT Ker ...) {DSA-543-1} - krb5 1.3.4-3 CVE-2004-0643 (Double free vulnerability in the krb5_rd_cred function for MIT Kerbero ...) {DSA-543-1} - krb5 1.3.4-3 CVE-2004-0642 (Double free vulnerabilities in the error handling code for ASN.1 decod ...) {DSA-543-1} - krb5 1.3.4-3 CVE-2004-0641 (Thomson SpeedTouch 510 ADSL Router with firmware GV8BAA3.270, and poss ...) NOT-FOR-US: Thomson hardware ADSL router CVE-2004-0640 (Format string vulnerability in the SSL_set_verify function in telnetd. ...) {DSA-529} - netkit-telnet-ssl 0.17.24+0.1-2 CVE-2004-0639 (Multiple cross-site scripting (XSS) vulnerabilities in Squirrelmail 1. ...) {DSA-535} - squirrelmail 2:1.4.3a-0.1 CVE-2004-0638 (Buffer overflow in the KSDWRTB function in the dbms_system package (db ...) NOT-FOR-US: Oracle CVE-2004-0637 (Oracle Database Server 8.1.7.4 through 9.2.0.4 allows local users to e ...) NOT-FOR-US: Oracle CVE-2004-0636 (Buffer overflow in the goaway function in the aim:goaway URI handler f ...) NOT-FOR-US: AOL Instant Messenger CVE-2004-0635 (The SNMP dissector in Ethereal 0.8.15 through 0.10.4 allows remote att ...) {DSA-528} - ethereal 0.10.5-1 CVE-2004-0634 (The SMB SID snooping capability in Ethereal 0.9.15 to 0.10.4 allows re ...) - ethereal 0.10.5 [woody] - ethereal (Not vulnerable according to DSA-528) CVE-2004-0633 (The iSNS dissector for Ethereal 0.10.3 through 0.10.4 allows remote at ...) - ethereal 0.10.5 [woody] - ethereal (Not vulnerable according to DSA-528) CVE-2004-0632 (Adobe Reader 6.0 does not properly handle null characters when splitti ...) NOT-FOR-US: adobe reader CVE-2004-0631 (Buffer overflow in the uudecoding feature for Adobe Acrobat Reader 5.0 ...) NOT-FOR-US: adobe acrobat CVE-2004-0630 (The uudecoding feature in Adobe Acrobat Reader 5.0.5 and 5.0.6 for Uni ...) NOT-FOR-US: adobe acrobat CVE-2004-0629 (Buffer overflow in the ActiveX component (pdf.ocx) for Adobe Acrobat 5 ...) NOT-FOR-US: adobe acrobat CVE-2004-0628 (Stack-based buffer overflow in MySQL 4.1.x before 4.1.3, and 5.0, allo ...) - mysql (Apparently 3.2 not exploitable, see #330164) - mysql-dfsg (Apparently 4.0 not exploitable, see #330164) - mysql-dfsg-4.1 (fixed before first upload; in 4.1.3) - mysql-dfsg-5.0 (fixed before first upload; in 5.0.0) CVE-2004-0627 (The check_scramble_323 function in MySQL 4.1.x before 4.1.3, and 5.0, ...) - mysql (Apparently 3.2 not exploitable, see #330164) - mysql-dfsg (Apparently 4.0 not exploitable, see #330164) - mysql-dfsg-4.1 4.1.11a-1 (bug #330164; bug #380507; medium) - mysql-dfsg-5.0 (Was fixed before MySQL 5.0 was uploaded into the archive) CVE-2004-0626 (The tcp_find_option function of the netfilter subsystem in Linux kerne ...) [sarge] - kernel-source-2.6.8 2.6.8-1 - kernel-source-2.4.27 - linux-2.6 (Fixed before upload into archive; 2.6.8) CVE-2004-0625 (SQL injection vulnerability in Infinity WEB 1.0 allows remote attacker ...) NOT-FOR-US: Infinity WEB CVE-2004-0624 (PHP remote file inclusion vulnerability in index.php for Artmedic link ...) NOT-FOR-US: Artmedic links CVE-2004-0623 (Format string vulnerability in misc.c in GNU GNATS 4.00 may allow remo ...) {DSA-590-1} - gnats 4.0-6.1 CVE-2004-0622 (Apple Mac OS X 10.3.4, 10.4, 10.5, and possibly other versions does no ...) NOT-FOR-US: MacOS CVE-2004-0621 (admin.php in Newsletter ZWS allows remote attackers to gain administra ...) NOT-FOR-US: Newsletter ZWS CVE-2004-0620 (Cross-site scripting (XSS) vulnerability in (1) newreply.php or (2) ne ...) NOT-FOR-US: vBulletin CVE-2004-0619 (Integer overflow in the ubsec_keysetup function for Linux Broadcom 582 ...) NOT-FOR-US: Linux Broadcom 5820 cryptonet driver NOTE: does not seem to be part of linux kernel or other package CVE-2004-0618 (FreeBSD 5.1 for the Alpha processor allows local users to cause a deni ...) NOT-FOR-US: freebsd CVE-2004-0617 (Cross-site scripting (XSS) vulnerability in ArbitroWeb 0.6 allows remo ...) NOT-FOR-US: ArbitroWeb CVE-2004-0616 (The BT Voyager 2000 Wireless ADSL Router has a default public SNMP com ...) NOT-FOR-US: BT Voyager 2000 Wireless ADSL Router CVE-2004-0615 (Cross-site scripting (XSS) vulnerability in D-Link DI-614+ SOHO router ...) NOT-FOR-US: D-Link DI-614+ SOHO router CVE-2004-0614 (osTicket trusts a hidden form field in the submit form to limit the up ...) NOT-FOR-US: osTicket CVE-2004-0613 (osTicket allows remote attackers to view sensitive uploaded files and ...) NOT-FOR-US: osTicket CVE-2004-0612 (The Mobile Code filter in ZoneAlarm Pro 5.0.590.015 does not filter mo ...) NOT-FOR-US: ZoneAlarm Pro CVE-2004-0611 (Web-Based Administration in Netgear FVS318 VPN Router allows remote at ...) NOT-FOR-US: Netgear FVS318 VPN Router CVE-2004-0610 (The Web administration interface in Microsoft MN-500 Wireless Router a ...) NOT-FOR-US: Microsoft MN-500 Wireless Router CVE-2004-0609 (rssh 2.0 through 2.1.x expands command line arguments before entering ...) - rssh 2.2.1 CVE-2004-0608 (The Unreal Engine, as used in DeusEx 1.112fm and earlier, Devastation ...) NOT-FOR-US: Unreal Engine CVE-2004-0607 (The eay_check_x509cert function in KAME Racoon successfully verifies c ...) - ipsec-tools 0.3.3-1 CVE-2004-0606 (Cross-site scripting (XSS) vulnerability in Infoblox DNS One running f ...) NOT-FOR-US: Infoblox DNS One CVE-2004-0605 (Non-registered IRC users using (1) ircd-hybrid 7.0.1 and earlier, (2) ...) NOTE: Dossibly fixed in ircd-hybrid 7.0.2: "fixed flood limit bug". CVE-2004-0604 (The HTTP client and server in giFT-FastTrack 0.8.6 and earlier allows ...) NOT-FOR-US: giFT-FastTrack not in debian CVE-2004-0603 (gzexe in gzip 1.3.3 and earlier will execute an argument when the crea ...) - gzip (Gentoo-specific bug in gzip introduced by botched security fix) CVE-2004-0602 (The binary compatibility mode for FreeBSD 4.x and 5.x does not properl ...) NOT-FOR-US: FreeBSD CVE-2004-0601 (distcc before 2.16, when running on 64-bit platforms, does not interpr ...) - distcc 2.18.1-4 CVE-2004-0600 (Buffer overflow in the Samba Web Administration Tool (SWAT) in Samba 3 ...) - samba 3.0.5 (bug #260838) CVE-2004-0599 (Multiple integer overflows in the (1) png_read_png in pngread.c or (2) ...) {DSA-571-1 DSA-570-1 DSA-536} - libpng 1.0.15-6 - libpng3 1.2.5.0-7 CVE-2004-0598 (The png_handle_iCCP function in libpng 1.2.5 and earlier allows remote ...) {DSA-536} - libpng 1.0.15-6 - libpng3 1.2.5.0-7 CVE-2004-0597 (Multiple buffer overflows in libpng 1.2.5 and earlier, as used in mult ...) {DSA-536} - libpng 1.0.15-6 - libpng3 1.2.5.0-7 CVE-2004-0596 (The Equalizer Load-balancer for serial network interfaces (eql.c) in L ...) - linux-2.6 (Fixed before upload into archive) CVE-2004-0595 (The strip_tags function in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3 ...) {DSA-669-1 DSA-531} - php3 3:3.0.18-27 - php4 4:4.3.8-1 CVE-2004-0594 (The memory_limit functionality in PHP 4.x up to 4.3.7, and 5.x up to 5 ...) {DSA-669-1 DSA-531} - php4 4:4.3.8-1 CVE-2004-0593 (Sygate Enforcer 3.5MR1 and earlier passes broadcast traffic before aut ...) NOT-FOR-US: Sygate Enforcer CVE-2004-0592 (The tcp_find_option function of the netfilter subsystem for IPv6 in th ...) NOT-FOR-US: linux 2.4 with usagi patches CVE-2004-0591 (Cross-site scripting (XSS) vulnerability in the print_header_uc functi ...) {DSA-533} - courier 0.45.4-4 CVE-2004-0590 (FreeS/WAN 1.x and 2.x, and other related products including superfrees ...) - freeswan 2.04-10 - openswan 2.2.0 CVE-2004-0589 (Cisco IOS 11.1(x) through 11.3(x) and 12.0(x) through 12.2(x), when co ...) NOT-FOR-US: Cisco CVE-2004-0588 (Cross-site scripting (XSS) vulnerability in the web mail module for Us ...) - usermin 1.090-1 CVE-2004-0587 (Insecure permissions for the /proc/scsi/qla2300/HbaApiNode file in Lin ...) - qla2x00 7.01.01-1 CVE-2004-0586 (acpRunner ActiveX 1.2.5.0 allows remote attackers to execute arbitrary ...) NOT-FOR-US: Windows CVE-2004-0585 REJECTED CVE-2004-0584 (Unknown vulnerability in Horde IMP 3.2.3 and earlier, before a "securi ...) - imp3 3.2.4 CVE-2004-0583 (The account lockout functionality in (1) Webmin 1.140 and (2) Usermin ...) {DSA-526} - usermin 1.090-1 - webmin 1.150-1 CVE-2004-0582 (Unknown vulnerability in Webmin 1.140 allows remote attackers to bypas ...) {DSA-526} - usermin 1.090-1 - webmin 1.150-1 CVE-2004-0581 (ksymoops-gznm script in Mandrake Linux 9.1 through 10.0, and Corporate ...) NOT-FOR-US: Mandrake script CVE-2004-0580 (DHCP on Linksys BEFSR11, BEFSR41, BEFSR81, and BEFSRU31 Cable/DSL Rout ...) NOT-FOR-US: Linksys routers CVE-2004-0579 (Format string vulnerability in super before 3.23 allows local users to ...) {DSA-522} - super 3.23.0-1 CVE-2004-0578 (WinGate 5.2.3 build 901 and 6.0 beta 2 build 942, and other versions s ...) NOT-FOR-US: Wingate CVE-2004-0577 (WinGate 5.2.3 build 901 and 6.0 beta 2 build 942, and other versions s ...) NOT-FOR-US: Wingate CVE-2004-0576 (The radius daemon (radiusd) for GNU Radius 1.1, when compiled with the ...) NOT-FOR-US: GNU radius CVE-2004-0575 (Integer overflow in DUNZIP32.DLL for Microsoft Windows XP, Windows XP ...) NOT-FOR-US: Windows CVE-2004-0574 (The Network News Transfer Protocol (NNTP) component of Microsoft Windo ...) NOT-FOR-US: Windows CVE-2004-0573 (Buffer overflow in the converter for Microsoft WordPerfect 5.x on Offi ...) NOT-FOR-US: Windows CVE-2004-0572 (Buffer overflow in the Windows Program Group Converter (grpconv.exe) m ...) NOT-FOR-US: Windows CVE-2004-0571 (Microsoft Word for Windows 6.0 Converter does not properly validate ce ...) NOT-FOR-US: Microsoft CVE-2004-0570 RESERVED CVE-2004-0569 (The RPC Runtime Library for Microsoft Windows NT 4.0 allows remote att ...) NOT-FOR-US: Windows CVE-2004-0568 (HyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP ...) NOT-FOR-US: HyperTerminal CVE-2004-0567 (The Windows Internet Naming Service (WINS) in Windows NT Server 4.0 SP ...) NOT-FOR-US: Windows CVE-2004-0566 (Integer overflow in imgbmp.cxx for Windows 2000 allows remote attacker ...) NOT-FOR-US: Windows CVE-2004-0565 (Floating point information leak in the context switch code for Linux 2 ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - kernel-source-2.4.27 2.4.27-1 - linux-2.6 (fixed before first upload) CVE-2004-0564 (Roaring Penguin pppoe (rp-ppoe), if installed or configured to run set ...) {DSA-557-1} - rp-pppoe 3.5-4 (bug #343264) CVE-2004-0563 (The tspc.conf configuration file in freenet6 before 0.9.6 and before 1 ...) {DSA-555-1} - freenet6 1.0-2.2 CVE-2004-0562 REJECTED CVE-2004-0561 (Format string vulnerability in the log routine for gopher daemon (goph ...) {DSA-638-1} - gopher 3.0.6 NOTE: removed, deprecated in favor of pygopherd CVE-2004-0560 (Integer overflow in gopher daemon (gopherd) 3.0.3 allows remote attack ...) {DSA-638-1} - gopher 3.0.6 NOTE: removed, deprecated in favor of pygopherd CVE-2004-0559 (The maketemp.pl script in Usermin 1.070 and 1.080 allows local users t ...) {DSA-544-1} - webmin 1.160-1 - usermin 1.090-1 CVE-2004-0558 (The Internet Printing Protocol (IPP) implementation in CUPS before 1.1 ...) {DSA-545-1} - cups 1.1.20final+rc1-6 - cupsys 1.1.20final+rc1-6 CVE-2004-0557 (Multiple buffer overflows in the st_wavstartread function in wav.c for ...) {DSA-565-1} - sox 12.17.4-9 (bug #262083) CVE-2004-0556 REJECTED CVE-2004-0555 (Buffer overflow in (1) queue.c and (2) queued.c in queue before 1.30.1 ...) {DSA-643-1} - queue 1.30.1-5 CVE-2004-0554 (Linux kernel 2.4.x and 2.6.x for x86 allows local users to cause a den ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - kernel-source-2.4.27 2.4.27-1 - linux-2.6 2.6.12-1 (bug #261521) CVE-2004-0553 RESERVED CVE-2004-0552 (Sophos Small Business Suite 1.00 on Windows does not properly handle f ...) NOT-FOR-US: Sophos Small Business Suite CVE-2004-0551 (Cisco CatOS 5.x before 5.5(20) through 8.x before 8.2(2) and 8.3(2)GLX ...) NOT-FOR-US: Cisco CVE-2004-0550 (Buffer overflow in Real Networks RealPlayer 10 allows remote attackers ...) NOT-FOR-US: Real Player CVE-2004-0549 (The WebBrowser ActiveX control, or the Internet Explorer HTML renderin ...) NOT-FOR-US: Windows CVE-2004-0548 (Multiple stack-based buffer overflows in the word-list-compress functi ...) - aspell 0.50.5-3 CVE-2004-0547 (Buffer overflow in the ODBC driver for PostgreSQL before 7.2.1 allows ...) {DSA-516} - postgresql 07.03.0200-3 CVE-2004-0546 RESERVED CVE-2004-0545 (LVM for AIX 5.1 and 5.2 allows local users to overwrite arbitrary file ...) NOT-FOR-US: AIX CVE-2004-0544 (Multiple buffer overflows in LVM for AIX 5.1 and 5.2 allow local users ...) NOT-FOR-US: AIX CVE-2004-0543 (Multiple SQL injection vulnerabilities in Oracle Applications 11.0 and ...) NOT-FOR-US: Oracle CVE-2004-0542 (PHP before 4.3.7 on Win32 platforms does not properly filter all shell ...) - php4 (Only affects Windows) CVE-2004-0541 (Buffer overflow in the ntlm_check_auth (NTLM authentication) function ...) - squid 2.5.5-5 CVE-2004-0540 (Microsoft Windows 2000, when running in a domain whose Fully Qualified ...) NOT-FOR-US: Windows CVE-2004-0539 (The "Show in Finder" button in the Safari web browser in Mac OS X 10.3 ...) NOT-FOR-US: MacOS CVE-2004-0538 (LaunchServices in Mac OS X 10.3.4 and 10.2.8 automatically registers a ...) NOT-FOR-US: MacOS CVE-2004-0537 (Opera 7.50 and earlier allows remote web sites to provide a "Shortcut ...) NOT-FOR-US: Opera CVE-2004-0536 (Format string vulnerability in Tripwire commercial 4.0.1 and earlier, ...) - tripwire 2.3.1.2.0-2.1 CVE-2004-0535 (The e1000 driver for Linux kernel 2.4.26 and earlier does not properly ...) - kernel-source-2.4.27 2.4.27-1 - linux-2.6 (fixed before first upload; 2.6.6) CVE-2004-0534 (Cross-site scripting (XSS) vulnerability in Business Objects InfoView ...) NOT-FOR-US: Business Objects WebIntelligence CVE-2004-0533 (Business Objects WebIntelligence 2.7.0 through 2.7.4 only enforces acc ...) NOT-FOR-US: Business Objects WebIntelligence CVE-2004-0532 RESERVED CVE-2004-0531 RESERVED CVE-2004-0530 (The PHP package in Slackware 8.1, 9.0, and 9.1, when linked against a ...) - php4 (Slackware specific rpath issue) CVE-2004-0529 (The modified suexec program in cPanel, when configured for mod_php and ...) NOT-FOR-US: cPanel is not our cpanel CVE-2004-0528 (Netscape Navigator 7.1 allows remote attackers to spoof a legitimate U ...) NOT-FOR-US: Netscape Navigator 7.1 CVE-2004-0527 (KDE Konqueror 2.1.1 and 2.2.2 allows remote attackers to spoof a legit ...) - kdebase 2.2.3 CVE-2004-0526 (Unknown versions of Internet Explorer and Outlook allow remote attacke ...) NOT-FOR-US: Windows CVE-2004-0525 (HP Integrated Lights-Out (iLO) 1.10 and other versions before 1.55 all ...) NOT-FOR-US: iLO CVE-2004-0524 (Buffer overflow in the chpasswd command in the Change_passwd plugin be ...) NOT-FOR-US: Change_passwd SquirrelMail plugin not present in debian CVE-2004-0523 (Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos ...) {DSA-520} - krb5 1.3.3-2 CVE-2004-0522 (Gallery 1.4.3 and earlier allows remote attackers to bypass authentica ...) {DSA-512} - gallery 1.4.3-pl2-1 CVE-2004-0521 (SQL injection vulnerability in SquirrelMail before 1.4.3 RC1 allows re ...) {DSA-535} - squirrelmail 2:1.4.3a-0.1 CVE-2004-0520 (Cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail ...) {DSA-535} - squirrelmail 2:1.4.3a-0.1 CVE-2004-0519 (Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1. ...) {DSA-535} - squirrelmail 2:1.4.3a-0.1 CVE-2004-0518 (Unknown vulnerability in AppleFileServer for Mac OS X 10.3.4, related ...) NOT-FOR-US: MacOS CVE-2004-0517 (Unknown vulnerability in Mac OS X 10.3.4, related to "handling of proc ...) NOT-FOR-US: MacOS CVE-2004-0516 (Unknown vulnerability in Mac OS X 10.3.4, related to "package installa ...) NOT-FOR-US: MacOS CVE-2004-0515 (Unknown vulnerability in LoginWindow for Mac OS X 10.3.4, related to " ...) NOT-FOR-US: MacOS CVE-2004-0514 (Unknown vulnerability in LoginWindow for Mac OS X 10.3.4, related to " ...) NOT-FOR-US: MacOS CVE-2004-0513 (Unspecified vulnerability in Mac OS X before 10.3.4 has unknown impact ...) NOT-FOR-US: MacOS CVE-2004-0512 (Multiple unknown vulnerabilities in MMDF on OpenServer 5.0.6 and 5.0.7 ...) NOT-FOR-US: SCO MMDF CVE-2004-0511 (Multiple unknown vulnerabilities in MMDF on OpenServer 5.0.6 and 5.0.7 ...) NOT-FOR-US: SCO MMDF CVE-2004-0510 (Multiple buffer overflows in MMDF on OpenServer 5.0.6 and 5.0.7, and p ...) NOT-FOR-US: SCO MMDF CVE-2004-0509 RESERVED CVE-2004-0508 RESERVED CVE-2004-0507 (Buffer overflow in the MMSE dissector for Ethereal 0.10.1 to 0.10.3 al ...) - ethereal 0.10.4 CVE-2004-0506 (The SPNEGO dissector in Ethereal 0.9.8 to 0.10.3 allows remote attacke ...) - ethereal 0.10.4 CVE-2004-0505 (The AIM dissector in Ethereal 0.10.3 allows remote attackers to cause ...) - ethereal 0.10.4 CVE-2004-0504 (Ethereal 0.10.3 allows remote attackers to cause a denial of service ( ...) - ethereal 0.10.4 CVE-2004-0503 (Microsoft Outlook 2003 allows remote attackers to bypass the default z ...) NOT-FOR-US: Microsoft CVE-2004-0502 (Outlook 2003, when replying to an e-mail message, stores certain files ...) NOT-FOR-US: Microsoft CVE-2004-0501 (Outlook 2003 allows remote attackers to bypass intended access restric ...) NOT-FOR-US: Microsoft CVE-2004-0500 (Buffer overflow in the MSN protocol plugins (1) object.c and (2) slp.c ...) - gaim 1:0.81-3 CVE-2004-0499 REJECTED CVE-2004-0498 (The H.323 protocol agent in StoneSoft firewall engine 2.2.8 and earlie ...) NOT-FOR-US: StoneSoft firewall engine CVE-2004-0497 (Unknown vulnerability in Linux kernel 2.x may allow local users to mod ...) - kernel-source-2.4.27 2.4.27-1 - linux-2.6 (fixed before first upload; 2.6.8) CVE-2004-0496 (Multiple unknown vulnerabilities in Linux kernel 2.6 allow local users ...) NOTE: fixed in 2.6.7 CVE-2004-0495 (Multiple unknown vulnerabilities in Linux kernel 2.4 and 2.6 allow loc ...) - kernel-source-2.4.27 (Fixed before upload into archive; 2.4.27-rc1) CVE-2004-0494 (Multiple extfs backend scripts for GNOME virtual file system (VFS) bef ...) - gnome-vfs 1.0.1 CVE-2004-0493 (The ap_get_mime_headers_core function in Apache httpd 2.0.49 allows re ...) - apache2 2.0.50-1 CVE-2004-0492 (Heap-based buffer overflow in proxy_util.c for mod_proxy in Apache 1.3 ...) {DSA-525} - apache 1.3.31-2 CVE-2004-0491 (The linux-2.4.21-mlock.patch in Red Hat Enterprise Linux 3 does not pr ...) NOTE: appears redhat specific CVE-2004-0490 (cPanel, when compiling Apache 1.3.29 and PHP with the mod_phpsuexec op ...) NOT-FOR-US: cPanel is not our cpanel CVE-2004-0489 (Argument injection vulnerability in the SSH URI handler for Safari on ...) NOT-FOR-US: MacOS CVE-2004-0488 (Stack-based buffer overflow in the ssl_util_uuencode_binary function i ...) {DSA-532} - apache2 2.0.50-1 - libapache-mod-ssl 2.8.19-1 CVE-2004-0487 (A certain ActiveX control in Symantec Norton AntiVirus 2004 allows rem ...) NOT-FOR-US: Norton CVE-2004-0486 (HelpViewer in Mac OS X 10.3.3 and 10.2.8 processes scripts that it did ...) NOT-FOR-US: MacOS CVE-2004-0485 (The default protocol helper for the disk: URI on Mac OS X 10.3.3 and 1 ...) NOT-FOR-US: MacOS CVE-2004-0484 (mshtml.dll in Microsoft Internet Explorer 6.0.2800 allows remote attac ...) NOT-FOR-US: Microsoft CVE-2004-0483 (Unknown vulnerability in rpc.mountd for SGI IRIX 6.5.24 allows remote ...) NOT-FOR-US: IRIX CVE-2004-0482 (Multiple integer overflows in (1) procfs_cmdline.c, (2) procfs_fpregs. ...) NOT-FOR-US: OpenBSD CVE-2004-0481 (The logging feature in kcms_configure in the KCMS package on Solaris 8 ...) NOT-FOR-US: the KCMS on Solaris CVE-2004-0480 (Argument injection vulnerability in IBM Lotus Notes 6.0.3 and 6.5 allo ...) NOT-FOR-US: Lotus Notes CVE-2004-0479 (Internet Explorer 6 allows remote attackers to cause a denial of servi ...) NOT-FOR-US: Microsoft CVE-2004-0478 (Unknown versions of Mozilla allow remote attackers to cause a denial o ...) NOTE: only a Mozilla DOS CVE-2004-0477 (Unknown vulnerability in 3Com OfficeConnect Remote 812 ADSL Router all ...) NOT-FOR-US: 3Com OfficeConnect Remote 812 ADSL Router CVE-2004-0476 (Buffer overflow in 3Com OfficeConnect Remote 812 ADSL Router 1.1.9.4 a ...) NOT-FOR-US: 3Com OfficeConnect Remote 812 ADSL Router CVE-2004-0475 (The showHelp function in Internet Explorer 6 on Windows XP Pro allows ...) NOT-FOR-US: Microsoft CVE-2004-0474 (Help Center (HelpCtr.exe) may allow remote attackers to read or execut ...) NOT-FOR-US: Help Center (HelpCtr.exe) CVE-2004-0473 (Argument injection vulnerability in Opera before 7.50 does not properl ...) NOT-FOR-US: opera CVE-2004-0472 REJECTED CVE-2004-0471 (BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 throu ...) NOT-FOR-US: BEA WebLogic CVE-2004-0470 (BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 throu ...) NOT-FOR-US: BEA WebLogic CVE-2004-0469 (Buffer overflow in the ISAKMP functionality for Check Point VPN-1 and ...) NOT-FOR-US: Check Point VPN CVE-2004-0468 (Memory leak in Juniper JUNOS Packet Forwarding Engine (PFE) allows rem ...) NOT-FOR-US: Juniper JUNOS CVE-2004-0467 (Juniper JUNOS 5.x through JUNOS 7.x allows remote attackers to cause a ...) NOT-FOR-US: Juniper JUNOS CVE-2004-0466 (WebConnect 6.5, 6.4.4, and possibly earlier versions allows remote att ...) NOT-FOR-US: WebConnect CVE-2004-0465 (Directory traversal vulnerability in jretest.html in WebConnect 6.5 an ...) NOT-FOR-US: WebConnect CVE-2004-0464 REJECTED CVE-2004-0463 REJECTED CVE-2004-0462 (The built-in web servers for multiple networking devices do not set th ...) NOT-FOR-US: Multiple embedded hardware vendors CVE-2004-0461 (The DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13, when com ...) - dhcp3 3.0.1 CVE-2004-0460 (Buffer overflow in the logging capability for the DHCP daemon (DHCPD) ...) - dhcp3 3.0.1 CVE-2004-0459 (The Clear Channel Assessment (CCA) algorithm in the IEEE 802.11 wirele ...) NOT-FOR-US: DOS in 802.11 protocol CVE-2004-0458 (mah-jong before 1.6.2 allows remote attackers to cause a denial of ser ...) {DSA-503} - mah-jong 1.6.2-1 CVE-2004-0457 (The mysqlhotcopy script in mysql 4.0.20 and earlier, when using the sc ...) {DSA-540} - mysql-dfsg 4.0.20-11 - mysql CVE-2004-0456 (Stack-based buffer overflow in pavuk 0.9pl28, 0.9pl27, and possibly ot ...) {DSA-527} - pavuk 0.9pl28-3 (bug #264684) CVE-2004-0455 (Buffer overflow in cgi.c in www-sql before 0.5.7 allows local users to ...) {DSA-523} - www-sql 0.5.7-18 CVE-2004-0454 (Buffer overflow in the msg function for rlpr daemon (rlprd) 2.04 allow ...) {DSA-524} - rlpr 2.02-7.1 (bug #255402) CVE-2004-0453 (Format string vulnerability in the monitor "memory dump" command in VI ...) - vice 1.14-2 CVE-2004-0452 (Race condition in the rmtree function in the File::Path module in Perl ...) {DSA-1678-1 DSA-620-1} - perl 5.8.4-5 CVE-2004-0451 (Multiple format string vulnerabilities in the (1) logquit, (2) logerr, ...) {DSA-521} - sup 1.8-11 CVE-2004-0450 (Format string vulnerability in the printlog function in log2mail befor ...) {DSA-513} - log2mail 0.2.8-3 CVE-2004-0449 REJECTED CVE-2004-0448 (Format string vulnerability in the log function for jftpgw 0.13.4 and ...) {DSA-510} - jftpgw 0.13.4-1 CVE-2004-0447 (Unknown vulnerability in Linux before 2.4.26 for IA64 allows local use ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - kernel-source-2.4.27 (Fixed before upload into archive; 2.4.26) CVE-2004-0446 RESERVED CVE-2004-0445 (The SYMDNS.SYS driver in Symantec Norton Internet Security and Profess ...) NOT-FOR-US: Norton CVE-2004-0444 (Multiple vulnerabilities in SYMDNS.SYS for Symantec Norton Internet Se ...) NOT-FOR-US: Norton CVE-2004-0443 RESERVED CVE-2004-0442 RESERVED CVE-2004-0441 RESERVED CVE-2004-0440 RESERVED CVE-2004-0439 RESERVED CVE-2004-0438 RESERVED CVE-2004-0437 (Titan FTP Server version 3.01 build 163, and possibly other versions b ...) NOT-FOR-US: Titan FTP Server CVE-2004-0436 RESERVED CVE-2004-0435 (Certain "programming errors" in the msync system call for FreeBSD 5.2. ...) NOT-FOR-US: FreeBSD CVE-2004-0434 (k5admind (kadmind) for Heimdal allows remote attackers to execute arbi ...) {DSA-504} - heimdal 0.6.2-1 CVE-2004-0433 (Multiple buffer overflows in the Real-Time Streaming Protocol (RTSP) c ...) - mplayer 1.0~pre6a-1 - xine-lib 1-rc4 CVE-2004-0432 (ProFTPD 1.2.9 treats the Allow and Deny directives for CIDR based ACL ...) - proftpd 1.2.9-4 CVE-2004-0431 (Integer overflow in Apple QuickTime (QuickTime.qts) before 6.5.1 allow ...) NOT-FOR-US: Apple QuickTime CVE-2004-0430 (Stack-based buffer overflow in AppleFileServer for Mac OS X 10.3.3 and ...) NOT-FOR-US: MacOS CVE-2004-0429 (Unknown vulnerability related to "the handling of large requests" in R ...) NOT-FOR-US: RAdmin for Mac OS X CVE-2004-0428 (Unknown vulnerability in CoreFoundation in Mac OS X 10.3.3 and Mac OS ...) NOT-FOR-US: Mac OS X) CVE-2004-0427 (The do_fork function in Linux 2.4.x before 2.4.26, and 2.6.x before 2. ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - linux-2.6 (Fixed before upload of linux-2.6 package into the archive; 2.6.6) - kernel-source-2.4.27 (Fixed before upload of package into the archive; 2.4.26) CVE-2004-0426 (rsync before 2.6.1 does not properly sanitize paths when running a rea ...) {DSA-499} - rsync 2.6.1-1 CVE-2004-0425 (Heap-based buffer overflow in SiteMinder Affiliate Agent 4.x allows re ...) NOT-FOR-US: windows CVE-2004-0424 (Integer overflow in the ip_setsockopt function in Linux kernel 2.4.22 ...) NOTE: fixed after 2.6.4/2.4.26 kernel CVE-2004-0423 (The log_event function in ssmtp 2.50.6 and earlier allows local users ...) - ssmtp (unimportant) NOTE: bug still exists in the ssmtp source, but is only activated if NOTE: --enable-logfile is used in ./configure NOTE: The package doesn't enable that flag so it is safe. CVE-2004-0422 (flim before 1.14.3 creates temporary files insecurely, which allows lo ...) {DSA-500} - flim 1:1.14.6+0.20040415-1 CVE-2004-0421 (The Portable Network Graphics library (libpng) 1.0.15 and earlier allo ...) {DSA-498} - libpng 1.0.15-5 - libpng3 1.2.5.0-6 CVE-2004-0420 (The Windows Shell application in Windows 98, Windows ME, Windows NT 4. ...) NOT-FOR-US: windows CVE-2004-0419 (XDM in XFree86 opens a chooserFd TCP socket even when DisplayManager.r ...) [sarge] - xfree86 (vulnerable code not present) - xdm (vulnerable code not present) CVE-2004-0418 (serve_notify in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, ...) {DSA-519} - cvs 1:1.12.9-1 CVE-2004-0417 (Integer overflow in the "Max-dotdot" CVS protocol command (serve_max_d ...) {DSA-519} - cvs 1:1.12.9-1 CVE-2004-0416 (Double free vulnerability for the error_prog_name string in CVS 1.12.x ...) {DSA-519} - cvs 1:1.12.9-1 CVE-2004-0415 (Linux kernel does not properly convert 64-bit file offset pointers to ...) - kernel-source-2.4.27 (Fixed before upload into archive; 2.4.27-rc6) CVE-2004-0414 (CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not proper ...) {DSA-517} - cvs 1:1.12.9-1 CVE-2004-0413 (libsvn_ra_svn in Subversion 1.0.4 trusts the length field of (1) svn:/ ...) - subversion 1.0.5-1 CVE-2004-0412 (Mailman before 2.1.5 allows remote attackers to obtain user passwords ...) - mailman 2.1.4-5 CVE-2004-0411 (The URI handlers in Konqueror for KDE 3.2.2 and earlier do not properl ...) {DSA-518} - kdelibs 4:3.2.3 CVE-2004-0410 REJECTED CVE-2004-0409 (Stack-based buffer overflow in the Socks-5 proxy code for XChat 1.8.0 ...) {DSA-493} - xchat 2.0.8-1 CVE-2004-0408 (Buffer overflow in the child_service function in the ident2 ident daem ...) {DSA-494} - ident2 1.04-2 CVE-2004-0407 (The HTML form upload capability in ColdFusion MX 6.1 does not reclaim ...) NOT-FOR-US: ColdFusion CVE-2004-0406 REJECTED CVE-2004-0405 (CVS before 1.11 allows CVS clients to read arbitrary files via .. (dot ...) {DSA-486} - cvs 1:1.12.5-4 (medium) CVE-2004-0404 (logcheck before 1.1.1 allows local users to overwrite arbitrary files ...) {DSA-488} - logcheck 1.1.1-13.2 CVE-2004-0403 (Racoon before 20040408a allows remote attackers to cause a denial of s ...) - ipsec-tools 0.3.1-3 CVE-2004-0402 (Buffer overflow in xpcd-svga in xpcd before 2.08, and possibly other v ...) {DSA-508} - xpcd 2.08-10 CVE-2004-0401 (Unknown vulnerability in libtasn1 0.1.x before 0.1.2, and 0.2.x before ...) - libtasn1 0.1.2-2 CVE-2004-0400 (Stack-based buffer overflow in Exim 4 before 4.33, when the headers_ch ...) {DSA-502 DSA-501} - exim 3.36-11 - exim4 4.33-1 - exim-tls CVE-2004-0399 (Stack-based buffer overflow in Exim 3.35, and other versions before 4, ...) {DSA-502 DSA-501} - exim 3.36-11 - exim4 4.33-1 - exim-tls CVE-2004-0398 (Heap-based buffer overflow in the ne_rfc1036_parse date parsing functi ...) {DSA-507 DSA-506} - cadaver 0.22.1-3 - neon 0.24.6.dfsg-1 CVE-2004-0397 (Stack-based buffer overflow during the apr_time_t data conversion in S ...) - subversion 1.0.3-1 (bug #249791) CVE-2004-0396 (Heap-based buffer overflow in CVS 1.11.x up to 1.11.15, and 1.12.x up ...) {DSA-505} - cvs 1:1.12.5-6 CVE-2004-0395 (The xatitv program in the gatos package does not properly drop root pr ...) {DSA-509} - gatos 0.0.5-12 CVE-2004-0394 (A "potential" buffer overflow exists in the panic() function in Linux ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - linux-2.6 NOTE: patch: http://www.ultramonkey.org/bugs/cve-patch/CAN-2004-0394.patch CVE-2004-0393 (Format string vulnerability in the msg function for rlpr daemon (rlprd ...) {DSA-524} - rlpr 2.02-7.1 (bug #255402) CVE-2004-0392 (racoon before 20040407b allows remote attackers to cause a denial of s ...) - apache 1.3.31-2 CVE-2004-0391 (Cisco Wireless LAN Solution Engine (WLSE) 2.0 through 2.5 and Hosting ...) NOT-FOR-US: Cisco CVE-2004-0390 (SCO OpenServer 5.0.5 through 5.0.7 only supports Xauthority style acce ...) NOT-FOR-US: SCO OpenServer CVE-2004-0389 (RealNetworks Helix Universal Server 9.0.1 and 9.0.2 allows remote atta ...) NOT-FOR-US: RealNetworks Helix Universal Server CVE-2004-0388 (The mysqld_multi script in MySQL allows local users to overwrite arbit ...) {DSA-483} - mysql-dfsg 4.0.18-6 CVE-2004-0387 (Stack-based buffer overflow in the RT3 plugin, as used in RealPlayer 8 ...) NOT-FOR-US: RealPlayer plugin CVE-2004-0386 (Buffer overflow in the HTTP parser for MPlayer 1.0pre3 and earlier, 0. ...) - mplayer 1.0~pre6a-1 CVE-2004-0385 (Heap-based buffer overflow in Oracle 9i Application Server Web Cache 9 ...) NOT-FOR-US: Oracle 9i Application Server Web Cache CVE-2004-0384 RESERVED CVE-2004-0383 (Unknown vulnerability in Mail for Mac OS X 10.3.3 and 10.2.8, with unk ...) NOT-FOR-US: Mail for Mac OS X CVE-2004-0382 (Unknown vulnerability in the CUPS printing system in Mac OS X 10.3.3 a ...) NOT-FOR-US: CUPS printing system in Mac OS X CVE-2004-0381 (mysqlbug in MySQL allows local users to overwrite arbitrary files via ...) {DSA-483} - mysql-dfsg 4.0.18-4 CVE-2004-0380 (The MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 throug ...) NOT-FOR-US: Microsoft Outlook Express CVE-2004-0379 (Multiple cross-site scripting (XSS) vulnerabilities in Microsoft Share ...) NOT-FOR-US: Microsoft SharePoint Portal Server 2001 CVE-2004-0378 REJECTED CVE-2004-0377 (Buffer overflow in the win32_stat function for (1) ActiveState's Activ ...) - perl (Win32 specific) CVE-2004-0376 (oftpd 0.3.6 and earlier allows remote attackers to cause a denial of s ...) {DSA-473} - oftpd 20040304-1 (bug #353882) CVE-2004-0375 (SYMNDIS.SYS in Symantec Norton Internet Security 2003 and 2004, Norton ...) NOT-FOR-US: Symantec Norton Internet Security CVE-2004-0374 (Interchange before 5.0.1 allows remote attackers to "expose the conten ...) {DSA-471} - interchange 5.0.1-1 CVE-2004-0373 RESERVED CVE-2004-0372 (xine allows local users to overwrite arbitrary files via a symlink att ...) {DSA-477} - xine-ui 0.99.1-1 CVE-2004-0371 (Heimdal 0.6.x before 0.6.1 and 0.5.x before 0.5.3 does not properly pe ...) {DSA-476} - heimdal 0.6.1-1 CVE-2004-0370 (The setsockopt call in the KAME Project IPv6 implementation, as used i ...) NOT-FOR-US: KAME CVE-2004-0369 (Buffer overflow in Entrust LibKmp ISAKMP library, as used by Symantec ...) NOT-FOR-US: Entrust LibKmp ISAKMP library CVE-2004-0368 (Double free vulnerability in dtlogin in CDE on Solaris, HP-UX, and oth ...) NOT-FOR-US: CDE CVE-2004-0367 (Ethereal 0.10.1 to 0.10.2 allows remote attackers to cause a denial of ...) - ethereal 0.10.3 (bug #239576) [woody] - ethereal (Not vulnerable per DSA-511) CVE-2004-0366 (SQL injection vulnerability in the libpam-pgsql library before 0.5.2 a ...) {DSA-469} - pam-pgsql 0.5.2-7.1 NOTE: fix was accidentially reverted in a later upload and later re-introduced in 0.5.2-9 CVE-2004-0365 (The dissect_attribute_value_pairs function in packet-radius.c for Ethe ...) - ethereal 0.10.3 (bug #239576) [woody] - ethereal (Not vulnerable per DSA-511) CVE-2004-0364 (The WrapNISUM ActiveX component (WrapUM.dll) in Norton Internet Securi ...) NOT-FOR-US: WrapNISUM ActiveX CVE-2004-0363 (Stack-based buffer overflow in the SymSpamHelper ActiveX component (sy ...) NOT-FOR-US: SymSpamHelper ActiveX CVE-2004-0362 (Multiple stack-based buffer overflows in the ICQ parsing routines of t ...) NOT-FOR-US: ISS Protocol Analysis Module CVE-2004-0361 (The Javascript engine in Safari 1.2 and earlier allows remote attacker ...) NOT-FOR-US: safari CVE-2004-0360 (Unknown vulnerability in passwd(1) in Solaris 8.0 and 9.0 allows local ...) NOT-FOR-US: solaris CVE-2004-0359 (Cross-site scripting (XSS) vulnerability in index.php for Invision Pow ...) NOT-FOR-US: Invision Power Board CVE-2004-0358 (Cross-site scripting (XSS) vulnerability in VirtuaNews Admin Panel Pro ...) NOT-FOR-US: VirtuaNews Admin Panel CVE-2004-0357 (Stack-based buffer overflows in SL Mail Pro 2.0.9 allow remote attacke ...) NOT-FOR-US: SL Mail Pro CVE-2004-0355 (Invision Power Board 1.3 Final allows remote attackers to gain sensiti ...) NOT-FOR-US: Invision Power Board CVE-2004-0354 (Multiple format string vulnerabilities in GNU Anubis 3.6.0 through 3.6 ...) NOT-FOR-US: GNU Anubis CVE-2004-0353 (Multiple buffer overflows in auth_ident() function in auth.c for GNU A ...) NOT-FOR-US: GNU Anubis CVE-2004-0352 (Cisco 11000 Series Content Services Switches (CSS) running WebNS 5.0(x ...) NOT-FOR-US: Cisco CVE-2004-0351 (Spider Sales shopping cart stores the private key in the same database ...) NOT-FOR-US: Spider Sales CVE-2004-0350 (SpiderSales shopping cart does not enforce a minimum length for the pr ...) NOT-FOR-US: Spider Sales CVE-2004-0349 (Directory traversal vulnerability in GWeb HTTP Server 0.6 allows remot ...) NOT-FOR-US: GWeb HTTP Server CVE-2004-0348 (SQL injection vulnerability in viewCart.asp in SpiderSales shopping ca ...) NOT-FOR-US: SpiderSales CVE-2004-0346 (Off-by-one buffer overflow in _xlate_ascii_write() in ProFTPD 1.2.7 th ...) - proftpd 1.2.9 CVE-2004-0345 (Buffer overflow in Red Faction client 1.20 and earlier allows remote s ...) NOT-FOR-US: Red Faction CVE-2004-0344 (Directory traversal vulnerability in ModifyMessage.php in YaBB SE 1.5. ...) NOT-FOR-US: YaBB SE CVE-2004-0343 (Multiple SQL injection vulnerabilities in YaBB SE 1.5.4 through 1.5.5b ...) NOT-FOR-US: YaBB SE CVE-2004-0342 (WFTPD Pro Server 3.21 Release 1, with the XeroxDocutech option enabled ...) NOT-FOR-US: WFPTD CVE-2004-0341 (WFTPD Pro Server 3.21 Release 1 allocates memory for a command until a ...) NOT-FOR-US: WFPTD CVE-2004-0340 (Stack-based buffer overflow in WFTPD Pro Server 3.21 Release 1, Pro Se ...) NOT-FOR-US: WFPTD CVE-2004-0339 (Cross-site scripting (XSS) vulnerability in ViewTopic.php in phpBB, po ...) - phpbb2 2.0.6d CVE-2004-0338 (SQL injection vulnerability in search.php for Invision Board Forum all ...) NOT-FOR-US: Invision Board Forum CVE-2004-0337 (Cross-site scripting (XSS) vulnerability in LAN SUITE Web Mail 602Pro ...) NOT-FOR-US: 602LAN SUITE CVE-2004-0335 (LAN SUITE Web Mail 602Pro, when configured to use the "Directory brows ...) NOT-FOR-US: 602LAN SUITE CVE-2004-0334 (InnoMedia VideoPhone allows remote attackers to bypass Basic Authoriza ...) NOT-FOR-US: AXIS 2100 CVE-2004-0333 (Buffer overflow in the UUDeview package, as used in WinZip 6.2 through ...) - uudeview 0.5.20 (medium) CVE-2004-0332 (Extremail 1.5.9 does not check passwords correctly when they are all d ...) NOT-FOR-US: extremail CVE-2004-0331 (Heap-based buffer overflow in Dell OpenManage Web Server 3.4.0 allows ...) NOT-FOR-US: Dell OpenManage Web Server CVE-2004-0330 (Buffer overflow in Serv-U ftp before 5.0.0.4 allows remote authenticat ...) NOT-FOR-US: Serv-U CVE-2004-0329 (FreeChat 1.1.1a allows remote attackers to cause a denial of service ( ...) NOT-FOR-US: FreeChat CVE-2004-0328 (Gigabyte Gn-B46B 2.4Ghz wireless broadband router firmware 1.003.00 al ...) NOT-FOR-US: Gigabyte Broadband Router CVE-2004-0327 (Directory traversal vulnerability in functions.php in PhpNewsManager 1 ...) NOT-FOR-US: PhpNewsManager CVE-2004-0326 (Buffer overflow in the web proxy for GateKeeper Pro 4.7 allows remote ...) NOT-FOR-US: GateKeeper Pro CVE-2004-0325 (TYPSoft FTP Server 1.10 allows remote authenticated users to cause a d ...) NOT-FOR-US: TypSoft CVE-2004-0324 (Confirm 0.62 and earlier could allow remote attackers to execute arbit ...) NOT-FOR-US: confirm 0.70 CVE-2004-0323 (Multiple SQL injection vulnerabilities in XMB 1.8 Final SP2 allow remo ...) NOT-FOR-US: xmb 1.8 final sp2 CVE-2004-0322 (Multiple cross-site scripting (XSS) vulnerabilities in XMB 1.8 Final S ...) NOT-FOR-US: xmb 1.8 final sp2 CVE-2004-0321 (Team Factor 1.25 and earlier allows remote attackers to cause a denial ...) NOT-FOR-US: Team Factor CVE-2004-0319 (Cross-site scripting (XSS) vulnerability in the font tag in ezBoard 7. ...) NOT-FOR-US: ezBoard CVE-2004-0318 (Load Sharing Facility (LSF) 4.x, 5.x, and 6.x uses the LSF_EAUTH_UID e ...) NOT-FOR-US: Load Sharing Facility CVE-2004-0317 (Buffer overflow in eauth in Load Sharing Facility 4.x, 5.x, and 6.x al ...) NOT-FOR-US: Load Sharing Facility CVE-2004-0316 (Buffer overflow in Avirt Soho 4.3 allows remote attackers to cause a d ...) NOT-FOR-US: Avirt CVE-2004-0315 (Buffer overflow in Avirt Voice 4.0 allows remote attackers to cause a ...) NOT-FOR-US: Avirt CVE-2004-0314 (Cross-site scripting (XSS) vulnerability in done.jsp in WebzEdit 1.9 a ...) NOT-FOR-US: WebzEdit CVE-2004-0313 (Buffer overflow in PSOProxy 0.91 allows remote attackers to cause a de ...) NOT-FOR-US: PSOProxy CVE-2004-0312 (Linksys WAP55AG 1.07 allows remote attackers with access to an SNMP re ...) NOT-FOR-US: LINKSYS CVE-2004-0311 (American Power Conversion (APC) Web/SNMP Management SmartSlot Card 3.0 ...) NOT-FOR-US: APC CVE-2004-0310 (Cross-site scripting (XSS) vulnerability in LiveJournal 1.0 and 1.1 al ...) NOT-FOR-US: LiveJournal CVE-2004-0308 (Unknown vulnerability in Cisco ONS 15327 before 4.1(3), ONS 15454 befo ...) NOT-FOR-US: cisco CVE-2004-0305 (Cross-site scripting (XSS) vulnerability in error.asp in WebCortex Web ...) NOT-FOR-US: WebCortex WebStores CVE-2004-0304 (SQL injection vulnerability in browse_items.asp in WebCortex WebStores ...) NOT-FOR-US: WebCortex WebStores CVE-2004-0303 (OWLS 1.0 allows remote attackers to retrieve arbitrary files via absol ...) NOT-FOR-US: OWLS 1.0 CVE-2004-0302 (Directory traversal vulnerability in OWLS 1.0 allows remote attackers ...) NOT-FOR-US: OWLS 1.0 CVE-2004-0301 (Cross-site scripting (XSS) vulnerability in more.php for Online Store ...) NOT-FOR-US: Online Store Kit CVE-2004-0300 (SQL injection vulnerability in Online Store Kit 3.0 allows remote atta ...) NOT-FOR-US: Online Store Kit CVE-2004-0299 (Buffer overflow in smallftpd 0.99 allows local users to cause a denial ...) NOT-FOR-US: smallftpd; CVE-2004-0298 (CesarFTP 0.99e allows remote attackers to cause a denial of service (C ...) NOT-FOR-US: CesarFTP; Win32 CVE-2004-0296 (TsFtpSrv.exe in Broker FTP 6.1.0.0 allows remote attackers to cause a ...) NOT-FOR-US: Broker FTP 6.1.0.0; Win32 CVE-2004-0295 (TsFtpSrv.exe in Broker FTP 6.1.0.0 allows remote attackers to cause a ...) NOT-FOR-US: Broker FTP 6.1.0.0 again; Win32 CVE-2004-0294 (YaBB 1 SP 1.3.1 displays different error messages when a user exists o ...) NOT-FOR-US: yabb; CVE-2004-0293 (Directory traversal vulnerability in ShopCartCGI 2.3 allows remote att ...) NOT-FOR-US: ShopCartCGI 2.3; CVE-2004-0292 (Buffer overflow in KarjaSoft Sami HTTP Server 1.0.4 allows remote atta ...) NOT-FOR-US: KarjaSoft Sami HTTP Server 1.0.4; Win32 CVE-2004-0291 (SQL injection vulnerability in post.php for YaBB SE 1.5.4 and 1.5.5 al ...) NOT-FOR-US: YaBB; CVE-2004-0290 (Buffer overflow in Purge Jihad 2.0.1 and earlier allows remote game se ...) NOT-FOR-US: Purge Jihad; CVE-2004-0289 (Buffer overflow in sdbscan in SignatureDB 0.1.1 allows local users to ...) NOT-FOR-US: SignatureDB; CVE-2004-0288 (Buffer overflow in the UdmDocToTextBuf function in mnoGoSearch 3.2.13 ...) - mnogosearch 3.2.18 NOTE: it's not quite clear which version exactly fixes the problem; NOTE: I checked the source code of the most recent version and compared NOTE: it with the problematic section described in the advisory NOTE: (http://marc.info/?l=bugtraq&m=107695139930726&w=2) NOTE: and I can confirm the buffer overflow is fixed there CVE-2004-0287 (Xlight FTP server 1.52 allows remote authenticated users to cause a de ...) NOT-FOR-US: Xlight FTP server 1.52; CVE-2004-0286 (Buffer overflow in RobotFTP 1.0 and 2.0 beta 1 allows remote attackers ...) NOT-FOR-US: RobotFTP; CVE-2004-0285 (PHP remote file inclusion vulnerabilities in include/footer.inc.php in ...) NOT-FOR-US: PHP scripts CVE-2004-0284 (Microsoft Internet Explorer 6.0, Outlook 2002, and Outlook 2003 allow ...) NOT-FOR-US: MSIE bugs CVE-2004-0283 (Mailmgr 1.2.3 allows local users to overwrite arbitrary files via a sy ...) NOT-FOR-US: mailmgr; CVE-2004-0282 (Crob FTP daemon 3.5.2 allows remote attackers to cause a denial of ser ...) NOT-FOR-US: Crob FTP; CVE-2004-0281 (Caucho Technology Resin 2.1.12 allows remote attackers to gain sensiti ...) NOT-FOR-US: Caucho Technology Resin; CVE-2004-0280 (Caucho Technology Resin 2.1.12 allows remote attackers to view JSP sou ...) NOT-FOR-US: Caucho Technology Resin; CVE-2004-0279 (AIM Sniff (aimSniff.pl) 0.9b allows local users to overwrite arbitrary ...) NOT-FOR-US: AIMSniff; CVE-2004-0278 (Ratbag game engine, as used in products such as Dirt Track Racing, Lea ...) NOT-FOR-US: Ratbag game engine; CVE-2004-0277 (Format string vulnerability in Dream FTP 1.02 allows remote attackers ...) NOT-FOR-US: Dream FTP; CVE-2004-0275 (SQL injection vulnerability in calendar_download.php in BosDates 3.2 a ...) NOT-FOR-US: BosDates; CVE-2004-0272 (SQL injection vulnerability in MaxWebPortal allows remote attackers to ...) NOT-FOR-US: MaxWebPortal; CVE-2004-0271 (Multiple cross-site scripting vulnerabilities (XSS) in MaxWebPortal al ...) NOT-FOR-US: MaxWebPortal; CVE-2004-0269 (SQL injection vulnerability in PHP-Nuke 6.9 and earlier, and possibly ...) NOT-FOR-US: PHP-Nuke; CVE-2004-0268 (Multiple buffer overflows in EvolutionX 3921 and 3935 allow remote att ...) NOT-FOR-US: EvolutionX; CVE-2004-0267 (The (1) inoregupdate, (2) uniftest, or (3) unimove scripts in eTrust I ...) NOT-FOR-US: eTrust InoculateIT; CVE-2004-0266 (SQL injection vulnerability in the "public message" capability (public ...) NOT-FOR-US: PHP-Nuke; CVE-2004-0265 (Cross-site scripting (XSS) vulnerability in modules.php for Php-Nuke 6 ...) NOT-FOR-US: PHP-Nuke; CVE-2004-0264 (palmhttpd for PalmOS allows remote attackers to cause a denial of serv ...) NOT-FOR-US: PalmOS CVE-2004-0262 (Stack-based buffer overflow in The Palace 3.5 and earlier client allow ...) NOT-FOR-US: The Palace; CVE-2004-0260 (The AddToMailingList function in CactuSoft CactuShop 5.0 Lite contains ...) NOT-FOR-US: CactuShop; CVE-2004-0259 (The check_referer() function in Formmail.php 5.0 and earlier allows re ...) NOT-FOR-US: formmail.php; CVE-2004-0258 (Multiple buffer overflows in RealOne Player, RealOne Player 2.0, RealO ...) NOT-FOR-US: RealPlayer CVE-2004-0255 (Xlight 1.52, with log to screen enabled, allows remote attackers to ca ...) NOT-FOR-US: Xlight; CVE-2004-0254 (Cross-site scripting (XSS) vulnerability in Discuz! Board 2.x and 3.x ...) NOT-FOR-US: Discuz; CVE-2004-0253 (IBM Cloudscape 5.1 running jdk 1.4.2_03 allows remote attackers to exe ...) NOT-FOR-US: IBM Cloudscape CVE-2004-0252 (TYPSoft FTP Server 1.10 allows remote attackers to cause a denial of s ...) NOT-FOR-US: TYPSoft FTP Server CVE-2004-0251 (Cross-site scripting (XSS) vulnerability in rxgoogle.cgi allows remote ...) NOT-FOR-US: rxgoogle.cgi CVE-2004-0250 (SQL injection vulnerability in PhotoPost PHP Pro 4.6 and earlier allow ...) NOT-FOR-US: PhotoPost PHP Pro CVE-2004-0249 (PHPX 2.0 through 3.2.4 allows remote attackers to gain access to other ...) NOT-FOR-US: PHPX CVE-2004-0248 (Cross-site scripting vulnerability (XSS) in PHPX 3.2.3 allows remote a ...) NOT-FOR-US: PHPX CVE-2004-0247 (The client and server of Chaser 1.50 and earlier allow remote attacker ...) NOT-FOR-US: Chaser CVE-2004-0246 (Multiple PHP remote file inclusion vulnerabilities in (1) fonctions.li ...) NOT-FOR-US: Les Commentaires CVE-2004-0245 (Web Crossing 4.x and 5.x allows remote attackers to cause a denial of ...) NOT-FOR-US: Web Crossing CVE-2004-0244 (Cisco 6000, 6500, and 7600 series systems with Multilayer Switch Featu ...) NOT-FOR-US: Cisco CVE-2004-0243 (AIX 4.3.3 through AIX 5.1, when direct remote login is disabled, displ ...) NOT-FOR-US: AIX CVE-2004-0242 (X-Cart 3.4.3 allows remote attackers to gain sensitive information via ...) NOT-FOR-US: X-Cart 3.4.3 CVE-2004-0241 (X-Cart 3.4.3 allows remote attackers to execute arbitrary commands via ...) NOT-FOR-US: X-Cart 3.4.3 CVE-2004-0240 (Directory traversal vulnerability in X-Cart 3.4.3 allows remote attack ...) NOT-FOR-US: X-Cart 3.4.3 CVE-2004-0239 (SQL injection vulnerability in showphoto.php in PhotoPost PHP Pro 4.6 ...) NOT-FOR-US: PhotoPost PHP Pro CVE-2004-0238 (Multiple buffer overflows in Overkill (0verkill) 0.15pre3 might allow ...) - overkill 0.16-7 CVE-2004-0237 (Directory traversal vulnerability in index.php in Aprox PHP Portal all ...) NOT-FOR-US: Aprox PHP Portal CVE-2004-0236 (SQL injection vulnerability in login.asp in thePHOTOtool allows remote ...) NOT-FOR-US: thePHOTOtool CVE-2004-0235 (Multiple directory traversal vulnerabilities in LHA 1.14 allow remote ...) {DSA-515} - lha 1.14i-8 CVE-2004-0234 (Multiple stack-based buffer overflows in the get_header function in he ...) {DSA-515} - lha 1.14i-8 CVE-2004-0233 (Utempter allows device names that contain .. (dot dot) directory trave ...) NOT-FOR-US: utempter CVE-2004-0232 (Multiple format string vulnerabilities in Midnight Commander (mc) befo ...) {DSA-497} - mc 1:4.6.0-4.6.1-pre1-2 CVE-2004-0231 (Multiple vulnerabilities in Midnight Commander (mc) before 4.6.0, with ...) {DSA-497} - mc 1:4.6.0-4.6.1-pre1-2 CVE-2004-0230 (TCP, when using a large Window Size, makes it easier for remote attack ...) - linux (unimportant) - linux-2.6 (unimportant) - linux-2.6.24 (unimportant) NOTE: the attack works with a certain non-negligible probability, but even NOTE: when successful, it only causes a TCP disconnect, which will (in most NOTE: circumstances) be reestablished right away, causing essentially no impact CVE-2004-0229 (The framebuffer driver in Linux kernel 2.6.x does not properly use the ...) - linux-2.6 2.6.6-1 - linux-2.6.24 CVE-2004-0228 (Integer signedness error in the cpufreq proc handler (cpufreq_procctl) ...) - kernel-source-2.4.27 (2.4 does not have cpufreq) - linux-2.6 (fixed before first upload; 2.6.8) CVE-2004-0227 (Buffer overflow in the zms script in ZoneMinder before 1.19.2 may allo ...) - zoneminder 1.22.3-1 NOTE: fixed in 1.19.2, which was released before initial upload of 1.22.3 CVE-2004-0226 (Multiple buffer overflows in Midnight Commander (mc) before 4.6.0 may ...) {DSA-497} - mc 1:4.6.0-4.6.1-pre1-2 CVE-2004-0225 RESERVED CVE-2004-0224 (Multiple buffer overflows in (1) iso2022jp.c or (2) shiftjis.c for Cou ...) - courier 0.45.1-1 CVE-2004-0223 RESERVED CVE-2004-0222 (Multiple memory leaks in isakmpd in OpenBSD 3.4 and earlier allow remo ...) NOT-FOR-US: isakmpd in OpenBSD CVE-2004-0221 (isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a ...) NOT-FOR-US: isakmpd in OpenBSD CVE-2004-0220 (isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a ...) NOT-FOR-US: isakmpd in OpenBSD CVE-2004-0219 (isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a ...) NOT-FOR-US: isakmpd in OpenBSD CVE-2004-0218 (isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a ...) NOT-FOR-US: isakmpd in OpenBSD CVE-2004-0217 (The LiveUpdate capability (liveupdate.sh) in Symantec AntiVirus Scan E ...) NOT-FOR-US: Symantec AntiVirus Scan Engine for Red Hat CVE-2004-0216 (Integer overflow in the Install Engine (inseng.dll) for Internet Explo ...) NOT-FOR-US: MSIE bug CVE-2004-0215 (Microsoft Outlook Express 5.5 and 6 allows attackers to cause a denial ...) NOT-FOR-US: MS-Outlook-Express CVE-2004-0214 (Buffer overflow in Microsoft Internet Explorer and Explorer on Windows ...) NOT-FOR-US: MSIE bug CVE-2004-0213 (Utility Manager in Windows 2000 launches winhlp32.exe while Utility Ma ...) NOT-FOR-US: Windows bug CVE-2004-0212 (Stack-based buffer overflow in the Task Scheduler for Windows 2000 and ...) NOT-FOR-US: Windows bug CVE-2004-0211 (The kernel for Microsoft Windows Server 2003 does not reset certain va ...) NOT-FOR-US: Windows bug CVE-2004-0210 (The POSIX component of Microsoft Windows NT and Windows 2000 allows lo ...) NOT-FOR-US: Windows bug CVE-2004-0209 (Unknown vulnerability in the Graphics Rendering Engine processes of Mi ...) NOT-FOR-US: Windows bug CVE-2004-0208 (The Virtual DOS Machine (VDM) subsystem of Microsoft Windows NT 4.0, W ...) NOT-FOR-US: Windows bug CVE-2004-0207 ("Shatter" style vulnerability in the Window Management application pro ...) NOT-FOR-US: Windows bug CVE-2004-0206 (Network Dynamic Data Exchange (NetDDE) services for Microsoft Windows ...) NOT-FOR-US: Windows bug CVE-2004-0205 (Buffer overflow in Microsoft Internet Information Server (IIS) 4.0 all ...) NOT-FOR-US: Windows bug CVE-2004-0204 (Directory traversal vulnerability in the web viewers for Business Obje ...) NOT-FOR-US: Visual Studio bug CVE-2004-0203 (Cross-site scripting (XSS) vulnerability in Outlook Web Access for Exc ...) NOT-FOR-US: Exchange bug CVE-2004-0202 (IDirectPlay4 Application Programming Interface (API) of Microsoft Dire ...) NOT-FOR-US: DirectX CVE-2004-0201 (Heap-based buffer overflow in the HtmlHelp program (hh.exe) in HTML He ...) NOT-FOR-US: Windows HTML Help CVE-2004-0200 (Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Grap ...) NOT-FOR-US: famous Windows GDI+ JPEG parsing bug CVE-2004-0199 (Help and Support Center in Microsoft Windows XP and Windows Server 200 ...) NOT-FOR-US: Windows bug CVE-2004-0198 RESERVED CVE-2004-0197 (Buffer overflow in Microsoft Jet Database Engine 4.0 allows remote att ...) NOT-FOR-US: MSJet bug CVE-2004-0196 RESERVED CVE-2004-0195 RESERVED CVE-2004-0192 (Cross-site scripting (XSS) vulnerability in the Management Service for ...) NOT-FOR-US: Symantec Gateway Security CVE-2004-0187 REJECTED CVE-2004-0184 (Integer underflow in the isakmp_id_print for TCPDUMP 3.8.1 and earlier ...) {DSA-478} - tcpdump 3.7.2-4 CVE-2004-0183 (TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of ...) {DSA-478} - tcpdump 3.7.2-4 CVE-2004-0182 (Mailman before 2.0.13 allows remote attackers to cause a denial of ser ...) - mailman (RedHat specific bug) CVE-2004-0181 (The JFS file system code in Linux 2.4.x has an information leak in whi ...) - kernel-source-2.4.27 (Fixed before upload into archive; 2.4.26-pre5) CVE-2004-0180 (The client for CVS before 1.11 allows a remote malicious CVS server to ...) {DSA-486} - cvs 1:1.12.5-4 (medium) CVE-2004-0179 (Multiple format string vulnerabilities in (1) neon 0.24.4 and earlier, ...) {DSA-487} - neon 0.24.5-1 CVE-2004-0178 (The OSS code for the Sound Blaster (sb16) driver in Linux 2.4.x before ...) {DSA-495 DSA-491 DSA-489 DSA-482 DSA-481 DSA-480 DSA-479} - linux-2.6 (fixed before first upload; 2.6.8) - kernel-source-2.4.27 (Fixed before upload into archive; 2.4.26-pre3) CVE-2004-0177 (The ext3 code in Linux 2.4.x before 2.4.26 does not properly initializ ...) {DSA-495 DSA-491 DSA-489 DSA-482 DSA-481 DSA-480 DSA-479} - linux-2.6 (fixed before first upload; 2.6.8) - kernel-source-2.4.27 (Fixed before upload into archive; 2.4.26-pre4) CVE-2004-0176 (Multiple buffer overflows in Ethereal 0.8.13 to 0.10.2 allow remote at ...) {DSA-511} - ethereal 0.10.3-1 (bug #239576) CVE-2004-0175 (Directory traversal vulnerability in scp for OpenSSH before 3.4p1 allo ...) {CVE-2000-0992} - openssh 1:3.9p1-1 (low; bug #270770) [sarge] - openssh (Minor issue) NOTE: The directory traversal part has been fixed in OpenSSH 3.9p1. NOTE: The "SUID/SGID across trust boundaries" issue remains, but is NOTE: largely theoretic. This is a rediscovery of CVE-2000-0992. NOTE: jmm: 3.9p1 thus marked as fixed version CVE-2004-0174 (Apache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using multip ...) - apache 1.3.29.0.2-5 CVE-2004-0172 (Heap-based buffer overflow in the search_for_command function of ltrac ...) - ltrace (Not setuid/setgid in Debian) CVE-2004-0170 RESERVED CVE-2004-0168 (Unknown vulnerability in CoreFoundation for Mac OS X 10.3.2, related t ...) NOT-FOR-US: CoreFoundation for Mac OS X CVE-2004-0166 (Unknown vulnerability in Safari web browser for Mac OS X 10.2.8 relate ...) NOT-FOR-US: Safari CVE-2004-0164 (KAME IKE daemon (racoon) does not properly handle hash values, which a ...) - ipsec-tools 0.3.3-1 NOTE: not mentioned in the changelog, so I don't know which version exactly fixes NOTE: the problem, but the patch that fixes the bug is applied: NOTE: http://marc.info/?l=bugtraq&m=107411758202662&w=2 CVE-2004-0163 (Sygate Secure Enterprise (SSE) 3.5MR3 and earlier does not change the ...) NOT-FOR-US: Sygate Secure Enterprise CVE-2004-0162 (Multiple content security gateway and antivirus products allow remote ...) NOT-FOR-US: general MIME bug with security gateways CVE-2004-0161 (Multiple content security gateway and antivirus products allow remote ...) NOT-FOR-US: general MIME bug with security gateways CVE-2004-0158 (Buffer overflow in lbreakout2 allows local users to gain 'games' group ...) {DSA-445} - lbreakout2 2.4 CVE-2004-0157 (x11.c in xonix 1.4 and earlier uses the current working directory to f ...) {DSA-484} - xonix 1.4-21 CVE-2004-0156 (Format string vulnerabilities in the (1) die or (2) log_event function ...) {DSA-485} - ssmtp 2.60.7 CVE-2004-0155 (The KAME IKE Daemon Racoon, when authenticating a peer during Phase 1, ...) - ipsec-tools 0.2.5-2 CVE-2004-0154 (rpc.mountd in nfs-utils after 1.0.3 and before 1.0.6 allows attackers ...) - nfs-utils 1:1.0.5-3 CVE-2004-0153 (Multiple format string vulnerabilities in emil 2.1.0 and earlier may a ...) {DSA-468} - emil 2.1.0-beta9-14 CVE-2004-0152 (Multiple stack-based buffer overflows in (1) the encode_mime function, ...) {DSA-468} - emil 2.1.0-beta9-14 CVE-2004-0151 (Unknown vulnerability in xitalk 1.1.11 and earlier allows local users ...) {DSA-462} - xitalk 1.1.11-11 CVE-2004-0149 (Multiple buffer overflows in xboing before 2.4 allow local users to ga ...) {DSA-451} - xboing 2.4-26.1 (bug #174924) CVE-2004-0147 REJECTED CVE-2004-0146 REJECTED CVE-2004-0145 REJECTED CVE-2004-0144 REJECTED CVE-2004-0143 (Multiple vulnerabilities in Nokia 6310(i) Mobile phones allow remote a ...) NOT-FOR-US: Nokia mobile phones CVE-2004-0142 REJECTED CVE-2004-0141 REJECTED CVE-2004-0140 REJECTED CVE-2004-0139 (Unknown vulnerability in the bsd.a kernel networking for SGI IRIX 6.5. ...) NOT-FOR-US: SGI IRIX CVE-2004-0138 (The ELF loader in Linux kernel 2.4 before 2.4.25 allows local users to ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - linux-2.6 (fixed before first upload) CVE-2004-0137 (Unknown vulnerability in init for IRIX 6.5.20 through 6.5.24 allows lo ...) NOT-FOR-US: IRIX init CVE-2004-0136 (The mapelf32exec function call in IRIX 6.5.20 through 6.5.24 allows lo ...) NOT-FOR-US: IRIX CVE-2004-0135 (The syssgi SGI_IOPROBE system call in IRIX 6.5.20 through 6.5.24 allow ...) NOT-FOR-US: IRIX CVE-2004-0134 (cpr (libcpr) in SGI IRIX before 6.5.25 allows local users to gain priv ...) NOT-FOR-US: IRIX CVE-2004-0133 (The XFS file system code in Linux 2.4.x has an information leak in whi ...) - kernel-source-2.4.27 (Fixed before upload into archive; 2.4.26-rc2) - linux-2.6 (fixed before first upload; 2.6.5) CVE-2004-0132 (Multiple PHP remote file inclusion vulnerabilities in ezContents 2.0.2 ...) NOT-FOR-US: ezContents CVE-2004-0130 (login.php in phpGedView 2.65 and earlier allows remote attackers to ob ...) NOT-FOR-US: phpGedView CVE-2004-0127 (Directory traversal vulnerability in editconfig_gedcom.php for phpGedV ...) NOT-FOR-US: phpGedView CVE-2004-0125 (The jail system call in FreeBSD 4.x before 4.10-RELEASE does not verif ...) NOT-FOR-US: FreeBSD jail CVE-2004-0124 (The DCOM RPC interface for Microsoft Windows NT 4.0, 2000, XP, and Ser ...) NOT-FOR-US: Windows bug CVE-2004-0123 (Double free vulnerability in the ASN.1 library as used in Windows NT 4 ...) NOT-FOR-US: Windows bug CVE-2004-0120 (The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2 ...) NOT-FOR-US: Windows bug CVE-2004-0119 (The Negotiate Security Software Provider (SSP) interface in Windows 20 ...) NOT-FOR-US: Windows bug CVE-2004-0118 (The component for the Virtual DOS Machine (VDM) subsystem in Windows N ...) NOT-FOR-US: Windows bug CVE-2004-0117 (Unknown vulnerability in the H.323 protocol implementation in Windows ...) NOT-FOR-US: Windows bug CVE-2004-0116 (An Activation function in the RPCSS Service involved with DCOM activat ...) NOT-FOR-US: Windows bug CVE-2004-0112 (The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, wh ...) - openssl 0.9.7d-1 CVE-2004-0110 (Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft ...) {DSA-455} - libxml 1:1.8.17-5 - libxml2 2.6.6-1 CVE-2004-0109 (Buffer overflow in the ISO9660 file system component for Linux kernel ...) {DSA-495 DSA-491 DSA-489 DSA-482 DSA-481 DSA-480 DSA-479} - kernel-source-2.4.27 (Fixed before upload into archive; 2.4.26-rc4) - linux-2.6 (fixed before first upload; 2.6.6) CVE-2004-0107 (The (1) post and (2) trigger scripts in sysstat 4.0.7 and earlier allo ...) - sysstat 5.0.2-1 CVE-2004-0106 (Multiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to ...) {DSA-443} - xfree86 4.3.0-2 CVE-2004-0105 (Multiple buffer overflows in Metamail 2.7 and earlier allow remote att ...) {DSA-449} - metamail 2.7-45.2 CVE-2004-0104 (Multiple format string vulnerabilities in Metamail 2.7 and earlier all ...) {DSA-449} - metamail 2.7-45.2 CVE-2004-0103 (crawl before 4.0.0 beta23 does not properly "apply a size check" when ...) {DSA-432} - crawl 1:4.0.0beta26-4 CVE-2004-0102 RESERVED CVE-2004-0101 RESERVED CVE-2004-0100 RESERVED CVE-2004-0098 REJECTED CVE-2004-0097 (Multiple vulnerabilities in PWLib before 1.6.0 allow remote attackers ...) {DSA-448} - pwlib 1.5.2-4 CVE-2004-0092 (Unknown vulnerability in Safari web browser in Mac OS X 10.2.8 and 10. ...) NOT-FOR-US: Safari CVE-2004-0091 NOT-FOR-US: vBulletin CVE-2004-0090 (Unknown vulnerability in Windows File Sharing for Mac OS X 10.1.5 thro ...) NOT-FOR-US: MacOS CVE-2004-0088 (The System Configuration subsystem in Mac OS 10.2.8 allows local users ...) NOT-FOR-US: MacOS CVE-2004-0087 (The System Configuration subsystem in Mac OS 10.2.8 and 10.3.2 allows ...) NOT-FOR-US: MacOS CVE-2004-0086 (Unknown vulnerability in the Mail application for Mac OS X 10.3.2 has ...) NOT-FOR-US: MacOS CVE-2004-0085 (Unknown vulnerability in the Mail application for Mac OS X 10.1.5 and ...) NOT-FOR-US: MacOS CVE-2004-0084 (Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3. ...) {DSA-443} - xfree86 4.3.0-2 CVE-2004-0083 (Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 throu ...) {DSA-443} - xfree86 4.3.0-2 CVE-2004-0081 (OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message t ...) {DSA-465} - openssl 0.9.6d-1 CVE-2004-0079 (The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0. ...) {DSA-465} - openssl 0.9.7d-1 - openssl096 0.9.6m-1 CVE-2004-0076 REJECTED CVE-2004-0074 (Multiple buffer overflows in xsok 1.02 allows local users to gain priv ...) - xsok (Not vulnerable. See bug #278777) CVE-2004-0073 (PHP remote file inclusion vulnerability in (1) config.php and (2) conf ...) NOT-FOR-US: EasyDynamicPages CVE-2004-0072 (Directory traversal vulnerability in Accipiter Direct Server 6.0 allow ...) NOT-FOR-US: Accipiter Direct Server 6.0 CVE-2004-0071 (Directory traversal vulnerability in buildManPage in class.manpagelook ...) NOT-FOR-US: PHP Man Page Lookup 1.2.0 CVE-2004-0069 (Format string vulnerability in HD Soft Windows FTP Server 1.6 and earl ...) NOT-FOR-US: HD Soft Windows FTP Server 1.6 CVE-2004-0067 (Multiple cross-site scripting (XSS) vulnerabilities in phpGedView befo ...) NOT-FOR-US: phpGedView CVE-2004-0066 (phpGedView before 2.65 allows remote attackers to obtain the absolute ...) NOT-FOR-US: phpGedView CVE-2004-0065 (Multiple SQL injection vulnerabilities in phpGedView before 2.65 allow ...) NOT-FOR-US: phpGedView CVE-2004-0064 (The SuSEconfig.gnome-filesystem script for YaST in SuSE 9.0 allows loc ...) NOT-FOR-US: SuSE YaST CVE-2004-0062 (Integer overflow in the rnd arithmetic rounding function for various v ...) NOT-FOR-US: FishCart CVE-2004-0061 (WWW File Share Pro 2.42 and earlier allows remote attackers to bypass ...) NOT-FOR-US: WWW File Share Pro 2.42 CVE-2004-0060 (WWW File Share Pro 2.42 and earlier allows remote attackers to cause a ...) NOT-FOR-US: WWW File Share Pro 2.42 CVE-2004-0059 (Directory traversal vulnerability in upload capability of WWW File Sha ...) NOT-FOR-US: WWW File Share Pro 2.42 CVE-2004-0058 (Antivir / Linux 2.0.9-9, and possibly earlier versions, allows local u ...) NOT-FOR-US: Antivir CVE-2004-0057 (The rawprint function in the ISAKMP decoding routines (print-isakmp.c) ...) {DSA-425} - tcpdump 3.8.3-1 NOTE: Upstream version 3.8.3 is fixed; may have been fixed earlier. CVE-2004-0056 (Multiple vulnerabilities in the H.323 protocol implementation for Nort ...) NOT-FOR-US: Nortel Networks products CVE-2004-0055 (The print_attr_string function in print-radius.c for tcpdump 3.8.1 and ...) {DSA-425} - tcpdump 3.8.3-1 NOTE: Upstream version 3.8.3 is fixed; may have been fixed earlier. CVE-2004-0054 (Multiple vulnerabilities in the H.323 protocol implementation for Cisc ...) NOT-FOR-US: Cisco CVE-2004-0053 (Multiple content security gateway and antivirus products allow remote ...) NOT-FOR-US: Multiple security gateways MIME parsing stuff CVE-2004-0052 (Multiple content security gateway and antivirus products allow remote ...) NOT-FOR-US: Multiple security gateways MIME parsing stuff CVE-2004-0051 (Multiple content security gateway and antivirus products allow remote ...) NOT-FOR-US: Multiple security gateways MIME parsing stuff CVE-2004-0050 (Verity Ultraseek before 5.2.2 allows remote attackers to obtain the fu ...) NOT-FOR-US: Verity Ultraseek CVE-2004-0048 RESERVED CVE-2004-0047 (Multiple programs in trr19 1.0 do not properly drop privileges before ...) {DSA-430} - trr19 1.0beta5-17.1 (bug #264702) CVE-2004-0046 (Cross-site scripting (XSS) vulnerability in SnapStream PVS LITE allows ...) NOT-FOR-US: SnapStream PVS LITE CVE-2004-0043 (Buffer overflow in Yahoo Instant Messenger 5.6.0.1351 and earlier allo ...) NOT-FOR-US: Yahoo Instant Messenger CVE-2004-0042 (vsftpd 1.1.3 generates different error messages depending on whether o ...) - vsftpd 2.0.1-1 NOTE: can't find any mention of the bug being fixed, but vsftpd doesn't NOTE: show the beaviour described in http://www.securitytracker.com/alerts/2004/Jan/1008628.html CVE-2004-0041 (The mod_auth_shadow module 1.4 and earlier does not properly enforce t ...) {DSA-421} - mod-auth-shadow 1.4-1 CVE-2004-0039 (Multiple format string vulnerabilities in HTTP Application Intelligenc ...) NOT-FOR-US: Check Point Firewall CVE-2004-0038 (McAfee ePolicy Orchestrator (ePO) 2.5.1 Patch 13 and 3.0 SP2a Patch 3 ...) NOT-FOR-US: McAfee CVE-2004-0037 (FirstClass Desktop Client 7.1 allows remote attackers to execute arbit ...) NOT-FOR-US: FistClass Desktop Client CVE-2004-0034 (Multiple cross-site scripting (XSS) vulnerabilities in Phorum 3.4.5 an ...) NOT-FOR-US: Phorum CVE-2004-0030 (PHP remote file inclusion vulnerability in (1) functions.php, (2) auth ...) NOT-FOR-US: PHPGEDVIEW CVE-2004-0029 (Lotus Notes Domino 6.0.2 on Linux installs the notes.ini configuration ...) NOT-FOR-US: Lotus Notes Domino CVE-2004-0027 RESERVED CVE-2004-0026 RESERVED CVE-2004-0025 RESERVED CVE-2004-0024 RESERVED CVE-2004-0023 RESERVED CVE-2004-0022 RESERVED CVE-2004-0021 RESERVED CVE-2004-0020 RESERVED CVE-2004-0019 RESERVED CVE-2004-0018 RESERVED CVE-2004-0017 (Multiple SQL injection vulnerabilities in the (1) calendar and (2) inf ...) {DSA-419} - phpgroupware 0.9.14.007-4 CVE-2004-0014 (Multiple buffer overflows in the nd WebDAV interface 0.8.2 and earlier ...) {DSA-412} - nd 0.8.2-1 CVE-2004-0012 REJECTED CVE-2004-0010 (Stack-based buffer overflow in the ncp_lookup function for ncpfs in Li ...) {DSA-495 DSA-491 DSA-489 DSA-482 DSA-481 DSA-480 DSA-479} - kernel-source-2.4.27 (Fixed before upload into archive; 2.4.25-pre7) CVE-2004-0008 (Integer overflow in Gaim 0.74 and earlier, and Ultramagnetic before 0. ...) {DSA-434} - gaim 1:0.75-2 CVE-2004-0007 (Buffer overflow in the Extract Info Field Function for (1) MSN and (2) ...) {DSA-434} - gaim 1:0.75-2 CVE-2004-0006 (Multiple buffer overflows in Gaim 0.75 and earlier, and Ultramagnetic ...) {DSA-434} - gaim 1:0.75-2 CVE-2004-0005 (Multiple buffer overflows in Gaim 0.75 allow remote attackers to cause ...) {DSA-434} - gaim 1:0.75-2 CVE-2004-0003 (Unknown vulnerability in Linux kernel before 2.4.22 allows local users ...) {DSA-495 DSA-491 DSA-489 DSA-482 DSA-481 DSA-480 DSA-479} - kernel-source-2.4.27 (Fixed before upload into archive; 2.4.26-rc4) CVE-2004-0002 (The TCP MSS (maximum segment size) functionality in netinet allows rem ...) NOT-FOR-US: FreeBSD netinet CVE-2003-1565 REJECTED CVE-2003-1052 (IBM DB2 7.1 and 8.1 allow the bin user to gain root privileges by modi ...) NOT-FOR-US: IBM DB2 CVE-2003-1051 (Multiple format string vulnerabilities in IBM DB2 Universal Database 8 ...) NOT-FOR-US: IBM DB2 CVE-2003-1050 (Multiple buffer overflows in IBM DB2 Universal Database 8.1 may allow ...) NOT-FOR-US: IBM DB2 CVE-2003-1049 (IBM DB2 Universal Database 7 before FixPak 12 creates certain DMS dire ...) NOT-FOR-US: IBM DB2 CVE-2003-1048 (Double free vulnerability in mshtml.dll for certain versions of Intern ...) NOT-FOR-US: microsoft CVE-2003-1047 REJECTED CVE-2003-1046 (describecomponents.cgi in Bugzilla 2.17.3 and 2.17.4 does not properly ...) - bugzilla 2.16.4-1 CVE-2003-1045 (votes.cgi in Bugzilla 2.16.3 and earlier, and 2.17.1 through 2.17.4, a ...) - bugzilla 2.16.4-1 CVE-2003-1044 (editproducts.cgi in Bugzilla 2.16.3 and earlier, when usebuggroups is ...) - bugzilla 2.16.4-1 CVE-2003-1043 (SQL injection vulnerability in Bugzilla 2.16.3 and earlier, and 2.17.1 ...) - bugzilla 2.16.4-1 CVE-2003-1042 (SQL injection vulnerability in collectstats.pl for Bugzilla 2.16.3 and ...) - bugzilla 2.16.4-1 CVE-2003-1041 (Internet Explorer 5.x and 6.0 allows remote attackers to execute arbit ...) NOT-FOR-US: microsoft CVE-2003-1040 (kmod in the Linux kernel does not set its uid, suid, gid, or sgid to 0 ...) NOTE: linux kernel kmod local DoS, fixed in all current kernels CVE-2003-1039 (Multiple buffer overflows in the mySAP.com architecture for SAP allow ...) NOT-FOR-US: SAP CVE-2003-1038 (The AGate component for SAP Internet Transaction Server (ITS) allows r ...) NOT-FOR-US: SAP CVE-2003-1037 (Format string vulnerability in the WGate component for SAP Internet Tr ...) NOT-FOR-US: SAP CVE-2003-1036 (Multiple buffer overflows in the AGate component for SAP Internet Tran ...) NOT-FOR-US: SAP CVE-2003-1035 (The default installation of SAP R/3 46C/D allows remote attackers to b ...) NOT-FOR-US: SAP CVE-2003-1034 (The RPM installation of SAP DB 7.x creates the (1) dbmsrv or (2) lserv ...) NOT-FOR-US: SAP CVE-2003-1033 (The (1) instdbmsrv and (2) instlserver programs in SAP DB Development ...) NOT-FOR-US: SAP CVE-2003-1032 (Pi3Web web server 2.0.2 Beta 1, when the Directory Index is configured ...) NOT-FOR-US: Pi3Web not in debian CVE-2003-1031 (Cross-site scripting (XSS) vulnerability in register.php for vBulletin ...) NOT-FOR-US: VBulletin CVE-2003-1030 (Buffer overflow in DameWare Mini Remote Control before 3.73 allows rem ...) NOT-FOR-US: Dameware CVE-2003-1029 (The L2TP protocol parser in tcpdump 3.8.1 and earlier allows remote at ...) {DSA-425} - tcpdump 3.8.3-1 NOTE: Upstream version 3.8.3 is fixed; may have been fixed earlier. CVE-2003-1028 (The download function of Internet Explorer 6 SP1 allows remote attacke ...) NOT-FOR-US: microsoft CVE-2003-1027 (Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct ...) NOT-FOR-US: microsoft CVE-2003-1026 (Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass ...) NOT-FOR-US: microsoft CVE-2003-1025 (Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof ...) NOT-FOR-US: microsoft CVE-2003-1024 (Unknown vulnerability in the ls-F builtin function in tcsh on Solaris ...) NOT-FOR-US: solaris CVE-2003-1023 (Stack-based buffer overflow in vfs_s_resolve_symlink of vfs/direntry.c ...) {DSA-424} - mc 1:4.6.0-4.6.1-pre1-1 CVE-2003-1021 (The scosession program in OpenServer 5.0.6 and 5.0.7 allows local user ...) NOT-FOR-US: SCO CVE-2003-1020 (The format_send_to_gui function in formats.c for irssi before 0.8.9 al ...) - irssi-text 0.8.9-0.1 CVE-2003-1019 RESERVED CVE-2003-1018 (Format string vulnerability in enq command in AIX 4.3, 5.1, and 5.2 al ...) NOT-FOR-US: AIX CVE-2003-1017 (Macromedia Flash Player before 7,0,19,0 stores a Flash data file in a ...) - flashplugin-nonfree 7.0.25-1 CVE-2003-1016 (Multiple content security gateway and antivirus products allow remote ...) NOTE: Multiple vendor MIME quote bypass filtering CVE-2003-1015 (Multiple content security gateway and antivirus products allow remote ...) - mime-tools 5.411-2 CVE-2003-1014 (Multiple content security gateway and antivirus products allow remote ...) NOTE: Multiple vendor MIME RFC822 comment bypass filtering CVE-2003-1013 (The Q.931 dissector in Ethereal before 0.10.0, and Tethereal, allows r ...) {DSA-407} - ethereal 0.10.0-1 CVE-2003-1012 (The SMB dissector in Ethereal before 0.10.0 allows remote attackers to ...) {DSA-407} - ethereal 0.10.0-1 CVE-2003-1011 (Apple Mac OS X 10.0 through 10.2.8 allows local users with a USB keybo ...) NOT-FOR-US: Apple CVE-2003-1010 (Unknown vulnerability in fs_usage in Mac OS X 10.2.8 and 10.3.2 and Ma ...) NOT-FOR-US: Apple CVE-2003-1009 (Directory Services in Apple Mac OS X 10.0.2, 10.0.3, 10.2.8, 10.3.2 an ...) NOT-FOR-US: Apple CVE-2003-1008 (Unknown vulnerability in Mac OS X 10.2.8 and 10.3.2 allows local users ...) NOT-FOR-US: Apple CVE-2003-1007 (AppleFileServer (AFS) in Apple Mac OS X 10.2.8 and 10.3.2 does not pro ...) NOT-FOR-US: Apple CVE-2003-1006 (Buffer overflow in cd9660.util in Apple Mac OS X 10.0 through 10.3.2 a ...) NOT-FOR-US: Apple CVE-2003-1005 (The PKI functionality in Mac OS X 10.2.8 and 10.3.2 allows remote atta ...) NOT-FOR-US: Apple CVE-2003-1004 (Cisco PIX firewall 6.2.x through 6.2.3, when configured as a VPN Clien ...) NOT-FOR-US: Cisco CVE-2003-1003 (Cisco PIX firewall 5.x.x, and 6.3.1 and earlier, allows remote attacke ...) NOT-FOR-US: Cisco CVE-2003-1002 (Cisco Firewall Services Module (FWSM) in Cisco Catalyst 6500 and 7600 ...) NOT-FOR-US: Cisco CVE-2003-1001 (Buffer overflow in the Cisco Firewall Services Module (FWSM) in Cisco ...) NOT-FOR-US: Cisco CVE-2003-1000 (xchat 2.0.6 allows remote attackers to cause a denial of service (cras ...) - xchat 2.0.7 CVE-2003-0999 (Unknown multiple vulnerabilities in (1) lpstat and (2) the libprint li ...) NOT-FOR-US: Solaris CVE-2003-0998 (Unknown "potential system security vulnerability" in Computer Associat ...) NOT-FOR-US: Computer Associates (CA) Unicenter Remote Control CVE-2003-0997 (Unknown "Denial of Service Attack" vulnerability in Computer Associate ...) NOT-FOR-US: Computer Associates (CA) Unicenter Remote Control CVE-2003-0995 (Buffer overflow in the Microsoft Message Queue Manager (MSQM) allows r ...) NOT-FOR-US: Microsoft CVE-2003-0992 (Cross-site scripting (XSS) vulnerability in the create CGI script for ...) - mailman 2.1.3 CVE-2003-0990 (The parseAddress code in (1) SquirrelMail 1.4.0 and (2) GPG Plugin 1.1 ...) - squirrelmail 1.4.2 (low) NOTE: Only potentially exploitable withexternel GPG Plugin, see NOTE: http://www.securityfocus.com/archive/1/348366 NOTE: The potential problems have been fixed as of 1.4.2 CVE-2003-0989 (tcpdump before 3.8.1 allows remote attackers to cause a denial of serv ...) {DSA-425} - tcpdump 3.8.1 CVE-2003-0987 (mod_digest for Apache before 1.3.31 does not properly verify the nonce ...) - apache 1.3.29.0.2-5 CVE-2003-0986 (Various routines for the ppc64 architecture on Linux kernel 2.6 prior ...) - kernel-source-2.4.27 (Fixed before initial upload; 2.4.24) - linux-2.6 (Fixed before upload into archive; 2.6.2) CVE-2003-0984 (Real time clock (RTC) routines in Linux kernel 2.4.23 and earlier do n ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - linux-2.6 (Fixed before upload into archive; 2.6.2) - kernel-source-2.4.27 (Fixed before upload into archive; 2.4.24-rc1) CVE-2003-0983 (Cisco Unity on IBM servers is shipped with default settings that shoul ...) NOT-FOR-US: Cisco CVE-2003-0982 (Buffer overflow in the authentication module for Cisco ACNS 4.x before ...) NOT-FOR-US: Cisco CVE-2003-0981 (FreeScripts VisitorBook LE (visitorbook.pl) logs the reverse DNS name ...) NOT-FOR-US: visitorbook.pl CVE-2003-0980 (Cross-site scripting (XSS) vulnerability in FreeScripts VisitorBook LE ...) NOT-FOR-US: visitorbook.pl CVE-2003-0979 (FreeScripts VisitorBook LE (visitorbook.pl) does not properly escape l ...) NOT-FOR-US: visitorbook.pl CVE-2003-0978 (Format string vulnerability in gpgkeys_hkp (experimental HKP interface ...) NOT-FOR-US: gpgkeys_hkp CVE-2003-0977 (CVS server before 1.11.10 may allow attackers to cause the CVS server ...) - cvs 1:1.11.10 CVE-2003-0976 (NFS Server (XNFS.NLM) for Novell NetWare 6.5 does not properly enforce ...) NOT-FOR-US: netware CVE-2003-0975 (Apple Safari 1.0 through 1.1 on Mac OS X 10.3.1 and Mac OS X 10.2.8 al ...) NOT-FOR-US: MacOS CVE-2003-0974 (Applied Watch Command Center allows remote attackers to conduct unauth ...) NOT-FOR-US: Applied Watch Command Center CVE-2003-0973 (Unknown vulnerability in mod_python 3.0.x before 3.0.4, and 2.7.x befo ...) {DSA-452} - libapache-mod-python 2:2.7.10-1 CVE-2003-0972 (Integer signedness error in ansi.c for GNU screen 4.0.1 and earlier, a ...) {DSA-408} - screen 4.0.2-0.1 CVE-2003-0971 (GnuPG (GPG) 1.0.2, and other versions up to 1.2.3, creates ElGamal typ ...) {DSA-429} - gnupg 1.2.4-1 CVE-2003-0970 (The Network Management Port on Sun Fire B1600 systems allows remote at ...) NOT-FOR-US: Sun Fire B1600 CVE-2003-0968 (Stack-based buffer overflow in SMB_Logon_Server of the rlm_smb experim ...) - freeradius 1.0.1 (unimportant) NOTE: freeradius module in question is not built in debian package CVE-2003-0967 (rad_decode in FreeRADIUS 0.9.2 and earlier allows remote attackers to ...) - freeradius 0.9.2-4 CVE-2003-0996 (Unknown "System Security Vulnerability" in Computer Associates (CA) Un ...) NOT-FOR-US: Computer Associates (CA) Unicenter Remote Control CVE-2003-0965 (Cross-site scripting (XSS) vulnerability in the admin CGI script for M ...) {DSA-436} - mailman 2.1.4-1 CVE-2003-0964 REJECTED CVE-2003-0963 (Buffer overflows in (1) try_netscape_proxy and (2) try_squid_eplf for ...) {DSA-406} - lftp 2.6.10-1 CVE-2003-0962 (Heap-based buffer overflow in rsync before 2.5.7, when running in serv ...) {DSA-404} - rsync 2.5.6-1.1 CVE-2003-0961 (Integer overflow in the do_brk function for the brk system call in Lin ...) {DSA-475 DSA-470 DSA-450 DSA-442 DSA-440 DSA-439 DSA-433 DSA-423 DSA-417 DSA-403} - kernel-source-2.4.27 (Fixed before initial upload; 2.4.23-pre7) CVE-2003-0960 (OpenCA before 0.9.1.4 does not use the correct certificate in a chain ...) NOT-FOR-US: OpenCA CVE-2003-0959 (Multiple integer overflows in the 32bit emulation for AMD64 architectu ...) - kernel-source-2.4.27 (Fixed before initial upload; 2.4.21) CVE-2003-0958 RESERVED CVE-2003-0957 RESERVED CVE-2003-0956 (Multiple race conditions in the handling of O_DIRECT in Linux kernel p ...) - kernel-source-2.4.27 (Fixed before initial upload; 2.4.22) CVE-2003-0955 (OpenBSD kernel 3.3 and 3.4 allows local users to cause a denial of ser ...) NOT-FOR-US: OpenBSD CVE-2003-0954 (Buffer overflow in rcp for AIX 4.3.3, 5.1 and 5.2 allows local users t ...) NOT-FOR-US: rcp CVE-2003-0953 REJECTED CVE-2003-0952 REJECTED CVE-2003-0951 (Partition Manager (parmgr) in HP-UX B.11.23 does not properly validate ...) NOT-FOR-US: HP-UX CVE-2003-0950 (PeopleSoft PeopleTools 8.1x, 8.2x, and 8.4x allows remote attackers to ...) NOT-FOR-US: PeopleSoft PeopleTools CVE-2003-0949 (xsok 1.02 does not properly drop privileges before finding and executi ...) {DSA-405} - xsok 1.02-11 CVE-2003-0948 (Buffer overflow in iwconfig allows local users to execute arbitrary co ...) - wireless-tools (iwconfig not setuid/setgid in Debian) CVE-2003-0947 (Buffer overflow in iwconfig, when installed setuid, allows local users ...) - wireless-tools (iwconfig not setuid/setgid in Debian) CVE-2003-0946 (Format string vulnerability in clamav-milter for Clam AntiVirus 0.60 t ...) - clamav 0.65 CVE-2003-0945 (The Web Database Manager in web-tools for SAP DB before 7.4.03.30 gene ...) NOT-FOR-US: Web Database Manager in web-tools for SAP DB CVE-2003-0944 (Buffer overflow in the WAECHO default service in web-tools in SAP DB b ...) NOT-FOR-US: Web Database Manager in web-tools for SAP DB CVE-2003-0943 (web-tools in SAP DB before 7.4.03.30 installs several services that ar ...) NOT-FOR-US: Web Database Manager in web-tools for SAP DB CVE-2003-0942 (Buffer overflow in Web Agent Administration service in web-tools for S ...) NOT-FOR-US: Web Database Manager in web-tools for SAP DB CVE-2003-0941 (web-tools in SAP DB before 7.4.03.30 allows remote attackers to access ...) NOT-FOR-US: Web Database Manager in web-tools for SAP DB CVE-2003-0940 (Directory traversal vulnerability in sqlfopenc for web-tools in SAP DB ...) NOT-FOR-US: Web Database Manager in web-tools for SAP DB CVE-2003-0939 (eo420_GetStringFromVarPart in veo420.c for SAP database server (SAP DB ...) NOT-FOR-US: SAP database server (SAP DB) CVE-2003-0938 (vos24u.c in SAP database server (SAP DB) 7.4.03.27 and earlier allows ...) NOT-FOR-US: SAP database server (SAP DB) CVE-2003-0937 (SCO UnixWare 7.1.1, 7.1.3, and Open UNIX 8.0.0 allows local users to b ...) NOT-FOR-US: UnixWare CVE-2003-0936 (Symantec PCAnywhere 10.x and 11, when started as a service, allows att ...) NOT-FOR-US: PCAnywhere CVE-2003-0935 (Net-SNMP before 5.0.9 allows a user or community to access data in MIB ...) - net-snmp 5.0.9 CVE-2003-0934 (Symbol Access Portable Data Terminal (PDT) 8100 does not hide the defa ...) NOT-FOR-US: Symbol Access Portable Data Terminal CVE-2003-0933 (Buffer overflow in conquest 7.2 and earlier may allow a local user to ...) {DSA-398} - conquest 7.2-5 CVE-2003-0932 (Buffer overflow in omega-rpg 0.90 allows local users to execute arbitr ...) {DSA-400} - omega-rpg 1:0.90-pa9-11 CVE-2003-0931 (Sygate Enforcer 4.0 earlier allows remote attackers to cause a denial ...) NOT-FOR-US: Sygate Enforcer CVE-2003-0930 (Clearswift MAILsweeper before 4.3.15 does not properly detect filename ...) NOT-FOR-US: Clearswift MAILsweeper CVE-2003-0929 (Clearswift MAILsweeper before 4.3.15 does not properly detect and filt ...) NOT-FOR-US: Clearswift MAILsweeper CVE-2003-0928 (Clearswift MAILsweeper before 4.3.15 does not properly detect and filt ...) NOT-FOR-US: Clearswift MAILsweeper CVE-2003-0927 (Heap-based buffer overflow in Ethereal 0.9.15 and earlier allows remot ...) {DSA-407} - ethereal 0.9.16-0.1 CVE-2003-0926 (Ethereal 0.9.15 and earlier, and Tethereal, allows remote attackers to ...) {DSA-407} - ethereal 0.9.16-0.1 CVE-2003-0925 (Buffer overflow in Ethereal 0.9.15 and earlier allows remote attackers ...) {DSA-407} - ethereal 0.9.16-0.1 CVE-2003-0923 REJECTED CVE-2003-0922 REJECTED CVE-2003-0921 REJECTED CVE-2003-0920 REJECTED CVE-2003-0919 REJECTED CVE-2003-0918 REJECTED CVE-2003-0917 REJECTED CVE-2003-0916 RESERVED CVE-2003-0915 RESERVED CVE-2003-0914 (ISC BIND 8.3.x before 8.3.7, and 8.4.x before 8.4.3, allows remote att ...) {DSA-409} - bind 1:8.4.3-1 CVE-2003-0913 (Unknown vulnerability in the Terminal application for Mac OS X 10.3 (C ...) NOT-FOR-US: MacOS CVE-2003-0912 RESERVED CVE-2003-0911 RESERVED CVE-2003-0910 (The NtSetLdtEntries function in the programming interface for the Loca ...) NOT-FOR-US: Windows CVE-2003-0909 (Windows XP allows local users to execute arbitrary programs by creatin ...) NOT-FOR-US: Windows CVE-2003-0908 (The Utility Manager in Microsoft Windows 2000 executes winhlp32.exe wi ...) NOT-FOR-US: Windows CVE-2003-0907 (Help and Support Center in Microsoft Windows XP SP1 does not properly ...) NOT-FOR-US: Windows CVE-2003-0906 (Buffer overflow in the rendering for (1) Windows Metafile (WMF) or (2) ...) NOT-FOR-US: Windows CVE-2003-0904 (Microsoft Exchange 2003 and Outlook Web Access (OWA), when configured ...) NOT-FOR-US: Windows CVE-2003-0902 (Unknown vulnerability in minimalist mailing list manager 2.4, 2.2, and ...) {DSA-402} - minimalist 2.4-1 CVE-2003-0901 (Buffer overflow in to_ascii for PostgreSQL 7.2.x, and 7.3.x before 7.3 ...) {DSA-397} - postgresql 7.3.4-1 NOTE: 7.3.4-1 was uploaded to unstable in August 2003, well before the NOTE: DSA, that's why the DSA says that unstable is not affected. CVE-2003-0900 (Perl 5.8.1 on Fedora Core does not properly initialize the random numb ...) - perl 5.8.2 CVE-2003-0899 (Buffer overflow in defang in libhttpd.c for thttpd 2.21 to 2.23b1 allo ...) {DSA-396} - thttpd 2.23beta1-2.3 CVE-2003-0898 (IBM DB2 7.2 before FixPak 10a, and earlier versions including 7.1, all ...) NOT-FOR-US: IBM DB2 CVE-2003-0897 ("Shatter" vulnerability in CommCtl32.dll in Windows XP may allow local ...) NOT-FOR-US: microsoft CVE-2003-0896 (The loadClass method of the sun.applet.AppletClassLoader class in the ...) NOT-FOR-US: Sun/Java CVE-2003-0895 (Buffer overflow in the Mac OS X kernel 10.2.8 and earlier allows local ...) NOT-FOR-US: Apple CVE-2003-0894 (Buffer overflow in the (1) oracle and (2) oracleO programs in Oracle 9 ...) NOT-FOR-US: Oracle CVE-2003-0893 RESERVED CVE-2003-0892 RESERVED CVE-2003-0891 RESERVED CVE-2003-0890 RESERVED CVE-2003-0889 RESERVED CVE-2003-0888 RESERVED CVE-2003-0887 (ez-ipupdate 3.0.11b7 and earlier creates insecure temporary cache file ...) NOTE: verified Debian is not explitable; we don't put the cache in /tmp CVE-2003-0886 (Format string vulnerability in hfaxd for Hylafax 4.1.7 and earlier all ...) {DSA-401} - hylafax 1:4.1.8-1 CVE-2003-0885 (Xscreensaver 4.14 contains certain debugging code that should have bee ...) - xscreensaver 4.15 CVE-2003-0884 RESERVED CVE-2003-0883 (The System Preferences capability in Mac OS X before 10.3 allows local ...) NOT-FOR-US: Apple CVE-2003-0882 (Mac OS X before 10.3 initializes the TCP timestamp with a constant num ...) NOT-FOR-US: Apple CVE-2003-0881 (Mail in Mac OS X before 10.3, when configured to use MD5 Challenge Res ...) NOT-FOR-US: Apple CVE-2003-0880 (Unknown vulnerability in Mac OS X before 10.3 allows local users to ac ...) NOT-FOR-US: Apple CVE-2003-0879 REJECTED CVE-2003-0878 (slpd daemon in Mac OS X before 10.3 allows local users to overwrite ar ...) NOT-FOR-US: Apple CVE-2003-0877 (Mac OS X before 10.3 with core files enabled allows local users to ove ...) NOT-FOR-US: Apple CVE-2003-0876 (Finder in Mac OS X 10.2.8 and earlier sets global read/write/execute p ...) NOT-FOR-US: Apple CVE-2003-0875 (Symbolic link vulnerability in the slpd script slpd.all_init for OpenS ...) NOTE: Vulnerable code not shipped in the binary package - openslp 1.0.11a-1 (unimportant) CVE-2003-0874 (Multiple SQL injection vulnerabilities in DeskPRO 1.1.0 and earlier al ...) NOT-FOR-US: Deskpro CVE-2003-0873 REJECTED CVE-2003-0872 (Certain scripts in OpenServer before 5.0.6 allow local users to overwr ...) NOT-FOR-US: SCO CVE-2003-0871 (Unknown vulnerability in QuickTime Java in Mac OS X v10.3 and Mac OS X ...) NOT-FOR-US: Apple CVE-2003-0870 (Heap-based buffer overflow in Opera 7.11 and 7.20 allows remote attack ...) NOT-FOR-US: Opera CVE-2003-0869 REJECTED CVE-2003-0868 REJECTED CVE-2003-0867 REJECTED CVE-2003-0866 (The Catalina org.apache.catalina.connector.http package in Tomcat 4.0. ...) {DSA-395} - tomcat4 4.1.24-2 CVE-2003-0865 (Heap-based buffer overflow in readstring of httpget.c for mpg123 0.59r ...) {DSA-435} - mpg123 0.59r-15 CVE-2003-0864 (Buffer overflow in m_join in channel.c for IRCnet IRCD 2.10.x to 2.10. ...) - ircd-irc2 2.10.3p5-1 CVE-2003-0863 (The php_check_safe_mode_include_dir function in fopen_wrappers.c of PH ...) NOTE: php4, this bug appears not to have been fixed. NOTE: submitted to BTS on libapache-mod-php4 NOTE: developer claims there is no problem CVE-2003-0862 REJECTED CVE-2003-0861 (Integer overflows in (1) base64_encode and (2) the GD library for PHP ...) - php4 4:4.3.3-1 CVE-2003-0860 (Buffer overflows in PHP before 4.3.3 have unknown impact and unknown a ...) - php4 4:4.3.3-1 CVE-2003-0859 (The getifaddrs function in GNU libc (glibc) 2.2.4 and earlier allows l ...) NOTE: affects glibc 2.2.4, Debian uses 2.3.2 CVE-2003-0858 (Zebra 0.93b and earlier, and quagga before 0.95, allows local users to ...) {DSA-415} - quagga 0.96.4x-4 CVE-2003-0857 (The (1) ipq_read and (2) ipulog_read functions in iptables allow local ...) NOT-FOR-US: Data predating security tracker CVE-2003-0856 (iproute 2.4.7 and earlier allows local users to cause a denial of serv ...) {DSA-492} - iproute 20010824-13.1 CVE-2003-0855 (Pan 0.13.3 and earlier allows remote attackers to cause a denial of se ...) - pan 0.13.4-1 CVE-2003-0854 (ls in the fileutils or coreutils packages allows local users to consum ...) - coreutils 5.2.1-1 CVE-2003-0853 (An integer overflow in ls in the fileutils or coreutils packages may a ...) - coreutils 5.2.1-1 CVE-2003-0852 (Format string vulnerability in send_message.c for Sylpheed-claws 0.9.4 ...) - sylpheed-claws 0.9.8claws-1 CVE-2003-0851 (OpenSSL 0.9.6k allows remote attackers to cause a denial of service (c ...) - openssl096 0.9.6l CVE-2003-0850 (The TCP reassembly functionality in libnids before 1.18 allows remote ...) {DSA-410} - libnids 1.18-1 CVE-2003-0849 (Buffer overflow in net.c for cfengine 2.x before 2.0.8 allows remote a ...) - cfengine2 2.0.9+2.1.0b3-1 CVE-2003-0848 (Heap-based buffer overflow in main.c of slocate 2.6, and possibly othe ...) {DSA-428} - slocate 2.7-3 CVE-2003-0847 (SuSEconfig.susewm in the susewm package on SuSE Linux 8.2Pro allows lo ...) NOT-FOR-US: SuSE CVE-2003-0846 (SuSEconfig.javarunt in the javarunt package on SuSE Linux 7.3Pro allow ...) NOT-FOR-US: SuSE CVE-2003-0845 (Unknown vulnerability in the HSQLDB component in JBoss 3.2.1 and 3.0.8 ...) NOT-FOR-US: JBoss CVE-2003-0844 (mod_gzip 1.3.26.1a and earlier, and possibly later official versions, ...) - libapache-mod-gzip (unimportant) NOTE: Debian doesn't enable vulnerable debug mode. CVE-2003-0843 (Format string vulnerability in mod_gzip_printf for mod_gzip 1.3.26.1a ...) - libapache-mod-gzip (unimportant) NOTE: Debian doesn't enable vulnerable debug mode. CVE-2003-0842 (Stack-based buffer overflow in mod_gzip_printf for mod_gzip 1.3.26.1a ...) - libapache-mod-gzip (unimportant) NOTE: Debian doesn't enable vulnerable debug mode. CVE-2003-0841 (The grid option in PeopleSoft 8.42 stores temporary .xls files in gues ...) NOT-FOR-US: Peoplesoft CVE-2003-0840 (Buffer overflow in dtprintinfo on HP-UX 11.00, and possibly other oper ...) NOT-FOR-US: HPUX CVE-2003-0839 (Directory traversal vulnerability in the "Shell Folders" capability in ...) NOT-FOR-US: microsoft CVE-2003-0838 (Internet Explorer allows remote attackers to bypass zone restrictions ...) NOT-FOR-US: microsoft CVE-2003-0837 (Stack-based buffer overflow in IBM DB2 Universal Data Base 7.2 for Win ...) NOT-FOR-US: IBM DB2 CVE-2003-0836 (Stack-based buffer overflow in IBM DB2 Universal Data Base 7.2 before ...) NOT-FOR-US: IBM DB2 CVE-2003-0835 (Multiple buffer overflows in asf_http_request of MPlayer before 0.92 a ...) NOTE: mplayer fixed before upload CVE-2003-0834 (Buffer overflow in CDE libDtHelp library allows local users to execute ...) NOT-FOR-US: CDE CVE-2003-0833 (Stack-based buffer overflow in webfs before 1.20 allows attackers to e ...) {DSA-392} - webfs 1.20 CVE-2003-0832 (Directory traversal vulnerability in webfs before 1.20 allows remote a ...) {DSA-392} - webfs 1.20 CVE-2003-0831 (ProFTPD 1.2.7 through 1.2.9rc2 does not properly translate newline cha ...) - proftpd 1.2.9-1 CVE-2003-0830 (Buffer overflow in marbles 1.0.2 and earlier allows local users to gai ...) {DSA-390} - marbles CVE-2003-0829 RESERVED CVE-2003-0828 (Buffer overflow in freesweep in Debian GNU/Linux 3.0 allows local user ...) {DSA-391} - freesweep 0.88-4.1 (bug #242616) CVE-2003-0827 (The DB2 Discovery Service for IBM DB2 before FixPak 10a allows remote ...) NOT-FOR-US: IBM DB2 CVE-2003-0826 (lsh daemon (lshd) does not properly return from certain functions in ( ...) {DSA-717-1} - lsh-utils 1.4.2-6 CVE-2003-0824 (Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Micr ...) NOT-FOR-US: microsoft CVE-2003-0823 (Internet Explorer 6 SP1 and earlier allows remote attackers to direct ...) NOT-FOR-US: microsoft CVE-2003-0822 (Buffer overflow in the debug functionality in fp30reg.dll of Microsoft ...) NOT-FOR-US: microsoft CVE-2003-0821 (Microsoft Excel 97, 2000, and 2002 allows remote attackers to execute ...) NOT-FOR-US: microsoft CVE-2003-0820 (Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2 ...) NOT-FOR-US: microsoft CVE-2003-0819 (Buffer overflow in the H.323 filter of Microsoft Internet Security and ...) NOT-FOR-US: microsoft CVE-2003-0818 (Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as ...) NOT-FOR-US: microsoft CVE-2003-0817 (Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass ...) NOT-FOR-US: microsoft CVE-2003-0816 (Internet Explorer 6 SP1 and earlier allows remote attackers to bypass ...) NOT-FOR-US: microsoft CVE-2003-0815 (Internet Explorer 6 SP1 and earlier allows remote attackers to bypass ...) NOT-FOR-US: microsoft CVE-2003-0814 (Internet Explorer 6 SP1 and earlier allows remote attackers to bypass ...) NOT-FOR-US: microsoft CVE-2003-0813 (A multi-threaded race condition in the Windows RPC DCOM functionality ...) NOT-FOR-US: microsoft CVE-2003-0812 (Stack-based buffer overflow in a logging function for Windows Workstat ...) NOT-FOR-US: microsoft CVE-2003-0811 RESERVED CVE-2003-0810 RESERVED CVE-2003-0809 (Internet Explorer 5.01 through 6.0 does not properly handle object tag ...) NOT-FOR-US: microsoft CVE-2003-0808 RESERVED CVE-2003-0807 (Buffer overflow in the COM Internet Services and in the RPC over HTTP ...) NOT-FOR-US: microsoft CVE-2003-0806 (Buffer overflow in the Windows logon process (winlogon) in Microsoft W ...) NOT-FOR-US: microsoft CVE-2003-0805 (Multiple buffer overflows in UMN gopher daemon (gopherd) 2.x and 3.x b ...) {DSA-387} - gopher 3.0.6 NOTE: gopherd was removed from the gopher package in version 3.0.6. CVE-2003-0804 (The arplookup function in FreeBSD 5.1 and earlier, Mac OS X before 10. ...) NOT-FOR-US: BSD CVE-2003-0803 (Nokia Electronic Documentation (NED) 5.0 allows remote attackers to us ...) NOT-FOR-US: Nokia CVE-2003-0802 (Nokia Electronic Documentation (NED) 5.0 allows remote attackers to ob ...) NOT-FOR-US: Nokia CVE-2003-0801 (Cross-site scripting (XSS) vulnerability in Nokia Electronic Documenta ...) NOT-FOR-US: Nokia CVE-2003-0800 REJECTED CVE-2003-0799 REJECTED CVE-2003-0798 REJECTED CVE-2003-0797 (Unknown vulnerability in rpc.mountd in SGI IRIX 6.5 through 6.5.22 all ...) NOT-FOR-US: SGI IRIX CVE-2003-0796 (Unknown vulnerability in rpc.mountd SGI IRIX 6.5.18 through 6.5.22 all ...) NOT-FOR-US: SGI IRIX CVE-2003-0795 (The vty layer in Quagga before 0.96.4, and Zebra 0.93b and earlier, do ...) {DSA-415} - quagga 0.96.4x-4 CVE-2003-0794 (GDM 2.4.4.x before 2.4.4.4, and 2.4.1.x before 2.4.1.7, does not limit ...) - gdm 2.4.4.4 CVE-2003-0793 (GDM 2.4.4.x before 2.4.4.4, and 2.4.1.x before 2.4.1.7, does not restr ...) - gdm 2.4.4.4 CVE-2003-0792 (Fetchmail 6.2.4 and earlier does not properly allocate memory for long ...) - fetchmail 6.2.5 CVE-2003-0791 (The Script.prototype.freeze/thaw functionality in Mozilla 1.4 and earl ...) - mozilla 2:1.5 CVE-2003-0790 REJECTED CVE-2003-0789 (mod_cgid in Apache before 2.0.48, when using a threaded MPM, does not ...) - apache2 2.0.48 CVE-2003-0788 (Unknown vulnerability in the Internet Printing Protocol (IPP) implemen ...) - cups 1.1.19 - cupsys 1.1.19 CVE-2003-0787 (The PAM conversation function in OpenSSH 3.7.1 and 3.7.1p1 interprets ...) - openssh 1:3.7.1p2 CVE-2003-0786 (The SSH1 PAM challenge response authentication in OpenSSH 3.7.1 and 3. ...) - openssh 1:3.7.1p2 CVE-2003-0785 (ipmasq before 3.5.12, in certain configurations, may forward packets t ...) {DSA-389} - ipmasq 3.5.12 CVE-2003-0784 (Format string vulnerability in tsm for the bos.rte.security fileset on ...) NOT-FOR-US: IBM TSM CVE-2003-0783 (Multiple buffer overflows in hztty 2.0 allow local users to gain root ...) {DSA-385} - hztty 2.0-6 CVE-2003-0782 (Multiple buffer overflows in ecartis before 1.0.0 allow attackers to c ...) {DSA-467} - ecartis 1.0.0+cvs.20030911 CVE-2003-0781 (Unknown vulnerability in ecartis before 1.0.0 does not properly valida ...) {DSA-467} - ecartis 1.0.0+cvs.20030911 CVE-2003-0780 (Buffer overflow in get_salt_from_password from sql_acl.cc for MySQL 4. ...) {DSA-381} - mysql-dfsg 4.0.15-1 CVE-2003-0779 (SQL injection vulnerability in the Call Detail Record (CDR) logging fu ...) - asterisk 0.7.0 CVE-2003-0778 (saned in sane-backends 1.0.7 and earlier, and possibly later versions, ...) {DSA-379} - sane-backends 1.0.11-1 CVE-2003-0777 (saned in sane-backends 1.0.7 and earlier, when debug messages are enab ...) {DSA-379} - sane-backends 1.0.11-1 CVE-2003-0776 (saned in sane-backends 1.0.7 and earlier does not properly "check the ...) {DSA-379} - sane-backends 1.0.11-1 CVE-2003-0775 (saned in sane-backends 1.0.7 and earlier calls malloc with an arbitrar ...) {DSA-379} - sane-backends 1.0.11-1 CVE-2003-0774 (saned in sane-backends 1.0.7 and earlier does not quickly handle conne ...) {DSA-379} - sane-backends 1.0.11-1 CVE-2003-0773 (saned in sane-backends 1.0.7 and earlier does not check the IP address ...) {DSA-379} - sane-backends 1.0.11-1 CVE-2003-0772 (Multiple buffer overflows in WS_FTP 3 and 4 allow remote authenticated ...) NOT-FOR-US: WS_FTP server CVE-2003-0771 (Gallery.pm in Apache::Gallery (aka A::G) uses predictable temporary fi ...) - libapache-gallery-perl 0.7 CVE-2003-0770 (FUNC.pm in IkonBoard 3.1.2a and earlier, including 3.1.1, does not pro ...) NOT-FOR-US: IkonBoard CVE-2003-0769 (Cross-site scripting (XSS) vulnerability in the ICQ Web Front guestboo ...) NOT-FOR-US: ICQ Web Front CVE-2003-0768 (Microsoft ASP.Net 1.1 allows remote attackers to bypass the Cross-Site ...) NOT-FOR-US: microsoft CVE-2003-0767 (Buffer overflow in RogerWilco graphical server 1.4.1.6 and earlier, de ...) NOT-FOR-US: RogerWilco CVE-2003-0766 (Multiple heap-based buffer overflows in FTP Desktop client 3.5, and po ...) NOT-FOR-US: ftp desktop (windows) CVE-2003-0765 (The IN_MIDI.DLL plugin 3.01 and earlier, as used in Winamp 2.91, allow ...) NOT-FOR-US: winamp CVE-2003-0764 (Escapade Scripting Engine (ESP) allows remote attackers to obtain sens ...) NOT-FOR-US: Escapade Scripting Engine (ESP CVE-2003-0763 (Cross-site scripting (XSS) vulnerability in Escapade Scripting Engine ...) NOT-FOR-US: Escapade Scripting Engine (ESP CVE-2003-0762 (Buffer overflow in (1) foxweb.dll and (2) foxweb.exe of Foxweb 2.5 all ...) NOT-FOR-US: foxweb CVE-2003-0761 (Buffer overflow in the get_msg_text of chan_sip.c in the Session Initi ...) - asterisk 0.5.0 CVE-2003-0760 (Blubster 2.5 allows remote attackers to cause a denial of service (cra ...) NOT-FOR-US: optisoft blubster CVE-2003-0759 (Buffer overflow in db2licm in IBM DB2 Universal Data Base 7.2 before F ...) NOT-FOR-US: IBM DB2 CVE-2003-0758 (Buffer overflow in db2dart in IBM DB2 Universal Data Base 7.2 before F ...) NOT-FOR-US: IBM DB2 CVE-2003-0757 (Check Point FireWall-1 4.0 and 4.1 before SP5 allows remote attackers ...) NOT-FOR-US: check point firewall CVE-2003-0756 (Directory traversal vulnerability in sitebuilder.cgi in SiteBuilder 1. ...) NOT-FOR-US: sitebuilder CVE-2003-0755 (Buffer overflow in sys_cmd.c for gtkftpd 1.0.4 and earlier allows remo ...) NOT-FOR-US: gtkftpd CVE-2003-0754 (nphpd.php in newsPHP 216 and earlier allows remote attackers to bypass ...) NOT-FOR-US: newsPHP CVE-2003-0753 (nphpd.php in newsPHP 216 and earlier allows remote attackers to read a ...) NOT-FOR-US: newsPHP CVE-2003-0752 (SQL injection vulnerability in global.php3 of AttilaPHP 3.0, and possi ...) NOT-FOR-US: AttilaPHP CVE-2003-0751 (SQL injection vulnerability in pass_done.php for PY-Membres 4.2 and ea ...) NOT-FOR-US: PY-Membres CVE-2003-0750 (secure.php in PY-Membres 4.2 and earlier allows remote attackers to by ...) NOT-FOR-US: PY-Membres CVE-2003-0749 (Cross-site scripting (XSS) vulnerability in wgate.dll for SAP Internet ...) NOT-FOR-US: SAP CVE-2003-0748 (Directory traversal vulnerability in wgate.dll for SAP Internet Transa ...) NOT-FOR-US: SAP CVE-2003-0747 (wgate.dll in SAP Internet Transaction Server (ITS) 4620.2.0.323011 all ...) NOT-FOR-US: SAP CVE-2003-0746 (Various Distributed Computing Environment (DCE) implementations, inclu ...) NOT-FOR-US: Distributed Computing Environment (DCE) not in Deb CVE-2003-0745 (SNMPc 6.0.8 and earlier performs authentication to the server on the c ...) NOT-FOR-US: castlerock SNMPc CVE-2003-0744 (The fetchnews NNTP client in leafnode 1.9.3 to 1.9.41 allows remote at ...) - leafnode 1.9.42 CVE-2003-0743 (Heap-based buffer overflow in smtp_in.c for Exim 3 (exim3) before 3.36 ...) {DSA-376} - exim 3.36-8 CVE-2003-0742 (SCO Internet Manager (mana) allows local users to execute arbitrary pr ...) NOT-FOR-US: SCO CVE-2003-0741 REJECTED CVE-2003-0740 (Stunnel 4.00, and 3.24 and earlier, leaks a privileged file descriptor ...) - stunnel 2:3.26 (bug #278942) - stunnel4 2:4.04 CVE-2003-0739 (VMware Workstation 4.0.1 for Linux, build 5289 and earlier, allows loc ...) NOT-FOR-US: VMware CVE-2003-0738 (The calendar module in phpWebSite 0.9.x and earlier allows remote atta ...) NOT-FOR-US: phpWebSite CVE-2003-0737 (The calendar module in phpWebSite 0.9.x and earlier allows remote atta ...) NOT-FOR-US: phpWebSite CVE-2003-0736 (Multiple cross-site scripting (XSS) vulnerabilities in phpWebSite 0.9. ...) NOT-FOR-US: phpWebSite CVE-2003-0735 (SQL injection vulnerability in the Calendar module of phpWebSite 0.9.x ...) NOT-FOR-US: phpWebSite CVE-2003-0734 (Unknown vulnerability in the pam_filter mechanism in pam_ldap before v ...) - libpam-ldap 164-1 - libnss-ldap 207-1 CVE-2003-0733 (Multiple cross-site scripting (XSS) vulnerabilities in WebLogic Integr ...) NOT-FOR-US: BEA weblogic CVE-2003-0732 (CiscoWorks Common Management Foundation (CMF) 2.1 and earlier allows t ...) NOT-FOR-US: cisco CVE-2003-0731 (CiscoWorks Common Management Foundation (CMF) 2.1 and earlier allows t ...) NOT-FOR-US: cisco CVE-2003-0730 (Multiple integer overflows in the font libraries for XFree86 4.3.0 all ...) {DSA-380} - xfree86 4.2.1-12 CVE-2003-0729 (Buffer overflow in Tellurian TftpdNT 1.8 allows remote attackers to ex ...) NOT-FOR-US: tellurian tftpdNT CVE-2003-0728 (Horde before 2.2.4 allows remote malicious web sites to steal session ...) - horde2 2.2.4 CVE-2003-0727 (Multiple buffer overflows in the XML Database (XDB) functionality for ...) NOT-FOR-US: oracle CVE-2003-0726 (RealOne player allows remote attackers to execute arbitrary script in ...) NOT-FOR-US: RealOne player CVE-2003-0725 (Buffer overflow in the RTSP protocol parser for the View Source plug-i ...) NOT-FOR-US: Real Networks Server / Helix Server CVE-2003-0724 (ssh on HP Tru64 UNIX 5.1B and 5.1A does not properly handle RSA signat ...) NOT-FOR-US: HP Tru64 CVE-2003-0723 (Buffer overflow in gkrellmd for gkrellm 2.1.x before 2.1.14 may allow ...) - gkrellm 2.1.14 CVE-2003-0722 (The default installation of sadmind on Solaris uses weak authenticatio ...) NOT-FOR-US: solaris CVE-2003-0721 (Integer signedness error in rfc2231_get_param from strings.c in PINE b ...) - pine 4.58 - alpine (alpine is based on pine 4.64, this bug was in a previous version of pine) CVE-2003-0720 (Buffer overflow in PINE before 4.58 allows remote attackers to execute ...) - pine 4.58 - alpine (alpine is based on pine 4.64, this bug was in a previous version of pine) CVE-2003-0719 (Buffer overflow in the Private Communications Transport (PCT) protocol ...) NOT-FOR-US: microsoft CVE-2003-0718 (The WebDAV Message Handler for Internet Information Services (IIS) 5.0 ...) NOT-FOR-US: microsoft CVE-2003-0717 (The Messenger Service for Windows NT through Server 2003 does not prop ...) NOT-FOR-US: microsoft CVE-2003-0716 RESERVED CVE-2003-0715 (Heap-based buffer overflow in the Distributed Component Object Model ( ...) NOT-FOR-US: microsoft CVE-2003-0714 (The Internet Mail Service in Exchange Server 5.5 and Exchange 2000 all ...) NOT-FOR-US: microsoft CVE-2003-0713 RESERVED CVE-2003-0712 (Cross-site scripting (XSS) vulnerability in the HTML encoding for the ...) NOT-FOR-US: microsoft CVE-2003-0711 (Stack-based buffer overflow in the PCHealth system in the Help and Sup ...) NOT-FOR-US: pchealth for windows CVE-2003-0710 RESERVED CVE-2003-0709 (Buffer overflow in the whois client, which is not setuid but is someti ...) - whois 4.6.7 CVE-2003-0708 (Format string vulnerability in LinuxNode (node) before 0.3.2 may allow ...) {DSA-375} - node 0.3.2-1 CVE-2003-0707 (Buffer overflow in LinuxNode (node) before 0.3.2 allows remote attacke ...) {DSA-375} - node 0.3.2-1 CVE-2003-0706 (Unknown vulnerability in mah-jong 1.5.6 and earlier allows remote atta ...) {DSA-378} - mah-jong 1.5.6-2 CVE-2003-0705 (Buffer overflow in mah-jong 1.5.6 and earlier allows remote attackers ...) {DSA-378} - mah-jong 1.5.6-2 CVE-2003-0704 (KisMAC before 0.05d trusts user-supplied variables when chown'ing file ...) NOT-FOR-US: KisMAC for Mac OS X CVE-2003-0703 (KisMAC before 0.05d trusts user-supplied variables to load arbitrary k ...) NOT-FOR-US: KisMAC for Mac OS X CVE-2003-0702 (Unknown vulnerability in an ISAPI plugin for ISS Server Sensor 7.0 XPU ...) NOT-FOR-US: microsoft CVE-2003-0701 (Buffer overflow in Internet Explorer 6 SP1 for certain languages that ...) NOT-FOR-US: microsoft CVE-2003-0700 (The C-Media PCI sound driver in Linux before 2.4.22 does not use the g ...) NOTE: fixed in 2.4.22-pre3 CVE-2003-0699 (The C-Media PCI sound driver in Linux before 2.4.21 does not use the g ...) NOTE: fixed in 2.4.21-rc2 CVE-2003-0698 REJECTED CVE-2003-0697 (Format string vulnerability in lpd in the bos.rte.printers fileset for ...) NOT-FOR-US: AIX CVE-2003-0696 (The getipnodebyname() API in AIX 5.1 and 5.2 does not properly close s ...) NOT-FOR-US: AIX CVE-2003-0695 (Multiple "buffer management errors" in OpenSSH before 3.7.1 may allow ...) {DSA-383 DSA-382} - openssh 1:3.7.1 CVE-2003-0694 (The prescan function in Sendmail 8.12.9 allows remote attackers to exe ...) {DSA-384} - sendmail 8.12.10-1 CVE-2003-0693 (A "buffer management error" in buffer_append_space of buffer.c for Ope ...) {DSA-383 DSA-382} - openssh 1:3.6.1p2-6.0 CVE-2003-0692 (KDM in KDE 3.1.3 and earlier uses a weak session cookie generation alg ...) {DSA-388} - kdebase 4:3.2 CVE-2003-0691 REJECTED CVE-2003-0690 (KDM in KDE 3.1.3 and earlier does not verify whether the pam_setcred f ...) {DSA-443 DSA-388} - xfree86 4.3.0-0pre1v2 - kdebase 4:3.2 CVE-2003-0689 (The getgrouplist function in GNU libc (glibc) 2.2.4 and earlier allows ...) - glibc 2.2.5 CVE-2003-0688 (The DNS map code in Sendmail 8.12.8 and earlier, when using the "enhdn ...) - sendmail 8.12.9 CVE-2003-0687 REJECTED CVE-2003-0686 (Buffer overflow in PAM SMB module (pam_smb) 1.1.6 and earlier, when au ...) {DSA-374} - libpam-smb CVE-2003-0685 (Buffer overflow in Netris 0.52 and earlier, and possibly other version ...) {DSA-372} - netris 0.52-1 CVE-2003-0684 REJECTED CVE-2003-0683 (NFS in SGI 6.5.21m and 6.5.21f does not perform access checks in certa ...) NOT-FOR-US: SGI CVE-2003-0682 ("Memory bugs" in OpenSSH 3.7.1 and earlier, with unknown impact, a dif ...) {DSA-383 DSA-382} - openssh 1:3.6.1p2-9 CVE-2003-0681 (A "potential buffer overflow in ruleset parsing" for Sendmail 8.12.9, ...) {DSA-384} - sendmail 8.12.10-1 CVE-2003-0680 (Unknown vulnerability in NFS for SGI IRIX 6.5.21 and earlier may allow ...) NOT-FOR-US: SGI IRIX CVE-2003-0679 (Unknown vulnerability in the libcpr library for the Checkpoint/Restart ...) NOT-FOR-US: SGI IRIX CVE-2003-0678 REJECTED CVE-2003-0677 (Cisco CSS 11000 routers on the CS800 chassis allow remote attackers to ...) NOT-FOR-US: Cisco CVE-2003-0676 (Directory traversal vulnerability in ViewLog for iPlanet Administratio ...) NOT-FOR-US: Sun iPlanet CVE-2003-0672 (Format string vulnerability in pam-pgsql 0.5.2 and earlier allows remo ...) {DSA-370} - pam-pgsql 0.5.2-7 CVE-2003-0671 (Format string vulnerability in tcpflow, when used in a setuid context, ...) NOT-FOR-US: sustworks IPNetSentryX CVE-2003-0670 (Sustworks IPNetSentryX and IPNetMonitorX allow local users to sniff ne ...) NOT-FOR-US: sustworks IPNetSentryX CVE-2003-0669 (Unknown vulnerability in Solaris 2.6 through 9 causes a denial of serv ...) NOT-FOR-US: solaris CVE-2003-0668 RESERVED CVE-2003-0667 RESERVED CVE-2003-0666 (Buffer overflow in Microsoft Wordperfect Converter allows remote attac ...) NOT-FOR-US: microsoft CVE-2003-0665 (Buffer overflow in the ActiveX control for Microsoft Access Snapshot V ...) NOT-FOR-US: microsoft CVE-2003-0664 (Microsoft Word 2002, 2000, 97, and 98(J) does not properly check certa ...) NOT-FOR-US: microsoft CVE-2003-0663 (Unknown vulnerability in the Local Security Authority Subsystem Servic ...) NOT-FOR-US: microsoft CVE-2003-0662 (Buffer overflow in Troubleshooter ActiveX Control (Tshoot.ocx) in Micr ...) NOT-FOR-US: microsoft CVE-2003-0661 (The NetBT Name Service (NBNS) for NetBIOS in Windows NT 4.0, 2000, XP, ...) NOT-FOR-US: microsoft CVE-2003-0660 (The Authenticode capability in Microsoft Windows NT through Server 200 ...) NOT-FOR-US: microsoft CVE-2003-0659 (Buffer overflow in a function in User32.dll on Windows NT through Serv ...) NOT-FOR-US: microsoft CVE-2003-0658 (Docview before 1.1-18 in Caldera OpenLinux 3.1.1, SCO Linux 4.0, OpenS ...) NOT-FOR-US: docview / caldera CVE-2003-0657 (Multiple SQL injection vulnerabilities in the infolog module for phpgr ...) {DSA-365} - phpgroupware 0.9.14.007-1 CVE-2003-0656 (eroaster before 2.2.0 allows local users to overwrite arbitrary files ...) {DSA-366} - eroaster 2.2.0-0.5-1 CVE-2003-0655 (rscsi in cdrtools 2.01 and earlier allows local users to overwrite arb ...) - cdrtools 4:2.0+a18-1 CVE-2003-0654 (Buffer overflow in autorespond may allow remote attackers to execute a ...) {DSA-373} - autorespond 2.0.4-1 CVE-2003-0653 (The OSI networking kernel (sys/netiso) in NetBSD 1.6.1 and earlier doe ...) NOT-FOR-US: NetBSD CVE-2003-0652 (Buffer overflow in xtokkaetama allows local users to gain privileges v ...) {DSA-367} - xtokkaetama 1.0b-9 CVE-2003-0651 (Buffer overflow in the mylo_log logging function for mod_mylo 0.2.1 an ...) NOT-FOR-US: mod_mylo for apache CVE-2003-0650 (Directory traversal vulnerability in GSAPAK.EXE for GameSpy Arcade, po ...) NOT-FOR-US: gamespy CVE-2003-0649 (Buffer overflow in xpcd-svga for xpcd 2.08 and earlier allows local us ...) {DSA-368} - xpcd 2.08-9 CVE-2003-0648 (Multiple buffer overflows in vfte, based on FTE, before 0.50, allow lo ...) {DSA-472} - fte 0.50.0-1.1 (bug #203871) CVE-2003-0647 (Buffer overflow in the HTTP server for Cisco IOS 12.2 and earlier allo ...) NOT-FOR-US: Cisco CVE-2003-0646 (Multiple buffer overflows in ActiveX controls used by Trend Micro Hous ...) NOT-FOR-US: ActiveX CVE-2003-0645 (man-db 2.3.12 and 2.3.18 to 2.4.1 uses certain user-controlled DEFINE ...) {DSA-364} - man-db 2.4.1-13 CVE-2003-0644 (Kdbg 1.1.0 through 1.2.8 does not check permissions of the .kdbgrc fil ...) - kdbg 1.2.9-1 CVE-2003-0643 (Integer signedness error in the Linux Socket Filter implementation (fi ...) {DSA-358} - kernel-source-2.4.27 (Fixed before upload in archive; 2.4.22-pre10) CVE-2003-0642 (WatchGuard ServerLock for Windows 2000 before SL 2.0.4 allows local us ...) NOT-FOR-US: Watchguard / win CVE-2003-0641 (WatchGuard ServerLock for Windows 2000 before SL 2.0.3 allows local us ...) NOT-FOR-US: Watchguard / win CVE-2003-0640 (BEA WebLogic Server and Express, when using NodeManager to start serve ...) NOT-FOR-US: BEA WebLogic CVE-2003-0639 (Unknown vulnerability in Novell iChain 2.2 before Support Pack 1 allow ...) NOT-FOR-US: novell ichain CVE-2003-0638 (Multiple buffer overflows in Novell iChain 2.1 before Field Patch 3, a ...) NOT-FOR-US: novell ichain CVE-2003-0637 (Novell iChain 2.2 before Support Pack 1 uses a shorter timeout for a n ...) NOT-FOR-US: novell ichain CVE-2003-0636 (Novell iChain 2.2 before Support Pack 1 does not properly verify that ...) NOT-FOR-US: novell ichain CVE-2003-0635 (Unknown vulnerability or vulnerabilities in Novell iChain 2.2 before S ...) NOT-FOR-US: novell ichain CVE-2003-0634 (Stack-based buffer overflow in the PL/SQL EXTPROC functionality for Or ...) NOT-FOR-US: oracle CVE-2003-0633 (Multiple vulnerabilities in aoljtest.jsp of Oracle Applications AOL/J ...) NOT-FOR-US: oracle CVE-2003-0632 (Buffer overflow in the Oracle Applications Web Report Review (FNDWRR) ...) NOT-FOR-US: oracle CVE-2003-0631 (VMware GSX Server 2.5.1 build 4968 and earlier, and Workstation 4.0 an ...) NOT-FOR-US: VMware CVE-2003-0630 (Multiple buffer overflows in the atari800.svgalib setuid program of th ...) {DSA-359} - atari800 1.3.1-2 CVE-2003-0629 (Cross-site scripting (XSS) vulnerability in PeopleSoft IScript environ ...) NOT-FOR-US: peoplesoft CVE-2003-0628 (PeopleSoft Gateway Administration servlet (gateway.administration) in ...) NOT-FOR-US: peoplesoft CVE-2003-0627 (psdoccgi.exe in PeopleSoft PeopleTools 8.4 through 8.43 allows remote ...) NOT-FOR-US: peoplesoft CVE-2003-0626 (psdoccgi.exe in PeopleSoft PeopleTools 8.4 through 8.43 allows remote ...) NOT-FOR-US: peoplesoft CVE-2003-0625 (Off-by-one error in certain versions of xfstt allows remote attackers ...) {DSA-360} - xfstt 1.5.1-1 CVE-2003-0624 (Cross-site scripting (XSS) vulnerability in InteractiveQuery.jsp for B ...) NOT-FOR-US: BEA WebLogic CVE-2003-0623 (Cross-site scripting (XSS) vulnerability in the Administration Console ...) NOT-FOR-US: BEA Tuxedo CVE-2003-0622 (The Administration Console for BEA Tuxedo 8.1 and earlier allows remot ...) NOT-FOR-US: BEA Tuxedo CVE-2003-0621 (The Administration Console for BEA Tuxedo 8.1 and earlier allows remot ...) NOT-FOR-US: BEA Tuxedo CVE-2003-0620 (Multiple buffer overflows in man-db 2.4.1 and earlier, when installed ...) {DSA-364} - man-db 2.4.1-13 CVE-2003-0619 (Integer signedness error in the decode_fh function of nfs3xdr.c in Lin ...) {DSA-358} - kernel-source-2.4.27 (Fixed before upload in archive; 2.4.21-pre3) CVE-2003-0618 (Multiple vulnerabilities in suidperl 5.6.1 and earlier allow a local u ...) {DSA-431} - perl 5.8.3-3 CVE-2003-0617 (mindi 0.58 and earlier does not properly create temporary files, which ...) {DSA-362} - mindi 0.86-1 CVE-2003-0616 (Format string vulnerability in ePO service for McAfee ePolicy Orchestr ...) NOT-FOR-US: McAfee CVE-2003-0615 (Cross-site scripting (XSS) vulnerability in start_form() of CGI.pm all ...) {DSA-371} - perl 5.8.0-19 CVE-2003-0614 (Cross-site scripting (XSS) vulnerability in search.php of Gallery 1.1 ...) {DSA-355} - gallery 1.3.4-3 CVE-2003-0613 (Buffer overflow in zblast-svgalib of zblast 1.2.1 and earlier allows l ...) {DSA-369} - zblast 1.2.1-7 CVE-2003-0612 (Multiple buffer overflows in main.c for Crafty 19.3 allow local users ...) - crafty 19.3-1 CVE-2003-0611 (Multiple buffer overflows in xtokkaetama 1.0 allow local users to gain ...) {DSA-356} - xtokkaetama 1.0b-8 CVE-2003-0610 (Directory traversal vulnerability in ePO agent for McAfee ePolicy Orch ...) NOT-FOR-US: McAfee CVE-2003-0609 (Stack-based buffer overflow in the runtime linker, ld.so.1, on Solaris ...) NOT-FOR-US: Solaris CVE-2003-0608 RESERVED CVE-2003-0607 (Buffer overflow in xconq 7.4.1 allows local users to become part of th ...) {DSA-354} - xconq 7.4.1-2.1 (bug #202963) CVE-2003-0606 (sup 1.8 and earlier does not properly create temporary files, which al ...) {DSA-353} - sup 1.8-9 CVE-2003-0605 (The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attac ...) NOT-FOR-US: Microsoft CVE-2003-0604 (Windows Media Player (WMP) 7 and 8, as running on Internet Explorer an ...) NOT-FOR-US: Microsoft CVE-2003-0603 (Bugzilla 2.16.x before 2.16.3, 2.17.x before 2.17.4, and earlier versi ...) - bugzilla 2.16.3 CVE-2003-0602 (Multiple cross-site scripting vulnerabilities (XSS) in Bugzilla 2.16.x ...) - bugzilla 2.16.3 CVE-2003-0601 (Workgroup Manager in Apple Mac OS X Server 10.2 through 10.2.6 does no ...) NOT-FOR-US: Apple CVE-2003-0600 RESERVED CVE-2003-0599 (Unknown vulnerability in the Virtual File System (VFS) capability for ...) {DSA-365} - phpgroupware 0.9.14.007-1 CVE-2003-0598 REJECTED CVE-2003-0597 (Unknown vulnerability in display of Merge before 5.3.23a in UnixWare 7 ...) NOT-FOR-US: Unixware CVE-2003-0596 (FDclone 2.00a, and other versions before 2.02a, creates temporary dire ...) {DSA-352} - fdclone 2.04-1 CVE-2003-0595 (Buffer overflow in WiTango Application Server and Tango 2000 allows re ...) NOT-FOR-US: WiTango Application Server and Tango 2000 CVE-2003-0594 (Mozilla allows remote attackers to bypass intended cookie access restr ...) NOTE: cannot find reference to it being fixed. CVE-2003-0593 (Opera allows remote attackers to bypass intended cookie access restric ...) NOT-FOR-US: opera CVE-2003-0592 (Konqueror in KDE 3.1.3 and earlier (kdelibs) allows remote attackers t ...) {DSA-459} - kdelibs 4:3.1.3-1 CVE-2003-0591 REJECTED CVE-2003-0590 (Cross-site scripting (XSS) vulnerability in Splatt Forum allows remote ...) NOT-FOR-US: Splatt Forum CVE-2003-0589 (admin.php in Digi-ads 1.1 allows remote attackers to bypass authentica ...) NOT-FOR-US: Digi-ads CVE-2003-0588 (admin.php in Digi-news 1.1 allows remote attackers to bypass authentic ...) NOT-FOR-US: Digi-news CVE-2003-0587 (Cross-site scripting (XSS) vulnerability in Infopop Ultimate Bulletin ...) NOT-FOR-US: Infopop Ultimate Bulletin Board (UBB) CVE-2003-0586 (Brooky eStore 1.0.1 through 1.0.2b allows remote attackers to obtain s ...) NOT-FOR-US: Brooky eStore CVE-2003-0585 (SQL injection vulnerability in login.asp of Brooky eStore 1.0.1 throug ...) NOT-FOR-US: Brooky eStore CVE-2003-0584 (Format string vulnerability in Backup and Restore Utility for Unix (BR ...) NOT-FOR-US: BRU CVE-2003-0583 (Buffer overflow in Backup and Restore Utility for Unix (BRU) 17.0 and ...) NOT-FOR-US: BRU CVE-2003-0582 REJECTED CVE-2003-0581 (X Fontserver for Truetype fonts (xfstt) 1.4 allows remote attackers to ...) {DSA-360} - xfstt 1.5-1 CVE-2003-0580 (Buffer overflow in uvadmsh in IBM U2 UniVerse 10.0.0.9 and earlier all ...) NOT-FOR-US: IBM U2 UniVerse CVE-2003-0579 (uvadmsh in IBM U2 UniVerse 10.0.0.9 and earlier trusts the user-suppli ...) NOT-FOR-US: IBM U2 UniVerse CVE-2003-0578 (cci_dir in IBM U2 UniVerse 10.0.0.9 and earlier creates hard links and ...) NOT-FOR-US: IBM U2 UniVerse CVE-2003-0577 (mpg123 0.59r allows remote attackers to cause a denial of service and ...) - mpg123 0.59r-1 - mp3gain 1.5.2-r2-6 (low) [wheezy] - mp3gain 1.5.2-r2-2+deb7u1 [squeeze] - mp3gain (Minor issue) CVE-2003-0576 (Unknown vulnerability in the NFS daemon (nfsd) in SGI IRIX 6.5.19f and ...) NOT-FOR-US: IRIX CVE-2003-0575 (Heap-based buffer overflow in the name services daemon (nsd) in SGI IR ...) NOT-FOR-US: IRIX CVE-2003-0574 (Unknown vulnerability in SGI IRIX 6.5.x through 6.5.20, and possibly e ...) NOT-FOR-US: IRIX CVE-2003-0573 (The DNS callbacks in nsd in SGI IRIX 6.5.x through 6.5.20f, and possib ...) NOT-FOR-US: IRIX CVE-2003-0572 (Unknown vulnerability in nsd in SGI IRIX 6.5.x through 6.5.20f, and po ...) NOT-FOR-US: IRIX CVE-2003-0571 REJECTED CVE-2003-0570 REJECTED CVE-2003-0569 REJECTED CVE-2003-0568 REJECTED CVE-2003-0567 (Cisco IOS 11.x and 12.0 through 12.2 allows remote attackers to cause ...) NOT-FOR-US: Cisco CVE-2003-0566 RESERVED CVE-2003-0565 (Multiple vulnerabilities in multiple vendor implementations of the X.4 ...) NOTE: affects many implementations of the X.400 protocol CVE-2003-0564 (Multiple vulnerabilities in multiple vendor implementations of the Sec ...) NOTE: affects multiple S/MIME implementations NOTE: checked current mozilla, which contains safe NSS 3.9.1 - mozilla 2:1.7.3 CVE-2003-0563 RESERVED CVE-2003-0562 (Buffer overflow in the CGI2PERL.NLM PERL handler in Novell Netware 5.1 ...) NOT-FOR-US: Novell Netware CVE-2003-0561 (Multiple buffer overflows in IglooFTP PRO 3.8 allow remote FTP servers ...) NOT-FOR-US: IglooFTP CVE-2003-0560 (SQL injection vulnerability in shopexd.asp for VP-ASP allows remote at ...) NOT-FOR-US: VP-ASP CVE-2003-0559 (mainfile.php in phpforum 2 RC-1, and possibly earlier versions, allows ...) NOT-FOR-US: phpforum CVE-2003-0558 (Buffer overflow in LeapFTP 2.7.3.600 allows remote FTP servers to exec ...) NOT-FOR-US: LeapFTP CVE-2003-0557 (SQL injection vulnerability in login.asp for StoreFront 6.0, and possi ...) NOT-FOR-US: StoreFront CVE-2003-0556 (Polycom MGC 25 allows remote attackers to cause a denial of service (c ...) NOT-FOR-US: Polycom MGC CVE-2003-0555 (ImageMagick 5.4.3.x and earlier allows attackers to cause a denial of ...) NOTE: imagemagick %x exploit failed with 6.0.6.2-1.5 CVE-2003-0554 (NeoModus Direct Connect 1.0 build 9, and possibly other versions, allo ...) NOT-FOR-US: NeoModus Direct Connect CVE-2003-0553 (Buffer overflow in the Client Detection Tool (CDT) plugin (npcdt.dll) ...) NOT-FOR-US: Netscape CVE-2003-0552 (Linux 2.4.x allows remote attackers to spoof the bridge Forwarding tab ...) {DSA-423 DSA-358} - kernel-source-2.4.27 (Fixed before upload in the archive; 2.4.22-pre3) CVE-2003-0551 (The STP protocol implementation in Linux 2.4.x does not properly verif ...) {DSA-423 DSA-358} - kernel-source-2.4.27 (Fixed before upload in the archive; 2.4.22-pre3) CVE-2003-0550 (The STP protocol, as enabled in Linux 2.4.x, does not provide sufficie ...) {DSA-423 DSA-358} - kernel-source-2.4.27 (Fixed before upload in the archive; 2.4.22-pre3) CVE-2003-0549 (The X Display Manager Control Protocol (XDMCP) support for GDM before ...) - gdm 2.4.1.5 CVE-2003-0548 (The X Display Manager Control Protocol (XDMCP) support for GDM before ...) - gdm 2.4.1.5 CVE-2003-0547 (GDM before 2.4.1.6, when using the "examine session errors" feature, a ...) - gdm 2.4.1.5 CVE-2003-0546 (up2date 3.0.7 and 3.1.23 does not properly verify RPM GPG signatures, ...) NOT-FOR-US: up2date CVE-2003-0545 (Double free vulnerability in OpenSSL 0.9.7 allows remote attackers to ...) {DSA-394 DSA-393} - openssl 0.9.7c - openssl096 0.9.6k CVE-2003-0544 (OpenSSL 0.9.6 and 0.9.7 does not properly track the number of characte ...) {DSA-394 DSA-393} - openssl 0.9.7c - openssl096 0.9.6k CVE-2003-0543 (Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to ...) {DSA-394 DSA-393} - openssl 0.9.7c - openssl096 0.9.6k CVE-2003-0542 (Multiple stack-based buffer overflows in (1) mod_alias and (2) mod_rew ...) - apache2 2.0.48 - apache 1.3.29 CVE-2003-0541 (gtkhtml before 1.1.10, as used in Evolution, allows remote attackers t ...) {DSA-710-1} - evolution (Does not affect evolution on debian) - gtkhtml 1.0.4-6.2 CVE-2003-0540 (The address parser code in Postfix 1.1.12 and earlier allows remote at ...) {DSA-363} - postfix 1.1.12 CVE-2003-0539 (skk (Simple Kana to Kanji conversion program) 12.1 and earlier, and th ...) {DSA-343} - skk 10.62a-6 - ddskk 12.1.cvs.20030622-1 CVE-2003-0538 (The mailcap file for mozart 1.2.5 and earlier causes Oz applications t ...) {DSA-342} - mozart 1.2.5.20030212-2 CVE-2003-0537 (The liece Emacs IRC client 2.0+0.20030527 and earlier creates temporar ...) {DSA-341} - liece 2.0+0.20030527cvs-1 CVE-2003-0536 (Directory traversal vulnerability in phpSysInfo 2.1 and earlier allows ...) {DSA-346} - phpsysinfo 2.1-1 CVE-2003-0535 (Buffer overflow in xbl 1.0k and earlier allows local users to gain pri ...) {DSA-345} - xbl 1.0k-6 CVE-2003-0534 RESERVED CVE-2003-0533 (Stack-based buffer overflow in certain Active Directory service functi ...) NOT-FOR-US: Microsoft CVE-2003-0532 (Internet Explorer 5.01 SP3 through 6.0 SP1 does not properly determine ...) NOT-FOR-US: Microsoft CVE-2003-0531 (Internet Explorer 5.01 SP3 through 6.0 SP1 allows remote attackers to ...) NOT-FOR-US: Microsoft CVE-2003-0530 (Buffer overflow in the BR549.DLL ActiveX control for Internet Explorer ...) NOT-FOR-US: Microsoft CVE-2003-0529 RESERVED CVE-2003-0528 (Heap-based buffer overflow in the Distributed Component Object Model ( ...) NOT-FOR-US: Microsoft CVE-2003-0527 RESERVED CVE-2003-0526 (Cross-site scripting (XSS) vulnerability in Microsoft Internet Securit ...) NOT-FOR-US: Microsoft CVE-2003-0525 (The getCanonicalPath function in Windows NT 4.0 may free memory that i ...) NOT-FOR-US: Microsoft CVE-2003-0524 (Qt in Knoppix 3.1 Live CD allows local users to overwrite arbitrary fi ...) - qt-x11-free (appears specific to the knoppix CD) CVE-2003-0523 (Cross-site scripting (XSS) vulnerability in msg.asp for certain versio ...) NOT-FOR-US: ProductCart CVE-2003-0522 (Multiple SQL injection vulnerabilities in ProductCart 1.5 through 2 al ...) NOT-FOR-US: ProductCart CVE-2003-0521 (Cross-site scripting (XSS) vulnerability in cPanel 6.4.2 allows remote ...) NOT-FOR-US: cPanel is not our cpanel CVE-2003-0520 (Trillian 1.0 Pro and 0.74 Freeware allows remote attackers to cause a ...) NOT-FOR-US: Cerulean Trillian CVE-2003-0519 (Certain versions of Internet Explorer 5 and 6, in certain Windows envi ...) NOT-FOR-US: Microsoft CVE-2003-0518 (The screen saver in MacOS X allows users with physical access to cause ...) NOT-FOR-US: MacOS CVE-2003-0517 (faxrunqd.in in mgetty 1.1.28 and earlier allows local users to overwri ...) - mgetty 1.1.29 (bug #199351) CVE-2003-0516 (cnd.c in mgetty 1.1.28 and earlier does not properly filter non-printa ...) - mgetty 1.1.29 (bug #199351) CVE-2003-0515 (SQL injection vulnerabilities in the (1) PostgreSQL or (2) MySQL authe ...) {DSA-347} - teapop 0.3.5-2 CVE-2003-0514 (Apple Safari allows remote attackers to bypass intended cookie access ...) NOT-FOR-US: Safari CVE-2003-0513 (Microsoft Internet Explorer allows remote attackers to bypass intended ...) NOT-FOR-US: MSIE CVE-2003-0512 (Cisco IOS 12.2 and earlier generates a "% Login invalid" message inste ...) NOT-FOR-US: Cisco CVE-2003-0511 (The web server for Cisco Aironet AP1x00 Series Wireless devices runnin ...) NOT-FOR-US: Cisco CVE-2003-0510 (Format string vulnerability in ezbounce 1.0 through 1.50 allows remote ...) NOT-FOR-US: ezbounce CVE-2003-0509 (SQL injection vulnerability in Cyberstrong eShop 4.2 and earlier allow ...) NOT-FOR-US: Cyberstrong eShop CVE-2003-0508 (Buffer overflow in the WWWLaunchNetscape function of Adobe Acrobat Rea ...) NOT-FOR-US: acroread CVE-2003-0507 (Stack-based buffer overflow in Active Directory in Windows 2000 before ...) NOT-FOR-US: Microsoft CVE-2003-0506 (Microsoft NetMeeting 3.01 2000 before SP4 allows remote attackers to c ...) NOT-FOR-US: Microsoft CVE-2003-0505 (Directory traversal vulnerability in Microsoft NetMeeting 3.01 2000 be ...) NOT-FOR-US: Microsoft CVE-2003-0504 (Multiple cross-site scripting (XSS) vulnerabilities in Phpgroupware 0. ...) {DSA-365} - phpgroupware 0.9.14.007-1 CVE-2003-0503 (Buffer overflow in the ShellExecute API function of SHELL32.DLL in Win ...) NOT-FOR-US: Microsoft CVE-2003-0502 (Apple QuickTime / Darwin Streaming Server before 4.1.3g allows remote ...) NOT-FOR-US: Apple Quicktime CVE-2003-0501 (The /proc filesystem in Linux allows local users to obtain sensitive i ...) {DSA-423 DSA-358} - kernel-source-2.4.27 (Fixed before upload in the archive; 2.4.22-pre10) CVE-2003-0500 (SQL injection vulnerability in the PostgreSQL authentication module (m ...) {DSA-338} - proftpd 1.2.8-8 CVE-2003-0499 (Mantis 0.17.5 and earlier stores its database password in cleartext in ...) {DSA-335} - mantis 0.17.5-6 CVE-2003-0498 (Caché Database 5.x installs the /cachesys/csp directory with inse ...) NOT-FOR-US: Intersystems Cache database CVE-2003-0497 (Caché Database 5.x installs /cachesys/bin/cache with world-writab ...) NOT-FOR-US: Intersystems Cache database CVE-2003-0496 (Microsoft SQL Server before Windows 2000 SP4 allows local users to gai ...) NOT-FOR-US: Microsoft CVE-2003-0495 (Cross-site scripting (XSS) vulnerability in LedNews 0.7 allows remote ...) NOT-FOR-US: lednews; not in debian CVE-2003-0494 (password.asp in Snitz Forums 3.4.03 and earlier allows remote attacker ...) NOT-FOR-US: snitz forums; not in debian CVE-2003-0493 (Snitz Forums 3.4.03 and earlier allows attackers to gain privileges as ...) NOT-FOR-US: snitz forums; not in debian CVE-2003-0492 (Cross-site scripting (XSS) vulnerability in search.asp for Snitz Forum ...) NOT-FOR-US: snitz forums; not in debian CVE-2003-0491 (The Tutorials 2.0 module in XOOPS and E-XOOPS allows remote attackers ...) NOT-FOR-US: Xoops CVE-2003-0490 (The installation of Dantz Retrospect Client 5.0.540 on MacOS X 10.2.6, ...) NOT-FOR-US: Dantz Retrospect CVE-2003-0489 (tcptraceroute 1.4 and earlier does not fully drop privileges after obt ...) {DSA-330} - tcptraceroute 1.4-4 CVE-2003-0488 (Multiple cross-site scripting (XSS) vulnerabilities in Kerio MailServe ...) NOT-FOR-US: Kerio Mail server CVE-2003-0487 (Multiple buffer overflows in Kerio MailServer 5.6.3 allow remote authe ...) NOT-FOR-US: Kerio Mail server CVE-2003-0486 (SQL injection vulnerability in viewtopic.php for phpBB 2.0.5 and earli ...) - phpbb2 2.0.6 CVE-2003-0485 (Buffer overflow in Progress 4GL Compiler 9.1D06 and earlier allows att ...) NOT-FOR-US: Progress 4GL Compiler CVE-2003-0484 (Cross-site scripting (XSS) vulnerability in viewtopic.php for phpBB al ...) - phpbb2 2.0.6d-3 CVE-2003-0483 (Cross-site scripting (XSS) vulnerabilities in XMB Forum 1.8 Partagium ...) NOT-FOR-US: XMB Forum CVE-2003-0482 (TUTOS 1.1 allows remote attackers to execute arbitrary code by uploadi ...) - tutos 1.1.20030715-1 CVE-2003-0481 (Multiple cross-site scripting (XSS) vulnerabilities in TUTOS 1.1 allow ...) - tutos 1.1.20030715-1 CVE-2003-0480 (VMware Workstation 4.0 for Linux allows local users to overwrite arbit ...) NOT-FOR-US: VMware CVE-2003-0479 (Cross-site scripting (XSS) vulnerability in the guestbook for WebBBS a ...) NOT-FOR-US: WebBBS; not in debian CVE-2003-0478 (Format string vulnerability in (1) Bahamut IRCd 1.4.35 and earlier, an ...) NOT-FOR-US: bahamut and other irc daemons; not in debian CVE-2003-0477 (wzdftpd 0.1rc4 and earlier allows remote attackers to cause a denial o ...) - wzdftpd 0.2 CVE-2003-0476 (The execve system call in Linux 2.4.x records the file descriptor of t ...) {DSA-423 DSA-358} - kernel-source-2.4.27 (Fixed before upload in the archive; 2.4.22-pre4) CVE-2003-0475 (Directory traversal vulnerability in iWeb Server 2 allows remote attac ...) NOT-FOR-US: iWeb server CVE-2003-0474 (Directory traversal vulnerability in iWeb Server allows remote attacke ...) NOT-FOR-US: iWeb server CVE-2003-0473 (Unknown vulnerability in the IPv6 capability in IRIX 6.5.19 causes sno ...) NOT-FOR-US: SGI IRIX CVE-2003-0472 (The IPv6 capability in IRIX 6.5.19 allows remote attackers to cause a ...) NOT-FOR-US: SGI IRIX CVE-2003-0471 (Buffer overflow in WebAdmin.exe for WebAdmin allows remote attackers t ...) NOT-FOR-US: webadmin / win CVE-2003-0470 (Buffer overflow in the "RuFSI Utility Class" ActiveX control (aka "RuF ...) NOT-FOR-US: symantec activex CVE-2003-0469 (Buffer overflow in the HTML Converter (HTML32.cnv) on various Windows ...) NOT-FOR-US: microsoft CVE-2003-0468 (Postfix 1.1.11 and earlier allows remote attackers to use Postfix to c ...) {DSA-363} - postfix 1.1.12 CVE-2003-0467 (Unknown vulnerability in ip_nat_sack_adjust of Netfilter in Linux kern ...) NOTE: fixed in linux 2.4.21 CVE-2003-0466 (Off-by-one error in the fb_realpath() function, as derived from the re ...) {DSA-357} - wu-ftpd 2.6.2-12 CVE-2003-0465 (The kernel strncpy function in Linux 2.4 and 2.5 does not %NUL pad the ...) - linux-2.6 (Generic C version fixed in 2.6.x) NOTE: generic .c version fixed in 2.6.x but not in 2.4.x NOTE: arch specific asm versions: NOTE: x86 is not affected NOTE: ppc32 fixed in 2.4.22-rc4 NOTE: not an issue on alpha, see bug #280492 - kernel-source-2.4.27 2.4.27-8 NOTE: above fixes s390x, ppc64 and s390 and generic C version CVE-2003-0464 (The RPC code in Linux kernel 2.4 sets the reuse flag when sockets are ...) NOTE: fixed in linux 2.4.22-pre8 CVE-2003-0463 REJECTED CVE-2003-0462 (A race condition in the way env_start and env_end pointers are initial ...) {DSA-423 DSA-358} - linux-2.6 (Fixed before upload into archive; 2.6.1) - kernel-source-2.4.27 (Fixed before upload in the archive; 2.4.22-pre10) CVE-2003-0461 (/proc/tty/driver/serial in Linux 2.4.x reveals the exact number of cha ...) {DSA-423 DSA-358} [sarge] - kernel-source-2.6.8 (Fixed before upload into archive; 2.6.1) - linux-2.6 (Fixed before upload into archive; 2.6.1) - kernel-source-2.4.27 2.4.27-1 CVE-2003-0460 (The rotatelogs program on Apache before 1.3.28, for Windows and OS/2 s ...) - apache (Affects only Apache for Windows and OS/2) CVE-2003-0459 (KDE Konqueror for KDE 3.1.2 and earlier does not remove authentication ...) {DSA-361} - kdelibs 4:3.1.3-1 CVE-2003-0458 (Unknown vulnerability in HP NonStop Server D40.00 through D48.03, and ...) NOT-FOR-US: HP CVE-2003-0457 RESERVED CVE-2003-0456 (VisNetic WebSite 3.5 allows remote attackers to obtain the full pathna ...) NOT-FOR-US: visnetic website CVE-2003-0455 (The imagemagick libmagick library 5.5 and earlier creates temporary fi ...) {DSA-331} - imagemagick 4:5.5.7-1 CVE-2003-0454 (Multiple buffer overflows in xgalaga 2.0.34 and earlier allow local us ...) {DSA-334} - xgalaga 2.0.34-22 CVE-2003-0453 (traceroute-nanog 6.1.1 allows local users to overwrite unauthorized me ...) {DSA-348} - traceroute-nanog 6.3.6-3 CVE-2003-0452 (Buffer overflows in osh before 1.7-11 allow local users to execute arb ...) {DSA-329} - osh 1.7-12 CVE-2003-0451 (Multiple buffer overflows in xbl before 1.0k allow local users to gain ...) {DSA-327} - xbl 1.0k-5 CVE-2003-0450 (Cistron RADIUS daemon (radiusd-cistron) 1.6.6 and earlier allows remot ...) {DSA-321} - radiusd-cistron 1.6.6-2 CVE-2003-0449 (Progress Database 9.1 to 9.1D06 trusts user input to find and load lib ...) NOT-FOR-US: progress database CVE-2003-0448 (Portmon 1.7 and possibly earlier versions allows local users to read a ...) NOT-FOR-US: portmon; not in debian CVE-2003-0447 (The Custom HTTP Errors capability in Internet Explorer 5.01, 5.5 and 6 ...) NOT-FOR-US: microsoft CVE-2003-0446 (Cross-site scripting (XSS) in Internet Explorer 5.5 and 6.0, possibly ...) NOT-FOR-US: microsoft CVE-2003-0445 (Buffer overflow in webfs before 1.17.1 allows remote attackers to exec ...) {DSA-328} - webfs 1.20 CVE-2003-0444 (Heap-based buffer overflow in GTKSee 0.5 and 0.5.1 allows remote attac ...) {DSA-337} - gtksee 0.5.6-1 CVE-2003-0443 RESERVED CVE-2003-0442 (Cross-site scripting (XSS) vulnerability in the transparent SID suppor ...) {DSA-351} - php4 4:4.3.2+rc3-1 CVE-2003-0441 (Multiple buffer overflows in Orville Write (orville-write) 2.53 and ea ...) {DSA-326} - orville-write 2.54-1 CVE-2003-0440 (The (1) semi MIME library 1.14.5 and earlier, and (2) wemi 1.14.0 and ...) {DSA-339} - semi 1.14.5+20030609-1 (bug #223456) - wemi CVE-2003-0439 REJECTED CVE-2003-0438 (eldav WebDAV client for Emacs, version 0.7.2 and earlier, allows local ...) {DSA-325} - eldav 0.7.2-1 CVE-2003-0437 (Buffer overflow in search.cgi for mnoGoSearch 3.2.10 allows remote att ...) - mnogosearch 3.2.11 CVE-2003-0436 (Buffer overflow in search.cgi for mnoGoSearch 3.1.20 allows remote att ...) - mnogosearch 3.2.11 CVE-2003-0435 (Buffer overflow in net_swapscore for typespeed 0.4.1 and earlier allow ...) {DSA-322} - typespeed 0.4.4 CVE-2003-0434 (Various PDF viewers including (1) Adobe Acrobat 5.06 and (2) Xpdf 1.01 ...) - kdegraphics (kdf does not seem to support hyperlinks; so not vulnerable) - gpdf (gpdf 2.8.0 does not seem to be vulnerable) - xpdf 2.02pl1-1 CVE-2003-0433 (Multiple buffer overflows in gnocatan 0.6.1 and earlier allow attacker ...) {DSA-315} - gnocatan 0.8.0-1 (bug #328136) - pioneers (bug #328136) CVE-2003-0432 (Ethereal 0.9.12 and earlier does not handle certain strings properly, ...) {DSA-324} - ethereal 0.9.13-1 CVE-2003-0431 (The tvb_get_nstringz0 function in Ethereal 0.9.12 and earlier does not ...) {DSA-324} - ethereal 0.9.13-1 CVE-2003-0430 (The SPNEGO dissector in Ethereal 0.9.12 and earlier allows remote atta ...) - ethereal 0.9.13-1 CVE-2003-0429 (The OSI dissector in Ethereal 0.9.12 and earlier allows remote attacke ...) {DSA-324} - ethereal 0.9.13-1 CVE-2003-0428 (Unknown vulnerability in the DCERPC (DCE/RPC) dissector in Ethereal 0. ...) {DSA-324} - ethereal 0.9.13-1 CVE-2003-0427 (Buffer overflow in mikmod 3.1.6 and earlier allows remote attackers to ...) {DSA-320} - mikmod 3.1.6-6 CVE-2003-0426 (The installation of Apple QuickTime / Darwin Streaming Server before 4 ...) NOT-FOR-US: Apple CVE-2003-0425 (Directory traversal vulnerability in Apple QuickTime / Darwin Streamin ...) NOT-FOR-US: Apple CVE-2003-0424 (Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote ...) NOT-FOR-US: Apple CVE-2003-0423 (parse_xml.cgi in Apple QuickTime / Darwin Streaming Server before 4.1. ...) NOT-FOR-US: Apple CVE-2003-0422 (Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote ...) NOT-FOR-US: Apple CVE-2003-0421 (Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote ...) NOT-FOR-US: Apple CVE-2003-0420 (Information leak in dsimportexport for Apple Macintosh OS X Server 10. ...) NOT-FOR-US: Apple CVE-2003-0419 (SMC Networks Barricade Wireless Cable/DSL Broadband Router SMC7004VWBR ...) NOT-FOR-US: SMC CVE-2003-0418 (The Linux 2.0 kernel IP stack does not properly calculate the size of ...) - kernel-source-2.4.27 (Affects only Linux 2.0.x) - linux-2.6 (Affects only Linux 2.0.x) CVE-2003-0417 (Directory traversal vulnerability in Son hServer 0.2 allows remote att ...) NOT-FOR-US: Son hServer CVE-2003-0416 (Cross-site scripting (XSS) vulnerability in index.cgi for Bandmin 1.4 ...) NOT-FOR-US: bandmin; CVE-2003-0415 (Remote PC Access Server 2.2 allows remote attackers to cause a denial ...) NOT-FOR-US: Remote PC Access CVE-2003-0414 (The installation of Sun ONE Application Server 7.0 for Windows 2000/XP ...) NOT-FOR-US: Sun ONE CVE-2003-0413 (Cross-site scripting (XSS) vulnerability in the webapps-simple sample ...) NOT-FOR-US: Sun ONE CVE-2003-0412 (Sun ONE Application Server 7.0 for Windows 2000/XP does not log the co ...) NOT-FOR-US: Sun ONE CVE-2003-0411 (Sun ONE Application Server 7.0 for Windows 2000/XP allows remote attac ...) NOT-FOR-US: Sun ONE CVE-2003-0410 (Buffer overflow in AnalogX Proxy 4.13 allows remote attackers to execu ...) NOT-FOR-US: AnalogX proxy CVE-2003-0409 (Buffer overflow in BRS WebWeaver 1.04 and earlier allows remote attack ...) NOT-FOR-US: BRS WebWeaver CVE-2003-0408 (Buffer overflow in Uptime Client (UpClient) 5.0b7, and possibly other ...) NOT-FOR-US: Uptimes Project upclient; CVE-2003-0407 (Buffer overflow in gbnserver for Gnome Batalla Naval 1.0.4 allows remo ...) - gbatnav 1.0.4-4 CVE-2003-0406 (PalmVNC 1.40 and earlier stores passwords in plaintext in the PalmVNCD ...) NOT-FOR-US: PalmVNC CVE-2003-0405 (Vignette StoryServer 5 and Vignette V/6 allows remote attackers to exe ...) NOT-FOR-US: Vignette CVE-2003-0404 (Multiple Cross Site Scripting (XSS) vulnerabilities in Vignette StoryS ...) NOT-FOR-US: Vignette CVE-2003-0403 (Vignette StoryServer 5 and Vignette V/5 allows remote attackers to rea ...) NOT-FOR-US: Vignette CVE-2003-0402 (The default login template (/vgn/login) in Vignette StoryServer 5 and ...) NOT-FOR-US: Vignette CVE-2003-0401 (Vignette StoryServer and Vignette V/5 allows remote attackers to obtai ...) NOT-FOR-US: Vignette CVE-2003-0400 (Vignette StoryServer and Vignette V/5 does not properly calculate the ...) NOT-FOR-US: Vignette / AIX CVE-2003-0399 (Vignette StoryServer 4 and 5, Vignette V/5, and possibly other version ...) NOT-FOR-US: Vignette StoryServer CVE-2003-0398 (Vignette StoryServer 4 and 5, and Vignette V/5 and V/6, with the SSI E ...) NOT-FOR-US: Vignette StoryServer CVE-2003-0397 (Buffer overflow in FastTrack (FT) network code, as used in Kazaa 2.0.2 ...) NOT-FOR-US: FastTrack network code (Kazaa) CVE-2003-0396 (Buffer overflow in les for ATM on Linux (linux-atm) before 2.4.1, if u ...) - linux-atm 2.4.1 CVE-2003-0395 (Ultimate PHP Board (UPB) 1.9 allows remote attackers to execute arbitr ...) NOT-FOR-US: Ultimate PHP Board CVE-2003-0394 (objects.inc.php4 in BLNews 2.1.3 allows remote attackers to execute ar ...) NOT-FOR-US: BLNews CVE-2003-0393 (Privacyware Privatefirewall 3.0 does not block certain incoming packet ...) NOT-FOR-US: Privacyware Privatefirewall CVE-2003-0392 (Directory traversal vulnerability in ST FTP Service 3.0 allows remote ...) NOT-FOR-US: ST FTP Service (DOS) CVE-2003-0391 (Format string vulnerability in Magic WinMail Server 2.3, and possibly ...) NOT-FOR-US: Magic WinMail Server CVE-2003-0390 (Multiple buffer overflows in Options Parsing Tool (OPT) shared library ...) - opt 3.19 CVE-2003-0389 (Cross-site scripting (XSS) vulnerability in the secure redirect functi ...) NOT-FOR-US: RSA ACE/Agent CVE-2003-0388 (pam_wheel in Linux-PAM 0.78, with the trust option enabled and the use ...) - pam (pam is not vulnerable at all in sarge, according to maintainer) NOTE: From the libc documentation: NOTE: "The user cannot do anything to fool these functions." NOTE: This means that this is not a bug in getlogin. CVE-2003-0387 RESERVED CVE-2003-0386 (OpenSSH 3.6.1 and earlier, when restricting host access by numeric IP ...) - openssh 1:3.8p1-1 CVE-2003-0385 (Buffer overflow in xaos 3.0-23 and earlier, when running setuid, allow ...) {DSA-310} - xaos 3.1r-4 CVE-2003-0384 RESERVED CVE-2003-0382 (Buffer overflow in Eterm 0.9.2 allows local users to gain privileges v ...) {DSA-309} - eterm 0.9.2-1 CVE-2003-0381 (Multiple vulnerabilities in noweb 2.9 and earlier creates temporary fi ...) {DSA-323} - noweb 2.10c-3.1 (bug #271146) CVE-2003-0380 (Buffer overflow in atftp daemon (atftpd) 0.6.1 and earlier, and possib ...) {DSA-314} - atftp 0.6.2 CVE-2003-0379 (Unknown vulnerability in Apple File Service (AFP Server) for Mac OS X ...) NOT-FOR-US: MaxOS CVE-2003-0378 (The Kerberos login authentication feature in Mac OS X, when used with ...) NOT-FOR-US: MaxOS CVE-2003-0377 (SQL injection vulnerability in the web-based administration interface ...) NOT-FOR-US: iisPROTECT CVE-2003-0376 (Buffer overflow in Eudora 5.2.1 allows remote attackers to cause a den ...) NOT-FOR-US: Eudora CVE-2003-0375 (Cross-site scripting (XSS) vulnerability in member.php of XMBforum XMB ...) NOT-FOR-US: XMBforum aka Partagium) CVE-2003-0374 (Multiple unknown vulnerabilities in Nessus before 2.0.6, in libnessus ...) - nessus-core 2.0.6 CVE-2003-0373 (Multiple buffer overflows in libnasl in Nessus before 2.0.6 allow loca ...) - nessus-core 2.0.6 CVE-2003-0372 (Signed integer vulnerability in libnasl in Nessus before 2.0.6 allows ...) - nessus-core 2.0.6 CVE-2003-0371 (Buffer overflow in Prishtina FTP client 1.x allows remote FTP servers ...) NOT-FOR-US: Prishtina FTP client CVE-2003-0370 (Konqueror Embedded and KDE 2.2.2 and earlier does not validate the Com ...) {DSA-361} - kdelibs 4:3.1.3-1 CVE-2003-0369 RESERVED CVE-2003-0368 (Nokia Gateway GPRS support node (GGSN) allows remote attackers to caus ...) NOT-FOR-US: Nokia Gateway GPRS CVE-2003-0367 (znew in the gzip package allows local users to overwrite arbitrary fil ...) {DSA-308} - gzip 1.3.5-6 CVE-2003-0366 (lyskom-server 2.0.7 and earlier allows unauthenticated users to cause ...) {DSA-318} - lyskom-server 2.0.7-2 CVE-2003-0365 (ICQLite 2003a creates the ICQ Lite directory with an ACE for "Full Con ...) NOT-FOR-US: ICQLite CVE-2003-0364 (The TCP/IP fragment reassembly handling in the Linux kernel 2.4 allows ...) {DSA-442 DSA-336 DSA-332 DSA-311} - kernel-source-2.4.27 (Fixed before initial upload; 2.4.21-rc6) CVE-2003-0363 (Format string vulnerability in LICQ 1.2.6, 1.0.3 and possibly other ve ...) - licq 1.2-7-1 CVE-2003-0362 (Buffer overflow in gPS before 0.10.2 may allow local users to cause a ...) {DSA-307} - gps 1.1.0-1 CVE-2003-0361 (gPS before 1.1.0 does not properly follow the rgpsp connection source ...) {DSA-307} - gps 1.1.0-1 CVE-2003-0360 (Multiple buffer overflows in gPS before 1.0.0 allow attackers to cause ...) {DSA-307} - gps 1.1.0-1 CVE-2003-0359 (nethack 3.4.0 and earlier installs certain setgid binaries with insecu ...) {DSA-316} - nethack 3.4.1-1 - jnethack 1.1.5-15 - slashem 0.0.6E4F8-6 CVE-2003-0358 (Buffer overflow in (1) nethack 3.4.0 and earlier, and (2) falconseye 1 ...) {DSA-350 DSA-316} - falconseye 1.9.3-9 - nethack 3.4.1-1 - slashem 0.0.6E4F8-6 - jnethack 1.1.5-15 CVE-2003-0357 (Multiple integer overflow vulnerabilities in Ethereal 0.9.11 and earli ...) {DSA-313} - ethereal 0.9.12-1 CVE-2003-0356 (Multiple off-by-one vulnerabilities in Ethereal 0.9.11 and earlier all ...) {DSA-313} - ethereal 0.9.12-1 CVE-2003-0355 (Safari 1.0 Beta 2 (v73) and earlier does not validate the Common Name ...) NOT-FOR-US: Safari CVE-2003-0354 (Unknown vulnerability in GNU Ghostscript before 7.07 allows attackers ...) - gs-gpl 7.07 CVE-2003-0353 (Buffer overflow in a component of SQL-DMO for Microsoft Data Access Co ...) NOT-FOR-US: Microsoft CVE-2003-0352 (Buffer overflow in a certain DCOM interface for RPC in Microsoft Windo ...) NOT-FOR-US: Microsoft CVE-2003-0351 REJECTED CVE-2003-0350 (The control for listing accessibility options in the Accessibility Uti ...) NOT-FOR-US: Microsoft CVE-2003-0349 (Buffer overflow in the streaming media component for logging multicast ...) NOT-FOR-US: Microsoft CVE-2003-0348 (A certain Microsoft Windows Media Player 9 Series ActiveX control allo ...) NOT-FOR-US: Microsoft CVE-2003-0347 (Heap-based buffer overflow in VBE.DLL and VBE6.DLL of Microsoft Visual ...) NOT-FOR-US: Microsoft CVE-2003-0346 (Multiple integer overflows in a Microsoft Windows DirectX MIDI library ...) NOT-FOR-US: Microsoft CVE-2003-0345 (Buffer overflow in the SMB capability for Microsoft Windows XP, 2000, ...) NOT-FOR-US: Microsoft CVE-2003-0344 (Buffer overflow in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allo ...) NOT-FOR-US: Microsoft CVE-2003-0343 (BlackMoon FTP Server 2.6 Free Edition, and possibly other distribution ...) NOT-FOR-US: BlackMoon FTP Server CVE-2003-0342 (BlackMoon FTP Server 2.6 Free Edition, and possibly other distribution ...) NOT-FOR-US: BlackMoon FTP Server CVE-2003-0341 (Cross-site scripting (XSS) vulnerability in Owl Intranet Engine 0.71 a ...) NOT-FOR-US: Owl Intranet Engine CVE-2003-0340 (Demarc Puresecure 1.6 stores authentication information for the loggin ...) NOT-FOR-US: Puresecure CVE-2003-0339 (Multiple heap-based buffer overflows in WsMp3 daemon (WsMp3d) 0.0.10 a ...) NOT-FOR-US: WsMp3 CVE-2003-0338 (Directory traversal vulnerability in WsMp3 daemon (WsMp3d) 0.0.10 and ...) NOT-FOR-US: WsMp3 CVE-2003-0337 (The ckconfig command in lsadmin for Load Sharing Facility (LSF) 5.1 al ...) NOT-FOR-US: lsadmin CVE-2003-0336 (Qualcomm Eudora 5.2.1 allows remote attackers to read arbitrary files ...) NOT-FOR-US: Eudora CVE-2003-0335 (rc.M in Slackware 9.0 calls quotacheck with the -M option, which cause ...) NOT-FOR-US: Slaskware specific CVE-2003-0334 (BitchX IRC client 1.0c20cvs and earlier allows attackers to cause a de ...) - ircii-pana 1:1.0-0c19.20030512-1 CVE-2003-0333 (Multiple buffer overflows in kermit in HP-UX 10.20 and 11.00 (C-Kermit ...) NOT-FOR-US: C-Kermit on HP-UX CVE-2003-0332 (The ISAPI extension in BadBlue 1.7 through 2.2, and possibly earlier v ...) NOT-FOR-US: BadBlue CVE-2003-0331 (SQL injection vulnerability in ttForum allows remote attackers to exec ...) NOT-FOR-US: ttForum CVE-2003-0330 (Buffer overflow in unknown versions of Maelstrom allows local users to ...) - maelstrom (Melstrom in Sarge tests not vulnerable to exploit. Unsure when fixed.) CVE-2003-0329 (CesarFTP 0.99g stores user names and passwords in plaintext in the set ...) NOT-FOR-US: CesarFTP CVE-2003-0328 (EPIC IRC Client (EPIC4) pre2.002, pre2.003, and possibly later version ...) {DSA-399 DSA-306} - epic4 1:1.1.11.20030409-2 - ircii-pana 1:1.0-0c19-8 CVE-2003-0327 (Sybase Adaptive Server Enterprise (ASE) 12.5 allows remote attackers t ...) NOT-FOR-US: Sybase Adaptive Server Enterprise CVE-2003-0326 (Integer overflow in parse_decode_path() of slocate may allow attackers ...) - slocate (Only an issue if kernel has been recompiled to allow 512 MB of command line arguments) NOTE: Even if exploited, you get only slocate gid. CVE-2003-0325 (Buffer overflow in Maelstrom 3.0.6, 3.0.5, and earlier allows local us ...) - maelstrom (Melstrom in Sarge tests not vulnerable to exploit. Unsure when fixed.) CVE-2003-0324 (Buffer overflows in EPIC IRC Client (EPIC4) 1.0.1 allows remote malici ...) {DSA-287} - epic4 1:1.1.11.20030409-1 - epic 3.004-19 CVE-2003-0323 (Multiple buffer overflows in ircII 20020912 allows remote malicious IR ...) {DSA-298 DSA-291} - epic4 1:1.1.11.20030409-1 - ircii 20030315-1 CVE-2003-0322 (Integer overflow in BitchX IRC client 1.0-0c19 and earlier allows remo ...) {DSA-306} - ircii-pana 1:1.0-0c19-8 CVE-2003-0321 (Multiple buffer overflows in BitchX IRC client 1.0-0c19 and earlier al ...) {DSA-306} - ircii-pana 1:1.0-0c19-8 CVE-2003-0320 (header.php in ttCMS 2.3 and earlier allows remote attackers to inject ...) NOT-FOR-US: ttCMS CVE-2003-0319 (Buffer overflow in the IMAP server (IMAPMax) for SmartMax MailMax 5.0. ...) NOT-FOR-US: SmartMax MailMax CVE-2003-0318 (Cross-site scripting (XSS) vulnerability in the Statistics module for ...) NOT-FOR-US: PHP-Nuke CVE-2003-0317 (iisPROTECT 2.1 and 2.2 allows remote attackers to bypass authenticatio ...) NOT-FOR-US: iisPROTECT CVE-2003-0316 (Venturi Client before 2.2, as used in certain Fourelle and Venturi Wir ...) NOT-FOR-US: Venturi Client CVE-2003-0315 (Snowblind Web Server 1.0 allows remote attackers to cause a denial of ...) NOT-FOR-US: Snowblind Web Server CVE-2003-0314 (Snowblind Web Server 1.0 allows remote attackers to cause a denial of ...) NOT-FOR-US: Snowblind Web Server CVE-2003-0313 (Directory traversal vulnerability in Snowblind Web Server 1.0 allows r ...) NOT-FOR-US: Snowblind Web Server CVE-2003-0312 (Directory traversal vulnerability in Snowblind Web Server 1.0 allows r ...) NOT-FOR-US: Snowblind Web Server CVE-2003-0311 RESERVED CVE-2003-0310 (Cross-site scripting (XSS) vulnerability in articleview.php for eZ pub ...) - ezpublish 2.2.8-1 CVE-2003-0309 (Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to bypass ...) NOT-FOR-US: MSIE CVE-2003-0308 (The Sendmail 8.12.3 package in Debian GNU/Linux 3.0 does not securely ...) {DSA-305} - sendmail 8.12.9-2 CVE-2003-0307 (Poster version.two allows remote authenticated users to gain administr ...) NOT-FOR-US: Poster version.two CVE-2003-0306 (Buffer overflow in EXPLORER.EXE on Windows XP allows attackers to exec ...) NOT-FOR-US: Windows CVE-2003-0305 (The Service Assurance Agent (SAA) in Cisco IOS 12.0 through 12.2, aka ...) NOT-FOR-US: Cisco CVE-2003-0304 (one||zero (aka One or Zero) Helpdesk 1.4 rc4 allows remote attackers t ...) NOT-FOR-US: one||zero (aka One or Zero) Helpdesk CVE-2003-0303 (SQL injection vulnerability in one||zero (aka One or Zero) Helpdesk 1. ...) NOT-FOR-US: one||zero (aka One or Zero) Helpdesk CVE-2003-0302 (The IMAP Client for Eudora 5.2.1 allows remote malicious IMAP servers ...) NOT-FOR-US: Eudora CVE-2003-0301 (The IMAP Client for Outlook Express 6.00.2800.1106 allows remote malic ...) NOT-FOR-US: Microsort CVE-2003-0300 (The IMAP Client for Sylpheed 0.8.11 allows remote malicious IMAP serve ...) NOT-FOR-US: Historic Sylpheed issues, only a crasher anyway CVE-2003-0299 (The IMAP Client, as used in mutt 1.4.1 and Balsa 2.0.10, allows remote ...) NOT-FOR-US: Historic mutt and Balsa issues, only a crasher anyway CVE-2003-0298 (The IMAP Client for Mozilla 1.3 and 1.4a allows remote malicious IMAP ...) - mozilla 2:1.5-1 NOTE: May have been fixed in an earlier version. Not clear how NOTE: Mozilla's a/b versions map to the Debian version. CVE-2003-0297 (c-client IMAP Client, as used in imap-2002b and Pine 4.53, allows remo ...) - uw-imap 7:2002c - pine 4.62-1 - alpine (this was fixed in pine before alpine was released to the public) NOTE: pine maybe fixed in earlier uploads, 4.62-1 is the sarge version and not vulnerable CVE-2003-0296 (The IMAP Client for Evolution 1.2.4 allows remote malicious IMAP serve ...) - evolution 1.3.2 CVE-2003-0295 (Cross-site scripting (XSS) vulnerability in private.php for vBulletin ...) NOT-FOR-US: vBulletin CVE-2003-0294 (autohtml.php in php-proxima 6.0 and earlier allows remote attackers to ...) NOT-FOR-US: php-proxima CVE-2003-0293 (PalmOS allows remote attackers to cause a denial of service (CPU consu ...) NOT-FOR-US: PalmOS CVE-2003-0292 (Cross-site scripting (XSS) vulnerability in Inktomi Traffic-Server 5.5 ...) NOT-FOR-US: Inktomi CVE-2003-0291 (3com OfficeConnect Remote 812 ADSL Router 1.1.7 does not properly clea ...) NOT-FOR-US: 3com OfficeConnect Remote 812 ADSL Router CVE-2003-0290 (Memory leak in eServ 2.9x allows remote attackers to cause a denial of ...) NOT-FOR-US: eServ CVE-2003-0289 (Format string vulnerability in scsiopen.c of the cdrecord program in c ...) - cdrtools 4:2.0+a14-1 CVE-2003-0288 (Buffer overflow in the file & folder transfer mechanism for IP Mes ...) NOT-FOR-US: IP Messenger for Win CVE-2003-0287 (Cross-site scripting (XSS) vulnerability in Movable Type before 2.6, a ...) NOT-FOR-US: Movable Type CVE-2003-0286 (SQL injection vulnerability in register.asp in Snitz Forums 2000 befor ...) NOT-FOR-US: Snitz Forums CVE-2003-0285 (IBM AIX 5.2 and earlier distributes Sendmail with a configuration file ...) NOT-FOR-US: bad sendmail config on AIX CVE-2003-0284 (Adobe Acrobat 5 does not properly validate JavaScript in PDF files, wh ...) NOT-FOR-US: Adobe Acrobat CVE-2003-0283 (Cross-site scripting (XSS) vulnerability in Phorum before 3.4.3 allows ...) NOT-FOR-US: Phorum CVE-2003-0282 (Directory traversal vulnerability in UnZip 5.50 allows attackers to ov ...) {DSA-344} - unzip 5.50-3 CVE-2003-0281 (Buffer overflow in Firebird 1.0.2 and other versions before 1.5, and p ...) - firebird2 1.5.1-1 (bug #251458) CVE-2003-0280 (Multiple buffer overflows in the SMTP Service for ESMTP CMailServer 4. ...) NOT-FOR-US: SMTP Service for ESMTP CMailServer CVE-2003-0279 (Multiple SQL injection vulnerabilities in the Web_Links module for PHP ...) NOT-FOR-US: PHP-Nuke CVE-2003-0278 (Cross-site scripting (XSS) vulnerability in normal_html.cgi in Happycg ...) NOT-FOR-US: HappyMail CVE-2003-0277 (Directory traversal vulnerability in normal_html.cgi in Happycgi.com H ...) NOT-FOR-US: HappyMail CVE-2003-0276 (Buffer overflow in Pi3Web 2.0.1 allows remote attackers to cause a den ...) NOT-FOR-US: Pi3Web CVE-2003-0275 (SSI.php in YaBB SE 1.5.2 allows remote attackers to execute arbitrary ...) NOT-FOR-US: YaBB SE CVE-2003-0274 (Buffer overflow in catmail for ListProc 8.2.09 and earlier allows remo ...) NOT-FOR-US: ListProc CVE-2003-0273 (Cross-site scripting (XSS) vulnerability in the web interface for Requ ...) - request-tracker3.4 (Affects older versions of Request Tracker not in Debian) CVE-2003-0272 (admin.php in miniPortail allows remote attackers to gain administrativ ...) NOT-FOR-US: miniPortail CVE-2003-0271 (Buffer overflow in Personal FTP Server allows remote attackers to exec ...) NOT-FOR-US: Personal FTP Server CVE-2003-0270 (The administration capability for Apple AirPort 802.11 wireless access ...) NOT-FOR-US: Apple Airport CVE-2003-0269 (Buffer overflow in youbin allows local users to gain privileges via a ...) NOT-FOR-US: youbin CVE-2003-0268 (SLWebMail 3 on Windows systems allows remote attackers to identify the ...) NOT-FOR-US: SLWebMail on Windows CVE-2003-0267 (ShowGodLog.dll in SLWebMail 3 on Windows systems allows remote attacke ...) NOT-FOR-US: SLWebMail on Windows CVE-2003-0266 (Multiple buffer overflows in SLWebMail 3 on Windows systems allows rem ...) NOT-FOR-US: SLWebMail on Windows CVE-2003-0265 (Race condition in SDBINST for SAP database 7.3.0.29 creates critical f ...) NOT-FOR-US: SDBINST for SAP database CVE-2003-0264 (Multiple buffer overflows in SLMail 5.1.0.4420 allows remote attackers ...) NOT-FOR-US: SLMail CVE-2003-0263 (Multiple buffer overflows in Floosietek FTGate Pro Mail Server (FTGate ...) NOT-FOR-US: FTGatePro CVE-2003-0262 (leksbot 1.2.3 in Debian GNU/Linux installs the KATAXWR as setuid root, ...) {DSA-299} - leksbot 1.2-5 (bug #186421) CVE-2003-0261 (fuzz 0.6 and earlier creates temporary files insecurely, which could a ...) {DSA-302} - fuzz 0.6-7.1 CVE-2003-0260 (Cisco VPN 3000 series concentrators and Cisco VPN 3002 Hardware Client ...) NOT-FOR-US: Cisco CVE-2003-0259 (Cisco VPN 3000 series concentrators and Cisco VPN 3002 Hardware Client ...) NOT-FOR-US: Cisco CVE-2003-0258 (Cisco VPN 3000 series concentrators and Cisco VPN 3002 Hardware Client ...) NOT-FOR-US: Cisco CVE-2003-0257 (Format string vulnerability in the printer capability for IBM AIX .3, ...) NOT-FOR-US: AIX CVE-2003-0256 (The GnuPG plugin in kopete before 0.6.2 does not properly cleanse the ...) - kdenetwork 3.2.0 CVE-2003-0255 (The key validation code in GnuPG before 1.2.2 does not properly determ ...) - gnupg 1.2.2 CVE-2003-0254 (Apache 2 before 2.0.47, when running on an IPv6 host, allows attackers ...) - apache2 2.0.47 CVE-2003-0253 (The prefork MPM in Apache 2 before 2.0.47 does not properly handle cer ...) - apache2 2.0.47 CVE-2003-0252 (Off-by-one error in the xlog function of mountd in the Linux NFS utils ...) {DSA-349} - nfs-utils 1:1.0.3-2 CVE-2003-0251 (ypserv NIS server before 2.7 allows remote attackers to cause a denial ...) NOTE: actually, we need ypserv 2.7, nis 3.11 has ypserv 2.13 - nis 3.11 CVE-2003-0250 RESERVED CVE-2003-0249 NOTE: unimportant (php) CVE-2003-0248 (The mxcsr code in Linux kernel 2.4 allows attackers to modify CPU stat ...) {DSA-442 DSA-336 DSA-332 DSA-312 DSA-311} - kernel-source-2.4.27 (Fixed before initial upload; 2.4.22-pre10) - linux-2.6 CVE-2003-0247 (Unknown vulnerability in the TTY layer of the Linux kernel 2.4 allows ...) {DSA-442 DSA-336 DSA-332 DSA-312 DSA-311} - kernel-source-2.4.27 (Fixed before initial upload; 2.4.21-rc4) - linux-2.6 CVE-2003-0246 (The ioperm system call in Linux kernel 2.4.20 and earlier does not pro ...) {DSA-442 DSA-336 DSA-332 DSA-312 DSA-311} - kernel-source-2.4.27 (Fixed before initial upload; 2.4.21-rc4) - linux-2.6 CVE-2003-0245 (Vulnerability in the apr_psprintf function in the Apache Portable Runt ...) - apache2 2.0.46 CVE-2003-0244 (The route cache implementation in Linux 2.4, and the Netfilter IP conn ...) {DSA-442 DSA-336 DSA-332 DSA-312 DSA-311} - kernel-source-2.4.27 (Fixed before initial upload; 2.4.21-rc2) - linux-2.6 CVE-2003-0243 (Happycgi.com Happymall 4.3 and 4.4 allows remote attackers to execute ...) NOT-FOR-US: Happycgi.com Happymall CVE-2003-0242 (IPSec in Mac OS X before 10.2.6 does not properly handle certain incom ...) NOT-FOR-US: MacOS CVE-2003-0241 (FrontRange GoldMine mail agent 5.70 and 6.00 before 30503 directly sen ...) NOT-FOR-US: FrontRange GoldMine / win CVE-2003-0240 (The web-based administration capability for various Axis Network Camer ...) NOT-FOR-US: Axis Network Camera CVE-2003-0239 (icqateimg32.dll parsing/rendering library in Mirabilis ICQ Pro 2003a a ...) NOT-FOR-US: Mirabilis ICQ / windows CVE-2003-0238 (The Message Session window in Mirabilis ICQ Pro 2003a allows remote at ...) NOT-FOR-US: Mirabilis ICQ / windows CVE-2003-0237 (The "ICQ Features on Demand" functionality for Mirabilis ICQ Pro 2003a ...) NOT-FOR-US: Mirabilis ICQ / windows CVE-2003-0236 (Integer signedness errors in the POP3 client for Mirabilis ICQ Pro 200 ...) NOT-FOR-US: Mirabilis ICQ / windows CVE-2003-0235 (Format string vulnerability in POP3 client for Mirabilis ICQ Pro 2003a ...) NOT-FOR-US: Mirabilis ICQ / windows CVE-2003-0234 RESERVED CVE-2003-0233 (Heap-based buffer overflow in plugin.ocx for Internet Explorer 5.01, 5 ...) NOT-FOR-US: microsoft CVE-2003-0232 (Microsoft SQL Server 7, 2000, and MSDE allows local users to execute a ...) NOT-FOR-US: microsoft CVE-2003-0231 (Microsoft SQL Server 7, 2000, and MSDE allows local or remote authenti ...) NOT-FOR-US: microsoft CVE-2003-0230 (Microsoft SQL Server 7, 2000, and MSDE allows local users to gain priv ...) NOT-FOR-US: microsoft CVE-2003-0229 RESERVED CVE-2003-0228 (Directory traversal vulnerability in Microsoft Windows Media Player 7. ...) NOT-FOR-US: microsoft CVE-2003-0227 (The logging capability for unicast and multicast transmissions in the ...) NOT-FOR-US: microsoft CVE-2003-0226 (Microsoft Internet Information Services (IIS) 5.0 and 5.1 allows remot ...) NOT-FOR-US: microsoft CVE-2003-0225 (The ASP function Response.AddHeader in Microsoft Internet Information ...) NOT-FOR-US: microsoft CVE-2003-0224 (Buffer overflow in ssinc.dll for Microsoft Internet Information Servic ...) NOT-FOR-US: microsoft CVE-2003-0223 (Cross-site scripting vulnerability (XSS) in the ASP function responsib ...) NOT-FOR-US: microsoft CVE-2003-0222 (Stack-based buffer overflow in Oracle Net Services for Oracle Database ...) NOT-FOR-US: oracle CVE-2003-0221 (The (1) dupatch and (2) setld utilities in HP Tru64 UNIX 5.1B PK1 and ...) NOT-FOR-US: HP tru64 CVE-2003-0220 (Buffer overflow in the administrator authentication process for Kerio ...) NOT-FOR-US: Kerio Personal Firewall CVE-2003-0219 (Kerio Personal Firewall (KPF) 2.1.4 and earlier allows remote attacker ...) NOT-FOR-US: Kerio Personal Firewall CVE-2003-0218 (Buffer overflow in PostMethod() function for Monkey HTTP Daemon (monke ...) NOT-FOR-US: Monkey http daemon; not in debian CVE-2003-0217 (Cross-site scripting (XSS) vulnerability in Neoteris Instant Virtual E ...) NOT-FOR-US: Neoteris Instant Virtual Extranet CVE-2003-0216 (Unknown vulnerability in Cisco Catalyst 7.5(1) allows local users to b ...) NOT-FOR-US: cisco CVE-2003-0215 (SQL injection vulnerability in bttlxeForum 2.0 beta 3 and earlier allo ...) NOT-FOR-US: bttlxeForum / win CVE-2003-0214 (run-mailcap in mime-support 3.22 and earlier allows local users to ove ...) {DSA-292} - mime-support 3.23-1 CVE-2003-0213 (ctrlpacket.c in PoPToP PPTP server before 1.1.4-b3 allows remote attac ...) {DSA-295} - pptpd 1.1.4-0.b3.2 CVE-2003-0212 (handleAccept in rinetd before 0.62 does not properly resize the connec ...) {DSA-289} - rinetd 0.61-2 CVE-2003-0211 (Memory leak in xinetd 2.3.10 allows remote attackers to cause a denial ...) - xinetd 1:2.3.11 CVE-2003-0210 (Buffer overflow in the administration service (CSAdmin) for Cisco Secu ...) NOT-FOR-US: cisco CVE-2003-0209 (Integer overflow in the TCP stream reassembly module (stream4) for Sno ...) {DSA-297} - snort 2.0.0-1 CVE-2003-0208 (Cross-site scripting (XSS) vulnerability in Macromedia Flash ad user t ...) NOT-FOR-US: macromedia flash CVE-2003-0207 (ps2epsi creates insecure temporary files when calling ghostscript, whi ...) {DSA-286} - gs-common 0.3.3.1 CVE-2003-0206 (gkrellm-newsticker gkrellm plugin before 0.3-3.1 allows remote attacke ...) {DSA-294} - gkrellm-newsticker CVE-2003-0205 (gkrellm-newsticker gkrellm plugin before 0.3-3.1 allows remote attacke ...) {DSA-294} - gkrellm-newsticker CVE-2003-0204 (KDE 2 and KDE 3.1.1 and earlier 3.x versions allows attackers to execu ...) {DSA-296 DSA-293 DSA-284} - kdebase 4:3.1.0-1 - kdegraphics 4:3.1.0-1 CVE-2003-0203 (Buffer overflow in moxftp 2.2 and earlier allows remote malicious FTP ...) {DSA-281} - moxftp 2.2-18.20 CVE-2003-0202 (The (1) halstead and (2) gather_stats scripts in metrics 1.0 allow loc ...) {DSA-279} - metrics CVE-2003-0201 (Buffer overflow in the call_trans2open function in trans2.c for Samba ...) {DSA-280} - samba 3.0 CVE-2003-0200 REJECTED CVE-2003-0199 REJECTED CVE-2003-0198 (Mac OS X before 10.2.5 allows guest users to modify the permissions of ...) NOT-FOR-US: MacOS CVE-2003-0197 (Buffer overflow gds_lock_mgr of Interbase Database 6.x allows local us ...) NOT-FOR-US: Interbase Database CVE-2003-0196 (Multiple buffer overflows in Samba before 2.2.8a may allow remote atta ...) {DSA-280} - samba 3.0 CVE-2003-0195 (CUPS before 1.1.19 allows remote attackers to cause a denial of servic ...) {DSA-317} - cups 1.1.19final-1 - cupsys 1.1.19final-1 CVE-2003-0194 (tcpdump does not properly drop privileges to the pcap user when starti ...) - tcpdump (Apparently a Red Hat specific compilation packaging flaw) CVE-2003-0193 (msxlsview.sh in xlsview for catdoc 0.91 and earlier allows local users ...) {DSA-575-1} - catdoc 0.91.5-2 CVE-2003-0192 (Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3 ...) - apache2 2.0.47 CVE-2003-0190 (OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enable ...) - openssh 1:3.8.1p1-8.sarge.4 (bug #196413) CVE-2003-0189 (The authentication module for Apache 2.0.40 through 2.0.45 on Unix doe ...) - apache2 2.0.46 CVE-2003-0188 (lv reads a .lv file from the current working directory, which allows l ...) {DSA-304} - lv 4.49.5-2 CVE-2003-0187 (The connection tracking core of Netfilter for Linux 2.4.20, with CONFI ...) - kernel-source-2.4.27 (Fixed before upload into archive; 2.4.21) CVE-2003-0186 RESERVED CVE-2003-0185 RESERVED CVE-2003-0184 RESERVED CVE-2003-0183 RESERVED CVE-2003-0182 RESERVED CVE-2003-0181 (Lotus Domino Web Server (nhttp.exe) before 6.0.1 allows remote attacke ...) NOT-FOR-US: Lotus Domino Web Server CVE-2003-0180 (Lotus Domino Web Server (nhttp.exe) before 6.0.1 allows remote attacke ...) NOT-FOR-US: Lotus Domino Web Server CVE-2003-0179 (Buffer overflow in the COM Object Control Handler for Lotus Domino 6.0 ...) NOT-FOR-US: Lotus Domino Web Server CVE-2003-0178 (Multiple buffer overflows in Lotus Domino Web Server before 6.0.1 allo ...) NOT-FOR-US: Lotus Domino Web Server CVE-2003-0177 (SGI IRIX 6.5.x through 6.5.20f, and possibly earlier versions, does no ...) NOT-FOR-US: IRIX CVE-2003-0176 (The Name Service Daemon (nsd), when running on an NIS master on SGI IR ...) NOT-FOR-US: IRIX CVE-2003-0175 (SGI IRIX before 6.5.21 allows local users to cause a denial of service ...) NOT-FOR-US: IRIX CVE-2003-0174 (The LDAP name service (nsd) in IRIX 6.5.19 and earlier does not proper ...) NOT-FOR-US: IRIX CVE-2003-0173 (xfsdq in xfsdump does not create quota information files securely, whi ...) {DSA-283} - xfsdump 2.2.8-1 CVE-2003-0172 (Buffer overflow in openlog function for PHP 4.3.1 on Windows operating ...) - php4 (Non-issue; see http://marc.info/?l=bugtraq&m=104931415307111&w=2) CVE-2003-0171 (DirectoryServices in MacOS X trusts the PATH environment variable to l ...) NOT-FOR-US: MacOS CVE-2003-0170 (Unknown vulnerability in ftpd in IBM AIX 5.2, when configured to use K ...) NOT-FOR-US: AIX CVE-2003-0169 (hpnst.exe in the GoAhead-Webs webserver for HP Instant TopTools before ...) NOT-FOR-US: HP Instant TopTools CVE-2003-0168 (Buffer overflow in Apple QuickTime Player 5.x and 6.0 for Windows allo ...) NOT-FOR-US: Apple QuickTime Player CVE-2003-0167 (Multiple off-by-one buffer overflows in the IMAP capability for Mutt 1 ...) {DSA-300 DSA-274} - balsa 2.0.10 - mutt 1.4.0 CVE-2003-0166 (Integer signedness error in emalloc() function for PHP before 4.3.2 al ...) - php4 (Non-issue; see http://marc.info/?l=bugtraq&m=104931415307111&w=2) CVE-2003-0165 (Format string vulnerability in Eye Of Gnome (EOG) allows attackers to ...) - eog 2.2.1 CVE-2003-0164 RESERVED CVE-2003-0163 (decrypt_msg for the Gaim-Encryption GAIM plugin 1.15 and earlier does ...) - gaim-encryption (fixed before first upload; 1.16) CVE-2003-0162 (Ecartis 1.0.0 (formerly listar) before snapshot 20030227 allows remote ...) {DSA-271} - ecartis 1.0.0+cvs.20030321-1 CVE-2003-0161 (The prescan() function in the address parser (parseaddr.c) in Sendmail ...) {DSA-290 DSA-278} - sendmail-wide 8.12.9+3.5Wbeta-1 - sendmail 8.12.9-1 CVE-2003-0160 (Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail be ...) - squirrelmail 1:1.2.11 CVE-2003-0159 (Heap-based buffer overflow in the NTLMSSP code for Ethereal 0.9.9 and ...) - ethereal 0.9.10 CVE-2003-0158 REJECTED CVE-2003-0157 REJECTED CVE-2003-0156 (Directory traversal vulnerability in Cross-Referencing Linux (LXR) all ...) {DSA-264} - lxr 0.3-4 CVE-2003-0155 (bonsai Mozilla CVS query tool allows remote attackers to gain access t ...) {DSA-265} - bonsai 1.3+cvs20030317-1 CVE-2003-0154 (Cross-site scripting vulnerabilities (XSS) in bonsai Mozilla CVS query ...) {DSA-265} - bonsai 1.3+cvs20030317-1 CVE-2003-0153 (bonsai Mozilla CVS query tool leaks the absolute pathname of the tool ...) {DSA-265} - bonsai 1.3+cvs20030317-1 CVE-2003-0152 (Unknown vulnerability in bonsai Mozilla CVS query tool allows remote a ...) {DSA-265} - bonsai 1.3+cvs20030317-1 CVE-2003-0151 (BEA WebLogic Server and Express 6.0 through 7.0 does not properly rest ...) NOT-FOR-US: BEA WebLogic Server CVE-2003-0150 (MySQL 3.23.55 and earlier creates world-writeable files and allows mys ...) - mysql CVE-2003-0149 (Heap-based buffer overflow in ePO agent for McAfee ePolicy Orchestrato ...) NOT-FOR-US: McAfee ePolicy Orchestrator CVE-2003-0148 (The default installation of MSDE via McAfee ePolicy Orchestrator 2.0 t ...) NOT-FOR-US: McAfee ePolicy Orchestrator CVE-2003-0147 (OpenSSL does not use RSA blinding by default, which allows local and r ...) {DSA-288} - openssl 0.9.7b-1 - openssl096 0.9.6j-1 CVE-2003-0146 (Multiple vulnerabilities in NetPBM 9.20 and earlier, and possibly othe ...) {DSA-263} - lpr 1:2000.05.07-4.20 - netpbm-free 2:9.20-9 CVE-2003-0144 (Buffer overflow in the lprm command in the lprold lpr package on SuSE ...) {DSA-275 DSA-267} - lpr 1:2000.05.07-4.20 - lpr-ppd 1:0.72-3 CVE-2003-0142 (Adobe Acrobat Reader (acroread) 6, under certain circumstances when ru ...) NOT-FOR-US: acroread CVE-2003-0141 (The PNG deflate algorithm in RealOne Player 6.0.11.x and earlier, Real ...) NOT-FOR-US: Real CVE-2003-0140 (Buffer overflow in Mutt 1.4.0 and possibly earlier versions, 1.5.x up ...) {DSA-268} - mutt 1.5.4-1 CVE-2003-0139 (Certain weaknesses in the implementation of version 4 of the Kerberos ...) {DSA-273 DSA-266} - krb4 1.2.2-1 - krb5 1.2.7-3 CVE-2003-0138 (Version 4 of the Kerberos protocol (krb4), as used in Heimdal and othe ...) {DSA-273 DSA-269 DSA-266} - krb4 1.2.2-1 - heimdal 0.5.2-1 - krb5 1.2.7-3 CVE-2003-0137 (SNMP daemon in the DX200 based network element for Nokia Serving GPRS ...) NOT-FOR-US: Nokia Serving GPRS support node CVE-2003-0136 (psbanner in the LPRng package allows local users to overwrite arbitrar ...) {DSA-285} - lprng 3.8.20-4. CVE-2003-0135 (vsftpd FTP daemon in Red Hat Linux 9 is not compiled against TCP wrapp ...) - vsftpd (Red Hat specific packaging flaw) CVE-2003-0134 (Unknown vulnerability in filestat.c for Apache running on OS2, version ...) - apache2 2.0.46 CVE-2003-0133 (GtkHTML, as included in Evolution before 1.2.4, allows remote attacker ...) - evolution 1.2.4 CVE-2003-0132 (A memory leak in Apache 2.0 through 2.0.44 allows remote attackers to ...) - apache2 2.0.45 CVE-2003-0131 (The SSL and TLS components for OpenSSL 0.9.6i and earlier, 0.9.7, and ...) {DSA-288} - openssl 0.9.7b-1 - openssl096 0.9.6j-1 CVE-2003-0130 (The handle_image function in mail-format.c for Ximian Evolution Mail U ...) - evolution 1.2.3 CVE-2003-0129 (Ximian Evolution Mail User Agent 1.2.2 and earlier allows remote attac ...) - evolution 1.2.3 CVE-2003-0128 (The try_uudecoding function in mail-format.c for Ximian Evolution Mail ...) - evolution 1.2.3 CVE-2003-0127 (The kernel module loader in Linux kernel 2.2.x before 2.2.25, and 2.4. ...) {DSA-495 DSA-423 DSA-336 DSA-332 DSA-312 DSA-311 DSA-276 DSA-270} [sarge] - kernel-source-2.6.8 - linux-2.6 - kernel-source-2.4.27 (Fixed before upload in the archive, in 2.4.21) CVE-2003-0126 (The web interface for SOHO Routefinder 550 firmware 4.63 and earlier, ...) NOT-FOR-US: SOHO Routefinder 550 firmware CVE-2003-0121 (Clearswift MAILsweeper 4.x allows remote attackers to bypass attachmen ...) NOT-FOR-US: Clearswift MAILsweeper CVE-2003-0119 (The secldapclntd daemon in AIX 4.3, 5.1 and 5.2 uses an Internet socke ...) NOT-FOR-US: AIX CVE-2003-0118 (SQL injection vulnerability in the Document Tracking and Administratio ...) NOT-FOR-US: Microsoft CVE-2003-0117 (Buffer overflow in the HTTP receiver function (BizTalkHTTPReceive.dll ...) NOT-FOR-US: Microsoft CVE-2003-0116 (Microsoft Internet Explorer 5.01, 5.5 and 6.0 does not properly check ...) NOT-FOR-US: Microsoft CVE-2003-0115 (Microsoft Internet Explorer 5.01, 5.5 and 6.0 does not properly check ...) NOT-FOR-US: Microsoft CVE-2003-0114 (The file upload control in Microsoft Internet Explorer 5.01, 5.5, and ...) NOT-FOR-US: Microsoft CVE-2003-0113 (Buffer overflow in URLMON.DLL in Microsoft Internet Explorer 5.01, 5.5 ...) NOT-FOR-US: Microsoft CVE-2003-0112 (Buffer overflow in Windows Kernel allows local users to gain privilege ...) NOT-FOR-US: Microsoft CVE-2003-0111 (The ByteCode Verifier component of Microsoft Virtual Machine (VM) buil ...) NOT-FOR-US: Microsoft CVE-2003-0110 (The Winsock Proxy service in Microsoft Proxy Server 2.0 and the Micros ...) NOT-FOR-US: Microsoft CVE-2003-0109 (Buffer overflow in ntdll.dll on Microsoft Windows NT 4.0, Windows NT 4 ...) NOT-FOR-US: Microsoft CVE-2003-0106 (The HTTP proxy for Symantec Enterprise Firewall (SEF) 7.0 allows proxy ...) NOT-FOR-US: Symantec Enterprise Firewall CVE-2003-0105 (ServerMask 2.2 and earlier does not obfuscate (1) ETag, (2) HTTP Statu ...) NOT-FOR-US: ServerMask CVE-2003-0101 (miniserv.pl in (1) Webmin before 1.070 and (2) Usermin before 1.000 do ...) {DSA-319} - webmin 1.070-1 CVE-2003-0099 (Multiple buffer overflows in apcupsd before 3.8.6, and 3.10.x before 3 ...) {DSA-277} - apcupsd 3.8.5-1.2 CVE-2003-0098 (Unknown vulnerability in apcupsd before 3.8.6, and 3.10.x before 3.10. ...) {DSA-277} - apcupsd 3.8.5-1.2 CVE-2003-0096 (Multiple buffer overflows in Oracle 9i Database release 2, Release 1, ...) NOT-FOR-US: Oracle CVE-2003-0092 (Heap-based buffer overflow in dtsession for Solaris 2.5.1 through Sola ...) NOT-FOR-US: Solaris CVE-2003-0091 (Stack-based buffer overflow in the bsd_queue() function for lpq on Sol ...) NOT-FOR-US: Solaris CVE-2003-0090 REJECTED CVE-2003-0089 (Buffer overflow in the Software Distributor utilities for HP-UX B.11.0 ...) NOT-FOR-US: HP-UX CVE-2003-0086 (The code for writing reg files in Samba before 2.2.8 allows local user ...) {DSA-262} - samba 2.2.8 CVE-2003-0085 (Buffer overflow in the SMB/CIFS packet fragment re-assembly code for S ...) {DSA-262} - samba 2.2.8 CVE-2003-0084 (mod_auth_any package in Red Hat Enterprise Linux 2.1 and other operati ...) NOT-FOR-US: mod_auth_any not in Debian CVE-2003-0083 (Apache 1.3 before 1.3.25 and Apache 2.0 before version 2.0.46 does not ...) - apache2 2.0.46 - apache 1.3.25 CVE-2003-0082 (The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earli ...) {DSA-266} - krb5 1.3.3-2 CVE-2003-0080 (The iptables ruleset in Gnome-lokkit in Red Hat Linux 8.0 does not inc ...) - gnome-lokkit 0.50.22-4 CVE-2003-0076 (Unknown vulnerability in the directory parser for Direct Connect 4 Lin ...) - dcgui 0.2.2 CVE-2003-0074 (Format string vulnerability in mpmain.c for plpnfsd of the plptools pa ...) - plptools 0.12-0 CVE-2003-0072 (The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earli ...) {DSA-266} - krb5 1.2.7-3 NOTE: changelog does not mention this one, verified patch from upstream was applied to this version. CVE-2003-0061 (Buffer overflow in passwd for HP UX B.10.20 allows local users to exec ...) NOT-FOR-US: HP UX CVE-2003-0060 (Format string vulnerabilities in the logging routines for MIT Kerberos ...) - krb5 1.2.4 CVE-2003-0057 (Multiple buffer overflows in Hypermail 2 before 2.1.6 allows remote at ...) {DSA-248} - hypermail 2.1.6-1 CVE-2003-0056 (Buffer overflow in secure locate (slocate) before 2.7 allows local use ...) {DSA-252} - slocate 2.7-1 CVE-2003-0049 (Apple File Protocol (AFP) in Mac OS X before 10.2.4 allows administrat ...) NOT-FOR-US: MacOS CVE-2003-0048 (PuTTY 0.53b and earlier does not clear logon credentials from memory, ...) - putty 0.53-b-2003-01-04-1 NOTE: apparently fixed upstream 2002-11-12 changelog CVE-2003-0047 (SSH2 clients for VanDyke (1) SecureCRT 4.0.2 and 3.4.7, (2) SecureFX 2 ...) NOT-FOR-US: commercial ssh clients CVE-2003-0046 (AbsoluteTelnet SSH2 client does not clear logon credentials from memor ...) NOT-FOR-US: commercial ssh clients CVE-2003-0044 (Multiple cross-site scripting (XSS) vulnerabilities in the (1) example ...) {DSA-246} - tomcat CVE-2003-0042 (Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, all ...) {DSA-246} - tomcat CVE-2003-0041 (Kerberos FTP client allows remote FTP sites to execute arbitrary code ...) - krb5 (Verified sarge version of krb5-clients not vulnerable, nothing in changelogs) CVE-2003-0038 (Cross-site scripting (XSS) vulnerability in options.py for Mailman 2.1 ...) {DSA-436} - mailman 2.1.1-1 CVE-2003-0037 (Buffer overflows in noffle news server 1.0.1 and earlier allow remote ...) {DSA-244} - noffle 1.1.2-1 CVE-2003-0036 (ml85p, as included in the printer-drivers package for Mandrake Linux, ...) NOT-FOR-US: ml85p, as included in the printer-drivers package for Mandrake Linux CVE-2003-0035 (Buffer overflow in escputil, as included in the printer-drivers packag ...) NOT-FOR-US: ml85p, as included in the printer-drivers package for Mandrake Linux CVE-2003-0034 (Buffer overflow in the mtink status monitor, as included in the printe ...) - mtink (Not installed setuid or setgid, so this is not exploitable) NOTE: HOME overflow was fixed in mainSrc/rcfile.c, but not in NOTE: chooser/mtinkc.c's version, which goes into mtinkc CVE-2003-0031 (Multiple buffer overflows in libmcrypt before 2.5.5 allow attackers to ...) {DSA-228} - libmcrypt 2.5.5-1 CVE-2003-0030 (Buffer overflows in protegrity.dll of Protegrity Secure.Data Extension ...) NOT-FOR-US: Protegrity Secure.Data Extension Feature CVE-2003-0029 RESERVED CVE-2003-0028 (Integer overflow in the xdrmem_getbytes() function, and possibly other ...) {DSA-282 DSA-272 DSA-266} - glibc 2.3.1-16 - dietlibc 0.22-2 - krb5 1.3.3-2 NOTE: krb5: changelog does not mention this one, verified patch from Tom Yu was applied to this version. CVE-2003-0026 (Multiple stack-based buffer overflows in the error handling routines o ...) {DSA-231} - dhcp3 3.0+3.0.1rc11-1 CVE-2003-0025 (Multiple SQL injection vulnerabilities in IMP 2.2.8 and earlier allow ...) {DSA-229} - imp 2.2.6-7 - imp3 CVE-2003-0014 (gsinterf.c in bmv 1.2 and earlier allows local users to overwrite arbi ...) {DSA-633-1} - bmv 1.2-17 CVE-2003-0011 (Unknown vulnerability in the DNS intrusion detection application filte ...) NOT-FOR-US: Microsoft CVE-2003-0010 (Integer overflow in JsArrayFunctionHeapSort function used by Windows S ...) NOT-FOR-US: Windows Script Engine for JScript CVE-2003-0008 RESERVED CVE-2003-0006 RESERVED CVE-2003-0005 RESERVED CVE-2003-0001 (Multiple ethernet Network Interface Card (NIC) device drivers do not p ...) {DSA-442 DSA-423 DSA-336 DSA-332 DSA-312 DSA-311} - kernel-source-2.4.27 (Fixed before initial upload; 2.4.21-pre5) CVE-2002-1583 (Buffer overflow in sqllib/security/db2ckpw for IBM DB2 Universal Datab ...) NOT-FOR-US: IBM DB2 CVE-2002-1582 (compose.cgi in Mailreader.com 2.3.30 and 2.3.31, when using Sendmail a ...) [woody] - mailreader (Affects only 2.3.30-2.3.32) - mailreader 2.3.33 CVE-2002-1581 (Directory traversal vulnerability in nph-mr.cgi in Mailreader.com 2.3. ...) {DSA-534} - mailreader 2.3.29-9 CVE-2002-1580 (Integer overflow in imapparse.c for Cyrus IMAP server 1.4 and 2.1.10 a ...) {DSA-215} - cyrus-imapd 1.5.19-9.10 CVE-2002-1579 (SAP GUI (Sapgui) 4.6D allows remote attackers to cause a denial of ser ...) NOT-FOR-US: SAP CVE-2002-1578 (The default installation of SAP R/3, when using Oracle and SQL*net V2 ...) NOT-FOR-US: SAP CVE-2002-1577 (SAP R/3 2.0B to 4.6D installs several clients with default users and p ...) NOT-FOR-US: SAP CVE-2002-1576 (lserver in SAP DB 7.3 and earlier uses the current working directory t ...) NOT-FOR-US: SAP CVE-2002-1575 (cgiemail allows remote attackers to use cgiemail as a spam proxy via C ...) {DSA-437} - cgiemail 1.6-20 CVE-2002-1573 (Unspecified vulnerability in the pcilynx ieee1394 firewire driver (pci ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-1572 (Signed integer overflow in the bttv_read function in the bttv driver ( ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-1571 (The linux 2.4 kernel before 2.4.19 assumes that the fninit instruction ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-1570 (Heap-based buffer overflow in snmpnetstat for ucd-snmp 4.2.3 and earli ...) - ucd-snmp 4.2.3-2 CVE-2002-1569 (gv 3.5.8, and possibly earlier versions, allows remote attackers to ex ...) - gv 1:3.5.8-27 CVE-2002-1568 (OpenSSL 0.9.6e uses assertions when detecting buffer overflow attacks ...) - openssl 0.9.6g-1 CVE-2002-1567 (Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1 allows r ...) NOTE: tomcat4 cross-site scripting vuln CVE-2002-1566 (netris 0.5, and possibly other versions before 0.52, when running with ...) - netris 0.52-1 CVE-2002-1565 (Buffer overflow in url_filename function for wget 1.8.1 allows attacke ...) - wget 1.8.2-8 CVE-2002-1564 (Internet Explorer 5.5 and 6.0 allows remote attackers to steal potenti ...) NOT-FOR-US: microsoft CVE-2002-1563 (stunnel 4.0.3 and earlier allows attackers to cause a denial of servic ...) - stunnel4 4.04-1 - stunnel 2:3.24-1 CVE-2002-1562 (Directory traversal vulnerability in thttpd, when using virtual hostin ...) {DSA-396} - thttpd 2.23beta1-2.3 (bug #216677) CVE-2002-1561 (The RPC component in Windows 2000, Windows NT 4.0, and Windows XP allo ...) NOT-FOR-US: microsoft CVE-2002-1559 (Directory traversal vulnerability in ion-p.exe (aka ion-p) allows remo ...) NOT-FOR-US: ion-p CVE-2002-1558 (Cisco ONS15454 and ONS15327 running ONS before 3.4 have an account for ...) NOT-FOR-US: cisco CVE-2002-1557 (Cisco ONS15454 and ONS15327 running ONS before 3.4 allows attackers to ...) NOT-FOR-US: cisco CVE-2002-1556 (Cisco ONS15454 and ONS15327 running ONS before 3.4 allows attackers to ...) NOT-FOR-US: cisco CVE-2002-1555 (Cisco ONS15454 and ONS15327 running ONS before 3.4 uses a "public" SNM ...) NOT-FOR-US: cisco CVE-2002-1554 (Cisco ONS15454 and ONS15327 running ONS before 3.4 stores usernames an ...) NOT-FOR-US: cisco CVE-2002-1553 (Cisco ONS15454 and ONS15327 running ONS before 3.4 allows remote attac ...) NOT-FOR-US: cisco CVE-2002-1551 (Buffer overflow in nslookup in IBM AIX may allow attackers to cause a ...) NOT-FOR-US: AIX CVE-2002-1546 (BRS WebWeaver Web Server 1.01 allows remote attackers to bypass passwo ...) NOT-FOR-US: Webweaver CVE-2002-1545 (CooolSoft Personal FTP Server 2.24 allows remote attackers to obtain t ...) NOT-FOR-US: Coolsoft CVE-2002-1544 (Directory traversal vulnerability in CooolSoft Personal FTP Server 2.2 ...) NOT-FOR-US: Coolsoft CVE-2002-1542 (SolarWinds TFTP server 5.0.55 and earlier allows remote attackers to c ...) NOT-FOR-US: SolarWinds CVE-2002-1539 (Buffer overflow in MDaemon POP server 6.0.7 and earlier allows remote ...) NOT-FOR-US: MDaemon CVE-2002-1536 (Molly IRC bot 0.5 allows remote attackers to execute arbitrary command ...) NOT-FOR-US: Molly CVE-2002-1535 (Secure Webserver 1.1 in Raptor 6.5 and Symantec Enterprise Firewall 6. ...) NOT-FOR-US: Symantec CVE-2002-1533 (Cross-site scripting (XSS) vulnerability in Jetty JSP servlet engine a ...) - jetty (Fixed before upload into archive; 4.1 series) CVE-2002-1527 (emumail.cgi in EMU Webmail 5.0 allows remote attackers to determine th ...) NOT-FOR-US: EMU Webmail CVE-2002-1526 (Cross-site scripting (XSS) vulnerability in emumail.cgi for EMU Webmai ...) NOT-FOR-US: EMU Webmail CVE-2002-1525 (Directory traversal vulnerability in ASTAware SearchDisk engine for Su ...) NOT-FOR-US: Sun CVE-2002-1523 (Directory traversal vulnerability in Daniel Arenz Mini Server 2.1.6 al ...) NOT-FOR-US: Miniserver CVE-2002-1522 (Buffer overflow in PowerFTP FTP server 2.24, and possibly other versio ...) NOT-FOR-US: PowerFTP CVE-2002-1515 (Directory traversal vulnerability in avatar.php in CoolForum 0.5 beta ...) NOT-FOR-US: Coolforum CVE-2002-1512 (xbru in BRU Workstation 17.0 allows local users to overwrite arbitrary ...) NOT-FOR-US: BRU CVE-2002-1508 (slapd in OpenLDAP2 (OpenLDAP 2) 2.2.0 and earlier allows local users t ...) {DSA-227} - openldap2 2.0.27-3 CVE-2002-1507 (Unreal Tournament 2003 (ut2003) clients and servers allow remote attac ...) NOT-FOR-US: Unreal CVE-2002-1506 (Buffer overflow in Linuxconf before 1.28r4 allows local users to execu ...) - linuxconf CVE-2002-1504 (Directory traversal vulnerability in WebServer 4 Everyone 1.22 allows ...) NOT-FOR-US: webserver-4everyone CVE-2002-1503 (Buffer overflow in Automatic File Distributor (AFD) 1.2.14 and earlier ...) NOT-FOR-US: AFD not in debian CVE-2002-1500 (Buffer overflow in (1) mrinfo, (2) mtrace, and (3) pppd in NetBSD 1.4. ...) NOT-FOR-US: NetBSD CVE-2002-1499 (Multiple SQL injection vulnerabilities in FactoSystem CMS allows remot ...) NOT-FOR-US: FactoSystem CVE-2002-1498 (Directory traversal vulnerability in SWServer 2.2 and earlier allows r ...) NOT-FOR-US: SWServer CVE-2002-1495 (Cross-site scripting (XSS) vulnerability in JAWmail 1.0-rc1 allows rem ...) NOT-FOR-US: Jawmail CVE-2002-1492 (Buffer overflows in the Cisco VPN 5000 Client before 5.2.7 for Linux, ...) NOT-FOR-US: Cisco CVE-2002-1489 (Buffer overflow in PlanetDNS PlanetWeb 1.14 and earlier allows remote ...) NOT-FOR-US: PlanetDNS CVE-2002-1488 (The IRC component of Trillian 0.73 and 0.74 allows remote malicious IR ...) NOT-FOR-US: Cerulean Trillian CVE-2002-1487 (The IRC component of Trillian 0.73 and 0.74 allows remote malicious IR ...) NOT-FOR-US: Cerulean Trillian CVE-2002-1486 (Multiple buffer overflows in the IRC component of Trillian 0.73 and 0. ...) NOT-FOR-US: Cerulean Trillian CVE-2002-1485 (The AIM component of Trillian 0.73 and 0.74 allows remote attackers to ...) NOT-FOR-US: Cerulean Trillian CVE-2002-1484 (DB4Web server, when configured to use verbose debug messages, allows r ...) NOT-FOR-US: db4web CVE-2002-1483 (db4web_c and db4web_c.exe programs in DB4Web 3.4 and 3.6 allow remote ...) NOT-FOR-US: db4web CVE-2002-1482 (SQL injection vulnerability in login.php for phpGB 1.20 and earlier, w ...) NOT-FOR-US: phpGB not in Debian CVE-2002-1481 (savesettings.php in phpGB 1.20 and earlier does not require authentica ...) NOT-FOR-US: phpGB not in Debian CVE-2002-1480 (Cross-site scripting (XSS) vulnerability in phpGB before 1.20 allows r ...) NOT-FOR-US: phpGB not in Debian CVE-2002-1475 (Unknown vulnerability in the ARP component for HP Tru64 UNIX 4.0f, 4.0 ...) NOT-FOR-US: HPUX CVE-2002-1474 (Unknown vulnerability or vulnerabilities in TCP/IP component for HP Tr ...) NOT-FOR-US: HPUX CVE-2002-1473 (Multiple buffer overflows in lp subsystem for HP-UX 10.20 through 11.1 ...) NOT-FOR-US: HPUX CVE-2002-1470 (SHOUTcast 1.8.9 and earlier allows local users to obtain the cleartext ...) NOT-FOR-US: Shoutcase CVE-2002-1467 (Macromedia Flash Plugin before 6,0,47,0 allows remote attackers to byp ...) - flashplugin-nonfree 6.0.61.0-1 CVE-2002-1466 (CafeLog b2 Weblog Tool 2.06pre4, with allow_fopen_url enabled, allows ...) NOT-FOR-US: Cafelog CVE-2002-1465 (SQL injection vulnerability in CafeLog b2 Weblog Tool allows remote at ...) NOT-FOR-US: Cafelog CVE-2002-1464 (Cross-site scripting (XSS) vulnerability in CafeLog b2 Weblog Tool all ...) NOT-FOR-US: Cafelog CVE-2002-1462 (details2.php in OrganicPHP PHP-affiliate 1.0, and possibly later versi ...) NOT-FOR-US: Organic PHP CVE-2002-1461 (Web Shop Manager 1.1 allows remote attackers to execute arbitrary comm ...) NOT-FOR-US: Webshop Manager CVE-2002-1460 (L-Forum 2.40 and earlier does not properly verify whether a file was u ...) NOT-FOR-US: L-Forum not in Debian CVE-2002-1459 (Cross-site scripting vulnerability in L-Forum 2.40 and earlier, when t ...) NOT-FOR-US: L-Forum not in Debian CVE-2002-1458 (Cross-site scripting vulnerability in L-Forum 2.40 and earlier, when t ...) NOT-FOR-US: L-Forum not in Debian CVE-2002-1457 (SQL injection vulnerability in search.php for L-Forum 2.40 allows remo ...) NOT-FOR-US: L-Forum not in Debian CVE-2002-1456 (Buffer overflow in mIRC 6.0.2 and earlier allows remote attackers to e ...) NOT-FOR-US: mIRC CVE-2002-1455 (Multiple cross-site scripting (XSS) vulnerabilities in OmniHTTPd allow ...) NOT-FOR-US: OmniHTTPD CVE-2002-1454 (MyWebServer 1.0.2 allows remote attackers to determine the absolute pa ...) NOT-FOR-US: MyWebServer CVE-2002-1453 (Cross-site scripting (XSS) vulnerability in MyWebServer 1.0.2 allows r ...) NOT-FOR-US: MyWebServer CVE-2002-1452 (Buffer overflow in the search capability for MyWebServer 1.0.2 allows ...) NOT-FOR-US: MyWebServer CVE-2002-1451 (Blazix before 1.2.2 allows remote attackers to read source code of JSP ...) NOT-FOR-US: Blazix not in Debian CVE-2002-1450 (IBM UniVerse with UV/ODBC allows attackers to cause a denial of servic ...) NOT-FOR-US: IBM UniVerse CVE-2002-1449 (eUpload 1.0 stores the password.txt password file in plaintext under t ...) NOT-FOR-US: eUpload not in Debian CVE-2002-1445 (Cross-site scripting (XSS) vulnerability in CERN Proxy Server allows r ...) NOT-FOR-US: CERN HTTPD not in Debian CVE-2002-1444 (The Google toolbar 1.1.60, when running on Internet Explorer 5.5 and 6 ...) NOT-FOR-US: Google Toolbar CVE-2002-1442 (The Google toolbar 1.1.58 and earlier allows remote web sites to perfo ...) NOT-FOR-US: Google Toolbar CVE-2002-1441 (Multiple buffer overflows in Tomahawk SteelArrow before 4.5 allow remo ...) NOT-FOR-US: Tomahawk CVE-2002-1440 (The Gateway GS-400 server has a default root password of "0001n" that ...) NOT-FOR-US: Gateway CVE-2002-1439 (Unknown vulnerability related to stack corruption in the TGA daemon fo ...) NOT-FOR-US: HPUX CVE-2002-1434 (Multiple cross-site scripting (XSS) vulnerabilities in the Web mail mo ...) NOT-FOR-US: Kerio CVE-2002-1433 (Kerio MailServer 5.0 allows remote attackers to cause a denial of serv ...) NOT-FOR-US: Kerio CVE-2002-1432 (MidiCart stores the midicart.mdb database file under the Web document ...) NOT-FOR-US: MidiCart CVE-2002-1431 (Belkin F5D5230-4 4-Port Cable/DSL Gateway Router 1.20.000 modifies the ...) NOT-FOR-US: Belkin CVE-2002-1429 (Cross-site scripting vulnerability in board.php of endity.com ShoutBOX ...) NOT-FOR-US: ShoutBox CVE-2002-1428 (index.php in dotProject 0.2.1.5 allows remote attackers to bypass auth ...) NOT-FOR-US: dotproject CVE-2002-1427 (The print_html_to_file function in edit.cgi for Easy Homepage Creator ...) NOT-FOR-US: Easy Homepage Creator CVE-2002-1426 (HP ProCurve Switch 4000M C.07.23 allows remote attackers to cause a de ...) NOT-FOR-US: HP CVE-2002-1423 (tmp_view.php in FUDforum before 2.2.0 allows remote attackers to read ...) - phpgroupware (Issue in fudforum 2.2.0. fudforum in phpgroupware-fudforum is 2.5.x) CVE-2002-1422 (admbrowse.php in FUDforum before 2.2.0 allows remote attackers to crea ...) - phpgroupware (Issue in fudforum 2.2.0. fudforum in phpgroupware-fudforum is 2.5.x) CVE-2002-1421 (SQL injection vulnerabilities in FUDforum before 2.2.0 allow remote at ...) - phpgroupware (Issue in fudforum 2.2.0. fudforum in phpgroupware-fudforum is 2.5.x) CVE-2002-1416 (The POP3 service for WebEasyMail 3.4.2.2 and earlier generates difffer ...) NOT-FOR-US: Webeasymail CVE-2002-1415 (Format string vulnerability in SMTP service for WebEasyMail 3.4.2.2 an ...) NOT-FOR-US: Webeasymail CVE-2002-1411 (Directory traversal vulnerability in update.dpgs in Duma Photo Gallery ...) NOT-FOR-US: Duma CVE-2002-1410 (Easy Guestbook CGI programs do not authenticate the administrator, whi ...) NOT-FOR-US: East Guestbook CVE-2002-1409 (ptrace on HP-UX 11.00 through 11.11 allows local users to cause a deni ...) NOT-FOR-US: HPUX CVE-2002-1408 (Unknown vulnerability or vulnerabilities in HP OpenView EMANATE 14.2 s ...) NOT-FOR-US: HP Openview CVE-2002-1406 (Unknown vulnerability in passwd for VVOS HP-UX 11.04, with unknown imp ...) NOT-FOR-US: HPUX CVE-2002-1404 REJECTED CVE-2002-1402 (Buffer overflows in the (1) TZ and (2) SET TIME ZONE enivronment varia ...) {DSA-165} - postgresql 7.2.2-2 CVE-2002-1401 (Buffer overflows in (1) circle_poly, (2) path_encode and (3) path_add ...) {DSA-165} - postgresql 7.2.2-2 CVE-2002-1400 (Heap-based buffer overflow in the repeat() function for PostgreSQL bef ...) {DSA-165} - postgresql 7.2.2-2 CVE-2002-1399 (Unknown vulnerability in cash_out and possibly other functions in Post ...) - postgresql 7.2.2-2 CVE-2002-1398 (Buffer overflow in the date parser for PostgreSQL before 7.2.2 allows ...) {DSA-165} - postgresql 7.2.2-2 CVE-2002-1397 (Vulnerability in the cash_words() function for PostgreSQL 7.2 and earl ...) - postgresql 7.2.2-2 CVE-2002-1395 (Internet Message (IM) 141-18 and earlier uses predictable file and dir ...) {DSA-202} - im 1:141-20 CVE-2002-1393 (Multiple vulnerabilities in KDE 2 and KDE 3.x through 3.0.5 do not quo ...) {DSA-243 DSA-242 DSA-241 DSA-240 DSA-239 DSA-238 DSA-237 DSA-236 DSA-235 DSA-234} - kdemultimedia 4:3.0.5a - kdebase 4:3.0.5a - kdeutils 4:3.0.5a - kdegames 4:3.0.5a - kdesdk 4:3.0.5a - kdepim 4:3.0.5a - kdelibs 4:3.0.5a - kdenetwork 4:3.0.5a - kdegraphics 4:3.0.5a - kdeadmin 4:3.0.5a CVE-2002-1387 (The spray mode in traceroute-nanog (aka traceroute-ng) may allow local ...) {DSA-254} - traceroute-nanog 6.3.0-1 CVE-2002-1386 (Buffer overflow in traceroute-nanog (aka traceroute-ng) may allow loca ...) {DSA-254} - traceroute-nanog 6.3.0-1 CVE-2002-1383 (Multiple integer overflows in Common Unix Printing System (CUPS) 1.1.1 ...) {DSA-232} - cups 1.1.18-1 - cupsys 1.1.18-1 CVE-2002-1379 (OpenLDAP2 (OpenLDAP 2) 2.2.0 and earlier allows remote or local attack ...) {DSA-227} - openldap2 2.0.27-3 CVE-2002-1378 (Multiple buffer overflows in OpenLDAP2 (OpenLDAP 2) 2.2.0 and earlier ...) {DSA-227} - openldap2 2.0.27-3 CVE-2002-1376 (libmysqlclient client library in MySQL 3.x to 3.23.54, and 4.x to 4.0. ...) {DSA-212} - mysql CVE-2002-1370 REJECTED CVE-2002-1368 (Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allows remote ...) {DSA-232} - cups 1.1.18-1 - cupsys 1.1.18-1 CVE-2002-1360 (Multiple SSH2 servers and clients do not properly handle strings with ...) - openssh (OpenSSH not vulnerable) CVE-2002-1359 (Multiple SSH2 servers and clients do not properly handle large packets ...) - openssh (OpenSSH not vulnerable) CVE-2002-1358 (Multiple SSH2 servers and clients do not properly handle lists with em ...) - openssh (OpenSSH not vulnerable) CVE-2002-1357 (Multiple SSH2 servers and clients do not properly handle packets or da ...) - openssh (OpenSSH not vulnerable) CVE-2002-1356 (Ethereal 0.9.7 and earlier allows remote attackers to cause a denial o ...) - ethereal 0.9.8-1 CVE-2002-1355 (Multiple integer signedness errors in the BGP dissector in Ethereal 0. ...) - ethereal 0.9.8-1 CVE-2002-1354 (Directory traversal vulnerability in TYPSoft FTP Server 0.99.8 allows ...) NOT-FOR-US: TYPSoft FTP Server CVE-2002-1353 (LocalWEB2000 HTTP server 2.1.0 stores passwords in plain text under th ...) NOT-FOR-US: LocalWEB2000 HTTP server CVE-2002-1352 (Per Magne Knutsen's CartMan shopping cart (cartman.php) 1.04 and earli ...) NOT-FOR-US: CartMan CVE-2002-1351 (Buffer overflow in Melange Chat System 1.10 allows remote attackers to ...) NOT-FOR-US: Melange Chat System CVE-2002-1347 (Multiple buffer overflows in Cyrus SASL library 2.1.9 and earlier allo ...) - cyrus-sasl2 2.1.10-1 CVE-2002-1346 RESERVED CVE-2002-1345 (Directory traversal vulnerabilities in multiple FTP clients on UNIX sy ...) NOTE: multiple ftp client issues CVE-2002-1344 (Directory traversal vulnerability in wget before 1.8.2-4 allows a remo ...) {DSA-209} - wget 1.8.2-8 CVE-2002-1343 RESERVED CVE-2002-1342 (Unknown vulnerability in smb2www 980804-16 and earlier allows remote a ...) {DSA-203} - smb2www 980804-17 CVE-2002-1341 (Cross-site scripting (XSS) vulnerability in read_body.php for Squirrel ...) {DSA-220} - squirrelmail 1:1.3.2-2 CVE-2002-1340 (The "ConnectionFile" property in the DataSourceControl component in Of ...) NOT-FOR-US: Office Web Components CVE-2002-1339 (The "XMLURL" property in the Spreadsheet component of Office Web Compo ...) NOT-FOR-US: Office Web Components CVE-2002-1338 (The Load method in the Chart component of Office Web Components (OWC) ...) NOT-FOR-US: Office Web Components CVE-2002-1335 (Cross-site scripting (XSS) vulnerability in w3m 0.3.2 does not escape ...) {DSA-251 DSA-250 DSA-249} - w3m 0.3.2.2-1 - w3mmee 0.3.p24.17-3 - w3m-ssl CVE-2002-1334 (Cross-site scripting (XSS) vulnerability in BizDesign ImageFolio 3.01 ...) NOT-FOR-US: BizDesign CVE-2002-1333 RESERVED CVE-2002-1332 RESERVED CVE-2002-1331 RESERVED CVE-2002-1330 RESERVED CVE-2002-1329 RESERVED CVE-2002-1328 RESERVED CVE-2002-1326 RESERVED CVE-2002-1324 RESERVED CVE-2002-1322 (Rational ClearCase 4.1, 2002.05, and possibly other versions allows re ...) NOT-FOR-US: ClearCase CVE-2002-1321 (Multiple buffer overflows in RealOne and RealPlayer allow remote attac ...) NOT-FOR-US: Realplayer CVE-2002-1316 (importInfo in the Admin Server for iPlanet WebServer 4.x, up to SP11, ...) NOT-FOR-US: iPlanet CVE-2002-1315 (Cross-site scripting (XSS) vulnerability in the Admin Server for iPlan ...) NOT-FOR-US: iPlanet CVE-2002-1314 RESERVED CVE-2002-1312 (Buffer overflow in the Web management interface in Linksys BEFW11S4 wi ...) NOT-FOR-US: Linksys CVE-2002-1310 (Heap-based buffer overflow in the error-handling mechanism for the IIS ...) NOT-FOR-US: Macromedia CVE-2002-1309 (Heap-based buffer overflow in the error-handling mechanism for the IIS ...) NOT-FOR-US: Macromedia CVE-2002-1306 (Multiple buffer overflows in LISa on KDE 2.x for 2.1 and later, and KD ...) {DSA-214} - kdenetwork 4:2.2.2-14.20 CVE-2002-1305 REJECTED CVE-2002-1304 REJECTED CVE-2002-1303 REJECTED CVE-2002-1302 REJECTED CVE-2002-1301 REJECTED CVE-2002-1300 REJECTED CVE-2002-1299 REJECTED CVE-2002-1298 REJECTED CVE-2002-1297 REJECTED CVE-2002-1295 (The Microsoft Java implementation, as used in Internet Explorer, allow ...) NOT-FOR-US: Microsoft CVE-2002-1294 (The Microsoft Java implementation, as used in Internet Explorer, can p ...) NOT-FOR-US: Microsoft CVE-2002-1293 (The Microsoft Java implementation, as used in Internet Explorer, provi ...) NOT-FOR-US: Microsoft CVE-2002-1292 (The Microsoft Java virtual machine (VM) build 5.0.3805 and earlier, as ...) NOT-FOR-US: Microsoft CVE-2002-1291 (The Microsoft Java implementation, as used in Internet Explorer, allow ...) NOT-FOR-US: Microsoft CVE-2002-1290 (The Microsoft Java implementation, as used in Internet Explorer, allow ...) NOT-FOR-US: Microsoft CVE-2002-1289 (The Microsoft Java implementation, as used in Internet Explorer, allow ...) NOT-FOR-US: Microsoft CVE-2002-1288 (The Microsoft Java implementation, as used in Internet Explorer, allow ...) NOT-FOR-US: Microsoft CVE-2002-1287 (Stack-based buffer overflow in the Microsoft Java implementation, as u ...) NOT-FOR-US: Microsoft CVE-2002-1286 (The Microsoft Java implementation, as used in Internet Explorer, allow ...) NOT-FOR-US: Microsoft CVE-2002-1285 (runlpr in the LPRng package allows the local lp user to gain root priv ...) NOT-FOR-US: SuSE-specific lprfilter package CVE-2002-1283 (Buffer overflow in Novell iManager (eMFrame) before 1.5 allows remote ...) NOT-FOR-US: Novell iManager (eMFrame) CVE-2002-1282 (Unknown vulnerability in the telnet KIO subsystem (telnet.protocol) of ...) {DSA-204} - kdelibs 4:3.1.0-1 CVE-2002-1281 (Unknown vulnerability in the rlogin KIO subsystem (rlogin.protocol) of ...) {DSA-204} - kdelibs 4:3.1.0-1 CVE-2002-1280 (Memory leak in RealSecure Event Collector 6.5 allows attackers to caus ...) NOT-FOR-US: RealSecure Event Collector CVE-2002-1279 (Multiple buffer overflows in conf.c for Masqmail 0.1.x before 0.1.17, ...) {DSA-194} - masqmail 0.2.15-1 CVE-2002-1276 (An incomplete fix for a cross-site scripting (XSS) vulnerability in Sq ...) {DSA-191} - squirrelmail 1:1.2.8-1.1 CVE-2002-1275 (Unknown vulnerability in html2ps HTML/PostScript converter 1.0, when u ...) {DSA-192} - html2ps 1.0b3-2 CVE-2002-1274 RESERVED CVE-2002-1273 RESERVED CVE-2002-1269 (Unknown vulnerability in NetInfo Manager application in Mac OS X 10.2. ...) NOT-FOR-US: MacOS CVE-2002-1263 REJECTED CVE-2002-1262 (Internet Explorer 5.5 and 6.0 does not perform complete security check ...) NOT-FOR-US: Microsoft CVE-2002-1261 REJECTED CVE-2002-1259 REJECTED CVE-2002-1258 (Two vulnerabilities in Microsoft Virtual Machine (VM) up to and includ ...) NOT-FOR-US: Microsoft CVE-2002-1254 (Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cr ...) NOT-FOR-US: Microsoft CVE-2002-1249 RESERVED CVE-2002-1247 (Buffer overflow in LISa allows local users to gain access to a raw soc ...) {DSA-193} - kdenetwork 4:2.2.2-14.3 CVE-2002-1246 RESERVED CVE-2002-1243 RESERVED CVE-2002-1241 RESERVED CVE-2002-1240 RESERVED CVE-2002-1238 (Peter Sandvik's Simple Web Server 0.5.1 and earlier allows remote atta ...) NOT-FOR-US: Peter Sandvik's Simple Web Server CVE-2002-1237 RESERVED CVE-2002-1235 (The kadm_ser_in function in (1) the Kerberos v4compatibility administr ...) {DSA-185 DSA-184 DSA-183} - heimdal 0.4e-22 - krb4 1.1-11-8 - krb5 1.2.6-2 CVE-2002-1234 REJECTED CVE-2002-1233 (A regression error in the Debian distributions of the apache-ssl packa ...) {DSA-195 DSA-188 DSA-187} - apache-perl 1.3.26-1.1-1.27-3-1 - apache 1.3.27-1 CVE-2002-1229 (Avaya Cajun switches P880, P882, P580, and P550R 5.2.14 and earlier co ...) NOT-FOR-US: Avaya Cajun switches CVE-2002-1228 (Unknown vulnerability in NFS on Solaris 2.5.1 through Solaris 9 allows ...) NOT-FOR-US: Solaris CVE-2002-1226 (Unknown vulnerabilities in Heimdal before 0.5 with unknown impact, pos ...) {DSA-178} - heimdal 0.4e-21 CVE-2002-1225 (Multiple buffer overflows in Heimdal before 0.5, possibly in both the ...) {DSA-178} - heimdal 0.4e-21 CVE-2002-1218 RESERVED CVE-2002-1217 (Cross-Frame scripting vulnerability in the WebBrowser control as used ...) NOT-FOR-US: Microsoft CVE-2002-1216 (GNU tar 1.13.19 and other versions before 1.13.25 allows remote attack ...) - tar 1.13.25 CVE-2002-1215 (Multiple format string vulnerabilities in heartbeat 0.4.9 and earlier ...) {DSA-174} - heartbeat 0.4.9.2-1 CVE-2002-1213 (Directory traversal vulnerability in RadioBird Software WebServer 4 Ev ...) NOT-FOR-US: RadioBird Software WebServer 4 Everyone CVE-2002-1212 (Buffer overflow in RadioBird Software WebServer 4 Everyone 1.23 and 1. ...) NOT-FOR-US: RadioBird Software WebServer 4 Everyone CVE-2002-1210 (Qualcomm Eudora 5.1.1, 5.2, and possibly other versions stores email a ...) NOT-FOR-US: Eudora CVE-2002-1209 (Directory traversal vulnerability in SolarWinds TFTP Server 5.0.55, an ...) NOT-FOR-US: SolarWinds TFTP Server CVE-2002-1208 RESERVED CVE-2002-1207 RESERVED CVE-2002-1206 RESERVED CVE-2002-1205 RESERVED CVE-2002-1204 (Netscape Communicator 4.x allows attackers to use a link to steal a us ...) NOT-FOR-US: Netscape Communicator 4.x CVE-2002-1203 (IBM SecureWay Firewall before 4.2.2 performs extra processing before d ...) NOT-FOR-US: IBM SecureWay Firewall CVE-2002-1202 (Unknown vulnerability in routed for HP Tru64 UNIX V4.0F through V5.1A ...) NOT-FOR-US: HP Tru64 UNIX CVE-2002-1201 (IBM AIX 4.3.3 and AIX 5 allows remote attackers to cause a denial of s ...) NOT-FOR-US: AIX CVE-2002-1194 (Buffer overflow in talkd on NetBSD 1.6 and earlier, and possibly other ...) NOT-FOR-US: NetBSD CVE-2002-1192 (Multiple buffer overflows in rogue on NetBSD 1.6 and earlier, FreeBSD ...) NOT-FOR-US: NetBSD CVE-2002-1191 (The Sabserv client component in Sabre Desktop Reservation Software 4.2 ...) NOT-FOR-US: Sabre Desktop CVE-2002-1190 (Cisco Unity 2.x and 3.x uses well-known default user accounts, which c ...) NOT-FOR-US: Cisco CVE-2002-1181 (Multiple cross-site scripting (XSS) vulnerabilities in the administrat ...) NOT-FOR-US: Microsoft IIS CVE-2002-1177 (Multiple buffer overflows in Winamp 3.0, when displaying an MP3 in the ...) NOT-FOR-US: Winamp CVE-2002-1176 (Buffer overflow in Winamp 2.81 allows remote attackers to execute arbi ...) NOT-FOR-US: Winamp CVE-2002-1175 (The getmxrecord function in Fetchmail 6.0.0 and earlier does not prope ...) {DSA-171} - fetchmail 6.1.0-1 CVE-2002-1174 (Buffer overflows in Fetchmail 6.0.0 and earlier allow remote attackers ...) {DSA-171} - fetchmail 6.1.0-1 CVE-2002-1173 RESERVED CVE-2002-1172 RESERVED CVE-2002-1171 RESERVED CVE-2002-1168 (Cross-site scripting (XSS) vulnerability in IBM Web Traffic Express Ca ...) NOT-FOR-US: IBM Websphere CVE-2002-1167 (Cross-site scripting (XSS) vulnerability in IBM Web Traffic Express Ca ...) NOT-FOR-US: IBM Websphere CVE-2002-1166 (Buffer overflow in John Franks WN Server 1.18.2 through 2.0.0 allows r ...) - wn CVE-2002-1165 (Sendmail Consortium's Restricted Shell (SMRSH) in Sendmail 8.12.6, 8.1 ...) - sendmail 8.12.3-5 CVE-2002-1161 REJECTED CVE-2002-1155 (Buffer overflow in KON kon2 0.3.9b and earlier allows local users to e ...) NOTE: kon2. patched, but I don't know when. NOTE: assuming the current unstable/testing version is ok then.. - kon2 0.3.9b-18 CVE-2002-1150 (The Remote Desktop Sharing (RDS) Screen Saver Protection capability fo ...) NOT-FOR-US: Microsoft Netmeeting CVE-2002-1149 (The installation procedure for Invision Board suggests that users inst ...) NOT-FOR-US: Invision Board CVE-2002-1145 (The xp_runwebtask stored procedure in the Web Tasks component of Micro ...) NOT-FOR-US: Microsoft SQL CVE-2002-1144 RESERVED CVE-2002-1143 (Microsoft Word and Excel allow remote attackers to steal sensitive inf ...) NOT-FOR-US: Microsoft Word & Excel CVE-2002-1136 RESERVED CVE-2002-1134 (Unknown vulnerability in Compaq WEBES Service Tools 2.0 through WEBES ...) NOT-FOR-US: HP Tru64 CVE-2002-1133 (Encoded directory traversal vulnerability in Dino's web server 2.1 all ...) NOT-FOR-US: Dino's Webserver CVE-2002-1131 (Cross-site scripting vulnerabilities in SquirrelMail 1.2.7 and earlier ...) {DSA-191} - squirrelmail 1:1.2.8-1.1 CVE-2002-1130 RESERVED CVE-2002-1129 (Buffer overflow in dxterm allows local users to execute arbitrary code ...) NOT-FOR-US: HP Tru64 CVE-2002-1128 (Buffer overflow in inc mail utility for Compaq Tru64/OSF1 3.x allows l ...) NOT-FOR-US: HP Tru64 CVE-2002-1127 (Buffer overflow in uucp in Compaq Tru64/OSF1 3.x allows local users to ...) NOT-FOR-US: HP Tru64 CVE-2002-1125 (FreeBSD port programs that use libkvm for FreeBSD 4.6.2-RELEASE and ea ...) NOT-FOR-US: FreeBSD CVE-2002-1124 (Multiple buffer overflows in purity 1-16 allow local users to gain pri ...) {DSA-166} - purity 1-16 CVE-2002-1121 (SMTP content filter engines, including (1) GFI MailSecurity for Exchan ...) NOTE: Some SMTP mailscanners can be bypassed by fragmenting messages. CVE-2002-1120 (Buffer overflow in Savant Web Server 3.1 and earlier allows remote att ...) NOT-FOR-US: Savant Web Server CVE-2002-1115 (Mantis 0.17.4a and earlier allows remote attackers to view private bug ...) {DSA-161} - mantis 0.17.5-2 CVE-2002-1114 (config_inc2.php in Mantis before 0.17.4 allows remote attackers to exe ...) {DSA-153} - mantis 0.17.4a-2 CVE-2002-1110 (Multiple SQL injection vulnerabilities in Mantis 0.17.2 and earlier, w ...) {DSA-153} - mantis 0.17.4a-2 CVE-2002-1103 (Cisco VPN 3000 Concentrator 2.2.x, 3.6(Rel), and 3.x before 3.5.5, all ...) NOT-FOR-US: Cisco CVE-2002-1101 (Cisco VPN 3000 Concentrator 2.2.x, 3.6(Rel), and 3.x before 3.5.5, all ...) NOT-FOR-US: Cisco CVE-2002-1100 (Cisco VPN 3000 Concentrator 2.2.x, and 3.x before 3.5.3, allows remote ...) NOT-FOR-US: Cisco CVE-2002-1094 (Information leaks in Cisco VPN 3000 Concentrator 2.x.x and 3.x.x befor ...) NOT-FOR-US: Cisco CVE-2002-1090 (Buffer overflow in read_smtp_response of protocol.c in libesmtp before ...) - libesmtp 0.8.11-1 CVE-2002-1089 (rwcgi60 CGI program in Oracle Reports Server, by design, provides sens ...) NOT-FOR-US: Oracle CVE-2002-1087 (The scripts (1) createdir.php, (2) removedir.php and (3) uploadfile.ph ...) NOT-FOR-US: ezContents CVE-2002-1086 (Multiple SQL injection vulnerabilities in ezContents 1.41 and earlier ...) NOT-FOR-US: ezContents CVE-2002-1085 (Multiple cross-site scripting vulnerabilities in ezContents 1.41 and e ...) NOT-FOR-US: ezContents CVE-2002-1084 (The VerifyLogin function in ezContents 1.41 and earlier does not prope ...) NOT-FOR-US: ezContents CVE-2002-1083 (Directory traversal vulnerabilities in ezContents 1.41 and earlier all ...) NOT-FOR-US: ezContents CVE-2002-1082 (The Image Upload capability for ezContents 1.40 and earlier allows rem ...) NOT-FOR-US: ezContents CVE-2002-1080 (The Administration console for Abyss Web Server 1.0.3 before Patch 2 a ...) NOT-FOR-US: Abyss CVE-2002-1078 (Abyss Web Server 1.0.3 allows remote attackers to list directory conte ...) NOT-FOR-US: Abyss CVE-2002-1077 (IPSwitch IMail Web Calendaring service (iwebcal) allows remote attacke ...) NOT-FOR-US: IPSwitch CVE-2002-1075 (Buffer overflow in Pegasus mail client 4.01 and earlier allows remote ...) NOT-FOR-US: Pegasus CVE-2002-1073 (Buffer overflow in the control service for MERCUR Mailserver 4.2 allow ...) NOT-FOR-US: MERCUR Mailserver CVE-2002-1072 (ZyXEL Prestige 642R 2.50(FA.1) and Prestige 310 V3.25(M.01), allows re ...) NOT-FOR-US: ZyXEL CVE-2002-1071 (ZyXEL Prestige 642R allows remote attackers to cause a denial of servi ...) NOT-FOR-US: ZyXEL CVE-2002-1070 (Cross-site scripting vulnerability in PHPWiki Postnuke wiki module all ...) - phpwiki 1.3.4-1 CVE-2002-1069 (The remote administration capability for the D-Link DI-804 router 4.68 ...) NOT-FOR-US: D-Link hardware CVE-2002-1068 (The web server for D-Link DP-300 print server allows remote attackers ...) NOT-FOR-US: D-Link hardware CVE-2002-1067 (Administrative web interface for IC9 Pocket Print Server Firmware 7.1. ...) NOT-FOR-US: IC9 Print Server CVE-2002-1066 (Thomas Hauck Jana Server 1.4.6 and earlier allows remote attackers to ...) NOT-FOR-US: Jana Server CVE-2002-1065 (Thomas Hauck Jana Server 2.x through 2.2.1, and 1.4.6 and earlier, doe ...) NOT-FOR-US: Jana Server CVE-2002-1064 (Thomas Hauck Jana Server 2.x through 2.2.1, and 1.4.6 and earlier, gen ...) NOT-FOR-US: Jana Server CVE-2002-1063 (Thomas Hauck Jana Server 2.x through 2.2.1, and 1.4.6 and earlier, all ...) NOT-FOR-US: Jana Server CVE-2002-1062 (Signedness error in Thomas Hauck Jana Server 2.x through 2.2.1, and 1. ...) NOT-FOR-US: Jana Server CVE-2002-1061 (Multiple buffer overflows in Thomas Hauck Jana Server 2.x through 2.2. ...) NOT-FOR-US: Jana Server CVE-2002-1058 (Directory traversal vulnerability in splashAdmin.php for Cobalt Qube 3 ...) NOT-FOR-US: Cobalt Qube CVE-2002-1055 (Buffer overflow in administrative web server for Brother NC-3100h prin ...) NOT-FOR-US: Brother hardware CVE-2002-1052 (Jigsaw 2.2.1 on Windows systems allows remote attackers to use MS-DOS ...) NOT-FOR-US: Jigsaw CVE-2002-1048 (HP JetDirect printers allow remote attackers to obtain the administrat ...) NOT-FOR-US: HP printers CVE-2002-1047 (The FTP service in Watchguard Soho Firewall 5.0.35a allows remote atta ...) NOT-FOR-US: Soho Firewall CVE-2002-1045 (Ultrafunk Popcorn 1.20 allows remote attackers to cause a denial of se ...) NOT-FOR-US: Ultrafunk Popcorn CVE-2002-1044 (Buffer overflow in Ultrafunk Popcorn 1.20 allows remote attackers to c ...) NOT-FOR-US: Ultrafunk Popcorn CVE-2002-1043 (Ultrafunk Popcorn 1.20 allows remote attackers to cause a denial of se ...) NOT-FOR-US: Ultrafunk Popcorn CVE-2002-1042 (Directory traversal vulnerability in search engine for iPlanet web ser ...) NOT-FOR-US: iPlanet CVE-2002-1041 (Unknown vulnerability in DCE (1) SMIT panels and (2) configuration com ...) NOT-FOR-US: SMIT CVE-2002-1040 (Unknown vulnerability in the WebSecure (DFSWeb) configuration utilitie ...) NOT-FOR-US: WebSecure CVE-2002-1038 (Double Choco Latte (DCL) before 20020706 does not properly verify if a ...) - dcl (Vulnerable code not present, affected dcl "Double Choco Latte") NOTE: Until 2008 src:dcl was for the source for "Double Choco Latte". On NOTE: 2017-08-30 an unrelated source took over the source package name dcl. NOTE: Original issue fixed in dcl/1:0.9.2-1 CVE-2002-1037 (Cross-site scripting vulnerability in Double Choco Latte (DCL) before ...) - dcl (Vulnerable code not present, affected dcl "Double Choco Latte") NOTE: Until 2008 src:dcl was for the source for "Double Choco Latte". On NOTE: 2017-08-30 an unrelated source took over the source package name dcl. NOTE: Original issue fixed in dcl/1:0.9.2-1 CVE-2002-1036 (Cross-site scripting vulnerability in search.pl for Fluid Dynamics Sea ...) NOT-FOR-US: Fluid Dynamics CVE-2002-1034 (none.php for SunPS iRunbook 2.5.2 allows remote attackers to read arbi ...) NOT-FOR-US: iRunBook CVE-2002-1033 (Directory traversal vulnerability in none.php for SunPS iRunbook 2.5.2 ...) NOT-FOR-US: iRunBook CVE-2002-1032 (Buffer overflow in KeyFocus (KF) web server 1.0.5 and earlier allows r ...) NOT-FOR-US: KeyFocus Web Server CVE-2002-1029 (Res Manager in Worldspan for Windows Gateway 4.1 allows remote attacke ...) NOT-FOR-US: Worldspam for Windows CVE-2002-1028 (Multiple buffer overflows in the CGI programs for Oddsock Song Request ...) NOT-FOR-US: Oddsock Winamp plugin CVE-2002-1027 (Cross-site scripting vulnerability in the default HTTP 500 error scrip ...) NOT-FOR-US: Macromedia Sitespring CVE-2002-1026 (Macromedia Sitespring 1.2.0 (277.1) using Sybase runtime engine 7.0.2. ...) NOT-FOR-US: Macromedia Sitespring CVE-2002-1023 (BadBlue server allows remote attackers to cause a denial of service (c ...) NOT-FOR-US: BadBlue CVE-2002-1022 (BadBlue server stores passwords in plaintext in the ext.ini file, whic ...) NOT-FOR-US: BadBlue CVE-2002-1021 (BadBlue server allows remote attackers to read restricted files, such ...) NOT-FOR-US: BadBlue CVE-2002-1020 (The library feature for Adobe Content Server 3.0 allows a remote attac ...) NOT-FOR-US: Adobe CVE-2002-1019 (The library feature for Adobe Content Server 3.0 allows a remote attac ...) NOT-FOR-US: Adobe CVE-2002-1018 (The library feature for Adobe Content Server 3.0 does not verify if a ...) NOT-FOR-US: Adobe CVE-2002-1017 (Adobe eBook Reader 2.1 and 2.2 allows a user to copy eBooks to other s ...) NOT-FOR-US: Adobe CVE-2002-1016 (Adobe eBook Reader allows a user to bypass restrictions for copy, prin ...) NOT-FOR-US: Adobe CVE-2002-1012 (Buffer overflow in web server for Tivoli Management Framework (TMF) Ma ...) NOT-FOR-US: Tivoli CVE-2002-1011 (Buffer overflow in web server for Tivoli Management Framework (TMF) En ...) NOT-FOR-US: Tivoli CVE-2002-1010 (Lotus Domino R4 allows remote attackers to bypass access restrictions ...) NOT-FOR-US: Domino CVE-2002-1009 (Cross-site scripting vulnerability in PowerBASIC pbcgi.cgi, as include ...) NOT-FOR-US: PowerBASIC CVE-2002-1008 (Cross-site scripting vulnerability in PowerBASIC urlcount.cgi, as incl ...) NOT-FOR-US: PowerBASIC CVE-2002-1007 (Cross-site scripting vulnerabilities in Blackboard 5 allow remote atta ...) NOT-FOR-US: Blackboard CVE-2002-1005 (ArGoSoft Mail Server 1.8.1.7 and earlier allows a webmail user to caus ...) NOT-FOR-US: ArGoSoft CVE-2002-1003 (Buffer overflow in MyWebServer 1.02 and earlier allows remote attacker ...) NOT-FOR-US: MyWebServer CVE-2002-1001 (Buffer overflows in AnalogX Proxy before 4.12 allows remote attackers ...) NOT-FOR-US: AnalogX Proxy CVE-2002-0999 (Multiple SQL injection vulnerabilities in CARE 2002 before beta 1.0.02 ...) NOT-FOR-US: CARE CVE-2002-0998 (Directory traversal vulnerability in cafenews.php for CARE 2002 before ...) NOT-FOR-US: CARE CVE-2002-0997 (Buffer overflows in IMAP Agent (imapd) for Novell NetMail (NIMS) 3.0.3 ...) NOT-FOR-US: Novell CVE-2002-0996 (Multiple buffer overflows in Novell NetMail (NIMS) 3.0.3 before 3.0.3C ...) NOT-FOR-US: Novell CVE-2002-0994 (SunPCi II VNC uses a weak authentication scheme, which allows remote a ...) NOT-FOR-US: SunPci II VNC CVE-2002-0993 (Unknown vulnerability in HP Instant Support Enterprise Edition (ISEE) ...) NOT-FOR-US: HP CVE-2002-0992 (Unknown vulnerability in IPV6 functionality for DCE daemons (1) dced o ...) NOT-FOR-US: HP CVE-2002-0991 (Buffer overflows in the cifslogin command for HP CIFS/9000 Client A.01 ...) NOT-FOR-US: HP CVE-2002-0983 (IRC client irssi in irssi-text before 0.8.4 allows remote attackers to ...) {DSA-157} - irssi-text 0.8.5-2 CVE-2002-0982 (Microsoft SQL Server 2000 SP2, when configured as a distributor, allow ...) NOT-FOR-US: Microsoft CVE-2002-0980 (The Web Folder component for Internet Explorer 5.5 and 6.0 writes an e ...) NOT-FOR-US: Microsoft CVE-2002-0979 (The Java logging feature for the Java Virtual Machine in Internet Expl ...) NOT-FOR-US: Microsoft CVE-2002-0978 (Microsoft File Transfer Manager (FTM) ActiveX control before 4.0 allow ...) NOT-FOR-US: Microsoft CVE-2002-0977 (Buffer overflow in Microsoft File Transfer Manager (FTM) ActiveX contr ...) NOT-FOR-US: Microsoft CVE-2002-0976 (Internet Explorer 4.0 and later allows remote attackers to read arbitr ...) NOT-FOR-US: Microsoft CVE-2002-0975 (Buffer overflow in Microsoft DirectX Files Viewer ActiveX control (xwe ...) NOT-FOR-US: Microsoft CVE-2002-0973 (Integer signedness error in several system calls for FreeBSD 4.6.1 REL ...) NOT-FOR-US: FreeBSD CVE-2002-0972 (Buffer overflows in PostgreSQL 7.2 allow attackers to cause a denial o ...) {DSA-165} - postgresql 7.2.2-1 CVE-2002-0971 (Vulnerability in VNC, TightVNC, and TridiaVNC allows local users to ex ...) NOT-FOR-US: Microsoft Windows specific CVE-2002-0966 (Buffer overflow in 4D web server 6.7.3 allow remote attackers to cause ...) NOT-FOR-US: 4D web server CVE-2002-0963 (SQL injection vulnerability in comment.php for GeekLog 1.3.5 and earli ...) NOT-FOR-US: GeekLog CVE-2002-0962 (Cross-site scripting vulnerabilities in GeekLog 1.3.5 and earlier allo ...) NOT-FOR-US: GeekLog CVE-2002-0961 (Vulnerabilities in Voxel Dot Net CBMS 0.7 and earlier allow remote att ...) NOT-FOR-US: Voxel Dot Net CBMS CVE-2002-0960 (Multiple cross-site scripting vulnerabilities in Voxel Dot Net CBMS 0. ...) NOT-FOR-US: Voxel Dot Net CBMS CVE-2002-0959 (Cross-site scripting vulnerability in Splatt Forum 3.0 allows remote a ...) NOT-FOR-US: Splatt Forum CVE-2002-0957 (The default configuration of BlackICE Agent 3.1.eal and 3.1.ebh has a ...) NOT-FOR-US: BlackICE Agent CVE-2002-0956 (BlackICE Agent 3.1.eal does not always reactivate after a system stand ...) NOT-FOR-US: BlackICE Agent CVE-2002-0955 (Cross-site scripting vulnerability in YaBB.cgi for Yet Another Bulleti ...) NOT-FOR-US: YaBB CVE-2002-0954 (The encryption algorithms for enable and passwd commands on Cisco PIX ...) NOT-FOR-US: Cisco CVE-2002-0951 (SQL injection vulnerability in Ruslan <Body>Builder allows remot ...) NOT-FOR-US: Ruslan CVE-2002-0950 (Cross-site scripting vulnerability in TransWARE Active! mail 1.422 and ...) NOT-FOR-US: TransWARE Active! CVE-2002-0949 (Telindus 1100 series ADSL router allows remote attackers to gain privi ...) NOT-FOR-US: Telindus ADSL router CVE-2002-0948 (Scripts For Educators MakeBook 2.2 CGI program allows remote attackers ...) NOT-FOR-US: MakeBook CVE-2002-0944 (Cross-site scripting vulnerability in DeepMetrix LiveStats 5.03 throug ...) NOT-FOR-US: DeepMetrix LiveStats CVE-2002-0943 (MetaCart2.sql stores the user database under the web document root wit ...) NOT-FOR-US: MetaCart CVE-2002-0942 (Buffer overflows in Lugiment Log Explorer before 3.02 allow attackers ...) NOT-FOR-US: Lugiment Log Explorer CVE-2002-0940 (domesticinstall.exe for nCipher MSCAPI CSP 5.50 and 5.54 does not use ...) NOT-FOR-US: nCipher MSCAPI CVE-2002-0939 (The Install Wizard for nCipher MSCAPI CSP 5.50 does not use Operator C ...) NOT-FOR-US: nCipher MSCAPI CVE-2002-0937 (The Java Server Pages (JSP) engine in JRun allows web page owners to c ...) NOT-FOR-US: JRun CVE-2002-0936 (The Java Server Pages (JSP) engine in Tomcat allows web page owners to ...) - tomcat 3.2.3-1 CVE-2002-0934 (Directory traversal vulnerability in Jon Hedley AlienForm2 (typically ...) NOT-FOR-US: Jon Hedley AlienForm2 CVE-2002-0933 (Datalex PLC BookIt! Consumer before 2.2 stores usernames and passwords ...) NOT-FOR-US: Datalex PLC BooktIt Consumer CVE-2002-0932 (SQL injection vulnerability in index.php for MyHelpDesk 20020509, and ...) NOT-FOR-US: MyHelpDesk CVE-2002-0931 (Cross-site scripting vulnerabilities in MyHelpDesk 20020509, and possi ...) NOT-FOR-US: MyHelpDesk CVE-2002-0930 (Format string vulnerability in the FTP server for Novell Netware 6.0 S ...) NOT-FOR-US: Netware CVE-2002-0929 (Buffer overflows in the DHCP server for NetWare 6.0 SP1 allow remote a ...) NOT-FOR-US: Netware CVE-2002-0928 (Buffer overflow in the Pirch 98 IRC client allows remote attackers to ...) NOT-FOR-US: pirch CVE-2002-0926 (Directory traversal vulnerability in Wolfram Research webMathematica 1 ...) NOT-FOR-US: webMathematica CVE-2002-0925 (Format string vulnerability in mmsyslog function allows remote attacke ...) NOT-FOR-US: mmftpd not in Debian anymore CVE-2002-0924 (CGIScript.net csNews.cgi allows remote authenticated users to execute ...) NOT-FOR-US: CGIScript.net not int Debian CVE-2002-0923 (CGIScript.net csNews.cgi allows remote authenticated users to read arb ...) NOT-FOR-US: CGIScript.net not int Debian CVE-2002-0922 (CGIScript.net csNews.cgi allows remote attackers to obtain database fi ...) NOT-FOR-US: CGIScript.net not int Debian CVE-2002-0921 (CGIScript.net csNews.cgi allows remote attackers to obtain potentially ...) NOT-FOR-US: CGIScript.net not int Debian CVE-2002-0920 (CGIScript.net csPassword.cgi stores usernames and unencrypted password ...) NOT-FOR-US: CGIScript.net not int Debian CVE-2002-0919 (CGIScript.net csPassword.cgi allows remote authenticated users to modi ...) NOT-FOR-US: CGIScript.net not int Debian CVE-2002-0918 (CGIScript.net csPassword.cgi leaks sensitive information such as the p ...) NOT-FOR-US: CGIScript.net not int Debian CVE-2002-0917 (CGIScript.net csPassword.cgi stores .htpasswd files under the web docu ...) NOT-FOR-US: CGIScript.net not int Debian CVE-2002-0915 (autorun in Xandros based Linux distributions allows local users to rea ...) NOT-FOR-US: Xandros specific tool CVE-2002-0913 (Format string vulnerability in log_doit function of Slurp NNTP client ...) NOT-FOR-US: Slurp NNTP CVE-2002-0912 (in.uucpd UUCP server in Debian GNU/Linux 2.2, and possibly other opera ...) NOTE: DSA-129 CVE-2002-0910 (Buffer overflows in netstd 3.07-17 package allows remote DNS servers t ...) NOTE: netstd CVE-2002-0909 (Multiple buffer overflows in mnews 1.22 and earlier allow (1) a remote ...) NOT-FOR-US: mnews CVE-2002-0908 (Directory traversal vulnerability in the web server for Cisco IDS Devi ...) NOT-FOR-US: Cisco CVE-2002-0907 (Buffer overflow in SHOUTcast 1.8.9 and other versions before 1.8.12 al ...) NOT-FOR-US: SHOUTcast CVE-2002-0905 (Buffer overflow in sqlexec for Informix SE-7.25 allows local users to ...) NOT-FOR-US: Informix CVE-2002-0903 (register.php for WoltLab Burning Board (wbboard) 1.1.1 uses a small nu ...) NOT-FOR-US: wbboard CVE-2002-0902 (Cross-site scripting vulnerability in phpBB 2.0.0 (phpBB2) allows remo ...) - phpbb2 2.0.6c-1 CVE-2002-0901 (Multiple buffer overflows in Advanced Maryland Automatic Network Disk ...) - amanda 2.4.0b6-1 CVE-2002-0899 (Falcon web server 2.0.0.1021 and earlier allows remote attackers to by ...) NOT-FOR-US: Falcon CVE-2002-0896 (The throttle capability in Swatch may fail to report certain events if ...) - swatch 3.0.4-1 CVE-2002-0894 (NewAtlanta ServletExec ISAPI 4.1 allows remote attackers to cause a de ...) NOT-FOR-US: NewAtlanta ServletExec CVE-2002-0893 (Directory traversal vulnerability in NewAtlanta ServletExec ISAPI 4.1 ...) NOT-FOR-US: NewAtlanta ServletExec CVE-2002-0888 (3Com OfficeConnect Remote 812 ADSL Router, firmware 1.1.9 and 1.1.7, a ...) NOT-FOR-US: 3com CVE-2002-0886 (Cisco DSL CPE devices running CBOS 2.4.4 and earlier allows remote att ...) NOT-FOR-US: Cisco CVE-2002-0885 (Multiple buffer overflows in in.rarpd (ARP server) on Solaris, and pos ...) NOT-FOR-US: Solaris CVE-2002-0884 (Multiple format string vulnerabilities in in.rarpd (ARP server) on Sol ...) NOT-FOR-US: Solaris CVE-2002-0883 (Vulnerability in Compaq ProLiant BL e-Class Integrated Administrator 1 ...) NOT-FOR-US: Compaq CVE-2002-0882 (The web server for Cisco IP Phone (VoIP) models 7910, 7940, and 7960 a ...) NOT-FOR-US: Cisco CVE-2002-0881 (Cisco IP Phone (VoIP) models 7910, 7940, and 7960 use a default admini ...) NOT-FOR-US: Cisco CVE-2002-0880 (Cisco IP Phone (VoIP) models 7910, 7940, and 7960 allow remote attacke ...) NOT-FOR-US: Cisco CVE-2002-0879 (showtemp.cfm for Gafware CFXImage 1.6.6 allows remote attackers to rea ...) NOT-FOR-US: CFXImage CVE-2002-0878 (SQL injection vulnerability in the login form for LogiSense software i ...) NOT-FOR-US: LogiSense CVE-2002-0877 (Directory traversal vulnerability in the FTP server for Shambala 4.5 a ...) NOT-FOR-US: Shambala CVE-2002-0876 (Web server for Shambala 4.5 allows remote attackers to cause a denial ...) NOT-FOR-US: Shambala CVE-2002-0874 (Vulnerability in Interchange 4.8.6, 4.8.3, and other versions, when ru ...) {DSA-150} - interchange 4.8.6-1 CVE-2002-0870 (The original patch for the Cisco Content Service Switch 11000 Series a ...) NOT-FOR-US: Cisco CVE-2002-0869 (Unknown vulnerability in the hosting process (dllhost.exe) for Microso ...) NOT-FOR-US: IIS CVE-2002-0868 RESERVED CVE-2002-0863 (Remote Data Protocol (RDP) version 5.0 in Microsoft Windows 2000 and R ...) NOT-FOR-US: Windows CVE-2002-0862 (The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, ...) NOT-FOR-US: Microsoft CVE-2002-0861 (Microsoft Office Web Components (OWC) 2000 and 2002 allows remote atta ...) NOT-FOR-US: Microsoft CVE-2002-0858 (catsnmp in Oracle 9i and 8i is installed with a dbsnmp user with a def ...) NOT-FOR-US: Oracle CVE-2002-0857 (Format string vulnerabilities in Oracle Listener Control utility (lsnr ...) NOT-FOR-US: Oracle CVE-2002-0855 (Cross-site scripting vulnerability in Mailman before 2.0.12 allows rem ...) {DSA-147} - mailman 2.0.12-1 CVE-2002-0854 (Buffer overflows in ISDN Point to Point Protocol (PPP) daemon (ipppd) ...) NOT-FOR-US: SuSE specific CVE-2002-0852 (Buffer overflows in Cisco Virtual Private Network (VPN) Client 3.5.4 a ...) NOT-FOR-US: Cisco CVE-2002-0849 (Linux-iSCSI iSCSI implementation installs the iscsi.conf file with wor ...) NOT-FOR-US: iSCSI CVE-2002-0843 (Buffer overflows in the ApacheBench benchmark support program (ab.c) i ...) {DSA-195 DSA-188 DSA-187} - apache 1.3.27-0.1 - apache-perl 1.3.26-1.1-1.27-3-1 CVE-2002-0841 REJECTED CVE-2002-0839 (The shared memory scoreboard in the HTTP daemon for Apache 1.3.x befor ...) {DSA-195 DSA-188 DSA-187} - apache 1.3.27-0.1 - apache-perl 1.3.26-1.1-1.27-3-1 CVE-2002-0838 (Buffer overflow in (1) gv 3.5.8 and earlier, (2) gvv 1.0.2 and earlier ...) {DSA-182 DSA-179 DSA-176} - kdegraphics 4:2.2.2-6.9 - gnome-gv 1.99.7-9 - gv 1:3.5.8-27 CVE-2002-0837 (wordtrans 1.1pre8 and earlier in the wordtrans-web package allows remo ...) - wordtrans 1.1pre9 CVE-2002-0834 (Buffer overflow in the ISIS dissector for Ethereal 0.9.5 and earlier a ...) {DSA-162} - ethereal 0.9.6-1 CVE-2002-0833 (Buffer overflow in Eudora 5.1.1 and 5.0-J for Windows, and possibly ot ...) NOT-FOR-US: Eudora CVE-2002-0832 (Internet Explorer 5, 5.6, and 6 allows remote attackers to bypass cook ...) NOT-FOR-US: Internet Explorer CVE-2002-0828 REJECTED CVE-2002-0827 (Vulnerability in pppd on UnixWare 7.1.1 and Open UNIX 8.0.0 allows loc ...) NOT-FOR-US: UnixWare CVE-2002-0825 (Buffer overflow in the DNS SRV code for nss_ldap before nss_ldap-198 a ...) - libnss-ldap 199-1 CVE-2002-0822 (Ethereal 0.9.4 and earlier allows remote attackers to cause a denial o ...) - ethereal 0.9.4-1woody1 CVE-2002-0821 (Buffer overflows in Ethereal 0.9.4 and earlier allow remote attackers ...) - ethereal 0.9.4-1woody1 CVE-2002-0820 (FreeBSD kernel 4.6 and earlier closes the file descriptors 0, 1, and 2 ...) NOT-FOR-US: FreeBSD CVE-2002-0819 (Format string vulnerability in artsd, when called by artswrapper, allo ...) - arts (artscontrol not suid root) CVE-2002-0815 (The Javascript "Same Origin Policy" (SOP), as implemented in (1) Netsc ...) - mozilla 2:1.0.0-1 CVE-2002-0812 (Information leak in Compaq WL310, and the Orinoco Residential Gateway ...) NOT-FOR-US: Compaq hardware CVE-2002-0811 (Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, may allow remote ...) NOTE: bugzilla 2.16.0-2.1 CVE-2002-0807 (Cross-site scripting vulnerabilities in Bugzilla 2.14 before 2.14.2, a ...) NOTE: bugzilla 2.16.0-2.1 CVE-2002-0803 (Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, allows remote at ...) NOTE: bugzilla 2.16.0-2.1 CVE-2002-0800 (BadBlue 1.7.0 allows remote attackers to list the contents of director ...) NOT-FOR-US: BadBlue CVE-2002-0799 (Buffer overflow in YoungZSoft CMailServer 3.30 allows remote attackers ...) NOT-FOR-US: YoungZoft CVE-2002-0798 (Vulnerability in swinstall for HP-UX 11.00 and 11.11 allows local user ...) NOT-FOR-US: HP CVE-2002-0797 (Buffer overflow in the MIB parsing component of mibiisa for Solaris 5. ...) NOT-FOR-US: Solaris CVE-2002-0796 (Format string vulnerability in the logging component of snmpdx for Sol ...) NOT-FOR-US: Solaris CVE-2002-0793 (Hard link and possibly symbolic link following vulnerabilities in QNX ...) NOT-FOR-US: QNX CVE-2002-0792 (The web management interface for Cisco Content Service Switch (CSS) 11 ...) NOT-FOR-US: Cisco CVE-2002-0791 (Novell Netware FTP server NWFTPD before 5.02r allows remote attackers ...) NOT-FOR-US: Novell CVE-2002-0787 (Cross-site scripting vulnerabilities in iCon administrative web server ...) NOT-FOR-US: iCon CVE-2002-0786 (iCon administrative web server for Critical Path inJoin Directory Serv ...) NOT-FOR-US: Critical Path inJoin Directory Server CVE-2002-0784 (Directory traversal vulnerability in Lysias Lidik web server 0.7b allo ...) NOT-FOR-US: Lidik web server CVE-2002-0783 (Opera 6.01, 6.0, and 5.12 allows remote attackers to execute arbitrary ...) NOT-FOR-US: Opera CVE-2002-0782 (Novell BorderManager 3.5 with PAT (Port-Address Translate) enabled all ...) NOT-FOR-US: Novell CVE-2002-0781 (RTSP proxy for Novell BorderManager 3.6 SP 1a allows remote attackers ...) NOT-FOR-US: Novell CVE-2002-0780 (IP/IPX gateway for Novell BorderManager 3.6 SP 1a allows remote attack ...) NOT-FOR-US: Novell CVE-2002-0779 (FTP proxy server for Novell BorderManager 3.6 SP 1a allows remote atta ...) NOT-FOR-US: Novell CVE-2002-0775 (browse.asp in Hosting Controller allows remote attackers to view arbit ...) NOT-FOR-US: Hosting Controller CVE-2002-0774 (Hosting Controller creates a default user AdvWebadmin with a default p ...) NOT-FOR-US: Hosting Controller CVE-2002-0773 (imp_rootdir.asp for Hosting Controller allows remote attackers to copy ...) NOT-FOR-US: Hosting Controller CVE-2002-0772 (Directory traversal vulnerability in dsnmanager.asp for Hosting Contro ...) NOT-FOR-US: Hosting Controller CVE-2002-0771 (Cross-site scripting vulnerability in viewcvs.cgi for ViewCVS 0.9.2 al ...) - viewcvs 0.9.2-5 CVE-2002-0770 (Quake 2 (Q2) server 3.20 and 3.21 allows remote attackers to obtain se ...) NOT-FOR-US: Historic Quake2 issue CVE-2002-0769 (The web-based configuration interface for the Cisco ATA 186 Analog Tel ...) NOT-FOR-US: Cisco CVE-2002-0767 (simpleinit on Linux systems does not close a read/write FIFO file desc ...) NOT-FOR-US: simpleinit CVE-2002-0764 (Phorum 3.3.2a allows remote attackers to execute arbitrary commands vi ...) NOT-FOR-US: Phorum CVE-2002-0763 (Vulnerability in administration server for HP VirtualVault 4.5 on HP-U ...) NOT-FOR-US: HP CVE-2002-0757 ((1) Webmin 0.96 and (2) Usermin 0.90 with password timeouts enabled al ...) - webmin 0.980-1 - usermin 0.910-1 CVE-2002-0756 (Cross-site scripting vulnerability in the authentication page for (1) ...) - webmin 0.980-1 - usermin 0.910-1 CVE-2002-0753 (Buffer overflow in Talentsoft Web+ 5.0 allows remote attackers to exec ...) NOT-FOR-US: Talentsoft CVE-2002-0752 (CGIscript.net csMailto.cgi program exports feedback to a file that is ...) NOT-FOR-US: CGIscript.net CVE-2002-0751 (CGIscript.net csMailto.cgi program allows remote attackers to use csMa ...) NOT-FOR-US: CGIscript.net CVE-2002-0750 (CGIscript.net csMailto.cgi program allows remote attackers to read arb ...) NOT-FOR-US: CGIscript.net CVE-2002-0749 (CGIscript.net csMailto.cgi allows remote attackers to execute arbitrar ...) NOT-FOR-US: CGIscript.net CVE-2002-0747 (Buffer overflow in lsmcode in AIX 4.3.3. ...) NOT-FOR-US: AIX CVE-2002-0746 (Vulnerability in template.dhcpo in AIX 4.3.3 related to an insecure li ...) NOT-FOR-US: AIX CVE-2002-0745 (Buffer overflow in uucp in AIX 4.3.3. ...) NOT-FOR-US: AIX CVE-2002-0744 (namerslv in AIX 4.3.3 core dumps when called with a very long argument ...) NOT-FOR-US: AIX CVE-2002-0743 (mail and mailx in AIX 4.3.3 core dump when called with a very long arg ...) NOT-FOR-US: AIX CVE-2002-0742 (Buffer overflow in pioout on AIX 4.3.3. ...) NOT-FOR-US: AIX CVE-2002-0740 (Buffer overflow in slrnpull for the SLRN package, when installed setui ...) - slrn 0.9.6.2-9 CVE-2002-0739 (Cross-site scripting in PostCalendar 3.02 allows remote attackers to i ...) NOT-FOR-US: PostCalendat CVE-2002-0735 (Format string vulnerability in the logging() function in C-Note Squid ...) - squid (Historic vulnerability, fixed before Woody was released) CVE-2002-0732 (Cross-site scripting vulnerability in MyGuestbook 1.0 allows remote at ...) NOT-FOR-US: MyGuestbook CVE-2002-0731 (Cross-site scripting vulnerability in demonstration scripts for vqServ ...) NOT-FOR-US: vqServer CVE-2002-0730 (Cross-site scripting vulnerability in guestbook.pl for Philip Chinery' ...) NOT-FOR-US: guestbook CVE-2002-0728 (Buffer overflow in the progressive reader for libpng 1.2.x before 1.2. ...) {DSA-140} - libpng 1.0.12-4 - libpng3 1.2.1-2 CVE-2002-0725 (NTFS file system in Windows NT 4.0 and Windows 2000 SP2 allows local a ...) NOT-FOR-US: windows CVE-2002-0724 (Buffer overflow in SMB (Server Message Block) protocol in Microsoft Wi ...) NOT-FOR-US: windows CVE-2002-0723 (Microsoft Internet Explorer 5.5 and 6.0 does not properly verify the d ...) NOT-FOR-US: internet explorer CVE-2002-0721 (Microsoft SQL Server 7.0 and 2000 installs with weak permissions for e ...) NOT-FOR-US: Microsoft SQL Server CVE-2002-0717 (PHP 4.2.0 and 4.2.1 allows remote attackers to cause a denial of servi ...) - php4 4:4.2.2-1 CVE-2002-0715 (Vulnerability in Squid before 2.4.STABLE6 related to proxy authenticat ...) - squid 2.4.6-2 CVE-2002-0713 (Buffer overflows in Squid before 2.4.STABLE6 allow remote attackers to ...) - squid 2.4.6-2 CVE-2002-0712 (Entrust Authority Security Manager (EASM) 6.0 does not properly requir ...) NOT-FOR-US: EASM CVE-2002-0711 (Unknown vulnerability in Cluster Interconnect for HP TruCluster Server ...) NOT-FOR-US: HP CVE-2002-0709 (SQL injection vulnerabilities in the Web Reports Server for SurfContro ...) NOT-FOR-US: no_package CVE-2002-0708 (Directory traversal vulnerability in the Web Reports Server for SurfCo ...) NOT-FOR-US: no_package CVE-2002-0707 (The Web Reports Server for SurfControl SuperScout WebFilter allows rem ...) NOT-FOR-US: no_package CVE-2002-0706 (UserManager.js in the Web Reports Server for SurfControl SuperScout We ...) NOT-FOR-US: no_package CVE-2002-0705 (The Web Reports Server for SurfControl SuperScout WebFilter stores the ...) NOT-FOR-US: no_package CVE-2002-0702 (Format string vulnerabilities in the logging routines for dynamic DNS ...) - dhcp3 3.0+3.0.1rc9-1 CVE-2002-0699 (Unknown vulnerability in the Certificate Enrollment ActiveX Control in ...) NOT-FOR-US: windows CVE-2002-0693 (Buffer overflow in the HTML Help ActiveX Control (hhctrl.ocx) in Micro ...) NOT-FOR-US: windows CVE-2002-0690 (Format string vulnerability in McAfee Security ePolicy Orchestrator (e ...) NOT-FOR-US: McAfee CVE-2002-0689 RESERVED CVE-2002-0686 (Buffer overflow in the search component for iPlanet Web Server (iWS) 4 ...) NOT-FOR-US: no_package CVE-2002-0684 (Buffer overflow in DNS resolver functions that perform lookup of netwo ...) - glibc 2.2.5-8 CVE-2002-0683 (Directory traversal vulnerability in Carello 1.3 allows remote attacke ...) NOT-FOR-US: no_package CVE-2002-0681 (Cross-site scripting vulnerability in GoAhead Web Server 2.1 allows re ...) NOT-FOR-US: no_package CVE-2002-0680 (Directory traversal vulnerability in GoAhead Web Server 2.1 allows rem ...) NOT-FOR-US: no_package CVE-2002-0677 (CDE ToolTalk database server (ttdbserver) allows remote attackers to o ...) NOT-FOR-US: no_package CVE-2002-0675 (Pingtel xpressa SIP-based voice-over-IP phone 1.2.5 through 1.2.7.4 do ...) NOT-FOR-US: no_package CVE-2002-0670 (The web interface for Pingtel xpressa SIP-based voice-over-IP phone 1. ...) NOT-FOR-US: no_package CVE-2002-0669 (The web interface for Pingtel xpressa SIP-based voice-over-IP phone 1. ...) NOT-FOR-US: no_package CVE-2002-0667 (Pingtel xpressa SIP-based voice-over-IP phone 1.2.5 through 1.2.7.4 ha ...) NOT-FOR-US: no_package CVE-2002-0666 (IPSEC implementations including (1) FreeS/WAN and (2) KAME do not prop ...) {DSA-201} - freeswan 1.99-1 CVE-2002-0664 (The default Access Control Lists (ACLs) of the administration database ...) NOT-FOR-US: ZMerge CVE-2002-0661 (Directory traversal vulnerability in Apache 2.0 through 2.0.39 on Wind ...) - apache2 2.0.40 CVE-2002-0660 (Buffer overflow in libpng 1.0.12-3.woody.2 and libpng3 1.2.1-1.1.woody ...) {DSA-140} - libpng 1.0.12-4 - libpng3 1.2.1-2 CVE-2002-0659 (The ASN1 library in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and ea ...) {DSA-136} - openssl 0.9.6e-1 CVE-2002-0657 (Buffer overflow in OpenSSL 0.9.7 before 0.9.7-beta3, with Kerberos ena ...) {DSA-136} - openssl 0.9.6e-1 CVE-2002-0656 (Buffer overflows in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and ea ...) {DSA-136} - openssl 0.9.6e-1 CVE-2002-0655 (OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, does not prop ...) {DSA-136} - openssl 0.9.6e-1 CVE-2002-1412 (Gallery photo album package before 1.3.1 allows local and possibly rem ...) {DSA-138} - gallery 1.3-3 CVE-2004-0356 (Stack-based buffer overflow in Supervisor Report Center in SL Mail Pro ...) NOT-FOR-US: windows mta CVE-2004-0347 (Cross-site scripting (XSS) vulnerability in delhomepage.cgi in NetScre ...) NOT-FOR-US: juniper router CVE-2004-0336 (LAN SUITE Web Mail 602Pro allows remote attackers to gain sensitive in ...) NOT-FOR-US: windows mta CVE-2004-0320 (Unknown vulnerability in nCipher Hardware Security Modules (HSM) 1.67. ...) NOT-FOR-US: ncipher hardware CVE-2004-0309 (Stack-based buffer overflow in the SMTP service support in vsmon.exe i ...) NOT-FOR-US: windows firewall CVE-2004-0307 (Cisco ONS 15327 before 4.1(3), ONS 15454 before 4.6(1), and ONS 15454 ...) NOT-FOR-US: cisco CVE-2004-0306 (Cisco ONS 15327 before 4.1(3), ONS 15454 before 4.6(1), ONS 15454 SD b ...) NOT-FOR-US: cisco CVE-2004-0297 (Buffer overflow in the Lightweight Directory Access Protocol (LDAP) da ...) NOT-FOR-US: windows mta CVE-2004-0276 (The get_real_string function in Monkey HTTP Daemon (monkeyd) 0.8.1 and ...) NOT-FOR-US: monkeyd, not in debian CVE-2004-0274 (Share.mod in Eggheads Eggdrop IRC bot 1.6.10 through 1.6.15 can mistak ...) - eggdrop 1.6.17 CVE-2004-0273 (Directory traversal vulnerability in RealOne Player, RealOne Player 2. ...) NOT-FOR-US: realone player CVE-2004-0270 (libclamav in Clam AntiVirus 0.65 allows remote attackers to cause a de ...) - clamav 0.80 CVE-2004-0263 (PHP 4.3.4 and earlier in Apache 1.x and 2.x (mod_php) can leak global ...) - php4 4.3.9 CVE-2004-0261 (oj.cgi in OpenJournal 2.0 through 2.0.5 allows remote attackers to byp ...) NOT-FOR-US: openjournal, not in debian CVE-2004-0257 (OpenBSD 3.4 and NetBSD 1.6 and 1.6.1 allow remote attackers to cause a ...) NOT-FOR-US: open/netbsd CVE-2004-0256 (GNU libtool before 1.5.2, during compile time, allows local users to o ...) - libtool 1.5.6 CVE-2004-0194 (Stack-based buffer overflow in the OutputDebugString function for Adob ...) NOT-FOR-US: acroread CVE-2004-0193 (Heap-based buffer overflow in the ISS Protocol Analysis Module (PAM), ...) NOT-FOR-US: realsecure/blackice CVE-2004-0191 (Mozilla before 1.4.2 executes Javascript events in the context of a ne ...) - mozilla 2:1.7.3 CVE-2004-0190 (Symantec FireWall/VPN Appliance model 200 records a cleartext password ...) NOT-FOR-US: symantec CVE-2004-0189 (The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows ...) {DSA-474} - squid 2.5.5-1 CVE-2004-0188 (Heap-based buffer overflow in Calife 2.8.5 and earlier may allow local ...) {DSA-461} - calife 2.8.6-1 (bug #235157) CVE-2004-0186 (smbmnt in Samba 2.x and 3.x on Linux 2.6, when installed setuid, allow ...) {DSA-463} - samba 3.0.2-2 CVE-2004-0185 (Buffer overflow in the skey_challenge function in ftpd.c for wu-ftp da ...) {DSA-457} - wu-ftpd 2.6.2-17.1 CVE-2004-0173 (Directory traversal vulnerability in Apache 1.3.29 and earlier, and Ap ...) NOT-FOR-US: apache/cygwin CVE-2004-0171 (FreeBSD 5.1 and earlier, and Mac OS X before 10.3.4, allows remote att ...) NOT-FOR-US: freebsd/os x CVE-2004-0169 (QuickTime Streaming Server in MacOS X 10.2.8 and 10.3.2 allows remote ...) NOT-FOR-US: os x CVE-2004-0167 (DiskArbitration in Mac OS X 10.2.8 and 10.3.2 does not properly initia ...) NOT-FOR-US: os x CVE-2004-0165 (Format string vulnerability in Point-to-Point Protocol (PPP) daemon (p ...) NOT-FOR-US: os x CVE-2004-0160 (Synaesthesia 2.2 and earlier allows local users to execute arbitrary c ...) {DSA-446} - synaesthesia 2.1-3 NOTE: synaesthesia is no longer setuid in Debian. CVE-2004-0159 (Format string vulnerability in hsftp 1.11 allows remote authenticated ...) {DSA-447} - hsftp 1.15-1 CVE-2004-0150 (Buffer overflow in the getaddrinfo function in Python 2.2 before 2.2.2 ...) {DSA-458-3} - python2.2 2.2.2 CVE-2004-0148 (wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, all ...) {DSA-457} - wu-ftpd 2.6.2-17.1 CVE-2004-0131 (The rad_print_request function in logger.c for GNU Radius daemon (radi ...) NOT-FOR-US: gnu radiusd, not in debian CVE-2004-0129 (Directory traversal vulnerability in export.php in phpMyAdmin 2.5.5 an ...) - phpmyadmin 2:2.6.0-pl2 CVE-2004-0128 (PHP remote file inclusion vulnerability in the GEDCOM configuration sc ...) NOT-FOR-US: phpgedview, not in debian CVE-2004-0126 (The jail_attach system call in FreeBSD 5.1 and 5.2 changes the directo ...) NOT-FOR-US: freebsd CVE-2004-0122 (Microsoft MSN Messenger 6.0 and 6.1 does not properly handle certain r ...) NOT-FOR-US: microsoft CVE-2004-0121 (Argument injection vulnerability in Microsoft Outlook 2002 does not su ...) NOT-FOR-US: microsoft CVE-2004-0115 (VirtualPC_Services in Microsoft Virtual PC for Mac 6.0 through 6.1 all ...) NOT-FOR-US: microsoft CVE-2004-0114 (The shmat system call in the System V Shared Memory interface for Free ...) NOT-FOR-US: bsd CVE-2004-0113 (Memory leak in ssl_engine_io.c for mod_ssl in Apache 2 before 2.0.49 a ...) - apache2 2.0.52 CVE-2004-0111 (gdk-pixbuf before 0.20 allows attackers to cause a denial of service ( ...) {DSA-464} - gdk-pixbuf 0.22.0-3 CVE-2004-0108 (The isag utility, which processes sysstat data, allows local users to ...) {DSA-460} - sysstat 5.0.2-1 CVE-2004-0099 (mksnap_ffs in FreeBSD 5.1 and 5.2 only sets the snapshot flag when cre ...) NOT-FOR-US: freebsd CVE-2004-0096 (Unknown vulnerability in mod_python 2.7.9 allows remote attackers to c ...) - libapache-mod-python 2:2.7.10 CVE-2004-0095 (McAfee ePolicy Orchestrator agent allows remote attackers to cause a d ...) NOT-FOR-US: mcafee CVE-2004-0094 (Integer signedness errors in XFree86 4.1.0 allow remote attackers to c ...) {DSA-443} - xfree86 4.2.1-6 CVE-2004-0093 (XFree86 4.1.0 allows remote attackers to cause a denial of service and ...) {DSA-443} - xfree86 4.2.1-6 CVE-2004-0089 (Buffer overflow in TruBlueEnvironment in Mac OS X 10.3.x and 10.2.x al ...) NOT-FOR-US: os x CVE-2004-0082 (The mksmbpasswd shell script (mksmbpasswd.sh) in Samba 3.0.0 and 3.0.1 ...) - samba 3.0.7 CVE-2004-0080 (The login program in util-linux 2.11 and earlier uses a pointer after ...) NOT-FOR-US: debian uses different login CVE-2004-0078 (Buffer overflow in the index menu code (menu_pad_string of menu.c) for ...) - mutt 1.5.6-20040722+1 CVE-2004-0077 (The do_mremap function for the mremap system call in Linux 2.2 to 2.2. ...) {DSA-514 DSA-475 DSA-470 DSA-466 DSA-456 DSA-454 DSA-453 DSA-450 DSA-444 DSA-442 DSA-441 DSA-440 DSA-439 DSA-438} - kernel-source-2.4.27 (Fixed before initial upload; 2.4.26-pre3) - kernel-source-2.2.20 CVE-2004-0075 (The Vicam USB driver in Linux before 2.4.25 does not use the copy_from ...) - kernel-source-2.4.24 2.4.24-3 NOTE: fixed in 2.4.26-pre3 CVE-2004-0070 (PHP remote file inclusion vulnerability in module.php for ezContents a ...) NOT-FOR-US: ezcontents, commercial CVE-2004-0068 (PHP remote file inclusion vulnerability in config.php for PhpDig 1.6.5 ...) NOT-FOR-US: phpdig, not in debian CVE-2004-0063 (The SPP_VerifyPVV function in nCipher payShield SPP library 1.3.12, 1. ...) NOT-FOR-US: ncipher hsm CVE-2004-0049 (Helix Universal Server/Proxy 9 and Mobile Server 10 allow remote attac ...) NOT-FOR-US: real helix CVE-2004-0045 (Buffer overflow in the ARTpost function in art.c in the control messag ...) - inn2 2.4.1+20040820 [woody] - inn2 CVE-2004-0044 (Cisco Personal Assistant 1.4(1) and 1.4(2) disables password authentic ...) NOT-FOR-US: cisco CVE-2004-0040 (Stack-based buffer overflow in Check Point VPN-1 Server 4.1 through 4. ...) NOT-FOR-US: checkpoint CVE-2004-0036 (SQL injection vulnerability in calendar.php for vBulletin Forum 2.3.x ...) NOT-FOR-US: vbulletin, commercial CVE-2004-0035 (SQL injection vulnerability in register.php for Phorum 3.4.5 and earli ...) NOT-FOR-US: phorum, not in debian CVE-2004-0033 (admin.php in PHPGEDVIEW 2.61 allows remote attackers to obtain sensiti ...) NOT-FOR-US: phpgedview, not in debian CVE-2004-0032 (Cross-site scripting (XSS) vulnerability in search.php in PHPGEDVIEW 2 ...) NOT-FOR-US: phpgedview, not in debian CVE-2004-0031 (PHPGEDVIEW 2.61 allows remote attackers to reinstall the software and ...) NOT-FOR-US: phpgedview, not in debian CVE-2004-0028 (jitterbug 1.6.2 does not properly sanitize inputs, which allows remote ...) {DSA-420} - jitterbug 1.6.2-4.5 CVE-2004-0016 (The calendar module for phpgroupware 0.9.14 does not enforce the "save ...) {DSA-419} - phpgroupware 0.9.14.007-4 CVE-2004-0015 (vbox3 0.1.8 and earlier does not properly drop privileges before execu ...) {DSA-418} - vbox3 0.1.8 CVE-2004-0013 (jabber 1.4.2, 1.4.2a, and possibly earlier versions, does not properly ...) {DSA-414} - jabber 1.4.3-1 CVE-2004-0011 (Buffer overflow in fsp before 2.81.b18 allows remote users to execute ...) {DSA-416} - fsp 2.81.b18-1 CVE-2004-0009 (Apache-SSL 1.3.28+1.52 and earlier, with SSLVerifyClient set to 1 or 3 ...) - apache-ssl 1.3.31 CVE-2004-0004 (The libCheckSignature function in crypto-utils.lib for OpenCA 0.9.1.6 ...) NOT-FOR-US: openca, not in debian CVE-2004-0001 (Unknown vulnerability in the eflags checking in the 32-bit ptrace emul ...) - kernel-image-2.6.8-9-amd64-generic CVE-2003-1328 (The showHelp() function in Microsoft Internet Explorer 5.01, 5.5, and ...) NOT-FOR-US: windows CVE-2003-1326 (Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to byp ...) NOT-FOR-US: windows CVE-2003-1022 (Directory traversal vulnerability in fsp before 2.81.b18 allows remote ...) {DSA-416} - fsp 2.81.b18-1 CVE-2003-0994 (The GUI functionality for an interactive session in Symantec LiveUpdat ...) NOT-FOR-US: norton CVE-2003-0993 (mod_access in Apache 1.3 before 1.3.30, when running big-endian 64-bit ...) - apache 1.3.29.0.2-4 CVE-2003-0991 (Unknown vulnerability in the mail command handler in Mailman before 2. ...) {DSA-436} - mailman 2.1-1 NOTE: I have mailed Tollef Fog Heen about this. NOTE: Tollef Fog Heen reply to me that 2.1 versions are not vulnerable CVE-2003-0988 (Buffer overflow in the VCF file information reader for KDE Personal In ...) - kdepim 4:3.1.5-1 CVE-2003-0985 (The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21 ...) {DSA-475 DSA-470 DSA-450 DSA-442 DSA-440 DSA-439 DSA-427 DSA-423 DSA-417 DSA-413} - kernel-source-2.4.27 (Fixed before initial upload; 2.4.24-rc1) CVE-2003-0969 (mpg321 0.2.10 allows remote attackers to overwrite memory and possibly ...) {DSA-411} - mpg321 0.2.10.3 CVE-2003-0966 (Buffer overflow in the frm command in elm 2.5.6 and earlier, and possi ...) NOT-FOR-US: elm CVE-2003-0924 (netpbm 9.25 and earlier does not properly create temporary files, whic ...) {DSA-426} - netpbm-free 2:9.25-9 CVE-2003-0905 (Unknown vulnerability in Windows Media Station Service and Windows Med ...) NOT-FOR-US: microsoft CVE-2003-0903 (Buffer overflow in a component of Microsoft Data Access Components (MD ...) NOT-FOR-US: microsoft CVE-2003-0825 (The Windows Internet Naming Service (WINS) for Microsoft Windows Serve ...) NOT-FOR-US: microsoft CVE-2003-0145 (Unknown vulnerability in tcpdump before 3.7.2 related to an inability ...) {DSA-261} - tcpdump 3.7.2-1 CVE-2003-0143 (The pop_msg function in qpopper 4.0.x before 4.0.5fc2 does not null te ...) {DSA-259} - qpopper 4.0.4-9 CVE-2003-0125 (Buffer overflow in the web interface for SOHO Routefinder 550 before f ...) NOT-FOR-US: SOHO Routefinder CVE-2003-0124 (man before 1.5l allows attackers to execute arbitrary code via a malfo ...) NOT-FOR-US: man before 1.51 CVE-2003-0123 (Buffer overflow in Web Retriever client for Lotus Notes/Domino R4.5 th ...) NOT-FOR-US: lotus notes CVE-2003-0122 (Buffer overflow in Notes server before Lotus Notes R4, R5 before 5.0.1 ...) NOT-FOR-US: lotus notes CVE-2003-0120 (adb2mhc in the mhc-utils package before 0.25+20010625-7.1 allows local ...) {DSA-256} - mhc 0.25+20030224-1 CVE-2003-0108 (isakmp_sub_print in tcpdump 3.6 through 3.7.1 allows remote attackers ...) {DSA-255} - tcpdump 3.7.1-1.2 CVE-2003-0107 (Buffer overflow in the gzprintf function in zlib 1.1.4, when zlib is c ...) - zlib 1:1.1.4-10 CVE-2003-0104 (Directory traversal vulnerability in PeopleTools 8.10 through 8.18, 8. ...) NOT-FOR-US: peopletools CVE-2003-0103 (Format string vulnerability in Nokia 6210 handset allows remote attack ...) NOT-FOR-US: nokia handset CVE-2003-0102 (Buffer overflow in tryelf() in readelf.c of the file command allows at ...) {DSA-260} - file 3.40-1.1 CVE-2003-0100 (Buffer overflow in Cisco IOS 11.2.x to 12.0.x allows remote attackers ...) NOT-FOR-US: cisco CVE-2003-0097 (Unknown vulnerability in CGI module for PHP 4.3.0 allows attackers to ...) - php4 4:4.3.2+rc3-1 CVE-2003-0095 (Buffer overflow in ORACLE.EXE for Oracle Database Server 9i, 8i, 8.1.7 ...) NOT-FOR-US: oracle CVE-2003-0094 (A patch for mcookie in the util-linux package for Mandrake Linux 8.2 a ...) NOT-FOR-US: mandrake specific CVE-2003-0093 (The RADIUS decoder in tcpdump 3.6.2 and earlier allows remote attacker ...) {DSA-261} - tcpdump 3.7.1-1 CVE-2003-0088 (TruBlueEnvironment for MacOS 10.2.3 and earlier allows local users to ...) NOT-FOR-US: macosX CVE-2003-0087 (Buffer overflow in libIM library (libIM.a) for National Language Suppo ...) NOT-FOR-US: AIX CVE-2003-0081 (Format string vulnerability in packet-socks.c of the SOCKS dissector f ...) {DSA-258} - ethereal 0.9.9-2 CVE-2003-0079 (The DEC UDK processing feature in the hanterm (hanterm-xf) terminal em ...) NOT-FOR-US: hanterm before 2.0.5 CVE-2003-0078 (ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before ...) {DSA-253} - openssl 0.9.7a-1 CVE-2003-0077 (The hanterm (hanterm-xf) terminal emulator 2.0.5 and earlier, and poss ...) NOT-FOR-US: hanterm before 2.0.5 CVE-2003-0075 (Integer signedness error in the myFseek function of samplein.c for Bla ...) NOT-FOR-US: blade encoder not in Debian CVE-2003-0073 (Double-free vulnerability in mysqld for MySQL before 3.23.55 allows at ...) {DSA-303} - mysql-dfsg 4.0.12-2 CVE-2003-0071 (The DEC UDK processing feature in the xterm terminal emulator in XFree ...) {DSA-380} - xfree86 4.2.1-11 CVE-2003-0070 (VTE, as used by default in gnome-terminal terminal emulator 2.2 and as ...) - vte 1:0.11.10-1 CVE-2003-0069 (The PuTTY terminal emulator 0.53 allows attackers to modify the window ...) - putty 0.54-1 CVE-2003-0068 (The Eterm terminal emulator 0.9.1 and earlier allows attackers to modi ...) {DSA-496} - eterm 0.9.2-6 CVE-2003-0067 (The aterm terminal emulator 0.42 allows attackers to modify the window ...) NOTE: I have mailed Goran Weinholt about this. NOTE: Goran Weinholt tell me that aterm 0.4.2 was NOTE: never vulnerable to the problem described. NOTE: this CVE is bogus. CVE-2003-0066 (The rxvt terminal emulator 2.7.8 and earlier allows attackers to modif ...) - rxvt 1:2.6.4-6.1 (bug #244810) NOTE: woody version is still vulnerable CVE-2003-0065 (The uxterm terminal emulator allows attackers to modify the window tit ...) NOT-FOR-US: uxterm not in Debian CVE-2003-0064 (The dtterm terminal emulator allows attackers to modify the window tit ...) NOT-FOR-US: dtterm not in Debian CVE-2003-0063 (The xterm terminal emulator in XFree86 4.2.0 and earlier allows attack ...) {DSA-380} - xfree86 4.2.1-11 CVE-2003-0062 (Buffer overflow in Eset Software NOD32 for UNIX before 1.013 allows lo ...) NOT-FOR-US: NOD32 not in Debian CVE-2003-0059 (Unknown vulnerability in the chk_trans.c of the libkrb5 library for MI ...) - krb5 1.2.5-1 CVE-2003-0058 (MIT Kerberos V5 Key Distribution Center (KDC) before 1.2.5 allows remo ...) - krb5 1.2.5-1 CVE-2003-0055 (Buffer overflow in the MP3 broadcasting module of Apple Darwin Streami ...) NOT-FOR-US: apple CVE-2003-0054 (Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Strea ...) NOT-FOR-US: apple CVE-2003-0053 (Cross-site scripting (XSS) vulnerability in parse_xml.cgi in Apple Dar ...) NOT-FOR-US: apple CVE-2003-0052 (parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 an ...) NOT-FOR-US: apple CVE-2003-0051 (parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 an ...) NOT-FOR-US: apple CVE-2003-0050 (parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 an ...) NOT-FOR-US: apple CVE-2003-0045 (Jakarta Tomcat before 3.3.1a on certain Windows systems may allow remo ...) NOT-FOR-US: windows CVE-2003-0043 (Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, use ...) {DSA-246} - tomcat 3.3.1a-1 CVE-2003-0040 (SQL injection vulnerability in the PostgreSQL auth module for courier ...) {DSA-247} - courier 0.40.2-3 - courier-ssl 0.40.2-3 CVE-2003-0039 (ISC dhcrelay (dhcp-relay) 3.0rc9 and earlier, and possibly other versi ...) {DSA-245} - dhcp3 3.0+3.0.1rc11-3 NOTE: Version information in DSA is wrong. CVE-2003-0033 (Buffer overflow in the RPC preprocessor for Snort 1.8 and 1.9.x before ...) {DSA-297} - snort 2.0.0-1 CVE-2003-0032 (Memory leak in libmcrypt before 2.5.5 allows attackers to cause a deni ...) {DSA-228} - libmcrypt 2.5.5-1 CVE-2003-0027 (Directory traversal vulnerability in Sun Kodak Color Management System ...) NOT-FOR-US: sun CVE-2003-0024 (The menuBar feature in aterm 0.42 allows attackers to modify menu opti ...) NOTE: I have mailed Goran Weinholt about this. NOTE: Goran Weinholt tell me that aterm 0.4.2 was NOTE: never vulnerable to the problem described. NOTE: this CVE is bogus. CVE-2003-0023 (The menuBar feature in rxvt 2.7.8 allows attackers to modify menu opti ...) - rxvt 1:2.6.4-6.1 CVE-2003-0022 (The "screen dump" feature in rxvt 2.7.8 allows attackers to overwrite ...) - rxvt 1:2.6.4-6.1 CVE-2003-0021 (The "screen dump" feature in Eterm 0.9.1 and earlier allows attackers ...) - eterm 0.9.2-1 NOTE: According to upstream changelog and http://marc.info/?l=bugtraq&m=104612710031920&w=2 NOTE: this is fixed in eterm 0.9.2 CVE-2003-0020 (Apache does not filter terminal escape sequences from its error logs, ...) - apache2 2.0.49 - apache 1.3.29.0.2-4 CVE-2003-0019 (uml_net in the kernel-utils package for Red Hat Linux 8.0 has incorrec ...) NOT-FOR-US: redhat 8.0 only CVE-2003-0018 (Linux kernel 2.4.10 through 2.4.21-pre4 does not properly handle the O ...) {DSA-423 DSA-358} - linux-2.6 (Fixed before upload into archive; in 2.5.27) - kernel-source-2.4.27 (Fixed before upload into archive; in 2.4.21) CVE-2003-0017 (Apache 2.0 before 2.0.44 on Windows platforms allows remote attackers ...) NOT-FOR-US: apache on windows CVE-2003-0016 (Apache before 2.0.44, when running on unpatched Windows 9x and Me oper ...) NOT-FOR-US: apache on windows CVE-2003-0015 (Double-free vulnerability in CVS 1.11.4 and earlier allows remote atta ...) {DSA-233} - cvs 1.11.2-5.1 CVE-2003-0013 (The default .htaccess scripts for Bugzilla 2.14.x before 2.14.5, 2.16. ...) {DSA-230} - bugzilla 2.16.2-1 CVE-2003-0012 (The data collection script for Bugzilla 2.14.x before 2.14.5, 2.16.x b ...) {DSA-230} - bugzilla 2.16.2-1 CVE-2003-0009 (Cross-site scripting (XSS) vulnerability in Help and Support Center fo ...) NOT-FOR-US: windows CVE-2003-0007 (Microsoft Outlook 2002 does not properly handle requests to encrypt em ...) NOT-FOR-US: windows CVE-2003-0004 (Buffer overflow in the Windows Redirector function in Microsoft Window ...) NOT-FOR-US: windows CVE-2003-0003 (Buffer overflow in the RPC Locator service for Microsoft Windows NT 4. ...) NOT-FOR-US: windows CVE-2003-0002 (Cross-site scripting vulnerability (XSS) in ManualLogin.asp script for ...) NOT-FOR-US: windows CVE-2002-1574 (Buffer overflow in the ixj telephony card driver in Linux before 2.4.2 ...) NOTE: fixed after 2.6/2.4.20 kernel CVE-2002-1560 (index.php in gBook 1.4 allows remote attackers to bypass authenticatio ...) NOT-FOR-US: gbook not in Debian CVE-2002-1552 (Novell eDirectory (eDir) 8.6.2 and Netware 5.1 eDir 85.x allows users ...) NOT-FOR-US: novell CVE-2002-1550 (dump_smutil.sh in IBM AIX allows local users to overwrite arbitrary fi ...) NOT-FOR-US: AIX CVE-2002-1549 (Buffer overflow in Light HTTPd (lhttpd) 0.1 allows remote attackers to ...) NOT-FOR-US: lhttpd not in Debian CVE-2002-1548 (Unknown vulnerability in autofs on AIX 4.3.0, when using executable ma ...) NOT-FOR-US: AIX CVE-2002-1547 (Netscreen running ScreenOS 4.0.0r6 and earlier allows remote attackers ...) NOT-FOR-US: Netscreen CVE-2002-1543 (Buffer overflow in trek on NetBSD 1.5 through 1.5.3 allows local users ...) NOT-FOR-US: NetBSD CVE-2002-1541 (BadBlue 1.7 allows remote attackers to bypass password protections for ...) NOT-FOR-US: BadBlue not in Debian CVE-2002-1540 (The client for Symantec Norton AntiVirus Corporate Edition 7.5.x befor ...) NOT-FOR-US: norton CVE-2002-1538 (Acuma Acusend 4, and possibly earlier versions, allows remote authenti ...) NOT-FOR-US: acusend not in Debian CVE-2002-1537 (admin_ug_auth.php in phpBB 2.0.0 allows local users to gain administra ...) - phpbb2 2.0.6c-1 NOTE: according to http://www.securityfocus.com/archive/1/297419 NOTE: phpBB versions above 2.0.0 are not vulnerable. CVE-2002-1534 (Macromedia Flash Player allows remote attackers to read arbitrary file ...) NOTE: only affects flash 6.0 - 6.0.47.0, which is not in Debian CVE-2002-1532 (The administrative web interface (STEMWADM) for SurfControl SuperScout ...) NOT-FOR-US: surfcontrol CVE-2002-1531 (The administrative web interface (STEMWADM) for SurfControl SuperScout ...) NOT-FOR-US: surfcontrol CVE-2002-1530 (The administrative web interface (STEMWADM) for SurfControl SuperScout ...) NOT-FOR-US: surfcontrol CVE-2002-1529 (Cross-site scripting (XSS) vulnerability in msgError.asp for the admin ...) NOT-FOR-US: surfcontrol CVE-2002-1528 (MsmMask.exe in MondoSearch 4.4 allows remote attackers to obtain the s ...) NOT-FOR-US: mondosearch CVE-2002-1524 (Buffer overflow in XML parser in wsabi.dll of Winamp 3 (1.0.0.488) all ...) NOT-FOR-US: winamp CVE-2002-1521 (Web Server 4D (WS4D) 3.6 stores passwords in plaintext in the Ws4d.4DD ...) NOT-FOR-US: webserver 4D CVE-2002-1520 (The CLI interface for WatchGuard Firebox Vclass 3.2 and earlier, and R ...) NOT-FOR-US: WatchGuard CVE-2002-1519 (Format string vulnerability in the CLI interface for WatchGuard Firebo ...) NOT-FOR-US: WatchGuard CVE-2002-1518 (mv in IRIX 6.5 creates a directory with world-writable permissions whi ...) NOT-FOR-US: IRIX CVE-2002-1517 (fsr_efs in IRIX 6.5 allows local users to conduct unauthorized file ac ...) NOT-FOR-US: IRIX CVE-2002-1516 (rpcbind in SGI IRIX, when using the -w command line switch, allows loc ...) NOT-FOR-US: IRIX CVE-2002-1514 (gds_lock_mgr in Borland InterBase allows local users to overwrite file ...) NOT-FOR-US: interbase CVE-2002-1513 (The UCX POP server in HP TCP/IP services for OpenVMS 4.2 through 5.3 a ...) NOT-FOR-US: OpenVMS CVE-2002-1511 (The vncserver wrapper for vnc before 3.3.3r2-21 uses the rand() functi ...) - vnc 3.3.3r2-21 CVE-2002-1510 (xdm, with the authComplain variable set to false, allows arbitrary att ...) - xfree86 4.1.0-7 CVE-2002-1509 (A patch for shadow-utils 20000902 causes the useradd command to create ...) NOT-FOR-US: redhat and mandrake only CVE-2002-1505 (SQL injection vulnerability in board.php for WoltLab Burning Board (wB ...) NOT-FOR-US: WoltLab Burning Board not in Debian CVE-2002-1502 (Symbolic link vulnerability in xbreaky before 0.5.5 allows local users ...) NOT-FOR-US: xbreaky not in Debian CVE-2002-1501 (The MPS functionality in Enterasys SSR8000 (Smart Switch Router) befor ...) NOT-FOR-US: Enterasys CVE-2002-1497 (Cross-site scripting (XSS) vulnerability in Null HTTP Server 0.5.0 and ...) NOT-FOR-US: Null HTTP Server not in Debian CVE-2002-1496 (Heap-based buffer overflow in Null HTTP Server 0.5.0 and earlier allow ...) NOT-FOR-US: Null HTTP Server not in Debian CVE-2002-1494 (Cross-site scripting (XSS) vulnerabilities in Aestiva HTML/OS allows r ...) NOT-FOR-US: Aestiva CVE-2002-1493 (Cross-site scripting (XSS) vulnerability in Lycos HTMLGear guestbook a ...) NOT-FOR-US: Lycos CVE-2002-1491 (The Cisco VPN 5000 Client for MacOS before 5.2.2 records the most rece ...) NOT-FOR-US: Cisco CVE-2002-1490 (NetBSD 1.4 through 1.6 beta allows local users to cause a denial of se ...) NOT-FOR-US: NetBSD CVE-2002-1479 (Cacti before 0.6.8 stores a MySQL username and password in plaintext i ...) - cacti 0.6.8-1 CVE-2002-1478 (Cacti before 0.6.8 allows attackers to execute arbitrary commands via ...) {DSA-164} - cacti 0.6.8a-2 CVE-2002-1477 (graphs.php in Cacti before 0.6.8 allows remote authenticated Cacti adm ...) {DSA-164} - cacti 0.6.8a-2 CVE-2002-1476 (Buffer overflow in setlocale in libc on NetBSD 1.4.x through 1.6, and ...) NOT-FOR-US: NetBSD CVE-2002-1472 (Untrusted search path vulnerability in libX11.so in xfree86, when used ...) - xfree86 4.2.1-1 (bug #280872) CVE-2002-1471 (The camel component for Ximian Evolution 1.0.x and earlier does not ve ...) - evolution 1.2.0-1 (bug #280883) CVE-2002-1469 (scponly does not properly verify the path when finding the (1) scp or ...) - scponly 3.8-1 NOTE: according to http://web.archive.org/web/20150425070754/http://sublimation.org/scponly/ (scponly home page) NOTE: only versions of scponly older than scponly-2.4 are affected CVE-2002-1468 (Buffer overflow in errpt in AIX 4.3.3 allows local users to execute ar ...) NOT-FOR-US: AIX CVE-2002-1463 (Symantec Raptor Firewall 6.5 and 6.5.3, Enterprise Firewall 6.5.2 and ...) NOT-FOR-US: symantec CVE-2002-1448 (An undocumented SNMP read/write community string ('NoGaH$@!') in Avaya ...) NOT-FOR-US: Avaya P330, P130, and M770-ATM Cajun products CVE-2002-1447 (Buffer overflow in the vpnclient program for UNIX VPN Client before 3. ...) NOT-FOR-US: Cisco CVE-2002-1446 (The error checking routine used for the C_Verify call on a symmetric v ...) NOT-FOR-US: nCipher PKCS#11 library CVE-2002-1443 (The Google toolbar 1.1.58 and earlier allows remote web sites to monit ...) NOT-FOR-US: Google toolbar CVE-2002-1438 (The web handler for Perl 5.003 on Novell NetWare 5.1 and NetWare 6 all ...) NOT-FOR-US: Perl on Novell CVE-2002-1437 (Directory traversal vulnerability in the web handler for Perl 5.003 on ...) NOT-FOR-US: Perl on Novell CVE-2002-1436 (The web handler for Perl 5.003 on Novell NetWare 5.1 and NetWare 6 all ...) NOT-FOR-US: Perl on Novell CVE-2002-1435 (class.atkdateattribute.js.php in Achievo 0.7.0 through 0.9.1, except 0 ...) NOT-FOR-US: Achievo not in Debian CVE-2002-1430 (Unknown vulnerability in Sympoll 1.2 allows remote attackers to read a ...) NOT-FOR-US: Sympoll not in Debian CVE-2002-1425 (Directory traversal vulnerability in munpack in mpack 1.5 and earlier ...) {DSA-141} - mpack 1.5-9 CVE-2002-1424 (Buffer overflow in munpack in mpack 1.5 and earlier allows remote atta ...) - mpack 1.5-9 CVE-2002-1420 (Integer signedness error in select() on OpenBSD 3.1 and earlier allows ...) NOT-FOR-US: OpenBSD CVE-2002-1419 (The upgrade of IRIX on Origin 3000 to 6.5.13 through 6.5.16 changes th ...) NOT-FOR-US: IRIX on Origin CVE-2002-1418 (Buffer overflow in the interpreter for Novell NetBasic Scripting Serve ...) NOT-FOR-US: Novell NetBasic Scripting Server CVE-2002-1417 (Directory traversal vulnerability in Novell NetBasic Scripting Server ...) NOT-FOR-US: Novell NetBasic Scripting Server CVE-2002-1414 (Buffer overflow in qmailadmin allows local users to gain privileges vi ...) - qmailadmin 1.0.6-1 CVE-2002-1413 (RCONAG6 for Novell Netware SP2, while running RconJ in secure mode, al ...) NOT-FOR-US: RCONAG6 for Novell Netware SP2 CVE-2002-1407 (TinySSL 1.02 and earlier does not verify the Basic Constraints for an ...) NOT-FOR-US: TinySSL not in Debian CVE-2002-1405 (CRLF injection vulnerability in Lynx 2.8.4 and earlier allows remote a ...) {DSA-210} - lynx 2.8.4.1b-4 - lynx-ssl 1:2.8.4.1b-3.1 CVE-2002-XXXX [Cross-Site-Scripting in Bugzilla] - bugzilla 2.16.2-1 CVE-2002-1403 (dhcpcd DHCP client daemon 1.3.22 and earlier allows local users to exe ...) {DSA-219} - dhcpcd 1:1.3.22pl2-2 NOTE: Debian sarge uses dhcp >= 2.0 CVE-2002-1396 (Heap-based buffer overflow in the wordwrap function in PHP after 4.1.2 ...) - php4 4:4.3.2+rc3-1 NOTE: according to http://www.securityfocus.com/bid/6488 NOTE: woody is not vulnerable CVE-2002-1394 (Apache Tomcat 4.0.5 and earlier, when using both the invoker servlet a ...) {DSA-225} - tomcat4 4.1.16-1 CVE-2002-1392 (faxspool in mgetty before 1.1.29 uses a world-writable spool directory ...) - mgetty 1.1.30-1 NOTE: woody version seems to be vulnerable see bug #199351 CVE-2002-1391 (Buffer overflow in cnd-program for mgetty before 1.1.29 allows remote ...) - mgetty 1.1.30-1 NOTE: woody version seems to be vulnerable see bug #199351 CVE-2002-1390 (The daemon for GeneWeb before 4.09 does not properly handle requested ...) {DSA-223} - geneweb 4.09-1 CVE-2002-1389 (Buffer overflow in typespeed 0.4.2 and earlier allows local users to g ...) {DSA-217} - typespeed 0.4.2-2 CVE-2002-1388 (Cross-site scripting (XSS) vulnerability in MHonArc before 2.5.14 allo ...) {DSA-221} - mhonarc 2.5.14-1 CVE-2002-1385 (openwebmail_init in Open WebMail 1.81 and earlier allows local users t ...) - openwebmail 1.90-1 CVE-2002-1384 (Integer overflow in pdftops, as used in Xpdf 2.01 and earlier, xpdf-i, ...) {DSA-232 DSA-226 DSA-222} - xpdf-i 2.01-2 - xpdf 2.01-2 - cups 1.1.18-1 - cupsys 1.1.18-1 CVE-2002-1382 (Macromedia Flash Player before 6.0.65.0 allows remote attackers to exe ...) - flashplugin-nonfree 6.0.69-1 CVE-2002-1381 (Format string vulnerability in daemon.c for Exim 4.x through 4.10, and ...) - exim4 4.11-0.0.1 - exim 3.36-14 CVE-2002-1380 (Linux kernel 2.2.x allows local users to cause a denial of service (cr ...) {DSA-336} - kernel-source-2.2.25 2.2.25-2 CVE-2002-1377 (vim 6.0 and 6.1, and possibly other versions, allows attackers to exec ...) - vim 6.1.263-1 NOTE: woody seems to be still vulnerable NOTE: according to bug #178102 a fixed package was uploaded to the security team in January 2003 NOTE: but no advisory (nor fixed package) have been published yet. NOTE: I've mailed maintainer Luca Filipozzi about this. NOTE: No response from maintainer, I have mailed security team. NOTE: Martin Schulze don't consider this as an issue for updating woody. CVE-2002-1375 (The COM_CHANGE_USER command in MySQL 3.x before 3.23.54, and 4.x to 4. ...) {DSA-212} - mysql CVE-2002-1374 (The COM_CHANGE_USER command in MySQL 3.x before 3.23.54, and 4.x befor ...) {DSA-212} - mysql CVE-2002-1373 (Signed integer vulnerability in the COM_TABLE_DUMP package for MySQL 3 ...) {DSA-212} - mysql CVE-2002-1372 (Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 does not prop ...) {DSA-232} - cups 1.1.18-1 - cupsys 1.1.18-1 CVE-2002-1371 (filters/image-gif.c in Common Unix Printing System (CUPS) 1.1.14 throu ...) {DSA-232} - cups 1.1.18-1 - cupsys 1.1.18-1 CVE-2002-1369 (jobs.c in Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 doe ...) {DSA-232} - cups 1.1.18-1 - cupsys 1.1.18-1 CVE-2002-1367 (Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allows remote ...) {DSA-232} - cups 1.1.18-1 - cupsys 1.1.18-1 CVE-2002-1366 (Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allows local ...) {DSA-232} - cups 1.1.18-1 - cupsys 1.1.18-1 CVE-2002-1365 (Heap-based buffer overflow in Fetchmail 6.1.3 and earlier does not acc ...) {DSA-216} - fetchmail 6.2.0-1 CVE-2002-1364 (Buffer overflow in the get_origin function in traceroute-nanog allows ...) {DSA-254} - traceroute-nanog 6.3.0-1 CVE-2002-1363 (Portable Network Graphics (PNG) library libpng 1.2.5 and earlier does ...) {DSA-213} - libpng 1.0.12-7 - libpng3 1.2.5-8 CVE-2002-1362 (mICQ 0.4.9 and earlier allows remote attackers to cause a denial of se ...) {DSA-211} - micq 0.4.9.4-1 CVE-2002-1361 (overflow.cgi CGI script in Sun Cobalt RaQ 4 with the SHP (Security Har ...) NOT-FOR-US: sun CVE-2002-1350 (The BGP decoding routines in tcpdump 3.6.x before 3.7 do not properly ...) {DSA-206} - tcpdump 3.7.2-1 NOTE: The fix from 3.6.2-2.2 was not upload to unstable. CVE-2002-XXXX [Multiple buffer overflows in gtetrinet] - gtetrinet 0.4.4-1 CVE-2002-1349 (Buffer overflow in pop3trap.exe for PC-cillin 2000, 2002, and 2003 all ...) NOT-FOR-US: PC-cillin CVE-2002-1348 (w3m before 0.3.2.2 does not properly escape HTML tags in the ALT attri ...) {DSA-251 DSA-250 DSA-249} - w3m 0.3.2.2-1 - w3mmee 0.3.p24.17-3 CVE-2002-1337 (Buffer overflow in Sendmail 5.79 to 8.12.7 allows remote attackers to ...) {DSA-257} - sendmail 8.13.0.PreAlpha4-0 - sendmail-wine NOTE: problem in sendmail 8.12, sarge uses 8.13 CVE-2002-1336 (TightVNC before 1.2.6 generates the same challenge string for multiple ...) - tightvnc 1.2.6-1 CVE-2002-1327 (Buffer overflow in the Windows Shell function in Microsoft Windows XP ...) NOT-FOR-US: windows CVE-2002-1325 (Microsoft Virtual Machine (VM) build 5.0.3805 and earlier allows remot ...) NOT-FOR-US: windows CVE-2002-1323 (Safe.pm 2.0.7 and earlier, when used in Perl 5.8.0 and earlier, may al ...) {DSA-208} - perl 5.8.0-14 CVE-2002-1320 (Pine 4.44 and earlier allows remote attackers to cause a denial of ser ...) NOT-FOR-US: pine not in Debian CVE-2002-1319 (The Linux kernel 2.4.20 and earlier, and 2.5.x, when running on x86 sy ...) NOTE: fixed after 2.4.20 kernel (2.6 not vulnerable) CVE-2002-1318 (Buffer overflow in samba 2.2.2 through 2.2.6 allows remote attackers t ...) {DSA-200} - samba 2.2.7 CVE-2002-1317 (Buffer overflow in Dispatch() routine for XFS font server (fs.auto) on ...) NOT-FOR-US: solaris CVE-2002-1313 (nullmailer 1.00RC5 and earlier allows local users to cause a denial of ...) {DSA-198} - nullmailer 1.00RC5-17 CVE-2002-1311 (Courier sqwebmail before 0.40.0 does not quickly drop privileges after ...) {DSA-197} - courier 0.40.0-1 CVE-2002-1308 (Heap-based buffer overflow in Netscape and Mozilla allows remote attac ...) - mozilla 2:1.2-1 NOTE: woody is vulnerable see #237422 CVE-2002-1307 (Cross-site scripting vulnerability (XSS) in MHonArc 2.5.12 and earlier ...) {DSA-199} - mhonarc 2.5.13-1 CVE-2002-1296 (Directory traversal vulnerability in priocntl system call in Solaris d ...) NOT-FOR-US: Solaris CVE-2002-1284 (The wizard in KGPG 0.6 through 0.8.2 does not properly provide the pas ...) - kdeutils 4:3.2.1-1 CVE-2002-1278 (The mailconf module in Linuxconf 1.24, and other versions before 1.28, ...) NOTE: Linuxconf not in testing/unstable CVE-2002-1277 (Buffer overflow in Window Maker (wmaker) 0.80.0 and earlier may allow ...) {DSA-190} - wmaker 0.80.1-4 CVE-2002-1272 (Alcatel OmniSwitch 7700/7800 switches running AOS 5.1.1 contains a bac ...) NOT-FOR-US: Alcatel CVE-2002-1271 (The Mail::Mailer Perl module in the perl-MailTools package 1.47 and ea ...) {DSA-386} - libmailtools-perl 1.51 (bug #168381) CVE-2002-1270 (Mac OS X 10.2.2 allows local users to read files that only allow write ...) NOT-FOR-US: Mac OS X CVE-2002-1268 (Mac OS X 10.2.2 allows local users to gain privileges via a mounted IS ...) NOT-FOR-US: Mac OS X CVE-2002-1267 (Mac OS X 10.2.2 allows remote attackers to cause a denial of service b ...) NOT-FOR-US: Mac OS X CVE-2002-1266 (Mac OS X 10.2.2 allows local users to gain privileges by mounting a di ...) NOT-FOR-US: Mac OS X CVE-2002-1265 (The Sun RPC functionality in multiple libc implementations does not pr ...) NOTE: don't know which version of glibc fix this NOTE: I've mailed maintainers. CVE-2002-1264 (Buffer overflow in Oracle iSQL*Plus web application of the Oracle 9 da ...) NOT-FOR-US: oracle CVE-2002-1260 (The Java Database Connectivity (JDBC) APIs in Microsoft Virtual Machin ...) NOT-FOR-US: Microsoft JVM CVE-2002-1257 (Microsoft Virtual Machine (VM) up to and including build 5.0.3805 allo ...) NOT-FOR-US: Microsoft JVM CVE-2002-1256 (The SMB signing capability in the Server Message Block (SMB) protocol ...) NOT-FOR-US: Microsoft Windows CVE-2002-1255 (Microsoft Outlook 2002 allows remote attackers to cause a denial of se ...) NOT-FOR-US: Microsoft Outlook CVE-2002-1253 (Abuse 2.00 and earlier allows local users to gain privileges via comma ...) NOT-FOR-US: Abuse 2.00 not in Debian CVE-2002-1252 (The Application Messaging Gateway for PeopleTools 8.1x before 8.19, as ...) NOT-FOR-US: PeopleSoft CVE-2002-1251 (Buffer overflow in log2mail before 0.2.5.1 allows remote attackers to ...) {DSA-186} - log2mail 0.2.6-1 CVE-2002-1250 (Buffer overflow in Abuse 2.00 and earlier allows local users to gain r ...) NOT-FOR-US: Abuse 2.00 not in Debian CVE-2002-1248 (Northern Solutions Xeneo Web Server 2.1.0.0, 2.0.759.6, and other vers ...) NOT-FOR-US: Xeneo Web Server CVE-2002-1245 (Maped in LuxMan 0.41 uses the user-provided search path to find and ex ...) {DSA-189} - luxman 0.41-19 CVE-2002-1244 (Format string vulnerability in Pablo FTP Server 1.5, 1.3, and possibly ...) NOT-FOR-US: Pablo FTP Server CVE-2002-1242 (SQL injection vulnerability in PHP-Nuke before 6.0 allows remote authe ...) NOT-FOR-US: PHP-Nuke not in Debian CVE-2002-1239 (QNX Neutrino RTOS 6.2.0 uses the PATH environment variable to find and ...) NOT-FOR-US: QNX CVE-2002-1236 (The remote management web server for Linksys BEFSR41 EtherFast Cable/D ...) NOT-FOR-US: Linksys CVE-2002-1232 (Memory leak in ypdb_open in yp_db.c for ypserv before 2.5 in the NIS p ...) {DSA-180} - nis 3.9-6.2 CVE-2002-1231 (SCO UnixWare 7.1.1 and Open UNIX 8.0.0 allows local users to cause a d ...) NOT-FOR-US: SCO CVE-2002-1230 (NetDDE Agent on Windows NT 4.0, 4.0 Terminal Server Edition, Windows 2 ...) NOT-FOR-US: Windows NT CVE-2002-1227 (PAM 0.76 treats a disabled password as if it were an empty (null) pass ...) {DSA-177} - pam 0.76-6 CVE-2002-1224 (Directory traversal vulnerability in kpf for KDE 3.0.1 through KDE 3.0 ...) - kdenetwork 4:3.1.0-1 CVE-2002-1223 (Buffer overflow in DSC 3.0 parser from GSview, as used in KGhostView i ...) - kdegraphics 4:3.1.0-1 CVE-2002-1222 (Buffer overflow in the embedded HTTP server for Cisco Catalyst switche ...) NOT-FOR-US: CISCO CVE-2002-1221 (BIND 8.x through 8.3.3 allows remote attackers to cause a denial of se ...) {DSA-196} - bind 1:8.3.3-3 - bind9 CVE-2002-1220 (BIND 8.3.x through 8.3.3 allows remote attackers to cause a denial of ...) {DSA-196} - bind 1:8.3.3-3 - bind9 CVE-2002-1219 (Buffer overflow in named in BIND 4 versions 4.9.10 and earlier, and 8 ...) {DSA-196} - bind 1:8.3.3-3 - bind9 CVE-2002-1214 (Buffer overflow in Microsoft PPTP Service on Windows XP and Windows 20 ...) NOT-FOR-US: Microsoft CVE-2002-1211 (Prometheus 6.0 and earlier allows remote attackers to execute arbitrar ...) NOT-FOR-US: Prometheus not in Debian CVE-2002-1200 (Balabit Syslog-NG 1.4.x before 1.4.15, and 1.5.x before 1.5.20, when u ...) {DSA-175} - syslog-ng 1.5.21-1 CVE-2002-1199 (The getdbm procedure in ypxfrd allows local users to read arbitrary fi ...) NOT-FOR-US: ypxfrd not in Debian CVE-2002-1198 (Bugzilla 2.16.x before 2.16.1 does not properly filter apostrophes fro ...) - bugzilla 2.16.1-1 NOTE: woody seems to be vulnerable, bug #282500 CVE-2002-1197 (bugzilla_email_append.pl in Bugzilla 2.14.x before 2.14.4, and 2.16.x ...) - bugzilla 2.16.1-1 NOTE: woody seems to be vulnerable, bug #282501 CVE-2002-1196 (editproducts.cgi in Bugzilla 2.14.x before 2.14.4, and 2.16.x before 2 ...) {DSA-173} - bugzilla 2.16.0-2.1 CVE-2002-1195 (Cross-site scripting vulnerability (XSS) in the PHP interface for ht:/ ...) {DSA-169} - htcheck 1:1.1-1.2 CVE-2002-1193 (tkmail before 4.0beta9-8.1 allows local users to create or overwrite f ...) {DSA-172} - tkmail CVE-2002-1189 (The default configuration of Cisco Unity 2.x and 3.x does not block in ...) NOT-FOR-US: CISCO CVE-2002-1188 (Internet Explorer 5.01 through 6.0 allows remote attackers to identify ...) NOT-FOR-US: Microsoft CVE-2002-1187 (Cross-site scripting vulnerability (XSS) in Internet Explorer 5.01 thr ...) NOT-FOR-US: Microsoft CVE-2002-1186 (Internet Explorer 5.01 through 6.0 does not properly perform security ...) NOT-FOR-US: Microsoft CVE-2002-1185 (Internet Explorer 5.01 through 6.0 does not properly check certain par ...) NOT-FOR-US: Microsoft CVE-2002-1184 (The system root folder of Microsoft Windows 2000 has default permissio ...) NOT-FOR-US: Microsoft CVE-2002-1183 (Microsoft Windows 98 and Windows NT 4.0 do not properly verify the Bas ...) NOT-FOR-US: Microsoft CVE-2002-1182 (IIS 5.0 and 5.1 allows remote attackers to cause a denial of service ( ...) NOT-FOR-US: Microsoft CVE-2002-1180 (A typographical error in the script source access permissions for Inte ...) NOT-FOR-US: Microsoft CVE-2002-1179 (Buffer overflow in the S/MIME Parsing capability in Microsoft Outlook ...) NOT-FOR-US: Microsoft CVE-2002-1178 (Directory traversal vulnerability in the CGIServlet for Jetty HTTP ser ...) - jetty 4.1.0 CVE-2002-1170 (The handle_var_requests function in snmp_agent.c for the SNMP daemon i ...) - net-snmp 5.0.6 CVE-2002-1169 (IBM Web Traffic Express Caching Proxy Server 3.6 and 4.x before 4.0.1. ...) NOT-FOR-US: IBM Web Traffic Express Caching Proxy Server CVE-2002-1160 (The default configuration of the pam_xauth module forwards MIT-Magic-C ...) NOT-FOR-US: pam_xauth CVE-2002-1159 (Canna 3.6 and earlier does not properly validate requests, which allow ...) {DSA-224} - canna 3.6p1-1 CVE-2002-1158 (Buffer overflow in the irw_through function for Canna 3.5b2 and earlie ...) {DSA-224} - canna 3.6p1-1 CVE-2002-1157 (Cross-site scripting vulnerability in the mod_ssl Apache module 2.8.9 ...) {DSA-181} - libapache-mod-ssl 2.8.9-2.3 CVE-2002-1156 (Apache 2.0.42 allows remote attackers to view the source code of a CGI ...) - apache2 2.0.43 CVE-2002-1154 (anlgform.pl in Analog before 5.23 does not restrict access to the PROG ...) - analog 2:5.23 CVE-2002-1153 (IBM Websphere 4.0.3 allows remote attackers to cause a denial of servi ...) NOT-FOR-US: IBM Websphere CVE-2002-1152 (Konqueror in KDE 3.0 through 3.0.2 does not properly detect the "secur ...) - kdebase 3.03 CVE-2002-1151 (The cross-site scripting protection for Konqueror in KDE 2.2.2 and 3.0 ...) {DSA-167} - kdelibs 4:2.2.2-14 CVE-2002-1148 (The default servlet (org.apache.catalina.servlets.DefaultServlet) in T ...) {DSA-170} - tomcat4 4.1.12-1 CVE-2002-1147 (The HTTP administration interface for HP Procurve 4000M Switch firmwar ...) NOT-FOR-US: HP Procurve 4000M Switch firmware CVE-2002-1146 (The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries ...) NOTE: see http://www.kb.cert.org/vuls/id/AAMN-5D28K6 (glibc) NOTE: see http://www.kb.cert.org/vuls/id/AAMN-5D287U (bind) - glibc 2.3 - bind 1:8.3.3 CVE-2002-1142 (Heap-based buffer overflow in the Remote Data Services (RDS) component ...) NOT-FOR-US: Microsoft CVE-2002-1141 (An input validation error in the Sun Microsystems RPC library Services ...) NOT-FOR-US: Sun Microsystems RPC library Services for Unix 3.0 Interix SD, as implemented on Microsoft Windows NT4, 2000, and XP CVE-2002-1140 (The Sun Microsystems RPC library Services for Unix 3.0 Interix SD, as ...) NOT-FOR-US: Sun Microsystems RPC library Services for Unix 3.0 Interix SD, as implemented on Microsoft Windows NT4, 2000, and XP CVE-2002-1139 (The Compressed Folders feature in Microsoft Windows 98 with Plus! Pack ...) NOT-FOR-US: Microsoft CVE-2002-1138 (Microsoft SQL Server 7.0 and 2000, including Microsoft Data Engine (MS ...) NOT-FOR-US: Microsoft CVE-2002-1137 (Buffer overflow in the Database Console Command (DBCC) that handles us ...) NOT-FOR-US: Microsoft CVE-2002-1135 (modsecurity.php 1.10 and earlier, in phpWebSite 0.8.2 and earlier, all ...) NOT-FOR-US: phpWebSite CVE-2002-1132 (SquirrelMail 1.2.7 and earlier allows remote attackers to determine th ...) {DSA-191} - squirrelmail 1:1.2.8-1.1 CVE-2002-1126 (Mozilla 1.1 and earlier, and Mozilla-based browsers such as Netscape a ...) - mozilla 2:1.2 CVE-2002-1123 (Buffer overflow in the authentication function for Microsoft SQL Serve ...) NOT-FOR-US: Microsoft CVE-2002-1122 (Buffer overflow in the parsing mechanism for ISS Internet Scanner 6.2. ...) NOT-FOR-US: Microsoft CVE-2002-1119 (os._execvpe from os.py in Python 2.2.1 and earlier creates temporary f ...) {DSA-159} - python1.5 1.5.2-24 - python2.1 2.1.3-6a - python2.2 2.2.1-8 - python2.3 CVE-2002-1118 (TNS Listener in Oracle Net Services for Oracle 9i 9.2.x and 9.0.x, and ...) NOT-FOR-US: Oracle CVE-2002-1117 (Veritas Backup Exec 8.5 and earlier requires that the "RestrictAnonymo ...) NOT-FOR-US: Veritas Backup Exec CVE-2002-1116 (The "View Bugs" page (view_all_bug_page.php) in Mantis 0.17.4a and ear ...) {DSA-161} - mantis 0.17.5-2 CVE-2002-1113 (summary_graph_functions.php in Mantis 0.17.3 and earlier allows remote ...) {DSA-153} - mantis 0.17.4a-2 CVE-2002-1112 (Mantis before 0.17.4 allows remote attackers to list project bugs with ...) {DSA-153} - mantis 0.17.4a-2 CVE-2002-1111 (print_all_bug_page.php in Mantis 0.17.3 and earlier does not verify th ...) {DSA-153} - mantis 0.17.4a-2 CVE-2002-1109 (securetar, as used in AMaViS shell script 0.2.1 and earlier, allows us ...) NOTE: old amavis shell script CVE-2002-1108 (Cisco Virtual Private Network (VPN) Client software 2.x.x, and 3.x bef ...) NOT-FOR-US: Cisco CVE-2002-1107 (Cisco Virtual Private Network (VPN) Client software 2.x.x, and 3.x bef ...) NOT-FOR-US: Cisco CVE-2002-1106 (Cisco Virtual Private Network (VPN) Client software 2.x.x, and 3.x bef ...) NOT-FOR-US: Cisco CVE-2002-1105 (Cisco Virtual Private Network (VPN) Client software 2.x.x, and 3.x bef ...) NOT-FOR-US: Cisco CVE-2002-1104 (Cisco Virtual Private Network (VPN) Client software 2.x.x and 3.x befo ...) NOT-FOR-US: Cisco CVE-2002-1102 (The LAN-to-LAN IPSEC capability for Cisco VPN 3000 Concentrator 2.2.x, ...) NOT-FOR-US: Cisco CVE-2002-1099 (Cisco VPN 3000 Concentrator 2.2.x, and 3.x before 3.5.3, allows remote ...) NOT-FOR-US: Cisco CVE-2002-1098 (Cisco VPN 3000 Concentrator 2.2.x, and 3.x before 3.5.3, adds an "HTTP ...) NOT-FOR-US: Cisco CVE-2002-1097 (Cisco VPN 3000 Concentrator 2.2.x, and 3.x before 3.5.2, allows restri ...) NOT-FOR-US: Cisco CVE-2002-1096 (Cisco VPN 3000 Concentrator 2.2.x, and 3.x before 3.5.1, allows restri ...) NOT-FOR-US: Cisco CVE-2002-1095 (Cisco VPN 3000 Concentrator before 2.5.2(F), with encryption enabled, ...) NOT-FOR-US: Cisco CVE-2002-1093 (HTML interface for Cisco VPN 3000 Concentrator 2.x.x and 3.x.x before ...) NOT-FOR-US: Cisco CVE-2002-1092 (Cisco VPN 3000 Concentrator 3.6(Rel) and earlier, and 2.x.x, when conf ...) NOT-FOR-US: Cisco CVE-2002-1091 (Netscape 6.2.3 and earlier, and Mozilla 1.0.1, allow remote attackers ...) - mozilla 2:1.0.2 CVE-2002-1088 (Buffer overflow in Novell GroupWise 6.0.1 Support Pack 1 allows remote ...) NOT-FOR-US: Novell GroupWise CVE-2002-1081 (The Administration console for Abyss Web Server 1.0.3 allows remote at ...) NOT-FOR-US: Abyss Web Server CVE-2002-1079 (Directory traversal vulnerability in Abyss Web Server 1.0.3 allows rem ...) NOT-FOR-US: Abyss Web Server CVE-2002-1076 (Buffer overflow in the Web Messaging daemon for Ipswitch IMail before ...) NOT-FOR-US: Ipswitch IMail CVE-2002-1060 (Cross-site scripting (XSS) vulnerability in Blue Coat Systems (formerl ...) NOT-FOR-US: CacheFlow CacheOS CVE-2002-1059 (Buffer overflow in Van Dyke SecureCRT SSH client before 3.4.6, and 4.x ...) NOT-FOR-US: Van Dyke SecureCRT SSH client CVE-2002-1057 (Buffer overflow in SmartMax MailMax POP3 daemon (popmax) 4.8 allows re ...) NOT-FOR-US: SmartMax MailMax POP3 daemon CVE-2002-1056 (Microsoft Outlook 2000 and 2002, when configured to use Microsoft Word ...) NOT-FOR-US: Microsoft CVE-2002-1054 (Directory traversal vulnerability in Pablo FTP server 1.0 build 9 and ...) NOT-FOR-US: Pablo FTP server CVE-2002-1053 (Cross-site scripting (XSS) vulnerability in W3C Jigsaw Proxy Server be ...) NOT-FOR-US: W3C Jigsaw Proxy Server CVE-2002-1051 (Format string vulnerability in TrACESroute 6.0 GOLD (aka NANOG tracero ...) {DSA-254} - traceroute-nanog 6.3.0-1 CVE-2002-1050 (Buffer overflow in HylaFAX faxgetty before 4.1.3 allows remote attacke ...) {DSA-148} - hylafax 4.1.2-2.1 CVE-2002-1049 (Format string vulnerability in HylaFAX faxgetty before 4.1.3 allows re ...) {DSA-148} - hylafax 4.1.2-2.1 CVE-2002-1046 (Dynamic VPN Configuration Protocol service (DVCP) in Watchguard Firebo ...) NOT-FOR-US: Watchguard Firebox firmware CVE-2002-1039 (Directory traversal vulnerability in Double Choco Latte (DCL) before 2 ...) - dcl (Vulnerable code not present, affected dcl "Double Choco Latte") NOTE: Until 2008 src:dcl was for the source for "Double Choco Latte". On NOTE: 2017-08-30 an unrelated source took over the source package name dcl. NOTE: Original issue fixed in dcl/20020706 CVE-2002-1035 (Omnicron OmniHTTPd 2.09 allows remote attackers to cause a denial of s ...) NOT-FOR-US: Omnicron OmniHTTPd CVE-2002-1031 (KeyFocus (KF) web server 1.0.2 allows remote attackers to list directo ...) NOT-FOR-US: KeyFocus (KF) web server CVE-2002-1030 (Race condition in Performance Pack in BEA WebLogic Server and Express ...) NOT-FOR-US: BEA WebLogic Server and Express CVE-2002-1025 (JRun 3.0 through 4.0 allows remote attackers to read JSP source code v ...) NOT-FOR-US: JRun CVE-2002-1024 (Cisco IOS 12.0 through 12.2, when supporting SSH, allows remote attack ...) NOT-FOR-US: Cisco CVE-2002-1015 (RealJukebox 2 1.0.2.340 and 1.0.2.379, and RealOne Player Gold 6.0.10. ...) NOT-FOR-US: Real CVE-2002-1014 (Buffer overflow in RealJukebox 2 1.0.2.340 and 1.0.2.379, and RealOne ...) NOT-FOR-US: Real CVE-2002-1013 (Buffer overflow in traffic_manager for Inktomi Traffic Server 4.0.18 t ...) NOT-FOR-US: Inktomi CVE-2002-1006 (Cross-site scripting (XSS) vulnerability in BBC Education Text to Spee ...) NOT-FOR-US: Betsie CVE-2002-1004 (Directory traversal vulnerability in webmail feature of ArGoSoft Mail ...) NOT-FOR-US: ArGoSoft Mail Server CVE-2002-1002 (Buffer overflow in Novell iManager (eMFrame 1.2.1) allows remote attac ...) NOT-FOR-US: Novell CVE-2002-1000 (Buffer overflow in AnalogX SimpleServer:Shout 1.0 allows remote attack ...) NOT-FOR-US: AnalogX SimpleServer:Shout CVE-2002-0995 (login.php for PHPAuction allows remote attackers to gain privileges vi ...) NOT-FOR-US: PHPAuction CVE-2002-0990 (The web proxy component in Symantec Enterprise Firewall (SEF) 6.5.2 th ...) NOT-FOR-US: Symantec CVE-2002-0989 (The URL handler in the manual browser option for Gaim before 0.59.1 al ...) {DSA-158} - gaim 1:0.59.1-2 CVE-2002-0988 (Buffer overflow in X server (Xsco) in OpenUNIX 8.0.0 and UnixWare 7.1. ...) NOT-FOR-US: Xsco CVE-2002-0987 (X server (Xsco) in OpenUNIX 8.0.0 and UnixWare 7.1.1 does not drop pri ...) NOT-FOR-US: Xsco CVE-2002-0986 (The mail function in PHP 4.x to 4.2.2 does not filter ASCII control ch ...) {DSA-168} - php3 3:3.0.18-23.2 - php4 4:4.2.3-3 CVE-2002-0985 (Argument injection vulnerability in the mail function for PHP 4.x to 4 ...) {DSA-168} - php3 3:3.0.18-23.2 - php4 4:4.2.3-3 CVE-2002-0984 (The IRC script included in Light 2.7.x before 2.7.30p5, and 2.8.x befo ...) {DSA-156} - epic4-script-light 1:2.7.30p5-2 CVE-2002-0981 (Buffer overflow in ndcfg command for UnixWare 7.1.1 and Open UNIX 8.0. ...) NOT-FOR-US: ndcfg CVE-2002-0974 (Help and Support Center for Windows XP allows remote attackers to dele ...) NOT-FOR-US: Help and Support Center for Windows XP CVE-2002-0970 (The SSL capability for Konqueror in KDE 3.0.2 and earlier does not ver ...) {DSA-155} - kdelibs 4:2.2.2-14 CVE-2002-0969 (Buffer overflow in MySQL daemon (mysqld) before 3.23.50, and 4.0 beta ...) NOTE: mysql problem only affects Windows CVE-2002-0968 (Buffer overflow in AnalogX SimpleServer:WWW 1.16 and earlier allows re ...) NOT-FOR-US: AnalogX SimpleServer:WWW CVE-2002-0967 (Buffer overflow in eDonkey 2000 35.16.60 and earlier allows remote att ...) NOT-FOR-US: eDonkey CVE-2002-0965 (Buffer overflow in TNS Listener for Oracle 9i Database Server on Windo ...) NOT-FOR-US: Oracle CVE-2002-0964 (Half-Life Server 1.1.1.0 and earlier allows remote attackers to cause ...) NOT-FOR-US: Half Life CVE-2002-0958 (Cross-site scripting vulnerability in browse.php for PHP(Reactor) 1.2. ...) NOT-FOR-US: PHP Reactor CVE-2002-0953 (globals.php in PHP Address before 0.2f, with the PHP allow_url_fopen a ...) NOT-FOR-US: PHP Address CVE-2002-0952 (Cisco ONS15454 optical transport platform running ONS 3.1.0 to 3.2.0 a ...) NOT-FOR-US: Cisco CVE-2002-0947 (Buffer overflow in rwcgi60 CGI program for Oracle Reports Server 6.0.8 ...) NOT-FOR-US: Oracle CVE-2002-0946 (Directory traversal vulnerability in SeaNox Devwex before 1.2002.0601 ...) NOT-FOR-US: SeaNox Devwex CVE-2002-0945 (Buffer overflow in SeaNox Devwex allows remote attackers to cause a de ...) NOT-FOR-US: SeaNox Devwex CVE-2002-0941 (The ConsoleCallBack class for nCipher running under JRE 1.4.0 and 1.4. ...) NOT-FOR-US: Java on Windows CVE-2002-0938 (Cross-site scripting vulnerability in CiscoSecure ACS 3.0 allows remot ...) NOT-FOR-US: Cisco CVE-2002-0935 (Apache Tomcat 4.0.3, and possibly other versions before 4.1.3 beta, al ...) - tomcat4 4.1.9-1 CVE-2002-0916 (Format string vulnerability in the allowuser code for the Stellar-X ms ...) - squid 2.4.7 CVE-2002-0914 (Double Precision Courier e-mail MTA allows remote attackers to cause a ...) - courier 0.46 CVE-2002-0911 (Caldera Volution Manager 1.1 stores the Directory Administrator passwo ...) NOT-FOR-US: Caldera Volution Manager CVE-2002-0906 (Buffer overflow in Sendmail before 8.12.5, when configured to use a cu ...) - sendmail 8.12.5 CVE-2002-0904 (SayText function in Kismet 2.2.1 and earlier allows remote attackers t ...) - kismet 2.2.2-1 CVE-2002-0900 (Buffer overflow in pks PGP public key web server before 0.9.5 allows r ...) NOT-FOR-US: pks CVE-2002-0898 (Opera 6.0.1 and 6.0.2 allows a remote web site to upload arbitrary fil ...) NOT-FOR-US: Opera CVE-2002-0897 (LocalWEB2000 2.1.0 web server allows remote attackers to bypass access ...) NOT-FOR-US: LocalWEB2000 CVE-2002-0895 (Buffer overflow in MatuFtpServer 1.1.3.0 (1.1.3) allows remote attacke ...) NOT-FOR-US: MatuFtpServer CVE-2002-0892 (The default configuration of NewAtlanta ServletExec ISAPI 4.1 allows r ...) NOT-FOR-US: NewAtlanta ServletExec ISAPI CVE-2002-0891 (The web interface (WebUI) of NetScreen ScreenOS before 2.6.1r8, and ce ...) NOT-FOR-US: NetScreen ScreenOS CVE-2002-0889 (Buffer overflow in Qpopper (popper) 4.0.4 and earlier allows local use ...) - qpopper 4.0.5-1 CVE-2002-0887 (scoadmin for Caldera/SCO OpenServer 5.0.5 and 5.0.6 allows local users ...) NOT-FOR-US: scoadmin CVE-2002-0875 (Vulnerability in FAM 2.6.8, 2.6.6, and other versions allows unprivile ...) {DSA-154} - fam 2.6.8-1 CVE-2002-0873 (Vulnerability in l2tpd 0.67 allows remote attackers to overwrite the v ...) {DSA-152} - l2tpd 0.68-1 CVE-2002-0872 (l2tpd 0.67 does not initialize the random number generator, which allo ...) {DSA-152} - l2tpd 0.68-1 CVE-2002-0871 (xinetd 2.3.4 leaks file descriptors for the signal pipe to services th ...) {DSA-151} - xinetd 1:2.3.7-1 CVE-2002-0867 (Microsoft Virtual Machine (VM) up to and including build 5.0.3805 allo ...) NOT-FOR-US: Microsoft CVE-2002-0866 (Java Database Connectivity (JDBC) classes in Microsoft Virtual Machine ...) NOT-FOR-US: Microsoft CVE-2002-0865 (A certain class that supports XML (Extensible Markup Language) in Micr ...) NOT-FOR-US: Microsoft CVE-2002-0864 (The Remote Data Protocol (RDP) version 5.1 in Microsoft Windows XP all ...) NOT-FOR-US: Microsoft CVE-2002-0860 (The LoadText method in the spreadsheet component in Microsoft Office W ...) NOT-FOR-US: Microsoft CVE-2002-0859 (Buffer overflow in the OpenDataSource function of the Jet engine on Mi ...) NOT-FOR-US: Microsoft CVE-2002-0856 (SQL*NET listener for Oracle Net Oracle9i 9.0.x and 9.2 allows remote a ...) NOT-FOR-US: Oracle CVE-2002-0853 (Cisco Virtual Private Network (VPN) Client 3.5.4 and earlier allows re ...) NOT-FOR-US: Cisco CVE-2002-0851 (Format string vulnerability in ISDN Point to Point Protocol (PPP) daem ...) - isdnutils 1:3.2 CVE-2002-0850 (Buffer overflow in PGP Corporate Desktop 7.1.1 allows remote attackers ...) NOT-FOR-US: PGP corporate desktop CVE-2002-0848 (Cisco VPN 5000 series concentrator hardware 6.0.21.0002 and earlier, a ...) NOT-FOR-US: Cisco CVE-2002-0847 (tinyproxy HTTP proxy 1.5.0, 1.4.3, and earlier allows remote attackers ...) {DSA-145} - tinyproxy 1.4.3-3 CVE-2002-0846 (The decoder for Macromedia Shockwave Flash allows remote attackers to ...) - flashplugin-nonfree 6.0.47 CVE-2002-0845 (Buffer overflow in Sun ONE / iPlanet Web Server 4.1 and 6.0 allows rem ...) NOT-FOR-US: Sun ONE CVE-2002-0844 (Off-by-one overflow in the CVS PreservePermissions of rcs.c for CVSD b ...) - cvs 1:1.11.2 CVE-2002-0842 (Format string vulnerability in certain third party modifications to mo ...) NOTE: mod_dav for apache not vulnerable according to NOTE: lists.netsys.com/pipermail/full-disclosure/2003-February/003875.html CVE-2002-0840 (Cross-site scripting (XSS) vulnerability in the default error page of ...) {DSA-195 DSA-188 DSA-187} - apache2 2.0.43-1 - apache 1.3.27-0.1 - apache-perl 1.3.26-1.1-1.27-3-1 CVE-2002-0836 (dvips converter for Postscript files in the tetex package calls the sy ...) {DSA-207} - tetex-bin 1.0.7+20021025-4 CVE-2002-0835 (Preboot eXecution Environment (PXE) server allows remote attackers to ...) NOT-FOR-US: RedHat/Intel PXE daemon NOTE: this is not the one in Debian CVE-2002-0831 (The kqueue mechanism in FreeBSD 4.3 through 4.6 STABLE allows local us ...) NOT-FOR-US: FreeBSD CVE-2002-0830 (Network File System (NFS) in FreeBSD 4.6.1 RELEASE-p7 and earlier, Net ...) NOT-FOR-US: BSD/NFS CVE-2002-0829 (Integer overflow in the Berkeley Fast File System (FFS) in FreeBSD 4.6 ...) NOT-FOR-US: FreeBSD CVE-2002-0826 (Buffer overflow in WS_FTP FTP Server 3.1.1 allows remote authenticated ...) NOT-FOR-US: WS FTP server CVE-2002-0824 (BSD pppd allows local users to change the permissions of arbitrary fil ...) NOT-FOR-US: BSD/pppd CVE-2002-0823 (Buffer overflow in Winhlp32.exe allows remote attackers to execute arb ...) NOT-FOR-US: Windows CVE-2002-0818 (wwwoffled in World Wide Web Offline Explorer (WWWOFFLE) allows remote ...) {DSA-144} - wwwoffle 2.7d-1 CVE-2002-0817 (Format string vulnerability in super for Linux allows local users to g ...) {DSA-139} - super 3.18.0-3 CVE-2002-0816 (Buffer overflow in su in Tru64 Unix 5.x allows local users to gain roo ...) NOT-FOR-US: HP Tru64 CVE-2002-0814 (Buffer overflow in VMware Authorization Service for VMware GSX Server ...) NOT-FOR-US: VMware CVE-2002-0813 (Heap-based buffer overflow in the TFTP server capability in Cisco IOS ...) NOT-FOR-US: Cisco CVE-2002-0810 (Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, directs error me ...) - bugzilla 2.16.0 CVE-2002-0809 (Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, does not properl ...) - bugzilla 2.16.0 CVE-2002-0808 (Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, when performing ...) - bugzilla 2.16.0 CVE-2002-0806 (Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, allows authentic ...) - bugzilla 2.16.0 CVE-2002-0805 (Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, (1) creates new ...) - bugzilla 2.16.0 CVE-2002-0804 (Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, when configured ...) - bugzilla 2.16.0 CVE-2002-0802 (The multibyte support in PostgreSQL 6.5.x with SQL_ASCII encoding cons ...) - postgresql 7.2 CVE-2002-0801 (Buffer overflow in the ISAPI DLL filter for Macromedia JRun 3.1 allows ...) NOT-FOR-US: Macromedia / Windows CVE-2002-0795 (The rc system startup script for FreeBSD 4 through 4.5 allows local us ...) NOT-FOR-US: FreeBSD CVE-2002-0794 (The accept_filter mechanism in FreeBSD 4 through 4.5 does not properly ...) NOT-FOR-US: FreeBSD CVE-2002-0790 (clchkspuser and clpasswdremote in AIX expose an encrypted password in ...) NOT-FOR-US: AIX CVE-2002-0789 (Buffer overflow in search.cgi in mnoGoSearch 3.1.19 and earlier allows ...) - mnogosearch 3.1.19-3 CVE-2002-0788 (An interaction between PGP 7.0.3 with the "wipe deleted files" option, ...) NOT-FOR-US: windows CVE-2002-0785 (AOL Instant Messenger (AIM) allows remote attackers to cause a denial ...) NOT-FOR-US: AOL AIM CVE-2002-0778 (The default configuration of the proxy for Cisco Cache Engine and Cont ...) NOT-FOR-US: CISCO CVE-2002-0777 (Buffer overflow in the LDAP component of Ipswitch IMail 7.1 and earlie ...) NOT-FOR-US: Ipswitch not in Debian CVE-2002-0776 (getuserdesc.asp in Hosting Controller 2002 allows remote attackers to ...) NOT-FOR-US: Hosting Controller 2002 CVE-2002-0768 (Buffer overflow in lukemftp FTP client in SuSE 6.4 through 8.0, and po ...) - lukemftp 1.5-7 CVE-2002-0766 (OpenBSD 2.9 through 3.1 allows local users to cause a denial of servic ...) NOT-FOR-US: OpenBSD CVE-2002-0765 (sshd in OpenSSH 3.2.2, when using YP with netgroups and under certain ...) - openssh 1:3.3p1-0.0woody1 CVE-2002-0762 (shadow package in SuSE 8.0 allows local users to destroy the /etc/pass ...) NOT-FOR-US: SUSE specific CVE-2002-0761 (bzip2 before 1.0.2 in FreeBSD 4.5 and earlier, OpenLinux 3.1 and 3.1.1 ...) NOT-FOR-US: FreeBSD and OpenLinux CVE-2002-0760 (Race condition in bzip2 before 1.0.2 in FreeBSD 4.5 and earlier, OpenL ...) NOT-FOR-US: FreeBSD and OpenLinux CVE-2002-0759 (bzip2 before 1.0.2 in FreeBSD 4.5 and earlier, OpenLinux 3.1 and 3.1.1 ...) NOT-FOR-US: FreeBSD and OpenLinux CVE-2002-0758 (ifup-dhcp script in the sysconfig package for SuSE 8.0 allows remote a ...) NOT-FOR-US: SUSE specific CVE-2002-0755 (Kerberos 5 su (k5su) in FreeBSD 4.5 and earlier does not verify that a ...) NOT-FOR-US: FreeBSD CVE-2002-0754 (Kerberos 5 su (k5su) in FreeBSD 4.4 and earlier relies on the getlogin ...) NOT-FOR-US: FreeBSD CVE-2002-0748 (LabVIEW Web Server 5.1.1 through 6.1 allows remote attackers to cause ...) NOT-FOR-US: Labview CVE-2002-0741 (psyBNC 2.3 allows remote attackers to cause a denial of service (CPU c ...) NOT-FOR-US: psyBNC CVE-2002-0738 (MHonArc 2.5.2 and earlier does not properly filter Javascript from arc ...) {DSA-163} - mhonarc 2.5.11-1 CVE-2002-0737 (Sambar web server before 5.2 beta 1 allows remote attackers to obtain ...) NOT-FOR-US: Sambar web server CVE-2002-0736 (Microsoft BackOffice 4.0 and 4.5, when configured to be accessible by ...) NOT-FOR-US: Microsoft CVE-2002-0734 (b2edit.showposts.php in B2 2.0.6pre2 and earlier does not properly loa ...) NOT-FOR-US: B2 CVE-2002-0733 (Cross-site scripting vulnerability in thttpd 2.20 and earlier allows r ...) - thttpd 2.21 CVE-2002-0729 (Microsoft SQL Server 2000 allows remote attackers to cause a denial of ...) NOT-FOR-US: Microsoft CVE-2002-0727 (The Host function in Microsoft Office Web Components (OWC) 2000 and 20 ...) NOT-FOR-US: Microsoft CVE-2002-0726 (Buffer overflow in Microsoft Terminal Services Advanced Client (TSAC) ...) NOT-FOR-US: Microsoft CVE-2002-0722 (Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers ...) NOT-FOR-US: Microsoft CVE-2002-0720 (A handler routine for the Network Connection Manager (NCM) in Windows ...) NOT-FOR-US: Microsoft CVE-2002-0719 (SQL injection vulnerability in the function that services for Microsof ...) NOT-FOR-US: Microsoft CVE-2002-0718 (Web authoring command in Microsoft Content Management Server (MCMS) 20 ...) NOT-FOR-US: Microsoft CVE-2002-0716 (Format string vulnerability in crontab for SCO OpenServer 5.0.5 and 5. ...) NOT-FOR-US: SCO OpenServer CVE-2002-0714 (FTP proxy in Squid before 2.4.STABLE6 does not compare the IP addresse ...) - squid 2.4.6 CVE-2002-0710 (Directory traversal vulnerability in sendform.cgi 1.44 and earlier all ...) NOT-FOR-US: sendform.cgi CVE-2002-0704 (The Network Address Translation (NAT) capability for Netfilter ("iptab ...) NOTE: kernel netfilter bug, not in user space NOTE: this is fixed in kernel 2.4.20 - kernel-image-2.4.18-i386 (bug #152152; unimportant) CVE-2002-0703 (An interaction between the Perl MD5 module (perl-Digest-MD5) and Perl ...) - perl 5.8.0-7 (bug #282527) CVE-2002-0701 (ktrace in BSD-based operating systems allows the owner of a process wi ...) NOT-FOR-US: BSD CVE-2002-0700 (Buffer overflow in a system function that performs user authentication ...) NOT-FOR-US: Microsoft CVE-2002-0698 (Buffer overflow in Internet Mail Connector (IMC) for Microsoft Exchang ...) NOT-FOR-US: Microsoft CVE-2002-0697 (Microsoft Metadirectory Services (MMS) 2.2 allows remote attackers to ...) NOT-FOR-US: Microsoft CVE-2002-0696 (Microsoft Visual FoxPro 6.0 does not register its associated files wit ...) NOT-FOR-US: Microsoft CVE-2002-0695 (Buffer overflow in the Transact-SQL (T-SQL) OpenRowSet component of Mi ...) NOT-FOR-US: Microsoft CVE-2002-0694 (The HTML Help facility in Microsoft Windows 98, 98 Second Edition, Mil ...) NOT-FOR-US: Microsoft CVE-2002-0692 (Buffer overflow in SmartHTML Interpreter (shtml.dll) in Microsoft Fron ...) NOT-FOR-US: Microsoft CVE-2002-0691 (Microsoft Internet Explorer 5.01 and 5.5 allows remote attackers to ex ...) NOT-FOR-US: Microsoft CVE-2002-0688 (ZCatalog plug-in index support capability for Zope 2.4.0 through 2.5.1 ...) {DSA-490} - zope 2.6.0-0.1 CVE-2002-0687 (The "through the web code" capability for Zope 2.0 through 2.5.1 b1 al ...) - zope 2.5.1b2 CVE-2002-0685 (Heap-based buffer overflow in the message decoding functionality for P ...) NOT-FOR-US: PGP Outlook Encryption Plug-In CVE-2002-0682 (Cross-site scripting vulnerability in Apache Tomcat 4.0.3 allows remot ...) - tomcat 4.0.4 CVE-2002-0679 (Buffer overflow in Common Desktop Environment (CDE) ToolTalk RPC datab ...) NOT-FOR-US: CDE CVE-2002-0678 (CDE ToolTalk database server (ttdbserver) allows local users to overwr ...) NOT-FOR-US: CDE ToolTalk CVE-2002-0676 (SoftwareUpdate for MacOS 10.1.x does not use authentication when downl ...) NOT-FOR-US: MacOS CVE-2002-0674 (Pingtel xpressa SIP-based voice-over-IP phone 1.2.5 through 1.2.7.4 do ...) NOT-FOR-US: Pingtel xpressa SIP-based voice-over-IP phone CVE-2002-0673 (The enrollment process for Pingtel xpressa SIP-based voice-over-IP pho ...) NOT-FOR-US: Pingtel xpressa SIP-based voice-over-IP phone CVE-2002-0672 (Pingtel xpressa SIP-based voice-over-IP phone 1.2.5 through 1.2.7.4 al ...) NOT-FOR-US: Pingtel xpressa SIP-based voice-over-IP phone CVE-2002-0671 (Pingtel xpressa SIP-based voice-over-IP phone 1.2.5 through 1.2.7.4 do ...) NOT-FOR-US: Pingtel xpressa SIP-based voice-over-IP phone CVE-2002-0668 (The web interface for Pingtel xpressa SIP-based voice-over-IP phone 1. ...) NOT-FOR-US: Pingtel xpressa SIP-based voice-over-IP phone CVE-2002-0665 (Macromedia JRun Administration Server allows remote attackers to bypas ...) NOT-FOR-US: Microsoft CVE-2002-0663 (Buffer overflow in HTTP Proxy for Symantec Norton Personal Internet Fi ...) NOT-FOR-US: Norton CVE-2002-0662 (scrollkeeper-get-cl in ScrollKeeper 0.3 to 0.3.11 allows local users t ...) {DSA-160} - scrollkeeper 0.3.11-2 CVE-2002-0658 (OSSP mm library (libmm) before 1.2.0 allows the local Apache user to g ...) {DSA-137} - mm 1.1.3-7 CVE-2002-0653 (Off-by-one buffer overflow in the ssl_compat_directive function, as ca ...) {DSA-135} - libapache-mod-ssl 2.8.9-2 CVE-2002-0651 (Buffer overflow in the DNS resolver code used in libc, glibc, and libb ...) - glibc 2.2.5-8 CVE-2002-0650 (The keep-alive mechanism for Microsoft SQL Server 2000 allows remote a ...) NOT-FOR-US: microsoft CVE-2002-0648 (The legacy <script> data-island capability for XML in Microsoft ...) NOT-FOR-US: microsoft CVE-2002-0647 (Buffer overflow in a legacy ActiveX control used to display specially ...) NOT-FOR-US: microsoft CVE-2002-0642 (The registry key containing the SQL Server service account information ...) NOT-FOR-US: microsoft CVE-2002-0640 (Buffer overflow in sshd in OpenSSH 2.3.1 through 3.3 may allow remote ...) - openssh 1:3.4 (high) CVE-2002-0639 (Integer overflow in sshd in OpenSSH 2.9.9 through 3.3 allows remote at ...) - openssh 1:3.4 (high) CVE-2002-0638 (setpwnam.c in the util-linux package, as included in Red Hat Linux 7.3 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0631 (Unknown vulnerability in nveventd in NetVisualyzer on SGI IRIX 6.5 thr ...) NOT-FOR-US: SGI CVE-2002-0630 (The Telnet service for Polycom ViewStation before 7.2.4 allows remote ...) NOT-FOR-US: Polycom CVE-2002-0627 (The Web server for Polycom ViewStation before 7.2.4 allows remote atta ...) NOT-FOR-US: Polycom CVE-2002-0623 (Buffer overflow in AuthFilter ISAPI filter on Microsoft Commerce Serve ...) NOT-FOR-US: Microsoft CVE-2002-0622 (The Office Web Components (OWC) package installer for Microsoft Commer ...) NOT-FOR-US: Microsoft CVE-2002-0621 (Buffer overflow in the Office Web Components (OWC) package installer u ...) NOT-FOR-US: Microsoft CVE-2002-0619 (The Mail Merge Tool in Microsoft Word 2002 for Windows, when Microsoft ...) NOT-FOR-US: Microsoft CVE-2002-0618 (The Macro Security Model in Microsoft Excel 2000 and 2002 for Windows ...) NOT-FOR-US: Microsoft CVE-2002-0617 (The Macro Security Model in Microsoft Excel 2000 and 2002 for Windows ...) NOT-FOR-US: Microsoft CVE-2002-0616 (The Macro Security Model in Microsoft Excel 2000 and 2002 for Windows ...) NOT-FOR-US: Microsoft CVE-2002-0615 (The Windows Media Active Playlist in Microsoft Windows Media Player 7. ...) NOT-FOR-US: Microsoft CVE-2002-0613 (dnstools.php for DNSTools 2.0 beta 4 and earlier allows remote attacke ...) NOT-FOR-US: DNSTools CVE-2002-0605 (Buffer overflow in Flash OCX for Macromedia Flash 6 revision 23 (6,0,2 ...) NOT-FOR-US: Flash CVE-2002-0601 (ISS RealSecure Network Sensor 5.x through 6.5 allows remote attackers ...) NOT-FOR-US: ISS CVE-2002-0599 (Blahz-DNS 0.2 and earlier allows remote attackers to bypass authentica ...) NOT-FOR-US: Blahz CVE-2002-0598 (Format string vulnerability in Foundstone FScan 1.12 with banner grabb ...) NOT-FOR-US: Foundstone CVE-2002-0597 (LANMAN service on Microsoft Windows 2000 allows remote attackers to ca ...) NOT-FOR-US: Microsoft CVE-2002-0594 (Netscape 6 and Mozilla 1.0 RC1 and earlier allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0576 (ColdFusion 5.0 and earlier on Windows systems allows remote attackers ...) NOT-FOR-US: ColdFusion CVE-2002-0575 (Buffer overflow in OpenSSH before 2.9.9, and 3.x before 3.2.1, with Ke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0574 (Memory leak in FreeBSD 4.5 and earlier allows remote attackers to caus ...) NOT-FOR-US: FreeBSD CVE-2002-0573 (Format string vulnerability in RPC wall daemon (rpc.rwalld) for Solari ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0571 (Oracle Oracle9i database server 9.0.1.x allows local users to access r ...) NOT-FOR-US: Oracle CVE-2002-0569 (Oracle 9i Application Server allows remote attackers to bypass access ...) NOT-FOR-US: Oracle CVE-2002-0567 (Oracle 8i and 9i with PL/SQL package for External Procedures (EXTPROC) ...) NOT-FOR-US: Oracle CVE-2002-0553 (Cross-site scripting vulnerability in SunShop 2.5 and earlier allows r ...) NOT-FOR-US: SunShop CVE-2002-0546 (Cross-site scripting vulnerability in the mini-browser for Winamp 2.78 ...) NOT-FOR-US: Winamp CVE-2002-0545 (Cisco Aironet before 11.21 with Telnet enabled allows remote attackers ...) NOT-FOR-US: Cisco CVE-2002-0543 (Directory traversal vulnerability in Aprelium Abyss Web Server (abyssw ...) NOT-FOR-US: Aprelium CVE-2002-0542 (mail in OpenBSD 2.9 and 3.0 processes a tilde (~) escape character in ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0539 (Demarc PureSecure 1.05 allows remote attackers to gain administrative ...) NOT-FOR-US: Demarc CVE-2002-0538 (FTP proxy in Symantec Raptor Firewall 6.5.3 and Enterprise 7.0 rewrite ...) NOT-FOR-US: Symantec CVE-2002-0536 (PHPGroupware 0.9.12 and earlier, when running with the magic_quotes_gp ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0532 (EMU Webmail allows local users to execute arbitrary programs via a .. ...) NOT-FOR-US: EMU CVE-2002-0531 (Directory traversal vulnerability in emumail.cgi in EMU Webmail 4.5.x ...) NOT-FOR-US: EMU CVE-2002-0516 (SquirrelMail 1.2.5 and earlier allows authenticated SquirrelMail users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0513 (The PHP administration script in popper_mod 1.2.1 and earlier relies o ...) NOT-FOR-US: popper_mod CVE-2002-0512 (startkde in KDE for Caldera OpenLinux 2.3 through 3.1.1 sets the LD_LI ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0511 (The default configuration of Name Service Cache Daemon (nscd) in Calde ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0506 (Buffer overflow in newt.c of newt windowing library (libnewt) 0.50.33 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0505 (Memory leak in the Call Telephony Integration (CTI) Framework authenti ...) NOT-FOR-US: Cisco CVE-2002-0501 (Format string vulnerability in log_print() function of Posadis DNS ser ...) NOT-FOR-US: Posadis CVE-2002-0497 (Buffer overflow in mtr 0.46 and earlier, when installed setuid root, a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0495 (csSearch.cgi in csSearch 2.3 and earlier allows remote attackers to ex ...) NOT-FOR-US: csSearch CVE-2002-0494 (Cross-site scripting vulnerability in WebSight Directory System 0.1 al ...) NOT-FOR-US: WebSight CVE-2002-0493 (Apache Tomcat may be started without proper security settings if error ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0490 (Instant Web Mail before 0.60 does not properly filter CR/LF sequences, ...) NOT-FOR-US: Instant Web Mail CVE-2002-0488 (Linux Directory Penguin traceroute.pl CGI script 1.0 allows remote att ...) NOT-FOR-US: Linux Directory Penguin CVE-2002-0484 (move_uploaded_file in PHP does not does not check for the base directo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0473 (db.php in phpBB 2.0 (aka phpBB2) RC-3 and earlier allows remote attack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0464 (Directory traversal vulnerability in Hosting Controller 1.4.1 and earl ...) NOT-FOR-US: Hosting Controller CVE-2002-0463 (home.php in ARSC (Really Simple Chat) 1.0.1 and earlier allows remote ...) NOT-FOR-US: ARSC CVE-2002-0462 (bigsam_guestbook.php for Big Sam (Built-In Guestbook Stand-Alone Modul ...) NOT-FOR-US: Big Sam CVE-2002-0454 (Qpopper (aka in.qpopper or popper) 4.0.3 and earlier allows remote att ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0451 (filemanager_forms.php in PHProjekt 3.1 and 3.1a allows remote attacker ...) NOT-FOR-US: PHProjekt CVE-2002-0445 (article.php in PHP FirstPost 0.1 allows allows remote attackers to obt ...) NOT-FOR-US: PHP FirstPost CVE-2002-0444 (Microsoft Windows 2000 running the Terminal Server 90-day trial versio ...) NOT-FOR-US: Windows CVE-2002-0443 (Microsoft Windows 2000 allows local users to bypass the policy that pr ...) NOT-FOR-US: Windows CVE-2002-0442 (Buffer overflow in dlvr_audit for Caldera OpenServer 5.0.5 and 5.0.6 a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0441 (Directory traversal vulnerability in imlist.php for Php Imglist allows ...) NOT-FOR-US: PHP Imglist CVE-2002-0437 (Smsd in SMS Server Tools (SMStools) before 1.4.8 allows remote attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0435 (Race condition in the recursive (1) directory deletion and (2) directo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0431 (XTux allows remote attackers to cause a denial of service (CPU consump ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0429 (The iBCS routines in arch/i386/kernel/traps.c for Linux kernels 2.4.18 ...) {DSA-442 DSA-336 DSA-332 DSA-312 DSA-311} - kernel-source-2.2.20 CVE-2002-0425 (mIRC DCC server protocol allows remote attackers to gain sensitive inf ...) NOT-FOR-US: mIRC CVE-2002-0424 (efingerd 1.61 and earlier, when configured without the -u option, exec ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0423 (Buffer overflow in efingerd 1.5 and earlier, and possibly up to 1.61, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0414 (KAME-derived implementations of IPsec on NetBSD 1.5.2, FreeBSD 4.5, an ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0412 (Format string vulnerability in TraceEvent function for ntop before 2.1 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0406 (Menasoft SPHERE server 0.99x and 0.5x allows remote attackers to cause ...) NOT-FOR-US: SPHERE CVE-2002-0404 (Vulnerability in GIOP dissector in Ethereal before 0.9.3 allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0403 (DNS dissector in Ethereal before 0.9.3 allows remote attackers to caus ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0402 (Buffer overflow in X11 dissector in Ethereal 0.9.3 and earlier allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0401 (SMB dissector in Ethereal 0.9.3 and earlier allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0400 (ISC BIND 9 before 9.2.1 allows remote attackers to cause a denial of s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0398 (Red-M 1050 (Bluetooth Access Point) PPP server allows bonded users to ...) NOT-FOR-US: Red-M CVE-2002-0397 (Red-M 1050 (Bluetooth Access Point) publicizes its name, IP address, a ...) NOT-FOR-US: Red-M CVE-2002-0396 (The web management server for Red-M 1050 (Bluetooth Access Point) does ...) NOT-FOR-US: Red-M CVE-2002-0395 (The TFTP server for Red-M 1050 (Bluetooth Access Point) can not be dis ...) NOT-FOR-US: Red-M CVE-2002-0394 (Red-M 1050 (Bluetooth Access Point) uses case insensitive passwords, w ...) NOT-FOR-US: Red-M CVE-2002-0392 (Apache 1.3 through 1.3.24, and Apache 2.0 through 2.0.36, allows remot ...) - apache2 2.0.37 CVE-2002-0391 (Integer overflow in xdr_array function in RPC servers for operating sy ...) {DSA-333 DSA-149 DSA-146 DSA-143 DSA-142} - acm 5.0-10 - glibc 2.2.5-13 - dietlibc 0.20-0cvs20020808 - krb5 1.2.5-2 - openafs 1.2.6-1 CVE-2002-0389 (Pipermail in Mailman stores private mail messages with predictable fil ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0387 (Buffer overflow in gxnsapi6.dll NSAPI plugin of the Connector Module f ...) NOT-FOR-US: Sun CVE-2002-0384 (Buffer overflow in Jabber plug-in for Gaim client before 0.58 allows r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0382 (XChat IRC client allows remote attackers to execute arbitrary commands ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0381 (The TCP implementation in various BSD operating systems (tcp_input.c) ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0380 (Buffer overflow in tcpdump 3.6.2 and earlier allows remote attackers t ...) {DSA-255} - tcpdump 3.7.1-1.2 CVE-2002-0379 (Buffer overflow in University of Washington imap server (uw-imapd) ima ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0377 (Gaim 0.57 stores sensitive information in world-readable and group-wri ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0376 (Buffer overflow in Apple QuickTime 5.0 ActiveX component allows remote ...) NOT-FOR-US: Apple CVE-2002-0374 (Format string vulnerability in the logging function for the pam_ldap P ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0373 (The Windows Media Device Manager (WMDM) Service in Microsoft Windows M ...) NOT-FOR-US: Microsoft CVE-2002-0372 (Microsoft Windows Media Player versions 6.4 and 7.1 and Media Player f ...) NOT-FOR-US: Microsoft CVE-2002-0369 (Buffer overflow in ASP.NET Worker Process allows remote attackers to c ...) NOT-FOR-US: Microsoft CVE-2002-0368 (The Store Service in Microsoft Exchange 2000 allows remote attackers t ...) NOT-FOR-US: Microsoft CVE-2002-0367 (smss.exe debugging subsystem in Windows NT and Windows 2000 does not p ...) NOT-FOR-US: Microsoft CVE-2002-0366 (Buffer overflow in Remote Access Service (RAS) phonebook for Windows N ...) NOT-FOR-US: Microsoft CVE-2002-0364 (Buffer overflow in the chunked encoding transfer mechanism in IIS 4.0 ...) NOT-FOR-US: Microsoft CVE-2002-0363 (ghostscript before 6.53 allows attackers to execute arbitrary commands ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0362 (Buffer overflow in AOL Instant Messenger (AIM) 4.2 and later allows re ...) NOT-FOR-US: AOL CVE-2002-0359 (xfsmd for IRIX 6.5 through 6.5.16 uses weak authentication, which allo ...) NOT-FOR-US: IRIX CVE-2002-0358 (MediaMail and MediaMail Pro in SGI IRIX 6.5.16 and earlier allows loca ...) NOT-FOR-US: MediaMail CVE-2002-0357 (Unknown vulnerability in rpc.passwd in the nfs.sw.nis subsystem of SGI ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0356 (Vulnerability in XFS filesystem reorganizer (fsr_xfs) in SGI IRIX 6.5. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0355 (netstat in SGI IRIX before 6.5.12 allows local users to determine the ...) NOT-FOR-US: SGI CVE-2002-0339 (Cisco IOS 11.1CC through 12.2 with Cisco Express Forwarding (CEF) enab ...) NOT-FOR-US: Cisco CVE-2002-0330 (Cross-site scripting vulnerability in codeparse.php of Open Bulletin B ...) NOT-FOR-US: OpenBB CVE-2002-0329 (Cross-site scripting vulnerability in Snitz Forums 2000 3.3.03 and ear ...) NOT-FOR-US: Snitz CVE-2002-0318 (FreeRADIUS RADIUS server allows remote attackers to cause a denial of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0313 (Buffer overflow in Essentia Web Server 2.1 allows remote attackers to ...) NOT-FOR-US: Essentia CVE-2002-0309 (SMTP proxy in Symantec Enterprise Firewall (SEF) 6.5.x includes the fi ...) NOT-FOR-US: Symantec CVE-2002-0302 (The Notify daemon for Symantec Enterprise Firewall (SEF) 6.5.x drops l ...) NOT-FOR-US: Symantec CVE-2002-0300 (gnujsp 1.0.0 and 1.0.1 allows remote attackers to list directories, re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0299 (CNet CatchUp before 1.3.1 allows attackers to execute arbitrary code v ...) NOT-FOR-US: CatchUp CVE-2002-0292 (Cross-site scripting vulnerability in Slash before 2.2.5, as used in S ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0290 (Buffer overflow in Netwin WebNews CGI program 1.1, Webnews.exe, allows ...) NOT-FOR-US: WebNews CVE-2002-0287 (pforum 1.14 and earlier does not explicitly enable PHP magic quotes, w ...) NOT-FOR-US: pforum CVE-2002-0276 (Buffer overflow in various decoders in Ettercap 0.6.3.1 and earlier, w ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0275 (Falcon web server 2.0.0.1020 and earlier allows remote attackers to by ...) NOT-FOR-US: Falcon CVE-2002-0274 (Exim 3.34 and earlier may allow local users to gain privileges via a b ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0267 (preferences.php in Simple Internet Publishing System (SIPS) before 0.3 ...) NOT-FOR-US: SIPS CVE-2002-0265 (Sawmill for Solaris 6.2.14 and earlier creates the AdminPassword file ...) NOT-FOR-US: Sawmill CVE-2002-0251 (Buffer overflow in licq 1.0.4 and earlier allows remote attackers to c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0250 (Web configuration utility in HP AdvanceStack hubs J3200A through J3210 ...) NOT-FOR-US: HP CVE-2002-0246 (Format string vulnerability in the message catalog library functions i ...) NOT-FOR-US: UnixWare CVE-2002-0241 (NDSAuth.DLL in Cisco Secure Authentication Control Server (ACS) 3.0.1 ...) NOT-FOR-US: Cisco CVE-2002-0237 (Buffer overflow in ISS BlackICE Defender 2.9 and earlier, BlackICE Age ...) NOT-FOR-US: ISS CVE-2002-0226 (retrieve_password.pl in DCForum 6.x and 2000 generates predictable new ...) NOT-FOR-US: DCForum CVE-2002-0213 (xkas in Xinet K-AShare 0.011.01 for IRIX allows local users to read ar ...) NOT-FOR-US: Xinet CVE-2002-0211 (Race condition in the installation script for Tarantella Enterprise 3 ...) NOT-FOR-US: Tarantella CVE-2002-0209 (Nortel Alteon ACEdirector WebOS 9.0, with the Server Load Balancing (S ...) NOT-FOR-US: Nortel CVE-2002-0207 (Buffer overflow in Real Networks RealPlayer 8.0 and earlier allows rem ...) NOT-FOR-US: Real Networks CVE-2002-0197 (psyBNC 2.3 beta and earlier allows remote attackers to spoof encrypted ...) NOT-FOR-US: psyBNC CVE-2002-0196 (GetRelativePath in ACD Incorporated CwpAPI 1.1 only verifies if the se ...) NOT-FOR-US: ACD CVE-2002-0193 (Microsoft Internet Explorer 5.01 and 6.0 allow remote attackers to exe ...) NOT-FOR-US: Microsoft CVE-2002-0191 (Microsoft Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers ...) NOT-FOR-US: Microsoft CVE-2002-0190 (Microsoft Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers ...) NOT-FOR-US: Microsoft CVE-2002-0188 (Microsoft Internet Explorer 5.01 and 6.0 allow remote attackers to exe ...) NOT-FOR-US: Microsoft CVE-2002-0187 (Cross-site scripting vulnerability in the SQLXML component of Microsof ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0186 (Buffer overflow in the SQLXML ISAPI extension of Microsoft SQL Server ...) NOT-FOR-US: Microsoft CVE-2002-0185 (mod_python version 2.7.6 and earlier allows a module indirectly import ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0184 (Heap-based buffer overflow in sudo before 1.6.6 may allow local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0181 (Cross-site scripting vulnerability in status.php3 for IMP 2.2.8 and HO ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0179 (Buffer overflow in xpilot-server for XPilot 4.5.0 and earlier allows r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0178 (uudecode, as available in the sharutils package before 4.2.1, does not ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0176 (The printf wrappers in libsafe 2.0-11 and earlier do not properly hand ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0175 (libsafe 2.0-11 and earlier allows attackers to bypass protection again ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0174 (nsd on SGI IRIX before 6.5.11 allows local users to overwrite arbitrar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0173 (Buffer overflow in cpr for the eoe.sw.cpr SGI Checkpoint-Restart Softw ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0172 (/dev/ipfilter on SGI IRIX 6.5 is installed by /dev/MAKEDEV with insecu ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0171 (IRISconsole 2.0 may allow users to log into the icadmin account with a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0170 (Zope 2.2.0 through 2.5.1 does not properly verify the access for objec ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0169 (The default stylesheet for DocBook on Red Hat Linux 6.2 through 7.2 is ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0168 (Vulnerability in Imlib before 1.9.13 allows attackers to cause a denia ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0167 (Imlib before 1.9.13 sometimes uses the NetPBM package to load trusted ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0166 (Cross-site scripting vulnerability in analog before 5.22 allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0163 (Heap-based buffer overflow in Squid before 2.4 STABLE4, and Squid 2.5 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0160 (The administration function in Cisco Secure Access Control Server (ACS ...) NOT-FOR-US: Cisco CVE-2002-0159 (Format string vulnerability in the administration function in Cisco Se ...) NOT-FOR-US: Cisco CVE-2002-0158 (Buffer overflow in Xsun on Solaris 2.6 through 8 allows local users to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0157 (Nautilus 1.0.4 and earlier allows local users to overwrite arbitrary f ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0155 (Buffer overflow in Microsoft MSN Chat ActiveX Control, as used in MSN ...) NOT-FOR-US: Microsoft CVE-2002-0153 (Internet Explorer 5.1 for Macintosh allows remote attackers to bypass ...) NOT-FOR-US: Microsoft CVE-2002-0152 (Buffer overflow in various Microsoft applications for Macintosh allows ...) NOT-FOR-US: Microsoft CVE-2002-0151 (Buffer overflow in Multiple UNC Provider (MUP) in Microsoft Windows op ...) NOT-FOR-US: Microsoft CVE-2002-0150 (Buffer overflow in Internet Information Server (IIS) 4.0, 5.0, and 5.1 ...) NOT-FOR-US: Microsoft CVE-2002-0149 (Buffer overflow in ASP Server-Side Include Function in IIS 4.0, 5.0 an ...) NOT-FOR-US: Microsoft CVE-2002-0148 (Cross-site scripting vulnerability in Internet Information Server (IIS ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0147 (Buffer overflow in the ASP data transfer mechanism in Internet Informa ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0146 (fetchmail email client before 5.9.10 does not properly limit the maxim ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0143 (Buffer overflow in Eterm of Enlightenment Imlib2 1.0.4 and earlier all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0139 (Pi-Soft SpoonFTP 1.1 and earlier allows remote attackers to redirect t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0128 (cgitest.exe in Sambar Server 5.1 before Beta 4 allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0123 (MDG Computer Services Web Server 4D WS4D/eCommerce 3.0 and earlier, an ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0121 (PHP 4.0 through 4.1.1 stores session IDs in temporary files whose name ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0120 (Apple Palm Desktop 4.0b76 and 4.0b77 creates world-readable backup fil ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0117 (Cross-site scripting vulnerability in Yet Another Bulletin Board (YaBB ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0115 (Snort 1.8.3 does not properly define the minimum ICMP header size, whi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0111 (Directory traversal vulnerability in Funsoft Dino's Webserver 1.2 and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0107 (Web administration interface in CacheFlow CacheOS 4.0.13 and earlier a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0098 (Buffer overflow in index.cgi administration interface for Boozt! Stand ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0097 (Geeklog 1.3 allows remote attackers to hijack user accounts, including ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0096 (The installation of Geeklog 1.3 creates an extra group_assignments rec ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0095 (The default configuration of BSCW (Basic Support for Cooperative Work) ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0094 (config_converters.py in BSCW (Basic Support for Cooperative Work) 3.x ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0092 (CVS before 1.10.8 does not properly initialize a global variable, whic ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0090 (Buffer overflow in Low BandWidth X proxy (lbxproxy) in Solaris 8 allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0083 (Off-by-one error in the channel code of OpenSSH 2.0 through 3.0.2 allo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0082 (The dbm and shm session cache code in mod_ssl before 2.8.7-1.3.23, and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0081 (Buffer overflows in (1) php_mime_split in PHP 4.1.0, 4.1.1, and 4.0.6 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0080 (rsync, when running in daemon mode, does not properly call setgroups b ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0079 (Buffer overflow in the chunked encoding transfer mechanism in Internet ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0078 (The zone determination function in Microsoft Internet Explorer 5.5 and ...) NOT-FOR-US: Microsoft CVE-2002-0076 (Java Runtime Environment (JRE) Bytecode Verifier allows remote attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0075 (Cross-site scripting vulnerability for Internet Information Server (II ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0074 (Cross-site scripting vulnerability in Help File search facility for In ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0073 (The FTP service in Internet Information Server (IIS) 4.0, 5.0 and 5.1 ...) NOT-FOR-US: Microsoft CVE-2002-0072 (The w3svc.dll ISAPI filter in Front Page Server Extensions and ASP.NET ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0071 (Buffer overflow in the ism.dll ISAPI extension that implements HTR scr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0070 (Buffer overflow in Windows Shell (used as the Windows Desktop) allows ...) NOT-FOR-US: Microsoft CVE-2002-0069 (Memory leak in SNMP in Squid 2.4 STABLE3 and earlier allows remote att ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0068 (Squid 2.4 STABLE3 and earlier allows remote attackers to cause a denia ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0067 (Squid 2.4 STABLE3 and earlier does not properly disable HTCP, even whe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0066 (Funk Software Proxy Host 3.x before 3.09A creates a Named Pipe that do ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0065 (Funk Software Proxy Host 3.x uses weak encryption for the Proxy Host p ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0064 (Funk Software Proxy Host 3.x is installed with insecure permissions fo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0063 (Buffer overflow in ippRead function of CUPS before 1.1.14 may allow at ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0062 (Buffer overflow in ncurses 5.0, and the ncurses4 compatibility package ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0061 (Apache for Win32 before 1.3.24, and 2.0.x before 2.0.34-beta, allows r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0060 (IRC connection tracking helper module in the netfilter subsystem for L ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0059 (The decompression algorithm in zlib 1.1.3 and earlier, as used in many ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0057 (XMLHTTP control in Microsoft XML Core Services 2.6 and later does not ...) NOT-FOR-US: Microsoft CVE-2002-0055 (SMTP service in Microsoft Windows 2000, Windows XP Professional, and E ...) NOT-FOR-US: Microsoft CVE-2002-0054 (SMTP service in (1) Microsoft Windows 2000 and (2) Internet Mail Conne ...) NOT-FOR-US: Microsoft CVE-2002-0052 (Internet Explorer 6.0 and earlier does not properly handle VBScript in ...) NOT-FOR-US: Microsoft CVE-2002-0051 (Windows 2000 allows local users to prevent the application of new grou ...) NOT-FOR-US: Microsoft CVE-2002-0050 (Buffer overflow in AuthFilter ISAPI filter on Microsoft Commerce Serve ...) NOT-FOR-US: Microsoft CVE-2002-0049 (Microsoft Exchange Server 2000 System Attendant gives "Everyone" group ...) NOT-FOR-US: Microsoft CVE-2002-0047 (CIPE VPN package before 1.3.0-3 allows remote attackers to cause a den ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0046 (Linux kernel, and possibly other operating systems, allows remote atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0045 (slapd in OpenLDAP 2.0 through 2.0.19 allows local users, and anonymous ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0044 (GNU Enscript 1.6.1 and earlier allows local users to overwrite arbitra ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0043 (sudo 1.6.0 through 1.6.3p7 does not properly clear the environment bef ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0042 (Vulnerability in the XFS file system for SGI IRIX before 6.5.12 allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0040 (Vulnerability in SGI IRIX 6.5.11 through 6.5.15f allows local users to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0038 (Vulnerability in the cache-limiting function of the unified name servi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0036 (Integer signedness error in MIT Kerberos V5 ASN.1 decoder before krb5 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0033 (Heap-based buffer overflow in cfsd_calloc function of Solaris cachefsd ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0032 (Yahoo! Messenger 5,0,0,1064 and earlier allows remote attackers to exe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0028 (Buffer overflow in ICQ before 2001B Beta v5.18 Build #3659 allows remo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0027 (Internet Explorer 5.5 and 6.0 allows remote attackers to read certain ...) NOT-FOR-US: Microsoft CVE-2002-0026 (Internet Explorer 5.5 and 6.0 allows remote attackers to bypass restri ...) NOT-FOR-US: Microsoft CVE-2002-0025 (Internet Explorer 5.01, 5.5 and 6.0 does not properly handle the Conte ...) NOT-FOR-US: Microsoft CVE-2002-0024 (File Download box in Internet Explorer 5.01, 5.5 and 6.0 allows an att ...) NOT-FOR-US: Microsoft CVE-2002-0023 (Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read ar ...) NOT-FOR-US: Microsoft CVE-2002-0022 (Buffer overflow in the implementation of an HTML directive in mshtml.d ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0021 (Network Product Identification (PID) Checker in Microsoft Office v. X ...) NOT-FOR-US: Microsoft CVE-2002-0020 (Buffer overflow in telnet server in Windows 2000 and Interix 2.2 allow ...) NOT-FOR-US: Microsoft CVE-2002-0018 (In Microsoft Windows NT and Windows 2000, a trusting domain that recei ...) NOT-FOR-US: Microsoft CVE-2002-0017 (Buffer overflow in SNMP daemon (snmpd) on SGI IRIX 6.5 through 6.5.15m ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0014 (URL-handling code in Pine 4.43 and earlier allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0011 (Information leak in doeditvotes.cgi in Bugzilla before 2.14.1 may allo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0009 (show_bug.cgi in Bugzilla before 2.14.1 allows a user with "Bugs Access ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0007 (CGI.pl in Bugzilla before 2.14.1, when using LDAP, allows remote attac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0006 (XChat 1.8.7 and earlier, including default configurations of 1.4.2 and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0005 (Buffer overflow in AOL Instant Messenger (AIM) 4.7.2480, 4.8.2616, and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0004 (Heap corruption vulnerability in the "at" program allows local users t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0003 (Buffer overflow in the preprocessor in groff 1.16 and earlier allows r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0002 (Format string vulnerability in stunnel before 3.22 when used in client ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1407 (Bugzilla before 2.14 allows Bugzilla users to bypass group security ch ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1406 (process_bug.cgi in Bugzilla before 2.14 does not set the "groupset" bi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1391 (Off-by-one vulnerability in CPIA driver of Linux kernel before 2.2.19 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1386 (WFTPD 3.00 allows remote attackers to read arbitrary files by uploadin ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1385 (The Apache module for PHP 4.0.0 through PHP 4.0.4, when disabled with ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1383 (initscript in setserial 2.17-4 and earlier uses predictable temporary ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1382 (The "echo simulation" traffic analysis countermeasure in OpenSSH befor ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1380 (OpenSSH before 2.9.9, while using keypairs and multiple keys of differ ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1378 (fetchmailconf in fetchmail before 5.7.4 allows local users to overwrit ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1375 (tcl/tk package (tcltk) 8.3.1 searches for its libraries in the current ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1374 (expect before 5.32 searches for its libraries in /var/tmp before other ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1373 (MailSafe in Zone Labs ZoneAlarm 2.6 and earlier and ZoneAlarm Pro 2.6 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1372 (Oracle 9i Application Server 1.0.2 allows remote attackers to obtain t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1371 (The default configuration of Oracle Application Server 9iAS 1.0.2.2 en ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1370 (prepend.php3 in PHPLib before 7.2d, when register_globals is enabled f ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1369 (Leon J Breedt pam-pgsql before 0.5.2 allows remote attackers to execut ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1367 (The checkAccess function in PHPSlice 0.1.4, and all other versions bet ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1359 (Volution clients 1.0.7 and earlier attempt to contact the computer cre ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1352 (Cross-site scripting vulnerability in Namazu 2.0.9 and earlier allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1351 (Cross-site scripting vulnerability in Namazu 2.0.8 and earlier allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1350 (Cross-site scripting vulnerability in namazu.cgi for Namazu 2.0.7 and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1349 (Sendmail before 8.11.4, and 8.12.0 before 8.12.0.Beta10, allows local ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1347 (Windows 2000 allows local users to cause a denial of service and possi ...) NOT-FOR-US: Microsoft CVE-2001-1345 (bctool in Jetico BestCrypt 0.7 and earlier trusts the user-supplied PA ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1342 (Apache before 1.3.20 on Windows and OS/2 systems allows remote attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1334 (Block_render_url.class in PHPSlash 0.6.1 allows remote attackers with ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1328 (Buffer overflow in ypbind daemon in Solaris 5.4 through 8 allows remot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1327 (pmake before 2.1.35 in Turbolinux 6.05 and earlier is installed with s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1322 (xinetd 2.1.8 and earlier runs with a default umask of 0, which could a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1303 (The default configuration of SecuRemote for Check Point Firewall-1 all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1302 (The change password option in the Windows Security interface for Windo ...) NOT-FOR-US: Microsoft CVE-2001-1301 (rcs2log, as used in Emacs 20.4, xemacs 21.1.10 and other versions befo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1299 (Zorbat Zorbstats PHP script before 0.9 allows remote attackers to incl ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1297 (PHP remote file inclusion vulnerability in Actionpoll PHP script befor ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1296 (More.groupware PHP script allows remote attackers to include arbitrary ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1295 (Directory traversal vulnerability in Cerberus FTP Server 1.5 and earli ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1291 (The telnet server for 3Com hardware such as PS40 SuperStack II does no ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1279 (Buffer overflow in print-rx.c of tcpdump 3.x (probably 3.6x) allows re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1277 (makewhatis in the man package before 1.5i2 allows an attacker in group ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1276 (ispell before 3.1.20 allows local users to overwrite files of other us ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1267 (Directory traversal vulnerability in GNU tar 1.13.19 and earlier allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1266 (Directory traversal vulnerability in Doug Neal's HTTPD Daemon (DNHTTPD ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1252 (Network Associates PGP Keyserver 7.0 allows remote attackers to bypass ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1251 (SmallHTTP 1.204 through 3.00 beta 8 allows remote attackers to cause a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1247 (PHP 4.0.4pl1 and 4.0.5 in safe mode allows remote attackers to read an ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1246 (PHP 4.0.5 through 4.1.0 in safe mode does not properly cleanse the 5th ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1240 (The default configuration of sudo in Engarde Secure Linux 1.0.1 allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1237 (Phormation PHP script 0.9.1 and earlier allows remote attackers to exe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1236 (myphpPagetool PHP script 0.4.3-1 and earlier allows remote attackers t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1235 (pSlash PHP script 0.7 and earlier allows remote attackers to execute a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1234 (Bharat Mediratta Gallery PHP script before 1.2.1 allows remote attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1231 (GroupWise 5.5 and 6 running in live remote or smart caching mode allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1227 (Zope before 2.2.4 allows partially trusted users to bypass security co ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1215 (Format string vulnerability in PFinger 0.7.5 through 0.7.7 allows remo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1203 (Format string vulnerability in gpm-root in gpm 1.17.8 through 1.17.18 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1201 (Buffer overflow in wmcube-gdk for WMCube/GDK 0.98 allows local users t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1200 (Microsoft Windows XP allows local users to bypass a locked screen and ...) NOT-FOR-US: Microsoft CVE-2001-1199 (Cross-site scripting vulnerability in agora.cgi for Agora 3.0a through ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1193 (Directory traversal vulnerability in EFTP 2.0.8.346 allows local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1186 (Microsoft IIS 5.0 allows remote attackers to cause a denial of service ...) NOT-FOR-US: Microsoft CVE-2001-1185 (Some AIO operations in FreeBSD 4.4 may be delayed until after a call t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1183 (PPTP implementation in Cisco IOS 12.1 and 12.2 allows remote attackers ...) NOT-FOR-US: Cisco CVE-2001-1180 (FreeBSD 4.3 does not properly clear shared signal handlers when execut ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1177 (ml85p in Samsung ML-85G GDI printer driver before 0.2.0 allows local u ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1176 (Format string vulnerability in Check Point VPN-1/FireWall-1 4.1 allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1175 (vipw in the util-linux package before 2.10 causes /etc/shadow to be wo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1174 (Buffer overflow in Elm 2.5.5 and earlier allows remote attackers to ex ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1172 (OmniSecure HTTProtect 1.1.1 allows a superuser without omnish privileg ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1166 (linprocfs on FreeBSD 4.3 and earlier does not properly restrict access ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1162 (Directory traversal vulnerability in the %m macro in the smb.conf conf ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1161 (Cross-site scripting (CSS) vulnerability in Lotus Domino 5.0.6 allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1160 (udirectory.pl in Microburst Technologies uDirectory 2.0 and earlier al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1158 (Check Point VPN-1/FireWall-1 4.1 base.def contains a default macro, ac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1155 (TCP Wrappers (tcp_wrappers) in FreeBSD 4.1.1 through 4.3 with the PARA ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1153 (lpsystem in OpenUnix 8.0.0 allows local users to cause a denial of ser ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1149 (Panda Antivirus Platinum before 6.23.00 allows a remore attacker to ca ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1147 (The PAM implementation in /bin/login of the util-linux package before ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1146 (AllCommerce with debugging enabled in EnGarde Secure Linux 1.0.1 creat ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1145 (fts routines in FreeBSD 4.3 and earlier, NetBSD before 1.5.2, and Open ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1144 (Directory traversal vulnerability in McAfee ASaP VirusScan agent 1.0 a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1141 (The Pseudo-Random Number Generator (PRNG) in SSLeay and OpenSSL before ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1132 (Mailman 2.0.x before 2.0.6 allows remote attackers to gain access to l ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1130 (Sdbsearch.cgi in SuSE Linux 6.0-7.2 could allow remote attackers to ex ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1121 (DEPRECATED. This entry has been deprecated. It is a duplicate of CVE ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1119 (cda in xmcd 3.0.2 and 2.6 in SuSE Linux allows local users to overwrit ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1118 (A module in Roxen 2.0 before 2.0.92, and 2.1 before 2.1.264, does not ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1117 (LinkSys EtherFast BEFSR41 Cable/DSL routers running firmware before 1. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1116 (Identix BioLogon 2.03 and earlier does not lock secondary displays on ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1113 (Buffer overflow in TrollFTPD 1.26 and earlier allows local users to ex ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1108 (Directory traversal vulnerability in SnapStream PVS 1.2a allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1106 (The default configuration of Sambar Server 5 and earlier uses a symmet ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1103 (FTP Voyager ActiveX control before 8.0, when it is marked as safe for ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1100 (sendmessage.cgi in W3Mail 1.0.2, and possibly other CGI programs, allo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1099 (The default configuration of Norton AntiVirus for Microsoft Exchange 2 ...) NOT-FOR-US: Norton CVE-2001-1098 (Cisco PIX firewall manager (PFM) 4.3(2)g logs the enable password in p ...) NOT-FOR-US: Cisco CVE-2001-1096 (Buffer overflows in muxatmd in AIX 4 allows an attacker to cause a cor ...) NOT-FOR-US: AIX CVE-2001-1095 (Buffer overflow in uuq in AIX 4 could allow local users to execute arb ...) NOT-FOR-US: AIX CVE-2001-1089 (libnss-pgsql in nss-pgsql 0.9.0 and earlier allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1088 (Microsoft Outlook 8.5 and earlier, and Outlook Express 5 and earlier, ...) NOT-FOR-US: Microsoft CVE-2001-1085 (Lmail 2.7 and earlier allows local users to overwrite arbitrary files ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1084 (Cross-site scripting vulnerability in Allaire JRun 3.0 and 2.3.3 allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1083 (Icecast 1.3.7, and other versions before 1.3.11 with HTTP server file ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1081 (Format string vulnerabilities in Livingston/Lucent RADIUS before 2.1.v ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1080 (diagrpt in AIX 4.3.x and 5.1 uses the DIAGDATADIR environment variable ...) NOT-FOR-US: AIX CVE-2001-1079 (create_keyfiles in PSSP 3.2 with DCE 3.1 authentication on AIX creates ...) NOT-FOR-US: AIX CVE-2001-1075 (poprelayd script before 2.0 in Cobalt RaQ3 servers allows remote attac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1074 (Webmin 0.84 and earlier does not properly clear the HTTP_AUTHORIZATION ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1072 (Apache with mod_rewrite enabled on most UNIX systems allows remote att ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1071 (Cisco IOS 12.2 and earlier running Cisco Discovery Protocol (CDP) allo ...) NOT-FOR-US: Cisco CVE-2001-1069 (libCoolType library as used in Adobe Acrobat (acroread) on Linux creat ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1067 (Buffer overflow in AOLserver 3.0 allows remote attackers to cause a de ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1066 (ns6install installation script for Netscape 6.01 on Solaris, and other ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1063 (Buffer overflow in uidadmin in Caldera Open Unix 8.0.0 and UnixWare 7 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1062 (Buffer overflow in mana in OpenServer 5.0.6a and earlier allows local ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1059 (VMWare creates a temporary file vmware-log.USERNAME with insecure perm ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1056 (IRC DCC helper in the ip_masq_irc IP masquerading module 2.2 allows re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1055 (The Microsoft Windows network stack allows remote attackers to cause a ...) NOT-FOR-US: Microsoft CVE-2001-1054 (PHPAdsNew PHP script allows remote attackers to include arbitrary file ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1053 (AdLogin.pm in AdCycle 1.15 and earlier allows remote attackers to bypa ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1049 (Phorecast PHP script before 0.40 allows remote attackers to include ar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1048 (AWOL PHP script allows remote attackers to include arbitrary files fro ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1046 (Buffer overflow in qpopper (aka qpop or popper) 4.0 through 4.0.2 allo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1043 (ArGoSoft FTP Server 1.2.2.2 allows remote attackers to read arbitrary ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1038 (Cisco SN 5420 Storage Router 1.1(3) and earlier allows remote attacker ...) NOT-FOR-US: Cisco CVE-2001-1037 (Cisco SN 5420 Storage Router 1.1(3) and earlier allows local users to ...) NOT-FOR-US: Cisco CVE-2001-1036 (GNU locate in findutils 4.1 on Slackware 7.1 and 8.0 allows local user ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1035 (Binary decoding feature of slrn 0.9 and earlier allows remote attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1032 (admin.php in PHP-Nuke 5.2 and earlier, except 5.0RC1, does not check l ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1030 (Squid before 2.3STABLE5 in HTTP accelerator mode does not enable acces ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1029 (libutil in OpenSSH on FreeBSD 4.4 and earlier does not drop privileges ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1028 (Buffer overflow in ultimate_source function of man 1.5 and earlier all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1027 (Buffer overflow in WindowMaker (aka wmaker) 0.64 and earlier allows re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1022 (Format string vulnerability in pic utility in groff 1.16.1 and other v ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1020 (edit_image.php in Vibechild Directory Manager before 0.91 allows remot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1017 (rmuser utility in FreeBSD 4.2 and 4.3 creates a copy of the master.pas ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1016 (PGP Corporate Desktop before 7.1, Personal Security before 7.0.3, Free ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1011 (index2.php in Mambo Site Server 3.0.0 through 3.0.5 allows remote atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1010 (Directory traversal vulnerability in pagecount CGI script in Sambar Se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1008 (Java Plugin 1.4 for JRE 1.3 executes signed applets even if the certif ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1002 (The default configuration of the DVI print filter (dvips) in Red Hat L ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0998 (IBM HACMP 4.4 allows remote attackers to cause a denial of service via ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0995 (PHProjekt before 2.4a allows remote attackers to perform actions as ot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0993 (sendmsg function in NetBSD 1.3 through 1.5 allows local users to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0987 (Cross-site scripting vulnerability in CGIWrap before 3.7 allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0982 (Directory traversal vulnerability in IBM Tivoli WebSEAL Policy Directo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0981 (HP CIFS/9000 Server (SAMBA) A.01.07 and earlier with the "unix passwor ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0980 (docview before 1.0-15 allows remote attackers to execute arbitrary com ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0978 (login in HP-UX 10.26 does not record failed login attempts in /var/adm ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0977 (slapd in OpenLDAP 1.x before 1.2.12, and 2.x before 2.0.8, allows remo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0973 (BSCW groupware system 3.3 through 4.0.2 beta allows remote attackers t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0969 (ipfw in FreeBSD does not properly handle the use of "me" in its rules ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0965 (glFTPD 1.23 allows remote attackers to cause a denial of service (CPU ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0963 (Directory traversal vulnerability in SpoonFTP 1.1 allows local and som ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0962 (IBM WebSphere Application Server 3.02 through 3.53 uses predictable se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0961 (Buffer overflow in tab expansion capability of the most program allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0960 (Computer Associates ARCserve for NT 6.61 SP2a and ARCserve 2000 7.0 st ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0959 (Computer Associates ARCserve for NT 6.61 SP2a and ARCserve 2000 7.0 cr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0954 (Lotus Domino 5.0.5 and 5.0.8, and possibly other versions, allows remo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0951 (Windows 2000 allows remote attackers to cause a denial of service (CPU ...) NOT-FOR-US: Microsoft CVE-2001-0946 (apmscript in Apmd in Red Hat 7.2 "Enigma" allows local users to create ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0940 (Buffer overflow in the GUI authentication code of Check Point VPN-1/Fi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0939 (Lotus Domino 5.08 and earlier allows remote attackers to cause a denia ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0936 (Buffer overflow in Frox transparent FTP proxy 0.6.6 and earlier, with ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0929 (Cisco IOS Firewall Feature set, aka Context Based Access Control (CBAC ...) NOT-FOR-US: Cisco CVE-2001-0921 (Netscape 4.79 and earlier for MacOS allows an attacker with access to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0920 (Format string vulnerability in auto nice daemon (AND) 1.0.4 and earlie ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0918 (Vulnerabilities in CGI scripts in susehelp in SuSE 7.2 and 7.3 allow r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0917 (Jakarta Tomcat 4.0.1 allows remote attackers to reveal physical path i ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0914 (Linux kernel before 2.4.11pre3 in multiple Linux distributions allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0912 (Packaging error for expect 8.3.3 in Mandrake Linux 8.1 causes expect t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0909 (Buffer overflow in helpctr.exe program in Microsoft Help Center for Wi ...) NOT-FOR-US: Microsoft CVE-2001-0907 (Linux kernel 2.2.1 through 2.2.19, and 2.4.1 through 2.4.10, allows lo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0906 (teTeX filter before 1.0.7 allows local users to gain privileges via a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0905 (Race condition in signal handling of procmail 3.20 and earlier, when r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0902 (Microsoft IIS 5.0 allows remote attackers to spoof web log entries via ...) NOT-FOR-US: Microsoft CVE-2001-0901 (Hypermail allows remote attackers to execute arbitrary commands on a s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0900 (Directory traversal vulnerability in modules.php in Gallery before 1.2 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0899 (Network Tools 0.2 for PHP-Nuke allows remote attackers to execute comm ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0896 (Inetd in OpenServer 5.0.5 allows remote attackers to cause a denial of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0895 (Multiple Cisco networking products allow remote attackers to cause a d ...) NOT-FOR-US: Cisco CVE-2001-0894 (Vulnerability in Postfix SMTP server before 20010228-pl07, when config ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0891 (Format string vulnerability in NQS daemon (nqsdaemon) in NQE 3.3.0.16 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0889 (Exim 3.22 and earlier, in some configurations, does not properly verif ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0888 (Atmel Firmware 1.3 Wireless Access Point (WAP) allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0887 (xSANE 0.81 and earlier allows local users to modify files of other xSA ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0886 (Buffer overflow in glob function of glibc allows attackers to cause a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0884 (Cross-site scripting vulnerability in Mailman email archiver before 2. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0879 (Format string vulnerability in the C runtime functions in SQL Server 7 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0877 (Universal Plug and Play (UPnP) on Windows 98, 98SE, ME, and XP allows ...) NOT-FOR-US: Microsoft CVE-2001-0876 (Buffer overflow in Universal Plug and Play (UPnP) on Windows 98, 98SE, ...) NOT-FOR-US: Microsoft CVE-2001-0875 (Internet Explorer 5.5 and 6.0 allows remote attackers to cause the Fil ...) NOT-FOR-US: Microsoft CVE-2001-0874 (Internet Explorer 5.5 and 6.0 allow remote attackers to read certain f ...) NOT-FOR-US: Microsoft CVE-2001-0873 (uuxqt in Taylor UUCP package does not properly remove dangerous long o ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0872 (OpenSSH 3.0.1 and earlier with UseLogin enabled does not properly clea ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0869 (Format string vulnerability in the default logging callback function _ ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0867 (Cisco 12000 with IOS 12.0 and line cards based on Engine 2 does not pr ...) NOT-FOR-US: Cisco CVE-2001-0866 (Cisco 12000 with IOS 12.0 and lines card based on Engine 2 does not pr ...) NOT-FOR-US: Cisco CVE-2001-0865 (Cisco 12000 with IOS 12.0 and line cards based on Engine 2 does not su ...) NOT-FOR-US: Cisco CVE-2001-0864 (Cisco 12000 with IOS 12.0 and line cards based on Engine 2 does not pr ...) NOT-FOR-US: Cisco CVE-2001-0863 (Cisco 12000 with IOS 12.0 and line cards based on Engine 2 does not ha ...) NOT-FOR-US: Cisco CVE-2001-0862 (Cisco 12000 with IOS 12.0 and line cards based on Engine 2 does not bl ...) NOT-FOR-US: Cisco CVE-2001-0861 (Cisco 12000 with IOS 12.0 and line cards based on Engine 2 and earlier ...) NOT-FOR-US: Cisco CVE-2001-0860 (Terminal Services Manager MMC in Windows 2000 and XP trusts the Client ...) NOT-FOR-US: Microsoft CVE-2001-0859 (2.4.3-12 kernel in Red Hat Linux 7.1 Korean installation program sets ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0857 (Cross-site scripting vulnerability in status.php3 in Imp Webmail 2.2.6 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0852 (TUX HTTP server 2.1.0-2 in Red Hat Linux allows remote attackers to ca ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0851 (Linux kernel 2.0, 2.2 and 2.4 with syncookies enabled allows remote at ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0850 (A configuration error in the libdb1 package in OpenLinux 3.1 uses inse ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0846 (Lotus Domino 5.x allows remote attackers to read files or execute arbi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0843 (Squid proxy server 2.4 and earlier allows remote attackers to cause a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0837 (DeltaThree Pc-To-Phone 3.0.3 places sensitive data in world-readable l ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0836 (Buffer overflow in Oracle9iAS Web Cache 2.0.0.1 allows remote attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0834 (htsearch CGI program in htdig (ht://Dig) 3.1.5 and earlier allows remo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0833 (Buffer overflow in otrcrep in Oracle 8.0.x through 9.0.1 allows local ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0830 (6tunnel 0.08 and earlier does not properly close sockets that were ini ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0828 (A cross-site scripting vulnerability in Caucho Technology Resin before ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0825 (Buffer overflow in internal string handling routines of xinetd before ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0823 (The pmpost program in Performance Co-Pilot (PCP) before 2.2.1-3 allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0822 (FPF kernel module 1.0 allows a remote attacker to cause a denial of se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0819 (A buffer overflow in Linux fetchmail before 5.8.6 allows remote attack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0816 (OpenSSH before 2.9.9, when running sftp using sftp-server and using re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0815 (Buffer overflow in PerlIS.dll in Activestate ActivePerl 5.6.1.629 and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0806 (Apple MacOS X 10.0 and 10.1 allow a local user to read and write to a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0805 (Directory traversal vulnerability in ttawebtop.cgi in Tarantella Enter ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0804 (Directory traversal vulnerability in story.pl in Interactive Story 1.3 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0803 (Buffer overflow in the client connection routine of libDtSvc.so.1 in C ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0801 (lpstat in IRIX 6.5.13f and earlier allows local users to gain root pri ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0797 (Buffer overflow in login in various System V based operating systems a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0796 (SGI IRIX 6.5 through 6.5.12f and possibly earlier versions, and FreeBS ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0792 (Format string vulnerability in XChat 1.2.x allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0787 (LPRng in Red Hat Linux 7.0 and 7.1 does not properly drop memberships ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0784 (Directory traversal vulnerability in Icecast 1.3.10 and earlier allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0779 (Buffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0774 (Tripwire 1.3.1, 2.2.1 and 2.3.0 allows local users to overwrite arbitr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0773 (Cayman 3220-H DSL Router 1.0 allows remote attacker to cause a denial ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0770 (Buffer overflow in GuildFTPd Server 0.97 allows remote attacker to exe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0769 (Memory leak in GuildFTPd Server 0.97 allows remote attackers to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0765 (BisonFTP V4R1 allows local users to access directories outside of thei ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0764 (Buffer overflow in ntping in scotty 2.1.0 allows local users to execut ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0763 (Buffer overflow in Linux xinetd 2.1.8.9pre11-1 and earlier may allow r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0760 (Citrix Nfuse 1.51 allows remote attackers to obtain the absolute path ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0757 (Cisco 6400 Access Concentrator Node Route Processor 2 (NRP2) 12.1DC ca ...) NOT-FOR-US: Cisco CVE-2001-0754 (Cisco CBOS 2.3.8 and earlier allows remote attackers to cause a denial ...) NOT-FOR-US: Cisco CVE-2001-0752 (Cisco CBOS 2.3.8 and earlier allows remote attackers to cause a denial ...) NOT-FOR-US: Cisco CVE-2001-0751 (Cisco switches and routers running CBOS 2.3.8 and earlier use predicta ...) NOT-FOR-US: Cisco CVE-2001-0750 (Cisco IOS 12.1(2)T, 12.1(3)T allow remote attackers to cause a denial ...) NOT-FOR-US: Cisco CVE-2001-0749 (Beck IPC GmbH IPC@CHIP Embedded-Webserver allows remote attackers to r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0748 (Acme.Serve 1.7, as used in Cisco Secure ACS Unix and possibly other pr ...) NOT-FOR-US: Cisco CVE-2001-0745 (Netscape 4.7x allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0741 (Cisco Hot Standby Routing Protocol (HSRP) allows local attackers to ca ...) NOT-FOR-US: Cisco CVE-2001-0740 (3COM OfficeConnect 812 and 840 ADSL Router 4.2, running OCR812 router ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0739 (Guardian Digital WebTool in EnGarde Secure Linux 1.0.1 allows restarte ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0738 (LogLine function in klogd in sysklogd 1.3 in various Linux distributio ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0733 (The #sinclude directive in Embedded Perl (ePerl) 2.2.14 and earlier al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0731 (Apache 1.3.20 with Multiviews enabled allows remote attackers to view ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0730 (split-logfile in Apache 1.3.20 allows remote attackers to overwrite ar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0728 (Buffer overflow in Compaq Management Agents before 5.2, included in Co ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0727 (Internet Explorer 6.0 allows remote attackers to execute arbitrary cod ...) NOT-FOR-US: Microsoft CVE-2001-0726 (Outlook Web Access (OWA) in Microsoft Exchange 5.5 Server, when used w ...) NOT-FOR-US: Microsoft CVE-2001-0724 (Internet Explorer 5.5 allows remote attackers to bypass security restr ...) NOT-FOR-US: Microsoft CVE-2001-0723 (Internet Explorer 5.5 and 6.0 allows remote attackers to read and modi ...) NOT-FOR-US: Microsoft CVE-2001-0722 (Internet Explorer 5.5 and 6.0 allows remote attackers to read and modi ...) NOT-FOR-US: Microsoft CVE-2001-0720 (Internet Explorer 5.1 for Macintosh on Mac OS X allows remote attacker ...) NOT-FOR-US: Microsoft CVE-2001-0719 (Buffer overflow in Microsoft Windows Media Player 6.4 allows remote at ...) NOT-FOR-US: Microsoft CVE-2001-0718 (Vulnerability in (1) Microsoft Excel 2002 and earlier and (2) Microsof ...) NOT-FOR-US: Microsoft CVE-2001-0717 (Format string vulnerability in ToolTalk database server rpc.ttdbserver ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0716 (Citrix MetaFrame 1.8 Server with Service Pack 3, and XP Server Service ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0710 (NetBSD 1.5 and earlier and FreeBSD 4.3 and earlier allows a remote att ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0706 (Maximum Rumpus FTP Server 2.0.3 dev and before allows an attacker to c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0701 (Buffer overflow in ptexec in the Sun Validation Test Suite 4.3 and ear ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0700 (Buffer overflow in w3m 0.2.1 and earlier allows a remote attacker to e ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0699 (Buffer overflow in cb_reset in the System Service Processor (SSP) pack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0698 (Directory traversal vulnerability in NetWin SurgeFTP 2.0a and 1.0b all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0697 (NetWin SurgeFTP prior to 1.1h allows a remote attacker to cause a deni ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0696 (NetWin SurgeFTP 2.0a and 1.0b allows a remote attacker to cause a deni ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0692 (SMTP proxy in WatchGuard Firebox (2500 and 4500) 4.5 and 4.6 allows a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0690 (Format string vulnerability in exim (3.22-10 in Red Hat, 3.12 in Debia ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0686 (Buffer overflow in mail included with SunOS 5.8 for x86 allows a local ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0685 (Thibault Godouet FCron prior to 1.1.1 allows a local user to corrupt a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0682 (ZoneAlarm and ZoneAlarm Pro allows a local attacker to cause a denial ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0680 (Directory traversal vulnerability in ftpd in QPC QVT/Net 4.0 and AVT/T ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0677 (Eudora 5.0.2 allows a remote attacker to read arbitrary files via an e ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0676 (Directory traversal vulnerability in Rit Research Labs The Bat! 1.48f ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0675 (Rit Research Labs The Bat! 1.51 for Windows allows a remote attacker t ...) NOT-FOR-US: Microsoft CVE-2001-0670 (Buffer overflow in BSD line printer daemon (in.lpd or lpd) in various ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0668 (Buffer overflow in line printer daemon (rlpdaemon) in HP-UX 10.01 thro ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0667 (Internet Explorer 6 and earlier, when used with the Telnet client in S ...) NOT-FOR-US: Microsoft CVE-2001-0666 (Outlook Web Access (OWA) in Microsoft Exchange 2000 allows an authenti ...) NOT-FOR-US: Microsoft CVE-2001-0665 (Internet Explorer 6 and earlier allows remote attackers to cause certa ...) NOT-FOR-US: Microsoft CVE-2001-0664 (Internet Explorer 5.5 and 5.01 allows remote attackers to bypass secur ...) NOT-FOR-US: Microsoft CVE-2001-0663 (Terminal Server in Windows NT and Windows 2000 allows remote attackers ...) NOT-FOR-US: Microsoft CVE-2001-0662 (RPC endpoint mapper in Windows NT 4.0 allows remote attackers to cause ...) NOT-FOR-US: Microsoft CVE-2001-0660 (Outlook Web Access (OWA) in Microsoft Exchange 5.5, SP4 and earlier, a ...) NOT-FOR-US: Microsoft CVE-2001-0659 (Buffer overflow in IrDA driver providing infrared data exchange on Win ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0658 (Cross-site scripting (CSS) vulnerability in Microsoft Internet Securit ...) NOT-FOR-US: Microsoft CVE-2001-0653 (Sendmail 8.10.0 through 8.11.5, and 8.12.0 beta, allows local users to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0652 (Heap overflow in xlock in Solaris 2.6 through 8 allows local users to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0650 (Cisco devices IOS 12.0 and earlier allow a remote attacker to cause a ...) NOT-FOR-US: Cisco CVE-2001-0648 (Directory traversal vulnerability in PHProjekt 2.1 and earlier allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0646 (Maxum Rumpus FTP Server 1.3.3 and 2.0.3 dev 3 allows a remote attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0644 (Maxum Rumpus FTP Server 1.3.3 and 2.0.3 dev 3 stores passwords in plai ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0643 (Internet Explorer 5.5 does not display the Class ID (CLSID) when it is ...) NOT-FOR-US: Microsoft CVE-2001-0641 (Buffer overflow in man program in various distributions of Linux allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0635 (Red Hat Linux 7.1 sets insecure permissions on swap files created duri ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0634 (Sun Chili!Soft ASP has weak permissions on various configuration files ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0631 (Centrinity First Class Internet Services 5.50 allows for the circumven ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0630 (Directory traversal vulnerability in MIMAnet viewsrc.cgi 2.0 allows a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0629 (HP Event Correlation Service (ecsd) as included with OpenView Network ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0628 (Microsoft Word 2000 does not check AutoRecovery (.asd) files for macro ...) NOT-FOR-US: Microsoft CVE-2001-0627 (vi as included with SCO OpenServer 5.0 - 5.0.6 allows a local attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0626 (O'Reilly Website Professional 2.5.4 and earlier allows remote attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0625 (ftpdownload in Computer Associates InoculateIT 6.0 allows a local atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0622 (The web management service on Cisco Content Service series 11000 switc ...) NOT-FOR-US: Cisco CVE-2001-0621 (The FTP server on Cisco Content Service 11000 series switches (CSS) be ...) NOT-FOR-US: Cisco CVE-2001-0616 (Faust Informatics Freestyle Chat server prior to 4.1 SR3 allows a remo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0615 (Directory traversal vulnerability in Faust Informatics Freestyle Chat ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0613 (Omnicron Technologies OmniHTTPD Professional 2.08 and earlier allows a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0612 (McAfee Remote Desktop 3.0 and earlier allows remote attackers to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0611 (Becky! 2.00.05 and earlier can allow a remote attacker to gain additio ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0596 (Netscape Communicator before 4.77 allows remote attackers to execute a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0595 (Buffer overflow in the kcsSUNWIOsolf.so library in Solaris 7 and 8 all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0594 (kcms_configure as included with Solaris 7 and 8 allows a local attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0593 (Anaconda Partners Clipper 3.3 and earlier allows a remote attacker to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0591 (Directory traversal vulnerability in Oracle JSP 1.0.x through 1.1.1 an ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0590 (Apache Software Foundation Tomcat Servlet prior to 3.2.2 allows a remo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0589 (NetScreen ScreenOS prior to 2.5r6 on the NetScreen-10 and Netscreen-10 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0586 (TrendMicro ScanMail for Exchange 3.5 Evaluation allows a local attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0585 (Gordano NTMail 6.0.3c allows a remote attacker to create a denial of s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0574 (Directory traversal vulnerability in MP3Mystic prior to 1.04b3 allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0573 (lsfs in AIX 4.x allows a local user to gain additional privileges by c ...) NOT-FOR-US: AIX CVE-2001-0567 (Digital Creations Zope 2.3.2 and earlier allows a local attacker to ga ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0565 (Buffer overflow in mailx in Solaris 8 and earlier allows a local attac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0564 (APC Web/SNMP Management Card prior to Firmware 310 only supports one t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0563 (ElectroSystems Engineering Inc. ElectroComm 2.0 and earlier allows a r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0560 (Buffer overflow in Vixie cron 3.0.1-56 and earlier could allow a local ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0559 (crontab in Vixie cron 3.0.1 and earlier does not properly drop privile ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0558 (T. Hauck Jana Webserver 2.01 beta 1 and earlier allows a remote attack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0554 (Buffer overflow in BSD-based telnetd telnet daemon on various operatin ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0553 (SSH Secure Shell 3.0.0 on Unix systems does not properly perform passw ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0550 (wu-ftpd 2.6.1 allows remote attackers to execute arbitrary commands vi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0549 (Symantec LiveUpdate 1.5 stores proxy passwords in cleartext in a regis ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0548 (Buffer overflow in dtmail in Solaris 2.6 and 7 allows local users to g ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0547 (Memory leak in the proxy service in Microsoft Internet Security and Ac ...) NOT-FOR-US: Microsoft CVE-2001-0546 (Memory leak in H.323 Gatekeeper Service in Microsoft Internet Security ...) NOT-FOR-US: Microsoft CVE-2001-0545 (IIS 4.0 with URL redirection enabled allows remote attackers to cause ...) NOT-FOR-US: Microsoft CVE-2001-0544 (IIS 5.0 allows local users to cause a denial of service (hang) via by ...) NOT-FOR-US: Microsoft CVE-2001-0543 (Memory leak in NNTP service in Windows NT 4.0 and Windows 2000 allows ...) NOT-FOR-US: Microsoft CVE-2001-0541 (Buffer overflow in Microsoft Windows Media Player 7.1 and earlier allo ...) NOT-FOR-US: Microsoft CVE-2001-0540 (Memory leak in Terminal servers in Windows NT and Windows 2000 allows ...) NOT-FOR-US: Microsoft CVE-2001-0538 (Microsoft Outlook View ActiveX Control in Microsoft Outlook 2002 and e ...) NOT-FOR-US: Microsoft CVE-2001-0537 (HTTP server for Cisco IOS 11.3 to 12.2 allows attackers to bypass auth ...) NOT-FOR-US: Cisco CVE-2001-0533 (Buffer overflow in libi18n library in IBM AIX 5.1 and 4.3.x allows loc ...) NOT-FOR-US: AIX CVE-2001-0530 (Spearhead NetGAP 200 and 300 before build 78 allow a remote attacker t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0529 (OpenSSH version 2.9 and earlier, with X forwarding enabled, allows a l ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0528 (Oracle E-Business Suite Release 11i Applications Desktop Integrator (A ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0527 (DCScripts DCForum versions 2000 and earlier allow a remote attacker to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0526 (Buffer overflow in the Xview library as used by mailtool in Solaris 8 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0525 (Buffer overflow in dsh in dqs 3.2.7 in SuSE Linux 7.0 and earlier, and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0522 (Format string vulnerability in Gnu Privacy Guard (aka GnuPG or gpg) 1. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0518 (Oracle listener before Oracle 9i allows attackers to cause a denial of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0517 (Oracle listener in Oracle 8i on Solaris allows remote attackers to cau ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0514 (SNMP service in Atmel 802.11b VNET-B Access Point 1.3 and earlier, as ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0513 (Oracle listener process on Windows NT redirects connection requests to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0508 (Vulnerability in IIS 5.0 allows remote attackers to cause a denial of ...) NOT-FOR-US: Microsoft CVE-2001-0507 (IIS 5.0 uses relative paths to find system files that will run in-proc ...) NOT-FOR-US: Microsoft CVE-2001-0506 (Buffer overflow in ssinc.dll in IIS 5.0 and 4.0 allows local users to ...) NOT-FOR-US: Microsoft CVE-2001-0504 (Vulnerability in authentication process for SMTP service in Microsoft ...) NOT-FOR-US: Microsoft CVE-2001-0503 (Microsoft NetMeeting 3.01 with Remote Desktop Sharing enabled allows r ...) NOT-FOR-US: Microsoft CVE-2001-0502 (Running Windows 2000 LDAP Server over SSL, a function does not properl ...) NOT-FOR-US: Microsoft CVE-2001-0501 (Microsoft Word 2002 and earlier allows attackers to automatically exec ...) NOT-FOR-US: Microsoft CVE-2001-0500 (Buffer overflow in ISAPI extension (idq.dll) in Index Server 2.0 and I ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0497 (dnskeygen in BIND 8.2.4 and earlier, and dnssec-keygen in BIND 9.1.2 a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0495 (Directory traversal in DataWizard WebXQ server 1.204 allows remote att ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0494 (Buffer overflow in IPSwitch IMail SMTP server 6.06 and possibly prior ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0493 (Small HTTP server 2.03 allows remote attackers to cause a denial of se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0489 (Format string vulnerability in gftp prior to 2.0.8 allows remote malic ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0488 (pcltotiff in HP-UX 10.x has unnecessary set group id permissions, whic ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0487 (AIX SNMP server snmpd allows remote attackers to cause a denial of ser ...) NOT-FOR-US: AIX CVE-2001-0486 (Remote attackers can cause a denial of service in Novell BorderManager ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0485 (Unknown vulnerability in netprint in IRIX 6.2, and possibly other vers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0482 (Configuration error in Argus PitBull LX allows root users to bypass sp ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0481 (Vulnerability in rpmdrake in Mandrake Linux 8.0 related to insecure te ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0475 (index.php in Jelsoft vBulletin does not properly initialize a PHP vari ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0474 (Utah-glx in Mesa before 3.3-14 on Mandrake Linux 7.2 allows local user ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0473 (Format string vulnerability in Mutt before 1.2.5 allows a remote malic ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0469 (rwho daemon rwhod in FreeBSD 4.2 and earlier, and possibly other opera ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0467 (Directory traversal vulnerability in RobTex Viking Web server before 1 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0465 (TurboTax saves passwords in a temporary file when a user imports inves ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0463 (Directory traversal vulnerability in cal_make.pl in PerlCal allows rem ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0462 (Directory traversal vulnerability in Perl web server 0.3 and earlier a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0461 (template.cgi in Free On-Line Dictionary of Computing (FOLDOC) allows r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0457 (man2html before 1.5-22 allows remote attackers to cause a denial of se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0456 (postinst installation script for Proftpd in Debian 2.2 does not proper ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0455 (Cisco Aironet 340 Series wireless bridge before 8.55 does not properly ...) NOT-FOR-US: Cisco CVE-2001-0449 (Buffer overflow in WinZip 8.0 allows attackers to execute arbitrary co ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0444 (Cisco CBOS 2.3.0.053 sends output of the "sh nat" (aka "show nat") com ...) NOT-FOR-US: Cisco CVE-2001-0442 (Buffer overflow in Mercury MTA POP3 server for NetWare 1.48 and earlie ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0440 (Buffer overflow in logging functions of licq before 1.0.3 allows remot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0439 (licq before 1.0.3 allows remote attackers to execute arbitrary command ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0434 (The LogDataListToFile ActiveX function used in (1) Knowledge Center an ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0430 (Vulnerability in exuberant-ctags before 3.2.4-0.1 insecurely creates t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0429 (Cisco Catalyst 5000 series switches 6.1(2) and earlier will forward an ...) NOT-FOR-US: Cisco CVE-2001-0428 (Cisco VPN 3000 series concentrators before 2.5.2(F) allow remote attac ...) NOT-FOR-US: Cisco CVE-2001-0427 (Cisco VPN 3000 series concentrators before 2.5.2(F) allow remote attac ...) NOT-FOR-US: Cisco CVE-2001-0423 (Buffer overflow in ipcs in Solaris 7 x86 allows local users to execute ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0422 (Buffer overflow in Xsun in Solaris 8 and earlier allows local users to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0416 (sgml-tools (aka sgmltools) before 1.0.9-15 creates temporary files wit ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0414 (Buffer overflow in ntpd ntp daemon 4.0.99k and earlier (aka xntpd and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0413 (BinTec X4000 Access router, and possibly other versions, allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0412 (Cisco Content Services (CSS) switch products 11800 and earlier, aka Ar ...) NOT-FOR-US: Cisco CVE-2001-0409 (vim (aka gvim) allows local users to modify files being edited by othe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0408 (vim (aka gvim) processes VIM control codes that are embedded in a file ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0407 (Directory traversal vulnerability in MySQL before 3.23.36 allows local ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0405 (ip_conntrack_ftp in the IPTables firewall for Linux 2.4 allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0402 (IPFilter 3.4.16 and earlier does not include sufficient session inform ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0394 (Remote manager service in Website Pro 3.0.37 allows remote attackers t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0388 (time server daemon timed allows remote attackers to cause a denial of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0387 (Format string vulnerability in hfaxd in HylaFAX before 4.1.b2_2 allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0386 (AnalogX SimpleServer:WWW 1.08 allows remote attackers to cause a denia ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0383 (banners.php in PHP-Nuke 4.4 and earlier allows remote attackers to mod ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0379 (Vulnerability in the newgrp program included with HP9000 servers runni ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0378 (readline prior to 4.1, in OpenBSD 2.8 and earlier, creates history fil ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0377 (Infradig Inframail prior to 3.98a allows a remote attacker to create a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0375 (Cisco PIX Firewall 515 and 520 with 5.1.4 OS running aaa authenticatio ...) NOT-FOR-US: Cisco CVE-2001-0373 (The default configuration of the Dr. Watson program in Windows NT and ...) NOT-FOR-US: Microsoft CVE-2001-0371 (Race condition in the UFS and EXT2FS file systems in FreeBSD 4.2 and e ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0368 (Directory traversal vulnerability in BearShare 2.2.2 and earlier allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0366 (saposcol in SAP R/3 Web Application Server Demo before 1.5 trusts the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0365 (Eudora before 5.1 allows a remote attacker to execute arbitrary code, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0364 (SSH Communications Security sshd 2.4 for Windows allows remote attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0361 (Implementations of SSH version 1.5, including (1) OpenSSH up to versio ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0353 (Buffer overflow in the line printer daemon (in.lpd) for Solaris 8 and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0351 (Microsoft Windows 2000 telnet service allows a local user to make a ce ...) NOT-FOR-US: Microsoft CVE-2001-0348 (Microsoft Windows 2000 telnet service allows attackers to cause a deni ...) NOT-FOR-US: Microsoft CVE-2001-0347 (Information disclosure vulnerability in Microsoft Windows 2000 telnet ...) NOT-FOR-US: Microsoft CVE-2001-0346 (Handle leak in Microsoft Windows 2000 telnet service allows attackers ...) NOT-FOR-US: Microsoft CVE-2001-0345 (Microsoft Windows 2000 telnet service allows attackers to prevent idle ...) NOT-FOR-US: Microsoft CVE-2001-0344 (An SQL query method in Microsoft SQL Server 2000 Gold and 7.0 using Mi ...) NOT-FOR-US: Microsoft CVE-2001-0341 (Buffer overflow in Microsoft Visual Studio RAD Support sub-component o ...) NOT-FOR-US: Microsoft CVE-2001-0340 (An interaction between the Outlook Web Access (OWA) service in Microso ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0339 (Internet Explorer 5.5 and earlier allows remote attackers to display a ...) NOT-FOR-US: Microsoft CVE-2001-0338 (Internet Explorer 5.5 and earlier does not properly validate digital c ...) NOT-FOR-US: Microsoft CVE-2001-0336 (The Microsoft MS00-060 patch for IIS 5.0 and earlier introduces an err ...) NOT-FOR-US: Microsoft CVE-2001-0335 (FTP service in IIS 5.0 and earlier allows remote attackers to enumerat ...) NOT-FOR-US: Microsoft CVE-2001-0334 (FTP service in IIS 5.0 and earlier allows remote attackers to cause a ...) NOT-FOR-US: Microsoft CVE-2001-0333 (Directory traversal vulnerability in IIS 5.0 and earlier allows remote ...) NOT-FOR-US: Microsoft CVE-2001-0331 (Buffer overflow in Embedded Support Partner (ESP) daemon (rpc.espd) in ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0330 (Bugzilla 2.10 allows remote attackers to access sensitive information, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0327 (iPlanet Web Server Enterprise Edition 4.1 and earlier allows remote at ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0326 (Oracle Java Virtual Machine (JVM ) for Oracle 8.1.7 and Oracle Applica ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0321 (opendir.php script in PHP-Nuke allows remote attackers to read arbitra ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0319 (orderdspc.d2w macro in IBM Net.Commerce 3.x allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0318 (Format string vulnerability in ProFTPD 1.2.0rc2 may allow attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0317 (Race condition in ptrace in Linux kernel 2.4 and 2.2 allows local user ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0316 (Linux kernel 2.4 and 2.2 allows local users to read kernel memory and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0311 (Vulnerability in OmniBackII A.03.50 in HP 11.x and earlier allows atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0310 (sort in FreeBSD 4.1.1 and earlier, and possibly other operating system ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0309 (inetd in Red Hat 6.2 does not properly close sockets for internal serv ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0301 (Buffer overflow in Analog before 4.16 allows remote attackers to execu ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0299 (Buffer overflow in Voyager web administration server for Nokia IP440 a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0295 (Directory traversal vulnerability in War FTP 1.67.04 allows remote att ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0290 (Vulnerability in Mailman 2.0.1 and earlier allows list administrators ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0289 (Joe text editor 2.8 searches the current working directory (CWD) for t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0288 (Cisco switches and routers running IOS 12.1 and earlier produce predic ...) NOT-FOR-US: Cisco CVE-2001-0287 (VERITAS Cluster Server (VCS) 1.3.0 on Solaris allows local users to ca ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0284 (Buffer overflow in IPSEC authentication mechanism for OpenBSD 2.8 and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0280 (Buffer overflow in MERCUR SMTP server 3.30 allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0279 (Buffer overflow in sudo earlier than 1.6.3p6 allows local users to gai ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0278 (Vulnerability in linkeditor in HP MPE/iX 6.5 and earlier allows local ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0276 (ext.dll in BadBlue 1.02.07 Personal Edition web server allows remote a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0274 (kicq IRC client 1.0.0, and possibly later versions, allows remote atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0269 (pam_ldap authentication module in Solaris 8 allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0268 (The i386_set_ldt system call in NetBSD 1.5 and earlier, and OpenBSD 2. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0267 (NM debug in HP MPE/iX 6.5 and earlier does not properly handle breakpo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0266 (Vulnerability in Software Distributor SD-UX in HP-UX 11.0 and earlier ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0265 (ASCII Armor parser in Windows PGP 7.0.3 and earlier allows attackers t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0260 (Buffer overflow in Lotus Domino Mail Server 5.0.5 and earlier allows a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0259 (ssh-keygen in ssh 1.2.27 - 1.2.30 with Secure-RPC can allow local atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0252 (iPlanet (formerly Netscape) Enterprise Server 4.1 allows remote attack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0245 (Microsoft Index Server 2.0 in Windows NT 4.0, and Indexing Service in ...) NOT-FOR-US: Microsoft CVE-2001-0244 (Buffer overflow in Microsoft Index Server 2.0 allows remote attackers ...) NOT-FOR-US: Microsoft CVE-2001-0243 (Windows Media Player 7 and earlier stores Internet shortcuts in a user ...) NOT-FOR-US: Microsoft CVE-2001-0241 (Buffer overflow in Internet Printing ISAPI extension in Windows 2000 a ...) NOT-FOR-US: Microsoft CVE-2001-0240 (Microsoft Word before Word 2002 allows attackers to automatically exec ...) NOT-FOR-US: Microsoft CVE-2001-0239 (Microsoft Internet Security and Acceleration (ISA) Server 2000 Web Pro ...) NOT-FOR-US: Microsoft CVE-2001-0238 (Microsoft Data Access Component Internet Publishing Provider 8.103.251 ...) NOT-FOR-US: Microsoft CVE-2001-0237 (Memory leak in Microsoft 2000 domain controller allows remote attacker ...) NOT-FOR-US: Microsoft CVE-2001-0236 (Buffer overflow in Solaris snmpXdmid SNMP to DMI mapper daemon allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0235 (Vulnerability in crontab allows local users to read crontab files of o ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0234 (NewsDaemon before 0.21b allows remote attackers to execute arbitrary S ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0233 (Buffer overflow in micq client 0.4.6 and earlier allows remote attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0230 (Buffer overflow in dc20ctrl before 0.4_1 in FreeBSD, and possibly othe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0222 (webmin 0.84 and earlier allows local users to overwrite and create arb ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0221 (Buffer overflow in ja-xklock 2.7.1 and earlier allows local users to g ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0219 (Vulnerability in Support Tools Manager (xstm,cstm,stm) in HP-UX 11.11 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0218 (Format string vulnerability in mars_nwe 0.99.pl19 allows remote attack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0215 (ROADS search.pl program allows remote attackers to read arbitrary file ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0207 (Buffer overflow in bing allows remote attackers to execute arbitrary c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0204 (Watchguard Firebox II allows remote attackers to cause a denial of ser ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0203 (Watchguard Firebox II firewall allows users with read-only access to g ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0197 (Format string vulnerability in print_client in icecast 1.3.8beta2 and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0196 (inetd ident server in FreeBSD 4.x and earlier does not properly set gr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0195 (sash before 3.4-4 in Debian GNU/Linux does not properly clone /etc/sha ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0194 (Buffer overflow in httpGets function in CUPS 1.1.5 allows remote attac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0193 (Format string vulnerability in man in some Linux distributions allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0191 (gnuserv before 3.12, as shipped with XEmacs, does not properly check t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0190 (Buffer overflow in /usr/bin/cu in Solaris 2.8 and earlier, and possibl ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0189 (Directory traversal vulnerability in LocalWEB2000 HTTP server allows r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0187 (Format string vulnerability in wu-ftp 2.6.1 and earlier, when running ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0185 (Netopia R9100 router version 4.6 allows authenticated users to cause a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0183 (ipfw and ip6fw in FreeBSD 4.2 and earlier allows remote attackers to b ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0182 (FireWall-1 4.1 with a limited-IP license allows remote attackers to ca ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0179 (Allaire JRun 3.0 allows remote attackers to list contents of the WEB-I ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0178 (kdesu program in KDE2 (KDE before 2.2.0-6) does not properly verify th ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0176 (The setuid doroot program in Voyant Sonata 3.x executes arbitrary comm ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0175 (The caching module in Netscape Fasttrack Server 4.1 allows remote atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0174 (Buffer overflow in Trend Micro Virus Buster 2001 8.00 allows remote at ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0170 (glibc 2.1.9x and earlier does not properly clear the RESOLV_HOST_CONF, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0169 (When using the LD_PRELOAD environmental variable in SUID or SGID appli ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0166 (Macromedia Shockwave Flash plugin version 8 and earlier allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0165 (Buffer overflow in ximp40 shared library in Solaris 7 and Solaris 8 al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0164 (Buffer overflow in Netscape Directory Server 4.12 and earlier allows r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0157 (Debugging utility in the backdoor mode of Palm OS 3.5.2 and earlier al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0156 (VShell SSH gateway 1.0.1 and earlier has a default port forwarding rul ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0155 (Format string vulnerability in VShell SSH gateway 1.0.1 and earlier al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0154 (HTML e-mail feature in Internet Explorer 5.5 and earlier allows attack ...) NOT-FOR-US: Microsoft CVE-2001-0153 (Buffer overflow in VB-TSQL debugger object (vbsdicli.exe) in Visual St ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0152 (The password protection option for the Compressed Folders feature in P ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0151 (IIS 5.0 allows remote attackers to cause a denial of service via a ser ...) NOT-FOR-US: Microsoft CVE-2001-0150 (Internet Explorer 5.5 and earlier executes Telnet sessions using comma ...) NOT-FOR-US: Microsoft CVE-2001-0149 (Windows Scripting Host in Internet Explorer 5.5 and earlier allows rem ...) NOT-FOR-US: Microsoft CVE-2001-0148 (The WMP ActiveX Control in Windows Media Player 7 allows remote attack ...) NOT-FOR-US: Microsoft CVE-2001-0147 (Buffer overflow in Windows 2000 event viewer snap-in allows attackers ...) NOT-FOR-US: Microsoft CVE-2001-0144 (CORE SDI SSH1 CRC-32 compensation attack detector allows remote attack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0143 (vpop3d program in linuxconf 1.23r and earlier allows local users to ov ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0142 (squid 2.3 and earlier allows local users to overwrite arbitrary files ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0141 (mgetty 1.1.22 allows local users to overwrite arbitrary files via a sy ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0140 (arpwatch 2.1a4 allows local users to overwrite arbitrary files via a s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0139 (inn 2.2.3 allows local users to overwrite arbitrary files via a symlin ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0138 (privatepw program in wu-ftpd before 2.6.1-6 allows local users to over ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0137 (Windows Media Player 7 allows remote attackers to execute malicious Ja ...) NOT-FOR-US: Microsoft CVE-2001-0136 (Memory leak in ProFTPd 1.2.0rc2 allows remote attackers to cause a den ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0130 (Buffer overflow in HTML parser of the Lotus R5 Domino Server before 5. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0129 (Buffer overflow in Tinyproxy HTTP proxy 1.3.3 and earlier allows remot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0128 (Zope before 2.2.4 does not properly compute local roles, which could a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0126 (Oracle XSQL servlet 1.0.3.0 and earlier allows remote attackers to exe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0125 (exmh 2.2 and earlier allows local users to overwrite arbitrary files v ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0124 (Buffer overflow in exrecover in Solaris 2.6 and earlier possibly allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0123 (Directory traversal vulnerability in eXtropia bbs_forum.cgi 1.0 allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0122 (Kernel leak in AfpaCache module of the Fast Response Cache Accelerator ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0121 (ImageCast Control Center 4.1.0 allows remote attackers to cause a deni ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0120 (useradd program in shadow-utils program may allow local users to overw ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0119 (getty_ps 2.0.7j allows local users to overwrite arbitrary files via a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0118 (rdist 6.1.5 allows local users to overwrite arbitrary files via a syml ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0117 (sdiff 2.7 in the diffutils package allows local users to overwrite fil ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0116 (gpm 1.19.3 allows local users to overwrite arbitrary files via a symli ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0115 (Buffer overflow in arp command in Solaris 7 and earlier allows local u ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0111 (Format string vulnerability in splitvt before 1.6.5 allows local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0110 (Buffer overflow in jaZip Zip/Jaz drive manager allows local users to g ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0109 (rctab in SuSE 7.0 and earlier allows local users to create or overwrit ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0108 (PHP Apache module 4.0.4 and earlier allows remote attackers to bypass ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0106 (Vulnerability in inetd server in HP-UX 11.04 and earlier allows attack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0105 (Vulnerability in top in HP-UX 11.04 and earlier allows local users to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0100 (bslist.cgi mailing list script allows remote attackers to execute arbi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0099 (bsguest.cgi guestbook script allows remote attackers to execute arbitr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0096 (FrontPage Server Extensions (FPSE) in IIS 4.0 and 5.0 allows remote at ...) NOT-FOR-US: Microsoft CVE-2001-0095 (catman in Solaris 2.7 and 2.8 allows local users to overwrite arbitrar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0094 (Buffer overflow in kdc_reply_cipher of libkrb (Kerberos 4 authenticati ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0092 (A function in Internet Explorer 5.0 through 5.5 does not properly veri ...) NOT-FOR-US: Microsoft CVE-2001-0091 (The ActiveX control for invoking a scriptlet in Internet Explorer 5.0 ...) NOT-FOR-US: Microsoft CVE-2001-0090 (The Print Templates feature in Internet Explorer 5.5 executes arbitrar ...) NOT-FOR-US: Microsoft CVE-2001-0089 (Internet Explorer 5.0 through 5.5 allows remote attackers to read arbi ...) NOT-FOR-US: Microsoft CVE-2001-0085 (Buffer overflow in Kermit communications software in HP-UX 11.0 and ea ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0083 (Windows Media Unicast Service in Windows Media Services 4.0 and 4.1 do ...) NOT-FOR-US: Microsoft CVE-2001-0081 (swinit in nCipher does not properly disable the Operator Card Set reco ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0080 (Cisco Catalyst 6000, 5000, or 4000 switches allow remote attackers to ...) NOT-FOR-US: Cisco CVE-2001-0078 (in.mond in Sun Cluster 2.x allows local users to read arbitrary files ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0077 (The clustmon service in Sun Cluster 2.x does not require authenticatio ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0072 (gpg (aka GnuPG) 1.0.4 and other versions imports both public and priva ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0071 (gpg (aka GnuPG) 1.0.4 and other versions does not properly verify deta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0069 (dialog before 0.9a-20000118-3bis in Debian GNU/Linux allows local user ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0066 (Secure Locate (slocate) allows local users to corrupt memory via a mal ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0063 (procfs in FreeBSD and possibly other operating systems allows local us ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0062 (procfs in FreeBSD and possibly other operating systems allows local us ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0061 (procfs in FreeBSD and possibly other operating systems does not proper ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0060 (Format string vulnerability in stunnel 3.8 and earlier allows attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0059 (patchadd in Solaris allows local users to overwrite arbitrary files vi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0058 (The Web interface to Cisco 600 routers running CBOS 2.4.1 and earlier ...) NOT-FOR-US: Cisco CVE-2001-0057 (Cisco 600 routers running CBOS 2.4.1 and earlier allow remote attacker ...) NOT-FOR-US: Cisco CVE-2001-0056 (The Cisco Web Management interface in routers running CBOS 2.4.1 and e ...) NOT-FOR-US: Cisco CVE-2001-0055 (CBOS 2.4.1 and earlier in Cisco 600 routers allows remote attackers to ...) NOT-FOR-US: Cisco CVE-2001-0054 (Directory traversal vulnerability in FTP Serv-U before 2.5i allows rem ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0053 (One-byte buffer overflow in replydirname function in BSD-based ftpd al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0050 (Buffer overflow in BitchX IRC client allows remote attackers to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0043 (phpGroupWare before 0.9.7 allows remote attackers to execute arbitrary ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0042 (PHP 3.x (PHP3) on Apache 1.3.6 allows remote attackers to read arbitra ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0041 (Memory leak in Cisco Catalyst 4000, 5000, and 6000 series switches all ...) NOT-FOR-US: Cisco CVE-2001-0040 (APC UPS daemon, apcupsd, saves its process ID in a world-writable file ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0039 (IPSwitch IMail 6.0.5 allows remote attackers to cause a denial of serv ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0036 (KTH Kerberos IV allows local users to overwrite arbitrary files via a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0035 (Buffer overflow in the kdc_reply_cipher function in KTH Kerberos IV al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0034 (KTH Kerberos IV allows local users to specify an alternate proxy using ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0033 (KTH Kerberos IV allows local users to change the configuration of a Ke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0028 (Buffer overflow in the HTML parsing code in oops WWW proxy server 1.5. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0026 (rp-pppoe PPPoE client allows remote attackers to cause a denial of ser ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0021 (MailMan Webmail 3.0.25 and earlier allows remote attackers to execute ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0020 (Directory traversal vulnerability in Arrowpoint (aka Cisco Content Ser ...) NOT-FOR-US: Cisco CVE-2001-0018 (Windows 2000 domain controller in Windows 2000 Server, Advanced Server ...) NOT-FOR-US: Microsoft CVE-2001-0017 (Memory leak in PPTP server in Windows NT 4.0 allows remote attackers t ...) NOT-FOR-US: Microsoft CVE-2001-0016 (NTLM Security Support Provider (NTLMSSP) service does not properly che ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0015 (Network Dynamic Data Exchange (DDE) in Windows 2000 allows local users ...) NOT-FOR-US: Microsoft CVE-2001-0014 (Remote Data Protocol (RDP) in Windows 2000 Terminal Service does not p ...) NOT-FOR-US: Microsoft CVE-2001-0013 (Format string vulnerability in nslookupComplain function in BIND 4 all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0012 (BIND 4 and BIND 8 allow remote attackers to access sensitive informati ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0011 (Buffer overflow in nslookupComplain function in BIND 4 allows remote a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0010 (Buffer overflow in transaction signature (TSIG) handling code in BIND ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0009 (Directory traversal vulnerability in Lotus Domino 5.0.5 web server all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0008 (Backdoor account in Interbase database server allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0007 (Buffer overflow in NetScreen Firewall WebUI allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0006 (The Winsock2ProtocolCatalogMutex mutex in Windows NT 4.0 has inappropr ...) NOT-FOR-US: Microsoft CVE-2001-0005 (Buffer overflow in the parsing mechanism of the file loader in Microso ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0004 (IIS 5.0 and 4.0 allows remote attackers to read the source code for ex ...) NOT-FOR-US: Microsoft CVE-2001-0003 (Web Extender Client (WEC) in Microsoft Office 2000, Windows 2000, and ...) NOT-FOR-US: Microsoft CVE-2001-0002 (Internet Explorer 5.5 and earlier allows remote attackers to obtain th ...) NOT-FOR-US: Microsoft CVE-2001-0001 (cookiedecode function in PHP-Nuke 4.4 allows users to bypass authentic ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1212 (Zope 2.2.0 through 2.2.4 does not properly protect a data updating met ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1211 (Zope 2.2.0 through 2.2.4 does not properly perform security registrati ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1210 (Directory traversal vulnerability in source.jsp of Apache Tomcat befor ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1203 (Lotus Domino SMTP server 4.63 through 5.08 allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1200 (Windows NT allows remote attackers to list all users in a domain by ob ...) NOT-FOR-US: Microsoft CVE-2000-1196 (PSCOErrPage.htm in Netscape PublishingXpert 2.5 before SP2 allows remo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1195 (telnet daemon (telnetd) from the Linux netkit package before netkit-te ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1193 (Performance Metrics Collector Daemon (PMCD) in Performance Copilot in ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1190 (imwheel-solo in imwheel package allows local users to modify arbitrary ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1189 (Buffer overflow in pam_localuser PAM module in Red Hat Linux 7.x and 6 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1187 (Buffer overflow in the HTML parser for Netscape 4.75 and earlier allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1184 (telnetd in FreeBSD 4.2 and earlier, and possibly other operating syste ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1182 (WatchGuard Firebox II allows remote attackers to cause a denial of ser ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1181 (Real Networks RealServer 7 and earlier allows remote attackers to obta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1180 (Buffer overflow in cmctl program in Oracle 8.1.5 Connection Manager Co ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1179 (Netopia ISDN Router 650-ST before 4.3.5 allows remote attackers to rea ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1178 (Joe text editor follows symbolic links when creating a rescue copy cal ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1174 (Multiple buffer overflows in AFS ACL parser for Ethereal 0.8.13 and ea ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1171 (Directory traversal vulnerability in cgiforum.pl script in CGIForum 1. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1170 (Buffer overflow in Netsnap webcam HTTP server before 1.2.9 allows remo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1169 (OpenSSH SSH client before 2.3.0 does not properly disable X11 or agent ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1167 (ppp utility in FreeBSD 4.1.1 and earlier does not properly restrict ac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1166 (Twig webmail system does not properly set the "vhosts" variable if it ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1165 (Balabit syslog-ng allows remote attackers to cause a denial of service ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1164 (WinVNC installs the WinVNC3 registry key with permissions that give Sp ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1163 (ghostscript before 5.10-16 uses an empty LD_RUN_PATH environmental var ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1162 (ghostscript before 5.10-16 allows local users to overwrite files of ot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1149 (Buffer overflow in RegAPI.DLL used by Windows NT 4.0 Terminal Server a ...) NOT-FOR-US: Microsoft CVE-2000-1148 (The installation of VolanoChatPro chat server sets world-readable perm ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1146 (Recourse ManTrap 1.6 allows attackers to cause a denial of service via ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1145 (Recourse ManTrap 1.6 allows attackers who have gained root access to u ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1144 (Recourse ManTrap 1.6 sets up a chroot environment to hide the fact tha ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1143 (Recourse ManTrap 1.6 hides the first 4 processes that run on a Solaris ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1142 (Recourse ManTrap 1.6 generates an error when an attacker cd's to /proc ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1141 (Recourse ManTrap 1.6 modifies the kernel so that ".." does not appear ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1140 (Recourse ManTrap 1.6 does not properly hide processes from attackers, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1139 (The installation of Microsoft Exchange 2000 before Rev. A creates a us ...) NOT-FOR-US: Microsoft CVE-2000-1137 (GNU ed before 0.2-18.1 allows local users to overwrite the files of ot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1136 (elvis-tiny before 1.4-10 in Debian GNU/Linux, and possibly other Linux ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1135 (fshd (fsh daemon) in Debian GNU/Linux allows local users to overwrite ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1132 (DCForum cgforum.cgi CGI script allows remote attackers to read arbitra ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1131 (Bill Kendrick web site guestbook (GBook) allows remote attackers to ex ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1124 (Buffer overflow in piobe command in IBM AIX 4.3.x allows local users t ...) NOT-FOR-US: AIX CVE-2000-1123 (Buffer overflow in pioout command in IBM AIX 4.3.x and earlier may all ...) NOT-FOR-US: AIX CVE-2000-1122 (Buffer overflow in setclock command in IBM AIX 4.3.x and earlier may a ...) NOT-FOR-US: AIX CVE-2000-1121 (Buffer overflow in enq command in IBM AIX 4.3.x and earlier may allow ...) NOT-FOR-US: AIX CVE-2000-1120 (Buffer overflow in digest command in IBM AIX 4.3.x and earlier allows ...) NOT-FOR-US: AIX CVE-2000-1119 (Buffer overflow in setsenv command in IBM AIX 4.3.x and earlier allows ...) NOT-FOR-US: AIX CVE-2000-1115 (Buffer overflow in remote web administration component (webprox.dll) o ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1113 (Buffer overflow in Microsoft Windows Media Player allows remote attack ...) NOT-FOR-US: Microsoft CVE-2000-1112 (Microsoft Windows Media Player 7 executes scripts in custom skin (.WMS ...) NOT-FOR-US: Microsoft CVE-2000-1111 (Telnet Service for Windows 2000 Professional does not properly termina ...) NOT-FOR-US: Microsoft CVE-2000-1109 (Midnight Commander (mc) 4.5.51 and earlier does not properly process m ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1108 (cons.saver in Midnight Commander (mc) 4.5.42 and earlier does not prop ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1107 (in.identd ident server in SuSE Linux 6.x and 7.0 allows remote attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1106 (Trend Micro InterScan VirusWall creates an "Intscan" share to the "Int ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1101 (Directory traversal vulnerability in Winsock FTPd (WFTPD) 3.00 and 2.4 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1099 (Java Runtime Environment in Java Development Kit (JDK) 1.2.2_05 and ea ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1097 (The web server for the SonicWALL SOHO firewall allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1096 (crontab by Paul Vixie uses predictable file names for a temporary file ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1095 (modprobe in the modutils 2.3.x package on Linux systems allows a local ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1094 (Buffer overflow in AOL Instant Messenger (AIM) before 4.3.2229 allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1089 (Buffer overflow in Microsoft Phone Book Service allows local users to ...) NOT-FOR-US: Microsoft CVE-2000-1080 (Quake 1 (quake1) and ProQuake 1.01 and earlier allow remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1077 (Buffer overflow in the SHTML logging functionality of iPlanet Web Serv ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1075 (Directory traversal vulnerability in iPlanet Certificate Management Sy ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1074 (csstart program in iCal 2.1 Patch 2 uses relative pathnames to install ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1073 (csstart program in iCal 2.1 Patch 2 searches for the cshttpd program i ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1072 (iCal 2.1 Patch 2 installs many files with world-writeable permissions, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1071 (The GUI installation for iCal 2.1 Patch 2 disables access control for ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1070 (pollit.cgi in Poll It 2.01 and earlier uses data files that are locate ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1069 (pollit.cgi in Poll It 2.01 and earlier allows remote attackers to acce ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1068 (pollit.cgi in Poll It 2.0 allows remote attackers to execute arbitrary ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1061 (Microsoft Virtual Machine (VM) in Internet Explorer 4.x and 5.x allows ...) NOT-FOR-US: Microsoft CVE-2000-1060 (The default configuration of XFCE 3.5.1 bypasses the Xauthority access ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1059 (The default configuration of the Xsession file in Mandrake Linux 7.1 a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1058 (Buffer overflow in OverView5 CGI program in HP OpenView Network Node M ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1057 (Vulnerabilities in database configuration scripts in HP OpenView Netwo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1056 (CiscoSecure ACS Server 2.4(2) and earlier allows remote attackers to b ...) NOT-FOR-US: Cisco CVE-2000-1055 (Buffer overflow in CiscoSecure ACS Server 2.4(2) and earlier allows re ...) NOT-FOR-US: Cisco CVE-2000-1054 (Buffer overflow in CSAdmin module in CiscoSecure ACS Server 2.4(2) and ...) NOT-FOR-US: Cisco CVE-2000-1051 (Directory traversal vulnerability in Allaire JRun 2.3 server allows re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1050 (Allaire JRun 3.0 http servlet server allows remote attackers to direct ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1049 (Allaire JRun 3.0 http servlet server allows remote attackers to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1047 (Buffer overflow in SMTP service of Lotus Domino 5.0.4 and earlier allo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1045 (nss_ldap earlier than 121, when run with nscd (name service caching da ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1044 (Format string vulnerability in ypbind-mt in SuSE SuSE-6.2, and possibl ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1043 (Format string vulnerability in ypserv in Mandrake Linux 7.1 and earlie ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1042 (Buffer overflow in ypserv in Mandrake Linux 7.1 and earlier, and possi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1041 (Buffer overflow in ypbind 3.3 possibly allows an attacker to gain root ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1040 (Format string vulnerability in logging function of ypbind 3.3, while r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1038 (The web administration interface for IBM AS/400 Firewall allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1036 (Directory traversal vulnerability in Extent RBS ISP web server allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1034 (Buffer overflow in the System Monitor ActiveX control in Windows 2000 ...) NOT-FOR-US: Microsoft CVE-2000-1032 (The client authentication interface for Check Point Firewall-1 4.0 and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1031 (Buffer overflow in dtterm in HP-UX 11.0 and HP Tru64 UNIX 4.0f through ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1027 (Cisco Secure PIX Firewall 5.2(2) allows remote attackers to determine ...) NOT-FOR-US: Cisco CVE-2000-1026 (Multiple buffer overflows in LBNL tcpdump allow remote attackers to ex ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1024 (eWave ServletExec 3.0C and earlier does not restrict access to the Upl ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1022 (The mailguard feature in Cisco Secure PIX Firewall 5.2(2) and earlier ...) NOT-FOR-US: Cisco CVE-2000-1019 (Search engine in Ultraseek 3.1 and 3.1.10 (aka Inktomi Search) allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1018 (shred 1.0 file wiping utility does not properly open a file for overwr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1016 (The default configuration of Apache (httpd.conf) on SuSE 6.4 includes ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1014 (Format string vulnerability in the search97.cgi CGI script in SCO help ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1011 (Buffer overflow in catopen() function in FreeBSD 5.0 and earlier, and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1010 (Format string vulnerability in talkd in OpenBSD and possibly other BSD ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1007 (I-gear 3.5.7 and earlier does not properly process log entries in whic ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1006 (Microsoft Exchange Server 5.5 does not properly handle a MIME header w ...) NOT-FOR-US: Microsoft CVE-2000-1005 (Directory traversal vulnerability in html_web_store.cgi and web_store. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1004 (Format string vulnerability in OpenBSD photurisd allows local users to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1003 (NETBIOS client in Windows 95 and Windows 98 allows a remote attacker t ...) NOT-FOR-US: Microsoft CVE-2000-1002 (POP3 daemon in Stalker CommuniGate Pro 3.3.2 generates different error ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1001 (add_2_basket.asp in Element InstantShop allows remote attackers to mod ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1000 (Format string vulnerability in AOL Instant Messenger (AIM) 4.1.2010 al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0996 (Format string vulnerability in OpenBSD su program (and possibly other ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0995 (Format string vulnerability in OpenBSD yp_passwd program (and possibly ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0994 (Format string vulnerability in OpenBSD fstat program (and possibly oth ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0993 (Format string vulnerability in pw_error function in BSD libutil librar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0992 (Directory traversal vulnerability in scp in sshd 1.2.xx allows a remot ...) {CVE-2004-0175} - openssh 1:3.9p1-1 (low; bug #270770) [sarge] - openssh (Minor issue) NOTE: Rediscoved as CVE-2004-0175, see there. CVE-2000-0991 (Buffer overflow in Hilgraeve, Inc. HyperTerminal client on Windows 98, ...) NOT-FOR-US: Microsoft CVE-2000-0990 (cmd5checkpw 0.21 and earlier allows remote attackers to cause a denial ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0989 (Buffer overflow in Intel InBusiness eMail Station 1.04.87 POP service ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0984 (The HTTP server in Cisco IOS 12.0 through 12.1 allows local users to c ...) NOT-FOR-US: Cisco CVE-2000-0983 (Microsoft NetMeeting with Remote Desktop Sharing enabled allows remote ...) NOT-FOR-US: Microsoft CVE-2000-0982 (Internet Explorer before 5.5 forwards cached user credentials for a se ...) NOT-FOR-US: Microsoft CVE-2000-0981 (MySQL Database Engine uses a weak authentication method which leaks in ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0980 (NMPI (Name Management Protocol on IPX) listener in Microsoft NWLink do ...) NOT-FOR-US: Microsoft CVE-2000-0979 (File and Print Sharing service in Windows 95, Windows 98, and Windows ...) NOT-FOR-US: Microsoft CVE-2000-0978 (bbd server in Big Brother System and Network Monitor before 1.5c2 allo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0977 (mailfile.cgi CGI program in MailFile 1.10 allows remote attackers to r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0976 (Buffer overflow in xlib in XFree 3.3.x possibly allows local users to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0975 (Directory traversal vulnerability in apexec.pl in Anaconda Foundation ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0974 (GnuPG (gpg) 1.0.3 does not properly check all signatures of a file con ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0973 (Buffer overflow in curl earlier than 6.0-1.1, and curl-ssl earlier tha ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0972 (HP-UX 11.00 crontab allows local users to read arbitrary files via the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0970 (IIS 4.0 and 5.0 .ASP pages send the same Session ID cookie for secure ...) NOT-FOR-US: Microsoft CVE-2000-0969 (Format string vulnerability in Half Life dedicated server build 3104 a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0968 (Buffer overflow in Half Life dedicated server before build 3104 allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0967 (PHP 3 and 4 do not properly cleanse user-injected format strings, whic ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0966 (Buffer overflows in lpspooler in the fileset PrinterMgmt.LP-SPOOL of H ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0965 (The NSAPI plugins for TGA and the Java Servlet proxy in HP-UX VVOS 10. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0964 (Buffer overflow in the web administration service for the HiNet LP5100 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0962 (The IPSEC implementation in OpenBSD 2.7 does not properly handle empty ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0961 (Buffer overflow in IMAP server in Netscape Messaging Server 4.15 Patch ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0960 (The POP3 server in Netscape Messaging Server 4.15p1 generates differen ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0959 (glibc2 does not properly clear the LD_DEBUG_OUTPUT and LD_DEBUG enviro ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0958 (HotJava Browser 3.0 allows remote attackers to access the DOM of a web ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0957 (The pluggable authentication module for mysql (pam_mysql) before 0.4.7 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0956 (cyrus-sasl before 1.5.24 in Red Hat Linux 7.0 does not properly verify ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0953 (Shambala Server 4.5 allows remote attackers to cause a denial of servi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0952 (global.cgi CGI program in Global 3.55 and earlier on NetBSD allows rem ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0951 (A misconfiguration in IIS 5.0 with Index Server enabled and the Index ...) NOT-FOR-US: Microsoft CVE-2000-0949 (Heap overflow in savestr function in LBNL traceroute 1.4a5 and earlier ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0948 (GnoRPM before 0.95 allows local users to modify arbitrary files via a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0947 (Format string vulnerability in cfd daemon in GNU CFEngine before 1.6.0 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0946 (Compaq Easy Access Keyboard software 1.3 does not properly disable acc ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0945 (The web configuration interface for Catalyst 3500 XL switches allows r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0944 (CGI Script Center News Update 1.1 does not properly validate the origi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0943 (Buffer overflow in bftp daemon (bftpd) 1.0.11 allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0942 (The CiWebHitsFile component in Microsoft Indexing Services for Windows ...) NOT-FOR-US: Microsoft CVE-2000-0941 (Kootenay Web KW Whois 1.0 CGI program allows remote attackers to execu ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0938 (Samba Web Administration Tool (SWAT) in Samba 2.0.7 supplies a differe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0937 (Samba Web Administration Tool (SWAT) in Samba 2.0.7 does not log login ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0936 (Samba Web Administration Tool (SWAT) in Samba 2.0.7 installs the cgi.l ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0935 (Samba Web Administration Tool (SWAT) in Samba 2.0.7 allows local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0934 (Glint in Red Hat Linux 5.2 allows local users to overwrite arbitrary f ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0933 (The Input Method Editor (IME) in the Simplified Chinese version of Win ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0932 (MAILsweeper for SMTP 3.x does not properly handle corrupt CDA document ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0930 (Pegasus Mail 3.12 allows remote attackers to read arbitrary files via ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0929 (Microsoft Windows Media Player 7 allows attackers to cause a denial of ...) NOT-FOR-US: Microsoft CVE-2000-0928 (WQuinn QuotaAdvisor 4.1 allows users to list directories and files by ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0927 (WQuinn QuotaAdvisor 4.1 does not properly record file sizes if they ar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0926 (SmartWin CyberOffice Shopping Cart 2 (aka CyberShop) allows remote att ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0925 (The default installation of SmartWin CyberOffice Shopping Cart 2 (aka ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0924 (Directory traversal vulnerability in search.cgi CGI script in Armada M ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0923 (authenticate.cgi CGI program in Aplio PRO allows remote attackers to e ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0922 (Directory traversal vulnerability in Bytes Interactive Web Shopper sho ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0921 (Directory traversal vulnerability in Hassan Consulting shop.cgi shoppi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0920 (Directory traversal vulnerability in BOA web server 0.94.8.2 and earli ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0919 (Directory traversal vulnerability in PHPix Photo Album 1.0.2 and earli ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0917 (Format string vulnerability in use_syslog() function in LPRng 3.6.24 a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0915 (fingerd in FreeBSD 4.1.1 allows remote attackers to read arbitrary fil ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0914 (OpenBSD 2.6 and earlier allows remote attackers to cause a denial of s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0913 (mod_rewrite in Apache 1.3.12 and earlier allows remote attackers to re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0912 (MultiHTML CGI script allows remote attackers to read arbitrary files a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0911 (IMP 2.2 and earlier allows attackers to read and delete arbitrary file ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0910 (Horde library 1.02 allows attackers to execute arbitrary commands via ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0909 (Buffer overflow in the automatic mail checking component of Pine 4.21 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0908 (BrowseGate 2.80 allows remote attackers to cause a denial of service a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0901 (Format string vulnerability in screen 3.9.5 and earlier allows local u ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0900 (Directory traversal vulnerability in ssi CGI program in thttpd 2.19 an ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0897 (Small HTTP Server 2.03 and earlier allows remote attackers to cause a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0896 (WatchGuard SOHO firewall allows remote attackers to cause a denial of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0895 (Buffer overflow in HTTP server on the WatchGuard SOHO firewall allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0894 (HTTP server on the WatchGuard SOHO firewall does not properly restrict ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0892 (Some telnet clients allow remote telnet servers to request environment ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0891 (A default ECL in Lotus Notes before 5.02 allows remote attackers to ex ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0890 (periodic in FreeBSD 4.1.1 and earlier, and possibly other operating sy ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0888 (named in BIND 8.2 through 8.2.2-P6 allows remote attackers to cause a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0887 (named in BIND 8.2 through 8.2.2-P6 allows remote attackers to cause a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0886 (IIS 5.0 allows remote attackers to execute arbitrary commands via a ma ...) NOT-FOR-US: Microsoft CVE-2000-0884 (IIS 4.0 and 5.0 allows remote attackers to read documents outside of t ...) NOT-FOR-US: Microsoft CVE-2000-0883 (The default configuration of mod_perl for Apache as installed on Mandr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0878 (The mailto CGI script allows remote attacker to execute arbitrary comm ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0877 (mailform.pl CGI script in MailForm 2.0 allows remote attackers to read ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0876 (WFTPD and WFTPD Pro 2.41 RC12 allows remote attackers to obtain the f ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0875 (WFTPD and WFTPD Pro 2.41 RC12 allows remote attackers to cause a denia ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0874 (Eudora mail client includes the absolute path of the sender's host wit ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0873 (netstat in AIX 4.x.x does not properly restrict access to the -Zi opti ...) NOT-FOR-US: AIX CVE-2000-0871 (Buffer overflow in EFTP allows remote attackers to cause a denial of s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0870 (Buffer overflow in EFTP allows remote attackers to cause a denial of s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0869 (The default configuration of Apache 1.3.12 in SuSE Linux 6.4 enables W ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0868 (The default configuration of Apache 1.3.12 in SuSE Linux 6.4 allows re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0867 (Kernel logging daemon (klogd) in Linux does not properly cleanse user- ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0865 (Buffer overflow in dvtermtype in Tridia Double Vision 3.07.00 allows l ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0864 (Race condition in the creation of a Unix domain socket in GNOME esound ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0863 (Buffer overflow in listmanager earlier than 2.105.1 allows local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0862 (Vulnerability in an administrative interface utility for Allaire Spect ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0861 (Mailman 1.1 allows list administrators to execute arbitrary commands v ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0860 (The file upload capability in PHP versions 3 and 4 allows remote attac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0859 (The web configuration server for NTMail V5 and V6 allows remote attack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0858 (Vulnerability in Microsoft Windows NT 4.0 allows remote attackers to c ...) NOT-FOR-US: Microsoft CVE-2000-0856 (Buffer overflow in SunFTP build 9(1) allows remote attackers to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0854 (When a Microsoft Office 2000 document is launched, the directory of th ...) NOT-FOR-US: Microsoft CVE-2000-0853 (YaBB Bulletin Board 9.1.2000 allows remote attackers to read arbitrary ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0852 (Multiple buffer overflows in eject on FreeBSD and possibly other OSes ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0851 (Buffer overflow in the Still Image Service in Windows 2000 allows loca ...) NOT-FOR-US: Microsoft CVE-2000-0850 (Netegrity SiteMinder before 4.11 allows remote attackers to bypass its ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0849 (Race condition in Microsoft Windows Media server allows remote attacke ...) NOT-FOR-US: Microsoft CVE-2000-0848 (Buffer overflow in IBM WebSphere web application server (WAS) allows r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0847 (Buffer overflow in University of Washington c-client library (used by ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0846 (Buffer overflow in Darxite 0.4 and earlier allows a remote attacker to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0844 (Some functions that implement the locale subsystem on Unix do not pro ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0839 (WinCOM LPD 1.00.90 allows remote attackers to cause a denial of servic ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0838 (Fastream FUR HTTP server 1.0b allows remote attackers to cause a denia ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0837 (FTP Serv-U 2.5e allows remote attackers to cause a denial of service b ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0834 (The Windows 2000 telnet client attempts to perform NTLM authentication ...) NOT-FOR-US: Microsoft CVE-2000-0830 (annclist.exe in webTV for Windows allows remote attackers to cause a d ...) NOT-FOR-US: Microsoft CVE-2000-0829 (The tmpwatch utility in Red Hat Linux forks a new process for each dir ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0825 (Ipswitch Imail 6.0 allows remote attackers to cause a denial of servic ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0824 (The unsetenv function in glibc 2.1.1 does not properly unset an enviro ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0818 (The default installation for the Oracle listener program 7.3.4, 8.0.6, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0816 (Linux tmpwatch --fuser option allows local users to execute arbitrary ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0813 (Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0811 (Auction Weaver 1.0 through 1.04 allows remote attackers to read arbitr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0810 (Auction Weaver 1.0 through 1.04 does not properly validate the names o ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0809 (Buffer overflow in Getkey in the protocol checker in the inter-module ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0808 (The seed generation mechanism in the inter-module S/Key authentication ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0807 (The OPSEC communications authentication mechanism (fwn1) in Check Poin ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0806 (The inter-module authentication mechanism (fwa1) in Check Point VPN-1/ ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0805 (Check Point VPN-1/FireWall-1 4.1 and earlier improperly retransmits en ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0804 (Check Point VPN-1/FireWall-1 4.1 and earlier allows remote attackers t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0803 (GNU Groff uses the current working directory to find a device descript ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0799 (inpview in InPerson in SGI IRIX 5.3 through IRIX 6.5.10 allows local u ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0797 (Buffer overflow in gr_osview in IRIX 6.2 and 6.3 allows local users to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0796 (Buffer overflow in dmplay in IRIX 6.2 and 6.3 allows local users to ga ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0795 (Buffer overflow in lpstat in IRIX 6.2 and 6.3 allows local users to ga ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0792 (Gnome Lokkit firewall package before 0.41 does not properly restrict a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0790 (The web-based folder display capability in Microsoft Internet Explorer ...) NOT-FOR-US: Microsoft CVE-2000-0788 (The Mail Merge tool in Microsoft Word does not prompt the user before ...) NOT-FOR-US: Microsoft CVE-2000-0787 (IRC Xchat client versions 1.4.2 and earlier allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0786 (GNU userv 1.0.0 and earlier does not properly perform file descriptor ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0783 (Watchguard Firebox II allows remote attackers to cause a denial of ser ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0782 (netauth.cgi program in Netwin Netauth 4.2e and earlier allows remote a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0781 (uagentsetup in ARCServeIT Client Agent 6.62 does not properly check fo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0780 (The web server in IPSWITCH IMail 6.04 and earlier allows remote attack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0779 (Checkpoint Firewall-1 with the RSH/REXEC setting enabled allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0778 (IIS 5.0 allows remote attackers to obtain source code for .ASP files a ...) NOT-FOR-US: Microsoft CVE-2000-0777 (The password protection feature of Microsoft Money can store the passw ...) NOT-FOR-US: Microsoft CVE-2000-0776 (Mediahouse Statistics Server 5.02x allows remote attackers to execute ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0773 (Bajie HTTP web server 0.30a allows remote attackers to read arbitrary ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0771 (Microsoft Windows 2000 allows local users to cause a denial of service ...) NOT-FOR-US: Microsoft CVE-2000-0770 (IIS 4.0 and 5.0 does not properly restrict access to certain types of ...) NOT-FOR-US: Microsoft CVE-2000-0768 (A function in Internet Explorer 4.x and 5.x does not properly verify t ...) NOT-FOR-US: Microsoft CVE-2000-0767 (The ActiveX control for invoking a scriptlet in Internet Explorer 4.x ...) NOT-FOR-US: Microsoft CVE-2000-0766 (Buffer overflow in vqSoft vqServer 1.4.49 allows remote attackers to c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0765 (Buffer overflow in the HTML interpreter in Microsoft Office 2000 allow ...) NOT-FOR-US: Microsoft CVE-2000-0764 (Intel Express 500 series switches allow a remote attacker to cause a d ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0763 (xlockmore and xlockf do not properly cleanse user-injected format stri ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0762 (The default installation of eTrust Access Control (formerly SeOS) uses ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0761 (OS2/Warp 4.5 FTP server allows remote attackers to cause a denial of s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0758 (The web interface for Lyris List Manager 3 and 4 allows list subscribe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0754 (Vulnerability in HP OpenView Network Node Manager (NMM) version 6.1 re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0753 (The Microsoft Outlook mail client identifies the physical path of the ...) NOT-FOR-US: Microsoft CVE-2000-0751 (mopd (Maintenance Operations Protocol loader daemon) does not properly ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0750 (Buffer overflow in mopd (Maintenance Operations Protocol loader daemon ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0749 (Buffer overflow in the Linux binary compatibility module in FreeBSD 3. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0747 (The logrotate script for OpenLDAP before 1.2.11 in Conectiva Linux sen ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0745 (admin.php3 in PHP-Nuke does not properly verify the PHP-Nuke administr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0744 (DEPRECATED. This entry has been deprecated. It is a duplicate of CVE ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0743 (Buffer overflow in University of Minnesota (UMN) gopherd 2.x allows re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0742 (The IPX protocol implementation in Microsoft Windows 95 and 98 allows ...) NOT-FOR-US: Microsoft CVE-2000-0741 (Format string vulnerability in strong.exe program in NAI Net Tools PKI ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0740 (Buffer overflow in strong.exe program in NAI Net Tools PKI server 1.0 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0739 (Directory traversal vulnerability in strong.exe program in NAI Net Too ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0738 (WebShield SMTP 4.5 allows remote attackers to cause a denial of servic ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0737 (The Service Control Manager (SCM) in Windows 2000 creates predictable ...) NOT-FOR-US: Microsoft CVE-2000-0733 (Telnetd telnet server in IRIX 5.2 through 6.1 does not properly cleans ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0732 (Worm HTTP server allows remote attackers to cause a denial of service ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0731 (Directory traversal vulnerability in Worm HTTP server allows remote at ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0730 (Vulnerability in newgrp command in HP-UX 11.0 allows local users to ga ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0729 (FreeBSD 5.x, 4.x, and 3.x allows local users to cause a denial of serv ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0728 (xpdf PDF viewer client earlier than 0.91 allows local users to overwri ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0727 (xpdf PDF viewer client earlier than 0.91 does not properly launch a we ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0726 (CGIMail.exe CGI program in Stalkerlab Mailers 1.1.2 allows remote atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0725 (Zope before 2.2.1 does not properly restrict access to the getRoles me ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0720 (news.cgi in GWScripts News Publisher does not properly authenticate re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0718 (A race condition in MandrakeUpdate allows local users to modify RPM fi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0717 (GoodTech FTP server allows remote attackers to cause a denial of servi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0716 (WorldClient email client in MDaemon 2.8 includes the session ID in the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0712 (Linux Intrusion Detection System (LIDS) 0.9.7 allows local users to ga ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0711 (Netscape Communicator does not properly prevent a ServerSocket object ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0708 (Buffer overflow in Pragma Systems TelnetServer 2000 version 4.0 allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0707 (PCCS MySQLDatabase Admin Tool Manager 1.2.4 and earlier installs the f ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0706 (Buffer overflows in ntop running in web mode allows remote attackers t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0705 (ntop running in web mode allows remote attackers to read arbitrary fil ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0703 (suidperl (aka sperl) does not properly cleanse the escape sequence "~! ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0702 (The net.init rc script in HP-UX 11.00 (S008net.init) allows local user ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0700 (Cisco Gigabit Switch Routers (GSR) with Fast Ethernet / Gigabit Ethern ...) NOT-FOR-US: Cisco CVE-2000-0699 (Format string vulnerability in ftpd in HP-UX 10.20 allows remote attac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0698 (Minicom 1.82.1 and earlier on some Linux systems allows local users to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0694 (pgxconfig in the Raptor GFX configuration tool allows local users to g ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0693 (pgxconfig in the Raptor GFX configuration tool uses a relative path na ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0685 (BEA WebLogic 5.1.x does not properly restrict access to the PageCompil ...) NOT-FOR-US: BEA WebLogic CVE-2000-0684 (BEA WebLogic 5.1.x does not properly restrict access to the JSPServlet ...) NOT-FOR-US: BEA WebLogic CVE-2000-0683 (BEA WebLogic 5.1.x allows remote attackers to read source code for par ...) NOT-FOR-US: BEA WebLogic CVE-2000-0682 (BEA WebLogic 5.1.x allows remote attackers to read source code for par ...) NOT-FOR-US: BEA WebLogic CVE-2000-0681 (Buffer overflow in BEA WebLogic server proxy plugin allows remote atta ...) NOT-FOR-US: BEA WebLogic CVE-2000-0679 (The CVS 1.10.8 client trusts pathnames that are provided by the CVS se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0678 (PGP 5.5.x through 6.5.3 does not properly check if an Additional Decry ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0677 (Buffer overflow in IBM Net.Data db2www CGI program allows remote attac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0676 (Netscape Communicator and Navigator 4.04 through 4.74 allows remote at ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0675 (Buffer overflow in Infopulse Gatekeeper 3.5 and earlier allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0674 (ftp.pl CGI program for Virtual Visions FTP browser allows remote attac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0673 (The NetBIOS Name Server (NBNS) protocol does not perform authenticatio ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0672 (The default configuration of Jakarta Tomcat does not restrict access t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0671 (Roxen web server earlier than 2.0.69 allows allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0670 (The cvsweb CGI script in CVSWeb 1.80 allows remote attackers with writ ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0669 (Novell NetWare 5.0 allows remote attackers to cause a denial of servic ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0668 (pam_console PAM module in Linux systems allows a user to access the sy ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0666 (rpc.statd in the nfs-utils package in various Linux distributions does ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0665 (GAMSoft TelSrv telnet server 1.5 and earlier allows remote attackers t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0664 (AnalogX SimpleServer:WWW 1.06 and earlier allows remote attackers to r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0663 (The registry entry for the Windows Shell executable (Explorer.exe) in ...) NOT-FOR-US: Microsoft CVE-2000-0662 (Internet Explorer 5.x and Microsoft Outlook allows remote attackers to ...) NOT-FOR-US: Microsoft CVE-2000-0661 (WircSrv IRC Server 5.07s allows remote attackers to cause a denial of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0660 (The WDaemon web server for WorldClient 2.1 allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0655 (Netscape Communicator 4.73 and earlier allows remote attackers to caus ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0654 (Microsoft Enterprise Manager allows local users to obtain database pas ...) NOT-FOR-US: Microsoft CVE-2000-0652 (IBM WebSphere allows remote attackers to read source code for executab ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0651 (The ClientTrust program in Novell BorderManager does not properly veri ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0650 (The default installation of VirusScan 4.5 and NetShield 4.5 has insecu ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0644 (WFTPD and WFTPD Pro 2.41 allows remote attackers to cause a denial of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0643 (Buffer overflow in WebActive HTTP Server 1.00 allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0642 (The default configuration of WebActive HTTP Server 1.00 stores the web ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0641 (Savant web server allows remote attackers to execute arbitrary command ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0640 (Guild FTPd allows remote attackers to determine the existence of files ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0639 (The default configuration of Big Brother 1.4h2 and earlier does not in ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0638 (bb-hostsvc.sh in Big Brother 1.4h1 and earlier allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0637 (Microsoft Excel 97 and 2000 allows an attacker to execute arbitrary co ...) NOT-FOR-US: Microsoft CVE-2000-0636 (HP JetDirect printers versions G.08.20 and H.08.20 and earlier allow r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0635 (The view_page.html sample page in the MiniVend shopping cart program a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0634 (The web administration interface for CommuniGate Pro 3.2.5 and earlier ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0633 (Vulnerability in Mandrake Linux usermode package allows local users to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0632 (Buffer overflow in the web archive component of L-Soft Listserv 1.8d a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0631 (An administrative script from IIS 3.0, later included in IIS 4.0 and 5 ...) NOT-FOR-US: Microsoft CVE-2000-0630 (IIS 4.0 and 5.0 allows remote attackers to obtain fragments of source ...) NOT-FOR-US: Microsoft CVE-2000-0628 (The source.asp example script in the Apache ASP module Apache::ASP 1.9 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0627 (BlackBoard CourseInfo 4.0 does not properly authenticate users, which ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0624 (Buffer overflow in Winamp 2.64 and earlier allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0622 (Buffer overflow in Webfind CGI program in O'Reilly WebSite Professiona ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0621 (Microsoft Outlook 98 and 2000, and Outlook Express 4.0x and 5.0x, allo ...) NOT-FOR-US: Microsoft CVE-2000-0620 (libX11 X library allows remote attackers to cause a denial of service ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0619 (Top Layer AppSwitch 2500 allows remote attackers to cause a denial of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0616 (Vulnerability in HP TurboIMAGE DBUTIL allows local users to gain addit ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0615 (LPRng 3.6.x improperly installs lpd as setuid root, which can allow lo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0613 (Cisco Secure PIX Firewall does not properly identify forged TCP Reset ...) NOT-FOR-US: Cisco CVE-2000-0611 (The default configuration of NetWin dMailWeb and cwMail trusts all POP ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0610 (NetWin dMailWeb and cwMail 2.6g and earlier allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0604 (gkermit in Red Hat Linux is improperly installed with setgid uucp, whi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0603 (Microsoft SQL Server 7.0 allows a local user to bypass permissions for ...) NOT-FOR-US: Microsoft CVE-2000-0602 (Secure Locate (slocate) in Red Hat Linux allows local users to gain pr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0601 (LeafChat 1.7 IRC client allows a remote IRC server to cause a denial o ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0600 (Netscape Enterprise Server in NetWare 5.1 allows remote attackers to c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0599 (Buffer overflow in iMesh 1.02 allows remote attackers to execute arbit ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0598 (Fortech Proxy+ allows remote attackers to bypass access restrictions f ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0597 (Microsoft Office 2000 (Excel and PowerPoint) and PowerPoint 97 are mar ...) NOT-FOR-US: Microsoft CVE-2000-0596 (Internet Explorer 5.x does not warn a user before opening a Microsoft ...) NOT-FOR-US: Microsoft CVE-2000-0595 (libedit searches for the .editrc file in the current directory instead ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0594 (BitchX IRC client does not properly cleanse an untrusted format string ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0593 (WinProxy 2.0 and 2.0.1 allows remote attackers to cause a denial of se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0591 (Novell BorderManager 3.0 and 3.5 allows remote attackers to bypass URL ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0590 (Poll It 2.0 CGI script allows remote attackers to read arbitrary files ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0588 (SawMill 5.0.21 CGI program allows remote attackers to read the first l ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0587 (The privpath directive in glftpd 1.18 allows remote attackers to bypas ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0586 (Buffer overflow in Dalnet IRC server 4.6.5 allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0585 (ISC DHCP client program dhclient allows remote attackers to execute ar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0584 (Buffer overflow in Canna input system allows remote attackers to execu ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0583 (vchkpw program in vpopmail before version 4.8 does not properly cleans ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0582 (Check Point FireWall-1 4.0 and 4.1 allows remote attackers to cause a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0581 (Windows 2000 Telnet Server allows remote attackers to cause a denial o ...) NOT-FOR-US: Microsoft CVE-2000-0579 (IRIX crontab creates temporary files with predictable file names and w ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0577 (Netscape Professional Services FTP Server 1.3.6 allows remote attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0576 (Oracle Web Listener for AIX versions 4.0.7.0.0 and 4.0.8.1.0 allows re ...) NOT-FOR-US: AIX CVE-2000-0575 (SSH 1.2.27 with Kerberos authentication support stores Kerberos ticket ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0573 (The lreply function in wu-ftpd 2.6.0 and earlier does not properly cle ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0571 (LocalWEB HTTP server 1.2.0 allows remote attackers to cause a denial o ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0570 (FirstClass Internet Services server 5.770, and other versions before 6 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0569 (Sybergen Sygate allows remote attackers to cause a denial of service b ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0568 (Sybergen Secure Desktop 2.1 does not properly protect against false ro ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0567 (Buffer overflow in Microsoft Outlook and Outlook Express allows remote ...) NOT-FOR-US: Microsoft CVE-2000-0566 (makewhatis in Linux man package allows local users to overwrite files ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0565 (SmartFTP Daemon 0.2 allows a local user to access arbitrary files by u ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0561 (Buffer overflow in WebBBS 1.15 allows remote attackers to execute arbi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0558 (Buffer overflow in HP Openview Network Node Manager 6.1 allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0557 (Buffer overflow in the web interface for Cmail 2.4.7 allows remote att ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0556 (Buffer overflow in the web interface for Cmail 2.4.7 allows remote att ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0555 (Ceilidh allows remote attackers to cause a denial of service via a lar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0553 (Race condition in IPFilter firewall 3.4.3 and earlier, when configured ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0552 (ICQwebmail client for ICQ 2000A creates a world readable temporary fil ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0551 (The file transfer mechanism in Danware NetOp 6.0 does not provide auth ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0550 (Kerberos 4 KDC program improperly frees memory twice (aka "double-free ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0549 (Kerberos 4 KDC program does not properly check for null termination of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0548 (Buffer overflow in Kerberos 4 KDC program allows remote attackers to c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0542 (Tigris remote access server before 11.5.4.22 does not properly record ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0541 (The Panda Antivirus console on port 2001 allows local users to execute ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0540 (JSP sample files in Allaire JRun 2.3.x allow remote attackers to acces ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0539 (Servlet examples in Allaire JRun 2.3.x allow remote attackers to obtai ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0538 (ColdFusion Administrator for ColdFusion 4.5.1 and earlier allows remot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0537 (BRU backup software allows local users to append data to arbitrary fil ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0536 (xinetd 2.1.8.x does not properly restrict connections if hostnames are ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0534 (The apsfilter software in the FreeBSD ports package does not properly ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0533 (Vulnerability in cvconnect in SGI IRIX WorkShop allows local users to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0532 (A FreeBSD patch for SSH on 2000-01-14 configures ssh to listen on port ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0530 (The KApplication class in the KDE 1.1.2 configuration file management ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0529 (Net Tools PKI Server allows remote attackers to cause a denial of serv ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0528 (Net Tools PKI Server does not properly restrict access to remote attac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0525 (OpenSSH does not properly drop privileges when the UseLogin option is ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0523 (Buffer overflow in the logging feature of EServ 2.9.2 and earlier allo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0522 (RSA ACE/Server allows remote attackers to cause a denial of service by ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0521 (Savant web server allows remote attackers to read source code of CGI s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0519 (Internet Explorer 4.x and 5.x does not properly re-validate an SSL cer ...) NOT-FOR-US: Microsoft CVE-2000-0518 (Internet Explorer 4.x and 5.x does not properly verify all contents of ...) NOT-FOR-US: Microsoft CVE-2000-0517 (Netscape 4.73 and earlier does not properly warn users about a potenti ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0516 (When configured to store configuration information in an LDAP director ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0515 (The snmpd.conf configuration file for the SNMP daemon (snmpd) in HP-UX ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0514 (GSSFTP FTP daemon in Kerberos 5 1.1.x does not properly restrict acces ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0513 (CUPS (Common Unix Printing System) 1.04 and earlier allows remote atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0512 (CUPS (Common Unix Printing System) 1.04 and earlier does not properly ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0511 (CUPS (Common Unix Printing System) 1.04 and earlier allows remote atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0510 (CUPS (Common Unix Printing System) 1.04 and earlier allows remote atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0508 (rpc.lockd in Red Hat Linux 6.1 and 6.2 allows remote attackers to caus ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0507 (Imate Webmail Server 2.5 allows remote attackers to cause a denial of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0506 (The "capabilities" feature in Linux before 2.2.16 allows local users t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0505 (The Apache 1.3.x HTTP server for Windows platforms allows remote attac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0504 (libICE in XFree86 allows remote attackers to cause a denial of service ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0502 (Mcafee VirusScan 4.03 does not properly restrict access to the alert t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0501 (Race condition in MDaemon 2.8.5.0 POP server allows local users to cau ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0500 (The default configuration of BEA WebLogic 5.1.0 allows a remote attack ...) NOT-FOR-US: BEA WebLogic CVE-2000-0499 (The default configuration of BEA WebLogic 3.1.8 through 4.5.1 allows a ...) NOT-FOR-US: BEA WebLogic CVE-2000-0498 (Unify eWave ServletExec allows a remote attacker to view source code o ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0497 (IBM WebSphere server 3.0.2 allows a remote attacker to view source cod ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0495 (Microsoft Windows Media Encoder allows remote attackers to cause a den ...) NOT-FOR-US: Microsoft CVE-2000-0494 (Veritas Volume Manager creates a world writable .server_pids file, whi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0493 (Buffer overflow in Simple Network Time Sync (SMTS) daemon allows remot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0490 (Buffer overflow in the NetWin DSMTP 2.7q in the NetWin dmail package a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0489 (FreeBSD, NetBSD, and OpenBSD allow an attacker to cause a denial of se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0488 (Buffer overflow in ITHouse mail server 1.04 allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0486 (Buffer overflow in Cisco TACACS+ tac_plus server allows remote attacke ...) NOT-FOR-US: Cisco CVE-2000-0485 (Microsoft SQL Server allows local users to obtain database passwords v ...) NOT-FOR-US: Microsoft CVE-2000-0484 (Buffer overflow in Small HTTP Server allows remote attackers to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0483 (The DocumentTemplate package in Zope 2.2 and earlier allows a remote a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0482 (Check Point Firewall-1 allows remote attackers to cause a denial of se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0481 (Buffer overflow in KDE Kmail allows a remote attacker to cause a denia ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0478 (In some cases, Norton Antivirus for Exchange (NavExchange) enters a "f ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0477 (Buffer overflow in Norton Antivirus for Exchange (NavExchange) allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0475 (Windows 2000 allows a local user process to access another user's desk ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0474 (Real Networks RealServer 7.x allows remote attackers to cause a denial ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0472 (Buffer overflow in innd 2.2.2 allows remote attackers to execute arbit ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0471 (Buffer overflow in ufsrestore in Solaris 8 and earlier allows local us ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0470 (Allegro RomPager HTTP server allows remote attackers to cause a denial ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0469 (Selena Sol WebBanner 4.0 allows remote attackers to read arbitrary fil ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0468 (man in HP-UX 10.20 and 11 allows local attackers to overwrite files vi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0467 (Buffer overflow in Linux splitvt 1.6.3 and earlier allows local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0466 (AIX cdmount allows local users to gain root privileges via shell metac ...) NOT-FOR-US: AIX CVE-2000-0465 (Internet Explorer 4.x and 5.x does not properly verify the domain of a ...) NOT-FOR-US: Microsoft CVE-2000-0464 (Internet Explorer 4.x and 5.x allows remote attackers to execute arbit ...) NOT-FOR-US: Microsoft CVE-2000-0463 (BeOS 5.0 allows remote attackers to cause a denial of service via frag ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0462 (ftpd in NetBSD 1.4.2 does not properly parse entries in /etc/ftpchroot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0461 (The undocumented semconfig system call in BSD freezes the state of sem ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0460 (Buffer overflow in KDE kdesud on Linux allows local uses to gain privi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0459 (IMP does not remove files properly if the MSWordView application quits ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0458 (The MSWordView application in IMP creates world-readable files in the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0457 (ISM.DLL in IIS 4.0 and 5.0 allows remote attackers to read file conten ...) NOT-FOR-US: Microsoft CVE-2000-0456 (NetBSD 1.4.2 and earlier allows local users to cause a denial of servi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0455 (Buffer overflow in xlockmore xlock program version 4.16 and earlier al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0454 (Buffer overflow in Linux cdrecord allows local users to gain privilege ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0453 (XFree86 3.3.x and 4.0 allows a user to cause a denial of service via a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0452 (Buffer overflow in the ESMTP service of Lotus Domino Server 5.0.1 allo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0451 (The Intel express 8100 ISDN router allows remote attackers to cause a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0448 (The WebShield SMTP Management Tool version 4.5.44 does not properly re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0447 (Buffer overflow in WebShield SMTP 4.5.44 allows remote attackers to ex ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0446 (Buffer overflow in MDBMS database server allows remote attackers to ex ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0445 (The pgpk command in PGP 5.x on Unix systems uses an insufficiently ran ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0443 (The web interface server in HP Web JetAdmin 5.6 allows remote attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0442 (Qpopper 2.53 and earlier allows local users to gain privileges via a f ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0441 (Vulnerability in AIX 3.2.x and 4.x allows local users to gain write ac ...) NOT-FOR-US: AIX CVE-2000-0440 (NetBSD 1.4.2 and earlier allows remote attackers to cause a denial of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0439 (Internet Explorer 4.0 and 5.0 allows a malicious web site to obtain cl ...) NOT-FOR-US: Microsoft CVE-2000-0438 (Buffer overflow in fdmount on Linux systems allows local users in the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0437 (Buffer overflow in the CyberPatrol daemon "cyberdaemon" used in gauntl ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0436 (MetaProducts Offline Explorer 1.2 and earlier allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0435 (The allmanageup.pl file upload CGI script in the Allmanage Website adm ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0432 (The calender.pl and the calendar_admin.pl calendar scripts by Matt Kru ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0431 (Cobalt RaQ2 and RaQ3 does not properly set the access permissions and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0430 (Cart32 allows remote attackers to access sensitive debugging informati ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0428 (Buffer overflow in the SMTP gateway for InterScan Virus Wall 3.32 and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0427 (The Aladdin Knowledge Systems eToken device allows attackers with phys ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0426 (UltraBoard 1.6 and other versions allow remote attackers to cause a de ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0425 (Buffer overflow in the Web Archives component of L-Soft LISTSERV 1.8 a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0424 (The CGI counter 4.0.7 by George Burgyan allows remote attackers to exe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0421 (The process_bug.cgi script in Bugzilla allows remote attackers to exec ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0419 (The Office 2000 UA ActiveX Control is marked as "safe for scripting," ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0418 (The Cayman 3220-H DSL router allows remote attackers to cause a denial ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0417 (The HTTP administration interface to the Cayman 3220-H DSL router allo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0416 (NTMail 5.x allows network users to bypass the NTMail proxy restriction ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0414 (Vulnerability in shutdown command for HP-UX 11.X and 10.X allows allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0411 (Matt Wright's FormMail CGI script allows remote attackers to obtain en ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0410 (ColdFusion Server 4.5.1 allows remote attackers to cause a denial of s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0409 (Netscape 4.73 and earlier follows symlinks when it imports a new certi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0408 (IIS 4.05 and 5.0 allow remote attackers to cause a denial of service v ...) NOT-FOR-US: Microsoft CVE-2000-0407 (Buffer overflow in Solaris netpr program allows local users to execute ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0406 (Netscape Communicator before version 4.73 and Navigator 4.07 do not pr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0405 (Buffer overflow in L0pht AntiSniff allows remote attackers to execute ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0404 (The CIFS Computer Browser service allows remote attackers to cause a d ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0403 (The CIFS Computer Browser service on Windows NT 4.0 allows a remote at ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0402 (The Mixed Mode authentication capability in Microsoft SQL Server 7.0 s ...) NOT-FOR-US: Microsoft CVE-2000-0399 (Buffer overflow in MDaemon POP server allows remote attackers to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0398 (Buffer overflow in wconsole.dll in Rockliffe MailSite Management Agent ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0397 (The EMURL web-based email account software encodes predictable identif ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0396 (The add.exe program in the Carello shopping cart software allows remot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0395 (Buffer overflow in CProxy 3.3 allows remote users to cause a denial of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0394 (NetProwler 3.0 allows remote attackers to cause a denial of service by ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0393 (The KDE kscd program does not drop privileges when executing a program ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0392 (Buffer overflow in ksu in Kerberos 5 allows local users to gain root p ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0391 (Buffer overflow in krshd in Kerberos 5 allows remote attackers to gain ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0390 (Buffer overflow in krb425_conv_principal function in Kerberos 5 allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0389 (Buffer overflow in krb_rd_req function in Kerberos 4 and 5 allows remo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0388 (Buffer overflow in FreeBSD libmytinfo library allows local users to ex ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0387 (The makelev program in the golddig game from the FreeBSD ports collect ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0382 (ColdFusion ClusterCATS appends stale query string arguments to a URL d ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0381 (The Gossamer Threads DBMan db.cgi CGI script allows remote attackers t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0380 (The IOS HTTP service in Cisco routers and switches running IOS 11.1 th ...) NOT-FOR-US: Cisco CVE-2000-0379 (The Netopia R9100 router does not prevent authenticated users from mod ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0378 (The pam_console PAM module in Linux systems performs a chown on variou ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0377 (The Remote Registry server in Windows NT 4.0 allows local authenticate ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0376 (Buffer overflow in the HTTP proxy server for the i-drive Filo software ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0375 (The kernel in FreeBSD 3.2 follows symbolic links when it creates core ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0374 (The default configuration of kdm in Caldera and Mandrake Linux, and po ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0373 (Vulnerabilities in the KDE kvt terminal program allow local users to g ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0372 (Vulnerability in Caldera rmt command in the dump package 0.4b4 allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0371 (The libmediatool library used for the KDE mediatool allows local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0370 (The debug option in Caldera Linux smail allows remote attackers to exe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0369 (The IDENT server in Caldera Linux 2.3 creates multiple threads for eac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0368 (Classic Cisco IOS 9.1 and later allows attackers with access to the lo ...) NOT-FOR-US: Cisco CVE-2000-0367 (Vulnerability in eterm 0.8.8 in Debian GNU/Linux allows an attacker to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0366 (dump in Debian GNU/Linux 2.1 does not properly restore symlinks, which ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0363 (Linux cdwtools 093 and earlier allows local users to gain root privile ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0362 (Buffer overflows in Linux cdwtools 093 and earlier allows local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0361 (The PPP wvdial.lxdialog script in wvdial 1.4 and earlier creates a .co ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0360 (Buffer overflow in INN 2.2.1 and earlier allows remote attackers to ca ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0359 (Buffer overflow in Trivial HTTP (THTTPd) allows remote attackers to ca ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0356 (Pluggable Authentication Modules (PAM) in Red Hat Linux 6.1 does not p ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0354 (mirror 2.8.x in Linux systems allows remote attackers to create files ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0353 (Pine 4.x allows a remote attacker to execute arbitrary commands via an ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0352 (Pine before version 4.21 does not properly filter shell metacharacters ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0351 (Some packaging commands in SCO UnixWare 7.1.0 have insecure privileges ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0350 (A debugging feature in NetworkICE ICEcap 2.0.23 and earlier is enabled ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0349 (Vulnerability in the passthru driver in SCO UnixWare 7.1.0 allows an a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0348 (A vulnerability in the Sendmail configuration file sendmail.cf as inst ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0347 (Windows 95 and Windows 98 allow a remote attacker to cause a denial of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0346 (AppleShare IP 6.1 and later allows a remote attacker to read potential ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0344 (The knfsd NFS server in Linux kernel 2.2.x allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0342 (Eudora 4.x allows remote attackers to bypass the user warning for exec ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0341 (ATRIUM Cassandra NNTP Server 1.10 allows remote attackers to cause a d ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0340 (Buffer overflow in Gnomelib in SuSE Linux 6.3 allows local users to ex ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0339 (ZoneAlarm 2.1.10 and earlier does not filter UDP packets with a source ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0338 (Concurrent Versions Software (CVS) uses predictable temporary file nam ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0337 (Buffer overflow in Xsun X server in Solaris 7 allows local users to ga ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0336 (Linux OpenLDAP server allows local users to modify arbitrary files via ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0335 (The resolver in glibc 2.1.3 uses predictable IDs, which allows a local ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0334 (The Allaire Spectra container editor preview tool does not properly en ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0332 (UltraBoard.pl or UltraBoard.cgi CGI scripts in UltraBoard 1.6 allows r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0331 (Buffer overflow in Microsoft command processor (CMD.EXE) for Windows N ...) NOT-FOR-US: Microsoft CVE-2000-0330 (The networking software in Windows 95 and Windows 98 allows remote att ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0329 (A Microsoft ActiveX control allows a remote attacker to execute a mali ...) NOT-FOR-US: Microsoft CVE-2000-0328 (Windows NT 4.0 generates predictable random TCP initial sequence numbe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0327 (Microsoft Virtual Machine (VM) allows remote attackers to escape the J ...) NOT-FOR-US: Microsoft CVE-2000-0324 (pcAnywhere 8.x and 9.0 allows remote attackers to cause a denial of se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0323 (The Microsoft Jet database engine allows an attacker to modify text fi ...) NOT-FOR-US: Microsoft CVE-2000-0322 (The passwd.php3 CGI script in the Red Hat Piranha Virtual Server Packa ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0320 (Qpopper 2.53 and 3.0 does not properly identify the \n string which id ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0319 (mail.local in Sendmail 8.10.x does not properly identify the .\n strin ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0318 (Atrium Mercur Mail Server 3.2 allows local attackers to read other use ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0316 (Buffer overflow in Solaris 7 lp allows local users to gain root privil ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0315 (traceroute in NetBSD 1.3.3 and Linux systems allows local unprivileged ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0314 (traceroute in NetBSD 1.3.3 and Linux systems allows local users to flo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0313 (Vulnerability in OpenBSD 2.6 allows a local user to change interface m ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0311 (The Windows 2000 domain controller allows a malicious user to modify A ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0310 (IP fragment assembly in OpenBSD 2.4 allows a remote attacker to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0309 (The i386 trace-trap handling in OpenBSD 2.4 with DDB enabled allows a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0308 (Insecure file permissions for Netscape FastTrack Server 2.x, Enterpris ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0307 (Vulnerability in xserver in SCO UnixWare 2.1.x and OpenServer 5.05 and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0306 (Buffer overflow in calserver in SCO OpenServer allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0305 (Windows 95, Windows 98, Windows 2000, Windows NT 4.0, and Terminal Ser ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0304 (Microsoft IIS 4.0 and 5.0 with the IISADMPWD virtual directory install ...) NOT-FOR-US: Microsoft CVE-2000-0303 (Quake3 Arena allows malicious server operators to read or modify files ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0302 (Microsoft Index Server allows remote attackers to view the source code ...) NOT-FOR-US: Microsoft CVE-2000-0301 (Ipswitch IMAIL server 6.02 and earlier allows remote attackers to caus ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0298 (The unattended installation of Windows 2000 with the OEMPreinstall opt ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0297 (Allaire Forums 2.0.5 allows remote attackers to bypass access restrict ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0296 (fcheck allows local users to gain privileges by embedding shell metach ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0294 (Buffer overflow in healthd for FreeBSD allows local users to gain root ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0292 (The Adtran MX2800 M13 Multiplexer allows remote attackers to cause a d ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0290 (Buffer overflow in Webstar HTTP server allows remote attackers to caus ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0289 (IP masquerading in Linux 2.2.x allows remote attackers to route UDP pa ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0287 (The BizDB CGI script bizdb-search.cgi allows remote attackers to execu ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0285 (Buffer overflow in XFree86 3.3.x allows local users to execute arbitra ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0283 (The default installation of IRIX Performance Copilot allows remote att ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0282 (TalentSoft webpsvr daemon in the Web+ shopping cart application allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0279 (BeOS allows remote attackers to cause a denial of service via malforme ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0278 (The SalesLogix Eviewer allows remote attackers to cause a denial of se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0277 (Microsoft Excel 97 and 2000 does not warn the user when executing Exce ...) NOT-FOR-US: Microsoft CVE-2000-0276 (BeOS 4.5 and 5.0 allow local users to cause a denial of service via ma ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0274 (The Linux trustees kernel patch allows attackers to cause a denial of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0273 (PCAnywhere allows remote attackers to cause a denial of service by ter ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0272 (RealNetworks RealServer allows remote attackers to cause a denial of s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0268 (Cisco IOS 11.x and 12.x allows remote attackers to cause a denial of s ...) NOT-FOR-US: Cisco CVE-2000-0267 (Cisco Catalyst 5.4.x allows a user to gain access to the "enable" mode ...) NOT-FOR-US: Cisco CVE-2000-0265 (Panda Security 3.0 allows users to uninstall the Panda software via it ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0264 (Panda Security 3.0 with registry editing disabled allows users to edit ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0263 (The X font server xfs in Red Hat Linux 6.x allows an attacker to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0262 (The AVM KEN! ISDN Proxy server allows remote attackers to cause a deni ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0261 (The AVM KEN! web server allows remote attackers to read arbitrary file ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0260 (Buffer overflow in the dvwssr.dll DLL in Microsoft Visual Interdev 1.0 ...) NOT-FOR-US: Microsoft CVE-2000-0258 (IIS 4.0 and 5.0 allows remote attackers to cause a denial of service b ...) NOT-FOR-US: Microsoft CVE-2000-0257 (Buffer overflow in the NetWare remote web administration utility allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0255 (The Nbase-Xyplex EdgeBlaster router allows remote attackers to cause a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0254 (The dansie shopping cart application cart.pl allows remote attackers t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0253 (The dansie shopping cart application cart.pl allows remote attackers t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0252 (The dansie shopping cart application cart.pl allows remote attackers t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0251 (HP-UX 11.04 VirtualVault (VVOS) sends data to unprivileged processes v ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0249 (The AIX Fast Response Cache Accelerator (FRCA) allows local users to m ...) NOT-FOR-US: AIX CVE-2000-0247 (Unknown vulnerability in Generic-NQS (GNQS) allows local users to gain ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0246 (IIS 4.0 and 5.0 does not properly perform ISAPI extension processing i ...) NOT-FOR-US: Microsoft CVE-2000-0245 (Vulnerability in SGI IRIX objectserver daemon allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0243 (AnalogX SimpleServer:WWW HTTP server 1.03 allows remote attackers to c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0240 (vqSoft vqServer program allows remote attackers to read arbitrary file ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0238 (Buffer overflow in the web server for Norton AntiVirus for Internet Em ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0237 (Netscape Enterprise Server with Web Publishing enabled allows remote a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0236 (Netscape Enterprise Server with Directory Indexing enabled allows remo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0235 (Buffer overflow in the huh program in the orville-write package allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0234 (The default configuration of Cobalt RaQ2 and RaQ3 as specified in acce ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0233 (SuSE Linux IMAP server allows remote attackers to bypass IMAP authenti ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0232 (Microsoft TCP/IP Printing Services, aka Print Services for Unix, allow ...) NOT-FOR-US: Microsoft CVE-2000-0231 (Linux kreatecd trusts a user-supplied path that is used to find the cd ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0230 (Buffer overflow in imwheel allows local users to gain root privileges ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0229 (gpm-root in the gpm package does not properly drop privileges, which a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0228 (Microsoft Windows Media License Manager allows remote attackers to cau ...) NOT-FOR-US: Microsoft CVE-2000-0226 (IIS 4.0 allows attackers to cause a denial of service by requesting a ...) NOT-FOR-US: Microsoft CVE-2000-0225 (The Pocsag POC32 program does not properly prevent remote users from a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0224 (ARCserve agent in SCO UnixWare 7.x allows local attackers to gain root ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0223 (Buffer overflow in the wmcdplay CD player program for the WindowMaker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0222 (The installation for Windows 2000 does not activate the Administrator ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0221 (The Nautica Marlin bridge allows remote attackers to cause a denial of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0218 (Buffer overflow in Linux mount and umount allows local users to gain r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0217 (The default configuration of SSH allows X forwarding, which could allo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0215 (Vulnerability in SCO cu program in UnixWare 7.x allows local users to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0212 (InterAccess TelnetD Server 4.0 allows remote attackers to conduct a de ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0211 (The Windows Media server allows remote attackers to cause a denial of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0210 (The lit program in Sun Flex License Manager (FlexLM) follows symlinks, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0209 (Buffer overflow in Lynx 2.x allows remote attackers to crash Lynx and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0208 (The htdig (ht://Dig) CGI program htsearch allows remote attackers to r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0207 (SGI InfoSearch CGI program infosrch.cgi allows remote attackers to exe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0206 (The installation of Oracle 8.1.5.x on Linux follows symlinks and creat ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0202 (Microsoft SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0 allow re ...) NOT-FOR-US: Microsoft CVE-2000-0201 (The window.showHelp() method in Internet Explorer 5.x does not restric ...) NOT-FOR-US: Microsoft CVE-2000-0200 (Buffer overflow in Microsoft Clip Art Gallery allows remote attackers ...) NOT-FOR-US: Microsoft CVE-2000-0196 (Buffer overflow in mhshow in the Linux nmh package allows remote attac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0195 (setxconf in Corel Linux allows local users to gain root access via the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0194 (buildxconf in Corel Linux allows local users to modify or create arbit ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0193 (The default configuration of Dosemu in Corel Linux 1.0 allows local us ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0192 (The default installation of Caldera OpenLinux 2.3 includes the CGI pro ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0191 (Axis StorPoint CD allows remote attackers to access administrator URLs ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0189 (ColdFusion Server 4.x allows remote attackers to determine the real pa ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0186 (Buffer overflow in the dump utility in the Linux ext2fs backup package ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0185 (RealMedia RealServer reveals the real IP address of a Real Server, eve ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0184 (Linux printtool sets the permissions of printer configuration files to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0183 (Buffer overflow in ircII 4.4 IRC client allows remote attackers to exe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0182 (iPlanet Web Server 4.1 allows remote attackers to cause a denial of se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0181 (Firewall-1 3.0 and 4.0 leaks packets with private IP address informati ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0180 (Sojourn search engine allows remote attackers to read arbitrary files ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0179 (HP OpenView OmniBack 2.55 allows remote attackers to cause a denial of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0178 (ServerIron switches by Foundry Networks have predictable TCP/IP sequen ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0175 (Buffer overflow in StarOffice StarScheduler web server allows remote a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0174 (StarOffice StarScheduler web server allows remote attackers to read ar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0172 (The mtr program only uses a seteuid call when attempting to drop privi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0171 (atsadc in the atsar package for Linux does not properly check the perm ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0170 (Buffer overflow in the man program in Linux allows local users to gain ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0169 (Batch files in the Oracle web listener ows-bin directory allow remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0168 (Microsoft Windows 9x operating systems allow an attacker to cause a de ...) NOT-FOR-US: Microsoft CVE-2000-0166 (Buffer overflow in the InterAccess telnet server TelnetD allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0165 (The Delegate application proxy has several buffer overflows which allo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0164 (The installation of Sun Internet Mail Server (SIMS) creates a world-re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0162 (The Microsoft virtual machine (VM) in Internet Explorer 4.x and 5.x al ...) NOT-FOR-US: Microsoft CVE-2000-0161 (Sample web sites on Microsoft Site Server 3.0 Commerce Edition do not ...) NOT-FOR-US: Microsoft CVE-2000-0159 (HP Ignite-UX does not save /etc/passwd when it creates an image of a t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0157 (NetBSD ptrace call on VAX allows local users to gain privileges by mod ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0156 (Internet Explorer 4.x and 5.x allows remote web servers to access file ...) NOT-FOR-US: Microsoft CVE-2000-0152 (Remote attackers can cause a denial of service in Novell BorderManager ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0150 (Check Point Firewall-1 allows remote attackers to bypass port access r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0149 (Zeus web server allows remote attackers to view the source code for CG ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0148 (MySQL 3.22 allows remote attackers to bypass password authentication a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0146 (The Java Server in the Novell GroupWise Web Access Enhancement Pack al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0145 (The libguile.so library file used by gnucash in Debian GNU/Linux is in ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0144 (Axis 700 Network Scanner does not properly restrict access to administ ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0141 (Infopop Ultimate Bulletin Board (UBB) allows remote attackers to execu ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0140 (Internet Anywhere POP3 Mail Server allows remote attackers to cause a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0139 (Internet Anywhere POP3 Mail Server allows local users to cause a denia ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0131 (Buffer overflow in War FTPd 1.6x allows users to cause a denial of ser ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0130 (Buffer overflow in SCO scohelp program allows remote attackers to exec ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0128 (The Finger Server 0.82 allows remote attackers to execute commands via ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0127 (The Webspeed configuration program does not properly disable access to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0121 (The Recycle Bin utility in Windows NT and Windows 2000 allows local us ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0120 (The Remote Access Service invoke.cfm template in Allaire Spectra 1.0 a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0117 (The siteUserMod.cgi program in Cobalt RaQ2 servers allows any Site Adm ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0116 (Firewall-1 does not properly filter script tags, which allows remote a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0113 (The SyGate Remote Management program does not properly restrict access ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0112 (The default installation of Debian GNU/Linux uses an insecure Master B ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0111 (The RightFax web client uses predictable session numbers, which allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0107 (Linux apcd program allows local attackers to modify arbitrary files vi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0100 (The SMS Remote Control program is installed with insecure permissions, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0099 (Buffer overflow in UnixWare ppptalk command allows local users to gain ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0098 (Microsoft Index Server allows remote attackers to determine the real p ...) NOT-FOR-US: Microsoft CVE-2000-0097 (The WebHits ISAPI filter in Microsoft Index Server allows remote attac ...) NOT-FOR-US: Microsoft CVE-2000-0095 (The PMTU discovery procedure used by HP-UX 10.30 and 11.00 for determi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0094 (procfs in BSD systems allows local users to gain root privileges by mo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0092 (The BSD make program allows local users to modify files via a symlink ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0091 (Buffer overflow in vchkpw/vpopmail POP authentication package allows r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0090 (VMWare 1.1.2 allows local users to cause a denial of service via a sym ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0089 (The rdisk utility in Microsoft Terminal Server Edition and Windows NT ...) NOT-FOR-US: Microsoft CVE-2000-0088 (Buffer overflow in the conversion utilities for Japanese, Korean and C ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0087 (Netscape Mail Notification (nsnotify) utility in Netscape Communicator ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0083 (HP asecure creates the Audio Security File audio.sec with insecure per ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0080 (AIX techlibss allows local users to overwrite files via a symlink atta ...) NOT-FOR-US: AIX CVE-2000-0076 (nviboot boot script in the Debian nvi package allows local users to de ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0075 (Super Mail Transfer Package (SMTP), later called MsgCore, has a memory ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0073 (Buffer overflow in Microsoft Rich Text Format (RTF) reader allows atta ...) NOT-FOR-US: Microsoft CVE-2000-0072 (Visual Casel (Vcasel) does not properly prevent users from executing f ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0070 (NtImpersonateClientOfPort local procedure call in Windows NT 4.0 allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0065 (Buffer overflow in InetServ 3.0 allows remote attackers to execute com ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0064 (cgiproc CGI script in Nortel Contivity HTTP server allows remote attac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0063 (cgiproc CGI script in Nortel Contivity HTTP server allows remote attac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0062 (The DTML implementation in the Z Object Publishing Environment (Zope) ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0060 (Buffer overflow in aVirt Rover POP3 server 1.1 allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0057 (Cold Fusion CFCACHE tag places temporary cache files within the web do ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0056 (IMail IMONITOR status.cgi CGI script allows remote attackers to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0053 (Microsoft Commercial Internet System (MCIS) IMAP server allows remote ...) NOT-FOR-US: Microsoft CVE-2000-0052 (Red Hat userhelper program in the usermode package allows local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0051 (The Allaire Spectra Configuration Wizard allows remote attackers to ca ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0050 (The Allaire Spectra Webtop allows authenticated users to access other ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0048 (get_it program in Corel Linux Update allows local users to gain root a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0045 (MySQL allows local users to modify passwords for arbitrary MySQL users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0044 (Macros in War FTP 1.70 and 1.67b2 allow local or remote attackers to r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0043 (Buffer overflow in CamShot WebCam HTTP server allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0042 (Buffer overflow in CSM mail server allows remote attackers to cause a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0041 (Macintosh systems generate large ICMP datagrams in response to malform ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0040 (glFtpD allows local users to gain privileges via metacharacters in the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0039 (AltaVista search engine allows remote attackers to read files above th ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0037 (Majordomo wrapper allows local users to gain privileges by specifying ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0036 (Outlook Express 5 for Macintosh downloads attachments to HTML mail wit ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0034 (Netscape 4.7 records user passwords in the preferences.js file during ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0033 (InterScan VirusWall SMTP scanner does not properly scan messages with ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0032 (Solaris dmi_cmd allows local users to crash the dmispd daemon by addin ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0031 (The initscripts package in Red Hat Linux allows local users to gain pr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0030 (Solaris dmispd dmi_cmd allows local users to fill up restricted disk s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0029 (UnixWare pis and mkpis commands allow local users to gain privileges v ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0027 (IBM Network Station Manager NetStation allows local users to gain priv ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0026 (Buffer overflow in UnixWare i2odialogd daemon allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0025 (IIS 4.0 and Site Server 3.0 allow remote attackers to read source code ...) NOT-FOR-US: Microsoft CVE-2000-0024 (IIS does not properly canonicalize URLs, potentially allowing remote a ...) NOT-FOR-US: Microsoft CVE-2000-0023 (Buffer overflow in Lotus Domino HTTP server allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0022 (Lotus Domino HTTP server does not properly disable anonymous access fo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0020 (DNS PRO allows remote attackers to conduct a denial of service via a l ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0018 (wmmon in FreeBSD allows local users to gain privileges via the .wmmonr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0015 (CascadeView TFTP server allows local users to gain privileges via a sy ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0014 (Denial of service in Savant web server via a null character in the req ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0013 (IRIX soundplayer program allows local users to gain privileges by incl ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0012 (Buffer overflow in w3-msql CGI program in miniSQL package allows remot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0011 (Buffer overflow in AnalogX SimpleServer:WWW HTTP server allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0010 (WebWho+ whois.cgi program allows remote attackers to execute commands ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0009 (The bna_pass program in Optivity NETarchitect uses the PATH environmen ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0007 (Trend Micro PC-Cillin does not restrict access to its internal proxy p ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0006 (strace allows local users to read arbitrary files via memory mapped fi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0004 (ZBServer Pro allows remote attackers to read source code for executabl ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0003 (Buffer overflow in UnixWare rtpm program allows local users to gain pr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0002 (Buffer overflow in ZBServer Pro 1.50 allows remote attackers to execut ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0001 (RealMedia server allows remote attackers to cause a denial of service ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1568 (Off-by-one error in NcFTPd FTP server before 2.4.1 allows a remote att ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1565 (Man2html 2.1 and earlier allows local users to overwrite arbitrary fil ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1556 (Microsoft SQL Server 6.5 uses weak encryption for the password for the ...) NOT-FOR-US: Microsoft CVE-1999-1550 (bigconf.conf in F5 BIG/ip 2.1.2 and earlier allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1542 (RPMMail before 1.4 allows remote attackers to execute commands via an ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1537 (IIS 3.x and 4.x does not distinguish between pages requiring encryptio ...) NOT-FOR-US: Microsoft CVE-1999-1535 (Buffer overflow in AspUpload.dll in Persits Software AspUpload before ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1531 (Buffer overflow in IBM HomePagePrint 1.0.7 for Windows98J allows a mal ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1530 (cgiwrap as used on Cobalt RaQ 2.0 and RaQ 3i does not properly identif ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1520 (A configuration problem in the Ad Server Sample directory (AdSamples) ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1512 (The AMaViS virus scanner 0.2.0-pre4 and earlier allows remote attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1507 (Sun SunOS 4.1 through 4.1.3 allows local attackers to gain root access ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1494 (colorview in Silicon Graphics IRIX 5.1, 5.2, and 6.0 allows local atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1490 (xosview 1.5.1 in Red Hat 5.1 allows local users to gain root access vi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1488 (sdrd daemon in IBM SP2 System Data Repository (SDR) allows remote atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1486 (sadc in IBM AIX 4.1 through 4.3, when called from programs such as tim ...) NOT-FOR-US: AIX CVE-1999-1481 (Squid 2.2.STABLE5 and below, when using external authentication, allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1478 (The Sun HotSpot Performance Engine VM allows a remote attacker to caus ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1476 (A bug in Intel Pentium processor (MMX and Overdrive) allows local user ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1473 (When a Web site redirects the browser to another site, Internet Explor ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1472 (Internet Explorer 4.0 allows remote attackers to read arbitrary text a ...) NOT-FOR-US: Microsoft CVE-1999-1468 (rdist in various UNIX systems uses popen to execute sendmail, which al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1456 (thttpd HTTP server 2.03 and earlier allows remote attackers to read ar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1455 (RSH service utility RSHSVC in Windows NT 3.5 through 4.0 does not prop ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1452 (GINA in Windows NT 4.0 allows attackers with physical access to displa ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1437 (ePerl 2.2.12 allows remote attackers to read arbitrary files and possi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1433 (HP JetAdmin D.01.09 on Solaris allows local users to change the permis ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1432 (Power management (Powermanagement) on Solaris 2.4 through 2.6 does not ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1423 (ping in Solaris 2.3 through 2.6 allows local users to cause a denial o ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1419 (Buffer overflow in nss_nisplus.so.1 library in NIS+ in Solaris 2.3 and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1414 (IBM Netfinity Remote Control allows local users to gain administrator ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1411 (The installation of the fsp package 2.71-10 in Debian GNU/Linux 2.0 ad ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1409 (The at program in IRIX 6.2 and NetBSD 1.3.2 and earlier allows local u ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1407 (ifdhcpc-done script for configuring DHCP on Red Hat Linux 5 allows loc ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1402 (The access permissions for a UNIX domain socket are ignored in Solaris ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1397 (Index Server 2.0 on IIS 4.0 stores physical path information in the Co ...) NOT-FOR-US: Microsoft CVE-1999-1386 (Perl 5.004_04 and earlier follows symbolic links when running with the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1385 (Buffer overflow in ppp program in FreeBSD 2.1 and earlier allows local ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1384 (Indigo Magic System Tour in the SGI system tour package (systour) for ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1382 (NetWare NFS mode 1 and 2 implements the "Read Only" flag in Unix by ch ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1380 (Symantec Norton Utilities 2.0 for Windows 95 marks the TUNEOCX.OCX Act ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1379 (DNS allows remote attackers to use DNS name servers as traffic amplifi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1365 (Windows NT searches a user's home directory (%systemroot% by default) ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1363 (Windows NT 3.51 and 4.0 allow local users to cause a denial of service ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1362 (Win32k.sys in Windows NT 4.0 before SP2 allows local users to cause a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1360 (Windows NT 4.0 allows local users to cause a denial of service via a u ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1359 (When the Ntconfig.pol file is used on a server whose name is longer th ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1358 (When an administrator in Windows NT or Windows 2000 changes a user pol ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1356 (Compaq Integration Maintenance Utility as used in Compaq Insight Manag ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1351 (Directory traversal vulnerability in KVIrc IRC client 0.9.0 with the " ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1341 (Linux kernel before 2.3.18 or 2.2.13pre15, with SLIP and PPP options, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1339 (Vulnerability when Network Address Translation (NAT) is enabled in Lin ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1337 (FTP client in Midnight Commander (mc) before 4.5.11 stores usernames a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1336 (3Com HiPer Access Router Card (HiperARC) 4.0 through 4.2.29 allows rem ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1335 (snmpd server in cmu-snmp SNMP package before 3.3-1 in Red Hat Linux 4. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1333 (automatic download option in ncftp 2.4.2 FTP client in Red Hat Linux 5 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1332 (gzexe in the gzip package on Red Hat Linux 5.0 and earlier allows loca ...) {DSA-308} - gzip 1.3.5-6 CVE-1999-1331 (netcfg 2.16-1 in Red Hat Linux 4.2 allows the Ethernet interface to be ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1330 (The snprintf function in the db library 1.85.4 ignores the size parame ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1329 (Buffer overflow in SysVInit in Red Hat Linux 5.1 and earlier allows lo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1328 (linuxconf before 1.11.r11-rh3 on Red Hat Linux 5.1 allows local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1327 (Buffer overflow in linuxconf 1.11r11-rh2 on Red Hat Linux 5.1 allows l ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1326 (wu-ftpd 2.4 FTP server does not properly drop privileges when an ABOR ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1325 (SAS System 5.18 on VAX/VMS is installed with insecure permissions for ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1324 (VAXstations running Open VMS 5.3 through 5.5-2 with VMS DECwindows or ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1321 (Buffer overflow in ssh 1.2.26 client with Kerberos V enabled could all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1320 (Vulnerability in Novell NetWare 3.x and earlier allows local users to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1318 (/usr/5bin/su in SunOS 4.1.3 and earlier uses a search path that includ ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1317 (Windows NT 4.0 SP4 and earlier allows local users to gain privileges b ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1316 (Passfilt.dll in Windows NT SP2 allows users to create a password that ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1309 (Sendmail before 8.6.7 allows local users to gain root access via a lar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1301 (A design flaw in the Z-Modem protocol allows the remote sender of a fi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1298 (Sysinstall in FreeBSD 2.2.1 and earlier, when configuring anonymous FT ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1297 (cmdtool in OpenWindows 3.0 and XView 3.0 in SunOS 4.1.4 and earlier al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1294 (Office Shortcut Bar (OSB) in Windows 3.51 enables backup and restore p ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1290 (Buffer overflow in nftp FTP client version 1.40 allows remote maliciou ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1288 (Samba 1.9.18 inadvertently includes a prototype application, wsmbconf, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1284 (NukeNabber allows remote attackers to cause a denial of service by con ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1279 (An interaction between the AS/400 shared folders feature and Microsoft ...) NOT-FOR-US: Microsoft CVE-1999-1276 (fte-console in the fte package before 0.46b-4.1 does not drop root pri ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1263 (Metamail before 2.7-7.2 allows remote attackers to overwrite arbitrary ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1262 (Java in Netscape 4.5 does not properly restrict applets from connectin ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1259 (Microsoft Office 98, Macintosh Edition, does not properly initialize t ...) NOT-FOR-US: Microsoft CVE-1999-1258 (rpc.pwdauthd in SunOS 4.1.1 and earlier does not properly prevent remo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1249 (movemail in HP-UX 10.20 has insecure permissions, which allows local u ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1246 (Direct Mailer feature in Microsoft Site Server 3.0 saves user domain n ...) NOT-FOR-US: Microsoft CVE-1999-1243 (SGI Desktop Permissions Tool in IRIX 6.0.1 and earlier allows local us ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1233 (IIS 4.0 does not properly restrict access for the initial session requ ...) NOT-FOR-US: Microsoft CVE-1999-1226 (Netscape Communicator 4.7 and earlier allows remote attackers to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1223 (IIS 3.0 allows remote attackers to cause a denial of service via a req ...) NOT-FOR-US: Microsoft CVE-1999-1222 (Netbt.sys in Windows NT 4.0 allows remote malicious DNS servers to cau ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1217 (The PATH in Windows NT includes the current working directory (.), whi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1215 (LOGIN.EXE program in Novell Netware 4.0 and 4.01 temporarily writes us ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1214 (The asynchronous I/O facility in 4.4 BSD kernel does not check user cr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1209 (Vulnerability in scoterm in SCO OpenServer 5.0 and SCO Open Desktop/Op ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1208 (Buffer overflow in ping in AIX 4.2 and earlier allows local users to g ...) NOT-FOR-US: AIX CVE-1999-1205 (nettune in HP-UX 10.01 and 10.00 is installed setuid root, which allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1204 (Check Point Firewall-1 does not properly handle certain restricted key ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1203 (Multilink PPP for ISDN dialup users in Ascend before 4.6 allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1201 (Windows 95 and Windows 98 systems, when configured with multiple TCP/I ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1199 (Apache WWW server 1.3.1 and earlier allows remote attackers to cause a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1198 (BuildDisk program on NeXT systems before 2.0 does not prompt users for ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1197 (TIOCCONS in SunOS 4.1.1 does not properly check the permissions of a u ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1194 (chroot in Digital Ultrix 4.1 and 4.0 is insecurely installed, which al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1193 (The "me" user in NeXT NeXTstep 2.1 and earlier has wheel group privile ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1192 (Buffer overflow in eeprom in Solaris 2.5.1 and earlier allows local us ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1191 (Buffer overflow in chkey in Solaris 2.5.1 and earlier allows local use ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1189 (Buffer overflow in Netscape Navigator/Communicator 4.7 for Windows 95 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1188 (mysqld in MySQL 3.21 creates log files with world-readable permissions ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1181 (Vulnerability in On-Line Customer Registration software for IRIX 6.2 t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1177 (Directory traversal vulnerability in nph-publish before 1.2 allows rem ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1175 (Web Cache Control Protocol (WCCP) in Cisco Cache Engine for Cisco IOS ...) NOT-FOR-US: Cisco CVE-1999-1167 (Cross-site scripting vulnerability in Third Voice Web annotation utili ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1163 (Vulnerability in HP Series 800 S/X/V Class servers allows remote attac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1162 (Vulnerability in passwd in SCO UNIX 4.0 and earlier allows attackers t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1161 (Vulnerability in ppl in HP-UX 10.x and earlier allows local users to g ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1160 (Vulnerability in ftpd/kftpd in HP-UX 10.x and 9.x allows local and pos ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1159 (SSH 2.0.11 and earlier allows local users to request remote forwarding ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1157 (Tcpip.sys in Windows NT 4.0 before SP4 allows remote attackers to caus ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1156 (BisonWare FTP Server 4.1 and earlier allows remote attackers to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1148 (FTP service in IIS 4.0 and earlier allows remote attackers to cause a ...) NOT-FOR-US: Microsoft CVE-1999-1147 (Buffer overflow in Platinum Policy Compliance Manager (PCM) 7.0 allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1146 (Vulnerability in Glance and gpm programs in GlancePlus for HP-UX 9.x a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1145 (Vulnerability in Glance programs in GlancePlus for HP-UX 10.20 and ear ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1144 (Certain files in MPower in HP-UX 10.x are installed with insecure perm ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1143 (Vulnerability in runtime linker program rld in SGI IRIX 6.x and earlie ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1142 (SunOS 4.1.2 and earlier allows local users to gain privileges via "LD_ ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1140 (Buffer overflow in CrackLib 2.5 may allow local users to gain root pri ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1139 (Character-Terminal User Environment (CUE) in HP-UX 11.0 and earlier al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1138 (SCO UNIX System V/386 Release 3.2, and other SCO products, installs th ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1137 (The permissions for the /dev/audio device on Solaris 2.2 and earlier, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1136 (Vulnerability in Predictive on HP-UX 11.0 and earlier, and MPE/iX 5.5 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1132 (Windows NT 4.0 allows remote attackers to cause a denial of service (c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1131 (Buffer overflow in OSF Distributed Computing Environment (DCE) securit ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1127 (Windows NT 4.0 does not properly shut down invalid named pipe RPC conn ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1122 (Vulnerability in restore in SunOS 4.0.3 and earlier allows local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1121 (The default configuration for UUCP in AIX before 3.2 allows local user ...) NOT-FOR-US: AIX CVE-1999-1120 (netprint in SGI IRIX 6.4 and earlier trusts the PATH environmental var ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1119 (FTP installation script anon.ftp in AIX insecurely configures anonymou ...) NOT-FOR-US: AIX CVE-1999-1118 (ndd in Solaris 2.6 allows local users to cause a denial of service by ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1117 (lquerypv in AIX 4.1 and 4.2 allows local users to read arbitrary files ...) NOT-FOR-US: AIX CVE-1999-1116 (Vulnerability in runpriv in Indigo Magic System Administration subsyst ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1115 (Vulnerability in the /etc/suid_exec program in HP Apollo Domain/OS sr1 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1114 (Buffer overflow in Korn Shell (ksh) suid_exec program on IRIX 6.x and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1111 (Vulnerability in StackGuard before 1.21 allows remote attackers to byp ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1109 (Sendmail before 8.10.0 allows remote attackers to cause a denial of se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1105 (Windows 95, when Remote Administration and File Sharing for NetWare Ne ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1104 (Windows 95 uses weak encryption for the password list (.pwl) file used ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1103 (dxconsole in DEC OSF/1 3.2C and earlier allows local users to read arb ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1102 (lpr on SunOS 4.1.1, BSD 4.3, A/UX 2.0.1, and other BSD-based operating ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1100 (Cisco PIX Private Link 4.1.6 and earlier does not properly process cer ...) NOT-FOR-US: Cisco CVE-1999-1099 (Kerberos 4 allows remote attackers to obtain sensitive information via ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1098 (Vulnerability in BSD Telnet client with encryption and Kerberos 4 auth ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1094 (Buffer overflow in Internet Explorer 4.01 and earlier allows remote at ...) NOT-FOR-US: Microsoft CVE-1999-1093 (Buffer overflow in the Window.External function in the JScript Scripti ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1090 (The default configuration of NCSA Telnet package for Macintosh and PC ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1087 (Internet Explorer 4 treats a 32-bit number ("dotless IP address") in t ...) NOT-FOR-US: Microsoft CVE-1999-1085 (SSH 1.2.25, 1.2.23, and other versions, when used in in CBC (Cipher Bl ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1080 (rmmount in SunOS 5.7 may mount file systems without the nosuid flag se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1074 (Webmin before 0.5 does not restrict the number of invalid passwords th ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1059 (Vulnerability in rexec daemon (rexecd) in AT&T TCP/IP 4.0 for vari ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1057 (VMS 4.0 through 5.3 allows local users to gain privileges via the ANAL ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1055 (Microsoft Excel 97 does not warn the user before executing worksheet f ...) NOT-FOR-US: Microsoft CVE-1999-1048 (Buffer overflow in bash 2.0.0, 1.4.17, and other versions allows local ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1047 (When BSDI patches for Gauntlet 5.0 BSDI are installed in a particular ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1045 (pnserver in RealServer 5.0 and earlier allows remote attackers to caus ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1044 (Vulnerability in Advanced File System Utility (advfs) in Digital UNIX ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1037 (rex.satan in SATAN 1.1.1 allows local users to overwrite arbitrary fil ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1035 (IIS 3.0 and 4.0 on x86 and Alpha allows remote attackers to cause a de ...) NOT-FOR-US: Microsoft CVE-1999-1034 (Vulnerability in login in AT&T System V Release 4 allows local use ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1032 (Vulnerability in LAT/Telnet Gateway (lattelnet) on Ultrix 4.1 and 4.2 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1028 (Symantec pcAnywhere 8.0 allows remote attackers to cause a denial of s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1027 (Solaris 2.6 HW3/98 installs admintool with world-writable permissions, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1021 (NFS on SunOS 4.1 through 4.1.2 ignores the high order 16 bits in a 32 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1019 (SpectroSERVER in Cabletron Spectrum Enterprise Manager 5.0 installs a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1014 (Buffer overflow in mail command in Solaris 2.7 and 2.7 allows local us ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1011 (The Remote Data Service (RDS) DataFactory component of Microsoft Data ...) NOT-FOR-US: Microsoft CVE-1999-1010 (An SSH 1.2.27 server allows a client to use the "none" cipher, even if ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1008 (xsoldier program allows local users to gain root access via a long arg ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1007 (Buffer overflow in VDO Live Player allows remote attackers to execute ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1005 (Groupwise web server GWWEB.EXE allows remote attackers to read arbitra ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1004 (Buffer overflow in the POP server POProxy for the Norton Anti-Virus pr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1001 (Cisco Cache Engine allows a remote attacker to gain access via a null ...) NOT-FOR-US: Cisco CVE-1999-1000 (The web administration interface for Cisco Cache Engine allows remote ...) NOT-FOR-US: Cisco CVE-1999-0999 (Microsoft SQL 7.0 server allows a remote attacker to cause a denial of ...) NOT-FOR-US: Microsoft CVE-1999-0998 (Cisco Cache Engine allows an attacker to replace content in the cache. ...) NOT-FOR-US: Cisco CVE-1999-0997 (wu-ftp with FTP conversion enabled allows an attacker to execute comma ...) {DSA-377} - wu-ftpd 2.6.2-15 CVE-1999-0996 (Buffer overflow in Infoseek Ultraseek search engine allows remote atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0995 (Windows NT Local Security Authority (LSA) allows remote attackers to c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0994 (Windows NT with SYSKEY reuses the keystream that is used for encryptin ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0992 (HP VirtualVault with the PHSS_17692 patch allows unprivileged processe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0991 (Buffer overflow in GoodTech Telnet Server NT allows remote users to ca ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0989 (Buffer overflow in Internet Explorer 5 directshow filter (MSDXM.OCX) a ...) NOT-FOR-US: Microsoft CVE-1999-0987 (Windows NT does not properly download a system policy if the domain us ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0986 (The ping command in Linux 2.0.3x allows local users to cause a denial ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0982 (The Sun Web-Based Enterprise Management (WBEM) installation script sto ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0981 (Internet Explorer 5.01 and earlier allows a remote attacker to create ...) NOT-FOR-US: Microsoft CVE-1999-0980 (Windows NT Service Control Manager (SCM) allows remote attackers to ca ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0979 (The SCO UnixWare privileged process system allows local users to gain ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0978 (htdig allows remote attackers to execute commands via filenames with s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0977 (Buffer overflow in Solaris sadmind allows remote attackers to gain roo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0976 (Sendmail allows local users to reinitialize the aliases database via t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0975 (The Windows help system can allow a local user to execute commands as ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0974 (Buffer overflow in Solaris snoop allows remote attackers to gain root ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0973 (Buffer overflow in Solaris snoop program allows remote attackers to ga ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0972 (Buffer overflow in Xshipwars xsw program. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0971 (Buffer overflow in Exim allows local users to gain root privileges via ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0969 (The Windows NT RPC service allows remote attackers to conduct a denial ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0968 (Buffer overflow in BNC IRC proxy allows remote attackers to gain privi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0967 (Buffer overflow in the HTML library used by Internet Explorer, Outlook ...) NOT-FOR-US: Microsoft CVE-1999-0966 (Buffer overflow in Solaris getopt in libc allows local users to gain r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0965 (Race condition in xterm allows local users to modify arbitrary files v ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0964 (Buffer overflow in FreeBSD setlocale in the libc module allows attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0963 (FreeBSD mount_union command allows local users to gain root privileges ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0962 (Buffer overflow in HPUX passwd command allows local users to gain root ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0961 (HPUX sysdiag allows local users to gain root privileges via a symlink ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0960 (IRIX cdplayer allows local users to create directories in arbitrary lo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0959 (IRIX startmidi program allows local users to modify arbitrary files vi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0958 (sudo 1.5.x allows local users to execute arbitrary commands via a .. ( ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0957 (MajorCool mj_key_cache program allows local users to modify files via ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0956 (The NeXT NetInfo _writers property allows local users to gain root pri ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0955 (Race condition in wu-ftpd and BSDI ftpd allows remote attackers to gai ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0954 (WWWBoard has a default username and default password. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0953 (WWWBoard stores encrypted passwords in a password file that is under t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0951 (Buffer overflow in OmniHTTPd CGI program imagemap.exe allows remote at ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0950 (Buffer overflow in WFTPD FTP server allows remote attackers to gain ro ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0947 (AN-HTTPd provides example CGI scripts test.bat, input.bat, input2.bat, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0946 (Buffer overflow in Yamaha MidiPlug via a Text variable in an EMBED tag ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0945 (Buffer overflow in Internet Mail Service (IMS) for Microsoft Exchange ...) NOT-FOR-US: Microsoft CVE-1999-0943 (Buffer overflow in OpenLink 3.2 allows remote attackers to gain privil ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0942 (UnixWare dos7utils allows a local user to gain root privileges by usin ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0940 (Buffer overflow in mutt mail client allows remote attackers to execute ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0939 (Denial of service in Debian IRC Epic/epic4 client via a long string. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0938 (MBone SDR Package allows remote attackers to execute commands via shel ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0937 (BNBForm allows remote attackers to read arbitrary files via the autome ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0936 (BNBSurvey survey.cgi program allows remote attackers to execute comman ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0935 (classifieds.cgi allows remote attackers to execute arbitrary commands ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0934 (classifieds.cgi allows remote attackers to read arbitrary files via sh ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0933 (TeamTrack web server allows remote attackers to read arbitrary files v ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0932 (Mediahouse Statistics Server allows remote attackers to read the admin ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0931 (Buffer overflow in Mediahouse Statistics Server allows remote attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0930 (wwwboard allows a remote attacker to delete message board articles via ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0928 (Buffer overflow in SmartDesk WebSuite allows remote attackers to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0927 (NTMail allows remote attackers to read arbitrary files via a .. (dot d ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0924 (The Syntax Checker in ColdFusion Server 4.0 allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0922 (An example application in ColdFusion Server 4.0 allows remote attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0921 (BMC Patrol allows any remote attacker to flood its UDP port, causing a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0920 (Buffer overflow in the pop-2d POP daemon in the IMAP package allows re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0918 (Denial of service in various Windows systems via malformed, fragmented ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0917 (The Preloader ActiveX control used by Internet Explorer allows remote ...) NOT-FOR-US: Microsoft CVE-1999-0916 (WebTrends software stores account names and passwords in a file which ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0915 (URL Live! web server allows remote attackers to read arbitrary files v ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0914 (Buffer overflow in the FTP client in the Debian GNU/Linux netstd packa ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0912 (FreeBSD VFS cache (vfs_cache) allows local users to cause a denial of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0909 (Multihomed Windows systems allow a remote attacker to bypass IP source ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0908 (Denial of service in Solaris TCP streams driver via a malicious connec ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0907 (sccw allows local users to read arbitrary files. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0906 (Buffer overflow in sccw allows local users to gain root access via the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0905 (Denial of service in Axent Raptor firewall via malformed zero-length I ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0904 (Buffer overflow in BFTelnet allows remote attackers to cause a denial ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0903 (genfilt in the AIX Packet Filtering Module does not properly filter tr ...) NOT-FOR-US: AIX CVE-1999-0902 (ypserv allows local administrators to modify password tables. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0901 (ypserv allows a local user to modify the GECOS and login shells of oth ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0900 (Buffer overflow in rpc.yppasswdd allows a local user to gain privilege ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0899 (The Windows NT 4.0 print spooler allows a local user to execute arbitr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0898 (Buffer overflows in Windows NT 4.0 print spooler allow remote attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0897 (iChat ROOMS Webserver allows remote attackers to read arbitrary files ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0896 (Buffer overflow in RealNetworks RealServer administration utility allo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0895 (Firewall-1 does not properly restrict access to LDAP attributes. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0894 (Red Hat Linux screen program does not use Unix98 ptys, allowing local ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0893 (userOsa in SCO OpenServer allows local users to corrupt files via a sy ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0892 (Buffer overflow in Netscape Communicator before 4.7 via a dynamic font ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0891 (The "download behavior" in Internet Explorer 5 allows remote attackers ...) NOT-FOR-US: Microsoft CVE-1999-0890 (iHTML Merchant allows remote attackers to obtain sensitive information ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0889 (Cisco 675 routers running CBOS allow remote attackers to establish tel ...) NOT-FOR-US: Cisco CVE-1999-0888 (dbsnmp in Oracle Intelligent Agent allows local users to gain privileg ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0887 (FTGate web interface server allows remote attackers to read files via ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0886 (The security descriptor for RASMAN allows users to point to an alterna ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0884 (The Zeus web server administrative interface uses weak encryption for ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0883 (Zeus web server allows remote attackers to read arbitrary files by spe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0881 (Falcon web server allows remote attackers to read arbitrary files via ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0880 (Denial of service in WU-FTPD via the SITE NEWER command, which does no ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0879 (Buffer overflow in WU-FTPD and related FTP servers allows remote attac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0878 (Buffer overflow in WU-FTPD and related FTP servers allows remote attac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0877 (Internet Explorer 5 allows remote attackers to read files via an ExecC ...) NOT-FOR-US: Microsoft CVE-1999-0876 (Buffer overflow in Internet Explorer 4.0 via EMBED tag. ...) NOT-FOR-US: Microsoft CVE-1999-0875 (DHCP clients with ICMP Router Discovery Protocol (IRDP) enabled allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0874 (Buffer overflow in IIS 4.0 allows remote attackers to cause a denial o ...) NOT-FOR-US: Microsoft CVE-1999-0873 (Buffer overflow in Skyfull mail server via MAIL FROM command. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0871 (Internet Explorer 4.0 and 4.01 allow a remote attacker to read files v ...) NOT-FOR-US: Microsoft CVE-1999-0870 (Internet Explorer 4.01 allows remote attackers to read arbitrary files ...) NOT-FOR-US: Microsoft CVE-1999-0869 (Internet Explorer 3.x to 4.01 allows a remote attacker to insert malic ...) NOT-FOR-US: Microsoft CVE-1999-0868 (ucbmail allows remote attackers to execute commands via shell metachar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0867 (Denial of service in IIS 4.0 via a flood of HTTP requests with malform ...) NOT-FOR-US: Microsoft CVE-1999-0866 (Buffer overflow in UnixWare xauto program allows local users to gain r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0865 (Buffer overflow in CommuniGatePro via a long string to the HTTP config ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0864 (UnixWare programs that dump core allow a local user to modify files vi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0861 (Race condition in the SSL ISAPI filter in IIS and other servers may le ...) NOT-FOR-US: Microsoft CVE-1999-0859 (Solaris arp allows local users to read files via the -f parameter, whi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0858 (Internet Explorer 5 allows a remote attacker to modify the IE client's ...) NOT-FOR-US: Microsoft CVE-1999-0856 (login in Slackware 7.0 allows remote attackers to identify valid users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0854 (Ultimate Bulletin Board stores data files in the cgi-bin directory, al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0853 (Buffer overflow in Netscape Enterprise Server and Netscape FastTrack S ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0851 (Denial of service in BIND named via naptr. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0849 (Denial of service in BIND named via maxdname. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0848 (Denial of service in BIND named via consuming more than "fdmax" file d ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0847 (Buffer overflow in free internet chess server (FICS) program, xboard. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0842 (Symantec Mail-Gear 1.0 web interface server allows remote users to rea ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0839 (Windows NT Task Scheduler installed with Internet Explorer 5 allows a ...) NOT-FOR-US: Microsoft CVE-1999-0838 (Buffer overflow in Serv-U FTP 2.5 allows remote users to conduct a den ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0837 (Denial of service in BIND by improperly closing TCP sessions via so_li ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0836 (UnixWare uidadmin allows local users to modify arbitrary files via a s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0835 (Denial of service in BIND named via malformed SIG records. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0834 (Buffer overflow in RSAREF2 via the encryption and decryption functions ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0833 (Buffer overflow in BIND 8.2 via NXT records. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0832 (Buffer overflow in NFS server on Linux allows attackers to execute com ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0831 (Denial of service in Linux syslogd via a large number of connections. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0826 (Buffer overflow in FreeBSD angband allows local users to gain privileg ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0824 (A Windows NT user can use SUBST to map a drive letter to a folder, whi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0823 (Buffer overflow in FreeBSD xmindpath allows local users to gain privil ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0820 (FreeBSD seyon allows users to gain privileges via a modified PATH vari ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0819 (NTMail does not disable the VRFY command, even if the administrator ha ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0817 (Lynx WWW client allows a remote attacker to specify command-line param ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0815 (Memory leak in SNMP agent in Windows NT 4.0 before SP5 allows remote a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0814 (Red Hat pump DHCP client allows remote attackers to gain root access i ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0813 (Cfingerd with ALLOW_EXECUTION enabled does not properly drop privilege ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0812 (Race condition in Samba smbmnt allows local users to mount file system ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0811 (Buffer overflow in Samba smbd program via a malformed message command. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0810 (Denial of service in Samba NETBIOS name service daemon (nmbd). ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0809 (Netscape Communicator 4.x with Javascript enabled does not warn a user ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0807 (The Netscape Directory Server installation procedure leaves sensitive ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0806 (Buffer overflow in Solaris dtprintinfo program. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0804 (Denial of service in Linux 2.2.x kernels via malformed ICMP packets co ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0803 (The fwluser script in AIX eNetwork Firewall allows local users to writ ...) NOT-FOR-US: AIX CVE-1999-0802 (Buffer overflow in Internet Explorer 5 allows remote attackers to exec ...) NOT-FOR-US: Microsoft CVE-1999-0801 (BMC Patrol allows remote attackers to gain access to an agent by spoof ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0800 (The GetFile.cfm file in Allaire Forums allows remote attackers to read ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0799 (Buffer overflow in bootpd 2.4.3 and earlier via a long boot file locat ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0797 (NIS finger allows an attacker to conduct a denial of service via a lar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0796 (FreeBSD T/TCP Extensions for Transactions can be subjected to spoofing ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0794 (Microsoft Excel does not warn a user when a macro is present in a Symb ...) NOT-FOR-US: Microsoft CVE-1999-0793 (Internet Explorer allows remote attackers to read files by redirecting ...) NOT-FOR-US: Microsoft CVE-1999-0791 (Hybrid Network cable modems do not include an authentication mechanism ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0790 (A remote attacker can read information from a Netscape user's cache vi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0789 (Buffer overflow in AIX ftpd in the libc library. ...) NOT-FOR-US: AIX CVE-1999-0788 (Arkiea nlservd allows remote attackers to conduct a denial of service. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0787 (The SSH authentication agent follows symlinks via a UNIX domain socket ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0786 (The dynamic linker in Solaris allows a local user to create arbitrary ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0785 (The INN inndstart program allows local users to gain root privileges v ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0783 (FreeBSD allows local users to conduct a denial of service by creating ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0782 (KDE kppp allows local users to create a directory in an arbitrary loca ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0781 (KDE allows local users to execute arbitrary commands by setting the KD ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0780 (KDE klock allows local users to kill arbitrary processes by specifying ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0779 (Denial of service in HP-UX SharedX recserv program. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0778 (Buffer overflow in Xi Graphics Accelerated-X server allows local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0777 (IIS FTP servers may allow a remote attacker to read or delete files on ...) NOT-FOR-US: Microsoft CVE-1999-0775 (Cisco Gigabit Switch routers running IOS allow remote attackers to for ...) NOT-FOR-US: Cisco CVE-1999-0774 (Buffer overflows in Mars NetWare Emulation (NWE, mars_nwe) package via ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0773 (Buffer overflow in Solaris lpset program allows local users to gain ro ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0772 (Denial of service in Compaq Management Agents and the Compaq Survey Ut ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0771 (The web components of Compaq Management Agents and the Compaq Survey U ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0770 (Firewall-1 sets a long timeout for connections that begin with ACK or ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0769 (Vixie Cron on Linux systems allows local users to set parameters of se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0768 (Buffer overflow in Vixie Cron on Red Hat systems via the MAILTO enviro ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0766 (The Microsoft Java Virtual Machine allows a malicious Java applet to e ...) NOT-FOR-US: Microsoft CVE-1999-0765 (SGI IRIX midikeys program allows local users to modify arbitrary files ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0764 (NetBSD allows ARP packets to overwrite static ARP entries. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0763 (NetBSD on a multi-homed host allows ARP packets on one network to modi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0762 (When Javascript is embedded within the TITLE tag, Netscape Communicato ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0761 (Buffer overflow in FreeBSD fts library routines allows local user to m ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0760 (Undocumented ColdFusion Markup Language (CFML) tags and functions in t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0759 (Buffer overflow in FuseMAIL POP service via long USER and PASS command ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0758 (Netscape Enterprise 3.5.1 and FastTrack 3.01 servers allow a remote at ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0756 (ColdFusion Administrator with Advanced Security enabled allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0755 (Windows NT RRAS and RAS clients cache a user's password even if the us ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0754 (The INN inndstart program allows local users to gain privileges by spe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0753 (The w3-msql CGI script provided with Mini SQL allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0752 (Denial of service in Netscape Enterprise Server via a buffer overflow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0751 (Buffer overflow in Accept command in Netscape Enterprise Server 3.6 wi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0749 (Buffer overflow in Microsoft Telnet client in Windows 95 and Windows 9 ...) NOT-FOR-US: Microsoft CVE-1999-0747 (Denial of service in BSDi Symmetric Multiprocessing (SMP) when an fsta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0746 (A default configuration of in.identd in SuSE Linux waits 120 seconds b ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0745 (Buffer overflow in Source Code Browser Program Database Name Server Da ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0744 (Buffer overflow in Netscape Enterprise Server and FastTrask Server all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0743 (Trn allows local users to overwrite other users' files via symlinks. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0742 (The Debian mailman package uses weak authentication, which allows atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0740 (Remote attackers can cause a denial of service on Linux in.telnetd tel ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0735 (KDE K-Mail allows local users to gain privileges via a symlink attack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0734 (A default configuration of CiscoSecure Access Control Server (ACS) all ...) NOT-FOR-US: Cisco CVE-1999-0733 (Buffer overflow in VMWare 1.0.1 for Linux via a long HOME environmenta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0732 (The logging facility of the Debian smtp-refuser package allows local u ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0731 (The KDE klock program allows local users to unlock a session using mal ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0730 (The zsoelim program in the Debian man-db package allows local users to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0729 (Buffer overflow in Lotus Notes LDAP (NLDAP) allows an attacker to cond ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0728 (A Windows NT user can disable the keyboard or mouse by directly callin ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0727 (A kernel leak in the OpenBSD kernel allows IPsec packets to be sent un ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0726 (An attacker can conduct a denial of service in Windows NT by executing ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0725 (When IIS is run with a default language of Chinese, Korean, or Japanes ...) NOT-FOR-US: Microsoft CVE-1999-0724 (Buffer overflow in OpenBSD procfs and fdescfs file systems via uio_off ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0723 (The Windows NT Client Server Runtime Subsystem (CSRSS) can be subjecte ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0722 (The default configuration of Cobalt RaQ2 servers allows remote users t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0721 (Denial of service in Windows NT Local Security Authority (LSA) through ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0720 (The pt_chown command in Linux allows local users to modify TTY termina ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0719 (The Guile plugin for the Gnumeric spreadsheet package allows attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0718 (IBM GINA, when used for OS/2 domain authentication of Windows NT users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0717 (A remote attacker can disable the virus warning mechanism in Microsoft ...) NOT-FOR-US: Microsoft CVE-1999-0716 (Buffer overflow in Windows NT 4.0 help file utility via a malformed he ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0715 (Buffer overflow in Remote Access Service (RAS) client allows an attack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0714 (Vulnerability in Compaq Tru64 UNIX edauth command. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0713 (The dtlogin program in Compaq Tru64 UNIX allows local users to gain ro ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0711 (The oratclsh interpreter in Oracle 8.x Intelligent Agent for Unix allo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0710 (The Squid package in Red Hat Linux 5.2 and 6.0, and other distribution ...) {DSA-576-1} - squid 2.5.7-1 CVE-1999-0708 (Buffer overflow in cfingerd allows local users to gain root privileges ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0707 (The default FTP configuration in HP Visualize Conference allows confer ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0706 (Linux xmonisdn package allows local users to gain root privileges by m ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0705 (Buffer overflow in INN inews program. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0704 (Buffer overflow in Berkeley automounter daemon (amd) logging facility ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0703 (OpenBSD, BSDI, and other Unix operating systems allow users to set chf ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0702 (Internet Explorer 5.0 and 5.01 allows remote attackers to modify or ex ...) NOT-FOR-US: Microsoft CVE-1999-0701 (After an unattended installation of Windows NT 4.0, an installation fi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0700 (Buffer overflow in Microsoft Phone Dialer (dialer.exe), via a malforme ...) NOT-FOR-US: Microsoft CVE-1999-0699 (The Bluestone Sapphire web server allows session hijacking via easily ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0697 (SCO Doctor allows local users to gain root privileges through a Tools ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0696 (Buffer overflow in CDE Calendar Manager Service Daemon (rpc.cmsd). ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0695 (The Sybase PowerDynamo personal web server allows attackers to read ar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0694 (Denial of service in AIX ptrace system call allows local users to cras ...) NOT-FOR-US: AIX CVE-1999-0693 (Buffer overflow in TT_SESSION environment variable in ToolTalk shared ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0692 (The default configuration of the Array Services daemon (arrayd) disabl ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0691 (Buffer overflow in the AddSuLog function of the CDE dtaction utility a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0690 (HP CDE program includes the current directory in root's PATH variable. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0689 (The CDE dtspcd daemon allows local users to execute arbitrary commands ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0688 (Buffer overflows in HP Software Distributor (SD) for HPUX 10.x and 11. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0687 (The ToolTalk ttsession daemon uses weak RPC authentication, which allo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0686 (Denial of service in Netscape Enterprise Server (NES) in HP Virtual Va ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0685 (Buffer overflow in Netscape Communicator via EMBED tags in the plugins ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0683 (Denial of service in Gauntlet Firewall via a malformed ICMP packet. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0682 (Microsoft Exchange 5.5 allows a remote attacker to relay email (i.e. s ...) NOT-FOR-US: Microsoft CVE-1999-0681 (Buffer overflow in Microsoft FrontPage Server Extensions (PWS) 3.0.2.9 ...) NOT-FOR-US: Microsoft CVE-1999-0680 (Windows NT Terminal Server performs extra work when a client opens a n ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0679 (Buffer overflow in hybrid-6 IRC server commonly used on EFnet allows r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0678 (A default configuration of Apache on Debian GNU/Linux sets the ServerR ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0676 (sdtcm_convert in Solaris 2.6 allows a local user to overwrite sensitiv ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0675 (Check Point FireWall-1 can be subjected to a denial of service via UDP ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0674 (The BSD profil system call allows a local user to modify the internal ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0672 (Buffer overflow in Fujitsu Chocoa IRC client via IRC channel topics. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0671 (Buffer overflow in ToxSoft NextFTP client through CWD command. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0668 (The scriptlet.typelib ActiveX control is marked as "safe for scripting ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0628 (The rwho/rwhod service is running, which exposes machine status and us ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0627 (The rexd service is running, which uses weak authentication that can a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0626 (A version of rusers is running that exposes valid user information to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0612 (A version of finger is running that exposes valid user information to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0608 (An incorrect configuration of the PDG Shopping Cart CGI program "shopp ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0566 (An attacker can write to syslog files from any location, causing a den ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0551 (HP OpenMail can be misconfigured to allow users to run arbitrary comma ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0526 (An X server's access control is disabled (e.g. through an "xhost +" co ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0514 (UDP messages to broadcast addresses are allowed, allowing for a Fraggl ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0513 (ICMP messages to broadcast addresses are allowed, allowing for a Smurf ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0496 (A Windows NT 4.0 user can gain administrative rights by forcing NtOpen ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0494 (Denial of service in WinGate proxy through a buffer overflow in POP3. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0493 (rpc.statd allows remote attackers to forward RPC calls to the local op ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0491 (The prompt parsing in bash allows a local user to execute commands as ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0487 (The DHTML Edit ActiveX control in Internet Explorer allows remote atta ...) NOT-FOR-US: Microsoft CVE-1999-0485 (Remote attackers can cause a system crash through ipintr() in ipq in O ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0484 (Buffer overflow in OpenBSD ping. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0483 (OpenBSD crash using nlink value in FFS and EXT2FS filesystems. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0482 (OpenBSD kernel crash through TSS handling, as caused by the crashme pr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0481 (Denial of service in "poll" in OpenBSD. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0479 (Denial of service Netscape Enterprise Server with VirtualVault on HP-U ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0478 (Denial of service in HP-UX sendmail 8.8.6 related to accepting connect ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0475 (A race condition in how procmail handles .procmailrc files allows a lo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0474 (The ICQ Webserver allows remote attackers to use .. to access arbitrar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0473 (The rsync command before rsync 2.3.1 may inadvertently change the perm ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0472 (The SNMP default community name "public" is not properly removed in Ne ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0471 (The remote proxy server in Winroute allows a remote attacker to reconf ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0470 (A weak encryption algorithm is used for passwords in Novell Remote.NLM ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0468 (Internet Explorer 5.0 allows a remote server to read arbitrary files o ...) NOT-FOR-US: Microsoft CVE-1999-0466 (The SVR4 /dev/wabi special device file in NetBSD 1.3.3 and earlier all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0464 (Local users can perform a denial of service in Tripwire 1.2 and earlie ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0463 (Remote attackers can perform a denial of service using IRIX fcagent. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0458 (L0phtcrack 2.5 used temporary files in the system TEMP directory which ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0457 (Linux ftpwatch program allows local users to gain root privileges. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0449 (The ExAir sample site in IIS 4 allows remote attackers to cause a deni ...) NOT-FOR-US: Microsoft CVE-1999-0448 (IIS 4.0 and Apache log HTTP request methods, regardless of how long th ...) NOT-FOR-US: Microsoft CVE-1999-0447 (Local users can gain privileges using the debug utility in the MPE/iX ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0446 (Local users can perform a denial of service in NetBSD 1.3.3 and earlie ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0445 (In Cisco routers under some versions of IOS 12.0 running NAT, some pac ...) NOT-FOR-US: Cisco CVE-1999-0442 (Solaris ff.core allows local users to modify files. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0441 (Remote attackers can perform a denial of service in WinGate machines u ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0440 (The byte code verifier component of the Java Virtual Machine (JVM) all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0439 (Buffer overflow in procmail before version 3.12 allows remote or local ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0438 (Remote attackers can perform a denial of service in WebRamp systems by ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0437 (Remote attackers can perform a denial of service in WebRamp systems by ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0436 (Domain Enterprise Server Management System (DESMS) in HP-UX allows loc ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0433 (XFree86 startx command is vulnerable to a symlink attack, allowing loc ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0432 (ftp on HP-UX 11.00 allows local users to gain privileges. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0430 (Cisco Catalyst LAN switches running Catalyst 5000 supervisor software ...) NOT-FOR-US: Cisco CVE-1999-0429 (The Lotus Notes 4.5 client may send a copy of encrypted mail in the cl ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0428 (OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and by ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0425 (talkback in Netscape 4.5 allows a local user to kill an arbitrary proc ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0424 (talkback in Netscape 4.5 allows a local user to overwrite arbitrary fi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0423 (Vulnerability in hpterm on HP-UX 10.20 allows local users to gain addi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0422 (In some cases, NetBSD 1.3.3 mount allows local users to execute progra ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0421 (During a reboot after an installation of Linux Slackware 3.6, a remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0420 (umapfs allows local users to gain root privileges by changing their ui ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0417 (64 bit Solaris 7 procfs allows local users to perform a denial of serv ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0416 (Vulnerability in Cisco 7xx series routers allows a remote attacker to ...) NOT-FOR-US: Cisco CVE-1999-0415 (The HTTP server in Cisco 7xx series routers 3.2 through 4.2 is enabled ...) NOT-FOR-US: Cisco CVE-1999-0414 (In Linux before version 2.0.36, remote attackers can spoof a TCP conne ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0413 (A buffer overflow in the SGI X server allows local users to gain root ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0412 (In IIS and other web servers, an attacker can attack commands as SYSTE ...) NOT-FOR-US: Microsoft CVE-1999-0410 (The cancel command in Solaris 2.6 (i386) has a buffer overflow that al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0409 (Buffer overflow in gnuplot in Linux version 3.5 allows local users to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0408 (Files created from interactive shell sessions in Cobalt RaQ microserve ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0407 (By default, IIS 4.0 has a virtual directory /IISADMPWD which contains ...) NOT-FOR-US: Microsoft CVE-1999-0405 (A buffer overflow in lsof allows local users to obtain root privilege. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0404 (Buffer overflow in the Mail-Max SMTP server for Windows systems allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0403 (A bug in Cyrix CPUs on Linux allows local users to perform a denial of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0402 (wget 1.5.3 follows symlinks to change permissions of the target file i ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0396 (A race condition between the select() and accept() calls in NetBSD TCP ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0395 (A race condition in the BackWeb Polite Agent Protocol allows an attack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0393 (Remote attackers can cause a denial of service in Sendmail 8.8.x and 8 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0392 (Buffer overflow in Thomas Boutell's cgic library version up to 1.05. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0391 (The cryptographic challenge of SMB authentication in Windows 95 and Wi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0390 (Buffer overflow in Dosemu Slang library in Linux. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0388 (DataLynx suGuard trusts the PATH environment variable to execute the p ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0387 (A legacy credential caching mechanism used in Windows 95 and Windows 9 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0386 (Microsoft Personal Web Server and FrontPage Personal Web Server in som ...) NOT-FOR-US: Microsoft CVE-1999-0385 (The LDAP bind function in Exchange 5.5 has a buffer overflow that allo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0384 (The Forms 2.0 ActiveX control (included with Visual Basic for Applicat ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0383 (ACC Tigris allows public access without a login. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0382 (The screen saver in Windows NT does not verify that its security conte ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0380 (SLMail 3.1 and 3.2 allows local users to access any file in the NTFS f ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0379 (Microsoft Taskpads allows remote web sites to execute commands on the ...) NOT-FOR-US: Microsoft CVE-1999-0378 (InterScan VirusWall for Solaris doesn't scan files for viruses when a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0377 (Process table attack in Unix systems allows a remote attacker to perfo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0376 (Local users in Windows NT can obtain administrator privileges by chang ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0375 (Buffer overflow in webd in Network Flight Recorder (NFR) 2.0.2-Researc ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0374 (Debian GNU/Linux cfengine package is susceptible to a symlink attack. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0373 (Buffer overflow in the "Super" utility in Debian GNU/Linux, and other ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0372 (The installer for BackOffice Server includes account names and passwor ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0371 (Lynx allows a local user to overwrite sensitive files through /tmp sym ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0369 (The Sun sdtcm_convert calendar utility for OpenWindows has a buffer ov ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0368 (Buffer overflows in wuarchive ftpd (wu-ftpd) and ProFTPD lead to remot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0367 (NetBSD netstat command allows local users to access kernel memory. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0366 (In some cases, Service Pack 4 for Windows NT 4.0 can allow access to n ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0365 (The metamail package allows remote command execution using shell metac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0363 (SuSE 5.2 PLP lpc program has a buffer overflow that leads to root comp ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0362 (WS_FTP server remote denial of service through cwd command. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0358 (Digital Unix 4.0 has a buffer overflow in the inc program of the mh pa ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0357 (Windows 98 and other operating systems allows remote attackers to caus ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0355 (Local or remote users can force ControlIT 4.5 to reboot or force a use ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0353 (rpc.pcnfsd in HP gives remote root access by changing the permissions ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0351 (FTP PASV "Pizza Thief" denial of service and unauthorized data access. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0350 (Race condition in the db_loader program in ClearCase gives local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0349 (A buffer overflow in the FTP list (ls) command in IIS allows remote at ...) NOT-FOR-US: Microsoft CVE-1999-0348 (IIS ASP caching problem releases sensitive information when two virtua ...) NOT-FOR-US: Microsoft CVE-1999-0346 (CGI PHP mlog script allows an attacker to read any file on the target ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0344 (NT users can gain debug-level access on a system process using the Sec ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0343 (A malicious Palace server can force a client to execute arbitrary prog ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0342 (Linux PAM modules allow local users to gain root access using temporar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0341 (Buffer overflow in the Linux mail program "deliver" allows local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0340 (Buffer overflow in Linux Slackware crond program allows local users to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0339 (Buffer overflow in the libauth library in Solaris allows local users t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0338 (AIX Licensed Program Product performance tools allow local users to ga ...) NOT-FOR-US: AIX CVE-1999-0337 (AIX batch queue (bsh) allows local and remote users to gain additional ...) NOT-FOR-US: AIX CVE-1999-0335 (DEPRECATED. This entry has been deprecated. It is a duplicate of CVE ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0334 (In Solaris 2.2 and 2.3, when fsck fails on startup, it allows a local ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0332 (Buffer overflow in NetMeeting allows denial of service and remote comm ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0329 (SGI mediad program allows local users to gain root access. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0328 (SGI permissions program allows local users to gain root privileges. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0327 (SGI syserr program allows local users to corrupt files. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0326 (Vulnerability in HP-UX mediainit program. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0325 (vhe_u_mnt program in HP-UX allows local users to create root files thr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0324 (ppl program in HP-UX allows local users to create root files through s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0323 (FreeBSD mmap function allows users to modify append-only or immutable ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0322 (The open() function in FreeBSD allows local attackers to write to arbi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0321 (Buffer overflow in Solaris kcms_configure command allows local users t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0320 (SunOS rpc.cmsd allows attackers to obtain root access by overwriting a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0318 (Buffer overflow in xmcd 2.0p12 allows local users to gain access throu ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0316 (Buffer overflow in Linux splitvt command gives root access to local us ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0315 (Buffer overflow in Solaris fdformat command gives root access to local ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0314 (ioconfig on SGI IRIX 6.4 S2MP for Origin/Onyx2 allows local users to g ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0313 (disk_bandwidth on SGI IRIX 6.4 S2MP for Origin/Onyx2 allows local user ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0312 (HP ypbind allows attackers with root privileges to modify NIS data. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0311 (fpkg2swpk in HP-UX allows local users to gain root access. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0310 (SSH 1.2.25 on HP-UX allows access to new user accounts. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0309 (HP-UX vgdisplay program gives root access to local users. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0308 (HP-UX gwind program allows users to modify arbitrary files. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0305 (The system configuration control (sysctl) facility in BSD based operat ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0304 (mmap function in BSD allows local attackers in the kmem group to modif ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0303 (Buffer overflow in BNU UUCP daemon (uucpd) through long hostnames. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0302 (SunOS/Solaris FTP clients can be forced to execute arbitrary commands ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0301 (Buffer overflow in SunOS/Solaris ps command. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0300 (nis_cachemgr for Solaris NIS+ allows attackers to add malicious NIS+ s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0299 (Buffer overflow in FreeBSD lpd through long DNS hostnames. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0297 (Buffer overflow in Vixie Cron library up to version 3.0 allows local u ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0296 (Solaris volrmmount program allows attackers to read any file. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0295 (Solaris sysdef command allows local users to read kernel memory, poten ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0294 (All records in a WINS database can be deleted through SNMP for a denia ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0293 (AAA authentication on Cisco systems allows attackers to execute comman ...) NOT-FOR-US: Cisco CVE-1999-0292 (Denial of service through Winpopup using large user names. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0291 (The WinGate proxy is installed without a password, which allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0290 (The WinGate telnet proxy allows remote attackers to cause a denial of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0289 (The Apache web server for Win32 may provide access to restricted files ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0288 (The WINS server in Microsoft Windows NT 4.0 before SP4 allows remote a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0281 (Denial of service in IIS using long URLs. ...) NOT-FOR-US: Microsoft CVE-1999-0280 (Remote command execution in Microsoft Internet Explorer using .lnk and ...) NOT-FOR-US: Microsoft CVE-1999-0279 (Excite for Web Servers (EWS) allows remote command execution via shell ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0278 (In IIS, remote attackers can obtain source code for ASP files by appen ...) NOT-FOR-US: Microsoft CVE-1999-0277 (The WorkMan program can be used to overwrite any file to get root acce ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0276 (mSQL v2.0.1 and below allows remote execution through a buffer overflo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0275 (Denial of service in Windows NT DNS servers by flooding port 53 with t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0274 (Denial of service in Windows NT DNS servers through malicious packet w ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0273 (Denial of service through Solaris 2.5.1 telnet by sending ^D character ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0272 (Denial of service in Slmail v2.5 through the POP3 port. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0270 (Directory traversal vulnerability in pfdispaly.cgi program (sometimes ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0269 (Netscape Enterprise servers may list files through the PageServices qu ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0268 (MetaInfo MetaWeb web server allows users to upload, execute, and read ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0267 (Buffer overflow in NCSA HTTP daemon v1.3 allows remote command executi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0266 (The info2www CGI script allows remote file access or remote command ex ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0265 (ICMP redirect messages may crash or lock up a host. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0264 (htmlscript CGI program allows remote read access to files. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0263 (Solaris SUNWadmap can be exploited to obtain root access. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0262 (Hylafax faxsurvey CGI script on Linux allows remote attackers to execu ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0260 (The jj CGI program allows command execution via shell metacharacters. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0259 (cfingerd lists all users on a system via search.**@target. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0256 (Buffer overflow in War FTP allows remote execution of commands. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0252 (Buffer overflow in listserv allows arbitrary command execution. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0251 (Denial of service in talk program allows remote attackers to disrupt a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0248 (A race condition in the authentication agent mechanism of sshd 1.2.17 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0247 (Buffer overflow in nnrpd program in INN up to version 1.6 allows remot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0245 (Some configurations of NIS+ in Linux allowed attackers to log in as th ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0244 (Livingston RADIUS code has a buffer overflow which can allow remote ex ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0239 (Netscape FastTrack Web server lists files when a lowercase "get" comma ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0237 (Remote execution of arbitrary commands through Guestbook CGI program. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0236 (ScriptAlias directory in NCSA and Apache httpd allowed attackers to re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0234 (Bash treats any character with a value of 255 as a command separator. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0233 (IIS 1.0 allows users to execute arbitrary commands using .bat or .cmd ...) NOT-FOR-US: Microsoft CVE-1999-0230 (Buffer overflow in Cisco 7xx routers through the telnet service. ...) NOT-FOR-US: Cisco CVE-1999-0228 (Denial of service in RPCSS.EXE program (RPC Locator) in Windows NT. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0227 (Access violation in LSASS.EXE (LSA/LSARPC) program in Windows NT allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0225 (Windows NT 4.0 allows remote attackers to cause a denial of service vi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0224 (Denial of service in Windows NT messenger service through a long usern ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0223 (Solaris syslogd crashes when receiving a message from a host that does ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0221 (Denial of service of Ascend routers through port 150 (remote administr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0219 (Buffer overflow in FTP Serv-U 2.5 allows remote authenticated users to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0218 (Livingston portmaster machines could be rebooted via a series of comma ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0217 (Malicious option settings in UDP packets could force a reboot in SunOS ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0215 (Routed allows attackers to append data to files. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0214 (Denial of service by sending forged ICMP unreachable packets. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0212 (Solaris rpc.mountd generates error messages that allow a remote attack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0211 (Extra long export lists over 256 characters in some mount daemons allo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0210 (Automount daemon automountd allows local or remote users to gain privi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0209 (The SunView (SunTools) selection_svc facility allows remote users to r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0208 (rpc.ypupdated (NIS) allows remote users to execute arbitrary commands. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0207 (Remote attacker can execute commands through Majordomo using the Reply ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0206 (MIME buffer overflow in Sendmail 8.8.0 and 8.8.1 gives root access. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0204 (Sendmail 8.6.9 allows remote attackers to execute root commands, using ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0203 (In Sendmail, attackers can gain root privileges via SMTP by specifying ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0202 (The GNU tar command, when used in FTP sessions, may allow an attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0201 (A quote cwd command on FTP servers can reveal the full path of the hom ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0196 (websendmail in Webgais 1.0 allows a remote user to access arbitrary fi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0194 (Denial of service in in.comsat allows attackers to generate messages. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0192 (Buffer overflow in telnet daemon tgetent routing allows remote attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0191 (IIS newdsn.exe CGI script allows remote users to overwrite files. ...) NOT-FOR-US: Microsoft CVE-1999-0190 (Solaris rpcbind can be exploited to overwrite arbitrary files and gain ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0189 (Solaris rpcbind listens on a high numbered UDP port, which may not be ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0188 (The passwd command in Solaris can be subjected to a denial of service. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0185 (In SunOS or Solaris, a remote user could connect from an FTP server's ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0184 (When compiled with the -DALLOW_UPDATES option, bind allows dynamic upd ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0183 (Linux implementations of TFTP would allow access to files outside the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0182 (Samba has a buffer overflow which allows a remote attacker to obtain r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0181 (The wall daemon can be used for denial of service, social engineering ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0180 (in.rshd allows users to login with a NULL username and execute command ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0179 (Windows NT crashes or locks up when a Samba client executes a "cd .." ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0178 (Buffer overflow in the win-c-sample program (win-c-sample.exe) in the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0177 (The uploader program in the WebSite web server allows a remote attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0176 (The Webgais program allows a remote user to execute arbitrary commands ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0175 (The convert.bas program in the Novell web server allows a remote attac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0174 (The view-source CGI program allows remote attackers to read arbitrary ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0173 (FormMail CGI program can be used by web servers other than the host se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0172 (FormMail CGI program allows remote execution of commands. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0170 (Remote attackers can mount an NFS file system in Ultrix or OSF, even i ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0168 (The portmapper may act as a proxy and redirect service requests from a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0167 (In SunOS, NFS file handles could be guessed, giving unauthorized acces ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0166 (NFS allows users to use a "cd .." command to access other directories ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0164 (A race condition in the Solaris ps command allows an attacker to overw ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0162 (The "established" keyword in some Cisco IOS software allowed an attack ...) NOT-FOR-US: Cisco CVE-1999-0161 (In Cisco IOS 10.3, with the tacacs-ds or tacacs keyword, an extended I ...) NOT-FOR-US: Cisco CVE-1999-0160 (Some classic Cisco IOS devices have a vulnerability in the PPP CHAP au ...) NOT-FOR-US: Cisco CVE-1999-0159 (Attackers can crash a Cisco IOS router or device, provided they can ge ...) NOT-FOR-US: Cisco CVE-1999-0158 (Cisco PIX firewall manager (PFM) on Windows NT allows attackers to con ...) NOT-FOR-US: Cisco CVE-1999-0157 (Cisco PIX firewall and CBAC IP fragmentation attack results in a denia ...) NOT-FOR-US: Cisco CVE-1999-0155 (The ghostscript command with the -dSAFER option allows remote attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0153 (Windows 95/NT out of band (OOB) data denial of service through NETBIOS ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0152 (The DG/UX finger daemon allows remote command execution through shell ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0151 (The SATAN session key may be disclosed if the user points the web brow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0150 (The Perl fingerd program allows arbitrary command execution from remot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0149 (The wrap CGI program in IRIX allows remote attackers to view arbitrary ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0148 (The handler CGI program in IRIX allows arbitrary command execution. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0147 (The aglimpse CGI program of the Glimpse package allows remote executio ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0146 (The campas CGI program provided with some NCSA web servers allows an a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0145 (Sendmail WIZ command enabled, allowing root access. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0143 (Kerberos 4 key servers allow a user to masquerade as another by breaki ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0142 (The Java Applet Security Manager implementation in Netscape Navigator ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0141 (Java Bytecode Verifier allows malicious applets to execute arbitrary c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0139 (Buffer overflow in Solaris x86 mkcookie allows local users to obtain r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0138 (The suidperl and sperl program do not give up root privileges when cha ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0137 (The dip program on many Linux systems allows local users to gain root ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0136 (Kodak Color Management System (KCMS) on Solaris allows a local user to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0135 (admintool in Solaris allows a local user to write to arbitrary files a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0134 (vold in Solaris 2.x allows local users to gain root access. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0133 (fm_fls license server for Adobe Framemaker allows local users to overw ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0132 (Expreserve, as used in vi and ex, allows local users to overwrite arbi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0131 (Buffer overflow and denial of service in Sendmail 8.7.5 and earlier th ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0130 (Local users can start Sendmail in daemon mode and gain root privileges ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0129 (Sendmail allows local users to write to a file and gain group permissi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0128 (Oversized ICMP ping packets can result in a denial of service, aka Pin ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0126 (SGI IRIX buffer overflow in xterm and Xaw allows root access. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0125 (Buffer overflow in SGI IRIX mailx program. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0124 (Vulnerabilities in UMN gopher and gopher+ versions 1.12 and 2.0x allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0122 (Buffer overflow in AIX lchangelv gives root access. ...) NOT-FOR-US: AIX CVE-1999-0120 (Sun/Solaris utmp file allows local users to gain root access if it is ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0118 (AIX infod allows local users to gain root access through an X display. ...) NOT-FOR-US: AIX CVE-1999-0117 (AIX passwd allows local users to gain root access. ...) NOT-FOR-US: AIX CVE-1999-0116 (Denial of service when an attacker sends many SYN packets to create mu ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0115 (AIX bugfiler program allows local users to gain root access. ...) NOT-FOR-US: AIX CVE-1999-0113 (Some implementations of rlogin allow root access if given a -froot par ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0112 (Buffer overflow in AIX dtterm program for the CDE. ...) NOT-FOR-US: AIX CVE-1999-0111 (RIP v1 is susceptible to spoofing. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0109 (Buffer overflow in ffbconfig in Solaris 2.5.1. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0108 (The printers program in IRIX has a buffer overflow that gives root acc ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0103 (Echo and chargen, or other combinations of UDP services, can be used i ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0102 (Buffer overflow in SLmail 3.x allows attackers to execute commands usi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0101 (Buffer overflow in AIX and Solaris "gethostbyname" library call allows ...) NOT-FOR-US: AIX CVE-1999-0100 (Remote access in AIX innd 1.5.1, using control messages. ...) NOT-FOR-US: AIX CVE-1999-0099 (Buffer overflow in syslog utility allows local or remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0097 (The AIX FTP client can be forced to execute commands from a malicious ...) NOT-FOR-US: AIX CVE-1999-0096 (Sendmail decode alias can be used to overwrite sensitive files. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0095 (The debug command in Sendmail is enabled, allowing attackers to execut ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0094 (AIX piodmgrsu command allows local users to gain additional group priv ...) NOT-FOR-US: AIX CVE-1999-0093 (AIX nslookup command allows local users to obtain root access by not d ...) NOT-FOR-US: AIX CVE-1999-0091 (Buffer overflow in AIX writesrv command allows local users to obtain r ...) NOT-FOR-US: AIX CVE-1999-0090 (Buffer overflow in AIX rcp command allows local users to obtain root a ...) NOT-FOR-US: AIX CVE-1999-0087 (Denial of service in AIX telnet can freeze a system and prevent users ...) NOT-FOR-US: AIX CVE-1999-0085 (Buffer overflow in rwhod on AIX and other operating systems allows rem ...) NOT-FOR-US: AIX CVE-1999-0084 (Certain NFS servers allow users to use mknod to gain privileges by cre ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0083 (getcwd() file descriptor leak in FTP. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0082 (CWD ~root command in ftpd allows root access. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0081 (wu-ftp allows files to be overwritten via the rnfr command. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0080 (Certain configurations of wu-ftp FTP server 2.4 use a _PATH_EXECPATH s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0079 (Remote attackers can cause a denial of service in FTP by issuing multi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0077 (Predictable TCP sequence numbers allow spoofing. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0075 (PASV core dump in wu-ftpd daemon when attacker uses a QUOTE PASV comma ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0074 (Listening TCP ports are sequentially allocated, allowing spoofing atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0073 (Telnet allows a remote client to specify environment variables includi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0072 (Buffer overflow in AIX xdat gives root access to local users. ...) NOT-FOR-US: AIX CVE-1999-0071 (Apache httpd cookie buffer overflow for versions 1.1.1 and earlier. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0070 (test-cgi program allows an attacker to list files on the server. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0069 (Solaris ufsrestore buffer overflow. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0068 (CGI PHP mylog script allows an attacker to read any file on the target ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0067 (phf CGI program allows remote command execution through shell metachar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0066 (AnyForm CGI remote execution. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0065 (Multiple buffer overflows in how dtmail handles attachments allows a r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0064 (Buffer overflow in AIX lquerylv program gives root access to local use ...) NOT-FOR-US: AIX CVE-1999-0063 (Cisco IOS 12.0 and other versions can be crashed by malicious UDP pack ...) NOT-FOR-US: Cisco CVE-1999-0062 (The chpass command in OpenBSD allows a local user to gain root access ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0060 (Attackers can cause a denial of service in Ascend MAX and Pipeline rou ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0059 (IRIX fam service allows an attacker to obtain a list of all files on t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0058 (Buffer overflow in PHP cgi program, php.cgi allows shell access. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0057 (Vacation program allows command execution by remote users through a se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0056 (Buffer overflow in Sun's ping program can give root access to local us ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0055 (Buffer overflows in Sun libnsl allow root access. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0054 (Sun's ftpd daemon can be subjected to a denial of service. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0053 (TCP RST denial of service in FreeBSD. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0052 (IP fragmentation denial of service in FreeBSD allows a remote attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0051 (Arbitrary file creation and program execution using FLEXlm LicenseMana ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0050 (Buffer overflow in HP-UX newgrp program. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0049 (Csetup under IRIX allows arbitrary file creation or overwriting. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0048 (Talkd, when given corrupt DNS information, can be used to execute arbi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0047 (MIME conversion buffer overflow in sendmail versions 8.8.3 and 8.8.4. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0046 (Buffer overflow of rlogin program using TERM environmental variable. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0045 (List of arbitrary files on Web host via nph-test-cgi script. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0044 (fsdump command in IRIX allows local users to obtain root access by mod ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0043 (Command execution via shell metachars in INN daemon (innd) 1.5 using " ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0042 (Buffer overflow in University of Washington's implementation of IMAP a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0041 (Buffer overflow in NLS (Natural Language Service). ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0040 (Buffer overflow in Xt library of X Windowing System allows local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0039 (webdist CGI program (webdist.cgi) in SGI IRIX allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0038 (Buffer overflow in xlock program allows local users to execute command ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0037 (Arbitrary command execution via metamail package using message headers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0036 (IRIX login program with a nonzero LOCKOUT parameter allows creation or ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0035 (Race condition in signal handling routine in ftpd, allowing read/write ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0034 (Buffer overflow in suidperl (sperl), Perl 4.x and 5.x. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0032 (Buffer overflow in lpr, as used in BSD-based systems including Linux, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0031 (JavaScript in Internet Explorer 3.x and 4.x, and Netscape 2.x, 3.x and ...) NOT-FOR-US: Microsoft CVE-1999-0029 (root privileges via buffer overflow in ordist command on SGI IRIX syst ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0028 (root privileges via buffer overflow in login/scheme command on SGI IRI ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0027 (root privileges via buffer overflow in eject command on SGI IRIX syste ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0026 (root privileges via buffer overflow in pset command on SGI IRIX system ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0025 (root privileges via buffer overflow in df command on SGI IRIX systems. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0024 (DNS cache poisoning via BIND, by predictable query IDs. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0023 (Local user gains root privileges via buffer overflow in rdist, via loo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0022 (Local user gains root privileges via buffer overflow in rdist, via exp ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0021 (Arbitrary command execution via buffer overflow in Count.cgi (wwwcount ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0019 (Delete or create a file via rpc.statd, due to invalid information. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0018 (Buffer overflow in statd allows root privileges. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0017 (FTP servers can allow an attacker to connect to arbitrary ports on mac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0016 (Land IP denial of service. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0014 (Unauthorized privileged access or denial of service via dtappgather pr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0013 (Stolen credentials from SSH clients via ssh-agent program, allowing ot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0012 (Some web servers under Microsoft Windows allow remote attackers to byp ...) NOT-FOR-US: Microsoft CVE-1999-0011 (Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases via ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0010 (Denial of Service vulnerability in BIND 8 Releases via maliciously for ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0009 (Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0008 (Buffer overflow in NIS+, in Sun's rpc.nisd program. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0007 (Information from SSL-encrypted sessions via PKCS #1. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0006 (Buffer overflow in POP servers based on BSD/Qualcomm's qpopper allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0005 (Arbitrary command execution via IMAP buffer overflow in authenticate c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0003 (Execute commands as root via buffer overflow in Tooltalk database serv ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0002 (Buffer overflow in NFS mountd gives root access to remote attackers, m ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0654 (Apache 2.0 through 2.0.39 on Windows, OS2, and Netware allows remote a ...) - apache2 2.0.40 CVE-2002-0652 (xfsmd for IRIX 6.5 through 6.5.16 allows remote attackers to execute a ...) NOT-FOR-US: IRIX CVE-2002-0649 (Multiple buffer overflows in the Resolution Service for Microsoft SQL ...) NOT-FOR-US: Microsoft CVE-2002-0646 REJECTED CVE-2002-0645 (SQL injection vulnerability in stored procedures for Microsoft SQL Ser ...) NOT-FOR-US: Microsoft CVE-2002-0644 (Buffer overflow in several Database Consistency Checkers (DBCCs) for M ...) NOT-FOR-US: Microsoft CVE-2002-0643 (The installation of Microsoft Data Engine 1.0 (MSDE 1.0), and Microsof ...) NOT-FOR-US: Microsoft CVE-2002-0641 (Buffer overflow in bulk insert procedure of Microsoft SQL Server 2000, ...) NOT-FOR-US: Microsoft CVE-2002-0637 (InterScan VirusWall 3.52 build 1462 allows remote attackers to bypass ...) NOT-FOR-US: InterScan CVE-2002-0636 RESERVED CVE-2002-0635 REJECTED CVE-2002-0634 REJECTED CVE-2002-0633 REJECTED CVE-2002-0632 (Vulnerability in SGI BDS (Bulk Data Service) BDSPro 2.4 and earlier al ...) NOT-FOR-US: SGI CVE-2002-0629 (The Telnet service for Polycom ViewStation before 7.2.4 allows remote ...) NOT-FOR-US: Polycom CVE-2002-0628 (The Telnet service for Polycom ViewStation before 7.2.4 does not restr ...) NOT-FOR-US: Polycom CVE-2002-0626 (Polycom ViewStation before 7.2.4 has a default null password for the a ...) NOT-FOR-US: Polycom CVE-2002-0624 (Buffer overflow in the password encryption function of Microsoft SQL S ...) NOT-FOR-US: Microsoft CVE-2002-0620 (Buffer overflow in the Profile Service of Microsoft Commerce Server 20 ...) NOT-FOR-US: Microsoft CVE-2002-0614 (PHP-Survey 20000615 and earlier stores the global.inc file under the w ...) NOT-FOR-US: PHP-Survey CVE-2002-0612 (FileSeek.cgi allows remote attackers to execute arbitrary commands via ...) NOT-FOR-US: FileSeek CVE-2002-0611 (Directory traversal vulnerability in FileSeek.cgi allows remote attack ...) NOT-FOR-US: FileSeek CVE-2002-0610 (Vulnerability in FTPSRVR in HP MPE/iX 6.0 through 7.0 does not properl ...) NOT-FOR-US: HP CVE-2002-0609 (Vulnerability in HP MPE/iX 6.0 through 7.0 allows attackers to cause a ...) NOT-FOR-US: HP CVE-2002-0608 (Buffer overflow in Matu FTP client 1.74 allows remote FTP servers to e ...) NOT-FOR-US: Matu CVE-2002-0607 (members.asp in Snitz Forums 2000 version 3.3.03 and earlier allows rem ...) NOT-FOR-US: Snitz CVE-2002-0606 (Buffer overflow in 3Cdaemon 2.0 FTP server allows remote attackers to ...) NOT-FOR-US: 3Cdaemon CVE-2002-0604 (Snapgear Lite+ firewall 1.5.3 and 1.5.4 allows remote attackers to cau ...) NOT-FOR-US: Snapgear CVE-2002-0603 (Snapgear Lite+ firewall 1.5.3 allows remote attackers to cause a denia ...) NOT-FOR-US: Snapgear CVE-2002-0602 (Snapgear Lite+ firewall 1.5.4 and 1.5.3 allows remote attackers to cau ...) NOT-FOR-US: Snapgear CVE-2002-0600 (Heap overflow in the KTH Kerberos 4 FTP client 4-1.1.1 allows remote m ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0596 (WebTrends Reporting Center 4.0d allows remote attackers to determine t ...) NOT-FOR-US: WebTrends CVE-2002-0595 (Buffer overflow in WTRS_UI.EXE (WTX_REMOTE.DLL) for WebTrends Reportin ...) NOT-FOR-US: WebTrends CVE-2002-0593 (Buffer overflow in Netscape 6 and Mozilla 1.0 RC1 and earlier allows r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0592 (AOL Instant Messenger (AIM) allows remote attackers to steal files tha ...) NOT-FOR-US: AOL CVE-2002-0591 (Directory traversal vulnerability in AOL Instant Messenger (AIM) 4.8 b ...) NOT-FOR-US: AOL CVE-2002-0590 (Cross-site scripting (CSS) vulnerability in IcrediBB 1.1 Beta allows r ...) NOT-FOR-US: IncrediBB CVE-2002-0589 (PVote before 1.9 allows remote attackers to change the administrative ...) NOT-FOR-US: PVote CVE-2002-0588 (PVote before 1.9 does not authenticate users for restricted operations ...) NOT-FOR-US: PVote CVE-2002-0587 (Buffer overflow in Ns_PdLog function for the external database driver ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0586 (Format string vulnerability in Ns_PdLog function for the external data ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0585 (Unknown vulnerability in ndd for HP-UX 11.11 with certain TRANSPORT pa ...) NOT-FOR-US: HP-UX CVE-2002-0584 (WorkforceROI Xpede 4.1 allows remote attackers to read user timesheets ...) NOT-FOR-US: WorkforceROI CVE-2002-0583 (WorkforceROI Xpede 4.1 uses a small random namespace (5 alphanumeric c ...) NOT-FOR-US: WorkforceROI CVE-2002-0582 (WorkforceROI Xpede 4.1 stores temporary expense claim reports in a wor ...) NOT-FOR-US: WorkforceROI CVE-2002-0581 (WorkforceROI Xpede 4.1 allows remote attackers to execute arbitrary SQ ...) NOT-FOR-US: WorkforceROI CVE-2002-0580 (WorkforceROI Xpede 4.1 allows remote attackers to obtain the database ...) NOT-FOR-US: WorkforceROI CVE-2002-0579 (WorkforceROI Xpede 4.1 allows remote attackers to gain privileges as a ...) NOT-FOR-US: WorkforceROI CVE-2002-0578 (Buffer overflow in 4D WebServer 6.7.3 allows remote attackers to cause ...) NOT-FOR-US: 4D WebServer CVE-2002-0577 (Vulnerability in passwd for HP-UX 11.00 and 11.11 allows local users t ...) NOT-FOR-US: HP-UX CVE-2002-0572 (FreeBSD 4.5 and earlier, and possibly other BSD-based operating system ...) NOT-FOR-US: FreeBSD CVE-2002-0570 (The encrypted loop device in Linux kernel 2.4.10 and earlier does not ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0568 (Oracle 9i Application Server stores XSQL and SOAP configuration files ...) NOT-FOR-US: Oracle CVE-2002-0566 (PL/SQL module 3.0.9.8.2 in Oracle 9i Application Server 1.0.2.x allows ...) NOT-FOR-US: Oracle CVE-2002-0565 (Oracle 9iAS 1.0.2.x compiles JSP files in the _pages directory with wo ...) NOT-FOR-US: Oracle CVE-2002-0564 (PL/SQL module 3.0.9.8.2 in Oracle 9i Application Server 1.0.2.x allows ...) NOT-FOR-US: Oracle CVE-2002-0563 (The default configuration of Oracle 9i Application Server 1.0.2.x allo ...) NOT-FOR-US: Oracle CVE-2002-0562 (The default configuration of Oracle 9i Application Server 1.0.2.x runn ...) NOT-FOR-US: Oracle CVE-2002-0561 (The default configuration of the PL/SQL Gateway web administration int ...) NOT-FOR-US: Oracle CVE-2002-0560 (PL/SQL module 3.0.9.8.2 in Oracle 9i Application Server 1.0.2.x allows ...) NOT-FOR-US: Oracle CVE-2002-0559 (Buffer overflows in PL/SQL module 3.0.9.8.2 in Oracle 9i Application S ...) NOT-FOR-US: Oracle CVE-2002-0558 (Directory traversal vulnerability in TYPSoft FTP server 0.97.1 and ear ...) NOT-FOR-US: TYPSoft CVE-2002-0557 (Vulnerability in OpenBSD 3.0, when using YP with netgroups in the pass ...) NOT-FOR-US: OpenBSD CVE-2002-0556 (Directory traversal vulnerability in Quik-Serv HTTP server 1.1B allows ...) NOT-FOR-US: Quik-Serv CVE-2002-0555 (IBM Informix Web DataBlade 4.12 unescapes user input even if an applic ...) NOT-FOR-US: IBM CVE-2002-0554 (webdriver in IBM Informix Web DataBlade 4.12 allows remote attackers t ...) NOT-FOR-US: IBM CVE-2002-0552 (Multiple buffer overflows in Melange Chat server 2.02 allow remote or ...) NOT-FOR-US: Melange CVE-2002-0551 (Cross-site scripting vulnerability in Dynamic Guestbook 3.0 allows rem ...) NOT-FOR-US: Dynamic Guestbook CVE-2002-0550 (Dynamic Guestbook 3.0 allows remote attackers to execute arbitrary cod ...) NOT-FOR-US: Dynamic Guestbook CVE-2002-0549 (Cross-site scripting vulnerabilities in Anthill allow remote attackers ...) NOT-FOR-US: Anthill CVE-2002-0548 (Anthill allows remote attackers to bypass authentication and file bug ...) NOT-FOR-US: Anthill CVE-2002-0547 (Buffer overflow in the mini-browser for Winamp 2.79 and earlier allows ...) NOT-FOR-US: Winamp CVE-2002-0544 (Aprelium Abyss Web Server (abyssws) before 1.0.3 stores the administra ...) NOT-FOR-US: Aprelium CVE-2002-0541 (Buffer overflow in Tivoli Storage Manager TSM (1) Server or Storage Ag ...) NOT-FOR-US: Tivoli CVE-2002-0540 (Nortel CVX 1800 is installed with a default "public" community string, ...) NOT-FOR-US: Nortel CVE-2002-0537 (The admin.html file in StepWeb Search Engine (SWS) 2.5 stores password ...) NOT-FOR-US: SWS CVE-2002-0535 (Cross-site scripting vulnerabilities in PostBoard 2.0.1 and earlier al ...) NOT-FOR-US: PostBoard CVE-2002-0534 (PostBoard 2.0.1 and earlier with BBcode allows remote attackers to cau ...) NOT-FOR-US: PostBoard CVE-2002-0533 (phpBB 1.4.4 and earlier with BBcode allows remote attackers to cause a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0530 (Cross-site scripting vulnerability in Novell Web Search 2.0.1 allows r ...) NOT-FOR-US: Novell CVE-2002-0529 (HP Photosmart printer driver for Mac OS X installs the hp_imaging_conn ...) NOT-FOR-US: HP/Apple CVE-2002-0528 (Watchguard SOHO firewall 5.0.35 unpredictably disables certain IP rest ...) NOT-FOR-US: Watchguard CVE-2002-0527 (Watchguard SOHO firewall before 5.0.35 allows remote attackers to caus ...) NOT-FOR-US: Watchguard CVE-2002-0526 (Vulnerability in (1) inews or (2) rnews for INN 2.2.3 and earlier, rel ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0525 (Format string vulnerabilities in (1) inews or (2) rnews for INN 2.2.3 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0524 (ASP-Nuke RC2 and earlier allows remote attackers to determine the abso ...) NOT-FOR-US: ASP-Nuke CVE-2002-0523 (ASP-Nuke RC2 and earlier allows remote attackers to list all logged-in ...) NOT-FOR-US: ASP-Nuke CVE-2002-0522 (ASP-Nuke RC2 and earlier allows remote attackers to bypass authenticat ...) NOT-FOR-US: ASP-Nuke CVE-2002-0521 (Cross-site scripting vulnerabilities in ASP-Nuke RC2 and earlier allow ...) NOT-FOR-US: ASP-Nuke CVE-2002-0520 (Cross-site scripting vulnerability in functions-inc.asp for ASP-Nuke R ...) NOT-FOR-US: ASP-Nuke CVE-2002-0518 (The SYN cache (syncache) and SYN cookie (syncookie) mechanism in FreeB ...) NOT-FOR-US: FreeBSD CVE-2002-0517 (Buffer overflow in X11 library (libX11) on Caldera Open UNIX 8.0.0, Un ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0515 (IPFilter 3.4.25 and earlier sets a different TTL when a port is being ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0514 (PF in OpenBSD 3.0 with the return-rst rule sets the TTL to 128 in the ...) NOT-FOR-US: OpenBSD CVE-2002-0510 (The UDP implementation in Linux 2.4.x kernels keeps the IP Identificat ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0509 (Transparent Network Substrate (TNS) Listener in Oracle 9i 9.0.1.1 allo ...) NOT-FOR-US: Oracle CVE-2002-0508 (wwwisis 3.45 and earlier allows remote attackers to execute arbitrary ...) NOT-FOR-US: wwwisis CVE-2002-0507 (An interaction between Microsoft Outlook Web Access (OWA) with RSA Sec ...) NOT-FOR-US: Microsoft CVE-2002-0504 (Cross-site scripting vulnerability in Citrix NFuse 1.6 and earlier doe ...) NOT-FOR-US: Citrix CVE-2002-0503 (Directory traversal vulnerability in boilerplate.asp for Citrix NFuse ...) NOT-FOR-US: Citrix CVE-2002-0502 (Citrix NFuse 1.6 may allow remote attackers to list applications witho ...) NOT-FOR-US: Citrix CVE-2002-0500 (Internet Explorer 5.0 through 6.0 allows remote attackers to determine ...) NOT-FOR-US: Microsoft CVE-2002-0499 (The d_path function in Linux kernel 2.2.20 and earlier, and 2.4.18 and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0498 (Etnus TotalView 5.0.0-4 installs certain files with UID 5039 and GID 5 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0496 (The HTTP server for SouthWest Talker server 1.0.0 allows remote attack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0492 (dcshop.cgi in DCShop 1.002 Beta allows remote attackers to delete arbi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0491 (admin.php in AlGuest 1.0 guestbook checks for the existence of the adm ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0489 (Linux Directory Penguin NsLookup CGI script (nslookup.pl) 1.0 allows r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0487 (Intellisol Xpede 4.1 stores passwords in plaintext in a Javascript "se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0486 (Intellisol Xpede 4.1 uses weak encryption to store authentication info ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0485 (Norton Anti-Virus (NAV) allows remote attackers to bypass content filt ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0483 (index.php for PHP-Nuke 5.4 and earlier allows remote attackers to dete ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0482 (Directory traversal vulnerability in PCI Netsupport Manager before ver ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0481 (An interaction between Windows Media Player (WMP) and Outlook 2002 all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0480 (ISS RealSecure for Nokia devices before IPSO build 6.0.2001.141d is co ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0479 (Gravity Storm Service Pack Manager 2000 creates a hidden share (SPM200 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0478 (The default configuration of Foundry Networks EdgeIron 4802F allows re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0477 (Standalone Macromedia Flash Player 5.0 before 5,0,30,2 allows remote a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0476 (Standalone Macromedia Flash Player 5.0 allows remote attackers to save ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0475 (Cross-site scripting vulnerability in phpBB 1.4.4 and earlier allows r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0474 (Cross-site scripting vulnerability in ZeroForum allows remote attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0472 (MSN Messenger Service 3.6, and possibly other versions, uses weak auth ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0471 (PHPNetToolpack 0.1 allows remote attackers to execute arbitrary code v ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0470 (PHPNetToolpack 0.1 relies on its environment's PATH to find and execut ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0469 (Ecartis (formerly Listar) 1.0.0 in snapshot 20020125 and earlier does ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0468 (Buffer overflows in Ecartis (formerly Listar) 1.0.0 in snapshot 200204 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0467 (Buffer overflows in Ecartis (formerly Listar) 1.0.0 before snapshot 20 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0466 (Hosting Controller 1.4.1 and earlier allows remote attackers to browse ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0465 (Directory traversal vulnerability in filemanager.asp for Hosting Contr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0461 (Internet Explorer 5.01 through 6 allows remote attackers to cause a de ...) NOT-FOR-US: Microsoft CVE-2002-0460 (Bitvise WinSSHD before 2002-03-16 allows remote attackers to cause a d ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0459 (Cross-site scripting vulnerability in Board-TNK 1.3.1 and earlier allo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0458 (Cross-site scripting vulnerability in News-TNK 1.2.1 and earlier allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0457 (Cross-site scripting vulnerability in signgbook.php for BG GuestBook 1 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0456 (Eudora 5.1 and earlier versions stores attachments in a directory with ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0455 (IncrediMail stores attachments in a directory with a fixed name, which ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0453 (The account lockout capability in Oblix NetPoint 5.2 and earlier only ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0452 (Foundry Networks ServerIron switches do not decode URIs when applying ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0450 (Buffer overflow in Talentsoft Web+ 5.0 and earlier allows remote attac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0449 (Buffer overflow in webpsvc.exe for Talentsoft Web+ 5.0 and earlier all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0448 (Xerver Free Web Server 2.10 and earlier allows remote attackers to cau ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0447 (Directory traversal vulnerability in Xerver Free Web Server 2.10 and e ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0446 (categorie.php3 in Black Tie Project (BTP) 0.4b through 0.5b allows rem ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0440 (Trend Micro InterScan VirusWall HTTP proxy 3.6 with the "Skip scanning ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0439 (Cross-site scripting vulnerability in CaupoShop 1.30a and earlier, and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0438 (ZyXEL ZyWALL 10 before 3.50 allows remote attackers to cause a denial ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0436 (sscd_suncourier.pl CGI script in the Sun Sunsolve CD pack allows remot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0434 (Marcus S. Xenakis directory.php script allows remote attackers to exec ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0433 (Pi3Web 2.0.0 allows remote attackers to view restricted files via an H ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0432 (Buffer overflow in (1) lprintf and (2) cprintf in sysdep.c of Citadel/ ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0430 (MultiFileUploadHandler.php in the Sun Cobalt RaQ XTR administration in ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0428 (Check Point FireWall-1 SecuRemote/SecuClient 4.0 and 4.1 allows client ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0427 (Buffer overflows in fpexec in mod_frontpage before 1.6.1 may allow att ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0426 (VPN Server module in Linksys EtherFast BEFVP41 Cable/DSL VPN Router be ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0422 (IIS 5 and 5.1 supporting WebDAV methods allows remote attackers to det ...) NOT-FOR-US: Microsoft CVE-2002-0421 (IIS 4.0 allows local users to bypass the "User cannot change password" ...) NOT-FOR-US: Microsoft CVE-2002-0420 (Vulnerability in PureTLS before 0.9b2 related to injection attacks, wh ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0419 (Information leaks in IIS 4 through 5.1 allow remote attackers to obtai ...) NOT-FOR-US: Microsoft CVE-2002-0418 (Directory traversal vulnerability in the com.endymion.sake.servlet.mai ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0417 (Directory traversal vulnerability in Endymion MailMan before 3.1 allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0416 (Buffer overflow in SH39 MailServer 1.21 and earlier allows remote atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0415 (Directory traversal vulnerability in the web server used in RealPlayer ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0413 (Cross-site scripting vulnerability in ReBB allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0411 (Cross-site scripting vulnerability in message.php for AeroMail before ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0410 (send_message.php in AeroMail before 1.45 allows remote attackers to re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0409 (orderdetails.aspx, as made available to Microsoft .NET developers as e ...) NOT-FOR-US: Microsoft CVE-2002-0408 (htcgibin.exe in Lotus Domino server 5.0.9a and earlier, when configure ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0407 (htcgibin.exe in Lotus Domino server 5.0.9a and earlier allows remote a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0405 (Buffer overflow in Transsoft Broker FTP Server 5.0 evaluation allows r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0399 (Directory traversal vulnerability in GNU tar 1.13.19 through 1.13.25, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0393 (Buffer overflow in Red-M 1050 (Bluetooth Access Point) management web ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0390 REJECTED CVE-2002-0388 (Cross-site scripting vulnerabilities in Mailman before 2.0.11 allow re ...) {DSA-147} - mailman 2.0.12-1 CVE-2002-0386 (The administration module for Oracle Web Cache in Oracle9iAS (9i Appli ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0385 (Vignette Story Server 4.1 and 6.0 allows remote attackers to obtain se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0383 RESERVED CVE-2002-0378 (The default configuration of LPRng print spooler in Red Hat Linux 7.0 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0375 (Cross-site scripting vulnerability in sgdynamo.exe for Sgdynamo allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0371 (Buffer overflow in gopher client for Microsoft Internet Explorer 5.1 t ...) NOT-FOR-US: Microsoft CVE-2002-0370 (Buffer overflow in the ZIP capability for multiple products allows rem ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0365 RESERVED CVE-2002-0361 RESERVED CVE-2002-0360 (Buffer overflow in Sun AnswerBook2 1.4 through 1.4.3 allows remote att ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0354 (The XMLHttpRequest object (XMLHTTP) in Netscape 6.1 and Mozilla 0.9.7 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0353 (The ASN.1 parser in Ethereal 0.9.2 and earlier allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0352 (Phorum 3.3.2 allows remote attackers to determine the email addresses ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0351 (Buffer overflows in CFS daemon (cfsd) before 1.3.3-8.1, and 1.4x befor ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0350 (HP Procurve Switch 4000M running firmware C.08.22 and C.09.09 allows r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0349 (Tiny Personal Firewall (TPF) 2.0.15, under certain configurations, wil ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0348 (service.cgi in Cobalt RAQ 4 allows remote attackers to cause a denial ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0347 (Directory traversal vulnerability in Cobalt RAQ 4 allows remote attack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0346 (Cross-site scripting vulnerability in Cobalt RAQ 4 allows remote attac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0345 (Symantec Ghost 7.0 stores usernames and passwords in plaintext in the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0344 (Symantec LiveUpdate 1.5 and earlier in Norton Antivirus stores usernam ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0343 (Hotline Client 1.8.5 stores sensitive user information, including pass ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0342 (Kmail 1.2 on KDE 2.1.1 allows remote attackers to cause a denial of se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0341 (GWWEB.EXE in GroupWise Web Access 5.5, and possibly other versions, al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0340 (Windows Media Player (WMP) 8.00.00.4477, and possibly other versions, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0338 (The Bat! 1.53d and 1.54beta, and possibly other versions, allows remot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0337 (RealPlayer 8 allows remote attackers to cause a denial of service (CPU ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0336 (Buffer overflow in Galacticomm Worldgroup FTP server 3.20 and earlier ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0335 (Buffer overflow in Galacticomm Worldgroup web server 3.20 and earlier ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0334 (xtell (xtelld) 1.91.1 and earlier, and 2.x before 2.7, allows local us ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0333 (Directory traversal vulnerability in xtell (xtelld) 1.91.1 and earlier ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0332 (Buffer overflows in xtell (xtelld) 1.91.1 and earlier, and 2.x before ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0331 (Directory traversal vulnerability in the HTTP server for BPM Studio Pr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0328 (Cross-site scripting vulnerability in Ikonboard 3.0.1 allows remote at ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0327 (Buffer overflow in Century Software TERM allows local users to gain ro ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0326 (Cross-site scripting vulnerability in BadBlue before 1.6.1 beta allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0325 (Directory traversal vulnerability in BadBlue before 1.6.1 allows remot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0324 (Greymatter 1.21c and earlier with the Bookmarklet feature enabled allo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0323 (comment2.jse in ScriptEase:WebServer allows remote attackers to read a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0322 (Yahoo! Messenger 4.0 sends user passwords in cleartext, which could al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0321 (Yahoo! Messenger 5.0 allows remote attackers to spoof other users by m ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0320 (Buffer overflow in Yahoo! Messenger 5.0 allows remote attackers to cau ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0319 (Cross-site scripting vulnerability in edituser.php for pforum 1.14 and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0317 (Gator ActiveX component (IEGator.dll) 3.0.6.1 allows remote web sites ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0316 (Cross-site scripting vulnerability in eXtreme message board (XMB) 1.6x ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0315 (fasttrack p2p, as used in (1) KaZaA, (2) grokster, and (3) morpheus al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0314 (fasttrack p2p, as used in (1) KaZaA before 1.5, (2) grokster, and (3) ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0312 (Directory traversal vulnerability in Essentia Web Server 2.1 allows re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0311 (Vulnerability in webtop in UnixWare 7.1.1 and Open UNIX 8.0.0 allows l ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0310 (Netwin WebNews 1.1k CGI program includes several default usernames and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0308 (admin.asp in AdMentor 2.11 allows remote attackers to bypass authentic ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0307 (Directory traversal vulnerability in ans.pl in Avenger's News System ( ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0306 (ans.pl in Avenger's News System (ANS) 2.11 and earlier allows remote a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0305 (Zero One Tech (ZOT) P100s print server does not properly disable the S ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0304 (Lil HTTP Server 2.1 allows remote attackers to read password-protected ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0303 (GroupWise 6, when using LDAP authentication and when Post Office has a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0301 (Citrix NFuse 1.6 allows remote attackers to bypass authentication and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0298 (ScriptEase MiniWeb Server 0.95 allows remote attackers to cause a deni ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0297 (Buffer overflow in ScriptEase MiniWeb Server 0.95 allows remote attack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0296 (The installation of Tarantella Enterprise 3 allows local users to over ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0295 (Alcatel OmniPCX 4400 installs files with world-writable permissions, w ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0294 (Alcatel 4400 installs the /chetc/shutdown command with setgid privileg ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0293 (FTP service in Alcatel OmniPCX 4400 allows the "halt" user to gain roo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0291 (Dino's Webserver 1.2 allows remote attackers to cause a denial of serv ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0289 (Buffer overflow in Phusion web server 1.0 allows remote attackers to c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0288 (Directory traversal vulnerability in Phusion web server 1.0 allows rem ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0286 (The GetPassword function in function.php of SiteNews 0.10 and 0.11 all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0285 (Outlook Express 5.5 and 6.0 on Windows treats a carriage return ("CR") ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0284 (Winamp 2.78 and 2.77, when opening a wma file that requires a license, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0283 (Windows XP with port 445 open allows remote attackers to cause a denia ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0282 (DCP-Portal 3.7 through 4.5 allows remote attackers to obtain the physi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0281 (Cross-site scripting vulnerability in DCP-Portal 4.2 and earlier allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0280 (Buffer overflow in CodeBlue 4 and earlier, and possibly other versions ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0279 (The kernel in HP-UX 11.11 does not properly provide arguments for setr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0278 (Directory traversal vulnerability in Add2it Mailman Free 1.73 and earl ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0277 (Add2it Mailman Free 1.73 and earlier allows remote attackers to execut ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0273 (Buffer overflow in CWMail.exe in NetWin before 2.8a allows remote auth ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0272 (Buffer overflows in mpg321 before 0.2.9 allows local and possibly remo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0271 (Runtime library in GNU Ada compiler (GNAT) 3.12p through 3.14p allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0270 (Opera, when configured with the "Determine action by MIME type" option ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0269 (Internet Explorer 5.x and 6 interprets an object as an HTML document e ...) NOT-FOR-US: Microsoft CVE-2002-0268 (Identix BioLogon 3 allows users with physical access to the system to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0266 (Thunderstone Texis CGI script allows remote attackers to obtain the fu ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0264 (PowerFTP Personal FTP Server 2.03 through 2.10 stores sensitive accoun ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0263 (Buffer overflow in EasyBoard 2000 1.27 (aka EZboard) allows remote att ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0262 (Directory traversal vulnerability in netget for Sybex E-Trainer web se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0261 (Directory traversal vulnerability in InstantServers MiniPortal 1.1.5 a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0260 (Buffer overflow in InstantServers MiniPortal 1.1.5 and earlier allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0259 (InstantServers MiniPortal 1.1.5 and earlier stores sensitive login and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0258 (Merak Mail IceWarp Web Mail uses a static identifier as a user session ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0257 (Cross-site scripting vulnerability in auction.pl of MakeBid Auction De ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0256 (The telnet port in Arescom NetDSL 1000 router allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0255 (The default configuration of Arescom NetDSL 800 does not require authe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0254 (ICQ 2001b Build 3659 allows remote attackers to cause a denial of serv ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0253 (PHP, when not configured with the "display_errors = Off" setting in ph ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0252 (Buffer overflow in Apple QuickTime Player 5.01 and 5.02 allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0249 (PHP for Windows, when installed on Apache 2.0.28 beta as a standalone ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0248 (wmtv 0.6.5 and earlier allows local users to modify arbitrary files vi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0247 (Buffer overflows in wmtv 0.6.5 and earlier may allow local users to ga ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0245 (Lotus Domino server 5.0.8 with NoBanner enabled allows remote attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0244 (Directory traversal vulnerability in chroot function in AtheOS 0.3.7 a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0243 (Cross-site scripting vulnerability in Opera 6.0 and earlier allows rem ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0242 (Cross-site scripting vulnerability in Internet Explorer 6 earlier allo ...) NOT-FOR-US: Microsoft CVE-2002-0240 (PHP, when installed with Apache and configured to search for index.php ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0239 (Buffer overflow in hanterm 3.3.1 and earlier allows local users to exe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0238 (Cross-site scripting vulnerability in web administration interface for ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0236 (Lucent VitalSuite 8.0 through 8.2, including VitalNet, VitalEvent, and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0235 (Castelle FaxPress, possibly 6.3 and other versions, when configured to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0234 (NetScreen ScreenOS before 2.6.1 does not support a maximum number of c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0233 (Directory traversal vulnerability in eshare Expressions 4 Web server a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0232 (Directory traversal vulnerability in Multi Router Traffic Grapher (MRT ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0231 (Buffer overflow in mIRC 5.91 and earlier allows a remote server to exe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0230 (Cross-site scripting vulnerability in fom.cgi of Faq-O-Matic 2.712 all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0229 (Safe Mode feature (safe_mode) in PHP 3.0 through 4.1.0 allows attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0228 (Microsoft MSN Messenger allows remote attackers to use Javascript that ...) NOT-FOR-US: Microsoft CVE-2002-0227 (KICQ 2.0.0b1 allows remote attackers to cause a denial of service (cra ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0225 (tac_plus Tacacs+ daemon F4.0.4.alpha, originally maintained by Cisco, ...) NOT-FOR-US: Cisco CVE-2002-0224 (The MSDTC (Microsoft Distributed Transaction Service Coordinator) for ...) NOT-FOR-US: Microsoft CVE-2002-0223 (Infopop UBB.Threads 5.4 and Wired Community Software WWWThreads 5.0 th ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0222 (Etype Eserv 2.97 allows remote attackers to redirect traffic to other ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0221 (Etype Eserv 2.97 allows remote attackers to cause a denial of service ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0220 (phpsmssend.php in PhpSmsSend 1.0 allows remote attackers to execute ar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0219 (Buffer overflow in (1) sastcpd in SAS/Base 8.0 and 8.1 or (2) objspawn ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0218 (Format string vulnerability in (1) sastcpd in SAS/Base 8.0 and 8.1 or ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0217 (Cross-site scripting (CSS) vulnerabilities in the Private Message Syst ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0216 (userinfo.php in XOOPS 1.0 RC1 allows remote attackers to obtain sensit ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0215 (Agora.cgi 3.2r through 4.0 while in debug mode allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0214 (Compaq Intel PRO/Wireless 2011B LAN USB Device Driver 1.5.16.0 through ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0212 (The login for Hosting Controller 1.1 through 1.4.1 returns different e ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0210 (setlicense for TOLIS Group Backup and Restore Utility (BRU) 17.0 allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0208 (PGP Security PGPfire 7.1 for Windows alters the system's TCP/IP stack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0206 (index.php in Francisco Burzi PHP-Nuke 5.3.1 and earlier, and possibly ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0205 (Cross-site scripting (CSS) vulnerability in error.asp for Plumtree Cor ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0204 (Buffer overflow in GNU Chess (gnuchess) 5.02 and earlier, if modified ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0203 (ttawebtop.cgi in Tarantella Enterprise 3.20 on SPARC Solaris and Linux ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0202 (PaintBBS 1.2 installs certain files and directories with insecure perm ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0201 (Cyberstop Web Server for Windows 0.1 allows remote attackers to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0200 (Cyberstop Web Server for Windows 0.1 allows remote attackers to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0199 (Buffer overflow in admin.cgi for Nullsoft Shoutcast Server 1.8.3 allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0198 (Buffer overflow in plDaniels ripMime 1.2.6 and earlier, as used in oth ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0195 RESERVED CVE-2002-0194 RESERVED CVE-2002-0192 REJECTED CVE-2002-0189 (Cross-site scripting vulnerability in Internet Explorer 6.0 allows rem ...) NOT-FOR-US: Microsoft CVE-2002-0182 RESERVED CVE-2002-0180 (Buffer overflow in Webalizer 2.01-06, when configured to use reverse D ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0177 (Buffer overflows in icecast 1.3.11 and earlier allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0165 (LogWatch 2.5 allows local users to gain root privileges via a symlink ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0164 (Vulnerability in the MIT-SHM extension of the X server on Linux (XFree ...) {DSA-380} - xfree86 4.2.1-11 CVE-2002-0162 (LogWatch before 2.5 allows local users to execute arbitrary code via a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0161 RESERVED CVE-2002-0154 (Buffer overflows in extended stored procedures for Microsoft SQL Serve ...) NOT-FOR-US: Microsoft CVE-2002-0145 (chuid 1.2 and earlier does not properly verify the ownership of files ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0144 (Directory traversal vulnerability in chuid 1.2 and earlier allows remo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0142 (CGI handler in John Roy Pi3Web for Windows 2.0 beta 1 and 2 allows rem ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0141 (Maelstrom GPL 3.0.1 allows local users to overwrite arbitrary files of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0140 (Domain Name Relay Daemon (dnrd) 2.10 and earlier allows remote malicio ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0138 (CDRDAO 1.1.4 and 1.1.5 allows local users to read arbitrary files via ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0137 (CDRDAO 1.1.4 and 1.1.5 allows local users to overwrite arbitrary files ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0136 (Microsoft Internet Explorer 5.5 on Windows 98 allows remote web pages ...) NOT-FOR-US: Microsoft CVE-2002-0135 (Netopia Timbuktu Pro 6.0.1 and earlier allows remote attackers to caus ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0134 (Telnet proxy in Avirt Gateway Suite 4.2 does not require authenticatio ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0133 (Buffer overflows in Avirt Gateway Suite 4.2 allow remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0132 (Buffer overflow in Chinput 3.0 allows local users to execute arbitrary ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0131 (ActivePython ActiveX control for Python in the AXScript package, when ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0130 (Buffer overflow in efax 0.9 and earlier, when installed setuid root, a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0129 (efax 0.9 and earlier, when installed setuid root, allows local users t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0127 (Netgear RP114 Cable/DSL Web Safe Router Firmware 3.26, when configured ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0126 (Buffer overflow in BlackMoon FTP Server 1.0 through 1.5 allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0125 (Buffer overflow in ClanLib library 0.5 may allow local users to execut ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0124 (MDG Computer Services Web Server 4D/eCommerce 3.5.3 allows remote atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0122 (Siemens 3568i WAP mobile phones allows remote attackers to cause a den ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0119 (Alcatel Speed Touch Home ADSL Modem allows remote attackers to cause a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0118 (Cross-site scripting vulnerability in Infopop Ultimate Bulletin Board ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0116 (Palm OS 3.5h and possibly other versions, as used in Handspring Visor ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0114 (EMC NetWorker (formerly Legato NetWorker) before 7.0 stores passwords ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0113 (EMC NetWorker (formerly Legato NetWorker) before 7.0 stores log files ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0112 (Etype Eserv 2.97 allows remote attackers to view password protected fi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0110 (Nevrona Designs MiraMail 1.04 and earlier stores authentication inform ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0109 (Linksys EtherFast BEFN2PS4, BEFSR41, and BEFSR81 Routers, and possibly ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0108 (Allaire Forums 2.0.4 and 2.0.5 and Forums! 3.0 and 3.1 allows remote a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0106 (BEA Systems Weblogic Server 6.1 allows remote attackers to cause a den ...) NOT-FOR-US: BEA WebLogic CVE-2002-0105 (CDE dtlogin in Caldera UnixWare 7.1.0, and possibly other operating sy ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0104 (AFTPD 5.4.4 allows remote attackers to gain sensitive information via ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0103 (An installer program for Oracle9iAS Web Cache 2.0.0.x creates executab ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0102 (Oracle9iAS Web Cache 2.0.0.x allows remote attackers to cause a denial ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0101 (Microsoft Internet Explorer 6.0 and earlier allows local users to caus ...) NOT-FOR-US: Microsoft CVE-2002-0100 (AOL AOLserver 3.4.2 Win32 allows remote attackers to bypass authentica ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0099 (Buffer overflow in Michael Lamont Savant Web Server 3.0 allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0093 (Buffer overflow in ipcs for HP Tru64 UNIX 4.0f through 5.1a may allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0091 (Multiple CGI scripts in CIDER SHADOW 1.5 and 1.6 allows remote attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0089 (Buffer overflow in admintool in Solaris 2.5 through 8 allows local use ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0088 (Buffer overflow in admintool in Solaris 2.6, 7, and 8 allows local use ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0087 (bindsock in Lotus Domino 5.07 on Solaris allows local users to create ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0086 (Buffer overflow in bindsock in Lotus Domino 5.0.4 and 5.0.7 on Linux a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0085 (cachefsd in Solaris 2.6, 7, and 8 allows remote attackers to cause a d ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0084 (Buffer overflow in the fscache_setup function of cachefsd in Solaris 2 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0077 (Microsoft Internet Explorer 5.01, 5.5 and 6.0 treats objects invoked o ...) NOT-FOR-US: Microsoft CVE-2002-0058 (Vulnerability in Java Runtime Environment (JRE) allows remote maliciou ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0056 (Buffer overflow in SQL Server 7.0 and 2000 allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0053 (Buffer overflow in SNMP agent service in Windows 95/98/98SE, Windows N ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0048 (Multiple signedness errors (mixed signed and unsigned numbers) in the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0041 (Unknown vulnerability in Mail for SGI IRIX 6.5 through 6.5.15f, and po ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0039 (rpcbind in SGI IRIX 6.5 through 6.5.15f, and possibly earlier versions ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0037 (Lotus Domino Servers 5.x, 4.6x, and 4.5x allows attackers to bypass th ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0035 REJECTED CVE-2002-0034 (The Microsoft CONVERT.EXE program, when used on Windows 2000 and Windo ...) NOT-FOR-US: Microsoft CVE-2002-0031 (Buffer overflows in Yahoo! Messenger 5,0,0,1064 and earlier allows rem ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0030 (The digital signature mechanism for the Adobe Acrobat PDF viewer only ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0029 (Buffer overflows in the DNS stub resolver library in ISC BIND 4.9.2 th ...) {DSA-196} - bind9 - bind 1:8.3.3-3 CVE-2002-0019 RESERVED CVE-2002-0016 RESERVED CVE-2002-0015 RESERVED CVE-2002-0013 (Vulnerabilities in the SNMPv1 request handling of a large number of SN ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0012 (Vulnerabilities in a large number of SNMP implementations allow remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0010 (Bugzilla before 2.14.1 allows remote attackers to inject arbitrary SQL ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0008 (Bugzilla before 2.14.1 allows remote attackers to (1) spoof a user com ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2002-0001 (Vulnerability in RFC822 address parser in mutt before 1.2.5.1 and mutt ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1413 (Stack-based buffer overflow in the comprexx function for ncompress 4.2 ...) NOTE: not vulnerable according to http://web.archive.org/web/20070529152436/http://www.debian.org/security/nonvulns-sarge NOTE: discussion at: NOTE: http://archives.neohapsis.com/archives/linux/lsap/2001-q2/0081.html NOTE: listed sarge version contains a fix like the patch from Gentoo - ncompress 4.2.4-15 CVE-2001-1412 (nidump on MacOS X before 10.3 allows local users to read the encrypted ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1411 (Format string vulnerability in gm4 (aka m4) on Mac OS X may allow loca ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1410 (Internet Explorer 6 and earlier allows remote attackers to create chro ...) NOT-FOR-US: Microsoft CVE-2001-1409 (dexconf in XFree86 Xserver 4.1.0-2 creates the /dev/dri directory with ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1408 (Directory traversal vulnerability in readmsg.php in WebMail 2.0.1 in C ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1405 (Bugzilla before 2.14 does not restrict access to sanitycheck.cgi, whic ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1404 (Bugzilla before 2.14 stores user passwords in plaintext and sends pass ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1403 (Bugzilla before 2.14 includes the username and password in URLs, which ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1402 (Bugzilla before 2.14 does not properly escape untrusted parameters, wh ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1401 (Bugzilla before 2.14 does not properly restrict access to confidential ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1400 (Unknown vulnerabilities in the UDP port allocation for Linux kernel be ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1399 (Certain operations in Linux kernel before 2.2.19 on the x86 architectu ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1398 (Masquerading code for Linux kernel before 2.2.19 does not fully check ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1397 (The System V (SYS5) shared memory implementation for Linux kernel befo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1396 (Unknown vulnerabilities in strnlen_user for Linux kernel before 2.2.19 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1395 (Unknown vulnerability in sockfilter for Linux kernel before 2.2.19 rel ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1394 (Signedness error in (1) getsockopt and (2) setsockopt for Linux kernel ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1393 (Unknown vulnerability in classifier code for Linux kernel before 2.2.1 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1392 (The Linux kernel before 2.2.19 does not have unregister calls for (1) ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1390 (Unknown vulnerability in binfmt_misc in the Linux kernel before 2.2.19 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1389 (Multiple vulnerabilities in xinetd 2.3.0 and earlier, and additional v ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1388 (iptables before 1.2.4 does not accurately convert rate limits that are ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1387 (iptables-save in iptables before 1.2.4 records the "--reject-with icmp ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1384 (ptrace in Linux 2.2.x through 2.2.19, and 2.4.x through 2.4.9, allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1379 (The PostgreSQL authentication modules (1) mod_auth_pgsql 0.9.5, and (2 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1377 (Multiple RADIUS implementations do not properly validate the Vendor-Le ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1376 (Buffer overflow in digest calculation function of multiple RADIUS impl ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1368 (Vulnerability in iPlanet Web Server 4 included in Virtualvault Operati ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1366 (netscript before 1.6.3 parses dynamic variables, which could allow rem ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1365 (Vulnerability in IntraGnat before 1.4. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1364 (Vulnerability in autodns.pl for AutoDNS before 0.0.4 related to domain ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1363 (Vulnerability in phpWebSite before 0.7.9 related to running multiple i ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1362 (Vulnerability in the server for nPULSE before 0.53p4. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1361 (Vulnerability in The Web Information Gateway (TWIG) 2.7.1, possibly re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1360 (Vulnerability in Scanner Access Now Easy (SANE) before 1.0.5, related ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1358 (Vulnerabilities in phpMyChat before 0.14.4 allow local and possibly re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1357 (Multiple vulnerabilities in phpMyChat before 0.14.5 exist in (1) input ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1356 (NetWin SurgeFTP 2.0f and earlier encrypts passwords using weak hashing ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1355 (Buffer overflows in NetWin Authentication Module (NWAuth) 3.0b and ear ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1354 (NetWin Authentication module (NWAuth) 2.0 and 3.0b, as implemented in ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1353 (ghostscript before 6.51 allows local users to read and write arbitrary ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1348 (TWIG 2.6.2 and earlier allows remote attackers to perform unauthorized ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1346 (Computer Associates ARCserveIT 6.61 and 6.63 (also called ARCservIT) a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1344 (WSSecurity.pl in WebStore allows remote attackers to bypass authentica ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1343 (ws_mail.cgi in WebStore 400/400CS 4.14 allows remote authenticated Web ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1341 (The Beck GmbH IPC@Chip embedded web server installs the chipcfg.cgi pr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1340 (Beck GmbH IPC@Chip TelnetD service supports only one connection and do ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1339 (Beck IPC GmbH IPC@CHIP telnet service does not delay or disconnect use ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1338 (Beck IPC GmbH IPC@CHIP TelnetD server generates different responses wh ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1337 (Beck IPC GmbH IPC@CHIP Embedded-Webserver allows remote attackers to c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1336 (CesarFTP 0.98b and earlier stores usernames and passwords in plaintext ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1335 (Directory traversal vulnerability in CesarFTP 0.98b and earlier allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1333 (Linux CUPS before 1.1.6 does not securely handle temporary files, poss ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1332 (Buffer overflows in Linux CUPS before 1.1.6 may allow remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1331 (mandb in the man-db package before 2.3.16-3 allows local users to over ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1330 (Buffer overflow in rsh on AIX 4.2.0.0 may allow local users to gain ro ...) NOT-FOR-US: AIX CVE-2001-1329 (Buffer overflow in rsh on AIX 4.2.0.0 may allow local users to gain ro ...) NOT-FOR-US: AIX CVE-2001-1326 (Eudora 5.1 allows remote attackers to execute arbitrary code when the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1325 (Internet Explorer 5.0 and 5.5, and Outlook Express 5.0 and 5.5, allow ...) NOT-FOR-US: Microsoft CVE-2001-1324 (cvmlogin and statfile in Paul Jarc idtools before 2001.06.27 do not pr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1323 (Buffer overflow in MIT Kerberos 5 (krb5) 1.2.2 and earlier allows remo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1321 (Oracle Internet Directory Server 2.1.1.x and 3.0.1 allows remote attac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1320 (Network Associates PGP Keyserver 7.0 allows remote attackers to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1319 (Microsoft Exchange 5.5 2000 allows remote attackers to cause a denial ...) NOT-FOR-US: Microsoft CVE-2001-1318 (Vulnerabilities in Qualcomm Eudora WorldMail Server may allow remote a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1317 (Teamware Office Enterprise Directory allows remote attackers to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1316 (Buffer overflows in Teamware Office Enterprise Directory allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1315 (Critical Path (1) InJoin Directory Server or (2) LiveContent Directory ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1314 (Buffer overflows in Critical Path (1) InJoin Directory Server or (2) L ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1313 (Lotus Domino R5 before R5.0.7a allows remote attackers to cause a deni ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1312 (Format string vulnerabilities in Lotus Domino R5 before R5.0.7a allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1311 (Buffer overflows in Lotus Domino R5 before R5.0.7a allow remote attack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1310 (IBM SecureWay 3.2.1 allow remote attackers to cause a denial of servic ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1309 (Buffer overflows in IBM SecureWay 3.2.1 allow remote attackers to caus ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1308 (Format string vulnerabilities in iPlanet Directory Server 4.1.4 and ea ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1307 (Buffer overflows in iPlanet Directory Server 4.1.4 and earlier (LDAP) ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1306 (iPlanet Directory Server 4.1.4 and earlier (LDAP) allows remote attack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1305 (ICQ 2001a Alpha and earlier allows remote attackers to automatically a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1304 (Buffer overflow in SHOUTcast Server 1.8.2 allows remote attackers to c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1300 (Directory traversal vulnerability in Dynu FTP server 1.05 and earlier ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1298 (Webodex PHP script 1.0 and earlier allows remote attackers to include ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1294 (Buffer overflow in A-V Tronics Inetserv 3.2.1 and earlier allows remot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1293 (Buffer overflow in web server of 3com HomeConnect Cable Modem External ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1292 (Sambar Telnet Proxy/Server allows remote attackers to cause a denial o ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1290 (admin.cgi in Active Classifieds Free Edition 1.0, and possibly commerc ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1289 (Quake 3 arena 1.29f and 1.29g allows remote attackers to cause a denia ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1288 (Windows 2000 and Windows NT allows local users to cause a denial of se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1287 (Buffer overflow in Web Calendar in Ipswitch IMail 7.04 and earlier all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1286 (Ipswitch IMail 7.04 and earlier stores a user's session ID in a URL, w ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1285 (Directory traversal vulnerability in readmail.cgi for Ipswitch IMail 7 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1284 (Ipswitch IMail 7.04 and earlier uses predictable session IDs for authe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1283 (The webmail interface for Ipswitch IMail 7.04 and earlier allows remot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1282 (Ipswitch IMail 7.04 and earlier records the physical path of attachmen ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1281 (Web Messaging Server for Ipswitch IMail 7.04 and earlier allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1280 (POP3 Server for Ipswitch IMail 7.04 and earlier generates different re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1278 (Zope before 2.2.4 allows partially trusted users to bypass security co ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1275 (MySQL before 3.23.31 allows users with a MySQL account to use the SHOW ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1274 (Buffer overflow in MySQL before 3.23.31 allows attackers to cause a de ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1273 (The "mxcsr P4" vulnerability in the Linux kernel before 2.2.17-14, whe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1272 (wmtv 0.6.5 and earlier does not properly drop privileges, which allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1271 (Directory traversal vulnerability in rar 2.02 and earlier allows attac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1270 (Directory traversal vulnerability in the console version of PKZip (pkz ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1269 (Info-ZIP UnZip 5.42 and earlier allows attackers to overwrite arbitrar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1268 (Directory traversal vulnerability in Info-ZIP UnZip 5.42 and earlier a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1265 (Directory traversal vulnerability in IBM alphaWorks Java TFTP server 1 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1264 (Vulnerability in mkacct in HP-UX 11.04 running Virtualvault Operating ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1263 (telnet95.exe in Pragma InterAccess 4.0 build 5 allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1262 (Avaya Argent Office 2.1 compares a user-provided SNMP community string ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1261 (Avaya Argent Office 2.1 may allow remote attackers to change hold musi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1260 (Avaya Argent Office uses weak encryption (trivial encoding) for passwo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1259 (Avaya Argent Office allows remote attackers to cause a denial of servi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1258 (Horde Internet Messaging Program (IMP) before 2.2.6 allows local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1257 (Cross-site scripting vulnerability in Horde Internet Messaging Program ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1256 (kmmodreg in HP-UX 11.11, 11.04 and 11.00 allows local users to create ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1255 (WinMySQLadmin 1.1 stores the MySQL password in plain text in the my.in ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1254 (Web Access component for COM2001 Alexis 2.0 and 2.1 in InternetPBX sen ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1253 (Alexis 2.0 and 2.1 in COM2001 InternetPBX stores voicemail passwords i ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1250 (vWebServer 1.2.0 allows remote attackers to cause a denial of service ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1249 (vWebServer 1.2.0 allows remote attackers to cause a denial of service ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1248 (vWebServer 1.2.0 allows remote attackers to view arbitrary ASP scripts ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1245 (Opera 5.0 for Linux does not properly handle malformed HTTP headers, w ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1244 (Multiple TCP implementations could allow remote attackers to cause a d ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1243 (Scripting.FileSystemObject in asp.dll for Microsoft IIS 4.0 and 5.0 al ...) NOT-FOR-US: Microsoft CVE-2001-1242 (Directory traversal vulnerability in Un-CGI 1.9 and earlier allows rem ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1241 (Un-CGI 1.9 and earlier does not verify that a CGI script has the execu ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1239 (PowerNet IX allows remote attackers to cause a denial of service via a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1238 (Task Manager in Windows 2000 does not allow local users to end process ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1233 (Netware Enterprise Web Server 5.1 running GroupWise WebAccess 5.5 with ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1232 (GroupWise WebAccess 5.5 with directory indexing enabled allows a remot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1230 (Buffer overflows in Icecast before 1.3.10 allow remote attackers to ca ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1229 (Buffer overflows in (1) Icecast before 1.3.9 and (2) libshout before 1 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1228 (Buffer overflows in gzip 1.3x, 1.2.4, and other versions might allow a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1226 (AdCycle 1.17 and earlier allow remote attackers to modify SQL queries, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1225 (Hughes Technology Mini SQL 2.0.10 through 2.0.12 allows local users to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1224 (get_input in adrotate.pm for Les VanBrunt AdRotate Pro 2.0 allows remo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1223 (The web administration server for ELSA Lancom 1100 Office does not req ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1222 (Plesk Server Administrator (PSA) 1.0 allows remote attackers to obtain ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1221 (D-Link DWL-1000AP Firmware 3.2.28 #483 Wireless LAN Access Point uses ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1220 (D-Link DWL-1000AP Firmware 3.2.28 #483 Wireless LAN Access Point store ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1219 (Microsoft Internet Explorer 6.0 and earlier allows malicious website o ...) NOT-FOR-US: Microsoft CVE-2001-1218 (Microsoft Internet Explorer for Unix 5.0SP1 allows local users to poss ...) NOT-FOR-US: Microsoft CVE-2001-1217 (Directory traversal vulnerability in PL/SQL Apache module in Oracle Or ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1216 (Buffer overflow in PL/SQL Apache module in Oracle 9i Application Serve ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1214 (manual.php in Marcus S. Xenakis Unix Manual 1.0 allows remote attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1213 (The default configuration of DataWizard FtpXQ 2.0 and 2.1 includes a d ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1212 (Cross-site scripting vulnerability in catgy.cgi for Aktivate 1.03 allo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1211 (Ipswitch IMail 7.0.4 and earlier allows attackers with administrator p ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1210 (Cisco ubr900 series routers that conform to the Data-over-Cable Servic ...) NOT-FOR-US: Cisco CVE-2001-1209 (Directory traversal vulnerability in zml.cgi allows remote attackers t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1208 (Format string vulnerability in DayDream BBS allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1207 (Buffer overflows in DayDream BBS 2.9 through 2.13 allow remote attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1206 (Matrix CGI vault Last Lines 2.0 allows remote attackers to execute arb ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1205 (Directory traversal vulnerability in lastlines.cgi for Last Lines 2.0 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1204 (Directory traversal vulnerability in phprocketaddin in Total PC Soluti ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1202 (Cross-site scripting vulnerability in DeleGate 7.7.0 and 7.7.1 does no ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1198 (RLPDaemon in HP-UX 10.20 and 11.0 allows local users to overwrite arbi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1197 (klprfax_filter in KDE2 KDEUtils allows local users to overwrite arbitr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1196 (Directory traversal vulnerability in edit_action.cgi of Webmin Directo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1195 (Novell Groupwise 5.5 and 6.0 Servlet Gateway is installed with a defau ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1194 (Zyxel Prestige 681 and 1600 SDSL Routers allow remote attackers to cau ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1192 (Citrix Independent Computing Architecture (ICA) Client for Windows 6.1 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1191 (WebSeal in IBM Tivoli SecureWay Policy Director 3.8 allows remote atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1190 (The default PAM files included with passwd in Mandrake Linux 8.1 do no ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1189 (IBM Websphere Application Server 3.5.3 and earlier stores a password i ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1188 (mailto.exe in Brian Dorricott MAILTO 1.0.9 and earlier allows remote a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1187 (csvform.pl 0.1 allows remote attackers to execute arbitrary commands v ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1184 (wrshdsp.exe in Denicomp Winsock RSHD/NT 2.21.00 and earlier allows rem ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1182 (Vulnerability in login in HP-UX 11.00, 11.11, and 10.20 allows restric ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1181 (Dynamically Loadable Kernel Module (dlkm) static kernel symbol table i ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1179 (xman allows local users to gain privileges by modifying the MANPATH to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1178 (Buffer overflow in xman allows local users to gain privileges via a lo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1173 (Vulnerability in MasqMail before 0.1.15 allows local users to gain pri ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1171 (Check Point Firewall-1 3.0b through 4.0 SP1 follows symlinks and creat ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1170 (AmTote International homebet program stores the homebet.log file in th ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1169 (keyinit in S/Key does not require authentication to initialize a one-t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1168 (Directory traversal vulnerability in index.php in PhpMyExplorer before ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1167 REJECTED CVE-2001-1165 (Intego FileGuard 4.0 uses weak encryption to store user information an ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1164 (Buffer overflow in uucp utilities in UnixWare 7 allows local users to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1163 (Buffer overflow in Munica Corporation NetSQL 1.0 allows remote attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1159 (load_prefs.php and supporting include files in SquirrelMail 1.0.4 and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1157 (Baltimore Technologies WEBsweeper 4.0 and 4.02 does not properly filte ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1156 (TYPSoft FTP 0.95 allows remote attackers to cause a denial of service ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1154 (Cyrus 2.0.15, 2.0.16, and 1.6.24 on BSDi 4.2, with IMAP enabled, allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1152 (Baltimore Technologies WEBsweeper 4.02, when used to manage URL blackl ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1151 (Trend Micro OfficeScan Corporate Edition (aka Virus Buster) 3.53 allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1150 (Vulnerability in cgiWebupdate.exe in Trend Micro OfficeScan Corporate ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1148 (Multiple buffer overflows in programs used by scoadmin and sysadmsh in ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1143 (IBM DB2 7.0 allows a remote attacker to cause a denial of service (cra ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1142 (ArGoSoft FTP Server 1.2.2.2 uses weak encryption for user passwords, w ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1140 (BadBlue Personal Edition v1.02 beta allows remote attackers to read so ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1139 (Directory traversal vulnerability in ASCII NT WinWrapper Professional ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1138 (Directory traversal vulnerability in r.pl (aka r.cgi) of Randy Parker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1137 (D-Link DI-704 Internet Gateway firmware earlier than V2.56b6 allows re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1136 (The libsecurity library in HP-UX 11.04 (VVOS) allows attackers to caus ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1135 (ZyXEL Prestige 642R and 642R-I routers do not filter the routers' Teln ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1134 (Xerox DocuPrint N40 Printers allow remote attackers to cause a denial ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1133 (Vulnerability in a system call in BSDI 3.0 and 3.1 allows local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1131 (Directory traversal vulnerability in WhitSoft Development SlimFTPd 2.2 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1129 (Format string vulnerabilities in (1) _probuild, (2) _dbutil, (3) _mpro ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1128 (Buffer overflow in Progress database 8.3D and 9.1C allows local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1127 (Buffer overflow in Progress database 8.3D and 9.1C could allow a local ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1126 (Symantec LiveUpdate 1.4 through 1.6, and possibly later versions, allo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1125 (Symantec LiveUpdate before 1.6 does not use cryptography to ensure the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1124 (rpcbind in HP-UX 11.00, 11.04 and 11.11 allows remote attackers to cau ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1123 (Vulnerability in Network Node Manager (NNM) 6.2 and earlier in HP Open ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1122 (Windows NT 4.0 SP 6a allows a local user with write access to winnt/sy ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1120 (Vulnerabilities in ColdFusion 2.0 through 4.5.1 SP 2 allow remote atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1115 (generate.cgi in SIX-webboard 2.01 and before allows remote attackers t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1114 (book.cgi in NetCode NC Book 0.2b allows remote attackers to execute ar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1112 (Buffer overflow in EFTP 2.0.7.337 allows remote attackers to execute a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1111 (EFTP 2.0.7.337 stores user passwords in plaintext in the eftp2users.da ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1110 (EFTP 2.0.7.337 allows remote attackers to obtain NETBIOS credentials b ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1109 (Directory traversal vulnerability in EFTP 2.0.7.337 allows remote auth ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1107 (SnapStream PVS 1.2a stores its passwords in plaintext in the file SSD. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1105 (RSA BSAFE SSL-J 3.0, 3.0.1 and 3.1, as used in Cisco iCND 2.0, caches ...) NOT-FOR-US: Cisco CVE-2001-1104 (SonicWALL SOHO uses easily predictable TCP sequence numbers, which all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1102 (Check Point FireWall-1 3.0b through 4.1 for Solaris allows local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1101 (The Log Viewer function in the Check Point FireWall-1 GUI for Solaris ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1097 (Cisco routers and switches running IOS 12.0 through 12.2.1 allows a re ...) NOT-FOR-US: Cisco CVE-2001-1094 (NetOp School 1.5 allows local users to bypass access restrictions on t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1093 (Buffer overflow in msgchk in Digital UNIX 4.0G and earlier allows loca ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1092 (msgchk in Digital UNIX 4.0G and earlier allows a local user to read th ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1091 (The (1) dump and (2) dump_lfs commands in NetBSD 1.4.x through 1.5.1 d ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1090 (nss_postgresql 0.6.1 and before allows a remote attacker to execute ar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1087 (The default configuration of the config.http.tunnel.allow_ports option ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1086 (XDM in XFree86 3.3 and 3.3.3 generates easily guessable cookies using ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1082 (Directory traversal vulnerability in Livingston/Lucent RADIUS before 2 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1078 (Format string vulnerability in flog function of eXtremail 1.1.9 and ea ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1077 (Buffer overflow in tt_printf function of rxvt 2.6.2 allows local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1076 (Buffer overflow in whodo in Solaris SunOS 5.5.1 through 5.8 allows loc ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1073 (Webridge PX Application Suite allows remote attackers to obtain sensit ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1070 (Sage Software MAS 200 allows remote attackers to cause a denial of ser ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1068 (qpopper 4.01 with PAM based authentication on Red Hat systems generate ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1065 (Web-based configuration utility in Cisco 600 series routers running CB ...) NOT-FOR-US: Cisco CVE-2001-1064 (Cisco 600 series routers running CBOS 2.0.1 through 2.4.2ap allows rem ...) NOT-FOR-US: Cisco CVE-2001-1061 (Vulnerability in lsmcode in unknown versions of AIX, possibly related ...) NOT-FOR-US: AIX CVE-2001-1060 (phpMyAdmin 2.2.0rc3 and earlier allows remote attackers to execute arb ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1058 (The License Manager (mathlm) for Mathematica 4.0 and 4.1 allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1057 (The License Manager (mathlm) for Mathematica 4.0 and 4.1 allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1052 (Empris PHP script allows remote attackers to include arbitrary files f ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1051 (Dark Hart Portal (darkportal) PHP script allows remote attackers to in ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1050 (CCCSoftware CCC PHP script allows remote attackers to include arbitrar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1047 (Race condition in OpenBSD VFS allows local users to cause a denial of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1045 (Directory traversal vulnerability in basilix.php3 in Basilix Webmail 1 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1044 (Basilix Webmail 0.9.7beta, and possibly other versions, stores *.class ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1042 (Transsoft Broker 5.9.5.0 allows remote attackers to read arbitrary fil ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1041 (oracle program in Oracle 8.0.x, 8.1.x and 9.0.1 allows local users to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1040 (HP LaserJet, and possibly other JetDirect devices, resets the admin pa ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1039 (The JetAdmin web interface for HP JetDirect does not set a password fo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1034 (Format string vulnerability in Hylafax on FreeBSD allows local users t ...) {DSA-148} - hylafax 4.1.2-2.1 CVE-2001-1033 (Compaq TruCluster 1.5 allows remote attackers to cause a denial of ser ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1031 (Directory traversal vulnerability in Meteor FTP 1.0 allows remote atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1026 (Trend Micro InterScan AppletTrap 2.0 does not properly filter URLs whe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1025 (PHP-Nuke 5.x allows remote attackers to perform arbitrary SQL operatio ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1024 (login.gas.bat and other CGI scripts in Entrust getAccess allow remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1023 (Xcache 2.1 allows remote attackers to determine the absolute path of w ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1021 (Buffer overflows in WS_FTP 2.02 allow remote attackers to execute arbi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1019 (Directory traversal vulnerability in view_item CGI program in sglMerch ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1018 (Lotus Domino web server 5.08 allows remote attackers to determine the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1015 (Buffer overflow in Snes9x 1.37, when installed setuid root, allows loc ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1014 (eshop.pl in WebDiscount(e)shop allows remote attackers to execute arbi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1013 (Apache on Red Hat Linux with with the UserDir directive enabled genera ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1012 (Vulnerability in screen before 3.9.10, related to a multi-attach error ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1009 (Fetchmail (aka fetchmail-ssl) before 5.8.17 allows a remote malicious ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1007 (Starfish Truesync Desktop 2.0b as used on the REX 5000 PDA uses a smal ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1006 (Starfish Truesync Desktop 2.0b as used on the REX 5000 PDA does not en ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1005 (Starfish Truesync Desktop 2.0b as used on the REX 5000 PDA uses weak e ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1004 (Cross-site scripting (CSS) vulnerability in gnut Gnutella client befor ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1003 (Respondus 1.1.2 for WebCT uses weak encryption to remember usernames a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-1000 (rlmadmin RADIUS management utility in Merit AAA Server 3.8M, 5.01, and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0999 (Outlook Express 6.00 allows remote attackers to execute arbitrary scri ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0997 (Textor Webmasters Ltd listrec.pl CGI program allows remote attackers t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0996 (POP3Lite before 0.2.4 does not properly quote a . (dot) in an email me ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0994 (Marconi ForeThought 7.1 allows remote attackers to cause a denial of s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0992 (shopplus.cgi in ShopPlus shopping cart allows remote attackers to exec ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0991 (Cross-site scripting vulnerability in Proxomitron Naoko-4 BetaFour and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0990 (Inter7 vpopmail 4.10.35 and earlier, when using the MySQL module, comp ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0989 (Buffer overflows in Pileup before 1.2 allows local users to gain root ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0988 (Arkeia backup server 4.2.8-2 and earlier creates its database files wi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0986 (SQLQHit.asp sample file in Microsoft Index Server 2.0 allows remote at ...) NOT-FOR-US: Microsoft CVE-2001-0985 (shop.pl in Hassan Consulting Shopping Cart 1.23 allows remote attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0984 (Password Safe 1.7(1) leaves cleartext passwords in memory when a user ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0983 (UltraEdit uses weak encryption to record FTP passwords in the uedit32. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0979 (Buffer overflow in swverify in HP-UX 11.0, and possibly other programs ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0976 (Vulnerability in HP Process Resource Manager (PRM) C.01.08.2 and earli ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0975 (Buffer overflow vulnerabilities in Oracle Internet Directory Server (L ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0974 (Format string vulnerabilities in Oracle Internet Directory Server (LDA ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0972 (Surf-Net ASP Forum before 2.30 uses easily guessable cookies based on ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0971 (Directory traversal vulnerability in ACI 4d webserver allows remote at ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0970 (Cross-site scripting vulnerability in TDForum 1.2 CGI script (tdforum1 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0968 (Knox Arkeia server 4.2, and possibly other versions, installs its root ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0967 (Knox Arkeia server 4.2, and possibly other versions, uses a constant s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0966 (Directory traversal vulnerability in Nudester 1.10 and earlier allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0964 (Buffer overflow in client for Half-Life 1.1.0.8 and earlier allows mal ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0958 (Buffer overflows in eManager plugin for Trend Micro InterScan VirusWal ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0956 (speechd 0.54 and earlier, with the Festival or rsynth speech synthesis ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0955 (Buffer overflow in fbglyph.c in XFree86 before 4.2.0, related to glyph ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0953 (Kebi WebMail allows remote attackers to access the administrator menu ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0952 (THQ Volition Red Faction Game allows remote attackers to cause a denia ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0950 (ValiCert Enterprise Validation Authority (EVA) Administration Server 3 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0949 (Buffer overflows in forms.exe CGI program in ValiCert Enterprise Valid ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0948 (Cross-site scripting (CSS) vulnerability in ValiCert Enterprise Valida ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0947 (Forms.exe CGI program in ValiCert Enterprise Validation Authority (EVA ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0945 (Buffer overflow in Outlook Express 5.0 through 5.02 for Macintosh allo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0944 (DDE in mIRC allows local users to launch applications under another us ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0943 (dbsnmp in Oracle 8.0.5 and 8.1.5, under certain conditions, trusts the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0942 (dbsnmp in Oracle 8.1.6 and 8.1.7 uses the ORACLE_HOME environment vari ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0941 (Buffer overflow in dbsnmp in Oracle 8.0.6 through 9.0.1 allows local u ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0938 (Directory traversal vulnerability in AspUpload 2.1, in certain configu ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0937 (PGPMail.pl 1.31 allows remote attackers to execute arbitrary commands ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0935 (Vulnerability in wu-ftpd 2.6.0, and possibly earlier versions, which i ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0934 (Cooolsoft PowerFTP Server 2.03 allows remote attackers to obtain the p ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0933 (Cooolsoft PowerFTP Server 2.03 allows remote attackers to list the con ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0932 (Buffer overflow in Cooolsoft PowerFTP Server 2.03 allows remote attack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0931 (Directory traversal vulnerability in Cooolsoft PowerFTP Server 2.03 al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0930 (Sendpage.pl allows remote attackers to execute arbitrary commands via ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0928 (Buffer overflow in the permitted function of GNOME gtop daemon (libgto ...) {DSA-301} - libgtop 1.0.13-4 CVE-2001-0927 (Format string vulnerability in the permitted function of GNOME libgtop ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0926 (SSIFilter in Allaire JRun 3.1, 3.0 and 2.3.3 allows remote attackers t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0925 (The default installation of Apache before 1.3.19 allows remote attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0924 (Directory traversal vulnerability in ifx CGI program in Informix Web D ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0923 (RPM Package Manager 4.0.x through 4.0.2.x allows an attacker to execut ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0922 (ndcgi.exe in Netdynamics 4.x through 5.x, and possibly earlier version ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0919 (Internet Explorer 5.50.4134.0100 on Windows ME with "Prompt to allow c ...) NOT-FOR-US: Microsoft CVE-2001-0916 (Buffer overflow in Berkeley parallel make (pmake) 2.1.33 and earlier a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0915 (Format string vulnerability in Berkeley parallel make (pmake) 2.1.33 a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0913 (Format string vulnerability in Network Solutions Rwhoisd 1.5.7.2 and e ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0911 (PHP-Nuke 5.1 stores user and administrator passwords in a base-64 enco ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0910 (Legato Networker before 6.1 allows remote attackers to bypass access r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0908 (CITRIX Metaframe 1.8 logs the Client Address (IP address) that is prov ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0904 (Internet Explorer 5.5 and 6 with the Q312461 (MS01-055) patch modifies ...) NOT-FOR-US: Microsoft CVE-2001-0903 (Linear key exchange process in High-bandwidth Digital Content Protecti ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0898 (Opera 6.0 and earlier allows remote attackers to access sensitive info ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0897 (Cross-site scripting vulnerability in Infopop Ultimate Bulletin Board ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0893 (Acme mini_httpd before 1.16 allows remote attackers to view sensitive ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0892 (Acme Thttpd Secure Webserver before 2.22, with the chroot option enabl ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0890 (Certain backend drivers in the SANE library 1.0.3 and earlier, as used ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0885 RESERVED CVE-2001-0883 RESERVED CVE-2001-0882 RESERVED CVE-2001-0881 RESERVED CVE-2001-0880 RESERVED CVE-2001-0878 RESERVED CVE-2001-0871 (Directory traversal vulnerability in HTTP server for Alchemy Eye and A ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0870 (HTTP server in Alchemy Eye and Alchemy Network Monitor 1.9x through 2. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0868 (Red Hat Stronghold 2.3 to 3.0 allows remote attackers to retrieve syst ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0858 (Buffer overflow in pppattach and other linked PPP utilities in Caldera ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0856 (Common Cryptographic Architecture (CCA) in IBM 4758 allows an attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0855 (Buffer overflow in db_loader in ClearCase 4.2 and earlier allows local ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0854 (PHP-Nuke 5.2 allows remote attackers to copy and delete arbitrary file ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0853 (Directory traversal vulnerability in Entrust GetAccess allows remote a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0849 (viralator CGI script in Viralator 0.9pre1 and earlier allows remote at ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0848 (join.cfm in e-Zone Media Fuse Talk allows a local user to execute arbi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0847 (Lotus Domino Web Server 5.x allows remote attackers to gain sensitive ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0845 (Vulnerability in DECwindows Motif Server on OpenVMS VAX or Alpha 6.2 t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0844 (Vulnerability in (1) Book of guests and (2) Post it! allows remote att ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0842 (Directory traversal vulnerability in Search.cgi in Leoboard LB5000 LB5 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0841 (Directory traversal vulnerability in Search.cgi in Ikonboard ib219 and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0840 (Buffer overflow in Compaq Insight Manager XE 2.1b and earlier allows r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0839 (ibillpm.pl in iBill password management system generates weak password ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0838 (Format string vulnerability in Network Solutions Rwhoisd 1.5.x allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0835 (Cross-site scripting vulnerability in Webalizer 2.01-06, and possibly ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0832 (Vulnerability in Oracle 8.0.x through 9.0.1 on Unix allows local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0831 (Unknown vulnerability in Oracle Label Security in Oracle 8.1.7 and 9.0 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0829 (A cross-site scripting vulnerability in Apache Tomcat 3.2.1 allows a m ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0827 (Cerberus FTP server 1.0 - 1.5 allows remote attackers to cause a denia ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0826 (Buffer overflows in CesarFTPD 0.98b allows remote attackers to execute ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0824 (Cross-site scripting vulnerability in IBM WebSphere 3.02 and 3.5 FP2 a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0821 (The default configuration of DCShop 1.002 beta places sensitive files ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0820 (Buffer overflows in GazTek ghttpd 1.4 allows a remote attacker to exec ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0818 (A buffer overflow the '\s' console command in MDBMS 0.99b9 and earlier ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0817 (Vulnerability in HP-UX line printer daemon (rlpdaemon) in HP-UX 10.01 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0814 REJECTED CVE-2001-0813 REJECTED CVE-2001-0812 REJECTED CVE-2001-0811 REJECTED CVE-2001-0810 REJECTED CVE-2001-0809 (Vulnerability in CIFS/9000 Server (SAMBA) A.01.06 and earlier in HP-UX ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0808 (gnatsweb.pl in GNATS GnatsWeb 2.7 through 3.95 allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0807 (Internet Explorer 5.0, and possibly other versions, may allow remote a ...) NOT-FOR-US: Microsoft CVE-2001-0802 REJECTED CVE-2001-0800 (lpsched in IRIX 6.5.13f and earlier allows remote attackers to execute ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0799 (Buffer overflows in lpsched in IRIX 6.5.13f and earlier allow remote a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0798 REJECTED CVE-2001-0795 (Perception LiteServe 1.25 allows remote attackers to obtain source cod ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0794 (Buffer overflow in A-FTP Anonymous FTP Server allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0791 (Trend Micro InterScan VirusWall for Windows NT allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0790 (Specter IDS version 4.5 and 5.0 allows a remote attacker to cause a de ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0789 (Format string vulnerability in avpkeeper in Kaspersky KAV 3.5.135.2 fo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0788 (Internet Software Solutions Air Messenger LAN Server (AMLServer) 3.4.2 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0786 (Internet Software Solutions Air Messenger LAN Server (AMLServer) 3.4.2 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0785 (Directory traversal in Webpaging interface in Internet Software Soluti ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0783 (Cisco TFTP server 1.1 allows remote attackers to read arbitrary files ...) NOT-FOR-US: Cisco CVE-2001-0782 (KDE ktvision 0.1.1-271 and earlier allows local attackers to gain root ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0781 (Buffer overflow in SpoonFTP 1.0.0.12 allows remote attackers to execut ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0780 (Directory traversal vulnerability in cosmicpro.cgi in Cosmicperl Direc ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0778 (OmniHTTPd 2.0.8 and earlier allow remote attackers to obtain source co ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0777 (Omnicron OmniHTTPd 2.0.8 allows remote attackers to cause a denial of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0776 (Buffer overflow in DynFX MailServer version 2.10 allows remote attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0775 (Buffer overflow in xloadimage 4.1 (aka xli 1.16 and 1.17) in Linux all ...) {DSA-695-1} - xli 1.17.0-17 CVE-2001-0772 (Buffer overflows and other vulnerabilities in multiple Common Desktop ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0771 (Spytech SpyAnywhere 1.50 allows remote attackers to gain administrator ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0768 (GuildFTPd 0.9.7 stores user names and passwords in plaintext in the de ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0767 (Directory traversal vulnerability in GuildFTPd 0.9.7 allows attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0766 (Apache on MacOS X Client 10.0.3 with the HFS+ file system allows remot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0762 (Buffer overflow in su-wrapper 1.1.1 allows local users to execute arbi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0761 (Buffer overflow in HttpSave.dll in Trend Micro InterScan WebManager 1. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0759 (Buffer overflow in bctool in Jetico BestCrypt 0.8.1 and earlier allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0758 (Directory traversal vulnerability in Shambala 4.5 allows remote attack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0756 (CatalogMgr.pl in VirtualCatalog (incorrectly claimed to be in VirtualC ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0755 (Buffer overflow in ftp daemon (ftpd) 6.2 in Debian GNU/Linux allows at ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0753 (Cisco CBOS 2.3.8 and earlier stores the passwords for (1) exec and (2) ...) NOT-FOR-US: Cisco CVE-2001-0747 (Buffer overflow in iPlanet Web Server (iWS) Enterprise Edition 4.1, se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0746 (Buffer overflow in Web Publisher in iPlanet Web Server Enterprise Edit ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0744 (Horde IMP 2.2.4 and earlier allows local users to overwrite files via ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0743 (Paging function in O'Reilly WebBoard Pager 4.10 allows remote attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0742 (Buffer overflow in Computalynx CMail POP3 mail server 2.4.9 allows rem ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0737 (A long 'synch' delay in Logitech wireless mice and keyboard receivers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0736 (Vulnerability in (1) pine before 4.33 and (2) the pico editor, include ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0735 (Buffer overflow in cfingerd 1.4.3 and earlier with the ALLOW_LINE_PARS ...) - cfingerd 1.4.3-1.1 (bug #104394) NOTE: 1.4.3-1.2 is not in the PTS, but 1.4.3-1.2 incorporates NOTE: its changes. CVE-2001-0734 (Hitachi Super-H architecture in NetBSD 1.5 and 1.4.1 allows a local us ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0729 (Apache 1.3.20 on Windows servers allows remote attackers to bypass the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0725 RESERVED CVE-2001-0721 (Universal Plug and Play (UPnP) in Windows 98, 98SE, ME, and XP allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0715 (Sendmail before 8.12.1, without the RestrictQueueRun option enabled, a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0714 (Sendmail before 8.12.1, without the RestrictQueueRun option enabled, a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0713 (Sendmail before 8.12.1 does not properly drop privileges when the -C o ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0712 (The rendering engine in Internet Explorer determines the MIME type ind ...) NOT-FOR-US: Microsoft CVE-2001-0711 (Cisco IOS 11.x and 12.0 with ATM support allows attackers to cause a d ...) NOT-FOR-US: Cisco CVE-2001-0709 (Microsoft IIS 4.0 and before, when installed on a FAT partition, allow ...) NOT-FOR-US: Microsoft CVE-2001-0708 (Denicomp REXECD 1.05 and earlier allows a remote attacker to cause a d ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0707 (Denicomp RSHD 2.18 and earlier allows a remote attacker to cause a den ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0705 (Directory traversal vulnerability in tradecli.dll in Arcadia Internet ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0704 (tradecli.dll in Arcadia Internet Store 1.0 allows a remote attacker to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0703 (tradecli.dll in Arcadia Internet Store 1.0 allows a remote attacker to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0702 (Cerberus FTP 1.5 and earlier allows remote attackers to cause a denial ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0695 (WFTPD 3.00 R5 allows a remote attacker to cause a denial of service by ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0694 (Directory traversal vulnerability in WFTPD 3.00 R5 allows a remote att ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0693 (WebTrends HTTP Server 3.1c and 3.5 allows a remote attacker to view sc ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0691 (Buffer overflows in Washington University imapd 2000a through 2000c co ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0689 (Vulnerability in TrendMicro Virus Control System 1.8 allows a remote a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0688 (Broker FTP Server 5.9.5.0 allows a remote attacker to cause a denial o ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0687 (Broker FTP server 5.9.5 for Windows NT and 9x allows a remote attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0684 (Netscape Collabra Server 3.5.4 and earlier allows a remote attacker to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0683 (Memory leak in Netscape Collabra Server 3.5.4 and earlier allows a rem ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0681 (Buffer overflow in ftpd in QPC QVT/Net 5.0 and QVT/Term 5.0 allows a r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0679 (A buffer overflow in InterScan VirusWall 3.23 and 3.3 allows a remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0678 (A buffer overflow in reggo.dll file used by Trend Micro InterScan Viru ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0674 (Directory traversal vulnerability in RobTex Viking Web server before 1 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0673 RESERVED CVE-2001-0672 RESERVED CVE-2001-0671 (Buffer overflows in (1) send_status, (2) kill_print, and (3) chk_fhost ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0669 (Various Intrusion Detection Systems (IDS) including (1) Cisco Secure I ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0661 RESERVED CVE-2001-0657 REJECTED CVE-2001-0656 REJECTED CVE-2001-0655 REJECTED CVE-2001-0654 REJECTED CVE-2001-0649 (Personal Web Sharing 1.5.5 allows a remote attacker to cause a denial ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0647 (Orange Web Server 2.1, based on GoAhead, allows a remote attacker to p ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0645 (Symantec/AXENT NetProwler 3.5.x contains several default passwords, wh ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0642 (Directory traversal vulnerability in IncrediMail version 1400185 and e ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0636 (Buffer overflows in Raytheon SilentRunner allow remote attackers to (1 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0633 (Directory traversal vulnerability in Sun Chili!Soft ASP on multiple Un ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0632 (Sun Chili!Soft 3.5.2 on Linux and 3.6 on AIX creates a default admin u ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0624 (QNX 2.4 allows a local user to read arbitrary files by directly access ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0623 (sendfiled, as included with Simple Asynchronous File Transfer (SAFT), ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0620 (iPlanet Calendar Server 5.0p2 and earlier allows a local attacker to g ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0619 (The Lucent Closed Network protocol can allow remote attackers to join ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0618 (Orinoco RG-1000 wireless Residential Gateway uses the last 5 digits of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0617 (Allied Telesyn AT-AR220e cable/DSL router firmware 1.08a RC14 with the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0614 (Carello E-Commerce 1.2.1 and earlier allows a remote attacker to gain ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0610 (kfm as included with KDE 1.x can allow a local attacker to gain additi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0609 (Format string vulnerability in Infodrom cfingerd 1.4.3 and earlier all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0608 (HP architected interface facility (AIF) as includes with MPE/iX 5.5 th ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0607 (asecure as included with HP-UX 10.01 through 11.00 can allow a local a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0606 (Vulnerability in iPlanet Web Server 4.X in HP-UX 11.04 (VVOS) with Vir ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0605 (Headlight Software MyGetright prior to 1.0b allows a remote attacker t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0604 (Lotus Domino R5 prior to 5.0.7 allows a remote attacker to create a de ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0603 (Lotus Domino R5 prior to 5.0.7 allows a remote attacker to create a de ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0602 (Lotus Domino R5 prior to 5.0.7 allows a remote attacker to create a de ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0601 (Lotus Domino R5 prior to 5.0.7 allows a remote attacker to create a de ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0600 (Lotus Domino R5 prior to 5.0.7 allows a remote attacker to create a de ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0599 (Sybase Adaptive Server Anywhere Database Engine 6.0.3.2747 and earlier ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0598 (Symantec Ghost 6.5 and earlier allows a remote attacker to create a de ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0597 (Zetetic Secure Tool for Recalling Important Passwords (STRIP) 0.5 and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0592 (Watchguard Firebox II prior to 4.6 allows a remote attacker to create ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0588 (sendmail 8.9.3, as included with the MMDF 2.43.3b package in SCO OpenS ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0587 (deliver program in MMDF 2.43.3b in SCO OpenServer 5.0.6 can allow a lo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0584 (IMAP server in Alt-N Technologies MDaemon 3.5.6 allows a local user to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0583 (Alt-N Technologies MDaemon 3.5.4 allows a remote attacker to create a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0582 (Ben Spink CrushFTP FTP Server 2.1.6 and earlier allows a local attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0581 (Spytech Spynet Chat Server 6.5 allows a remote attacker to create a de ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0580 (Hughes Technologies Virtual DNS (VDNS) Server 1.0 allows a remote atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0579 (lpadmin in SCO OpenServer 5.0.6 can allow a local attacker to gain add ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0578 (Buffer overflow in lpforms in SCO OpenServer 5.0-5.0.6 can allow a loc ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0577 (recon in SCO OpenServer 5.0 through 5.0.6 can allow a local attacker t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0576 (lpusers as included with SCO OpenServer 5.0 through 5.0.6 allows a lo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0575 (Buffer overflow in lpshut in SCO OpenServer 5.0.6 can allow a local at ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0572 (The SSH protocols 1 and 2 (aka SSH-2) as implemented in OpenSSH and ot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0571 (Directory traversal vulnerability in the web server for (1) Elron Inte ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0570 (minicom 1.83.1 and earlier allows a local attacker to gain additional ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0569 (Digital Creations Zope 2.3.1 b1 and earlier contains a problem in the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0568 (Digital Creations Zope 2.3.1 b1 and earlier allows a local attacker (Z ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0566 (Cisco Catalyst 2900XL switch allows a remote attacker to create a deni ...) NOT-FOR-US: Cisco CVE-2001-0562 (a1disp.cgi program in Drummond Miles A1Stats prior to 1.6 allows a rem ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0561 (Directory traversal vulnerability in Drummond Miles A1Stats prior to 1 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0557 (T. Hauck Jana Webserver 1.46 and earlier allows a remote attacker to v ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0556 (The Nirvana Editor (NEdit) 5.1.1 and earlier allows a local attacker t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0555 (ScreamingMedia SITEWare versions 2.5 through 3.1 allows a remote attac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0552 (ovactiond in HP OpenView Network Node Manager (NNM) 6.1 and Tivoli Net ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0551 (Buffer overflow in CDE Print Viewer (dtprintinfo) allows local users t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0542 (Buffer overflows in Microsoft SQL Server 7.0 and 2000 allow attackers ...) NOT-FOR-US: Microsoft CVE-2001-0539 RESERVED CVE-2001-0535 (Example applications (Exampleapps) in ColdFusion Server 4.x do not pro ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0534 (Multiple buffer overflows in RADIUS daemon radiusd in (1) Merit 3.6b a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0532 RESERVED CVE-2001-0531 RESERVED CVE-2001-0524 (eEye SecureIIS versions 1.0.3 and earlier does not perform length chec ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0523 (eEye SecureIIS versions 1.0.3 and earlier allows a remote attacker to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0521 (Aladdin eSafe Gateway versions 3.0 and earlier allows a remote attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0520 (Aladdin eSafe Gateway versions 3.0 and earlier allows a remote attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0519 (Aladdin eSafe Gateway versions 2.x allows a remote attacker to circumv ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0516 (Oracle listener between Oracle 9i and Oracle 8.0 allows remote attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0515 (Oracle Listener in Oracle 7.3 and 8i allows remote attackers to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0509 (Vulnerabilities in RPC servers in (1) Microsoft Exchange Server 2000 a ...) NOT-FOR-US: Microsoft CVE-2001-0505 (Multiple memory leaks in Microsoft Services for Unix 2.0 allow remote ...) NOT-FOR-US: Microsoft CVE-2001-0499 (Buffer overflow in Transparent Network Substrate (TNS) Listener in Ora ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0498 (Transparent Network Substrate (TNS) over Net8 (SQLNet) in Oracle 8i 8. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0496 (kdesu in kdelibs package creates world readable temporary files contai ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0492 (Netcruiser Web server version 0.1.2.8 and earlier allows remote attack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0491 (Directory traversal vulnerability in RaidenFTPD Server 2.1 before buil ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0490 (Buffer overflow in WINAMP 2.6x and 2.7x allows attackers to execute ar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0484 (Tektronix PhaserLink 850 does not require authentication for access to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0483 (Configuration error in Axent Raptor Firewall 6.5 allows remote attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0480 (Directory traversal vulnerability in Alex's FTP Server 0.7 allows remo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0479 (Directory traversal vulnerability in phpPgAdmin 2.2.1 and earlier vers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0478 (Directory traversal vulnerability in phpMyAdmin 2.2.0 and earlier vers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0477 (Vulnerability in WebCalendar 0.9.26 allows remote command execution. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0476 (Multiple buffer overflows in s.cgi program in Aspseek search engine 1. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0472 (Hursley Software Laboratories Consumer Transaction Framework (HSLCTF) ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0471 (SSH daemon version 1 (aka SSHD-1 or SSH-1) 1.2.30 and earlier does not ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0470 (Buffer overflow in SNMP proxy agent snmpd in Solaris 8 may allow local ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0468 (Buffer overflow in FTPFS allows local users to gain root privileges vi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0466 (Directory traversal vulnerability in ustorekeeper 1.61 allows remote a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0464 (Buffer overflow in websync.exe in Cyberscheduler allows remote attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0460 (Websweeper 4.0 does not limit the length of certain HTTP headers, whic ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0459 (Buffer overflows in ascdc Afterstep while running setuid allows local ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0458 (Multiple buffer overflows in ePerl before 2.2.14-0.7 allow local and r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0454 (Directory traversal vulnerability in SlimServe HTTPd 1.1a allows remot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0453 (Directory traversal vulnerability in BRS WebWeaver HTTP server allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0452 (BRS WebWeaver FTP server before 0.64 Beta allows remote attackers to o ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0451 (INDEXU 2.0 beta and earlier allows remote attackers to bypass authenti ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0450 (Directory traversal vulnerability in Transsoft FTP Broker before 5.5 a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0448 (Web configuration server in 602Pro LAN SUITE allows remote attackers t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0447 (Web configuration server in 602Pro LAN SUITE allows remote attackers t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0446 (IBM WCS (WebSphere Commerce Suite) 4.0.1 with Application Server 3.0.2 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0443 (Buffer overflow in QPC QVT/Net Popd 4.20 in QVT/Net 5.0 allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0441 (Buffer overflow in (1) wrapping and (2) unwrapping functions of slrn n ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0438 (Preview version of Timbuktu for Mac OS X allows local users to modify ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0437 (upload_file.pl in DCForum 2000 1.0 allows remote attackers to upload a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0436 (dcboard.cgi in DCForum 2000 1.0 allows remote attackers to execute arb ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0435 (The split key mechanism used by PGP 7.0 allows a key share holder to o ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0433 (Buffer overflow in Savant 3.0 web server allows remote attackers to ca ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0432 (Buffer overflows in various CGI programs in the remote administration ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0431 (Vulnerability in iPlanet Web Server Enterprise Edition 4.x. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0426 (Buffer overflow in dtsession on Solaris, and possibly other operating ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0425 (AdLibrary.pm in AdCycle 0.78b allows remote attackers to gain privileg ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0424 (BubbleMon 1.31 does not properly drop group privileges before executin ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0421 (FTP server in Solaris 8 and earlier allows local and remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0420 (Directory traversal vulnerability in talkback.cgi program allows remot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0419 (Buffer overflow in shared library ndwfn4.so for iPlanet Web Server (iW ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0418 (content.pl script in NCM Content Management System allows remote attac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0417 (Kerberos 4 (aka krb4) allows local users to overwrite arbitrary files ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0415 (REDIPlus program, REDI.exe, stores passwords and user names in clearte ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0411 (Reliant Unix 5.44 and earlier allows remote attackers to cause a denia ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0410 (Buffer overflow in Trend Micro Virus Buster 2001 8.02 allows remote at ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0406 (Samba before 2.2.0 allows local attackers to overwrite arbitrary files ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0404 (Directory traversal vulnerability in JavaServer Web Dev Kit (JSWDK) 1. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0403 (/opt/JSparm/bin/perfmon program in Solaris allows local users to creat ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0401 (Buffer overflow in tip in Solaris 8 and earlier allows local users to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0400 (nph-maillist.pl allows remote attackers to execute arbitrary commands ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0399 (Caucho Resin 1.3b1 and earlier allows remote attackers to read source ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0398 (The BAT! mail client allows remote attackers to bypass user warnings o ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0397 (Buffer overflow in Silent Runner Collector (SRC) 1.6.1 allows remote a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0396 (The pre-login mode in the System Administrator interface of Lightwave ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0395 (Lightwave ConsoleServer 3200 does not disconnect users after unsuccess ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0393 (Navision Financials Server 2.0 allows remote attackers to cause a deni ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0392 (Navision Financials Server 2.60 and earlier allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0391 (Xitami 2.5d4 and earlier allows remote attackers to crash the server v ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0390 (IBM Websphere/NetCommerce3 3.1.2 allows remote attackers to cause a de ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0389 (IBM Websphere/NetCommerce3 3.1.2 allows remote attackers to determine ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0385 (GoAhead webserver 2.1 allows remote attackers to cause a denial of ser ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0384 (ppd in Reliant Sinix allows local users to corrupt arbitrary files via ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0382 (Computer Associates CCC\Harvest 5.0 for Windows NT/2000 uses weak encr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0381 (The OpenPGP PGP standard allows an attacker to determine the private s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0380 (Crosscom/Olicom XLT-F running XL 80 IM Version 5.5 Build Level 2 allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0376 (SonicWALL Tele2 and SOHO firewalls with 6.0.0.0 firmware using IPSEC w ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0374 (The HTTP server in Compaq web-enabled management software for (1) Foun ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0372 (Akopia Interchange 4.5.3 through 4.6.3 installs demo stores with a def ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0370 (fcheck prior to 2.57.59 calls the file signature checking program inse ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0369 (Buffer overflow in lpsched on DGUX version R4.20MU06 and MU02 allows a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0367 (Mirabilis ICQ WebFront Plug-in ICQ2000b Build 3278 allows a remote att ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0360 (Directory traversal vulnerability in help.cgi in Ikonboard 2.1.7b and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0359 (Format string vulnerability in Sierra Half-Life build 1573 and earlier ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0358 (Buffer overflows in Sierra Half-Life build 1573 and earlier allow remo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0357 (FormMail.pl in FormMail 1.6 and earlier allows a remote attacker to se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0355 (Novell Groupwise 5.5 (sp1 and sp2) allows a remote user to access arbi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0354 (TheNet CheckBO 1.56 allows remote attackers to cause a denial of servi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0352 (SNMP agents in 3Com AirConnect AP-4111 and Symbol 41X1 Access Point al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0350 (Microsoft Windows 2000 telnet service creates named pipes with predict ...) NOT-FOR-US: Microsoft CVE-2001-0349 (Microsoft Windows 2000 telnet service creates named pipes with predict ...) NOT-FOR-US: Microsoft CVE-2001-0343 RESERVED CVE-2001-0342 RESERVED CVE-2001-0337 (The Microsoft MS01-014 and MS01-016 patches for IIS 5.0 and earlier in ...) NOT-FOR-US: Microsoft CVE-2001-0332 (Internet Explorer 5.5 and earlier does not properly verify the domain ...) NOT-FOR-US: Microsoft CVE-2001-0329 (Bugzilla 2.10 allows remote attackers to execute arbitrary commands vi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0328 (TCP implementations that use random increments for initial sequence nu ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0325 (Buffer overflow in QNX RTP 5.60 allows remote attackers to cause a den ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0324 (Windows 98 and Windows 2000 Java clients allow remote attackers to cau ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0323 (The ICMP path MTU (PMTU) discovery feature in various UNIX systems all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0322 (MSHTML.DLL HTML parser in Internet Explorer 4.0, and other versions, a ...) NOT-FOR-US: Microsoft CVE-2001-0320 (bb_smilies.php and bbcode_ref.php in PHP-Nuke 4.4 allows remote attack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0315 (The locking feature in mIRC 5.7 allows local users to bypass the passw ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0314 (Buffer overflow in www.tol module in America Online (AOL) 5.0 may allo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0313 (Borderware Firewall Server 6.1.2 allows remote attackers to cause a de ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0312 (IBM WebSphere plugin for Netscape Enterprise server allows remote atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0308 (UploadServlet in Bajie HTTP JServer 0.78, and possibly other versions ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0307 (Bajie HTTP JServer 0.78, and other versions before 0.80, allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0306 (Directory traversal vulnerability in ITAfrica WEBactive HTTP Server 1. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0305 (Directory traversal vulnerability in store.cgi in Thinking Arts ES.One ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0304 (Directory traversal vulnerability in Caucho Resin 1.2.2 allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0303 (tstisapi.dll in Pi3Web 1.0.1 web server allows remote attackers to det ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0302 (Buffer overflow in tstisapi.dll in Pi3Web 1.0.1 web server allows remo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0300 (oidldapd 2.1.1.1 in Oracle 8.1.7 records log files in a directory (lda ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0298 (Buffer overflow in WebReflex 1.55 HTTPd allows remote attackers to cau ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0297 (Directory traversal vulnerability in Simple Server HTTPd 1.0 (original ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0296 (Buffer overflow in WFTPD Pro 3.00 allows remote attackers to execute a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0294 (Directory traversal vulnerability in TYPSoft FTP Server 0.85 allows re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0293 (Directory traversal vulnerability in FtpXQ FTP server 2.0.93 allows re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0292 (PHP-Nuke 4.4.1a allows remote attackers to modify a user's email addre ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0291 (Buffer overflow in post-query sample CGI program allows remote attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0286 (Directory traversal vulnerability in A1 HTTP server 1.0a allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0285 (Buffer overflow in A1 HTTP server 1.0a allows remote attackers to caus ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0283 (Directory traversal vulnerability in SunFTP build 9 allows remote atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0282 (SEDUM 2.1 HTTP server allows remote attackers to cause a denial of ser ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0281 (Format string vulnerability in DbgPrint function, used in debug messag ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0277 (Buffer overflow in ext.dll in BadBlue 1.02.07 Personal Edition allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0275 (Moby Netsuite Web Server 1.02 allows remote attackers to cause a denia ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0273 (pgp4pine Pine/PGP interface version 1.75-6 does not properly check to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0272 (Directory traversal vulnerability in sendtemp.pl in W3.org Anaya Web d ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0271 (mailnews.cgi 1.3 and earlier allows remote attackers to execute arbitr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0270 (Marconi ASX-1000 ASX switches allow remote attackers to cause a denial ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0264 (Gene6 G6 FTP Server 2.0 (aka BPFTP Server 2.10) allows remote attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0263 (Gene6 G6 FTP Server 2.0 (aka BPFTP Server 2.10) allows attackers to re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0262 (Buffer overflow in Netscape SmartDownload 1.3 allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0261 (Microsoft Windows 2000 Encrypted File System does not properly destroy ...) NOT-FOR-US: Microsoft CVE-2001-0258 (The Easycom/Safecom Print Server (firmware 404.590) PrintGuide server ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0257 (Buffer overflow in Easycom/Safecom Print Server Web service, version 4 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0256 (FaSTream FTP++ Server 2.0 allows remote attackers to cause a denial of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0255 (FaSTream FTP++ Server 2.0 allows remote attackers to list arbitrary di ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0254 (FaSTream FTP++ Server 2.0 allows remote attackers to obtain the real p ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0253 (Directory traversal vulnerability in hsx.cgi program in iWeb Hyperseek ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0251 (The Web Publishing feature in Netscape Enterprise Server 3.x allows re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0250 (The Web Publishing feature in Netscape Enterprise Server 4.x and earli ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0249 (Heap overflow in FTP daemon in Solaris 8 allows remote attackers to ex ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0248 (Buffer overflow in FTP server in HPUX 11 allows remote attackers to ex ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0247 (Buffer overflows in BSD-based FTP servers allows remote attackers to e ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0246 (Internet Explorer 5.5 and earlier does not properly verify the domain ...) NOT-FOR-US: Microsoft CVE-2001-0242 (Buffer overflows in Microsoft Windows Media Player 7 and earlier allow ...) NOT-FOR-US: Microsoft CVE-2001-0232 (newsdesk.cgi in News Desk 1.2 allows remote attackers to read arbitrar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0231 (Directory traversal vulnerability in newsdesk.cgi in News Desk 1.2 all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0229 (Chili!Soft ASP for Linux before 3.6 does not properly set group privil ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0228 (Directory traversal vulnerability in GoAhead web server 2.1 and earlie ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0227 (Buffer overflow in BiblioWeb web server 2.0 allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0226 (Directory traversal vulnerability in BiblioWeb web server 2.0 allows r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0225 (fortran math component in Infobot 0.44.5.3 and earlier allows remote a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0224 (Muscat Empower CGI program allows remote attackers to obtain the absol ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0223 (Buffer overflow in wwwwais allows remote attackers to execute arbitrar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0220 (Buffer overflow in ja-elvis and ko-helvis ports of elvis allow local u ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0217 (Directory traversal vulnerability in PALS Library System pals-cgi prog ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0216 (PALS Library System pals-cgi program allows remote attackers to execut ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0214 (Way-board CGI program allows remote attackers to read arbitrary files ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0213 (Buffer overflow in pi program in PlanetIntra 2.5 allows remote attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0212 (Directory traversal vulnerability in HIS Auktion 1.62 allows remote at ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0211 (Directory traversal vulnerability in WebSPIRS 3.1 allows remote attack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0210 (Directory traversal vulnerability in commerce.cgi CGI program allows r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0209 (Buffer overflow in Shoutcast Distributed Network Audio Server (DNAS) 1 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0208 (MicroFocus Cobol 4.1, with the AppTrack feature enabled, installs the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0206 (Directory traversal vulnerability in Soft Lite ServerWorx 3.00 allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0205 (Directory traversal vulnerability in AOLserver 3.2 and earlier allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0202 (Picserver web server allows remote attackers to read arbitrary files v ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0201 (The Postaci frontend for PostgreSQL does not properly filter character ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0200 (HSWeb 2.0 HTTP server allows remote attackers to obtain the physical p ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0199 (Directory traversal vulnerability in SEDUM HTTP Server 2.0 allows remo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0198 (Buffer overflow in QuickTime Player plugin 4.1.2 (Japanese) allows rem ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0192 (Buffer overflows in CTRLServer in XMail allows attackers to execute ar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0188 (GoodTech FTP server 3.0.1.2.1.0 and earlier allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0186 (Directory traversal vulnerability in Free Java Web Server 1.0 allows r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0184 (eEye Iris 1.01 beta allows remote attackers to cause a denial of servi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0181 (Format string vulnerability in the error logging code of DHCP server a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0180 (Lars Ellingsen guestserver.cgi allows remote attackers to execute arbi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0177 (WebMaster ConferenceRoom 1.8.1 allows remote attackers to cause a deni ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0173 (Buffer overflow in qDecoder library 5.08 and earlier, as used in Crazy ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0172 (Buffer overflow in ReiserFS 3.5.28 in SuSE Linux allows local users to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0171 (Buffer overflow in SlimServe HTTPd 1.0 allows remote attackers to caus ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0168 (Buffer overflow in AT&T WinVNC (Virtual Network Computing) server ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0167 (Buffer overflow in AT&T WinVNC (Virtual Network Computing) client ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0163 (Cisco AP340 base station produces predictable TCP Initial Sequence Num ...) NOT-FOR-US: Cisco CVE-2001-0162 (WinCE 3.0.9348 generates predictable TCP Initial Sequence Numbers (ISN ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0161 (Cisco 340-series Aironet access point using firmware 11.01 does not us ...) NOT-FOR-US: Cisco CVE-2001-0160 (Lucent/ORiNOCO WaveLAN cards generate predictable Initialization Vecto ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0159 RESERVED CVE-2001-0158 RESERVED CVE-2001-0146 (IIS 5.0 and Microsoft Exchange 2000 allow remote attackers to cause a ...) NOT-FOR-US: Microsoft CVE-2001-0145 (Buffer overflow in VCard handler in Outlook 2000 and 98, and Outlook E ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0135 (The default installation of Ultraboard 2000 2.11 creates the Skins, Da ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0134 (Buffer overflow in cpqlogin.htm in web-enabled agents for various Comp ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0133 (The web administration interface for Interscan VirusWall 3.6.x and ear ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0132 (Interscan VirusWall 3.6.x and earlier follows symbolic links when unin ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0131 (htpasswd and htdigest in Apache 2.0a9, 1.3.14, and others allows local ...) {DSA-195 DSA-188 DSA-187} - apache-perl 1.3.26-1.1-1.27-3-1 - apache 1.3.27-1 CVE-2001-0127 (Buffer overflow in Olivier Debon Flash plugin (not the Macromedia plug ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0114 (statsconfig.pl in OmniHTTPd 2.07 allows remote attackers to overwrite ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0113 (statsconfig.pl in OmniHTTPd 2.07 allows remote attackers to execute ar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0112 (Multiple buffer overflows in splitvt before 1.6.5 allow local users to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0107 (Veritas Backup agent on Linux allows remote attackers to cause a denia ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0104 (MDaemon Pro 3.5.1 and earlier allows local users to bypass the "lock s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0103 (CoffeeCup Direct and Free FTP clients uses weak encryption to store pa ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0102 ("Multiple Users" Control Panel in Mac OS 9 allows Normal users to gain ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0101 (Vulnerability in fetchmail 5.5.0-2 and earlier in the AUTHENTICATE GSS ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0098 (Buffer overflow in Bea WebLogic Server before 5.1.0 allows remote atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0097 (The Web interface for Infinite Interchange 3.6.1 allows remote attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0093 (Vulnerability in telnetd in FreeBSD 1.5 allows local users to gain roo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0088 (common.inc.php in phpWebLog 0.4.2 does not properly initialize the $CO ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0087 (itetris/xitetris 1.6.2 and earlier trusts the PATH environmental varia ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0086 (CGI Script Center Subscribe Me LITE 2.0 and earlier allows remote atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0084 (GTK+ library allows local users to specify arbitrary modules via the G ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0082 (Check Point VPN-1/FireWall-1 4.1 SP2 with Fastmode enabled allows remo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0079 (Support Tools Manager (STM) A.22.00 for HP-UX allows local users to ov ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0076 (register.cgi in Ikonboard 2.1.7b and earlier allows remote attackers t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0075 (Directory traversal vulnerability in main.cgi in Technote allows remot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0074 (Directory traversal vulnerability in print.cgi in Technote allows remo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0073 (Buffer overflow in the find_default_type function in libsecure in NSA ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0070 (Buffer overflow in 1st Up Mail Server 4.1 allows remote attackers to c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0068 (Mac OS Runtime for Java (MRJ) 2.2.3 allows remote attackers to use mal ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0067 (The installation of J-Pilot creates the .jpilot directory with the use ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0065 (Buffer overflow in bftpd 1.0.13 allows remote attackers to cause a den ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0064 (Webconfig, IMAP, and other services in MDaemon 3.5.0 and earlier allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0052 (IBM DB2 Universal Database version 6.1 allows users to cause a denial ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0051 (IBM DB2 Universal Database version 6.1 creates an account with a defau ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0049 (WatchGuard SOHO FireWall 2.2.1 and earlier allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0048 (The "Configure Your Server" tool in Microsoft 2000 domain controllers ...) NOT-FOR-US: Microsoft CVE-2001-0047 (The default permissions for the MTS Package Administration registry ke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0046 (The default permissions for the SNMP Parameters registry key in Window ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0045 (The default permissions for the RAS Administration key in Windows NT 4 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0044 (Multiple buffer overflows in Lexmark MarkVision printer driver program ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0038 (Offline Explorer 1.4 before Service Release 2 allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0037 (Directory traversal vulnerability in HomeSeer before 1.4.29 allows rem ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0032 (Format string vulnerability in ssldump possibly allows remote attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0031 (BroadVision One-To-One Enterprise allows remote attackers to determine ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0030 (FoolProof 3.9 allows local users to bypass program execution restricti ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0029 (Buffer overflow in oops WWW proxy server 1.4.6 (and possibly other ver ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0027 (mod_sqlpw module in ProFTPD does not reset a cached password when a us ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0025 (ad.cgi CGI program by Leif Wright allows remote attackers to execute a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0024 (simplestmail.cgi CGI program by Leif Wright allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0023 (everythingform.cgi CGI program by Leif Wright allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0022 (simplestguest.cgi CGI program by Leif Wright allows remote attackers t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2001-0019 (Arrowpoint (aka Cisco Content Services, or CSS) allows local users to ...) NOT-FOR-US: Cisco CVE-2000-1214 (Buffer overflows in the (1) outpack or (2) buf variables of ping in ip ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1213 (ping in iputils before 20001010, as distributed on Red Hat Linux 6.2 t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1209 (The "sa" account is installed with a default null password on (1) Micr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1208 (Format string vulnerability in startprinting() function of printjob.c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1207 (userhelper in the usermode package on Red Hat Linux executes non-setui ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1206 (Vulnerability in Apache httpd before 1.3.11, when configured for mass ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1205 (Cross site scripting vulnerabilities in Apache 1.3.0 through 1.3.11 al ...) - apache 1.3.11 (unimportant) NOTE: only an example script /usr/share/doc/apache-common/examples/ CVE-2000-1204 (Vulnerability in the mod_vhost_alias virtual hosting module for Apache ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1202 (ikeyman in IBM IBMHSSSB 1.0 sets the CLASSPATH environmental variable ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1201 (Check Point FireWall-1 allows remote attackers to cause a denial of se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1199 (PostgreSQL stores usernames and passwords in plaintext in (1) pg_shado ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1198 (qpopper POP server creates lock files with predictable names, which al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1197 (POP2 or POP3 server (pop3d) in imap-uw IMAP package on FreeBSD and oth ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1194 (Argosoft FRP server 1.0 allows remote attackers to cause a denial of s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1192 (Buffer overflow in BTT Software SNMP Trap Watcher 1.16 allows remote a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1191 (htsearch program in htDig 3.2 beta, 3.1.6, 3.1.5, and earlier allows r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1188 (Directory traversal vulnerability in Quikstore shopping cart program a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1186 (Buffer overflow in phf CGI program allows remote attackers to execute ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1185 (The telnet proxy in RideWay PN proxy server allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1183 (Buffer overflow in socks5 server on Linux allows attackers to execute ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1177 (bb-hist.sh, bb-histlog.sh, bb-hostsvc.sh, bb-rep.sh, bb-replog.sh, and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1176 (Directory traversal vulnerability in YaBB search.pl CGI script allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1175 (Buffer overflow in Koules 1.4 allows local users to execute arbitrary ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1173 (Microsys CyberPatrol uses weak encryption (trivial encoding) for credi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1172 (Buffer overflow in Gaim 0.10.3 and earlier using the OSCAR protocol al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1168 (IBM HTTP Server 1.3.6 (based on Apache) allows remote attackers to cau ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1161 (The installation of AdCycle banner management system leaves the build. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1160 (NAI Sniffer Agent allows remote attackers to cause a denial of service ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1159 (NAI Sniffer Agent allows remote attackers to gain privileges on the ag ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1158 (NAI Sniffer Agent uses base64 encoding for authentication, which allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1157 (Buffer overflow in NAI Sniffer Agent allows remote attackers to execut ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1156 (StarOffice 5.2 follows symlinks and sets world-readable permissions fo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1155 (RHDaemon in RobinHood 1.1 web server in BeOS r5 pro and earlier allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1154 (RHConsole in RobinHood 1.1 web server in BeOS r5 pro and earlier allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1153 (PostMaster 1.0 in BeOS r5 pro and earlier allows remote attackers to c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1152 (Browser IRC client in BeOS r5 pro and earlier allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1151 (Baxter IRC client in BeOS r5 pro and earlier allows remote attackers t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1150 (Felix IRC client in BeOS r5 pro and earlier allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1147 (Buffer overflow in IIS ISAPI .ASP parsing mechanism allows attackers t ...) NOT-FOR-US: Microsoft CVE-2000-1138 (Lotus Notes R5 client R5.0.5 and earlier does not properly warn users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1134 (Multiple shell programs on various Unix systems, including (1) tcsh, ( ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1133 (Authentix Authentix100 allows remote attackers to bypass authenticatio ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1130 (McAfee WebShield SMTP 4.5 allows remote attackers to bypass email cont ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1129 (McAfee WebShield SMTP 4.5 allows remote attackers to cause a denial of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1128 (The default configuration of McAfee VirusScan 4.5 does not quote the I ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1127 (registrar in the HP resource monitor service allows local users to rea ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1126 (Vulnerability in auto_parms and set_parms in HP-UX 11.00 and earlier a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1125 (restore 0.4b15 and earlier in Red Hat Linux 6.2 trusts the pathname sp ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1118 (24Link 1.06 web server allows remote attackers to bypass access restri ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1117 (The Extended Control List (ECL) feature of the Java Virtual Machine (J ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1116 (Buffer overflow in TransSoft Broker FTP Server before 4.3.0.1 allows r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1114 (Unify ServletExec AS v3.0C allows remote attackers to read source code ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1110 (document.d2w CGI program in the IBM Net.Data db2www package allows rem ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1105 (The ixsso.query ActiveX Object is marked as safe for scripting, which ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1104 (Variant of the "IIS Cross-Site Scripting" vulnerability as originally ...) NOT-FOR-US: Microsoft CVE-2000-1103 (rcvtty in BSD 3.0 and 4.0 does not properly drop privileges before exe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1102 (PTlink IRCD 3.5.3 and PTlink Services 1.8.1 allow remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1100 (The default configuration for PostACI webmail system installs the /inc ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1098 (The web server for the SonicWALL SOHO firewall allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1093 (Buffer overflow in AOL Instant Messenger before 4.3.2229 allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1092 (loadpage.cgi CGI program in EZshopper 3.0 and 2.0 allows remote attack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1090 (Microsoft IIS for Far East editions 4.0 and 5.0 allows remote attacker ...) NOT-FOR-US: Microsoft CVE-2000-1088 (The xp_SetSQLSecurity function in Microsoft SQL Server 2000 and SQL Se ...) NOT-FOR-US: Microsoft CVE-2000-1087 (The xp_proxiedmetadata function in Microsoft SQL Server 2000 and SQL S ...) NOT-FOR-US: Microsoft CVE-2000-1086 (The xp_printstatements function in Microsoft SQL Server 2000 and SQL S ...) NOT-FOR-US: Microsoft CVE-2000-1085 (The xp_peekqueue function in Microsoft SQL Server 2000 and SQL Server ...) NOT-FOR-US: Microsoft CVE-2000-1084 (The xp_updatecolvbm function in SQL Server and Microsoft SQL Server De ...) NOT-FOR-US: Microsoft CVE-2000-1083 (The xp_showcolv function in SQL Server and Microsoft SQL Server Deskto ...) NOT-FOR-US: Microsoft CVE-2000-1082 (The xp_enumresultset function in SQL Server and Microsoft SQL Server D ...) NOT-FOR-US: Microsoft CVE-2000-1081 (The xp_displayparamstmt function in SQL Server and Microsoft SQL Serve ...) NOT-FOR-US: Microsoft CVE-2000-1079 (Interactions between the CIFS Browser Protocol and NetBIOS as implemen ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1078 (ICQ Web Front HTTPd allows remote attackers to cause a denial of servi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1076 (Netscape (iPlanet) Certificate Management System 4.2 and Directory Ser ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1066 (The getnameinfo function in FreeBSD 4.1.1 and earlier, and possibly ot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1065 (Vulnerability in IP implementation of HP JetDirect printer card Firmwa ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1064 (Buffer overflow in the LPD service in HP JetDirect printer card Firmwa ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1063 (Buffer overflow in the Telnet service in HP JetDirect printer card Fir ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1062 (Buffer overflow in the FTP service in HP JetDirect printer card Firmwa ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1053 (Allaire JRun 2.3.3 server allows remote attackers to compile and execu ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1052 (Allaire JRun 2.3 server allows remote attackers to obtain source code ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1048 (Directory traversal vulnerability in the logfile service of Wingate 4. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1046 (Multiple buffer overflows in the ESMTP service of Lotus Domino 5.0.2c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1039 (Various TCP/IP stacks and network applications allow remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1037 (Check Point Firewall-1 session agent 3.0 through 4.1 generates differe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1035 (Buffer overflows in TYPSoft FTP Server 0.78 and earlier allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1033 (Serv-U FTP Server allows remote attackers to bypass its anti-hammering ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1030 (CS&T CorporateTime for the Web returns different error messages fo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1029 (Buffer overflow in host command allows a remote attacker to execute ar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1028 (Buffer overflow in cu program in HP-UX 11.0 may allow local users to g ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1025 (eWave ServletExec JSP/Java servlet engine, versions 3.0C and earlier, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1023 (The Alabanza Control Panel does not require passwords to access admini ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1021 (Heap overflow in WebConfig in Mdaemon 3.1.1 and earlier allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1020 (Heap overflow in Worldclient in Mdaemon 3.1.1 and earlier allows remot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1017 (Webteachers Webdata allows remote attackers with valid Webdata account ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1015 (The default configuration of Slashcode before version 2.0 Alpha has a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1013 (The setlocale function in FreeBSD 5.0 and earlier, and possibly other ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1012 (The catopen function in FreeBSD 5.0 and earlier, and possibly other OS ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1009 (dump in Red Hat Linux 6.2 trusts the pathname specified by the RSH env ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-1008 (PalmOS 3.5.2 and earlier uses weak encryption to store the user passwo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0999 (Format string vulnerabilities in OpenBSD ssh program (and possibly oth ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0998 (Format string vulnerability in top program allows local attackers to g ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0997 (Format string vulnerabilities in eeprom program in OpenBSD, NetBSD, an ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0988 (WinU 1.0 through 5.1 has a backdoor password that allows remote attack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0987 (Buffer overflow in oidldapd in Oracle 8.1.6 allow local users to gain ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0986 (Buffer overflow in Oracle 8.1.5 applications such as names, namesctl, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0985 (Buffer overflow in All-Mail 1.1 allows remote attackers to execute arb ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0971 (Avirt Mail 4.0 and 4.2 allows remote attackers to cause a denial of se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0963 (Buffer overflow in ncurses library allows local users to execute arbit ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0955 (Cisco Virtual Central Office 4000 (VCO/4K) uses weak encryption to sto ...) NOT-FOR-US: Cisco CVE-2000-0954 (Shambala Server 4.5 stores passwords in plaintext, which could allow l ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0950 (Format string vulnerability in x-gw in TIS Firewall Toolkit (FWTK) all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0940 (Directory traversal vulnerability in Metertek pagelog.cgi allows remot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0939 (Samba Web Administration Tool (SWAT) in Samba 2.0.7 allows remote atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0931 (Buffer overflow in Pegasus Mail 3.11 allows remote attackers to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0918 (Format string vulnerability in kvt in KDE 1.1.2 may allow local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0916 (FreeBSD 4.1.1 and earlier, and possibly other BSD-based OSes, uses an ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0907 (EServ 2.92 Build 2982 allows remote attackers to cause a denial of ser ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0906 (Directory traversal vulnerability in Moreover.com cached_feed.cgi scri ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0905 (QNX Embedded Resource Manager in Voyager web server 2.01B in the demo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0904 (Voyager web server 2.01B in the demo disks for QNX 405 stores sensitiv ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0903 (Directory traversal vulnerability in Voyager web server 2.01B in the d ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0902 (getalbum.php in PhotoAlbum before 0.9.9 allows remote attackers to rea ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0899 (Small HTTP Server 2.01 allows remote attackers to cause a denial of se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0898 (Small HTTP Server 2.01 does not properly process Server Side Includes ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0893 (The presence of the Distributed GL Daemon (dgld) service on port 5232 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0889 (Two Sun security certificates have been compromised, which could allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0885 (Buffer overflows in Microsoft Network Monitor (Netmon) allow remote at ...) NOT-FOR-US: Microsoft CVE-2000-0882 (Intel Express 500 series switches allow a remote attacker to cause a d ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0881 (The dccscan setuid program in LPPlus does not properly check if the us ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0880 (LPPlus creates the lpdprocess file with world-writeable permissions, w ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0879 (LPPlus programs dccsched, dcclpdser, dccbkst, dccshut, dcclpdshut, and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0872 (explorer.php in PhotoAlbum 0.9.9 allows remote attackers to read arbit ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0866 (Interbase 6 SuperServer for Linux allows an attacker to cause a denial ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0857 (The logging capability in muh 2.05d IRC server does not properly clean ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0855 (SunFTP build 9(1) allows remote attackers to cause a denial of service ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0845 (kdebug daemon (kdebugd) in Digital Unix 4.0F allows remote attackers t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0843 (Buffer overflow in pam_smb and pam_ntdom pluggable authentication modu ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0842 (The search97cgi/vtopic" in the UnixWare 7 scohelphttp webserver allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0841 (Buffer overflow in XMail POP3 server before version 0.59 allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0840 (Buffer overflow in XMail POP3 server before version 0.59 allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0836 (Buffer overflow in CamShot WebCam Trial2.6 allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0835 (search.dll Sambar ISAPI Search utility in Sambar Server 4.4 Beta 3 all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0833 (Buffer overflow in WinSMTP 1.06f and 2.X allows remote attackers to ca ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0832 (Htgrep CGI program allows remote attackers to read arbitrary files by ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0831 (Buffer overflow in Fastream FTP++ 2.0 allows remote attackers to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0828 (Buffer overflow in ddicgi.exe in Mobius DocumentDirect for the Interne ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0827 (Buffer overflow in the web authorization form of Mobius DocumentDirect ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0826 (Buffer overflow in ddicgi.exe program in Mobius DocumentDirect for the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0817 (Buffer overflow in the HTTP protocol parser for Microsoft Network Moni ...) NOT-FOR-US: Microsoft CVE-2000-0812 (The administration module in Sun Java web server allows remote attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0802 (The BAIR program does not properly restrict access to the Internet Exp ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0801 (Buffer overflow in bdf program in HP-UX 11.00 may allow local users to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0800 (String parsing error in rpc.kstatd in the linuxnfs or knfsd packages i ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0798 (The truncate function in IRIX 6.x does not properly check for privileg ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0794 (Buffer overflow in IRIX libgl.so library allows local users to gain ro ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0793 (Norton AntiVirus 5.00.01C with the Novell Netware client does not prop ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0791 (Trustix installs the httpsd program for Apache-SSL with world-writeabl ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0789 (WinU 5.x and earlier uses weak encryption to store its configuration p ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0785 (WircSrv IRC Server 5.07s allows IRC operators to read arbitrary files ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0784 (sshd program in the Rapidstream 2.1 Beta VPN appliance has a hard-code ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0775 (Buffer overflow in RobTex Viking server earlier than 1.06-370 allows r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0774 (The sample Java servlet "test" in Bajie HTTP web server 0.30a reveals ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0772 (The installation of Tumbleweed Messaging Management System (MMS) 4.6 a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0769 (O'Reilly WebSite Pro 2.3.7 installs the uploader.exe program with exec ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0760 (The Snoop servlet in Jakarta Tomcat 3.1 and 3.0 under Apache reveals s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0759 (Jakarta Tomcat 3.1 under Apache reveals physical path information when ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0757 (The sysgen service in Aptis Totalbill does not perform authentication, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0756 (Microsoft Outlook 2000 does not properly process long or malformed fie ...) NOT-FOR-US: Microsoft CVE-2000-0755 (Vulnerability in the newgrp command in HP-UX 11.00 allows local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0752 (Buffer overflows in brouted in FreeBSD and possibly other OSes allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0748 (OpenLDAP 1.2.11 and earlier improperly installs the ud binary with gro ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0746 (Vulnerabilities in IIS 4.0 and 5.0 do not properly protect against cro ...) NOT-FOR-US: Microsoft CVE-2000-0736 (Buffer overflow in Becky! Internet Mail client 1.26.04 and earlier all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0735 (Buffer overflow in Becky! Internet Mail client 1.26.03 and earlier all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0734 (eEye IRIS 1.01 beta allows remote attackers to cause a denial of servi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0724 (The go-gnome Helix GNOME pre-installer allows local users to overwrite ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0723 (Helix GNOME Updater helix-update 0.5 and earlier does not properly cre ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0722 (Helix GNOME Updater helix-update 0.5 and earlier allows local users to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0721 (The FSserial, FlagShip_c, and FlagShip_p programs in the FlagShip pack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0719 (VariCAD 7.0 is installed with world-writeable files, which allows loca ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0715 (DiskCheck script diskcheck.pl in Red Hat Linux 6.2 allows local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0714 (umb-scheme 3.2-11 for Red Hat Linux is installed with world-writeable ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0713 (Buffer overflow in Adobe Acrobat 4.05, Reader, Business Tools, and Fil ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0710 (The shtml.exe component of Microsoft FrontPage 2000 Server Extensions ...) NOT-FOR-US: Microsoft CVE-2000-0709 (The shtml.exe component of Microsoft FrontPage 2000 Server Extensions ...) NOT-FOR-US: Microsoft CVE-2000-0704 (Buffer overflow in SGI Omron WorldView Wnn allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0701 (The wrapper program in mailman 2.0beta3 and 2.0beta4 does not properly ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0697 (The administration interface for the dwhttpd web server in Solaris Ans ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0696 (The administration interface for the dwhttpd web server in Solaris Ans ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0695 (Buffer overflows in pgxconfig in the Raptor GFX configuration tool all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0692 (ISS RealSecure 3.2.1 and 3.2.2 allows remote attackers to cause a deni ...) - kdebase 4:2.2.2-14.6 CVE-2000-0691 (The faxrunq and faxrunqd in the mgetty package allows local users to c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0690 (Auction Weaver CGI script 1.02 and earlier allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0689 (Account Manager LITE does not properly authenticate attempts to change ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0688 (Subscribe Me LITE does not properly authenticate attempts to change th ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0687 (Auction Weaver CGI script 1.03 and earlier allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0686 (Auction Weaver CGI script 1.03 and earlier allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0680 (The CVS 1.10.8 server does not properly restrict users from creating a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0667 (Vulnerability in gpm in Caldera Linux allows local users to delete arb ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0659 (Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0658 (Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0657 (Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0656 (Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0653 (Microsoft Outlook Express allows remote attackers to monitor a user's ...) NOT-FOR-US: Microsoft CVE-2000-0649 (IIS 4.0 allows remote attackers to obtain the internal IP address of t ...) NOT-FOR-US: Microsoft CVE-2000-0648 (WFTPD and WFTPD Pro 2.41 allows local users to cause a denial of servi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0647 (WFTPD and WFTPD Pro 2.41 allows remote attackers to cause a denial of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0646 (WFTPD and WFTPD Pro 2.41 allows remote attackers to obtain the real pa ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0645 (WFTPD and WFTPD Pro 2.41 allows remote attackers to cause a denial of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0629 (The default configuration of the Sun Java web server 2.0 and earlier a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0626 (Buffer overflow in Alibaba web server allows remote attackers to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0625 (NetZero 3.0 and earlier uses weak encryption for storing a user's logi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0623 (Buffer overflow in O'Reilly WebSite Professional web server 2.4 and ea ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0618 (Buffer overflow in xconq and cconq game programs on Red Hat Linux allo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0617 (Buffer overflow in xconq and cconq game programs on Red Hat Linux allo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0614 (Tnef program in Linux systems allows remote attackers to overwrite arb ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0612 (Windows 95 and Windows 98 do not properly process spoofed ARP packets, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0609 (NetWin dMailWeb and cwMail 2.6g and earlier allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0608 (NetWin dMailWeb and cwMail 2.6i and earlier allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0607 (Buffer overflow in fld program in Kanji on Console (KON) package on Li ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0606 (Buffer overflow in kon program in Kanji on Console (KON) package on Li ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0605 (Blackboard CourseInfo 4.0 stores the local and SQL administrator user ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0592 (Buffer overflows in POP3 service in WinProxy 2.0 and 2.0.1 allow remot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0589 (SawMill 5.0.21 uses weak encryption to store passwords, which allows a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0580 (Windows 2000 Server allows remote attackers to cause a denial of servi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0578 (SGI MIPSPro compilers C, C++, F77 and F90 generate temporary files in ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0574 (FTP servers such as OpenBSD ftpd, NetBSD ftpd, ProFTPd and Opieftpd do ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0572 (The Razor configuration management tool uses weak encryption for its p ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0564 (The guestbook CGI program in ICQ Web Front service for ICQ 2000a, 99b, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0563 (The URLConnection function in MacOS Runtime Java (MRJ) 2.1 and earlier ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0562 (BlackIce Defender 2.1 and earlier, and BlackIce Pro 2.0.23 and earlier ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0559 (eTrust Intrusion Detection System (formerly SessionWall-3) uses weak e ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0554 (Ceilidh allows remote attackers to obtain the real path of the Ceilidh ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0547 (Buffer overflow in Kerberos 4 KDC program allows remote attackers to c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0546 (Buffer overflow in Kerberos 4 KDC program allows remote attackers to c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0545 (Buffer overflow in mailx mail command (aka Mail) on Linux systems allo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0544 (Windows NT and Windows 2000 hosts allow a remote attacker to cause a d ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0543 (The command port for PGP Certificate Server 2.5.0 and 2.5.1 allows rem ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0535 (OpenSSL 0.9.4 and OpenSSH for FreeBSD do not properly check for the ex ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0531 (Linux gpm program allows local users to cause a denial of service by f ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0527 (userreg.cgi CGI program in MailStudio 2000 2.0 and earlier allows remo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0526 (mailview.cgi CGI program in MailStudio 2000 2.0 and earlier allows rem ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0524 (Microsoft Outlook and Outlook Express allow remote attackers to cause ...) NOT-FOR-US: Microsoft CVE-2000-0520 (Buffer overflow in restore program 0.4b17 and earlier in dump package ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0509 (Buffer overflows in the finger and whois demonstration scripts in Samb ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0503 (The IFRAME of the WebBrowser control in Internet Explorer 5.01 allows ...) NOT-FOR-US: Microsoft CVE-2000-0492 (PassWD 1.2 uses weak encryption (trivial encoding) to store passwords, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0491 (Buffer overflow in the XDMCP parsing code of GNOME gdm, KDE kdm, and w ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0487 (The Protected Store in Windows 2000 does not properly select the stron ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0480 (Dragon telnet server allows remote attackers to cause a denial of serv ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0479 (Dragon FTP server allows remote attackers to cause a denial of service ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0476 (xterm, Eterm, and rxvt allow an attacker to cause a denial of service ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0473 (Buffer overflow in AnalogX SimpleServer 1.05 allows a remote attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0450 (Vulnerability in bbd server in Big Brother System and Network Monitor ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0449 (Omnis Studio 2.4 uses weak encryption (trivial encoding) for encryptin ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0444 (HP Web JetAdmin 6.0 allows remote attackers to cause a denial of servi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0434 (The administrative password for the Allmanage web site administration ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0433 (The SuSE aaa_base package installs some system accounts with home dire ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0429 (A backdoor password in Cart32 3.0 and earlier allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0423 (Buffer overflow in Netwin DNEWSWEB CGI program allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0422 (Buffer overflow in Netwin DMailWeb CGI program allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0420 (The default configuration of SYSKEY in Windows 2000 stores the startup ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0415 (Buffer overflow in Outlook Express 4.x allows attackers to cause a den ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0413 (The shtml.exe program in the FrontPage extensions package of IIS 4.0 a ...) NOT-FOR-US: Microsoft CVE-2000-0412 (The gnapster and knapster clients for Napster do not properly restrict ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0401 (Buffer overflows in redirect.exe and changepw.exe in PDGSoft shopping ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0400 (The Microsoft Active Movie ActiveX Control in Internet Explorer 5 does ...) NOT-FOR-US: Microsoft CVE-2000-0386 (FileMaker Pro 5 Web Companion allows remote attackers to send anonymou ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0385 (FileMaker Pro 5 Web Companion allows remote attackers to bypass Field- ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0384 (NetStructure 7110 and 7180 have undocumented accounts (servnow, root, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0383 (The file transfer component of AOL Instant Messenger (AIM) reveals the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0365 (Red Hat Linux 6.0 installs the /dev/pts file system with insecure mode ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0364 (screen and rxvt in Red Hat Linux 6.0 do not properly set the modes of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0358 (ORBit and gnome-session in Red Hat Linux 6.1 allows remote attackers t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0357 (ORBit and esound in Red Hat Linux 6.1 do not use sufficiently random n ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0355 (pg and pb in SuSE pbpg 1.x package allows an attacker to read arbitrar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0345 (The on-line help system options in Cisco routers allows non-privileged ...) NOT-FOR-US: Cisco CVE-2000-0343 (Buffer overflow in Sniffit 0.3.x with the -L logging option enabled al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0333 (tcpdump, Ethereal, and other sniffer packages allow remote attackers t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0326 (Meeting Maker uses weak encryption (a polyalphabetic substitution ciph ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0325 (The Microsoft Jet database engine allows an attacker to execute comman ...) NOT-FOR-US: Microsoft CVE-2000-0321 (Buffer overflow in IC Radius package allows a remote attacker to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0317 (Buffer overflow in Solaris 7 lpset allows local users to gain root pri ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0312 (cron in OpenBSD 2.5 allows local users to gain root privileges via an ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0300 (The default encryption method of PcAnywhere 9.x uses weak encryption, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0299 (Buffer overflow in WebObjects.exe in the WebObjects Developer 4.5 pack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0295 (Buffer overflow in LCDproc allows remote attackers to gain root privil ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0293 (aaa_base in SuSE Linux 6.3, and cron.daily in earlier versions, allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0291 (Buffer overflow in Star Office 5.1 allows attackers to cause a denial ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0288 (Infonautics getdoc.cgi allows remote attackers to bypass the payment p ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0286 (X fontserver xfs allows local users to cause a denial of service via m ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0284 (Buffer overflow in University of Washington imapd version 4.7 allows u ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0281 (Buffer overflow in the Napster client beta 5 allows remote attackers t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0280 (Buffer overflow in the RealNetworks RealPlayer client versions 6 and 7 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0275 (CRYPTOCard CryptoAdmin for PalmOS uses weak encryption to store a user ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0271 (read-passwd and other Lisp functions in Emacs 20 do not properly clear ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0270 (The make-temp-name Lisp function in Emacs 20 creates temporary files w ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0269 (Emacs 20 does not properly set permissions for a slave PTY device when ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0266 (Internet Explorer 5.01 allows remote attackers to bypass the cross fra ...) NOT-FOR-US: Microsoft CVE-2000-0259 (The default permissions for the Cryptography\Offload registry key used ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0256 (Buffer overflows in htimage.exe and Imagemap.exe in FrontPage 97 and 9 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0250 (The crypt function in QNX uses weak encryption, which allows local use ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0248 (The web GUI for the Linux Virtual Server (LVS) software in the Red Hat ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0244 (The Citrix ICA (Independent Computing Architecture) protocol uses weak ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0242 (WindMail allows remote attackers to read arbitrary files or execute co ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0241 (vqSoft vqServer stores sensitive information such as passwords in clea ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0239 (Buffer overflow in the MERCUR WebView WebMail server allows remote att ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0227 (The Linux 2.2.x kernel does not restrict the number of Unix domain soc ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0220 (ZoneAlarm sends sensitive system and network information in cleartext ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0219 (Red Hat 6.0 allows local users to gain root access by booting single u ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0216 (Microsoft email clients in Outlook, Exchange, and Windows Messaging au ...) NOT-FOR-US: Microsoft CVE-2000-0214 (FTP Explorer uses weak encryption for storing the username, password, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0213 (The Sambar server includes batch files ECHO.BAT and HELLO.BAT in the C ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0205 (Trend Micro OfficeScan allows remote attackers to replay administrativ ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0204 (The Trend Micro OfficeScan client allows remote attackers to cause a d ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0203 (The Trend Micro OfficeScan client tmlisten.exe allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0199 (When a new SQL Server is registered in Enterprise Manager for Microsof ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0198 (Buffer overflow in POP3 and IMAP servers in the MERCUR mail server sui ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0197 (The Windows NT scheduler uses the drive mapping of the interactive use ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0190 (AOL Instant Messenger (AIM) client allows remote attackers to cause a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0188 (EZShopper 3.0 search.cgi CGI script allows remote attackers to read ar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0187 (EZShopper 3.0 loadpage.cgi CGI script allows remote attackers to read ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0177 (DNSTools CGI applications allow remote attackers to execute arbitrary ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0176 (The default configuration of Serv-U 2.5d and earlier allows remote att ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0173 (Vulnerability in the EELS system in SCO UnixWare 7.1.x allows remote a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0167 (IIS Inetinfo.exe allows local users to cause a denial of service by cr ...) NOT-FOR-US: Microsoft CVE-2000-0163 (asmon and ascpu in FreeBSD allow local users to gain root privileges v ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0160 (The Microsoft Active Setup ActiveX component in Internet Explorer 4.x ...) NOT-FOR-US: Microsoft CVE-2000-0158 (Buffer overflow in MMDF server allows remote attackers to gain privile ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0155 (Windows NT Autorun executes the autorun.inf file on non-removable medi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0154 (The ARCserve agent in UnixWare allows local attackers to modify arbitr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0153 (FrontPage Personal Web Server (PWS) allows remote attackers to read fi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0151 (GNU make follows symlinks when it reads a Makefile from stdin, which a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0147 (snmpd in SCO OpenServer has an SNMP community string that is writable ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0143 (The SSH protocol server sshd allows local users without shell access t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0142 (The authentication protocol in Timbuktu Pro 2.0b650 allows remote atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0138 (A system has a distributed denial of service (DDOS) attack master, age ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0137 (The CartIt shopping cart application allows remote users to modify sen ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0136 (The Cart32 shopping cart application allows remote users to modify sen ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0135 (The @Retail shopping cart application allows remote users to modify se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0134 (The Check It Out shopping cart application allows remote users to modi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0133 (Buffer overflows in Tiny FTPd 0.52 beta3 FTP server allows users to ex ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0132 (Microsoft Java Virtual Machine allows remote attackers to read files v ...) NOT-FOR-US: Microsoft CVE-2000-0129 (Buffer overflow in the SHGetPathFromIDList function of the Serv-U FTP ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0126 (Sample Internet Data Query (IDQ) scripts in IIS 3 and 4 allow remote a ...) NOT-FOR-US: Microsoft CVE-2000-0125 (wwwthreads does not properly cleanse numeric data or table names that ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0124 (surfCONTROL SuperScout does not properly asign a category to web sites ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0123 (The shopping cart application provided with Filemaker allows remote us ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0122 (Frontpage Server Extensions allows remote attackers to determine the p ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0119 (The default configurations for McAfee Virus Scan and Norton Anti-Virus ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0118 (The Red Hat Linux su program does not log failed password guesses if t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0115 (IIS allows local users to cause a denial of service via invalid regula ...) NOT-FOR-US: Microsoft CVE-2000-0114 (Frontpage Server Extensions allows remote attackers to determine the n ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0110 (The WebSiteTool shopping cart application allows remote users to modif ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0109 (The mcsp Client Site Processor system (MultiCSP) in Standard and Poor' ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0108 (The Intellivend shopping cart application allows remote users to modif ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0106 (The EasyCart shopping cart application allows remote users to modify s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0105 (Outlook Express 5.01 and Internet Explorer 5.01 allow remote attackers ...) NOT-FOR-US: Microsoft CVE-2000-0104 (The Shoptron shopping cart application allows remote users to modify s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0103 (The SmartCart shopping cart application allows remote users to modify ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0102 (The SalesCart shopping cart application allows remote users to modify ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0101 (The Make-a-Store OrderPage shopping cart application allows remote use ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0096 (Buffer overflow in qpopper 3.0 beta versions allows local users to gai ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0093 (An installation of Red Hat uses DES password encryption with crypt() f ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0086 (Netopia Timbuktu Pro sends user IDs and passwords in cleartext, which ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0085 (Hotmail does not properly filter JavaScript code from a user's mailbox ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0084 (CuteFTP uses weak encryption to store password information in its tree ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0082 (WebTV email client allows remote attackers to force the client to send ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0081 (Hotmail does not properly filter JavaScript code from a user's mailbox ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0079 (The W3C CERN httpd HTTP server allows remote attackers to determine th ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0078 (The June 1999 version of the HP-UX aserver program allows local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0077 (The October 1998 version of the HP-UX aserver program allows local use ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0074 (PowerScripts PlusMail CGI program allows remote attackers to execute c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0071 (IIS 4.0 allows a remote attacker to obtain the real pathname of the do ...) NOT-FOR-US: Microsoft CVE-2000-0069 (The recover program in Solstice Backup allows local users to restore s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0068 (daynad program in Intel InBusiness E-mail Station does not require aut ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0067 (CyberCash Merchant Connection Kit (MCK) allows local users to modify f ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0066 (WebSite Pro allows remote attackers to determine the real pathname of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0061 (Internet Explorer 5 does not modify the security zone for a document t ...) NOT-FOR-US: Microsoft CVE-2000-0059 (PHP3 with safe_mode enabled does not properly filter shell metacharact ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0058 (Network HotSync program in Handspring Visor does not have authenticati ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0055 (Buffer overflow in Solaris chkperm command allows local users to gain ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0054 (search.cgi in the SolutionScripts Home Free package allows remote atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0049 (Buffer overflow in Winamp client allows remote attackers to execute co ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0047 (Buffer overflow in Yahoo Pager/Messenger client allows remote attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0046 (Buffer overflow in ICQ 99b 1.1.1.1 client allows remote attackers to e ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0038 (glFtpD includes a default glftpd user account with a default password ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0035 (resend command in Majordomo allows local users to gain privileges via ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0028 (Internet Explorer 5.0 and 5.01 allows remote attackers to bypass the c ...) NOT-FOR-US: Microsoft CVE-2000-0021 (Lotus Domino HTTP server allows remote attackers to determine the real ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0019 (IMail POP3 daemon uses weak encryption, which allows local users to re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0017 (Buffer overflow in Linux linuxconf package allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0016 (Buffer overflow in Internet Anywhere POP3 Mail Server allows remote at ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0008 (FTPPro allows local users to read sensitive information, which is stor ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0005 (HP-UX aserver program allows local users to gain privileges via a syml ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1572 (cpio on FreeBSD 2.1.0, Debian GNU/Linux 3.0, and possibly other operat ...) {DSA-664-1} - cpio 2.5-1.2 (bug #293379) CVE-1999-1571 (Buffer overflow in sar for SCO OpenServer 5.0.0 through 5.0.5 may allo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1570 (Buffer overflow in sar for OpenServer 5.0.5 allows local users to gain ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1569 (Quake 1 and NetQuake servers allow remote attackers to cause a denial ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1567 (Seapine Software TestTrack server allows a remote attacker to cause a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1566 (Buffer overflow in iParty server 1.2 and earlier allows remote attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1564 (FreeBSD 3.2 and possibly other versions allows a local user to cause a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1563 (Nachuatec D435 and D445 printer allows remote attackers to cause a den ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1562 (gFTP FTP client 1.13, and other versions before 2.0.0, records a passw ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1561 (Nullsoft SHOUTcast server stores the administrative password in plaint ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1560 (Vulnerability in a script in Texas A&M University (TAMU) Tiger all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1559 (Xylan OmniSwitch before 3.2.6 allows remote attackers to bypass the lo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1558 (Vulnerability in loginout in Digital OpenVMS 7.1 and earlier allows un ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1557 (Buffer overflow in the login functions in IMAP server (imapd) in Ipswi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1555 (Cheyenne InocuLAN Anti-Virus Server in Inoculan 4.0 before Service Pac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1554 (/usr/sbin/Mail on SGI IRIX 3.3 and 3.3.1 does not properly set the gro ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1553 (Buffer overflow in XCmail 0.99.6 with autoquote enabled allows remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1552 (dpsexec (DPS Server) when running under XDM in IBM AIX 3.2.5 and earli ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1551 (Buffer overflow in Ipswitch IMail Service 5.0 allows an attacker to ca ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1549 (Lynx 2.x does not properly distinguish between internal and external H ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1548 (Cabletron SmartSwitch Router (SSR) 8000 firmware 2.x can only handle 2 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1547 (Oracle Web Listener 2.1 allows remote attackers to bypass access restr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1546 (netstation.navio-com.rte 1.1.0.1 configuration script for Navio NC on ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1545 (Joe's Own Editor (joe) 2.8 sets the world-readable permission on its c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1544 (Buffer overflow in FTP server in Microsoft IIS 3.0 and 4.0 allows loca ...) NOT-FOR-US: Microsoft CVE-1999-1543 (MacOS uses weak encryption for passwords that are stored in the Users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1541 (shell-lock in Cactus Software Shell Lock allows local users to read or ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1540 (shell-lock in Cactus Software Shell Lock uses weak encryption (trivial ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1539 (Buffer overflow in FTP server in QPC Software's QVT/Term Plus versions ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1538 (When IIS 2 or 3 is upgraded to IIS 4, ism.dll is inadvertently left in ...) NOT-FOR-US: Microsoft CVE-1999-1536 (.sbstart startup script in AcuShop Salesbuilder is world writable, whi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1534 (Buffer overflow in (1) nlservd and (2) rnavc in Knox Software Arkeia b ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1533 (Eicon Technology Diva LAN ISDN modem allows a remote attacker to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1532 (Netscape Messaging Server 3.54, 3.55, and 3.6 allows a remote attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1529 (A buffer overflow exists in the HELO command in Trend Micro Interscan ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1528 (ProSoft Netware Client 5.12 on Macintosh MacOS 9 does not automaticall ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1527 (Internal HTTP server in Sun Netbeans Java IDE in Netbeans Developer 3. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1526 (Auto-update feature of Macromedia Shockwave 7 transmits a user's passw ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1525 (Macromedia Shockwave before 6.0 allows a malicious webmaster to read a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1524 (FlowPoint DSL router firmware versions prior to 3.0.8 allows a remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1523 (Buffer overflow in Sambar Web Server 4.2.1 allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1522 (Vulnerability in htmlparse.pike in Roxen Web Server 1.3.11 and earlier ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1521 (Computalynx CMail 2.4 and CMail 2.3 SP2 SMTP servers are vulnerable to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1519 (Gene6 G6 FTP Server 2.0 allows a remote attacker to cause a denial of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1518 (Operating systems with shared memory implementations based on BSD 4.4 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1517 (runtar in the Amanda backup system used in various UNIX operating syst ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1516 (A buffer overflow in TenFour TFS Gateway SMTP mail server 3.2 allows a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1515 (A non-default configuration in TenFour TFS Gateway 4.0 allows an attac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1514 (Buffer overflow in Celtech ExpressFS FTP server 2.x allows remote atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1513 (Management information base (MIB) for a 3Com SuperStack II hub running ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1511 (Buffer overflows in Xtramail 1.11 allow attackers to cause a denial of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1510 (Buffer overflows in Bisonware FTP server prior to 4.1 allow remote att ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1509 (Directory traversal vulnerability in Etype Eserv 2.50 web server allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1508 (Web server in Tektronix PhaserLink Printer 840.0 and earlier allows a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1506 (Vulnerability in SMI Sendmail 4.0 and earlier, on SunOS up to 4.0.3, a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1505 (Buffer overflow in QuakeWorld 2.10 allows remote attackers to cause a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1504 (Stalker Internet Mail Server 1.6 allows a remote attacker to cause a d ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1503 (Network Flight Recorder (NFR) 1.5 and 1.6 allows remote attackers to c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1502 (Buffer overflows in Quake 1.9 client allows remote malicious servers t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1501 ((1) ipxchk and (2) ipxlink in SGI OS2 IRIX 6.3 does not properly clear ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1500 (Internet Anywhere POP3 Mail Server 2.3.1 allows remote attackers to ca ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1499 (named in ISC BIND 4.9 and 8.1 allows local users to destroy files via ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1498 (Slackware Linux 3.4 pkgtool allows local attacker to read and write to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1497 (Ipswitch IMail 5.0 and 6.0 uses weak encryption to store passwords in ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1496 (Sudo 1.5 in Debian Linux 2.1 and Red Hat 6.0 allows local users to det ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1495 (xtvscreen in SuSE Linux 6.0 allows local users to overwrite arbitrary ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1493 (Vulnerability in crp in Hewlett Packard Apollo Domain OS SR10 through ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1492 (Vulnerability in (1) diskperf and (2) diskalign in IRIX 6.4 allows loc ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1491 (abuse.console in Red Hat 2.1 uses relative pathnames to find and execu ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1489 (Buffer overflow in TestChip function in XFree86 SuperProbe in Slackwar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1487 (Vulnerability in digest in AIX 4.3 allows printq users to gain root pr ...) NOT-FOR-US: AIX CVE-1999-1485 (nsd in IRIX 6.5 through 6.5.2 exports a virtual filesystem on a UDP po ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1484 (Buffer overflow in MSN Setup BBS 4.71.0.10 ActiveX control (setupbbs.o ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1483 (Buffer overflow in zgv in svgalib 1.2.10 and earlier allows local user ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1482 (SVGAlib zgv 3.0-7 and earlier allows local users to gain root access v ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1480 ((1) acledit and (2) aclput in AIX 4.3 allow local users to create or m ...) NOT-FOR-US: AIX CVE-1999-1479 (The textcounter.pl by Matt Wright allows remote attackers to execute a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1477 (Buffer overflow in GNOME libraries 1.0.8 allows local user to gain roo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1475 (ProFTPd 1.2 compiled with the mod_sqlpw module records user passwords ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1474 (PowerPoint 95 and 97 allows remote attackers to cause an application t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1471 (Buffer overflow in passwd in BSD based operating systems 4.3 and earli ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1470 (Eastman Work Management 3.21 stores passwords in cleartext in the COMM ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1469 (Buffer overflow in w3-auth CGI program in miniSQL package allows remot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1467 (Vulnerability in rcp on SunOS 4.0.x allows remote attackers from trust ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1466 (Vulnerability in Cisco routers versions 8.2 through 9.1 allows remote ...) NOT-FOR-US: Cisco CVE-1999-1465 (Vulnerability in Cisco IOS 11.1 through 11.3 with distributed fast swi ...) NOT-FOR-US: Cisco CVE-1999-1464 (Vulnerability in Cisco IOS 11.1CC and 11.1CT with distributed fast swi ...) NOT-FOR-US: Cisco CVE-1999-1463 (Windows NT 4.0 before SP3 allows remote attackers to bypass firewall r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1462 (Vulnerability in bb-hist.sh CGI History module in Big Brother 1.09b an ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1461 (inpview in InPerson on IRIX 5.3 through IRIX 6.5.10 trusts the PATH en ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1460 (BMC PATROL SNMP Agent before 3.2.07 allows local users to create arbit ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1459 (BMC PATROL Agent before 3.2.07 allows local users to gain root privile ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1458 (Buffer overflow in at program in Digital UNIX 4.0 allows local users t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1457 (Buffer overflow in thttpd HTTP server before 2.04-31 allows remote att ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1454 (Macromedia "The Matrix" screen saver on Windows 95 with the "Password ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1453 (Internet Explorer 4 allows remote attackers (malicious web site operat ...) NOT-FOR-US: Microsoft CVE-1999-1451 (The Winmsdp.exe sample file in IIS 4.0 and Site Server 3.0 allows remo ...) NOT-FOR-US: Microsoft CVE-1999-1450 (Vulnerability in (1) rlogin daemon rshd and (2) scheme on SCO UNIX Ope ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1449 (SunOS 4.1.4 on a Sparc 20 machine allows local users to cause a denial ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1448 (Eudora and Eudora Light before 3.05 allows remote attackers to cause a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1447 (Internet Explorer 4.0 allows remote attackers to cause a denial of ser ...) NOT-FOR-US: Microsoft CVE-1999-1446 (Internet Explorer 3 records a history of all URL's that are visited by ...) NOT-FOR-US: Microsoft CVE-1999-1445 (Vulnerability in imapd and ipop3d in Slackware 3.4 and 3.3 with shadow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1444 (genkey utility in Alibaba 2.0 generates RSA key pairs with an exponent ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1443 (Micah Software Full Armor Network Configurator and Zero Administration ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1442 (Bug in AMD K6 processor on Linux 2.0.x and 2.1.x kernels allows local ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1441 (Linux 2.0.34 does not properly prevent users from sending SIGIO signal ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1440 (Win32 ICQ 98a 1.30, and possibly other versions, does not display the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1439 (gcc 2.7.2 allows local users to overwrite arbitrary files via a symlin ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1438 (Vulnerability in /bin/mail in SunOS 4.1.1 and earlier allows local use ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1436 (Ray Chan WWW Authorization Gateway 0.1 CGI program allows remote attac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1435 (Buffer overflow in libsocks5 library of Socks 5 (socks5) 1.0r5 allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1434 (login in Slackware Linux 3.2 through 3.5 does not properly check for a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1431 (ZAK in Appstation mode allows users to bypass the "Run only allowed ap ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1430 (PIM software for Royal daVinci does not properly password-protext acce ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1429 (DIT TransferPro installs devices with world-readable and world-writabl ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1428 (Solaris Solstice AdminSuite (AdminSuite) 2.1 and 2.2 allows local user ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1427 (Solaris Solstice AdminSuite (AdminSuite) 2.1 and 2.2 create lock files ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1426 (Solaris Solstice AdminSuite (AdminSuite) 2.1 follows symbolic links wh ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1425 (Solaris Solstice AdminSuite (AdminSuite) 2.1 incorrectly sets write pe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1424 (Solaris Solstice AdminSuite (AdminSuite) 2.1 uses unsafe permissions w ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1422 (The default configuration of Slackware 3.4, and possibly other version ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1421 (NBase switches NH208 and NH215 run a TFTP server which allows remote a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1420 (NBase switches NH2012, NH2012R, NH2015, and NH2048 have a back door pa ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1418 (ICQ99 ICQ web server build 1701 with "Active Homepage" enabled generat ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1417 (Format string vulnerability in AnswerBook2 (AB2) web server dwhttpd 3. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1416 (AnswerBook2 (AB2) web server dwhttpd 3.1a4 allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1415 (Vulnerability in /usr/bin/mail in DEC ULTRIX before 4.2 allows local u ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1413 (Solaris 2.4 before kernel jumbo patch -35 allows set-gid programs to d ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1412 (A possible interaction between Apple MacOS X release 1.0 and Apache HT ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1410 (addnetpr in IRIX 5.3 and 6.2 allows local users to overwrite arbitrary ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1408 (Vulnerability in AIX 4.1.4 and HP-UX 10.01 and 9.05 allows local users ...) NOT-FOR-US: AIX CVE-1999-1406 (dumpreg in Red Hat Linux 5.1 opens /dev/mem with O_RDWR access, which ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1405 (snap command in AIX before 4.3.2 creates the /tmp/ibmsupt directory wi ...) NOT-FOR-US: AIX CVE-1999-1404 (IBM/Tivoli OPC Tracker Agent version 2 release 1 allows remote attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1403 (IBM/Tivoli OPC Tracker Agent version 2 release 1 creates files, direct ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1401 (Vulnerability in Desktop searchbook program in IRIX 5.0.x through 6.2 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1400 (The Economist screen saver 1999 with the "Password Protected" option e ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1399 (spaceball program in SpaceWare 7.3 v1.0 in IRIX 6.2 allows local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1398 (Vulnerability in xfsdump in SGI IRIX may allow local users to obtain r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1396 (Vulnerability in integer multiplication emulation code on SPARC archit ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1395 (Vulnerability in Monitor utility (SYS$SHARE:SPISHR.EXE) in VMS 5.0 thr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1394 (BSD 4.4 based operating systems, when running at security level 1, all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1393 (Control Panel "Password Security" option for Apple Powerbooks allows a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1392 (Vulnerability in restore0.9 installation script in NeXT 1.0a and 1.0 a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1391 (Vulnerability in NeXT 1.0a and 1.0 with publicly accessible printers a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1390 (suidexec in suidmanager 0.18 on Debian 2.0 allows local users to gain ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1389 (US Robotics/3Com Total Control Chassis with Frame Relay between 3.6.22 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1388 (passwd in SunOS 4.1.x allows local users to overwrite arbitrary files ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1387 (Windows NT 4.0 SP2 allows remote attackers to cause a denial of servic ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1383 ((1) bash before 1.14.7, and (2) tcsh 6.05 allow local users to gain pr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1381 (Buffer overflow in dbadmin CGI program 1.0.1 on Linux allows remote at ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1378 (dbmlparser.exe CGI guestbook program does not perform a chroot operati ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1377 (Matt Wright's download.cgi 1.0 allows remote attackers to read arbitra ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1376 (Buffer overflow in fpcount.exe in IIS 4.0 with FrontPage Server Extens ...) NOT-FOR-US: Microsoft CVE-1999-1375 (FileSystemObject (FSO) in the showfile.asp Active Server Page (ASP) al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1374 (perlshop.cgi shopping cart program stores sensitive customer informati ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1373 (FORE PowerHub before 5.0.1 allows remote attackers to cause a denial o ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1372 (Triactive Remote Manager with Basic authentication enabled stores the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1371 (Buffer overflow in /usr/bin/write in Solaris 2.6 and 7 allows local us ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1370 (The setup wizard (ie5setup.exe) for Internet Explorer 5.0 disables (1) ...) NOT-FOR-US: Microsoft CVE-1999-1369 (Real Media RealServer (rmserver) 6.0.3.353 stores a password in plaint ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1368 (AV Option for MS Exchange Server option for InoculateIT 4.53, and poss ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1367 (Internet Explorer 5.0 does not properly reset the username/password ca ...) NOT-FOR-US: Microsoft CVE-1999-1366 (Pegasus e-mail client 3.0 and earlier uses weak encryption to store PO ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1364 (Windows NT 4.0 allows local users to cause a denial of service (crash) ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1361 (Windows NT 3.51 and 4.0 running WINS (Windows Internet Name Service) a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1357 (Netscape Communicator 4.04 through 4.7 (and possibly other versions) i ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1355 (BMC Patrol component, when installed with Compaq Insight Management Ag ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1354 (E-mail client in Softarc FirstClass Internet Server 5.506 and earlier ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1353 (Nosque MsgCore 2.14 stores passwords in cleartext: (1) the administrat ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1352 (mknod in Linux 2.2 follows symbolic links, which could allow local use ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1350 (ARCAD Systemhaus 0.078-5 installs critical programs and files with wor ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1349 (NFS daemon (nfsd.exe) for Omni-NFS/X 6.1 allows remote attackers to ca ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1348 (Linuxconf on Red Hat Linux 6.0 and earlier does not properly disable P ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1347 (Xsession in Red Hat Linux 6.1 and earlier can allow local users with r ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1346 (PAM configuration file for rlogin in Red Hat Linux 6.1 and earlier inc ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1345 (Auto_FTP.pl script in Auto_FTP 0.2 uses the /tmp/ftp_tmp as a shared d ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1344 (Auto_FTP.pl script in Auto_FTP 0.2 stores usernames and passwords in p ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1343 (HTTP server for Xerox DocuColor 4 LP allows remote attackers to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1342 (ICQ ActiveList Server allows remote attackers to cause a denial of ser ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1340 (Buffer overflow in faxalter in hylafax 4.0.2 allows local users to gai ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1338 (Delegate proxy 5.9.3 and earlier creates files and directories in the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1334 (Multiple buffer overflows in filter command in Elm 2.4 allows attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1323 (Norton AntiVirus for Internet Email Gateways (NAVIEG) 1.0.1.7 and earl ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1322 (The installation of 1ArcServe Backup and Inoculan AV client modules fo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1319 (Vulnerability in object server program in SGI IRIX 5.2 through 6.1 all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1315 (Vulnerabilities in DECnet/OSI for OpenVMS before 5.8 on DEC Alpha AXP ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1314 (Vulnerability in union file system in FreeBSD 2.2 and earlier, and pos ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1313 (Manual page reader (man) in FreeBSD 2.2 and earlier allows local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1312 (Vulnerability in DEC OpenVMS VAX 5.5-2 through 5.0, and OpenVMS AXP 1. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1311 (Vulnerability in dtlogin and dtsession in HP-UX 10.20 and 10.10 allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1310 REJECTED CVE-1999-1308 (Certain programs in HP-UX 10.20 do not properly handle large user IDs ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1307 (Vulnerability in urestore in Novell UnixWare 1.1 allows local users to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1306 (Cisco IOS 9.1 and earlier does not properly handle extended IP access ...) NOT-FOR-US: Cisco CVE-1999-1305 (Vulnerability in "at" program in SCO UNIX 4.2 and earlier allows local ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1304 (Vulnerability in login in SCO UNIX 4.2 and earlier allows local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1303 (Vulnerability in prwarn in SCO UNIX 4.2 and earlier allows local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1302 (Unspecified vulnerability in pt_chmod in SCO UNIX 4.2 and earlier allo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1300 (Vulnerability in accton in Cray UNICOS 6.1 and 6.0 allows local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1299 (rcp on various Linux systems including Red Hat 4.0 allows a "nobody" u ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1296 (Buffer overflow in Kerberos IV compatibility libraries as used in Kerb ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1295 (Transarc DCE Distributed File System (DFS) 1.1 for Solaris 2.4 and 2.5 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1293 (mod_proxy in Apache 1.2.5 and earlier allows remote attackers to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1292 (Buffer overflow in web administration feature of Kolban Webcam32 4.8.3 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1291 (TCP/IP implementation in Microsoft Windows 95, Windows NT 4.0, and pos ...) NOT-FOR-US: Microsoft CVE-1999-1289 (ICQ 98 beta on Windows NT leaks the internal IP address of a client in ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1287 (Vulnerability in Analog 3.0 and earlier allows remote attackers to rea ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1286 (addnetpr in SGI IRIX 6.2 and earlier allows local users to modify arbi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1285 (Linux 2.1.132 and earlier allows local users to cause a denial of serv ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1283 (Opera 3.2.1 allows remote attackers to cause a denial of service (appl ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1282 (RealSystem G2 server stores the administrator password in cleartext in ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1281 (Development version of Breeze Network Server allows remote attackers t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1280 (Hummingbird Exceed 6.0.1.0 inadvertently includes a DLL that was meant ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1278 (nlog CGI scripts do not properly filter shell metacharacters from the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1277 (BackWeb client stores the username and password in cleartext for proxy ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1275 (Lotus cc:Mail release 8 stores the postoffice password in plaintext in ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1274 (iPass RoamServer 3.1 creates temporary files with world-writable permi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1273 (Squid Internet Object Cache 1.1.20 allows users to bypass access contr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1272 (Buffer overflows in CDROM Confidence Test program (cdrom) allow local ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1271 (Macromedia Dreamweaver uses weak encryption to store FTP passwords, wh ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1270 (KMail in KDE 1.0 provides a PGP passphrase as a command line argument ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1269 (Screen savers in KDE beta 3 allows local users to overwrite arbitrary ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1268 (Vulnerability in KDE konsole allows local users to hijack or observe s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1267 (KDE file manager (kfm) uses a TCP server for certain file operations, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1266 (rsh daemon (rshd) generates different error messages when a valid user ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1265 (SMTP server in SLmail 3.1 and earlier allows remote attackers to cause ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1264 (WebRamp M3 router does not disable remote telnet or HTTP access to its ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1261 (Buffer overflow in Rainbow Six Multiplayer allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1260 (mSQL (Mini SQL) 2.0.6 allows remote attackers to obtain sensitive serv ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1257 (Xyplex terminal server 6.0.1S1, and possibly other versions, allows re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1256 (Oracle Database Assistant 1.0 in Oracle 8.0.3 Enterprise Edition store ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1255 (Hyperseek allows remote attackers to modify the hyperseek configuratio ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1254 (Windows 95, 98, and NT 4.0 allow remote attackers to cause a denial of ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1253 (Vulnerability in a kernel error handling routine in SCO OpenServer 5.0 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1252 (Vulnerability in a certain system call in SCO UnixWare 2.0.x and 2.1.0 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1251 (Vulnerability in direct audio user space code on HP-UX 10.20 and 10.10 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1250 (Vulnerability in CGI program in the Lasso application by Blue World, a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1248 (Vulnerability in Support Watch (aka SupportWatch) in HP-UX 8.0 through ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1247 (Vulnerability in HP Camera component of HP DCE/9000 in HP-UX 9.x allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1245 (vacm ucd-snmp SNMP server, version 3.52, does not properly disable acc ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1244 (IPFilter 3.2.3 through 3.2.10 allows local users to modify arbitrary f ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1242 (Vulnerability in subnetconfig in HP-UX 9.01 and 9.0 allows local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1241 (Internet Explorer, with a security setting below Medium, allows remote ...) NOT-FOR-US: Microsoft CVE-1999-1240 (Buffer overflow in cddbd CD database server allows remote attackers to ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1239 (HP-UX 9.x does not properly enable the Xauthority mechanism in certain ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1238 (Vulnerability in CORE-DIAG fileset in HP message catalog in HP-UX 9.05 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1237 (Multiple buffer overflows in smbvalid/smbval SMB authentication librar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1236 (Internet Anywhere Mail Server 2.3.1 stores passwords in plaintext in t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1235 (Internet Explorer 5.0 records the username and password for FTP server ...) NOT-FOR-US: Microsoft CVE-1999-1234 (LSA (LSASS.EXE) in Windows NT 4.0 allows remote attackers to cause a d ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1232 (Untrusted search path vulnerability in day5datacopier in SGI IRIX 6.2 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1231 (ssh 2.0.12, and possibly other versions, allows valid user names to at ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1230 (Quake 2 server allows remote attackers to cause a denial of service vi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1229 (Quake 2 server 3.13 on Linux does not properly check file permissions ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1228 (Various modems that do not implement a guard time, or are configured w ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1227 (Ethereal allows local users to overwrite arbitrary files via a symlink ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1225 (rpc.mountd on Linux, Ultrix, and possibly other operating systems, all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1224 (IMAP 4.1 BETA, and possibly other versions, does not properly handle t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1221 (dxchpwd in Digital Unix (OSF/1) 3.x allows local users to modify arbit ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1220 (Majordomo 1.94.3 and earlier allows remote attackers to execute arbitr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1219 (Vulnerability in sgihelp in the SGI help system and print manager in I ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1218 (Vulnerability in finger in Commodore Amiga UNIX 2.1p2a and earlier all ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1216 (Cisco routers 9.17 and earlier allow remote attackers to bypass securi ...) NOT-FOR-US: Cisco CVE-1999-1213 (Vulnerability in telnet service in HP-UX 10.30 allows attackers to cau ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1212 (Vulnerability in in.rlogind in SunOS 4.0.3 and 4.0.3c allows local use ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1211 (Vulnerability in in.telnetd in SunOS 4.1.1 and earlier allows local us ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1210 (xterm in Digital UNIX 4.0B *with* patch kit 5 allows local users to ov ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1207 (Buffer overflow in web-admin tool in NetXRay 2.6 allows remote attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1206 (SystemSoft SystemWizard package in HP Pavilion PC with Windows 98, and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1202 (StarTech (1) POP3 proxy server and (2) telnet server allows remote att ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1200 (Vintra SMTP MailServer allows remote attackers to cause a denial of se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1196 (Hummingbird Exceed X version 5 allows remote attackers to cause a deni ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1195 (NAI VirusScan NT 4.0.2 does not properly modify the scan.dat virus def ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1190 (Buffer overflow in POP3 server of Admiral Systems EmailClub 1.05 allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1187 (Pine before version 3.94 allows local users to gain privileges via a s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1186 (rxvt, when compiled with the PRINT_PIPE option in various Linux operat ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1185 (Buffer overflow in SCO mscreen allows local users to gain root privile ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1184 (Buffer overflow in Elm 2.4 and earlier allows local users to gain priv ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1183 (System Manager sysmgr GUI in SGI IRIX 6.4 and 6.3 allows remote attack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1182 (Buffer overflow in run-time linkers (1) ld.so or (2) ld-linux.so for L ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1180 (O'Reilly WebSite 1.1e and Website Pro 2.0 allows remote attackers to e ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1179 (Vulnerability in man.sh CGI script, included in May 1998 issue of SysA ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1178 (Sambar Server 4.1 beta allows remote attackers to obtain sensitive inf ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1176 (Buffer overflow in cidentd ident daemon allows local users to gain roo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1174 (ZIP drive for Iomega ZIP-100 disks allows attackers with physical acce ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1173 (Corel Word Perfect 8 for Linux creates a temporary working directory w ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1172 (By design, Maximizer Enterprise 4 calendar and address book program al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1171 (IPswitch WS_FTP allows local users to gain additional privileges and m ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1170 (IPswitch IMail allows local users to gain additional privileges and mo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1169 (nobo 1.2 allows remote attackers to cause a denial of service (crash) ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1168 (install.iss installation script for Internet Security Scanner (ISS) fo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1166 (Linux 2.0.37 does not properly encode the Custom segment limit, which ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1165 (GNU fingerd 1.37 does not properly drop privileges before accessing us ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1164 (Microsoft Outlook client allows remote attackers to cause a denial of ...) NOT-FOR-US: Microsoft CVE-1999-1158 (Buffer overflow in (1) pluggable authentication module (PAM) on Solari ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1155 (LakeWeb Mail List CGI script allows remote attackers to execute arbitr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1154 (LakeWeb Filemail CGI script allows remote attackers to execute arbitra ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1153 (HAMcards Postcard CGI script 1.0 allows remote attackers to execute ar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1152 (Compaq/Microcom 6000 Access Integrator does not disconnect a client af ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1151 (Compaq/Microcom 6000 Access Integrator does not cause a session timeou ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1150 (Livingston Portmaster routers running ComOS use the same initial seque ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1149 (Buffer overflow in CSM Proxy 4.1 allows remote attackers to cause a de ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1141 (Ascom Timeplex router allows remote attackers to obtain sensitive info ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1135 (Vulnerability in VUE 3.0 in HP 9.x allows local users to gain root pri ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1134 (Vulnerability in Vue 3.0 in HP 9.x allows local users to gain root pri ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1133 (HP-UX 9.x and 10.x running X windows may allow local attackers to gain ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1130 (Default configuration of the search engine in Netscape Enterprise Serv ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1129 (Cisco Catalyst 2900 Virtual LAN (VLAN) switches allow remote attackers ...) NOT-FOR-US: Cisco CVE-1999-1128 (Internet Explorer 3.01 on Windows 95 allows remote malicious web sites ...) NOT-FOR-US: Microsoft CVE-1999-1126 (Cisco Resource Manager (CRM) 1.1 and earlier creates certain files wit ...) NOT-FOR-US: Cisco CVE-1999-1125 (Oracle Webserver 2.1 and earlier runs setuid root, but the configurati ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1124 (HTTP Client application in ColdFusion allows remote attackers to bypas ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1123 (The installation of Sun Source (sunsrc) tapes allows local users to ga ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1113 (Buffer overflow in Eudora Internet Mail Server (EIMS) 2.01 and earlier ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1112 (Buffer overflow in IrfanView32 3.07 and earlier allows attackers to ex ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1110 (Windows Media Player ActiveX object as used in Internet Explorer 5.0 r ...) NOT-FOR-US: Microsoft CVE-1999-1108 REJECTED CVE-1999-1107 (Buffer overflow in kppp in KDE allows local users to gain root access ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1106 (Buffer overflow in kppp in KDE allows local users to gain root access ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1101 (Kabsoftware Lydia utility uses weak encryption to store user passwords ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1097 (Microsoft NetMeeting 2.1 allows one client to read the contents of ano ...) NOT-FOR-US: Microsoft CVE-1999-1096 (Buffer overflow in kscreensaver in KDE klock allows local users to gai ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1095 (sort creates temporary files and follows symbolic links, which allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1092 (tin 1.40 creates the .tin directory with insecure permissions, which a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1091 (UNIX news readers tin and rtin create the /tmp/.tin_log file with inse ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1089 (Buffer overflow in chfn command in HP-UX 9.X through 10.20 allows loca ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1088 (Vulnerability in chsh command in HP-UX 9.X through 10.20 allows local ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1086 (Novell 5 and earlier, when running over IPX with a packet signature le ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1084 (The "AEDebug" registry key is installed with insecure permissions, whi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1083 (Directory traversal vulnerability in Jana proxy web server 1.45 allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1082 (Directory traversal vulnerability in Jana proxy web server 1.40 allows ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1081 (Vulnerability in files.pl script in Novell WebServer Examples Toolkit ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1079 (Vulnerability in ptrace in AIX 4.3 allows local users to gain privileg ...) NOT-FOR-US: AIX CVE-1999-1078 (WS_FTP Pro 6.0 uses weak encryption for passwords in its initializatio ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1077 (Idle locking function in MacOS 9 allows local attackers to bypass the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1076 (Idle locking function in MacOS 9 allows local users to bypass the pass ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1075 (inetd in AIX 4.1.5 dynamically assigns a port N when starting ttdbserv ...) NOT-FOR-US: AIX CVE-1999-1073 (Excite for Web Servers (EWS) 1.1 records the first two characters of a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1072 (Excite for Web Servers (EWS) 1.1 allows local users to gain privileges ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1071 (Excite for Web Servers (EWS) 1.1 installs the Architext.conf authentic ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1070 (Buffer overflow in ping CGI program in Xylogics Annex terminal service ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1069 (Directory traversal vulnerability in carbo.dll in iCat Carbo Server 3. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1068 (Oracle Webserver 2.1, when serving PL/SQL stored procedures, allows re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1067 (SGI MachineInfo CGI program, installed by default on some web servers, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1066 (Quake 1 server responds to an initial UDP game connection request with ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1065 (Palm Pilot HotSync Manager 3.0.4 in Windows 98 allows remote attackers ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1064 (Multiple buffer overflows in WindowMaker 0.52 through 0.60.0 allow att ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1063 (CDomain whois_raw.cgi whois CGI script allows remote attackers to exec ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1062 (HP Laserjet printers with JetDirect cards, when configured with TCP/IP ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1061 (HP Laserjet printers with JetDirect cards, when configured with TCP/IP ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1060 (Buffer overflow in Tetrix TetriNet daemon 1.13.16 allows remote attack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1058 (Buffer overflow in Vermillion FTP Daemon VFTPD 1.23 allows remote atta ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1056 REJECTED CVE-1999-1054 (The default configuration of FLEXlm license manager 6.0d, and possibly ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1053 (guestbook.pl cleanses user-inserted SSI commands by removing text betw ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1052 (Microsoft FrontPage stores form results in a default location in /_pri ...) NOT-FOR-US: Microsoft CVE-1999-1051 (Default configuration in Matt Wright FormHandler.cgi script allows arb ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1050 (Directory traversal vulnerability in Matt Wright FormHandler.cgi scrip ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1049 (ARCserve NT agents use weak encryption (XOR) for passwords, which allo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1046 (Buffer overflow in IMonitor in IMail 5.0 allows remote attackers to ca ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1043 (Microsoft Exchange Server 5.5 and 5.0 does not properly handle (1) mal ...) NOT-FOR-US: Microsoft CVE-1999-1042 (Cisco Resource Manager (CRM) 1.0 and 1.1 creates world-readable log fi ...) NOT-FOR-US: Cisco CVE-1999-1041 (Buffer overflow in mscreen on SCO OpenServer 5.0 and SCO UNIX 3.2v4 al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1040 (Vulnerabilities in (1) ipxchk and (2) ipxlink in NetWare Client 1.0 on ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1039 (Vulnerability in (1) diskalign and (2) diskperf in IRIX 6.4 patches 22 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1038 (Tiger 2.2.3 allows local users to overwrite arbitrary files via a syml ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1036 (COPS 1.04 allows local users to overwrite or create arbitrary files vi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1033 (Microsoft Outlook Express before 4.72.3612.1700 allows a malicious use ...) NOT-FOR-US: Microsoft CVE-1999-1031 (counter.exe 2.70 allows a remote attacker to cause a denial of service ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1030 (counter.exe 2.70 allows a remote attacker to cause a denial of service ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1029 (SSH server (sshd2) before 2.0.12 does not properly record login attemp ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1026 (aspppd on Solaris 2.5 x86 allows local users to modify arbitrary files ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1025 (CDE screen lock program (screenlock) on Solaris 2.6 does not properly ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1024 (ip_print procedure in Tcpdump 3.4a allows remote attackers to cause a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1023 (useradd in Solaris 7.0 does not properly interpret certain date format ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1022 (serial_ports administrative program in IRIX 4.x and 5.x trusts the use ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1020 (The installation of Novell Netware NDS 5.99 provides an unauthenticate ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1018 (IPChains in Linux kernels 2.2.10 and earlier does not reassemble IP fr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1017 (Seattle Labs Emurl 2.0, and possibly earlier versions, stores e-mail a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1016 (Microsoft HTML control as used in (1) Internet Explorer 5.0, (2) Front ...) NOT-FOR-US: Microsoft CVE-1999-1015 (Buffer overflow in Apple AppleShare Mail Server 5.0.3 on MacOS 8.1 and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1013 (named-xfer in AIX 4.1.5 and 4.2.1 allows members of the system group t ...) NOT-FOR-US: AIX CVE-1999-1012 (SMTP component of Lotus Domino 4.6.1 on AS/400, and possibly other ope ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1009 (The Disney Go Express Search allows remote attackers to access and mod ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1006 (Groupwise web server GWWEB.EXE allows remote attackers to determine th ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1003 (War FTP Daemon 1.70 allows remote attackers to cause a denial of servi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-1002 (Netscape Navigator uses weak encryption for storing a user's Netscape ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0993 (Modifications to ACLs (Access Control Lists) in Microsoft Exchange 5. ...) NOT-FOR-US: Microsoft CVE-1999-0990 (Error messages generated by gdm with the VerboseAuth setting allows an ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0988 (UnixWare pkgtrans allows local users to read arbitrary files via a sym ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0985 (CC Whois program whois.cgi allows remote attackers to execute commands ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0984 (Matt's Whois program whois.cgi allows remote attackers to execute comm ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0983 (Whois Internic Lookup program whois.cgi allows remote attackers to exe ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0970 (The OmniHTTPD visadmin.exe program allows a remote attacker to conduct ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0952 (Buffer overflow in Solaris lpstat via class argument allows local user ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0949 (Buffer overflow in canuum program for Canna input system allows local ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0948 (Buffer overflow in uum program for Canna input system allows local use ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0944 (IBM WebSphere ikeyman tool uses weak encryption to store a password fo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0941 (Mutt mail client allows a remote attacker to execute commands via shel ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0929 (Novell NetWare with Novell-HTTP-Server or YAWN web servers allows remo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0926 (Apache allows remote attackers to conduct a denial of service via a la ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0925 (UnityMail allows remote attackers to conduct a denial of service via a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0923 (Sample runnable code snippets in ColdFusion Server 4.0 allow remote at ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0919 (A memory leak in a Motorola CableRouter allows remote attackers to con ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0913 (dfire.cgi script in Dragon-Fire IDS allows remote users to execute com ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0911 (Buffer overflow in ProFTPD, wu-ftpd, and beroftpd allows remote attack ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0910 (Microsoft Site Server and Commercial Internet System (MCIS) do not set ...) NOT-FOR-US: Microsoft CVE-1999-0885 (Alibaba web server allows remote attackers to execute commands via a p ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0882 (Falcon web server allows remote attackers to determine the absolute pa ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0872 (Buffer overflow in Vixie cron allows local users to gain root access v ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0863 (Buffer overflow in FreeBSD seyon via HOME environmental variable, -emu ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0862 (Insecure directory permissions in RPM distribution for PostgreSQL allo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0860 (Solaris chkperm allows local users to read files owned by bin via the ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0857 (FreeBSD gdc program allows local users to modify files via a symlink a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0855 (Buffer overflow in FreeBSD gdc program. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0852 (IBM WebSphere sets permissions that allow a local user to modify a dei ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0850 (The default permissions for Endymion MailMan allow local users to read ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0846 (Denial of service in MDaemon 2.7 via a large number of connection atte ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0845 (Buffer overflow in SCO su program allows local users to gain root acce ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0844 (Denial of service in MDaemon WorldClient and WebConfig services via a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0843 (Denial of service in Cisco routers running NAT via a PORT command from ...) NOT-FOR-US: Cisco CVE-1999-0841 (Buffer overflow in CDE mailtool allows local users to gain root privil ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0840 (Buffer overflow in CDE dtmail and dtmailpr programs allows local users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0830 (Buffer overflow in SCO UnixWare Xsco command via a long argument. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0829 (HP Secure Web Console uses weak encryption. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0828 (UnixWare pkg commands such as pkginfo, pkgcat, and pkgparam allow loca ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0827 (By default, Internet Explorer 5.0 and other versions enables the "Navi ...) NOT-FOR-US: Microsoft CVE-1999-0825 (The default permissions for UnixWare /var/mail allow local users to re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0822 (Buffer overflow in Qpopper (qpop) 3.0 allows remote root access via AU ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0821 (FreeBSD seyon allows local users to gain privileges by providing a mal ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0818 (Buffer overflow in Solaris kcms_configure via a long NETPATH environme ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0816 (The Motorola CableRouter allows any remote user to connect to and conf ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0808 (Multiple buffer overflows in ISC DHCP Distribution server (dhcpd) 1.0 ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0805 (Novell NetWare Transaction Tracking System (TTS) in Novell 4.11 and ea ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0798 (Buffer overflow in bootpd on OpenBSD, FreeBSD, and Linux systems via a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0795 (The NIS+ rpc.nisd server allows remote attackers to execute certain RP ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0792 (ROUTERmate has a default SNMP community name which allows remote attac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0784 (Denial of service in Oracle TNSLSNR SQL*Net Listener via a malformed s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0776 (Alibaba HTTP server allows remote attackers to read files via a .. (do ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0767 (Buffer overflow in Solaris libc, ufsrestore, and rcp via LC_MESSAGES e ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0757 (The ColdFusion CFCRYPT program for encrypting CFML templates has weak ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0750 (Hotmail allows Javascript to be executed via the HTML STYLE tag, allow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0748 (Buffer overflows in Red Hat net-tools package. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0741 (QMS CrownNet Unix Utilities for 2060 allows root to log on without a p ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0739 (The codebrws.asp sample file in IIS and Site Server allows remote atta ...) NOT-FOR-US: Microsoft CVE-1999-0738 (The code.asp sample file in IIS and Site Server allows remote attacker ...) NOT-FOR-US: Microsoft CVE-1999-0737 (The viewcode.asp sample file in IIS and Site Server allows remote atta ...) NOT-FOR-US: Microsoft CVE-1999-0736 (The showcode.asp sample file in IIS and Site Server allows remote atta ...) NOT-FOR-US: Microsoft CVE-1999-0712 (A vulnerability in Caldera Open Administration System (COAS) allows th ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0698 (Denial of service in IP protocol logger (ippl) on Red Hat and Debian L ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0684 (Denial of service in Sendmail 8.8.6 in HPUX. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0677 (The WebRamp web administration utility has a default password. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0673 (Buffer overflow in ALMail32 POP3 client via From: or To: headers. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0670 (Buffer overflow in the Eyedog ActiveX control allows a remote attacker ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0669 (The Eyedog ActiveX control is marked as "safe for scripting" for Inter ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0667 (The ARP protocol allows any host to spoof ARP replies and poison the A ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0665 (An application-critical Windows NT registry key has an inappropriate v ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0664 (An application-critical Windows NT registry key has inappropriate perm ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0663 (A system-critical program, library, or file has a checksum or other in ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0662 (A system-critical program or library does not have the appropriate pat ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0661 (A system is running a version of software that was replaced with a Tro ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0660 REJECTED CVE-1999-0659 REJECTED CVE-1999-0658 REJECTED CVE-1999-0657 (WinGate is being used. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0656 (The ugidd RPC interface, by design, allows remote attackers to enumera ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0655 REJECTED CVE-1999-0654 (The OS/2 or POSIX subsystem in NT is enabled. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0653 (A component service related to NIS+ is running. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0652 REJECTED CVE-1999-0651 (The rsh/rlogin service is running. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0650 (The netstat service is running, which provides sensitive information t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0649 REJECTED CVE-1999-0648 REJECTED CVE-1999-0647 REJECTED CVE-1999-0646 REJECTED CVE-1999-0645 REJECTED CVE-1999-0644 REJECTED CVE-1999-0643 REJECTED CVE-1999-0642 REJECTED CVE-1999-0641 (The UUCP service is running. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0640 (The Gopher service is running. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0639 (The chargen service is running. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0638 (The daytime service is running. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0637 (The systat service is running. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0636 (The discard service is running. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0635 (The echo service is running. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0634 REJECTED CVE-1999-0633 REJECTED CVE-1999-0632 (The RPC portmapper service is running. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0631 REJECTED CVE-1999-0630 (The NT Alerter and Messenger services are running. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0629 (The ident/identd service is running. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0625 (The rpc.rquotad service is running. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0624 (The rstat/rstatd service is running. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0623 REJECTED CVE-1999-0622 REJECTED CVE-1999-0621 REJECTED CVE-1999-0620 REJECTED CVE-1999-0619 REJECTED CVE-1999-0618 (The rexec service is running. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0617 REJECTED CVE-1999-0616 REJECTED CVE-1999-0615 REJECTED CVE-1999-0614 REJECTED CVE-1999-0613 (The rpc.sprayd service is running. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0611 (A system-critical Windows NT registry key has an inappropriate value. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0610 (An incorrect configuration of the Webcart CGI program could disclose p ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0609 (An incorrect configuration of the SoftCart CGI program "SoftCart.exe" ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0607 (quikstore.cgi in QuikStore shopping cart stores quikstore.cfg under th ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0606 (An incorrect configuration of the EZMall 2000 shopping cart CGI progr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0605 (An incorrect configuration of the Order Form 1.0 shopping cart CGI pr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0604 (An incorrect configuration of the WebStore 1.0 shopping cart CGI progr ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0603 (In Windows NT, an inappropriate user is a member of a group, e.g. Admi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0602 (A network intrusion detection system (IDS) does not properly reassembl ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0601 (A network intrusion detection system (IDS) does not properly handle da ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0600 (A network intrusion detection system (IDS) does not verify the checksu ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0599 (A network intrusion detection system (IDS) does not properly handle pa ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0598 (A network intrusion detection system (IDS) does not properly handle pa ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0597 (A Windows NT account policy does not forcibly disconnect remote users ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0596 (A Windows NT log file has an inappropriate maximum size or retention p ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0595 (A Windows NT system does not clear the system page file during shutdow ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0594 (A Windows NT system does not restrict access to removable media drives ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0593 (The default setting for the Winlogon key entry ShutdownWithoutLogon in ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0592 (The Logon box of a Windows NT system displays the name of the last use ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0591 (An event log in Windows NT has inappropriate access permissions. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0590 (A system does not present an appropriate legal message or warning to a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0589 (A system-critical Windows NT registry key has inappropriate permission ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0588 (A filter in a router or firewall allows unusual fragmented packets. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0587 (A WWW server is not running in a restricted file system, e.g. through ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0586 (A network service is running on a nonstandard port. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0585 (A Windows NT administrator account has the default name of Administrat ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0584 (A Windows NT file system is not NTFS. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0583 (There is a one-way or two-way trust relationship between Windows NT do ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0582 (A Windows NT account policy has inappropriate, security-critical setti ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0581 (The HKEY_CLASSES_ROOT key in a Windows NT system has inappropriate, sy ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0580 (The HKEY_LOCAL_MACHINE key in a Windows NT system has inappropriate, s ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0579 (A Windows NT system's registry audit policy does not log an event succ ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0578 (A Windows NT system's registry audit policy does not log an event succ ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0577 (A Windows NT system's file audit policy does not log an event success ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0576 (A Windows NT system's file audit policy does not log an event success ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0575 (A Windows NT system's user audit policy does not log an event success ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0572 (.reg files are associated with the Windows NT registry editor (regedit ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0571 (A router's configuration service or management interface (such as a we ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0570 (Windows NT is not using a password filter utility, e.g. PASSFILT.DLL. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0569 (A URL for a WWW directory allows auto-indexing, which provides a list ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0568 (rpc.admind in Solaris is not running in a secure mode. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0565 (A Sendmail alias allows input to be piped to a program. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0564 (An attacker can force a printer to print arbitrary documents (e.g. if ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0562 (The registry in Windows NT can be accessed remotely by users who are n ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0561 (IIS has the #exec function enabled for Server Side Include (SSI) files ...) NOT-FOR-US: Microsoft CVE-1999-0560 (A system-critical Windows NT file or directory has inappropriate permi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0559 (A system-critical Unix file or directory has inappropriate permissions ...) - webmin 1.160-1 CVE-1999-0556 (Two or more Unix accounts have the same UID. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0555 (A Unix account with a name other than "root" has UID 0, i.e. root priv ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0554 (NFS exports system-critical data to the world, e.g. / or a password fi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0550 (A router's routing tables can be obtained from arbitrary hosts. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0549 (Windows NT automatically logs in an administrator upon rebooting. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0548 (A superfluous NFS server is running, but it is not importing or export ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0547 (An SSH server allows authentication through the .rhosts file. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0546 (The Windows NT guest account is enabled. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0541 (A password for accessing a WWW URL is guessable. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0539 (A trust relationship exists between two Unix hosts. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0537 (A configuration in a web browser such as Internet Explorer or Netscape ...) NOT-FOR-US: Microsoft CVE-1999-0535 (A Windows NT account policy for passwords has inappropriate, security- ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0534 (A Windows NT user has inappropriate rights or privileges, e.g. Act as ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0533 (A DNS server allows inverse queries. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0532 (A DNS server allows zone transfers. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0531 REJECTED CVE-1999-0530 (A system is operating in "promiscuous" mode which allows it to perform ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0529 (A router or firewall forwards packets that claim to come from IANA res ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0528 (A router or firewall forwards external packets that claim to come from ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0527 (The permissions for system-critical data in an anonymous FTP account a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0525 (IP traceroute is allowed from arbitrary hosts. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0524 (ICMP information such as (1) netmask and (2) timestamp is allowed from ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0523 (ICMP echo (ping) is allowed from arbitrary hosts. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0522 (The permissions for a system-critical NIS+ table (e.g. passwd) are ina ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0521 (An NIS domain name is easily guessable. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0520 (A system-critical NETBIOS/SMB share has inappropriate access control. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0519 (A NETBIOS/SMB share password is the default, null, or missing. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0518 (A NETBIOS/SMB share password is guessable. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0517 (An SNMP community name is the default (e.g. public), null, or missing. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0516 (An SNMP community name is guessable. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0515 (An unrestricted remote trust relationship for Unix systems has been se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0512 (A mail server is explicitly configured to allow SMTP mail relay, which ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0511 (IP forwarding is enabled on a machine which is not a router or firewal ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0510 (A router or firewall allows source routed packets from arbitrary hosts ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0509 (Perl, sh, csh, or other shell interpreters are installed in the cgi-bi ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0508 (An account on a router, firewall, or other network device has a defaul ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0507 (An account on a router, firewall, or other network device has a guessa ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0506 (A Windows NT domain user or administrator account has a default, null, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0505 (A Windows NT domain user or administrator account has a guessable pass ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0504 (A Windows NT local user or administrator account has a default, null, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0503 (A Windows NT local user or administrator account has a guessable passw ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0502 (A Unix account has a default, null, blank, or missing password. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0501 (A Unix account has a guessable password. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0499 (NETBIOS share information may be published through SNMP registry keys ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0498 (TFTP is not running in a restricted directory, allowing a remote attac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0497 (Anonymous FTP is enabled. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0495 (A remote attacker can gain access to a file system using .. (dot dot) ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0492 (The ffingerd 1.19 allows remote attackers to identify users on the tar ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0490 (MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to learn ...) NOT-FOR-US: Microsoft CVE-1999-0489 (MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to paste ...) NOT-FOR-US: Microsoft CVE-1999-0488 (Internet Explorer 4.0 and 5.0 allows a remote attacker to execute secu ...) NOT-FOR-US: Microsoft CVE-1999-0486 (Denial of service in AOL Instant Messenger when a remote attacker send ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0480 (Local attackers can conduct a denial of service in Midnight Commander ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0477 (The Expression Evaluator in the ColdFusion Application Server allows a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0476 (A weak encryption algorithm is used for passwords in SCO TermVision, a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0469 (Internet Explorer 5.0 allows window spoofing, allowing a remote attack ...) NOT-FOR-US: Microsoft CVE-1999-0467 (The Webcom CGI Guestbook programs wguest.exe and rguest.exe allow a re ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0465 (Remote attackers can crash Lynx and Internet Explorer using an IMG tag ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0462 (suidperl in Linux Perl does not check the nosuid mount option on file ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0461 (Versions of rpcbind including Linux, IRIX, and Wietse Venema's rpcbind ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0460 (Buffer overflow in Linux autofs module through long directory names al ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0459 (Local users can perform a denial of service in Alpha Linux, using MILO ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0455 (The Expression Evaluator sample application in ColdFusion allows remot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0454 (A remote attacker can sometimes identify the operating system of a hos ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0453 (An attacker can identify a CISCO device by sending a SYN packet to por ...) NOT-FOR-US: Cisco CVE-1999-0452 (A service or application has a backdoor password that was placed there ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0451 (Denial of service in Linux 2.0.36 allows local users to prevent any se ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0450 (In IIS, an attacker could determine a real path using a request for a ...) NOT-FOR-US: Microsoft CVE-1999-0444 (Remote attackers can perform a denial of service in Windows machines u ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0443 (Patrol management software allows a remote attacker to conduct a repla ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0435 (MC/ServiceGuard and MC/LockManager in HP-UX allows local users to gain ...) NOT-FOR-US: HP-UX CVE-1999-0434 (XFree86 xfs command is vulnerable to a symlink attack, allowing local ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0431 (Linux 2.2.3 and earlier allow a remote attacker to perform an IP fragm ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0427 (Eudora 4.1 allows remote attackers to perform a denial of service by s ...) NOT-FOR-US: Eudora CVE-1999-0426 (The default permissions of /dev/kmem in Linux versions before 2.0.36 a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0419 (When the Microsoft SMTP service attempts to send a message to a server ...) NOT-FOR-US: Microsoft CVE-1999-0418 (Denial of service in SMTP applications such as Sendmail, when a remote ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0411 (Several startup scripts in SCO OpenServer Enterprise System v 5.0.4p, ...) NOT-FOR-US: SCO CVE-1999-0406 (Digital Unix Networker program nsralist has a buffer overflow which al ...) NOT-FOR-US: DEC UNIX CVE-1999-0401 (A race condition in Linux 2.2.1 allows local users to read arbitrary m ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0400 (Denial of service in Linux 2.2.0 running the ldd command on a core fil ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0399 (The DCC server command in the Mirc 5.5 client doesn't filter character ...) NOT-FOR-US: Mirc CVE-1999-0398 (In some instances of SSH 1.2.27 and 2.0.11 on Linux systems, SSH will ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0397 (The demo version of the Quakenbush NT Password Appraiser sends passwor ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0394 (DPEC Online Courseware allows an attacker to change another user's pas ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0389 (Buffer overflow in the bootp server in the Debian Linux netstd package ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0381 (super 3.11.6 and other versions have a buffer overflow in the syslog u ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0370 (In Sun Solaris and SunOS, man and catman contain vulnerabilities that ...) NOT-FOR-US: Sun CVE-1999-0364 (Microsoft Access 97 stores a database password as plaintext in a forei ...) NOT-FOR-US: Microsoft CVE-1999-0361 (NetWare version of LaserFiche stores usernames and passwords unencrypt ...) NOT-FOR-US: NetWare CVE-1999-0360 (MS Site Server 2.0 with IIS 4 can allow users to upload content, inclu ...) NOT-FOR-US: Windows CVE-1999-0359 (ptylogin in Unix systems allows users to perform a denial of service b ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0356 (ControlIT v4.5 and earlier uses weak encryption to store usernames and ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0354 (Internet Explorer 4.x or 5.x with Word 97 allows arbitrary execution o ...) NOT-FOR-US: Windows CVE-1999-0352 (ControlIT 4.5 and earlier (aka Remotely Possible) has weak password en ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0347 (Internet Explorer 4.01 allows remote attackers to read local files and ...) NOT-FOR-US: Windows CVE-1999-0345 (Jolt ICMP attack causes a denial of service in Windows 95 and Windows ...) NOT-FOR-US: Windows CVE-1999-0336 (Buffer overflow in mstm in HP-UX allows local users to gain root acces ...) NOT-FOR-US: HP CVE-1999-0333 (HP OpenView Omniback allows remote execution of commands as root via s ...) NOT-FOR-US: HP CVE-1999-0331 (Buffer overflow in Internet Explorer 4.0(1). ...) NOT-FOR-US: Windows CVE-1999-0330 (Linux bdash game has a buffer overflow that allows local users to gain ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0319 (Buffer overflow in xmcd 2.1 allows local users to gain access through ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0317 (Buffer overflow in Linux su command gives root access to local users. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0307 (Buffer overflow in HP-UX cstm program allows local users to gain root ...) NOT-FOR-US: HP CVE-1999-0306 (buffer overflow in HP xlock program. ...) NOT-FOR-US: HP CVE-1999-0298 (ypbind with -ypset and -ypsetme options activated in Linux Slackware a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0287 (Vulnerability in the Wguest CGI program. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0286 (In some NT web servers, appending a space at the end of a URL may allo ...) NOT-FOR-US: Windows CVE-1999-0285 (Denial of service in telnet from the Windows NT Resource Kit, by openi ...) NOT-FOR-US: Windows CVE-1999-0284 (Denial of service to NT mail servers including Ipswitch, Mdaemon, and ...) NOT-FOR-US: Windows CVE-1999-0283 (The Java Web Server would allow remote users to obtain the source code ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0282 REJECTED CVE-1999-0271 (Progressive Networks Real Video server (pnserver) can be crashed remot ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0261 (Netmanager Chameleon SMTPd has several buffer overflows that cause a c ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0258 (Bonk variation of teardrop IP fragmentation denial of service. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0257 (Nestea variation of teardrop IP fragmentation denial of service. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0255 (Buffer overflow in ircd allows arbitrary command execution. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0254 (A hidden SNMP community string in HP OpenView allows remote attackers ...) NOT-FOR-US: HP CVE-1999-0253 (IIS 3.0 with the iis-fix hotfix installed allows remote intruders to r ...) NOT-FOR-US: Windows CVE-1999-0250 (Denial of service in Qmail through long SMTP commands. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0249 (Windows NT RSHSVC program allows remote users to execute arbitrary com ...) NOT-FOR-US: Windows CVE-1999-0246 (HP Remote Watch allows a remote user to gain root access. ...) NOT-FOR-US: HP CVE-1999-0243 (Linux cfingerd could be exploited to gain root access. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0242 (Remote attackers can access mail files via POP3 in some Linux systems ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0241 (Guessable magic cookies in X Windows allows remote attackers to execut ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0240 (Some filters or firewalls allow fragmented SYN packets with IP reserve ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0238 (php.cgi allows attackers to read any file on the system. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0235 (Buffer overflow in NCSA WebServer (1.4.1 and below) gives remote acces ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0232 (Buffer overflow in NCSA WebServer (version 1.5c) gives remote access. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0231 (Buffer overflow in IP-Switch IMail and Seattle Labs Slmail 2.6 package ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0229 (Denial of service in Windows NT IIS server using ..\.. ...) NOT-FOR-US: Windows CVE-1999-0226 (Windows NT TCP/IP processes fragmented IP packets improperly, causing ...) NOT-FOR-US: Windows CVE-1999-0222 (Denial of service in Cisco IOS web server allows attackers to reboot t ...) NOT-FOR-US: Cisco CVE-1999-0220 (Attackers can do a denial of service of IRC by crashing the server. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0216 (Denial of service of inetd on Linux through SYN and RST packets. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0213 (libnsl in Solaris allowed an attacker to perform a denial of service o ...) NOT-FOR-US: Solaris CVE-1999-0205 (Denial of service in Sendmail 8.6.11 and 8.6.12. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0200 (Windows NT FTP server (WFTP) with the guest account enabled without a ...) NOT-FOR-US: Windows CVE-1999-0198 (finger .@host on some systems may print information on some user accou ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0197 (finger 0@host on some systems may print information on some user accou ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0195 (Denial of service in RPC portmapper allows attackers to register or un ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0193 (Denial of service in Ascend and 3com routers, which can be rebooted by ...) NOT-FOR-US: Ascend/3com CVE-1999-0187 REJECTED CVE-1999-0186 (In Solaris, an SNMP subagent has a default community string that allow ...) NOT-FOR-US: Solaris CVE-1999-0171 (Denial of service in syslog by sending it a large number of superfluou ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0169 (NFS allows attackers to read and write any file on the system by speci ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0165 (NFS cache poisoning. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0163 (In older versions of Sendmail, an attacker could use a pipe character ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0156 (wu-ftpd FTP daemon allows any user and password combination. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0154 (IIS 2.0 and 3.0 allows remote attackers to read the source code for AS ...) NOT-FOR-US: Windows CVE-1999-0144 (Denial of service in Qmail by specifying a large number of recipients ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0140 (Denial of service in RAS/PPTP on NT systems. ...) NOT-FOR-US: Windows CVE-1999-0127 (swinstall and swmodify commands in SD-UX package in HP-UX systems allo ...) NOT-FOR-US: HP-UX CVE-1999-0123 (Race condition in Linux mailx command allows local users to read user ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0121 (Buffer overflow in dtaction command gives root access. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0119 (Windows NT 4.0 beta allows users to read and delete shares. ...) NOT-FOR-US: Windows CVE-1999-0114 (Local users can execute commands as other users, and read other users' ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0110 REJECTED CVE-1999-0107 (Buffer overflow in Apache 1.2.5 and earlier allows a remote attacker t ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0106 (Finger redirection allows finger bombs. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0105 (finger allows recursive searches by using a long string of @ symbols. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0104 (A later variation on the Teardrop IP denial of service attack, a.k.a. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0098 (Buffer overflow in SMTP HELO command in Sendmail allows a remote attac ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0092 (Various vulnerabilities in the AIX portmir command allows local users ...) NOT-FOR-US: AIX CVE-1999-0089 (Buffer overflow in AIX libDtSvc library can allow local users to gain ...) NOT-FOR-US: AIX CVE-1999-0088 (IRIX and AIX automountd services (autofsd) allow remote users to execu ...) NOT-FOR-US: AIX CVE-1999-0086 (AIX routed allows remote users to modify sensitive files. ...) NOT-FOR-US: AIX CVE-1999-0078 (pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0076 (Buffer overflow in wu-ftp from PASV command causes a core dump. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0061 (File creation and deletion, and remote execution, in the BSD line prin ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0033 (Command execution in Sun systems via buffer overflow in the at program ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0030 (root privileges via buffer overflow in xlock command on SGI IRIX syste ...) NOT-FOR-US: SGI CVE-1999-0020 REJECTED CVE-1999-0015 (Teardrop IP denial of service. ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0004 (MIME buffer overflow in email clients, e.g. Solaris mailtool and Outlo ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-1999-0001 (ip_input.c in BSD-derived TCP/IP implementations allows remote attacke ...) NOT-FOR-US: Data pre-dating the Security Tracker